From shemminger at osdl.org Sat Oct 1 00:04:06 2005
From: shemminger at osdl.org (Stephen Hemminger)
Date: Sat Oct 1 00:03:54 2005
Subject: [LARTC] [ANNOUNCE] iproute2 version (050929)
Message-ID: <20050930150406.2e2221fd@dxpl.pdx.osdl.net>

There is a new minor update to the iproute2 utilities available:

http://developer.osdl.org/dev/iproute2/download/iproute2-050929.tar.gz

Also, this (and future) releases are now signed; for key info read:

http://developer.osdl.org/dev/iproute2/signature.html

[Stephen Hemminger]
  Fix uninitialized memory and leaks
  Add -batch option to ip.
  Update to 2.6.14 headers

[Arnaldo]
  Integrate support for DCCP into 'ss'

[Mike Frysinger]
  Fix build issues with netem tables (parallel make and HOSTCC)

[Eric Dumazet]
  Fix lnstat : First column should not be summed

-- 
Stephen Hemminger
OSDL http://developer.osdl.org/~shemminger

From jody.shumaker at gmail.com Sat Oct 1 00:29:52 2005
From: jody.shumaker at gmail.com (Jody Shumaker)
Date: Sat Oct 1 00:29:58 2005
Subject: [LARTC] Ceil Rate
In-Reply-To: <20050930161339.GA25083@localhost.home.com>
References: <20050930161339.GA25083@localhost.home.com>
Message-ID: <2af436490509301529i38418912l592d456a93f66b4e@mail.gmail.com>

You didn't set a ceil for 1:10, you only set a rate. When no ceil is
specified, a subclass will borrow past its rate max if it can. You should use:

tc class add dev eth1 parent 1:1 classid 1:10 htb rate 64kbit ceil 64kbit quantum 1501

And then it would use 64kbit as a hard cap, only going past it for short
bursts when trying to maintain 64kbit as the average (the cburst parameter
can control this, but shouldn't be necessary).

- Jody

On 9/30/05, anderson@skyweb.co.ke wrote:
>
> tc class add dev eth1 parent 1:1 classid 1:10 htb rate 64kbit quantum 1501
>
> The problem is I often find the rate exceeding the ceil which is 64kbit for
> 1:10 when I ran this command:
>
> tc -s show class dev eth1
>
> I'm also using a script that captures the output of the above command and
> feeds it to rrdtool to plot a graph of the usage and it also shows that the
> bandwidth being utilised exceeds 64kbit.
>
> How can I ensure that this doesn't happen? Where did I go wrong with my
> config?
>
> Any help would be appreciated.
>
> Thanks.
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From szafot at poczta.fm Sat Oct 1 02:31:05 2005
From: szafot at poczta.fm (Krzysiek)
Date: Sat Oct 1 02:31:16 2005
Subject: [LARTC] ip route add default mpath (rr| drr|random|wrandom)...
Message-ID: <20051001003105.48624D54FF@poczta.interia.pl>

> > 2.6.14-rc2 comes with fixes for
> > CONFIG_IP_ROUTE_MULTIPATH_CACHED,
> > but i declare that my routing patches are not
> > compatible with this
> > feature, until someone proves that both features
> > work together.
>
> Ok. I just wanted to know what your patches are supposed to do. As far
> as I know they help when I have multiple links attached to one interface,
> for example 3 DSL modems attached to one switch and this switch to 1
> ethernet port in the server.
> Can these patches do something more?

In the previous mail I wrote that I'm not using patches from
http://www.ssi.bg/~ja/ but actually I am. I was doing various experiments
and finally ended up with the patched kernel. But forgot it ;)

And this configuration worked fine: kernel with patches from
http://www.ssi.bg/~ja/ and with CONFIG_IP_ROUTE_MULTIPATH_CACHED=n.

Kernel without these patches also works but not so well. Do not work or work
badly: ftp, https, online communicators. I've not tested it too much but if
it is true then I know now what these patches do. The route is not changed
too fast so a given connection to the remote server is always with the same
route (isp, dsl, interface - so with the same source address). This is
especially needed if login is required.

Krzysiek

From jorge at inway.cz Sat Oct 1 02:58:53 2005
From: jorge at inway.cz (choros)
Date: Sat Oct 1 02:58:59 2005
Subject: [LARTC] imq + htb
Message-ID: <433DDF4D.4050306@inway.cz>

Hi,

I am running imq + htb on my router; the situation is like this:

eth0 = uplink to my provider
eth1 = 1st customer
eth2 = 2nd customer
eth3 = 3rd customer

eth0 has limit 512 and I want to share this between eth1, eth2 and eth3, but
it's not working. This is the script I used:

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
#!/bin/sh
PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/sbin:/usr/local/bin

iptables -t mangle -F 2>/dev/null
iptables -t mangle -X 2>/dev/null
iptables -t mangle -N markov
iptables -t mangle -I PREROUTING -j markov
iptables -t mangle -N markov2
iptables -t mangle -I POSTROUTING -j markov2

tc qdisc del dev imq0 root >/dev/null 2>&1
tc qdisc del dev imq1 root >/dev/null 2>&1

#bring up the imq0
ip link set dev imq0 up

#marking of incoming from eth1,eth2,eth3
iptables -t mangle -A markov -i eth1 -j MARK --set-mark 1
iptables -t mangle -A markov -i eth2 -j MARK --set-mark 2
iptables -t mangle -A markov -i eth3 -j MARK --set-mark 3

#forward it to imq0
iptables -t mangle -A PREROUTING -i eth1 -j IMQ --todev 0
iptables -t mangle -A PREROUTING -i eth2 -j IMQ --todev 0
iptables -t mangle -A PREROUTING -i eth3 -j IMQ --todev 0

tc qdisc add dev imq0 root handle 10: htb default 20
tc class add dev imq0 parent 10: classid 10:2 \
   htb rate 512Kbit ceil 512Kbit

#####################################################
#class for eth1
tc class add dev imq0 parent 10:2 classid 10:21 htb rate 128Kbit ceil 512Kbit
# mark
tc filter add dev imq0 parent 10:2 protocol ip prio 1 handle 1 fw classid 10:21
tc qdisc add dev imq0 parent 10:21 sfq perturb 15

#######################################################
# class for eth2
tc class add dev imq0 parent 10:2 classid 10:22 htb rate 128Kbit ceil 512Kbit
#mark
tc filter add dev imq0 parent 10:2 protocol ip prio 1 handle 2 fw classid 10:22
tc \
qdisc add dev imq0 parent 10:22 sfq perturb 15

#########################################
# class for eth3
tc class add dev imq0 parent 10:2 classid 10:23 htb rate 128Kbit ceil 512Kbit
#mark
tc filter add dev imq0 parent 10:2 protocol ip prio 1 handle 3 fw classid 10:23
tc qdisc add dev imq0 parent 10:23 sfq perturb 15
##############################################
##############################################

# outgoing traffic to eth1,eth2,eth3
#bring up imq1
ip link set dev imq1 up

#make marks
iptables -t mangle -A markov2 -o eth1 -j MARK --set-mark 21
iptables -t mangle -A markov2 -o eth2 -j MARK --set-mark 22
iptables -t mangle -A markov2 -o eth3 -j MARK --set-mark 23

#forward it to imq1
iptables -t mangle -A POSTROUTING -o eth1 -j IMQ --todev 1
iptables -t mangle -A POSTROUTING -o eth2 -j IMQ --todev 1
iptables -t mangle -A POSTROUTING -o eth3 -j IMQ --todev 1

tc qdisc add dev imq1 root handle 10: htb default 20
tc class add dev imq1 parent 10: classid 10:2 htb rate 512Kbit ceil 512Kbit

##################################
# class for eth1
tc class add dev imq1 parent 10:2 classid 10:21 htb rate 128Kbit ceil 512Kbit
# mark
tc filter add dev imq1 parent 10:2 protocol ip prio 1 handle 21 fw classid 10:21
tc qdisc add dev imq1 parent 10:21 sfq perturb 15

####################################
# class for eth2
tc class add dev imq1 parent 10:2 classid 10:22 htb rate 128Kbit ceil 512Kbit
#mark
tc filter add dev imq1 parent 10:2 protocol ip prio 1 handle 22 fw classid 10:22
tc qdisc add dev imq1 parent 10:22 sfq perturb 15

#####################################
#class for eth3
tc class add dev imq1 parent 10:2 classid 10:23 htb rate 128Kbit ceil 512Kbit
#mark
tc filter add dev imq1 parent 10:2 protocol ip prio 1 handle 23 fw classid 10:23
tc qdisc add dev imq1 parent 10:23 sfq perturb 15
######################################
######################################

But the traffic is unshaped. I think maybe something is wrong with the
filters, because if I do tc -s class
show dev imq0 or imq1 while uploading or downloading, traffic doesn't get to
the right class. If I take a look in iptables -t mangle -L -n -v the packets
are marked well.

OUTPUT OF tc -s class show dev imq0

class htb 10:22 parent 10:2 leaf 8026: prio 0 rate 128000bit ceil 512000bit burst 1615b cburst 1.625Kb
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 103424 ctokens: 26624

class htb 10:23 parent 10:2 leaf 8027: prio 0 rate 128000bit ceil 512000bit burst 1615b cburst 1.625Kb
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 103424 ctokens: 26624

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
PARTIAL OUTPUT of iptables -t mangle -L -n -v

Chain markov (1 references)
 pkts bytes target     prot opt in     out     source               destination
   96  8578 MARK       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           MARK set 0x1
25004   36M MARK       all  --  eth2   *       0.0.0.0/0            0.0.0.0/0           MARK set 0x2
    0     0 MARK       all  --  eth3   *       0.0.0.0/0            0.0.0.0/0           MARK set 0x3

Chain markov2 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    7  1750 MARK       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           MARK set 0x15
24874   36M MARK       all  --  *      eth2    0.0.0.0/0            0.0.0.0/0           MARK set 0x16
    6  2222 MARK       all  --  *      eth3    0.0.0.0/0            0.0.0.0/0           MARK set 0x17

class htb 10:2 root rate 512000bit ceil 512000bit burst 1.625Kb cburst 1.625Kb
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 26624 ctokens: 26624

class htb 10:21 parent 10:2 leaf 8025: prio 0 rate 128000bit ceil 512000bit burst 1615b cburst 1.625Kb
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 103424 ctokens: 26624

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
THANKS A LOT FOR HELP

Jorge Sanchez

From andy.furniss at dsl.pipex.com Sat Oct 1 14:42:00
2005
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Sat Oct 1 14:42:02 2005
Subject: [LARTC] imq + htb
In-Reply-To: <433DDF4D.4050306@inway.cz>
References: <433DDF4D.4050306@inway.cz>
Message-ID: <433E8418.1030605@dsl.pipex.com>

choros wrote:

> tc filter add dev imq0 parent 10:2 protocol ip prio 1 handle 3 fw
> classid 10:23

The filters need to be on the root - 10: or you need another filter on 10:
to filter the packets to 10:2.

Andy.

From andy.furniss at dsl.pipex.com Sat Oct 1 14:45:01 2005
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Sat Oct 1 14:45:05 2005
Subject: [LARTC] Dequeue
In-Reply-To: <20050930163516.GA25172@localhost.home.com>
References: <20050930163516.GA25172@localhost.home.com>
Message-ID: <433E84CD.4030801@dsl.pipex.com>

anderson@skyweb.co.ke wrote:
> Hi,
>
> Does the 'tc' tool show dequeue statistics? If so what switches does one
> use to see this.
>

No it shows enqueue.

> If not which is the best way to see these statistics?

tcpdump or Vincent Perriers monitoring tool at www.rawsoft.org

Andy.

From daniel_phlander at yahoo.com Sat Oct 1 14:50:54 2005
From: daniel_phlander at yahoo.com (Daniel Phlander)
Date: Sat Oct 1 14:51:00 2005
Subject: [LARTC] Re: RE: Control Traffic
In-Reply-To: <20050926100004.E857E4035@outpost.ds9a.nl>
Message-ID: <20051001125054.84506.qmail@web32406.mail.mud.yahoo.com>

Hi Andreas!

I mainly understand what you mean. I tried to fix something in the script,
I don't know if I did it well. Can you take another look at it please and,
if it is wrong, make the corrections directly on it so that I see where the
mistake is...

With this script I want to make limits for IP class 85.120.48.0/25 for
international traffic in 256 KBps classes and for metropolitan traffic
100 MB or approximately.

Thank you!

#!/bin/bash

### units of measure for rate
# kbps - kilobytes per second
# mbps - megabytes per second
# kbit - kilobits per second
# mbit - megabits per second

EXT_IF="eth0"
INT_IF="eth1"
TC=/sbin/tc
IPTABLES=/sbin/iptables

# RATE DOWNLOAD
RAD_INET_ALL="1736kbit"
RAD_INET_LOW="64kbit"
RAD_INET_HIGH="256kbit"
RAD_METRO_ALL="90mbit"
RAD_METRO_LOW="70mbit"
RAD_METRO_HIGH="80mbit"

# RATE UPLOAD
RUP_INET_ALL="1536kbit"
RUP_INET="128kbit"
RUP_METRO_ALL="90mbit"
RUP_METRO="70mbit"

# INTRANET RATE
RATE_INTRA="80mbit"

DEST="85.120.48.128/25 192.171.172.0/24 10.10.10.0/24 217.156.110.86/32 193.226.18.0/24"

if [ "$1" = "status" ]
then
    clear
    echo "* [ discipline interfata $EXT_IF ]"
    $TC qdisc show dev $EXT_IF
    echo "* [ disciplinele interfata $INT_IF ]"
    $TC qdisc show dev $INT_IF
    echo "* [ clase interfata $EXT_IF ]"
    $TC class show dev $EXT_IF
    echo "* [ clase interfata $INT_IF ]"
    $TC class show dev $INT_IF
    echo "* [ filtre interfata $EXT_IF ]"
    $TC filter show dev $EXT_IF
    $TC filter show dev $EXT_IF parent 1:20
    $TC filter show dev $EXT_IF parent 1:30
    echo "* [ filtre interfata $INT_IF ]"
    $TC filter show dev $INT_IF
    $TC filter show dev $INT_IF parent 1:20
    $TC filter show dev $INT_IF parent 1:30
    echo
    echo "* [ marcarea traficului ]"
    $IPTABLES -n -t mangle -L POSTROUTING
    exit
fi

$TC qdisc delete dev $EXT_IF root 2> \
/dev/null
$TC qdisc delete dev $INT_IF root 2> /dev/null
$TC qdisc delete dev $INT_IF ingress 2> /dev/null
$IPTABLES -t mangle -F POSTROUTING

if [ "$1" = "stop" ]
then
    echo "[*] Managementul debitului este oprit."
    exit
fi

### //// 1] Classes for metropolitan/internet traffic for both interfaces:
$TC qdisc add dev $EXT_IF root handle 1: htb default 30
$TC class add dev $EXT_IF parent 1: classid 1:1 htb rate 100mbit
$TC class add dev $EXT_IF parent 1:1 classid 1:20 htb rate $RUP_METRO_ALL
$TC class add dev $EXT_IF parent 1:1 classid 1:30 htb rate $RUP_INET_ALL

$TC qdisc add dev $INT_IF root handle 1: htb default 30
$TC class add dev $INT_IF parent 1: classid 1:1 htb rate 100mbit
$TC class add dev $INT_IF parent 1:1 classid 1:20 htb rate $RAD_METRO_ALL
$TC class add dev $INT_IF parent 1:1 classid 1:30 htb rate $RAD_INET_ALL

### //// 2] Explicit classification of metropolitan traffic
for i in $DEST; do
    $TC filter add dev $EXT_IF parent 1: protocol ip u32 match ip dst $i flowid 1:20
    $TC filter add dev $INT_IF parent 1: protocol ip u32 match ip src $i flowid 1:20
done

### Client 1 => #85.120.48.0/25
# class
$TC class add dev $EXT_IF parent 1:20 classid 1:21 htb rate $RUP_METRO
$TC class add dev $EXT_IF parent 1:30 classid 1:31 htb rate $RUP_INET
$TC class add dev $INT_IF parent 1:20 classid 1:21 htb rate $RAD_METRO_LOW ceil $RAD_METRO_HIGH
$TC class add dev $INT_IF parent 1:30 classid 1:31 htb rate $RAD_INET_LOW ceil $RAD_INET_HIGH
# MARK
$IPTABLES -t mangle -A POSTROUTING -o $EXT_IF -s 85.120.48.0/25 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o $INT_IF -d 85.120.48.0/25 -j MARK --set-mark 1
# classification
$TC filter add dev $EXT_IF parent 1:20 protocol ip handle 1 fw flowid 1:21
$TC filter add dev $EXT_IF parent 1:30 protocol ip handle 1 fw flowid 1:31
$TC filter add dev $INT_IF parent 1:20 protocol ip handle 1 fw flowid 1:21
$TC filter add dev $INT_IF parent 1:30 protocol ip handle 1 fw flowid 1:31

echo "[*] Managementul debitului este activ."
lartc-request@mailman.ds9a.nl wrote:

Today's Topics:

   1. Re: Traffic Control (Andreas Klauer)
   2. Re: LARTC Digest, Vol 7, Issue 6 (Gobbledegeek)
   3. ip route add default mpath (rr| drr|random|wrandom)... (Krzysiek)

----------------------------------------------------------------------

Message: 1
Date: Sun, 25 Sep 2005 12:09:52 +0200
From: Andreas Klauer
Subject: Re: [LARTC] Traffic Control
To: lartc@mailman.ds9a.nl
Message-ID: <200509251209.52461.Andreas.Klauer@metamorpher.de>
Content-Type: text/plain; charset="iso-8859-15"

On Sunday 25 September 2005 07:37, Daniel Phlander wrote:
> I made a script as the attached one but it doesn't make any limit and I
> can't figure out what the problem is.

This is only a quick guess by glancing at your script, but it seems that
your HTB class tree is messed up. You have 'only child' classes - a parent
with only one child does not make sense, a child class needs at least one
sibling. Your default/filter rules point to parent classes, which won't
work. You must put packets into leaf classes. Attach filter rules to the
qdisc (attaching them to classes may not work) and have them point to leaf
classes (make sure the default class is a leaf class as well).

HTH
Andreas

------------------------------

Message: 2
Date: Mon, 26 Sep 2005 12:25:34 +0530
From: Gobbledegeek
Subject: [LARTC] Re: LARTC Digest, Vol 7, Issue 6
To: lartc@mailman.ds9a.nl
Message-ID: <463aea57050925235541c3820e@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

> > 1. iproute2/nano-howto: dual external routing, a "virtual
> > subnet" (/dev/rob0)
>
> Success!! I played around with this off and on all day, and now it
> works. I turned on /proc/sys/net/ipv4/conf/dummy0/proxy_arp (how can
> the interface be flagged NOARP and yet do proxy ARP?)

Hmm, there are a few arp patches on Julian's pages for lvs.. read their
READMEs to find out how they are applicable....

Rgrds

------------------------------

Message: 3
Date: 26 Sep 2005 09:56:18 +0200
From: Krzysiek
Subject: [LARTC] ip route add default mpath (rr| drr|random|wrandom)...
To: lartc@mailman.ds9a.nl
Message-ID: <20050926075618.721CC173E66@poczta.interia.pl>
Content-Type: TEXT/plain; CHARSET=ISO-8859-2

Anyone using it? I've tried but after about 5 min I always get a kernel
panic. My setup is based on nano.txt. It works well but only if
CONFIG_IP_ROUTE_MULTIPATH_CACHED=n. I just wanted to play with the new mpath
feature of ip. But enabling CONFIG_IP_ROUTE_MULTIPATH_CACHED always results
in a kernel panic. I'm not using any kernel patches from
http://www.ssi.bg/~ja/ - are they needed at all? - They do not apply
cleanly. The kernel is 2.6.13.

This configuration does not work:

CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_MULTIPATH_CACHED=y
CONFIG_IP_ROUTE_MULTIPATH_RR=m
CONFIG_IP_ROUTE_MULTIPATH_RANDOM=m
CONFIG_IP_ROUTE_MULTIPATH_WRANDOM=m
CONFIG_IP_ROUTE_MULTIPATH_DRR=m

How should I use these modules?

ip route add default mpath (rr| drr|random|wrandom)...

does not load the appropriate module automatically. Loading them manually
changes nothing. And issuing this command on a kernel where this feature is
not enabled does not report any error.

Krzysiek

------------------------------

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

End of LARTC Digest, Vol 7, Issue 7
***********************************

Respectfully,
Daniel Sandulescu
Phone: 0722-217018 0788-656.946
Tel/Fax: 0245-614556
E-mail : office@optinet.ro
From andy.furniss at dsl.pipex.com Sat Oct 1 15:33:00 2005
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Sat Oct 1 15:33:01 2005
Subject: [LARTC] Hmmm... Weird results with HTB in kernel 2.6.11
In-Reply-To: <4338207B.4050806@expertron.co.za>
References: <4338207B.4050806@expertron.co.za>
Message-ID: <433E900C.9080400@dsl.pipex.com>

Justin Schoeman wrote:
> Hi all,
>
> I have been getting some strange results with HTB in kernel 2.6.11, and
> was wondering if anybody could give me some advice. Also, if someone
> could direct me to the changelog for the recent versions so I can see if
> it is worth upgrading?
>
> Anyway, the problem can best be summed up by looking at the output of
> 'tc -s -d class show dev eth0'. Some of the relevant results are:
>
> class htb 1:1 root rate 1686Kbit ceil 1686Kbit burst 1809b/8 mpu 0b overhead 0b
> cburst 1809b/8 mpu 0b overhead 0b level 7
>  Sent 1964319339 bytes 2514673 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 1694Kbit 244pps backlog 0b 0p requeues 0
>  lended: 1257439 borrowed: 0 giants: 0
>  tokens: -29826 ctokens: -29826
>
> class htb 1:8 parent 1:1 rate 32000bit ceil 1686Kbit burst 1603b/8 mpu 0b
> overhead 0b cburst 1809b/8 mpu 0b overhead 0b level 6
>  Sent 27361971 bytes 52043 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 32704bit 6pps backlog 0b 0p requeues 0
>  lended: 16076 borrowed: 2007 giants: 0
>  tokens: -1796566 ctokens: 16310
>
> class htb 1:39 parent 1:1 rate 8000bit ceil 1686Kbit burst 1600b/8 mpu 0b
> overhead 0b cburst 1809b/8 mpu 0b overhead 0b level 6
>  Sent 258423850 bytes 281091 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 132152bit 19pps backlog 0b 0p requeues 0
>  lended: 5241 borrowed: 270604 giants: 0
>  tokens: -1073545 ctokens: 1525
>
> As you can see, the parent class is pretty much maxed out, which is
> fine, but two of the child classes are not OK... 1:8 with a target rate
> of 32kbit is getting 32kbit, while 1:39 with a target rate of 8kbit is
> getting 132kbit!
> Looking at the states, this seems to be the normal
> state while the link is saturated.
>
> Can anybody see something obviously wrong (perhaps an underflow, or
> something?), or is more info needed? If so, what info?

Neither are backlogged - if several consecutive tc -s -d class show dev eth0
are the same then htb isn't limiting them at that time.

1:39 is allowed to borrow - but you say the link is full. Perhaps your ceil
is too high and you are not fully in control, or you have attached queues to
the leafs which are too short, or there is packet loss elsewhere.

Andy.

From gjnardoni at yahoo.com.ar Sat Oct 1 16:05:19 2005
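Both Jorge's `tc -s class show` dump in the imq + htb thread (every class at Sent 0 although iptables counted the marks) and Justin's output above are read the same way: compare each class's measured rate with its rate and ceil, then look at backlog and borrowed. The Python script below is an added example, not code from the list archive or from the iproute2 project; it parses that output format and applies Andy's checks. The class records embedded in it are copied from the two posts; the 5% tolerance that absorbs burst overshoot is an assumption.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# tc prints rates with SI prefixes: 1Kbit = 1000 bit/s.
_UNIT = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}

def parse_rate(text: str) -> int:
    """'1686Kbit' -> 1686000, '32704bit' -> 32704 (bit/s)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMGkmg]?)bit", text)
    if not m:
        raise ValueError(f"unrecognised rate {text!r}")
    return int(float(m.group(1)) * _UNIT[m.group(2).upper()])

@dataclass
class HtbClass:
    classid: str
    parent: str | None  # None for the root class
    rate: int           # guaranteed rate, bit/s
    ceil: int           # borrowing limit, bit/s
    observed: int       # measured rate from the statistics lines, bit/s
    sent_pkts: int
    dropped: int
    backlog: int        # bytes queued when the snapshot was taken
    borrowed: int       # how often the class borrowed from its parent

def _grab(body: str, pattern: str) -> tuple[str, ...]:
    m = re.search(pattern, body)
    if m is None:
        raise ValueError(f"field {pattern!r} missing from class record")
    return m.groups()

def parse_classes(output: str) -> list[HtbClass]:
    """One HtbClass per 'class htb ...' record; line wrapping in the output does not matter."""
    heads = list(re.finditer(r"class htb (\S+) (?:(root)|parent (\S+))", output))
    classes = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(output)
        body = output[h.start():end]
        rate, ceil = _grab(body, r"\brate (\S+) ceil (\S+)")  # configured values
        (observed,) = _grab(body, r"\brate (\S+) \d+pps")      # measured value
        pkts, dropped = _grab(body, r"Sent \d+ bytes (\d+) pkt \(dropped (\d+),")
        (backlog,) = _grab(body, r"backlog (\d+)b ")
        (borrowed,) = _grab(body, r"borrowed: (\d+)")
        classes.append(HtbClass(h.group(1), h.group(3), parse_rate(rate), parse_rate(ceil),
                                parse_rate(observed), int(pkts), int(dropped),
                                int(backlog), int(borrowed)))
    return classes

def diagnose(classes: list[HtbClass], tolerance: float = 0.05) -> list[tuple[str, str]]:
    """(classid, finding) pairs; tolerance (assumed 5%) absorbs the brief burst/cburst overshoot one snapshot can show."""
    findings = []
    if classes and all(c.sent_pkts == 0 for c in classes):
        findings.append(("*", "no class has seen a packet: check that the fw filters hang off "
                              "the root qdisc and point at existing leaf classes"))
    for c in classes:
        if c.observed > c.ceil * (1 + tolerance):
            findings.append((c.classid, f"observed {c.observed} bit/s exceeds ceil {c.ceil} bit/s"))
        elif c.borrowed and c.observed > c.rate * (1 + tolerance):
            note = f"borrowing: observed {c.observed} bit/s, rate {c.rate} bit/s, ceil {c.ceil} bit/s"
            if c.backlog == 0 and c.dropped == 0:
                note += "; not backlogged, so HTB is not limiting it in this snapshot"
            findings.append((c.classid, note))
    return findings

# Statistics copied from Justin Schoeman's post in this thread (tc -s -d class show dev eth0).
JUSTIN = """\
class htb 1:1 root rate 1686Kbit ceil 1686Kbit burst 1809b/8 mpu 0b overhead 0b cburst 1809b/8 mpu 0b overhead 0b level 7
 Sent 1964319339 bytes 2514673 pkt (dropped 0, overlimits 0 requeues 0)
 rate 1694Kbit 244pps backlog 0b 0p requeues 0
 lended: 1257439 borrowed: 0 giants: 0
 tokens: -29826 ctokens: -29826
class htb 1:8 parent 1:1 rate 32000bit ceil 1686Kbit burst 1603b/8 mpu 0b overhead 0b cburst 1809b/8 mpu 0b overhead 0b level 6
 Sent 27361971 bytes 52043 pkt (dropped 0, overlimits 0 requeues 0)
 rate 32704bit 6pps backlog 0b 0p requeues 0
 lended: 16076 borrowed: 2007 giants: 0
 tokens: -1796566 ctokens: 16310
class htb 1:39 parent 1:1 rate 8000bit ceil 1686Kbit burst 1600b/8 mpu 0b overhead 0b cburst 1809b/8 mpu 0b overhead 0b level 6
 Sent 258423850 bytes 281091 pkt (dropped 0, overlimits 0 requeues 0)
 rate 132152bit 19pps backlog 0b 0p requeues 0
 lended: 5241 borrowed: 270604 giants: 0
 tokens: -1073545 ctokens: 1525
"""

# One record copied from Jorge Sanchez's "imq + htb" post: iptables counted the marks, nothing was classified.
JORGE = """\
class htb 10:21 parent 10:2 leaf 8025: prio 0 rate 128000bit ceil 512000bit burst 1615b cburst 1.625Kb
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 103424 ctokens: 26624
"""

if __name__ == "__main__":
    for classid, finding in diagnose(parse_classes(JUSTIN)) + diagnose(parse_classes(JORGE)):
        print(classid, finding)
```

Feed it the live output of `tc -s -d class show dev <if>` taken a few seconds apart: a class that is flagged as borrowing and never backlogged is, as Andy says, not being limited by HTB at all.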
From: gjnardoni at yahoo.com.ar (Guillermo Javier Nardoni)
Date: Sat Oct 1 16:03:13 2005
Subject: [LARTC] I gave up.-...-.-.-.- :'(
Message-ID: <007101c5c691$2c6f81f0$5b00a8c0@ripst>

Actually I gave up. I tried and tried and tried so many times, upgrading
software, falling back to an old version, but it didn't work, that's it.
I can't make tc work together with iptables and iproute2. When I mark a
packet with iptables, tc doesn't recognize it, so it falls into the default
leaf of tc's tree.

What I'd like is to mark packets depending on their IP (the one who makes a
connection into the linux (gateway) box) and port.

I'll transcribe my script because I really don't know what to do.

p.d. So, what I'd like to do is just simple, I guess: everything that comes
from eth1 and goes to eth1 (LAN users to linux box services) must be shaped
by IP address + port (dport, I guess; INPUT/OUTPUT chain?) and everything
that comes from ETH1 and goes to ETH0 (Internet access; I guess
PREROUTING/POSTROUTING/FORWARD chain) MUST BE SHAPED BY PORT + IP ADDRESS.

I have this situation on the linux server:

eth0: (Out to internet)
eth1: (LAN)

configuration: eth0 (network 200.123.166.72, broadcast: 200.123.166.79;
ip range: 200.123.166.73-77)
eth0 ip: 200.123.166.73
eth0 gw: 200.123.166.78
eth0 netmask: 255.255.255.248
eth0 dns1: 200.123.166.73
eth0 dns2: 200.123.166.74

configuration: eth1 (network 172.16.0.0, broadcast: 172.16.0.255;
ip range: 172.16.0.1-254)
eth1 ip: 172.16.0.1
eth1 gw: (none)
eth1 netmask: 255.255.0.0
eth1 dns1: 200.123.166.73
eth1 dns2: 200.123.166.74

LINUX BOX SERVING THESE SERVICES:
HTTP (PORT 80)
SMTP (PORT 25)
POP3 (PORT 110)
SSH (PORT 22)
FTP (PORT 20-21)
SMB FS (PORT 136-139)
IRC (PORT 6667)

CONFIGURATION OF TC:

tc=/sbin/tc
iptables=/sbin/iptables
echo "Building tc Classes"
IFACE="eth0 eth1"
for i in $IFACE;do
$tc qdisc add dev $i root handle 1: htb default 10
$tc class add dev $i parent 1: classid 1:1 htb rate 2048mbit
$tc class add dev $i parent 1:1 classid 1:10 htb rate 10kbit ceil 128kbit \
quantum 1514
$tc class add dev $i parent 1:1 classid 1:20 htb rate 10kbit ceil 256kbit quantum 1514
$tc class add dev $i parent 1:1 classid 1:30 htb rate 10kbit ceil 512kbit quantum 1514
$tc class add dev $i parent 1:1 classid 1:40 htb rate 10kbit ceil 1024bit quantum 1514
$tc class add dev $i parent 1:1 classid 1:50 htb rate 10kbit ceil 2048bit quantum 1514
$tc class add dev $i parent 1:1 classid 1:60 htb rate 10kbit ceil 256kbit quantum 1514  # USED FOR HTTP/IRC
$tc class add dev $i parent 1:1 classid 1:70 htb rate 10kbit ceil 128kbit quantum 1514  # USED FOR EMAIL (SMTP/POP3)
$tc qdisc add dev $i parent 1:10 handle 10: sfq perturb 10
$tc qdisc add dev $i parent 1:20 handle 20: sfq perturb 10
$tc qdisc add dev $i parent 1:30 handle 30: sfq perturb 10
$tc qdisc add dev $i parent 1:40 handle 40: sfq perturb 10
$tc qdisc add dev $i parent 1:50 handle 50: sfq perturb 10
$tc qdisc add dev $i parent 1:60 handle 60: sfq perturb 10
$tc qdisc add dev $i parent 1:70 handle 70: sfq perturb 10
$tc filter add dev $i parent 1:0 protocol ip prio 0 handle 10 fw flowid 1:10
$tc filter add dev $i parent 1:0 protocol ip prio 0 handle 20 fw flowid 1:20
$tc filter add dev $i parent 1:0 protocol ip prio 0 handle 30 fw flowid 1:30
$tc filter add dev $i parent 1:0 protocol ip prio 0 handle 40 fw flowid 1:40
$tc filter add dev $i parent 1:0 protocol ip prio 0 handle 50 fw flowid 1:50
$tc filter add dev $i parent 1:0 protocol ip prio 0 handle 60 fw flowid 1:60
$tc filter add dev $i parent 1:0 protocol ip prio 0 handle 70 fw flowid 1:70

PORTS="80 6667 20 21"
#ANY IP MUST BE SHAPED BY THESE PORTS TO THE 1:60 LEAF
for i in $PORTS;do
$iptables -t mangle -A INPUT -i eth1 -s 172.16.0.0/16 -p tcp --dport $i -j MARK --set-mark 60
$iptables -t mangle -A INPUT -i eth1 -s 172.16.0.0/16 -p udp --dport $i -j MARK --set-mark 60
$iptables -t mangle -A OUTPUT -o eth1 -d 172.16.0.0/16 -p tcp --dport $i -j MARK --set-mark 60
$iptables -t mangle -A OUTPUT -o eth1 -d 172.16.0.0/16 -p udp --dport $i -j MARK \
--set-mark 60
$iptables -t mangle -A INPUT -i eth0 -d 200.123.166.72/30 -p tcp --dport $i -j MARK --set-mark 60
$iptables -t mangle -A INPUT -i eth0 -d 200.123.166.72/30 -p udp --dport $i -j MARK --set-mark 60
$iptables -t mangle -A OUTPUT -o eth0 -d 200.123.166.72/30 -p tcp --dport $i -j MARK --set-mark 60
$iptables -t mangle -A OUTPUT -o eth0 -d 200.123.166.72/30 -p udp --dport $i -j MARK --set-mark 60
done

SOOOOOOOOOOOOOOOOOO WHAT AM I DOING WRONG, BECAUSE ALL TRAFFIC COMING OR GOING
JUST FALLS INTO 1:10 (DEFAULT LEAF)

This is an extract from the script, so it shows you the LOCAL PROCESSING of
information, not PREROUTING.

PLEASE HELPPPPPPPPP ME I DON'T KNOW WHAT TO DO AND MY SYSTEM IS GOING DOWN
FASTER.-

MY CONFIGURATION IS:
ip utility, iproute2-ss050330
tc utility, iproute2-ss050330
iptables v1.3.3
kernel: 2.6.13
patch applied for kernel and iproute and iptables (esfq + wrr)

heeeeeeeeeeeeeeeelp

thank you so much

Guillermo from Argentina

From jorge at inway.cz Sat Oct 1 16:56:43 2005
From: jorge at inway.cz (choros)
Date: Sat Oct 1 16:56:44 2005
Subject: [LARTC] imq + htb
In-Reply-To: <433E8418.1030605@dsl.pipex.com>
References: <433DDF4D.4050306@inway.cz> <433E8418.1030605@dsl.pipex.com>
Message-ID: <433EA3AB.5070107@inway.cz>

Andy Furniss wrote:
> choros wrote:
>
>> tc filter add dev imq0 parent 10:2 protocol ip prio 1 handle 3 fw
>> classid 10:23
>
>
> The filters need to be on the root - 10: or you need another filter
> on 10: to filter the packets to 10:2.
>
> Andy.

Thanks for your help. I did what you said and everything seems to be ok..

Jorge

From tiago.silva at zmail.pt Sat Oct 1 20:45:11 2005
From: tiago.silva at zmail.pt (Tiago Bruno Espírito Santo Silva)
Date: Sat Oct 1 20:29:12 2005
Subject: [LARTC] heavy VBR traffic with HTB
Message-ID: <433ED937.9090009@zmail.pt>

Hello!

I made a simple configuration with HTB, 10% http and 90% video, where http
can share the available bandwidth left over from video. But :(... I think
HTB is not very fast and it can't adapt quickly to the great variation of
MPEG 4 VBR (700M film), and sometimes it jerks a bit in great variations of
bandwidth. I'm making a download to always have 100% bandwidth utilization
(or near). This setup is running on a controlled home LAN.

Has anyone tried something like that? Am I missing something?

Please, someone tell me something.

thanks
Tiago

PS: sorry for my English :(

From netmon at hot.ee Sat Oct 1 21:13:50 2005
From: netmon at hot.ee (Anonymous)
Date: Sat Oct 1 21:13:59 2005
Subject: [LARTC] need help on multiple isp routing
References: <20051001140323.A05DC4629@outpost.ds9a.nl>
Message-ID: <001001c5c6bc$428e9900$1000a8c0@naksitrallid.dyn.ee>

Could someone take a fresh look at my configuration and then tell me where
I took the wrong turn. Yes, outgoing packets take different routes/gateways
based on an ip fwmark/iptables mark. At least I believe they do. But when I
run an iftop session (one per each of the ppp interfaces) I see that packets
(with correct outgoing IP) go out and get replies only on ppp0, while ppp1
only sends (outgoing IPs also correct) and receives but doesn't forward.
Some mistake I made in filter input/forward, nat prerouting, huh? I don't
get it... Should I somehow mark incoming packets as well? I'm lost :( Or
drop packets from ppp0 on ppp1 and then ppp1 on ppp0?

#!/bin/sh
PPP=(ppp0 ppp1)
IP=(`ifconfig ${PPP[0]}|sed -n 2p|column -s ":" -t|awk '{print $3}'` `ifconfig ${PPP[1]}|sed -n 2p|column -s ":" -t|awk '{print $3}'`)
GATEWAY=(`ifconfig ${PPP[0]}|sed -n 2p|column -s ":" -t|awk '{print $5}'` `ifconfig ${PPP[1]}|sed -n 2p|column -s ":" -t|awk '{print $5}'`)

route del default
ip route flush table auxiliary
ip route show table main | grep -Ev ^default \
  | while read ROUTE ; do
    ip route add table auxiliary $ROUTE
done
ip route add table auxiliary default via ${GATEWAY[1]} dev ${PPP[1]}
ip route add table main default via ${GATEWAY[0]} dev ${PPP[0]}
ip rule add fwmark 252 table auxiliary
ip rule add fwmark 254 table main

iptables -F
iptables -F -t nat
iptables -F -t mangle

iptables -A INPUT -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ppp1 -p tcp -m tcp --dport 20 -j ACCEPT
iptables -A INPUT -i ppp1 -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -i ppp+ -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp -m udp --dport 123 -j ACCEPT
iptables \
-A INPUT -i ppp1 -p tcp -m tcp --dport 55000:55500 -j ACCEPT
iptables -A INPUT -i ppp+ -m state --state NEW,INVALID -j DROP

iptables -A FORWARD -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ppp0 -p tcp -m tcp --dport 4662 -j ACCEPT
iptables -A FORWARD -i ppp1 -p tcp -m tcp --dport 4663 -j ACCEPT
iptables -A FORWARD -i ppp0 -p udp -m udp --dport 4672 -j ACCEPT
iptables -A FORWARD -i ppp1 -p udp -m udp --dport 4673 -j ACCEPT
iptables -A FORWARD -i ppp0 -p tcp -m tcp --dport 5000:5010 -j ACCEPT
iptables -A FORWARD -i ppp0 -p tcp -m tcp --dport 15402 -j ACCEPT
iptables -A FORWARD -i ppp0 -p udp -m udp --dport 15402 -j ACCEPT
iptables -A FORWARD -i ppp+ -m state --state NEW,INVALID -j DROP

iptables -t mangle -A PREROUTING -s 192.168.0.62 -j MARK --set-mark 252
iptables -t mangle -A PREROUTING -s 192.168.0.16 -j MARK --set-mark 254
iptables -t mangle -A PREROUTING -p icmp -m icmp -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 0:128 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 128: -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 20 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 21 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 22 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p udp -m udp --sport 53 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p udp -m udp --sport 123 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p icmp -m icmp -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 0:128 -j TOS --set-tos Minimize-Delay
iptables -t mangle \
-A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 128: -j TOS --set-tos Maximize-Throughput iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 20 -j TOS --set-tos Maximize-Throughput iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 21 -j TOS --set-tos Minimize-Delay iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 22 -j TOS --set-tos Minimize-Delay iptables -t mangle -A OUTPUT -p udp -m udp --dport 53 -j TOS --set-tos Maximize-Throughput iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 80 -j TOS --set-tos Maximize-Throughput iptables -t mangle -A OUTPUT -p udp -m udp --dport 123 -j TOS --set-tos Minimize-Delay iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 4662 -j DNAT --to 192.168.0.16:4662 iptables -t nat -A PREROUTING -i ppp1 -p tcp -m tcp --dport 4663 -j DNAT --to 192.168.0.62:4663 iptables -t nat -A PREROUTING -i ppp0 -p udp -m udp --dport 4672 -j DNAT --to 192.168.0.16:4672 iptables -t nat -A PREROUTING -i ppp1 -p udp -m udp --dport 4673 -j DNAT --to 192.168.0.62:4673 iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 5000:5010 -j DNAT --to 192.168.0.16:5000-5010 iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 15402 -j DNAT --to 192.168.0.16:15402 iptables -t nat -A PREROUTING -i ppp0 -p udp -m udp --dport 15402 -j DNAT --to 192.168.0.16:15402 iptables -t nat -A PREROUTING -i eth2 -p tcp -m tcp -s 192.168.0.16 --dport 80 -j DNAT --to 192.168.0.1:3128 #iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.16 -j MASQUERADE #iptables -t nat -A POSTROUTING -o ppp1 -s 192.168.0.62 -j MASQUERADE iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.16 -j SNAT --to ${IP[0]} iptables -t nat -A POSTROUTING -o ppp1 -s 192.168.0.62 -j SNAT --to ${IP[1]} From stef.coene at docum.org Sun Oct 2 08:50:43 2005 
From: stef.coene at docum.org (Stef Coene)
Date: Sun Oct 2 08:50:32 2005
Subject: [LARTC] I gave up.-...-.-.-.- :'(
In-Reply-To: <007101c5c691$2c6f81f0$5b00a8c0@ripst>
References: <007101c5c691$2c6f81f0$5b00a8c0@ripst>
Message-ID: <200510020850.43166.stef.coene@docum.org>

On Saturday 01 October 2005 16:05, Guillermo Javier Nardoni wrote:
> SOOOOOOOOOOOOOOOOOO WHAT AM I DOING WRONG, BECAUSE EVERY TRAFFIC COMING OR
> GOING JUST FALLS ON 1:10 (DEFAULT LEAF)

Check with iptables -L -v -n -t mangle to see if the counters are incrementing like they should be.

Also, classes and marks are in hex. So try "--set-mark 0x60" to force the number to be interpreted as a hex number.

And using iptables + tc works. I used it in a few hundred scripts. Check out www.docum.org for working examples.

Stef

From andy.furniss at dsl.pipex.com Sun Oct 2 13:36:53 2005
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Sun Oct 2 13:37:03 2005
Subject: [LARTC] I gave up.-...-.-.-.- :'(
In-Reply-To: <007101c5c691$2c6f81f0$5b00a8c0@ripst>
References: <007101c5c691$2c6f81f0$5b00a8c0@ripst>
Message-ID: <433FC655.90900@dsl.pipex.com>

Guillermo Javier Nardoni wrote:
> Actually I gave up, I tried and tried and tried so many times, upgrading software, falling back to an old version
> but it didn't work, that's it.
> I can't make tc work together with iptables and iproute2
> when I mark a packet with iptables tc doesn't recognize them so it falls at the default leaf of the tc's tree

Try what Stef says - but even if mark doesn't work for you there are always other ways - iptables CLASSIFY or use tc filters to classify.

>
> what I like is to mark packets depending on their ip (the one who makes a connection into the linux (gateway) box) and port.
>
> I'll transcript my script because I really don't know what to do.
>
> p.d. so, what I like to do is just simple, I guess; everything that comes from eth1 and goes to eth1 (lan users to linux box services) must be shaped by ip address + port (dport I guess INPUT/OUTPUT CHAIN?)
> and everything that comes from ETH1 and goes to ETH0 (Internet Access I guess PREROUTING/POSTROUTING/FORWARD chain) MUST BE SHAPED BY PORT + IP ADDRESS
>

Remember you can only shape outbound traffic on eth0/1; if you want to shape inbound then you need to use policers/dummy/imq (though you can shape inbound on eth0 that is for LAN by shaping on eth1).

> I have this situation on the linux server:
>
> eth0: (Out to internet)
> eth1: (LAN)
>
> configuration: eth0 (network 200.123.166.72, broadcast: 200.123.166.79; (ip range: 200.123.166.73-77)
> eth0 ip: 200.123.166.73
> eth0: gw: 200.123.166.78
> eth0: netmask: 255.255.255.248
> eth dns1: 200.123.166.73
> eth0 dns2: 200.123.166.74
>
> configuration: eth1 (network 172.16.0.0 broadcast: 172.16.0.255 (ip range: 172.16.0.1-254)
> eth1 ip: 172.16.0.1
> eth1: gw: (none)
> eth1: netmask: 255.255.0.0
> eth1: dns1: 200.123.166.73
> eth1: dns2: 200.123.166.74

I assume your routing is all OK and just tc is not working.

>
> LINUX BOX SERVING THESE SERVICES: HTTP (PORT 80) SMTP (PORT 25) POP3 (PORT 110) SSH (PORT 22) FTP (PORT 20-21) SMB FS (PORT 136-139) IRC (PORT 6667)
>
> CONFIGURATION OF TC:
>
> tc=/sbin/tc
> iptables=/sbin/iptables
>
> echo "Building tc Classes"
> IFACE="eth0 eth1"
>
> for i in $IFACE;do
> $tc qdisc add dev $i root handle 1: htb default 10
>
> $tc class add dev $i parent 1: classid 1:1 htb rate 2048mbit

Should be kbit and may still be too high for your inet link.

>
> $tc class add dev $i parent 1:1 classid 1:10 htb rate 10kbit ceil 128kbit quantum 1514
> $tc class add dev $i parent 1:1 classid 1:20 htb rate 10kbit ceil 256kbit quantum 1514
> $tc class add dev $i parent 1:1 classid 1:30 htb rate 10kbit ceil 512kbit quantum 1514
> $tc class add dev $i parent 1:1 classid 1:40 htb rate 10kbit ceil 1024bit quantum 1514
> $tc class add dev $i parent 1:1 classid 1:50 htb rate 10kbit ceil 2048bit quantum 1514

Missing ks on last two ceils.

>
> $tc class add dev $i parent 1:1 classid 1:60 htb rate 10kbit ceil 256kbit quantum 1514 # USED FOR HTTP/IRC
> $tc class add dev $i parent 1:1 classid 1:70 htb rate 10kbit ceil 128kbit quantum 1514 # USED FOR EMAIL (SMTP/POP3)
>
>
> $tc qdisc add dev $i parent 1:10 handle 10: sfq perturb 10
> $tc qdisc add dev $i parent 1:20 handle 20: sfq perturb 10
> $tc qdisc add dev $i parent 1:30 handle 30: sfq perturb 10
> $tc qdisc add dev $i parent 1:40 handle 40: sfq perturb 10
> $tc qdisc add dev $i parent 1:50 handle 50: sfq perturb 10
>
> $tc qdisc add dev $i parent 1:60 handle 60: sfq perturb 10
> $tc qdisc add dev $i parent 1:70 handle 70: sfq perturb 10
>
> $tc filter add dev $i parent 1:0 protocol ip prio 0 handle 10 fw flowid 1:10
> $tc filter add dev $i parent 1:0 protocol ip prio 0 handle 20 fw flowid 1:20
> $tc filter add dev $i parent 1:0 protocol ip prio 0 handle 30 fw flowid 1:30
> $tc filter add dev $i parent 1:0 protocol ip prio 0 handle 40 fw flowid 1:40
> $tc filter add dev $i parent 1:0 protocol ip prio 0 handle 50 fw flowid 1:50
> $tc filter add dev $i parent 1:0 protocol ip prio 0 handle 60 fw flowid 1:60
> $tc filter add dev $i parent 1:0 protocol ip prio 0 handle 70 fw flowid 1:70

Won't make any difference here but 1 is the top prio for filters.

>
>
> PORTS="80 6667 20 21"
> #ANY IP MUST BE SHAPED BY THESE PORTS TO THE 1:60 LEAF
> for i in $PORTS;do
> $iptables -t mangle -A INPUT -i eth1 -s 172.16.0.0/16 -p tcp --dport $i -j MARK --set-mark 60
> $iptables -t mangle -A INPUT -i eth1 -s 172.16.0.0/16 -p udp --dport $i -j MARK --set-mark 60

Marking in INPUT will have no effect for tc - I don't know what you are trying to do here.

Andy.

From andy.furniss at dsl.pipex.com Sun Oct 2 13:40:14 2005
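The unit slips Andy points out above (a 2048mbit root class and two ceils missing their k) are the kind of thing worth catching before the script ever reaches tc. The following is an added example, not code from the thread: it converts tc rate strings with tc's own unit table (kbit = 1000 bit/s, kbps = 8000 bit/s, binary prefixes not handled) and checks an HTB class list for a ceil below its own rate, a child ceil above its parent's ceil, and a top class faster than the link; the 2 Mbit/s link speed is an assumption, the thread never states it.

```python
"""Added example (not code from the thread): sanity-check HTB rate/ceil
strings before they go to tc, using tc's decimal unit table."""
import re

# tc rate suffixes expressed in bits per second. The "bps" family is BYTES
# per second in tc, hence the factor 8; SI prefixes are decimal (k = 1000).
_UNITS = {
    "bit": 1, "kbit": 1_000, "mbit": 1_000_000, "gbit": 1_000_000_000,
    "bps": 8, "kbps": 8_000, "mbps": 8_000_000, "gbps": 8_000_000_000,
}


def parse_rate(text):
    """Return a tc rate string as bits per second: '10kbit' -> 10000.
    A bare number is bit/s, which is also how tc reads it."""
    m = re.fullmatch(r"(\d+)([a-zA-Z]*)", text.strip())
    if not m:
        raise ValueError(f"unparseable rate {text!r}")
    value, unit = int(m.group(1)), (m.group(2).lower() or "bit")
    if unit not in _UNITS:
        raise ValueError(f"unknown rate unit {unit!r} in {text!r}")
    return value * _UNITS[unit]


def check_classes(classes, link_rate):
    """classes: dicts with classid, parent, rate and optional ceil (strings).
    link_rate: real link speed in bit/s. Returns a list of problems."""
    by_id, problems = {}, []
    for c in classes:
        rate = parse_rate(c["rate"])
        # HTB: a class with no ceil gets ceil = rate.
        ceil = parse_rate(c["ceil"]) if c.get("ceil") else rate
        by_id[c["classid"]] = (rate, ceil)
    for c in classes:
        rate, ceil = by_id[c["classid"]]
        if ceil < rate:
            problems.append(f"{c['classid']}: ceil {c['ceil']} is below rate {c['rate']}")
        parent = by_id.get(c["parent"])
        if parent is None:
            # Hangs directly off the qdisc, so this is the link-wide cap.
            if rate > link_rate:
                problems.append(f"{c['classid']}: rate {c['rate']} exceeds the link ({link_rate} bit/s)")
        elif ceil > parent[1]:
            problems.append(f"{c['classid']}: ceil {ceil} bit/s exceeds parent ceil {parent[1]} bit/s")
    return problems


# The class tree exactly as posted in the quoted script above.
POSTED_CLASSES = [
    {"classid": "1:1",  "parent": "1:",  "rate": "2048mbit"},
    {"classid": "1:10", "parent": "1:1", "rate": "10kbit", "ceil": "128kbit"},
    {"classid": "1:20", "parent": "1:1", "rate": "10kbit", "ceil": "256kbit"},
    {"classid": "1:30", "parent": "1:1", "rate": "10kbit", "ceil": "512kbit"},
    {"classid": "1:40", "parent": "1:1", "rate": "10kbit", "ceil": "1024bit"},
    {"classid": "1:50", "parent": "1:1", "rate": "10kbit", "ceil": "2048bit"},
    {"classid": "1:60", "parent": "1:1", "rate": "10kbit", "ceil": "256kbit"},
    {"classid": "1:70", "parent": "1:1", "rate": "10kbit", "ceil": "128kbit"},
]

if __name__ == "__main__":
    # Assumed 2 Mbit/s uplink; the thread does not give the real figure.
    for problem in check_classes(POSTED_CLASSES, parse_rate("2mbit")):
        print(problem)
```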
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Sun Oct 2 13:40:17 2005
Subject: [LARTC] heavy VBR traffic with HTB
In-Reply-To: <433ED937.9090009@zmail.pt>
References: <433ED937.9090009@zmail.pt>
Message-ID: <433FC71E.1090607@dsl.pipex.com>

Tiago Bruno Espírito Santo Silva wrote:
> Hello!
>
> I made a simple configuration with HTB, 10% http and 90% Video, where
> http can share the available bandwidth left from video.
>
> But :(... I think HTB is not very fast and it can't adapt quickly to
> the great variation of the MPEG 4 VBR (700M film), and sometimes it
> jerks a bit in great variations of bandwidth. I'm making a download to
> have always 100% bandwidth utilization (or near). This setup is running
> on a controlled home lan.
>
> Has anyone tried something like that? Am I missing something?
>
> Please someone tell me something.

Your rates/ceils are probably too high; you need to allow for overheads - seeing your script would help.

Andy.

From lists at wildgooses.com Sun Oct 2 20:25:17 2005
From: lists at wildgooses.com (Ed W)
Date: Sun Oct 2 20:25:29 2005
Subject: [LARTC] heavy VBR traffic with HTB
In-Reply-To: <433FC71E.1090607@dsl.pipex.com>
References: <433ED937.9090009@zmail.pt> <433FC71E.1090607@dsl.pipex.com>
Message-ID: <4340260D.8020206@wildgooses.com>

Andy Furniss wrote:
> Tiago Bruno Espírito Santo Silva wrote:
>
>> Hello!
>>
>> I made a simple configuration with HTB, 10% http and 90% Video, where
>> http can share the available bandwidth left from video.
>>
>> But :(... I think HTB is not very fast and it can't adapt quickly to
>> the great variation of the MPEG 4 VBR (700M film), and sometimes it
>> jerks a bit in great variations of bandwidth. I'm making a download to
>> have always 100% bandwidth utilization (or near). This setup is running
>> on a controlled home lan.
>>
>> Has anyone tried something like that? Am I missing something?
>>
>> Please someone tell me something.
>
>
> Your rates/ceils are probably too high; you need to allow for overheads
> - seeing your script would help.

Actually he said he was *downloading*, and so he probably doesn't have control over the incoming stream.

Remember that you can only really control outgoing rates properly - incoming streams you control indirectly and all you can do is ignore the sender for a while and hope he stops sending you stuff so quickly... So this is probably your problem - HTB reacts instantly, but the sender keeps sending stuff for perhaps several seconds until you stop answering him and then backs off - there is a reaction lag and there is not much you can do about it really.

Ed W

From tiago.silva at zmail.pt Sun Oct 2 21:28:41 2005
From: tiago.silva at zmail.pt (Tiago Bruno Espírito Santo Silva)
Date: Sun Oct 2 21:12:23 2005
Subject: [LARTC] heavy VBR traffic with HTB
In-Reply-To: <4340260D.8020206@wildgooses.com>
References: <433ED937.9090009@zmail.pt> <433FC71E.1090607@dsl.pipex.com> <4340260D.8020206@wildgooses.com>
Message-ID: <434034E9.3090104@zmail.pt>

Ed W wrote:
> Andy Furniss wrote:
>
>> Tiago Bruno Espírito Santo Silva wrote:
>>
>>> Hello!
>>>
>>> I made a simple configuration with HTB, 10% http and 90% Video, where
>>> http can share the available bandwidth left from video.
>>>
>>> But :(... I think HTB is not very fast and it can't adapt quickly to
>>> the great variation of the MPEG 4 VBR (700M film), and sometimes it
>>> jerks a bit in great variations of bandwidth. I'm making a download to
>>> have always 100% bandwidth utilization (or near). This setup is running
>>> on a controlled home lan.
>>>
>>> Has anyone tried something like that? Am I missing something?
>>>
>>> Please someone tell me something.
>>
>>
>>
>> Your rates/ceils are probably too high; you need to allow for overheads
>> - seeing your script would help.
>
>
>
> Actually he said he was *downloading*, and so he probably doesn't have
> control over the incoming stream.
>
> Remember that you can only really control outgoing rates properly -
> incoming streams you control indirectly and all you can do is ignore
> the sender for a while and hope he stops sending you stuff so
> quickly... So this is probably your problem - HTB reacts instantly,
> but the sender keeps sending stuff for perhaps several seconds until
> you stop answering him and then backs off - there is a reaction lag
> and there is not much you can do about it really.
>
> Ed W

Thanks for the responses!

Well, I'm out these days but I'll try to test again when I go back home; I'll send the scripts later this week.
I have 3 PCs, something like this:

A<===>R<===>B

Where R is the router with 2 ethernet cards... so I have in A an http server (tcp) and VLC streaming (udp) to B; I think I can control the outgoing traffic from A to B in the "R"outer.

You are saying to me that with this configuration, if the rates/ceils are well chosen, the video streaming must work with no jerks even if the bandwidth is at 100% (or near).

Thanks for your help

Tiago

From netmon at hot.ee Mon Oct 3 16:37:04 2005
From: netmon at hot.ee (Anonymous)
Date: Mon Oct 3 16:37:17 2005
Subject: [LARTC] need help on multiple isp routing
References: <20051002100007.9C06D4042@outpost.ds9a.nl>
Message-ID: <003201c5c827$edcf9050$1000a8c0@naksitrallid.dyn.ee>

I finally made it! yeeee-ha! It works!

The only thing I have to configure is how to make those 2 links use their own DNS servers, as ISP1's servers do not answer queries from ISP2's IP address and vice versa. I run BIND (as caching and also for my local zone) on my router, configured to forward requests to ISP1's DNS servers. I really don't want to run 2 copies of BIND with forwarders of ISP2 as the only difference in configuration. Would anybody come up with a more elegant solution on that issue? I'm sure it is not nice to specify both ISPs' servers as forwarders for a single server as the server itself uses the default gateway of ISP1.

And then about services installed on the router machine itself - ftp, www. They do not seem to listen on ISP2's IP. Any solution besides configuring virtual servers?

Here's my firewall script. I'd like it if someone would correct me, especially on the mangle table as I'm still not sure if I mark packets correctly.

#!/bin/bash
# bash rather than sh: the arrays below are not POSIX sh.

PPP=(ppp0 ppp1)
IP=(`ifconfig ${PPP[0]}|sed -n 2p|column -s ":" -t|awk '{print $3}'` `ifconfig ${PPP[1]}|sed -n 2p|column -s ":" -t|awk '{print $3}'`)
GATEWAY=(`ifconfig ${PPP[0]}|sed -n 2p|column -s ":" -t|awk '{print $5}'` `ifconfig ${PPP[1]}|sed -n 2p|column -s ":" -t|awk '{print $5}'`)

# Second routing table: copy of main without its default route, plus ISP2's default.
ip route flush table auxiliary
ip route show table main | grep -Ev ^default \
| while read ROUTE ; do
    ip route add table auxiliary $ROUTE
done
ip route add table auxiliary default via ${GATEWAY[1]} dev ${PPP[1]}
ip rule add fwmark 0xfc table auxiliary

echo 0 > /proc/sys/net/ipv4/conf/${PPP[0]}/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/${PPP[1]}/rp_filter

iptables -F
iptables -F -t nat
iptables -F -t mangle

iptables -A INPUT -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ${PPP[1]} -p tcp -m tcp --dport 20 -j ACCEPT
iptables -A INPUT -i ${PPP[1]} -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -i ${PPP[0]} -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -i ${PPP[1]} -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -i ${PPP[0]} -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -i ${PPP[0]} -p udp -m udp --dport 123 -j ACCEPT
iptables -A INPUT -i ${PPP[1]} -p tcp -m tcp --dport 55000:55500 -j ACCEPT
iptables -A INPUT -i ppp+ -m state --state NEW,INVALID -j DROP

iptables -A FORWARD -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ${PPP[0]} -p tcp -m tcp --dport 4662 -j ACCEPT
iptables -A FORWARD -i ${PPP[0]} -p tcp -m tcp --dport 4663 -j ACCEPT
iptables -A FORWARD -i ${PPP[0]} -p udp -m udp --dport 4672 -j ACCEPT
iptables -A FORWARD -i ${PPP[0]} -p udp -m udp --dport 4673 -j ACCEPT
iptables -A FORWARD -i ${PPP[0]} -p tcp -m tcp --dport 5000:5010 -j ACCEPT
iptables -A FORWARD -i ${PPP[0]} -p tcp -m tcp --dport 15402 -j ACCEPT
iptables -A FORWARD -i ${PPP[0]} -p udp -m udp --dport 15402 -j ACCEPT
iptables -A FORWARD -i ${PPP[1]} -p tcp -m tcp --dport 15502 -j ACCEPT
iptables -A FORWARD -i ${PPP[1]} -p udp -m udp --dport 15502 -j ACCEPT
iptables -A FORWARD -i ppp+ -m state --state NEW,INVALID -j DROP

iptables -t mangle -A PREROUTING -s 192.168.0.59 -j MARK --set-mark 252
###
iptables -t mangle -A PREROUTING -p icmp -m icmp -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 0:128 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 128: -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 20 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 21 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 22 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p udp -m udp --sport 53 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p udp -m udp --sport 123 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A INPUT -i ${PPP[1]} -j MARK --set-mark 252
#iptables -t mangle -A FORWARD -d 192.168.0.59 -j MARK --set-mark 252
iptables -t mangle -A OUTPUT -o ${PPP[1]} -j MARK --set-mark 252
iptables -t mangle -A OUTPUT -p icmp -m icmp -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 0:128 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 128: -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 20 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 21 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 22 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p udp -m udp --dport 53 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 80 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A OUTPUT -p udp -m udp --dport 123 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A POSTROUTING -s 192.168.0.59 -j MARK --set-mark 252

iptables -t nat -A PREROUTING -i ${PPP[0]} -p tcp -m tcp --dport 4662 -j DNAT --to 192.168.0.16:4662
iptables -t nat -A PREROUTING -i ${PPP[0]} -p tcp -m tcp --dport 4663 -j DNAT --to 192.168.0.62:4663
iptables -t nat -A PREROUTING -i ${PPP[0]} -p udp -m udp --dport 4672 -j DNAT --to 192.168.0.16:4672
iptables -t nat -A PREROUTING -i ${PPP[0]} -p udp -m udp --dport 4673 -j DNAT --to 192.168.0.62:4673
iptables -t nat -A PREROUTING -i ${PPP[0]} -p tcp -m tcp --dport 5000:5010 -j DNAT --to 192.168.0.16:5000-5010
iptables -t nat -A PREROUTING -i ${PPP[0]} -p tcp -m tcp --dport 15402 -j DNAT --to 192.168.0.16:15402
iptables -t nat -A PREROUTING -i ${PPP[0]} -p udp -m udp --dport 15402 -j DNAT --to 192.168.0.16:15402
iptables -t nat -A PREROUTING -i ${PPP[1]} -p tcp -m tcp --dport 15502 -j DNAT --to 192.168.0.59:15502
iptables -t nat -A PREROUTING -i ${PPP[1]} -p udp -m udp --dport 15502 -j DNAT --to 192.168.0.59:15502
iptables -t nat -A PREROUTING -i eth2 -p tcp -m tcp -s 192.168.0.16 --dport 80 -j DNAT --to 192.168.0.1:3128
iptables -t nat -A POSTROUTING -o ${PPP[1]} -s 192.168.0.59 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ${PPP[0]} -s 192.168.0.0/26 -j MASQUERADE

From rob0 at gmx.co.uk Mon Oct 3 17:38:12 2005
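Whether the marks in the script above pick the right uplink can be worked out on paper by walking the routing policy database the way the kernel does, which is what this added example does (it is not the poster's code). It models the two tables and the fwmark rule exactly as the script builds them, with constructed addresses standing in for what the script reads from ifconfig, and also routes a packet the router itself sends from the ISP2 address, the case behind the "services do not seem to listen on ISP2's IP" symptom; for comparison it adds the `from <ISP2 address>` rule from the LARTC HOWTO's multi-uplink recipe, which is an assumption here and not part of the posted script.

```python
"""Added example (not the poster's code): a paper model of the routing policy
database (RPDB) as the script above configures it, used to see which PPP link
a packet leaves on. PPP addresses are constructed; the script reads the real
ones from ifconfig at run time."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IP = ["10.0.0.2", "10.1.1.2"]        # constructed: our address on ppp0 / ppp1
GATEWAY = ["10.0.0.1", "10.1.1.1"]   # constructed: ISP1 / ISP2 peer address
LAN = "192.168.0.0/26"               # the masqueraded LAN behind eth2 (from the script)


@dataclass
class Packet:
    src: str
    dst: str
    mark: int = 0          # fwmark; stays 0 unless a mangle rule sets it


@dataclass
class Route:
    prefix: str            # "default" or a CIDR prefix
    dev: str
    via: Optional[str] = None


@dataclass
class Rule:
    table: str
    fwmark: Optional[int] = None   # "fwmark N" selector
    src: Optional[str] = None      # "from A" selector


def mangle_prerouting(pkt):
    """The script's only PREROUTING MARK: LAN host .59 gets 252, which is the
    decimal spelling of the 0xfc that the ip rule matches on."""
    if ipaddress.ip_address(pkt.src) == ipaddress.ip_address("192.168.0.59"):
        pkt.mark = 252
    return pkt


def lookup(table, dst):
    """Longest-prefix match inside one table; 'default' is 0.0.0.0/0."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in table:
        net = ipaddress.ip_network("0.0.0.0/0" if r.prefix == "default" else r.prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, r)
    return best[1] if best else None


def route(pkt, rules, tables):
    """Walk the rules in priority order; the first matching rule whose table
    yields a route decides, as the kernel's RPDB does."""
    for rule in rules:
        if rule.fwmark is not None and pkt.mark != rule.fwmark:
            continue
        if rule.src is not None and pkt.src != rule.src:
            continue
        hit = lookup(tables[rule.table], pkt.dst)
        if hit is not None:
            return hit.dev
    return None


def script_tables():
    """table main, plus table auxiliary built the way the script builds it:
    every non-default main route copied, then ISP2's default appended."""
    main = [Route(LAN, "eth2"), Route("default", "ppp0", GATEWAY[0])]
    auxiliary = [r for r in main if r.prefix != "default"]
    auxiliary.append(Route("default", "ppp1", GATEWAY[1]))
    return {"main": main, "auxiliary": auxiliary}


# Rules as the script adds them: fwmark 0xfc -> auxiliary, then the implicit main.
RULES_AS_POSTED = [Rule("auxiliary", fwmark=0xfc), Rule("main")]
# Same, plus the LARTC multi-uplink "from <ISP2 address>" rule. This rule is an
# assumption for comparison; the posted script does not contain it.
RULES_WITH_FROM = [Rule("auxiliary", fwmark=0xfc),
                   Rule("auxiliary", src=IP[1]), Rule("main")]


def egress_dev(pkt, rules, forwarded=True):
    """Device a packet leaves on. Forwarded packets traverse mangle PREROUTING
    first; packets the router itself generates do not, so the .59 mark never
    applies to them. (The script's mangle OUTPUT rule matches -o ppp1, i.e.
    only after routing already chose ppp1, so it cannot change the choice.)"""
    if forwarded:
        pkt = mangle_prerouting(pkt)
    return route(pkt, rules, script_tables())


if __name__ == "__main__":
    probe = "198.51.100.7"   # constructed Internet destination
    print("LAN .59 -> Internet:", egress_dev(Packet("192.168.0.59", probe), RULES_AS_POSTED))
    print("LAN .16 -> Internet:", egress_dev(Packet("192.168.0.16", probe), RULES_AS_POSTED))
    print("reply from ISP2 address, rules as posted:",
          egress_dev(Packet(IP[1], probe), RULES_AS_POSTED, forwarded=False))
    print("reply from ISP2 address, with from-rule:",
          egress_dev(Packet(IP[1], probe), RULES_WITH_FROM, forwarded=False))
```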
From: rob0 at gmx.co.uk (/dev/rob0)
Date: Mon Oct 3 17:38:19 2005
Subject: [LARTC] need help on multiple isp routing
In-Reply-To: <003201c5c827$edcf9050$1000a8c0@naksitrallid.dyn.ee>
References: <20051002100007.9C06D4042@outpost.ds9a.nl> <003201c5c827$edcf9050$1000a8c0@naksitrallid.dyn.ee>
Message-ID: <200510031038.12300.rob0@gmx.co.uk>

On Monday 2005-October-03 09:37, Anonymous wrote:
> configure is how to make those 2 links use their own DNS servers,

Why?

> as ISP1's servers do not answer queries from ISP2's IP address and

So? They're answering queries from your ISP1 address, no? Is this a problem?

> vice versa. I run BIND (as caching and also for my local zone) on my
> router configured to forward requests to ISP1's DNS servers. I really
> don't want to run 2 copies of BIND with forwarders of ISP2 as the
> only difference in configuration. Would anybody come up with a more
> elegant solution on that issue? I'm sure it is not nice to specify

Just don't use forwarders at all. wget the latest root hints file or just use what you have, for "type hints" for the "." zone. Forwarding is rarely a good idea. It gains you nothing. You won't increase the load on the root servers.

> both ISPs' servers as forwarders for a single server as the server
> itself uses the default gateway of ISP1.

So this is not a problem, but still, forwarders are not helping you.

> and then about services
> installed on the router machine itself - ftp, www. They do not seem to
> listen on ISP2's IP. Any solution besides configuring virtual
> servers?

I prefer Julian's approach to dual gateway routing ... his routes patch and the nano.txt HOWTO. That provides more of what people tend to want from multiple ISP connections in a more transparent way. All services use both links equally (or as weighted.) I'm sure there are situations in which splitting traffic by service or destination makes sense ... just not at my 3 dual-ISP sites.
--
mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header

From c-d.hailfinger.devel.2005 at gmx.net Mon Oct 3 19:55:09 2005
From: c-d.hailfinger.devel.2005 at gmx.net (Carl-Daniel Hailfinger)
Date: Mon Oct 3 19:53:25 2005
Subject: [LARTC] ip address delete bug?
Message-ID: <4341707D.90206@gmx.net>

Hi,

it seems that "ip address delete" will delete all addresses of the same class on an interface if it is ordered to only delete the first one:

# ip a f eth0
# ip a l eth0
3: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether xx:xx:xx:xx:xx:xx
# ip a a 192.168.a.b brd + dev eth0
# ip a a 192.168.c.d brd + dev eth0
# ip a d 192.168.a.b brd + dev eth0
# ip a l eth0
3: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether xx:xx:xx:xx:xx:xx

I'm using kernel 2.6.13 and iproute2-050816. The man page seems to agree with me that this behaviour is wrong. If that behaviour is intended, please update the man page.

Regards,
Carl-Daniel
--
http://www.hailfinger.org/

From surda at shurdix.com Mon Oct 3 20:00:12 2005
From: surda at shurdix.com (Peter Surda)
Date: Mon Oct 3 20:00:39 2005
Subject: [LARTC] ip address delete bug?
In-Reply-To: <4341707D.90206@gmx.net>
Message-ID: <200593200127124@mail.routehat.org>

On Mon, 03 Oct 2005 19:55:09 +0200 Carl-Daniel Hailfinger wrote:
>Hi,
hi

>it seems that "ip address delete" will delete all addresses of the same
>class on an interface if it is ordered to only delete the first one:
Incidentally I encountered similar behavior with kernel 2.4 and older iproute (20010824 with some patches) a couple of weeks ago, so it's nothing new.

>Regards,
>Carl-Daniel
Yours sincerely,

Peter
--
http://www.shurdix.org - Linux distribution for routers and firewalls

From bugfood-ml at fatooh.org Mon Oct 3 22:13:48 2005
From: bugfood-ml at fatooh.org (Corey Hickey)
Date: Mon Oct 3 22:13:59 2005
Subject: [LARTC] two link
In-Reply-To: <12ec503505100313051971cc51@mail.gmail.com>
References: <12ec503505092910197e23692a@mail.gmail.com> <433C8C8C.9030508@fatooh.org> <12ec5035050930042042bc48b7@mail.gmail.com> <51342.66.93.171.129.1128111268.squirrel@fatooh.org> <12ec503505100313051971cc51@mail.gmail.com>
Message-ID: <434190FC.6080605@fatooh.org>

Fabio Silva wrote:
> Corey ,
>
> sorry, but, i need to make this and my server has proxy transparent
> can you give an aid to me with this?

I'm sorry, but I don't understand your question. I understand if English isn't your native language, but I can't tell what you mean here.

Also, please keep this discussion on the lartc mailing list. Usually this means using the "reply to all" function of your email program. There's a chance you'll ask a question that could be better answered by another member of the mailing list, and it's also quite possible that I'll make a mistake and somebody will correct me.

-Corey

From anderson at skyweb.co.ke Tue Oct 4 09:23:20 2005
From: anderson at skyweb.co.ke (anderson@skyweb.co.ke)
Date: Tue Oct 4 09:23:49 2005
Subject: [LARTC] Ceil Rate
In-Reply-To: <2af436490509301529i38418912l592d456a93f66b4e@mail.gmail.com>
References: <20050930161339.GA25083@localhost.home.com> <2af436490509301529i38418912l592d456a93f66b4e@mail.gmail.com>
Message-ID: <20051004072320.GA19394@localhost.home.com>

I thought that the default ceil was the same as the rate, or does that only apply to the root class?

Thanks for the info.

On Fri Sep 30, 2005 at 06:29:52PM -0400, Jody Shumaker wrote:
> You didn't set a ceil for 1:10, you only set a rate. When no ceil is
> specified, a subclass will borrow past its rate max if it can.
>
> You should use:
>
> tc class add dev eth1 parent 1:1 classid 1:10 htb rate 64kbit ceil 64kbit
> quantum 1501
>
> And then it would use 64kbit as a hard cap, only going past it for short
> bursts when trying to maintain 64kbit as the average (cburst parameter can
> control this, but shouldn't be necessary).
>
> - Jody
>
> On 9/30/05, anderson@skyweb.co.ke wrote:
> >
> >
> > tc class add dev eth1 parent 1:1 classid 1:10 htb rate 64kbit quantum 1501
> >
> >
> > The problem is I often find the rate exceeding the ceil which is 64kbit for
> > 1:10 when I ran this
> > command:
> >
> > tc -s show class dev eth1
> >
> > I'm also using a script that captures the output of the above command and
> > feeds it to rrdtool to plot a graph of the usage and it also shows that
> > the
> > bandwidth being utilised exceeds 64kbit.
> >
> > How can I ensure that this doesn't happen? Where did I go wrong with my
> > config?
> >
> > Any help would be appreciated.
> >
> >
> > Thanks.

From manyx at poczta.fm Tue Oct 4 11:19:32 2005
From: manyx at poczta.fm (ManyX)
Date: Tue Oct 4 11:19:38 2005
Subject: [LARTC] iproute2-050929 ERORR compiling
Message-ID: <001501c5c8c4$bba20570$0a0aa7c0@mx>

Good day

Is there some error with iproute2-050929.tar.gz, because when I compile I don't get tc
I have kernel 2.6.12.3

this is my log with compile

# make
make[1]: Entering directory `/home/src/a/04102005/iproute2-050929/lib'
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -c -o ll_map.o ll_map.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -c -o libnetlink.o libnetlink.c
ar rcs libnetlink.a ll_map.o libnetlink.o
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -c -o utils.o utils.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -c -o rt_names.o rt_names.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -c -o ll_types.o ll_types.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -c -o ll_proto.o ll_proto.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -c -o ll_addr.o ll_addr.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -c -o inet_proto.o inet_proto.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -c -o dnet_ntop.o dnet_ntop.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -c -o dnet_pton.o dnet_pton.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -c -o ipx_ntop.o ipx_ntop.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -c -o ipx_pton.o ipx_pton.c
ar rcs libutil.a utils.o rt_names.o ll_types.o ll_proto.o ll_addr.o inet_proto.o dnet_ntop.o dnet_pton.o ipx_ntop.o ipx_pton.o
make[1]: Leaving directory `/home/src/a/04102005/iproute2-050929/lib'
make[1]: Entering directory `/home/src/a/04102005/iproute2-050929/ip'
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -c -o ip.o ip.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -c -o ipaddress.o ipaddress.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -c -o iproute.o iproute.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -c -o iprule.o iprule.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -c -o rtm_map.o rtm_map.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -c -o iptunnel.o iptunnel.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -c -o ipneigh.o ipneigh.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -c -o iplink.o iplink.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -c -o ipmaddr.o ipmaddr.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -c -o ipmonitor.o ipmonitor.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -c -o ipmroute.o ipmroute.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -c -o ipprefix.o ipprefix.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -c -o ipxfrm.o ipxfrm.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -c -o xfrm_state.o xfrm_state.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -c -o xfrm_policy.o xfrm_policy.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -c -o xfrm_monitor.o xfrm_monitor.c
gcc ip.o ipaddress.o iproute.o iprule.o rtm_map.o iptunnel.o ipneigh.o iplink.o ipmaddr.o ipmonitor.o ipmroute.o ipprefix.o ipxfrm.o xfrm_state.o xfrm_policy.o xfrm_monitor.o ../lib/libnetlink.a ../lib/libutil.a -lresolv -L../lib -lnetlink -lutil -o ip
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -c -o rtmon.o rtmon.c
gcc rtmon.o ../lib/libnetlink.a ../lib/libutil.a -lresolv -L../lib -lnetlink -lutil -o rtmon
make[1]: Leaving directory `/home/src/a/04102005/iproute2-050929/ip'
make[1]: Entering directory `/home/src/a/04102005/iproute2-050929/tc'
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -DCONFIG_GACT -DCONFIG_GACT_PROB -c -o tc_core.o tc_core.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -DCONFIG_GACT -DCONFIG_GACT_PROB -c -o tc_red.o tc_red.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -DCONFIG_GACT -DCONFIG_GACT_PROB -c -o tc_cbq.o tc_cbq.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -DCONFIG_GACT -DCONFIG_GACT_PROB -c -o tc_estimator.o tc_estimator.c
ar rcs libtc.a tc_core.o tc_red.o tc_cbq.o tc_estimator.o
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -DCONFIG_GACT -DCONFIG_GACT_PROB -c -o tc.o tc.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -DCONFIG_GACT -DCONFIG_GACT_PROB -c -o tc_qdisc.o tc_qdisc.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -DCONFIG_GACT -DCONFIG_GACT_PROB -c -o tc_class.o tc_class.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -DCONFIG_GACT -DCONFIG_GACT_PROB -c -o tc_filter.o tc_filter.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -DCONFIG_GACT -DCONFIG_GACT_PROB -c -o tc_util.o tc_util.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -DCONFIG_GACT -DCONFIG_GACT_PROB -c -o m_police.o m_police.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -DCONFIG_GACT -DCONFIG_GACT_PROB -c -o m_estimator.o m_estimator.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -DCONFIG_GACT -DCONFIG_GACT_PROB -c -o m_action.o m_action.c
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -DCONFIG_GACT -DCONFIG_GACT_PROB -c -o m_ematch.o m_ematch.c
bison -d -t -v -o emp_ematch.yacc.c emp_ematch.y
emp_ematch.y:11: unrecognized: %error-verbose
emp_ematch.y:11: Skipping to next %
make[1]: *** [emp_ematch.yacc.c] Error 1
make[1]: Leaving directory `/home/src/a/04102005/iproute2-050929/tc'
make[1]: Entering directory `/home/src/a/04102005/iproute2-050929/misc'
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -c -o ss.o ss.c
bison ssfilter.y -o ssfilter.c
ssfilter.y contains 27 shift/reduce conflicts.
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -c -o ssfilter.o ssfilter.c
gcc ss.o ssfilter.o -lresolv -L../lib -lnetlink -lutil -o ss
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -o nstat nstat.c -lm
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -o ifstat ifstat.c ../lib/libnetlink.a ../lib/libutil.a -lm
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -o rtacct rtacct.c ../lib/libnetlink.a ../lib/libutil.a -lm
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -I/usr/include -o arpd arpd.c ../lib/libnetlink.a ../lib/libutil.a -ldb -lpthread
arpd.c:19:20: db_185.h: No such file or directory
arpd.c:42: error: parse error before '*' token
arpd.c:42: warning: type defaults to `int' in declaration of `dbase'
arpd.c:42: warning: data definition has no type or storage class
arpd.c: In function `do_one_request':
arpd.c:304: error: `DBT' undeclared (first use in this function)
arpd.c:304: error: (Each undeclared identifier is reported only once
arpd.c:304: error: for each function it appears in.)
arpd.c:304: error: parse error before "dbkey"
arpd.c:308: error: request for member `sync' in something not a structure or union
arpd.c:338: error: `dbkey' undeclared (first use in this function)
arpd.c:341: error: request for member `get' in something not a structure or union
arpd.c:341: error: `dbdat' undeclared (first use in this function)
arpd.c:365: error: request for member `del' in something not a structure or union
arpd.c:391: error: request for member `put' in something not a structure or union
arpd.c:409: error: request for member `put' in something not a structure or union
arpd.c:421: error: request for member `put' in something not a structure or union
arpd.c: In function `get_arp_pkt':
arpd.c:485: error: `DBT' undeclared (first use in this function)
arpd.c:485: error: parse error before "dbkey"
arpd.c:517: error: `dbkey' undeclared (first use in this function)
arpd.c:520: error: request for member `get' in something not a structure or union
arpd.c:520: error: `dbdat' undeclared (first use in this function)
arpd.c:530: error: request for member `put' in something not a structure or union
arpd.c: In function `main':
arpd.c:670: warning: implicit declaration of function `dbopen'
arpd.c:670: error: `DB_HASH' undeclared (first use in this function)
arpd.c:670: warning: assignment makes pointer from integer without a cast
arpd.c:680: error: `DBT' undeclared (first use in this function)
arpd.c:680: error: parse error before "dbkey"
arpd.c:682: error: `dbkey' undeclared (first use in this function)
arpd.c:712: error: `dbdat' undeclared (first use in this function)
arpd.c:717: error: request for member `put' in something not a structure or union
arpd.c:722: error: request for member `sync' in something not a structure or union
arpd.c:728: error: parse error before "dbkey"
arpd.c:730: error: request for member `seq' in something not a structure or union
arpd.c:730: error: `R_NEXT' undeclared (first use in this function)
arpd.c:822: error: request for member `sync' in something not a structure or union
arpd.c:841: error: request for member `close' in something not a structure or union
arpd.c:845: error: request for member `close' in something not a structure or union
make[1]: *** [arpd] Error 1
make[1]: Leaving directory `/home/src/a/04102005/iproute2-050929/misc'
make[1]: Entering directory `/home/src/a/04102005/iproute2-050929/netem'
gcc -Wall -O1 -I../include -o maketable maketable.c -lm
gcc -Wall -O1 -I../include -o normal normal.c -lm
gcc -Wall -O1 -I../include -o pareto pareto.c -lm
gcc -Wall -O1 -I../include -o paretonormal paretonormal.c -lm
./normal > normal.dist
./pareto > pareto.dist
./paretonormal > paretonormal.dist
./maketable experimental.dat > experimental.dist
make[1]: Leaving directory `/home/src/a/04102005/iproute2-050929/netem'

When I do make tc in the tc directory I get

"bison -o emp_ematch.yacc.c emp_ematch.y
emp_ematch.y:11: unrecognized: %error-verbose
emp_ematch.y:11: Skipping to next %
make: *** [emp_ematch.yacc.c] Error 1"

I have "bison-1.35-i386-1"

What do I do wrong??

Thanks for help

From dwerder at gmx.net Tue Oct 4 11:27:37 2005
From: dwerder at gmx.net (Dominik Werder)
Date: Tue Oct 4 11:26:52 2005
Subject: [LARTC] iproute2-050929 ERORR compiling
In-Reply-To: <001501c5c8c4$bba20570$0a0aa7c0@mx>
References: <001501c5c8c4$bba20570$0a0aa7c0@mx>
Message-ID:

> Good day
>
> Is there some error with iproute2-050929.tar.gz, because when I compile
> I don't get tc
> I have kernel 2.6.12.3
>
> this is my log with compile

Read README carefully, especially the part about db_185.h or like.. btw. this version you mentioned didn't work with your kernel revision for me either, I had to use an older version.. and make sure your bison is not too old..

regards,
Dominik

From dwerder at gmx.net Tue Oct 4 11:33:15 2005
From: dwerder at gmx.net (Dominik Werder) Date: Tue Oct 4 11:32:29 2005 Subject: [LARTC] Incoming traffic? Message-ID:
Hi there,
a program is downloading large files on a regular basis and has no switch to limit bandwidth.
Is there a way to shape this incoming traffic? Any pointers?
My outgoing traffic shaping works perfectly, but this incoming thing gives me a headache..
many thanks in advance!
Dominik
From Andreas.Klauer at metamorpher.de Tue Oct 4 12:00:34 2005
From: Andreas.Klauer at metamorpher.de (Andreas Klauer) Date: Tue Oct 4 12:00:20 2005 Subject: [LARTC] Incoming traffic? In-Reply-To: References: Message-ID: <200510041200.34745.Andreas.Klauer@metamorpher.de>
On Tuesday 04 October 2005 11:33, Dominik Werder wrote:
> a program is downloading large files on a regular basis and has no
> switch to limit bandwidth.
>
> Is there a way to shape this incoming traffic? Any pointers?
On a router, you could just set up shaping on the LAN interface. On a standalone machine, you'd either have to use the ingress qdisc, or if you want to use more familiar schedulers like HTB for incoming traffic, maybe IMQ can help you.
Shaping incoming traffic usually works by dropping packets that were already sent to you and hoping that the other side will back off and send packets slower. This causes overhead (as packets have to be re-sent), which is why some people don't like this method.
Personally, I've been using this approach for ages on my router (shaping incoming traffic as outgoing traffic on the LAN interface) and found that it's better than having a single person / download choke the line completely...
Better methods are said to exist (like tcp window resizing or whatever) but I've never seen them implemented in Linux so far.
HTH
Andreas Klauer
From edward.ralph.smith at gmail.com Tue Oct 4 15:08:41 2005
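Editor's added example, not a message from the thread and not anyone's posted script: it spells out the two options Andreas Klauer gives above, the router case (download traffic shaped as outgoing traffic on the LAN interface, with HTB) and the standalone-host case (ingress qdisc with a policer that drops above a rate and relies on the sender backing off). Interface names, rates, class ids and the rule that treats TCP source ports 80/443 as "bulk download" traffic are assumptions for illustration. The functions print the tc/iptables commands instead of running them, so the plan can be read before it is applied; pipe the output into sh as root to apply it.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names, rates, class ids and
# the "bulk = HTTP/HTTPS downloads" marking rule are assumptions.
# Usage (as root):
#   lan_htb_commands eth1 8000 2000 | sh        # router: shape on the LAN side
#   ingress_police_commands eth0 2000 | sh      # standalone host: police input

# Accept only a plain positive integer (kbit/s).
is_kbit() {
    case $1 in ''|*[!0-9]*|0) return 1 ;; esac
}

# Router case: HTB on the LAN-facing interface $1. Every downloaded packet is
# forwarded out of $1, so capping that queue just below the real downstream
# rate ($2 kbit) moves the bottleneck from the ISP to this box, where the
# queue can be prioritised. $3 kbit is reserved for bulk downloads; the
# interactive class gets the remainder and both may borrow up to the total.
lan_htb_commands() {
    dev=$1; total=$2; bulk=$3
    is_kbit "$total" && is_kbit "$bulk" || return 1
    [ "$bulk" -lt "$total" ] || { echo "bulk rate must be below total" >&2; return 1; }
    inter=$((total - bulk))
    cat <<EOF
tc qdisc del dev $dev root 2>/dev/null
tc qdisc add dev $dev root handle 1: htb default 10
tc class add dev $dev parent 1: classid 1:1 htb rate ${total}kbit ceil ${total}kbit
tc class add dev $dev parent 1:1 classid 1:10 htb rate ${inter}kbit ceil ${total}kbit prio 0
tc class add dev $dev parent 1:1 classid 1:20 htb rate ${bulk}kbit ceil ${total}kbit prio 1
tc qdisc add dev $dev parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $dev parent 1:20 handle 20: sfq perturb 10
tc filter add dev $dev parent 1: protocol ip prio 1 handle 20 fw flowid 1:20
iptables -t mangle -A FORWARD -o $dev -p tcp -m multiport --sports 80,443 -j MARK --set-mark 20
EOF
}

# Standalone case: there is no LAN interface to shape on, so packets arriving
# faster than $2 kbit are dropped by the ingress policer and TCP is left to
# back off. The dropped packets have already crossed the link, which is the
# overhead Andreas mentions; "burst" gives the policer some slack.
ingress_police_commands() {
    dev=$1; rate=$2
    is_kbit "$rate" || return 1
    cat <<EOF
tc qdisc del dev $dev ingress 2>/dev/null
tc qdisc add dev $dev handle ffff: ingress
tc filter add dev $dev parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${rate}kbit burst 20k drop flowid :1
EOF
}
```

The fw filter and the iptables MARK use the same decimal mark (20), so whatever the mangle rule tags lands in class 1:20; any other forwarded packet falls into the default class 1:10. Keep the HTB total a little under the measured line rate, otherwise the queue builds at the ISP and the prioritisation has nothing to work on.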
From: edward.ralph.smith at gmail.com (Edward Smith) Date: Tue Oct 4 15:08:46 2005 Subject: [LARTC] Incoming traffic? Message-ID: <39458b080510040608r58db5804kef46fed118878f02@mail.gmail.com> Dominik, if you are running a router, the way to do it is to shape outgoing traffic on your LAN interface. A copy of my script to do this is at http://www.stardotstar.org/?page_id=63 Edward Date: Tue, 04 Oct 2005 11:33:15 +0200 > From: "Dominik Werder" > Subject: [LARTC] Incoming traffic? > To: lartc@mailman.ds9a.nl > Message-ID: > Content-Type: text/plain; format=flowed; delsp=yes; charset=utf-8 > > Hi there, > > a program is downloading large files on a regular basis and has no switch > to limit bandwidth. > > Is there a way to shape this incoming traffic? Any pointers? > > > My outgoing traffic shaping works perfectly, but this incoming thing gives > me a headache.. > > many thanks in advance! > Dominik > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20051004/09b93f89/attachment.htm From shebas at it.iitb.ac.in Tue Oct 4 17:33:51 2005 From: shebas at it.iitb.ac.in (shebas@it.iitb.ac.in) Date: Tue Oct 4 17:38:20 2005 Subject: [LARTC] Unscribe me Message-ID: <32803.10.129.46.96.1128440031.squirrel@www.it.iitb.ac.in> please Unscribe me from this mailing list From unki at netshadow.at Tue Oct 4 17:54:21 2005 
From: unki at netshadow.at (Andreas Unterkircher) Date: Tue Oct 4 17:54:43 2005 Subject: [LARTC] Unscribe me In-Reply-To: <32803.10.129.46.96.1128440031.squirrel@www.it.iitb.ac.in> References: <32803.10.129.46.96.1128440031.squirrel@www.it.iitb.ac.in> Message-ID: <4342A5AD.3010002@netshadow.at> Unsubscribe yourself? (at the bottom of the page). http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc shebas@it.iitb.ac.in wrote: >please Unscribe me from this mailing list >_______________________________________________ >LARTC mailing list >LARTC@mailman.ds9a.nl >http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > > From andre.correa at pobox.com Tue Oct 4 19:24:18 2005 
From: andre.correa at pobox.com (Andre D. Correa) Date: Tue Oct 4 19:24:25 2005 Subject: [LARTC] IMQ and nfcache Message-ID: <4342BAC2.3090805@pobox.com>
Hi,
I'm working on the IMQ patch for 2.6.14-rc* and ran into trouble with nfcache. I have to be honest that I'm not following kernel devel as I should, so I need to ask for a little help here. I know Mr Harald Welte removed nfcache but I'm not sure about the way to go.
I have this at net/ipv4/netfilter/ipt-IMQ.c:

static unsigned int imq_target(struct sk_buff **pskb,
                               const struct net_device *in,
                               const struct net_device *out,
                               unsigned int hooknum,
                               const void *targinfo,
                               void *userdata)
{
        struct ipt_imq_info *mr = (struct ipt_imq_info*)targinfo;

        (*pskb)->imq_flags = mr->todev | IMQ_F_ENQUEUE;
        (*pskb)->nfcache |= NFC_ALTERED;

        return IPT_CONTINUE;
}

I found that in places like ip_conntrack_core.c and ip_nat_core.c, nfcache references have just been removed.
Thanks in advance for any help.
Cheers...
--------------------------------------------------------------------
Andre D. Correa, CISSP          | Visite meus projetos pessoais:
andre.correa (at) pobox.com     | Visit my personal projects:
http://andre.hiperlinks.com.br  | - http://www.malware.com.br/
Sao Paulo / SP / Brazil         | - http://www.linuximq.net/
--------------------------------------------------------------------
From c-d.hailfinger.devel.2005 at gmx.net Tue Oct 4 19:53:16 2005
From: c-d.hailfinger.devel.2005 at gmx.net (Carl-Daniel Hailfinger) Date: Tue Oct 4 19:51:35 2005 Subject: [LARTC] Incoming traffic? In-Reply-To: References: Message-ID: <4342C18C.9010205@gmx.net>
Dominik Werder schrieb:
> Hi there,
>
> a program is downloading large files on a regular basis and has no
> switch to limit bandwidth.
>
> Is there a way to shape this incoming traffic? Any pointers?
Use trickle.
Regards,
Carl-Daniel
--
http://www.hailfinger.org/
From ian.t7 at hotmail.co.uk Tue Oct 4 21:06:54 2005
From: ian.t7 at hotmail.co.uk (Ian stuart Turnbull) Date: Tue Oct 4 21:06:58 2005 Subject: [LARTC] tc - in an abnormal LAN Message-ID:
Hello,
I have been reading the "Linux Advanced Routing & Traffic Control HOWTO" and was hoping you might be able to give me a little help. I am very new to Linux so please be gentle !?!
My network is slightly different to the normal. I have a router with 4 ports, a DSL-D504T. In the house where I live 3 other people have Win-XP machines on the 3 ports of the router. I have the other port and my machine runs Linux. I connect to the router with eth1. My Linux box is also a DHCP server and I can force the 3 other people's computers to get their IP addresses from my Linux box rather than from the DHCP router. Knowing this, is there any way of using "tc" to share the bandwidth more fairly? One of the guys in particular downloads movies all the time. Naturally they do not want a normal LAN where my Linux box is the main server.
Thanks in advance for any help / pointers to documentation etc that you can give.
Ian T
_________________________________________________________________
MSN Messenger 7.5 is now out. Download it for FREE here. http://messenger.msn.co.uk
From c-d.hailfinger.devel.2005 at gmx.net Tue Oct 4 21:11:53 2005
From: c-d.hailfinger.devel.2005 at gmx.net (Carl-Daniel Hailfinger) Date: Tue Oct 4 21:10:08 2005 Subject: [LARTC] ip address delete bug? In-Reply-To: <200593200127124@mail.routehat.org> References: <200593200127124@mail.routehat.org> Message-ID: <4342D3F9.80705@gmx.net> Hi, Peter Surda schrieb: > On Mon, 03 Oct 2005 19:55:09 +0200 Carl-Daniel Hailfinger > wrote: > > >>it seems that "ip address delete" will delete all addresses of the same >>class on an interface if it is ordered to only delete the first one: > > Incidentally I encountered similar behavior with kernel 2.4 and older iproute > (20010824 with some patches) a couple of weeks ago, so it's nothing new. OK, I found out that this is documented behaviour, although the hint is not in the man page. "secondary --- this address is not used when selecting the default source address for outgoing packets. An IP address becomes secondary if another address within the same prefix (network) already exists. The first address within the prefix is primary and is the tag address for the group of all the secondary addresses. When the primary address is deleted all of the secondaries are purged too." That means there is no way to change the IP of an interface if the prefix and network size stay the same. Are there any plans to fix that? > Yours sincerely, > Peter Regards, Carl-Daniel From jasonb at edseek.com Tue Oct 4 21:14:30 2005 
From: jasonb at edseek.com (Jason Boxman) Date: Tue Oct 4 21:14:44 2005 Subject: [LARTC] tc - in an abnormal LAN In-Reply-To: References: Message-ID: <200510041514.30723.jasonb@edseek.com> On Tuesday 04 October 2005 15:06, Ian stuart Turnbull wrote: > I connect to the router with eth1. My Linux is also a DHCP server and I > can force the 3 other peoples' computers get their IP addresses from my > Linux box rather than the DHCP router. Knowing this is there any way of > using "tc" to share the bandwidth more fairly ? One of the guys in > particular downloads movies all the time. Yes. You need to ensure each of your roommates has a blackholed IP address. That will solve your problem. ;) > Naturally they do not want a normal LAN where my Linux is the main server. Maybe your router has some QoS options? If you can't stick your Linux machine between the network and the router/switch, there isn't much you could do. More seriously, if you provide them with DHCP you could transparently redirect them through your box and apply QoS without their knowledge, but it would be far easier to just ask, no? -- Jason Boxman http://edseek.com/ - Linux and FOSS stuff From shemminger at osdl.org Tue Oct 4 21:44:54 2005 From: shemminger at osdl.org (Stephen Hemminger) Date: Tue Oct 4 21:44:48 2005 Subject: [LARTC] iproute2-050929 ERORR compiling In-Reply-To: <001501c5c8c4$bba20570$0a0aa7c0@mx> References: <001501c5c8c4$bba20570$0a0aa7c0@mx> Message-ID: <20051004124454.0d193de9@dxpl.pdx.osdl.net> There are two different problems. The first is arpd needs the dbm library (usually dbm-devel on most distros). Or you can just ignore the problem if you don't run arpd The second is problems with building the new ematch grammar stuff. I don't have an easy fix for this, but you could try a newer version of bison/flex. From Andreas.Klauer at metamorpher.de Tue Oct 4 22:52:22 2005 
From: Andreas.Klauer at metamorpher.de (Andreas Klauer) Date: Tue Oct 4 22:52:05 2005 Subject: [LARTC] tc - in an abnormal LAN In-Reply-To: References: Message-ID: <200510042252.22053.Andreas.Klauer@metamorpher.de> On Tuesday 04 October 2005 21:06, Ian stuart Turnbull wrote: > My network is slightly different to the normal. > > I have a router with 4 ports DSL-D504T. In the house where I live 3 > other people have Win-XP machines on the 3 ports of the router. I have > the other port and my machine runs Linux. Your network is normal, you just want to do things the wrong way. > One of the guys in particular downloads movies all the time. Naturally > they do not want a normal LAN where my Linux is the main server. I wouldn't want /your/ Linux either, because that way everyone is offline whenever your box is not operational. You should keep a dedicated router with QoS capabilities, and although Linux based would be nice, it's not an absolute requirement. However, concerning the downloads all the time guy in particular, let me tell you a story (even though I'm not good at storytelling). I lived in a flat together with 4 other people, and we shared one DSL line. At the time, I needed to use Telnet/SSH a lot, and it was super laggy, because the others downloaded stuff. Now, we already had a Linux router, so it might have been a little easier for me, but that's beside the point. After a lot of trial & error and with help from LARTC I set up a proper QoS on the router, and everyone in the flat benefitted from it, even the guys who downloaded all the time, for one simple reason: Without QoS, they couldn't do things like chatting or gaming while downloading either, and the net was super slow for them as well. And downloads still go at full speed most of the time (because most of the time, people are sleeping, or at uni / work), downloads only need to go a little slower while others want to use the net too. So you can be fair to others and still benefit from it. 
If your roommates don't get that, kick them out. HTH Andreas From alexeyt at freeshell.org Tue Oct 4 23:23:27 2005 From: alexeyt at freeshell.org (Alexey Toptygin) Date: Tue Oct 4 23:24:11 2005 Subject: [LARTC] ip address delete bug? In-Reply-To: <4342D3F9.80705@gmx.net> References: <200593200127124@mail.routehat.org> <4342D3F9.80705@gmx.net> Message-ID: On Tue, 4 Oct 2005, Carl-Daniel Hailfinger wrote: > OK, I found out that this is documented behaviour, although the hint is not > in the man page. If it's not in the man page, then where is the below quote from? > "secondary --- this address is not used when selecting the default source > address for outgoing packets. An IP address becomes secondary if another > address within the same prefix (network) already exists. The first address > within the prefix is primary and is the tag address for the group of all the > secondary addresses. When the primary address is deleted all of the > secondaries are purged too." > > That means there is no way to change the IP of an interface if the prefix and > network size stay the same. Are there any plans to fix that? What's wrong with delete followed by add? This thread started on netdev, so I'm cc-ing that, in case someone doesn't read both lists. Alexey From c-d.hailfinger.devel.2005 at gmx.net Wed Oct 5 00:58:19 2005 
From: c-d.hailfinger.devel.2005 at gmx.net (Carl-Daniel Hailfinger) Date: Wed Oct 5 00:56:32 2005 Subject: [LARTC] ip address delete bug? In-Reply-To: References: <200593200127124@mail.routehat.org> <4342D3F9.80705@gmx.net> Message-ID: <4343090B.5010803@gmx.net> Alexey Toptygin schrieb: > On Tue, 4 Oct 2005, Carl-Daniel Hailfinger wrote: > >> OK, I found out that this is documented behaviour, although the hint >> is not in the man page. > > If it's not in the man page, then where is the below quote from? ip-cref.tex. >> "secondary --- this address is not used when selecting the default >> source address for outgoing packets. An IP address becomes secondary >> if another address within the same prefix (network) already exists. >> The first address within the prefix is primary and is the tag address >> for the group of all the secondary addresses. When the primary address >> is deleted all of the secondaries are purged too." >> >> That means there is no way to change the IP of an interface if the >> prefix and network size stay the same. Are there any plans to fix that? > > What's wrong with delete followed by add? You are logged into the machine via ssh on eth0. You delete the ip address of eth0. How are you going to add the new address to eth0 now that your connection is gone? Go to the server room and use the console? Normally, I would add the new IP to eth0, start another ssh to the new IP, log out from the session to the old IP, remove the old IP from eth0 and be done. If I want the server to be reachable under both IPs during a transition period, I can delay deletion of the old IP until later. > This thread started on netdev, so I'm cc-ing that, in case someone > doesn't read both lists. Didn't start there, but if netdev is interested, we can keep them in cc. > Alexey Regards, Carl-Daniel From alexeyt at freeshell.org Wed Oct 5 01:08:26 2005 
From: alexeyt at freeshell.org (Alexey Toptygin) Date: Wed Oct 5 01:09:07 2005 Subject: [LARTC] ip address delete bug? In-Reply-To: <4343090B.5010803@gmx.net> References: <200593200127124@mail.routehat.org> <4342D3F9.80705@gmx.net> <4343090B.5010803@gmx.net> Message-ID: On Wed, 5 Oct 2005, Carl-Daniel Hailfinger wrote: >>> "secondary --- this address is not used when selecting the default source >>> address for outgoing packets. An IP address becomes secondary if another >>> address within the same prefix (network) already exists. The first address >>> within the prefix is primary and is the tag address for the group of all >>> the secondary addresses. When the primary address is deleted all of the >>> secondaries are purged too." >>> >>> That means there is no way to change the IP of an interface if the prefix >>> and network size stay the same. Are there any plans to fix that? >> >> What's wrong with delete followed by add? > > You are logged into the machine via ssh on eth0. You delete the ip address of > eth0. How are you going to add the new address to eth0 now that your > connection is gone? Go to the server room and use the console? > > Normally, I would add the new IP to eth0, start another ssh to the new IP, > log out from the session to the old IP, remove the old IP from eth0 and be > done. If I want the server to be reachable under both IPs during a transition > period, I can delay deletion of the old IP until later. Then I guess the question is: does anything in common use depend on the old behavior? Alexey From surda at shurdix.com Wed Oct 5 01:20:08 2005 
From: surda at shurdix.com (Peter Surda) Date: Wed Oct 5 01:20:33 2005 Subject: [LARTC] ip address delete bug? In-Reply-To: <4343090B.5010803@gmx.net> Message-ID: <20059512087124@mail.routehat.org> On Wed, 05 Oct 2005 00:58:19 +0200 Carl-Daniel Hailfinger wrote: via ssh on eth0. You delete the ip >address of eth0. How are you going to add the new address to eth0 now >that your connection is gone? Go to the server room and use the console? (btw exactly the thing that happened to me) but the solution is easy, put everything into one line: ip addr del blah1 dev eth0;ip addr add blah2 dev eth0;ip link set eth0 up ;-) >Regards, >Carl-Daniel Yours sincerely, Peter -- http://www.shurdix.org - Linux distribution for routers and firewalls From shemminger at osdl.org Wed Oct 5 01:23:02 2005 From: shemminger at osdl.org (Stephen Hemminger) Date: Wed Oct 5 01:22:51 2005 Subject: [LARTC] ip address delete bug? In-Reply-To: <4342D3F9.80705@gmx.net> References: <200593200127124@mail.routehat.org> <4342D3F9.80705@gmx.net> Message-ID: <20051004162302.6296267b@dxpl.pdx.osdl.net> Current versions of iproute2 display the following: Warning: Executing wildcard deletion to stay compatible with old scripts. Explicitly specify the prefix length (192.168.a.b/32) to avoid this warning. This special behaviour is likely to disappear in further releases, fix your scripts! From jody.shumaker at gmail.com Wed Oct 5 02:46:43 2005 
From: jody.shumaker at gmail.com (Jody Shumaker) Date: Wed Oct 5 02:46:44 2005 Subject: [LARTC] Ceil Rate In-Reply-To: <20051004072320.GA19394@localhost.home.com> References: <20050930161339.GA25083@localhost.home.com> <2af436490509301529i38418912l592d456a93f66b4e@mail.gmail.com> <20051004072320.GA19394@localhost.home.com> Message-ID: <43432273.7040401@gmail.com>
anderson@skyweb.co.ke wrote:
> I thought that the default ceil was the same as the rate, or does that only
> apply to the root class?
>
> Thanks for the info.
I just checked the documentation, and you are correct: "The default ceil is the same as the rate." However, since that doesn't seem to be happening for you, I'd suggest trying to set it.
Also, it'd be helpful to include the output of 'tc -s class show dev eth1' instead of merely citing it. It would list the actual ceil being used and other useful information.
- Jody
From szafot at poczta.fm Wed Oct 5 09:47:43 2005
From: szafot at poczta.fm (Krzysiek) Date: Wed Oct 5 09:48:14 2005 Subject: [LARTC] iproute2-050929 ERORR compiling Message-ID: <20051005074743.5AAE3EB2EC@poczta.interia.pl>
> There are two different problems. The first is arpd needs the dbm library
> (usually dbm-devel on most distros). Or you can just ignore the problem
> if you don't run arpd
>
> The second is problems with building the new ematch grammar stuff. I
> don't
> have an easy fix for this, but you could try a newer version of
> bison/flex.
There is an easy workaround regarding flex. The newest version doesn't work. I had the same problem, and I had recent versions of flex, bison etc. It works if you remove the recent flex and install an older version:
http://prdownloads.sourceforge.net/lex/flex-2.5.27.tar.bz2?download
Krzysiek
From c-d.hailfinger.devel.2005 at gmx.net Wed Oct 5 17:32:34 2005
From: c-d.hailfinger.devel.2005 at gmx.net (Carl-Daniel Hailfinger) Date: Wed Oct 5 17:30:46 2005 Subject: [LARTC] ip address delete bug? In-Reply-To: <1128474946.6224.8.camel@localhost.localdomain> References: <200593200127124@mail.routehat.org> <4342D3F9.80705@gmx.net> <4343090B.5010803@gmx.net> <1128474946.6224.8.camel@localhost.localdomain> Message-ID: <4343F212.6020606@gmx.net> jamal wrote: > On Tue, 2005-04-10 at 23:08 +0000, Alexey Toptygin wrote: > >>On Wed, 5 Oct 2005, Carl-Daniel Hailfinger wrote: > > [..] > >>>Normally, I would add the new IP to eth0, start another ssh to the new IP, >>>log out from the session to the old IP, remove the old IP from eth0 and be >>>done. If I want the server to be reachable under both IPs during a transition >>>period, I can delay deletion of the old IP until later. >> >>Then I guess the question is: does anything in common use depend on the >>old behavior? > > There's a new feature in newer kernels which allows for an alias to be > upgraded to become primary when you delete the primary. You need to > configure the sysctl otherwise it defaults to purging all the > secondaries when you delete the primary. Thanks for that feature! Just looked at /proc/sys/net/ipv4/conf/*/promote_secondaries and it is the feature I was looking for. Merged in 2.6.12, if anyone reads this in a mail archive and wonders whether he has to upgrade. This leads to another question: Can I manually promote a secondary address to become primary without deleting the primary? This would help me to use the new address by default during the transition period. > What it sounds like is you need to have ssh run over SCTP instead of TCP > to allow multi-homing. Maybe, but I did not find any current openssh version with sctp support. And with promote_secondaries, my original problem is solved perfectly. Regards, Carl-Daniel -- http://www.hailfinger.org/ From shemminger at osdl.org Wed Oct 5 18:14:31 2005 
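Editor's added example, not a message from the thread and not anyone's posted script: it turns the transition Carl-Daniel describes (add the new address, reconnect to it, then remove the old one) into two short phases with the two safeguards the thread arrives at, the promote_secondaries sysctl (Linux 2.6.12 and later) so that deleting the old primary address promotes the new secondary instead of purging it, and an explicit prefix length on "ip addr del" so that it can never become the wildcard deletion the iproute2 warning quoted by Stephen Hemminger refers to. The interface name and addresses are placeholders; the functions print the commands rather than running them, so pipe the output into sh as root to apply.

```shell
#!/bin/sh
# Added example, not from the thread. Interface and addresses are placeholders.
# Usage (as root):
#   readdress_phase1 eth0 192.168.1.20/24 | sh   # then ssh to 192.168.1.20
#   readdress_phase2 eth0 192.168.1.10/24 | sh   # from the new session

# Accept an address only as a dotted quad with an explicit /prefix (0-32).
# The prefix is mandatory here on purpose: "ip addr del A.B.C.D dev X"
# without one is the wildcard deletion that takes every address in the
# prefix with it.
addr_ok() {
    case $1 in
        */*) ;;
        *) return 1 ;;
    esac
    ip=${1%/*}; plen=${1#*/}
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Phase 1: enable promotion for this interface and add the new address.
# It becomes a secondary of the existing prefix but is reachable right away,
# so a fresh ssh session can be opened to it before anything is removed.
# The /proc path is used rather than "sysctl -w" so that interface names
# containing dots (VLAN subinterfaces such as eth0.1) need no quoting.
readdress_phase1() {
    dev=$1; new=$2
    addr_ok "$new" || { echo "bad address: $new" >&2; return 1; }
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/conf/$dev/promote_secondaries
ip addr add $new dev $dev
EOF
}

# Phase 2, run from the session on the new address: delete the old primary.
# With promote_secondaries=1 the kernel promotes the new address to primary
# instead of purging it along with the old one. The session that was bound
# to the old address ends here, which is why phase 2 is not run from it.
readdress_phase2() {
    dev=$1; old=$2
    addr_ok "$old" || { echo "bad address: $old" >&2; return 1; }
    cat <<EOF
ip addr del $old dev $dev
EOF
}
```

Peter Surda's one-liner (del, add, link up on a single command line) also works on kernels without promote_secondaries, since the shell has read the whole line before the first command cuts the connection, but it gives no session to verify from; with the two-phase form the old address is only removed once the new one has been proven reachable.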
From: shemminger at osdl.org (Stephen Hemminger) Date: Wed Oct 5 18:14:16 2005 Subject: [LARTC] iproute2-050929 ERORR compiling In-Reply-To: <20051005074743.5AAE3EB2EC@poczta.interia.pl> References: <20051005074743.5AAE3EB2EC@poczta.interia.pl> Message-ID: <20051005091431.28521e7f@dxpl.pdx.osdl.net>
On 05 Oct 2005 09:47:43 +0200 Krzysiek wrote:
> > There are two different problems. The first is arpd needs the dbm library
> > (usually dbm-devel on most distros). Or you can just ignore the problem
> > if you don't run arpd
> >
> > The second is problems with building the new ematch grammar stuff. I
> > don't
> > have an easy fix for this, but you could try a newer version of
> > bison/flex.
>
> There is an easy workaround regarding flex. The newest version doesn't work. I had the same problem, and I had recent versions of flex, bison etc. It works if you remove the recent flex and install an older version:
> http://prdownloads.sourceforge.net/lex/flex-2.5.27.tar.bz2?download
There was some discussion with the Redhat and Suse maintainers when Thomas added the ematch stuff. The problem is that the new flex is not backwards compatible, so the distros aren't switching yet.
From shemminger at osdl.org Wed Oct 5 20:34:58 2005
From: shemminger at osdl.org (Stephen Hemminger) Date: Wed Oct 5 20:34:50 2005 Subject: [LARTC] Re: [ANNOUNCE] iproute2 version (050929) In-Reply-To: References: <20050930150406.2e2221fd@dxpl.pdx.osdl.net> Message-ID: <20051005113458.46f0892d@dxpl.pdx.osdl.net> On Sat, 1 Oct 2005 23:34:25 +0200 (CEST) Krzysztof Oledzki wrote: > > > On Fri, 30 Sep 2005, Stephen Hemminger wrote: > > > There is an new minor update to iproute2 utilities available: > > http://developer.osdl.org/dev/iproute2/download/iproute2-050929.tar.gz > > > It hangs on "ip rule flush". Tested on 2.6.13.2. > > > Best regards, > > > Krzysztof Ol?dzki Fixed by this patch (in next release) ========== When assigning an ip address to an ethernet adapter, the newest (050929) version of 'ip addr' hangs while older versions worked. The problem was traced to be a removed initialisation. The patch below corrects this problem. Regards, Jerome Borsboom --- iproute2-050929/lib/libnetlink.c 2005-09-21 21:33:18.000000000 +0200 +++ iproute2-050929/lib/libnetlink.c 2005-10-04 13:42:30.000000000 +0200 @@ -235,7 +235,10 @@ unsigned seq; struct nlmsghdr *h; struct sockaddr_nl nladdr; - struct iovec iov; + struct iovec iov = { + .iov_base = (void*)n, + .iov_len = n->nlmsg_len + }; struct msghdr msg = { .msg_name = &nladdr, .msg_namelen = sizeof(nladdr), -- Stephen Hemminger OSDL http://developer.osdl.org/~shemminger From aptgetd at gmail.com Thu Oct 6 01:18:24 2005 
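Review bot: the hunk header "@@ -235,7 +235,10 @@" carries no function name, so the patch description should say which libnetlink.c routine lost its iov initialisation and whether the same removal touched any other place that builds a msghdr; from the diff alone only the adjacent "struct msghdr msg = { .msg_name = &nladdr, ..." shows that this is the request path. Minor style point: the cast in ".iov_base = (void*)n" is redundant in C, where a struct pointer converts to void * implicitly, so ".iov_base = n" reads cleaner and matches the surrounding designated initialisers. The fix itself is right: with "struct iovec iov;" left uninitialised, the header handed to the kernel carried a garbage base pointer and length, which is consistent with the "ip addr" and "ip rule flush" hangs reported above.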
From: aptgetd at gmail.com (noc ops) Date: Thu Oct 6 01:18:33 2005 Subject: [LARTC] HOWTO unmaintained? In-Reply-To: <20050819075235.6cd88f3d@localhost.localdomain> References: <200508171219.54668.Andreas.Klauer@metamorpher.de> <43031F4A.1090007@wildgooses.com> <20050817092428.531193f0@dxpl.pdx.osdl.net> <4304866E.4020605@wildgooses.com> <20050819075235.6cd88f3d@localhost.localdomain> Message-ID: <43445F40.7010306@gmail.com>
Does anyone know where we stand with the lartc howto?
regards,
/virendra
Stephen Hemminger wrote:
> On Thu, 18 Aug 2005 14:00:30 +0100
> Ed W wrote:
>
>>>> I wonder if someone would host a mediawiki and consider uploading the
>>>> documentation there. This would make it easier for people to
>>>> contribute, and I think it should be fairly easy to convert from its
>>>> current format to a wiki
>>>
>>> Good idea, I'll see if the OSDL will put up a wiki for it
>>> on developer.osdl.org, stay tuned.
>>
>> Can I suggest that you look very hard at Mediawiki (ie as per
>> wikipedia). It's built for scalability, is really easy to edit, very
>> actively maintained, and has all the distributed stuff built in if you
>> really needed to spread the load over several machines. All in all a
>> very grown up documentation tool. Oh and it's also multi-lingual so it
>> might also be possible to use it to help with the translation issues
>>
>> I mainly mentioned it because I'm sure there are some tools for
>> converting the current lartc faq up to the wiki format and obviously
>> that's the first main step.
>>
>> If someone will host it then I have some experience maintaining a
>> mediawiki site and could probably help out some
>
> Okay, if the lartc.org guys don't pick it up, I'll set up a mediawiki
> when I get back from holiday.
> For an example see:
> http://wiki.linux-nfs.org
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
From efgonzalez at gmail.com Thu Oct 6 02:24:18 2005
From: efgonzalez at gmail.com (Eduardo Fernández) Date: Thu Oct 6 02:24:22 2005 Subject: [LARTC] Two linux routers with DSL Message-ID:
Hi all!
I've the following config:
[LAN] - [big router] - [dsl router] - [internet]
Big router is a dedicated computer running Linux, dsl router is a small device running embedded Linux (busybox) and connected to the internet via pppoa. Both routers are connected together via ethernet.
I want to reduce as much as possible the load in the dsl router, so I'd like the big router to do NAT.
How should I configure both routers?
Thank you very much for your help!
Eduardo Fernández
From sd_linux at earnware.com Thu Oct 6 03:30:54 2005
From: sd_linux at earnware.com (Sean Dwyer) Date: Thu Oct 6 03:31:08 2005 Subject: [LARTC] Error in "15.10 Example of full nat solution with QoS"? Message-ID: <91740-22005104613054248@earnware.com>
Near the end of section 15.10, the following commands are shown for prioritizing SYN packets:
iptables -t mangle -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x1
iptables -t mangle -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
Shouldn't the "-I" option really be "-A"? Like so:
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
Won't using "-I" cause these entries to be inserted at the top of the chain, putting the RETURN before the MARK is set? Maybe I'm missing something.
From shemminger at osdl.org Thu Oct 6 04:41:33 2005
From: shemminger at osdl.org (Stephen Hemminger)
Date: Thu Oct 6 04:39:22 2005
Subject: [LARTC] HOWTO unmaintained?
In-Reply-To: <43445F40.7010306@gmail.com>
References: <200508171219.54668.Andreas.Klauer@metamorpher.de> <43031F4A.1090007@wildgooses.com> <20050817092428.531193f0@dxpl.pdx.osdl.net> <4304866E.4020605@wildgooses.com> <20050819075235.6cd88f3d@localhost.localdomain> <43445F40.7010306@gmail.com>
Message-ID: <20051005194133.69caad77@localhost.localdomain>

On Wed, 05 Oct 2005 16:18:24 -0700
noc ops wrote:

> Does anyone know where we stand with lartc howto?
>
> regards,
> /virendra
>
> Stephen Hemminger wrote:

The new wiki http://linux-net.osdl.org is available and you are welcome to put it there.

From soho at paralax.org Thu Oct 6 12:55:20 2005
From: soho at paralax.org (darkstar)
Date: Thu Oct 6 09:50:46 2005
Subject: [LARTC] problem with classifying
Message-ID: <43450298.7070104@paralax.org>

Hello list

I have a problem with classifying traffic from two providers, and about 600 users. I have the following situation:

P1-\          | linux |
    |--eth0---|  box  |-eth1
P2-/          |       |

P1 and P2 are coming from VLANs. I have 4 types of traffic which I want to classify. The traffic is divided as follows:

P1 - 100mbit from realm 0x70000
     10mbit from realm ! 0x70000
P2 - 30mbit from realm 0x80000
     1mbit from realm ! 0x80000

For this I use marking by realm with iptables, like this:

iptables -t mangle -A FORWARD -i eth0.1 -m realm --realm 0x70000 -j MARK --set-mark 0x27
iptables -t mangle -A FORWARD -i eth0.2 -m realm --realm 0x80000 -j MARK --set-mark 0x28
iptables -t mangle -A FORWARD -i eth0.1 -m realm ! --realm 0x70000 -j MARK --set-mark 0x29
iptables -t mangle -A FORWARD -i eth0.2 -m realm ! --realm 0x80000 -j MARK --set-mark 0x2a

After this I classify them with:

iptables -t mangle -A POSTROUTING -o eth1 -m mark --mark 0x27 -j CLASSIFY --set-class 1:1
iptables -t mangle -A POSTROUTING -o eth1 -m mark --mark 0x29 -j CLASSIFY --set-class 1:2
iptables -t mangle -A POSTROUTING -o eth1 -m mark --mark 0x28 -j CLASSIFY --set-class 1:3
iptables -t mangle -A POSTROUTING -o eth1 -m mark --mark 0x2a -j CLASSIFY --set-class 1:4

So far, so good... Both HTB and HFSC are identical and look like this:

tc qdisc add dev eth1 root handle 1: htb default ffff
tc class add dev eth1 parent 1: classid 1:fffe htb rate 102400kbit ceil 102400kbit
tc class add dev eth1 parent 1:fffe classid 1:1 htb rate 97280kbit ceil 97280kbit
tc class add dev eth1 parent 1:fffe classid 1:2 htb rate 7168kbit ceil 7168kbit
tc class add dev eth1 parent 1:fffe classid 1:3 htb rate 10240kbit ceil 30720kbit
tc class add dev eth1 parent 1:fffe classid 1:4 htb rate 1024kbit ceil 1024kbit

And then filters per IP are attached for these classes.

The same is in the egress and everything seems to work, but after the applying of classes and filters the delay of ping from class 1:2 is jumping from:

time=1.60 ms
time=1.65 ms
time=1.91 ms
time=1.86 ms

to:

time=986.60 ms
time=1110.63 ms
time=1240.98 ms
time=857.34 ms

Please help, I cannot understand where the mistake is. I tried many ways to classify this traffic but something is wrong...

Any help is very appreciated

Thanks in advance

regards

From rvokal at redhat.com Thu Oct 6 15:37:21 2005
From: rvokal at redhat.com (Radek Vokál)
Date: Thu Oct 6 15:37:33 2005
Subject: [LARTC] buffer overflow in ip
Message-ID: <1128605841.30878.23.camel@localhost.localdomain>

This comes from iproute-ss050901, rebuilt on FC4 with -fortify-source option. Seems like ip has a buffer overflow which sometimes causes a segfault.. will try to look at it tomorrow, so far here's my gdb output.

$ gdb ip
GNU gdb Red Hat Linux (6.3.0.0-1.21rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) ip -6 route show dev eth1 via ::
Undefined command: "ip". Try "help".
(gdb) set args -6 route show dev eth1 via ::
(gdb) run
Starting program: /sbin/ip -6 route show dev eth1 via ::
Reading symbols from shared object read from target memory...done.
Loaded system supplied DSO at 0xffffe000
2001:470:1f01:1867::/80 metric 256 mtu 1500 advmss 1440 metric 10 4294967295
*** buffer overflow detected ***: /sbin/ip terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0x945c45]
/sbin/ip[0x804f877]
/sbin/ip[0x806114c]
/sbin/ip[0x804e707]
/sbin/ip[0x8049579]
/sbin/ip[0x8049a90]
/lib/libc.so.6(__libc_start_main+0xdf)[0x87cd5f]
/sbin/ip[0x8049431]
======= Memory map: ========

Program received signal SIGABRT, Aborted.
0xffffe410 in __kernel_vsyscall ()
(gdb) bt
#0  0xffffe410 in __kernel_vsyscall ()
#1  0x00890118 in raise () from /lib/libc.so.6
#2  0x00891888 in abort () from /lib/libc.so.6
#3  0x008c522a in __libc_message () from /lib/libc.so.6
#4  0x00945c45 in __chk_fail () from /lib/libc.so.6
#5  0x0804f877 in print_route (who=0xbfa67028, n=0xbfa636ac, arg=0x98d5e0) at iproute.c:219
#6  0x0806114c in rtnl_dump_filter (rth=0x806dc40, filter=0x804f51a , arg1=0x98d5e0, junk=0, arg2=0x0) at libnetlink.c:207
#7  0x0804e707 in iproute_list_or_flush (argc=Variable "argc" is not available.) at iproute.c:1219
#8  0x08049579 in do_cmd (argv0=0xbfa69b34 "route", argc=6, argv=0xbfa6816c) at ip.c:84
#9  0x08049a90 in main (argc=7, argv=0xbfa68168) at ip.c:225
#10 0x0087cd5f in __libc_start_main () from /lib/libc.so.6
#11 0x08049431 in _start ()

--
Radek Vokál

From admin at subnet.cc Thu Oct 6 19:57:43 2005
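An added example, not from this thread and not iproute2's own code, that isolates the defect behind the __chk_fail abort above: print_route() kept the address length in bits (host_len) but handed it to memcpy, which counts bytes, so an IPv6 route asked for 128 bytes into a 16-byte field. The struct layout, the address constants and the function names are assumptions made for illustration; the hardened copy bounds the request by both the destination size and the attribute's actual payload length.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <sys/socket.h>   /* AF_INET, AF_INET6 */

/* Assumed shape of the prefix object the copy targets: family plus 16 bytes of address.
   Field names are illustrative, not iproute2's. */
struct addr_prefix {
    int family;
    uint32_t data[4];
};

/* Address length in BITS, which is how host_len is defined in print_route(). */
int host_len_bits(int family)
{
    switch (family) {
    case AF_INET:  return 32;
    case AF_INET6: return 128;
    default:       return -1;   /* unknown family: length not known */
    }
}

/* The pre-patch mistake: host_len (bits) passed straight to memcpy (bytes).
   Returns how many bytes that call WOULD write; it does not perform the copy. */
size_t bytes_written_unpatched(int family)
{
    int host_len = host_len_bits(family);
    return host_len < 0 ? 0 : (size_t)host_len;
}

/* Hardened copy: convert bits to bytes, then refuse anything that would overrun
   the destination or over-read a short attribute (payload_len stands in for
   RTA_PAYLOAD() of the netlink attribute). Returns bytes copied, or -1. */
int copy_addr_checked(struct addr_prefix *dst, const void *payload,
                      size_t payload_len, int family)
{
    int host_len = host_len_bits(family);
    if (host_len < 0 || host_len % 8 != 0)
        return -1;                         /* unknown family or non-byte length */
    size_t want = (size_t)host_len / 8;
    if (want > sizeof(dst->data))
        return -1;                         /* would overrun the 16-byte field */
    if (want > payload_len)
        return -1;                         /* attribute shorter than the family implies */
    memset(dst, 0, sizeof(*dst));
    dst->family = family;
    memcpy(dst->data, payload, want);
    return (int)want;
}

int main(void)
{
    /* constructed IPv6 address bytes, not a real route from the report */
    uint8_t v6[16] = {0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1};
    struct addr_prefix via;

    printf("unpatched code would write %zu bytes into a %zu-byte field\n",
           bytes_written_unpatched(AF_INET6), sizeof(via.data));
    printf("checked copy wrote %d bytes\n",
           copy_addr_checked(&via, v6, sizeof v6, AF_INET6));
    return 0;
}
```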
From: admin at subnet.cc (Samuel Koscelansky / "SUBNET")
Date: Thu Oct 6 19:58:56 2005
Subject: [LARTC] HTB problem running on VLAN, not working
Message-ID: <004701c5ca9f$744c1080$1c1c43d9@floppy>

Hello.

I'm running linux box with Slackware 9.1 and compiled kernel 2.4.31 with "yes" to VLANs and "yes" to all QoS. On this box i have more ethernet interfaces:

eth0
eth1
eth2

and so as more vlan interfaces:

eth0.100
eth1.3
eth1.4

This is entrance (uplink) router to our whole network and my goal is to shape users on this machine. I want for this purpose use HTB so I write little test script, which is shaping all users as default traffic and my computer as unique class. This script is only for testing, if it all works well, but I caught on some problems.

Here is my test script:

#!/bin/bash
#
/sbin/tc qdisc del dev eth0 root
/sbin/tc qdisc add dev eth0 root handle 1: htb r2q 1
/sbin/tc qdisc del dev eth1 root
/sbin/tc qdisc add dev eth1 root handle 2: htb r2q 1
/sbin/tc qdisc del dev eth2 root
/sbin/tc qdisc add dev eth2 root handle 3: htb r2q 1
/sbin/tc qdisc del dev eth0.100 root
/sbin/tc qdisc add dev eth0.100 root handle 100: htb default 10 r2q 1
/sbin/tc qdisc del dev eth1.3 root
/sbin/tc qdisc add dev eth1.3 root handle 13: htb r2q 1
/sbin/tc qdisc del dev eth1.4 root
/sbin/tc qdisc add dev eth1.4 root handle 14: htb default 20 r2q 1

#classes for download
/sbin/tc class add dev eth0.100 parent 100: classid 100:1 htb rate 4000kbit quantum 6000
/sbin/tc class add dev eth0.100 parent 100:1 classid 100:2 htb rate 1000kbit quantum 6000
/sbin/tc qdisc add dev eth0.100 parent 100:2 handle 1002 pfifo limit 10
/sbin/tc class add dev eth0.100 parent 100:1 classid 100:3 htb rate 3000kbit quantum 6000
/sbin/tc qdisc add dev eth0.100 parent 100:3 handle 1003 pfifo limit 10

#classes for upload
/sbin/tc class add dev eth1.4 parent 14: classid 14:4 htb rate 4000kbit quantum 6000
/sbin/tc class add dev eth1.4 parent 14:4 classid 14:5 htb rate 1000kbit quantum 6000
/sbin/tc qdisc add dev eth1.4 parent 14:5 handle 145 pfifo limit 10
/sbin/tc class add dev eth1.4 parent 14:4 classid 14:6 htb rate 3000kbit quantum 6000
/sbin/tc qdisc add dev eth1.4 parent 14:6 handle 146 pfifo limit 10

#my pc testing class
#down
/sbin/tc class add dev eth0.100 parent 100:2 classid 100:2828 htb rate 1000kbit quantum 6000
/sbin/tc filter add dev eth0.100 parent 100: protocol ip prio 1 u32 match ip dst 217.67.28.28 classid 100:2828
/sbin/tc qdisc add dev eth0.100 parent 100:2828 handle 1002828 sfq perturb 10
#up
/sbin/tc class add dev eth1.4 parent 14:5 classid 14:2828 htb rate 1000kbit quantum 6000
/sbin/tc filter add dev eth1.4 parent 14: protocol ip prio 1 u32 match ip src 217.67.28.28 classid 14:2828
/sbin/tc qdisc add dev eth1.4 parent 14:2828 handle 142828 sfq perturb 10

#default classes
#down
/sbin/tc class add dev eth0.100 parent 100:1 classid 100:10 htb rate 3000kbit quantum 6000
/sbin/tc qdisc add dev eth0.100 parent 100:10 handle 10010 sfq perturb 10
#up
/sbin/tc class add dev eth1.4 parent 14:4 classid 14:20 htb rate 3000kbit quantum 6000
/sbin/tc qdisc add dev eth1.4 parent 14:20 handle 1420 sfq perturb 10

As you can see traffic goes through eth0.100 (this is uplink interface to our ISP) and through eth1.4 which belongs to interface to one part of our network and where my testing PC is situated. Other interfaces in this script are not used for now, this is due to simplify testing purposes.

When I run this script I get no errors and everything seems to be fine, but is not. My PC is served as default traffic and not as unique class. When I'd removed default from root classes then all traffic, including my PC, was served as root class traffic.
Here is dump from statistics:

### eth0: queueing disciplines
qdisc htb 1: r2q 1 default 0 direct_packets_stat 9500
 Sent 4585808 bytes 9500 pkts (dropped 0, overlimits 0)

### eth1: queueing disciplines
qdisc htb 2: r2q 1 default 0 direct_packets_stat 9782
 Sent 7806825 bytes 9782 pkts (dropped 0, overlimits 0)
 backlog 3p

### eth2: queueing disciplines
qdisc htb 3: r2q 1 default 0 direct_packets_stat 1
 Sent 78 bytes 1 pkts (dropped 0, overlimits 0)

### eth0.100: queueing disciplines
qdisc htb 100: r2q 1 default 10 direct_packets_stat 122
 Sent 4685336 bytes 9630 pkts (dropped 360, overlimits 9606)
 backlog 69p
qdisc pfifo 1003: parent 100:3 limit 10p
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 2828: parent 100:2828 quantum 1514b perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 10: parent 100:10 quantum 1514b perturb 10sec
 Sent 4631802 bytes 9501 pkts (dropped 360, overlimits 0)
 backlog 69p

### eth0.100: traffic classes
class htb 100:2828 parent 100:2 leaf 2828: prio 0 rate 1000Kbit ceil 1000Kbit burst 2879b cburst 2879b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 18432 ctokens: 18432
class htb 100:1 root rate 4000Kbit ceil 4000Kbit burst 6719b cburst 6719b
 Sent 4570697 bytes 9445 pkts (dropped 0, overlimits 0)
 rate 9078bps 22pps
 lended: 0 borrowed: 0 giants: 0
 tokens: 423 ctokens: 423
class htb 100:10 parent 100:1 leaf 10: prio 0 rate 3000Kbit ceil 3000Kbit burst 5439b cburst 5439b
 Sent 4637832 bytes 9519 pkts (dropped 360, overlimits 0)
 rate 9078bps 22pps backlog 74p
 lended: 9445 borrowed: 0 giants: 0
 tokens: -11928 ctokens: -11928
class htb 100:2 parent 100:1 rate 1000Kbit ceil 1000Kbit burst 2879b cburst 2879b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 18432 ctokens: 18432
class htb 100:3 parent 100:1 leaf 1003: prio 0 rate 3000Kbit ceil 3000Kbit burst 5439b cburst 5439b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 11604 ctokens: 11604

### eth0.100: filtering rules
filter parent 100: protocol ip pref 1 u32
filter parent 100: protocol ip pref 1 u32 fh 800: ht divisor 1
filter parent 100: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 100:2828
  match d9431c1c/ffffffff at 16

### eth1.3: queueing disciplines
qdisc htb 13: r2q 1 default 0 direct_packets_stat 3
 Sent 218 bytes 3 pkts (dropped 0, overlimits 0)

### eth1.4: queueing disciplines
qdisc htb 14: r2q 1 default 20 direct_packets_stat 74
 Sent 4726451 bytes 5889 pkts (dropped 49, overlimits 6433)
 backlog 56p
qdisc pfifo 146: parent 14:6 limit 10p
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 2828: parent 14:2828 quantum 1518b perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 1420: parent 14:20 quantum 1518b perturb 10sec
 Sent 4654955 bytes 5813 pkts (dropped 49, overlimits 0)
 backlog 56p

### eth1.4: traffic classes
class htb 14:2828 parent 14:5 leaf 2828: prio 0 rate 1000Kbit ceil 1000Kbit burst 2879b cburst 2879b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 18432 ctokens: 18432
class htb 14:20 parent 14:4 leaf 1420: prio 0 rate 3000Kbit ceil 3000Kbit burst 5439b cburst 5439b
 Sent 4673585 bytes 5836 pkts (dropped 49, overlimits 0)
 rate 22696bps 26pps backlog 67p
 lended: 5769 borrowed: 0 giants: 0
 tokens: -12404 ctokens: -12404
class htb 14:4 root rate 4000Kbit ceil 4000Kbit burst 6719b cburst 6719b
 Sent 4623310 bytes 5769 pkts (dropped 0, overlimits 0)
 rate 46832bps 57pps
 lended: 0 borrowed: 0 giants: 0
 tokens: -928 ctokens: -928
class htb 14:5 parent 14:4 rate 1000Kbit ceil 1000Kbit burst 2879b cburst 2879b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 18432 ctokens: 18432
class htb 14:6 parent 14:4 leaf 146: prio 0 rate 3000Kbit ceil 3000Kbit burst 5439b cburst 5439b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 11604 ctokens: 11604

### eth1.4: filtering rules
filter parent 14: protocol ip pref 1 u32
filter parent 14: protocol ip pref 1 u32 fh 800: ht divisor 1
filter parent 14: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 14:2828
  match d9431c1c/ffffffff at 12

From these statistics you can see that all traffic is served in default class, but why? Anyone can help me or give some answers? In forward to you, thanks a lot! :)

PS. lsmod:

Module                  Size  Used by    Not tainted
cls_route               4056   0  (unused)
cls_u32                 4668   2
cls_fw                  2392   0  (unused)
sch_sfq                 3392   4
sch_htb                19648   6
ipt_state                504   1  (autoclean)
ip_conntrack           29960   0  (autoclean) [ipt_state]
iptable_filter          1644   1  (autoclean)
ip_tables              14688   2  [ipt_state iptable_filter]
8021q                  14056   3  (autoclean)
ide-scsi                9296   0
scsi_mod               73832   1  [ide-scsi]
8139too                13960   2
mii                     2304   0  [8139too]
tg3                    57992   1
agpgart                37496   0  (unused)

ip ro sh:

217.67.31.0/30 dev eth1.3 proto kernel scope link src 217.67.31.1
217.67.31.4/30 via 217.67.28.250 dev eth1.4 proto zebra metric 110 equalize
217.67.16.108/30 dev eth0.100 proto kernel scope link src 217.67.16.110
217.67.28.252/30 via 217.67.28.58 dev eth1 proto zebra metric 110 equalize
217.67.28.248/30 dev eth1.4 proto kernel scope link src 217.67.28.249
217.67.28.88/29 via 217.67.28.58 dev eth1 proto zebra metric 20 equalize
217.67.28.80/29 dev eth2 proto kernel scope link src 217.67.28.81
217.67.28.72/29 via 217.67.28.250 dev eth1.4 proto zebra metric 20 equalize
217.67.28.64/29 via 217.67.28.250 dev eth1.4 proto zebra metric 20 equalize
217.67.28.112/29 via 217.67.28.250 dev eth1.4 proto zebra metric 210 equalize
217.67.28.104/29 via 217.67.28.250 dev eth1.4 proto zebra metric 110 equalize
217.67.28.96/29 via 217.67.28.58 dev eth1 proto zebra metric 20 equalize
217.67.28.24/29 via 217.67.28.250 dev eth1.4 proto zebra metric 110 equalize
217.67.28.16/29 via 217.67.28.250 dev eth1.4 proto zebra metric 110 equalize
217.67.28.8/29 via 217.67.28.250 dev eth1.4 proto zebra metric 200 equalize
217.67.28.0/29 via 217.67.28.58 dev eth1 proto zebra metric 20 equalize
217.67.28.56/29 dev eth1 proto kernel scope link src 217.67.28.57
217.67.28.48/29 via 217.67.28.58 dev eth1 proto zebra metric 20 equalize
217.67.28.40/29 via 217.67.28.250 dev eth1.4 proto zebra metric 210 equalize
217.67.28.32/29 via 217.67.28.250 dev eth1.4 proto zebra metric 120 equalize
10.101.5.0/24 via 217.67.28.58 dev eth1 proto zebra metric 110 equalize
10.101.4.0/24 via 217.67.28.250 dev eth1.4 proto zebra metric 120 equalize
10.101.7.0/24 via 217.67.28.250 dev eth1.4 proto zebra metric 20 equalize
10.101.6.0/24 via 217.67.28.250 dev eth1.4 proto zebra metric 210 equalize
10.101.1.0/24 via 217.67.28.250 dev eth1.4 proto zebra metric 110 equalize
10.101.0.0/24 via 217.67.28.58 dev eth1 proto zebra metric 20 equalize
10.255.20.0/24 dev eth1 proto kernel scope link src 10.255.20.1
10.101.2.0/24 via 217.67.28.250 dev eth1.4 proto zebra metric 110 equalize
10.255.10.0/24 dev eth0.100 proto kernel scope link src 10.255.10.1
10.101.8.0/24 via 217.67.28.250 dev eth1.4 proto zebra metric 20 equalize
192.168.172.0/24 dev eth0 proto kernel scope link src 192.168.172.1
127.0.0.0/8 dev lo scope link
default via 217.67.16.109 dev eth0.100

Network segment 217.67.28.24/29, where my test PC is also situated, is not directly attached to this router and I'm using ospf as routing protocol.
I've also tried to set these flags on the VLANs:

vconfig set_flag eth0.100 1 1
vconfig set_flag eth1.3 1 1
vconfig set_flag eth1.4 1 1

VLAN Dev name | VLAN ID
Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD
eth0.100 | 100 | eth0
eth1.3 | 3 | eth1
eth1.4 | 4 | eth1

eth0.100 VID: 100 REORDER_HDR: 1 dev->priv_flags: 1
 total frames received: 38218094
 total bytes received: 3919770540
 Broadcast/Multicast Rcvd: 0
 total frames transmitted: 40429222
 total bytes transmitted: 1882231869
 total headroom inc: 0
 total encap on xmit: 0
Device: eth0
INGRESS priority mappings: 0:0 1:0 2:0 3:0 4:0 5:0 6:0 7:0
EGRESSS priority Mappings:

eth1.4 VID: 4 REORDER_HDR: 1 dev->priv_flags: 1
 total frames received: 14211699
 total bytes received: 223220948
 Broadcast/Multicast Rcvd: 8471
 total frames transmitted: 13202004
 total bytes transmitted: 4187683963
 total headroom inc: 0
 total encap on xmit: 13202004
Device: eth1
INGRESS priority mappings: 0:0 1:0 2:0 3:0 4:0 5:0 6:0 7:0
EGRESSS priority Mappings:

eof~

From crosero at uaa.edu Thu Oct 6 23:40:19 2005
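An added example, not part of the original post or of tc: a small checker that reads the "tc -s class show" and "tc filter show" dumps above and reports filters whose target class carried no bytes, which is the symptom shown (100:2828 at 0 bytes while the default class 100:10 absorbs everything). The sample text is a constructed, trimmed copy of the eth0.100 statistics posted here; the function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CLASSES 32
#define ID_LEN 32

struct class_stat {
    char id[ID_LEN];
    unsigned long sent_bytes;
};

/* Constructed sample: the eth0.100 class lines from the dump above, one per line as
   "tc -s class show dev eth0.100" prints them (trimmed to the fields used here). */
static const char SAMPLE_CLASSES[] =
    "class htb 100:2828 parent 100:2 leaf 2828: prio 0 rate 1000Kbit ceil 1000Kbit burst 2879b cburst 2879b\n"
    " Sent 0 bytes 0 pkts (dropped 0, overlimits 0)\n"
    " lended: 0 borrowed: 0 giants: 0\n"
    "class htb 100:1 root rate 4000Kbit ceil 4000Kbit burst 6719b cburst 6719b\n"
    " Sent 4570697 bytes 9445 pkts (dropped 0, overlimits 0) rate 9078bps 22pps\n"
    "class htb 100:10 parent 100:1 leaf 10: prio 0 rate 3000Kbit ceil 3000Kbit burst 5439b cburst 5439b\n"
    " Sent 4637832 bytes 9519 pkts (dropped 360, overlimits 0) rate 9078bps 22pps backlog 74p\n"
    "class htb 100:2 parent 100:1 rate 1000Kbit ceil 1000Kbit burst 2879b cburst 2879b\n"
    " Sent 0 bytes 0 pkts (dropped 0, overlimits 0)\n"
    "class htb 100:3 parent 100:1 leaf 1003: prio 0 rate 3000Kbit ceil 3000Kbit burst 5439b cburst 5439b\n"
    " Sent 0 bytes 0 pkts (dropped 0, overlimits 0)\n";

/* Constructed sample: the eth0.100 filter lines from the same dump. */
static const char SAMPLE_FILTERS[] =
    "filter parent 100: protocol ip pref 1 u32\n"
    "filter parent 100: protocol ip pref 1 u32 fh 800: ht divisor 1\n"
    "filter parent 100: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 100:2828\n"
    "  match d9431c1c/ffffffff at 16\n";

/* Walk the class dump: every "class htb <id>" header is followed by its own "Sent <n> bytes" line. */
int parse_classes(const char *text, struct class_stat *out, int max)
{
    int n = 0;
    const char *p = text;
    while (n < max && (p = strstr(p, "class htb ")) != NULL) {
        p += strlen("class htb ");
        if (sscanf(p, "%31s", out[n].id) != 1)
            break;
        out[n].sent_bytes = 0;
        const char *sent = strstr(p, "Sent ");
        const char *next = strstr(p, "class htb ");
        /* only accept a "Sent" that precedes the next class header, i.e. belongs to this class */
        if (sent && (!next || sent < next))
            sscanf(sent, "Sent %lu", &out[n].sent_bytes);
        n++;
    }
    return n;
}

/* Bytes sent by one class id, or -1 if the class is absent from the dump. */
long class_sent(const char *class_text, const char *id)
{
    struct class_stat cs[MAX_CLASSES];
    int n = parse_classes(class_text, cs, MAX_CLASSES);
    for (int i = 0; i < n; i++)
        if (strcmp(cs[i].id, id) == 0)
            return (long)cs[i].sent_bytes;
    return -1;
}

/* Count filters whose target class (flowid) never received a byte, or does not exist:
   either way the filter is not steering traffic where the script intended. */
int unmatched_filter_targets(const char *class_text, const char *filter_text)
{
    int unmatched = 0;
    const char *p = filter_text;
    while ((p = strstr(p, "flowid ")) != NULL) {
        char id[ID_LEN];
        p += strlen("flowid ");
        if (sscanf(p, "%31s", id) != 1)
            break;
        if (class_sent(class_text, id) <= 0)
            unmatched++;
    }
    return unmatched;
}

int main(void)
{
    printf("default class 100:10 sent %ld bytes\n", class_sent(SAMPLE_CLASSES, "100:10"));
    printf("filters whose target class saw no traffic: %d\n",
           unmatched_filter_targets(SAMPLE_CLASSES, SAMPLE_FILTERS));
    return 0;
}
```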
From: crosero at uaa.edu (Carlos Rosero)
Date: Thu Oct 6 23:24:19 2005
Subject: [LARTC] Problems with ipp2p
Message-ID: <200510062124.j96LOW37014890@mail.uaa.edu>

Hello every body:

I have RedHat fedora core 2 machine, using iptables and squid. I am having a lot of problems with peer2peer traffic (bittorrent, kazaa, etc.) so I have installed ipp2p from rpm. Everything was ok until I use iptables rules. I get this error.

[root@router iptables]# iptables -A INPUT -p tcp -m ipp2p --ipp2p -j DROP
iptables: No chain/target/match by that name

same as:

iptables -A FORWARD -m ipp2p --ipp2p -j MARK --set-mark 0x01
iptables -A FORWARD -m ipp2p --udp --kazaa --bit -j DROP
iptables -A FORWARD -m ipp2p --tcp --edk --soul -j DROP

same error. but if I use iptables -m ipp2p -help I get the help page:

[root@router iptables]# iptables -m ipp2p --help
iptables v1.2.9

Usage: iptables -[AD] chain rule-specification [options]
       iptables -[RI] chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
.
IPP2P v0.7.1 options:
  --ipp2p        Grab all known p2p packets
  --ipp2p-data   Identify all known p2p download commands (obsolete)
  --edk          [TCP&UDP] All known eDonkey/eMule/Overnet packets
  --dc           [TCP] All known Direct Connect packets
.

So I don't know what is wrong.

My system:

[root@router iptables]# cat /proc/version
Linux version 2.6.10-1.771_FC2smp (bhcompile@porky.build.redhat.com) (gcc version 3.3.3 20040412 (Red Hat Linux 3.3.3-7)) #1 SMP Mon Mar 28 01:10:51 EST 2005

Iptables version iptables-1.2.9-2.3.1

Thanks.

Carlos

From Andreas.Klauer at metamorpher.de Thu Oct 6 23:37:44 2005
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Thu Oct 6 23:37:14 2005
Subject: [LARTC] Problems with ipp2p
In-Reply-To: <200510062124.j96LOW37014890@mail.uaa.edu>
References: <200510062124.j96LOW37014890@mail.uaa.edu>
Message-ID: <200510062337.44207.Andreas.Klauer@metamorpher.de>

On Thursday 06 October 2005 23:40, Carlos Rosero wrote:
> iptables: No chain/target/match by that name
> but if I use iptables -m ipp2p -help I get the help page:
> So I don't know what is wrong.

The help page is provided by the iptables module, but the functionality is in the kernel, so I guess the error message means the kernel module is not loaded. I can't check right now, but I think it was called ipt_ipp2p.

HTH
Andreas

From rvokal at redhat.com Fri Oct 7 07:31:32 2005
From: rvokal at redhat.com (Radek Vokál)
Date: Fri Oct 7 07:31:44 2005
Subject: [LARTC] buffer overflow in ip
In-Reply-To: <1128605841.30878.23.camel@localhost.localdomain>
References: <1128605841.30878.23.camel@localhost.localdomain>
Message-ID: <1128663092.9501.1.camel@localhost.localdomain>

This patch fixes the problem

--- iproute2-ss050901/ip/iproute.c~ 2005-09-01 14:21:50.000000000 -0500
+++ iproute2-ss050901/ip/iproute.c 2005-10-06 21:30:36.000000000 -0500
@@ -216,13 +216,13 @@ int print_route(const struct sockaddr_nl memset(&via, 0, sizeof(via)); via.family = r->rtm_family; if (tb[RTA_GATEWAY]) - memcpy(&via.data, RTA_DATA(tb[RTA_GATEWAY]), host_len); + memcpy(&via.data, RTA_DATA(tb[RTA_GATEWAY]), host_len/8); } if (filter.rprefsrc.bitlen>0) { memset(&prefsrc, 0, sizeof(prefsrc)); prefsrc.family = r->rtm_family; if (tb[RTA_PREFSRC]) - memcpy(&prefsrc.data, RTA_DATA(tb[RTA_PREFSRC]), host_len); + memcpy(&prefsrc.data, RTA_DATA(tb[RTA_PREFSRC]), host_len/8); } if (filter.rdst.family && inet_addr_match(&dst, &filter.rdst, filter.rdst.bitlen))

host_len should be divided by 8, as its units are bits, whereas memcpy uses byte units.

On Thu, 2005-10-06 at 15:37 +0200, Radek Vokál wrote:
> This comes from iproute-ss050901, rebuilt on FC4 with -fortify-source
> option. Seems like ip has a buffer overflow which sometimes causes a
> segfault..
>
> will try to look at it tomorrow, so far here's my gdb output.

--
Radek Vokál

From devin at freeshell.org Fri Oct 7 08:23:04 2005
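Review bot: both memcpy calls in this hunk still take their byte count from host_len rather than from the attribute that is actually being copied, so a short or malformed RTA_GATEWAY or RTA_PREFSRC attribute would be over-read even after the /8 fix; bound the copy by the attribute's real length and the destination size, for instance `memcpy(&via.data, RTA_DATA(tb[RTA_GATEWAY]), RTA_PAYLOAD(tb[RTA_GATEWAY]))` guarded by a check that the payload does not exceed sizeof(via.data). The bare `/8` also deserves a comment saying host_len is in bits, and if host_len can ever be negative or not a multiple of 8 for some family, that case should be rejected explicitly rather than silently truncated by integer division.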
From: devin at freeshell.org (Devin Bayer)
Date: Fri Oct 7 08:23:40 2005
Subject: [LARTC] dynamic gateways
Message-ID: <8F2873B1-BEA0-4AF5-8A2A-A9196B256214@freeshell.org>

Hello. I'm glad this list is finally back up. Good job whoever is responsible.

I wanted to ask this question months ago because it would save a fair amount of work. But I'm still curious about implementing this idea: All replies will be routed back through the same host they entered from, instead of the default gateway.

This is similar to the idea described in the LARTC HOWTO section 4.2.1: Split access. The HOWTO describes automatically associating the source address of incoming packets with the gateway they entered in and using those associations for replies. The difference is that instead of the gateways being statically defined, whenever a packet is received the previous hop is added as a gateway. It would also have to be connection-oriented, not address-oriented.

So what are people's ideas on this? I couldn't find it being done before, but it seems to only make sense. It's just something I was thinking over to help ease the administration of the situation with multiple gateways. It would become basically config-less if this was all dynamic.

- Devin Bayer

From gjnardoni at yahoo.com.ar Fri Oct 7 14:47:22 2005
From: gjnardoni at yahoo.com.ar (Guillermo Javier Nardoni)
Date: Fri Oct 7 14:50:35 2005
Subject: [LARTC] Problems with ipp2p
References: <200510062124.j96LOW37014890@mail.uaa.edu>
Message-ID: <00cf01c5cb3e$0cb84160$b80010ac@ripst>

Hello there, maybe you should use:

iptables -t nat -A PREROUTING -p tcp -i $DEV_IN -m ipp2p --ipp2p -j DROP
iptables -t nat -A POSTROUTING -p tcp -o $DEV_OUT -m ipp2p --ipp2p -j DROP

I had some issues trying ipp2p, but when I just put -t nat or -t mangle or even -t filter (default for iptables, I guess) it worked very nice

regards
guillermo from argentina

P.S.: Sorry Andrea, I swear I was sending an email to the mailing list instead of you.-

----- Original Message -----
From: Carlos Rosero
To: lartc@mailman.ds9a.nl
Sent: Thursday, October 06, 2005 6:40 PM
Subject: [LARTC] Problems with ipp2p

Hello every body:

I have RedHat fedora core 2 machine, using iptables and squid. I am having a lot of problems with peer2peer traffic (bittorrent, kazaa, etc.) so I have installed ipp2p from rpm. Everything was ok until I use iptables rules. I get this error.

[root@router iptables]# iptables -A INPUT -p tcp -m ipp2p --ipp2p -j DROP
iptables: No chain/target/match by that name

same as:

iptables -A FORWARD -m ipp2p --ipp2p -j MARK --set-mark 0x01
iptables -A FORWARD -m ipp2p --udp --kazaa --bit -j DROP
iptables -A FORWARD -m ipp2p --tcp --edk --soul -j DROP

same error. but if I use iptables -m ipp2p -help I get the help page:

[root@router iptables]# iptables -m ipp2p --help
iptables v1.2.9

Usage: iptables -[AD] chain rule-specification [options]
       iptables -[RI] chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
.
IPP2P v0.7.1 options:
  --ipp2p        Grab all known p2p packets
  --ipp2p-data   Identify all known p2p download commands (obsolete)
  --edk          [TCP&UDP] All known eDonkey/eMule/Overnet packets
  --dc           [TCP] All known Direct Connect packets
.

So I don't know what is wrong.

My system:

[root@router iptables]# cat /proc/version
Linux version 2.6.10-1.771_FC2smp (bhcompile@porky.build.redhat.com) (gcc version 3.3.3 20040412 (Red Hat Linux 3.3.3-7)) #1 SMP Mon Mar 28 01:10:51 EST 2005

Iptables version iptables-1.2.9-2.3.1

Thanks.

Carlos

------------------------------------------------------------------------------
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From crosero at uaa.edu Fri Oct 7 15:29:00 2005
From: crosero at uaa.edu (Carlos Rosero)
Date: Fri Oct 7 15:12:53 2005
Subject: [LARTC] Problems with ipp2p
In-Reply-To: <200510062337.44207.Andreas.Klauer@metamorpher.de>
Message-ID: <200510071313.j97DDDxd022041@mail.uaa.edu>

Thanks for the advice, how do I know if the kernel module is loaded?, and how do I load the module?.

Thanks.

On Thursday 06 October 2005 23:40, Carlos Rosero wrote:
> iptables: No chain/target/match by that name
> but if I use iptables -m ipp2p -help I get the help page:
> So I don't know what is wrong.

The help page is provided by the iptables module, but the functionality is in the kernel, so I guess the error message means the kernel module is not loaded. I can't check right now, but I think it was called ipt_ipp2p.

From rob0 at gmx.co.uk Fri Oct 7 15:37:09 2005
From: rob0 at gmx.co.uk (/dev/rob0)
Date: Fri Oct 7 15:37:17 2005
Subject: [LARTC] Problems with ipp2p
In-Reply-To: <200510071313.j97DDDxd022041@mail.uaa.edu>
References: <200510071313.j97DDDxd022041@mail.uaa.edu>
Message-ID: <200510070837.09889.rob0@gmx.co.uk>

On Friday 2005-October-07 08:29, Carlos Rosero wrote:
> Thanks for the advice, how do I know if the kernel module is loaded?,

lsmod(8)

> and how do I load the module?.

modprobe(8)

I *strongly* urge you to take some time to acquaint yourself with the OS. You're trying to secure your network against abuse from within; this is normally a problem best handled on the political/social level. If you want to try to address it as a technical issue, you absolutely must know more about it than your users do. Start with Fedora documentation and branch out into applications and generic documentation as needed.

--
mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header

From bclark at eccotours.dyndns.org Fri Oct 7 18:28:14 2005
From: bclark at eccotours.dyndns.org (Brent Clark)
Date: Fri Oct 7 18:28:16 2005
Subject: [LARTC] How would this help my LAN / network
Message-ID: <4346A21E.7090102@eccotours.dyndns.org>

Hi all

I just came across one of the threads on the LARTC. In the thread it had this. So my question is, for the following rules, would these increase my browsing / traffic, and if so, how.

iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 0:128 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 128: -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 20 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 21 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 22 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p udp -m udp --sport 53 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p udp -m udp --sport 123 -j TOS --set-tos Minimize-Delay

Out of interest, can I use this on the FORWARD? If so, would it be best in the PREROUTING, or the FORWARD? Bearing in mind that this is for a natting FW. I have a private LAN behind the FW; I basically would like to try and speed things up for my users.

If someone would take the time to briefly explain this to me, I would be most grateful.

Kind Regards
Brent Clark

From Andreas.Klauer at metamorpher.de Fri Oct 7 18:45:13 2005
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Fri Oct 7 18:44:40 2005
Subject: [LARTC] How would this help my LAN / network
In-Reply-To: <4346A21E.7090102@eccotours.dyndns.org>
References: <4346A21E.7090102@eccotours.dyndns.org>
Message-ID: <200510071845.13766.Andreas.Klauer@metamorpher.de>

On Friday 07 October 2005 18:28, Brent Clark wrote:
> So my question is, for the following rules, would these increase my
> browsing / traffic, and if so, how.

I use something similar in my script... but it's useless to change TOS by itself, because this setting is pretty much ignored everywhere. So changing TOS alone won't do anything. However, if you're using this together with some scheduler that uses the TOS setting to classify packets (like PRIO qdisc), it can for example affect the order in which the packets are going out the net.

HTH
Andreas

From sd_linux at earnware.com Fri Oct 7 19:42:22 2005
From: sd_linux at earnware.com (Sean Dwyer)
Date: Fri Oct 7 19:42:34 2005
Subject: [LARTC] Error in "15.10 Example of full nat solution with QoS"?
Message-ID: <260150-220051057174222162@earnware.com>

On Wednesday 05 October 2005 18:30, Sean Dwyer wrote:
> Near the end of section 15.10, the following commands are shown for prioritizing SYN packets:
>
> iptables -t mangle -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x1
> iptables -t mangle -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
>
> Shouldn't the "-I" option really be "-A"? Like so:
>
> iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x1
> iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
>
> Won't using "-I" cause these entries to be inserted at the top of the chain, putting the RETURN
> before the MARK is set? Maybe I'm missing something.

Does anybody who maintains lartc.org read this mailing list?

From shemminger at osdl.org Sat Oct 8 00:43:44 2005
From: shemminger at osdl.org (Stephen Hemminger) Date: Sat Oct 8 00:47:25 2005 Subject: [LARTC] [ANNOUNCE] iproute2 (051007) Message-ID: <20051007154344.400dd82b@dxpl.pdx.osdl.net>

Fix one serious bug (in libnetlink), and a couple of other minor patches.

http://developer.osdl.org/dev/iproute2/download/iproute2-051007.tar.gz

Stephen Hemminger
Reenable ip mroute

Mike Frysinger
Handle pfifo_fast that has no qopt without segfaulting

Mads Martin Joergensen
Trivial netem ccopts

Jerome Borsboom
Fix regression in ip addr (libnetlink) handling

-- Stephen Hemminger OSDL http://developer.osdl.org/~shemminger

From psihozefir at yahoo.com Sat Oct 8 10:48:20 2005
From: psihozefir at yahoo.com (panca sorin) Date: Sat Oct 8 10:48:29 2005 Subject: [LARTC] [ANNOUNCE] iproute2 (051007) In-Reply-To: <20051007154344.400dd82b@dxpl.pdx.osdl.net> Message-ID: <20051008084821.35994.qmail@web32602.mail.mud.yahoo.com>

Hi!

--- Stephen Hemminger wrote:
> Fix one serious bug (in libnetlink), and a couple of other minor patches.
> http://developer.osdl.org/dev/iproute2/download/iproute2-051007.tar.gz
> Stephen Hemminger
> Reenable ip mroute
> Mike Frysinger
> Handle pfifo_fast that has no qopt without segfaulting

This means it can be used as a leaf qdisc? When I tried to use it like that it segfaulted. That made me stay with sfq.

> Mads Martin Joergensen
> Trivial netem ccopts
> Jerome Borsboom
> Fix regression in ip addr (libnetlink) handling
> -- Stephen Hemminger OSDL http://developer.osdl.org/~shemminger

Thank you for your post!

__________________________________ Yahoo! Mail - PC Magazine Editors' Choice 2005 http://mail.yahoo.com

From lartc at wcsl.net Sat Oct 8 23:21:34 2005
From: lartc at wcsl.net (Steve Wakelin) Date: Sat Oct 8 23:22:25 2005 Subject: [LARTC] Two Output Gateways Message-ID: <000701c5cc4e$56e26480$c702a8c0@wcsl.local>

Hello,

Currently running Kernel 2.4.31 with iptables 1.3.3

+----+
| R1 |-------+
+----+       |    +----+
             +----| S1 |
+----+       |    +----+
| R2 |-------+
+----+

Scenario
Two internet connections coming into R1 and R2
R1 and R2 both connect to internal destination server S1
Due to software restrictions have to use one default route.
Simple script to validate gw availability and swap if necessary

Requirements
Returning traffic from incoming connections over the same router as where it originated.

i.e. If the default gateway is set to be R1, incoming connections are fine if originated on connection R1. However connections initiated through R2 time out.

Have tried numerous combinations of iptables, iproute2 and cannot get it to work.

Is it possible to mark which router the traffic originated and push the return traffic over that router for instance?

Any help greatly appreciated.

Regards
/Steve

From andy.furniss at dsl.pipex.com Sun Oct 9 02:27:50 2005
From: andy.furniss at dsl.pipex.com (Andy Furniss) Date: Sun Oct 9 02:27:58 2005 Subject: [LARTC] HTB problem running on VLAN, not working In-Reply-To: <004701c5ca9f$744c1080$1c1c43d9@floppy> References: <004701c5ca9f$744c1080$1c1c43d9@floppy> Message-ID: <43486406.6060603@dsl.pipex.com>

Samuel Koscelansky / "SUBNET" wrote:

I tested shaping on vlan and it seems OK for me (even though my switch doesn't do vlan it doesn't seem to block oversize frames).

I noticed a few things with your setup -

> #classes for download
> /sbin/tc class add dev eth0.100 parent 100: classid 100:1 htb rate 4000kbit quantum 6000
>
> /sbin/tc class add dev eth0.100 parent 100:1 classid 100:2 htb rate 1000kbit quantum 6000
> /sbin/tc qdisc add dev eth0.100 parent 100:2 handle 1002 pfifo limit 10

You attach pfifo as if 100:2 is a leaf class here

>
> #my pc testing class
> #down
> /sbin/tc class add dev eth0.100 parent 100:2 classid 100:2828 htb rate 1000kbit quantum 6000
> /sbin/tc filter add dev eth0.100 parent 100: protocol ip prio 1 u32 match ip dst 217.67.28.28 classid 100:2828
> /sbin/tc qdisc add dev eth0.100 parent 100:2828 handle 1002828 sfq perturb 10

But have it as a parent here, also I think the handle on sfq is too big and if eth0.100 is to your ISP then dst should be changed to src in the match.

Andy.

From jorge at inway.cz Sun Oct 9 02:35:32 2005
From: jorge at inway.cz (choros) Date: Sun Oct 9 02:35:30 2005 Subject: [LARTC] readable tc -s filter show dev X Message-ID: <434865D4.90900@inway.cz>

Hi everybody,

I think somebody here should have encountered the same problem as me. :-) I have a problem with the output of the command tc -s filter show dev X: for a start I don't fully understand all the descriptions such as fh and divisor, and the IP address is in hex. My question is if somebody has written some converter to convert these hex numbers to normal IP numbers.

Thanks.

Jorge Sanchez

From andy.furniss at dsl.pipex.com Sun Oct 9 03:02:28 2005
From: andy.furniss at dsl.pipex.com (Andy Furniss) Date: Sun Oct 9 03:02:27 2005 Subject: [LARTC] Error in "15.10 Example of full nat solution with QoS"? In-Reply-To: <260150-220051057174222162@earnware.com> References: <260150-220051057174222162@earnware.com> Message-ID: <43486C24.5050507@dsl.pipex.com> Sean Dwyer wrote: > On Wednesday 05 October 2005 18:30, Sean Dwyer wrote: > >>Near the end of section 15.10, the following commands are shown for prioritizing SYN packets: >> >> iptables -t mangle -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x1 >> iptables -t mangle -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN >> >>Shouldn't the "-I" option really be "-A"? Like so: >> >> iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x1 >> iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN >> >>Won't using "-I" cause these entries to be inserted at the top of the chain, putting the RETURN >>before the MARK is set? Maybe I'm missing something. > > > Does anybody who maintains lartc.org read this mailing list? I doubt if Bert reads every or maybe any post - I agree about the -I being wrong. The LARTC hasn't been changed for a while but will be someday I guess. There is going to be a wiki soon - there is already a new one for Linux-net http://linux-net.osdl.org/ . Andy. From lists at llondel.org Sun Oct 9 09:45:56 2005 
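Sean's reading of the HOWTO's "-I" and Andy's agreement can be checked without a kernel. The following is an added example, not code from the HOWTO or from either post: it models only the two iptables behaviours that matter here (-A appends a rule at the end of a chain, -I without a position inserts it at the top, and a chain is walked top to bottom where MARK continues and RETURN stops) and runs the HOWTO's two SYN rules, in both orders, against constructed packets. It also shows the variant that keeps -I, which the HOWTO presumably used so that the SYN rules land ahead of rules already in the chain.

```python
"""Why "-I" breaks the SYN-marking pair from LARTC section 15.10.

Added example; not from the HOWTO or the posts. It models just the two
iptables behaviours at issue: -A appends a rule at the end of a chain,
-I inserts it at the top, and a chain is walked top to bottom where MARK
continues and RETURN stops. The two rules are the HOWTO's; the packets
are constructed.
"""

SYN, RST, ACK = 0x02, 0x04, 0x10

def syn_only(pkt):
    """--tcp-flags SYN,RST,ACK SYN: of SYN, RST and ACK, exactly SYN is set."""
    return pkt["flags"] & (SYN | RST | ACK) == SYN

# the two rules as (match, target, argument)
MARK_SYN = (syn_only, "MARK", 0x1)
RETURN_SYN = (syn_only, "RETURN", None)

def build_chain(commands):
    """commands: sequence of ("-A" | "-I", rule) in the order they were typed."""
    chain = []
    for flag, rule in commands:
        if flag == "-A":
            chain.append(rule)
        elif flag == "-I":              # "iptables -I CHAIN rule" means position 1
            chain.insert(0, rule)
        else:
            raise ValueError(flag)
    return chain

def traverse(chain, pkt):
    """fwmark the packet carries after the chain (0 if it was never marked)."""
    mark = 0
    for match, target, arg in chain:
        if not match(pkt):
            continue
        if target == "MARK":
            mark = arg                   # non-terminating target, keep walking
        elif target == "RETURN":
            break                        # leave the chain here
    return mark

def mark_for(commands, pkt):
    return traverse(build_chain(commands), pkt)

AS_PRINTED = [("-I", MARK_SYN), ("-I", RETURN_SYN)]       # as in the HOWTO text
WITH_APPEND = [("-A", MARK_SYN), ("-A", RETURN_SYN)]      # Sean's proposal
# keeping -I (to land ahead of rules already in the chain) also works if the
# RETURN is inserted first, so that the MARK ends up above it
INSERT_REVERSED = [("-I", RETURN_SYN), ("-I", MARK_SYN)]

SYN_PKT = {"flags": SYN}      # constructed: first packet of a connection
ACK_PKT = {"flags": ACK}      # constructed: any later packet

if __name__ == "__main__":
    for name, cmds in (("-I as printed", AS_PRINTED), ("-A", WITH_APPEND),
                       ("-I reversed", INSERT_REVERSED)):
        print("%-14s SYN mark=%d  ACK mark=%d" % (name, mark_for(cmds, SYN_PKT),
                                                  mark_for(cmds, ACK_PKT)))
```

With the commands as printed, the chain reads RETURN then MARK, so a SYN leaves the chain unmarked and the "prioritise SYN" class never sees it; the other two orders mark it.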
From: lists at llondel.org (David Hough) Date: Sun Oct 9 09:46:00 2005 Subject: [LARTC] Two Output Gateways In-Reply-To: <000701c5cc4e$56e26480$c702a8c0@wcsl.local> References: <000701c5cc4e$56e26480$c702a8c0@wcsl.local> Message-ID: <1128843956.8742.18.camel@robinton.llondel.org>

On Sat, 2005-10-08 at 22:21 +0100, Steve Wakelin wrote:
> Hello,
>
> Is it possible to mark which router the traffic originated and push the
> return traffic over that router for instance ?

Try http://selab.edu.ms/twiki/bin/view/Networking/RoutesKeeperProject for one solution. The site appears to be down at the moment but hopefully it'll reappear after the weekend.

I'm running two feeds here and it handles incoming stuff from either port just fine and copes with the loss of one feed well enough that sometimes I haven't noticed for some time (usenet collection requires use of specific ports for specific servers and when one fails it tips me off that a feed is down).

Dave

From daniel_phlander at yahoo.com Sun Oct 9 13:30:57 2005
From: daniel_phlander at yahoo.com (Daniel Phlander) Date: Sun Oct 9 13:31:01 2005 Subject: [LARTC] Script control traffic In-Reply-To: <20051009100006.9AFEA44C7@outpost.ds9a.nl> Message-ID: <20051009113057.67632.qmail@web32413.mail.mud.yahoo.com>

Hi!

Can anyone show me a script for bandwidth management containing packet marking with iptables and tc filters? For example, I want to set limits for the 192.168.10.0/24 class: international min 64 kbps, max 128 kbps; metropolitan 192.168.10.0/24 and 192.168.11.0/24 classes with 100 mbps management between them.

Respectfully,
Daniel Phlander

--------------------------------- Yahoo! Music Unlimited - Access over 1 million songs. Try it free.

From raymond.v at komunikasys.com Mon Oct 10 05:13:08 2005
From: raymond.v at komunikasys.com (KOMUNIKA SYSTEM) Date: Mon Oct 10 05:13:28 2005 Subject: [LARTC] (no subject) Message-ID: <20051010031320.26D174053@outpost.ds9a.nl>

Dear all,

I've installed htb.init on my Fedora Core 3, and I also have 2 VSAT links with 4 meg each. How can I merge both of the links into 8 meg? Is it possible to do that?

Thx.

KOMUNIKA SYSTEM Internet Solution Provider www.komunikasys.com

From prasadvvv at lucent.com Mon Oct 10 07:29:57 2005
From: prasadvvv at lucent.com (Vendra, Hari Prasad V V P CH S H (Hari V)) Date: Mon Oct 10 07:30:08 2005 Subject: [LARTC] Question on Routing Tables Message-ID: <6733C768256DEC42A72BAFEFA9CF06D210033FAB@ii0015exch002u.iprc.lucent.com>

Hi,

I am using Fedora Core 3, kernel 2.6.9. The max limit on routing tables is 255 (5 of them are reserved: 0, 1, 253, 254, 255). I am using the iproute2 utility for managing routes. I want to increase the max limit of routing tables to 1000 (min.). Is there some solution for it? Or some patch available? Or can it not be achieved?

Thanks in advance for your response.

Regards,
Hari

From shemminger at osdl.org Mon Oct 10 16:40:02 2005
From: shemminger at osdl.org (Stephen Hemminger) Date: Mon Oct 10 16:37:56 2005 Subject: [LARTC] Re: [ANNOUNCE] iproute2 version (050929) In-Reply-To: References: <20050930150406.2e2221fd@dxpl.pdx.osdl.net> <20051005113458.46f0892d@dxpl.pdx.osdl.net> Message-ID: <20051010074002.5cd642da@localhost.localdomain>

On Mon, 10 Oct 2005 12:34:51 +0200 (CEST) Krzysztof Oledzki wrote:
> On Wed, 5 Oct 2005, Stephen Hemminger wrote:
> > On Sat, 1 Oct 2005 23:34:25 +0200 (CEST) Krzysztof Oledzki wrote:
> >> On Fri, 30 Sep 2005, Stephen Hemminger wrote:
> >>> There is an new minor update to iproute2 utilities available:
> >>> http://developer.osdl.org/dev/iproute2/download/iproute2-050929.tar.gz
> >>
> >> It hangs on "ip rule flush". Tested on 2.6.13.2.
> >>
> >> Best regards,
> >> Krzysztof Olędzki
> >
> > Fixed by this patch (in next release)
>
> Not sure... Just checked iproute2-ss051007 and it still hangs on "ip rule
> flush" with ~100% cpu load.

Are you running as root? If not it will loop forever.

From kenneth.kalmer at gmail.com Mon Oct 10 20:31:21 2005
From: kenneth.kalmer at gmail.com (Kenneth Kalmer) Date: Mon Oct 10 20:31:27 2005 Subject: [LARTC] Prioritize ACK packets Message-ID:

Guys

I'm a bit rusty and in a hurry, can anyone share with me how to prioritize TCP/ACK packets on an outgoing interface... I need these acknowledgements to get through on a congested DSL link...

Thanks in advance!

-- Kenneth Kalmer kenneth.kalmer@gmail.com Folding@home stats http://vspx27.stanford.edu/cgi-bin/main.py?qtype=userpage&username=kenneth%2Ekalmer

From shemminger at osdl.org Tue Oct 11 01:16:03 2005
From: shemminger at osdl.org (Stephen Hemminger) Date: Tue Oct 11 01:20:24 2005 Subject: [LARTC] Re: [ANNOUNCE] iproute2 version (050929) In-Reply-To: <1128976620.6353.3.camel@localhost.localdomain> References: <20050930150406.2e2221fd@dxpl.pdx.osdl.net> <20051005113458.46f0892d@dxpl.pdx.osdl.net> <20051010074002.5cd642da@localhost.localdomain> <1128973355.6327.135.camel@localhost.localdomain> <1128976620.6353.3.camel@localhost.localdomain> Message-ID: <20051010161603.3c96d524@dxpl.pdx.osdl.net>

On Mon, 10 Oct 2005 16:37:00 -0400 jamal wrote:
> On Mon, 2005-10-10 at 22:08 +0200, Krzysztof Oledzki wrote:
> > > Why are you trying to flush those tables?
> > To install a new set of rules.
>
> flush should kill everything if i am not mistaken.
> Are you replacing the main table etc as well?
>
> > > Try to downgrade the kernel and see what happens - go as far as 2.6.12
> > But why? It works with older (ss050330) version of iproute2 even on
> > 2.6.13.3.
>
> Ok, sorry i wasn't aware of that. Try the attached patch.
>
> cheers,
> jamal

Looks like the -batch code that keeps the RTNL handle open was breaking this. The patch shows the general idea, but it still has problems because I think it would still not work if used in a -batch situation.

-- Stephen Hemminger OSDL http://developer.osdl.org/~shemminger

From kevin-lartc at horizon.com Tue Oct 11 13:07:03 2005
From: kevin-lartc at horizon.com (kevin-lartc@horizon.com) Date: Tue Oct 11 13:07:14 2005 Subject: [LARTC] How to do network emulation on incoming traffic? Message-ID: <20051011110703.25409.qmail@science.horizon.com>

I'm trying to simulate a satellite link to a Linux server to test application performance. I haven't used any of the tc stuff before, but I blandly assured people it would be "easy" to set up a simulated long thin pipe on a spare network interface. However, now that I'm exploring, it's proving quite difficult.

Let me start with the general question first. My setup is:

+--------+           +---------+
| Linux  |-----------| Windows |
| Server |    LAN    | Client  |
+--------+           +---------+

And I want the LAN to look like a satellite link, with delay, jitter, packet loss, and (asymmetric) rate limiting in both directions.

(If you care, I'm trying to emulate a DirecWay satellite link for a feasibility test. The parameters are ~350+/-35 ms delay each way, 75 kbit/s uplink, 550 kbit/s downlink. The latter takes from a multi-megabyte "fair usage" bucket that refills at 50 kbit/s. I don't have good packet loss numbers, so I'm going to start with 1% and see how sensitive performance is.)

Can anyone tell me how to do that?

My problem is that trying to set up netem incoming is proving to be a pain:

# tc qdisc add dev spare handle ffff: ingress
# tc qdisc add dev spare parent ffff: handle 10: netem delay 300ms 50ms 25% loss 1%
RTNETLINK answers: Unknown error 4294967295

I'm not at all certain why this doesn't work. I'm told that the ingress queue is a bit of a kludge; is there an explanation of how it is implemented somewhere, that would help me understand its limitations?

The whole tc system is causing me some confusion. First of all, am I right that there's considerable overlap in functionality with netfilter? Both have packet selection (filtering) mechanisms, and both can throw away packets, but they differ in what other actions they can do:

Netfilter can redirect, reply to, and modify packets, but it cannot delay or reorder them. Its throttling features (limit and hashlimit match modules) are fairly simplistic. It does, however, have sophisticated stateful packet classification features. Netfilter also lets you mess with packets in multiple different places in the routing path. There's PREROUTING and POSTROUTING, and every packet also passes through one of INPUT, OUTPUT, and FORWARD.

tc is all about throttling and reordering packets. It cannot redirect, reply to, or modify packets, and its classification is stateless and fairly simplistic. You can use netfilter to perform filtering (classification) for tc, but not vice-versa.

I *think* netfilter's flexibility comes at a bit of a speed penalty, and doing pure-tc classification will be faster than the equivalent logic using netfilter. (But for a typical broadband connection up to 10 Mbit/sec, this is not a big issue.)

One tc question: If most queueing is done outgoing, is there some sort of "local delivery" outgoing queue that I can use to throttle traffic to local services?

Now, I think that I understand netfilter. Each packet passes through a succession of rules, each of which has some match conditions and an action. This continues until a final disposition action is performed.

tc is a little more confusing. With classless qdiscs, it seems that there is a chain of queues, and packets pass through them in sequence.

QUESTION: It seems that these queues are "active" at both ends. A source pushes packets into them, and a device pulls them out at its transmission rate. When a device polls for packets from a priority queue, the queue will give the "best" packet available at the time. It's not clear how this works when two queues are connected together. If a rate-limited FIFO is receiving packets from a priority queue, does it "pull" until it's full, even though waiting might result in better packet ordering? I need to use netem plus a rate-control queue like tbf.

QUESTION: The whole major:minor number thing is a bit confusing. I know that minor number 0 is reserved for qdiscs, but is the convention that class x:y is associated with qdisc x:0 something that is enforced somewhere, or are they just random 32-bit numbers, 65536 of which are reserved for qdiscs?

But when you have classful qdiscs, things start getting confusing. It appears that you need three things:
- A "tc qdisc add" statement to create the "major" qdisc in the chain.
- Some "tc class add" statements to create queue classes
- Some "tc filter add" statements to assign packets to the various classes.

The picture at http://pupa.da.ru/tc/ seems to help, but it doesn't explain the multiple-major case at all. (But that web page *does* tell me about the IMQ device, which may be the solution to my problems... I'll go away and play with that now.)

Anyway, thanks for any guidance on the subject. I think there's some big conceptual issue I'm just not getting, leading to a disconnect.

From steve at 4dllc.com Tue Oct 11 14:40:10 2005
From: steve at 4dllc.com (Steve Comfort) Date: Tue Oct 11 14:40:42 2005 Subject: [LARTC] VPN through PPP Message-ID: <434BB2AA.1040206@4dllc.com>

Hi all,

This is probably not the right place for this question, but maybe someone can help me out. I am trying to setup a VPN between two private addresses, using iproute2 (which is my only excuse for mailing this list). The setup is as below:

     eth0             ppp0    Wireless    ppp0              eth0
192.168.200.202  192.168.94.134 <-----> 192.168.94.132  192.168.2.200

Both eth0 (strictly ixp1) and ppp0's are on wireless boards that we make. I have basically followed the VPN Howto and done the following:

ip tunnel add net0 mode gre remote 192.168.2.200 local 192.168.200.202 ttl 255 dev ppp0
ip link set net0 up
ip addr add 192.168.200.202 dev net0
ip route add 192.168.2.0/24 dev net0

I have tried various combinations of the above, using the ppp IP address for remote and the eth0 for local, etc, etc. (4 possible combinations). I do the reverse on the other end of the tunnel, but do not see any traffic over this lot. I am able to ping and ssh between the two wireless boxes. I do have a firewall, configured to do NAT on the PPP interface. I have also tried excluding the destination addresses from being NAT'd but this didn't make any difference.

Any suggestions would be greatly appreciated.

Best regards
Steve Comfort

From kevin-lartc at horizon.com Tue Oct 11 16:14:29 2005
From: kevin-lartc at horizon.com (kevin-lartc@horizon.com) Date: Tue Oct 11 16:14:38 2005 Subject: [LARTC] How to do network emulation on incoming traffic? In-Reply-To: <434BAE87.1060306@sohonet.co.uk> Message-ID: <20051011141429.15369.qmail@science.horizon.com>

> Somebody will probably correct me quickly here but I don't think there is
> a way of creating jitter and latency and packet loss easily in linux.

Er... excuse me? The network emulator module ("netem") does it very nicely. The problem is, it's a traffic control queue discipline, and thus only works on egress traffic.

Actually, after having found some more docs, the whole business of nested qdiscs is starting to make more sense. A classful qdisc just chooses among a number of sub-queues when a "dequeue" request from the device for more data to send arrives. The result is a tree of qdiscs, with classless qdiscs at the leaves.

But this means that it makes no sense to have a child of a classless qdisc. And yet the netem examples are full of such things, e.g.: http://linux-net.osdl.org/index.php/Netem#Rate_control

When does netem ever pull from the "child" queue?

From ricardo_soria at yahoo.com Tue Oct 11 17:11:32 2005
From: ricardo_soria at yahoo.com (Ricardo Soria) Date: Tue Oct 11 17:11:37 2005 Subject: [LARTC] Re: Prioritize ACK packets In-Reply-To: <20051011100008.C0927458E@outpost.ds9a.nl> Message-ID: <20051011151132.182.qmail@web31111.mail.mud.yahoo.com>

Hi:

Look here: http://www.tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/

Hope this helps.

Regards.
Ricardo Soria.

__________________________________________________ Yahoo! Mail: room for all your messages, antivirus and antispam, free! Sign up now - http://correo.espanol.yahoo.com/

From rob0 at gmx.co.uk Tue Oct 11 21:36:47 2005
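For Kenneth's question (prioritising TCP ACKs on a congested DSL uplink), the usual answer is the u32 filter from the LARTC HOWTO that steers bare ACKs into the highest-priority class. The following is an added example, not code from Kenneth's or Ricardo's post nor from the ADSL HOWTO: it builds a few IPv4/TCP packets (constructed, not captured) and applies the filter's four byte-level matches in Python, so the offsets and masks can be checked before the rule goes on a live interface. The interface name and class handles in the generated tc line are placeholders.

```python
"""What the classic LARTC "small ACK" u32 filter actually matches.

Added example; not code from the posts or the ADSL HOWTO. The filter
mirrored below is the well-known tc u32 rule for steering bare TCP ACKs
into a high-priority class; this script builds a few IPv4/TCP packets
(constructed, not captured) and applies the same four byte-level matches
so the offsets and masks can be checked.
"""
import socket
import struct

IP_PROTO_TCP = 6
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def build_packet(payload_len, flags, src="192.0.2.10", dst="198.51.100.20",
                 sport=51000, dport=80):
    """Minimal IPv4 header (IHL=5, no options) + TCP header (no options) + payload."""
    total = 20 + 20 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64,
                     IP_PROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp + b"\x00" * payload_len

def u8(pkt, off):
    return pkt[off]

def u16(pkt, off):
    return struct.unpack_from("!H", pkt, off)[0]

def is_small_ack(pkt):
    """Mirror of the u32 selector list:
         match ip protocol 6 0xff        -> IP protocol byte is TCP
         match u8 0x05 0x0f at 0         -> IHL == 5, so TCP starts at byte 20
         match u16 0x0000 0xffc0 at 2    -> IP total length < 64 bytes
         match u8 0x10 0xff at 33        -> TCP flags byte is exactly ACK
    """
    return (u8(pkt, 9) == IP_PROTO_TCP
            and u8(pkt, 0) & 0x0F == 0x05
            and u16(pkt, 2) & 0xFFC0 == 0x0000
            and u8(pkt, 33) & 0xFF == ACK)

def tc_filter(dev, parent, flowid, prio=1):
    """The equivalent tc command; dev and handles are placeholders."""
    return ("tc filter add dev %s parent %s protocol ip prio %d u32 "
            "match ip protocol 6 0xff match u8 0x05 0x0f at 0 "
            "match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 "
            "flowid %s" % (dev, parent, prio, flowid))

if __name__ == "__main__":
    for label, pkt in (("bare ACK", build_packet(0, ACK)),
                       ("ACK + 30 bytes", build_packet(30, ACK)),
                       ("data segment", build_packet(1460, ACK | PSH)),
                       ("SYN/ACK", build_packet(0, SYN | ACK))):
        print("%-16s %5d bytes  small ack: %s" % (label, len(pkt), is_small_ack(pkt)))
    print(tc_filter("ppp0", "1:", "1:10"))
```

Two edge cases the matches bring out: the length mask only excludes packets of 64 bytes or more, so an ACK carrying a small payload (60 bytes total) still qualifies while one with 30 bytes of data (70 total) does not, and the flags byte must be exactly 0x10, so SYN/ACK, FIN/ACK and PSH/ACK segments are left to the normal classes. A packet with IP options (IHL > 5) is rejected outright, because offset 33 would no longer be the flags byte. The filter belongs on the egress interface toward the DSL modem; with NAT in play it sees post-NAT addresses, which does not matter here since no address is matched.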
From: rob0 at gmx.co.uk (/dev/rob0) Date: Tue Oct 11 21:36:52 2005 Subject: [LARTC] VPN through PPP In-Reply-To: <434BB2AA.1040206@4dllc.com> References: <434BB2AA.1040206@4dllc.com> Message-ID: <200510111436.48102.rob0@gmx.co.uk> On Tuesday 2005-October-11 07:40, Steve Comfort wrote: > The setup is as below : Your ASCII diagram was not clear. > I have basically followed the VPN Howto and done the following : Are you talking about the old one from TLDP? > Any suggestions would be greatly appreciated. Perhaps not much help, but I use http://openvpn.org/ -- mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header From alvarolmmotta at gmail.com Tue Oct 11 22:05:34 2005 
From: alvarolmmotta at gmail.com (Alvaro Motta) Date: Tue Oct 11 22:05:39 2005 Subject: [LARTC] Inaccurate results without natting the traffic. Message-ID: <3941d81c0510111305y4668a257k226618ec6b6e9f99@mail.gmail.com>

Hi folks.

For quite a while, I tried to use linux (cbq and htb) to control bandwidth in order to replace a cisco equipment used to play this role on our network. After trying here and there, with a bunch of different distros, different versions, different compilations, ... the closest I could get was as follows (using htb.init and cbq.init):

Desired BW ==> Achieved BW
128k ==> 404.78 KB/s
64k ==> 337.9 KB/s
16k ==> 68.86 KB/s
8k ==> 31.12 KB/s
1k ==> 3.77 KB/s

No matter what I'd do, the results were always the same, i.e. control out of control. I tried to get some help from a few mailing lists, including this one.

Anyway, one thing I noticed was that all the documentation regarding the matter, and most of the messages on the mailing lists, would mention firewalling the box along with the traffic control. I asked if the firewall was a mandatory piece of this puzzle, and got no as the answer.

Without giving up, I stayed playing (actually it has been a fight...) in the lab installing and configuring a linux box to replace our cisco bbsm. Very frustrating task, since I was like running after my tail... Iptables were configured in a bunch of ways... no result. Until the day, for no particular reason, I decided to masquerade the traffic. Oh man, I got so desperate and mad when I saw the box controlling the traffic as it should... The reason for such a reaction has a simple answer: I cannot masquerade the traffic... :o((((( 

I managed to find a company that sells a solution (built on top of conectiva) that does control the traffic without using masquerade. I even played with the solution and saw that it does not nat the traffic... but the guys did not disclose to me what the trick was, and since we buried a lot of money in cisco's solution, no one here is willing to spend money to replace it. This decision is out of my hands.

Now I come to you guys again, with the question: How to make cbq or htb work without masquerading the traffic?

Any help is very appreciated.

Cheers,
AL

From bugfood-ml at fatooh.org Tue Oct 11 22:17:26 2005
From: bugfood-ml at fatooh.org (Corey Hickey) Date: Tue Oct 11 22:17:31 2005 Subject: [LARTC] Inaccurate results without natting the traffic. In-Reply-To: <3941d81c0510111305y4668a257k226618ec6b6e9f99@mail.gmail.com> References: <3941d81c0510111305y4668a257k226618ec6b6e9f99@mail.gmail.com> Message-ID: <434C1DD6.6070303@fatooh.org>

Alvaro Motta wrote:
> Now I come to you guys again, with the question: How to make cbq or
> htb work without masquerading the traffic?

That really isn't supposed to have anything to do with it.... Can you post your configuration files/scripts and a quick ASCII map showing where your Linux machine is placed?

-Corey

From jlynch at frink.nuigalway.ie Tue Oct 11 23:04:07 2005
From: jlynch at frink.nuigalway.ie (Jonathan Lynch) Date: Tue Oct 11 23:04:19 2005 Subject: [LARTC] The effects of queueing on delay Message-ID: <1129064647.13493.41.camel@pgala.it.nuigalway.ie>

I have a router with 3 network interfaces like in the following ASCII diagram below. All interfaces are 100mbit. There is tcp traffic being sent from net1 to net3 and from net2 to net3 and the tcp connections consume as much bandwidth as possible. There is a pfifo queue on the egress interface eth0 of the core router with a limit of 10 packets.

net1 --> (eth1) router (eth0) -> net3
                (eth2)
                  ^
                  |
                net 2

I police traffic on the edge of net1 to 48.4375 Mbit and shape the traffic on exit of net 2 to 48.4375 Mbit. There are no packets in the queue of the egress interface eth0 of the router at any stage. (Every packet is enqueued by pfifo_enqueue() to an empty queue. I have confirmed this by adding a counter in sch_fifo.c that is incremented every time there is a packet in the queue when a new packet is enqueued.) The delay is at a maximum of 2ms.

When I increase the policing rate and shaping rates to 48.4687, the combined increase is 31.2 kbit, which is very small. There are some packets queued for a short period and some dropped, which clears the queue. The maximum number of packets dropped was 20 per second. But the delay goes up to 30ms.

Check out the graphs at http://frink.nuigalway.ie/~jlynch/queue/

I can't seem to explain this. Even if the queue was full all the time and each packet was of maximum size, the delay imposed by queueing should be a maximum of 10 * 1500 * 8 / 100,000,000 which equals 1ms.

How can so much delay be added by such a small increase in the throughput coming from net1 and net2?

I would appreciate it if someone could explain it to me.

Btw I'm using a stratum 1 NTP server on the same LAN to ensure measurement accuracy.

Jonathan

From rh at teleinfor.com.br Tue Oct 11 23:10:36 2005
From: rh at teleinfor.com.br (RH Equipe Teleinfor) Date: Tue Oct 11 23:11:09 2005 Subject: [LARTC] Linha fale a vontede todos os dias (11)6839-0277 References: <1129064647.13493.41.camel@pgala.it.nuigalway.ie> Message-ID: <01d701c5cea8$3ab64ae0$0100a8c0@polaris>

Talk-as-much-as-you-want line, every day, the one where you only pay the subscription fee www.telefonevesper.com.br

----- Original Message ----- From: "Jonathan Lynch" To: Sent: Tuesday, October 11, 2005 6:04 PM Subject: [LARTC] The effects of queueing on delay

From tdi at pozman.pl Wed Oct 12 00:39:50 2005
From: tdi at pozman.pl (Dariusz Dwornikowski) Date: Wed Oct 12 00:40:29 2005 Subject: [LARTC] VPN through PPP In-Reply-To: <434BB2AA.1040206@4dllc.com> References: <434BB2AA.1040206@4dllc.com> Message-ID: <20051012003950.1952b809@tdi.pozman.pl>

you could use openvpn

-- *Dariusz 'tdi' Dwornikowski | Gentoo | admin at pozman.pl | *[JID]:tdi@gentoo.pl|[gg]:2266034|[IRC]:#gentoo-pl@freenode | *[MAIL]:tdi@pozman.pl|[WWW]:www.tdi.pozman.pl | *Serwery,administracja,webapps - www.ProAdmin.com.pl | *Fingerprint:43E21CC46DAFD2F754E91547D59B39F56AAA4B5F |

From daniel-wittenberg at starken.com Wed Oct 12 01:26:56 2005
From: daniel-wittenberg at starken.com (Daniel Wittenberg) Date: Wed Oct 12 01:27:02 2005 Subject: [LARTC] dual-isp incoming traffic problems Message-ID: <1129073216.2622.40.camel@tholian.starken.com>

I have two ISP connections, and am having some issues. I can connect to any services on the firewall, like the smtp gateway, but anything on the internal server only works from one connection. The lartc guide has a good example for what to do for services on the box, but leaves it open for how to handle services on an internal host. I've tried using iptables to mark the packets incoming, but that doesn't seem to work.

ip route add default via 1.1.1.254 table T1 dev eth0
ip rule add from 1.1.1.2 table T1    ** Real IP
ip rule add from 1.1.1.3 table T1    ** eth0:0 IP
ip rule add from 1.1.1.4 table T1    ** eth0:1 IP
ip rule add fwmark 1 table T1

and similar for ISP connection #2, with:

ip route flush cache

as the last part. Any ideas on how to get connections through to the internal server from both ISP's?

ISP #1 --
         \
          -- Linux Firewall -- internal server
         /
ISP #2 --

Thanks,
Dan

From david_list at boreham.org Wed Oct 12 01:58:50 2005
From: david_list at boreham.org (David Boreham) Date: Wed Oct 12 01:59:58 2005 Subject: [LARTC] dual-isp incoming traffic problems In-Reply-To: <1129073216.2622.40.camel@tholian.starken.com> References: <1129073216.2622.40.camel@tholian.starken.com> Message-ID: <434C51BA.5020302@boreham.org> Daniel Wittenberg wrote: >I have two ISP connections, and am having some issues. I can connect to >any services on the firewall, like the smtp gateway, but anything on the >internal server only works from one connection. > I think we do what you're trying to achieve, but before I spend the time to dive into the details, let's confirm what you're looking to do: You have two upstream connections and separate public IP subnet allocations from each ISP, yes ? You're not running BGP, right ? You have a single Linux router that has three physical interfaces : one connects to ISP A, the next to ISP B and the third to the internal network, correct ? Let me know if I got all this right. If so then we run much the same setup here and I can tell you how we configured it (I do remember it took several days of reading kernel source code and tcpdump'ing to get it all working). From daniel-wittenberg at starken.com Wed Oct 12 02:40:41 2005 
From: daniel-wittenberg at starken.com (Daniel Wittenberg)
Date: Wed Oct 12 02:40:49 2005
Subject: [LARTC] dual-isp incoming traffic problems
In-Reply-To: <434C51BA.5020302@boreham.org>
References: <1129073216.2622.40.camel@tholian.starken.com> <434C51BA.5020302@boreham.org>
Message-ID: <1129077641.2622.54.camel@tholian.starken.com>

Sounds like you are right on track to what I've got. Dual-ISP, no BGP (DSL connections), and 3 interfaces, with at least a /28 on each ISP connection. That would be great if you have any insight!

Dan

On Tue, 2005-10-11 at 17:58 -0600, David Boreham wrote:
> Daniel Wittenberg wrote:
>
> >I have two ISP connections, and am having some issues. I can connect to
> >any services on the firewall, like the smtp gateway, but anything on the
> >internal server only works from one connection.
> >
> I think we do what you're trying to achieve, but before I spend
> the time to dive into the details, let's confirm what you're looking to do:
> You have two upstream connections and separate public IP
> subnet allocations from each ISP, yes? You're not running BGP, right?
> You have a single Linux router that has three physical interfaces:
> one connects to ISP A, the next to ISP B and the third to the internal
> network, correct?
>
> Let me know if I got all this right. If so then we run much the
> same setup here and I can tell you how we configured it
> (I do remember it took several days of reading kernel
> source code and tcpdump'ing to get it all working).
>
>

From nelsoneci at gmail.com Wed Oct 12 02:49:56 2005
From: nelsoneci at gmail.com (Nelson Castillo)
Date: Wed Oct 12 02:50:02 2005
Subject: [LARTC] dual-isp incoming traffic problems
In-Reply-To: <1129073216.2622.40.camel@tholian.starken.com>
References: <1129073216.2622.40.camel@tholian.starken.com>
Message-ID: <2accc2ff0510111749u50477610mde518c3c4714f5ed@mail.gmail.com>

> Any ideas on how to get connections through to the
> internal server from both ISP's?
> ISP #1 --
>          \
>           -- Linux Firewall -- internal server
>          /
> ISP #2 --

Looks like you have the same problems I had. Check if this works for you:

http://mailman.ds9a.nl/pipermail/lartc/2005q3/016832.html

Regards.

--
Homepage : http://geocities.com/arhuaco
The first principle is that you must not fool yourself and you are the easiest person to fool. -- Richard Feynman.

From luca.maragnani at objectlab.it Wed Oct 12 10:46:08 2005
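For the dual-ISP thread above, here is an added example (not any poster's configuration) of the usual way to make connections that arrive at a DNATed internal server leave again through the ISP they came in on: tag the connection on entry with CONNMARK, restore the tag on the server's replies, and route by fwmark the way Dan's rules already do. Interface names, addresses, the forwarded port and the table names are assumptions; tables T1 and T2 are assumed to be listed in /etc/iproute2/rt_tables.

```shell
#!/bin/sh
# Added example for the dual-ISP thread (not the posters' own config).
# Connections that arrive for the internal server through either ISP are
# answered through the same ISP: mark the connection on entry (CONNMARK),
# restore the mark on the server's replies, and route by fwmark.
# All names and addresses below are assumptions. DRY_RUN=1 prints the
# commands instead of executing them; tables T1 and T2 are assumed to be
# listed in /etc/iproute2/rt_tables.

ISP1_IF=eth0; ISP1_GW=1.1.1.254; ISP1_IP=1.1.1.2
ISP2_IF=eth1; ISP2_GW=2.2.2.254; ISP2_IP=2.2.2.2
LAN_IF=eth2;  SERVER=192.168.10.10; PORT=80

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One routing table per ISP. Locally generated replies pick a table by
# source address; forwarded replies from the LAN pick it by fwmark.
setup_tables() {
    run ip route add default via "$ISP1_GW" dev "$ISP1_IF" table T1
    run ip route add default via "$ISP2_GW" dev "$ISP2_IF" table T2
    run ip rule add from "$ISP1_IP" table T1
    run ip rule add from "$ISP2_IP" table T2
    run ip rule add fwmark 1 table T1
    run ip rule add fwmark 2 table T2
    run ip route flush cache
}

# Tag each new inbound connection with the ISP it arrived on, then put
# that tag back on every packet the LAN sends so the fwmark rules apply
# before the routing decision. The DNAT rules publish the service on
# both public addresses.
setup_marks() {
    run iptables -t mangle -A PREROUTING -i "$ISP1_IF" -m conntrack --ctstate NEW -j CONNMARK --set-mark 1
    run iptables -t mangle -A PREROUTING -i "$ISP2_IF" -m conntrack --ctstate NEW -j CONNMARK --set-mark 2
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
    run iptables -t nat -A PREROUTING -i "$ISP1_IF" -d "$ISP1_IP" -p tcp --dport "$PORT" -j DNAT --to-destination "$SERVER"
    run iptables -t nat -A PREROUTING -i "$ISP2_IF" -d "$ISP2_IP" -p tcp --dport "$PORT" -j DNAT --to-destination "$SERVER"
}

# Sanity checks on the generated configuration (used by the tests).
rule_count()     { ( DRY_RUN=1; setup_tables ) | grep -c '^ip rule'; }
connmark_count() { ( DRY_RUN=1; setup_marks ) | grep -c 'CONNMARK'; }

case "${1:-}" in
    apply)   setup_tables; setup_marks ;;
    preview) DRY_RUN=1; setup_tables; setup_marks ;;
esac
```

Run it as `sh dualisp.sh preview` to see the commands and `sh dualisp.sh apply` (as root) to install them. The point of restoring the mark in mangle PREROUTING on the LAN interface is that it happens before the routing decision, so the `fwmark` rules pick the table for the reply even though the reply's source address is the private server address and matches neither `from` rule.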
From: luca.maragnani at objectlab.it (Luca Maragnani)
Date: Wed Oct 12 10:46:30 2005
Subject: [LARTC] Ip route cache problem
Message-ID: <434CCD50.3080104@objectlab.it>

Hello,
I need some help about a routing problem on a complex configuration.
The problem is that I can't reach services outside from my DMZ.
The scenario is a gateway linked to three internet connections, so that I used three distinct iproute2 tables for routing. The gw is running ipvs for balancing over the dmz's servers.
DMZ servers are on the 192.168.1.0/24 network.
Every table has the route to reach it:

192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1

I'm using iptables to NAT a server on my DMZ to reach DNS services outside:

iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -d 151.99.0.100 --dport 53 -j SNAT --to-source 81.77.88.99

Looking inside the cache I find only the route to reach the dns server, but not the one that the dns needs to reach my server:

151.99.0.100 from 192.168.1.2 via 81.77.88.100 dev eth2 src 192.168.1.249
    cache mtu 1500 advmss 1460 metric10 64 iif eth0

I experienced in the past that reentering the iptables nat command worked, but it seems a random effect and not always works.

Thanks in advance,
Luca Maragnani

From ionut at topall.ro Wed Oct 12 12:20:16 2005
From: ionut at topall.ro (Ionut Popovici)
Date: Wed Oct 12 12:20:23 2005
Subject: [LARTC] Ip route cache problem
Message-ID: <434CE360.7070608@topall.ro>

>Hello,
>I need some help about a routing problem on a complex configuration.
>The problem is that I can't reach services outside from my DMZ.
>The scenario is a gateway linked to three internet connections, so that
>I used three distinct iproute2 tables for routing. The gw is running
>ipvs for balancing over the dmz's servers.
>DMZ servers are on the 192.168.1.0/24 network.
>Every table has the route to reach it:
>192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
>I'm using iptables to NAT a server on my DMZ to reach DNS services outside:
>iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -d 151.99.0.100
>--dport 53 -j SNAT --to-source 81.77.88.99

Have you tried to use DNAT from iptables? Because DNAT is in PREROUTING, and if you have a DNS service you need to make the outside service connection connect to your DNS server!

>Looking inside the cache I find only the route to reach the dns server,
>but not the one that the dns needs to reach my server:
>151.99.0.100 from 192.168.1.2 via 81.77.88.100 dev eth2 src 192.168.1.249
>    cache mtu 1500 advmss 1460 metric10 64 iif eth0
>
>I experienced in the past that reentering the iptables nat command
>worked, but it seems a random effect and not always works.
>
>Thanks in advance,
>Luca Maragnani

From luca.maragnani at objectlab.it Wed Oct 12 14:52:29 2005
From: luca.maragnani at objectlab.it (Luca Maragnani)
Date: Wed Oct 12 14:52:53 2005
Subject: [LARTC] Ip route cache problem
In-Reply-To: <434CE360.7070608@topall.ro>
References: <434CE360.7070608@topall.ro>
Message-ID: <434D070D.6000006@objectlab.it>

Sorry, surely I didn't explain the problem well.
I don't have DNS services. I need to access the dns server at 151.99.0.100 from my servers which have private ip addresses.
I think the only thing I need is to SNAT the connection.

Thanks all the same
Luca

Ionut Popovici wrote:

>> Hello,
>> I need some help about a routing problem on a complex configuration.
>
>> The problem is that I can't reach services outside from my DMZ.
>
>> The scenario is a gateway linked to three internet connections, so
>> that I used three distinct iproute2 tables for routing. The gw is
>> running ipvs for balancing over the dmz's servers.
>
>> DMZ servers are on the 192.168.1.0/24 network.
>
>> Every table has the route to reach it:
>> 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
>
>> I'm using iptables to NAT a server on my DMZ to reach DNS services
>> outside:
>> iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -d
>> 151.99.0.100 --dport 53 -j SNAT --to-source 81.77.88.99
>
> Have you tried to use DNAT from iptables? Because DNAT is in PREROUTING,
> and if you have a DNS service you need to make the outside service
> connection connect to your DNS server!
>
>> Looking inside the cache I find only the route to reach the dns
>> server, but not the one that the dns needs to reach my server:
>> 151.99.0.100 from 192.168.1.2 via 81.77.88.100 dev eth2 src
>> 192.168.1.249
>>     cache mtu 1500 advmss 1460 metric10 64 iif eth0
>>
>> I experienced in the past that reentering the iptables nat command
>> worked, but it seems a random effect and not always works.
>>
>> Thanks in advance,
>> Luca Maragnani
>
>

From sebas at belzebuth.ca Wed Oct 12 19:36:08 2005
From: sebas at belzebuth.ca (Sebastien Guay)
Date: Wed Oct 12 19:36:15 2005
Subject: [LARTC] Redundant firewall
Message-ID: <20051012133608.sz12d0g80004ooow@webmail.belzebuth.ca>

Hi,

I hope this is not OT. I searched through the archives but didn't find anything really answering my question.

I want to create a cluster of two firewalls with Linux-HA so that if the primary fails, the secondary firewall will take over. Note that I don't care about syncing states between firewalls, they will just have to reconnect :)

It's a typical configuration:

                   _______FW1_______
                  /        |        \
INTERNET--ROUTER--<        |HB       >--SERVER
                  \_______ | _______/
                          FW2

HB is the heartbeat between the two firewalls.

The default gateway of SERVER will be the IP address of the cluster of firewalls. So SERVER->INTERNET will always go through the right FW. But I'm concerned about INTERNET->SERVER (public IP).

My question is: will enabling proxy_arp on the active firewall and disabling it on the inactive be enough to route the traffic through the correct (active) firewall?

Thanks

Sébastien
--

From david at davidcoulson.net Wed Oct 12 19:37:55 2005
From: david at davidcoulson.net (David Coulson)
Date: Wed Oct 12 19:38:06 2005
Subject: [LARTC] Redundant firewall
In-Reply-To: <20051012133608.sz12d0g80004ooow@webmail.belzebuth.ca>
References: <20051012133608.sz12d0g80004ooow@webmail.belzebuth.ca>
Message-ID: <434D49F3.7000308@davidcoulson.net>

Sebastien Guay wrote:
> My question is: will enabling proxy_arp on the active firewall and
> disabling it on the inactive be enough to route the traffic through the
> correct(active) firewall?

You use heartbeat and fake for that - It will update the ARP tables with the new firewall MAC when failover occurs.

David

From sebas at belzebuth.ca Wed Oct 12 19:59:31 2005
From: sebas at belzebuth.ca (Sebastien Guay)
Date: Wed Oct 12 19:59:36 2005
Subject: [LARTC] Redundant firewall
In-Reply-To: <434D49F3.7000308@davidcoulson.net>
References: <20051012133608.sz12d0g80004ooow@webmail.belzebuth.ca> <434D49F3.7000308@davidcoulson.net>
Message-ID: <20051012135931.sgf4yg7rkc0ckkso@webmail.belzebuth.ca>

On Wed 12 Oct 2005 13:37:55 EDT, David Coulson wrote:

> Sebastien Guay wrote:
> > My question is: will enabling proxy_arp on the active firewall and
> > disabling it on the inactive be enough to route the traffic through the
> > correct(active) firewall?
>
> You use heartbeat and fake for that - It will update the ARP tables with
> the new firewall MAC when failover occurs.

Maybe I understand it the wrong way (in that case it will be more a Linux-HA question) but I will have two fully functional firewalls. From the ROUTER pov, a packet destined to SERVER can pass through FW1 as well as FW2. But it should only go through FW1 OR FW2 (whichever is active).

Am I wrong in assuming this?

Sébastien
--

From david at davidcoulson.net Wed Oct 12 20:26:01 2005
From: david at davidcoulson.net (David Coulson)
Date: Wed Oct 12 20:26:06 2005
Subject: [LARTC] Redundant firewall
In-Reply-To: <20051012135931.sgf4yg7rkc0ckkso@webmail.belzebuth.ca>
References: <20051012133608.sz12d0g80004ooow@webmail.belzebuth.ca> <434D49F3.7000308@davidcoulson.net> <20051012135931.sgf4yg7rkc0ckkso@webmail.belzebuth.ca>
Message-ID: <434D5539.5020404@davidcoulson.net>

Sebastien Guay wrote:
> Maybe I understand it the wrong way (in that case it will be more a
> Linux-HA question) but I will have two fully functional firewalls. From
> the ROUTER pov, a packet destined to SERVER can pass through FW1 as well
> as FW2. But it should only go through FW1 OR FW2 (whichever is active).

Well, you have a VIP which is on either firewall (actually two VIPs, one for the inside interface, one for the outside). Packets to your inside network are routed to that VIP, rather than to a specific firewall. The router has no comprehension of fw1 or fw2 - Only that there is an IP it sends packets for your subnet to.

David

From sebas at belzebuth.ca Wed Oct 12 21:08:32 2005
From: sebas at belzebuth.ca (Sebastien Guay)
Date: Wed Oct 12 21:08:43 2005
Subject: [LARTC] Redundant firewall
Message-ID: <20051012150832.ny01yipw08gcwsc0@webmail.belzebuth.ca>

Sorry David for the offlist reply.

On Wed 12 Oct 2005 14:26:01 EDT, David Coulson wrote:

> Sebastien Guay wrote:
> > Maybe I understand it the wrong way (in that case it will be more a
> > Linux-HA question) but I will have two fully functional firewalls. From
> > the ROUTER pov, a packet destined to SERVER can pass through FW1 as well
> > as FW2. But it should only go through FW1 OR FW2 (whichever is active).
>
> Well, you have a VIP which is on either firewall (actually two VIPs, one
> for the inside interface, one for the outside).

I think it would have been better if I had given more details in the first place. Sorry about that :(

Say x.x.x.141 is the public IP address of FW1 (same IP for eth0 and eth1) and x.x.x.140 of FW2 (eth0 and eth1). Heartbeat will be configured to create the VIP x.x.x.129 on both interfaces (you raised this point but it's more for the Linux-HA mailing list).

So 141, 140, 129 and the server's IP are all on the same subnet. Packets from the router may go through 141, 140 or 129. But they should only go through 129.

> Packets to your inside
> network are routed to that VIP, rather than to a specific firewall.

Yes but they can also be routed to the real IP of FW1 and FW2. And that's what I try to avoid.

> The router has no comprehension of fw1 or fw2 - Only that there is an IP
> it sends packets for your subnet to.

My bad. I should have said "IP of FW1 or IP of FW2".

Thanks for the help so far David. I really appreciate it.

Sébastien
--

From mcdaemond at gmail.com Wed Oct 12 07:13:41 2005
From: mcdaemond at gmail.com (McDaeMonD)
Date: Wed Oct 12 22:38:19 2005
Subject: [LARTC] dual-isp incoming traffic problems
In-Reply-To: <2accc2ff0510111749u50477610mde518c3c4714f5ed@mail.gmail.com>
References: <1129073216.2622.40.camel@tholian.starken.com> <2accc2ff0510111749u50477610mde518c3c4714f5ed@mail.gmail.com>
Message-ID:

I have the same prob with this and I add some problem :-)

I have 2 ISPs, and got DHCP from them, and every 6 hours isp b refreshes the IP, default gw, NS and every 8 hours isp b refreshes the IP, default gw, NS. So I put 2 routers and 1 gw:

    modem            modem
      |                |
      | dhcp           | dhcp
    Router           Router
      | 10.1.1.1       | 10.2.2.2
      |                |
       \              /
        \            /
              gw
               |
               | 192.168.0.254
               |
          internal net

I have a route like at http://lartc.org/howto/lartc.rpdb.multiple-links.html

Is this too much? Having 2 routers and more eth?

From marek at piasta.pl Thu Oct 13 00:17:01 2005
From: marek at piasta.pl (Marek Kierdelewicz)
Date: Thu Oct 13 00:17:05 2005
Subject: [LARTC] u32 hashing filter - deletion problem!
Message-ID: <20051013001701.5a00d79c@cat>

Hi there,

I'm having a bit of a headache because of the u32 filter with hashing...

My router administration system updates filter configuration differentially. Therefore I need to delete filters sometimes. I know that by deleting root class I'd make all filters go away, but I can't use that option in this particular case.

When I delete even a single u32 hashed filter I end up with non-functional u32 hashed filters. No band is classified by hashed u32 filters any more. The only thing that saves the day is a root class delete and full filter reload.

Test platform 1
---------------
tested kernels: 2.6.13.4 and 2.6.11-rc4 (both with SMP)
Hardware: 2 x Intel(R) Xeon(TM) CPU 2.40GHz with HT enabled

Test platform 2
---------------
tested kernels: 2.6.13.2
Hardware: AMD Athlon 900MHz

I don't know if it's important, but I'm using CPU cycle counter as a packet scheduler clock source on both systems.

Any comments? Should I go to the kernel dev group with this?

Cheers,
Marek Kierdelewicz
KoBa ISP

From shemminger at osdl.org Thu Oct 13 00:32:46 2005
From: shemminger at osdl.org (Stephen Hemminger)
Date: Thu Oct 13 00:33:33 2005
Subject: [LARTC] Re: [ANNOUNCE] iproute2 version (050929)
In-Reply-To: <1128990692.6353.14.camel@localhost.localdomain>
References: <20050930150406.2e2221fd@dxpl.pdx.osdl.net> <20051005113458.46f0892d@dxpl.pdx.osdl.net> <20051010074002.5cd642da@localhost.localdomain> <1128973355.6327.135.camel@localhost.localdomain> <1128976620.6353.3.camel@localhost.localdomain> <20051010161603.3c96d524@dxpl.pdx.osdl.net> <1128990692.6353.14.camel@localhost.localdomain>
Message-ID: <20051012153246.6e4e7bdd@dxpl.pdx.osdl.net>

On Mon, 10 Oct 2005 20:31:31 -0400
jamal wrote:

> On Mon, 2005-10-10 at 16:16 -0700, Stephen Hemminger wrote:
>
> > Look like the -batch code that keeps the RTNL handle open was
> > breaking this. The patch shows the general idea, but it still has
> > problems because I think it would still not work if used in
> > -batch situation.
>
> I see what you mean.
> You definitely need at least one extra socket for deleting
> in the flush_rule(). Something like the attached, untested,
> uncompiled.
>
> Krzysztof, if you have time please try the attached patch?
>
> cheers,
> jamal

applied to iproute2 cvs

--
Stephen Hemminger
OSDL http://developer.osdl.org/~shemminger

From sebas at belzebuth.ca Thu Oct 13 01:06:41 2005
From: sebas at belzebuth.ca (Sebastien Guay)
Date: Thu Oct 13 01:07:18 2005
Subject: [LARTC] Redundant firewall
In-Reply-To: <434D6FF2.5030109@davidcoulson.net>
References: <20051012133608.sz12d0g80004ooow@webmail.belzebuth.ca> <434D49F3.7000308@davidcoulson.net> <20051012135931.sgf4yg7rkc0ckkso@webmail.belzebuth.ca> <434D5539.5020404@davidcoulson.net> <20051012150608.6qw2mx8eso0gkc0w@webmail.belzebuth.ca> <434D6FF2.5030109@davidcoulson.net>
Message-ID: <20051012190641.es6ns373wcc80k48@webmail.belzebuth.ca>

On Wed 12 Oct 2005 16:20:02 EDT, David Coulson wrote:

> Sebastien Guay wrote:
> > So 141, 140, 129 and the server's IP are all on the same subnet.
> > Packets from the router may go through 141, 140 or 129. But they should
> > only go through 129.
>
> Configure the router to only send packets to .129 then :-)

Believe me, if it was my router, we wouldn't have had this discussion :) It's my ISP's router. I will ask them. They are generally very helpful.

However I'm still curious if the proxy_arp trick (1 on the active one and 0 on the other) would do (although probably longer for the other to take over in case of a failover)?

Sébastien
--

From steve at 4dllc.com Thu Oct 13 09:38:39 2005
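To make the VIP mechanism David describes in this thread concrete, here is an added example (not from any poster, and not the proxy_arp variant Sebastien asks about) of what a takeover script does: the firewall becoming active adds the two VIPs and sends unsolicited ARP replies so the router and SERVER update their ARP caches immediately, instead of waiting for old entries pointing at the failed firewall's MAC to expire. Interface names and addresses are assumptions; `arping -U` is the iputils unsolicited-ARP mode that heartbeat's helpers use for the same purpose.

```shell
#!/bin/sh
# Added example (not from the thread): a by-hand version of the VIP
# takeover that heartbeat/fake performs, so the moving parts are visible.
# Becoming active: add the outside and inside VIPs and announce them with
# unsolicited ARP replies. Going standby: remove them again.
# Interface names and addresses are assumptions. DRY_RUN=1 prints the
# commands instead of running them (the real thing needs root and iputils).

OUT_IF=eth0; OUT_VIP=203.0.113.129   # VIP on the router-facing side (assumed)
IN_IF=eth1;  IN_VIP=198.51.100.129   # VIP on the SERVER-facing side (assumed)
PREFIX=25

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

claim_vip() {
    ifc=$1; vip=$2
    run ip addr add "$vip/$PREFIX" dev "$ifc"
    # Three gratuitous announcements so neighbours relearn the MAC at once.
    run arping -U -I "$ifc" -c 3 "$vip"
}

release_vip() {
    ifc=$1; vip=$2
    run ip addr del "$vip/$PREFIX" dev "$ifc"
}

become_active() {
    claim_vip "$OUT_IF" "$OUT_VIP"
    claim_vip "$IN_IF" "$IN_VIP"
}

become_standby() {
    release_vip "$OUT_IF" "$OUT_VIP"
    release_vip "$IN_IF" "$IN_VIP"
}

# Counts used by the tests: ARP announcements on takeover, addresses
# removed on standby.
announcement_count() { ( DRY_RUN=1; become_active ) | grep -c '^arping'; }
release_count()      { ( DRY_RUN=1; become_standby ) | grep -c '^ip addr del'; }

case "${1:-}" in
    active)  become_active ;;
    standby) become_standby ;;
esac
```

Because the router only ever talks to the VIP, it never needs to know which firewall currently owns it; the gratuitous ARP is what shortens the failover window. Whether anything still sends directly to .140 or .141, as Sebastien worries, is decided by the router's routes, not by this script.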
From: steve at 4dllc.com (Steve Comfort)
Date: Thu Oct 13 09:39:11 2005
Subject: [LARTC] VPN over PPP - more detail
Message-ID: <434E0EFF.2030707@4dllc.com>

Hi All,

Let me try again, this time with fixed width!

First off the scenario. We have a local and remote site, both of which connect to the internet via a wireless network. The wireless cards themselves have both an ethernet (ixp1) and an "Atheros" (ath0) interface. The devices connect via PPPoE, and so there is also a ppp0 interface on each device.

On one side we have:

IXP1 IP address : 192.168.200.202
PPP0 IP address : 192.168.94.134
ATH0 IP address : Unassigned

And on the other side:

IXP1 : 192.168.2.200
PPP0 : 192.168.94.132
ATH0 : Unassigned

I have tried various combinations of local and remote addresses, and have tried both IPSec and GRE tunnels, all to no avail. There is a masquerading firewall on the PPP interfaces, but turning this off does not have any effect. I have tried excluding the 192.168.2.200 address from being masqueraded, also to no avail.

I can quite happily ssh to either of the two PPP interfaces, but cannot access anything behind the PPP interfaces. I am going to try assigning an intermediate address such as 192.168.200.11 to the tunnel interface, but I have the feeling that the tunnels are not even being created. I do do the tunneling from both sides, so I don't think that is the problem, unless there are very short timeouts associated with their creation??

Does anyone know if there is any information hidden away in the /proc interface which will tell me whether the tunnels have failed?

Can anyone explain how the various IP addresses would be encapsulated in an IPSec over PPP interface. Maybe then I could figure out my routing etc.

Best regards
Steve Comfort

From mihaivlad at web-profile.net Thu Oct 13 11:07:29 2005
From: mihaivlad at web-profile.net (Vlad Mihai)
Date: Thu Oct 13 11:07:35 2005
Subject: [LARTC] nexthop match
Message-ID:

Hello guys!

I have the following setup: Linux router acting as a gateway for several subnets in the LAN. The subnets are:

127.17.0.0/16 (will go out via NAT)
195.229.x.x/24
193.289.y.y/28
213.189.z.z/26
etc.

There are about 20 subnets including the private Class B subnet.

I want to mark the packets that will go on the Internet, and leave out the packets that move from one subnet to the other.

If I am to use something like:

-s 172.17.0.0/16 -d !195.229.x.x/24
-s 172.17.0.0/16 -d !193.289.y.y/28
etc...

I will have around 100 rules for upload and 100 for download.

Is there any possibility to use something like:

-s 172.17.0.0/16 -d !195.229.x.x/24, !193.289.y.y/28, ...

As in to use something like ipset. Or, match the packets by the next-hop address...

-m nexthop --next-hop GW_ADDRESS

Unfortunately ipset cannot be used for this scenario, and the old nexthop patch was not accepted in the pom tree.

Does anybody have an old copy of the nexthop patch (https://lists.netfilter.org/pipermail/netfilter-devel/2003-November/013216.html), or any other idea...

Thanks,
Mihai

From joerg at alea.gnuu.de Thu Oct 13 10:52:21 2005
From: joerg at alea.gnuu.de (Joerg Sommer)
Date: Thu Oct 13 12:10:00 2005
Subject: [LARTC] shape downstream of a ppp link
Message-ID:

Hi,

is it anyhow possible to tell the other end of the ppp link how he should queue the packages? I have a ppp link to my isp and would like to control the order of packages sent to me. I would like to give uucp a lower priority than http. Is this possible? Has ppp any special features to control such things?

Bye, Jörg.
--
God created man because he was disappointed in the monkey. After that he gave up further experiments.
(Mark Twain)

From unki at netshadow.at Thu Oct 13 12:16:38 2005
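For Vlad Mihai's question about marking only Internet-bound packets, here is an added example (not from any poster) of the usual rule-count reduction with plain iptables: put every locally routed subnet into a chain as a RETURN rule and mark whatever falls through, so the rule count grows with the number of subnets (about 20 here) rather than with the number of source/destination pairs. The subnets in the block are constructed documentation ranges standing in for the ones in the question, and the interface name is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): mark only the packets that really
# leave for the Internet by letting every locally routed subnet RETURN
# from a chain first, so the rule count grows with the number of subnets
# instead of with the number of (source, destination) pairs. The subnets
# here are constructed documentation ranges standing in for the ones in
# the question; DRY_RUN=1 prints the iptables commands instead of running
# them.

LAN_IF=eth1                  # interface toward the LAN (assumed)
PRIVATE_NET=172.17.0.0/16    # the NATed subnet from the question
# Public subnets that are routed locally (constructed values).
LOCAL_NETS="198.51.100.0/24 203.0.113.0/28 192.0.2.64/26"
MARK=1

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Build one chain: packets matching a local subnet (by -d for upload,
# by -s for download) return unmarked; whatever is left gets the mark.
build_chain() {
    chain=$1; flag=$2
    run iptables -t mangle -N "$chain"
    for net in $PRIVATE_NET $LOCAL_NETS; do
        run iptables -t mangle -A "$chain" "$flag" "$net" -j RETURN
    done
    run iptables -t mangle -A "$chain" -j MARK --set-mark "$MARK"
}

setup_marks() {
    build_chain INET_UP -d
    build_chain INET_DOWN -s
    # Upload: from the LAN to anything that is not a local subnet.
    run iptables -t mangle -A FORWARD -i "$LAN_IF" -s "$PRIVATE_NET" -j INET_UP
    # Download: toward the LAN from anything that is not a local subnet.
    # FORWARD already sees the de-NATed destination; mangle PREROUTING
    # would still see the public address for the NATed subnet.
    run iptables -t mangle -A FORWARD -o "$LAN_IF" -d "$PRIVATE_NET" -j INET_DOWN
}

# Number of iptables commands the setup issues (used by the tests).
rule_count() { ( DRY_RUN=1; setup_marks ) | grep -c '^iptables'; }

case "${1:-}" in
    apply) setup_marks ;;
esac
```

With the question's twenty subnets this is about 22 rules per direction and two jump rules, and the resulting mark can be picked up by `tc filter ... handle 1 fw` as before. Adding a subnet later is a single `-I INET_UP`/`-I INET_DOWN` each, which is what a differential update wants.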
From: unki at netshadow.at (Andreas Unterkircher)
Date: Thu Oct 13 12:16:44 2005
Subject: [LARTC] shape downstream of a ppp link
In-Reply-To:
Message-ID: <20051013.J3A.90395000@egroupware.netshadow.at>

I would say no. You could only shape (= drop) some of the incoming packets, and hope that the sender will slow down on this, because he doesn't receive ACK for the dropped packets. This you can do with the normal tc methods.

Andreas

Joerg Sommer (joerg@alea.gnuu.de) wrote:
>
> Hi,
>
> is it anyhow possible to tell the other end of the ppp link how he should
> queue the packages? I have a ppp link to my isp and would like to control
> the order of packages sent to me. I would like to give uucp a lower
> priority than http. Is this possible? Has ppp any special features to
> control such things?
>
> Bye, Jörg.
> --
> God created man because he was disappointed in the monkey.
> After that he gave up further experiments.
> (Mark Twain)
>

From Andreas.Klauer at metamorpher.de Thu Oct 13 12:26:50 2005
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Thu Oct 13 12:26:54 2005
Subject: [LARTC] shape downstream of a ppp link
In-Reply-To:
References:
Message-ID: <200510131226.50794.Andreas.Klauer@metamorpher.de>

On Thursday 13 October 2005 10:52, Joerg Sommer wrote:
> is it anyhow possible to tell the other end of the ppp link how he
> should queue the packages?

Only by making a phone call and threatening the ISP directly... ;-)

> I would like to give uucp a lower priority than http. Is this possible?
> Has ppp any special features to control such things?

It's possible, although there is not really a nice solution for it. I do this kind of "prioritizing" by shaping packets that the router can send to the machines in my LAN, which basically reduces to "drop anything that comes in too fast", in your case "drop uucp packets if they come in too fast". Not really nice since packets have to be re-sent, but for me this is still better than letting one file transfer hog the whole line forever when I need bandwidth for interactive sessions.

Regards,
Andreas Klauer

From schilli69 at hotmail.com Thu Oct 13 14:17:48 2005
From: schilli69 at hotmail.com (Andreas SCHILDORFER)
Date: Thu Oct 13 14:17:54 2005
Subject: [LARTC] linux marking 802.1p ?
Message-ID:

Hello!

How does linux do 802.1p marking for different traffic?
How does linux make Layer 2 VLAN 802.1p priority for flows?

Thanks
Schilli

From support8 at greatlakes.net Thu Oct 13 16:41:19 2005
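The two replies to Joerg's question above describe the same idea in two places: drop excess downstream traffic and let the sender's TCP slow down, either on the LAN-facing interface (Andreas Klauer's approach) or with an ingress policer on the ppp interface (Andreas Unterkircher's). Here is an added example of both, not any poster's own script; the interface names, rates and the uucp port (TCP 540, where a remote uucpd answers from) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): two ways to act on downstream
# traffic from a ppp link, both of which can only drop what has already
# arrived, as the two replies above describe.
#  - shape_lan: an HTB tree on the LAN-facing interface that gives uucp
#    (TCP port 540) a low-priority class, so its excess is dropped before
#    interactive traffic has to wait behind it.
#  - police_ppp: an ingress policer on the ppp interface itself.
# Interface names, rates and the port are assumptions; DRY_RUN=1 prints
# the tc commands instead of running them.

LAN_IF=eth0        # interface toward the LAN (assumed)
PPP_IF=ppp0
DOWN_RATE=1000kbit # slightly below the real downstream rate so the queue forms here
UUCP_RATE=200kbit  # what uucp keeps when other traffic is present

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

shape_lan() {
    run tc qdisc add dev "$LAN_IF" root handle 1: htb default 10
    run tc class add dev "$LAN_IF" parent 1: classid 1:1 htb rate "$DOWN_RATE" ceil "$DOWN_RATE"
    # Everything else (http included): higher priority, may use the whole rate.
    run tc class add dev "$LAN_IF" parent 1:1 classid 1:10 htb rate 800kbit ceil "$DOWN_RATE" prio 1
    # uucp: lower priority, borrows only what 1:10 leaves over.
    run tc class add dev "$LAN_IF" parent 1:1 classid 1:20 htb rate "$UUCP_RATE" ceil "$DOWN_RATE" prio 2
    # The remote uucpd answers from port 540, so match the TCP source port.
    run tc filter add dev "$LAN_IF" parent 1: protocol ip prio 1 u32 match ip protocol 6 0xff match ip sport 540 0xffff flowid 1:20
    # Fair queues on the leaves so excess is dropped early and TCP backs off.
    run tc qdisc add dev "$LAN_IF" parent 1:10 handle 10: sfq perturb 10
    run tc qdisc add dev "$LAN_IF" parent 1:20 handle 20: sfq perturb 10
}

police_ppp() {
    run tc qdisc add dev "$PPP_IF" handle ffff: ingress
    # Drop uucp packets arriving faster than UUCP_RATE; the sender's TCP slows down.
    run tc filter add dev "$PPP_IF" parent ffff: protocol ip prio 1 u32 match ip protocol 6 0xff match ip sport 540 0xffff police rate "$UUCP_RATE" burst 20k drop flowid :1
}

# Counts used by the tests.
shape_class_count()   { ( DRY_RUN=1; shape_lan ) | grep -c '^tc class'; }
police_filter_count() { ( DRY_RUN=1; police_ppp ) | grep -c 'police rate'; }

case "${1:-}" in
    shape)  shape_lan ;;
    police) police_ppp ;;
esac
```

The HTB variant is the gentler of the two: uucp keeps its guaranteed rate and only loses the ceiling when the http class wants bandwidth, whereas the policer drops above a fixed rate whether or not anything else is waiting. Both only work because the link rate configured here is a little below the real downstream rate; otherwise the queue forms at the ISP and nothing on this side sees it.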
From: support8 at greatlakes.net (Eliot, Wireless and Server Administrator, Great Lakes Internet)
Date: Thu Oct 13 16:45:05 2005
Subject: [LARTC] HFSC Advanced Limiting
Message-ID: <0633E0EDB4F25F43A2D7179CA11FAFAB04B52C@xavier.staff.greatlakes.net>

I am investigating changing our broadband bandwidth control scripts over to HFSC. What I would like to accomplish is this:

{ * DOWNLOAD *

I need a download class for each user (we'll call it Class 1) that offers a minimum of let's say 384Kbps and a maximum of 1.5Mbps. The rates between 384Kbps and 1.5Mbps should be shared among all users. Each user should always be able to get at least 384Kbps.

Inside this main class for each user, there will be different categories of traffic (VoIP, P2P, General).

The VoIP subclass (Class 11) should offer a real-time bandwidth of 64Kbps minimum with a maximum of 128Kbps, sharing anything over 80Kbps with other services. The VoIP subclass should also be able to dequeue the packets within a 30ms timeframe, but more importantly, it should not vary the time in which it dequeues the packets by more than 2-3ms between each packet.

The P2P subclass (Class 12) should offer a minimum of 0Kbps and a maximum of 384Kbps, sharing all of its allotted bandwidth with anything that needs it.

The General subclass (Class 13) should offer a minimum of 320Kbps and a maximum of 1.5Mbps sharing anything over 320Kbps.

}

{ * UPLOAD *

I also need an upload class for each user (we'll call it Class 2) that offers a minimum of let's say 256Kbps and a maximum of 768Kbps. The rates between 256Kbps and 768Kbps will be shared among all users. Each user should always be able to upload at a speed of at least 256Kbps.

There should also be VoIP, P2P, and General subclasses on upload.

VoIP (Class 21) should be exactly the same as in the download class.

P2P (Class 22) should go from 0-256Kbps sharing all allotted bandwidth with anything that needs it.
The General subclass (Class 23) should offer a minimum of 192Kbps upload with a max of 768Kbps, sharing anything over 192Kbps.

}

My biggest confusion is on how to get the rates to say something like: If the VoIP upload subclass needs the bandwidth, it gets it, but otherwise the 64Kbps from the VoIP class is allotted to the General upload subclass giving it 256Kbps for upload and the General upload subclass does not need to share that 256Kbps with anything else except the VoIP subclass, but if it goes over the 256Kbps, it shares that extra bandwidth with other people.

Are all of these criteria possible to meet with HFSC? If not, which ones need to be adjusted and why? What would you recommend in place of them?

What is the maximum number you can use on class IDs? How many customers should one router be able to handle with this kind of QoS policy? With a P3 800MHz processor in a router, will I be able to implement this complex of a QoS policy and still have it handle 4,000 customers? What about 10,000? Is there any way to do triple numbering for class IDs (i.e. 1:1:2 instead of 1:12)?

Also, if you do not know for certain any of the answers to these questions, please do not make conjecture. Only answer with facts.

Thank you in advance for any responses to this.

Eliot Gable
Certified Wireless Network Administrator
Cisco Certified Network Associate
CompTIA Security+ Certified
CompTIA Network+ Certified
Network and Systems Administrator
Great Lakes Internet, Inc.
112 North Howard
Croswell, MI 48422
810-679-3395

From dpsims at dpsims.com Thu Oct 13 17:19:41 2005
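Here is an added example, written by the editor and not a verified answer to the questions above, of how the download side of one user's tree from Eliot's message translates into HFSC service curves: link-share (`ls`) for the guaranteed minimums, an upper limit (`ul`) for the maximums, and a real-time curve (`rt`) only on the VoIP leaf. Interface name, link rate, the class id scheme and the exact curve shapes are assumptions, and the filters that would sort packets into the VoIP and P2P subclasses are not shown.

```shell
#!/bin/sh
# Added example, not a verified answer to the questions above: one
# user's download classes written as HFSC service curves with the rates
# from the message (384kbit..1.5mbit per user; VoIP 64kbit real-time,
# 80kbit share, 128kbit cap; P2P up to 384kbit; General 320kbit..1.5mbit).
# Interface name, link rate, class id scheme and the curve shapes are
# assumptions; classification into the subclasses is not shown.
# DRY_RUN=1 prints the tc commands instead of running them.

IF=eth0          # customer-facing interface (assumed)
LINK=100mbit     # physical link rate (assumed)

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Class ids are major:minor with a 16-bit minor, so one user takes four
# consecutive minors: 4u (user), 4u+1 (VoIP), 4u+2 (P2P), 4u+3 (General).
user_classid() { printf '1:%x' $(( $1 * 4 + $2 )); }

setup_root() {
    run tc qdisc add dev "$IF" root handle 1: hfsc
    run tc class add dev "$IF" parent 1: classid 1:1 hfsc ls m2 "$LINK" ul m2 "$LINK"
}

add_user_download() {
    u=$1
    user=$(user_classid "$u" 0)
    voip=$(user_classid "$u" 1)
    p2p=$(user_classid "$u" 2)
    gen=$(user_classid "$u" 3)
    # User: 384kbit link-share, never more than 1.5mbit.
    run tc class add dev "$IF" parent 1:1 classid "$user" hfsc ls m2 384kbit ul m2 1500kbit
    # VoIP: real-time curve that serves a 30ms burst at 400kbit before
    # settling at 64kbit, link-share 80kbit, capped at 128kbit.
    run tc class add dev "$IF" parent "$user" classid "$voip" hfsc rt m1 400kbit d 30ms m2 64kbit ls m2 80kbit ul m2 128kbit
    # P2P: no real-time guarantee, a token link-share, capped at 384kbit.
    run tc class add dev "$IF" parent "$user" classid "$p2p" hfsc ls m2 8kbit ul m2 384kbit
    # General: 320kbit link-share, may grow to the user's cap.
    run tc class add dev "$IF" parent "$user" classid "$gen" hfsc ls m2 320kbit ul m2 1500kbit
}

# Send a customer's address to their General class; VoIP and P2P would
# need further filters with a lower prio number in front of this one.
add_user_filter() {
    run tc filter add dev "$IF" parent 1: protocol ip prio 10 u32 match ip dst "$2" flowid "$(user_classid "$1" 3)"
}

# Number of classes one user adds (used by the tests).
user_class_count() { ( DRY_RUN=1; add_user_download 1 ) | grep -c '^tc class'; }

case "${1:-}" in
    apply) setup_root; add_user_download 1; add_user_filter 1 192.0.2.10 ;;
esac
```

The `ls` values inside one user are weights relative to each other, which is what lets the General class pick up whatever VoIP does not use; the `ul` on each leaf is the hard cap. Because the minor part of a class id is 16 bits, the four-ids-per-user scheme above runs out at a little over 16,000 users on one interface, which is the practical answer to the class-id question for this layout.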
From: dpsims at dpsims.com (David Sims)
Date: Thu Oct 13 17:19:45 2005
Subject: [LARTC] wondershaper....
Message-ID:

Hi,

I am new to the Linux Advance Routing Project and to Policy Based Routing as implemented in Linux.... but I have been using Linux for 10 years so not _really_ a newbie....

Looking at the lartc.org website I came across the reference implementation of a traffic shaper... I also have Matt Marsh's book on 'Policy Based Routing using Linux' which covers traffic shaping a bit in the later chapters.... but I am not crystal clear on it....

I have a linux box doing simple policy based routing for a fairly substantial private network and routing the resulting traffic in a policy based way to two different ISPs via T-1 (1.544 Mb/s) pipes... Sort of arbitrary poor-boy load balancing resulting in two distinct QOSes (i.e., heavily loaded and lightly loaded ;)...

I would like to also experiment with traffic shaping and would welcome any thoughts that you might have regarding implementation in such a setup...

Basically the PBR Linux box has two NICs.... Eth0 is facing the private network and is the default gateway for all private traffic... while eth1 is facing a DMZ LAN where the various ISPs and other private network services live....

My first thought was to run wondershaper as is and set the parameters to 3 Mb up and 3 Mb down (i.e., 2 x t-1).... But then I had a flash of common sense and decided to ask first if there might not be a better way.... ;)

If anyone has any thoughts about traffic shaping in this environment or on the setup in general I would love to hear them...

TIA. Any and all instruction gratefully received.

Dave Sims
Houston, Texas

From jlynch at frink.nuigalway.ie Thu Oct 13 18:06:27 2005
From: jlynch at frink.nuigalway.ie (Jonathan Lynch)
Date: Thu Oct 13 18:06:51 2005
Subject: [LARTC] The effects of queueing on delay...(TX Ring Buffer the problem)
In-Reply-To: <1129064647.13493.41.camel@pgala.it.nuigalway.ie>
References: <1129064647.13493.41.camel@pgala.it.nuigalway.ie>
Message-ID: <1129219587.8517.2.camel@localhost.localdomain>

This was down to the tx buffer size on the network card i was using. It was an Intel 82547EI gigabit Card using the e1000 driver and operating at 100mbit. The tx buffer was set to 256 which caused this huge delay. The minimum the driver lets me reduce the tx buffer size using ethtool is 80. By reducing the tx ring buffer to 80, the delay when there is full link utilisation and a maximum queue of 10 packets was reduced from 30ms to 10ms.

The 3com 3c59x vortex driver uses a tx buffer of 16. I reduced the tx to 16 on the e1000 driver, but the max throughput i could achieve on the interface went down.

Has anyone experimented with reducing the size of the tx buffer on this card to get a good balance between delay and throughput?

Jonathan

On Tue, 2005-10-11 at 22:04 +0100, Jonathan Lynch wrote:
> I have a router with 3 network interfaces like in the following ASCII
> diagram below. All interfaces are 100mbit. There is tcp traffic being
> sent from net1 to net3 and from net2 to net3 and the tcp connections
> consume as much bandwidth as possible. There is a pfifo queue on the
> egress interface eth0 of the core router with a limit of 10 packets.
>
>
> net1 --> (eth1) router (eth0) -> net3
>                 (eth2)
>                   ^
>                   |
>                 net 2
>
> I police traffic on the edge of net1 to 48.4375 Mbit and shape the
> traffic on exit of net 2 to 48.4375 Mbit. There are no packets in the
> queue of the egress interface eth0 of the router at any stage. (every
> packet is enqueued by pfifo_enqueue() to an empty queue.
> I have confirmed this by adding a counter in sch_fifo.c that is
> incremented every time there is a packet in the queue when a new packet
> is enqueued.) The delay is at a maximum of 2ms.
>
> When I increase the policing rate and shaping rates to 48.4687. The
> combined increase is 31.2 kbit which is very small. there are some
> packets queued for a short period and some dropped which clears the
> queue. The maximum number of packets dropped was 20 per second. But the
> delay goes up to 30ms.
>
> check out the graphs at
> http://frink.nuigalway.ie/~jlynch/queue/
>
>
> I cant seem to explain this. Even if the queue was full all the time and
> each packet was of maximum size, the delay imposed by queueing should be
> a maximum of 10 * 1500 * 8 /100,000,000 which equals 1ms.
>
> How can so much delay be added by such a small increase in the
> throughput coming from net1 and net2 ?
>
> I would appreciate if someone could explain it to me.
>
> Btw im using a stratum 1 NTP server on the same LAN to ensure
> measurement accuracy.
>
>
> Jonathan
>

From support8 at greatlakes.net Thu Oct 13 20:08:06 2005
From: support8 at greatlakes.net (Eliot, Wireless and Server Administrator, Great Lakes Internet) Date: Thu Oct 13 20:11:56 2005 Subject: [LARTC] wondershaper.... Message-ID: <0633E0EDB4F25F43A2D7179CA11FAFAB04B534@xavier.staff.greatlakes.net>

Well, the way I see it, if you are trying to load balance over two T1 lines in your own network, using multipath routing or something similar is not an issue. However, when you are trying to load balance over two T1 lines provided by separate ISPs, you run into the "global address problem." That is, your packets going through 1 T1 go out to the world with a source IP from ISP 1 and your packets going through the other T1 go out to the world with a source IP from ISP 2. Now, on the sending end, you don't really care. But, the receiving end does care. If you are just doing a packet-per-packet load balancing, JOE webserver on the Internet is going to see half your packets coming from one IP and half coming from the other. It is not going to reassemble them into a full stream and decode them. And if you try to force your packets going out one T1 to have the IP of the other T1, the ingress filter on your ISP's network (that would be ingress from you to them, egress from them to the world) will likely filter out your packets as spoofed packets.

So, the only real load balancing you can do on two T1 lines from two different ISPs is flow-based load balancing. A single connection goes through a single T1 and you load balance the separate connections across the T1 lines. By doing it this way, you make the sacrifice that you are not receiving equal load balancing. Specifically, your upload speed on any given connection will never exceed the maximum speed of a single T1 line.

BGP comes in handy when that's not what you want to do. With BGP, you can advertise a route to your network block through both providers. Then, you can send packets out either provider with a single IP address and the packets will return via the best route from the server you are connecting to and your network. You can alter that load balancing on a network block basis by advertising some network blocks out one T1 and other network blocks out the other T1 with smaller subnet masks than your entire network block. This takes advantage of the fact that routers always route to the route with the smallest subnet mask. For instance, if you have a /20 network block, you can advertise the /20 out both providers, then advertise 8 /24's out one provider and 8 /24's out the other (or 4 /23's, or whatever you want). If you combine BGP with equal-cost multipath routing and force the costs of the T1 lines to the same cost, you can send one packet out one T1 and one out the other giving you a maximum upload speed of 3 Mbps. This is the only way I know of to load balance across two connections to separate ISPs. If you have another way that solves the above listed problem, please let me know.

Now, if your T1 lines are from the same ISP, you should look into bonding them or using equal-cost multipath routing on both ends, either of which would give you 3 Mbps in both directions.

Eliot Gable
Certified Wireless Network Administrator
Cisco Certified Network Associate
CompTIA Security+ Certified
CompTIA Network+ Certified
Network and Systems Administrator
Great Lakes Internet, Inc.
112 North Howard
Croswell, MI 48422
810-679-3395

-----Original Message-----
From: David Sims [mailto:dpsims@dpsims.com] Sent: Thu 10/13/2005 11:38 AM To: Eliot, Wireless and Server Administrator, Great Lakes Internet Subject: RE: [LARTC] wondershaper....

Hi Eliot,

Of course, BGP would be the traditional solution for Policy Based Routing.... but I like doing things in new and different ways to learn about them and to see if they are actually better or worse than the traditional way.... (it's through that process that computer science moves ahead ;)... It would seem at first blush that Policy Based Routing under Linux is head and shoulders above the traditional methodologies.... and I think the functionality is far better than even Cisco's....

I would agree that fault tolerance is not as good as with one of the more traditional mechanisms, but think of my environment as a 'lab'... It's easy enough to swing all the traffic to one T-1 or another in the event of a failure... even though the volume would kill the working T-1 due to the amount of traffic...

A more optimal situation would be to use ethernet over fiber where one could just get 4 Mb/s without regard to electrical interfaces.... rather than load balancing two T-1s.... but then there's no backup at all in that situation... it would either be working or not working....

Any other thoughts??

Dave

**********************************************************************

On Thu, 13 Oct 2005, Eliot, Wireless and Server Administrator, Great Lakes Internet wrote:
>
> I would recommend that you investigate the possible use of BGP over
> those T1s from other providers. That would be your best solution. You
> can use BGP to shape the loading on the T1 lines and it would offer you
> better fault tolerance in the event that one of the T1 lines went down.
> Of course, you would still benefit from QoS policies on your routers.
> > Eliot Gable > Certified Wireless Network Administrator > Cisco Certified Network Associate > CompTIA Security+ Certified > CompTIA Network+ Certified > Network and Systems Administrator > Great Lakes Internet, Inc. > 112 North Howard > Croswell, MI 48422 > 810-679-3395 > > > > -----Original Message----- 
> From: lartc-bounces@mailman.ds9a.nl on behalf of David Sims
> Sent: Thu 10/13/2005 11:19 AM
> To: lartc@mailman.ds9a.nl
> Subject: [LARTC] wondershaper....
>
> Hi,
>
> I am new to the Linux Advanced Routing Project and to Policy Based
> Routing as implemented in Linux.... but I have been using Linux for 10
> years so not _really_ a newbie.... Looking at the lartc.org website I came
> across the reference implementation of a traffic shaper...
>
> I also have Matt Marsh's book on 'Policy Based Routing using Linux'
> which covers traffic shaping a bit in the later chapters.... but I am not
> crystal clear on it....
>
> I have a linux box doing simple policy based routing for a fairly
> substantial private network and routing the resulting traffic in a policy
> based way to two different ISPs via T-1 (1.544 Mb/s) pipes... Sort of
> arbitrary poor-boy load balancing resulting in two distinct QOSes (i.e.,
> heavily loaded and lightly loaded ;)...
>
> I would like to also experiment with traffic shaping and would welcome
> any thoughts that you might have regarding implementation in such a
> setup... Basically the PBR Linux box has two NICs.... Eth0 is facing the
> private network and is the default gateway for all private traffic...
> while eth1 is facing a DMZ LAN where the various ISPs and other private
> network services live....
>
> My first thought was to run wondershaper as is and set the parameters to
> 3 Mb up and 3 Mb down (i.e., 2 x t-1).... But then I had a flash of common
> sense and decided to ask first if there might not be a better way.... ;)
>
> If anyone has any thoughts about traffic shaping in this environment or
> on the setup in general I would love to hear them...
>
> TIA. Any and all instruction gratefully received.
> > Dave Sims > Houston, Texas > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20051013/a2945bce/attachment.html From jasonb at edseek.com Thu Oct 13 21:45:37 2005 
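As an added illustration of Eliot's point above about steering return traffic with more-specific announcements (this is example code, not anything from the thread; the prefixes and provider names are constructed): a router selects the route with the longest matching prefix, so the /24s decide the return path while the covering /20 only matters when a /24 is withdrawn. The same rule is why a more-specific prefix announced by a third party captures the traffic instead, which is the caveat to keep in mind when relying on this.

```python
"""Longest-prefix match over a table that advertises a /20 via both
providers and more-specific /24s via one provider each.

Added example, not from the thread; prefixes and provider names are
constructed. It shows why the return path follows the /24 announcements
rather than the covering /20, and that any more-specific prefix, including
one announced by someone else, wins the same way.
"""
import ipaddress
from typing import Optional

# Constructed table: (prefix, next hop). The /20 goes out both T1s; the
# first eight /24s are announced only via ISP1, the last eight only via ISP2.
BLOCK = ipaddress.ip_network("172.16.0.0/20")
ROUTES = [(str(BLOCK), "ISP1+ISP2")]
ROUTES += [(str(net), "ISP1") for net in list(BLOCK.subnets(new_prefix=24))[:8]]
ROUTES += [(str(net), "ISP2") for net in list(BLOCK.subnets(new_prefix=24))[8:]]


def lookup(table, dst: str) -> Optional[str]:
    """Return the next hop of the most specific (longest) matching prefix."""
    addr = ipaddress.ip_address(dst)
    best_len, best_hop = -1, None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_hop = net.prefixlen, hop
    return best_hop


def without_prefix(table, prefix: str):
    """Table with one announcement withdrawn (e.g. that T1 went down)."""
    return [(p, h) for p, h in table if p != prefix]


if __name__ == "__main__":
    for dst in ("172.16.3.9", "172.16.12.1"):
        print(dst, "->", lookup(ROUTES, dst))
    # Withdraw 172.16.3.0/24: traffic falls back to the covering /20.
    print("172.16.3.9 after withdrawal ->",
          lookup(without_prefix(ROUTES, "172.16.3.0/24"), "172.16.3.9"))
    # A more-specific /25 from anyone wins over the legitimate /24.
    print("172.16.3.9 with rogue /25 ->",
          lookup(ROUTES + [("172.16.3.0/25", "rogue")], "172.16.3.9"))
```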
From: jasonb at edseek.com (Jason Boxman) Date: Thu Oct 13 21:46:02 2005 Subject: [LARTC] HFSC Advanced Limiting In-Reply-To: <0633E0EDB4F25F43A2D7179CA11FAFAB04B52C@xavier.staff.greatlakes.net> References: <0633E0EDB4F25F43A2D7179CA11FAFAB04B52C@xavier.staff.greatlakes.net> Message-ID: <200510131545.37554.jasonb@edseek.com>

On Thursday 13 October 2005 10:41, Eliot, Wireless and Server Administrator, Great Lakes Internet wrote:
> I am investigating changing our broadband bandwidth control scripts over to
> HFSC. What I would like to accomplish is this:
>
> { * DOWNLOAD *

Read the replies to the thread "shape downstream of a ppp link" as the same concept applies here. It's difficult to shape ingress traffic. You could, nevertheless, employ hfsc in some fashion for ingress either with IMQ or by attaching it to the LAN facing side of your network (pretend ingress is egress).

> What is the maximum number you can use on class IDs?

0xFFF I believe. (If it's actually 0xFFFF someone correct me.)

> How many customers should one router be able to handle with this kind of
> QoS policy?

That's going to depend on many things, one of which being packet matching. Were you going to use `tc filter` or, say, `iptables` matching? For the former, with so many clients, others have posted they needed to use `tc filter` with hashtables or the performance hit was huge for thousands of `tc filter` rules. (i.e. unusable.)

> With a P3 800MHz processor in a router, will I be able to implement this
> complex of a QoS policy and still have it handle 4,000 customers?
>
> What about 10,000?

Maybe.

> Is there any way to do triple numbering for class IDs (i.e. 1:1:2 instead
> of 1:12)?

No.

> Also, if you do not know for certain any of the answers to these questions,
> please do not make conjecture. Only answer with facts. Thank you in advance
> for any responses to this.

Excellent. Then I'm sure you've read LARTC HOWTO and Google'd extensively already.
-- Jason Boxman http://edseek.com/ - Linux and FOSS stuff From support8 at greatlakes.net Thu Oct 13 22:24:06 2005 
From: support8 at greatlakes.net (Eliot, Wireless and Server Administrator, Great Lakes Internet) Date: Thu Oct 13 22:27:54 2005 Subject: [LARTC] HFSC Advanced Limiting Message-ID: <0633E0EDB4F25F43A2D7179CA11FAFAB04B537@xavier.staff.greatlakes.net>

Thank you for your response. I do know how to shape a specific direction of traffic. Given that I am the ISP sitting between the customer and the Internet, it is trivial for me to shape both directions. Based on your response, I take it that 'tc filter' takes more of a performance hit than iptables? And yes, I have read the LARTC HOWTO and Google'd extensively.

This is my current rough draft based on my specifications:

#!/sbin/runscript
# Gentoo runscript: start/stop/restart are dispatched via "$1" at the bottom.

start_test() {
    # Per-customer parameters; all rates in Kbit.
    PIPEID="1000"
    USERNAME="test"
    BASEUPLOAD="256"
    BASEDOWNLOAD="384"
    MAXUPLOAD="768"
    BURSTUPLOAD=${MAXUPLOAD}
    BURSTLENGTHUPLOAD="2000"
    MAXDOWNLOAD="1500"
    BURSTDOWNLOAD=${MAXDOWNLOAD}
    BURSTLENGTHDOWNLOAD="2000"
    VOIPBASEUPLOAD="80"
    VOIPMAXUPLOAD="128"
    VOIPSHAREDUPLOAD=${VOIPMAXUPLOAD}      # was self-referencing (empty); follows the P2P/GEN pattern
    VOIPBASEDOWNLOAD="80"
    VOIPMAXDOWNLOAD="128"
    VOIPSHAREDDOWNLOAD=${VOIPMAXDOWNLOAD}  # likewise
    VOIPLATENCY="30"
    P2PBASEUPLOAD="0"
    P2PMAXUPLOAD="256"
    P2PSHAREDUPLOAD=${P2PMAXUPLOAD}
    P2PBASEDOWNLOAD="0"
    P2PMAXDOWNLOAD="384"
    P2PSHAREDDOWNLOAD=${P2PMAXDOWNLOAD}
    GENBASEUPLOAD="168"
    GENMAXUPLOAD="768"
    GENSHAREDUPLOAD=${GENMAXUPLOAD}
    GENBASEDOWNLOAD="384"
    GENMAXDOWNLOAD="1500"
    GENSHAREDDOWNLOAD=${GENMAXDOWNLOAD}
    start_user
    M1=00; M2=07; M3=BA; M4=25; M5=21; M6=B7;
    start_mac    # not included in the posted snippet
}

setup_main_devices() {
    einfo "Starting bandwidth management on interfaces ..."
    einfo "  - Creating qdiscs on interfaces ..."
    # Root hfsc qdisc per interface, one top-level class each.
    CMD="tc qdisc add dev eth0 root handle 1: hfsc default 1"
    docmd
    CMD="tc qdisc add dev eth1 root handle 2: hfsc default 1"
    docmd
    CMD="tc class add dev eth0 parent 1:0 classid 1:1 hfsc ls m2 100Mbit ul m2 100Mbit"
    docmd
    CMD="tc class add dev eth1 parent 2:0 classid 2:1 hfsc ls m2 100Mbit ul m2 100Mbit"
    docmd
}

start_user() {
    einfo "Starting bandwidth management for ${USERNAME} ..."
    einfo "  - Creating classes on eth0 for upload control ..."
    # Customer pipe, then VoIP / P2P / general leaves under it.
    # With PIPEID=1000 the leaves become 1:10000, 1:10001, 1:10002 (see the replies).
    CMD="tc class add dev eth0 parent 1:0 classid 1:${PIPEID} hfsc ls m1 ${BURSTUPLOAD}Kbit d ${BURSTLENGTHUPLOAD}ms m2 ${BASEUPLOAD}Kbit ul m2 ${MAXUPLOAD}Kbit"
    docmd
    CMD="tc class add dev eth0 parent 1:${PIPEID} classid 1:${PIPEID}0 hfsc sc umax 1500b dmax ${VOIPLATENCY}ms rate ${VOIPBASEUPLOAD}Kbit"
    docmd
    CMD="tc class add dev eth0 parent 1:${PIPEID} classid 1:${PIPEID}1 hfsc ls m2 ${P2PSHAREDUPLOAD}Kbit ul m2 ${P2PMAXUPLOAD}Kbit"
    docmd
    CMD="tc class add dev eth0 parent 1:${PIPEID} classid 1:${PIPEID}2 hfsc rt m2 ${GENBASEUPLOAD}Kbit ls m2 ${GENSHAREDUPLOAD}Kbit ul m2 ${GENMAXUPLOAD}Kbit"
    docmd
    einfo "  - Creating classes on eth1 for download control ..."
    CMD="tc class add dev eth1 parent 2:0 classid 2:${PIPEID} hfsc ls m1 ${BURSTDOWNLOAD}Kbit d ${BURSTLENGTHDOWNLOAD}ms m2 ${BASEDOWNLOAD}Kbit ul m2 ${MAXDOWNLOAD}Kbit"
    docmd
    CMD="tc class add dev eth1 parent 2:${PIPEID} classid 2:${PIPEID}0 hfsc sc umax 1500b dmax ${VOIPLATENCY}ms rate ${VOIPBASEDOWNLOAD}Kbit"
    docmd
    CMD="tc class add dev eth1 parent 2:${PIPEID} classid 2:${PIPEID}1 hfsc ls m2 ${P2PSHAREDDOWNLOAD}Kbit ul m2 ${P2PMAXDOWNLOAD}Kbit"
    docmd
    CMD="tc class add dev eth1 parent 2:${PIPEID} classid 2:${PIPEID}2 hfsc rt m2 ${GENBASEDOWNLOAD}Kbit ls m2 ${GENSHAREDDOWNLOAD}Kbit ul m2 ${GENMAXDOWNLOAD}Kbit"
    docmd
}

docmd() {
    # Run ${CMD} and report its exit status in runscript style.
    if [[ "${CMD}" ]]; then
        ebegin "  - ${CMD}"
        $CMD
        if [[ $? -eq 0 ]]; then eend 0; else eend 1; fi
    fi
}

depend() {
    need net
}

start() {
    stop
    setup_main_devices
    start_test
}

stop() {
    ebegin "Stopping QoS ruleset"
    # Redirect order fixed: stdout to /dev/null first, then stderr onto it
    # (the original "2>&1 1>/dev/null" silenced stdout but left stderr on the terminal).
    tc qdisc del dev eth0 root >/dev/null 2>&1
    tc qdisc del dev eth1 root >/dev/null 2>&1
    tc qdisc del dev eth2 root >/dev/null 2>&1
    eend 0
}

restart() {
    stop
    start
}

$1

Oddly, I keep getting these errors:

 * Starting bandwidth management on interfaces ...
 *   - Creating qdiscs on interfaces ...
 *   - tc qdisc add dev eth0 root handle 1: hfsc default 1...  [ ok ]
 *   - tc qdisc add dev eth1 root handle 2: hfsc default 1...  [ ok ]
 *   - tc class add dev eth0 parent 1:0 classid 1:1 hfsc ls m2 100Mbit ul m2 100Mbit...  [ ok ]
 *   - tc class add dev eth1 parent 2:0 classid 2:1 hfsc ls m2 100Mbit ul m2 100Mbit...  [ ok ]
 * Starting bandwidth management for test ...
 *   - Creating classes on eth0 for upload control ...
 *   - tc class add dev eth0 parent 1:0 classid 1:1000 hfsc ls m1 768Kbit d 2000ms m2 256Kbit ul m2 768Kbit...  [ ok ]
 *   - tc class add dev eth0 parent 1:1000 classid 1:10000 hfsc sc umax 1500b dmax 30ms rate 80Kbit...
RTNETLINK answers: File exists  [ !! ]
 *   - tc class add dev eth0 parent 1:1000 classid 1:10001 hfsc ls m2 256Kbit ul m2 256Kbit...
RTNETLINK answers: File exists  [ !! ]
 *   - tc class add dev eth0 parent 1:1000 classid 1:10002 hfsc rt m2 168Kbit ls m2 768Kbit ul m2 768Kbit...  [ ok ]
 *   - Creating classes on eth1 for download control ...
 *   - tc class add dev eth1 parent 2:0 classid 2:1000 hfsc ls m1 1500Kbit d 2000ms m2 384Kbit ul m2 1500Kbit...  [ ok ]
 *   - tc class add dev eth1 parent 2:1000 classid 2:10000 hfsc sc umax 1500b dmax 30ms rate 80Kbit...
RTNETLINK answers: Invalid argument  [ !! ]
 *   - tc class add dev eth1 parent 2:1000 classid 2:10001 hfsc ls m2 384Kbit ul m2 384Kbit...
RTNETLINK answers: Invalid argument  [ !! ]
 *   - tc class add dev eth1 parent 2:1000 classid 2:10002 hfsc rt m2 384Kbit ls m2 1500Kbit ul m2 1500Kbit...
RTNETLINK answers: Invalid argument  [ !! ]

Also, note that I am deleting the qdiscs that exist each time I start the script, so there should not be any entries that still exist when I run the script again. I'm also not certain if what I am doing here actually achieves my goals, but this is my best guess at the moment. And, just in case you are wondering, I have not gotten to the 'tc filter' or 'iptables -j CLASSIFY' parts yet.

Thanks in advance.

Eliot Gable
Certified Wireless Network Administrator
Cisco Certified Network Associate
CompTIA Security+ Certified
CompTIA Network+ Certified
Network and Systems Administrator
Great Lakes Internet, Inc.
112 North Howard Croswell, MI 48422 810-679-3395 -----Original Message----- 
From: lartc-bounces@mailman.ds9a.nl on behalf of Jason Boxman Sent: Thu 10/13/2005 3:45 PM To: lartc@mailman.ds9a.nl Subject: Re: [LARTC] HFSC Advanced Limiting

On Thursday 13 October 2005 10:41, Eliot, Wireless and Server Administrator, Great Lakes Internet wrote:
> I am investigating changing our broadband bandwidth control scripts over to
> HFSC. What I would like to accomplish is this:
>
> { * DOWNLOAD *

Read the replies to the thread "shape downstream of a ppp link" as the same concept applies here. It's difficult to shape ingress traffic. You could, nevertheless, employ hfsc in some fashion for ingress either with IMQ or by attaching it to the LAN facing side of your network (pretend ingress is egress).

> What is the maximum number you can use on class IDs?

0xFFF I believe. (If it's actually 0xFFFF someone correct me.)

> How many customers should one router be able to handle with this kind of
> QoS policy?

That's going to depend on many things, one of which being packet matching. Were you going to use `tc filter` or, say, `iptables` matching? For the former, with so many clients, others have posted they needed to use `tc filter` with hashtables or the performance hit was huge for thousands of `tc filter` rules. (i.e. unusable.)

> With a P3 800MHz processor in a router, will I be able to implement this
> complex of a QoS policy and still have it handle 4,000 customers?
>
> What about 10,000?

Maybe.

> Is there any way to do triple numbering for class IDs (i.e. 1:1:2 instead
> of 1:12)?

No.

> Also, if you do not know for certain any of the answers to these questions,
> please do not make conjecture. Only answer with facts. Thank you in advance
> for any responses to this.

Excellent. Then I'm sure you've read LARTC HOWTO and Google'd extensively already.
-- Jason Boxman http://edseek.com/ - Linux and FOSS stuff _______________________________________________ LARTC mailing list LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20051013/2f56bd15/attachment.htm

From chilek at chilan.com Thu Oct 13 22:57:26 2005 From: chilek at chilan.com (Tomasz Chilinski) Date: Thu Oct 13 22:57:29 2005 Subject: [LARTC] HFSC Advanced Limiting In-Reply-To: <0633E0EDB4F25F43A2D7179CA11FAFAB04B537@xavier.staff.greatlakes.net> References: <0633E0EDB4F25F43A2D7179CA11FAFAB04B537@xavier.staff.greatlakes.net> Message-ID: <20051013205348.M32790@chilan.com>

On Thu, 13 Oct 2005 16:24:06 -0400, Eliot wrote
> Oddly, I keep getting these errors:
>
> parent 1:1000 classid 1:10000 hfsc sc umax 1500b dmax 30ms rate 80Kbit...
> RTNETLINK answers: File exists
> [ !! ] * - tc
> class add dev eth0 parent 1:1000 classid 1:10001 hfsc ls m2 256Kbit
> ul m2 256Kbit... RTNETLINK answers: File exists

Classid should be in the range 0x0000-0xFFFF, so that's the cause of the problem in this script snippet.

> Eliot Gable
> Certified Wireless Network Administrator
> Cisco Certified Network Associate
> CompTIA Security+ Certified
> CompTIA Network+ Certified
> Network and Systems Administrator
> Great Lakes Internet, Inc.
> 112 North Howard
> Croswell, MI 48422
> 810-679-3395

-- Kind regards, Tomasz Chilinski RHCX, RHCE, RedHat Academy Instructor Cisco Certified Academy Instructor LMS developer: http://lms.rulez.pl Kadu developer: http://www.kadu.net Director of Chilan.com network engineering department

From c-d.hailfinger.devel.2005 at gmx.net Thu Oct 13 23:55:12 2005
From: c-d.hailfinger.devel.2005 at gmx.net (Carl-Daniel Hailfinger) Date: Thu Oct 13 23:55:17 2005 Subject: [LARTC] brouting on interfaces without IP address Message-ID: <434ED7C0.2000109@gmx.net>

Hi,

[sorry for the crosspost, I don't know whether this is a routing or ebtables problem]

I want to redirect all HTTP traffic passing through my bridge to a squid proxy on another machine. However, setting up brouting as suggested in the ebtables examples doesn't work and the packets get dropped on the floor completely.

   /\/\/\/\/\/\/\/\      +----------------------+     +-------------+
  /      LAN      \-----|bridgeint    bridgeext|-----|   Router    |
  \ 192.168.0.0/24 /    |                      |     |(192.168.0.1)|
   \/\/\/\/\/\/\/\/     |  eth0(192.168.0.5)   |     +-------------+
          |             +----------------------+
          |                        |
          |                        |
          |             +--------------------+     +----------------+
          \-------------| Proxy(192.168.0.4) |-----| Another Router |
                        +--------------------+     +----------------+

Packet flow for unredirected traffic:
LAN <-> bridgeint <-> bridgeext <-> Router <-> Internet

Packet flow (asymmetric) for redirected traffic:
LAN -> bridgeint -> eth0 -> Proxy -> Another Router -> Internet
LAN <- Proxy <- Another Router <- Internet

However, once I insert the ebtables rule to actually do the redirection, all packets I want to redirect get dropped. This happens regardless of where I try to broute the packets. I tried DROPping them in BROUTING, REDIRECTing them in PREROUTING, DNATing them to the MAC of eth0 in PREROUTING, but each time the packets never leave eth0.

All debugging so far hasn't helped (I read the LARTC HowTo twice, read all ebtables/bridge/iproute2 documentation I could find), the only remaining possible explanation I can think of is that the kernel routing code drops packets entering on devices which have no IP address attached. Is that true?

To make sure the bridge doesn't accidentally answer to packets running through it, the bridge device (bridge) and its enslaved ethernet interfaces (bridgeext and bridgeint) have no IP address assigned to them.
The bridge has an additional ethernet interface (eth0) which handles all traffic going directly to the bridge.

bridge:~ # ip a l
1: lo: mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.5/24 brd 192.168.0.255 scope global eth1
       valid_lft forever preferred_lft forever
3: bridgeext: mtu 1500 qdisc htb qlen 1000
    link/ether 00:01:02:03:04:05 brd ff:ff:ff:ff:ff:ff
4: bridgeint: mtu 1500 qdisc htb qlen 1000
    link/ether 00:06:07:08:09:0a brd ff:ff:ff:ff:ff:ff
5: bridge: mtu 1500 qdisc noqueue
    link/ether 00:01:02:03:04:05 brd ff:ff:ff:ff:ff:ff

bridge:~ # brctl show
bridge name     bridge id               STP enabled     interfaces
bridge          8000.000102030405       no              bridgeint
                                                        bridgeext

bridge:~ # ebtables -t nat -L --Lx
ebtables -t nat -N ifacefilter-int
ebtables -t nat -N proxy
ebtables -t nat -A PREROUTING -i bridgeint -j ifacefilter-int
ebtables -t nat -A ifacefilter-int -p IPv4 --ip-src 192.168.0.0/24 --ip-proto tcp --ip-dport 80 -j proxy
ebtables -t nat -A proxy -j mark --set-mark 0x1 --mark-target CONTINUE
ebtables -t nat -A proxy -j dnat --to-dst 00:11:22:33:44:55 --dnat-target ACCEPT

bridge:~ # ip ru l
0:      from all lookup local
32765:  from all fwmark 0x1 lookup proxy
32766:  from all lookup main
32767:  from all lookup default

bridge:~ # ip r l table proxy
default via 192.168.0.4 dev eth0

bridge:~ # cat /proc/sys/net/ipv4/ip_forward
1

bridge:~ # uname -a
Linux bridge 2.6.11.7-secpatched #3 Fri Oct 8 04:19:31 CEST 2005 x86_64 x86_64 x86_64 GNU/Linux

Thanks for any help,
Carl-Daniel
-- http://www.hailfinger.org/

From jorge at inway.cz Fri Oct 14 11:21:11 2005
From: jorge at inway.cz (jorge) Date: Fri Oct 14 11:31:56 2005 Subject: [LARTC] ip rule add dev Message-ID: <434F7887.9030508@inway.cz>

Hi, I have a question: I have a router with some interfaces and I want some interfaces to look up other tables than the default, for a different default gw. Like this, so all the traffic from vlan0002 will be routed via 213.151.73.176:

/usr/sbin/ip rule add dev vlan0002 lookup 15
/usr/sbin/ip route add default via 213.151.73.176/27 table 15

Is it ok? Or did I omit something?

thanks

-- Jorge Sanchez InWay a.s.

From tkiran at ku.edu.tr Fri Oct 14 13:01:20 2005
From: tkiran at ku.edu.tr (TAYLAN KIRAN) Date: Fri Oct 14 13:00:33 2005 Subject: [LARTC] share bandwidth fairly Message-ID: <20051014T140120Z_DF7D00090000@ku.edu.tr>

Dear members,

I am trying to share the bandwidth for all users fairly, because some users heavily use p2p programs and a few hosts consume most of the bandwidth. When we limit each flow it does not work, as one client has many connections at the same time.

Firstly I tried to write a script that uses the ipfm (which accounts traffic usage) logs as follows:
 . extract the IP addresses of heavy bandwidth users from the log file
 . create a new class with 128kbit for that IP address
 . add a tc filter for that IP by classifying the IP address with the 'match ip dst' parameter.

It works for a few IPs. After 4 or 5 IP addresses are added it does not work for the last added IP addresses. Let me show the lines that I used.

#------- creation of qdisc and parent ------------
tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 1: htb default 12
tc class add dev eth0 parent 1 classid 1:1 htb rate 10mbit ceil 10mbit

#---- works for each IP address found in ipfm logs that exceeds the desired bandwidth usage ---
tc class add dev eth0 parent 1:1 classid 1:$index htb rate 128kbit ceil 128kbit
tc filter add dev eth0 parent 1: protocol ip prio 1 u32 \
    match ip dst $ipaddress classid 1:$index

But it does not work well. Then I tried to find a better solution on the mailing list. There are some solutions there, but they are not appropriate for us as they require patching the kernel, like esfq, routehat, wrr. Is there any suggestion?

Thanks

Note: sorry for my poor English.

Taylan

-------------- next part -------------- Skipped content of type multipart/related

From surda at shurdix.com Fri Oct 14 13:12:56 2005
From: surda at shurdix.com (Peter Surda) Date: Fri Oct 14 13:13:23 2005 Subject: [LARTC] share bandwidth fairly In-Reply-To: <20051014T140120Z_DF7D00090000@ku.edu.tr> Message-ID: <200591413125618601@mail.routehat.org>

On Fri, 14 Oct 2005 14:01:20 +0300 "TAYLAN KIRAN" wrote:
>Dear members,

Hi,

> I am trying to share the bandwith for all users fairly. because some users
>heavily uses p2p programs and a few hosts consume most of bandwith. when we
>limit each flow it does not work as one client has many connection at same
>time.

Ideal for this situation is WRR ( http://wipl-wrr.sourceforge.net/wrr.html ). If you are looking for an integrated solution, see my signature.

>Taylan

Yours sincerely, Peter
-- http://www.shurdix.org - Linux distribution for routers and firewalls

From tkiran at ku.edu.tr Fri Oct 14 13:35:31 2005 From: tkiran at ku.edu.tr (TAYLAN KIRAN) Date: Fri Oct 14 13:34:26 2005 Subject: [LARTC] share bandwidth fairly Message-ID: <20051014T143531Z_DF7D00090000@ku.edu.tr>

Thank you for your answer. I downloaded shurdix and tried to install it, but it is really not user friendly. It was difficult for me to install it. After installation I saw that all files are read only. I changed the rights but I still couldn't edit the files. Also I have many scripts running on my box, so it is not easy for me to change the system. Also, as I said, I don't want to patch the kernel and recompile it. I checked the forum for shurdix; there isn't any support in English. The system is as follows:

2.6.9-1.667smp #1 SMP Tue Nov 2 14:59:52 EST 2004 i686 i686 i386 GNU/Linux

I use only one network device. I saw the tc.sh script. As I see it, it is not applicable to unpatched kernels like mine.

-------------- next part -------------- Skipped content of type multipart/related

From support8 at greatlakes.net Fri Oct 14 14:53:15 2005
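Taylan's set-up adds one `match ip dst` filter per host, which tc evaluates in sequence; Jason's reply earlier in this archive mentions that installations with thousands of hosts had to move to u32 hash tables for the same reason. The following is an added example (not code from either thread) that generates the tc commands for one HTB class per host in a /24 together with a 256-bucket u32 hash table keyed on the last octet of the destination address, so each packet is checked against the rules in one bucket instead of the whole list. It prints the commands rather than running them; the device, subnet, rates, priority and table handle are constructed for the example.

```python
"""Per-host HTB classes selected through a u32 hash table.

Added example, not code from the thread. Generates tc commands (does not run
them) for one class per IP in a /24, with a 256-bucket u32 hash table keyed
on the last octet of the destination IP instead of a linear list of filters.
Device, subnet, rates, priority and table handle are constructed.
"""
import ipaddress


def hashed_per_host_commands(dev: str, subnet: str, rate_kbit: int,
                             parent: str = "1:1", table: int = 2, prio: int = 5):
    """Return the tc command lines, in the order they must be applied."""
    net = ipaddress.ip_network(subnet)
    if net.prefixlen != 24:
        raise ValueError("the hash key below is the last octet, so use a /24")
    cmds = [
        # A u32 hash table with 256 buckets; `table`: is its handle.
        f"tc filter add dev {dev} parent 1:0 prio {prio} handle {table}: "
        f"protocol ip u32 divisor 256",
        # One filter in the root table (800:) sends packets for the subnet into
        # it, using the low byte of the destination IP (offset 16) as bucket.
        f"tc filter add dev {dev} parent 1:0 prio {prio} protocol ip u32 ht 800:: "
        f"match ip dst {net} hashkey mask 0x000000ff at 16 link {table}:",
    ]
    for host in net.hosts():
        last = int(host) & 0xFF
        # Class ids are hexadecimal; minor 0x101..0x1fe stays clear of 1:1.
        classid = f"1:{0x100 + last:x}"
        cmds.append(f"tc class add dev {dev} parent {parent} classid {classid} "
                    f"htb rate {rate_kbit}kbit ceil {rate_kbit}kbit")
        # Only bucket `last` of the table is consulted for this host, so a
        # packet is compared against one rule, not one per customer.
        cmds.append(f"tc filter add dev {dev} parent 1:0 prio {prio} protocol ip u32 "
                    f"ht {table}:{last:x}: match ip dst {host}/32 flowid {classid}")
    return cmds


if __name__ == "__main__":
    for line in hashed_per_host_commands("eth0", "10.0.0.0/24", 128):
        print(line)
```

The commands assume a root `htb` qdisc with handle `1:` and a parent class `1:1` already exist, as in Taylan's script. Hosts not listed fall through to the qdisc's default class, so the default should be a class that actually exists.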
From: support8 at greatlakes.net (Eliot, Wireless and Server Administrator, Great Lakes Internet) Date: Fri Oct 14 14:59:47 2005 Subject: [LARTC] HFSC Advanced Limiting Message-ID: <0633E0EDB4F25F43A2D7179CA11FAFAB04B538@xavier.staff.greatlakes.net>

So, then you're saying 1:10001 is equivalent to 110,001, which would be 0x1ADB1 -- as opposed to 10,001 = 0x2711 ?

Eliot Gable
Certified Wireless Network Administrator
Cisco Certified Network Associate
CompTIA Security+ Certified
CompTIA Network+ Certified
Network and Systems Administrator
Great Lakes Internet, Inc.
112 North Howard
Croswell, MI 48422
810-679-3395

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl on behalf of Tomasz Chilinski Sent: Thu 10/13/2005 4:57 PM To: lartc Subject: RE: [LARTC] HFSC Advanced Limiting On Thu, 13 Oct 2005 16:24:06 -0400, Eliot wrote > Oddly, I keep getting these errors: > > parent 1:1000 classid 1:10000 hfsc sc umax 1500b dmax 30ms rate 80Kbit... > RTNETLINK answers: File exists > [ !! ] * - tc > class add dev eth0 parent 1:1000 classid 1:10001 hfsc ls m2 256Kbit > ul m2 256Kbit... RTNETLINK answers: File exists Classid should be in range 0x0000-0xFFFF, so it's cause of problem in this script snippet. > Eliot Gable > Certified Wireless Network Administrator > Cisco Certified Network Associate > CompTIA Security+ Certified > CompTIA Network+ Certified > Network and Systems Administrator > Great Lakes Internet, Inc. > 112 North Howard > Croswell, MI 48422 > 810-679-3395 -- Kind regards, Tomasz Chilinski RHCX, RHCE, RedHat Academy Instructor Cisco Certified Academy Instructor LMS developer: http://lms.rulez.pl Kadu developer: http://www.kadu.net Director of Chilan.com network engineering department _______________________________________________ LARTC mailing list LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20051014/189c419a/attachment.html From nikky at mnet.bg Fri Oct 14 15:07:01 2005 
From: nikky at mnet.bg (Nickola Kolev) Date: Fri Oct 14 15:07:09 2005 Subject: [LARTC] HFSC Advanced Limiting In-Reply-To: <0633E0EDB4F25F43A2D7179CA11FAFAB04B538@xavier.staff.greatlakes.net> References: <0633E0EDB4F25F43A2D7179CA11FAFAB04B538@xavier.staff.greatlakes.net> Message-ID: <20051014160701.16823d16.nikky@mnet.bg> Hello, On Fri, 14 Oct 2005 08:53:15 -0400 "Eliot, Wireless and Server Administrator, Great Lakes Internet" wrote: > > So, then you're saying 1:10001 is equivilant to 110,001, which would > be 0x1ADB1 -- as opposed to 10,001 = 0x2711 ? Nope, what he meant was that most probably 1:10001 is recognised as 1:1000 (i.e. the 1 at the end is just cut off). Regards, Nickola -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20051014/6529aa87/attachment.pgp From ethy.brito at inexo.com.br Fri Oct 14 15:09:19 2005 
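An added example (not code from the thread) that makes Tomasz Chilinski's point concrete: tc reads both halves of a class id as hexadecimal and each must fit in 16 bits, so `1:10000` is not a representable class at all. The second function shows one way to derive ids for thousands of customers with a few subclasses each without leaving that range: the customer index occupies the upper 12 bits of the minor and the subclass the low 4 bits. The bit split and the subclass names are this example's choice, not anything from the posted script.

```python
"""tc class ids are two 16-bit hexadecimal fields, major:minor.

Added example, not from the thread. `parse_classid` mirrors the constraint
stated in the replies (each half in 0x0000-0xFFFF, written in hex) and
`customer_classids` packs a customer index and a subclass number into the
minor so that no id ever exceeds the field. The 12/4 bit split is an
assumption of this example.
"""

FIELD_MAX = 0xFFFF


def parse_classid(text):
    """Parse 'major:minor' as tc does: both numbers are hexadecimal."""
    major, sep, minor = text.partition(":")
    if not sep:
        raise ValueError(f"{text!r}: expected major:minor")
    maj = int(major, 16) if major else 0
    mn = int(minor, 16) if minor else 0
    if maj > FIELD_MAX or mn > FIELD_MAX:
        raise ValueError(f"{text!r}: each field must fit in 16 bits (max ffff)")
    return maj, mn


def format_classid(major, minor):
    """Render a class id the way tc expects it, in lowercase hex."""
    if not (0 <= major <= FIELD_MAX and 0 <= minor <= FIELD_MAX):
        raise ValueError("class id field out of range")
    return f"{major:x}:{minor:x}"


def customer_classids(major, customer, subclasses=("voip", "p2p", "gen")):
    """Ids for one customer's parent class and its leaf subclasses.

    Customer index 1..4095 goes in the top 12 bits of the minor, subclass
    1..15 in the low 4 bits; subclass 0 is the customer's parent class.
    """
    if not 1 <= customer <= 0xFFF:
        raise ValueError("customer index must be 1..4095 for a 12/4 bit split")
    if len(subclasses) > 15:
        raise ValueError("at most 15 subclasses fit in 4 bits (0 is the parent)")
    base = customer << 4
    ids = {"parent": format_classid(major, base)}
    for i, name in enumerate(subclasses, start=1):
        ids[name] = format_classid(major, base | i)
    return ids


if __name__ == "__main__":
    print(parse_classid("1:ffff"))            # (1, 65535)
    print(customer_classids(1, 1000))         # 1:3e80 and 1:3e81..1:3e83
    try:
        parse_classid("1:10000")
    except ValueError as err:
        print("rejected:", err)
```

Applied to the posted script: `PIPEID=1000` is already hex (0x1000, 4096 decimal), and appending a digit makes 0x10000, which needs 17 bits. With the packing above, customer 1000 gets `1:3e80` as its pipe and `1:3e81`, `1:3e82`, `1:3e83` as leaves, and a single major handle holds 4095 customers; beyond that you need a second qdisc (for example one per interface, as the script already does) or a different split.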
From: ethy.brito at inexo.com.br (Ethy H. Brito) Date: Fri Oct 14 15:09:25 2005 Subject: [LARTC] tc filter not filtering -or- what am I doing wrong? Message-ID: <20051014100919.289c3e82@pulsar.inexo.com.br>

Dear All

I am trying a very simple set up: (a bit long message follows)

#Flush previous definitions
$TC qdisc del dev $VVNET root >&/dev/null
$TC qdisc del dev $INTERNET root >&/dev/null
$IPT -t mangle -D PREROUTING -i $INTERNET -d 200.231.56.0/24 -j IMQ --todev 0

# Mother of all disciplines
$TC qdisc add dev $VVNET root handle 1: htb default FFFF r2q 1
$TC qdisc add dev $INTERNET root handle 1: htb default FFFF r2q 1

#Master Class - outputs to local radio network and internet
$TC class add dev $VVNET parent 1: classid 1:1 htb rate 256Kbit ceil 256Kbit
$TC class add dev $INTERNET parent 1: classid 1:1 htb rate 256Kbit ceil 256Kbit

#Everything coming from internet to the clients goes thru IMQ
$IPT -t mangle -A PREROUTING -i $INTERNET -d 1.2.3.0/24 -j IMQ --todev 0
$IP link set imq0 up

#Ping classes
$TC class add dev $INTERNET parent 1:1 classid 1:22 htb \
    rate 100Kbit ceil 100Kbit
$TC class add dev $VVNET parent 1:1 classid 1:22 htb \
    rate 100Kbit ceil 100Kbit

So far no news! Let's try some filtering:

$TC filter add dev $VVNET protocol ip \
    parent 1:0 prio 2 u32 \
    match ip icmp_type 0 0xff flowid 1:22
$TC filter add dev $VVNET protocol ip \
    parent 1:0 prio 2 u32 \
    match ip icmp_type 8 0xff flowid 1:22
$TC filter add dev $INTERNET protocol ip \
    parent 1:0 prio 2 u32 \
    match ip icmp_type 0 0xff flowid 1:22
$TC filter add dev $INTERNET protocol ip \
    parent 1:0 prio 2 u32 \
    match ip icmp_type 8 0xff flowid 1:22

What do I mean!? Every single icmp (request or reply) goes thru its own class. But if I ping the $INTERNET interface address (from outside), the 'tc -s class show dev $INTERNET' counter for class 1:22 doesn't increment! (pings do get replied). There is sometimes something passing thru 1:22 but it is certainly not the icmp packets I am filtering.
For the records: the default class 1:ffff counter is NOT incrementing as well.

What is wrong with my setup??

# tc filter ls dev eth3        ($INTERNET is eth3)
filter parent 1: protocol ip pref 2 u32
filter parent 1: protocol ip pref 2 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 2 u32 fh 800::800 order 2048 key ht 800 \
  bkt 0 flowid 1:22
  match 00000000/ff000000 at 20
filter parent 1: protocol ip pref 2 u32 fh 800::801 order 2049 key ht 800 \
  bkt 0 flowid 1:22
  match 08000000/ff000000 at 20

(BTW this offset 'at 20', is it decimal or hex??? 'tc add filter' put it
there, not me.)

# tc -s class show dev eth3 |head -5 ; echo sleeping 5 seconds; \
  sleep 5 ; tc -s class show dev eth3 |head -5
class htb 1:22 parent 1:1 prio 0 rate 100Kbit ceil 100Kbit \
  burst 1727b cburst 1727b
 Sent 44408169 bytes 58800 pkts (dropped 0, overlimits 0)
 lended: 58800 borrowed: 0 giants: 0
 tokens: 105984 ctokens: 105984

sleeping 5 seconds
class htb 1:22 parent 1:1 prio 0 rate 100Kbit ceil 100Kbit \
  burst 1727b cburst 1727b
 Sent 44408169 bytes 58800 pkts (dropped 0, overlimits 0)
 lended: 58800 borrowed: 0 giants: 0
 tokens: 105984 ctokens: 105984
#

Thanx for your time

Regards

-- 
Ethy H. Brito          /"\
InterNexo Ltda.        \ /  CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
+55 (12) 3941-6860      X   ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
S.J.Campos - Brasil    / \

From chilek at chilan.com Fri Oct 14 15:12:39 2005
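How the u32 selectors in the `tc filter ls` output above are evaluated, as an added example that is not part of the original post: each `match VALUE/MASK at OFFSET` loads the 32-bit word OFFSET bytes (decimal, which is how tc prints it) from the start of the IP header, masks it and compares it with the value. The packets below are constructed; the second filter set additionally carries the selector tc derives from `match ip protocol 1 0xff` (IP protocol byte 9, inside the word at offset 8), to show what pinning a match to the IP protocol changes.

```python
import struct

def parse_selector(text):
    """Parse one selector as `tc filter ls` prints it, e.g.
    'match 00000000/ff000000 at 20' -> (value, mask, offset).
    Value and mask are hexadecimal; the offset is decimal."""
    parts = text.split()
    if len(parts) != 4 or parts[0] != "match" or parts[2] != "at":
        raise ValueError(f"unrecognised selector: {text!r}")
    value, mask = (int(x, 16) for x in parts[1].split("/"))
    return value, mask, int(parts[3], 10)

def selector_matches(packet, selector):
    """u32 semantics: load the big-endian 32-bit word at `offset` bytes from
    the start of the IP header, AND it with the mask, compare to the value."""
    value, mask, offset = selector
    if offset + 4 > len(packet):
        return False
    (word,) = struct.unpack_from("!I", packet, offset)
    return (word & mask) == value

def classify(packet, filters, default="1:ffff"):
    """Walk the filters in order; a filter matches only when all of its
    selectors match. Returns the flowid, or the qdisc's default class."""
    for selectors, flowid in filters:
        if all(selector_matches(packet, parse_selector(s)) for s in selectors):
            return flowid
    return default

# --- constructed packets (addresses from the documentation ranges) ---

def ipv4_packet(proto, payload, ttl=64):
    """IPv4 header without options, so the transport header starts at byte 20.
    The checksum is left zero because nothing here verifies it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + payload

def icmp(icmp_type):
    """ICMP header: type, code 0, checksum 0, identifier 1, sequence 1."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)

def tcp(sport, dport):
    """Minimal 20-byte TCP header: ports, seq, ack, data offset 5, SYN, window."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)

# The two selectors from the post, i.e. what tc emitted for
# 'match ip icmp_type 0 0xff' and 'match ip icmp_type 8 0xff'.
FILTERS_FROM_POST = [
    (["match 00000000/ff000000 at 20"], "1:22"),
    (["match 08000000/ff000000 at 20"], "1:22"),
]

# The same filters with a protocol selector in front: the word at byte 8
# masked to byte 9 (the IP protocol field) must equal 1 (ICMP).
FILTERS_WITH_PROTO = [
    (["match 00010000/00ff0000 at 8", "match 00000000/ff000000 at 20"], "1:22"),
    (["match 00010000/00ff0000 at 8", "match 08000000/ff000000 at 20"], "1:22"),
]

ECHO_REQUEST = ipv4_packet(1, icmp(8))
ECHO_REPLY = ipv4_packet(1, icmp(0))
HTTP_REPLY = ipv4_packet(6, tcp(80, 40000))       # byte 20 = high byte of sport 80 = 0x00
TCP_FROM_2048 = ipv4_packet(6, tcp(2048, 40000))  # sport 0x0800: byte 20 is 0x08
TCP_FROM_4000 = ipv4_packet(6, tcp(4000, 80))     # sport 0x0fa0: byte 20 is 0x0f

if __name__ == "__main__":
    for name, pkt in [("echo request", ECHO_REQUEST), ("echo reply", ECHO_REPLY),
                      ("tcp sport 80", HTTP_REPLY), ("tcp sport 2048", TCP_FROM_2048),
                      ("tcp sport 4000", TCP_FROM_4000)]:
        print(f"{name:15s} post filters -> {classify(pkt, FILTERS_FROM_POST):7s} "
              f"with protocol selector -> {classify(pkt, FILTERS_WITH_PROTO)}")
```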
From: chilek at chilan.com (Tomasz Chilinski)
Date: Fri Oct 14 15:12:51 2005
Subject: [LARTC] HFSC Advanced Limiting
In-Reply-To: <0633E0EDB4F25F43A2D7179CA11FAFAB04B538@xavier.staff.greatlakes.net>
References: <0633E0EDB4F25F43A2D7179CA11FAFAB04B538@xavier.staff.greatlakes.net>
Message-ID: <20051014130531.M16417@chilan.com>

On Fri, 14 Oct 2005 08:53:15 -0400, Eliot, Wireless and Server Administrator, Great Lakes Internet wrote
> So, then you're saying 1:10001 is equivalent to 110,001, which would
> be 0x1ADB1 -- as opposed to 10,001 = 0x2711 ?

I would like to say that classids are not decimal numbers but hexadecimal,
i.e. if you've got decimal class number 65535 you should write it down in
the tc command as FFFF.

I hope now it's clear ;-)

-- 
Kind regards,
Tomasz Chilinski
RHCX, RHCE, RedHat Academy Instructor
Cisco Certified Academy Instructor
LMS developer: http://lms.rulez.pl
Kadu developer: http://www.kadu.net
Director of Chilan.com network engineering department

From support8 at greatlakes.net Fri Oct 14 15:14:25 2005
From: support8 at greatlakes.net (Eliot, Wireless and Server Administrator, Great Lakes Internet)
Date: Fri Oct 14 15:18:40 2005
Subject: [LARTC] HFSC Advanced Limiting
Message-ID: <0633E0EDB4F25F43A2D7179CA11FAFAB04B539@xavier.staff.greatlakes.net>

Thank you. That did solve my problem. My previous question still stands, though.

Eliot Gable
Certified Wireless Network Administrator
Cisco Certified Network Associate
CompTIA Security+ Certified
CompTIA Network+ Certified
Network and Systems Administrator
Great Lakes Internet, Inc.
112 North Howard
Croswell, MI 48422
810-679-3395

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl on behalf of Tomasz Chilinski
Sent: Thu 10/13/2005 4:57 PM
To: lartc
Subject: RE: [LARTC] HFSC Advanced Limiting

On Thu, 13 Oct 2005 16:24:06 -0400, Eliot wrote
> Oddly, I keep getting these errors:
>
> parent 1:1000 classid 1:10000 hfsc sc umax 1500b dmax 30ms rate 80Kbit...
> RTNETLINK answers: File exists
> [ !! ] * - tc
> class add dev eth0 parent 1:1000 classid 1:10001 hfsc ls m2 256Kbit
> ul m2 256Kbit... RTNETLINK answers: File exists

Classid should be in range 0x0000-0xFFFF, so that's the cause of the problem
in this script snippet.

-- 
Kind regards,
Tomasz Chilinski
RHCX, RHCE, RedHat Academy Instructor
Cisco Certified Academy Instructor
LMS developer: http://lms.rulez.pl
Kadu developer: http://www.kadu.net
Director of Chilan.com network engineering department

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From norbi.lists at nix.hu Thu Oct 13 20:28:36 2005
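The classid rule from this thread (handles are hexadecimal, each half limited to 0x0000-0xFFFF) in code, as an added example that is not part of the original messages: a parser modelled on the handle parsing in iproute2's tc, plus a constructed script check. The script lines are constructed for the example (the 1:10000 and 1:10001 lines mirror the quoted error), and check_script is an assumed helper, not a tc feature.

```python
import re

CLASSID_RE = re.compile(r"\bclassid\s+(\S+)")

def parse_handle(text):
    """Parse a tc handle 'major:minor' into the 32-bit value the kernel stores,
    following the rule tc applies: both halves are hexadecimal and each must
    fit in 16 bits. 'root', a bare 'major:' and a plain hex number (taken as
    the whole handle) are accepted as tc accepts them."""
    if text == "root":
        return 0xFFFFFFFF            # TC_H_ROOT
    major_s, sep, minor_s = text.partition(":")
    if not sep:
        return int(major_s, 16)      # no colon: the number is the full handle
    major = int(major_s, 16) if major_s else 0
    minor = int(minor_s, 16) if minor_s else 0
    if major >= 1 << 16 or minor >= 1 << 16:
        raise ValueError(f"{text!r}: major and minor are each 16 bits (0-ffff); "
                         f"the largest minor is ffff, so 1:10001 is out of range")
    return (major << 16) | minor

def format_handle(handle):
    """Render a 32-bit handle the way tc prints it (hex, no padding)."""
    return f"{handle >> 16:x}:{handle & 0xFFFF:x}"

def is_valid_handle(text):
    try:
        parse_handle(text)
        return True
    except ValueError:
        return False

def check_script(lines):
    """Scan 'tc class add' lines and report (line number, problem) for every
    classid tc would reject and every classid added a second time; tc class
    add refuses to re-create a class that already exists."""
    seen = {}
    errors = []
    for lineno, line in enumerate(lines, 1):
        if " class add " not in line:
            continue
        m = CLASSID_RE.search(line)
        if not m:
            errors.append((lineno, "class add without classid"))
            continue
        text = m.group(1)
        try:
            handle = parse_handle(text)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        if handle in seen:
            errors.append((lineno, f"{text} already added on line {seen[handle]}"))
        else:
            seen[handle] = lineno
    return errors

# Constructed script in the style of the quoted one (assumed values).
SAMPLE_SCRIPT = [
    "tc qdisc add dev eth0 root handle 1: hfsc default 1",
    "tc class add dev eth0 parent 1:0 classid 1:1 hfsc ls m2 100Mbit ul m2 100Mbit",
    "tc class add dev eth0 parent 1:0 classid 1:1000 hfsc ls m2 768Kbit ul m2 768Kbit",
    "tc class add dev eth0 parent 1:1000 classid 1:10000 hfsc sc umax 1500b dmax 30ms rate 80Kbit",
    "tc class add dev eth0 parent 1:1000 classid 1:10001 hfsc ls m2 256Kbit ul m2 256Kbit",
    "tc class add dev eth0 parent 1:1000 classid 1:300 hfsc ls m2 256Kbit ul m2 256Kbit",
    "tc class add dev eth0 parent 1:1000 classid 1:300 hfsc ls m2 256Kbit ul m2 256Kbit",
]

if __name__ == "__main__":
    for lineno, problem in check_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: {problem}")
    print("65535 decimal is written as", format_handle(parse_handle("1:FFFF")))
```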
From: norbi.lists at nix.hu (BUCHMULLER Norbert)
Date: Fri Oct 14 15:29:11 2005
Subject: [LARTC] VPN through PPP
In-Reply-To: <434BB2AA.1040206@4dllc.com>
References: <434BB2AA.1040206@4dllc.com>
Message-ID: <20051013202836.2d17a142.norbi.lists@nix.hu>

On Tue, 11 Oct 2005 14:40:10 +0200 Steve Comfort wrote:

Hi,

I can't understand your diagram as well. :-(

Let's suppose you have 2 hosts, host A and host B, each has an outer
("public") and an inner ("local") interface. The outer interfaces have the
IP addresses Apub and Bpub respectively, and the inner networks have the
address spaces Aloc and Bloc, respectively. Also we make use of another pair
of IP addresses, for the tunnel interfaces (10.10.10.1 and 10.10.10.2). Then
the right commands would be:

host A:
ip tunnel add net0 mode gre remote local
ip address add 10.10.10.1/32 dev net0
ip link set net0 up
ip route add dev net0

host B:
ip tunnel add net0 mode gre remote local
ip address add 10.10.10.2/32 dev net0
ip link set net0 up
ip route add dev net0

If the tunnel works, you can ping 10.10.10.2 from host A (and 10.10.10.1
from host B); if the routing works also, you can ping the other inner
network from each host.

> I do have a firewall, configured to do NAT on the PPP interface. I have
> also tried excluding the destination addresses from being NAT'd but this
> didn't make any difference.

Just a quick question: you do not filter out GRE (IP protocol 47) on the
firewall? (NATing GRE is a bad idea as well - it does not work AFAIK.)

And don't forget that the GRE tunnel transmits all the traffic unencrypted,
so only use it on a trusted network. (Not even on that. :-)

norbi

From support8 at greatlakes.net Fri Oct 14 15:56:44 2005
From: support8 at greatlakes.net (Eliot, Wireless and Server Administrator, Great Lakes Internet)
Date: Fri Oct 14 16:00:42 2005
Subject: [LARTC] TC Output Redirection
Message-ID: <0633E0EDB4F25F43A2D7179CA11FAFAB04B53A@xavier.staff.greatlakes.net>

Ok, this is a rather large annoyance... How do you redirect the error
output for TC? It does not seem to use any of the standard file descriptors
(like STDOUT or STDERR) for error output. I have tried:

tc 2>&1 1>/dev/null
tc 3>&1 2>&1 1>/dev/null
etc

No matter what I do, I cannot seem to redirect the output. Anyone have any
suggestions?

Thanks.

Eliot Gable
Certified Wireless Network Administrator
Cisco Certified Network Associate
CompTIA Security+ Certified
CompTIA Network+ Certified
Network and Systems Administrator
Great Lakes Internet, Inc.
112 North Howard
Croswell, MI 48422
810-679-3395

From unki at netshadow.at Fri Oct 14 17:12:12 2005
From: unki at netshadow.at (Andreas Unterkircher)
Date: Fri Oct 14 17:12:14 2005
Subject: [LARTC] TC Output Redirection
In-Reply-To: <0633E0EDB4F25F43A2D7179CA11FAFAB04B53A@xavier.staff.greatlakes.net>
References: <0633E0EDB4F25F43A2D7179CA11FAFAB04B53A@xavier.staff.greatlakes.net>
Message-ID: <434FCACC.2050906@netshadow.at>

Basic shell... first the target then the assignments. So

tc 1>/dev/null 2>&1

Eliot, Wireless and Server Administrator, Great Lakes Internet wrote:
>
> Ok, this is a rather large annoyance... How do you redirect the error
> output for TC? It does not seem to use any of the standard file
> descriptors (like STDOUT or STDERR) for error output. I have tried:
>
> tc 2>&1 1>/dev/null
> tc 3>&1 2>&1 1>/dev/null
> etc
>
> No matter what I do, I cannot seem to redirect the output. Anyone have
> any suggestions?
>
> Thanks.
>
> Eliot Gable

From support8 at greatlakes.net Fri Oct 14 18:18:22 2005
From: support8 at greatlakes.net (Eliot, Wireless and Server Administrator, Great Lakes Internet)
Date: Fri Oct 14 18:22:18 2005
Subject: [LARTC] HFSC Advanced Limiting
Message-ID: <0633E0EDB4F25F43A2D7179CA11FAFAB04B53B@xavier.staff.greatlakes.net>

Ok, my incoming mail is not working right now, so I don't know who has
responded to my posts, or if anyone has.

I have figured out how to trap the TC output and redirect it to a file
(finally) by using 'tc &>/file'.

Also, it occurred to me that the 0xFFFF limit might actually mean 0xF:0xFFF
for the class IDs. Is that correct?

I have made some pretty big changes to my script. Now, I seem to be having
issues with deleting classes I added. See the output below for details.

bash-2.05b# ./qos start
 * Stopping QoS ruleset...
 *  - tc qdisc del dev eth0 root...  [ ok ]
 *  - tc qdisc del dev eth1 root...  [ ok ]
 * Starting bandwidth management on interfaces ...
 *  - Creating qdiscs on interfaces ...
 *  - tc qdisc add dev eth0 root handle 1: hfsc default 1...  [ ok ]
 *  - tc class add dev eth0 parent 1:0 classid 1:1 hfsc ls m2 100Mbit ul m2 100Mbit...  [ ok ]
 *  - tc qdisc add dev eth1 root handle 2: hfsc default 1...  [ ok ]
 *  - tc class add dev eth1 parent 2:0 classid 2:1 hfsc ls m2 100Mbit ul m2 100Mbit...  [ ok ]
 * Starting bandwidth management for test ...
 *  - Creating classes on eth0 for upload control ...
 *  - tc class add dev eth0 parent 1:0 classid 1:300 hfsc ls m1 768Kbit d 2000ms m2 256Kbit ul m2 768Kbit...  [ ok ]
 *  - tc class add dev eth0 parent 1:300 classid 1:301 hfsc sc umax 1500b dmax 30ms rate 80Kbit...  [ ok ]
 *  - tc class add dev eth0 parent 1:300 classid 1:302 hfsc ls m2 256Kbit ul m2 256Kbit...  [ ok ]
 *  - tc class add dev eth0 parent 1:300 classid 1:303 hfsc rt m2 168Kbit ls m2 768Kbit ul m2 768Kbit...  [ ok ]
 *  - Creating classes on eth1 for download control ...
 *  - tc class add dev eth1 parent 2:0 classid 2:300 hfsc ls m1 1500Kbit d 2000ms m2 384Kbit ul m2 1500Kbit...  [ ok ]
 *  - tc class add dev eth1 parent 2:300 classid 2:301 hfsc sc umax 1500b dmax 30ms rate 80Kbit...  [ ok ]
 *  - tc class add dev eth1 parent 2:300 classid 2:302 hfsc ls m2 384Kbit ul m2 384Kbit...  [ ok ]
 *  - tc class add dev eth1 parent 2:300 classid 2:303 hfsc rt m2 384Kbit ls m2 1500Kbit ul m2 1500Kbit...  [ ok ]

bash-2.05b# QOSUSER="test" ./qos stop
 * Stopping bandwidth management for test ...
 *  - Deleting classes on eth0 for upload control ...
 *  - tc class del dev eth0 parent 1:300 classid 1:301 hfsc sc umax 1500b dmax 30ms rate 80Kbit...  [ ok ]
 *  - tc class del dev eth0 parent 1:300 classid 1:302 hfsc ls m2 256Kbit ul m2 256Kbit...  [ ok ]
 *  - tc class del dev eth0 parent 1:300 classid 1:303 hfsc rt m2 168Kbit ls m2 768Kbit ul m2 768Kbit...  [ ok ]
 *  - tc class del dev eth0 parent 1:0 classid 1:300 hfsc ls m1 768Kbit d 2000ms m2 256Kbit ul m2 768Kbit...
 * >>>>> RTNETLINK answers: Device or resource busy  [ !! ]
 *  - Deleting classes on eth1 for download control ...
 *  - tc class del dev eth1 parent 2:300 classid 2:301 hfsc sc umax 1500b dmax 30ms rate 80Kbit...  [ ok ]
 *  - tc class del dev eth1 parent 2:300 classid 2:302 hfsc ls m2 384Kbit ul m2 384Kbit...  [ ok ]
 *  - tc class del dev eth1 parent 2:300 classid 2:303 hfsc rt m2 384Kbit ls m2 1500Kbit ul m2 1500Kbit...  [ ok ]
 *  - tc class del dev eth1 parent 2:0 classid 2:300 hfsc ls m1 1500Kbit d 2000ms m2 384Kbit ul m2 1500Kbit...
 * >>>>> RTNETLINK answers: Device or resource busy  [ !! ]

Thanks again for any help.

Eliot Gable
Certified Wireless Network Administrator
Cisco Certified Network Associate
CompTIA Security+ Certified
CompTIA Network+ Certified
Network and Systems Administrator
Great Lakes Internet, Inc.
112 North Howard
Croswell, MI 48422
810-679-3395

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl on behalf of Tomasz Chilinski
Sent: Thu 10/13/2005 4:57 PM
To: lartc
Subject: RE: [LARTC] HFSC Advanced Limiting

On Thu, 13 Oct 2005 16:24:06 -0400, Eliot wrote
> Oddly, I keep getting these errors:
>
> parent 1:1000 classid 1:10000 hfsc sc umax 1500b dmax 30ms rate 80Kbit...
> RTNETLINK answers: File exists
> [ !! ] * - tc
> class add dev eth0 parent 1:1000 classid 1:10001 hfsc ls m2 256Kbit
> ul m2 256Kbit... RTNETLINK answers: File exists

Classid should be in range 0x0000-0xFFFF, so that's the cause of the problem
in this script snippet.

-- 
Kind regards,
Tomasz Chilinski

From gregoriandres at yahoo.com.ar Sat Oct 15 03:26:31 2005
From: gregoriandres at yahoo.com.ar (LinuXKiD)
Date: Sat Oct 15 03:26:43 2005
Subject: [LARTC] esfq ? or wrr ?
Message-ID:

Hi

If I have a HTB class with 128kbit, and I want to put "N" users in that
class (in order to share bandwidth fairly), which is better for me? esfq
(hash dst) or wrr?

I would attach esfq or wrr to the HTB parent class.

Also I've read in Jim's script that over WRR a RED qdisc is put, but I
don't understand it.

bests

andres

From imipak at yahoo.com Sat Oct 15 08:15:33 2005
From: imipak at yahoo.com (Jonathan Day)
Date: Sat Oct 15 08:15:40 2005
Subject: [LARTC] esfq ? or wrr ?
In-Reply-To:
Message-ID: <20051015061533.90776.qmail@web31510.mail.mud.yahoo.com>

I think it depends on the type of traffic you're expecting from the
different users. If you're expecting very similar patterns of behaviour,
then my guess would be ESFQ would be the better.

If, on the other hand, the network load is going to shift over time,
between the users, then WRR would seem the more logical choice.

You might also want to look at HFSC (Hierarchical Fair Service Curve) -
it's possible you might be able to get what you want from the single
algorithm, rather than piping through several. The fewer layers you have,
the less latency you'll introduce. HFSC also has the advantage that it is
standard in the kernel, so likely has better testing.

ESFQ and WRR have been forward-ported, well, sometimes, but only the
combined -qos patch seems to be current - the individual patches don't seem
to be maintained at all.

I would like to see the patches cleaned up (as necessary) then submitted
for merging into the mainstream kernel. Linux' QoS code is in frankly
horrible shape at the moment, so anything that stirred interest in it would
almost have to be a good thing, even if the patches themselves didn't get
included any time soon.

--- LinuXKiD wrote:
> Hi
>
> If I have a HTB class with 128kbit, and I want to
> put "N" users in that class ( in order to share
> bandwidth fairly ) ,
>
> which is better for me ? esfq (hash dst) or wrr ?
>
> I would attach esfq or wrr to HTB parent class.
>
> Also I've read in Jim's script that over WRR a
> RED qdisc is put, but I don't understand it.
>
> bests
>
> andres
From bugfood-ml at fatooh.org Sat Oct 15 09:06:34 2005
From: bugfood-ml at fatooh.org (Corey Hickey)
Date: Sat Oct 15 09:06:40 2005
Subject: [LARTC] esfq ? or wrr ?
In-Reply-To: <20051015061533.90776.qmail@web31510.mail.mud.yahoo.com>
References: <20051015061533.90776.qmail@web31510.mail.mud.yahoo.com>
Message-ID: <4350AA7A.5080207@fatooh.org>

Jonathan Day wrote:
> ESFQ and WRR have been forward-ported, well,
> sometimes, but only the combined -qos patch seems to
> be current - the individual patches don't seem to be
> maintained at all.

I still maintain ESFQ; the latest version is at:
http://fatooh.org/esfq-2.6/

These days there hasn't been much to do; as far as I know the patches I
made on 2005-03-31 still work fine with the latest kernel and iproute2. I
just put a note about that on my ESFQ page.

> I would like to see the patches cleaned up (as
> necessary) then submitted for merging into the
> mainstream kernel. Linux' QoS code is in frankly
> horrible shape at the moment, so anything that stirred
> interest in it would almost have to be a good thing,
> even if the patches themselves didn't get included any
> time soon.

That would be nice. One or two other people have approached me about trying
to get ESFQ merged, but I just haven't gotten around to it. When I've
finished my current project I'll get in touch with Stephen Hemminger and
see what must be done to get the iproute2 patch merged, and then take it
from there.

This would be an appropriate time to ask:
Does anybody have any fixes for or improvements to ESFQ that I don't know
about? My patch doesn't have anything revolutionary -- I've been merely
keeping Alexander Clouter's 2.6 port in sync with the upstream changes to
SFQ.

-Corey

From rkurjata at ire.pw.edu.pl Sat Oct 15 10:16:39 2005
From: rkurjata at ire.pw.edu.pl (Robert Kurjata) Date: Sat Oct 15 10:17:03 2005 Subject: [LARTC] esfq ? or wrr ? In-Reply-To: <4350AA7A.5080207@fatooh.org> References: <20051015061533.90776.qmail@web31510.mail.mud.yahoo.com> <4350AA7A.5080207@fatooh.org> Message-ID: <810712028.20051015101639@ire.pw.edu.pl> [cut] CH> This would be an appropriate time to ask: CH> Does anybody have any fixes for or improvements to ESFQ that I don't CH> know about? My patch doesn't have anything revolutionary -- I've been CH> merely keeping Alexander Clouter's 2.6 port in sync with the upstream CH> changes to SFQ. Yes :) Some time ago I needed to do sfq between different users in NAT-ed environment. The users were marked by firewall marks, so I've done a little change to esfq just adding new hash source - nfmark. It was done for iproute2-ss020116 and kernel 2.4.26, so it's a little old. The kernel part is still (I think, not tried) operational. I think it makes esfq more flexible. The patches for individual files are below. -----------KERNEL-PATCH----------- --- sch_esfq.c.old 2004-04-21 18:00:42.000000000 +0200 +++ sch_esfq.c 2004-01-07 21:39:24.000000000 +0100 @@ -117,6 +117,7 @@ { u32 h, h2; u32 hs; + u32 nfm; switch (skb->protocol) { case __constant_htons(ETH_P_IP): @@ -124,6 +125,7 @@ struct iphdr *iph = skb->nh.iph; h = iph->daddr; hs = iph->saddr; + nfm = skb -> nfmark; h2 = hs^iph->protocol; if (!(iph->frag_off&htons(IP_MF|IP_OFFSET)) && (iph->protocol == IPPROTO_TCP || @@ -137,6 +139,7 @@ struct ipv6hdr *iph = skb->nh.ipv6h; h = iph->daddr.s6_addr32[3]; hs = iph->saddr.s6_addr32[3]; + nfm = skb->nfmark; h2 = hs^iph->nexthdr; if (iph->nexthdr == IPPROTO_TCP || iph->nexthdr == IPPROTO_UDP || @@ -148,6 +151,7 @@ h = (u32)(unsigned long)skb->dst; hs = (u32)(unsigned long)skb->sk; h2 = hs^skb->protocol; + nfm = skb->nfmark; } switch(q->hash_kind) { 
@@ -157,6 +161,8 @@ return esfq_hash_u32(q,h); case TCA_SFQ_HASH_SRC: return esfq_hash_u32(q,hs); + case TCA_SFQ_HASH_FWMARK: + return esfq_hash_u32(q,nfm); default: if (net_ratelimit()) printk(KERN_DEBUG "esfq unknown hash method, fallback to classic\n"); --- pkt_sched.h.old 2005-10-15 09:49:10.000000000 +0200 +++ pkt_sched.h 2005-10-15 09:48:31.000000000 +0200 @@ -162,6 +162,7 @@ TCA_SFQ_HASH_CLASSIC, TCA_SFQ_HASH_DST, TCA_SFQ_HASH_SRC, + TCA_SFQ_HASH_FWMARK, }; struct tc_sfq_qopt ------------IPROUTE---------------------- --- q_esfq.c.old 2005-10-15 09:57:08.000000000 +0200 +++ q_esfq.c 2005-10-15 09:51:36.000000000 +0200 @@ -30,7 +30,7 @@ { fprintf(stderr, "Usage: ... esfq [ perturb SECS ] [ quantum BYTES ] [ depth FLOWS ]\n\t[ divisor HASHBITS ] [ limit PKTS ] [ hash HASHTYPE]\n"); fprintf(stderr,"Where: \n"); - fprintf(stderr,"HASHTYPE := { classic | src | dst }\n"); + fprintf(stderr,"HASHTYPE := { classic | src | dst | fwmark }\n"); } #define usage() return(-1) @@ -95,6 +95,9 @@ } else if(strcmp(*argv,"src") == 0) { opt.hash_kind= TCA_SFQ_HASH_SRC; + } else + if(strcmp(*argv,"fwmark") == 0) { + opt.hash_kind= TCA_SFQ_HASH_FWMARK; } else { fprintf(stderr, "Illegal \"hash\"\n"); explain(); @@ -148,6 +151,9 @@ case TCA_SFQ_HASH_SRC: fprintf(f,"src"); break; + case TCA_SFQ_HASH_FWMARK: + fprintf(f,"fw"); + break; default: fprintf(f,"Unknown"); } -- Greetings, Robert Kurjata From gregoriandres at yahoo.com.ar Sat Oct 15 13:50:16 2005 
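Review bot: in the first sch_esfq.c hunk the new `nfm = skb->nfmark;` reads are unconditional, but on the 2.4 and 2.6 kernels this targets the `nfmark` member of `struct sk_buff` only exists when CONFIG_NETFILTER is set, so the module stops building on a kernel without it; wrap the new lines in `#ifdef CONFIG_NETFILTER` (falling back to the classic hash otherwise) or make the option depend on netfilter. The mark does not depend on the L3 protocol, so one assignment before `switch (skb->protocol)` would replace the three per-case copies and the odd `skb -> nfmark` spacing in the IPv4 case.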
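Review bot: appending `TCA_SFQ_HASH_FWMARK` at the end of the enum in pkt_sched.h keeps the existing values stable, which is the right way to extend it, but the q_esfq.c hunks use the new constant and the patch shows no matching change to the copy of pkt_sched.h that iproute2 builds against; unless that copy is updated too, the iproute2 half will not compile.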
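Review bot: the last q_esfq.c hunk prints `fw` for the new hash kind while the parser only accepts `fwmark`, so what `tc qdisc show` prints cannot be pasted back into a `tc qdisc add ... hash` line; print the same keyword the parser accepts.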
From: gregoriandres at yahoo.com.ar (LinuXKiD)
Date: Sat Oct 15 13:50:25 2005
Subject: [LARTC] esfq ? or wrr ?
In-Reply-To: <20051015061533.90776.qmail@web31510.mail.mud.yahoo.com>
Message-ID:

-> I think it depends on the type of traffic you're
-> expecting from the different users. If you're
-> expecting very similar patterns of behaviour, then my
-> guess would be ESFQ would be the better.
->
-> If, on the other hand, the network load is going to
-> shift over time, between the users, then WRR would
-> seem the more logical choice.
->
-> You might also want to look at HFSC (Hierarchical Fair
-> Service Curve) - it's possible you might be able to
-> get what you want from the single algorithm, rather
-> than piping through several. The fewer layers you
-> have, the less latency you'll introduce. HFSC also has
-> the advantage that it is standard in the kernel, so
-> likely has better testing.

OK. I've read some documents about HFSC, but at the moment I understand it.

Can you post me a good tutorial about HFSC?

thank you.

From braithwa at usq.edu.au Sat Oct 15 16:05:56 2005
From: braithwa at usq.edu.au (Stephen Braithwaite)
Date: Sat Oct 15 16:07:08 2005
Subject: [LARTC] FW: Some queueing disciplines that I wrote.
Message-ID: <9A21B9DC026C80439FBD8C5B197AE04B70CD91@zeta.usq.edu.au>

Dear LARTC and devotees,

I have developed some Linux queueing disciplines. I developed them for my
masters project. You are free to use or distribute my work. Here is the
abstract from my dissertation:-

This is a project to implement a Mice and Elephants queuing discipline on
Linux. My project has three aims. The first aim was to produce a prototype
Mice and Elephants router for the purpose of further evaluation of the Mice
and Elephants strategy. The second aim was to make a contribution to Linux
by making my implementation as code that would be both fit for distribution
with Linux and useful in a small business or domestic setting. The third
aim was to explore and document a method of creating Linux queuing
disciplines.

The rest of my dissertation, manual pages on my queuing disciplines, my own
HOWTO on how to write queueing disciplines, manual pages on the kernel
interface for queuing disciplines, and the tarball source code are all
available from:-

http://www.sci.usq.edu.au/staff/braithwa/MastProj/index.html

Please read the HOWTO for instructions on how to build and install.

Please direct questions about this to braith@dodo.com.au

Apart from Mice and Elephants queueing disciplines, an ARED queueing
discipline is there also.

Yours sincerely,

Stephen Braithwaite

P.S. :- I would like to "sell" (not really - of course it's all free) you
the concept of mice and elephants. So here is some cut and paste from my
master's dissertation:-

A "Mice and Elephants" strategy (also called Shortest Job First) is one
which favours the short flows over long flows. In a mice and elephants
strategy the short flows or the packets from them are called mice, and the
long flows or the packets from them are called elephants.
It involves identifying flows and associating packets with their flows in
order to be able to treat long flows differently to short flows. One way to
favour the mice is to give the mice priority when dequeueing. Another is to
avoid dropping mouse packets by dropping elephant packets before the queue
is full.

Proponents of "Mice and Elephants" queuing strategies argue that equal
throughput for each flow or host (sometimes called "Processor Sharing" or
"Fair Queueing") is the wrong goal. Mice and Elephants strategy response
times are significantly better than those obtained using Fair Queuing.

Shortest Remaining Processing Time (SRPT) has been shown to give better
results than Processor Sharing for a range of measures including average
task turnover time [36]. [36] uses mean task turnover time divided by job
length as a measure of starvation, and shows both analytically and by
simulation that no class of jobs is worse off when the job sizes are heavy
tailed (as they are in internet traffic).

In reality, SRPT would be difficult in a queuing discipline, because we
don't know the length of each job, we only know the size of a job so far.
But Shortest Job First (SJF) has been shown to be a sufficiently good
approximation to SRPT to enjoy the same benefits over Processor Sharing
that SRPT does. [49] shows that shortest job first gives near optimal
response time regardless of which group of flows we care to observe. For
example, Shortest Job First gives as good a result for medium length jobs
as if we were to give them absolute priority.

Simulation of an implementation of Shortest Job First is described in [13],
with results that show significant gains over other strategies.

Two cases of congested queues fed by Poisson Pareto Burst Processes were
mathematically modelled [14]. One had a Pareto distribution shape parameter
of 1.4 (heavy tails) and the other had a Pareto distribution shape
parameter of 1.2 (very heavy tails).
Both cases were modelled with a Mice and Elephants strategy and without.
The benefit from the Mice and Elephants strategy was assessed by
calculating the extra capacity needed when the Mice and Elephants strategy
was not used in order that at most 5% of flows are delayed by more than
20%. In the heavy tails case, 16% more capacity was required. In the very
heavy tails case 40% more capacity was required. The modelling showed that
the benefit of a mice and elephants strategy would be quite significant.

Long flows constitute a small minority, but make up the vast majority of
traffic. About 20% of the flows have more than 10 packets but these flows
carry 85% of the total traffic. [60] [24]

During periods of traffic congestion the long flows account for an even
greater percentage of the traffic than they do if we take overall traffic
measurements. In [15] an example was given where the short flows accounted
for 89% of the traffic flow and the long flows accounted for the other 11%
of the traffic flow overall. During periods of high congestion, the long
flows accounted for a disproportionate amount of the traffic flow - perhaps
88%.

It stands to reason that interactive short flows are delay sensitive as far
as the perceived quality of service is concerned, because a human being
will have an active process happening and will be impatient to wait for a
result from her mouse click or keystroke. For example, the keystrokes in a
telnet session will have to wait in a queue congested by packets from long
flows. It is also worth mentioning that short flows are particularly
sensitive to dropped packets [35].

Treating mice and elephants equally is not truly "fair", and it would be
more fair to assist the mice in order to achieve a better perceived quality
of service.

From david_list at boreham.org Sat Oct 15 16:14:20 2005
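A toy model of the two mechanisms in the excerpt above (serve mice before elephants; drop elephant packets before the queue fills), as an added example that is not Stephen Braithwaite's code: the flow key is pluggable, so the same queue can key on the TCP 5-tuple or on the source host alone, and the telnet keystroke from the text is used to measure how far ahead a mouse gets served. All packets, addresses and thresholds are constructed for the example.

```python
from collections import deque, defaultdict

# Two candidate flow definitions; a "flow" need not be the TCP 5-tuple.
def five_tuple(pkt):
    return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

def by_src(pkt):
    """Aggregate everything one source host sends into a single flow."""
    return pkt["src"]


class MiceElephantsQueue:
    """A flow is a mouse until more than `elephant_after` of its packets have
    arrived here; after that it is an elephant. Dequeue serves mice first.
    Once the backlog reaches `drop_threshold`, arriving elephant packets are
    dropped before the queue is full, and a mouse arriving at a full queue
    evicts the newest queued elephant instead of being dropped itself."""

    def __init__(self, flow_key, elephant_after=3, limit=16, drop_threshold=None):
        self.flow_key = flow_key
        self.elephant_after = elephant_after
        self.limit = limit
        self.drop_threshold = limit if drop_threshold is None else drop_threshold
        self.seen = defaultdict(int)      # packets seen so far, per flow
        self.mice = deque()
        self.elephants = deque()
        self.dropped = 0

    def __len__(self):
        return len(self.mice) + len(self.elephants)

    def enqueue(self, pkt):
        """Return True if the packet was queued, False if it was dropped."""
        key = self.flow_key(pkt)
        self.seen[key] += 1
        is_mouse = self.seen[key] <= self.elephant_after
        if len(self) >= self.limit:
            if is_mouse and self.elephants:
                self.elephants.pop()       # make room at an elephant's expense
                self.dropped += 1
            else:
                self.dropped += 1
                return False
        elif not is_mouse and len(self) >= self.drop_threshold:
            self.dropped += 1              # early drop: elephant, queue nearly full
            return False
        (self.mice if is_mouse else self.elephants).append(pkt)
        return True

    def dequeue(self):
        if self.mice:
            return self.mice.popleft()
        if self.elephants:
            return self.elephants.popleft()
        return None


def tcp_pkt(src, sport, dst, dport, tag):
    return {"proto": 6, "src": src, "sport": sport, "dst": dst, "dport": dport, "tag": tag}

def drain_order(queue, packets):
    """Enqueue all packets, then drain the queue; return the tags in service order."""
    for p in packets:
        queue.enqueue(p)
    out = []
    while (p := queue.dequeue()) is not None:
        out.append(p["tag"])
    return out

# Constructed traffic: a bulk download (long flow) and one telnet keystroke.
BULK = [tcp_pkt("192.0.2.10", 5000, "198.51.100.7", 80, f"bulk{i}") for i in range(8)]
KEYSTROKE = tcp_pkt("192.0.2.20", 40000, "198.51.100.7", 23, "keystroke")
# One host opening many short-lived connections, each sending a single packet.
MANY_SHORT = [tcp_pkt("192.0.2.30", 30000 + i, "198.51.100.7", 80, f"short{i}")
              for i in range(10)]

def keystroke_position(flow_key, packets):
    """Service position of the keystroke when it arrives behind `packets` (0 = first)."""
    queue = MiceElephantsQueue(flow_key, elephant_after=3, limit=32)
    return drain_order(queue, packets + [KEYSTROKE]).index("keystroke")

if __name__ == "__main__":
    print("behind bulk flow, 5-tuple key:       ", keystroke_position(five_tuple, BULK))
    print("behind many short conns, 5-tuple key:", keystroke_position(five_tuple, MANY_SHORT))
    print("behind many short conns, source key: ", keystroke_position(by_src, MANY_SHORT))
```

Keyed by 5-tuple, the many single-packet connections are all mice and the keystroke waits behind all of them; keyed by source host, that host becomes an elephant after three packets and the keystroke is served fourth.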
From: david_list at boreham.org (David Boreham)
Date: Sat Oct 15 16:13:44 2005
Subject: [LARTC] FW: Some queueing disciplines that I wrote.
In-Reply-To: <9A21B9DC026C80439FBD8C5B197AE04B70CD91@zeta.usq.edu.au>
References: <9A21B9DC026C80439FBD8C5B197AE04B70CD91@zeta.usq.edu.au>
Message-ID: <43510EBC.7020209@boreham.org>

Stephen, this sounds interesting. One question: did you address the 'arms
race' with file sharing application developers? What I mean is that giving
preference to short flows seems like a fine idea until footorrent or
whatever comes along that has the strategy of opening zillions of
short-lived connections to a large number of servers. Now all the flows are
short and there are no long flows to give lower priority to. Thoughts?

(I did read quickly through your thesis but couldn't see anything on this.
Apologies if I missed it).

From braithwa at usq.edu.au Sat Oct 15 16:28:22 2005
From: braithwa at usq.edu.au (Stephen Braithwaite)
Date: Sat Oct 15 16:28:33 2005
Subject: [LARTC] FW: Some queueing disciplines that I wrote.
Message-ID: <9A21B9DC026C80439FBD8C5B197AE04B70CD92@zeta.usq.edu.au>

David,

I am a newbie to the list - and don't know how to reply on the correct
thread - but here goes:-

Your objection is spot on. Bit torrent seems to present a real challenge.
The definition of a flow need not be the TCP definition of a flow. I am not
sure if it will help, but anyway the queuing discipline and ingress queue
filter are able to work with any combination of protocol, source port
number, source ip, dest port, dest ip as the definition of a flow. This may
or may not help.

-----Original Message-----
From: David Boreham [mailto:david_list@boreham.org]
Sent: Sun 10/16/2005 12:14 AM
To: Stephen Braithwaite
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] FW: Some queueing disciplines that I wrote.

Stephen, this sounds interesting. One question: did you address the 'arms
race' with file sharing application developers? What I mean is that giving
preference to short flows seems like a fine idea until footorrent or
whatever comes along that has the strategy of opening zillions of
short-lived connections to a large number of servers. Now all the flows are
short and there are no long flows to give lower priority to. Thoughts?

(I did read quickly through your thesis but couldn't see anything on this.
Apologies if I missed it).

From gypsy at iswest.com Sat Oct 15 17:40:53 2005
From: gypsy at iswest.com (gypsy)
Date: Sat Oct 15 17:39:42 2005
Subject: [LARTC] esfq ? or wrr ?
References: <20051015061533.90776.qmail@web31510.mail.mud.yahoo.com> <4350AA7A.5080207@fatooh.org>
Message-ID: <43512305.6E60C5FC@iswest.com>

Corey Hickey wrote:
>
> I still maintain ESFQ; the latest version is at:
> http://fatooh.org/esfq-2.6/
>
> This would be an appropriate time to ask:
> Does anybody have any fixes for or improvements to ESFQ that I don't
> know about? My patch doesn't have anything revolutionary -- I've been
> merely keeping Alexander Clouter's 2.6 port in sync with the upstream
> changes to SFQ.
>
> -Corey

1) I'd like for your code to support kernel version 2.4! It is crazy that
there are two branches of ESFQ.

2) ESFQ should be able to match a firewall mark, dport and sport. All
except CLASSIC should understand NOT ("! sport 22").

3) The documentation should be improved.

-- 
gypsy

From raymond.v at komunikasys.com Sat Oct 15 18:59:13 2005
From: raymond.v at komunikasys.com (KOMUNIKA SYSTEM)
Date: Sat Oct 15 19:00:24 2005
Subject: [LARTC] (no subject)
Message-ID: <20051015170018.EC7CB4521@outpost.ds9a.nl>

Dear all,

Please someone help me regarding how to merge 2 internet link connections. I need to double the speed into my LAN. Is it possible to do that?

Thx.

KOMUNIKA SYSTEM
Internet Solution Provider
www.komunikasys.com

From jorge at inway.cz Sat Oct 15 20:29:20 2005
From: jorge at inway.cz (Jorge Sanchez)
Date: Sat Oct 15 20:29:32 2005
Subject: [LARTC] general shaping rules
Message-ID: <43514A80.6050109@inway.cz>

Hi,

I don't fully understand this sentence, could someone be so kind to explain it to me?

Any router performing a shaping function should be the bottleneck on the link, and should be shaping slightly below the maximum available link bandwidth. This prevents queues from forming in other routers, affording maximum control of packet latency/deferral to the shaping device.

From lartc at 24x7linux.com Sat Oct 15 21:17:50 2005
From: lartc at 24x7linux.com (Jose Luis Domingo Lopez)
Date: Sat Oct 15 21:17:53 2005
Subject: [LARTC] general shaping rules
In-Reply-To: <43514A80.6050109@inway.cz>
References: <43514A80.6050109@inway.cz>
Message-ID: <20051015191749.GA23409@localhost>

On Saturday, 15 October 2005, at 20:29:20 +0200, Jorge Sanchez wrote:

> Any router performing a shaping function should be the bottleneck on the
> link, and should be shaping slightly below the maximum available link
> bandwidth. This prevents queues from forming in other routers, affording
> maximum control of packet latency/deferral to the shaping device.
>

In the Internet, traffic flows through a number of routers between source and destination, routers you can not control. In the router closest to your network (if using ADSL, the local telephone switching central with DSLAM adapters) sometimes the ISP or telco applies buffering to each subscriber. That is, to get transfer rates up it is very easy to allocate an indeterminate (but usually large) buffer for incoming traffic.

This way, when you download at full speed you get, well, full speed, but the telco is getting more data at a rate greater than you can, so it buffers traffic in excess. So, if the sending box somewhat slows down (network congestion), your telco still has data to send and keeps your line 100% full. So statistics show you get a fantastic service bandwidth wise, but not so good with respect to latency.

The only way to prevent those buffers to even start filling is shaping traffic to/from your network some Kbps below your nominal maximum transfer rate. You have to "be" the bottleneck to be able to control bandwidth allocation and keep latency to a minimum.

Hope I made an understandable explanation.

Greetings,

--
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Sid (Linux 2.6.14-rc3-git7)
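The advice above, as an added example that is not part of Jose Luis's post: a shell script that pins the root HTB ceiling to a chosen percentage of the nominal link rate, so this router rather than the telco's buffer is the bottleneck, and reserves a share for interactive traffic. The percentage, the 30/70 split, the ICMP/DNS/SSH matches and the TC variable for dry runs are my assumptions.

```shell
#!/bin/sh
# Added example, not from the list post: shape egress slightly below the
# nominal link rate so the telco's per-subscriber buffer never fills.
# Assumptions: HTB and SFQ are available; TC=echo prints the commands
# instead of running them, so the logic can be checked without root.
TC="${TC:-tc}"

# pct_rate LINK_KBIT PERCENT -> integer kbit (e.g. 1024 90 -> 921)
pct_rate() {
    echo $(( $1 * $2 / 100 ))
}

# setup_shaper IFACE LINK_KBIT PERCENT
# Root HTB whose ceiling is PERCENT of the link. Two children:
#   1:10 interactive (ICMP, DNS, SSH) with the higher HTB priority,
#   1:20 bulk, everything else (the htb "default").
# Both may borrow up to the parent ceiling, never beyond it.
setup_shaper() {
    iface="$1"; link="$2"; pct="$3"
    ceil=$(pct_rate "$link" "$pct")
    inter=$(pct_rate "$ceil" 30)      # guaranteed share for interactive
    bulk=$(( ceil - inter ))          # the rest is guaranteed to bulk

    $TC qdisc del dev "$iface" root 2>/dev/null   # clean slate; "no qdisc" error is harmless
    $TC qdisc add dev "$iface" root handle 1: htb default 20
    $TC class add dev "$iface" parent 1: classid 1:1 htb rate "${ceil}kbit" ceil "${ceil}kbit"
    $TC class add dev "$iface" parent 1:1 classid 1:10 htb rate "${inter}kbit" ceil "${ceil}kbit" prio 0
    $TC class add dev "$iface" parent 1:1 classid 1:20 htb rate "${bulk}kbit" ceil "${ceil}kbit" prio 1
    # Fair queueing inside each leaf so one flow cannot hog its class.
    $TC qdisc add dev "$iface" parent 1:10 handle 10: sfq perturb 10
    $TC qdisc add dev "$iface" parent 1:20 handle 20: sfq perturb 10
    # Classify ICMP, DNS and SSH as interactive; everything else falls to 1:20.
    $TC filter add dev "$iface" parent 1: protocol ip prio 1 u32 match ip protocol 1 0xff flowid 1:10
    $TC filter add dev "$iface" parent 1: protocol ip prio 1 u32 match ip protocol 17 0xff match ip dport 53 0xffff flowid 1:10
    $TC filter add dev "$iface" parent 1: protocol ip prio 1 u32 match ip protocol 6 0xff match ip dport 22 0xffff flowid 1:10
}

# Real run (root):  setup_shaper eth0 1024 90
# Dry run:          TC=echo setup_shaper eth0 1024 90
```

Watch `tc -s class show dev eth0` afterwards: if the parent class 1:1 is the one reporting sent bytes at its ceiling while latency stays flat, the router is the bottleneck as intended.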
From psihozefir at yahoo.com Sat Oct 15 21:35:40 2005
From: psihozefir at yahoo.com (panca sorin)
Date: Sat Oct 15 21:35:47 2005
Subject: [LARTC] FW: Some queueing disciplines that I wrote.
In-Reply-To: <9A21B9DC026C80439FBD8C5B197AE04B70CD91@zeta.usq.edu.au>
Message-ID: <20051015193540.84746.qmail@web32615.mail.mud.yahoo.com>

I have an objection too:
VoIP (Voice over IP), video and audio streaming are "elephants". They are big flows, yet people don't like movies played as picture slideshows and interrupted audio or phone calls.
End of objection.

Trying to build a solution:

Making the hypothesis. I think "interactive traffic" should be defined and recognized not by its packet size nor by duration of the connection nor by ports it comes or goes. We do not have a "computerized" definition of "interactive traffic", so we cannot separate it from "bulk traffic". We know that "interactive traffic" = traffic that should have such priority that the user can interact with the network without being annoyed by network latency. "Bulk traffic" = traffic that the user doesn't care if it is delayed for a few seconds, but has to take place and finish in reasonable time.

The conclusions:
1. Now that the definitions are given, how can we separate the two, leaving no chance for programmers to "cheat" the algorithm? Or maybe we can trust them and ask them for help and set for interactive applications' traffic some bits that the routers can recognize and build some queues accordingly.
2. How many classes do we need and what applications could be into each of them?

Waiting for some ideas...

From marek at piasta.pl Sat Oct 15 22:31:43 2005
From: marek at piasta.pl (Marek Kierdelewicz)
Date: Sat Oct 15 22:31:53 2005
Subject: [LARTC] (no subject)
In-Reply-To: <20051015170018.EC7CB4521@outpost.ds9a.nl>
References: <20051015170018.EC7CB4521@outpost.ds9a.nl>
Message-ID: <20051015223143.26e6d705@cat>

> Dear all,

Hi there!

> Please someone help me regarding how to merge 2 internet link
> connection. I need to double the speed into my LAN. Is it possible to
> do that?

Please read the appropriate chapter of the Linux Advanced Routing and Traffic Control Howto:
http://lartc.org/howto/lartc.loadshare.html

> KOMUNIKA SYSTEM
> Internet Solution Provider
> www.komunikasys.com

Marek Kierdelewicz
KoBa ISP

From braithwa at usq.edu.au Sun Oct 16 04:42:23 2005
From: braithwa at usq.edu.au (Stephen Braithwaite)
Date: Sun Oct 16 04:42:41 2005
Subject: [LARTC] FW: Some queueing disciplines that I wrote.
Message-ID: <9A21B9DC026C80439FBD8C5B197AE04B70CD93@zeta.usq.edu.au>

> I have an objection too:
> VoIP (Voice over IP), video and audio streaming are
> "elephants". They are big flows, yet people don't like
> movies played as picture slideshows and interrupted
> audio or phone calls.
> End of objection.
- Panca Sorin

Panca Sorin is correct. Video and audio streaming would suffer if classified as elephants. Fortunately they have a different type of service and are likely to be associated with certain port numbers. Linux is flexible and allows you to separate these streams using something like . If you used video or audio streaming you would separate these out, probably using the u32 classifier. Because these are fixed rate, and because they require their fixed rate, these streams need to be given absolute priority. So the prio classful queuing discipline would be a suitable container. Within the prio classful queuing discipline, the fixed rate flows should be channeled into a simple drop tail, while the remainder could be channeled into a mice and elephants queueing discipline such as meredt.

From aptgetd at gmail.com Sun Oct 16 07:53:04 2005
From: aptgetd at gmail.com (noc ops)
Date: Sun Oct 16 07:53:11 2005
Subject: [LARTC] regarding lartc howto
Message-ID: <4351EAC0.3070404@gmail.com>

Hi,

Is the following link is current, if not, any pointers will be appreciated.

http://lartc.org/howto/

regards,
/virendra

From aptgetd at gmail.com Sun Oct 16 07:57:41 2005
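The prio container Stephen Braithwaite describes above (fixed-rate streams into a drop tail, the rest into a mice-and-elephants qdisc), as an added example that is not his code: band 0 is a plain pfifo for streams selected by u32 on the ToS byte and on a UDP media port range; everything else falls to band 1. meredt is not in stock kernels, so sfq stands in for it; the DSCP value, the port range and the TC dry-run variable are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's code: strict-priority container for
# fixed-rate streams. Band 0 = drop-tail pfifo, band 1 = everything else.
# sfq stands in for meredt (assumption). TC=echo prints the commands
# instead of running them, so the logic can be checked without root.
TC="${TC:-tc}"

# port_masks LO HI -> lines of "PORT/MASK" covering the port range LO..HI.
# u32 can only compare a port under a bit mask, so the range is split into
# the largest aligned power-of-two blocks (16384..32767 -> 16384/0xc000).
port_masks() {
    lo=$1; hi=$2
    while [ "$lo" -le "$hi" ]; do
        size=1
        # grow the block while its start stays aligned and its end stays in range
        while [ $(( lo % (size * 2) )) -eq 0 ] && [ $(( lo + size * 2 - 1 )) -le "$hi" ]; do
            size=$(( size * 2 ))
        done
        printf '%d/0x%04x\n' "$lo" $(( 0xffff & ~(size - 1) ))
        lo=$(( lo + size ))
    done
}

# setup_prio IFACE RTP_LO RTP_HI
setup_prio() {
    iface="$1"; rtp_lo="$2"; rtp_hi="$3"
    $TC qdisc del dev "$iface" root 2>/dev/null
    # Two bands. The priomap sends every TOS value to band 1, so only the
    # u32 filters below can place a packet in the strict-priority band 0.
    $TC qdisc add dev "$iface" root handle 1: prio bands 2 priomap 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
    $TC qdisc add dev "$iface" parent 1:1 handle 10: pfifo limit 20   # drop tail for fixed-rate flows
    $TC qdisc add dev "$iface" parent 1:2 handle 20: sfq perturb 10   # stand-in for meredt
    # DSCP EF (ToS byte 0xb8; mask 0xfc keeps only the DSCP bits) -> band 0.
    $TC filter add dev "$iface" parent 1: protocol ip prio 1 u32 match ip tos 0xb8 0xfc flowid 1:1
    # UDP media ports -> band 0, one filter per aligned block of the range.
    for m in $(port_masks "$rtp_lo" "$rtp_hi"); do
        port=${m%/*}; mask=${m#*/}
        $TC filter add dev "$iface" parent 1: protocol ip prio 2 u32 \
            match ip protocol 17 0xff match ip dport "$port" "$mask" flowid 1:1
    done
}

# Real run (root):  setup_prio eth0 16384 32767
# Dry run:          TC=echo setup_prio eth0 16384 32767
```

Keep the pfifo limit small: band 0 is served before anything else, so a deep queue there only adds delay to the streams it is meant to protect.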
From: aptgetd at gmail.com (noc ops)
Date: Sun Oct 16 07:57:47 2005
Subject: [LARTC] regarding lartc howto
In-Reply-To: <4351EAC0.3070404@gmail.com>
References: <4351EAC0.3070404@gmail.com>
Message-ID: <4351EBD5.1000107@gmail.com>

Sorry about the typo, I meant to ask, is the following still current, if not, any pointers will be appreciated.

regards,
/virendra

noc ops wrote:
> Hi,
>
> Is the following link is current, if not, any pointers will be appreciated.
>
> http://lartc.org/howto/
>
> regards,
> /virendra

From sandro at e-den.it Sun Oct 16 13:18:26 2005
From: sandro at e-den.it (Sandro Dentella)
Date: Sun Oct 16 13:18:58 2005
Subject: [LARTC] routing pb? ping not "emerging"
Message-ID: <20051016111826.GA11336@casa.e-den.it>

Hi all,

I'm puzzled by a problem and I don't know how to debug it...

I have a firewall with 2 gateways, adsl and isdn. Main gateway is via adsl, backup via isdn. I set up 2 tables 'adsl' and 'isdn'. You can find a description below.

I made a script to test both tables. That mainly

1. adds an iptables -t mangle -A OUTPUT -d my_test_ping_node -j MARK --set-mark 3
2. adds: ip rule add fwmark 3 table isdn
3. ip route flush cloned
4. ping to my_test_ping_node (here 217.27.90.70)

I correctly obtain that ping packets go to the router, reach the test, get back to the interface... but ping doesn't show anything. I see them w/ tcpdump on the firewall:

12:42:00.671314 IP 192.168.111.1 > 217.27.90.70: icmp 64: echo request seq 1
12:42:00.720840 IP 217.27.90.70 > 192.168.111.1: icmp 64: echo reply seq 1

I'm sure I'm not firewalling (I use log, and nothing gets logged). If I change the default route to isdn, ping works correctly.

This is not the first time I get into this situation, but I never understood what solved it. I'm convinced it is a routing problem, but I'm clueless: what can it be in between the packet as seen by tcpdump and the fact that ping shows it? Is there a way to see which rule a packet is really using?
Thanks a lot for any possible explanation

sandro *:-)

lo:   127.0.0.1/8
[eth0]:
eth1: 192.168.11.254/24
eth2: 80.20.60.252/29   ==> GW 80.20.60.249    - main adsl
eth3: 192.168.111.1/24  ==> GW 192.168.111.254 - isdn
[eth4]:

### TABLE main:
80.20.60.248/29 dev eth2 proto kernel scope link src 80.20.60.252
192.168.111.0/24 dev eth3 proto kernel scope link src 192.168.111.1
192.168.11.0/24 dev eth1 proto kernel scope link src 192.168.11.254
default via 80.20.60.249 dev eth2

### TABLE adsl:
80.20.60.248/29 dev eth2 scope link src 80.20.60.252
192.168.111.0/24 dev eth3 scope link src 192.168.111.1
192.168.11.0/24 dev eth1 scope link src 192.168.11.254
default via 80.20.60.249 dev eth2

### TABLE isdn:
80.20.60.248/29 dev eth2 scope link src 80.20.60.252
192.168.111.0/24 dev eth3 scope link src 192.168.111.1
192.168.11.0/24 dev eth1 scope link src 192.168.11.254
default via 192.168.111.254 dev eth3

### RULES:
0:      from all lookup local
39:     from all fwmark 0x3 lookup isdn
40:     from 80.20.60.248/29 lookup adsl
41:     from 192.168.111.0/24 lookup isdn
48:     from 192.168.11.0/24 lookup adsl
50:     from all iif eth3 lookup isdn
52:     from all iif eth2 lookup adsl
32766:  from all lookup main
32767:  from all lookup default

--
Sandro Dentella *:-)
e-mail: sandro@e-den.it
http://www.tksql.org TkSQL Home page - My GPL work

From david_list at boreham.org Sun Oct 16 19:22:15 2005
From: david_list at boreham.org (David Boreham)
Date: Sun Oct 16 19:22:19 2005
Subject: [LARTC] FW: Some queueing disciplines that I wrote.
In-Reply-To: <9A21B9DC026C80439FBD8C5B197AE04B70CD92@zeta.usq.edu.au>
References: <9A21B9DC026C80439FBD8C5B197AE04B70CD92@zeta.usq.edu.au>
Message-ID: <43528C47.9040301@boreham.org>

Stephen Braithwaite wrote:

>The definition of a flow need not be the TCP definition of a flow.
>I am not sure if it will help, but any the queuing discipline and ingress queue filter are
>able to work with any combination of protocol, source port number, source ip, dest port, dest ip as the definition of a flow. This may or may not help.
>
>
Ah, that's very interesting. So you could assign all traffic to/from a 'hog' ISP customer to the elephant category.

From augustopaulo at hotmail.com Sun Oct 16 23:15:31 2005
From: augustopaulo at hotmail.com (Paulo Augusto)
Date: Sun Oct 16 23:15:40 2005
Subject: [LARTC] Lost packets and strange "behaviour" of my TC rules
Message-ID:

An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20051016/79b1c21c/attachment-0001.htm

From braithwa at usq.edu.au Mon Oct 17 02:30:05 2005
From: braithwa at usq.edu.au (Stephen Braithwaite)
Date: Mon Oct 17 02:30:15 2005
Subject: [LARTC] FW: Some queueing disciplines that I wrote.
Message-ID: <9A21B9DC026C80439FBD8C5B197AE04B70CD94@zeta.usq.edu.au>

> > The definition of a flow need not be the TCP definition of a
> > flow. I am not sure if it will help, but any the queuing
> > discipline and ingress queue filter are able to work with any
> > combination of protocol, source port number, source ip, dest
> > port, dest ip as the definition of a flow. This may or may
> > not help.
>
> Ah, that's very interesting. So you could assign all traffic to/from a
> 'hog' ISP customer to the elephant category.

You cannot assign it as such, it has to happen automatically. If you made the definition of a flow to be the source/destination IP number then the flow consisting of traffic to/from a 'hog' computer would soon find itself designated as an elephant. If this is deployed on the router where the NAT occurs, then the queuing discipline sees the internal IP numbers. The time scales over which a flow becomes/ceases to be an elephant are configurable. There is also a mechanism to have the queuing discipline not purely mice and elephant and not purely fair queueing, but somewhere in between.

From sandro at e-den.it Mon Oct 17 12:24:41 2005
From: sandro at e-den.it (Sandro Dentella)
Date: Mon Oct 17 12:25:00 2005
Subject: [LARTC] routing pb? ping not "emerging".... pls..
In-Reply-To: <20051016111826.GA11336@casa.e-den.it>
References: <20051016111826.GA11336@casa.e-den.it>
Message-ID: <20051017102441.GA10072@casa.e-den.it>

Sorry for re-posting, but I'd really need a help...

Hi all,

I'm puzzled by a problem and I don't know how to debug it...

I have a firewall with 2 gateways, adsl and isdn. Main gateway is via adsl, backup via isdn. I set up 2 tables 'adsl' and 'isdn'. You can find a description below.

I made a script to test both tables. That mainly

1. adds an iptables -t mangle -A OUTPUT -d my_test_ping_node -j MARK --set-mark 3
2. adds: ip rule add fwmark 3 table isdn
3. ip route flush cloned
4. ping to my_test_ping_node (here 217.27.90.70)

I correctly obtain that ping packets go to the router, reach the test, get back to the interface... but ping doesn't show anything. I see them w/ tcpdump on the firewall:

12:42:00.671314 IP 192.168.111.1 > 217.27.90.70: icmp 64: echo request seq 1
12:42:00.720840 IP 217.27.90.70 > 192.168.111.1: icmp 64: echo reply seq 1

I'm sure I'm not firewalling (I use log, and nothing gets logged). If I change the default route to isdn, ping works correctly.

This is not the first time I get into this situation, but I never understood what solved it. I'm convinced it is a routing problem, but I'm clueless: what can it be in between the packet as seen by tcpdump and the fact that ping shows it? Is there a way to see which rule a packet is really using?
Thanks a lot for any possible explanation

sandro *:-)

lo:   127.0.0.1/8
[eth0]:
eth1: 192.168.11.254/24
eth2: 80.20.60.252/29   ==> GW 80.20.60.249    - main adsl
eth3: 192.168.111.1/24  ==> GW 192.168.111.254 - isdn
[eth4]:

### TABLE main:
80.20.60.248/29 dev eth2 proto kernel scope link src 80.20.60.252
192.168.111.0/24 dev eth3 proto kernel scope link src 192.168.111.1
192.168.11.0/24 dev eth1 proto kernel scope link src 192.168.11.254
default via 80.20.60.249 dev eth2

### TABLE adsl:
80.20.60.248/29 dev eth2 scope link src 80.20.60.252
192.168.111.0/24 dev eth3 scope link src 192.168.111.1
192.168.11.0/24 dev eth1 scope link src 192.168.11.254
default via 80.20.60.249 dev eth2

### TABLE isdn:
80.20.60.248/29 dev eth2 scope link src 80.20.60.252
192.168.111.0/24 dev eth3 scope link src 192.168.111.1
192.168.11.0/24 dev eth1 scope link src 192.168.11.254
default via 192.168.111.254 dev eth3

### RULES:
0:      from all lookup local
39:     from all fwmark 0x3 lookup isdn
40:     from 80.20.60.248/29 lookup adsl
41:     from 192.168.111.0/24 lookup isdn
48:     from 192.168.11.0/24 lookup adsl
50:     from all iif eth3 lookup isdn
52:     from all iif eth2 lookup adsl
32766:  from all lookup main
32767:  from all lookup default

--
Sandro Dentella *:-)
e-mail: sandro@e-den.it
http://www.tksql.org TkSQL Home page - My GPL work

From lartc-337 at ccp.com.au Mon Oct 17 17:47:30 2005
From: lartc-337 at ccp.com.au (Lee Sanders)
Date: Mon Oct 17 17:47:44 2005
Subject: [LARTC] WRR and Monitoring/Graphing usage
Message-ID: <200510172347.30461.lartc-337@ccp.com.au>

Hi All,

I've just installed WRR and am looking at tools to monitor, graph and display the system and throughput of each queue/class/filter.

I've looked at:

iptraf     - only shows tcp/udp flows, not QOS queue throughputs
show.pl    - doesn't work with WRR (as far as I can tell)
tc-graph.pl - doesn't work with WRR (as far as I can tell)
polltc_    - doesn't work with WRR (as far as I can tell)
py-htbstat - doesn't work with WRR (as far as I can tell)

The only project that shows promise right now is pmacct which I will investigate further in the morning.

Is anyone else here using wrr and monitoring your usage? Text or graphical format I don't care. I need a way to monitor the testing I am about to do with iperf to check WRR is working correctly.

Regards,
Lee

From surda at shurdix.com Mon Oct 17 18:24:03 2005
From: surda at shurdix.com (Peter Surda)
Date: Mon Oct 17 18:24:34 2005
Subject: [LARTC] WRR and Monitoring/Graphing usage
In-Reply-To: <200510172347.30461.lartc-337@ccp.com.au>
Message-ID: <20059171824325342@mail.routehat.org>

On Mon, 17 Oct 2005 23:47:30 +0800 Lee Sanders wrote:
>Hi All,
Hi,

>I've just installed WRR and am looking at tools to monitor, graph and display
>the system and throughput of each queue/class/filter.
You can use rrdtool, or if you are looking for an integrated solution, check out my signature.

>Regards,
>Lee
Yours sincerely,

Peter

--
http://www.shurdix.org - Linux distribution for routers and firewalls

From bdschuym at pandora.be Mon Oct 17 19:25:44 2005
From: bdschuym at pandora.be (Bart De Schuymer)
Date: Mon Oct 17 20:24:47 2005
Subject: [LARTC] Re: [Ebtables-user] brouting on interfaces without IP address
In-Reply-To: <434ED7C0.2000109@gmx.net>
References: <434ED7C0.2000109@gmx.net>
Message-ID: <1129569944.3394.1.camel@localhost.localdomain>

On Thu, 13-10-2005 at 23:55 +0200, Carl-Daniel Hailfinger wrote:
> bridge:~ # ebtables -t nat -L --Lx
> ebtables -t nat -N ifacefilter-int
> ebtables -t nat -N proxy
> ebtables -t nat -A PREROUTING -i bridgeint -j ifacefilter-int
> ebtables -t nat -A ifacefilter-int -p IPv4 --ip-src 192.168.0.0/24
> --ip-proto tcp --ip-dport 80 -j proxy
> ebtables -t nat -A proxy -j mark --set-mark 0x1 --mark-target CONTINUE
> ebtables -t nat -A proxy -j dnat --to-dst 00:11:22:33:44:55
> --dnat-target ACCEPT

Make this 00:01:02:03:04:05, or just use -j redirect

cheers,
Bart

From andy.furniss at dsl.pipex.com Mon Oct 17 21:20:43 2005
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Mon Oct 17 21:20:36 2005
Subject: [LARTC] The effects of queueing on delay...(TX Ring Buffer the problem)
In-Reply-To: <1129219587.8517.2.camel@localhost.localdomain>
References: <1129064647.13493.41.camel@pgala.it.nuigalway.ie> <1129219587.8517.2.camel@localhost.localdomain>
Message-ID: <4353F98B.8020709@dsl.pipex.com>

Jonathan Lynch wrote:
> This was down to the tx buffer size on the network card i was using. It
> was an Intel 82547EI gigabit Card using the e1000 driver and operating
> at 100mbit. The tx buffer was set to 256 which caused this huge delay.
> The minimum the driver lets me reduce the tx buffer size using ethtool
> is 80. By reducing the tx ring buffer to 80, the delay when there is
> full link utilisation and a maximum queue of 10 packets was reduced from
> 30ms to 10ms.
>
> The 3com 3c59x vortex driver uses a tx buffer of 16. I reduced the tx to
> 16 on the e1000 driver, but the max throughput i could achieve on the
> interface went down.
>
> Has anyone experimented with reducing the size of the tx buffer on this
> card to get a good balance between delay and throughput ?

Strange - I thought that as long as you are under rate for the link then the most htb should burst per tick is the burst size specified. That assumes one bulk class - more will make it worse.

Andy.

From andy.furniss at dsl.pipex.com Mon Oct 17 21:31:19 2005
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Mon Oct 17 21:31:11 2005
Subject: [LARTC] HFSC Advanced Limiting
In-Reply-To: <0633E0EDB4F25F43A2D7179CA11FAFAB04B537@xavier.staff.greatlakes.net>
References: <0633E0EDB4F25F43A2D7179CA11FAFAB04B537@xavier.staff.greatlakes.net>
Message-ID: <4353FC07.9000406@dsl.pipex.com>

Eliot, Wireless and Server Administrator, Great Lakes Internet wrote:
> Thank you for your response.
>
> I do know how to shape a specific direction of traffic. Given that I am the ISP sitting between the customer and the Internet, it is trivial for me to shape both directions.
>

I think the point Jason was making is that you are shaping from the wrong end of the bottleneck if you shape traffic from your customers. If their link speed to you is high and you shape to well below it then it won't be too bad, but the point stands that it is not the same as when shaping from the "right" end of the bottleneck, especially WRT latency and jitter.

Andy.

From andy.furniss at dsl.pipex.com Mon Oct 17 23:29:12 2005
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Mon Oct 17 23:29:06 2005
Subject: [LARTC] Lost packets and strange "behaviour" of my TC rules
In-Reply-To:
References:
Message-ID: <435417A8.4020705@dsl.pipex.com>

Paulo Augusto wrote:
>
> I'm using the TG (www.postel.org/tg ) as a TCP traffic
> generator, to establish three 90kbits/s TCP flows from PC1(any port) to PC2(port
> 20000, 20001 and 20002), with different durations and pause times, which as can
> be shown in the next files:

Usually tcp won't be like this, netperf may be better to test with, as it's more normal for bulk tcp to try to go as fast as it can.

>
> I've also plotted a graph with gnuplot, showing me that (somehow) my rules were
> "correct", I've got an average value of 30kbits/s, a 10kbits/s and a 60kbits/s.
>
> Is it normal that some packets get dropped by the rules or not (taking into
> account my test configuration) ?

The packets are not dropped in this case as the default queue length for sfq is 128, which can hold a rwin worth of data. The missing packets just didn't get sent because htb slowed the packets down to the rates specified and the sender will only send more once the ones already sent are acked.

Andy.

From swaminathan.vasudevan at hp.com Mon Oct 17 23:44:46 2005
From: swaminathan.vasudevan at hp.com (Vasudevan, Swaminathan (PNB Roseville))
Date: Mon Oct 17 23:44:56 2005
Subject: [LARTC] TC show filter command shows all u32 filters defined with different priority in all priority.
Message-ID: <83AB0942FD087D499DF2DD5CEE1B6133019EC68F@cacexc06.americas.cpqcorp.net>

Hi,

I am currently working on the TC. I have seen some behaviour which seems to be odd. I know someone in the mailing list would have seen this problem or may have some fix for this problem.

When I try to include u32 filters with different priority or pref, I could see the filters being set on all the priorities irrespective of the priority number. See my sample script below and the command "tc filter show dev eth1 parent yy:". Can anyone suggest a fix for this. Is that a bug in just displaying - if so has it been fixed or is there any fix available on the net.

Sample Script:

#! /bin/sh
tc qdisc add dev eth1 root handle 1:0 htb r2q 1
tc class add dev eth1 parent 1:0 classid 1:fffe htb rate 100mbit
tc filter add dev eth1 parent 1:0 prio 1 protocol ip u32
tc filter add dev eth1 parent 1:0 prio 1 handle ffe:0 protocol ip u32 divisor 256
tc filter add dev eth1 parent 1:0 prio 1 protocol ip u32 ht 800:: match u32 \
    0x00000800 0x0000FFFF at -4 hashkey mask 0x00ff0000 at -8 link ffe:
tc class add dev eth1 parent 1:fffe classid 1:13E htb rate 100mbit
tc qdisc add dev eth1 parent 1:13E handle 13E:0 htb r2q 1
tc class add dev eth1 parent 13E:0 classid 13E:1 htb rate 100mbit
tc class add dev eth1 parent 13E:0 classid 13E:2 htb rate 100mbit
tc qdisc add dev eth1 parent 13E:2 tbf rate 1bps burst 1 latency 50ms
tc filter add dev eth1 parent 1:0 prio 1 protocol ip u32 ht ffe:3E match u32 \
    0x000bcd59 0xffffffff at -12 match u16 0x123E 0xffff at -8 flowid 1:13E
#### Queue 1
tc filter add dev eth1 parent 13E:0 prio 1 protocol ip u32 match ip protocol 1 0xff flowid 13E:2
tc filter add dev eth1 parent 13E:0 prio 2 protocol ip u32 match ip protocol 2 0xff flowid 13e:2
#### Queue 2
tc filter add dev eth1 parent 13E:0 prio 1 protocol ip u32 match ip protocol 6 0xff flowid 13E:1

##### Command show filter shows all three filters under all three priorities

-bash-2.05b# tc filter show dev eth1 parent 13E:
filter protocol ip pref 1 u32
filter protocol ip pref 1 u32 fh 801: ht divisor 1
filter protocol ip pref 1 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid 13e:2
  match 00020000/00ff0000 at 8
filter protocol ip pref 1 u32 fh 800: ht divisor 1
filter protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 13e:2
  match 00010000/00ff0000 at 8
filter protocol ip pref 1 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 13e:1
  match 00060000/00ff0000 at 8
filter protocol ip pref 2 u32
filter protocol ip pref 2 u32 fh 801: ht divisor 1
filter protocol ip pref 2 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid 13e:2
  match 00020000/00ff0000 at 8
filter protocol ip pref 2 u32 fh 800: ht divisor 1
filter protocol ip pref 2 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 13e:2
  match 00010000/00ff0000 at 8
filter protocol ip pref 2 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 13e:1
  match 00060000/00ff0000 at 8

Please can anyone tell me what to do.

Thanks
Swami

From andy.furniss at dsl.pipex.com Tue Oct 18 00:30:44 2005
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Tue Oct 18 00:30:37 2005
Subject: [LARTC] TC show filter command shows all u32 filters defined with different priority in all priority.
In-Reply-To: <83AB0942FD087D499DF2DD5CEE1B6133019EC68F@cacexc06.americas.cpqcorp.net>
References: <83AB0942FD087D499DF2DD5CEE1B6133019EC68F@cacexc06.americas.cpqcorp.net>
Message-ID: <43542614.7010604@dsl.pipex.com>

Vasudevan, Swaminathan (PNB Roseville) wrote:
> When I try to include u32 filters with different priority or pref, I
> could see the filters being set on all the priorities irrespective of
> the priority number.

Your script is OK for me. I always put "tc qdisc del dev ethX root" at the beginning of scripts - maybe you reran yours without cleaning up first.

[root@amd /home/andy/Qos]# uname -r
2.6.12-rc1
[root@amd /home/andy/Qos]# tc -V
tc utility, iproute2-ss050330
[root@amd /home/andy/Qos]# tc filter show dev eth0 parent 13E:
filter protocol ip pref 1 u32
filter protocol ip pref 1 u32 fh 800: ht divisor 1
filter protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 13e:2
  match 00010000/00ff0000 at 8
filter protocol ip pref 1 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 13e:1
  match 00060000/00ff0000 at 8
filter protocol ip pref 2 u32
filter protocol ip pref 2 u32 fh 801: ht divisor 1
filter protocol ip pref 2 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid 13e:2
  match 00020000/00ff0000 at 8

Andy.

From swaminathan.vasudevan at hp.com Tue Oct 18 00:34:14 2005
From: swaminathan.vasudevan at hp.com (Vasudevan, Swaminathan (PNB Roseville))
Date: Tue Oct 18 00:34:27 2005
Subject: [LARTC] TC show filter command shows all u32 filters defined with different priority in all priority.
Message-ID: <83AB0942FD087D499DF2DD5CEE1B6133019EC691@cacexc06.americas.cpqcorp.net>

Hi Andy,

Thanks for the reply.
I am currently using Linux kernel 2.4.29.

-bash-2.05b# tc filter ls
-bash-2.05b# tc -V
tc utility, iproute2-ss041019
-bash-2.05b# uname -r
2.4.29

I am seeing this problem in this kernel. Should I change the kernel or else should I change the iproute2 to a newer version.

Thanks
Swami

-----Original Message-----
From: Andy Furniss [mailto:andy.furniss@dsl.pipex.com]
Sent: Monday, October 17, 2005 3:31 PM
To: Vasudevan, Swaminathan (PNB Roseville)
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] TC show filter command shows all u32 filters defined with different priority in all priority.

Vasudevan, Swaminathan (PNB Roseville) wrote:
> When I try to include u32 filters with different priority or pref, I
> could see the filters being set on all the priorities irrespective of
> the priority number.

Your script is OK for me. I always put "tc qdisc del dev ethX root" at the beginning of scripts - maybe you reran yours without cleaning up first.

[root@amd /home/andy/Qos]# uname -r
2.6.12-rc1
[root@amd /home/andy/Qos]# tc -V
tc utility, iproute2-ss050330
[root@amd /home/andy/Qos]# tc filter show dev eth0 parent 13E:
filter protocol ip pref 1 u32
filter protocol ip pref 1 u32 fh 800: ht divisor 1
filter protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 13e:2
  match 00010000/00ff0000 at 8
filter protocol ip pref 1 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 13e:1
  match 00060000/00ff0000 at 8
filter protocol ip pref 2 u32
filter protocol ip pref 2 u32 fh 801: ht divisor 1
filter protocol ip pref 2 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid 13e:2
  match 00020000/00ff0000 at 8

Andy.

From andy.furniss at dsl.pipex.com Tue Oct 18 01:05:43 2005
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Tue Oct 18 01:05:35 2005
Subject: [LARTC] TC show filter command shows all u32 filters defined with different priority in all priority.
In-Reply-To: <83AB0942FD087D499DF2DD5CEE1B6133019EC691@cacexc06.americas.cpqcorp.net>
References: <83AB0942FD087D499DF2DD5CEE1B6133019EC691@cacexc06.americas.cpqcorp.net>
Message-ID: <43542E47.9030100@dsl.pipex.com>

Vasudevan, Swaminathan (PNB Roseville) wrote:
> Hi Andy,
> Thanks for the reply.
> I am currently using Linux kernel 2.4.29.
>
> -bash-2.05b# tc filter ls
> -bash-2.05b# tc -V
> tc utility, iproute2-ss041019
> -bash-2.05b# uname -r
> 2.4.29
>
> I am seeing this problem in this kernel.
> Should I change the kernel or else should I change the iproute2 to a
> newer version.

I don't know really, I haven't used 2.4s for a long time.

There is a more recent iproute2-ss here
http://developer.osdl.org/dev/iproute2/download/iproute2-ss050901.tar.bz2

I would try that first.

Andy.

From swaminathan.vasudevan at hp.com Tue Oct 18 01:09:01 2005
From: swaminathan.vasudevan at hp.com (Vasudevan, Swaminathan (PNB Roseville))
Date: Tue Oct 18 01:09:32 2005
Subject: [LARTC] TC show filter command shows all u32 filters defined with different priority in all priority.
Message-ID: <83AB0942FD087D499DF2DD5CEE1B6133019EC695@cacexc06.americas.cpqcorp.net>

Hi Andy,

I think the problem may reside in the Linux kernel 2.4.29. Because I even tried the "tc utility, iproute2-ss050816". But still the behaviour is the same. So there may be some fix in the 2.6 branch, which is missing in 2.4.29. Can anyone in the group suggest me if there is any fix for the 2.4 kernel.

Thanks
Swami

-----Original Message-----
From: Andy Furniss [mailto:andy.furniss@dsl.pipex.com]
Sent: Monday, October 17, 2005 4:06 PM
To: Vasudevan, Swaminathan (PNB Roseville)
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] TC show filter command shows all u32 filters defined with different priority in all priority.

Vasudevan, Swaminathan (PNB Roseville) wrote:
> Hi Andy,
> Thanks for the reply.
> I am currently using Linux kernel 2.4.29.
>
> -bash-2.05b# tc filter ls
> -bash-2.05b# tc -V
> tc utility, iproute2-ss041019
> -bash-2.05b# uname -r
> 2.4.29
>
> I am seeing this problem in this kernel.
> Should I change the kernel or else should I change the iproute2 to a
> newer version.

I don't know really, I haven't used 2.4s for a long time.

There is a more recent iproute2-ss here
http://developer.osdl.org/dev/iproute2/download/iproute2-ss050901.tar.bz2

I would try that first.

Andy.

From c-d.hailfinger.devel.2005 at gmx.net Tue Oct 18 02:03:23 2005
From: c-d.hailfinger.devel.2005 at gmx.net (Carl-Daniel Hailfinger)
Date: Tue Oct 18 02:03:29 2005
Subject: [LARTC] Re: [Ebtables-user] brouting on interfaces without IP address
In-Reply-To: <1129569944.3394.1.camel@localhost.localdomain>
References: <434ED7C0.2000109@gmx.net> <1129569944.3394.1.camel@localhost.localdomain>
Message-ID: <43543BCB.7030604@gmx.net>

Bart De Schuymer wrote:
> On Thu, 13-10-2005 at 23:55 +0200, Carl-Daniel Hailfinger wrote:
>
>> However, once I insert the ebtables rule to actually do the
>> redirection, all packets I want to redirect get dropped. This
>> happens regardless of where I try to broute the packets. I tried
>> DROPping them in BROUTING, REDIRECTing them in PREROUTING, DNATing
>> them to the MAC of eth0 in PREROUTING, but each time the packets
>> never leave eth0.
>> [...]
>> bridge:~ # ebtables -t nat -L --Lx
>> ebtables -t nat -N ifacefilter-int
>> ebtables -t nat -N proxy
>> ebtables -t nat -A PREROUTING -i bridgeint -j ifacefilter-int
>> ebtables -t nat -A ifacefilter-int -p IPv4 --ip-src 192.168.0.0/24 --ip-proto tcp --ip-dport 80 -j proxy
>> ebtables -t nat -A proxy -j mark --set-mark 0x1 --mark-target CONTINUE
>
>> ebtables -t nat -A proxy -j dnat --to-dst 00:11:22:33:44:55 --dnat-target ACCEPT
>
> Make this 00:01:02:03:04:05, or just use -j redirect

Sorry if I was unclear, but -j redirect doesn't work. Same for --to-dst
00:01:02:03:04:05. That's why I tried to use the MAC of eth0 in --to-dst.

Regards,
Carl-Daniel

From sandro at e-den.it Tue Oct 18 10:07:34 2005
From: sandro at e-den.it (Sandro Dentella)
Date: Tue Oct 18 10:07:58 2005
Subject: [LARTC] debugging iproute2
Message-ID: <20051018080734.GA31483@casa.e-den.it>

OK, maybe the message was too long...

How can I debug why a packet (e.g. an ICMP reply) that arrives at my box (tcpdump shows it) does not show up to ping, even if it is:

a. destined to my box
b. not dropped by iptables

I strongly suspect it is a routing problem, since I only have this if I define more routing tables. So I think you are the guys/gurus that can help me... more details in the mail I sent yesterday:

http://mailman.ds9a.nl/pipermail/lartc/2005q4/017168.html

Can I log debug messages for a packet that is not routable by the kernel?
Can I know which rule a packet is going through?

TIA
sandro *:-)

PS: I apologize: in the archives my message figures as "sun" of another thread: I don't understand why

--
Sandro Dentella *:-)
e-mail: sandro@e-den.it
http://www.tksql.org TkSQL Home page - My GPL work

From swaminathan.vasudevan at hp.com Tue Oct 18 19:56:05 2005
From: swaminathan.vasudevan at hp.com (Vasudevan, Swaminathan (PNB Roseville))
Date: Tue Oct 18 19:58:15 2005
Subject: [LARTC] TC show filter command shows all u32 filters defined with different priority in all priority.
Message-ID: <83AB0942FD087D499DF2DD5CEE1B6133019EC699@cacexc06.americas.cpqcorp.net>

Hi Andy,

I found out the fix. There is a patch in 2.4.30 for cls_u32.c. If I apply the patch to my kernel 2.4.29, it seems to be working.

Thanks
Swami
From nata at cnett.com.br Tue Oct 18 20:45:07 2005
From: nata at cnett.com.br (Nataniel Klug)
Date: Tue Oct 18 20:45:19 2005
Subject: [LARTC] Two different networks at the same ethernet pci adapter
Message-ID: <001d01c5d414$0fe382d0$57001eac@NATANIEL>

Hello all,

I need to put an IP alias on the same ethernet card, like this:

eth0 - IP1/MASK1/BROADCAST1
eth0:1 - IP2/MASK2/BROADCAST2

In this box I will have another card that connects to a LAN network. I need these two aliases on eth0 because I have two routes to take, but it seems not to work. This is the script I am using (this script works fine when I have two ethernet cards, like eth0 and eth1 for backbone and eth2 for LAN):

---- SCRIPT BEGINNING /usr/loca/firewall/loadbalance ----
#!/bin/sh
#-------------------------
# Port redirection configuration for the links
# Load balancing between network points
# ++++++++++++++++++++++++
# Script created by NATANIEL KLUG
#-------------------------
#
#----
# System variables
#----
IPTABLES="/usr/local/sbin/iptables"
IP="/sbin/ip"
#
#----
# LINK INTERFACES
#----
IF1='eth0'
IF2='eth0'
#
#----
# Declare the networks
#----
P1_NET='172.30.0.0/24'
P2_NET='10.1.1.0/24'
#
#----
# Declare the IPs
#----
IP1='172.30.0.55'
IP2='10.1.1.10'
#
#----
# Declare the gateway of each connection
#----
P1='172.30.0.1'
P2='10.1.1.1'
#
#----
# Masquerade the networks and mark the packets
#----
$IPTABLES -t nat -A POSTROUTING -o $IF1 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $IF2 -j MASQUERADE
#
#----
# Default routes for the links (each table's default goes via that link's own gateway)
#----
$IP route add $P1_NET dev $IF1 src $IP1 table T1
$IP route add default via $P1 table T1
$IP route add $P2_NET dev $IF2 src $IP2 table T2
$IP route add default via $P2 table T2
#
$IP route add $P1_NET dev $IF1 src $IP1
$IP route add $P2_NET dev $IF2 src $IP2
#
$IP route add default scope global nexthop via $P1 dev $IF1 weight 1 nexthop via $P2 dev $IF2 weight 1
#
$IP rule add from $IP1 table T1
$IP rule add from $IP2 table T2
#
#----
# Flush the route cache
#----
$IP route flush cache
---- END OF SCRIPT ----

What can I do (if there is something) for this to work?

Regards,
Nataniel Klug

From bdschuym at pandora.be Tue Oct 18 20:03:44 2005
From: bdschuym at pandora.be (Bart De Schuymer)
Date: Tue Oct 18 21:02:36 2005
Subject: [LARTC] Re: [Ebtables-user] brouting on interfaces without IP address
In-Reply-To: <43543BCB.7030604@gmx.net>
References: <434ED7C0.2000109@gmx.net> <1129569944.3394.1.camel@localhost.localdomain> <43543BCB.7030604@gmx.net>
Message-ID: <1129658624.3470.6.camel@localhost.localdomain>

On Tue, 18-10-2005 at 02:03 +0200, Carl-Daniel Hailfinger wrote:
> Bart De Schuymer wrote:
> > On Thu, 13-10-2005 at 23:55 +0200, Carl-Daniel Hailfinger wrote:
> >
> >> However, once I insert the ebtables rule to actually do the
> >> redirection, all packets I want to redirect get dropped. This
> >> happens regardless of where I try to broute the packets. I tried
> >> DROPping them in BROUTING, REDIRECTing them in PREROUTING, DNATing
> >> them to the MAC of eth0 in PREROUTING, but each time the packets
> >> never leave eth0.
> >> [...]
> >> bridge:~ # ebtables -t nat -L --Lx
> >> ebtables -t nat -N ifacefilter-int
> >> ebtables -t nat -N proxy
> >> ebtables -t nat -A PREROUTING -i bridgeint -j ifacefilter-int
> >> ebtables -t nat -A ifacefilter-int -p IPv4 --ip-src 192.168.0.0/24 --ip-proto tcp --ip-dport 80 -j proxy
> >> ebtables -t nat -A proxy -j mark --set-mark 0x1 --mark-target CONTINUE
> >
> >> ebtables -t nat -A proxy -j dnat --to-dst 00:11:22:33:44:55 --dnat-target ACCEPT
> >
> > Make this 00:01:02:03:04:05, or just use -j redirect
>
> Sorry if I was unclear, but -j redirect doesn't work. Same for --to-dst
> 00:01:02:03:04:05. That's why I tried to use the MAC of eth0 in --to-dst.

OK. Anyway, you need to use the MAC address of the logical bridge device.
Please first try it with a simpler setup in which you don't need to mark the packet, using a simple routing table. Do any packets leave on eth0?

cheers,
Bart

From tkiran at ku.edu.tr Wed Oct 19 10:33:21 2005
From: tkiran at ku.edu.tr (TAYLAN KIRAN)
Date: Wed Oct 19 10:15:47 2005
Subject: [LARTC] help for script add ip addresses dynamically
Message-ID: <20051019T113321Z_DF7D00090000@ku.edu.tr>

Hi,

I am trying to write a script that will create a class and will add a specific IP address to that class. Let me write the commands:

tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 1: htb default 12
tc class add dev eth0 parent 1: classid 1:1 htb rate 10mbit ceil 10mbit
tc qdisc add dev eth0 parent 1:1 sfq
tc class add dev eth0 parent 1:1 classid 1:21 htb rate 128kbit ceil 128kbit
tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip dst 172.18.5.74 classid 1:21
tc class add dev eth0 parent 1:1 classid 1:22 htb rate 128kbit ceil 128kbit
tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip dst 193.140.57.150 classid 1:22
tc class add dev eth0 parent 1:1 classid 1:23 htb rate 128kbit ceil 128kbit
tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip dst 172.18.5.74 classid 1:23
tc class add dev eth0 parent 1:1 classid 1:24 htb rate 128kbit ceil 128kbit
tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip dst 172.18.5.74 classid 1:24
tc class add dev eth0 parent 1:1 classid 1:25 htb rate 128kbit ceil 128kbit
tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip dst 172.18.5.74 classid 1:25

As you see above, I create 5 classes for 5 different IP addresses and limit download traffic to 128 kbps, but when I check the statistics below I see that only a few classes work properly. The others continue to download above 128kbps, even 512kbps. Does anyone have an idea?

[root@fwr router]# tc -s class show dev eth0
class htb 1:22 parent 1:1 prio 0 rate 128Kbit ceil 128Kbit burst 1615b cburst 1615b
 Sent 6068801 bytes 14516 pkts (dropped 0, overlimits 0 requeues 0)
 rate 42bit
 lended: 14516 borrowed: 0 giants: 0
 tokens: 95744 ctokens: 95744

class htb 1:1 root rate 10Mbit ceil 10Mbit burst 2848b cburst 2848b
 Sent 25851580 bytes 28255 pkts (dropped 0, overlimits 0 requeues 0)
 rate 16072bit 11pps
 lended: 0 borrowed: 0 giants: 0
 tokens: -142 ctokens: -142

class htb 1:23 parent 1:1 prio 0 rate 128Kbit ceil 128Kbit burst 1615b cburst 1615b
 Sent 19799433 bytes 13750 pkts (dropped 0, overlimits 0 requeues 0)
 rate 16031bit 10pps backlog 11p
 lended: 13739 borrowed: 0 giants: 0
 tokens: -193536 ctokens: -193536

class htb 1:21 parent 1:1 prio 0 rate 128Kbit ceil 128Kbit burst 1615b cburst 1615b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0 requeues 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 103424 ctokens: 103424

class htb 1:24 parent 1:1 prio 0 rate 128Kbit ceil 128Kbit burst 1615b cburst 1615b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0 requeues 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 103424 ctokens: 103424

class htb 1:25 parent 1:1 prio 0 rate 128Kbit ceil 128Kbit burst 1615b cburst 1615b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0 requeues 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 103424 ctokens: 103424

Also you can see below the tc filter output:

[root@fwr router]# tc filter show dev eth0
filter parent 1: protocol ip pref 1 u32
filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:21
  match ac12054a/ffffffff at 16
filter parent 1: protocol ip pref 1 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 1:22
  match c18c3996/ffffffff at 16
filter parent 1: protocol ip pref 1 u32 fh 800::802 order 2050 key ht 800 bkt 0 flowid 1:23
  match c18c395a/ffffffff at 16
filter parent 1: protocol ip pref 1 u32 fh 800::803 order 2051 key ht 800 bkt 0 flowid 1:24
  match ac101055/ffffffff at 16
filter parent 1: protocol ip pref 1 u32 fh 800::804 order 2052 key ht 800 bkt 0 flowid 1:25
  match ac10113b/ffffffff at 16

Taylan KIRAN
Network&System Specialist
Koc University

From andy.furniss at dsl.pipex.com Wed Oct 19 12:49:44 2005
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Wed Oct 19 12:49:45 2005
Subject: [LARTC] HFSC Advanced Limiting
In-Reply-To: <0633E0EDB4F25F43A2D7179CA11FAFAB04B52C@xavier.staff.greatlakes.net>
References: <0633E0EDB4F25F43A2D7179CA11FAFAB04B52C@xavier.staff.greatlakes.net>
Message-ID: <435624C8.4080003@dsl.pipex.com>

Eliot, Wireless and Server Administrator, Great Lakes Internet wrote:
>
> Also, if you do not know for certain any of the answers to these questions, please do not make conjecture. Only answer with facts.

Not many people seem to use hfsc, so you are losing out on general advice by saying this.

Andy.

From andy.furniss at dsl.pipex.com Wed Oct 19 12:55:10 2005
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Wed Oct 19 12:55:13 2005
Subject: [LARTC] HFSC Advanced Limiting
In-Reply-To: <0633E0EDB4F25F43A2D7179CA11FAFAB04B537@xavier.staff.greatlakes.net>
References: <0633E0EDB4F25F43A2D7179CA11FAFAB04B537@xavier.staff.greatlakes.net>
Message-ID: <4356260E.308@dsl.pipex.com>

Eliot, Wireless and Server Administrator, Great Lakes Internet wrote:
> CMD="tc qdisc add dev eth0 root handle 1: hfsc default 1"

Default should be a leaf class.

- tc class add dev eth1 parent 2:1000 classid 2:10000 hfsc sc umax 1500b dmax 30ms rate 80Kbit...

If you attach a qdisc to eth then it sees the packet length as ip len + 14, so use 1514.

Andy.

From andy.furniss at dsl.pipex.com Wed Oct 19 12:59:46 2005
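Returning to Taylan's HTB script: the added example below is not from the thread. It generates the per-host class/filter pairs the way that script does (rejecting a host listed twice, because u32 filters of the same priority are tried in order and only the first match fires) and decodes the hex matches of `tc filter show` back to dotted addresses, so the classid-to-IP mapping the kernel actually holds can be compared with the one the script intended. The sample `tc filter show` text is reconstructed from the output quoted above; handles, rate and the INTENDED table are taken from that script.

```python
"""Added example (not part of the LARTC thread): build per-host HTB
class/filter pairs and check them against what `tc filter show` reports."""
import ipaddress
import re

# The five hosts exactly as typed in the script above: note that 1:23,
# 1:24 and 1:25 were all given the same address as 1:21.
INTENDED = {
    "1:21": "172.18.5.74",
    "1:22": "193.140.57.150",
    "1:23": "172.18.5.74",
    "1:24": "172.18.5.74",
    "1:25": "172.18.5.74",
}

# Reconstructed from the `tc filter show dev eth0` output quoted above
# (tc prints each "match" line indented below its filter line).
TC_FILTER_SHOW = """\
filter parent 1: protocol ip pref 1 u32
filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:21
  match ac12054a/ffffffff at 16
filter parent 1: protocol ip pref 1 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 1:22
  match c18c3996/ffffffff at 16
filter parent 1: protocol ip pref 1 u32 fh 800::802 order 2050 key ht 800 bkt 0 flowid 1:23
  match c18c395a/ffffffff at 16
filter parent 1: protocol ip pref 1 u32 fh 800::803 order 2051 key ht 800 bkt 0 flowid 1:24
  match ac101055/ffffffff at 16
filter parent 1: protocol ip pref 1 u32 fh 800::804 order 2052 key ht 800 bkt 0 flowid 1:25
  match ac10113b/ffffffff at 16
"""


def htb_commands(dev, hosts, parent="1:1", first_minor=0x21, rate="128kbit"):
    """Return the tc commands giving each host its own rate-capped leaf class.

    Class minors are allocated sequentially in hex (1:21, 1:22, ... as above).
    A host listed twice is rejected: the second filter would never fire, so
    its class would silently stay empty.
    """
    cmds = []
    seen = set()
    for i, host in enumerate(hosts):
        ipaddress.IPv4Address(host)  # raises ValueError on a malformed address
        if host in seen:
            raise ValueError(f"{host} listed twice; only the first filter fires")
        seen.add(host)
        classid = f"1:{first_minor + i:x}"
        cmds.append(f"tc class add dev {dev} parent {parent} classid {classid} "
                    f"htb rate {rate} ceil {rate}")
        cmds.append(f"tc filter add dev {dev} parent 1: protocol ip prio 1 u32 "
                    f"match ip dst {host} classid {classid}")
    return cmds


# "flowid X" followed (usually on the next line) by "match VALUE/MASK at OFFSET"
FILTER_RE = re.compile(r"flowid (\S+)\s+match ([0-9a-f]{8})/([0-9a-f]{8}) at (\d+)")
# u32 offsets into the IPv4 header: 12 = source address, 16 = destination address
FIELD_AT = {12: "src", 16: "dst"}


def decode_u32_filters(tc_output):
    """Map flowid -> (field, 'a.b.c.d/prefix') from `tc filter show` text."""
    decoded = {}
    for flowid, value, mask, offset in FILTER_RE.findall(tc_output):
        addr = ipaddress.IPv4Address(int(value, 16))
        prefix = bin(int(mask, 16)).count("1")
        field = FIELD_AT.get(int(offset), f"offset {offset}")
        decoded[flowid] = (field, f"{addr}/{prefix}")
    return decoded


def mismatches(intended, tc_output):
    """Return (classid, intended_ip, installed) for every class whose live
    u32 filter does not match the destination the script meant to install."""
    installed = decode_u32_filters(tc_output)
    bad = []
    for classid, ip in intended.items():
        live = installed.get(classid)
        if live != ("dst", f"{ip}/32"):
            bad.append((classid, ip, live))
    return bad


if __name__ == "__main__":
    for cmd in htb_commands("eth0", ["172.18.5.74", "193.140.57.150"]):
        print(cmd)
    for classid, ip, live in mismatches(INTENDED, TC_FILTER_SHOW):
        print(f"{classid}: script says dst {ip}, kernel has {live}")
```

Run against the quoted output, the check reports 1:23, 1:24 and 1:25: the filters the kernel holds point those classes at 193.140.57.90, 172.16.16.85 and 172.16.17.59, not at the address typed in the script.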
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Wed Oct 19 12:59:46 2005
Subject: [LARTC] HTB and PRIO qdiscs introducing extra latency when output interface is saturated
In-Reply-To: <42F25928.6010205@dsl.pipex.com>
References: <1122460110.8454.11.camel@pgala.it.nuigalway.ie> <42E78B39.1030201@dsl.pipex.com> <1122478662.4637.49.camel@pgala.it.nuigalway.ie> <42E80247.7010100@dsl.pipex.com> <1122568638.7828.40.camel@pgala.it.nuigalway.ie> <42E95302.2020303@dsl.pipex.com> <1123016381.4768.35.camel@pgala.it.nuigalway.ie> <42F0CED8.1090406@dsl.pipex.com> <42F11BDA.8070501@dsl.pipex.com> <42F25928.6010205@dsl.pipex.com>
Message-ID: <43562722.9050106@dsl.pipex.com>

Andy Furniss wrote:
> Andy Furniss wrote:
>
>> I haven't checked those figures or tested close to limits though, the
>> 12k burst would need increasing a bit as well or that will slightly
>> over limit rate at HZ=1000.
>
> It seems that htb still uses ip level for burst so 12k is enough.
>
> With the overhead at 38 I can ceil at 99mbit OK.

Jonathan spotted that on eth skb->len is ip len + 14, so overhead should be 24 not 38.

Andy.

From nata at cnett.com.br Wed Oct 19 14:41:30 2005
From: nata at cnett.com.br (Nataniel Klug)
Date: Wed Oct 19 14:41:47 2005
Subject: [LARTC] Load balance (two links in one server): why is this not working?
Message-ID: <000a01c5d4aa$6ec68540$57001eac@NATANIEL>

Hello,

I am trying to make a load balance at my box using two connections. I have compiled my kernel with the patch routes-2.6.13-12.diff (that I got from this website: http://www.linuxvirtualserver.org/~julian/#routes). The problem is that when I try to balance using the weight syntax (I will put the script below) some connections just drop. So I can enter some pages but not others... What can I do? I am using this script (and reading this howto, again, to see if I missed something: http://www.ssi.bg/~ja/nano.txt):

--- SCRIPT ---
#!/bin/sh
#-------------------------
# Port redirection configuration for the links
# Load balancing between network points
#-------------------------
#----
# System variables
#----
IPTABLES="/usr/local/sbin/iptables"
IP="/sbin/ip"
#
#----
# LINK INTERFACES
#----
IF1='eth0'
IF2='eth3'
#
#----
# Declare the networks
#----
P1_NET='200.163.208.0/25'
P2_NET='10.1.1.0/24'
#
#----
# Declare the IPs
#----
IP1='200.163.208.6'
IP2='10.1.1.10'
#
#----
# Declare the gateway of each connection
#----
P1='200.163.208.1'
P2='10.1.1.1'
#
#----
# Masquerade the networks and mark the packets
#----
$IPTABLES -t nat -A POSTROUTING -o $IF1 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $IF2 -j MASQUERADE
#
#----
# Default routes for the links (each table's default goes via that link's own gateway)
#----
$IP route add $P1_NET dev $IF1 src $IP1 table T1
$IP route add default via $P1 table T1
$IP route add $P2_NET dev $IF2 src $IP2 table T2
$IP route add default via $P2 table T2
#
$IP route add $P1_NET dev $IF1 src $IP1
$IP route add $P2_NET dev $IF2 src $IP2
#
$IP route add default scope global nexthop via $P1 dev $IF1 weight 4 nexthop via $P2 dev $IF2 weight 1
#
$IP rule add from $IP1 table T1
$IP rule add from $IP2 table T2
#
#----
# Flush the route cache
#----
$IP route flush cache
--- SCRIPT ---

Regards,
Nataniel Klug

From pupilla at hotmail.com Wed Oct 19 15:34:21 2005
From: pupilla at hotmail.com (Marco Berizzi)
Date: Wed Oct 19 15:34:25 2005
Subject: [LARTC] mark value as routing key
Message-ID:

Hi.

I have a problem with the iptables mark target. I'm using iptables to mark packets in this manner:

iptables -t mangle -I OUTPUT --protocol tcp --dport 80 -j MARK --set-mark 1

This linux box has two different ip addresses on two different subnets on the same ethernet NIC:

eth0: 1.1.1.254/24
eth0:adslA: 10.10.10.6/29

This is my ip rule sh output:

0: from all lookup local
400: from all fwmark 0x1 lookup adsl
450: from all lookup hdsl
32766: from all lookup main
32767: from all lookup default

Here is ip route sh table adsl:

default via 10.10.10.1 dev eth0 metric 1

and this is ip route sh table hdsl:

default via 1.1.1.1 dev eth0 metric 1

The main table doesn't have any default route.

Locally generated packets with destination port 80 are going through the adsl table, but the packet source ip is 1.1.1.254. Why?

Kernel is vanilla 2.6.14-rc4

From marek at piasta.pl Wed Oct 19 15:51:08 2005
From: marek at piasta.pl (Marek Kierdelewicz)
Date: Wed Oct 19 15:51:13 2005
Subject: [LARTC] Load balance (two links in one server): why is this not working?
In-Reply-To: <000a01c5d4aa$6ec68540$57001eac@NATANIEL>
References: <000a01c5d4aa$6ec68540$57001eac@NATANIEL>
Message-ID: <20051019155108.0dd625a5@cat>

> Hello,

Hi there.

>
> I am trying to make a load balance at my box using two
> connections. I have compiled my kernel with this patch
> routes-2.6.13-12.diff (that I got from this website:
> http://www.linuxvirtualserver.org/~julian/#routes).
> ....

I've tried to implement a similar setup some time ago. The problem was that there was no way to assure that an active connection won't be routed through different gateways (route cache entries timeout...). I've failed to overcome this problem with the help of route patches. I was able to balance traffic over a few connections with the connmark+nth iptables patches. Think of it as an alternative if route patches won't work as advertised.

Marek Kierdelewicz
KoBa ISP

From alex at hostingcenter.ro Wed Oct 19 16:44:49 2005
From: alex at hostingcenter.ro (Alex)
Date: Wed Oct 19 16:44:44 2005
Subject: [LARTC] arp flood (offtopic?)
Message-ID: <032b01c5d4bb$a8837ed0$020c0c0a@admin>

Hi guys,

Sorry if this is a little offtopic, but I was wondering what one can do to prevent/stop arp flooding?

Thanks,
Alex

From c-d.hailfinger.devel.2005 at gmx.net Wed Oct 19 16:51:26 2005
From: c-d.hailfinger.devel.2005 at gmx.net (Carl-Daniel Hailfinger)
Date: Wed Oct 19 16:53:22 2005
Subject: [LARTC] arp flood (offtopic?)
In-Reply-To: <032b01c5d4bb$a8837ed0$020c0c0a@admin>
References: <032b01c5d4bb$a8837ed0$020c0c0a@admin>
Message-ID: <43565D6E.80109@gmx.net>

Hi,

Alex wrote:
>
> Sorry if this is a little offtopic, but I was wondering what one can do
> to prevent/stop arp flooding?

Shut down the switch port the machine is attached to. Some managed switches can do that automatically once the arp flood starts.

Regards,
Carl-Daniel

From nata at cnett.com.br Wed Oct 19 16:57:58 2005
From: nata at cnett.com.br (Nataniel Klug)
Date: Wed Oct 19 16:58:12 2005
Subject: [LARTC] Load balance (two links in one server): why is this not working?
References: <000a01c5d4aa$6ec68540$57001eac@NATANIEL> <20051019155108.0dd625a5@cat>
Message-ID: <001401c5d4bd$7e3ea7b0$57001eac@NATANIEL>

Marek,

I made a test to route some kind of traffic through one link and another kind through the other, using L7-Filter compiled into the kernel and iptables. It worked properly. So now I will put P2P and messenger traffic through one link and all other traffic through the other link.

Thanks.

Regards,
Nataniel Klug
From aliaj00 at gmail.com Wed Oct 19 17:11:15 2005
From: aliaj00 at gmail.com (timi koli)
Date: Wed Oct 19 17:11:19 2005
Subject: [LARTC] new here can guide me throw :)
Message-ID: <19697b80510190811t3fa34ef4vdf8bdd88d1acc5aa@mail.gmail.com>

I'm new here and I saw some tutorials, but those were old, for the 2.4.x kernel, and I don't know where to start correctly.

Many thanks to all of you.

sincerely:
Timi

From nata at cnett.com.br Wed Oct 19 17:27:22 2005
From: nata at cnett.com.br (Nataniel Klug)
Date: Wed Oct 19 17:27:32 2005
Subject: [LARTC] Redirect mark to some route
Message-ID: <002701c5d4c1$9a27bf80$57001eac@NATANIEL>

Hello,

Here is what I want to do: I have a patch that makes me able to mark packets by their nature using layer 7. So I use this line to mark a packet (I will use msnmessenger as an example):

$IPT -t mangle -A POSTROUTING -m layer7 --l7proto msnmessenger -j MARK --set-mark 3001

Now I want all packets with this mark to go through my gateway using the link at eth2, and all other packets to use the link at eth1. How can I do this?!

Regards,
Nataniel Klug

From alvarolmmotta at gmail.com Wed Oct 19 18:53:58 2005
From: alvarolmmotta at gmail.com (Alvaro Motta)
Date: Wed Oct 19 18:54:03 2005
Subject: [LARTC] Inaccurate results without natting the traffic.
In-Reply-To: <434C1DD6.6070303@fatooh.org>
References: <3941d81c0510111305y4668a257k226618ec6b6e9f99@mail.gmail.com> <434C1DD6.6070303@fatooh.org>
Message-ID: <3941d81c0510190953v74fd4529xe4bb38075e2f2536@mail.gmail.com>

Hi Corey,

First, let me thank you for your message. Sorry for not responding before.

As per your request, here is a sketch of my test bed environment.

 ____            ____            ____
|    |          |    |          |    |
| A  |----------| B  |----------| C  |
|____|          |____|          |____|

Machine A
IPA - 192.168.0.20/24
DefGw - 192.168.0.1

Machine B
IPB (eth1) - 192.168.0.19/24
IPB (eth0) - 10.4.10.201/16
DefGw - 192.168.0.1

Machine C
IPC - 10.4.10.202/16
DefGw - 57.4.10.202

On machine B:
2.6.11-1.1369_FC4 (Fedora Core 4)
iproute-2.6.11-1
cbq.init v0.7.3

following scripts:

cbq-0002.eth0
DEVICE=eth0,100Mbit,10Mbit
RATE=100Mbit
WEIGHT=10Mbit

cbq-0003.eth1
DEVICE=eth1,100Mbit,10Mbit
RATE=100Mbit
WEIGHT=10Mbit

cbq-0004.dwn
DEVICE=eth0
RATE=64Kbit
WEIGHT=6kbit
RULE=0/0,0/0

cbq-0005.upl
DEVICE=eth1
RATE=64kbit
WEIGHT=6kbit
RULE=0/0,0/0

For testing purposes, we have apache installed on machines A and C.

From C I do a wget 192.168.0.20/1M and get those funky results stated in my previous message.
From A I do a wget 10.4.10.202/1M and the achieved results are very close to the desired bandwidth.

So, from C's perspective, the upload rate is fine, but the download rate is way out of what we want. The funniest thing is that if I swap the interfaces in the .dwn and .upl files, the results are the same. If, on B, I issue iptables -t nat -A POSTROUTING -s 0/0 -d 0/0 -j MASQUERADE, then the results of download and upload are pretty much the same. Whatever I do with the iptables command, the only way to have the desired transfer rate is if the target and destination machines are included in the nat (that's why I use 0/0).
Output of cbq.init compile:

/sbin/tc qdisc del dev eth0 root
/sbin/tc qdisc add dev eth0 root handle 1 cbq bandwidth 100Mbit avpkt 1000 cell 8
/sbin/tc class change dev eth0 root cbq weight 10Mbit allot 1514
/sbin/tc qdisc del dev eth1 root
/sbin/tc qdisc add dev eth1 root handle 1 cbq bandwidth 100Mbit avpkt 1000 cell 8
/sbin/tc class change dev eth1 root cbq weight 10Mbit allot 1514
/sbin/tc class add dev eth0 parent 1: classid 1:2 cbq bandwidth 100Mbit rate 100Mbit weight 10Mbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
/sbin/tc qdisc add dev eth0 parent 1:2 handle 2 tbf rate 100Mbit buffer 10Kb/8 limit 15Kb mtu 1500
/sbin/tc class add dev eth1 parent 1: classid 1:3 cbq bandwidth 100Mbit rate 100Mbit weight 10Mbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
/sbin/tc qdisc add dev eth1 parent 1:3 handle 3 tbf rate 100Mbit buffer 10Kb/8 limit 15Kb mtu 1500
/sbin/tc class add dev eth0 parent 1: classid 1:4 cbq bandwidth 100Mbit rate 64Kbit weight 6Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
/sbin/tc qdisc add dev eth0 parent 1:4 handle 4 tbf rate 64Kbit buffer 10Kb/8 limit 15Kb mtu 1500
/sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 200 u32 match ip src 0/0 match ip dst 0/0 classid 1:4
/sbin/tc class add dev eth1 parent 1: classid 1:5 cbq bandwidth 100Mbit rate 64Kbit weight 6Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
/sbin/tc qdisc add dev eth1 parent 1:5 handle 5 tbf rate 64Kbit buffer 10Kb/8 limit 15Kb mtu 1500
/sbin/tc filter add dev eth1 parent 1:0 protocol ip prio 200 u32 match ip src 0/0 match ip dst 0/0 classid 1:5

Output of cbq.init list

### eth0: queueing disciplines
qdisc cbq 1: rate 100000Kbit (bounded,isolated) prio no-transmit
qdisc tbf 2: parent 1:2 rate 100000Kbit burst 10Kb lat 400us
qdisc tbf 4: parent 1:4 rate 64000bit burst 10Kb lat 625.0ms

### eth0: traffic classes
class cbq 1: root rate 100000Kbit (bounded,isolated) prio no-transmit
class cbq 1:2 parent 1: leaf 2: rate 100000Kbit (bounded) prio 5
class cbq 1:4 parent 1: leaf 4: rate 64000bit (bounded) prio 5
class tbf 2:1 parent 2:
class tbf 4:1 parent 4:

### eth0: filtering rules
filter parent 1: protocol ip pref 200 u32
filter parent 1: protocol ip pref 200 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 200 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:4
  match 00000000/00000000 at 12
  match 00000000/00000000 at 16

### eth1: queueing disciplines
qdisc cbq 1: rate 100000Kbit (bounded,isolated) prio no-transmit
qdisc tbf 3: parent 1:3 rate 100000Kbit burst 10Kb lat 400us
qdisc tbf 5: parent 1:5 rate 64000bit burst 10Kb lat 625.0ms

### eth1: traffic classes
class cbq 1: root rate 100000Kbit (bounded,isolated) prio no-transmit
class cbq 1:3 parent 1: leaf 3: rate 100000Kbit (bounded) prio 5
class cbq 1:5 parent 1: leaf 5: rate 64000bit (bounded) prio 5
class tbf 3:1 parent 3:
class tbf 5:1 parent 5:

### eth1: filtering rules
filter parent 1: protocol ip pref 200 u32
filter parent 1: protocol ip pref 200 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 200 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:5
  match 00000000/00000000 at 12
  match 00000000/00000000 at 16

Output of cbq.init stats

### eth0: queueing disciplines
qdisc cbq 1: rate 100000Kbit (bounded,isolated) prio no-transmit
 Sent 84 bytes 2 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
  borrowed 0 overactions 0 avgidle 81 undertime 0
qdisc tbf 2: parent 1:2 rate 100000Kbit burst 10Kb lat 400us
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc tbf 4: parent 1:4 rate 64000bit burst 10Kb lat 625.0ms
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

### eth0: traffic classes
class cbq 1: root rate 100000Kbit (bounded,isolated) prio no-transmit
 Sent 84 bytes 2 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
  borrowed 0 overactions 0 avgidle 81 undertime 0
class cbq 1:2 parent 1: leaf 2: rate 100000Kbit (bounded) prio 5
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
  borrowed 0 overactions 0 avgidle 81 undertime 0
class cbq 1:4 parent 1: leaf 4: rate 64000bit (bounded) prio 5
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
  borrowed 0 overactions 0 avgidle 3.63072e+06 undertime 0
class tbf 2:1 parent 2:
class tbf 4:1 parent 4:

### eth0: filtering rules
filter parent 1: protocol ip pref 200 u32
filter parent 1: protocol ip pref 200 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 200 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:4 (rule hit 0 success 0)
  match 00000000/00000000 at 12 (success 0 )
  match 00000000/00000000 at 16 (success 0 )

### eth1: queueing disciplines
qdisc cbq 1: rate 100000Kbit (bounded,isolated) prio no-transmit
 Sent 2352 bytes 56 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
  borrowed 0 overactions 0 avgidle 81 undertime 0
qdisc tbf 3: parent 1:3 rate 100000Kbit burst 10Kb lat 400us
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc tbf 5: parent 1:5 rate 64000bit burst 10Kb lat 625.0ms
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

### eth1: traffic classes
class cbq 1: root rate 100000Kbit (bounded,isolated) prio no-transmit
 Sent 2352 bytes 56 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
  borrowed 0 overactions 0 avgidle 81 undertime 0
class cbq 1:3 parent 1: leaf 3: rate 100000Kbit (bounded) prio 5
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
  borrowed 0 overactions 0 avgidle 81 undertime 0
class cbq 1:5 parent 1: leaf 5: rate 64000bit (bounded) prio 5
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
  borrowed 0 overactions 0 avgidle 3.63072e+06 undertime 0
class tbf 3:1 parent 3:
class tbf 5:1 parent 5:

### eth1: filtering rules
filter parent 1: protocol ip pref 200 u32
filter parent 1: protocol ip pref 200 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 200 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:5 (rule hit 0 success 0)
  match 00000000/00000000 at 12 (success 0 )
  match 00000000/00000000 at 16 (success 0 )

I hope this is enough information for you to try to help me.

Thanks for your time and consideration.

best regards,
AL

On 10/11/05, Corey Hickey wrote:
> Alvaro Motta wrote:
> > Now I come to you guys again, with the question: How to make cbq or
> > htb work without masquerading the traffic?
>
> That really isn't supposed to have anything to do with it.... Can you
> post your configuration files/scripts and a quick ASCII map showing
> where your Linux machine is placed?
>
> -Corey

From bugfood-ml at fatooh.org Wed Oct 19 19:40:57 2005
From: bugfood-ml at fatooh.org (Corey Hickey)
Date: Wed Oct 19 19:41:07 2005
Subject: [LARTC] Inaccurate results without natting the traffic.
In-Reply-To: <3941d81c0510190953v74fd4529xe4bb38075e2f2536@mail.gmail.com>
References: <3941d81c0510111305y4668a257k226618ec6b6e9f99@mail.gmail.com> <434C1DD6.6070303@fatooh.org> <3941d81c0510190953v74fd4529xe4bb38075e2f2536@mail.gmail.com>
Message-ID: <43568529.9010504@fatooh.org>

Alvaro Motta wrote:
> I hope this is enough information for you to try to help me.
>
> Thanks for your time and consideration.

Well, it looks like you've posted enough information now. Unfortunately, I'm not having any bright ideas. You have me stumped. Hopefully someone else on this list will take interest and be able to help you.

Sorry,
Corey

From marek at piasta.pl Wed Oct 19 20:04:58 2005
From: marek at piasta.pl (Marek Kierdelewicz)
Date: Wed Oct 19 20:05:55 2005
Subject: [LARTC] arp flood (offtopic?)
In-Reply-To: <032b01c5d4bb$a8837ed0$020c0c0a@admin>
References: <032b01c5d4bb$a8837ed0$020c0c0a@admin>
Message-ID: <20051019200458.5be5ebf5@cat>

> Hi guys,

Hi

>
> Sorry if this is a little offtopic, but I was wondering what can one
> do to prevent/stop arp flooding ?

You can increase arp cache table size:

echo 512 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

It'll make your box handle arpfloods more easily (at least DoS part).

You can also use static arp entries (man arp). This will ensure known
computers will always have access to (through) your router (even with
arpflood in progress).

Two solutions mentioned above cope with "Neighbour table overflow" and
problems with accessibility to other legitimate users. They
don't cope however with router's cpu utilisation...

Hope that helps.

Marek Kierdelewicz
KoBa ISP

From alex at hostingcenter.ro Wed Oct 19 22:55:09 2005
From: alex at hostingcenter.ro (Alex)
Date: Wed Oct 19 22:54:53 2005
Subject: [LARTC] arp flood (offtopic?)
References: <032b01c5d4bb$a8837ed0$020c0c0a@admin> <20051019200458.5be5ebf5@cat>
Message-ID: <001501c5d4ef$645e2190$020c0c0a@admin>

This is what I do to avoid "Neighbor table overflow" :

echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 8192 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

I should mention that I don't get the message Neighbor table overflow, at
least with these settings, don't know with default.

Now the thing is that the load average goes up to 30 and the gateway
doesn't even respond to ping after a while.
The arp-requests are not only for ips that are assigned to hosts but
even for un-allocated ips in the same subnet.

Maybe dividing into multiple vlans would be a better idea?

Regards,
Alex

----- Original Message -----
From: "Marek Kierdelewicz"
To:
Sent: Wednesday, October 19, 2005 9:04 PM
Subject: Re: [LARTC] arp flood (offtopic?)

>> Hi guys,
>
> Hi
>
>>
>> Sorry if this is a little offtopic, but I was wandering what can one
>> do to prevent/stop arp flooding ?
>
> You can increase arp cache table size:
>
> echo 512 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
> echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
> echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
>
> It'll make your box handle arpfloods more easily (at least DoS part).
>
> You can also use static arp entries (man arp). This will ensure known
> computers will always have access to (throu) your router (even with
> arpflood in progress).
>
>
> Two solutions mentioned above cope with "Neighbour table overflow" and
> problems with accessibility to other legitimate users. They
> don't cope however with router's cpu utilisation...
>
> Hope that helps.
>
> Marek Kierdelewicz
> KoBa ISP
>
> --
> This message has been scanned for viruses and
> dangerous content by LG-Network(http://www.lgnet.ro), and is
> believed to be clean.
>

From comp.techs at aspenview.org Wed Oct 19 23:42:37 2005
From: comp.techs at aspenview.org (comp.techs)
Date: Wed Oct 19 23:42:45 2005
Subject: [LARTC] load balance with gre/ipsec
Message-ID: <648A21EA469E3848922D9860785CD5EF4566EE@aspen-mail01.aspenview.org>

Hi,

I have the following setup. Two linux systems with two [test] external
interfaces encrypted with ipsec [transport]. Two gre tunnels that pass
10.200.0.0/24 and 10.200.1.0/24 network traffic.

Testing the balanced tunnels I would setup iptraf on one and ping from the
other. The results would be as expected; traffic would be split between the
two interfaces.

Testing with an ftp transfer of 300MB I would get various results:

1. one interface would be transferring at 36Mbit/s the other would be at
   1.5Mbits/s [a -> b] or one interface would be transferring at 29Mbit/s
   and the other at 0.
2. I would get the same results from [b->a]

Is there something I missed or did not configure properly?

Any help or suggestions would be appreciated.

jason

        192.168.0.1        [ipsec tunnel]        192.168.0.2
  [A] ------------------------------------------------------------- [B]
        172.16.0.1         [ipsec tunnel]        172.16.0.2
      -------------------------------------------------------------

[A] linux 2.6.13
    internal 10.200.1.2/24
    ext 192.168.0.1
    ext 172.16.0.1
    [gre tunnels]
    netb  10.200.1.2
    netb2 10.200.1.2

[B] linux 2.6.13
    internal 10.200.0.2
    ext 192.168.0.2
    ext 172.16.0.2
    [gre tunnels]
    neta  10.200.0.2
    neta2 10.200.0.2

a.
ip tunnel add netb mode gre remote 172.16.0.2 local 172.16.0.1 ttl 255
ip link set netb up
ip addr add 10.200.1.2 dev netb
ip tunnel add netb2 mode gre remote 192.168.0.2 local 192.168.0.1 ttl 255
ip link set netb2 up
ip addr add 10.200.1.2 dev netb2
ip route add equalize 10.200.0.0/24 nexthop via 10.200.1.2 dev netb nexthop via 10.200.1.2 dev netb2

b.
ip tunnel add neta mode gre remote 172.16.0.1 local 172.16.0.2 ttl 255
ip link set neta up
ip addr add 10.200.0.2 dev neta
ip tunnel add neta2 mode gre remote 192.168.0.1 local 192.168.0.2 ttl 255
ip link set neta2 up
ip addr add 10.200.0.2 dev neta2
ip route add equalize 10.200.1.0/24 nexthop via 10.200.0.2 dev neta nexthop via 10.200.0.2 dev neta2

From comp.techs at aspenview.org Thu Oct 20 00:04:59 2005
From: comp.techs at aspenview.org (comp.techs)
Date: Thu Oct 20 00:05:07 2005
Subject: [LARTC] gre/ipsec loadbalancing
Message-ID: <648A21EA469E3848922D9860785CD5EF4566EF@aspen-mail01.aspenview.org>

From c-d.hailfinger.devel.2005 at gmx.net Thu Oct 20 00:09:40 2005
From: c-d.hailfinger.devel.2005 at gmx.net (Carl-Daniel Hailfinger)
Date: Thu Oct 20 00:11:34 2005
Subject: [LARTC] arp flood (offtopic?)
In-Reply-To: <001501c5d4ef$645e2190$020c0c0a@admin>
References: <032b01c5d4bb$a8837ed0$020c0c0a@admin> <20051019200458.5be5ebf5@cat> <001501c5d4ef$645e2190$020c0c0a@admin>
Message-ID: <4356C424.80009@gmx.net>

Alex schrieb:
> Now the thing is that the load average goes up to 30 and the gateway
> doesn't even respond to ping after a while.
> The arp-requests are not only for ips that are assigned to hosts but
> even for un-allocated ips in the same subnet.

Ah. Classical problem. There are only two realistic explanations for it:
- the source of the arp flood is scanning the local net
- the source of the arp flood has been infected with a virus.
In my experience, only viruses generate real floods, scans are much more
friendly to the network. So just clean the viruses from the flooding
machines.

> Maybe dividing into multiple vlans would be a better idea?

Yes, that would somewhat help, but not solve the problem completely.
Besides, I'd go for fixing the real problem instead of some symptoms.

Regards,
Carl-Daniel
--
http://www.hailfinger.org/

From lartc-337 at ccp.com.au Thu Oct 20 02:13:16 2005
From: lartc-337 at ccp.com.au (Lee Sanders)
Date: Thu Oct 20 02:13:27 2005
Subject: [LARTC] new here can guide me throw :)
In-Reply-To: <19697b80510190811t3fa34ef4vdf8bdd88d1acc5aa@mail.gmail.com>
References: <19697b80510190811t3fa34ef4vdf8bdd88d1acc5aa@mail.gmail.com>
Message-ID: <200510200813.16418.lartc-337@ccp.com.au>

Hi Timi,

To give advice we really need to know what you are trying to do. However here
are a few links to sites I found useful when figuring out how to use QOS on
linux.

Ignore what you were told, most of the things you will read apply to both 2.4
and 2.6. If it's a specific program like WRR that only has patches for 2.2 and
2.4, look harder because there are patches for 2.6 :)

If you're just shaping your network to improve performance look at wondershaper
http://lartc.org/wondershaper/

If you want to share bandwidth equally amongst X machines where X isn't really
known, try WRR
http://wipl-wrr.sourceforge.net/
Kern 2.6 patch available here
http://www.zz9.dk/wrr
and here
http://kem.p.lodz.pl/%7Epeter/qnet/

If you want to do specific shaping for specific services there are about 11
different linux queuing methods to pick from, most here advise using HTB
http://luxik.cdi.cz/%7Edevik/qos/htb/

A ready made script to use HTB on your server HTB.init
http://sourceforge.net/projects/htbinit/

Three other pages I found useful in learning wtf was going on.
http://www.faqs.org/docs/Linux-HOWTO/ADSL-Bandwidth-Management-HOWTO.html
http://lartc.org/lartc.html
http://www.opalsoft.net/qos/DS.htm

Regards,
Lee

From J.Kraaijeveld at Askesis.nl Thu Oct 20 09:45:54 2005
From: J.Kraaijeveld at Askesis.nl (Joost Kraaijeveld)
Date: Thu Oct 20 09:48:21 2005
Subject: [LARTC] Ho do i manage NAT'ed egress bandwidht?
Message-ID: <1129794354.22270.78.camel@Panoramix>

Hi,

I have a Debian based NAT router. How can I manage upstream egress
bandwidth based on the LAN IP address in the network below? My goal is
that host1 gets a minimum of 10Mbit up/down and host2 gets a minimum of
90Mbit up/down, both max 100Mbit up/down?

                 targethost
               172.16.255.254
                      |
                      |
                  172.16.0.1
                   natrouter
                172.31.255.254
                      |
                      |
          +----------------------+
          |                      |
      172.31.0.1            172.31.0.2
        host1                 host2

TIA

--
Groeten,

Joost Kraaijeveld
Askesis B.V.
Molukkenstraat 14
6524NB Nijmegen
tel: 024-3888063 / 06-51855277
fax: 024-3608416
e-mail: J.Kraaijeveld@Askesis.nl
web: www.askesis.nl

From oscar at ufomechanic.net Thu Oct 20 10:33:08 2005
From: oscar at ufomechanic.net (Oscar Mechanic)
Date: Thu Oct 20 10:33:23 2005
Subject: [LARTC] arp flood (offtopic?)
In-Reply-To: <4356C424.80009@gmx.net>
References: <032b01c5d4bb$a8837ed0$020c0c0a@admin> <20051019200458.5be5ebf5@cat> <001501c5d4ef$645e2190$020c0c0a@admin> <4356C424.80009@gmx.net>
Message-ID: <1129797188.14822.187.camel@OSCARLAPLIN>

Has anyone tried ebtables and the limit target to control the rate?

On Thu, 2005-10-20 at 00:09 +0200, Carl-Daniel Hailfinger wrote:
> Alex schrieb:
> > Now the thing is that the load average goes up to 30 and the gateway
> > doesn't even respond to ping after a while.
> > The arp-requests are not only for ips that are assigned to hosts but
> > even for un-allocated ips in the same subnet.
>
> Ah. Classical problem. There are only two realistic explanations for it:
> - the source of the arp flood is scanning the local net
> - the source of the arp flood has been infected with a virus.
> In my experience, only viruses generate real floods, scans are much more
> friendly to the network. So just clean the viruses from the flooding
> machines.
>
> > Maybe dividing into multiple vlans would be a better idea?
>
> Yes, that would somewhat help, but not solve the problem completely.
> Besides, I'd go for fixing the real problem instead of some symptoms.
>
>
> Regards,
> Carl-Daniel

From marek at piasta.pl Thu Oct 20 10:49:52 2005
From: marek at piasta.pl (Marek Kierdelewicz)
Date: Thu Oct 20 10:50:04 2005
Subject: [LARTC] Ho do i manage NAT'ed egress bandwidht?
In-Reply-To: <1129794354.22270.78.camel@Panoramix>
References: <1129794354.22270.78.camel@Panoramix>
Message-ID: <20051020104952.16a1999e@cat>

> Hi,

Hi

>
> I have a Debian based NAT router. How can I manage upstream egress
> bandwidth based on the LAN ipadress in the network below? My goal is
> that host1 get a minumum of 10Mbit up/down and host2 gets a minimum
> of 90Mbit up/down, both max 100Mbit up/down?
>

You can use iptables MARK target in PREROUTING or FORWARD chain of nat
table in conjunction with a fw filter (see tc filter help).

Marek Kierdelewicz
KoBa ISP

From jlynch at frink.nuigalway.ie Thu Oct 20 13:07:30 2005
From: jlynch at frink.nuigalway.ie (Jonathan Lynch)
Date: Thu Oct 20 13:07:37 2005
Subject: [LARTC] DSCP, ToS and Egress
In-Reply-To: <20050218112539.ud1zmh6kg0wcogw0@home.wep.net>
References: <421472FC.1080207@iit.demokritos.gr> <20050217093326.86wps221hk4ggsss@home.wep.net> <4214BD40.2030207@iit.demokritos.gr> <20050218112539.ud1zmh6kg0wcogw0@home.wep.net>
Message-ID: <1129806450.14444.24.camel@localhost.localdomain>

I was just looking at your QoS Script. Did you ever notice that no packets
will be put into gred dp3 ?

I was using a similar script based on AF examples on the web and apparently
in the gred qdisc now when you declare 3 dps they are numbered 0,1,2 and not
1,2,3.

This line in gred_enqueue in sch_gred.c will prevent packets that you have
given a tcindex of 113,123,133,143 of being put in the right dp. They will
get put into the default dp.

    if ( ((skb->tc_index&0xf) > (t->DPs -1)) || !(q=t->tab[skb->tc_index&0xf])) {

This isn't a bug in the code either as I found out.

You could take the -1 out of this line or else use gred DP0 , DP1, DP2 and
change your tcindex classifiers to 110,111,112

Jonathan

On Fri, 2005-02-18 at 11:25 -0600, Dan Cox wrote:
> I've added a few more helper functions for a more complete demonstration. I've
> also added some suggested default values (see script).
> Here's an example usage for a 100mbit LAN:
>
> # Load the functions into the environment
> #
> source diffserv.sh
> #
> # Set device queue length and MTU
> #
> init_device eth1 10 1500
> #
> # Clear the device qdiscs
> #
> reset_qdisc eth1
> #
> # Create the root DSMARK qdisc & filters.
> #
> init_classifier eth1 10:
> #
> # Now create our main HTB qdisc
> # We attach to the parent DSMARK qdisc (10:) and give ourselves a handle of 1:
> #
> qdisc eth1 "parent 10: handle 1: htb default 1 r2q 1"
> #
> # Now we create our leaf HTB + GRED classes and qdiscs to perform diffserv
> # Note that this will create HTB classes underneath the HTB qdisc (1:)
> #
> diffserv 1: eth1 100000 100000 1000 10 1500 1500 64 0
>
> In a more complex setup, you can insert additional levels of HTB classes under
> the HTB qdisc and then call 'diffserv' on those leaf classes, but remember to
> add additional filters (can NOT use iptables CLASSIFY target) or traffic will
> never reach those classes. 'diffserv' assumes traffic has already made
> it as far
> as its parent qdisc (or class) and attaches its filters there.
>
> Dan-
>

From support8 at greatlakes.net Thu Oct 20 14:54:03 2005
From: support8 at greatlakes.net (Eliot, Wireless and Server Administrator, Great Lakes Internet)
Date: Thu Oct 20 14:58:00 2005
Subject: [LARTC] HFSC Advanced Limiting
Message-ID: <0633E0EDB4F25F43A2D7179CA11FAFAB04B541@xavier.staff.greatlakes.net>

Thank you.

Eliot Gable
Certified Wireless Network Administrator
Cisco Certified Network Associate
CompTIA Security+ Certified
CompTIA Network+ Certified
Network and Systems Administrator
Great Lakes Internet, Inc.
112 North Howard
Croswell, MI 48422
810-679-3395

-----Original Message-----
From: Andy Furniss [mailto:andy.furniss@dsl.pipex.com]
Sent: Wed 10/19/2005 6:55 AM
To: Eliot, Wireless and Server Administrator, Great Lakes Internet
Cc: jasonb@edseek.com; lartc@mailman.ds9a.nl
Subject: Re: [LARTC] HFSC Advanced Limiting

Eliot, Wireless and Server Administrator, Great Lakes Internet wrote:

> CMD="tc qdisc add dev eth0 root handle 1: hfsc default 1"

Default should be a leaf class.

-

tc class add dev eth1 parent 2:1000 classid 2:10000 hfsc sc umax 1500b dmax 30ms rate 80Kbit...

If you attach qdisc to eth then it sees packet length as ip len + 14 so use
1514.

Andy.

From lartc-337 at ccp.com.au Thu Oct 20 15:51:02 2005
From: lartc-337 at ccp.com.au (Lee Sanders)
Date: Thu Oct 20 15:51:08 2005
Subject: [LARTC] Ho do i manage NAT'ed egress bandwidht?
In-Reply-To: <1129794354.22270.78.camel@Panoramix>
References: <1129794354.22270.78.camel@Panoramix>
Message-ID: <200510202151.03166.lartc-337@ccp.com.au>

Hi Joost,

This sounds like a situation where you would probably use HTB to shape your
bandwidth. You can search the archives for info on HTB, read the LARTC pages
but you may find more specific information relating to your situation at the
below links.

http://luxik.cdi.cz/%7Edevik/qos/htb/

Or you can just use this ready made HTB script on your server which should
suit your problem description without much extra work on your behalf.

http://sourceforge.net/projects/htbinit/

Regards,
Lee

On Thu, 20 Oct 2005 03:45 pm, Joost Kraaijeveld wrote:
> Hi,
>
> I have a Debian based NAT router. How can I manage upstream egress
> bandwidth based on the LAN ipadress in the network below? My goal is
> that host1 get a minumum of 10Mbit up/down and host2 gets a minimum of
> 90Mbit up/down, both max 100Mbit up/down?
>
>                  targethost
>                172.16.255.254
>                       |
>                       |
>                   172.16.0.1
>                    natrouter
>                 172.31.255.254
>                       |
>                       |
>           +----------------------+
>           |                      |
>       172.31.0.1            172.31.0.2
>         host1                 host2
>
>
> TIA

From lista at umeda.com.br Thu Oct 20 16:12:16 2005
From: lista at umeda.com.br (James Lista)
Date: Thu Oct 20 16:12:31 2005
Subject: [LARTC] Consider r2q change
References: <1129794354.22270.78.camel@Panoramix>
Message-ID: <001801c5d580$46ec2b20$0700000a@d3lta>

Buddies,

When I run my HTB script it says the below message with "dmesg"
what does that mean ?

--------------------------------------------------------
HTB: quantum of class 10001 is big. Consider r2q change.
HTB: quantum of class 10002 is big. Consider r2q change.
HTB: quantum of class 10030 is small. Consider r2q change.
HTB: quantum of class 10031 is small. Consider r2q change.

From m.innocenti at cineca.it Thu Oct 20 16:23:32 2005
From: m.innocenti at cineca.it (m.innocenti@cineca.it)
Date: Thu Oct 20 16:23:41 2005
Subject: [LARTC] Consider r2q change
In-Reply-To: <001801c5d580$46ec2b20$0700000a@d3lta>
References: <1129794354.22270.78.camel@Panoramix> <001801c5d580$46ec2b20$0700000a@d3lta>
Message-ID: <4357A8D1.4040805@cineca.it>

James Lista ha scritto:
> Buddies,
>
> When I run my HTB script it says the below message with "dmesg"
> what does that mean ?
> HTB: quantum of class 10001 is big. Consider r2q change.

The kernel calculates the quantum using rate / r2q (rate to quantum), which
has a default value of 10. If the calculated value is less than 1000 then the
quantum will have a value of 1000 and you get the message you posted.
You should have a quantum value bigger than your MTU.

--
**********************************************************************
Marco Innocenti                    Gruppo Infrastruttura e Sicurezza
CINECA                             phone:+39 0516171553 / fax:+39 0516132198
Via Magnanelli 6/3                 e-mail: innocenti@cineca.it
40033 Casalecchio di Reno Bologna (Italia)
**********************************************************************

From lartc-337 at ccp.com.au Thu Oct 20 16:32:39 2005
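The quantum arithmetic Marco describes above, worked through as an added example (not code from the thread or from sch_htb.c): quantum = rate in bytes / r2q, clamped by the kernel to 1000 bytes with the "is small" warning, and checked against the 1500 to 60000 byte window the thread recommends. The upper kernel clamp of 200000 bytes is sch_htb.c's value and is not in the excerpt quoted in the thread; the sample rates are constructed.

```python
"""Worked example of HTB's quantum = rate / r2q rule and the dmesg warnings."""

MTU = 1500
KERNEL_MIN_QUANTUM = 1000      # sch_htb.c clamps smaller quanta here ("is small")
KERNEL_MAX_QUANTUM = 200000    # and larger ones here ("is big"); not in the quoted excerpt


def htb_quantum(rate_bps, r2q=10, quantum=None):
    """Quantum (bytes) a leaf class ends up with, mirroring the kernel's rule:
    an explicit 'quantum' parameter wins, otherwise rate_in_bytes / r2q is
    clamped. Returns (quantum, warning) with warning None, "small" or "big"."""
    if quantum:
        return quantum, None
    q = (rate_bps // 8) // r2q          # tc hands the kernel a rate in bytes/s
    if q < KERNEL_MIN_QUANTUM:
        return KERNEL_MIN_QUANTUM, "small"
    if q > KERNEL_MAX_QUANTUM:
        return KERNEL_MAX_QUANTUM, "big"
    return q, None


def suggest_r2q(rates_bps, lo=MTU, hi=60000, max_r2q=10000):
    """Pick the r2q that puts the most leaf rates inside [lo, hi] (smallest
    r2q on ties). Leaves that still fall outside get an explicit quantum
    pinned to the nearer bound, i.e. the 'tc class ... quantum 60000'
    override the thread recommends for the fast class."""
    best_r2q, best_fit = 1, -1
    for r2q in range(1, max_r2q + 1):
        fit = sum(lo <= (r // 8) // r2q <= hi for r in rates_bps)
        if fit > best_fit:
            best_r2q, best_fit = r2q, fit
        if fit == len(rates_bps):
            break
    overrides = {}
    for r in rates_bps:
        q = (r // 8) // best_r2q
        if q < lo:
            overrides[r] = lo
        elif q > hi:
            overrides[r] = hi
    return best_r2q, overrides


def kernel_messages(classes, r2q=10):
    """Reproduce the dmesg lines for {classid: rate_bps}; classids print in hex."""
    msgs = []
    for classid, rate in classes.items():
        _, warn = htb_quantum(rate, r2q)
        if warn:
            msgs.append("HTB: quantum of class %X is %s. Consider r2q change."
                        % (classid, warn))
    return msgs


if __name__ == "__main__":
    # constructed leaves: a 16kbit class and a 100mbit class (classids 1:30 and 1:1)
    leaves = {0x10001: 100_000_000, 0x10030: 16_000}
    for line in kernel_messages(leaves):
        print(line)
    r2q, overrides = suggest_r2q(list(leaves.values()))
    print("use r2q", r2q, "and explicit quantum for:", overrides)
```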
From: lartc-337 at ccp.com.au (Lee Sanders)
Date: Thu Oct 20 16:32:45 2005
Subject: [LARTC] Consider r2q change
In-Reply-To: <001801c5d580$46ec2b20$0700000a@d3lta>
References: <1129794354.22270.78.camel@Panoramix> <001801c5d580$46ec2b20$0700000a@d3lta>
Message-ID: <200510202232.39935.lartc-337@ccp.com.au>

You really should search the list archives. This question has been asked a
dozen times in the last year. Google also turned this up quite quickly.

http://www.docum.org/docum.org/faq/cache/31.html

To copy and paste some previous answers from the list. You will need to sort
these yourself.

It is documented in HTB manual. The complaint was not displayed before and
sharing was silently wrong. Quantum of leaf should be between 1500 and 60000
and it is computed as rate/r2q (or can be supplied independently). So that if
your maximal leaf rate is 1Mbit (120000Bps) then r2q should be 3. If max rate
is 10kbit (1200Bps) then r2q should be 1. It is warning only and will not
affect functionality, only precision.

devik

Smallest rate : 16kbit = 2 kilobyte / r2q (=10) = 200. And this is < 1500.
So you get warnings.
Biggest rate : 100mbit = 12.5 mbyte / r2q = 1.2 Mbyte > 60.000. So you get
warnings.

If you do

tc qdisc add dev eth0 root handle 1: htb default 10 r2q 1

Smallest rate : 16kbit = 2kilobyte / r2q = 2000. And this is > 1500. So no
warnings.
Biggest rate : 100mbit = 12.5 mbyte / r2q = 12.5 Mbyte > 60.000. So you get
warnings. But you can overrule the quantum :

tc class add dev eth0 parent 1:1 classid 1:11 htb rate 128kbit burst 2k quantum 60000

Quantum is used when 2 classes are getting more bandwidth than the rate. So
it's only important for sharing the remaining bandwidth. In that case, each
class may send quantum bytes.

If I understand the source, that message occurs when you have a leaf class
whose calculated quantum (rate/r2q) is less than 1000 byte and the kernel set
the quantum to 1000 byte.
I've read that the quantum should be bigger than the MTU so I don't understand
why the kernel doesn't use a minimum quantum value bigger than 1500.
Someone has a clue?

From kernel-source-2.6.10/net/sched/sch_htb.c

    if (!hopt->quantum && cl->un.leaf.quantum < 1000) {
        printk(KERN_WARNING "HTB: quantum of class %X is small. Consider r2q change.\n", cl->classid);
        cl->un.leaf.quantum = 1000;
    }

I hope this helps.

Regards,
Lee

On Thu, 20 Oct 2005 10:12 pm, James Lista wrote:
> nsider r2q change.
> HTB: quantum of class 10002 is big. Consider r2q change.
> HTB: quantum of class 10030 is small. Consider r2q change.
> HTB: quantum of class 10031 is small. Consider r2q change.

From yhmail29 at yahoo.co.in Thu Oct 20 16:42:03 2005
From: yhmail29 at yahoo.co.in (Yogesh Hasabnis)
Date: Thu Oct 20 16:42:14 2005
Subject: [LARTC] Monitoring the traffic shaping setup
Message-ID: <20051020144203.86493.qmail@web8405.mail.in.yahoo.com>

Hi All,

I am a new member of this list. I want to know about a way to monitor the
traffic shaping setup to confirm whether it is working as expected. I went
through the archives of this list and found some pointers related to tc-snmp
extension/patch for net-snmp and some perl scripts on www.docum.org. I want
to know whether this type of a setup works. Or else is there any other way ?

Actually I am not even successful in applying the tc-snmp extension/patch to
net-snmp. I applied the patch and started snmpd and when I give the command
"snmpwalk -v 2c -c string 127.0.0.1 enterprises.18756", I get the error
"SNMPv2-SMI::enterprises.18756 = No Such Object available on this agent at
this OID".

Kindly give me some clues for resolving the above two issues.

Thanks
Yogesh H

From klaus at ipp2p.org Thu Oct 20 18:31:10 2005
From: klaus at ipp2p.org (Klaus)
Date: Thu Oct 20 18:31:14 2005
Subject: [LARTC] IPP2P version 0.8.0 released
Message-ID: <4357C64E.6060207@ipp2p.org>

Hi,

The new version ipp2p 0.8.0 is released.

Klaus
--
www.ipp2p.com

From paul.lewis at st-annes.oxford.ac.uk Thu Oct 20 18:40:38 2005
From: paul.lewis at st-annes.oxford.ac.uk (Paul Lewis)
Date: Thu Oct 20 18:40:42 2005
Subject: [LARTC] Firewall.routing configuration problems
Message-ID: <003c01c5d595$00853360$e7544381@SANNPJLTABLET>

Hi,

I am trying to set up a linux box to act as a router for my college. There
are two different types of users; students and conference guests, and they
have IPs statically assigned by DHCP, from separate ranges (but they are on
the same subnet). The students go out onto an academic connection (via
eth0), and conference guests go out on an ADSL line (via eth3). eth1 and
eth2 are configured for internal use.

My question is this (and I'm not 100% sure if it's a firewall or routing
issue, hence the post to both mailing lists). I have some firewall rules in
place which direct packets out to a specific ethernet device, depending on
the IP that the packet is coming from. It will probably help if I define the
IPs, subnets and netmasks etc for the ethernet devices:

eth0      Link encap:Ethernet  HWaddr 00:14:22:09:FB:1A
          inet addr:192.168.100.253  Bcast:192.168.100.255  Mask:255.255.255.0

eth1      Link encap:Ethernet  HWaddr 00:04:23:BB:89:9C
          inet addr:192.168.7.253  Bcast:192.168.7.255  Mask:255.255.248.0

eth3      Link encap:Ethernet  HWaddr 00:14:22:09:FB:1B
          inet addr:192.168.20.253  Bcast:192.168.20.255  Mask:255.255.255.0

Students have an IP in the range 192.168.4.1-192.168.6.253, and conference
guests have an IP in the range 192.168.0.1-192.168.3.253.

The firewall rules for routing packets to the correct ethernet device
(conference guests to eth3 and students to eth0) are as follows:

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE -o eth3
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE -o eth3
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j MASQUERADE -o eth3
iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -j MASQUERADE -o eth3
iptables -t nat -A POSTROUTING -s 192.168.4.0/24 -j MASQUERADE -o eth0
iptables -t nat -A POSTROUTING -s 192.168.5.0/24 -j MASQUERADE -o eth0
iptables -t nat -A POSTROUTING -s 192.168.6.0/24 -j MASQUERADE -o eth0
iptables -t nat -A POSTROUTING -s 192.168.7.0/24 -j MASQUERADE -o eth0

(The 192.168.7.0 subnet is reserved for system devices).

The default gateway for the linux box itself is 192.168.100.254, which is
the same route as the students, and so, the student rules work fine, and
they get internet perfectly well. The problem arises with conference guests;
they do not seem to get internet access (they cannot access web pages,
email, etc), although if you try to go to a website like www.google.com, the
browser is able to determine the IP address of the website (I'm not 100%
sure if this is correct or not, and am currently not in a position to
check).

I have tried manually adding a route for each of the subnets, e.g.

route add -net 192.168.0.0 netmask 255.255.255.0 dev eth3

But this does not seem to make any difference, even if I consequently remove
the default gateway too (the only difference that makes is that students
then lose internet access too!)

I have been advised by a friend that it could be a firewall configuration
issue, and that I need some rules to redirect incoming packets from eth3
back out on the correct interface, as at the moment they might be going from
eth3 to the default gateway. I'm not sure if this is the case, and even if
it were, I'm not sure how to construct rules to do this.

I'm sorry this is such a long post.

Is anyone able to shed any light on this situation? Any help would be
*greatly* appreciated :) If any other information about the setup is needed,
I will gladly provide it...

Many thanks,

Paul

---
Paul Lewis (paul.lewis@st-annes.ox.ac.uk)
JCR Computing Rep
St Anne's College
http://www.stannesjcr.org

From surda at shurdix.com Thu Oct 20 19:03:29 2005
From: surda at shurdix.com (Peter Surda)
Date: Thu Oct 20 19:03:54 2005
Subject: [LARTC] Firewall.routing configuration problems
In-Reply-To: <003c01c5d595$00853360$e7544381@SANNPJLTABLET>
Message-ID: <20059201932925342@mail.routehat.org>

On Thu, 20 Oct 2005 17:40:38 +0100
"Paul Lewis" wrote:

>Hi,
hi

[cut]
>The students go out onto an academic connection (via
>eth0), and conference guests go out on an ADSL line (via eth3). eth1 and
>eth2 are configured for internal use.
ok.

>The firewall rules
>for routing packets to the correct ethernet device (conference guests to
>eth3 and students to eth0) are as follows:
> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE -o
>eth3
[cut]
You are mistaken here I think. This doesn't influence routing, only
masquerading. You are probably missing (in addition to what you have)
policy based routing, something like:

ip rule add from 192.168.0.0/22 table 10
ip rule add from 192.168.4.0/22 table 11
ip route add default via your_gateway_on_eth3 dev eth3 table 10
ip route add default via your_gateway_on_eth0 dev eth0 table 11

(in reality it is slightly more complicated, you need to add proper routes
for other subnets if you want them to be able to communicate with each
other).

>Many thanks,
>
>Paul
Yours sincerely,

Peter

--
http://www.shurdix.org - Linux distribution for routers and firewalls

From jasonb at edseek.com Thu Oct 20 22:26:51 2005
From: jasonb at edseek.com (Jason Boxman)
Date: Thu Oct 20 22:27:22 2005
Subject: [LARTC] Monitoring the traffic shaping setup
In-Reply-To: <20051020144203.86493.qmail@web8405.mail.in.yahoo.com>
References: <20051020144203.86493.qmail@web8405.mail.in.yahoo.com>
Message-ID: <200510201626.51337.jasonb@edseek.com>

On Thursday 20 October 2005 10:42, Yogesh Hasabnis wrote:
> Hi All,
>
> Kindly give me some clues for resolving the above two
> issues.

I never had any success doing it that way. I wrote polltc[1] to handle
generating some basic graphs using RRDTool. It might work for you.

[1] http://edseek.com/software-ive-written/

--
Jason Boxman
http://edseek.com/ - Linux and FOSS stuff

From surda at shurdix.com Fri Oct 21 00:19:10 2005
From: surda at shurdix.com (Peter Surda)
Date: Fri Oct 21 00:19:38 2005
Subject: [LARTC] arp flood (offtopic?)
In-Reply-To: <032b01c5d4bb$a8837ed0$020c0c0a@admin>
Message-ID: <20059210191025342@mail.routehat.org>

On Wed, 19 Oct 2005 17:44:49 +0300 "Alex" wrote:
>Hi guys,

Hi,

>Sorry if this is a little offtopic, but I was wondering what can one do to
>prevent/stop arp flooding ?

As Carl-Daniel already said, the proper way to do this is to clean all the machines from worms. I have some tips on how to do this. I am the author of ASPE (Automatic Security Policy Enforcement), and two of its modules are quite useful for this: aspe.arpflood and aspe.vulncheck. Unfortunately, ASPE is developed only as a part of a whole Linux distribution, so using it on other distributions isn't straightforward, but fortunately you don't have to run ASPE on a router; just put it on some old box (Pentium I with 64MB RAM and one network card should be sufficient) somewhere on the LAN.

During the last 2 months there has been a substantial rewrite to make ASPE more configurable, which also had the effect that it is more complex to set up. Complete and current configuration docs are available here: http://docs.shurdix.org/aspe:config , but there are no examples yet, which makes it difficult to understand. There is also a short intro, but only in German: http://shurdeek.shurdix.org/tmp/ASPE.pdf

So I'll post some info here; I hope people won't mind, because in my experience a lot of sites have this problem, and I have been working on ASPE for about 2 years now, so it's been tested in action. It's licensed under the GPL.

ASPE works like this: there are modules (4 at the moment) and they detect stuff (both active and passive), and you can define actions it should take when a certain amount (per IP) of them occurs. The 2 modules for the mentioned problem are:

aspe.arpflood: detects computers that are looking for computers that don't exist. It uses PCAP to capture ARP requests. An ARP request looks like this:

  who has A tell B

This tells us 2 things: A is looking for B, and A exists. Next time it sees something like

  who has B tell C

it won't be considered as a part of a flood, because it remembers that B exists (IPs time out after one day of inactivity). If a computer has been constantly looking for non-existing computers for a substantial amount of time (configurable), it is considered to be flooding. It is able to catch worms that scan the network slowly as well.

aspe.vulncheck: looks for Windows computers that are not patched against Sasser. It has very low overhead (both CPU and network), as large parts are passive, but high effectiveness.

The actions are:

(these work without any requirements)
- send an email to admin
- notify the computer via winpopup
- execute an external program

(these work only when you use Shurdix' user management)
- send an email to the owner of the computer
- block/unblock internet access

If you can hack up a script that blocks the correct switch port, you can use "exec"; if not, you can use "mailadmin" (the triggers are not exclusive, so you can use both at the same time too).

Here is what the config could look like in your situation:

/etc/sysconfig/aspe.vulncheck:

dev=eth0
# don't scan more frequently than once an hour
maxfreq=3600
action_vulnerable_timeout=86400
action_patched_timeout=86400
# notify him/her constantly if vulnerable
action_vulnerable_notifyperson_count=*
action_vulnerable_notifyperson_method=winpopup
action_vulnerable_notifyperson_msg=Your computer is vulnerable to the Sasser Worm. Please visit http://windowsupdate.microsoft.com and update your system.
# thank if patched (don't worry, this will REALLY only be triggered once, not
# every time the computer connects to the network :-))
action_patched_notifyperson_count=1
action_patched_notifyperson_method=winpopup
action_patched_notifyperson_msg=Thank you for updating your system and keeping our network safe.

/etc/sysconfig/aspe.arpflood:

#if you want to ignore some computers uncomment next line
#ignore=1.2.3.4
dev=eth0
# 24 hours
action_arp_timeout=86400
# 3 per minute
action_arp_mtba=20
# after about 10 minutes it's a flood
action_arp_inform_count=30
action_arp_inform_method=mailadmin
action_arp_inform_subj=aspe.arpflood report
action_arp_inform_msg=$ip is flooding
# if you have a script that blocks the switch:
action_arp_kickhim_count=30
action_arp_kickhim_method=exec
action_arp_kickhim_exec=/root/kickhim.sh $ip

/etc/sysconfig/mail:

sender=who@you.want.the.mails.to.be.coming.from
root=admin@email.address
# if you need a relay uncomment following line
#relay=1.2.5.6

For monitoring, grep logs for "aspe"; every hit of a defined trigger is logged (which is usually different from "every occurrence of a problem").

I hope it helps and isn't too confusing. If you have questions, I recommend you post into the ASPE forum: http://forum.shurdix.org/viewforum.php?f=3 (you can post in English of course).

>Thanks,
>
>Alex

Yours sincerely,
Peter

--
http://www.shurdix.org - Linux distribution for routers and firewalls
From comp.techs at aspenview.org Fri Oct 21 00:21:16 2005
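The aspe.arpflood heuristic Peter describes (remember every ARP sender as an existing host, count requests whose target has never been seen sending anything, report a source once the count reaches a threshold) can be sketched offline. The block below is an added example written for this page, not ASPE code: its constants carry the names of the config keys in the post (action_arp_timeout, action_arp_mtba, action_arp_inform_count) with the values shown there, but reading mtba as the minimum spacing between two counted events of one sender, and the trace it replays, are assumptions.

```python
"""Offline sketch of the aspe.arpflood idea: count ARP requests for hosts
that have never been seen on the wire, per requesting host.

Added example for this page, not ASPE code. The detector only ever sees
ARP requests of the form "who has <target> tell <sender>": every sender
is recorded as an existing host, and a request whose target is not a
known host counts as one "lookup of a non-existent host" for the sender.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constants named after the config keys in the post; the values are the
# ones shown there.  Interpreting mtba as the minimum spacing between two
# counted events of the same sender is an assumption.
ACTION_ARP_TIMEOUT = 86400      # seconds a host stays "known" after it last sent a request
ACTION_ARP_MTBA = 20            # minimum seconds between counted events per sender
ACTION_ARP_INFORM_COUNT = 30    # counted events before the sender is reported


@dataclass
class ArpFloodDetector:
    known: dict = field(default_factory=dict)                             # ip -> time last seen as sender
    unknown_hits: dict = field(default_factory=lambda: defaultdict(int))  # ip -> counted events
    last_counted: dict = field(default_factory=dict)                      # ip -> time of last counted event
    reported: set = field(default_factory=set)

    def is_known(self, ip, now):
        seen = self.known.get(ip)
        return seen is not None and now - seen <= ACTION_ARP_TIMEOUT

    def observe(self, now, target, sender):
        """Feed one request 'who has <target> tell <sender>' seen at time <now>.

        Returns the sender address the first time it crosses the report
        threshold, otherwise None.
        """
        self.known[sender] = now           # whoever asks demonstrably exists
        if self.is_known(target, now):
            return None                    # asking for a real host is normal
        last = self.last_counted.get(sender)
        if last is not None and now - last < ACTION_ARP_MTBA:
            return None                    # within mtba: a burst is counted once
        self.last_counted[sender] = now
        self.unknown_hits[sender] += 1
        if self.unknown_hits[sender] >= ACTION_ARP_INFORM_COUNT and sender not in self.reported:
            self.reported.add(sender)
            return sender
        return None


def run_demo():
    """Constructed trace: a gateway and a client talking normally, plus one
    host asking for 40 addresses that nobody ever answers from, one every
    20 seconds (the slow scan the post says the module still catches)."""
    events = [
        (0, "10.0.0.1", "10.0.0.5"),   # client asks for the gateway before the gateway has spoken
        (1, "10.0.0.5", "10.0.0.1"),   # gateway asks back; 10.0.0.5 is already known
    ]
    events += [(20 * i, f"10.0.0.{100 + i}", "10.0.0.66") for i in range(40)]
    det = ArpFloodDetector()
    flagged = []
    for now, target, sender in sorted(events):
        hit = det.observe(now, target, sender)
        if hit is not None:
            flagged.append((now, hit))
    return det, flagged


if __name__ == "__main__":
    detector, reports = run_demo()
    for when, ip in reports:
        print(f"t={when}s: {ip} is flooding (report to admin)")
    print("unknown-target lookups per host:", dict(detector.unknown_hits))
```

With the values from the post the scanning host is reported at t=580s, the 30th counted event, while the client's single lookup of a gateway that had not yet spoken stays at one event. A real deployment would feed observe() from a pcap ARP capture instead of a list.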
From: comp.techs at aspenview.org (comp.techs)
Date: Fri Oct 21 00:21:25 2005
Subject: [LARTC] (no subject)
Message-ID: <648A21EA469E3848922D9860785CD5EF4566F0@aspen-mail01.aspenview.org>

Hi, I have the following setup. Two Linux systems with two [test] external interfaces encrypted with IPsec [transport]. Two GRE tunnels that pass 10.200.0.0/24 and 10.200.1.0/24 network traffic. Testing the balanced tunnels, I would set up iptraf on one and ping from the other. The results would be as expected; traffic would be split between the two interfaces. Testing with an FTP transfer of 300MB I would get various results:

1. one interface would be transferring at 36Mbit/s, the other would be at 1.5Mbit/s [a -> b], or one interface would be transferring at 29Mbit/s and the other at 0.
2. I would get the same results from [b -> a].

Is there something I missed or did not configure properly? Any help or suggestions would be appreciated.

jason

    192.168.0.1 [ipsec tunnel] 192.168.0.2
[A] ------------------------------------------------------------- [B]
    172.16.0.1 [ipsec tunnel] 172.16.0.2
    -------------------------------------------------------------

[A] linux 2.6.13
  internal 10.200.1.2/24
  ext 192.168.0.1
  ext 172.16.0.1
  [gre tunnels]
  netb 10.200.1.2
  netb2 10.200.1.2

[B] linux 2.6.13
  internal 10.200.0.2
  ext 192.168.0.2
  ext 172.16.0.2
  [gre tunnels]
  neta 10.200.0.2
  neta2 10.200.0.2

a.
ip tunnel add netb mode gre remote 172.16.0.2 local 172.16.0.1 ttl 255
ip link set netb up
ip addr add 10.200.1.2 dev netb
ip tunnel add netb2 mode gre remote 192.168.0.2 local 192.168.0.1 ttl 255
ip link set netb2 up
ip addr add 10.200.1.2 dev netb2
ip route add equalize 10.200.0.0/24 nexthop via 10.200.1.2 dev netb nexthop via 10.200.1.2 dev netb2

b.
ip tunnel add neta mode gre remote 172.16.0.1 local 172.16.0.2 ttl 255
ip link set neta up
ip addr add 10.200.0.2 dev neta
ip tunnel add neta2 mode gre remote 192.168.0.1 local 192.168.0.2 ttl 255
ip link set neta2 up
ip addr add 10.200.0.2 dev neta2
ip route add equalize 10.200.1.0/24 nexthop via 10.200.0.2 dev neta nexthop via 10.200.0.2 dev neta2

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20051020/06af4fbe/attachment.html
From klaus at ipp2p.org Fri Oct 21 08:57:20 2005
From: klaus at ipp2p.org (Klaus)
Date: Fri Oct 21 08:57:30 2005
Subject: [LARTC] IPP2P version 0.8.0 released
In-Reply-To: References:
Message-ID: <43589150.7070003@ipp2p.org>

www.ipp2p.org is CORRECT. I have written my own domain wrong. www.ipp2p.com is something I have never tested until now, and it looks quite different from my website...

Klaus

LinuXKiD wrote:
> Hi, Klaus!
>
> -> --
> -> www.ipp2p.com
>
> www.ipp2p.com ?
>
> or www.ipp2p.org ?
>
> best regards,
>
> andres.
>
> -> -----Original Message-----
> -> From: lartc-bounces@mailman.ds9a.nl
> -> [mailto:lartc-bounces@mailman.ds9a.nl] On behalf of Klaus
> -> Sent: Thursday, 20 October 2005 01:31 p.m.
> -> To: lartc@mailman.ds9a.nl
> -> Subject: [LARTC] IPP2P version 0.8.0 released
> ->
> ->
> -> Hi,
> ->
> -> The new version ipp2p 0.8.0 is released.
> ->
> -> Klaus
>
> ->
> -> _______________________________________________
> -> LARTC mailing list
> -> LARTC@mailman.ds9a.nl
> -> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
From jorge at inway.cz Fri Oct 21 11:02:14 2005
From: jorge at inway.cz (Jorge Sanchez)
Date: Fri Oct 21 11:02:13 2005
Subject: [LARTC]MASQed network to exit on different ext IP addres
Message-ID: <4358AE96.7020507@inway.cz>

Hi, I have the following problem. It looks like this:

ROUTER --------------DEF.GWa aaa.aaa.aaa.aaa
   |                 DEF.GWb bbb.bbb.bbb.bbb
   |
 ----------------   -------------------
 |                  |
VLAN0015           ETH0 ----- xxx.xxx.xxx.xxx
10.0.0.0/24        (alias on eth0) -- fff.fff.fff.fff

I need all traffic from subnet 10.0.0.0/24 to go out masqueraded with the IP address of the alias on eth0 (fff.fff.fff.fff) and to have default gw bbb.bbb.bbb.bbb. There is an obsolete kernel 2.2.25 and iproute ver. iproute2-ss991023 with ipchains version ipchains 1.3.8, 27-Oct-1998.

I tried the following:

/usr/sbin/ip rule add prio 100 dev vlan0015 lookup 15
(here I also tried to do prio 100 from 10.0.0.0/24 lookup 15)
/usr/sbin/ip route add default via bbb.bbb.bbb.bbb table 15
(here I tried to add src fff.fff.fff.fff, but no effect)
/usr/sbin/ip route flush cache
ipchains -A fwdmasq -i vlan+ -j MASQ
ipchains -A forward -j fwdmasq -s 10.0.0.0/24

I also tried source NAT with iproute, but no way:

/usr/sbin/ip rule add prio 100 from 10.0.0.0/24 nat fff.fff.fff.fff lookup 15

The problem is that packets are still leaving the router with IP address xxx.xxx.xxx.xxx instead of fff.fff.fff.fff.

thanks a lot
Jorge Sanchez
From cnicules at 4email.net Fri Oct 21 11:57:22 2005
From: cnicules at 4email.net (ciprian niculescu)
Date: Fri Oct 21 11:57:29 2005
Subject: [LARTC] jitter generation
Message-ID: <4358BB82.6010502@4email.net>

Hi,

in a project I must degrade the VoIP/video. I know how to do latency (tbf), but I don't know how to create jitter. I want to do it on a router/bridge and not the generating equipment. Does anyone have an idea, or know a piece of code that does it?

Thanks

Ciprian
From oscar at ufomechanic.net Fri Oct 21 12:09:50 2005
From: oscar at ufomechanic.net (Oscar Mechanic) Date: Fri Oct 21 12:09:56 2005 Subject: [LARTC] jitter generation In-Reply-To: <4358BB82.6010502@4email.net> References: <4358BB82.6010502@4email.net> Message-ID: <1129889390.28895.10.camel@OSCARLAPLIN> Using nth or random from iptables set a mark then set the tc filter for different BW's based on different marks. You could drop the packets but that is not really jitter more compensation testing. Also play around with burst in HTB but you will need more than one call for this to be useful. On Fri, 2005-10-21 at 11:57 +0200, ciprian niculescu wrote: > Hi, > > in a project i must degrade the voip/video, i know to do latency (tbf), > but i don't know how to create jitter. I want to do it on a > router/bridge and not the generating equipment. Any have a idea, or know > a piece of code that do it? > > Thanks > > Ciprian > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc From andy.furniss at dsl.pipex.com Fri Oct 21 17:15:29 2005 From: andy.furniss at dsl.pipex.com (Andy Furniss) Date: Fri Oct 21 17:15:27 2005 Subject: [LARTC] jitter generation In-Reply-To: <4358BB82.6010502@4email.net> References: <4358BB82.6010502@4email.net> Message-ID: <43590611.9090002@dsl.pipex.com> ciprian niculescu wrote: > Hi, > > in a project i must degrade the voip/video, i know to do latency (tbf), > but i don't know how to create jitter. I want to do it on a > router/bridge and not the generating equipment. Any have a idea, or know > a piece of code that do it? > Use netem - http://linux-net.osdl.org/index.php/Netem Andy. From rob0 at gmx.co.uk Fri Oct 21 19:22:56 2005 
From: rob0 at gmx.co.uk (/dev/rob0) Date: Fri Oct 21 19:23:02 2005 Subject: [LARTC] IPP2P version 0.8.0 released In-Reply-To: <43589150.7070003@ipp2p.org> References: <43589150.7070003@ipp2p.org> Message-ID: <200510211222.57095.rob0@gmx.co.uk> On Friday 2005-October-21 01:57, Klaus wrote: > www.ipp2p.com is something I have never tested until now and it > looks quite different from my website... A cyber-squatter by the looks of it, waiting for you to offer huge sums of money for that domain name. -- mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header From gregoriandres at yahoo.com.ar Fri Oct 21 21:37:50 2005 
From: gregoriandres at yahoo.com.ar (LinuXKiD) Date: Fri Oct 21 21:37:53 2005 Subject: [LARTC] [OFF-TOPIC] IPP2P version 0.8.0 released In-Reply-To: <200510211222.57095.rob0@gmx.co.uk> Message-ID: -> On Friday 2005-October-21 01:57, Klaus wrote: -> > www.ipp2p.com is something I have never tested until now and it -> > looks quite different from my website... -> -> A cyber-squatter by the looks of it, waiting for you to offer huge sums -> of money for that domain name. Surely... This is "ipp2p.com" information Registration Service Provided By: best-domain Contact: bentiger99@hotmail.com Visit: Domain name: IPP2P.com Administrative Contact: best-domain lin ye (bentiger99@hotmail.com) +1.13870080170 Fax: +1.13870080170 5718 S Drexel Ave. chicago, IL 60637 US Billing Contact: best-domain lin ye (bentiger99@hotmail.com) +1.13870080170 Fax: +1.13870080170 5718 S Drexel Ave. chicago, IL 60637 US Technical Contact: best-domain lin ye (bentiger99@hotmail.com) +1.13870080170 Fax: +1.13870080170 5718 S Drexel Ave. chicago, IL 60637 US Registrant Contact: best-domain lin ye (bentiger99@hotmail.com) +1.13870080170 Fax: +1.13870080170 5718 S Drexel Ave. chicago, IL 60637 US Status: Active Name Servers: dns1.name-services.com dns2.name-services.com dns3.name-services.com dns4.name-services.com dns5.name-services.com Creation date: 26 Sep 2005 03:13:21 Expiration date: 26 Sep 2006 03:13: From gregoriandres at yahoo.com.ar Fri Oct 21 21:42:06 2005 
From: gregoriandres at yahoo.com.ar (LinuXKiD)
Date: Fri Oct 21 21:42:05 2005
Subject: [LARTC] Internet cafe with "dumb" terminals
Message-ID:

Hello,

I am trying to lay out a project for an Internet cafe whose LAN is made up of PCs that have no hard disk and that boot and operate from a "big" central server. I have read about LTSP, but the thing is that I would need to run wingarch on the terminals for MSN and IE (sorry sorry sorry sorry) (the latter I could replace with Firefox). Can I do this by installing Wine and running those applications? Or what do you recommend?

thanks!
From pjsmith at mtgsy.net Sat Oct 22 11:17:56 2005
From: pjsmith at mtgsy.net (Paul J. Smith)
Date: Sat Oct 22 11:18:04 2005
Subject: [LARTC] Differentiating between http downloads and interactive traffic
Message-ID:

Hi,

I've been wondering if anyone has thought of a way to differentiate between an established http download and interactive http traffic? I would like to give interactive http traffic priority over someone downloading large files.

Has anyone any ideas how to detect packets that are part of a download like this?

Thanks.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20051022/63ad6c86/attachment.htm
From unki at netshadow.at Sat Oct 22 11:22:25 2005
From: unki at netshadow.at (Andreas Unterkircher)
Date: Sat Oct 22 11:22:28 2005
Subject: [LARTC] Differentiating between http downloads and interactive traffic
In-Reply-To: References:
Message-ID: <435A04D1.2080904@netshadow.at>

I don't know how you really can differ between them. But I guess an easy way would be using HTB burst. So the first (small?) packets get a high bandwidth immediately through burst settings. If more data is requested, it will be slowed down to the defined ceil bandwidth.

Cheers,
Andreas

Paul J. Smith wrote:
> Hi,
>
> I've been wondering if anyone has thought of a way to differentiate
> between an established http download and interactive http traffic? I
> would like to give interactive http traffic priority over someone
> downloading large files.
>
> Has anyone any ideas how to detect packets that are part of a download
> like this?
>
> Thanks.
>
>------------------------------------------------------------------------
>
>_______________________________________________
>LARTC mailing list
>LARTC@mailman.ds9a.nl
>http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
>
From norbi.lists at nix.hu Sat Oct 22 17:23:34 2005
From: norbi.lists at nix.hu (BUCHMULLER Norbert)
Date: Sat Oct 22 17:23:41 2005
Subject: [LARTC] Differentiating between http downloads and interactive traffic
In-Reply-To: References:
Message-ID: <20051022172334.77a45c21.norbi.lists@nix.hu>

On Sat, 22 Oct 2005 10:17:56 +0100 "Paul J. Smith" wrote:
> I've been wondering if anyone has thought of a way to differentiate
> between an established http download and interactive http traffic? I
> would like to give interactive http traffic priority over someone
> downloading large files.

Hello,

you may give the "connbytes" Netfilter extension a try. With that extension, you can mark those TCP connections which have transmitted a certain number of bytes. Then you can use the fwmark QoS filter to differentiate them. (The drawback is that someone can bypass it by closing the connection after the limit and resuming the download with another connection.)

Currently connbytes is in the extra section, so you must patch the kernel (and possibly iptables) to use it.

Alternatively, you can use the delay pool feature of the Squid HTTP proxy, which does almost the same on the application level.

norbi
From norbi.lists at nix.hu Sat Oct 22 17:35:31 2005
From: norbi.lists at nix.hu (BUCHMULLER Norbert)
Date: Sat Oct 22 17:35:36 2005
Subject: [LARTC] jitter generation
In-Reply-To: <4358BB82.6010502@4email.net>
References: <4358BB82.6010502@4email.net>
Message-ID: <20051022173531.73898810.norbi.lists@nix.hu>

On Fri, 21 Oct 2005 11:57:22 +0200 ciprian niculescu wrote:
> in a project i must degrade the voip/video, i know to do latency (tbf),
> but i don't know how to create jitter. I want to do it on a
> router/bridge and not the generating equipment. Any have a idea, or know
> a piece of code that do it?

Hello,

I've never tried it, but the "Network emulator" (CONFIG_NET_SCH_NETEM) from the kernel QoS code does the very same thing (according to its configure help section).

Let us know if (and how:-) it works, please. (I'm very interested.)

norbi
From dpsims at dpsims.com Sat Oct 22 17:57:59 2005
From: dpsims at dpsims.com (David Sims)
Date: Sat Oct 22 17:58:04 2005
Subject: [LARTC] Advice....
Message-ID:

Hi,

I'm a relative newbie to LARTC, but I have read Matthew Marsh's book and lurked on this list for a while.... I still seem to be missing a few key ideas here.... So... Maybe folks on the list will be kind enough to help.

I have two different ISPs: Cogent and Bell. I have three different firewalls (2 PIX and 1 IPCop). And I have an Ubuntu Linux box doing LARTC for around 40 LANs (all using 192.168.x.x/24)....

Here's a picture:

                              /----------------------|
                             /                       |
                           3 |-----IPCop----|---cogent
distribution----0-ubuntu-1----|                      |
       ^                   2 |-----PIX------|        |
       |                  n/a |-----PIX----------bell
 192.168.x.x/24              ^
                       192.168.25.x/24

distribution upstream if: 192.168.24.1/24
ubuntu eth0: 192.168.24.2/24
ubuntu eth1: 192.168.25.1
ipcop downstream ip: 192.168.25.25
pix1 downstream if: 192.168.25.20
pix2 downstream if: 192.168.25.21

The Ubuntu machine also has an interface in the Cogent DMZ using a public IP address (xxx.xxx.xxx.75).
Here's the result of ip addr ls:

1: lo: mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:01:03:cf:26:6d brd ff:ff:ff:ff:ff:ff
    inet 192.168.24.2/24 brd 192.168.24.255 scope global eth0
    inet6 fe80::201:3ff:fecf:266d/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:10:4b:99:1a:84 brd ff:ff:ff:ff:ff:ff
    inet 192.168.25.1/24 brd 192.168.25.255 scope global eth1
    inet6 fe80::210:4bff:fe99:1a84/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:10:4b:74:99:e3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.26.1/24 brd 192.168.26.255 scope global eth2
    inet6 fe80::210:4bff:fe74:99e3/64 scope link
       valid_lft forever preferred_lft forever
5: eth3: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:b0:d0:b6:5d:65 brd ff:ff:ff:ff:ff:ff
    inet xxx.xxx.xxx.75/27 brd xxx.xxx.xxx.255 scope global eth3
6: sit0: mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

I have set up 4 new routing tables in /etc/iproute2/rt_tables:

# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
100 management
110 cogent
120 bell
130 ipcop

and I have created a simple script to use all this stuff the way I want to:

#!/bin/sh
##
##First let's set up a rule and route for the management traffic
##
ip rule add from xxx.xxx.xxx.75 priority 10000 table management
ip route add default via xxx.xxx.xxx.xxx proto static table management
# Cogent router            ^^^^^^^^^^^^^^^
##
##Next let's set up a route for all Cogent traffic and define rules for Cogent
##
## First a default route for Cogent:
#
ip route add default via 192.168.25.20 proto static table cogent
#
## Then rules to use the Cogent route:
#
ip rule add from 192.168.1.0/24 priority 11000 table cogent
ip rule add from 192.168.2.0/24 priority 11010 table cogent
#
##
##Then let's set up a route for all Bell traffic and define rules for Bell
##
#
## First a default route for Bell:
#
ip route add default via 192.168.25.21 proto static table bell
#
## Then rules to use the Bell route:
#
ip rule add from 192.168.20.0/24 priority 12022 table bell
#
## End of Bell rules
#
## And now let's add a route to use the IP Cop firewall
#
ip route add default via 192.168.25.25 proto static table ipcop
#
## Then rules to use the IP Cop route:
#
# No rules yet
#
# Routes for local sites connected via ethernet
#
ip route add 192.168.1.0/24 via 192.168.24.1 table main
ip route add 192.168.2.0/24 via 192.168.24.1 table main
ip route add 192.168.20.0/24 via 192.168.24.1 table main
#
ip route add default via 192.168.25.20 table main
#
ip route flush cache
#
# End of script

Here are my questions:

1) I want traffic coming from 192.168.20.x/24 to egress via the Bell PIX and Bell to the Internet, but I also want to connect from 192.168.20.x/24 to devices in the Cogent DMZ (including the DMZ interface of the Ubuntu LARTC router)... Which doesn't seem to want to work... WHY?? Traffic should go out Bell and route through the Internet to the Cogent DMZ LAN, which has public address space.... but it does not... I can ping and traceroute to any other host on the Internet from 192.168.20.x/24, and traceroute shows the traffic going out Bell just fine... but traceroute to a device in the Cogent DMZ stops at the distribution router.... It must be because the Ubuntu LARTC router has an interface in the Cogent DMZ LAN.... How do I tell the Ubuntu box to ignore this local interface in routing decisions??

2) What's the best way to monitor the traffic passing through the Ubuntu LARTC router? I am using jnettop and darkstat, but maybe there are better tools?? Advice? I would like to monitor traffic volume by distribution LAN... Unfortunately, the distribution equipment (Cisco 4000) does not support SNMP, so I cannot use MRTG to poll this equipment...
3) One objective of this setup is to be able to shift traffic between the two Cogent firewalls as a testbed to evaluate different firewall technology and proxy services using live traffic on a dynamic basis... Any advice from more knowledgeable folks on doing this??

4) Any other thoughts about what I am trying to do? Any better way??

TIA and kind regards,
Dave
From slamb at slamb.org Sat Oct 22 19:06:12 2005
From: slamb at slamb.org (Scott Lamb)
Date: Sat Oct 22 19:06:23 2005
Subject: [LARTC] jitter generation
In-Reply-To: <20051022173531.73898810.norbi.lists@nix.hu>
References: <4358BB82.6010502@4email.net> <20051022173531.73898810.norbi.lists@nix.hu>
Message-ID: <35FD7C94-8235-434A-8B9B-9A964D54990E@slamb.org>

On 22 Oct 2005, at 08:35, BUCHMULLER Norbert wrote:
> I've never tried, but the "Network emulator" (CONFIG_NET_SCH_NETEM)
> from
> the kernel QoS code does the very same thing (according its configure
> help section).
>
> Let us know if (and how:-) it works, please. (I'm very interested.)

I just tried it the other day. It's surprisingly easy to use, and you can simulate a lot of conditions. Documentation is lacking, but this wiki page helps a lot: http://linux-net.osdl.org/index.php/Netem

You may need a pretty modern kernel. I hit a crash bug in one of RedHat's customized 2.6.9 kernels. The people on the netdev list mentioned a change since then that may have fixed it. Haven't tried it yet, but the same operation worked fine for them.

--
Scott Lamb
From gtaylor at riverviewtech.net Sun Oct 23 05:31:51 2005
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Sun Oct 23 05:42:51 2005
Subject: [LARTC] Differentiating between http downloads and interactive traffic
In-Reply-To: References:
Message-ID: <435B0427.20605@riverviewtech.net>

I would recommend looking at the connrate (http://www.netfilter.org/projects/patch-o-matic/pom-extra.html#pom-extra-connrate) Patch-O-Matic patch. Your interactive sessions could be long lived and thus pass the connlimit and / or connbytes matches and thus be falsely classified. Whereas if you test for your interactive sessions by looking for an overall average low rate (burst, delay, burst, delay, etc.), you should have a low average and thus be able to match based on rate to classify them higher.

Grant. . . .

Paul J. Smith wrote:
> Hi,
>
> I've been wondering if anyone has thought of a way to differentiate
> between an established http download and interactive http traffic? I
> would like to give interactive http traffic priority over someone
> downloading large files.
>
> Has anyone any ideas how to detect packets that are part of a download
> like this?
>
> Thanks.
From gtaylor at riverviewtech.net Sun Oct 23 07:12:43 2005
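Norbert's connbytes suggestion and Grant's connrate alternative differ in what they measure per connection: total bytes transferred versus the average rate over a recent window. The block below is an added example for this page, not code from either poster and not netfilter code; it replays constructed packet traces through user-space stand-ins for both tests to show the two failure modes named in the thread: a long-lived but slow session that connbytes eventually marks as bulk, and a download resumed over several short connections that never reaches the connbytes limit but does trip a rate test. The thresholds, connection identifiers and traces are all constructed.

```python
"""Two user-space stand-ins for the connbytes and connrate ideas from the
thread, replayed over constructed traces.

Added example for this page, not netfilter code. A "connection" here is
just an identifier; each packet is (time, connection, payload bytes).
"""
from collections import defaultdict, deque

# Constructed thresholds; real values depend on the link.
CONNBYTES_LIMIT = 500_000   # bytes moved on one connection before it counts as bulk
RATE_WINDOW = 2.0           # seconds of history used for the average-rate test
RATE_LIMIT = 100_000        # bytes per second over the window before it counts as bulk


class Classifier:
    def __init__(self):
        self.total = defaultdict(int)        # connection -> bytes so far
        self.recent = defaultdict(deque)     # connection -> (time, size) inside the window

    def classify(self, now, conn, size):
        """Return the verdict of both tests for the packet just seen."""
        self.total[conn] += size
        window = self.recent[conn]
        window.append((now, size))
        while window and window[0][0] < now - RATE_WINDOW:
            window.popleft()                 # drop history older than the window
        rate = sum(s for _, s in window) / RATE_WINDOW
        return {
            "connbytes": "bulk" if self.total[conn] > CONNBYTES_LIMIT else "interactive",
            "connrate": "bulk" if rate > RATE_LIMIT else "interactive",
        }


def packets(conn, start, interval, size, count):
    """Constructed trace: <count> packets of <size> bytes, <interval> seconds apart."""
    return [(start + i * interval, conn, size) for i in range(count)]


def run_scenarios():
    """Replay four constructed traces; report whether each test ever said 'bulk'."""
    scenarios = {
        # 1500-byte packet every 0.5 s for a minute: 180 KB in total, slow
        "short_interactive": packets("A", 0.0, 0.5, 1500, 120),
        # five times that pace for a minute: 900 KB in total, still only 15 KB/s
        "long_interactive": packets("B", 0.0, 0.1, 1500, 600),
        # 300 KB/s sustained for ten seconds
        "bulk_download": packets("C", 0.0, 0.005, 1500, 2000),
        # the same download fetched as five 390 KB ranges on fresh connections
        "resumed_download": sum(
            (packets(f"D{i}", 1.5 * i, 0.005, 1500, 260) for i in range(5)), []),
    }
    results = {}
    for name, trace in scenarios.items():
        clf = Classifier()
        ever_bulk = {"connbytes": False, "connrate": False}
        for now, conn, size in sorted(trace):
            verdict = clf.classify(now, conn, size)
            for test in ever_bulk:
                ever_bulk[test] |= verdict[test] == "bulk"
        results[name] = ever_bulk
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:18s} connbytes={'bulk' if verdict['connbytes'] else 'ok':4s} "
              f"connrate={'bulk' if verdict['connrate'] else 'ok'}")
```

The byte-count test and the rate test disagree on exactly the two traces the thread argues about: the slow but long session is "bulk" only by byte count, and the resumed download is "bulk" only by rate. Both tests pass the short interactive session and catch the plain bulk transfer.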
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Sun Oct 23 07:23:47 2005
Subject: [LARTC] Advice....
In-Reply-To: References:
Message-ID: <435B1BCB.6000607@riverviewtech.net>

> 1) I want traffic coming from 192.168.20.x/24 to egress via the Bell PIX
> and Bell to the Internet, but I also want to connect from 192.168.20.x/24
> to devices in the Cogent DMZ (including the DMZ interface of the Ubuntu
> LARTC router)... Which doesn't seem to want to work... WHY?? Traffic
> should go out Bell and route through the Internet to the Cogent DMZ LAN
> which has public address space.... but it does not... I can ping and
> traceroute to any other host on the Internet from 192.168.20.x/24 and
> traceroute shows the traffic going out Bell just fine... but traceroute
> to a device in the Cogent DMZ stops at the distribution router.... It must
> be because the Ubuntu LARTC router has an interface in the Cogent DMZ LAN....
> How do I tell the Ubuntu box to ignore this local interface in routing
> decisions??

I take it that the Ubuntu Linux box is the "Distribution Router" that you are speaking of? I know you have provided a list of the rules / routes that you are populating your various routing tables with, but I'd like an output of your routing tables and your routing rules. Also, can we get an example of a (scrubbed) traceroute from a 192.168.20.x client computer?

As I'm sitting here thinking about it, I bet you can not send returning (outbound) traffic that came in eth3 b/c your system is using Cogent as its default route to the internet. To solve this you may need to mark the traffic that comes in eth3 so that you can test for the IP mark to use the Management routing table.

> 2) What's the best way to monitor the traffic passing through the Ubuntu
> LARTC router? I am using jnettop and darkstat but maybe there are better
> tools?? Advice? I would like to monitor traffic volume by distribution
> LAN... Unfortunately, the distribution equipment (Cisco 4000) does not
> support SNMP so I cannot use MRTG to poll this equipment...

You could easily set up rules in your FORWARD table that are used solely as counters...

> 3) One objective of this setup is to be able to shift traffic between the
> two Cogent firewalls as a testbed to evaluate different firewall
> technology and proxy services using live traffic on a dynamic basis... Any
> advice from more knowledgable folks on doing this??

Rather than just changing the default route in your Cogent table, I'd set up two Cogent tables, one with one router as the default and the other table with the other router. I think this would allow you to shift load from one router over to the other without breaking existing streams. To do this you would have a couple of rules that would decide which Cogent routing table to use based on the marks in the packet / stream. If a packet / stream is not marked, you would know that it is new and could just start going out the router that you want, and thus it would be marked for said router on the way out.

If packet / stream marked as Cogent_1 use table Cogent_1.
If packet / stream marked as Cogent_2 use table Cogent_2.
If packet / stream unmarked (new) use table Cogent_(what) and mark as such.

> 4) Any other thoughts about what I am tring to do? Any better way??

That depends on what you are ultimately trying to do. From the sounds of it you are still in a testing phase and don't have a final direction to go yet. (This may just be me misunderstanding you though.)

Grant. . . .
From daniel_phlander at yahoo.com Sun Oct 23 15:31:50 2005
From: daniel_phlander at yahoo.com (Daniel Phlander)
Date: Sun Oct 23 15:31:58 2005
Subject: [LARTC] Script for metropolitan
Message-ID: <20051023133150.59937.qmail@web32403.mail.mud.yahoo.com>

Is the script correct?

#!/bin/bash
/sbin/iptables -F -t mangle
/sbin/iptables -X
/sbin/iptables -t mangle -N mark_horiz_src
/sbin/iptables -t mangle -N mark_horiz_dst
/sbin/iptables -t mangle -A PREROUTING -i eth0 -j mark_horiz_src
/sbin/iptables -t mangle -A PREROUTING -i eth1 -j mark_horiz_dst
/sbin/iptables -t mangle -A OUTPUT -o eth0 -j mark_horiz_dst
/usr/local/bin/mipclasses -s mark_horiz_src -d mark_horiz_dst -m 1 < /start/metro.txt | iptables-restore -n

IF="eth0"
RATE_INET="256kbit"
RATE_METRO="1024kbit"
CEIL="512kbit"

# default traffic goes to class 1:20 (internet)
tc qdisc add dev $IF root handle 1:0 htb default 20
tc class add dev $IF parent 1:0 classid 1:1 htb rate 240kbit

# class 1:10 for metropolitan traffic
# class 1:20 for external traffic
# you can drop prio if you don't want different priorities
tc class add dev $IF parent 1:1 classid 1:10 htb rate $RATE_METRO ceil $CEIL prio 2
tc class add dev $IF parent 1:1 classid 1:20 htb rate $RATE_INET ceil $CEIL prio 1

# set the queueing disciplines for each class
# you can use 'pfifo_fast' (the default discipline)
# instead of 'sfq perturb 10'
tc qdisc add dev $IF parent 1:10 handle 10:0 sfq perturb 10
tc qdisc add dev $IF parent 1:20 handle 20:0 sfq perturb 10

# classify packets by FW_MARK: 0x1=metropolitan -> 1:10
tc filter add dev $IF protocol ip parent 1:0 prio 1 handle 1 fw flowid 1:10

Tks !

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20051023/418808d7/attachment.html
From augustopaulo at hotmail.com Sun Oct 23 22:09:08 2005
From: augustopaulo at hotmail.com (Paulo Augusto)
Date: Sun Oct 23 22:09:15 2005
Subject: [LARTC] Lost packets and strange "behaviour" of my TC rules
In-Reply-To: <435417A8.4020705@dsl.pipex.com>
Message-ID:

An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20051023/0a6e071e/attachment-0001.htm
From eantoranz at gmail.com Sun Oct 23 22:41:28 2005
From: eantoranz at gmail.com (Edmundo Carmona)
Date: Sun Oct 23 22:41:32 2005
Subject: [LARTC] problems with multipath routing
Message-ID: <65aa6af90510231341o7c47a4fcx59568b79dd226fbd@mail.gmail.com>

Hello, guys!

This is my very first post on this mailing list.. and I hope this can be a productive relation! :-) I'm Edmundo Carmona, Computer Engineer in Venezuela. I'm also registered at the netfilter mailing list and sometimes help there (as well as ask questions, of course).

Now the post:

Some time ago, I set up a Linux box that was supposed to balance the load on three internet links. The thing worked... but only with two interfaces. It never worked with three... and after some experimentation I noticed that it didn't work well when two of the links were "present" on the same subnet (the three links are provided by the same ISP)... and they work with DHCP, by the way. So I set up that box with two links and another box handles the third.

Why did that happen? Is there a way to make it work?

With that setup I was trying to make I made a number of different things, but right now that's the one problem that's been busting my head for the longest. I hope you can shed some light on the problem.
From Andreas.Klauer at metamorpher.de Mon Oct 24 07:48:39 2005
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Mon Oct 24 07:50:09 2005
Subject: [LARTC] Script for metropolitan
In-Reply-To: <20051023133150.59937.qmail@web32403.mail.mud.yahoo.com>
References: <20051023133150.59937.qmail@web32403.mail.mud.yahoo.com>
Message-ID: <200510240748.39393.Andreas.Klauer@metamorpher.de>

On Sunday 23 October 2005 15:31, Daniel Phlander wrote:
> Is the script correct?

I don't have any experience with metropolitan networks, however the rates
you are using in your script are weird.

> RATE_INET="256kbit"
> RATE_METRO="1024kbit"
> CEIL="512kbit"

> tc class add dev $IF parent 1:0 classid 1:1 htb rate 240kbit

So the root class has 240kbit, meaning its child classes should not be
allowed to use more than 240kbit altogether.

> tc class add dev $IF parent 1:1 classid 1:10 htb rate $RATE_METRO ceil
> $CEIL prio 2

This child class has 1024kbit rate, but only 512kbit ceil (which means it
should not be allowed to use more than 512kbit ever), and the parent has
only 240kbit, so what rate is it using now?

> tc class add dev $IF parent 1:1 classid 1:20 htb rate
> $RATE_INET ceil $CEIL prio 1

This child class has 256kbit rate, 512kbit ceil. That would be okay, if
the parent could offer that much rate, which it doesn't.

HTH
Andreas Klauer

From bugfood-ml at fatooh.org Mon Oct 24 11:02:21 2005
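The three arithmetic checks Andreas does by hand above, as an added example that is not code from the thread: a small checker that parses the `tc class add ... htb` lines of Daniel's script (shell variables substituted) and reports a ceil below the class's own rate, a ceil above the parent's ceil, and children whose guaranteed rates add up to more than the parent has.

```python
"""Sanity-check the rate/ceil arithmetic of an HTB class tree.

Added example; the SCRIPT text is a constructed copy of the relevant lines
of the script under discussion, not the file itself.
"""
import re
import shlex

SCRIPT = """
IF="eth0"
RATE_INET="256kbit"
RATE_METRO="1024kbit"
CEIL="512kbit"
tc class add dev $IF parent 1:0 classid 1:1 htb rate 240kbit
tc class add dev $IF parent 1:1 classid 1:10 htb rate $RATE_METRO ceil $CEIL prio 2
tc class add dev $IF parent 1:1 classid 1:20 htb rate $RATE_INET ceil $CEIL prio 1
"""

# tc rate units, expressed in kbit (tc's kbit is 1000 bit/s)
UNITS = {"bit": 1 / 1000, "kbit": 1, "mbit": 1000, "gbit": 1_000_000}


def to_kbit(text):
    """Convert a tc rate such as '240kbit' or '1mbit' to kbit."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([a-z]*)", text)
    if not m:
        raise ValueError("bad rate: " + text)
    value, unit = float(m.group(1)), m.group(2) or "bit"
    return value * UNITS[unit]


def pairs(tokens):
    """Turn 'key value key value ...' into a dict."""
    return dict(zip(tokens[0::2], tokens[1::2]))


def parse_htb_classes(script):
    """Return {classid: {'parent', 'rate', 'ceil'}} from the htb class lines."""
    variables, classes = {}, {}
    for line in script.splitlines():
        line = line.strip()
        assign = re.fullmatch(r'(\w+)="?([^"\s]*)"?', line)
        if assign:  # shell variable assignment such as CEIL="512kbit"
            variables[assign.group(1)] = assign.group(2)
            continue
        if not line.startswith("tc class add"):
            continue
        tokens = [re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], t)
                  for t in shlex.split(line)]
        if "htb" not in tokens:
            continue
        i = tokens.index("htb")
        head, htb = pairs(tokens[3:i]), pairs(tokens[i + 1:])
        rate = to_kbit(htb["rate"])
        classes[head["classid"]] = {
            "parent": head["parent"],
            "rate": rate,
            # HTB defaults ceil to rate when it is not given
            "ceil": to_kbit(htb["ceil"]) if "ceil" in htb else rate,
        }
    return classes


def check_htb_tree(classes):
    """Return a list of human-readable findings; empty means the tree is sane."""
    findings = []
    for cid, c in classes.items():
        if c["ceil"] < c["rate"]:
            findings.append(f"{cid}: ceil {c['ceil']:g}kbit is below its own "
                            f"rate {c['rate']:g}kbit")
        parent = classes.get(c["parent"])
        if parent and c["ceil"] > parent["ceil"]:
            findings.append(f"{cid}: ceil {c['ceil']:g}kbit exceeds parent "
                            f"{c['parent']} ceil {parent['ceil']:g}kbit")
    for pid, p in classes.items():
        total = sum(c["rate"] for c in classes.values() if c["parent"] == pid)
        if total > p["rate"]:
            findings.append(f"{pid}: children guarantee {total:g}kbit but the "
                            f"parent rate is only {p['rate']:g}kbit")
    return findings


if __name__ == "__main__":
    for finding in check_htb_tree(parse_htb_classes(SCRIPT)):
        print(finding)
```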
From: bugfood-ml at fatooh.org (Corey Hickey)
Date: Mon Oct 24 11:02:33 2005
Subject: [LARTC] [ANNOUNCE] ESFQ for Linux 2.6.13
Message-ID: <60132.66.93.171.129.1130144541.squirrel@fatooh.org>

In a recent thread on this list, Robert Kurjata provided me a patch to add
hashing by iptables mark to the Linux 2.4 version of ESFQ. Thanks to that
contribution, I was able to easily add support to the 2.6 port I maintain.

I found out, however, that the existing hash algorithm results in a lot of
collisions when the range of hashed values is small. The perturbation
spreads the collisions out a little, but the result still wasn't very fair,
especially when hashing only three fwmark values: 0, 1 and 2.

So, I wrote an alternative hash function. It's quite simple, and as long as
the range of input values is smaller than the hash table (default 1024, up
to 16384), collisions will not happen at all. See the updated README file
for more details.

Home page:
http://fatooh.org/esfq-2.6/

Direct URL:
http://fatooh.org/esfq-2.6/esfq-2.6.13.tar.gz

README (also available in the tar.gz):
http://fatooh.org/esfq-2.6/current/README

Try it out, have fun, and if you find a bug or have a suggestion please
send me an email.

-Corey

From korta at neuf.fr Mon Oct 24 12:21:22 2005
From: korta at neuf.fr (Franck LEPRETTE)
Date: Mon Oct 24 12:21:41 2005
Subject: [LARTC] Problem with ip route . VERY SLOW
Message-ID: <001901c5d884$aeb61b60$b500a8c0@NOVIS.COM>

Hello everybody

I'm French and I'm a network administrator.

It's the first time I write on this mailing list ..

I configure a debian distribution (the last one sarge) with iproute2 to
route packets depending on source ip address

It works fine but it is very very slow .

When I make a ping for example on a windows machine :

[in French ]

$> ping www.Google.Fr

Envoi d'une requête 'ping' sur www.l.google.com [216.239.59.99] avec 32 octets de données :

It waits for a long time HERE .

I think it's the route decision which takes a long time ,

Then it works fine .

Réponse de 216.239.59.99 : octets=32 temps=76 ms TTL=241
Réponse de 216.239.59.99 : octets=32 temps=76 ms TTL=241
Réponse de 216.239.59.99 : octets=32 temps=77 ms TTL=241
Réponse de 216.239.59.99 : octets=32 temps=76 ms TTL=241

Is there a solution to make the connection faster ?

Are there any problems with routing on multiple interfaces ?

Thanks in advance

From cbi at vipnet.ro Mon Oct 24 14:16:17 2005
From: cbi at vipnet.ro (Bogdan Coman)
Date: Mon Oct 24 14:16:02 2005
Subject: [Fwd: Re: [LARTC] Problem with ip route . VERY SLOW]
Message-ID: <435CD091.2070105@vipnet.ro>

Hi,

Franck LEPRETTE wrote:
> Hello everybody
>
> I'm French and I'm a network administrator.
>
> It's the first time I write on this mailing list ..
>
> I configure a debian distribution (the last one sarge) with iproute2
> to route packets depending on source ip address
>
> It works fine but it is very very slow .
>
> When I make a ping for example on a windows machine :
>
> [in French ]
>
> $> ping www.Google.Fr
>
> Envoi d'une requête 'ping' sur www.l.google.com [216.239.59.99] avec
> 32 octets de données :
>
> It waits for a long time HERE .
>
> I think it's the route decision which takes a long time ,
>
I believe that is the DNS that makes it take longer here, and not source
routing.

> Then it works fine .
>
> Réponse de 216.239.59.99 : octets=32 temps=76 ms TTL=241
> Réponse de 216.239.59.99 : octets=32 temps=76 ms TTL=241
> Réponse de 216.239.59.99 : octets=32 temps=77 ms TTL=241
> Réponse de 216.239.59.99 : octets=32 temps=76 ms TTL=241
>
> Is there a solution to make the connection faster ?
>
> Are there any problems with routing on multiple interfaces ?
>
> Thanks in advance
>
>------------------------------------------------------------------------
>
>_______________________________________________
>LARTC mailing list
>LARTC@mailman.ds9a.nl
>http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From unki at netshadow.at Mon Oct 24 14:18:58 2005
From: unki at netshadow.at (Andreas Unterkircher)
Date: Mon Oct 24 14:19:13 2005
Subject: [Fwd: Re: [LARTC] Problem with ip route . VERY SLOW]
In-Reply-To: <435CD091.2070105@vipnet.ro>
References: <435CD091.2070105@vipnet.ro>
Message-ID: <435CD132.8020605@netshadow.at>

Bogdan Coman wrote:
>> Envoi d'une requête 'ping' sur www.l.google.com [216.239.59.99] avec
>> 32 octets de données :
>>
>> It waits for a long time HERE .
>>
>> I think it's the route decision which takes a long time ,
>>
> I believe that is the DNS that makes it take longer here, and not
> source routing.
>

I don't believe that, because it's already resolved.

Did you check with tcpdump where your packets are flowing?

Cheers,
Andreas

From korta at neuf.fr Mon Oct 24 14:39:14 2005
From: korta at neuf.fr (Franck LEPRETTE)
Date: Mon Oct 24 14:39:17 2005
Subject: [LARTC] Problem with ip route . VERY SLOW
In-Reply-To: <435CC47E.5090803@adica.eu.org>
Message-ID: <000701c5d897$f17316c0$6500a8c0@NOVIS.COM>

* I believe that is the DNS that makes it take longer here, and not source
* routing.

First of all, thanks for your answer.

It's possible but I don't think so because the nslookup command answers
fast. Moreover, when I type ping hostname, before I have to wait for the
response, the computer has resolved the hostname to an ip address.

But how can I know where the bottleneck is?

The problem of very slow connection appears for example when I try to ping
a host or when I try to connect to a website with my browser.

I remember that I have 3 interfaces and I wonder whether it's possible
that there are too many interfaces on the computer; or there are
restrictions with iproute2 etc...?

-----Original Message-----
From: Bogdan Coman [mailto:cbi@adica.eu.org]
Sent: Monday 24 October 2005 13:25
To: Franck LEPRETTE
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Problem with ip route . VERY SLOW

Hi,

Franck LEPRETTE wrote:
> Hello everybody
>
> I'm French and I'm a network administrator.
>
> It's the first time I write on this mailing list ..
>
> I configure a debian distribution (the last one sarge) with iproute2
> to route packets depending on source ip address
>
> It works fine but it is very very slow .
>
> When I make a ping for example on a windows machine :
>
> [in French ]
>
> $> ping www.Google.Fr
>
> Envoi d'une requête 'ping' sur www.l.google.com [216.239.59.99] avec
> 32 octets de données :
>
> It waits for a long time HERE .
>
> I think it's the route decision which takes a long time ,
>
I believe that is the DNS that makes it take longer here, and not source
routing.

> Then it works fine .
>
> Réponse de 216.239.59.99 : octets=32 temps=76 ms TTL=241
> Réponse de 216.239.59.99 : octets=32 temps=76 ms TTL=241
> Réponse de 216.239.59.99 : octets=32 temps=77 ms TTL=241
> Réponse de 216.239.59.99 : octets=32 temps=76 ms TTL=241
>
> Is there a solution to make the connection faster ?
>
> Are there any problems with routing on multiple interfaces ?
>
> Thanks in advance

From tech at wildcash.com Mon Oct 24 15:48:08 2005
From: tech at wildcash.com (Rudi Starcevic)
Date: Mon Oct 24 15:48:16 2005
Subject: [LARTC] In eth0 out eth1
Message-ID: <435CE618.70702@wildcash.com>

Hello,

I have a routing configuration that I've been working on and it seems to
be working well for me. I'd like to ask for some peer review.

If you're interested and can take a moment to consider this I could use
some advice on whether this is correct. I'm still very much learning,
sorry if this email is off topic or too long or anything.

I want to route a wireless network through my Linux box and out a
Broadband gateway. The wireless network is 192.168.3.0/24. The Linux
machine has eth0 for the wireless network and eth1 for the Broadband
gateway.

Here is a text diagram:
http://www.informationobject.com/iproute/c_schema.txt

Thus a PC can be added to the wireless network and set its default gateway
to 192.168.3.10.

I have two scripts to configure the Linux machine to forward/route traffic
from eth0 to eth1 and out the Broadband gateway. One script for route
config. and one script for firewall/iptables config.

They are listed here and also at:
http://www.informationobject.com/iproute/a_route.txt
http://www.informationobject.com/iproute/b_firewall.txt

Would you say this is the correct way to go about doing this routing
configuration?

Thank you.
echo "Route Setup"

echo "Flushing NICs"
ip addr flush eth0
ip addr flush eth1
ip link set eth0 down
ip link set eth1 down
ip link set eth0 up
ip link set eth1 up

echo "Routing Tables:"
cat /etc/iproute2/rt_tables
### example rt_tables ###
## reserved values
## #255 local
#254 main
#253 default
#0 unspec
##
## local
##
##1 inr.ruhep
#200 wireless
#201 internet
### example end ###

echo "Setup NIC 0"
ip addr add 192.168.3.10/24 dev eth0 brd +

echo "Setup NIC 1"
ip addr add 192.168.1.1/24 dev eth1 brd +

echo "Setup Default Route [ internet table ]"
ip route add default via 192.168.1.254 proto static table internet

echo "Setup LAN Route [ wireless table ]"
ip route add 192.168.3/24 via 192.168.3.10 proto static table wireless

echo "Setup Internet ip rule"
ip rule add to 0/0 prio 17000 table internet

echo "Setup LAN ip rule"
ip rule add to 192.168.3/24 prio 16000 table wireless

echo "Flushing ip route cache"
ip route flush cache


echo "Firewall Setup"

################################################################################
# Enable forwarding
echo "Enable Kernel Forwarding"
echo 1 > /proc/sys/net/ipv4/ip_forward

################################################################################
echo -n "reset "
for chain in INPUT FORWARD OUTPUT ; do
    iptables --policy $chain DROP
done
for table in filter nat mangle ; do
    iptables --table $table --flush
    iptables --table $table --delete-chain
done
modprobe ip_nat_ftp

################################################################################
echo -n "INPUT "
# accept everything from wireless
iptables -A INPUT -i eth0 -s 192.168.3.0/24 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

################################################################################
echo -n "FORWARD "
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

################################################################################
echo -n "OUTPUT "
# allows unrestricted output from this machine
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT

################################################################################
echo done.

Kind regards,
Rudi.

From comp.techs at aspenview.org Mon Oct 24 19:20:41 2005
From: comp.techs at aspenview.org (comp.techs)
Date: Mon Oct 24 19:20:46 2005
Subject: [LARTC] loadbalance/gre tunnels
Message-ID: <648A21EA469E3848922D9860785CD5EF4566F1@aspen-mail01.aspenview.org>

Hi,

I have two systems, each with two gre tunnels over ipsec. The tunnels are
set up to loadbalance using 'ip route'. Using ping from one server to the
other I get equal results via the two gre tunnels, but when I try a large
ftp transfer the utilization of one tunnel is 90% and the other 10%. The
two interfaces are both 100/full.

What would be the reason for this, or would there be a better way of doing
this?

thx
jason

From korta at neuf.fr Mon Oct 24 20:14:01 2005
From: korta at neuf.fr (Franck LEPRETTE)
Date: Mon Oct 24 20:17:15 2005
Subject: [LARTC] Problem with ip route . VERY SLOW
In-Reply-To: <435D2176.5030600@bdeb.qc.ca>
Message-ID: <000001c5d8c6$b65a42a0$6500a8c0@NOVIS.COM>

(I speak in English)

Thanks for your answer.

No, if I ping a local host, it works fine and fast.

I use two route tables with iproute2:
1) table T1
2) table T2

And if I enter

> ip route ls table T1
default via 192.168.0.100 dev eth3

> ip route ls table T2
default via 192.168.1.100 dev eth2

> route
default 192.168.0.100 UG ..

so, I think there are two default gateways? Do you think that's the
matter? If yes, how can I modify it?

-----Original Message-----
From: Guillaume Beaudoin [mailto:guillaume.beaudoin@bdeb.qc.ca]
Sent: Monday 24 October 2005 20:01
To: Franck LEPRETTE
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Problem with ip route . VERY SLOW

Hello Franck,
Hi Franck,

Does the same thing happen if you ping an address on your local network?
Would you happen to have two default gateways?

Does the same thing happen if you ping an address on your local area
network? Do you have two default gateways?

Feel free to message me off list in French, I don't want to bother our
English colleagues with French too much.

Regards,

> * I believe that is the DNS that makes it take longer here, and not source
> * routing.
>
>
> First of all, thanks for your answer.
>
> It's possible but I don't think so because the nslookup command answers fast.
> Moreover, when I type ping hostname, before I have to wait for the response,
> the computer has resolved the hostname to an ip address.
>
> But how can I know where the bottleneck is?
>
> The problem of very slow connection appears for example when I try to ping a
> host or when I try to connect to a website with my browser.
>
> I remember that I have 3 interfaces and I wonder whether it's possible
> that there are too many interfaces on the computer; or there are
> restrictions with iproute2 etc...?
>
>

--
Guillaume Beaudoin                "Up to my future."
IT Department                     A tradition of excellence
Collège de Bois-de-Boulogne       for more than 40 years.

From korta at neuf.fr Mon Oct 24 20:22:42 2005
From: korta at neuf.fr (Franck LEPRETTE)
Date: Mon Oct 24 20:24:26 2005
Subject: [Fwd: Re: [LARTC] Problem with ip route . VERY SLOW]
In-Reply-To: <435CD132.8020605@netshadow.at>
Message-ID: <000d01c5d8c7$ed1699a0$6500a8c0@NOVIS.COM>

I'm not in front of my computer, so I can't test tcpdump.
But I will try to do it tomorrow.

Thanks for the tip

-----Original Message-----
From: Andreas Unterkircher [mailto:unki@netshadow.at]
Sent: Monday 24 October 2005 14:19
To: lartc@mailman.ds9a.nl
Subject: Re: [Fwd: Re: [LARTC] Problem with ip route . VERY SLOW]

Bogdan Coman wrote:
>> Envoi d'une requête 'ping' sur www.l.google.com [216.239.59.99] avec
>> 32 octets de données :
>>
>> It waits for a long time HERE .
>>
>> I think it's the route decision which takes a long time ,
>>
> I believe that is the DNS that makes it take longer here, and not
> source routing.
>

I don't believe that, because it's already resolved.

Did you check with tcpdump where your packets are flowing?

Cheers,
Andreas

From gypsy at iswest.com Tue Oct 25 08:59:27 2005
From: gypsy at iswest.com (gypsy)
Date: Tue Oct 25 08:59:55 2005
Subject: [LARTC] Problem with ip route . VERY SLOW
References: <000701c5d897$f17316c0$6500a8c0@NOVIS.COM>
Message-ID: <435DD7CF.F4691818@iswest.com>

Franck LEPRETTE wrote:
> I remember that I have 3 interfaces and I wonder whether it's possible
> that there are too many interfaces on the computer; or there are
> restrictions with iproute2 etc...?

No, there are not too many interfaces. I have run 4 all at once. Three
were ethernet (DSL) and 1 ppp (Modem).

Yes, there are iproute2 issues.

1) The LARTC HOWTO is wrong.

2) Your routing tables seem to have only 2 entries; you probably need 3.

3) Similar IP addresses can be a problem. 192.168.0.0/24 is too similar
to 192.168.100.0/24. Worse, private IPs are a pain. (All that is my
opinion, not necessarily fact.)

4) There shouldn't be a default route. Instead, there should be a default
route for each external interface such that packets received on one get
replied on the same one.

This link is apparently dead
http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking
so read this instead
http://yesican.chsoft.biz/lartc/MultihomedLinuxNetworking.html

Post your configuration files. Do not just describe them. Give us an
explanation of the setup, possibly including some "ASCII art".

Here's a link where you will find others' successes:
http://yesican.chsoft.biz/lartc/index.html
Read EXAMPLES and MULTIPATH and follow the links.
--
gypsy

From cyberdoc at cyberdoc.dk Tue Oct 25 14:36:51 2005
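gypsy's point 4 (a default route per external link, selected by source address so a reply leaves on the link the request arrived on), worked through on Franck's tables T1 and T2 as an added example that is not code from the thread. The gateways and interface names are Franck's; the host addresses 192.168.0.5 and 192.168.1.5 and the rule priorities are constructed, and the model walks `ip rule` entries by priority and does a longest-prefix lookup in the selected table, as the kernel does.

```python
"""A small model of Linux policy routing (ip rule + per-table ip route)."""
import ipaddress


class Route:
    """One `ip route` entry: prefix -> (dev, optional gateway)."""
    def __init__(self, prefix, dev, via=None):
        self.prefix = ipaddress.ip_network(prefix)
        self.dev, self.via = dev, via


class Rule:
    """One `ip rule` entry: optional from/to selectors -> table."""
    def __init__(self, prio, table, src=None, dst=None):
        self.prio, self.table = prio, table
        self.src = ipaddress.ip_network(src) if src else None
        self.dst = ipaddress.ip_network(dst) if dst else None

    def matches(self, src, dst):
        return ((self.src is None or src in self.src) and
                (self.dst is None or dst in self.dst))


def lookup(rules, tables, src, dst):
    """Return (table, dev, via) for a packet, or None if no table has a route.

    Rules are tried in priority order; the first table that holds a route
    for dst wins (longest prefix inside that table).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.prio):
        if not rule.matches(src, dst):
            continue
        hits = [r for r in tables.get(rule.table, []) if dst in r.prefix]
        if hits:
            best = max(hits, key=lambda r: r.prefix.prefixlen)
            return rule.table, best.dev, best.via
    return None


# Franck's T1 and T2 as he listed them, plus a main table with the two
# connected networks and the single default that `route` printed.
TABLES = {
    "T1": [Route("0.0.0.0/0", "eth3", "192.168.0.100")],
    "T2": [Route("0.0.0.0/0", "eth2", "192.168.1.100")],
    "main": [Route("192.168.0.0/24", "eth3"),
             Route("192.168.1.0/24", "eth2"),
             Route("0.0.0.0/0", "eth3", "192.168.0.100")],
}

# No source rules at all: T1 and T2 are never consulted, and every reply
# leaves through eth3 via main's default, even when it arrived on eth2.
RULES_NO_SOURCE = [Rule(32766, "main")]

# gypsy's point 4: one rule per external address (constructed addresses),
# so a reply sourced from the eth2 address is routed by T2 and leaves on eth2.
RULES_PER_LINK = [
    Rule(100, "T1", src="192.168.0.5/32"),
    Rule(101, "T2", src="192.168.1.5/32"),
    Rule(32766, "main"),
]

# Caveat: with only the rules above, traffic to the *other* local network is
# also sent to the gateway, because T1/T2 hold nothing but a default route.
# Looking the local networks up in main first fixes that.
RULES_PER_LINK_FIXED = [Rule(50, "main", dst="192.168.0.0/23")] + RULES_PER_LINK


if __name__ == "__main__":
    for rules in (RULES_NO_SOURCE, RULES_PER_LINK, RULES_PER_LINK_FIXED):
        print(lookup(rules, TABLES, "192.168.1.5", "216.239.59.99"),
              lookup(rules, TABLES, "192.168.0.5", "192.168.1.7"))
```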
From: cyberdoc at cyberdoc.dk (Daniel Frederiksen)
Date: Tue Oct 25 14:37:03 2005
Subject: [LARTC] Ip Src rewite.
Message-ID: <435E26E3.2080204@cyberdoc.dk>

Hello folks..

Do any of you know if it is possible to rewrite the ip src in a packet?
I have a problem involving a DMZ with external IP addresses routed
through a single WAN IP. When the server initiates a connection, it looks
like it comes from the WAN ip instead of its designated External IP
routed through the WAN.
So in short, is it possible to rewrite the packet in the router, with
Iptables, to make it look like it comes from the external IP address
instead of the WAN IP of the router/firewall?

Thank you very much for your time, I appreciate it.

/Daniel Frederiksen


NB: Small diagram of the setup.

      DMZ                    GW/FW                        ISP/Internet
-----------------------------------------------------------------------
 Server #1 --|
 e.f.g.h3/26 |
             |---- Gateway/Firewall ---   ISP WAN IP: a.b.c.d/30
 Server #2 --|     a.b.c.d1/30            Ext. IP:    e.f.g.h/26
 e.f.g.h4/26       e.f.g.h1/26
----------------------------------------------------------------------

From oscar at ufomechanic.net Tue Oct 25 14:45:31 2005
From: oscar at ufomechanic.net (Oscar Mechanic)
Date: Tue Oct 25 14:45:53 2005
Subject: [LARTC] Ip Src rewite.
In-Reply-To: <435E26E3.2080204@cyberdoc.dk>
References: <435E26E3.2080204@cyberdoc.dk>
Message-ID: <1130244331.15040.136.camel@OSCARLAPLIN>

Maybe I have missed something and you need to do it in POSTROUTING but
how about SNAT.

PS: ip can do stateless nat.

On Tue, 2005-10-25 at 14:36 +0200, Daniel Frederiksen wrote:
> Hello folks..
>
> Do any of you know if it is possible to rewrite the ip src in a packet?
> I have a problem involving a DMZ with external IP addresses routed
> through a single WAN IP. When the server initiates a connection, it looks
> like it comes from the WAN ip instead of its designated External IP
> routed through the WAN.
> So in short, is it possible to rewrite the packet in the router, with
> Iptables, to make it look like it comes from the external IP address
> instead of the WAN IP of the router/firewall?
>
> Thank you very much for your time, I appreciate it.
>
> /Daniel Frederiksen
>
>
> NB: Small diagram of the setup.
>
>       DMZ                    GW/FW                        ISP/Internet
> -----------------------------------------------------------------------
>  Server #1 --|
>  e.f.g.h3/26 |
>              |---- Gateway/Firewall ---   ISP WAN IP: a.b.c.d/30
>  Server #2 --|     a.b.c.d1/30            Ext. IP:    e.f.g.h/26
>  e.f.g.h4/26       e.f.g.h1/26
> ----------------------------------------------------------------------

From cyberdoc at cyberdoc.dk Tue Oct 25 14:58:04 2005
From: cyberdoc at cyberdoc.dk (Daniel Frederiksen)
Date: Tue Oct 25 14:58:16 2005
Subject: [LARTC] Ip Src rewite.
In-Reply-To: <1130244331.15040.136.camel@OSCARLAPLIN>
References: <435E26E3.2080204@cyberdoc.dk> <1130244331.15040.136.camel@OSCARLAPLIN>
Message-ID: <435E2BDC.1080507@cyberdoc.dk>

Oscar Mechanic wrote:
> Maybe I have missed something and you need to do it in POSTROUTING but
> how about SNAT.
>

Well, currently I do not NAT at all. I have ip_forwarding enabled and
have assigned the first IP from the external block on the inside of the
Gateway/Firewall. On the outside of the Gateway/Firewall I have assigned
the WAN IP. This way when a system on the DMZ establishes a connection
it is forwarded through the Gateway.

Any suggestions for changes are appreciated.

/Daniel..

> PS: ip can do stateless nat.
>
> On Tue, 2005-10-25 at 14:36 +0200, Daniel Frederiksen wrote:
>
>>Hello folks..
>>
>>Do any of you know if it is possible to rewrite the ip src in a packet?
>>I have a problem involving a DMZ with external IP addresses routed
>>through a single WAN IP. When the server initiates a connection, it looks
>>like it comes from the WAN ip instead of its designated External IP
>>routed through the WAN.
>>So in short, is it possible to rewrite the packet in the router, with
>>Iptables, to make it look like it comes from the external IP address
>>instead of the WAN IP of the router/firewall?
>>
>>Thank you very much for your time, I appreciate it.
>>
>>/Daniel Frederiksen
>>
>>
>>NB: Small diagram of the setup.
>>
>>      DMZ                    GW/FW                        ISP/Internet
>>-----------------------------------------------------------------------
>> Server #1 --|
>> e.f.g.h3/26 |
>>             |---- Gateway/Firewall ---   ISP WAN IP: a.b.c.d/30
>> Server #2 --|     a.b.c.d1/30            Ext. IP:    e.f.g.h/26
>> e.f.g.h4/26       e.f.g.h1/26
>>----------------------------------------------------------------------

From oscar at ufomechanic.net Tue Oct 25 15:21:23 2005
From: oscar at ufomechanic.net (Oscar Mechanic)
Date: Tue Oct 25 15:21:42 2005
Subject: [LARTC] Ip Src rewite.
In-Reply-To: <435E2BDC.1080507@cyberdoc.dk>
References: <435E26E3.2080204@cyberdoc.dk> <1130244331.15040.136.camel@OSCARLAPLIN> <435E2BDC.1080507@cyberdoc.dk>
Message-ID: <1130246483.15040.150.camel@OSCARLAPLIN>

So you want packets leaving the WAN to have address e.f.g.h/26 rather
than a.b.c.d/30

That would mean your ISP has assigned you the two ranges e.f.g.h and
a.b.c.d.

Your gateway cannot be a gateway from this diagram

That must be e.f.g.h/27 GW has
e.f.g.h/27 and e.f.g.h/26 interfaces

> >>      DMZ                    GW/FW                        ISP/Internet
> >>-----------------------------------------------------------------------
> >> Server #1 --|
> >> e.f.g.h3/26 |
> >>             |---- Gateway/Firewall ---   ISP WAN IP: a.b.c.d/30
> >> Server #2 --|     a.b.c.d1/30            Ext. IP:    e.f.g.h/26
> >> e.f.g.h4/26       e.f.g.h1/26
> >>----------------------------------------------------------------------

I would assume what you will end up doing is

iptables -t nat -A POSTROUTING -m mac-source -j SNAT --to-source
iptables -t nat -A POSTROUTING -m mac-source -j SNAT --to-source

Where ALIAS1 and ALIAS2 are the IP's of server 1 and server 2 aliased on
the firewall

Regards
Shane

On Tue, 2005-10-25 at 14:58 +0200, Daniel Frederiksen wrote:
> Oscar Mechanic wrote:
> > Maybe I have missed something and you need to do it in POSTROUTING but
> > how about SNAT.
> >
>
> Well, currently I do not NAT at all. I have ip_forwarding enabled and
> have assigned the first IP from the external block on the inside of the
> Gateway/Firewall. On the outside of the Gateway/Firewall I have assigned
> the WAN IP. This way when a system on the DMZ establishes a connection
> it is forwarded through the Gateway.
>
> Any suggestions for changes are appreciated.
>
> /Daniel..
>
> > PS: ip can do stateless nat.
> >
> > On Tue, 2005-10-25 at 14:36 +0200, Daniel Frederiksen wrote:
> >
> >>Hello folks..
> >>
> >>Do any of you know if it is possible to rewrite the ip src in a packet?
> >>I have a problem involving a DMZ with external IP addresses routed
> >>through a single WAN IP. When the server initiates a connection, it looks
> >>like it comes from the WAN ip instead of its designated External IP
> >>routed through the WAN.
> >>So in short, is it possible to rewrite the packet in the router, with
> >>Iptables, to make it look like it comes from the external IP address
> >>instead of the WAN IP of the router/firewall?
> >>
> >>Thank you very much for your time, I appreciate it.
> >>
> >>/Daniel Frederiksen
> >>
> >>
> >>NB: Small diagram of the setup.
> >>
> >>      DMZ                    GW/FW                        ISP/Internet
> >>-----------------------------------------------------------------------
> >> Server #1 --|
> >> e.f.g.h3/26 |
> >>             |---- Gateway/Firewall ---   ISP WAN IP: a.b.c.d/30
> >> Server #2 --|     a.b.c.d1/30            Ext. IP:    e.f.g.h/26
> >> e.f.g.h4/26       e.f.g.h1/26
> >>----------------------------------------------------------------------

From oscar at ufomechanic.net Tue Oct 25 15:25:26 2005
From: oscar at ufomechanic.net (Oscar Mechanic)
Date: Tue Oct 25 15:25:53 2005
Subject: [LARTC] Ip Src rewite.
In-Reply-To: <1130246483.15040.150.camel@OSCARLAPLIN>
References: <435E26E3.2080204@cyberdoc.dk> <1130244331.15040.136.camel@OSCARLAPLIN> <435E2BDC.1080507@cyberdoc.dk> <1130246483.15040.150.camel@OSCARLAPLIN>
Message-ID: <1130246726.15040.154.camel@OSCARLAPLIN>

Excuse my iptables:

-m mac --mac-source 00:20:23:20:20:20

You will do this because you don't want your 26 to become a 27 and lose 3
addrs.

Aliases are no longer called aliases but for convenience

On Tue, 2005-10-25 at 14:21 +0100, Oscar Mechanic wrote:
> So you want packets leaving the WAN to have address e.f.g.h/26 rather
> than a.b.c.d/30
>
> That would mean your ISP has assigned you the two ranges e.f.g.h and
> a.b.c.d.
>
> Your gateway cannot be a gateway from this diagram
>
> That must be e.f.g.h/27 GW has
> e.f.g.h/27 and e.f.g.h/26 interfaces
>
> > >>      DMZ                    GW/FW                        ISP/Internet
> > >>-----------------------------------------------------------------------
> > >> Server #1 --|
> > >> e.f.g.h3/26 |
> > >>             |---- Gateway/Firewall ---   ISP WAN IP: a.b.c.d/30
> > >> Server #2 --|     a.b.c.d1/30            Ext. IP:    e.f.g.h/26
> > >> e.f.g.h4/26       e.f.g.h1/26
> > >>----------------------------------------------------------------------
>
> I would assume what you will end up doing is
>
> iptables -t nat -A POSTROUTING -m mac-source -j SNAT --to-source
> iptables -t nat -A POSTROUTING -m mac-source -j SNAT --to-source
>
> Where ALIAS1 and ALIAS2 are the IP's of server 1 and server 2 aliased on
> the firewall
>
> Regards
> Shane
>
> On Tue, 2005-10-25 at 14:58 +0200, Daniel Frederiksen wrote:
> > Oscar Mechanic wrote:
> > > Maybe I have missed something and you need to do it in POSTROUTING but
> > > how about SNAT.
> > >
> >
> > Well, currently I do not NAT at all. I have ip_forwarding enabled and
> > have assigned the first IP from the external block on the inside of the
> > Gateway/Firewall. On the outside of the Gateway/Firewall I have assigned
> > the WAN IP. This way when a system on the DMZ establishes a connection
> > it is forwarded through the Gateway.
> >
> > Any suggestions for changes are appreciated.
> >
> > /Daniel..
> >
> > > PS: ip can do stateless nat.
> > >
> > > On Tue, 2005-10-25 at 14:36 +0200, Daniel Frederiksen wrote:
> > >
> > >>Hello folks..
> > >>
> > >>Do any of you know if it is possible to rewrite the ip src in a packet?
> > >>I have a problem involving a DMZ with external IP addresses routed
> > >>through a single WAN IP. When the server initiates a connection, it looks
> > >>like it comes from the WAN ip instead of its designated External IP
> > >>routed through the WAN.
> > >>So in short, is it possible to rewrite the packet in the router, with
> > >>Iptables, to make it look like it comes from the external IP address
> > >>instead of the WAN IP of the router/firewall?
> > >>
> > >>Thank you very much for your time, I appreciate it.
> > >>
> > >>/Daniel Frederiksen
> > >>
> > >>
> > >>NB: Small diagram of the setup.
> > >>
> > >>      DMZ                    GW/FW                        ISP/Internet
> > >>-----------------------------------------------------------------------
> > >> Server #1 --|
> > >> e.f.g.h3/26 |
> > >>             |---- Gateway/Firewall ---   ISP WAN IP: a.b.c.d/30
> > >> Server #2 --|     a.b.c.d1/30            Ext. IP:    e.f.g.h/26
> > >> e.f.g.h4/26       e.f.g.h1/26
> > >>----------------------------------------------------------------------

From thiagolima at webforce.com.br Tue Oct 25 18:33:57 2005
From: thiagolima at webforce.com.br (Thiago Lima - lst)
Date: Tue Oct 25 18:34:13 2005
Subject: [LARTC] Terminal Services and traffic control.
Message-ID: <20051025163444.8192D14B90@gw040707.gws.penso.com.br>

Hi everybody,

I have a network that only uses terminal services. Look at the diagram.

20 machines running WinXP <-> LinuxFW-1 <-> 1Mbit dedicated fiber link <-> LinuxFW-2 <-> Terminal Server

I'd like to give the maximum priority for bandwidth to terminal services
(port 3389).

I've changed the CBQ script from the LARTC site to suit my needs, but every
time I run it my connections to 3389 become slower. Without TC the
connections are faster and better.

I can't afford to lose more time trying to reinvent the wheel. I've read all
the documentation and I still can't make a good traffic control for my needs.

1) Does anyone have something like that?
2) Where should I put the traffic control? In LinuxFW-1 or LinuxFW-2?
3) Are my script changes right?

Here comes the script. Thanks a lot.

---- cut ---
#!/bin/bash

# The Ultimate Setup For Your Internet Connection At Home
#
# Set the following values to somewhat less than your actual download
# and uplink speed. In kilobits
DOWNLINK=850
UPLINK=850
DEV=eth2

# clean existing down- and uplink qdiscs, hide errors
/sbin/tc qdisc del dev $DEV root 2> /dev/null > /dev/null
/sbin/tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null

###### uplink

# install root CBQ
/sbin/tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 10mbit

# shape everything at $UPLINK speed - this prevents huge queues in your
# DSL modem which destroy latency:
# main class
/sbin/tc class add dev $DEV parent 1: classid 1:1 cbq rate 1000kbit \
    allot 1500 prio 5 bounded isolated

# high prio class 1:10:
/sbin/tc class add dev $DEV parent 1:1 classid 1:10 cbq rate ${UPLINK}kbit \
    allot 1600 prio 1 avpkt 1000

# priority class for the TS (Terminal Services) traffic
/sbin/tc class add dev $DEV parent 1:1 classid 1:11 cbq rate 1000kbit \
    allot 1600 prio 1 avpkt 1000

# bulk and default class 1:20 - gets slightly less traffic,
# and a lower priority:
/sbin/tc class add dev $DEV parent 1:1 classid 1:20 cbq rate $[7*$UPLINK/10]kbit \
    allot 32000 prio 2 avpkt 1000

# both get Stochastic Fairness:
/sbin/tc qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 10
/sbin/tc qdisc add dev $DEV parent 1:11 handle 11: sfq perturb 10
/sbin/tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10

# start filters
# TOS Minimum Delay (ssh, NOT scp) in 1:10:
/sbin/tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
    match ip tos 0x10 0xff flowid 1:10

# put the TS port in the interactive class
# (the port is a 16-bit field, so the mask must be 0xffff; with 0xff only
# the low byte is compared and any port ending in 0x3d would match)
/sbin/tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
    match ip sport 3389 0xffff flowid 1:11
/sbin/tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
    match ip dport 3389 0xffff flowid 1:11

# ICMP (ip protocol 1) in the interactive class 1:10 so we
# can do measurements & impress our friends:
/sbin/tc filter add dev $DEV parent 1:0 protocol ip prio 11 u32 \
    match ip protocol 1 0xff flowid 1:10

# To speed up downloads while an upload is going on, put ACK packets in
# the interactive class:
/sbin/tc filter add dev $DEV parent 1: protocol ip prio 12 u32 \
    match ip protocol 6 0xff \
    match u8 0x05 0x0f at 0 \
    match u16 0x0000 0xffc0 at 2 \
    match u8 0x10 0xff at 33 \
    flowid 1:10

# rest is 'non-interactive' ie 'bulk' and ends up in 1:20
/sbin/tc filter add dev $DEV parent 1: protocol ip prio 13 u32 \
    match ip dst 0.0.0.0/0 flowid 1:20

########## downlink #############
# slow downloads down to somewhat less than the real speed to prevent
# queuing at our ISP. Tune to see how high you can set it.
# ISPs tend to have *huge* queues to make sure big downloads are fast
#
# attach ingress policer:
/sbin/tc qdisc add dev $DEV handle ffff: ingress

# filter *everything* to it (0.0.0.0/0), drop everything that's
# coming in too fast:
/sbin/tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
    0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1

Thanks a lot.

From J.Kraaijeveld at Askesis.nl Tue Oct 25 20:41:10 2005
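To check what the u32 filters in Thiago's script actually select before putting them on a production gateway, here is a software model of that filter chain run over constructed packets. This is an added example, not code from the thread or from the LARTC site; packet addresses and ports are made up, and the class ids (1:10, 1:11, 1:20) are the script's own. The `port_mask` parameter lets you compare the 0xffff mask a 16-bit port field needs with a 0xff mask, which tc applies to the whole 16-bit field and which therefore also matches any port whose low byte is 0x3d (61, 317, 573, ...).

```python
# Added example: a model of the u32 filter chain from the CBQ script above,
# evaluated offline against constructed IPv4 packets.
import struct


def build_packet(proto, sport=0, dport=0, tos=0, tcp_flags=0, payload=b""):
    """Return a constructed IPv4 packet (IHL=5, no options) carrying a TCP
    or ICMP header. Addresses 10.0.0.1 -> 10.0.0.2 are placeholders."""
    if proto == 6:
        # TCP: sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    elif proto == 1:
        # ICMP echo request header
        l4 = struct.pack("!BBHHH", 8, 0, 0, 0, 0)
    else:
        l4 = b""
    total_len = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + l4 + payload


def classify(pkt, port_mask=0xffff):
    """Walk the script's filters in priority order and return the flowid."""
    ihl = pkt[0] & 0x0f
    tos = pkt[1]
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    proto = pkt[9]

    # prio 10: match ip tos 0x10 0xff -> 1:10 (minimum-delay TOS)
    if tos & 0xff == 0x10:
        return "1:10"
    # prio 10: match ip sport/dport 3389 -> 1:11. Like tc, read the ports at
    # fixed offsets 20 and 22, i.e. a 20-byte IP header is assumed.
    if proto in (6, 17) and len(pkt) >= 24:
        sport, dport = struct.unpack_from("!HH", pkt, 20)
        if (sport & port_mask) == (3389 & port_mask) or (dport & port_mask) == (3389 & port_mask):
            return "1:11"
    # prio 11: match ip protocol 1 0xff -> 1:10 (ICMP)
    if proto == 1:
        return "1:10"
    # prio 12: pure TCP ACK shorter than 64 bytes -> 1:10
    #   match u8 0x05 0x0f at 0       IHL == 5 (no IP options)
    #   match u16 0x0000 0xffc0 at 2  total length < 64
    #   match u8 0x10 0xff at 33      TCP flags byte (offset 20+13) == ACK only
    if (proto == 6 and ihl == 5 and (total_len & 0xffc0) == 0
            and len(pkt) > 33 and pkt[33] == 0x10):
        return "1:10"
    # prio 13: everything else -> 1:20 (bulk)
    return "1:20"


if __name__ == "__main__":
    rdp = build_packet(6, sport=40000, dport=3389, tcp_flags=0x18, payload=b"x" * 200)
    ack = build_packet(6, sport=40000, dport=80, tcp_flags=0x10)
    stray = build_packet(6, sport=40000, dport=61, tcp_flags=0x18, payload=b"x" * 200)
    print("RDP data             ->", classify(rdp))                   # 1:11
    print("pure ACK             ->", classify(ack))                   # 1:10
    print("port 61, mask 0xff   ->", classify(stray, port_mask=0xff)) # 1:11 (over-match)
    print("port 61, mask 0xffff ->", classify(stray))                 # 1:20
```

The model keeps tc's assumption of a 20-byte IP header for the port matches, which is why the script's ACK filter separately checks the IHL nibble at offset 0: a packet with IP options would shift every later offset.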
From: J.Kraaijeveld at Askesis.nl (Joost Kraaijeveld)
Date: Tue Oct 25 20:41:13 2005
Subject: [LARTC] Terminal Services and traffic control.
In-Reply-To: <20051025163444.8192D14B90@gw040707.gws.penso.com.br>
References: <20051025163444.8192D14B90@gw040707.gws.penso.com.br>
Message-ID: <1130265670.16914.22.camel@Panoramix>

On Tue, 2005-10-25 at 14:33 -0200, Thiago Lima - lst wrote:
> Hi everybody,
>
> I have a network that only uses terminal services.
>
> Look at the diagram.
>
> 20 machines running WinXP <-> LinuxFW-1 <-> 1Mbit dedicated fiber link <-> LinuxFW-2 <-> Terminal Server
>
> I'd like to give the maximum priority for bandwidth to terminal services (port 3389).
>
> I've changed the CBQ script from the LARTC site to suit my needs, but every time I run it my connections to 3389 become slower. Without TC the connections are faster and better.
>
> I can't afford to lose more time trying to reinvent the wheel. I've read all the documentation and I still can't make a good traffic control for my needs.
>
> 1) Does anyone have something like that?
I have such a network running Citrix.

> 2) Where should I put the traffic control? In LinuxFW-1 or LinuxFW-2?
> 3) Are my script changes right?
First: do you have a performance problem when running without any traffic
control? According to my experience, each connection runs OK with ~20-30
kilobit/sec. If you don't have problems, don't fix them.

Second, do you use any other services from the Windows server on the other
side: DHCP, DNS, WINS, file sharing (e.g. roaming profiles, home
directories), databases (SQL server), Internet connections etc.? If you have
any of those (especially the ones for name resolution) you must take those
into account also.

--
Groeten,

Joost Kraaijeveld
Askesis B.V.
Molukkenstraat 14
6524NB Nijmegen
tel: 024-3888063 / 06-51855277
fax: 024-3608416
e-mail: J.Kraaijeveld@Askesis.nl
web: www.askesis.nl

From thiagolima at webforce.com.br Tue Oct 25 21:00:04 2005
From: thiagolima at webforce.com.br (Thiago Lima - lst)
Date: Tue Oct 25 21:00:16 2005
Subject: RES: [LARTC] Terminal Services and traffic control.
In-Reply-To: <1130265670.16914.22.camel@Panoramix>
Message-ID: <20051025190050.996CA14EEA@gw040707.gws.penso.com.br>

-----Original Message-----
From: Joost Kraaijeveld [mailto:J.Kraaijeveld@Askesis.nl]
Sent: Tuesday, 25 October 2005 16:41
To: Thiago Lima - lst
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Terminal Services and traffic control.

On Tue, 2005-10-25 at 14:33 -0200, Thiago Lima - lst wrote:
> Hi everybody,
>
> I have a network that only uses terminal services.
>
> Look at the diagram.
>
> 20 machines running WinXP <-> LinuxFW-1 <-> 1Mbit dedicated fiber link <-> LinuxFW-2 <-> Terminal Server
>
> I'd like to give the maximum priority for bandwidth to terminal services (port 3389).
>
> I've changed the CBQ script from the LARTC site to suit my needs, but every time I run it my connections to 3389 become slower. Without TC the connections are faster and better.
>
> I can't afford to lose more time trying to reinvent the wheel. I've read all the documentation and I still can't make a good traffic control for my needs.
>
> 1) Does anyone have something like that?
I have such a network running Citrix.

As far as I know, Citrix is more optimized for long distance setups.

> 2) Where should I put the traffic control? In LinuxFW-1 or LinuxFW-2?
> 3) Are my script changes right?
First: do you have a performance problem when running without any traffic
control? According to my experience, each connection runs OK with ~20-30
kilobit/sec. If you don't have problems, don't fix them.

Yes I have problems without traffic control. For instance, when someone
transfers a file between the networks TS sessions become slow. Even opening
Outlook becomes unusable.

Second, do you use any other services from the Windows server on the other
side: DHCP, DNS, WINS, file sharing (e.g. roaming profiles, home
directories), databases (SQL server), Internet connections etc.? If you have
any of those (especially the ones for name resolution) you must take those
into account also.

I have a file server running on another server. TS users use those files for
work. But they're basically Excel and Word files.

Tks Joost.

--
Groeten,

Joost Kraaijeveld
Askesis B.V.
Molukkenstraat 14
6524NB Nijmegen
tel: 024-3888063 / 06-51855277
fax: 024-3608416
e-mail: J.Kraaijeveld@Askesis.nl
web: www.askesis.nl

From comp.techs at aspenview.org Tue Oct 25 23:33:19 2005
From: comp.techs at aspenview.org (comp.techs)
Date: Tue Oct 25 23:36:18 2005
Subject: [LARTC] gre/ipsec loadbalancing
Message-ID: <648A21EA469E3848922D9860785CD5EF4566F3@aspen-mail01.aspenview.org>

Hi,

I managed to get the equal load balancing working using the sch_teql device,
using two gre tunnels over ipsec.

thx
jason

________________________________
From: lartc-bounces@mailman.ds9a.nl on behalf of comp.techs
Sent: Wed 10/19/2005 4:04 PM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] gre/ipsec loadbalancing

Hi,

I have the following setup. Two linux systems with two [test] external
interfaces encrypted with ipsec [transport]. Two gre tunnels that pass
10.200.0.0/24 and 10.200.1.0/24 network traffic.

Testing the balanced tunnels I would set up iptraf on one and ping from the
other. The results would be as expected; traffic would be split between the
two interfaces.

Testing with an ftp transfer of 300MB I would get various results:
1. one interface would be transferring at 36Mbit/s, the other would be at
   1.5Mbit/s [a -> b], or one interface would be transferring at 29Mbit/s
   and the other at 0.
2. I would get the same results from [b -> a]

Is there something I missed or did not configure properly? Any help or
suggestions would be appreciated.

jason

        192.168.0.1 [ipsec tunnel] 192.168.0.2
[A] ------------------------------------------------------------- [B]
        172.16.0.1  [ipsec tunnel] 172.16.0.2
    -------------------------------------------------------------

[A] linux 2.6.13
    internal 10.200.1.2/24
    ext 192.168.0.1
    ext 172.16.0.1
    [gre tunnels]
    netb  10.200.1.2
    netb2 10.200.1.2

[B] linux 2.6.13
    internal 10.200.0.2
    ext 192.168.0.2
    ext 172.16.0.2
    [gre tunnels]
    neta  10.200.0.2
    neta2 10.200.0.2

a.
ip tunnel add netb mode gre remote 172.16.0.2 local 172.16.0.1 ttl 255
ip link set netb up
ip addr add 10.200.1.2 dev netb
ip tunnel add netb2 mode gre remote 192.168.0.2 local 192.168.0.1 ttl 255
ip link set netb2 up
ip addr add 10.200.1.2 dev netb2
ip route add equalize 10.200.0.0/24 nexthop via 10.200.1.2 dev netb nexthop via 10.200.1.2 dev netb2

b.
ip tunnel add neta mode gre remote 172.16.0.1 local 172.16.0.2 ttl 255
ip link set neta up
ip addr add 10.200.0.2 dev neta
ip tunnel add neta2 mode gre remote 192.168.0.1 local 192.168.0.2 ttl 255
ip link set neta2 up
ip addr add 10.200.0.2 dev neta2
ip route add equalize 10.200.1.0/24 nexthop via 10.200.0.2 dev neta nexthop via 10.200.0.2 dev neta2

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20051025/374ed2eb/attachment.html

From cyberdoc at cyberdoc.dk Wed Oct 26 00:03:25 2005
From: cyberdoc at cyberdoc.dk (Daniel Frederiksen)
Date: Wed Oct 26 00:03:36 2005
Subject: [LARTC] Ip Src rewite.
In-Reply-To: <1130246483.15040.150.camel@OSCARLAPLIN>
References: <435E26E3.2080204@cyberdoc.dk> <1130244331.15040.136.camel@OSCARLAPLIN> <435E2BDC.1080507@cyberdoc.dk> <1130246483.15040.150.camel@OSCARLAPLIN>
Message-ID: <435EABAD.4010003@cyberdoc.dk>

Oscar Mechanic wrote:
> So you want packets leaving the WAN to have address e.f.g.h/26 rather
> than a.b.c.d/30
>
> That would mean your ISP has assigned you the two ranges e.f.g.h and
> a.b.c.d.

Well, yes my ISP has assigned me the two "classes", however the a.b.c.d/30
is a single IP through which the e.f.g.h/26 are routed. The ISP is not
routing the e.f.g.h/26 directly to the line, but through the single WAN IP
a.b.c.e/30.. This is why all traffic going through is touched and marked as
coming from the WAN instead of the External IP address.

Any suggestions to solving that?

/Daniel

> Your gateway cannot be a gateway from this diagram
>
> That must be e.f.g.h/27 GW has e.f.g.h/27 and e.f.g.h/26 interfaces
>
>>>> DMZ                GW/FW                      ISP/Internet
>>>>-----------------------------------------------------------------------
>>>> Server #1 --|
>>>> e.f.g.h3/26 |
>>>>             |---- Gateway/Firewall --- ISP WAN IP: a.b.c.d/30
>>>> Server #2 --|     a.b.c.d1/30           Ext. IP: e.f.g.h/26
>>>> e.f.g.h4/26       e.f.g.h1/26
>>>>----------------------------------------------------------------------
>
> I would assume what you will end up doing is
>
> iptables -t nat -A POSTROUTING -m mac-source -j SNAT --to-source
> iptables -t nat -A POSTROUTING -m mac-source -j SNAT --to-source
>
> Where ALIAS1 and ALIAS2 are the IP's of server 1 and server 2 aliased on
> the firewall
>
> Regards
> Shane
>
> On Tue, 2005-10-25 at 14:58 +0200, Daniel Frederiksen wrote:
>
>>Oscar Mechanic wrote:
>>
>>>Maybe I have missed something and you need to do it in POSTROUTING but
>>>how about SNAT.
>>
>>Well currently I do not NAT at all. I have ip_forwarding enabled and
>>have assigned the first IP from the external block on the inside of the
>>Gateway/Firewall. On the outside of the Gateway/Firewall I have assigned
>>the WAN IP. This way when a system on the DMZ establishes a connection
>>it is forwarded through the Gateway.
>>
>>Any suggestions to changes are appreciated.
>>
>>/Daniel..
>>
>>>PS: ip can do stateless nat.
>>>
>>>On Tue, 2005-10-25 at 14:36 +0200, Daniel Frederiksen wrote:
>>>
>>>>Hello folks..
>>>>
>>>>Does any of you know if it is possible to rewrite the ip src in a packet.
>>>>I have a problem involving a DMZ with external IP addresses routed
>>>>through a single WAN IP. When the server initiates a connection, it looks
>>>>like it comes from the WAN ip instead of its designated External IP
>>>>routed through the WAN.
>>>>So in short, is it possible to rewrite the packet in the router, with
>>>>iptables, to make it look like it comes from the external IP address
>>>>instead of the WAN IP of the router/firewall.
>>>>
>>>>Thank you very much for your time, I appreciate it.
>>>>
>>>>/Daniel Frederiksen
>>>>
>>>>NB: Small diagram of the setup.
>>>>
>>>> DMZ                GW/FW                      ISP/Internet
>>>>-----------------------------------------------------------------------
>>>> Server #1 --|
>>>> e.f.g.h3/26 |
>>>>             |---- Gateway/Firewall --- ISP WAN IP: a.b.c.d/30
>>>> Server #2 --|     a.b.c.d1/30           Ext. IP: e.f.g.h/26
>>>> e.f.g.h4/26       e.f.g.h1/26
>>>>----------------------------------------------------------------------
>>>>
>>>>_______________________________________________
>>>>LARTC mailing list
>>>>LARTC@mailman.ds9a.nl
>>>>http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From omry at firefang.net Wed Oct 26 00:15:47 2005
From: omry at firefang.net (Omry Yadan)
Date: Wed Oct 26 00:16:00 2005
Subject: [LARTC] Help needed with traffic control script.
Message-ID: <435EAE93.1050802@firefang.net>

Hi.

I am having trouble shaping traffic using tc. I have been trying for a very
long time, and I just didn't get it to work the way I want it. I will really
appreciate it if you experts will have a look at my script and tell me what
I do wrong.

First, I'll describe my environment, then my requirements.

I run a small server on Debian etch with kernel version 2.6.7. The server ip
is 10.0.0.2. I have another machine in the lan, its ip is 10.0.0.1.
I am connected to the internet via an adsl modem that acts as a router
(10.0.0.138, I set it to be the gateway for both machines).
My upload capacity is around 110 Kilo-bytes per second.
I want to control egress on the server.

My requirements:
1. I want the server to use no more than 100 Kbps when sending to the
   internet.
2. I don't want to limit the upload at all to other machines in the network
   (packets to the network get a free pass).
3. I want good download performance to the server (prioritize ACK and high
   TOS packets).
4. I want http traffic to the internet (not to the LAN) to get at least
   81Kbps (if it needs it).
5. I want other traffic to the internet to get at least 9Kbps (if it needs
   it).
6. I want http traffic to be shared fairly between connected ip addresses,
   meaning if two clients connect, one opens many connections and one opens
   one connection, I want them both to get approximately the same bandwidth.

To do all this, I am trying to create a tree like this:

ROOT_QUEUE (HTB)
+- LAN_QUEUE (HTB, rate 100Mbit)
+- INET_QUEUE (HTB, rate 100Kbps)
   +- INET_INTERACTIVE (HTB, rate 10Kbps, ceil 100Kbps, prio 2)
   +- INET_DEFAULT (HTB, rate 90Kbps, ceil 100Kbps, prio 1)
      +- INET_HTTP (HTB, rate 81Kbps, ceil 90Kbps)
      |  +- SFQ
      +- INET_UNCLASSIFIED (HTB, rate 9Kbps, ceil 90Kbps)
         +- SFQ

Attached is my script, which does not seem to work. Some of the problems
with it currently are:
1. unclassified packets (not http) can get bandwidth even if http needs it
2. users with many connections opened to http get more bandwidth than users
   with few connections.

Thanks.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: tc_init.sh
Type: application/x-shellscript
Size: 4062 bytes
Desc: not available
Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20051026/52293139/tc_init.bin

From omry at firefang.net Wed Oct 26 01:14:53 2005
From: omry at firefang.net (Omry Yadan)
Date: Wed Oct 26 01:16:01 2005
Subject: [LARTC] Help needed with traffic control script.
In-Reply-To: <435EAE93.1050802@firefang.net>
References: <435EAE93.1050802@firefang.net>
Message-ID: <435EBC6D.6050807@firefang.net>

Had a problem with the previous script (debug exit early in it), please look
at this one instead.

While writing the previous message I found and fixed some problems in the
script. Because of this 'exit' I didn't really test the changes.

It seems that now "unclassified" packets no longer grab bandwidth from http,
but on the other hand it takes a very long time to open an ssh connection
from the server to a machine on the internet while users are downloading.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: tc_init.sh
Type: application/x-shellscript
Size: 3853 bytes
Desc: not available
Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20051026/c937791c/tc_init-0001.bin

From alex at samad.com.au Wed Oct 26 02:01:43 2005
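Omry's second problem (a user with many http connections outrunning a user with one) follows from how the leaf qdisc keys its queues, and a small scheduler model makes that visible without touching a kernel. This is an added example, not Omry's script (the attachment is not on the page) and not tc code; it assumes the leaves are stock SFQ, which hashes on the flow (addresses, protocol and ports), so every TCP connection gets its own queue and round-robin service hands a client with N connections roughly N shares. Keying the same scheduler on the source address alone, which is what the "fair between ip addresses" requirement calls for, gives each client one share regardless of connection count. The traffic mix below is constructed.

```python
# Added example: round-robin queueing keyed per flow (classic SFQ) versus
# per source address, run over a constructed traffic mix.
from collections import OrderedDict


def make_traffic(connections_per_client, packets=50, size=1500):
    """Constructed packets as (client, connection_id, size_bytes) tuples."""
    pkts = []
    for client, n_conn in connections_per_client.items():
        for conn in range(n_conn):
            pkts.extend((client, conn, size) for _ in range(packets))
    return pkts


def per_flow(pkt):
    """Queue key used by classic SFQ: one queue per connection."""
    return (pkt[0], pkt[1])


def per_source(pkt):
    """Queue key of a scheduler that hashes on the client address only."""
    return pkt[0]


def round_robin_share(pkts, key, budget_bytes):
    """Enqueue everything, serve the queues round-robin until budget_bytes
    have left the interface, and return each client's fraction of that
    budget (rounded to two decimals)."""
    queues = OrderedDict()
    for p in pkts:
        queues.setdefault(key(p), []).append(p)
    sent = {}
    remaining = budget_bytes
    while remaining > 0 and queues:
        for k in list(queues):
            q = queues[k]
            if not q:
                del queues[k]          # empty queue drops out of the rotation
                continue
            p = q.pop(0)
            sent[p[0]] = sent.get(p[0], 0) + p[2]
            remaining -= p[2]
            if remaining <= 0:
                break
    total = sum(sent.values())
    return {client: round(b / total, 2) for client, b in sent.items()}


if __name__ == "__main__":
    # "heavy" opens five http connections, "light" opens one
    traffic = make_traffic({"heavy": 5, "light": 1})
    budget = 60 * 1500                  # bytes the link can carry in the window
    print("per flow  :", round_robin_share(traffic, per_flow, budget))
    print("per source:", round_robin_share(traffic, per_source, budget))
```

With the five-to-one mix the per-flow scheduler gives the heavy client about 83% of the link and the per-source one splits it 50/50. The practical fix in 2005 was a leaf qdisc or classifier that hashes on the source address (the ESFQ patch offered such a hash mode) rather than stock SFQ under INET_HTTP.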
From: alex at samad.com.au (Alexander Samad)
Date: Wed Oct 26 02:01:51 2005
Subject: [LARTC] multipath patches
Message-ID: <20051026000143.GB10248@samad.com.au>

Hi

Can anyone point me to any doco on the multipath patches that have been
added to 2.6.13+? There now seem to be modules multipath_cached,
multipath_random, multipath_rr etc.

Thanks
A

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20051026/82d3b7a2/attachment.pgp

From rob0 at gmx.co.uk Wed Oct 26 02:25:19 2005
From: rob0 at gmx.co.uk (/dev/rob0)
Date: Wed Oct 26 02:25:28 2005
Subject: [LARTC] Ip Src rewite.
In-Reply-To: <435EABAD.4010003@cyberdoc.dk>
References: <435E26E3.2080204@cyberdoc.dk> <1130246483.15040.150.camel@OSCARLAPLIN> <435EABAD.4010003@cyberdoc.dk>
Message-ID: <200510251925.19967.rob0@gmx.co.uk>

On Tuesday 2005-October-25 17:03, Daniel Frederiksen wrote:
> Well, yes my ISP has assigned me the two "classes", however the
> a.b.c.d/30 is a single IP through which the e.f.g.h/26 are routed
> through. The ISP is not routing the e.f.g.h/26 directly to the line,
> but through the single WAN IP a.b.c.e/30..
> This is why all traffic going through is touched and marked as coming
> from the WAN instead of the External IP address.

What you describe sounds like NAT. Your gateway should be forwarding
that traffic with the source IP unchanged. Can you show us tcpdump or
iptables -j LOG of some of these packets' source IP being changed?

I think we are missing part of the picture here. iptables-save; ip r l;
ip ru l; ip a l # all those might help. Munge consistently if you feel
compelled to munge.

> >>>>NB: Small diagram of the setup.
> >>>>
> >>>> DMZ                GW/FW                      ISP/Internet
> >>>>-----------------------------------------------------------------------
> >>>> Server #1 --|
> >>>> e.f.g.h3/26 |
> >>>>             |---- Gateway/Firewall --- ISP WAN IP: a.b.c.d/30
> >>>> Server #2 --|     a.b.c.d1/30           Ext. IP: e.f.g.h/26
> >>>> e.f.g.h4/26       e.f.g.h1/26

"DMZ" implies there is a separate subnet, and perhaps a SNAT'ed LAN,
correct? You have 3 interfaces: internal, DMZ and external? Whether or
not there is an internal doesn't directly affect this, but anyway, that
is how I would set it up.

Your DMZ machines should have e.f.g.h1 as their default gateway. Your
router machine should have whatever the ISP told you to use as its
default gateway (probably a.b.c.d2, I bet.)
--
mail to this address is discarded unless "/dev/rob0" or "not-spam"
is in Subject: header

From cyberdoc at cyberdoc.dk Wed Oct 26 03:20:30 2005
From: cyberdoc at cyberdoc.dk (Daniel Frederiksen)
Date: Wed Oct 26 03:20:42 2005
Subject: [LARTC] Ip Src rewite.
In-Reply-To: <200510251925.19967.rob0@gmx.co.uk>
References: <435E26E3.2080204@cyberdoc.dk> <1130246483.15040.150.camel@OSCARLAPLIN> <435EABAD.4010003@cyberdoc.dk> <200510251925.19967.rob0@gmx.co.uk>
Message-ID: <435ED9DE.9020805@cyberdoc.dk>

/dev/rob0 wrote:
> On Tuesday 2005-October-25 17:03, Daniel Frederiksen wrote:
>
>>Well, yes my ISP has assigned me the two "classes", however the
>>a.b.c.d/30 is a single IP through which the e.f.g.h/26 are routed
>>through. The ISP is not routing the e.f.g.h/26 directly to the line,
>>but through the single WAN IP a.b.c.e/30..
>>This is why all traffic going through is touched and marked as coming
>>from the WAN instead of the External IP address.
>
> What you describe sounds like NAT. Your gateway should be forwarding
> that traffic with the source IP unchanged. Can you show us tcpdump or
> iptables -j LOG of some of these packets' source IP being changed?

I would like to supply some tcpdump data, but at the moment the amount of
data flowing through is massive and extends to 118 systems. I was actually
trying to simplify the scenario a little bit. The thing is I also have
multiple lines with the same config running through the gateway/firewall as
a multipath routed setup.

Ok here goes, I'll try to define the complete setup:

eth0 (WAN 1)               IP: 80.16x.xxx.70/30
eth1 (WAN 2)               IP: 80.16y.yyy.174/30
eth2 (Routed WAN 2 Class)  IP: 80.16z.zzz.65/26
eth3 (Routed WAN 1 Class)  IP: 62.24w.www.1/26
eth4                       IP: 192.168.1.1/24

:~# ip ru
0:      from all lookup local
32761:  from 80.16x.xxx.70 lookup WAN1
32762:  from 62.24w.www.0/26 lookup WAN1
32763:  from 80.16z.zzz.64/26 lookup WAN2
32764:  from 80.16y.yyy.174 lookup WAN2
32766:  from all lookup main
32767:  from all lookup default

:~# ip r
80.16y.yyy.172/30 dev eth1  proto kernel  scope link  src 80.16y.yyy.174
80.16x.xxx.68/30 dev eth0  proto kernel  scope link  src 80.16x.xxx.70
80.16z.zzz.64/26 dev eth2  proto kernel  scope link  src 80.16z.zzz.65
62.24w.www.0/26 dev eth3  proto kernel  scope link  src 62.24w.www.1
192.168.1.0/24 dev eth4  proto kernel  scope link  src 192.168.1.1
default via 80.16x.xxx.69 dev eth0

The only other settings are:

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 80.16x.xxx.70

D'ooohhhh (Slaps his forehead).. Just found the problem.. Missing a
"-s 192.168.1.0/24" in the above statement, to exclude everything except
the LAN.. No wonder everything got nat'ed..

Well, I guess I'm buying the next round.. Anyway, thanks a lot guys. You
made my day and night..

/Daniel.

> I think we are missing part of the picture here. iptables-save; ip r l;
> ip ru l; ip a l # all those might help. Munge consistently if you feel
> compelled to munge.
>
>>>>>>NB: Small diagram of the setup.
>>>>>>
>>>>>> DMZ                GW/FW                      ISP/Internet
>>>>>>-----------------------------------------------------------------------
>>>>>> Server #1 --|
>>>>>> e.f.g.h3/26 |
>>>>>>             |---- Gateway/Firewall --- ISP WAN IP: a.b.c.d/30
>>>>>> Server #2 --|     a.b.c.d1/30           Ext. IP: e.f.g.h/26
>>>>>> e.f.g.h4/26       e.f.g.h1/26
>
> "DMZ" implies there is a separate subnet, and perhaps a SNAT'ed LAN,
> correct? You have 3 interfaces: internal, DMZ and external? Whether or
> not there is an internal doesn't directly affect this, but anyway, that
> is how I would set it up.
>
> Your DMZ machines should have e.f.g.h1 as their default gateway. Your
> router machine should have whatever the ISP told you to use as its
> default gateway (probably a.b.c.d2, I bet.)

From rvokal at redhat.com Wed Oct 26 10:51:48 2005
From: rvokal at redhat.com (Radek Vokál)
Date: Wed Oct 26 10:52:13 2005
Subject: [LARTC] Bug in ip -6?
Message-ID: <1130316708.3197.10.camel@localhost.localdomain>

Hi,

this appeared on Red Hat bugzilla and I'm not sure if the customer's
presumption is correct:

`ip -6 route add 10::a120/124 via 10::a111` returns
RTNETLINK answers: invalid argument

His expected result is that a route table entry to subnet 10::a120/124
should be added.

I know RFC3587 describes prefix 001b as the unicast global address range
assigned by IANA, and all other unicast address range is 'unassigned'. But
'unassigned' does not mean illegal. It's only for administrative purposes.
The implementation should not have such a restriction.

Is he correct? Should this be fixed?

--
Radek Vokál

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20051026/69904df4/attachment.pgp

From jv.suri at gmail.com Wed Oct 26 11:20:49 2005
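Daniel's self-diagnosis in the "Ip Src rewite" thread above (a POSTROUTING SNAT rule on the WAN interface with no -s restriction, so the routed DMZ block was rewritten along with the RFC 1918 LAN) is a common enough NAT mistake that it is worth having a check for it. The model below is an added example, not Daniel's configuration and not iptables code: it evaluates a small subset of POSTROUTING SNAT semantics (first matching rule wins, optional source-network restriction, output interface) over constructed packets and reports which non-LAN sources would leave with a rewritten address. The LAN is Daniel's 192.168.1.0/24; the WAN address and the routed DMZ block are constructed stand-ins from the TEST-NET ranges, since the thread munges those octets.

```python
# Added example: model of an iptables POSTROUTING SNAT rule with and without
# a "-s" restriction, plus a check for source addresses that get rewritten
# although they are not in the LAN.
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")            # from the thread
WAN1_IP = "203.0.113.70"                                # stand-in for 80.16x.xxx.70
ROUTED_WAN1 = ipaddress.ip_network("198.51.100.0/26")   # stand-in for 62.24w.www.0/26


class SnatRule:
    """Subset of: iptables -t nat -A POSTROUTING [-s NET] -o IFACE -j SNAT --to ADDR"""

    def __init__(self, out_iface, to, src_net=None):
        self.out_iface = out_iface
        self.to = ipaddress.ip_address(to)
        self.src_net = ipaddress.ip_network(src_net) if src_net else None

    def matches(self, src, out_iface):
        if out_iface != self.out_iface:
            return False
        return self.src_net is None or src in self.src_net


def postrouting(rules, src, out_iface):
    """Return the source address a packet leaves with. SNAT is a terminating
    target, so the first matching rule decides."""
    src = ipaddress.ip_address(src)
    for rule in rules:
        if rule.matches(src, out_iface):
            return str(rule.to)
    return str(src)


def source_leak_report(rules, samples):
    """Defender's check: (src, out_iface, rewritten_to) for every sample whose
    source is rewritten even though it is not in the LAN that should be
    masqueraded. samples is a list of (src, out_iface)."""
    leaks = []
    for src, iface in samples:
        after = postrouting(rules, src, iface)
        if after != src and ipaddress.ip_address(src) not in LAN:
            leaks.append((src, iface, after))
    return leaks


# The rule as first written (no -s): everything leaving eth0 is rewritten.
BROKEN = [SnatRule("eth0", WAN1_IP)]
# The corrected rule: only the RFC 1918 LAN is hidden behind the WAN address.
FIXED = [SnatRule("eth0", WAN1_IP, src_net=str(LAN))]

# Constructed sample traffic: a LAN host, and a routed DMZ host leaving via
# eth0 (to the Internet) and via eth3 (its own routed segment).
DMZ_HOST = str(ROUTED_WAN1[5])
SAMPLES = [("192.168.1.10", "eth0"), (DMZ_HOST, "eth0"), (DMZ_HOST, "eth3")]

if __name__ == "__main__":
    print("without -s:", source_leak_report(BROKEN, SAMPLES))
    print("with -s   :", source_leak_report(FIXED, SAMPLES))
```

The same idea applies to any masquerading rule on a multi-homed gateway: scope it to the source networks it is meant for, and keep a sample set of addresses from every other segment to confirm they traverse the NAT table untouched.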
From: jv.suri at gmail.com (Suresh Babu)
Date: Wed Oct 26 11:20:52 2005
Subject: [LARTC] Help regarding TBF and CBQ
Message-ID: <35a277ac0510260220w108bcd5i411afea2af638450@mail.gmail.com>

Hello

Please give advice in selecting a suitable QoS solution for our device. It
contains one WAN port and a LAN port (4 port switch). The WAN will be
connected to an ADSL modem (so we don't know the bandwidth in advance for
the WAN; it depends on the ADSL connection taken). We need to give highest
priority to the Voice and control the WAN bandwidth to 2Mbps.

I tried with the TBF by giving 500kbps for voice and 1.5Mbps for other
traffic (I'm assuming that a user takes at most a 2Mbps line). But the
maximum throughput I'm getting for the data is 1.15 only (even if I create
only one TBF class with the full 2 Mbps rate).

I need to simulate different WAN bandwidth speeds like 64kbps, 128kbps,
256kbps etc. How do I simulate this? What is the maximum bandwidth that a
TBF can control? What is the suitable solution for providing QoS on our
device? Does CBQ help in my case?

Thanks in Advance.

Regards,
Suresh Babu.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20051026/38c111a5/attachment.htm

From J.Kraaijeveld at Askesis.nl Wed Oct 26 11:30:19 2005
From: J.Kraaijeveld at Askesis.nl (Joost Kraaijeveld)
Date: Wed Oct 26 11:30:23 2005
Subject: RES: [LARTC] Terminal Services and traffic control.
In-Reply-To: <20051025190050.996CA14EEA@gw040707.gws.penso.com.br>
References: <20051025190050.996CA14EEA@gw040707.gws.penso.com.br>
Message-ID: <1130319019.16914.48.camel@Panoramix>

On Tue, 2005-10-25 at 17:00 -0200, Thiago Lima - lst wrote:
> As far as I know, Citrix is more optimized for long distance setups.
Mmmm. This is what the Citrix marketing department wants you to believe
anyway.

> First: do you have a performance problem when running without any traffic
> control: according to my experience, each connection runs OK with ~20-30
> kilobit/sec? If you don't have problems, don't fix them.
>
> Yes I have problems without traffic control. For instance, when
> someone transfers a file between the networks TS sessions become slow. Even
> opening Outlook becomes unusable.
Do you mean by that: user copies a file from his client to the TS session
(or the other way around)? Or do you mean that the user copies a file in the
TS session from directory to directory in the TS session? If the latter, are
the directories local to the TS server or are they actually mounted shares?
If so, on which side of the link are the shares?

> Second, do you use any other services from the Windows server on the
> other side: DHCP, DNS, WINS, file sharing (e.g. roaming profiles, home
> directories), databases (SQL server), Internet connections etc?
> If you have any of those (especially the ones for name resolution) you
> must take those into account also.
>
> I have a file server running on another server. TS users use those
> files for work. But they're basically Excel and Word files.
OK, but are the files in the TS session or on the client computer? Is the
location of the fileserver on the side of the TS server or on the side of
the clients?

--
Groeten,

Joost Kraaijeveld
Askesis B.V.
Molukkenstraat 14
6524NB Nijmegen
tel: 024-3888063 / 06-51855277
fax: 024-3608416
e-mail: J.Kraaijeveld@Askesis.nl
web: www.askesis.nl

From Aristarchus at myrealbox.com Wed Oct 26 14:51:45 2005
From: Aristarchus at myrealbox.com (Aristarchus)
Date: Wed Oct 26 14:51:51 2005
Subject: [LARTC] No Nat problem
Message-ID: <1130331105.c7eeda3cAristarchus@myrealbox.com>

Hello...

I have the following problem: The usual way for a linux router to manage
connections between 2 or more internet providers and an internal network is
to SNAT the internal network into the (usually 1) external ip address that
the provider has given us. My problem is that I don't wish to do SNAT
(anymore) because my provider has given me a unique internet ip address for
each pc, so that the internet address and the local one are identical.

My SNAT configuration worked perfectly. I had two routing tables:

1) Main
231.245.21.0/27 dev eth2  scope link
192.168.1.0/24 dev eth0  scope link
192.168.2.0/24 dev eth1  scope link
default via 192.168.1.1 dev eth0

2) Policy
231.245.21.0/27 dev eth2  scope link
192.168.1.0/24 dev eth0  scope link
192.168.2.0/24 dev eth1  scope link
default via 231.245.21.1 dev eth2

Where 192.168.2.0 is my internal network, 231.245.21.0 the network of
Provider 1 and 192.168.1.0 the network of Provider 2. It all worked (almost)
flawlessly. Certain ports were going out from eth2 while all the others from
eth0.

One would say that with the internet ips I would have to make the following
change (assuming that pc's at the lan have 231.245.21.4-62 from now on):

1) Main
231.245.21.0/27 dev eth2  scope link
231.245.21.0/27 dev eth0  scope link
192.168.1.0/24 dev eth1  scope link
default via 192.168.1.1 dev eth2

and

2) Policy
231.245.21.0/27 dev eth2  scope link
231.245.21.0/27 dev eth0  scope link
192.168.1.0/24 dev eth1  scope link
default via 231.245.21.1 dev eth2

But alas, when I tried to do that it was not accepted:

"RTNETLINK : File exists" <--- exit output

I tried to do it with the route command and it was accepted only for the
main table, but look what was happening. If I had the first declaration of
the subnet in eth2 I could only communicate with gateway 1 (231.245.21.1),
while if it was eth0 in the first declaration I couldn't communicate with
the gw but only with the lan.

Then I tried another way. Instead of declaring the same network I declared a
static route only with the gateway in eth2. Thus:

1) Main
231.245.21.1 dev eth2  scope link
231.245.21.0/27 dev eth0  scope link
192.168.1.0/24 dev eth1  scope link
default via 192.168.1.1 dev eth1

2) Policy
231.245.21.1 dev eth2  scope link
231.245.21.0/27 dev eth0  scope link
192.168.1.0/24 dev eth1  scope link
default via 231.245.21.1 dev eth2

And in that way I managed to get to the point where I could communicate from
my linux router with both sides, I mean Provider 1 and the internal network.
I could also communicate from my local lan with provider 2. But the real
problem is that I cannot communicate with Provider 1 from my local lan.

Is this the right way to accomplish that and I am missing something, or is
it the totally wrong way to do it?

Someone please help. Thank you in advance

From thiagolima at webforce.com.br Wed Oct 26 14:58:31 2005
From: thiagolima at webforce.com.br (Thiago Lima - lst)
Date: Wed Oct 26 14:58:40 2005
Subject: RES: RES: [LARTC] Terminal Services and traffic control.
In-Reply-To: <1130319019.16914.48.camel@Panoramix>
Message-ID: <20051026125917.EF589F809@gw040707.gws.penso.com.br>

-----Original Message-----
From: Joost Kraaijeveld [mailto:J.Kraaijeveld@Askesis.nl]
Sent: Wednesday, 26 October 2005 07:30
To: Thiago Lima - lst
Cc: lartc@mailman.ds9a.nl
Subject: Re: RES: [LARTC] Terminal Services and traffic control.

On Tue, 2005-10-25 at 17:00 -0200, Thiago Lima - lst wrote:
> As far as I know, Citrix is more optimized for long distance setups.
Mmmm. This is what the Citrix marketing department wants you to believe
anyway.

> First: do you have a performance problem when running without any traffic
> control: according to my experience, each connection runs OK with ~20-30
> kilobit/sec? If you don't have problems, don't fix them.
>
> Yes I have problems without traffic control. For instance, when
> someone transfers a file between the networks TS sessions become slow. Even
> opening Outlook becomes unusable.
Do you mean by that: user copies a file from his client to the TS session
(or the other way around)? Or do you mean that the user copies a file in the
TS session from directory to directory in the TS session? If the latter, are
the directories local to the TS server or are they actually mounted shares?
If so, on which side of the link are the shares?

> Second, do you use any other services from the Windows server on the
> other side: DHCP, DNS, WINS, file sharing (e.g. roaming profiles, home
> directories), databases (SQL server), Internet connections etc?
> If you have any of those (especially the ones for name resolution) you
> must take those into account also.
>
> I have a file server running on another server. TS users use those
> files for work. But they're basically Excel and Word files.
OK, but are the files in the TS session or on the client computer? Is the
location of the fileserver on the side of the TS server or on the side of
the clients?

The files are on the file server, which stands right next to the TS
(connected by gigabit Ethernet).

My problem is to make connections from my office to the TS with maximum
priority. There's some other traffic on the 1Mbit link. The TS port should
have maximum priority and flow.

From kenneth.kalmer at gmail.com Wed Oct 26 17:33:31 2005
From: kenneth.kalmer at gmail.com (Kenneth Kalmer)
Date: Wed Oct 26 17:33:36 2005
Subject: [LARTC] Explenation of WRR parameters
Message-ID:

Guys

Apologies for the cross post.

I've been scouring the docs coming with the wrr patches and for the life of
me I can't figure out why there are 8 parameters for each class.

weight1, min1, decr1, incr1, weight2, min2, decr2, incr2

According to the docs these parameters are handled the same way, but looking
at the example scripts there are different values for these.

I had a look at the formulas, and have gotten my own set of reasonable
values, based on the calculations, but do I place the same values in param1
& param2?

Any help would be appreciated

--
Kenneth Kalmer
kenneth.kalmer@gmail.com

Folding@home stats
http://vspx27.stanford.edu/cgi-bin/main.py?qtype=userpage&username=kenneth%2Ekalmer

From omry_y at zahav.net.il Wed Oct 26 20:26:53 2005
From: omry_y at zahav.net.il (Omry Yadan)
Date: Wed Oct 26 20:27:08 2005
Subject: [LARTC] Help needed with traffic control script.
In-Reply-To: <20051026071931.61097.qmail@web32612.mail.mud.yahoo.com>
References: <20051026071931.61097.qmail@web32612.mail.mud.yahoo.com>
Message-ID: <435FCA6D.7010304@zahav.net.il>

Had a look. Seems like your change is cosmetic only, or did I miss it?

panca sorin wrote:
> --- Omry Yadan wrote:
>
>> had a problem with previous script (debug exit early in it), please look
>> at this one instead.
>>
>> while writing the previous message I found and fixed some problem in the
>> script.
>>
>> because of this 'exit' I didn't really test the changes.
>>
>> it seems that now "unclassified" packets no longer grab bandwidth
>> from http, but on the other hand -
>>
>> it takes a very long time to open an ssh connection from the server to a
>> machine on the internet while users are downloading.
>>
> What about incoming packets? How can you be sure that
> interactive traffic gets to you from the internet
> first when you download something? Prioritize control
> packets, too (ACK, SYN and SYN ACK).
> I modified your script and added some new variables.
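The two requests above (a Terminal Services session that must stay responsive on a 1 Mbit link, and panca sorin's point that TCP control packets need priority so interactive traffic is not starved by downloads) come down to one small HTB tree. The script below is an added example, not a script from either message: it assumes Terminal Services on its default TCP port 3389, and DEV and LINK_KBIT are illustrative parameters. It prints the tc commands unless DRY_RUN=0, so it can be read and tested without root.

```sh
#!/bin/sh
# Added example (not the thread's script): give interactive traffic priority
# over bulk transfers on a slow link with HTB + SFQ.  Interactive here means
# Terminal Services (RDP, TCP 3389 by default) and TCP control packets
# (bare ACKs, SYN, SYN/ACK).
# Assumptions: DEV, LINK_KBIT and RDP_PORT are illustrative parameters;
# DRY_RUN=1 (default) prints the tc commands instead of executing them.

DEV="${DEV:-eth0}"              # interface towards the slow link
LINK_KBIT="${LINK_KBIT:-1000}"  # 1 Mbit link, as in the thread
RDP_PORT="${RDP_PORT:-3389}"    # Terminal Services / RDP default port

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# class_rate <kbit> <percent>: guaranteed rate of a class, integer kbit
class_rate() { echo $(( $1 * $2 / 100 )); }

# shaper_cmds <link_kbit>: two-class HTB tree under a root class held a
# little below the physical rate, so the queue builds on this box (where
# we can reorder it) and not in the modem or router upstream.
shaper_cmds() {
    ceil=$(( $1 * 95 / 100 ))          # 5 % headroom
    r_inter=$(class_rate "$ceil" 40)   # 1:10 interactive, may borrow up to ceil
    r_bulk=$(class_rate "$ceil" 60)    # 1:20 bulk (default), may borrow too

    run tc qdisc add dev "$DEV" root handle 1: htb default 20
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate "${ceil}kbit" ceil "${ceil}kbit"
    run tc class add dev "$DEV" parent 1:1 classid 1:10 htb rate "${r_inter}kbit" ceil "${ceil}kbit" prio 0
    run tc class add dev "$DEV" parent 1:1 classid 1:20 htb rate "${r_bulk}kbit" ceil "${ceil}kbit" prio 1
    run tc qdisc add dev "$DEV" parent 1:10 handle 10: sfq perturb 10
    run tc qdisc add dev "$DEV" parent 1:20 handle 20: sfq perturb 10

    # Terminal Services in both directions -> interactive class
    run tc filter add dev "$DEV" parent 1: protocol ip prio 1 u32 match ip dport "$RDP_PORT" 0xffff flowid 1:10
    run tc filter add dev "$DEV" parent 1: protocol ip prio 1 u32 match ip sport "$RDP_PORT" 0xffff flowid 1:10
    # Bare TCP ACKs: IHL == 5, total length < 64, flags byte (offset 33) == ACK only
    run tc filter add dev "$DEV" parent 1: protocol ip prio 2 u32 \
        match ip protocol 6 0xff match u8 0x05 0x0f at 0 \
        match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:10
    # SYN and SYN/ACK (SYN bit set) so new sessions are not stuck behind bulk data
    run tc filter add dev "$DEV" parent 1: protocol ip prio 2 u32 \
        match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u8 0x02 0x02 at 33 flowid 1:10
}

shaper_cmds "$LINK_KBIT"
```

The flag-byte matches at offset 33 only hold for a 20-byte IP header, which is why the IHL check precedes them; whether the classes are actually used is visible afterwards in `tc -s class show dev $DEV`.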
From: comp.techs at aspenview.org (comp.techs)
Date: Wed Oct 26 23:48:00 2005
Subject: [LARTC] multipath routing
Message-ID: <648A21EA469E3848922D9860785CD5EF4566F5@aspen-mail01.aspenview.org>

Hi, I am trying to use ip route to load balance between two interfaces.

ip route add equalize 10.200.1.0/24 nexthop via 10.200.0.2 dev neta nexthop via 10.200.0.2 dev neta2

Where neta and neta2 are gre tunnels. Testing shows that packets travel in a single sided manner.

Do I need to use the multipath (IP_ROUTE_MULTIPATH_CACHED) module?

thx jason

From: yhmail29 at yahoo.co.in (Yogesh Hasabnis)
Date: Thu Oct 27 13:02:56 2005
Subject: [LARTC] tc rules and DGD patches
Message-ID: <20051027110249.12005.qmail@web8401.mail.in.yahoo.com>

Hi All,

I have one query which may be quite silly. My Linux internet gateway has Dead Gateway Detection patches applied to its kernel. If I am right, the DGD patches allow us to add static routes which are not destroyed even if the interface or the link goes down. I want to know whether, with the DGD patches applied, the traffic shaping rules defined using tc, added to an interface, remain intact when a link/interface goes down (and comes up some time later)?

Thanks
Yogesh
From: eantoranz at gmail.com (Edmundo Carmona)
Date: Thu Oct 27 16:21:02 2005
Subject: [LARTC] multipath routing
In-Reply-To: <648A21EA469E3848922D9860785CD5EF4566F5@aspen-mail01.aspenview.org>
References: <648A21EA469E3848922D9860785CD5EF4566F5@aspen-mail01.aspenview.org>
Message-ID: <65aa6af90510270720x75903866pebfea4e3ed2f0598@mail.gmail.com>

Multipath takes a little more than just setting the default route. You have to set separate routing tables for each interface involved in the multipath routing (though I haven't understood yet why they are needed.. the fact is that if you don't set them, multipath won't route).

Also, even if you set it all right, it doesn't mean that if you send two packets to a location X, one will go through one interface and the second will go through the other. Routes are cached, and after a routing decision has been made for the first packet, packets going to that same host will go through the same interface till the caching time has gone by.

On 10/26/05, comp.techs wrote:
> Hi, I am trying to use ip route to load balance between two interfaces.
>
> ip route add equalize 10.200.1.0/24 nexthop via 10.200.0.2 dev neta nexthop
> via 10.200.0.2 dev neta2
>
> Where neta and neta2 are gre tunnels. Testing shows that packets travel in
> a single sided manner.
>
> Do I need to use the multipath (IP_ROUTE_MULTIPATH_CACHED) module?
>
> thx jason
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
From: eantoranz at gmail.com (Edmundo Carmona)
Date: Thu Oct 27 16:25:04 2005
Subject: [LARTC] problems with multipath routing (2nd attempt)
Message-ID: <65aa6af90510270724g2a2a09c6p3313f2f63c9dd6bb@mail.gmail.com>

This was my very first post to the lartc mail list... but mailman replied saying there was a problem delivering the message to the recipients... and as I got NO replies at all, I guess no one received it. So I decided to resend it to see if there's anyone to "bring me into the light" on this one. ;)

Can anybody help here?

---------- Forwarded message ----------
From: Edmundo Carmona
Date: Oct 23, 2005 4:41 PM
Subject: problems with multipath routing
To: lartc

Hello, guys!

This is my very first post on this mail list.. and I hope this can be a productive relation! :-)

I'm Edmundo Carmona, Computer Engineer in Venezuela. I'm also registered on the netfilter mail list and sometimes help there (as well as ask questions, of course).

Now the post:

Some time ago, I set up a linux box that was supposed to balance the load on three internet links. The thing worked... but only with two interfaces. It never worked with three... and after some experimentation I noticed that it didn't work well when two of the links were "present" on the same subnet (the three links are provided by the same ISP)... and they work with DHCP, by the way. So I set up that box with two links and another box handles the third.

Why did that happen? Is there a way to make it work?

With that setup I was trying to make I made a number of different things, but right now that's the one problem that's been busting my head for the longest.

I hope you can shed some light on the problem.
From: gypsy at iswest.com (gypsy)
Date: Thu Oct 27 17:31:15 2005
Subject: [LARTC] tc rules and DGD patches
References: <20051027110249.12005.qmail@web8401.mail.in.yahoo.com>
Message-ID: <4360F2B6.3C26FC18@iswest.com>

Yogesh Hasabnis wrote:
>
> Hi All,
>
> I have one query which may be quite silly. My Linux
> internet gateway has Dead Gateway Detection patches
> applied to its kernel. If I am right, the DGD patches
> allow us to add static routes which are not destroyed
> even if the interface or the link goes down. I want to
> know whether, with the DGD patches applied, the
> traffic shaping rules defined using tc, added to an
> interface, remain intact when a link/interface goes
> down (and comes up some time later)?
>
> Thanks
>
> Yogesh

Yes, they remain intact. In fact, you can create rules for an interface that does not even exist.
--
Gypsy

From: comp.techs at aspenview.org (comp.techs)
Date: Thu Oct 27 18:03:55 2005
Subject: [LARTC] multipath routing
Message-ID: <648A21EA469E3848922D9860785CD5EF4566FC@aspen-mail01.aspenview.org>

Hi, I also used TEQL; this worked very well, but I require the (weight) option.

thx jason
From: comp.techs at aspenview.org (comp.techs)
Date: Thu Oct 27 20:07:25 2005
Subject: [LARTC] multipath routing
Message-ID: <648A21EA469E3848922D9860785CD5EF4566FD@aspen-mail01.aspenview.org>

Hi, using the following:

ip route add equalize 10.200.1.0/24 nexthop via 10.200.0.2 dev neta nexthop via 10.200.0.2 dev neta2

while doing a

while [ 1 ]
do
    ip route flush cache
done

the transfer of packets almost seems equal?

thx jason

________________________________
From: lartc-bounces@mailman.ds9a.nl on behalf of comp.techs
Sent: Thu 10/27/2005 10:02 AM
To: Edmundo Carmona; lartc@mailman.ds9a.nl
Subject: RE: [LARTC] multipath routing

Hi, I also used TEQL; this worked very well, but I require the (weight) option.

thx jason
From: dpsims at dpsims.com (David Sims)
Date: Thu Oct 27 23:24:08 2005
Subject: [LARTC] Wondershaper....
Message-ID:

Hi,

I am doing LARTC style policy based routing to allocate traffic between two different T-1 based ISPs via a single egress NIC card (two different default routes depending on source address). I would like to try out Wondershaper on this NIC. I have initially set:

DOWNLINK=2500
UPLINK=2500
DEV=eth1

with the idea being that the aggregate maximum rate out this NIC is 2 x 1544 (i.e., 2 T-1s) or about 3.1 Mb/s.... Is that an appropriate setting?? What's the best way to tell if this traffic shaping is having the desired effect?? Is there a way to independently apply this shaper to each of the flows?

Dave
From: swaminathan.vasudevan at hp.com (Vasudevan, Swaminathan (PNB Roseville))
Date: Fri Oct 28 20:03:12 2005
Subject: [LARTC] Issues in setting up different priorities for the MAC match filter
Message-ID: <83AB0942FD087D499DF2DD5CEE1B6133019EC6CE@cacexc06.americas.cpqcorp.net>

Hi,

I am currently using TC for setting up user MAC based filters, and I am seeing a problem when I try to assign different priorities to the MAC match filter apart from the root qdisc and parent class.

Here is my script.

/*****************************************************/

First of all I create the qdisc and class based on priority 2 and also the hash mask

tc qdisc add dev eth1 root handle 1:0 htb r2q 1
tc class add dev eth1 parent 1:0 classid 1:fffe htb rate 100mbit
tc filter add dev eth1 parent 1:0 prio 2 protocol ip u32
tc filter add dev eth1 parent 1:0 prio 2 handle ffe:0 protocol ip u32 divisor 256
tc filter add dev eth1 parent 1:0 prio 2 protocol ip u32 ht 800:: match u32 \
    0x00000800 0x0000FFFF at -4 hashkey mask 0x00ff0000 at -8 link ffe:

Then I am trying to create a MAC match filter for each user with a different priority.

User 1:

tc class add dev eth1 parent 1:fffe classid 1:140 htb rate 100mbit
tc qdisc add dev eth1 parent 1:140 handle 140:0 htb r2q 1
tc class add dev eth1 parent 140:0 classid 140:1 htb rate 100mbit
tc class add dev eth1 parent 140:0 classid 140:2 htb rate 100mbit
tc qdisc add dev eth1 parent 140:2 tbf rate 1bps burst 1 latency 50ms
tc filter add dev eth1 parent 1:0 prio 3 protocol ip u32 ht ffe:40 match u32 \
    0x000bcd59 0xffffffff at -12 match u16 0x1240 0xffff at -8 flowid 1:140

User 2:

tc class add dev eth1 parent 1:fffe classid 1:13E htb rate 100mbit
tc qdisc add dev eth1 parent 1:13E handle 13E:0 htb r2q 1
tc class add dev eth1 parent 13E:0 classid 13E:1 htb rate 100mbit
tc class add dev eth1 parent 13E:0 classid 13E:2 htb rate 100mbit
tc qdisc add dev eth1 parent 13E:2 tbf rate 1bps burst 1 latency 50ms
tc filter add dev eth1 parent 1:0 prio 4 protocol ip u32 ht ffe:3E match u32 \
    0x000bcd59 0xffffffff at -12 match u16 0x123E 0xffff at -8 flowid 1:13E

/* test ends here */

Output from tc:

~ # tc qdisc show dev eth1
qdisc htb 1: r2q 1 default 0 direct_packets_stat 193
qdisc htb 140: parent 1:140 r2q 1 default 0 direct_packets_stat 0
qdisc tbf 8001: parent 140:2 rate 8bit burst 0b lat 1us
qdisc htb 13e: parent 1:13e r2q 1 default 0 direct_packets_stat 0
qdisc tbf 8002: parent 13e:2 rate 8bit burst 0b lat 1us

The output from tc when I type "tc filter show dev eth1" is as shown below:

~ # tc filter show dev eth1
filter parent 1: protocol ip pref 2 u32
filter parent 1: protocol ip pref 2 u32 fh ffe: ht divisor 256
filter parent 1: protocol ip pref 2 u32 fh ffe:3e:800 order 2048 key ht ffe bkt 3e flowid 1:13e
  match 000bcd59/ffffffff at -12
  match 123e0000/ffff0000 at -8
filter parent 1: protocol ip pref 2 u32 fh ffe:40:800 order 2048 key ht ffe bkt 40 flowid 1:140
  match 000bcd59/ffffffff at -12
  match 12400000/ffff0000 at -8
filter parent 1: protocol ip pref 2 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 2 u32 fh 800::800 order 2048 key ht 800 bkt 0
  link ffe:
  match 00000800/0000ffff at -4
  hash mask 00ff0000 at -8
filter parent 1: protocol ip pref 3 u32
filter parent 1: protocol ip pref 3 u32 fh 801: ht divisor 1
filter parent 1: protocol ip pref 4 u32
filter parent 1: protocol ip pref 4 u32 fh 802: ht divisor 1

Note: Here the priority given to the MAC match filters is not assigned properly.

I am currently using Linux kernel 2.4.30.

Could any one of you help me out on this.

Thanks
Swami
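The `tc filter show` output above already explains what happened: the per-user entries are listed under "pref 2" because they were inserted into hash table ffe:, which was created at prio 2, while the "prio 3" and "prio 4" commands only created empty u32 instances (801: and 802:). The script below is an added example, not the poster's script, that keeps every entry at the table's own priority and derives the bucket and the match words from a full source MAC instead of hand-coding them. It keeps the page's layout (eth1, table ffe: with 256 buckets, `hashkey mask 0x00ff0000 at -8`); the MACs, class ids and rates are constructed, and DRY_RUN=1 (the default) prints the commands instead of running them.

```sh
#!/bin/sh
# Added example, not the poster's script: per-user HTB classes selected by a
# u32 hash table keyed on the source MAC.  The table and every entry added
# into it live at one filter priority (the one the table was created with).
# Assumptions: eth1 is the egress device, the table is ffe: with 256 buckets
# and the key byte is the second byte of the source MAC (hashkey mask
# 0x00ff0000 at -8), as on the page; MACs, class ids and rates are made up.
# DRY_RUN=1 (default) prints the commands instead of running them.

DEV="${DEV:-eth1}"
HT=ffe     # hash table handle
PRIO=2     # priority the table was created with; entries must use the same

run() { if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# mac_hex aa:bb:cc:dd:ee:ff -> aabbccddeeff (lower case)
mac_hex() { printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f'; }

# mac_bucket <mac>: bucket chosen by "hashkey mask 0x00ff0000 at -8".
# On Ethernet the source MAC sits at offsets -8..-3 from the IP header, so
# the u32 at -8 holds its first four bytes and the mask keeps byte 2.
mac_bucket() { mac_hex "$1" | cut -c3-4; }

# mac_src_match <mac>: u32 keys matching the whole 6-byte source MAC
mac_src_match() {
    h=$(mac_hex "$1")
    printf 'match u32 0x%s 0xffffffff at -8 match u16 0x%s 0xffff at -4' \
        "$(printf '%s' "$h" | cut -c1-8)" "$(printf '%s' "$h" | cut -c9-12)"
}

# hash_setup: root qdisc, parent class, the 256-bucket table and the link
# into it (IP over Ethernet only: ethertype 0x0800 just before the IP header)
hash_setup() {
    run tc qdisc add dev "$DEV" root handle 1:0 htb r2q 1
    run tc class add dev "$DEV" parent 1:0 classid 1:fffe htb rate 100mbit
    run tc filter add dev "$DEV" parent 1:0 prio $PRIO handle $HT:0 protocol ip u32 divisor 256
    run tc filter add dev "$DEV" parent 1:0 prio $PRIO protocol ip u32 ht 800:: \
        match u32 0x00000800 0x0000ffff at -4 hashkey mask 0x00ff0000 at -8 link $HT:
}

# user_class <mac> <minor> <rate>: one class per user plus its hashed filter.
# $(mac_src_match ...) is deliberately unquoted so its words become arguments.
user_class() {
    run tc class add dev "$DEV" parent 1:fffe classid "1:$2" htb rate "$3"
    run tc filter add dev "$DEV" parent 1:0 prio $PRIO protocol ip u32 \
        ht "$HT:$(mac_bucket "$1")" $(mac_src_match "$1") flowid "1:$2"
}

hash_setup
user_class 12:40:00:0b:cd:59 140 10mbit    # constructed MACs
user_class 12:3e:00:0b:cd:59 13e 10mbit
```

If users really must be ordered relative to each other, put them in different hash tables created at different prios rather than giving a different prio to an entry that goes into an existing table.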
From: karl at klxsystems.net (karl@klxsystems.net)
Date: Sat Oct 29 02:16:46 2005
Subject: [LARTC] Mangling TOS, or Precedence/SecurityOpts/Compartment?
Message-ID: <2290.66.125.65.130.1130545006.squirrel@www.klxsystems.net>

Hi there LARTC,

We are running a set of three systems for semiconductor technology, and would like to finalize our work in getting them to interoperate properly, but have run into some issues that touch on the very fabric of TCP/IP expertise. Iptables has already been used to solve "part of this"; can we somehow use Diffserv capabilities to achieve the aim of modifying packets such that the "invisible" machine stays "invisible"?

The three systems consist of:

System #1: Chip fabrication "tool" running std. TCP Server, using port 5000
System #2: Controller machine, running standard TCP Client, using port 5000
System #3: "Invisible" Analysis machine running Fedora Core 4, and analysis software

To see the drawing: http://www.klxsystems.net/pics/Analysis.html

The "Tool Server" and the "Controller Machine" typically only communicate with one another over a standard tcp connection, in single mode. For the purposes of analysis, a third "Invisible" Analysis machine is placed between Systems #1 and 2, and is cabled as shown in Figure 1. It has two Ethernet ports, and in general acts like a "bridge" in that it possesses a "Bypass Card", which allows the Tool Server and the Controller Machine to pass traffic through its two Ethernet ports. One of the features of the Bypass card it contains is that it physically shunts the copper Ethernet connections together when, say, power is cut. It runs in an "unshunted" format when conducting "Analysis", and shunts the copper back together when it "hangs up". Its purpose is to sit BETWEEN the Tool and Controller machines, and intercept data they are exchanging, for analysis used to effect better performance, and then "hang up" by shunting the connection, and thus allowing the two main machines (Tool/Controller) to keep "talking" as they were prior to the "analysis" machine intervening.

Our problem: We need to seamlessly start and stop the second TCP Client connection the Analysis machine "invisibly" creates/terminates. The issue has been one of TCP/IP sequence numbers, "how to get them to stay the same", and not "drop" the connection per RFC 798. Using dsniff or other sequence number guessing isn't an option.

One option for part of this might be to use PF rules to allow a change of the source ip address of the packets going from the analysis machine towards the tool server. Or to change the "precedence/securityopts/compartment" fields by using PF as well. (I posted to the PF list to ask about the details of commands/flags/features, but some of this is beyond PF.) Is there diffserv/iproute functionality that would help with the below question from an openbsd networking standpoint? Perhaps it's yet another list someone might know of, or one of the gods here will have some input from on high.

Question: how do we get the Analysis machine to invisibly connect, and disconnect, without violating RFC 798?

There are several RFCs that point to Differentiated Service field manipulations, using tools like iproute2, but those never went into ways to actually MODIFY the "Precedence, Security Option, and/or Compartment" fields in an IP header from what we could tell. The RFC that led us to this information stated:

  With the advent of DiffServ, intermediate nodes may modify the Differentiated Services Codepoint (DSCP) [RFC2474] of the IP header to indicate the desired Per-hop Behavior (PHB) [RFC2475, RFC2597, RFC2598]. The DSCP includes the three bits formerly known as the precedence field. Because any modification to those three bits will be considered illegal by endpoints that are precedence-aware, they may cause failures in establishing connections, or may cause established connections to be reset.

Any suggestions if iproute, iptables, or other technologies would facilitate this complex type of transaction? We understand that modifying the TOS can be done at the application level, as stated by RFC 2873, but for these other fields it's still vague as to what we can utilize.

-karlski

From: gdamjan at mail.net.mk (Damjan)
Date: Sat Oct 29 04:26:27 2005
Subject: [LARTC] Traffic control of PPPoE users
Message-ID: <20051029022621.GA14362@legolas.on.net.mk>

I need some suggestions. I want to limit the up and down bandwidth of PPPoE users that are terminated on a Linux router (kernel 2.6).

What are my options, can I apply tbf qdisc on a ppp interface? That would limit the download, what about the upload?

Any suggestions are welcome.

--
damjan
This is my jabber ID --> damjan@bagra.net.mk <-- not my mail address!!!
From: romary.sonrier at free.fr (Romary Sonrier)
Date: Sat Oct 29 10:58:28 2005
Subject: [LARTC] Traffic control of PPPoE users
In-Reply-To: <20051029022621.GA14362@legolas.on.net.mk>
References: <20051029022621.GA14362@legolas.on.net.mk>
Message-ID: <200510291058.25234.romary.sonrier@free.fr>

Hello Damjan,

If you use PPPoE with a DSL modem in bridge mode (RFC 1483 BRIDGED) in order to terminate a ppp tunnel on a linux box, it will not be easy to achieve QoS on the upload side.

I was trying to do such a thing a few weeks ago, but I noticed that all QoS algorithms under linux are made to work if the network device (for instance ppp0) is able to give the accurate time needed to transmit each packet. And it is not the case for a ppp device: all the packets will pass through your QoS because all queues created with tc will be empty: when a packet arrives on the upload side on your ppp0, then pppd and the ppp kernel stuff will add an 8bits header (needed for pppoe) and send it a few microseconds after your packet on the ethernet device associated with the pppoe session. As the queue of the QoS will almost always be empty, the QoS on ppp0 won't work, because a QoS algorithm needs to make a choice between different classes of packet.

By the way, you should notice that the queue of your modem will be full and that QoS should be made on the modem with pppoe, not on the linux box.

I have made many tests with as simple an algorithm as PRIO, as with HTB and HFSC, with slow ADSL links at 128kbit/s or 256kbit/s on the upload side.

In fact, all I said is true if you want to be able to do an almost perfect QoS, and if you want to have a jitter (generated by the pppoe link) of less than 100ms. In my case I was willing to get less than 20ms over pppoe, for VoIP (MGCP/SIP) applications, and I failed with the linux algorithms. If 100ms is good for you try HFSC, with the rt option, it will be fine.

bye

On Saturday 29 October 2005 04:26, Damjan wrote:
> I need some suggestions, I want to limit the up and down bandwidth of PPPoE
> users that are terminated on a Linux router (kernel 2.6).
>
> What are my options, can I apply tbf qdisc on a ppp interface? That
> would limit the download, what about the upload?
>
> Any suggestions are welcome

From: bartek at go3.pl (Bartosz)
Date: Sun Oct 30 12:21:57 2005
Subject: [LARTC] FWMARK ROUTING OVER MULTIPLE ROUTERS/LANS
Message-ID: <200510301225.21547.bartek@go3.pl>

I would like to route ssh in my network via DSL2 and all other traffic via DSL1. So far I managed to do it for LAN2 but there are still WLAN1, LAN3 and LAN1 to go. On all routers I added table "pilicka" with a rule for fwmark and I fwmarked ssh.

# ip rule show
0:      from all lookup local
32765:  from all fwmark 0x3 lookup pilicka
32766:  from all lookup main
32767:  from all lookup default

# iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       tcp  --  anywhere             anywhere            tcp spt:ssh MARK set 0x3
MARK       tcp  --  anywhere             anywhere            tcp dpt:ssh MARK set 0x3

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Routing for the pilicka table is the same as for the main table except the default gw on all routers. The network is set to work with DSL1 and it is working.

modem DSL1                          modem DSL2
    |                                   |
    |                                   |
[eth0] R1 [eth1]                 [eth1] R4 [eth0]
          \                             /
          LAN1                       LAN2
            \                         /
     [eth0] R2 [ra0] -------- [ra0] R3 [eth0] [ra1]
                                                |
                                                |
                                  Access point -- WLAN1
                                                |
                                                |
                                 [ra0] R5 [eth0] -- LAN3
From: rvokal at redhat.com (Radek Vokál)
Date: Mon Oct 31 09:00:39 2005
Subject: [LARTC] ip tunnel doesn't show warning or error
Message-ID: <1130745593.3368.24.camel@localhost.localdomain>

This is really strange behavior ..

root@garfield ~# ip tunnel add testing123 mode ipip remote 192.168.1.1 local 192.168.1.12
root@garfield ~# ip tunnel show
..
testing123: ip/ip remote 192.168.1.1 local 192.168.1.12 ttl inherit
root@garfield ~# ip tunnel add testingabc mode ipip remote 192.168.1.1 local 192.168.1.12
root@garfield ~# echo $?
0
root@garfield ~# ip tunnel show
..
testing123: ip/ip remote 192.168.1.1 local 192.168.1.12 ttl inherit

I guess the second tunnel add should end up with an error, but ioctl doesn't report anything on this ..

--
Radek Vokál
From: rvokal at redhat.com (Radek =?ISO-8859-1?Q?Vok=E1l?=) Date: Mon Oct 31 11:09:16 2005 Subject: [LARTC] ip tunnel doesn't show warning or error In-Reply-To: <1130745593.3368.24.camel@localhost.localdomain> References: <1130745593.3368.24.camel@localhost.localdomain> Message-ID: <1130753312.3368.30.camel@localhost.localdomain> On Mon, 2005-10-31 at 08:59 +0100, Radek Vok?l wrote: > This is really strange behavior .. > > root@garfield ~# ip tunnel add testing123 mode ipip remote 192.168.1.1 > local 192.168.1.12 > root@garfield ~# ip tunnel show > .. > testing123: ip/ip remote 192.168.1.1 local 192.168.1.12 ttl inherit > root@garfield ~# ip tunnel add testingabc mode ipip remote 192.168.1.1 > local 192.168.1.12 > root@garfield ~# echo $? > 0 > root@garfield ~# ip tunnel show > .. > testing123: ip/ip remote 192.168.1.1 local 192.168.1.12 ttl inherit > > I guess the second tunnel add should end up with an error, but ioctl > doesn't report anything on this .. > Here's small patch to show at least some warning --- iproute2-051007/ip/iptunnel.c.old 2005-02-10 19:31:18.000000000 +0100 +++ iproute2-051007/ip/iptunnel.c 2005-10-31 11:03:04.000000000 +0100 @@ -130,7 +130,8 @@ static int do_add_ioctl(int cmd, const c struct ifreq ifr; int fd; int err; - + char old_name[IFNAMSIZ]; + strncpy(old_name,p->name,IFNAMSIZ); if (cmd == SIOCCHGTUNNEL && p->name[0]) strncpy(ifr.ifr_name, p->name, IFNAMSIZ); else 
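Review bot: the copy into `old_name` at the top of `do_add_ioctl` runs for every command, but only the SIOCADDTUNNEL path needs it, and the comparison it feeds will also fire on a perfectly good add when the caller gave no name and the kernel fills in a generated one. Take the snapshot only when `cmd == SIOCADDTUNNEL && p->name[0]`, and since `strncpy(old_name, p->name, IFNAMSIZ)` leaves `old_name` unterminated when the name fills all IFNAMSIZ bytes, either use `memcpy` with a bounded `strncmp` (as hunk 2 does) or terminate it explicitly (`old_name[IFNAMSIZ - 1] = 0;`). The hunk also drops the blank line that separated the declarations from the first statement.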
@@ -138,6 +139,10 @@ static int do_add_ioctl(int cmd, const c ifr.ifr_ifru.ifru_data = (void*)p; fd = socket(AF_INET, SOCK_DGRAM, 0); err = ioctl(fd, cmd, &ifr); + if (strncmp(ifr.ifr_data,old_name,IFNAMSIZ)) { + fprintf(stderr,"Warning: Tunnel already exists (% s)\n",ifr.ifr_data); + } if (err) perror("ioctl"); close(fd);

--
Radek Vokál

From: talk2ram at gmail.com (ram)
Date: Mon Oct 31 17:02:13 2005
Subject: [LARTC] Load balance with Multiple Links
Message-ID:

Hi

I have read all the docs and tried to deploy load balancing and QoS using my 4 links (DSL links).

My setup looks like below

LAN ---- Local IP ---- Connected to Linux Box Eth1
Eth5 -- connected to one DSL1
Eth4 -- connected to one DSL2
Eth3 -- connected to one DSL3
Eth2 -- connected to one DSL4

I am marking them in PREROUTING randomly and putting them in a table and SNATing at POSTROUTING. I am able to achieve this with 2 links without any problem and am making my own script to work as a daemon to check the link status and keep changing the markings.

Now the problem: when I add 2+2 more links I could not understand how I can do that, and how I can mark them. Could someone guide me, and also make some bandwidth allocation for some IPs where required to be high priority.

ram
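Review bot: the new check in the second hunk runs even when `ioctl()` failed, in which case the kernel never wrote the parameters back, and it only prints a warning while `err` stays 0, so `ip tunnel add` still exits 0, which is the very symptom reported. Guard it with `if (!err && cmd == SIOCADDTUNNEL)`, compare `p->name` directly instead of `ifr.ifr_data` (that cast only works because `name` is the first member of `struct ip_tunnel_parm`), and turn the condition into an error (`err = -1;` after the `fprintf`, or set `errno = EEXIST` and fall through to the `perror`) so scripts can detect it. The format string `"(% s)"` also has a stray space inside the conversion and should read `"(%s)"`.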
From: storm at tux.org (Bradley Alexander)
Date: Mon Oct 31 23:57:11 2005
Subject: [LARTC] IProute2 and netfilter interactions
Message-ID: <200510311756.25732.storm@tux.org>

I am trying to build a firewall and from my reading of the list archives and other places, I'm worried about unintended interactions between iptables and iproute2. Here is my situation.

I have an internal network on eth0 and two separate DMZs on eth1 and eth2 respectively (a wireless network and a kiosk). On the outbound side, I have a cablemodem provider and a DSL provider. What I need is to set up routing such that the internal network goes out on the DSL, while the DMZs go out on the cablemodem.

What would be the best approach to this configuration? Will there be any unforeseen interactions between iproute and iptables?

Thanks,
--
--Brad
========================================================================
Bradley M. Alexander | IA Analyst, SysAdmin, Security Engineer | storm [at] tux.org
========================================================================
Key fingerprints:
DSA 0x54434E65: 37F6 BCA6 621D 920C E02E E3C8 73B2 C019 5443 4E65
RSA 0xC3BCBA91: 3F 0E 26 C1 90 14 AD 0A C8 9C F0 93 75 A0 01 34
========================================================================
Why do they put Braille dots on the keypad of the drive-up ATM?
From: dennis at loop.com.tw (Nai-Hsien)
Date: Tue Nov 1 11:21:49 2005
Subject: [LARTC] PowerPC can not accurately run HTB
Message-ID: <014501c5dece$0376be30$0102000a@loop.com.tw>

I am running HTB on a PowerPC platform and using the following script to do rate limiting. When I set the rate of class 1:11 lower than 4mbit, I can get a traffic rate close to the setting. However, if I set the rate higher than 4mbit, I will get much lower bandwidth (roughly 4.5mbit) than the setting, no matter how big the setting is. To verify the script, I ran it on a PC and then I got the correct result. Could anybody give me some hints? Thank you

Dennis

tc qdisc add dev wan1 root handle 1: htb default 10
tc class add dev wan1 parent 1: classid 1:1 htb rate 100mbit
tc class add dev wan1 parent 1:1 classid 1:10 htb rate 1mbit ceil 2mbit
tc class add dev wan1 parent 1:1 classid 1:11 htb rate 8mbit ceil 8mbit
tc filter add dev wan1 protocol ip parent 1: u32 match ip dst 11.1.1.1 flowid 1:11
From: talk2ram at gmail.com (ram)
Date: Tue Nov 1 14:13:39 2005
Subject: [LARTC] Load balance with Multiple Links
In-Reply-To:
References:
Message-ID:

Hi

I have read all the docs and tried to deploy load balancing and QoS using my 4 links (DSL links).

My setup looks like below

LAN ---- Local IP ---- Connected to Linux Box Eth1
Eth5 -- connected to one DSL1
Eth4 -- connected to one DSL2
Eth3 -- connected to one DSL3
Eth2 -- connected to one DSL4

I am marking them in PREROUTING randomly and putting them in a table and SNATing at POSTROUTING. I am able to achieve this with 2 links without any problem and am making my own script to work as a daemon to check the link status and keep changing the markings.

Now the problem: when I add 2+2 more links I could not understand how I can do that, and how I can mark them. Could someone guide me, and also make some bandwidth allocation for some IPs where required to be high priority.

ram
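The multi-uplink questions in this thread (jason's multipath route and Edmundo's reply that each interface needs its own table, Bartosz's fwmark rule for ssh, Brad's internal-LAN-via-DSL and DMZ-via-cable split, and ram's four marked-and-SNATed DSL links) all come down to the same three pieces of policy routing. The script below is an added example and not from any of those messages: a routing table per uplink selected by source address, source-subnet and fwmark rules that pin a LAN or a protocol to one uplink, and a weighted multipath default for the rest. Every address, interface name, table number and the mark value 0x3 are constructed; DRY_RUN=1 (the default) prints the commands instead of executing them. Two caveats the replies touch on: the 2.4/2.6 kernels of the thread cached the multipath choice per destination in the route cache (hence the `ip route flush cache` loop), whereas the cache was removed in kernel 3.6 and kernels 4.4 and later pick the next hop by flow hash; and the `equalize` per-packet option needs a kernel patch that never went mainline.

```sh
#!/bin/sh
# Added example, not from the thread.  Policy routing for a gateway with
# several uplinks: a table per uplink (replies leave on the link they came
# in on), source and fwmark rules that pin traffic to one uplink, and a
# weighted equal-cost multipath default for everything else.
# Assumptions: all addresses, interface names, table numbers and the mark
# 0x3 are constructed; DRY_RUN=1 (default) prints instead of executing.

run() { if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# One uplink per line: name dev net local_ip gateway weight table
UPLINKS='
dsl1  eth3 10.1.1.0/24 10.1.1.2 10.1.1.1 2 101
cable eth4 10.2.2.0/24 10.2.2.2 10.2.2.1 1 102
'

# field <uplink> <column>: look up one value from UPLINKS
field() { printf '%s\n' "$UPLINKS" | awk -v n="$1" -v f="$2" '$1 == n { print $f }'; }

# uplink_cmds: a table per uplink with its own default route, selected by
# source address so packets from that uplink's address always use it
uplink_cmds() {
    printf '%s\n' "$UPLINKS" | while read -r name dev net ip gw w tbl; do
        [ -n "$name" ] || continue
        run ip route add "$net" dev "$dev" src "$ip" table "$tbl"
        run ip route add default via "$gw" dev "$dev" table "$tbl"
        run ip rule add from "$ip" table "$tbl" pref 100
    done
}

# policy_cmds: internal LAN via dsl1, both DMZs via cable, ssh via dsl1
# whatever its source.  fwmarks exist only inside this host, so on a chain
# of routers every hop has to mark the packet itself.
policy_cmds() {
    run ip rule add fwmark 0x3 table "$(field dsl1 7)" pref 150
    run ip rule add from 192.168.0.0/24 table "$(field dsl1 7)" pref 200
    run ip rule add from 192.168.1.0/24 table "$(field cable 7)" pref 200
    run ip rule add from 192.168.2.0/24 table "$(field cable 7)" pref 200
    # Mark forwarded and locally generated ssh.  CONNMARK keeps a connection
    # on the uplink it started on, which SNAT over several uplinks requires.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 0x3
    run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
    run iptables -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark 0x3
}

# multipath_cmds: weighted multipath default in the main table for traffic
# no rule has pinned.  Kernels 4.4+ choose the next hop per flow; the 2.4/2.6
# route cache kept the first choice per destination until it expired.
multipath_cmds() {
    set -- $(printf '%s\n' "$UPLINKS" |
        awk 'NF { printf "nexthop via %s dev %s weight %s ", $5, $2, $6 }')
    run ip route replace default scope global "$@"
    run ip route flush cache   # no-op since 3.6; needed on the kernels of the thread
}

uplink_cmds
policy_cmds
multipath_cmds
```

Rule order matters: the per-uplink source rules (pref 100) come first so a reply from one uplink's address never leaves through the other, then the fwmark rule (150), then the per-subnet rules (200), and only traffic matching none of them reaches the multipath default in main.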
From: gregoriandres at yahoo.com.ar (LinuXKiD) Date: Tue Nov 1 15:47:12 2005 Subject: [LARTC] ADSL-Bandwidth-Management-HOWTO Message-ID:
Hi,

I've read the ADSL-Bandwidth-Management-HOWTO
http://www.tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/implementation.html#AEN166
and I have a doubt about this part of the script:

[ ... ]
# DNS name resolution (small packets)
iptables -t mangle -A MYSHAPER-OUT -p udp -j MARK --set-mark 21
[ ... ]

Is that a bug? I think that "DNS name resolution (small packets)" is better matched with:

# DNS name resolution (small packets)
iptables -t mangle -A MYSHAPER-OUT -p udp --dport 53 -j MARK --set-mark 21
iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 53 -j MARK --set-mark 21

ORIGINAL AND COMPLETE SCRIPT IS HERE:

#!/bin/bash
#
# myshaper - DSL/Cable modem outbound traffic shaper and prioritizer.
# Based on the ADSL/Cable wondershaper (www.lartc.org)
#
# Written by Dan Singletary (8/7/02)
#
# NOTE!! - This script assumes your kernel has been patched with the
# appropriate HTB queue and IMQ patches available here:
# (subnote: future kernels may not require patching)
#
# http://luxik.cdi.cz/~devik/qos/htb/
# http://luxik.cdi.cz/~patrick/imq/
#
# Configuration options for myshaper:
# DEV    - set to ethX that connects to DSL/Cable Modem
# RATEUP - set this to slightly lower than your
#          outbound bandwidth on the DSL/Cable Modem.
#          I have a 1500/128 DSL line and setting
#          RATEUP=90 works well for my 128kbps upstream.
#          However, your mileage may vary.
# RATEDN - set this to slightly lower than your
#          inbound bandwidth on the DSL/Cable Modem.
#
#
# Theory on using imq to "shape" inbound traffic:
#
# It's impossible to directly limit the rate of data that will
# be sent to you by other hosts on the internet. In order to shape
# the inbound traffic rate, we have to rely on the congestion avoidance
# algorithms in TCP. Because of this, WE CAN ONLY ATTEMPT TO SHAPE
# INBOUND TRAFFIC ON TCP CONNECTIONS. This means that any traffic that
# is not tcp should be placed in the high-prio class, since dropping
# a non-tcp packet will most likely result in a retransmit which will
# do nothing but unnecessarily consume bandwidth.
# We attempt to shape inbound TCP traffic by dropping tcp packets
# when they overflow the HTB queue which will only pass them on at
# a certain rate (RATEDN) which is slightly lower than the actual
# capability of the inbound device. By dropping TCP packets that
# are over-rate, we are simulating the same packets getting dropped
# due to a queue-overflow on our ISP's side. The advantage of this
# is that our ISP's queue will never fill because TCP will slow its
# transmission rate in response to the dropped packets in the assumption
# that it has filled the ISP's queue, when in reality it has not.
# The advantage of using a priority-based queuing discipline is
# that we can specifically choose NOT to drop certain types of packets
# that we place in the higher priority buckets (ssh, telnet, etc). This
# is because packets will always be dequeued from the lowest priority class
# with the stipulation that packets will still be dequeued from every
# class fairly at a minimum rate (in this script, each bucket will deliver
# at least its fair share of 1/7 of the bandwidth).
#
# Reiterating main points:
# * Dropping a tcp packet on a connection will lead to a slower rate
#   of reception for that connection due to the congestion avoidance algorithm.
# * We gain nothing from dropping non-TCP packets. In fact, if they
#   were important they would probably be retransmitted anyways so we want to
#   try to never drop these packets. This means that saturated TCP connections
#   will not negatively affect protocols that don't have a built-in retransmit like TCP.
# * Slowing down incoming TCP connections such that the total inbound rate is less
#   than the true capability of the device (ADSL/Cable Modem) SHOULD result in little
#   to no packets being queued on the ISP's side (DSLAM, cable concentrator, etc). Since
#   these ISP queues have been observed to queue 4 seconds of data at 1500Kbps or 6 megabits
#   of data, having no packets queued there will mean lower latency.
#
# Caveats (questions posed before testing):
# * Will limiting inbound traffic in this fashion result in poor bulk TCP performance?
#   - Preliminary answer is no! Seems that by prioritizing ACK packets (small <64b)
#     we maximize throughput by not wasting bandwidth on retransmitted packets
#     that we already have.
#
# NOTE: The following configuration works well for my
# setup: 1.5M/128K ADSL via Pacific Bell Internet (SBC Global Services)

DEV=eth0
RATEUP=90
RATEDN=700 # Note that this is significantly lower than the capacity of 1500.
           # Because of this, you may not want to bother limiting inbound traffic
           # until a better implementation such as TCP window manipulation can be used.

#
# End Configuration Options
#

if [ "$1" = "status" ]
then
  echo "[qdisc]"
  tc -s qdisc show dev $DEV
  tc -s qdisc show dev imq0
  echo "[class]"
  tc -s class show dev $DEV
  tc -s class show dev imq0
  echo "[filter]"
  tc -s filter show dev $DEV
  tc -s filter show dev imq0
  echo "[iptables]"
  iptables -t mangle -L MYSHAPER-OUT -v -x 2> /dev/null
  iptables -t mangle -L MYSHAPER-IN -v -x 2> /dev/null
  exit
fi

# Reset everything to a known state (cleared)
tc qdisc del dev $DEV root 2> /dev/null > /dev/null
tc qdisc del dev imq0 root 2> /dev/null > /dev/null
iptables -t mangle -D POSTROUTING -o $DEV -j MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -F MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -X MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -D PREROUTING -i $DEV -j MYSHAPER-IN 2> /dev/null > /dev/null
iptables -t mangle -F MYSHAPER-IN 2> /dev/null > /dev/null
iptables -t mangle -X MYSHAPER-IN 2> /dev/null > /dev/null
ip link set imq0 down 2> /dev/null > /dev/null
rmmod imq 2> /dev/null > /dev/null

if [ "$1" = "stop" ]
then
  echo "Shaping removed on $DEV."
  exit
fi

###########################################################
#
# Outbound Shaping (limits total bandwidth to RATEUP)

# set queue size to give latency of about 2 seconds on low-prio packets
ip link set dev $DEV qlen 30

# changes mtu on the outbound device. Lowering the mtu will result
# in lower latency but will also cause slightly lower throughput due
# to IP and TCP protocol overhead.
ip link set dev $DEV mtu 1000

# add HTB root qdisc
tc qdisc add dev $DEV root handle 1: htb default 26

# add main rate limit classes
tc class add dev $DEV parent 1: classid 1:1 htb rate ${RATEUP}kbit

# add leaf classes - We grant each class at LEAST its "fair share" of bandwidth.
# this way no class will ever be starved by another class. Each
# class is also permitted to consume all of the available bandwidth
# if no other classes are in use.
tc class add dev $DEV parent 1:1 classid 1:20 htb rate $[$RATEUP/7]kbit ceil ${RATEUP}kbit prio 0
tc class add dev $DEV parent 1:1 classid 1:21 htb rate $[$RATEUP/7]kbit ceil ${RATEUP}kbit prio 1
tc class add dev $DEV parent 1:1 classid 1:22 htb rate $[$RATEUP/7]kbit ceil ${RATEUP}kbit prio 2
tc class add dev $DEV parent 1:1 classid 1:23 htb rate $[$RATEUP/7]kbit ceil ${RATEUP}kbit prio 3
tc class add dev $DEV parent 1:1 classid 1:24 htb rate $[$RATEUP/7]kbit ceil ${RATEUP}kbit prio 4
tc class add dev $DEV parent 1:1 classid 1:25 htb rate $[$RATEUP/7]kbit ceil ${RATEUP}kbit prio 5
tc class add dev $DEV parent 1:1 classid 1:26 htb rate $[$RATEUP/7]kbit ceil ${RATEUP}kbit prio 6

# attach qdisc to leaf classes - here we add SFQ to each priority class. SFQ ensures that
# within each class connections will be treated (almost) fairly.
tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev $DEV parent 1:21 handle 21: sfq perturb 10
tc qdisc add dev $DEV parent 1:22 handle 22: sfq perturb 10
tc qdisc add dev $DEV parent 1:23 handle 23: sfq perturb 10
tc qdisc add dev $DEV parent 1:24 handle 24: sfq perturb 10
tc qdisc add dev $DEV parent 1:25 handle 25: sfq perturb 10
tc qdisc add dev $DEV parent 1:26 handle 26: sfq perturb 10

# filter traffic into classes by fwmark - here we direct traffic into priority class according to
# the fwmark set on the packet (we set fwmark with iptables
# later). Note that above we've set the default priority
# class to 1:26 so unmarked packets (or packets marked with
# unfamiliar IDs) will be defaulted to the lowest priority
# class.
tc filter add dev $DEV parent 1:0 prio 0 protocol ip handle 20 fw flowid 1:20
tc filter add dev $DEV parent 1:0 prio 0 protocol ip handle 21 fw flowid 1:21
tc filter add dev $DEV parent 1:0 prio 0 protocol ip handle 22 fw flowid 1:22
tc filter add dev $DEV parent 1:0 prio 0 protocol ip handle 23 fw flowid 1:23
tc filter add dev $DEV parent 1:0 prio 0 protocol ip handle 24 fw flowid 1:24
tc filter add dev $DEV parent 1:0 prio 0 protocol ip handle 25 fw flowid 1:25
tc filter add dev $DEV parent 1:0 prio 0 protocol ip handle 26 fw flowid 1:26

# add MYSHAPER-OUT chain to the mangle table in iptables - this sets up the table we'll use
# to filter and mark packets.
iptables -t mangle -N MYSHAPER-OUT
iptables -t mangle -I POSTROUTING -o $DEV -j MYSHAPER-OUT

# add fwmark entries to classify different types of traffic - Set fwmark from 20-26 according to
# desired class. 20 is highest prio. (MARK does not end rule traversal, so a later
# matching rule overrides the mark set by an earlier one.)
iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 0:1024 -j MARK --set-mark 23 # Default for low port traffic
iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 0:1024 -j MARK --set-mark 23 # ""
iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 20 -j MARK --set-mark 26 # ftp-data port, low prio
iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 5190 -j MARK --set-mark 23 # aol instant messenger
iptables -t mangle -A MYSHAPER-OUT -p icmp -j MARK --set-mark 20 # ICMP (ping) - high prio, impress friends
iptables -t mangle -A MYSHAPER-OUT -p udp -j MARK --set-mark 21 # DNS name resolution (small packets)
iptables -t mangle -A MYSHAPER-OUT -p tcp --dport ssh -j MARK --set-mark 22 # secure shell
iptables -t mangle -A MYSHAPER-OUT -p tcp --sport ssh -j MARK --set-mark 22 # secure shell
iptables -t mangle -A MYSHAPER-OUT -p tcp --dport telnet -j MARK --set-mark 22 # telnet (ew...)
iptables -t mangle -A MYSHAPER-OUT -p tcp --sport telnet -j MARK --set-mark 22 # telnet (ew...)
iptables -t mangle -A MYSHAPER-OUT -p ipv6-crypt -j MARK --set-mark 24 # IPSec (ESP) - we don't know what the payload is though...
iptables -t mangle -A MYSHAPER-OUT -p tcp --sport http -j MARK --set-mark 25 # Local web server
iptables -t mangle -A MYSHAPER-OUT -p tcp -m length --length :64 -j MARK --set-mark 21 # small packets (probably just ACKs)
iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 26 # redundant- mark any unmarked packets as 26 (low prio)

# Done with outbound shaping
#
####################################################

echo "Outbound shaping added to $DEV. Rate: ${RATEUP}Kbit/sec."

# uncomment following line if you only want upstream shaping.
# exit

####################################################
#
# Inbound Shaping (limits total bandwidth to RATEDN)

# make sure imq module is loaded
modprobe imq numdevs=1
ip link set imq0 up

# add qdisc - default low-prio class 1:21
tc qdisc add dev imq0 handle 1: root htb default 21

# add main rate limit classes
tc class add dev imq0 parent 1: classid 1:1 htb rate ${RATEDN}kbit

# add leaf classes - TCP traffic in 21, non TCP traffic in 20
#
tc class add dev imq0 parent 1:1 classid 1:20 htb rate $[$RATEDN/2]kbit ceil ${RATEDN}kbit prio 0
tc class add dev imq0 parent 1:1 classid 1:21 htb rate $[$RATEDN/2]kbit ceil ${RATEDN}kbit prio 1

# attach qdisc to leaf classes - SFQ on the high-prio class so connections within it are
# treated (almost) fairly, RED on the bulk TCP class so drops start early and spread out.
tc qdisc add dev imq0 parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev imq0 parent 1:21 handle 21: red limit 1000000 min 5000 max 100000 avpkt 1000 burst 50

# filter traffic into classes by fwmark - here we direct traffic into priority class according to
# the fwmark set on the packet (we set fwmark with iptables
# later). Note that above we've set the default priority
# class to 1:21 so unmarked packets (or packets marked with
# unfamiliar IDs) will be defaulted to the lowest priority
# class.
tc filter add dev imq0 parent 1:0 prio 0 protocol ip handle 20 fw flowid 1:20
tc filter add dev imq0 parent 1:0 prio 0 protocol ip handle 21 fw flowid 1:21

# add MYSHAPER-IN chain to the mangle table in iptables - this sets up the table we'll use
# to filter and mark packets.
iptables -t mangle -N MYSHAPER-IN
iptables -t mangle -I PREROUTING -i $DEV -j MYSHAPER-IN

# add fwmark entries to classify different types of traffic - Set fwmark 20 or 21 according to
# desired class. 20 is highest prio.
iptables -t mangle -A MYSHAPER-IN -p ! tcp -j MARK --set-mark 20 # Set non-tcp packets to highest priority
iptables -t mangle -A MYSHAPER-IN -p tcp -m length --length :64 -j MARK --set-mark 20 # short TCP packets are probably ACKs
iptables -t mangle -A MYSHAPER-IN -p tcp --dport ssh -j MARK --set-mark 20 # secure shell
iptables -t mangle -A MYSHAPER-IN -p tcp --sport ssh -j MARK --set-mark 20 # secure shell
iptables -t mangle -A MYSHAPER-IN -p tcp --dport telnet -j MARK --set-mark 20 # telnet (ew...)
iptables -t mangle -A MYSHAPER-IN -p tcp --sport telnet -j MARK --set-mark 20 # telnet (ew...)
iptables -t mangle -A MYSHAPER-IN -m mark --mark 0 -j MARK --set-mark 21 # redundant- mark any unmarked packets as 21 (low prio)

# finally, instruct these packets to go through the imq0 we set up above
iptables -t mangle -A MYSHAPER-IN -j IMQ

# Done with inbound shaping
#
####################################################

echo "Inbound shaping added to $DEV. Rate: ${RATEDN}Kbit/sec."

--
Andres Gregori
Linux Support Services
linux@dimensionip.com.ar
291 15 4041973
From eantoranz at gmail.com Tue Nov 1 16:12:20 2005
From: eantoranz at gmail.com (Edmundo Carmona) Date: Tue Nov 1 16:12:24 2005 Subject: [LARTC] IProute2 and netfilter interactions In-Reply-To: <200510311756.25732.storm@tux.org> References: <200510311756.25732.storm@tux.org> Message-ID: <65aa6af90511010712h7b9c94d6u226251c804783bbc@mail.gmail.com>
Separate routing tables.... and you can make routing decisions based on DMZ network segments.... or firewall marks, so that packets that come from segment X use a routing table that has route Y as its default GW. ;-)

That would do.

On 10/31/05, Bradley Alexander wrote:
> I am trying to build a firewall and from my reading of the list archives and
> other places, I'm worried about unintended interactions between iptables and
> iproute2. Here is my situation
>
> I have an internal network on eth0 and two separate dmzs on eth1 and eth2
> respectively (a wireless network and a kiosk). On the outbound side, I have a
> cablemodem provider and a dsl provider. What I need is to set up routing such
> that the internal network goes out on the dsl, while the dmzs go out on the
> cablemodem.
>
> What would be the best approach to this configuration? Will there be any
> unforeseen interactions between iproute and iptables?
>
> Thanks,
> --
> --Brad
> ========================================================================
> Bradley M. Alexander |
> IA Analyst, SysAdmin, Security Engineer | storm [at] tux.org
> ========================================================================
> Key fingerprints:
> DSA 0x54434E65: 37F6 BCA6 621D 920C E02E E3C8 73B2 C019 5443 4E65
> RSA 0xC3BCBA91: 3F 0E 26 C1 90 14 AD 0A C8 9C F0 93 75 A0 01 34
> ========================================================================
> Why do they put Braille dots on the keypad of the drive-up ATM?
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
From eantoranz at gmail.com Tue Nov 1 17:54:11 2005
From: eantoranz at gmail.com (Edmundo Carmona) Date: Tue Nov 1 17:57:34 2005 Subject: [LARTC] IProute2 and netfilter interactions In-Reply-To: <200511011131.25824.storm@tux.org> References: <200510311756.25732.storm@tux.org> <65aa6af90511010712h7b9c94d6u226251c804783bbc@mail.gmail.com> <200511011131.25824.storm@tux.org> Message-ID: <65aa6af90511010854y22c480f9sed8a5a9b47a63be4@mail.gmail.com>
Well, well, well. :-) Let's see. First of all, I'll use simple iptables/ip commands to set it up according to what you have stated in your previous message. It's your homework to get it up with fwbuilder. I may have a mistake here or there... and I hope you can forgive me in that case.... here we go:

Start by adding two new routing tables in /etc/iproute2/rt_tables. Say table4 for eth4 and table5 for eth5. That is done with a text editor.. like vi or nano. Add two new routing tables and place a number for them.. there should be 3 or 4 already there... just add two more lines at the end with a number (under 250, I guess) and the name. Save and exit.

Then, let's fill them up:

ip route add default via gw4 table table4
ip route add default via gw5 table table5

(gw4 and gw5 are the gateways for each internet link).

Then.... how do we tell packets to use one interface or the other. You could mark packets in MANGLE FORWARD. Set a different fwmark for each OUTBOUND interface you want to force packets to go through.

iptables -t mangle -A FORWARD -i eth0 -j MARK --set-mark 4
iptables -t mangle -A FORWARD -i eth1 -j MARK --set-mark 5
iptables -t mangle -A FORWARD -i eth2 -j MARK --set-mark 5

(4 and 5 are just flags you are setting on those packets that will accompany them till they reach the outbound interface.. and therefore, can be used by IPROUTE on the second routing decision... yes, there will be a second routing decision, cause you are setting a FWMARK. ;)).

then.... we know that you have to use one routing table or the other according to the FWMARK they bring with them... here we go:

ip rule add fwmark 4 table table4
ip rule add fwmark 5 table table5

Here, I'm not taking into consideration packets moving from one DMZ to the other... that could be solved using iptables commands. As I said, there might be a mistake here or there... but that should work.

Good luck! Keep me posted so I know if you succeeded.

On 11/1/05, Bradley Alexander wrote:
> Thanks Edmundo,
>
> Since this is my first foray into routing this complex, I hope you will
> indulge a few (no doubt) stupid questions.
>
> First, you are, in fact, saying that I should use iproute2 to build a default
> route from eth0 to eth4 (Internal to DSL) and another set of default routes
> for eth1 and eth2 to eth5 (dmz/kiosk to cablemodem),,,And then iptables (I'm
> using fwbuilder to generate rules) will route them to the right exit
> interfaces with none of the problems of packets going out one outbound
> interface and the response coming back on the other, correct?
>
> What is the best approach to setting this up in iproute2? (I'm _completely_
> new to iproute2.)
>
> Thanks in advance,
>
> On Tuesday 01 November 2005 10:12 am, Edmundo Carmona wrote:
> > Separate routing tables.... and you can make routing decisions based
> > on DMZ network segments.... or firewall marks, so that packets that
> > come from segment X, use a routing table that has route Y as its
> > default GW. ;-)
> >
> > That would do.
> >
> > On 10/31/05, Bradley Alexander wrote:
> > > I am trying to build a firewall and from my reading of the list archives
> > > and other places, I'm worried about unintended interactions between
> > > iptables and iproute2. Here is my situation
> > >
> > > I have an internal network on eth0 and two separate dmzs on eth1 and eth2
> > > respectively (a wireless network and a kiosk). On the outbound side, I
> > > have a cablemodem provider and a dsl provider. What I need is to set up
> > > routing such that the internal network goes out on the dsl, while the
> > > dmzs go out on the cablemodem.
> > >
> > > What would be the best approach to this configuration? Will there be any
> > > unforeseen interactions between iproute and iptables?
> > >
> > > Thanks,
> > > --
> > > --Brad
> > > ========================================================================
> > > Bradley M. Alexander |
> > > IA Analyst, SysAdmin, Security Engineer | storm [at] tux.org
> > > ========================================================================
> > > Key fingerprints:
> > > DSA 0x54434E65: 37F6 BCA6 621D 920C E02E E3C8 73B2 C019 5443 4E65
> > > RSA 0xC3BCBA91: 3F 0E 26 C1 90 14 AD 0A C8 9C F0 93 75 A0 01 34
> > > ========================================================================
> > > Why do they put Braille dots on the keypad of the drive-up ATM?
> > >
> > > _______________________________________________
> > > LARTC mailing list
> > > LARTC@mailman.ds9a.nl
> > > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> >
> > _______________________________________________
> > LARTC mailing list
> > LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
> --
> --Brad
> ========================================================================
> Bradley M. Alexander |
> IA Analyst, SysAdmin, Security Engineer | storm [at] tux.org
> ========================================================================
> Key fingerprints:
> DSA 0x54434E65: 37F6 BCA6 621D 920C E02E E3C8 73B2 C019 5443 4E65
> RSA 0xC3BCBA91: 3F 0E 26 C1 90 14 AD 0A C8 9C F0 93 75 A0 01 34
> ========================================================================
> Criminals love gun control - it makes their jobs safer.
>
>
From rout at tj.rs.gov.br Tue Nov 1 20:56:20 2005
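A complete version of the two-table setup sketched in the IProute2/netfilter thread above, which also answers ram's four-link question earlier in this digest (the same per-link table, rule and mark pattern simply repeats once per uplink). This is an added example, not code from any poster; every interface name, address, gateway, table number and mark in it is an assumption for illustration. Two details matter in practice. The marks are set in mangle PREROUTING: the kernel performs the route lookup for a forwarded packet after PREROUTING, so a mark applied in FORWARD comes too late to select a routing table. And CONNMARK pins every packet of a connection to the uplink its first packet used, which is what stops a connection from going out one link and replying through the other. The `from <link address>` rules do the same for connections that arrive on an uplink from outside: the box's replies leave through the link they came in on.

```bash
#!/bin/bash
# Added example, not from the thread: two uplinks, LAN out via DSL, the two
# DMZs out via cable. Every interface name, address, gateway, table number and
# mark below is an assumption for illustration; edit them for a real box.
# DRY_RUN=1 prints the commands instead of executing them.

LAN_IF=eth0
DMZ_IFS="eth1 eth2"                                   # wireless, kiosk
INTERNAL_NETS="10.0.0.0/24 10.0.1.0/24 10.0.2.0/24"   # LAN and DMZ subnets

DSL_IF=eth4; DSL_IP=192.0.2.10;    DSL_GW=192.0.2.1;    DSL_NET=192.0.2.0/24;    DSL_TABLE=4; DSL_MARK=4
CAB_IF=eth5; CAB_IP=198.51.100.10; CAB_GW=198.51.100.1; CAB_NET=198.51.100.0/24; CAB_TABLE=5; CAB_MARK=5

run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# One routing table per uplink. Numeric table ids work as-is; a name for them
# can be added to /etc/iproute2/rt_tables (ids 1-252 are free) but is not required.
setup_link() {   # ifname ip gw net table mark
    local ifname=$1 ip=$2 gw=$3 net=$4 table=$5 mark=$6
    run ip route flush table "$table"
    # The link's own subnet must be in the table, or the gateway is unreachable from it.
    run ip route add "$net" dev "$ifname" src "$ip" table "$table"
    run ip route add default via "$gw" dev "$ifname" table "$table"
    # Replies to connections that arrived on this link leave on the same link.
    run ip rule add from "$ip" table "$table" priority 100
    # Forwarded packets carrying this link's fwmark use this table.
    run ip rule add fwmark "$mark" table "$table" priority 200
}

# Traffic between the LAN and the DMZs must not be pushed out an uplink:
# consult the main table (connected routes) before the fwmark rules.
keep_internal_traffic_local() {
    local net
    for net in $INTERNAL_NETS; do
        run ip rule add to "$net" table main priority 50
    done
}

# Marks are set in mangle PREROUTING: the route lookup for a forwarded packet
# happens after PREROUTING, so a mark set in FORWARD is too late to pick a table.
# CONNMARK keeps every packet of a connection on the link it started on.
mark_traffic() {
    local d
    run iptables -t mangle -N MARK-LINK
    run iptables -t mangle -A PREROUTING -j MARK-LINK
    run iptables -t mangle -A MARK-LINK -j CONNMARK --restore-mark
    run iptables -t mangle -A MARK-LINK -m mark ! --mark 0 -j RETURN
    run iptables -t mangle -A MARK-LINK -i "$LAN_IF" -j MARK --set-mark "$DSL_MARK"
    for d in $DMZ_IFS; do
        run iptables -t mangle -A MARK-LINK -i "$d" -j MARK --set-mark "$CAB_MARK"
    done
    run iptables -t mangle -A MARK-LINK -j CONNMARK --save-mark
}

# Source NAT per uplink, so a packet leaves with the address of the link it uses.
nat_uplinks() {
    run iptables -t nat -A POSTROUTING -o "$DSL_IF" -j SNAT --to-source "$DSL_IP"
    run iptables -t nat -A POSTROUTING -o "$CAB_IF" -j SNAT --to-source "$CAB_IP"
}

main() {
    setup_link "$DSL_IF" "$DSL_IP" "$DSL_GW" "$DSL_NET" "$DSL_TABLE" "$DSL_MARK"
    setup_link "$CAB_IF" "$CAB_IP" "$CAB_GW" "$CAB_NET" "$CAB_TABLE" "$CAB_MARK"
    keep_internal_traffic_local
    mark_traffic
    nat_uplinks
    run ip route flush cache
    # Not done here: strict rp_filter (=1) on the uplinks can drop legitimate
    # traffic on a multihomed box; check net.ipv4.conf.*.rp_filter before blaming routing.
}

# Run only when asked, so sourcing the file for its functions has no side effects.
if [ "${1:-}" = "apply" ]; then main; fi
```

Review the generated commands first with `DRY_RUN=1 ./uplinks.sh apply`, then run it as root without `DRY_RUN`. Adding a third or fourth uplink is one more `setup_link` call with its own table and mark, plus the marking rule that selects it.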
From: rout at tj.rs.gov.br (Felipe Szczesny Rout) Date: Tue Nov 1 21:00:48 2005 Subject: [LARTC] HTB, rate and ceil question Message-ID: <1130874980.25463.36.camel@localhost.localdomain>
Hello

I have a 64kbit link to a location and I need to limit the traffic of a machine (10.200.0.86) to this location to ensure that this machine will not use all the bandwidth, and I made a rule for this situation where the machine has its bandwidth limited to 10kbit if there is other traffic to this location; otherwise it can use up to 54kbit.

tc qdisc add dev eth0 root handle 1: htb
...
tc class add dev eth0 parent 1: classid 1:1640 htb rate 64kbit
tc class add dev eth0 parent 1:1640 classid 1:1641 htb rate 10kbit ceil 54kbit
tc class add dev eth0 parent 1:1640 classid 1:1642 htb rate 54kbit ceil 64kbit
tc filter add dev eth0 protocol ip parent 1:0 prio 5 u32 match ip src 10.200.0.86 match ip dst 10.205.86.0/24 flowid 1:1641
tc filter add dev eth0 protocol ip parent 1:0 prio 5 u32 match ip dst 10.205.86.0/24 flowid 1:1642
...

The problem is that when 10.200.0.86 starts to use more than 10kbit, it seems it does not go back to 10kbit again when other traffic comes back to the link, even though that is heavy traffic, enough to use all 54kbit assigned to it. Has anybody else observed this behaviour? I'm using ntop to monitor the link.
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20051101/d734a10d/attachment.html From webmaster at baexporta.gba.gov.ar Tue Nov 1 21:11:27 2005
From: webmaster at baexporta.gba.gov.ar (Juan Ignacio Borda) Date: Tue Nov 1 21:13:07 2005 Subject: [LARTC] How to priorize Traffic Message-ID: <4367CBEF.8060708@baexporta.gba.gov.ar>
Hi guys, I want to prioritize traffic coming down from the internet on my ppp0 interface. I want port 80 and 21 (and others) to have preference over P2P traffic. I don't want to ban P2P, just give it less priority than other, more vital services... does anyone know how to do it or where to read up on it?

Thanks in advance
From unki at netshadow.at Tue Nov 1 22:00:16 2005
From: unki at netshadow.at (Andreas Unterkircher) Date: Tue Nov 1 22:00:01 2005 Subject: [LARTC] How to priorize Traffic In-Reply-To: <4367CBEF.8060708@baexporta.gba.gov.ar> References: <4367CBEF.8060708@baexporta.gba.gov.ar> Message-ID: <4367D760.1030504@netshadow.at>
How about this? http://www.lartc.org/howto/

Juan Ignacio Borda wrote:
> Hi guys, I want to prioritize traffic coming down from the internet on my
> ppp0 interface
> I want port 80 and 21 (and others) to have preference over P2P
> traffic, I don't want to ban P2P just give it less prio than other
> more vital services... does anyone know how to do it or where to read on.
>
> Thanks in advance
>
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
From erik at ironsavior.net Tue Nov 1 23:13:20 2005
From: erik at ironsavior.net (Erik Elmore) Date: Tue Nov 1 23:13:25 2005 Subject: [LARTC] How to priorize Traffic In-Reply-To: <4367D760.1030504@netshadow.at> References: <4367CBEF.8060708@baexporta.gba.gov.ar> <4367D760.1030504@netshadow.at> Message-ID: <82b4b0ec0511011413i5b4d621bn2bf58e34ab26309a@mail.gmail.com>
That seems to be the million dollar question and it really isn't as simple as your question puts it. If you spend time learning a few things, it will become much easier. I would recommend the lartc howto and the htb user guide. The htb user guide made a lot of things more clear to me. I hope to have time to make a framework for easily defining shaping rules soon.

On 11/1/05, Andreas Unterkircher wrote:
> How about this? http://www.lartc.org/howto/
>
> Juan Ignacio Borda wrote:
>
> > Hi guys, I want to prioritize traffic coming down from the internet on my
> > ppp0 interface
> > I want port 80 and 21 (and others) to have preference over P2P
> > traffic, I don't want to ban P2P just give it less prio than other
> > more vital services... does anyone know how to do it or where to read on.
> >
> > Thanks in advance
> >
> >
> > _______________________________________________
> > LARTC mailing list
> > LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
From xuanyuanzhe at gmail.com Wed Nov 2 04:34:24 2005
From: xuanyuanzhe at gmail.com (轩辕哲) Date: Wed Nov 2 04:34:43 2005 Subject: [LARTC] about TC rate estimator Message-ID:
I have a question: When TC calculates the rate of the outgoing traffic in each queue or class, does the amount of total sent bytes include the bytes in the IP header and the TCP/UDP header?

Thank you very much for replying ^_^
From lartc-337 at ccp.com.au Wed Nov 2 05:20:42 2005
From: lartc-337 at ccp.com.au (Lee Sanders) Date: Wed Nov 2 05:20:52 2005 Subject: [LARTC] How to priorize Traffic In-Reply-To: <4367CBEF.8060708@baexporta.gba.gov.ar> References: <4367CBEF.8060708@baexporta.gba.gov.ar> Message-ID: <200511021220.42482.lartc-337@ccp.com.au>
If you want to do shaping for specific services there are over 11 different Linux queuing methods to pick from; most here advise using HTB.
http://luxik.cdi.cz/%7Edevik/qos/htb/

A ready-made script to use HTB on your server exists; it's called HTB.init. I suggest you have a look at this, it could get you up and running very quickly with your requirements.
http://sourceforge.net/projects/htbinit/

An alternative for shaping your network to improve performance.
http://lartc.org/wondershaper/

Regards,
Lee

On Wed, 2 Nov 2005 04:11 am, Juan Ignacio Borda wrote:
> Hi guys, I want to prioritize traffic coming down from the internet on my
> ppp0 interface
> I want port 80 and 21 (and others) to have preference over P2P traffic,
> I don't want to ban P2P just give it less prio than other more vital
> services... does anyone know how to do it or where to read on.
>
> Thanks in advance
From Andreas.Klauer at metamorpher.de Wed Nov 2 07:26:48 2005
From: Andreas.Klauer at metamorpher.de (Andreas Klauer) Date: Wed Nov 2 07:26:51 2005 Subject: [LARTC] How to priorize Traffic In-Reply-To: <4367CBEF.8060708@baexporta.gba.gov.ar> References: <4367CBEF.8060708@baexporta.gba.gov.ar> Message-ID: <200511020726.49017.Andreas.Klauer@metamorpher.de>
On Tuesday 01 November 2005 21:11, Juan Ignacio Borda wrote:
> I want port 80 and 21 (and others) to have preference over P2P traffic,
> I don't want to ban P2P just give it less prio than other more vital
> services... does anyone know how to do it or where to read on.

A good way would probably be to look up some example scripts on the net that already deal with P2P. There are some that use IPP2P and / or l7-filter (two projects that try to detect the type of traffic by looking at the data of the packets).

My own script uses a combination of HTB / PRIO / SFQ qdiscs and puts said P2P traffic into the lowest PRIO band. I found this to be quite effective in my home network, although others might find it a tad too aggressive, because PRIO won't give any bandwidth to P2P as long as there are ssh/www/other packets to be sent / received. You can have a look at the script here: http://www.metamorpher.de/fairnat/

If you're not shaping for clients behind a router, you'll need a bit of a different approach, but if you've already read the LARTC howto and other docs it might give you an idea of how to solve it in your own situation.

HTH
Andreas Klauer
From szogunek at ssh.pl Wed Nov 2 14:28:28 2005
From: szogunek at ssh.pl (szogunek) Date: Wed Nov 2 14:28:17 2005 Subject: [LARTC] Re: LARTC Digest, Vol 9, Issue 3 In-Reply-To: <20051102110006.03DBC4539@outpost.ds9a.nl> References: <20051102110006.03DBC4539@outpost.ds9a.nl> Message-ID: <1515.195.205.236.197.1130938108.squirrel@www.poczta.internet.pl>
hi there,

Is there any possible way to control traffic in a child class by selected protocols, for example http? I try to use this script but it's not working. In theory: there is a root class 1:0 with subclass 1:2; in class 1:2 all IP addresses have their bandwidth limit 1:{iden}, and now I try to also control bandwidth in this class, i.e. if class 1:{iden} has 190kbit I want 95kbit with burst to 190kbit for port 80, 95kbit with burst to 190kbit for port 110, and 40kbit with burst to 95kbit for the rest of his traffic. I attach my script which should do that in theory but it's not doing this. Can anyone help correct my errors or tell me how to do that?

best regards
szogunek

------> script start here <----
# note: this flowid (1:1${iden}) does not match the class 1:${iden} created below
tc filter add dev $SIECETH0 protocol ip preference 2 parent 1:0 u32 match ip dst $host flowid 1:1${iden}
tc class add dev $SIECETH0 parent 1:2 classid 1:${iden} htb rate ${down}kbit ceil ${downmax}kbit prio $prio
tc filter add dev $SIECETH0 protocol ip preference 2 parent 1:2 u32 match ip dst $host flowid 1:${iden}
# port 80 (source port, i.e. downloads from web servers)
tc class add dev $SIECETH0 parent 1:${iden} classid 1:${iden}1 htb rate ${p2pd}kbit ceil ${downmax}kbit prio 2
tc qdisc add dev $SIECETH0 parent 1:${iden}1 handle 9${iden}: sfq perturb 5
tc filter add dev $SIECETH0 protocol ip preference 2 parent 1:${iden} u32 match ip sport 80 0xffff flowid 1:${iden}1
# port 110
tc class add dev $SIECETH0 parent 1:${iden} classid 1:${iden}2 htb rate ${p2pd}kbit ceil ${downmax}kbit prio 2
tc qdisc add dev $SIECETH0 parent 1:${iden}2 handle 2${iden}: sfq perturb 5
tc filter add dev $SIECETH0 protocol ip preference 2 parent 1:${iden} u32 match ip sport 110 0xffff flowid 1:${iden}2
# UDP (IP protocol 17); was "classid ${iden}3": the "1:" major number was missing
tc class add dev $SIECETH0 parent 1:${iden} classid 1:${iden}3 htb rate ${p2pd}kbit ceil ${downmax}kbit prio 7
tc qdisc add dev $SIECETH0 parent 1:${iden}3 handle 3${iden}: sfq perturb 5
tc filter add dev $SIECETH0 protocol ip preference 2 parent 1:${iden} u32 match ip protocol 17 0xff flowid 1:${iden}3
# port 22; was "flowid 1:${iden}2", which left class 1:${iden}4 unreachable
tc class add dev $SIECETH0 parent 1:${iden} classid 1:${iden}4 htb rate ${p2pd}kbit ceil ${p2pd}kbit prio 2
tc filter add dev $SIECETH0 protocol ip preference 2 parent 1:${iden} u32 match ip sport 22 0xffff flowid 1:${iden}4
---->script end <-----
From tech at wildcash.com Wed Nov 2 14:43:22 2005
From: tech at wildcash.com (Rudi Starcevic) Date: Wed Nov 2 14:43:10 2005 Subject: [LARTC] TC not rate limiting for me Message-ID: <4368C27A.4030206@wildcash.com>
Hi,

I have my IP and TC scripts working OK but my rate limiting does not seem to be being applied. My available download speed is around 150kbps. I'd like to limit this box and the machines it forwards for to 10kbps each, a total of 20kbps, thus leaving 130kbps unused. The classes I've created are simple and the stats show they are moving bytes OK; however, the entire 150kbps is always used. Is this odd? Have I missed something in my simple classes below?

tc qdisc add dev eth1 root handle 1: htb default 12
tc class add dev eth1 parent 1: classid 1:1 htb rate 20kbps ceil 20kbps
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 10kbps ceil 20kbps
tc class add dev eth1 parent 1:1 classid 1:12 htb rate 10kbps ceil 20kbps
tc filter add dev eth1 parent 1:0 prio 0 protocol ip handle 22 fw flowid 1:10
iptables -t mangle -A PREROUTING -p tcp -s 192.168.3.110 -j MARK --set-mark 22

[stats]
class htb 1:1 root rate 160000bit ceil 160000bit burst 1799b/8 mpu 0b overhead 0b cburst 1799b/8 mpu 0b overhead 0b level 7
 Sent 1957552 bytes 28162 pkts (dropped 0, overlimits 0)
 rate 3672bit 7pps
 lended: 0 borrowed: 0 giants: 0
 tokens: 89703 ctokens: 89703

class htb 1:10 parent 1:1 leaf 20: prio 0 quantum 1000 rate 80000bit ceil 160000bit burst 1699b/8 mpu 0b overhead 0b cburst 1799b/8 mpu 0b overhead 0b level 0
 Sent 668860 bytes 9984 pkts (dropped 0, overlimits 0)
 lended: 9984 borrowed: 0 giants: 0
 tokens: 167527 ctokens: 88884

class htb 1:12 parent 1:1 leaf 30: prio 0 quantum 1000 rate 80000bit ceil 160000bit burst 1699b/8 mpu 0b overhead 0b cburst 1799b/8 mpu 0b overhead 0b level 0
 Sent 1288692 bytes 18178 pkts (dropped 0, overlimits 0)
 rate 3672bit 7pps
 lended: 18178 borrowed: 0 giants: 0
 tokens: 169165 ctokens: 89703

Thanks.
Regards,
Rudi.
From szogunek at ssh.pl Wed Nov 2 14:59:00 2005
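A check for the two questions that recur in Rudi's post above and in Felipe's "HTB, rate and ceil" post earlier in this digest: what a tc rate string actually means, and whether an HTB class is really being held to its ceil. This is an added example, not code from either post; the sample `tc -s class show` dump it carries is constructed to resemble Rudi's output, with one class deliberately given a measured rate above its ceil so the check has something to report. Two things become visible. In tc, `kbps` is kilobytes per second, so `10kbps` is 80000 bit/s, which is exactly what the dump reports for the `10kbps` classes above; `kbit` is the unit for kilobits. And a sustained measured rate above the ceil means the traffic is not going through the class you think it is: an egress qdisc on eth1 only shapes what eth1 transmits, so downloads arriving on eth1 pass it untouched (inbound traffic has to be shaped on the interface it leaves through, or with ingress policing or IMQ as in the HOWTO script earlier on this page). Brief excursions above ceil are ordinary HTB burst behaviour, not a misconfiguration.

```bash
#!/bin/bash
# Added example, not from the thread: tc rate units and an HTB ceil check.
# Needs only bash and awk; it does not touch the network stack.

# Convert a tc rate string to bits per second. tc's rules: a bare number or
# "bit" is bits/s, "bps" is BYTES per second, k/m/g prefixes are decimal
# (1000) and ki/mi are binary (1024). So "20kbps" is 160000 bit/s, not 20000.
tc_rate_to_bit() {
    local v=$1 num unit mult
    num=${v%%[a-zA-Z]*}
    unit=${v#"$num"}
    unit=$(printf '%s' "$unit" | tr 'A-Z' 'a-z')     # tc accepts any case
    case $unit in
        ''|bit)  mult=1 ;;
        kbit)    mult=1000 ;;
        mbit)    mult=1000000 ;;
        gbit)    mult=1000000000 ;;
        kibit)   mult=1024 ;;
        mibit)   mult=1048576 ;;
        bps)     mult=8 ;;
        kbps)    mult=8000 ;;
        mbps)    mult=8000000 ;;
        gbps)    mult=8000000000 ;;
        kibps)   mult=8192 ;;
        mibps)   mult=8388608 ;;
        *) echo "tc_rate_to_bit: unknown unit '$unit' in '$v'" >&2; return 1 ;;
    esac
    awk -v n="$num" -v m="$mult" 'BEGIN { printf "%d\n", n * m }'
}

# Read "tc -s class show dev X" output on stdin and print one line per class:
#   <classid> <ceil bit/s> <measured bit/s> ok|OVER|noest|noceil
# The configured rate/ceil are on the "class" line; the measured rate, when
# the class has a rate estimator, is on the "rate NNNbit NNpps" line below it.
check_classes() {
    awk '
        function to_bit(s,    n, u) {
            n = s + 0
            u = s; sub(/^[0-9.]+/, "", u); u = tolower(u)
            if (u == "" || u == "bit") return n
            if (u == "kbit") return n * 1000
            if (u == "mbit") return n * 1000000
            if (u == "gbit") return n * 1000000000
            return -1
        }
        function flush() {
            if (cls == "") return
            if (obs < 0)         st = "noest"
            else if (ceil <= 0)  st = "noceil"
            else if (obs > ceil) st = "OVER"
            else                 st = "ok"
            printf "%s %d %d %s\n", cls, ceil, obs, st
        }
        $1 == "class" {
            flush()
            cls = $3; ceil = 0; obs = -1
            for (i = 4; i <= NF; i++) if ($i == "ceil") ceil = to_bit($(i + 1))
        }
        $1 == "rate" { obs = to_bit($2) }
        END { flush() }
    '
}

# Constructed sample, modelled on the dump in the post above; class 1:12 has
# been given a measured rate above its ceil to show the check firing.
SAMPLE_DUMP='class htb 1:1 root rate 160000bit ceil 160000bit burst 1799b cburst 1799b level 7
 Sent 1957552 bytes 28162 pkts (dropped 0, overlimits 0)
 rate 3672bit 7pps
 lended: 0 borrowed: 0 giants: 0
class htb 1:10 parent 1:1 leaf 20: prio 0 quantum 1000 rate 80000bit ceil 160000bit burst 1699b cburst 1799b level 0
 Sent 668860 bytes 9984 pkts (dropped 0, overlimits 0)
 lended: 9984 borrowed: 0 giants: 0
class htb 1:12 parent 1:1 leaf 30: prio 0 quantum 1000 rate 64000bit ceil 64000bit burst 1699b cburst 1799b level 0
 Sent 1288692 bytes 18178 pkts (dropped 0, overlimits 0)
 rate 71320bit 14pps
 lended: 18178 borrowed: 0 giants: 0'

if [ "${1:-}" = "demo" ]; then
    echo "10kbps = $(tc_rate_to_bit 10kbps) bit/s, 10kbit = $(tc_rate_to_bit 10kbit) bit/s"
    printf '%s\n' "$SAMPLE_DUMP" | check_classes
    # On a live box:  tc -s class show dev eth1 | check_classes
fi
```

`./tcrate.sh demo` prints the conversions and the per-class verdicts for the sample; piping a real `tc -s class show dev <if>` into `check_classes` gives the same table for your own qdisc. A class reported `noest` simply has no rate estimator attached, which is common, so compare its `Sent` byte counters between two runs instead.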
From: szogunek at ssh.pl (szogunek)
Date: Wed Nov 2 14:58:49 2005
Subject: [LARTC] Re: LARTC Digest, Vol 9, Issue 3
In-Reply-To: <20051102110006.03DBC4539@outpost.ds9a.nl>
References: <20051102110006.03DBC4539@outpost.ds9a.nl>
Message-ID: <1649.195.205.236.197.1130939940.squirrel@www.poczta.internet.pl>

Hi there,

Is there any possible way to control traffic in a child class with selected protocols, for example HTTP? I try to use this script but it's not working.

In theory: there is root class 1:0 with subclass 1:2. In class 1:2 all IP addresses have their bandwidth limit 1:{iden}, and now I also try to control bandwidth in this class, i.e. if class 1:{iden} has 190kbit
I want 95kbit with burst to 190kbit for port 80
and 95kbit with burst to 190kbit for port 110
and 40kbit with burst to 95kbit for the rest of his traffic.

I attach my script which should do that in theory, but it's not doing this. Can anyone help correct my errors or tell me how to do that?

Best regards,
szogunek

------> script start here <----
tc filter add dev $SIECETH0 protocol ip preference 2 parent 1:0 u32 match ip dst $host flowid 1:1${iden}
tc class add dev $SIECETH0 parent 1:2 classid 1:${iden} htb rate ${down}kbit ceil ${downmax}kbit prio $prio
tc filter add dev $SIECETH0 protocol ip preference 2 parent 1:2 u32 match ip dst $host flowid 1:${iden}
tc class add dev $SIECETH0 parent 1:${iden} classid 1:${iden}1 htb rate ${p2pd}kbit ceil ${downmax}kbit prio 2
tc qdisc add dev $SIECETH0 parent 1:${iden}1 handle 9${iden}: sfq perturb 5
tc filter add dev $SIECETH0 protocol ip preference 2 parent 1:${iden} u32 match ip sport 80 0xffff flowid 1:${iden}1
tc class add dev $SIECETH0 parent 1:${iden} classid 1:${iden}2 htb rate ${p2pd}kbit ceil ${downmax}kbit prio 2
tc qdisc add dev $SIECETH0 parent 1:${iden}2 handle 2${iden}: sfq perturb 5
tc filter add dev $SIECETH0 protocol ip preference 2 parent 1:${iden} u32 match ip sport 110 0xffff flowid 1:${iden}2
# classid was written "${iden}3" without the "1:" prefix; HTB rejects a classid whose major number differs from qdisc 1:
tc class add dev $SIECETH0 parent 1:${iden} classid 1:${iden}3 htb rate ${p2pd}kbit ceil ${downmax}kbit prio 7
tc qdisc add dev $SIECETH0 parent 1:${iden}3 handle 3${iden}: sfq perturb 5
tc filter add dev $SIECETH0 protocol ip preference 2 parent 1:${iden} u32 match ip protocol 17 0xff flowid 1:${iden}3
tc class add dev $SIECETH0 parent 1:${iden} classid 1:${iden}4 htb rate ${p2pd}kbit ceil ${p2pd}kbit prio 2
# flowid was 1:${iden}2 (the port 110 class); class 1:${iden}4 is otherwise never used
tc filter add dev $SIECETH0 protocol ip preference 2 parent 1:${iden} u32 match ip sport 22 0xffff flowid 1:${iden}4
---->script end <-----

From tuttle at bbs.cvut.cz Wed Nov 2 15:06:40 2005
From: tuttle at bbs.cvut.cz (Vlada Macek)
Date: Wed Nov 2 15:06:44 2005
Subject: [LARTC] must cut the line down too much for shaping to work
Message-ID: <4368C7F0.6030104@bbs.cvut.cz>

Hi,

my situation: One internet connection 256 kbps uplink/downlink, pretty stable speed, a Linux router with three NICs (one to ISP, one to DMZ and one with VLANs enabled to our LAN). Each of three VLANs (1, 10, 11) is a region for me; id 1 gets guaranteed 128 kbps, id 10 and 11 both get guaranteed 64 kbps (both uplink and downlink). Simple configuration.

After I read relevant parts of lartc (GREAT READING by the way, thanks!) and a dozen other docs I was able to set this thing up: I mark packets in the iptables mangle FORWARD chain according to where the packet comes from and where it wants to go. It does work, but...

In many places there is a warning that the shaping box must stay a bottleneck of the route so the queue can start to fill inside it and be shaped. Somewhere they say a few percent of the upstream rate must be sacrificed, some say 25%...

Okay, I tried to set a full 256kbit on a root HTB class, just for fun. No shaping. I set 230kbit then. Still nothing. The beast started to work as expected when I cut my line to 220 kb/s! It means effectively a fall of the download speed from some 29-30 KB/s to about 26 KB/s as I measured it.

I consider it to be serious, given our internet connection is VERY expensive (because of the unfortunate location of the company building, but we are working on the cost problem). I do not know whether I can afford such resource loss presently...

Is it possible I got something not tuned well or is a fall from 256 to 220 kb/s normal for usual shaping?

Thanks in advance.

--
\//\/\
(Sometimes credited as 1494 F8DD 6379 4CD7 E7E3 1FC9 D750 4243 1F05 9424.)

From Andreas.Klauer at metamorpher.de Wed Nov 2 15:07:43 2005
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Wed Nov 2 15:08:06 2005
Subject: [LARTC] Re: LARTC Digest, Vol 9, Issue 3
In-Reply-To: <1649.195.205.236.197.1130939940.squirrel@www.poczta.internet.pl>
References: <20051102110006.03DBC4539@outpost.ds9a.nl> <1649.195.205.236.197.1130939940.squirrel@www.poczta.internet.pl>
Message-ID: <200511021507.43661.Andreas.Klauer@metamorpher.de>

On Wednesday 02 November 2005 14:59, szogunek wrote:
> i.e. if class 1:{iden} have 190kbit
> i want 95kbit with burst to 190kbit for port 80
> and 95kbit with burst to 190kbit for port 110
> and 40kbit with burst to 95kbit for rest of his traffic.

So 95kbit+95kbit+40kbit=190kbit? What do you want?
Script is too hard to read, and I'm lazy today...

HTH
Andreas

From tuttle at bbs.cvut.cz Wed Nov 2 15:32:49 2005
From: tuttle at bbs.cvut.cz (Vlada Macek)
Date: Wed Nov 2 15:32:54 2005
Subject: [LARTC] Re: must cut the line down too much for shaping to work
In-Reply-To: <4368C7F0.6030104@bbs.cvut.cz>
References: <4368C7F0.6030104@bbs.cvut.cz>
Message-ID: <4368CE11.6090308@bbs.cvut.cz>

One more to my previous posting:

What I want to get is to not let any of the three regions dominate the line and to maintain the 128-64-64 bandwidth ratio. I'm not concerned with the ceil (limiting the region's upload/download when the line is free), I wish free borrowing.

Isn't there any other method instead of HTB, not suffering from the 15% bandwidth loss, that would be capable of bringing me what I want?

Thanks,

VM

From szogunek at komputersat.pl Wed Nov 2 16:52:08 2005
From: szogunek at komputersat.pl (szogunek@komputersat.pl)
Date: Wed Nov 2 16:49:23 2005
Subject: [LARTC] trouble with traffic shaping HTB
Message-ID: <1721.195.205.236.197.1130946728.squirrel@poczta.komputersat.pl>

Hi there,

Is there any possible way to control traffic in a child class with selected protocols, for example HTTP? I try to use this script but it's not working.

In theory: there is root class 1:0 with subclass 1:2. In class 1:2 all IP addresses have their bandwidth limit 1:{iden}, and now I also try to control bandwidth in this class, i.e. if class 1:{iden} has 190kbit
I want 95kbit with burst to 190kbit for port 80
and 95kbit with burst to 190kbit for port 110
and 40kbit with burst to 95kbit for the rest of his traffic.

I attach my script which should do that in theory, but it's not doing this. Can anyone help correct my errors or tell me how to do that?

Best regards,
szogunek

------> script start here <----
tc filter add dev $SIECETH0 protocol ip preference 2 parent 1:0 u32 match ip dst $host flowid 1:1${iden}
tc class add dev $SIECETH0 parent 1:2 classid 1:${iden} htb rate ${down}kbit ceil ${downmax}kbit prio $prio
tc filter add dev $SIECETH0 protocol ip preference 2 parent 1:2 u32 match ip dst $host flowid 1:${iden}
tc class add dev $SIECETH0 parent 1:${iden} classid 1:${iden}1 htb rate ${p2pd}kbit ceil ${downmax}kbit prio 2
tc qdisc add dev $SIECETH0 parent 1:${iden}1 handle 9${iden}: sfq perturb 5
tc filter add dev $SIECETH0 protocol ip preference 2 parent 1:${iden} u32 match ip sport 80 0xffff flowid 1:${iden}1
tc class add dev $SIECETH0 parent 1:${iden} classid 1:${iden}2 htb rate ${p2pd}kbit ceil ${downmax}kbit prio 2
tc qdisc add dev $SIECETH0 parent 1:${iden}2 handle 2${iden}: sfq perturb 5
tc filter add dev $SIECETH0 protocol ip preference 2 parent 1:${iden} u32 match ip sport 110 0xffff flowid 1:${iden}2
# classid was written "${iden}3" without the "1:" prefix; HTB rejects a classid whose major number differs from qdisc 1:
tc class add dev $SIECETH0 parent 1:${iden} classid 1:${iden}3 htb rate ${p2pd}kbit ceil ${downmax}kbit prio 7
tc qdisc add dev $SIECETH0 parent 1:${iden}3 handle 3${iden}: sfq perturb 5
tc filter add dev $SIECETH0 protocol ip preference 2 parent 1:${iden} u32 match ip protocol 17 0xff flowid 1:${iden}3
tc class add dev $SIECETH0 parent 1:${iden} classid 1:${iden}4 htb rate ${p2pd}kbit ceil ${p2pd}kbit prio 2
# flowid was 1:${iden}2 (the port 110 class); class 1:${iden}4 is otherwise never used
tc filter add dev $SIECETH0 protocol ip preference 2 parent 1:${iden} u32 match ip sport 22 0xffff flowid 1:${iden}4
---->script end <-----

From gregoriandres at yahoo.com.ar Wed Nov 2 17:22:02 2005
From: gregoriandres at yahoo.com.ar (LinuXKiD)
Date: Wed Nov 2 17:22:06 2005
Subject: [LARTC] Differentiating between http downloads and interactive traffic
In-Reply-To: <435B0427.20605@riverviewtech.net>
Message-ID:

Hi,

I've read your recommendation (http://www.netfilter.org/projects/patch-o-matic/pom-extra.html#pom-extra-connrate) in order to differentiate between an established http download and interactive http traffic. That patch suggests something like this:

iptables .. -m tos --tos Minimize-Delay \
    -m connrate --connrate 20000:inf \
    -j TOS --set-tos Maximize-Throughput

=> match packets in minimize-delay TOS connections that are transferring faster than 20kbps and change their tos to maximize-throughput instead.

It is very interesting! Has somebody really tried this patch?

best regards
andres

->
->
-> I would recommend looking at the connrate
-> (http://www.netfilter.org/projects/patch-o-matic/pom-extra.html#pom-extra-connrate)
-> Patch-O-Matic patch. Your interactive sessions could be long lived and thus pass the
-> connlimit and / or connbytes matches and thus be falsely classified. Whereas if you
-> test for your interactive sessions by looking for an over all average low rate, burst
-> delay burst delay etc, you should have a low average and thus be able to match based
-> on rate to classify them higher.
->
->
->
-> Grant. . . .
->
-> Paul J. Smith wrote:
-> > Hi,
-> >
-> > I've been wondering if anyone has thought of a way to differentiate
-> > between an established http download and interactive http traffic? I
-> > would like to give interactive http traffic priority over someone
-> > downloading large files.
-> >
-> > Has anyone any ideas how to detect packets that are part of a download
-> > like this?
-> >
-> > Thanks.
->
-> _______________________________________________
-> LARTC mailing list
-> LARTC@mailman.ds9a.nl
-> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From tobia.conforto at linux.it Wed Nov 2 18:57:45 2005
From: tobia.conforto at linux.it (Tobia Conforto)
Date: Wed Nov 2 18:57:48 2005
Subject: [LARTC] HTB not shaping traffic
Message-ID: <20051102175745.GP2866@ikkoku.ath.cx>

I cannot get HTB to function properly. Most classes transmit more than their ceiling, more than any reasonable burst would allow. I have reviewed my script several times but I can't find anything out of place.

The setup is as standard as it gets: one HTB root qdisc, a small tree of HTB classes, one SFQ qdisc for each leaf HTB class.

To illustrate the problem, here is non-leaf HTB class 1:30, the one that exhibits the worst behaviour:

| tc class add dev eth0 parent 1:1 classid 1:30 htb prio 30 rate 149kbit

Here are the statistics after a few hours:

| class htb 1:30 parent 1:1 rate 149000bit ceil 149000bit burst 1617b cburst 1617b
|  Sent 344497902 bytes 513804 pkts (dropped 0, overlimits 0)
|  rate 226304bit 74pps
|  lended: 0 borrowed: 0 giants: 0
|  tokens: -59999999 ctokens: -59999999

As you can see, the class has been transmitting at a 226kbit rate, when its ceil is 149kbit! I let tc choose burst/cburst and they seem ok. I am concerned by the tokens and ctokens numbers, because they seem quite out of place. What is happening here?

Here are the statistics for the root qdisc and class:

| qdisc htb 1: r2q 10 default 20 direct_packets_stat 1090
|  Sent 415742014 bytes 1523439 pkts (dropped 35052, overlimits 1693102)
|  backlog 230p
| class htb 1:1 root rate 224000bit ceil 224000bit burst 1627b cburst 1627b
|  Sent 413505692 bytes 1522121 pkts (dropped 0, overlimits 0)
|  rate 285200bit 162pps
|  lended: 0 borrowed: 0 giants: 0
|  tokens: -59946694 ctokens: -59946694

Why does the qdisc show millions of overlimit packets and only thousands of dropped ones? Why are those numbers zero in ALL the classes?

The OS is Debian Sarge with a vanilla 2.6.9 kernel and the iproute (tc) package that comes with Debian, version 20041019-3. The eth0 device which is being shaped is part of Ethernet bridge br0.
Am I missing something or is this a bug? Has it already been fixed in a new version of any of the software I am using?

I can send the full tc script, kernel config or anything else by mail. I have attached an excerpt of the script below.

Tobia

Relevant (IMHO) part of the tc script, after variable substitution:

| tc qdisc add dev eth0 root handle 1: htb
|
| tc class add dev eth0 parent 1: classid 1:1 htb rate 224kbit
| tc class add dev eth0 parent 1:1 classid 1:10 htb prio 1 rate 224kbit
| tc class add dev eth0 parent 1:1 classid 1:20 htb prio 20 rate 200kbit
| tc class add dev eth0 parent 1:1 classid 1:30 htb prio 30 rate 149kbit
| tc class add dev eth0 parent 1:20 classid 1:21 htb prio 21 rate 178kbit
| tc class add dev eth0 parent 1:20 classid 1:22 htb prio 22 rate 178kbit
| tc class add dev eth0 parent 1:30 classid 1:31 htb prio 31 rate 112kbit
| tc class add dev eth0 parent 1:30 classid 1:32 htb prio 32 rate 112kbit
|
| for i in 10 21 22 31 32; do
|   tc qdisc add dev eth0 parent 1:$i handle $i: sfq perturb 10
| done

The rest of the script is filters and a trivial ingress policer.

From jody.shumaker at gmail.com Wed Nov 2 20:38:43 2005
From: jody.shumaker at gmail.com (Jody Shumaker)
Date: Wed Nov 2 20:38:48 2005
Subject: [LARTC] Re: must cut the line down too much for shaping to work
In-Reply-To: <4368CE11.6090308@bbs.cvut.cz>
References: <4368C7F0.6030104@bbs.cvut.cz> <4368CE11.6090308@bbs.cvut.cz>
Message-ID: <2af436490511021138h25545f6br21e9408e2e3b2b1@mail.gmail.com>

I'm only sacrificing 4kbit on my 512kbit uplink and I'm getting the results I want. Can you be more specific as to how it was "failing" when you had it set closer to the actual link speed?

The reason to keep the speed limit under the actual connection is more of a latency issue. The reason to do it is so you keep the queue on your server and thus can guarantee lower latency for certain things. From the sound of your setup, a 2:1:1 ratio split, the latency thing isn't really an issue at all. I don't see why you couldn't just keep it as the actual connection bandwidth.

Please say what didn't work instead of just saying "didn't work as expected" or "No shaping." Give some detailed output that you're basing this statement on.

My best suggestion on the limited information would be to maybe set it up with a root class of 256kbit, then set up the child classes as 120-60-60 with borrowing. In my own usage, leaving some free bandwidth that every subclass has to borrow from seems to work better than assigning it all.

Also, are you basing the drop from 30KB/s to 26KB/s off measured transfers or just calculating the bandwidth? If you haven't tested your actual bandwidth without HTB active I'd suggest doing that.

- Jody Shumaker

On 11/2/05, Vlada Macek wrote:
>
> One more to my previous posting:
>
> What I want to get is to not let any of the three regions to dominate
> the line and to maintain the 128-64-64 bandwidth ratio. I'm not
> concerned in the ceil (limit the region's upload/download when the line
> is free), I wish free borrowing.
>
> Isn't there any other method instead of HTB, not suffering with the 15%
> bandwidth loss, that would be capable of bringing me what I want?
>
> Thanks,
>
> VM

From szogunek at komputersat.pl Thu Nov 3 12:52:54 2005
From: szogunek at komputersat.pl (szogunek@komputersat.pl)
Date: Thu Nov 3 12:50:07 2005
Subject: [LARTC] advanced traffic control for ip and services
In-Reply-To: <20051102175758.70B5A4581@outpost.ds9a.nl>
References: <20051102175758.70B5A4581@outpost.ds9a.nl>
Message-ID: <1989.195.205.236.197.1131018774.squirrel@poczta.komputersat.pl>

Andreas.Klauer@metamorpher.de>
> Subject: Re: [LARTC] Re: LARTC Digest, Vol 9, Issue 3
> To: lartc@mailman.ds9a.nl
> Message-ID: <200511021507.43661.Andreas.Klauer@metamorpher.de>
> Content-Type: text/plain; charset="iso-8859-2"
>
> On Wednesday 02 November 2005 14:59, szogunek wrote:
>> i.e. if class 1:{iden} have 190kbit
>> i want 95kbit with burst to 190kbit for port 80
>> and 95kbit with burst to 190kbit for port 110
>> and 40kbit with burst to 95kbit for rest of his traffic.
>
> So 95kbit+95kbit+40kbit=190kbit? What do you want?
> Script is too hard to read, and I'm lazy today...
>
> HTH
> Andreas
>
>

So you think if there will be, i.e., 4kbit with burst to 190kbit, it will work fine?

From tobia.conforto at linux.it Thu Nov 3 14:54:33 2005
From: tobia.conforto at linux.it (Tobia)
Date: Thu Nov 3 14:54:41 2005
Subject: [LARTC] Re: HTB not shaping traffic
In-Reply-To: <20051102175745.GP2866@ikkoku.ath.cx>
References: <20051102175745.GP2866@ikkoku.ath.cx>
Message-ID: <20051103135433.GU2866@ikkoku.ath.cx>

I solved my problem by myself, by studying devik's HTB manual:
http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm

Here are my remarks for those browsing the mailing list archive. The line that made me realize what I was doing wrong is:

"The rate supplied for a parent should be the sum of the rates of its children."

Apparently I was confusing the purpose of 'rate' with that of 'ceil' and HTB was not too happy about it.

Tobia

From michael at bbd.co.za Thu Nov 3 18:52:43 2005
From: michael at bbd.co.za (Michael Davidson)
Date: Thu Nov 3 18:53:00 2005
Subject: [LARTC] Cannot get htb & prio working together.
Message-ID: <436A4E6B.6090506@bbd.co.za>

Hi,

I've failed miserably in my endeavours so far and I'm at the point where help would be much appreciated.

I want to have 3 bandwidth limited classes on my Internet interface. In each of those classes I want 3 prioritization bands, and then use "tc filters" to place the traffic into the correct class and priority. The problem is that the traffic doesn't get classified at all, it just seems to go through the root queue untouched.

This is the minimal config I've been testing with:

tc qdisc add dev eth0 root handle 1: htb
tc class add dev eth0 parent 1: classid 1:1 htb rate 120kbit
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 30kbit ceil 120kbit
tc qdisc add dev eth0 parent 1:20 handle 20: prio
#Note: With a "prio" qdisc the class ID's of nn:1 to 3 are automatically provided
tc qdisc add dev eth0 parent 20:1 handle 201: sfq
tc qdisc add dev eth0 parent 20:2 handle 202: sfq
tc qdisc add dev eth0 parent 20:3 handle 203: sfq
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dport 22 0xffff flowid 20:1
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dport 23 0xffff flowid 20:3

A "tc filter show" displays the filters and so on and one can see the hits & successes when testing with, say, Telnet, but the counters on the respective queue/flowid don't increment. Only counters on the root queue show activity.
:-
filter parent 1: protocol ip pref 1 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 20:3 (rule hit 82 success 31)
  match 00000017/0000ffff at 20 (success 31 )

qdisc sfq 201: parent 20:3 limit 128p quantum 1514b flows 128/1024
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

I've tried changing the filter parent to the "prio" qdisc, i.e. 20, but a "tc filter show" doesn't even display the filter and, as you might expect, only the root queue counter shows activity.

The OS is Fedora Core 4 with an "out of the box" server installation. Linux version 2.6.11-1.1369_FC4

Thanks in advance
Mike D.

From Andreas.Klauer at metamorpher.de Thu Nov 3 19:09:06 2005
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Thu Nov 3 19:09:13 2005
Subject: [LARTC] Cannot get htb & prio working together.
In-Reply-To: <436A4E6B.6090506@bbd.co.za>
References: <436A4E6B.6090506@bbd.co.za>
Message-ID: <200511031909.06811.Andreas.Klauer@metamorpher.de>

On Thursday 03 November 2005 18:52, Michael Davidson wrote:
> tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dport
> 22 0xffff flowid 20:1
> tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dport
> 23 0xffff flowid 20:3

Do filters actually work in between different qdiscs?

I use HTB & PRIO also, but my filter puts packets from the HTB qdisc to the HTB leaf class first, and then another filter puts packets from the PRIO qdisc in the correct PRIO band.

HTH
Andreas

From jody.shumaker at gmail.com Thu Nov 3 23:11:41 2005
From: jody.shumaker at gmail.com (Jody Shumaker)
Date: Thu Nov 3 23:11:47 2005
Subject: [LARTC] Cannot get htb & prio working together.
In-Reply-To: <200511031909.06811.Andreas.Klauer@metamorpher.de>
References: <436A4E6B.6090506@bbd.co.za> <200511031909.06811.Andreas.Klauer@metamorpher.de>
Message-ID: <2af436490511031411o6a739104vc0980f2fefd5cc1e@mail.gmail.com>

Filters I believe are per qdisc. You really need to have filters to specify which HTB class and which prio class.

tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dport 22 0xffff flowid 1:20
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dport 23 0xffff flowid 1:20

tc filter add dev eth0 parent 1:20 protocol ip prio 1 u32 match ip dport 22 0xffff flowid 20:1
tc filter add dev eth0 parent 1:20 protocol ip prio 1 u32 match ip dport 23 0xffff flowid 20:3

I imagine what you actually want to do would be different. Have some set of filters that define what goes into 1:20, then you'll need a set of filters for 1:20 specifying where in that qdisc they should go.

- Jody

On 11/3/05, Andreas Klauer wrote:
>
> On Thursday 03 November 2005 18:52, Michael Davidson wrote:
> > tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dport
> > 22 0xffff flowid 20:1
> > tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dport
> > 23 0xffff flowid 20:3
>
> Do filters actually work in between different qdiscs?
>
> I use HTB & PRIO also, but my filter puts packets from the HTB qdisc to
> the
> HTB leaf class first, and then another filter puts packets from the PRIO
> qdisc in the correct PRIO band.
>
> HTH
> Andreas
From tuttle at bbs.cvut.cz Fri Nov 4 09:06:20 2005
From: tuttle at bbs.cvut.cz (Vlada Macek)
Date: Fri Nov 4 09:06:26 2005
Subject: [LARTC] Re: must cut the line down too much for shaping to work
In-Reply-To: <2af436490511021138h25545f6br21e9408e2e3b2b1@mail.gmail.com>
References: <4368C7F0.6030104@bbs.cvut.cz> <4368CE11.6090308@bbs.cvut.cz> <2af436490511021138h25545f6br21e9408e2e3b2b1@mail.gmail.com>
Message-ID: <436B167C.7090107@bbs.cvut.cz>

[At 02.11.2005 20:38, Jody Shumaker kindly sent the following quotation.]
> i'm only sacrificing 4kbit on my 512kbit uplink and i'm getting the
> results I want. Can you be more specific as to how it was
> "failing" when you had it set closer to the actual link speed?

Sure, I just tried to keep the message as short as possible, expecting that it would be clear what I was talking about. Sorry.

> The reason to keep the speed limit under the actual connection is
> more of a latency issue. The reason to do it is so you keep the
> queue on your server and thus can guarantee lower latency for
> certain things. From the sound of your setup, a 2:1:1 ratio split,
> the latency thing isn't really an issue at all. I don't see why
> you couldn't just keep it as the actual connection bandwidth.
>
> Please say what didn't work instead of just saying "didn't work as
> expected" or "No shaping." Give some detailed output that you're
> basing this statement on.

Ok, I'll describe the test case. None of the measurements was a matter of seconds; I always waited at least 30 seconds until the situation stabilized.

I worked with three xterms, each in one of the regions, each wgetting a big file from a different quick internet server.

One station without HTB on the router got the data as quick as 29-30 KB/s (real and pretty stable speed). I take this as 100% bandwidth. Still without HTB, I started all three wgets and they fairly shared the 100% bandwidth.
But I said I wish a 2:1:1 ratio (128-64-64 ideally) and this was not reached with HTB's 256 kbit ceil: the bandwidth was still shared 1:1:1. I concluded that the shaping does not work and one line could therefore dominate the line, keeping down the others when the line is stressed.

Some 2:1:1 results came when I set ceil down to about 220-225kbit. Then the first line's wget was truly getting data twice as quick as the other ones. This agreed with the statements in articles that I always need to give away some precious bandwidth to be able to shape it. And with this setting, even one wget gets the data at about 26 KB/s rate, which is a pretty big loss from our point of view (big real bandwidth cost from the ISP).

So, my shaping works, but the cost is big. I was asking here whether this cost is normal or I could have something untuned in the setup.

> My best suggestion on the limited information would be to maybe set
> it up with a root class of 256kbit, then setup the child classes
> as 120-60-60 with borrowing. In my own usage, leaving some free
> bandwidth that every subclass has to borrow from seems to work
> better than assigning it all.

I'll try it, when we turn the shaping on, even though I doubt it will work. But I do not know much about it, we'll see.

===

One more question in case someone here knows, sorry about overweighting the message: The reason we had to turn the shaping off temporarily was that we experienced a blackout and our D-Link DGS-1248T switch forgot all its settings (namely VLANs) without power. We are currently not able to find out whether it's usual (and how to defend against it) or we got a defective piece. If you have a clue, please drop me a note.

Thanks in advance!

- --
\//\/\
(Sometimes credited as 1494 F8DD 6379 4CD7 E7E3 1FC9 D750 4243 1F05 9424.)
From tobia.conforto at linux.it Fri Nov 4 11:13:22 2005
From: tobia.conforto at linux.it (Toby)
Date: Fri Nov 4 11:13:29 2005
Subject: [LARTC] Cannot get htb & prio working together.
In-Reply-To: <2af436490511031411o6a739104vc0980f2fefd5cc1e@mail.gmail.com>
References: <436A4E6B.6090506@bbd.co.za> <200511031909.06811.Andreas.Klauer@metamorpher.de> <2af436490511031411o6a739104vc0980f2fefd5cc1e@mail.gmail.com>
Message-ID: <20051104101322.GB26102@ikkoku.ath.cx>

Jody Shumaker wrote:
> tc filter add ... parent 1:0 ... match ip dport 22 0xffff flowid 1:20
> tc filter add ... parent 1:0 ... match ip dport 23 0xffff flowid 1:20
>
> tc filter add ... parent 1:20 ... match ip dport 22 0xffff flowid 20:1
> tc filter add ... parent 1:20 ... match ip dport 23 0xffff flowid 20:3
                          ^^^^ you mean 20: here

The last two filters need to have 20: as parent, if you want to keep each filter inside a single qdisc.

Toby

--
UNIX is a lever for the intellect. -John R. Mashey

From lartc at dervishd.net Fri Nov 4 11:17:43 2005
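Three HTB pitfalls recur in the threads above: Rudi's "20kbps" that the stats show as 160000bit (tc reads a "bps" suffix as bytes per second), Tobia's parent classes rated below the sum of their children, and Michael's filters attached to htb 1: with flowids in prio 20: (which Jody's "parent 1:20" version still has; Toby's "parent 20:" fixes it). The lint script below is an added example, not code from any poster; it parses a tc script with awk and reports all three, assuming one command per line with no shell variables or backslash continuations, and the script it checks is a constructed sample.

```shell
#!/bin/sh
# lint_tc: read a tc script on stdin and report three HTB mistakes from the threads above.
#  1. a rate with a "bps" suffix: tc reads that as BYTES per second, so 20kbps is 160000bit
#  2. a parent class whose rate is below the sum of its children's rates
#     (devik's manual: the parent rate should be the sum of the child rates)
#  3. a filter whose flowid lies in a different qdisc than the one it is attached to
#     (a filter on htb 1: cannot deliver into prio 20:; it needs a second filter with parent 20:)
# Assumptions of this added example: one command per line, no backslash continuations,
# no shell variables; only "tc class add" and "tc filter add" lines are inspected.
lint_tc() {
    awk '
    # "1:" and "1:0" name the same handle; compare them in one spelling
    function norm(h)  { if (h ~ /:$/) h = h "0"; return h }
    function major(h) { sub(/:.*/, "", h); return h }
    # convert a tc rate string to kbit: suffixes bit/kbit/mbit/bps/kbps/mbps, case-insensitive
    function to_kbit(r,    n) {
        r = tolower(r); n = r + 0               # awk takes the leading number
        if (r ~ /bps$/) n *= 8                  # bytes per second -> bits per second
        if (r ~ /^[0-9.]*m/) n *= 1000          # mega -> kilo
        else if (r !~ /^[0-9.]*k/) n /= 1000    # plain bit or bps -> kilo
        return n
    }
    $1 == "tc" && $2 == "class" && $3 == "add" {
        p = ""; c = ""; r = ""
        for (i = 4; i <= NF; i++) {
            if ($i == "parent")  p = norm($(i + 1))
            if ($i == "classid") c = norm($(i + 1))
            if ($i == "rate")    r = $(i + 1)
        }
        if (c !~ /:/)
            printf "class %s: classid has no major number (expected %s:%s)\n", c, major(p), c
        if (tolower(r) ~ /bps$/)
            printf "class %s: rate %s is bytes/s in tc, i.e. %dkbit\n", c, r, to_kbit(r)
        rate[c] = to_kbit(r)
        childsum[p] += to_kbit(r)
    }
    $1 == "tc" && $2 == "filter" && $3 == "add" {
        p = ""; f = ""
        for (i = 4; i <= NF; i++) {
            if ($i == "parent") p = norm($(i + 1))
            if ($i == "flowid") f = norm($(i + 1))
        }
        if (f != "" && major(p) != major(f))
            printf "filter on %s: flowid %s is in another qdisc, packets will not be classified\n", p, f
    }
    END {
        for (p in childsum)
            if (p in rate && childsum[p] > rate[p])
                printf "class %s: rate %dkbit is below the %dkbit its children add up to\n", p, rate[p], childsum[p]
    }'
}

# Constructed sample (not any poster's script): each mistake once, plus one correct prio filter.
sample_script() {
    cat <<'EOF'
tc qdisc add dev eth0 root handle 1: htb default 12
tc class add dev eth0 parent 1: classid 1:1 htb rate 20kbps ceil 20kbps
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 30kbit ceil 120kbit
tc class add dev eth0 parent 1:1 classid 1:30 htb prio 30 rate 149kbit
tc class add dev eth0 parent 1:30 classid 1:31 htb prio 31 rate 112kbit
tc class add dev eth0 parent 1:30 classid 1:32 htb prio 32 rate 112kbit
tc class add dev eth0 parent 1:30 classid 33 htb rate 10kbit
tc qdisc add dev eth0 parent 1:20 handle 20: prio
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dport 22 0xffff flowid 20:1
tc filter add dev eth0 parent 1:20 protocol ip prio 1 u32 match ip dport 23 0xffff flowid 20:3
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dport 22 0xffff flowid 1:20
tc filter add dev eth0 parent 20: protocol ip prio 1 u32 match ip dport 23 0xffff flowid 20:3
EOF
}

# Print the findings for the sample; one line per finding.
lint_sample() {
    sample_script | lint_tc
}

lint_sample
```

Run it against a real script with `lint_tc < shaper.sh`; the parent-rate check treats the root class's own parent "1:" as unknown and skips it.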
From: lartc at dervishd.net (DervishD)
Date: Fri Nov 4 11:16:32 2005
Subject: [LARTC] Latency/burst problem with HTB
Message-ID: <20051104101743.GA83@DervishD>

Hi all :)

I'm new to this list, as I'm new too to traffic shaping ;)

I've set up an FTP server on my ADSL line and I wanted it to serve as fast as possible as long as I don't use my outgoing ADSL bandwidth, and I'm currently using HTB for that (successfully, I must add). The problem is (when the FTP server is serving higher than its "rate" and near to its "ceil") that protocols like SMTP or POP-3, when I use them as a client, slow to a crawl because, being short-burst in nature, they never use the speed I have configured for them :((

I don't know if I'm missing something, but other protocols seem to work OK. For example, when I browse the web, pages start to download slowly, DNS queries are very slow, but once the pages start downloading, speed is pretty good.

My setup is a few PCs connected to an ADSL router using Ethernet cards, and I'm only shaping outgoing traffic in one box, the one serving FTP. The other boxes are more or less inactive.

My shaping has an HTB discipline at root:

tc qdisc add dev eth0 root handle 1: htb default 110

I've played with r2q, because it assigns too big a quantum to some classes and too small a quantum to others, until I noticed that using the default r2q assigned a very big quantum to classes that I want big quantums for and a very small quantum to classes I want very small quantums for.

After that I add a base class to be able to borrow bandwidth, although I'm not sure now if that's a good idea:

tc class add dev eth0 parent 1: classid 1:1 htb rate 100Mbit ceil 100Mbit

This class has the speed and ceil of my Ethernet card (100Mbit).
Now I add two major classes, one for general LAN traffic and the other for Ethernet traffic to the ADSL router:

# Hi speed class
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 95Mbit ceil 95Mbit
tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10

# Low speed class (ADSL)
tc class add dev eth0 parent 1:1 classid 1:11 htb rate 256kbit ceil 256kbit

As you can see, bandwidth cannot be borrowed, so I think I could get rid of 1:1. Anyway, this shouldn't make any difference for the bursty protocols that are now slow.

In the hi-speed class I use 95 as rate and ceil because, these being averaged values, I prefer to slow down LAN traffic and ensure I always have a bit of unused Ethernet slots so the low speed (ADSL) class doesn't have to wait. Should I specify (100M-256k)bit for rate and ceil here?

The low speed class gets 256kbit although my ADSL is capable of uploading at 300kbit. I give a bit to the other box that may use the ADSL and runs an operating system without shaping ;) I want to make sure that box has at least 50kbit more or less, no matter if I'm serving FTP from my box.

For general LAN traffic I've chosen an SFQ queue discipline since I sometimes use many protocols at a time and adding a bit of fairness is desirable, although a pfifo_fast will probably work here, too.

Last, I add two classes below the ADSL class, one to shape FTP traffic, the other class to shape the rest of the traffic.

# Other ADSL traffic
tc class add dev eth0 parent 1:11 classid 1:110 htb rate 192kbit ceil 256kbit prio 0
tc qdisc add dev eth0 parent 1:110 handle 110: sfq perturb 10

# To filter FTP traffic
tc class add dev eth0 parent 1:11 classid 1:111 htb rate 64kbit ceil 256kbit prio 1

Here are the most important classes. They share bandwidth, because I want the FTP server to borrow traffic if the ADSL is otherwise unused. The FTP server gets 8Kbps and the rest of the traffic 24kbps.
Finally, the filters:

tc filter add dev eth0 prio 1 protocol ip parent 1:0 \
    u32 match ip dst 192.168.0.0/24 flowid 1:10
tc filter add dev eth0 prio 2 protocol ip parent 1:0 \
    u32 match ip sport 0x3000 0x3000 flowid 1:111
tc filter add dev eth0 prio 2 protocol ip parent 1:0 \
    u32 match ip sport 0x4000 0x4000 flowid 1:111
# posted as "sport 0x20 0xff", which matches port 32 (0x20), not FTP-data port 20 (0x14)
tc filter add dev eth0 prio 2 protocol ip parent 1:0 \
    u32 match ip sport 20 0xffff flowid 1:111

I'm serving passive FTP only on ports from 0x3000 to 0x4fff, and active FTP on port 20. The rest of the LAN traffic (including FTP) is sent to the hi-speed class.

As you can see, I give more priority to general ADSL traffic, and I'm sure such traffic is NEVER 24kbps, always much less than that, but if someone is using my FTP server at, let's say, 15kbps (borrowing bandwidth and still with a backlog of 15-30 packets, I can tell from the "tc -d -s" stats), if I try to download 300kB of email using POP-3, the client slows to a crawl. If I browse many small pages, the speed is slow. At the same time, browsing large pages or downloading gcc-4.0.2 ;) gives a speed more or less similar to what I would have without shaping and without the FTP server (well, a bit less because the "burst effect" affects these transmissions too and the slower pace of the ack packets makes the FTP download a bit slower).

I've played with burst and cburst values, and increasing burst in class 1:110 (ADSL general traffic) and its parents to 16kb helps a bit, as does decreasing the burst in 1:111 (FTP traffic thru ADSL), but I still get high latency, slow downloads, etc. If I stop borrowing bandwidth things go a bit better, but I want to share bandwidth.

Am I doing anything wrong (probably a lot of things...)? Is slow latency and slow "bursted protocols" a price to pay to have bandwidth sharing and shaping? Is there any value I can tweak to make general ADSL traffic more responsive? As you can see from the commands above, I've assigned a higher priority to it to slow down latency, but...
Thanks a lot in advance. I've read HTB documentation and, while it is good and informative, it's not enough (for me) to know how to solve this problem. I don't want to use any other qdisc because I need a classful one and I don't fully understand CBQ (I understand HTB MUCH better).

Thanks again and pleased to meet you :)

Raúl Núñez de Arenas Coronado

-- 
Linux Registered User 88736 | http://www.dervishd.net
http://www.pleyades.net & http://www.gotesdelluna.net
It's my PC and I'll cry if I want to...

From rsenykoff at harrislogic.com Fri Nov 4 17:15:17 2005
From: rsenykoff at harrislogic.com (Ron Senykoff)
Date: Fri Nov 4 17:22:26 2005
Subject: [LARTC] Open Source Project "Q*Box" Launched
Message-ID: 

Hello all.

I created a "plug and play" kind of solution for bridge-based QoS LAN-WAN traffic shaping. Based on the LEAF bering-uClibc branch, I'm calling it 'QBox' and the project site for now is located at:

http://content.cs.luc.edu/projects/comp412/q-box

I'm interested in any feedback you might have. This is based off of experience I have over the last couple years maintaining custom QoS builds shaping video, citrix, and VoIP all at one site (plus regular internet etc). The current build takes about 2.5 MB on CF and I should have that pared down further before long. Haven't had the chance to do any stress testing yet, but the manufacturer of the board claims that you can get 50Mbps routed through it. Once I add Layer 7 filtering I doubt we'll be able to sustain that though.

Thanks,
-Ron

From rsenykoff at harrislogic.com Fri Nov 4 19:44:36 2005
From: rsenykoff at harrislogic.com (Ron Senykoff)
Date: Fri Nov 4 20:13:44 2005
Subject: [LARTC] Open Source Project "Q*Box" Launched
In-Reply-To: <979F16C43033B44F8E8A65AE08D0847A016BD6@server.superiorholidayadventures.ca>
References: <979F16C43033B44F8E8A65AE08D0847A016BD6@server.superiorholidayadventures.ca>
Message-ID: 

> This looks really neat! I considered building something similar in the
> past but never got around to. Have you considered adding MRTG or
> Cricket for graphing?

Great suggestions. I definitely want to include monitoring tools. I have used ntop before, but ran into performance issues even on a T-1 link (Pentium Pro proc) -- but come to think of it I was also doing some heavy monitoring of the queues. MRTG and Cricket look to be much lighter weight. Do you have experience with which one would require less CPU?

Thanks,
-Ron

From gentoo at databit7.com Fri Nov 4 22:28:11 2005
From: gentoo at databit7.com (Hammond, Robin-David%KB3IEN)
Date: Fri Nov 4 22:28:35 2005
Subject: [LARTC] Re: must cut the line down too much for shaping to work
In-Reply-To: <436B167C.7090107@bbs.cvut.cz>
References: <4368C7F0.6030104@bbs.cvut.cz> <4368CE11.6090308@bbs.cvut.cz> <2af436490511021138h25545f6br21e9408e2e3b2b1@mail.gmail.com> <436B167C.7090107@bbs.cvut.cz>
Message-ID: 

I am using a netbsd machine to shape as 768k dsl for voip+ traditional uses. I have been using HFSC queuing quite effectively for some months. I too have had to cap the pipe at 740 kbps. Part of this is the aforementioned need for lowest latency possible, but one also loses overhead to framing; in the case of IP over 802.3 there are at least 38 if not 42 bytes out of every 1500 (assuming you are using the MTU of 1500, the largest MTU allowed on 802.3). Then you may not have a 512kb uplink of ether, you might have 512kb of ATM bandwidth which is another set of framing overhead. Normally one can expect to lose a few % here as well.

For best results, defragment everything going in or out, use TCP SYN/ACK compression. And yes using IP6 is an advantage as the IP headers are smaller.

In short, if you are finding discrepancies in usable vs paid-for bandwidth, look to the frames. If you are still having problems, test the line. Rarely is the problem with the cpu/ram/NIC not being responsive enough. Sometimes the speed regulation isn't quite what the ATM bridge is expecting and you can lose packets on the bridge if they don't get cached well enough. Using a high quality onboard ISDN or Frame Driver can avert these problems I am told.

But I am happy to have 740k out of 768k knowing that the boss's telephone won't splutter.

On Fri, 4 Nov 2005, Vlada Macek wrote:

> Date: Fri, 04 Nov 2005 09:06:20 +0100
> From: Vlada Macek
> To: lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] Re: must cut the line down too much for shaping to work
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> [At 02.11.2005 20:38, Jody Shumaker kindly sent the following quotation.]
>
>> i'm only sacrificing 4kbit on my 512kbit uplink and i'm getting the
>> results I want. Can you be more specific as to how it was
>> "failing" when you had it set closer to the actual link speed?
>
> Sure, I just tried to keep the message as short as possible, expecting
> that it will be clear what I was talking about. Sorry.
>
>> The reason to keep the speed limit under the actual connection is
>> more of a latency issue. The reason to do it is so you keep the
>> queue on your server and thus can guarantee lower latency for
>> certain things. From the sound of your setup, a 2:1:1 ratio split,
>> the latency thing isn't really an issue at all. I don't see why
>> you couldn't just keep it as the actual connection bandwidth.
>>
>> Please say what didn't work instead of just saying "didn't work as
>> expected" or "No shaping." Give some detailed output that you're
>> basing this statement on.
>
> Ok, I'll describe the testcase. All measures were not a matter of
> seconds, I always waited at least 30 seconds until the situation
> stabilized.
>
> I worked with three xterms, each in one of the regions, each wgetting a
> big file from a different quick internet server. One station without
> HTB on the router got the data as quick as 29-30 KB/s (real and pretty
> stable speed). I take this as 100% bandwidth.
>
> Still without HTB, I started all three wgets and they fairly shared
> the 100% bandwidth. But I said I wish 2:1:1 ratio (128-64-64 ideally)
> and this was not reached with HTB's 256 kbit ceil - the bandwidth was
> still shared 1:1:1. I concluded that the shaping does not work and one
> line could therefore dominate the line, keeping down the others when
> the line is stressed.
>
> Some 2:1:1 results came when I set ceil down to about 220-225kbit.
> Then the first line's wget was truly getting data twice as quick as
> the other ones. This agreed with the statements in articles that I
> always need to give away some precious bandwidth to be able to shape
> it. And with this setting, even one wget gets the data at about 26
> KB/s rate, which is a pretty big loss from our point of view (big real
> bandwidth cost from the ISP).
>
> So, my shaping works, but the cost is big. I was asking here whether
> this cost is normal or I could have something untuned in the setup.
>
>> My best suggestion on the limited information would be to maybe set
>> it up with a root class of 256kbit, then setup the child classes
>> as 120-60-60 with borrowing. In my own usage, leaving some free
>> bandwidth that every subclass has to borrow from seems to work
>> better than assigning it all.
>
> I'll try it, when we turn the shaping on, even when I doubt it will
> work. But I do not know about it much, we'll see.
>
> ===
>
> One more question in case someone here knows, sorry about
> overweighting the message: The reason we had to turn the shaping off
> temporarily was that we experienced a blackout and our D-Link
> DGS-1248T switch forgot all its settings (namely VLANs) without power.
> We are currently not able to find out whether it's usual (and how to
> defend) or we got a defective piece. If you have a clue, please drop
> me a note.
>
> Thanks in advance!
>
> - --
>
> \//\/\
> (Sometimes credited as 1494 F8DD 6379 4CD7 E7E3 1FC9 D750 4243 1F05 9424.)
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFDaxZ211BCQx8FlCQRAkRQAKCTPnfRggv1TwVzUKXIr3fHoBkV/ACgnB39
> wu+abfujhVSPmhykW15cOos=
> =iiS9
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

Microsoft: Where do you want to go tomorrow?
Linux: Where do you want to go today?
BSD: Are you guys coming, or what?

Robin-David Hammond KB3IEN
www.aresnyc.org.

From nix4me at cfl.rr.com Sat Nov 5 01:57:23 2005
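Robin-David's point above, that a 1500-byte IP packet costs 38 (or 42 with a VLAN tag) extra bytes of line time on 802.3 and that an ATM-based DSL uplink adds a second layer of cell overhead, can be put into numbers to decide how far below the nominal rate a shaper's ceil has to sit. The block below is an added example written for this archive page; it is not code from the LARTC list, from wondershaper or from any project mentioned in the thread. It uses the standard IEEE 802.3 frame costs and AAL5/ATM cell sizes; the per-packet ATM encapsulation overhead is an assumed parameter, because it depends on the DSL encapsulation (PPPoA, PPPoE, LLC/SNAP) in use.

```python
"""Framing-overhead calculator for choosing a shaper ceil below the line rate.

Added example, not code from the LARTC list or any project it mentions.
Constants are standard IEEE 802.3 and ATM/AAL5 sizes; the ATM encapsulation
overhead per packet is an assumption supplied by the caller.
"""
import math

# IEEE 802.3 per-frame costs that carry no IP payload but still take line time.
ETH_PREAMBLE_SFD = 8    # preamble + start-of-frame delimiter
ETH_HEADER = 14         # dst MAC + src MAC + ethertype
ETH_FCS = 4             # frame check sequence
ETH_IFG = 12            # minimum inter-frame gap
ETH_VLAN_TAG = 4        # 802.1Q tag, when present
ETH_MIN_PAYLOAD = 46    # shorter payloads are padded on the wire

# ATM: 53-byte cells carrying 48 bytes; AAL5 adds an 8-byte trailer and pads to whole cells.
ATM_CELL = 53
ATM_CELL_PAYLOAD = 48
AAL5_TRAILER = 8


def ethernet_wire_bytes(ip_len: int, vlan: bool = False) -> int:
    """Line-time bytes one IP packet of ip_len bytes costs on 802.3.

    For a 1500-byte packet this is 1538 (38 bytes overhead) or 1542 with a VLAN tag,
    the figures given in the post above.
    """
    payload = max(ip_len, ETH_MIN_PAYLOAD)
    overhead = ETH_PREAMBLE_SFD + ETH_HEADER + ETH_FCS + ETH_IFG
    if vlan:
        overhead += ETH_VLAN_TAG
    return payload + overhead


def atm_wire_bytes(ip_len: int, encap_overhead: int) -> int:
    """Line-time bytes one IP packet costs on an AAL5/ATM link.

    encap_overhead is the per-packet encapsulation cost (assumed; it depends on
    the DSL encapsulation). The packet plus encapsulation plus AAL5 trailer is
    padded to whole 48-byte cells, and each cell carries a 5-byte header.
    """
    sdu = ip_len + encap_overhead + AAL5_TRAILER
    cells = math.ceil(sdu / ATM_CELL_PAYLOAD)
    return cells * ATM_CELL


def usable_fraction(ip_len: int, wire_bytes: int) -> float:
    """Share of the line rate that ends up as IP-level throughput for this packet size."""
    return ip_len / wire_bytes


def safe_ceil_kbit(link_kbit: int, ip_len: int, wire_bytes: int) -> int:
    """Largest IP-level rate (kbit/s) that fits into link_kbit once framing is paid for.

    Setting the HTB/HFSC ceil above this value for the given packet size pushes the
    queue back into the modem, which is exactly what the shaper is trying to avoid.
    """
    return math.floor(link_kbit * usable_fraction(ip_len, wire_bytes))


def overhead_table(link_kbit: int, encap_overhead: int) -> dict:
    """Safe ceils for full-size packets and for 40-byte ACKs, on 802.3 and on ATM."""
    rows = {}
    for label, ip_len in (("1500-byte packets", 1500), ("40-byte ACKs", 40)):
        rows[label] = {
            "ethernet": safe_ceil_kbit(link_kbit, ip_len, ethernet_wire_bytes(ip_len)),
            "atm": safe_ceil_kbit(link_kbit, ip_len, atm_wire_bytes(ip_len, encap_overhead)),
        }
    return rows


if __name__ == "__main__":
    # 512 kbit uplink as in the thread; 10 bytes of ATM encapsulation is an assumed value.
    for label, row in overhead_table(512, 10).items():
        print(f"{label}: ethernet ceil {row['ethernet']} kbit, atm ceil {row['atm']} kbit")
```

For a 512 kbit uplink the calculation gives about 499 kbit of usable IP throughput over plain Ethernet but only about 452 kbit over ATM with 1500-byte packets, and far less per byte for 40-byte ACKs, which is why a shaper that protects VoIP has to be set conservatively and why the thread's "give away a few percent" advice is framing, not a tuning defect.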
From: nix4me at cfl.rr.com (nix4me)
Date: Sat Nov 5 01:57:31 2005
Subject: [LARTC] ftp shaping and excluding ls packets
Message-ID: <436C0373.7080804@cfl.rr.com>

Hi,

I am currently using a script to shape my outbound ftp traffic. Works great except for 1 thing. When a user goes to list a dir, the listing is also getting shaped. This causes dir listings to be very slow. Is there a way to differentiate the dir listing packets?

Here is my current script:

#!/bin/bash
# shaping passive and active outbound ftp traffic on an internal computer without affecting inbound and lan speed

# mark the outbound passive ftp packets on ports 50000-51000
iptables -t mangle -D OUTPUT -o eth0 -j MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -F MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -X MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -N MYSHAPER-OUT
iptables -t mangle -I OUTPUT -o eth0 -j MYSHAPER-OUT
iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 20
iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 59999 -j MARK --set-mark 26
iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 50000:51000 -j MARK --set-mark 26
iptables -t mangle -A MYSHAPER-OUT -p tcp -m length --length :64 -j MARK --set-mark 30

# clear it (ignore the error on the first run, when there is no root qdisc yet)
tc qdisc del dev eth0 root 2> /dev/null

#add the root qdisc
tc qdisc add dev eth0 root handle 1: htb default 20

#add main rate limit class
tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit

#add leaf classes
tc class add dev eth0 parent 1:1 classid 1:2 htb rate 100mbit
tc class add dev eth0 parent 1:1 classid 1:3 htb rate 40kbps
tc class add dev eth0 parent 1:3 classid 1:31 htb rate 30kbps ceil 40kbps prio 2
tc class add dev eth0 parent 1:3 classid 1:32 htb rate 10kbps ceil 34kbps prio 1

#filter traffic into classes
tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 20 fw flowid 1:2
tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 26 fw flowid 1:31
tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 30 fw flowid 1:32

Thanks,
Mark

From gypsy at iswest.com Sat Nov 5 04:58:17 2005
From: gypsy at iswest.com (gypsy)
Date: Sat Nov 5 04:58:03 2005
Subject: [LARTC] Open Source Project "Q*Box" Launched
References: 
Message-ID: <436C2DD9.6C642429@iswest.com>

Ron Senykoff wrote:
>
> Hello all.
>
> I created a "plug and play" kind of solution for bridge-based QoS
> LAN-WAN traffic shaping. Based on the LEAF bering-uClibc branch, I'm
> calling it 'QBox' and the project site for now is located at:
>
> http://content.cs.luc.edu/projects/comp412/q-box

The qboxWhitepaper.pdf paragraph 2.1 is chopped off.

Neat idea. I intend to try it out. Thanks!
-- 
gypsy

From rsenykoff at harrislogic.com Sat Nov 5 05:44:03 2005
From: rsenykoff at harrislogic.com (Ron Senykoff)
Date: Sat Nov 5 05:44:07 2005
Subject: [LARTC] Open Source Project "Q*Box" Launched
In-Reply-To: <436C2DD9.6C642429@iswest.com>
References: <436C2DD9.6C642429@iswest.com>
Message-ID: 

On 11/4/05, gypsy wrote:
>
> The qboxWhitepaper.pdf paragraph 2.1 is chopped off.
>
> Neat idea. I intend to try it out. Thanks!

Thanks for letting me know about the chopped off paragraph. I'm putting out v0.2 now which will fix a reboot issue (I forgot to set the watchdog timer up correctly on my last build) and add the parameter for defining the gateway in the networking configuration file. Everything else has been rock solid for me over the last couple weeks. Let me know if you have any questions.

-Ron

From michael at bbd.co.za Sat Nov 5 10:53:40 2005
From: michael at bbd.co.za (Michael Davidson)
Date: Sat Nov 5 10:53:59 2005
Subject: [LARTC] Cannot get htb & prio working together.
In-Reply-To: <20051104101322.GB26102@ikkoku.ath.cx>
References: <436A4E6B.6090506@bbd.co.za> <200511031909.06811.Andreas.Klauer@metamorpher.de> <2af436490511031411o6a739104vc0980f2fefd5cc1e@mail.gmail.com> <20051104101322.GB26102@ikkoku.ath.cx>
Message-ID: <436C8124.2030206@bbd.co.za>

Hi,

I've tried the multi tier filtering as suggested, but it didn't do the trick unfortunately. The filters were accepted at the command line but when I do "tc -s -d filter show dev eth0" the only filters displayed are those with "root" as the parent. Below is my current script.

tc qdisc add dev eth0 root handle 1: htb
tc class add dev eth0 parent 1: classid 1:1 htb rate 120kbit
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 30kbit ceil 120kbit
tc qdisc add dev eth0 parent 1:20 handle 20: prio
#
#Note: With a "prio" qdisc the class ID's of 20:1 to 3 are automatically provided
#
tc qdisc add dev eth0 parent 20:1 handle 201: sfq
tc qdisc add dev eth0 parent 20:2 handle 202: sfq
tc qdisc add dev eth0 parent 20:3 handle 203: sfq

tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dport 22 0xffff flowid 1:20
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dport 23 0xffff flowid 1:20
tc filter add dev eth0 parent 20:0 protocol ip prio 1 u32 match ip dport 22 0xffff flowid 20:1
tc filter add dev eth0 parent 20:0 protocol ip prio 1 u32 match ip dport 23 0xffff flowid 20:3

Regards
Mike.

Toby wrote:
>Jody Shumaker wrote:
>
>>tc filter add ... parent 1:0 ... match ip dport 22 0xffff flowid 1:20
>>tc filter add ... parent 1:0 ... match ip dport 23 0xffff flowid 1:20
>>
>>tc filter add ... parent 1:20 ... match ip dport 22 0xffff flowid 20:1
>>tc filter add ... parent 1:20 ... match ip dport 23 0xffff flowid 20:3
>>
> ^^^^ you mean 20: here
>
>The last two filters need to have 20: as parent, if you want to keep
>each filter inside a single qdisc.
>
>Toby

-- 
Regards
Mike.

Michael Davidson
Barone Budge & Dominick
Email: michael@bbd.co.za
Office: +27 11 532 8380
BB&D : +27 11 532 8300
Fax: +27 11 532 8400
Mobile: +27 82 650 5707
Home: +27 11 452 4423

This e-mail is confidential and subject to the disclaimer published at http://www.bbd.co.za

From tobia.conforto at linux.it Sat Nov 5 12:10:30 2005
From: tobia.conforto at linux.it (Toby)
Date: Sat Nov 5 12:10:35 2005
Subject: [LARTC] Latency/burst problem with HTB
In-Reply-To: <20051104101743.GA83@DervishD>
References: <20051104101743.GA83@DervishD>
Message-ID: <20051105111030.GC26102@ikkoku.ath.cx>

DervishD wrote:
> tc filter add dev eth0 ... ip sport 0x3000 0x3000 flowid 1:111
> tc filter add dev eth0 ... ip sport 0x4000 0x4000 flowid 1:111
> tc filter add dev eth0 ... ip sport 0x20 0xff flowid 1:111
>
> I'm serving passive FTP only in ports from 0x3000 to 0x4fff, and
> active FTP in port 20.

Then you should use the following port numbers in your filters:

0x3000 0xf000
0x4000 0xf000
20 0xffff

The first two of your filters were matching more ports than needed, while the latter WAS NOT MATCHING YOUR ACTIVE FTP TRAFFIC AT ALL.

I suggest you read a tutorial on ip addresses and netmasks, that should cover the basics of how bitmasks work.

> Is there any value I can tweak to make general ADSL traffic more
> responsive?

Yes, you can make another HTB class, let's call it 1:112, for ICMP traffic (ie. ping, port unreachable...) and very small TCP packets (SYN, ACK, RST... all that stuff) and give it the highest priority. That's a good place to put interactive SSH traffic too, if you use it:

#low-latency class
#remember to give sibling classes different priorities, >0
tc class add dev eth0 parent 1:11 classid 1:112 \
    htb rate 1kbit ceil 256kbit prio 0

#small TCP packets, <64bytes
tc filter add dev eth0 prio 2 protocol ip parent 1:0 u32 \
    match ip protocol 6 0xff \
    match u8 0x05 0x0f at 0 \
    match u16 0x0000 0xffc0 at 2 \
    flowid 1:112

#ICMP
tc filter add dev eth0 prio 2 protocol ip parent 1:0 u32 \
    match ip protocol 1 0xff \
    flowid 1:112

#interactive SSH traffic (NOT including scp, x11 tunnels...)
tc filter add dev eth0 prio 2 protocol ip parent 1:0 u32 \
    match ip dport 22 0xffff \
    match ip tos 0x10 0xff \
    flowid 1:112

By the way, I didn't invent all this, it's by Bert Hubert.
You should check his wondershaper script: http://lartc.org/wondershaper/

Toby

-- 
UNIX is a lever for the intellect. -John R. Mashey

From tobia.conforto at linux.it Sat Nov 5 12:21:46 2005
From: tobia.conforto at linux.it (Toby)
Date: Sat Nov 5 12:21:51 2005
Subject: [LARTC] ftp shaping and excluding ls packets
In-Reply-To: <436C0373.7080804@cfl.rr.com>
References: <436C0373.7080804@cfl.rr.com>
Message-ID: <20051105112146.GD26102@ikkoku.ath.cx>

nix4me wrote:
> When a user goes to list a dir, the listing is also getting shaped.
> This causes dir listings to be very slow.
> Is there a way to differentiate the dir listing packets?

Only if your ftp server software can send dir lists on different ports and/or with different IP TOS flags. If it doesn't and you're using open source software it shouldn't be difficult to hack it yourself to set for example IPTOS_LOWDELAY when sending dir lists, then use iptables --tos to put it into a different class.

See how OpenSSH sets IP TOS flags in packet.c: packet_set_tos()

Toby

-- 
UNIX is a lever for the intellect. -John R. Mashey

From tobia.conforto at linux.it Sat Nov 5 13:20:19 2005
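Toby's "Latency/burst problem with HTB" reply above makes two points about u32 filters that are easy to get wrong: a value/mask pair selects every port whose masked bits equal the masked value (so `0x3000 0x3000` selects far more than 0x3000-0x3fff and `0x20 0xff` never selects port 20), and the small-packet filter is three raw header selectors (`protocol 6 at byte 9`, `IHL == 5 at byte 0`, `total length < 64 at bytes 2-3`). The block below is an added example written for this archive page, not code from the LARTC list, from iproute2 or from wondershaper; it emulates the selectors on constructed packets so a filter's real coverage can be checked before it is loaded. It assumes iproute2's u32 semantics, where the key is compared as (field & mask) == (value & mask), and that `match ip sport` reads the 16 bits at byte offset 20 of the IP packet (the source port only when the header carries no options, as the "at 20" in DervishD's `tc filter show` output suggests).

```python
"""Emulation of tc u32 'match' semantics on constructed packets.

Added example, not code from the LARTC list, iproute2 or wondershaper.
Assumptions: key compared as (field & mask) == (value & mask), as iproute2
packs u32 keys; 'match ip sport' reads bytes 20-21 of the IP packet;
'match ip protocol' reads byte 9.
"""
import struct


def u32_match(packet: bytes, value: int, mask: int, offset: int, width: int) -> bool:
    """One 'match uN value mask at offset' selector applied to a raw IP packet."""
    if offset + width > len(packet):
        return False
    field = int.from_bytes(packet[offset:offset + width], "big")
    return (field & mask) == (value & mask)


def sport_matches(sport: int, value: int, mask: int) -> bool:
    """'match ip sport value mask' applied to a known 16-bit source port."""
    return (sport & 0xffff & mask) == (value & mask)


def ports_selected(filters) -> set:
    """All 16-bit source ports that at least one (value, mask) filter selects."""
    return {p for p in range(65536) for v, m in filters if sport_matches(p, v, m)}


# The three filters DervishD posted and the corrected pairs Toby proposed.
POSTED_FILTERS = [(0x3000, 0x3000), (0x4000, 0x4000), (0x20, 0xff)]
CORRECTED_FILTERS = [(0x3000, 0xf000), (0x4000, 0xf000), (20, 0xffff)]
# What the poster said he serves: passive FTP on 0x3000-0x4fff, active FTP on port 20.
INTENDED_PORTS = set(range(0x3000, 0x5000)) | {20}


def build_ipv4_packet(total_length: int, proto: int, sport: int, dport: int,
                      ihl: int = 5) -> bytes:
    """Constructed packet: IPv4 header (with zeroed option words when ihl > 5),
    the first four bytes of a TCP/UDP header, zero padding up to total_length.
    Only the fields the filters inspect carry meaningful values."""
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            (4 << 4) | ihl, 0, total_length, 0, 0, 64, proto, 0,
                            bytes([192, 168, 0, 1]), bytes([203, 0, 113, 1]))
    ip_header += bytes(4 * (ihl - 5))            # IP options, if any (constructed as zeros)
    body = ip_header + struct.pack("!HH", sport, dport)
    return body + bytes(max(0, total_length - len(body)))


def is_small_tcp(packet: bytes) -> bool:
    """The low-latency filter from the thread, selector by selector."""
    return (u32_match(packet, 6, 0xff, 9, 1)              # match ip protocol 6 0xff
            and u32_match(packet, 0x05, 0x0f, 0, 1)       # match u8 0x05 0x0f at 0: IHL 5, no options
            and u32_match(packet, 0x0000, 0xffc0, 2, 2))  # match u16 0 0xffc0 at 2: total length < 64


def sport_seen_by_filter(packet: bytes) -> int:
    """What 'match ip sport' actually compares: the 16 bits at offset 20, options or not."""
    return int.from_bytes(packet[20:22], "big")


if __name__ == "__main__":
    posted, corrected = ports_selected(POSTED_FILTERS), ports_selected(CORRECTED_FILTERS)
    print("posted filters select", len(posted), "ports; port 20 included:", 20 in posted)
    print("corrected filters select exactly the intended ports:", corrected == INTENDED_PORTS)
    ack = build_ipv4_packet(40, 6, 0x3000, 1234)
    print("40-byte TCP segment hits the low-latency filter:", is_small_tcp(ack))
```

Running it shows the posted filters selecting thousands of unintended ports (anything with bit 0x4000 set, for instance port 0x5000) while never selecting port 20, and the corrected pairs selecting exactly the intended set; it also shows the small-packet filter rejecting a 64-byte segment (the mask tests "less than 64", not "at most") and any packet carrying IP options, which is the reason for the IHL selector.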
From: tobia.conforto at linux.it (Toby)
Date: Sat Nov 5 13:20:23 2005
Subject: [LARTC] Open Source Project "Q*Box" Launched
In-Reply-To: 
References: <979F16C43033B44F8E8A65AE08D0847A016BD6@server.superiorholidayadventures.ca>
Message-ID: <20051105122019.GF26102@ikkoku.ath.cx>

Ron Senykoff wrote:
> MRTG and Cricket look to be much lighter weight. Do you have
> experience with which one would require less CPU?

I think that a SNMP daemon would require the least CPU, letting the user do his own graphing using MRTG, Cricket or any other product he might already be using to monitor other appliances.

Otherwise, if you want to include graphs in your web interface, MRTG and Cricket consume pretty much the same (usually negligible) CPU, as they both use RRDTool as a backend to collect and graph data.

Toby

-- 
UNIX is a lever for the intellect. -John R. Mashey

From nix4me at cfl.rr.com Sat Nov 5 14:26:40 2005
From: nix4me at cfl.rr.com (nix4me)
Date: Sat Nov 5 14:26:45 2005
Subject: [LARTC] ftp shaping and excluding ls packets
In-Reply-To: <20051105130554.GG26102@ikkoku.ath.cx>
References: <436C0373.7080804@cfl.rr.com> <20051105112146.GD26102@ikkoku.ath.cx> <436CAAA8.1010904@cfl.rr.com> <20051105130554.GG26102@ikkoku.ath.cx>
Message-ID: <436CB310.6060902@cfl.rr.com>

Toby wrote:
>nix4me wrote:
>
>>I have examined the packets leaving and i can't seem to pinpoint which
>>are the listings. I ran ethereal and then continually requested lists,
>>the only packets i see leaving are coming from port 60000 which is the
>>control port.
>>
>
>As far as I know listings don't go through the control port, they go
>through one of the data ports, as if you were downloading a file.
>
>That's why you cannot differentiate them from regular downloads, unless
>the server software uses a different data port or different TOS flags or
>something.
>
>Toby
>

Yes, I see them now. They are indeed leaving on a shaped port range. And the packets are larger than the ACK size that I am putting at the head of the queue.

They seem to be 1450 in length.

Mark

From unki at netshadow.at Sat Nov 5 15:00:42 2005
From: unki at netshadow.at (Andreas Unterkircher)
Date: Sat Nov 5 15:00:14 2005
Subject: [LARTC] ftp shaping and excluding ls packets
In-Reply-To: <436CB310.6060902@cfl.rr.com>
References: <436C0373.7080804@cfl.rr.com> <20051105112146.GD26102@ikkoku.ath.cx> <436CAAA8.1010904@cfl.rr.com> <20051105130554.GG26102@ikkoku.ath.cx> <436CB310.6060902@cfl.rr.com>
Message-ID: <436CBB0A.1010005@netshadow.at>

Another idea would be - if the directory which will be listed isn't too large - that you use netfilter's connbytes match. If less data is requested via ftp-data they will get a higher priority than bulk ftp-data. You can match with iptables and put them in the desired queues.

Cheers,
Andreas

nix4me wrote:
> Toby wrote:
>
>> nix4me wrote:
>>
>>> I have examined the packets leaving and i can't seem to pinpoint
>>> which are the listings. I ran ethereal and then continually
>>> requested lists, the only packets i see leaving are coming from port
>>> 60000 which is the control port.
>>
>> As far as I know listings don't go through the control port, they go
>> through one of the data ports, as if you were downloading a file.
>>
>> That's why you cannot differentiate them from regular downloads, unless
>> the server software uses a different data port or different TOS flags or
>> something.
>>
>> Toby
>>
> Yes, I see them now. They are indeed leaving on a shaped port range.
> And the packets are larger than the ACK size that I am putting at the
> head of the queue.
>
> They seem to be 1450 in length.
>
> Mark
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From lartc at dervishd.net Sat Nov 5 15:42:47 2005
From: lartc at dervishd.net (DervishD)
Date: Sat Nov 5 15:41:33 2005
Subject: [LARTC] Latency/burst problem with HTB
In-Reply-To: <20051105111030.GC26102@ikkoku.ath.cx>
References: <20051104101743.GA83@DervishD> <20051105111030.GC26102@ikkoku.ath.cx>
Message-ID: <20051105144247.GB9469@DervishD>

Hi Toby, and thanks for your answer :)

Excuse me for the long reply, but I wanted to put my current settings for tc just in case. Feel free to ignore.

* Toby dixit:
> DervishD wrote:
> > tc filter add dev eth0 ... ip sport 0x3000 0x3000 flowid 1:111
> > tc filter add dev eth0 ... ip sport 0x4000 0x4000 flowid 1:111
> > tc filter add dev eth0 ... ip sport 0x20 0xff flowid 1:111
> >
> > I'm serving passive FTP only in ports from 0x3000 to 0x4fff, and
> > active FTP in port 20.
>
> Then you should use the following port numbers in your filters:
>
> 0x3000 0xf000
> 0x4000 0xf000
> 20 0xffff
>
> The first two of your filters were matching more ports than needed,
> while the latter WAS NOT MATCHING YOUR ACTIVE FTP TRAFFIC AT ALL.
>
> I suggest you read a tutorial on ip addresses and netmasks, that
> should cover the basics of how bitmasks work.

I know how they work, but sometimes my brain doesn't work correctly ;)))) The first two are a typo, in my tc setup I have masks 0xf000 and 0xf000, I don't know why I made such a mistake, because I swear I cut'n'pasted it :??? and the third one is an error, caused because I was testing with ports 0x??20 to differentiate connections (to test settings for different FTP servers) with a hand made client that used different ports for active connections. I simply didn't put the mask back to 0xffff and worse, I didn't move to 20 *decimal* and left the 0x. I chose 0x??20 because it was easier to remember and fancier to read O:) than 0x??14. Thanks for advising, because right now I don't have active ftp traffic and I would NEVER have spotted the errors. Thanks a lot, really. And I don't understand the typo :?
I've seen the output of "tc filter show dev eth0" and it shows "match 30000000/f0000000 at 20".

> > Is there any value I can tweak to make general ADSL traffic more
> > responsive?
>
> Yes, you can make another HTB class, let's call it 1:112, for ICMP
> traffic (ie. ping, port unreachable...) and very small TCP packets
> (SYN, ACK, RST... all that stuff) and give it the highest priority.

But all that traffic goes already through a higher priority class. The "general ADSL traffic" has a higher priority (prio 0) and "ADSL outgoing FTP traffic" has prio 1 :??? Sorry but that value doesn't show in what I posted, certainly I had a problem when cutting and pasting... I had to modify what I cut because I took it from a zsh script. Here are the real contents:

TCQA="tc qdisc add dev eth0 parent"
TCCA="tc class add dev eth0 parent"
TCFA="tc filter add dev eth0 protocol ip parent"

action "Starting traffic control on eth0"

# root qdisc, defaults to ADSL other traffic
$=TCQA root handle 1: htb default 21 r2q 1

# hispeed class (Ethernet)
$=TCCA 1: classid 1:1 htb rate 95Mbit ceil 95Mbit
$=TCQA 1:1 handle 10: sfq perturb 10

# lospeed class (ADSL)
$=TCCA 1: classid 1:2 htb rate 256kbit ceil 256kbit burst 16384 cburst 8192

# Other ADSL traffic
$=TCCA 1:2 classid 1:21 htb rate 224kbit ceil 256kbit prio 0 burst 16384 cburst 8192
$=TCQA 1:21 handle 21: sfq perturb 10

# FTP thru ADSL traffic
$=TCCA 1:2 classid 1:22 htb rate 64kbit ceil 160kbit prio 1

# Filters
$=TCFA 1:0 prio 1 u32 match ip dst 192.168.0.0/24 flowid 1:1
$=TCFA 1:0 prio 2 u32 match ip sport 0x3000 0xf000 flowid 1:22
$=TCFA 1:0 prio 2 u32 match ip sport 0x4000 0xf000 flowid 1:22
$=TCFA 1:0 prio 2 u32 match ip sport 20 0xffff flowid 1:22

I removed yesterday the old 1:1 class because I want no borrowing between Ethernet general traffic and Ethernet ADSL traffic.
If I add this as you suggest (modifying identifiers)

$=TCCA 1:2 classid 1:23 htb rate 1kbit ceil 256kbit prio 0

then it will have the same priority as general traffic. I don't understand why it should improve responsiveness :? I'm going to test, of course :), but I don't understand...

> By the way, I didn't invent all this, it's by Bert Hubert.
> You should check his wondershaper script: http://lartc.org/wondershaper/

I did, but if I don't do any "borrowing" (as wondershaper seems to do), latency is low. I want low latency when borrowing. With the setup I've posted above (that is, reducing ftp ceil to 160kbit and raising adsl-general rate to 250kbit) there's almost no latency, but I would like to add a bit more of ceil to ftp traffic.

I'll test your suggestions, which I find quite interesting, and if I have success, I'll tell :) Thanks for your invaluable help, but if this works I'm afraid I won't understand why, because by default all that traffic that will be matched by the new filters will go to the fast-adsl class anyway :? Would it be because it will go out of the queue *even before* general ADSL traffic? I think that's the reason, right?

Well, I've finally tested your suggestion, and I've noticed only a marginal improvement in responsiveness and latency, around 10% more or less. Anytime I increase the "ceil" of the FTP-thru-ADSL traffic above 160kbit (that's the value I'm currently using), the latency skyrockets and the download speed stinks. I no longer see any improvement, then. With values near 160kbit, messing with "burst" and "cburst" gives a slight improvement and your suggestions give 10% more download bandwidth and about the same improvement in latency (please note that except for the download bandwidth, the rest of the improvements are subjective, they represent what I feel when using my network). This means that without the new class and filters I'm stuck with 160kbit max for the served FTP traffic, and with them I can raise that limit a bit.
Probably I'm making mistakes in my r2q value, the burst and cburst values, etc. that have to be corrected, too O:)

Thanks again, Toby :) With your suggestion I've raised the FTP speed from 19kbps to almost 22kbps (that's an extra 11MB per hour and almost 300MB a day, and that's GOOD!), while having a decent latency.

BTW, this is what I have now:

TCQA="tc qdisc add dev eth0 parent"
TCCA="tc class add dev eth0 parent"
TCFA="tc filter add dev eth0 protocol ip parent"

action "Starting traffic control on eth0"

# root qdisc, defaults to ADSL other traffic
$=TCQA root handle 1: htb default 21 r2q 1

# hispeed class (Ethernet)
$=TCCA 1: classid 1:1 htb rate 95Mbit ceil 95Mbit
$=TCQA 1:1 handle 10: sfq perturb 10

# lospeed class (ADSL)
$=TCCA 1: classid 1:2 htb rate 256kbit ceil 256kbit burst 16384 cburst 8192

# Low latency ADSL traffic
$=TCCA 1:2 classid 1:20 htb rate 4kbit ceil 256kbit prio 0 burst 16384 cburst 8194

# Other ADSL traffic
$=TCCA 1:2 classid 1:21 htb rate 224kbit ceil 256kbit prio 1 burst 16384 cburst 8192
$=TCQA 1:21 handle 21: sfq perturb 10

# FTP thru ADSL traffic
$=TCCA 1:2 classid 1:22 htb rate 64kbit ceil 175kbit prio 2

# Filters
# Ethernet LAN traffic
$=TCFA 1:0 prio 1 u32 match ip dst 192.168.0.0/24 flowid 1:1

# Low latency traffic small TCP packets (<64 bytes)
$=TCFA 1:0 prio 2 u32 match ip protocol 6 0xff \
    match u8 0x05 0x0f at 0 \
    match u16 0x0000 0xffc0 at 2 \
    flowid 1:20

# Low latency traffic, ICMP
$=TCFA 1:0 prio 2 u32 match ip protocol 1 0xff flowid 1:20

# FTP thru ADSL traffic
$=TCFA 1:0 prio 2 u32 match ip sport 0x3000 0xf000 flowid 1:22
$=TCFA 1:0 prio 2 u32 match ip sport 0x4000 0xf000 flowid 1:22
$=TCFA 1:0 prio 2 u32 match ip sport 20 0xffff flowid 1:22

Raúl Núñez de Arenas Coronado

-- 
Linux Registered User 88736 | http://www.dervishd.net
http://www.pleyades.net & http://www.gotesdelluna.net
It's my PC and I'll cry if I want to...

From tobia.conforto at linux.it Sat Nov 5 16:17:31 2005
From: tobia.conforto at linux.it (Toby)
Date: Sat Nov 5 16:17:39 2005
Subject: [LARTC] Latency/burst problem with HTB
In-Reply-To: <20051105144247.GB9469@DervishD>
References: <20051104101743.GA83@DervishD> <20051105111030.GC26102@ikkoku.ath.cx> <20051105144247.GB9469@DervishD>
Message-ID: <20051105151730.GI26102@ikkoku.ath.cx>

DervishD wrote:
> If I add this as you suggest then it will have the same priority as
> general traffic.

It doesn't if you lower general traffic to prio 1 and ftp traffic to prio 2, as I'm sure I said somewhere in my other email.

> Would it be because it will go out of the queue *even before*
> general ADSL traffic? I think that's the reason, right?

Yes, that's the idea.

Now the only thing left to do is to lower the total rate and ceil to 16kbit below the ADSL upload cap (again, read the wondershaper documentation to understand why.) Just substitute 240kbit for 256kbit throughout the script and adjust the other rates accordingly:

... classid 1:2 htb rate 240kbit ceil 240kbit
... classid 1:20 htb rate 4kbit ceil 240kbit prio 0
... classid 1:21 htb rate 172kbit ceil 240kbit prio 1
... classid 1:22 htb rate 64kbit ceil 175kbit prio 2

By the way, I wouldn't use the burst option.

Toby

-- 
UNIX is a lever for the intellect. -John R. Mashey

From lartc at dervishd.net Sat Nov 5 16:47:15 2005
From: lartc at dervishd.net (DervishD)
Date: Sat Nov 5 16:46:38 2005
Subject: [LARTC] Latency/burst problem with HTB
In-Reply-To: <20051105151730.GI26102@ikkoku.ath.cx>
References: <20051104101743.GA83@DervishD> <20051105111030.GC26102@ikkoku.ath.cx> <20051105144247.GB9469@DervishD> <20051105151730.GI26102@ikkoku.ath.cx>
Message-ID: <20051105154715.GA10117@DervishD>

Hi Toby :)

* Toby dixit:
> DervishD wrote:
> > If I add this as you suggest then it will have the same priority as
> > general traffic.
> It doesn't if you lower general traffic to prio 1 and ftp traffic to
> prio 2, as I'm sure I said somewhere in my other email.

Which I've done ;)) You said that in the comments of the "tc" commands (you say that the priorities of the sibling classes should be lower).

> > Would it be because it will go out of the queue *even before*
> > general ADSL traffic? I think that's the reason, right?
>
> Yes, that's the idea.

OK, I understand now. Thanks a lot :)))

> Now the only thing left to do is to lower the total rate and ceil
> to 16kbit below the ADSL upload cap (again, read the wondershaper
> documentation to understand why.)

That's something I learnt even when I didn't know about wondershaper ;) My ADSL has 300kbit of upload rate, that's why I'm using 256 and not 300. I want to leave those 44kbit for the other box.

BTW, I didn't notice that the other box was up and running (running WinDOS) and is uploading traffic at almost 10kbps so it is probably filling the ADSL router buffers :( That may be the reason why I'm getting poor latency when the ADSL FTP traffic goes above 175 (in fact, I bet the traffic limit is 300kbit-otherboxkbit). Unfortunately I cannot shutdown that box by now, and probably I will need to do my shaping taking into account an upload rate from the other machine of about 12kbps or something like that. 15kbps will be better... That leaves a value nearer to 180kbit instead of 256... Well, I'll try to make the other box upload at a lower rate if I can.
> By the way, I wouldn't use the burst option. But it gives me some improvement, why should I get rid of it? I'm not sure about why it does, but using a burst of 8192-20480 and a cburst of about the half seems to improve latency a bit. Is it just an illusion? For me it would be great if I could get rid of the burst and cburst settings, because my tc script will be easier to maintain. Thanks a lot for your help, now my tc works much better :)) Raúl Núñez de Arenas Coronado -- Linux Registered User 88736 | http://www.dervishd.net http://www.pleyades.net & http://www.gotesdelluna.net It's my PC and I'll cry if I want to... From jody.shumaker at gmail.com Sun Nov 6 01:12:41 2005 From: jody.shumaker at gmail.com (Jody Shumaker) Date: Sun Nov 6 01:12:47 2005 Subject: [LARTC] Cannot get htb & prio working together. In-Reply-To: <436C8124.2030206@bbd.co.za> References: <436A4E6B.6090506@bbd.co.za> <200511031909.06811.Andreas.Klauer@metamorpher.de> <2af436490511031411o6a739104vc0980f2fefd5cc1e@mail.gmail.com> <20051104101322.GB26102@ikkoku.ath.cx> <436C8124.2030206@bbd.co.za> Message-ID: <436D4A79.3070804@gmail.com> Michael Davidson wrote: > Hi, > > I've tried the multi tier filtering as suggested, but it didn't do the > trick unfortunately. The filters were accepted at the command line but > when I do "tc -s -d filter show dev eth0" the only filters > displayed are those with "root" as the parent. Below is my current > script. > That's because that command defaults to showing the root unless you tell it what to look at. tc -s -d filter show dev eth0 parent 20: A simple tc filter help lists that. - Jody From lartc-337 at ccp.com.au Sun Nov 6 08:53:59 2005 
From: lartc-337 at ccp.com.au (Lee Sanders) Date: Sun Nov 6 08:54:08 2005 Subject: [LARTC] tc qdisc replace failing Message-ID: <200511061553.59671.lartc-337@ccp.com.au> Hi, Having issues getting a replace command working correctly. The error reported is "RTNETLINK answers: Invalid argument" which isn't descriptive or helpful. The command i'm running is: tc qdisc replace dev ppp0 parent 8001:D handle D: tbf rate 5Kbit burst 5kb latency 70ms The idea being to replace an sfq with handle D and hopefully limit a certain user in my WRR class. If I delete the qdisc first and add with the below line it works. tc qdisc del dev ppp0 parent 8001:D handle D: tc qdisc add dev ppp0 parent 8001:D handle D: tbf rate 5Kbit burst 1540 latency 70ms Anyone see what I'm doing wrong ? :Lee From gypsy at iswest.com Sun Nov 6 18:42:06 2005 From: gypsy at iswest.com (gypsy) Date: Sun Nov 6 18:41:46 2005 Subject: [LARTC] tc qdisc replace failing References: <200511061553.59671.lartc-337@ccp.com.au> Message-ID: <436E406E.DC8C4E51@iswest.com> Lee Sanders wrote: > > Hi, > > Having issues getting a replace command working correctly. The error reported > is "RTNETLINK answers: Invalid argument" which isn't descriptive or helpful. > > The command i'm running is: > > tc qdisc replace dev ppp0 parent 8001:D handle D: tbf rate 5Kbit burst 5kb > latency 70ms > > The idea being to replace an sfq with handle D and hopefully limit a certain > user in my WRR class. If I delete the qdisc first and add with the below line > it works. > > tc qdisc del dev ppp0 parent 8001:D handle D: > tc qdisc add dev ppp0 parent 8001:D handle D: tbf rate 5Kbit burst 1540 > latency 70ms > > Anyone see what I'm doing wrong ? > > :Lee I believe that replace is still broken so, if I'm correct, the answer is, "replace does not work." -- gypsy From michael at bbd.co.za Sun Nov 6 21:11:49 2005 
From: michael at bbd.co.za (Michael Davidson) Date: Sun Nov 6 21:12:07 2005 Subject: [LARTC] Cannot get htb & prio working together. In-Reply-To: <436D4A79.3070804@gmail.com> References: <436A4E6B.6090506@bbd.co.za> <200511031909.06811.Andreas.Klauer@metamorpher.de> <2af436490511031411o6a739104vc0980f2fefd5cc1e@mail.gmail.com> <20051104101322.GB26102@ikkoku.ath.cx> <436C8124.2030206@bbd.co.za> <436D4A79.3070804@gmail.com> Message-ID: <436E6385.3070400@bbd.co.za> Hi Many thanks. Filtering at sub-qdisc and the correct use of the "tc filter show" command was where I was coming short, I'm flying now. Thanks again, Mike D. Jody Shumaker wrote: > Michael Davidson wrote: > >> Hi, >> >> I've tried the multi tier filtering as suggested, but It didn't do >> the trick unfortunately. The filters were accepted at the command >> line but when but when I do "tc -s -d filter show dev eth0" the only >> filters displayed are those with "root" as the parent. Below is my >> current script. >> > That's because that command defaults to showing the root unless you > tell it what to look at. > > tc -s -d filter show dev eth0 parent 20: > > A simple tc filter help lists that. > > - Jody > -- Regards Mike. Michael Davidson Barone Budge & Dominick Email: michael@bbd.co.za Office: +27 11 532 8380 BB&D : +27 11 532 8300 Fax: +27 11 532 8400 Mobile: +27 82 650 5707 Home: +27 11 452 4423 This e-mail is confidential and subject to the disclaimer published at http://www.bbd.co.za From sophana78 at yahoo.fr Mon Nov 7 01:31:50 2005 
From: sophana78 at yahoo.fr (sophana) Date: Mon Nov 7 01:32:05 2005 Subject: [LARTC] has anyone tried adsl-optimizer kernel patches for dsl modems? Message-ID: <436EA076.7040102@yahoo.fr> Hi I'm using a wondershaper-like script, but I noticed imperfect scheduling. By googling, I found some patches that take the AAL5 ATM overhead into account in the scheduling algorithms. http://www.adsl-optimizer.dk/ADSL-optimizer/ Before I try them, has anyone tried these patches? They apply to the 2.4.29 kernel and the 2.6.9 tc. I use CentOS 4 with a 2.6 kernel, so I can't try them easily. Thanks From angel.arancibia at gmail.com Mon Nov 7 17:56:42 2005 
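The patches sophana asks about compensate for the fact that on an ADSL line every IP packet is carried in 53-byte ATM cells holding 48 bytes of payload each: an encapsulation header and the 8-byte AAL5 trailer are added, and the result is padded up to a whole number of cells. A shaper that only counts IP bytes therefore under-estimates what small packets cost on the wire. The following Python is an added illustration of that arithmetic, written for this archive; it is not code from the adsl-optimizer project or from anyone in the thread. The per-encapsulation overhead figures are the commonly published ones (the same values later appeared in the tc-stab man page) and already include the AAL5 trailer; treat them as assumptions and confirm which encapsulation your modem actually uses.

```python
import math

ATM_CELL_BYTES = 53      # size of one ATM cell on the wire
ATM_PAYLOAD_BYTES = 48   # AAL5 payload carried per cell

# Bytes added to each IP packet before it is cut into cells, for common DSL
# encapsulations. Assumed values taken from the usual published tables
# (tc-stab(8) lists the same figures); each already includes the 8-byte AAL5
# trailer, so nothing is added for the trailer separately below.
ENCAP_OVERHEAD = {
    "ipoa-vcmux": 8,
    "pppoa-vcmux": 10,
    "pppoa-llc": 14,
    "bridged-vcmux": 24,
    "bridged-llc": 32,
    "pppoe-vcmux": 32,
    "pppoe-llc": 40,
}


def atm_cells(ip_len, overhead):
    """Number of ATM cells needed to carry one IP packet of ip_len bytes."""
    if ip_len <= 0:
        raise ValueError("ip_len must be positive")
    return math.ceil((ip_len + overhead) / ATM_PAYLOAD_BYTES)


def wire_bytes(ip_len, overhead):
    """Bytes actually consumed on the ATM link by one IP packet."""
    return atm_cells(ip_len, overhead) * ATM_CELL_BYTES


def atm_efficiency(ip_len, overhead):
    """Fraction of the link capacity that carries IP bytes at this packet size."""
    return ip_len / wire_bytes(ip_len, overhead)


def ip_rate_for_link(link_kbit, ip_len, overhead):
    """IP-level rate (kbit/s) at which packets of ip_len bytes exactly fill a
    link of link_kbit. A shaper that counts only IP bytes must be set no
    higher than this, or the modem's own queue fills and latency climbs."""
    return link_kbit * atm_efficiency(ip_len, overhead)


def overhead_report(link_kbit, encap, sizes=(40, 64, 576, 1500)):
    """Cells, wire bytes and safe IP rate for several packet sizes."""
    overhead = ENCAP_OVERHEAD[encap]
    rows = []
    for size in sizes:
        rows.append({
            "ip_len": size,
            "cells": atm_cells(size, overhead),
            "wire_bytes": wire_bytes(size, overhead),
            "safe_ip_kbit": round(ip_rate_for_link(link_kbit, size, overhead), 1),
        })
    return rows


if __name__ == "__main__":
    # Constructed example: a 300 kbit/s upstream using PPPoA VC-Mux.
    for row in overhead_report(300, "pppoa-vcmux"):
        print(row)
```

On a 300 kbit/s upstream with PPPoA VC-Mux the report shows that full-size 1500-byte packets can be shaped at about 265 kbit/s, but 64-byte packets (TCP ACKs, small interactive traffic) fit the line only at about 181 kbit/s, because two cells are burnt for 64 bytes of payload. That is why a fixed "rate a little below the cap" setting works for bulk uploads and still lets latency climb under small-packet traffic, and why the patches sophana mentions correct the byte count per packet instead.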
From: angel.arancibia at gmail.com (Angel Aranciba) Date: Thu Nov 10 15:58:24 2005 Subject: [LARTC] interesting routing situation Message-ID: <2c91a67a0511070856u10d395c0t@mail.gmail.com> Hi, this is my first mail to the list. I don't speak English well, but I'll try my best. This situation has caught my attention since I first heard about it, but I still don't have a good solution. There are 2 different networks with different connections to the Internet, each one with its own server (let's call the servers A and B). We need to set up some kind of service (a webserver, for example) on A for the Internet (let's call it C), but for some external reason (external meaning that we don't have access to it) A is filtered, and nobody from the Internet can open a connection with A. Here is where B appears. A VPN is opened between both (from A to B), and then it is easy for C to use B to go through the VPN tunnel to A. OK so far, that seems to work, but there is a problem. B has 4 connections (2 in, 2 out) for each interaction between A and C!!! So the idea is similar, but what we need is that once the connection is initialized (through B) as C->B->A, B is not used any more. What do you think about this situation? Could it be done? Thanks, and sorry again for my poor English. -- ----- Angel Arancibia GNU/Linux User Registered #358969 http://counter.li.org/ ICQ: 327093745 MSN: angel.arancibia@gmail.com ------------------------------- "Computer science is no more about computers than astronomy is about telescopes." - Edsger W. Dijkstra "There are only 10 types of people in the world: Those who understand binary, and those who don't" From gdamjan at mail.net.mk Mon Nov 7 18:01:59 2005 
From: gdamjan at mail.net.mk (Damjan) Date: Thu Nov 10 15:58:38 2005 Subject: [LARTC] Traffic control of PPPoE users In-Reply-To: <200510291058.25234.romary.sonrier@free.fr> References: <20051029022621.GA14362@legolas.on.net.mk> <200510291058.25234.romary.sonrier@free.fr> Message-ID: <20051107170159.GA19504@legolas.on.net.mk> > If you use PPPoE with a DSL modem in bridge mode(RFC 1483 BRIDGED) in order to > terminate a ppp tunnel on a linux box, it will not be easy to achieve QoS on > the upload side. My network is Ethernet only (some parts of it is proprietary wireless ethernet). No ADSL. I want to terminate several users on the ethernet with a linux box. I'll make some tests on my own, and report back how it went. Can you give any hints about the testing you did? -- damjan | ?????? This is my jabber ID --> damjan@bagra.net.mk <-- not my mail address!!! From payal-lartc at scriptkitchen.com Mon Nov 7 18:14:32 2005 From: payal-lartc at scriptkitchen.com (Payal Rathod) Date: Thu Nov 10 15:58:54 2005 Subject: [LARTC] using lartc Message-ID: <20051107171432.GA16893@tranquility.scriptkitchen.com> Hi, Even after many tries I am not able to get lartc at all. So, I am starting fresh again. Can someone tell can I use lartc on a single machine and see it working? Where do I start from exactly? I am getting more and more confused. With warm regards, -Payal From shemminger at osdl.org Tue Nov 8 19:28:23 2005 
From: shemminger at osdl.org (Stephen Hemminger) Date: Thu Nov 10 16:05:00 2005 Subject: [LARTC] [ANNOUNCE] iproute2 2.6.14-051107 Message-ID: <20051108102823.0ab4cf62@localhost.localdomain> Update to iproute2 is available. Most of the changes were to repair the things that broke with the introduction of the batch mode to the ip command. http://developer.osdl.org/dev/iproute2/download/iproute2-2.6.14-051107.tar.gz For info on CVS and other info see: http://linux-net.osdl.org/index.php/Iproute2 Masahide NAKAMURA * Updating for 2.6.14 - Show UPD{SA,POLICY} message information from kernel instead of error - Add length check of deleting message from kernel - Use macro for struct xfrm_user{sa,policy}_id * Minor fix: - Add fflush at the end of normal dump Jamal Hadi Salim * Fix handling of XFRM monitor and state * Fix ip rule flush, need to reopen rtnl Stephen Hemminger * Update to 2.6.14 sanitized headers * Add more CBQ examples from Fedora Core * Fix buffer overrun in iproute because of bits vs. bytes confusion Patrick McHardy * Fix ip command shortcuts From brett at wrl.org Tue Nov 8 22:16:19 2005 
From: brett at wrl.org (Brett Charbeneau) Date: Thu Nov 10 16:06:13 2005 Subject: [LARTC] Dead Gateway Detection with PPPoE Message-ID: Gentlefolk, First, many thanks to EVERYONE who tries so hard to make this advanced routing stuff useful to the "...rest of us"! You all rock! I have been prowling the archives of this list for an answer to my problem, and have seen some close situations, but no joy. Yet. I've got a relatively simple setup I'm trying to get working: we've got a public-access network with 90 or so clients and I'd like to route all their traffic over a 3 Mbps DSL line - except when that goes down, then I'd like to fail over to our T1. So I'm working on a Debian box in hopes that it will act as a router for this public subnet like so: ppp0 DSL IP (via PPPoE) eth1 192.168.1.0 (Public subnet) eth2 XX.XX.XX.XX (Our DMZ) I've downloaded the 2.4.31 kernel source, patched it with the Julian patches and read nano.txt about 8 times. I am SNATing the outgoing traffic to the appropriate address with iptables depending on the interface like so: iptables -t nat -A POSTROUTING -s $NATNET -o ppp0 -j SNAT --to $DSL iptables -t nat -A POSTROUTING -s $NATNET -o eth2 -j SNAT --to $WRL I made sure to include the stateful iptables statements as they appear in nano.txt. I worked extensively with mpath2.sh and have since cobbled together a script a la nano.txt, with the associated ping script to test routes by pinging each of the two gateways every 60 seconds. When initially running the script it sets up the tables just the way one would expect and everything works great. Clients are happy and can access the web at blazing speed. When the DSL line goes down, however, the routing table doesn't change to reflect the T1 gateway and the clients are dead in the water - no pinging of hosts not directly connected to the router box and no web traffic even though domain names are resolving. 
When the DSL line comes back up that route is used instantly and the clients are all happy again. So I'm clearly missing something. I include some info below, and I'm happy to get more specific upon request, I just don't want to flood the list. Can anyone suggest other things I can check? I'm grateful for any help anyone can take the time to offer! root@endurance:~# ip rule 0: from all lookup local 50: from all lookup main 201: from (Correct DSL IP address) lookup 201 202: from (Correct DMZ network) lookup 202 222: from all lookup 222 32766: from all lookup main 32767: from all lookup default (When DSL is UP) root@endurance:~# ip route get 204.152.189.113 204.152.189.113 via (DSL gateway) dev ppp0 src (DSL IP address) cache mtu 1492 advmss 1452 (When DSL is DOWN) root@endurance:~# ip route get 204.152.189.113 RTNETLINK answers: Network is unreachable -- ******************************************************************** Brett Charbeneau Network Administrator Williamsburg Regional Library 7770 Croaker Road Williamsburg, VA 23188-7064 (757)259-4044 www.wrl.org (757)259-4079 (fax) brett at wrl.org ******************************************************************** From dpsims at dpsims.com Wed Nov 9 16:02:04 2005 From: dpsims at dpsims.com (David Sims) Date: Thu Nov 10 16:09:15 2005 Subject: [LARTC] What Cisco calls 'Overloading NAT'?? Message-ID: Hi, Is there a way in Linux to do NAT with a pool of outside addresses such that each connection to the outside resource gets a different IP address?? I don't want 1:1 NAT as I have some thousands of IP addresses on one side of the LARTC router that _may_ need to access a resource on the other side... The resource needs to see a different IP address for each active call, but these addresses can be reused after the call concludes.... Any clues?? TIA, Dave From gdamjan at mail.net.mk Wed Nov 9 17:34:33 2005 
From: gdamjan at mail.net.mk (Damjan) Date: Thu Nov 10 16:10:09 2005 Subject: [LARTC] Re: [ANNOUNCE] iproute2 2.6.14-051107 In-Reply-To: <20051108102823.0ab4cf62@localhost.localdomain> References: <20051108102823.0ab4cf62@localhost.localdomain> Message-ID: <20051109163433.GA26468@legolas.on.net.mk> > Update to iproute2 is available. Most of the changes were to repair the > things that broke with the introduction of the batch mode to the ip command. > http://developer.osdl.org/dev/iproute2/download/iproute2-2.6.14-051107.tar.gz I'm getting this error when trying to compile on Slackware-10.2. The version of bison is 1.35. make[1]: Entering directory `/home/damjan/src/iproute2-2.6.14-051107/tc' bison -d -t -v -o emp_ematch.yacc.c emp_ematch.y emp_ematch.y:11: unrecognized: %error-verbose emp_ematch.y:11: Skipping to next % make[1]: *** [emp_ematch.yacc.c] Error 1 -- damjan | ?????? This is my jabber ID --> damjan@bagra.net.mk <-- not my mail address!!! From sandro at e-den.it Wed Nov 9 23:31:28 2005 From: sandro at e-den.it (Sandro Dentella) Date: Thu Nov 10 16:15:54 2005 Subject: [LARTC] main adsl fail, backup and test Message-ID: <20051109223128.GA29489@casa.e-den.it> hi all, I have a firewall with 2 gateways. Router A (main, adsl), router I (backup, isdn). In case of failure of adsl I switch to isdn. How can I know when it is time to go back? What is a standard way to test the adsl line? TIA sandro -- Sandro Dentella *:-) e-mail: sandro@e-den.it http://www.tksql.org TkSQL Home page - My GPL work From shemminger at osdl.org Wed Nov 9 18:15:51 2005 
From: shemminger at osdl.org (Stephen Hemminger) Date: Thu Nov 10 16:24:45 2005 Subject: [LARTC] Re: [ANNOUNCE] iproute2 2.6.14-051107 In-Reply-To: <20051109163433.GA26468@legolas.on.net.mk> References: <20051108102823.0ab4cf62@localhost.localdomain> <20051109163433.GA26468@legolas.on.net.mk> Message-ID: <20051109091551.32b67120@localhost.localdomain> On Wed, 9 Nov 2005 17:34:33 +0100 Damjan wrote: > > Update to iproute2 is available. Most of the changes were to repair the > > things that broke with the introduction of the batch mode to the ip command. > > http://developer.osdl.org/dev/iproute2/download/iproute2-2.6.14-051107.tar.gz > > I'm getting this error when trying to compile on Slackware-10.2. > The version of bison is 1.35. > > make[1]: Entering directory `/home/damjan/src/iproute2-2.6.14-051107/tc' > bison -d -t -v -o emp_ematch.yacc.c emp_ematch.y > emp_ematch.y:11: unrecognized: %error-verbose > emp_ematch.y:11: Skipping to next % > make[1]: *** [emp_ematch.yacc.c] Error 1 > > The ematch stuff probably needs bison 2.0 talk to Thomas. From oscar at ufomechanic.net Thu Nov 10 16:11:51 2005 
From: oscar at ufomechanic.net (Oscar Mechanic) Date: Thu Nov 10 16:25:32 2005 Subject: [LARTC] What Cisco calls 'Overloading NAT'?? In-Reply-To: References: Message-ID: <1131635512.7845.20.camel@OSCARLAPLIN> Is that not multiple NETMAP entries in iptables? Are you using SIP/H323/MGCP? On Wed, 2005-11-09 at 09:02 -0600, David Sims wrote: > Hi, > > Is there a way in Linux to do NAT with a pool of outside addresses such > that each connection to the outside resource gets a different IP address?? > I don't want 1:1 NAT as I have some thousands of IP addresses on one side > of the LARTC router that _may_ need to access a resource on the other > side... The resource needs to see a different IP address for each active > call, but these addresses can be reused after the call concludes.... > > Any clues?? > > TIA, > > Dave > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc From payal-lartc at scriptkitchen.com Thu Nov 10 16:57:55 2005 From: payal-lartc at scriptkitchen.com (Payal Rathod) Date: Thu Nov 10 16:58:53 2005 Subject: [LARTC] throttling bandwidth Message-ID: <20051110155755.GA5954@tranquility.scriptkitchen.com> Hi, My branch office has got a 256Kbps b/w from their service provider at a very very high rate per Mb. They don't require 256Kbps at all but the ISP does not offer anything lower. Can we restrict the bandwidth to, say, 64Kbps? Nothing fancy. How do I go about it? With warm regards, -Payal From oscar at ufomechanic.net Thu Nov 10 17:06:50 2005 
From: oscar at ufomechanic.net (Oscar Mechanic) Date: Thu Nov 10 17:08:13 2005 Subject: [LARTC] throttling bandwidth In-Reply-To: <20051110155755.GA5954@tranquility.scriptkitchen.com> References: <20051110155755.GA5954@tranquility.scriptkitchen.com> Message-ID: <1131638810.7845.28.camel@OSCARLAPLIN> Instead of restricting the speed, use iptables ipt_account to restrict usage and then put in a script on cron to zero the counters. That way you get to budget and the users get the best experience. On Thu, 2005-11-10 at 10:57 -0500, Payal Rathod wrote: > Hi, > My branch office has got a 256Kbps b/w from their service provider at a > very very high rate per Mb. They don't require 256Kbps at all but the > ISP does not offer anything lower. Can we restrict the bandwidth to say > 64Kbps nothing fancy? How do I go about it? > > With warm regards, > -Payal > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc From brett at wrl.org Thu Nov 10 17:09:18 2005 
From: brett at wrl.org (Brett Charbeneau) Date: Thu Nov 10 17:11:00 2005 Subject: [LARTC] throttling bandwidth In-Reply-To: <20051110155755.GA5954@tranquility.scriptkitchen.com> Message-ID: On Thu, 10 Nov 2005, Payal Rathod wrote: PR> My branch office has got a 256Kbps b/w from their service provider at a PR> very very high rate per Mb. They don't require 256Kbps at all but the PR> ISP does not offer anything lower. Can we restrict the bandwidth to say PR> 64Kbps nothing fancy? How do I go about it? Payal, I've had success limiting bandwidth on interfaces for our wireless networks. Patrons are coming in with P2P applications that hog the whole pipe if you let them. For us, these interfaces are on a firewall with two network cards and these statements did the trick limiting traffic to 256K coming and going: tc qdisc delete dev eth0 root tc qdisc add dev eth0 root tbf limit 5kb burst 5kb rate 256kbit tc qdisc delete dev eth1 root tc qdisc add dev eth1 root tbf limit 5kb burst 5kb rate 256kbit You have to at least have iproute2 (or in my case, because we use Debian, "iproute") installed so the "tc" command is recognized. Hope this is useful! -- ******************************************************************** Brett Charbeneau Network Administrator Williamsburg Regional Library 7770 Croaker Road Williamsburg, VA 23188-7064 (757)259-4044 www.wrl.org (757)259-4079 (fax) brett@wrl.org ******************************************************************** From dpsims at dpsims.com Thu Nov 10 17:16:23 2005 
From: dpsims at dpsims.com (David Sims) Date: Thu Nov 10 17:16:30 2005 Subject: [LARTC] What Cisco calls 'Overloading NAT'?? In-Reply-To: <1131635512.7845.20.camel@OSCARLAPLIN> References: <1131635512.7845.20.camel@OSCARLAPLIN> Message-ID: Hi Oscar, I am doing the existing routing (only!) with a pretty bare Ubuntu server install... i.e., no firewall and no iptables at this point.... Cisco (in at least some software) allows many:1 NAT with a pool of NAT addresses rather than a single address.... This way, every connection seems to come from a different post-NAT address (at least up to the number of addresses in the pool).... I am curious if Linux iproute2 supports this concept?? Dave ************************************************************************* On Thu, 10 Nov 2005, Oscar Mechanic wrote: > Is that not multiple NETMAP entries in iptables. Are you using > SIP/H323/MGCP > > > On Wed, 2005-11-09 at 09:02 -0600, David Sims wrote: > > Hi, > > > > Is there a way in Linux to do NAT with a pool of outside addresses such > > that each connection to the outside resource gets a different IP address?? > > I don't want 1:1 NAT as I have some thousands of IP addresses on one side > > of the LARTC router that _may_ need to access a resource on the other > > side... The resource needs to see a different IP address for each active > > call, but these addresses can be reused after the call concludes.... > > > > Any clues?? > > > > TIA, > > > > Dave > > _______________________________________________ > > LARTC mailing list > > LARTC@mailman.ds9a.nl > > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > From tgraf at suug.ch Thu Nov 10 17:35:49 2005 
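Dave's requirement in this thread is precise: every active connection must leave the router with its own address from a pool, and an address may be reused only once its connection has ended. The iptables SNAT target can spread new connections over an address range (a many-to-pool rewrite, with conntrack keeping each connection on the address it was first given), but the selection of the next address takes no account of which addresses are still in use, so two simultaneously active connections can end up sharing one. The Python below is an added model of the two allocation policies, written for this archive; it is not code from any poster and not netfilter's implementation. The connection events and the 198.51.100.0/24 addresses are constructed. It shows why only a pool with explicit release gives the one-address-per-active-call guarantee, and that the safe behaviour when the pool is empty is to refuse the new connection rather than double up on an address.

```python
class PoolExhausted(Exception):
    """Raised when every address is in use; the caller should refuse the
    connection rather than hand out an address that is already taken."""


class NatPool:
    """One address per active connection, returned to the pool on close."""

    def __init__(self, addresses):
        self._free = list(addresses)   # unused addresses, FIFO order
        self._active = {}              # connection id -> address

    def open(self, conn_id):
        """Assign an address to a new connection (idempotent for a known one)."""
        if conn_id in self._active:
            return self._active[conn_id]
        if not self._free:
            raise PoolExhausted(conn_id)
        addr = self._free.pop(0)
        self._active[conn_id] = addr
        return addr

    def close(self, conn_id):
        """Release the connection's address so a later connection can reuse it."""
        addr = self._active.pop(conn_id, None)
        if addr is not None:
            self._free.append(addr)
        return addr

    def active(self):
        return dict(self._active)


def run_pool(events, addresses):
    """Replay (action, conn_id) events against NatPool.

    Returns the address each connection was given and the connections that
    were refused because the pool was exhausted."""
    pool = NatPool(addresses)
    assigned, refused = {}, []
    for action, conn in events:
        if action == "open":
            try:
                assigned[conn] = pool.open(conn)
            except PoolExhausted:
                refused.append(conn)
        elif action == "close":
            pool.close(conn)
        else:
            raise ValueError(f"unknown action {action!r}")
    return assigned, refused


def run_round_robin(events, addresses):
    """Replay the same events with a stateless round robin over the pool.

    The next address is taken whether or not it is still in use, so the
    function also reports which connections collided with an active one."""
    assigned, active, collisions = {}, {}, []
    cursor = 0
    for action, conn in events:
        if action == "open":
            addr = addresses[cursor % len(addresses)]
            cursor += 1
            if addr in active.values():
                collisions.append(conn)
            assigned[conn] = addr
            active[conn] = addr
        elif action == "close":
            active.pop(conn, None)
    return assigned, collisions


# Constructed sample: two pool addresses, four sessions, one closing early.
POOL = ["198.51.100.1", "198.51.100.2"]
EVENTS = [
    ("open", "c1"),
    ("open", "c2"),
    ("close", "c2"),
    ("open", "c3"),
    ("open", "c4"),
]

if __name__ == "__main__":
    print("pool:", run_pool(EVENTS, POOL))
    print("round robin:", run_round_robin(EVENTS, POOL))
```

With the sample events the pool hands c3 the address c2 released and refuses c4, while the round robin gives c3 the address c1 is still using. For a gateway that keys sessions on the source address, as Dave describes, that collision is exactly the "first connection works, then nothing" symptom, and pool exhaustion is also the denial-of-service case to plan for: size the pool for the concurrency you must support and make sure refused connections are logged.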
From: tgraf at suug.ch (Thomas Graf) Date: Thu Nov 10 17:35:42 2005 Subject: [LARTC] Re: [ANNOUNCE] iproute2 2.6.14-051107 In-Reply-To: <20051109091551.32b67120@localhost.localdomain> References: <20051108102823.0ab4cf62@localhost.localdomain> <20051109163433.GA26468@legolas.on.net.mk> <20051109091551.32b67120@localhost.localdomain> Message-ID: <20051110163549.GX23537@postel.suug.ch> * Stephen Hemminger 2005-11-09 09:15 > On Wed, 9 Nov 2005 17:34:33 +0100 > Damjan wrote: > > > > Update to iproute2 is available. Most of the changes were to repair the > > > things that broke with the introduction of the batch mode to the ip command. > > > http://developer.osdl.org/dev/iproute2/download/iproute2-2.6.14-051107.tar.gz > > > > I'm getting this error when trying to compile on Slackware-10.2. > > The version of bison is 1.35. > > > > make[1]: Entering directory `/home/damjan/src/iproute2-2.6.14-051107/tc' > > bison -d -t -v -o emp_ematch.yacc.c emp_ematch.y > > emp_ematch.y:11: unrecognized: %error-verbose > > emp_ematch.y:11: Skipping to next % > > make[1]: *** [emp_ematch.yacc.c] Error 1 > > > > > > The ematch stuff probably needs bison 2.0 talk to Thomas. Yes, bison 2.0 or a compatible version is required. It should be possible to remove '%error-verbose' from the yacc grammar at the cost of less precise grammar error messages. From oscar at ufomechanic.net Thu Nov 10 17:41:06 2005 
From: oscar at ufomechanic.net (Oscar Mechanic) Date: Thu Nov 10 17:41:19 2005 Subject: [LARTC] What Cisco calls 'Overloading NAT'?? In-Reply-To: References: <1131635512.7845.20.camel@OSCARLAPLIN> Message-ID: <1131640866.7845.54.camel@OSCARLAPLIN> If I were you I would install iptables. To my knowledge the nat implementation in ip is stateless so you could not use it for that but I stand to be corrected. You could do a nice implementation using nth or random on SNAT. So if it is a new connection using connstate then put it into nth off a SNAT target and conntrack will do the rest for you. Of course all of this is useless if you don't have iptables. But ubuntu/debian rpms are top class. You did not say what session proto you were using. Oh, I just remembered something: if you are using SIP then you will have to be able to catch the RTP channel and nat them the same. The SNAT target in iptables has a round robin feature but I think the above point will be a problem. On Thu, 2005-11-10 at 10:16 -0600, David Sims wrote: > Hi Oscar, > > I am doing the existing routing (only!) with a pretty bare Ubuntu server > install... i.e., no firewall and no iptables at this point.... Cisco (in > at least some software) allows many:1 NAT with a pool of NAT addresses > rather than a single address.... This way, every connection seems to come > from a different post-NAT address (at least up to the number of addresses > in the pool).... I am curious if Linux iproute2 supports this concept?? > > Dave > ************************************************************************* > On Thu, 10 Nov 2005, Oscar Mechanic wrote: > > > Is that not multiple NETMAP entries in iptables? Are you using > > SIP/H323/MGCP? > > > > > > On Wed, 2005-11-09 at 09:02 -0600, David Sims wrote: > > > Hi, > > > > > > Is there a way in Linux to do NAT with a pool of outside addresses such > > > that each connection to the outside resource gets a different IP address?? 
> > > I don't want 1:1 NAT as I have some thousands of IP addresses on one side > > > of the LARTC router that _may_ need to access a resource on the other > > > side... The resource needs to see a different IP address for each active > > > call, but these addresses can be reused after the call concludes.... > > > > > > Any clues?? > > > > > > TIA, > > > > > > Dave > > > _______________________________________________ > > > LARTC mailing list > > > LARTC@mailman.ds9a.nl > > > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > > From payal-lartc at scriptkitchen.com Thu Nov 10 18:07:28 2005 From: payal-lartc at scriptkitchen.com (Payal Rathod) Date: Thu Nov 10 18:07:38 2005 Subject: [LARTC] throtling bandwidth In-Reply-To: References: <20051110155755.GA5954@tranquility.scriptkitchen.com> Message-ID: <20051110170728.GA8678@tranquility.scriptkitchen.com> On Thu, Nov 10, 2005 at 11:09:18AM -0500, Brett Charbeneau wrote: > tc qdisc delete dev eth0 root > tc qdisc add dev eth0 root tbf limit 5kb burst 5kb rate 256kbit > > tc qdisc delete dev eth1 root > tc qdisc add dev eth1 root tbf limit 5kb burst 5kb rate 256kbit I have adsl (pppoe) with eth0 as my internal interface and eth1 as external. What do I do in this case, I want to limit to 64kbps Thanks a lot. With warm regards, -Payal From brett at wrl.org Thu Nov 10 18:12:03 2005 
From: brett at wrl.org (Brett Charbeneau) Date: Thu Nov 10 18:12:08 2005 Subject: [LARTC] throttling bandwidth In-Reply-To: <20051110170728.GA8678@tranquility.scriptkitchen.com> Message-ID: On Thu, 10 Nov 2005, Payal Rathod wrote: PR> On Thu, Nov 10, 2005 at 11:09:18AM -0500, Brett Charbeneau wrote: PR> > tc qdisc delete dev eth0 root PR> > tc qdisc add dev eth0 root tbf limit 5kb burst 5kb rate 256kbit PR> > PR> > tc qdisc delete dev eth1 root PR> > tc qdisc add dev eth1 root tbf limit 5kb burst 5kb rate 256kbit PR> PR> PR> I have adsl (pppoe) with eth0 as my internal interface and eth1 as PR> external. What do I do in this case, I want to limit to 64kbps Does that make your pppoe interface ppp0? Try issuing an "ifconfig" command to see. I'm always confused about how the kernel sees a pppoe interface. Give this a try: tc qdisc delete dev eth0 root tc qdisc add dev eth0 root tbf limit 5kb burst 5kb rate 64kbit tc qdisc delete dev eth1 root tc qdisc add dev eth1 root tbf limit 5kb burst 5kb rate 64kbit -- ******************************************************************** Brett Charbeneau Network Administrator Williamsburg Regional Library 7770 Croaker Road Williamsburg, VA 23188-7064 (757)259-4044 www.wrl.org (757)259-4079 (fax) brett@wrl.org ******************************************************************** From oscar at ufomechanic.net Thu Nov 10 18:16:37 2005 
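Two problems in this archive come down to how tc reads its units, so here is an added Python helper, written for this page and not code from anyone on the list, that parses rate and size strings the way iproute2's tc does and derives the TBF queue numbers from them. tc distinguishes "kbit" (kilobits per second) from "kbps" (kilobytes per second): Payal's "64kbps" is a kilobit figure in everyday usage, but to tc "64kbps" means 64 kilobytes per second, 512 kbit/s, twice her 256 kbit/s link, so a cap that is meant to bite must be written "rate 64kbit". For Lee's earlier tbf replace, the helper shows what tc derives from "latency 70ms" with "burst 5kb" versus "burst 1540" (limit = rate x latency + burst) and checks the burst against rate/HZ and the MTU; it does not explain the EINVAL he reported, which neither the thread nor these numbers account for. HZ (100 on most 2.4 kernels, 1000 on 2.6) and the MTU are assumptions you must supply for your own kernel and interface.

```python
import math
import re

# Rate suffixes as iproute2's tc accepts them (matched case-insensitively).
# A bare number is bits per second. The "...bit" family is bits/s, the
# "...bps" family is BYTES/s, which is the trap in this thread.
_RATE_BITS = {
    "bit": 1, "kibit": 1024, "kbit": 1000, "mibit": 1024 ** 2, "mbit": 1000 ** 2,
    "gibit": 1024 ** 3, "gbit": 1000 ** 3,
    "bps": 8, "kibps": 8 * 1024, "kbps": 8 * 1000, "mibps": 8 * 1024 ** 2,
    "mbps": 8 * 1000 ** 2, "gibps": 8 * 1024 ** 3, "gbps": 8 * 1000 ** 3,
}

# Size suffixes as tc accepts them: byte units are 1024-based, the bit units
# are 1024-based and divided by eight. A bare number is bytes.
_SIZE_BYTES = {
    "": 1, "b": 1, "k": 1024, "kb": 1024, "m": 1024 ** 2, "mb": 1024 ** 2,
    "g": 1024 ** 3, "gb": 1024 ** 3,
    "kbit": 1024 // 8, "mbit": 1024 ** 2 // 8, "gbit": 1024 ** 3 // 8,
}

_TOKEN = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*([A-Za-z]*)\s*$")


def _split(text):
    match = _TOKEN.match(text)
    if not match:
        raise ValueError(f"cannot parse {text!r}")
    return float(match.group(1)), match.group(2).lower()


def tc_rate_bytes(text):
    """Bytes per second for a tc rate string, as tc's get_rate() computes it."""
    value, suffix = _split(text)
    suffix = suffix or "bit"
    if suffix not in _RATE_BITS:
        raise ValueError(f"unknown rate suffix in {text!r}")
    return int(value * _RATE_BITS[suffix] / 8)


def tc_size_bytes(text):
    """Bytes for a tc size string such as '5kb' or '1540'."""
    value, suffix = _split(text)
    if suffix not in _SIZE_BYTES:
        raise ValueError(f"unknown size suffix in {text!r}")
    return int(value * _SIZE_BYTES[suffix])


def tbf_check(rate, burst, latency_ms=None, limit=None, hz=1000, mtu=1500):
    """Derive the TBF parameters tc would use and flag the usual mistakes.

    hz is the kernel timer frequency and mtu the interface MTU; both are
    assumptions the caller must supply for the machine in question.
    """
    rate_b = tc_rate_bytes(rate)
    burst_b = tc_size_bytes(burst)
    if limit is not None:
        limit_b = tc_size_bytes(limit)
    elif latency_ms is not None:
        # tc_tbf.c: limit = rate * latency + buffer when only latency is given
        limit_b = int(rate_b * latency_ms / 1000.0 + burst_b)
    else:
        raise ValueError("give either latency_ms or limit")

    min_burst = math.ceil(rate_b / hz)  # tokens arriving per timer tick
    warnings = []
    if _split(rate)[1].endswith("bps"):
        warnings.append(f"{rate!r} is bytes/s, i.e. {rate_b * 8} bit/s; "
                        "use a 'bit' suffix for a bit-rate cap")
    if burst_b < min_burst:
        warnings.append(f"burst {burst_b} B < rate/HZ = {min_burst} B: "
                        "tokens overflow the bucket every tick")
    if burst_b < mtu:
        warnings.append(f"burst {burst_b} B < MTU {mtu} B: "
                        "full-size packets can never be sent")
    if limit_b < mtu:
        warnings.append(f"limit {limit_b} B < MTU {mtu} B: "
                        "full-size packets are dropped on arrival")
    return {
        "rate_bytes_per_s": rate_b,
        "burst_bytes": burst_b,
        "limit_bytes": limit_b,
        "min_burst_bytes": min_burst,
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Lee's two tbf variants (HZ=100 assumed for a 2.4-era kernel)
    print(tbf_check("5Kbit", "5kb", latency_ms=70, hz=100))
    print(tbf_check("5Kbit", "1540", latency_ms=70, hz=100))
    # The unit trap: 64kbps is 64 kilobytes per second, 64kbit is the cap meant
    print(tbf_check("64kbps", "5kb", limit="5kb"))
    print(tbf_check("64kbit", "5kb", limit="5kb"))
```

Run as-is it reports 625 bytes/s for Lee's "5Kbit" with derived limits of 5163 and 1583 bytes for the two bursts (both comfortably above rate/HZ and the MTU), and flags "64kbps" as a 512000 bit/s rate while "64kbit" passes clean. Before committing a tbf line to a firewall script, feeding it through a check like this is cheaper than discovering at the branch office that the shaper never engaged.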
From: oscar at ufomechanic.net (Oscar Mechanic) Date: Thu Nov 10 18:16:50 2005 Subject: [LARTC] throttling bandwidth In-Reply-To: <20051110170915.GB8678@tranquility.scriptkitchen.com> References: <20051110155755.GA5954@tranquility.scriptkitchen.com> <1131638810.7845.28.camel@OSCARLAPLIN> <20051110170915.GB8678@tranquility.scriptkitchen.com> Message-ID: <1131642997.7845.70.camel@OSCARLAPLIN> Sorry, it's ipt_quota iptables -I FORWARD 1 -s 192.16.0.0/24 -m quota --quota 6000000 -j ACCEPT iptables -I FORWARD 2 -s 192.16.0.0/24 -j DROP All of 192.16.0.0 will be limited to 6M after which they get nothing. More clever things are possible but I will leave it to you. quota Implements network quotas by decrementing a byte counter with each packet. --quota bytes The quota in bytes. On Thu, 2005-11-10 at 12:09 -0500, Payal Rathod wrote: > On Thu, Nov 10, 2005 at 04:06:50PM +0000, Oscar Mechanic wrote: > > Instead of restricting the speed use iptables ipt_account to restrict > > usage and then put in a script on cron to zero the counters. That way you > > get to budget and the users get best experience. > > > > Sorry didn't get what you meant. What exactly is ipt_account? Can you > give an example? > Thanks in advance. > With warm regards, > -Payal From payal-lartc at scriptkitchen.com Thu Nov 10 18:26:35 2005 From: payal-lartc at scriptkitchen.com (Payal Rathod) Date: Thu Nov 10 18:26:38 2005 Subject: [LARTC] throttling bandwidth In-Reply-To: References: <20051110170728.GA8678@tranquility.scriptkitchen.com> Message-ID: <20051110172635.GB9398@tranquility.scriptkitchen.com> On Thu, Nov 10, 2005 at 12:12:03PM -0500, Brett Charbeneau wrote: > Does that make your pppoe interface ppp0? Try issuing an > "ifconfig" command to see. I'm always confused about how the > kernel sees a pppoe interface. Yes, my ISP assigned IP is given to ppp0 With warm regards, -Payal From oscar at ufomechanic.net Thu Nov 10 18:28:44 2005 
From: oscar at ufomechanic.net (Oscar Mechanic) Date: Thu Nov 10 18:29:10 2005 Subject: [LARTC] What Cisco calls 'Overloading NAT'?? In-Reply-To: References: <1131635512.7845.20.camel@OSCARLAPLIN> <1131640866.7845.54.camel@OSCARLAPLIN> Message-ID: <1131643724.7845.81.camel@OSCARLAPLIN> Don't bother with books (what have books ever done for us? (Life of Brian)) http://iptables-tutorial.frozentux.net/iptables-tutorial.html I also suggest you take a long look at http://asteriskathome.sourceforge.net/ So you need at least 40 calls going at any one time. If you were using SIP this would come with the proxy hand-off. I see your problem. But I do not know if SNA uses separate ports for session initiation and others for transport. If it all uses 1 port then excellent, standard round robin SNAT from iptables will do the trick. Happy days. If you have multiple ports for a call setup then I believe you are going to need to use iptables recent in conjunction with snat. Basically, push the IP onto a stack, then if the IP is in that stack SNAT all the traffic from that IP. You will need a stack (iptables recent will create those stacks) for each SNAT target. So you grab all the data from that IP, not just the initial call setup layer. On Thu, 2005-11-10 at 10:53 -0600, David Sims wrote: > Hi, > > Any pointer to a good and current iptables book or howto?? I have > Matthew Marsh's book on Policy Routing using Linux but the coverage of > iptables and netfilter is a bit limited there... I haven't used the > filtering stuff since ipchains days and I am sure that there have been > many advances.... > > The application that I am trying to make work is an old time IBM SNA > gateway (Attachmate) that wants to assign LUs to IP addresses... So, when > I do many:1 NAT, the first connection works fine but after that nothing... > I just need to figure out a way of accommodating 40 users out of 2000 or > so... and I have to use NAT since there has to be an address > translation.... 
I was also thinking of setting up a pool of 40 or > 50 addresses in my private space (192.168.x.y) and then doing 1:1 NAT on > those... Then I would only need to figure out a way (DNS round robin?) of > giving each new user a different address.... > > Thanks for your response and advice. > > Dave > ************************************************************************* > On Thu, 10 Nov 2005, Oscar Mechanic wrote: > > > > > If I was thee I would install iptables. To my knowledge the nat > > implementation in ip is stateless so you could not use it for that but I > > stand to be corrected. > > > > You could do a nice implementation using nth or random on SNAT. So if it > > is a new connections using connstate then put it into nth off a SNAT > > target and conntrack will do the rest for you. > > > > Of coarse all of this is useless if you dont have iptables. But > > ubuntu/debian rpms are top class. > > > > You did not say what session proto you were using. Oh I just remembered > > something if you are using SIP then you will have to be able to catch > > the RTP channel and nat them the same. > > > > The SNAT target in iptables has a round robin feature but I think the > > above point will be a problem. > > > > On Thu, 2005-11-10 at 10:16 -0600, David Sims wrote: > > > Hi Oscar, > > > > > > I am doing the existing routing (only!) with a pretty bare Ubuntu server > > > install... i.e., no firewall and no iptables at this point.... Cisco (in > > > at least some software) allows many:1 NAT with a pool of NAT addresses > > > rather than a single address.... This way, every connection seems to come > > > from a different post-NAT address (at least up to the number of addresses > > > in the pool).... I am curious if Linux iproute2 supports this concept?? > > > > > > Dave > > > ************************************************************************* > > > On Thu, 10 Nov 2005, Oscar Mechanic wrote: > > > > > > > Is that not multiple NETMAP entries in iptables. 
Are you using > > > > SIP/H323/MGCP > > > > > > > > > > > > On Wed, 2005-11-09 at 09:02 -0600, David Sims wrote: > > > > > Hi, > > > > > > > > > > Is there a way in Linux to do NAT with a pool of outside addresses such > > > > > that each connection to the outside resource gets a different IP address?? > > > > > I don't want 1:1 NAT as I have some thousands of IP addresses on one side > > > > > of the LARTC router that _may_ need to access a resource on the other > > > > > side... The resource needs to see a different IP address for each active > > > > > call, but these addresses can be reused after the call concludes.... > > > > > > > > > > Any clues?? > > > > > > > > > > TIA, > > > > > > > > > > Dave > > > > > _______________________________________________ > > > > > LARTC mailing list > > > > > LARTC@mailman.ds9a.nl > > > > > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > > > > > > From payal-lartc at scriptkitchen.com Thu Nov 10 18:45:36 2005 From: payal-lartc at scriptkitchen.com (Payal Rathod) Date: Thu Nov 10 18:45:45 2005 Subject: [LARTC] simple routing query Message-ID: <20051110174536.GA10440@tranquility.scriptkitchen.com> Hi, I have 2 interfaces - one for adsl and other for LAN on my Linux gateway machine. The IP addresses are 10.10.10.3 & 192.168.10.101 respectively. Now my routing tables show this particular entry. What exactly is this? 169.254.0.0/16 dev eth0 scope link Or by traditional route -n, 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0 What exactly is this 169.254.0.0/16 thing? Thanks in advance. With warm regards, -Payal From brett at wrl.org Thu Nov 10 18:50:34 2005 
From: brett at wrl.org (Brett Charbeneau)
Date: Thu Nov 10 18:50:40 2005
Subject: [LARTC] simple routing query
In-Reply-To: <20051110174536.GA10440@tranquility.scriptkitchen.com>

On Thu, 10 Nov 2005, Payal Rathod wrote:

PR> What exactly is this 169.254.0.0/16 thing?

Remember - Google is your friend on stuff like this. Here's a good rundown
on the subject:

http://www.cas.ilstu.edu/shac/Knowledge/Spam/iana.htm

see the "Autoconfiguration" IP Addresses section.

--
Brett Charbeneau
Network Administrator
Williamsburg Regional Library
7770 Croaker Road
Williamsburg, VA 23188-7064
(757)259-4044        www.wrl.org
(757)259-4079 (fax)  brett@wrl.org

From: gdamjan at mail.net.mk (Damjan)
Date: Thu Nov 10 18:56:45 2005
Subject: [LARTC] Re: [ANNOUNCE] iproute2 2.6.14-051107
In-Reply-To: <20051110163549.GX23537@postel.suug.ch>
References: <20051108102823.0ab4cf62@localhost.localdomain> <20051109163433.GA26468@legolas.on.net.mk> <20051109091551.32b67120@localhost.localdomain> <20051110163549.GX23537@postel.suug.ch>
Message-ID: <20051110175642.GB26468@legolas.on.net.mk>

> > > I'm getting this error when trying to compile on Slackware-10.2.
> > > The version of bison is 1.35.
> >
> > The ematch stuff probably needs bison 2.0, talk to Thomas.
>
> Yes, bison 2.0 or a compatible version is required. It should
> be possible to remove '%error-verbose' from the yacc grammar
> at the cost of less precise grammar error messages.

I've upgraded to Bison 1.875d and it compiled fine.

--
damjan
This is my jabber ID --> damjan@bagra.net.mk <-- not my mail address!!!

From: oscar at ufomechanic.net (Oscar Mechanic)
Date: Thu Nov 10 19:13:10 2005
Subject: [LARTC] What Cisco calls 'Overloading NAT'??
In-Reply-To: <1131643724.7845.81.camel@OSCARLAPLIN>
References: <1131635512.7845.20.camel@OSCARLAPLIN> <1131640866.7845.54.camel@OSCARLAPLIN> <1131643724.7845.81.camel@OSCARLAPLIN>
Message-ID: <1131646382.7845.104.camel@OSCARLAPLIN>

I will leave the tweaking to yourself, like putting in a match on connection
to clear it out of the stack when the session link is closed (hint: look at
--ctstate).

iptables -t nat -A POSTROUTING -p tcp --dport 5060 -d 212.12.12.1 -m recent --name subnet1 --set
iptables -t nat -A POSTROUTING -p tcp --dport 5060 -d 212.12.12.2 -m recent --name subnet2 --set
....
....
iptables -t nat -A POSTROUTING -p tcp --dport 5060 -d 212.12.12.41 -m recent --name subnet41 --set

Need some tweaks here as well

iptables -t nat -A POSTROUTING -m recent --name subnet1 --rcheck -j SNAT --to-source 212.12.12.1
iptables -t nat -A POSTROUTING -m recent --name subnet2 --rcheck -j SNAT --to-source 212.12.12.2
.....
....
iptables -t nat -A POSTROUTING -m recent --name subnet41 --rcheck -j SNAT --to-source 212.12.12.41

iptables -t nat -A POSTROUTING -p tcp --dport 5060 -m conntrack --ctstate NEW -j SNAT --to-source 212.12.12.1-212.12.12.41

On Thu, 2005-11-10 at 17:28 +0000, Oscar Mechanic wrote:
> Don't bother with books (what have books ever done for us? (Life of
> Brian)):
>
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
>
> I also suggest you take a long look at
>
> http://asteriskathome.sourceforge.net/
>
> So you need at least 40 calls going at any one time. If you were using
> SIP this would come with the proxy hand off.
>
> I see your problem. But I do not know if SNA uses separate ports for
> session initiation and others for transport.
>
> If it all uses 1 port then excellent, standard round robin SNAT from
> iptables will do the trick. Happy days.
>
> If you have multiple ports for a call setup then I believe you are going
> to need to use iptables recent in conjunction with SNAT. Basically, push
> the IP onto a stack, then if the IP is in that stack SNAT all the
> traffic from that IP. You will need a stack (iptables recent will create
> the stacks) for each SNAT target. So you grab all the data from that IP,
> not just the initial call set up layer.
>
> On Thu, 2005-11-10 at 10:53 -0600, David Sims wrote:
> > Hi,
> >
> > Any pointer to a good and current iptables book or howto?? I have
> > Matthew Marsh's book on Policy Routing using Linux but the coverage of
> > iptables and netfilter are a bit limited there... I haven't used the
> > filtering stuff since ipchains days and I am sure that there have been
> > many advances....
> >
> > The application that I am trying to make work is an old time IBM SNA
> > gateway (Attachmate) that wants to assign LUs to IP addresses... So, when
> > I do many:1 NAT, the first connection works fine but after that nothing...
> > I just need to figure out a way of accommodating 40 users out of 2000 or
> > so... and I have to use NAT since there has to be an address
> > translation.... I was also thinking of setting up a pool of 40 or
> > 50 addresses in my private space (192.168.x.y) and then doing 1:1 NAT on
> > those... Then I would only need to figure out a way (DNS round robin?) of
> > giving each new user a different address....
> >
> > Thanks for your response and advice.
> >
> > Dave
> > *************************************************************************
> > On Thu, 10 Nov 2005, Oscar Mechanic wrote:
> >
> > > If I was thee I would install iptables. To my knowledge the nat
> > > implementation in ip is stateless so you could not use it for that but I
> > > stand to be corrected.
> > >
> > > You could do a nice implementation using nth or random on SNAT. So if it
> > > is a new connection using connstate then put it into nth off a SNAT
> > > target and conntrack will do the rest for you.
> > >
> > > Of course all of this is useless if you don't have iptables. But
> > > ubuntu/debian rpms are top class.
> > >
> > > You did not say what session proto you were using. Oh I just remembered
> > > something: if you are using SIP then you will have to be able to catch
> > > the RTP channel and nat them the same.
> > >
> > > The SNAT target in iptables has a round robin feature but I think the
> > > above point will be a problem.
> > >
> > > On Thu, 2005-11-10 at 10:16 -0600, David Sims wrote:
> > > > Hi Oscar,
> > > >
> > > > I am doing the existing routing (only!) with a pretty bare Ubuntu server
> > > > install... i.e., no firewall and no iptables at this point.... Cisco (in
> > > > at least some software) allows many:1 NAT with a pool of NAT addresses
> > > > rather than a single address.... This way, every connection seems to come
> > > > from a different post-NAT address (at least up to the number of addresses
> > > > in the pool).... I am curious if Linux iproute2 supports this concept??
> > > >
> > > > Dave
> > > > *************************************************************************
> > > > On Thu, 10 Nov 2005, Oscar Mechanic wrote:
> > > >
> > > > > Is that not multiple NETMAP entries in iptables. Are you using
> > > > > SIP/H323/MGCP?
> > > > >
> > > > > On Wed, 2005-11-09 at 09:02 -0600, David Sims wrote:
> > > > > > Hi,
> > > > > >
> > > > > > Is there a way in Linux to do NAT with a pool of outside addresses such
> > > > > > that each connection to the outside resource gets a different IP address??
> > > > > > I don't want 1:1 NAT as I have some thousands of IP addresses on one side
> > > > > > of the LARTC router that _may_ need to access a resource on the other
> > > > > > side... The resource needs to see a different IP address for each active
> > > > > > call, but these addresses can be reused after the call concludes....
> > > > > >
> > > > > > Any clues??
> > > > > >
> > > > > > TIA,
> > > > > >
> > > > > > Dave

From: payal-lartc at scriptkitchen.com (Payal Rathod)
Date: Thu Nov 10 19:33:09 2005
Subject: [LARTC] simple routing query
References: <20051110174536.GA10440@tranquility.scriptkitchen.com>
Message-ID: <20051110183303.GA11910@tranquility.scriptkitchen.com>

On Thu, Nov 10, 2005 at 12:50:34PM -0500, Brett Charbeneau wrote:
> http://www.cas.ilstu.edu/shac/Knowledge/Spam/iana.htm
>
> see the "Autoconfiguration" IP Addresses section.

Yes, I read it, thanks, but I don't understand it.

| Addresses in the range 169.254.0.0 to 169.254.255.255 are used
| automatically by some PCs and Macs when they are configured to use IP,
| do not have a static IP Address assigned, and are unable to obtain an
| IP address using DHCP.
|
| This traffic is intended to be confined to the local network, so the
| administrator of the local network should look for misconfigured hosts.

What do they mean by this? Is it an address given by error due to
misconfiguration?

Payal

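A model of the "recent list per SNAT target" scheme Oscar sketches above (the subnet1..subnet41 rules), added here as an illustration rather than as anything from the list or from netfilter: a call-setup packet (here TCP to port 5060 in state NEW) claims a pool address and the inside host is recorded in that address's list; every later packet from that host, whatever port, is translated to the same address, and the session-close hook stands in for the --ctstate clean-up he hints at. It goes one step beyond his round robin by handing out only a pool address with no active mapping, so each active call really gets a distinct address, and by reporting pool exhaustion. The two-address pool and the 192.168.0.x hosts are constructed values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    """A packet as seen in the nat POSTROUTING chain (constructed, not captured)."""
    src: str
    dst: str
    proto: str
    dport: int
    ctstate: str   # what -m conntrack --ctstate would see: "NEW" or "ESTABLISHED"


class StickySnatPool:
    """One 'recent' list per SNAT target, as in the subnet1..subnetN rules.

    A call-setup packet from an inside host claims a free pool address and the
    host is added to that address's list (the --set rule). Every later packet
    from that host, any protocol or port, is translated to the same address
    (the --rcheck rules), so the far end sees one address per active call.
    """

    def __init__(self, pool: List[str], setup_port: int = 5060) -> None:
        self.pool = list(pool)
        self.setup_port = setup_port
        # pool address -> inside addresses currently mapped to it
        self.recent: Dict[str, Set[str]] = {addr: set() for addr in self.pool}

    def _mapped_address(self, src: str) -> Optional[str]:
        """Walk the per-address lists like the chain of --rcheck rules."""
        for addr, members in self.recent.items():
            if src in members:
                return addr
        return None

    def postrouting(self, pkt: Packet) -> Optional[str]:
        """Return the source address the packet leaves with, or None when a
        new call could not be given a free pool address (pool exhausted)."""
        mapped = self._mapped_address(pkt.src)
        if mapped is not None:
            return mapped                       # sticky: RTP etc. follow the call
        is_setup = (pkt.proto == "tcp" and pkt.dport == self.setup_port
                    and pkt.ctstate == "NEW")
        if not is_setup:
            return pkt.src                      # not a call: left untranslated
        # Unlike plain round robin, only an address with no active mapping is
        # handed out, so two concurrent calls never share a pool address.
        for addr in self.pool:
            if not self.recent[addr]:
                self.recent[addr].add(pkt.src)  # the --set rule
                return addr
        return None                             # all pool addresses in use

    def session_closed(self, src: str) -> Optional[str]:
        """The clean-up Oscar points at with --ctstate: once the session is
        over, drop the host from its list so the pool address can be reused."""
        addr = self._mapped_address(src)
        if addr is not None:
            self.recent[addr].discard(src)
        return addr


if __name__ == "__main__":
    pool = StickySnatPool(["212.12.12.1", "212.12.12.2"])
    for host in ("192.168.0.10", "192.168.0.11", "192.168.0.12"):
        print(host, "->", pool.postrouting(Packet(host, "203.0.113.7", "tcp", 5060, "NEW")))
```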
From: brett at wrl.org (Brett Charbeneau)
Date: Thu Nov 10 19:36:10 2005
Subject: [LARTC] simple routing query
In-Reply-To: <20051110183303.GA11910@tranquility.scriptkitchen.com>

On Thu, 10 Nov 2005, Payal Rathod wrote:

PR> What do they mean by this? Is it an address given by error due to
PR> misconfiguration?

That's always been my experience. If I were you I'd double-check the way
your interfaces are configured. Something is goofy or not getting flushed or
something - that 169.254.x.x address seems, in some hardware, to mean that
there is confusion somewhere down the line.

--
Brett Charbeneau
Network Administrator
Williamsburg Regional Library
7770 Croaker Road
Williamsburg, VA 23188-7064
(757)259-4044        www.wrl.org
(757)259-4079 (fax)  brett@wrl.org

From: unki at netshadow.at (Andreas Unterkircher)
Date: Thu Nov 10 19:41:11 2005
Subject: [LARTC] simple routing query
In-Reply-To: <20051110183303.GA11910@tranquility.scriptkitchen.com>
References: <20051110174536.GA10440@tranquility.scriptkitchen.com> <20051110183303.GA11910@tranquility.scriptkitchen.com>
Message-ID: <4373947E.1080104@netshadow.at>

I had such an experience with SuSE on a server with two network interfaces.
While only one of them was connected to the LAN with a fixed IP, the other
was configured by YaST to get its IP from a DHCP server. Because it couldn't
reach it and timed out, the interface didn't get an IP address, but suddenly
a 169.254.x.x route appeared. Probably you hit the same thing.

Payal Rathod wrote:
> On Thu, Nov 10, 2005 at 12:50:34PM -0500, Brett Charbeneau wrote:
>
>> http://www.cas.ilstu.edu/shac/Knowledge/Spam/iana.htm
>>
>> see the "Autoconfiguration" IP Addresses section.
>
> Yes, I read it, thanks, but I don't understand it.
> | Addresses in the range 169.254.0.0 to 169.254.255.255 are used
> | automatically by some PCs and Macs when they are configured to use IP,
> | do not have a static IP Address assigned, and are unable to obtain an
> | IP address using DHCP.
> |
> | This traffic is intended to be confined to the local network, so the
> | administrator of the local network should look for misconfigured hosts.
>
> What do they mean by this? Is it an address given by error due to
> misconfiguration?
>
> Payal

From: payal-lartc at scriptkitchen.com (Payal Rathod)
Date: Thu Nov 10 19:47:52 2005
Subject: [LARTC] simple routing query
In-Reply-To: <4373947E.1080104@netshadow.at>
References: <20051110174536.GA10440@tranquility.scriptkitchen.com> <20051110183303.GA11910@tranquility.scriptkitchen.com> <4373947E.1080104@netshadow.at>
Message-ID: <20051110184748.GA11997@tranquility.scriptkitchen.com>

On Thu, Nov 10, 2005 at 07:42:06PM +0100, Andreas Unterkircher wrote:
> I had such an experience with SuSE on a server with two network
> interfaces. While only one of them was
> connected to the LAN with a fixed IP, the other was configured by YaST
> to get its IP from a DHCP server.

I too am on SuSE. One IP is my LAN IP but the SuSE box is the DHCP server
itself. But many of my friends have seen this on their RedHat servers.

169.254.0.0/16 dev eth0 scope link

Their machines had only 1 network card and had fixed IPs.

What is the solution to this?

With warm regards,
-Payal

From: payal-lartc at scriptkitchen.com (Payal Rathod)
Date: Thu Nov 10 19:48:56 2005
Subject: [LARTC] lartc.org reading
Message-ID: <20051110184853.GB11997@tranquility.scriptkitchen.com>

Hi,
This is the 7th time I am reading the lartc.org howto and now I have got the
reason why I couldn't understand it for so many days. It starts real good
with cool basics, but on Chapter 4 "Rules - routing policy database" it gets
complicated very fast. e.g. it mentions the /etc/iproute2/rt_tables file but
does not tell what it does, and what all the other configuration files do. It
is like learning a language by reading a dictionary - not an easy way. Also,
easy examples are not shown and the author has graduated to complex examples
so soon.

Is there any easier to understand guide for me and others like me?

Thanks in advance.
With warm regards,
-Payal

From: paul.lewis at st-annes.oxford.ac.uk (Paul Lewis)
Date: Thu Nov 10 20:09:33 2005
Subject: [LARTC] Routing Configuration
Message-ID: <003701c5e62a$3a2c64d0$e7544381@SANNPJLTABLET>

Hi,

I have emailed the list before (email can be found here
http://mailman.ds9a.nl/pipermail/lartc/2005q4/017220.html) regarding this
matter. Basically, I am trying to set up a router for my college, to route
conference guests over an adsl line, and students over an academic
connection.

I've looked at man ip(8), and a few examples, and think I have a
configuration that will work, but was wondering if somebody would mind
taking a look at it before I implement it (the system is currently live, so
I want to minimize downtime while implementing this change). The
configuration I have devised below is based on the tutorial here
(http://www.linuxquestions.org/questions/answers.php?action=viewarticle&artid=490).

The setup I have is shown below, along with the commands I think I will need
to run to set up routing correctly:

                    --------------------------------------
                    | eth2                          eth0 |      -----
                    | 192.168.7.253  --->  192.168.100.253 |----| ISP_1 |
 |------|           | 255.255.252.0        255.255.255.0  |      -----
 |      |           |                                     |
 | LAN  |-----------|              ROUTER                 |      WEB
 |      |           |                                     |
 |------|           | eth1                          eth3  |      -----
                    | 192.168.3.253  --->  192.168.20.253 |----| ISP_2 |
                    | 255.255.252.0        255.255.255.0  |      -----
                    --------------------------------------

echo "ISP_1" >> /etc/iproute2/rt_tables
echo "ISP_2" >> /etc/iproute2/rt_tables

ip route add 192.168.4.0/22 dev eth2 src 192.168.7.253 table ISP_1
ip route add default via 192.168.100.253 table ISP_1

ip route add 192.168.0.0/22 dev eth1 src 192.168.3.253 table ISP_2
ip route add default via 192.168.20.253 table ISP_2

ip rule add from 192.168.7.253 table ISP_1
ip rule add from 192.168.3.253 table ISP_2

If anyone could advise as to whether this is correct, or if there is
something I have completely missed or overlooked, or interpreted
incorrectly, it would be greatly appreciated.

Paul

---
Paul Lewis (paul.lewis@st-annes.ox.ac.uk)
JCR Computing Rep
St Anne's College
http://www.stannesjcr.org

From: unki at netshadow.at (Andreas Unterkircher)
Date: Thu Nov 10 20:12:16 2005
Subject: [LARTC] simple routing query
In-Reply-To: <20051110184748.GA11997@tranquility.scriptkitchen.com>
References: <20051110174536.GA10440@tranquility.scriptkitchen.com> <20051110183303.GA11910@tranquility.scriptkitchen.com> <4373947E.1080104@netshadow.at> <20051110184748.GA11997@tranquility.scriptkitchen.com>
Message-ID: <43739BC7.5040506@netshadow.at>

Solution? Leave it as it is or delete it :) It shouldn't cause any problem.
It's a local block of IP addresses and doesn't get routed.

Cheers,
Andreas

PS: But perhaps dhcpcd or pump is running in the background due to some
misconfiguration?

Payal Rathod wrote:
> On Thu, Nov 10, 2005 at 07:42:06PM +0100, Andreas Unterkircher wrote:
>
>> I had such an experience with SuSE on a server with two network
>> interfaces. While only one of them was
>> connected to the LAN with a fixed IP, the other was configured by YaST
>> to get its IP from a DHCP server.
>
> I too am on SuSE. One IP is my LAN IP but the SuSE box is the DHCP
> server itself. But many of my friends have seen this on their RedHat
> servers.
> 169.254.0.0/16 dev eth0 scope link
>
> Their machines had only 1 network card and had fixed IPs.
>
> What is the solution to this?
>
> With warm regards,
> -Payal

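The policy routing lookup that Paul's configuration above asks the kernel to perform, written out as a small model so the `ip rule` / `ip route` interaction can be traced offline. This is an added illustration, not the list's or iproute2's code: rules are consulted in priority order, a `from` selector matches the packet's source (a bare address is a /32), and the first table that yields a longest-prefix match wins. It shows that a packet the router itself sends from 192.168.7.253 leaves via ISP_1, while a packet forwarded from a LAN host such as 192.168.5.10 (constructed) matches neither `from` rule and falls through to `main`. Assumed, and not in the message: the connected routes in `main`, no default route in `main`, the outgoing devices for the two next hops (taken from the diagram), and the rule priorities `ip rule add` picks when none is given.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str                 # destination prefix, "0.0.0.0/0" for default
    dev: str
    via: Optional[str] = None   # next hop, if any
    src: Optional[str] = None   # preferred source address


@dataclass(frozen=True)
class Rule:
    priority: int
    table: str
    src: Optional[str] = None   # 'from' selector; None behaves like 'from all'


class Rpdb:
    """Minimal model of the routing policy database: rules in priority order,
    the first table with a (longest-prefix) match for the destination wins."""

    def __init__(self) -> None:
        self.tables: Dict[str, List[Route]] = {}
        self.rules: List[Rule] = []

    def route_add(self, table: str, route: Route) -> None:
        self.tables.setdefault(table, []).append(route)

    def rule_add(self, rule: Rule) -> None:
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.priority)

    def lookup_table(self, table: str, dst) -> Optional[Route]:
        best, best_len = None, -1
        for route in self.tables.get(table, []):
            net = ip_network(route.prefix)
            if dst in net and net.prefixlen > best_len:
                best, best_len = route, net.prefixlen
        return best

    def lookup(self, src: str, dst: str) -> Optional[Tuple[str, Route]]:
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        for rule in self.rules:
            if rule.src is not None and src_ip not in ip_network(rule.src):
                continue
            route = self.lookup_table(rule.table, dst_ip)
            if route is not None:
                return rule.table, route
        return None   # no table had a route: destination unreachable


def build_router() -> Rpdb:
    """Paul's ip route / ip rule commands plus what the kernel adds by itself."""
    r = Rpdb()
    # Built-in rules: local (0), main (32766), default (32767). The 'local'
    # table is left empty here; delivery to the router's own addresses is not modelled.
    r.rule_add(Rule(0, "local"))
    r.rule_add(Rule(32766, "main"))
    r.rule_add(Rule(32767, "default"))
    # Connected routes in 'main', derived from the addresses/netmasks in the diagram.
    r.route_add("main", Route("192.168.4.0/22", "eth2", src="192.168.7.253"))
    r.route_add("main", Route("192.168.100.0/24", "eth0", src="192.168.100.253"))
    r.route_add("main", Route("192.168.0.0/22", "eth1", src="192.168.3.253"))
    r.route_add("main", Route("192.168.20.0/24", "eth3", src="192.168.20.253"))
    # Assumption: no default route in 'main' (the message shows none).
    # ip route add ... table ISP_1 / ISP_2; next hops exactly as written in the
    # message, outgoing device assumed from the diagram.
    r.route_add("ISP_1", Route("192.168.4.0/22", "eth2", src="192.168.7.253"))
    r.route_add("ISP_1", Route("0.0.0.0/0", "eth0", via="192.168.100.253"))
    r.route_add("ISP_2", Route("192.168.0.0/22", "eth1", src="192.168.3.253"))
    r.route_add("ISP_2", Route("0.0.0.0/0", "eth3", via="192.168.20.253"))
    # ip rule add from <addr> table <T>: a bare address is a /32 selector.
    # Priorities just below 'main' are assumed (what ip rule picks when none is given).
    r.rule_add(Rule(32765, "ISP_1", src="192.168.7.253/32"))
    r.rule_add(Rule(32764, "ISP_2", src="192.168.3.253/32"))
    return r


def which_table(src: str, dst: str) -> Optional[str]:
    """Name of the table whose route a packet from src to dst would use, or None."""
    hit = build_router().lookup(src, dst)
    return None if hit is None else hit[0]


if __name__ == "__main__":
    for s in ("192.168.7.253", "192.168.3.253", "192.168.5.10"):
        print(s, "->", which_table(s, "203.0.113.10"))
```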
From: warlord at trust-b.com (Igor Krneta)
Date: Thu Nov 10 23:46:14 2005
Subject: [LARTC] cpu power needed for shaping
Message-ID: <4373CE98.7020101@trust-b.com>

Hello,
My company recently upgraded our internet connection and I need to set up
shaping. I was wondering what the CPU and RAM requirements are for shaping a
768/768 DSL line?

I have a few old P III's (450 MHz, 256 RAM) and some VIA Eden (533 MHz, 512
RAM) boxes lying around. Which one would be most appropriate? That box would
be a shaping only box, and all internet traffic would go through it.

From: bugfood-ml at fatooh.org (Corey Hickey)
Date: Fri Nov 11 01:25:08 2005
Subject: [LARTC] cpu power needed for shaping
In-Reply-To: <4373CE98.7020101@trust-b.com>
References: <4373CE98.7020101@trust-b.com>
Message-ID: <4373E4DE.3090508@fatooh.org>

Igor Krneta wrote:
> Hello,
> My company recently upgraded our internet connection and I need to set
> up shaping. I was wondering, what are the CPU and RAM requirements for
> shaping 768/768 DSL line?

Not much. I help take care of a P1-200 with 96MB RAM that does firewalling,
NAT, shaping, and load balancing for a T1 and a 6000/600 ADSL line. It never
comes close to having to work hard.

> I have a few old P III's (450 MHz, 256 RAM) and some VIA Eden (533 MHz,
> 512 RAM) boxes lying around. Which one would be most appropriate ?

Use whichever one you expect to be stable -- you don't want to have to deal
with crashes. Otherwise, I would use the faster machine just because it'll
be quicker to set up and administrate.

-Corey

From: pstaszewski at artcom.pl (Paweł Staszewski)
Date: Fri Nov 11 04:10:12 2005
Subject: [LARTC] action redirect and dummy interface
Message-ID: <43740B06.5090104@artcom.pl>

Hello, I have some problems on the 2.6.14 kernel with dummy and iproute :)

I have a server with 2 nics:

eth0 <> inet
eth1 <> lan

dummy0 (I want to shape incoming traffic from the lan machine on this
interface)

My config:

tc qdisc del dev dummy0 root

tc qdisc add dev dummy0 root handle 1: htb
tc class add dev dummy0 parent 1: classid 1:1 htb rate 100kbit ceil 100kbit
tc class add dev dummy0 parent 1: classid 1:2 htb rate 100kbit ceil 100kbit

tc filter add dev dummy0 protocol ip pref 1 parent 1: handle 1 fw classid 1:1
tc filter add dev dummy0 protocol ip pref 2 parent 1: handle 2 fw classid 1:2

ifconfig dummy0 up

tc qdisc del dev eth1 root
tc qdisc add dev eth1 root handle 1: htb

tc filter add dev eth1 parent 1:0 protocol ip prio 10 u32 \
    match ip dst 0/0 flowid 1:1 \
    action ipt -j MARK --set-mark 2 \
    action mirred egress redirect dev dummy0

tc qdisc del dev eth1 ingress
tc qdisc add dev eth1 ingress

tc filter add dev eth1 parent ffff: protocol ip prio 10 u32 \
    match ip src 0/0 flowid 1:1 \
    action ipt -j MARK --set-mark 1 \
    action mirred egress redirect dev dummy0

And I have only TXes on the dummy0 interface, no RX packets, and the lan
machine cannot communicate with the server and vice versa.

Any solutions... I read this post
http://oss.sgi.com/projects/netdev/archive/2004-04/msg00251.html
and I have the same config... but :)

From: pstaszewski at artcom.pl (Paweł Staszewski)
Date: Fri Nov 11 07:36:17 2005
Subject: [LARTC] action redirect and dummy interface
Message-ID: <43743B56.3080001@artcom.pl>

Hello, I have some problems on the 2.6.14 kernel with dummy and iproute :)

I have a server with 2 nics:

eth0 <> inet
eth1 <> lan

dummy0 (I want to shape incoming traffic from the lan machine on this
interface)

My config:

tc qdisc del dev dummy0 root

tc qdisc add dev dummy0 root handle 1: htb
tc class add dev dummy0 parent 1: classid 1:1 htb rate 100kbit ceil 100kbit
tc class add dev dummy0 parent 1: classid 1:2 htb rate 100kbit ceil 100kbit

tc filter add dev dummy0 protocol ip pref 1 parent 1: handle 1 fw classid 1:1
tc filter add dev dummy0 protocol ip pref 2 parent 1: handle 2 fw classid 1:2

ifconfig dummy0 up

tc qdisc del dev eth1 root
tc qdisc add dev eth1 root handle 1: htb

tc filter add dev eth1 parent 1:0 protocol ip prio 10 u32 \
    match ip dst 0/0 flowid 1:1 \
    action ipt -j MARK --set-mark 2 \
    action mirred egress redirect dev dummy0

tc qdisc del dev eth1 ingress
tc qdisc add dev eth1 ingress

tc filter add dev eth1 parent ffff: protocol ip prio 10 u32 \
    match ip src 0/0 flowid 1:1 \
    action ipt -j MARK --set-mark 1 \
    action mirred egress redirect dev dummy0

And I have only TXes on the dummy0 interface, no RX packets, and the lan
machine cannot communicate with the server and vice versa.

Any solutions... I read this post
http://oss.sgi.com/projects/netdev/archive/2004-04/msg00251.html
and I have the same config... but :)

From: talk2ram at gmail.com (ram)
Date: Fri Nov 11 10:04:49 2005
Subject: [LARTC] main adsl fail, backp and test
In-Reply-To: <20051109223128.GA29489@casa.e-den.it>
References: <20051109223128.GA29489@casa.e-den.it>

Look up "dead gateway detection" in Google, there are lots of examples there.

ram

On 11/10/05, Sandro Dentella wrote:
>
> hi all,
>
> I have a firewall with 2 gateways. Router A (main, adsl), router I
> (backup, isdn).
>
> In case of failure of adsl I switch to isdn. How can I know when it is
> time to go back? Which is a standard way to test the adsl line?
>
> TIA
> sandro
>
> --
> Sandro Dentella *:-)
> e-mail: sandro@e-den.it
> http://www.tksql.org TkSQL Home page - My GPL work

From: mark.lidstone at bmtseatech.co.uk (Mark Lidstone)
Date: Fri Nov 11 10:50:46 2005
Subject: [LARTC] Pfifo_fast "Unknown qdisc" and asking for basic design advice

Hi all,

I've done a search through the archives but I can't find a cause/solution to
this. I'm running a FC4 box with the stock 2.6.12 kernel and a FC2 box with
a stock 2.6.9 kernel. I'm obviously using iproute2 and the patched tc.

When I clear down the qdiscs with "tc qdisc del dev root" I get the
following in response to "tc qdisc":

qdisc pfifo_fast 0: dev eth0 [Unknown qdisc, optlen=20]
qdisc pfifo_fast 0: dev eth1 [Unknown qdisc, optlen=20]

Unfortunately I cannot add pfifo_fast as a queue type (I was hoping to use
one - see below). Have I missed something?

Secondly, I was wondering if anyone could look over what I am trying to do
and point out any stupid mistakes I've made. I am trying to get the
following setup working:

                     root
                      |
                     PRIO
              /       |       \
        _____/        |        \_____
       |              |              |
       0              1              2
   pfifo_fast        HTB            sfq
                  /  |  \  \
            _____/   |   \___\_____
           |         |       |     |
          sfq       sfq     sfq   sfq

Basically, we have 4 companies that will be sharing bandwidth on a
connection (the four sfq's at the bottom) and some video conferencing
equipment that needs priority over everything (the pfifo_fast). Have I
misunderstood anything vital here?

Many thanks,

Mark Lidstone
IT and Network Support Administrator
BMT SeaTech Ltd
Grove House, Meridians Cross, 7 Ocean Way
Ocean Village, Southampton. SO14 3TJ. UK
Tel: +44 (0)23 8063 5122
Fax: +44 (0)23 8063 5144
E-Mail: mailto:mark.lidstone@bmtseatech.co.uk
Website: www.bmtseatech.co.uk

From: jandre at megaserve.net (Jandre Olivier)
Date: Fri Nov 11 11:19:00 2005
Subject: [LARTC] simple routing query
In-Reply-To: <43739BC7.5040506@netshadow.at>
References: <20051110174536.GA10440@tranquility.scriptkitchen.com> <20051110183303.GA11910@tranquility.scriptkitchen.com> <4373947E.1080104@netshadow.at> <20051110184748.GA11997@tranquility.scriptkitchen.com> <43739BC7.5040506@netshadow.at>
Message-ID: <437470B1.4010703@megaserve.net>

How do I disable the zeroconf route so that the system will boot without
the 169.254.0.0 / 255.255.0.0 route?

by Cynthia Davis

Symptom:
Every time the system boots, the zeroconf route (169.254.0.0) is enabled.
You manually disable it by turning off the firewall and removing the route
with 169.254.0.0 / 255.255.0.0 using the route command. Example output of
route with the zeroconf route enabled would look similar to the following:

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.15.50.0      *               255.255.252.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0

Solution:
To disable the zeroconf route during system boot, edit the
/etc/sysconfig/network file and add the following NOZEROCONF value to the
end of the file:

NETWORKING=YES
HOSTNAME=localhost.localdomain
NOZEROCONF=yes

Additional Information:
Find out more about zeroconf at http://www.zeroconf.org/.

Jandre

Andreas Unterkircher wrote:
> Solution? Leave it as it is or delete it :) It shouldn't cause any problem.
> It's a local block of IP addresses and doesn't get routed.
>
> Cheers,
> Andreas
>
> PS: But perhaps dhcpcd or pump is running in the background due to some
> misconfiguration?
>
> Payal Rathod wrote:
>
>> On Thu, Nov 10, 2005 at 07:42:06PM +0100, Andreas Unterkircher wrote:
>>
>>> I had such an experience with SuSE on a server with two network
>>> interfaces. While only one of them was
>>> connected to the LAN with a fixed IP, the other was configured by
>>> YaST to get its IP from a DHCP server.
>>
>> I too am on SuSE. One IP is my LAN IP but the SuSE box is the DHCP
>> server itself. But many of my friends have seen this on their RedHat
>> servers.
>> 169.254.0.0/16 dev eth0 scope link
>>
>> Their machines had only 1 network card and had fixed IPs.
>>
>> What is the solution to this?
>>
>> With warm regards,
>> -Payal

--
localhost@localdomain.za.net

From: tomasz.paszkowski at e-wro.pl (Tomasz Paszkowski)
Date: Fri Nov 11 13:58:23 2005
Subject: [LARTC] action redirect and dummy interface
In-Reply-To: <43743B56.3080001@artcom.pl>
References: <43743B56.3080001@artcom.pl>
Message-ID: <20051111125813.GA13483@krezus.e-wro.net>

On Fri, Nov 11, 2005 at 07:33:58AM +0100, Paweł Staszewski wrote:
> Hello, I have some problems on the 2.6.14 kernel with dummy and iproute :)
[cut]
>
> And I have only TXes on the dummy0 interface, no RX packets, and the lan
> machine cannot communicate with the server and vice versa.
>

IMHO it's better to use imq.

--
Tomasz Paszkowski

From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Fri Nov 11 15:05:14 2005
Subject: [LARTC] action redirect and dummy interface
In-Reply-To: <43740B06.5090104@artcom.pl>
References: <43740B06.5090104@artcom.pl>
Message-ID: <4374A527.8040509@dsl.pipex.com>

Paweł Staszewski wrote:
> Hello i have some problems on 2.6.14 kernel dummy and iproute :)
>
> i have server with 2 nics :
>
> eth0 <> inet
> eth1 <> lan
>
> dummy0 (i want to shape incoming traffic from lan machine on this
> interface)

OK but the script sends both egress and ingress on eth1 to dummy0.

>
> my config:
> tc qdisc del dev dummy0 root
>
> tc qdisc add dev dummy0 root handle 1: htb
> tc class add dev dummy0 parent 1: classid 1:1 htb rate 100kbit ceil 100kbit
> tc class add dev dummy0 parent 1: classid 1:2 htb rate 100kbit ceil 100kbit
>
> tc filter add dev dummy0 protocol ip pref 1 parent 1: handle 1 fw classid 1:1
> tc filter add dev dummy0 protocol ip pref 2 parent 1: handle 2 fw classid 1:2
>
> ifconfig dummy0 up
>
> tc qdisc del dev eth1 root
> tc qdisc add dev eth1 root handle 1: htb
>
> tc filter add dev eth1 parent 1:0 protocol ip prio 10 u32 \
>   match ip dst 0/0 flowid 1:1 \
>   action ipt -j MARK --set-mark 2 \
>   action mirred egress redirect dev dummy0
>
> tc qdisc del dev eth1 ingress
> tc qdisc add dev eth1 ingress
>
> tc filter add dev eth1 parent ffff: protocol ip prio 10 u32 \
>   match ip src 0/0 flowid 1:1 \
>   action ipt -j MARK --set-mark 1 \
>   action mirred egress redirect dev dummy0

Apart from adding a modprobe this works for me using the attached dummy.c on 2.6.12.

>
> and i have only tx-es on dummy0 interface no rx packets and lan machine
> cannot comunicate with server and vice-versa
>
> any solutions ... i readed this post
> http://oss.sgi.com/projects/netdev/archive/2004-04/msg00251.html
> and i have the same config ... but :)

That patch didn't go into kernel and was superseded by another version which I attach - but AFAIK it's still not in kernel yet and jamal is still working on it.

Andy.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dummy.c.gz
Type: application/x-gzip
Size: 2952 bytes
Desc: not available
Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20051111/f14729bd/dummy.c.bin

From davidb at kth.se Fri Nov 11 15:21:15 2005
From: davidb at kth.se (David Blomberg)
Date: Fri Nov 11 15:21:24 2005
Subject: [LARTC] marked packets end up in wrong class
Message-ID: <48338.192.16.127.216.1131718875.squirrel@webmail.sys.kth.se>

Hello,

I have recently started looking at tc and iptables. I have an htb-queue with two classes 1:10 and 1:20 where 1:20 is the default. Then I use iptables to mark all packets I send out on eth1. I then filter marked packets into class 1:10. I expected all packets sent on eth1 to end up in class 1:10, but some packets still go to 1:20. Did I do it wrong?

Thank you for any help.

regards,
David Blomberg

My script:
---------------------------------------------------------------------------
/sbin/tc qdisc add dev eth1 root handle 1: htb default 20 r2q 1
/sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 200kbit burst 15k
/sbin/tc class add dev eth1 parent 1:1 classid 1:10 htb rate 100kbit ceil 200kbit burst 15k
/sbin/tc class add dev eth1 parent 1:1 classid 1:20 htb rate 100kbit ceil 200kbit burst 15k
/sbin/tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
/sbin/tc qdisc add dev eth1 parent 1:20 handle 20: sfq perturb 10

# iptables
/sbin/iptables -F
/sbin/iptables -A OUTPUT -t mangle -o eth1 -j MARK --set-mark 1

/sbin/tc filter add dev eth1 protocol ip parent 1:0 prio 1 handle 1 fw flowid 1:10
---------------------------------------------------------------------------

#/sbin/tc -s qdisc ls dev eth1
qdisc htb 1: r2q 1 default 20 direct_packets_stat 0
 Sent 450040 bytes 3021 pkt (dropped 0, overlimits 152 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 10: parent 1:10 limit 128p quantum 1514b perturb 10sec
 Sent 448654 bytes 2988 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 20: parent 1:20 limit 128p quantum 1514b perturb 10sec
 Sent 1386 bytes 33 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

From andy.furniss at dsl.pipex.com Fri Nov 11 15:22:05 2005
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Fri Nov 11 15:22:08 2005
Subject: [LARTC] Pfifo_fast "Unknown qdisc" and asking for basic design advice
In-Reply-To:
References:
Message-ID: <4374A90D.6070804@dsl.pipex.com>

Mark Lidstone wrote:
> Hi all,
>
> I've done a search through the archives but I can't find a
> cause/solution to this.
>
> I'm running a FC4 box with the stock 2.6.12 kernel and a FC2 box with a
> stock 2.6.9 kernel. I'm obviously using
> iproute2 and the patched tc.
>
> When I clear down the qdiscs with "tc qdisc del dev root" I get
> the following in response to "tc qdisc":
>
> qdisc pfifo_fast 0: dev eth0 [Unknown qdisc, optlen=20]
> qdisc pfifo_fast 0: dev eth1 [Unknown qdisc, optlen=20]
>
> Unfortunately I cannot add pfifo_fast as a queue type (I was hoping to
> use one - see below). Have I missed something?

pfifo_fast is what you get as default on interfaces - it's just like prio but not meant to be used by you - I suppose you could nest prios, but in this case I think what you need is just pfifo or bfifo.

>
> Secondly, I was wondering if anyone could look over what I am trying to
> do and point out any stupid mistakes I've made. I am trying to get the
> following setup working:
>
>                  root
>                   |
>                   |
>                  PRIO
>                 / | \
>          ______/  |  \______
>          |        |        |
>          0        |        2
>      pfifo_fast   1       sfq
>                  HTB__________
>                 / | \         \
>          ______/  |  \______   \______
>          |        |        |         |
>         sfq      sfq      sfq       sfq
>
> Basically, we have 4 companies that will be sharing bandwidth on a
> connection (the four sfq's at the bottom) and some video conferencing
> equipment that needs priority over everything (the pfifo_fast). Have I
> misunderstood anything vital here?

You would be better off having htb as root so you can throttle traffic to below link speed. You can use htb's prio parameter to do much the same. Sfq is nice but the perturb causes packet reordering. I would think about trying to separate each customer's traffic into bulk and interactive as well and just use sfq on bulk.

Andy.

>
> Many thanks,
>
> Mark Lidstone
> IT and Network Support Administrator
>
> BMT SeaTech Ltd
> Grove House, Meridians Cross, 7 Ocean Way Ocean Village, Southampton.
> SO14 3TJ. UK
> Tel: +44 (0)23 8063 5122
> Fax: +44 (0)23 8063 5144
>
> E-Mail: mailto:mark.lidstone@bmtseatech.co.uk
> Website: www.bmtseatech.co.uk
> ==========================================================================
> Confidentiality Notice and Disclaimer:
> The contents of this e-mail and any attachments are intended only for
> the use of the e-mail addressee(s) shown. If you are not that person, or
> one of those persons, you are not allowed to take any action based upon
> it or to copy it, forward, distribute or disclose the contents of it and
> you should please delete it from your system. BMT SeaTech Limited does
> not accept liability for any errors or omissions in the context of this
> e-mail or its attachments which arise as a result of Internet
> transmission, nor accept liability for statements which are those of the
> author and not clearly made on behalf of BMT SeaTech Limited.
> ==========================================================================
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From pstaszewski at artcom.pl Fri Nov 11 15:44:08 2005
From: pstaszewski at artcom.pl (Paweł Staszewski)
Date: Fri Nov 11 15:44:13 2005
Subject: [LARTC] action redirect and dummy interface
In-Reply-To: <4374A527.8040509@dsl.pipex.com>
References: <43740B06.5090104@artcom.pl> <4374A527.8040509@dsl.pipex.com>
Message-ID: <4374AE38.1010909@artcom.pl>

Andy Furniss wrote:
> Paweł Staszewski wrote:
>
>> Hello i have some problems on 2.6.14 kernel dummy and iproute :)
>>
>> i have server with 2 nics :
>>
>> eth0 <> inet
>> eth1 <> lan
>>
>> dummy0 (i want to shape incoming traffic from lan machine on this
>> interface)
>
> OK but the script sends both egress and ingress on eth1 to dummy0.
>
Yes i try to send ingress and egress packets from eth1 to dummy

>> my config:
>> tc qdisc del dev dummy0 root
>>
>> tc qdisc add dev dummy0 root handle 1: htb
>> tc class add dev dummy0 parent 1: classid 1:1 htb rate 100kbit ceil 100kbit
>> tc class add dev dummy0 parent 1: classid 1:2 htb rate 100kbit ceil 100kbit
>>
>> tc filter add dev dummy0 protocol ip pref 1 parent 1: handle 1 fw classid 1:1
>> tc filter add dev dummy0 protocol ip pref 2 parent 1: handle 2 fw classid 1:2
>>
>> ifconfig dummy0 up
>>
>> tc qdisc del dev eth1 root
>> tc qdisc add dev eth1 root handle 1: htb
>>
>> tc filter add dev eth1 parent 1:0 protocol ip prio 10 u32 \
>>   match ip dst 0/0 flowid 1:1 \
>>   action ipt -j MARK --set-mark 2 \
>>   action mirred egress redirect dev dummy0
>>
>> tc qdisc del dev eth1 ingress
>> tc qdisc add dev eth1 ingress
>>
>> tc filter add dev eth1 parent ffff: protocol ip prio 10 u32 \
>>   match ip src 0/0 flowid 1:1 \
>>   action ipt -j MARK --set-mark 1 \
>>   action mirred egress redirect dev dummy0
>
> Apart from adding a modprobe this works for me using the attached
> dummy.c on 2.6.12.
>
I load dummy on system start.

>> and i have only tx-es on dummy0 interface no rx packets and lan
>> machine cannot comunicate with server and vice-versa
>>
>> any solutions ... i readed this post
>> http://oss.sgi.com/projects/netdev/archive/2004-04/msg00251.html
>> and i have the same config ... but :)
>
> That patch didn't go into kernel and was superseeded by another
> version which I attach - but AFAIK it's still not in kernel yet and
> jamal is still working on it.
>
> Andy.

Ok thanks i try your attached patch tomorrow and try to do some tests.

From andy.furniss at dsl.pipex.com Fri Nov 11 16:15:36 2005
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Fri Nov 11 16:15:23 2005
Subject: [LARTC] Re: RED qdisc not working...
In-Reply-To: <6278d2220511071626j3646afa7n5ac33228e8b3fc82@mail.gmail.com>
References: <6278d2220511071626j3646afa7n5ac33228e8b3fc82@mail.gmail.com>
Message-ID: <4374B598.7000307@dsl.pipex.com>

Daniel J Blueman wrote:
> Has anyone been able to get the RED (random early detection) qdisc
> working lately?
>
> I can't get anything going through it to be dropped or marked; the
> 'marked', 'early', 'pdrop' and 'other' fields remain at 0 [1]. In my
> example script [2], I get the 3072Kbits/s transfer into eth0, which
> you'd expect if the RED qdisc wasn't there.
>
> I have tried with a recent 2.6.12 debian kernel and stock 2.6.14 on
> x86_64 debian. I built new iproute and iptables packages from latest
> clean upstream sources, but to no avail.
>
> Any ideas? Please CC me on replies, as I am not subscribed.
>
> Dan
>
> --- [1]
>
> # tc -s qdisc show dev eth0
> qdisc htb 1: r2q 10 default 10 direct_packets_stat 0
>  Sent 53985530 bytes 36757 pkts (dropped 0, overlimits 45125)
> qdisc red 10: parent 1:10 limit 512Kb min 64Kb max 128Kb
>  Sent 53985530 bytes 36757 pkts (dropped 0, overlimits 0)
>  marked 0 early 0 pdrop 0 other 0
>
> --- [2]
>
> tc qdisc del dev eth0 root
>
> tc qdisc add dev eth0 root handle 1: htb default 10
> tc class add dev eth0 parent 1: classid 1:1 htb rate 4096kbit ceil 4096kbit
> tc class add dev eth0 parent 1:1 classid 1:10 htb rate 3072kbit ceil 3072kbit
> tc qdisc add dev eth0 parent 1:10 handle 10: red \
>   limit 4096kbit min 512kbit max 1024kbit avpkt 1000 \
>   burst 100 probability 0.02 bandwidth 1024kbit
> ___
> Daniel J Blueman

You need to test with several tcp connections, one will not have a big enough rwin to fill the queue enough to reach the buffer thresholds - which for clarity I would specify in kb not kbit.

Andy.

From ethy.brito at inexo.com.br Fri Nov 11 16:20:16 2005
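Two things in Andy's reply are easy to get wrong by eye, so here is an added worked example (not code from the thread or from iproute2). The posted RED command gives its sizes as `kbit`, which tc's size parser treats as kibibits and converts to bytes; that is why `min 512kbit` comes back as `min 64Kb` in the stats. The block below mirrors that conversion (my reading of iproute2's size parsing, stated as an assumption), restates the thresholds with the unambiguous `kb` suffix Andy prefers, and works out how many bulk TCP flows are needed before the queue can even reach the `min` threshold, which is Andy's other point. The helper names and the 20 ms RTT are mine.

```python
import re

# Suffix multipliers as used by iproute2's size parser (assumption: get_size()
# in tc_util.c). "k"/"kb" are kibibytes; "kbit" is kibibits, i.e. 1024/8 bytes.
_SIZE_UNITS = {
    "": 1, "b": 1,
    "k": 1024, "kb": 1024, "kbit": 1024 // 8,
    "m": 1024 ** 2, "mb": 1024 ** 2, "mbit": 1024 ** 2 // 8,
    "g": 1024 ** 3, "gb": 1024 ** 3, "gbit": 1024 ** 3 // 8,
}


def tc_size_bytes(text):
    """Convert a tc size argument such as '512kbit' or '64kb' to bytes."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)([A-Za-z]*)\s*", text)
    if not m or m.group(2).lower() not in _SIZE_UNITS:
        raise ValueError(f"not a tc size argument: {text!r}")
    return int(float(m.group(1)) * _SIZE_UNITS[m.group(2).lower()])


def red_thresholds(limit, min_th, max_th):
    """Queue limit and RED thresholds in bytes, as the kernel receives them."""
    return {"limit": tc_size_bytes(limit),
            "min": tc_size_bytes(min_th),
            "max": tc_size_bytes(max_th)}


def in_kb(n_bytes):
    """Restate a byte count with the 'kb' suffix where that is exact."""
    return f"{n_bytes // 1024}kb" if n_bytes % 1024 == 0 else f"{n_bytes}b"


def flows_needed(min_th_bytes, rwin_bytes, bdp_bytes=0):
    """Lower bound on concurrent bulk TCP flows before the queue can hold
    min_th bytes.  A flow never has more than its receive window in flight,
    and bdp_bytes of the total sits on the wire rather than in the queue,
    so queued bytes cannot exceed flows * rwin - bdp."""
    return -(-(min_th_bytes + bdp_bytes) // rwin_bytes)   # ceiling division


if __name__ == "__main__":
    th = red_thresholds("4096kbit", "512kbit", "1024kbit")   # values from the post
    print({k: in_kb(v) for k, v in th.items()})              # limit 512kb, min 64kb, max 128kb
    link_bps, rtt_s = 3_072_000, 0.020                       # class rate from the post; RTT assumed
    bdp = int(link_bps * rtt_s / 8)
    print("bulk flows needed with a 64 KiB window:", flows_needed(th["min"], 65536, bdp))
```

With a single 64 KiB-window flow the queue can never hold more than the 64 KiB `min` threshold minus what is in transit, so RED's counters stay at zero exactly as the post reports; several parallel flows are needed before `early` and `pdrop` can move.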
From: ethy.brito at inexo.com.br (Ethy H. Brito)
Date: Fri Nov 11 16:20:19 2005
Subject: [LARTC] passive FTP trafic control
Message-ID: <20051111132016.5299021b@pulsar.inexo.com.br>

Hi All

How to classify packets belonging to a FTP session?

Port 21 session is easy. but what about data transfers? Their port numbers (both) are above 1024.

I was thinking about ip_conntrack_ftp. Something like:

iptables -A FORWARD -p tcp --sport 1024: --dport 1024: \
  -m state --state ESTABLISHED,RELATED -j CLASSIFY --set-class X:Y

But what if I also have ip_conntrack_irc, for instance. IRC packets will also be directed to X:Y class since they are RELATED packets.

How to make sure that only FTP RELATED packets will be CLASSIFY'ed??

--
Ethy H. Brito          /"\
InterNexo Ltda.        \ /  CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
+55 (12) 3941-6860      X   ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
S.J.Campos - Brasil    / \

From davidb at kth.se Fri Nov 11 16:32:58 2005
From andy.furniss at dsl.pipex.com Fri Nov 11 16:34:42 2005
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Fri Nov 11 16:34:39 2005
Subject: [LARTC] action redirect and dummy interface
In-Reply-To: <4374AE38.1010909@artcom.pl>
References: <43740B06.5090104@artcom.pl> <4374A527.8040509@dsl.pipex.com> <4374AE38.1010909@artcom.pl>
Message-ID: <4374BA12.9090009@dsl.pipex.com>

Paweł Staszewski wrote:
>> That patch didn't go into kernel and was superseeded by another
>> version which I attach - but AFAIK it's still not in kernel yet and
>> jamal is still working on it.
>
> Ok thanks i try your attached patch tommorow and try to do some tests.
>

OK - it's not a patch - just replace drivers/net/dummy.c with the uncompressed attachment.

Andy.

From andy.furniss at dsl.pipex.com Fri Nov 11 17:10:21 2005
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Fri Nov 11 17:10:09 2005
Subject: [LARTC] marked packets end up in wrong class
In-Reply-To: <48338.192.16.127.216.1131718875.squirrel@webmail.sys.kth.se>
References: <48338.192.16.127.216.1131718875.squirrel@webmail.sys.kth.se>
Message-ID: <4374C26D.2040603@dsl.pipex.com>

David Blomberg wrote:
> Hello,
>
> I have recently started looking at tc and iptables. I have an htb-queue
> with two classes 1:10 and 1:20 where 1:20 is the default. Then I use
> iptables to mark all packets I send out on eth1. I then filter marked
> packets into class 1:10. I expected all packets sent on eth1 to end up in
> class 1:10, but some packets still go to 1:20. Did I do it wrong?

> qdisc sfq 20: parent 1:20 limit 128p quantum 1514b perturb 10sec
>  Sent 1386 bytes 33 pkt (dropped 0, overlimits 0 requeues 0)

It's arp, iptables only sees ip traffic. If you don't specify an htb default it will pass unshaped (it would get dropped with hfsc). If you use a default class then I would use a tc filter ... protocol arp u32 match u32 0 0 .... to send it to a high prio/interactive class.

Andy.

From mark.lidstone at bmtseatech.co.uk Fri Nov 11 17:29:35 2005
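Andy's diagnosis can be checked from the numbers David posted, so here is an added example (not code from the thread). It parses `tc -s qdisc` output and computes the average packet size per leaf: the 1:20 leaf works out at exactly 42 bytes per packet, the length of an Ethernet ARP frame before the NIC pads it, which is traffic an iptables MARK rule never sees. It also builds, as a string, the ARP filter Andy describes. The sample text is David's output embedded as a constructed string; the function names and the 42-byte constant are mine.

```python
import re

# Constructed sample: the statistics from the post, as 'tc -s qdisc ls dev eth1' prints them.
SAMPLE_STATS = """\
qdisc htb 1: r2q 1 default 20 direct_packets_stat 0
 Sent 450040 bytes 3021 pkt (dropped 0, overlimits 152 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 10: parent 1:10 limit 128p quantum 1514b perturb 10sec
 Sent 448654 bytes 2988 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 20: parent 1:20 limit 128p quantum 1514b perturb 10sec
 Sent 1386 bytes 33 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
"""

# 14-byte Ethernet header + 28-byte ARP body: what the egress qdisc counts for
# an ARP request or reply (padding to 60 bytes happens later, in the NIC).
ARP_FRAME_LEN = 42

_QDISC_RE = re.compile(r"^qdisc (\S+) (\S+):(?: parent (\S+))?(?:.* default (\S+))?")
_SENT_RE = re.compile(r"^\s+Sent (\d+) bytes (\d+) pkt")


def parse_qdisc_stats(text):
    """Turn 'tc -s qdisc' output into dicts: kind, handle, parent, default, bytes, pkts."""
    stats = []
    for line in text.splitlines():
        m = _QDISC_RE.match(line)
        if m:
            stats.append({"kind": m.group(1), "handle": m.group(2) + ":",
                          "parent": m.group(3), "default": m.group(4),
                          "bytes": 0, "pkts": 0})
            continue
        m = _SENT_RE.match(line)
        if m and stats:                       # the Sent line belongs to the qdisc above it
            stats[-1]["bytes"], stats[-1]["pkts"] = int(m.group(1)), int(m.group(2))
    return stats


def leaf_average_sizes(stats):
    """Map each leaf's parent class (e.g. '1:20') to its average packet size in bytes."""
    return {s["parent"]: s["bytes"] / s["pkts"]
            for s in stats if s["parent"] and s["pkts"]}


def arp_sized_leaves(stats):
    """Leaf classes whose traffic averages exactly one ARP frame per packet:
    nothing in them carried IP, so no iptables rule could have marked it."""
    return [cls for cls, avg in leaf_average_sizes(stats).items()
            if avg == ARP_FRAME_LEN]


def arp_filter_command(dev, parent, flowid, prio=1):
    """The tc command (returned, not executed) that steers every ARP frame into
    flowid; 'match u32 0 0' matches any packet once 'protocol arp' has selected it."""
    return (f"tc filter add dev {dev} parent {parent} protocol arp prio {prio} "
            f"u32 match u32 0 0 flowid {flowid}")


if __name__ == "__main__":
    stats = parse_qdisc_stats(SAMPLE_STATS)
    for cls, avg in leaf_average_sizes(stats).items():
        print(f"{cls}: {avg:.1f} bytes/packet")
    print("non-IP leaves:", arp_sized_leaves(stats))
    print(arp_filter_command("eth1", "1:0", "1:10"))
```

The 42-byte average is a strong hint rather than proof (a stream of tiny UDP packets could average the same), so on a live box confirm it with a packet capture on the interface before changing the filters.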
From: mark.lidstone at bmtseatech.co.uk (Mark Lidstone)
Date: Fri Nov 11 17:30:29 2005
Subject: [LARTC] Pfifo_fast "Unknown qdisc" and asking for basic design advice
Message-ID:

Hi Andy,

Many thanks for the reply.

Is there a reason why the user is not supposed to use pfifo_fast? I don't think I need a full-on PRIO (surely pfifo_fast is more efficient if it is classless?). Sorry for asking, but I didn't come across this limitation in the documentation.

Following your suggestions, I've come up with the following:

#!/bin/sh
SQ="tc qdisc add dev eth0"
SC="tc class add dev eth0"
SF="tc filter add dev eth0"

tc qdisc del dev eth0 root

$SQ root handle 1:0 htb
$SC parent 1:0 classid 1:1 htb rate 4096kbit
$SC parent 1:1 classid 1:2 htb prio 0 rate 768kbit   #Video Conferencing
$SC parent 1:1 classid 1:3 htb prio 1 rate 1545kbit  #Company 1
$SC parent 1:1 classid 1:4 htb prio 1 rate 832kbit   #Company 2
$SC parent 1:1 classid 1:5 htb prio 1 rate 713kbit   #Company 3
$SC parent 1:1 classid 1:6 htb prio 1 rate 238kbit   #Company 4

$SQ parent 1:2 handle 5:0 prio  #Video Conferencing
$SQ parent 1:3 handle 6:0 prio  #Company 1
$SQ parent 1:4 handle 7:0 prio  #Company 2
$SQ parent 1:5 handle 8:0 prio  #Company 3
$SQ parent 1:6 handle 9:0 prio  #Company 4

$SF parent 1:0 protocol ip prio 0 u32 match ip src 1.2.3.4/32 flowid 5:0
$SF parent 1:0 protocol ip prio 0 u32 match ip src 1.2.3.5/32 flowid 6:0
$SF parent 1:0 protocol ip prio 0 u32 match ip src 1.2.3.6/32 flowid 7:0
$SF parent 1:0 protocol ip prio 0 u32 match ip src 1.2.3.7/32 flowid 8:0
$SF parent 1:0 protocol ip prio 0 u32 match ip src 1.2.3.8/32 flowid 9:0

(I've a horrible feeling there's something obviously and fundamentally wrong with this)

What happens with any traffic not from these IPs?

Many thanks,

Mark Lidstone
IT and Network Support Administrator

BMT SeaTech Ltd
Grove House, Meridians Cross, 7 Ocean Way Ocean Village, Southampton. SO14 3TJ. UK
Tel: +44 (0)23 8063 5122
Fax: +44 (0)23 8063 5144

E-Mail: mailto:mark.lidstone@bmtseatech.co.uk
Website: www.bmtseatech.co.uk
==========================================================================
Confidentiality Notice and Disclaimer:
The contents of this e-mail and any attachments are intended only for the use of the e-mail addressee(s) shown. If you are not that person, or one of those persons, you are not allowed to take any action based upon it or to copy it, forward, distribute or disclose the contents of it and you should please delete it from your system. BMT SeaTech Limited does not accept liability for any errors or omissions in the context of this e-mail or its attachments which arise as a result of Internet transmission, nor accept liability for statements which are those of the author and not clearly made on behalf of BMT SeaTech Limited.
==========================================================================

-----Original Message-----
From: Andy Furniss [mailto:andy.furniss@dsl.pipex.com] Sent: 11 November 2005 14:22 To: Mark Lidstone Cc: lartc@mailman.ds9a.nl Subject: Re: [LARTC] Pfifo_fast "Unknown qdisc" and asking for basic design advice Mark Lidstone wrote: > Hi all, > > I've done a search through the archives but I can't find a > cause/solution to this. > > I'm running a FC4 box with the stock 2.6.12 kernel and a FC2 box with > a stock 2.6.9 kernel. I'm obviously using > iproute2 and the patched tc. > > When I clear down the qdiscs with "tc qdisc del dev root" I get > the following in response to "tc qdisc": > > qdisc pfifo_fast 0: dev eth0 [Unknown qdisc, optlen=20] > qdisc pfifo_fast 0: dev eth1 [Unknown qdisc, optlen=20] > > Unfortunately I cannot add pfifo_fast as a queue type (I was hoping to > use one - see below). Have I missed something? pfifo_fast is what you get as default on interfaces - it's just like prio but not meant to be used by you - I suppose you could nest prios, but in this case I think what you need is just pfifo or bfifo. > > Secondly, I was wondering if anyone could look over what I am trying > to do and point out any stupid mistakes I've made. I am trying to get > the following setup working: > > root > | > | > PRIO > / | \ > ______/ | \______ > | | | > 0 | 2 > pfifo_fast 1 sfq > HTB__________ > / | \ \ > ______/ | \______ \______ > | | | | > sfq sfq sfq sfq > > Basically, we have 4 companies that will be sharing bandwidth on a > connection (the four sfq's at the bottom) and some video conferencing > equipment that needs priority over everything (the pfifo_fast). Have > I misunderstood anything vital here? You would be better off having htb as root so you can throttle traffic to below link speed. You can htb's prio parameter to do much the same. Sfq is nice but the perturb causes packet reordering I would think about trying to seperate each customers traffic into bulk and interactive aswell and just use sfq on bulk. Andy. 
> > Many thanks, > > Mark Lidstone > IT and Network Support Administrator > > BMT SeaTech Ltd > Grove House, Meridians Cross, 7 Ocean Way Ocean Village, Southampton. > SO14 3TJ. UK > Tel: +44 (0)23 8063 5122 > Fax: +44 (0)23 8063 5144 > > E-Mail: mailto:mark.lidstone@bmtseatech.co.uk > Website: www.bmtseatech.co.uk > ====================================================================== > == > == > Confidentiality Notice and Disclaimer: > The contents of this e-mail and any attachments are intended only for > the use of the e-mail addressee(s) shown. If you are not that person, > or one of those persons, you are not allowed to take any action based > upon it or to copy it, forward, distribute or disclose the contents of > it and you should please delete it from your system. BMT SeaTech > Limited does not accept liability for any errors or omissions in the > context of this e-mail or its attachments which arise as a result of > Internet transmission, nor accept liability for statements which are > those of the author and not clearly made on behalf of BMT SeaTech Limited. > ====================================================================== > == > == > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > From andreas.klauer at metamorpher.de Fri Nov 11 19:28:21 2005 
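Mark's closing question (where traffic that matches none of his filters goes) and the `flowid` targets in his script can both be checked against a small model of how an HTB root qdisc places a packet. This is an added example, not code from the thread or from the kernel; it encodes HTB's classification rules as I understand them, stated here as an assumption: a filter result must name an HTB class (a leaf is used directly; an inner class with no filters of its own falls through), an id that is not an HTB class or no match at all goes to the `default` class, and with no `default` the packet takes HTB's direct, unshaped path, the one counted in `direct_packets_stat`. The class tree and the first filter set are Mark's; the second filter set, pointing at the leaf classes instead of the child qdisc handles, is mine.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

DIRECT = "direct"   # HTB's unshaped bypass, counted in direct_packets_stat

# Mark's class tree (classid -> parent) and his u32 filters (source prefix, flowid).
MARK_CLASSES = {"1:1": "1:", "1:2": "1:1", "1:3": "1:1",
                "1:4": "1:1", "1:5": "1:1", "1:6": "1:1"}
MARK_FILTERS = [("1.2.3.4/32", "5:0"), ("1.2.3.5/32", "6:0"), ("1.2.3.6/32", "7:0"),
                ("1.2.3.7/32", "8:0"), ("1.2.3.8/32", "9:0")]
# Constructed alternative: the same matches, but targeting the HTB leaf classes.
LEAF_FILTERS = [("1.2.3.4/32", "1:2"), ("1.2.3.5/32", "1:3"), ("1.2.3.6/32", "1:4"),
                ("1.2.3.7/32", "1:5"), ("1.2.3.8/32", "1:6")]


def leaf_classes(classes):
    """Classes that are nobody's parent; only these can hold packets."""
    return {cid for cid in classes if cid not in classes.values()}


def htb_classify(src, filters, classes, qdisc_handle="1:", default=None):
    """Model of where HTB puts a packet from src (assumption, see lead-in).
    filters is the ordered list of root filters; classes maps classid -> parent."""
    leaves = leaf_classes(classes)
    for prefix, flowid in filters:
        if ip_address(src) not in ip_network(prefix):
            continue
        if flowid == qdisc_handle:
            return DIRECT            # X:0 explicitly selects the direct flow
        if flowid not in classes:
            break                    # not an HTB class (e.g. a child qdisc handle)
        if flowid in leaves:
            return flowid
        break                        # inner class chosen; no inner filters in this model
    if default in leaves:
        return default
    return DIRECT


def where_traffic_goes(sources, filters, classes, default=None):
    """Count destinations for a list of source addresses."""
    return Counter(htb_classify(s, filters, classes, default=default) for s in sources)


if __name__ == "__main__":
    sample = ["1.2.3.4", "1.2.3.5", "10.0.0.9"]          # constructed: two customers, one stranger
    print("as posted:", where_traffic_goes(sample, MARK_FILTERS, MARK_CLASSES))
    print("leaf targets:", where_traffic_goes(sample, LEAF_FILTERS, MARK_CLASSES))
    print("leaf targets + default 1:6:",
          where_traffic_goes(sample, LEAF_FILTERS, MARK_CLASSES, default="1:6"))
```

Under this model the posted filters put every packet, matched or not, on the direct path, because `5:0` through `9:0` are qdisc handles rather than HTB class ids; with leaf targets the matched hosts are shaped and only unmatched traffic goes direct, and adding `default` to the `htb` root is what stops the unmatched traffic from bypassing the shaper.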
From: andreas.klauer at metamorpher.de (andreas.klauer@metamorpher.de)
Date: Fri Nov 11 19:28:39 2005
Subject: [LARTC] cpu power needed for shaping
In-Reply-To: <4373CE98.7020101@trust-b.com>
References: <4373CE98.7020101@trust-b.com>
Message-ID: <20051111192821.5nfxkeo3xfq8k8wk@www.metamorpher.de>

Quoting Igor Krneta :
> My company recently upgraded our internet connection and I need to
> set up shaping. I was wondering , what are the CPU and RAM
> requirements for shaping 768/768 DSL line ?

It all depends on how complicated you want your shaping setup to be and how many clients you have to serve. For example, in my home network with 5 client machines (and something like 10 classes / 5 filters per client), the old PII machine with 128MB of RAM I was using for this task was 95% idle all of the time... If you have thousands of classes and just as many filters, it probably would be different, though.

> I have a few old P III's (450 MHz, 256 RAM) and some VIA Eden (533
> MHz, 512 RAM) boxes lying around. Which one would be most appropriate
> ?

I think it's quite safe to say that in a normal setup any of these should be more than sufficient.

HTH
Andreas Klauer

From pstaszewski at artcom.pl Fri Nov 11 21:01:18 2005
From: pstaszewski at artcom.pl (Paweł Staszewski)
Date: Fri Nov 11 21:01:25 2005
Subject: [LARTC] action redirect and dummy interface
In-Reply-To: <4374BA12.9090009@dsl.pipex.com>
References: <43740B06.5090104@artcom.pl> <4374A527.8040509@dsl.pipex.com> <4374AE38.1010909@artcom.pl> <4374BA12.9090009@dsl.pipex.com>
Message-ID: <4374F88E.3050003@artcom.pl>

Andy Furniss wrote:
> Paweł Staszewski wrote:
>
>>> That patch didn't go into kernel and was superseeded by another
>>> version which I attach - but AFAIK it's still not in kernel yet and
>>> jamal is still working on it.
>>
>> Ok thanks i try your attached patch tommorow and try to do some tests.
>>
> OK - it's not a patch - just replace drivers/net/dummy.c with the
> uncompressed attachment.
>
> Andy.
>
ok i replace 2.6.14 dummy driver with yours and it is working.
thanks again

From lartc at dervishd.net Fri Nov 11 21:38:30 2005
From: lartc at dervishd.net (DervishD)
Date: Fri Nov 11 21:37:11 2005
Subject: [LARTC] passive FTP trafic control
In-Reply-To: <20051111132016.5299021b@pulsar.inexo.com.br>
References: <20051111132016.5299021b@pulsar.inexo.com.br>
Message-ID: <20051111203830.GD292@DervishD>

Hi Ethy :)

* Ethy H. Brito dixit:
> How to make shure that only FTP RELATED packets will be CLASSIFY'ed??

I can only suggest that you limit the source ports available to passive FTP. In my FTP server this can be configured, but probably in other servers you can do it too. Once you do this, it's quite easy to setup a "tc filter" to mark packages (or iptables if you prefer).

Raúl Núñez de Arenas Coronado
--
Linux Registered User 88736 | http://www.dervishd.net
http://www.pleyades.net & http://www.gotesdelluna.net
It's my PC and I'll cry if I want to...

From unki at netshadow.at Fri Nov 11 22:20:52 2005
From: unki at netshadow.at (Andreas Unterkircher)
Date: Fri Nov 11 22:19:50 2005
Subject: [LARTC] passive FTP trafic control
In-Reply-To: <20051111203830.GD292@DervishD>
References: <20051111132016.5299021b@pulsar.inexo.com.br> <20051111203830.GD292@DervishD>
Message-ID: <43750B34.9010409@netshadow.at>

You could try to match on helper within iptables. Should be something like

iptables -A FORWARD --match conntrack --ctproto tcp --ctstate RELATED,ESTABLISHED --match helper --helper ftp -j CLASSIFY ....

Perhaps this will match your data channel.

Cheers,
Andreas

DervishD wrote:
> Hi Ethy :)
>
> * Ethy H. Brito dixit:
>
>> How to make shure that only FTP RELATED packets will be CLASSIFY'ed??
>
> I can only suggest that you limit the source ports available to
> passive FTP. In my FTP server this can be configured, but probably in
> other servers you can do it too. Once you do this, it's quite easy to
> setup a "tc filter" to mark packages (or iptables if you prefer).
>
> Raúl Núñez de Arenas Coronado

From ryan.castellucci at gmail.com Sat Nov 12 21:26:23 2005
From: ryan.castellucci at gmail.com (Ryan Castellucci)
Date: Sat Nov 12 21:26:31 2005
Subject: [LARTC] Borrowing between HTB classes not working as expectd.
Message-ID: <118619310511121226g74c39bafs7a4ec4b5e6caf95@mail.gmail.com>

I'm using a fairly large number of classes, and borrowing is not working as expected... I've called this setting it up on an IMQ device with speed 1200/256 on a 1536/384 line. I'm then throwing a UDP data transfer at it that gets tossed in one of the class under parent 1:6. The classification is working fine, but when I try to ping out, ping times are in the 900ms range, even though pings are classified in the classes under 1:5, and speeds in classes under 1:4 are well under the 60% they should be getting.

Any idea what I've done wrong here? Perl code to set everything up below, if you comment out the system call, it'll list off all the tc commands executed.

How I wanted this to work is higher priority classes to get a shot at bandwidth first in excess of the base rates on all the other classes.

#!/usr/bin/perl -w
use strict;

# Usage: script.pl <dev> <speed_down_kbit> <speed_up_kbit>
my $dev = $ARGV[0];
my $speed_down = $ARGV[1];
my $speed_up = $ARGV[2];
my $tc_bin = "/sbin/tc";

tc("qdisc del dev $dev root");
tc("qdisc add dev $dev root handle 1:0 htb r2q 1 default 4");

# Top-level class everything else hangs off
tc("class add dev $dev parent 1:0 classid 1:2 htb ".
   "rate " . int($speed_up * 0.85) . "kbit ".
   "ceil " . int($speed_up * 0.85) . "kbit ".
   "prio 1 burst 64k");
tc("qdisc add dev $dev parent 1:2 handle 2: sfq perturb 10");

# Critical class
tc("class add dev $dev parent 1:2 classid 1:3 htb ".
   "rate " . int($speed_down * 0.05 + 64) . "kbit ".
   "ceil " . int($speed_down * 0.05 + 64 + ($speed_up * 0.10)) . "kbit ".
   "prio 2 burst 64k");
tc("qdisc add dev $dev parent 1:3 handle 3: sfq perturb 10");

# High class
tc("class add dev $dev parent 1:2 classid 1:4 htb ".
   "rate " . int($speed_up * 0.50) . "kbit ".
   "ceil " . int($speed_up * 0.95) . "kbit ".
   "prio 3 burst 64k");
tc("qdisc add dev $dev parent 1:4 handle 4: sfq perturb 10");

# Med class
tc("class add dev $dev parent 1:2 classid 1:5 htb ".
   "rate " . int($speed_up * 0.40) . "kbit ".
   "ceil " . int($speed_up * 0.95) . "kbit ".
   "prio 5 burst 64k");
tc("qdisc add dev $dev parent 1:5 handle 5: sfq perturb 10");

# Low class
tc("class add dev $dev parent 1:2 classid 1:6 htb ".
   "rate " . int($speed_up * 0.10) . "kbit ".
   "ceil " . int($speed_up * 0.80) . "kbit ".
   "prio 7 burst 64k");
tc("qdisc add dev $dev parent 1:6 handle 6: sfq perturb 10");

# One high/med/low leaf per host index; fw filters map the nfmark to the leaf
for (my $i=100;$i <= 110;$i++) {
    # High class
    tc("class add dev $dev parent 1:4 classid 1:" . ($i + 256) . " htb ".
       "rate " . int($speed_up * 0.50) . "kbit ".
       "ceil " . int($speed_up * 0.95) . "kbit ".
       "prio 4 burst 15k");
    tc("qdisc add dev $dev parent 1:" . ($i + 256) . " handle " . ($i + 256) . ": sfq perturb 10");
    tc("filter add dev $dev protocol ip parent 1: prio 5 handle " . tohex($i + 256) . " fw flowid 1:" . ($i + 256));

    # Med class
    tc("class add dev $dev parent 1:5 classid 1:" . ($i + 512) . " htb ".
       "rate " . int($speed_up * 0.40) . "kbit ".
       "ceil " . int($speed_up * 0.95) . "kbit ".
       "prio 6 burst 15k");
    tc("qdisc add dev $dev parent 1:" . ($i + 512) . " handle " . ($i + 512) . ": sfq perturb 10");
    tc("filter add dev $dev protocol ip parent 1: prio 5 handle " . tohex($i + 512) . " fw flowid 1:" . ($i + 512));

    # Low class
    tc("class add dev $dev parent 1:6 classid 1:" . ($i + 768) . " htb ".
       "rate " . int($speed_up * 0.10) . "kbit ".
       "ceil " . int($speed_up * 0.80) . "kbit ".
       "prio 8 burst 15k");
    tc("qdisc add dev $dev parent 1:" . ($i + 768) . " handle " . ($i + 768) . ": sfq perturb 10");
    tc("filter add dev $dev protocol ip parent 1: prio 5 handle " . tohex($i + 768) . " fw flowid 1:" . ($i + 768));
}

tc("filter add dev $dev protocol ip parent 1: prio 5 handle 0x3 fw flowid 1:3");

# Print and run one tc command; comment out the system() call for a dry run
sub tc {
    my $arg = shift;
    print "$tc_bin $arg\n";
    system($tc_bin,split(/ /,$arg));
}

sub tohex {
    return '0x' . sprintf("%2.2x",shift);
}

--
Ryan Castellucci
http://ryanc.org/

From andreas.klauer at metamorpher.de Sun Nov 13 01:10:21 2005
From: andreas.klauer at metamorpher.de (andreas.klauer@metamorpher.de)
Date: Sun Nov 13 01:10:45 2005
Subject: [LARTC] Borrowing between HTB classes not working as expectd.
In-Reply-To: <118619310511121226g74c39bafs7a4ec4b5e6caf95@mail.gmail.com>
References: <118619310511121226g74c39bafs7a4ec4b5e6caf95@mail.gmail.com>
Message-ID: <20051113011021.8arfa95999wbo4s4@www.metamorpher.de>

Quoting Ryan Castellucci :
> I've called this setting it up on an IMQ device with speed 1200/256
> on a 1536/384 line.

> Perl code to set everything up below, if you comment out the system call,
> it'll list off all the tc commands executed.

Hmmm, the output it produces for me is really weird. Could you post the output of 'tc -d qdisc show dev ' and 'tc -d class show dev ' somewhere, it's easier to understand and maybe that will make more sense to me.

The main problems in the output I get are that rates do not add up; children class rates added up together are higher than parent class rate, which means the children take more bandwidth for guaranteed than the parent can offer. Sometimes child class ceil rates are greater than parent class ceil rate, which should not be exceeded in any case (at least to my understanding of HTB).

By looking at your Perl code, you seem to be mixing up $speed_up and $speed_down quite a lot; at least to me it makes no sense to have a download class as child of an upload class, especially not with that much difference in available download/upload rate. But I'm not really a Perl programmer, so maybe I misunderstood this part.

HTH
Andreas

From ryan.castellucci at gmail.com Sun Nov 13 03:11:09 2005
From: ryan.castellucci at gmail.com (Ryan Castellucci)
Date: Sun Nov 13 03:11:14 2005
Subject: [LARTC] Borrowing between HTB classes not working as expectd.
In-Reply-To: <20051113011021.8arfa95999wbo4s4@www.metamorpher.de>
References: <118619310511121226g74c39bafs7a4ec4b5e6caf95@mail.gmail.com> <20051113011021.8arfa95999wbo4s4@www.metamorpher.de>
Message-ID: <118619310511121811g320b6385n6246510464c073ea@mail.gmail.com>

I did not mix these up. I'm using the 1:2 class for TCP and ICMP control packets, such as TCP acks which need an amount of bandwidth proportionate to the maximum download rate.

On 11/12/05, andreas.klauer@metamorpher.de wrote:
> Quoting Ryan Castellucci :
>
> > I've called this setting it up on an IMQ device with speed 1200/256
> > on a 1536/384 line.
>
> > Perl code to set everything up below, if you comment out the system call,
> > it'll list off all the tc commands executed.
>
> Hmmm, the output it produces for me is really weird. Could you post the output
> of 'tc -d qdisc show dev ' and 'tc -d class show dev '
> somewhere, it's easier to understand and maybe that will make more
> sense to me.
>
> The main problems in the output I get is that rates do not add up; children
> class rates added up together is higher than parent class rate, which
> means the
> children take more bandwidth for guaranteed than the parent can offer.
> Sometimes
> child class ceil rates is greater than parent class ceil rate, which
> should not
> be exceeded in any case (at least to my understanding of HTB).
>
> By looking at your Perl code, you seem to be mixing up $speed_up and
> $speed_down
> quite a lot; at least to me it makes no sense to have a download class
> as child
> of an upload class, especially not with that much difference in available
> download/upload rate. But I'm not really a Perl programmer, so maybe I
> misunderstood this part.

I did not mix these up.
I'm using the 1:2 class for TCP and ICMP control packets, such as TCP acks which need an amount of bandwidth proportionate to the maximum download rate.

The tc show output is attached.

--
Ryan Castellucci http://ryanc.org/

# tc -d qdisc show dev imq0;tc -d class show dev imq0
qdisc htb 1: r2q 1 default 4 direct_packets_stat 0 ver 3.17
qdisc sfq 3: parent 1:3 limit 128p quantum 1500b flows 128/1024 perturb 10sec
qdisc sfq 356: parent 1:356 limit 128p quantum 1500b flows 128/1024 perturb 10sec
qdisc sfq 612: parent 1:612 limit 128p quantum 1500b flows 128/1024 perturb 10sec
qdisc sfq 868: parent 1:868 limit 128p quantum 1500b flows 128/1024 perturb 10sec
qdisc sfq 357: parent 1:357 limit 128p quantum 1500b flows 128/1024 perturb 10sec
qdisc sfq 613: parent 1:613 limit 128p quantum 1500b flows 128/1024 perturb 10sec
qdisc sfq 869: parent 1:869 limit 128p quantum 1500b flows 128/1024 perturb 10sec
qdisc sfq 358: parent 1:358 limit 128p quantum 1500b flows 128/1024 perturb 10sec
qdisc sfq 614: parent 1:614 limit 128p quantum 1500b flows 128/1024 perturb 10sec
qdisc sfq 870: parent 1:870 limit 128p quantum 1500b flows 128/1024 perturb 10sec
qdisc sfq 359: parent 1:359 limit 128p quantum 1500b flows 128/1024 perturb 10sec
qdisc sfq 615: parent 1:615 limit 128p quantum 1500b flows 128/1024 perturb 10sec
qdisc sfq 871: parent 1:871 limit 128p quantum 1500b flows 128/1024 perturb 10sec
qdisc sfq 360: parent 1:360 limit 128p quantum 1500b flows 128/1024 perturb 10sec
qdisc sfq 616: parent 1:616 limit 128p quantum 1500b flows 128/1024 perturb 10sec
qdisc sfq 872: parent 1:872 limit 128p quantum 1500b flows 128/1024 perturb 10sec
qdisc sfq 361: parent 1:361 limit 128p quantum 1500b flows 128/1024 perturb 10sec
qdisc sfq 617: parent 1:617 limit 128p quantum 1500b flows 128/1024 perturb 10sec
qdisc sfq 873: parent 1:873 limit 128p quantum 1500b flows 128/1024 perturb 10sec
class htb 1:356 parent 1:4 leaf 356: prio 4 quantum 16000 rate 128000bit ceil 243000bit burst 15Kb/8 mpu 0b overhead 0b cburst 1902b/8 mpu 0b overhead 0b level 0
class htb 1:617 parent 1:5 leaf 617: prio 6 quantum 12750 rate 102000bit ceil 243000bit burst 15Kb/8 mpu 0b overhead 0b cburst 1902b/8 mpu 0b overhead 0b level 0
class htb 1:357 parent 1:4 leaf 357: prio 4 quantum 16000 rate 128000bit ceil 243000bit burst 15Kb/8 mpu 0b overhead 0b cburst 1902b/8 mpu 0b overhead 0b level 0
class htb 1:616 parent 1:5 leaf 616: prio 6 quantum 12750 rate 102000bit ceil 243000bit burst 15Kb/8 mpu 0b overhead 0b cburst 1902b/8 mpu 0b overhead 0b level 0
class htb 1:2 root rate 217000bit ceil 217000bit burst 64Kb/8 mpu 0b overhead 0b cburst 1870b/8 mpu 0b overhead 0b level 7
class htb 1:615 parent 1:5 leaf 615: prio 6 quantum 12750 rate 102000bit ceil 243000bit burst 15Kb/8 mpu 0b overhead 0b cburst 1902b/8 mpu 0b overhead 0b level 0
class htb 1:3 parent 1:2 leaf 3: prio 2 quantum 15500 rate 124000bit ceil 149000bit burst 64Kb/8 mpu 0b overhead 0b cburst 1785b/8 mpu 0b overhead 0b level 0
class htb 1:614 parent 1:5 leaf 614: prio 6 quantum 12750 rate 102000bit ceil 243000bit burst 15Kb/8 mpu 0b overhead 0b cburst 1902b/8 mpu 0b overhead 0b level 0
class htb 1:4 parent 1:2 rate 128000bit ceil 243000bit burst 64Kb/8 mpu 0b overhead 0b cburst 1902b/8 mpu 0b overhead 0b level 6
class htb 1:613 parent 1:5 leaf 613: prio 6 quantum 12750 rate 102000bit ceil 243000bit burst 15Kb/8 mpu 0b overhead 0b cburst 1902b/8 mpu 0b overhead 0b level 0
class htb 1:361 parent 1:4 leaf 361: prio 4 quantum 16000 rate 128000bit ceil 243000bit burst 15Kb/8 mpu 0b overhead 0b cburst 1902b/8 mpu 0b overhead 0b level 0
class htb 1:5 parent 1:2 rate 102000bit ceil 243000bit burst 64Kb/8 mpu 0b overhead 0b cburst 1902b/8 mpu 0b overhead 0b level 6
class htb 1:612 parent 1:5 leaf 612: prio 6 quantum 12750 rate 102000bit ceil 243000bit burst 15Kb/8 mpu 0b overhead 0b cburst 1902b/8 mpu 0b overhead 0b level 0
class htb 1:360 parent 1:4 leaf 360: prio 4 quantum 16000 rate 128000bit ceil 243000bit burst 15Kb/8 mpu 0b overhead 0b cburst 1902b/8 mpu 0b overhead 0b level 0
class htb 1:6 parent 1:2 rate 25000bit ceil 204000bit burst 64Kb/8 mpu 0b overhead 0b cburst 1854b/8 mpu 0b overhead 0b level 6
class htb 1:868 parent 1:6 leaf 868: prio 7 quantum 3125 rate 25000bit ceil 204000bit burst 15Kb/8 mpu 0b overhead 0b cburst 1854b/8 mpu 0b overhead 0b level 0
class htb 1:869 parent 1:6 leaf 869: prio 7 quantum 3125 rate 25000bit ceil 204000bit burst 15Kb/8 mpu 0b overhead 0b cburst 1854b/8 mpu 0b overhead 0b level 0
class htb 1:873 parent 1:6 leaf 873: prio 7 quantum 3125 rate 25000bit ceil 204000bit burst 15Kb/8 mpu 0b overhead 0b cburst 1854b/8 mpu 0b overhead 0b level 0
class htb 1:872 parent 1:6 leaf 872: prio 7 quantum 3125 rate 25000bit ceil 204000bit burst 15Kb/8 mpu 0b overhead 0b cburst 1854b/8 mpu 0b overhead 0b level 0
class htb 1:358 parent 1:4 leaf 358: prio 4 quantum 16000 rate 128000bit ceil 243000bit burst 15Kb/8 mpu 0b overhead 0b cburst 1902b/8 mpu 0b overhead 0b level 0
class htb 1:871 parent 1:6 leaf 871: prio 7 quantum 3125 rate 25000bit ceil 204000bit burst 15Kb/8 mpu 0b overhead 0b cburst 1854b/8 mpu 0b overhead 0b level 0
class htb 1:870 parent 1:6 leaf 870: prio 7 quantum 3125 rate 25000bit ceil 204000bit burst 15Kb/8 mpu 0b overhead 0b cburst 1854b/8 mpu 0b overhead 0b level 0
class htb 1:359 parent 1:4 leaf 359: prio 4 quantum 16000 rate 128000bit ceil 243000bit burst 15Kb/8 mpu 0b overhead 0b cburst 1902b/8 mpu 0b overhead 0b level 0

From ro0ot at phreaker.net Sun Nov 13 05:21:37 2005
From: ro0ot at phreaker.net (ro0ot)
Date: Sun Nov 13 05:21:59 2005
Subject: [LARTC] MSN keeps disconnecting with load balancing
Message-ID: <4376BF51.7040300@phreaker.net>

Hi,

I have my gateway with load balancing traffic going out over two providers. Web browsing is fine...working great.

But, my clients (office staff) complain that MSN keeps disconnecting (in 5 mins). Why?

Please help me...

Regards,
ro0ot

From erik at ironsavior.net Sun Nov 13 05:39:17 2005
From: erik at ironsavior.net (Erik Elmore)
Date: Sun Nov 13 05:39:23 2005
Subject: [LARTC] MSN keeps disconnecting with load balancing
In-Reply-To: <4376BF51.7040300@phreaker.net>
References: <4376BF51.7040300@phreaker.net>
Message-ID: <82b4b0ec0511122039kd6671aem3cc83758986def6f@mail.gmail.com>

Just tell them that you have banned MSN B-)

On 11/12/05, ro0ot wrote:
> Hi,
>
> I have my gateway with load balancing traffic going out over two
> providers. Web browsing is fine...working great.
>
> But, my clients (office staff) complain that MSN keeps disconnecting
> (in 5 mins). Why?
>
> Please help me...
>
> Regards,
> ro0ot
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From rsenykoff at harrislogic.com Sun Nov 13 06:15:15 2005
From: rsenykoff at harrislogic.com (Ron Senykoff)
Date: Sun Nov 13 06:15:19 2005
Subject: [LARTC] MSN keeps disconnecting with load balancing
In-Reply-To: <82b4b0ec0511122039kd6671aem3cc83758986def6f@mail.gmail.com>
References: <4376BF51.7040300@phreaker.net> <82b4b0ec0511122039kd6671aem3cc83758986def6f@mail.gmail.com>
Message-ID:

> I have my gateway with load balancing traffic going out over two
> providers. Web browsing is fine...working great.
>
> But, my clients (office staff) complain that MSN keeps disconnecting
> (in 5 mins). Why?

I'm not sure why, but I have observed this behavior before. I seem to remember making a static route on the load balancer to make all traffic for the msn messaging servers go out a particular interface (not load balanced, but it really isn't much traffic anyway). Not the best solution, but it works.

X.X.X.X --> IP of msn server
Y.Y.Y.Y --> IP of the gateway

ip route add X.X.X.X/24 via Y.Y.Y.Y

From bugfood-ml at fatooh.org Sun Nov 13 06:19:49 2005
From: bugfood-ml at fatooh.org (Corey Hickey)
Date: Sun Nov 13 06:19:54 2005
Subject: [LARTC] MSN keeps disconnecting with load balancing
In-Reply-To: <4376BF51.7040300@phreaker.net>
References: <4376BF51.7040300@phreaker.net>
Message-ID: <4376CCF5.9080107@fatooh.org>

ro0ot wrote:
> Hi,
>
> I have my gateway with load balancing traffic going out over two
> providers. Web browsing is fine...working great.
>
> But, my clients (office staff) complain that MSN keeps disconnecting
> (in 5 mins). Why?

Do you mean MSN instant messenger? I've never used it, but I can give you a few generic steps to take when you want to figure out what's going wrong with a connection. Are you familiar with tcpdump and/or ethereal?

1. Go to the computer of a client who is complaining about disconnection.

2. ssh into your gateway and run:
# tcpdump -i eth0 host 123.123.123.123 and port not ssh
Change "eth0" to the inside interface and "123.123.123.123" to the IP address of your client.

3. See if tcpdump is catching lots and lots of packets. If it is, either stop programs on your client's machine that access the Internet or use more filters (like "and port not imaps").

4. Once you're not catching lots of extraneous packets, kill tcpdump and run:
# tcpdump -s 1500 -w log -i eth0 host 123.123.123.123 and port not ssh
Include any other filters you have to use.

5. Have your client start up their program, and then sit there and wait. Don't do anything else that would send packets through the gateway; you don't want to clutter up the log.

6. See if the problem manifests. Most likely it won't, because that's just the way things are :) , but if it does you'll have a log. Kill tcpdump and examine the file with:
# tcpdump -r log
If you want more verbosity, use "-v", "-vv", or "-vvv". Or, if you want to use a gui, copy the log file to some machine with X11 and use:
# ethereal -r log

-Corey

From ryan.castellucci at gmail.com Sun Nov 13 07:25:04 2005
From: ryan.castellucci at gmail.com (Ryan Castellucci)
Date: Sun Nov 13 07:25:10 2005
Subject: [LARTC] MSN keeps disconnecting with load balancing
In-Reply-To: <4376CCF5.9080107@fatooh.org>
References: <4376BF51.7040300@phreaker.net> <4376CCF5.9080107@fatooh.org>
Message-ID: <118619310511122225t58d04261j30a9bf84c64258c6@mail.gmail.com>

This problem is caused by the cached route to MSN expiring, and the kernel trying to route the existing connection over the other internet connection. If you're doing SNAT, this will result in the source IP address changing, and MSN will reset the connection.

On 11/12/05, Corey Hickey wrote:
> ro0ot wrote:
> > Hi,
> >
> > I have my gateway with load balancing traffic going out over two
> > providers. Web browsing is fine...working great.
> >
> > But, my clients (office staff) complain that MSN keeps disconnecting
> > (in 5 mins). Why?
>
> Do you mean MSN instant messenger? I've never used it, but I can give
> you a few generic steps to take when you want to figure out what's going
> wrong with a connection. Are you familiar with tcpdump and/or ethereal?
>
> 1. Go to the computer of a client who is complaining about disconnection.
>
> 2. ssh into your gateway and run:
> # tcpdump -i eth0 host 123.123.123.123 and port not ssh
> Change "eth0" to the inside interface and "123.123.123.123" to the IP
> address of your client.
>
> 3. See if tcpdump is catching lots and lots of packets. If it is, either
> stop programs on your client's machine that access the Internet or use
> more filters (like "and port not imaps").
>
> 4. Once you're not catching lots of extraneous packets, kill tcpdump and
> run:
> # tcpdump -s 1500 -w log -i eth0 host 123.123.123.123 and port not ssh
> Include any other filters you have to use.
>
> 5. Have your client start up their program, and then sit there and wait.
> Don't do anything else that would send packets through the gateway; you
> don't want to clutter up the log.
>
> 6. See if the problem manifests. Most likely it won't, because that's
> just the way things are :) , but if it does you'll have a log. Kill
> tcpdump and examine the file with:
> # tcpdump -r log
> If you want more verbosity, use "-v", "-vv", or "-vvv". Or, if you want
> to use a gui, copy the log file to some machine with X11 and use:
> # ethereal -r log
>
> -Corey

--
Ryan Castellucci http://ryanc.org/

From andreas.klauer at metamorpher.de Sun Nov 13 12:19:44 2005
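Ryan's diagnosis above (the cached route expiring and the SNAT source address changing under an established session) can be checked from a capture taken with Corey's `tcpdump -w` / `tcpdump -r` steps on the gateway's outside interfaces. The script below is an added example, not code from the thread: it parses `tcpdump -r` text output and flags sessions to port 1863 that leave with more than one source address, then looks for the server's RST to the new address. The sample lines, the 192.0.2.0/24 server address and the two SNAT addresses are constructed placeholders, and the grouping assumes SNAT kept the client's source port.

```python
"""Flag a TCP session whose source address changed mid-flow (SNAT flip).

Added example, not code from the thread. Input is the text output of
`tcpdump -r log` from the gateway's outside interfaces. A session to the
messaging port that is seen leaving with two different source addresses is
the symptom described in the thread; the server's RST to the new address
confirms it.
"""
import re
from collections import defaultdict

MSN_PORT = 1863  # session port the thread's mangle rule matches on

# tcpdump text line: "HH:MM:SS.usec IP a.b.c.d.sport > e.f.g.h.dport: flags ..."
# Old tcpdump prints flags as "S", ".", "P", "R"; newer as "Flags [S]".
_PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[^ ]+(?: \[[^\]]+\])?)"
)

# Constructed sample (placeholder addresses; 192.0.2.0/24 is TEST-NET-1):
# the session is set up with source 1.2.3.4, five minutes later a packet
# leaves with source 5.6.7.8 and the server resets it. Assumes SNAT kept the
# client's source port 40001, which it does when that port is free.
SAMPLE_LOG = """\
10:00:00.000000 IP 1.2.3.4.40001 > 192.0.2.10.1863: S 100:100(0) win 65535
10:00:00.050000 IP 192.0.2.10.1863 > 1.2.3.4.40001: S 500:500(0) ack 101 win 16384
10:00:00.051000 IP 1.2.3.4.40001 > 192.0.2.10.1863: . ack 501 win 65535
10:00:03.000000 IP 1.2.3.4.40002 > 192.0.2.20.443: S 1:1(0) win 65535
10:05:02.000000 IP 5.6.7.8.40001 > 192.0.2.10.1863: P 101:121(20) ack 501 win 65535
10:05:02.040000 IP 192.0.2.10.1863 > 5.6.7.8.40001: R 0:0(0) win 0
"""


def parse_tcpdump(text):
    """Return one dict per parsable packet line; other lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = _PKT_RE.match(line)
        if m is None:
            continue
        p = m.groupdict()
        p["sport"] = int(p["sport"])
        p["dport"] = int(p["dport"])
        packets.append(p)
    return packets


def find_source_flips(packets, dport=MSN_PORT):
    """Group outbound packets to dport by (client port, server address) and
    return the flows seen with more than one source address, as
    {(sport, dst): [sources in order of first appearance]}."""
    sources = defaultdict(list)
    for p in packets:
        if p["dport"] != dport:
            continue
        key = (p["sport"], p["dst"])
        if p["src"] not in sources[key]:
            sources[key].append(p["src"])
    return {k: v for k, v in sources.items() if len(v) > 1}


def reset_after_flip(packets, flips):
    """For each flipped flow, tell whether the server answered the newest
    source address with a RST."""
    confirmed = {}
    for (sport, dst), srcs in flips.items():
        new_src = srcs[-1]
        confirmed[(sport, dst)] = any(
            p["src"] == dst and p["dst"] == new_src and p["dport"] == sport
            and "R" in p["flags"]
            for p in packets
        )
    return confirmed


if __name__ == "__main__":
    pkts = parse_tcpdump(SAMPLE_LOG)
    flips = find_source_flips(pkts)
    for (sport, dst), srcs in flips.items():
        print(f"client port {sport} -> {dst}:{MSN_PORT} seen from {srcs}")
    print(reset_after_flip(pkts, flips))
```

Run it over a real capture with `tcpdump -r log -n | python3 this_script.py` after replacing `SAMPLE_LOG` with `sys.stdin.read()`; the `-n` keeps addresses numeric so the regex matches.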
From: andreas.klauer at metamorpher.de (andreas.klauer@metamorpher.de)
Date: Sun Nov 13 12:19:56 2005
Subject: [LARTC] Borrowing between HTB classes not working as expectd.
In-Reply-To: <118619310511121811g320b6385n6246510464c073ea@mail.gmail.com>
References: <118619310511121226g74c39bafs7a4ec4b5e6caf95@mail.gmail.com> <20051113011021.8arfa95999wbo4s4@www.metamorpher.de> <118619310511121811g320b6385n6246510464c073ea@mail.gmail.com>
Message-ID: <20051113121944.5yfmwytrsdmo0sc4@www.metamorpher.de>

Quoting Ryan Castellucci :

> I did not mix these up. I'm using the 1:2 class for TCP and ICMP
> control packets, such as TCP acks which need an amount of bandwidth
> proportionate to the maximum download rate.

There seems to be a misunderstanding of some kind. You say you're using the 1:2 class for control packets; but in the output you've sent, the 1:2 class is the root HTB class, so it should be (indirectly) used for everything. The only classes you can use directly (that means classify packets to) are the leaf classes (HTB classes which don't have any more children); in your setup that would be one of the 1:3, 356-361, 612-617, 869-873 leaf classes.

Class 1:2 has a rate/ceil of 217kbit. Children of this class are 1:3 (124/149), 1:4 (128/243), 1:5 (102/243), and 1:6 (25/204). As I said before, the problem is that the rates of these classes don't add up. These child classes added together for example use 124+128+102+25=379kbit, although the parent provides only 217kbit. Classes 1:4 and 1:5 in particular can borrow up to 243kbit each, although the parent class can provide only 217kbit in total. So how exactly do you expect the borrowing to work? Unless you have an understanding of the inner workings of HTB in great detail, the results of this setup are pretty much unpredictable.

The same problem can be found further down the tree; for example, the class 1:4 has a rate of 128kbit. Children of this class are 1:356-361, with a rate of 128kbit each.
Added together, they require a rate of 768kbit, but the parent class only provides 128kbit (or it would if the parent class of this parent class could provide as much).

Same story with 1:5 and 1:6.

The first thing you have to do is calculate the class rates so they add up properly. Otherwise you will never get anywhere near a predictable borrowing behaviour.

HTH
Andreas Klauer

From gentoo at databit7.com Sun Nov 13 14:29:54 2005
From: gentoo at databit7.com (gentoo@databit7.com)
Date: Sun Nov 13 14:29:59 2005
Subject: Again: Re: [LARTC] MSN keeps disconnecting with load balancing (fwd)
Message-ID:

This 'MSN' is a web site? I'm guessing it 'refresh'es every 5 minutes or so. They are probably testing cookies against the ip address they appear to be coming from. This is horribly reckless of them if they aren't offering IPv6. Are they?

The only way I have to remedy this problem is to get their IP range and bind it to the most stable connexion you have, defeating the load-balancing, almost, sorta, oh well...

You can TRY sending to MSN up either pipe but using the same src address in both cases. Some ISPs are really mean/useless and won't let you send from your own addresses if you don't lease them from the ISP. Boo. This will of course still bring the content all down one pipe still... upstream load balancing restored, downstream still skewed....

OR break the clients into two groups, those using pipe1 by default, those using pipe2 by default when talking to MSN. As long as both connexions stay up no one complains; if one goes down, half of them complain 'I got logged off'.

I'm sure you can rig a proxy on each upstream feed that conducts the signin process for them every time. So much work... oh well, best of luck.

On Sun, 13 Nov 2005, ro0ot wrote:

> Date: Sun, 13 Nov 2005 12:21:37 +0800
> From: ro0ot
> To: lartc@mailman.ds9a.nl
> Subject: [LARTC] MSN keeps disconnecting with load balancing
>
> Hi,
>
> I have my gateway with load balancing traffic going out over two
> providers. Web browsing is fine...working great.
>
> But, my clients (office staff) complain that MSN keeps disconnecting (in 5
> mins). Why?
>
> Please help me...
>
> Regards,
> ro0ot

Robin-David Hammond KB3IEN
www.aresnyc.org.

From ro0ot at phreaker.net Sun Nov 13 17:51:04 2005
From: ro0ot at phreaker.net (ro0ot)
Date: Sun Nov 13 17:59:39 2005
Subject: [LARTC] MSN keeps disconnecting with load balancing
In-Reply-To: <65aa6af90511122036q5774b9ffx7b4c0c309ec8eed3@mail.gmail.com>
References: <4376BF51.7040300@phreaker.net> <65aa6af90511122036q5774b9ffx7b4c0c309ec8eed3@mail.gmail.com>
Message-ID: <43776EF8.7060606@phreaker.net>

I have this in /etc/iproute2/rt_tables as below: -

216 https.out
219 msn.out

And, I have the below in my custom script: -

$IPTABLES -t nat -A POSTROUTING -o eth3 -j SNAT --to-source 1.2.3.4
$IPTABLES -t nat -A POSTROUTING -o eth4 -j SNAT --to-source 5.6.7.8

$IPTABLES -t mangle -A PREROUTING -i eth1 -p tcp --dport 443 -j MARK --set-mark 16
$IPTABLES -t mangle -A PREROUTING -i eth1 -p tcp --dport 1863 -j MARK --set-mark 19

ip rule add fwmark 16 table https.out
ip rule add fwmark 19 table msn.out

ip route add default via 1.2.3.4 dev eth3 table https.out
ip route add default via 1.2.3.4 dev eth3 table msn.out

But, still I am facing complaints...

Edmundo Carmona wrote:

>We have exactly the same problem in our load-balancing proxy.
>
>Remember that if you are load-balancing, traffic eventually will come
>out through another network interface, and hence, another source IP.
>
>The problem must be that the MSN service gets "confused" when it sees
>that the one session has changed source IPs... or maybe it's an IP
>stack problem and not related to the MSN specifically. Anybody can
>provide some more feedback on this? The IP session layer is supposed
>to keep sessions across changing IPs?
>
>Our "solution" was to tell the MSN clients to use a proxy server that
>has a single internet connection (separate from our main proxy server,
>which is the one loadbalancing).
>
>On 11/13/05, ro0ot wrote:
>>Hi,
>>
>>I have my gateway with load balancing traffic going out over two
>>providers. Web browsing is fine...working great.
>>
>>But, my clients (office staff) complain that MSN keeps disconnecting
>>(in 5 mins). Why?
>>
>>Please help me...
>>
>>Regards,
>>ro0ot

From oscar at ufomechanic.net Sun Nov 13 18:13:41 2005
From: oscar at ufomechanic.net (Oscar Mechanic)
Date: Sun Nov 13 18:14:07 2005
Subject: [LARTC] MSN keeps disconnecting with load balancing
In-Reply-To: <43776EF8.7060606@phreaker.net>
References: <4376BF51.7040300@phreaker.net> <65aa6af90511122036q5774b9ffx7b4c0c309ec8eed3@mail.gmail.com> <43776EF8.7060606@phreaker.net>
Message-ID: <1131902021.8826.57.camel@OSCARLAPLIN>

This is not a problem with linux; it is a simple fact of IP/TCP and applications.

A workaround is to put the IP into an ipt_recent list, then SNAT all that traffic the one way for a given time. There was an ipt_helper for MSN but I don't know where it is in development.

I use the route target in iptables rather than ip (sorry guys, but you can just do so much funky stuff with it).

So just to recap on my suggestion. Find the MSN traffic, e.g. whatever port it uses for session initiation, then put that ip into an ipt_recent list. Then check that list before you SNAT. This will SNAT all the traffic from that IP to one interface for a certain amount of time that you set, e.g. if it has not seen the packet within 600 secs clear it from the list.

I use this for VoIP to multiple SNAT targets.

On Mon, 2005-11-14 at 00:51 +0800, ro0ot wrote:
> I have this in /etc/iproute2/rt_tables as below: -
>
> 216 https.out
> 219 msn.out
>
> And, I have the below in my custom script: -
>
> $IPTABLES -t nat -A POSTROUTING -o eth3 -j SNAT --to-source 1.2.3.4
> $IPTABLES -t nat -A POSTROUTING -o eth4 -j SNAT --to-source 5.6.7.8
>
> $IPTABLES -t mangle -A PREROUTING -i eth1 -p tcp --dport 443 -j MARK
> --set-mark 16
> $IPTABLES -t mangle -A PREROUTING -i eth1 -p tcp --dport 1863 -j MARK
> --set-mark 19
>
> ip rule add fwmark 16 table https.out
> ip rule add fwmark 19 table msn.out
>
> ip route add default via 1.2.3.4 dev eth3 table https.out
> ip route add default via 1.2.3.4 dev eth3 table msn.out
>
> But, still I am facing complaints...
>
> Edmundo Carmona wrote:
>
> >We have exactly the same problem in our load-balancing proxy.
> >
> >Remember that if you are load-balancing, traffic eventually will come
> >out through another network interface, and hence, another source IP.
> >
> >The problem must be that the MSN service gets "confused" when it sees
> >that the one session has changed source IPs... or maybe it's an IP
> >stack problem and not related to the MSN specifically. Anybody can
> >provide some more feedback on this? The IP session layer is supposed
> >to keep sessions across changing IPs?
> >
> >Our "solution" was to tell the MSN clients to use a proxy server that
> >has a single internet connection (separate from our main proxy server,
> >which is the one loadbalancing).
> >
> >On 11/13/05, ro0ot wrote:
> >>Hi,
> >>
> >>I have my gateway with load balancing traffic going out over two
> >>providers. Web browsing is fine...working great.
> >>
> >>But, my clients (office staff) complain that MSN keeps disconnecting
> >>(in 5 mins). Why?
> >>
> >>Please help me...
> >>
> >>Regards,
> >>ro0ot

From ro0ot at phreaker.net Sun Nov 13 17:36:27 2005
From: ro0ot at phreaker.net (ro0ot)
Date: Sun Nov 13 19:30:49 2005
Subject: [LARTC] MSN keeps disconnecting with load balancing
In-Reply-To: <118619310511122225t58d04261j30a9bf84c64258c6@mail.gmail.com>
References: <4376BF51.7040300@phreaker.net> <4376CCF5.9080107@fatooh.org> <118619310511122225t58d04261j30a9bf84c64258c6@mail.gmail.com>
Message-ID: <43776B8B.7010802@phreaker.net>

Is it possible to increase the cached route timeout?

Yes, I am using SNAT, will MASQUERADE help?

Ryan Castellucci wrote:

>This problem is caused by the cached route to MSN expiring, and the
>kernel trying to route the existing connection over the other internet
>connection. If you're doing SNAT, this will result in the source IP
>address changing, and MSN will reset the connection.
>
>On 11/12/05, Corey Hickey wrote:
>>ro0ot wrote:
>>>Hi,
>>>
>>>I have my gateway with load balancing traffic going out over two
>>>providers. Web browsing is fine...working great.
>>>
>>>But, my clients (office staff) complain that MSN keeps disconnecting
>>>(in 5 mins). Why?
>>
>>Do you mean MSN instant messenger? I've never used it, but I can give
>>you a few generic steps to take when you want to figure out what's going
>>wrong with a connection. Are you familiar with tcpdump and/or ethereal?
>>
>>1. Go to the computer of a client who is complaining about disconnection.
>>
>>2. ssh into your gateway and run:
>># tcpdump -i eth0 host 123.123.123.123 and port not ssh
>>Change "eth0" to the inside interface and "123.123.123.123" to the IP
>>address of your client.
>>
>>3. See if tcpdump is catching lots and lots of packets. If it is, either
>>stop programs on your client's machine that access the Internet or use
>>more filters (like "and port not imaps").
>>
>>4. Once you're not catching lots of extraneous packets, kill tcpdump and
>>run:
>># tcpdump -s 1500 -w log -i eth0 host 123.123.123.123 and port not ssh
>>Include any other filters you have to use.
>>
>>5. Have your client start up their program, and then sit there and wait.
>>Don't do anything else that would send packets through the gateway; you
>>don't want to clutter up the log.
>>
>>6. See if the problem manifests. Most likely it won't, because that's
>>just the way things are :) , but if it does you'll have a log. Kill
>>tcpdump and examine the file with:
>># tcpdump -r log
>>If you want more verbosity, use "-v", "-vv", or "-vvv". Or, if you want
>>to use a gui, copy the log file to some machine with X11 and use:
>># ethereal -r log
>>
>>-Corey
>
>--
>Ryan Castellucci http://ryanc.org/

From ryan.castellucci at gmail.com Sun Nov 13 19:52:42 2005
From: ryan.castellucci at gmail.com (Ryan Castellucci)
Date: Sun Nov 13 19:52:45 2005
Subject: [LARTC] Borrowing between HTB classes not working as expectd.
In-Reply-To: <20051113121944.5yfmwytrsdmo0sc4@www.metamorpher.de>
References: <118619310511121226g74c39bafs7a4ec4b5e6caf95@mail.gmail.com> <20051113011021.8arfa95999wbo4s4@www.metamorpher.de> <118619310511121811g320b6385n6246510464c073ea@mail.gmail.com> <20051113121944.5yfmwytrsdmo0sc4@www.metamorpher.de>
Message-ID: <118619310511131052w710ac4fbi93563bba42351558@mail.gmail.com>

On 11/13/05, andreas.klauer@metamorpher.de wrote:
> Quoting Ryan Castellucci :
> > I did not mix these up. I'm using the 1:2 class for TCP and ICMP
> > control packets, such as TCP acks which need an amount of bandwidth
> > proportionate to the maximum download rate.
>
> There seems to be a misunderstanding of some kind. You say you're using
> the 1:2
> class for control packets; but in the output you've sent, the 1:2 class is the
> root HTB class, so it should be (indirectly) used for everything.

Erp, I meant 1:3.....

> The only
> classes you can use directly (that means classify packets to) are the leaf
> classes (HTB classes which don't have any more children), in your setup that
> would be one of the 1:3,356-361,612-617,869-873 leaf classes.
>
> Class 1:2 has a rate/ceil of 217kbit. Children of this class are 1:3
> (124/149),
> 1:4 (128/243), 1:5 (102/243), and 1:6 (25/204). As I said before, the problem
> is that the rates of these classes don't add up. These child classes added
> together for example use 124+128+102+25=379kbit, although the parent provides
> only 217kbit. Classes 1:4 and 1:5 in particular can borrow up to 243kbit each,
> although the parent class can provide only 217kbit in total. So how exactly do
> you expect the borrowing to work? Unless you have an understanding of
> the inner
> workings of HTB in great detail, the results of this setup are pretty much
> unpredictable.
>
> The same problem can be found further down the tree; for example, the
> class 1:4
> has a rate of 128kbit. Children of this class are 1:356-361, with a rate of
> 128kbit each. Added together, they require a rate of 768kbit, but the parent
> class only provides 128kbit (or it would if the parent class of this parent
> class could provide as much).
>
> Same story with 1:5 and 1:6.
>
> The first thing you have to do is calculate the class rates so they add up
> properly. Otherwise you will never get anywhere near a predictable borrowing
> behaviour.

I'll go through and make sure everything adds up, and try it again.

--
Ryan Castellucci http://ryanc.org/

From h2004409 at bits-pilani.ac.in Sun Nov 13 20:09:23 2005
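The rate and ceil bookkeeping Andreas did by hand in the HTB thread above, automated: an added example that is not part of the thread. It parses `tc -d class show dev <dev>` output in the format Ryan posted, reports children whose guaranteed rates sum past the parent's rate or whose ceil exceeds the parent's ceil, and includes a helper that splits a parent's rate so that the children add up. The sample listing is a trimmed copy of Ryan's output; `parse_htb_classes`, `check_htb_tree` and `split_rate` are names chosen here.

```python
"""Check HTB class-tree invariants in `tc -d class show dev <dev>` output.

Added example, not code from the thread. Two things HTB cannot honour:
children whose guaranteed rates add up to more than the parent's rate, and
a child ceil above the parent's ceil.
"""
import re
from collections import defaultdict

# Rate units as tc prints them: old versions print "128000bit", newer "128Kbit".
_UNITS = {"bit": 1, "Kbit": 1_000, "Mbit": 1_000_000, "Gbit": 1_000_000_000}

_CLASS_RE = re.compile(
    r"class htb (?P<id>\S+) (?:parent (?P<parent>\S+)|root)"
    r".*?\brate (?P<rate>\d+)(?P<rate_u>[KMG]?bit)"
    r" ceil (?P<ceil>\d+)(?P<ceil_u>[KMG]?bit)"
)

# Constructed sample: a trimmed copy of the listing posted in the thread
# (root 1:2, its four children, and two of the leaves under 1:4).
SAMPLE = """\
qdisc htb 1: r2q 1 default 4 direct_packets_stat 0 ver 3.17
class htb 1:2 root rate 217000bit ceil 217000bit burst 64Kb/8 mpu 0b overhead 0b cburst 1870b/8 mpu 0b overhead 0b level 7
class htb 1:3 parent 1:2 leaf 3: prio 2 quantum 15500 rate 124000bit ceil 149000bit burst 64Kb/8 mpu 0b overhead 0b cburst 1785b/8 mpu 0b overhead 0b level 0
class htb 1:4 parent 1:2 rate 128000bit ceil 243000bit burst 64Kb/8 mpu 0b overhead 0b cburst 1902b/8 mpu 0b overhead 0b level 6
class htb 1:5 parent 1:2 rate 102000bit ceil 243000bit burst 64Kb/8 mpu 0b overhead 0b cburst 1902b/8 mpu 0b overhead 0b level 6
class htb 1:6 parent 1:2 rate 25000bit ceil 204000bit burst 64Kb/8 mpu 0b overhead 0b cburst 1854b/8 mpu 0b overhead 0b level 6
class htb 1:356 parent 1:4 leaf 356: prio 4 quantum 16000 rate 128000bit ceil 243000bit burst 15Kb/8 mpu 0b overhead 0b cburst 1902b/8 mpu 0b overhead 0b level 0
class htb 1:357 parent 1:4 leaf 357: prio 4 quantum 16000 rate 128000bit ceil 243000bit burst 15Kb/8 mpu 0b overhead 0b cburst 1902b/8 mpu 0b overhead 0b level 0
"""


def parse_htb_classes(text):
    """Map classid -> {"parent": parentid or None, "rate": bit/s, "ceil": bit/s}."""
    classes = {}
    for line in text.splitlines():
        m = _CLASS_RE.search(line)
        if m is None:
            continue  # qdisc lines and non-HTB classes
        classes[m["id"]] = {
            "parent": m["parent"],  # None for the root class
            "rate": int(m["rate"]) * _UNITS[m["rate_u"]],
            "ceil": int(m["ceil"]) * _UNITS[m["ceil_u"]],
        }
    return classes


def check_htb_tree(classes):
    """Return a list of human-readable findings; empty means the tree adds up."""
    children = defaultdict(list)
    for cid, c in classes.items():
        if c["parent"] is not None:
            children[c["parent"]].append(cid)

    findings = []
    for pid in sorted(children):
        parent = classes.get(pid)
        if parent is None:
            findings.append(f"{pid}: parent class missing from listing")
            continue
        total = sum(classes[k]["rate"] for k in children[pid])
        if total > parent["rate"]:
            findings.append(
                f"{pid}: children rates sum to {total // 1000}kbit "
                f"but parent rate is {parent['rate'] // 1000}kbit"
            )
        for k in sorted(children[pid]):
            if classes[k]["ceil"] > parent["ceil"]:
                findings.append(
                    f"{k}: ceil {classes[k]['ceil'] // 1000}kbit exceeds "
                    f"parent {pid} ceil {parent['ceil'] // 1000}kbit"
                )
    return findings


def split_rate(parent_rate, weights):
    """Divide parent_rate among children in proportion to weights so that the
    children's rates sum exactly to parent_rate (rounding goes to the first)."""
    total = sum(weights)
    rates = [parent_rate * w // total for w in weights]
    rates[0] += parent_rate - sum(rates)
    return rates


if __name__ == "__main__":
    for finding in check_htb_tree(parse_htb_classes(SAMPLE)):
        print(finding)
    # e.g. split the 217kbit root 5:4:1 and give 1:4's six leaves equal shares
    print(split_rate(217_000, [5, 4, 1]), split_rate(108_500, [1] * 6))
```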
From: h2004409 at bits-pilani.ac.in (Amit Vyas)
Date: Sun Nov 13 20:07:51 2005
Subject: [LARTC] Diffserv Research Network
Message-ID:

Hi all,

We are a group of research students working on an IPv6 QoS-aware Grid. From our set of experiments we have a particular case: suppose a host A wants to initiate traffic of some kind to host B, where A and B are connected by two intermediate routers, and there can be other connections from the routers.

Our needs are as follows:

1. We assume that the routers are Diffserv routers and provide us QoS, but we will also assume that the routers are not within our network boundaries.

2. The network will work as a Best Effort network until our application requests the required end-to-end QoS.

3. Our application negotiates the QoS requirements and then the network sets it up for us dynamically.

Since we do not have any restrictions, we can also assume that the routers are in our domain, in case someone disagrees over end-to-end QoS in an Internet scenario.

We want to set up this research network environment. I would like to know:

1. How can we build such Diffserv routers which can understand and provide us QoS (signaling?). We have experience of statically setting up a QoS network environment with tc scripts.

2. How can we negotiate the dynamic setting up of QoS?

3. The concept of Active Networks, where store-and-forward networks are transformed into store-compute-and-forward networks, proposes that packets carry executable code with their data payload and it is executed at designated active nodes. So is it possible to have routers as active nodes for the traffic from an authenticated sender? But then is it possible in core Internet routers? If not, what can the possible solutions be, and if yes, how does one go about it?

In case you are interested, we have a thesis report for previous work which can be accessed here:
http://discovery/gridone/Piyush-Gupta-Revised-Final-Report-Dissertatyon-Oct-2005.pdf

Thanks in advance.

Amit Vyas
ME CS.
BITS Pilani.
From h2004409 at bits-pilani.ac.in Sun Nov 13 23:50:46 2005
From: h2004409 at bits-pilani.ac.in (Amit Vyas)
Date: Sun Nov 13 23:49:17 2005
Subject: [LARTC] Diffserv Research Network
In-Reply-To:
Message-ID:

Sorry about the link in the previous mail; the correct link is
http://discovery.bits-pilani.ac.in/gridone/Piyush-Gupta-Revised-Final-Report-Dissertatyon-Oct-2005.pdf

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Amit Vyas
Sent: Monday, November 14, 2005 12:39 AM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] Diffserv Research Network

From fernando.serto at memetrics.com Mon Nov 14 06:16:24 2005
From: fernando.serto at memetrics.com (Fernando Serto)
Date: Mon Nov 14 06:16:41 2005
Subject: [LARTC] another multipath problem
Message-ID:

Hi,

I've been trying to set up 2 DSL links in the office, both on the same firewall/router/gateway. The firewall is running kernel 2.6.11 (custom built on debian).

This is the network diagram:

      150.101.124.y/29 (internode's gw)
              |
              |
              |150.101.124.x/29 (eth2)
         +---------+
         |         |192.168.10.1/24 (eth1)
         |   FW    |------------------------
         |         |      192.168.10.0/24 (internal net)
         +---------+
              |203.100.236.x (ppp0)/61.8.x.x/24 (eth0)
              |
              |
      203.9.190.y (pacific.net's gw)

What I want to achieve:

I have a bunch of IPs on the 61.8.x.net/25 net, and they are routed via 203.9.190.y on one of our ISPs (Pacific Internet). This setup works fine, and I have heaps of NAT rules on the firewall to NAT traffic to internal servers on the 192.168.10.0/24 network.

We just got another DSL from another ISP, to have a few services running out of it. So we got 5 IPs on the 150.101.124.net/29 net, and I'm trying to also NAT them to internal servers. I want to have a few of the servers reachable from both ISPs. But more than that, I want to choose which of the servers should primarily go through a chosen link. I could manage to set up outgoing traffic from specific servers through Internode's DSL, as the default is Pacific Internet.

As you can see on my routing tables:

* main routing table:

root@fenestra:~# ip route sh tab main
203.9.190.y dev ppp0 proto kernel scope link src 203.100.236.x
203.100.236.x dev ppp0 scope link src 203.100.236.x
150.101.124.net/29 dev eth2 proto kernel scope link src 150.101.124.x
192.168.10.0/25 dev eth1 scope link src 192.168.10.1
61.8.x.net/25 dev eth0 scope link
192.168.10.0/24 dev eth1 proto kernel scope link src 192.168.10.1
127.0.0.0/8 dev lo scope link
default via 203.9.190.y dev ppp0

* internode routing table:

root@fenestra:~# ip route sh tab internode
203.100.236.x via 203.100.236.x dev ppp0
150.101.124.net/29 dev eth2 scope link src 150.101.124.x
61.8.x.net/25 dev eth0 scope link
192.168.10.0/24 via 192.168.10.1 dev eth1
127.0.0.0/8 dev lo scope link
default via 150.101.124.y dev eth2

* pacificnet routing table:

root@fenestra:~# ip route sh tab pacificnet
203.9.190.y dev ppp0 scope link src 203.100.236.x
203.100.236.x dev ppp0 scope link src 203.100.236.x
61.8.x.net/25 dev ppp0 scope link src 203.100.236.x
192.168.10.0/24 via 192.168.10.1 dev eth1
127.0.0.0/8 dev lo scope link
default via 203.9.190.190 dev ppp0

and on my routing rules:

root@fenestra:~# ip rule sh
0:      from all lookup local
32744:  from all to 192.168.10.20 lookup internode
32745:  from 192.168.10.20 lookup internode
32762:  from 150.101.124.178 lookup internode
32763:  from 203.100.236.222 lookup pacificnet
32766:  from all lookup main
32767:  from all lookup default

As an example, I'll use server 192.168.10.20. I could manage to make all traffic from that server go through Internode, but I couldn't figure out a way to create a NAT rule to access 192.168.10.20 from outside.

I have the following iptables NAT rules, that should NAT traffic to 150.101.124.x or 61.8.x.x on port 143 to port 22 on 192.168.10.20:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            150.101.124.x       tcp dpt:143 to:192.168.10.20:22
DNAT       tcp  --  0.0.0.0/0            61.8.x.x            tcp dpt:143 to:192.168.10.20:22

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.10.20        0.0.0.0/0           to:150.101.124.x

Telnetting to port 143 from an outside server on 61.8.x.x 143 works fine:

root@skywalker:~# telnet 61.8.29.31 143
Trying 61.8.29.31...
Connected to 61.8.29.31.
Escape character is '^]'.
SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4

But telnetting to the same port on 150.101.124.x doesn't; it actually does, but is incredibly slow.

Don't know if it's clear; if not, let me know and I'll clarify.

Thanks in advance!

Cheers,
Fernando

From lartc-337 at ccp.com.au Mon Nov 14 10:53:48 2005
From: lartc-337 at ccp.com.au (Lee Sanders)
Date: Mon Nov 14 10:53:56 2005
Subject: [LARTC] Using TBF to throttle a PC to 5kbps
Message-ID: <200511141753.48133.lartc-337@ccp.com.au>

Hi Everyone,

This is a simple question, but I don't understand why the below tbf is not working as expected by throttling traffic to 5kbps.

If I throttle a PC's traffic using the below, when traffic exceeds 5kbps packets start getting dropped (as they should), but all traffic gets dropped, not just the bit over 5kbps.

TC="tc qdisc add dev ppp0"
$TC parent 8001:2 handle 2: tbf rate 5kbps latency 50ms burst 1540

I can see the "dropped" counter increasing, the overlimits counter stays the same and there is a "backlog" counter with 21p or similar each time which also stays the same. To get traffic working again I have to delete the qdisc and add it again.

What am I doing wrong?

This is a Kubuntu machine running a 2.6.14 kernel; the tbf is a leaf qdisc for a WRR class.

Thanks in advance
Lee

p.s. if anyone can explain what the backlog is, I can't find it in the docco.

From jandre at megaserve.net Mon Nov 14 11:41:32 2005
From: jandre at megaserve.net (Jandre Olivier)
Date: Mon Nov 14 11:23:03 2005
Subject: [LARTC] MSN keeps disconnecting with load balancing
In-Reply-To: <43776EF8.7060606@phreaker.net>
References: <4376BF51.7040300@phreaker.net> <65aa6af90511122036q5774b9ffx7b4c0c309ec8eed3@mail.gmail.com> <43776EF8.7060606@phreaker.net>
Message-ID: <437869DC.1090805@megaserve.net>

I had similar problems; re-reading the docs seemed to solve my problem. When you create your routing tables, you must make sure the packet is returning on the same interface, because what I found happens is that after the caching expired, all my downloads used to break, including MSN.

This is an example of one interface's routing table; now for each interface do the same, then set up your default global scope:

$ip route add 10.0.1.0/24 dev eth2 src 10.0.1.50 table line1
$ip route add default via 10.0.1.19 table line1
$ip rule add from 10.0.1.50 table line1

$ip route add 10.0.2.0/24 dev eth3 src 10.0.2.50 table line2
$ip route add default via 10.0.2.19 table line2
$ip rule add from 10.0.2.50 table line2

hope this helps

J

ro0ot wrote:
> I have this in /etc/iproute2/rt_tables as below: -
>
> 216 https.out
> 219 msn.out
>
> And, I have the below in my custom script: -
>
> $IPTABLES -t nat -A POSTROUTING -o eth3 -j SNAT --to-source 1.2.3.4
> $IPTABLES -t nat -A POSTROUTING -o eth4 -j SNAT --to-source 5.6.7.8
>
> $IPTABLES -t mangle -A PREROUTING -i eth1 -p tcp --dport 443 -j MARK --set-mark 16
> $IPTABLES -t mangle -A PREROUTING -i eth1 -p tcp --dport 1863 -j MARK --set-mark 19
>
> ip rule add fwmark 16 table https.out
> ip rule add fwmark 19 table msn.out
>
> ip route add default via 1.2.3.4 dev eth3 table https.out
> ip route add default via 1.2.3.4 dev eth3 table msn.out
>
> But, still I am facing complaints...
>
> Edmundo Carmona wrote:
>
>> We have exactly the same problem in our load-balancing proxy.
>>
>> Remember that if you are load-balancing, traffic eventually will come
>> out through another network interface, and hence, another source IP.
>>
>> The problem must be that the MSN service gets "confused" when he sees
>> that the one session has changed source IPs... or maybe it's an IP
>> stack problem and not related to the MSN specifically. Anybody can
>> provide some more feedback on this? The IP session layer is supposed
>> to keep sessions across changing IPs?
>>
>> Our "solution" was to tell the MSN clients to use a proxy server that
>> has a single internet connection (separate from our main proxy server,
>> which is the one loadbalancing).
>>
>> On 11/13/05, ro0ot wrote:
>>
>>> Hi,
>>>
>>> I have my gateway with load balancing traffic going out over two
>>> providers. Web browsing is fine...working great.
>>>
>>> But, my clients (office staff) complain that MSN keeps disconnecting
>>> (in 5 mins). Why?
>>>
>>> Please help me...
>>>
>>> Regards,
>>> ro0ot

--
localhost@localdomain.za.net

From boy2eye at 263.net Mon Nov 14 15:32:08 2005
From: boy2eye at 263.net (bend chen)
Date: Mon Nov 14 15:29:56 2005
Subject: [LARTC] htb and hfsc
Message-ID: <20051114142953.87EF631FE8@smtp.263.net>

Hi, lartc!

I read some articles on linux qos; who can tell me about htb and hfsc, which is better?
I can't find information about hfsc.

Thanks for your help.

From jarod125 at yahoo.com Mon Nov 14 17:49:40 2005
From: jarod125 at yahoo.com (Gabriel)
Date: Mon Nov 14 17:49:50 2005
Subject: [LARTC] htb and hfsc
Message-ID: <20051114164940.37914.qmail@web60920.mail.yahoo.com>

On Mon, 14 Nov 2005 16:32:08 +0200, bend chen wrote:

> Hi, lartc!
>
> I read some articles on linux qos; who can tell me about htb and hfsc, which is better?
> I can't find information about hfsc.
>
> Thanks for your help.

http://luxik.cdi.cz/~devik/qos/htb/ htb home
http://www.cs.cmu.edu/~hzhang/HFSC/main.html first link in google when querying for hfsc

--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/

From ro0ot at phreaker.net Mon Nov 14 18:48:25 2005
From: ro0ot at phreaker.net (ro0ot)
Date: Mon Nov 14 19:45:55 2005
Subject: [LARTC] MSN keeps disconnecting with load balancing
In-Reply-To: <437869DC.1090805@megaserve.net>
References: <4376BF51.7040300@phreaker.net> <65aa6af90511122036q5774b9ffx7b4c0c309ec8eed3@mail.gmail.com> <43776EF8.7060606@phreaker.net> <437869DC.1090805@megaserve.net>
Message-ID: <4378CDE9.6070906@phreaker.net>

I have the similar lines below but it doesn't help, :(

ip route add 1.2.3.0/24 dev eth3 src 1.2.3.4 table 2
ip route add default via 1.2.3.3 table 2
ip rule add from 1.2.3.4 table 2

ip route add 5.6.7.0/24 dev eth4 src 5.6.7.8 table 3
ip route add default via 5.6.7.7 table 3
ip rule add from 5.6.7.8 table 3

Jandre Olivier wrote:
> I had similar problems; re-reading the docs seemed to solve my
> problem. When you create your routing tables, you must make sure the
> packet is returning on the same interface, because what I found happens
> is that after the caching expired, all my downloads used to break,
> including MSN.
>
> This is an example of one interface's routing table; now for each
> interface do the same, then set up your default global scope:
>
> $ip route add 10.0.1.0/24 dev eth2 src 10.0.1.50 table line1
> $ip route add default via 10.0.1.19 table line1
> $ip rule add from 10.0.1.50 table line1
>
> $ip route add 10.0.2.0/24 dev eth3 src 10.0.2.50 table line2
> $ip route add default via 10.0.2.19 table line2
> $ip rule add from 10.0.2.50 table line2
>
> hope this helps
>
> J
>
> ro0ot wrote:
>
>> I have this in /etc/iproute2/rt_tables as below: -
>>
>> 216 https.out
>> 219 msn.out
>>
>> And, I have the below in my custom script: -
>>
>> $IPTABLES -t nat -A POSTROUTING -o eth3 -j SNAT --to-source 1.2.3.4
>> $IPTABLES -t nat -A POSTROUTING -o eth4 -j SNAT --to-source 5.6.7.8
>>
>> $IPTABLES -t mangle -A PREROUTING -i eth1 -p tcp --dport 443 -j MARK --set-mark 16
>> $IPTABLES -t mangle -A PREROUTING -i eth1 -p tcp --dport 1863 -j MARK --set-mark 19
>>
>> ip rule add fwmark 16 table https.out
>> ip rule add fwmark 19 table msn.out
>>
>> ip route add default via 1.2.3.4 dev eth3 table https.out
>> ip route add default via 1.2.3.4 dev eth3 table msn.out
>>
>> But, still I am facing complaints...
>>
>> Edmundo Carmona wrote:
>>
>>> We have exactly the same problem in our load-balancing proxy.
>>>
>>> Remember that if you are load-balancing, traffic eventually will come
>>> out through another network interface, and hence, another source IP.
>>>
>>> The problem must be that the MSN service gets "confused" when he sees
>>> that the one session has changed source IPs... or maybe it's an IP
>>> stack problem and not related to the MSN specifically. Anybody can
>>> provide some more feedback on this? The IP session layer is supposed
>>> to keep sessions across changing IPs?
>>>
>>> Our "solution" was to tell the MSN clients to use a proxy server that
>>> has a single internet connection (separate from our main proxy server,
>>> which is the one loadbalancing).
>>>
>>> On 11/13/05, ro0ot wrote:
>>>
>>>> Hi,
>>>>
>>>> I have my gateway with load balancing traffic going out over two
>>>> providers. Web browsing is fine...working great.
>>>>
>>>> But, my clients (office staff) complain that MSN keeps disconnecting
>>>> (in 5 mins). Why?
>>>>
>>>> Please help me...
>>>>
>>>> Regards,
>>>> ro0ot

From ryan.castellucci at gmail.com Mon Nov 14 23:32:26 2005
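Jandre's advice in this thread ("make sure the packet is returning on the same interface") and the per-ISP tables Fernando posted in the multipath thread above both rest on one invariant: for every source address that selects a routing table, that table's default route must leave through the interface that carries the address, or replies go out the other ISP's link. The check below is an added example written for this page, not code from the thread or from iproute2. It reads the output of `ip rule show` plus the per-table output of `ip route show table <t>`; the `table <name>` header line in front of each table's routes is a convention of this example, the addresses are constructed documentation-range samples, and it handles IPv4 only.

```shell
#!/bin/sh
# Added example, not from the thread: verify that each "ip rule ... from
# <addr> lookup <table>" sends traffic sourced from <addr> out of the
# interface that actually carries <addr>, i.e. the "return on the same
# interface" condition for a multi-ISP gateway.

# routes_check RULES ROUTES
#   RULES  : output of "ip rule show"
#   ROUTES : output of "ip route show table <t>" for each table, each
#            block preceded by a constructed "table <t>" header line
# Prints one line per inconsistent rule; exit status 1 if any.  IPv4 only.
routes_check() {
    printf 'ROUTES\n%s\nRULES\n%s\n' "$2" "$1" | awk '
    function ip2n(s,  o) {
        split(s, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # true when address a lies inside prefix p ("a.b.c.d/len", or a host)
    function inside(a, p,  pp, n, len, d) {
        n = split(p, pp, "/"); len = (n == 2) ? pp[2] : 32; d = 2 ^ (32 - len)
        return int(ip2n(a) / d) == int(ip2n(pp[1]) / d)
    }
    function devof(  i) { for (i = 1; i < NF; i++) if ($i == "dev") return $(i + 1); return "" }

    $1 == "ROUTES" { mode = "routes"; next }
    $1 == "RULES"  { mode = "rules";  next }
    mode == "routes" && $1 == "table" { t = $2; next }
    mode == "routes" && NF > 0 {
        if ($1 == "default") { DEFDEV[t] = devof(); next }
        if ($1 ~ /^[0-9.]+(\/[0-9]+)?$/) {        # connected (on-link) route
            n = ++NLINK[t]; LINK[t, n] = $1; LDEV[t, n] = devof()
        }
        next
    }
    mode == "rules" && $2 == "from" && $3 != "all" && $4 == "lookup" {
        addr = $3; t = $5; ok = 0
        if (!(t in DEFDEV)) { printf "%s: table %s has no default route\n", addr, t; bad++; next }
        for (n = 1; n <= NLINK[t]; n++)
            if (LDEV[t, n] == DEFDEV[t] && inside(addr, LINK[t, n])) ok = 1
        if (!ok) { printf "%s: table %s replies via %s, which does not carry that address\n", addr, t, DEFDEV[t]; bad++ }
    }
    END { exit (bad > 0 ? 1 : 0) }'
}

# Constructed sample in the shape of "ip rule show" (documentation-range
# addresses stand in for the real ISP addresses in the thread).
RULES_OK='0:      from all lookup local
32762:  from 198.51.100.178 lookup internode
32763:  from 203.0.113.222 lookup pacificnet
32766:  from all lookup main'

# Constructed per-table routes: one ethernet ISP, one ppp ISP.
ROUTES_OK='table internode
198.51.100.176/29 dev eth2 proto kernel scope link src 198.51.100.178
default via 198.51.100.177 dev eth2
table pacificnet
203.0.113.222 dev ppp0 scope link src 203.0.113.222
192.0.2.1 dev ppp0 scope link src 203.0.113.222
default via 192.0.2.1 dev ppp0'

# Same tables, but the pacificnet default points at the other ISP's link.
ROUTES_BAD='table internode
198.51.100.176/29 dev eth2 proto kernel scope link src 198.51.100.178
default via 198.51.100.177 dev eth2
table pacificnet
203.0.113.222 dev ppp0 scope link src 203.0.113.222
default via 198.51.100.177 dev eth2'

echo "consistent tables:";   routes_check "$RULES_OK" "$ROUTES_OK" && echo "ok"
echo "inconsistent tables:"; routes_check "$RULES_OK" "$ROUTES_BAD" || echo "rejected"
```

Rules of the form `from all` are skipped, since they select a table for every source and say nothing about which link a given address belongs to; a `from <addr> to <dst>` rule like Fernando's `32744:` line is likewise not a source-address rule and is ignored.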
From: ryan.castellucci at gmail.com (Ryan Castellucci)
Date: Mon Nov 14 23:32:36 2005
Subject: [LARTC] Transfer speed exceeding the ceil
Message-ID: <118619310511141432o4bfbde1dj9178e3c166c67039@mail.gmail.com>

What's going on here? I'm spewing UDP traffic at this thing, and it is exceeding the ceil. Anyone know how to fix this?

class htb 1:613 parent 1:5 leaf 613: prio 6 quantum 2560 rate 20480bit ceil 103360bit burst 15Kb/8 mpu 0b overhead 0b cburst 1728b/8 mpu 0b overhead 0b level 0
 Sent 16591370 bytes 4159 pkt (dropped 39449, overlimits 0 requeues 0)
 rate 412384bit 6pps backlog 0b 126p requeues 0
 lended: 887 borrowed: 3146 giants: 1748
 tokens: -1605047 ctokens: -32828

--
Ryan Castellucci http://ryanc.org/

From andy.furniss at dsl.pipex.com Mon Nov 14 23:36:08 2005
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Mon Nov 14 23:35:48 2005
Subject: [LARTC] Pfifo_fast "Unknown qdisc" and asking for basic design advice
In-Reply-To:
References:
Message-ID: <43791158.9060501@dsl.pipex.com>

Mark Lidstone wrote:
> Hi Andy,
>
> Many thanks for the reply.
>
> Is there a reason why the user is not supposed to use pfifo_fast? I
> don't think I need a full-on PRIO (surely pfifo_fast is more efficient
> if it is classless?). Sorry for asking, but I didn't come across this
> limitation in the documentation.

Not sure really.

> Following your suggestions, I've come up with the following:
>
> #!/bin/sh
> SQ="tc qdisc add dev eth0"
> SC="tc class add dev eth0"
> SF="tc filter add dev eth0"
>
> tc qdisc del dev eth0 root
> $SQ root handle 1:0 htb
> $SC parent 1:0 classid 1:1 htb rate 4096kbit
> $SC parent 1:1 classid 1:2 htb prio 0 rate 768kbit    #Video Conferencing
> $SC parent 1:1 classid 1:3 htb prio 1 rate 1545kbit   #Company 1
> $SC parent 1:1 classid 1:4 htb prio 1 rate 832kbit    #Company 2
> $SC parent 1:1 classid 1:5 htb prio 1 rate 713kbit    #Company 3
> $SC parent 1:1 classid 1:6 htb prio 1 rate 238kbit    #Company 4
> $SQ parent 1:2 handle 5:0 prio    #Video Conferencing
> $SQ parent 1:3 handle 6:0 prio    #Company 1
> $SQ parent 1:4 handle 7:0 prio    #Company 2
> $SQ parent 1:5 handle 8:0 prio    #Company 3
> $SQ parent 1:6 handle 9:0 prio    #Company 4
>
> $SF parent 1:0 protocol ip prio 0 u32 match ip src 1.2.3.4/32 flowid 5:0
> $SF parent 1:0 protocol ip prio 0 u32 match ip src 1.2.3.5/32 flowid 6:0
> $SF parent 1:0 protocol ip prio 0 u32 match ip src 1.2.3.6/32 flowid 7:0
> $SF parent 1:0 protocol ip prio 0 u32 match ip src 1.2.3.7/32 flowid 8:0
> $SF parent 1:0 protocol ip prio 0 u32 match ip src 1.2.3.8/32 flowid 9:0
>
> (I've a horrible feeling there's something obviously and fundamentally
> wrong with this)
>
> What happens with any traffic not from these IPs?

You can use a catch-all filter after the others ...

u32 match u32 0 0 ..

Unlike htb, prio 1 is the top prio for filters.

Without knowing what your setup is, it's hard to say what's the best way in detail, e.g. where and what bandwidth the bottleneck links are and which end of them you are shaping.

Andy.

From brett at wrl.org Tue Nov 15 20:47:34 2005
From: brett at wrl.org (Brett Charbeneau)
Date: Mon Nov 21 22:28:21 2005
Subject: [LARTC] mpath2.sh script works - sort of
Message-ID:

Greetings all,

While I haven't given up on getting a dead gateway detection script a la nano.txt to work on my T1/DSL router box, I have taken a break and played with the mpath2.sh script that Robert Kurjata wrote back in 2001. This shows more promise in that I can actually get it to work - is it foolish to try and use this script for this purpose?

Here's my setup:

My router is a Debian box with a custom 2.4.31 kernel with Julian's routes-2.4.29-9.diff patch applied. It has three network cards in it:

ppp0   DSL
eth1   on the network with the T1 at the gateway
eth2   local non-routable subnet

The mpath2.sh script, when executed manually after boot, gets things going, but pointed to my secondary connection - in this case, the T1. If I execute mpath2.sh and then restart the network connections with

/etc/init.d/networking restart

then the primary gateway (on the DSL) comes right up as it should. If I unplug the DSL modem, the script changes the default route to the T1 perfectly.

QUESTIONS:

Is the mpath2.sh a dependable way to proceed?

What might I be doing wrong that causes the mpath2.sh script to route stuff in the wrong order until I restart the network connections?

I'd be MOST grateful for any tips anyone can find the time to share!

--
********************************************************************
Brett Charbeneau                    Network Administrator
Williamsburg Regional Library       7770 Croaker Road
Williamsburg, VA 23188-7064
(757)259-4044                       www.wrl.org
(757)259-4079 (fax)                 brett@wrl.org
********************************************************************

From shemminger at osdl.org Tue Nov 15 19:59:50 2005
From: shemminger at osdl.org (Stephen Hemminger)
Date: Mon Nov 21 22:28:29 2005
Subject: [LARTC] Pfifo_fast "Unknown qdisc" and asking for basic design advice
In-Reply-To:
References:
Message-ID: <20051115105950.459ed1ed@localhost.localdomain>

On Fri, 11 Nov 2005 09:50:03 -0000
"Mark Lidstone" wrote:

> Hi all,
>
> I've done a search through the archives but I can't find a
> cause/solution to this.
>
> I'm running a FC4 box with the stock 2.6.12 kernel and a FC2 box with a
> stock 2.6.9 kernel. I'm obviously using iproute2 and the patched tc.
>
> When I clear down the qdiscs with "tc qdisc del dev root" I get
> the following in response to "tc qdisc":
>
> qdisc pfifo_fast 0: dev eth0 [Unknown qdisc, optlen=20]
> qdisc pfifo_fast 0: dev eth1 [Unknown qdisc, optlen=20]

Current versions of iproute2 know about pfifo_fast.

> Unfortunately I cannot add pfifo_fast as a queue type (I was hoping to
> use one - see below). Have I missed something?

pfifo_fast is only suitable as a baseline with no other qdiscs involved. It can only sit directly on the device (at the bottom). It shouldn't be that much faster than doing it with prio and fifo for most things. The additional overhead of prio and fifo is mostly because they are in separate modules and that adds some memory locality penalty.

From psihozefir at yahoo.com Tue Nov 15 14:42:52 2005
From: psihozefir at yahoo.com (panca sorin)
Date: Mon Nov 21 22:28:39 2005
Subject: [LARTC] can I use tos and fwmark at the same time?
Message-ID: <20051115134253.6020.qmail@web32603.mail.mud.yahoo.com>

Hello lartc maintainers and users!

I have a router with two NICs. One NIC is connected to the Internet and the other to my internal LAN. I made a script for prioritizing interactive traffic. The script matches TOS Minimize-Delay for prioritizing interactive traffic, and fwmark for metropolitan packets. I have two root classes (simulating two circuits): 1:1 for internet and 1:3 for metropolitan. When I watch -n1 tc -s -d qdisc show, the classes that belong to metropolitan traffic (FE) on the two interfaces are not sending nor receiving any byte... Can someone help me out of this situation? I list my tc and iptables scripts below (for some reason I couldn't attach them - "Invalid file").

Thank you in advance!

---------------------------------------------------------------------------------------------------------------------
my_script.sh:

#!/bin/bash
tc=/sbin/tc
u=kbit
U=Mbit
RATE=256
metro=1

for eth in ` echo eth0 eth1 `; do
  $tc qdisc del dev $eth root &>/dev/null
  $tc qdisc add dev $eth root handle 1: htb default FF

  # class default - non-prioritized traffic
  $tc class add dev $eth parent 1: classid 1:1 htb rate $RATE$u ceil $[$RATE-16]$u
  $tc class add dev $eth parent 1:1 classid 1:FF htb rate 1$u ceil $[$RATE-16]$u prio 1
  $tc qdisc add dev $eth parent 1:FF handle FF: sfq perturb 10

  # prioritized traffic - Internet (TOS = Minimize-Delay)
  $tc class add dev $eth parent 1:1 classid 1:2 htb rate $[$RATE-16]$u ceil $[$RATE-16]$u burst 16k prio 0
  $tc filter add dev $eth parent 1: protocol ip prio 1 u32 match ip tos 0x10 0xff flowid 1:2
  $tc qdisc add dev $eth parent 1:2 handle 2: sfq perturb 10

  # metropolitan (MARK = 1)
  $tc class add dev $eth parent 1: classid 1:3 htb rate 100$U ceil 99$U
  $tc class add dev $eth parent 1:3 classid 1:FE htb rate 99$U ceil 99$U
  $tc qdisc add dev $eth parent 1:FE handle FE: sfq perturb 10
  $tc filter add dev $eth parent 1: protocol ip prio 0 handle $metro fw flowid 1:FE
done
----------------------------------------------------------------------------------------------------------------------
output of iptables-save (mangle PREROUTING):

-A PREROUTING -p tcp -m tcp --sport 80 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --dport 80 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --dport 443 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --sport 443 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --sport 5050 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --dport 5050 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --dport 6667 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --sport 6667 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --tcp-flags SYN ACK -j TOS --set-tos 0x10
-A PREROUTING -s 82.77.124.128/255.255.255.224 -d 82.77.124.128/255.255.255.224 -j MARK --set-mark 0x1
-A PREROUTING -s 82.77.124.128/255.255.255.224 -d 193.226.0.0/255.255.0.0 -j MARK --set-mark 0x1
-A PREROUTING -s 193.226.0.0/255.255.0.0 -d 82.77.124.128/255.255.255.224 -j MARK --set-mark 0x1
-A PREROUTING -s 192.129.0.0/255.255.0.0 -d 82.77.124.128/255.255.255.224 -j MARK --set-mark 0x1
-A PREROUTING -s 82.77.124.128/255.255.255.224 -d 192.129.0.0/255.255.0.0 -j MARK --set-mark 0x1

From ryan.castellucci at gmail.com Wed Nov 16 03:55:49 2005
From: ryan.castellucci at gmail.com (Ryan Castellucci)
Date: Mon Nov 21 22:28:54 2005
Subject: [LARTC] Re: UDP transfer speed exceeding the ceil by about 4x
In-Reply-To: <118619310511151258v614ebe13nce07e80726bbb146@mail.gmail.com>
References: <118619310511151258v614ebe13nce07e80726bbb146@mail.gmail.com>
Message-ID: <118619310511151855y722b6c5ci1ddc9ddb7591af29@mail.gmail.com>

Even more interesting details; this seems to only happen when the packets are fragmented.

On 11/15/05, Ryan Castellucci wrote:
> A bit more detail.
>
> I have the following htb classes set up...
>
> class htb 1:356 parent 1:4 leaf 356: prio 4 quantum 1600 rate 12800bit ceil 51680bit burst 15Kb/8 mpu 0b overhead 0b cburst 1663b/8 mpu 0b overhead 0b level 0
> class htb 1:357 parent 1:4 leaf 357: prio 4 quantum 1600 rate 12800bit ceil 51680bit burst 15Kb/8 mpu 0b overhead 0b cburst 1663b/8 mpu 0b overhead 0b level 0
> class htb 1:2 root rate 51200bit ceil 54400bit burst 64Kb/8 mpu 0b overhead 0b cburst 1667b/8 mpu 0b overhead 0b level 7
> class htb 1:3 parent 1:2 leaf 3: prio 2 quantum 10400 rate 83200bit ceil 88640bit burst 64Kb/8 mpu 0b overhead 0b cburst 1709b/8 mpu 0b overhead 0b level 0
> class htb 1:614 parent 1:5 leaf 614: prio 6 quantum 1500 rate 10240bit ceil 51680bit burst 15Kb/8 mpu 0b overhead 0b cburst 1663b/8 mpu 0b overhead 0b level 0
> class htb 1:4 parent 1:2 rate 25600bit ceil 51680bit burst 64Kb/8 mpu 0b overhead 0b cburst 1663b/8 mpu 0b overhead 0b level 6
> class htb 1:613 parent 1:5 leaf 612: prio 6 quantum 1500 rate 10240bit ceil 51680bit burst 15Kb/8 mpu 0b overhead 0b cburst 1663b/8 mpu 0b overhead 0b level 0
> class htb 1:5 parent 1:2 rate 20480bit ceil 51680bit burst 64Kb/8 mpu 0b overhead 0b cburst 1663b/8 mpu 0b overhead 0b level 6
> class htb 1:612 parent 1:5 leaf 612: prio 6 quantum 1500 rate 10240bit ceil 51680b burst 15Kb/8 mpu 0b overhead 0b cburst 1663b/8 mpu 0b overhead 0b level 0
> class htb 1:6 parent 1:2 rate 5120bit ceil 43520bit burst 64Kb/8 mpu 0b overhead 0b cburst 1653b/8 mpu 0b overhead 0b level 6
> class htb 1:868 parent 1:6 leaf 868: prio 7 quantum 1500 rate 2560bit ceil 43520bit burst 15Kb/8 mpu 0b overhead 0b cburst 1653b/8 mpu 0b overhead 0b level 0
> class htb 1:869 parent 1:6 leaf 869: prio 7 quantum 1500 rate 2560bit ceil 43520bit burst 15Kb/8 mpu 0b overhead 0b cburst 1653b/8 mpu 0b overhead 0b level 0
> class htb 1:358 parent 1:4 leaf 358: prio 4 quantum 1600 rate 12800bit ceil 51680bit burst 15Kb/8 mpu 0b overhead 0b cburst 1663b/8 mpu 0b overhead 0b level 0
> class htb 1:870 parent 1:6 leaf 870: prio 7 quantum 1500 rate 2560bit ceil 43520bit burst 15Kb/8 mpu 0b overhead 0b cburst 1653b/8 mpu 0b overhead 0b level 0
>
> and my traffic is being classified properly, however, UDP traffic is
> able to exceed the ceiling rate on 1:613 and its parents, and tops
> out at about 4x whatever I set that ceil to (I tried several values,
> and the UDP transfer rate always settled at about 4x the ceil).
>
> It manages to throttle TCP traffic just fine. ICMP exceeds the ceil
> slightly, but not enough to really worry me (about 3%)
>
> I've read through the documentation several times, but I don't see a
> whole lot. I also tried messing with the quantum, burst, and cburst,
> but that didn't really help.
>
> If anyone has any other ideas of what to try, I'd really appreciate
> it, as I'm kinda stuck here :(
>
> On 11/14/05, Ryan Castellucci wrote:
> > What's going on here? I'm spewing UDP traffic at this thing, and it is
> > exceeding the ceil. Anyone know how to fix this?
> >
> > class htb 1:613 parent 1:5 leaf 613: prio 6 quantum 2560 rate 20480bit ceil 103360bit burst 15Kb/8 mpu 0b overhead 0b cburst 1728b/8 mpu 0b overhead 0b level 0
> >  Sent 16591370 bytes 4159 pkt (dropped 39449, overlimits 0 requeues 0)
> >  rate 412384bit 6pps backlog 0b 126p requeues 0
> >  lended: 887 borrowed: 3146 giants: 1748
> >  tokens: -1605047 ctokens: -32828
> >
> > --
> > Ryan Castellucci http://ryanc.org/
>
> --
> Ryan Castellucci http://ryanc.org/

--
Ryan Castellucci http://ryanc.org/

From liyiyan8848 at 163.com Wed Nov 16 10:23:56 2005
From: liyiyan8848 at 163.com (李岩)
Date: Mon Nov 21 22:30:45 2005
Subject: [LARTC] about the equalize patch
Message-ID: <437AFAAC.0000B1.17687@bj163app31.163.com>

Hi Everyone,

Recently I am researching the load balancing of multipath. Someone told me that to make per-packet load balancing work, one must make use of the equalize patch, so I downloaded it and applied it to the kernel 2.4.20, and it works well. The other day, because of a system upgrade, I applied this patch to the linux kernel 2.4.30; the compiling is all right, but when the system deals with the network part, like ping, the system breaks down. So I want to inquire: does the equalize patch only support the kernels 2.4.18, 2.4.19 and 2.4.20? I can't find a new version of this. In addition, I hear that this patch can't support an SMP environment or a P4 with multi-threading; really?

I think the equalize patch is very useful; if it can't support the new kernel and device, I hope someone can modify and improve it to let this patch be used more widely.

In the end, if the above words are difficult to read, I am sorry for the poor English and will improve it later.

Thanks in Advance
Liyan, from China

From ryan.castellucci at gmail.com Tue Nov 15 18:23:34 2005
From: ryan.castellucci at gmail.com (Ryan Castellucci)
Date: Mon Nov 21 22:31:21 2005
Subject: [LARTC] UDP traffic going through leaf faster than ceil...
Message-ID: <118619310511150923w49e6c731ge9055bab4a2497ae@mail.gmail.com>

What's going on here? I'm spewing UDP traffic at this thing, and it is exceeding the ceil (I watched it for a few minutes, it didn't slow down). Anyone know how to fix this?

class htb 1:613 parent 1:5 leaf 613: prio 6 quantum 2560 rate 20480bit ceil 103360bit burst 15Kb/8 mpu 0b overhead 0b cburst 1728b/8 mpu 0b overhead 0b level 0
 Sent 16591370 bytes 4159 pkt (dropped 39449, overlimits 0 requeues 0)
 rate 412384bit 6pps backlog 0b 126p requeues 0
 lended: 887 borrowed: 3146 giants: 1748
 tokens: -1605047 ctokens: -32828

--
Ryan Castellucci http://ryanc.org/

From ryan.castellucci at gmail.com Tue Nov 15 19:32:57 2005
From: ryan.castellucci at gmail.com (Ryan Castellucci)
Date: Mon Nov 21 22:31:48 2005
Subject: [LARTC] Re: Transfer speed exceeding the ceil
In-Reply-To: <118619310511141432o4bfbde1dj9178e3c166c67039@mail.gmail.com>
References: <118619310511141432o4bfbde1dj9178e3c166c67039@mail.gmail.com>
Message-ID: <118619310511151032t668ed2f2x4cbc9d6939833742@mail.gmail.com>

Upon further examination, traffic seems to flow at about 4x whatever the ceil is set to.

On 11/14/05, Ryan Castellucci wrote:
> What's going on here? I'm spewing UDP traffic at this thing, and it is
> exceeding the ceil. Anyone know how to fix this?
>
> class htb 1:613 parent 1:5 leaf 613: prio 6 quantum 2560 rate 20480bit ceil 103360bit burst 15Kb/8 mpu 0b overhead 0b cburst 1728b/8 mpu 0b overhead 0b level 0
>  Sent 16591370 bytes 4159 pkt (dropped 39449, overlimits 0 requeues 0)
>  rate 412384bit 6pps backlog 0b 126p requeues 0
>  lended: 887 borrowed: 3146 giants: 1748
>  tokens: -1605047 ctokens: -32828
>
> --
> Ryan Castellucci http://ryanc.org/

--
Ryan Castellucci http://ryanc.org/

From andy.furniss at dsl.pipex.com Wed Nov 16 15:55:35 2005
From: andy.furniss at dsl.pipex.com (Andy Furniss) Date: Mon Nov 21 22:35:32 2005 Subject: [LARTC] Pfifo_fast "Unknown qdisc" and asking for basic design advice In-Reply-To: References: Message-ID: <437B4867.4030700@dsl.pipex.com> Mark Lidstone wrote: > Hi Andy, > > The situation is this: there are a total of four companies represented > in our building. We've all been looking at upgrading our Internet > connections from ADSL, and as we're all owned by the same parent company > it made sense to buy our bandwidth "in bulk". As such we're hoping to > get a 4Mb/4Mb pipe of some description. > > One of the drivers for going ahead with this is the fact that one of the > companies wants to start using some reasonably funky video conferencing > equipment. > > The four companies are not paying the same amount each for the > connection. Each company has agreed to pay an amount that represents > their expected usage of the system. To keep things fair, we would like > to shape the traffic on the link to reflect the amounts people are > paying. Also, the video conferencing equipment (as it will be available > to all the companies in the building) will need a guaranteed chunk of > bandwidth itself. > > We've looked at getting our ISP to provide the traffic shaping, but they > want to charge a large setup fee and quite a bit of money per quarter to > 'maintain' it (to leave the settings alone, in other words). I'm > looking at using a spare box we have here as a means of shaping our > outgoing traffic as an alternative. The idea is that downstream traffic > will still be better off than with a 20:1 contended ADSL. 
>
> The traffic will be split by IP, so the latest incarnation of the rules
> I have are:
>
> SQ="tc qdisc add dev eth0"
> SC="tc class add dev eth0"
> SF="tc filter add dev eth0"
>
> tc qdisc del dev eth0 root
> $SQ root handle 1:0 htb
> $SC parent 1:0 classid 1:1 htb rate 4mbit
> $SC parent 1:1 classid 1:2 htb rate kbit ceil 4mbit
> $SC parent 1:1 classid 1:3 htb rate kbit ceil 4mbit
> $SC parent 1:1 classid 1:4 htb rate kbit ceil 4mbit
> $SC parent 1:1 classid 1:5 htb rate kbit ceil 4mbit
> $SC parent 1:1 classid 1:6 htb rate kbit ceil 4mbit
> $SQ parent 1:2 handle 120: pfifo limit 50
> $SQ parent 1:3 handle 130: pfifo limit 50
> $SQ parent 1:4 handle 140: pfifo limit 50
> $SQ parent 1:5 handle 150: pfifo limit 50
> $SQ parent 1:6 handle 160: pfifo limit 50
>
> $SF parent 1:0 protocol ip prio 1 u32 match ip src 1.1.1.5/32 flowid 1:6
> $SF parent 1:0 protocol ip prio 2 u32 match ip src 1.1.1.1/32 flowid 1:2
> $SF parent 1:0 protocol ip prio 3 u32 match ip src 1.1.1.2/32 flowid 1:3
> $SF parent 1:0 protocol ip prio 4 u32 match ip src 1.1.1.3/32 flowid 1:4
> $SF parent 1:0 protocol ip prio 5 u32 match ip src 1.1.1.4/32 flowid 1:5
>
> It's just a very simple 5-child HTB with pfifo queues.

If you give the htb video class prio 0 and the rest 1 then this would be OK. There are tweaks that you can do if you want the latency even lower or you could use hfsc - I don't know what jitter is acceptable for you, as it is I guess 25ms @ 4mbit link speed.

You can't use 4mbit as a ceil for a 4mbit link as this figure will include overheads that htb doesn't see.

I would prefer bfifo to pfifo and make sure the video class has some spare rate and the rates add up.

>
> I might split things down more later, but this should get things going.
> It's just a pity that the ISP want to charge stupid amounts of money for
> the shaping.

If it's Xdsl in the UK I think they have to pay BT - maybe not with 1:1 products though.
You can still shape or police ingress traffic - the results can't be guaranteed but you can do a lot better than doing nothing. You do need to sacrifice some bandwidth, depending on your traffic type/link speed and what latency/jitter you need, about 10-20% - with 4mbit the results will be better than with lower speeds.

Andy.

From andy.furniss at dsl.pipex.com Wed Nov 16 16:03:33 2005
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Mon Nov 21 22:35:51 2005
Subject: [LARTC] has anyone tried adsl-optmizer kernel patches for dsl modems?
In-Reply-To: <436EA076.7040102@yahoo.fr>
References: <436EA076.7040102@yahoo.fr>
Message-ID: <437B4A45.8010309@dsl.pipex.com>

sophana wrote:
> Hi
>
> I'm using wondershaper like script. But noticed imperfect scheduling.
>
> By googling, I found some patches that takes the aal5 atm overhead in
> the scheduling algorithms.
> http://www.adsl-optimizer.dk/ADSL-optimizer/
>
> Before trying it, has anyone tried these patches? they apply on 2.4.29
> kernel and 2.6.9 TC. I use centos4 with a 2.6 kernel, so I can't try
> these easily.

They should be OK as long as you are sure about your overheads. I use something similar and use ceil 286kbit while synced at 288kbit without problems.

If your modem is connected by eth rather than ppp then htb/whatever will see the packet size as ip len + 14 - so you need to account for that. I think that produces a corner case (overhead < 14) where you would need to put in a negative number - I don't think that will work, but haven't tried.

Andy.

From andy.furniss at dsl.pipex.com Wed Nov 16 16:35:24 2005
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Mon Nov 21 22:36:15 2005
Subject: [LARTC] [ANNOUNCE] ESFQ for Linux 2.6.13
In-Reply-To: <60132.66.93.171.129.1130144541.squirrel@fatooh.org>
References: <60132.66.93.171.129.1130144541.squirrel@fatooh.org>
Message-ID: <437B51BC.8070709@dsl.pipex.com>

Corey Hickey wrote:
> In a recent thread on this list, Robert Kurjata provided me a patch to add
> hashing by iptables mark to the Linux 2.4 version of ESFQ. Thanks to that
> contribution, I was able to easily add support to the 2.6 port I maintain.
>
> I found out, however, that the existing hash algorithm results in a lot of
> collisions when the range of hashed values is small. The perturbation
> spreads the collisions out a little, but the result still wasn't very
> fair, especially when hashing only three fwmark values: 0, 1 and 2.
>
> So, I wrote an alternative hash function. It's quite simple, and as long
> as the range of input values is smaller than the hash table (default 1024,
> up to 16384), collisions will not happen at all. See the updated README
> file for more details.
>
> Home page:
> http://fatooh.org/esfq-2.6/
>
> Direct URL:
> http://fatooh.org/esfq-2.6/esfq-2.6.13.tar.gz
>
> README (also available in the tar.gz):
> http://fatooh.org/esfq-2.6/current/README
>
> Try it out, have fun, and if you find a bug or have a suggestion please
> send me an email.

Losing perturb for non classic is really good, thanks Corey.

Andy.

From comp.techs at aspenview.org Wed Nov 16 21:13:58 2005
From: comp.techs at aspenview.org (comp.techs) Date: Mon Nov 21 22:38:30 2005 Subject: [LARTC] load balancing Message-ID: <648A21EA469E3848922D9860785CD5EF456701@aspen-mail01.aspenview.org> Hi, I have 2 routers that are connected using 2 gre tunnels over ipsec, and ospf. Ospf sets up the equal cost route, but uses the 'equalize' in the route. Is there a way to remove/disable packet based load balancing? I would just like to do a flow based load balance? thx jason -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20051116/918b05b6/attachment.htm From ryan.castellucci at gmail.com Wed Nov 16 22:01:56 2005 
From: ryan.castellucci at gmail.com (Ryan Castellucci)
Date: Mon Nov 21 22:38:38 2005
Subject: [LARTC] Transfer speed exceeding the ceil
In-Reply-To: <437B5B9B.5010402@dsl.pipex.com>
References: <118619310511141432o4bfbde1dj9178e3c166c67039@mail.gmail.com> <437B5B9B.5010402@dsl.pipex.com>
Message-ID: <118619310511161301j5adec24fn5aa0bf821d36357b@mail.gmail.com>

On 11/16/05, Andy Furniss wrote:
> Ryan Castellucci wrote:
> > What's going on here? I'm spewing UDP traffic at this thing, and it is
> > exceeding the ceil. Anyone know how to fix this?
> >
> > class htb 1:613 parent 1:5 leaf 613: prio 6 quantum 2560 rate 20480bit
> > ceil 103360bit burst 15Kb/8 mpu 0b overhead 0b cburst 1728b/8 mpu 0b
> > overhead 0b level 0
> > Sent 16591370 bytes 4159 pkt (dropped 39449, overlimits 0 requeues 0)
> > rate 412384bit 6pps backlog 0b 126p requeues 0
> > lended: 887 borrowed: 3146 giants: 1748
> > tokens: -1605047 ctokens: -32828
>
> Try and verify rate of udp arrival at the target machine with tcpdump -ttt.
>
> The sent counter is actually an enqueue rather than dequeue count so
> blatting with udp may cause bogus rates (not that I've checked how
> exactly htb does rate calculations).
>
> Andy.

I checked it with iftop, which confirms what tc is showing. I had determined that this is an issue with fragmented packets rather than specifically UDP; take a look at the other messages I posted to the mailing list. Is this a bug in tc/htb? Or is this perhaps something that could be corrected by enlarging the quantum?

--
Ryan Castellucci http://ryanc.org/
From andy.furniss at dsl.pipex.com Thu Nov 17 01:11:30 2005
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Mon Nov 21 22:39:40 2005
Subject: [LARTC] Transfer speed exceeding the ceil
In-Reply-To: <118619310511161301j5adec24fn5aa0bf821d36357b@mail.gmail.com>
References: <118619310511141432o4bfbde1dj9178e3c166c67039@mail.gmail.com> <437B5B9B.5010402@dsl.pipex.com> <118619310511161301j5adec24fn5aa0bf821d36357b@mail.gmail.com>
Message-ID: <437BCAB2.9070803@dsl.pipex.com>

Ryan Castellucci wrote:
> On 11/16/05, Andy Furniss wrote:
>
>>Ryan Castellucci wrote:
>>
>>>What's going on here? I'm spewing UDP traffic at this thing, and it is
>>>exceeding the ceil. Anyone know how to fix this?
>>>
>>>class htb 1:613 parent 1:5 leaf 613: prio 6 quantum 2560 rate 20480bit
>>>ceil 103360bit burst 15Kb/8 mpu 0b overhead 0b cburst 1728b/8 mpu 0b
>>>overhead 0b level 0
>>>Sent 16591370 bytes 4159 pkt (dropped 39449, overlimits 0 requeues 0)
>>>rate 412384bit 6pps backlog 0b 126p requeues 0
>>>lended: 887 borrowed: 3146 giants: 1748
>>>tokens: -1605047 ctokens: -32828
>>
>>Try and verify rate of udp arrival at the target machine with tcpdump -ttt.
>>
>>The sent counter is actually an enqueue rather than dequeue count so
>>blatting with udp may cause bogus rates (not that I've checked how
>>exactly htb does rate calculations).
>>
>>Andy.
>
>
> I checked it with iftop, which confirms what tc is showing. I had
> determined that this is an issue with fragmented packets rather than
> specifically UDP, take a look at the other messages I posted to the
> mailing list. Is this a bug in tc/htb? Or is this perhaps something
> that could be corrected by enlarging the quantum?

I tried fragged udp and it seemed OK for me - what's the mtu on the interface - if it's bigger than normal then try specifying it along with rate/ceils to htb - Looking as I type I can see giants 1748 above (I should have noticed that earlier) - htb does not shape big packets properly unless you use the mtu option.

The list is down for me today.

Andy.
From ryan.castellucci at gmail.com Thu Nov 17 01:36:24 2005 
From: ryan.castellucci at gmail.com (Ryan Castellucci) Date: Mon Nov 21 22:39:48 2005 Subject: [LARTC] Transfer speed exceeding the ceil In-Reply-To: <437BCAB2.9070803@dsl.pipex.com> References: <118619310511141432o4bfbde1dj9178e3c166c67039@mail.gmail.com> <437B5B9B.5010402@dsl.pipex.com> <118619310511161301j5adec24fn5aa0bf821d36357b@mail.gmail.com> <437BCAB2.9070803@dsl.pipex.com> Message-ID: <118619310511161636q1009a08fi2612818e77d2451c@mail.gmail.com> On 11/16/05, Andy Furniss wrote: > Ryan Castellucci wrote: > > On 11/16/05, Andy Furniss wrote: > > > >>Ryan Castellucci wrote: > >> > >>>What's going on here? I'm spewing UDP traffic at this thing, and it is > >>>exceeding the ceil. Anyone know how to fix this? > >>> > >>>class htb 1:613 parent 1:5 leaf 613: prio 6 quantum 2560 rate 20480bit > >>>ceil 103360bit burst 15Kb/8 mpu 0b overhead 0b cburst 1728b/8 mpu 0b > >>>overhead 0b level 0 > >>>Sent 16591370 bytes 4159 pkt (dropped 39449, overlimits 0 requeues 0) > >>>rate 412384bit 6pps backlog 0b 126p requeues 0 > >>>lended: 887 borrowed: 3146 giants: 1748 > >>>tokens: -1605047 ctokens: -32828 > >> > >>Try and verify rate of udp arrival at the target machine with tcpdump -ttt. > >> > >>The sent counter is actually an enqueue rather than dequeue count so > >>blatting with udp may cause bogus rates (not that I've checked how > >>exactly htb does rate calculations). > >> > >>Andy. > > > > > > I checked it with iftop, which confirms what tc is showing. I had > > determined that this is an issue with fragmented packets rather then > > specificly UDP, take a look at the other messages i posted to the > > mailing list. is the is bug in tc/htb? or is this perhpse something > > that could be corrected by enlarging the quantum? 
>
> I tried fragged udp and it seemed OK for me - what's the mtu on the
> interface - if it's bigger than normal then try specifying it along with
> rate/ceils to htb - Looking as I type I can see giants 1748 above (I
> should have noticed that earlier) - htb does not shape big packets
> properly unless you use the mtu option.
>
> The list is down for me today.

I was not manually setting the MTU. The interfaces I'm using have MTU of 1500, but I'll try setting the MTU for my classes to 1500 and see if that resolves the problem.

Thanks!

--
Ryan Castellucci http://ryanc.org/
From gdamjan at mail.net.mk Thu Nov 17 06:20:01 2005
From: gdamjan at mail.net.mk (Damjan)
Date: Mon Nov 21 22:40:50 2005
Subject: [LARTC] Re: [ANNOUNCE] iproute2 2.6.14-051107
In-Reply-To: <20051108102823.0ab4cf62@localhost.localdomain>
References: <20051108102823.0ab4cf62@localhost.localdomain>
Message-ID: <20051117052001.GA14857@legolas.on.net.mk>

> Patrick McHardy
> * Fix ip command shortcuts

Hmm.. what's this change? I've noticed that "ip address" no longer works, only "ip addr" works.

--
damjan
This is my jabber ID --> damjan@bagra.net.mk <-- not my mail address!!!
From andy.furniss at dsl.pipex.com Thu Nov 17 13:09:14 2005
From: andy.furniss at dsl.pipex.com (Andy Furniss) Date: Mon Nov 21 22:41:54 2005 Subject: [LARTC] Transfer speed exceeding the ceil In-Reply-To: <118619310511161636q1009a08fi2612818e77d2451c@mail.gmail.com> References: <118619310511141432o4bfbde1dj9178e3c166c67039@mail.gmail.com> <437B5B9B.5010402@dsl.pipex.com> <118619310511161301j5adec24fn5aa0bf821d36357b@mail.gmail.com> <437BCAB2.9070803@dsl.pipex.com> <118619310511161636q1009a08fi2612818e77d2451c@mail.gmail.com> Message-ID: <437C72EA.7010806@dsl.pipex.com> Ryan Castellucci wrote: > On 11/16/05, Andy Furniss wrote: > >>Ryan Castellucci wrote: >> >>>On 11/16/05, Andy Furniss wrote: >>> >>> >>>>Ryan Castellucci wrote: >>>> >>>> >>>>>What's going on here? I'm spewing UDP traffic at this thing, and it is >>>>>exceeding the ceil. Anyone know how to fix this? >>>>> >>>>>class htb 1:613 parent 1:5 leaf 613: prio 6 quantum 2560 rate 20480bit >>>>>ceil 103360bit burst 15Kb/8 mpu 0b overhead 0b cburst 1728b/8 mpu 0b >>>>>overhead 0b level 0 >>>>>Sent 16591370 bytes 4159 pkt (dropped 39449, overlimits 0 requeues 0) >>>>>rate 412384bit 6pps backlog 0b 126p requeues 0 >>>>>lended: 887 borrowed: 3146 giants: 1748 >>>>>tokens: -1605047 ctokens: -32828 >>>> >>>>Try and verify rate of udp arrival at the target machine with tcpdump -ttt. >>>> >>>>The sent counter is actually an enqueue rather than dequeue count so >>>>blatting with udp may cause bogus rates (not that I've checked how >>>>exactly htb does rate calculations). >>>> >>>>Andy. >>> >>> >>>I checked it with iftop, which confirms what tc is showing. I had >>>determined that this is an issue with fragmented packets rather then >>>specificly UDP, take a look at the other messages i posted to the >>>mailing list. is the is bug in tc/htb? or is this perhpse something >>>that could be corrected by enlarging the quantum? 
>>
>>I tried fragged udp and it seemed OK for me - what's the mtu on the
>>interface - if it's bigger than normal then try specifying it along with
>>rate/ceils to htb - Looking as I type I can see giants 1748 above (I
>>should have noticed that earlier) - htb does not shape big packets
>>properly unless you use the mtu option.
>>
>>The list is down for me today.
>
>
> I was not manually setting the MTU. The interfaces I'm using have MTU
> of 1500, but I'll try setting the MTU for my classes to 1500 and see
> if that resolves the problem.

Hmm - 1500 should work by default and you should see no giants - so if the mtu on the interface was 1500 I can't see how htb counted 1748 giants.

Andy.

From comp.techs at aspenview.org Thu Nov 17 21:47:39 2005
From: comp.techs at aspenview.org (comp.techs)
Date: Mon Nov 21 22:48:00 2005
Subject: [LARTC] multipath routing
Message-ID: <648A21EA469E3848922D9860785CD5EF456702@aspen-mail01.aspenview.org>

Hi,

I have set up multipath routing using two gre tunnels. The multipath routes are set up via (zebra/ospf). I managed to modify zebra not to include the 'equalize' in the multipath route, and set the weights 1:2. My question is that after doing 4+ ftp transfers I still do not see much traffic on the interface with a weight of 1 even though the first tunnel is near maximum capacity. If this is due to the route cache, is there a way to reduce the TTL on the cache?

thx
jason
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20051117/56e29cf5/attachment.html
From pch at packetconsulting.pl Thu Nov 17 22:46:37 2005
From: pch at packetconsulting.pl (Piotr Chytla)
Date: Mon Nov 21 22:48:09 2005
Subject: [LARTC] passive FTP trafic control
In-Reply-To: <43750B34.9010409@netshadow.at>
References: <20051111132016.5299021b@pulsar.inexo.com.br> <20051111203830.GD292@DervishD> <43750B34.9010409@netshadow.at>
Message-ID: <20051117214637.GA4074@packetconsulting.pl>

On Fri, Nov 11, 2005 at 10:20:52PM +0100, Andreas Unterkircher wrote:
> You could try to match on helper within iptables. Should be something like
>
> iptables -A FORWARD --match conntrack --ctproto tcp --ctstate
> RELATED,ESTABLISHED --match helper --helper ftp -j CLASSIFY ....
>
> Perhaps this will match your data channel.
>

About 6 months ago I wrote iptables rules for DNATing incoming connections to an ftp server behind NAT:

${ipt} -t nat -A PREROUTING -i eth0 -p tcp -s ${src} -d ${fw_ip}/32 --dport 8181 -j DNAT --to-destination ${ftp_int}
${ipt} -t nat -A PREROUTING -i eth0 -p tcp -s ${src} -d ${fw_ip}/32 -m helper --helper ftp-8181 -j DNAT --to-destination ${ftp_int}
${ipt} -A FORWARD -p tcp -i eth0 -s ${src} -d ${ftp_int} --dport 8181 -m state --state NEW -j ACCEPT
${ipt} -A FORWARD -p tcp -i eth0 -s ${src} -d ${ftp_int} -m helper --helper ftp-8181 -m state --state NEW,RELATED -j ACCEPT

8181 - ftp port
src - source address
fw_ip - firewall ip (external)
ftp_int - ftp server internal ip.

Everything was great but the firewall sometimes hangs without a kernel panic, maybe some deadlock in the ftp conntrack code or in the ftp helper. Kernel was 2.4.20 or 22.

/pch
--
Dyslexia bug unpatched since 1977 ... exploit has been leaked to the underground.
From contato at patrick.eti.br Fri Nov 18 04:03:21 2005
From: contato at patrick.eti.br (Patrick)
Date: Mon Nov 21 22:50:29 2005
Subject: [LARTC] tc and loadbalance via mangle
References: <43791158.9060501@dsl.pipex.com>
Message-ID: <001601c5ebec$a2917ca0$0401a8c0@tulipa>

Hello!

I have a big problem! I use the mangle table to classify packets between two links, and I also use mangle to do bandwidth control, download and upload. The packets are marked in PREROUTING with the number of the link, and they are also marked in FORWARD (for bandwidth control); the two conflict, and the balancing doesn't happen.

PREROUTING
-------- mark 1 ---> link 1
-------- mark 2 ---> link 2

FORWARD
-------- mark 0x9a ---> client 12
-------- mark 0x8c ---> client 19

help me!

Patrick Brandão
From brett at wrl.org Tue Nov 15 20:47:34 2005
From: brett at wrl.org (Brett Charbeneau)
Date: Mon Nov 21 22:55:01 2005
Subject: [LARTC] mpath2.sh script works - sort of
Message-ID:

Greetings all,

While I haven't given up on getting a dead gateway detection script a la nano.txt to work on my T1/DSL router box, I have taken a break and played with the mpath2.sh script that Robert Kurjata wrote back in 2001. This shows more promise in that I can actually get it to work - is it foolish to try and use this script for this purpose?

Here's my setup:

My router is a Debian box with a custom 2.4.31 kernel with Julian's routes-2.4.29-9.diff patch applied. It has three network cards in it:

ppp0  DSL
eth1  on the network with the T1 at the gateway
eth2  local non-routable subnet

The mpath2.sh script, when executed manually after boot, gets things going, but pointed to my secondary connection - in this case, the T1. If I execute mpath2.sh and then restart the network connections with

/etc/init.d/networking restart

then the primary gateway (on the DSL) comes right up as it should. If I unplug the DSL modem, the script changes the default route to the T1 perfectly.

QUESTIONS:

Is the mpath2.sh a dependable way to proceed?

What might I be doing wrong that causes the mpath2.sh script to route stuff in the wrong order until I restart the network connections?

I'd be MOST grateful for any tips anyone can find the time to share!

--
Brett Charbeneau
Network Administrator
Williamsburg Regional Library
7770 Croaker Road
Williamsburg, VA 23188-7064
(757)259-4044 www.wrl.org
(757)259-4079 (fax) brett@wrl.org
From jlynch at frink.nuigalway.ie Sun Nov 20 00:53:31 2005
From: jlynch at frink.nuigalway.ie (Jonathan Lynch)
Date: Mon Nov 21 23:01:09 2005
Subject: [LARTC] The effects of queueing on delay...(TX Ring Buffer the problem)
In-Reply-To: <4353F98B.8020709@dsl.pipex.com>
References: <1129064647.13493.41.camel@pgala.it.nuigalway.ie> <1129219587.8517.2.camel@localhost.localdomain> <4353F98B.8020709@dsl.pipex.com>
Message-ID: <1132444411.437fbafb215ea@www.compsoc.nuigalway.ie>

Quoting Andy Furniss :
> Jonathan Lynch wrote:
> > This was down to the tx buffer size on the network card i was using. It
> > was an Intel 82547EI gigabit Card using the e1000 driver and operating
> > at 100mbit. The tx buffer was set to 256 which caused this huge delay.
> > The minimum the driver lets me reduce the tx buffer size using ethtool
> > is 80. By reducing the tx ring buffer to 80, the delay when there is
> > full link utilisation and a maximum queue of 10 packets was reduced from
> > 30ms to 10ms.
> >
> > The 3com 3c59x vortex driver uses a tx buffer of 16. I reduced the tx to
> > 16 on the e1000 driver, but the max throughput i could achieve on the
> > interface went down.
> >
> > Has anyone experimented with reducing the size of the tx buffer on this
> > card to get a good balance between delay and throughput ?
>
> Strange - I thought that as long as you are under rate for the link then
> the most htb should burst per tick is the burst size specified.
>
> That assumes one bulk class - more will make it worse.
>
> Andy.
>

Just noticed your reply there, haven't been very busy lately and haven't checked LARTC in a while.

Say for example with a htb qdisc configured with a ceil of 100 Mbit (overhead 24 mpu 84 mtu 1600 burst 12k cburst 12k quantum 1500) or a queue discipline that doesn't rate limit such as prio or red, there was a delay of 30 ms imposed when the outgoing interface was saturated and the tx ring size was 256. When the tx ring size was reduced to 80 the delay was around 9ms. The tx ring is a fifo structure.
The NIC driver uses DMA to transmit packets from the tx ring. These are worst case delays, when the tx ring is full of maximum size FTP packets with the VoIP packet at the end. The VoIP packet has to wait for all the FTP packets to be transmitted.

When the rate was reduced to 99Mbit the maximum delay imposed is about 2ms. It seems that with the reduced rate there is time to clear more packets from the TX ring...there are fewer packets in the ring, resulting in a lower delay. But the delay increases linearly.

Also a question: when defining the following parameters (overhead 24 mpu 84 mtu 1600 burst 12k cburst 12k quantum 1500) I have them defined on all classes and on the htb qdisc itself. Is there a minimum place where they can be specified...ie just on the htb qdisc itself, or do they have to be specified on all

Jonathan
From mark.lidstone at bmtseatech.co.uk Tue Nov 15 11:31:14 2005
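A worked check of the delays reported above, added here as an editor's note and not part of Jonathan's post, assuming full-size 1500-byte frames with Ethernet framing overhead ignored: a packet that lands behind a full transmit ring of $N$ frames waits for $N$ serialization times of one frame, so the worst-case delay is

$$T_{\max} = \frac{N \cdot L}{R}, \qquad L = 1500 \times 8 = 12000\ \text{bit}, \quad R = 10^{8}\ \text{bit/s}.$$

$$N = 256:\ T_{\max} = \frac{256 \times 12000}{10^{8}} \approx 30.7\ \text{ms}; \qquad N = 80:\ T_{\max} = \frac{80 \times 12000}{10^{8}} = 9.6\ \text{ms}; \qquad N = 16:\ T_{\max} \approx 1.9\ \text{ms}.$$

These agree with the 30 ms and 9 ms measured above. Read the other way, $N = T_{\max} R / L$, so the 2 ms seen when shaping at 99 Mbit corresponds to roughly 17 frames queued in the ring: when the shaper releases packets slightly slower than the wire drains them, the ring never fills, and the delay is set by the shaper's burst rather than by the ring depth.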
From: mark.lidstone at bmtseatech.co.uk (Mark Lidstone)
Date: Mon Nov 21 23:13:25 2005
Subject: [LARTC] Pfifo_fast "Unknown qdisc" and asking for basic design advice
Message-ID:

Hi Andy,

The situation is this: there are a total of four companies represented in our building. We've all been looking at upgrading our Internet connections from ADSL, and as we're all owned by the same parent company it made sense to buy our bandwidth "in bulk". As such we're hoping to get a 4Mb/4Mb pipe of some description.

One of the drivers for going ahead with this is the fact that one of the companies wants to start using some reasonably funky video conferencing equipment.

The four companies are not paying the same amount each for the connection. Each company has agreed to pay an amount that represents their expected usage of the system. To keep things fair, we would like to shape the traffic on the link to reflect the amounts people are paying. Also, the video conferencing equipment (as it will be available to all the companies in the building) will need a guaranteed chunk of bandwidth itself.

We've looked at getting our ISP to provide the traffic shaping, but they want to charge a large setup fee and quite a bit of money per quarter to 'maintain' it (to leave the settings alone, in other words). I'm looking at using a spare box we have here as a means of shaping our outgoing traffic as an alternative. The idea is that downstream traffic will still be better off than with a 20:1 contended ADSL.
The traffic will be split by IP, so the latest incarnation of the rules I have are:

SQ="tc qdisc add dev eth0"
SC="tc class add dev eth0"
SF="tc filter add dev eth0"

tc qdisc del dev eth0 root
$SQ root handle 1:0 htb
$SC parent 1:0 classid 1:1 htb rate 4mbit
$SC parent 1:1 classid 1:2 htb rate kbit ceil 4mbit
$SC parent 1:1 classid 1:3 htb rate kbit ceil 4mbit
$SC parent 1:1 classid 1:4 htb rate kbit ceil 4mbit
$SC parent 1:1 classid 1:5 htb rate kbit ceil 4mbit
$SC parent 1:1 classid 1:6 htb rate kbit ceil 4mbit
$SQ parent 1:2 handle 120: pfifo limit 50
$SQ parent 1:3 handle 130: pfifo limit 50
$SQ parent 1:4 handle 140: pfifo limit 50
$SQ parent 1:5 handle 150: pfifo limit 50
$SQ parent 1:6 handle 160: pfifo limit 50

$SF parent 1:0 protocol ip prio 1 u32 match ip src 1.1.1.5/32 flowid 1:6
$SF parent 1:0 protocol ip prio 2 u32 match ip src 1.1.1.1/32 flowid 1:2
$SF parent 1:0 protocol ip prio 3 u32 match ip src 1.1.1.2/32 flowid 1:3
$SF parent 1:0 protocol ip prio 4 u32 match ip src 1.1.1.3/32 flowid 1:4
$SF parent 1:0 protocol ip prio 5 u32 match ip src 1.1.1.4/32 flowid 1:5

It's just a very simple 5-child HTB with pfifo queues.

I might split things down more later, but this should get things going. It's just a pity that the ISP want to charge stupid amounts of money for the shaping.

Many thanks,

Mark Lidstone
IT and Network Support Administrator
BMT SeaTech Ltd
Grove House, Meridians Cross, 7 Ocean Way
Ocean Village, Southampton. SO14 3TJ. UK
Tel: +44 (0)23 8063 5122
Fax: +44 (0)23 8063 5144
E-Mail: mailto:mark.lidstone@bmtseatech.co.uk
Website: www.bmtseatech.co.uk

==========================================================================
Confidentiality Notice and Disclaimer:
The contents of this e-mail and any attachments are intended only for the use of the e-mail addressee(s) shown. If you are not that person, or one of those persons, you are not allowed to take any action based upon it or to copy it, forward, distribute or disclose the contents of it and you should please delete it from your system. BMT SeaTech Limited does not accept liability for any errors or omissions in the context of this e-mail or its attachments which arise as a result of Internet transmission, nor accept liability for statements which are those of the author and not clearly made on behalf of BMT SeaTech Limited.
==========================================================================

-----Original Message-----
From: Andy Furniss [mailto:andy.furniss@dsl.pipex.com]
Sent: 14 November 2005 22:36
To: Mark Lidstone
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Pfifo_fast "Unknown qdisc" and asking for basic design advice

Mark Lidstone wrote:
> Hi Andy,
>
> Many thanks for the reply.
>
> Is there a reason why the user is not supposed to use pfifo_fast? I
> don't think I need a full-on PRIO (surely pfifo_fast is more efficient
> if it is classless?). Sorry for asking, but I didn't come across this
> limitation in the documentation.

Not sure really.

>
> Following your suggestions, I've come up with the following:
>
> #!/bin/sh
> SQ="tc qdisc add dev eth0"
> SC="tc class add dev eth0"
> SF="tc filter add dev eth0"
>
> tc qdisc del dev eth0 root
> $SQ root handle 1:0 htb
> $SC parent 1:0 classid 1:1 htb rate 4096kbit
> $SC parent 1:1 classid 1:2 htb prio 0 rate 768kbit #Video Conferencing
> $SC parent 1:1 classid 1:3 htb prio 1 rate 1545kbit #Company 1
> $SC parent 1:1 classid 1:4 htb prio 1 rate 832kbit #Company 2
> $SC parent 1:1 classid 1:5 htb prio 1 rate 713kbit #Company 3
> $SC parent 1:1 classid 1:6 htb prio 1 rate 238kbit #Company 4
> $SQ parent 1:2 handle 5:0 prio #Video Conferencing
> $SQ parent 1:3 handle 6:0 prio #Company 1
> $SQ parent 1:4 handle 7:0 prio #Company 2
> $SQ parent 1:5 handle 8:0 prio #Company 3
> $SQ parent 1:6 handle 9:0 prio #Company 4
>
> $SF parent 1:0 protocol ip prio 0 u32 match ip src 1.2.3.4/32 flowid 5:0
> $SF parent 1:0 protocol ip prio 0 u32 match ip src 1.2.3.5/32 flowid 6:0
> $SF parent 1:0 protocol ip prio 0 u32 match ip src 1.2.3.6/32 flowid 7:0
> $SF parent 1:0 protocol ip prio 0 u32 match ip src 1.2.3.7/32 flowid 8:0
> $SF parent 1:0 protocol ip prio 0 u32 match ip src 1.2.3.8/32 flowid 9:0
>
> (I've a horrible feeling there's something obviously and fundamentally
> wrong with this)
>
> What happens with any traffic not from these IPs?

You can use a catch all filter after the others ... u32 match u32 0 0 ..
Unlike htb prio 1 is the top prio for filters. Without knowing what your setup is it's hard to say what's the best way in detail eg. where and what bandwidth are the bottleneck links and which end of them you are shaping. Andy. From ryan.castellucci at gmail.com Tue Nov 15 21:58:49 2005 
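The design Andy sketches across this thread (video class at htb prio 0 and the companies at prio 1, a ceil below the nominal 4mbit because HTB does not see link-layer overhead, guaranteed rates that add up, bfifo leaves, and a catch-all filter at the lowest filter priority) written out as an added example; this is not code from Mark or Andy. The 3900kbit headroom figure, the per-class rates, the bfifo sizing rule and the leaf handles are constructed assumptions; the 1.2.3.x addresses are the placeholders from Mark's script.

```shell
#!/bin/sh
# Added example, not code from the thread: emit the 4-company HTB tree as tc
# commands so it can be reviewed before being applied. Only the 4096kbit link
# and the 768kbit video figure come from the thread; the rest is constructed.

DEV="${DEV:-eth0}"

# Shape below the nominal 4096kbit because HTB counts IP bytes and does not
# see link-layer overhead (assumed 5% headroom; tune to the real link).
LINK_KBIT=3900

# Guaranteed rates in kbit; they must sum to no more than LINK_KBIT so that
# every class can actually get its rate at the same time.
VIDEO_KBIT=768      # video conferencing, prio 0
C1_KBIT=1400        # company 1
C2_KBIT=800         # company 2
C3_KBIT=600         # company 3
C4_KBIT=230         # company 4
DEFAULT_KBIT=64     # anything no IP filter matches (htb "default" class)

# rates_fit RATE... : succeeds only if the rates sum to at most LINK_KBIT.
rates_fit() {
    total=0
    for r in "$@"; do
        total=$((total + r))
    done
    [ "$total" -le "$LINK_KBIT" ]
}

# bfifo_limit KBIT : byte limit for a leaf bfifo, about 200 ms at the class
# rate (kbit * 1000 / 8 bytes per second * 0.2 s = kbit * 25).
bfifo_limit() {
    echo $(( $1 * 25 ))
}

# htb_commands : print the tc script. Filters name the HTB class (1:N), not
# the leaf qdisc handle; the lowest filter prio number wins, so the catch-all
# gets the highest number. Video is capped at its own rate so a misbehaving
# unit at prio 0 cannot starve the prio 1 classes.
htb_commands() {
    cat <<EOF
tc qdisc del dev $DEV root 2>/dev/null
tc qdisc add dev $DEV root handle 1: htb default 7
tc class add dev $DEV parent 1: classid 1:1 htb rate ${LINK_KBIT}kbit ceil ${LINK_KBIT}kbit
tc class add dev $DEV parent 1:1 classid 1:2 htb prio 0 rate ${VIDEO_KBIT}kbit ceil ${VIDEO_KBIT}kbit
tc class add dev $DEV parent 1:1 classid 1:3 htb prio 1 rate ${C1_KBIT}kbit ceil ${LINK_KBIT}kbit
tc class add dev $DEV parent 1:1 classid 1:4 htb prio 1 rate ${C2_KBIT}kbit ceil ${LINK_KBIT}kbit
tc class add dev $DEV parent 1:1 classid 1:5 htb prio 1 rate ${C3_KBIT}kbit ceil ${LINK_KBIT}kbit
tc class add dev $DEV parent 1:1 classid 1:6 htb prio 1 rate ${C4_KBIT}kbit ceil ${LINK_KBIT}kbit
tc class add dev $DEV parent 1:1 classid 1:7 htb prio 2 rate ${DEFAULT_KBIT}kbit ceil ${LINK_KBIT}kbit
tc qdisc add dev $DEV parent 1:2 handle 20: bfifo limit $(bfifo_limit $VIDEO_KBIT)
tc qdisc add dev $DEV parent 1:3 handle 30: bfifo limit $(bfifo_limit $C1_KBIT)
tc qdisc add dev $DEV parent 1:4 handle 40: bfifo limit $(bfifo_limit $C2_KBIT)
tc qdisc add dev $DEV parent 1:5 handle 50: bfifo limit $(bfifo_limit $C3_KBIT)
tc qdisc add dev $DEV parent 1:6 handle 60: bfifo limit $(bfifo_limit $C4_KBIT)
tc qdisc add dev $DEV parent 1:7 handle 70: bfifo limit $(bfifo_limit $DEFAULT_KBIT)
tc filter add dev $DEV parent 1: protocol ip prio 1 u32 match ip src 1.2.3.4/32 flowid 1:2
tc filter add dev $DEV parent 1: protocol ip prio 2 u32 match ip src 1.2.3.5/32 flowid 1:3
tc filter add dev $DEV parent 1: protocol ip prio 2 u32 match ip src 1.2.3.6/32 flowid 1:4
tc filter add dev $DEV parent 1: protocol ip prio 2 u32 match ip src 1.2.3.7/32 flowid 1:5
tc filter add dev $DEV parent 1: protocol ip prio 2 u32 match ip src 1.2.3.8/32 flowid 1:6
tc filter add dev $DEV parent 1: protocol ip prio 9 u32 match u32 0 0 flowid 1:7
EOF
}

# Refuse to emit a tree whose guarantees cannot all be met at once.
if rates_fit "$VIDEO_KBIT" "$C1_KBIT" "$C2_KBIT" "$C3_KBIT" "$C4_KBIT" "$DEFAULT_KBIT"; then
    htb_commands
else
    echo "class rates exceed LINK_KBIT=$LINK_KBIT, not emitting tc commands" >&2
fi
```

The script prints the tc commands rather than running them; review the output and pipe it into sh as root on the shaping box. Mark's own rates (768+1545+832+713+238 kbit) sum to exactly 4096kbit, which is why rates_fit rejects them once the ceil is lowered.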
From: ryan.castellucci at gmail.com (Ryan Castellucci)
Date: Mon Nov 21 23:13:41 2005
Subject: [LARTC] UDP transfer speed exceeding the ceil by about 4x
Message-ID: <118619310511151258v614ebe13nce07e80726bbb146@mail.gmail.com>

A bit more detail. I have the following htb classes set up...

class htb 1:356 parent 1:4 leaf 356: prio 4 quantum 1600 rate 12800bit ceil 51680bit burst 15Kb/8 mpu 0b overhead 0b cburst 1663b/8 mpu 0b overhead 0b level 0
class htb 1:357 parent 1:4 leaf 357: prio 4 quantum 1600 rate 12800bit ceil 51680bit burst 15Kb/8 mpu 0b overhead 0b cburst 1663b/8 mpu 0b overhead 0b level 0
class htb 1:2 root rate 51200bit ceil 54400bit burst 64Kb/8 mpu 0b overhead 0b cburst 1667b/8 mpu 0b overhead 0b level 7
class htb 1:3 parent 1:2 leaf 3: prio 2 quantum 10400 rate 83200bit ceil 88640bit burst 64Kb/8 mpu 0b overhead 0b cburst 1709b/8 mpu 0b overhead 0b level 0
class htb 1:614 parent 1:5 leaf 614: prio 6 quantum 1500 rate 10240bit ceil 51680bit burst 15Kb/8 mpu 0b overhead 0b cburst 1663b/8 mpu 0b overhead 0b level 0
class htb 1:4 parent 1:2 rate 25600bit ceil 51680bit burst 64Kb/8 mpu 0b overhead 0b cburst 1663b/8 mpu 0b overhead 0b level 6
class htb 1:613 parent 1:5 leaf 612: prio 6 quantum 1500 rate 10240bit ceil 51680bit burst 15Kb/8 mpu 0b overhead 0b cburst 1663b/8 mpu 0b overhead 0b level 0
class htb 1:5 parent 1:2 rate 20480bit ceil 51680bit burst 64Kb/8 mpu 0b overhead 0b cburst 1663b/8 mpu 0b overhead 0b level 6
class htb 1:612 parent 1:5 leaf 612: prio 6 quantum 1500 rate 10240bit ceil 51680bit burst 15Kb/8 mpu 0b overhead 0b cburst 1663b/8 mpu 0b overhead 0b level 0
class htb 1:6 parent 1:2 rate 5120bit ceil 43520bit burst 64Kb/8 mpu 0b overhead 0b cburst 1653b/8 mpu 0b overhead 0b level 6
class htb 1:868 parent 1:6 leaf 868: prio 7 quantum 1500 rate 2560bit ceil 43520bit burst 15Kb/8 mpu 0b overhead 0b cburst 1653b/8 mpu 0b overhead 0b level 0
class htb 1:869 parent 1:6 leaf 869: prio 7 quantum 1500 rate 2560bit ceil 43520bit burst 15Kb/8 mpu 0b overhead 0b cburst 1653b/8 mpu 0b overhead 0b level 0
class htb 1:358 parent 1:4 leaf 358: prio 4 quantum 1600 rate 12800bit ceil 51680bit burst 15Kb/8 mpu 0b overhead 0b cburst 1663b/8 mpu 0b overhead 0b level 0
class htb 1:870 parent 1:6 leaf 870: prio 7 quantum 1500 rate 2560bit ceil 43520bit burst 15Kb/8 mpu 0b overhead 0b cburst 1653b/8 mpu 0b overhead 0b level 0

and my traffic is being classified properly; however, UDP traffic is able to exceed the ceiling rate on 1:613 and its parents, and tops out at about 4x whatever I set that ceil to (I tried several values, and the UDP transfer rate always settled at about 4x the ceil). It manages to throttle TCP traffic just fine. ICMP exceeds the ceil slightly, but not enough to really worry me (about 3%).

I've read through the documentation several times, but I don't see a whole lot. I also tried messing with the quantum, burst, and cburst, but that didn't really help. If anyone has any other ideas of what to try, I'd really appreciate it, as I'm kinda stuck here :(

On 11/14/05, Ryan Castellucci wrote:
> What's going on here? I'm spewing UDP traffic at this thing, and it is
> exceeding the ceil. Anyone know how to fix this?
>
> class htb 1:613 parent 1:5 leaf 613: prio 6 quantum 2560 rate 20480bit
> ceil 103360bit burst 15Kb/8 mpu 0b overhead 0b cburst 1728b/8 mpu 0b
> overhead 0b level 0
> Sent 16591370 bytes 4159 pkt (dropped 39449, overlimits 0 requeues 0)
> rate 412384bit 6pps backlog 0b 126p requeues 0
> lended: 887 borrowed: 3146 giants: 1748
> tokens: -1605047 ctokens: -32828
>
> --
> Ryan Castellucci http://ryanc.org/
>

--
Ryan Castellucci http://ryanc.org/
From kustosz at veb.pl Wed Nov 16 14:18:56 2005
From: kustosz at veb.pl (Michal Kustosik)
Date: Mon Nov 21 23:14:03 2005
Subject: [LARTC] per packet loadbalancing.
Message-ID: <20051116131855.GA32051@veb.pl>

I have the following scheme:

-------------                              -------------
|  router   | eth0 ------------------ eth0 |  router   |
|  linux 1  |                              |  linux 2  |
|           | eth1 ------------------ eth1 |           |
-------------                              -------------

I'd like to do per packet loadbalancing on the linux1 and linux2 routers. How do I configure each one? I think the Julian Anastasov patches from http://www.ssi.bg/~ja/#routes are unnecessary ???

Regards,
--
Michal

From andy.furniss at dsl.pipex.com Wed Nov 16 17:17:31 2005
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Mon Nov 21 23:14:18 2005
Subject: [LARTC] Transfer speed exceeding the ceil
In-Reply-To: <118619310511141432o4bfbde1dj9178e3c166c67039@mail.gmail.com>
References: <118619310511141432o4bfbde1dj9178e3c166c67039@mail.gmail.com>
Message-ID: <437B5B9B.5010402@dsl.pipex.com>

Ryan Castellucci wrote:
> What's going on here? I'm spewing UDP traffic at this thing, and it is
> exceeding the ceil. Anyone know how to fix this?
>
> class htb 1:613 parent 1:5 leaf 613: prio 6 quantum 2560 rate 20480bit
> ceil 103360bit burst 15Kb/8 mpu 0b overhead 0b cburst 1728b/8 mpu 0b
> overhead 0b level 0
> Sent 16591370 bytes 4159 pkt (dropped 39449, overlimits 0 requeues 0)
> rate 412384bit 6pps backlog 0b 126p requeues 0
> lended: 887 borrowed: 3146 giants: 1748
> tokens: -1605047 ctokens: -32828

Try and verify the rate of udp arrival at the target machine with tcpdump -ttt.

The sent counter is actually an enqueue rather than dequeue count, so blatting with udp may cause bogus rates (not that I've checked how exactly htb does rate calculations).

Andy.

From irworden at rockwellcollins.com Mon Nov 21 23:07:57 2005
From: irworden at rockwellcollins.com (irworden@rockwellcollins.com)
Date: Mon Nov 21 23:18:15 2005
Subject: [LARTC] Using DSCP to choose a route table
Message-ID:

Hello,

I am writing a routing daemon that is able to assign different gateways to a destination address for different classes of service. Multiple DiffServ Code Point values are mapped into a single class of service. I have accomplished this by using the iptables MARK target to label each packet with a class of service value and then using 'ip rule add fwmark' to have each packet routed in the appropriate class.

However, I now need to combine this routing daemon with other programs to create a complete system, and more than one of them requires the iptables QUEUE target. There exists an IPQ Multiplex Daemon (ipqmd), but it uses the iptables MARK target to identify which packets are sent to which program, and I can't use MARK for two different things.

I have tried to use 'ip rule add tos' to map TOS field values into route tables directly (this works great with tc for the queues), but I am only allowed to set the 4 TOS bits, not the full field (I believe it is the kernel, not iproute2, that rejects the values). I have seen some man pages that also document a 'dsfield' option, but I have not found a version of iproute2 for which this is actually accepted. I have also not seen a u32 filter for 'ip rule' although 'tc' has one (iptables also has one in patch-o-matic), which would be extremely useful.

Does anyone have a suggestion on how I can get these things to work together? There are several options, if I can get any to work:

1. Find a way to filter TOS values directly into route tables
2. Find a way to get packets that come from a certain qdisc to map into a certain route table. (Packets are already sorted into queues and queues map directly to route tables -- there is one of each for every class of service.)
3. Find a way to pack multiple values into the iptables MARK (so more than one app can use it)
4. (If nothing else works:) Write my own IPQ multiplex daemon that doesn't use iptables MARK
5. Maybe I could abuse routing realms (thereby not allowing me to use them for their intended purpose if I should choose to do so in the future)?
6. Other (please specify in comments :-)

I have looked through the past few months of the archives and haven't seen anything relating to the inability of 'ip rule' to handle dscp values, and I have tried the latest version of iproute2 and looked at the source for the latest Linux kernel release (I am running on a 2.6.9 kernel) to see if it looked like it would handle non-TOS values (although I'm not certain I've looked at the right kernel code for that). I would prefer not to have to write my own IPQ multiplex daemon (or try to get my company to authorize me to "enhance" the existing GPL'ed one).

Thank you,
Ian Worden
Rockwell Collins, Inc.

From mark.lidstone at bmtseatech.co.uk Wed Nov 16 14:12:43 2005
From: mark.lidstone at bmtseatech.co.uk (Mark Lidstone)
Date: Mon Nov 21 23:18:23 2005
Subject: [LARTC] Pfifo_fast "Unknown qdisc" and asking for basic design advice
Message-ID:

Hi Stephen,

Many thanks for that information. I thought my iproute2 was up to date, but I must have made a mistake somewhere. I'll go and grab it again.

I can see your point about prio or (p/b)fifo not being much slower, but this will be running on an oldish Celeron box so I wanted to make things as memory efficient as possible.

Again, many thanks for clearing that up.

Mark Lidstone
IT and Network Support Administrator
BMT SeaTech Ltd
Grove House, Meridians Cross, 7 Ocean Way
Ocean Village, Southampton. SO14 3TJ. UK
Tel: +44 (0)23 8063 5122
Fax: +44 (0)23 8063 5144
E-Mail: mailto:mark.lidstone@bmtseatech.co.uk
Website: www.bmtseatech.co.uk

-----Original Message-----
From: Stephen Hemminger [mailto:shemminger@osdl.org]
Sent: 15 November 2005 19:00
To: Mark Lidstone
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Pfifo_fast "Unknown qdisc" and asking for basic design advice

On Fri, 11 Nov 2005 09:50:03 -0000
"Mark Lidstone" wrote:

> Hi all,
>
> I've done a search through the archives but I can't find a
> cause/solution to this.
>
> I'm running a FC4 box with the stock 2.6.12 kernel and a FC2 box with
> a stock 2.6.9 kernel. I'm obviously using
> iproute2 and the patched tc.
>
> When I clear down the qdiscs with "tc qdisc del dev root" I get
> the following in response to "tc qdisc":
>
> qdisc pfifo_fast 0: dev eth0 [Unknown qdisc, optlen=20]
> qdisc pfifo_fast 0: dev eth1 [Unknown qdisc, optlen=20]
>

Current versions of iproute2 know about pfifo_fast.

> Unfortunately I cannot add pfifo_fast as a queue type (I was hoping to
> use one - see below). Have I missed something?

pfifo_fast is only suitable as a baseline with no other qdiscs involved. It can only sit directly on the device (at the bottom). It shouldn't be that much faster than doing it with prio and fifo for most things. The additional overhead of prio and fifo is mostly because they are in separate modules and that adds some memory locality penalty.

From andy.furniss at dsl.pipex.com Wed Nov 16 17:49:48 2005
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Mon Nov 21 23:18:29 2005
Subject: [LARTC] Using TBF to throttle a PC to 5kbps
In-Reply-To: <200511141753.48133.lartc-337@ccp.com.au>
References: <200511141753.48133.lartc-337@ccp.com.au>
Message-ID: <437B632C.8050803@dsl.pipex.com>

Lee Sanders wrote:
> Hi Everyone,
>
> This is a simple question but I don't understand why the below tbf is not
> working as expected by throttling traffic to 5kbps
>
> If I throttle a PC's traffic using the below, when traffic exceeds 5kbps
> packets start getting dropped (as they should) but all traffic gets dropped,
> not just the bit over 5kbps.
>
> TC="tc add dev ppp0"
> $TC parent 8001:2 handle 2: tbf rate 5kbps latency 50ms burst 1540
>
> I can see the "dropped" counter increasing, the overlimits counter stays the
> same and there is a "backlog" counter with 21p

That's strange - this is a count of the packets queued, but why 21 - the settings you use make for a very small buffer: 5kbps and 50ms is < 1 bulk packet.

Do a

tc -s -d qdisc ls dev ppp0

and you may see tbf has optimised it to even less.

Try with 500ms latency.

Andy.

From gregoriandres at yahoo.com.ar Tue Nov 22 00:13:32 2005
From: gregoriandres at yahoo.com.ar (LinuXKiD)
Date: Tue Nov 22 00:14:06 2005
Subject: [LARTC] VOIP traffic under vSAT link
Message-ID:

Hi,

I've a vsat internet link and I want to know if I can make VOIP calls over it.
(Ping in the best case reaches 900/100 ms because of the satellite effect.)

Can I make voip calls with the SIP protocol?

Thanks
andres

From kloostec at gavintech.com Tue Nov 22 01:01:30 2005
From: kloostec at gavintech.com (Chris Kloosterman)
Date: Tue Nov 22 01:01:56 2005
Subject: [LARTC] Iproute2 src mangling problems
Message-ID: <20051121160130.ny8ol2nkwrkkso8o@qbranch.gavintech.com>

Hi,

I'm having an issue with changing the source address of packets originating from a specific user using a combination of iptables and iproute2. We want to change packets originating from a specific service so that they originate from that service's IP address, so that we can move it to a different physical server and have the packets appear to come from the same place.

First, I'll explain what I have set up.

===============
OS: CentOS 4.2 (also tried Fedora Core 4)
IPRoute version: iproute.i386 2.6.9-3 (from yum)
IPTables version: iptables.i386 1.2.11-3.1.RHEL4
Kernel: 2.6.9-11.EL
===============

- We have two IP addresses assigned to this machine using aliases:

[root@tequesta ~]# ip addr show
2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
...
inet xxx.yyy.zzz.39/24 brd xxx.yyy.zzz.255 scope global eth0
inet xxx.yyy.zzz.16/24 brd xxx.yyy.zzz.255 scope global secondary eth0:0
...

- We're marking packets that go through iptables with mark 0xf1:

/sbin/iptables -I OUTPUT -t mangle -m owner --uid-owner (uid) -j MARK --set-mark 0xf1

- With iproute2, we're setting packets marked with 0xf1 to go to a special table (which has already been created in the proper places):

/sbin/ip rule add fwmark 0xf1 lookup kloostec

- The routing table kloostec looks like this:

xxx.yyy.zzz.0/24 dev eth0 proto static src xxx.yyy.zzz.16
default via xxx.yyy.zzz.254 dev eth0

- The routing table default looks like this:

xxx.yyy.zzz.0/24 dev eth0 scope link src xxx.yyy.zzz.39
...
default via xxx.yyy.zzz.254 dev eth0

===============

So, all traffic should appear to originate from .39 except traffic flagged with mark 0xf1 (all traffic from user (uid)), which should have its source mangled to .16. However, all traffic appears to originate from .39, regardless of user.

===============

If I modify the routing table default so that it looks like this:

xxx.yyy.zzz.0/24 dev eth0 scope link src xxx.yyy.zzz.16
...
default via xxx.yyy.zzz.254 dev eth0

then all traffic appears to originate from .16, as would be expected.

===============

If I modify the routing table kloostec so that the gateway is incorrect:

xxx.yyy.zzz.0/24 dev eth0 proto static src xxx.yyy.zzz.16
default via xxx.yyy.zzz.100 dev eth0

then traffic coming from user (uid) that is destined out of the subnet stops working. So, I know that the marking and table redirection are working correctly.

===============

So, my question is, why are the packets not having their source address changed when they are marked 0xf1? If anyone could answer this, it would end days of searching and reading documentation and pulling my hair out!

Let me know if you need any more details.

Thanks in advance,
Chris Kloosterman

From zfireboy at yahoo.com Tue Nov 22 01:22:17 2005
From: zfireboy at yahoo.com (weihua zhang)
Date: Tue Nov 22 01:22:31 2005
Subject: [LARTC] HTB classid problem
Message-ID: <20051122002217.60323.qmail@web32606.mail.mud.yahoo.com>

Hey, everyone, I am kinda a newbie to this subject, so I just post my problem directly; please let me know if anything is wrong.

In my config file, when I use

tc class add dev eth1 parent 1:11 classid 1:11016 htb rate 512kbit burst 10k

everything works correctly.

But... when the classid goes larger than 1:19999, e.g.:

tc class add dev eth1 parent 1:21 classid 1:21006 htb rate 256kbit burst 10k

it throws out "RTNETLINK answers: Invalid argument".

I am using Fedora Core 3 and what I am trying to do here is regulating each mac's packets attached under an access point. So basically parent 1:21 stands for an access point, and 1:21xxx stands for one device id attached to it. Originally we had no more than 50 macs per AP, e.g. 1:2101 for upload, 1:2102 for download per mac address, so 1:21xx can cover 50 macs.

Now when I want to add more than 50 macs under one AP, the classid pattern needs to be updated. It's very strange to me that when I updated all classids to cover 500 macs per AP, e.g. 1:21xxx, it throws out an invalid argument error, but it works fine when the classid was below 1:19999.

Hope I stated this problem clearly. Thanks ahead for the help.

From dvillarreal at tvg.com.mx Tue Nov 22 01:42:53 2005
From: dvillarreal at tvg.com.mx (Gustavo Daniel Villarreal)
Date: Tue Nov 22 01:43:10 2005
Subject: [LARTC] VOIP traffic under vSAT link
In-Reply-To:
Message-ID:

From an Avaya switch documentation:

"80 millisecond (ms) to 180 ms delay can give quality business communication, which is much better than cell-phone quality. This range is very well suited for the majority of businesses. The International Telecommunication Union (ITU-T) recommends 150 milliseconds one-way delay (including endpoints) as the limit for "excellent" voice quality. This value is largely misinterpreted as the only measurement to calculate a network delay budget for IP telephones. One-way delays in excess of 250 ms can cause the well-known problem of "talk-over", when each person starts to talk because the delay prevents them from realizing that the other person has already started talking."

On 11/21/05 5:13 PM, "LinuXKiD" wrote:

> Hi,
>
> I've a vsat internet link and I want
> to know if I can make VOIP calls under it.
>
> ( Ping in the best case reaches 900/100 ms
> because of the satellite effect )
>
> Can I make voip calls with the SIP protocol?
>
> Thanks
> andres
>

--
Gustavo Daniel Villarreal
`````````````````````````
Telecomunicaciones VG y Asoc.
Monterrey, N.L. México
+528181302140

From shemminger at osdl.org Tue Nov 22 01:43:06 2005
From: shemminger at osdl.org (Stephen Hemminger)
Date: Tue Nov 22 01:43:35 2005
Subject: [LARTC] HTB classid problem
In-Reply-To: <20051122002217.60323.qmail@web32606.mail.mud.yahoo.com>
References: <20051122002217.60323.qmail@web32606.mail.mud.yahoo.com>
Message-ID: <20051121164306.6932139d@dxpl.pdx.osdl.net>

On Mon, 21 Nov 2005 16:22:17 -0800 (PST)
weihua zhang wrote:

> Hey, everyone, I am kinda a newbie to this subject, so I just post my problem directly; please let me know if anything is wrong.
>
> in my config file
> when I use
> tc class add dev eth1 parent 1:11 classid 1:11016 htb rate 512kbit burst 10k
>
> everything works correctly
>
> but...when classid goes larger than 1:19999, eg:
> tc class add dev eth1 parent 1:21 classid 1:21006 htb rate 256kbit burst 10k
> it throws out "RTNETLINK answers: Invalid argument"
>
> I am using Fedora core 3 and what I am trying to do here is regulating each mac's
> packets attached under access point. so basically parent 1:21 stands for an access point, and 1:21xxx stands for one device id attached to it. originally we had no more
> than 50 macs per AP, eg: 1:2101 for upload, 1:2102 for download per mac address.
> so 1:21xx can cover 50 macs.
>
> now when I want to add more than 50 macs under one AP, the classid pattern needs to be updated. it's very strange to me that when I updated all classid to cover 500 macs per AP, eg: 1:21xxx, it throws out invalid argument error, but it works fine when classid was below 1:19999.
>
> hope I stated this problem clearly.
> thanks ahead for the help.
>

Some non-obvious things about classids:

* tc parses classids in hex (base 16) by default.
* Classids are usually split into a major and minor part by the colon (:).
* The maximum value (hard coded into the packet scheduler API) is 16 bits for each; i.e. 16 bits for the minor number.

Why not just use some shell functions to encode the access point to class id mapping more densely?

From salim.si at askey.com.tw Tue Nov 22 07:37:44 2005
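Following Stephen Hemminger's suggestion above, this is an added example (not code from the thread) of shell functions that pack an access-point index and a per-device slot into one 16-bit HTB minor id and print it in the hex form tc parses. The bit layout (6 bits of AP, 10 bits of slot), slot 0 for the AP's parent class, and the interface, rates and parent handle are all assumptions, not something the thread specifies.

```shell
#!/bin/sh
# Added example, not from the thread. tc reads classids as hex and the minor
# part is limited to 16 bits, so pack the ids instead of writing "1:21006".
# Assumed layout of the 16-bit minor:
#   bits 15..10 = access point index (0..63)
#   bits  9..0  = slot within the AP   (0..1023)
# Slot 0 is the AP's own HTB parent class; device N (0-based) uses slot
# 1+2N for upload and 2+2N for download, so 500 devices fit (slots <= 1000).
MAJOR=1
AP_MAX=63
SLOT_MAX=1023

# pack_minor AP SLOT -> decimal minor; fails when a field is out of range
pack_minor() {
    [ "$1" -ge 0 ] && [ "$1" -le "$AP_MAX" ] || return 1
    [ "$2" -ge 0 ] && [ "$2" -le "$SLOT_MAX" ] || return 1
    echo $(( ($1 << 10) | $2 ))
}

# classid MAJOR AP SLOT -> "major:minor" in hex, the form tc expects
classid() {
    minor=$(pack_minor "$2" "$3") || return 1
    [ "$minor" -le 65535 ] || return 1   # must fit the 16-bit minor field
    printf '%x:%x\n' "$1" "$minor"
}

# ap_classid AP           -> parent class of one access point
# dev_classid AP DEV DIR  -> leaf class; DIR is "up" or "down"
ap_classid() { classid "$MAJOR" "$1" 0; }
dev_classid() {
    case "$3" in
        up)   slot=$(( 1 + 2 * $2 )) ;;
        down) slot=$(( 2 + 2 * $2 )) ;;
        *)    return 1 ;;
    esac
    classid "$MAJOR" "$1" "$slot"
}

# decode_classid "1:8410" -> "ap=33 dev=7 dir=down"; the inverse mapping,
# handy when reading "tc -s class show" output back.
decode_classid() {
    minor=$(( 0x${1#*:} ))
    ap=$(( minor >> 10 ))
    slot=$(( minor & 1023 ))
    if [ "$slot" -eq 0 ]; then
        echo "ap=$ap dev=- dir=parent"
    elif [ $(( slot % 2 )) -eq 1 ]; then
        echo "ap=$ap dev=$(( (slot - 1) / 2 )) dir=up"
    else
        echo "ap=$ap dev=$(( (slot - 2) / 2 )) dir=down"
    fi
}

# Emit the tc commands for one AP with NDEV devices. TC defaults to echo so
# the generated commands can be reviewed before they touch a live qdisc.
TC="${TC:-echo tc}"
emit_ap() {   # emit_ap IFACE AP NDEV AP_RATE DEV_RATE
    $TC class add dev "$1" parent "$MAJOR:" classid "$(ap_classid "$2")" htb rate "$4"
    i=0
    while [ "$i" -lt "$3" ]; do
        for dir in up down; do
            $TC class add dev "$1" parent "$(ap_classid "$2")" \
                classid "$(dev_classid "$2" "$i" "$dir")" htb rate "$5" burst 10k
        done
        i=$(( i + 1 ))
    done
}

# Constructed sample: AP number 33 with two devices, printed rather than loaded.
emit_ap eth1 33 2 4mbit 256kbit
```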
From: salim.si at askey.com.tw (Salim)
Date: Tue Nov 22 07:31:47 2005
Subject: [LARTC] relation b/w uplink and downlink rate control
Message-ID: <002e01c5ef2f$41c46ae0$455f030a@askeyrd3>

Hello all,

I have browsed the archives and read all available HOWTOs, but I still have a few doubts. My set up is a router, as below.

LAN(100MB)-------------(eth1)Linux-Router(eth0)---------------WAN(2MB/512)

My aim is to control both uplink and downlink bandwidth. For uplink control, I will use HTB on the WAN interface. For downlink, I plan to attach HTB on the LAN interface (both egress/outgoing). No ingress policing, no IMQ.

On the WAN interface, like in wondershaper and myshaper, I plan to have classes which handle interactive and bulk traffic separately. ACK packets and small packets also go in the interactive class. This setup guarantees that

a) interactive traffic won't be drowned out
b) uploads won't slow downloads

But this set up does not guarantee that one bulk traffic will not drown another bulk traffic, right? For example, FTP traffic might affect HTTP. Am I right?

So I plan to have a downlink control, achieved by shaping on the LAN interface (eth1). My idea is to filter different protocols into different classes having different rate and ceil. In this way, I may be able to ensure that FTP downloads will not slow down the HTTP traffic too much.

My doubt is, if I do this, will it work well with the different filtering scheme of the uplink (WAN)? I.e., the traffic is controlled in the uplink and downlink in different ways, one based on protocol (LAN) and the other based on latency issues (WAN). Will they affect each other? Can they exist together and give the desired results?

I know it may be a good idea to test it myself, hands-on. But I am not able to simulate all the combinations. If my idea is bad in theory, I do not need to spend too much time on it.

On a different note, why is the sum of the child classes in wondershaper more than its parent? Why does it still work?

regards
Salim

From kaber at trash.net Tue Nov 22 08:22:09 2005
From: kaber at trash.net (Patrick McHardy)
Date: Tue Nov 22 08:22:52 2005
Subject: [LARTC] Iproute2 src mangling problems
In-Reply-To: <20051121160130.ny8ol2nkwrkkso8o@qbranch.gavintech.com>
References: <20051121160130.ny8ol2nkwrkkso8o@qbranch.gavintech.com>
Message-ID: <4382C721.8060904@trash.net>

Chris Kloosterman wrote:
> - We have two IP addresses assigned to this machine using aliases:
>
> [root@tequesta ~]# ip addr show
> 2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
> ...
> inet xxx.yyy.zzz.39/24 brd xxx.yyy.zzz.255 scope global eth0
> inet xxx.yyy.zzz.16/24 brd xxx.yyy.zzz.255 scope global secondary eth0:0
> ...
>
> - We're marking packets that go through iptables with mark 0xf1:
>
> /sbin/iptables -I OUTPUT -t mangle -m owner --uid-owner (uid) -j MARK
> --set-mark 0xf1
>
> - With iproute2, we're setting packets marked with 0xf1 to go to a
> special table (which has already been created in the proper places):
>
> /sbin/ip rule add fwmark 0xf1 lookup kloostec
>
> - The routing table kloostec looks like this:
>
> xxx.yyy.zzz.0/24 dev eth0 proto static src xxx.yyy.zzz.16
> default via xxx.yyy.zzz.254 dev eth0
>
> - The routing table default looks like this:
>
> xxx.yyy.zzz.0/24 dev eth0 scope link src xxx.yyy.zzz.39
> ...
> default via xxx.yyy.zzz.254 dev eth0
>
> ===============
>
> So, my question is, why are the packets not having their source address
> changed when they are marked 0xf1? If anyone could answer this, it
> would end days of searching and reading documentation and pulling my
> hair out!

What source address does the packet have when it hits your mark rule? :)

No, seriously, this is a common misunderstanding; unfortunately what you're trying to do is not possible. At the time the source address is selected there is no packet and as a consequence no netfilter mark, so marks can't be used for this. The only way is to use SNAT.

From kaber at trash.net Tue Nov 22 08:30:10 2005
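Applying Patrick's answer, as an added example that is not part of the thread: the fwmark stays in mangle/OUTPUT, where the owner match is available, and the source rewrite moves to an SNAT rule in nat/POSTROUTING keyed on that mark. The uid, interface and addresses are assumed placeholders (192.0.2.0/24 stands in for the xxx.yyy.zzz network), and the script only echoes the iptables commands unless IPT is set to the real binary.

```shell
#!/bin/sh
# Added example, not from the thread. Source address selection is done by the
# route lookup before any packet (and therefore any netfilter mark) exists,
# so the fwmark + "src" route from the thread cannot change it. Keep the
# mark where the owner match works (mangle/OUTPUT) and do the rewrite with
# SNAT in nat/POSTROUTING keyed on the mark. The "ip rule add fwmark ..."
# from the thread is no longer needed for the source address; it only matters
# if that table should also pick a different gateway.
# Assumed placeholders: service uid, outgoing interface, the primary address
# the kernel picks by default and the secondary address the service should use.
SVC_UID="${SVC_UID:-1001}"
WAN_IF="${WAN_IF:-eth0}"
PRIMARY="${PRIMARY:-192.0.2.39}"
SERVICE_IP="${SERVICE_IP:-192.0.2.16}"
MARK=0xf1
IPT="${IPT:-echo iptables}"   # set IPT=iptables (as root) to load for real

# Rules are produced as strings first so they can be reviewed, or compared
# with iptables-save output, before anything is loaded.
mark_rule() {   # mark_rule UID -> mangle/OUTPUT rule tagging the service's packets
    printf '%s\n' "-t mangle -A OUTPUT -m owner --uid-owner $1 -j MARK --set-mark $MARK"
}
# Only packets that left with the primary address are rewritten; a socket the
# service explicitly bound to the service address is already right and is left alone.
snat_rule() {   # snat_rule IFACE OLDSRC NEWSRC -> nat/POSTROUTING rule
    printf '%s\n' "-t nat -A POSTROUTING -o $1 -s $2 -m mark --mark $MARK -j SNAT --to-source $3"
}

apply_rules() {
    # Word splitting of the rule strings into iptables arguments is intended.
    $IPT $(mark_rule "$SVC_UID")
    $IPT $(snat_rule "$WAN_IF" "$PRIMARY" "$SERVICE_IP")
}

# After loading, the SNAT counter should move only for the service's new
# connections: the nat table is consulted for the first packet of a connection
# only, so flows that existed before keep the primary address until they are
# re-established. The secondary address must stay configured on the interface
# so that replies to the rewritten source are still accepted.
verify_rules() {
    $IPT -t mangle -L OUTPUT -v -n
    $IPT -t nat -L POSTROUTING -v -n
}

apply_rules
verify_rules
```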
From: kaber at trash.net (Patrick McHardy) Date: Tue Nov 22 08:30:32 2005 Subject: [LARTC] Re: [ANNOUNCE] iproute2 2.6.14-051107 In-Reply-To: <20051117052001.GA14857@legolas.on.net.mk> References: <20051108102823.0ab4cf62@localhost.localdomain> <20051117052001.GA14857@legolas.on.net.mk> Message-ID: <4382C902.2050000@trash.net> Damjan wrote: >>Patrick McHardy >> * Fix ip command shortcuts > > > Hmm.. what's this change? > > I've noticed that "ip address" no longer works, only "ip addr" works. This seems to be one of the things the introduction of batch mode broke. This patch fixes it. -------------- next part -------------- Index: ip/ip.c =================================================================== RCS file: /repos/iproute2/ip/ip.c,v retrieving revision 1.10 diff -u -r1.10 ip.c --- ip/ip.c 24 Oct 2005 16:26:25 -0000 1.10 +++ ip/ip.c 22 Nov 2005 03:49:54 -0000 @@ -62,13 +62,15 @@ const char *cmd; int (*func)(int argc, char **argv); } cmds[] = { - { "addr", do_ipaddr }, - { "maddr", do_multiaddr }, + { "address", do_ipaddr }, + { "maddress", do_multiaddr }, { "route", do_iproute }, { "rule", do_iprule }, - { "neigh", do_ipneigh }, + { "neighbour", do_ipneigh }, + { "neighbor", do_ipneigh }, { "link", do_iplink }, { "tunnel", do_iptunnel }, + { "tunl", do_iptunnel }, { "monitor", do_ipmonitor }, { "xfrm", do_xfrm }, { "mroute", do_multiroute }, From msc at antzsystem.de Tue Nov 22 11:04:03 2005 
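Review bot: the hunk in ip/ip.c is only correct if the lookup over cmds[] is prefix-based, so that "addr", "maddr" and "neigh" still resolve to the new "address", "maddress" and "neighbour" entries; that matching code is outside the shown lines, so the commit message should state the dependency and note that a short prefix resolves to the first matching entry, which the ordering of "neighbour" before "neighbor" preserves. The added `{ "tunl", do_iptunnel },` line deserves a one-line comment: "tunl" is not a prefix of "tunnel", so it cannot be served by prefix matching and needs its own entry.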
From: msc at antzsystem.de (Markus Schulz)
Date: Tue Nov 22 11:04:49 2005
Subject: [LARTC] has anyone tried adsl-optmizer kernel patches for dsl modems?
In-Reply-To: <437B4A45.8010309@dsl.pipex.com>
References: <436EA076.7040102@yahoo.fr> <437B4A45.8010309@dsl.pipex.com>
Message-ID: <200511221104.03299.msc@antzsystem.de>

On Wednesday 16 November 2005 16:03, Andy Furniss wrote:
> sophana wrote:
> > Hi
> >
> > I'm using a wondershaper-like script. But noticed imperfect
> > scheduling.
> >
> > By googling, I found some patches that take the aal5 atm overhead
> > into account in the scheduling algorithms.
> > http://www.adsl-optimizer.dk/ADSL-optimizer/
> >
> > Before trying it, has anyone tried these patches? They apply on
> > 2.4.29 kernel and 2.6.9 TC. I use centos4 with a 2.6 kernel, so I
> > can't try these easily.
>
> They should be OK as long as you are sure about your overheads.
>
> I use something similar and use ceil 286kbit while synced at 288kbit
> without problems.
>
> If your modem is connected by eth rather than ppp then htb/whatever
> will see the packet size as ip len + 14 - so you need to account for
> that.

Can you explain this a bit more please?

> I think that produces a corner case (overhead < 14) where you would
> need to put in a negative number - I don't think that will work, but
> haven't tried.

Should be easy to patch in. Overhead is only a simple variable which will be added in the htb/* module for each packet. Only the signed/unsigned problem should be considered.

msc

From francois.taillandier at netsecureone.com Tue Nov 22 15:55:41 2005
From: francois.taillandier at netsecureone.com (Francois Taillandier)
Date: Tue Nov 22 15:56:03 2005
Subject: [LARTC] WFQ substitue
Message-ID: <200511221555.42826.francois.taillandier@netsecureone.com>

Hi,

I wanted to implement WFQ, but it is not implemented in tc. Is there any way of making something like WFQ with what is implemented in tc??

What I exactly want to do is to select flows by IP and port destination, and prioritize them, but I don't need (and don't really want) to fix any rate...

Has anyone got any clue???

Thank you
Bye

From nicl at i-procc.za.net Tue Nov 22 16:43:42 2005
From: nicl at i-procc.za.net (Nic le Roux)
Date: Tue Nov 22 16:38:00 2005
Subject: [LARTC] PRIO Q's
Message-ID: <004601c5ef7b$876dc0e0$640aa8c0@rohlig.co.za>

Good morning,

I have a client that needs some shaping done. I'm only familiar with the HTB queue and was hoping someone could give me a few pointers if possible.

I need to shape outgoing and incoming as far as possible, though I don't know if it will be possible to do so without policing the incoming bandwidth. They have a link and their service provider allows them to burst as bandwidth is available.

Any help welcome.

Regards
Nic

From gregoriandres at yahoo.com.ar Tue Nov 22 20:26:17 2005
From: gregoriandres at yahoo.com.ar (LinuXKiD)
Date: Tue Nov 22 20:26:49 2005
Subject: [LARTC] PRIO Q's
In-Reply-To: <004601c5ef7b$876dc0e0$640aa8c0@rohlig.co.za>
Message-ID:

Hi,

see www.linuximq.net

regards
andres

->
->
-> Good morning,
->
-> I have a client that needs some shaping done.
-> I'm only familiar with the HTB queue and was hoping someone
-> could give me a
-> few pointers if possible.
->
-> I need to shape outgoing and incoming as far as possible though
-> I don't know
-> if it will be possible to do so without policing the incoming bandwidth.
-> They have a link and their service provider allows them to burst as
-> bandwidth is available.
->
-> Any help welcome.
->
-> Regards
-> Nic
->
-> _______________________________________________
-> LARTC mailing list
-> LARTC@mailman.ds9a.nl
-> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From nicl at i-procc.za.net Tue Nov 22 20:38:17 2005
From: nicl at i-procc.za.net (Nic le Roux)
Date: Tue Nov 22 20:32:24 2005
Subject: [LARTC] PRIO Q's
In-Reply-To: <43834E73.2000700@gmail.com>
Message-ID: <003901c5ef9c$4c6cc2e0$640aa8c0@rohlig.co.za>

|Nic le Roux wrote:
|
|>Good morning,
|>
|>I have a client that needs some shaping done.
|>I'm only familiar with the HTB queue and was hoping someone could give
|>me a few pointers if possible.
|>
|>I need to shape outgoing and incoming as far as possible though I don't
|>know if it will be possible to do so without policing the incoming bandwidth.
|>They have a link and their service provider allows them to burst as
|>bandwidth is available.
|>
|>
|>
|What is your question? Give more details.
|Or you mean "as fair as possible" ?

Hi there,

I need to shape for VoIP calls on a client's fibre connection to IS. He has variable bandwidth available according to the ISP's utilisation; this can vary by bursting up to 512Kbit per second in and out. I know this doesn't sound like much, but it's in South Africa and over here the bandwidth is very expensive.

We need to shape both incoming and outgoing if possible to give the voice calls top priority. I think the PRIO queue would work the best according to what I have read, but would I be able to use it on an incoming connection?

Any help / suggestions welcome.

Thanks and Regards
Nic

From comp.techs at aspenview.org Tue Nov 22 20:57:49 2005
From: comp.techs at aspenview.org (comp.techs)
Date: Tue Nov 22 20:58:03 2005
Subject: [LARTC] Multipath TE
Message-ID: <648A21EA469E3848922D9860785CD5EF456703@aspen-mail01.aspenview.org>

Hi, is there any way to route traffic between 2 ECMP routes dependent on the current utilization (packet loss/bandwidth)? For example using OSPF on 2 linux routers with ECMP gre tunnels between them. If the bandwidth on one tunnel starts to exceed a given value the "mechanism" will start sending traffic to the other interface.

thx
jason

From jablonskis at gmail.com Tue Nov 22 22:51:18 2005
From: jablonskis at gmail.com (Vaidas)
Date: Tue Nov 22 22:30:22 2005
Subject: [LARTC] is it possible?
Message-ID: <438392D6.9060903@gmail.com>

Hello. I wonder to know: is it possible, and how?

[ASCII diagram of an HTB class tree: 1: at the root, 1:1 below it, 1:2, 1:3 and 1:4 under 1:1, and further classes labelled a?:b? and ? below those; the drawing did not survive transmission and a fixed copy is linked in the next message]

From jablonskis at gmail.com Tue Nov 22 23:21:01 2005
From: jablonskis at gmail.com (Vaidas)
Date: Tue Nov 22 22:59:59 2005
Subject: [LARTC] is it possible? (fixed pic)
Message-ID: <438399CD.3000507@gmail.com>

http://barakas.servebeer.com/stuff/tc_htb.txt

From lartc at dervishd.net Tue Nov 22 23:37:38 2005
From: lartc at dervishd.net (DervishD)
Date: Tue Nov 22 23:37:51 2005
Subject: [LARTC] tc filter: match tcp src vs. match ip sport
Message-ID: <20051122223738.GA1284@DervishD>

Hi all :))

This matches what I want:

tc filter add dev eth0 protocol ip parent 1:0 prio 9 u32 \
    match ip sport 0x3000 0xf000 flowid 1:22

and traffic goes to 1:22, but this one doesn't match:

tc filter add dev eth0 protocol ip parent 1:0 prio 9 u32 \
    match tcp src 0x3000 0xf000 flowid 1:22

I don't understand why the first one matches and the second one doesn't :? because in the output of "tc filter show" the only difference is that the first one matches "at 20" and the second one "at nexthdr+0", which should be identical :?????

What the heck am I doing wrong?

Thanks a lot :)

Raúl Núñez de Arenas Coronado

--
Linux Registered User 88736 | http://www.dervishd.net
http://www.pleyades.net & http://www.gotesdelluna.net
It's my PC and I'll cry if I want to...

From djweis at internetsolver.com Wed Nov 23 03:07:51 2005
From: djweis at internetsolver.com (Dave Weis)
Date: Wed Nov 23 03:08:56 2005
Subject: [LARTC] Full hashing filter sample
Message-ID:

I'm trying to get the hashing filters set up for about 1k IP addresses. I went through the list archives and read the howto. I did find a couple of non-functional samples. Does anyone have a shell/perl script that would at least generate the basic rules for 256k, 512k, etc, and then attach the ip range to it?

dave

--
Dave Weis
djweis@internetsolver.com
http://www.internetsolver.com/

From sophana78 at yahoo.fr Wed Nov 23 14:23:52 2005
From: sophana78 at yahoo.fr (Sophana Kok) Date: Wed Nov 23 14:24:10 2005 Subject: [Bulk] Re: [LARTC] has anyone tried adsl-optmizer kernel patches for dsl modems? In-Reply-To: <200511221104.03299.msc@antzsystem.de> References: <436EA076.7040102@yahoo.fr> <437B4A45.8010309@dsl.pipex.com> <200511221104.03299.msc@antzsystem.de> Message-ID: <43846D68.2050709@yahoo.fr> Markus Schulz wrote: >On Wednesday 16 November 2005 16:03, Andy Furniss wrote: > > >>I use something similar and use ceil 286kbit while synced at 288kbit >>without problems. >> >> What thing similar do you use? I don't understand why it is not in the kernel already. >should be easy to patch in. Overhead is only a simple variable which >will be added in htb/* module for each paket. Only sign/unsign problem >should be considered. > > How? The ppp over aal5 atm encapsulation is in almost all adsl lines isn't it? Isn't it standard? This makes a huge number of lines in the world. Are there other patches ? or distributions that already include these patches? Regards From msc at antzsystem.de Wed Nov 23 17:11:05 2005 
From: msc at antzsystem.de (Markus Schulz) Date: Wed Nov 23 17:11:40 2005 Subject: [Bulk] Re: [LARTC] has anyone tried adsl-optmizer kernel patches for =?iso-8859-1?q?dsl=09modems=3F?= In-Reply-To: <43846D68.2050709@yahoo.fr> References: <436EA076.7040102@yahoo.fr> <200511221104.03299.msc@antzsystem.de> <43846D68.2050709@yahoo.fr> Message-ID: <200511231711.06094.msc@antzsystem.de> On Wednesday 23 November 2005 14:23, Sophana Kok wrote: > Markus Schulz wrote: > >On Wednesday 16 November 2005 16:03, Andy Furniss wrote: > >>I use something similar and use ceil 286kbit while synced at > >> 288kbit without problems. > > What thing similar do you use? I don't understand why it is not in > the kernel already. sounds like he has calculated the constant overhead for each htb-class and set the ceil value to according this. this is equivalent to the stuff from adsl-optimizer. in both ways you need to setup classes for packets with same average size or it won't work. Most important is the class for ACK-only packets cause they have the biggest overhead. correct me if i'm wrong. > >should be easy to patch in. Overhead is only a simple variable which > >will be added in htb/* module for each paket. Only sign/unsign > > problem should be considered. > > How? this refers to the possible negativ overhead mentioned from Andy Furniss by use of pppoe. But i don't understand whencever the -14 Bytes should come from. so i asked for explanation. If signed overhead is really needed, it can be easy added into the patches you meantioned (http://www.adsl-optimizer.dk/ADSL-optimizer/). Cause these patches only add a constant offset to a htb class which will be set with modified iproute tc utility. > The ppp over aal5 atm encapsulation is in almost all adsl lines isn't > it? Isn't it standard? yes, i think so. therefore i asked Andy to explain his objection. > This makes a huge number of lines in the world. > Are there other patches ? > or distributions that already include these patches? 
Don't know a distribution which already include these patches. But the effort for a selfmade kernel with these patches is maintainable. msc From phillskonf at atlas.cz Wed Nov 23 18:08:55 2005 
From: phillskonf at atlas.cz (Phill) Date: Wed Nov 23 18:09:13 2005 Subject: [LARTC] Source based routing, some TCP packets not SNAT-ed Message-ID: <4384A227.1000307@atlas.cz> Hello, I have a problem with the following setup, I hope you can help me. I have two internet gateways, one for LAN1 and the second for LAN2. +--------------+ GW1 more eth0| |eth4(SNAT) GW2 ---...routers...-----+ router +----------------- | | +---+------+---+ eth1| eth2| | | LAN1| LAN2| I am using the following setup: ip rule add fwmark 1 lookup LAN2 ip route add default via GW1 ip route add table LAN2 default via GW2 ip route flush cache So the default routing table has default route set to GW1 and the table LAN2 has default gw set to GW2. I am marking packets in iptables. iptables -t mangle -A PREROUTING -s $IP1_IN_LAN2 -d ! 10.0.0.0/255.0.0.0 -j MARK --set-mark 0x1 iptables -t mangle -A PREROUTING -s $IP2_IN_LAN2 -d ! 10.0.0.0/255.0.0.0 -j MARK --set-mark 0x1 The last thing in my firewall is: iptables -t nat -A POSTROUTING -o eth4 -j SNAT --to-source $Public_IP The configuration is quite simple, but now straight to the problem: When I run tethereal I see packets with the correct IP address, but sometimes there are packets which have not been nat-ed. I found out that the packets are always marked with the flags [FIN, ACK] and sometimes it is [TCP Retransmission]. For example: #tethereal -i eth4 |grep "10.109.158" 1427.492655 10.109.158.109 -> 194.213.62.44 TCP 1943 > www [FIN, ACK] Seq=0 Ack=0 Win=65535 Len=0 1428.938362 10.109.158.109 -> 194.213.62.44 TCP [TCP Retransmission] 1943 > www [FIN, ACK] Seq=0 Ack=0 Win=65535 Len=0 1431.855387 10.109.158.109 -> 194.213.62.44 TCP [TCP Retransmission] 1943 > www [FIN, ACK] Seq=0 Ack=0 Win=65535 Len=0 1437.890639 10.109.158.109 -> 194.213.62.44 TCP [TCP Retransmission] 1943 > www [FIN, ACK] Seq=0 Ack=0 Win=65535 Len=0 where 10.109 is my internal network (LAN2). These packets are not SNAT-ed. 
Is it configuration problem, or a kernel/netfilter problem? I tried google, various kernel options, some iptables rules, but did not find the solution. I can post more information if u ask me to. Thanks for any advice, I am getting desperate. -Phill ---------------------------------------------- Member of PSF|Predictable Suicide Fanatics[CZ] a Day of Defeat clan WWW: http://psf.gotdns.com ---------------------------------------------- ---------------------------------------------- Member of Wireless community network PilsFree WWW: http://www.pilsfree.net ---------------------------------------------- ---------------------------------------------- I do know everything, just not all at once. It's a virtual memory problem. ---------------------------------------------- From erik at ironsavior.net Wed Nov 23 22:08:28 2005 From: erik at ironsavior.net (Erik Elmore) Date: Wed Nov 23 22:08:44 2005 Subject: [LARTC] is it possible? (fixed pic) In-Reply-To: <438399CD.3000507@gmail.com> References: <438399CD.3000507@gmail.com> Message-ID: <82b4b0ec0511231308n11750edfofbbb24349b29063a@mail.gmail.com> Hrm? On 11/22/05, Vaidas wrote: > http://barakas.servebeer.com/stuff/tc_htb.txt > > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > From salim.si at askey.com.tw Thu Nov 24 07:00:07 2005 
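To spot the un-NATed packets Phill describes above without reading the capture by hand, here is an added example (not code from either post) that parses tethereal one-line summaries of the shape shown in his post and flags anything leaving the outside interface with an RFC 1918 source, grouping the hits by TCP flags and retransmission status. The sample capture is constructed, and 203.0.113.7 stands in for the router's public SNAT address.

```python
"""Detect packets that left the outside interface without being SNATed.

Added example, not from the thread: it parses tethereal one-line summaries
of the shape shown in Phill's post and flags any packet whose source is
still an RFC 1918 address, grouping the hits by TCP flags and by whether
tethereal tagged them as retransmissions.  The capture below is constructed.
"""
import ipaddress
import re
from collections import Counter

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the layout of "tethereal -i eth4" output from the
# thread; 203.0.113.7 stands in for the router's public SNAT address.
SAMPLE_CAPTURE = """\
1427.492655 10.109.158.109 -> 194.213.62.44 TCP 1943 > www [FIN, ACK] Seq=0 Ack=0 Win=65535 Len=0
1427.611002 203.0.113.7 -> 194.213.62.44 TCP 1944 > www [SYN] Seq=0 Len=0 MSS=1460
1428.938362 10.109.158.109 -> 194.213.62.44 TCP [TCP Retransmission] 1943 > www [FIN, ACK] Seq=0 Ack=0 Win=65535 Len=0
1429.100000 203.0.113.7 -> 198.51.100.9 UDP Source port: 1025 Destination port: domain
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<proto>\S+)\s*(?P<rest>.*)$"
)
# the TCP flag list tethereal prints right before "Seq="
FLAGS_RE = re.compile(r"\[([A-Z]+(?:, [A-Z]+)*)\] Seq=")


def parse_line(line):
    """One tethereal summary line -> dict, or None if it is not a packet line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["retransmission"] = "[TCP Retransmission]" in rec["rest"]
    flags = FLAGS_RE.search(rec["rest"])
    rec["flags"] = flags.group(1) if flags else ""
    return rec


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def find_unnatted(capture):
    """Records whose source is private although seen on the outside interface."""
    return [rec for rec in map(parse_line, capture.splitlines())
            if rec is not None and is_rfc1918(rec["src"])]


def summarize(records):
    """Count hits by (flags, retransmission) so a pattern like all-FIN/ACK stands out."""
    return Counter((r["flags"], r["retransmission"]) for r in records)


if __name__ == "__main__":
    hits = find_unnatted(SAMPLE_CAPTURE)
    for r in hits:
        print(f"{r['ts']} {r['src']} -> {r['dst']} {r['proto']} [{r['flags']}]"
              f"{' retransmission' if r['retransmission'] else ''}")
    print(summarize(hits))
```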
From: salim.si at askey.com.tw (Salim) Date: Thu Nov 24 06:54:21 2005 Subject: [LARTC] ftp connmark Message-ID: <002701c5f0bc$557424c0$455f030a@askeyrd3> I saw this snippet from Daniel Chemko dchemko@smgtec.com Mon, 31 May 2004 09:30:43 -0700 # Egress marking (mostly for QOS operations) iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT iptables -t mangle -A POSTROUTING -o ${if_inet} --dport 21 -j MARK --set-mark 0x111 iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark I want to mark many packets, including FTP. So above these lines, I have a few more lines in my script. Like the following... iptables -t mangle -A POSTROUTING -p icmp -j MARK --set-mark 0x110 iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT iptables -t mangle -A POSTROUTING -o ${if_inet} --dport 21 -j MARK --set-mark 0x111 iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark So, when an ICMP packet comes to the 2nd ('restore-mark') line, it is already marked with 0x110. Will the restore-mark mark the packet with 0 since there is no connmark set for ICMP? Or it will leave the packet untouched? In that case, I can not redirect the ICMP packet to the class I defined for it. What is the solution for this issue? What to do if I have different classification marks, some use connmark and some does not(just fw mark)? regards Salim From unki at netshadow.at Thu Nov 24 07:44:13 2005
From: unki at netshadow.at (Andreas Unterkircher) Date: Thu Nov 24 07:44:21 2005 Subject: [LARTC] RE: [Havp-users] problems installing from source In-Reply-To: <20051124053624.427DB3B4031@mail.cathedral.qld.edu.au> Message-ID: <20051124.Ejl.47994000@egroupware.netshadow.at> look for clamav-devel-* or clamav-dev-* packages of your distribution. Paul Matthews (paul.matthews@cathedral.qld.edu.au) schrieb: > > I have installed the following when it comes to clamAV > > clamav-db-0.87-1.1.fc3.rf.i386.rpm > clamav-0.87-1.1.fc3.rf.i386.rpm > clamd-0.87-1.1.fc3.rf.i386.rpm > > am I missing something if so could you please direct me to the website? > > Thanks! > > -----Original Message----- 
> From: havp-users-admin@lists.sourceforge.net > [mailto:havp-users-admin@lists.sourceforge.net] On Behalf Of Andreas > Unterkircher > Sent: Thursday, 24 November 2005 3:07 > To: havp-users@lists.sourceforge.net > Subject: Re: [Havp-users] problems installing from source > > Have you also installed clamav-devel packages which includes the > clamav-header files? > Because the error say, that they are not available... > > Paul Matthews schrieb: > > > > Hi there > > > > I'm having some issues when installing HAVP from source. I have clamAV > > installed already and when I run the make command I get this error > > > > [root@fedora havp-0.74]# make > > > > cd havp && make > > > > make[1]: Entering directory `/install/havp-0.74/havp' > > > > g++ -DHAVE_CONFIG_H -I. -I. -I.. -O2 -c havp.cpp -o havp.o > > > > In file included from havp.cpp:40: > > > > clamlibscanner.h:21:20: clamav.h: No such file or directory > > > > In file included from havp.cpp:40: > > > > clamlibscanner.h:31: error: field `limits' has incomplete type > > > > clamlibscanner.h:32: error: field `dbstat' has incomplete type > > > > make[1]: *** [havp.o] Error 1 > > > > make[1]: Leaving directory `/install/havp-0.74/havp' > > > > make: *** [all] Error 2 > > > > any ideas? > > > > > > ------------------------------------------------------- > This SF.net email is sponsored by: Splunk Inc. Do you grep through log files > for problems? Stop! Download the new AJAX search engine that makes > searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! > http://ads.osdn.com/?ad_idv37&alloc_id865&op=ick > _______________________________________________ > Havp-users mailing list > Havp-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/havp-users > From ronniesahlberg at gmail.com Thu Nov 24 10:52:33 2005
From: ronniesahlberg at gmail.com (ronnie sahlberg) Date: Thu Nov 24 10:52:50 2005 Subject: [LARTC] ip route mpath rr problem Message-ID: Hi list, I have tried google but just can't get this to work or figure it out.
My setup
========
vanilla 2.6.13 kernel with
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_MULTIPATH_CACHED=y
CONFIG_IP_ROUTE_MULTIPATH_RR=y
CONFIG_IP_ROUTE_MULTIPATH_RANDOM=y
CONFIG_IP_ROUTE_MULTIPATH_WRANDOM=y
CONFIG_IP_ROUTE_MULTIPATH_DRR=y
My configuration: A host with two ppp links. On top of these two ppp dialup links i have created two CIPE tunnels, one on each link. Both A and B are under my control.
+----+     cipcb0/ppp0      +-----+
|    |----------------------|     |
| A  |                      |  B  |
|    |     cipcb1/ppp1      |     |
|    |----------------------|     |
+----+                      +-----+
From A's perspective
ppp0 : local ip:10.1.1.1 peer:10.1.1.254
ppp1 : local ip:10.1.1.2 peer:10.1.1.254 (my ISP gives me the same peer for concurrent dialups)
The two tunnels:
cipcb0: local:10.2.2.1 peer:10.2.2.2
cipcb1: local:10.2.2.5 peer:10.2.2.6
Both CIPE tunnels work fine. I can ping my other box B fine using either 10.2.2.2 or 10.2.2.6 and the traffic goes across the correct interface.
What I want
===========
I would like packet by packet load-balancing between A and B. Traffic originating from A going to B will be load balanced packet by packet across cipcb0 and cipcb1.
What I have tried
=================
ip route add 10.3.3.3/32 equalize nexthop via 10.2.2.2 dev cipcb0 nexthop via 10.2.2.6 dev cipcb1
I also run a tcpdump on each of the two interfaces cipcb0 and cipcb1 to see where the traffic goes.
On A : ping 10.3.3.3 : this makes all outgoing traffic go through a single link. I tried it while at the same time i ran
while true;do ip route flush cache; done
but that just made tcpdump show the echo reply packet coming back jump back and forth between cipcb0/cipcb1 with a granularity of changing every 2 seconds or so. weird. All outgoing traffic from A still went through the same cipcb interface.
What i have searched for but failed to find =========================== I have found posts that refer to something like ip route add ... mpath rr but can not find which iproute2 package that contains the mpath arguments. Request for help: ================= I currently use 2.6.13 with the config options i listed above. How can I do packet by packet load balancing from packets from A to B? I am willing to change to whatever 2.6 kernel known to work. Where can i find an iproute2 tool that supports mpath argument? i suppose i need this? Anyone willing to help me? best regards ronnie sahlberg, ethereal developer From brick at caramidaru.botosani.rdsnet.ro Thu Nov 24 11:25:49 2005 
From: brick at caramidaru.botosani.rdsnet.ro (brick@caramidaru.botosani.rdsnet.ro) Date: Thu Nov 24 11:26:30 2005 Subject: [LARTC] htb thingy Message-ID: hi all i want to first apologize if my message will annoy you (my guess is because it will be quite large :)) i have the following situation on my hands i was recently faced with the problem of traffic shaping/bandwidth limiting. my setup is (very common i guess)
-internet coming in (going out) through eth0
-internet is being "shared" with the private local network via eth1.
i googled & googled, worked my brain out and arrived at this solution: in order to have everybody have a guaranteed bandwidth i have to "htb" them :) here's what i did
i limit the upload by shaping outgoing traffic according to this tree, on eth0
# root 1:
#  \_ class 1:11 (total)
#      |_ class 1:1 (lower rates)      -> 1:102 ... 1:130
#      |_ class 1:2 (higher rates)     -> 1:204 ... 1:228
#      \_ class 1:101 (upload "local") -> 111: sfq
so here goes how i build the tree
#first some variables
dev=eth0
total=512
#for first class i define the limits-i have ten users in this
min1=16
max1=$[$min1*10]
#second class-12 users
min2=24
max2=$[$min2*12]
#what's left of the bandwidth i put into the local upload class
local=$[$total-$max1-$max2]
#the root
tc qdisc add dev $dev root handle 1: htb default 101 r2q 1
#i fixed r2q to 1 because of the warnings i could get from too low/high
#quantums.
#the main class
tc class add dev $dev parent 1:0 classid 1:11 htb rate ${total}kbit\
    burst 2k prio 1
#the class for the first category of users
tc class add dev $dev parent 1:11 classid 1:1 htb rate ${max1}kbit\
    ceil $[$max1+$max1/5]kbit burst 2k prio 1
#then the list of classes for this category
tc class add dev $dev parent 1:1 classid 1:102 htb rate ${min1}kbit\
    ceil $[$max1/2]kbit burst 2k prio 1
#and so on
#then we do the second category
tc class add dev $dev parent 1:11 classid 1:2 htb rate ${max2}kbit\
    ceil $[$max2+$max2/4]kbit burst 2k prio 1
#then a class for every ip in this group
tc class add dev $dev parent 1:2 classid 1:204 htb rate ${min2}kbit\
    ceil $[$max2/2]kbit burst 2k prio 1
## at this point i have a first round of questions....do i need to set a different burst value? do i need to specify quantum? i saw on a htb-utils generated script that quantum for the parent classes was set to 1500, should i do that too? any other suggestion is welcome ##
#now i define the class for the traffic generated from the router itself
tc class add dev $dev parent 1:11 classid 1:101 htb rate ${local}kbit\
    burst 2k prio 1
#we add a sfq qdisc to share equally this bandwidth between all the
#visitors/guest or whatever
tc qdisc add dev $dev parent 1:101 handle 111: sfq perturb 10
now the tree is done
because i use SNAT i can't use the u32 selector to classify the traffic. so i use the fw filter, after marking the packets that come from each ip with iptables.
#first we mark the packets leaving the machine
iptables -A OUTPUT -t mangle -o $dev -s $local_internet_ip -j MARK\
    --set-mark 1
#then we attach a filter that sends this traffic where it needs to go
tc filter add dev $dev parent 1:0 protocol ip prio 1 handle 1\
    fw flowid 1:101
#we add rules to mark the packets from the local network
iptables -A FORWARD -t mangle -i eth1 -o eth0 -s 192.168.168.2/32\
    -j MARK --set-mark 2
#then the filters ..
tc filter add dev $dev parent 1:0 protocol ip prio 2 handle 2\
    fw flowid 1:102
#any comments about how i use iptables here?
#i put a different priority to this filter because i want the local traffic
#to be tested first. is this wrong?
to shape the download i use a similar tree but on eth1, and i use larger values for the limits since this is the "download" speed :) also here i use the u32 selector to direct the traffic. is this ok, or should i find a way to use iptables marking as well? and instead of the local upload branch i have a separate "larger" branch for local downloads (from the router).
# root 1:
#  |_ class 1:3 (local, 3mbit)        -> 1:30 -> sfq
#  \_ class 1:11 (internet, 512kbit)
#      |_ class 1:1 (minim 160kbit)   -> 1:102 ... 1:130
#      \_ class 1:2 (minim 360kbit)   -> 1:204 ... 1:228
another problem i ran into is that i can't seem to attach filters anywhere but the root qdisc
any advice on how i can improve my setup is welcome
aaa almost forgot i use fedora core 4
THANK YOU FOR YOUR PATIENCE! From sorin.panca at gmail.com Thu Nov 24 14:46:40 2005
From: sorin.panca at gmail.com (Sorin Panca) Date: Thu Nov 24 14:42:05 2005 Subject: [LARTC] Will this work? Message-ID: <4385C440.1080204@gmail.com> Hi people! Will this filter work? # the traffic for MAN - match IP & MARK $tc filter add dev $EXT1 parent 1: protocol ip prio 0 handle 0x1 fw u32 match ip src $IP flowid 1:B$hIP $tc filter add dev $INT1 parent 1: protocol ip prio 0 handle 0x1 fw u32 match ip dst $IP flowid 1:B$hIP # the traffic for Internet - match IP only (what is left after MAN filter) $tc filter add dev $EXT1 parent 1: protocol ip prio 0 u32 match ip src $IP flowid 1:C$hIP $tc filter add dev $INT1 parent 1: protocol ip prio 0 u32 match ip dst $IP flowid 1:C$hIP # $hIP is the last byte of the IP address, written in hexa From andy.furniss at dsl.pipex.com Thu Nov 24 15:59:10 2005 
From: andy.furniss at dsl.pipex.com (Andy Furniss) Date: Thu Nov 24 15:59:17 2005 Subject: [LARTC] has anyone tried adsl-optmizer kernel patches for dsl modems? In-Reply-To: <200511221104.03299.msc@antzsystem.de> References: <436EA076.7040102@yahoo.fr> <437B4A45.8010309@dsl.pipex.com> <200511221104.03299.msc@antzsystem.de> Message-ID: <4385D53E.9010702@dsl.pipex.com> Markus Schulz wrote: > On Wednesday 16 November 2005 16:03, Andy Furniss wrote: > >>sophana wrote: >> >>>Hi >>> >>>I'm using wondershaper like script. But noticed imperfect >>>scheduling. >>> >>>By googling, I found some patches that takes the aal5 atm overhead >>>in the scheduling algorithms. >>>http://www.adsl-optimizer.dk/ADSL-optimizer/ >>> >>>Before trying it, has anyone tried these patches? they apply on >>>2.4.29 kernel and 2.6.9 TC. I use centos4 with a 2.6 kernel, so I >>>can't try these easily. >> >>They should be OK as long as you are sure about your overheads. >> >>I use something similar and use ceil 286kbit while synced at 288kbit >>without problems. >> >>If your modem is connected by eth rather than ppp then htb/whatever >>will see the packet size as ip len + 14 - so you need to account for >>that. > > > can you explain this a bit more please? It's because htb uses skb->len for packet size and if you shape on an eth interface this is ip length + 14, but it's just ip length if you shape on ppp/vlan etc. You can see this by looking at htb counters and sending fixed size packets. > > >>I think that produces a corner case (overhead < 14) where you would >>need to put in a negative number - I don't think that will work, but >>haven't tried. > > > should be easy to patch in. Overhead is only a simple variable which > will be added in htb/* module for each paket. Only sign/unsign problem > should be considered. Yep - you just need to be aware of it and I can't recall it being mentioned in the thesis - I have only tested on 2.6 kernels. Andy. 
From andy.furniss at dsl.pipex.com Thu Nov 24 16:13:18 2005 From: andy.furniss at dsl.pipex.com (Andy Furniss) Date: Thu Nov 24 16:13:27 2005 Subject: [Bulk] Re: [LARTC] has anyone tried adsl-optmizer kernel patches for dsl modems? In-Reply-To: <43846D68.2050709@yahoo.fr> References: <436EA076.7040102@yahoo.fr> <437B4A45.8010309@dsl.pipex.com> <200511221104.03299.msc@antzsystem.de> <43846D68.2050709@yahoo.fr> Message-ID: <4385D88E.6080307@dsl.pipex.com> Sophana Kok wrote: > Markus Schulz wrote: > >> On Wednesday 16 November 2005 16:03, Andy Furniss wrote: >> >> >>> I use something similar and use ceil 286kbit while synced at 288kbit >>> without problems. >>> > > What thing similar do you use? I don't understand why it is not in the > kernel already. I use my own based on the tc tweak that Ed Wildgoose posted to the list, but patching htb aswell so it's perfect (the tc alone patch is a cell too big for some packet sizes) > >> should be easy to patch in. Overhead is only a simple variable which >> will be added in htb/* module for each paket. Only sign/unsign >> problem should be considered. >> >> > How? > > The ppp over aal5 atm encapsulation is in almost all adsl lines isn't it? > Isn't it standard? In jeesper's thesis there is a table - Knowing you overhead can be tricky - but you can test, best if your modem gives cell counters or even if it doesn't on adsl you may be able to see differences in throughput/latency if you look hard enough. > This makes a huge number of lines in the world. > Are there other patches ? > or distributions that already include these patches? I don't think so, patching is easy you need to test and know your overheads aswell. Andy. From andy.furniss at dsl.pipex.com Thu Nov 24 16:33:05 2005 
From: andy.furniss at dsl.pipex.com (Andy Furniss) Date: Thu Nov 24 16:33:13 2005 Subject: [Bulk] Re: [LARTC] has anyone tried adsl-optmizer kernel patches for dsl modems? In-Reply-To: <200511231711.06094.msc@antzsystem.de> References: <436EA076.7040102@yahoo.fr> <200511221104.03299.msc@antzsystem.de> <43846D68.2050709@yahoo.fr> <200511231711.06094.msc@antzsystem.de> Message-ID: <4385DD31.9060109@dsl.pipex.com> Markus Schulz wrote: > On Wednesday 23 November 2005 14:23, Sophana Kok wrote: > >>Markus Schulz wrote: >> >>>On Wednesday 16 November 2005 16:03, Andy Furniss wrote: >>> >>>>I use something similar and use ceil 286kbit while synced at >>>>288kbit without problems. >> >>What thing similar do you use? I don't understand why it is not in >>the kernel already. > > > sounds like he has calculated the constant overhead for each htb-class > and set the ceil value to according this. this is equivalent to the > stuff from adsl-optimizer. in both ways you need to setup classes for > packets with same average size or it won't work. Most important is the > class for ACK-only packets cause they have the biggest overhead. > correct me if i'm wrong. Nothing to do with htb classes, though you are right about small packets being a pain - they typically use 2 x 53 byte atm cells. The patches make htb lookup the delay of one less than the aal5 length in a table that is generated by a patched tc so the delay returned is the delay of the packet when it is atm cells. > > >>>should be easy to patch in. Overhead is only a simple variable which >>>will be added in htb/* module for each paket. Only sign/unsign >>>problem should be considered. >> >>How? > > > this refers to the possible negativ overhead mentioned from Andy Furniss > by use of pppoe. It's pppoa, pppoe has > 14 overhead. Andy. From comp.techs at aspenview.org Thu Nov 24 20:25:21 2005 
From: comp.techs at aspenview.org (comp.techs) Date: Thu Nov 24 20:25:44 2005 Subject: [LARTC] multipath Message-ID: <648A21EA469E3848922D9860785CD5EF456704@aspen-mail01.aspenview.org> Hi, I have setup a ECMP route between two linux systems. I do not have the equalize enabled. This would be flow based. After sending a few ftp/scp sessions I noticed that the 'per flow based' was jumping between interfaces for just one session. My question is, would this be a result of the routing cache changing between the two ECMP systems. If this is the case would removing/disabling the route cache improve this ? Does anyone have a similar setup? Any suggestions appreciated jason From jared.ballou at us.army.mil Thu Nov 24 21:39:50 2005
From: jared.ballou at us.army.mil (SGT Jared Ballou) Date: Thu Nov 24 21:40:37 2005 Subject: [LARTC] Load Balancing/NAT In-Reply-To: <20051124102638.E196045E2@outpost.ds9a.nl> References: <20051124102638.E196045E2@outpost.ds9a.nl> Message-ID: <43862516.3050007@us.army.mil> Hey, I'm trying to set up a Gentoo box to replace an aging BSD box here. The BSD box is running packet filter and I have it set up to take all data and route it to one of six sattelites. I have come up with the following config, but unfortunately I have no real way to test it short of switching the satellites over to the new system and prayer. The setup is: 192.168.252/22 - The LAN addresses, all run by DHCP on the Cisco BBSM which is behind the load balancer. Cannot change these. 10.10.1.1 - The Internal Interface, Gentoo box's IP to the BBSM. I can change this if needed. 10.10.1.2 - The BBSM's address to reply with (I cannot change this address, I tried but the BBSM hates me, and I have the BSD working on this by just NATing and then forwarding all traffic through the 10.10.1.2 gateway) 10.254.X.1 - Gentoo's ethX IPs to interface to the satelite modems. I can change these as needed. 10.254.X.10 - The Sattelite modem's IP addresses. I cannot change these. That's the setup. Like I said, the BSD box runs it fine but I am having administrative issues, and the new box has more stuff available as well as being faster. I havd 289 users as of now with more to come, so the BSD setup is sweating a bit, and I want to run Squid on this load balanced net, and an internal Web server on a different interface when I get some free time. I've gotten a lot of help on this from Chris Verges, and using his info I put this together and wanted to see if anyone had any changes I should make before I basically go live to run the test. One thing I have not added yet is the interfacing to eth0 (Internal addressing) which I am unsure how to code exactly. Thanks for any help anyone can give. 
SCRIPT FOLLOWS:
#!/bin/sh
#Define my vars
#Interfaces
IF0=eth0
IF1=eth1
IF2=eth2
IF3=eth3
IF4=eth4
IF5=eth5
IF6=eth6
#IP Addresses bound to interfaces
IP0=10.10.1.1 #Internal Interface Address
IP1=10.254.7.1 #Satellite 1 Interface
IP2=10.254.9.1 #Satellite 2 Interface
IP3=10.254.10.1 #Satellite 3 Interface
IP4=10.254.16.1 #Satellite 4 Interface
IP5=10.254.17.1 #Satellite 5 Interface
IP6=10.254.18.1 #Satellite 6 Interface
#IP Addresses of Gateways
P0=10.10.1.2 #BBSM IP Address
P1=10.254.7.10 #Satellite 1 Router/Modem IP (Gateway)
P2=10.254.9.10 #Satellite 2 Router/Modem IP (Gateway)
P3=10.254.10.10 #Satellite 3 Router/Modem IP (Gateway)
P4=10.254.16.10 #Satellite 4 Router/Modem IP (Gateway)
P5=10.254.17.10 #Satellite 5 Router/Modem IP (Gateway)
P6=10.254.18.10 #Satellite 6 Router/Modem IP (Gateway)
#Networks
P0_NET="10.10.1.0/24" # BBSM Net
P1_NET=10.254.7.0/24 #Satellite 1 Network
P2_NET=10.254.9.0/24 #Satellite 2 Network
P3_NET=10.254.10.0/24 #Satellite 3 Network
P4_NET=10.254.16.0/24 #Satellite 4 Network
P5_NET=10.254.17.0/24 #Satellite 5 Network
P6_NET=10.254.18.0/24 #Satellite 6 Network
#Perform Network Address Translation for this network
NAT_NET=192.168.252/22
#Add the routes
ip route add $P1_NET dev $IF1 src $IP1 table T1
ip route add default via $P1 table T1
ip route add $P2_NET dev $IF2 src $IP2 table T2
ip route add default via $P2 table T2
ip route add $P3_NET dev $IF3 src $IP3 table T3
ip route add default via $P3 table T3
ip route add $P4_NET dev $IF4 src $IP4 table T4
ip route add default via $P4 table T4
ip route add $P5_NET dev $IF5 src $IP5 table T5
ip route add default via $P5 table T5
ip route add $P6_NET dev $IF6 src $IP6 table T6
ip route add default via $P6 table T6
#Assign nets to correct IFs
ip route add $P1_NET dev $IF1 src $IP1
ip route add $P2_NET dev $IF2 src $IP2
ip route add $P3_NET dev $IF3 src $IP3
ip route add $P4_NET dev $IF4 src $IP4
ip route add $P5_NET dev $IF5 src $IP5
ip route add $P6_NET dev $IF6 src $IP6
#Default gateway if I go wiggy
ip route add default via $P1
#Assign tables to IPs
ip rule add from $IP1 table T1
ip rule add from $IP2 table T2
ip rule add from $IP3 table T3
ip rule add from $IP4 table T4
ip rule add from $IP5 table T5
ip rule add from $IP6 table T6
#Load Balance
ip route add default scope global \
    nexthop via $P1 dev $IF1 weight 1 \
    nexthop via $P2 dev $IF2 weight 1 \
    nexthop via $P3 dev $IF3 weight 1 \
    nexthop via $P4 dev $IF4 weight 1 \
    nexthop via $P5 dev $IF5 weight 1 \
    nexthop via $P6 dev $IF6 weight 1
#Setup NAT on all external interfaces
ip route add nat $IP1 via $NAT_NET
ip rule add nat $IP1 from $NAT_NET
ip route add nat $IP2 via $NAT_NET
ip rule add nat $IP2 from $NAT_NET
ip route add nat $IP3 via $NAT_NET
ip rule add nat $IP3 from $NAT_NET
ip route add nat $IP4 via $NAT_NET
ip rule add nat $IP4 from $NAT_NET
ip route add nat $IP5 via $NAT_NET
ip rule add nat $IP5 from $NAT_NET
ip route add nat $IP6 via $NAT_NET
ip rule add nat $IP6 from $NAT_NET
From sophana78 at yahoo.fr Thu Nov 24 22:10:36 2005
From: sophana78 at yahoo.fr (sophana) Date: Thu Nov 24 22:10:59 2005 Subject: [LARTC] max latency with htb and wondershaper for voip and p2p Message-ID: <43862C4C.4060104@yahoo.fr> Hi I'm actually using a wondershaper derived script. The problem I have is that when I ping (ping is in high priority queue) the ping time is not as low as I expected with p2p running: 760 packets transmitted, 760 received, 0% packet loss, time 759695ms rtt min/avg/max/mdev = 39.667/62.863/598.539/33.287 ms, pipe 2 With voip, it is much better with the qos but it is still a little choppy. My line is an adsl 512/128 kbit/s. Assuming the biggest low prio packet is about 1.5kbyte, this makes a max latency of 93ms higher than min latency: 133ms in my case. (that's what I notice on the ping times) I don't understand why is voip still choppy. In my config, can I assume that packets in 1:10 have the highest priority even with htb? (if the 1:10 rate is not reached). Do I need to setup a prio qdisc instead of htb for voip? If I lower the mtu of the p2p software to 750byte for example, will I get a max latency of 87ms? Can I do voip and P2P together with htb with such a line? Thanks for your help. 
qdisc htb 1: r2q 1 default 20 direct_packets_stat 0
qdisc htb 1: : 9637 ( 77.096000 kbit/s) sent=305656509 : Sent 305656509 bytes 1228041 pkts (dropped 0, overlimits 559094 requeues 0)
qdisc sfq 10: parent 1:10 limit 128p quantum 1514b perturb 10sec
qdisc sfq 10: : 588 ( 4.704000 kbit/s) sent=28498626 : Sent 28498626 bytes 489927 pkts (dropped 0, overlimits 0 requeues 0)
qdisc sfq 20: parent 1:20 limit 128p quantum 1514b perturb 10sec
qdisc sfq 20: : 228 ( 1.824000 kbit/s) sent=8288143 : Sent 8288143 bytes 81245 pkts (dropped 0, overlimits 0 requeues 0)
qdisc sfq 30: parent 1:30 limit 128p quantum 1514b perturb 10sec
qdisc sfq 30: : 8821 ( 70.568000 kbit/s) sent=268869740 : Sent 268869740 bytes 656869 pkts (dropped 0, overlimits 0 requeues 0)
qdisc ingress ffff: ----------------
qdisc ingress ffff: : 7005 ( 56.040000 kbit/s) sent=127032425 : Sent 127032425 bytes 1036821 pkts (dropped 52, overlimits 0 requeues 0)

class htb 1:1 root rate 110Kbit ceil 110Kbit burst 1612b cburst 1612b
class htb 1:1 : 9637 ( 77.096000 kbit/s) sent=305656509 : Sent 305656509 bytes 1228041 pkts (dropped 0, overlimits 0 requeues 0)
 rate 7480bit 29pps lended: 400601 borrowed: 0 giants: 0
 tokens: 116551 ctokens: 116551

class htb 1:10 parent 1:1 leaf 10: prio 0 rate 55Kbit ceil 110Kbit burst 6Kb cburst 1612b
class htb 1:10 : 588 ( 4.704000 kbit/s) sent=28498626 : Sent 28498626 bytes 489927 pkts (dropped 0, overlimits 0 requeues 0)
 rate 715bit 12pps lended: 489927 borrowed: 0 giants: 0
 tokens: 907972 ctokens: 116551

class htb 1:20 parent 1:1 leaf 20: prio 1 rate 33Kbit ceil 110Kbit burst 1603b cburst 1612b
class htb 1:20 : 228 ( 1.824000 kbit/s) sent=8288143 : Sent 8288143 bytes 81245 pkts (dropped 0, overlimits 0 requeues 0)
 rate 133bit 1pps lended: 80319 borrowed: 926 giants: 0
 tokens: 378446 ctokens: 116551

class htb 1:30 parent 1:1 leaf 30: prio 2 rate 22Kbit ceil 110Kbit burst 1601b cburst 1612b
class htb 1:30 : 8821 ( 70.568000 kbit/s) sent=268869740 : Sent 268869740 bytes 656869 pkts (dropped 0, overlimits 0 requeues 0)
 rate 6686bit 15pps lended: 257194 borrowed: 399675 giants: 0
 tokens: 101987 ctokens: 104038

From sophana78 at yahoo.fr Thu Nov 24 22:32:14 2005
From: sophana78 at yahoo.fr (sophana)
Date: Thu Nov 24 22:32:35 2005
Subject: [LARTC] Re: has anyone tried adsl-optmizer kernel patches for dsl modems? (pppoa overhead)
In-Reply-To: <4385DD31.9060109@dsl.pipex.com>
References: <436EA076.7040102@yahoo.fr> <200511221104.03299.msc@antzsystem.de> <43846D68.2050709@yahoo.fr> <200511231711.06094.msc@antzsystem.de> <4385DD31.9060109@dsl.pipex.com>
Message-ID: <4386315E.2030604@yahoo.fr>

Andy Furniss wrote:
>
> Nothing to do with htb classes, though you are right about small
> packets being a pain - they typically use 2 x 53 byte atm cells.
>
> The patches make htb lookup the delay of one less than the aal5 length
> in a table that is generated by a patched tc so the delay returned is
> the delay of the packet when it is atm cells.

You are right.
He is calculating the exact overhead of pppoa inside the kernel (not pppoe, because pppoe is not the point of congestion).
He also modified tc so that the overhead can be tweaked in the script.
I know the exact atm rate of my adsl line. So it should be possible to make an exact scheduling.
The most important application is VOIP on low rate adsl uploads because VOIP packets are small.
I still don't understand why this is not included in the kernel and tc...
My problem is that I have a 2.6.x kernel and his patch is for a 2.4.x kernel.

From sophana78 at yahoo.fr Thu Nov 24 22:35:55 2005
From: sophana78 at yahoo.fr (sophana)
Date: Thu Nov 24 22:36:17 2005
Subject: [Bulk] Re: [LARTC] has anyone tried adsl-optmizer kernel patches for dsl modems?
In-Reply-To: <4385D53E.9010702@dsl.pipex.com>
References: <436EA076.7040102@yahoo.fr> <437B4A45.8010309@dsl.pipex.com> <200511221104.03299.msc@antzsystem.de> <4385D53E.9010702@dsl.pipex.com>
Message-ID: <4386323B.1030107@yahoo.fr>

Andy Furniss wrote:
> Markus Schulz wrote:
>
>> should be easy to patch in. Overhead is only a simple variable which
>> will be added in htb/* module for each packet. Only sign/unsign
>> problem should be considered.
>
>
> Yep - you just need to be aware of it and I can't recall it being
> mentioned in the thesis - I have only tested on 2.6 kernels.

I'm sorry, but that does not seem so simple.
In pppoa (ppp over aal5), the packets are atm cell aligned, so the overhead depends on the packet size. It is not linear at all.

From comp.techs at aspenview.org Thu Nov 24 22:57:00 2005
From: comp.techs at aspenview.org (comp.techs)
Date: Thu Nov 24 22:57:12 2005
Subject: [LARTC] ip route mpath rr problem
Message-ID: <648A21EA469E3848922D9860785CD5EF456705@aspen-mail01.aspenview.org>

Hi,

I have been trying to do something similar using 2 gre tunnels between linux routers. I have used policy based routing with separate routing tables, with kernel patches such as http://www.ssi.bg/~ja/#multigw. I also tried both per flow/per packet based balancing. So far everything tends to be very inconsistent; packets seem to be dictated by the route cache (?).

Here are some suggestions you might try:
Teql
using nth or random from iptables

if you do find an answer I would be interested.

thx
jason
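The cell alignment sophana describes above (and the 1.5 kbyte / 93 ms latency estimate from the wondershaper message earlier in this digest), worked through as an added example; it is neither code from the thread nor from the adsl-optimizer patches. The 2-byte VC-multiplexed PPP encapsulation overhead is an assumption left as a parameter, and the packet sizes are constructed.

```python
# Added example (not from the thread, not the adsl-optimizer patches): how
# PPPoA/AAL5 cell alignment turns IP packets into ATM cells, and what one
# packet costs in link time on a 128 kbit/s ADSL upstream.
# Assumptions: 2 bytes of per-packet PPP encapsulation overhead (VC-multiplexed
# PPPoA; LLC/SNAP encapsulation adds more), an 8-byte AAL5 trailer, and the
# IP packet lengths used below are constructed sample values.
import math

ATM_CELL_BYTES = 53       # one ATM cell on the wire (5 header + 48 payload)
ATM_PAYLOAD_BYTES = 48    # usable payload per cell
AAL5_TRAILER_BYTES = 8    # AAL5 CPCS-PDU trailer (UU, CPI, length, CRC-32)


def atm_cells(ip_len: int, encap_overhead: int = 2) -> int:
    """Cells one IP packet occupies: the AAL5 frame (encapsulation + packet +
    trailer) is padded up to a whole number of 48-byte cell payloads."""
    return math.ceil((encap_overhead + ip_len + AAL5_TRAILER_BYTES) / ATM_PAYLOAD_BYTES)


def wire_bytes(ip_len: int, encap_overhead: int = 2) -> int:
    """Bytes actually transmitted on the ATM link for one IP packet."""
    return atm_cells(ip_len, encap_overhead) * ATM_CELL_BYTES


def serialization_ms(ip_len: int, line_kbit: float, encap_overhead: int = 2) -> float:
    """Link time (ms) one packet holds the upstream, i.e. the worst-case wait a
    higher-priority packet sees once a lower-priority one is being sent.
    bits / (kbit/s) gives milliseconds directly."""
    return wire_bytes(ip_len, encap_overhead) * 8 / line_kbit


def naive_serialization_ms(ip_len: int, line_kbit: float) -> float:
    """The same estimate ignoring ATM framing (IP bytes only)."""
    return ip_len * 8 / line_kbit


def cell_table(ip_lens, line_kbit: float = 128.0, encap_overhead: int = 2):
    """Per-size breakdown: (ip_len, cells, wire bytes, wire/IP ratio, ms on link)."""
    rows = []
    for n in ip_lens:
        wb = wire_bytes(n, encap_overhead)
        rows.append((n, atm_cells(n, encap_overhead), wb, round(wb / n, 3),
                     round(serialization_ms(n, line_kbit, encap_overhead), 2)))
    return rows


if __name__ == "__main__":
    # Constructed sizes: 38/39 straddle the one-cell boundary (a single extra
    # byte doubles the wire cost), 60 is a typical small VoIP/RTP packet, 750 is
    # the lowered p2p MTU asked about, 1500 a full-size low-priority packet.
    print("ip_len cells  wire  ratio  ms@128k")
    for row in cell_table([38, 39, 60, 750, 1500]):
        print("%6d %5d %5d %6.3f %8.2f" % row)
```

On the 128 kbit/s upstream the 1500-byte packet costs 106 ms of link time once cell padding is counted, not the 93.75 ms that IP bytes alone suggest, and the 38-to-39-byte step shows why the overhead cannot be a single constant added per packet.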
From: lartc-bounces@mailman.ds9a.nl on behalf of ronnie sahlberg
Sent: Thu 11/24/2005 2:52 AM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] ip route mpath rr problem

Hi list,

I have tried google but just can't get this to work or figure it out.

My setup
========
vanilla 2.6.13 kernel with
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_MULTIPATH_CACHED=y
CONFIG_IP_ROUTE_MULTIPATH_RR=y
CONFIG_IP_ROUTE_MULTIPATH_RANDOM=y
CONFIG_IP_ROUTE_MULTIPATH_WRANDOM=y
CONFIG_IP_ROUTE_MULTIPATH_DRR=y

My configuration:
A host with two ppp links. On top of these two ppp dialup links I have created two CIPE tunnels, one on each link. Both A and B are under my control.

+----+      cipcb0/ppp0       +-----+
|    |------------------------|     |
| A  |                        |  B  |
|    |      cipcb1/ppp1       |     |
|    |------------------------|     |
+----+                        +-----+

From A's perspective
ppp0 : local ip:10.1.1.1 peer:10.1.1.254
ppp1 : local ip:10.1.1.2 peer:10.1.1.254
(my ISP gives me the same peer for concurrent dialups)

The two tunnels:
cipcb0: local:10.2.2.1 peer:10.2.2.2
cipcb1: local:10.2.2.5 peer:10.2.2.6

Both CIPE tunnels work fine. I can ping my other box B fine using either 10.2.2.2 or 10.2.2.6 and the traffic goes across the correct interface.

What I want
===========
I would like packet by packet load-balancing between A and B.
Traffic originating from A going to B will be load balanced packet by packet across cipcb0 and cipcb1.

What I have tried
=================
ip route add 10.3.3.3/32 equalize nexthop via 10.2.2.2 dev cipcb0 nexthop via 10.2.2.6 dev cipcb1

I also run a tcpdump on each of the two interfaces cipcb0 and cipcb1 to see where the traffic goes.

On A : ping 10.3.3.3 : this makes all outgoing traffic go through a single link.
I tried it while at the same time I ran
while true;do ip route flush cache; done
but that just made tcpdump show the echo reply packets coming back jump back and forth between cipcb0/cipcb1 with a granularity of changing every 2 seconds or so. weird.
All outgoing traffic from A still went through the same cipcb interface.

What I have searched for but failed to find
===========================================
I have found posts that refer to something like
ip route add ... mpath rr
but can not find which iproute2 package contains the mpath arguments.

Request for help:
=================
I currently use 2.6.13 with the config options I listed above.
How can I do packet by packet load balancing for packets from A to B?
I am willing to change to whatever 2.6 kernel is known to work.
Where can I find an iproute2 tool that supports the mpath argument? I suppose I need this?

Anyone willing to help me?

best regards
ronnie sahlberg, ethereal developer

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From kustosz at veb.pl Fri Nov 25 12:17:45 2005
From: kustosz at veb.pl (Michal Kustosik)
Date: Fri Nov 25 12:18:10 2005
Subject: [LARTC] tcpdump not working with imq0 devices
Message-ID: <20051125111745.GA21363@veb.pl>

On my debian woody (kernel 2.4.31) tcpdump doesn't work with imq0 devices. If I try to tcpdump imq devices there is no packet seen:
[...]
rt1:~# tcpdump -n -i imq0
Warning: arptype 65535 not supported by libpcap - falling back to cooked socket
tcpdump: WARNING: imq0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on imq0, link-type LINUX_SLL (Linux cooked), capture size 68 bytes
[...]
and there is no packet seen. I have sent the packets to imq0 by:
rt1:~# iptables -I PREROUTING -t mangle -j IMQ --todev 0
and there is no other entry in the mangle table. There is also no firewall entry and no entry in the nat table.

The ifconfig command shows that the packets go through imq0:
[...]
rt1:~# ifconfig imq0
imq0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00
          UP RUNNING NOARP  MTU:1500  Metric:1
          RX packets:3268292 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3248999 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:30
          RX bytes:1987844908 (1.8 GiB)  TX bytes:1981674079 (1.8 GiB)
[...]

Everything but iptables is installed from deb packages.
I tried to compile TCPDUMP 3.9.4 from http://www.tcpdump.org/ but it is the same reason.

I have another router with a similar configuration (vlan, imq, htb, the same kernel version 2.4.31, the same distribution debian woody) and there is no problem with debugging interfaces by the tcpdump command.

Has anybody solved the same problem?

Below some information about the strange router:
kernel - 2.4.31 with patch-o-matic-ng, imq-nat.diff, linux-2.4.28-imq2.diff,
iptables - v1.3.3 with iptables-1.3.0-imq1.diff
vlan - iANS-3.4.3a, e100-3.4.14
lsmod:
[...]
Module                  Size  Used by    Tainted: P
imq                     1752   1
ipt_IMQ                  800   0
ipt_REDIRECT             960   0  (autoclean)
cls_fw                  2368   0  (autoclean)
cls_u32                 4548   0  (autoclean)
sch_sfq                 3456   0  (autoclean)
sch_htb                19040   0  (autoclean)
ipt_ttl                  640   0  (autoclean)
ipt_state                608   0  (autoclean)
ipt_REJECT              3072   0  (autoclean)
ipt_connlimit           1504   0  (autoclean)
ipt_LOG                 3648   0  (autoclean)
ipt_limit                960   0  (autoclean)
iptable_filter          1728   0  (autoclean)
ipt_mac                  672  15  (autoclean)
ipt_helper               992  22  (autoclean)
ipt_multiport            640 132  (autoclean)
ipt_MARK                 800 255  (autoclean)
iptable_mangle          2208   1  (autoclean)
ians                  113220   3  (autoclean)
reiserfs              167392   1  (autoclean)
e100                   36292   4
ip_nat_ftp              2848   0  (unused)
iptable_nat            22420   2  [ipt_REDIRECT ip_nat_ftp]
ip_tables              13664  17  [ipt_IMQ ipt_REDIRECT ipt_ttl ipt_state ipt_REJECT ipt_connlimit ipt_LOG ipt_limit iptable_filter ipt_mac ipt_helper ipt_multiport ipt_MARK iptable_mangle iptable_nat]
ip_conntrack_ftp        3872   1
ip_conntrack           28544   1  [ipt_REDIRECT ipt_state ipt_connlimit ipt_helper ip_nat_ftp iptable_nat ip_conntrack_ftp]
rtc                     6012   0  (autoclean)
[...]

Regards,
--
Michal Kustosik

From unki at netshadow.at Fri Nov 25 12:26:20 2005
From: unki at netshadow.at (Andreas Unterkircher)
Date: Fri Nov 25 12:26:45 2005
Subject: [LARTC] tcpdump not working with imq0 devices
In-Reply-To: <20051125111745.GA21363@veb.pl>
Message-ID: <20051125.Xzl.55607800@egroupware.netshadow.at>

As far as I know it's simply not possible. Also you can't use iptables on an imq device.

Cheers,
Andreas

Michal Kustosik (kustosz@veb.pl) wrote:
> On my debian woody (kernel 2.4.31) the tcpdump
> doesn't work with imq0 devices. If I try to tcpdump
> imq devices there is no packet seen:
> [...]
> rt1:~# tcpdump -n -i imq0
> Warning: arptype 65535 not supported by libpcap - falling back to cooked socket
> tcpdump: WARNING: imq0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on imq0, link-type LINUX_SLL (Linux cooked), capture size 68 bytes
> [...]
> and there is no packet seen. I have sent the packet to imq0 by:
> rt1:~# iptables -I PREROUTING -t mangle -j IMQ --todev 0
> and there is no other entry in mangle table. There is also
> no firewall entry and no entry in nat table.
> [...]

From kustosz at veb.pl Fri Nov 25 12:45:51 2005
From: kustosz at veb.pl (Michal Kustosik)
Date: Fri Nov 25 12:46:20 2005
Subject: [LARTC] tcpdump not working with imq0 devices
In-Reply-To: <20051125.Xzl.55607800@egroupware.netshadow.at>
References: <20051125111745.GA21363@veb.pl> <20051125.Xzl.55607800@egroupware.netshadow.at>
Message-ID: <20051125114551.GA26931@veb.pl>

On Fri, Nov 25, 2005 at 12:26:20PM +0100, Andreas Unterkircher wrote:
> As far as I know it's simply not possible. Also you can't use iptables on a
> imq device.
>
I read on http://www.linuximq.net/usage.html that it is necessary to use iptables to specify which packets should go through the imq device:

[... http://www.linuximq.net/usage.html ...]
After attaching a qdisc to the device you have to specify which packets should go through the imq device. An iptables target (`IMQ') is provided for using all the packet-selecting power of iptables.
...
/usr/sbin/iptables -t mangle -A PREROUTING -i ppp0 -j IMQ --todev 0
...
[...]

I have done the same.

Regards,
--
Michal Kustosik

> Cheers,
> Andreas
>
> Michal Kustosik (kustosz@veb.pl) wrote:
> [...]

From unki at netshadow.at Fri Nov 25 12:54:03 2005
From: unki at netshadow.at (Andreas Unterkircher)
Date: Fri Nov 25 12:54:14 2005
Subject: [LARTC] tcpdump not working with imq0 devices
In-Reply-To: <20051125114551.GA26931@veb.pl>
Message-ID: <20051125.P3k.83103600@egroupware.netshadow.at>

yes, this is needed to get the traffic on the IMQ devices.
But after this you can't match anything on the IMQ devices.

Michal Kustosik (kustosz@veb.pl) wrote:
> On Fri, Nov 25, 2005 at 12:26:20PM +0100, Andreas Unterkircher wrote:
> > As far as I know it's simply not possible. Also you can't use iptables on a
> > imq device.
> >
> I read on http://www.linuximq.net/usage.html that it is necessary to
> use iptables to specify which packets should go through the imq device:
>
> [... http://www.linuximq.net/usage.html ...]
> After attaching a qdisc to the device you have to specify which packets
> should go through the imq device. An iptables target (`IMQ') is provided
> for using all the packet-selecting power of iptables.
> ...
> /usr/sbin/iptables -t mangle -A PREROUTING -i ppp0 -j IMQ --todev 0
> ...
> [...]
> I have done the same.
>
> Regards,
> --
> Michal Kustosik
> [...]

From kustosz at veb.pl Fri Nov 25 13:05:10 2005
From: kustosz at veb.pl (Michal Kustosik)
Date: Fri Nov 25 13:05:26 2005
Subject: [LARTC] tcpdump not working with imq0 devices
In-Reply-To: <20051125.P3k.83103600@egroupware.netshadow.at>
References: <20051125114551.GA26931@veb.pl> <20051125.P3k.83103600@egroupware.netshadow.at>
Message-ID: <20051125120510.GB26931@veb.pl>

On Fri, Nov 25, 2005 at 12:54:03PM +0100, Andreas Unterkircher wrote:
> yes, this is needed to get the traffic on the IMQ devices.
> But after this you can't match anything on the IMQ devices.
>
but "tcpdump -n -i imq0" should present any packets going through the imq0 interface, yes? In my case tcpdump shows nothing.

--
Michal Kustosik

> Michal Kustosik (kustosz@veb.pl) wrote:
> [...]

--
Michal Kustosik
Administrator Sieci Damis VeB
http://www.veb.damis.pl/

From benoit at season-of-mist.com Fri Nov 25 13:32:44 2005
From: benoit at season-of-mist.com (Benoit DELAGARDE)
Date: Fri Nov 25 13:33:02 2005
Subject: [LARTC] 2 WAN links and DNAT
Message-ID: <000001c5f1bc$578e0cc0$6401a8c0@Buggsbunny>

Hi

Here is a short description of my network:

   ppp0 (adsl)   ppp1 (adsl)
       |             |
       |             |
   ---------------------
   |      Router       |
   |     Firewall      |
   |    MASQUERADE     |
   |       DNAT        |
   |                   |
   |       eth0        |
   ---------------------
             |
             |
     ----------------------
     |                    |
   Local            Web and Mail
   Network            Server

I forward all incoming connections for http and SMTP to my server by using a DNAT translation.
But I encounter a problem: all answers are routed to my default gateway (ppp0).
If the connections come from ppp0 no problem, but if the connections come from ppp1, the client never gets an answer.
I have de-activated rp_filtering but it seems that one of my providers uses this feature, and of course, this should be the default gateway!
So I'm looking for a way to route the packets to the right interface. Google gave me some solutions but none are working.

Here are my iptables

# Generated by iptables-save v1.2.11 on Fri Nov 25 12:21:59 2005
*filter
:INPUT DROP [2:184]
:FORWARD DROP [0:0]
:OUTPUT DROP [3:188]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j LOG
-A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -d 255.255.255.255 -i br0 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -i br0 -j ACCEPT
-A INPUT -d 224.0.0.0/240.0.0.0 -i br0 -p ! tcp -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -i ppp1 -j LOG
-A INPUT -s 192.168.1.0/255.255.255.0 -i ppp1 -j DROP
-A INPUT -s 192.168.1.0/255.255.255.0 -i ppp0 -j LOG
-A INPUT -s 192.168.1.0/255.255.255.0 -i ppp0 -j DROP
-A INPUT -d 255.255.255.255 -i ppp1 -j ACCEPT
-A INPUT -d 255.255.255.255 -i ppp0 -j ACCEPT
-A INPUT -d 213.41.177.180 -i ppp1 -j ACCEPT
-A INPUT -d 193.253.54.64 -i ppp0 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -d 192.168.1.100 -i ppp1 -p tcp -m tcp --dport 4662 -j ACCEPT
-A FORWARD -d 192.168.1.100 -i ppp0 -p tcp -m tcp --dport 4662 -j ACCEPT
-A FORWARD -d 192.168.1.100 -i ppp1 -p udp -m udp --dport 4672 -j ACCEPT
-A FORWARD -d 192.168.1.100 -i ppp0 -p udp -m udp --dport 4672 -j ACCEPT
-A FORWARD -d 192.168.1.100 -i ppp1 -p tcp -m tcp --dport 5500 -j ACCEPT
-A FORWARD -d 192.168.1.100 -i ppp0 -p tcp -m tcp --dport 5500 -j ACCEPT
-A FORWARD -d 192.168.1.5 -i ppp1 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.1.5 -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.1.4 -i ppp1 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.1.4 -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.1.4 -i ppp1 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.1.4 -i ppp0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.1.4 -i ppp1 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -d 192.168.1.4 -i ppp0 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -i br0 -o ppp1 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -i br0 -o ppp0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.0/255.255.255.0 -o ppp1 -j LOG
-A FORWARD -d 192.168.1.0/255.255.255.0 -o ppp1 -j DROP
-A FORWARD -d 192.168.1.0/255.255.255.0 -o ppp0 -j LOG
-A FORWARD -d 192.168.1.0/255.255.255.0 -o ppp0 -j DROP
-A FORWARD -j LOG
-A FORWARD -j DROP
-A OUTPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 255.255.255.255 -o br0 -j ACCEPT
-A OUTPUT -d 192.168.1.0/255.255.255.0 -o br0 -j ACCEPT
-A OUTPUT -d 224.0.0.0/240.0.0.0 -o br0 -p ! tcp -j ACCEPT
-A OUTPUT -d 192.168.1.0/255.255.255.0 -o ppp1 -j LOG
-A OUTPUT -d 192.168.1.0/255.255.255.0 -o ppp1 -j DROP
-A OUTPUT -d 192.168.1.0/255.255.255.0 -o ppp0 -j LOG
-A OUTPUT -d 192.168.1.0/255.255.255.0 -o ppp0 -j DROP
-A OUTPUT -d 255.255.255.255 -o ppp1 -j ACCEPT
-A OUTPUT -d 255.255.255.255 -o ppp0 -j ACCEPT
-A OUTPUT -s ipofppp1 -o ppp1 -j ACCEPT
-A OUTPUT -s ipofppp0 -o ppp0 -j ACCEPT
-A OUTPUT -j LOG
-A OUTPUT -j DROP
COMMIT
# Completed on Fri Nov 25 12:21:59 2005
# Generated by iptables-save v1.2.11 on Fri Nov 25 12:21:59 2005
*mangle
:PREROUTING ACCEPT [13497:7096745]
:INPUT ACCEPT [119515:10818662]
:FORWARD ACCEPT [2263653:1380696494]
:OUTPUT ACCEPT [3681:323141]
:POSTROUTING ACCEPT [2445397:1397479483]
-A PREROUTING -i ppp0 -m state --state NEW -j MARK --set-mark 0x1
-A PREROUTING -i ppp1 -m state --state NEW -j MARK --set-mark 0x2
-A PREROUTING -j CONNMARK --save-mark
-A POSTROUTING -j CONNMARK --restore-mark
COMMIT
# Completed on Fri Nov 25 12:21:59 2005
# Generated by iptables-save v1.2.11 on Fri Nov 25 12:21:59 2005
*nat
:PREROUTING ACCEPT [169:12721]
:POSTROUTING ACCEPT [339:27714]
:OUTPUT ACCEPT [279:22659]
-A PREROUTING -i ppp1 -p tcp -m tcp --dport 4662 -j DNAT --to-destination 192.168.1.100:4662
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 4662 -j DNAT --to-destination 192.168.1.100:4662
-A PREROUTING -i ppp1 -p udp -m udp --dport 4672 -j DNAT --to-destination 192.168.1.100:4672
-A PREROUTING -i ppp0 -p udp -m udp --dport 4672 -j DNAT --to-destination 192.168.1.100:4672
-A PREROUTING -i ppp1 -p tcp -m tcp --dport 5500 -j DNAT --to-destination 192.168.1.100:5500
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 5500 -j DNAT --to-destination 192.168.1.100:5500
-A PREROUTING -i ppp1 -p tcp -m tcp --dport 666 -j DNAT --to-destination 192.168.1.5:22
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 666 -j DNAT --to-destination 192.168.1.5:22
-A PREROUTING -i ppp1 -p tcp -m tcp --dport 667 -j DNAT --to-destination 192.168.1.4:22
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 667 -j DNAT --to-destination 192.168.1.4:22
-A PREROUTING -i ppp1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80
-A PREROUTING -i ppp1 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.4:25
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.4:25
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp1 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j MASQUERADE
COMMIT
# Completed on Fri Nov 25 12:21:59 2005

And for my route tables:

~> ip rule
0:      from all lookup local
32764:  from all fwmark 0x2 lookup nerim
32765:  from all fwmark 0x1 lookup wanadoo
32766:  from all lookup main
32767:  from all lookup default

~> ip route list
80.10.246.1 dev ppp0  scope link
80.10.246.132 dev ppp0  scope link
62.4.16.245 dev ppp1  proto kernel  scope link  src 213.41.177.180
64.4.17.69 dev ppp1  scope link
64.4.16.70 dev ppp1  scope link
193.253.160.3 dev ppp0  proto kernel  scope link  src 193.253.54.64
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
default dev ppp1  scope link

~> ip route list table nerim
192.168.1.0 dev br0  scope link
default dev ppp1  scope link

~> ip route list table wanadoo
192.168.1.0 dev br0  scope link
default dev ppp0  scope link

I believe this should work but no.
tcpdump give me somthong like this : 12:35:04.073949 IP 82.227.29.100.32983 > 213.41.177.180.80: tcp 0 12:35:04.074092 IP 82.227.29.100.32983 > 192.168.1.4.80: tcp 0 12:35:07.072874 IP 82.227.29.100.32983 > 213.41.177.180.80: tcp 0 12:35:07.072997 IP 82.227.29.100.32983 > 192.168.1.4.80: tcp 0 Witch mean that my packets are sent to the right server, but I never get an answer. All work when I delete the rule below 32764: from all fwmark 0x2 lookup nerim 32765: from all fwmark 0x1 lookup wanadoo My questions are: - Did I make a mistake somewhere, or did I misunderstand something(CERTAINLY)? Where? - What can I do to solve this problem? From unki at netshadow.at Fri Nov 25 13:42:30 2005 
From: unki at netshadow.at (Andreas Unterkircher)
Date: Fri Nov 25 13:42:42 2005
Subject: [LARTC] tcpdump not working with imq0 devices
In-Reply-To: <20051125120510.GB26931@veb.pl>
Message-ID: <20051125.CVW.10119500@egroupware.netshadow.at>

No - if the interface doesn't support the necessary socket options (I guess
something like SO_ATTACH_FILTER) it won't work.

Michal Kustosik (kustosz@veb.pl) schrieb:
>
> On Fri, Nov 25, 2005 at 12:54:03PM +0100, Andreas Unterkircher wrote:
> > yes, this is needed to get the traffic on the IMQ devices.
> > But after this you can't match anything on the IMQ devices.
> >
> but "tcpdump -n -i imq0" should present any packets going
> through the imq0 interface, yes? In my case the tcpdump
> shows nothing.
>
> --
> Michal Kustosik
>
>
> > Michal Kustosik (kustosz@veb.pl) schrieb:
> > >
> > > On Fri, Nov 25, 2005 at 12:26:20PM +0100, Andreas Unterkircher wrote:
> > > > As far as I know it's simply not possible. Also you can't use iptables on an
> > > > imq device.
> > > >
> > > I read on http://www.linuximq.net/usage.html that it is necessary to
> > > use iptables to specify which packets should go through the imq device:
> > >
> > > [... http://www.linuximq.net/usage.html ...]
> > > After attaching a qdisc to the device you have to specify which packets
> > > should go through the imq device. An iptables target (`IMQ') is provided
> > > for using all the packet-selecting power of iptables.
> > > ...
> > > /usr/sbin/iptables -t mangle -A PREROUTING -i ppp0 -j IMQ --todev 0
> > > ...
> > > [...]
> > > I have done the same.
> > >
> > > Regards,
> > > --
> > > Michal Kustosik
> > >
> > >
> > > > Cheers,
> > > > Andreas
> > > >
> > > > Michal Kustosik (kustosz@veb.pl) schrieb:
> > > > >
> > > > >
> > > > > On my debian woody (kernel 2.4.31) the tcpdump
> > > > > doesn't work with imq0 devices. If I try to tcpdump
> > > > > imq devices there is no packet seen:
> > > > > [...]
> > > > > rt1:~# tcpdump -n -i imq0
> > > > > Warning: arptype 65535 not supported by libpcap - falling back to cooked socket
> > > > > tcpdump: WARNING: imq0: no IPv4 address assigned
> > > > > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > > > > listening on imq0, link-type LINUX_SLL (Linux cooked), capture size 68 bytes
> > > > >
> > > > > [...]
> > > > > and there is no packet seen. I have sent the packet to imq0 by:
> > > > > rt1:~# iptables -I PREROUTING -t mangle -j IMQ --todev 0
> > > > > and there is no other entry in the mangle table. There is also
> > > > > no firewall entry and no entry in the nat table.
> > > > >
> > > > > The ifconfig command shows that the packet goes by imq0:
> > > > > [...]
> > > > > rt1:~# ifconfig imq0
> > > > > imq0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00
> > > > >           UP RUNNING NOARP  MTU:1500  Metric:1
> > > > >           RX packets:3268292 errors:0 dropped:0 overruns:0 frame:0
> > > > >           TX packets:3248999 errors:0 dropped:0 overruns:0 carrier:0
> > > > >           collisions:0 txqueuelen:30
> > > > >           RX bytes:1987844908 (1.8 GiB)  TX bytes:1981674079 (1.8 GiB)
> > > > > [...]
> > > > >
> > > > > Everything but iptables is installed from deb packages.
> > > > > I tried to compile TCPDUMP 3.9.4 from http://www.tcpdump.org/
> > > > > but it is the same reason.
> > > > >
> > > > > I have another router, with similar configuration (vlan, imq, htb, the
> > > > > same kernel version 2.4.31, the same distribution debian woody)
> > > > > and there is no problem with debugging interfaces by tcpdump command.
> > > > >
> > > > > Has anybody solved the same problem?
> > > > >
> > > > >
> > > > > Below some information about the strange router:
> > > > > kernel - 2.4.31 with patch-o-matic-ng, imq-nat.diff,
> > > > > linux-2.4.28-imq2.diff,
> > > > > iptables - v1.3.3 with iptables-1.3.0-imq1.diff
> > > > > vlan - iANS-3.4.3a, e100-3.4.14
> > > > > lsmod:
> > > > > [...]
> > > > > Module                  Size  Used by    Tainted: P
> > > > > imq                     1752   1
> > > > > ipt_IMQ                  800   0
> > > > > ipt_REDIRECT             960   0  (autoclean)
> > > > > cls_fw                  2368   0  (autoclean)
> > > > > cls_u32                 4548   0  (autoclean)
> > > > > sch_sfq                 3456   0  (autoclean)
> > > > > sch_htb                19040   0  (autoclean)
> > > > > ipt_ttl                  640   0  (autoclean)
> > > > > ipt_state                608   0  (autoclean)
> > > > > ipt_REJECT              3072   0  (autoclean)
> > > > > ipt_connlimit           1504   0  (autoclean)
> > > > > ipt_LOG                 3648   0  (autoclean)
> > > > > ipt_limit                960   0  (autoclean)
> > > > > iptable_filter          1728   0  (autoclean)
> > > > > ipt_mac                  672  15  (autoclean)
> > > > > ipt_helper               992  22  (autoclean)
> > > > > ipt_multiport            640 132  (autoclean)
> > > > > ipt_MARK                 800 255  (autoclean)
> > > > > iptable_mangle          2208   1  (autoclean)
> > > > > ians                  113220   3  (autoclean)
> > > > > reiserfs              167392   1  (autoclean)
> > > > > e100                   36292   4
> > > > > ip_nat_ftp              2848   0  (unused)
> > > > > iptable_nat            22420   2  [ipt_REDIRECT ip_nat_ftp]
> > > > > ip_tables              13664  17  [ipt_IMQ ipt_REDIRECT ipt_ttl ipt_state ipt_REJECT ipt_connlimit ipt_LOG ipt_limit iptable_filter ipt_mac ipt_helper ipt_multiport ipt_MARK iptable_mangle iptable_nat]
> > > > > ip_conntrack_ftp        3872   1
> > > > > ip_conntrack           28544   1  [ipt_REDIRECT ipt_state ipt_connlimit ipt_helper ip_nat_ftp iptable_nat ip_conntrack_ftp]
> > > > > rtc                     6012   0  (autoclean)
> > > > > [...]
> > > > >
> > > > >
> > > > >
> > > > > Regards,
> > > > > --
> > > > > Michal Kustosik
> > > > >
> > > > > _______________________________________________
> > > > > LARTC mailing list
> > > > > LARTC@mailman.ds9a.nl
> > > > > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
> --
> Michal Kustosik
> Administrator Sieci Damis VeB
> http://www.veb.damis.pl/
>

From kustosz at veb.pl Fri Nov 25 14:15:29 2005
From: kustosz at veb.pl (Michal Kustosik)
Date: Fri Nov 25 14:15:48 2005
Subject: [LARTC] tcpdump not working with imq0 devices
In-Reply-To: <20051125.CVW.10119500@egroupware.netshadow.at>
References: <20051125120510.GB26931@veb.pl> <20051125.CVW.10119500@egroupware.netshadow.at>
Message-ID: <20051125131529.GC26931@veb.pl>

On Fri, Nov 25, 2005 at 01:42:30PM +0100, Andreas Unterkircher wrote:
> No - if the interface doesn't support the necessary socket options (I guess
> something like SO_ATTACH_FILTER) it won't work.
>
thank you for explaining...
Compiling the kernel with "Socket Filtering" in "Networking options"
should be enough to see packets by tcpdump on the imq interface?

--
Michal

> [...]

From unki at netshadow.at Fri Nov 25 14:32:19 2005
From: unki at netshadow.at (Andreas Unterkircher)
Date: Fri Nov 25 14:32:30 2005
Subject: [LARTC] tcpdump not working with imq0 devices
In-Reply-To: <20051125131529.GC26931@veb.pl>
Message-ID: <20051125.g11.96975100@egroupware.netshadow.at>

I would say this is something within IMQ itself.

Michal Kustosik (kustosz@veb.pl) schrieb:
>
> On Fri, Nov 25, 2005 at 01:42:30PM +0100, Andreas Unterkircher wrote:
> > No - if the interface doesn't support the necessary socket options (I guess
> > something like SO_ATTACH_FILTER) it won't work.
> >
> thank you for explaining...
> Compiling the kernel with "Socket Filtering" in "Networking options"
> should be enough to see packets by tcpdump on the imq interface?
>
> --
> Michal
>
> [...]
>

From davidb at kth.se Fri Nov 25 16:42:52 2005
From: davidb at kth.se (David Blomberg)
Date: Fri Nov 25 16:43:09 2005
Subject: [LARTC] Difference between snmp traffic rate, and rate from tc
Message-ID: <45350.192.16.127.251.1132933372.squirrel@webmail.sys.kth.se>

Hello,

I use rrdtool to graph the traffic in the different classes on an interface, eth1.
Basically, I use the output from

tc -s qdisc ls dev eth1

My tc script (which is only for testing the graphing) looks like this:

/sbin/tc qdisc add dev eth1 root handle 1: htb default 20 r2q 1
/sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 200kbit burst 15k
/sbin/tc class add dev eth1 parent 1:1 classid 1:10 htb rate 100kbit ceil 200kbit burst 15k
/sbin/tc class add dev eth1 parent 1:1 classid 1:20 htb rate 50kbit ceil 200kbit burst 15k
/sbin/tc class add dev eth1 parent 1:1 classid 1:30 htb rate 50kbit ceil 200kbit burst 15k
/sbin/tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
/sbin/tc qdisc add dev eth1 parent 1:20 handle 20: sfq perturb 10
/sbin/tc qdisc add dev eth1 parent 1:30 handle 30: sfq perturb 10
/sbin/iptables -F
/sbin/iptables -A OUTPUT -t mangle -o eth1 -j MARK --set-mark 1
/sbin/tc filter add dev eth1 protocol ip parent 1:0 prio 1 handle 1 fw flowid 1:10
# Filter arp packets to class 1:30.
/sbin/tc filter add dev eth1 protocol arp u32 match u32 0 0 flowid 1:30

With the help of snmp, I also graph the rate of packets going out on the interface.
My problem is that the rate I get from snmp is not the same as the rate I get from the root class of my queue.
In both cases, the rate is calculated by rrdtool; I submit the number of bytes that have been transmitted.

Shouldn't the rate of packets leaving the root class be the same as the rate given by snmp?

Thank you for the help,
regards,
David Blomberg

From lartc at dervishd.net Fri Nov 25 17:44:19 2005
From: lartc at dervishd.net (DervishD)
Date: Fri Nov 25 17:44:34 2005
Subject: [LARTC] [RESEND] tc filter: match tcp src vs. match ip sport
Message-ID: <20051125164419.GB199@DervishD>

Hi all :))

Sorry for asking again, but I got no answers and google doesn't give useful information (seems like "nexthdr" doesn't work right, but I don't know why...). I really want to know what I am doing wrong...

This filter matches what I want:

tc filter add dev eth0 protocol ip parent 1:0 prio 9 u32 \
    match ip sport 0x3000 0xf000 flowid 1:22

and traffic goes to 1:22, but this one doesn't match:

tc filter add dev eth0 protocol ip parent 1:0 prio 9 u32 \
    match tcp src 0x3000 0xf000 flowid 1:22

I don't understand why the first one matches and the second one doesn't :? because in the output of "tc filter show" the only difference is that the first one matches "at 20" and the second one "at nexthdr+0", which should be identical :?????

Looks like "nexthdr" is not working, and I prefer to use it just in case I have to filter IP packets with options (because then the first filter won't work).

What the heck am I doing wrong? Is iptables my only option? What's the matter with "nexthdr"?

Thanks a lot in advance :)

Raúl Núñez de Arenas Coronado
--
Linux Registered User 88736 | http://www.dervishd.net
http://www.pleyades.net & http://www.gotesdelluna.net
It's my PC and I'll cry if I want to...

From benoit at season-of-mist.com Fri Nov 25 17:48:58 2005
From: benoit at season-of-mist.com (Benoit DELAGARDE) Date: Fri Nov 25 17:49:11 2005 Subject: [LARTC] 2 WAN links and DNAT In-Reply-To: <000001c5f1bc$578e0cc0$6401a8c0@Buggsbunny> Message-ID: <004e01c5f1e0$22428400$6401a8c0@Buggsbunny> Ho I forget important information: I use a Debian stable with iptables v1.2.11 (from deb package) and a kernel 2.6.14.2 (recompiled) I just try another approach, without success. I try to use the conntrack but it seems not working too. -A PREROUTING -m conntrack --ctorigdst 193.253.54.64 -j MARK --set-mark 0x1 -A PREROUTING -m conntrack --ctorigdst 213.41.177.180 -j MARK --set-mark 0x2 Idem with CONNMARK (corrected in the right order) -A PREROUTING -j CONNMARK --restore-mark -A PREROUTING -m mark ! --mark 0x0 -j ACCEPT -A PREROUTING -i ppp0 -j CONNMARK --set-mark 0x1 -A PREROUTING -i ppp1 -j CONNMARK --set-mark 0x2 -A PREROUTING -j CONNMARK --save-mark These 2 samples don't match my outgoing DNATed packets. I have made test with tcpdmp on my 2 ppp interfaces. Each time, the outgoing packets get through the default gateway, like the packets are not marked. > -----Message d'origine----- > De?: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] > De la part de Benoit DELAGARDE > Envoy??: vendredi 25 novembre 2005 13:33 > ??: lartc@mailman.ds9a.nl > Objet?: [LARTC] 2 WAN links and DNAT > > Hi > > Here is a short description of my network: > > ppp0 (adsl) ppp1 (adsl) > | | > | | > --------------------- > | Router | > | Firewall | > | MASQUERAD | > | DNAT | > | | > | eth0 | > --------------------- > | > | > | > ---------------------- > | | > Local Web and Mail > Network Server > > > I forward all incoming connection for http and SMTP to my server by using > a > DNAT translation. > But I encounter a problem: All answer are routed to my default gateway > (ppp0) > If the connections come from ppp0 no problem, but if the connections come > from ppp1, the client never get answer. 
> I have de-activated rp_filtering, but it seems that one of my providers uses this feature, and of course, this should be the default gateway!
>
> So I'm looking for a way to route the packets to the right interface. Google gave me some solutions but none of them are working.
>
> Here are my iptables rules:
>
> # Generated by iptables-save v1.2.11 on Fri Nov 25 12:21:59 2005
> *filter
> :INPUT DROP [2:184]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [3:188]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j LOG
> -A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP
> -A INPUT -d 255.255.255.255 -i br0 -j ACCEPT
> -A INPUT -s 192.168.1.0/255.255.255.0 -i br0 -j ACCEPT
> -A INPUT -d 224.0.0.0/240.0.0.0 -i br0 -p ! tcp -j ACCEPT
> -A INPUT -s 192.168.1.0/255.255.255.0 -i ppp1 -j LOG
> -A INPUT -s 192.168.1.0/255.255.255.0 -i ppp1 -j DROP
> -A INPUT -s 192.168.1.0/255.255.255.0 -i ppp0 -j LOG
> -A INPUT -s 192.168.1.0/255.255.255.0 -i ppp0 -j DROP
> -A INPUT -d 255.255.255.255 -i ppp1 -j ACCEPT
> -A INPUT -d 255.255.255.255 -i ppp0 -j ACCEPT
> -A INPUT -d 213.41.177.180 -i ppp1 -j ACCEPT
> -A INPUT -d 193.253.54.64 -i ppp0 -j ACCEPT
> -A INPUT -j LOG
> -A INPUT -j DROP
> -A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
> -A FORWARD -d 192.168.1.100 -i ppp1 -p tcp -m tcp --dport 4662 -j ACCEPT
> -A FORWARD -d 192.168.1.100 -i ppp0 -p tcp -m tcp --dport 4662 -j ACCEPT
> -A FORWARD -d 192.168.1.100 -i ppp1 -p udp -m udp --dport 4672 -j ACCEPT
> -A FORWARD -d 192.168.1.100 -i ppp0 -p udp -m udp --dport 4672 -j ACCEPT
> -A FORWARD -d 192.168.1.100 -i ppp1 -p tcp -m tcp --dport 5500 -j ACCEPT
> -A FORWARD -d 192.168.1.100 -i ppp0 -p tcp -m tcp --dport 5500 -j ACCEPT
> -A FORWARD -d 192.168.1.5 -i ppp1 -p tcp -m tcp --dport 22 -j ACCEPT
> -A FORWARD -d 192.168.1.5 -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
> -A FORWARD -d 192.168.1.4 -i ppp1 -p tcp -m tcp --dport 22 -j ACCEPT
> -A FORWARD -d 192.168.1.4 -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
> -A FORWARD -d 192.168.1.4 -i ppp1 -p tcp -m tcp --dport 80 -j ACCEPT
> -A FORWARD -d 192.168.1.4 -i ppp0 -p tcp -m tcp --dport 80 -j ACCEPT
> -A FORWARD -d 192.168.1.4 -i ppp1 -p tcp -m tcp --dport 25 -j ACCEPT
> -A FORWARD -d 192.168.1.4 -i ppp0 -p tcp -m tcp --dport 25 -j ACCEPT
> -A FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j ACCEPT
> -A FORWARD -s 192.168.1.0/255.255.255.0 -i br0 -o ppp1 -j ACCEPT
> -A FORWARD -s 192.168.1.0/255.255.255.0 -i br0 -o ppp0 -j ACCEPT
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -d 192.168.1.0/255.255.255.0 -o ppp1 -j LOG
> -A FORWARD -d 192.168.1.0/255.255.255.0 -o ppp1 -j DROP
> -A FORWARD -d 192.168.1.0/255.255.255.0 -o ppp0 -j LOG
> -A FORWARD -d 192.168.1.0/255.255.255.0 -o ppp0 -j DROP
> -A FORWARD -j LOG
> -A FORWARD -j DROP
> -A OUTPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -d 255.255.255.255 -o br0 -j ACCEPT
> -A OUTPUT -d 192.168.1.0/255.255.255.0 -o br0 -j ACCEPT
> -A OUTPUT -d 224.0.0.0/240.0.0.0 -o br0 -p ! tcp -j ACCEPT
> -A OUTPUT -d 192.168.1.0/255.255.255.0 -o ppp1 -j LOG
> -A OUTPUT -d 192.168.1.0/255.255.255.0 -o ppp1 -j DROP
> -A OUTPUT -d 192.168.1.0/255.255.255.0 -o ppp0 -j LOG
> -A OUTPUT -d 192.168.1.0/255.255.255.0 -o ppp0 -j DROP
> -A OUTPUT -d 255.255.255.255 -o ppp1 -j ACCEPT
> -A OUTPUT -d 255.255.255.255 -o ppp0 -j ACCEPT
> -A OUTPUT -s ipofppp1 -o ppp1 -j ACCEPT
> -A OUTPUT -s ipofppp0 -o ppp0 -j ACCEPT
> -A OUTPUT -j LOG
> -A OUTPUT -j DROP
> COMMIT
> # Completed on Fri Nov 25 12:21:59 2005
> # Generated by iptables-save v1.2.11 on Fri Nov 25 12:21:59 2005
> *mangle
> :PREROUTING ACCEPT [13497:7096745]
> :INPUT ACCEPT [119515:10818662]
> :FORWARD ACCEPT [2263653:1380696494]
> :OUTPUT ACCEPT [3681:323141]
> :POSTROUTING ACCEPT [2445397:1397479483]
> -A PREROUTING -i ppp0 -m state --state NEW -j MARK --set-mark 0x1
> -A PREROUTING -i ppp1 -m state --state NEW -j MARK --set-mark 0x2
> -A PREROUTING -j CONNMARK --save-mark
> -A POSTROUTING -j CONNMARK --restore-mark
> COMMIT
> # Completed on Fri Nov 25 12:21:59 2005
> # Generated by iptables-save v1.2.11 on Fri Nov 25 12:21:59 2005
> *nat
> :PREROUTING ACCEPT [169:12721]
> :POSTROUTING ACCEPT [339:27714]
> :OUTPUT ACCEPT [279:22659]
> -A PREROUTING -i ppp1 -p tcp -m tcp --dport 4662 -j DNAT --to-destination 192.168.1.100:4662
> -A PREROUTING -i ppp0 -p tcp -m tcp --dport 4662 -j DNAT --to-destination 192.168.1.100:4662
> -A PREROUTING -i ppp1 -p udp -m udp --dport 4672 -j DNAT --to-destination 192.168.1.100:4672
> -A PREROUTING -i ppp0 -p udp -m udp --dport 4672 -j DNAT --to-destination 192.168.1.100:4672
> -A PREROUTING -i ppp1 -p tcp -m tcp --dport 5500 -j DNAT --to-destination 192.168.1.100:5500
> -A PREROUTING -i ppp0 -p tcp -m tcp --dport 5500 -j DNAT --to-destination 192.168.1.100:5500
> -A PREROUTING -i ppp1 -p tcp -m tcp --dport 666 -j DNAT --to-destination 192.168.1.5:22
> -A PREROUTING -i ppp0 -p tcp -m tcp --dport 666 -j DNAT --to-destination 192.168.1.5:22
> -A PREROUTING -i ppp1 -p tcp -m tcp --dport 667 -j DNAT --to-destination 192.168.1.4:22
> -A PREROUTING -i ppp0 -p tcp -m tcp --dport 667 -j DNAT --to-destination 192.168.1.4:22
> -A PREROUTING -i ppp1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80
> -A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80
> -A PREROUTING -i ppp1 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.4:25
> -A PREROUTING -i ppp0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.4:25
> -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp1 -j MASQUERADE
> -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j MASQUERADE
> COMMIT
> # Completed on Fri Nov 25 12:21:59 2005
>
>
> And for my route table:
>
> ~> ip rule
> 0:      from all lookup local
> 32764:  from all fwmark 0x2 lookup nerim
> 32765:  from all fwmark 0x1 lookup wanadoo
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> ~> ip route list
> 80.10.246.1 dev ppp0 scope link
> 80.10.246.132 dev ppp0 scope link
> 62.4.16.245 dev ppp1 proto kernel scope link src 213.41.177.180
> 64.4.17.69 dev ppp1 scope link
> 64.4.16.70 dev ppp1 scope link
> 193.253.160.3 dev ppp0 proto kernel scope link src 193.253.54.64
> 192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
> default dev ppp1 scope link
>
> ~> ip route list table nerim
> 192.168.1.0 dev br0 scope link
> default dev ppp1 scope link
>
> ~> ip route list table wanadoo
> 192.168.1.0 dev br0 scope link
> default dev ppp0 scope link
>
>
> I believe this should work, but it does not.
> tcpdump gives me something like this:
>
> 12:35:04.073949 IP 82.227.29.100.32983 > 213.41.177.180.80: tcp 0
> 12:35:04.074092 IP 82.227.29.100.32983 > 192.168.1.4.80: tcp 0
> 12:35:07.072874 IP 82.227.29.100.32983 > 213.41.177.180.80: tcp 0
> 12:35:07.072997 IP 82.227.29.100.32983 > 192.168.1.4.80: tcp 0
>
> Which means that my packets are sent to the right server, but I never get an answer.
> All works when I delete the rules below:
> 32764:  from all fwmark 0x2 lookup nerim
> 32765:  from all fwmark 0x1 lookup wanadoo
>
>
> My questions are:
> - Did I make a mistake somewhere, or did I misunderstand something (CERTAINLY)? Where?
> - What can I do to solve this problem?
>
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From borghart at gmx.de Fri Nov 25 20:05:35 2005
From: borghart at gmx.de (Borghart Steffen)
Date: Fri Nov 25 20:05:50 2005
Subject: [LARTC] ingress police kernel options?
Message-ID: <20051125190535.GA3348@gmx.de>

Hello list!

I am stuck in getting the wondershaper script working. The last line of the script

tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 1800kbit burst 10k drop flowid :1

produces the following error:

RTNETLINK answers: Invalid argument

Could somebody please give me a hint on how to fix this?

Regards,
borghart

From Andreas.Klauer at metamorpher.de Fri Nov 25 20:13:01 2005
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Fri Nov 25 20:12:57 2005
Subject: [LARTC] ingress police kernel options?
In-Reply-To: <20051125190535.GA3348@gmx.de>
References: <20051125190535.GA3348@gmx.de>
Message-ID: <200511252013.01904.Andreas.Klauer@metamorpher.de>

On Friday 25 November 2005 20:05, Borghart Steffen wrote:
> RTNETLINK answers: Invalid argument
> Could somebody please give me a hint on how to fix this?

Missing (u32) filter support in the kernel?

HTH
Andreas Klauer
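The mark-based policy routing in the "2 WAN links and DNAT" thread above depends on where in the netfilter path the connection mark is restored. The model below is an added example, not code from the thread or from its poster. It pushes one DNATed HTTP connection and the server's reply through a simplified conntrack and the hook order a forwarded packet actually sees (conntrack, mangle PREROUTING, nat PREROUTING, routing decision, FORWARD, mangle POSTROUTING), and reports which routing table the reply would be routed with under three mangle tables: the first one posted (MARK new packets by ingress interface and save in PREROUTING, restore in POSTROUTING), the CONNMARK --set-mark variant from the follow-up, and a corrected ordering (restore first in PREROUTING, MARK new packets from an uplink, then save). Addresses, interface names, marks and table names are the ones quoted in the thread; the client port comes from the tcpdump output, and the conntrack class is a constructed simplification.

```python
"""Model of the netfilter hook order seen by a forwarded, DNATed packet.

Constructed example for the "2 WAN links and DNAT" thread; not code from the list.
Hook order for a forwarded packet: conntrack -> mangle PREROUTING -> nat PREROUTING (DNAT)
-> routing decision (ip rule / fwmark) -> FORWARD -> mangle POSTROUTING -> nat POSTROUTING.
"""
from dataclasses import dataclass

IFACE_MARK = {"ppp0": 0x1, "ppp1": 0x2}          # marks set by ingress interface (thread)
MARK_TABLE = {0x1: "wanadoo", 0x2: "nerim"}      # ip rule: fwmark -> routing table (thread)
DNAT = {                                         # nat PREROUTING port-80 rules from the thread
    ("213.41.177.180", 80): ("192.168.1.4", 80),
    ("193.253.54.64", 80): ("192.168.1.4", 80),
}


@dataclass
class Packet:
    in_iface: str
    src: tuple              # (ip, port)
    dst: tuple
    mark: int = 0           # nfmark: what "ip rule ... fwmark" consults


class Conntrack:
    """Simplified conntrack: one entry per connection holding the connmark. The DNAT
    mapping is recorded so that the reply direction resolves to the same entry."""

    def __init__(self):
        self.ctmark = {}    # connection key -> connmark
        self.alias = {}     # post-DNAT endpoint pair -> connection key

    @staticmethod
    def endpoints(pkt):
        return frozenset((pkt.src, pkt.dst))

    def key(self, pkt):
        k = self.endpoints(pkt)
        return self.alias.get(k, k)

    def state(self, pkt):
        """NEW for an unseen connection (its entry is created), else ESTABLISHED."""
        k = self.key(pkt)
        if k in self.ctmark:
            return "ESTABLISHED"
        self.ctmark[k] = 0
        return "NEW"

    def record_dnat(self, before, after):
        self.alias[self.endpoints(after)] = self.endpoints(before)

    # The three CONNMARK operations used in the thread.
    def set_mark(self, pkt, value):      # --set-mark: connmark := value (nfmark untouched)
        self.ctmark[self.key(pkt)] = value

    def save_mark(self, pkt):            # --save-mark: connmark := nfmark
        self.ctmark[self.key(pkt)] = pkt.mark

    def restore_mark(self, pkt):         # --restore-mark: nfmark := connmark
        pkt.mark = self.ctmark[self.key(pkt)]


def mangle_original(hook, pkt, state, ct):
    """First posted table: MARK NEW packets by interface, save in PREROUTING, restore in POSTROUTING."""
    if hook == "PREROUTING":
        if state == "NEW" and pkt.in_iface in IFACE_MARK:
            pkt.mark = IFACE_MARK[pkt.in_iface]
        ct.save_mark(pkt)
    elif hook == "POSTROUTING":
        ct.restore_mark(pkt)


def mangle_connmark_setmark(hook, pkt, state, ct):
    """Follow-up variant: restore, accept if marked, CONNMARK --set-mark by interface, save."""
    if hook == "PREROUTING":
        ct.restore_mark(pkt)
        if pkt.mark != 0:
            return
        if pkt.in_iface in IFACE_MARK:
            ct.set_mark(pkt, IFACE_MARK[pkt.in_iface])
        ct.save_mark(pkt)


def mangle_fixed(hook, pkt, state, ct):
    """Restore first; only unmarked NEW packets from an uplink get MARK'd and saved."""
    if hook == "PREROUTING":
        ct.restore_mark(pkt)
        if pkt.mark != 0:
            return
        if state == "NEW" and pkt.in_iface in IFACE_MARK:
            pkt.mark = IFACE_MARK[pkt.in_iface]
            ct.save_mark(pkt)


def forward(pkt, ct, policy):
    """Push one packet through the hooks; return the routing table it is routed with."""
    state = ct.state(pkt)                       # conntrack runs before mangle PREROUTING
    policy("PREROUTING", pkt, state, ct)
    if pkt.dst in DNAT:                         # nat PREROUTING
        before = Packet(pkt.in_iface, pkt.src, pkt.dst, pkt.mark)
        pkt.dst = DNAT[pkt.dst]
        ct.record_dnat(before, pkt)
    table = MARK_TABLE.get(pkt.mark, "main")    # routing decision: the uplink is chosen here
    policy("POSTROUTING", pkt, state, ct)       # nothing done here can change `table`
    return table


def reply_table(policy, in_iface, public_ip):
    """Routing table selected for the web server's reply to a client that came in on in_iface."""
    ct = Conntrack()
    client = ("82.227.29.100", 32983)           # client address and port from the tcpdump output
    forward(Packet(in_iface, client, (public_ip, 80)), ct, policy)
    return forward(Packet("br0", ("192.168.1.4", 80), client), ct, policy)


if __name__ == "__main__":
    for policy in (mangle_original, mangle_connmark_setmark, mangle_fixed):
        table = reply_table(policy, "ppp1", "213.41.177.180")
        print(f"{policy.__name__:24s} reply to a ppp1 client routed via table {table}")
```

Two things the model makes visible. The routing decision that consults `ip rule ... fwmark` happens before mangle POSTROUTING, so a mark restored there never reaches the rule lookup and the reply falls through to the main table's default route. And `CONNMARK --save-mark` copies the packet mark into the connection mark unconditionally, so running it on an unmarked packet (the server's reply arriving on br0, or the first packet right after `CONNMARK --set-mark`, which sets only the connection mark) overwrites the saved mark with zero. The corrected ordering restores first, accepts anything already marked, and saves only after a MARK has actually been set.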
From: borghart at gmx.de (Borghart Steffen)
Date: Fri Nov 25 21:07:05 2005
Subject: [LARTC] ingress police kernel options?
In-Reply-To: <200511252013.01904.Andreas.Klauer@metamorpher.de>
References: <20051125190535.GA3348@gmx.de> <200511252013.01904.Andreas.Klauer@metamorpher.de>
Message-ID: <20051125200640.GA3735@gmx.de>

Hi,

I have this option (see attached kernel-config) enabled. Could you post a working kernel-config for a later 2.6 kernel? Can something other than the kernel be the reason for this error?

Regards,
Borghart

On Fri, Nov 25, 2005 at 08:13:01PM +0100, Andreas Klauer wrote:
> On Friday 25 November 2005 20:05, Borghart Steffen wrote:
> > RTNETLINK answers: Invalid argument
> > Could somebody please give me a hint on how to fix this?
>
> Missing (u32) filter support in the kernel?
>
> HTH
> Andreas Klauer
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

-------------- next part --------------
#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.14.2-skas3-v8.2
# Fri Nov 25 18:14:08 2005
#
CONFIG_X86=y
CONFIG_SEMAPHORE_SLEEPERS=y
CONFIG_MMU=y
CONFIG_UID16=y
CONFIG_GENERIC_ISA_DMA=y
CONFIG_GENERIC_IOMAP=y
CONFIG_ARCH_MAY_HAVE_PC_FDC=y

#
# Code maturity level options
#
CONFIG_EXPERIMENTAL=y
CONFIG_CLEAN_COMPILE=y
CONFIG_LOCK_KERNEL=y
CONFIG_INIT_ENV_ARG_LIMIT=32

#
# General setup
#
CONFIG_LOCALVERSION=""
CONFIG_LOCALVERSION_AUTO=y
CONFIG_SWAP=y
CONFIG_SYSVIPC=y
CONFIG_POSIX_MQUEUE=y
# CONFIG_BSD_PROCESS_ACCT is not set
CONFIG_SYSCTL=y
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_HOTPLUG=y
CONFIG_KOBJECT_UEVENT=y
# CONFIG_IKCONFIG is not set
# CONFIG_CPUSETS is not set
CONFIG_INITRAMFS_SOURCE=""
# CONFIG_EMBEDDED is not set
CONFIG_KALLSYMS=y
# CONFIG_KALLSYMS_EXTRA_PASS is not set
CONFIG_PRINTK=y
CONFIG_BUG=y
CONFIG_BASE_FULL=y
CONFIG_FUTEX=y
CONFIG_EPOLL=y
CONFIG_SHMEM=y
CONFIG_CC_ALIGN_FUNCTIONS=0
CONFIG_CC_ALIGN_LABELS=0
CONFIG_CC_ALIGN_LOOPS=0
CONFIG_CC_ALIGN_JUMPS=0
# CONFIG_TINY_SHMEM is not set
CONFIG_BASE_SMALL=0

#
# Loadable module support
#
CONFIG_MODULES=y
CONFIG_MODULE_UNLOAD=y
CONFIG_MODULE_FORCE_UNLOAD=y
CONFIG_OBSOLETE_MODPARM=y
# CONFIG_MODVERSIONS is not set
# CONFIG_MODULE_SRCVERSION_ALL is not set
CONFIG_KMOD=y
CONFIG_STOP_MACHINE=y

#
# Processor type and features
#
CONFIG_X86_PC=y
# CONFIG_X86_ELAN is not set
# CONFIG_X86_VOYAGER is not set
# CONFIG_X86_NUMAQ is not set
# CONFIG_X86_SUMMIT is not set
# CONFIG_X86_BIGSMP is not set
# CONFIG_X86_VISWS is not set
# CONFIG_X86_GENERICARCH is not set
# CONFIG_X86_ES7000 is not set
# CONFIG_M386 is not set
# CONFIG_M486 is not set
# CONFIG_M586 is not set
# CONFIG_M586TSC is not set
# CONFIG_M586MMX is not set
# CONFIG_M686 is not set
# CONFIG_MPENTIUMII is not set
# CONFIG_MPENTIUMIII is not set
CONFIG_MPENTIUMM=y
# CONFIG_MPENTIUM4 is not set
# CONFIG_MK6 is not set
# CONFIG_MK7 is not set
# CONFIG_MK8 is not set
# CONFIG_MCRUSOE is not set
# CONFIG_MEFFICEON is not set
# CONFIG_MWINCHIPC6 is not set
# CONFIG_MWINCHIP2 is not set
# CONFIG_MWINCHIP3D is not set
# CONFIG_MGEODEGX1 is not set
# CONFIG_MCYRIXIII is not set
# CONFIG_MVIAC3_2 is not set
# CONFIG_X86_GENERIC is not set
CONFIG_X86_CMPXCHG=y
CONFIG_X86_XADD=y
CONFIG_X86_L1_CACHE_SHIFT=6
CONFIG_RWSEM_XCHGADD_ALGORITHM=y
CONFIG_GENERIC_CALIBRATE_DELAY=y
CONFIG_X86_WP_WORKS_OK=y
CONFIG_X86_INVLPG=y
CONFIG_X86_BSWAP=y
CONFIG_X86_POPAD_OK=y
CONFIG_X86_GOOD_APIC=y
CONFIG_X86_INTEL_USERCOPY=y
CONFIG_X86_USE_PPRO_CHECKSUM=y
# CONFIG_HPET_TIMER is not set
CONFIG_SMP=y
CONFIG_NR_CPUS=8
CONFIG_SCHED_SMT=y
# CONFIG_PREEMPT_NONE is not set
CONFIG_PREEMPT_VOLUNTARY=y
# CONFIG_PREEMPT is not set
CONFIG_PREEMPT_BKL=y
CONFIG_X86_LOCAL_APIC=y
CONFIG_X86_IO_APIC=y
CONFIG_X86_TSC=y
CONFIG_X86_MCE=y
CONFIG_X86_MCE_NONFATAL=y
CONFIG_X86_MCE_P4THERMAL=y
# CONFIG_TOSHIBA is not set
# CONFIG_I8K is not set
# CONFIG_X86_REBOOTFIXUPS is not set
# CONFIG_MICROCODE is not set
# CONFIG_X86_MSR is not set
# CONFIG_X86_CPUID is not set

#
# Firmware Drivers
#
# CONFIG_EDD is not set
# CONFIG_DELL_RBU is not set
CONFIG_DCDBAS=m
CONFIG_NOHIGHMEM=y
# CONFIG_HIGHMEM4G is not set
# CONFIG_HIGHMEM64G is not set
CONFIG_PROC_MM=y
CONFIG_SELECT_MEMORY_MODEL=y
CONFIG_FLATMEM_MANUAL=y
# CONFIG_DISCONTIGMEM_MANUAL is not set
# CONFIG_SPARSEMEM_MANUAL is not set
CONFIG_FLATMEM=y
CONFIG_FLAT_NODE_MEM_MAP=y
# CONFIG_SPARSEMEM_STATIC is not set
# CONFIG_MATH_EMULATION is not set
CONFIG_MTRR=y
# CONFIG_EFI is not set
CONFIG_IRQBALANCE=y
# CONFIG_REGPARM is not set
CONFIG_SECCOMP=y
# CONFIG_HZ_100 is not set
# CONFIG_HZ_250 is not set
CONFIG_HZ_1000=y
CONFIG_HZ=1000
CONFIG_PHYSICAL_START=0x100000
# CONFIG_KEXEC is not set

#
# Power management options (ACPI, APM)
#
CONFIG_PM=y
# CONFIG_PM_DEBUG is not set

#
# ACPI (Advanced Configuration and Power Interface) Support
#
CONFIG_ACPI=y
CONFIG_ACPI_AC=y
CONFIG_ACPI_BATTERY=y
CONFIG_ACPI_BUTTON=y
CONFIG_ACPI_VIDEO=y
# CONFIG_ACPI_HOTKEY is not set
CONFIG_ACPI_FAN=y
CONFIG_ACPI_PROCESSOR=y
CONFIG_ACPI_THERMAL=y
# CONFIG_ACPI_ASUS is not set
CONFIG_ACPI_IBM=y
# CONFIG_ACPI_TOSHIBA is not set
CONFIG_ACPI_BLACKLIST_YEAR=0
# CONFIG_ACPI_DEBUG is not set
CONFIG_ACPI_EC=y
CONFIG_ACPI_POWER=y
CONFIG_ACPI_SYSTEM=y
# CONFIG_X86_PM_TIMER is not set
# CONFIG_ACPI_CONTAINER is not set

#
# APM (Advanced Power Management) BIOS Support
#
# CONFIG_APM is not set

#
# CPU Frequency scaling
#
CONFIG_CPU_FREQ=y
CONFIG_CPU_FREQ_TABLE=y
# CONFIG_CPU_FREQ_DEBUG is not set
CONFIG_CPU_FREQ_STAT=y
# CONFIG_CPU_FREQ_STAT_DETAILS is not set
CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE=y
# CONFIG_CPU_FREQ_DEFAULT_GOV_USERSPACE is not set
CONFIG_CPU_FREQ_GOV_PERFORMANCE=y
# CONFIG_CPU_FREQ_GOV_POWERSAVE is not set
# CONFIG_CPU_FREQ_GOV_USERSPACE is not set
CONFIG_CPU_FREQ_GOV_ONDEMAND=y
# CONFIG_CPU_FREQ_GOV_CONSERVATIVE is not set

#
# CPUFreq processor drivers
#
# CONFIG_X86_ACPI_CPUFREQ is not set
# CONFIG_X86_POWERNOW_K6 is not set
# CONFIG_X86_POWERNOW_K7 is not set
# CONFIG_X86_POWERNOW_K8 is not set
# CONFIG_X86_GX_SUSPMOD is not set
CONFIG_X86_SPEEDSTEP_CENTRINO=y
CONFIG_X86_SPEEDSTEP_CENTRINO_ACPI=y
CONFIG_X86_SPEEDSTEP_CENTRINO_TABLE=y
# CONFIG_X86_SPEEDSTEP_ICH is not set
# CONFIG_X86_SPEEDSTEP_SMI is not set
# CONFIG_X86_P4_CLOCKMOD is not set
# CONFIG_X86_CPUFREQ_NFORCE2 is not set
# CONFIG_X86_LONGRUN is not set
# CONFIG_X86_LONGHAUL is not set

#
# shared options
#
# CONFIG_X86_ACPI_CPUFREQ_PROC_INTF is not set
# CONFIG_X86_SPEEDSTEP_LIB is not set

#
# Bus options (PCI, PCMCIA, EISA, MCA, ISA)
#
CONFIG_PCI=y
# CONFIG_PCI_GOBIOS is not set
# CONFIG_PCI_GOMMCONFIG is not set
# CONFIG_PCI_GODIRECT is not set
CONFIG_PCI_GOANY=y
CONFIG_PCI_BIOS=y
CONFIG_PCI_DIRECT=y
CONFIG_PCI_MMCONFIG=y
# CONFIG_PCIEPORTBUS is not set
# CONFIG_PCI_MSI is not set
CONFIG_PCI_LEGACY_PROC=y
CONFIG_ISA_DMA_API=y
CONFIG_ISA=y
# CONFIG_EISA is not set
# CONFIG_MCA is not set
# CONFIG_SCx200 is not set
# CONFIG_HOTPLUG_CPU is not set

#
# PCCARD (PCMCIA/CardBus) support
#
# CONFIG_PCCARD is not set

#
# PCI Hotplug Support
#
# CONFIG_HOTPLUG_PCI is not set

#
# Executable file formats
#
CONFIG_BINFMT_ELF=y
CONFIG_BINFMT_AOUT=y
CONFIG_BINFMT_MISC=y

#
# Networking
#
CONFIG_NET=y

#
# Networking options
#
CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set
CONFIG_UNIX=y
# CONFIG_NET_KEY is not set
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
# CONFIG_IP_ADVANCED_ROUTER is not set
CONFIG_IP_FIB_HASH=y
# CONFIG_IP_PNP is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_ARPD is not set
# CONFIG_SYN_COOKIES is not set
# CONFIG_INET_AH is not set
# CONFIG_INET_ESP is not set
# CONFIG_INET_IPCOMP is not set
# CONFIG_INET_TUNNEL is not set
CONFIG_INET_DIAG=y
CONFIG_INET_TCP_DIAG=y
# CONFIG_TCP_CONG_ADVANCED is not set
CONFIG_TCP_CONG_BIC=y

#
# IP: Virtual Server Configuration
#
# CONFIG_IP_VS is not set
# CONFIG_IPV6 is not set
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_BRIDGE_NETFILTER=y
# CONFIG_NETFILTER_NETLINK is not set

#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_CONNTRACK_EVENTS=y
CONFIG_IP_NF_CT_PROTO_SCTP=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IRC=y
CONFIG_IP_NF_NETBIOS_NS=y
CONFIG_IP_NF_TFTP=y
CONFIG_IP_NF_AMANDA=y
CONFIG_IP_NF_PPTP=y
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_IPRANGE=y
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_LAYER7=y
# CONFIG_IP_NF_MATCH_LAYER7_DEBUG is not set
CONFIG_IP_NF_MATCH_PKTTYPE=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_DSCP=y
CONFIG_IP_NF_MATCH_AH_ESP=y
CONFIG_IP_NF_MATCH_LENGTH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_HELPER=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_CONNTRACK=y
CONFIG_IP_NF_MATCH_OWNER=y
CONFIG_IP_NF_MATCH_PHYSDEV=y
CONFIG_IP_NF_MATCH_ADDRTYPE=y
CONFIG_IP_NF_MATCH_REALM=y
CONFIG_IP_NF_MATCH_SCTP=y
CONFIG_IP_NF_MATCH_DCCP=y
CONFIG_IP_NF_MATCH_COMMENT=y
# CONFIG_IP_NF_MATCH_CONNMARK is not set
CONFIG_IP_NF_MATCH_CONNBYTES=y
CONFIG_IP_NF_MATCH_HASHLIMIT=y
CONFIG_IP_NF_MATCH_STRING=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
CONFIG_IP_NF_TARGET_NFQUEUE=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_TARGET_NETMAP=y
CONFIG_IP_NF_TARGET_SAME=y
CONFIG_IP_NF_NAT_SNMP_BASIC=y
CONFIG_IP_NF_NAT_IRC=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_NAT_TFTP=y
CONFIG_IP_NF_NAT_AMANDA=y
CONFIG_IP_NF_NAT_PPTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_DSCP=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_CLASSIFY=y
CONFIG_IP_NF_TARGET_TTL=y
# CONFIG_IP_NF_TARGET_CONNMARK is not set
# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_TARGET_NOTRACK=m
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y

#
# Bridge: Netfilter Configuration
#
# CONFIG_BRIDGE_NF_EBTABLES is not set

#
# DCCP Configuration (EXPERIMENTAL)
#
# CONFIG_IP_DCCP is not set

#
# SCTP Configuration (EXPERIMENTAL)
#
# CONFIG_IP_SCTP is not set
# CONFIG_ATM is not set
CONFIG_BRIDGE=y
# CONFIG_VLAN_8021Q is not set
# CONFIG_DECNET is not set
# CONFIG_LLC2 is not set
# CONFIG_IPX is not set
# CONFIG_ATALK is not set
# CONFIG_X25 is not set
# CONFIG_LAPB is not set
# CONFIG_NET_DIVERT is not set
# CONFIG_ECONET is not set
# CONFIG_WAN_ROUTER is not set
CONFIG_NET_SCHED=y
CONFIG_NET_SCH_CLK_JIFFIES=y
# CONFIG_NET_SCH_CLK_GETTIMEOFDAY is not set
# CONFIG_NET_SCH_CLK_CPU is not set
CONFIG_NET_SCH_CBQ=y
CONFIG_NET_SCH_HTB=y
CONFIG_NET_SCH_HFSC=y
CONFIG_NET_SCH_PRIO=y
CONFIG_NET_SCH_RED=y
CONFIG_NET_SCH_SFQ=y
CONFIG_NET_SCH_TEQL=y
CONFIG_NET_SCH_TBF=y
CONFIG_NET_SCH_GRED=y
CONFIG_NET_SCH_DSMARK=y
CONFIG_NET_SCH_NETEM=y
CONFIG_NET_SCH_INGRESS=y
CONFIG_NET_QOS=y
CONFIG_NET_ESTIMATOR=y
CONFIG_NET_CLS=y
CONFIG_NET_CLS_BASIC=y
CONFIG_NET_CLS_TCINDEX=y
CONFIG_NET_CLS_ROUTE4=y
CONFIG_NET_CLS_ROUTE=y
CONFIG_NET_CLS_FW=y
CONFIG_NET_CLS_U32=y
CONFIG_CLS_U32_PERF=y
CONFIG_NET_CLS_IND=y
CONFIG_CLS_U32_MARK=y
# CONFIG_NET_CLS_RSVP is not set
# CONFIG_NET_CLS_RSVP6 is not set
CONFIG_NET_EMATCH=y
CONFIG_NET_EMATCH_STACK=32
CONFIG_NET_EMATCH_CMP=y
CONFIG_NET_EMATCH_NBYTE=y
CONFIG_NET_EMATCH_U32=y
CONFIG_NET_EMATCH_META=y
CONFIG_NET_EMATCH_TEXT=y
# CONFIG_NET_CLS_ACT is not set
CONFIG_NET_CLS_POLICE=y

#
# Network testing
#
# CONFIG_NET_PKTGEN is not set
# CONFIG_HAMRADIO is not set
# CONFIG_IRDA is not set
# CONFIG_BT is not set
# CONFIG_IEEE80211 is not set

#
# Device Drivers
#

#
# Generic Driver Options
#
CONFIG_STANDALONE=y
CONFIG_PREVENT_FIRMWARE_BUILD=y
CONFIG_FW_LOADER=m

#
# Connector - unified userspace <-> kernelspace linker
#
# CONFIG_CONNECTOR is not set

#
# Memory Technology Devices (MTD)
#
# CONFIG_MTD is not set

#
# Parallel port support
#
CONFIG_PARPORT=y
CONFIG_PARPORT_PC=y
# CONFIG_PARPORT_SERIAL is not set
# CONFIG_PARPORT_PC_FIFO is not set
# CONFIG_PARPORT_PC_SUPERIO is not set
# CONFIG_PARPORT_GSC is not set
# CONFIG_PARPORT_1284 is not set

#
# Plug and Play support
#
CONFIG_PNP=y
# CONFIG_PNP_DEBUG is not set

#
# Protocols
#
# CONFIG_ISAPNP is not set
# CONFIG_PNPBIOS is not set
CONFIG_PNPACPI=y

#
# Block devices
#
CONFIG_BLK_DEV_FD=y
# CONFIG_BLK_DEV_XD is not set
# CONFIG_PARIDE is not set
# CONFIG_BLK_CPQ_DA is not set
# CONFIG_BLK_CPQ_CISS_DA is not set
# CONFIG_BLK_DEV_DAC960 is not set
# CONFIG_BLK_DEV_UMEM is not set
# CONFIG_BLK_DEV_COW_COMMON is not set
CONFIG_BLK_DEV_LOOP=y
# CONFIG_BLK_DEV_CRYPTOLOOP is not set
# CONFIG_BLK_DEV_NBD is not set
# CONFIG_BLK_DEV_SX8 is not set
# CONFIG_BLK_DEV_UB is not set
# CONFIG_BLK_DEV_RAM is not set
CONFIG_BLK_DEV_RAM_COUNT=16
CONFIG_LBD=y
# CONFIG_CDROM_PKTCDVD is not set

#
# IO Schedulers
#
CONFIG_IOSCHED_NOOP=y
CONFIG_IOSCHED_AS=y
CONFIG_IOSCHED_DEADLINE=y
CONFIG_IOSCHED_CFQ=y
# CONFIG_ATA_OVER_ETH is not set

#
# ATA/ATAPI/MFM/RLL support
#
CONFIG_IDE=y
CONFIG_BLK_DEV_IDE=y

#
# Please see Documentation/ide.txt for help/info on IDE drives
#
# CONFIG_BLK_DEV_IDE_SATA is not set
# CONFIG_BLK_DEV_HD_IDE is not set
CONFIG_BLK_DEV_IDEDISK=y
CONFIG_IDEDISK_MULTI_MODE=y
CONFIG_BLK_DEV_IDECD=y
# CONFIG_BLK_DEV_IDETAPE is not set
# CONFIG_BLK_DEV_IDEFLOPPY is not set
# CONFIG_BLK_DEV_IDESCSI is not set
# CONFIG_IDE_TASK_IOCTL is not set

#
# IDE chipset support/bugfixes
#
CONFIG_IDE_GENERIC=y
CONFIG_BLK_DEV_CMD640=y
# CONFIG_BLK_DEV_CMD640_ENHANCED is not set
# CONFIG_BLK_DEV_IDEPNP is not set
CONFIG_BLK_DEV_IDEPCI=y
CONFIG_IDEPCI_SHARE_IRQ=y
# CONFIG_BLK_DEV_OFFBOARD is not set
CONFIG_BLK_DEV_GENERIC=y
# CONFIG_BLK_DEV_OPTI621 is not set
CONFIG_BLK_DEV_RZ1000=y
CONFIG_BLK_DEV_IDEDMA_PCI=y
# CONFIG_BLK_DEV_IDEDMA_FORCED is not set
CONFIG_IDEDMA_PCI_AUTO=y
#
CONFIG_IDEDMA_ONLYDISK is not set # CONFIG_BLK_DEV_AEC62XX is not set # CONFIG_BLK_DEV_ALI15X3 is not set # CONFIG_BLK_DEV_AMD74XX is not set # CONFIG_BLK_DEV_ATIIXP is not set # CONFIG_BLK_DEV_CMD64X is not set # CONFIG_BLK_DEV_TRIFLEX is not set # CONFIG_BLK_DEV_CY82C693 is not set # CONFIG_BLK_DEV_CS5520 is not set # CONFIG_BLK_DEV_CS5530 is not set # CONFIG_BLK_DEV_HPT34X is not set # CONFIG_BLK_DEV_HPT366 is not set # CONFIG_BLK_DEV_SC1200 is not set CONFIG_BLK_DEV_PIIX=y # CONFIG_BLK_DEV_IT821X is not set # CONFIG_BLK_DEV_NS87415 is not set # CONFIG_BLK_DEV_PDC202XX_OLD is not set # CONFIG_BLK_DEV_PDC202XX_NEW is not set # CONFIG_BLK_DEV_SVWKS is not set # CONFIG_BLK_DEV_SIIMAGE is not set # CONFIG_BLK_DEV_SIS5513 is not set # CONFIG_BLK_DEV_SLC90E66 is not set # CONFIG_BLK_DEV_TRM290 is not set # CONFIG_BLK_DEV_VIA82CXXX is not set # CONFIG_IDE_ARM is not set # CONFIG_IDE_CHIPSETS is not set CONFIG_BLK_DEV_IDEDMA=y # CONFIG_IDEDMA_IVB is not set CONFIG_IDEDMA_AUTO=y # CONFIG_BLK_DEV_HD is not set # # SCSI device support # # CONFIG_RAID_ATTRS is not set CONFIG_SCSI=y CONFIG_SCSI_PROC_FS=y # # SCSI support type (disk, tape, CD-ROM) # CONFIG_BLK_DEV_SD=y # CONFIG_CHR_DEV_ST is not set # CONFIG_CHR_DEV_OSST is not set # CONFIG_BLK_DEV_SR is not set CONFIG_CHR_DEV_SG=y # CONFIG_CHR_DEV_SCH is not set # # Some SCSI devices (e.g. 
CD jukebox) support multiple LUNs # # CONFIG_SCSI_MULTI_LUN is not set # CONFIG_SCSI_CONSTANTS is not set # CONFIG_SCSI_LOGGING is not set # # SCSI Transport Attributes # # CONFIG_SCSI_SPI_ATTRS is not set # CONFIG_SCSI_FC_ATTRS is not set # CONFIG_SCSI_ISCSI_ATTRS is not set # CONFIG_SCSI_SAS_ATTRS is not set # # SCSI low-level drivers # # CONFIG_BLK_DEV_3W_XXXX_RAID is not set # CONFIG_SCSI_3W_9XXX is not set # CONFIG_SCSI_7000FASST is not set # CONFIG_SCSI_ACARD is not set # CONFIG_SCSI_AHA152X is not set # CONFIG_SCSI_AHA1542 is not set # CONFIG_SCSI_AACRAID is not set # CONFIG_SCSI_AIC7XXX is not set # CONFIG_SCSI_AIC7XXX_OLD is not set # CONFIG_SCSI_AIC79XX is not set CONFIG_SCSI_DPT_I2O=m # CONFIG_SCSI_IN2000 is not set # CONFIG_MEGARAID_NEWGEN is not set # CONFIG_MEGARAID_LEGACY is not set # CONFIG_MEGARAID_SAS is not set CONFIG_SCSI_SATA=y # CONFIG_SCSI_SATA_AHCI is not set # CONFIG_SCSI_SATA_SVW is not set CONFIG_SCSI_ATA_PIIX=y # CONFIG_SCSI_SATA_MV is not set # CONFIG_SCSI_SATA_NV is not set # CONFIG_SCSI_SATA_PROMISE is not set # CONFIG_SCSI_SATA_QSTOR is not set CONFIG_SCSI_SATA_SX4=m # CONFIG_SCSI_SATA_SIL is not set CONFIG_SCSI_SATA_SIS=m # CONFIG_SCSI_SATA_ULI is not set # CONFIG_SCSI_SATA_VIA is not set # CONFIG_SCSI_SATA_VITESSE is not set CONFIG_SCSI_SATA_INTEL_COMBINED=y # CONFIG_SCSI_BUSLOGIC is not set # CONFIG_SCSI_DMX3191D is not set # CONFIG_SCSI_DTC3280 is not set # CONFIG_SCSI_EATA is not set # CONFIG_SCSI_FUTURE_DOMAIN is not set # CONFIG_SCSI_GDTH is not set # CONFIG_SCSI_GENERIC_NCR5380 is not set # CONFIG_SCSI_GENERIC_NCR5380_MMIO is not set # CONFIG_SCSI_IPS is not set # CONFIG_SCSI_INITIO is not set # CONFIG_SCSI_INIA100 is not set # CONFIG_SCSI_PPA is not set # CONFIG_SCSI_IMM is not set # CONFIG_SCSI_NCR53C406A is not set # CONFIG_SCSI_SYM53C8XX_2 is not set CONFIG_SCSI_IPR=m # CONFIG_SCSI_IPR_TRACE is not set # CONFIG_SCSI_IPR_DUMP is not set # CONFIG_SCSI_PAS16 is not set # CONFIG_SCSI_PSI240I is not set # 
CONFIG_SCSI_QLOGIC_FAS is not set # CONFIG_SCSI_QLOGIC_FC is not set # CONFIG_SCSI_QLOGIC_1280 is not set CONFIG_SCSI_QLA2XXX=y # CONFIG_SCSI_QLA21XX is not set # CONFIG_SCSI_QLA22XX is not set # CONFIG_SCSI_QLA2300 is not set # CONFIG_SCSI_QLA2322 is not set # CONFIG_SCSI_QLA6312 is not set # CONFIG_SCSI_QLA24XX is not set # CONFIG_SCSI_LPFC is not set # CONFIG_SCSI_SYM53C416 is not set # CONFIG_SCSI_DC395x is not set # CONFIG_SCSI_DC390T is not set # CONFIG_SCSI_T128 is not set # CONFIG_SCSI_U14_34F is not set # CONFIG_SCSI_ULTRASTOR is not set # CONFIG_SCSI_NSP32 is not set # CONFIG_SCSI_DEBUG is not set # # Old CD-ROM drivers (not SCSI, not IDE) # # CONFIG_CD_NO_IDESCSI is not set # # Multi-device support (RAID and LVM) # # CONFIG_MD is not set # # Fusion MPT device support # # CONFIG_FUSION is not set # CONFIG_FUSION_SPI is not set # CONFIG_FUSION_FC is not set # CONFIG_FUSION_SAS is not set # # IEEE 1394 (FireWire) support # CONFIG_IEEE1394=y # # Subsystem Options # # CONFIG_IEEE1394_VERBOSEDEBUG is not set # CONFIG_IEEE1394_OUI_DB is not set # CONFIG_IEEE1394_EXTRA_CONFIG_ROMS is not set # CONFIG_IEEE1394_EXPORT_FULL_API is not set # # Device Drivers # # # Texas Instruments PCILynx requires I2C # CONFIG_IEEE1394_OHCI1394=y # # Protocol Drivers # # CONFIG_IEEE1394_VIDEO1394 is not set # CONFIG_IEEE1394_SBP2 is not set # CONFIG_IEEE1394_ETH1394 is not set # CONFIG_IEEE1394_DV1394 is not set CONFIG_IEEE1394_RAWIO=y # CONFIG_IEEE1394_CMP is not set # # I2O device support # # CONFIG_I2O is not set # # Network device support # CONFIG_NETDEVICES=y CONFIG_DUMMY=m # CONFIG_BONDING is not set # CONFIG_EQUALIZER is not set CONFIG_TUN=y # CONFIG_NET_SB1000 is not set # # ARCnet devices # # CONFIG_ARCNET is not set # # PHY device support # # CONFIG_PHYLIB is not set # # Ethernet (10 or 100Mbit) # CONFIG_NET_ETHERNET=y CONFIG_MII=y # CONFIG_HAPPYMEAL is not set # CONFIG_SUNGEM is not set # CONFIG_CASSINI is not set # CONFIG_NET_VENDOR_3COM is not set # CONFIG_LANCE is not 
set # CONFIG_NET_VENDOR_SMC is not set # CONFIG_NET_VENDOR_RACAL is not set # # Tulip family network device support # # CONFIG_NET_TULIP is not set # CONFIG_AT1700 is not set # CONFIG_DEPCA is not set # CONFIG_HP100 is not set # CONFIG_NET_ISA is not set CONFIG_NET_PCI=y # CONFIG_PCNET32 is not set # CONFIG_AMD8111_ETH is not set # CONFIG_ADAPTEC_STARFIRE is not set # CONFIG_AC3200 is not set # CONFIG_APRICOT is not set # CONFIG_B44 is not set # CONFIG_FORCEDETH is not set # CONFIG_CS89x0 is not set # CONFIG_DGRS is not set # CONFIG_EEPRO100 is not set # CONFIG_E100 is not set # CONFIG_FEALNX is not set # CONFIG_NATSEMI is not set CONFIG_NE2K_PCI=y CONFIG_8139CP=y CONFIG_8139TOO=y CONFIG_8139TOO_PIO=y # CONFIG_8139TOO_TUNE_TWISTER is not set # CONFIG_8139TOO_8129 is not set # CONFIG_8139_OLD_RX_RESET is not set # CONFIG_SIS900 is not set # CONFIG_EPIC100 is not set # CONFIG_SUNDANCE is not set # CONFIG_TLAN is not set # CONFIG_VIA_RHINE is not set # CONFIG_NET_POCKET is not set # # Ethernet (1000 Mbit) # # CONFIG_ACENIC is not set # CONFIG_DL2K is not set # CONFIG_E1000 is not set # CONFIG_NS83820 is not set # CONFIG_HAMACHI is not set # CONFIG_YELLOWFIN is not set # CONFIG_R8169 is not set # CONFIG_SIS190 is not set # CONFIG_SKGE is not set CONFIG_SK98LIN=y # CONFIG_VIA_VELOCITY is not set # CONFIG_TIGON3 is not set # CONFIG_BNX2 is not set # # Ethernet (10000 Mbit) # # CONFIG_CHELSIO_T1 is not set # CONFIG_IXGB is not set CONFIG_S2IO=m # CONFIG_S2IO_NAPI is not set # CONFIG_2BUFF_MODE is not set # # Token Ring devices # # CONFIG_TR is not set # # Wireless LAN (non-hamradio) # # CONFIG_NET_RADIO is not set # # Wan interfaces # # CONFIG_WAN is not set # CONFIG_FDDI is not set # CONFIG_HIPPI is not set # CONFIG_PLIP is not set CONFIG_PPP=y # CONFIG_PPP_MULTILINK is not set # CONFIG_PPP_FILTER is not set CONFIG_PPP_ASYNC=y CONFIG_PPP_SYNC_TTY=y # CONFIG_PPP_DEFLATE is not set # CONFIG_PPP_BSDCOMP is not set CONFIG_PPPOE=y # CONFIG_SLIP is not set # CONFIG_NET_FC is 
not set # CONFIG_SHAPER is not set # CONFIG_NETCONSOLE is not set # CONFIG_NETPOLL is not set # CONFIG_NET_POLL_CONTROLLER is not set # # ISDN subsystem # # CONFIG_ISDN is not set # # Telephony Support # # CONFIG_PHONE is not set # # Input device support # CONFIG_INPUT=y # # Userland interfaces # CONFIG_INPUT_MOUSEDEV=y CONFIG_INPUT_MOUSEDEV_PSAUX=y CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024 CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768 # CONFIG_INPUT_JOYDEV is not set # CONFIG_INPUT_TSDEV is not set CONFIG_INPUT_EVDEV=y # CONFIG_INPUT_EVBUG is not set # # Input Device Drivers # CONFIG_INPUT_KEYBOARD=y CONFIG_KEYBOARD_ATKBD=y # CONFIG_KEYBOARD_SUNKBD is not set # CONFIG_KEYBOARD_LKKBD is not set # CONFIG_KEYBOARD_XTKBD is not set # CONFIG_KEYBOARD_NEWTON is not set CONFIG_INPUT_MOUSE=y CONFIG_MOUSE_PS2=y # CONFIG_MOUSE_SERIAL is not set # CONFIG_MOUSE_INPORT is not set # CONFIG_MOUSE_LOGIBM is not set # CONFIG_MOUSE_PC110PAD is not set # CONFIG_MOUSE_VSXXXAA is not set # CONFIG_INPUT_JOYSTICK is not set # CONFIG_INPUT_TOUCHSCREEN is not set # CONFIG_INPUT_MISC is not set # # Hardware I/O ports # CONFIG_SERIO=y CONFIG_SERIO_I8042=y # CONFIG_SERIO_SERPORT is not set # CONFIG_SERIO_CT82C710 is not set # CONFIG_SERIO_PARKBD is not set # CONFIG_SERIO_PCIPS2 is not set CONFIG_SERIO_LIBPS2=y # CONFIG_SERIO_RAW is not set # CONFIG_GAMEPORT is not set # # Character devices # CONFIG_VT=y CONFIG_VT_CONSOLE=y CONFIG_HW_CONSOLE=y # CONFIG_SERIAL_NONSTANDARD is not set # # Serial drivers # CONFIG_SERIAL_8250=y # CONFIG_SERIAL_8250_CONSOLE is not set # CONFIG_SERIAL_8250_ACPI is not set CONFIG_SERIAL_8250_NR_UARTS=4 # CONFIG_SERIAL_8250_EXTENDED is not set # # Non-8250 serial port support # CONFIG_SERIAL_CORE=y # CONFIG_SERIAL_JSM is not set CONFIG_UNIX98_PTYS=y # CONFIG_LEGACY_PTYS is not set CONFIG_PRINTER=y # CONFIG_LP_CONSOLE is not set # CONFIG_PPDEV is not set # CONFIG_TIPAR is not set # # IPMI # # CONFIG_IPMI_HANDLER is not set # # Watchdog Cards # # CONFIG_WATCHDOG is not set # 
CONFIG_HW_RANDOM is not set # CONFIG_NVRAM is not set # CONFIG_RTC is not set # CONFIG_GEN_RTC is not set # CONFIG_DTLK is not set # CONFIG_R3964 is not set # CONFIG_APPLICOM is not set # CONFIG_SONYPI is not set # # Ftape, the floppy tape device driver # CONFIG_AGP=y # CONFIG_AGP_ALI is not set # CONFIG_AGP_ATI is not set # CONFIG_AGP_AMD is not set # CONFIG_AGP_AMD64 is not set CONFIG_AGP_INTEL=y # CONFIG_AGP_NVIDIA is not set # CONFIG_AGP_SIS is not set # CONFIG_AGP_SWORKS is not set # CONFIG_AGP_VIA is not set # CONFIG_AGP_EFFICEON is not set CONFIG_DRM=y CONFIG_DRM_TDFX=y # CONFIG_DRM_R128 is not set # CONFIG_DRM_RADEON is not set # CONFIG_DRM_I810 is not set # CONFIG_DRM_I830 is not set # CONFIG_DRM_I915 is not set # CONFIG_DRM_MGA is not set # CONFIG_DRM_SIS is not set # CONFIG_DRM_VIA is not set CONFIG_DRM_SAVAGE=y # CONFIG_MWAVE is not set # CONFIG_RAW_DRIVER is not set # CONFIG_HPET is not set # CONFIG_HANGCHECK_TIMER is not set # # TPM devices # # CONFIG_TCG_TPM is not set # # I2C support # # CONFIG_I2C is not set # # Dallas's 1-wire bus # # CONFIG_W1 is not set # # Hardware Monitoring support # CONFIG_HWMON=y # CONFIG_HWMON_VID is not set # CONFIG_SENSORS_HDAPS is not set # CONFIG_HWMON_DEBUG_CHIP is not set # # Misc devices # # CONFIG_IBM_ASM is not set # # Multimedia Capabilities Port drivers # # # Multimedia devices # # CONFIG_VIDEO_DEV is not set # # Digital Video Broadcasting Devices # CONFIG_DVB=y CONFIG_DVB_CORE=y # # Supported SAA7146 based PCI Adapters # # CONFIG_DVB_AV7110 is not set # CONFIG_DVB_BUDGET is not set # CONFIG_DVB_BUDGET_CI is not set # CONFIG_DVB_BUDGET_AV is not set # # Supported USB Adapters # # CONFIG_DVB_USB is not set # CONFIG_DVB_TTUSB_BUDGET is not set # CONFIG_DVB_TTUSB_DEC is not set CONFIG_DVB_CINERGYT2=y CONFIG_DVB_CINERGYT2_TUNING=y CONFIG_DVB_CINERGYT2_STREAM_URB_COUNT=32 CONFIG_DVB_CINERGYT2_STREAM_BUF_SIZE=512 CONFIG_DVB_CINERGYT2_QUERY_INTERVAL=250 CONFIG_DVB_CINERGYT2_ENABLE_RC_INPUT_DEVICE=y 
From gregoriandres at yahoo.com.ar Fri Nov 25 21:19:38 2005
From: gregoriandres at yahoo.com.ar (LinuXKiD)
Date: Fri Nov 25 21:20:23 2005
Subject: [LARTC] FAIR NAT: this is correct ?
Message-ID:

On Fair NAT:
-------------
[...]
# Correcting TOS for large packets with Minimize-Delay-TOS
$BIN_IPT -t mangle -A $FN_CHK_TOS -p tcp -m length --length 0:512 -j RETURN
$BIN_IPT -t mangle -A $FN_CHK_TOS -p udp -m length --length 0:1024 -j RETURN
$BIN_IPT -t mangle -A $FN_CHK_TOS -j TOS --set-tos Maximize-Throughput
$BIN_IPT -t mangle -A $FN_CHK_TOS -j RETURN
[...]

I think that the best is:

[...]
# Correcting TOS for large packets with Minimize-Delay-TOS
$BIN_IPT -t mangle -A $FN_CHK_TOS -p tcp -m length --length 0:512 -j RETURN
$BIN_IPT -t mangle -A $FN_CHK_TOS -p udp -m length --length 0:1024 -j RETURN
## NEW LINE:
$BIN_IPT -t mangle -A $FN_CHK_TOS -p icmp -m length --length 0:1024 -j RETURN
$BIN_IPT -t mangle -A $FN_CHK_TOS -j TOS --set-tos Maximize-Throughput
$BIN_IPT -t mangle -A $FN_CHK_TOS -j RETURN
[...]

because in the original Fair NAT, PINGs are marked as "MAXIMIZE THROUGHPUT".

Is my note correct?

bests
andres

From comp.techs at aspenview.org Fri Nov 25 21:38:40 2005
From: comp.techs at aspenview.org (comp.techs)
Date: Fri Nov 25 21:38:52 2005
Subject: [LARTC] Marking DSCP
Message-ID: <648A21EA469E3848922D9860785CD5EF456706@aspen-mail01.aspenview.org>

Hi, what would be the easiest way to mark packets for AF? For example, ingress www traffic being marked as AF31?

thx
jason

From Andreas.Klauer at metamorpher.de Sat Nov 26 01:13:56 2005
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Sat Nov 26 01:13:56 2005
Subject: [LARTC] FAIR NAT: this is correct ?
In-Reply-To:
References:
Message-ID: <200511260113.56307.Andreas.Klauer@metamorpher.de>

On Friday 25 November 2005 21:19, LinuXKiD wrote:
> $BIN_IPT -t mangle -A $FN_CHK_TOS -p icmp -m length --length 0:1024 -j
> RETURN
> [...]
>
> because in the original Fair NAT, PINGs are marked as "MAXIMIZE THROUGHPUT"
>
> Is my note correct?

The code you quoted is a rule that should be protocol independent. Lower the priority of packets that claim to be interactive but are too big. Or rather, let packets keep their high priority status only if they're small enough. It should apply to ICMP and all others as well, but obviously it doesn't. Well spotted...

I don't like that part of the script. It's pretty much random; I can't even remember why I'm using 0:512 for tcp, but 0:1024 for udp as packet size criteria. The prioritization of Fair NAT is still way too static, given that everyone has different requirements.

Andreas Klauer
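Added example (not Fair NAT's own code, nor anything posted to the list): a small Python model of how netfilter walks the FN_CHK_TOS chain, putting the original tcp/udp-only rules beside a protocol-independent variant that uses one length rule without -p, as the reply above asks for. The packets, the 512-byte limit of the variant and the test lengths are constructed for illustration; the TOS byte values are the ones behind the iptables names Minimize-Delay (0x10) and Maximize-Throughput (0x08).

```python
"""Model of the Fair NAT FN_CHK_TOS chain walked the way netfilter walks a user chain.

Constructed example: the rules mirror the ones quoted in this thread, the packets
are made up, and the TOS values are the Linux TOS byte values behind the iptables
names Minimize-Delay (0x10) and Maximize-Throughput (0x08).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TOS_MINIMIZE_DELAY = 0x10
TOS_MAXIMIZE_THROUGHPUT = 0x08


@dataclass
class Packet:
    proto: str     # "tcp", "udp" or "icmp"
    length: int    # total IP length in bytes, which is what "-m length" matches on
    tos: int       # current TOS byte


@dataclass
class Rule:
    target: str                               # "RETURN" or "TOS"
    proto: Optional[str] = None               # "-p <proto>"; None matches every protocol
    length: Optional[Tuple[int, int]] = None  # "-m length --length lo:hi", inclusive
    set_tos: Optional[int] = None             # argument of "-j TOS --set-tos"

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.length is not None:
            lo, hi = self.length
            if not lo <= pkt.length <= hi:
                return False
        return True


def run_chain(chain: List[Rule], pkt: Packet) -> int:
    """Evaluate rules in order. RETURN leaves the chain with the packet as it is;
    TOS is a non-terminating target, so it rewrites the byte and evaluation continues.
    Falling off the end of a user chain is an implicit RETURN."""
    for rule in chain:
        if not rule.matches(pkt):
            continue
        if rule.target == "RETURN":
            return pkt.tos
        if rule.target == "TOS":
            pkt.tos = rule.set_tos
    return pkt.tos


# The chain as quoted from Fair NAT: only tcp and udp can RETURN early, so every
# ICMP packet, however small, reaches the TOS rewrite.
ORIGINAL_CHAIN = [
    Rule("RETURN", proto="tcp", length=(0, 512)),
    Rule("RETURN", proto="udp", length=(0, 1024)),
    Rule("TOS", set_tos=TOS_MAXIMIZE_THROUGHPUT),
    Rule("RETURN"),
]

# Protocol-independent variant: one length rule without "-p" keeps any small
# packet's TOS, whatever the protocol. The 512-byte limit is an assumption here.
PROTO_INDEPENDENT_CHAIN = [
    Rule("RETURN", length=(0, 512)),
    Rule("TOS", set_tos=TOS_MAXIMIZE_THROUGHPUT),
    Rule("RETURN"),
]


def classify(chain: List[Rule], proto: str, length: int) -> int:
    """TOS that a packet entering the chain marked Minimize-Delay leaves it with."""
    return run_chain(chain, Packet(proto, length, TOS_MINIMIZE_DELAY))


def leak_report(chain: List[Rule], limit: int = 512) -> List[str]:
    """Protocols for which a packet of `limit` bytes loses Minimize-Delay."""
    return [p for p in ("tcp", "udp", "icmp")
            if classify(chain, p, limit) != TOS_MINIMIZE_DELAY]


if __name__ == "__main__":
    # A default 64-byte ping payload travels as an 84-byte IP packet.
    for name, chain in (("original", ORIGINAL_CHAIN),
                        ("proto-independent", PROTO_INDEPENDENT_CHAIN)):
        print(name, "icmp/84 ->", hex(classify(chain, "icmp", 84)),
              "small packets losing Minimize-Delay:", leak_report(chain))
```

The merged 512-byte rule is stricter for UDP than the original 0:1024 window, so the single limit is a trade-off to choose deliberately rather than a free fix.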
From gregoriandres at yahoo.com.ar Sat Nov 26 03:13:59 2005
From: gregoriandres at yahoo.com.ar (LinuXKiD)
Date: Sat Nov 26 03:14:17 2005
Subject: [LARTC] FAIR NAT: this is correct ?
In-Reply-To: <200511260113.56307.Andreas.Klauer@metamorpher.de>
Message-ID:

-> On Friday 25 November 2005 21:19, LinuXKiD wrote:
-> > $BIN_IPT -t mangle -A $FN_CHK_TOS -p icmp -m length --length 0:1024 -j
-> > RETURN
-> > [...]
-> >
-> > because in the original Fair NAT, PINGs are marked as "MAXIMIZE THROUGHPUT"
-> >
-> > Is my note correct?
->
-> The code you quoted is a rule that should be protocol independent. Lower
-> the priority of packets that claim to be interactive but are too big. Or
-> rather, let packets keep their high priority status only if
-> they're small
-> enough. It should apply to ICMP and all others as well, but obviously it
-> doesn't. Well spotted...
->

OK, what about:

$BIN_IPT -t mangle -A $FN_CHK_TOS -m length --length 0:512 -j RETURN

instead of

$BIN_IPT -t mangle -A $FN_CHK_TOS -p icmp -m length --length 0:1024 -j RETURN

I think that (in the ICMP case) would prioritize small ICMP packets, and other small packets on other protocols.

BTW, I think that FairNat and JiM QoS scripts are great! I'm studying both in order to learn about QoS.

bests
andres.

From talk2ram at gmail.com Sat Nov 26 09:03:24 2005
From: talk2ram at gmail.com (ram)
Date: Sat Nov 26 09:03:42 2005
Subject: [LARTC] Recommendation for the Large B/w suggestion
Message-ID:

Hi all,

I have 100MB internet traffic. I would like to differentiate the VoIP/http/ftp and other traffic. Can HTB support this kind of traffic? What should the hardware config be to classify this kind of traffic? Any sample config, borrowing kind of setup?

ram

From nix4me at cfl.rr.com Sun Nov 27 01:02:59 2005
From: nix4me at cfl.rr.com (nix4me)
Date: Sun Nov 27 01:03:15 2005
Subject: [LARTC] shaping outbound email
Message-ID: <4388F7B3.2090100@cfl.rr.com>

Hi,

I thought sending email went out on port 25?

When I look with ethereal, outbound email transfers were on port 58020. I assume it's choosing a random port for transfer? If so, how do I tag it with an iptables mark? I was hoping it was as simple as tagging port 25.

Thanks,
Mark

From nelsoneci at gmail.com Sun Nov 27 01:07:09 2005
From: nelsoneci at gmail.com (Nelson Castillo)
Date: Sun Nov 27 01:07:29 2005
Subject: [LARTC] shaping outbound email
In-Reply-To: <4388F7B3.2090100@cfl.rr.com>
References: <4388F7B3.2090100@cfl.rr.com>
Message-ID: <2accc2ff0511261607y3cdad4bfo86e60e4cd400d392@mail.gmail.com>

> I thought sending email went out on port 25?
>
> When I look with ethereal, outbound email transfers were on port 58020.

The destination port is 25. The source port is chosen by the kernel.

--
Homepage : http://geocities.com/arhuaco
The first principle is that you must not fool yourself and you are the easiest person to fool. -- Richard Feynman.

From nix4me at cfl.rr.com Sun Nov 27 02:06:06 2005
From: nix4me at cfl.rr.com (nix4me)
Date: Sun Nov 27 02:06:45 2005
Subject: [LARTC] refining my rules
Message-ID: <4389067E.4020506@cfl.rr.com>

Hi,

I am currently using the following script to shape traffic on my linux box. I am getting ready to move the script to my linux firewall box so it shapes traffic for my home LAN. I am looking to refine my rules a bit to make bandwidth sharing a bit more efficient. Specifically, I am looking to give outbound email more priority, so that when a large email is sent, I want it to borrow all of the ftp bandwidth. For some reason it only borrows some of the bandwidth but not all.

Here is my script:

#!/bin/bash
#shaping passive and active outbound ftp traffic on an internal computer without affecting inbound and lan speed

# mark the outbound passive ftp packets on ports 50000-51000
iptables -t mangle -D OUTPUT -o eth0 -j MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -F MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -X MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -N MYSHAPER-OUT
iptables -t mangle -I OUTPUT -o eth0 -j MYSHAPER-OUT

# mark packets: 20 is lan traffic, 26 is active ftp and passive ftp, 30 is ACK for downloads, 35 is email
iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 20
iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 59999 -j MARK --set-mark 26
iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 50000:51000 -j MARK --set-mark 26
iptables -t mangle -A MYSHAPER-OUT -p tcp -m length --length :64 -j MARK --set-mark 30
iptables -t mangle -A MYSHAPER-OUT -m tcp -p tcp --dport 25 -j MARK --set-mark 35

# clear it
tc qdisc del dev eth0 root

#add the root qdisc
tc qdisc add dev eth0 root handle 1: htb default 20

#add main rate limit class
tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit

#add leaf classes, 1:2 is lan, 1:3 is outbound max
tc class add dev eth0 parent 1:1 classid 1:2 htb rate 100mbit
tc class add dev eth0 parent 1:1 classid 1:3 htb rate 40kbps

# 1:31 is ftp with lower prio, 1:32 is ACK AND email higher prio
tc class add dev eth0 parent 1:3 classid 1:31 htb rate 20kbps ceil 40kbps prio 2
tc class add dev eth0 parent 1:3 classid 1:32 htb rate 20kbps ceil 40kbps prio 1

#filter traffic into classes
tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 20 fw flowid 1:2
tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 26 fw flowid 1:31
tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 30 fw flowid 1:32
tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 35 fw flowid 1:32

Any comments would be greatly appreciated,
Mark

From Andreas.Klauer at metamorpher.de Sun Nov 27 11:05:58 2005
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Sun Nov 27 11:06:16 2005
Subject: [LARTC] refining my rules
In-Reply-To: <4389067E.4020506@cfl.rr.com>
References: <4389067E.4020506@cfl.rr.com>
Message-ID: <200511271105.58404.Andreas.Klauer@metamorpher.de>

On Sunday 27 November 2005 02:06, nix4me wrote:
> #add main rate limit class
> tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit

In a 100mbit network, the full 100mbit can only be reached under optimal conditions (I don't know what they are though), so I suggest you measure the actual throughput your network can reach and use this as rate, or just use a slightly lower value here.

> #add leaf classes, 1:2 is lan, 1:3 is outbound max
> tc class add dev eth0 parent 1:1 classid 1:2 htb rate 100mbit

If you give the LAN class the full parent class rate, you've got two problems. First, your parent class will already be fully booked. There is nothing left for the other classes, and HTB will have to cheat somehow to distribute bandwidth now, which may lead to unexpected results. Second, if you have a lot of LAN traffic between the router and other machines (fileserver etc.), this traffic can take up the whole line and interfere with your internet traffic. So in my opinion the rate of the LAN class should be the rate of the parent class minus the rate(s) of your internet class(es).

> tc class add dev eth0 parent 1:1 classid 1:3 htb rate 40kbps
> # 1:31 is ftp with lower prio, 1:32 is ACK AND email higher prio
> tc class add dev eth0 parent 1:3 classid 1:31 htb rate 20kbps ceil
> 40kbps prio 2
> tc class add dev eth0 parent 1:3 classid 1:32 htb rate 20kbps ceil
> 40kbps prio 1

You don't have any internet traffic other than ftp and email?

Regards,
Andreas Klauer

From benoit at season-of-mist.com Mon Nov 28 10:22:15 2005
From: benoit at season-of-mist.com (Benoit DELAGARDE)
Date: Mon Nov 28 10:22:18 2005
Subject: [LARTC] conntrack match failed, packets not FWMarked
Message-ID: <0b9801c5f3fd$397aed00$6401a8c0@Buggsbunny>

Hi all,

I have 2 ISPs on a Linux router and a local network with one Linux server and many Windows machines. The local network is masqueraded. I want to give access to ports 25 and 80 of my server from any incoming request (i.e. from my 2 ISPs). I have made a DNAT translation, which works, but the outgoing answers are not routed correctly. Of course, the de-SNAT process is done before the routing process, so all packets follow the default route.

I looked for solutions in the LARTC mailing-list archive, in the LARTC documentation, on Google, and anywhere I know, but none of the solutions I found work. Based on the LARTC 2 ISP sample (Chapter 4.2), I tried to mark my packets to be correctly routed (via a FWMARK), without success. But everything I read tells me this should work.

Here are my rules (from iptables-save):

*mangle
:PREROUTING ACCEPT [529944:316988323]
:INPUT ACCEPT [374208:35129218]
:FORWARD ACCEPT [4225914:2972153716]
:OUTPUT ACCEPT [147094:14149367]
:POSTROUTING ACCEPT [4855993:3030201798]
-A PREROUTING -m conntrack --ctorigdst IP_OF_PPP0 -j MARK --set-mark 0x1
-A PREROUTING -m conntrack --ctorigdst IP_OF_PPP1 -j MARK --set-mark 0x2
-A PREROUTING -m connmark --mark 0x1 -j LOG --log-prefix "FWMARK1"
COMMIT
# Completed on Mon Nov 28 09:53:06 2005
# Generated by iptables-save v1.2.11 on Mon Nov 28 09:53:06 2005
*nat
:PREROUTING ACCEPT [7696:835113]
:POSTROUTING ACCEPT [29406:2303772]
:OUTPUT ACCEPT [24589:1956035]
-A PREROUTING -i ppp1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80
-A PREROUTING -i ppp1 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.4:25
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.4:25
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp1 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j MASQUERADE
COMMIT

I also have a routing table, but the line

-A PREROUTING -m connmark --mark 0x1 -j LOG --log-prefix "FWMARK1"

doesn't give me any result!!!! Nothing is logged! My packets are not marked. Why?

I am on Debian stable with a kernel 2.6.14.2 (hand made with make-kpkg) and the default iptables (v1.2.11) and iproute2 (iproute2-ss041019).

Does anyone have an idea? (or more ;-) )

From davidb at kth.se Mon Nov 28 13:18:43 2005
From: davidb at kth.se (David Blomberg)
Date: Mon Nov 28 13:18:49 2005
Subject: [LARTC] RE: Difference between snmp traffic rate, and rate from tc
In-Reply-To: <20051125200829.D31AC46BA@outpost.ds9a.nl>
References: <20051125200829.D31AC46BA@outpost.ds9a.nl>
Message-ID: <42725.192.16.125.246.1133180323.squirrel@webmail.sys.kth.se>

Hi,

I guess I'll answer my own question myself. I was on a wireless interface, so the difference seems to have been due to physical layer overhead. I switched to wire and did not notice any difference.

regards
David Blomberg

> Hello,
>
> I use rrdtool to graph the traffic in the different classes on an
> interface, eth1. Basically, I use the output from
>
> tc -s qdisc ls dev eth1
>
> my tc script (which is only for testing the graphing) looks like this:
>
> /sbin/tc qdisc add dev eth1 root handle 1: htb default 20 r2q 1
> /sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 200kbit burst 15k
>
> /sbin/tc class add dev eth1 parent 1:1 classid 1:10 htb rate 100kbit ceil 200kbit burst 15k
> /sbin/tc class add dev eth1 parent 1:1 classid 1:20 htb rate 50kbit ceil 200kbit burst 15k
> /sbin/tc class add dev eth1 parent 1:1 classid 1:30 htb rate 50kbit ceil 200kbit burst 15k
>
> /sbin/tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
> /sbin/tc qdisc add dev eth1 parent 1:20 handle 20: sfq perturb 10
> /sbin/tc qdisc add dev eth1 parent 1:30 handle 30: sfq perturb 10
>
> /sbin/iptables -F
> /sbin/iptables -A OUTPUT -t mangle -o eth1 -j MARK --set-mark 1
>
> /sbin/tc filter add dev eth1 protocol ip parent 1:0 prio 1 handle 1 fw flowid 1:10
> # Filter arp packets to class 1:30.
> /sbin/tc filter add dev eth1 protocol arp u32 match u32 0 0 flowid 1:30
>
> With the help of snmp, I also graph the rate of packets going out
> on the interface. My problem is that the rate I get from snmp is not the
> same as the rate I get from the root class of my queue. In both cases, the
> rate is calculated by rrdtool; I submit the number of bytes that have been
> transmitted. Shouldn't the rate of packets leaving the root class be the
> same as the rate given by snmp?
>
> Thank you for the help,
>
> regards,
>
> David Blomberg

From blist at prostream.net Mon Nov 28 17:27:23 2005
From: blist at prostream.net (blist)
Date: Mon Nov 28 17:27:26 2005
Subject: [LARTC] Combining DSL lines
Message-ID: <438B2FEB.3080809@prostream.net>

I am looking for a solution to take 4 or more ADSL lines with PPPoE and a static IP and then have my local network behind them. I was reviewing http://lartc.org/howto/lartc.rpdb.multiple-links.html and it looks like a good solution.

How can the document be modified to do NAT from the local network? I would need the local network to be NATed to the WAN.

How can I set it up so that the external interfaces log in via PPPoE?

From justin.todd at argonsecurity.com Mon Nov 28 20:23:58 2005
From: justin.todd at argonsecurity.com (Justin Todd)
Date: Mon Nov 28 20:22:22 2005
Subject: [LARTC] Wireless links + Realtime video >= Headache! (long queue delays)
Message-ID: <00c301c5f451$47f89950$c901a8c0@jtwin>

Hello LARTC gurus.

I'm new to this list and have a mind-boggling problem that I cannot resolve. Let me describe my problem:

We have a custom-built wireless camera comprised of an IP encoder and a BitsyX running Linux. It communicates with an antenna unit (BitsyX) which plugs into a Windows machine with a digital video recorder:

[IP Video Encoder] -> [Linux Box 1] - 2Mbit Wireless Link -> [Linux Box 2] -> [Digital Video Recorder running on XP]

Realtime H.263 video (UDP) flows from the encoder to the DVR at 500kbit/sec peak (avg is about 275-300). There is also a bit of sporadic 2-way TCP communication. Both linux boxes do SNAT and DNAT using iptables. Under normal conditions this scenario works reasonably well (despite the fact that it's a bit slow).

***Problem: When bit errors on the wireless link occur, video will get jerky and get behind (sometimes as much as 20 seconds!) and then suddenly the video will appear to go in fast forward and catch up again! This is clearly unacceptable for realtime video! We would rather lose the occasional packet than have it get behind.

QUESTIONS:

1) Will doing SNAT twice on a UDP video stream cause considerable or negligible delay?

2) Is there a way to tell the kernel to drop a packet if it's not delivered within an acceptable period of time?

3) How can you optimize your TCP stack for realtime video?

From c-d.hailfinger.devel.2005 at gmx.net Mon Nov 28 20:54:07 2005
From: c-d.hailfinger.devel.2005 at gmx.net (Carl-Daniel Hailfinger)
Date: Mon Nov 28 20:54:17 2005
Subject: [LARTC] Wireless links + Realtime video >= Headache! (long queue delays)
In-Reply-To: <00c301c5f451$47f89950$c901a8c0@jtwin>
References: <00c301c5f451$47f89950$c901a8c0@jtwin>
Message-ID: <438B605F.3030001@gmx.net>

Hi,

Justin Todd wrote:
> Realtime H.263 video (UDP) flows from the encoder to the DVR at
> 500kbit/sec peak. (avg is about 275-300). There is also a bit of
> sporadic 2-way TCP communication.
>
> ***Problem: When bit errors on the wireless link occur, video will
> get jerky and get behind (sometimes as much as 20 seconds!) and then
> suddenly the video will appear to go in fast forward and catch up
> again! This is clearly unacceptable for realtime video! We would
> rather lose the occasional packet than have it get behind.
>
> QUESTIONS:
>
> 1) Will doing SNAT twice on a UDP video stream cause considerable or
> negligible delay?

Should not be measurable unless the Linux machines are totally overloaded. For a reasonably fast machine, 100 MBit/s wirespeed SNAT is possible, so you should be fine.

> 2) Is there a way to tell the kernel to drop a packet if it's not
> delivered within an acceptable period of time?

You could try to tune the TX timeout, but I have no idea whether there is a sysctl for that.

> 3) How can you optimize your TCP stack for realtime video?

TCP stack? I thought you were doing video over UDP. Sending video over TCP would indeed explain your problems.

Regards,
Carl-Daniel
--
http://www.hailfinger.org/

From rootlinux at yahoo.com Tue Nov 29 06:11:00 2005
From: rootlinux at yahoo.com (root linux)
Date: Tue Nov 29 06:11:03 2005
Subject: [LARTC] fwmark port - dual adsl line
Message-ID: <20051129051100.82625.qmail@web36202.mail.mud.yahoo.com>

Hi all,

Below is my network diagram:

 eth0 (adsl 1)        eth1 (adsl 2)
       |                    |
       |                    |
       |                    |
       |                    |
  -----------------------------
  |                           |
  |          Gateway          |
  |                           |
  -----------------------------
                |
                |
                |
              tun0

Below is my iptables scripting to mark certain ports:

# eMule
$IPTABLES -t mangle -A PREROUTING -i tun0 -p tcp -m multiport --destination-ports 4242,4661,4662,4663,4711 -j MARK --set-mark 11
$IPTABLES -t mangle -A PREROUTING -i tun0 -p udp -m multiport --destination-ports 4672 -j MARK --set-mark 11

# BitTorrent
$IPTABLES -t mangle -A PREROUTING -i tun0 -p tcp --dport 6881:6889 -j MARK --set-mark 12
$IPTABLES -t mangle -A PREROUTING -i tun0 -p tcp --dport 6969 -j MARK --set-mark 12

# DirectConnect
$IPTABLES -t mangle -A PREROUTING -i tun0 -p tcp -m multiport --destination-ports 411,1412,20000 -j MARK --set-mark 13

# Kazaa
$IPTABLES -t mangle -A PREROUTING -i tun0 -p tcp -m multiport --destination-ports 1214,6699 -j MARK --set-mark 14
$IPTABLES -t mangle -A PREROUTING -i tun0 -p udp --dport 1214 -j MARK --set-mark 14

# Gnutella
$IPTABLES -t mangle -A PREROUTING -i tun0 -p tcp -m multiport --destination-ports 6346,6347 -j MARK --set-mark 15
$IPTABLES -t mangle -A PREROUTING -i tun0 -p udp -m multiport --destination-ports 6346,6347 -j MARK --set-mark 15

Below is the iproute scripting:

#
ip rule add fwmark 11 table p2p_01
ip rule add fwmark 12 table p2p_02
ip rule add fwmark 13 table p2p_03
ip rule add fwmark 14 table p2p_04
ip rule add fwmark 15 table p2p_05
#
ip route add default via 192.168.3.1 dev eth0 table p2p_01
ip route add default via 192.168.3.1 dev eth0 table p2p_02
ip route add default via 192.168.3.1 dev eth0 table p2p_03
ip route add default via 192.168.3.1 dev eth0 table p2p_04
ip route add default via 192.168.3.1 dev eth0 table p2p_05

Can I mark the same number for different ports? Like the rule for "eMule"?

Regards,
rootlinux

From justin.todd at argonsecurity.com Tue Nov 29 20:02:56 2005
From: justin.todd at argonsecurity.com (Justin Todd)
Date: Tue Nov 29 20:01:19 2005
Subject: [LARTC] Optimizing linux for the routing of realtime video
Message-ID: <01f001c5f517$826cf9c0$c901a8c0@jtwin>

I'm currently trying to optimize a linux machine which acts as a Layer 3 router of RTP H.263 video. Occasionally I'll get delays related to layer 2 wireless retries, thus rendering the video on the receiving end stale/useless.

Is there a way to optimize a linux machine to route realtime video? In my case, losing a few frames of H.263 is better than having the video delayed for 5 seconds (H.263 has its own methods for error concealing which work pretty well).

As far as I know, there are a few things I could do:
- Sysctl options allow for some minimal TCP/IP stack configuration
- iptables?
- tc?

Basically, I need some way to discard old data that's sitting in the transmit queue.

Regards,
Justin

From david_list at boreham.org Tue Nov 29 20:07:54 2005
From: david_list at boreham.org (David Boreham)
Date: Tue Nov 29 20:08:01 2005
Subject: [LARTC] Optimizing linux for the routing of realtime video
In-Reply-To: <01f001c5f517$826cf9c0$c901a8c0@jtwin>
References: <01f001c5f517$826cf9c0$c901a8c0@jtwin>
Message-ID: <438CA70A.8030908@boreham.org>

Justin Todd wrote:
> I'm currently trying to optimize a linux machine which acts as a Layer 3
> router of RTP H.263 video. Occasionally I'll get delays related to
> layer 2 wireless retries, thus rendering the video on the receiving end
> stale/useless.

Maintaining QoS over wireless links, especially in the presence of
interference, is tricky, perhaps impossible. My gut feel is that your
problems are likely all wireless-related and the solution will lie there
too. Perhaps the radios are queuing subsequent packets behind the one they
attempt to re-transmit? Often there are tweakable parameters in the radios
that you can try to play with (enable RTS for example).

Good luck!

From sophana78 at yahoo.fr Wed Nov 30 02:37:24 2005
From: sophana78 at yahoo.fr (sophana)
Date: Wed Nov 30 02:37:39 2005
Subject: [LARTC] Optimizing linux for the routing of realtime video
In-Reply-To: <438CA70A.8030908@boreham.org>
References: <01f001c5f517$826cf9c0$c901a8c0@jtwin> <438CA70A.8030908@boreham.org>
Message-ID: <438D0254.4070904@yahoo.fr>

I saw a wireless QoS package. Don't remember the name. But it exists.
I think there are standards about it, and an implementation in linux.
But you must have an internal wireless PCI card I think, or an openwrt based wifi router.

David Boreham wrote:
> Justin Todd wrote:
>
>> I'm currently trying to optimize a linux machine which acts as a Layer 3
>> router of RTP H.263 video. Occasionally I'll get delays related to
>> layer 2 wireless retries, thus rendering the video on the receiving end
>> stale/useless.
>
> Maintaining QoS over wireless links, especially in the presence of
> interference, is tricky, perhaps impossible. My gut feel is that your
> problems are likely all wireless-related and the solution will lie there
> too. Perhaps the radios are queuing subsequent packets behind the one they
> attempt to re-transmit? Often there are tweakable parameters in the radios
> that you can try to play with (enable RTS for example).
>
> Good luck!

From rsenykoff at harrislogic.com Wed Nov 30 04:45:18 2005
From: rsenykoff at harrislogic.com (Ron Senykoff)
Date: Wed Nov 30 04:45:21 2005
Subject: [LARTC] Optimizing linux for the routing of realtime video
In-Reply-To: <438D0254.4070904@yahoo.fr>
References: <01f001c5f517$826cf9c0$c901a8c0@jtwin> <438CA70A.8030908@boreham.org> <438D0254.4070904@yahoo.fr>
Message-ID:

> >> I'm currently trying to optimize a linux machine which acts as a Layer 3
> >> router of RTP H.263 video. Occasionally I'll get delays related to
> >> layer 2 wireless retries, thus rendering the video on the receiving end
> >> stale/useless.
> >
> > Maintaining QoS over wireless links, especially in the presence of
> > interference, is tricky, perhaps impossible. My gut feel is that your
> > problems are likely all wireless-related and the solution will lie there
> > too. Perhaps the radios are queuing subsequent packets behind the one they
> > attempt to re-transmit? Often there are tweakable parameters in the radios
> > that you can try to play with (enable RTS for example).

The real problem here is that even though the video can handle packet loss, the wireless link prevents it. Video is sent w/ UDP packets, thus giving the application control of what to do with packet loss. However, the wireless link is guaranteeing delivery of those UDP packets. Thus I agree that the solution will have to be with the wireless link itself.

If it were me, I would look into providing dedicated APs for the wireless video. Or maybe go with an AP that supports multiple channels, and keep the video on a dedicated channel, so you don't get interference from other devices. Also make sure you aren't overloading the AP (for example, 54 megabit G radio is the total throughput for _all_ clients talking to it) and make sure there aren't other APs around causing interference. A rogue AP set up can cause real havoc, and newer APs even support 'countermeasures' to watch for these APs.

HTH

From vnulllists at pcnet.com.pl Wed Nov 30 09:02:16 2005
From: vnulllists at pcnet.com.pl (Jakub Wartak)
Date: Wed Nov 30 09:05:03 2005
Subject: [LARTC] Optimizing linux for the routing of realtime video
In-Reply-To: <438D0254.4070904@yahoo.fr>
References: <01f001c5f517$826cf9c0$c901a8c0@jtwin> <438CA70A.8030908@boreham.org> <438D0254.4070904@yahoo.fr>
Message-ID: <200511300902.17045.vnulllists@pcnet.com.pl>

On Wednesday, 30 November 2005 02:37, sophana wrote:
> I saw a wireless QoS package. Don't remember the name.

Do you mean http://frottle.sf.net/ ?

-- 
Jakub Wartak -vnull
FreeBSD/OpenBSD/Linux/Solaris/Network Administrator
http://vnull.pcnet.com.pl/

From GregScott at InfraSupportEtc.com Wed Nov 30 10:09:01 2005
From: GregScott at InfraSupportEtc.com (Greg Scott)
Date: Wed Nov 30 10:09:07 2005
Subject: [LARTC] Optimizing linux for the routing of realtime video
Message-ID: <925A849792280C4E80C5461017A4B8A26BF1@mail733.InfraSupportEtc.com>

Are you sending anything else besides the H.263 stream over that wireless link? As an earlier reply mentioned, your problem could be related to radio issues - and if so, nothing you can do about it.

Well, maybe there is. You would need something that would watch the queue of outbound H.263 packets and get rid of anything older than (some number) of milliseconds. I don't know of any packages that do this.

If the issue is contention with other packet streams from other apps inside your network, then you can prioritize the H.263 stuff so that these packets tend to the top of the outbound queue.

- Greg Scott

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Justin Todd
Sent: Tuesday, November 29, 2005 1:03 PM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] Optimizing linux for the routing of realtime video

I'm currently trying to optimize a linux machine which acts as a Layer 3 router of RTP H.263 video. Occasionally I'll get delays related to layer 2 wireless retries, thus rendering the video on the receiving end stale/useless.

Is there a way to optimize a linux machine to route realtime video? In my case, losing a few frames of H.263 is better than having the video delayed for 5 seconds (H.263 has its own methods for error concealing which work pretty well).

As far as I know, there are a few things I could do:

- Sysctl options allow for some minimal TCP/IP stack configuration
- iptables?
- tc?

Basically, I need some way to discard old data that's sitting in the transmit queue.

Regards,
Justin

From unki at netshadow.at Wed Nov 30 11:05:18 2005
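Greg Scott's idea above (watch the outbound queue and get rid of anything older than some number of milliseconds) is what Justin asked for when he said losing frames is better than a 5 second delay. The simulation below is an added example, not the poster's configuration and not an existing package: it models a transmit queue that discards stale packets at its head and compares it with a plain FIFO across a link that stalls for 5 seconds. The frame rate (one packet every 33 ms), the stall window, the per-packet send time and the 200 ms age limit are constructed values.

```python
"""Delay-bounded transmit queue versus a plain FIFO, simulated at 1 ms steps."""
from collections import deque


class BoundedAgeQueue:
    """FIFO that drops any packet older than max_age_ms when it reaches the head.

    max_age_ms=None disables the check and gives a plain FIFO for comparison.
    """

    def __init__(self, max_age_ms=None):
        self.max_age_ms = max_age_ms
        self.q = deque()
        self.dropped = 0

    def enqueue(self, pkt_id, now_ms):
        self.q.append((pkt_id, now_ms))

    def dequeue(self, now_ms):
        """Return (pkt_id, queueing delay in ms) for the oldest fresh packet, or None."""
        while self.q:
            pkt_id, t_in = self.q.popleft()
            age = now_ms - t_in
            if self.max_age_ms is None or age <= self.max_age_ms:
                return pkt_id, age
            self.dropped += 1  # stale frame: the decoder would discard it anyway
        return None


def simulate(max_age_ms, frame_ms=33, n_frames=300, stall=(500, 5500),
             tx_ms=5, late_ms=200):
    """One frame enters every frame_ms; the link is stalled during `stall`
    (a layer 2 retry storm, constructed) and otherwise sends one packet per tx_ms.
    Returns counts of delivered, dropped and late (> late_ms) frames plus the
    worst queueing delay seen."""
    q = BoundedAgeQueue(max_age_ms)
    delays = []
    next_frame, next_arrival, link_free_at = 0, 0, 0
    for t in range(frame_ms * n_frames + 10_000):
        while next_frame < n_frames and next_arrival <= t:
            q.enqueue(next_frame, next_arrival)
            next_frame += 1
            next_arrival += frame_ms
        if stall[0] <= t < stall[1] or t < link_free_at:
            continue
        out = q.dequeue(t)
        if out is not None:
            delays.append(out[1])
            link_free_at = t + tx_ms
    return {
        "delivered": len(delays),
        "dropped": q.dropped,
        "max_delay_ms": max(delays),
        "late_frames": sum(1 for d in delays if d > late_ms),
    }


if __name__ == "__main__":
    print("plain FIFO:    ", simulate(None))
    print("max age 200 ms:", simulate(200))
```

With these inputs the plain FIFO delivers all 300 frames but 171 of them arrive more than 200 ms late (the first one backed up for almost 5 seconds), while the age-bounded queue drops the 145 frames that went stale during the stall and everything it does send is at most 187 ms old. Dropping happens at dequeue time rather than on arrival so that the decision uses the packet's real age at the moment the link is free; a tail-drop limit on queue length cannot distinguish a short burst from a long stall.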
From: unki at netshadow.at (Andreas Unterkircher)
Date: Wed Nov 30 11:05:21 2005
Subject: [LARTC] Screening packets within tc-classes
Message-ID: <20051130.Dqk.80373300@egroupware.netshadow.at>

Hello list,

I'm currently a bit planless so perhaps someone here could give me a pointer in the right direction.

History: I wrote a shaper web tool (http://shaper.netshadow.at) and now got several feature requests asking if it would be possible to graph "what's going on" (this means per IP address, tcp/udp ports or protocols) in a specific chain. A chain represents a specific tc-class. Packets get into these chains via tc-filter or iptables MARK.

Currently I'm drawing graphs with data got from the dequeuing counters via tc -s class show dev ${IF}. Not the best way - I know - but it was enough until now.

Now the question is - is it possible to get direct access to network packets that flow through a specific tc-class?

I was thinking about iptables and dumping the MARK-value via libpcap. But I don't think that this will work because the pcap-filter is attached to the device itself before the iptables rules (like the restore-mark) are acting. So I guess libpcap will not see this.

I was also thinking about forwarding the traffic of each chain to a dummy device. But with a greater amount of chains this will become an enormous overhead.

In summary I'm searching for an "easy" way to get the traffic which flows to a specific tc-class to make some graphs. From IP/MAC-level to tcp/udp ports. If there is no such way I will simply dump all the data from libpcap and try to extract the necessary details from this data and parse it.

Any ideas are welcome.

Cheers,
Andreas

From kaber at trash.net Thu Dec 1 12:23:06 2005
From: kaber at trash.net (Patrick McHardy)
Date: Thu Dec 1 12:23:22 2005
Subject: [LARTC] Screening packets within tc-classes
In-Reply-To: <20051130.Dqk.80373300@egroupware.netshadow.at>
References: <20051130.Dqk.80373300@egroupware.netshadow.at>
Message-ID: <438EDD1A.8080709@trash.net>

Andreas Unterkircher wrote:
> Hello list,
>
> I'm currently a bit planless so perhaps someone here could give me a pointer in
> the right direction.
>
> History: I wrote a shaper web tool (http://shaper.netshadow.at) and now got
> several feature requests asking if it would be possible to graph "what's going on"
> (this means per IP address, tcp/udp ports or protocols) in a specific chain. A
> chain represents a specific tc-class. Packets get into these chains via
> tc-filter or iptables MARK.
>
> Currently I'm drawing graphs with data got from the dequeuing counters via tc
> -s class show dev ${IF}. Not the best way - I know - but it was enough until
> now.
>
> Now the question is - is it possible to get direct access to network packets
> that flow through a specific tc-class?
>
> I was thinking about iptables and dumping the MARK-value via libpcap. But I
> don't think that this will work because the pcap-filter is attached to the
> device itself before the iptables rules (like the restore-mark) are acting. So
> I guess libpcap will not see this.

No it won't, but it's not able to use the netfilter mark anyway. One way would be to use the ipt action combined with the ULOG target and send packets to userspace that way.

From michael at bbd.co.za Thu Dec 1 17:23:10 2005
From: michael at bbd.co.za (Michael Davidson)
Date: Thu Dec 1 17:23:21 2005
Subject: [LARTC] Wrong src addr is pkts
Message-ID: <438F236E.5010900@bbd.co.za>

Hi

I have a FW dual homed to the Internet via a leased line and most recently by an ADSL line. I have SQUID running on the FW which I want to direct to the ADSL line as well as other traffic from my LAN. After reading the LARTC Howto and the on-line book by Matthew ?? I have my LAN-Internet traffic sorted but the SQUID traffic is a problem.

This is my config on a test machine:

Chain OUTPUT (policy ACCEPT 47542 packets, 4771K bytes)
 pkts bytes target     prot opt in     out     source               destination
  458 44858 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:80:443 MARK set 0x1d

# ip rule ls
0:      from all lookup local
2000:   from all fwmark 0x1d iif lo lookup table2
32766:  from all lookup main
32767:  from all lookup default

# ip route ls table 2
192.168.10.16/28 dev eth1  proto kernel  scope link  src 192.168.10.30
10.1.1.0/24 dev eth2  proto kernel  scope link  src 10.1.1.254
10.3.0.0/23 dev eth0  proto kernel  scope link  src 10.3.1.224
default via 10.1.1.59 dev eth2  src 10.1.1.254

Eth0 is the leased line, eth2 is the ADSL line and eth1 my internal LAN. My default route in the "main" table points to the leased line.

With the above config I find that the output of squid is routed to the ADSL line as desired; however, the problem is that the source address in the packets is that of my LL interface. Is there a way to fix this? I've read a lot on the web but I find that I'm now going in circles so any help would be appreciated.

Regards
Mike.D.

From unki at netshadow.at Thu Dec 1 18:45:42 2005
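Both the dual-ADSL post earlier in this digest and Michael's setup above rely on three pieces agreeing with each other: the iptables MARK rules, the `ip rule` entries that select a table per fwmark, and the contents of those tables. The script below is an added example, not either poster's code: it parses the three outputs in the form they appear on this page (`--set-mark` script lines, `ip rule ls`, `ip route ls table <name>`) and reports marks no rule routes, tables with no default route, and marks whose tables are identical. The sample inputs are constructed after the dual-ADSL post; mark 16 and the empty p2p_05 table are deliberate additions so that every check fires once.

```python
"""Consistency check for fwmark-based policy routing (constructed inputs)."""
import re
from collections import defaultdict

# Constructed: mark-setting rules in the same form as the dual-ADSL script.
MARK_RULES = """
$IPTABLES -t mangle -A PREROUTING -i tun0 -p tcp -m multiport --destination-ports 4242,4661,4662,4663,4711 -j MARK --set-mark 11
$IPTABLES -t mangle -A PREROUTING -i tun0 -p udp -m multiport --destination-ports 4672 -j MARK --set-mark 11
$IPTABLES -t mangle -A PREROUTING -i tun0 -p tcp --dport 6881:6889 -j MARK --set-mark 12
$IPTABLES -t mangle -A PREROUTING -i tun0 -p tcp --dport 6969 -j MARK --set-mark 12
$IPTABLES -t mangle -A PREROUTING -i tun0 -p tcp -m multiport --destination-ports 411,1412,20000 -j MARK --set-mark 13
$IPTABLES -t mangle -A PREROUTING -i tun0 -p tcp -m multiport --destination-ports 1214,6699 -j MARK --set-mark 14
$IPTABLES -t mangle -A PREROUTING -i tun0 -p udp --dport 1214 -j MARK --set-mark 14
$IPTABLES -t mangle -A PREROUTING -i tun0 -p tcp -m multiport --destination-ports 6346,6347 -j MARK --set-mark 15
$IPTABLES -t mangle -A PREROUTING -i tun0 -p udp -m multiport --destination-ports 6346,6347 -j MARK --set-mark 15
$IPTABLES -t mangle -A PREROUTING -i tun0 -p tcp --dport 5222 -j MARK --set-mark 16
"""

# Constructed: `ip rule ls` output; marks are printed in hex, and 0x10 has no rule.
IP_RULE_LS = """
0:      from all lookup local
32761:  from all fwmark 0xb lookup p2p_01
32762:  from all fwmark 0xc lookup p2p_02
32763:  from all fwmark 0xd lookup p2p_03
32764:  from all fwmark 0xe lookup p2p_04
32765:  from all fwmark 0xf lookup p2p_05
32766:  from all lookup main
32767:  from all lookup default
"""

# Constructed: `ip route ls table <name>` output per table; p2p_05 is left empty.
ROUTE_TABLES = {
    "p2p_01": "default via 192.168.3.1 dev eth0",
    "p2p_02": "default via 192.168.3.1 dev eth0",
    "p2p_03": "default via 192.168.3.1 dev eth0",
    "p2p_04": "default via 192.168.3.1 dev eth0",
    "p2p_05": "",
}

SET_MARK_RE = re.compile(r"--set-mark\s+(0x[0-9a-fA-F]+|\d+)")
PORTS_RE = re.compile(r"(?:--dport|--dports|--destination-ports)\s+(\S+)")
PROTO_RE = re.compile(r"-p\s+(\w+)")
# Tolerates extra selectors between the mark and the table, e.g. "fwmark 0x1d iif lo lookup table2".
RULE_RE = re.compile(r"fwmark\s+(0x[0-9a-fA-F]+|\d+)(?:/\S+)?\s+(?:.*\s)?lookup\s+(\S+)")


def parse_marks(script):
    """Map each mark value to the set of 'proto/ports' selectors that set it."""
    marks = defaultdict(set)
    for line in script.splitlines():
        m = SET_MARK_RE.search(line)
        if not m:
            continue
        proto = PROTO_RE.search(line)
        ports = PORTS_RE.search(line)
        marks[int(m.group(1), 0)].add(
            f"{proto.group(1) if proto else 'any'}/{ports.group(1) if ports else 'any'}")
    return dict(marks)


def parse_ip_rules(text):
    """Map fwmark value -> table name from `ip rule ls` output."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            rules[int(m.group(1), 0)] = m.group(2)
    return rules


def audit(marks, rules, tables):
    """Return findings as strings; an empty list means the three pieces agree."""
    findings = []
    for mark in sorted(marks):
        table = rules.get(mark)
        if table is None:
            findings.append(f"mark {mark}: set by iptables but no 'ip rule' selects a table for it")
            continue
        routes = tables.get(table, "")
        if not any(r.split()[:1] == ["default"] for r in routes.splitlines()):
            findings.append(f"mark {mark}: table {table} has no default route; lookups fall through to main")
    # Marks whose tables hold identical routes could share one mark and one table.
    by_route = defaultdict(list)
    for mark, table in rules.items():
        if mark in marks and tables.get(table, "").strip():
            by_route[" ".join(tables[table].split())].append(mark)
    for route, group in by_route.items():
        if len(group) > 1:
            findings.append(f"marks {sorted(group)} all use an identical table ({route}); one mark would do")
    return findings


def run():
    return audit(parse_marks(MARK_RULES), parse_ip_rules(IP_RULE_LS), ROUTE_TABLES)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

On a real box the three inputs come from `iptables-save -t mangle` (or the script itself), `ip rule ls` and `ip route ls table <name>`; the checker only needs the text. The identical-table finding is the one that applies directly to the dual-ADSL post: all five tables carry the same default route, so the answer to "can I use the same mark for different ports" is already visible in that script, where mark 11 is set by two different rules.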
From: unki at netshadow.at (Andreas Unterkircher)
Date: Thu Dec 1 18:45:45 2005
Subject: [LARTC] Screening packets within tc-classes
In-Reply-To: <438EDD1A.8080709@trash.net>
References: <20051130.Dqk.80373300@egroupware.netshadow.at> <438EDD1A.8080709@trash.net>
Message-ID: <438F36C6.6010906@netshadow.at>

Good suggestion to use ulog for this. So I could dump exactly the traffic which would run through a class (CLASSIFY) to analyze and extract the necessary data to draw the graphs. So I do not have to parse my class
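Andreas's tool currently graphs the dequeue counters from `tc -s class show dev ${IF}`, and the thread turns on what those counters can and cannot give. The parser below is an added example, not code from the shaper tool: it reads that output in the layout tc prints for HTB classes, takes two snapshots a known interval apart, and turns the byte and packet deltas into per-class rates, flagging a class that moved more than its ceil over the interval and reporting new drops. Both snapshots are constructed; the second differs from the first only in the counters of 1:1 and 1:10.

```python
"""Per-class rates from two `tc -s class show` snapshots (constructed samples)."""
import re

CLASS_RE = re.compile(r"^class (\S+) (\S+) (?:root|parent (\S+))(.*)$")
SENT_RE = re.compile(r"Sent (\d+) bytes (\d+) pkt \(dropped (\d+), overlimits (\d+)")
RATE_RE = re.compile(r"\b(rate|ceil) (\d+(?:\.\d+)?)([KMG]?)bit")
UNIT = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}

# Constructed snapshot at t = 0 s, in the layout `tc -s class show dev eth0` prints.
SAMPLE_T0 = """\
class htb 1:1 root rate 1Mbit ceil 1Mbit burst 1600b cburst 1600b
 Sent 1250000 bytes 1400 pkt (dropped 0, overlimits 120 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 200 borrowed: 0 giants: 0
 tokens: 10240 ctokens: 10240

class htb 1:10 parent 1:1 prio 0 rate 64Kbit ceil 64Kbit burst 1599b cburst 1599b
 Sent 800000 bytes 900 pkt (dropped 12, overlimits 30 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 900 borrowed: 0 giants: 0
 tokens: 2500000 ctokens: 2500000

class htb 1:20 parent 1:1 prio 1 rate 128Kbit ceil 512Kbit burst 1599b cburst 1599b
 Sent 450000 bytes 500 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 500 borrowed: 0 giants: 0
 tokens: 1250000 ctokens: 312500
"""

# Constructed snapshot 10 s later: 1:10 (and so its parent 1:1) moved 85000 bytes
# in 95 packets and dropped 3 more; 1:20 was idle.
SAMPLE_T10 = (SAMPLE_T0
    .replace("Sent 1250000 bytes 1400 pkt (dropped 0, overlimits 120",
             "Sent 1335000 bytes 1495 pkt (dropped 0, overlimits 140")
    .replace("Sent 800000 bytes 900 pkt (dropped 12, overlimits 30",
             "Sent 885000 bytes 995 pkt (dropped 15, overlimits 40"))


def parse_tc_class_stats(text):
    """Return {classid: {...}} with cumulative counters and configured rate/ceil in bit/s."""
    classes, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CLASS_RE.match(line)
        if m:
            kind, classid, parent, rest = m.groups()
            cur = {"kind": kind, "parent": parent}  # parent is None for the root class
            for key, num, unit in RATE_RE.findall(rest):
                cur[key + "_bps"] = int(float(num) * UNIT[unit])
            classes[classid] = cur
            continue
        m = SENT_RE.search(line)
        if m and cur is not None:
            for key, val in zip(("bytes", "pkts", "dropped", "overlimits"), m.groups()):
                cur[key] = int(val)
    return classes


def class_rates(before, after, interval_s):
    """Turn two counter snapshots into per-class rates over the interval."""
    rates = {}
    for cid, b in after.items():
        a = before.get(cid)
        if a is None:  # class created between snapshots: no delta yet
            continue
        bps = (b["bytes"] - a["bytes"]) * 8 / interval_s
        rates[cid] = {
            "bits_per_s": bps,
            "pkts_per_s": (b["pkts"] - a["pkts"]) / interval_s,
            "drops": b["dropped"] - a["dropped"],
            "over_ceil": "ceil_bps" in b and bps > b["ceil_bps"],
        }
    return rates


if __name__ == "__main__":
    t0 = parse_tc_class_stats(SAMPLE_T0)
    t10 = parse_tc_class_stats(SAMPLE_T10)
    for cid, r in sorted(class_rates(t0, t10, 10).items()):
        print(cid, r)
```

Two things this output makes plain about the counter approach. The "Sent" figure of an HTB parent class includes what its children sent, so 1:1 and 1:10 show the same 68 kbit/s here, and a dashboard that sums parents and children double counts. And the counters are totals per class: there is no way to split them by IP address or port, which is exactly why the thread moves on to getting at the packets themselves (the ipt action with ULOG that Patrick suggests) for the per-flow graphs Andreas was asked for.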