From gregoriandres at yahoo.com.ar Mon Jan 2 05:04:04 2006
From: gregoriandres at yahoo.com.ar (LinuXKiD)
Date: Mon Jan 2 05:04:47 2006
Subject: [LARTC] [OT?] MikroTik instead Linux ?
Message-ID:

[Off topic?]

Can somebody help me convince some people to use Linux instead of MikroTik?

Happy new year.

Andres.


From manish at tuxspace.com Mon Jan 2 08:37:58 2006
From: manish at tuxspace.com (Manish Kathuria)
Date: Mon Jan 2 08:38:13 2006
Subject: [LARTC] [OT?] MikroTik instead Linux ?
In-Reply-To:
References:
Message-ID: <43B8D856.5090006@tuxspace.com>

LinuXKiD wrote:
> [Off topic?]
>
> Can somebody help me convince some people
> to use Linux instead of MikroTik?
>
> Happy new year.
>
> Andres.

As far as I remember, MikroTik is also based on Linux, except that they have their own shell with a different set of commands.


From rkurjata at ire.pw.edu.pl Mon Jan 2 10:24:42 2006
From: rkurjata at ire.pw.edu.pl (Robert Kurjata)
Date: Mon Jan 2 10:24:33 2006
Subject: [LARTC] [OT?] MikroTik instead Linux ?
In-Reply-To:
References:
Message-ID: <55296652.20060102102442@ire.pw.edu.pl>

Hello LinuXKiD,

In your letter dated 2 January 2006 (05:04:04) one can read:

> [Off topic?]
> Can somebody help me convince some people
> to use Linux instead of MikroTik?

MikroTik IS a Linux :) (the previous release was using kernel 2.4.14)

But when I needed to make access points and wireless bridges, I created my own distro instead of buying MikroTik. It took almost 1 day (starting from bare bering-uclibc) to do, and I have full control over it. Since then we have over 10 wireless p2p and p2mp connections with an uptime of more than 50 days each.

So, if you have a qualified person to make that solution for you, Linux gives you more control. If not, MikroTik is ready to go out of the box.

> Happy new year.
> Andres.
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

--
Regards,
Robert Kurjata


From aleksander at krediidiinfo.ee Mon Jan 2 15:40:54 2006
From: aleksander at krediidiinfo.ee (Aleksander)
Date: Mon Jan 2 15:39:42 2006
Subject: [LARTC] Several IP's, one mail and http server
Message-ID: <43B93B76.7000702@krediidiinfo.ee>

Hi,

I want to have several IPs for my connection, and each IP will have its own hostname.

Now I want to serve a web server and a mail server for each hostname/IP_addr pair on the same box in the internal LAN, using one apache and one postfix daemon.

If I do one SNAT and several DNATs, then only the hostname which I SNAT the server to would work.

Is the only way to do it correctly to assign the internal server several IPs (virtual interfaces) and then make SNAT and DNATs for each interface/IP_addr individually?

ATM I've got one IP and several hostnames. Using DNAT and apache's name based virtual hosts, things work. I am planning on getting each hostname its own IP address, but continuing to use the same http server for all the hosts, at least for now.

Configuring the mail server might be even trickier; I don't know if Postfix supports listening on different interfaces and having a different hostname for each interface/IP. I know it's OK if Postfix tells SMTP clients that its hostname is A although the clients connected to hostname B, but it's still ugly.

The gateway and server are linuxes (correct spelling?) of course. And the gateway stays; the server has to stay in the LAN. So would the virtual interface solution work, and is it the only one?

Thanks in advance,
Alex


From eantoranz at gmail.com Mon Jan 2 15:44:41 2006
From: eantoranz at gmail.com (Edmundo Carmona)
Date: Mon Jan 2 15:44:45 2006
Subject: [LARTC] Several IP's, one mail and http server
In-Reply-To: <43B93B76.7000702@krediidiinfo.ee>
References: <43B93B76.7000702@krediidiinfo.ee>
Message-ID: <65aa6af90601020644g6e387b91vbc9fe113d4862e55@mail.gmail.com>

I don't know about the mail server, but apache supports virtual domains, and so the requests will be served differently depending on the request's domain, and not the IP of the host. A single IP should do the trick.

On 1/2/06, Aleksander wrote:
> Hi,
>
> I want to have several IPs for my connection, and each IP will have its
> own hostname.
> [...]


From aleksander at krediidiinfo.ee Mon Jan 2 16:18:27 2006
From: aleksander at krediidiinfo.ee (Aleksander)
Date: Mon Jan 2 16:16:40 2006
Subject: [LARTC] Several IP's, one mail and http server
In-Reply-To: <65aa6af90601020644g6e387b91vbc9fe113d4862e55@mail.gmail.com>
References: <43B93B76.7000702@krediidiinfo.ee> <65aa6af90601020644g6e387b91vbc9fe113d4862e55@mail.gmail.com>
Message-ID: <43B94443.3080403@krediidiinfo.ee>

Edmundo Carmona wrote:
> I don't know about the mail server, but apache supports virtual
> domains, and so the requests will be served differently depending on
> the request's domain, and not the IP of the host. A single IP should
> do the trick.

Yes, that's the case when the hostnames have the same IP. But when they have different ones and apache tries to answer their request, the clients will deny it, as it comes from a different IP.

Some ascii 'art' might help:

192.168.0.10 has external IP a.b.c.d (iptables SNAT)

a.b.c.d:80 DNAT \
                 ---> 192.168.0.10:80
a.b.c.f:80 DNAT /

The request from the client arrives at apache and apache answers, no matter via which external IP it comes. But when the request comes via a.b.c.f, then the client will be expecting the answer from a.b.c.f, not a.b.c.d, where it will come from. Apache is assigned a.b.c.d and has no way of changing that; actually apache thinks it is sending from 192.168.0.10 anyway.

The only solution I see is having a (virtual) interface for each external IP. That so?
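The setup Alex describes (one gateway holding several public addresses, one internal box behind it, a DNAT per public address and an SNAT for what the box sends out) is easy to get subtly wrong by hand, so here is an added example that is not part of the thread and not anyone's production script: a POSIX shell rule generator that prints the netfilter commands for a per-service public/private mapping instead of running them, so the result can be reviewed before it touches a live gateway. Everything in it is an assumption: eth0 as the outside interface, `/sbin/iptables` with the `conntrack` match, and the address plan in SERVICE_MAP, which uses documentation ranges rather than the thread's real addresses.

```shell
#!/bin/sh
# Added example: print the gateway rules for "several public IPs, one internal
# server". Nothing here is executed against a firewall; pipe the output to sh
# on the gateway once it has been reviewed. Assumptions: WAN_IF is the outside
# interface and IPT is an iptables that has the conntrack match.

WAN_IF=${WAN_IF:-eth0}
IPT=${IPT:-/sbin/iptables}

# Constructed address plan (RFC 5737 / RFC 1918 documentation ranges), one
# service per line: "<public_ip> <private_ip> <tcp ports, comma separated>".
SERVICE_MAP='
203.0.113.2 192.168.0.2 25,110,143
203.0.113.4 192.168.0.4 80
'

# base_rules: stateful FORWARD chain. Replies and related traffic are admitted
# by connection state, so the per-service rules only need to admit NEW
# connections instead of blindly accepting every packet to those ports.
base_rules() {
    echo "$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP"
}

# service_rules PUBLIC PRIVATE PORTS: for each port, a PREROUTING DNAT from the
# public address to the private one plus a FORWARD rule for NEW connections;
# then one POSTROUTING SNAT so connections the server itself opens (outbound
# SMTP, where reverse DNS matters) leave with the matching public address.
service_rules() {
    pub=$1; priv=$2; ports=$3
    for p in $(echo "$ports" | tr ',' ' '); do
        echo "$IPT -t nat -A PREROUTING -i $WAN_IF -d $pub -p tcp --dport $p -j DNAT --to-destination $priv"
        echo "$IPT -A FORWARD -i $WAN_IF -d $priv -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "$IPT -t nat -A POSTROUTING -o $WAN_IF -s $priv -j SNAT --to-source $pub"
}

# all_rules: the state rules first, then one block per SERVICE_MAP line.
all_rules() {
    base_rules
    printf '%s\n' "$SERVICE_MAP" | while read -r pub priv ports; do
        [ -n "$pub" ] || continue
        service_rules "$pub" "$priv" "$ports"
    done
}

# rule_count: number of commands all_rules emits, for a quick sanity check.
rule_count() {
    all_rules | wc -l | tr -d ' '
}

all_rules
```

Two points about ordering. The per-server SNAT lines have to precede any catch-all MASQUERADE or SNAT for the LAN in POSTROUTING, otherwise the generic rule wins and the mail server's outbound connections appear from the gateway's default address. Replies to DNATed inbound connections are not affected by these SNAT rules at all: conntrack reverses the DNAT on the reply path, so a client that connected to 203.0.113.4 gets its answer from 203.0.113.4 without any extra rule.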
From eantoranz at gmail.com Mon Jan 2 16:29:33 2006
From: eantoranz at gmail.com (Edmundo Carmona)
Date: Mon Jan 2 16:29:34 2006
Subject: [LARTC] Several IP's, one mail and http server
In-Reply-To: <43B94443.3080403@krediidiinfo.ee>
References: <43B93B76.7000702@krediidiinfo.ee> <65aa6af90601020644g6e387b91vbc9fe113d4862e55@mail.gmail.com> <43B94443.3080403@krediidiinfo.ee>
Message-ID: <65aa6af90601020729p3c0723adwe68ff50dca60bc8e@mail.gmail.com>

Can you SNAT (or masquerade) the requests before they are forwarded to the WEB SERVER? That would do the trick (but destroy the statistics :-( )

On 1/2/06, Aleksander wrote:
> The only solution I see is having a (virtual) interface for each
> external IP. That so?


From aleksander at krediidiinfo.ee Mon Jan 2 16:42:33 2006
From: aleksander at krediidiinfo.ee (Aleksander)
Date: Mon Jan 2 16:40:43 2006
Subject: [LARTC] Several IP's, one mail and http server
In-Reply-To: <65aa6af90601020729p3c0723adwe68ff50dca60bc8e@mail.gmail.com>
References: <43B93B76.7000702@krediidiinfo.ee> <65aa6af90601020644g6e387b91vbc9fe113d4862e55@mail.gmail.com> <43B94443.3080403@krediidiinfo.ee> <65aa6af90601020729p3c0723adwe68ff50dca60bc8e@mail.gmail.com>
Message-ID: <43B949E9.9000904@krediidiinfo.ee>

Edmundo Carmona wrote:
> Can you SNAT (or masquerade) the requests before they are forwarded to
> the WEB SERVER? That would do the trick (but destroy the statistics
> :-( )

I can't really imagine doing an iptables SNAT (and delete!) for each connection which is DNAT'ed. And even if that were possible, because there are several services running, the SNATting would fall out of sync instantly. If that is what you propose.


From eantoranz at gmail.com Mon Jan 2 16:47:04 2006
From: eantoranz at gmail.com (Edmundo Carmona)
Date: Mon Jan 2 16:47:08 2006
Subject: [LARTC] Several IP's, one mail and http server
In-Reply-To: <43B949E9.9000904@krediidiinfo.ee>
References: <43B93B76.7000702@krediidiinfo.ee> <65aa6af90601020644g6e387b91vbc9fe113d4862e55@mail.gmail.com> <43B94443.3080403@krediidiinfo.ee> <65aa6af90601020729p3c0723adwe68ff50dca60bc8e@mail.gmail.com> <43B949E9.9000904@krediidiinfo.ee>
Message-ID: <65aa6af90601020747p5afa05c8n2a8a87db1df046eb@mail.gmail.com>

If I understand correctly, the server is not directly connected to the internet, right?

There are some boxes connected to the internet instead... am I right?

If that's the case, in those boxes:

# your DNAT so requests are forwarded to the web server
iptables -t nat -A PREROUTING blah blah -j DAN --to-destination webServersIP

# my SNAT so web requests will (sure as hell) come back this way.
iptables -t nat -A POSTROUTING -p tcp --dport 80 -j SNAT --to-source thisHostsIP

Did I nail it?

On 1/2/06, Aleksander wrote:
> I can't really imagine doing an iptables SNAT (and delete!) for each
> connection which is DNAT'ed. [...]


From eantoranz at gmail.com Mon Jan 2 16:49:07 2006
From: eantoranz at gmail.com (Edmundo Carmona)
Date: Mon Jan 2 16:49:11 2006
Subject: Fwd: [LARTC] Several IP's, one mail and http server
In-Reply-To: <65aa6af90601020747p5afa05c8n2a8a87db1df046eb@mail.gmail.com>
References: <43B93B76.7000702@krediidiinfo.ee> <65aa6af90601020644g6e387b91vbc9fe113d4862e55@mail.gmail.com> <43B94443.3080403@krediidiinfo.ee> <65aa6af90601020729p3c0723adwe68ff50dca60bc8e@mail.gmail.com> <43B949E9.9000904@krediidiinfo.ee> <65aa6af90601020747p5afa05c8n2a8a87db1df046eb@mail.gmail.com>
Message-ID: <65aa6af90601020749r2874b160nea4b5ae895206c78@mail.gmail.com>

There was a typo. It was DNAT, and not DAN

---------- Forwarded message ----------
From: Edmundo Carmona
Date: Jan 2, 2006 11:47 AM
Subject: Re: [LARTC] Several IP's, one mail and http server
To: lartc


From lartc at nospam.otaku42.de Mon Jan 2 08:20:47 2006
From: lartc at nospam.otaku42.de (Michael Renzmann)
Date: Mon Jan 2 16:58:31 2006
Subject: [LARTC] [OT?] MikroTik instead Linux ?
In-Reply-To:
References:
Message-ID: <1136186448.4459.33.camel@gimli>

Hi.

On Mon, 2006-01-02 at 01:04 -0300, LinuXKiD wrote:
> Can somebody help me convince some people
> to use Linux instead of MikroTik?

MikroTik's RouterOS IS Linux. You just give a lot of the options to control all the knobs that Linux provides out of your hands, afaik.

Bye, Mike


From aleksander at krediidiinfo.ee Mon Jan 2 17:07:30 2006
From: aleksander at krediidiinfo.ee (Aleksander)
Date: Mon Jan 2 17:05:45 2006
Subject: Fwd: [LARTC] Several IP's, one mail and http server
In-Reply-To: <65aa6af90601020749r2874b160nea4b5ae895206c78@mail.gmail.com>
References: <43B93B76.7000702@krediidiinfo.ee> <65aa6af90601020644g6e387b91vbc9fe113d4862e55@mail.gmail.com> <43B94443.3080403@krediidiinfo.ee> <65aa6af90601020729p3c0723adwe68ff50dca60bc8e@mail.gmail.com> <43B949E9.9000904@krediidiinfo.ee> <65aa6af90601020747p5afa05c8n2a8a87db1df046eb@mail.gmail.com> <65aa6af90601020749r2874b160nea4b5ae895206c78@mail.gmail.com>
Message-ID: <43B94FC2.4030006@krediidiinfo.ee>

Edmundo Carmona wrote:
> There was a typo. It was DNAT, and not DAN
>
> ---------- Forwarded message ----------
> From: Edmundo Carmona
> Date: Jan 2, 2006 11:47 AM
> Subject: Re: [LARTC] Several IP's, one mail and http server
> To: lartc
>
> If I understand correctly, the server is not directly connected to the
> internet, right?
>
> There are some boxes connected to the internet instead... am I right?
One connection, several IP addrs with their own host names. One gateway with these several external IPs. The gateway has one internal IP too, of course. The gateway does SNAT for the internal LAN.

Clients connect to the gateway using different hostnames and therefore different IPs. They are connecting to a webserver, which is in the internal LAN. They can connect thanks to DNAT (one DNAT for each IP to the same box in the LAN).

When the server on the internal LAN answers the requests, its external IP is assigned by the SNAT rule. If that external IP is not the same as the one to which the client connected, the client will drop the server's responses: they come from a different IP than the one it connected to in the first place.

The only way I see to make it work would be to have apache use IP based virtual hosts. That requires virtual interfaces, correct?

By clients I mean random users all over the Internet who connect to different IPs on the same gateway. How other machines in the LAN connect to the webserver using valid hostnames is another business, easily resolved with DNS zones.

Hope you can figure this out.

Thanks for the interest, I'll be back tomorrow.

Alex


From kajtek at biezanow.net Mon Jan 2 18:01:37 2006
From: kajtek at biezanow.net (Kajetan Staszkiewicz)
Date: Mon Jan 2 18:01:50 2006
Subject: [LARTC] TC in Wireless Environment
In-Reply-To: <003c01c60bc9$2c82cee0$6a01a8c0@AZIM>
References: <003c01c60bc9$2c82cee0$6a01a8c0@AZIM>
Message-ID: <200601021801.37454.kajtek@biezanow.net>

On Wednesday, 28 December 2005 17:10, you wrote:
> Thank you so much for your reply. It's my mistake - I should have made it a
> bit more transparent. But yes, you got me right on that.
>
> I will try to discuss 2 probable scenarios -
>
> 1. Ingress - suppose I have an ingress policer, which allows data to enter
> the system at 2 Mbps. I should be able to set it to 1Mbps or increase it to 3Mbps
> depending on my wireless network conditions. Wireless links are dynamic and
> the error rate is high. Hence I want to set the policer to these values,
> without losing any packets and without disturbing the queuing discipline.
>
> 2. Egress - I use a token bucket to shape outgoing traffic. Similarly,
> here also, I should be able to dynamically set the outgoing rate, without
> reloading all the queue parameters.
>
> I want to control this on multiple interfaces. But initially, it would be
> good to try such a thing on only one interface.
>
> I would like to know if such a provision is available in TC.

So it is only settings for one machine? Deleting and adding just a few rules should not be such a big problem.

In my case adding new rules takes about 30 seconds (hundreds of rules for each user in the network), so as I mentioned I use `tc class change`. It works just like `tc class add`:

(from a perl script)
`$TC class change dev $ifname parent 1:6667 classid 1:$klasa htb rate 5kbit ceil $ceildown quantum 2000 burst 10kbit`;
`$TC class change dev imq$imqname parent 1:6667 classid 1:$klasa htb rate 5kbit ceil $ceilup quantum 2000 burst 10kbit`;

It changes the properties of the specified class without deleting all classes on the device (like `tc qdisc del dev eth0.11 root` does).

--
| greetings              | powered by Trustix, Gentoo and FreeBSD |
| Kajetan Staszkiewicz   | JID: vegeta@chrome.pl                  |
| Vegeta                 | IMQ devnames: http://tuxpowered.net    |
`------------------------^----------------------------------------'


From pzawora at interia.pl Mon Jan 2 18:24:50 2006
From: pzawora at interia.pl (Pawel Zawora)
Date: Mon Jan 2 18:25:45 2006
Subject: [LARTC] routing- multiple net provider, tcp logging
Message-ID: <43B961E2.6000206@interia.pl>

Hi all,

Is there any way to log TCP connections (not packets)? Something like this:

src_IP dst_IP srcPort dst_port bytes_sent bytes_received

Any netfilter extension?

2nd issue:

                  eth0------- connection 1
NET ---------gw (linux)
                  eth1--------connection 2

The real bandwidth on connection 1 and connection 2 depends on different things (i.e. weather).

How to detect that connection 1 is losing e.g. 50% of packets (or that the real bandwidth is less than ...) and, based on this, change routing?

Thanks for ANY help.

Pawel Z


From GregScott at InfraSupportEtc.com Mon Jan 2 18:51:25 2006
From: GregScott at InfraSupportEtc.com (Greg Scott)
Date: Mon Jan 2 18:51:25 2006
Subject: Fwd: [LARTC] Several IP's, one mail and http server
Message-ID: <925A849792280C4E80C5461017A4B8A26D5D@mail733.InfraSupportEtc.com>

You want multiple IP Addresses for email if you are hosting more than one domain. The reason is, everyone now checks for reverse DNS with email, so you need a different public IP Address for each email domain. This way, all the reverse DNS translations will be unique.

For apache, you can have multiple websites sharing the same IP Address as long as you don't do anything with SSL. SSL requires a unique IP Address for every website because of the way the protocol works. So you can use either name virtual hosts or IP based virtual hosts, your choice. Note that if you are hosting email and websites for the same domain, it **might** be convenient for the email and website for each domain to share an IP Address.

Let's say you decide you want unique IP Addresses for everything. Let's also say you have an external address range of, say, 1.2.3.0/29.
So this gives you the following IP Addresses, which we will assign like this:

1.2.3.0   not usable - defines the network
1.2.3.1   Outside (WAN) firewall interface
1.2.3.2   Public IP for first email
1.2.3.3   Public IP for 2nd email
1.2.3.4   Public IP for first website
1.2.3.5   Public IP for 2nd website
1.2.3.6   available for other stuff
1.2.3.7   defines the broadcast

Let's further say you have an internal LAN with, say, 192.168.0.0/24. Let's assign these IP Addresses:

192.168.0.1   Inside (LAN) firewall interface. This is the internal gateway everyone uses
192.168.0.2   Private IP for first email
192.168.0.3   Private IP for 2nd email
192.168.0.4   Private IP for first website
192.168.0.5   Private IP for 2nd website

Note that hosts 192.168.0.2 through .5 all point to the same physical box. This box could be Linux, Windows, or (pick your poison). It hosts all the websites and email domains.

So you have a firewall at 192.168.0.1 and another box with .2 thru .5. The firewall has 2 interfaces - one inside and one outside. Let's say that interface eth0 is the outside and eth1 is inside.

Next we need firewall rules. Here are some code fragments that should minimally do the trick:

*****************************************************************
. . .
PUBLIC_EMAIL1_IP="1.2.3.2"        # First mail server
PRIVATE_EMAIL1_IP="192.168.0.2"
PUBLIC_EMAIL2_IP="1.2.3.3"        # 2nd mail server
PRIVATE_EMAIL2_IP="192.168.0.3"
PUBLIC_WEB1_IP="1.2.3.4"          # First web server
PRIVATE_WEB1_IP="192.168.0.4"
PUBLIC_WEB2_IP="1.2.3.5"          # 2nd web server
PRIVATE_WEB2_IP="192.168.0.5"
. . .

# Email might butcher the text wrapping below
/sbin/ifconfig eth0:0 $PUBLIC_EMAIL1_IP netmask 255.255.255.248 broadcast 1.2.3.7
/sbin/ifconfig eth0:1 $PUBLIC_EMAIL2_IP netmask 255.255.255.248 broadcast 1.2.3.7
/sbin/ifconfig eth0:2 $PUBLIC_WEB1_IP netmask 255.255.255.248 broadcast 1.2.3.7
/sbin/ifconfig eth0:3 $PUBLIC_WEB2_IP netmask 255.255.255.248 broadcast 1.2.3.7

# You need a POSTROUTING rule for email.
echo "  Email (outbound SMTP, port 25)"
$IPTABLES -t nat -A POSTROUTING -o eth0 -p TCP --dport 25 \
    -s $PRIVATE_EMAIL1_IP -j SNAT --to $PUBLIC_EMAIL1_IP
. . .

# You need FORWARDing rules.  Email might butcher text wrapping.
echo "  Email packets for ports 25 (SMTP), 110 (POP3), and 143 (IMAP)"
$IPTABLES -A FORWARD -p TCP --dport 25 -s 0/0 -d $PRIVATE_EMAIL1_IP -j ACCEPT
$IPTABLES -A FORWARD -p TCP --dport 110 -s 0/0 -d $PRIVATE_EMAIL1_IP -j ACCEPT
$IPTABLES -A FORWARD -p TCP --dport 143 -s 0/0 -d $PRIVATE_EMAIL1_IP -j ACCEPT
$IPTABLES -A FORWARD -p TCP --dport 25 -s 0/0 -d $PRIVATE_EMAIL2_IP -j ACCEPT
$IPTABLES -A FORWARD -p TCP --dport 110 -s 0/0 -d $PRIVATE_EMAIL2_IP -j ACCEPT
$IPTABLES -A FORWARD -p TCP --dport 143 -s 0/0 -d $PRIVATE_EMAIL2_IP -j ACCEPT

echo "  WWW packets (port 80)"
$IPTABLES -A FORWARD -p TCP --dport 80 -s 0/0 -d $PRIVATE_WEB1_IP -j ACCEPT
$IPTABLES -A FORWARD -p TCP --dport 80 -s 0/0 -d $PRIVATE_WEB2_IP -j ACCEPT
. . .

# And you need PREROUTING rules
echo "  HTTP"
$IPTABLES -t nat -A PREROUTING -i eth0 -d $PUBLIC_WEB1_IP \
    -p tcp --dport 80 -j DNAT --to $PRIVATE_WEB1_IP
$IPTABLES -t nat -A PREROUTING -i eth0 -d $PUBLIC_WEB2_IP \
    -p tcp --dport 80 -j DNAT --to $PRIVATE_WEB2_IP

echo "  Email - SMTP, POP3, and IMAP"
$IPTABLES -t nat -A PREROUTING -i eth0 -d $PUBLIC_EMAIL1_IP \
    -p tcp --dport 25 -j DNAT --to $PRIVATE_EMAIL1_IP
$IPTABLES -t nat -A PREROUTING -i eth0 -d $PUBLIC_EMAIL1_IP \
    -p tcp --dport 110 -j DNAT --to $PRIVATE_EMAIL1_IP
$IPTABLES -t nat -A PREROUTING -i eth0 -d $PUBLIC_EMAIL1_IP \
    -p tcp --dport 143 -j DNAT --to $PRIVATE_EMAIL1_IP
$IPTABLES -t nat -A PREROUTING -i eth0 -d $PUBLIC_EMAIL2_IP \
    -p tcp --dport 25 -j DNAT --to $PRIVATE_EMAIL2_IP
$IPTABLES -t nat -A PREROUTING -i eth0 -d $PUBLIC_EMAIL2_IP \
    -p tcp --dport 110 -j DNAT --to $PRIVATE_EMAIL2_IP
$IPTABLES -t nat -A PREROUTING -i eth0 -d $PUBLIC_EMAIL2_IP \
    -p tcp --dport 143 -j DNAT --to $PRIVATE_EMAIL2_IP
*****************************************************************

Note that you can improve on the rules in the FORWARD chain. You'll want to test for RELATED and ESTABLISHED and not just blindly ACCEPT incoming packets on those ports. Think about jumping to a user defined table that tests for this instead of directly to ACCEPT.

- Greg Scott

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Aleksander
Sent: Monday, January 02, 2006 10:08 AM
To: lartc@mailman.ds9a.nl
Subject: Re: Fwd: [LARTC] Several IP's, one mail and http server


From kajtek at biezanow.net Mon Jan 2 21:09:21 2006
From: kajtek at biezanow.net (Kajetan Staszkiewicz)
Date: Mon Jan 2 21:09:25 2006
Subject: [LARTC] tc lockup
Message-ID: <200601022109.21132.kajtek@biezanow.net>

A few days ago I had a very big problem with tc. On the machine tc is used in many ways:
- from crontab to load night-time and day-time bandwidth (at 1am and 8am)
- from crontab to get statistics for qdiscs on WAN interfaces (every minute)
- from a perl/php database for changing user bandwidth (sometimes)

What happened: At 1am the night-time bandwidth should be loaded. tc hung up, and also every tc (for qdisc stats) loaded every minute from cron was waiting(?) for the first one to finish its job. So the next day I had several hundred tcs running and I was unable to kill any of them (loadavg 800 looks pretty bad). reboot -f was the only solution (some other daemons stopped working and everything was really slow).

The same thing happened about a year ago on some other server. After it I added some changes to the qdisc stats script to check if there is any other tc running, and in that case not check qdisc stats and therefore not run any more tc.

The similarity between those two servers is that they have 2 processors. It never happened to me on any other machine with 1 processor.

The current setup on which the problem appeared a few days ago is Linux 2.4.31, iproute2-ss051107, iptables v1.3.2, Debian (probably testing, I'm not maintaining the system).

The setup which caused problems ~a year ago is Linux 2.4.28, iproute2-ss041019, iptables v1.2.11, Slackware (mostly "current").

Kernels are heavily patched with p-o-m, imq and grsec.

Did anyone have similar problems?

And what is the difference between sources (.tar.gz):
iproute2-date_only
iproute2-2.6.X-date
iproute2-ssdate
?
In current setups I'm using iproute2-2.6.X-date.tar.gz, which results in: [root@XXX src]# ls | grep iproute iproute2-2.6.14-051107 [root@XXX src]# ip -V ip utility, iproute2-ss051107 and the log says: Table to handle kernel paging request at virtual address ffffffe4 (http://tuxpowered.net/tc_lockup/log.txt) Unfortunatly I don't have System.map for this kernel anymore :( -- | pozdrawiam / greetings | powered by Trustix, Gentoo and FreeBSD | | Kajetan Staszkiewicz | JID: vegeta@chrome.pl | | Vegeta | IMQ devnames: http://tuxpowered.net | `------------------------^----------------------------------------' From rkurjata at ire.pw.edu.pl Mon Jan 2 23:02:17 2006 From: rkurjata at ire.pw.edu.pl (Robert Kurjata) Date: Mon Jan 2 23:03:01 2006 Subject: Fwd: [LARTC] Several IP's, one mail and http server In-Reply-To: <925A849792280C4E80C5461017A4B8A26D5D@mail733.InfraSupportEtc.com> References: <925A849792280C4E80C5461017A4B8A26D5D@mail733.InfraSupportEtc.com> Message-ID: <102381439.20060102230217@ire.pw.edu.pl> W Twoim li?cie datowanym 2 stycznia 2006 (18:51:25) mo?na przeczyta?: GS> You want multiple IP Addresses for email if you are hosting more than GS> one domain. The reason is, everyone now checks for reverse DNS with GS> email so you need a different public IP Address for each email domain. GS> This way, all the reverse DNS translations will be unique. IMHO it is not true. Novadays, it is required for a mail server to have a valid reverse dns record. But it doesn't have to point back to the same name. It would lead to very very poor IP space usage - eg. virtual hosting provider, which has 300 domains would need 300 IP's even if all of them are hosted on 1 machine, and number of domains can MUCH higher than all of the IPs. 
mail.domainA.com - WW.XX.YY.ZZ ZZ.YY.XX.WW.in-addr.arpa PTR - host.domainB.com host.domainB.com - WW.XX.YY.ZZ for an egzample one of the bigest portals - yahoo: dig yahoo.com MX - mx1.mail.yahoo.com - 67.28.113.10, 67.28.113.11 dig 10.113.28.67.in-addr.arpa PTR - mta-v4.level3.mail.yahoo.com. dig mta-v4.level3.mail.yahoo.com. - 67.28.113.10 Citation from one of the mail server manuals: If you have a PTR record for your IP address, and the target of the PTR record has an A record pointing back to that same IP address, mail will not be rejected from your server due to an invalid PTR. -- Pozdrowienia, Robert Kurjata From GregScott at InfraSupportEtc.com Tue Jan 3 00:34:22 2006 From: GregScott at InfraSupportEtc.com (Greg Scott) Date: Tue Jan 3 00:34:19 2006 Subject: Fwd: [LARTC] Several IP's, one mail and http server Message-ID: <925A849792280C4E80C5461017A4B8A26D61@mail733.InfraSupportEtc.com> >> IMHO it is not true. Novadays, it is required for a mail server to have a valid >> reverse dns record. But it doesn't have to point back to the same name. It would >> lead to very very poor IP space usage - eg. virtual hosting provider, which has >> 300 domains would need 300 IP's even if all of them are hosted on 1 machine, >> and number of domains can MUCH higher than all of the IPs. I wish! I've run across places that seem to check that the reverse DNS matches the forward DNS name. I've seen it with Comcast and I gotta believe there are others doing it. It is a pain for me because I have to consume a precious IP Address for each email domain I host here. It may be possible that the big hosters know about each other and make special arrangements with each other to which little ol' me is not privvy. If anyone out there has any connections with the Comcast DNS people, I'd love to talk to you about this and other issues - but we're straying off the original topic. 
- Greg -----Original Message----- From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Robert Kurjata Sent: Monday, January 02, 2006 4:02 PM To: lartc@mailman.ds9a.nl Subject: Re[2]: Fwd: [LARTC] Several IP's, one mail and http server W Twoim li?cie datowanym 2 stycznia 2006 (18:51:25) mo?na przeczyta?: GS> You want multiple IP Addresses for email if you are hosting more GS> than one domain. The reason is, everyone now checks for reverse DNS GS> with email so you need a different public IP Address for each email GS> domain. This way, all the reverse DNS translations will be unique. IMHO it is not true. Novadays, it is required for a mail server to have a valid reverse dns record. But it doesn't have to point back to the same name. It would lead to very very poor IP space usage - eg. virtual hosting provider, which has 300 domains would need 300 IP's even if all of them are hosted on 1 machine, and number of domains can MUCH higher than all of the IPs. mail.domainA.com - WW.XX.YY.ZZ ZZ.YY.XX.WW.in-addr.arpa PTR - host.domainB.com host.domainB.com - WW.XX.YY.ZZ for an egzample one of the bigest portals - yahoo: dig yahoo.com MX - mx1.mail.yahoo.com - 67.28.113.10, 67.28.113.11 dig 10.113.28.67.in-addr.arpa PTR - mta-v4.level3.mail.yahoo.com. dig mta-v4.level3.mail.yahoo.com. - 67.28.113.10 Citation from one of the mail server manuals: If you have a PTR record for your IP address, and the target of the PTR record has an A record pointing back to that same IP address, mail will not be rejected from your server due to an invalid PTR. 
-- 
Regards,
Robert Kurjata


From salim.si at askey.com.tw  Tue Jan  3 03:48:54 2006
From: salim.si at askey.com.tw (Salim)
Date: Tue Jan  3 03:49:06 2006
Subject: [LARTC] ip_queue module issue
Message-ID: <002301c61010$3fa46f60$455f030a@askeyrd3>

Hi All,
I am adding ip_queue module for snort inline IDS.

I am using snort2.4.0
And iptables-1.3.4.

Userspace Queuing(queue target) is enabled. It is built-in and not built as
a module.
The output of /proc/net/ip_queue is shown below:

cat /proc/net/ip_queue
Peer PID : 0
Copy mode : 0
Copy range : 0
Queue length : 0
Queue max. length : 1024

IPTABLES 1.3.4 is being used and it is built with install-devel option
And libipq.a is seen in /lib directory.

SNORT is also built in with following options:
./configure --prefix=/usr/local/snort \
  --with-libpcap-includes=/usr/local/snort-lib/include \
  --with-libpcap-libraries=/usr/local/snort-lib/lib \
  --with-libpcre-includes=/usr/local/snort-lib/include \
  --with-libpcre-libraries=/usr/local/snort-lib/lib \
  --with-libnet-includes=/usr/local/snort-lib/include \
  --with-libnet-libraries=/usr/local/snort-lib/lib \
  --with-libipq-includes=/usr/local/iptables/include \
  --with-libipq-libraries=/usr/local/iptables/lib \
  --enable-inline

cat /proc/net/netlink
sk       Eth Pid Groups   Rmem Wmem Dump     Locks
c11c8040 0   0   00000000 0    0    00000000 2
c7ec0140 3   0   00000000 0    0    00000000 7
c11c8780 4   0   00000000 0    0    00000000 2
c7e74c40 5   0   00000000 0    0    00000000 2

Starting SNORT now:
/usr/local/snort/bin/snort -Q -N -l /var/log/snortlog -t /var/log/snortlog -s -D
Initializing Inline mode
Reading from iptables
InitInline: : Failed to send netlink message: Connection refused
Starting snortd: FAILED

cat /proc/net/netlink
sk       Eth Pid Groups   Rmem Wmem Dump     Locks
c11c8040 0   0   00000000 0    0    00000000 2
c7ec0140 3   0   00000000 0    0    00000000 8    >>> Locks increasing
c11c8780 4   0   00000000 0    0    00000000 2
c7e74c40 5   0   00000000 0    0    00000000 2

Can anybody please point me as to what could be the issue. As it is, the
ip_queue is built in kernel and it is running as can be seen from
cat /proc/net/ip_queue.
Any pointers would be greatly appreciated.

regards
Salim


From aleksander at krediidiinfo.ee  Tue Jan  3 08:15:58 2006
From: aleksander at krediidiinfo.ee (Aleksander)
Date: Tue Jan  3 08:14:13 2006
Subject: Fwd: [LARTC] Several IP's, one mail and http server
In-Reply-To: <925A849792280C4E80C5461017A4B8A26D61@mail733.InfraSupportEtc.com>
References: <925A849792280C4E80C5461017A4B8A26D61@mail733.InfraSupportEtc.com>
Message-ID: <43BA24AE.7070505@krediidiinfo.ee>

Greg Scott wrote:

> I wish! I've run across places that seem to check that the reverse DNS matches
> the forward DNS name. I've seen it with Comcast and I gotta believe there are
> others doing it. It is a pain for me because I have to consume a precious IP
> Address for each email domain I host here. It may be possible that the big
> hosters know about each other and make special arrangements with each other to
> which little ol' me is not privy. If anyone out there has any connections with
> the Comcast DNS people, I'd love to talk to you about this and other issues -
> but we're straying off the original topic.
>
> - Greg

My mailservers will have their own reverse. ATM they don't and work fine too.
It's not an issue. Sorry to hear you have to mess with that.

What you proposed is kind of the thing I had in mind. Instead of all the
forwarding rules I use "echo 1 > /proc/sys/net/ipv4/ip_forward". Is the
additional checking you propose worth it?

So the question, if I have to create virtual interfaces on the internal box,
should be answered "YES, that's the only way"?

Have you had experience setting up postfix to work on several interfaces?
I have an idea how to make apache work, quite familiar with virtual hosts, but
not postfix. It's not really a topic for this list though.
Thanks,
Alex

Note: I seem to be missing the first email of Greg, the one Robert quoted. No
idea why, there's even no spam filtering at my end. Found it in the archives
anyway.


From nikky at mnet.bg  Tue Jan  3 09:14:15 2006
From: nikky at mnet.bg (Nickola Kolev)
Date: Tue Jan  3 09:14:39 2006
Subject: [LARTC] routing- multiple net provider, tcp logging
In-Reply-To: <43B961E2.6000206@interia.pl>
References: <43B961E2.6000206@interia.pl>
Message-ID: <20060103101415.3f32677c.nikky@mnet.bg>

Hello,

On Mon, 02 Jan 2006 18:24:50 +0100
Pawel Zawora wrote:

> Hi all,
> Is there any way to log tcp connections (not packets)? something like this:
> src_IP dst_Ip, srcPort, dst_port bytes_send bytes_received?
> Any netfilter extension?

You should probably look at some NetFlow based solution. F.e. softflowd, netams,
fprobe, etc.

> 2 issue:
>                    eth0------- connection 1
> NET ---------gw (linux)
>                    eth1-------- connection 2
>
> Real bandwidth on connection 1 and connection 2 depends on
> different things (ie weather)
> How to detect that connection 1 is losing i.e. 50% packets (or real
> bandwidth is less than ...) and based on this change routing?

Are those wireless links? I can't help there much, sorry.

Regards,
Nickola


From GregScott at InfraSupportEtc.com  Tue Jan  3 12:11:45 2006
From: GregScott at InfraSupportEtc.com (Greg Scott)
Date: Tue Jan  3 12:12:25 2006
Subject: Fwd: [LARTC] Several IP's, one mail and http server
Message-ID: <925A849792280C4E80C5461017A4B8A26D68@mail733.InfraSupportEtc.com>

> What you proposed is kind of the thing I had in mind. Instead of all the
> forwarding rules I use "echo 1 > /proc/sys/net/ipv4/ip_forward". Is the
> additional checking you propose worth it?
Even with the approach I proposed you still have to turn on ip_forward. If you're
going to use multiple IP Addresses, somebody has to listen on all those addresses
and the firewall is the right box to do it - that is its job. So then you set up
appropriate DNAT, SNAT, and FORWARDing rules so the application servers only see
traffic they are supposed to see. There are probably other ways to do it, but
this is the way I use and it works well.

Re: Postfix - I spent lots of time inside this book: Postfix, Richard Blum, Sams
Publishing, 2001. I'll bet there's a newer edition out by now.

- Greg

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Aleksander
Sent: Tuesday, January 03, 2006 1:16 AM
To: lartc@mailman.ds9a.nl
Subject: Re: Fwd: [LARTC] Several IP's, one mail and http server

Greg Scott wrote:

> I wish! I've run across places that seem to check that the reverse DNS
> matches the forward DNS name. I've seen it with Comcast and I gotta believe
> there are others doing it. It is a pain for me because I have to consume a
> precious IP Address for each email domain I host here. It may be possible
> that the big hosters know about each other and make special arrangements
> with each other to which little ol' me is not privy. If anyone out there
> has any connections with the Comcast DNS people, I'd love to talk to you
> about this and other issues - but we're straying off the original topic.
>
> - Greg

My mailservers will have their own reverse. ATM they don't and work fine too.
It's not an issue. Sorry to hear you have to mess with that.

What you proposed is kind of the thing I had in mind. Instead of all the
forwarding rules I use "echo 1 > /proc/sys/net/ipv4/ip_forward". Is the
additional checking you propose worth it?

So the question, if I have to create virtual interfaces on the internal box,
should be answered "YES, that's the only way"?

Have you had experience setting up postfix to work on several interfaces?
I have an idea how to make apache work, quite familiar with virtual hosts, but
not postfix. It's not really a topic for this list though.

Thanks,
Alex

Note: I seem to be missing the first email of Greg, the one Robert quoted. No
idea why, there's even no spam filtering at my end. Found it in the archives
anyway.


From kaber at trash.net  Tue Jan  3 13:58:37 2006
From: kaber at trash.net (Patrick McHardy)
Date: Tue Jan  3 13:59:11 2006
Subject: [LARTC] ip_queue module issue
In-Reply-To: <002301c61010$3fa46f60$455f030a@askeyrd3>
References: <002301c61010$3fa46f60$455f030a@askeyrd3>
Message-ID: <43BA74FD.9030205@trash.net>

Salim wrote:
> Hi All,
> I am adding ip_queue module for snort inline IDS.
>
> I am using snort2.4.0
> And iptables-1.3.4.
>
> Userspace Queuing(queue target) is enabled. It is built-in and not built as
> a module.
> The output of /proc/net/ip_queue is shown below:
>
> cat /proc/net/ip_queue
> Peer PID : 0
> Copy mode : 0
> Copy range : 0
> Queue length : 0
> Queue max. length : 1024
>
>
> IPTABLES 1.3.4 is being used and it is built with install-devel option
> And libipq.a is seen in /lib directory.
>
> SNORT is also built in with following options:
> ./configure --prefix=/usr/local/snort \
>   --with-libpcap-includes=/usr/local/snort-lib/include \
>   --with-libpcap-libraries=/usr/local/snort-lib/lib \
>   --with-libpcre-includes=/usr/local/snort-lib/include \
>   --with-libpcre-libraries=/usr/local/snort-lib/lib \
>   --with-libnet-includes=/usr/local/snort-lib/include \
>   --with-libnet-libraries=/usr/local/snort-lib/lib \
>   --with-libipq-includes=/usr/local/iptables/include \
>   --with-libipq-libraries=/usr/local/iptables/lib \
>   --enable-inline
>
> cat /proc/net/netlink
> sk       Eth Pid Groups   Rmem Wmem Dump     Locks
> c11c8040 0   0   00000000 0    0    00000000 2
> c7ec0140 3   0   00000000 0    0    00000000 7
> c11c8780 4   0   00000000 0    0    00000000 2
> c7e74c40 5   0   00000000 0    0    00000000 2
>
> Starting SNORT now:
> /usr/local/snort/bin/snort -Q -N -l /var/log/snortlog -t /var/log/snortlog -s -D
> Initializing Inline mode
> Reading from iptables
> InitInline: : Failed to send netlink message: Connection refused
> Starting snortd: FAILED
>
> cat /proc/net/netlink
> sk       Eth Pid Groups   Rmem Wmem Dump     Locks
> c11c8040 0   0   00000000 0    0    00000000 2
> c7ec0140 3   0   00000000 0    0    00000000 8    >>> Locks increasing
> c11c8780 4   0   00000000 0    0    00000000 2
> c7e74c40 5   0   00000000 0    0    00000000 2
>
> Can anybody please point me as to what could be the issue. As it is, the
> ip_queue is built in kernel and it is running as can be seen from
> cat /proc/net/ip_queue

Does it work if you build it as a module? If not please send the output of
strace -s 1000 -f snort ...


From ethy.brito at inexo.com.br  Tue Jan  3 15:40:12 2006
From: ethy.brito at inexo.com.br (Ethy H. Brito)
Date: Tue Jan  3 15:40:36 2006
Subject: [LARTC] match mark problem still resists
Message-ID: <20060103124012.0c43a742@pulsar.inexo.com.br>

Dear All

I am kinda frustrated with the lack of help some developers are dispensing to
this problem (read ignoring it).
A few days ago (December 22nd) I reported a problem with 'tc filter match mark'
against 2.4 kernel series and got no answers that could lead me to any solution.

This is a steady problem that occurs in kernel 2.4 series and match mark (at
least for me). I browsed thru the source codes but ran thru a wall of bricks at
some point.

I have a single question to developers of TC: Isn't it strange that my problem
be related to the only match inside 'parse_selector' that is treated differently
from other matches? All except 'mark' are parsed like

    parse_xxxx(&argc, &argv, sel, ..)

and mark is parsed

    parse_mark(&argc, &argv, n, ..)

where sel is a struct tc_u32_sel and n is a struct nlmsghdr.

I should say that this deserves at least a "You idiot, you are using it the
wrong way. Do like this and stop bothering me!" answer.

Sorry for my tempestuous attitude.

Frustratedly

-- 
Ethy H. Brito                 /"\
InterNexo Ltda.               \ /  CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
+55 (12) 3941-6860             X   ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
S.J.Campos - Brasil           / \


From asamjani at rajant.com  Tue Jan  3 16:43:15 2006
From: asamjani at rajant.com (Azim Samjani)
Date: Tue Jan  3 16:42:57 2006
Subject: [LARTC] TC in Wireless Environment
In-Reply-To: <200601021801.37454.kajtek@biezanow.net>
Message-ID: <006301c6107c$6983eb00$6a01a8c0@AZIM>

Thanks very much. This is what I needed. Really appreciate your efforts!

Azim.

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Kajetan Staszkiewicz
Sent: Monday, January 02, 2006 12:02 PM
To: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] TC in Wireless Environment

On Wednesday, 28 December 2005 17:10, you wrote:
> Thank you so much for your reply. It's my mistake - I should have made
> it a bit more transparent. But yes, you got me right on that.
>
> I will try to discuss 2 probable scenarios -
>
> 1. Ingress - suppose I have an ingress policer, which allows data to
> enter system at 2 Mbps.
> I should be able to set it to 1Mbps or
> increase to 3Mbps depending on my wireless network conditions.
> Wireless links are dynamic and error rate is high. Hence I want to set
> the policer to these values, without losing any packets and without
> disturbing the queuing discipline.
>
> 2. Egress - I use a token bucket to shape outgoing traffic.
> Similarly, here also, I should be able to dynamically set the
> outgoing rate, without reloading all the queue parameters.
>
> I want to control this on multiple interfaces. But initially, it would
> be good to try such a thing on only one interface.
>
> I would like to know, if such a provision is available in TC.

So it is only settings for one machine? Deleting and adding just a few rules
should not be such a big problem. In my case adding new rules takes about 30
seconds (hundreds of rules for each user in the network), so as I mentioned I
use `tc class change`. It works just like `tc class add`:

(from a perl script)

`$TC class change dev $ifname parent 1:6667 classid 1:$klasa htb rate 5kbit ceil $ceildown quantum 2000 burst 10kbit`;
`$TC class change dev imq$imqname parent 1:6667 classid 1:$klasa htb rate 5kbit ceil $ceilup quantum 2000 burst 10kbit`;

It changes properties of the specified class without deleting all classes on
the device (like `tc qdisc del dev eth0.11 root` does).
-- 
| greetings                | powered by Trustix, Gentoo and FreeBSD  |
| Kajetan Staszkiewicz     | JID: vegeta@chrome.pl                   |
| Vegeta                   | IMQ devnames: http://tuxpowered.net     |
`------------------------^----------------------------------------'


From kaber at trash.net  Tue Jan  3 19:49:20 2006
From: kaber at trash.net (Patrick McHardy)
Date: Tue Jan  3 19:50:25 2006
Subject: [LARTC] match mark problem still resists
In-Reply-To: <20060103124012.0c43a742@pulsar.inexo.com.br>
References: <20060103124012.0c43a742@pulsar.inexo.com.br>
Message-ID: <43BAC730.30205@trash.net>

Ethy H. Brito wrote:
> I am kinda frustrated with the lack of help some developers are dispensing to
> this problem (read ignoring it).

You should report it to a list that is actually read by developers, namely
netdev@vger.kernel.org.


From salim.si at askey.com.tw  Wed Jan  4 03:14:38 2006
From: salim.si at askey.com.tw (Salim)
Date: Wed Jan  4 03:15:28 2006
Subject: [LARTC] ip_queue module issue
References: <002301c61010$3fa46f60$455f030a@askeyrd3> <43BA74FD.9030205@trash.net>
Message-ID: <002c01c610d4$a04e3930$455f030a@askeyrd3>

it does work when iptables as a whole is built as a module.

----- Original Message -----
From: "Patrick McHardy"
To: "Salim"
Cc: ; "Netfilter Development Mailinglist"
Sent: Tuesday, January 03, 2006 8:58 PM
Subject: Re: [LARTC] ip_queue module issue

> Salim wrote:
> > Hi All,
> > I am adding ip_queue module for snort inline IDS.
> >
> > I am using snort2.4.0
> > And iptables-1.3.4.
> >
> > Userspace Queuing(queue target) is enabled. It is built-in and not built as
> > a module.
> > The output of /proc/net/ip_queue is shown below:
> >
> > cat /proc/net/ip_queue
> > Peer PID : 0
> > Copy mode : 0
> > Copy range : 0
> > Queue length : 0
> > Queue max. length : 1024
> >
> >
> > IPTABLES 1.3.4 is being used and it is built with install-devel option
> > And libipq.a is seen in /lib directory.
> >
> > SNORT is also built in with following options:
> > ./configure --prefix=/usr/local/snort \
> >   --with-libpcap-includes=/usr/local/snort-lib/include \
> >   --with-libpcap-libraries=/usr/local/snort-lib/lib \
> >   --with-libpcre-includes=/usr/local/snort-lib/include \
> >   --with-libpcre-libraries=/usr/local/snort-lib/lib \
> >   --with-libnet-includes=/usr/local/snort-lib/include \
> >   --with-libnet-libraries=/usr/local/snort-lib/lib \
> >   --with-libipq-includes=/usr/local/iptables/include \
> >   --with-libipq-libraries=/usr/local/iptables/lib \
> >   --enable-inline
> >
> > cat /proc/net/netlink
> > sk       Eth Pid Groups   Rmem Wmem Dump     Locks
> > c11c8040 0   0   00000000 0    0    00000000 2
> > c7ec0140 3   0   00000000 0    0    00000000 7
> > c11c8780 4   0   00000000 0    0    00000000 2
> > c7e74c40 5   0   00000000 0    0    00000000 2
> >
> > Starting SNORT now:
> > /usr/local/snort/bin/snort -Q -N -l /var/log/snortlog -t /var/log/snortlog -s -D
> > Initializing Inline mode
> > Reading from iptables
> > InitInline: : Failed to send netlink message: Connection refused
> > Starting snortd: FAILED
> >
> > cat /proc/net/netlink
> > sk       Eth Pid Groups   Rmem Wmem Dump     Locks
> > c11c8040 0   0   00000000 0    0    00000000 2
> > c7ec0140 3   0   00000000 0    0    00000000 8    >>> Locks increasing
> > c11c8780 4   0   00000000 0    0    00000000 2
> > c7e74c40 5   0   00000000 0    0    00000000 2
> >
> > Can anybody please point me as to what could be the issue. As it is, the
> > ip_queue is built in kernel and it is running as can be seen from
> > cat /proc/net/ip_queue
>
> Does it work if you build it as a module? If not please send the output
> of strace -s 1000 -f snort ...


From iocc at lartc.lists.flashdance.cx  Wed Jan  4 06:42:15 2006
From: iocc at lartc.lists.flashdance.cx (Peter Magnusson)
Date: Wed Jan  4 06:42:31 2006
Subject: [LARTC] QoS script for gw without NAT?
In-Reply-To: <20051230140607.303e6e45.linux@pilot.org.ua>
References: <20051230140607.303e6e45.linux@pilot.org.ua>
Message-ID:

On Fri, 30 Dec 2005, Denis Ovsienko wrote:

>> one computer. All scripts that I have found does QoS based on port,
>> not IP. I use different IPs for different services, so I wanna do QoS
>> based on IP, not the port.
> Does u32 filter syntax make any problem doing so?

u32 filter syntax? And that is the syntax that tc uses or what?

I have tried several scripts, they kinda expect that you use NAT and I have
tried to modify them to make it work for my setup. But I couldn't get it to
work like it should. Could you recommend any script for doing QoS that I should
take a look at and see if I could use it? Yes I have tried to write a QoS
script from scratch but that didn't work either :(

>> What I need is a script that sets a high priority on ACK's, all UDP
>> traffic by default. Then I want to have different priority on different
>> IPs, all IPs should have a max available and a min available bandwidth
>> that they could use, in case all upstream bandwidth are used (thats
> http://rentacoder.com/

But doesn't there already exist a ready-made script that can do what I want?
Just that I haven't found it yet. Maybe someone on this list knows if it does?


From kaber at trash.net  Wed Jan  4 08:13:19 2006
From: kaber at trash.net (Patrick McHardy)
Date: Wed Jan  4 08:13:56 2006
Subject: [LARTC] ip_queue module issue
In-Reply-To: <002c01c610d4$a04e3930$455f030a@askeyrd3>
References: <002301c61010$3fa46f60$455f030a@askeyrd3> <43BA74FD.9030205@trash.net> <002c01c610d4$a04e3930$455f030a@askeyrd3>
Message-ID: <43BB758F.4020409@trash.net>

Salim wrote:
> it does work when iptables as a whole is built as a module.

Do you use any patches that might register as queue handler, like IMQ?
Otherwise please check your logs for messages from ip_queue during boot time,
it should have logged the reason if registration failed.
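As an added example (not from Salim's or Patrick's posts, and not part of snort or iptables): a small POSIX shell diagnostic that parses the two /proc files pasted in this thread, to show what can be read off them before reaching for strace or the boot logs. /proc/net/ip_queue existing means the queue handler code is present; its "Peer PID : 0" means no userspace program has bound to it; and in /proc/net/netlink the "Eth" column is the netlink protocol number (ip_queue and libipq talk NETLINK_FIREWALL, protocol 3) while "Locks" is that socket's reference count, which in Salim's two snapshots grows by one across the failed snort start. The sample snapshots written by write_samples are constructed copies of the output in the posting.

```shell
#!/bin/sh
# Added example: read /proc/net/ip_queue and /proc/net/netlink snapshots and
# report what they say about the ip_queue <-> libipq handshake.
# /proc/net/netlink columns: sk Eth Pid Groups Rmem Wmem Dump Locks

NETLINK_FIREWALL=3   # netlink protocol used by ip_queue / libipq

# Print the Locks (reference count) of the kernel netlink socket for protocol $2
# (default NETLINK_FIREWALL) in snapshot file $1; prints nothing if absent.
netlink_locks() {
    awk -v proto="${2:-$NETLINK_FIREWALL}" \
        'NR > 1 && $2 == proto { print $8; exit }' "$1"
}

# Print the peer PID from a /proc/net/ip_queue snapshot; 0 means no userspace
# program (here: snort -Q) has bound to the queue.
ipq_peer_pid() {
    awk -F: '/^Peer PID/ { gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1"
}

# Succeed when the firewall netlink socket's Locks grew between snapshot $1
# and snapshot $2, the symptom marked ">>> Locks increasing" in the posting.
locks_grew() {
    before=$(netlink_locks "$1") && after=$(netlink_locks "$2") || return 1
    [ -n "$before" ] && [ -n "$after" ] && [ "$after" -gt "$before" ]
}

# Write constructed copies of the snapshots from the posting into directory $1.
write_samples() {
    cat > "$1/ip_queue" <<'EOF'
Peer PID : 0
Copy mode : 0
Copy range : 0
Queue length : 0
Queue max. length : 1024
EOF
    cat > "$1/netlink.before" <<'EOF'
sk Eth Pid Groups Rmem Wmem Dump Locks
c11c8040 0 0 00000000 0 0 00000000 2
c7ec0140 3 0 00000000 0 0 00000000 7
c11c8780 4 0 00000000 0 0 00000000 2
c7e74c40 5 0 00000000 0 0 00000000 2
EOF
    cat > "$1/netlink.after" <<'EOF'
sk Eth Pid Groups Rmem Wmem Dump Locks
c11c8040 0 0 00000000 0 0 00000000 2
c7ec0140 3 0 00000000 0 0 00000000 8
c11c8780 4 0 00000000 0 0 00000000 2
c7e74c40 5 0 00000000 0 0 00000000 2
EOF
}

# Human-readable verdict for a set of snapshots in directory $1.
report() {
    pid=$(ipq_peer_pid "$1/ip_queue")
    if [ "$pid" = "0" ]; then
        echo "ip_queue is registered but no userspace peer is bound (Peer PID 0)"
    else
        echo "ip_queue peer bound: pid $pid"
    fi
    if locks_grew "$1/netlink.before" "$1/netlink.after"; then
        echo "NETLINK_FIREWALL socket Locks grew across the failed start"
    fi
}

dir=$(mktemp -d)
write_samples "$dir"
report "$dir"
```

On a live box the same functions can be pointed at the real files (`netlink_locks /proc/net/netlink`, `ipq_peer_pid /proc/net/ip_queue`) before and after a start attempt; a non-zero peer PID after starting snort is the state Salim never reached.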
From diego.cabrero at e-attico.net  Wed Jan  4 09:12:16 2006
From: diego.cabrero at e-attico.net (Diego Cabrero)
Date: Wed Jan  4 09:12:33 2006
Subject: [LARTC] Marking Packets on VoIP connections
In-Reply-To: <43BAC730.30205@trash.net>
References: <20060103124012.0c43a742@pulsar.inexo.com.br> <43BAC730.30205@trash.net>
Message-ID: <43BB8360.6050708@e-attico.net>

Hi there,...

I know this topic may not belong to this list, but it is crucial for me to get
packets marked on this VoIP application.

The diagram to understand the problem is shown on the next line...

VoIP SIP phone+GW >---->eth0[SERVER1]eth1, tun0>--->( INTERNET-VPN)>--->eth1,tun0[SERVER2]eth0---->VoIP SIP phone+GW.
                              MARKER

Just by knowing that VoIP Gateways are configured to establish an incoming call
connection through the ports interval 16384:16482. So then the fact that one of
the phones gets a port from that interval depends on which of them calls...,
it's supposed that SERVERS do ip forwarding, does it mean port forwarding too?

What should be the best way of marking packets with iptables in the case SERVER1
is the packet marker?? Should I mark them by IP address and forget about ports?

-Thanks
Diego


From rani79 at idm.net.lb  Wed Jan  4 10:23:56 2006
From: rani79 at idm.net.lb (Rani Ahmed)
Date: Wed Jan  4 10:25:55 2006
Subject: [LARTC] Limiting the Number of connection sessions allowed
Message-ID: <43BB942C.8020703@idm.net.lb>

yes! how to Limit the number of connection sessions allowed per Internet
customer?
We here in Lebanon, Beirut have some major ISP's do it.

==============================

by the way i put a question about an example using tcng/ingress on per customer
basis and was not answered by any body. thanks.
(I am not pushing it)


From oscar at ufomechanic.net  Wed Jan  4 10:45:19 2006
From: oscar at ufomechanic.net (Oscar Mechanic)
Date: Wed Jan  4 10:45:44 2006
Subject: [LARTC] Limiting the Number of connection sessions allowed
In-Reply-To: <43BB942C.8020703@idm.net.lb>
References: <43BB942C.8020703@idm.net.lb>
Message-ID: <1136367920.14145.48.camel@OSCARLAPLIN>

When you limit connections do you mean TCP or the number of physical devices?
What type of network are you connecting to, Cable/Wireless/DSL?

On Wed, 2006-01-04 at 11:23 +0200, Rani Ahmed wrote:
> yes! how to Limit the number of connection sessions allowed per Internet
> customer?
> We here in Lebanon, Beirut have some major ISP's do it.
>
> ==============================
>
> by the way i put a question about an example using tcng/ingress on per
> customer basis and was not answered by any body. thanks. (I am not
> pushing it)


From alpt at freaknet.org  Wed Jan  4 13:29:24 2006
From: alpt at freaknet.org (Alpt)
Date: Wed Jan  4 13:29:51 2006
Subject: [LARTC] "Established connection" issues using multipath
In-Reply-To: <20060103102847.GA11808@nihil>
References: <20051225102921.GA30288@nihil> <20060103102847.GA11808@nihil>
Message-ID: <20060104122924.GA17050@nihil>

On Tue, Jan 03, 2006 at 11:28:47AM +0100, :
~> On Sun, Dec 25, 2005 at 11:29:21AM +0100, :
~> ~> The multipath code creates new cached routes. Since
~> ~> after connect the socket is "connected", i.e. saddr and
~> ~> daddr are known and they are always provided when resolving
~> ~> route
~> ~>
~> ~> So, the connected socket should not experience any outage
~> ~> when the route is resolved after cache entry expiration
~> ~> assuming the routing rules do not change.
~> ~> (That is a snip of Julian Anastasov's reply in a lartc thread:
~> ~> http://mailman.ds9a.nl/pipermail/lartc/2002q2/003780.html)
~> ~>
~> ~> Does it mean that it should work?
~>
~> No, it doesn't. Any ideas?
~>
~> PS: this thread was:
~> http://marc.theaimsgroup.com/?l=linux-net&m=113550638110682&w=2

Yay, there is a solution, but we cannot use it:

The IP of gw A is 10.157.108.4
The IP of gw B is 10.29.212.6
The IP of C is 10.157.108.213

They are in an ad-hoc network, A can see C but not B, and B can see C.

The steps are:

- the node C creates for each gw an IPIP tunnel, one to A and a second to B

    tunl0: ip/ip remote any local any ttl inherit nopmtudisc
    tunl1: ip/ip remote any local 10.157.108.214 ttl inherit

- the node C assigns a different IP to each tunnel

    ifconfig tunl0 10.157.108.213
    ifconfig tunl1 10.157.108.214

At this point we have two different interfaces and we can use the LARTC method:
http://www.lartc.org/howto/lartc.rpdb.multiple-links.html
and we have:

pc1:~/src# ip rule
0:      from all lookup local
32764:  from 10.157.108.213 lookup 201
32765:  from 10.157.108.214 lookup 202
32766:  from all lookup main
32767:  from all lookup default

pc1:~/src# ip route show table 201
10.0.0.0/8 dev tunl0  scope link  src 10.157.108.213
default via 10.157.108.4 dev tunl0

pc1:~/src# ip route show table 202
10.0.0.0/8 dev tunl1  scope link  src 10.157.108.214
default via 10.29.212.6 dev tunl1

The default route in the main table is:

default
        nexthop via 10.157.108.4  dev tunl0 weight 1
        nexthop via 10.29.212.6  dev tunl1 weight 1

All the rp_filter controls are disabled and ip_forwarding is enabled.

It works, in fact, each time the routing cache has to be filled, a random route
is chosen from the multipath route and all the packets which have a specific
source go out from the same route.

Now the problem is that a node has to have only one IP! If we assign other IPs
to the tunnel interfaces conflicts will arise because those IPs will be
reachable.
I've tried to use `iif' in the routing rules but it doesn't work if the same IP
is assigned to all the tunnels.

Is there a nice solution?

Best regards

-- 
:wq!
"I don't know nothing" The One Who reached the Thinking Matter '.'
[ Alpt --- Freaknet Medialab ]
[ GPG Key ID 441CF0EE ]
[ Key fingerprint = 8B02 26E8 831A 7BB9 81A9 5277 BFF8 037E 441C F0EE ]


From james at teyandei.net  Wed Jan  4 19:17:17 2006
From: james at teyandei.net (james@teyandei.net)
Date: Wed Jan  4 19:18:18 2006
Subject: [LARTC] tcng questions: TCP_ACK, ebtables
Message-ID: <2565.199.113.187.23.1136398637.squirrel@www.r1hosting.com>

Hi all,

I have a couple of questions regarding tcng behavior.

First - I want to mark TCP_ACK packets as high priority, a common case. I
figured the tcp_ACK rule in fields4.tc would be enough but I've come across
Jason Boxman's tutorial and he recommends using:

    class( <$ack> ) if ip_len < 64 && ip_hl == 0x5 && (raw[33].b >> 4) & 0xff;

So basically the tcp_ACK rule doesn't work? Has it been fixed? Which way is
right?

Secondly - I was wondering if anyone is trying to use l7filter on a bridging
Ethernet setup. It looks to me like the packets don't get to the iptables layer
so whatever marking I do with l7filter doesn't affect packets going through the
bridge, only packets addressed to the bridge itself (which I have given an IP so
that I can run some other things on it). Do I need to look into ebtables
marking? I don't know if l7filter works with ebtables anyway. Or am I doing
something wrong?

The system I'm working with is running Debian sarge and kernel 2.6.14.4 with the
l7filter patch.

Thanks for any help.
James


From muthukumar at gmail.com  Wed Jan  4 23:24:38 2006
From: muthukumar at gmail.com (Muthukumar S)
Date: Wed Jan  4 23:25:41 2006
Subject: [LARTC] TC/CBQ shaping problems
Message-ID:

Hello everyone,

I'm a newbie experimenting with CBQ shaping and am facing a few problems. Can
any of you please help?

TEST SETUP:

+---------------+            +----------------+
|  10.0.0.103   |----------->|   10.0.0.102   |
+---------------+            +----------------+

10.0.0.103: Linux, 100Mbit/s NIC
10.0.0.102: Windows, 100Mbit/s NIC, iperf tcp server (ports 2000 and 2001)

WHAT I WANT TO DO:

1. Traffic from 10.0.0.103 to 10.0.0.102 port 2000 should always receive at
   least 60Mbit/s regardless of presence of other traffic.
2. In the absence of traffic to 10.0.0.102 port 2000, all other traffic should
   use all available bandwidth

CBQ SETUP 1:

#!/bin/bash
# rate1 = 60Mbit/s
RATE1=614400000
PRIO="prio 1"
DEV="dev eth0"
OPTION="allot 1514 maxburst 20 avpkt 1000"

# reset qdiscs
tc qdisc del $DEV root

# root CBQ
tc qdisc add $DEV root handle 10: cbq bandwidth 100mbit avpkt 1000

# 60 Mbit/s class
tc class add $DEV parent 10:0 classid 10:1 cbq bandwidth 100mbit rate $RATE1 $OPTION $PRIO borrow

# add filter
tc filter add $DEV parent 10:0 protocol ip prio 3 handle 1 fw flowid 10:1

# mark packets
iptables -A OUTPUT -t mangle -p tcp --dport 2000 -d 10.0.0.102 -j MARK --set-mark 1

OBSERVED RESULTS FOR SETUP 1:

1. A single iperf session to 10.0.0.102 port 2000 for 40 seconds reports
   93.1 Mbit/s
2. Two simultaneous iperf sessions to 10.0.0.102 on ports 2000 and 2001 for 40
   seconds each report 48.4 Mbit/s and 44.3 Mbit/s respectively
3. "tc -s -d class show dev eth0" shows the 10:1 class processing packets and I
   assume port 2001 traffic uses the root qdisc. Is this assumption right?

CBQ SETUP 2:

I added a CBQ class 10:2 with a rate of 10240000, prio 3, borrow parameter, a
filter to direct port 2001 traffic to 10:2 and iptables rules to assign fwmark.
OBSERVED RESULTS FOR SETUP 2:

Almost the same as above results with traffic being directed to appropriate
classes.

QUESTIONS:

1. What am I doing wrong? Why doesn't port 2000 traffic always receive at least
   60 Mbit/s?
2. prio 1 offers higher priority than prio 3, right? Lower the number, higher
   the priority?
3. bandwidth parameter: I've seen examples where people always use the NIC
   bandwidth (100 Mbit/s) and some examples where people use the link bandwidth
   (say 6 Mbit/s for a DSL link). Which is right?
4. is it recommended that I have a class below the root CBQ and all other
   classes as sub classes of that class?

Thanks!
Muthu


From linux at pilot.org.ua  Thu Jan  5 00:00:05 2006
From: linux at pilot.org.ua (Denis Ovsienko)
Date: Thu Jan  5 00:00:12 2006
Subject: [LARTC] TC/CBQ shaping problems
In-Reply-To:
References:
Message-ID: <20060105020005.015b26aa.linux@pilot.org.ua>

[...]
> RATE1=614400000

tc(8) manpage extract:

UNITS
    All parameters accept a floating point number, possibly followed by a unit.

    Bandwidths or rates can be specified in:

    kbps   Kilobytes per second
    mbps   Megabytes per second
    kbit   Kilobits per second
    mbit   Megabits per second
    bps or a bare number
           Bytes per second

[...]
> tc qdisc add $DEV root handle 10: cbq bandwidth 100mbit avpkt 1000

Bandwidth is 100 Megabits per second.

> # 60 Mbit/s class
> tc class add $DEV parent 10:0 classid 10:1 cbq bandwidth 100mbit rate
> $RATE1 $OPTION $PRIO borrow

Rate is 614400000 Bytes per second, roughly about 6 Gigabits per second.

I hope it helps.

-- 
DO4-UANIC


From muthukumar at gmail.com  Thu Jan  5 00:53:07 2006
From: muthukumar at gmail.com (Muthukumar S)
Date: Thu Jan  5 00:53:09 2006
Subject: [LARTC] TC/CBQ shaping problems
In-Reply-To: <20060105020005.015b26aa.linux@pilot.org.ua>
References: <20060105020005.015b26aa.linux@pilot.org.ua>
Message-ID:

Thank you Denis.
I modified my script to use "mbit" uniformly but I still don't understand the
results:

#!/bin/bash
DEV="dev eth0"      # as in the first script; "dev $DEV" would expand to "dev dev eth0"
RATE1=60mbit
RATE2=10mbit
PRIO1="prio 1"
PRIO2="prio 3"
OPTION="allot 1514 maxburst 20 avpkt 1000"

# reset qdiscs
tc qdisc del $DEV root

# root CBQ
tc qdisc add $DEV root handle 10: cbq bandwidth 100mbit avpkt 1000

# classes (tc class takes "classid", not "handle")
tc class add $DEV parent 10:0 classid 10:1 cbq bandwidth 100mbit rate $RATE1 $OPTION $PRIO1 borrow
tc class add $DEV parent 10:0 classid 10:2 cbq bandwidth 100mbit rate $RATE2 $OPTION $PRIO2 borrow

# fwmark filters
tc filter add $DEV parent 10:0 protocol ip prio 1 handle 1 fw flowid 10:1
tc filter add $DEV parent 10:0 protocol ip prio 1 handle 2 fw flowid 10:2

# mark packets (iptables target names are case-sensitive: MARK)
iptables -A OUTPUT -t mangle -p tcp --dport 2000 -d 10.0.0.102 -j MARK --set-mark 1
iptables -A OUTPUT -t mangle -p tcp --dport 2001 -d 10.0.0.102 -j MARK --set-mark 2

OBSERVED RESULTS:

- With both 10:1 and 10:2 as "borrow"
  Single iperf session to port 2000 reports 93.7 Mbits/s
  Two simultaneous iperf sessions to ports 2000 and 2001 report 45.8 and
  45.7 Mbits/s respectively
  Single iperf session to port 2001 reports 89.1 Mbits/s

- With 10:2 as "bounded"
  Single iperf session to port 2000 reports 88.9 Mbits/s
  Two simultaneous iperf sessions to ports 2000 and 2001 report 72.8 and
  19.3 Mbits/s respectively
  Single iperf session to port 2001 reports 11.2 Mbits/s

QUESTIONS:

1. When 10:2 is "bounded", is the reported 19.3 Mbits/s usage within acceptable
   limits for CBQ accuracy?
2. When both 10:1 and 10:2 are "borrow", why doesn't port 2001 receive all
   bandwidth when it is the only session present?
3. When both 10:1 and 10:2 are "borrow", why do they share the available
   bandwidth equally?
4. Is my goal of having port 2000 receive at least 60mbits all the time AND
   port 2001 receiving all bandwidth when there is no port 2000 traffic not
   feasible?

I appreciate any help members can provide.

Thanks!
Muthu

On 1/4/06, Denis Ovsienko wrote:
> [...]
> > RATE1=614400000 > tc(8) manpage extract: > UNITS > All parameters accept a floating point number, possibly > followed by a unit. > > Bandwidths or rates can be specified in: > > kbps Kilobytes per second > > mbps Megabytes per second > > kbit Kilobits per second > > mbit Megabits per second > > bps or a bare number > Bytes per second > > > [...] > > tc qdisc add $DEV root handle 10: cbq bandwidth 100mbit avpkt 1000 > Bandwidth is 100 Megabits per second. > > > # 60 Mbit/s class > > tc class add $DEV parent 10:0 classid 10:1 cbq bandwidth 100mbit rate > > $RATE1 $OPTION $PRIO borrow > Rate is 614400000 Bytes per second, roughly about 6 Gigabits per second. > I hope it helps. > > -- > DO4-UANIC > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > From jakovuk at summit.by Thu Jan 5 12:29:04 2006 From: jakovuk at summit.by (Äìèòðèé ßêîâóê) Date: Thu Jan 5 12:29:20 2006 Subject: [LARTC] statistics htb Message-ID: <1944848449.20060105132904@summit.by> Hi can anybody tell me what is the best and right way to gather statistics from htb.init usage in graphics or in any other format cause it's pretty uncomfortable to view statistics in text when you've got 4 interfaces and enough filters and queues Thank you ! Dzmitryj Jakavuk From lartc-337 at ccp.com.au Thu Jan 5 12:38:31 2006 From: lartc-337 at ccp.com.au (Lee Sanders) Date: Thu Jan 5 12:38:44 2006 Subject: [LARTC] statistics htb In-Reply-To: <1944848449.20060105132904@summit.by> References: <1944848449.20060105132904@summit.by> Message-ID: <200601051938.31670.lartc-337@ccp.com.au> Hi Dzmitryj, I'd look at polltc and htbstat http://edseek.com/~jasonb/software.shtml http://www2.ldc.net/~dor/py-htbstat/ There may be others as well but these are the only two I've seen mentioned = on=20 this list for stats. 
Regards,
Lee

From seph at directionless.org Thu Jan 5 17:02:10 2006
From: seph at directionless.org (seph)
Date: Thu Jan 5 17:02:14 2006
Subject: [LARTC] multiple links and nat
Message-ID:

Hi, this might be a dumb question, but I'm not finding much information online.

I'm trying to setup a 2.6 linux box to run nat across multiple upstream links as a simple way to aggregate bandwidth. I found the instructions in lartc section 4.2 (http://lartc.org/howto/lartc.rpdb.multiple-links.html) fairly clear and straightforward. I implemented those, and a couple of trivial iptables commands and tried it.

Persistent masqueraded connections (like ssh) weren't very happy. They frequently hung, and I saw the "MASQUERADE: Route sent us somewhere else." error. Googling for that, I see lots of suggestions to use connmark, but no examples of how connmark and the multiple link stuff interact. Does anyone have a pointer?
The rules I'm using are roughly:

/sbin/ip route add P1_NET dev IF1 src IP1 table 201
/sbin/ip route add default via P1 table 201
/sbin/ip route add P1_NET dev IF1 src IP1
/sbin/ip route add 127.0.0.0/8 dev lo table 201
/sbin/ip rule add from IP1 table 201
/sbin/ip route add P2_NET dev IF2 src IP2 table 202
/sbin/ip route add default via P2 table 202
/sbin/ip route add P2_NET dev IF2 src IP2
/sbin/ip route add 127.0.0.0/8 dev lo table 202
/sbin/ip rule add from IP2 table 202

/sbin/ip route del default
/sbin/ip route add default scope global nexthop via P1 dev IF1 weight 1 nexthop via P2 dev IF2 weight 4
/sbin/ip route flush cache

/sbin/iptables -t nat -A PREROUTING -s LOCALNET -d P1_NET -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -s LOCALNET -d P2_NET -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o IF1 -s LOCALNET -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o IF2 -s LOCALNET -j MASQUERADE

thanks
seph

From eantoranz at gmail.com Thu Jan 5 17:21:52 2006
From: eantoranz at gmail.com (Edmundo Carmona)
Date: Thu Jan 5 17:22:31 2006
Subject: [LARTC] multiple links and nat
In-Reply-To:
References:
Message-ID: <65aa6af90601050821x3f8a09b4sc0abb6419451c183@mail.gmail.com>

The problem (as usual) is the change of route the routing box is doing for connections already established.

Maybe you can try using a separate routing table with a single internet link for ssh (policy routing).

From rkurjata at ire.pw.edu.pl Thu Jan 5 18:29:12 2006
From: rkurjata at ire.pw.edu.pl (Robert Kurjata)
Date: Thu Jan 5 18:28:47 2006
Subject: [LARTC] multiple links and nat
In-Reply-To: <65aa6af90601050821x3f8a09b4sc0abb6419451c183@mail.gmail.com>
References: <65aa6af90601050821x3f8a09b4sc0abb6419451c183@mail.gmail.com>
Message-ID: <174298620.20060105182912@ire.pw.edu.pl>

Hello Edmundo,

In your letter dated 5 January 2006 (17:21:52) one can read:

Please consult: http://www.ssi.bg/~ja/#routes and my example script mpath2.sh published there.
Without those patches - it just doesn't work :)

> The problem (as usual) is the change of route the routing box is doing
> for connections already established.
> Maybe you can try using a separate routing table with a single internet
> link for ssh (policy routing).

--
Regards,
Robert Kurjata

From keithm at paisd.com Thu Jan 5 22:34:55 2006
From: keithm at paisd.com (Keith Mitchell)
Date: Thu Jan 5 22:34:59 2006
Subject: [LARTC] Adding dsmark qdisc fails
Message-ID: <7CB7AD89F6E23843B328C2C542D5AF5B58DBDB@gates.paisd.com>

I'm having a problem identical to one encountered on this list awhile back:

>I'm trying to configure dsmark qdisc on 2.6.11.4 user mode linux and
>tc from iproute2-2.6.11-050314.
>
>I think I have some mismatch in my setup since adding dsmark qdisc
>fails *unless* I specify "set_tc_index" argument which I believe should
>be optional:
>
># tc qdisc add dev eth1 handle 1:0 root dsmark indices 8
>RTNETLINK answers: Invalid argument
>Mar 20 13:00:50 user user.debug kernel: dsmark_init(sch a0bb3ae0,[qdisc a0bb3b60],opt 00000000)
>
>here the log shows that opt is null, sch_dsmark checks for that and
>bails out. However running tc with "set_tc_index" goes ok:
>
># tc qdisc add dev eth1 handle 1:0 root dsmark indices 8 set_tc_index
>Mar 20 13:01:12 user user.debug kernel: dsmark_init(sch a0bb3060,[qdisc a0bb30e0],opt a038e9d0)
>Mar 20 13:01:12 user user.debug kernel: dsmark_init: qdisc a0bb30e0
>
># tc qdisc show dev eth1
>qdisc dsmark 1: indices 0x0008 set_tc_index
>
>but then changing the class fails:
>
># tc class change dev eth1 classid 1:1 dsmark mask 0x0 value 0xb8
>RTNETLINK answers: Invalid argument
>Mar 20 13:02:28 user user.debug kernel: dsmark_get(sch a0bb3060,[qdisc a0bb30e0],classid 10001)
>Mar 20 13:02:28 user user.debug kernel: dsmark_change(sch a0bb3060,[qdisc a0bb30e0],classid 10001,parent 0),arg 0x2
>
>Any ideas where I've gone wrong?
>
>--
>Tero

I've applied the patch to my iproute2 that was suggested as a solution, as well as upgrading to the latest version (http://developer.osdl.org/dev/iproute2/download/iproute2-2.6.14-051107.tar.gz) of iproute2 which includes the patch, but always get the following errors:

# tc qdisc add dev eth1 handle 1:0 root dsmark indices 64
RTNETLINK answers: Invalid argument

Changing that to:

# tc qdisc add dev eth1 handle 1:0 root dsmark indices 64 set_tc_index

works, but following that with the next command produces the same error:

# tc class change dev eth1 classid 1:1 dsmark mask 0x3 value 0x88
RTNETLINK answers: Invalid argument

Is this an iproute2 bug, or user error? I'm using iproute2 on FC4 2.6.14-1.1653

TIY
Keith Mitchell
CTO
Productivity Associates, Inc.
5625 Ruffin Rd STE 220
San Diego, CA 92123
858-495-3528 (Direct)
858-495-3540 (Fax)

From keithm at paisd.com Fri Jan 6 01:38:23 2006
From: keithm at paisd.com (Keith Mitchell)
Date: Fri Jan 6 01:38:26 2006
Subject: [LARTC] Adding dsmark qdisc fails
Message-ID: <7CB7AD89F6E23843B328C2C542D5AF5B58DBDD@gates.paisd.com>

K never mind, i'm a dork.

* Edit iproute2/Config to enable Diffserv support:

TC_CONFIG_DIFFSERV=y

From linux at pilot.org.ua Fri Jan 6 02:38:49 2006
From: linux at pilot.org.ua (Denis Ovsienko)
Date: Fri Jan 6 02:38:57 2006
Subject: [LARTC] TC/CBQ shaping problems
In-Reply-To:
References: <20060105020005.015b26aa.linux@pilot.org.ua> <20060105042114.578099e8.linux@pilot.org.ua>
Message-ID: <20060106043849.5844bffa.linux@pilot.org.ua>

> It doesn't seem to help.
> I still see bandwidth being shared equally
> between classes. Both iperf sessions report approximately 46 to 47
> Mbits/sec. Do you think what I am trying to achieve is possible with
> CBQ?

Okay... I have spent some time trying different CBQ trees until I found that I can't divide 100mbits with precision better than 10 mbit. I managed to do it before though, but with different proportions... Most surprisingly precision goes worse when avpkt goes closer to 1500 (iperf sends quite big packets).

I tried HTB and found that it doesn't divide 100mbit well, but if we try to limit outgoing interface by 50 mbit and divide it, it works just fine (see below). I guess that CBQ would do it too, if we don't try to control 100% of interface bandwidth and set all qdisc/class attributes precisely.

--------------------------------------------------------------------------
tc qdisc add dev home root handle 10: htb default 3
tc class add dev home parent 10: classid 10:1 htb rate 50mbit
tc class add dev home parent 10:1 classid 10:2 htb rate 40mbit ceil 50mbit
tc class add dev home parent 10:1 classid 10:3 htb rate 10mbit ceil 50mbit
tc filter add dev home parent 10: prio 1 protocol ip u32 match ip dst 10.0.0.102 match ip dport 2000 0xffff flowid 10:2
--------------------------------------------------------------------------

Now we have iperf server at 10.0.0.102, ports 2000 and 2001.

1. port 2000 traffic only

$ iperf --client 10.0.0.102 --port 2000 --format k --time 10 --interval 1
------------------------------------------------------------
Client connecting to 10.0.0.102, TCP port 2000
TCP window size: 16.0 KByte (default)
------------------------------------------------------------
[  5] local 10.0.0.103 port 44056 connected with 10.0.0.102 port 2000
[ ID] Interval       Transfer     Bandwidth
[  5]  0.0- 1.0 sec  6376 KBytes  52232 Kbits/sec
[  5]  1.0- 2.0 sec  6120 KBytes  50135 Kbits/sec
[  5]  2.0- 3.0 sec  6184 KBytes  50659 Kbits/sec
[  5]  3.0- 4.0 sec  6224 KBytes  50987 Kbits/sec
[  5]  4.0- 5.0 sec  6168 KBytes  50528 Kbits/sec
[  5]  5.0- 6.0 sec  6192 KBytes  50725 Kbits/sec
[  5]  6.0- 7.0 sec  6208 KBytes  50856 Kbits/sec
[  5]  7.0- 8.0 sec  6216 KBytes  50921 Kbits/sec
[  5]  8.0- 9.0 sec  6208 KBytes  50856 Kbits/sec
[  5]  9.0-10.0 sec  6200 KBytes  50790 Kbits/sec
[  5]  0.0-10.0 sec  62104 KBytes  50780 Kbits/sec

2. port 2001 traffic only

$ iperf --client 10.0.0.102 --port 2001 --format k --time 10 --interval 1
------------------------------------------------------------
Client connecting to 10.0.0.102, TCP port 2001
TCP window size: 16.0 KByte (default)
------------------------------------------------------------
[  5] local 10.0.0.103 port 48914 connected with 10.0.0.102 port 2001
[ ID] Interval       Transfer     Bandwidth
[  5]  0.0- 1.0 sec  6280 KBytes  51446 Kbits/sec
[  5]  1.0- 2.0 sec  6176 KBytes  50594 Kbits/sec
[  5]  2.0- 3.0 sec  6208 KBytes  50856 Kbits/sec
[  5]  3.0- 4.0 sec  6192 KBytes  50725 Kbits/sec
[  5]  4.0- 5.0 sec  6224 KBytes  50987 Kbits/sec
[  5]  5.0- 6.0 sec  6216 KBytes  50921 Kbits/sec
[  5]  6.0- 7.0 sec  6192 KBytes  50725 Kbits/sec
[  5]  7.0- 8.0 sec  6192 KBytes  50725 Kbits/sec
[  5]  8.0- 9.0 sec  6200 KBytes  50790 Kbits/sec
[  5]  9.0-10.0 sec  6208 KBytes  50856 Kbits/sec
[  5]  0.0-10.0 sec  62096 KBytes  50787 Kbits/sec

3. port 2001 traffic is sent alone, then mixed with port 2000 traffic, then is sent alone again.
3.1 xterm 1:

$ date; iperf --client 10.0.0.102 --port 2001 --format k --time 20 --interval 1
??? ??? 6 04:31:54 MSK 2006
------------------------------------------------------------
Client connecting to 10.0.0.102, TCP port 2001
TCP window size: 16.0 KByte (default)
------------------------------------------------------------
[  5] local 10.0.0.103 port 53131 connected with 10.0.0.102 port 2001
[ ID] Interval       Transfer     Bandwidth
[  5]  0.0- 1.0 sec  6336 KBytes  51905 Kbits/sec
[  5]  1.0- 2.0 sec  6184 KBytes  50659 Kbits/sec
[  5]  2.0- 3.0 sec  6208 KBytes  50856 Kbits/sec
[  5]  3.0- 4.0 sec  6200 KBytes  50790 Kbits/sec
[  5]  4.0- 5.0 sec  6192 KBytes  50725 Kbits/sec
[  5]  5.0- 6.0 sec  6208 KBytes  50856 Kbits/sec
[  5]  6.0- 7.0 sec  6200 KBytes  50790 Kbits/sec
[  5]  7.0- 8.0 sec  3360 KBytes  27525 Kbits/sec
[  5]  8.0- 9.0 sec  1216 KBytes   9961 Kbits/sec
[  5]  9.0-10.0 sec  1232 KBytes  10093 Kbits/sec
[  5] 10.0-11.0 sec  1248 KBytes  10224 Kbits/sec
[  5] 11.0-12.0 sec  1312 KBytes  10748 Kbits/sec
[  5] 12.0-13.0 sec  1224 KBytes  10027 Kbits/sec
[  5] 13.0-14.0 sec  1208 KBytes   9896 Kbits/sec
[  5] 14.0-15.0 sec  4088 KBytes  33489 Kbits/sec
[  5] 15.0-16.0 sec  6208 KBytes  50856 Kbits/sec
[  5] 16.0-17.0 sec  6184 KBytes  50659 Kbits/sec
[  5] 17.0-18.0 sec  6216 KBytes  50921 Kbits/sec
[  5] 18.0-19.0 sec  6224 KBytes  50987 Kbits/sec
[  5] 19.0-20.0 sec  6200 KBytes  50790 Kbits/sec
[ ID] Interval       Transfer     Bandwidth
[  5]  0.0-20.0 sec  89456 KBytes  36613 Kbits/sec

3.2 xterm 2:

$ date; iperf --client 10.0.0.102 --port 2000 --format k --time 7 --interval 1
??? ??? 6 04:32:02 MSK 2006
------------------------------------------------------------
Client connecting to 10.0.0.102, TCP port 2000
TCP window size: 16.0 KByte (default)
------------------------------------------------------------
[  5] local 10.0.0.103 port 41592 connected with 10.0.0.102 port 2000
[ ID] Interval       Transfer     Bandwidth
[  5]  0.0- 1.0 sec  4928 KBytes  40370 Kbits/sec
[  5]  1.0- 2.0 sec  5008 KBytes  41026 Kbits/sec
[  5]  2.0- 3.0 sec  4960 KBytes  40632 Kbits/sec
[  5]  3.0- 4.0 sec  4960 KBytes  40632 Kbits/sec
[  5]  4.0- 5.0 sec  4944 KBytes  40501 Kbits/sec
[  5]  5.0- 6.0 sec  4968 KBytes  40698 Kbits/sec
[  5]  6.0- 7.0 sec  4960 KBytes  40632 Kbits/sec
[  5]  0.0- 7.0 sec  34736 KBytes  40547 Kbits/sec

--
DO4-UANIC

From keithm at paisd.com Fri Jan 6 03:04:49 2006
From: keithm at paisd.com (Keith Mitchell)
Date: Fri Jan 6 03:04:50 2006
Subject: [LARTC] Wondershaper and DSCP
Message-ID: <7CB7AD89F6E23843B328C2C542D5AF5B58DBDE@gates.paisd.com>

Did anyone ever answer this one? THIS is what I am trying to do:

>[LARTC] cbq+sfq and DSCP marking
>Maria Joana Urbano stmaria@dei.uc.pt
>Thu, 13 Feb 2003 19:29:42 +0000
>
>Hi,
>
>I am a little confused about traffic control at egress + DSCP marking.
>
>Suppose I have a home router and set three different traffic classes at the
>egress interface in a similar way to what wondershaper (cbq version) does:
>
>tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 10mbit
>tc class add dev $DEV parent 1: classid 1:1 cbq rate ${UPLINK}kbit allot 1500 prio 5 bounded isolated
>tc class add dev $DEV parent 1:1 classid 1:10 cbq rate ${UPLINK}kbit allot 1600 prio 1 avpkt 1000
>tc class add dev $DEV parent 1:1 classid 1:20 cbq rate $[9*$UPLINK/10]kbit allot 1600 prio 2 avpkt 1000
>tc class add dev $DEV parent 1:1 classid 1:30 cbq rate $[8*$UPLINK/10]kbit allot 1600 prio 2 avpkt 1000
>tc qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 10
>tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10
>tc qdisc add dev $DEV parent 1:30 handle 30: sfq perturb 10
>
>Then, I would like to DSCP mark the packets that leave the router based on
>their class. Ex., packets from class 1:10 would be marked with 0xb8 and
>packets from class 1:30 would have a 0x0 DSCP mark.
>
>However, after some reading, the only DS marking examples I found were like
>this (i.e., no chance to add cbq and sfq filters):
>
>tc qdisc add $DEV handle 1:0 root dsmark indices 64
>tc class change $DEV classid 1:10 dsmark mask 0x3 value 0xb8
>tc class change $DEV classid 1:20 dsmark mask 0x3 value 0x90
>tc class change $DEV classid 1:30 dsmark mask 0x3 value 0x0
>
>I am not sure if I understood the dsmark and DSCP marking model. Is it not
>possible to add the DSCP marking to the cbq+sfq example above?
>
>Any help would be appreciated. Tnx!
>J.
>
>---
>Outgoing mail is certified Virus Free.
>Checked by AVG anti-virus system (http://www.grisoft.com).
>Version: 6.0.449 / Virus Database: 251 - Release Date: 27-01-2003

From oliver.hookins at anchor.com.au Fri Jan 6 08:34:43 2006
From: oliver.hookins at anchor.com.au (Oliver Hookins)
Date: Fri Jan 6 08:34:52 2006
Subject: [LARTC] HTB traffic shaping odd effects
Message-ID: <43BE1D93.2040409@anchor.com.au>

Hi,

I'm trying to perform some (what I consider) basic traffic shaping on our network utilising HTB. I have mostly reused the example on the lartc.org site:

tc qdisc add dev eth0 root handle 1: htb default 10
tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit burst 24k
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 50mbit ceil 80mbit burst 19k
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 1mbit ceil 1mbit
tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src X.X.X.X flowid 1:20

So we have a total of 100mbit to be used, the default class 1:10 gets 50mbit and a ceiling of 80mbit whereas my test host X.X.X.X gets only 1mbit in any situation.

Some rate limiting is definitely happening, but I am finding the outbound traffic is limited to 2mbit instead of 1mbit. If I change the rate (to say 10mbit) the outbound traffic gets up to again twice the rate (in this case 20mbit). Any thoughts?

I have had a look at the tc statistics but it doesn't appear as I would expect it to. Class 1:10 shows a lot of dropped packets but it is only averaging around 30mbit constantly. On the other hand class 1:20 doesn't show any dropped packets. Similarly there are no packets marked as overlimit for any class. I occasionally see the tokens for 1:20 go negative... everything is quite strange.

Any help would be appreciated.

--
Regards,
Oliver Hookins

From dor at ldc.net Fri Jan 6 09:42:52 2006
From: dor at ldc.net (Dmytro O. Redchuk)
Date: Fri Jan 6 09:42:55 2006
Subject: [LARTC] statistics htb
In-Reply-To: <200601051938.31670.lartc-337@ccp.com.au>
References: <1944848449.20060105132904@summit.by> <200601051938.31670.lartc-337@ccp.com.au>
Message-ID: <20060106084252.GB6412@ldc.net>

On Thu, Jan 05, 2006 at 07:38:31PM +0800, Lee Sanders wrote:
> Hi Dzmitryj,
>
> I'd look at polltc and htbstat
> http://edseek.com/~jasonb/software.shtml
> http://www2.ldc.net/~dor/py-htbstat/

I have updated (today) py-htbstat. Changes are:

o added a possibility to set upper limit for graphs (useful when counters reset after htb shaper restarting),
o added a script for getting a single picture (it returns "Content-Type: image/png") for including in other pages,
o fixed a minor bug in htbstat.cgi config file.

If anybody offers any suggestions, I'll be very thankful.

> There may be others as well but these are the only two I've seen mentioned on
> this list for stats.

--
_,-=._ /|_/| `-.} `=._,.-=-._., @ @._, `._ _,-. ) _,.-' ` G.m-"^m`m'
Dmytro O. Redchuk

From linux at pilot.org.ua Fri Jan 6 10:17:14 2006
From: linux at pilot.org.ua (Denis Ovsienko)
Date: Fri Jan 6 10:17:15 2006
Subject: [LARTC] HTB traffic shaping odd effects
In-Reply-To: <43BE1D93.2040409@anchor.com.au>
References: <43BE1D93.2040409@anchor.com.au>
Message-ID: <20060106121714.4f36042c.linux@pilot.org.ua>

> tc qdisc add dev eth0 root handle 1: htb default 10
> tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit burst 24k

Does the following help?

tc qdisc add dev eth0 root handle 1: htb default 1
tc class add dev eth0 parent 1: classid 1:1 htb rate 81mbit burst 24k

--
DO4-UANIC

From s.heidl at teles.de Fri Jan 6 15:30:46 2006
From: s.heidl at teles.de (Sebastian Heidl)
Date: Fri Jan 6 15:31:01 2006
Subject: [LARTC] routing decision based on sorce port
Message-ID: <1136557846.10545.42.camel@sehe-c4.berlin.teles.de>

Hello Routing Gurus ;-)

I'd like to know if it's possible to make a routing decision for packets originating from a specific port of the local machine without using ipfilter/iptables to mark the packets. I read about the tc filter stuff but that seems only to be able to sort the packets to a different queue on the same interface and not choose a different interface for example.

Is that at all possible and if yes how?

regards,
_sh_

From GregScott at InfraSupportEtc.com Fri Jan 6 16:16:30 2006
From: GregScott at InfraSupportEtc.com (Greg Scott)
Date: Fri Jan 6 16:16:43 2006
Subject: [LARTC] routing decision based on sorce port
Message-ID: <925A849792280C4E80C5461017A4B8A26D82@mail733.InfraSupportEtc.com>

What's wrong with using iptables to mark the packets? That is what it's for...
- Greg Scott

From rani79 at idm.net.lb Fri Jan 6 20:04:51 2006
From: rani79 at idm.net.lb (Rani Ahmed)
Date: Fri Jan 6 20:04:55 2006
Subject: [LARTC] Internet Satellite connection configuration on linux
Message-ID: <43BEBF53.5080608@idm.net.lb>

hi all.

Here in Lebanon, Beirut we are allowed only to use satellite for downlink only. Uplink is made through a router connected to public land lines. The satellite card is a penta card. I want to distribute Internet connection to customers. Such a connection I want to do on linux, but what hinders me is the configuration which I don't know how to do. So please, someone tell me how to configure that, please.

This is the diagram of what I want to make with linux:

----satelite----downlink_only----->[Linux box]<---->{customers_LAN}
                                       ||
                                       ||
{ISP} <====(cisco_router)<==uplink=====

Thanks for your help.
From seph at directionless.org Fri Jan 6 20:14:08 2006 From: seph at directionless.org (seph) Date: Fri Jan 6 20:14:18 2006 Subject: [LARTC] multiple links and nat In-Reply-To: <174298620.20060105182912@ire.pw.edu.pl> (Robert Kurjata's message of "Thu, 5 Jan 2006 18:29:12 +0100") References: <65aa6af90601050821x3f8a09b4sc0abb6419451c183@mail.gmail.com> <174298620.20060105182912@ire.pw.edu.pl> Message-ID: I was hoping to avoid having to patch things. I'll take a look at mpath and see what I want to do. If it really does need patching than I think the howto should be updated to reflect that. seph Robert Kurjata writes: > Witaj Edmundo, > > W Twoim li?cie datowanym 5 stycznia 2006 (17:21:52) mo?na przeczyta?: > > Please consult: http://www.ssi.bg/~ja/#routes and my example scpript > mpath2.sh published there. > > Without those patches - it just doesn't work :) > > >> The problem (as usual) is the change of route the routing box is doing >> for connections already stablished. > >> Maybe you can try using separate routing tablewith a single internet >> link for ssh (policy routing). > >> On 1/5/06, seph wrote: >>> Hi, this might be a dumb question, but I'm not finding much >>> information online. >>> >>> I'm trying to setup a 2.6 linux box to run nat across multiple >>> upstream links as a simple way to aggregate bandwidth. I found the >>> instructions in lartc section 4.2 >>> (http://lartc.org/howto/lartc.rpdb.multiple-links.html) fairly clear >>> and straightforward. I implemented those, and a couple of trivial >>> iptables commands and tried it. >>> >>> Persistent masqueraded connections (like ssh) weren't very happy. The >>> frequently hung, and I saw the "MASQUERADE: Route sent us somewhere >>> else." error. googling for that, I see lots of suggestions to use >>> connmark, but no examples of how connmark and the multiple link stuff >>> interact. Does anyone have a pointer? 
>>>
>>> The rules I'm using are roughly:
>>>
>>> /sbin/ip route add P1_NET dev IF1 src IP1 table 201
>>> /sbin/ip route add default via P1 table 201
>>> /sbin/ip route add P1_NET dev IF1 src IP1
>>> /sbin/ip route add 127.0.0.0/8 dev lo table 201
>>> /sbin/ip rule add from IP1 table 201
>>> /sbin/ip route add P2_NET dev IF2 src IP2 table 202
>>> /sbin/ip route add default via P2 table 202
>>> /sbin/ip route add P2_NET dev IF2 src IP2
>>> /sbin/ip route add 127.0.0.0/8 dev lo table 202
>>> /sbin/ip rule add from IP2 table 202
>>>
>>>
>>> /sbin/ip route del default
>>> /sbin/ip route add default scope global nexthop via P1 dev IF1 weight 1 nexthop via P2 dev IF2 weight 4
>>> /sbin/ip route flush cache
>>>
>>>
>>> /sbin/iptables -t nat -A PREROUTING -s LOCALNET -d P1_NET -j ACCEPT
>>> /sbin/iptables -t nat -A PREROUTING -s LOCALNET -d P2_NET -j ACCEPT
>>> /sbin/iptables -t nat -A POSTROUTING -o IF1 -s LOCALNET -j MASQUERADE
>>> /sbin/iptables -t nat -A POSTROUTING -o IF2 -s LOCALNET -j MASQUERADE
>>>
>>>
>>> thanks
>>> seph
>>>
>
>
> --
> Regards,
> Robert Kurjata

From s.heidl at teles.de Fri Jan 6 20:36:17 2006
From: s.heidl at teles.de (Sebastian Heidl)
Date: Fri Jan 6 20:36:33 2006
Subject: [LARTC] routing decision based on sorce port
In-Reply-To: <925A849792280C4E80C5461017A4B8A26D82@mail733.InfraSupportEtc.com>
References: <925A849792280C4E80C5461017A4B8A26D82@mail733.InfraSupportEtc.com>
Message-ID: <20060106203617.ced282b6.s.heidl@teles.de>

> On Fri, 6 Jan 2006 09:16:30 -0600 "Greg Scott" wrote:
>
> What's wrong with using iptables to mark the packets? That is what it's
> for...

Well, I thought it would be "cleaner" to use the routing tools to do the routing. If that's the "way to do it", fine.

thanks,
_sh_

> - Greg Scott
>
>
> -----Original Message-----
> From: lartc-bounces@mailman.ds9a.nl
> [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Sebastian Heidl
> Sent: Friday, January 06, 2006 8:31 AM
> To: lartc@mailman.ds9a.nl
> Subject: [LARTC] routing decision based on sorce port
>
>
>
> Hello Routing Gurus ;-)
>
> I'd like to know if it's possible to make a routing decision for packets
> originating from a specific port of the local machine without using
> ipfilter/iptables to mark the packets. I read about the tc filter stuff
> but that seems only to be able to sort the packets to a different queue
> on the same interface and not choose a different interface for example.
>
> Is that at all possible and if yes how ?
>
> regards,
> _sh_

From gypsy at iswest.com Sat Jan 7 06:02:54 2006
From: gypsy at iswest.com (gypsy)
Date: Sat Jan 7 06:03:06 2006
Subject: [LARTC] multiple links and nat
References: <65aa6af90601050821x3f8a09b4sc0abb6419451c183@mail.gmail.com> <174298620.20060105182912@ire.pw.edu.pl>
Message-ID: <43BF4B7E.CC12537A@iswest.com>

seph wrote:
>
> I was hoping to avoid having to patch things. I'll take a look at
> mpath and see what I want to do.
>
> If it really does need patching then I think the howto should be
> updated to reflect that.
>
> seph

Seph,

The HOWTO has not been updated in years. Who knows when, if ever, it will be?

Robert is correct.
--
gypsy

> Robert Kurjata writes:
>
> > Hello Edmundo,
> >
> > In your letter dated 5 January 2006 (17:21:52) one can read:
> >
> > Please consult: http://www.ssi.bg/~ja/#routes and my example script
> > mpath2.sh published there.
> >
> > Without those patches - it just doesn't work :)
> >
> >
> >> The problem (as usual) is the change of route the routing box is doing
> >> for connections already established.
> >
> >> Maybe you can try using separate routing table with a single internet
> >> link for ssh (policy routing).
> >
> >> On 1/5/06, seph wrote:
> >>> Hi, this might be a dumb question, but I'm not finding much
> >>> information online.
> >>>
> >>> I'm trying to setup a 2.6 linux box to run nat across multiple
> >>> upstream links as a simple way to aggregate bandwidth. I found the
> >>> instructions in lartc section 4.2
> >>> (http://lartc.org/howto/lartc.rpdb.multiple-links.html) fairly clear
> >>> and straightforward. I implemented those, and a couple of trivial
> >>> iptables commands and tried it.
> >>>
> >>> Persistent masqueraded connections (like ssh) weren't very happy. They
> >>> frequently hung, and I saw the "MASQUERADE: Route sent us somewhere
> >>> else." error. googling for that, I see lots of suggestions to use
> >>> connmark, but no examples of how connmark and the multiple link stuff
> >>> interact. Does anyone have a pointer?
> >>>
> >>> The rules I'm using are roughly:
> >>>
> >>> /sbin/ip route add P1_NET dev IF1 src IP1 table 201
> >>> /sbin/ip route add default via P1 table 201
> >>> /sbin/ip route add P1_NET dev IF1 src IP1
> >>> /sbin/ip route add 127.0.0.0/8 dev lo table 201
> >>> /sbin/ip rule add from IP1 table 201
> >>> /sbin/ip route add P2_NET dev IF2 src IP2 table 202
> >>> /sbin/ip route add default via P2 table 202
> >>> /sbin/ip route add P2_NET dev IF2 src IP2
> >>> /sbin/ip route add 127.0.0.0/8 dev lo table 202
> >>> /sbin/ip rule add from IP2 table 202
> >>>
> >>>
> >>> /sbin/ip route del default
> >>> /sbin/ip route add default scope global nexthop via P1 dev IF1 weight 1 nexthop via P2 dev IF2 weight 4
> >>> /sbin/ip route flush cache
> >>>
> >>>
> >>> /sbin/iptables -t nat -A PREROUTING -s LOCALNET -d P1_NET -j ACCEPT
> >>> /sbin/iptables -t nat -A PREROUTING -s LOCALNET -d P2_NET -j ACCEPT
> >>> /sbin/iptables -t nat -A POSTROUTING -o IF1 -s LOCALNET -j MASQUERADE
> >>> /sbin/iptables -t nat -A POSTROUTING -o IF2 -s LOCALNET -j MASQUERADE
> >>>
> >>>
> >>> thanks
> >>> seph
> > --
> > Regards,
> > Robert Kurjata

From ff at nrvissing.net Sat Jan 7 09:15:20 2006
From: ff at nrvissing.net (Flemming Frandsen)
Date: Sat Jan 7 09:15:53 2006
Subject: [LARTC] Sharing a DSL between 40 subnets with htb
Message-ID: <43BF7898.1070409@nrvissing.net>

I have a network with around 40 /24 subnets that shares a common DSL, this cries out for shaping so here I am trying to make it work as my first tc project.

I have managed to cargocult some snippets from this list and tried to come up with a config, but there are a few things that I'd really like some input on:

1) Are the NAT'ed addresses available in the PREROUTING table of eth0?

2) If not then can I have the iptable --set-mark stuff in the tables for one interface and use the mark in tc on another interface?

3) Is it possible to filter on the routing table instead of the --set-mark?
so all traffic going to a certain router gets filtered into the same htb?

4) Does this look at all sane?

Note: I didn't generate the 40 classes for this example.

#!/bin/sh -x
#This is a generated traffic shaper script that is supposed to evenly
#share out a common DSL line between a number of subnets on:
#eth0: The DSL line.
#eth1: The 10.48.0.0/12 net, which contains 20 user subnets.
#eth2: The 10.16.0.0/12 net, which contains the server net.
#ath0: The 10.32.0.0/12 net, which contains 20 user subnets.

#Root htb that all the traffic is going to go through:
tc qdisc add dev eth0 root handle 1: htb default 0x42
tc class add dev eth0 parent 1: classid 1:1 htb rate 700kbit burst 6k

#Default class for everything not matched by the firewall rules:
tc class add dev eth0 parent 1:1 classid 1:42 htb rate 600kbit\
  burst 15k prio 0
tc qdisc add dev eth0 parent 1:42 handle 42: sfq perturb 20

#Have the bucket that traffic gets dropped into
#be determined by the firewall mark
#btw: --set-mark 0xbabeface maps to class id babe:face
tc filter add dev eth0 parent 1: protocol ip prio 1 handle 1 fw

#Start the table for classifying traffic:
iptables -t mangle -N to-dsl

#Hook up the classification table to the interface
iptables -t mangle -A PREROUTING -o eth0 -j to-dsl

#Here are all the buckets for the user subnets

#Adding subnet: 10.16.0.0/24
iptables -t mangle -A to-dsl -s 10.16.0.0/24\
  -j MARK --set-mark 0x11000
tc class add dev eth0 parent 1:1 classid 1:1000\
  htb rate 600kbit burst 15k prio 10
tc qdisc add dev eth0 parent 1:1000 sfq perturb 20

#Adding subnet: 10.32.0.0/24
iptables -t mangle -A to-dsl -s 10.32.0.0/24\
  -j MARK --set-mark 0x12000
tc class add dev eth0 parent 1:1 classid 1:2000\
  htb rate 600kbit burst 15k prio 10
tc qdisc add dev eth0 parent 1:2000 sfq perturb 20

#Adding subnet: 10.32.1.0/24
iptables -t mangle -A to-dsl -s 10.32.1.0/24\
  -j MARK --set-mark 0x12001
tc class add dev eth0 parent 1:1 classid 1:2001\
  htb rate 600kbit burst 15k prio 10
tc qdisc add dev eth0 parent 1:2001 sfq perturb 20

#Adding subnet: 10.32.2.0/24
iptables -t mangle -A to-dsl -s 10.32.2.0/24\
  -j MARK --set-mark 0x12002
tc class add dev eth0 parent 1:1 classid 1:2002\
  htb rate 600kbit burst 15k prio 10
tc qdisc add dev eth0 parent 1:2002 sfq perturb 20

#Adding subnet: 10.32.3.0/24
iptables -t mangle -A to-dsl -s 10.32.3.0/24\
  -j MARK --set-mark 0x12003
tc class add dev eth0 parent 1:1 classid 1:2003\
  htb rate 600kbit burst 15k prio 10
tc qdisc add dev eth0 parent 1:2003 sfq perturb 20

#Adding subnet: 10.48.0.0/24
iptables -t mangle -A to-dsl -s 10.48.0.0/24\
  -j MARK --set-mark 0x13000
tc class add dev eth0 parent 1:1 classid 1:3000\
  htb rate 600kbit burst 15k prio 10
tc qdisc add dev eth0 parent 1:3000 sfq perturb 20

#Adding subnet: 10.48.1.0/24
iptables -t mangle -A to-dsl -s 10.48.1.0/24\
  -j MARK --set-mark 0x13001
tc class add dev eth0 parent 1:1 classid 1:3001\
  htb rate 600kbit burst 15k prio 10
tc qdisc add dev eth0 parent 1:3001 sfq perturb 20

#Adding subnet: 10.48.2.0/24
iptables -t mangle -A to-dsl -s 10.48.2.0/24\
  -j MARK --set-mark 0x13002
tc class add dev eth0 parent 1:1 classid 1:3002\
  htb rate 600kbit burst 15k prio 10
tc qdisc add dev eth0 parent 1:3002 sfq perturb 20

#Adding subnet: 10.48.3.0/24
iptables -t mangle -A to-dsl -s 10.48.3.0/24\
  -j MARK --set-mark 0x13003
tc class add dev eth0 parent 1:1 classid 1:3003\
  htb rate 600kbit burst 15k prio 10
tc qdisc add dev eth0 parent 1:3003 sfq perturb 20

From linux at pilot.org.ua Sun Jan 8 01:04:53 2006
From: linux at pilot.org.ua (Denis Ovsienko)
Date: Sun Jan 8 01:04:58 2006
Subject: [LARTC] routing decision based on sorce port
In-Reply-To: <1136557846.10545.42.camel@sehe-c4.berlin.teles.de>
References: <1136557846.10545.42.camel@sehe-c4.berlin.teles.de>
Message-ID: <20060108030453.04c6ad7f.linux@pilot.org.ua>

There is a small, but important issue with outgoing packets policy routing.
Locally originating packets don't hit PREROUTING chain of mangle table (http://www.faqs.org/docs/iptables/traversingoftables.html), so you generally can't policy route such traffic.

--
DO4-UANIC

From r.belletti at Libero.it Sun Jan 8 07:24:34 2006
From: r.belletti at Libero.it (Roberto Belletti)
Date: Sun Jan 8 07:24:44 2006
Subject: [LARTC] unexpected drop
Message-ID: <000801c6141c$31ad2b30$0100000a@casa>

Hello everybody,

I have a Linux router with an ethernet adapter and an ADSL device.
My router has a GRE tunnel connected to a remote IP address.

Using "tc" I have configured 3 different classes:
1. 290kbit rate (used for Voip Services)
2. 180kbit rate (used for GRE tunnel)
3. 80kbit rate (for generic data traffic)

For each class, using "iperf", I send some data from a PC (connected through the eth0 device) to a remote destination. The remote destination is the GRE tunnel terminator.

The data traffic test is different for each class:
1. 240kbit, 60byte packet size, UDP protocol
2. 200kbit, 250byte packet size, UDP protocol
3. 80kbit, 235byte packet size, UDP protocol

In this way I got a lot of dropped packets on each class, while my expected result was many dropped packets only on the second class.

Can someone help me?
Thank you all,
roberto

This is the class configuration script:

iptables -t mangle -A PREROUTING -m dscp --dscp 40 -j MARK --set-mark 100
iptables -t mangle -A PREROUTING -m dscp --dscp 40 -j ACCEPT
iptables -t mangle -A PREROUTING -d 11.11.11.250 -j DSCP --set-dscp 16
iptables -t mangle -A PREROUTING -d 11.11.11.250 -j MARK --set-mark 200
iptables -t mangle -A PREROUTING -d 11.11.11.250 -j ACCEPT
iptables -t mangle -A PREROUTING -j DSCP --set-dscp 0
iptables -t mangle -A PREROUTING -j MARK --set-mark 300
iptables -t mangle -A PREROUTING -j ACCEPT

tc qdisc add dev atm0 root handle 1: cbq bandwidth 500Kbit avpkt 500
tc qdisc add dev tadsl0 root handle 1: cbq bandwidth 500Kbit avpkt 500

tc class add dev atm0 classid 1:1 parent 1: cbq bandwidth 500Kbit rate 500Kbit avpkt 400 prio 1 allot 500

tc class add dev atm0 classid 1:2 parent 1:1 cbq bandwidth 500Kbit rate 290Kbit avpkt 400 prio 1 allot 500 bounded isolated
tc filter add dev atm0 parent 1:0 protocol ip prio 1 handle 100 fw flowid 1:2
tc qdisc add dev atm0 parent 1:2 pfifo limit 10

tc class add dev atm0 classid 1:3 parent 1:1 cbq bandwidth 500Kbit rate 180Kbit avpkt 400 prio 2 bounded isolated allot 500
tc filter add dev atm0 parent 1:0 protocol ip prio 2 handle 200 fw flowid 1:3
tc qdisc add dev atm0 parent 1:3 handle 20: sfq perturb 5

tc class add dev atm0 classid 1:4 parent 1:1 cbq bandwidth 500Kbit rate 80Kbit avpkt 400 prio 3 bounded isolated allot 500
tc filter add dev atm0 parent 1:0 protocol ip prio 3 handle 300 fw flowid 1:4
tc qdisc add dev atm0 parent 1:4 handle 30: sfq perturb 5

From kajtek at biezanow.net Sun Jan 8 16:59:23 2006
From: kajtek at biezanow.net (Kajetan Staszkiewicz)
Date: Sun Jan 8 16:59:15 2006
Subject: [LARTC] HTB - not borrowing, not exceeding rate
Message-ID: <200601081659.24726.kajtek@biezanow.net>

Hello!
I have a quite complicated setup. In my network on each interface there is bandwidth limitation for each user. Both outgoing (on interface itself) and incoming (attached IMQ) traffic. There is main HTB class which limits bandwidth for whole interface and HTB subclasses for each user. Filtering is done with hashing filters. This setup was working correctly.

But now in the network I have a DC hub (p2p) which allows user to exchange files. The problem is that I want in-network p2p connections to be faster than Internet bandwidth (and not "eating" their Internet bandwidth) and also I want in-network connections to have lower priority in borrowing the link bandwidth (I am using radio links between network segments and having "good" Internet access is priority over local traffic).

Here is current setup:

tc qdisc del root dev eth2.24 2>/dev/null
tc qdisc add root dev eth2.24 handle 1: htb default 1

# main rate limitation for whole connection (802.11a radio link)
tc class add dev eth2.24 parent 1: classid 1:1 htb rate 15000kbit ceil 15000kbit burst 10kbit

# class for internet connections - this one can use nearly whole link
tc class add dev eth2.24 parent 1:1 classid 1:6667 htb rate 12000kbit ceil 13500kbit burst 100kbit

# class for in-network p2p connections - this one has lower guaranteed rate
tc class add dev eth2.24 parent 1:1 classid 1:6666 htb rate 3000kbit ceil 14000kbit burst 10kbit
tc qdisc add dev eth2.24 parent 1:6666 handle 6666: sfq perturb 5 quantum 1500b

# users (htb+sfq for each):
tc class add dev eth2.24 parent 1:6667 classid 1:2 htb rate 1kbit ceil 256kbit quantum 2000 burst 100kbit
tc qdisc add dev eth2.24 parent 1:2 handle 2: sfq perturb 5 quantum 1500b
tc class add dev eth2.24 parent 1:6667 classid 1:3 htb rate 1kbit ceil 256kbit quantum 2000 burst 100kbit
tc qdisc add dev eth2.24 parent 1:3 handle 3: sfq perturb 5 quantum 1500b
....
....
tc class add dev eth2.24 parent 1:6667 classid 1:1006 htb rate 1kbit ceil 384kbit quantum 2000 burst 100kbit
tc qdisc add dev eth2.24 parent 1:1006 handle 1006: sfq perturb 5 quantum 1500b

(some hashing filters - which I think are working properly, so not shown here)

# traffic going to these networks goes to hashing filters
tc filter add dev eth2.24 protocol ip parent 1:0 u32 match ip dst 192.168.1.0/24 hashkey mask 0x000000ff at 16 link 2:
$TC filter add dev eth2.24 protocol ip parent 1:0 u32 match ip dst 192.168.3.0/24 hashkey mask 0x000000ff at 16 link 3:

# now in-network p2p traffic. if it comes from other LANs then direct it to
# 1:6666
tc filter add dev eth2.24 protocol ip parent 1:0 u32 match ip src 192.168.5.0/24 flowid 1:6666
tc filter add dev eth2.24 protocol ip parent 1:0 u32 match ip src 192.168.4.0/24 flowid 1:6666

Filters look OK. AFAIK the last filter is the most important so even traffic to 192.168.1.0/24 but coming from 192.168.5.0/24 will go to 1:6666 instead of hashing filters and user bandwidth HTB. The hashing filters were working on previous setup and now users still have their proper bandwidth from the Internet.

Here is the graph representing the traffic:
http://tuxpowered.net/lan_p2p/lan_eth1_rx_dzien.png
the colors are:
#ff00ff - htb 1:6666 (LAN p2p)
#00ff00 - htb 1:6667 (Internet)
#000000 - real interface traffic (tc -s li show ethXX)

And now description of the problem: Class 1:6666 never has more traffic than 'rate'. AFAIK it should be having 'rate' as minimum guaranteed rate and going up to 'ceil' if there is free bandwidth. (directing LAN traffic to 1:1 works OK - look at the graph at about 14:45 - 14:55)

Bandwidth sharing setup works for me on WAN interfaces, but there I have only 1 level of classes tree. Here are 2 levels and it is not working.

What I want:

               .---------------------------------.
               | 1:1 rate = ceil = link bandwidth|
               `---------------------------------'
                   |                        |
   .--------------------.      .-------------------------.
   | 1:6666 p2p traffic |      | 1:6667 Internet traffic |
   | low priority in    |      | high priority in        |
   | bandwidth sharing: |      | bandwidth sharing:      |
   | ceil =~ from 1:1   |      | ceil =~ from 1:1        |
   | rate = small       |      | rate = (from1:1)-1:6666 |
   `--------------------'      `-------------------------'
                                   |
                                   +-- 1:2 user rate=1kbit ceil=256kbit
                                   +-- 1:2 user rate=1kbit ceil=256kbit
                                   .....
                                   +-- 1:1203 user rate=1kbit ceil=384kbit

--
| regards / greetings    | powered by Trustix, Gentoo and FreeBSD |
| Kajetan Staszkiewicz   | JID: vegeta@chrome.pl                  |
| Vegeta                 | IMQ devnames: http://tuxpowered.net    |
`------------------------^----------------------------------------'

From ff at nrvissing.net Sun Jan 8 19:08:31 2006
From: ff at nrvissing.net (Flemming Frandsen)
Date: Sun Jan 8 19:09:05 2006
Subject: [LARTC] Sharing a DSL between 40 subnets with htb
In-Reply-To: <43C0058C.CFD61ED3@iswest.com>
References: <43BF7898.1070409@nrvissing.net> <43C0058C.CFD61ED3@iswest.com>
Message-ID: <43C1551F.90200@nrvissing.net>

gypsy wrote:
> I recommend that you look here. It may not be what you want, but it
> certainly is worth checking out even if it turns out not to be your
> answer: http://www.shurdix.org/

I'm not going to change the entire OS just to get the traffic shaping set up and the traffic shaper in shurdix does shaping per ip (which is not what I want).

However, shurdix does use the imq to do ingress shaping (aka policing) and that's a neat trick that had somehow escaped my attention, so thanks for the hint.

Someone really ought to start a LARTC cookbook wiki to go with the LARTC howto.
From andy.furniss at dsl.pipex.com Sun Jan 8 22:16:00 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Sun Jan 8 22:15:43 2006
Subject: [LARTC] Sharing a DSL between 40 subnets with htb
In-Reply-To: <43BF7898.1070409@nrvissing.net>
References: <43BF7898.1070409@nrvissing.net>
Message-ID: <43C18110.6020504@dsl.pipex.com>

Flemming Frandsen wrote:
> I have a network with around 40 /24 subnets that shares a common DSL,
> this cries out for shaping so here I am trying to make it work as my
> first tc project.
>
> I have managed to cargocult some snippets from this list and tried to
> come up with a config, but there are a few things that I'd really like
> some input on:
>
> 1) Are the NAT'ed addresses available in the PREROUTING table of eth0?

eth0 doesn't have a prerouting table; everything coming in from anywhere hits prerouting. If eth0 is WAN then packets coming in will still have real ip addresses in PREROUTING.

>
> 2) If not then can I have the iptable --set-mark stuff in the tables
> for one interface and use the mark in tc on another interface?

Yes, tables are not device specific.

>
> 3) Is it possible to filter on the routing table instead of the
> --set-mark? so all traffic going to a certain router gets
> filtered into the same htb?

You could use tc filters on ip/dst mac etc

> #Have the bucket that traffic gets dropped into
> #be determined by the firewall mark
> #btw: --set-mark 0xbabeface maps to class id babe:face
> tc filter add dev eth0 parent 1: protocol ip prio 1 handle 1 fw

Don't think you need handle 1 here.

>
> #Hook up the classification table to the interface
> iptables -t mangle -A PREROUTING -o eth0 -j to-dsl

Out dev isn't known in prerouting.

Andy.
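An added example, not Flemming's generated script nor anything posted in the thread, that applies Andy's two corrections: the marks are set in mangle POSTROUTING, where the outgoing device is known, and the fw filter is added without a handle so that the mark itself selects the class through the 0xbabeface -> babe:face mapping the script relies on. The subnet list, the DRY_RUN switch, the per-leaf rates and the helper names are this example's assumptions.

```shell
#!/bin/sh
# Added example (not the script from the thread): per-subnet htb classes on
# the DSL device, selected by firewall mark. DRY_RUN=1 (the default here)
# prints the commands instead of running them, so it can be inspected first.
set -eu

DEV=${DEV:-eth0}
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Map a 10.X.Y.0/24 subnet to a firewall mark. When the fw filter is added
# without a handle, the classifier uses the mark directly as the class id:
# high 16 bits = major, low 16 bits = minor (0xbabeface -> babe:face).
# A mark of 0x1MYYY therefore lands in class 1:MYYY, with M = X/16 and
# YYY = Y in hex, which reproduces the numbering of the posted script.
subnet_mark() {
    subnet=$1
    x=$(echo "$subnet" | cut -d. -f2)
    y=$(echo "$subnet" | cut -d. -f3)
    m=$((x / 16))
    printf '0x1%x%03x\n' "$m" "$y"
}

# Class id (major:minor, hex) that the fw classifier derives from a mark.
mark_to_classid() {
    val=$(($1))
    printf '%x:%x\n' $((val >> 16)) $((val & 0xffff))
}

setup_root() {
    run tc qdisc add dev "$DEV" root handle 1: htb default 0x42
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate 700kbit burst 6k
    # Default class for anything the mangle rules did not mark.
    run tc class add dev "$DEV" parent 1:1 classid 1:42 htb rate 100kbit ceil 600kbit burst 15k prio 0
    run tc qdisc add dev "$DEV" parent 1:42 handle 42: sfq perturb 20
    # No "handle N" on the fw filter: with no explicit entries the mark is
    # taken as the class id, which is what the per-subnet marks count on.
    run tc filter add dev "$DEV" parent 1: protocol ip prio 1 fw
    run iptables -t mangle -N to-dsl
    # The output device is only known after routing, so the classification
    # chain hangs off POSTROUTING (-o is not valid in PREROUTING). The egress
    # qdisc on $DEV sees the mark because it runs after POSTROUTING.
    run iptables -t mangle -A POSTROUTING -o "$DEV" -j to-dsl
}

# One leaf per subnet. Guaranteed rates of all leaves should not exceed the
# parent's 700kbit (assumed: 40 subnets x 15kbit); each may borrow up to 600kbit.
add_subnet() {
    subnet=$1
    mark=$(subnet_mark "$subnet")
    cls=$(mark_to_classid "$mark")
    run iptables -t mangle -A to-dsl -s "$subnet" -j MARK --set-mark "$mark"
    run tc class add dev "$DEV" parent 1:1 classid "$cls" htb rate 15kbit ceil 600kbit burst 15k prio 10
    run tc qdisc add dev "$DEV" parent "$cls" sfq perturb 20
}

main() {
    setup_root
    # Constructed sample of the 40 subnets from the thread.
    for s in 10.16.0.0/24 10.32.0.0/24 10.32.1.0/24 10.48.0.0/24 10.48.1.0/24; do
        add_subnet "$s"
    done
}

main
```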
From andy.furniss at dsl.pipex.com Sun Jan 8 22:20:08 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Sun Jan 8 22:19:51 2006
Subject: [LARTC] unexpected drop
In-Reply-To: <000801c6141c$31ad2b30$0100000a@casa>
References: <000801c6141c$31ad2b30$0100000a@casa>
Message-ID: <43C18208.3070209@dsl.pipex.com>

Roberto Belletti wrote:
> Hello everybody,
>
> I have a Linux router with an ethernet adapter and an ADSL device.
> My router has a GRE tunnel connected to a remote IP address.
>
> Using "tc" I have configured 3 different classes:
> 1. 290kbit rate (used for Voip Services)
> 2. 180kbit rate (used for GRE tunnel)
> 3. 80kbit rate (for generic data traffic)
>
> For each class, using "iperf", I send some data from a PC (connected through the eth0 device)
> to a remote destination. The remote destination is the GRE tunnel terminator.
>
> The data traffic test is different for each class:
> 1. 240kbit, 60byte packet size, UDP protocol
> 2. 200kbit, 250byte packet size, UDP protocol
> 3. 80kbit, 235byte packet size, UDP protocol
>
> In this way I got a lot of dropped packets on each class, while my expected result was
> many dropped packets only on the second class.

iperf may be using data rates; htb uses ip level packet sizes (I guess on atm0 - it's ip len +14 on eth).

I don't know cbq but notice the rates don't add up.

Andy.

From andy.furniss at dsl.pipex.com Sun Jan 8 23:00:48 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Sun Jan 8 23:00:31 2006
Subject: [LARTC] Wondershaper and DSCP
In-Reply-To: <7CB7AD89F6E23843B328C2C542D5AF5B58DBDE@gates.paisd.com>
References: <7CB7AD89F6E23843B328C2C542D5AF5B58DBDE@gates.paisd.com>
Message-ID: <43C18B90.6060105@dsl.pipex.com>

Keith Mitchell wrote:
> Did anyone ever answer this one?
> THIS is what I am trying to do:
>
>
>>[LARTC] cbq+sfq and DSCP marking

I haven't used dscp but it looks like you need to add cbq below dsmark and then filter with tcindex, see http://lartc.org/howto/lartc.adv-qdisc.dsmark.html

Andy.

From oliver.hookins at anchor.com.au Mon Jan 9 00:13:46 2006
From: oliver.hookins at anchor.com.au (Oliver Hookins)
Date: Mon Jan 9 00:14:53 2006
Subject: [LARTC] HTB traffic shaping odd effects
In-Reply-To: <20060106121714.4f36042c.linux@pilot.org.ua>
References: <43BE1D93.2040409@anchor.com.au> <20060106121714.4f36042c.linux@pilot.org.ua>
Message-ID: <43C19CAA.3040807@anchor.com.au>

Denis Ovsienko wrote:
>>tc qdisc add dev eth0 root handle 1: htb default 10
>>tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit burst 24k
>
> Does the following help?
> tc qdisc add dev eth0 root handle 1: htb default 1
> tc class add dev eth0 parent 1: classid 1:1 htb rate 81mbit burst 24k

That seems a bit backward, limiting the total available bandwidth to enforce child class limits. Or is that how htb works, that the sum of the child classes must add up to no less than the parent class?

In any case we have 100mbit available so I don't want to set it any lower than that, if possible.

--
Regards,
Oliver Hookins

From andy.furniss at dsl.pipex.com Mon Jan 9 02:06:00 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Mon Jan 9 02:07:09 2006
Subject: [LARTC] HTB traffic shaping odd effects
In-Reply-To: <43BE1D93.2040409@anchor.com.au>
References: <43BE1D93.2040409@anchor.com.au>
Message-ID: <43C1B6F8.5010803@dsl.pipex.com>

Oliver Hookins wrote:
> Hi,
>
> I'm trying to perform some (what I consider) basic traffic shaping on
> our network utilising HTB.
> I have mostly reused the example on the
> lartc.org site:
>
> tc qdisc add dev eth0 root handle 1: htb default 10
> tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit burst 24k
> tc class add dev eth0 parent 1:1 classid 1:10 htb rate 50mbit ceil
> 80mbit burst 19k

burst 19k will limit you unless your HZ=1000

> tc class add dev eth0 parent 1:1 classid 1:20 htb rate 1mbit ceil
> 1mbit
> tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
> tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
> tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src
> X.X.X.X flowid 1:20
>
> So we have a total of 100mbit to be used, the default class 1:10 gets
> 50mbit and a ceiling of 80mbit whereas my test host X.X.X.X gets only
> 1mbit in any situation. Some rate limiting is definitely happening, but
> I am finding the outbound traffic is limited to 2mbit instead of 1mbit.
> If I change the rate (to say 10mbit) the outbound traffic gets up to
> again twice the rate (in this case 20mbit).

Not sure, can you show output of tc -s -d class ls dev eth0 while it's running at 2x speed.

>
> Any thoughts? I have had a look at the tc statistics but it doesn't
> appear as I would expect it to. Class 1:10 shows a lot of dropped
> packets but it is only averaging around 30mbit constantly. On the other
> hand class 1:20 doesn't show any dropped packets. Similarly there are no
> packets marked as overlimit for any class.

Apart from the 30mbit that would be normal.

Andy.

> I occasionally see the tokens
> for 1:20 go negative... everything is quite strange.
>
> Any help would be appreciated.
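The burst/HZ relation behind Andy's "burst 19k will limit you unless your HZ=1000", as an added example that is not from the thread: on the 2.6 kernels of the time HTB's wakeup timer ran off jiffies, so a class that has drained its bucket waits a tick and can move at most about burst x HZ bytes per second, whatever its ceil says. The checker below also applies the rule that a parent's burst should be no smaller than its children's. The function names, the 1500-byte MTU and the default-burst formula (rate/HZ + MTU, which tc's q_htb.c uses when burst is omitted) are this example's assumptions; units are parsed the way tc does (sizes in units of 1024, rates in units of 1000).

```shell
#!/bin/sh
# Added example, not from the thread: check HTB burst values against HZ.
set -eu

MTU=${MTU:-1500}

# Split "80mbit" into number and lower-cased unit.
split_unit() {
    num=${1%%[a-zA-Z]*}
    unit=$(echo "${1#"$num"}" | tr 'A-Z' 'a-z')
}

# tc rate ("80mbit", "512kbit", "100kbps") -> bytes per second.
rate_to_bps() {
    split_unit "$1"
    case $unit in
        mbit) echo $((num * 1000000 / 8)) ;;
        kbit) echo $((num * 1000 / 8)) ;;
        bit)  echo $((num / 8)) ;;
        mbps) echo $((num * 1000000)) ;;
        kbps) echo $((num * 1000)) ;;
        bps|"") echo "$num" ;;
        *) echo "unknown rate unit: $unit" >&2; return 1 ;;
    esac
}

# tc size ("19k", "24kb", "100kbit", "6000b") -> bytes; tc uses 1024 here,
# so "10kbit" as a burst is only 1280 bytes.
size_to_bytes() {
    split_unit "$1"
    case $unit in
        k|kb) echo $((num * 1024)) ;;
        m|mb) echo $((num * 1024 * 1024)) ;;
        kbit) echo $((num * 1024 / 8)) ;;
        mbit) echo $((num * 1024 * 1024 / 8)) ;;
        b|"")  echo "$num" ;;
        *) echo "unknown size unit: $unit" >&2; return 1 ;;
    esac
}

# Highest rate (bit/s) reachable with a bucket of BURST bytes refilled HZ times a second.
burst_cap_bits() {
    echo $(( $(size_to_bytes "$1") * $2 * 8 ))
}

# Smallest burst (bytes) that lets a class actually reach CEIL at this HZ.
min_burst_bytes() {
    echo $(( $(rate_to_bps "$1") / $2 ))
}

# Burst tc picks itself when the option is left out (assumed: rate/HZ + MTU).
default_burst_bytes() {
    echo $(( $(rate_to_bps "$1") / $2 + MTU ))
}

# "ok" when BURST suffices for CEIL at HZ, else the cap hit and the burst needed.
check_burst() {
    ceil=$1 burst=$2 hz=$3
    cap=$(burst_cap_bits "$burst" "$hz")
    want=$(( $(rate_to_bps "$ceil") * 8 ))
    if [ "$cap" -ge "$want" ]; then
        echo ok
    else
        echo "cap:$cap need:$(min_burst_bytes "$ceil" "$hz")"
    fi
}

# A parent bucket smaller than a child's throttles the child when it borrows.
parent_burst_ok() {
    [ "$(size_to_bytes "$1")" -ge "$(size_to_bytes "$2")" ]
}

# Oliver's class 1:10 (ceil 80mbit, burst 19k) at the HZ values discussed.
for hz in 250 512 1000; do
    echo "HZ=$hz, burst 19k for ceil 80mbit: $(check_burst 80mbit 19k $hz)"
done
echo "burst tc would choose for rate 50mbit at HZ=250: $(default_burst_bytes 50mbit 250) bytes"
```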
From andy.furniss at dsl.pipex.com Mon Jan 9 02:11:01 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Mon Jan 9 02:12:25 2006
Subject: [LARTC] HTB traffic shaping odd effects
In-Reply-To: <43C19CAA.3040807@anchor.com.au>
References: <43BE1D93.2040409@anchor.com.au> <20060106121714.4f36042c.linux@pilot.org.ua> <43C19CAA.3040807@anchor.com.au>
Message-ID: <43C1B825.2000409@dsl.pipex.com>

Oliver Hookins wrote:
> Denis Ovsienko wrote:
>
>>> tc qdisc add dev eth0 root handle 1: htb default 10
>>> tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit burst 24k
>>
>>
>> Does the following help?
>> tc qdisc add dev eth0 root handle 1: htb default 1
>> tc class add dev eth0 parent 1: classid 1:1 htb rate 81mbit burst 24k
>
>
> That seems a bit backward, limiting the total available bandwidth to
> enforce child class limits. Or is that how htb works, that the sum of
> the child classes must add up to no less than the parent class?
>
> In any case we have 100mbit available so I don't want to set it any
> lower than that, if possible.
>

You haven't got 100mbit once overheads are accounted for and in this test using 81 instead of 100 won't affect your bandwidth as all traffic is going to one of the two sub classes.

I have IIRC spotted differences (to do with quantum and sharing excess) when parent is > than ceils - it wasn't the same setup as yours though.

Andy.

From oliver.hookins at anchor.com.au Mon Jan 9 03:44:01 2006
From: oliver.hookins at anchor.com.au (Oliver Hookins)
Date: Mon Jan 9 03:45:01 2006
Subject: [LARTC] HTB traffic shaping odd effects
In-Reply-To: <43C1B6F8.5010803@dsl.pipex.com>
References: <43BE1D93.2040409@anchor.com.au> <43C1B6F8.5010803@dsl.pipex.com>
Message-ID: <43C1CDF1.8050805@anchor.com.au>

Andy Furniss wrote:
> Oliver Hookins wrote:
>
>> Hi,
>>
>> I'm trying to perform some (what I consider) basic traffic shaping on
>> our network utilising HTB.
>> I have mostly reused the example on the
>> lartc.org site:
>>
>> tc qdisc add dev eth0 root handle 1: htb default 10
>> tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit burst 24k
>> tc class add dev eth0 parent 1:1 classid 1:10 htb rate 50mbit ceil
>> 80mbit burst 19k
>
>
> burst 19k will limit you unless your HZ=1000

Our HZ is 512.

>> tc class add dev eth0 parent 1:1 classid 1:20 htb rate 1mbit ceil
>> 1mbit
>> tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
>> tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
>> tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src
>> X.X.X.X flowid 1:20
>>
>> So we have a total of 100mbit to be used, the default class 1:10 gets
>> 50mbit and a ceiling of 80mbit whereas my test host X.X.X.X gets only
>> 1mbit in any situation. Some rate limiting is definitely happening,
>> but I am finding the outbound traffic is limited to 2mbit instead of
>> 1mbit. If I change the rate (to say 10mbit) the outbound traffic gets
>> up to again twice the rate (in this case 20mbit).
>
>
> Not sure can you show output of tc -s -d class ls dev eth0 while it's
> running at 2x speed.
class htb 1:1 root rate 100Mbit ceil 100Mbit burst 24Kb/8 mpu 0b cburst 132644b/8 mpu 0b level 7
 Sent 741267447736 bytes 735629628 pkts (dropped 0, overlimits 0)
 rate 4316188bps 22688pps
 lended: 489885589 borrowed: 0 giants: 0
 tokens: -78 ctokens: 6677

class htb 1:10 parent 1:1 leaf 10: prio 0 quantum 200000 rate 50Mbit ceil 80Mbit burst 19Kb/8 mpu 0b cburst 106440b/8 mpu 0b level 0
 Sent 740240463634 bytes 734522966 pkts (dropped 429910165, overlimits 0)
 rate 4233957bps 22358pps
 lended: 244988819 borrowed: 489885528 giants: 0
 tokens: -293 ctokens: 6636

class htb 1:20 parent 1:1 leaf 20: prio 0 quantum 13107 rate 1Mbit ceil 1Mbit burst 2Kb/8 mpu 0b cburst 2Kb/8 mpu 0b level 0
 Sent 755354078 bytes 755048 pkts (dropped 0, overlimits 0)
 rate 84198bps 321pps backlog 4p
 lended: 755220 borrowed: 61 giants: 0
 tokens: -21517 ctokens: -21517

--
Regards,
Oliver Hookins

From sendtofl at yahoo.com.cn Mon Jan 9 09:18:18 2006
From: sendtofl at yahoo.com.cn (=?gb2312?B?t67BwQ==?=)
Date: Mon Jan 9 09:19:14 2006
Subject: [LARTC] (no subject)
Message-ID: <200601091618183162947@yahoo.com.cn>

From s.heidl at teles.de Mon Jan 9 10:01:37 2006
From: s.heidl at teles.de (Sebastian Heidl)
Date: Mon Jan 9 10:02:23 2006
Subject: [LARTC] routing decision based on sorce port
In-Reply-To: <20060108030453.04c6ad7f.linux@pilot.org.ua>
References: <20060108030453.04c6ad7f.linux@pilot.org.ua>
Message-ID: <1136797297.10545.50.camel@sehe-c4.berlin.teles.de>

On Sun, 2006-01-08 at 03:04 +0300, Denis Ovsienko wrote:
> There is a small, but important issue with outgoing packets policy
> routing. Locally originating packets don't hit PREROUTING chain of
> mangle table
> (http://www.faqs.org/docs/iptables/traversingoftables.html), so you
> generally can't policy route such traffic.
Hmm, according to a newer version of the iptables tutorial (http://iptables-tutorial.frozentux.net/iptables-tutorial.html) there is another routing decision after the packets traverse the OUTPUT chain of the mangle table. So at least marking the packets should be possible I think.

_sh_

From poltorak at alsenet.com Mon Jan 9 15:06:29 2006
From: poltorak at alsenet.com (PoltoS/)
Date: Mon Jan 9 15:05:59 2006
Subject: [LARTC] What does tc shape?
Message-ID: <1136815589.43c26de57c9fc@mail1.alsenet.com>

Does tc shape IP traffic only, or all traffic going out of interface (Ethernet headers + IP data)?

PoltoS/

From andy.furniss at dsl.pipex.com Mon Jan 9 18:41:51 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Mon Jan 9 18:41:35 2006
Subject: [LARTC] HTB traffic shaping odd effects
In-Reply-To: <43C1CDF1.8050805@anchor.com.au>
References: <43BE1D93.2040409@anchor.com.au> <43C1B6F8.5010803@dsl.pipex.com> <43C1CDF1.8050805@anchor.com.au>
Message-ID: <43C2A05F.7000407@dsl.pipex.com>

Oliver Hookins wrote:
>> burst 19k will limit you unless your HZ=1000
>
> Our HZ is 512.
>

I don't know if it makes any difference, but I would have chosen 500 so that it was 2ms. The default now is 250 and with 19k burst that fits the speed you get really well - with 512 it would be around 70meg.

I would get rid of the 2 burst settings you use.

>> Not sure can you show output of tc -s -d class ls dev eth0 while it's
>> running at 2x speed.
> > > class htb 1:1 root rate 100Mbit ceil 100Mbit burst 24Kb/8 mpu 0b cburst > 132644b/8 mpu 0b level 7 > Sent 741267447736 bytes 735629628 pkts (dropped 0, overlimits 0) > rate 4316188bps 22688pps > lended: 489885589 borrowed: 0 giants: 0 > tokens: -78 ctokens: 6677 > > class htb 1:10 parent 1:1 leaf 10: prio 0 quantum 200000 rate 50Mbit > ceil 80Mbit burst 19Kb/8 mpu 0b cburst 106440b/8 mpu 0b level 0 > Sent 740240463634 bytes 734522966 pkts (dropped 429910165, overlimits 0) > rate 4233957bps 22358pps > lended: 244988819 borrowed: 489885528 giants: 0 > tokens: -293 ctokens: 6636 > > class htb 1:20 parent 1:1 leaf 20: prio 0 quantum 13107 rate 1Mbit ceil > 1Mbit burst 2Kb/8 mpu 0b cburst 2Kb/8 mpu 0b level 0 > Sent 755354078 bytes 755048 pkts (dropped 0, overlimits 0) > rate 84198bps 321pps backlog 4p > lended: 755220 borrowed: 61 giants: 0 > tokens: -21517 ctokens: -21517 84198 bps - tc means bytes/sec by this, so it's < 1mbit. Htb uses really long (100 sec) average for its rate so it probably is giving 1mbit. Andy. From manish at tuxspace.com Mon Jan 9 18:42:48 2006 From: manish at tuxspace.com (Manish Kathuria) Date: Mon Jan 9 18:42:55 2006 Subject: [LARTC] Internet Satellite connection configuration on linux In-Reply-To: <43BEBF53.5080608@idm.net.lb> References: <43BEBF53.5080608@idm.net.lb> Message-ID: <43C2A098.8050300@tuxspace.com> Rani Ahmed wrote: > hi all. here in Lebanon,Beriut we are allowed only to use satellite for > downlink only. uplink is made through a router connected to public land > lines. The satellite card is a penta card. i want to distribute Internet > connection to customers. > > such a connection i want to do on linux. but what hinders me is the > configuration which i dont know how to do. > so please , some one tell me how to configure that, please. 
> > this is the diagram of what i want to make with linux: > > ----satelite----downlink_only----->[Linux box]<---->{customers_LAN} > || > || > {ISP} <====(cisco_router)<==uplink= > Thanks for you help. How are you connecting to the satellite for uplink ? Are you using PPTP or some other method ? You can download the linux modules available from the Pentamedia website on your linux box and make the DVB card receive the download from the satellite. Ideally your linux box should have two ethernet cards and the Pentamedia DVB Card. One ethernet will be connected to the CISCO router for the uplink and the other will be connected to the LAN. Enable IP forwarding on your linux box and use SNAT rules if required. Let me know if you want more information. -- Manish http://www.tuxspace.com/ From andy.furniss at dsl.pipex.com Tue Jan 10 00:57:53 2006 From: andy.furniss at dsl.pipex.com (Andy Furniss) Date: Tue Jan 10 00:57:35 2006 Subject: [LARTC] HTB - not borrowing, not exceeding rate In-Reply-To: <200601081659.24726.kajtek@biezanow.net> References: <200601081659.24726.kajtek@biezanow.net> Message-ID: <43C2F881.3010108@dsl.pipex.com> Kajetan Staszkiewicz wrote: > Here is current setup: > > tc qdisc del root dev eth2.24 2>/dev/null > tc qdisc add root dev eth2.24 handle 1: htb default 1 > > # main rate limitation for whole connection (802.11a radio link) > tc class add dev eth2.24 parent 1: classid 1:1 htb rate 15000kbit ceil > 15000kbit burst 10kbit Burst too small - it's realated to HZ and also should be at least as big as child bursts. 
http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm#burst > > # class for internet connections - this one can use nearly whole link > tc class add dev eth2.24 parent 1:1 classid 1:6667 htb rate 12000kbit ceil > 13500kbit burst 100kbit > > # class for in-network p2p connections - this one has lower guaranteed rate > tc class add dev eth2.24 parent 1:1 classid 1:6666 htb rate 3000kbit ceil > 14000kbit burst 10kbit > tc qdisc add dev eth2.24 parent 1:6666 handle 6666: sfq perturb 5 quantum > 1500b I would condider using htb prio here and sfq peturb causes packet reordering so 5 is a bit low. SFQ is really best for bulk traffic. > # now in-network p2p traffic. if it comes from other LANs then direct it to > # 1:6666 > tc filter add dev eth2.24 protocol ip parent 1:0 u32 match ip src > 192.168.5.0/24 flowid 1:6666 > tc filter add dev eth2.24 protocol ip parent 1:0 u32 match ip src > 192.168.4.0/24 flowid 1:6666 I think these should be before the other filters. Andy. From andy.furniss at dsl.pipex.com Tue Jan 10 01:04:32 2006 From: andy.furniss at dsl.pipex.com (Andy Furniss) Date: Tue Jan 10 01:04:06 2006 Subject: [LARTC] What does tc shape? In-Reply-To: <1136815589.43c26de57c9fc@mail1.alsenet.com> References: <1136815589.43c26de57c9fc@mail1.alsenet.com> Message-ID: <43C2FA10.3020706@dsl.pipex.com> PoltoS/ wrote: > Does tc shape IP traffic only, or all traffic going out of interface (Ethernet > headers + IP data)? You can shape all types of traffic. On eth interfaces the qdiscs see ip packets as ip length +14 (there are more than 14 overhead on the wire - with htb you can specify overheads/mpu) on ppp qdiscs see just ip length - not sure about others. Andy. 
From ff at nrvissing.net Tue Jan 10 14:02:36 2006
From: ff at nrvissing.net (Flemming Frandsen)
Date: Tue Jan 10 14:04:13 2006
Subject: [LARTC] Shaping traffic bound for the NAT'ed networks without imq
Message-ID: <40857.194.239.27.101.1136898156.squirrel@mail.nrvissing.net>

I'm trying to set up a shaper that can shape the inbound traffic to around
40 subnets, that hang on 3 different interfaces of the router.

As Linux can't do ingress shaping I'm left with having to set up 3
separate shapers, one for each internal interface.

This is not completely optimal as I'll have to limit each of the 3
interfaces to 1/3 of the total downstream bandwidth of the ADSL, leaving
users unhappy with performance, and if a user happens to be on the same
segment as a leecher then he gets hit, but not everyone else.

I've thought about using IMQ, but it's not available in the standard
kernel, and I'd really hate to have to reboot the router as it's
inaccessible and any breakdown would piss off the users.

I have two questions:
1) I compiled IMQ as a module and inserted it, but I couldn't "ifconfig
imq0 up" or anything else with it, any idea what I might be doing wrong?

2) Is there any alternative to using IMQ to get all the inbound traffic
shaped at once?

-- 
Flemming Frandsen, NrVissing.Net administrator.

From andre at matuschek.org Tue Jan 10 16:05:05 2006
From: andre at matuschek.org (André Matuschek)
Date: Tue Jan 10 16:06:33 2006
Subject: [LARTC] qdisc's useless in my case?
Message-ID:

Hi!

First, thanks for this great howto! Second, sorry for my english, it's not
the best!

I have a question about the Linux qdisc. My configuration in short:

Linux Box with 4 100Mbit ethernet interfaces:
- eth0 goes to a switch with ~60 PC's connected who use the internet
  connection. (192.168.1.200)
- eth1 goes to a cable modem with 5Mbit transfer speed
- eth2 connects the 2nd cable modem.
- eth3 is a 100Mbit cable to the next router, with the subnet
  192.168.2.0/24 (same thing as this one) (192.168.5.1)

With your howto I managed to balance the traffic from eth0 over the two
cable modems to the internet:

router:~# ip route show
192.168.5.0/24 dev eth3  proto kernel  scope link  src 192.168.5.1
192.168.2.0/24 via 192.168.5.2 dev eth3
62.143.132.0/24 dev eth1  proto kernel  scope link  src 62.143.132.84
62.143.132.0/24 dev eth2  proto kernel  scope link  src 62.143.132.156
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.200
default
        nexthop via 62.143.132.1  dev eth1 weight 1
        nexthop via 62.143.132.1  dev eth2 weight 1

Works fine!

Then I went on reading your howto and came to the chapter "Queueing
Disciplines for Bandwidth Management". Sometimes an 'expert' in the group
of users starts some kind of P2P-Software without an upload-limit which
then slows down all connections very badly. To lessen this effect I
thought of adding the SFQ-qdisc to the interfaces eth1 & eth2. In the
description of SFQ I read "disallows any single conversation from drowning
out the rest".

Now what I worry about is if this has any effect at all. Maybe the kernel
sends all the packets from the LAN (from eth0) to the two cable-modems,
which are connected via 100Mbit crossover-cable, and the modem queues the
packets itself and drops the ones exceeding the maximum upload rate. With
a constant empty queue in the kernel it would make no difference if
fifo_fast or sfq is the qdisc, right?

So my question is: Am I right? Is it useless to assign sfq to eth1 & eth2?
What would be an alternative solution?

PS: I read seph's mail from Thu Jan 5 17:02:10 CET 2006. I had the same
problem. Solution: Use a kernel > 2.6.11 (don't know exactly when this was
fixed) but with 2.6.14.3 and 2.6.15 this "MASQUERADE: Route sent us
somewhere else." never appeared again! And: make sure that
CONFIG_IP_ROUTE_MULTIPATH_CACHED is not set, it throws a spanner in the
works!

Thanks,
André

From comp.techs at aspenview.org Tue Jan 10 17:50:05 2006
From: comp.techs at aspenview.org (comp.techs)
Date: Tue Jan 10 17:50:18 2006
Subject: [LARTC] Gred/dsmark/htb
Message-ID: <648A21EA469E3848922D9860785CD5EF45670A@aspen-mail01.aspenview.org>

Hi,

I am trying to get assured forwarding/expedited forwarding with gred and
htb working. Below is the script I am using. The following steps are what
I think is how the script works. My problem is that if I remove the HTB
qdisc from the script and have the GREDs' parent as the dsmark it works,
but when I add the htb as a parent of GRED and DSmark as the parent of htb
it does not work? Any suggestion appreciated.

thx
jason

1. The DS field is marked by iptables in prerouting/mangle to the
   appropriate class.
2. DSMark masks the ds and copies the dscp to the tcindex field.
3. filters are selected as per what dscp their handle is.
4. the minor of the filter is returned back to the dsmark and copied to
   the tcindex

#!/bin/sh

tc qdisc del dev eth0 root

tc qdisc add dev eth0 handle 1:0 root dsmark indices 16 set_tc_index

tc filter add dev eth0 parent 1:0 protocol ip prio 1 tcindex \
    mask 0xfc shift 2 pass_on

#af class 1
tc filter add dev eth0 parent 1:0 protocol ip prio 1 \
    handle 10 tcindex classid 1:11
tc filter add dev eth0 parent 1:0 protocol ip prio 1 \
    handle 12 tcindex classid 1:12
tc filter add dev eth0 parent 1:0 protocol ip prio 1 \
    handle 14 tcindex classid 1:13

#af class 2
tc filter add dev eth0 parent 1:0 protocol ip prio 1 \
    handle 18 tcindex classid 1:8
tc filter add dev eth0 parent 1:0 protocol ip prio 1 \
    handle 20 tcindex classid 1:9
tc filter add dev eth0 parent 1:0 protocol ip prio 1 \
    handle 22 tcindex classid 1:10

#af class 3
tc filter add dev eth0 parent 1:0 protocol ip prio 1 \
    handle 26 tcindex classid 1:5
tc filter add dev eth0 parent 1:0 protocol ip prio 1 \
    handle 28 tcindex classid 1:6
tc filter add dev eth0 parent 1:0 protocol ip prio 1 \
    handle 30 tcindex classid 1:7

#af class 4
tc filter add dev eth0 parent 1:0 protocol ip prio 1 \
    handle 34 tcindex classid 1:2
tc filter add dev eth0 parent 1:0 protocol ip prio 1 \
    handle 36 tcindex classid 1:3
tc filter add dev eth0 parent 1:0 protocol ip prio 1 \
    handle 38 tcindex classid 1:4

#ef
tc filter add dev eth0 parent 1:0 protocol ip prio 1 \
    handle 46 tcindex classid 1:1

#limit egress to 1Mbit
tc qdisc add dev eth0 parent 1:0 handle 2:0 htb
tc class add dev eth0 parent 2:0 classid 2:1 htb rate 1Mbit ceil 1Mbit

#create 13 gred's
tc qdisc add dev eth0 parent 2:1 gred setup DPs 13 default 13 grio

#ef
tc qdisc change dev eth0 parent 2:1 gred limit 512000 min 24000 max 32000 \
    avpkt 1000 burst 40 probability 0.01 bandwidth 1024 DP 1 prio 1
#af41
tc qdisc change dev eth0 parent 2:1 gred limit 512000 min 24000 max 32000 \
    avpkt 1000 burst 40 probability 0.04 bandwidth 1024 DP 2 prio 2
#af42
tc qdisc change dev eth0 parent 2:1 gred limit 512000 min 24000 max 32000 \
    avpkt 1000 burst 40 probability 0.06 bandwidth 1024 DP 3 prio 3
#af43
tc qdisc change dev eth0 parent 2:1 gred limit 512000 min 24000 max 32000 \
    avpkt 1000 burst 40 probability 0.02 bandwidth 1024 DP 4 prio 4
#af31
tc qdisc change dev eth0 parent 2:1 gred limit 512000 min 24000 max 32000 \
    avpkt 1000 burst 40 probability 0.04 bandwidth 1024 DP 5 prio 5
#af32
tc qdisc change dev eth0 parent 2:1 gred limit 512000 min 24000 max 32000 \
    avpkt 1000 burst 40 probability 0.06 bandwidth 1024 DP 6 prio 6
#af33
tc qdisc change dev eth0 parent 2:1 gred limit 512000 min 24000 max 32000 \
    avpkt 1000 burst 40 probability 0.02 bandwidth 1024 DP 7 prio 7
#af21
tc qdisc change dev eth0 parent 2:1 gred limit 512000 min 24000 max 32000 \
    avpkt 1000 burst 40 probability 0.04 bandwidth 1024 DP 8 prio 8
#af22
tc qdisc change dev eth0 parent 2:1 gred limit 512000 min 24000 max 32000 \
    avpkt 1000 burst 40 probability 0.06 bandwidth 1024 DP 9 prio 9
#af23
tc qdisc change dev eth0 parent 2:1 gred limit 512000 min 24000 max 32000 \
    avpkt 1000 burst 40 probability 0.02 bandwidth 1024 DP 10 prio 10
#af11
tc qdisc change dev eth0 parent 2:1 gred limit 512000 min 24000 max 32000 \
    avpkt 1000 burst 40 probability 0.04 bandwidth 1024 DP 11 prio 11
#af12
tc qdisc change dev eth0 parent 2:1 gred limit 512000 min 24000 max 32000 \
    avpkt 1000 burst 40 probability 0.06 bandwidth 1024 DP 12 prio 12
#af13
tc qdisc change dev eth0 parent 2:1 gred limit 512000 min 24000 max 32000 \
    avpkt 1000 burst 40 probability 0.06 bandwidth 1024 DP 13 prio 13

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060110/a0a1b547/attachment.htm

From jonas.jasas at gmail.com Tue Jan 10 18:22:37 2006
From: jonas.jasas at gmail.com (Jonas Jasas)
Date: Tue Jan 10 18:22:41 2006
Subject: [LARTC] Simple shaping question
Message-ID:

I have a linux box (does nat and firewall for a small network) connected
to dsl. I want to set priorities for protocols (so that nothing could
disturb web browsing). These are my rules (eth0 connected to internet):

/sbin/tc qdisc del dev eth0 root
/sbin/tc qdisc add dev eth0 root handle 1 htb default 30 r2q 100

/sbin/tc class add dev eth0 parent 1: classid 1:2 htb rate 900Kbit burst 15k

/sbin/tc class add dev eth0 parent 1:2 classid 1:10 htb rate 900Kbit ceil 900Kbit
/sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 100 u32 match ip sport 80 0xffff classid 1:10
/sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 100 u32 match ip dport 80 0xffff classid 1:10

/sbin/tc class add dev eth0 parent 1:2 classid 1:20 htb rate 10Kbit ceil 900Kbit

When I start to download from ftp it uses all bandwidth (as it should
be); when I start to download on web, web and ftp rates become more or
less equal :/ . I want ftp traffic to be limited to 10kbit and all other
bandwidth to be left for web traffic.

What is wrong with my rules?
Thank you for advice!
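Two of Andy's points in this digest (a class's burst has to cover rate/HZ bytes or the class tops out below its configured rate, and a parent's burst should be at least as big as its children's) and the question of where Jonas's unclassified traffic ends up can be checked mechanically. The linter below is an added example written for this page; it is not a tool from the list, the LARTC howto or iproute2. It parses only the tc subset used in these posts, follows iproute2's unit conventions (1000-based rates, 1024-based sizes, "bps" meaning bytes per second) and takes the kernel HZ as an argument, since a script cannot know it. The two sample inputs are the scripts Jonas and Kajetan posted, with wrapped lines rejoined.

```python
"""Lint an HTB tc script against the rules raised in these threads.

Added example, not a LARTC or iproute2 tool. It understands only the tc
subset used in the posts: an htb root qdisc with 'default', htb classes
with rate/ceil/burst, and filters whose target is 'classid' or 'flowid'.
"""
import re
import shlex

# Rate suffixes as iproute2 parses them: '...bit' is bits/s, '...bps' is
# BYTES/s (Andy's point about the 84198bps reading). Current tc is
# 1000-based; the 2006 tc used 1024, which changes no verdict below.
RATE_SUFFIX = {"bit": 1, "kbit": 1e3, "mbit": 1e6, "gbit": 1e9,
               "bps": 8, "kbps": 8e3, "mbps": 8e6, "gbps": 8e9}
# Size suffixes for burst: 'k'/'kb' are 1024 bytes, 'kbit' is 1024 bits.
SIZE_SUFFIX = {"": 1, "b": 1, "k": 1024, "kb": 1024, "m": 1024 ** 2,
               "mb": 1024 ** 2, "bit": 1 / 8, "kbit": 128, "mbit": 1024 ** 2 / 8}
OPT_KEYS = {"dev", "parent", "handle", "classid", "flowid", "default",
            "rate", "ceil", "burst"}


def _split_unit(text):
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([A-Za-z]*)", text)
    if not m:
        raise ValueError(f"cannot parse {text!r}")
    return float(m.group(1)), m.group(2).lower()


def parse_rate(text):
    """'900Kbit' -> bytes per second."""
    value, unit = _split_unit(text)
    return value * RATE_SUFFIX[unit or "bit"] / 8


def parse_size(text):
    """'15k' or '10kbit' -> bytes."""
    value, unit = _split_unit(text)
    return value * SIZE_SUFFIX[unit]


def handle(text):
    """Canonical 'maj:min'. Both halves are hex to tc, so '1:10' is minor 0x10."""
    maj, _, mn = text.partition(":")
    return f"{int(maj, 16):x}:{int(mn or '0', 16):x}"


def min_burst(rate_bytes, hz):
    """Bytes the bucket must hold to send the full rate within one timer tick."""
    return rate_bytes / hz


def max_rate_mbit(burst_bytes, hz):
    """Rate a class can actually reach when its burst, not its rate, limits it."""
    return burst_bytes * hz * 8 / 1e6


def parse_script(script):
    qdiscs, classes, filters = {}, {}, []
    for line in script.replace("\\\n", " ").splitlines():
        tok = shlex.split(line.split("#", 1)[0])
        if len(tok) < 3 or not tok[0].endswith("tc") or tok[2] != "add":
            continue
        opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t in OPT_KEYS}
        if tok[1] == "qdisc" and "htb" in tok:
            maj = handle(opts.get("handle", "1:")).split(":")[0]  # assume 1: if omitted
            dflt = opts.get("default")
            qdiscs[opts["dev"]] = f"{maj}:{int(dflt, 16):x}" if dflt else None
        elif tok[1] == "class" and "htb" in tok:
            cls = {"parent": handle(opts["parent"]), "rate": parse_rate(opts["rate"])}
            cls["burst"] = parse_size(opts["burst"]) if "burst" in opts else None
            classes[handle(opts["classid"])] = cls
        elif tok[1] == "filter" and (opts.get("classid") or opts.get("flowid")):
            filters.append(handle(opts.get("classid") or opts["flowid"]))
    return qdiscs, classes, filters


def check(script,  hz=1000):
    """Return (code, object, message) findings for the assumed kernel HZ."""
    qdiscs, classes, filters = parse_script(script)
    out = []
    for cid, c in classes.items():
        if c["burst"] is None:
            continue  # tc then derives a burst from the rate and its own HZ guess
        need = min_burst(c["rate"], hz)
        if c["burst"] < need:
            out.append(("BURST_LT_RATE_HZ", cid,
                        f"burst {c['burst']:.0f}B < rate/HZ {need:.0f}B; at HZ={hz} "
                        f"the class cannot exceed ~{max_rate_mbit(c['burst'], hz):.1f} Mbit/s"))
        parent = classes.get(c["parent"])
        if parent and parent["burst"] is not None and c["burst"] > parent["burst"]:
            out.append(("BURST_GT_PARENT", cid,
                        f"burst {c['burst']:.0f}B exceeds parent {c['parent']} "
                        f"burst {parent['burst']:.0f}B"))
    for pid, p in classes.items():  # HTB manual: children's rates must fit the parent's
        kids = sum(k["rate"] for k in classes.values() if k["parent"] == pid)
        if kids > p["rate"] * 1.0001:
            out.append(("CHILD_RATE_SUM", pid,
                        f"children guarantee {kids * 8 / 1e3:.0f} kbit/s, parent "
                        f"rate is {p['rate'] * 8 / 1e3:.0f} kbit/s"))
    for dev, dflt in qdiscs.items():
        if dflt and dflt not in classes:
            out.append(("DEFAULT_MISSING", dflt, f"{dev}: default class is never "
                        "created; unclassified traffic takes HTB's direct queue unshaped"))
    out += [("FILTER_TARGET_MISSING", t, "filter points at an undefined class")
            for t in filters if t not in classes]
    return out


# Sample inputs: the two scripts posted in these threads, wrapped lines rejoined.
JONAS = """
/sbin/tc qdisc del dev eth0 root
/sbin/tc qdisc add dev eth0 root handle 1 htb default 30 r2q 100
/sbin/tc class add dev eth0 parent 1: classid 1:2 htb rate 900Kbit burst 15k
/sbin/tc class add dev eth0 parent 1:2 classid 1:10 htb rate 900Kbit ceil 900Kbit
/sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 100 u32 match ip sport 80 0xffff classid 1:10
/sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 100 u32 match ip dport 80 0xffff classid 1:10
/sbin/tc class add dev eth0 parent 1:2 classid 1:20 htb rate 10Kbit ceil 900Kbit
"""
KAJETAN = """
tc qdisc add root dev eth2.24 handle 1: htb default 1
tc class add dev eth2.24 parent 1: classid 1:1 htb rate 15000kbit ceil 15000kbit burst 10kbit
tc class add dev eth2.24 parent 1:1 classid 1:6667 htb rate 12000kbit ceil 13500kbit burst 100kbit
tc class add dev eth2.24 parent 1:1 classid 1:6666 htb rate 3000kbit ceil 14000kbit burst 10kbit
tc filter add dev eth2.24 protocol ip parent 1:0 u32 match ip src 192.168.5.0/24 flowid 1:6666
"""

if __name__ == "__main__":
    for name, script, hz in (("Jonas", JONAS, 250), ("Kajetan", KAJETAN, 1000)):
        for code, obj, msg in check(script, hz):
            print(f"{name}: {code} {obj}: {msg}")
```

Against Jonas's rules it reports that "default 30" names a class that is never created, so whatever no filter matches (the ftp download included) takes HTB's direct queue unshaped, and that the children of 1:2 guarantee 910 kbit/s under a 900 kbit/s parent. Against Kajetan's setup it reproduces Andy's two objections: the root burst of 10kbit (1280 bytes) is below 15000kbit/HZ at HZ=1000, and the child's 100kbit burst exceeds it. The same arithmetic gives Andy's "around 70meg" for Oliver's 19k burst at HZ=512 and fits the ~34 Mbit/s he measures at the 250 default.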
From diego.cabrero at e-attico.net Tue Jan 10 18:36:08 2006
From: diego.cabrero at e-attico.net (Diego Cabrero)
Date: Tue Jan 10 18:36:09 2006
Subject: [LARTC] Simple shaping question
In-Reply-To:
References:
Message-ID: <43C3F088.5020001@e-attico.net>

Try choosing a lower limit for the 80th port, at least 900-10, then add
an sfq qdisc under the 1:10, 1:20 and 1:30 classes like this:

tc qdisc add dev eth0 parent 1:x0 handle x0: sfq perturb 10

It will work, I had that kind of problem before.

Regards.
-Diego

Jonas Jasas wrote:
> I have a linux box (does nat and firewall for a small network) connected
> to dsl. I want to set priorities for protocols (so that nothing could
> disturb web browsing). These are my rules (eth0 connected to internet):
>
> /sbin/tc qdisc del dev eth0 root
> /sbin/tc qdisc add dev eth0 root handle 1 htb default 30 r2q 100
>
> /sbin/tc class add dev eth0 parent 1: classid 1:2 htb rate 900Kbit burst 15k
>
> /sbin/tc class add dev eth0 parent 1:2 classid 1:10 htb rate 900Kbit ceil 900Kbit
> /sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 100 u32 match ip sport 80 0xffff classid 1:10
> /sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 100 u32 match ip dport 80 0xffff classid 1:10
>
> /sbin/tc class add dev eth0 parent 1:2 classid 1:20 htb rate 10Kbit ceil 900Kbit
>
> When I start to download from ftp it uses all bandwidth (as it should
> be); when I start to download on web, web and ftp rates become more or
> less equal :/ . I want ftp traffic to be limited to 10kbit and all other
> bandwidth to be left for web traffic.
>
> What is wrong with my rules?
> Thank you for advice!

From diego.cabrero at e-attico.net Tue Jan 10 18:43:59 2006
From: diego.cabrero at e-attico.net (Diego Cabrero)
Date: Tue Jan 10 18:44:02 2006
Subject: [LARTC] Simple shaping question
In-Reply-To: <43C3F088.5020001@e-attico.net>
References: <43C3F088.5020001@e-attico.net>
Message-ID: <43C3F25F.4030908@e-attico.net>

An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060110/2d34d4e7/attachment-0001.html

From ff at nrvissing.net Tue Jan 10 22:40:53 2006
From: ff at nrvissing.net (Flemming Frandsen)
Date: Tue Jan 10 22:41:27 2006
Subject: [LARTC] tc filter add ... fw returns RTNETLINK answers: Invalid argument
Message-ID: <43C429E5.3070007@nrvissing.net>

When I run this:
tc filter add dev eth0 parent 1: protocol ip prio 1 handle 1 fw

I get:
RTNETLINK answers: Invalid argument

The traditional interpretation of that gnarly error message is that
cls_fw is missing, but lsmod | grep cls_fw gets me:
cls_fw                  2336   4 (autoclean)

I can't remove it because it's in use, but all 4 statements that use it
failed, so I'm really stumped.

This is what happens at the beginning of the traffic shaper script:

+ tc qdisc del dev eth0 root
+ tc qdisc add dev eth0 root handle 1: htb default 0x42
+ tc class add dev eth0 parent 1: classid 1:1 htb rate 700kbit burst 6k
+ tc class add dev eth0 parent 1:1 classid 1:42 htb rate 600kbit burst 15k prio 0
+ tc qdisc add dev eth0 parent 1:42 handle 42: sfq perturb 20
+ tc filter add dev eth0 parent 1: protocol ip prio 1 handle 1 fw
RTNETLINK answers: Invalid argument
+ iptables -t mangle -N to-dsl

Any clues?

From muthukumar at gmail.com Tue Jan 10 23:21:20 2006
From: muthukumar at gmail.com (Muthukumar S)
Date: Tue Jan 10 23:21:23 2006
Subject: [LARTC] tc filter add ... fw returns RTNETLINK answers: Invalid argument
In-Reply-To: <43C429E5.3070007@nrvissing.net>
References: <43C429E5.3070007@nrvissing.net>
Message-ID:

On 1/10/06, Flemming Frandsen wrote:
> When I run this:
> tc filter add dev eth0 parent 1: protocol ip prio 1 handle 1 fw
>
> I get:
> RTNETLINK answers: Invalid argument

You are missing the flowid. For example

tc filter add dev eth0 parent 1: protocol ip prio 1 handle 1 fw flowid 1:42

>
> The traditional interpretation of that gnarly error message is that
> cls_fw is missing, but lsmod | grep cls_fw gets me:
> cls_fw                  2336   4 (autoclean)
>
> I can't remove it because it's in use, but all 4 statements that use it
> failed, so I'm really stumped.
>
>
> This is what happens at the beginning of the traffic shaper script:
>
> + tc qdisc del dev eth0 root
> + tc qdisc add dev eth0 root handle 1: htb default 0x42
> + tc class add dev eth0 parent 1: classid 1:1 htb rate 700kbit burst 6k
> + tc class add dev eth0 parent 1:1 classid 1:42 htb rate 600kbit burst
> 15k prio 0
> + tc qdisc add dev eth0 parent 1:42 handle 42: sfq perturb 20
> + tc filter add dev eth0 parent 1: protocol ip prio 1 handle 1 fw
> RTNETLINK answers: Invalid argument
> + iptables -t mangle -N to-dsl
>
> Any clues?

From ff at nrvissing.net Wed Jan 11 00:19:07 2006
From: ff at nrvissing.net (Flemming Frandsen)
Date: Wed Jan 11 00:19:42 2006
Subject: [LARTC] tc filter add ... fw returns RTNETLINK answers: Invalid argument
Message-ID: <43C440EB.7010508@nrvissing.net>

Muthukumar S wrote:
> On 1/10/06, Flemming Frandsen wrote:
>
>> When I run this:
>> tc filter add dev eth0 parent 1: protocol ip prio 1 handle 1 fw
>>
>> I get:
>> RTNETLINK answers: Invalid argument
>
> You are missing the flowid. For example
> tc filter add dev eth0 parent 1: protocol ip prio 1 handle 1 fw flowid 1:42
>

No, no I'm not, I'm using iptables like this:

...
iptables -t mangle -A from-dsl-eth1 -d 10.48.6.0/24 -j MARK --set-mark 0x14806
iptables -t mangle -A from-dsl-eth1 -d 10.48.6.0/24 -j RETURN
tc class add dev eth1 parent 1:1 classid 1:4806 htb rate 1200mbit burst 15k prio 10
tc qdisc add dev eth1 parent 1:4806 sfq perturb 21
...

That means that packets with --set-mark 0x14806 get put into classid
1:4806

The RETURN rule means that I can have a -j LOG at the end of my chain to
figure out what didn't get matched, I just wish you could say -j
MARK,RETURN in the same rule.

The funny thing that I realized after sending the original mail is that
the shaper works, it classifies the traffic correctly, even though the tc
filter command moans about an invalid argument.

It would be very nice to either get a usable error message or have tc
shut up about the non-error.

From andy.furniss at dsl.pipex.com Wed Jan 11 01:45:00 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Wed Jan 11 01:44:51 2006
Subject: [LARTC] Shaping traffic bound for the NAT'ed networks without imq
In-Reply-To: <40857.194.239.27.101.1136898156.squirrel@mail.nrvissing.net>
References: <40857.194.239.27.101.1136898156.squirrel@mail.nrvissing.net>
Message-ID: <43C4550C.2060205@dsl.pipex.com>

Flemming Frandsen wrote:
> I'm trying to set up a shaper that can shape the inbound traffic to around
> 40 subnets, that hang on 3 different interfaces of the router.
>
> As Linux can't do ingress shaping I'm left with having to set up 3
> separate shapers, one for each internal interface.
>
> This is not completely optimal as I'll have to limit each of the 3
> interfaces to 1/3 of the total downstream bandwidth of the ADSL, leaving
> users unhappy with performance, and if a user happens to be on the same
> segment as a leecher then he gets hit, but not everyone else.
>
> I've thought about using IMQ, but it's not available in the standard
> kernel, and I'd really hate to have to reboot the router as it's
> inaccessible and any breakdown would piss off the users.
>
> I have two questions:
> 1) I compiled IMQ as a module and inserted it, but I couldn't "ifconfig
> imq0 up" or anything else with it, any idea what I might be doing wrong?
>
> 2) Is there any alternative to using IMQ to get all the inbound traffic
> shaped at once?

Yes (depending on exact setup/requirements) - it's just gone into the
latest net tree, it's called ifb.

http://www.mail-archive.com/netdev%40vger.kernel.org/msg05208.html

AIUI if you have a recent kernel you should be able to build it as a
stand alone module.

Andy.

From andy.furniss at dsl.pipex.com Wed Jan 11 01:51:46 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Wed Jan 11 01:51:46 2006
Subject: [LARTC] tc filter add ... fw returns RTNETLINK answers: Invalid argument
In-Reply-To: <43C429E5.3070007@nrvissing.net>
References: <43C429E5.3070007@nrvissing.net>
Message-ID: <43C456A2.1000602@dsl.pipex.com>

Flemming Frandsen wrote:
> When I run this:
> tc filter add dev eth0 parent 1: protocol ip prio 1 handle 1 fw
>
> I get:
> RTNETLINK answers: Invalid argument

As I already said - you don't need handle 1

Andy.

From andy.furniss at dsl.pipex.com Wed Jan 11 01:52:36 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Wed Jan 11 01:52:29 2006
Subject: [LARTC] tc filter add ... fw returns RTNETLINK answers: Invalid argument
In-Reply-To: <43C440EB.7010508@nrvissing.net>
References: <43C440EB.7010508@nrvissing.net>
Message-ID: <43C456D4.7020000@dsl.pipex.com>

Flemming Frandsen wrote:
> tc class add dev eth1 parent 1:1 classid 1:4806 htb rate 1200mbit burst
> 15k prio 10

1200mbit with 15k burst won't work.

Andy.
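That Flemming's shaper classifies correctly with neither a handle nor a flowid on the fw filter, and Andy's remark that "handle 1" is not needed, both follow from what the kernel's fw classifier does when a qdisc has no fw filters at all: it returns the mark itself as the classid, which is why his marks are 0x1xxxx for classes under handle 1:. The model below is an added example, not code from the thread, from iproute2 or from the kernel; it reproduces that rule and the explicit handle-to-flowid form as I read cls_fw.c and htb_classify(), and nothing else of the classifier. The scenarios use the class layouts posted in these threads (Flemming's 1:4806, Muthukumar's 1:42, ro0ot's 1:11).

```python
"""Where an iptables mark lands once HTB asks the fw classifier.

Added example, not code from the list or the kernel. Two cls_fw behaviours
are modelled (as I read cls_fw.c):
  * fw filters installed: a packet whose mark equals a filter's handle is
    steered to that filter's classid (the 'handle 1 fw flowid 1:42' form);
  * no fw filters under the qdisc ("old method"): the mark itself is the
    classid, provided its major half is 0 or equals the qdisc's major.
HTB then looks the classid up by exact major:minor, so only a mark that
already carries the qdisc major reaches a class; X:0 means the direct
queue; anything else goes to the default class, or to the direct queue if
that class was never created.
"""
TC_H_MAJ_MASK = 0xFFFF0000


def tc_handle(text):
    """'1:4806' -> 0x00014806: tc parses both halves as hex."""
    maj, _, mn = text.partition(":")
    return (int(maj, 16) << 16) | int(mn or "0", 16)


def fmt_handle(h):
    return f"{h >> 16:x}:{h & 0xFFFF:x}"


class FwFilter:
    """One 'tc filter add ... handle MARK fw classid X:Y' entry."""
    def __init__(self, mark, classid):
        self.mark, self.classid = mark, tc_handle(classid)


def fw_classify(qdisc_handle, filters, mark):
    """Classid cls_fw hands back for `mark`, or None when nothing matched."""
    if filters:
        for f in filters:
            if mark == f.mark:
                return f.classid
        return None
    # Old method: no filters, so the mark is the classid if its major fits.
    maj = mark & TC_H_MAJ_MASK
    if mark and (maj == 0 or maj == (qdisc_handle & TC_H_MAJ_MASK)):
        return mark
    return None


class Htb:
    """Just enough of htb_classify() to show where a marked packet ends up."""
    def __init__(self, handle, default_minor, classids):
        self.handle = tc_handle(handle)
        self.default = (self.handle & TC_H_MAJ_MASK) | int(default_minor, 16)
        self.classes = {tc_handle(c) for c in classids}

    def classify(self, filters, mark):
        classid = fw_classify(self.handle, filters, mark)
        if classid == self.handle:
            return "direct"                # X:0 selects the direct (unshaped) queue
        if classid in self.classes:
            return fmt_handle(classid)
        # No match, or a classid HTB cannot find: fall back to the default class.
        return fmt_handle(self.default) if self.default in self.classes else "direct"


# Scenario 1: Flemming's layout, a class per subnet and no fw filter at all.
FLEMMING = Htb("1:", "42", ["1:1", "1:42", "1:4806"])
# Scenario 2: the explicit form Muthukumar suggested.
EXPLICIT = Htb("1:", "42", ["1:1", "1:42"])
EXPLICIT_FILTERS = [FwFilter(1, "1:42")]
# Scenario 3: ro0ot's tc script, whose 'default 20' class is never created.
ROOOT = Htb("1:", "20", ["1:1", "1:11"])
ROOOT_FILTERS = [FwFilter(1, "1:11")]

if __name__ == "__main__":
    for mark in (0x14806, 0x4806, 0x24806, 0):
        print(f"no filter, mark {mark:#x} -> {FLEMMING.classify([], mark)}")
    print(f"explicit filter, mark 1 -> {EXPLICIT.classify(EXPLICIT_FILTERS, 1)}")
    print(f"ro0ot, unmarked packet -> {ROOOT.classify(ROOOT_FILTERS, 0)}")
```

Mark 0x14806 reaches 1:4806 with no filter options at all, while 0x4806 (no major) is returned by the classifier but not found by HTB and drops to the default class 1:42; a mark carrying some other major is rejected outright. The third scenario shows the cost of a default class that was never created: every unmarked packet takes the direct queue and is not shaped.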
From andy.furniss at dsl.pipex.com Wed Jan 11 02:03:18 2006 From: andy.furniss at dsl.pipex.com (Andy Furniss) Date: Wed Jan 11 02:03:10 2006 Subject: [LARTC] qdisc's useless in my case? In-Reply-To: References: Message-ID: <43C45956.2060600@dsl.pipex.com> Andr? Matuschek wrote: > Now what I worry about ist if this has any effect at all. Maybe the > kernel sends > all the Packets from the LAN (from eth0) to the to cable-modems, which are > connected via 100Mbit crossover-cable and the modem queues the packets > itself > and drops the ones exceeding the maximum upload rate. With an constant > empty > queue in the kernel it would make no differences if fifo_fast or sfq is > the qdisc, right? > > So my question is: Am I right? Is it useless to assign sfq to eth1 & > eth2? What would > be an alternative solution? Yes you are right. You need to use htb/hfsc/cbq on both eths and limit the traffic headed for the internet to < each cable rate. You could use sfq as part of the setup, it is better to try and seperate interactive traffic from bulk and only use sfq on the bulk. You could also limit inbound traffic by shaping on the lan facing eth (if it goes to both lan eths then it's more complicated but possible). Andy. From nata at cnett.com.br Wed Jan 11 02:20:27 2006 From: nata at cnett.com.br (Nataniel Klug) Date: Wed Jan 11 02:22:40 2006 Subject: [LARTC] control p2p upload bandwidth rate References: <43AAE878.10404@phreaker.net> <2af436490512221148p27dc53a1vc90f8549f54ae7c4@mail.gmail.com> Message-ID: <002401c6164d$34bde1b0$9a0023ac@NATANIEL> Jody, I have a script that makes connections for every user with his auth. So, in this script, I have two mark tags. Can I use this tip you give to ro0ot? My doubt is if I use this every time some user log it will be all executed again, it will not make me trouble? Now I mark all packts from a client and forward this to some cbq/htb band control rules. It is working fine, but I have never made a test for longer time... 
Thanks for your cooperation. Att, Nataniel Klug ----- Original Message ----- From: Jody Shumaker To: lartc@mailman.ds9a.nl Sent: Thursday, December 22, 2005 5:48 PM Subject: Re: [LARTC] control p2p upload bandwidth rate Seems like eth0 is your IF connected to the itnernet, you need to do shaping on that for the upload. Modifying the rates and using the same tc comands but on eth0 would likely do it. Also your script is flawed, the layer7 matching for most if not all of those protocols will only match on the first packet or two. After that the data for those connections won't match. I suggest you look into using CONNMARK target/matching so you can match all of the data, not just the first few packets. With your setup it'd be used something along these lines: #before setting mark: #restores any saved mark iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark #accepts the packet if it has a mark besides the default 0 and prevents the saved mark from being changed iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT #use "-j MARK --set-mark #" here #after all the --set-mark's iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j CONNMARK --save-mark iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT Without this, I'm not really sure how you were matching all packets for your download shaping. Normally, only the first packet or two will have matching data in the TCP connection, and if you don't somehow mark the whole connection using the above, the majority of the bandwidth won't be shaped correctly. 
- Jody On 12/22/05, ro0ot wrote: Hi all, I am running Slackware 10.1 with Kernel 2.6.14.3 includes iptables 1.3.4 with layer 7 My network diagram below: - INTERNET --- LINUX_ROUTER_FW --- PCs Below is my simple iptables script: - echo 1 > /proc/sys/net/ipv4/ip_forward iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE iptables -t mangle -A POSTROUTING -m layer7 --l7proto applejuice -j MARK --set-mark 1 iptables -t mangle -A POSTROUTING -m layer7 --l7proto ares -j MARK --set-mark 1 iptables -t mangle -A POSTROUTING -m layer7 --l7proto bittorrent -j MARK --set-mark 1 iptables -t mangle -A POSTROUTING -m layer7 --l7proto directconnect -j MARK --set-mark 1 iptables -t mangle -A POSTROUTING -m layer7 --l7proto edonkey -j MARK --set-mark 1 iptables -t mangle -A POSTROUTING -m layer7 --l7proto fasttrack -j MARK --set-mark 1 iptables -t mangle -A POSTROUTING -m layer7 --l7proto gnucleuslan -j MARK --set-mark 1 iptables -t mangle -A POSTROUTING -m layer7 --l7proto gnutella -j MARK --set-mark 1 iptables -t mangle -A POSTROUTING -m layer7 --l7proto napster -j MARK --set-mark 1 iptables -t mangle -A POSTROUTING -m layer7 --l7proto openft -j MARK --set-mark 1 Below is my simple tc script: - tc qdisc del dev eth1 root tc qdisc add dev eth1 root handle 1: htb default 20 tc class add dev eth1 parent 1: classid 1:1 htb rate 10240kbit ceil 10240kbit tc class add dev eth1 parent 1:1 classid 1:11 htb rate 32kbit ceil 512kbit tc filter add dev eth1 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:11 tc qdisc add dev eth1 parent 1:11 sfq perturb 10 I have no problem shaping the "PCs" p2p download bandwidth rate. How can I control the "PCs" p2p upload bandwidth rate? 
Please help...thanks, :) Regards, ro0ot _______________________________________________ LARTC mailing list LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc ------------------------------------------------------------------------------ _______________________________________________ LARTC mailing list LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060110/852b2081/attachment-0001.htm From jody.shumaker at gmail.com Wed Jan 11 06:11:45 2006 From: jody.shumaker at gmail.com (Jody Shumaker) Date: Wed Jan 11 06:12:54 2006 Subject: [LARTC] control p2p upload bandwidth rate In-Reply-To: <002401c6164d$34bde1b0$9a0023ac@NATANIEL> References: <43AAE878.10404@phreaker.net> <2af436490512221148p27dc53a1vc90f8549f54ae7c4@mail.gmail.com> <002401c6164d$34bde1b0$9a0023ac@NATANIEL> Message-ID: <2af436490601102111s71440bd4w84f37ca0157752f2@mail.gmail.com> #accepts the packet if it has a mark besides the default 0 and prevents the saved mark from being changed iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT That section after the restore-mark rule will cause any saved marks to skip the rest of the chain. This results in only the first packets of a tcp connection having to hit their individual --set-mark rule. If you do have concerns about cpu usage or some such, I'd suggest trying trying out the ipp2p match module instead of the more generic l7match module. It's more specific to p2p and tends to be much faster than doing regular expressions. On 1/10/06, Nataniel Klug wrote: > > I have a script that makes connections for every user with his auth. So, > in this script, I have two mark tags. Can I use this tip you give to ro0ot? > My doubt is if I use this every time some user log it will be all executed > again, it will not make me trouble? 
>
I'm not sure exactly what you mean by this. If my above explanation doesn't apply, could you possibly explain or give an example? - Jody -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060111/bc4970f2/attachment.html From nata at cnett.com.br Wed Jan 11 11:06:33 2006 From: nata at cnett.com.br (Nataniel Klug) Date: Wed Jan 11 11:07:22 2006 Subject: [LARTC] control p2p upload bandwidth rate References: <43AAE878.10404@phreaker.net> <2af436490512221148p27dc53a1vc90f8549f54ae7c4@mail.gmail.com> <002401c6164d$34bde1b0$9a0023ac@NATANIEL> <2af436490601102111s71440bd4w84f37ca0157752f2@mail.gmail.com> Message-ID: <002d01c61696$b39af420$0e001eac@NATANIEL> Jody, My question is not about P2P filters. This is working fine at my gateway box. My question concerns my authentication gateway, where I use PPPoE to authenticate my LAN clients against a Radius server in my DMZ. This PPPoE server, when I have a new connection, makes some rules using IPTABLES and CBQ/HTB to control my clients' internet speed. The script I use when a client connects is this:
=== /etc/ppp/ip-up ===
#!/bin/bash
IPT="/usr/local/sbin/iptables"
interface=$1
remoteIP=$5
download=`grep Download /var/run/radattr.$interface | awk '{ print $2; }'`
upload=`grep Upload /var/run/radattr.$interface | awk '{ print $2; }'`
cliente=`grep Cliente /var/run/radattr.$interface | awk '{ print $2; }'`
contamark=`echo $interface | cut -c 4-99`
mark=`expr $contamark + 500`
echo "$download" > /tmp/$interface.download
echo "$upload" > /tmp/$interface.upload
echo "$cliente" > /tmp/$interface.cliente
#if [ $cliente == "cliente" ]
#then
#$IPT -I FORWARD -d $remoteIP -p tcp --dport 1:1024 -j DROP
#$IPT -I FORWARD -d $remoteIP -p tcp --dport 6000:9000 -j DROP
#fi
/sbin/tc qdisc add dev $interface root handle 1 cbq bandwidth 10Mbit avpkt 1000 cell 8
/sbin/tc class add dev $interface parent 1: classid 1:$mark cbq bandwidth 10Mbit rate "$download"Kbit weight `expr $download / 10`Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
/sbin/tc qdisc add dev $interface parent 1:$mark handle $mark sfq perturb 10
/sbin/tc filter add dev $interface parent 1:0 protocol ip prio 200 handle $mark fw classid 1:$mark
$IPT -t mangle -A POSTROUTING -d $remoteIP -j MARK --set-mark $mark
/sbin/tc qdisc add dev eth0 root handle 1 cbq bandwidth 10Mbit avpkt 1000 cell 8
/sbin/tc class add dev eth0 parent 1: classid 1:$mark cbq bandwidth 10Mbit rate "$upload"Kbit weight `expr $upload / 10`Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
/sbin/tc qdisc add dev eth0 parent 1:$mark handle $mark sfq perturb 10
/sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 200 handle $mark fw classid 1:$mark
$IPT -t mangle -A FORWARD -s $remoteIP -j MARK --set-mark $mark
echo "PPP started at $(date): interface = $interface Remote IP = $remoteIP download = $download upload = $upload mark = $mark " >/tmp/$interface
=== END ===
My doubt is, what you said is that only one packet with a mark will be matched without those other commands, so, are the lines I have put in red correct? 
Today it is working fine, but I have never made a test longer than 20 or 30 minutes... Att, Nataniel Klug ----- Original Message ----- From: Jody Shumaker To: Nataniel Klug Cc: lartc@mailman.ds9a.nl Sent: Wednesday, January 11, 2006 3:11 AM Subject: Re: [LARTC] control p2p upload bandwidth rate #accepts the packet if it has a mark besides the default 0 and prevents the saved mark from being changed iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT That section after the restore-mark rule will cause any saved marks to skip the rest of the chain. This results in only the first packets of a tcp connection having to hit their individual --set-mark rule. If you do have concerns about cpu usage or some such, I'd suggest trying trying out the ipp2p match module instead of the more generic l7match module. It's more specific to p2p and tends to be much faster than doing regular expressions. On 1/10/06, Nataniel Klug wrote: I have a script that makes connections for every user with his auth. So, in this script, I have two mark tags. Can I use this tip you give to ro0ot? My doubt is if I use this every time some user log it will be all executed again, it will not make me trouble? I'm not sure exactly what you mean by this. If my above explanation doesn't apply, could you possibly explain or give an example? - Jody -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060111/e2e2ae39/attachment.htm From ff at nrvissing.net Wed Jan 11 12:55:15 2006 From: ff at nrvissing.net (Flemming Frandsen) Date: Wed Jan 11 12:55:28 2006 Subject: [LARTC] tc filter add ... 
fw returns RTNETLINK answers: Invalid argument In-Reply-To: <43C456D4.7020000@dsl.pipex.com> References: <43C440EB.7010508@nrvissing.net> <43C456D4.7020000@dsl.pipex.com> Message-ID: <62432.194.239.27.101.1136980515.squirrel@mail.nrvissing.net>
>> tc class add dev eth1 parent 1:1 classid 1:4806 htb rate 1200mbit burst
>> 15k prio 10
>
> 1200mbit with 15k burst won't work.
Good thing too, because it's a typo, I don't really have an Internet link in the Gb/s, it ought to say 1200kbit.
>> tc filter add dev eth0 parent 1: protocol ip prio 1 handle 1 fw
>> RTNETLINK answers: Invalid argument
>
> As I already said - you don't need handle 1
I tried removing it, but it didn't make any difference. Am I correct in assuming that the reason that the 'parent 1:' part isn't needed is because it comes from the mark? -- Flemming Frandsen, NrVissing.Net administrator. From ff at nrvissing.net Wed Jan 11 13:21:52 2006 From: ff at nrvissing.net (Flemming Frandsen) Date: Wed Jan 11 13:21:56 2006 Subject: [LARTC] Shaping traffic bound for the NAT'ed networks without imq In-Reply-To: <43C4550C.2060205@dsl.pipex.com> References: <40857.194.239.27.101.1136898156.squirrel@mail.nrvissing.net> <43C4550C.2060205@dsl.pipex.com> Message-ID: <56399.194.239.27.101.1136982112.squirrel@mail.nrvissing.net>
> Yes (depending on exact setup/requirements) - it's just gone in the
> latest net tree it's called ifb.
>
> http://www.mail-archive.com/netdev%40vger.kernel.org/msg05208.html
Hmm, this sounds interesting, although it would mean upgrading the kernel to 2.6 on a router that's hard to get to physically if something goes wrong. I'll just keep going with 2.4 and the suboptimal shaper until I have access to the serial console on the machine (which means installing a second soekris at the same location). -- Flemming Frandsen, NrVissing.Net administrator. 
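An added example, not code from the thread, covering the per-user ip-up script posted above. It is a dry-run rewrite: the RADIUS reply attributes are validated as plain integers before they are spliced into any tc or iptables command (a radattr value such as "64; reboot" from a misbehaving server would otherwise reach the shell unquoted), the fwmark is derived from the ppp unit number and kept inside the 16-bit range that fw filter handles and class minors allow, and the commands are printed rather than run. tc reads a class minor as hex, so the same number is written as 0x.. for iptables and the fw handle and as a bare hex minor in class ids, which keeps all three in step. Paths, attribute names and the 500 offset follow the original post; HTB in place of CBQ, the -i/-o restrictions, the uplink name and the ip-down half are assumptions made here.

```shell
#!/bin/sh
# Added example, not the script from the thread. Dry-run generator for the
# per-user shaping an ip-up/ip-down hook would do; nothing is executed.

IPT=${IPT:-/usr/local/sbin/iptables}
TC=${TC:-/sbin/tc}
UPLINK=${UPLINK:-eth0}   # assumed: interface the clients' uploads leave through
MARK_BASE=500            # original post: mark = ppp unit number + 500

# is_uint VALUE: true only for a non-empty string of decimal digits, so a
# RADIUS attribute such as "64; reboot" can never be spliced into a command.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# radattr_get FILE NAME: value of the first "NAME value" line of a radattr file
radattr_get() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# mark_for_iface IFACE: decimal fwmark for pppN, rejected if it would not fit
# in the 16-bit minor of a class id
mark_for_iface() {
    unit=${1#ppp}
    is_uint "$unit" || return 1
    mark=$((unit + MARK_BASE))
    [ "$mark" -lt 65536 ] || return 1
    echo "$mark"
}

# shape_cmds IFACE REMOTE_IP RADATTR_FILE: print the tc/iptables commands.
shape_cmds() {
    iface=$1; remote=$2; attrs=$3
    mark=$(mark_for_iface "$iface") || { echo "bad interface: $iface" >&2; return 1; }
    down=$(radattr_get "$attrs" Download)
    up=$(radattr_get "$attrs" Upload)
    is_uint "$down" && is_uint "$up" && [ "$down" -gt 0 ] && [ "$up" -gt 0 ] ||
        { echo "bad Download/Upload attribute in $attrs" >&2; return 1; }
    h=$(printf '%x' "$mark")
    # downstream: the client's own ppp interface gets its own root, marked by destination
    echo "$TC qdisc add dev $iface root handle 1: htb default $h"
    echo "$TC class add dev $iface parent 1: classid 1:$h htb rate ${down}kbit"
    echo "$TC qdisc add dev $iface parent 1:$h handle $h: sfq perturb 10"
    echo "$TC filter add dev $iface parent 1: protocol ip prio 1 handle 0x$h fw classid 1:$h"
    echo "$IPT -t mangle -A POSTROUTING -o $iface -d $remote -j MARK --set-mark 0x$h"
    # upstream: one class per client under the uplink's existing root 1:
    echo "$TC class add dev $UPLINK parent 1: classid 1:$h htb rate ${up}kbit"
    echo "$TC qdisc add dev $UPLINK parent 1:$h handle $h: sfq perturb 10"
    echo "$TC filter add dev $UPLINK parent 1: protocol ip prio 1 handle 0x$h fw classid 1:$h"
    echo "$IPT -t mangle -A FORWARD -i $iface -s $remote -j MARK --set-mark 0x$h"
}

# unshape_cmds IFACE REMOTE_IP: the ip-down half, so classes and rules do not
# accumulate across sessions (the ppp interface vanishes with its own qdisc)
unshape_cmds() {
    iface=$1; remote=$2
    mark=$(mark_for_iface "$iface") || return 1
    h=$(printf '%x' "$mark")
    echo "$IPT -t mangle -D FORWARD -i $iface -s $remote -j MARK --set-mark 0x$h"
    echo "$TC filter del dev $UPLINK parent 1: protocol ip prio 1 handle 0x$h fw"
    echo "$TC class del dev $UPLINK classid 1:$h"
}

# usage with a constructed radattr file (the format pppd's radattr plugin writes)
attrs=$(mktemp)
printf 'Download 512\nUpload 128\nCliente cliente\n' > "$attrs"
shape_cmds ppp3 10.0.0.7 "$attrs"
unshape_cmds ppp3 10.0.0.7
rm -f "$attrs"
```

For ppp3 the mark is 503, written as 0x1f7 in the iptables and fw-filter lines and as minor 1f7 in the class ids; replace the echo calls with the real commands once the output looks right.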
From jonas.jasas at gmail.com Wed Jan 11 16:05:10 2006 From: jonas.jasas at gmail.com (Jonas Jasas) Date: Wed Jan 11 16:05:20 2006 Subject: [LARTC] Re: Simple shaping question In-Reply-To: <2af436490601100936n4f007112t2be6d891bf22fdf3@mail.gmail.com> References: <2af436490601100936n4f007112t2be6d891bf22fdf3@mail.gmail.com> Message-ID: Thank you for your help! These are my modified rules, but they work exactly as before :~/
/sbin/tc qdisc del dev eth0 root
/sbin/tc qdisc add dev eth0 root handle 1 htb default 20 r2q 100
/sbin/tc class add dev eth0 parent 1: classid 1:2 htb rate 900Kbit burst 15k
/sbin/tc class add dev eth0 parent 1:2 classid 1:10 htb rate 890Kbit ceil 900Kbit
/sbin/tc class add dev eth0 parent 1:2 classid 1:20 htb rate 10Kbit ceil 900Kbit
/sbin/tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
/sbin/tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
/sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 100 u32 match ip sport 80 0xffff flowid 1:10
/sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 100 u32 match ip dport 80 0xffff flowid 1:10
Are these rules OK or am I missing something again? Can anyone show me a working example of similar rules? Thanks again for help! From jody.shumaker at gmail.com Wed Jan 11 16:08:14 2006 From: jody.shumaker at gmail.com (Jody Shumaker) Date: Wed Jan 11 16:08:20 2006 Subject: [LARTC] control p2p upload bandwidth rate In-Reply-To: <002d01c61696$b39af420$0e001eac@NATANIEL> References: <43AAE878.10404@phreaker.net> <2af436490512221148p27dc53a1vc90f8549f54ae7c4@mail.gmail.com> <002401c6164d$34bde1b0$9a0023ac@NATANIEL> <2af436490601102111s71440bd4w84f37ca0157752f2@mail.gmail.com> <002d01c61696$b39af420$0e001eac@NATANIEL> Message-ID: <2af436490601110708g2585712ds433d1473f038abcc@mail.gmail.com> > My doubt is, what you said is that only one packet with a mark will be > matched without those other commands, so, are the lines I have put in red > correct? 
> Today it is working fine, but I have never made a test longer than > 20 or 30 minutes... > > Att, > > Nataniel Klug > > It should be perfectly fine. Since you're just marking based on an ip match, there is no need for CONNMARK. CONNMARK is only needed when you want to mark a whole connection based on something you'll only see once, like the p2p protocol's headers. Destination/source addresses will be present in every packet you want to mark. - Jody -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060111/f7f0e6cf/attachment.html From diego.cabrero at e-attico.net Wed Jan 11 16:36:33 2006 From: diego.cabrero at e-attico.net (Diego Cabrero) Date: Wed Jan 11 16:36:34 2006 Subject: [LARTC] Re: Simple shaping question In-Reply-To: References: <2af436490601100936n4f007112t2be6d891bf22fdf3@mail.gmail.com> Message-ID: <43C52601.5080409@e-attico.net> An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060111/a98f5547/attachment.htm From hotny at gmx.de Wed Jan 11 20:44:33 2006 From: hotny at gmx.de (Hotny) Date: Wed Jan 11 20:44:42 2006 Subject: [LARTC] Traffic Control using with an application Message-ID: <001a01c616e7$72c1fc90$0100a8c0@Amelie> Hi! I want to use traffic control for a resource controller for a multimedia middleware platform. Is there a library or syscalls, so that I don't have to use the system commands? Thanks for your help! Hotny From andy.furniss at dsl.pipex.com Thu Jan 12 01:23:04 2006 From: andy.furniss at dsl.pipex.com (Andy Furniss) Date: Thu Jan 12 01:22:50 2006 Subject: [LARTC] tc filter add ... 
fw returns RTNETLINK answers: Invalid argument In-Reply-To: <62432.194.239.27.101.1136980515.squirrel@mail.nrvissing.net> References: <43C440EB.7010508@nrvissing.net> <43C456D4.7020000@dsl.pipex.com> <62432.194.239.27.101.1136980515.squirrel@mail.nrvissing.net> Message-ID: <43C5A168.3010601@dsl.pipex.com> Flemming Frandsen wrote:
>>>tc filter add dev eth0 parent 1: protocol ip prio 1 handle 1 fw
>>>RTNETLINK answers: Invalid argument
>>
>>As I already said - you don't need handle 1
>
>
> I tried removing it, but it didn't make any difference.
>
> Am I correct in assuming that the reason that the 'parent 1:' part isn't
> needed is because it comes from the mark?
>
Remove handle 1, not parent 1: In the context of fw, handle 1 tells the filter to match mark 1. Andy. From dor at ldc.net Thu Jan 12 08:09:53 2006 From: dor at ldc.net (Dmytro O. Redchuk) Date: Thu Jan 12 08:10:01 2006 Subject: [LARTC] Re: Simple shaping question In-Reply-To: References: <2af436490601100936n4f007112t2be6d891bf22fdf3@mail.gmail.com> Message-ID: <20060112070953.GA4498@ldc.net> On Wed, Jan 11, 2006 at 05:05:10PM +0200, Jonas Jasas wrote:
> Thank you for your help!
> These are my modified rules, but they work exactly as before :~/
>
> /sbin/tc qdisc del dev eth0 root
The problem is that eth0 is connected to the Internet? Do you really want to shape outgoing (ACK?) packets?
>
> Thanks again for help!
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
-- _,-=._ /|_/| `-.} `=._,.-=-._., @ @._, `._ _,-. ) _,.-' ` G.m-"^m`m' Dmytro O. Redchuk From jonas.jasas at gmail.com Thu Jan 12 09:48:13 2006 From: jonas.jasas at gmail.com (Jonas Jasas) Date: Thu Jan 12 09:48:20 2006 Subject: [LARTC] Re: Simple shaping question In-Reply-To: <20060112070953.GA4498@ldc.net> References: <2af436490601100936n4f007112t2be6d891bf22fdf3@mail.gmail.com> <20060112070953.GA4498@ldc.net> Message-ID: On 1/12/06, Dmytro O. 
Redchuk wrote: > The problem is that eth0 is connected to Internet? Yes it is connected to internet, but what is the difference if it is connected to internet or LAN? > Do you really want to shape outgoing (ACK?) packets? Yes, I have router and web server in one box. So I want that outgoing/incoming office traffic and web servers traffic would be with the high priority. In what place of iptables this htb traffic control is handled? My rules are ok when I set the same rate and ceil. From diego.cabrero at e-attico.net Thu Jan 12 10:16:01 2006 From: diego.cabrero at e-attico.net (Diego Cabrero) Date: Thu Jan 12 10:16:03 2006 Subject: [LARTC] Re: Simple shaping question In-Reply-To: References: <2af436490601100936n4f007112t2be6d891bf22fdf3@mail.gmail.com> <20060112070953.GA4498@ldc.net> Message-ID: <43C61E51.2050402@e-attico.net> An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060112/9d05eda7/attachment-0001.html From dor at ldc.net Thu Jan 12 10:30:30 2006 From: dor at ldc.net (Dmytro O. Redchuk) Date: Thu Jan 12 10:30:40 2006 Subject: [LARTC] Re: Simple shaping question In-Reply-To: References: <2af436490601100936n4f007112t2be6d891bf22fdf3@mail.gmail.com> <20060112070953.GA4498@ldc.net> Message-ID: <20060112093030.GA4408@ldc.net> On Thu, Jan 12, 2006 at 10:48:13AM +0200, Jonas Jasas wrote: > On 1/12/06, Dmytro O. Redchuk wrote: > > The problem is that eth0 is connected to Internet? > Yes it is connected to internet, but what is the difference if it is > connected to internet or LAN? > > > Do you really want to shape outgoing (ACK?) packets? > Yes, I have router and web server in one box. So I want that > outgoing/incoming office traffic and web servers traffic would be > with the high priority. > > In what place of iptables this htb traffic control is handled? > My rules are ok when I set the same rate and ceil. Then, sorry, I didn't understand which traffic you would like to control and in which way. 
And still can not understand. Can you draw a picture? Let's say, a client (who wants to download), a server (who offers web or ftp services), a box (who should perform the traffic control), their interfaces... -- _,-=._ /|_/| `-.} `=._,.-=-._., @ @._, `._ _,-. ) _,.-' ` G.m-"^m`m' Dmytro O. Redchuk From alex.hocquel_NOSPAM_ at free.fr Thu Jan 12 13:01:57 2006 From: alex.hocquel_NOSPAM_ at free.fr (Alexandre) Date: Thu Jan 12 14:00:14 2006 Subject: [LARTC] iproute problem Message-ID: Hello, I'm on Debian Sarge, and am actually trying to set up iproute this way:
- local network 1: 192.168.12.0/24
- local network 2: 172.20.0.0/16
- one router on both networks: 192.168.12.50 & 172.20.201.50
- one router to the internet (SLIS): 172.20.1.1
I want to access the internet from my 1st local network... here are my lines... (taken from The LARTC Howto)
ip route add 172.20.0.0/16 dev ra0 src 172.20.201.50 table Project
ip route add default via 172.20.1.1 table Project
ip route add 172.20.0.0/16 dev ra0 src 172.20.201.50
ip route add default via 172.20.1.1
ip rule add from 172.20.201.50 table Project
ip route add 192.168.12.0/24 dev eth0 table Project
ip route add 127.0.0.0/8 dev lo table Project
after that:
# ip route show
192.168.12.0/24 dev eth0 proto kernel scope link src 192.168.12.50
172.20.0.0/16 dev ra0 proto kernel scope link src 172.20.201.50
default via 172.20.1.1 dev ra0
and if I try from local network 1:
$ ping 172.20.201.50
it works, I can even access it with ssh, but:
$ ping 172.20.1.1
doesn't work! What's the problem? Any suggestion will be appreciated ;-) thanks in advance, Alexandre From jody.shumaker at gmail.com Thu Jan 12 15:48:33 2006 From: jody.shumaker at gmail.com (Jody Shumaker) Date: Thu Jan 12 15:48:36 2006 Subject: [LARTC] iproute problem In-Reply-To: References: Message-ID: <2af436490601120648k71b1e3e1h6ae0854bf2da7657@mail.gmail.com> Are you sure 172.20.1.1 doesn't block pings? Is there anything else wrong with the setup besides the pings not working? 
It's not that uncommon for a server to not respond to ping. - Jody On 1/12/06, Alexandre wrote: > > Hello, > > I'm on Debian Sarge, and try actually to setup iproute this way : > - local network 1: 192.168.12.0/24 > - local network 2: 172.20.0.0/16 > - one router on both network : 192.168.12.50 & 172.20.201.50 > - one router to internet (SLIS) : 172.20.1.1 > > I want from my 1st local network to access internet... > > here are my lines... (taken from The LARTC Howto) > > ip route add 172.20.0.0/16 dev ra0 src 172.20.201.50 table Project > ip route add default via 172.20.1.1 table Project > ip route add 172.20.0.0/16 dev ra0 src 172.20.201.50 > ip route add default via 172.20.1.1 > ip rule add from 172.20.201.50 table Project > ip route add 192.168.12.0/24 dev eth0 table Project > ip route add 127.0.0.0/8 dev lo table Project > > after that : > > # ip route show > 192.168.12.0/24 dev eth0 proto kernel scope link src 192.168.12.50 > 172.20.0.0/16 dev ra0 proto kernel scope link src 172.20.201.50 > default via 172.20.1.1 dev ra0 > > and if I try from local network 1: > $ ping 172.20.201.50 > it works, I can even access with ssh on > but: > $ ping 172.20.1.1 > doesn't work! > > what's the problem? > > Any suggestion will be appreciated ;-) > > thanks by advance, > > Alexandre > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060112/cd25beb7/attachment.htm From amit at xsinfoways.com Thu Jan 12 15:49:44 2006 From: amit at xsinfoways.com (amit pasari) Date: Thu Jan 12 15:49:55 2006 Subject: [LARTC] tc class class id problem Limitation Message-ID: <6.2.1.2.0.20060112201315.05709bd8@147.202.41.46> Hello, I have been working on tc class . But when the classid reaches 5 digit , it DOES NOT ACCEPT THAT ... 
see the example below :: tc class add dev eth0 parent 10:36 classid 10:13310 cbq bandwidth 10Mbit rate 32Kbit allot 1514 weight 3.2Kbit prio 5 maxburst 20 avpkt 1000 bounded See the bold digit !! this command doesn't work , but if i use with 4 digit then it works : tc class add dev eth0 parent 10:36 classid 10:1331 cbq bandwidth 10Mbit rate 32Kbit allot 1514 weight 3.2Kbit prio 5 maxburst 20 avpkt 1000 bounded Can anyone tell me is it a limitation or what , and can i over come it ?? URGENT HELP IS REQUIRED !! Thanks in advance . amit pasari -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060112/cb6ea5e5/attachment.html From dor at ldc.net Thu Jan 12 16:08:07 2006 From: dor at ldc.net (Dmytro O. Redchuk) Date: Thu Jan 12 16:08:14 2006 Subject: [LARTC] tc class class id problem Limitation In-Reply-To: <6.2.1.2.0.20060112201315.05709bd8@147.202.41.46> References: <6.2.1.2.0.20060112201315.05709bd8@147.202.41.46> Message-ID: <20060112150806.GE4408@ldc.net> On Thu, Jan 12, 2006 at 08:19:44PM +0530, amit pasari wrote: > Hello, > I have been working on tc class . But when the classid reaches 5 digit , > it DOES NOT ACCEPT THAT ... > see the example below :: > tc class add dev eth0 parent 10:36 classid 10:13310 cbq bandwidth 10Mbit > rate 32Kbit allot 1514 weight 3.2Kbit prio 5 maxburst 20 avpkt 1000 bounded > > See the bold digit !! this command doesn't work , but if i use with 4 > digit then it works : > tc class add dev eth0 parent 10:36 classid 10:1331 cbq bandwidth 10Mbit > rate 32Kbit allot 1514 weight 3.2Kbit prio 5 maxburst 20 avpkt 1000 bounded > > Can anyone tell me is it a limitation or what , and can i over come it ?? Four. In hex. 0001 - FFFF (FFFE?) I guess. > URGENT HELP IS REQUIRED !! > Thanks in advance . 
> > amit pasari > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc -- _,-=._ /|_/| `-.} `=._,.-=-._., @ @._, `._ _,-. ) _,.-' ` G.m-"^m`m' Dmytro O. Redchuk XMMS: From dunadanmontaraz at hotmail.com Thu Jan 12 20:01:57 2006 From: dunadanmontaraz at hotmail.com (Beto .) Date: Thu Jan 12 20:01:59 2006 Subject: [LARTC] Qos and bandwidth control Message-ID: hi everybody. I'm trying to set up a QoS config, using layer7 (http://l7-filter.sourceforge.net/) for protocol detection. I'm supposing 3 clients with this configuration:
3 clients: 1.2.3.1 , 1.2.3.2 , 1.2.3.3
1.2.3.1 has 256kbit bandwidth "guaranteed"
clients 1.2.3.2 and 1.2.3.3 have 256kbit bandwidth
so I'm marking every packet using the layer7 iptables module, classifying them in three groups: high priority(2), medium priority(3) and low priority(4). Protocols (or applications) like ssh, VOIP or games fit in the high priority category, and P2P apps go in the low priority category. iptables commands are like this:
iptables -t mangle -A POSTROUTING -m layer7 --l7proto ssh -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -m layer7 --l7proto h323 -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -m layer7 --l7proto directconnect -j MARK --set-mark 4
iptables -t mangle -A POSTROUTING -m layer7 --l7proto bittorrent -j MARK --set-mark 4
iptables -t mangle -A POSTROUTING -m layer7 --l7proto fasttrack -j MARK --set-mark 4
then I use a combination of tc commands to enqueue packets on different classes depending on this mark. The problem I'm facing is that I also have to limit the clients' bandwidth and I'm not sure that my solution is the best. I've searched for an example like this on the web but I have found nothing. Here is my little script for this config, comments will be very appreciated!!! It could have some errors. Basic protocol detection and enqueueing was working fine, but I'm not sure now, with the "bandwidth restrictions" additions.
#!/bin/bash
tc qdisc add dev eth0 root handle 1: htb default 8
tc class add dev eth0 parent 1: classid 1:1 htb rate 512kbit
tc class add dev eth0 parent 1:1 classid 1:2 htb rate 256kbit prio 1
tc class add dev eth0 parent 1:1 classid 1:3 htb rate 256kbit prio 1
tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip src 1.2.3.1/32 flowid 1:2
tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip src 1.2.3.2/32 flowid 1:3
tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip src 1.2.3.3/32 flowid 1:3
# classes for client 1
tc class add dev eth0 parent 1:2 classid 1:4 htb rate 200kbit
tc class add dev eth0 parent 1:2 classid 1:5 htb rate 128kbit ceil 256kbit
tc class add dev eth0 parent 1:2 classid 1:6 htb rate 20kbit ceil 256kbit
tc filter add dev eth0 protocol ip parent 1:2 prio 1 handle 2 fw flowid 1:4
tc filter add dev eth0 protocol ip parent 1:2 prio 1 handle 3 fw flowid 1:5
tc filter add dev eth0 protocol ip parent 1:2 prio 1 handle 4 fw flowid 1:6
# i need this??
tc qdisc add dev eth0 parent 1:4 handle 4: sfq perturb 10
tc qdisc add dev eth0 parent 1:5 handle 5: sfq perturb 10
tc qdisc add dev eth0 parent 1:6 handle 6: sfq perturb 10
# classes for clients 2 and 3
tc class add dev eth0 parent 1:3 classid 1:7 htb rate 200kbit
tc class add dev eth0 parent 1:3 classid 1:8 htb rate 128kbit ceil 256kbit
tc class add dev eth0 parent 1:3 classid 1:9 htb rate 20kbit ceil 256kbit
# filters for clients 2 and 3 classes
tc filter add dev eth0 protocol ip parent 1:3 prio 1 handle 2 fw flowid 1:7
tc filter add dev eth0 protocol ip parent 1:3 prio 1 handle 3 fw flowid 1:8
tc filter add dev eth0 protocol ip parent 1:3 prio 1 handle 4 fw flowid 1:9
tc qdisc add dev eth0 parent 1:7 handle 7: sfq perturb 10
tc qdisc add dev eth0 parent 1:8 handle 8: sfq perturb 10
tc qdisc add dev eth0 parent 1:9 handle 9: sfq perturb 10
thanks! 
Roberto Scattini _________________________________________________________________ Chat with your friends online using MSN Messenger: http://messenger.latam.msn.com/ From andy.furniss at dsl.pipex.com Thu Jan 12 22:43:57 2006 From: andy.furniss at dsl.pipex.com (Andy Furniss) Date: Thu Jan 12 22:43:30 2006 Subject: [LARTC] Gred/dsmark/htb In-Reply-To: <648A21EA469E3848922D9860785CD5EF45670A@aspen-mail01.aspenview.org> References: <648A21EA469E3848922D9860785CD5EF45670A@aspen-mail01.aspenview.org> Message-ID: <43C6CD9D.1010409@dsl.pipex.com> comp.techs wrote:
> Hi, I am trying to get assured forwarding/expedited forwarding with gred and htb working. Below is the script I am using.
> The following steps are what I think is how the script works. My problem is that if I remove the HTB qdisc from the script and have GRED's parent as the dsmark it works, but when I add the htb as a parent of GRED and DSmark as the parent of htb it does not work?
>
> Any suggestion appreciated.
> thx jason
>
> 1. The DS field is marked by iptables in prerouting/mangle to the appropriate class.
> 2. DSMark masks the ds and copies the dscp to the tcindex field.
> 3. filters are selected as per what dscp their handle is.
> 4. the minor of the filter is returned back to the dsmark and copied to the tcindex
>
>
> #!/bin/sh
> tc qdisc del dev eth0 root
> tc qdisc add dev eth0 handle 1:0 root dsmark indices 16 set_tc_index
> tc filter add dev eth0 parent 1:0 protocol ip prio 1 tcindex \
> mask 0xfc shift 2 pass_on
> #af class 1
I think all the filters below here should be on 2:0
> tc filter add dev eth0 parent 1:0 protocol ip prio 1 \
> handle 10 tcindex classid 1:11
> tc filter add dev eth0 parent 1:0 protocol ip prio 1 \
> handle 12 tcindex classid 1:12
> tc filter add dev eth0 parent 1:0 protocol ip prio 1 \
> handle 14 tcindex classid 1:13
> #af class 2
Andy. 
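An added example, not code from the thread, for two things raised above: the per-client HTB tree with priority leaves selected by the layer7 marks (the "Qos and bandwidth control" script), and the "five digit classid" problem, where tc rejected classid 10:13310. A class id's minor is a 16-bit value that tc reads as hex, so 13310 written literally means 0x13310, which does not fit; the same decimal number written as 33fe does. The generator below computes every minor that way and refuses ids that would not fit. Marks 2, 3 and 4 and the three client addresses come from the post; the 60/30/10 split inside each client's share, the catch-all for unmarked packets, the 1:ffff default class and the index-times-16 numbering are assumptions made here. Nothing is executed; the tc commands are printed for inspection.

```shell
#!/bin/sh
# Added example, not the poster's script. Prints the tc commands for a
# per-client HTB tree; class minors are computed as 16-bit hex.

# hexid N: N as a hex class minor, or failure if N does not fit in 16 bits
hexid() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 65535 ] || return 1
    printf '%x\n' "$1"
}

# root_tree DEV TOTAL_KBIT: root qdisc, the shared parent 1:1, and a default
# leaf 1:ffff for anything no client filter claims
root_tree() {
    dev=$1; total=$2
    echo "tc qdisc add dev $dev root handle 1: htb default ffff"
    echo "tc class add dev $dev parent 1: classid 1:1 htb rate ${total}kbit"
    echo "tc class add dev $dev parent 1:1 classid 1:ffff htb rate 8kbit ceil ${total}kbit prio 7"
    echo "tc qdisc add dev $dev parent 1:ffff handle ffff: sfq perturb 10"
}

# client_tree DEV INDEX IP RATE_KBIT: client INDEX owns minors INDEX*16 ..
# INDEX*16+3, so up to 4095 clients fit under one root
client_tree() {
    dev=$1; idx=$2; ip=$3; rate=$4
    case "$idx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$idx" -ge 1 ] || return 1
    base=$((idx * 16))
    cls=$(hexid "$base") || { echo "client index $idx out of range" >&2; return 1; }
    hi=$(hexid $((base + 1))); mid=$(hexid $((base + 2))); lo=$(hexid $((base + 3)))
    # the client's share: rate == ceil, so clients never borrow from each other
    echo "tc class add dev $dev parent 1:1 classid 1:$cls htb rate ${rate}kbit ceil ${rate}kbit"
    echo "tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip src $ip/32 flowid 1:$cls"
    # priority leaves inside the client's share; these do borrow from each other
    echo "tc class add dev $dev parent 1:$cls classid 1:$hi htb rate $((rate * 6 / 10))kbit ceil ${rate}kbit prio 0"
    echo "tc class add dev $dev parent 1:$cls classid 1:$mid htb rate $((rate * 3 / 10))kbit ceil ${rate}kbit prio 1"
    echo "tc class add dev $dev parent 1:$cls classid 1:$lo htb rate $((rate / 10))kbit ceil ${rate}kbit prio 2"
    for leaf in $hi $mid $lo; do
        echo "tc qdisc add dev $dev parent 1:$leaf handle $leaf: sfq perturb 10"
    done
    # fw filters attached to the client class: HTB keeps classifying inside an
    # inner class with that class's own filters, so each client needs its own set
    echo "tc filter add dev $dev parent 1:$cls protocol ip prio 1 handle 2 fw flowid 1:$hi"
    echo "tc filter add dev $dev parent 1:$cls protocol ip prio 1 handle 3 fw flowid 1:$mid"
    echo "tc filter add dev $dev parent 1:$cls protocol ip prio 1 handle 4 fw flowid 1:$lo"
    # unmarked packets would otherwise fall through to the root's default class
    echo "tc filter add dev $dev parent 1:$cls protocol ip prio 2 u32 match u32 0 0 flowid 1:$mid"
}

# usage: the three clients from the post
root_tree eth0 512
client_tree eth0 1 1.2.3.1 256
client_tree eth0 2 1.2.3.2 128
client_tree eth0 3 1.2.3.3 128
```

Client 3 gets classid 1:30 with leaves 1:31, 1:32 and 1:33; the sfq leaves are needed because an HTB leaf class otherwise queues in a plain fifo, and a client index of 4096 is refused because its minor would be 0x10000.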
From tuipveus at gmail.com Fri Jan 13 12:00:07 2006 From: tuipveus at gmail.com (Janne Raatikainen) Date: Fri Jan 13 12:00:52 2006 Subject: [LARTC] multiple isp + nat Message-ID: <1a9f78a60601130300h7a4458a1te78801863c7845e2@mail.gmail.com> I configured multiple isp (actually only multiple gw) according to http://lartc.org/howto/lartc.rpdb.multiple-links.html. Now NAT (Internet) seems to work, both external interfaces work (I didn't configure load balancing because I don't need it). However I have the problem that I can not ping from NAT to the public ip of my Linux box. The problem is that I can not connect from the 192.168.1.0/24 network to services listening on 84.248.213.195, but I can connect to the Internet from NAT through that interface's gateway (84.248.192.0). Connecting with the public ip worked fine when I had simple NAT, with a single Internet connection. I also notice that port forwarding from the Linux box (public ip) to a computer under nat doesn't work either. Anyone has an idea what the problem is?
# ip rule ls
0: from all lookup local
32762: from 84.248.213.195 lookup T1
32764: from 88.192.38.86 lookup T2
32766: from all lookup main
32767: from all lookup default
# ip route
84.248.192.0 dev eth2 scope link src 84.248.213.195
88.192.32.0 dev eth0 scope link src 88.192.38.86
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.50
88.192.32.0/20 dev eth0 proto kernel scope link src 88.192.38.86
84.248.192.0/19 dev eth2 proto kernel scope link src 84.248.213.195
default via 88.192.32.1 dev eth0
default via 84.248.192.1 dev eth2
Do I have to use some different kind of iptables rules (fwmark?) than I used when I had only one connection to the Internet, or do I have to add some route or gw? Janne From madhava.rayudu at gmail.com Fri Jan 13 16:16:34 2006 From: madhava.rayudu at gmail.com (Madhava Rayudu) Date: Fri Jan 13 16:16:39 2006 Subject: [LARTC] Per user bandwidth limiting ..for small ISP.using Squid Message-ID: Sir, Kindly excuse me. I am a newbie to LARTC.. 
I am a small ISP in rural India distributing a 1 MB link to 200 people. I have been using rshaper by Alessandro Rubini for shaping. http://freshmeat.net/projects/rshaper/ My kernel is Linux version 2.4.22-1.2115.nptl (Fedora Core 1). Rshaper is very good at controlling incoming bandwidth (from LAN). I use Squid also on this Linux box. Right now I am using Delay Pools of Squid to control bandwidth per user for Http traffic. Squid saves me around 35% of bandwidth and hence I can not afford not to use it. Squid also gives my clients a feel of speed -- an important thing for me. Rshaper is no more under active development. The author advised me to switch to TC. Rshaper will not work on any new kernel. I want to switch to kernel 2.6. Any ideas for this kind of a situation using tc, Squid? Bandwidth of 1 MB for 200 users means "tiny" rates I have to use for each client (7-8 Kbit). Using rshaper I wrote scripts
rshaperctl 10.x.x.1 2400
. . . . . . . . . . . .
rshaperctl 10.x.x.250 2400
which means the client 10.x.x.1 sends @2400 bytes/sec and gets 3 times 2400 (7200) for downloads (the default behaviour of rshaper) (all 250 lines ..batch file) and for port 80 (Squid) I am using delay pools. I want browsing to be fast; downloads can be slow. I want a similar solution using TC, HTB. Kindly help... Thanks a lot for your time.... Rayudu. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060113/dc393668/attachment.htm From surda at shurdix.com Fri Jan 13 16:58:19 2006 From: surda at shurdix.com (Peter Surda) Date: Fri Jan 13 16:58:26 2006 Subject: [LARTC] Per user bandwidth limiting ..for small ISP.using Squid In-Reply-To: References: Message-ID: <43C7CE1B.7080600@shurdix.com> Madhava Rayudu wrote: > Sir, Hello, > I am a small ISP in rural India distributing 1 MB > link to 200 people. ... > Squid saves me around 35% of bandwidth and hence I can > not afford not to use it. 
I hope people won't mind if I mention my project again: http://www.shurdix.org For some time it was successfully used on a network with 8MBit link and 1400 users (although the peak of simultaneously active users was "only" slightly above 700). So it should be able to work in your situation. Your situation is however special because you have squid. Combining squid and tc is problematic. However, there were some kind guys who designed the "tproxy" iptables extension, which can help you. It isn't easy to setup and if you have NAT you need 2 separate machines (one doing the NAT and one running the squid), but is doable. This way tc will see squid's traffic with the IP of the real client. Squid including the tproxy patch can be found in the optional package for shurdix (I'll document it on the wiki page if you are interested). My recommendation for your situation would be something like this: - keep your router, let it do NAT and perhaps a minimal firewall - get a second machine, put it between the router and the LAN, and install shurdix there - configure it to use TC and Squid (and optionally IP accounting and/or firewall if you like). No delay pools necessary. I would like to stress again however that combining tproxied squid and tc isn't easy and is poorly documented (but possible and it works). YMMV. > Rayudu. Yours sincerely, Peter -- http://www.shurdix.org - Linux distribution for routers and firewalls From manish at tuxspace.com Fri Jan 13 17:32:30 2006 From: manish at tuxspace.com (Manish Kathuria) Date: Fri Jan 13 17:32:53 2006 Subject: [LARTC] multiple isp + nat In-Reply-To: <1a9f78a60601130300h7a4458a1te78801863c7845e2@mail.gmail.com> References: <1a9f78a60601130300h7a4458a1te78801863c7845e2@mail.gmail.com> Message-ID: <43C7D61E.3090106@tuxspace.com> Janne Raatikainen wrote: > I configured multiple isp (actually only multiple gw) according > http://lartc.org/howto/lartc.rpdb.multiple-links.html. 
> > Now NAT (Internet) seems to work, both external interfaces work (I > didn't configure load balancing because I don't need it). However I have > the problem that I can not ping from NAT to the public ip of my Linux box. > The problem is that I can not connect from the 192.168.1.0/24 network to > services listening on 84.248.213.195, but I can connect to the Internet from > NAT through that interface's gateway (84.248.192.0). Connecting with the > public ip worked fine when I had simple NAT, with a single > Internet connection. Have you used any firewall rules which prevent INPUT from the LAN? > > I also notice that port forwarding from the Linux box (public ip) to a computer > under nat doesn't work either. Anyone has an idea what the problem is? You will have to accept the traffic in the FORWARD chain in addition to the port forwarding rule for the system which is being accessed. I think it will be better if you list your firewall rules here to make things clear. It will make it easier to identify the reason. > Do I have to use some different kind of iptables rules (fwmark?) than I used > when I had only one connection to the Internet, or do I have to add some > route or gw? > > Janne > -- Manish http://www.tuxspace.com/ From l.lucrezia at tiesse.com Fri Jan 13 19:41:31 2006 From: l.lucrezia at tiesse.com (V. Luciano Lucrezia) Date: Fri Jan 13 19:41:45 2006 Subject: [LARTC] HTB not shaping correctly ? (or bad scripts...) Message-ID: Hello to everybody, We have an ADSL link with an uplink speed of 530kbit; the goal is to divide the traffic into three classes, let's say A, B and C. A data rate of 240kbps must be guaranteed to class A. The remaining rate must be assigned: at least 180kbit to class B and at least 80kbit to class C. 
The unused band of class A must be given to classes B and C (if needed).
The unused band of class B must be given to C (if needed).
The unused band of class C must be given to B (if needed).

We started with the following HTB configuration:

DEV_RATE=530kbit
DEV_CEIL=530kbit
RT_RATE=240kbit
RT_CEIL=240kbit
MC_RATE=180kbit
MC_CEIL=530kbit
BE_RATE=80kbit
BE_CEIL=530kbit
OUTDEV=atm0

iptables -t mangle -F
iptables -F
tc qdisc del dev $OUTDEV root handle 1:

# Classification of A
iptables -t mangle -A PREROUTING -p udp --dport 50000 -j MARK --set-mark 100
iptables -t mangle -A PREROUTING -p udp --dport 50000 -j ACCEPT

# Classification of B
iptables -t mangle -A PREROUTING -p udp --dport 50001 -j MARK --set-mark 200
iptables -t mangle -A PREROUTING -p udp --dport 50001 -j ACCEPT

# Classification of C
iptables -t mangle -A PREROUTING -p udp --dport 50002 -j MARK --set-mark 300
iptables -t mangle -A PREROUTING -p udp --dport 50002 -j ACCEPT

# Definition of Class
tc qdisc add dev $OUTDEV root handle 1: htb default 30
tc class add dev $OUTDEV parent 1: classid 1:1 htb rate ${DEV_RATE} ceil ${DEV_CEIL} cburst 500kb
tc class add dev $OUTDEV parent 1:1 classid 1:10 htb rate ${RT_RATE} ceil ${RT_CEIL} prio 1
tc class add dev $OUTDEV parent 1:1 classid 1:20 htb rate ${MC_RATE} ceil ${MC_CEIL} prio 2
tc class add dev $OUTDEV parent 1:1 classid 1:30 htb rate ${BE_RATE} ceil ${BE_CEIL} prio 3

tc filter add dev $OUTDEV parent 1:0 protocol ip prio 1 handle 100 fw classid 1:10 \
    police rate ${RT_RATE} burst 20kbit drop flowid 1:10
tc filter add dev $OUTDEV parent 1:0 protocol ip prio 2 handle 200 fw classid 1:20
tc filter add dev $OUTDEV parent 1:0 protocol ip prio 3 handle 300 fw classid 1:30

tc qdisc add dev $OUTDEV parent 1:10 handle 10: pfifo limit 10
tc qdisc add dev $OUTDEV parent 1:20 handle 20: pfifo limit 50
tc qdisc add dev $OUTDEV parent 1:30 handle 30: pfifo limit 30

Data are generated by a SmartBits. The packet size for class A is 60 bytes.
The average packet size for class B is 250 and the average packet size for C is 235. In classes B and C there are some packets of 1500 bytes. The ADSL MTU is 576. Data are received from the Ethernet interface and sent over ADSL. The ADSL modem is connected via a USB interface to the box. This does not introduce extra overhead.

On class A we send exactly 240kbit or more, and regardless of the data rate sent for classes B and C, on class A we never reach 240kbit, stopping at 238kbit. What is sent on classes B and C is completely received. To get exactly 240kbit on A we must set RT_RATE to 290kbit, but of course when sending more than 290kbit we take bandwidth away from B and C. In this case we exceed RT_RATE (again this sounds strange...). With values between 240 and 290 we continue to stop at 238. Changing the value of RT_CEIL does not help, and in any case we NEED to stop at 240kbit.

Do you have an explanation for this? Is there a better way to use shaping rules?

Previously we tried:

tc class add dev $OUTDEV parent 1: classid 1:1 htb rate ${DEV_RATE} ceil ${DEV_CEIL}

obtaining the same results in terms of data rate, but we got too much delay in classes B and C. Increasing the value of limit for class A, we get more delay. Using sfq does not help, as we lose many packets.

Any help will be appreciated...

Thanks
--
luciano lucrezia

From ff at nrvissing.net Fri Jan 13 22:21:55 2006
From: ff at nrvissing.net (Flemming Frandsen)
Date: Fri Jan 13 22:22:28 2006
Subject: [LARTC] Traffic Control using with an application
In-Reply-To: <001a01c616e7$72c1fc90$0100a8c0@Amelie>
References: <001a01c616e7$72c1fc90$0100a8c0@Amelie>
Message-ID: <43C819F3.1090604@nrvissing.net>

Hotny wrote:
> I want to use traffic control for a resource controller for a multimedia
> middleware platform. Is there a library or syscalls, so that I don't
> have to use the Systemcommands?

Why would you want to do that?
There is nothing sinful or expensive about calling other programs from your own; it's actually a good idea as it makes your application more robust (no breaking down because a binary interface has changed) and easier to debug.

If you are doing something that demands very fast responses then maybe you are better off doing all the traffic shaping directly; see frottle for an example of a way to do that.

From ff at nrvissing.net Fri Jan 13 22:45:49 2006
From: ff at nrvissing.net (Flemming Frandsen)
Date: Fri Jan 13 22:46:23 2006
Subject: [LARTC] tc filter add ... fw returns RTNETLINK answers: Invalidargument
In-Reply-To: <2af436490601110714h7abbc3b2neb9d7061a6baacea@mail.gmail.com>
References: <43C440EB.7010508@nrvissing.net> <43C456D4.7020000@dsl.pipex.com> <62432.194.239.27.101.1136980515.squirrel@mail.nrvissing.net> <2af436490601110714h7abbc3b2neb9d7061a6baacea@mail.gmail.com>
Message-ID: <43C81F8D.2010703@nrvissing.net>

Jody Shumaker wrote:
> I have never seen anything coming from the mark unless you specify it.

I have.

> I'm honestly not really sure how setting a mark of 0x14806 can
> automatically set it to go to flowid 1:4806.

Because someone wrote it to do that; a mark of 0xdadface will map to flowid dad:face.

> I'm fairly sure you need
> either a CLASSIFY target, or a tc filter to use the mark to put it in a
> specific classid. Is there something I'm missing here?

I'm pretty sure you are, I have it working here at my end.

The CLASSIFY target of iptables is something I have overlooked; it looks like it does exactly the same thing except with a slightly different and less obscure syntax. I'll change my script to use CLASSIFY instead, it seems a lot nicer.

> I'm curious
> because you said it's working as it is right now, and would like to know
> if there's something I'm just not familiar with. This then makes me
> wonder, what do you want this command to do? If it's erroring and not
> doing anything, but as you claim everything is working correctly...
> then
> what do you need this for?

First the error: it was because I had "handle 1" in there, just like Andy said.

The trick is that this:

iptables -t mangle -A to-dsl -s $subnet -j MARK --set-mark $mark

... sets a mark that this:

tc filter add dev $uplink parent 1: protocol ip prio 1 fw

... uses to hit this directly:

tc class add dev $uplink parent 1:1 classid $class htb \
    ceil $userUpCeil rate $userUpRate burst 15k prio 10

Without any in-between duplication of information. But so does CLASSIFY, so I'll just use that later on, thanks.

From Andreas.Klauer at metamorpher.de Fri Jan 13 23:56:41 2006
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Fri Jan 13 23:56:59 2006
Subject: [LARTC] Qos and bandwidth control
In-Reply-To:
References:
Message-ID: <20060113225641.GA11542@EIS>

On Thu, Jan 12, 2006 at 07:01:57PM +0000, Beto . wrote:
> 1.2.3.1 has 256kbit bandwidth "guaranteed"
> clients 1.2.3.2 and 1.2.3.3 have 256kbit bandwidth

So I guess that means 512kbit in total?

> so I'm marking every packet using the layer7 iptables module

I have not used layer7 so far, only IPP2P, but the basic idea of classifying and prioritizing should be the same.

> iptables -t mangle -A POSTROUTING -m layer7 --l7proto ssh -j MARK
> --set-mark 2

No connmark? Does layer7 actually detect every single packet of this protocol, or only the first ones of a connection? In the latter case, you'd have to mark the connection, not just a single packet.

> the problem I'm facing is that I also have to limit the clients' bandwidth and
> I'm not sure that my solution is the best. I've searched for an example like
> this on the web but I have found nothing.

I don't know what's best either. My solution was to give every user a separate HTB class, to limit their bandwidth. Further prioritization of packets then has to be done inside this user class. Your setup looks like you're trying to do something similar.

> it could have some errors.
> Basic protocol detection and enqueueing was working
> fine, but I'm not sure now, with the "bandwidth restrictions" additions.

The most common error with HTB classes is that the sum of the children class rates is not equal to the parent class rate. You got it right for the root class 1:1 and its children 1:2, 1:3 (256+256=512kbit), but it's wrong for the children of 1:2 (200+128+20=348kbit, whereas the parent can only offer 256kbit in total).

Also, I don't see where in your setup the classification by user is taking place.

Regards,
Andreas Klauer

From jody.shumaker at gmail.com Sat Jan 14 00:04:15 2006
From: jody.shumaker at gmail.com (Jody Shumaker)
Date: Sat Jan 14 00:04:29 2006
Subject: [LARTC] tc filter add ... fw returns RTNETLINK answers: Invalidargument
In-Reply-To: <43C81F8D.2010703@nrvissing.net>
References: <43C440EB.7010508@nrvissing.net> <43C456D4.7020000@dsl.pipex.com> <62432.194.239.27.101.1136980515.squirrel@mail.nrvissing.net> <2af436490601110714h7abbc3b2neb9d7061a6baacea@mail.gmail.com> <43C81F8D.2010703@nrvissing.net>
Message-ID: <2af436490601131504u3967c229kc5aaadfc766dca15@mail.gmail.com>

On 1/13/06, Flemming Frandsen wrote:
>
> Jody Shumaker wrote:
> > I have never seen anything coming from the mark unless you specify it.
>
> I have.
>
> > I'm honestly not really sure how setting a mark of 0x14806 can
> > automatically set it to go to flowid 1:4806.
>
> Because someone wrote it to do that, a mark of 0xdadface will map to
> flowid dad:face.

Interesting, you learn something new every day. I was guessing I was missing something since you had stated it was working, but was curious as to what. I'll have to keep this feature in mind.

> I'll change my script to use CLASSIFY instead, it seems a lot nicer.

Just as a warning, I recall users having some issues with classify in the past, so your current setup, while it may not seem as nice, might still be better. In particular I seem to recall issues with matching targets more than 1 level deep.
For example, if you have 1:10, 10:100 and 100:1000, you can't have classify target the 100:1000. This behavior might have changed though.

As usual, if it ain't broke, don't fix it?

- Jody

From janne at raatikainen.org Sat Jan 14 10:44:34 2006
From: janne at raatikainen.org (Janne Raatikainen)
Date: Sat Jan 14 10:44:34 2006
Subject: [LARTC] RE: multiple isp + nat
Message-ID: <1a9f78a60601140144v101c3bf3ob3725ee8aea0442d@mail.gmail.com>

On 1/13/06, Manish Kathuria wrote:
> Janne Raatikainen wrote:
> > I configured multiple isp (actually only multiple gw) according to
> > http://lartc.org/howto/lartc.rpdb.multiple-links.html.
> >
> > Now NAT (Internet) seems to work, both external interfaces work (I
> > didn't configure load balancing because I don't need it). However I have
> > a problem that I can not ping from NAT to the public ip of my Linux box.
> > The problem is that I can not connect from the 192.168.1.0/24 network to
> > services listening on 84.248.213.195, but I can connect to the Internet from
> > NAT through that interface's gateway (84.248.192.0). Connecting with the
> > public ip worked fine when I had simple NAT, with a single
> > Internet connection.
>
> Have you used any firewall rules which prevent INPUT from the LAN ?
>

I have, but according to my logging no iptables dropping rule rejects the packets. I have also tried disabling all those drops, but it still doesn't work. Like I said, I have used the same kind of rules which I used with normal NAT, where there is only 1 external nic and one internal nic. I just added a new nic there, to have multiple ip's.
Here you can see which connections work and which don't: http://www.raatikainen.org/extra/multigw/router3.png

(Some corrections to that picture: I can connect from under NAT to computers on the Internet, web pages work, but I can not connect from the Internet to my NAT even if I use portforwarding (same rules which work fine with only a single external nic).)

So the problem is that I can not connect from 192.168.1.0/24 to 84.248.213.195 (Linux server), but I have to use the internal ip 192.168.1.50 of that same Linux server.

If I go to the Linux server and do the following, pinging from the inside interface (eth1) goes fine to the Internet:

# ping -I 192.168.1.50 google.com
PING google.com (64.233.187.99): 56 data bytes
64 bytes from 64.233.187.99: icmp_seq=0 ttl=240 time=139.8 ms

but:

#traceroute -i eth1 google.com
traceroute: Warning: google.com has multiple addresses; using 72.14.207.99
traceroute to google.com (72.14.207.99), 30 hops max, 38 byte packets
traceroute: sendto: Operation not permitted
 1 traceroute: wrote google.com 38 chars, ret=-1

Even traceroute -I -i eth1 google.com (using icmp packets instead of udp) gives the same error.

The next thing is that I try to ping from NAT to the external ip of my Linux server and see from the Linux logs where the packet disappears. I get the following lines:

Jan 7 01:43:28 raatikainen kernel: mangleprerouting IN=eth1 OUT= MAC=00:04:75:cb:66:00:00:13:8f:3f:8f:05:08:00 SRC=192.168.1.79 DST=84.248.213.195 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=65178 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=25346
Jan 7 01:43:28 raatikainen kernel: natprerouting IN=eth1 OUT= MAC=00:04:75:cb:66:00:00:13:8f:3f:8f:05:08:00 SRC=192.168.1.79 DST=84.248.213.195 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=65178 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=25346

As you see, there is no icmp reply from 84.248.213.195 -> 192.168.1.79. Why? If I ping from 192.168.1.79 -> 192.168.1.50 it does get an icmp reply back.

> >
> > I also notice that portforwarding from the Linux box (public ip) to a computer
> > under NAT doesn't work either.
> > Anyone has an idea what the problem is?
>
> You will have to accept the traffic in the FORWARD chain in addition to
> the port forwarding rule for the system which is being accessed.
>
> I think it will be better if you list your firewall rules here to make
> things clear. It will make it easier to identify the reason.

You can see the iptables rules and routes in: http://www.raatikainen.org/extra/multigw/verkkoongelma.txt

Janne

From tuipveus at gmail.com Sat Jan 14 11:06:22 2006
From: tuipveus at gmail.com (Janne Raatikainen)
Date: Sat Jan 14 11:06:22 2006
Subject: [LARTC] multiple isp + nat
In-Reply-To: <1a9f78a60601130300h7a4458a1te78801863c7845e2@mail.gmail.com>
References: <1a9f78a60601130300h7a4458a1te78801863c7845e2@mail.gmail.com>
Message-ID: <1a9f78a60601140206rf1ec31x94f06eeafc4109be@mail.gmail.com>

Please notice my other message down there, sent from another e-mail address ->

ps. This gmail is confusing to use for a mailing list. :)
pps. I hope this message now goes under the other one in the archive, because it doesn't have "RE:" in the subject line.

From Andreas.Klauer at metamorpher.de Sat Jan 14 16:21:10 2006
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Sat Jan 14 16:22:15 2006
Subject: [LARTC] Per user bandwidth limiting ..for small ISP.using Squid
In-Reply-To: <43C7CE1B.7080600@shurdix.com>
References: <43C7CE1B.7080600@shurdix.com>
Message-ID: <20060114152110.GA10585@EIS>

On Fri, Jan 13, 2006 at 04:58:19PM +0100, Peter Surda wrote:
> I hope people won't mind if I mention my project again:
> http://www.shurdix.org

We're happy to receive any reply at all, really... :-)

> Your situation is however special because you have squid. Combining
> squid and tc is problematic.

I agree; so far I haven't been able to shape squid traffic the way I want it to. However, shouldn't rshaper suffer from the same issues? It should at least be possible to do something similar to rshaper using tc.
> However, there were some kind guys who designed the "tproxy" iptables
> extension, which can help you. It isn't easy to set up and if you have
> NAT you need 2 separate machines (one doing the NAT and one running
> the squid), but it is doable. This way tc will see squid's traffic with
> the IP of the real client.

These are about the most interesting lines I've seen on this topic. However, I'm in a small home network situation, so even having just one dedicated linux machine is a luxury. So any solution that requires separate machines is not feasible for me.

> My recommendation for your situation would be something like this:
> - keep your router, let it do NAT and perhaps a minimal firewall
> - get a second machine, put it between the router and the LAN, and
> install shurdix there
> - configure it to use TC and Squid (and optionally IP accounting and/or
> firewall if you like). No delay pools necessary.

Other possibilities are:
- Never touch a running system. (If it works, why not leave it as is?)
- Find out how exactly rshaper limits and/or distributes up- and download bandwidth for
  * User <-> Internet
  * User <-> User
  * Internet <-> Squid (and other caches, DNS etc.)
  * Squid (and others?) <-> User
  and use this information to build a tc class tree.
- If you want to keep rshaper, port it to 2.6 yourself ;-)

Regards,
Andreas Klauer

From vladimir at sycore.org Sat Jan 14 22:41:31 2006
From: vladimir at sycore.org (Vladimir S. Petukhov)
Date: Sat Jan 14 22:43:27 2006
Subject: [LARTC] guarantee package delivery
Message-ID: <200601150041.31290.vladimir@sycore.org>

Hi to all!

Sorry for my English :)

The problem: We have shaper software based on the tc linux shaper/filter. This software ('shaper') works with one interface ('eth0') with fixed bandwidth and limits user (above 100 users at a time) bandwidth according to the user's tariff plan. The user traffic filter is based on the destination (user) ip. There are a lot of connection types: OpenVPN, ipip, PPP...
But we want to provide guaranteed bandwidth to ONE userspace application (the filter may be applied by port number). Moreover - packets must not be dropped!

One of the obvious solutions: a (kernel) module must inform userspace about the current bandwidth or the amount of data that the program can send at this moment.

How can it be done?

Thanks....

From surda at shurdix.com Sat Jan 14 22:43:10 2006
From: surda at shurdix.com (Peter Surda)
Date: Sat Jan 14 22:44:23 2006
Subject: [LARTC] Per user bandwidth limiting ..for small ISP.using Squid
In-Reply-To: <20060114152110.GA10585@EIS>
References: <43C7CE1B.7080600@shurdix.com> <20060114152110.GA10585@EIS>
Message-ID: <43C9706E.9040005@shurdix.com>

Andreas Klauer wrote:
>> However, there were some kind guys who designed the "tproxy" iptables
>> extension, which can help you.
>> (cut)
> These are about the most interesting lines I've seen on this topic.
> However, I'm in a small home network situation, so even having just
> one dedicated linux machine is luxury. So any solution that requires
> separate machines is not feasible for me.
>
>
Unfortunately, for design reasons, TPROXY and NAT won't work together and AFAIK there are no plans to change this. I didn't investigate deeply, but I assume TPROXY uses the fields reserved for NAT for other purposes. So if you need both NAT and TPROXY, you need 2 boxes (and some hacking with the routing or arptables or both ;-)).

> Other possibilities are:
> - Never touch a running system. (If it works, why not leave as is?)
>
>
Actually this is a great idea. I admit I didn't read the original post completely and assumed that a new system is required for some reason.

> - Find out how exactly rshaper limits and/or distributes
>
>
Upon looking at the docs for rshaper, I don't think it distributes anything (only limits and has no borrowing). This can be done with HTB (and IMQ).
Several years ago I wrote a bandwidth management system for a small ISP that actually worked somewhat like this (the ISP uses a web interface to set incoming/outgoing bandwidth for individual customers, and optionally a monthly limit, and cron sets up the HTB rules automagically). I don't use it personally, Shurdix does fair distribution only, but I imagine there are people who might have other requirements. If there is enough interest (and I find the time) I can polish it and put it up for download.

> Regards,
> Andreas Klauer
>
>
Yours sincerely,
Peter

--
http://www.shurdix.org - Linux distribution for routers and firewalls

From Andreas.Klauer at metamorpher.de Sun Jan 15 00:29:50 2006
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Sun Jan 15 00:30:39 2006
Subject: [LARTC] guarantee package delivery
In-Reply-To: <200601150041.31290.vladimir@sycore.org>
References: <200601150041.31290.vladimir@sycore.org>
Message-ID: <20060114232950.GA13093@EIS>

On Sun, Jan 15, 2006 at 12:41:31AM +0300, Vladimir S. Petukhov wrote:
> Moreover - packets must not be dropped!

Sorry for this useless answer, but... How strong is this condition? I mean, even if you don't drop a packet locally, it can still be dropped by the target machine, or by one of the routers in between. You have no influence on that whatsoever, so no matter what you do, your application must be able to handle dropped packets. If you think about it that way, is it still critical when a packet gets dropped locally? If not, you could just do this the usual way.

> One of the obvious solutions: a (kernel) module must inform
> userspace about the current bandwidth or the amount of data that the program can send
> at this moment.

Does the kernel even know about that?
Regards,
Andreas Klauer

From madhava.rayudu at gmail.com Sun Jan 15 08:57:57 2006
From: madhava.rayudu at gmail.com (Madhava Rayudu)
Date: Sun Jan 15 08:58:20 2006
Subject: [LARTC] Per user bandwidth limiting ..for small ISP.using Squid
In-Reply-To: <43C9706E.9040005@shurdix.com>
References: <43C7CE1B.7080600@shurdix.com> <20060114152110.GA10585@EIS> <43C9706E.9040005@shurdix.com>
Message-ID:

> Upon looking at the docs for rshaper, I don't think it distributes
> anything (only limits and has no borrowing). This can be done with HTB
> (and IMQ). Several years ago I wrote a bandwidth management system for a
> small ISP that actually worked somewhat like this (the ISP uses a web
> interface to set incoming/outgoing bandwidth for individual customers,
> and optionally a monthly limit, and cron sets up the HTB rules
> automagically). I don't use it personally, Shurdix does fair
> distribution only, but I imagine there are people who might have other
> requirements. If there is enough interest (and I find the time) I can
> polish it and put it for download.

My requirement suits exactly this. Kindly post it, I will download it.

Thanks a lot for the great help.

Regards,
Rayudu

From zoup at zoup.org Mon Jan 16 12:10:37 2006
From: zoup at zoup.org (Armin ranjbar)
Date: Sun Jan 15 12:06:10 2006
Subject: [LARTC] missing program?
Message-ID: <20060116144037.798539db.zoup@zoup.org>

hi list :)

It's been a long time that I've been looking for a tool that can:
- generate traffic in all protocols (the ability to send customized and standard packets (example: syn/ack) to a target)
- control over the IP datagram
- ability to do a Denial of service attack!
  (I'm not looking to crack anything, but I need to test my own setup with it)
- the ability to work without its own server (like socket, which also can work as a server)
- be able to measure throughput or response times
- developed actively

Do you know one?

--
He that breaks a thing to find out what it is has left the path of wisdom.
-- J.R.R. Tolkien

From andre at matuschek.org Sun Jan 15 13:09:20 2006
From: andre at matuschek.org (André Matuschek)
Date: Sun Jan 15 13:09:33 2006
Subject: [LARTC] missing program?
In-Reply-To: <20060116144037.798539db.zoup@zoup.org>
References: <20060116144037.798539db.zoup@zoup.org>
Message-ID:

Hi!

> do you know one ?

Maybe hping does not meet all your requirements, but it goes in the right direction. Have a look at http://www.hping.org/ !

André

From kajtek at biezanow.net Sun Jan 15 13:49:17 2006
From: kajtek at biezanow.net (Kajetan Staszkiewicz)
Date: Sun Jan 15 13:49:20 2006
Subject: [LARTC] HTB - not borrowing, not exceeding rate
In-Reply-To: <43C2F881.3010108@dsl.pipex.com>
References: <200601081659.24726.kajtek@biezanow.net> <43C2F881.3010108@dsl.pipex.com>
Message-ID: <200601151349.17964.kajtek@biezanow.net>

On Tuesday, 10 January 2006 00:57, Andy Furniss wrote:
> > # main rate limitation for whole connection (802.11a radio link)
> > tc class add dev eth2.24 parent 1: classid 1:1 htb rate 15000kbit ceil
> > 15000kbit burst 10kbit
>
> Burst too small - it's related to HZ and also should be at least as big
> as child bursts.
>
> http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm#burst

That was the problem. Now I don't specify burst, so tc calculates it by itself and now all is working as I wanted. Thank you.
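As an added example (my own, not code from Kajetan, Andy, Andreas or anyone else on this list), the Python script below checks a set of "tc class add ... htb" lines for the two HTB mistakes raised in these threads: children whose guaranteed rates add up to more than their parent's rate (Andreas Klauer's point in the "Qos and bandwidth control" thread) and an explicit burst that is smaller than rate/HZ or smaller than a child's burst (Andy Furniss's point quoted above). It assumes the shell variables are already expanded and a kernel HZ of 250; the sample trees are constructed from the figures quoted in the threads.

```python
"""Sanity-check an HTB class tree before loading it with tc.

Added example, not code from any poster on this list. It parses
'tc class add ... htb ...' lines and reports children whose rates
add up to more than the parent's rate, ceil/rate inconsistencies, and
explicit bursts smaller than rate/HZ or smaller than a child's burst.
HZ is an assumption; check CONFIG_HZ on the box you are configuring.
"""
import re

HZ = 250  # assumed kernel tick rate (100, 250 and 1000 are all common)

# Constructed input modelled on the Qos thread: 512kbit split into two 256kbit
# user classes, with 1:2 subdivided into 200+128+20 kbit (more than 256).
SAMPLE_TREE = """
tc qdisc add dev eth0 root handle 1: htb default 3
tc class add dev eth0 parent 1: classid 1:1 htb rate 512kbit ceil 512kbit
tc class add dev eth0 parent 1:1 classid 1:2 htb rate 256kbit ceil 512kbit
tc class add dev eth0 parent 1:1 classid 1:3 htb rate 256kbit ceil 512kbit
tc class add dev eth0 parent 1:2 classid 1:20 htb rate 200kbit ceil 256kbit prio 1
tc class add dev eth0 parent 1:2 classid 1:21 htb rate 128kbit ceil 256kbit prio 2
tc class add dev eth0 parent 1:2 classid 1:22 htb rate 20kbit ceil 256kbit prio 3
"""

# Constructed input modelled on the radio-link class: 15000kbit with a 10kbit burst.
SAMPLE_RADIO = """
tc class add dev eth2.24 parent 1: classid 1:1 htb rate 15000kbit ceil \\
    15000kbit burst 10kbit
"""

_NUM = re.compile(r"(\d+(?:\.\d+)?)([a-z]*)")
# tc rate suffixes use decimal multipliers; the 'bps' family is bytes per second
_RATE = {"bit": 1, "kbit": 10**3, "mbit": 10**6, "gbit": 10**9,
         "bps": 8, "kbps": 8 * 10**3, "mbps": 8 * 10**6, "gbps": 8 * 10**9}
# tc size suffixes use binary multipliers; bare numbers and 'b' are bytes
_SIZE = {"b": 1, "k": 1024, "kb": 1024, "m": 1024**2, "mb": 1024**2,
         "g": 1024**3, "gb": 1024**3, "kbit": 128, "mbit": 1024**2 // 8,
         "gbit": 1024**3 // 8}


def _convert(text, table, default):
    m = _NUM.fullmatch(text.lower())
    if not m or (m.group(2) or default) not in table:
        raise ValueError(f"cannot parse tc value {text!r}")
    return int(float(m.group(1)) * table[m.group(2) or default])


def parse_rate(text):
    """'512kbit' -> 512000 bit/s; '64kbps' (bytes/s) -> 512000 bit/s."""
    return _convert(text, _RATE, "bit")


def parse_size(text):
    """'10kbit' -> 1280 bytes; '15k' -> 15360 bytes."""
    return _convert(text, _SIZE, "b")


_CLASS = re.compile(r"tc\s+class\s+(?:add|change|replace)\s+dev\s+\S+\s+"
                    r"parent\s+(\S+)\s+classid\s+(\S+)\s+htb\s+(.*)")


def parse_htb_classes(script):
    """Map classid -> {parent, rate (bit/s), ceil (bit/s), burst (bytes or None)}.
    Shell variables must already be expanded; backslash continuations are joined."""
    classes = {}
    for line in script.replace("\\\n", " ").splitlines():
        m = _CLASS.search(line.strip())
        if not m:
            continue
        parent, classid, opts = m.groups()
        toks = opts.split()
        kv = dict(zip(toks[0::2], toks[1::2]))  # "rate X ceil Y burst Z prio N ..."
        rate = parse_rate(kv["rate"])
        classes[classid] = {
            "parent": parent,
            "rate": rate,
            "ceil": parse_rate(kv["ceil"]) if "ceil" in kv else rate,  # HTB default
            "burst": parse_size(kv["burst"]) if "burst" in kv else None,  # None: tc computes it
        }
    return classes


def check_htb_tree(script, hz=HZ):
    """Return a list of findings; an empty list means the tree is consistent."""
    classes = parse_htb_classes(script)
    findings = []
    for cid, c in classes.items():
        kids = [k for k, v in classes.items() if v["parent"] == cid]
        total = sum(classes[k]["rate"] for k in kids)
        if kids and total > c["rate"]:
            findings.append(f"{cid}: children guarantee {total // 1000}kbit "
                            f"but class rate is {c['rate'] // 1000}kbit")
    for cid, c in classes.items():
        parent = classes.get(c["parent"])
        if c["ceil"] < c["rate"]:
            findings.append(f"{cid}: ceil is below rate")
        if parent and c["ceil"] > parent["ceil"]:
            findings.append(f"{cid}: ceil exceeds parent {c['parent']} ceil")
        if c["burst"] is None:
            continue
        min_burst = c["rate"] // 8 // hz  # bytes the class sends in one timer tick
        if c["burst"] < min_burst:
            findings.append(f"{cid}: burst {c['burst']} bytes is below rate/HZ "
                            f"= {min_burst} bytes at HZ={hz}")
        if parent and parent["burst"] is not None and parent["burst"] < c["burst"]:
            findings.append(f"{c['parent']}: burst {parent['burst']} bytes is smaller "
                            f"than child {cid} burst {c['burst']}")
    return findings


if __name__ == "__main__":
    for name, tree in (("sample tree", SAMPLE_TREE), ("radio link", SAMPLE_RADIO)):
        print(name, "->", check_htb_tree(tree) or ["ok"])
```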
--
| pozdrawiam / greetings | powered by Trustix, Gentoo and FreeBSD |
| Kajetan Staszkiewicz   | JID: vegeta@chrome.pl                  |
| Vegeta                 | IMQ devnames: http://tuxpowered.net     |
`------------------------^----------------------------------------'

From vladimir at sycore.org Sun Jan 15 13:52:38 2006
From: vladimir at sycore.org (Vladimir S. Petukhov)
Date: Sun Jan 15 13:52:45 2006
Subject: [LARTC] guarantee package delivery
Message-ID: <200601151552.38821.vladimir@sycore.org>

>> Moreover - packets must not be dropped!
> Sorry for this useless answer, but... How strong is this condition?
> I mean, even if you don't drop a packet locally, it can still be
> dropped by the target machine, or by one of the routers in between.
> You have no influence on that whatsoever, so no matter what you do,
> your application must be able to handle dropped packets.

No. There are no routers and no other hosts between the server and the client machine. There is only ... air and space :) . I am talking about a satellite link with 100% quality within a fixed bandwidth. On the way from server to client only a shaper can drop packets. This program (client-server) uses this characteristic (this and some others) and "accelerates Internet access". But any packet loss entails a speed drop and a lot of high-priced "land" traffic.

> Does the kernel even know about that?

Of course. We use HTB to divide speed between users, and logic may be implemented that guarantees package delivery to the network adapter. That is all we need: do not filter THIS traffic at all - tell the userspace program about the available "traffic" (using tokens, e.g., or in some other way).

From paul.lewis at st-annes.oxford.ac.uk Sun Jan 15 19:36:37 2006
From: paul.lewis at st-annes.oxford.ac.uk (Paul Lewis)
Date: Sun Jan 15 19:36:40 2006
Subject: [LARTC] Network configuration
Message-ID: <000301c61a02$9f6f3500$6402a8c0@sannpjl>

Hi,

Apologies for the cross-posting; I'm not sure whether this is a firewall or routing issue, or both!
I have four network cards, detailed below. eth0 and eth3 connect to my ISPs, and eth1 and eth2 connect to local networks. I want to route all traffic from eth2 to eth0, and from eth1 to eth3. However, I am having a few problems with this.

eth0
ip: 192.168.100.253/24
gw: 192.168.100.254 (ISP)

eth1
ip: 192.168.3.253/22
gw: 192.168.20.253 (eth3)

eth2
ip: 192.168.7.253/22
gw: 192.168.100.253 (eth0)

eth3
ip: 192.168.20.253/24
gw: 192.168.20.254 (ISP)

I have tried setting up routing using these commands:

echo "ISP_1" >> /etc/iproute2/rt_tables
echo "ISP_2" >> /etc/iproute2/rt_tables

ip route add 192.168.4.0/22 dev eth2 src 192.168.7.253 table ISP_1
ip route add default via 192.168.100.253 table ISP_1
ip route add 192.168.0.0/22 dev eth1 src 192.168.3.253 table ISP_2
ip route add default via 192.168.20.253 table ISP_2

ip rule add from 192.168.7.253 table ISP_1
ip rule add from 192.168.3.253 table ISP_2

However, this yielded no success. I have also tried a simple iptables forwarding configuration (without the routing config above):

iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth3 -j ACCEPT
iptables -A FORWARD -i eth3 -o eth1 -j ACCEPT

# default policy
iptables -P FORWARD DROP

Again, with no success. I do have a reasonably complex firewall in place, but no other rules in the FORWARD section of the firewall. I have a number of open ports under INPUT for other services the machine provides, and nothing under OUTPUT.

In the NAT section, I have no rules in OUTPUT, a couple of MASQUERADING rules under POSTROUTING, and hundreds of rules under PREROUTING (accepting or denying machines based on their MAC).

I've had a few thoughts on this; do I need to have four default gateways configured, one for each network card? And do I need more (or any) forwarding rules in the firewall?

I've been struggling with this problem for some time now, and it's really starting to annoy me.
I would really appreciate any feedback people could send me.

Many thanks,

Paul

---
Paul Lewis (paul.lewis@st-annes.ox.ac.uk)
Part II Student
Department Of Materials
University Of Oxford

From hariett.jones at wp.pl Sun Jan 15 21:59:54 2006
From: hariett.jones at wp.pl (Hariett Jones)
Date: Sun Jan 15 22:00:23 2006
Subject: [LARTC] even bandwith for users on 2 newtworks
Message-ID: <43cab7ca69c72@wp.pl>

Server:
eth0 - internet DSL
eth1 - LAN
wlan0 - wireless LAN

I want the server to share bandwidth from eth0 evenly for users on eth1 and wlan0. How can I make it? Is it possible? As far as I know htb splits outgoing bandwidth on one device only.

From ff at nrvissing.net Sun Jan 15 22:42:45 2006
From: ff at nrvissing.net (Flemming Frandsen)
Date: Sun Jan 15 22:43:26 2006
Subject: [LARTC] even bandwith for users on 2 newtworks
In-Reply-To: <43cab7ca69c72@wp.pl>
References: <43cab7ca69c72@wp.pl>
Message-ID: <43CAC1D5.9010600@nrvissing.net>

Hariett Jones wrote:
> I want the server to share bandwidth from eth0 evenly for users on eth1
> and wlan0. How can I make it? Is it possible? As far as I know htb
> splits outgoing bandwidth on one device only.

This is the most braindead defect of Linux (IMHO): You can't, because you can only shape outgoing traffic on an interface.

However, some people have found that it works just fine if only Linux would allow it, but due to the rule that "You can only shape outgoing traffic on an interface" you have to make an intermediate fake device where the traffic shaping can take place.

The Intermediate Message Queue (IMQ) is a patch for 2.4 and 2.6 and will allow you to take all the traffic coming in from eth0 and pipe it via imq0 before routing, so you can traffic shape imq0.
For kernel 2.6.16 there is a new feature called IFB which does the same thing (in this context anyway) as IMQ, so if you can upgrade your kernel, then this might be the best choice.

From c-d.hailfinger.devel.2006 at gmx.net Mon Jan 16 00:25:16 2006
From: c-d.hailfinger.devel.2006 at gmx.net (Carl-Daniel Hailfinger)
Date: Mon Jan 16 00:25:29 2006
Subject: [LARTC] even bandwith for users on 2 newtworks
In-Reply-To: <43CAC1D5.9010600@nrvissing.net>
References: <43cab7ca69c72@wp.pl> <43CAC1D5.9010600@nrvissing.net>
Message-ID: <43CAD9DC.3000708@gmx.net>

Flemming Frandsen wrote:
> Hariett Jones wrote:
>
>> I want the server to share bandwidth from eth0 evenly for users on eth1
>> and wlan0. How can I make it? Is it possible? As far as I know htb
>> splits outgoing bandwidth on one device only.
>
> This is the most braindead defect of Linux (IMHO): You can't, because
> you can only shape outgoing traffic on an interface.

Yes, you can. Easily. And you don't need IMQ/IFB.

eth1->eth0 and wlan0->eth0 are easy. Classical outgoing shaping.
eth0->eth1 and eth0->wlan0 are similar. Outgoing shaping on eth1 and wlan0, each with a limit of half the incoming bandwidth of eth0.

I had to learn that Linux can perform most of the tasks people claim are impossible. Some involve a lot of iproute2 trickery and even the standard Howtos may tell you the problems can't be solved.

However, there are some cases where IMQ/IFB is useful. I don't want to bash these intermediary devices, they're just abused too many times.

Regards,
Carl-Daniel

--
http://www.hailfinger.org/

From michael at bbd.co.za Mon Jan 16 11:39:10 2006
From: michael at bbd.co.za (Michael Davidson)
Date: Mon Jan 16 11:39:50 2006
Subject: [LARTC] Network configuration
In-Reply-To: <000301c61a02$9f6f3500$6402a8c0@sannpjl>
References: <000301c61a02$9f6f3500$6402a8c0@sannpjl>
Message-ID: <43CB77CE.6010104@bbd.co.za>

Hi,

There is an "anti-spoofing" issue that you haven't mentioned and may well have to contend with.
Some Linux distros, certainly Redhat, when installed with default settings will engage the anti-spoofing mechanism. This prevents any interface from being used as a default route other than the one declared in the routing table called "main".

You need to "echo 0 > /proc/sys/net/ipv4/conf/eth3/rp_filter" to turn off the anti-spoofing for that interface.

Using iptables you can manually put back some of the anti-spoofing mechanism. See "Rusty Russell's unreliable guide to iptables".

Regards
Mike.

Paul Lewis wrote:
>Hi,
>
>Apologies for the cross-posting; I'm not sure whether this is a firewall or
>routing issue, or both!
>
>I have four network cards, detailed below. eth0 and eth3 connect to my ISPs,
>and eth1 and eth2 connect to local networks. I want to route all traffic
>from eth2 to eth0, and from eth1 to eth3. However, I am having a few
>problems with this.
>
>eth0
>ip: 192.168.100.253/24
>gw: 192.168.100.254 (ISP)
>
>eth1
>ip: 192.168.3.253/22
>gw: 192.168.20.253 (eth3)
>
>eth2
>ip: 192.168.7.253/22
>gw: 192.168.100.253 (eth0)
>
>eth3
>ip: 192.168.20.253/24
>gw: 192.168.20.254 (ISP)
>
>I have tried setting up routing using these commands:
>
>echo "ISP_1" >> /etc/iproute2/rt_tables
>echo "ISP_2" >> /etc/iproute2/rt_tables
>
>ip route add 192.168.4.0/22 dev eth2 src 192.168.7.253 table ISP_1
>ip route add default via 192.168.100.253 table ISP_1
>ip route add 192.168.0.0/22 dev eth1 src 192.168.3.253 table ISP_2
>ip route add default via 192.168.20.253 table ISP_2
>
>ip rule add from 192.168.7.253 table ISP_1
>ip rule add from 192.168.3.253 table ISP_2
>
>However, this yielded no success. I have also tried a simple iptables
>forwarding configuration (without the routing config above):
>
>iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT
>iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
>iptables -A FORWARD -i eth1 -o eth3 -j ACCEPT
>iptables -A FORWARD -i eth3 -o eth1 -j ACCEPT
>
># default policy
>iptables -P FORWARD DROP
>
>Again, with no success.
>I do have a reasonably complex firewall in place,
>but no other rules in the FORWARD section of the firewall. I have a number
>of open ports under INPUT for other services the machine provides, and
>nothing under OUTPUT.
>
>In the NAT section, I have no rules in OUTPUT, a couple of MASQUERADING
>rules under POSTROUTING, and hundreds of rules under PREROUTING (accepting
>or denying machines based on their MAC).
>
>I've had a few thoughts on this; do I need to have four default gateways
>configured; one for each network card? And do I need more (or any)
>forwarding rules in the firewall?
>
>I've been struggling with this problem for some time now, and it's really
>starting to annoy me. I would really appreciate any feedback people could
>send me.
>
>Many thanks,
>
>Paul
>
>---
>Paul Lewis (paul.lewis@st-annes.ox.ac.uk)
>Part II Student
>Department Of Materials
>University Of Oxford
>
>_______________________________________________
>LARTC mailing list
>LARTC@mailman.ds9a.nl
>http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From ff at nrvissing.net Mon Jan 16 12:45:04 2006
From: ff at nrvissing.net (Flemming Frandsen)
Date: Mon Jan 16 12:45:08 2006
Subject: [LARTC] even bandwith for users on 2 newtworks
In-Reply-To: <43CAD9DC.3000708@gmx.net>
References: <43cab7ca69c72@wp.pl> <43CAC1D5.9010600@nrvissing.net> <43CAD9DC.3000708@gmx.net>
Message-ID: <37763.194.239.27.101.1137411904.squirrel@mail.nrvissing.net>

>> This is the most braindead defect of Linux (IMHO): You can't, because
>> you can only shape outgoing traffic on an interface.
>
> Yes, you can. Easily. And you don't need IMQ/IFB.
>
> eth1->eth0 and wlan0->eth0 are easy. Classical outgoing shaping.
> eth0->eth1 and eth0->wlan0 are similar. Outgoing shaping on eth1 and
> wlan0 each with a limit of half the incoming bandwidth of eth0.

This is exactly what I'm doing now, and it's not an optimal solution. It's a rather stupid hack that gets worse each time you add an interface.
My gateway has 3 internal interfaces and I absolutely detest that I can't use more than 1/3 of the line's download capacity on each of these three networks because of the poor design of Linux traffic shaping.

Currently (pre-2.6.16) you can only attach a real traffic shaper to the output of a device, but why not allow a traffic shaper to be attached to the input of a device, without any of the IMQ/IFB nonsense?

I think the problem is that attaching the traffic shaper to the output queue is easy whereas attaching it to the input is hard as there is no queue there to build from, so no one bothered to write it.

Luckily we can just upgrade to 2.6.16 at some point and this problem will mostly be solved.

> However, there are some cases where IMQ/IFB is useful. I don't want
> to bash these intermediary devices, they're just abused too many
> times.

Well, shaping incoming traffic correctly is exactly what IMQ/IFB was written for, so it's hardly abuse.

-- 
Flemming Frandsen, NrVissing.Net administrator.

From alexeyt at freeshell.org Mon Jan 16 14:01:43 2006
From: alexeyt at freeshell.org (Alexey Toptygin)
Date: Mon Jan 16 14:02:01 2006
Subject: [LARTC] even bandwith for users on 2 newtworks
In-Reply-To: <37763.194.239.27.101.1137411904.squirrel@mail.nrvissing.net>
References: <43cab7ca69c72@wp.pl> <43CAC1D5.9010600@nrvissing.net> <43CAD9DC.3000708@gmx.net> <37763.194.239.27.101.1137411904.squirrel@mail.nrvissing.net>
Message-ID:

On Mon, 16 Jan 2006, Flemming Frandsen wrote:

> Currently (pre-2.6.16) you can only attach a real traffic shaper to the
> output of a device, but why not allow a traffic shaper to be attached
> to the input of a device, without any of the IMQ/IFB nonsense?
>
> I think the problem is that attaching the traffic shaper to the output
> queue is easy whereas attaching it to the input is hard as there is no
> queue there to build from, so no one bothered to write it.

No, attaching to the input is just as easy as to the output.
The reason that isn't implemented is that it wouldn't really be useful.

Say you're sharing bandwidth between 2 users, A and B. Suppose A is sending more aggressively than B; then, you can throw away A's overage packets, giving A and B equal shares of your upstream bandwidth. Some LAN bandwidth is wasted by A, but this isn't much if A is running a good TCP. No uplink bandwidth is wasted.

On the other hand, say A and B are downloading large files, and A's server is sending more than B's server. The router at your ISP is going to send you whatever gets there first, so that'll mostly be A's traffic. If you now shape this on input, you'll be throwing away packets that have already gotten to you, and took up downlink bandwidth. By throwing out packets going to A, you can make A and B have "fair" shares of the bandwidth; but B's share won't actually increase (and A's share will get smaller) unless A's server starts sending slower. (This is why A's server should be running ECN.)

The only way to do downlink shaping without wasting your bandwidth would be at the ISP - the other end of your weakest link to the net. Unfortunately, I don't know of any ISP that will do shaping for you.

Alexey

From amsabuncu at gmail.com Mon Jan 16 19:49:53 2006
From: amsabuncu at gmail.com (A.M. Sabuncu)
Date: Mon Jan 16 19:50:04 2006
Subject: [LARTC] Question about TBF burst parameter
Message-ID: <30580f240601161049l6fd18a5fq947ec20d3facca04@mail.gmail.com>

Hi,

I am a complete newbie, and have been doing intense reading for the entire last week, and have the following novice question:

In section 9.2.2.2. of the LARTC HOWTO, the following sample configuration is given:

# tc qdisc add dev ppp0 root tbf rate 220kbit latency 50ms burst 1540

Why is the burst parameter value determined to be 1540?

Thanks,
Todd
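The arithmetic behind the HOWTO line Todd asks about, as an added example that is not from the LARTC HOWTO or from anyone in this thread. It assumes HZ=100 (the 2.4-era timer rate, overridable with the HZ environment variable) and an MTU of 1500, and applies two facts: the HOWTO's rule that a TBF bucket must hold at least rate/HZ bytes because tokens are only credited once per timer tick, and tc's own conversion of "latency" into a queue limit of rate*latency + burst bytes. The thread never settles why 1540 in particular was chosen; the script only shows which lower bounds 1540 clears and what queue size the 50ms latency implies. The ingress_police_cmds function prints the HOWTO's ingress policer (the wondershaper recipe) for the case where the same hard limit is wanted on incoming traffic. All commands are printed, not executed.

```shell
#!/bin/sh
# Added example (not the HOWTO's code): derive the numbers behind
# "tbf rate 220kbit latency 50ms burst 1540" and print the tc lines.
# Assumptions not in the thread: HZ=100 timer tick, MTU 1500 bytes.

HZ=${HZ:-100}
MTU=${MTU:-1500}

# tc's "kbit" means 1000 bit/s; convert a kbit rate to bytes per second.
rate_bytes_per_sec() {            # $1 = rate in kbit
    echo $(( $1 * 1000 / 8 ))
}

# HOWTO rule: tokens arrive once per timer tick, so the bucket must hold
# at least rate/HZ bytes or the configured rate can never be reached.
tbf_min_burst() {                 # $1 = rate in kbit
    echo $(( $(rate_bytes_per_sec "$1") / HZ ))
}

# A bucket smaller than one full-size packet can never release that packet,
# so the usable lower bound is max(rate/HZ, MTU).
tbf_burst() {                     # $1 = rate in kbit
    min=$(tbf_min_burst "$1")
    [ "$min" -gt "$MTU" ] && echo "$min" || echo "$MTU"
}

# tc turns "latency" into the queue size: limit = rate*latency + burst bytes.
tbf_limit() {                     # $1 = rate kbit, $2 = latency ms, $3 = burst bytes
    echo $(( $(rate_bytes_per_sec "$1") * $2 / 1000 + $3 ))
}

# Egress shaper for one device (printed, not run).
tbf_cmd() {                       # $1 = dev, $2 = rate kbit, $3 = latency ms, $4 = burst
    echo "tc qdisc add dev $1 root tbf rate ${2}kbit latency ${3}ms burst $4"
}

# Ingress policer from the HOWTO's policing chapter: drop everything above
# the rate on the way in. A policer has no queue, only a bucket, so "burst"
# is the only smoothing it offers.
ingress_police_cmds() {           # $1 = dev, $2 = rate kbit
    echo "tc qdisc add dev $1 handle ffff: ingress"
    echo "tc filter add dev $1 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${2}kbit burst 10k drop flowid :1"
}

if [ "${1:-}" = "--show" ]; then
    echo "rate 220kbit = $(rate_bytes_per_sec 220) byte/s; rate/HZ = $(tbf_min_burst 220) bytes"
    echo "lower bound for burst = $(tbf_burst 220) bytes (1540 clears it)"
    echo "queue limit implied by latency 50ms = $(tbf_limit 220 50 1540) bytes"
    tbf_cmd ppp0 220 50 1540
    ingress_police_cmds ppp0 220
fi
```

Run it with --show to see the derivation for the HOWTO's ppp0 line; with HZ=1000 the rate/HZ bound drops to 27 bytes and the MTU becomes the binding constraint, which is why the burst is usually sized to the MTU or a small multiple of it rather than to the timer.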
From brian at hammerstein.net Mon Jan 16 20:26:18 2006
From: brian at hammerstein.net (Brian Hammerstein)
Date: Mon Jan 16 20:26:29 2006
Subject: [LARTC] FS: Cyclades PC300/TE2 Dual T1 Interface PCI Card For Linux PC!
Message-ID: <011e01c61ad2$b9aa2df0$640fa8c0@sb51g>

Hi. I have a Cyclades PC300/TE2 card that turns a Linux PC into a Dual T1 interface router. It is well made and high performance. I used it for a few years. It includes two T1 cables. Cyclades has gotten out of this business but the Linux kernel developer community supports this card so no additional driver is needed. It cost me $700+. I would like to sell it for about $300. Put this in a PC with Linux and you get a dual T1 router. Run BGP4 with freeware like Zebra. Way way cool.

http://www.cyclades.com/products/6/pc300
http://www.cyclades.com/resources/?wp=6
http://www.kernel.org/pub/linux/utils/net/hdlc/#cards

From GregScott at InfraSupportEtc.com Mon Jan 16 20:43:41 2006
From: GregScott at InfraSupportEtc.com (Greg Scott)
Date: Mon Jan 16 20:43:52 2006
Subject: [LARTC] FS: Cyclades PC300/TE2 Dual T1 Interface PCI Card For LinuxPC!
Message-ID: <925A849792280C4E80C5461017A4B8A26DC4@mail733.InfraSupportEtc.com>

I hope this isn't too far off topic. I did a little bit of pricing homework a few months ago on new T1 cards. The idea was to build a Linux based router/firewall. After all, Ethernet NICs are easily available for less than $10 today. But all the T1 cards I found cost a fortune. And about a year ago, I learned the list price for a complete Adtran Netvanta 3200 router with T1 card is in the $700 range. Cisco 17xx routers are considerably more expensive.
With that kind of cost, I have a difficult time justifying the time and effort to build a Linux T1 router. Am I nuts? Does anyone know of an ongoing supply for low cost and reliable PCI <--> T1 cards?

- Greg Scott

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Brian Hammerstein
Sent: Monday, January 16, 2006 1:26 PM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] FS: Cyclades PC300/TE2 Dual T1 Interface PCI Card For LinuxPC!

Hi. I have a Cyclades PC300/TE2 card that turns a Linux PC into a Dual T1 interface router. It is well made and high performance. I used it for a few years. It includes two T1 cables. Cyclades has gotten out of this business but the Linux kernel developer community supports this card so no additional driver is needed. It cost me $700+. I would like to sell it for about $300. Put this in a PC with Linux and you get a dual T1 router. Run BGP4 with freeware like Zebra. Way way cool.

http://www.cyclades.com/products/6/pc300
http://www.cyclades.com/resources/?wp=6
http://www.kernel.org/pub/linux/utils/net/hdlc/#cards

From ff at nrvissing.net Mon Jan 16 22:25:51 2006
From: ff at nrvissing.net (Flemming Frandsen)
Date: Mon Jan 16 22:26:24 2006
Subject: [LARTC] even bandwith for users on 2 newtworks
In-Reply-To:
References: <43cab7ca69c72@wp.pl> <43CAC1D5.9010600@nrvissing.net> <43CAD9DC.3000708@gmx.net> <37763.194.239.27.101.1137411904.squirrel@mail.nrvissing.net>
Message-ID: <43CC0F5F.2050301@nrvissing.net>

Alexey Toptygin wrote:
> No, attaching to the input is just as easy as to the output. The reason
> that isn't implemented is that it wouldn't really be useful.

You are full of it. What everybody who asks for shaping wants is mainly ingress shaping and it works just fine.
When TCP starts to notice that packets are getting lost it will throttle down and transmit slower, just like any non-idiotic protocol, because that's the way the Internet works.

You are right that the packets that have already traversed the DSL line have consumed bandwidth that can never be reclaimed, but the point is that once you start dropping packets then fewer will follow and the situation will stabilize.

The fact remains that ingress shaping is immensely useful and that it works.

Linux traffic shaping doesn't support it out of the box (pre 2.6.16) and that's because it was hard(er) to implement, not because it's not useful in the real world.

From surda at shurdix.com Mon Jan 16 22:41:31 2006
From: surda at shurdix.com (Peter Surda)
Date: Mon Jan 16 22:41:40 2006
Subject: [LARTC] even bandwith for users on 2 newtworks
In-Reply-To: <43CC0F5F.2050301@nrvissing.net>
References: <43cab7ca69c72@wp.pl> <43CAC1D5.9010600@nrvissing.net> <43CAD9DC.3000708@gmx.net> <37763.194.239.27.101.1137411904.squirrel@mail.nrvissing.net> <43CC0F5F.2050301@nrvissing.net>
Message-ID: <43CC130B.1010805@shurdix.com>

Flemming Frandsen wrote:
> The fact remains that ingress shaping is immensely useful and that it
> works.

I agree. Ingress shaping, when done properly, is very useful.

According to my experience, one of the main characteristics of traffic control (both ingress and egress) is that its effects are often counter-intuitive and you only realize it after seeing it in action. The "obvious things" turn out to be plainly wrong.

Yours sincerely,
Peter
-- 
http://www.shurdix.org - Linux distribution for routers and firewalls

From jody.shumaker at gmail.com Mon Jan 16 23:27:53 2006
From: jody.shumaker at gmail.com (Jody Shumaker)
Date: Mon Jan 16 23:28:00 2006
Subject: [LARTC] Multi-path routing only using last nexthop in default route.
Message-ID: <2af436490601161427w33b4f04ao6c45791edb92cd34@mail.gmail.com>

I've applied Julian's patches to a 2.6.14 Gentoo kernel with the appropriate options enabled, and I'm using a modified version of the mpath2.sh script also available on Julian's site http://www.ssi.bg/~ja/

Overall everything works nearly perfectly. Incoming connections to either the FiOS (PPPoE) connection or the cable modem get routed back out correctly. The problem I'm having is with the default gateway.

${IP} route add default table 221 proto static \
    nexthop via ${EXTGW2} dev ${EXTIF2} weight 1 \
    nexthop via ${EXTGW1} dev ${EXTIF1} weight 5

With this command, connections going out from my network always seem to use the GW1 route. If I reverse the order of the nexthops to list GW1 first and GW2 second, then the reverse happens and all outgoing connections use GW2.

I'm going to attempt to test this better by attempting a large number of connections to a large list of IPs, but in running this setup I've never seen it use both gateways.

A possible symptom I've noticed is that in the route cache, there tend to be 2 entries, with the used gateway showing up first, such as:

83.53.46.36 from 192.168.0.128 via 10.9.44.15 dev ppp0 src 192.168.0.1
    cache mtu 1492 advmss 1452 metric 10 64 iif eth0
83.53.46.36 from 192.168.0.128 via 66.189.76.1 dev eth1 src 192.168.0.1
    cache mtu 1500 advmss 1460 metric 10 64 iif eth0

In this case, ppp0 was listed as the second nexthop. If I reversed the order of the nexthops, then the order they show up in the cache reverses.

Does anyone have any ideas why both gateways don't seem to be used? Please let me know if any other information about my setup would be useful. I've been experimenting with various other options like turning off rp_filter for both connections, adjusting weights, performing the connections from various internal IPs to various external IPs to ensure new route lookups, etc.
I've just never ever seen it use anything but the last specified nexthop, which has led me to fear it's a problem with the patches and/or my kernel.

Thanks,
Jody

From c-d.hailfinger.devel.2006 at gmx.net Tue Jan 17 01:06:24 2006
From: c-d.hailfinger.devel.2006 at gmx.net (Carl-Daniel Hailfinger)
Date: Tue Jan 17 01:09:56 2006
Subject: [LARTC] even bandwith for users on 2 newtworks
In-Reply-To: <43CC0F5F.2050301@nrvissing.net>
References: <43cab7ca69c72@wp.pl> <43CAC1D5.9010600@nrvissing.net> <43CAD9DC.3000708@gmx.net> <37763.194.239.27.101.1137411904.squirrel@mail.nrvissing.net> <43CC0F5F.2050301@nrvissing.net>
Message-ID: <43CC3500.3050301@gmx.net>

Flemming Frandsen wrote:
> Alexey Toptygin wrote:
>
>> No, attaching to the input is just as easy as to the output. The
>> reason that isn't implemented is that it wouldn't really be useful.
>
> You are full of it.

If "it"=="knowledge", then you're probably right.

> What everybody who asks for shaping wants is mainly ingress shaping and
> it works just fine.
>
> When TCP starts to notice that packets are getting lost it will throttle
> down and transmit slower, just like any non-idiotic protocol, because
> that's the way the Internet works.
>
> You are right that the packets that have already traversed the DSL line
> have consumed bandwidth that can never be reclaimed, but the point is
> that once you start dropping packets then fewer will follow and the
> situation will stabilize.
>
> The fact remains that ingress shaping is immensely useful and that it
> works.
>
> Linux traffic shaping doesn't support it out of the box (pre 2.6.16) and
> that's because it was hard(er) to implement, not because it's not useful
> in the real world.

Please check your facts.
Since you only talk about dropping packets and never about queues, the following has been available for years in mainline kernels:
http://lartc.org/howto/lartc.adv-filter.policing.html

Regards,
Carl-Daniel

From jared.ballou at us.army.mil Tue Jan 17 02:22:24 2006
From: jared.ballou at us.army.mil (Jared Ballou)
Date: Tue Jan 17 02:24:01 2006
Subject: [LARTC] Load Balancing with Instant Messenger traffic?
Message-ID: <43CC46D0.2090105@us.army.mil>

Hi,

I have a box set up to distribute load over 4 satellite connections. I cannot use Instant Messenger programs with it as it stands; I believe that, using iproute2, the path to the server is not being locked to one interface, so the IM servers are getting user traffic from multiple IPs. When I set just one default gateway, IMs work great. When I use the scope global/nexthop method of load balancing, IM programs will keep disconnecting and needing to reconnect. Is there a way (besides bonding) to make IM traffic locked into a certain interface? I'd like to do it balanced too since Yahoo webcams take up 30% of the bandwidth here, but if I have to I guess I could forward all that traffic out one modem and everything else out another.

Thanks.

From jody.shumaker at gmail.com Tue Jan 17 02:59:32 2006
From: jody.shumaker at gmail.com (Jody Shumaker)
Date: Tue Jan 17 03:00:43 2006
Subject: [LARTC] Re: Multi-path routing only using last nexthop in default route.
In-Reply-To: <2af436490601161427w33b4f04ao6c45791edb92cd34@mail.gmail.com>
References: <2af436490601161427w33b4f04ao6c45791edb92cd34@mail.gmail.com>
Message-ID: <2af436490601161759l3a452733s7bc93c14fde96b09@mail.gmail.com>

I found that for ppp devices, I should only define the next hop with the dev, not a via. However this still didn't fix my problem, but I've narrowed down my problem a little further.
# ip route get 66.189.123.136
66.189.123.136 dev ppp0 src 71.248.183.244
    cache mtu 1492 advmss 1452 metric 10 64
# ip route get 66.189.123.137
66.189.123.137 dev ppp0 src 66.189.76.198
    cache mtu 1492 advmss 1452 metric 10 64

It does properly do a 5:1 round robin choice, but only the src changes, not the dev. The above I believe should really have output for the second route:

66.189.123.137 dev eth1 src 66.189.76.198
    cache mtu 1492 advmss 1452 metric 10 64

I'm not sure what is wrong with my config, as I've gone over and over it. My best guess is that something is wrong in the kernel I compiled with the patches.

# ip rule show
0:      from all lookup local
50:     from all lookup main
201:    from 71.248.183.244 lookup 201
202:    from 66.189.76.198/22 lookup 202
221:    from all lookup 221
32766:  from all lookup main
32767:  from all lookup default

# ip route show table main
10.9.44.15 dev ppp0 proto kernel scope link src 71.248.183.244
192.168.100.0/24 dev eth1 proto kernel scope link src 192.168.100.2
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
66.189.76.0/22 dev eth1 proto kernel scope link src 66.189.76.198
127.0.0.0/8 dev lo scope link

# ip route show table 201
default via 10.9.44.15 dev ppp0 proto static src 71.248.183.244
prohibit default proto static metric 1

# ip route show table 202
default via 66.189.76.1 dev eth1 proto static src 66.189.76.198
prohibit default proto static metric 1

# ip route show table 221
default proto static
    nexthop via 66.189.76.1 dev eth1 weight 1
    nexthop dev ppp0 weight 5

From alex at samad.com.au Tue Jan 17 05:16:22 2006
From: alex at samad.com.au (Alexander Samad)
Date: Tue Jan 17 05:18:28 2006
Subject: [LARTC] Re: Multi-path routing only using last nexthop in default route.
In-Reply-To: <2af436490601161759l3a452733s7bc93c14fde96b09@mail.gmail.com>
References: <2af436490601161427w33b4f04ao6c45791edb92cd34@mail.gmail.com> <2af436490601161759l3a452733s7bc93c14fde96b09@mail.gmail.com>
Message-ID: <20060117041622.GD10902@samad.com.au>

On Mon, Jan 16, 2006 at 08:59:32PM -0500, Jody Shumaker wrote:
> I found that for ppp devices, I should only define the next hop with the
> dev, not a via. However this still didn't fix my problem, but I've narrowed
> down my problem a little further.
>
> # ip route get 66.189.123.136
> 66.189.123.136 dev ppp0 src 71.248.183.244
> cache mtu 1492 advmss 1452 metric 10 64
> # ip route get 66.189.123.137
> 66.189.123.137 dev ppp0 src 66.189.76.198
> cache mtu 1492 advmss 1452 metric 10 64

Doesn't the second ip r g just show you what you have in the route cache? When I try it on my multi-homed machine:

default metric 5
    nexthop via 141.168.16.1 dev eth0 weight 3
    nexthop via 220.233.1.45 dev ppp0 weight 4

but this might be because I don't have the round-robin patch applied to the kernel.

> It does properly do a 5:1 round robin choice, but only the src changes, not
> the dev. The above I believe should really have output for the second
> route:
> 66.189.123.137 dev eth1 src 66.189.76.198
> cache mtu 1492 advmss 1452 metric 10 64
>
> I'm not sure what is wrong with my config, as I've gone over and over it. My
> best guess is that something is wrong in the kernel I compiled with the
> patches.
> > # ip rule show > 0: from all lookup local > 50: from all lookup main > 201: from 71.248.183.244 lookup 201 > 202: from 66.189.76.198/22 lookup 202 > 221: from all lookup 221 > 32766: from all lookup main > 32767: from all lookup default > > # ip route show table main > 10.9.44.15 dev ppp0 proto kernel scope link src 71.248.183.244 > 192.168.100.0/24 dev eth1 proto kernel scope link src 192.168.100.2 > 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1 > 66.189.76.0/22 dev eth1 proto kernel scope link src 66.189.76.198 > 127.0.0.0/8 dev lo scope link > > # ip route show table 201 > default via 10.9.44.15 dev ppp0 proto static src 71.248.183.244 > prohibit default proto static metric 1 > > # ip route show table 202 > default via 66.189.76.1 dev eth1 proto static src 66.189.76.198 > prohibit default proto static metric 1 > > # ip route show table 221 > default proto static > nexthop via 66.189.76.1 dev eth1 weight 1 > nexthop dev ppp0 weight 5 > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20060117/6a1301d8/attachment.pgp From jody.shumaker at gmail.com Tue Jan 17 06:37:48 2006 From: jody.shumaker at gmail.com (Jody Shumaker) Date: Tue Jan 17 06:38:34 2006 Subject: [LARTC] Re: Multi-path routing only using last nexthop in default route. 
In-Reply-To: <20060117041622.GD10902@samad.com.au>
References: <2af436490601161427w33b4f04ao6c45791edb92cd34@mail.gmail.com> <2af436490601161759l3a452733s7bc93c14fde96b09@mail.gmail.com> <20060117041622.GD10902@samad.com.au>
Message-ID: <2af436490601162137r2deaf778y990266e0f0806202@mail.gmail.com>

Yes, it just shows you what is in the cache, but I was specifying IP addresses that weren't in the cache yet. I also tried doing traceroutes from an internal PC, and those always ended up going over the 1 interface. I've also tried adjusting the weights to 1:1 and opening up numerous connections to multiple FTPs.

Also for comparison, if I change the order of the nexthops I'll instead get effectively the reverse.

# ip route get 66.1.1.11
66.1.1.11 via 66.189.76.1 dev eth1 src 71.248.183.63
    cache mtu 1500 advmss 1460 metric 10 64
# ip route get 66.1.1.12
66.1.1.12 via 66.189.76.1 dev eth1 src 66.189.76.198
    cache mtu 1500 advmss 1460 metric 10 64

It always is pointing to dev eth1 while with the reverse order it was ppp0. All this by only changing the order of the nexthops. I went through and double checked that I did apply Julian's patches to the kernel source I last built with.

- Jody

On 1/16/06, Alexander Samad wrote:
>
> On Mon, Jan 16, 2006 at 08:59:32PM -0500, Jody Shumaker wrote:
> > I found that for ppp devices, I should only define the next hop with the
> > dev, not a via. However this still didn't fix my problem, but I've
> narrowed
> > down my problem a little further.
> > > > # ip route get 66.189.123.136 > > 66.189.123.136 dev ppp0 src 71.248.183.244 > > cache mtu 1492 advmss 1452 metric10 64 > > # ip route get 66.189.123.137 > > 66.189.123.137 dev ppp0 src 66.189.76.198 > > cache mtu 1492 advmss 1452 metric10 64 > > doesnt the second ip r g just show you what you have in the route cache, > when I try it on my multi home machine > > default metric 5 > nexthop via 141.168.16.1 dev eth0 weight 3 > nexthop via 220.233.1.45 dev ppp0 weight 4 > > but this might be because I don't have the round-robin patch applied to > the kernel. > > > > > > It does properly do a 5:1 round robin choice , but only the src changes, > not > > the dev. The above I believe should really have outputted for the > second > > route: > > 66.189.123.137 dev eth1 src 66.189.76.198 > > cache mtu 1492 advmss 1452 metric10 64 > > > > I'm not sure what is wrong with my config, as I've gone over and over > it. My > > best guess is that something is wrong in the kernel I compiled with the > > patches. 
> > > > # ip rule show > > 0: from all lookup local > > 50: from all lookup main > > 201: from 71.248.183.244 lookup 201 > > 202: from 66.189.76.198/22 lookup 202 > > 221: from all lookup 221 > > 32766: from all lookup main > > 32767: from all lookup default > > > > # ip route show table main > > 10.9.44.15 dev ppp0 proto kernel scope link src 71.248.183.244 > > 192.168.100.0/24 dev eth1 proto kernel scope link src 192.168.100.2 > > 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1 > > 66.189.76.0/22 dev eth1 proto kernel scope link src 66.189.76.198 > > 127.0.0.0/8 dev lo scope link > > > > # ip route show table 201 > > default via 10.9.44.15 dev ppp0 proto static src 71.248.183.244 > > prohibit default proto static metric 1 > > > > # ip route show table 202 > > default via 66.189.76.1 dev eth1 proto static src 66.189.76.198 > > prohibit default proto static metric 1 > > > > # ip route show table 221 > > default proto static > > nexthop via 66.189.76.1 dev eth1 weight 1 > > nexthop dev ppp0 weight 5 > > > _______________________________________________ > > LARTC mailing list > > LARTC@mailman.ds9a.nl > > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.2 (GNU/Linux) > > iD8DBQFDzG+WkZz88chpJ2MRAkQJAKDaR/QeqheUntdS2pX/j5IMWoQ5FQCeLX4V > EHKOXCpr481+FEt8h5bRzDo= > =ukY3 > -----END PGP SIGNATURE----- > > > -------------- next part -------------- An HTML attachment was scrubbed... 
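The check Jody and Alexander are doing by hand (look up a run of destinations and see which device each one gets), as an added example that is not code from either of them. It assumes a Linux box with iproute2 and root for the cache flush; the sweep flushes the route cache before every lookup so each answer is a fresh multipath decision rather than a cache hit, which is the one thing the manual sweeps in this thread did not control for. The tally and share functions only parse "ip route get" output, so they can be exercised on captured text without touching the routing table.

```shell
#!/bin/sh
# Added example (not from the thread): measure how a multipath default
# route actually spreads lookups across devices.
# Assumed: iproute2 present; "ip route flush cache" needs root.

# Reduce "ip route get" output to "dev NAME" hits and count per device.
# Reads raw output on stdin, prints "eth1 7" style lines sorted by device.
tally_devs() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") c[$(i+1)]++ }
         END { for (d in c) print d, c[d] }' | sort
}

# Integer percentage of lookups that chose device $1 (raw output on stdin).
share_of() {                      # $1 = device name
    awk -v want="$1" '
        { for (i = 1; i < NF; i++) if ($i == "dev") { n++; if ($(i+1) == want) hit++ } }
        END { if (n == 0) print 0; else print int(100 * hit / n) }'
}

# Look up $2 distinct hosts in the /24 prefix $1, flushing the cache first
# each time so the kernel makes a new nexthop choice for every address.
# 203.0.113.0/24 is the TEST-NET-3 documentation range, used so the sweep
# never targets a real host.
sweep() {                         # $1 = prefix like 203.0.113, $2 = count
    i=1
    while [ "$i" -le "$2" ]; do
        ip route flush cache 2>/dev/null
        ip route get "$1.$i" | head -n 1
        i=$((i + 1))
    done
}

if [ "${1:-}" = "--run" ]; then
    out=$(sweep 203.0.113 20)
    echo "$out" | tally_devs
    echo "ppp0 share: $(echo "$out" | share_of ppp0)%"
fi
```

With a 5:1 weighting and 20 lookups you would expect roughly 16-17 on the heavier nexthop and the rest on the lighter one; a tally that shows only one device, as in the outputs quoted above, means the nexthop selection itself is not alternating, not that the cache is replaying an old choice.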
From ff at nrvissing.net Tue Jan 17 14:27:25 2006
From: ff at nrvissing.net (Flemming Frandsen)
Date: Tue Jan 17 14:28:20 2006
Subject: [LARTC] even bandwith for users on 2 newtworks
In-Reply-To: <43CC3500.3050301@gmx.net>
References: <43cab7ca69c72@wp.pl> <43CAC1D5.9010600@nrvissing.net> <43CAD9DC.3000708@gmx.net> <37763.194.239.27.101.1137411904.squirrel@mail.nrvissing.net> <43CC0F5F.2050301@nrvissing.net> <43CC3500.3050301@gmx.net>
Message-ID: <54090.194.239.27.101.1137504445.squirrel@mail.nrvissing.net>

>>> No, attaching to the input is just as easy as to the output. The
>>> reason that isn't implemented is that it wouldn't really be useful.
>> You are full of it.
>
> If "it"=="knowledge", then you're probably right.

No, I was aiming more for BS.

> Since you only talk about dropping packets and never about queues,

Well, naturally the way to decide what packets to drop is to have it go through various queues, but in the end it's all about dropping packets.

> the following has been available for years in mainline kernels:
> http://lartc.org/howto/lartc.adv-filter.policing.html

Yes, but that doesn't change the fact that it's useless, there is no way to set up a HTB tree and assign SFQs to each leaf like you can on the outbound traffic.

On my network I have 41 subnets, each a /24 and each subnet needs to get a fair share of both inbound and outbound bandwidth. The 41 subnets are accessed from the gateway via 3 different network interfaces.

Outbound shaping is easy and correct, there is just one HTB tree with an SFQ for each subnet.

Inbound shaping is ugly and incorrect, because I have to have 3 different HTB trees (one for each internal interface) that each has to get 1/3 (actually weighted by number of subnets behind each interface) of the total bandwidth.
That means that max downstream is 800kb/s for the users where it ought to be 1600kb/s, which sucks because most traffic to the users is very bursty.

It would have been a much nicer design to be able to put the 3 inbound HTB trees into one inbound tree on the external interface, just like the outbound tree.

Ingress shaping *is* very useful and it's a pity that Linux has taken this long to gain support for it.

-- 
Flemming Frandsen, NrVissing.Net administrator.

From alpt at freaknet.org Tue Jan 17 16:01:07 2006
From: alpt at freaknet.org (Alpt)
Date: Tue Jan 17 16:01:38 2006
Subject: [LARTC] Multipath issues
Message-ID: <20060117150107.GB11048@nihil>

The problem is described here:
http://marc.theaimsgroup.com/?l=linux-net&m=113550638110682&w=2
and continues here:
http://marc.theaimsgroup.com/?l=linux-net&m=113636640615375&w=2

Do you have any ideas to solve this problem?

-- 
:wq!
"I don't know nothing" The One Who reached the Thinking Matter '.'
[ Alpt --- Freaknet Medialab ]
[ GPG Key ID 441CF0EE ]
[ Key fingerprint = 8B02 26E8 831A 7BB9 81A9 5277 BFF8 037E 441C F0EE ]

From madhava.rayudu at gmail.com Tue Jan 17 18:26:12 2006
From: madhava.rayudu at gmail.com (Madhava Rayudu)
Date: Tue Jan 17 18:26:41 2006
Subject: [LARTC] Per user bandwidth limiting ..for small ISP.using Squid
In-Reply-To: <43C9706E.9040005@shurdix.com>
References: <43C7CE1B.7080600@shurdix.com> <20060114152110.GA10585@EIS> <43C9706E.9040005@shurdix.com>
Message-ID:

Thanks a lot ... Andreas Klauer

> Upon looking at the docs for rshaper, I don't think it distributes
> anything (only limits and has no borrowing). This can be done with HTB
> (and IMQ). Several years ago I wrote a bandwidth management system for a
> small ISP that actually worked somewhat like this (the ISP uses a web
> interface to set incoming/outgoing bandwidth for individual customers,
> and optionally a monthly limit, and cron sets up the HTB rules
> automagically).
> I don't use it personally, Shurdix does fair
> distribution only, but I imagine there are people who might have other
> requirements. If there is enough interest (and I find the time) I can
> polish it and put it for download.

This is what I want... Make it accessible... I will download.

Rayudu.

From daniel.netzer at zeroconcept.de Tue Jan 17 19:07:36 2006
From: daniel.netzer at zeroconcept.de (Daniel Netzer)
Date: Tue Jan 17 19:07:39 2006
Subject: [LARTC] simply limit interface bandwith
Message-ID: <43CD3268.3010604@zeroconcept.de>

Hi there,

I am quite new to lartc and the usage of tc commands is still very difficult for me. All examples I have read (including the lartc.pdf) are way too complex for my "simple" problem.

I just need to hard limit a given interface to a bandwidth (egress and ingress) like:

eth0 inbound 1000kbit
eth0 outbound 1000kbit

No priorities, just a bandwidth limitation per device.

Thanks
Daniel

From alex at samad.com.au Tue Jan 17 20:23:13 2006
From: alex at samad.com.au (Alexander Samad)
Date: Tue Jan 17 20:23:24 2006
Subject: [LARTC] Re: Multi-path routing only using last nexthop in default route.
In-Reply-To: <2af436490601162137r2deaf778y990266e0f0806202@mail.gmail.com>
References: <2af436490601161427w33b4f04ao6c45791edb92cd34@mail.gmail.com> <2af436490601161759l3a452733s7bc93c14fde96b09@mail.gmail.com> <20060117041622.GD10902@samad.com.au> <2af436490601162137r2deaf778y990266e0f0806202@mail.gmail.com>
Message-ID: <20060117192313.GE10902@samad.com.au>

On Tue, Jan 17, 2006 at 12:37:48AM -0500, Jody Shumaker wrote:
> Yes, it just shows you what is in the cache, but I was specifying IP
> addresses that weren't in the cache yet. I also tried doing traceroutes from
> an internal PC, and those always ended up going over the 1 interface.
> I've
> also tried adjusting the weights to 1:1 and opening up numerous connections
> to multiple ftp's.
>
> Also for comparison, if I change the order of the nexthops I'll instead get
> effectively the reverse.
>
> # ip route get 66.1.1.11
> 66.1.1.11 via 66.189.76.1 dev eth1 src 71.248.183.63
>     cache mtu 1500 advmss 1460 metric10 64
> # ip route get 66.1.1.12
> 66.1.1.12 via 66.189.76.1 dev eth1 src 66.189.76.198
>     cache mtu 1500 advmss 1460 metric10 64

You're right, I tried it on my machine

for x in $(seq 1 10); do ip r g 1.1.1.$x; done
1.1.1.1 via 220.233.1.45 dev ppp0 src 220.233.15.63
    cache mtu 1492 advmss 1452 metric 10 64
1.1.1.2 via 220.233.1.45 dev ppp0 src 141.168.16.16
    cache mtu 1492 advmss 1452 metric 10 64
1.1.1.3 via 220.233.1.45 dev ppp0 src 220.233.15.63
    cache mtu 1492 advmss 1452 metric 10 64
1.1.1.4 via 220.233.1.45 dev ppp0 src 141.168.16.16
    cache mtu 1492 advmss 1452 metric 10 64
1.1.1.5 via 220.233.1.45 dev ppp0 src 220.233.15.63
    cache mtu 1492 advmss 1452 metric 10 64
1.1.1.6 via 220.233.1.45 dev ppp0 src 220.233.15.63
    cache mtu 1492 advmss 1452 metric 10 64
1.1.1.7 via 220.233.1.45 dev ppp0 src 220.233.15.63
    cache mtu 1492 advmss 1452 metric 10 64
1.1.1.8 via 220.233.1.45 dev ppp0 src 220.233.15.63
    cache mtu 1492 advmss 1452 metric 10 64
1.1.1.9 via 220.233.1.45 dev ppp0 src 220.233.15.63
    cache mtu 1492 advmss 1452 metric 10 64
1.1.1.10 via 220.233.1.45 dev ppp0 src 220.233.15.63
    cache mtu 1492 advmss 1452 metric 10 64

Just the src address is changing. I am pretty sure this used to work at some point in time; I am using 2.6.14-1-smp, iptables v1.3.3

> It always is pointing to dev eth1 while with the reverse order it was ppp0.
> All this by only changing the order of the nexthops. I went through and
> double checked that I did apply julian's patches to the kernel source I last
> built with.
>
> - Jody
>
> On 1/16/06, Alexander Samad wrote:
> >
> > On Mon, Jan 16, 2006 at 08:59:32PM -0500, Jody Shumaker wrote:
> > > I found that for ppp devices, I should only define the next hop with the
> > > dev, not a via. However this still didn't fix my problem, but I've
> > > narrowed down my problem a little further.
> > >
> > > # ip route get 66.189.123.136
> > > 66.189.123.136 dev ppp0 src 71.248.183.244
> > >     cache mtu 1492 advmss 1452 metric10 64
> > > # ip route get 66.189.123.137
> > > 66.189.123.137 dev ppp0 src 66.189.76.198
> > >     cache mtu 1492 advmss 1452 metric10 64
> >
> > doesn't the second ip r g just show you what you have in the route cache,
> > when I try it on my multi home machine
> >
> > default metric 5
> >     nexthop via 141.168.16.1 dev eth0 weight 3
> >     nexthop via 220.233.1.45 dev ppp0 weight 4
> >
> > but this might be because I don't have the round-robin patch applied to
> > the kernel.
> >
> > > It does properly do a 5:1 round robin choice, but only the src changes,
> > > not the dev. The above I believe should really have outputted for the
> > > second route:
> > > 66.189.123.137 dev eth1 src 66.189.76.198
> > >     cache mtu 1492 advmss 1452 metric10 64
> > >
> > > I'm not sure what is wrong with my config, as I've gone over and over
> > > it. My best guess is that something is wrong in the kernel I compiled
> > > with the patches.
> > >
> > > # ip rule show
> > > 0:      from all lookup local
> > > 50:     from all lookup main
> > > 201:    from 71.248.183.244 lookup 201
> > > 202:    from 66.189.76.198/22 lookup 202
> > > 221:    from all lookup 221
> > > 32766:  from all lookup main
> > > 32767:  from all lookup default
> > >
> > > # ip route show table main
> > > 10.9.44.15 dev ppp0 proto kernel scope link src 71.248.183.244
> > > 192.168.100.0/24 dev eth1 proto kernel scope link src 192.168.100.2
> > > 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
> > > 66.189.76.0/22 dev eth1 proto kernel scope link src 66.189.76.198
> > > 127.0.0.0/8 dev lo scope link
> > >
> > > # ip route show table 201
> > > default via 10.9.44.15 dev ppp0 proto static src 71.248.183.244
> > > prohibit default proto static metric 1
> > >
> > > # ip route show table 202
> > > default via 66.189.76.1 dev eth1 proto static src 66.189.76.198
> > > prohibit default proto static metric 1
> > >
> > > # ip route show table 221
> > > default proto static
> > >     nexthop via 66.189.76.1 dev eth1 weight 1
> > >     nexthop dev ppp0 weight 5
> > >
> > > _______________________________________________
> > > LARTC mailing list
> > > LARTC@mailman.ds9a.nl
> > > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> >
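The check that Jody and Alexander are doing by eye above (run `ip route get` against a list of addresses and see whether the outgoing device ever changes, or only the source address) can be done mechanically. The following is an added example, not code from the list or from anyone in this thread: it parses `ip route get` output and tallies resolved routes per device and per source address. The sample output is constructed in the same shape as the output quoted above, not copied from anyone's box.

```python
import re
from collections import Counter

# Constructed sample in the shape of `ip route get` output as quoted in the
# thread: one resolved line, then an indented "cache ..." continuation line.
# This is the symptom being discussed: dev never changes, only src does.
SAMPLE_ONE_DEV = """\
1.1.1.1 via 220.233.1.45 dev ppp0 src 220.233.15.63
    cache mtu 1492 advmss 1452 metric 10 64
1.1.1.2 via 220.233.1.45 dev ppp0 src 141.168.16.16
    cache mtu 1492 advmss 1452 metric 10 64
66.1.1.1 from 192.168.0.128 dev ppp0 src 192.168.0.1
    cache mtu 1492 advmss 1452 metric10 64 iif eth0
"""

# Constructed sample of what a multipath default route that really alternates
# looks like: the device changes between lookups, not just the source.
SAMPLE_TWO_DEV = """\
1.1.1.1 via 220.233.1.45 dev ppp0 src 220.233.15.63
    cache mtu 1492 advmss 1452 metric 10 64
1.1.1.2 via 141.168.16.1 dev eth0 src 141.168.16.16
    cache mtu 1500 advmss 1460 metric 10 64
"""

# dst [from X] [via GW] dev DEV [src SRC]. "via" is absent on point-to-point
# links such as ppp0; "from" appears only when the lookup names a source.
ROUTE_RE = re.compile(
    r"^(?P<dst>\S+)"
    r"(?: from (?P<from>\S+))?"
    r"(?: via (?P<via>\S+))?"
    r" dev (?P<dev>\S+)"
    r"(?: src (?P<src>\S+))?"
)


def parse_route_get(text):
    """Return one dict per resolved route; 'cache ...' lines are skipped."""
    routes = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("cache"):
            continue
        m = ROUTE_RE.match(stripped)
        if m:
            routes.append(m.groupdict())
    return routes


def summarize(routes):
    """Count lookups per outgoing device and per chosen source address."""
    return {
        "dev": dict(Counter(r["dev"] for r in routes)),
        "src": dict(Counter(r["src"] for r in routes)),
    }


def diagnose(routes):
    """One-line verdict: is more than one nexthop device actually in use?"""
    if not routes:
        return "no routes parsed"
    s = summarize(routes)
    if len(s["dev"]) > 1:
        return "multipath in use: devices " + ", ".join(sorted(s["dev"]))
    (dev,) = s["dev"]
    if len(s["src"]) > 1:
        # Exactly what the thread reports: src alternates, dev never does.
        return f"only {dev} selected; src varies over {len(s['src'])} addresses"
    return f"only {dev} selected with a single src"


if __name__ == "__main__":
    for name, text in (("one device", SAMPLE_ONE_DEV), ("two devices", SAMPLE_TWO_DEV)):
        print(f"{name}: {diagnose(parse_route_get(text))}")
```

To use it on a real box, redirect the output of the `for x in $(seq ...)` loop to a file and call `diagnose(parse_route_get(open(path).read()))`. As the thread already notes, `ip route get` answers from the route cache where an entry exists, so query addresses that have not been looked up recently.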
From ff at nrvissing.net Tue Jan 17 20:22:56 2006
From: ff at nrvissing.net (Flemming Frandsen)
Date: Tue Jan 17 20:23:40 2006
Subject: [LARTC] Re: even bandwith for users on 2 newtworks
In-Reply-To: <20060117133307.11462.qmail@arcoscom.com>
References: <43cab7ca69c72@wp.pl> <43CAC1D5.9010600@nrvissing.net> <43CAD9DC.3000708@gmx.net> <37763.194.239.27.101.1137411904.squirrel@mail.nrvissing.net> <43CC0F5F.2050301@nrvissing.net> <43CC3500.3050301@gmx.net> <54090.194.239.27.101.1137504445.squirrel@mail.nrvissing.net> <20060117133307.11462.qmail@arcoscom.com>
Message-ID: <43CD4410.2060509@nrvissing.net>

Samuel Díaz García wrote:
> Try IMQ (Intermediate Message Queue) http://www.linuximq.net.

I've seen it and tried it, but for some reason the imq module I built on another machine than the router (it boots from flash, so no gcc) didn't work, the module loaded correctly, but I couldn't initialize the imq0 device.

I'm going to have to build a new router with the same specs soon anyway, so that one will have 2.6.16 and thus IFB, once that works I'll upgrade the existing router and all will be well.

From surda at shurdix.com Tue Jan 17 21:14:41 2006
From: surda at shurdix.com (Peter Surda)
Date: Tue Jan 17 21:14:53 2006
Subject: [LARTC] Per user bandwidth limiting ..for small ISP.using Squid
In-Reply-To: 
References: <43C7CE1B.7080600@shurdix.com> <20060114152110.GA10585@EIS> <43C9706E.9040005@shurdix.com>
Message-ID: <43CD5031.7070405@shurdix.com>

Madhava Rayudu schrieb:
> This is what I want... Make it accessible .. I will download ..
Please watch this thread for updates:
http://forum.shurdix.org/viewtopic.php?t=56

I can't publish it now, it may contain private data that doesn't belong to me. Wait a couple of weeks pls.

> Rayudu.
Yours sincerely,

Peter

-- 
http://www.shurdix.org - Linux distribution for routers and firewalls

From jody.shumaker at gmail.com Tue Jan 17 22:53:06 2006
From: jody.shumaker at gmail.com (Jody Shumaker)
Date: Tue Jan 17 22:53:21 2006
Subject: [LARTC] Re: Multi-path routing only using last nexthop in default route.
In-Reply-To: <20060117192313.GE10902@samad.com.au>
References: <2af436490601161427w33b4f04ao6c45791edb92cd34@mail.gmail.com> <2af436490601161759l3a452733s7bc93c14fde96b09@mail.gmail.com> <20060117041622.GD10902@samad.com.au> <2af436490601162137r2deaf778y990266e0f0806202@mail.gmail.com> <20060117192313.GE10902@samad.com.au>
Message-ID: <2af436490601171353o7bed72cbl1ca5ac4830a91dfa@mail.gmail.com>

Does anyone have a confirmed to be working multipath setup? I'd like to see their route output and confirm that this really is an issue. The issue might actually be something else and this output is expected? I'm just sticking on this because the order of nexthops is what changes the behavior, which seems wrong.

Also, if I try retrieving paths from an internal address to an external, it will always use only the last nexthop.

# for x in $(seq 1 10); do ip route get 66.1.1.$x from 192.168.0.128 iif eth0; done
66.1.1.1 from 192.168.0.128 dev ppp0 src 192.168.0.1
    cache mtu 1492 advmss 1452 metric10 64 iif eth0
66.1.1.2 from 192.168.0.128 dev ppp0 src 192.168.0.1
    cache mtu 1492 advmss 1452 metric10 64 iif eth0
etc.

I'm using 2.6.14-gentoo-r5 #4 SMP PREEMPT w/ julian's patches and iptables v1.3.4

- Jody

On 1/17/06, Alexander Samad wrote:
>
> On Tue, Jan 17, 2006 at 12:37:48AM -0500, Jody Shumaker wrote:
> > Yes, it just shows you what is in the cache, but I was specifying ip
> > addresses that weren't in the cache yet. I also tried doing traceroutes from
> > an internal pc, and those always ended up going over the 1 interface. I've
> > also tried adjusting the weights to 1:1 and opening up numerous connections
> > to multiple ftp's.
> > > > Also for comparison, if I change the order of the nexthop's I'll instead > get > > effectively the reverse. > > > > # ip route get 66.1.1.11 > > 66.1.1.11 via 66.189.76.1 dev eth1 src 71.248.183.63 > > cache mtu 1500 advmss 1460 metric10 64 > > # ip route get 66.1.1.12 > > 66.1.1.12 via 66.189.76.1 dev eth1 src 66.189.76.198 > > cache mtu 1500 advmss 1460 metric10 64 > > your right I tried it on my machine > for x in $(seq 1 10); do ip r g 1.1.1.$x; done > 1.1.1.1 via 220.233.1.45 dev ppp0 src 220.233.15.63 > cache mtu 1492 advmss 1452 metric 10 64 > 1.1.1.2 via 220.233.1.45 dev ppp0 src 141.168.16.16 > cache mtu 1492 advmss 1452 metric 10 64 > 1.1.1.3 via 220.233.1.45 dev ppp0 src 220.233.15.63 > cache mtu 1492 advmss 1452 metric 10 64 > 1.1.1.4 via 220.233.1.45 dev ppp0 src 141.168.16.16 > cache mtu 1492 advmss 1452 metric 10 64 > 1.1.1.5 via 220.233.1.45 dev ppp0 src 220.233.15.63 > cache mtu 1492 advmss 1452 metric 10 64 > 1.1.1.6 via 220.233.1.45 dev ppp0 src 220.233.15.63 > cache mtu 1492 advmss 1452 metric 10 64 > 1.1.1.7 via 220.233.1.45 dev ppp0 src 220.233.15.63 > cache mtu 1492 advmss 1452 metric 10 64 > 1.1.1.8 via 220.233.1.45 dev ppp0 src 220.233.15.63 > cache mtu 1492 advmss 1452 metric 10 64 > 1.1.1.9 via 220.233.1.45 dev ppp0 src 220.233.15.63 > cache mtu 1492 advmss 1452 metric 10 64 > 1.1.1.10 via 220.233.1.45 dev ppp0 src 220.233.15.63 > cache mtu 1492 advmss 1452 metric 10 64 > > just the src address is changing, I am pretty sure this used work at > some point in time, i am using 2.6.14-1-smp, iptables v1.3.3 > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060117/975a0251/attachment-0001.htm From c.ciprian at gmail.com Tue Jan 17 23:45:08 2006 From: c.ciprian at gmail.com (Ciprian Constantinescu) Date: Tue Jan 17 23:45:13 2006 Subject: [LARTC] disconnecting Message-ID: I have done the setup presented on lartc.org for load balancing (multihoming). 
I have 2 ISP and 1 LAN. After doing the setup on the linux box I saw that the balancing works, but the yahoo messenger on the LAN disconnects quite often. I also have DC++ and Azureus, with port forwarding from the linux box to the windows machine. After doing the load balancing, the two p2p applications started to use very much CPU.

What can I do about that? How can this be solved?

From alex at samad.com.au Wed Jan 18 03:13:13 2006
From: alex at samad.com.au (Alexander Samad)
Date: Wed Jan 18 03:13:54 2006
Subject: [LARTC] Re: Multi-path routing only using last nexthop in default route.
In-Reply-To: <2af436490601171353o7bed72cbl1ca5ac4830a91dfa@mail.gmail.com>
References: <2af436490601161427w33b4f04ao6c45791edb92cd34@mail.gmail.com> <2af436490601161759l3a452733s7bc93c14fde96b09@mail.gmail.com> <20060117041622.GD10902@samad.com.au> <2af436490601162137r2deaf778y990266e0f0806202@mail.gmail.com> <20060117192313.GE10902@samad.com.au> <2af436490601171353o7bed72cbl1ca5ac4830a91dfa@mail.gmail.com>
Message-ID: <20060118021313.GF10902@samad.com.au>

On Tue, Jan 17, 2006 at 04:53:06PM -0500, Jody Shumaker wrote:
> Does anyone have a confirmed to be working multipath setup? I'd like to see
> their route output and confirm that this really is an issue. The issue
> might actually be something else and this output is expected? I'm just
> sticking on this because the order of nexthops is what changes the behavior,
> which seems wrong.

I think mine is working, because I see traffic heading out of the second interface (ones that I know have originated from my box), plus when I check the cache table there are entries for both interfaces.

just can't prove it right now 8(

A

>
> Also, if I try retrieving paths from an internal address to an external, it
> will always use only the last nexthop.
> > # for x in $(seq 1 10); do ip route get 66.1.1.$x from 192.168.0.128 iif > eth0; done > 66.1.1.1 from 192.168.0.128 dev ppp0 src 192.168.0.1 > cache mtu 1492 advmss 1452 metric10 64 iif eth0 > 66.1.1.2 from 192.168.0.128 dev ppp0 src 192.168.0.1 > cache mtu 1492 advmss 1452 metric10 64 iif eth0 > etc. > > I'm using 2.6.14-gentoo-r5 #4 SMP PREEMPT w/ julian's patches and iptables > v1.3.4 > > - Jody > > On 1/17/06, Alexander Samad wrote: > > > > On Tue, Jan 17, 2006 at 12:37:48AM -0500, Jody Shumaker wrote: > > > Yes, it just shows you what is in the cache, but I was specifying ip > > > addresses that weren't in the cache yet. I also tried doing traceroutes > > from > > > an internal pc, and those always ended up going over the 1 interface. > > I've > > > also tried adjusting the weights to 1:1 and opening up numerous > > connections > > > to multiple ftp's. > > > > > > Also for comparison, if I change the order of the nexthop's I'll instead > > get > > > effectively the reverse. > > > > > > # ip route get 66.1.1.11 > > > 66.1.1.11 via 66.189.76.1 dev eth1 src 71.248.183.63 > > > cache mtu 1500 advmss 1460 metric10 64 > > > # ip route get 66.1.1.12 > > > 66.1.1.12 via 66.189.76.1 dev eth1 src 66.189.76.198 > > > cache mtu 1500 advmss 1460 metric10 64 > > > > your right I tried it on my machine > > for x in $(seq 1 10); do ip r g 1.1.1.$x; done > > 1.1.1.1 via 220.233.1.45 dev ppp0 src 220.233.15.63 > > cache mtu 1492 advmss 1452 metric 10 64 > > 1.1.1.2 via 220.233.1.45 dev ppp0 src 141.168.16.16 > > cache mtu 1492 advmss 1452 metric 10 64 > > 1.1.1.3 via 220.233.1.45 dev ppp0 src 220.233.15.63 > > cache mtu 1492 advmss 1452 metric 10 64 > > 1.1.1.4 via 220.233.1.45 dev ppp0 src 141.168.16.16 > > cache mtu 1492 advmss 1452 metric 10 64 > > 1.1.1.5 via 220.233.1.45 dev ppp0 src 220.233.15.63 > > cache mtu 1492 advmss 1452 metric 10 64 > > 1.1.1.6 via 220.233.1.45 dev ppp0 src 220.233.15.63 > > cache mtu 1492 advmss 1452 metric 10 64 > > 1.1.1.7 via 220.233.1.45 
dev ppp0 src 220.233.15.63
> >     cache mtu 1492 advmss 1452 metric 10 64
> > 1.1.1.8 via 220.233.1.45 dev ppp0 src 220.233.15.63
> >     cache mtu 1492 advmss 1452 metric 10 64
> > 1.1.1.9 via 220.233.1.45 dev ppp0 src 220.233.15.63
> >     cache mtu 1492 advmss 1452 metric 10 64
> > 1.1.1.10 via 220.233.1.45 dev ppp0 src 220.233.15.63
> >     cache mtu 1492 advmss 1452 metric 10 64
> >
> > just the src address is changing, I am pretty sure this used to work at
> > some point in time, I am using 2.6.14-1-smp, iptables v1.3.3
> >
>

From c.ciprian at gmail.com Wed Jan 18 03:22:56 2006
From: c.ciprian at gmail.com (Ciprian Constantinescu)
Date: Wed Jan 18 03:22:58 2006
Subject: [LARTC] Re: Multi-path routing only using last nexthop in default route.
In-Reply-To: <20060118021313.GF10902@samad.com.au>
References: <2af436490601161427w33b4f04ao6c45791edb92cd34@mail.gmail.com> <2af436490601161759l3a452733s7bc93c14fde96b09@mail.gmail.com> <20060117041622.GD10902@samad.com.au> <2af436490601162137r2deaf778y990266e0f0806202@mail.gmail.com> <20060117192313.GE10902@samad.com.au> <2af436490601171353o7bed72cbl1ca5ac4830a91dfa@mail.gmail.com> <20060118021313.GF10902@samad.com.au>
Message-ID: 

It works. I have a Debian and the tests were the following:

1. multiple traceroute to multiple hosts. You can observe the gateway that changes
2. I run a squid server and I entered http://whatismyip.com multiple times from the same computer in the lan. The ip changed between the 2 providers I have
3.
i run mrtg on the box, so the graph said it all On 1/18/06, Alexander Samad wrote: > > On Tue, Jan 17, 2006 at 04:53:06PM -0500, Jody Shumaker wrote: > > Does anyone have a confirmed to be working multipath setup? I'd like to > see > > their route output and confirm that this really is an issue. The issue > > might actually be something else and this output is expected? I'm just > > sticking on this because the order of nexthops is what changes the > behavior, > > which seems wrong. > > I think mine is working, because I se traffic heading out of the second > interface (ones that I know have originated from my box), plus when I > check the cache table there are entries for both > interfaces. > > just can't prove it right now 8( > > A > > > > > Also, if I try retieving paths from an internal address to an external, > it > > will always use only the last nexthop. > > > > # for x in $(seq 1 10); do ip route get 66.1.1.$x from 192.168.0.128 iif > > eth0; done > > 66.1.1.1 from 192.168.0.128 dev ppp0 src 192.168.0.1 > > cache mtu 1492 advmss 1452 metric10 64 iif eth0 > > 66.1.1.2 from 192.168.0.128 dev ppp0 src 192.168.0.1 > > cache mtu 1492 advmss 1452 metric10 64 iif eth0 > > etc. > > > > I'm using 2.6.14-gentoo-r5 #4 SMP PREEMPT w/ julian's patches and > iptables > > v1.3.4 > > > > - Jody > > > > On 1/17/06, Alexander Samad wrote: > > > > > > On Tue, Jan 17, 2006 at 12:37:48AM -0500, Jody Shumaker wrote: > > > > Yes, it just shows you what is in the cache, but I was specifying ip > > > > addresses that weren't in the cache yet. I also tried doing > traceroutes > > > from > > > > an internal pc, and those always ended up going over the 1 > interface. > > > I've > > > > also tried adjusting the weights to 1:1 and opening up numerous > > > connections > > > > to multiple ftp's. > > > > > > > > Also for comparison, if I change the order of the nexthop's I'll > instead > > > get > > > > effectively the reverse. 
> > > > > > > > # ip route get 66.1.1.11 > > > > 66.1.1.11 via 66.189.76.1 dev eth1 src 71.248.183.63 > > > > cache mtu 1500 advmss 1460 metric10 64 > > > > # ip route get 66.1.1.12 > > > > 66.1.1.12 via 66.189.76.1 dev eth1 src 66.189.76.198 > > > > cache mtu 1500 advmss 1460 metric10 64 > > > > > > your right I tried it on my machine > > > for x in $(seq 1 10); do ip r g 1.1.1.$x; done > > > 1.1.1.1 via 220.233.1.45 dev ppp0 src 220.233.15.63 > > > cache mtu 1492 advmss 1452 metric 10 64 > > > 1.1.1.2 via 220.233.1.45 dev ppp0 src 141.168.16.16 > > > cache mtu 1492 advmss 1452 metric 10 64 > > > 1.1.1.3 via 220.233.1.45 dev ppp0 src 220.233.15.63 > > > cache mtu 1492 advmss 1452 metric 10 64 > > > 1.1.1.4 via 220.233.1.45 dev ppp0 src 141.168.16.16 > > > cache mtu 1492 advmss 1452 metric 10 64 > > > 1.1.1.5 via 220.233.1.45 dev ppp0 src 220.233.15.63 > > > cache mtu 1492 advmss 1452 metric 10 64 > > > 1.1.1.6 via 220.233.1.45 dev ppp0 src 220.233.15.63 > > > cache mtu 1492 advmss 1452 metric 10 64 > > > 1.1.1.7 via 220.233.1.45 dev ppp0 src 220.233.15.63 > > > cache mtu 1492 advmss 1452 metric 10 64 > > > 1.1.1.8 via 220.233.1.45 dev ppp0 src 220.233.15.63 > > > cache mtu 1492 advmss 1452 metric 10 64 > > > 1.1.1.9 via 220.233.1.45 dev ppp0 src 220.233.15.63 > > > cache mtu 1492 advmss 1452 metric 10 64 > > > 1.1.1.10 via 220.233.1.45 dev ppp0 src 220.233.15.63 > > > cache mtu 1492 advmss 1452 metric 10 64 > > > > > > just the src address is changing, I am pretty sure this used work at > > > some point in time, i am using 2.6.14-1-smp, iptables v1.3.3 > > > > > > > > > > > > _______________________________________________ > > LARTC mailing list > > LARTC@mailman.ds9a.nl > > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.2 (GNU/Linux) > > iD8DBQFDzaQ5kZz88chpJ2MRArpVAKDVe8ET7m4Qz09HhxbykV93/meFtACg3bWT > GgOZ8WrUWiAmIT83rrRCRR8= > =7U0w > -----END PGP SIGNATURE----- > > > 
-- 
Ciprian Constantinescu
mobile: +40745192289
e-mail: c_ciprian_ro@yahoo.com
e-mail: c.ciprian@gmail.com
yahoo messenger: c_ciprian_ro@yahoo.com
msn messenger: c_ciprian_ro@yahoo.com

From jody.shumaker at gmail.com Wed Jan 18 05:59:13 2006
From: jody.shumaker at gmail.com (Jody Shumaker)
Date: Wed Jan 18 05:59:16 2006
Subject: [LARTC] Re: Multi-path routing only using last nexthop in default route.
In-Reply-To: 
References: <2af436490601161427w33b4f04ao6c45791edb92cd34@mail.gmail.com> <2af436490601161759l3a452733s7bc93c14fde96b09@mail.gmail.com> <20060117041622.GD10902@samad.com.au> <2af436490601162137r2deaf778y990266e0f0806202@mail.gmail.com> <20060117192313.GE10902@samad.com.au> <2af436490601171353o7bed72cbl1ca5ac4830a91dfa@mail.gmail.com> <20060118021313.GF10902@samad.com.au>
Message-ID: <2af436490601172059s24cddcedy57d26f5028245d67@mail.gmail.com>

I understand it can work, my point was I want to figure out what is different or wrong with my setup compared to one where it is working. Would you mind posting the results of

ip rule show
ip route show table all

what kernel version you have, and possibly the output from this command?

for x in $(seq 1 10); do ip r g 1.1.1.$x; done

I'm kind of grasping at straws because everything I've tried short of debugging/hacking the kernel code hasn't worked.

Thanks,
Jody

On 1/17/06, Ciprian Constantinescu wrote:
>
> It works. I have a Debian and the tests were the following:
>
> 1. multiple traceroute to multiple hosts. You can observe the
> gateway that changes
> 2. I run a squid server and I entered http://whatismyip.com multiple
> times from the same computer in the lan.
the ip changed between the 2 > providers i have > 3. i run mrtg on the box, so the graph said it all > > > On 1/18/06, Alexander Samad wrote: > > > On Tue, Jan 17, 2006 at 04:53:06PM -0500, Jody Shumaker wrote: > > > Does anyone have a confirmed to be working multipath setup? I'd like > > to see > > > their route output and confirm that this really is an issue. The > > issue > > > might actually be something else and this output is expected? I'm just > > > sticking on this because the order of nexthops is what changes the > > behavior, > > > which seems wrong. > > > > I think mine is working, because I se traffic heading out of the second > > interface (ones that I know have originated from my box), plus when I > > check the cache table there are entries for both > > interfaces. > > > > just can't prove it right now 8( > > > > A > > > > > > > > Also, if I try retieving paths from an internal address to an > > external, it > > > will always use only the last nexthop. > > > > > > # for x in $(seq 1 10); do ip route get 66.1.1.$x from 192.168.0.128iif > > > eth0; done > > > 66.1.1.1 from 192.168.0.128 dev ppp0 src 192.168.0.1 > > > cache mtu 1492 advmss 1452 metric10 64 iif eth0 > > > 66.1.1.2 from 192.168.0.128 dev ppp0 src 192.168.0.1 > > > cache mtu 1492 advmss 1452 metric10 64 iif eth0 > > > etc. > > > > > > I'm using 2.6.14-gentoo-r5 #4 SMP PREEMPT w/ julian's patches and > > iptables > > > v1.3.4 > > > > > > - Jody > > > > > > On 1/17/06, Alexander Samad wrote: > > > > > > > > On Tue, Jan 17, 2006 at 12:37:48AM -0500, Jody Shumaker wrote: > > > > > Yes, it just shows you what is in the cache, but I was specifying > > ip > > > > > addresses that weren't in the cache yet. I also tried doing > > traceroutes > > > > from > > > > > an internal pc, and those always ended up going over the 1 > > interface. > > > > I've > > > > > also tried adjusting the weights to 1:1 and opening up numerous > > > > connections > > > > > to multiple ftp's. 
> > > > > > > > > > Also for comparison, if I change the order of the nexthop's I'll > > instead > > > > get > > > > > effectively the reverse. > > > > > > > > > > # ip route get 66.1.1.11 > > > > > 66.1.1.11 via 66.189.76.1 dev eth1 src 71.248.183.63 > > > > > cache mtu 1500 advmss 1460 metric10 64 > > > > > # ip route get 66.1.1.12 > > > > > 66.1.1.12 via 66.189.76.1 dev eth1 src 66.189.76.198 > > > > > cache mtu 1500 advmss 1460 metric10 64 > > > > > > > > your right I tried it on my machine > > > > for x in $(seq 1 10); do ip r g 1.1.1.$x; done > > > > 1.1.1.1 via 220.233.1.45 dev ppp0 src 220.233.15.63 > > > > cache mtu 1492 advmss 1452 metric 10 64 > > > > 1.1.1.2 via 220.233.1.45 dev ppp0 src 141.168.16.16 > > > > cache mtu 1492 advmss 1452 metric 10 64 > > > > 1.1.1.3 via 220.233.1.45 dev ppp0 src 220.233.15.63 > > > > cache mtu 1492 advmss 1452 metric 10 64 > > > > 1.1.1.4 via 220.233.1.45 dev ppp0 src 141.168.16.16 > > > > cache mtu 1492 advmss 1452 metric 10 64 > > > > 1.1.1.5 via 220.233.1.45 dev ppp0 src 220.233.15.63 > > > > cache mtu 1492 advmss 1452 metric 10 64 > > > > 1.1.1.6 via 220.233.1.45 dev ppp0 src 220.233.15.63 > > > > cache mtu 1492 advmss 1452 metric 10 64 > > > > 1.1.1.7 via 220.233.1.45 dev ppp0 src 220.233.15.63 > > > > cache mtu 1492 advmss 1452 metric 10 64 > > > > 1.1.1.8 via 220.233.1.45 dev ppp0 src 220.233.15.63 > > > > cache mtu 1492 advmss 1452 metric 10 64 > > > > 1.1.1.9 via 220.233.1.45 dev ppp0 src 220.233.15.63 > > > > cache mtu 1492 advmss 1452 metric 10 64 > > > > 1.1.1.10 via 220.233.1.45 dev ppp0 src 220.233.15.63 > > > > cache mtu 1492 advmss 1452 metric 10 64 > > > > > > > > just the src address is changing, I am pretty sure this used work at > > > > some point in time, i am using 2.6.14-1-smp, iptables v1.3.3 > > > > > > > > > > > > > > > > > _______________________________________________ > > > LARTC mailing list > > > LARTC@mailman.ds9a.nl > > > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > > > > > > > 
> >
>
> --
> Ciprian Constantinescu
> mobile: +40745192289
> e-mail: c_ciprian_ro@yahoo.com
> e-mail: c.ciprian@gmail.com
> yahoo messenger: c_ciprian_ro@yahoo.com
> msn messenger: c_ciprian_ro@yahoo.com

From ja at ssi.bg Wed Jan 18 09:54:37 2006
From: ja at ssi.bg (Julian Anastasov)
Date: Wed Jan 18 09:49:51 2006
Subject: [LARTC] Multi-path routing only using last nexthop in default route.
In-Reply-To: <2af436490601161427w33b4f04ao6c45791edb92cd34@mail.gmail.com>
References: <2af436490601161427w33b4f04ao6c45791edb92cd34@mail.gmail.com>
Message-ID: 

	Hello,

On Mon, 16 Jan 2006, Jody Shumaker wrote:

> ${IP} route add default table 221 proto static \
>     nexthop via ${EXTGW2} dev ${EXTIF2} weight 1 \
>     nexthop via ${EXTGW1} dev ${EXTIF1} weight 5
>
> With this command, connections going out from my network always seem to use
> the GW1 route. If I reverse the order of the nexthops to list GW1 first
> and GW2 second, then the reverse happens and all outgoing connections use
> GW2. I'm going to attempt to test this better by attempting a large number
> of connections to a large list of ip's, but in running this setup I've never
> seen it use both gateway's.

	Do you have a script to ping/arping the gateways on eth device(s)? The NOARP devices are always preferred if the GWs on ARP devices are not marked reachable in ARP cache.
	Regards

--
Julian Anastasov

From diego.cabrero at e-attico.net Wed Jan 18 10:38:29 2006
From: diego.cabrero at e-attico.net (Diego Cabrero)
Date: Wed Jan 18 10:38:36 2006
Subject: [LARTC] Download and upload independency
Message-ID: <43CE0C95.4050409@e-attico.net>

Hello everyone:

As it is known, when you limit uplink bandwidth it usually gets downlink bandwidth to a lower value.

I just want to know what is the optimal configuration for eth1 and imq0 according to some variables of tc (HTB), txqueuelen, mtu, etc. to make these packet flows less independent on an ethernet based network.

Thank you in advance.

-Diego

From comp.techs at aspenview.org Wed Jan 18 17:49:03 2006
From: comp.techs at aspenview.org (comp.techs)
Date: Wed Jan 18 17:49:50 2006
Subject: [LARTC] Gred/dsmark/htb
Message-ID: <648A21EA469E3848922D9860785CD5EF45670B@aspen-mail01.aspenview.org>

Hi, thx for the reply. If I changed the parent to 2.0 for the filters this would not pass the minor classid field back to the tcindex, which is required for gred?

thx
jason

________________________________

From: Andy Furniss [mailto:andy.furniss@dsl.pipex.com]
Sent: Thu 1/12/2006 2:43 PM
To: comp.techs
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Gred/dsmark/htb

comp.techs wrote:
> Hi, I am trying to get assured forwarding/expedited forwarding with gred and htb working. Below is the script I am using.
> The following steps are what I think is how the script works. My problem is that if I remove the HTB qdisc from the script and have GRED's parent as the dsmark it works, but when I add the htb as a parent of GRED and DSmark the parent of htb it does not work?
>
> Any suggestion appreciated.
> thx jason
>
> 1. The DS field is marked by iptables in prerouting/mangle to the appropriate class.
> 2. DSMark masks the ds and copies the dscp to the tcindex field.
> 3. filters are selected as per what dscp their handle is.
> 4.
the minor of the filter is returned back to the dsmark and copied to the tcindex
>
>
> #!/bin/sh
> tc qdisc del dev eth0 root
> tc qdisc add dev eth0 handle 1:0 root dsmark indices 16 set_tc_index
> tc filter add dev eth0 parent 1:0 protocol ip prio 1 tcindex \
>     mask 0xfc shift 2 pass_on
> #af class 1

I think all the filters below here should be on 2:0

> tc filter add dev eth0 parent 1:0 protocol ip prio 1 \
>     handle 10 tcindex classid 1:11
> tc filter add dev eth0 parent 1:0 protocol ip prio 1 \
>     handle 12 tcindex classid 1:12
> tc filter add dev eth0 parent 1:0 protocol ip prio 1 \
>     handle 14 tcindex classid 1:13
> #af class 2

Andy.

From nikky at mnet.bg Thu Jan 19 10:11:51 2006
From: nikky at mnet.bg (Nickola Kolev)
Date: Thu Jan 19 10:12:42 2006
Subject: [LARTC] simply limit interface bandwith
In-Reply-To: <43CD3268.3010604@zeroconcept.de>
References: <43CD3268.3010604@zeroconcept.de>
Message-ID: <20060119111151.5e559971.nikky@mnet.bg>

Hello,

You should give the LARTC howto a look:
http://lartc.org/howto/lartc.qdisc.advice.html

On Tue, 17 Jan 2006 17:07:36 -0100
Daniel Netzer wrote:

> Hi there,
>
> I am quite new to lartc and the usage of tc commands is still very
> difficult for me. All examples I have read (including the lartc.pdf)
> are way too complex for my "simple" problem.
>
> I just need to hard limit a given interface to a bandwidth (egress and
> ingress) like:
>
> eth0 inbound 1000kbit
> eth0 outbound 1000kbit
>
> No priorities, just a bandwidth limitation per device.
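For the Gred/dsmark/htb thread above, the part that is easy to get wrong is what the `tcindex` classifier actually computes from the DS byte before it consults the `handle` table. The following is an added example, not Jason's script nor anything from the list: it models in Python the steps described in the quoted message (dsmark `set_tc_index` copies the DS byte, the classifier applies `mask 0xfc shift 2`, the per-handle filters map the result to a class). The DSCP-to-class table is the one from the quoted "af class 1" filters; the `fall_through` behaviour is modelled from the tc-tcindex documentation and is an assumption about semantics, not something the thread states.

```python
# (tc_index & mask) >> shift, exactly as configured in the quoted script
MASK, SHIFT = 0xFC, 2
PARENT_MAJOR = 1  # the filters hang off qdisc 1:0 in the script

# handle -> classid from the "af class 1" filters in the quoted script.
# The handles are DSCP numbers: 10 = AF11, 12 = AF12, 14 = AF13.
FILTERS = {10: "1:11", 12: "1:12", 14: "1:13"}


def ds_byte(dscp, ecn=0):
    """Build the IP DS byte: 6 DSCP bits above 2 ECN bits."""
    if not (0 <= dscp < 64 and 0 <= ecn < 4):
        raise ValueError("dscp must be 0..63 and ecn 0..3")
    return (dscp << 2) | ecn


def tc_index_key(ds):
    """set_tc_index copies the DS byte into skb->tc_index; the tcindex
    classifier then computes (tc_index & mask) >> shift. With mask 0xfc and
    shift 2 the two ECN bits are discarded and the key is exactly the DSCP,
    which is why the filters use handle 10/12/14 rather than 0x28/0x30/0x38."""
    return (ds & MASK) >> SHIFT


def classify(ds, filters=FILTERS, pass_on=True):
    """Return the classid a packet with DS byte `ds` is steered to.

    pass_on (as in the script): no matching handle -> None, meaning the
    packet goes on to the next filter in the chain.
    fall_through (tcindex's default, modelled here as an assumption): no
    matching handle -> the computed key itself becomes the minor class
    number under the parent qdisc, e.g. DSCP 46 lands in class 1:46."""
    key = tc_index_key(ds)
    if key in filters:
        return filters[key]
    if pass_on:
        return None
    return f"{PARENT_MAJOR}:{key}"


if __name__ == "__main__":
    # Constructed packets: AF11 with and without ECN bits, AF12, and EF (46)
    for dscp, ecn in ((10, 0), (10, 3), (12, 0), (46, 0)):
        ds = ds_byte(dscp, ecn)
        print(f"DSCP {dscp:2d} ecn {ecn}: DS byte 0x{ds:02x} -> key {tc_index_key(ds):2d} "
              f"-> class {classify(ds)}")
```

The point of the mask is visible in the second constructed packet: a router that sets the ECN bits leaves the DSCP untouched, so AF11 traffic still reaches class 1:11. Anything whose DSCP has no handle (EF here) is passed on, so a catch-all for unmarked traffic has to exist somewhere later in the filter chain or it receives no class at all.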
From andrew.goodluck at intafrica.com Thu Jan 19 12:17:41 2006
From: andrew.goodluck at intafrica.com (andrew.goodluck@intafrica.com)
Date: Thu Jan 19 12:18:21 2006
Subject: [LARTC] Allowing certain IP to browse
Message-ID: <1247.192.168.35.14.1137669461.squirrel@webmail.satconet.com>

Hi all,
Need your input on the following:
I have a linux box (firewall)
- I want to restrict some users not to browse but send emails only
Example: 192.168.x.2 up to 192.168.X.45 to send emails and browse, while the rest (192.168.X.46 to 192.168.X.254) to send emails only. How do I do that?

thanx
Andy

From jandre at megaserve.net Thu Jan 19 13:18:24 2006
From: jandre at megaserve.net (Jandre Olivier)
Date: Thu Jan 19 13:10:38 2006
Subject: [LARTC] Allowing certain IP to browse
In-Reply-To: <1247.192.168.35.14.1137669461.squirrel@webmail.satconet.com>
References: <1247.192.168.35.14.1137669461.squirrel@webmail.satconet.com>
Message-ID: <43CF8390.20600@megaserve.net>

howdy,

iptables will help u here for starters

/sbin/iptables -A FORWARD -s 192.168.x.2/32 -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.x.2/32 -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.x.2/32 -j DROP

similar setup for the rest, this is not very clean though, might want to create subnets for each network and put them in separate network cards in your linux box to physically segment the networks, then you have control

Lata
J

andrew.goodluck@intafrica.com wrote:
> Hi all,
> Need your input on the following:
> I have a linux box (firewall)
> - I want to restrict some users not to browse but send emails only
> Example: 192.168.x.2 up to 192.168.X.45 to send emails and browse, while
> the rest (192.168.X.46 to 192.168.X.254) to send emails only. How do I do
> that?
> thanx
> Andy
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

--
localhost@localdomain.za.net

From gypsy at iswest.com Thu Jan 19 17:07:47 2006
From: gypsy at iswest.com (gypsy)
Date: Thu Jan 19 17:08:05 2006
Subject: [LARTC] Download and upload independency
References: <43CE0C95.4050409@e-attico.net>
Message-ID: <43CFB953.8EFE6025@iswest.com>

Diego Cabrero wrote:
>
> Hello everyone:
> As it is known, when you limit uplink bandwidth it usually gets downlink
> bandwidth to a lower value.
> I just want to know what is the optimal configuration for eth1 and imq0
> according to some variables of tc(HTB), txqueuelen, mtu, etc. to make
> these packet flows less independent on an ethernet based network.
>
> Thank you in advance.
>
> -Diego

Diego,

Since nobody else answered this, I'll give it a try.

I accelerate all small packets on the egress side because this sends the ACK packets ASAP. Doing this improves download speed.

I use 'quantum 1514', 'prio #' and 'burst #k' in my 'tc class add' lines. E.G.:

tc class add dev eth1 parent 1:1 classid 1:20 htb rate $RATE ceil \
    $CEIL burst 16k quantum 1514 prio 2

Make sure the sum of the rates is <= the parent rate. Some say it is better to patch htb to dequeue one packet at a time rather than 2. I don't.

Be sure you change your linux kernel source

vi ~linux/include/net/pkt_sched.h

so it uses PSCHED_CPU because JIFFIES just does not cut the mustard.

I am just now implementing IMQ. What a pain getting it to compile (bad linux 2.4 patch)!
I can't say yet if this is the right approach, but I intend to accelerate SSH and put everything else into a default bulk class, adding an esfq qdisc:

~'parent 1:20 handle 20: esfq limit 64 depth 64 divisor 10 \
    hash dst perturb 20'

and then filter SSH by source and dest port 22 into accelerated 1:10. I want to shape the incoming flows by where the packets come from - but I might change my mind after I try this :o

I looked at documentation on the DSL sites about tweaking, then at Oskar Andreasson's tutorial to understand the /proc settings, but I can't find my notes about what I changed. I did increase buffer sizes, but I can't recall anything further right now... IIRC, most things were correct so I did not change much.

--
gypsy

From gypsy at iswest.com Thu Jan 19 19:28:26 2006
From: gypsy at iswest.com (gypsy)
Date: Thu Jan 19 19:45:32 2006
Subject: [LARTC] IMQ slows computer to a crawl
Message-ID: <43CFDA4A.1A8543BD@iswest.com>

I am attempting to implement IMQ on a 2.4.31 version kernel with iptables 1.3.3.

I am following the example at http://www.linuximq.net/usage.html. When I enter the line

iptables -t mangle -A POSTROUTING -o eth1 -j IMQ --todev1

(eth1 is the external interface), the computer slows to a crawl. OK, the CPU is only an AMD K6 233 which is not the world's greatest CPU, but egress shaping is done at acceptable speed.

Neither top nor free is any help. top says the system is using 35% and user about 1%, with load averages in the range of 0.2x, 0.2x and 0.1x and top itself is at the top of the list. free says 3388 free mem and 780 used swap.

Even attaching to a non-connected device (change eth1 to eth2 in the above iptables line) creates this condition!??

Does anyone have any suggestions as to what might cause this huge slowdown? How do I troubleshoot this? I'll have to reimplement policing if I can't make IMQ work.

Thanks for any assistance.
--
gypsy

From jody.shumaker at gmail.com Fri Jan 20 01:54:06 2006
From: jody.shumaker at gmail.com (Jody Shumaker)
Date: Fri Jan 20 01:54:58 2006
Subject: [LARTC] Multi-path routing only using last nexthop in default route.
In-Reply-To: <2af436490601181355q5999cb6dj6eef4dd99e313067@mail.gmail.com>
References: <2af436490601161427w33b4f04ao6c45791edb92cd34@mail.gmail.com>
	<2af436490601181355q5999cb6dj6eef4dd99e313067@mail.gmail.com>
Message-ID: <2af436490601191654r40b8446ek8a84be5419587276@mail.gmail.com>

Further information, I've found that if I run with multiple nexthops for the default route, eventually I get a kernel panic. I can of course speed up the process by having some script repeatedly retrieve new routes.

Some of the info on screen when it happens:

EFLAGS: 00010202
EIP is at _stext+0x3feffd68/0x28
Stack:
rcu_do_batch+0x1f/0x70
rcu_process_callbacks+0x5d/0x70
tasklet_action+0x73/0xd0
__do_softirq+0xc5/0xe0
do_softirq+0x32/0x40
irq_exit+0x3e/0x40
do_IRQ+0x1e/0x30
common_interrupt+0x1a/0x20
acpi_processor_idle+0x129/0x2b4
cpu_idle+0x67/0x70
start_kernel+0x161/0x180
unknown_bootoption+0x0/0x1b0

Both times it happened, the stack trace was pretty much the same. If I instead only specify one nexthop, then I don't get this kernel panic.

for x in $(seq 1 254); do for y in $(seq 1 254); do for z in $(seq 1 254); do ip r g 1.$x.$y.$z; done; done; done

If I run that, with 2 nexthops, it kernel panics fairly quickly, after 500-1000 iterations roughly? With only 1 nexthop specified it had gone up to roughly 4000 iterations and beyond with no kernel panic.

Possibly the patches aren't compatible with other patches the gentoo kernel has applied... going to research what I can on that.

- Jody

On 1/18/06, Jody Shumaker wrote:
>
> > Do you have script to ping/arping the gateways on eth device(s)?
> > The NOARP devices are always preferred if the GWs on ARP devices are
> > not marked reachable in ARP cache.
>
>
> Yes, I have a script that pings the gateways on both devices every minute.
> I also just checked with `arp -an` and the gateway for the eth1 device is
> listed. Also, if I swap the order of the nexthops then I can have it favor
> the eth1 over ppp0 always.
>
> - Jody
>

From gypsy at iswest.com Fri Jan 20 03:32:03 2006
From: gypsy at iswest.com (gypsy)
Date: Fri Jan 20 03:32:24 2006
Subject: [LARTC] IMQ slows computer to a crawl - SOLVED
References: <43CFDA4A.1A8543BD@iswest.com>
Message-ID: <43D04BA3.A4C37053@iswest.com>

gypsy wrote:
>
> I am attempting to implement IMQ on a 2.4.31 version kernel with
> iptables 1.3.3.
>
> I am following the example at http://www.linuximq.net/usage.html. When
> I enter the line
> iptables -t mangle -A POSTROUTING -o eth1 -j IMQ --todev1
>
> (eth1 is the external interface), the computer slows to a crawl. OK,
> the CPU is only an AMD K6 233 which is not the world's greatest CPU, but
> egress shaping is done at acceptable speed.
>
> Neither top nor free is any help. top says the system is using 35% and
> user about 1%, with load averages in the range of 0.2x, 0.2x and 0.1x
> and top itself is at the top of the list. free says 3388 free mem and
> 780 used swap.
>
> Even attaching to a non-connected device (change eth1 to eth2 in the
> above iptables line) creates this condition!??
>
> Does anyone have any suggestions as to what might cause this huge
> slowdown? How do I troubleshoot this? I'll have to reimplement
> policing if I can't make IMQ work.
>
> Thanks for any assistance.
> --
> gypsy

The answer is that the wrong IMQ device was specified. I loaded imq with:

modprobe imq numdevs=1

That makes the --todev 0 not 1. Moreover, I was in the wrong mangle chain.
WRONG: iptables -t mangle -A POSTROUTING -o eth1 -j IMQ --todev 1
RIGHT: iptables -t mangle -A PREROUTING -i eth1 -j IMQ --todev 0

So much for the documentation at http://www.linuximq.net/usage.html . Thanks to http://wiki.nix.hu/cgi-bin/twiki/view/IMQ/WebHome

--
gypsy

From at.matei at gmail.com Fri Jan 20 11:13:06 2006
From: at.matei at gmail.com (at.matei)
Date: Fri Jan 20 11:14:37 2006
Subject: [LARTC] multiple wrr as child of htb
Message-ID: <43D0B7B2.2050700@gmail.com>

Hi all,

Here's the situation.
I have 80 users sharing an internet link of 5Mb.
The users are grouped in /29 ip addr classes so I have 10 classes of users.
I want to create a root htb, then 10 htb children each with 0.5Mb bandwidth. The traffic will be directed to each class using tc filters.
Now, I want each of the 8 users from each class to share the class bandwidth equally.
Can I use wrr with 8 classes each as leaf for each htb child?
Or, simply said: will each wrr classifier work on all seen ip addresses or just the addresses from its htb parent?

Thanks for any comments,

Alex

From mikaels at powertech.no Fri Jan 20 11:24:51 2006
From: mikaels at powertech.no (Mikael Svenson)
Date: Fri Jan 20 11:24:31 2006
Subject: [LARTC] Multiple links and nat
Message-ID: <43D0BA73.4040601@powertech.no>

I read the previous thread about this but I seem to have a small problem. I'm running gentoo with 2.6.14 kernel and have applied the patch from http://www.ssi.bg/~ja/#routes.

If I try to lynx to two different pages from the box itself it switches the interfaces every other time which is how it's supposed to work. If I use an extra machine and set its gateway to 10.0.4.211 (eth0), then all requests are being sent to just one interface all the time. The same happens if I try other machines. It's only requests generated inside the box which are being routed properly.

I'm just wondering if something is amiss in my setup. I have also tried the mpath2.sh script, but I got the same results.
My setup is like this:

eth0: 10.0.4.211 (internal network)
eth1: 192.168.1.2 (ISP1)
eth2: 10.0.0.2 (ISP2)

Commands:

ip route add 192.168.1.0/24 dev eth1 src 192.168.1.2 table T1
ip route add default via 192.168.1.1 table T1
ip route add 10.0.0.0/24 dev eth2 src 10.0.0.2 table T2
ip route add default via 10.0.0.1 table T2
ip rule add from 192.168.1.2 table T1
ip rule add from 10.0.0.2 table T2
ip route add default scope global nexthop via 192.168.1.1 dev eth1 weight 1 nexthop via 10.0.0.1 dev eth2 weight 1

iptables -t nat -A PREROUTING -s 10.0.4.0/255.255.254.0 -d 192.168.1.0/24 -j ACCEPT
iptables -t nat -A PREROUTING -s 10.0.4.0/255.255.254.0 -d 10.0.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -s 10.0.4.0/255.255.254.0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth2 -s 10.0.4.0/255.255.254.0 -j MASQUERADE

From jarod125 at yahoo.com Fri Jan 20 13:39:52 2006
From: jarod125 at yahoo.com (Gabriel)
Date: Fri Jan 20 13:40:30 2006
Subject: [LARTC] multiple wrr as child of htb
Message-ID: <20060120123952.45403.qmail@web60921.mail.yahoo.com>

On Fri, 20 Jan 2006 12:13:06 +0200, at.matei wrote:
> Hi all,
> Here's the situation.
> I have 80 users sharing an internet link of 5Mb.
> The users are grouped in /29 ip addr classes so I have 10 classes of users

Maybe I'm getting this wrong, but how can you have 8 users/class in a /29 subnet? Isn't 6 (2^3-1) the max?

> Thanks for any comments,
>
> Alex

--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
From diego.cabrero at e-attico.net Fri Jan 20 14:20:56 2006
From: diego.cabrero at e-attico.net (Diego Cabrero)
Date: Fri Jan 20 14:21:00 2006
Subject: [LARTC] Download and upload independency
In-Reply-To: <43CFB953.8EFE6025@iswest.com>
References: <43CE0C95.4050409@e-attico.net> <43CFB953.8EFE6025@iswest.com>
Message-ID: <43D0E3B8.2060400@e-attico.net>

An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060120/30733499/attachment.htm

From surda at shurdix.com Fri Jan 20 14:39:21 2006
From: surda at shurdix.com (Peter Surda)
Date: Fri Jan 20 14:39:23 2006
Subject: [LARTC] multiple wrr as child of htb
In-Reply-To: <43D0B7B2.2050700@gmail.com>
References: <43D0B7B2.2050700@gmail.com>
Message-ID: <43D0E809.9040502@shurdix.com>

at.matei wrote:
> Hi all,

hi

> Can I use wrr with 8 classes each as leaf for each htb child?

Yes, but ESFQ may be better. I had stability problems when using more than 1 WRR per interface, but it is possible that it's fixed now. Furthermore, WRR is designed for large numbers so it is overkill in your situation.

> Or, simply said: will each wrr classifier work on all seen ip
> addresses or just the addresses from its htb parent.

Any seen IP, they are assigned dynamically. If there are too many, the classes are "recycled" in a LIFO.

> Thanks for any comments,

NP.

> Alex

Yours sincerely,
Peter

--
http://www.shurdix.org - Linux distribution for routers and firewalls

From at.matei at gmail.com Fri Jan 20 14:53:50 2006
From: at.matei at gmail.com (at.matei)
Date: Fri Jan 20 14:55:10 2006
Subject: [LARTC] multiple wrr as child of htb
In-Reply-To: <20060120123952.45403.qmail@web60921.mail.yahoo.com>
References: <20060120123952.45403.qmail@web60921.mail.yahoo.com>
Message-ID: <43D0EB6E.2020901@gmail.com>

Gabriel wrote:
> On Fri, 20 Jan 2006 12:13:06 +0200, at.matei wrote:
>
>> Hi all,
>> Here's the situation.
>> I have 80 users sharing an internet link of 5Mb.
>> The users are grouped in /29 ip addr classes so I have 10
>> classes of users
>
> Maybe I'm getting this wrong, but how can you have 8
> users/class in a /29 subnet? Isn't 6 (2^3-1) the max?
>

Well, think not of separate ip classes but only of grouping. From 255 addresses I can group 8 users by means of a tc filter with x.x.x.x/29. These are not ip classes but qdisc classes.
You're right about classical subnetting.

Alex

From alex at qb.ro Fri Jan 20 15:32:22 2006
From: alex at qb.ro (Alexandru Matei)
Date: Fri Jan 20 15:32:33 2006
Subject: [LARTC] multiple wrr as child of htb
In-Reply-To: <43D0E809.9040502@shurdix.com>
References: <43D0B7B2.2050700@gmail.com> <43D0E809.9040502@shurdix.com>
Message-ID: <43D0F476.6080001@qb.ro>

Peter Surda wrote:
> at.matei wrote:
>
>> Hi all,
>
> hi
>
>> Can I use wrr with 8 classes each as leaf for each htb child?
>
> Yes, but ESFQ may be better. I had stability problems when using more
> than 1 WRR per interface, but it is possible that it's fixed now.
> Furthermore, WRR is designed for large numbers so it is overkill in
> your situation.
>
>> Or, simply said: will each wrr classifier work on all seen ip
>> addresses or just the addresses from its htb parent.
>
> Any seen IP, they are assigned dynamically. If there are too many, the
> classes are "recycled" in a LIFO.
>

Ok, maybe I was not clear enough. What I'm interested in is the order of passing through filters. WRR has a built-in filter. HTB child classes are fed by matching certain ip addresses (in my case htb child1 is for x.x.x.0/29, htb child2 is for x.x.x.8/29) and so on. I want to attach wrr1 as child to htb child 1 so the traffic gets evenly divided between clients x.x.x.0/29, wrr2 as child to htb child 2 and so on.
What I don't know is:
1/ tc filter match for is evaluated first
2/ if wrr1 is going to classify only hosts seen in x.x.x.0/29 or all hosts x.x.x.0/24

Regards,
Alex

>> Thanks for any comments,
>
> NP.
>
>> Alex
>
> Yours sincerely,
> Peter
>

From gypsy at iswest.com Sat Jan 21 06:15:27 2006
From: gypsy at iswest.com (gypsy)
Date: Sat Jan 21 06:16:10 2006
Subject: [LARTC] Download and upload independency
References: <43CE0C95.4050409@e-attico.net> <43CFB953.8EFE6025@iswest.com> <43D0E3B8.2060400@e-attico.net>
Message-ID: <43D1C36F.9CAC5A65@iswest.com>

> Diego Cabrero wrote:
>
> All right, so prioritizing ACK packets is one of the solutions. Then, do
> you use 1:20 class for ACK packets?

Please don't post in HTML. My Email reader was full of crap like
.

I create what I call an interactive class. I have a "T1" radio connection to the internet, so my upload rate is 1500kbit which I strangle to 1350 (90%). The interactive class has a rate of 200kbit, ceil of 1350kbit and prio 1 so it can borrow from all other classes (but it never needs to; I should find out how low rate can go but I haven't had time to do that). I set this up as 1:10 but I don't think the classid really matters (although I'm not sure). The rate, ceil, prio and burst do matter. Quantum is there because that lets me set any rate I want without having htb complain about r2q and because it is correct for ethernet.

> Or just by setting the parameters
> 'quantum 1514', 'prio #' and 'burst #k' is enough to do it inside
> whatever traffic runs through 1:20?

Not if I understand what you are asking. You need a class that has nothing going through it except really important traffic (SSH and ACK for me), so you do not want anything else in it. I do not use esfq on this either. All my other classes use esfq (which is why I maintain it for 2.4 kernels). If I had two classes and I was going to create an interactive one, I'd steal a bit of bandwidth from each of the other two, making sure they are set up to lend. It does not take much just for ACK.

> In case you assign one whole htb class for ACK packets, if I am not
> using priority bands (just ensuring VoIP's QoS) is it as simple as
> assigning them a low bandwidth (1Kb) and higher priority?

Almost. Along with low bandwidth you need a big ceiling and the HIGHEST priority so it can borrow when necessary. But since the packets are small, you don't need a big burst. For VoIP, you need to try to keep its class from lending when there is traffic and you sure don't want (e)sfq because that reorders the packets, which likely will disrupt your conversation. If everything is prio 0 (no prio specified), you can't be sure which class will lend spare bandwidth first.

> Thanks a lot.
>
> -Diego

You're welcome if this helps, otherwise you don't need to thank me ;)

--
gypsy

> gypsy wrote:
>
> > Diego Cabrero wrote:
> >
> >> Hello everyone:
> >> As it is known, when you limit uplink bandwidth it usually gets
> >> downlink bandwidth to a lower value.
> >> I just want to know what is the optimal configuration for eth1 and
> >> imq0 according to some variables of tc(HTB), txqueuelen, mtu, etc. to
> >> make these packet flows less independent on an ethernet based network.
> >>
> >> Thank you in advance.
> >>
> >> -Diego
> >>
> >
> > Diego,
> >
> > Since nobody else answered this, I'll give it a try.
> >
> > I accelerate all small packets on the egress side because this sends
> > the ACK packets ASAP. Doing this improves download speed.
> >
> > I use 'quantum 1514', 'prio #' and 'burst #k' in my 'tc class add'
> > lines. E.G.:
> > tc class add dev eth1 parent 1:1 classid 1:20 htb rate $RATE ceil \
> > $CEIL burst 16k quantum 1514 prio 2
> >
> > Make sure the sum of the rates is <= the parent rate. Some say it
> > is better to patch htb to dequeue one packet at a time rather than 2. I
> > don't.
> >
> > Be sure you change your linux kernel source
> > vi ~linux/include/net/pkt_sched.h
> > so it uses PSCHED_CPU because JIFFIES just does not cut the mustard.
> >
> > I am just now implementing IMQ. What a pain getting it to compile
> > (bad linux 2.4 patch)! I can't say yet if this is the right approach,
> > but I intend to accelerate SSH and put everything else into a default bulk
> > class, adding an esfq qdisc:
> > ~'parent 1:20 handle 20: esfq limit 64 depth 64 divisor 10 \
> > hash dst perturb 20'
> > and then filter SSH by source and dest port 22 into accelerated
> > 1:10.
> > I want to shape the incoming flows by where the packets come from -
> > but I might change my mind after I try this :o
> >
> > I looked at documentation on the DSL sites about tweaking, then at
> > Oskar Andreasson's tutorial to understand the /proc settings, but I
> > can't find my notes about what I changed. I did increase buffer sizes,
> > but I can't recall anything further right now... IIRC, most things
> > were correct so I did not change much.
> > --
> > gypsy

From ttw_chien at yahoo.com.tw Sat Jan 21 06:24:38 2006
From: ttw_chien at yahoo.com.tw (=?big5?q?=FFffffa6=FFffffca=FFffffa4=FFffffc0=20=FFffffa9=FFfffff6?=)
Date: Sat Jan 21 06:24:42 2006
Subject: [LARTC] TCNG make test error
Message-ID: <20060121052438.54611.qmail@web53412.mail.yahoo.com>

Hi:

I try to install TCNG into my Fedora core3 but make test gives an error, so when I compile my tc code, I see the same error ->

cpp: unregnized option `-$'

my cpp version is cpp-3.4.2-6.fc3, I put kernel 2.4.27 & iproute2-2.6.9 source under tcsim/, can anybody tell how to fix this problem??

Thanks
Fionna

From fals138 at gmail.com Sun Jan 22 13:07:32 2006
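The interactive/bulk split gypsy describes across this thread (an interactive class with a low rate, the parent's ceil and the highest prio, SSH and small ACKs filtered into it, everything else in a bulk class under (e)sfq) as one script, written as an added example; it is not gypsy's script nor any code from the thread. The device name, the rates, the burst sizes and the u32 matches are assumptions (stock sfq stands in for the esfq patch), DRY_RUN=1 prints the tc commands instead of running them, and rates_fit is the sum-of-rates check gypsy mentions, applied before anything is changed.

```shell
#!/bin/sh
# Added example (not from the thread): HTB egress shaper with an "interactive" class.
# Assumed: uplink on eth1 at 1500kbit, strangled to 90% as gypsy does.
DEV=${DEV:-eth1}
LINK_KBIT=1500
UP_KBIT=$((LINK_KBIT * 90 / 100))          # 1350: leave headroom so the queue is ours, not the modem's
INTERACTIVE_KBIT=200                        # guaranteed share for ACKs/SSH
BULK_KBIT=$((UP_KBIT - INTERACTIVE_KBIT))   # 1150: everything else
DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# The check gypsy mentions: leaf rates must not add up to more than the parent rate.
rates_fit() {
    total=0
    for r in "$@"; do total=$((total + r)); done
    [ "$total" -le "$UP_KBIT" ]
}

build_shaper() {
    rates_fit "$INTERACTIVE_KBIT" "$BULK_KBIT" || { echo "leaf rates exceed ${UP_KBIT}kbit" >&2; return 1; }
    run tc qdisc del dev "$DEV" root 2>/dev/null
    run tc qdisc add dev "$DEV" root handle 1: htb default 20
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate "${UP_KBIT}kbit" ceil "${UP_KBIT}kbit" quantum 1514
    # interactive: low rate, full ceil, highest prio so it borrows first; small burst, no sfq
    run tc class add dev "$DEV" parent 1:1 classid 1:10 htb rate "${INTERACTIVE_KBIT}kbit" \
        ceil "${UP_KBIT}kbit" burst 6k quantum 1514 prio 1
    # bulk: the rest, lower prio, bigger burst; quantum 1514 keeps htb quiet about r2q
    run tc class add dev "$DEV" parent 1:1 classid 1:20 htb rate "${BULK_KBIT}kbit" \
        ceil "${UP_KBIT}kbit" burst 16k quantum 1514 prio 2
    # bulk leaf gets a fair queue so one flow cannot hog it (sfq standing in for esfq)
    run tc qdisc add dev "$DEV" parent 1:20 handle 20: sfq perturb 10
    # SSH by either port into the interactive class
    run tc filter add dev "$DEV" parent 1: protocol ip prio 1 u32 match ip dport 22 0xffff flowid 1:10
    run tc filter add dev "$DEV" parent 1: protocol ip prio 1 u32 match ip sport 22 0xffff flowid 1:10
    # small pure ACKs: TCP, IHL 5, total length < 64 bytes, only the ACK flag set
    run tc filter add dev "$DEV" parent 1: protocol ip prio 2 u32 \
        match ip protocol 6 0xff match u8 0x05 0x0f at 0 \
        match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:10
}

build_shaper
```

Run with DRY_RUN=0 as root to apply; the three filters are evaluated in prio order, so SSH is classified before the generic ACK match.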
From: fals138 at gmail.com (Ismail Fahmi)
Date: Sun Jan 22 13:08:21 2006
Subject: [LARTC] classless qdisc and classful qdisc
Message-ID: <75dbe4850601220407h44b99847p28258c5409dc6353@mail.gmail.com>

Hello,

I'm still new in using tc... I wanna ask...

1. what is the difference between classless and classful qdisc?? when I make a qdisc, must I create both of those qdiscs...???

2. what is the difference between the three classless qdiscs in linux redhat 2.4, sfq, pfifo and tbf, if I use the htb classful qdisc??? because when I use the htb classful qdisc it means I made a qdisc that can rate b/w for each class, so there's no difference between using the tbf classless qdisc in each class and using sfq or pfifo...

-regards-

From Andreas.Klauer at metamorpher.de Sun Jan 22 18:08:03 2006
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Sun Jan 22 18:08:38 2006
Subject: [LARTC] classless qdisc and classful qdisc
In-Reply-To: <75dbe4850601220407h44b99847p28258c5409dc6353@mail.gmail.com>
References: <75dbe4850601220407h44b99847p28258c5409dc6353@mail.gmail.com>
Message-ID: <20060122170803.GA12539@EIS>

On Sun, Jan 22, 2006 at 07:07:32PM +0700, Ismail Fahmi wrote:
> 1. what is the difference between classless and classful qdisc?? when I made
> a qdisc, are I must create both of that qdisc...???

A classful qdisc allows packets to be sorted into different groups, and to handle packets differently depending on the group they belong to. This gives you a lot of control over how packets of a certain type / belonging to a certain user / etc. should be treated.

A classless qdisc just takes all incoming packets and treats them essentially all the same (with some exceptions). You can't manually customize or group types of packets in any way.

> 2. what is the difference beetween three of the classless qdisc in linux
> redhat 2.4, sfq pfifo and tbf if I using the htb classful qdisc ??? because
> when I use htb classful qdisc it means I made a qdisc that can rate b/w for
> each class, so it's no difference between I used tbf classless qdisc in each
> class and I used sfq or pfifo...

Not sure if I got this question right. Are you asking what the difference between limiting bandwidth using HTB and TBF is? In that case, TBF is classless, doesn't know anything at all about other traffic, and will just stupidly limit the bandwidth to a certain value. HTB on the other hand knows about its classes and can balance the total available bandwidth between them.

HTH
Andreas Klauer

From c.ciprian at gmail.com Sun Jan 22 19:19:42 2006
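The classless case Andreas contrasts with HTB, applied to the "just cap the device, no priorities" request Daniel Netzer posted earlier in this digest (1000kbit each way on eth0): a TBF on egress and a policer on ingress, which is the only shaping tool the ingress hook offers. This is an added example, not code from Andreas, Daniel or the LARTC howto; the device and the 1000kbit figure are Daniel's, HZ is an assumption (kernel timer rate), DRY_RUN=1 prints the tc commands instead of running them, and min_burst_bytes computes the bucket size a token bucket needs to reach its configured rate at all.

```shell
#!/bin/sh
# Added example (not from the thread): hard per-device cap with classless tools.
# Assumed: DEV and RATE_KBIT from Daniel's post, HZ = kernel timer rate (100 on 2.4-era kernels).
DEV=${DEV:-eth0}
RATE_KBIT=1000
HZ=${HZ:-100}
DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# A token bucket is refilled once per timer tick, so the bucket (burst) must hold at
# least one tick's worth of bytes or the qdisc can never reach the configured rate.
# Prints the minimum burst in bytes, rounded up to whole MTU-sized frames.
min_burst_bytes() {   # min_burst_bytes <rate_kbit> <hz> [mtu]
    mtu=${3:-1500}
    per_tick=$(( $1 * 1000 / 8 / $2 ))
    echo $(( (per_tick + mtu - 1) / mtu * mtu ))
}

# Egress: tbf is classless; every packet is treated the same and simply delayed or dropped.
cap_egress() {
    burst=$(min_burst_bytes "$RATE_KBIT" "$HZ")
    run tc qdisc del dev "$DEV" root 2>/dev/null
    run tc qdisc add dev "$DEV" root tbf rate "${RATE_KBIT}kbit" burst "$burst" latency 50ms
}

# Ingress: there is no queue to shape, so a policer drops whatever exceeds the rate
# (TCP senders back off; UDP is simply lost).
cap_ingress() {
    burst=$(min_burst_bytes "$RATE_KBIT" "$HZ")
    run tc qdisc del dev "$DEV" ingress 2>/dev/null
    run tc qdisc add dev "$DEV" handle ffff: ingress
    run tc filter add dev "$DEV" parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 \
        police rate "${RATE_KBIT}kbit" burst "$burst" drop flowid :1
}

cap_egress
cap_ingress
```

At 1000kbit and HZ=100 one tick is 1250 bytes, so the burst is rounded up to one 1500-byte frame; a faster link or a lower HZ needs proportionally more.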
From: c.ciprian at gmail.com (Ciprian Constantinescu)
Date: Sun Jan 22 19:20:21 2006
Subject: [LARTC] Problems with load balancing
Message-ID:

I have 2 providers, each on a separate interface, and a LAN on the third interface. After I do the load balancing, only one line is used and the traffic gets through very hard. Also, a simple command, like iptables -t nat -L, takes very long to show the output. Does anyone know what could be wrong? I list my outputs here:

taurus:~# ip route show all
192.168.2.0/26 dev eth0 proto kernel scope link src 192.168.2.22
86.55.39.128/25 dev eth1 proto kernel scope link src 86.55.39.223
10.0.0.0/24 dev eth2 proto kernel scope link src 10.0.0.1
default
	nexthop via 192.168.2.1 dev eth0 weight 1
	nexthop via 86.55.39.129 dev eth1 weight 1

taurus:~# ip route show table RTC
192.168.2.0/26 dev eth0 scope link src 192.168.2.22
86.55.39.128/25 dev eth1 scope link
10.0.0.0/25 dev eth2 scope link
127.0.0.0/8 dev lo scope link
default via 192.168.2.1 dev eth0

taurus:~# ip route show table EVO
192.168.2.0/26 dev eth0 scope link
86.55.39.128/25 dev eth1 scope link src 86.55.39.223
10.0.0.0/25 dev eth2 scope link
127.0.0.0/8 dev lo scope link
default via 86.55.39.129 dev eth1

taurus:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  10.0.0.0/24          !10.0.0.0/24         to:10.0.0.1

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

From andre at matuschek.org Sun Jan 22 19:38:54 2006
From: andre at matuschek.org (André Matuschek)
Date: Sun Jan 22 19:39:12 2006
Subject: [LARTC] Problems with load balancing
In-Reply-To:
References:
Message-ID:

Hi!

I would guess it's a problem with your DNS resolution. Try "route" and "route -n" and check if there's a difference. "route -n" disables the DNS resolution.

André

From andre at matuschek.org Sun Jan 22 20:51:01 2006
From: andre at matuschek.org (André Matuschek)
Date: Sun Jan 22 20:51:17 2006
Subject: [LARTC] Problems with load balancing
In-Reply-To:
References:
Message-ID:

Hi!

> I have tried. The route -n executes immediately, while route is slow.
> What do I have to do to solve this?

Try to change your DNS-Server. Edit the file /etc/resolv.conf, remove all "nameserver" lines and add one new nameserver. Try something like

nameserver 192.58.128.30

Ask your provider for a DNS-Address and take this one. After saving the file, "route" should execute fast immediately. Read "man resolv.conf"!

André

---
http://www.matuschek.org/
---

From carl at vivitec.com.au Mon Jan 23 03:30:48 2006
From: carl at vivitec.com.au (Carl Brewer)
Date: Mon Jan 23 03:31:34 2006
Subject: [LARTC] Setting an alias as the "default" IP address, or something similar?
Message-ID: <43D43FD8.1070008@vivitec.com.au>

Hello,

I've had a poke around through various linux routing documents, but haven't found what I think is an elegant solution to a routing issue I'm having with a hosting provider and RHEL ES 4 running in a VMware VM.

Here's a diagram of the situation:

Default route
at provider           our host (A)
72.3.230.1/26 ---- 72.3.230.30/26                  the VM (B)
                   192.168.239.1/24 ----- 192.168.239.2/24
                                          72.3.205.160/32

I need to have the 72.3.205.160 address be used by the linux box B in the VM as its default IP address - ie: when traffic goes out from it (originating) it needs to go out the 72.3.205.160/32 interface and then via the 192.168.239.2 to .1 (default route).

This setup is because the hosting vendor will only allocate us /32 addresses in addition to the base IP address they supply, which is fine if we run them as aliases on eth0 on our host, but doesn't work so well in a VM (you can't attach a route to a /32 that I'm aware of, if you can, I'd *love* to know how!)

Does anyone here have a suggestion for the neatest way to do this? At present I have the 192.168 network and a static route on A pointing the 72.3 address via 192.168.239.2 as that seemed to be the easiest way to do it, and inbound traffic works fine, but I haven't found a way to make the box in the VM use the 72.3.205.160 address as its source when it originates traffic, so things like DNS queries etc don't work unless I also NAT outgoing traffic on A, which I'd prefer not to do unless there's no alternative. Maybe a bridge between the two? I don't really have a handle on the VMware bridge setup (it's VMware workstation 5.0 at the moment).
so maybe it's something that would be better done in VMware, but I'd prefer to use a purely IP routing solution if possible so we're not tied to VMware (at some point I want to migrate this to xen or separate hardware).

Should I maybe use a tunnel? I have no experience with tunneling, and I'm not really sure how it would solve the problem.

Any suggestions?

Thanks!

Carl

--
=======================
Vivitec Pty. Ltd.
Suite 6, 51-55 City Rd.
Southbank, 3006.
Ph. +61 3 8626 5626
Fax +61 3 9682 1000
=======================

From alex at samad.com.au Mon Jan 23 04:22:23 2006
From: alex at samad.com.au (Alexander Samad)
Date: Mon Jan 23 04:22:38 2006
Subject: [LARTC] Setting an alias as the "default" IP address, or something similar?
In-Reply-To: <43D43FD8.1070008@vivitec.com.au>
References: <43D43FD8.1070008@vivitec.com.au>
Message-ID: <20060123032223.GD12447@samad.com.au>

On Mon, Jan 23, 2006 at 01:30:48PM +1100, Carl Brewer wrote:
>
>
> Hello,
> I've had a poke around through various linux routing documents,
> but haven't found what I think is an elegant solution to a
> routing issue I'm having with a hosting provider and RHEL ES 4 running
> in a VMware VM.
>
> Here's a diagram of the situation:
>
>
> Default route
> at provider           our host (A)
> 72.3.230.1/26 ---- 72.3.230.30/26                  the VM (B)
>                    192.168.239.1/24 ----- 192.168.239.2/24
>                                           72.3.205.160/32
>

hi

maybe I am missing something but can't you just use this

ip r a default via 192.168.239.1 src 72.3.205.160

plus you might need this as well

ip r a 192.168.239.0/24 src 192.168.239.2

You might want to look at bridging, the vm interface sort of becomes the external interface and the vm nic driver keeps the traffic different

>
> I need to have the 72.3.205.160 address be used by the
> linux box B in the VM as its default IP address - ie:
> when traffic goes out from it (originating) it needs
> to go out the 72.3.205.160/32 interface and then
> via the 192.168.239.2 to .1 (default route).
>
> This setup is because the hosting vendor will only allocate
> us /32 addresses in addition to the base IP address they supply, which
> is fine if we run them as aliases on eth0 on our host, but doesn't work
> so well in a VM (you can't attach a route to a /32 that I'm
> aware of, if you can, I'd *love* to know how!)
>
> Does anyone here have a suggestion for the neatest way to
> do this?
At present I have the 192.168 network and a static > route on A pointing the 72.3 address via 192.168.239.2 as that > seemed to be the easiest way to do it, and inbound traffic > works fine, but I haven't found a way to make the box in the > VM use the 72.3.205.160 address as its source when it originates > traffic, so things like DNS queries etc don't work unless I > also NAT outgoing traffic on A, which I'd prefer not to do unless > there's no alternative. Maybe a bridge between the two? I don't > really have a handle on the VMware bridge setup (it's VMware > workstation 5.0 at the moment). so maybe it's something that > would be better done in VMware, but I'd prefer to use a purely IP > routing solution if possible so we're not tied to VMware (at some > point I want to migrate this to xen or seperate hardware). > > Should I maybe use a tunnel? I have no experience with tunneling, and > not really sure of how it would solve the problem > > > Any suggestions? > > Thanks! > > Carl > > > > > -- > ======================= > Vivitec Pty. Ltd. > Suite 6, 51-55 City Rd. > Southbank, 3006. > Ph. +61 3 8626 5626 > Fax +61 3 9682 1000 > ======================= > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20060123/86236534/attachment.pgp From storm at tux.org Mon Jan 23 05:18:52 2006 
From: storm at tux.org (Bradley Alexander)
Date: Mon Jan 23 05:19:11 2006
Subject: [LARTC] Help configuring firewall
Message-ID: <1137989933.5564.30.camel@localhost.localdomain>

I am trying to configure a firewall, but nailing down the configuration is
eluding me. The box is running Debian stable.

Basically, I have a rackmount server with six network cards. eth0 is the
internal network, eth1 is a kiosk network, eth2 is a DMZ/wireless network.
On the outbound side, eth3 is a DSL connection and eth4 is a cablemodem
connection.

What I am trying to do is route all internal traffic out the DSL connection
(eth0 to eth3), and the two dmzs, kiosk and wireless, out the cable
connection (eth1 and eth2 to eth4). Thus far I have been unable to get this
to work.

For the sake of the discussion, the internal network is 10.1.1.0/24, the
kiosk is 172.16.1.0/24 and the dmz/wireless is 192.168.1.0/24. The dsl line
is 1.2.3.4 and the cable line is 9.8.7.6.

I added the following to rt_tables:

1 internal
2 kiosk
3 dmz

then created a script

ip rule add from 10.1.1.0/24 table internal
ip route add default via 1.2.3.4 dev eth3 table internal
ip rule add from 172.16.1.0/24 table kiosk
ip route add default via 9.8.7.6 dev eth4 table kiosk
ip rule add from 192.168.1.0/24 table dmz
ip route add default via 9.8.7.6 dev eth4 table dmz

When I run this script, it does not do what I expect, especially after
running the firewall rules atop it. I thought I had it nailed, but it wasn't
working as expected, and I really couldn't test very well.

I'm hoping some kind soul on this list might have a few minutes for an
email exchange to help me get this sorted out. If so, please email me
off-list. I'm sure it's probably something that I overlooked, but I'm at a
loss as to what.

Regards,
--b

From carl at vivitec.com.au Mon Jan 23 07:49:02 2006
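A fuller version of the source-based policy routing from Bradley's post, added here as an example and not taken from the thread. It keeps his interface names, networks and rt_tables entries; the two gateway addresses are placeholders for the providers' next-hop routers (which is what `via` expects), and DRY_RUN=1 (the default) prints the commands instead of running them so the rule set can be reviewed before it touches a live router.

```shell
#!/bin/sh
# Added example, not from the original post.  Source-based policy routing
# for Bradley's layout: eth0/eth1/eth2 are the LANs, eth3 is DSL, eth4 is
# cable.  The tables internal/kiosk/dmz must exist in /etc/iproute2/rt_tables.

DRY_RUN=${DRY_RUN:-1}

DSL_IF=eth3;   DSL_GW=203.0.113.1     # placeholder: DSL provider's next hop
CABLE_IF=eth4; CABLE_GW=198.51.100.1  # placeholder: cable provider's next hop

# run CMD...: print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# add_table NAME NET DEV GW: packets whose source is in NET are looked up
# in table NAME, which sends them out DEV to GW.  The table also gets the
# connected routes for the three LANs: once a packet matches the "from NET"
# rule, only this table is consulted, so without them LAN-to-LAN traffic
# would fall through to the table's default route and leave via the uplink.
add_table() {
    name=$1; net=$2; dev=$3; gw=$4
    run ip route add 10.1.1.0/24    dev eth0 table "$name"
    run ip route add 172.16.1.0/24  dev eth1 table "$name"
    run ip route add 192.168.1.0/24 dev eth2 table "$name"
    run ip route add default via "$gw" dev "$dev" table "$name"
    run ip rule add from "$net" table "$name"
}

setup_policy_routing() {
    add_table internal 10.1.1.0/24    "$DSL_IF"   "$DSL_GW"
    add_table kiosk    172.16.1.0/24  "$CABLE_IF" "$CABLE_GW"
    add_table dmz      192.168.1.0/24 "$CABLE_IF" "$CABLE_GW"
    # older kernels cache route decisions; flush so the new rules apply
    run ip route flush cache
}

setup_policy_routing
```

Run with DRY_RUN=0 as root to apply it; `ip rule show` and `ip route show table kiosk` then show what was installed.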
From: carl at vivitec.com.au (Carl Brewer)
Date: Mon Jan 23 07:49:40 2006
Subject: [LARTC] Setting an alias as the "default" IP address, or something similar?
In-Reply-To: <20060123032223.GD12447@samad.com.au>
References: <43D43FD8.1070008@vivitec.com.au> <20060123032223.GD12447@samad.com.au>
Message-ID: <43D47C5E.3040401@vivitec.com.au>

Alexander Samad wrote:
> On Mon, Jan 23, 2006 at 01:30:48PM +1100, Carl Brewer wrote:
>>
>> Hello,
>> I've had a poke around through various linux routing documents,
>> but haven't found what I think is an elegant solution to a
>> routing issue I'm having with a hosting provider and RHEL ES 4 running
>> in a VMware VM.
>>
>> Here's a diagram of the situation:
>>
>>   Default route
>>   at provider           our host (A)
>>   72.3.230.1/26  ----   72.3.230.30/26           the VM (B)
>>                         192.168.239.1/24  -----  192.168.239.2/24
>>                                                  72.3.205.160/32
>>
> hi
>
> maybe I am missing something but can't you just use this
>
> ip r a default via 192.168.239.1 src 72.3.205.160
>
> plus you might need this as well
> ip r a 192.168.239.0/24 src 192.168.239.2

I just needed the first one, thank you. That worked a treat.

Out of curiosity, I have that command currently in rc.local, but is
there a better place to put it in the redhat startup sequence? Normally
it'd do in /etc/sysconfig/network but I'm not sure of the possibility of
putting that sort of thing in there?

From lartc at manchotnetworks.net Mon Jan 23 10:04:10 2006
From: lartc at manchotnetworks.net (lartc)
Date: Mon Jan 23 10:04:49 2006
Subject: [LARTC] http gets to user space
Message-ID: <1138007050.4423.4.camel@drs0.manchotnetworks.net>

hi all,

curious if anyone has successfully sent http get packets to userspace
for blacklist filtering ...

i'd like to do a live cd that would obviate the necessity to install
squid and squidguard, but rather, have iptables send packets to
squidguard (or something else) directly ...

cheers

charles

From unki at netshadow.at Mon Jan 23 10:23:46 2006

From: unki at netshadow.at (Andreas Unterkircher)
Date: Mon Jan 23 10:23:50 2006
Subject: [LARTC] http gets to user space
In-Reply-To: <1138007050.4423.4.camel@drs0.manchotnetworks.net>
References: <1138007050.4423.4.camel@drs0.manchotnetworks.net>
Message-ID: <20060123102346.rairhwo7wg400ocw@webmail.netshadow.at>

You mean transparent proxy?
http://www.faqs.org/docs/Linux-mini/TransparentProxy.html

Quoting lartc :
> hi all,
>
> curious if anyone has successfully sent http get packets to userspace
> for blacklist filtering ...
>
> i'd like to do a live cd that would obviate the necessity to install
> squid and squidguard, but rather, have iptables send packets to
> squidguard (or something else) directly ...
>
> cheers
>
> charles

From unki at netshadow.at Mon Jan 23 10:26:57 2006
From: unki at netshadow.at (Andreas Unterkircher)
Date: Mon Jan 23 10:27:54 2006
Subject: [LARTC] http gets to user space
In-Reply-To: <1138007050.4423.4.camel@drs0.manchotnetworks.net>
References: <1138007050.4423.4.camel@drs0.manchotnetworks.net>
Message-ID: <20060123102657.0tce4wbb44wkg4gg@webmail.netshadow.at>

ah. misunderstood the question. you meant without squid.. sry :)

Quoting lartc :
> hi all,
>
> curious if anyone has successfully sent http get packets to userspace
> for blacklist filtering ...
>
> i'd like to do a live cd that would obviate the necessity to install
> squid and squidguard, but rather, have iptables send packets to
> squidguard (or something else) directly ...
>
> cheers
>
> charles

From diego.cabrero at e-attico.net Mon Jan 23 10:37:49 2006
From: diego.cabrero at e-attico.net (Diego Cabrero)
Date: Mon Jan 23 10:38:00 2006
Subject: [LARTC] Adding HTB support for kernel 2.4.19 SUSE 8.1
Message-ID: <43D4A3ED.4000407@e-attico.net>

Hi everybody,

I've got a little problem when adding HTB support to my SUSE 8.1 by
patching its kernel 2.4.19.

After I patch the kernel (getting some errors), the HTB kernel option shows
up, but when I make modules it finds something wrong with the sch_htb.o
module.

Could somebody give me a hand on this?

Thanks in advance.

I get this information when patching (patch -p1 < htb3.6_2.4.17.diff)

******************************************************
patching file net/sched/Config.in
Reversed (or previously applied) patch detected!  Assume -R? [n] n
Apply anyway? [n] y
Hunk #1 FAILED at 2.
1 out of 1 hunk FAILED -- saving rejects to file net/sched/Config.in.rej
patching file net/sched/Makefile
Reversed (or previously applied) patch detected!  Assume -R? [n] y
Hunk #1 succeeded at 15 (offset -1 lines).
patching file net/sched/sch_htb.c
patching file include/linux/pkt_sched.h
Reversed (or previously applied) patch detected!  Assume -R? [n] y
patching file net/sched/sch_api.c
Hunk #1 FAILED at 1117.
Hunk #2 succeeded at 1205 with fuzz 2.
1 out of 2 hunks FAILED -- saving rejects to file net/sched/sch_api.c.rej
patching file lib/Makefile
Hunk #1 FAILED at 8.
1 out of 1 hunk FAILED -- saving rejects to file lib/Makefile.rej
patching file lib/rbtree.c
Reversed (or previously applied) patch detected!  Assume -R? [n] y
Hunk #2 succeeded at 126 (offset 1 line).
Hunk #3 succeeded at 292 (offset 1 line).
patching file include/net/pkt_sched.h
Reversed (or previously applied) patch detected!  Assume -R? [n] y
Hunk #1 succeeded at 222 (offset 1 line).
***************************************************

From linkrupak at gmail.com Mon Jan 23 11:47:34 2006
From: linkrupak at gmail.com (rupak shrestha)
Date: Mon Jan 23 11:48:40 2006
Subject: [LARTC] Curosity on HTB
Message-ID:

Hello members.

I wanted to know if htb shapes download speed and upload speed too? I want
to give a client 128/64. So is it possible to give 128 download speed and
64 upload speed? I mean 2 way traffic control.

From dor at ldc.net Mon Jan 23 11:59:59 2006

From: dor at ldc.net (Dmytro O. Redchuk)
Date: Mon Jan 23 12:00:28 2006
Subject: [LARTC] Curosity on HTB
In-Reply-To:
References:
Message-ID: <20060123105959.GJ3978@ldc.net>

On Mon, Jan 23, 2006 at 04:47:34PM +0600, rupak shrestha wrote:
> Hello members.
> I wanted to know if htb shapes download speed and upload speed too? i want to
> give a client 128/64. so is it possible to give 128 download speed
> and 64 upload speed. I mean 2 way traffic control.

If you have a router, you probably have more than one interface. Limit
download speed at an internal interface and upload -- at an external one
(to/from client's address[es], or mark packets...).

--
  _,-=._              /|_/|
  `-.}   `=._,.-=-._.,  @ @._,
     `._ _,-.   )      _,.-'
        `    G.m-"^m`m'
Dmytro O. Redchuk

From amsabuncu at gmail.com Mon Jan 23 13:52:20 2006
From: amsabuncu at gmail.com (A.M. Sabuncu)
Date: Mon Jan 23 14:00:29 2006
Subject: [LARTC] Curosity on HTB
In-Reply-To:
References:
Message-ID: <30580f240601230452g1b6da9e8hfd3ce50d4da3a7b4@mail.gmail.com>

Rupak,

I am new to LARTC, but based on what I have read, one of the fundamentals
cited in the various documentation is that incoming traffic cannot be
shaped. Incoming traffic can only be limited via "throttling". Maybe others
on this list can provide further specifics.

Hope this helps - Todd

On 1/23/06, rupak shrestha wrote:
>
> Hello members.
> I wanted to know if htb shapes download speed and upload speed too? i want to
> give a client 128/64. so is it possible to give 128 download speed
> and 64 upload speed. I mean 2 way traffic control.

From kajtek at biezanow.net Mon Jan 23 14:28:03 2006
From: kajtek at biezanow.net (Kajetan Staszkiewicz)
Date: Mon Jan 23 14:28:12 2006
Subject: [LARTC] Curosity on HTB
In-Reply-To:
References:
Message-ID: <200601231428.03772.kajtek@biezanow.net>

On Monday, 23 January 2006 11:47, rupak shrestha wrote:
> Hello members.
> I wanted to know if htb shapes download speed and upload speed too? i want to
> give a client 128/64. so is it possible to give 128 download speed
> and 64 upload speed. I mean 2 way traffic control.

You can shape only traffic outgoing from a network interface. To shape
incoming traffic you need another interface (so traffic incoming on one
interface is outgoing on the other one, so you can shape it). But this
can of course be some virtual interface like IMQ.

--
| pozdrawiam / greetings | powered by Trustix, Gentoo and FreeBSD |
| Kajetan Staszkiewicz   | JID: vegeta@chrome.pl                  |
| Vegeta                 | IMQ devnames: http://tuxpowered.net    |
`------------------------^----------------------------------------'

From alex at qb.ro Mon Jan 23 15:53:53 2006
From: alex at qb.ro (Alexandru Matei)
Date: Mon Jan 23 15:55:08 2006
Subject: [LARTC] multiple wrr as child of htb
In-Reply-To: <43D117F5.6030600@shurdix.com>
References: <43D0B7B2.2050700@gmail.com> <43D0E809.9040502@shurdix.com> <43D0F476.6080001@qb.ro> <43D117F5.6030600@shurdix.com>
Message-ID: <43D4EE01.403@qb.ro>

Thanks all for your answers. I'll see how it will behave in practice and
let you know.

Thanks again,
Alex

Peter Surda wrote:
> Alexandru Matei wrote:
>
>> Ok, maybe I was not clear enough.
>
> Yes you were :-)
>
>> What I'm interested in is the order of passing through filters. WRR
>> has a built-in filter.
>
> Yes. But this isn't anything special per se, any classful qdisc
> distributes packets somehow, you just usually "tune" it by using tc
> filter.
>
>> HTB child classes are fed by matching certain ip addresses (in my
>> case htb child1 is for x.x.x.0/29, htb child2 is for x.x.x.8/29)
>> and so on.
>
> Yes.
>
>> I want to attach wrr1 as child to htb child 1 so the traffic gets
>> evenly divided between clients x.x.x.0/29, wrr2 as child to htb child 2
>> and so on.
>
> That isn't a problem (other than potential stability issues I
> mentioned before).
>
>> What I don't know is:
>> 1/ tc filter match for is evaluated first
>
> Of course.
>
>> 2/ if wrr1 is going to classify only hosts seen in x.x.x.0/29 or all
>> hosts x.x.x.0/24
>
> WRR classifies those packets that "flow" through it, like any other
> qdisc. It doesn't care whether they are a /29 subnet or some arbitrary
> IPs (it uses hashing in a way similar to conntrack for assigning
> classes).
>
>> Regards,
>> Alex
>
> Yours sincerely,
> Peter

From gypsy at iswest.com Mon Jan 23 17:13:05 2006
From: gypsy at iswest.com (gypsy)
Date: Mon Jan 23 17:14:00 2006
Subject: [LARTC] Adding HTB support for kernel 2.4.19 SUSE 8.1
References: <43D4A3ED.4000407@e-attico.net>
Message-ID: <43D50091.55921D21@iswest.com>

Diego Cabrero wrote:
>
> Hi everybody,
> I've got a little problem when adding HTB support to my SUSE 8.1 by
> patching its kernel 2.4.19.
>
> After I patch the kernel (getting some errors), the HTB kernel option shows up
> but when I make modules it finds something wrong with the sch_htb.o module.
>
> Could somebody give me a hand on this?
>
> Thanks in advance.
>
> I get this information when patching (patch -p1 < htb3.6_2.4.17.diff)
> ******************************************************
> patching file net/sched/Config.in
> Reversed (or previously applied) patch detected!  Assume -R? [n] n
> Apply anyway? [n] y

NO! Never say YES when patch says "Reverse?". Never say YES when patch
says "Apply anyway?" either.

> Hunk #1 FAILED at 2.
> 1 out of 1 hunk FAILED -- saving rejects to file net/sched/Config.in.rej
> patching file net/sched/Makefile
> Reversed (or previously applied) patch detected!  Assume -R? [n] y
> Hunk #1 succeeded at 15 (offset -1 lines).
> patching file net/sched/sch_htb.c
> patching file include/linux/pkt_sched.h
> Reversed (or previously applied) patch detected!  Assume -R? [n] y
> patching file net/sched/sch_api.c
> Hunk #1 FAILED at 1117.
> Hunk #2 succeeded at 1205 with fuzz 2.
> 1 out of 2 hunks FAILED -- saving rejects to file net/sched/sch_api.c.rej
> patching file lib/Makefile
> Hunk #1 FAILED at 8.
> 1 out of 1 hunk FAILED -- saving rejects to file lib/Makefile.rej
> patching file lib/rbtree.c
> Reversed (or previously applied) patch detected!  Assume -R? [n] y
> Hunk #2 succeeded at 126 (offset 1 line).
> Hunk #3 succeeded at 292 (offset 1 line).
> patching file include/net/pkt_sched.h
> Reversed (or previously applied) patch detected!  Assume -R? [n] y
> Hunk #1 succeeded at 222 (offset 1 line).

Whatever just succeeded reversed what was in htb3.6_2.4.17.diff.

Go get the kernel source for 2.4.32.
Copy your working .config into that source and make oldconfig
rm .version
Edit linux/include/net/pkt_sched.h changing JIFFIES to CPU
Compile and install that new kernel.

--gypsy

From uwe.ludwig at gmx.net Mon Jan 23 19:57:22 2006
From: uwe.ludwig at gmx.net (Uwe Ludwig)
Date: Mon Jan 23 19:58:37 2006
Subject: [LARTC] HFSC Two piece service curve questions
Message-ID:

Hello,

this is my first post here and it is about the behavior of a HFSC class
with a two-piece-wise linear service curve. My goal is to separate audio
streams from bulk traffic. To keep it simple I use two classes, one high
priority realtime and the other for the rest.

Example:

tc qdisc add dev ppp0 root handle 1: hfsc default 11
tc class add dev ppp0 parent 1: classid 1:1 hfsc rt m1 400kbit d 30ms m2 100kbit ls rate 100kbit ul rate 500kbit
tc class add dev ppp0 parent 1: classid 1:11 hfsc ls rate 400kbit ul rate 500kbit
[filter...]

As I understand it the first piece (high slope) of the service curve in
class 1:1 affects the first deadline of packets in the class. It shortens
the time before packets leave the class for the first time. Later on the
timeline the 2nd piece of the service curve has a constant lower slope
(100kbit) and defines the deadlines' intervals (when packets leave the
class). These intervals are constant and higher than the first
"manipulated" deadline. As a result of the shortened first deadline all
later deadline time points are nearer the arriving time of its packets,
which gives us a lower delay. (Typically they also arrive in constant
intervals, considering audio or video streams.)

Now coming to my question, I am wondering if this "high slope effect" of
the first service curve piece only takes effect for the first time the
class is used (first 10ms). If this is the case, only the first time an
audio stream flows through class 1:1 its delay will be lowered. Later
starting flows will not profit from the high m1 slope.

To be honest I think it is just a bit of a wrong understanding by me here,
isn't it?

Regards,
Uwe

From alexeyt at freeshell.org Mon Jan 23 20:21:09 2006
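A worked computation of the real-time curve of class 1:1 from the tc lines above, added here as an example and not part of Uwe's post. The symbols m1, d and m2 are the ones on the tc command line; B is the cumulative number of bytes the class has been given since it became backlogged.

```latex
\text{rt curve of class 1:1:}\quad m_1 = 400\,\mathrm{kbit/s},\qquad d = 30\,\mathrm{ms},\qquad m_2 = 100\,\mathrm{kbit/s}

S(t) =
\begin{cases}
m_1\, t, & 0 \le t \le d \\[2pt]
m_1\, d + m_2\,(t - d), & t > d
\end{cases}
\qquad
S(d) = 400\,\mathrm{kbit/s}\cdot 0.03\,\mathrm{s} = 12\,\mathrm{kbit} = 1500\,\mathrm{bytes}

\text{Deadline of the } B\text{-th cumulative byte (the inverse of } S\text{):}\qquad
D(B) =
\begin{cases}
\dfrac{8B}{m_1}, & B \le 1500 \\[8pt]
d + \dfrac{8\,(B - 1500)}{m_2}, & B > 1500
\end{cases}

D(1500) = 30\,\mathrm{ms},\qquad
D(3000) = 30\,\mathrm{ms} + 120\,\mathrm{ms} = 150\,\mathrm{ms},\qquad
D(4500) = 270\,\mathrm{ms}
```

So with these parameters exactly one 1500-byte packet fits under the steep piece, and every further packet queued in the same busy period is spaced 120 ms apart by m2. The HFSC scheduler recomputes the deadline curve from the current time and the class's cumulative service each time the class goes from idle to backlogged (taking the minimum with the old curve), so the m1 piece is available again to later streams as long as the class drained in between; it is not a one-off at qdisc creation.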
From: alexeyt at freeshell.org (Alexey Toptygin)
Date: Mon Jan 23 20:21:27 2006
Subject: [LARTC] Setting an alias as the "default" IP address, or something similar?
In-Reply-To: <43D47C5E.3040401@vivitec.com.au>
References: <43D43FD8.1070008@vivitec.com.au> <20060123032223.GD12447@samad.com.au> <43D47C5E.3040401@vivitec.com.au>
Message-ID:

On Mon, 23 Jan 2006, Carl Brewer wrote:

>> hi
>> maybe I am missing something but can't you just use this
>>
>> ip r a default via 192.168.239.1 src 72.3.205.160
>>
>> plus you might need this as well
>> ip r a 192.168.239.0/24 src 192.168.239.2
>
> I just needed the first one, thank you. That worked a treat.
>
> Out of curiosity, I have that command currently in rc.local, but is
> there a better place to put it in the redhat startup sequence? Normally
> it'd do in /etc/sysconfig/network but I'm not sure of the possibility of
> putting that sort of thing in there?

I haven't used RedHat in a while, but IIRC you can put
GATEWAY=192.168.239.1
into /etc/sysconfig/network-scripts/ifcfg- file

Alexey

From alex at samad.com.au Mon Jan 23 21:47:22 2006
From: alex at samad.com.au (Alexander Samad)
Date: Mon Jan 23 21:49:12 2006
Subject: [LARTC] Setting an alias as the "default" IP address, or something similar?
In-Reply-To: <43D47C5E.3040401@vivitec.com.au>
References: <43D43FD8.1070008@vivitec.com.au> <20060123032223.GD12447@samad.com.au> <43D47C5E.3040401@vivitec.com.au>
Message-ID: <20060123204722.GF12447@samad.com.au>

On Mon, Jan 23, 2006 at 05:49:02PM +1100, Carl Brewer wrote:
> Alexander Samad wrote:
> >On Mon, Jan 23, 2006 at 01:30:48PM +1100, Carl Brewer wrote:
> >>
> >>Hello,
> >>I've had a poke around through various linux routing documents,
> >>but haven't found what I think is an elegant solution to a
> >>routing issue I'm having with a hosting provider and RHEL ES 4 running
> >>in a VMware VM.
> >>
> >>Here's a diagram of the situation:
> >>
> >>   Default route
> >>   at provider           our host (A)
> >>   72.3.230.1/26  ----   72.3.230.30/26           the VM (B)
> >>                         192.168.239.1/24  -----  192.168.239.2/24
> >>                                                  72.3.205.160/32
> >>
> >hi
> >
> >maybe I am missing something but can't you just use this
> >
> >ip r a default via 192.168.239.1 src 72.3.205.160
> >
> >plus you might need this as well
> >ip r a 192.168.239.0/24 src 192.168.239.2
>
> I just needed the first one, thank you. That worked a treat.
>
> Out of curiosity, I have that command currently in rc.local, but is
> there a better place to put it in the redhat startup sequence? Normally
> it'd do in /etc/sysconfig/network but I'm not sure of the possibility of
> putting that sort of thing in there?

Hi

Sorry, not sure about redhat, but rc.local sounds like the place to put it

From carl at vivitec.com.au Mon Jan 23 23:10:02 2006

From: carl at vivitec.com.au (Carl Brewer)
Date: Mon Jan 23 23:11:15 2006
Subject: [LARTC] Setting an alias as the "default" IP address, or something similar?
In-Reply-To:
References: <43D43FD8.1070008@vivitec.com.au> <20060123032223.GD12447@samad.com.au> <43D47C5E.3040401@vivitec.com.au>
Message-ID: <43D5543A.4060105@vivitec.com.au>

Alexey Toptygin wrote:
> On Mon, 23 Jan 2006, Carl Brewer wrote:
>
>>> hi maybe I am missing something but can't you just use this
>>>
>>> ip r a default via 192.168.239.1 src 72.3.205.160
>>>
>>> plus you might need this as well
>>> ip r a 192.168.239.0/24 src 192.168.239.2
>>
>> I just needed the first one, thank you. That worked a treat.
>>
>> Out of curiosity, I have that command currently in rc.local, but is
>> there a better place to put it in the redhat startup sequence? Normally
>> it'd do in /etc/sysconfig/network but I'm not sure of the possibility of
>> putting that sort of thing in there?
>
> I haven't used RedHat in a while, but IIRC you can put
> GATEWAY=192.168.239.1
> into /etc/sysconfig/network-scripts/ifcfg- file

That does the equivalent to the src route above?

From alexeyt at freeshell.org Mon Jan 23 23:22:39 2006
From: alexeyt at freeshell.org (Alexey Toptygin)
Date: Mon Jan 23 23:22:55 2006
Subject: [LARTC] Setting an alias as the "default" IP address, or something similar?
In-Reply-To: <43D5543A.4060105@vivitec.com.au>
References: <43D43FD8.1070008@vivitec.com.au> <20060123032223.GD12447@samad.com.au> <43D47C5E.3040401@vivitec.com.au> <43D5543A.4060105@vivitec.com.au>
Message-ID:

On Tue, 24 Jan 2006, Carl Brewer wrote:

> Alexey Toptygin wrote:
>> On Mon, 23 Jan 2006, Carl Brewer wrote:
>>
>>>> hi maybe I am missing something but can't you just use this
>>>>
>>>> ip r a default via 192.168.239.1 src 72.3.205.160
>>>>
>>>> plus you might need this as well
>>>> ip r a 192.168.239.0/24 src 192.168.239.2
>>>
>>> I just needed the first one, thank you. That worked a treat.
>>>
>>> Out of curiosity, I have that command currently in rc.local, but is
>>> there a better place to put it in the redhat startup sequence? Normally
>>> it'd do in /etc/sysconfig/network but I'm not sure of the possibility of
>>> putting that sort of thing in there?
>>
>> I haven't used RedHat in a while, but IIRC you can put
>> GATEWAY=192.168.239.1
>> into /etc/sysconfig/network-scripts/ifcfg- file
>
> That does the equivalent to the src route above?

No, sorry, I wasn't reading very carefully. It'll add the default route,
but without the src. There was some way to run a script every time you
bring up an interface, but I don't remember what it was.

Alexey

From linux at pilot.org.ua Tue Jan 24 08:16:47 2006
From: linux at pilot.org.ua (Denis Ovsienko)
Date: Tue Jan 24 08:17:35 2006
Subject: [LARTC] Setting an alias as the "default" IP address, or something similar?
In-Reply-To: <43D47C5E.3040401@vivitec.com.au>
References: <43D43FD8.1070008@vivitec.com.au> <20060123032223.GD12447@samad.com.au> <43D47C5E.3040401@vivitec.com.au>
Message-ID: <20060124101647.01e16307.linux@pilot.org.ua>

> Out of curiosity, I have that command currently in rc.local, but is
> there a better place to put it in the redhat startup sequence?
> Normally it'd do in /etc/sysconfig/network but I'm not sure of the
> possibility of putting that sort of thing in there?

There are two ways:

1. create /sbin/ifup-local, which will run 'ip ro add' or 'ip ro replace'.
   Your routing table will be adjusted each time the interface is brought
   up (with default route).

2. Wait until I find time for preparing /etc/net for Fedora Extras. Wait
   until I get my work accepted into Fedora Extras. Wait until /etc/net
   moves to Fedora Core. Wait until next RedHat Linux is built from that
   Fedora Core. Buy one and have fun specifying any route attributes in
   interface configuration files.

--
DO4-UANIC

From sridhar.krishanan at yahoo.co.uk Tue Jan 24 08:42:08 2006
From: sridhar.krishanan at yahoo.co.uk (Sridhar Krishnan)
Date: Tue Jan 24 08:42:13 2006
Subject: [LARTC] Problems in Bandwidth limiting-Help needed!!!
Message-ID: <20060124074209.69324.qmail@web27407.mail.ukl.yahoo.com>

Dear All

I am a newbie to traffic control and I am trying to set up bandwidth
restriction in my local network as well as internet access to users. I got
around 60 pcs in my lab and I am planning to divide bandwidth based on
classes. I am using iptables to mark packets and then route the traffic to
the specified class.

Following is the network setup

Two network cards in the server eth0 and eth1
eth0 - internal network
eth2 - DMZ ( Running Web server, Mail server and FTP )
eth1 - External Network

Following is a sample script I have written in which http, ftp and default
classes are defined.

-------------------------------------------------------------------
## script for traffic control

tc qdisc del dev eth1 root
tc qdisc add dev eth1 root handle 1:0 htb default 5

iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp -i eth1 --dport 80 -j RETURN

tc class add dev eth1 parent 1:0 classid 1:1 htb rate 128kbit ceil 128kbit
tc class add dev eth1 parent 1:1 classid 1:2 htb rate 64kbit ceil 64kbit
tc qdisc add dev eth1 parent 1:2 handle 2: sfq perturb 10
tc filter add dev eth1 parent 1:0 protocol ip prio 1 handle 1 fw classid 1:2

tc class add dev eth1 parent 1:1 classid 1:5 htb rate 32kbit ceil 32kbit
tc qdisc add dev eth1 parent 1:5 handle 5: sfq perturb 10

tc class add dev eth1 parent 1:1 classid 1:3 htb rate 32kbit ceil 32kbit
tc filter add dev eth1 parent 1:0 protocol ip prio 1 handle 2 fw classid 1:3

iptables -t mangle -A PREROUTING -p tcp --dport 5000:5100 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp --dport 5000:5100 -j RETURN
iptables -t mangle -A PREROUTING -p tcp --dport 20 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp --dport 20 -j RETURN
iptables -t mangle -A PREROUTING -p tcp --sport 5000:5100 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp --sport 5000:5100 -j RETURN
iptables -t mangle -A PREROUTING -p tcp --sport 20 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp --sport 20 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m state --state related,established --sport 1024: -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp -m state --state related,established --dport 1024: -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp -m state --state related,established --dport 1024: -j MARK --set-mark 2

## script ends here
----------------------------------------------------------------------------------------

The network is 100 Mbps LAN, the average throughput is around 10 Mbps
normally. The testing was done between the local network and servers
configured in the DMZ, which also has 10 Mbps normal throughput.

I thoroughly tested the above script and following are the results
obtained.

Total Number of Workstations Tested : 10 (Simultaneous access)

SlNo  HTB rate  Ceil rate  root class rate  default rate  Obtained Result
--------------------------------------------------------------------------------
1     2M        2M         10M              2M            800 to 2Mb on all machines
                                                          (expected was 200k on each
                                                          machine, each class getting
                                                          the maximum rate)
2     32k       64k        512k             10k           25k to 36kbps varying on
                                                          different machines and
                                                          different protocols (each
                                                          machine was getting the
                                                          maximum rate for a class)

The protocols tested are HTTP and FTP using the wget utility. The readings
are taken from the output of wget.

Following are the clarifications required.

1) How to restrict the FTP protocols (passive and active FTP)?
2) The rate obtained was exceeding the rate specified. How to solve this?
3) Any problem in bandwidth allocation to classes in the above script?
4) Is it possible to use squid for caching so that users can access the
   internet through a proxy?

Thanks for any help

Sridhar Krishanan

From sorin.panca at gmail.com Tue Jan 24 16:20:25 2006

From: sorin.panca at gmail.com (Sorin Panca)
Date: Tue Jan 24 16:15:51 2006
Subject: [LARTC] Is local originated traffic affected?
Message-ID: <43D645B9.7000901@gmail.com>

Hi!

I built some rules to shape traffic from my linux router in both
directions: to the Internet and to the LAN. When I apply the rules my
computer cannot access the Internet or the LAN. Is this behavior normal?
Do I need to write some rules for local IPs of my router? (I have several,
both on the internal and the external NICs.)

Thank you for any advice!
Sorin.

From sorin.panca at gmail.com Tue Jan 24 21:16:09 2006
From: sorin.panca at gmail.com (Sorin Panca)
Date: Tue Jan 24 21:11:53 2006
Subject: [LARTC] Is local originated traffic affected?
In-Reply-To: <43D65707.7010308@gmail.com>
References: <43D645B9.7000901@gmail.com> <43D6470B.6000501@ll.mit.edu> <43D64CBF.7070001@gmail.com> <43D64E12.50508@ll.mit.edu> <43D65707.7010308@gmail.com>
Message-ID: <43D68B09.3060502@gmail.com>

I posted earlier today and I forgot to attach the rules I used... The problem was that when I apply them, the router gets isolated from both the Internet and the LAN. I'm sorry to reply to my own post! I don't know if this behaviour is normal. Here are my rules...

# Variables assumed to be set earlier in the script (not shown in the post):
# $tc (path to the tc binary), $EXT1/$INT1 (external/internal NIC),
# $kbit/$Mbit (unit suffix strings), the *_RATE/*_CEIL values and
# $THATFILE (the client list).
leaf="sfq perturb 10"
BURST="50k"
CBURST="150k"

# Deleting old qdiscs:
$tc qdisc del dev $EXT1 root &>/dev/null
$tc qdisc del dev $INT1 root &>/dev/null

# Adding three root classes: class 1:A = LAN (100 Mbit/s) MARK = 0x2;
# class 1:B = MAN (1 Mbit/s) MARK = 0x1; class 1:C = Internet (256 kbit/s)
# Also the packets have the TOS field altered by the iptables-script so
# that they are either Minimize-Delay or Maximize-Throughput based on
# their length.
# Anything no filter matches falls into the default class 1:FF (htb default FF).
for DEV in ` echo $INT1 $EXT1 `; do
    $tc qdisc add dev $DEV root handle 1: htb default FF
    # Class MAN
    $tc class add dev $DEV parent 1: classid 1:B htb \
        rate $ROOT_MAN_RATE$kbit ceil $ROOT_MAN_CEIL$kbit \
        burst $BURST cburst $CBURST
    # Class Internet
    $tc class add dev $DEV parent 1: classid 1:C htb \
        rate $ROOT_NET_RATE$kbit ceil $ROOT_NET_CEIL$kbit \
        burst $BURST cburst $CBURST
    # Class default
    $tc class add dev $DEV parent 1: classid 1:FF htb \
        rate $BULK_NET_RATE$kbit ceil $BULK_NET_CEIL$kbit
    $tc qdisc add dev $DEV parent 1:FF handle FF: $leaf
done

# Class LAN
$tc class add dev $INT1 parent 1: classid 1:A htb \
    rate $LAN_RATE$Mbit ceil $LAN_RATE$Mbit \
    burst $BURST cburst $CBURST
$tc qdisc add dev $INT1 parent 1:A handle A: $leaf
$tc filter add dev $INT1 parent 1: protocol ip prio 1 \
    u32 match mark 0x2 0xffffffff flowid 1:A

# Reading the list of clients from a file (one client per line).
# Cutting out some details about reading that file: $hIP is the
# last part of the client's IP written in hex, $MAXIP the full address
# (the network is 192.168.0.0/24)
for CLIENT in $THATFILE; do
    # Setting speeds in MAN:
    for DEV in ` echo $EXT1 $INT1 `; do
        $tc class add dev $DEV parent 1:B classid 1:B$hIP htb \
            rate $MANRATE ceil $MANCEIL \
            burst $BURST cburst $CBURST &>/dev/null
        $tc qdisc add dev $DEV parent 1:B$hIP handle B$hIP: \
            $leaf &>/dev/null
    done
    # Setting speeds in the Internet
    for DEV in ` echo $EXT1 $INT1 `; do
        $tc class add dev $DEV parent 1:C classid 1:C$hIP htb \
            rate $NETRATE ceil $NETCEIL \
            burst $BURST cburst $CBURST &>/dev/null
        $tc qdisc add dev $DEV parent 1:C$hIP handle C$hIP: \
            $leaf &>/dev/null
    done
    # All filters share prio 1, and u32 filters at one prio are tried in the
    # order they were added, so the mark-qualified ones are added first.
    $tc filter add dev $INT1 parent 1: protocol ip prio 1 u32 \
        match ip dst $MAXIP/32 \
        match mark 0x1 0xffffffff \
        flowid 1:B$hIP
    $tc filter add dev $EXT1 parent 1: protocol ip prio 1 u32 \
        match ip src $MAXIP/32 \
        match mark 0x1 0xffffffff \
        flowid 1:B$hIP
    $tc filter add dev $INT1 parent 1: protocol ip prio 1 u32 \
        match ip dst $MAXIP/32 \
        flowid 1:C$hIP
    $tc filter add dev $EXT1 parent 1: protocol ip prio 1 u32 \
        match ip src $MAXIP/32 \
        flowid 1:C$hIP
done

Thank you in advance!

From boy2eye at yahoo.com.cn Wed Jan 25 03:41:52 2006
From: boy2eye at yahoo.com.cn (bend chen)
Date: Wed Jan 25 03:42:43 2006
Subject: [LARTC] tcf_action_destroy destroying
Message-ID: <20060125024152.82345.qmail@web15407.mail.cnb.yahoo.com>

Hi, lartc

I used iproute-060110 with iptables 1.3.4 on gentoo 2005r1, kernel 2.6.14-5. I find some error messages in the system logfile:

HTB: quantum of class 10001 is big. Consider r2q change.
HTB: quantum of class 10010 is big. Consider r2q change.
tcf_action_init_1: successfull police
HTB: quantum of class 20001 is big. Consider r2q change.
HTB: quantum of class 20020 is big. Consider r2q change.
HTB: quantum of class 10001 is big. Consider r2q change.
HTB: quantum of class 10010 is big. Consider r2q change.
tcf_action_destroy destroying dcf0ba60 next 00000000
tcf_action_init_1: successfull police
HTB: quantum of class 20001 is big. Consider r2q change.
HTB: quantum of class 20020 is big. Consider r2q change.

and this is my script:

# /root/ct/sbin/ct is the poster's own tc binary (iproute-060110).
# eth0: root HTB 1:, everything defaults to 1:10; packets marked 2 go to 1:11.
/root/ct/sbin/ct qdisc del dev eth0 root
/root/ct/sbin/ct qdisc del dev eth0 ingress
/root/ct/sbin/ct qdisc add dev eth0 root handle 1: htb default 10 r2q 1
/root/ct/sbin/ct class add dev eth0 parent 1: classid 1:1 htb rate 10000kbps
/root/ct/sbin/ct class add dev eth0 parent 1:1 classid 1:10 htb rate 9990kbps ceil 10000kbps
/root/ct/sbin/ct class add dev eth0 parent 1:1 classid 1:11 htb rate 10kbps
/root/ct/sbin/ct qdisc add dev eth0 parent 1:10 handle 13: sfq perturb 5
/root/ct/sbin/ct qdisc add dev eth0 parent 1:11 handle 14: sfq perturb 5
/root/ct/sbin/ct filter add dev eth0 parent 1: protocol ip handle 1 fw classid 1:10
/root/ct/sbin/ct filter add dev eth0 parent 1: protocol ip handle 2 fw classid 1:11
# eth1: root HTB 2:, everything defaults to 2:20; packets marked 4 go to 2:21.
/root/ct/sbin/ct qdisc del dev eth1 root
/root/ct/sbin/ct qdisc add dev eth1 root handle 2: htb default 20 r2q 1
/root/ct/sbin/ct class add dev eth1 parent 2: classid 2:1 htb rate 10000kbps
/root/ct/sbin/ct class add dev eth1 parent 2:1 classid 2:20 htb rate 990kbps ceil 10000kbps
/root/ct/sbin/ct class add dev eth1 parent 2:1 classid 2:21 htb rate 100kbps
/root/ct/sbin/ct qdisc add dev eth1 parent 2:20 handle 15: sfq perturb 5
/root/ct/sbin/ct qdisc add dev eth1 parent 2:21 handle 16: sfq perturb 5
/root/ct/sbin/ct filter add dev eth1 parent 2: protocol ip handle 3 fw classid 2:20
/root/ct/sbin/ct filter add dev eth1 parent 2: protocol ip handle 4 fw classid 2:21
# Mark bridged bittorrent traffic (layer7 match) in each direction; no rule
# sets mark 1 or 3, so the "handle 1" and "handle 3" filters never match.
iptables -t mangle -F
iptables -F
iptables -t mangle -A FORWARD -m physdev --physdev-in eth1 --physdev-out eth0 -m layer7 --l7proto bittorrent -j MARK --set-mark 0x2
iptables -t mangle -A FORWARD -m physdev --physdev-in eth1 --physdev-out eth0 -m layer7 --l7proto bittorrent -j RETURN
iptables -t mangle -A FORWARD -m physdev --physdev-in eth0 --physdev-out eth1 -m layer7 --l7proto bittorrent -j MARK --set-mark 0x4
iptables -t mangle -A FORWARD -m physdev --physdev-in eth0 --physdev-out eth1 -m layer7 --l7proto bittorrent -j RETURN

Thanks for your help.

From openswan at obs.bg Wed Jan 25 14:28:14 2006
From: openswan at obs.bg (openswan)
Date: Wed Jan 25 14:26:33 2006
Subject: [LARTC] PRIO on non-leaf classes?
Message-ID: <43D77CEE.8000001@obs.bg>

Hello,

I'm using HTB and would like to ask: is it correct to put "PRIO" on non-leaf classes? I know that on leaf classes it's correct and determines how the excess bandwidth is distributed among non-leaf classes.

Thanks
Nikolay G.K

From dor at ldc.net Wed Jan 25 15:07:54 2006
From: dor at ldc.net (Dmytro O. Redchuk)
Date: Wed Jan 25 15:09:00 2006
Subject: [LARTC] PRIO on non-leaf classes?
In-Reply-To: <43D77CEE.8000001@obs.bg>
References: <43D77CEE.8000001@obs.bg>
Message-ID: <20060125140754.GM3873@ldc.net>

On Wed, Jan 25, 2006 at 03:28:14PM +0200, openswan wrote:
> Hello,
>
> I'm using HTB and would like to ask is it correct to put "PRIO" on
> non-leaf classes ? I know that on leaf classes it's correct and
> determines how the excess bandwidth is distributed among non-leaf classes.

I believe it's okay, but I didn't experiment much. ((I think of HTB classes as working with tokens, both leaf and non-leaf.))

> Thanks
> Nikolay G.K

--
Dmytro O. Redchuk

From Andreas.Klauer at metamorpher.de Wed Jan 25 16:00:21 2006
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Wed Jan 25 16:01:12 2006
Subject: [LARTC] PRIO on non-leaf classes?
In-Reply-To: <43D77CEE.8000001@obs.bg>
References: <43D77CEE.8000001@obs.bg>
Message-ID: <20060125150021.GB10755@EIS>

On Wed, Jan 25, 2006 at 03:28:14PM +0200, openswan wrote:
> I'm using HTB and would like to ask is it correct to put "PRIO" on
> non-leaf classes ? I know that on leaf classes it's correct and
> determines how the excess bandwidth is distributed among non-leaf classes.

Depends on what you mean by "PRIO". If you're talking about the class parameter prio (in lower-case letters), then it's correct; the PRIO qdisc, however, cannot be attached to anything but the device itself (root qdisc) or a leaf class.

Regards
Andreas Klauer

From gypsy at iswest.com Wed Jan 25 16:20:46 2006
From: gypsy at iswest.com (gypsy)
Date: Wed Jan 25 16:21:45 2006
Subject: [LARTC] tcf_action_destroy destroying
References: <20060125024152.82345.qmail@web15407.mail.cnb.yahoo.com>
Message-ID: <43D7974E.A7227A14@iswest.com>

bend chen wrote:
>
> Hi,lartc
>
> I used iproute-060110 with iptables1.3.4 on gentoo 2005r1 kernel
> 2.6.14-5.
> I find some error messages in system logfile:
>
> HTB: quantum of class 10001 is big. Consider r2q change.
> HTB: quantum of class 10010 is big. Consider r2q change.
> tcf_action_init_1: successfull police
> HTB: quantum of class 20001 is big. Consider r2q change.
> HTB: quantum of class 20020 is big. Consider r2q change.
> HTB: quantum of class 10001 is big. Consider r2q change.
> HTB: quantum of class 10010 is big. Consider r2q change.
> tcf_action_destroy destroying dcf0ba60 next 00000000
> tcf_action_init_1: successfull police
> HTB: quantum of class 20001 is big. Consider r2q change.
> HTB: quantum of class 20020 is big. Consider r2q change.
>
> and this is my script:
>
> /root/ct/sbin/ct qdisc del dev eth0 root ;
> /root/ct/sbin/ct qdisc del dev eth0 ingress ;
> /root/ct/sbin/ct qdisc add dev eth0 root handle 1: htb default 10 r2q 1;
> /root/ct/sbin/ct class add dev eth0 parent 1: classid 1:1 htb rate 10000kbps;
> /root/ct/sbin/ct class add dev eth0 parent 1:1 classid 1:10 htb rate 9990kbps ceil 10000kbps;
> /root/ct/sbin/ct class add dev eth0 parent 1:1 classid 1:11 htb rate 10kbps;
> /root/ct/sbin/ct qdisc add dev eth0 parent 1:10 handle 13: sfq perturb 5;
> /root/ct/sbin/ct qdisc add dev eth0 parent 1:11 handle 14: sfq perturb 5;
> /root/ct/sbin/ct filter add dev eth0 parent 1: protocol ip handle 1 fw classid 1:10;
> /root/ct/sbin/ct filter add dev eth0 parent 1: protocol ip handle 2 fw classid 1:11;
> /root/ct/sbin/ct qdisc del dev eth1 root;
> /root/ct/sbin/ct qdisc add dev eth1 root handle 2: htb default 20 r2q 1;
> /root/ct/sbin/ct class add dev eth1 parent 2: classid 2:1 htb rate 10000kbps;

This is HUGE; you cannot mean 10,000Kbit!??
--
gypsy

From linux at pilot.org.ua Wed Jan 25 17:47:15 2006
From: linux at pilot.org.ua (Denis Ovsienko)
Date: Wed Jan 25 17:48:07 2006
Subject: [LARTC] Is local originated traffic affected?
In-Reply-To: <43D645B9.7000901@gmail.com>
References: <43D645B9.7000901@gmail.com>
Message-ID: <20060125194715.09a029a7.linux@pilot.org.ua>

> When I apply the rules my computer cannot access the Internet or the
> LAN. Is this behavior normal? Do I need to write some rules for local
> IPs of my router? (I have several, both on the internal and the

Generally speaking, the queue disciplines/classes of a particular network interface don't take into account whether the outgoing packets being queued were generated by localhost or are forwarded from other hosts. So a more probable reason for the effect described could be that your QoS setup limits packets originating from localhost to a very low rate (say, 0kbps), effectively dropping them. Or that could be a firewall misconfiguration. Hope this hint helps.

--
DO4-UANIC

From nampreet at hotmail.com Thu Jan 26 09:23:13 2006
From: nampreet at hotmail.com (Nampreet Sarao)
Date: Thu Jan 26 09:24:23 2006
Subject: [LARTC] help!!
Message-ID:

hi

I am doing my final year project on Traffic Shaping. Could any one please guide me how I actually go about it, I mean the first step. I have read the LARTC documentation for the same. What do I do next? Please help.

thanks in advance

From boy2eye at yahoo.com.cn Thu Jan 26 09:35:41 2006
From: boy2eye at yahoo.com.cn (bend chen)
Date: Thu Jan 26 09:35:55 2006
Subject: [LARTC] tcf_action_destroy destroying
Message-ID: <20060126083541.61520.qmail@web15408.mail.cnb.yahoo.com>

hi.

> gypsy wrote:
> This is HUGE; you cannot mean 10,000Kbit!??

???, in my script 10000Kbps means 10Mbps. Can iproute not support 10Mbps?

> bend chen wrote:
> >
> > Hi,lartc
> >
> > I used iproute-060110 with iptables1.3.4 on gentoo 2005r1 kernel
> > 2.6.14-5.
> > I find some error messages in system logfile:
> >
> > HTB: quantum of class 10001 is big. Consider r2q change.
> > HTB: quantum of class 10010 is big. Consider r2q change.
> > tcf_action_init_1: successfull police
> > HTB: quantum of class 20001 is big. Consider r2q change.
> > HTB: quantum of class 20020 is big. Consider r2q change.
> > HTB: quantum of class 10001 is big. Consider r2q change.
> > HTB: quantum of class 10010 is big. Consider r2q change.
> > tcf_action_destroy destroying dcf0ba60 next 00000000
> > tcf_action_init_1: successfull police
> > HTB: quantum of class 20001 is big. Consider r2q change.
> > HTB: quantum of class 20020 is big. Consider r2q change.
> >
> > and this is my script:
> >
> > /root/ct/sbin/ct qdisc del dev eth0 root ;
> > /root/ct/sbin/ct qdisc del dev eth0 ingress ;
> > /root/ct/sbin/ct qdisc add dev eth0 root handle 1: htb default 10 r2q 1;
> > /root/ct/sbin/ct class add dev eth0 parent 1: classid 1:1 htb rate 10000kbps;
> > /root/ct/sbin/ct class add dev eth0 parent 1:1 classid 1:10 htb rate 9990kbps ceil 10000kbps;
> > /root/ct/sbin/ct class add dev eth0 parent 1:1 classid 1:11 htb rate 10kbps;
> > /root/ct/sbin/ct qdisc add dev eth0 parent 1:10 handle 13: sfq perturb 5;
> > /root/ct/sbin/ct qdisc add dev eth0 parent 1:11 handle 14: sfq perturb 5;
> > /root/ct/sbin/ct filter add dev eth0 parent 1: protocol ip handle 1 fw classid 1:10;
> > /root/ct/sbin/ct filter add dev eth0 parent 1: protocol ip handle 2 fw classid 1:11;
> > /root/ct/sbin/ct qdisc del dev eth1 root;
> > /root/ct/sbin/ct qdisc add dev eth1 root handle 2: htb default 20 r2q 1;
> > /root/ct/sbin/ct class add dev eth1 parent 2: classid 2:1 htb rate 10000kbps;
>
> This is HUGE; you cannot mean 10,000Kbit!??
> --
> gypsy

From lhaond at bearstech.com Thu Jan 26 11:33:12 2006
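The warnings in this thread come from HTB's quantum check, and the unit question gypsy raised is part of the same picture: tc reads a rate suffix of kbps as kilobytes per second (the LARTC HOWTO's unit table; kbit is kilobits), so 10000kbps is 10,000,000 bytes/s, i.e. 80 Mbit/s, and with r2q 1 the quantum (rate in bytes/s divided by r2q) is far above the 200000-byte ceiling that sch_htb warns about and clamps to. The script below is an added example, not code from either poster: it converts tc rate strings to bytes/s, reproduces the 2.6-era kernel check for the classes in the posted script (only 1:1, 1:10, 2:1 and 2:20 trip it, matching the logged class ids 10001, 10010, 20001 and 20020), and computes which r2q, if any, keeps every class under one root inside the limits. The thresholds and unit table are the kernel's and tc's; the function names are my own, and the unrelated tcf_action lines in the log are not addressed.

```shell
#!/bin/sh
# Added example, not code from the post: predict "HTB: quantum of class X is
# big/small. Consider r2q change." before loading a script.  HTB derives each
# class's quantum as rate (in BYTES per second) / r2q and, in 2.6 sch_htb.c,
# warns and clamps when that is < 1000 or > 200000 bytes, unless the class
# was given an explicit "quantum".

# Convert a tc rate string to bytes per second.  tc matches suffixes
# case-insensitively: "...bit" units are bits/s, "...bps" units are BYTES/s,
# so 10000kbps is 10,000,000 bytes/s (80 Mbit/s), not 10 Mbit/s.
tc_rate_to_bytes() {
    num=${1%%[A-Za-z]*}
    unit=$(printf '%s' "${1#"$num"}" | tr 'A-Z' 'a-z')
    case "$unit" in
        ''|bit) echo $((num / 8)) ;;
        kbit)   echo $((num * 1000 / 8)) ;;
        mbit)   echo $((num * 1000000 / 8)) ;;
        bps)    echo "$num" ;;
        kbps)   echo $((num * 1000)) ;;
        mbps)   echo $((num * 1000000)) ;;
        *)      echo "unsupported rate unit: $unit" >&2; return 1 ;;
    esac
}

# Print "<classid> <computed quantum> <effective quantum> <ok|small|big>"
# for one class, as the kernel would see it.  r2q defaults to 10, as in HTB.
htb_quantum_check() {
    cls=$1; bytes=$(tc_rate_to_bytes "$2") || return 1; r2q=${3:-10}
    q=$((bytes / r2q))
    if [ "$q" -lt 1000 ]; then
        echo "$cls $q 1000 small"
    elif [ "$q" -gt 200000 ]; then
        echo "$cls $q 200000 big"
    else
        echo "$cls $q $q ok"
    fi
}

# Every class under one root shares that root's r2q, so derive it from the
# slowest and fastest class rates.  Prints "lo hi" when a fitting r2q exists,
# or only "lo" when none does (then set quantum explicitly on the classes).
htb_r2q_range() {
    min_b=$(tc_rate_to_bytes "$1") || return 1
    max_b=$(tc_rate_to_bytes "$2") || return 1
    lo=$(( (max_b + 199999) / 200000 ))  # smallest r2q with max quantum <= 200000
    hi=$(( min_b / 1000 ))               # largest r2q with min quantum >= 1000
    if [ "$lo" -lt 1 ]; then lo=1; fi
    if [ "$hi" -ge "$lo" ]; then echo "$lo $hi"; else echo "$lo"; fi
}

# "sh thisfile demo" runs the check over the classes from the posted script.
if [ "${1:-}" = "demo" ]; then
    for spec in "1:1 10000kbps" "1:10 9990kbps" "1:11 10kbps" \
                "2:1 10000kbps" "2:20 990kbps" "2:21 100kbps"; do
        set -- $spec; htb_quantum_check "$1" "$2" 1
    done
    htb_r2q_range 10kbps 10000kbps
fi
```

For the eth0 root in the posted script (classes from 10kbps to 10000kbps) no single r2q fits both ends, which is why the usual answer is to give the wide classes an explicit quantum rather than to keep tuning r2q.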
From: lhaond at bearstech.com (Laurent Haond)
Date: Thu Jan 26 11:34:31 2006
Subject: [LARTC] tc qdisc ingress problem ?
Message-ID: <43D8A568.8040202@bearstech.com>

Hi, all

I've got problems with tc qdisc ingress. I'm using a vanilla kernel 2.6.14.4 patched with http://www.ssi.bg/~ja/routes-2.6.14-12.diff, and iproute2-2.6.14-051107.

I am using ingress to limit incoming traffic (DEV is eth1 / DOWNLINK is 7700):

# attach ingress policer:
tc qdisc add dev $DEV handle ffff: ingress
# filter *everything* to it (0.0.0.0/0), drop everything that's
# coming in too fast:
tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
    0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1

This does limit traffic, but to ~32KB/s !!

# tc -s qdisc show dev eth1
[...]
qdisc ingress ffff: ----------------
 Sent 37001411 bytes 51120 pkt (dropped 3422, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

Is it normal to have dropped packets without overlimits?? Could it be related to CPU performance (overload)? I'm using a wrap2 board (geode sc1100 at 266Mhz). Running top during a big download, it appears that the cpu is 95% idle...

Thanks
Laurent Haond

From sorin.panca at gmail.com Thu Jan 26 13:43:30 2006
From: sorin.panca at gmail.com (Sorin Panca)
Date: Thu Jan 26 13:38:44 2006
Subject: [LARTC] Is local originated traffic affected?
Message-ID: <43D8C3F2.5050809@gmail.com>

Denis Ovsienko wrote:
> So a more probable reason for the effect described could be that your QoS
> setup limits packets originating from localhost to a very low rate (say,
> 0kbps), effectively dropping them. Or that could be a firewall
> misconfiguration. Hope this hint helps.

Thank you! That was the problem: locally generated traffic was going to the default class. I've added some filters for it and now it works fine. Firewall configuration was added and tested long before the implementation of qdiscs. It works ok.

From manish at tuxspace.com Thu Jan 26 14:29:18 2006
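Denis's explanation and Sorin's follow-up reduce to one rule: egress shaping queues the router's own packets like any others, but a mark set in the mangle FORWARD chain never reaches them (they traverse OUTPUT and POSTROUTING only), so they fall into whatever class "htb default" names, and on a box whose default class is the slow bulk class that cuts off the router's own management traffic. The script below is an added example, not the poster's code: it gives router-originated traffic its own HTB class under a root handle 1: like the one in the posted script, either by matching each local source address or by marking in mangle OUTPUT and classifying on the mark. The class id 1:E, the rate, the mark value 0x3, the filter prio and the function names are assumptions; by default the commands are printed for review, and exporting TC=tc IPT=iptables applies them.

```shell
#!/bin/sh
# Added example, not from the thread.  The router's own packets are queued by
# the same egress qdisc as forwarded ones, but they never pass the mangle
# FORWARD chain, so a MARK set there is missing and they end up in whatever
# "htb default" points at.  These functions print (or, with TC=tc
# IPT=iptables, run) the commands that give local traffic its own class
# under root 1:.  Class id, rate, prio and mark values are illustrative.
TC=${TC:-"echo tc"}
IPT=${IPT:-"echo iptables"}

# Variant 1: classify by source address.  One filter per local IP, to be
# redone whenever addresses change.
# $1=dev $2=classid $3=rate $4=filter prio, remaining args = the router's IPs
local_class_by_addr() {
    dev=$1; cls=$2; rate=$3; prio=$4; shift 4
    $TC class add dev "$dev" parent 1: classid "$cls" htb rate "$rate" ceil "$rate"
    $TC qdisc add dev "$dev" parent "$cls" handle "${cls#*:}:" sfq perturb 10
    for ip in "$@"; do
        $TC filter add dev "$dev" parent 1: protocol ip prio "$prio" \
            u32 match ip src "$ip/32" flowid "$cls"
    done
}

# Variant 2: mark in mangle OUTPUT, the one mangle chain locally generated
# packets do traverse, and classify on the mark.  Covers every local
# address at once, including ones added later.
# $1=dev $2=classid $3=rate $4=filter prio $5=mark
local_class_by_mark() {
    dev=$1; cls=$2; rate=$3; prio=$4; mark=$5
    $TC class add dev "$dev" parent 1: classid "$cls" htb rate "$rate" ceil "$rate"
    $TC qdisc add dev "$dev" parent "$cls" handle "${cls#*:}:" sfq perturb 10
    $IPT -t mangle -A OUTPUT -o "$dev" -j MARK --set-mark "$mark"
    $TC filter add dev "$dev" parent 1: protocol ip prio "$prio" \
        u32 match mark "$mark" 0xffffffff flowid "$cls"
}

# Filters are tried in ascending prio, and u32 filters sharing a prio in the
# order they were added.  The posted script uses prio 1 everywhere, so either
# add this filter before the per-client ones or move those to prio 2;
# otherwise a per-client "match ip dst" filter claims the packet first.
if [ "${1:-}" = "demo" ]; then
    local_class_by_addr eth1 1:E 512kbit 1 192.168.0.1 10.0.0.2
    local_class_by_mark eth0 1:E 512kbit 1 0x3
fi
```

The mark variant is the one to prefer on a router with several addresses per interface, as in the original question, since it needs no per-address bookkeeping; the address variant is the minimal change when the mangle table is off limits.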
From: manish at tuxspace.com (Manish Kathuria)
Date: Thu Jan 26 14:31:52 2006
Subject: [LARTC] Problems in Dead Gateway Detection / Failover - Multiple ISP Links
Message-ID: <43D8CEAE.3010006@tuxspace.com>

Hello,

I have configured a load balancing router using Julian's patches and as described in "nano.txt" for two ISP links as shown below.

[ASCII topology diagram, flattened in the archive: ISP 1 and ISP 2 each terminate on a router, R1 (WAN side, LAN-side address GW1) and R2 (WAN side, LAN-side address GW2); R1 connects to the Linux router's EXT1 interface and R2 to its EXT2 interface; the Linux router's INT IF faces the LAN.]

LAN NETWORK = 192.168.100.0/24
INT IF = 192.168.100.1

ISP1 NETWORK = 10.20.30.128/29
R1 - ROUTER1
GW1 = 10.20.30.129
EXT1 = 10.20.30.130

ISP2 NETWORK = 172.16.32.128/29
R2 - ROUTER2
GW2 = 172.16.32.129
EXT2 = 172.16.32.130

Both the ISPs have provided /29 subnets of public IPs. The above mentioned addresses are just for example. The gateways for both the ISPs are routers placed at the same location which are further connected through radio link and leased line.

Things work fine as long as both the ISP links are alive. While testing the dead gateway detection and failover functionality we observed that if we make the first hop gateway (i.e. router R1 or R2) of one of the ISPs dead, by either disconnecting the ethernet cable between the Linux router and R1/R2 or by switching off the gateway (R1/R2) itself, dead gateway detection takes place and failover to the other ISP takes place. However, if there is a problem in the ISP connectivity at any of the subsequent hops, there is no dead gateway detection and failover also does not take place. I have tested this on various linux kernels from the 2.4 as well as 2.6 series. Somehow I have never faced a similar problem before and things have been working perfectly.

In real life situations here, the first hop gateway is rarely going to be down, so dead gateway detection and failover is going to be required whenever there is some connectivity problem at any of the later hops. So that's where dead gateway detection needs to work. What could be the reason? How can this be resolved? I would appreciate any pointers or suggestions.

Thanks,
Manish Kathuria

From ethy.brito at inexo.com.br Thu Jan 26 15:08:37 2006
From: ethy.brito at inexo.com.br (Ethy H. Brito)
Date: Thu Jan 26 15:08:49 2006
Subject: [LARTC] nat table remenbering nat's
Message-ID: <20060126120837.12956dd4@pulsar.inexo.com.br>

Dear All

Why do NAT rules stay valid even if I flush the nat and filter table chains??

I have:

iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# --dport is only valid together with a protocol match (tcp assumed here)
iptables -A FORWARD -p tcp -s SOME_IP -d SOME_BCP_5_IP --dport 1234 -j ACCEPT
# the nat table is selected with -t, not -i
iptables -t nat -A PREROUTING -p tcp -s SOME_IP -d MY_INTERNET_IP \
    --dport 1234 -j DNAT --to-destination SOME_BCP_5_IP

The connection is established and the data is flowing normally. Suddenly I decide to not authorize this data flow anymore. So I

iptables -t nat -F PREROUTING
iptables -F FORWARD

To my surprise the data flow (observed with tcpdump) is still there! It is like the state machine does not let go of this data flow.

What to do to block this data flow??
Is there any way to flush the conntrack database?

Regards

--
Ethy H. Brito                /"\
InterNexo Ltda.              \ /  CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
+55 (12) 3941-6860            X   ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
S.J.Campos - Brasil          / \

From GregScott at InfraSupportEtc.com Thu Jan 26 15:22:51 2006
From: GregScott at InfraSupportEtc.com (Greg Scott)
Date: Thu Jan 26 15:22:59 2006
Subject: [LARTC] nat table remenbering nat's
Message-ID: <925A849792280C4E80C5461017A4B8A2031F45@mail733.InfraSupportEtc.com>

Doesn't the policy change to ACCEPT after you flush the rules? Try an iptables -L -v -n after doing iptables -F and see what the default policy says.

- Greg Scott

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Ethy H. Brito
Sent: Thursday, January 26, 2006 8:09 AM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] nat table remenbering nat's

Dear All

Why do NAT rules stay valid even if I flush the nat and filter table chains??

I have:

iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -s SOME_IP -d SOME_BCP_5_IP --dport 1234 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -s SOME_IP -d MY_INTERNET_IP \
    --dport 1234 -j DNAT --to-destination SOME_BCP_5_IP

The connection is established and the data is flowing normally. Suddenly I decide to not authorize this data flow anymore. So I

iptables -t nat -F PREROUTING
iptables -F FORWARD

To my surprise the data flow (observed with tcpdump) is still there! It is like the state machine does not let go of this data flow.

What to do to block this data flow??
Is there any way to flush the conntrack database?

Regards

--
Ethy H. Brito, InterNexo Ltda., +55 (12) 3941-6860, S.J.Campos - Brasil
ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL

From ethy.brito at inexo.com.br Thu Jan 26 15:51:13 2006
From: ethy.brito at inexo.com.br (Ethy H. Brito)
Date: Thu Jan 26 15:51:21 2006
Subject: [LARTC] nat table remenbering nat's
In-Reply-To: <925A849792280C4E80C5461017A4B8A2031F45@mail733.InfraSupportEtc.com>
References: <925A849792280C4E80C5461017A4B8A2031F45@mail733.InfraSupportEtc.com>
Message-ID: <20060126125113.397817e3@pulsar.inexo.com.br>

On Thu, 26 Jan 2006 08:22:51 -0600
"Greg Scott" wrote:

> Doesn't the policy change to ACCEPT after you flush the rules? Try an
> iptables -L -v -n after doing iptables -F and see what the default
> policy says.

Yes it does. It changes to ACCEPT in all chains. So you are saying that I cannot stop the pre-established data flow because it will keep flowing, because the default policy changed to ACCEPT, updating the timeout timer?

But I flushed the nat table. This should kill all conntrack entries related to the rules on this table.

Ethy

> - Greg Scott
>
> -----Original Message-----
> From: lartc-bounces@mailman.ds9a.nl
> [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Ethy H. Brito
> Sent: Thursday, January 26, 2006 8:09 AM
> To: lartc@mailman.ds9a.nl
> Subject: [LARTC] nat table remenbering nat's
>
> Dear All
>
> Why do NAT rules stay valid even if I flush the nat and filter table chains??
>
> I have:
>
> iptables -P FORWARD DROP
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -p tcp -s SOME_IP -d SOME_BCP_5_IP --dport 1234 -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp -s SOME_IP -d MY_INTERNET_IP \
>     --dport 1234 -j DNAT --to-destination SOME_BCP_5_IP
>
> The connection is established and the data is flowing normally.
> Suddenly I decide to not authorize this data flow anymore. So I
>
> iptables -t nat -F PREROUTING
> iptables -F FORWARD
>
> To my surprise the data flow (observed with tcpdump) is still there!
> It is like the state machine does not let go of this data flow.
>
> What to do to block this data flow??
> Is there any way to flush the conntrack database?
>
> Regards
>
> --
> Ethy H. Brito, InterNexo Ltda., +55 (12) 3941-6860, S.J.Campos - Brasil
> ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL

--
Ethy H. Brito                /"\
InterNexo Ltda.              \ /  CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
+55 (12) 3941-6860            X   ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
S.J.Campos - Brasil          / \

From GregScott at InfraSupportEtc.com Thu Jan 26 15:58:34 2006
From: GregScott at InfraSupportEtc.com (Greg Scott)
Date: Thu Jan 26 15:58:43 2006
Subject: [LARTC] nat table remenbering nat's
Message-ID: <925A849792280C4E80C5461017A4B8A2031F47@mail733.InfraSupportEtc.com>

No, it just flushes the rules and changes the policy to ACCEPT. The connections are still connected. I do this all the time with firewalls up and running. If flushing the rules killed all the active connections, it would be super disruptive.

I suppose if you want to stop connections, flush the rules and then set the policy to DROP - do 2 commands instead of just flushing.

Take what I say for what it's worth. I am not a netfilter developer, just a long-time user.

- Greg

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Ethy H. Brito
Sent: Thursday, January 26, 2006 8:51 AM
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] nat table remenbering nat's

On Thu, 26 Jan 2006 08:22:51 -0600
"Greg Scott" wrote:

> Doesn't the policy change to ACCEPT after you flush the rules? Try an
> iptables -L -v -n after doing iptables -F and see what the default
> policy says.

Yes it does. It changes to ACCEPT in all chains. So you are saying that I cannot stop the pre-established data flow because it will keep flowing, because the default policy changed to ACCEPT, updating the timeout timer?

But I flushed the nat table. This should kill all conntrack entries related to the rules on this table.

Ethy

> - Greg Scott
>
> -----Original Message-----
> From: lartc-bounces@mailman.ds9a.nl
> [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Ethy H. Brito
> Sent: Thursday, January 26, 2006 8:09 AM
> To: lartc@mailman.ds9a.nl
> Subject: [LARTC] nat table remenbering nat's
>
> Dear All
>
> Why do NAT rules stay valid even if I flush the nat and filter table chains??
>
> I have:
>
> iptables -P FORWARD DROP
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -p tcp -s SOME_IP -d SOME_BCP_5_IP --dport 1234 -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp -s SOME_IP -d MY_INTERNET_IP \
>     --dport 1234 -j DNAT --to-destination SOME_BCP_5_IP
>
> The connection is established and the data is flowing normally.
> Suddenly I decide to not authorize this data flow anymore. So I
>
> iptables -t nat -F PREROUTING
> iptables -F FORWARD
>
> To my surprise the data flow (observed with tcpdump) is still there!
> It is like the state machine does not let go of this data flow.
>
> What to do to block this data flow??
> Is there any way to flush the conntrack database?
>
> Regards
>
> --
> Ethy H. Brito, InterNexo Ltda., +55 (12) 3941-6860, S.J.Campos - Brasil
> ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL

--
Ethy H. Brito, InterNexo Ltda., +55 (12) 3941-6860, S.J.Campos - Brasil
ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL

From ethy.brito at inexo.com.br Thu Jan 26 16:15:56 2006
From: ethy.brito at inexo.com.br (Ethy H. Brito)
Date: Thu Jan 26 16:16:04 2006
Subject: [LARTC] nat table remenbering nat's
In-Reply-To: <925A849792280C4E80C5461017A4B8A2031F47@mail733.InfraSupportEtc.com>
References: <925A849792280C4E80C5461017A4B8A2031F47@mail733.InfraSupportEtc.com>
Message-ID: <20060126131556.2d7b884e@pulsar.inexo.com.br>

On Thu, 26 Jan 2006 08:58:34 -0600
"Greg Scott" wrote:

> No, it just flushes the rules and changes the policy to ACCEPT. The
> connections are still connected. I do this all the time with firewalls
> up and running. If flushing the rules killed all the active
> connections, it would be super disruptive.

Well, at least the connections belonging to NAT should be destroyed, because there is no authorization for these data flows anymore. Don't you agree?

> I suppose if you want to stop connections, flush the rules and then set
> the policy to DROP - do 2 commands instead of just flushing.

I did this. Stopped (flushed) all (I really mean all) rules and started them again with a different source address for the NAT rules. My surprise was that the old NAT connection continued to flow despite the fact that there was no rule in the nat table for it. I suppose this old connection is still flowing because the conntrack database states it as ESTABLISHED and it is grabbed by the "ESTABLISHED,RELATED -j ACCEPT" rule. Did I make myself clear?

I suppose that once a data flow is established its conntrack database entry is only deleted if you or the other party kills the application that holds the connection alive.

BTW rebooting the machine stops the old data flow and only accepts the second (new) one. (Unnecessary to say that rebooting clears the conntrack database, of course.)

> Take what I say for what it's worth. I am not a netfilter developer,
> just a long-time user.

And so am I. Just a long-time user since ipfwadm.

(Could any developer reading this please shed some light on this?)

Ethy

From GregScott at InfraSupportEtc.com Thu Jan 26 17:13:55 2006
From: GregScott at InfraSupportEtc.com (Greg Scott)
Date: Thu Jan 26 17:14:11 2006
Subject: [LARTC] nat table remenbering nat's
Message-ID: <925A849792280C4E80C5461017A4B8A2031F48@mail733.InfraSupportEtc.com>

> Well, at least the connections belonging to NAT should be destroyed,
> because there is no authorization for these data flows anymore.
> Don't you agree?

Don't know. The Netfilter developers would have to answer that one. The netfilter guys have a userspace conntrack program that (I think) lets you look at the conntrack database. And I think there are some data structures in the /proc filesystem. But I haven't dug into them.

- Greg

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Ethy H. Brito
Sent: Thursday, January 26, 2006 9:16 AM
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] nat table remenbering nat's

On Thu, 26 Jan 2006 08:58:34 -0600
"Greg Scott" wrote:

> No, it just flushes the rules and changes the policy to ACCEPT. The
> connections are still connected. I do this all the time with
> firewalls up and running. If flushing the rules killed all the active
> connections, it would be super disruptive.

Well, at least the connections belonging to NAT should be destroyed, because there is no authorization for these data flows anymore. Don't you agree?

> I suppose if you want to stop connections, flush the rules and then
> set the policy to DROP - do 2 commands instead of just flushing.

I did this. Stopped (flushed) all (I really mean all) rules and started them again with a different source address for the NAT rules. My surprise was that the old NAT connection continued to flow despite the fact that there was no rule in the nat table for it. I suppose this old connection is still flowing because the conntrack database states it as ESTABLISHED and it is grabbed by the "ESTABLISHED,RELATED -j ACCEPT" rule. Did I make myself clear?

I suppose that once a data flow is established its conntrack database entry is only deleted if you or the other party kills the application that holds the connection alive.

BTW rebooting the machine stops the old data flow and only accepts the second (new) one. (Unnecessary to say that rebooting clears the conntrack database, of course.)

> Take what I say for what it's worth. I am not a netfilter developer,
> just a long-time user.

And so am I. Just a long-time user since ipfwadm.

(Could any developer reading this please shed some light on this?)

Ethy

From haden at homelan.lt Thu Jan 26 20:10:00 2006
From: haden at homelan.lt (Tomas Simonaitis)
Date: Thu Jan 26 20:09:51 2006
Subject: [LARTC] nat table remenbering nat's
In-Reply-To: <20060126131556.2d7b884e@pulsar.inexo.com.br>
References: <925A849792280C4E80C5461017A4B8A2031F47@mail733.InfraSupportEtc.com> <20060126131556.2d7b884e@pulsar.inexo.com.br>
Message-ID: <200601262110.00498.haden@homelan.lt>

To clear things up:
The connection which was up was not blocked in FORWARD? You only changed the rule in PREROUTING ("...different source address...")?
If so, the "old" connection just didn't hit PREROUTING, as it's already been there, and FORWARD isn't dropping its packets.
To me it seems to behave as expected.

On Thursday 26 January 2006 17:15, Ethy H. Brito wrote:
> On Thu, 26 Jan 2006 08:58:34 -0600
> I did this. Stopped (flushed) all (I really mean all) rules and started them
> again with a different source address for the NAT rules. My surprise was that
> the old NAT connection continued to flow despite the fact that there was no
> rule in the nat table for it. I suppose this old connection is still flowing
> because the conntrack database states it as ESTABLISHED and it is grabbed by
> the "ESTABLISHED,RELATED -j ACCEPT" rule. Did I make myself clear?

From ethy.brito at inexo.com.br Thu Jan 26 20:20:47 2006
From: ethy.brito at inexo.com.br (Ethy H. Brito)
Date: Thu Jan 26 20:21:02 2006
Subject: [LARTC] nat table remenbering nat's
In-Reply-To: <200601262110.00498.haden@homelan.lt>
References: <925A849792280C4E80C5461017A4B8A2031F47@mail733.InfraSupportEtc.com> <20060126131556.2d7b884e@pulsar.inexo.com.br> <200601262110.00498.haden@homelan.lt>
Message-ID: <20060126172047.5ccb91e0.ethy.brito@inexo.com.br>

On Thu, 26 Jan 2006 21:10:00 +0200 Tomas Simonaitis wrote:

> To clear things up:
> Connection which was up was not blocked in FORWARD?

No, they are not. I have an ESTABLISHED -j ACCEPT rule as first rule.

> You only changed rule in PREROUTING ("...different source address...")?

That is correct.

> If so, "old" connection just didn't hit prerouting as it's already been there,
> and forward isn't dropping its packets.
> To me it seems to behave as expected.

Questionable. I flushed NAT. I assume that a flushed table must forget each and every previous authorization. The way you put it, the only way to stop the old stream is to reboot the machine, which is unacceptable from my point of view.

Suppose you have a partnership and want to drop those privileges. While your late partner does not close the connection(s) (s)he will still have granted access to your intranet. Did you think of that?

Ethy

From haden at homelan.lt Thu Jan 26 20:35:14 2006
From: haden at homelan.lt (Tomas Simonaitis)
Date: Thu Jan 26 20:34:58 2006
Subject: [LARTC] nat table remenbering nat's
In-Reply-To: <20060126172047.5ccb91e0.ethy.brito@inexo.com.br>
References: <925A849792280C4E80C5461017A4B8A2031F47@mail733.InfraSupportEtc.com> <200601262110.00498.haden@homelan.lt> <20060126172047.5ccb91e0.ethy.brito@inexo.com.br>
Message-ID: <200601262135.14851.haden@homelan.lt>

You might want to take a look at cutter (http://www.lowth.com/cutter/) (maybe as a temporary solution, at least you wouldn't need to reboot).

On Thursday 26 January 2006 21:20, Ethy H. Brito wrote:
> Questionable. I flushed NAT. I assume that a flushed table must forget
> each and every previous authorization. The way you put it, the only way
> to stop the old stream is to reboot the machine, which is unacceptable from
> my point of view.
>
> Suppose you have a partnership and want to drop those privileges. While
> your late partner does not close the connection(s) (s)he will still have
> granted access to your intranet. Did you think of that?
>
> Ethy

From c-d.hailfinger.devel.2006 at gmx.net Thu Jan 26 23:04:17 2006
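The thread above turns on the fact that flushing the nat table does not touch the conntrack entries, so a flow that was translated under the old rules keeps matching the ESTABLISHED rule. As an added example (not part of the thread), this script finds such stale SNAT entries in a /proc/net/ip_conntrack dump and emits the conntrack(8) deletions that end them, as an alternative to cutter or a reboot; the dump and the addresses are constructed placeholders, and the 2.6 /proc layout and the conntrack tool are assumed.

```sh
#!/bin/sh
# Added example, not from the thread: after the NAT rules change, list the
# conntrack entries that were SNATed to an address no longer in use (Ethy's
# "old NAT connection" that the ESTABLISHED rule keeps accepting) and emit
# the conntrack(8) deletions that end them without a reboot or cutter.
# Input is /proc/net/ip_conntrack text in its 2.6 layout; the sample below
# is constructed and the addresses are placeholders.

# stale_snat_entries NEW_SNAT_IP < conntrack-dump
# An entry's first src/dst pair is the original direction, the second the
# reply direction. For a SNATed flow the reply dst is the translated source;
# if it is neither the original source nor NEW_SNAT_IP, the flow is riding
# on a translation the ruleset no longer grants.
stale_snat_entries() {
    awk -v keep="$1" '
    {
        n = 0; split("", src); split("", dst); split("", sport); split("", dport)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if      (kv[1] == "src")   { n++; src[n] = kv[2] }
            else if (kv[1] == "dst")   dst[n]   = kv[2]
            else if (kv[1] == "sport") sport[n] = kv[2]
            else if (kv[1] == "dport") dport[n] = kv[2]
        }
        if (n == 2 && dst[2] != src[1] && dst[2] != keep)
            printf "conntrack -D -p %s -s %s -d %s --sport %s --dport %s   # translated to %s\n",
                   $1, src[1], dst[1], sport[1], dport[1], dst[2]
    }'
}

# Constructed dump: one flow SNATed to the old address 203.0.113.5, one to
# the current 203.0.113.6, and one untranslated LAN-to-DNS flow.
CT_SAMPLE='tcp      6 431999 ESTABLISHED src=10.1.1.20 dst=198.51.100.9 sport=40011 dport=22 src=198.51.100.9 dst=203.0.113.5 sport=22 dport=40011 [ASSURED] use=1
tcp      6 299 ESTABLISHED src=10.1.1.21 dst=198.51.100.9 sport=40012 dport=443 src=198.51.100.9 dst=203.0.113.6 sport=443 dport=40012 [ASSURED] use=1
udp      17 29 src=10.1.1.20 dst=10.1.1.53 sport=5353 dport=53 src=10.1.1.53 dst=10.1.1.20 sport=53 dport=5353 use=1'

# stale_for_sample -> the deletions for the constructed dump
stale_for_sample() {
    printf '%s\n' "$CT_SAMPLE" | stale_snat_entries 203.0.113.6
}

# On a live 2.6 router, after reviewing the output:
#   stale_snat_entries 203.0.113.6 < /proc/net/ip_conntrack | sh
```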
From: c-d.hailfinger.devel.2006 at gmx.net (Carl-Daniel Hailfinger)
Date: Thu Jan 26 23:05:15 2006
Subject: [LARTC] Profiling hotspots in my tc filter ruleset
Message-ID: <43D94761.40302@gmx.net>

Hi,

after I saw that my machine was having problems forwarding more than 200 Mbit/s, I decided to profile the kernel and find out the hotspots. This is what I found:

[...]
   1028 bridge.ko          __br_forward
   1033 bridge.ko          br_nf_forward_finish
   1074 bridge.ko          ip_sabotage_in
   1119 ebtable_filter.ko  ebt_hook
   1177 sky2.ko            sky2_phy_stats
   1304 bridge.ko          setup_pre_routing
   1417 bridge.ko          br_fdb_cleanup
   1425 sky2.ko            sky2_put_idx
   1766 ipt_physdev.ko     .text
   2113 bridge.ko          br_nf_pre_routing_finish
   2133 bridge.ko          br_nf_forward_ip
   2314 bridge.ko          br_handle_frame_finish
   2454 bridge.ko          br_dev_queue_push_xmit
   2515 bridge.ko          ip_sabotage_out
   2718 sky2.ko            sky2_rx_add
   2858 sch_htb.ko         htb_enqueue
   3983 bridge.ko          br_handle_frame
   4796 bridge.ko          br_nf_pre_routing
   7047 bridge.ko          br_nf_post_routing
   8158 sky2.ko            sky2_xmit_frame
   9519 sch_htb.ko         htb_classify
   9910 sch_htb.ko         htb_dequeue
   9916 ip_tables.ko       ipt_do_table
   9944 bridge.ko          br_fdb_update
  10094 bridge.ko          __br_fdb_get
  14446 sky2.ko            sky2_intr
  15323 sky2.ko            sky2_tx_complete
  17745 ebt_ip.ko          ebt_filter_ip
  55535 sky2.ko            sky2_poll
  82377 ebtables.ko        ebt_do_table
  84971 cls_u32.ko         u32_classify
 125089 af_packet.ko       packet_rcv

I admit that my rulesets are not really optimized and I could probably fix that by building better rulesets. However, I was interested in general where to start.

sky2: tuning with ethtool helped quite a bit
ebtables: will get mostly rid of that after reconfiguration
af_packet: that's probably the fault of a few tcpdump instances

This leaves cls_u32 to attack. Nearly all rules I have are added with the following command:

# tc filter add dev eth0 parent 1:0 protocol ip prio $prio u32 match ip src $ip flowid 1:$flowid

Now my problem is that I have about 30-60 filter rules with the above characteristics.
Unfortunately the IPs I'm filtering have nothing in common and they generate only 3% of the accumulated traffic. That means over 97% of the traffic is checked against a linear list of filters without ever matching anything.

I looked at hashed filters, but they seem not to be the right thing because a hashing filter for a /16 network where only 30 IPs should be matched will probably make performance worse.

Only 30 IPs of the /16 subnet are filtered. Each of them gets a different filter, but their collective traffic is only 3% of the total traffic. So if I manage to catch them all with one filter rule and attach my usual rules only to packets from that filter, 97% of my traffic will hit only 1 filter instead of 30.

Is there anything like ipset available for tc?

Regards,
Carl-Daniel
-- 
http://www.hailfinger.org/

From elmono222 at gmail.com Fri Jan 27 14:50:47 2006
From: elmono222 at gmail.com (Juan Felipe Botero)
Date: Fri Jan 27 14:51:02 2006
Subject: [LARTC] linux bridging
Message-ID:

I have a question, can i use traffic control in a linux pc if the linux is enabled as a bridge?

-- 
Juan Felipe Botero
Ingeniería de sistemas
Universidad de Antioquia

From c-d.hailfinger.devel.2006 at gmx.net Fri Jan 27 14:57:35 2006
From: c-d.hailfinger.devel.2006 at gmx.net (Carl-Daniel Hailfinger)
Date: Fri Jan 27 14:58:32 2006
Subject: [LARTC] linux bridging
In-Reply-To:
References:
Message-ID: <43DA26CF.1050206@gmx.net>

Juan Felipe Botero wrote:
> I have a question, can i use traffic control in a linux pc if the linux is
> enabled as a bridge?

Yes.

Regards,
Carl-Daniel
-- 
http://www.hailfinger.org/

From gypsy at iswest.com Sat Jan 28 04:20:25 2006
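For Carl-Daniel's ruleset above (some 30 scattered /32 source matches out of one /16, each with its own flowid), an added example that is not from the list: it generates the u32 hash-table layout from the LARTC HOWTO, where one root rule hashes the /16 on the last source octet and only packets from a bucket that holds a guarded address are compared further, so the 97% of traffic that never matches costs a single lookup. It prints the tc commands rather than running them; the device, parent, prio and /16 are caller-supplied placeholders.

```sh
#!/bin/sh
# Added example, not from Carl-Daniel's post: build the u32 hash-table layout
# (LARTC HOWTO, "hashing filters") for ~30 scattered /32 source addresses in
# one /16, so the 97% of packets that never match pay for a single root rule
# plus one bucket lookup instead of a 30-entry linear scan. The function only
# prints the tc commands, so it can be reviewed before being run as root.
# Device, parent, prio and the /16 are caller-supplied placeholders.

# u32_hash_rules DEV PARENT PRIO NET16 IP=FLOWID [IP=FLOWID ...]
#   NET16 is the network address of the /16 (e.g. 10.1.0.0).
#   Every rule must share one prio: a u32 hash table lives under the
#   (parent, prio) pair it was created in, unlike the per-rule $prio of
#   the original linear ruleset.
u32_hash_rules() {
    dev=$1; parent=$2; prio=$3; net16=$4; shift 4

    # Table 2: with 256 buckets.
    echo "tc filter add dev $dev parent $parent protocol ip prio $prio handle 2: u32 divisor 256"

    # One root rule (800: is u32's default root table): traffic from the /16
    # is hashed on the last octet of the source address (IP header offset 12)
    # into table 2:; everything else falls through untouched.
    echo "tc filter add dev $dev parent $parent protocol ip prio $prio u32 ht 800:: match ip src $net16/16 hashkey mask 0x000000ff at 12 link 2:"

    # Each guarded address gets a /32 match in the bucket its last octet
    # selects (bucket numbers are hex). Addresses sharing a last octet share
    # a bucket and are compared linearly inside it, which is still at most
    # a handful of rules.
    for pair in "$@"; do
        ip=${pair%%=*}; flowid=${pair#*=}
        last=${ip##*.}
        bucket=$(printf '%x' "$last")
        echo "tc filter add dev $dev parent $parent protocol ip prio $prio u32 ht 2:$bucket: match ip src $ip/32 flowid $flowid"
    done
}

# Constructed sample: two hosts out of a /16, each to its own class, as the
# per-IP rules in the post do.
#   u32_hash_rules eth0 1:0 5 10.1.0.0 10.1.4.200=1:10 10.1.77.18=1:11
```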
From: gypsy at iswest.com (gypsy)
Date: Sat Jan 28 04:20:39 2006
Subject: [LARTC] help!!
References:
Message-ID: <43DAE2F9.AF23F9F1@iswest.com>

Nampreet Sarao wrote:
>
> hi i am doing my final year project on Traffic Shaping. could anyone please
> guide me how do i actually go about it.
>
> i mean the first step. i have read the lartc documentation for the same.
> what do i do next. please help
> thanks in advance

I suggest you download a script and install it. You can get some links from here:
http://yesican.chsoft.biz/lartc/index.html

Look particularly at Jim diGriz, Jason Boxman, Devik and Wonder Shaper. That should provide plenty to get started.
-- 
gypsy

From gypsy at iswest.com Sat Jan 28 04:36:57 2006
From: gypsy at iswest.com (gypsy)
Date: Sat Jan 28 04:37:19 2006
Subject: [LARTC] tcf_action_destroy destroying
References: <20060126083541.61520.qmail@web15408.mail.cnb.yahoo.com>
Message-ID: <43DAE6D9.81AB7FE7@iswest.com>

bend chen wrote:
>
> hi.
>
> >gypsy wrote:---------------------------
> >This is HUGE; you cannot mean 10,000Kbit!??
> ???, my script 10000Kbps means 10Mbps.
> Iproute can not support 10Mbps?

Sure, yes it can handle 10Mbps - and 100Mbps too. But the reason you are getting the r2q error message is that you set a much smaller rate for the children.

I stole this from a previous posting to LARTC and have never actually used it, but try something like this, or search the archives for messages containing "LAN" and "Klauer" to see from whom it was stolen ;)

# BIN_TC (path to tc) and UPLINK (uplink rate in kbit) are not set in this
# fragment and must be defined before it runs.
DEV=eth1
# 100000 kbit ~= 100Mbit.
# Lower this value if your LAN doesn't actually make 100MBit.
LAN_SPEED=100000
LAN_SUBNET=192.168.223.0

# install root HTB, point default traffic to 1:20:
$BIN_TC qdisc add dev $DEV root handle 1: htb default 20

# Add fat class.
$BIN_TC class add dev $DEV parent 1: classid 1:2 htb rate ${LAN_SPEED}kbit quantum 1500

# Add local lan child.
$BIN_TC class add dev $DEV parent 1:2 classid 1:3 htb rate $(($LAN_SPEED-$UPLINK))kbit quantum 1500

$BIN_TC class add dev $DEV parent 1:2 classid 1:1 htb rate ${UPLINK}kbit burst 6k

# high prio class 1:10:
$BIN_TC class add dev $DEV parent 1:1 classid 1:10 htb rate ${UPLINK}kbit \
    burst 6k prio 1

# bulk & default class 1:20
$BIN_TC class add dev $DEV parent 1:1 classid 1:20 htb rate $((9*$UPLINK/10))kbit \
    burst 6k prio 2

$BIN_TC class add dev $DEV parent 1:1 classid 1:30 htb rate $((8*$UPLINK/10))kbit \
    burst 6k prio 2

# attach ingress policer:
$BIN_TC qdisc add dev $DEV handle ffff: ingress

# exclude LAN traffic
$BIN_TC filter add dev $DEV parent ffff: protocol ip prio 1 u32 \
    match ip src $LAN_SUBNET/24 \
    match ip dst $LAN_SUBNET/24 \
    flowid :1

> >bend chen wrote:
> >
> > Hi, lartc
> >
> > I used iproute-060110 with iptables1.3.4 on gentoo 2005r1 kernel
> > 2.6.14-5.
> > I find some error messages in system logfile:
> >
> > HTB: quantum of class 10001 is big. Consider r2q change.
> > HTB: quantum of class 10010 is big. Consider r2q change.
> > tcf_action_init_1: successfull police
> > HTB: quantum of class 20001 is big. Consider r2q change.
> > HTB: quantum of class 20020 is big. Consider r2q change.
> > HTB: quantum of class 10001 is big. Consider r2q change.
> > HTB: quantum of class 10010 is big. Consider r2q change.
> > tcf_action_destroy destroying dcf0ba60 next 00000000
> > tcf_action_init_1: successfull police
> > HTB: quantum of class 20001 is big. Consider r2q change.
> > HTB: quantum of class 20020 is big. Consider r2q change.
> >
> > and this is my script:
> >
> > /root/ct/sbin/ct qdisc del dev eth0 root ;
> > /root/ct/sbin/ct qdisc del dev eth0 ingress ;
> > /root/ct/sbin/ct qdisc add dev eth0 root handle 1: htb default 10 r2q 1;
> > /root/ct/sbin/ct class add dev eth0 parent 1: classid 1:1 htb rate 10000kbps;
> > /root/ct/sbin/ct class add dev eth0 parent 1:1 classid 1:10 htb rate 9990kbps ceil 10000kbps;
> > /root/ct/sbin/ct class add dev eth0 parent 1:1 classid 1:11 htb rate 10kbps;
> > /root/ct/sbin/ct qdisc add dev eth0 parent 1:10 handle 13: sfq perturb 5;
> > /root/ct/sbin/ct qdisc add dev eth0 parent 1:11 handle 14: sfq perturb 5;
> > /root/ct/sbin/ct filter add dev eth0 parent 1: protocol ip handle 1 fw classid 1:10;
> > /root/ct/sbin/ct filter add dev eth0 parent 1: protocol ip handle 2 fw classid 1:11;
> > /root/ct/sbin/ct qdisc del dev eth1 root;
> > /root/ct/sbin/ct qdisc add dev eth1 root handle 2: htb default 20 r2q 1;
> > /root/ct/sbin/ct class add dev eth1 parent 2: classid 2:1 htb rate 10000kbps;
> --------------------------
> >This is HUGE; you cannot mean 10,000Kbit!??
> --
> gypsy

From boy2eye at yahoo.com.cn Sat Jan 28 07:15:48 2006
From: boy2eye at yahoo.com.cn (bend chen)
Date: Sat Jan 28 07:15:53 2006
Subject: [LARTC] tcf_action_destroy destroying
Message-ID: <20060128061548.50003.qmail@web15407.mail.cnb.yahoo.com>

Thanks gypsy's help. I will test your script :)

From brick at caramidaru.botosani.rdsnet.ro Sat Jan 28 08:57:01 2006
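The "quantum of class ... is big" lines in bend chen's log and gypsy's explicit "quantum 1500" in the LAN script both come from the same HTB arithmetic. As an added example, not from the thread, this script reproduces that check for the rates in the thread and searches for an r2q that would silence the warning; the thresholds and the quantum formula are taken from the 2.6 sch_htb.c as I recall it, and the 1000-based units are an assumption (older tc builds used 1024, which does not change the verdicts).

```sh
#!/bin/sh
# Added example, not from the thread: the arithmetic behind
# "HTB: quantum of class 10001 is big. Consider r2q change." (10001 is
# classid 1:1 in hex). Assumed from 2.6 sch_htb.c: a leaf class without an
# explicit quantum gets quantum = rate_in_bytes_per_second / r2q and the
# kernel warns (and clamps) below 1000 or above 200000 bytes; tc's default
# r2q is 10. Units are assumed 1000-based; some older tc builds used 1024,
# which changes the numbers slightly but not the verdicts below.

# rate_bytes RATE -> bytes per second for a tc rate such as 10000kbps,
# 9990kbit or 10mbit. tc's "kbps" is kilobytes/s, "kbit" is kilobits/s,
# which is why 10000kbps in the script is 80Mbit, not 10Mbit.
rate_bytes() {
    n=${1%%[a-zA-Z]*}; unit=${1#"$n"}
    case $unit in
        bps|"") echo "$n" ;;
        kbps)   echo $((n * 1000)) ;;
        mbps)   echo $((n * 1000000)) ;;
        bit)    echo $((n / 8)) ;;
        kbit)   echo $((n * 1000 / 8)) ;;
        mbit)   echo $((n * 1000000 / 8)) ;;
        *)      echo "rate_bytes: unknown unit '$unit'" >&2; return 1 ;;
    esac
}

# htb_quantum RATE R2Q -> the quantum HTB derives for a leaf at that rate
htb_quantum() {
    echo $(( $(rate_bytes "$1") / $2 ))
}

# htb_quantum_status RATE R2Q -> small | big | ok, mirroring the warning
htb_quantum_status() {
    q=$(htb_quantum "$1" "$2")
    if   [ "$q" -lt 1000 ];   then echo small
    elif [ "$q" -gt 200000 ]; then echo big
    else                           echo ok
    fi
}

# pick_r2q RATE [RATE ...] -> the smallest candidate r2q that keeps every
# given leaf rate warning-free, or "none" (exit 1) when no single r2q can.
# With 9990kbps and 10kbps under one qdisc there is none, which is why an
# explicit "quantum N" per class (as in the 100Mbit LAN script) is the
# usual way out.
pick_r2q() {
    for r2q in 1 2 5 10 20 50 100 200 500 1000; do
        all_ok=1
        for rate in "$@"; do
            [ "$(htb_quantum_status "$rate" "$r2q")" = ok ] || all_ok=0
        done
        if [ "$all_ok" -eq 1 ]; then echo "$r2q"; return 0; fi
    done
    echo none
    return 1
}

# The rates from the thread:
#   htb_quantum_status 10000kbps 1     # big   (class 1:1 with r2q 1)
#   htb_quantum_status 100000kbit 10   # big   (LAN class without quantum 1500)
#   pick_r2q 9990kbps 10kbps           # none
```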
From: brick at caramidaru.botosani.rdsnet.ro (brick@caramidaru.botosani.rdsnet.ro)
Date: Sat Jan 28 08:57:20 2006
Subject: [LARTC] gypsy, and not only
Message-ID:

hi
i've seen one of your replies here and i saw that you recommend 2 modifications in the kernel files in order to improve htb.
first in pkt_sched.h, changing PSCHED_JIFFIES to PSCHED_CPU.
and then, sch_htb.c, changing HYSTERESIS from 1 to 0.
is it that simple?
i mean i just change these here variables and i get better results?
i've done a search and found the first file in 3 locations. where exactly do i do these modifications?
tnx

From sorin.panca at gmail.com Sat Jan 28 13:52:08 2006
From: sorin.panca at gmail.com (Sorin Panca)
Date: Sat Jan 28 13:46:32 2006
Subject: [LARTC] Re: traffic shaping and gre tunnels
Message-ID: <43DB68F8.8090206@gmail.com>

Hi!
I read http://mailman.ds9a.nl/pipermail/lartc/2002q4/006244.html and I did that. Can anyone tell me if there is something else to do for shaping over tunnels to work? I noticed that gre interfaces don't have a queue attached.
I'm running linux-2.6.15 and iptables-1.3.4 with no patches.
Thank you in advance,
Sorin.

From ad at heliosphan.co.uk Sat Jan 28 14:59:25 2006
From: ad at heliosphan.co.uk (Adam James)
Date: Sat Jan 28 14:59:27 2006
Subject: [LARTC] gypsy, and not only
In-Reply-To:
References:
Message-ID: <1138456765.7257.8.camel@heliosphan.kernelpanic.co.uk>

On Sat, 2006-01-28 at 09:57 +0200, brick@caramidaru.botosani.rdsnet.ro wrote:
> i've seen one of your replies here and i saw that you recommend 2
> modifications in the kernel files in order to improve htb.
> first in pkt_sched.h, changing PSCHED_JIFFIES to PSCHED_CPU.
> and then, sch_htb.c, changing HYSTERESIS from 1 to 0.
> is it that simple?
> i mean i just change these here variables and i get better results?
> i've done a search and found the first file in 3 locations. where exactly
> do i do these modifications?

http://edseek.com/~jasonb/articles/traffic_shaping/buildkernel.html#sourceopts answers this.

Kernels newer than 2.6.8 allow you to change the clock source without editing any source files. Look under 'Networking ---> QoS and/or fair queueing ---> Packet scheduler clock source (CPU cycle counter)'.

Keep in mind that if you use any kind of CPU frequency scaling, do _not_ use PSCHED_CPU, as variable clock speeds are not taken into account.

HTH,
-- 
Adam James

PROOF OF GOD'S EXISTENCE #87: ARGUMENT FROM BIBLICAL HISTORY
(1) Many modern historians think that there probably was somebody named Jesus, maybe.
(2) Therefore, God exists.

From sorin.panca at gmail.com Sat Jan 28 15:26:31 2006
From: sorin.panca at gmail.com (Sorin Panca)
Date: Sat Jan 28 15:20:35 2006
Subject: [LARTC] Re: traffic shaping and gre tunnels (addition)
Message-ID: <43DB7F17.6020004@gmail.com>

Hi!
I want to add to my previous post that:
my setup looks like this

internet --> linux router with NAT and tc ==> gre tunnel ==> forwarding router --> LAN

At my NATting router I can "see" the forwarded LAN (192.168.2.0/24). Now let's say that there is a LAN workstation with the IP 192.168.2.18 and I filter the traffic with tc for it. If the forwarding router has the internal address 192.168.2.1, the bandwidth allocated to 192.168.0.1 should be the sum of the bandwidth allocated for the LAN?
On the linux router with NAT and tc I allocate a quantum for each connected machine. Every machine has its own htb class.

I should mention that I receive LARTC digests once a day.. so please CC me for faster response.

Thank you in advance,
Sorin.

From gypsy at iswest.com Sat Jan 28 18:33:18 2006
From: gypsy at iswest.com (gypsy)
Date: Sat Jan 28 18:33:23 2006
Subject: [LARTC] gypsy, and not only
References:
Message-ID: <43DBAADE.67C44DF3@iswest.com>

brick@caramidaru.botosani.rdsnet.ro wrote:
>
> hi
> i've seen one of your replies here and i saw that you recommend 2
> modifications in the kernel files in order to improve htb.
> first in pkt_sched.h, changing PSCHED_JIFFIES to PSCHED_CPU.
> and then, sch_htb.c, changing HYSTERESIS from 1 to 0.
> is it that simple?
> i mean i just change these here variables and i get better results?
> i've done a search and found the first file in 3 locations. where exactly
> do i do these modifications?
> tnx

Hi,

The place to change JIFFIES to CPU is in the kernel source, which for me is /usr/src/linux-2.4.32/include/net/pkt_sched.h
This is a MUST DO.

The place to change HYSTERESIS is /usr/src/linux-2.4.32/net/sched/sch_htb.c
No, it is not quite that simple. You should experiment with HYSTERESIS to see what works best. For ATM, I recommend 0.

Use an editor to change the kernel source. Make sure you have a working .config in the source tree (that can be the hard part, but your distro should provide the .config that matches your kernel).

Get into the source tree:
cd /usr/src/linux (if there is a symlink) or cd /usr/src/linux-2.4.32
rm .version
make oldconfig

Check .config to be sure it looks like what you want. The syntax of the following is a personal preference:
make dep ; make clean ; make bzImage

Check to be sure the kernel built properly.
make modules ; make modules_install

Install your new kernel. Run your boot loader (lilo / grub / ??).
modprobe sch_htb
lsmod

If all is OK, you don't need to reboot. Otherwise fix anything that a reboot won't fix and reboot.
-- 
gypsy

From xen.mails at gmail.com Sat Jan 28 19:37:31 2006
From: xen.mails at gmail.com (Anand)
Date: Sat Jan 28 19:37:32 2006
Subject: [LARTC] using tc on xen
Message-ID:

Hi Everyone!

My knowledge of tc is very much limited and i got introduced to it by my need for traffic limiting on xen based VM's.

For every VM there is an interface. The network is a bridged network. Has anyone tried out something like this?

I tried the below script to limit download on an interface however it didn't seem to work. Still the interface is able to download at full speeds.

1. vm01 ==> is virtual interface
------------------------------------------------------------------------
#!/bin/sh
TC=/sbin/tc
DNLD=150Kbit    # DOWNLOAD Limit
DWEIGHT=15Kbit  # DOWNLOAD Weight Factor

$TC qdisc add dev vm01 root handle 11: cbq bandwidth 100Mbit avpkt 1000 mpu 64
$TC class add dev vm01 parent 11:0 classid 11:1 cbq rate $DNLD weight $DWEIGHT allot 1514 prio 1 avpkt 1000 bounded
$TC filter add dev vm01 parent 11:0 protocol ip handle 4 fw flowid 11:1

Any help would be highly appreciated.

-- 
regards,
Anand

From gypsy at iswest.com Sun Jan 29 07:54:03 2006
From: gypsy at iswest.com (gypsy)
Date: Sun Jan 29 07:54:13 2006
Subject: [LARTC] Reminder - links
Message-ID: <43DC668B.4A020A1F@iswest.com>

Because these tend to get lost, here are some links that I think everyone should know about:

wiki:
http://linux-net.osdl.org

API:
http://www.coverfire.com/lql/

Stef Coene: (Broken? I hope not. This is excellent stuff!)
http://www.docum.org/docum.org/

Jason Boxman:
http://edseek.com/~jasonb/articles/traffic_shaping/

Dan Singletary:
http://www.tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/index.html

Emmanuel Roger:
http://www.prout.be/qos/index.html
-- 
gypsy

From stef.coene at docum.org Sun Jan 29 14:17:40 2006
From: stef.coene at docum.org (Stef Coene)
Date: Sun Jan 29 14:17:45 2006
Subject: [LARTC] Reminder - links
In-Reply-To: <43DC668B.4A020A1F@iswest.com>
References: <43DC668B.4A020A1F@iswest.com>
Message-ID: <200601291417.41123.stef.coene@docum.org>

On Sunday 29 January 2006 07:54, gypsy wrote:
> Because these tend to get lost, here are some links that I think
> everyone should know about:
>
> wiki:
> http://linux-net.osdl.org
>
> API:
> http://www.coverfire.com/lql/
>
> Stef Coene: (Broken? I hope not. This is excellent stuff!)
> http://www.docum.org/docum.org/
Not anymore ;)

Stef

From fals138 at gmail.com Sun Jan 29 16:07:58 2006
From: fals138 at gmail.com (Ismail Fahmi)
Date: Sun Jan 29 16:08:00 2006
Subject: [LARTC] how can I delete filter : RTNETLINK file doesn't exist
Message-ID: <75dbe4850601290707q40f50bd1jf3164a3433bb37@mail.gmail.com>

what is the script for deleting a filter that already exists???

the htb script is:

tc qdisc add dev eth0 root handle 1:0 htb default 4
tc class add dev eth0 parent 1:0 classid 1:1 htb rate 500kbps ceil 500kbps
tc class add dev eth0 parent 1:1 classid 1:2 htb rate 300kbps ceil 300kbps
tc qdisc add dev eth0 parent 1:2 handle 12:0 pfifo
tc class add dev eth0 parent 1:1 classid 1:3 htb rate 150kbps ceil 150kbps
tc qdisc add dev eth0 parent 1:3 handle 13:0 pfifo
tc class add dev eth0 parent 1:1 classid 1:4 htb rate 50kbps ceil 50kbps
tc qdisc add dev eth0 parent 1:4 handle 14:0 pfifo

when IP x.x.x.x accesses the web server (i.e http://test.com/class-A.php) he gets the filter to class A (flow 1:2) because in class-A.php there is a script:

tc filter add dev eth0 protocol ip parent 1:0 u32 match ip dst x.x.x.x flowid 1:2

then i wanna delete the filter for ip x.x.x.x so he gets the default class (1:4)

when i exec as root:
tc filter del dev eth0 protocol ip parent 1:0 u32 match ip dst x.x.x.x

there is a feedback ---> RTNETLINK file doesn't exist

anyone can help me???

From gypsy at iswest.com Sun Jan 29 20:50:13 2006
From: gypsy at iswest.com (gypsy)
Date: Sun Jan 29 20:50:21 2006
Subject: [LARTC] Problems in Dead Gateway Detection / Failover - MultipleISP Links
References: <43D8CEAE.3010006@tuxspace.com>
Message-ID: <43DD1C75.C141A9E0@iswest.com>

Manish Kathuria wrote:
--== snip ==--
> However, if there is a problem in the ISP connectivity at any of the
> subsequent hops, there is no dead gateway detection and failover also
> does not take place. I have tested this on various linux kernels from
> 2.4 as well as 2.6 series.
>
> Somehow I have never faced a similar problem before and things have been
> working perfectly. In real life situation here, the first hop gateway is
> rarely going to be down so dead gateway detection and failover is going
> to be required whenever there is some connectivity problem at any of the
> later hops. So that's where dead gateway detection needs to work.
>
> What could be the reason ? How can this be resolved ? I would appreciate
> any pointers or suggestions.
>
> Thanks,
>
> Manish Kathuria

Manish,

Same here (a long time ago. I no longer have multiple ISPs).

I don't have any answers for you, but here are a few pointers:

Use arping in a script, pinging the farthest hop that arping can reach that is of interest. Whenever arping returns a bad status, run 'ip route flush cache'. Put a nice long sleep in the script and run it all the time.

Perhaps in that same script, 'ping -n1 -I' each WAN interface in turn to some destination that must always be up but reachable only by/on that interface. Run 'ip route flush cache' whenever that ping fails.

You are just trying to detect the up or down status of the link, so don't flood the connection with arping and ping packets. Using sleep, space those pings apart to something sensible.

Although Julian has never confirmed (or denied) this, it was my experience that only the **__FIRST__** nexthop affected the up or down status of the connection. If that succeeded, nothing would flag the connection as dead.
If you know C, perhaps you can examine Julian's kernel patch to see if there is any useful information there. In my opinion, Julian should document exactly how DGD works. Perhaps he has and I just can't find it on his web site, but (when I cared), I was not able to find anything useful there.

Have you tried to engage Julian in a conversation to resolve this? He posts here occasionally but I do not know if he answers questions about DGD off this list.
-- 
gypsy

From manish at tuxspace.com Mon Jan 30 04:38:27 2006
From: manish at tuxspace.com (Manish Kathuria)
Date: Mon Jan 30 04:38:44 2006
Subject: [LARTC] Problems in Dead Gateway Detection / Failover - MultipleISP Links
In-Reply-To: <43DD1C75.C141A9E0@iswest.com>
References: <43D8CEAE.3010006@tuxspace.com> <43DD1C75.C141A9E0@iswest.com>
Message-ID: <43DD8A33.9020305@tuxspace.com>

gypsy wrote:
> Manish Kathuria wrote:
> --== snip ==--
>
>> However, if there is a problem in the ISP connectivity at any of the
>> subsequent hops, there is no dead gateway detection and failover also
>> does not take place. I have tested this on various linux kernels from
>> 2.4 as well as 2.6 series.
>>
>> Somehow I have never faced a similar problem before and things have been
>> working perfectly. In real life situation here, the first hop gateway is
>> rarely going to be down so dead gateway detection and failover is going
>> to be required whenever there is some connectivity problem at any of the
>> later hops. So that's where dead gateway detection needs to work.
>>
>> What could be the reason ? How can this be resolved ? I would appreciate
>> any pointers or suggestions.
>>
>> Thanks,
>>
>> Manish Kathuria
>
>
> Manish,
>
> Same here (a long time ago. I no longer have multiple ISPs).
>
> I don't have any answers for you, but here are a few pointers:

Thanks for your mail. I will try out the suggestions given by you.

>
> Use arping in a script, pinging the farthest hop that arping can reach
> that is of interest. Whenever arping returns a bad status, run 'ip
> route flush cache'. Put a nice long sleep in the script and run it all
> the time.
>
> Perhaps in that same script, 'ping -n1 -I' each WAN interface in turn to
> some destination that must always be up but reachable only by/on that
> interface. Run 'ip route flush cache' whenever that ping fails.

The only thing is whether by doing this the kernel would be able to mark the gateway having bad status as down or not. If it does without any other intervention, then it's really superb.

>
> You are just trying to detect the up or down status of the link, so
> don't flood the connection with arping and ping packets. Using sleep,
> space those pings apart to something sensible.

I was thinking of writing a daemon which will ping a remote host through each of the WAN interfaces every 5 seconds. If one of them gives a bad status response continuously for 8-10 times, the default route will be changed to the other ISP's gateway and if the status changes again, it will be restored back to the load balanced multipath state. Will have to actually try and see which method fits in better here and is more elegant. If your suggestion works, it's perhaps the best way out.

>
> Although Julian has never confirmed (or denied) this, it was my
> experience that only the **__FIRST__** nexthop affected the up or down
> status of the connection. If that succeeded, nothing would flag the
> connection as dead. If you know C, perhaps you can examine Julian's
> kernel patch to see if there is any useful information there. In my
> opinion, Julian should document exactly how DGD works. Perhaps he has
> and I just can't find it on his web site, but (when I cared), I was not
> able to find anything useful there.

There are excellent documents at http://www.ssi.bg/~ja/dgd-usage.txt and http://www.ssi.bg/~ja/nano.txt which have explained it very well. Quoting from the dgd-usage.txt document here ...

---Begin Quote---
* the alternative routes check the neighbour state not only for gateways but for hosts, i.e. for any kind of neighbours. Note that in some cases the neighbour can remain in reachable state while its nexthops are failed. For example, it is even possible the gateway to be a proxy ARP server and the gateway IP to remain always in reachable state. In such case we can not notice the real state of the gateway's IP.

* the alternative routes can be a list from unipath or multipath routes, using NOARP and ARP devices. As result, the first alive or first suspected (but not dead) route is selected by inspecting the state of the gateways in each path or the neighbours through the used device from the path.

* as result we take care of the state of each path in a multipath route and we try to use only the alive paths considering their relative weights
---End Quote---

In the current situation I am dealing with, the first-hop gateway is always reachable. It is only the subsequent hops which can go down. And when that happens, the dead gateway detection doesn't work, the outgoing traffic keeps on going out through the dead ISP's WAN interface. But what confuses me is that DGD does work for one of the ISPs which is also identically connected. Could running routed / gated play a role here in resolving this problem ?

>
> Have you tried to engage Julian in a conversation to resolve this? He
> posts here occasionally but I do not know if he answers questions about
> DGD off this list.

I have not done it so far.

> --
> gypsy
>

Thanks once again for your suggestions.

-- 
Manish Kathuria

From kenneth.kalmer at gmail.com Mon Jan 30 12:33:41 2006
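The monitor Manish sketches above (and gypsy's ping-per-WAN-interface pointer) is a small state machine: one probe per link every 5 seconds, fail over after 8-10 consecutive failures, and go back to the multipath default once the link answers again. As an added example, not from either post, here it is in POSIX sh with the decision logic separated from the route commands so the hysteresis can be checked without a network; link names, gateways, devices and the probe host are placeholders, and the ip(8) commands are printed rather than executed.

```sh
#!/bin/sh
# Added example, not from the thread: the monitor Manish sketches (one probe
# per WAN link every 5 seconds, fail over after 8-10 consecutive failures,
# restore the multipath default when the link answers again), written as a
# state machine with hysteresis so the decisions can be checked without a
# network. Link names, gateways and devices are placeholders.

FAIL_LIMIT=8   # consecutive failures before failover, and successes before restore
GW_WAN1=198.51.100.1; DEV_WAN1=eth1   # placeholders
GW_WAN2=203.0.113.1;  DEV_WAN2=eth2   # placeholders

# Per-link state lives in shell variables <link>_fails, <link>_oks, <link>_state.
link_get() { eval "printf '%s' \"\${${1}_$2:-$3}\""; }
link_set() { eval "${1}_$2=\$3"; }

# probe_result LINK ok|fail
# Updates the counters and sets DECISION to "failover LINK", "restore LINK"
# or "-". A single good reply clears the failure run and vice versa, so a
# flapping link never crosses the threshold. The result goes into a
# variable rather than stdout so the state survives (a $(...) call would
# update a throwaway subshell).
probe_result() {
    link=$1
    state=$(link_get "$link" state up)
    fails=$(link_get "$link" fails 0)
    oks=$(link_get "$link" oks 0)
    if [ "$2" = fail ]; then fails=$((fails + 1)); oks=0
    else                     oks=$((oks + 1));     fails=0
    fi
    link_set "$link" fails "$fails"; link_set "$link" oks "$oks"
    DECISION="-"
    if [ "$state" = up ] && [ "$fails" -ge "$FAIL_LIMIT" ]; then
        link_set "$link" state down; DECISION="failover $link"
    elif [ "$state" = down ] && [ "$oks" -ge "$FAIL_LIMIT" ]; then
        link_set "$link" state up;   DECISION="restore $link"
    fi
}

# route_command DECISION -> the ip(8) commands that transition would run,
# printed rather than executed (pipe to sh on the router). 'ip route flush
# cache' follows every change, as gypsy advises. Mirrors Manish's two-link
# plan: a dead link moves the default route to the other ISP, a recovered
# link brings back the equal-weight multipath default.
route_command() {
    case $1 in
        "failover wan1") echo "ip route replace default via $GW_WAN2 dev $DEV_WAN2 && ip route flush cache" ;;
        "failover wan2") echo "ip route replace default via $GW_WAN1 dev $DEV_WAN1 && ip route flush cache" ;;
        "restore "*)     echo "ip route replace default nexthop via $GW_WAN1 dev $DEV_WAN1 weight 1 nexthop via $GW_WAN2 dev $DEV_WAN2 weight 1 && ip route flush cache" ;;
        *)               echo "" ;;
    esac
}

# Monitor loop as it would run on the router (not executed here; PROBE_HOST
# is a placeholder for a host that must always answer):
#   while :; do
#       probe_result wan1 "$(ping -c 1 -W 2 -I "$DEV_WAN1" "$PROBE_HOST" >/dev/null 2>&1 && echo ok || echo fail)"
#       route_command "$DECISION" | sh
#       probe_result wan2 "$(ping -c 1 -W 2 -I "$DEV_WAN2" "$PROBE_HOST" >/dev/null 2>&1 && echo ok || echo fail)"
#       route_command "$DECISION" | sh
#       sleep 5
#   done
```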
From: kenneth.kalmer at gmail.com (Kenneth Kalmer)
Date: Mon Jan 30 12:33:43 2006
Subject: [LARTC] Suggestions for a new shaper
Message-ID:

Guys

Reading through my lartc mail, and thinking on how to tackle my next shaping solution, gave me an idea. I'd like to propose this idea for scrutiny and if it sounds viable I'll definitely need to start developing in due time.

For me in my day to day work with developing network applications specifically geared for middle-tier ISP's, and reading on other people's issues, I gather that the following would be the ultimate solution to traffic jams.

First the case study. An untrusted network with over-subscribed users (and abusers). Common at universities and bigger enterprises. People want good speed at any time, but abusers should be detected and clamped down automatically. This system needs intelligence. Let's say a good combo between HTB & WRR, throw in a pacemaker and the configurability of XML files.

My thinking is Python (I only code interpreted) doing the configurations and "live" htb manipulation to simulate wrr, but still offer the guarantees of htb. To account for data and detect abusers, something like pmacctd would be easy to integrate with and provides powerful options.

Extra things should be the ability to handle multiple subnets, not just a single one, and while doing Python we might as well have options to produce rrd's to make sure that everything is running perfectly.

Any advice, tips or suggestions? I know it won't be an easy feat, but it is worth a shot...

Best

-- 
Kenneth Kalmer
kenneth.kalmer@gmail.com

Folding@home stats
http://fah-web.stanford.edu/cgi-bin/main.py?qtype=userpage&username=kenneth%2Ekalmer

From lhaond at bearstech.com Mon Jan 30 12:55:30 2006
From: lhaond at bearstech.com (Laurent Haond)
Date: Mon Jan 30 12:55:38 2006
Subject: [LARTC] tc qdisc ingress problem ?
In-Reply-To: <43D8A568.8040202@bearstech.com>
References: <43D8A568.8040202@bearstech.com>
Message-ID: <43DDFEB2.7040203@bearstech.com>

Laurent Haond wrote:

>Hi, all
>
>I've got problems with tc qdisc ingress.
>I'm using vanilla kernel 2.6.14.4 patched with
>http://www.ssi.bg/~ja/routes-2.6.14-12.diff, and iproute2-2.6.14-051107.
>
>i am using ingress to limit incoming traffic :
>(DEV is eth1 / DOWNLINK is 7700)
>
># attach ingress policer:
>tc qdisc add dev $DEV handle ffff: ingress
>
># filter *everything* to it (0.0.0.0/0), drop everything that's
># coming in too fast:
>tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
> 0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1
>
>This does limit traffic but to ~32KB/s !!
>
>#tc -s qdisc show dev eth1
>[...]
>qdisc ingress ffff: ----------------
> Sent 37001411 bytes 51120 pkt (dropped 3422, overlimits 0 requeues 0)
> rate 0bit 0pps backlog 0b 0p requeues 0
>
>Is it normal to have dropped packets without overlimits ??
>
>Could it be related to CPU performance (overload), i'm using a wrap2
>board (geode sc1100 at 266Mhz) ?
>Running top during a big download, it appears that cpu is 95% idle...
>
>Thanks
>
>Laurent Haond
>

Finally, I've found the solution, on this hardware it seems that NET_SCH clock cannot rely on CPU clock, I recompiled a kernel with :

CONFIG_NET_SCH_CLK_GETTIMEOFDAY=y

instead of

CONFIG_NET_SCH_CLK_CPU=y

and now everything seems to be OK.

Laurent

From ccarstea at orion.ro Mon Jan 30 13:15:02 2006
From: ccarstea at orion.ro (Cristian Carstea)
Date: Mon Jan 30 13:14:08 2006
Subject: [LARTC] u32 match versus iptables CLASSIFY target - performance
Message-ID: <33308.82.76.57.78.1138623302.squirrel@mail.orion.ro>

hello,

i have a question:
- which one is faster: "tc filter with u32 match per dst ip" or "iptables match per dst ip with target CLASSIFY"?
- this question is for large rulesets (over 500)

thank you,
cristian carstea

From surda at shurdix.com Mon Jan 30 13:26:33 2006
From: surda at shurdix.com (Peter Surda)
Date: Mon Jan 30 13:26:40 2006
Subject: [LARTC] Suggestions for a new shaper
In-Reply-To: 
References: 
Message-ID: <43DE05F9.7090904@shurdix.com>

Kenneth Kalmer wrote:
> Guys
> Hi,
> First the case study. An untrusted network with over-subscribed users
> (and abusers). Common at universities and bigger enterprises. People
> want good speed at any time, but abusers should be detected and
> clamped down automatically. This system needs intelligence. Let's say
> a good combo between HTB & WRR, throw in a pacemaker and the
> configurability of XML files.

I have a lot of experience in networks like this, so I'll post some comments:

> My thinking is Python (I only code interpreted) doing the
> configurations and "live" htb manipulation to simulate wrr, but still
> offer the guarantees of htb.

I have heard that HTB doesn't scale well when you have it arranged in this way (search "Ostrochovsky" in the archives, or perhaps it was another list => use google). This would have to be analysed. Usually I avoid it by creating more levels (think binary tree), but I don't have any measurements on high load.

WRR on the other hand has many advantages: it scales very well, automatically penalizes abusers, and behaves predictably (I performed a statistical-mathematical analysis of one such case last week, got great results). There is one problem though: what it distributes is actually sending frequency, not bandwidth. Therefore, you can't set limits to traffic of individuals, you can't give anyone "guaranteed" bandwidth, or give someone "twice as much bandwidth as the others". You can set it up so that certain IPs are penalized less or more, but there is no way to give them specific bandwidth.

In my experience (my customers) sometimes want to set specific bandwidths, but after using WRR for some time, due to its fairness characteristics they decide it's not necessary.
A commercial ISP may have different requirements though, so that they can sell different bandwidths for different prices.

Although I don't have a mathematical proof :-), I think that these two approaches are mutually exclusive. If you want predictable behaviour (no latency peaks), you can either give individual people specific bandwidth, or you can utilize the bandwidth fully. You can't utilize the whole bandwidth while giving people specific amounts of it.

Nevertheless, I have some ideas how to bring certain advantages of HTB to WRR:
- if you want to cap someone, you may be able to use a htb inside one wrr-subclass
- if you want to guarantee someone's bandwidth, give him a permanently higher weight (cap others to a lower weight), put htb there and set its rate

(For comparison, I use ESFQ inside the wrr-subclasses.)

I'd like to stress however that you lose a lot of WRR's predictability if you manually fiddle with the settings. This would have to be tested extensively.

> Extra things should be the ability to handle multiple subnets, not
> just a single one,

WRR handles multiple subnets without problems and without the need to set anything (classes are assigned dynamically as the IPs appear).

> and while doing Python we might as well have
> options to produce rrd's to make sure that everything is running
> perfectly.

Sorry for advertisement (again). Shurdix already does this, most of it automatically (and uses perl, but the scripts are very simple). I use ipt_ACCOUNT for accounting because I want it to be independent from traffic control, but WRR has its own accounting method (look on their website, it is also more precise, because iptables-based accounting doesn't know about packets that are dropped while doing egress).

> Any advice, tips or suggestions? I know it won't be an easy feat, but
> it is worth a shot...
As I said, the first thing you should do is to set your priorities:
- if you want to utilise the bandwidth fully, go WRR
- if you want to set specific parameters, go HTB

And you have to test, test, test, because if you lose predictability you're screwed :-).

> Best
> Kenneth Kalmer

Yours sincerely,
Peter

--
http://www.shurdix.org - Linux distribution for routers and firewalls

From dor at ldc.net Mon Jan 30 13:28:30 2006
From: dor at ldc.net (Dmytro O. Redchuk)
Date: Mon Jan 30 13:28:39 2006
Subject: [LARTC] u32 match versus iptables CLASSIFY target - performance
In-Reply-To: <33308.82.76.57.78.1138623302.squirrel@mail.orion.ro>
References: <33308.82.76.57.78.1138623302.squirrel@mail.orion.ro>
Message-ID: <20060130122830.GC9242@ldc.net>

On Mon, Jan 30, 2006 at 02:15:02PM +0200, Cristian Carstea wrote:
> hello,
>
> i have a question:
> - which one is faster: "tc filter with u32 match per dst ip" or "iptables
> match per dst ip with target CLASSIFY"?
> - this question is for large rulesets (over 500)

Use hashes if it's possible to hash those "ip dst".

>
> thank you,
> cristian carstea

--
  _,-=._              /|_/|
  `-.}   `=._,.-=-._., @ @._,
     `._ _,-.   )      _,.-'
        ` G.m-"^m`m'   Dmytro O. Redchuk

From lartc at ssi.bg Mon Jan 30 13:35:36 2006
From: lartc at ssi.bg (Anton Glinkov)
Date: Mon Jan 30 13:35:39 2006
Subject: [LARTC] HTB prio question
Message-ID: <33479.217.79.71.231.1138624536.squirrel@217.79.71.231>

Hello

Is the prio specification in the htb class global or is it on a per class basis? A simple example:

class 1:10  parent 1:
class 1:130 parent 1:10  prio 3

class 1:170 parent 1:10  prio 7
class 1:171 parent 1:170 prio 1
class 1:172 parent 1:170 prio 2

Which class will get excessive bandwidth first? 130 or 171/172?

Thanks.

From kenneth.kalmer at gmail.com Mon Jan 30 14:30:06 2006
From: kenneth.kalmer at gmail.com (Kenneth Kalmer)
Date: Mon Jan 30 14:30:09 2006
Subject: [LARTC] Suggestions for a new shaper
In-Reply-To: <43DE05F9.7090904@shurdix.com>
References: <43DE05F9.7090904@shurdix.com>
Message-ID: 

On 1/30/06, Peter Surda wrote:
> Kenneth Kalmer wrote:
> > Guys
> Hi,

Hi Peter

> > First the case study. An untrusted network with over-subscribed users
> > (and abusers). Common at universities and bigger enterprises. People
> > want good speed at any time, but abusers should be detected and
> > clamped down automatically. This system needs intelligence. Let's say
> > a good combo between HTB & WRR, throw in a pacemaker and the
> > configurability of XML files.
> I have a lot of experience in networks like this, so I'll post some
> comments:

I know, I've learned a lot about WRR from your postings and hacking shurdix to sh*t... :)

> > My thinking is Python (I only code interpreted) doing the
> > configurations and "live" htb manipulation to simulate wrr, but still
> > offer the guarantees of htb.
> I have heard that HTB doesn't scale well when you have it arranged in
> this way (search "Ostrochovsky" in the archives, or perhaps it was
> another list => use google). This would have to be analysed. Usually I
> avoid it by creating more levels (think binary tree), but I don't have
> any measurements on high load.

Understood

> WRR on the other hand has many advantages: it scales very well,
> automatically penalizes abusers, and behaves predictably (I performed a
> statistical-mathematical analysis of one such case last week, got great
> results). There is one problem though: what it distributes is actually
> sending frequency, not bandwidth. Therefore, you can't set limits to
> traffic of individuals, you can't give anyone "guaranteed" bandwidth, or
> give someone "twice as much bandwidth as the others". You can set it up
> so that certain IPs are penalized less or more, but there is no way to
> give them specific bandwidth.
I got this under control, I just have to automate this in my current setup.

> In my experience (my customers) sometimes want to set specific
> bandwidths, but after using WRR for some time, due to its fairness
> characteristics they decide it's not necessary. A commercial ISP may
> have different requirements though, so that they can sell different
> bandwidths for different prices.

This is true, but a product of ours needs to offer a best-of-both-worlds solution... I also think a lot of other people would benefit from such a setup if, and when, it works as advertised. Imagine that everyone can use the internet at full speed, but as soon as the CEO needs to view a webcast everyone is slowed down to accommodate him. I know it's great in theory, but some people will demand this...

> Although I don't have a mathematical proof :-), I think that these two
> approaches are mutually exclusive. If you want predictable behaviour (no
> latency peaks), you can either give individual people specific
> bandwidth, or you can utilize the bandwidth fully. You can't utilize the
> whole bandwidth while giving people specific amounts of it.

Here I tend to disagree... Unless tc and the kernel can't handle it properly, why can't wrr be partially simulated by constantly adjusting the rates of HTB classes? I use wrr myself and love it, but there are things in htb that I desire in wrr (and vice versa).

> Nevertheless, I have some ideas how to bring certain advantages of HTB
> to WRR:
> - if you want to cap someone, you may be able to use a htb inside one
> wrr-subclass
> - if you want to guarantee someone's bandwidth, give him a permanently
> higher weight (cap others to a lower weight), put htb there and set its rate
>
> (For comparison, I use ESFQ inside the wrr-subclasses).

So do I, but I never even thought about attaching an htb to a wrr.
I still want to try creating two HTB siblings and attaching a wrr to each of them, but IIRC you said in one of your postings to me that either wrr or the kernel doesn't like this very much and it will eventually panic.

> I'd like to stress however that you lose a lot of WRR's predictability
> if you manually fiddle with the settings. This would have to be tested
> extensively.

Bumped my head several times with the insane wrr params...

> > Extra things should be the ability to handle multiple subnets, not
> > just a single one,
> WRR handles multiple subnets without problems and without the need to
> set anything (classes are assigned dynamically as the IPs appear).

This is very cool, I know... The same can be simulated by a script...

> > and while doing Python we might as well have
> > options to produce rrd's to make sure that everything is running
> > perfectly.
> Sorry for advertisement (again). Shurdix already does this, most of it
> automatically (and uses perl, but the scripts are very simple). I use
> ipt_ACCOUNT for accounting because I want it to be independent from
> traffic control, but WRR has its own accounting method (look on their
> website, it is also more precise, because iptables-based accounting
> doesn't know about packets that are dropped while doing egress).

Advertise as much as you like. As stated earlier I've hacked shurdix to sh*t to see how you achieve things and to get a working wrr config. The problem is that a lot of people, like us, tend to roll our own 'all-in-one' solutions that need a host of other software and services running over several boxes, all very tightly integrated to deliver an in-house ISP (for the lack of a better word). Everything we build starts on a clean RHEL and then mutates to a fully working product (while keeping the base firmly intact).

> > Any advice, tips or suggestions? I know it won't be an easy feat, but
> > it is worth a shot...
> As I said, the first thing you should do is to set your priorities:
> - if you want to utilise the bandwidth fully, go WRR
> - if you want to set specific parameters, go HTB
>
> And you have to test, test, test, because if you lose predictability
> you're screwed :-).

Definitely. Everyone must understand that I'm not biased to either one of the algorithms, something is just telling me to try and find the middle man. Something that is both firm and fair, and can keep a constant eye on things, set guarantees and stick to them. It can be done, I'm sure, it is only a matter of time!

> > Best
> > Kenneth Kalmer
> Yours sincerely,
> Peter

As always, thanks Peter! Very much appreciated!

Regards

--
Kenneth Kalmer
kenneth.kalmer@gmail.com
Folding@home stats
http://fah-web.stanford.edu/cgi-bin/main.py?qtype=userpage&username=kenneth%2Ekalmer

From foxy202 at gmail.com Mon Jan 30 15:43:00 2006
From: foxy202 at gmail.com (foxy 202)
Date: Mon Jan 30 15:43:10 2006
Subject: [LARTC] P4 dual core vs AMD64 dual core with HTB
Message-ID: 

Hi All,

I'd like some advice, please.

I have a Linux router that does traffic control with HTB, routing and traffic counting. Currently the machine is a P4 2.2GHz with 1GB RAM. I plan to migrate to a dual core CPU. I know the P4 dual core well, but does anybody have experience with AMD64 dual core (or single core) for traffic control? I use Debian Linux for my router. Can I expect problems with HTB and iproute2 on an Athlon dual core or single core box?

Currently my problem is that I have too high a system load on the CPU (60-80%) and packet dropping. Every 15-20 sec I have a traffic freeze for 1-2 sec when more users are online.

Regards
foxy202

From paul at gpmidi.net Mon Jan 30 15:47:36 2006
From: paul at gpmidi.net (Paul M.)
Date: Mon Jan 30 15:47:38 2006
Subject: [LARTC] P4 dual core vs AMD64 dual core with HTB
In-Reply-To: 
References: 
Message-ID: 

In general the dual core Opterons tend to be a lot faster than the P4 dual cores. But it's possible that this has changed since I last saw a performance comparison of the two.

-Paul

On 1/30/06, foxy 202 wrote:
>
> Hi All,
>
> I'd like some advice, please.
>
> I have a Linux router that does traffic control with HTB, routing and traffic
> counting. Currently the machine is a P4 2.2GHz with 1GB RAM. I plan to migrate
> to a dual core CPU. I know the P4 dual core well, but does anybody have
> experience with AMD64 dual core (or single core) for traffic control? I use
> Debian Linux for my router. Can I expect problems with HTB and iproute2 on an
> Athlon dual core or single core box?
> Currently my problem is that I have too high a system load on the CPU (60-80%)
> and packet dropping. Every 15-20 sec I have a traffic freeze for 1-2 sec
> when more users are online.
>
> Regards
> foxy202
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

From Andreas.Klauer at metamorpher.de Mon Jan 30 16:22:41 2006
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Mon Jan 30 16:23:19 2006
Subject: [LARTC] HTB prio question
In-Reply-To: <33479.217.79.71.231.1138624536.squirrel@217.79.71.231>
References: <33479.217.79.71.231.1138624536.squirrel@217.79.71.231>
Message-ID: <20060130152241.GA16864@EIS>

On Mon, Jan 30, 2006 at 02:35:36PM +0200, Anton Glinkov wrote:
> Is the prio specification in the htb class global or is it on a per class
> basis? A simple example:
>
> class 1:10  parent 1:
> class 1:130 parent 1:10  prio 3
>
> class 1:170 parent 1:10  prio 7
> class 1:171 parent 1:170 prio 1
> class 1:172 parent 1:170 prio 2
>
> Which class will get excessive bandwidth first? 130 or 171/172?

I haven't tested it, but from my understanding, it should be 1:130. Children classes should not be able to borrow from the outside by themselves - they can only tell their parent to borrow for them, so it's 1:130 (prio 3) vs 1:170 (prio 7) here.

Regards
Andreas Klauer

From c-d.hailfinger.devel.2006 at gmx.net Mon Jan 30 16:29:53 2006
From: c-d.hailfinger.devel.2006 at gmx.net (Carl-Daniel Hailfinger)
Date: Mon Jan 30 16:30:01 2006
Subject: [LARTC] P4 dual core vs AMD64 dual core with HTB
In-Reply-To: 
References: 
Message-ID: <43DE30F1.5030902@gmx.net>

Hi,

foxy 202 wrote:
>
> I have a Linux router that does traffic control with HTB, routing and traffic
> counting. Currently the machine is a P4 2.2GHz with 1GB RAM. I plan to migrate
> to a dual core CPU. I know the P4 dual core well, but does anybody have
> experience with AMD64 dual core (or single core) for traffic control? I use
> Debian Linux for my router. Can I expect problems with HTB and iproute2 on an
> Athlon dual core or single core box?
> Currently my problem is that I have too high a system load on the CPU (60-80%)
> and packet dropping. Every 15-20 sec I have a traffic freeze for 1-2 sec
> when more users are online.

An Athlon64 3200+ should be sufficient for 200-400 MBit/s in each direction with HTB and traffic accounting. At least it works for me. However, if you start using tcpdump, your CPU usage will go through the roof.

Suggestion: Use oprofile and find out what demands the most performance in your setup, then fix that and retest.

Regards,
Carl-Daniel

--
http://www.hailfinger.org/

From pstaszewski at artcom.pl Mon Jan 30 16:42:13 2006
From: pstaszewski at artcom.pl (Paweł Staszewski)
Date: Mon Jan 30 16:42:13 2006
Subject: [LARTC] P4 dual core vs AMD64 dual core with HTB
Message-ID: <43DE33D5.1000004@artcom.pl>

> Hi All,
>
> I'd like some advice, please.
>
> I have a Linux router that does traffic control with HTB, routing and traffic
> counting. Currently the machine is a P4 2.2GHz with 1GB RAM. I plan to migrate
> to a dual core CPU. I know the P4 dual core well, but does anybody have
> experience with AMD64 dual core (or single core) for traffic control? I use
> Debian Linux for my router. Can I expect problems with HTB and iproute2 on an
> Athlon dual core or single core box?

I have a dual core P4 (64bit compiled) with an hfsc configuration for 4500 users. CPU load on this machine is about 20% on average with 60Mbit/s traffic.

I also want to know whether AMD (Opteron) would be better for a solution like traffic management :)

> Currently my problem is that I have too high a system load on the CPU (60-80%)

How many users do you have?
How many pps on the interfaces?
How large is the traffic load (data), and what kind of traffic?
Do you use hashing filters for traffic management (filtering)?
Is this machine doing NAT or any other iptables things?

> and packet dropping. Every 15-20 sec I have a traffic freeze for 1-2 sec
> when more users are online.

What type of interfaces do you have?
Do you use NAPI if available?

From ccarstea at orion.ro Mon Jan 30 16:44:17 2006
From: ccarstea at orion.ro (Cristian Carstea)
Date: Mon Jan 30 16:43:28 2006
Subject: [LARTC] u32 match versus iptables CLASSIFY target - performance
Message-ID: <1178.82.76.57.78.1138635857.squirrel@mail.orion.ro>

> On Mon, Jan 30, 2006 at 02:15:02PM +0200, Cristian Carstea wrote:
>> hello,
>>
>> i have a question:
>> - which one is faster: "tc filter with u32 match per dst ip" or "iptables match per dst ip with target CLASSIFY"?
>> - this question is for large rulesets (over 500)
>
> use hashes if it's possible to hash those "ip dst".

Can you please detail this a little?

Thank you,
Cristian Carstea

>
>>
>> thank you,
>> cristian carstea
>
> --
>   _,-=._              /|_/|
>   `-.}   `=._,.-=-._., @ @._,
>      `._ _,-.   )      _,.-'
>         ` G.m-"^m`m'   Dmytro O. Redchuk
>

From dor at ldc.net Mon Jan 30 17:08:18 2006
From: dor at ldc.net (Dmytro O. Redchuk)
Date: Mon Jan 30 17:08:26 2006
Subject: [LARTC] u32 match versus iptables CLASSIFY target - performance
In-Reply-To: <1178.82.76.57.78.1138635857.squirrel@mail.orion.ro>
References: <1178.82.76.57.78.1138635857.squirrel@mail.orion.ro>
Message-ID: <20060130160818.GF9242@ldc.net>

On Mon, Jan 30, 2006 at 05:44:17PM +0200, Cristian Carstea wrote:
>
> > On Mon, Jan 30, 2006 at 02:15:02PM +0200, Cristian Carstea wrote:
> >> hello,
> >>
> >> i have a question:
> >> - which one is faster: "tc filter with u32 match per dst ip" or
> "iptables match per dst ip with target CLASSIFY"?
> >> - this question is for large rulesets (over 500)
> >
> > use hashes if it's possible to hash those "ip dst".
>
> can you please detail this a little?

Mmmm... With my english.. Try this:

http://lartc.org/howto/lartc.adv-filter.hashing.html

-------
You can filter packets with a hash table, and you can cascade hashes. Each cell in a hash table can contain many filters (it seems not to be stated in the HOWTO; but it's possible and it's great).

>
> thank you,
> cristian carstea

--
  _,-=._              /|_/|
  `-.}   `=._,.-=-._., @ @._,
     `._ _,-.   )      _,.-'
        ` G.m-"^m`m'   Dmytro O. Redchuk

From peter at endian.it Mon Jan 30 17:22:35 2006
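An added example for the u32-hashing thread above (editor's code, not from the LARTC HOWTO or any poster): it generates the tc commands for a 256-bucket u32 hash table keyed on the last octet of the destination address, in the layout the HOWTO chapter Dmytro links describes, and compares the worst-case number of match evaluations against a flat list of per-IP filters. The device name eth1, parent 1:0, table number 2 and the class ids are assumptions for illustration; the header offsets (12 for source, 16 for destination) are those of the IPv4 header.

```python
import ipaddress
from typing import Dict, List

# IPv4 header byte offsets used by "hashkey mask ... at <offset>"
IPV4_SRC_OFFSET = 12
IPV4_DST_OFFSET = 16


def bucket_index(ip: str) -> int:
    """Bucket a host lands in when the table is keyed on its last octet."""
    return int(ipaddress.ip_address(ip)) & 0xFF


def tc_hash_filters(dev: str, parent: str, net: str, classes: Dict[str, str],
                    field: str = "dst", table: str = "2", prio: int = 5) -> List[str]:
    """tc commands for a u32 hash table covering one /24 (assumed example names)."""
    network = ipaddress.ip_network(net)
    if network.version != 4 or network.prefixlen != 24:
        raise ValueError("this example hashes a single IPv4 /24 on its last octet")
    offset = IPV4_DST_OFFSET if field == "dst" else IPV4_SRC_OFFSET
    base = f"tc filter add dev {dev} parent {parent} prio {prio} protocol ip"
    cmds = [
        # the root u32 filter (table 800:) must exist before anything links to it
        f"{base} u32",
        # the hash table itself: handle <table>: with 256 buckets
        f"tc filter add dev {dev} parent {parent} prio {prio} handle {table}: protocol ip u32 divisor 256",
    ]
    # one exact-match filter per host, placed in bucket <last octet> (hex)
    for ip, classid in sorted(classes.items(), key=lambda kv: int(ipaddress.ip_address(kv[0]))):
        if ipaddress.ip_address(ip) not in network:
            raise ValueError(f"{ip} is not inside {net}")
        cmds.append(f"{base} u32 ht {table}:{bucket_index(ip):x}: match ip {field} {ip} flowid {classid}")
    # finally hook the table into the root table: hash on the last address byte
    cmds.append(f"{base} u32 ht 800:: match ip {field} {network} "
                f"hashkey mask 0x000000ff at {offset} link {table}:")
    return cmds


def tc_linear_filters(dev: str, parent: str, classes: Dict[str, str],
                      field: str = "dst", prio: int = 5) -> List[str]:
    """The flat alternative: one u32 filter per host, tried in order."""
    return [f"tc filter add dev {dev} parent {parent} prio {prio} protocol ip u32 "
            f"match ip {field} {ip} flowid {classid}" for ip, classid in classes.items()]


def worst_case_matches(classes: Dict[str, str], hashed: bool) -> int:
    """Upper bound on u32 match evaluations one packet can trigger."""
    if not hashed:
        return len(classes)                 # linear list: every filter may be tried
    occupancy: Dict[int, int] = {}
    for ip in classes:
        b = bucket_index(ip)
        occupancy[b] = occupancy.get(b, 0) + 1
    return 1 + max(occupancy.values())      # the link match, then the fullest bucket


if __name__ == "__main__":
    # constructed sample: 254 hosts in 10.0.0.0/24, class 1:<last octet in hex>
    hosts = {f"10.0.0.{i}": f"1:{i:x}" for i in range(1, 255)}
    for line in tc_hash_filters("eth1", "1:0", "10.0.0.0/24", hosts):
        print(line)
    print("# worst case matches, linear:", worst_case_matches(hosts, hashed=False))
    print("# worst case matches, hashed:", worst_case_matches(hosts, hashed=True))
```

Hosts that share a last octet (two or more /24s fed into one table) simply stack in the same bucket, which is the case Dmytro mentions; a second-level table or a different hashkey mask spreads them again.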
From: peter at endian.it (Peter Warasin)
Date: Mon Jan 30 17:22:43 2006
Subject: [LARTC] loadbalancing multipath routing frequently freezes udp connections
Message-ID: <43DE3D4B.6020700@endian.it>

Hi

I recently searched in the mailing list archive and found similar problems, whose solutions helped very much, thank you.

I have the following scenario: a firewall with one LAN interface

eth0 10.1.1.1/24

and two uplink interfaces

eth1 10.2.2.1/24
eth2 10.3.3.1/24

Each uplink interface does SNAT:

iptables -t nat -I POSTROUTING -o eth1 -j SNAT --to-source 10.2.2.1
iptables -t nat -I POSTROUTING -o eth2 -j SNAT --to-source 10.3.3.1

I set up loadbalancing multipath routing as described in the howto. Then I had the often-mentioned problem that established connections leave the wrong interface after the routing cache clears. I solved this using the CONNMARK target, marking connections which left one interface and directing those packets always to the same interface using the appropriate ip rule fwmark entry.

But this works only for TCP. UDP connections (like an openvpn connection) frequently freeze. It seems that UDP packets still leave the wrong interface after a routing cache clear.

Any ideas? Do I have something wrong with the iptables mangle rules?
I used the following commands:

ip rule add prio 200 from 10.2.2.0/24 table 200
ip rule add prio 200 fwmark 200 table 200
ip route add 10.2.2.0/24 dev eth1 proto static table 200
ip route add default via 10.2.2.100 proto static table 200

ip rule add prio 201 from 10.3.3.0/24 table 201
ip rule add prio 201 fwmark 201 table 201
ip route add 10.3.3.0/24 dev eth2 proto static table 201
ip route add default via 10.3.3.100 proto static table 201

ip route add default scope global nexthop via 10.2.2.100 dev eth1 nexthop via 10.3.3.100 dev eth2

# contains MARK rules for connection initiations coming from the outside
# (portfw)
iptables -t mangle -N INCOMINGMARK
# contains MARK rules for connection initiations coming from the inside
# routed by multi path routes
iptables -t mangle -N OUTGOINGMARK
# contains MARK rules for connection initiations coming from the inside
# forced by user configuration to leave through a specific uplink
iptables -t mangle -N OUTGOINGCUSTOMMARK

iptables -t mangle -A POSTROUTING -j OUTGOINGMARK -m state --state NEW
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark -m state --state NEW -m mark ! --mark 0

iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -j OUTGOINGCUSTOMMARK -m state --state NEW
iptables -t mangle -A PREROUTING -j INCOMINGMARK -m state --state NEW

# the three user chains were created in the mangle table, so they must be
# filled with -t mangle as well (without it iptables looks in the filter table)
iptables -t mangle -A INCOMINGMARK -i eth1 -j MARK --set-mark 200
iptables -t mangle -A OUTGOINGMARK -o eth1 -j MARK --set-mark 200
iptables -t mangle -A INCOMINGMARK -i eth2 -j MARK --set-mark 201
iptables -t mangle -A OUTGOINGMARK -o eth2 -j MARK --set-mark 201

Thank you in advance, any help would be greatly appreciated

peter

--
:: e n d i a n
:: open source - open minds

:: peter warasin
:: http://www.endian.it :: peter@endian.it

From iler_ml at fastmail.fm Mon Jan 30 17:54:08 2006
From: iler_ml at fastmail.fm (iler_ml@fastmail.fm)
Date: Mon Jan 30 17:54:12 2006
Subject: [LARTC] conntrack event/hook when 'expected' connection terminates ?
Message-ID: <1138640049.13140.253099229@webmail.messagingengine.com>

Hello,

I need to understand how conntrack_core.c handles the termination of an 'expected' connection; handling in the case when the 'expected' connection arrived, then terminates. (In my conntrack module, I need to specially handle the event of termination of an 'expected' connection.)

In ip_conntrack_core.c, I can't find the call chain of deallocation of the 'expectation' after termination of the 'expected' connection. Deallocation must happen somewhere, but I don't see any hooks related to termination of the 'expected' connection. Or maybe the termination of the expected connection is not detected at all, but handled via an expiring timer? Can anyone confirm or correct this?

So my question is how the termination of an expected connection is handled by the conntrack code.

Thanks
Yakov Lerner

--
iler_ml@fastmail.fm

--
http://www.fastmail.fm - IMAP accessible web-mail

From rme at image.dk Mon Jan 30 18:45:29 2006
From: rme at image.dk (Rasmus Melgaard)
Date: Mon Jan 30 18:45:38 2006
Subject: [LARTC] Shared ADSL SHAPER
Message-ID: <200601301845.29753.rme@image.dk>

Hi,

I'm trying to make a shaper / firewall to improve sharing of bandwidth on an ADSL (3mbit down / ? mbit up).

Since the ADSL is very asymmetric, down is unimportant; I make an ingress rate limit shaper to ensure all shaping is at the Shaper, and not on the Router or the ISP.

The idea is then to make one HTB hierarchy and have each client (IP) filtered and put in a child HTB queue. This is the main idea; I have added prio to each HTB child to keep priorities for each client.

I currently use a reduced setup with total uplink limited to 160kbit, and I run first the firewall script and then the shaper script, below.

The problem is now that if I take Azureus, a bittorrent client, and let it go (no uplink limitation), it kills its own downlink speed. If I limit the uplink speed in Azureus the downlink will grow again; it is quite obvious. I've tried adding some tricks from the net, especially to improve ACK performance, but it hasn't helped.

Setup:
Clients (1-32)---Switch---Linux(shaper+firewall)---Cisco Soho 78---ISP

BR
Rasmus Melgaard

------------------------------------
FIREWALL:

Firewall script:

#First we flush our current rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

#Setup default policies to handle unmatched traffic
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

#Copy and paste these examples ...
export LAN=eth0
export WAN=eth1
export LAN_SCOPE="10.0.0.0/24"

#Then we lock our services so they only work from the LAN
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT

#(Optional) Allow access to our ssh server from the WAN
# iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT

#Drop TCP / UDP packets to privileged ports
iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP

#Finally we add the rules for NAT
iptables -I FORWARD -i ${LAN} -d ${LAN_SCOPE} -j DROP
iptables -A FORWARD -i ${LAN} -s ${LAN_SCOPE} -j ACCEPT
iptables -A FORWARD -i ${WAN} -d ${LAN_SCOPE} -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

#Tell the kernel that ip forwarding is OK
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

#MTU Clamp
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

---------------------------------------------
SHAPER:

Shaping script:

#Copy and paste these examples ...
export LAN=eth0
export WAN=eth1

#delete previous
tc qdisc del dev ${WAN} root
tc qdisc del dev ${LAN} root

#Run one tc/iptables command, echo it first, and stop the script if it fails
#(the original "$($*)" executed the command's *output*, so failures went unnoticed)
function command() {
    echo "Command -> $*"
    if ! eval "$*"
    then
        echo "Failed: $*" >&2
        exit 1
    fi
}

CEILDOWNRATE="3000mbit"
CEILRATE="160kbit"
CLIENTRATE="20kbit"
LAN_SCOPE="10.0.0.0/24"
LAN_SCOPE_PRE="10.0.0."
LAN_SCOPE_POST="/32"
LEAF_QDISC="prio"
HTB_MAIN_OPT="quantum 36000 burst 32000 cburst 16000"
HTB_LEAF_OPT="quantum 5000 burst 2000 cburst 1000"
MAX_IP_LIMIT=33

#General egress Wan port
command "tc qdisc add dev ${WAN} root handle 1: htb default 10"
command "tc class add dev ${WAN} parent 1: classid 1:1 htb rate ${CEILRATE} ceil ${CEILRATE} ${HTB_MAIN_OPT}"

#Fix general tos - new chain tosfix
command "iptables -t mangle -N tosfix"
command "iptables -t mangle -A tosfix -p tcp -m length --length 0:512 -j RETURN"
command "iptables -t mangle -A tosfix -m limit --limit 2/s --limit-burst 10 -j RETURN"
command "iptables -t mangle -A tosfix -j TOS --set-tos Maximize-Throughput"
command "iptables -t mangle -A tosfix -j RETURN"

#Fix Ack being - new chain ack
command "iptables -t mangle -N ack"
command "iptables -t mangle -A ack -m tos ! --tos Normal-Service -j RETURN"
command "iptables -t mangle -A ack -p tcp -m length --length 0:128 -j TOS --set-tos Minimize-Delay"
command "iptables -t mangle -A ack -p tcp -m length --length 128: -j TOS --set-tos Maximize-Throughput"
command "iptables -t mangle -A ack -j RETURN"

#Add rules
command "iptables -t mangle -A POSTROUTING -p tcp -m tos --tos Minimize-Delay -j tosfix"
command "iptables -t mangle -A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -j ack"

#Every ip egress
IP=1
while [ "$IP" -lt $MAX_IP_LIMIT ]
do
    CLASSID=${IP}0
    IPADDR=${LAN_SCOPE_PRE}${IP}${LAN_SCOPE_POST}
    echo "Class ID: ${CLASSID}"
    echo "IP Addrs: ${IPADDR}"

    echo "Adding Class"
    command "tc class add dev ${WAN} parent 1:1 classid 1:${CLASSID} htb rate ${CLIENTRATE} ceil ${CEILRATE} ${HTB_LEAF_OPT}"

    echo "Adding qdisc"
    command "tc qdisc add dev ${WAN} parent 1:${CLASSID} handle ${CLASSID}: ${LEAF_QDISC}"

    echo "Adding POSTROUTING filtering"
    command "iptables -I POSTROUTING -t mangle -s ${IPADDR} -j CLASSIFY --set-class 1:${CLASSID}"

    IP=$(($IP+1))
done

#ingress
command "tc qdisc add dev ${WAN} handle ffff: ingress"
command "tc filter add dev ${WAN} parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${CEILDOWNRATE} burst 30k drop flowid :1"

From sitecopy at public.linkpool.de Mon Jan 30 23:57:33 2006
From: sitecopy at public.linkpool.de (Ralph Brugger)
Date: Tue Jan 31 00:11:47 2006
Subject: [LARTC] Debian Sarge Server with iptables behind D-Link Router
Message-ID: 

Hi,

I have the network configuration shown at the end of this post.

In a "few" words: My Debian Sarge server is connected to a D-Link ADSL Router (DSL-562T). DMZ is enabled for the Debian Sarge IP on the Router.

My Linux server has two NICs.
ethlan = internal Net
ethdsl = external -> D-Link

My Linux server is configured to do NAT via iptables.

Current state - what's working:
- Access from internal LAN to Internet is working (http, https, ftp, etc)
- Access inside the LAN is working
- Access inside the LAN to the linux server is working (http, https, IMAP and SSH)
- Access from outside the LAN (from internet) to the Linux server is working for https, IMAP and SSH

***BUT***:
Same problem, similar for SSH, https and IMAP:
In an internet browser inside the LAN I can't access the webserver on the Linux Server when I enter the external URL of the Linux server (dynDNS domain name). The https page won't be opened. A simple ping to the linux server with the same dynDNS domain name works. Trying to enter the external IP of the linux server in the browser also won't work. The page won't be opened in the browser.

The page is then not opened in the browser. Via telnet to https or ssh or IMAP no connection is established either when I give the dynDNS domain name as the target. As I said, if I enter the local name or the local IP instead of the dynDNS domain name, it works.

iptables should log dropped packets. But there aren't any dropped packets.
ifconfig also does not show any errors (dropped packets) for ethlan / ethdsl.

So I've tried to understand what tcpdump shows for port 443. But I'm bound to say that I'm absolutely not firm with tcpdump.
Here's what tcpdump shows:

tcpdump for port 443: NOT working access from inside the LAN to the server's external name / the server's external IP:
=> no connection
====================================
p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win 65535
18:43:41.477631 IP lp-java.linkpool.3491 > p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win 65535
18:43:41.479358 IP p54BE15A1.dip0.t-ipconnect.de.https > lp-java.linkpool.3491: R 0:0(0) ack 1859848765 win 0
18:43:41.967525 IP lp-java.linkpool.3491 > p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win 65535
18:43:41.969239 IP p54BE15A1.dip0.t-ipconnect.de.https > lp-java.linkpool.3491: R 0:0(0) ack 1 win 0
18:43:42.468301 IP lp-java.linkpool.3491 > p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win 65535
18:43:42.470116 IP p54BE15A1.dip0.t-ipconnect.de.https > lp-java.linkpool.3491: R 0:0(0) ack 1 win 0

tcpdump for port 443: WORKING access from inside the LAN to the server's INTERNAL name / the server's INTERNAL IP:
=> Successful connection
====================================
18:45:38.773997 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: S 1505679381:1505679381(0) win 65535
18:45:38.774478 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: S 189223170:189223170(0) ack 1505679382 win 5840
18:45:38.774062 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: . ack 1 win 65535
18:45:38.774608 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: P 1:106(105) ack 1 win 65535
18:45:38.774660 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: . ack 106 win 5840
18:45:38.813185 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: P 1:1055(1054) ack 106 win 5840
18:45:38.927284 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: . ack 1055 win 64481

Is there anyone who can interpret those results? Is this enough information to see where the problem may be? Wrong routing? Linux server iptables problem? Problem inside the D-Link Router?
Any suggestions are welcome!

                   Internet
                      |
                     DSL
                      |
                      |
              D-Link DSL-562T
                192.168.200.5
                      |
                      |
------------------------------------
| Dev=ethdsl        Linux Server   |
| 192.168.200.2     lp-komodo      |
|      |                           |
| route + iptables                 |
|      |                           |
| 192.168.240.2                    |
| Dev=ethlan                       |
|----------------------------------
                      |
                      |
              Switch 10/100/1000
                      |
                      |
------------------------------------
| Dev=LAN         Windows Client   |
|                 XP Pro SP2       |
| 192.168.240.010 lp-java          |
|                                  |
------------------------------------

Regards,

Ralph
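Ralph asks what the two captures above mean. The script below is an added example, not code from any post on this list: it parses tcpdump's one-line TCP output into client-to-server flows and classifies each handshake, so that a SYN answered by a RST (the failing capture: whatever holds the external address actively refuses the connection) is told apart from an unanswered SYN (a silent drop or filter) and from a completed three-way handshake (the working capture). The sample lines are copied from Ralph's capture; the truncated first line without a timestamp is skipped.

```python
"""Classify TCP handshakes from tcpdump's one-line output.

Added example (not from the list thread): parses the 2006-era tcpdump
format used in Ralph's post and reports, per client->server flow, whether
the SYN completed a handshake, was answered with a RST, or got no answer.
"""
import re

# One tcpdump line, e.g.
#   18:43:41.479358 IP a.3491 > b.https: R 0:0(0) ack 1859848765 win 0
# Lines without a timestamp (the truncated first line in the post) do not
# match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SRPFWE.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r" win (?P<win>\d+)"
)

# Captures copied from Ralph's post: the failing external-address attempt
# and the working internal-address attempt.
FAILED_CAPTURE = """\
p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win 65535
18:43:41.477631 IP lp-java.linkpool.3491 > p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win 65535
18:43:41.479358 IP p54BE15A1.dip0.t-ipconnect.de.https > lp-java.linkpool.3491: R 0:0(0) ack 1859848765 win 0
18:43:41.967525 IP lp-java.linkpool.3491 > p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win 65535
18:43:41.969239 IP p54BE15A1.dip0.t-ipconnect.de.https > lp-java.linkpool.3491: R 0:0(0) ack 1 win 0
18:43:42.468301 IP lp-java.linkpool.3491 > p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win 65535
18:43:42.470116 IP p54BE15A1.dip0.t-ipconnect.de.https > lp-java.linkpool.3491: R 0:0(0) ack 1 win 0
""".splitlines()

WORKING_CAPTURE = """\
18:45:38.773997 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: S 1505679381:1505679381(0) win 65535
18:45:38.774478 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: S 189223170:189223170(0) ack 1505679382 win 5840
18:45:38.774062 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: . ack 1 win 65535
18:45:38.774608 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: P 1:106(105) ack 1 win 65535
18:45:38.774660 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: . ack 106 win 5840
18:45:38.813185 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: P 1:1055(1054) ack 106 win 5840
18:45:38.927284 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: . ack 1055 win 64481
""".splitlines()


def parse_line(line):
    """Return a packet dict for one tcpdump line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "src": d["src"], "dst": d["dst"], "flags": d["flags"],
        "seq": int(d["seq"]) if d["seq"] else None,
        "len": int(d["len"]) if d["len"] else 0,
        "ack": int(d["ack"]) if d["ack"] else None,
    }


def classify(lines):
    """Map (client, server) -> counters and a verdict for every SYN-initiated flow."""
    flows = {}
    for pkt in filter(None, map(parse_line, lines)):
        fwd, rev = (pkt["src"], pkt["dst"]), (pkt["dst"], pkt["src"])
        if "S" in pkt["flags"] and pkt["ack"] is None:
            # A bare SYN opens (or retransmits into) a client->server flow.
            f = flows.setdefault(fwd, {"isn": pkt["seq"], "syn": 0, "synack": 0,
                                      "rst": 0, "rst_answers_syn": False,
                                      "bytes_to_server": 0, "bytes_to_client": 0})
            f["syn"] += 1
        elif rev in flows:
            f = flows[rev]  # packet from the server side
            if "S" in pkt["flags"]:
                f["synack"] += 1
            elif "R" in pkt["flags"]:
                f["rst"] += 1
                # tcpdump prints the absolute number on the first packet it sees
                # in a direction and relative numbers afterwards (-S prints
                # absolute), so a RST answering the SYN acks isn+1 or 1.
                if pkt["ack"] in (f["isn"] + 1, 1):
                    f["rst_answers_syn"] = True
            f["bytes_to_client"] += pkt["len"]
        elif fwd in flows:
            flows[fwd]["bytes_to_server"] += pkt["len"]
    for f in flows.values():
        if f["synack"]:
            f["verdict"] = "established"   # three-way handshake completed
        elif f["rst_answers_syn"]:
            f["verdict"] = "refused"       # something actively answered with RST
        elif f["rst"]:
            f["verdict"] = "reset"         # RST that does not belong to the SYN
        else:
            f["verdict"] = "no_answer"     # silently dropped or filtered
    return flows


if __name__ == "__main__":
    for name, lines in (("failed", FAILED_CAPTURE), ("working", WORKING_CAPTURE)):
        for (client, server), f in classify(lines).items():
            print(f"{name}: {client} -> {server}: {f['verdict']} "
                  f"(syn={f['syn']} synack={f['synack']} rst={f['rst']} "
                  f"to_server={f['bytes_to_server']}B to_client={f['bytes_to_client']}B)")
```

Run on the failing capture it reports three SYNs each answered by a RST, i.e. an active refusal rather than a drop, which is why no iptables LOG rule fires.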
From gregoriandres at yahoo.com.ar Tue Jan 31 15:58:04 2006
From: gregoriandres at yahoo.com.ar (LinuXKiD)
Date: Tue Jan 31 15:58:12 2006
Subject: [LARTC] Debian Sarge Server with iptables behind D-Link Router
In-Reply-To:
Message-ID:

try next:
- Put d-link ADSL as "modem"
- Make PPPoE call under Linux
From sitecopy at public.linkpool.de Tue Jan 31 16:21:14 2006
From: sitecopy at public.linkpool.de (Ralph Brugger)
Date: Tue Jan 31 16:25:14 2006
Subject: [LARTC] Re: Debian Sarge Server with iptables behind D-Link Router
In-Reply-To:
References:
Message-ID:

Hi,

> try next:
> - Put d-link ADSL as "modem"
> - Make PPPoE call under Linux

Yes, I've already tried this - that's been my current configuration for one week ;)

But I want to understand why it's not possible to use the D-Link as a router, and what kind of problem the tcpdump results stand for.

Ralph
From ss18_2004 at yahoo.com Wed Feb 1 11:53:31 2006
From: ss18_2004 at yahoo.com (Calin Ilis)
Date: Wed Feb 1 11:53:34 2006
Subject: [LARTC] QOS server droping packets 4% loss
In-Reply-To: <43DDFEB2.7040203@bearstech.com>
Message-ID: <20060201105331.83590.qmail@web50802.mail.yahoo.com>

Hi all,

I have a problem with htb and wonder if anybody has encountered this. On my LAN I have more than 1000 clients, and I am using htb to shape the incoming traffic. The problem is that I am experiencing packet loss (about 4%) in the QoS server. The server is dropping packets even if my traffic is relatively moderate. I tried everything (estimator, setting the quantum, etc.) but it doesn't seem to improve.

My script is relatively simple:

  tc qdisc del dev eth0 root
  tc qdisc add dev eth0 root handle 1: htb default 10

  # root class
  tc class add dev eth0 parent 1:0 classid 1:1 htb rate 50000kbit ceil 50000kbit

  # default class
  tc class add dev eth0 parent 1:1 classid 1:10 htb rate 512kbit ceil 512kbit

  # and each client IP has a class associated
  tc class add dev eth0 parent 1:1 classid 1:$COUNTER htb rate 5kbit ceil 400kbit
  tc filter add dev eth0 protocol ip parent 1:0 prio 2 u32 match ip dst $IP flowid 1:$COUNTER
  # and COUNTER increments by 1 for each rule added

What could I do? Are there some kernel parameters that I could modify in order to obtain better performance?

Thanks
From jandre at megaserve.net Wed Feb 1 12:51:43 2006
From: jandre at megaserve.net (Jandre Olivier)
Date: Wed Feb 1 12:44:40 2006
Subject: [LARTC] failover routing
Message-ID: <43E0A0CF.9020801@megaserve.net>

Hi Guys,

I would just like to have advice and pointers on what the best way would be. Something like BGP or OSPF?

I have 2 internet connections at different locations, let's say connection A and B.

1.) Router A has a fast internet connection and a separate interface for clients using /lan/pppoe/ipsec etc. and another ethernet interface going to router B
2.) Router B has a similar setup as router A and also a separate ether interface for clients and one going to router A
3.) All clients get masqueraded as there is a limited amount of internet-routable IPs

Now my first thought was to write some perl/bash scripts to just ping the internet gateway address of router A and if it's down, just change the default route to router B (and vice versa), and you can still get access. This way is not very clean for me though, as I'm the one writing the scripts, while something like zebra might do this perfectly?

Just a basic idea of what my setup is. What would be my best way of doing this?

--
localhost@localdomain.za.net
From GregScott at InfraSupportEtc.com Wed Feb 1 15:40:45 2006
From: GregScott at InfraSupportEtc.com (Greg Scott)
Date: Wed Feb 1 15:40:52 2006
Subject: [LARTC] failover routing
Message-ID: <925A849792280C4E80C5461017A4B8A2031FB1@mail733.InfraSupportEtc.com>

Your script could have the backup router take on the IP address of the primary after it loses its heartbeat. You'll run into a problem with ARP caches. I saw some code floating around earlier that allowed one box to listen to the MAC address of another and respond to its ARP requests. You would need to incorporate something like this in any solution.

And this all assumes routers A and B are in parallel: all clients and both routers are on the same LAN. So you have a separate NIC between routers A and B for heartbeat. Each router has a NIC on the LAN side, and each has a NIC connecting to the Internet.

- Greg Scott
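Jandre's first idea, a script that pings router A's gateway address and moves the default route to router B when it stops answering, written out as an added example (not code from either post), with the hysteresis a practitioner would want so that one lost ping does not flip the route back and forth. The gateway addresses are placeholders, and the probe is assumed to reach router A over a directly connected interface (the heartbeat link Greg mentions), independent of the default route being changed.

```python
"""Default-route failover between two gateways, with hysteresis.

Added example for Jandre's ping-and-switch approach (not from the list
thread). The decision logic is kept free of side effects so it can be
tested; the probe and route change call out to iputils ping and iproute2.
"""
import subprocess
import time

# Placeholder gateway addresses (documentation ranges, not real routers).
PRIMARY_GW = "192.0.2.1"     # router A, probed over the direct link
BACKUP_GW = "198.51.100.1"   # router B


class Failover:
    """Decide when to move the default route from consecutive probe results.

    Requiring several consecutive failures before failing over, and several
    consecutive successes before failing back, stops a single lost echo
    (or a briefly congested link) from flapping the route.
    """

    def __init__(self, primary, backup, fail_after=3, recover_after=5):
        self.primary, self.backup = primary, backup
        self.fail_after, self.recover_after = fail_after, recover_after
        self.active = primary
        self.failures = 0
        self.successes = 0

    def observe(self, primary_ok):
        """Feed one probe result; return the gateway to switch to, or None."""
        if primary_ok:
            self.failures = 0
            self.successes += 1
            if self.active != self.primary and self.successes >= self.recover_after:
                self.active = self.primary
                return self.primary
        else:
            self.successes = 0
            self.failures += 1
            if self.active != self.backup and self.failures >= self.fail_after:
                self.active = self.backup
                return self.backup
        return None


def probe(host, timeout_s=2):
    """One ICMP echo request (iputils ping); True if the host answered."""
    result = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


def route_command(gateway):
    """iproute2 command that replaces the default route in one step."""
    return ["ip", "route", "replace", "default", "via", gateway]


def switch_default_route(gateway, dry_run=True):
    """Apply (or, in dry-run mode, only print) the route change."""
    cmd = route_command(gateway)
    if dry_run:
        print("would run:", " ".join(cmd))
    else:
        subprocess.run(cmd, check=True)  # needs root
    return cmd


if __name__ == "__main__":
    fo = Failover(PRIMARY_GW, BACKUP_GW)
    while True:
        new_gw = fo.observe(probe(fo.primary))
        if new_gw is not None:
            switch_default_route(new_gw, dry_run=True)
        time.sleep(5)
```

Because the clients are masqueraded, connections that were open at the moment of the switch do not survive it: their conntrack entries are tied to the old router's outbound address.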
From comp.techs at aspenview.org Wed Feb 1 17:31:24 2006
From: comp.techs at aspenview.org (comp.techs)
Date: Wed Feb 1 17:31:36 2006
Subject: [LARTC] prio test results
Message-ID: <648A21EA469E3848922D9860785CD5EF45670C@aspen-mail01.aspenview.org>

Hi,

Below are some test results from implementing a prio qdisc (that is also below). The qdisc is attached to a VLAN interface for my external network. Both tests were run at the same time. The links are policed at 6.0M (by our provider).

192.168.70.1 --> 192.168.30.1

My question is: if using a prio qdisc, shouldn't the iperf run with a TOS of b8 have the majority of the bandwidth?

thx
jason

  ./iperf -c 192.168.30.1 -t 20 -i 5 --tos 0xb8   [dscp 46] ef
  [  5] local 192.168.70.1 port 33483 connected with 192.168.30.1 port 5001
  [ ID] Interval       Transfer     Bandwidth
  [  5]  0.0- 5.0 sec  2.80 MBytes  4.69 Mbits/sec
  [  5]  5.0-10.0 sec   968 KBytes  1.59 Mbits/sec
  [  5] 10.0-15.0 sec  1.73 MBytes  2.90 Mbits/sec
  [  5] 15.0-20.0 sec  2.05 MBytes  3.45 Mbits/sec
  [  5]  0.0-20.2 sec  7.53 MBytes  3.13 Mbits/sec

  ./iperf -c 192.168.30.1 -t 20 -i 5 --tos 0x28   [dscp 10] af11
  [  5] local 192.168.70.1 port 33484 connected with 192.168.30.1 port 5001
  [ ID] Interval       Transfer     Bandwidth
  [  5]  0.0- 5.0 sec  2.13 MBytes  3.58 Mbits/sec
  [  5]  5.0-10.0 sec  2.37 MBytes  3.97 Mbits/sec
  [  5] 10.0-15.0 sec  2.20 MBytes  3.68 Mbits/sec
  [  5] 15.0-20.0 sec  1.75 MBytes  2.94 Mbits/sec
  [  5]  0.0-20.3 sec  8.45 MBytes  3.49 Mbits/sec

  #!/bin/sh
  tc qdisc del dev eth0.2 root
  tc qdisc add dev eth0.2 root handle 1: prio
  tc filter add dev eth0.2 parent 1:0 prio 1 protocol ip u32 \
      match ip tos 0xb8 0xfc flowid 1:1
  tc filter add dev eth0.2 parent 1:0 prio 2 protocol ip u32 \
      match ip tos 0x68 0xfc flowid 1:2
  tc filter add dev eth0.2 parent 1:0 prio 3 protocol ip u32 \
      match ip tos 0x28 0xfc flowid 1:3
  tc filter add dev eth0.2 parent 1:0 prio 3 protocol ip u32 \
      match ip tos 0x00 0xfc flowid 1:3
From nata at cnett.com.br Wed Feb 1 20:18:34 2006
From: nata at cnett.com.br (Nataniel Klug)
Date: Wed Feb 1 20:18:50 2006
Subject: [LARTC] About ip route 2 prio at tables
Message-ID: <000f01c62764$4cc2b740$0e001eac@NATANIEL>

Hello,

I am looking for an answer. I am doing something like a load share between two backbones. To one of them I send all p2p, msn and irc packets, and to the other one I send the rest I have. The problem I am facing is about prio at tables:

  ip rule add fwmark 1 table 201 prio 202

This is the rule I make. This is, I think, working fine. The default gateway is set into table 222 just like this:

  ip route add default table 222 via $GWE1 dev $IFE1

My question is: which one will get hit first? Like, when a packet comes and looks for a gateway, will it start looking in lower prio or higher prio tables? If it looks in lower, then my rule is right. The other way, I will have to rewrite it.

Att,
Nataniel Klug

From mordor at technologies.mine.nu Wed Feb 1 22:45:06 2006
From: mordor at technologies.mine.nu (Carlos Blanquer Tomas)
Date: Wed Feb 1 22:45:13 2006
Subject: [LARTC] About ip route 2 prio at tables
In-Reply-To: <000f01c62764$4cc2b740$0e001eac@NATANIEL>
References: <000f01c62764$4cc2b740$0e001eac@NATANIEL>
Message-ID: <43E12BE2.5080109@technologies.mine.nu>

Nataniel Klug wrote:
> My question is: which one will get hit first? Like, when a packet comes
> and looks for a gateway, will it start looking in lower prio or higher prio
> tables? If it looks in lower, then my rule is right. The other way, I will
> have to rewrite it.

You're doing it right.
From gregoriandres at yahoo.com.ar Wed Feb 1 23:11:10 2006
From: gregoriandres at yahoo.com.ar (LinuXKiD)
Date: Wed Feb 1 23:11:19 2006
Subject: [LARTC] Re: Debian Sarge Server with iptables behind D-Link Router
In-Reply-To:
Message-ID:

Sometimes I fail to access some HTTPS URLs or the MSN service if you (the D-Link or the router) mis-manipulate the MTU.

andres

-> But I want to understand why it's not possible to use the D-Link as a
-> router, and what kind of problem the tcpdump results stand for.
From philippe.latu at linux-france.org Wed Feb 1 23:37:25 2006
From: philippe.latu at linux-france.org (Philippe Latu)
Date: Wed Feb 1 23:37:53 2006
Subject: [LARTC] Re: Debian Sarge Server with iptables behind D-Link Router
In-Reply-To:
References:
Message-ID: <200602012337.26837.philippe.latu@linux-france.org>

Hello,

On Wednesday 1 February 2006 at 23:11, LinuXKiD wrote:
> Sometimes I fail to access some HTTPS URLs or the MSN service
> if you (the D-Link or the router) mis-manipulate the MTU.

Did you try the TCPMSS netfilter target? For instance:

  -A POSTROUTING -o ppp0 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss \
      1400:1536 -j TCPMSS --clamp-mss-to-pmtu
  -A POSTROUTING -o ppp0 -j MASQUERADE

As you are probably using PPPoE on the telephone loop, the maximum transmit unit cannot reach its maximum of 1500 bytes. The PPPoE header takes 4 bytes.

You should also let some ICMP packets in, in order to have PMTU discovery effective.

HTH,

--
- Philippe Latu
< G N U / Linux >            philippe.latu(at)linux-france.org
Projet inetdoc.Linux         http://www.linux-france.org/prj/inetdoc
< I U T 'A' Paul Sabatier >  philippe.latu(at)iut-tlse3.fr - 05.62.25.80.28
Lecturer / Systems & Network project officer

From rani79 at idm.net.lb Thu Feb 2 08:33:51 2006
From: rani79 at idm.net.lb (Rani Ahmed)
Date: Thu Feb 2 08:33:50 2006
Subject: [LARTC] A question in tcng
Message-ID: <43E1B5DF.7070302@idm.net.lb>

This is my tcng code. When converting tcng to tc code, I get in the tc code, for (ipproto "skip"), => (ipproto 57). Sure, it's taken from the mapping in /etc/protocols. ipproto is the protocol value.

What kind of "ipproto" integer value should it be to mean (ipproto "any") or (ipproto "whatever") or (ipproto "don't_care")? I'll replace the string value later from my /etc/protocols. However, I think it's zero.

I know I could have not inserted the option (ipproto), but it's complaining about it. rsvp is not working as rsvp() (without parameters, I mean). The documentation says it can be without parameters.

  ingress {
      // can be also rsvp(ipproto "tcp") or whatever in /etc/protocols according to requirements
      rsvp(ipproto "skip") {
          // example on using the on() function
          /* on ( src 192.168.2.1 ,sport 30, dst 192.168.2.1, dport 21)
             police(rate 5kBps,burst 5kB) drop ; */
          class(1)
              on ( src 192.168.2.2 , dst 192.168.2.1)
              police(rate 5kBps,burst 50kB) drop ; //,mtu 1510B
      } // end rsvp
  } // end ingress
From: gregoriandres at yahoo.com.ar (LinuXKiD)
Date: Thu Feb 2 09:41:06 2006
Subject: [LARTC] Re: Debian Sarge Server with iptables behind D-Link Router
In-Reply-To: <200602012337.26837.philippe.latu@linux-france.org>
Message-ID:

very good. thank you

->
-> Hello,
->
-> On Wednesday 1 February 2006 23:11, LinuXKiD wrote:
-> > Some times, I fail to access some HTTPS URLs or MSN service
-> > if you (dlink or router) miss manipulate mtu
->
-> Did you try the TCPMSS netfilter target ?
->
-> For instance :
-> -A POSTROUTING -o ppp0 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
-> -A POSTROUTING -o ppp0 -j MASQUERADE
->
-> As you are probably using pppoe on the telephone loop, the maximum transmit unit cannot reach its maximum 1500 bytes.
-> The pppoe header takes 4 bytes.
->
-> You should also let some icmp packets get in in order to have pmtu discovery effective.
->
-> HTH,
->
-> >
-> > andres
-> >
-> > -> Hi,
-> > ->
-> > -> > try next:
-> > -> > - Put d-link ADSL as "modem"
-> > -> > - Make PPPoE call under Linux
-> > ->
-> > -> Yes I've already tried this - that's my current configuration since one week ;)
-> > ->
-> > -> But I want to understand why it's not possible to use the D-Link as a router, and for what kind of problem the tcpdump results stand for.
-> > ->
-> > -> Ralph
-> > ->
-> > -> > -> Hi,
-> > -> > ->
-> > -> > -> I have the shown (end of this post) network configuration.
-> > -> > ->
-> > -> > -> In a "few" words: My Debian Sarge server is connected to a D-Link ADSL Router (DSL-562T). DMZ is enabled for the Debian Sarge IP on the Router.
-> > -> > ->
-> > -> > -> My Linux server has two NIC's.
-> > -> > -> ethlan = internal Net
-> > -> > -> ethdsl = external -> D-Link
-> > -> > ->
-> > -> > -> My Linux server is configured to make NAT via iptables.
-> > -> > ->
-> > -> > -> Current state - what's working:
-> > -> > -> - Access from internal LAN to Internet is working (http, https, ftp, etc)
-> > -> > -> - Access inside the LAN is working
-> > -> > -> - Access inside the LAN to the linux server is working (http, https, IMAP and SSH)
-> > -> > -> - Access from outside the LAN (from internet) to the Linux server is working for https, IMAP and SSH
-> > -> > ->
-> > -> > -> ***BUT***:
-> > -> > -> Same Problem similar for SSH, https and IMAP:
-> > -> > -> On an internet browser inside the lan I can't access the webserver on the Linux Server when I enter the external URL of the Linux server (dynDNS domain name).
-> > -> > -> The https-page won't be opened. A simple ping to the linux server with the same dynDNS domain name works. Trying to enter the external IP of the linux server in the browser also won't work.
-> > -> > -> The page won't be opened in the browser.
-> > -> > ->
-> > -> > -> The page is then not opened in the browser. Via telnet to https or ssh or IMAP, likewise no connection is established when I give the dynDNS domain name as the target. As said, if I enter the local name or the local IP instead of the dynDNS domain name, then it works.
-> > -> > ->
-> > -> > -> iptables should log dropped packets. But there aren't any dropped packets.
-> > -> > -> Ifconfig also does not show any errors (dropped packets) for ethlan / ethdsl.
-> > -> > ->
-> > -> > -> So I've tried to understand what tcpdump shows for port 443. But I'm bound to say that I'm absolutely not firm with tcpdump.
From sorin.panca at gmail.com Thu Feb 2 09:58:41 2006
From: sorin.panca at gmail.com (Sorin Panca)
Date: Thu Feb 2 09:52:26 2006
Subject: [LARTC] tunneled tc
Message-ID: <43E1C9C1.8080503@gmail.com>

Hello!

I've posted recently a question about shaping tunneled traffic. Now I ask a shorter question: I tried to add a HTB qdisc to a gre tunnel interface and after that there is no traffic going out into the tunnel. The classes, filters and qdiscs are ok. Does anyone know what else I should do for it to work?
Then I tried to add a txqueuelen but with no effect (after the command completed, I still have a 0 txqueuelen). The gre interface doesn't have a default qdisc.
I'm running linux-2.6.15 on a Gentoo system.
Please help! Any advice is useful now.
Thank you in advance!

Sorin

From s.heidl at teles.de Thu Feb 2 10:15:18 2006
From: s.heidl at teles.de (Sebastian Heidl)
Date: Thu Feb 2 10:16:50 2006
Subject: [LARTC] failover routing
In-Reply-To: <925A849792280C4E80C5461017A4B8A2031FB1@mail733.InfraSupportEtc.com>
References: A849792280C4E80C5461017A4B8A2031FB1@mail733.InfraSupportEtc.com>
Message-ID: <1138871718.10432.273.camel@sehe-c4.berlin.teles.de>

On Wed, 2006-02-01 at 08:40 -0600, Greg Scott wrote:
> Your script could have the backup router take on the IP Address of the primary after it loses its heartbeat. You'll run into a problem with ARP caches. I saw some code floating around earlier that allowed one box to listen to the MAC address of another and respond to its ARP requests. You would need to incorporate something like this in any solution.

Heartbeat (http://www.linux-ha.org/) does a gratuitous ARP (sends an ARP-reply broadcast) when it takes over the ip of the other host, so the clients _should_ know the new MAC address belonging to the router.

_sh_

> And this all assumes routers A and B are in parallel; all clients and both routers are on the same LAN. So you have a separate NIC between routers A and B for heartbeat. Each router has a NIC on the LAN side, and each has a NIC connecting to the Internet.
>
> - Greg Scott
>
>
> -----Original Message-----
> From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Jandre Olivier
> Sent: Wednesday, February 01, 2006 5:52 AM
> To: lartc@mailman.ds9a.nl
> Subject: [LARTC] failover routing
>
> Hi Guys,
>
> I would just like to have advice and pointers on what the best way would be. Something like BGP or OSPF?
>
> I have 2 internet connections at different locations. Let's say connection A and B.
>
> 1.) router A has a fast internet connection and a separate interface for clients using lan/pppoe/ipsec etc and another ethernet interface going to router B
>
> 2.) router B has a similar setup as router A and also a separate ether interface for clients and one going to router A
>
> 3.) all clients get masqueraded as there is a limited amount of internet routable ips
>
> Now my first thought was to write some perl/bash scripts to just ping your internet gateway address of Router A and if it's down, just change your default route to router B and vice versa, and you can still get access.
> This way for me is not very clean though, as I'm the one writing the scripts; something like zebra might do this perfectly?
> Just a basic idea of what my setup is. What would be my best way of doing this?
>
> --
> /*---------------------------------------------------------------------*/
>            __ _
> ---------- / / (_)__ __ ____ __ ---------
> ------- / /__/ / _ \/ // /\ \/ / --------
> ---- /____/_/_//_/\_,_/ /_/\_\ ------
> localhost@localdomain.za.net

From admin at vdx.lt Thu Feb 2 13:12:45 2006
From: admin at vdx.lt (Vaidas)
Date: Thu Feb 2 13:12:56 2006
Subject: [LARTC] marking and limiting P2P packets
Message-ID: <20060202121248.2BF64396ED@mailhub.takas.lt>

Hello,

I am trying to shape p2p traffic to 256kbps on my dsl line. I wrote this set of commands:

DEV=eth2
ip link set imq0 up
tc qdisc add dev imq0 root handle 1:0 htb default 21 r2q 2
tc class add dev imq0 parent 1:0 classid 1:1 htb rate 530kbit
tc class add dev imq0 parent 1:1 classid 1:20 htb rate 530kbit ceil 530kbit prio 0
tc class add dev imq0 parent 1:1 classid 1:21 htb rate 64kbit ceil 256kbit prio 1
tc qdisc add dev imq0 parent 1:20 handle 20:0 sfq perturb 10
tc qdisc add dev imq0 parent 1:21 handle 21:0 sfq perturb 10
tc filter add dev imq0 parent 1:0 prio 0 protocol ip handle 6 fw flowid 1:20
tc filter add dev imq0 parent 1:0 prio 1 protocol ip handle 7 fw flowid 1:21

iptables -t mangle -N DSL-IN
iptables -t mangle -I PREROUTING -i $DEV -j DSL-IN
iptables -t mangle -A DSL-IN -p tcp -j CONNMARK --restore-mark
iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j MARK --set-mark 7
iptables -t mangle -A DSL-IN -p tcp -m mark --mark 7 -j CONNMARK --save-mark
iptables -t mangle -A DSL-IN -p udp -m ipp2p --ipp2p -j MARK --set-mark 7
iptables -t mangle -A DSL-IN -m mark --mark 0 -j MARK --set-mark 6
iptables -t mangle -A DSL-IN -j IMQ --todev 0

Marked p2p packets go to 1:21 and not marked packets go to 1:20.

And it's not working :( I tried this script with ports 21, 80 instead of the p2p mark, then it is working. I'm thinking that the problem is in marking p2p packets. What is wrong?

Linux Debian 2.4.32.v1 #1 SMP Mon Jan 30 00:14:04 UTC 2006 i686 GNU/Linux
iptables v1.3.4
ip utility, iproute2-ss041019
IPP2P v0.8.1_rc1

______________________________________
Vaidas
VDXnet systems administrator
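The DSL-IN chain above, replayed in an added simulation (my code, not from the list or from the iptables/ipp2p projects). A small rule engine models the netfilter semantics the chain depends on: MARK sets the packet mark and traversal continues, CONNMARK --save-mark and --restore-mark copy the mark between the packet and its conntrack entry, and ACCEPT in a user-defined chain ends traversal of the mangle table for that packet. The traffic is constructed, with the assumption that ipp2p's payload signatures match only the first packet of each P2P flow. The second chain is my own variant for comparison, not something from the thread: it restores the connection mark for every protocol, saves only the P2P mark, and has no early ACCEPT.

```python
"""Replay of an iptables mangle chain for the ipp2p + CONNMARK marking pattern.

Constructed example: a tiny rule engine that models the netfilter behaviour the
chain depends on, so the mark each packet would carry into imq0 can be checked
without a router.  Semantics modelled:
  - MARK sets the packet mark; traversal continues with the next rule.
  - CONNMARK --save-mark copies the packet mark into the conntrack entry,
    --restore-mark copies it back (0 if nothing was saved yet).
  - ACCEPT in a user-defined chain ends traversal of the mangle table for
    that packet, so later rules (including -j IMQ) are not reached.
  - IMQ is only recorded as reached; the real target would enqueue on imq0.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    conn: str       # constructed id of the conntrack entry the packet belongs to
    p2p_sig: bool   # assumption: does ipp2p's payload signature match this packet?
    mark: int = 0   # packet mark, reset at the start of each traversal


@dataclass
class Rule:
    target: str                              # MARK | CONNMARK-restore | CONNMARK-save | ACCEPT | IMQ
    proto: Optional[str] = None              # -p tcp / -p udp; None matches any protocol
    match: Callable[[Packet], bool] = lambda p: True   # -m mark / -m ipp2p predicate
    arg: int = 0                             # --set-mark value for MARK


def mark_is(v: int) -> Callable[[Packet], bool]:
    return lambda p: p.mark == v


def mark_not(v: int) -> Callable[[Packet], bool]:
    return lambda p: p.mark != v


def ipp2p(p: Packet) -> bool:
    return p.p2p_sig


# The DSL-IN chain exactly as posted; each comment quotes the rule it models.
POSTED_CHAIN = [
    Rule("CONNMARK-restore", "tcp"),            # -p tcp -j CONNMARK --restore-mark
    Rule("ACCEPT", "tcp", mark_not(0)),         # -p tcp -m mark ! --mark 0 -j ACCEPT
    Rule("MARK", "tcp", ipp2p, 7),              # -p tcp -m ipp2p --ipp2p -j MARK --set-mark 7
    Rule("CONNMARK-save", "tcp", mark_is(7)),   # -p tcp -m mark --mark 7 -j CONNMARK --save-mark
    Rule("MARK", "udp", ipp2p, 7),              # -p udp -m ipp2p --ipp2p -j MARK --set-mark 7
    Rule("MARK", None, mark_is(0), 6),          # -m mark --mark 0 -j MARK --set-mark 6
    Rule("IMQ"),                                # -j IMQ --todev 0
]

# Variant for comparison (my design, not from the thread): restore for every
# protocol, save only the p2p mark so an undetected connection can still be
# reclassified later, and no early ACCEPT so every packet reaches the IMQ rule.
VARIANT_CHAIN = [
    Rule("CONNMARK-restore"),
    Rule("MARK", None, lambda p: p.mark == 0 and p.p2p_sig, 7),
    Rule("CONNMARK-save", None, mark_is(7)),
    Rule("MARK", None, mark_is(0), 6),
    Rule("IMQ"),
]


def simulate(chain: List[Rule], packets: List[Packet]) -> List[Tuple[int, bool]]:
    """Return (final mark, reached IMQ rule) per packet; conntrack marks persist across packets."""
    connmark = {}   # conntrack entry id -> saved mark
    out = []
    for pkt in packets:
        pkt.mark = 0
        reached_imq = False
        for rule in chain:
            if rule.proto is not None and rule.proto != pkt.proto:
                continue
            if not rule.match(pkt):
                continue
            if rule.target == "MARK":
                pkt.mark = rule.arg
            elif rule.target == "CONNMARK-restore":
                pkt.mark = connmark.get(pkt.conn, 0)
            elif rule.target == "CONNMARK-save":
                connmark[pkt.conn] = pkt.mark
            elif rule.target == "IMQ":
                reached_imq = True
            elif rule.target == "ACCEPT":
                break
        out.append((pkt.mark, reached_imq))
    return out


def sample_packets() -> List[Packet]:
    """Constructed traffic: ipp2p recognises only the first packet of each p2p flow."""
    return [
        Packet("tcp", "tcp-p2p", True), Packet("tcp", "tcp-p2p", False), Packet("tcp", "tcp-p2p", False),
        Packet("udp", "udp-p2p", True), Packet("udp", "udp-p2p", False), Packet("udp", "udp-p2p", False),
        Packet("tcp", "tcp-web", False), Packet("tcp", "tcp-web", False),
    ]


if __name__ == "__main__":
    for name, chain in (("posted", POSTED_CHAIN), ("variant", VARIANT_CHAIN)):
        print(name, simulate(chain, sample_packets()))
```

Running both chains over the same packets shows where the posted rules leave P2P traffic in the default class: nothing saves or restores a connection mark for UDP, so the UDP packets ipp2p does not match itself leave with mark 6, and TCP packets whose mark was restored stop at the ACCEPT rule before -j IMQ. In the variant every packet of both P2P flows keeps mark 7 and reaches the IMQ rule, while the plain web flow gets mark 6 per packet without its connection being pinned.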
From rogerindia at gmail.com Thu Feb 2 13:33:47 2006
From: rogerindia at gmail.com (Roger Singh)
Date: Thu Feb 2 13:33:49 2006
Subject: [LARTC] Virtual Interface
Message-ID:

Hi Guys,

I want to create multiple virtual interfaces on a system running linux 2.6. The main requirement being to assign a unique MAC address for each of the virtual interfaces.

I need to know if this is possible and will really appreciate it if someone can provide me a pointer in this direction.

Thanks a lot.

R. Singh

From ethy.brito at inexo.com.br Thu Feb 2 13:40:29 2006
From: ethy.brito at inexo.com.br (Ethy H. Brito)
Date: Thu Feb 2 13:40:32 2006
Subject: [LARTC] marking and limiting P2P packets
In-Reply-To: <20060202121248.2BF64396ED@mailhub.takas.lt>
References: <20060202121248.2BF64396ED@mailhub.takas.lt>
Message-ID: <20060202104029.51701464@pulsar.inexo.com.br>

On Thu, 2 Feb 2006 14:12:45 +0200 "Vaidas" wrote:

> iptables -t mangle -A DSL-IN -p tcp -j CONNMARK --restore-mark
> iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j ACCEPT
> iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j MARK --set-mark 7
> iptables -t mangle -A DSL-IN -p tcp -m mark --mark 7 -j CONNMARK --save-mark
> iptables -t mangle -A DSL-IN -p udp -m ipp2p --ipp2p -j MARK --set-mark 7
> iptables -t mangle -A DSL-IN -m mark --mark 0 -j MARK --set-mark 6
> iptables -t mangle -A DSL-IN -j IMQ --todev 0

What about saving the marks with '-j CONNMARK --save-mark' unconditionally as the last rule of the DSL-IN chain?

Ethy

From math02084 at math.aegean.gr Thu Feb 2 15:18:14 2006
From: math02084 at math.aegean.gr (Papadakis Dimitrios)
Date: Thu Feb 2 15:18:16 2006
Subject: [LARTC] Linux Gateway Qos_2 interfaces (1 lan and 1 internet) problem
Message-ID: <6289C602DAA8CA4394AE9015BB08405946368A@hermes2.aegean.gr>

Hello... I have a Slackware based machine doing routing & QoS for my internal LAN users...
It has two interfaces: eth1 (100mbps) that connects to the aDSL modem (USR 9105) and eth0 (100mbps) that connects to my local LAN...
I'm using shorewall as a firewall... I think it's configured well as it's working as I want and I pass all the online firewall tests... :D
All lan users can use the masqueraded internet connection...
Now, I made a QoS script using htb and sfq and created 5 classes: 1 for interactive traffic, 1 for bulk and p2p traffic and 3 that have equal bandwidth for my 3 lan users...
Now my problem is that the traffic from 10.0.0.25 doesn't go to class 1:11 as I want... the same happens with 10.0.0.21 and 10.0.0.20.
When I see tc statistics for the classes, traffic flows to 1:10, 1:14, with the users classes (1:11, 1:12, 1:13) being idle all the time.
Happily ssh goes into the interactive class but icmp doesn't go into the interactive class... those things I've managed to test for now....
This is the first major problem... I don't know yet if ipp2p works...

misc information
-----------------
Slackware 10.2
tc utility, iproute2-ss050330
kernel 2.6.15 vanilla
iptables v1.3.3
aDSL 1024/256

What am I doing wrong?
Here is the script I use:
--------------------------------------------------------------------
#!/bin/bash
# clean existing down- and uplink qdiscs, hide errors
tc qdisc del dev eth1 root 2> /dev/null > /dev/null
tc qdisc del dev eth1 ingress 2> /dev/null > /dev/null

#Create a mangle array
iptables -t mangle -F

#MSS Clamping discovery
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

#------------------------------------ Classes -----------------------------------------------#
#Create classes
# root class
tc qdisc add dev eth1 root handle 1: htb default 14
tc class add dev eth1 parent 1: classid 1:1 htb rate 250kbps ceil 250kbps

#interactive class
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 50kbps ceil 250kbps prio 1

#users classes
tc class add dev eth1 parent 1:1 classid 1:11 htb rate 60kbps ceil 250kbps prio 2
tc class add dev eth1 parent 1:1 classid 1:12 htb rate 60kbps ceil 250kbps prio 2
tc class add dev eth1 parent 1:1 classid 1:13 htb rate 60kbps ceil 250kbps prio 2

#p2p class
tc class add dev eth1 parent 1:1 classid 1:14 htb rate 20kbps ceil 250kbps prio 6

#attach sfq on every class
tc qdisc add dev eth1 parent 1:10 handle 20: sfq perturb 10
tc qdisc add dev eth1 parent 1:11 handle 30: sfq perturb 10
tc qdisc add dev eth1 parent 1:12 handle 40: sfq perturb 10
tc qdisc add dev eth1 parent 1:13 handle 50: sfq perturb 10
tc qdisc add dev eth1 parent 1:14 handle 60: sfq perturb 10

#who goes to which class
tc filter add dev eth1 protocol ip parent 1:0 prio 2 u32 match ip src 10.0.0.25 flowid 1:11
tc filter add dev eth1 protocol ip parent 1:0 prio 2 u32 match ip src 10.0.0.20 flowid 1:12
tc filter add dev eth1 protocol ip parent 1:0 prio 2 u32 match ip src 10.0.0.21 flowid 1:13
tc filter add dev eth1 parent 1: protocol ip prio 1 handle 1 fw flowid 1:10 #we want interactive traffic here
tc filter add dev eth1 parent 1: protocol ip prio 6 handle 2 fw flowid 1:14 #we want p2p traffic here

#Sending the TOS-bits to the appropriate classes
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Delay -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Delay -j RETURN
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Cost -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Cost -j RETURN
iptables -t mangle -A PREROUTING -m tos --tos Maximize-Throughput -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -m tos --tos Maximize-Throughput -j RETURN

#Setting TOS-bit
iptables -t mangle -A PREROUTING -p icmp -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p icmp -j RETURN
iptables -t mangle -A PREROUTING -p tcp --sport telnet -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp --dport telnet -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp --sport telnet -j RETURN
iptables -t mangle -A PREROUTING -p tcp --dport telnet -j RETURN
iptables -t mangle -A PREROUTING -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp --dport ssh -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp --sport ssh -j RETURN
iptables -t mangle -A PREROUTING -p tcp --dport ssh -j RETURN
iptables -t mangle -A PREROUTING -p tcp --sport ftp -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp --dport ftp -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp --dport ftp -j RETURN
iptables -t mangle -A PREROUTING -p tcp --dport ftp-data -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp --dport ftp-data -j RETURN

# Prioritize packets to begin tcp connections, those with SYN flag set
iptables -t mangle -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 1
iptables -t mangle -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN

# ----------------------------------------------------------------------------------------------------------------------------------------------------------#
#ipp2p for marking p2p traffic
#Letting ipp2p control tcp connections
iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m ipp2p --debug --edk --kazaa --gnu --dc --bit --apple --winmx --soul --ares -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp -m mark --mark 2 -j CONNMARK --save-mark

#Letting ipp2p control udp connections
iptables -t mangle -A PREROUTING -p udp -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -p udp -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -p udp -m ipp2p --debug --edk --kazaa --gnu --dc --bit --apple --winmx --soul --ares -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p udp -m mark --mark 2 -j CONNMARK --save-mark

#mark p2p traffic
iptables -t mangle -N MARKED
iptables -t mangle -A POSTROUTING -m mark --mark 2 -j MARKED
iptables -t mangle -A MARKED -m physdev --physdev-out eth1 -j CLASSIFY --set-class 1:14
------------------------------------------------------------------------------------------------

From ryan.castellucci at gmail.com Thu Feb 2 19:08:44 2006
From: ryan.castellucci at gmail.com (Ryan Castellucci)
Date: Thu Feb 2 19:08:45 2006
Subject: [LARTC] Virtual Interface
In-Reply-To: <118619310602021004r46f6f746j27f06bffb3cd0022@mail.gmail.com>
References: <118619310602021004r46f6f746j27f06bffb3cd0022@mail.gmail.com>
Message-ID: <118619310602021008s1f18983ci60bfb2922666e160@mail.gmail.com>

You can do this with vlans, but this may not be a suitable solution, as if you want to make them work normally, you will need to tie this to a vlan capable switch.

I don't believe that alias interfaces support setting separate mac addresses; however, you might want to look at ebtables, it has some mac address rewriting functionality which may meet your needs.

On 2/2/06, Roger Singh wrote:
> Hi Guys,
>
> I want to create multiple virtual interfaces on a system running linux 2.6. The main requirement being to assign a unique MAC address for each of the virtual interfaces.
>
> I need to know if this is possible and will really appreciate it if someone can provide me a pointer in this direction.
>
> Thanks a lot.
>
> R. Singh

--
Ryan Castellucci http://ryanc.org/

From ryan.castellucci at gmail.com Thu Feb 2 19:19:03 2006
From: ryan.castellucci at gmail.com (Ryan Castellucci)
Date: Thu Feb 2 19:19:07 2006
Subject: [LARTC] Load Balancing with Instant Messenger traffic?
In-Reply-To: <43CC46D0.2090105@us.army.mil>
References: <43CC46D0.2090105@us.army.mil>
Message-ID: <118619310602021019r3eb1ea88h4ee88a0dcd01179e@mail.gmail.com>

I've seen this issue as well, it has something to do with route caching; you lose connections every 5 or 10 minutes, right?

You have a couple options....

Use iproute to create rules to tie each user to a specific connection. I've done this before and it works ok.

Another idea I just had would be to use the iptables CONNMARK and MARK extensions to tag connections with what interface they initially went out on, then use iproute rules to make routing decisions based on the packet mark.

I can probably whip up some example stuff if you need it.

On 1/16/06, Jared Ballou wrote:
> Hi, I have a box set up to distribute load over 4 satellite connections. I cannot use Instant Messenger programs with it as it stands, I believe that using iproute2, the path to the server is not being locked to one interface, so the IM servers are getting user traffic from multiple IPs. When I set just one default gateway, IMs work great. When I use the scope global/nexthop method of load balancing, IM programs will keep disconnecting and needing to reconnect. Is there a way (besides bonding) to make IM traffic locked into a certain interface? I'd like to do it balanced too since Yahoo webcams take up 30% of the bandwidth here, but if I have to I guess I could forward all that traffic out one modem and everything else out another. Thanks.

--
Ryan Castellucci http://ryanc.org/

From jantomak at yahoo.com Thu Feb 2 21:58:01 2006
From: jantomak at yahoo.com (Jan Tomak)
Date: Thu Feb 2 21:58:06 2006
Subject: [LARTC] limit number of connections per ip
Message-ID: <20060202205801.32822.qmail@web37002.mail.mud.yahoo.com>

Hello!

I've read a lot of mail archives, but can't find solutions for my problem. I have a router with about 700 users. I'm using HTB with SFQ leaf qdiscs for every user (client ip). So, each IP can have its own rate limit. This scheme is working fine for a long time. But how can I limit the number of connections (sessions) from one host? I see from ip_conntrack that some of the users have more than 1000 active connections (mostly P2P udp). As I know there is a connlimit patch for iptables, but it is capable of limiting only tcp sessions. And there is the ESFQ qdisc, allowing to divide bandwidth more fairly, but inside one class. In my case every user has its own class and I'm not able to control how many connections they make simultaneously by implementing ESFQ! Also I don't understand how to deal with it from the iptables side - connlimit will not help with UDP.

What can be done in my case?

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

From rme at image.dk Thu Feb 2 22:17:16 2006
From: rme at image.dk (Rasmus Melgaard)
Date: Thu Feb 2 22:17:22 2006
Subject: [LARTC] limit number of connections per ip
In-Reply-To: <20060202205801.32822.qmail@web37002.mail.mud.yahoo.com>
References: <20060202205801.32822.qmail@web37002.mail.mud.yahoo.com>
Message-ID: <200602022217.16269.rme@image.dk>

Well, only TCP has connections, UDP has none, it is only a stream of packets.

So for each user (IP) you could make a class for TCP and one for UDP.

      IP
     /  \
   TCP  UDP

The TCP class you already know how to limit, the UDP class I would limit with pfifo with a suitable packet limit setting (in practice this would lead to the same effect as the TCP conn. limiting). Although not a hard limit.

Extra:
I would make a separate high prio class for ICMP to communicate error, connection failures back and forth.

NB! P2P normally uses TCP (I know bittorrent does)

BR
Rasmus Melgaard

On Thursday 02 February 2006 21:58, Jan Tomak wrote:
> Hello!
>
> I've read a lot of mail archives, but can't find solutions for my problem. I have a router with about 700 users. I'm using HTB with SFQ leaf qdiscs for every user (client ip). So, each IP can have its own rate limit. This scheme is working fine for a long time. But how can I limit the number of connections (sessions) from one host? I see from ip_conntrack that some of the users have more than 1000 active connections (mostly P2P udp). As I know there is a connlimit patch for iptables, but it is capable of limiting only tcp sessions. And there is the ESFQ qdisc, allowing to divide bandwidth more fairly, but inside one class. In my case every user has its own class and I'm not able to control how many connections they make simultaneously by implementing ESFQ! Also I don't understand how to deal with it from the iptables side - connlimit will not help with UDP.
>
> What can be done in my case?

From nata at cnett.com.br Fri Feb 3 00:57:15 2006
From: nata at cnett.com.br (Nata)
Date: Fri Feb 3 00:57:26 2006
Subject: [LARTC] Problem with routing to multiple tables
Message-ID:

An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060202/aafb6f4e/attachment.htm

From nata at cnett.com.br Fri Feb 3 10:54:08 2006
From: nata at cnett.com.br (Nataniel Klug)
Date: Fri Feb 3 10:54:20 2006
Subject: [LARTC] limit number of connections per ip
References: <20060202205801.32822.qmail@web37002.mail.mud.yahoo.com> <200602022217.16269.rme@image.dk>
Message-ID: <004c01c628a7$c736e1b0$0e001eac@NATANIEL>

So Rasmus,

If I put a limit into TCP connections, will it reflect into UDP connections over the same source IP? How can I make a limit into TCP connections?

Regards,
Nataniel Klug

----- Original Message -----
From: "Rasmus Melgaard" To: Sent: Thursday, February 02, 2006 7:17 PM Subject: Re: [LARTC] limit number of connections per ip > Well, only TCP has connections, UDP has non it is only a stream of packets. > > So for each user (IP) you could make a class for TCP and one for UDP. > > IP > / \ > TCP UDP > > The TCP class you already know how to limit, the UDP class I would limit with > pfifo with a suitable packet limit setting (in pratice this would lead to det > same effect as the TCP conn. limiting). Although not a hard limit. > > Extra: > I would make a seperate high prio class for ICMP to communicate error, > connection failures back and forth. > > NB! P2P normally used TCP (I know the bittorent does) > > BR > Rasmus Melgaard > > > > On Thursday 02 February 2006 21:58, Jan Tomak wrote: > > Hello! > > > > I've read a lot of mail archives, but can't find solutions for my > > problem. I have router with about 700 users. I'm using HTB with SFQ leaf > > qdiscs for every user (client ip). So, different IP can have its own rate > > limit. This scheme ir working fine for a long time. But how can I limit > > number of connections (sessions) from one host? I see from ip_conntrack > > that some of users have more than 1000 active connections (mostly P2P udp). > > As I know there is connlimit patch for iptables, but it capable to limit > > only tcp sessions. And there is ESFQ qdisc, allowing to divide bandwidth > > more fairly, but inside one class. In my case every user have its own class > > and I'm not able to control how many connections simultaneously they do > > implementy ESFQ! Also I don't understand how to deal with it from iptables > > side - connlimit will not help with UDP. > > > > What can be done in my case? > > > > > > __________________________________________________ > > Do You Yahoo!? > > Tired of spam? Yahoo! 
Mail has the best spam protection around > > http://mail.yahoo.com > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc From rogerindia at gmail.com Fri Feb 3 16:17:25 2006 
From: rogerindia at gmail.com (Roger Singh)
Date: Fri Feb 3 16:17:28 2006
Subject: [LARTC] Virtual Interface
In-Reply-To: <118619310602021008s1f18983ci60bfb2922666e160@mail.gmail.com>
References: <118619310602021004r46f6f746j27f06bffb3cd0022@mail.gmail.com> <118619310602021008s1f18983ci60bfb2922666e160@mail.gmail.com>

Thanks Ryan.

VLAN will not work for me, I will check ebtables. BTW, I was thinking more on
lines of MAC-VLAN. I could not find much information about it. I will really
appreciate if someone can provide me some direction on this.

Thanks
R

On 2/2/06, Ryan Castellucci wrote:
>
> You can do this with vlans, but this may not be a suitable solution,
> as if you want to make them work normally, you will need to tie this to
> a vlan capable switch. I don't believe that alias interfaces support
> setting separate mac addresses, however, you might want to look at
> ebtables, it has some mac address rewriting functionality which may
> meet your needs.
>
> On 2/2/06, Roger Singh wrote:
> > Hi Guys,
> >
> > I want to create multiple virtual interfaces on a system running linux 2.6.
> > The main requirement being, to assign unique MAC address for each of the
> > virtual interfaces.
> >
> > I need to know, if this is possible and will really appreciate if someone
> > can provide me pointer in this direction.
> >
> > Thanks a lot.
> >
> > R. Singh
>
> --
> Ryan Castellucci http://ryanc.org/
From: nhgxfjijdrcd at mailinator.com (list user)
Date: Fri Feb 3 19:48:27 2006
Subject: [lartc] Virtual Interface
Message-ID: <43E3A576.2080604@mailinator.com>

Hi Roger,

[big snip: lost o.p.]

There are a couple of different approaches you might try. One is to use
uml-utilities' tunctl to create an ethernet tap. Another is to use the dummy
interface. With either method you can bridge, route, configure as you would a
physical device using ifconfig and/or ip.

The following methods work for me. I use Fedora Core 4. Its network setup
methods are in /etc/sysconfig/network-scripts.

cd /etc/sysconfig/network-scripts

# tap device: reuse the ethernet up/down scripts, create the tap if missing
ln -s ifup-eth ifup-tap
ln -s ifdown-eth ifdown-tap
echo 'ip link show tap0 | grep "tap0" 2>&1 >/dev/null || tunctl -t tap0
DEVICE=tap0
TYPE=ethernet
ONBOOT=yes
BOOTPROTO=static
MACADDR=5a:5a:5a:5a:5a:5a
NETWORK=192.168.0.0
IPADDR=192.168.0.1
BROADCAST=192.168.0.255
NETMASK=255.255.255.0' > ifcfg-tap0
ifup tap0

# dummy device: same idea (the link target is ifup-eth, as for the tap)
ln -s ifup-eth ifup-dummy
ln -s ifdown-eth ifdown-dummy
echo 'ip link show dummy0 | grep "dummy0" 2>&1 >/dev/null || {
ip link set dummy0 up
ip link set dummy0 arp on
ip link set dummy0 multicast on
}
DEVICE=dummy0
TYPE=ethernet
ONBOOT=yes
BOOTPROTO=static
MACADDR=a4:a5:a5:a5:a5:a5
NETWORK=192.168.0.0
IPADDR=192.168.0.2
BROADCAST=192.168.0.255
NETMASK=255.255.255.0' > ifcfg-dummy0
ifup dummy0

If all went well there should now be two new virtual ethernet devices, tap0 and
dummy0.

Hope this information is useful to you,

Mike Wright :m)
From: nata at cnett.com.br (Nataniel Klug)
Date: Sat Feb 4 11:52:43 2006
Subject: [LARTC] Routing for multiple interfaces (marking ports)
Message-ID: <003301c62979$0f45c490$0e001eac@NATANIEL>

Hello guys,

I am still in doubt about this kind of server. So my question is about the
"prio" at routing tables like:

I have 3 tables in /etc/iproute2/rt_tables:

201 201
202 202
222 222

In table 201 there is the rules about my internet link (frame relay) that
comes into eth0. So I made this route into it:

[root@ns2 iproute2]# ip route show table 201
default via 200.163.208.1 dev eth0 proto static src 200.163.208.3
prohibit default proto static metric 1

In table 202 there is the rules about my internet link (adsl) that comes into
eth2. So I made this route into it:

[root@ns2 iproute2]# ip route show table 202
default via 10.1.1.1 dev eth2 proto static src 10.1.1.10
prohibit default proto static metric 1

In table 222 there is the rules about both links, if I want to make balance in
them. But I don't want to balance, I just want to make all traffic from my
network to the internet that goes to port 80 go through my DSL line (eth2) and
all the rest goes through eth0 (frame relay), so into table 222 I made this
route:

[root@ns2 iproute2]# ip route show table 222
default via 200.163.208.1 dev eth0 proto static src 200.163.208.3

I have marked all packets with port 80 as destination like this:

IPT="/usr/local/sbin/iptables"
$IPT -t mangle -F
$IPT -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
$IPT -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
$IPT -t mangle -A PREROUTING -d ! 200.163.208.0/25 -p tcp -m tcp --dport 80 -j MARK --set-mark 2
$IPT -t mangle -A PREROUTING -d ! 200.163.208.0/25 -p udp -m udp --dport 80 -j MARK --set-mark 2
$IPT -t mangle -A PREROUTING -p tcp -m mark --mark 2 -j CONNMARK --save-mark
$IPT -t mangle -A PREROUTING -p udp -m mark --mark 2 -j CONNMARK --save-mark

Until now it's all right, I think. My doubt came here.

How can I set this MARK to go ONLY to the table 202? So I made a rule like this:

/sbin/ip rule add prio 210 fwmark 2 table 202

This is my problem. I think it is all working but I need to know how the TABLES
prio works. My list of tables and rules looks like this:

[root@ns2 iproute2]# ip rule
0:      from all lookup local
50:     from all lookup main
201:    from 200.163.208.0/26 lookup 201
202:    from 10.1.1.0/24 lookup 202
210:    from all fwmark 0x2 lookup 202
222:    from all lookup 222
32766:  from all lookup main
32767:  from all lookup default

This prio reads tables from lower prio (0) to higher prio (32767) or it makes
reading this the other way?

Att,
Nataniel Klug

From: peter at endian.it (Peter Warasin)
Date: Sat Feb 4 13:30:55 2006
Subject: [LARTC] Routing for multiple interfaces (marking ports)
In-Reply-To: <003301c62979$0f45c490$0e001eac@NATANIEL>
References: <003301c62979$0f45c490$0e001eac@NATANIEL>
Message-ID: <43E49E76.9070209@endian.it>

hi

Nataniel Klug wrote:
> [root@ns2 iproute2]# ip rule
> 0:      from all lookup local
> 50:     from all lookup main
> 201:    from 200.163.208.0/26 lookup 201
> 202:    from 10.1.1.0/24 lookup 202
> 210:    from all fwmark 0x2 lookup 202
> 222:    from all lookup 222
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> This prio reads tables from lower prio (0) to higher prio (32767) or it
> makes reading this the other way?

0 is the highest priority, this means the first rule which will be used.

so you must give your fwmark rule a higher priority, let's say 200, in order
to have it working. otherwise the rule with prio 201 lets packets from
200.163.208/26 go to the link in 201 regardless of their mark.

peter

--
:: e n d i a n
:: open source - open minds

:: peter warasin
:: http://www.endian.it :: peter@endian.it
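To make the rule-order point concrete, here is an added example (not code from the thread) that models the policy-routing lookup over the exact 'ip rule' list Nataniel posted: rules are walked from the lowest priority number upwards and the first matching rule whose table holds a route decides, so the fwmark rule at 210 is shadowed by the 'from 200.163.208.0/26' rule at 201 until it is moved below it as Peter suggests. Route tables are simplified to connected prefixes plus an optional default; it assumes table main carries only the connected prefixes (otherwise rule 50 would already swallow every packet) and omits the metric-1 prohibit entries, which the metric-0 default always beats.

```python
"""Model of Linux policy routing (ip rule + ip route) for the rule set in the
thread. Added example; the tables below are a simplification of what the
thread shows, not a dump from the poster's machine."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    prio: int
    table: str
    src: Optional[str] = None      # 'from' selector (CIDR); None means 'from all'
    fwmark: Optional[int] = None   # 'fwmark' selector; None means no mark test


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    fwmark: int = 0


# Route tables as the thread shows them (simplified, see lead-in). Assumption:
# main holds only the directly connected prefixes of eth0 and eth2.
TABLES = {
    "local":   {"connected": [], "default": None},
    "main":    {"connected": ["200.163.208.0/25", "10.1.1.0/24"], "default": None},
    "201":     {"connected": [], "default": ("200.163.208.1", "eth0")},
    "202":     {"connected": [], "default": ("10.1.1.1", "eth2")},
    "222":     {"connected": [], "default": ("200.163.208.1", "eth0")},
    "default": {"connected": [], "default": None},
}


def lookup_table(table: str, dst: str):
    """('direct', prefix) for a connected destination, the table's default
    (gateway, dev) otherwise, or None when the table has no route at all."""
    entry = TABLES[table]
    for prefix in entry["connected"]:
        if ip_address(dst) in ip_network(prefix):
            return ("direct", prefix)
    return entry["default"]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src is not None and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.fwmark is not None and pkt.fwmark != rule.fwmark:
        return False
    return True


def route(rules, pkt: Packet):
    """Try rules from the lowest priority number upwards; the first matching
    rule whose table yields a route wins. Returns (rule prio, route) or None."""
    for rule in sorted(rules, key=lambda r: r.prio):
        if not rule_matches(rule, pkt):
            continue
        found = lookup_table(rule.table, pkt.dst)
        if found is not None:
            return rule.prio, found
    return None


# The 'ip rule' listing from the thread.
ORIGINAL_RULES = [
    Rule(0, "local"),
    Rule(50, "main"),
    Rule(201, "201", src="200.163.208.0/26"),
    Rule(202, "202", src="10.1.1.0/24"),
    Rule(210, "202", fwmark=2),
    Rule(222, "222"),
    Rule(32766, "main"),
    Rule(32767, "default"),
]


def with_fwmark_prio(rules, prio: int):
    """Copy of the rule list with the fwmark rule moved to priority 'prio'."""
    return [Rule(prio, r.table, r.src, r.fwmark) if r.fwmark is not None else r
            for r in rules]


if __name__ == "__main__":
    # Constructed sample: a LAN host's marked port-80 packet to an outside host.
    web = Packet("200.163.208.3", "198.51.100.10", fwmark=2)
    print("fwmark rule at prio 210:", route(ORIGINAL_RULES, web))
    print("fwmark rule at prio 200:", route(with_fwmark_prio(ORIGINAL_RULES, 200), web))
```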
From: devik at cdi.cz (Devik)
Date: Sat Feb 4 14:44:43 2006
Subject: [LARTC] price

An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060204/f1b3a922/attachment.htm
A non-text attachment was scrubbed...
Name: pricelist.zip
Type: application/octet-stream
Size: 20682 bytes
Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20060204/f1b3a922/pricelist-0001.obj
From: admin at vdx.lt (Vaidas)
Date: Sun Feb 5 19:26:09 2006
Subject: [LARTC] htb prio ...
Message-ID: <20060205182553.82D525AB85@mailhub.takas.lt>

Hey, I have such a script:

tc qdisc add dev $DEV root handle 1:0 htb default 21 r2q 2
tc class add dev $DEV parent 1:0 classid 1:11 htb rate 100mbit

tc class add dev $DEV parent 1:11 classid 1:21 htb rate 512kbit ceil 512kbit
tc class add dev $DEV parent 1:11 classid 1:23 htb rate 1024kbit ceil 1024kbit
tc class add dev $DEV parent 1:11 classid 1:25 htb rate 3072kbit ceil 3072kbit

tc class add dev $DEV parent 1:21 classid 1:102 htb rate 64kbit ceil 128kbit prio 2
tc qdisc add dev $DEV parent 1:102 handle 102:0 sfq perturb 10 quantum 1600
tc filter add dev $DEV parent 1:0 prio 2 protocol ip handle 102 fw flowid 1:102
iptables -t mangle -A USERS_DL -m set ! --set local src -d 102.168.0.2 -j MARK --set-mark 102

tc class add dev $DEV parent 1:23 classid 1:103 htb rate 128kbit ceil 256kbit prio 1
tc qdisc add dev $DEV parent 1:103 handle 103:0 sfq perturb 10 quantum 1600
tc filter add dev $DEV parent 1:0 prio 1 protocol ip handle 103 fw flowid 1:103
iptables -t mangle -A USERS_DL -m set ! --set local src -d 102.168.0.3 -j MARK --set-mark 103

and so on..

The question is, can I put prio on

tc class add dev $DEV parent 1:11 classid 1:21 htb rate 512kbit ceil 512kbit prio 2 ?
tc class add dev $DEV parent 1:11 classid 1:23 htb rate 1024kbit ceil 1024kbit prio 1 ?
tc class add dev $DEV parent 1:11 classid 1:25 htb rate 3072kbit ceil 3072kbit prio 0 ?

instead of

tc class add dev $DEV parent 1:21 classid 1:102 htb rate 64kbit ceil 128kbit prio 2
tc class add dev $DEV parent 1:23 classid 1:103 htb rate 128kbit ceil 256kbit prio 1

______________________________________
Vaidas
VDXnet system administrator
From: sewlist at gmail.com (the sew)
Date: Sun Feb 5 22:35:12 2006
Subject: [LARTC] classifying packets and ports

Hi,

I've been working for a big corporate company as junior system engineer and
getting nicely to understand HTB/iproute2/iptables etc. The ordinary users
(about 500 users) can pop / smtp / skype out on the network, but I can't ssh
out, cause they blocked the ports. Thought of being clever, I let my home linux
listen on port 443 or 110 for ssh connection, but it won't connect. I even
tested it using telnet and it shows up ssh, but it won't connect with my ssh
client, but normal pop and https works. How do they block my ssh connection on
port 443, but normal https work? Do they use TOS with iptables? Bit of a brain
teaser for me.

Thanks

Sew
From: tdotreppe at gmail.com (Thomas d'Otreppe)
Date: Sun Feb 5 22:40:00 2006
Subject: [LARTC] classifying packets and ports
Message-ID: <78a2adce0602051339n2501d969p@mail.gmail.com>

maybe they use layer-7 to classify traffic

Thomas
From: jody.shumaker at gmail.com (Jody Shumaker)
Date: Mon Feb 6 00:08:50 2006
Subject: [LARTC] htb prio ...
In-Reply-To: <20060205182553.82D525AB85@mailhub.takas.lt>
References: <20060205182553.82D525AB85@mailhub.takas.lt>
Message-ID: <2af436490602051508j4241ea4bx91a00f1f55b3bd86@mail.gmail.com>

They would do different things, the prio only has to do with all other classes
that share the same parent. The prio isn't "preserved" as it goes up/down the
tree. Depending on what you want to accomplish, you really should probably be
doing it on all levels, not one or the other.

- Jody
From: admin at vdx.lt (Vaidas)
Date: Mon Feb 6 11:31:52 2006
Subject: [LARTC] p2p marking, again
Message-ID: <20060206102946.34AE154633@mailhub.takas.lt>

Hey, one more question for ipp2p

iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --restore-mark
iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j MARK --set-mark 7
iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --save-mark
iptables -t mangle -A DSL-IN -p udp -m ipp2p --ipp2p -j MARK --set-mark 7

by this set of commands, should all p2p packets mark well? Because very little
of them are marked on my server?

Chain DSL-IN (1 references)
   pkts    bytes target    prot opt in   out  source    destination
  13708  2260152 CONNMARK  tcp  --  any  any  anywhere  anywhere     ipp2p v0.8.1_rc1 --ipp2p CONNMARK restore
  11456  2016247 ACCEPT    tcp  --  any  any  anywhere  anywhere     MARK match !0x0
   2252   243905 MARK      tcp  --  any  any  anywhere  anywhere     ipp2p v0.8.1_rc1 --ipp2p MARK set 0x7
   2252   243905 CONNMARK  tcp  --  any  any  anywhere  anywhere     ipp2p v0.8.1_rc1 --ipp2p CONNMARK save
 183300 33333958 MARK      udp  --  any  any  anywhere  anywhere     ipp2p v0.8.1_rc1 --ipp2p MARK set 0x7

Only few Kbytes of tcp, and few mbytes of udp.. but downloading was up on
320kbps all night

______________________________________
Vaidas
VDXnet system administrator
From: sandro at e-den.it (Sandro Dentella)
Date: Mon Feb 6 16:12:23 2006
Subject: [LARTC] ip rule, fwmark, mangle and src IP
Message-ID: <20060206151216.GA25465@casa.e-den.it>

I made a script to test if in a multiple gateway setup all default connections
are up, regardless of the fact that that gateway is the default gw. Suppose
adsl1 and adsl2 are present, and all traffic goes by default to adsl1, and you
want to test if adsl2 is ok.

1. I use mangles from iptables to mark icmp packets to some test machines
2. I set up a routing table for each adsl
3. I use 'ip rule' to route marked packets to the gw I am testing

This works 'almost' correctly. In some situations I need to force the src
address with 'ping -I ' because the kernel seems to attach the src address
regardless of the *real* path that the packet takes. Under these circumstances
the provider refuses to route the packets.

Eg:

    /10.0.0.1 -> (gw1) 10.0.0.254 (adsl1: table adsl1 w/ default 0.254)
  FW
    \192.168.1.1 -> (gw2) 192.168.1.254 (adsl2: table adsl2 w/ default 1.254)

suppose 10.0.0.254 is the default gateway for table 'main'.

iptables -t mangle -A OUTPUT -d $TEST -p icmp -j MARK --set-mark $MARK
ip rule add fwmark $MARK table adsl2

Now a ping to $TEST would result in icmp packets sent to gw2 *but* with src
10.0.0.254 even though I used 'src 192.168.1.1' when setting the route on gw2.

Is it possible that the kernel routine that attaches the IP to the packet comes
before the 'ip rule' that looks for the fwmark?

Thanks for the attention

sandro
*:-)

--
Sandro Dentella  *:-)
e-mail: sandro@e-den.it
http://www.tksql.org            TkSQL Home page - My GPL work
From: jody.shumaker at gmail.com (Jody Shumaker)
Date: Mon Feb 6 20:23:05 2006
Subject: [LARTC] p2p marking, again
In-Reply-To: <20060206102946.34AE154633@mailhub.takas.lt>
References: <20060206102946.34AE154633@mailhub.takas.lt>
Message-ID: <2af436490602061123v58b603a2m6d0c6b4c2af6b01d@mail.gmail.com>

Bah, I don't know why I didn't notice this before in your previous email. It's
obvious now that you gave the stats output:

iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --restore-mark

that line is horribly wrong, it should be:

iptables -t mangle -A DSL-IN -p tcp -j CONNMARK --restore-mark

The whole point is that ipp2p can't match on every packet! so you save the
mark and then restore it. However, you were conditionally restoring the mark
only when ipp2p matched, which completely defeats the purpose.

There's also no reason to have the "-m ipp2p --ipp2p" when saving the mark, as
this adds more work than is necessary. Instead of:

iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --save-mark

I'd suggest:

iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j CONNMARK --save-mark

As this match would be much faster, and would mean no redundant work on
matching ipp2p.

I'd also suggest combining your tcp and udp matches for ipp2p into 1.

I'd also suggest not using the -m ipp2p --ipp2p, instead listing out the
protocols to match, even if it's all of them. For some reason, --ipp2p doesn't
match all of the safe to identify protocols. I used it at one point but then
after updating it stopped including bittorrent. As listed on the ipp2p docs
right now:

-m ipp2p --ipp2p
-m ipp2p --edk --kazaa --gnu --dc

are identical, meaning --ipp2p only matches edonkey, kazaa, gnutella, and
directconnect. Leaving out the very easy to match and common Bittorrent.

I'd suggest using:

-m ipp2p --edk --kazaa --gnu --dc --bit

In the end this would result in this for your script:

#restore mark
iptables -t mangle -A DSL-IN -p tcp -j CONNMARK --restore-mark
#skip rest of chain if packet already marked
iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j ACCEPT
#match p2p traffic.
iptables -t mangle -A DSL-IN -m ipp2p --bit --edk --kazaa --gnu --dc -j MARK --set-mark 7
#save mark
iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j CONNMARK --save-mark

- Jody
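The restore/save mistake Jody describes is easy to see by replaying the two chains over a single connection. This is an added example (not code from the thread): a toy interpreter for the mangle rules above, run over one constructed TCP flow in which only the first packet carries a pattern ipp2p would recognise. The ipp2p match is modelled as a per-packet flag, not real protocol detection; CONNMARK state is a dict keyed by the constructed connection tuple.

```python
"""Replay of Vaidas's original DSL-IN chain and Jody's corrected one over a
constructed flow. Added example; it models netfilter's MARK/CONNMARK
semantics only as far as the thread needs them."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Pkt:
    conn: Tuple[str, str]    # stand-in for the conntrack tuple (src, dst)
    proto: str               # "tcp" or "udp"
    looks_p2p: bool          # what '-m ipp2p' would report for this packet
    mark: int = 0            # skb->mark; every packet enters the chain with 0


@dataclass
class Rule:
    proto: Optional[str] = None    # '-p tcp' / '-p udp'; None matches any
    ipp2p: bool = False            # '-m ipp2p ...' present
    mark_nonzero: bool = False     # '-m mark ! --mark 0' present
    target: str = ""               # ACCEPT | MARK | RESTORE | SAVE
    set_mark: int = 0              # value for '-j MARK --set-mark'


def run_chain(chain: List[Rule], pkt: Pkt, conntrack: Dict[Tuple[str, str], int]) -> int:
    """Evaluate the chain top to bottom for one packet; returns its final mark."""
    for r in chain:
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if r.ipp2p and not pkt.looks_p2p:
            continue
        if r.mark_nonzero and pkt.mark == 0:
            continue
        if r.target == "ACCEPT":            # stop traversing this chain
            return pkt.mark
        if r.target == "MARK":              # -j MARK --set-mark N
            pkt.mark = r.set_mark
        elif r.target == "RESTORE":         # -j CONNMARK --restore-mark
            pkt.mark = conntrack.get(pkt.conn, 0)
        elif r.target == "SAVE":            # -j CONNMARK --save-mark
            conntrack[pkt.conn] = pkt.mark
    return pkt.mark


# The chain as posted: restore is gated on ipp2p, so it fires only on packets
# that ipp2p already recognises, which is exactly when restoring is pointless.
ORIGINAL_CHAIN = [
    Rule(proto="tcp", ipp2p=True, target="RESTORE"),
    Rule(proto="tcp", mark_nonzero=True, target="ACCEPT"),
    Rule(proto="tcp", ipp2p=True, target="MARK", set_mark=7),
    Rule(proto="tcp", ipp2p=True, target="SAVE"),
    Rule(proto="udp", ipp2p=True, target="MARK", set_mark=7),
]

# Jody's version: unconditional restore, early ACCEPT for already-marked
# packets, one protocol-agnostic ipp2p rule, save whenever a mark was set.
FIXED_CHAIN = [
    Rule(proto="tcp", target="RESTORE"),
    Rule(proto="tcp", mark_nonzero=True, target="ACCEPT"),
    Rule(ipp2p=True, target="MARK", set_mark=7),
    Rule(proto="tcp", mark_nonzero=True, target="SAVE"),
]


def sample_flow(proto: str, length: int = 5) -> List[Pkt]:
    """Constructed flow: only the first packet looks like P2P to ipp2p."""
    conn = ("192.0.2.10", "198.51.100.7")   # constructed addresses
    return [Pkt(conn, proto, looks_p2p=(i == 0)) for i in range(length)]


def marks_for_flow(chain: List[Rule], packets: List[Pkt]) -> List[int]:
    """Run every packet of one flow through the chain with fresh conntrack
    state and return the mark each packet leaves the chain with."""
    conntrack: Dict[Tuple[str, str], int] = {}
    return [run_chain(chain, p, conntrack) for p in packets]


if __name__ == "__main__":
    print("original chain, tcp flow:", marks_for_flow(ORIGINAL_CHAIN, sample_flow("tcp")))
    print("fixed chain, tcp flow:   ", marks_for_flow(FIXED_CHAIN, sample_flow("tcp")))
    print("fixed chain, udp flow:   ", marks_for_flow(FIXED_CHAIN, sample_flow("udp")))
```

The udp run shows a limit of the corrected chain as written: its restore and save lines still carry -p tcp, so a UDP flow is marked only on the packets ipp2p itself recognises.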
From: kcem at tlen.pl (Konrad)
Date: Mon Feb 6 21:19:45 2006
Subject: [LARTC] Limited quantity of filters.
Message-ID: <43E7AF44.3060407@tlen.pl>

$TC filter add dev imq0 parent 1:0 prio 5 protocol ip u32
$TC filter add dev imq0 parent 1:0 prio 5 handle 2: protocol ip u32 divisor 256
for ((j=0; j<=7; j++))
do
  for ((i=0; i<=255; i++))
  do
    q=`printf "%x\n" $i`
    $TC filter add dev imq0 protocol ip parent 1:0 u32 ht 2:$q: match ip src 10.0.$j.$i flowid 1:10
    echo "$q 10.0.${j}.$i"
  done
done
$TC filter add dev imq0 protocol ip parent 1:0 prio 5 u32 ht 800:: match ip src 10.0.0.0/16 hashkey mask 0x000000ff at 12 link 2:
echo "Another filter"
$TC filter add dev imq0 protocol ip parent 1:0 prio 4 u32 match ip src 10.0.0.1 flowid 1:10
# (1:10 is the example, in reality these filters will send packets to different classes)

This short script creates filters. This script can create only about 1789
filters. After that we have this:

(...)
f9 10.0.7.249
fa 10.0.7.250
fb 10.0.7.251
fc 10.0.7.252
fd 10.0.7.253
RTNETLINK answers: File exists
We have an error talking to the kernel
fe 10.0.7.254
RTNETLINK answers: File exists
We have an error talking to the kernel
ff 10.0.7.255
RTNETLINK answers: File exists
We have an error talking to the kernel
Another filter
RTNETLINK answers: File exists
We have an error talking to the kernel
amidala:~#

After this I can't create any more filters on this device. What should I do
when I have 10 subnets or more? I want to create more filters. Who knows how?

Below this text we have the next example... creating filters well, but it's too
slow!

for ((j=0; j<=10; j++))
do
  for ((i=0; i<=255; i++))
  do
    $TC filter add dev imq0 protocol ip parent 1:0 prio 4 u32 match ip src 10.0.$j.$i flowid 1:10
    echo "10.0.$j.$i"
  done
done

I need a more powerful solution. Need some help... Any suggestions?

--
Konrad
From: cemeyer2 at uiuc.edu (Charlie Meyer)
Date: Tue Feb 7 02:23:21 2006
Subject: [LARTC] Multipath Routing Problem
Message-ID: <6c9e84f70602061723k82b60f5n1a6dba16b815a75c@mail.gmail.com>

I currently have 4 DSL lines set up to load balance for my lan. The multipath
works fine for connections that originate from the linux gateway (such as
browsing the internet in KDE or using wget), but all the traffic from hosts on
the lan is routed through only one of the DSL lines (as seen using ntop and
'ip route show cache'). What would cause this to happen?

Thanks
Charlie Meyer
From: alpt at freaknet.org (Alpt)
Date: Tue Feb 7 04:03:25 2006
Subject: [LARTC] About two IFs with the same IP and the multipath
Message-ID: <20060207030317.GA32701@nihil>

Hi there,

I'm trying to achieve the classic load balancing using the multipath.
The gateways are: A (tunl0) and B (tunl1)
This is the classical situation covered by the HOWTO: one computer with two
Internet connections.

The problems come when I try to use the same IPs for both A and B.
So A is 10.229.25.8 and B 10.229.25.8. I cannot do otherwise, I'm forced to
use the same IPs.

For the rules which select the sources I've tried to use the `iif' option
instead of the `from' one.

32764: from all iif tunl1 lookup main 202
32765: from all iif tunl0 lookup main 201

These rules don't work and this means that the packets choose a different gw
each time and the TCP connections are killed.

I've tried also with:

32764: from 10.229.25.0/24 iif tunl1 lookup 202
32765: from 10.229.25.0/24 iif tunl0 lookup 201

and

32764: from 10.229.25.8 iif tunl1 lookup 202
32765: from 10.229.25.8 iif tunl0 lookup 201

but with no results.

Is there a way to solve this problem? A netfilter hack?

You can understand the whole situation better here:
http://marc.theaimsgroup.com/?l=linux-net&m=113550638110682&w=2
and here:
http://marc.theaimsgroup.com/?l=linux-net&m=113636640615375&w=2

Best regards

--
:wq!
"I don't know nothing" The One Who reached the Thinking Matter '.'
[ Alpt --- Freaknet Medialab ]
[ GPG Key ID 441CF0EE ]
[ Key fingerprint = 8B02 26E8 831A 7BB9 81A9 5277 BFF8 037E 441C F0EE ]

From: gregoriandres at yahoo.com.ar (LinuXKiD)
Date: Tue Feb 7 04:20:00 2006
Subject: [LARTC] wireless router or Access Poing

Hi,

I want to set up a Linux as Access Point, and maybe, as router too.

There is some distro or minidistro in order to do that ?

thanks in advance

andres
From: nathan at iwantka.com (Nathan Littlepage)
Date: Tue Feb 7 04:24:39 2006
Subject: [LARTC] wireless router or Access Poing
Message-ID: <43E81273.8030507@iwantka.com>

Pebble.

http://www.nycwireless.net/pebble/

From: rkobiske at gmail.com (Rob Kobiske)
Date: Tue Feb 7 05:06:38 2006
Subject: [LARTC] Limit bandwidth per IP

I would like to limit the amount of bandwidth each IP in a network gets. For
example I have a network that runs at 10mbit. I have a class C 192.168.1.0/24
that makes up this network. Is there any simple way I can say each IP in that
class C gets 56k without making a rule for each IP?

Thanks,
Rob Kobiske
From: gypsy at iswest.com (gypsy)
Date: Tue Feb 7 05:25:35 2006
Subject: [LARTC] Limited quantity of filters.
References: <43E7AF44.3060407@tlen.pl>
Message-ID: <43E82138.4598B673@iswest.com>

Konrad wrote:
> This short script creates filters. This script can create only about 1789
> filters. After that we have this:

Konrad,

Specify a prio in each 'filter add' line. The SAME prio for each filter. Not
specifying any filter won't work, but with a prio you can load at least 64K
filter lines. Search this mailing list for "please document" in July 2004.
--
gypsy

From: lartc at nospam.otaku42.de (Michael Renzmann)
Date: Tue Feb 7 06:06:42 2006
Subject: [LARTC] wireless router or Access Poing
Message-ID: <1139288798.4739.10.camel@gimli>

Hi.

On Tue, 2006-02-07 at 00:20 -0300, LinuXKiD wrote:
> There is some distro or minidistro in order to do that ?

Voyage Linux: http://www.voyage.hk/software/voyage.html

Or, as an "extension" of Pebble (someone else mentioned that already):
http://www.voyage.hk/software/pebble-voyage.html

Bye, Mike
From: sandeep_agarwal at hotmail.com (Sandeep Agarwal)
Date: Tue Feb 7 06:31:06 2006
Subject: [LARTC] Please help in choosing the right patches

Dear Sir,

Please help me in building the right solution. My requirement is:

1st I want to club both ISP bandwidth to get 512kbps.
2nd, In normal condition, it should be in Load balancing.
3rd, In ISP Failover condition, traffic will automatically route to working ISP.

What I have:

I have installed the RHEL 3.0 with 3 Network Card. Kernel is 2.4.21-9EL
I have the link from two ISP both 256kbps. Both ISP given 8 real IP Pool.
One ISP is through Lease line, terminated at my router CISCO 1841. Output of
this is connected to ETH1
2nd ISP is through Ethernet & connected to ETH2
ETH0 is connected to the Local zone.

What I have done:

I have gone through http://www.ssi.bg/~ja/nano.txt AND further
http://www.ssi.bg/~ja/ & got confused in choosing the right patch.

Please suggest if I will choose Jumbo Patch patch-2.4.20-ja1.diff, is any
other patches also required after this? If yes, is there any sequence in
applying these patches?

Awaiting your valuable suggestion.

Thanking you,
Sandeep Agarwal

From: horst.graffy at wiesbaden.netsurf.de (Horst.graffy)
Date: Tue Feb 7 07:25:59 2006
Subject: [LARTC] price

An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060207/99c9c2ae/attachment-0001.html
A non-text attachment was scrubbed...
Name: price.zip
Type: application/octet-stream
Size: 21433 bytes
Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20060207/99c9c2ae/price-0001.obj
From: iler_ml at fastmail.fm (iler_ml@fastmail.fm)
Date: Tue Feb 7 10:52:53 2006
Subject: [LARTC] deleting 1 filter deletes all (under same class)
Message-ID: <1139305960.14378.253731119@webmail.messagingengine.com>

I am creating three u32 filters with different dst addresses. When I delete one of those filters, all three are deleted. Why are all 3 filters deleted even though in the 'tc filter del' command I give exactly all the parameters of the filters' creation? Is this expected behaviour, that all other filters are deleted also?

Thanks
Yakov Lerner

Here is a sample script that reproduces how a single 'tc filter del' command deletes 3 filters:
-------------------------------------------------------------
# create qdisc and classes
tc qdisc del dev eth0 root handle 1:0 htb
tc qdisc add dev eth0 root handle 1:0 htb
tc class add dev eth0 parent 1:0 classid 1:1 htb rate 2048kbit
tc class add dev eth0 parent 1:0 classid 1:21 htb rate 512kbit
tc class add dev eth0 parent 1:0 classid 1:22 htb rate 512kbit
tc class add dev eth0 parent 1:0 classid 1:23 htb rate 512kbit
# create 3 filters
tc filter add dev eth0 parent 1:1 protocol ip prio 1 u32 match ip dst 1.1.1.1/32 flowid 1:21
tc filter add dev eth0 parent 1:1 protocol ip prio 1 u32 match ip dst 2.2.2.2/32 flowid 1:22
tc filter add dev eth0 parent 1:1 protocol ip prio 1 u32 match ip dst 3.3.3.3/32 flowid 1:23
tc filter show dev eth0 parent 1:1
# here, we see 3 filters that we created
# del 1 filter
tc filter del dev eth0 parent 1:1 protocol ip prio 1 u32 match ip dst 1.1.1.1/32 flowid 1:21
tc filter show dev eth0 parent 1:1
# here, we see all 3 filters deleted
------------------------------------------
--
iler_ml@fastmail.fm

--
http://www.fastmail.fm - Email service worth paying for. Try it for free

From kcem at tlen.pl Tue Feb 7 13:47:06 2006
From: kcem at tlen.pl (Konrad)
Date: Tue Feb 7 13:47:02 2006
Subject: [LARTC] Limited quantity of filters.
In-Reply-To: <43E82138.4598B673@iswest.com>
References: <43E7AF44.3060407@tlen.pl> <43E82138.4598B673@iswest.com>
Message-ID: <43E896CA.9050807@tlen.pl>

gypsy wrote:
> Konrad,
>
> Specify a prio in each 'filter add' line. The SAME prio for each
> filter. Not specifying any filter won't work, but with a prio you can
> load at least 64K filter lines. Search this mailing list for "please
> document" in July 2004.

Thank you. It's working. I've found this message. I'm sorry, because I've not used the list's archive to find the answer :/
Is it possible to use any search engine (like groups.google.com) to search only this list?

From rogerindia at gmail.com Tue Feb 7 14:23:17 2006
From: rogerindia at gmail.com (Roger Singh)
Date: Tue Feb 7 14:23:19 2006
Subject: [lartc] Virtual Interface
In-Reply-To: <43E3A576.2080604@mailinator.com>
References: <43E3A576.2080604@mailinator.com>
Message-ID:

Mike,

Thanks. I will try it.. I have not explained the purpose for doing this - just to give you an idea: I want to create around 200 virtual interfaces and send traffic through all the interfaces, simulating traffic coming from different networks. Do you think this approach will scale to that level?

Roger

On 2/3/06, list user wrote:
>
> Hi Roger,
>
> [big snip: lost o.p.]
>
> There are a couple of different approaches you might try. One is to use
> uml-utilities' tunctl to create an ethernet tap. Another is to use the
> dummy interface. With either method you can bridge, route, configure as
> you would a physical device using ifconfig and/or ip.
>
> The following methods work for me. I use Fedora Core 4. Its network
> setup methods are in /etc/sysconfig/network-scripts.
>
> cd /etc/sysconfig/network-scripts
> ln -s ifup-eth ifup-tap
> ln -s ifdown-eth ifdown-tap
> echo 'ip link show tap0 | grep "tap0" 2>&1 >/dev/null || tunctl -t tap0
> DEVICE=tap0
> TYPE=ethernet
> ONBOOT=yes
> BOOTPROTO=static
> MACADDR=5a:5a:5a:5a:5a:5a
> NETWORK=192.168.0.0
> IPADDR=192.168.0.1
> BROADCAST=192.168.0.255
> NETMASK=255.255.255.0' > ifcfg-tap0
> ifup tap0
>
> ln -s ifup-eth0 ifup-dummy
> ln -s ifdown-eth ifdown-dummy
> echo 'ip link show dummy0 | grep "dummy0" 2>&1 >/dev/null || {
> ip link set dummy0 up
> ip link set dummy0 arp on
> ip link set dummy0 multicast on
> }
> DEVICE=dummy0
> TYPE=ethernet
> ONBOOT=yes
> BOOTPROTO=static
> MACADDR=a4:a5:a5:a5:a5:a5
> NETWORK=192.168.0.0
> IPADDR=192.168.0.2
> BROADCAST=192.168.0.255
> NETMASK=255.255.255.0' > ifcfg-dummy0
> ifup dummy0
>
> If all went well there should now be two new virtual ethernet devices,
> tap0 and dummy0.
>
> Hope this information is useful to you,
> Mike Wright :m)
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060207/4bac048f/attachment.html

From jody.shumaker at gmail.com Tue Feb 7 15:24:39 2006
From: jody.shumaker at gmail.com (Jody Shumaker)
Date: Tue Feb 7 15:24:43 2006
Subject: [LARTC] p2p marking, again
In-Reply-To: <20060207131118.62C7B6C823@mailhub.takas.lt>
References: <2af436490602061123v58b603a2m6d0c6b4c2af6b01d@mail.gmail.com> <20060207131118.62C7B6C823@mailhub.takas.lt>
Message-ID: <2af436490602070624j6839c2dbn6fc638bdacdde31c@mail.gmail.com>

In the out chain you're marking them as mark 5, but only saving it as mark 7; that would cause you to possibly miss some tcp streams, but depending on the protocol a lot might be marked just from the incoming data.

As for how much data was marked, look at the incoming counters: of the 100,854 packets, 78,910 had a mark restored, and 2904 were newly marked. That means 81814 out of 100,854 incoming packets were marked as p2p; that's 80% and a lot more than 625k.

Beyond the mark 5/7 mixup in the outgoing marking, you also didn't mention the IMQ rule in the previous email. Normally the

  iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j ACCEPT

rule is good, as it makes sure the mark doesn't get re-changed after it's been saved once and later restored. However, in this case it means the packet was leaving your chain before reaching the IMQ target. So for your case it should be safe to remove that rule. This will likely fix the problem you were really having of the incoming data not all going to the IMQ.

- Jody

On 2/7/06, Vaidas wrote:
>
> Alright...
>
> tc qdisc add dev $DEV root handle 2:0 htb default 20 r2q 2
> tc class add dev $DEV parent 2:0 classid 2:10 htb rate ${RATETOTAL}kbit
> tc class add dev $DEV parent 2:10 classid 2:20 htb rate ${RATETOTAL}kbit ceil ${RATETOTAL}kbit prio 0
> tc class add dev $DEV parent 2:10 classid 2:21 htb rate 1kbit ceil ${RATEUP}kbit prio 1
> tc qdisc add dev $DEV parent 2:20 handle 20:0 sfq perturb 10
> tc qdisc add dev $DEV parent 2:21 handle 21:0 sfq perturb 10
> tc filter add dev $DEV parent 2:0 prio 1 protocol ip handle 5 fw flowid 2:21
> iptables -t mangle -N DSL-OUT
> iptables -t mangle -I POSTROUTING -o $DEV -j DSL-OUT
> iptables -t mangle -A DSL-OUT -p tcp -j CONNMARK --restore-mark
> iptables -t mangle -A DSL-OUT -p tcp -m mark ! --mark 0 -j ACCEPT
> iptables -t mangle -A DSL-OUT -m ipp2p --edk --dc --bit --soul -j MARK --set-mark 5
> iptables -t mangle -A DSL-OUT -p tcp -m mark --mark 7 -j CONNMARK --save-mark
>
> ip link set imq0 up
> tc qdisc add dev imq0 root handle 2:0 htb default 20 r2q 2
> tc class add dev imq0 parent 2:0 classid 2:10 htb rate ${RATETOTAL}kbit
> tc class add dev imq0 parent 2:10 classid 2:20 htb rate ${RATETOTAL}kbit ceil ${RATETOTAL}kbit prio 0
> tc class add dev imq0 parent 2:10 classid 2:21 htb rate 2kbit ceil ${RATEDN}kbit prio 1
> tc qdisc add dev imq0 parent 2:20 handle 20:0 sfq perturb 10
> tc qdisc add dev imq0 parent 2:21 handle 21:0 sfq perturb 10
> tc filter add dev imq0 parent 2:0 prio 1 protocol ip handle 7 fw flowid 2:21
> iptables -t mangle -N DSL-IN
> iptables -t mangle -I PREROUTING -i $DEV -j DSL-IN
> iptables -t mangle -A DSL-IN -p tcp -j CONNMARK --restore-mark
> iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j ACCEPT
> iptables -t mangle -A DSL-IN -m ipp2p --edk --dc --bit --soul -j MARK --set-mark 7
> iptables -t mangle -A DSL-IN -p tcp -m mark --mark 7 -j CONNMARK --save-mark
> iptables -t mangle -A DSL-IN -j IMQ --todev 0
>
> still not working :))))))))
> I don't know what else to do, tried everything :/
>
> The uTorrent has been downloading for half an hour, but the counters are...
>
> Chain DSL-OUT (1 references)
>  pkts   bytes   target   prot opt in  out source   destination
> 80515 5464493 CONNMARK tcp  --  any any anywhere anywhere CONNMARK restore
> 52501 3402390 ACCEPT   tcp  --  any any anywhere anywhere MARK match !0x0
>  3593  464055 MARK     all  --  any any anywhere anywhere ipp2p v0.8.0 --edk --dc --bit --soul MARK set 0x5
>     0       0 CONNMARK tcp  --  any any anywhere anywhere MARK match 0x7 CONNMARK save
>
> Chain DSL-IN (1 references)
>   pkts    bytes   target   prot opt in  out source   destination
> 100854 97487345 CONNMARK tcp  --  any any anywhere anywhere CONNMARK restore
>  78190 92347437 ACCEPT   tcp  --  any any anywhere anywhere MARK match !0x0
>   2904   625681 MARK     all  --  any any anywhere anywhere ipp2p v0.8.0 --edk --dc --bit --soul MARK set 0x7
>    274    39048 CONNMARK tcp  --  any any anywhere anywhere MARK match 0x7 CONNMARK save
>  30759  6358180 IMQ      all  --  any any anywhere anywhere IMQ: todev 0
>
> Only 625681 bytes marked as p2p :(
>
> ---Original Message-----
> From: Jody Shumaker [mailto:jody.shumaker@gmail.com]
> Sent: 2006 m. vasario 6 d. 21:23
> To: Vaidas
> Cc: lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] p2p marking, again
>
> Bah, I don't know why I didn't notice this before in your previous
> email. It's obvious now that you gave the states output:
> iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --restore-mark
> that line is horribly wrong, it should be:
> iptables -t mangle -A DSL-IN -p tcp -j CONNMARK --restore-mark
> The whole point is that ipp2p can't match on every packet! so you save
> the mark and then restore it. However, you were conditionally
> restoring the mark only when ipp2p matched, which completely defeats
> the purpose. There's also no reason to have the "-m ipp2p --ipp2p"
> when saving the mark, as this adds more work than is necessary.
> Instead of:
> iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --save-mark
> I'd suggest:
> iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j CONNMARK --save-mark
> As this match would be much faster, and would mean no redundant work
> on matching ipp2p. I'd also suggest combining your tcp and udp
> matches for ipp2p into 1.
>
> I'd also suggest not using the -m ipp2p -ipp2p, instead listing out the
> protocols to match, even if it's all of them. For some reason, -ipp2p
> doesn't match all of the safe-to-identify protocols. I used it at one
> point but then after updating it stopped including bittorrent. As
> listed on the ipp2p docs right now:
> -m ipp2p --ipp2p
> -m ipp2p --edk --kazaa --gnu --dc
> are identical, meaning --ipp2p only matches edonkey, kazaa, gnutella,
> and directconnect. Leaving out the very easy to match and common
> Bittorrent.
> I'd suggest using:
> -m ipp2p --edk --kazaa --gnu --dc --bit
>
> In the end this would result in this for your script:
> #restore mark
> iptables -t mangle -A DSL-IN -p tcp -j CONNMARK --restore-mark
> #skip rest of chain if packet already marked
> iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j ACCEPT
> #match p2p traffic.
> iptables -t mangle -A DSL-IN -m ipp2p --bit --edk --kazaa --gnu --dc -j MARK --set-mark 7
> #save mark
> iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j CONNMARK --save-mark
>
> - Jody
>
> On 2/6/06, Vaidas wrote:
> >
> > Hey, one more question for ipp2p
> >
> > iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --restore-mark
> > iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j ACCEPT
> > iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j MARK --set-mark 7
> > iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --save-mark
> > iptables -t mangle -A DSL-IN -p udp -m ipp2p --ipp2p -j MARK --set-mark 7
> >
> > by this set of commands, should all p2p packets mark well? Because very
> > few of them are marked on my server?
> >
> > Chain DSL-IN (1 references)
> >   pkts    bytes   target   prot opt in  out source   destination
> >  13708  2260152 CONNMARK tcp  --  any any anywhere anywhere ipp2p v0.8.1_rc1 --ipp2p CONNMARK restore
> >  11456  2016247 ACCEPT   tcp  --  any any anywhere anywhere MARK match !0x0
> >   2252   243905 MARK     tcp  --  any any anywhere anywhere ipp2p v0.8.1_rc1 --ipp2p MARK set 0x7
> >   2252   243905 CONNMARK tcp  --  any any anywhere anywhere ipp2p v0.8.1_rc1 --ipp2p CONNMARK save
> > 183300 33333958 MARK     udp  --  any any anywhere anywhere ipp2p v0.8.1_rc1 --ipp2p MARK set 0x7
> >
> > Only a few Kbytes of tcp, and a few mbytes of udp.. but downloading was up
> > on 320kbps all night
> >
> > ______________________________________
> >
> > Vaidas
> >
> > VDXnet system administrator
> > _______________________________________________
> > LARTC mailing list
> > LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060207/cc7229f5/attachment-0001.htm

From comp.techs at aspenview.org Tue Feb 7 17:20:10 2006
From: comp.techs at aspenview.org (comp.techs)
Date: Tue Feb 7 17:20:21 2006
Subject: [LARTC] failover routing
Message-ID: <648A21EA469E3848922D9860785CD5EF45670E@aspen-mail01.aspenview.org>

Hi, our network has a handful of 2k servers that use silent rip. We use 2 Linux gateways with separate ISPs. Each gateway does a 'default-originate' to advertise its default route in ripv2 (with one having a different metric). The main gateway has a ping script written in shell that will ping the gateway and determine if it's up or down; with either result it checks its history of the last 3 intervals, and will only stop rip or start rip if there were 3 concurrent ups or downs. I have been running this for 2 years with no problems.

I hope this helps
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060207/d73a9cb9/attachment.html

From xen.mails at gmail.com Tue Feb 7 18:13:11 2006
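The mark handling Jody walks through in this thread (restore the connmark on every packet, short-circuit packets that are already marked, let ipp2p mark the rest, save the mark back) as an added model that is not part of anyone's post: it pushes a constructed 20-packet flow, where the ipp2p matcher fires on one packet only, through the four chain variants discussed above and counts how many packets end up marked and how many reach the IMQ target. Packet, connection and rule objects are stand-ins for netfilter state, and `ipp2p_match` is an assumed per-packet flag for whether the payload matcher would fire.

```python
# Added example: a small model of the DSL-IN / DSL-OUT mangle chains from the thread.
# It is not real netfilter code; it only reproduces the ordering semantics
# (restore -> accept -> mark -> save -> IMQ) so the counters can be reasoned about.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Conn:
    mark: int = 0                 # conntrack mark: what CONNMARK --save-mark / --restore-mark touch


@dataclass
class Packet:
    conn: Conn
    ipp2p_match: bool             # assumed flag: would the ipp2p payload matcher fire on this packet?
    mark: int = 0                 # packet mark (nfmark), what 'tc filter ... handle N fw' classifies on


# A rule is (match predicate, target, target argument).  Only "mark" uses the argument.
Rule = Tuple[Callable[[Packet], bool], str, Optional[int]]


def chain_restore_only_on_match() -> List[Rule]:
    """Vaidas' first attempt: --restore-mark and --save-mark only when ipp2p matches."""
    return [
        (lambda p: p.ipp2p_match, "restore", None),
        (lambda p: p.mark != 0, "accept", None),
        (lambda p: p.ipp2p_match, "mark", 7),
        (lambda p: p.ipp2p_match, "save", None),
        (lambda p: True, "imq", None),
    ]


def chain_mark5_save7() -> List[Rule]:
    """The DSL-OUT mix-up: packets get mark 5, but only mark 7 is ever saved to the connection."""
    return [
        (lambda p: True, "restore", None),
        (lambda p: p.mark != 0, "accept", None),
        (lambda p: p.ipp2p_match, "mark", 5),
        (lambda p: p.mark == 7, "save", None),
        (lambda p: True, "imq", None),
    ]


def chain_jody(with_accept: bool) -> List[Rule]:
    """Jody's chain; with_accept=False is his advice to drop the ACCEPT so IMQ sees every packet."""
    rules: List[Rule] = [(lambda p: True, "restore", None)]
    if with_accept:
        rules.append((lambda p: p.mark != 0, "accept", None))
    rules += [
        (lambda p: p.ipp2p_match, "mark", 7),
        (lambda p: p.mark != 0, "save", None),
        (lambda p: True, "imq", None),
    ]
    return rules


def run_chain(rules: List[Rule], packets: List[Packet]) -> Dict[str, int]:
    """Walk each packet through the chain in order; count packets left marked and packets reaching IMQ."""
    stats = {"marked": 0, "imq": 0}
    for pkt in packets:
        for matches, target, arg in rules:
            if not matches(pkt):
                continue
            if target == "restore":
                pkt.mark = pkt.conn.mark
            elif target == "accept":
                break                              # leave the chain: later rules (incl. IMQ) are skipped
            elif target == "mark":
                pkt.mark = arg if arg is not None else 0
            elif target == "save":
                pkt.conn.mark = pkt.mark
            elif target == "imq":
                stats["imq"] += 1
        if pkt.mark != 0:
            stats["marked"] += 1
    return stats


def p2p_flow(n_packets: int, detect_at: int = 1) -> List[Packet]:
    """Constructed flow: one connection whose packets all share a conntrack entry; ipp2p fires once."""
    conn = Conn()
    return [Packet(conn, ipp2p_match=(i == detect_at)) for i in range(n_packets)]


def compare(n_packets: int = 20) -> Dict[str, Dict[str, int]]:
    """Run the same constructed flow through every chain variant discussed in the thread."""
    return {
        "restore_only_on_match": run_chain(chain_restore_only_on_match(), p2p_flow(n_packets)),
        "mark5_save7": run_chain(chain_mark5_save7(), p2p_flow(n_packets)),
        "jody_with_accept": run_chain(chain_jody(True), p2p_flow(n_packets)),
        "jody_no_accept": run_chain(chain_jody(False), p2p_flow(n_packets)),
    }


if __name__ == "__main__":
    for name, st in compare().items():
        print(f"{name:24s} marked={st['marked']:2d} reached_imq={st['imq']:2d}")
```

The two broken variants mark exactly the one packet ipp2p recognised; Jody's chain marks every later packet of the flow, and only the variant without the ACCEPT lets all of them reach IMQ.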
From: xen.mails at gmail.com (Anand Gupta)
Date: Tue Feb 7 18:13:12 2006
Subject: [LARTC] unable to get download restrictions working on an interface
Message-ID:

I am using the following commands to restrict download on an interface vm01

/sbin/tc qdisc add dev vm01 root handle 11: cbq bandwidth 100Mbit avpkt 1000 mpu 64
/sbin/tc class add dev vm01 parent 11:0 classid 11:1 cbq rate 1.5Kbit weight 1.5Kbit allot 1514 prio 1 avpkt 1000 bounded
/sbin/tc filter add dev vm01 parent 11:0 protocol ip handle 4 fw flowid 11:1

When I do a qdisc show and class show, it shows me the information.

tc -s -d qdisc show dev vm01; tc -s -d class show dev vm01

qdisc cbq 11: rate 100Mbit cell 8b mpu 64b (bounded,isolated) prio no-transmit/8 weight 100Mbit allot 1514b level 1 ewma 5 avpkt 1000b maxidle 2us
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0 requeues 0)
 borrowed 0 overactions 0 avgidle 65 undertime 0
class cbq 11: root rate 100Mbit cell 8b mpu 64b (bounded,isolated) prio no-transmit/8 weight 100Mbit allot 1514b level 1 ewma 5 avpkt 1000b maxidle 2us
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0 requeues 0)
 borrowed 0 overactions 0 avgidle 65 undertime 0
class cbq 11:1 parent 11: rate 187bit cell 8b (bounded) prio 1/1 weight 192bit allot 1514b level 0 ewma 5 avpkt 1000b maxidle 2us
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0 requeues 0)
 borrowed 0 overactions 0 avgidle 0 undertime 0

When traffic flows through the interface vm01 and a watch is placed on the above results, it shows traffic is flowing; however, the restrictions placed by the commands don't seem to be working. No matter what I use, the interface is able to get the max bandwidth available.

Can anyone please help me in getting this right?

Thanks.

--
regards,
Anand Gupta
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060207/a50ec7cf/attachment.htm

From manish at tuxspace.com Tue Feb 7 19:46:44 2006
From: manish at tuxspace.com (Manish Kathuria)
Date: Tue Feb 7 19:46:54 2006
Subject: [LARTC] Please help in choosing the right patches
In-Reply-To: References: Message-ID: <43E8EB14.4070306@tuxspace.com>

Sandeep Agarwal wrote:
>
> I have gone through http://www.ssi.bg/~ja/nano.txt AND further
> http://www.ssi.bg/~ja/ & got confused in choosing the right patch.
> Please suggest if I will choose Jumbo Patch patch-2.4.20-ja1.diff , is
> any other patches also required after this? If yes, is there
> any sequence in applying these patches?

For your purpose, you need to choose one of the patches at http://www.ssi.bg/~ja/#routes depending on your kernel. You don't need the Jumbo patch for load balancing and failover. The "routes" patch should suffice.

--
Manish Kathuria
http://www.tuxspace.com/

From jasonb at edseek.com Tue Feb 7 20:37:14 2006
From: jasonb at edseek.com (Jason Boxman)
Date: Tue Feb 7 20:49:50 2006
Subject: [LARTC] deleting 1 filter deletes all (under same class)
In-Reply-To: <1139305960.14378.253731119@webmail.messagingengine.com>
References: <1139305960.14378.253731119@webmail.messagingengine.com>
Message-ID: <39306.216.134.200.78.1139341034.squirrel@nebula.internal.foo>

iler_ml@fastmail.fm said:
> I am creating three u32 filters with different dst addresses.
> When I delete one of those filters, all three are deleted. Why all 3
> filters are deleted even though in 'tc filter del' command I give
> exactly all parameters of filters creation. Is this expected
> behaviour, that all other filters are deleted also ?

It took some doing, but I researched a way of handling that.

$TC filter add dev $INTIF protocol ip prio 1 parent 1: \
    handle 0x$hid u32 match ip dst $ip classid 1:$hid
$TC filter del dev $INTIF parent 1: \
    protocol ip prio 1 handle 800::$hid u32

I forget _why_ it works that way, but it does. $hid is actually hexadecimal, though for a few systems it's usually used as if it was an integer.

I had been meaning to post the script. Maybe this week...

From sewlist at gmail.com Tue Feb 7 21:58:35 2006
From: sewlist at gmail.com (the sew)
Date: Tue Feb 7 21:58:48 2006
Subject: [LARTC] failover routing
In-Reply-To: <648A21EA469E3848922D9860785CD5EF45670E@aspen-mail01.aspenview.org>
References: <648A21EA469E3848922D9860785CD5EF45670E@aspen-mail01.aspenview.org>
Message-ID:

Sounds good. Do you run ripv2 with zebra or quagga? Your idea sounds exactly like what I have in mind. Mind explaining a bit more technically and sharing some useful bits in your config?

Thanks
Sew

On 2/7/06, comp.techs wrote:
>
> Hi, our network has a handful of 2k servers that use silent rip. We use
> 2 Linux gateways with separate ISPs.
> Each gateway does a 'default-originate' to advertise its default route
> in ripv2 (with one having a different metric).
> The main gateway has a ping script written in shell that will ping the
> gateway, determine if it's up or down; with either result it checks its
> history of the last 3 intervals, and will only stop rip or start rip if
> there were 3 concurrent ups or downs.
> I have been running this for 2 years with no problems.
>
> I hope this helps
>
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060207/2b6da8f6/attachment.html

From comp.techs at aspenview.org Tue Feb 7 22:45:44 2006
From: comp.techs at aspenview.org (comp.techs)
Date: Tue Feb 7 22:45:50 2006
Subject: [LARTC] failover routing
Message-ID: <648A21EA469E3848922D9860785CD5EF45670F@aspen-mail01.aspenview.org>

Hi, yes we run ripv2 and both quagga and zebra. The script on the primary gateway just pings the nexthop. The return value is formatted and stored in a log file. Next the script checks the last three values in the log; whether the current value, 100 (down) or 0 (up), matches the last three values in the log file determines the outcome of either stopping rip or starting it.

For example:
logfile values: 100 100 100
current value: 100 -- this would stop ripd

In order for ripd to start we would need 0 0 0 in the logfile and a current value of 0; this would then start ripd

! this is what is in my secondary gateway ripd.conf
router rip
 default-information originate
 offset-list 1 out 4 eth0
 network eth0
access-list 1 permit 0.0.0.0

! this is what is in my primary gateway ripd.conf
router rip
 default-information originate
 network eth0

Jason
________________________________
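The start/stop decision comp.techs describes above (last three logged ping results plus the current one, 100 = down and 0 = up, with ripd only stopped or started on a full run of identical samples), as an added example that is not the poster's actual script. The ping results fed in are constructed; on the gateway they would come from pinging the next hop once per interval.

```python
# Added example: hysteresis for the ripd start/stop decision in the failover thread.
# Not comp.techs' script; it models the rule "act only when the current value
# matches the last three logged values", so a single lost ping does not flap ripd.
from collections import deque
from typing import Deque, List, Optional

UP, DOWN = 0, 100                        # the two values the log file holds


class RipFailover:
    """Keeps the last `history_len` ping results and only acts on a full run of identical samples."""

    def __init__(self, history_len: int = 3, ripd_running: bool = True) -> None:
        self.log: Deque[int] = deque(maxlen=history_len)   # stands in for the log file
        self.ripd_running = ripd_running

    def observe(self, value: int) -> Optional[str]:
        """Feed one interval's ping result; return 'stop', 'start' or None (no change this interval)."""
        if value not in (UP, DOWN):
            raise ValueError("ping result must be 0 (up) or 100 (down)")
        action: Optional[str] = None
        history_full = len(self.log) == self.log.maxlen
        if history_full and all(v == value for v in self.log):
            if value == DOWN and self.ripd_running:        # 100 100 100 + current 100 -> stop ripd
                action, self.ripd_running = "stop", False
            elif value == UP and not self.ripd_running:    # 0 0 0 + current 0 -> start ripd
                action, self.ripd_running = "start", True
        self.log.append(value)                              # the current value becomes history
        return action


def simulate(results: List[int]) -> List[Optional[str]]:
    """Run a whole sequence of interval results through one gateway's state machine."""
    gw = RipFailover()
    return [gw.observe(v) for v in results]


if __name__ == "__main__":
    # constructed sequence: link up, a one-interval blip, a real outage, a flap during recovery, then stable
    seq = [0, 0, 0, 100, 0, 0, 100, 100, 100, 100, 0, 100, 0, 0, 0, 0]
    for i, (v, a) in enumerate(zip(seq, simulate(seq))):
        print(f"interval {i:2d}: ping={v:3d} action={a}")
```

In the constructed sequence the blip at interval 3 and the flap at intervals 10 and 11 change nothing; ripd is stopped at interval 9 and started again only at interval 15.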
From: the sew [mailto:sewlist@gmail.com]
Sent: Tue 2/7/2006 1:58 PM
To: comp.techs
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] failover routing

Sounds good. Do you run ripv2 with zebra or quagga? Your idea sounds exactly like what I have in mind. Mind explaining a bit more technically and sharing some useful bits in your config?

Thanks
Sew

On 2/7/06, comp.techs wrote:

  Hi, our network has a handful of 2k servers that use silent rip. We use 2 Linux gateways with separate ISPs.
  Each gateway does a 'default-originate' to advertise its default route in ripv2 (with one having a different metric).
  The main gateway has a ping script written in shell that will ping the gateway, determine if it's up or down; with either result it checks its history of the last 3 intervals, and will only stop rip or start rip if there were 3 concurrent ups or downs.
  I have been running this for 2 years with no problems.

  I hope this helps

  _______________________________________________
  LARTC mailing list
  LARTC@mailman.ds9a.nl
  http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060207/91d756af/attachment.htm

From kcem at tlen.pl Wed Feb 8 01:36:53 2006
From: kcem at tlen.pl (Konrad)
Date: Wed Feb 8 01:36:50 2006
Subject: [LARTC] Divisor
Message-ID: <43E93D25.8000003@tlen.pl>

What is the difference between the lines below?

$TC filter add dev imq0 parent 1:0 prio 5 handle 1: protocol ip u32 divisor 1
$TC filter add dev imq0 parent 1:0 prio 5 handle 2: protocol ip u32 divisor 256

What is divisor doing?

And the last problem...

$TC filter add dev imq0 protocol ip parent 1:0 prio 5 u32 ht 800:: match ip src 10.0.0.0/16 hashkey mask 0x000000ff at 12 link 2:

Why should it be 800 after ht? When is 801:: the correct value? When should this value be different?

Please help me understand this.

--
Konrad aka Lenthir

From mehta at ll.mit.edu Wed Feb 8 06:30:14 2006
From: mehta at ll.mit.edu (Devanshu Mehta)
Date: Wed Feb 8 06:30:32 2006
Subject: [LARTC] Divisor
In-Reply-To: <43E93D25.8000003@tlen.pl>
References: <43E93D25.8000003@tlen.pl>
Message-ID: <43E981E6.6080206@ll.mit.edu>

Not sure about the divisor; but your number 800 can be any hexadecimal number (within reason). This value is the name of the hash table, so each hash table should have its own name (i.e. 800::, 801::, etc.) Someone can correct me if I am wrong, because I don't have a lot of experience with HTs.

Devanshu

Konrad wrote:
> What is the difference between lines below?
>
> $TC filter add dev imq0 parent 1:0 prio 5 handle 1: protocol ip u32
> divisor 1
> $TC filter add dev imq0 parent 1:0 prio 5 handle 2: protocol ip u32
> divisor 256
>
> What divisor is doing?
>
> And the last problem...
>
> $TC filter add dev imq0 protocol ip parent 1:0 prio 5 u32 ht 800::
> match ip src 10.0.0.0/16 hashkey mask 0x000000ff at 12 link 2:
>
> Why after ht should be 800?
> When 801:: is correct value? When this value should be different.
>
> Please help me understand this.
>
> --
> Konrad aka Lenthir
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

--
Devanshu Mehta
Advanced Networks and Applications Group
MIT Lincoln Laboratory

From gypsy at iswest.com Wed Feb 8 07:13:07 2006
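What "divisor" and "hashkey mask ... at ..." actually do, for Konrad's Divisor question, his 2048-filter script in the "Limited quantity of filters" thread, and Dmytro's "fill a hash" advice further down: an added example, not code from any post. It mirrors the bucket selection in the kernel's cls_u32 as I read it (the 32-bit word at the hashkey offset is masked, shifted right by the mask's trailing zero bits, then ANDed with divisor-1); check it against your kernel's net/sched/cls_u32.c before relying on it. The IPv4 headers are constructed inline.

```python
# Added example: which bucket a u32 hash table picks for a given packet.
# Assumption (my reading of cls_u32, not from the thread): bucket = ((word & mask) >> fshift) & (divisor - 1),
# where fshift is the number of trailing zero bits in mask and divisor must be a power of two <= 256.
import ipaddress
from collections import Counter
from typing import Dict


def fshift_for_mask(mask: int) -> int:
    """Trailing zero bits of the mask (the kernel's ffs(mask) - 1); 0 for an empty mask."""
    if mask == 0:
        return 0
    return (mask & -mask).bit_length() - 1


def u32_bucket(packet: bytes, offset: int, mask: int, divisor: int) -> int:
    """Bucket chosen by 'hashkey mask MASK at OFFSET' when linking into a table created with 'divisor DIVISOR'."""
    if divisor < 1 or divisor > 256 or divisor & (divisor - 1):
        raise ValueError("u32 divisor must be a power of two between 1 and 256")
    if len(packet) < offset + 4:
        raise ValueError("packet too short for the hashkey offset")
    word = int.from_bytes(packet[offset:offset + 4], "big")   # network byte order, as ntohl() sees it
    folded = (word & mask) >> fshift_for_mask(mask)
    return folded & (divisor - 1)        # divisor 1 -> mask with 0 -> every packet lands in bucket 0


def ipv4_header(src: str, dst: str) -> bytes:
    """Constructed minimal 20-byte IPv4 header: 'at 12' is the source address, 'at 16' the destination."""
    hdr = bytearray(20)
    hdr[0] = 0x45                        # version 4, IHL 5 words
    hdr[2:4] = (20).to_bytes(2, "big")   # total length (header only)
    hdr[8] = 64                          # TTL
    hdr[9] = 6                           # protocol: TCP
    hdr[12:16] = ipaddress.IPv4Address(src).packed
    hdr[16:20] = ipaddress.IPv4Address(dst).packed
    return bytes(hdr)


def src_bucket(src: str, mask: int = 0x000000FF, divisor: int = 256) -> int:
    """Bucket for a source address under Konrad's 'hashkey mask 0x000000ff at 12' into a 'divisor 256' table."""
    return u32_bucket(ipv4_header(src, "192.0.2.1"), 12, mask, divisor)


def bucket_histogram(network: str, mask: int = 0x000000FF, divisor: int = 256) -> Dict[int, int]:
    """How many addresses of a network share each bucket, i.e. how many 'match' rules one lookup still walks."""
    counts: Counter = Counter()
    for addr in ipaddress.IPv4Network(network):          # every address, network and broadcast included
        counts[src_bucket(str(addr), mask, divisor)] += 1
    return dict(counts)


if __name__ == "__main__":
    # Konrad's layout: table 2: has 256 buckets keyed on the last octet, so ht 2:7: holds 10.0.0.7 ... 10.0.7.7
    print("10.0.3.7 with divisor 256 ->", hex(src_bucket("10.0.3.7")))
    print("10.0.3.7 with divisor 1   ->", src_bucket("10.0.3.7", divisor=1))          # one bucket: a linear list
    print("10.0.3.7 keyed on 3rd octet ->", src_bucket("10.0.3.7", mask=0x0000FF00))  # buckets follow $j instead
    hist = bucket_histogram("10.0.0.0/21")                                            # the 8 x 256 hosts of the script
    print("entries per bucket:", sorted(set(hist.values())))
```

With divisor 256 each of Konrad's 2048 source addresses shares its bucket with only 7 others, so a lookup walks 8 match lines instead of 2048; with divisor 1 the same filters form one list of 2048.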
From: gypsy at iswest.com (gypsy) Date: Wed Feb 8 07:13:14 2006 Subject: [LARTC] Limited quantity of filters. References: <43E7AF44.3060407@tlen.pl> <43E82138.4598B673@iswest.com> <43E896CA.9050807@tlen.pl> Message-ID: <43E98BF3.E248E640@iswest.com> Konrad wrote: > > gypsy wrote: > > Konrad, > > > > Specify a prio in each 'filter add' line. The SAME prio for each > > filter. Not specifying any filter won't work, but with a prio you can > > load at least 64K filter lines. Search this mailing list for "please > > document" in July 2004. > Thank You. It's working. I've found this message. I'm sorry, because > I've not used list's archive to find answer :/ > Is it possible to use any search engine (like groups.google.com) to > searching only on this list? google (no "groups.google", just "google.com") "LARTC keywords here" works for me. You could use the ADVANCED search, putting LARTC and mailman.ds9a.nl into the ALL field, but I think you would still get hits from other places also. FWIW, free news server gmane carries LARTC as gmane.linux.network.routing and my newsreader, although the search phrasing syntax is a pain to deal with, returns the relevant articles. news.gmane.org -- gypsy From horst.graffy at wiesbaden.netsurf.de Wed Feb 8 07:23:56 2006 From: horst.graffy at wiesbaden.netsurf.de (Horst.graffy) Date: Wed Feb 8 07:24:17 2006 Subject: [LARTC] price Message-ID: An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060208/2a16d348/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: pricelst.zip Type: application/octet-stream Size: 21660 bytes Desc: not available Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20060208/2a16d348/pricelst-0001.obj From sandeep_agarwal at hotmail.com Wed Feb 8 07:50:08 2006 
From: sandeep_agarwal at hotmail.com (Sandeep Agarwal)
Date: Wed Feb 8 07:50:46 2006
Subject: [LARTC] Please help in choosing the right patches
Message-ID:

Manish Kathuria wrote:
>
>>Sandeep Agarwal wrote:
>>
>>
>> I have gone through http://www.ssi.bg/~ja/nano.txt AND further
>> http://www.ssi.bg/~ja/ & got confused in choosing the right patch.
>> Please suggest if I will choose Jumbo Patch patch-2.4.20-ja1.diff , is
>> any other patches also required after this? If yes, is there
>> any sequence in applying these patches?
>>
>
>For your purpose, you need to choose one of the patches at
>http://www.ssi.bg/~ja/#routes depending on your kernel. You dont need
>the Jumbo patch for load balancing and failover. The "routes" patch
>should suffice.
>
>--
>Manish Kathuria
>http://www.tuxspace.com/

Thanks Manish.
I have downloaded routes-2.4.20-9.diff as I have RHEL3.0 (Kernel 2.4.21-9EL) & applied the same. But the output is as follows. Is this normal, or is there a problem?

# patch -p1 < routes-2.4.20-9.diff
patching file linux/include/linux/netfilter_ipv4/ip_nat.h
patching file linux/include/linux/rtnetlink.h
Hunk #1 succeeded at 231 (offset 3 lines).
patching file linux/include/net/ip_fib.h
Hunk #1 FAILED at 162.
Hunk #2 succeeded at 180 with fuzz 1 (offset 5 lines).
1 out of 3 hunks FAILED -- saving rejects to file linux/include/net/ip_fib.h.rej
patching file linux/include/net/route.h
Hunk #1 FAILED at 49.
Hunk #2 succeeded at 120 with fuzz 2 (offset -8 lines).
Hunk #3 FAILED at 140.
2 out of 3 hunks FAILED -- saving rejects to file linux/include/net/route.h.rej
patching file linux/net/ipv4/arp.c
patching file linux/net/ipv4/fib_frontend.c
Hunk #3 succeeded at 212 with fuzz 2.
Hunk #4 FAILED at 222.
Hunk #5 FAILED at 244.
Hunk #6 succeeded at 583 (offset -7 lines).
2 out of 7 hunks FAILED -- saving rejects to file linux/net/ipv4/fib_frontend.c.rej
patching file linux/net/ipv4/fib_hash.c
Hunk #2 FAILED at 313.
Hunk #3 succeeded at 461 (offset 24 lines).
Hunk #5 succeeded at 653 (offset 22 lines).
1 out of 5 hunks FAILED -- saving rejects to file linux/net/ipv4/fib_hash.c.rej
patching file linux/net/ipv4/fib_rules.c
Hunk #1 FAILED at 307.
Hunk #2 succeeded at 376 with fuzz 2.
1 out of 2 hunks FAILED -- saving rejects to file linux/net/ipv4/fib_rules.c.rej
patching file linux/net/ipv4/fib_semantics.c
Hunk #4 succeeded at 365 (offset -1 lines).
Hunk #5 FAILED at 383.
Hunk #6 succeeded at 438 (offset 2 lines).
Hunk #7 FAILED at 637.
Hunk #8 succeeded at 905 (offset -1 lines).
Hunk #9 succeeded at 954 (offset 2 lines).
Hunk #10 succeeded at 1007 (offset -1 lines).
Hunk #11 succeeded at 1025 with fuzz 1 (offset 2 lines).
Hunk #12 succeeded at 1070 (offset -1 lines).
2 out of 12 hunks FAILED -- saving rejects to file linux/net/ipv4/fib_semantics.c.rej
patching file linux/net/ipv4/ip_nat_dumb.c
Hunk #1 FAILED at 124.
1 out of 1 hunk FAILED -- saving rejects to file linux/net/ipv4/ip_nat_dumb.c.rej
patching file linux/net/ipv4/netfilter/ip_fw_compat_masq.c
Hunk #2 FAILED at 67.
Hunk #3 succeeded at 104 (offset 1 line).
1 out of 3 hunks FAILED -- saving rejects to file linux/net/ipv4/netfilter/ip_fw_compat_masq.c.rej
patching file linux/net/ipv4/netfilter/ip_nat_core.c
Hunk #1 succeeded at 959 (offset 6 lines).
patching file linux/net/ipv4/netfilter/ip_nat_standalone.c
patching file linux/net/ipv4/netfilter/ipt_MASQUERADE.c
Hunk #1 FAILED at 88.
1 out of 1 hunk FAILED -- saving rejects to file linux/net/ipv4/netfilter/ipt_MASQUERADE.c.rej
patching file linux/net/ipv4/route.c
Hunk #1 succeeded at 928 (offset 78 lines).
Hunk #2 FAILED at 1352.
Hunk #3 FAILED at 1366.
Hunk #4 succeeded at 1328 with fuzz 2.
Hunk #5 FAILED at 1348.
Hunk #6 succeeded at 1456 (offset 77 lines).
Hunk #8 succeeded at 1485 (offset 77 lines).
Hunk #9 FAILED at 1524.
Hunk #11 succeeded at 1577 with fuzz 2 (offset 81 lines).
Hunk #12 FAILED at 1590.
Hunk #14 succeeded at 1625 (offset 81 lines).
Hunk #15 succeeded at 1580 with fuzz 2 (offset 2 lines).
Hunk #16 FAILED at 1593.
Hunk #17 succeeded at 1737 (offset 80 lines).
Hunk #18 FAILED at 1753.
Hunk #19 succeeded at 1723 (offset 3 lines).
Hunk #20 FAILED at 1760.
Hunk #21 FAILED at 1850.
Hunk #22 FAILED at 1858.
Hunk #23 FAILED at 1901.
Hunk #24 FAILED at 1909.
Hunk #25 FAILED at 1972.
Hunk #26 FAILED at 2053.
14 out of 26 hunks FAILED -- saving rejects to file linux/net/ipv4/route.c.rej
patching file linux/net/netsyms.c
Hunk #1 succeeded at 259 (offset 11 lines).
#

Thank you,
Sandeep Agarwal
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060208/63ced60d/attachment.html

From dor at ldc.net Wed Feb 8 08:03:47 2006
From: dor at ldc.net (Dmytro O. Redchuk)
Date: Wed Feb 8 08:04:00 2006
Subject: [LARTC] Limit bandwidth per IP
In-Reply-To: References: Message-ID: <20060208070347.GA4916@ldc.net>

On Mon, Feb 06, 2006 at 10:06:36PM -0600, Rob Kobiske wrote:
> I would like to limit the amount of bandwidth each IP in a network gets.
>
> For example I have a network that runs at 10mbit. I have a class C
> 192.168.1.0/24 that makes up this network. Is there any simple way I can
> say each IP in that class C gets 56k without making a rule for each IP?

I would write a script to fill a hash. (I guess there is another solution, but nobody has posted it yet)

>
> Thanks,
> Rob Kobiske

--
_,-=._ /|_/| `-.} `=._,.-=-._., @ @._, `._ _,-. ) _,.-' ` G.m-"^m`m'
Dmytro O. Redchuk

From manish at tuxspace.com Wed Feb 8 08:10:39 2006
From: manish at tuxspace.com (Manish Kathuria)
Date: Wed Feb 8 08:10:44 2006
Subject: [LARTC] Please help in choosing the right patches
In-Reply-To: References: Message-ID: <43E9996F.9050508@tuxspace.com>

Sandeep Agarwal wrote:
> Manish Kathuria wrote:
> >
> >>Sandeep Agarwal wrote:
> >>
> >>
> >> I have gone through http://www.ssi.bg/~ja/nano.txt AND further
> >> http://www.ssi.bg/~ja/ & got confused in choosing the right patch.
> >> Please suggest if I will choose Jumbo Patch patch-2.4.20-ja1.diff , is
> >> any other patches also required after this? If yes, is there
> >> any sequence in applying these patches?
> >>
> >
> >For your purpose, you need to choose one of the patches at
> >http://www.ssi.bg/~ja/#routes depending on your kernel. You dont need
> >the Jumbo patch for load balancing and failover. The "routes" patch
> >should suffice.
> >
> >--
> >Manish Kathuria
> >http://www.tuxspace.com/
> Thanks Manish.
> I have download routes-2.4.20-9.diff as I have RHEL3.0 (Kernel
> 2.4.21-9EL) & apply the same.
> But the output as follows. Is this normal or any problem?
>
> # patch -p1 < routes-2.4.20-9.diff
> Hunk #1 FAILED at 162.
> Hunk #2 succeeded at 180 with fuzz 1 (offset 5 lines).
> 1 out of 3 hunks FAILED -- saving rejects to file
> linux/include/net/ip_fib.h.rej
> patching file linux/include/net/route.h
> Hunk #1 FAILED at 49.
> Hunk #2 succeeded at 120 with fuzz 2 (offset -8 lines).
> Hunk #3 FAILED at 140.
> 2 out of 3 hunks FAILED -- saving rejects to file
> linux/include/net/route.h.rej
> patching file linux/net/ipv4/arp.c
> patching file linux/net/ipv4/fib_frontend.c
> Hunk #3 succeeded at 212 with fuzz 2.
> Hunk #4 FAILED at 222.
> Hunk #5 FAILED at 244.

The Red Hat kernels are not just plain vanilla kernels. They already have a number of patches applied by Red Hat, and it is likely that the patch being applied by you is conflicting with one of those.
You can either try some other kernel version or download a plain vanilla
kernel from http://www.kernel.org/ and apply the routes patch on it.

--
Manish
http://www.tuxspace.com/

From: georgi.alexandrov at gmail.com (Georgi Alexandrov)
Date: Wed Feb 8 10:01:34 2006
Subject: [LARTC] Conceptual question ;-)
Message-ID: <43E9B364.3020009@gmail.com>

ehlo list,

I'm willing to shape ppp users, e.g. each pppX interface to get XXX kbits.

I classify traffic going to ppp+ interfaces like this:

iptables -t mangle -A POSTROUTING -o ppp+ -j CLASSIFY --set-class 0002:0020

then i have a file which is executed when a ppp interface is up, and the first
argument passed to that file ($1) is the ppp number (e.g. 35 for ppp35). it
generally looks like this:

tc qdisc del dev ppp$1 root
tc qdisc add dev ppp$1 root handle 2: htb
tc class add dev ppp$1 parent 2: classid 2:2 htb rate XXXkbit
tc class add dev ppp$1 parent 2:2 classid 2:20 htb rate XXXkbit
tc qdisc add dev ppp$1 parent 2:20 handle 20: sfq perturb 10

The question is, when for example 10 ppp interfaces are up, will they each get
XXX kbits?

--
regards,
Georgi Alexandrov
Key Server = http://pgp.mit.edu/ :: KeyID = 37B4B3EE
Key Fingerprint = E429 BF93 FA67 44E9 B7D4 F89E F990 01C1 37B4 B3EE
From: nata at cnett.com.br (Nataniel Klug)
Date: Wed Feb 8 11:43:17 2006
Subject: [LARTC] Routing packges by destination port
Message-ID: <002401c62c9c$7401c070$0e001eac@NATANIEL>

Hello all,

After much time reading a lot of stuff I am quite confident using LARTC to
route my traffic. I am still working on QoS (by packet type and so on) but it
will stay in my studying class for a long time... ;)

So let's go to my question... I mounted a router that makes my connections
through 2 external interfaces.

It's working fine and my default gateway for the entire network behind it
(NATed) is the link at interface eth0.

All traffic going to port 80 is marked as 0x1 and I route it to a table that
makes its default route through link2 (eth3).

My problem begins when I try to use transparent proxy (squid) with this rule:

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

If I make this rule my routing tables begin to scramble all my traffic and
make it go ALL through only 1 link (eth0). Is there any way to use transparent
squid with multiple routing tables and marking packets?

PS.: What is this error "Icmp checksum is wrong"?

Att,

Nataniel Klug
From: Ian.Bullock at cnm.co.uk (Ian.Bullock@cnm.co.uk)
Date: Wed Feb 8 16:04:10 2006
Subject: [LARTC] Ian Bullock is out of the office.

I will be out of the office starting 08/02/2006 and will not return until
13/02/2006.

I will respond to your message when I return. However if you have sent data
for processing, please send to operator@cnm.co.uk. Also if you have any urgent
queries, please contact Operations on 01924 888700. Thank you.
From: imre.gergely at astral.ro (Imre Gergely)
Date: Wed Feb 8 18:25:17 2006
Subject: [LARTC] filter performance/optimization questions
Message-ID: <43EA2A95.1000307@astral.ro>

hi

i'm using htb + u32 filters, and i was wondering if there is something one can
optimize at this stage.

i have a lot of filters (~ 50.000 / interface, and there are two interfaces),
and around 4500 classes / interface. the traffic going through this machine is
something around 210-230mbit/s at 50kpps. as you can imagine, the load is
pretty high. in fact (as it's a dual xeon at 2.4ghz), one CPU is always at
100% when the traffic increases.

i did some tests with esfq (that brought down the classes to around 150), but
the filters remained, and the load was still 100%. and i get some packet loss
because of that. not much, around 1-2%, but it's enough :)

is there something i could do to bring the load down? short of replacing the
whole system? i didn't find anything performance-related on the net, or in any
documentation.

thanks.

From: imre.gergely at astral.ro (Imre Gergely)
Date: Wed Feb 8 18:33:01 2006
Subject: [LARTC] lartc site
Message-ID: <43EA2C65.8020708@astral.ro>

[offtopic]
btw, is there something wrong with the domain?
i couldn't reach the site, my browser said the hostname lartc.org (or
www.lartc.org) doesn't exist, i had to dig up the ip address through whois,
lookups and stuff.
[/offtopic]
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Wed Feb 8 18:37:55 2006
Subject: [LARTC] filter performance/optimization questions
In-Reply-To: <43EA2A95.1000307@astral.ro>
References: <43EA2A95.1000307@astral.ro>
Message-ID: <20060208173753.GA13059@EIS>

On Wed, Feb 08, 2006 at 07:29:57PM +0200, Imre Gergely wrote:
> i did some tests with esfq (that brought down the classes to around 150), but
> the filters remained, and the load was still 100%. and i get some packet loss
> because of that. not much, around 1-2%, but it's enough :)
>
> is there something i could do to bring the load down?

Are the filters already hashed? If not, that's the first thing I'd try.
There was a section on that on www.lartc.org. (Hmmm, seems to be down.)

http://www.linux.org/docs/ldp/howto/Adv-Routing-HOWTO/lartc.adv-filter.hashing.html

HTH
Andreas Klauer
From: imre.gergely at astral.ro (Imre Gergely)
Date: Wed Feb 8 18:54:07 2006
Subject: [LARTC] filter performance/optimization questions
In-Reply-To: <20060208173753.GA13059@EIS>
References: <43EA2A95.1000307@astral.ro> <20060208173753.GA13059@EIS>
Message-ID: <43EA3158.7010401@astral.ro>

yepp, hashing is done, for every type C class (/24), there are around 300 of
these, and all are redirected to a more specific table, according to the
documentation.

now i have a question about this, too. to me it's not clear how these filters
are looked up.

at first, there is that default table 800::, where i create these 'hashing
filters'. if i have 300 of them, how are they processed? if a packet comes in,
what happens? are they looked up in the same order i created them? like in
iptables?

then, if say, one filter matched, the more specific filter table is looked up,
the key being the last octet of the ip address (specified by the mask
0x000000ff). it looks up the right entry in the table, and it knows in which
flow (in which class) it should put the packet in. right?

now what if i have two filters? one with, say, a source port of 25 specified,
the other one with port 80.

these are some 'subquestions' :) the main question is the optimisation of
course :) i was just wondering how things are done.

Andreas Klauer wrote:
> On Wed, Feb 08, 2006 at 07:29:57PM +0200, Imre Gergely wrote:
>> i did some tests with esfq (that brought down the classes to around 150), but
>> the filters remained, and the load was still 100%. and i get some packet loss
>> because of that. not much, around 1-2%, but it's enough :)
>>
>> is there something i could do to bring the load down?
>
> Are the filters already hashed? If not, that's the first thing I'd try.
> There was a section on that on www.lartc.org. (Hmmm, seems to be down.)
>
> http://www.linux.org/docs/ldp/howto/Adv-Routing-HOWTO/lartc.adv-filter.hashing.html
>
> HTH
> Andreas Klauer
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
From: dor at ldc.net (Dmytro O. Redchuk)
Date: Wed Feb 8 19:43:58 2006
Subject: [LARTC] filter performance/optimization questions
In-Reply-To: <43EA3158.7010401@astral.ro>
References: <43EA2A95.1000307@astral.ro> <20060208173753.GA13059@EIS> <43EA3158.7010401@astral.ro>
Message-ID: <20060208184350.GO4916@ldc.net>

On Wed, Feb 08, 2006 at 07:58:48PM +0200, Imre Gergely wrote:
> at first, there is that default table 800::, where i create these 'hashing
> filters'. if i have 300 of them, how are they processed? if a packet comes in,
> what happens? are they looked up in the same order i created them? like in
> iptables?

Yes, if i understood you correctly.

You can create a hash to match a network (hashkey mask 0x0000ff00), then match
an address (in another hash table). Or even match with hashkey mask 0x000ff000
(or other bits), then... etc. You can cascade them, in other words.

> then, if say, one filter matched, the more specific filter table is looked up,
> the key being the last octet of the ip address (specified by the mask
> 0x000000ff). it looks up the right entry in the table, and it knows in which
> flow (in which class) it should put the packet in. right?
>
> now what if i have two filters? one with, say, a source port of 25 specified,
> the other one with port 80.

Mmm... If I understood you... :-) Sorry, that's my english.

Every hash table cell may contain many filters, they will be processed in
sequence. And if the packet does not match any of them, it'll be dropped to
the default class.

> these are some 'subquestions' :) the main question is the optimisation of
> course :) i was just wondering how things are done.

--
Dmytro O. Redchuk
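The cascade Dmytro describes (a top-level table keyed on the third octet of the destination, then one 256-bucket table per /24 keyed on the last octet) with, at the leaves, the one-class-per-IP limit Rob asked about in the "Limit bandwidth per IP" thread above, as a generator script. This is an added example, not code from the list; the interface, the rates and the three /24s are constructed, and by default it only prints the tc commands (set TC=tc to apply them).

```shell
#!/bin/sh
# Added example, not from the LARTC list: generate a two-level u32 hash
# filter cascade with one HTB class per IP at the leaves.
# Constructed values: DEV, the rates and the three /24s below.

TC=${TC:-echo}                 # TC=tc applies the rules; default only prints
DEV=${DEV:-eth1}               # LAN-facing interface (constructed)
LINK_RATE=${LINK_RATE:-10mbit}
PER_IP_RATE=${PER_IP_RATE:-56kbit}
NETS="192.168.1 192.168.2 192.168.3"   # /24s to shape, all inside 192.168.0.0/16

# Root qdisc, link class, catch-all class and the top-level hash table 2:
setup_root() {
    $TC qdisc del dev "$DEV" root 2>/dev/null || true
    $TC qdisc add dev "$DEV" root handle 1: htb default 2
    $TC class add dev "$DEV" parent 1: classid 1:1 htb rate "$LINK_RATE"
    $TC class add dev "$DEV" parent 1:1 classid 1:2 htb rate 1mbit   # catch-all
    $TC filter add dev "$DEV" parent 1: prio 1 handle 2: protocol ip u32 divisor 256
    # From the default table 800: jump into table 2; the bucket is the third
    # octet of the destination address (dst starts at IP header offset 16).
    $TC filter add dev "$DEV" parent 1: prio 1 protocol ip u32 ht 800:: \
        match ip dst 192.168.0.0/16 hashkey mask 0x0000ff00 at 16 link 2:
}

# One 256-bucket table per /24, keyed on the last octet, and one class per host.
# $1 = hash table handle (hex, 3 and up), $2 = net index, $3 = first three octets
setup_net() {
    ht=$1; idx=$2; net=$3
    third=${net##*.}                       # e.g. 1 for 192.168.1
    $TC filter add dev "$DEV" parent 1: prio 1 handle "$ht": protocol ip u32 divisor 256
    # Entry in bucket <third octet> of table 2: jump to this /24's own table.
    $TC filter add dev "$DEV" parent 1: prio 1 protocol ip u32 \
        ht 2:$(printf '%x' "$third"): match ip dst "$net.0/24" \
        hashkey mask 0x000000ff at 16 link "$ht":
    i=0
    while [ "$i" -lt 256 ]; do
        minor=$(printf '%x' $(((idx + 1) * 256 + i)))   # 1:100, 1:101, ...
        $TC class add dev "$DEV" parent 1:1 classid 1:$minor htb rate "$PER_IP_RATE"
        # A byte-aligned hashkey folds to that octet's value, so the host with
        # last octet i lives in bucket i of this table.
        $TC filter add dev "$DEV" parent 1: prio 1 protocol ip u32 \
            ht "$ht":$(printf '%x' "$i"): match ip dst "$net.$i/32" flowid 1:$minor
        i=$((i + 1))
    done
}

generate() {
    setup_root
    ht=3; idx=0
    for net in $NETS; do
        setup_net "$ht" "$idx" "$net"
        ht=$((ht + 1)); idx=$((idx + 1))
    done
}

generate
```

A packet for 192.168.3.255 is thus looked up in table 800 (one entry), then bucket 0x3 of table 2, then bucket 0xff of table 5, instead of walking a list of 768 filters.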
From: sizer at san.rr.com (Ron Dippold)
Date: Wed Feb 8 19:52:10 2006
Subject: [LARTC] lartc site
In-Reply-To: <43EA2C65.8020708@astral.ro>
References: <43EA2C65.8020708@astral.ro>
Message-ID: <43EA3DD4.2080307@san.rr.com>

I haven't been able to resolve lartc.org for days. Thank goodness for Google
Cache.

Imre Gergely wrote:
> [offtopic]
> btw, is there something wrong with the domain?
> i couldn't reach the site, my browser said the hostname lartc.org (or
> www.lartc.org) doesn't exist, i had to dig up the ip address through whois,
> lookups and stuff.
> [/offtopic]
From: imre.gergely at astral.ro (Imre Gergely)
Date: Wed Feb 8 19:59:39 2006
Subject: [LARTC] lartc site
In-Reply-To: <43EA3DD4.2080307@san.rr.com>
References: <43EA2C65.8020708@astral.ro> <43EA3DD4.2080307@san.rr.com>
Message-ID: <43EA40B5.2070405@astral.ro>

i did something like this:

[root@imi postfix]# whois lartc.org@whois.opensrs.net | grep "Name Server:"
    Name Server:DNS-EU1.POWERDNS.NET
    Name Server:DNS-US1.POWERDNS.NET
    Name Server:
    Name Server:
    Name Server:
    Name Server:
    Name Server:
    Name Server:
    Name Server:
    Name Server:
    Name Server:
    Name Server:
    Name Server:
[root@imi postfix]# host www.lartc.org DNS-EU1.POWERDNS.NET
Using domain server:
Name: DNS-EU1.POWERDNS.NET
Address: 213.244.168.217#53
Aliases:

www.lartc.org has address 213.244.168.210
[gimre@imi ~]$ cat /etc/hosts | grep lartc
213.244.168.210 www.lartc.org
213.244.168.210 lartc.org

Ron Dippold wrote:
> I haven't been able to resolve lartc.org for days. Thank goodness for
> Google Cache.
>
> Imre Gergely wrote:
>> [offtopic]
>> btw, is there something wrong with the domain?
>> i couldn't reach the site, my browser said the hostname lartc.org (or
>> www.lartc.org) doesn't exist, i had to dig up the ip address through
>> whois,
>> lookups and stuff.
>> [/offtopic]
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

--
Imre Gergely
SysAdmin NOCS-CJ
Astral Telecom S.A.
Plugarilor 28, Cluj-Napoca
http://www.astral.ro
From: mikaels at powertech.no (Mikael Svenson)
Date: Wed Feb 8 20:57:10 2006
Subject: [LARTC] Sort of solution to traffic only going to last nexthop
Message-ID: <43EA4D13.9040000@powertech.no>

Just wanted to let the people who have trouble with this know that I got it to
work.

I ditched my Gentoo install and fired up Fedora Core 4. But it was not working
out of the box.

When I updated to the latest kernel rpm 2.6.15 it worked like a charm :D

So.. Fedora Core 4 with the latest 2.6 kernel ought to get you up and running.

Hope this helps someone. My three weeks of anguish are finally over :)

Regards,
Mikael Svenson

From: russell-lartc at stuart.id.au (Russell Stuart)
Date: Thu Feb 9 04:24:37 2006
Subject: [LARTC] Where do I post patches?
Message-ID: <1139455424.4283.35.camel@ras>

I have found a few bugs in tc, and have produced patches for them. Two require
changes to tc, one to the kernel.

Where should I post these patches?

--
Regards,
Russell Stuart
From: jody.shumaker at gmail.com (Jody Shumaker)
Date: Thu Feb 9 06:28:01 2006
Subject: [LARTC] Sort of solution to traffic only going to last nexthop
In-Reply-To: <43EA4D13.9040000@powertech.no>
References: <43EA4D13.9040000@powertech.no>
Message-ID: <2af436490602082127q4fedb1a2q3421938920a9c17b@mail.gmail.com>

Not all of us can switch distros that easily :P

I did try ditching the gentoo kernel sources and going with vanilla kernel
sources, but still didn't work and made it easy to cause a kernel panic. I
ended up ditching the patches and any thoughts of load balancing between the 2
connections, as debugging kernel problems didn't sound fun to me.

- Jody

On 2/8/06, Mikael Svenson wrote:
> Just wanted to let the people who have trouble with this know that I got
> it to work.
>
> I ditched my Gentoo install and fired up Fedora Core 4. But it was not
> working out of the box.
>
> When I updated to the latest kernel rpm 2.6.15 it worked like a charm :D
>
> So.. Fedora Core 4 with the latest 2.6 kernel ought to get you up and
> running.
>
> Hope this helps someone. My three weeks of anguish are finally over :)
>
> Regards,
> Mikael Svenson
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
From: lartc at dervishd.net (DervishD)
Date: Thu Feb 9 09:41:36 2006
Subject: [LARTC] Where do I post patches?
In-Reply-To: <1139455424.4283.35.camel@ras>
References: <1139455424.4283.35.camel@ras>
Message-ID: <20060209084241.GA93@DervishD>

Hi Russell :)

* Russell Stuart dixit:
> I have found a few bugs in tc, and have produced patches
> for them. Two require changes to tc, one to the kernel.
>
> Where should I post these patches?

IMHO, you should start by posting the patches here for peer-review and
betatesting. After that, the kernel related patches should be posted to LKML
too.

Raúl Núñez de Arenas Coronado

--
Linux Registered User 88736 | http://www.dervishd.net
http://www.pleyades.net & http://www.gotesdelluna.net
It's my PC and I'll cry if I want to... RAmen!

From: payal-lartc at scriptkitchen.com (Payal Rathod)
Date: Thu Feb 9 12:58:14 2006
Subject: [LARTC] load balancing and failover
Message-ID: <20060209115810.GA6970@tranquility.scriptkitchen.com>

Hi,
A friend of mine has 2 lines of 512kbps terminated in two Linux boxes.
He now wants to remove those 2 boxes and have some device which will
load balance the two ISPs and also have a failover arrangement. But he
has agreed to give me a chance to do it on Linux for my own
satisfaction.
Is this easy to do with lartc? How do I go about it exactly? I have
very little time to do it since his whole network will be down for that
time and I cannot afford to play for a long time. Is it worth trying it
with lartc for academic sake at least?
Can someone suggest some easy steps?
With warm regards,
-Payal
p.s. Is lartc.org down?
From: uwe.ernst at gmail.com (Uwe Ernst)
Date: Thu Feb 9 13:34:30 2006
Subject: [LARTC] www.lartc.org down?
Message-ID: <43EB36A2.2060201@gmail.com>

Hi all,

am i the only one experiencing the downtime of the www.lartc.org site, or is
my isp not able to resolve the correct ip address.

uwe
From: sewlist at gmail.com (the sew)
Date: Thu Feb 9 13:57:50 2006
Subject: [LARTC] Routing packges by destination port
In-Reply-To: <002401c62c9c$7401c070$0e001eac@NATANIEL>
References: <002401c62c9c$7401c070$0e001eac@NATANIEL>

hi,

I have a similar setup, but I load balance my proxy. 2 ways I would try with
iproute2 off the top of my head:

1)
ip rule add from x.x.x.x table out1
ip route add default dev eth1 table out

where x.x.x.x is the ip of your transparent ip

2) I would do what you did with port 80 just the other way around: have a
default route of eth1 and have a "iptables -t mangle -A PREROUTING ! -p tcp
--dport 80 -j MARK etc" rule where u mark everything except port 80 through
eth0 (check the NOT in the iptables command)

hope this helps

Sew

On 2/8/06, Nataniel Klug wrote:
> Hello all,
>
> After much time reading a lot of stuff I am quite confident using LARTC
> to route my traffic. I am still working on QoS (by packet type and so on)
> but it will stay in my studying class for a long time... ;)
>
> So let's go to my question... I mounted a router that makes my connections
> through 2 external interfaces.
>
> It's working fine and my default gateway for the entire network behind it
> (NATed) is the link at interface eth0.
>
> All traffic going to port 80 is marked as 0x1 and I route it to a table
> that makes its default route through link2 (eth3).
>
> My problem begins when I try to use transparent proxy (squid) with this
> rule:
>
> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -p tcp -m tcp --dport 80
> -j REDIRECT --to-ports 3128
>
> If I make this rule my routing tables begin to scramble all my traffic
> and make it go ALL through only 1 link (eth0). Is there any way to use
> transparent squid with multiple routing tables and marking packets?
>
> PS.: What is this error "Icmp checksum is wrong"?
>
> Att,
>
> Nataniel Klug
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From: s.heidl at teles.de (Sebastian Heidl)
Date: Thu Feb 9 14:37:52 2006
Subject: [LARTC] www.lartc.org down?
In-Reply-To: <43EB36A2.2060201@gmail.com>
References: <43EB36A2.2060201@gmail.com>
Message-ID: <1139492109.20685.5.camel@sehe-c4.berlin.teles.de>

On Thu, 2006-02-09 at 13:33 +0100, Uwe Ernst wrote:
> am i the only one experiencing the downtime of the www.lartc.org site,

Nope.

> or
> is my isp not able to resolve the correct ip address.

We have the same situation here.

_sh_
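Sew's reply above, worked into one script for the setup Nataniel described (LAN 192.168.0.0/24, default uplink eth0, port-80 uplink eth3, squid listening on the router at 3128). This is an added example, not code from either poster; the LAN interface, the eth3 gateway address and the squid user name are constructed, and by default the commands are only printed (set IPT=iptables IP=ip to apply them).

```shell
#!/bin/sh
# Added example, not code from the list: transparent squid plus port-80
# policy routing on one router. Constructed: LAN_IF, LINK2_GW, SQUID_USER.
# Assumes a routing table named 'link2' exists in /etc/iproute2/rt_tables.

IPT=${IPT:-echo iptables}          # IPT=iptables applies; default prints
IP=${IP:-echo ip}
LAN_IF=${LAN_IF:-eth1}             # constructed
LINK2_GW=${LINK2_GW:-203.0.113.1}  # constructed (documentation range)
SQUID_USER=${SQUID_USER:-squid}    # constructed

setup_port80_routing() {
    # Marked packets take table 'link2', whose only route is eth3's gateway.
    $IP route add default via "$LINK2_GW" dev eth3 table link2
    $IP rule add fwmark 0x1 prio 100 table link2

    # mangle PREROUTING runs before nat PREROUTING, so the mark is set first.
    $IPT -t mangle -A PREROUTING -i "$LAN_IF" -s 192.168.0.0/24 \
        -p tcp --dport 80 -j MARK --set-mark 0x1

    # REDIRECT is only accepted in the nat PREROUTING and OUTPUT chains, not in
    # POSTROUTING. A redirected packet is delivered locally (the local table
    # wins at priority 0), so its fwmark no longer chooses an uplink: from here
    # on squid, not the client, opens the outbound connection.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s 192.168.0.0/24 \
        -p tcp --dport 80 -j REDIRECT --to-ports 3128

    # Squid's own fetches are locally generated and pass mangle OUTPUT, never
    # PREROUTING; mark them there so the same fwmark rule sends them via eth3.
    $IPT -t mangle -A OUTPUT -p tcp --dport 80 \
        -m owner --uid-owner "$SQUID_USER" -j MARK --set-mark 0x1

    # Source NAT per uplink so replies come back on the link the packet used.
    $IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    $IPT -t nat -A POSTROUTING -o eth3 -j MASQUERADE
}

# Check on the generated rule set: which nat chain carries the REDIRECT.
redirect_chain() {
    setup_port80_routing | sed -n 's/.*-t nat -A \([A-Z]*\) .*-j REDIRECT.*/\1/p'
}

setup_port80_routing
```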
From: manish at tuxspace.com (Manish Kathuria)
Date: Thu Feb 9 15:22:42 2006
Subject: [LARTC] load balancing and failover
In-Reply-To: <20060209115810.GA6970@tranquility.scriptkitchen.com>
References: <20060209115810.GA6970@tranquility.scriptkitchen.com>
Message-ID: <43EB5028.4030206@tuxspace.com>

Payal Rathod wrote:
> Hi,
> A friend of mine has 2 lines of 512kbps terminated in two Linux boxes.
> He now wants to remove those 2 boxes and have some device which will
> load balance the two ISPs and also have a failover arrangement. But he
> has agreed to give me a chance to do it on Linux for my own
> satisfaction.
> Is this easy to do with lartc? How do I go about it exactly? I have
> very little time to do it since his whole network will be down for that
> time and I cannot afford to play for a long time. Is it worth trying it
> with lartc for academic sake at least?
> Can someone suggest some easy steps?
> With warm regards,
> -Payal
> p.s. Is lartc.org down?

You can try out implementing configuring a load balancing and failover system
referring to the following documents:

http://www.ssi.bg/~ja/nano.txt
http://www.ssi.bg/~ja/dgd-usage.txt

You will need to patch and recompile the linux kernel using the "routes" patch
given at http://www.ssi.bg/~ja/#routes for dead gateway detection to work. The
load balancing part works fine but dead gateway detection (and hence failover)
does not work always. It works best when your first hop gateway is down but may
or may not work when a subsequent hop is down. In a recent case, I observed
that dead gateway detection and the failover was working very well when one
ISP failed but did not happen when the other one went down. So you can try
your luck here.

--
Manish Kathuria
http://www.tuxspace.com/
From: payal-lartc at scriptkitchen.com (Payal Rathod)
Date: Thu Feb 9 15:40:40 2006
Subject: [LARTC] load balancing and failover
In-Reply-To: <43EB5028.4030206@tuxspace.com>
References: <20060209115810.GA6970@tranquility.scriptkitchen.com> <43EB5028.4030206@tuxspace.com>
Message-ID: <20060209144028.GA10909@tranquility.scriptkitchen.com>

On Thu, Feb 09, 2006 at 07:52:32PM +0530, Manish Kathuria wrote:
> You can try out implementing configuring a load balancing and failover
> system referring to the following documents:
>
> http://www.ssi.bg/~ja/nano.txt
> http://www.ssi.bg/~ja/dgd-usage.txt

Sigh!!!!!!!! I thought it must be very easy with lartc.
Also, I cannot patch the kernel. It is a live system and the person there will
definitely kill me if I even ask him.

Payal
From: manish at tuxspace.com (Manish Kathuria)
Date: Thu Feb 9 16:07:14 2006
Subject: [LARTC] load balancing and failover
In-Reply-To: <20060209144028.GA10909@tranquility.scriptkitchen.com>
References: <20060209115810.GA6970@tranquility.scriptkitchen.com> <43EB5028.4030206@tuxspace.com> <20060209144028.GA10909@tranquility.scriptkitchen.com>
Message-ID: <43EB5A9F.401@tuxspace.com>

Payal Rathod wrote:
> On Thu, Feb 09, 2006 at 07:52:32PM +0530, Manish Kathuria wrote:
>
>>You can try out implementing configuring a load balancing and failover
>>system referring to the following documents:
>>
>>http://www.ssi.bg/~ja/nano.txt
>>http://www.ssi.bg/~ja/dgd-usage.txt
>
> Sigh!!!!!!!! I thought it must be very easy with lartc.
> Also, I cannot patch the kernel. It is a live system and the person
> there will definitely kill me if I even ask him.
>
> Payal

It is actually easy. The LARTC How To does not take care of failover but load
balancing works fine. So if you want just load balancing you can go with it.
You can also try out any of the following approaches / scripts:

http://yesican.chsoft.biz/lartc/MultihomedLinuxNetworking.html
http://www.burnpc.com/website.nsf/all/FE5F4F294F508EB786256E600019BC30
http://www.linux.com.lb/wiki/index.pl?node=Load%20Balancing%20Across%20Multiple%20Links
http://www.initzero.it/products/opensource/izbalancing/download/izbalancing
http://routeskeeper.sourceforge.net/Routeskeeper/

But nano.txt is probably the best way out. You can get hold of a spare system
or a hard disk and move it there after you set it up.

--
Manish Kathuria
http://www.tuxspace.com/
From: payal-lartc at scriptkitchen.com (Payal Rathod)
Date: Thu Feb 9 16:34:06 2006
Subject: [LARTC] load balancing and failover
In-Reply-To: <43EB5A9F.401@tuxspace.com>
References: <20060209115810.GA6970@tranquility.scriptkitchen.com> <43EB5028.4030206@tuxspace.com> <20060209144028.GA10909@tranquility.scriptkitchen.com> <43EB5A9F.401@tuxspace.com>
Message-ID: <20060209153404.GA11997@tranquility.scriptkitchen.com>

On Thu, Feb 09, 2006 at 08:37:11PM +0530, Manish Kathuria wrote:
> It is actually easy. The LARTC How To does not take care of failover
> but load balancing works fine. So if you want just load balancing you
> can go with it. You can also try out any of the following approaches /
> scripts:

Thanks for the links. They will make excellent reading.
He has proper leased lines and so I thought it would be a piece of cake to do
it in Linux. Guess I have to eat my words ;)

With warm regards,
-Payal

From: gypsy at iswest.com (gypsy)
Date: Thu Feb 9 16:45:00 2006
Subject: [LARTC] Where do I post patches?
References: <1139455424.4283.35.camel@ras>
Message-ID: <43EB636F.745C11B2@iswest.com>

Russell Stuart wrote:
>
> I have found a few bugs in tc, and have produced patches
> for them. Two require changes to tc, one to the kernel.
>
> Where should I post these patches?
>
> --
> Regards,
> Russell Stuart

Send them to Stephen Hemminger: shemminger at osdl.org

--
gypsy
From: gypsy at iswest.com (gypsy)
Date: Thu Feb 9 16:53:48 2006
Subject: [LARTC] load balancing and failover
References: <20060209115810.GA6970@tranquility.scriptkitchen.com>
Message-ID: <43EB6583.32F87EF4@iswest.com>

Payal Rathod wrote:
>
> Hi,
> A friend of mine has 2 lines of 512kbps terminated in two Linux boxes.
> He now wants to remove those 2 boxes and have some device which will
> load balance the two ISPs and also have a failover arrangement. But he
> has agreed to give me a chance to do it on Linux for my own
> satisfaction.
> Is this easy to do with lartc? How do I go about it exactly? I have
> very little time to do it since his whole network will be down for that
> time and I cannot afford to play for a long time. Is it worth trying it
> with lartc for academic sake at least?
> Can someone suggest some easy steps?
> With warm regards,
> -Payal

Probably you are in over your head. Have a look at these and decide for
yourself:

http://linux-ha.org/
http://www.ssi.bg/~ja/
http://www.geocities.com/mctiew/ffw/dual.htm
http://muse.linuxmafia.org/netsane/

> p.s. Is lartc.org down?

No, it just does not resolve. Check this list from a couple of days ago for
the IP but it is dynamic so it may have changed since that posting.

--
gypsy

From: sorin.panca at gmail.com (Sorin Panca)
Date: Thu Feb 9 17:06:14 2006
Subject: [LARTC] www.lartc.org down?
In-Reply-To: <1139492109.20685.5.camel@sehe-c4.berlin.teles.de>
References: <43EB36A2.2060201@gmail.com> <1139492109.20685.5.camel@sehe-c4.berlin.teles.de>
Message-ID: <43EB6A20.9020709@gmail.com>

Sebastian Heidl wrote:
>On Thu, 2006-02-09 at 13:33 +0100, Uwe Ernst wrote:
>
>>am i the only one experiencing the downtime of the www.lartc.org site,
>>

I can't access lartc.org.
From: tech at wildcash.com (Rudi Starcevic)
Date: Fri Feb 10 03:39:02 2006
Subject: [LARTC] Simple Dual NIC setup
Message-ID: <43EBFCB6.4060701@wildcash.com>

Hello,

I'm having some problems I can't see trying to configure two network cards.

I have eth0 and eth1.
On eth0 I have 10.1.1.1.1
ON eth1 I have 192.168.2.250

After my script runs I can ping the 10.1.1.0/24 network but not the
192.168.2.0/24 network.

192.168.2/24 is network un-reachable .... Hmmm ...

Can you check over my 6 commands below and see where my problem is?

Many thanks.
Regards,
Rudi.

Routing Tables

255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep
200     implan
201     inet

echo "Setup NIC 0"
ip addr add 10.1.1.1/24 dev eth0 brd +

echo "Setup NIC 1"
ip addr add 192.168.2.250/24 dev eth1 brd +

echo "Setup Default Route [ inet table ]"
ip route add default via 10.1.1.254 proto static table inet

echo "Setup LAN Route [ implan table ]"
ip route add 192.168.2/24 via 192.168.2.250 proto static table implan

echo "Setup LAN ip rule"
ip rule add to 192.168.2/24 prio 16000 table implan

echo "Setup Internet ip rule"
ip rule add to 0/0 prio 17000 table inet

From: russell-lartc at stuart.id.au (Russell Stuart)
Date: Fri Feb 10 03:45:35 2006
Subject: [LARTC] [PATCH] TC: bug fixes to the "sample" clause
Message-ID: <1139538806.15476.33.camel@ras>

PATCH 1
=======

On my machine tc does not parse filter "sample" for the u32 filter. Eg:

  tc filter add dev eth2 parent 1:0 protocol ip prio 1 u32 ht 801: \
    classid 1:3 \
    sample ip protocol 1 0xff match ip protocol 1 0xff
  Illegal "sample"

The reason is a missing memset. This patch fixes it.

diff -Nur iproute-20051007.keep/tc/f_u32.c iproute-20051007/tc/f_u32.c
--- iproute-20051007.keep/tc/f_u32.c	2005-01-19 08:11:58.000000000 +1000
+++ iproute-20051007/tc/f_u32.c	2006-01-12 17:12:43.000000000 +1000
@@ -878,6 +878,7 @@ struct tc_u32_sel sel; struct tc_u32_key keys[4]; } sel2; + memset(&sel2, 0, sizeof(sel2)); NEXT_ARG(); if (parse_selector(&argc, &argv, &sel2.sel, n)) { fprintf(stderr, "Illegal \"sample\"\n"); PATCH 2 ======= In tc, the u32 sample clause uses the 2.4 hashing algorithm. The hashing algorithm used by the kernel changed in 2.6, consequently "sample" hasn't work since then. This patch makes the sample clause work for both 2.4 and 2.6: diff -Nur iproute-20051007.keep/tc/f_u32.c iproute-20051007/tc/f_u32.c --- iproute-20051007.keep/tc/f_u32.c 2006-01-12 17:34:37.000000000 +1000 +++ iproute-20051007/tc/f_u32.c 2006-02-07 17:10:29.000000000 +1000 @@ -17,6 +17,7 @@ #include #include #include +#include #include #include #include @@ -874,6 +875,7 @@ htid = (handle&0xFFFFF000); } else if (strcmp(*argv, "sample") == 0) { __u32 hash; + struct utsname utsname; struct { struct tc_u32_sel sel; struct tc_u32_key keys[4]; @@ -889,8 +891,19 @@ return -1; } hash = sel2.sel.keys[0].val&sel2.sel.keys[0].mask; - hash ^= hash>>16; - hash ^= hash>>8; + uname(&utsname); + if (strncmp(utsname.release, "2.4.", 4) == 0) { + hash ^= hash>>16; + hash ^= hash>>8; + } + else { + __u32 mask = sel2.sel.keys[0].mask; + while (mask && !(mask & 1)) { + mask >>= 1; + hash >>= 1; + } + hash &= 0xFF; + } htid = ((hash<<12)&0xFF000)|(htid&0xFFF00000); sample_ok = 1; continue; PATCH 3 ======= "tc" does not allow you to specify the divisor for the "sample" clause, it always assumes a divisor of 256. If the divisor isn't 256, (ie it is something less), the kernel will usually whinge because the bucket given to it by "tc" is typically too big. This patch adds a "divisor" option to tc's "sample" clause: diff -Nur iproute-20051007.keep/tc/f_u32.c iproute-20051007/tc/f_u32.c --- iproute-20051007.keep/tc/f_u32.c 2006-02-10 11:40:16.000000000 +1000 +++ iproute-20051007/tc/f_u32.c 2006-02-10 11:47:14.000000000 +1000 
@@ -35,7 +35,7 @@ fprintf(stderr, "or u32 divisor DIVISOR\n"); fprintf(stderr, "\n"); fprintf(stderr, "Where: SELECTOR := SAMPLE SAMPLE ...\n"); - fprintf(stderr, " SAMPLE := { ip | ip6 | udp | tcp | icmp | u{32|16|8} | mark } SAMPLE_ARGS\n"); + fprintf(stderr, " SAMPLE := { ip | ip6 | udp | tcp | icmp | u{32|16|8} | mark } SAMPLE_ARGS [divisor DIVISOR]\n"); fprintf(stderr, " FILTERID := X:Y:Z\n"); } @@ -835,7 +835,7 @@ unsigned divisor; NEXT_ARG(); if (get_unsigned(&divisor, *argv, 0) || divisor == 0 || - divisor > 0x100) { + divisor > 0x100 || (divisor - 1 & divisor)) { fprintf(stderr, "Illegal \"divisor\"\n"); return -1; } @@ -875,6 +875,7 @@ htid = (handle&0xFFFFF000); } else if (strcmp(*argv, "sample") == 0) { __u32 hash; + unsigned divisor = 0x100; struct utsname utsname; struct { struct tc_u32_sel sel; @@ -890,6 +891,15 @@ fprintf(stderr, "\"sample\" must contain exactly ONE key.\n"); return -1; } + if (*argv != 0 && strcmp(*argv, "divisor") == 0) { + NEXT_ARG(); + if (get_unsigned(&divisor, *argv, 0) || divisor == 0 || + divisor > 0x100 || (divisor - 1 & divisor)) { + fprintf(stderr, "Illegal sample \"divisor\"\n"); + return -1; + } + NEXT_ARG(); + } hash = sel2.sel.keys[0].val&sel2.sel.keys[0].mask; uname(&utsname); if (strncmp(utsname.release, "2.4.", 4) == 0) { @@ -904,7 +913,7 @@ } hash &= 0xFF; } - htid = ((hash<<12)&0xFF000)|(htid&0xFFF00000); + htid = ((hash%divisor)<<12)|(htid&0xFFF00000); sample_ok = 1; continue; } else if (strcmp(*argv, "indev") == 0) { From lartc at nospam.otaku42.de Fri Feb 10 06:19:07 2006 
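Review bot: in the PATCH 2 hunk at @@ -889,8 +891,19 @@ the return value of uname(&utsname) is not checked, so if the call fails utsname.release is read uninitialised by the strncmp that follows; add `if (uname(&utsname) < 0) { perror("uname"); return -1; }` before the comparison. Choosing the hash fold by the running kernel's release string also ties tc's behaviour to the host it runs on rather than to the kernel that will own the filter, and every release that does not start with "2.4." (2.2 included) silently gets the 2.6 fold, which deserves a comment next to the strncmp. Note too that the added `+#include` line in the @@ -17,6 +17,7 @@ hunk has lost its header name in the archived copy; the header that declares uname() and struct utsname is <sys/utsname.h>.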
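Review bot: `(divisor - 1 & divisor)` in both divisor checks of PATCH 3 (hunks @@ -835,7 +835,7 @@ and @@ -890,6 +891,15 @@) relies on `-` binding tighter than `&`; it is a correct power-of-two test but reads as `divisor - (1 & divisor)` and gcc -Wparentheses will warn, so write `((divisor - 1) & divisor)`. The same check, added to the existing `u32 divisor` clause in the @@ -835 hunk, now rejects non-power-of-two divisors that were accepted before this patch; that is a user-visible change and belongs in the patch description. Finally, the NEXT_ARG() after the sample divisor value treats a missing following token as an incomplete command, so `sample ... divisor N` cannot be the last thing on the line; either document that or advance only when argc allows, as the `*argv != 0` test a few lines up already anticipates running off the end.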
From: lartc at nospam.otaku42.de (Michael Renzmann)
Date: Fri Feb 10 06:19:16 2006
Subject: [LARTC] www.lartc.org down?
In-Reply-To: <1139492109.20685.5.camel@sehe-c4.berlin.teles.de>
References: <43EB36A2.2060201@gmail.com> <1139492109.20685.5.camel@sehe-c4.berlin.teles.de>
Message-ID: <1139548747.5264.16.camel@gimli>

On Thu, 2006-02-09 at 14:35 +0100, Sebastian Heidl wrote:
> > am i the only one experience the downtime of the www.lartc.org site,
> Nope. Same problem here.

Probably a DNS problem:

=== cut ===
$ dig lartc.org

; <<>> DiG 9.3.1 <<>> lartc.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;lartc.org. IN A

;; Query time: 1 msec
;; SERVER: 192.168.2.254#53(192.168.2.254)
;; WHEN: Fri Feb 10 06:13:49 2006
;; MSG SIZE rcvd: 27

$ dig @dns-eu1.powerdns.net lartc.org

; <<>> DiG 9.3.1 <<>> @dns-eu1.powerdns.net lartc.org
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50665
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;lartc.org. IN A

;; ANSWER SECTION:
lartc.org. 3600 IN A 213.244.168.210

;; Query time: 27 msec
;; SERVER: 213.244.168.217#53(213.244.168.217)
;; WHEN: Fri Feb 10 06:14:18 2006
;; MSG SIZE rcvd: 43
=== cut ===

Bye, Mike
From georgi.alexandrov at gmail.com Fri Feb 10 10:42:24 2006
From: georgi.alexandrov at gmail.com (Georgi Alexandrov)
Date: Fri Feb 10 10:42:48 2006
Subject: [LARTC] Conceptual question ;-)
In-Reply-To: <2af436490602080917mde4c19cibf514ddb81ea1ddb@mail.gmail.com>
References: <43E9B364.3020009@gmail.com> <2af436490602080917mde4c19cibf514ddb81ea1ddb@mail.gmail.com>
Message-ID: <43EC6000.1020700@gmail.com>

Jody Shumaker wrote:
> I don't believe -j CLASSIFY target can target sub-classes. Pretty
> sure you can only target classes whose parent is the root class of the
> qdisc. You would need to use tc filters to do this, or get rid of your
> redundant classes. For HTB for some reason you have a root class and
> a child class with the same limit? This makes no sense, you'd be fine
> with just the 2:2 class and attaching the sfq to that, and setting the
> classify to that.
>
> Otherwise, yes I think this would work in setting a limit on those ppp
> devices as they come up to XXXkbit of bandwidth.
>
> - Jody

Actually it looks like it can target sub-classes:

pppoe users ----- eth1-gw/router-eth0 ----- WAN/Internet

For shaping pppoe users' upload I do the following: attached a root qdisc to eth0, then attached an htb class to it (1:10 for example). Then I dynamically attach classes to 1:10 with numbers (1:91 for ppp1 for example) with parent 1:10. There are also dynamic iptables rules (a lot of dynamic stuff going on .. lol ;) saying "traffic from that pppoe user going out through eth0 CLASSIFY as 1:91". When a ppp43 is up, a class 1:943 with parent 1:10 will be attached to eth0 and an iptables rule saying "traffic from that pppoe user going out through eth0 CLASSIFY as 1:943", and it seems to work fine, upload seems to be shaped at the desired rates.
But that is in a "one pppoe user" test environment, I think it should work fine when deployed too, and each pppoe user will get their upload rates ;-)

--
regards,
Georgi Alexandrov
Key Server = http://pgp.mit.edu/ :: KeyID = 37B4B3EE
Key Fingerprint = E429 BF93 FA67 44E9 B7D4 F89E F990 01C1 37B4 B3EE

From msc at antzsystem.de Fri Feb 10 14:44:33 2006
From: msc at antzsystem.de (Markus Schulz)
Date: Fri Feb 10 14:44:02 2006
Subject: [LARTC] filter fw and ingress qdisc
Message-ID: <200602101444.34012.msc@antzsystem.de>

Hello,

I've found this page (lartc currently down)
http://www.lartc.org/howto/lartc.cookbook.synflood-protect.html
where someone used an iptables firewall mark to mark specific packets which will be shaped through the ingress qdisc with a fw filter and rate policy appended. I've tried something similar this way, but it doesn't work. Now I believe this couldn't work because the traffic is marked with iptables after it has passed the ingress qdisc? Correct?

I've tried these two ways:

********************************
$TC qdisc add dev $DEV handle FFFF: ingress
$TC filter add dev $DEV parent ffff: protocol ip prio 50 handle 7 fw \
    police rate ${DOWNSTREAM}kbit burst 10k mtu $MTU drop flowid :1
********************************

This doesn't work. Shapes nothing.

********************************
$TC qdisc add dev $DEV handle FFFF: ingress
$TC filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip \
    src 0.0.0.0/0 police rate ${DOWNSTREAM}kbit burst 10k drop flowid :1
********************************

This works fine, shapes all traffic down to the $DOWNSTREAM limit.

--
Markus Schulz

> >Is that verb regular? Does "ich kann den Mond sprengen" sound less
> >awkward than "ich kann den Mond explodieren" ?
> The first sentence is correct, the second one is just nonsense. But
> you will need quite a big amount of explosives to do so.

I'm sure America has plenty. :)

From msc at antzsystem.de Fri Feb 10 14:45:27 2006
From: msc at antzsystem.de (Markus Schulz)
Date: Fri Feb 10 14:44:52 2006
Subject: [LARTC] htb root don't reach ceil rate?
Message-ID: <200602101445.27714.msc@antzsystem.de>

Hello,

I have an htb setup where the root and (nearly) all child classes have a ceil rate with the max upstream of my adsl line. But the root class doesn't reach the ceil value, while some children get a huge backlog.

My setup: (tc -d class show dev ppp0) [cleaned a bit]

********************************************************
class htb 1:1 root rate 576000bit ceil 576000bit burst 30Kb/8 cburst 1739b/8 overhead 14b level 7
class htb 1:10 parent 1:1 leaf 100: prio 0 quantum 7500 rate 58000bit ceil 115000bit burst 1480b/8 cburst 1508b/8 overhead 14b level 0
class htb 1:20 parent 1:1 leaf 200: prio 1 quantum 256 rate 282000bit ceil 576000bit burst 396b/2 cburst 543b/2 overhead 14b level 0
class htb 1:30 parent 1:1 leaf 300: prio 2 quantum 9000 rate 117000bit ceil 576000bit burst 1509b/8 cburst 1739b/8 overhead 14b level 0
class htb 1:40 parent 1:1 leaf 400: prio 3 quantum 9000 rate 58000bit ceil 576000bit burst 1480b/8 cburst 1739b/8 overhead 14b level 0
class htb 1:50 parent 1:1 leaf 500: prio 7 quantum 2000 rate 20000bit ceil 576000bit burst 1461b/8 cburst 1739b/8 overhead 14b level 0
class htb 1:60 parent 1:1 leaf 600: prio 7 quantum 3000 rate 23000bit ceil 576000bit burst 1462b/8 cburst 1739b/8 overhead 14b level 0
class htb 1:70 parent 1:1 leaf 700: prio 7 quantum 1000 rate 14000bit ceil 576000bit burst 1458b/8 cburst 1739b/8 overhead 14b level 0
********************************************************

Now the classes 1:50 - 1:70 often get a lot of backlog, but the root class 1:1 doesn't reach the ceil rate.

The statistics look like:

********************************************************
tc -s -d class show dev ppp0
class htb 1:1 root rate 576000bit ceil 576000bit burst 30Kb/8 mpu 0b overhead 0b cburst 1739b/8 mpu 0b overhead 14b level 7
 Sent 1485575598 bytes 3140554 pkts (dropped 0, overlimits 0)
 rate 480008bit 115pps
 lended: 1904616 borrowed: 0 giants: 0
 tokens: 385702 ctokens: -26458

class htb 1:10 parent 1:1 leaf 100: prio 0 quantum 7500 rate 58000bit ceil 115000bit burst 1480b/8 mpu 0b overhead 0b cburst 1508b/8 mpu 0b overhead 14b level 0
 Sent 1186471 bytes 15097 pkts (dropped 0, overlimits 0)
 rate 152bit
 lended: 15097 borrowed: 0 giants: 0
 tokens: 194207 ctokens: 99943

class htb 1:20 parent 1:1 leaf 200: prio 1 quantum 256 rate 282000bit ceil 576000bit burst 396b/2 mpu 0b overhead 0b cburst 543b/2 mpu 0b overhead 14b level 0
 Sent 39131574 bytes 884694 pkts (dropped 0, overlimits 0)
 rate 13296bit 39pps
 lended: 884643 borrowed: 51 giants: 0
 tokens: 8453 ctokens: 6229

class htb 1:30 parent 1:1 leaf 300: prio 2 quantum 9000 rate 117000bit ceil 576000bit burst 1509b/8 mpu 0b overhead 0b cburst 1739b/8 mpu 0b overhead 14b level 0
 Sent 1027775 bytes 5392 pkts (dropped 0, overlimits 0)
 rate 112bit
 lended: 5332 borrowed: 60 giants: 0
 tokens: 61194 ctokens: 15701

class htb 1:40 parent 1:1 leaf 400: prio 3 quantum 9000 rate 58000bit ceil 576000bit burst 1480b/8 mpu 0b overhead 0b cburst 1739b/8 mpu 0b overhead 14b level 0
 Sent 370952 bytes 750 pkts (dropped 0, overlimits 0)
 lended: 617 borrowed: 133 giants: 0
 tokens: 172179 ctokens: 21731

class htb 1:50 parent 1:1 leaf 500: prio 7 quantum 2000 rate 20000bit ceil 576000bit burst 1461b/8 mpu 0b overhead 0b cburst 1739b/8 mpu 0b overhead 14b level 0
 Sent 249243996 bytes 608136 pkts (dropped 0, overlimits 0)
 rate 88512bit 22pps
 lended: 133117 borrowed: 475019 giants: 0
 tokens: -439382 ctokens: 5148

class htb 1:60 parent 1:1 leaf 600: prio 7 quantum 3000 rate 23000bit ceil 576000bit burst 1462b/8 mpu 0b overhead 0b cburst 1739b/8 mpu 0b overhead 14b level 0
 Sent 831028684 bytes 1288890 pkts (dropped 62, overlimits 0)
 rate 278224bit 42pps backlog 38p
 lended: 154838 borrowed: 1134014 giants: 0
 tokens: -65884 ctokens: -21987

class htb 1:70 parent 1:1 leaf 700: prio 7 quantum 1000 rate 14000bit ceil 576000bit burst 1458b/8 mpu 0b overhead 0b cburst 1739b/8 mpu 0b overhead 14b level 0
 Sent 363652940 bytes 337633 pkts (dropped 0, overlimits 0)
 rate 100144bit 11pps
 lended: 42294 borrowed: 295339 giants: 0
 tokens: -421519 ctokens: 2886
********************************************************

Why can't the ceil rate be reached? rate 480008bit out of 576000bit is a bit too big a difference. Besides this I'm using the overhead patch from Jesper Dangaard Brouer (iproute+htb) which takes the ATM+AAL5+SSCS overhead into account. Can a slightly inaccurate clock have something to do with this?

Another question: why does "tc show class" print the overhead and mpu values twice? And why is the first overhead value = 0?

--
Markus Schulz

From justin.todd at argonsecurity.com Fri Feb 10 19:46:39 2006
From: justin.todd at argonsecurity.com (Justin Todd)
Date: Fri Feb 10 19:46:33 2006
Subject: [LARTC] Lowering priority & increasing drop likelyhood of UDP data
Message-ID: <43ECDF8F.1020709@argonsecurity.com>

Hello.

I have a wireless system (link bandwidth = 700 kbit/s) that transmits realtime udp video data and other various tcp protocols. I don't care if I lose the occasional udp packet but I'd like all of the tcp traffic to get through. I'm thinking that a Generalized RED will give me the best results: 2 queues, one for TCP (very low probability of dropping) and one for UDP (high probability of dropping). How would I configure TCC/TC to do this?

Regards,
Justin

From sandro at e-den.it Sat Feb 11 10:08:52 2006
From: sandro at e-den.it (Sandro Dentella)
Date: Sat Feb 11 10:09:11 2006
Subject: [LARTC] load balancing and failover
In-Reply-To: <43EB5A9F.401@tuxspace.com>
References: <20060209115810.GA6970@tranquility.scriptkitchen.com> <43EB5028.4030206@tuxspace.com> <20060209144028.GA10909@tranquility.scriptkitchen.com> <43EB5A9F.401@tuxspace.com>
Message-ID: <20060211090852.GA9355@casa.e-den.it>

On Thu, Feb 09, 2006 at 08:37:11PM +0530, Manish Kathuria wrote:
> Payal Rathod wrote:
> >On Thu, Feb 09, 2006 at 07:52:32PM +0530, Manish Kathuria wrote:
> >
> >>You can try out implementing configuring a load balancing and failover
> >>system referring to the following documents:
> >>
> >>http://www.ssi.bg/~ja/nano.txt
> >>http://www.ssi.bg/~ja/dgd-usage.txt
> >
> >
> >Sigh!!!!!!!! I thought it must be very easy with lartc.
> >Also, I cannot patch the kernel. It is a live system and the person
> >there will definitely kill me if I even ask him.

I made a script that uses a simple conf file and allows quite a lot of work to be done in minutes. You can give it a chance even though I guess you need a basic knowledge of what you are doing (eg: what 'ip rule' does):

http://www.tksq.org/iprt2

There is also a man page with some examples.

I don't even know if other such scripts exist, so I'm not pretending this is any better than others. It is just what fitted my need.

A nice option is to test links using tables to force packets to choose one particular link. In a way this allows for an easy script that tests the link/route (without a kernel patch) and takes decisions in case the link is down.

To achieve this I use the mangle feature (OUTPUT) + ip rule fwmark. I wrote to this list some days ago on this purpose, because the kernel does not always seem to understand which ip it should attach to the packets (this is my comprehension, at least ;-).
sandro
*:-)

--
Sandro Dentella *:-)
e-mail: sandro@e-den.it
http://www.tksql.org TkSQL Home page - My GPL work

From ttw_chien at yahoo.com.tw Sat Feb 11 11:18:48 2006
From: ttw_chien at yahoo.com.tw (=?big5?q?=A4=FD=A4p=AAF?=)
Date: Sat Feb 11 11:18:52 2006
Subject: [LARTC] about the traffic control
Message-ID: <20060211101848.44948.qmail@web53412.mail.yahoo.com>

Hi, all:

I'm involved in the study of QoS, but have some problems; hope someone could help me answer:

1. Why is most traffic shaping implemented on the egress side (uplink) rather than the ingress side (downlink)? (e.g. why put the police rule on the smaller bandwidth side but not on the larger side)

2. I can't differentiate the functionalities exactly between SFQ and HTB; they're both queueing disciplines. HTB is used to manage bandwidth, with the DRR discipline in it, and is also a scheduler to send packets, so why do we still need SFQ?

3. Does anybody know where I can find a VoIP and VOD traffic generator? 'cause I want to evaluate the performance of linux DiffServ. I don't know if iperf can generate the above mentioned application traffic?

Fionna

From lartc at dervishd.net Sat Feb 11 12:09:23 2006
From: lartc at dervishd.net (DervishD)
Date: Sat Feb 11 12:08:27 2006
Subject: [LARTC] about the traffic control
In-Reply-To: <20060211101848.44948.qmail@web53412.mail.yahoo.com>
References: <20060211101848.44948.qmail@web53412.mail.yahoo.com>
Message-ID: <20060211110923.GB13442@DervishD>

Hi Fionna :)

* 王小東 dixit:
> 1. Why most traffic shaping implement in the egress side (Uplink) rather
> than the ingress side(Dnlink)?(e.g. why put the police rule on the smaller
> bandwidth side but not put on the larger side)

You cannot shape ingress traffic, because you cannot control the sending speed of the remote equipment. The only thing you can do is to drop packets, but that doesn't make the bandwidth smaller, it just causes fewer packets to arrive at applications, so while you effectively set a smaller bandwidth for applications, the cable BW is fully used. I suppose that ECN can be used to shape incoming traffic, but I don't know.

Raúl Núñez de Arenas Coronado

--
Linux Registered User 88736 | http://www.dervishd.net
http://www.pleyades.net & http://www.gotesdelluna.net
It's my PC and I'll cry if I want to... RAmen!

From ionut at topall.ro Sat Feb 11 13:34:43 2006
From: ionut at topall.ro (Popovici Ionut)
Date: Sat Feb 11 13:35:20 2006
Subject: [LARTC] how mani class can i have
Message-ID: <200602111234.k1BCYhGT017726@mail.topall.ro>

i have 4096 ip's how many classes can i use
i wanna to mark classes like ip
81.180.254.123 -> class 81180254123
or
89.32.32.49 -> class 89323249
can i use this kind of class?

Thank's

From jasonb at edseek.com Sat Feb 11 19:08:44 2006
From: jasonb at edseek.com (Jason Boxman)
Date: Sat Feb 11 19:46:48 2006
Subject: [LARTC] how mani class can i have
In-Reply-To: <200602111234.k1BCYhGT017726@mail.topall.ro>
References: <200602111234.k1BCYhGT017726@mail.topall.ro>
Message-ID: <200602111308.44843.jasonb@edseek.com>

On Saturday 11 February 2006 07:34, Popovici Ionut wrote:
> i have 4096 ip's how many classes can i use
> i wanna to mark classes like ip
> 81.180.254.123 -> class 81180254123
> or
> 89.32.32.49 -> class 89323249
> can i use this kind of class?

No, classes are identified by a hexadecimal number. I've never had to use more than 1 to FFF, so I don't know how much higher they go.

You'd need some kind of association database if you're doing it by the last IP octet. 1 -> 1, 255 -> FF, etc.

--
Jason Boxman
http://edseek.com/ - Linux and FOSS stuff

From jasonb at edseek.com Sat Feb 11 19:11:35 2006
From: jasonb at edseek.com (Jason Boxman)
Date: Sat Feb 11 19:49:04 2006
Subject: [LARTC] load balancing and failover
In-Reply-To: <20060211090852.GA9355@casa.e-den.it>
References: <20060209115810.GA6970@tranquility.scriptkitchen.com> <43EB5A9F.401@tuxspace.com> <20060211090852.GA9355@casa.e-den.it>
Message-ID: <200602111311.35889.jasonb@edseek.com>

On Saturday 11 February 2006 04:08, Sandro Dentella wrote:
> I made a script that uses a simple conf file and allows quite a lot of work
> to be done in minutes. You can give it a chance even though I guess you
> need a basic knowledge of what you are doing (eg: what 'ip rule' does):
> http://www.tksq.org/iprt2

$ host www.tksq.org
www.tksq.org does not exist, try again

--
Jason Boxman
http://edseek.com/ - Linux and FOSS stuff

From wonka at linkabu.net Sat Feb 11 20:19:30 2006
From: wonka at linkabu.net (Eduardo Bejar)
Date: Sat Feb 11 20:23:47 2006
Subject: [LARTC] Route all LAN traffic through eth2 and keep web/mail traffic on eth0
Message-ID: <000001c62f40$158a37b0$06000100@veruca>

Hi,

I have the following config:

1 PC with 3 NICs, that shares internet connection to LAN.
eth0 uses a public IP ($public_ip_1)
eth1 uses a private IP ($private_ip)
eth2 uses a public IP ($public_ip_2)

I have a webserver and a mailserver accessible by $public_ip_1 (eth0)
I have a LAN with all terminals using private IPs, and $private_ip (eth1) as gateway.
$public_ip_1 and $public_ip_2 are from the same network segment (two consecutive IPs).
eth0 and eth2 should use the same external IP as gateway (only 1 provider, so this is not a load balancing/multiple providers case).
eth0 and eth2 are connected to the same switch.

How can I route all LAN traffic via eth2 and keep web/mail traffic on eth0? And with this, make the LAN traffic use eth2's IP to connect to the Internet and the PC traffic use eth0?

I tested masquerading through eth2 with

iptables -t nat -A POSTROUTING -s $private_ip_net/255.255.255.0 -o eth2 -j MASQUERADE

But the LAN could not access the Internet, although the PC could.

Someone told me something about ip rules, which I tested but it seems that they did not work as both eth0 and eth2 should use the same gateway.

Please send me any comments/help regarding this issue,

Thanks!

Edo

From rkobiske at gmail.com Sat Feb 11 22:37:20 2006
From: rkobiske at gmail.com (Rob Kobiske)
Date: Sat Feb 11 22:37:27 2006
Subject: [LARTC] how mani class can i have
In-Reply-To: <200602111308.44843.jasonb@edseek.com>
References: <200602111234.k1BCYhGT017726@mail.topall.ro> <200602111308.44843.jasonb@edseek.com>
Message-ID:

Does anyone have any examples on how this could be done? I am looking to limit the bandwidth for a /19 network. Basically I want to give each ip in the /19 network 64k. If anyone has any ideas or examples on doing this please let me know.

Thanks,
Rob Kobiske

On 2/11/06, Jason Boxman wrote:
>
> On Saturday 11 February 2006 07:34, Popovici Ionut wrote:
> > i have 4096 ip's how many classes can i use
> > i wanna to mark classes like ip
> > 81.180.254.123 -> class 81180254123
> > or
> > 89.32.32.49 -> class 89323249
> > can i use this kind of class?
>
> No, classes are identified by a hexadecimal number. I've never had to use
> more than 1 to FFF, so I don't know how much higher they go.
>
> You'd need some kind of association database if you're doing it by the
> last IP
> octet. 1 -> 1, 255 -> FF, etc.
>
> --
>
> Jason Boxman
> http://edseek.com/ - Linux and FOSS stuff
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

From eantoranz at gmail.com Sun Feb 12 00:33:59 2006
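Rob's "64k per IP in a /19" case and Jason's hex class ids, as an added example (not code posted by anyone in this thread): a generator for the tc commands that give each host its own HTB class and find it through two levels of u32 hash tables (third octet, then last octet) the way the LARTC howto's hashing section does, so a packet touches a handful of filters instead of thousands. Assumed, not from the thread: an HTB qdisc 1: with class 1:1 already exists on the device, and u32 table handles 2: and 100: to 1ff: are free.

```python
"""Per-host HTB classes selected through two-level u32 hash tables.

Added example for the LARTC thread, not code from it.  Assumptions: an HTB
qdisc "1:" with class "1:1" exists on the device; u32 table handles 2: and
0x100..0x1ff are unused; the kernel is 2.6 or 2.4 (for single-byte masks both
hash folds shown in Russell Stuart's PATCH 2 yield the octet value itself).
"""
import ipaddress

PARENT = "1:1"        # assumed existing HTB class the per-host classes hang off
TOP_HT = 0x2          # hash table keyed on the third octet (one bucket per /24)
SUB_HT_BASE = 0x100   # per-/24 tables: handle = SUB_HT_BASE + third octet
CLASS_BASE = 0x1000   # per-host class minors start here, so 1:1 is never reused


def class_minor(net, addr):
    """Class minor (int) for addr: CLASS_BASE + host index within net."""
    return CLASS_BASE + (int(addr) - int(net.network_address))


def per_host_commands(dev, network, rate_kbit, direction="dst"):
    """Return the tc commands giving every host of `network` its own class.

    direction="dst" shapes traffic *to* each host (run on the LAN-facing
    interface; the dst address sits at IP header offset 16), "src" shapes
    traffic *from* it (WAN-facing interface; src address at offset 12).
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or not 17 <= net.prefixlen <= 24:
        raise ValueError("use an IPv4 block between /17 and /24")
    offset = 16 if direction == "dst" else 12
    filt = f"tc filter add dev {dev} parent 1:0 prio 5 protocol ip u32"
    cmds = [
        # Create the root hash table 800: and the top-level table keyed on
        # the third octet; every packet of the block is sent into it.
        filt,
        f"tc filter add dev {dev} parent 1:0 prio 5 handle {TOP_HT:x}: "
        f"protocol ip u32 divisor 256",
        f"{filt} ht 800:: match ip {direction} {net} "
        f"hashkey mask 0x0000ff00 at {offset} link {TOP_HT:x}:",
    ]
    for sub in net.subnets(new_prefix=24):
        third = sub.network_address.packed[2]
        sub_ht = SUB_HT_BASE + third
        # One 256-bucket table per /24, keyed on the last octet, linked from
        # the top table's bucket for this third octet.
        cmds.append(f"tc filter add dev {dev} parent 1:0 prio 5 handle {sub_ht:x}: "
                    f"protocol ip u32 divisor 256")
        cmds.append(f"{filt} ht {TOP_HT:x}:{third:x}: match ip {direction} {sub} "
                    f"hashkey mask 0x000000ff at {offset} link {sub_ht:x}:")
        for addr in sub.hosts():   # .1 to .254 of each /24; .0 and .255 skipped
            minor = class_minor(net, addr)
            cmds.append(f"tc class add dev {dev} parent {PARENT} "
                        f"classid 1:{minor:x} htb rate {rate_kbit}kbit")
            # The bucket number is the host's last octet in hex, so the
            # kernel checks exactly one exact-match filter per packet.
            cmds.append(f"{filt} ht {sub_ht:x}:{addr.packed[3]:x}: "
                        f"match ip {direction} {addr} flowid 1:{minor:x}")
    return cmds


if __name__ == "__main__":
    # Constructed sample block: the /19 from Rob's question at 64 kbit per host.
    for line in per_host_commands("eth1", "81.180.32.0/19", 64):
        print(line)
```

Pipe the printed lines to sh as root to apply them; run it on the LAN-facing interface with direction="dst" for download limits and on the WAN-facing one with "src" for upload limits.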
From: eantoranz at gmail.com (Edmundo Carmona)
Date: Sun Feb 12 00:34:00 2006
Subject: [LARTC] Route all LAN traffic through eth2 and keep web/mail traffic on eth0
In-Reply-To: <000001c62f40$158a37b0$06000100@veruca>
References: <000001c62f40$158a37b0$06000100@veruca>
Message-ID: <65aa6af90602111533u7bcc3f64x719dd6164536f1a7@mail.gmail.com>

Well, you can certainly force packets coming from the LAN to use one given interface. You have to use what's called "Policy Routing".

You have to create a new routing table in /etc/iproute2/rt_tables (use any text editor). Then you have to populate that routing table with the routing configuration you want to use for those packets you want to treat specially.... say:

ip route add default via gw_ip dev eth2 table newtable

All you have to do now is force the packets from the LAN to use that routing table instead of the default one... it could be:

ip rule add pref 32000 from lannetwork table newtable

That should force the LAN traffic to go out through eth2.

Maybe I could have made a mistake in my commands, but the ideas are around that. Read about policy routing.

However, I see you are connected twice in the same subnet... that is a major problem, in my experience. Be careful with that...

good luck!

On 2/11/06, Eduardo Bejar wrote:
> Hi,
>
> I have the following config:
>
> 1 PC with 3 NICs, that shares internet connection to LAN.
> eth0 uses a public IP ($public_ip_1)
> eth1 uses a private IP ($private_ip)
> eth2 uses a public IP ($public_ip_2)
>
> I have a webserver and a mailserver accesible by $public_ip_1 (eth0)
> I have a LAN with all terminals using private IPs, and $private_ip (eth1) as
> gateway.
> $public_ip_1 and $public_ip_2 are from the same network segment (two
> consecutive IPs).
> eth0 and eth2 should use the same external IP as gateway (only 1 provider,
> so this is not a load balancing/multiple providers case).
> eth0 and eth2 are connected to the same switch.
> > How can I route all LAN traffic via eth2 and keep web/mail traffic on eth0? > And with this, make the LAN traffic use eth2's IP to connect to the Internet > and the PC traffic use eth0? > > I tested masquerading through eth2 with > iptables -t nat -A POSTROUTING -s $private_ip_net/255.255.255.0 -o eth2 -j > MASQUERADE > > But LAN could not access the Internet, although the PC could. > > Someone told me something about ip rules, which I tested but it seems that > they did not worked as both eth0 and eth2 should use the same gateway. > > Please send me any comments/help regarding this issue, > > Thanks! > > Edo > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > From Andreas.Klauer at metamorpher.de Sun Feb 12 02:32:23 2006 
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Sun Feb 12 02:32:36 2006
Subject: [LARTC] filter performance/optimization questions
In-Reply-To: <43EA3158.7010401@astral.ro>
References: <43EA2A95.1000307@astral.ro> <20060208173753.GA13059@EIS> <43EA3158.7010401@astral.ro>
Message-ID: <20060212013223.GA23474@EIS>

On Wed, Feb 08, 2006 at 07:58:48PM +0200, Imre Gergely wrote:
> yepp, hashing is done, for every type C class (/24), there are around 300 of
> these, and all are redirected to a more specific table, according to the
> documentation.

That's weird, then - with proper hashing, the total number of filter rules should not affect CPU load too much, since only very few of the filters actually have to be traversed. Maybe it's caused by something else, or the hashing does not work as expected.

> now i have a question about this, too. to me it's not clear how these filters
> are looked up.

Good question. Actually I can't answer it properly. For my filters, the order either did not really matter or I had few enough of them to use the priority parameter to order them properly.

Regards
Andreas Klauer

From vnulllists at pcnet.com.pl Sun Feb 12 12:30:42 2006
From: vnulllists at pcnet.com.pl (Jakub Wartak)
Date: Sun Feb 12 12:28:51 2006
Subject: [LARTC] filter performance/optimization questions
In-Reply-To: <43EA2A95.1000307@astral.ro>
References: <43EA2A95.1000307@astral.ro>
Message-ID: <200602121230.42902.vnulllists@pcnet.com.pl>

On Wednesday, 8 February 2006 18:29, Imre Gergely wrote:
> hi
>
> i'm using htb + u32 filters, and i was wondering if there is something one
> can optimize at this stage. i have a lot of filters (~ 50.000 / interface,
> and there are two interfaces), and around 4500 classes / interface. the
> traffic going through this machine is something around 210-230mbit/s at
> 50kpps. as you can imagine, the load is pretty high. in fact (as it's a
> dual xeon at 2.4ghz), one CPU is always at 100% when the traffic increases.
>
> i did some tests with esfq (that brought down the classes to around 150),
> but the filters remained, and the load was still 100%. and i get some
> packet loss because of that. not much, around 1-2%, but it's enough :)
>
> is there something i could do to bring the load down? short of replacing
> the whole system? i didn't find anything performance-related on the net, or
> in any documentation.
>
> thanks.

Show your dmesg, cat /proc/interrupts (or use itop to determine which card/interface is hogging), lsmod and .config from kernel compilation. Also show us ip -s link.

What ethcards do you have, is NAPI enabled on them? You could also disable connection tracking if that's not done already. And finally, are you using any libpcap based application?

--
Jakub Wartak -vnull
FreeBSD/OpenBSD/Linux/Solaris/Network Administrator
http://vnull.pcnet.com.pl/

From ttw_chien at yahoo.com.tw Sun Feb 12 17:30:53 2006
From: ttw_chien at yahoo.com.tw (Fionna)
Date: Sun Feb 12 17:31:11 2006
Subject: [LARTC] how to know the max. transmission rate?
Message-ID: <20060212163053.46059.qmail@web53406.mail.yahoo.com>

Hi, all

When we allocate bandwidth to a host/device in the LAN, how can we know the max. bandwidth the device (e.g. 1394, ethernet, powerline..) can receive (in the idle condition, no other application occupying the bandwidth)? Can RSVP signaling do that? or others?

Thanks
Fionna

From sandro at e-den.it Sun Feb 12 18:27:55 2006
From: sandro at e-den.it (Sandro Dentella)
Date: Sun Feb 12 18:28:04 2006
Subject: [LARTC] load balancing and failover
In-Reply-To: <200602111311.35889.jasonb@edseek.com>
References: <20060209115810.GA6970@tranquility.scriptkitchen.com> <43EB5A9F.401@tuxspace.com> <20060211090852.GA9355@casa.e-den.it> <200602111311.35889.jasonb@edseek.com>
Message-ID: <20060212172755.GA19855@casa.e-den.it>

On Sat, Feb 11, 2006 at 01:11:35PM -0500, Jason Boxman wrote:
> On Saturday 11 February 2006 04:08, Sandro Dentella wrote:
>
> > I made a script that uses a simple conf file and allows quite a lot of work
> > to be done in minutes. You can give it a chance even though I guess you
> > need a basic knowledge of what you are doing (eg: what 'ip rule' does):
> > http://www.tksq.org/iprt2
>
> $ host www.tksq.org
> www.tksq.org does not exist, try again

Sorry, tksql:

http://www.tksql.org/iprt2

*:-)

From nata at cnett.com.br Sun Feb 12 20:37:46 2006
From: nata at cnett.com.br (Nataniel Klug)
Date: Sun Feb 12 20:38:00 2006
Subject: [LARTC] Route all LAN traffic through eth2 and keep web/mailtraffic on eth0
References: <000001c62f40$158a37b0$06000100@veruca>
Message-ID: <004601c6300b$cd3e1810$41a1a8c0@NATANIEL>

Eduardo,

The idea is very simple. You must create two routing tables, one for each outside world interface (read the LARTC howto on how to make it). Then all traffic coming from eth1 that wants to go to the internet must go to interface eth2, so let's mark it:

iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 1

Now we must send these marked packets to the routing table that has its default gateway on interface eth2:

ip rule add prio 200 fwmark 1 table route-eth2

This is only an example. Read the LARTC howto; then, if you still have any doubt, come back here.

Att,
Nataniel Klug
Gerente Cyber Nett

----- Original Message -----
From: "Eduardo Bejar" To: Sent: Saturday, February 11, 2006 4:19 PM Subject: [LARTC] Route all LAN traffic through eth2 and keep web/mailtraffic on eth0 > Hi, > > I have the following config: > > 1 PC with 3 NICs, that shares internet connection to LAN. > eth0 uses a public IP ($public_ip_1) > eth1 uses a private IP ($private_ip) > eth2 uses a public IP ($public_ip_2) > > I have a webserver and a mailserver accesible by $public_ip_1 (eth0) > I have a LAN with all terminals using private IPs, and $private_ip (eth1) as > gateway. > $public_ip_1 and $public_ip_2 are from the same network segment (two > consecutive IPs). > eth0 and eth2 should use the same external IP as gateway (only 1 provider, > so this is not a load balancing/multiple providers case). > eth0 and eth2 are connected to the same switch. > > How can I route all LAN traffic via eth2 and keep web/mail traffic on eth0? > And with this, make the LAN traffic use eth2's IP to connect to the Internet > and the PC traffic use eth0? > > I tested masquerading through eth2 with > iptables -t nat -A POSTROUTING -s $private_ip_net/255.255.255.0 -o eth2 -j > MASQUERADE > > But LAN could not access the Internet, although the PC could. > > Someone told me something about ip rules, which I tested but it seems that > they did not worked as both eth0 and eth2 should use the same gateway. > > Please send me any comments/help regarding this issue, > > Thanks! > > Edo > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc From sandeep_agarwal at hotmail.com Mon Feb 13 14:08:55 2006 
From: sandeep_agarwal at hotmail.com (Sandeep Agarwal)
Date: Mon Feb 13 14:09:42 2006
Subject: Few more queries [was:] Re: [LARTC] Please help in choosing the right patches
References: <20060208110006.6049E4581@outpost.ds9a.nl>
Message-ID:

Manish Kathuria wrote:
> Sandeep Agarwal wrote:
>> Manish Kathuria wrote:
>>> Sandeep Agarwal wrote:
>>>> I have gone through http://www.ssi.bg/~ja/nano.txt AND further
>>>> http://www.ssi.bg/~ja/ & got confused in choosing the right patch.
>>>> Please suggest, if I choose the Jumbo Patch patch-2.4.20-ja1.diff, are
>>>> any other patches also required after this? If yes, is there
>>>> any sequence in applying these patches?
>>>
>>> For your purpose, you need to choose one of the patches at
>>> http://www.ssi.bg/~ja/#routes depending on your kernel. You don't need
>>> the Jumbo patch for load balancing and failover. The "routes" patch
>>> should suffice.
>>>
>>> --
>>> Manish Kathuria
>>> http://www.tuxspace.com/
>>
>> Thanks Manish.
>> I have downloaded routes-2.4.20-9.diff as I have RHEL3.0 (Kernel
>> 2.4.21-9EL) & applied the same.
>> But the output is as follows. Is this normal or any problem?
>>
>> # patch -p1 < routes-2.4.20-9.diff
>> Hunk #1 FAILED at 162.
>> Hunk #2 succeeded at 180 with fuzz 1 (offset 5 lines).
>> 1 out of 3 hunks FAILED -- saving rejects to file linux/include/net/ip_fib.h.rej
>> patching file linux/include/net/route.h
>> Hunk #1 FAILED at 49.
>> Hunk #2 succeeded at 120 with fuzz 2 (offset -8 lines).
>> Hunk #3 FAILED at 140.
>> 2 out of 3 hunks FAILED -- saving rejects to file linux/include/net/route.h.rej
>> patching file linux/net/ipv4/arp.c
>> patching file linux/net/ipv4/fib_frontend.c
>> Hunk #3 succeeded at 212 with fuzz 2.
>> Hunk #4 FAILED at 222.
>> Hunk #5 FAILED at 244.
>
> The Red Hat kernels are not just plain vanilla kernels.
> They already have a number of patches applied by Red Hat and it is likely that the
> patch being applied by you is conflicting with one of those. You can
> either try some other kernel version or download a plain vanilla kernel
> from http://www.kernel.org/ and apply the routes patch on it.
>
> --
> Manish
> http://www.tuxspace.com/

Dear Mr. Manish,

Now the multipath is working. Thank you for the support. I am also facing the nexthop down problem & working on the suggestions which are already on the mailing list.

List members' suggestions are required on the following further queries:

1. Most of my LAN users use Remote Desktop Connection to one of our servers hosted outside India. Whenever the ISP1 link goes down (I have brought it down manually), their connection gets lost. After approx 10 min, they are able to connect again. Any pointer where I am wrong?

2. Out of 3 tasks (Load Balance, ISP Failover, Club Both ISP Bandwidth), two tasks are complete. How can Club Bandwidth be implemented on this box?

3. One public IP device (VOIP) is installed inside the LAN. I want to allow all traffic IN & OUT to this device. How to do this in this configuration? Currently there is no DMZ configuration in the firewall.

Thank you,
Sandeep Agarwal

From ian.t7 at hotmail.co.uk Mon Feb 13 21:32:09 2006
From: ian.t7 at hotmail.co.uk (Ian stuart Turnbull)
Date: Mon Feb 13 21:32:20 2006
Subject: [LARTC] can all internet traffic be directed thru 1 computer on a Router?
Message-ID:

Hello all,

Is it possible [indeed is this the right place] to add iptables to force all internet traffic to go thru a particular computer on a LAN?

I have a 4 port Router/modem that contains a Busybox v0.61 Linux system. I am able to add entries to the iptables tho' I don't really know what it does yet. I want to be able to use Ethereal on this one computer to check what web pages my children are visiting - being fairly strict I don't want them visiting some of the more perverse sites.

A friend told me this is possible.

Can anyone help please.

From nata at cnett.com.br Tue Feb 14 11:25:36 2006
From: nata at cnett.com.br (Nataniel Klug)
Date: Tue Feb 14 11:26:04 2006
Subject: [LARTC] can all internet traffic be directed thru 1 computer on aRouter?
References:
Message-ID: <002e01c63150$fec11810$0e001eac@NATANIEL>

Ian,

Let me try to understand. You have a local network where you have many computers that have access to the internet. They all go through one modem/router. So now you want to put a gateway server between your LAN and the outside world so you can manage the traffic? Of course it can be done. If there is anything else, you can give it to us to make an analysis.

Att,
Nataniel Klug
Gerente Cyber Nett
Brazil

----- Original Message -----
From: "Ian stuart Turnbull"
To:
Sent: Monday, February 13, 2006 5:32 PM
Subject: [LARTC] can all internet traffic be directed thru 1 computer on aRouter?

> Hello all,
> Is it possible [indeed is this the right place] to add iptables to force
> all internet traffic to go thru a particular computer on a LAN?
> I have a 4 port Router/modem that contains a Busybox v0.61 Linux system. I
> am able to add entries to the iptables tho' I don't really know what it does
> yet. I want to be able to use Ethereal on this one computer to check what
> web pages my children are visiting - being fairly strict I don't want them
> visiting some of the more perverse sites.
> A friend told me this is possible.
> Can anyone help please.

From imre.gergely at astral.ro Tue Feb 14 12:08:47 2006
From: imre.gergely at astral.ro (Imre Gergely)
Date: Tue Feb 14 12:09:04 2006
Subject: [LARTC] filter performance/optimization questions
In-Reply-To: <200602121230.42902.vnulllists@pcnet.com.pl>
References: <43EA2A95.1000307@astral.ro> <200602121230.42902.vnulllists@pcnet.com.pl>
Message-ID: <43F1BA3F.4010407@astral.ro>

Jakub Wartak wrote:
> On Wednesday, 8 February 2006 18:29, Imre Gergely wrote:
>> hi
>>
>> i'm using htb + u32 filters, and i was wondering if there is something one
>> can optimize at this stage. i have a lot of filters (~ 50.000 / interface,
>> and there are two interfaces), and around 4500 classes / interface. the
>> traffic going through this machine is something around 210-230mbit/s at
>> 50kpps. as you can imagine, the load is pretty high. in fact (as it's a
>> dual xeon at 2.4ghz), one CPU is always at 100% when the traffic increases.
>>
>> i did some tests with esfq (that brought down the classes to around 150),
>> but the filters remained, and the load was still 100%. and i get some
>> packet loss because of that. not much, around 1-2%, but it's enough :)
>>
>> is there something i could do to bring the load down? short of replacing
>> the whole system? i didn't find anything performance-related on the net, or
>> in any documentation.
>>
>> thanks.
>
> Show your dmesg, cat /proc/interrupts ( or use itop to determine which
> card/interface is hogging ), lsmod and .config from kernel compilation
> Also show us ip -s link

[root@btv root]# cat /proc/interrupts
           CPU0       CPU1
  0:   55921457  383025821    IO-APIC-edge  timer
  1:        342        259    IO-APIC-edge  i8042
  2:          0          0          XT-PIC  cascade
  8:          0          0    IO-APIC-edge  rtc
 14:          1         13    IO-APIC-edge  ide0
 24: 2326117989    1473249   IO-APIC-level  ioc0, eth1
 25:     305396 1034030719   IO-APIC-level  ioc1, eth2
 28:      62532    2546645   IO-APIC-level  eth0
NMI:     111277     253384
LOC:  438830354  438830358
ERR:          0
MIS:          0

(eth1 is the download interface. eth2 is the upload, on which currently there is no htb)

dmesg attached.
[root@btv root]# lsmod
Module                  Size  Used by
bcm5700               132208  0
e100                   34304  0
mii                     5440  1 e100

.config, ip -s link output attached.

> What ethcards do you have, is NAPI enabled on them ?

02:09.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5704 Gigabit Ethernet (rev 03)
02:09.1 Ethernet controller: Broadcom Corporation NetXtreme BCM5704 Gigabit Ethernet (rev 03)

> You could also disable connection tracking if that's not done already.

iptables is used only on INPUT, for firewall.

> And finally, are you using any libpcap based application ?

only occasionally, for a couple of seconds.

note: the initial system as of starting the thread was replaced with this one.
CONFIG_NLS_ISO8859_3 is not set # CONFIG_NLS_ISO8859_4 is not set # CONFIG_NLS_ISO8859_5 is not set # CONFIG_NLS_ISO8859_6 is not set # CONFIG_NLS_ISO8859_7 is not set # CONFIG_NLS_ISO8859_9 is not set # CONFIG_NLS_ISO8859_13 is not set # CONFIG_NLS_ISO8859_14 is not set # CONFIG_NLS_ISO8859_15 is not set # CONFIG_NLS_KOI8_R is not set # CONFIG_NLS_KOI8_U is not set # CONFIG_NLS_UTF8 is not set # # Profiling support # # CONFIG_PROFILING is not set # # Kernel hacking # CONFIG_DEBUG_KERNEL=y CONFIG_MAGIC_SYSRQ=y # CONFIG_DEBUG_SLAB is not set # CONFIG_DEBUG_SPINLOCK is not set # CONFIG_DEBUG_SPINLOCK_SLEEP is not set # CONFIG_DEBUG_INFO is not set # CONFIG_INIT_DEBUG is not set # CONFIG_SCHEDSTATS is not set # # Security options # # CONFIG_SECURITY is not set # # Cryptographic options # # CONFIG_CRYPTO is not set # # Library routines # # CONFIG_CRC_CCITT is not set CONFIG_CRC32=y # CONFIG_LIBCRC32C is not set CONFIG_ZLIB_INFLATE=y -------------- next part -------------- [root@btv boot]# ip -s link 1: lo: mtu 16436 qdisc noqueue link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 RX: bytes packets errors dropped overrun mcast compressed 0 2710124364407 0 0 0 0 23101357774864384 TX: bytes packets errors dropped carrier collsns compressed 0 400372556459043 0 0 122509647151104 0 996432412672 2: br0: mtu 1500 qdisc noqueue link/ether 00:e0:81:52:b3:f0 brd ff:ff:ff:ff:ff:ff RX: bytes packets errors dropped overrun mcast compressed 0 2749723 0 0 0 0 23102732164399104 TX: bytes packets errors dropped carrier collsns compressed 0 753923533 0 0 13636564114534579 0 996432412672 3: eth0: mtu 1500 qdisc htb qlen 1000 link/ether 00:0e:0c:2d:9c:aa brd ff:ff:ff:ff:ff:ff RX: bytes packets errors dropped overrun mcast compressed 721554505728 3055010239163880 0 0 0 721554505728 23104106553933824 TX: bytes packets errors dropped carrier collsns compressed 0 1323164117391935913 0 0 3488165888539011740 0 996432412672 4: eth1: mtu 1500 qdisc htb qlen 1000 link/ether 00:e0:81:52:b3:f0 brd 
ff:ff:ff:ff:ff:ff RX: bytes packets errors dropped overrun mcast 8589934593 16709553036063738355 481730 1 0 0 TX: bytes packets errors dropped carrier collsns compressed 0 4063249767694066231 0 0 3560223482576957619 0 1030792151040 5: eth2: mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:e0:81:52:b3:f1 brd ff:ff:ff:ff:ff:ff RX: bytes packets errors dropped overrun mcast 47244640256 10217949440105031124 155448 0 279172874240 0 TX: bytes packets errors dropped carrier collsns 0 6689862300978895217 0 0 0 0

From: pstaszewski at artcom.pl (Paweł Staszewski)
Date: Tue Feb 14 19:40:41 2006
Subject: [LARTC] Re: filter performance/optimization questions (Imre Gergely)
In-Reply-To: <20060214110956.45E8644C1@outpost.ds9a.nl>
References: <20060214110956.45E8644C1@outpost.ds9a.nl>
Message-ID: <43F22418.5090604@artcom.pl>

Can you also post:

mpstat -P ALL 1 20
iostat -x 1 10

and opreport --symbols ??
From: stanislav.nedelchev at gmail.com (Stanislav Nedelchev)
Date: Tue Feb 14 21:36:00 2006
Subject: [LARTC] Guarantee ICMP respond time ?
Message-ID: <43F23F1C.9060505@gmail.com>

Hello to all people there.

Can I guarantee ICMP response time no matter how loaded the internet line is? I have a typical NATed environment like:

External IP |linux router| LAN - 192.168.0.0/24

I have an example setup with IMQ, but is it possible to do it also if I attach HTB to eth0 and eth1, for example?

If I start the shaper, ping is better than without the shaper, but it's not guaranteed; I mean the response time is not constant. Maybe I'm missing something. Is it possible with HTB or with something else like CBQ? Here is my example setup:

#!/bin/sh
# The same HTB tree is built on imq0 and imq1 (one per direction); the
# classes only see traffic that an "-j IMQ --todev N" rule hands to them.

setup_shaper() {
    DEV=$1
    echo "Loading Traffic Shaper $DEV"
    tc qdisc del dev $DEV root 2>/dev/null
    tc qdisc add dev $DEV root handle 2: htb default 333 r2q 1

    # Link class: no ceil given, so ceil = rate and nothing borrows past 192kbit
    tc class add dev $DEV parent 2: classid 2:2 htb rate 192kbit

    # ICMP (mark 5): prio 0 is dequeued before every other class; ceil
    # defaults to rate, so an ICMP flood still cannot take more than 32kbit
    tc class add dev $DEV parent 2:2 classid 2:30 htb rate 32kbit prio 0
    tc filter add dev $DEV parent 2:0 protocol ip handle 5 fw classid 2:30
    tc qdisc add dev $DEV parent 2:30 handle 30: sfq perturb 1

    # RDP (mark 1)
    tc class add dev $DEV parent 2:2 classid 2:24 htb rate 96kbit ceil 160kbit prio 1
    tc filter add dev $DEV parent 2:0 protocol ip handle 1 fw classid 2:24
    tc qdisc add dev $DEV parent 2:24 handle 24: sfq perturb 10

    # SMTP (mark 2)
    tc class add dev $DEV parent 2:2 classid 2:26 htb rate 32kbit ceil 128kbit prio 3
    tc filter add dev $DEV parent 2:0 protocol ip handle 2 fw classid 2:26
    #tc qdisc add dev $DEV parent 2:26 handle 26: sfq perturb 10

    # HTTP (mark 3)
    tc class add dev $DEV parent 2:2 classid 2:28 htb rate 16kbit ceil 64kbit prio 5
    tc filter add dev $DEV parent 2:0 protocol ip handle 3 fw classid 2:28
    #tc qdisc add dev $DEV parent 2:28 handle 28: sfq perturb 10

    # Unmarked traffic lands here (htb default 333)
    tc class add dev $DEV parent 2:2 classid 2:333 htb rate 16kbit ceil 128kbit prio 7
    tc qdisc add dev $DEV parent 2:333 handle 333: sfq perturb 10
    echo "Done"
}

setup_shaper imq0
setup_shaper imq1

# Marking. The ICMP rules are inserted (-I) at the head of each chain so
# they run before the appended (-A) ones. "-i" is only valid before routing;
# in POSTROUTING the output interface must be matched with "-o" instead
# (eth0 assumed to be the interface meant in both directions).

#Priority 0
iptables -t mangle -I PREROUTING -p icmp -j MARK --set-mark 5
#Priority 1
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 3389 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i eth0 -p tcp --sport 3389 -j MARK --set-mark 1
#Priority 2
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 25 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -i eth0 -p tcp --sport 25 -j MARK --set-mark 2
#Priority 3
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -i eth0 -p tcp --sport 80 -j MARK --set-mark 3

#Priority 0
iptables -t mangle -I POSTROUTING -p icmp -j MARK --set-mark 5
#Priority 1
iptables -t mangle -A POSTROUTING -o eth0 -p tcp --dport 3389 -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -o eth0 -p tcp --sport 3389 -j MARK --set-mark 1
#Priority 2
iptables -t mangle -A POSTROUTING -o eth0 -p tcp --dport 25 -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -o eth0 -p tcp --sport 25 -j MARK --set-mark 2
#Priority 3
iptables -t mangle -A POSTROUTING -o eth0 -p tcp --dport 80 -j MARK --set-mark 3
iptables -t mangle -A POSTROUTING -o eth0 -p tcp --sport 80 -j MARK --set-mark 3

# Not shown in the posted script, but required before imq0/imq1 receive
# anything: hand the packets over after marking. Which physical interface
# feeds which imq device depends on the setup (assumption here: eth0 is the
# internet side), so adjust before uncommenting.
#iptables -t mangle -A PREROUTING -i eth0 -j IMQ --todev 0
#iptables -t mangle -A POSTROUTING -o eth0 -j IMQ --todev 1
From: stanislav.nedelchev at gmail.com (Stanislav Nedelchev)
Date: Tue Feb 14 22:26:20 2006
Subject: [LARTC] Guarantee ICMP respond time ?
In-Reply-To:
References: <43F23F1C.9060505@gmail.com>
Message-ID: <43F24AEF.40205@gmail.com>

Hi Robin,

I didn't want to fake the ICMP echo_reply. I forgot to mention that in this test I'm pinging my gateway, to be sure that the ping response is not bigger for some other reasons. I find that the ping response sometimes gets bigger by about 10ms, but sometimes it doubles or even more, though most of the time it's like constant. Here is some data if you find it interesting.

with shaper enabled

64 octets from 213.91.166.1: icmp_seq=22 ttl=254 time=30.9 ms
64 octets from 213.91.166.1: icmp_seq=23 ttl=254 time=40.9 ms
64 octets from 213.91.166.1: icmp_seq=24 ttl=254 time=14.3 ms
64 octets from 213.91.166.1: icmp_seq=25 ttl=254 time=14.4 ms
64 octets from 213.91.166.1: icmp_seq=26 ttl=254 time=34.2 ms
64 octets from 213.91.166.1: icmp_seq=27 ttl=254 time=14.2 ms
64 octets from 213.91.166.1: icmp_seq=28 ttl=254 time=14.2 ms
64 octets from 213.91.166.1: icmp_seq=29 ttl=254 time=14.2 ms
64 octets from 213.91.166.1: icmp_seq=30 ttl=254 time=31.1 ms
64 octets from 213.91.166.1: icmp_seq=31 ttl=254 time=14.3 ms
64 octets from 213.91.166.1: icmp_seq=32 ttl=254 time=14.2 ms
64 octets from 213.91.166.1: icmp_seq=33 ttl=254 time=130.9 ms

without shaper enabled

64 octets from 213.91.166.1: icmp_seq=10 ttl=254 time=517.2 ms
64 octets from 213.91.166.1: icmp_seq=11 ttl=254 time=545.4 ms
64 octets from 213.91.166.1: icmp_seq=12 ttl=254 time=573.8 ms
64 octets from 213.91.166.1: icmp_seq=13 ttl=254 time=628.6 ms
64 octets from 213.91.166.1: icmp_seq=14 ttl=254 time=635.3 ms
64 octets from 213.91.166.1: icmp_seq=15 ttl=254 time=666.0 ms
64 octets from 213.91.166.1: icmp_seq=16 ttl=254 time=694.3 ms
64 octets from 213.91.166.1: icmp_seq=17 ttl=254 time=718.1 ms
64 octets from 213.91.166.1: icmp_seq=18 ttl=254 time=746.2 ms
64 octets from 213.91.166.1: icmp_seq=19 ttl=254 time=749.8 ms
64 octets from 213.91.166.1: icmp_seq=20 ttl=254 time=778.1 ms

Hammond, Robin-David%KB3IEN wrote:
> well if you want the line to look less congested to a casual observer
> you can fake the ICMP echo_reply. (best know which hosts are in fact
> on-line first). Faking the reply does not preclude actually sending the
> echo request, but allowing a duplicate (real) reply might look weird...
>
>
> On Tue, 14 Feb 2006, Stanislav Nedelchev wrote:
>
>> Date: Tue, 14 Feb 2006 22:35:40 +0200
>> From: Stanislav Nedelchev
>> To: lartc@mailman.ds9a.nl
>> Subject: [LARTC] Guarantee ICMP respond time ?
>>
>> Hello to all people there.
>> Can I guarantee ICMP response time no matter how loaded the internet
>> line is?
>> I have a typical NATed environment like
>>
>> External IP |linux router| LAN - 192.168.0.0/24
>>
>> I have an example setup with IMQ, but is it possible to do it also if I
>> attach HTB to eth0 and eth1, for example?
>>
>> If I start the shaper, ping is better than without the shaper, but it's not
>> guaranteed; I mean the response time is not constant.
>>
>> Maybe I'm missing something.
>> Is it possible with HTB or with something else like CBQ?
>> Here is my example setup
>>
>> echo "Loading Traffic Shaper IMQ0 Upload"
>> tc qdisc del dev imq0 root
>> tc qdisc add dev imq0 root handle 2: htb default 333 r2q 1
>>
>> tc class add dev imq0 parent 2: classid 2:2 htb rate 192kbit
>>
>> #ICMP
>> tc class add dev imq0 parent 2:2 classid 2:30 htb rate 32kbit prio 0
>> tc filter add dev imq0 parent 2:0 protocol ip handle 5 fw classid 2:30
>> tc qdisc add dev imq0 parent 2:30 handle 30: sfq perturb 1
>>
>> tc class add dev imq0 parent 2:2 classid 2:24 htb rate 96kbit ceil 160kbit prio 1
>> tc filter add dev imq0 parent 2:0 protocol ip handle 1 fw classid 2:24
>> tc qdisc add dev imq0 parent 2:24 handle 24: sfq perturb 10
>>
>> tc class add dev imq0 parent 2:2 classid 2:26 htb rate 32kbit ceil 128kbit prio 3
>> tc filter add dev imq0 parent 2:0 protocol ip handle 2 fw classid 2:26
>> #tc qdisc add dev imq0 parent 2:26 handle 26: sfq perturb 10
>>
>> tc class add dev imq0 parent 2:2 classid 2:28 htb rate 16kbit ceil 64kbit prio 5
>> tc filter add dev imq0 parent 2:0 protocol ip handle 3 fw classid 2:28
>> #tc qdisc add dev imq0 parent 2:28 handle 28: sfq perturb 10
>>
>> tc class add dev imq0 parent 2:2 classid 2:333 htb rate 16kbit ceil 128kbit prio 7
>> tc qdisc add dev imq0 parent 2:333 handle 333: sfq perturb 10
>>
>> echo "Done"
>>
>> #-----------------------------------------------------------------------------
>> #-----------------------------------------------------------------------------
>>
>> echo "Loading Traffic Shaper imq1 Upload"
>> tc qdisc del dev imq1 root
>> tc qdisc add dev imq1 root handle 2: htb default 333 r2q 1
>>
>> tc class add dev imq1 parent 2: classid 2:2 htb rate 192kbit
>>
>> #ICMP
>> tc class add dev imq1 parent 2:2 classid 2:30 htb rate 32kbit prio 0
>> tc filter add dev imq1 parent 2:0 protocol ip handle 5 fw classid 2:30
>> tc qdisc add dev imq1 parent 2:30 handle 30: sfq perturb 1
>>
>> tc class add dev imq1 parent 2:2 classid 2:24 htb rate 96kbit ceil 160kbit prio 1
>> tc filter add dev imq1 parent 2:0 protocol ip handle 1 fw classid 2:24
>> tc qdisc add dev imq1 parent 2:24 handle 24: sfq perturb 10
>>
>> tc class add dev imq1 parent 2:2 classid 2:26 htb rate 32kbit ceil 128kbit prio 3
>> tc filter add dev imq1 parent 2:0 protocol ip handle 2 fw classid 2:26
>> #tc qdisc add dev imq1 parent 2:26 handle 26: sfq perturb 10
>>
>> tc class add dev imq1 parent 2:2 classid 2:28 htb rate 16kbit ceil 64kbit prio 5
>> tc filter add dev imq1 parent 2:0 protocol ip handle 3 fw classid 2:28
>> #tc qdisc add dev imq1 parent 2:28 handle 28: sfq perturb 10
>>
>> tc class add dev imq1 parent 2:2 classid 2:333 htb rate 16kbit ceil 128kbit prio 7
>> tc qdisc add dev imq1 parent 2:333 handle 333: sfq perturb 10
>>
>> echo "Done"
>>
>> #Priority 0
>> iptables -t mangle -I PREROUTING -p icmp -j MARK --set-mark 5
>>
>> #Priority 1
>> iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 3389 -j MARK --set-mark 1
>> iptables -t mangle -A PREROUTING -i eth0 -p tcp --sport 3389 -j MARK --set-mark 1
>>
>> #Priority 2
>> iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 25 -j MARK --set-mark 2
>> iptables -t mangle -A PREROUTING -i eth0 -p tcp --sport 25 -j MARK --set-mark 2
>>
>> #Priority 3
>> iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j MARK --set-mark 3
>> iptables -t mangle -A PREROUTING -i eth0 -p tcp --sport 80 -j MARK --set-mark 3
>>
>> #Priority 0
>> iptables -t mangle -I POSTROUTING -p icmp -j MARK --set-mark 5
>>
>> #Priority 1
>> iptables -t mangle -A POSTROUTING -i eth0 -p tcp --dport 3389 -j MARK --set-mark 1
>> iptables -t mangle -A POSTROUTING -i eth0 -p tcp --sport 3389 -j MARK --set-mark 1
>>
>> #Priority 2
>> iptables -t mangle -A POSTROUTING -i eth0 -p tcp --dport 25 -j MARK --set-mark 2
>> iptables -t mangle -A POSTROUTING -i eth0 -p tcp --sport 25 -j MARK --set-mark 2
>>
>> #Priority 3
>> iptables -t mangle -A POSTROUTING -i eth0 -p tcp --dport 80 -j MARK --set-mark 3
>> iptables -t mangle -A POSTROUTING -i eth0 -p tcp --sport 80 -j MARK --set-mark 3
>>
>> _______________________________________________
>> LARTC mailing list
>> LARTC@mailman.ds9a.nl
>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>>
>
> Microsoft: Where do you want to go tomorrow?
> Linux: Where do you want to go today?
> BSD: Are you guys coming, or what?
>
>
> Robin-David Hammond KB3IEN
> www.aresnyc.org.
>

From: oivindg at gmail.com (Oivind)
Date: Wed Feb 15 13:43:12 2006
Subject: [LARTC] leaky bucket on bursty multicast
Message-ID:

Hi all,

I have an average 2mbit multicast stream that once in a while bursts high (up to 20mbit/s) in short periods (about 200ms). Could anyone please help me with directions for using tc to configure leaky bucket shaping for this stream? I have a 5mbit/s ceiling.

My system is running gentoo linux 2.6.14, and I have compiled in all QoS modules.

Thanks.

Oivind
From: comp.techs at aspenview.org (comp.techs)
Date: Wed Feb 15 17:11:47 2006
Subject: [LARTC] nat for nonconnected network
Message-ID: <648A21EA469E3848922D9860785CD5EF456710@aspen-mail01.aspenview.org>

Hi,

How do you NAT an address pool that is routed to a router, but the router does not have/contain that network? For example:

[isp 1.2.3.4] ----------[customer router 1.2.3.5]----->[dmz network]

[the route for 200.0.0.0/x gets sent to the customer router; this address pool is assigned to the customer, and the ISP is routing all of 200.0.0.0/x to the customer router]

I would like to map addresses 200.0.0.x/32 to DMZ servers (web, mail... etc), but I only have an 'isp interface' and a 'dmz interface'. What would be preferable, using iptables or ip route, and is it possible to do this while not physically having this network bound to the customer system, or must I add the network to an interface such as lo?

thx
jason
From: kenneth.kalmer at gmail.com (Kenneth Kalmer)
Date: Wed Feb 15 23:38:58 2006
Subject: [LARTC] Closed ports and traffic shaping
Message-ID:

First off, please excuse the cross post between lartc and netfilter; the line between the two is very blurred here (at least for me)...

A thought just crossed my mind while working on a new iptables/tc collaboration for a project. I use iptables to basically seal off a linux gateway; we're very restrictive on what users can do on the connection. For now I'm using destination port filtering, and will bring in source port filtering for replies and layer-7 for some help later. Traffic shaping is done with tc using WRR. All traffic coming from the server's OUTPUT chain is classified differently from internet traffic, which passes through WRR (localhost is pfifo_fast).

Now here is the question...

If someone on the network attempts to use an aggressive file sharing program, one that keeps on connecting to random peers on random ports, and the server replies that the requested ports are unavailable ("REJECT --reject-with tcp-reset" for TCP, and "REJECT --reject-with icmp-port-unreachable" for UDP) where applicable; do these packets get classified as internet traffic, or do they pass through the OUTPUT chain and get classified as local traffic? I know tcpdump hooks in before netfilter gets to work, but it looked like the errors came from the internet hosts and not localhost.

What I'm getting at is: if these error packets don't get classified differently from normal internet traffic, they can potentially saturate your class doing shaping for internet traffic, right or wrong? I know you need a pretty aggressive piece of P2P to get this done...

Any advice & insight would be appreciated

--
Kenneth Kalmer
kenneth.kalmer@gmail.com

Folding@home stats
http://fah-web.stanford.edu/cgi-bin/main.py?qtype=userpage&username=kenneth%2Ekalmer
From: nampreet at hotmail.com (Nampreet Sarao)
Date: Thu Feb 16 06:07:50 2006
Subject: [LARTC] help!!
Message-ID:

Nampreet Sarao wrote:
>
> Hey, I implemented HTB with filters and queue discipline, making the code
> of HTB too.
> I was wondering what all I can add to my project in traffic shaping...
> I am planning to make a GUI-controlled utility.
> Could you please guide me, or rather tell me some ideas and how to go about doing it?
>
> Nampreet Pal Singh

From: jeremy at ossnetworks.org (jeremy@ossnetworks.org)
Date: Thu Feb 16 19:49:12 2006
Subject: [LARTC] tc filter problem
Message-ID: <1140115731.43f4c913386c7@webmail.paonia.com>

Hi,

I'm using a linux 2.4.29 kernel and having trouble getting my filters added. The script I'm editing I actually use on a different system currently. Is this a tc/iproute/kernel type incompatibility? Any ideas how to debug it?

Thanks, Jeremy

# create a qdisc on T1 interface
tc qdisc add dev w1g1 root handle 1: htb default 77
OK

# create a master class
tc class add dev w1g1 parent 1: classid 1:1 htb rate 1400kbit
OK

# create a leaf class
tc class add dev w1g1 parent 1:1 classid 1:10 htb rate 175kbit \
    ceil 1400kbit prio 0
OK

# create a SFQ qdisc within our subclass
tc qdisc add dev w1g1 parent 1:10 handle 10: sfq perturb 10
OK

# filter traffic on iptables mark 10
tc filter add dev w1g1 parent 1:0 prio 0 protocol ip handle 10 fw flowid 1:10
Error: RTNETLINK answers: Invalid argument
From: antonio.pinizzotto at iit.cnr.it (Antonio Pinizzotto)
Date: Thu Feb 16 21:59:15 2006
Subject: [LARTC] TCP Delayed Ack
Message-ID: <43F4E786.8080403@iit.cnr.it>

Hi.

Is it possible to disable the TCP Delayed Ack? I would need to do some TCP performance tests and it could be very useful to be able to control this kernel parameter.

Thanks.
Antonio

From: dunadanmontaraz at hotmail.com (Roberto Scattini)
Date: Fri Feb 17 03:14:52 2006
Subject: [LARTC] bridge & QoS
Message-ID:

hi everybody.

I have a bridge, and I want to apply QoS with htb and layer7 on both interfaces (eth0 and eth1). Should I apply qdiscs and classes to each individual interface (eth0 and eth1, not br0)?

If someone is using layer7, which is the right place to put the iptables rules to assure that all packets (from internet to LAN and vice versa) get analyzed for layer7 patterns, including those that are for/from the bridge (it will have an ip address)?

(maybe iptables -A POSTROUTING -m layer7 --l7proto someproto -j MARK --set-mark 3 ?)

thanks in advance.

Roberto Scattini
From: gypsy at iswest.com (gypsy)
Date: Fri Feb 17 03:35:49 2006
Subject: [LARTC] tc filter problem
References: <1140115731.43f4c913386c7@webmail.paonia.com>
Message-ID: <43F5367E.AEF6EB96@iswest.com>

jeremy@ossnetworks.org wrote:
>
> Hi,
>
> I'm using a linux 2.4.29 kernel and having trouble getting my filters added. The
> script I'm editing I actually use on a different system currently. Is this a
> tc/iproute/kernel type incompatibility? Any ideas how to debug it?
>
> Thanks, Jeremy
>
> # create a qdisc on T1 interface
> tc qdisc add dev w1g1 root handle 1: htb default 77
> OK
>
> # create a master class
> tc class add dev w1g1 parent 1: classid 1:1 htb rate 1400kbit
> OK
>
> # create a leaf class
> tc class add dev w1g1 parent 1:1 classid 1:10 htb rate 175kbit \
>     ceil 1400kbit prio 0
> OK
>
> # create a SFQ qdisc within our subclass
> tc qdisc add dev w1g1 parent 1:10 handle 10: sfq perturb 10
> OK
>
> # filter traffic on iptables mark 10
> tc filter add dev w1g1 parent 1:0 prio 0 protocol ip handle 10 fw flowid 1:10
> Error: RTNETLINK answers: Invalid argument

I just ran that script on a 2.4.32 kernel and it does not error. Be sure to destruct before running:

tc qdisc del dev w1g1 root

I doubt that the above is everything in your script. Because there is a problem with prio 49152 (tc -s filter show dev w1g1), my hunch is that you will find that "prio 0" is the problem. Try e.g. "prio 9" for all your filter lines.

(Rhetorical: What device is w1g1?)
--
gypsy
From: jeremy at ossnetworks.org (jeremy@ossnetworks.org)
Date: Fri Feb 17 05:34:10 2006
Subject: [LARTC] tc filter problem
In-Reply-To: <43F5367E.AEF6EB96@iswest.com>
References: <1140115731.43f4c913386c7@webmail.paonia.com> <43F5367E.AEF6EB96@iswest.com>
Message-ID: <1140150843.43f5523b34067@webmail.paonia.com>

I found my problem. Turned out I didn't have the QOS fwmark routing flag enabled in the kernel for that host. Those RTNETLINK errors are so useless. I wish this was documented in that section of the LARTC howto. I looked for where to submit that as a suggestion and just see 20 different authors listed. Documenting the required kernel settings for match u32, fwmark, etc. where they are each discussed would seem like a useful thing.

BTW, w1g1 is a sangoma wanpipe T1.

Jeremy

Quoting gypsy :

> jeremy@ossnetworks.org wrote:
> >
> > Hi,
> >
> > I'm using a linux 2.4.29 kernel and having trouble getting my filters
> added. The
> > script I'm editing I actually use on a different system currently. Is this
> a
> > tc/iproute/kernel type incompatibility? Any ideas how to debug it?
> >
> > Thanks, Jeremy
> >
> > # create a qdisc on T1 interface
> > tc qdisc add dev w1g1 root handle 1: htb default 77
> > OK
> >
> > # create a master class
> > tc class add dev w1g1 parent 1: classid 1:1 htb rate 1400kbit
> > OK
> >
> > # create a leaf class
> > tc class add dev w1g1 parent 1:1 classid 1:10 htb rate 175kbit \
> >     ceil 1400kbit prio 0
> > OK
> >
> > # create a SFQ qdisc within our subclass
> > tc qdisc add dev w1g1 parent 1:10 handle 10: sfq perturb 10
> > OK
> >
> > # filter traffic on iptables mark 10
> > tc filter add dev w1g1 parent 1:0 prio 0 protocol ip handle 10 fw flowid
> 1:10
> > Error: RTNETLINK answers: Invalid argument
>
> I just ran that script on a 2.4.32 kernel and it does not error. Be
> sure to destruct before running:
> tc qdisc del dev w1g1 root
>
> I doubt that the above is everything in your script. Because there is a
> problem with prio 49152 (tc -s filter show dev w1g1), my hunch is that
> you will find that "prio 0" is the problem. Try E.G. "prio 9" for all
> your filter lines.
>
> (Rhetorical: What device is w1g1?)
> --
> gypsy
>

From: regar_ba at yahoo.com (regar ucok)
Date: Fri Feb 17 08:13:33 2006
Subject: [LARTC] unsubscribe from this mailing list
In-Reply-To: <20060216110006.8BD2444ED@outpost.ds9a.nl>
Message-ID: <20060217071327.52586.qmail@web30614.mail.mud.yahoo.com>
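Jeremy's root cause above (a kernel built without the option the fw classifier needs) is exactly the kind of failure RTNETLINK reports as a bare "Invalid argument". The following is an added example, not code from the thread or from iproute2, that a shaping script can run first to check the kernel config for the qdiscs and classifiers it is about to use. The Kconfig symbols are the real ones; the descriptions next to them, the file locations tried and the sample config text are this example's own assumptions.

```python
"""Check a kernel .config for the options a tc shaping script depends on.

Reads /proc/config.gz or /boot/config-<release> when present; otherwise
the caller passes .config text in. SAMPLE_CONFIG is constructed for the
offline demonstration and is not any real machine's config.
"""
import gzip
import os
import platform

# Real Kconfig symbol -> what a script like Jeremy's uses it for
# (the right-hand descriptions are this example's wording).
REQUIRED = {
    "CONFIG_NET_SCHED":   "tc qdisc/class/filter support at all",
    "CONFIG_NET_SCH_HTB": "htb qdisc",
    "CONFIG_NET_SCH_SFQ": "sfq leaf qdiscs",
    "CONFIG_NET_CLS_FW":  "'fw' classifier: tc filter ... handle N fw",
    "CONFIG_NET_CLS_U32": "'u32' classifier",
}

# Constructed sample: HTB as a module, the fw classifier explicitly off,
# SFQ not mentioned at all (unmet dependencies are simply omitted).
SAMPLE_CONFIG = """\
CONFIG_NET_SCHED=y
CONFIG_NET_SCH_HTB=m
# CONFIG_NET_CLS_FW is not set
CONFIG_NET_CLS_U32=y
CONFIG_NLS_DEFAULT="cp437"
"""

def parse_kconfig(text):
    """Return {symbol: 'y' | 'm' | 'n' | value} from .config text.

    Handles CONFIG_X=y, CONFIG_X=m, CONFIG_X="str" and the
    '# CONFIG_X is not set' form; any other comment line is ignored.
    """
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# CONFIG_") and line.endswith(" is not set"):
            opts[line[2:-len(" is not set")]] = "n"
        elif line.startswith("CONFIG_") and "=" in line:
            key, _, val = line.partition("=")
            opts[key] = val.strip('"')
    return opts

def missing_options(text, required=REQUIRED):
    """Return {symbol: reason} for required options that are neither y nor m.

    A symbol absent from the file counts as unset, which is how the
    kernel build treats it.
    """
    opts = parse_kconfig(text)
    return {sym: why for sym, why in required.items()
            if opts.get(sym, "n") not in ("y", "m")}

def read_running_config():
    """Best-effort read of the running kernel's config, or None."""
    if os.path.exists("/proc/config.gz"):
        with gzip.open("/proc/config.gz", "rt") as fh:
            return fh.read()
    path = "/boot/config-" + platform.release()
    if os.path.exists(path):
        with open(path) as fh:
            return fh.read()
    return None

if __name__ == "__main__":
    cfg = read_running_config()
    source = "running kernel" if cfg is not None else "constructed sample"
    missing = missing_options(cfg if cfg is not None else SAMPLE_CONFIG)
    print("checked %s: %d required option(s) missing" % (source, len(missing)))
    for sym, why in missing.items():
        print("  %s (%s)" % (sym, why))
```

Run it before the tc script on the target host; a non-empty result explains the "Invalid argument" far better than the error text does, and the same parser works on a kernel config dump attached to a mail, like the one earlier in this month's archive.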
From: stevet0310 at yahoo.com (Steve Tracey)
Date: Fri Feb 17 09:28:14 2006
Subject: [LARTC] Packet vanishes after mangle-prerouting.
Message-ID: <20060217082807.38219.qmail@web37409.mail.mud.yahoo.com>

Can anyone tell me whether I have a routing problem, or an openVPN problem, or something else? I've stared at this for so long I think I must be looking in the wrong place!

I have 3 machines:

Machine A has a single ethernet card, eth0, 192.168.5.5
Machine B has eth0, 192.168.5.? on the local net, eth1, 81.2.x.y to the internet, and tun0, 10.8.?.?, an openVPN tunnel, to C
Machine C has eth0 to the internet and tun0, 10.8.?.?, back to B.

Out on the internet is machine D, a publicly accessible http server - say 64.233.167.99, port 80.

Machine B is set, as per the howto, to mark packets from A destined for D and route them out over tun0. Machine C then masquerades them out to D.

I should mention that the tunnel works fine for access between A (or B) and C. In particular C can happily ping A over the tunnel. (And "everything else" is fine. "Normal" traffic has no problem.)

The problem is that A cannot get replies from D. Using tcpdump and adding 'LOG' rules to iptables on A, B and C shows the packet going from A to B to C and out to D. The reply packet returns to C, crosses the tunnel to B and promptly vanishes. A log rule in the mangle prerouting list on B shows the packet from the tunnel:

Feb 17 07:48:54 B kernel: [mangle prerouting src]: IN=tun0 OUT= \
    MAC= SRC=64.233.167.99 DST=192.168.5.5 LEN=44 \
    TOS=0x00 PREC=0x00 TTL=48 ID=34487 DF PROTO=TCP \
    SPT=80 DPT=32882 WINDOW=8000 RES=0x00 ACK SYN URGP=0

Similar log rules in mangle-prerouting, and in the forward (and input) chains never log anything. The packet is never seen again.

Can anyone tell me where to look next? Is this a routing problem or is something happening because of the tunnel setup? Or something else???

(Machine B is fairly vanilla Debian stable with 2.4.18 kernel.)

Thanks for your patience!

From: leandro.valim at podium.com.br (Leandro Valim)
Date: Fri Feb 17 14:51:35 2006
Subject: [LARTC] Load Balance/Backup
Message-ID: <43F5E2ED.6070508@podium.com.br>

Hello, good morning,

I have many problems with load balance/backup. In tests made with the lartc.org scripts, the balance does not work 50/50, and when I take a link down, the internet goes down. I need a balance like round robin, and when one link goes down, the internet should not stop.

In my mini-lab I have 2 ADSL links and 3 ethernet cards, 2 for the links and one for the LAN. My links use DHCP to get their configuration.

Examples:

link 1: 200.133.144.121
link 2: 200.203.159.162
LAN: 192.168.0.1

Sorry, because I'm a Brazilian student, and my English is bad.

Thanks for the help,

Leandro Valim.
From: tami at disconnected.de (Paul Zirnik)
Date: Fri Feb 17 19:59:05 2006
Subject: [LARTC] Packet vanishes after mangle-prerouting.
In-Reply-To: <20060217082807.38219.qmail@web37409.mail.mud.yahoo.com>
References: <20060217082807.38219.qmail@web37409.mail.mud.yahoo.com>
Message-ID: <200602171958.59410.tami@disconnected.de>

On Friday 17 February 2006 09:28, Steve Tracey wrote:
> The problem is that A cannot get replies from D.
> Using tcpdump and adding 'LOG' rules to iptables on A, B
> and C shows the packet going from A to B to C and out to
> D. The reply packet returns to C, crosses the tunnel to B
> and promptly vanishes. A log rule in the mangle prerouting
> list on B shows the packet from the tunnel:
> Feb 17 07:48:54 B kernel: [mangle prerouting src]: IN=tun0 OUT= \
>     MAC= SRC=64.233.167.99 DST=192.168.5.5 LEN=44 \
>     TOS=0x00 PREC=0x00 TTL=48 ID=34487 DF PROTO=TCP \
>     SPT=80 DPT=32882 WINDOW=8000 RES=0x00 ACK SYN URGP=0
>
> Similar log rules in mangle-prerouting, and in the forward (and
> input) chains never log anything. The packet is never seen again.
>
> Can anyone tell me where to look next? Is this a routing problem
> or is something happening because of the tunnel setup? Or
> something else???

Looks like rp_filter catches this; try setting rp_filter off on host B. Because packets from the internet normally should come through eth1 on host B and not on tun0.

see: http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html#AEN634

greets,
Tami
From: stevet0310 at yahoo.com (Steve Tracey)
Date: Sat Feb 18 08:43:01 2006
Subject: [LARTC] Packet vanishes after mangle-prerouting.
In-Reply-To: <200602171958.59410.tami@disconnected.de>
Message-ID: <20060218074254.15578.qmail@web37412.mail.mud.yahoo.com>

Got it in one! Thanks. All ok now. I'll go and read up on all the other conf variables.

Thanks again.

Paul Zirnik wrote:
> Looks like rp_filter catches this, try set rp_filter off on host B.
> Because packets from the internet normaly should come through eth1 on
> host B and not on tun0.
>
> see: http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html#AEN634
>
> greets,
> Tami
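Paul's diagnosis above is the reverse-path filter: for every incoming packet the kernel looks up a route to the packet's *source* address and, in strict mode, drops the packet if that route would not leave through the interface it arrived on. On host B the return traffic from D arrives on tun0, but the main routing table sends 64.233.167.99 out eth1, so the packet is silently discarded before FORWARD ever sees it. The policy route that sent the request out over tun0 is keyed on the fwmark and lives in another table, which the plain 2.4 check does not consult. The example below is added here and is not code from the thread; it replays that check in user space on the LOG line Steve posted, with a routing table constructed to mirror host B (the real one would come from `ip route show`). One caveat worth keeping in mind when applying Paul's fix: rp_filter is the kernel's built-in anti-spoofing check, so turn it off only on the tunnel interface (net.ipv4.conf.tun0.rp_filter) and leave it on for the internet-facing eth1; how the `all` and per-interface values combine has changed between kernel versions, so verify the result with a test packet rather than assuming.

```python
"""Replay the strict reverse-path check on an iptables LOG line.

ROUTES_B, LOG_LINE and LAN_LINE are constructed for this example from
Steve's description of host B (eth0 = LAN, eth1 = uplink, tun0 = VPN);
the fwmark route to D via tun0 is deliberately absent because it sits in
a separate table that the main-table reverse-path lookup never sees.
"""
import ipaddress
import re

# Constructed main routing table for host B: (prefix, outgoing interface)
ROUTES_B = [
    ("192.168.5.0/24", "eth0"),
    ("10.8.0.0/24", "tun0"),
    ("0.0.0.0/0", "eth1"),
]

# The reply from D, as logged by Steve's mangle PREROUTING rule
LOG_LINE = ("Feb 17 07:48:54 B kernel: [mangle prerouting src]: IN=tun0 OUT= "
            "MAC= SRC=64.233.167.99 DST=192.168.5.5 LEN=44 TOS=0x00 PREC=0x00 "
            "TTL=48 ID=34487 DF PROTO=TCP SPT=80 DPT=32882 WINDOW=8000 RES=0x00 "
            "ACK SYN URGP=0")

# Constructed: the original request from A arriving on the LAN side
LAN_LINE = ("Feb 17 07:48:53 B kernel: [mangle prerouting src]: IN=eth0 OUT= "
            "MAC= SRC=192.168.5.5 DST=64.233.167.99 LEN=60 TOS=0x00 PREC=0x00 "
            "TTL=64 ID=1 DF PROTO=TCP SPT=32882 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0")

def parse_log(line):
    """Pull the KEY=value fields of an iptables LOG line into a dict
    (empty values such as OUT= and MAC= map to '')."""
    return dict(re.findall(r"(\w+)=(\S*)", line))

def route_lookup(address, routes):
    """Longest-prefix match over (prefix, dev) pairs; None if nothing matches."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev)
    return best[1] if best else None

def rp_filter_verdict(line, routes):
    """Strict reverse-path check as (accepted, arrived_on, expected_on).

    accepted is False when the route back to SRC leaves by a different
    interface than the one the packet came in on; that is the case the
    kernel drops without logging anything in FORWARD or INPUT.
    """
    fields = parse_log(line)
    expected = route_lookup(fields["SRC"], routes)
    return (expected == fields["IN"], fields["IN"], expected)

if __name__ == "__main__":
    for label, line in (("reply from D", LOG_LINE), ("request from A", LAN_LINE)):
        ok, seen, want = rp_filter_verdict(line, ROUTES_B)
        print("%-14s IN=%-5s route-to-src=%-5s -> %s"
              % (label, seen, want, "pass" if ok else "DROPPED by rp_filter"))
```

Feed it the LOG lines from a real box together with `ip route show` output and it tells you, per packet, whether the silent drop Steve saw is the reverse-path filter or something else.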
From: msc at antzsystem.de (Markus Schulz)
Date: Sat Feb 18 19:24:36 2006
Subject: [LARTC] htb root don't reach ceil rate?
In-Reply-To: <200602101445.27714.msc@antzsystem.de>
References: <200602101445.27714.msc@antzsystem.de>
Message-ID: <200602181924.25045.msc@antzsystem.de>

On Friday, 10 February 2006 14:45, Markus Schulz wrote:
> tc -s -d class show dev ppp0
> class htb 1:1 root rate 576000bit ceil 576000bit burst 30Kb/8 mpu 0b
> overhead 0b cburst 1739b/8 mpu 0b overhead 14b level 7
>  Sent 1485575598 bytes 3140554 pkts (dropped 0, overlimits 0)
>  rate 480008bit 115pps
>  lended: 1904616 borrowed: 0 giants: 0
>  tokens: 385702 ctokens: -26458

OK, I understand now. The difference comes from gross versus net data rates, due to the overhead of ATM-SAR and PPPoE overhead. All statistic values are net values.

--
Markus Schulz
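Markus's conclusion is worth putting numbers on, because the same accounting explains the jitter Stanislav measured earlier in this thread. HTB counts IP bytes, but an ADSL line carries 53-byte ATM cells with 48 bytes of payload each, after the PPPoE/PPP headers and the AAL5 trailer have been added and the frame padded to a whole cell. A shaper whose rate equals the advertised line rate therefore lets more through than the line can carry, the modem's queue fills, and no prio 0 class can help because the delay is added after the shaper. The second consequence is that even a correctly rated shaper cannot pre-empt a packet already handed to the modem, so one full-size packet's serialization time at the true line rate is the jitter floor a high-priority ping will still see. The example below is added here and is not code from the thread or from iproute2; the 40-byte per-frame overhead is an assumed typical value for PPPoE over ATM with LLC encapsulation and is a parameter, not a figure from Markus's setup. Newer iproute2 and kernels can do this accounting in-kernel (`tc qdisc add ... stab linklayer atm overhead N ...`), which was not available on a 2006 kernel.

```python
"""Gross (ATM wire) versus net (IP) rate on PPPoE/ADSL, and the latency floor.

Constants follow the ATM/AAL5 definitions; OVERHEAD is the assumed
per-frame cost of LLC + PPPoE + PPP headers and is a parameter.
"""
import math

ATM_CELL = 53          # bytes on the wire per cell
ATM_PAYLOAD = 48       # usable bytes per cell
AAL5_TRAILER = 8       # trailer appended to every AAL5 frame
OVERHEAD = 40          # assumed LLC/PPPoE/PPP header bytes per IP packet

def wire_bytes(ip_len, overhead=OVERHEAD):
    """Bytes actually transmitted on the ATM link for one IP packet."""
    sdu = ip_len + overhead + AAL5_TRAILER      # AAL5 frame before padding
    cells = math.ceil(sdu / ATM_PAYLOAD)        # padded up to whole cells
    return cells * ATM_CELL

def net_rate_bps(gross_bps, ip_len, overhead=OVERHEAD):
    """IP-level throughput a link of gross_bps yields for packets of ip_len bytes."""
    return gross_bps * ip_len / wire_bytes(ip_len, overhead)

def gross_rate_bps(net_bps, ip_len, overhead=OVERHEAD):
    """Line rate needed to carry net_bps of IP traffic made of ip_len packets;
    the inverse, i.e. what an HTB 'rate' set in IP bytes really costs."""
    return net_bps * wire_bytes(ip_len, overhead) / ip_len

def serialization_ms(ip_len, gross_bps, overhead=OVERHEAD):
    """Milliseconds one packet occupies the line. A packet already in the
    modem cannot be pre-empted, so this bounds the jitter a prio 0 class sees."""
    return wire_bytes(ip_len, overhead) * 8 * 1000 / gross_bps

def efficiency(ip_len, overhead=OVERHEAD):
    """Fraction of line capacity that is IP payload for a given packet size."""
    return ip_len / wire_bytes(ip_len, overhead)

if __name__ == "__main__":
    line = 576000   # Markus's ppp0 rate, bit/s
    for size in (84, 576, 1500):
        print("IP %4d B -> %4d B on wire, efficiency %.2f, net %6.0f bit/s at %d, "
              "serialization %5.1f ms"
              % (size, wire_bytes(size), efficiency(size),
                 net_rate_bps(line, size), line, serialization_ms(size, line)))
```

For 1500-byte packets the link carries 1749 bytes per packet, so a 576 kbit/s line yields about 494 kbit/s of IP traffic, in the same region as the 480 kbit/s HTB reported to Markus (his traffic mix includes smaller, less efficient packets). At that line rate a full-size packet takes about 24 ms to serialize; at the 192 kbit/s Stanislav's script uses as its root rate it would take 73 ms, so the 15 to 25 ms spikes he sees on a prio 0 ICMP class are consistent with a faster physical line and with the shaper itself being the only thing keeping the modem queue short.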
From: bclark at eccotours.co.za (Brent Clark) Date: Sat Feb 18 20:25:18 2006 Subject: [LARTC] cant route out Message-ID: <43F774AC.7020201@eccotours.co.za>

Hi all

I seem to have a very weird problem. I have a gateway that allows me to route into the LAN etc., but for some reason I can't get traffic out.

I have appended a route like the one below to help me see if it's getting that far, and it definitely is.

$IPT -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j LOG --log-prefix "POST ROUTE: " --log-tcp-options --log-ip-options

Feb 18 19:14:16 ukgate kernel: POST ROUTE: IN= OUT=eth0 SRC=10.0.0.74 DST=140.135.10.98 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=52278 DF PROTO=TCP SPT=1336 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Feb 18 19:14:16 ukgate kernel: POST ROUTE: IN= OUT=eth0 SRC=10.0.0.74 DST=219.159.9.103 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=52279 DF PROTO=TCP SPT=1337 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Feb 18 19:14:16 ukgate kernel: POST ROUTE: IN= OUT=eth0 SRC=10.0.0.74 DST=219.117.8.205 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=52280 DF PROTO=TCP SPT=1338 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)

ukgate:~# ip route show
217.206.34.80/28 dev eth0  proto kernel  scope link  src 217.206.34.82
10.0.0.0/24 dev eth1  proto kernel  scope link  src 10.0.0.4
default via 217.206.34.81 dev eth0
ukgate:~#

And the weird thing is that tcpdump shows the client trying to connect:

ukgate:~# tcpdump -nn port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
19:21:59.735233 IP 10.0.0.4.1900 > 219.54.8.100.80: S 340139438:340139438(0) win 65535
19:21:59.735396 IP 10.0.0.4.1901 > 213.73.201.11.80: S 340204029:340204029(0) win 65535
19:22:01.734139 IP 10.0.0.4.1904 > 218.212.34.220.80: S 340860984:340860984(0) win 65535
19:22:02.706327 IP 10.0.0.4.1900 > 219.54.8.100.80: S 340139438:340139438(0) win 65535
19:22:02.706347 IP 10.0.0.4.1901 > 213.73.201.11.80: S 340204029:340204029(0) win 65535
19:22:04.717925 IP 10.0.0.4.1904 > 218.212.34.220.80: S 340860984:340860984(0) win 65535

If anyone could assist, I would be most grateful.

Kind Regards
Brent Clark

P.S. I have echo 1 > /proc/sys/net/ipv4/ip_forward in my ruleset.

From vincent-perrier at club-internet.fr Sun Feb 19 00:13:11 2006
From: vincent-perrier at club-internet.fr (vincent perrier) Date: Sun Feb 19 00:13:17 2006 Subject: [LARTC] kernel2web Message-ID: <1140304392.6203.16.camel@localhost.localdomain>

A new interface and qdisc monitoring tool called kernel2web is available at http://rawsoft.org. Note: you have to compile a kernel module for kernel 2.6.

Vincent Perrier.

From sebi at sebi.org Sun Feb 19 00:39:06 2006
From: sebi at sebi.org (Sebastian Bork) Date: Sun Feb 19 00:39:54 2006 Subject: [LARTC] cant route out In-Reply-To: <43F774AC.7020201@eccotours.co.za> References: <43F774AC.7020201@eccotours.co.za> Message-ID: <1140305946.12505.8.camel@eris.sebi.org>

On Sa, 2006-02-18 at 21:25 +0200, Brent Clark wrote:
> I have a gateway that allows me to route into the LAN etc, but for some reason I cant get traffic out.

Are you sure NAT is working? It looks like the packets leave your gateway with addresses like 10.0.0.4 or 10.0.0.74 instead of being NAT'ed to the public address 217.206.34.82.

From bclark at eccotours.co.za Sun Feb 19 14:32:36 2006
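Sebastian's diagnosis came straight from reading the tcpdump output: SYNs were leaving eth0 still carrying 10.0.0.x sources, so the POSTROUTING LOG rule saw them but nothing rewrote them. The following is an added example, not code from the thread, that turns that reading into a check you can run on a gateway: feed it `tcpdump -nn -i eth0 'tcp[tcpflags] & tcp-syn != 0'` and it lists outbound SYNs whose source is still RFC 1918 space. The SAMPLE variable is constructed test input: two of Brent's lines plus one correctly NATed line built from the gateway's public address.

```shell
#!/bin/sh
# Added example, not code from the thread. A missing SNAT/MASQUERADE rule shows
# up on the public interface as packets with private source addresses; this
# filter pulls exactly those flows out of `tcpdump -nn` output.

# is_private A.B.C.D -> success when the address is in 10/8, 172.16/12 or 192.168/16
is_private() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# nat_leaks < tcpdump-output -> one "src -> dst" line per flow that escaped NAT
nat_leaks() {
    while IFS= read -r line; do
        # tcpdump -nn prints: HH:MM:SS.usec IP src.port > dst.port: flags ...
        set -- $line
        [ "${2:-}" = "IP" ] && [ "${4:-}" = ">" ] || continue
        src="${3%.*}"                     # strip the port
        dst="${5%%:*}"; dst="${dst%.*}"   # strip the colon, then the port
        if is_private "$src" && ! is_private "$dst"; then
            printf '%s -> %s\n' "$src" "$dst"
        fi
    done
}

# Constructed sample: two lines from Brent's capture and one properly NATed
# SYN (public source 217.206.34.82, destination in the RFC 5737 test range).
SAMPLE='19:21:59.735233 IP 10.0.0.4.1900 > 219.54.8.100.80: S 340139438:340139438(0) win 65535
19:21:59.735396 IP 10.0.0.4.1901 > 213.73.201.11.80: S 340204029:340204029(0) win 65535
19:22:05.000000 IP 217.206.34.82.1905 > 198.51.100.7.80: S 1:1(0) win 65535'

# sample_leak_count -> number of leaking flows in SAMPLE (expected: 2)
sample_leak_count() {
    printf '%s\n' "$SAMPLE" | nat_leaks | wc -l | tr -d ' '
}
```

A non-empty result on the real interface means the rule that is missing is of the form `iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j SNAT --to-source 217.206.34.82` (or MASQUERADE on a dynamic address); a LOG rule in POSTROUTING only proves the packet reached the table, not that it was translated.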
From: bclark at eccotours.co.za (Brent Clark) Date: Sun Feb 19 14:32:43 2006 Subject: [LARTC] cant route out In-Reply-To: <1140305946.12505.8.camel@eris.sebi.org> References: <43F774AC.7020201@eccotours.co.za> <1140305946.12505.8.camel@eris.sebi.org> Message-ID: <43F87374.6030705@eccotours.co.za>

Sebastian Bork wrote:
> On Sa, 2006-02-18 at 21:25 +0200, Brent Clark wrote:
>> I have a gateway that allows me to route into the LAN etc, but for some reason I cant get traffic out.
>
> Are you sure NAT is working? It looks like the packets leave your gateway with addresses like 10.0.0.4 or 10.0.0.74 instead of being NAT'ed to the public address 217.206.34.82.

Hi Sebastian

I figured it out late last night and cursed myself for not figuring it out fast enough. But at least I relearnt something.

I appreciate your feedback. I really appreciate it.

Kind Regards
Brent Clark

From nampreet at hotmail.com Sun Feb 19 18:29:05 2006
From: nampreet at hotmail.com (Nampreet Sarao) Date: Sun Feb 19 18:29:08 2006 Subject: [LARTC] controlling traffic going via FTP using tc Message-ID:

Hi,
How does one control FTP traffic using tc? I tried a few things, but don't know how to do it. Could you please guide me?

Thanks in advance
Nampreet

From nix4me at cfl.rr.com Sun Feb 19 20:03:27 2006
From: nix4me at cfl.rr.com (nix4me) Date: Sun Feb 19 20:03:47 2006 Subject: [LARTC] controlling traffic going via FTP using tc In-Reply-To: References: Message-ID: <43F8C0FF.4030700@cfl.rr.com>

Nampreet Sarao wrote:
> hi
> how does one control traffic of ftp using tc. I tried few things, dont know how to do it. Could you please guide me in it.
> Thanks in advance
> Nampreet

Here is how I do it. Works perfectly.

#!/bin/bash
# Shaping passive and active outbound FTP traffic on an internal computer
# without affecting inbound and LAN speed.

# Mark the outbound passive FTP packets on ports 50000-51000
# (start from a clean MYSHAPER-OUT chain; errors from a missing chain are ignored)
iptables -t mangle -D OUTPUT -o eth0 -j MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -F MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -X MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -N MYSHAPER-OUT
iptables -t mangle -I OUTPUT -o eth0 -j MYSHAPER-OUT
# everything unmarked -> mark 20 (default class); ftp data -> 26; small packets (ACKs) -> 30
iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 20
iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 59999 -j MARK --set-mark 26
iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 50000:51000 -j MARK --set-mark 26
iptables -t mangle -A MYSHAPER-OUT -p tcp -m length --length :64 -j MARK --set-mark 30

# Clear any existing root qdisc (fails harmlessly if there is none)
tc qdisc del dev eth0 root 2> /dev/null

# Add the root qdisc; unclassified traffic lands in 1:20
tc qdisc add dev eth0 root handle 1: htb default 20

# Add the main rate limit class
tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit

# Add leaf classes. Note that tc reads "kbps" as kilobytes per second
# (and "kbit" as kilobits per second).
tc class add dev eth0 parent 1:1 classid 1:2 htb rate 100mbit
tc class add dev eth0 parent 1:1 classid 1:3 htb rate 40kbps
tc class add dev eth0 parent 1:3 classid 1:31 htb rate 30kbps ceil 40kbps prio 2
tc class add dev eth0 parent 1:3 classid 1:32 htb rate 10kbps ceil 34kbps prio 1

# Filter traffic into classes by firewall mark
tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 20 fw flowid 1:2
tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 26 fw flowid 1:31
tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 30 fw flowid 1:32

From michiele at info.nl Mon Feb 20 13:54:35 2006
From: michiele at info.nl (Michiel van Es) Date: Mon Feb 20 13:54:38 2006 Subject: [LARTC] question about traffic control Message-ID: <43F9BC0B.5020606@info.nl>

From GregScott at InfraSupportEtc.com Mon Feb 20 14:11:30 2006
From: GregScott at InfraSupportEtc.com (Greg Scott) Date: Mon Feb 20 14:11:34 2006 Subject: [LARTC] (no subject) Message-ID: <925A849792280C4E80C5461017A4B8A20320B9@mail733.InfraSupportEtc.com>

Hello -

I am using kernel 2.4.27 and running into behavior I don't know how to explain.

I have 2 relevant interfaces. eth0 is external, eth1 is internal. My internal LAN is 10.10.10.0/24. My external range is 1.2.3.0/27 (dummied up). I have an H.323 videoconference device inside my internal LAN, but at IP address 1.2.3.11/27 (IP address dummied up). I want to proxy ARP this device. Both eth0 and eth1 on my firewall have IP address 1.2.3.2/27. eth1 also has IP address 10.10.10.1/24 and is the default gateway for all my internal hosts. The router outside my firewall is 1.2.3.1. So the network looks like this (apologies if email butchers my ASCII art):

          10.10.10.0/27                          1.2.3.0/27
 10.10.10.n internal hosts
      |
 <----+-----+--------+              +-------+------> to the Internet
            |        |              |       |
         Proxied   Firewall      Firewall   Router
      H.323 device   eth1          eth0
        1.2.3.11   10.10.10.1     1.2.3.2   1.2.3.1
                     1.2.3.2

/proc/sys/net/ipv4/conf/eth0/proxy_arp is 1.
/proc/sys/net/ipv4/conf/eth1/proxy_arp is 1.
My firewall has a route to 1.2.3.11 dev eth1. The host at 1.2.3.11 has a default GW of 1.2.3.1.

This is where it gets weird. The H.323 device should exchange a few TCP packets with the far end and then thousands of UDP packets. And I should see this stream on the firewall watching both interfaces. I run tcpdump in two different windows on the firewall, one for eth1, the other for eth0. When I initiate an outbound H.323 call from the device at .11, tcpdump on the firewall shows TCP packets flying on eth1, but nothing on eth0, almost all the time. Calls don't complete most of the time, although one call kind of completed. Watching on the firewall, I saw a TCP conversation on eth1, but nothing on eth0. Very strange!

One time a call completed all the way and UDP started flying, as it should. I saw a few UDP packets on eth0 and lots (thousands) of UDP packets on eth1. For the call that really completed, I would expect to see thousands of UDP packets on both eth0 and eth1, but instead saw only a few on eth0.

This behavior happens even with no firewall filtering rules in place. My NATed 10.10.10.nn internal hosts work fine; in fact, my email server posting this item to the list is one of those hosts.

The obvious question: why such an old kernel? Because it's worked for everything I need so far and every 2.6.nn I try has other bugs with one module or another.

My questions: was proxy ARP broken in the 2.4.27 days? Why doesn't tcpdump show me packets on both interfaces of the firewall? Am I missing a setup ingredient someplace? Should the default GW on that H.323 device be .2 (the firewall) or .1 (the Internet router)? Does mixing NAT and proxy ARP create problems? Should I put the H.323 device in its own little DMZ?

Thanks

- Greg Scott

From GregScott at InfraSupportEtc.com Mon Feb 20 14:15:06 2006
From: GregScott at InfraSupportEtc.com (Greg Scott) Date: Mon Feb 20 14:15:07 2006 Subject: [LARTC] Proxy ARP and UDP Message-ID: <925A849792280C4E80C5461017A4B8A20320BA@mail733.InfraSupportEtc.com>

Whoops - my fat fingers hit the send key before I could put in a subject a minute ago.

Hello -

I am using kernel 2.4.27 and running into behavior I don't know how to explain.

I have 2 relevant interfaces. eth0 is external, eth1 is internal. My internal LAN is 10.10.10.0/24. My external range is 1.2.3.0/27 (dummied up). I have an H.323 videoconference device inside my internal LAN, but at IP address 1.2.3.11/27 (IP address dummied up). I want to proxy ARP this device. Both eth0 and eth1 on my firewall have IP address 1.2.3.2/27. eth1 also has IP address 10.10.10.1/24 and is the default gateway for all my internal hosts. The router outside my firewall is 1.2.3.1. So the network looks like this (apologies if email butchers my ASCII art):

          10.10.10.0/27                          1.2.3.0/27
 10.10.10.n internal hosts
      |
 <----+-----+--------+              +-------+------> to the Internet
            |        |              |       |
         Proxied   Firewall      Firewall   Router
      H.323 device   eth1          eth0
        1.2.3.11   10.10.10.1     1.2.3.2   1.2.3.1
                     1.2.3.2

/proc/sys/net/ipv4/conf/eth0/proxy_arp is 1.
/proc/sys/net/ipv4/conf/eth1/proxy_arp is 1.
My firewall has a route to 1.2.3.11 dev eth1. The host at 1.2.3.11 has a default GW of 1.2.3.1.

This is where it gets weird. The H.323 device should exchange a few TCP packets with the far end and then thousands of UDP packets. And I should see this stream on the firewall watching both interfaces. I run tcpdump in two different windows on the firewall, one for eth1, the other for eth0. When I initiate an outbound H.323 call from the device at .11, tcpdump on the firewall shows TCP packets flying on eth1, but nothing on eth0, almost all the time. Calls don't complete most of the time, although one call kind of completed. Watching on the firewall, I saw a TCP conversation on eth1, but nothing on eth0. Very strange!

One time a call completed all the way and UDP started flying, as it should. I saw a few UDP packets on eth0 and lots (thousands) of UDP packets on eth1. For the call that really completed, I would expect to see thousands of UDP packets on both eth0 and eth1, but instead saw only a few on eth0.

This behavior happens even with no firewall filtering rules in place. My NATed 10.10.10.nn internal hosts work fine; in fact, my email server posting this item to the list is one of those hosts.

The obvious question: why such an old kernel? Because it's worked for everything I need so far and every 2.6.nn I try has other bugs with one module or another.

My questions: was proxy ARP broken in the 2.4.27 days? Why doesn't tcpdump show me packets on both interfaces of the firewall? Am I missing a setup ingredient someplace? Should the default GW on that H.323 device be .2 (the firewall) or .1 (the Internet router)? Does mixing NAT and proxy ARP create problems? Should I put the H.323 device in its own little DMZ?

Thanks

- Greg Scott

From ahasenack at terra.com.br Mon Feb 20 14:35:08 2006
From: ahasenack at terra.com.br (Andreas Hasenack) Date: Mon Feb 20 14:35:14 2006 Subject: [LARTC] calculating burst for TBF Message-ID: <20060220133506.GA3374@mandriva.com>

I'm using tc from iproute-2.6.15 with a 2.6.12 kernel. I was testing the effects of the burst parameter in a tbf qdisc. Basically, I was testing this statement from the tc-tbf(8) manpage:

"If your buffer is too small, packets may be dropped because more tokens arrive per timer tick than fit in your bucket. The minimum buffer size can be calculated by dividing the rate by HZ."

So, for a 200kbit rate on Intel, this would yield me a minimum burst of 2000 bits, or 250 bytes. I then do this:

tc qdisc add dev eth0 handle 1: root tbf latency 50ms burst 250b rate 200kbit

but all packets are dropped. I then raise burst to 300b, 400b, even 900b and it is still not working. It only starts working when I raise it to 2000b. Which, besides being the wrong unit (bits versus bytes), is the result of the rate/HZ calculation.

The tc(8) manpage says that "b or a bare number = bytes", but it seems this parameter ends up being bits? If not, what is wrong then?

From msc at antzsystem.de Mon Feb 20 14:47:06 2006
From: msc at antzsystem.de (Markus Schulz) Date: Mon Feb 20 14:47:18 2006 Subject: [LARTC] question about traffic control In-Reply-To: <43F9BC0B.5020606@info.nl> References: <43F9BC0B.5020606@info.nl> Message-ID: <200602201447.07381.msc@antzsystem.de>

On Monday 20 February 2006 13:54, Michiel van Es wrote:
> Hi,
> I have the following situation:
> 1 gateway box with 2 WAN interfaces (eth1 and eth2).
> 1 LAN interface eth0
> default gateway is eth2
> I want to route all traffic with destination protocol tcp 22 (ssh) NOT over the default gateway eth2 but force them to find their route over eth1. All other traffic must go the normal way over eth2.
>
> Is this possible with tc or another tool?

Yes, with iproute and a little help from iptables for selecting which packets to route differently. Look at http://www.linuxguruz.com/iptables/howto/2.4routing-11.html

And please, don't send HTML mails to mailing lists.

Markus Schulz

From mlfreeman at gmail.com Mon Feb 20 17:32:13 2006
From: mlfreeman at gmail.com (Michael Freeman) Date: Mon Feb 20 17:32:17 2006 Subject: [LARTC] dual wan, dual router, one machine behind, route from both to / from one machine Message-ID:

I apologize if this has been asked before, but things are too busy to preclude a full search of the list.

I have both cable and DSL from the local providers here. Due to wiring issues here, I've been forced to put the cable modem in one end of the house and the DSL modem in the other. The cable modem is firewalled off by a Cisco PIX 501 (192.168.2.12). The DSL modem is firewalled off by a 4 year old Linksys DSL/cable router (192.168.2.1). Behind the whole mess I have several PCs and a Linksys WRT54GS running OpenWrt (192.168.2.3).

If I set both 192.168.2.1 and 192.168.2.12 to forward ssh to 192.168.2.3 (the WRT54GS running OpenWrt) and install iproute2 on the 54GS, what can I do to make sure that ssh coming in from the cable modem gets routed out the cable modem and ssh coming in from the DSL modem gets routed out the DSL modem?

I tried setting up multiple default routes and (for some reason unknown to me) that worked exactly once, but then I did a power-off test of the config and it never worked since. Assume I might be connecting over both routes from one random IP on the internet at any random time. Doing that would allow me to harness the full and combined uplink capability of both lines.

I know one solution would be to buy another WRT54GS and run OpenWrt on it, but I've looked all over town and no one has any of the old Linux-friendly hardware versions still. They all have the new versions that run only VxWorks.

Thanks,
Michael

From martin-lartc at wonderfrog.net Mon Feb 20 18:53:51 2006
From: martin-lartc at wonderfrog.net (Martin A. Brown) Date: Mon Feb 20 18:57:53 2006 Subject: [LARTC] question about traffic control In-Reply-To: <43F9BC0B.5020606@info.nl> References: <43F9BC0B.5020606@info.nl> Message-ID:

Michiel,

: I have the following situation:
: 1 gateway box with 2 WAN interfaces (eth1 and eth2).
: 1 LAN interface eth0
: default gateway is eth2
: I want to route all traffic with destination protocol tcp 22 (ssh) NOT
: over the default gateway eth2 but force them to find it's route over
: eth1.
: All other traffic must go the normal way over eth2.
:
: Is this possible with tc or an other tool?

You already have an answer from Markus Schulz, but I thought I might add a bit of help, too.

You are describing a problem that can be solved with policy routing. Linux has long supported policy routing. Although I have not updated my documentation in quite some time, you may find this document [0] helpful in untangling the possible configurations to support policy routing.

In short, one solution involves:

- [optional] making an entry in the /etc/iproute2/rt_tables file (append with >>, a single > would overwrite the file)

    grep -q secondary /etc/iproute2/rt_tables \
      || echo 3 secondary >> /etc/iproute2/rt_tables

- adding a routing table with its default route pointed out eth1

    ip route add default via $ETH1_GW dev eth1 table secondary

- marking the traffic you wish to handle differently

    iptables [ ... selectors ... ] -j MARK --set-mark 3

- modifying the RPDB to select your secondary routing table for traffic with fwmark 3

    ip rule add fwmark 3 table secondary

That should get you most of the way there. Remember a few additional tips which often stump beginners with policy routing:

- Think about the return packets. Are they handled according to your plan?
- Turn off reverse path filtering (rp_filter) [1]
- Make sure your (S)NAT rules are correct for packets leaving via eth1 (the other interface).
Good luck, -Martin [0] http://linux-ip.net/html/adv-multi-internet.html [1] http://ipsysctl-tutorial.frozentux.net/chunkyhtml/theconfvariables.html#AEN634 -- Martin A. Brown --- Wonderfrog Enterprises --- martin@wonderfrog.net From gypsy at iswest.com Mon Feb 20 19:49:09 2006 From: gypsy at iswest.com (gypsy) Date: Mon Feb 20 19:49:24 2006 Subject: [LARTC] Proxy ARP and UDP References: <925A849792280C4E80C5461017A4B8A20320BA@mail733.InfraSupportEtc.com> Message-ID: <43FA0F25.93FC4722@iswest.com> Greg Scott wrote: > I have 2 relevant interfaces. eth0 is external, eth1 is internal. My > internal LAN is 10.10.10.0/24. My External range is 1.2.3.0/27 (dummied > up). I have an H.323 videoconference device inside my internal LAN, but > at IP Address 1.2.3.11/27. (IP Address dummied up.) I want to proxy > ARP this device. > > My questions - was proxy ARP broken in the 2.4.27 days? Why doen't > tcpdump show me packets on both interfaces of the firewall? Am I > missing a setup ingredient someplace? Should the default GW on that > H.323 device be .2 (the firewall) or .1 (the Internet router)? Does > mixing NAT and proxy ARP create problems? Should I put the H.323 device > in its own little DMZ? > > Thanks > > - Greg Scott No, not broken; proxy ARP works fine in 2.4.25 - .32. You should have a look at Martin Brown's proxy ARP script http://yesican.chsoft.biz/lartc/proxy-arp.sh and its config file http://yesican.chsoft.biz/lartc/proxy-arp.conf but I bet the problem is rp_filter. -- gypsy From qwerty at elusion.sk Mon Feb 20 22:59:33 2006 
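Martin's four steps, and the return-path question he raises, can be put into one script. What follows is an added example and not code from the thread or from Martin's documentation. It covers Michiel's case (outbound ssh leaves via the secondary link) and extends it to Michael's (replies to connections that arrived over the secondary link go back out that link), using CONNMARK so the decision taken on the first packet sticks for the whole connection. Everything it assumes is labelled: LAN on eth0, default WAN on eth2, secondary WAN on eth1 with next hop 198.51.100.1 (an RFC 5737 documentation address), LAN prefix 192.168.2.0/24, routing table "secondary" numbered 3, fwmark 3. gen_commands only prints the commands so they can be reviewed; apply_commands runs them and needs root.

```shell
#!/bin/sh
# Added example, not code from the thread. Policy routing for a gateway with
# two WAN links: traffic marked $MARK is routed with table $ALT_TABLE, whose
# default route points out $ALT_IF. Two sources of marks:
#   1. new TCP/22 connections from the LAN or from the gateway itself;
#   2. new connections that arrived on $ALT_IF (remembered in the connmark so
#      the replies, which come from the LAN, pick up the same mark).
# Assumed values, none from the thread: interface names, next hop, LAN prefix,
# table name/number and mark.

LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"
ALT_IF="${ALT_IF:-eth1}"
ALT_GW="${ALT_GW:-198.51.100.1}"
ALT_TABLE="${ALT_TABLE:-secondary}"
ALT_TABLE_NUM="${ALT_TABLE_NUM:-3}"
MARK="${MARK:-3}"
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"

# Register the table name once. Appending matters: a single > would truncate
# the file and drop the local/main/default entries.
rt_table_cmd() {
    grep -q "[[:space:]]$ALT_TABLE\$" "$RT_TABLES" 2>/dev/null && return 0
    echo "echo '$ALT_TABLE_NUM $ALT_TABLE' >> $RT_TABLES"
}

# gen_commands -> the full command list, one per line, comments included
gen_commands() {
    rt_table_cmd
    cat <<EOF
# the alternate table needs the LAN route too, or marked packets for LAN hosts
# would follow its default route
ip route replace $LAN_NET dev $LAN_IF table $ALT_TABLE
ip route replace default via $ALT_GW dev $ALT_IF table $ALT_TABLE
ip rule add fwmark $MARK table $ALT_TABLE
# restore a remembered mark on packets that are about to be routed outward
iptables -t mangle -A PREROUTING -i $LAN_IF -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
# case 2: connections arriving on the secondary link; only the connmark is set,
# the arriving packet itself stays unmarked and is delivered via the main table
iptables -t mangle -A PREROUTING -i $ALT_IF -m state --state NEW -j CONNMARK --set-mark $MARK
# case 1: new ssh connections from the LAN and from the gateway
iptables -t mangle -A PREROUTING -i $LAN_IF -p tcp --dport 22 -m state --state NEW -j MARK --set-mark $MARK
iptables -t mangle -A OUTPUT -p tcp --dport 22 -m state --state NEW -j MARK --set-mark $MARK
# persist any mark so the rest of the connection inherits it
iptables -t mangle -A PREROUTING -i $LAN_IF -m mark ! --mark 0 -j CONNMARK --save-mark
iptables -t mangle -A OUTPUT -m mark ! --mark 0 -j CONNMARK --save-mark
# packets leaving via the secondary link need that link's source address
iptables -t nat -A POSTROUTING -o $ALT_IF -j MASQUERADE
# replies for case 1 arrive on $ALT_IF although the main table would route
# their source via the default WAN; strict rp_filter drops them
sysctl -w net.ipv4.conf.$ALT_IF.rp_filter=0
sysctl -w net.ipv4.conf.all.rp_filter=0
ip route flush cache
EOF
}

# apply_commands -> runs every non-comment line from gen_commands, stops on error
apply_commands() {
    gen_commands | while IFS= read -r cmd; do
        case "$cmd" in '#'*|'') continue ;; esac
        printf '+ %s\n' "$cmd"
        eval "$cmd" || return 1
    done
}
```

Run it once on a clean mangle table (the iptables lines append, so re-running duplicates rules). Two caveats for Michael's layout: both of his routers sit on the same LAN segment, so `-i` cannot tell them apart and the case 2 rule has to match the router's hardware address instead (`-m mac --mac-source` in PREROUTING); and on kernels from 2.6.31 onward `rp_filter=2` (loose mode, source must merely be reachable via some interface) is a less drastic setting than 0.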
From: qwerty at elusion.sk (Boris Gereg) Date: Mon Feb 20 22:59:45 2006 Subject: [LARTC] HTB, strange capacity distribution Message-ID: <131577286.20060220225933@elusion.sk>

Hello,

after spending several hours reading archives, I decided to write a new post. I successfully set up packet classification, made some basic HTB setup, made some simple graphical representation from HTB statistics data... BUT, I cannot figure out how to refine HTB to get this behaviour:

I need class "p2p" to be the last one to get some link capacity. If I set both RATE and CEIL for "p2p" to some constant value, everything is OK. When I set CEIL for "p2p" e.g. to 2048 kbps (total link capacity), "p2p" starts to get most of the link capacity and does not want to give capacity to other classes with higher priorities!

I made a screenshot to help explain my problem. Please see this picture: http://elusion.sk/visual_inet_hory.png

Point A - "p2p" class (red line) has both RATE and CEIL set to a fixed value. I started a download from the web to fill the "www" class. You can see "www" got the remaining link capacity, "p2p" without a change - all as expected.

Point B - I reset CEIL of the "p2p" class to 2048 kbit (to use the rest of the capacity unused by other classes with higher priorities, up to link capacity).

Point C - I started the same download from the web as in Point A and this is the PROBLEM. You can see that "p2p" lowered a bit, and the "www" class got some capacity. What I expect is that the "www" class gets most of the link capacity and the "p2p" class falls to its RATE, because the "http" class has higher priority than "p2p".

Point D - CEIL of "p2p" reset to the fixed value.

Point E - I tried the same download from the web just to be sure it works.
This is my HTB config (using the latest htb-init script):

root: RATE=100Mbit
( local traffic: RATE=50Mbit CEIL=100Mbit PRIO=0 )
"ctrl" class: RATE=64kbit CEIL=256kbit PRIO=1
"other" class: RATE=128kbit CEIL=768kbit PRIO=2
"www" class: RATE=512kbit CEIL=2048kbit PRIO=3
"p2p" class: RATE=386kbit CEIL=386kbit (or 2048, for Points B and C in the figure above) PRIO=4

All I want to set up is: if class "www" with prio 3 gets fully utilized (I start 10 http downloads at the same time), I expect the "p2p" class with prio 4 to fall down to its RATE of 386 kbit, to free capacity for the "www" class. In other words: I expect "www" to overrule "p2p" ("p2p" still getting its RATE).

Can someone help to explain this? Maybe I did not get the purpose of the PRIO setting, not sure.

Help, please

Best Regards,
B. Gereg

From Andreas.Klauer at metamorpher.de Mon Feb 20 23:59:29 2006
From: Andreas.Klauer at metamorpher.de (Andreas Klauer) Date: Mon Feb 20 23:59:32 2006 Subject: [LARTC] HTB, strange capacity distribution In-Reply-To: <131577286.20060220225933@elusion.sk> References: <131577286.20060220225933@elusion.sk> Message-ID: <20060220225929.GA19681@EIS>

On Mon, Feb 20, 2006 at 10:59:33PM +0100, Boris Gereg wrote:
> I made a screen to help explain my problem. Please, see this picture:
> http://elusion.sk/visual_inet_hory.png

Nice graph. I assume this is on downstream, and you rely on HTB to drop packets for you. You may have read this in the archives already: it's much harder to shape downstream than upstream, because you can't really influence what the other side is sending you. So no matter what you do it's probably hard to get near-optimal results.

> This is my HTB config (using latest htb-init script):

I must admit I'm not familiar with htb-init. What are the parent-child relationships here? I'm missing the "internet" parent class that groups all the other traffic (except local) together. Does htb-init generate that on its own somehow? If not, chances are your HTB tree is just exceeding your line capacity in general, as all classes are allowed to borrow without limit, rendering the prio setting ineffective, leading to random results.

Could you post the output of 'tc -d qdisc/class show dev $DEVICE'?

Regards,
Andreas Klauer

From GregScott at InfraSupportEtc.com Tue Feb 21 03:51:48 2006
From: GregScott at InfraSupportEtc.com (Greg Scott) Date: Tue Feb 21 03:51:50 2006 Subject: [LARTC] Proxy ARP and UDP Message-ID: <925A849792280C4E80C5461017A4B8A20320D2@mail733.InfraSupportEtc.com>

Hmmmm - I turned off rp_filter (echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter, and the same for eth1) and ran several test calls. It all worked. But I still don't understand why I see less than 1 percent of the packets on the eth0 interface with tcpdump.

- Greg

> but I bet the problem is rp_filter.
> --
> gypsy

From Andreas.Klauer at metamorpher.de Tue Feb 21 08:52:49 2006
From: Andreas.Klauer at metamorpher.de (Andreas Klauer) Date: Tue Feb 21 08:52:55 2006 Subject: [LARTC] HTB, strange capacity distribution In-Reply-To: <1579686043.20060221004959@elusion.sk> References: <131577286.20060220225933@elusion.sk> <20060220225929.GA19681@EIS> <1579686043.20060221004959@elusion.sk> Message-ID: <20060221075249.GA10343@EIS>

On Tue, Feb 21, 2006 at 12:49:59AM +0100, Boris Gereg wrote:
> (first of all, please, how to reply to some article in LARTC via mail
> to post it into right thread?)

Using 'reply all', or 'reply list' if your mail software offers it. If all else fails, just hit 'reply' and add the mailing list to CC.

> So, I am definitely shaping outgoing traffic (upstream)

Yes, outgoing traffic from router to your network, which actually contains the downstream traffic from the internet. Right?

> tc -d class show dev eth0
>
> class htb 1:2 root rate 100000Kbit ceil 100000Kbit burst 51587b/8 mpu 0b overhead 0b cburst 51587b/8 mpu 0b overhead 0b level 7
>
> class htb 1:2000 parent 1:2 leaf 2000: prio 0 quantum 200000 rate 50000Kbit ceil 100000Kbit burst 26593b/8 mpu 0b overhead 0b cburst 51587b/8 mpu 0b overhead 0b level 0
>
> class htb 1:3010 parent 1:2 leaf 3010: prio 1 quantum 1000 rate 64000bit ceil 256000bit burst 1631b/8 mpu 0b overhead 0b cburst 1727b/8 mpu 0b overhead 0b level 0
>
> class htb 1:3020 parent 1:2 leaf 3020: prio 2 quantum 1600 rate 128000bit ceil 768000bit burst 1663b/8 mpu 0b overhead 0b cburst 1983b/8 mpu 0b overhead 0b level 0
>
> class htb 1:3030 parent 1:2 leaf 3030: prio 3 quantum 6400 rate 512000bit ceil 2048Kbit burst 1855b/8 mpu 0b overhead 0b cburst 2623b/8 mpu 0b overhead 0b level 0
>
> class htb 1:5040 parent 1:2 leaf 5040: prio 4 quantum 4825 rate 386000bit ceil 386000bit burst 1792b/8 mpu 0b overhead 0b cburst 1792b/8 mpu 0b overhead 0b level 0

It's as I suspected, your current HTB tree looks like this:

1: HTB Qdisc
|
\--- 1:2 HTB root class (100000Kbit:100000kbit)
     |
     \--- 1:2000 HTB leaf class (50000Kbit:100000Kbit)
     \--- 1:3010 HTB leaf class (64000bit:256000bit)
     \--- 1:3020 HTB leaf class (128000bit:768000bit)
     \--- 1:3030 HTB leaf class (512000bit:2048Kbit)
     \--- 1:5040 HTB leaf class (386000bit:386000bit)

HTB classes borrow from their parent; in this setup, the parent class offers a whopping 100000Kbit for that purpose. Unless the 1:2000 class has got a very high priority and is maxing out the line all the time, there is no limit to borrowing at all, because the other classes will never reach the 100000Kbit from their parent.

So the classes above are actually not limited by their rate, but by their ceil; the only class that will respect its rate in this setup is 1:5040, because it's got the same rate and ceil.

Assuming that 1:5040 was your P2P class, if you set the ceil of this class to 2048Kbit, it will (try to) use 2048Kbit at all times, because the parent (thinks it) is able to offer it.

You need a class that knows of your total internet bandwidth somewhere. Assuming that it is 2048Kbit, your tree should maybe look more like this:

1: HTB Qdisc
|
\--- 1:2 HTB root class (100000Kbit:100000kbit)
     |
     \--- 1:2000 HTB leaf class (50000Kbit:100000Kbit)
     |
     \--- 1:3000 HTB parent class (2048Kbit:2048Kbit)
          |
          \--- 1:3010 HTB leaf class (64000bit:256000bit)
          \--- 1:3020 HTB leaf class (128000bit:768000bit)
          \--- 1:3030 HTB leaf class (512000bit:2048Kbit)
          \--- 1:5040 HTB leaf class (386000bit:386000bit)

In this setup, the 2048Kbit class is the limiting factor for the leaf classes, except for the 1:2000 class, which should be used for local LAN traffic only.

HTH
Andreas Klauer

From qwerty at elusion.sk Tue Feb 21 14:21:36 2006
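Andreas's diagnosis can be automated: the two properties he checks by eye are that children never have more guaranteed rate than their parent, and that every internet-facing leaf sits under a class whose rate equals the real link, since otherwise "rate" guarantees nothing and each leaf is bounded only by its own ceil. The following is an added example, not code from the thread, that reads `tc -d class show dev $DEV` output and reports both problems; it also answers the earlier tbf burst question with a helper, because a TBF bucket smaller than one full packet can never let that packet through (it is dropped by the kernel's tbf qdisc, which is the behaviour Andreas Hasenack saw and not something the thread states). The link capacity (2048 kbit) and the two embedded trees are taken from Boris's mails and abridged; they are labelled as constructed test input.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks an HTB class tree from
# `tc -d class show dev $DEV` for:
#   1. children whose rates add up to more than the parent's rate (OVERSUBSCRIBED);
#   2. a child ceil above its parent's ceil (the child never gets it);
#   3. leaves with ceil <= the link whose parent's rate exceeds the link, i.e.
#      leaves that borrow from a class which does not know the real capacity.
# LINK_BITS is the assumed link capacity in bit/s.

LINK_BITS="${LINK_BITS:-2048000}"

# htb_check [LINK_BITS] < tc-output -> one report line per finding
htb_check() {
    awk -v link="${1:-$LINK_BITS}" '
    function bits(s) {                      # "2048Kbit" -> 2048000
        if (s ~ /Gbit$/) return substr(s, 1, length(s) - 4) * 1000000000
        if (s ~ /Mbit$/) return substr(s, 1, length(s) - 4) * 1000000
        if (s ~ /Kbit$/) return substr(s, 1, length(s) - 4) * 1000
        if (s ~ /bit$/)  return substr(s, 1, length(s) - 3) + 0
        return -1
    }
    $1 == "class" && $2 == "htb" {
        id = $3
        parent[id] = ($4 == "root") ? "" : $5
        for (i = 4; i <= NF; i++) {
            if ($i == "rate") rate[id] = bits($(i + 1))
            if ($i == "ceil") ceil[id] = bits($(i + 1))
        }
        if (parent[id] != "") { kids_rate[parent[id]] += rate[id]; kids[parent[id]]++ }
        order[++n] = id
    }
    END {
        for (k = 1; k <= n; k++) {
            id = order[k]; p = parent[id]
            if (kids[id] > 0)
                printf "%s rate=%d children=%d %s\n", id, rate[id], kids_rate[id],
                       (kids_rate[id] <= rate[id]) ? "OK" : "OVERSUBSCRIBED"
            if (p != "" && ceil[id] > ceil[p])
                printf "%s ceil=%d above parent %s ceil=%d\n", id, ceil[id], p, ceil[p]
            if (p != "" && kids[id] == 0 && ceil[id] <= link && rate[p] > link)
                printf "%s LEAF ceil=%d borrows from %s rate=%d which exceeds link %d\n",
                       id, ceil[id], p, rate[p], link
        }
    }'
}

# tbf_min_burst RATE_BITS HZ MTU -> smallest usable burst in bytes: the larger
# of the per-tick token arrival (rate/HZ, as tc-tbf(8) says) and one full packet
tbf_min_burst() {
    awk -v rate="$1" -v hz="$2" -v mtu="$3" 'BEGIN {
        tick = rate / 8 / hz
        v = (tick > mtu) ? int(tick + 0.5) : mtu
        print v
    }'
}

# Constructed input: Boris'"'"'s first tree (all leaves under the 100Mbit root class)
SAMPLE_BROKEN='class htb 1:2 root rate 100000Kbit ceil 100000Kbit burst 51587b/8 level 7
class htb 1:2000 parent 1:2 leaf 2000: prio 0 quantum 200000 rate 50000Kbit ceil 100000Kbit level 0
class htb 1:3010 parent 1:2 leaf 3010: prio 1 quantum 1000 rate 64000bit ceil 256000bit level 0
class htb 1:3020 parent 1:2 leaf 3020: prio 2 quantum 1600 rate 128000bit ceil 768000bit level 0
class htb 1:3030 parent 1:2 leaf 3030: prio 3 quantum 6400 rate 512000bit ceil 2048Kbit level 0
class htb 1:5040 parent 1:2 leaf 5040: prio 4 quantum 4825 rate 386000bit ceil 386000bit level 0'

# Constructed input: the reworked tree with a 2048Kbit internet parent class
SAMPLE_FIXED='class htb 1:2 root rate 100000Kbit ceil 100000Kbit level 7
class htb 1:2000 parent 1:2 leaf 2000: prio 0 quantum 200000 rate 50000Kbit ceil 100000Kbit level 0
class htb 1:3000 parent 1:2 rate 2048Kbit ceil 2048Kbit level 6
class htb 1:3010 parent 1:3000 leaf 3010: prio 1 quantum 1000 rate 64000bit ceil 256000bit level 0
class htb 1:3020 parent 1:3000 leaf 3020: prio 2 quantum 1600 rate 128000bit ceil 768000bit level 0
class htb 1:3030 parent 1:3000 leaf 3030: prio 3 quantum 12800 rate 1024Kbit ceil 2048Kbit level 0
class htb 1:5040 parent 1:3000 leaf 5040: prio 4 quantum 1600 rate 128000bit ceil 256000bit level 0'

# unbounded_leaves TREE -> number of leaves flagged by check 3
unbounded_leaves() {
    printf '%s\n' "$1" | htb_check | grep -c LEAF || true
}
```

Usage on a live box is `tc -d class show dev eth0 | htb_check 2048000`. On the first tree it flags the four internet leaves and reports `1:2 rate=100000000 children=51090000 OK`; on the reworked tree it reports `1:3000 rate=2048000 children=1344000 OK` and flags nothing, which is exactly the difference Andreas describes. For the tbf question, `tbf_min_burst 200000 100 1500` gives 1500: the rate/HZ figure of 250 bytes is below one Ethernet frame, so 250b, 300b and 900b all drop every full-size packet and the first value above the MTU (2000b) is the first that works; the unit really is bytes.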
From: qwerty at elusion.sk (Boris Gereg) Date: Tue Feb 21 14:21:39 2006 Subject: [LARTC] HTB, strange capacity distribution In-Reply-To: <20060221075249.GA10343@EIS> References: <131577286.20060220225933@elusion.sk> <20060220225929.GA19681@EIS> <1579686043.20060221004959@elusion.sk> <20060221075249.GA10343@EIS> Message-ID: <1006637741.20060221142136@elusion.sk>

Hello, thanks Andreas,

I reconfigured HTB to get your suggested hierarchy:

AK> 1: HTB Qdisc
AK> |
AK> \--- 1:2 HTB root class (100000Kbit:100000kbit)
AK>      |
AK>      \--- 1:2000 HTB leaf class (50000Kbit:100000Kbit)      #local
AK>      |
AK>      \--- 1:3000 HTB parent class (2048Kbit:2048Kbit)
AK>           |
AK>           \--- 1:3010 HTB leaf class (64000bit:256000bit)   #ctrl
AK>           \--- 1:3020 HTB leaf class (128000bit:768000bit)  #other
AK>           \--- 1:3030 HTB leaf class (512000bit:2048Kbit)   #www
AK>           \--- 1:5040 HTB leaf class (386000bit:386000bit)  #p2p

tc -d class show dev eth0

class htb 1:2 root rate 100000Kbit ceil 100000Kbit burst 51587b/8 mpu 0b overhead 0b cburst 51587b/8 mpu 0b overhead 0b level 7

# local:
class htb 1:2000 parent 1:2 leaf 2000: prio 0 quantum 200000 rate 50000Kbit ceil 100000Kbit burst 26593b/8 mpu 0b overhead 0b cburst 51587b/8 mpu 0b overhead 0b level 0

# root for internet traffic
class htb 1:3000 parent 1:2 rate 2048Kbit ceil 2048Kbit burst 2623b/8 mpu 0b overhead 0b cburst 2623b/8 mpu 0b overhead 0b level 6

# "ctrl" class
class htb 1:3010 parent 1:3000 leaf 3010: prio 1 quantum 1000 rate 64000bit ceil 256000bit burst 1631b/8 mpu 0b overhead 0b cburst 1727b/8 mpu 0b overhead 0b level 0

# "other" class
class htb 1:3020 parent 1:3000 leaf 3020: prio 2 quantum 1600 rate 128000bit ceil 768000bit burst 1663b/8 mpu 0b overhead 0b cburst 1983b/8 mpu 0b overhead 0b level 0

# "www" class
class htb 1:3030 parent 1:3000 leaf 3030: prio 3 quantum 12800 rate 1024Kbit ceil 2048Kbit burst 2111b/8 mpu 0b overhead 0b cburst 2623b/8 mpu 0b overhead 0b level 0

# "p2p" class
class htb 1:5040 parent 1:3000 leaf 5040: prio 4 quantum 1600 rate 128000bit ceil 256000bit burst 1663b/8 mpu 0b overhead 0b cburst 1727b/8 mpu 0b overhead 0b level 0

Sorry to say, the results are not as expected. I made new measurements; please see the following picture (based on the HTB config above): http://elusion.sk/visual_inet_6.png

Point A - until now, the "p2p" class had CEIL 386 kbit. Now I reset the "p2p" class CEIL to 2048 kbit. As you can see, "p2p" rose as expected.

Point B - "www" class RATE-CEIL is 512-2048 kbit, "p2p" class RATE-CEIL is 128-2048 kbit. PROBLEM: why did "www" not get more capacity?

Point C - "www" class RATE-CEIL is 1536-2048 kbit, "p2p" class RATE-CEIL is 128-2048 kbit. PROBLEM: RATE of "www" is 1536, but the class did not get this capacity; "p2p" should fall to its RATE of 256 kbit.

Point D - "www" class RATE-CEIL is 1024-2048 kbit, "p2p" class RATE-CEIL is 128-2048 kbit - no change.

Point E - "www" class RATE-CEIL is 1024-2048 kbit, "p2p" class RATE-CEIL is 128-256 kbit - as expected: "p2p" is bounded to the 256 kbit limit, so the rest of the capacity was used by the "www" class.

I had expected that in points B, C and D, the "p2p" class falls down to its specified rate and "www" gets most of the capacity. But this is not happening - "p2p" will not fall down.

Any other things to test, please?

Best regards,
B. Gereg
mailto:qwerty@elusion.sk

-----Original message-----
From: Andreas Klauer [mailto:Andreas.Klauer@metamorpher.de]
Sent: Tuesday, February 21, 2006, 8:52:49 AM
To: qwerty@elusion.sk
Subject: [LARTC] HTB, strange capacity distribution

[quoted copy of Andreas Klauer's message above omitted]

From laimis at email.lt Tue Feb 21 15:03:53 2006
From: laimis at email.lt (Laimis)
Date: Tue Feb 21 15:03:56 2006
Subject: [LARTC] Best internet traffic shaping for small lan
Message-ID: <20060221140353.7F0F961D0F@wind.delfi.lt>

I'm the admin of 50 clients. Sometimes I upgrade my internet traffic shaping script. I think the rules of internet traffic shaping are a very important thing! I would like to ask for some help from people who understand something about SQUID ZPH and TC, to aim for better internet traffic shaping scripts.

Squid has ZPH support, because it responds to such commands as:

zph_tos_local 8
zph_tos_peer 0
zph_tos_parent off

The next 2 commands SQUID is not responding to (I think it's because of the KERNEL..). As I read about it on the ZPH site, I think those 2 commands are not useful for my idea. :)

zph_preserve_miss_tos on
zph_preserve_miss_tos_mask 255

With the help of TC I tried to configure the flow of SQUID packets, but I failed. I want to configure with TC the eth0 (lan) SQUID packets except SQUID CACHE packets. I'm asking for your help!!! How must the TC script look, which could control all clients' speed to the internet? ZPH shapes I want to use with my IPShaping script. 1 IP could get a limit in KB/S + SQUID CACHE.

My IPShaping script controls every IP address's kbit/sec except traffic to the server:

#!/bin/bash
TC=/sbin/tc
HOSTS_LIST="192.168.1.3 192.168.1.4 192.168.1.5 192.168.1.6 192.168.1.7 192.168.1.8 192.168.1.9 192.168.1.10 192.168.1.11..."
DEV=eth0        # ethLAN
IMQ=imq0        # --todev 0
NM=17

DN_BANDWIDTH=760Kbit
DN=105Kbit      # per-host ceil, download
DN_RATE=70Kbit
UP_BANDWIDTH=600Kbit
UP=70Kbit       # per-host ceil, upload
UP_RATE=50Kbit

$TC qdisc add dev $DEV root handle 1: htb #default 50
$TC class add dev $DEV parent 1: classid 1:1 htb rate ${DN_BANDWIDTH} quantum 1500
iptables -t mangle -N DN_SHAPING

ip link set $IMQ up
$TC qdisc add dev $IMQ root handle 1: htb
$TC class add dev $IMQ parent 1: classid 1:1 htb rate ${UP_BANDWIDTH} quantum 1500
iptables -t mangle -N UP_SHAPING

for i in $HOSTS_LIST
do
    IP=$(echo $i | awk -F '.' '{print $4}')

    # Download MARK
    tc class add dev $DEV parent 1:1 classid 1:$NM$IP htb rate ${DN_RATE} ceil ${DN} prio 0 quantum 1500
    tc qdisc add dev $DEV parent 1:$NM$IP handle $NM$IP: sfq perturb 6
    tc filter add dev $DEV parent 1:0 prio 0 protocol ip handle $NM$IP fw flowid 1:$NM$IP

    tc class add dev $IMQ parent 1:1 classid 1:$NM$IP htb rate ${UP_RATE} ceil ${UP} prio 0 quantum 1500
    tc qdisc add dev $IMQ parent 1:$NM$IP handle $NM$IP: sfq perturb 6
    tc filter add dev $IMQ parent 1:0 prio 0 protocol ip handle $NM$IP fw flowid 1:$NM$IP

    iptables -t mangle -A DN_SHAPING -s ! 192.168.1.2 -d $i -j MARK --set-mark $NM$IP
    iptables -t mangle -A UP_SHAPING -s $i -d ! 192.168.1.2 -j MARK --set-mark $NM$IP
done

iptables -t mangle -I POSTROUTING -o $DEV -j DN_SHAPING
iptables -t mangle -I PREROUTING -i $DEV -j UP_SHAPING
iptables -t mangle -A UP_SHAPING -j IMQ --todev 0

<--------------------===================================-------------------->
DELFI mail pašto sistema http://www.mail.lt

From laimis at email.lt Tue Feb 21 15:11:35 2006
From: laimis at email.lt (Laimis)
Date: Tue Feb 21 15:11:37 2006
Subject: [LARTC] Shaping by IP's
Message-ID: <20060221141135.9F35961D6B@wind.delfi.lt>

If at one time 3 IP addresses are using the internet. TC script:

DEV=eth0                # LAN
SERVER_IP=192.168.1.2   # eth0 ip address

tc qdisc add dev $DEV root handle 1: htb default 255
tc class add dev $DEV parent 1: classid 1:1 htb rate 384Kbit quantum 1500

tc class add dev $DEV parent 1:1 classid 1:20 htb rate 128Kbit ceil 384Kbit prio 0 quantum 1500
tc class add dev $DEV parent 1:1 classid 1:21 htb rate 128Kbit ceil 384Kbit prio 0 quantum 1500
tc class add dev $DEV parent 1:1 classid 1:22 htb rate 128Kbit ceil 384Kbit prio 0 quantum 1500

tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 6
tc qdisc add dev $DEV parent 1:21 handle 21: sfq perturb 6
tc qdisc add dev $DEV parent 1:22 handle 22: sfq perturb 6

tc filter add dev $DEV parent 1:0 prio 0 protocol ip handle 20 fw flowid 1:20
tc filter add dev $DEV parent 1:0 prio 0 protocol ip handle 21 fw flowid 1:21
tc filter add dev $DEV parent 1:0 prio 0 protocol ip handle 22 fw flowid 1:22

iptables -t mangle -I POSTROUTING -o $DEV -s ! $SERVER_IP -d 192.168.1.20 -j MARK --set-mark 20
iptables -t mangle -I POSTROUTING -o $DEV -s ! $SERVER_IP -d 192.168.1.21 -j MARK --set-mark 21
iptables -t mangle -I POSTROUTING -o $DEV -s ! $SERVER_IP -d 192.168.1.22 -j MARK --set-mark 22

If we switch on, on 2 PCs (192.168.1.20 & 192.168.1.21), many p2p programs and FTP with many connections, and on the 3rd PC (192.168.1.22) an FTP download with one connection, then the 3rd PC gets less than 128kbit. If I want all 3 PCs to get NOT LESS than 128kbit, what should I do with my script?

If I could solve this BIG problem, then I could use it with my IPShaping script, and a user at night, when the flow is free, could get all the internet speed.

<--------------------===================================-------------------->
DELFI mail pašto sistema http://www.mail.lt

From mailinglists at lucassen.org Tue Feb 21 17:25:17 2006
From: mailinglists at lucassen.org (richard lucassen)
Date: Tue Feb 21 17:25:21 2006
Subject: [LARTC] invert u32 match selector
Message-ID: <20060221172517.6e5a433c.mailinglists@lucassen.org>

Is it possible to negate the "match" to the ip? I want to match all traffic to dport 80 NOT going to dst 1.2.3.4:

$TC filter add dev ${DEV_IFB} parent 1:0 prio 2 protocol ip u32 \
    match ip protocol 0x6 0xff \
    match ip dport 80 0xffff \
    match ip dst 1.2.3.4/32 \
    classid 1:14

I can't find it in the docs. I tried "!" "\!" and "not" in several places, but it always resulted in an "illegal match".

R.

--
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
| Public key and email address:                                    |
| http://www.lucassen.org/mail-pubkey.html                         |
+------------------------------------------------------------------+

From admin at vdx.lt Wed Feb 22 10:43:40 2006
From: admin at vdx.lt (Vaidas)
Date: Wed Feb 22 10:43:48 2006
Subject: [LARTC] invert u32 match selector
In-Reply-To: <20060221172517.6e5a433c.mailinglists@lucassen.org>
Message-ID: <20060222094338.C50104088@outpost.ds9a.nl>

With u32 you cannot negate, that's why it is lame...

Use iptables for marking packets

$TC filter add dev ${DEV_IFB} parent 1:0 prio 2 protocol ip handle 14 fw classid 1:14

iptables -t mangle -A PREROUTING -p TCP --dport 80 -d ! 1.2.3.4 -j MARK --set-mark 14

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of richard lucassen
Sent: 2006 m. vasario 21 d. 18:25
To: lartc@mailman.ds9a.nl
Subject: [LARTC] invert u32 match selector

Is it possible to negate the "match" to the ip? I want to match all traffic to dport 80 NOT going to dst 1.2.3.4:

$TC filter add dev ${DEV_IFB} parent 1:0 prio 2 protocol ip u32 \
    match ip protocol 0x6 0xff \
    match ip dport 80 0xffff \
    match ip dst 1.2.3.4/32 \
    classid 1:14

I can't find it in the docs. I tried "!" "\!" and "not" in several places, but it always resulted in an "illegal match".

R.

--
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
| Public key and email address:                                    |
| http://www.lucassen.org/mail-pubkey.html                         |
+------------------------------------------------------------------+

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

__________ NOD32 1.1415 (20060221) Information __________
This message was checked by NOD32 antivirus system.
http://www.nod32.com

From lists at aj.net-lab.net Wed Feb 22 11:20:23 2006
From: lists at aj.net-lab.net (Andreas John)
Date: Wed Feb 22 11:20:25 2006
Subject: [LARTC] iproute2 dump nat
Message-ID: <20060222102020.GB29724@imap.internetcave.org>

Sorry for disturbing you, but I am not aware of a specialized forum/ml for iproute2.

I try to use iproute2's dumb nat; I tried with kernels 2.4.27, .32 and 2.6.8. While DNAT is working fine, I am not able to do any SNAT:

2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:04:e2:10:88:5f brd ff:ff:ff:ff:ff:ff
    inet 10.10.20.10/24 brd 10.135.28.255 scope global eth0
    inet6 fe80::204:e2ff:fe10:885f/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:04:e2:10:80:d2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.1/24 scope global eth1

I defined an ip rule:

lb-test-11:/usr/src/packages# ip rul sh
0:      from all lookup local
32764:  from 192.168.3.2 lookup main map-to 10.10.20.11
32766:  from all lookup main
32767:  from all lookup default

Packets coming in here (from 192.168.3.2):

# tcpdump -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
16:53:07.472210 IP 192.168.3.2 > 10.10.20.80: icmp 64: echo request seq 1366
16:53:08.471939 IP 192.168.3.2 > 10.10.20.80: icmp 64: echo request seq 1367
16:53:09.471768 IP 192.168.3.2 > 10.10.20.80: icmp 64: echo request seq 1368

and go out here (they are _from_ 192.168.3.2, so policy 32764 should match):

# tcpdump -n -i eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
16:54:45.454799 IP 192.168.3.2 > 10.10.20.80: icmp 64: echo request seq 1464
16:54:46.454559 IP 192.168.3.2 > 10.10.20.80: icmp 64: echo request seq 1465
16:54:47.454396 IP 192.168.3.2 > 10.10.20.80: icmp 64: echo request seq 1466

Source NAT is not taking place. And no, I don't have any iptables rules in PREROUTING.

Am I too dumb for this or do I miss the point? Is there a way to log which policies are "hit" by packets?

Best Regards,
Andreas

From mailinglists at lucassen.org Wed Feb 22 11:35:15 2006
From: mailinglists at lucassen.org (richard lucassen)
Date: Wed Feb 22 11:35:17 2006
Subject: [LARTC] invert u32 match selector
In-Reply-To: <20060222094338.C50104088@outpost.ds9a.nl>
References: <20060221172517.6e5a433c.mailinglists@lucassen.org> <20060222094338.C50104088@outpost.ds9a.nl>
Message-ID: <20060222113515.0dce15d2.mailinglists@lucassen.org>

On Wed, 22 Feb 2006 11:43:40 +0200
"Vaidas" wrote:

> With u32 you cannot negate, that's why it is lame...

And why doesn't this work? (I send all port 80 to 1.2.3.4 to class 14 /before/ I send the rest to classid 13):

$TC filter add dev ${DEV_IFB} parent 1:0 prio 2 protocol ip u32 \
    match ip protocol 0x6 0xff \
    match ip dport 80 0xffff \
    match ip dst 1.2.3.4/32 \
    classid 1:14

$TC filter add dev ${DEV_IFB} parent 1:0 prio 2 protocol ip u32 \
    match ip protocol 0x6 0xff \
    match ip dport 80 0xffff \
    classid 1:13

Any ideas?

> Use iptables for marking packets
>
> $TC filter add dev ${DEV_IFB} parent 1:0 prio 2 protocol ip handle 14
> fw classid 1:14
>
> Iptables -t mangle -A PREROUTING -p TCP --dport 80 -d ! 1.2.3.4 -j
> MARK --set-mark 14

Ok, thnx. That's of course a solution, but I just wondered if this were possible with u32...

R.

--
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
| Public key and email address:                                    |
| http://www.lucassen.org/mail-pubkey.html                         |
+------------------------------------------------------------------+

From lartc at ssi.bg Wed Feb 22 12:04:09 2006
From: lartc at ssi.bg (Anton Glinkov)
Date: Wed Feb 22 12:04:13 2006
Subject: [LARTC] invert u32 match selector
In-Reply-To: <20060222113515.0dce15d2.mailinglists@lucassen.org>
References: <20060221172517.6e5a433c.mailinglists@lucassen.org> <20060222094338.C50104088@outpost.ds9a.nl> <20060222113515.0dce15d2.mailinglists@lucassen.org>
Message-ID: <54179.217.79.71.231.1140606249.squirrel@217.79.71.231>

You should change the prios. The first filter should have a lower prio number than the second. That means that it is processed first and whatever is not matched by it is passed on to filters with a higher prio number.

> On Wed, 22 Feb 2006 11:43:40 +0200
> "Vaidas" wrote:
>
>> With u32 you cannot negate, that's why it is lame...
>
> And why doesn't this work? (I send all port 80 to 1.2.3.4 to class 14
> /before/ I send the rest to classid 13):
>
> $TC filter add dev ${DEV_IFB} parent 1:0 prio 2 protocol ip u32 \
>     match ip protocol 0x6 0xff \
>     match ip dport 80 0xffff \
>     match ip dst 1.2.3.4/32 \
>     classid 1:14
>
> $TC filter add dev ${DEV_IFB} parent 1:0 prio 2 protocol ip u32 \
>     match ip protocol 0x6 0xff \
>     match ip dport 80 0xffff \
>     classid 1:13
>
> Any ideas?
>
>> Use iptables for marking packets
>>
>> $TC filter add dev ${DEV_IFB} parent 1:0 prio 2 protocol ip handle 14
>> fw classid 1:14
>>
>> Iptables -t mangle -A PREROUTING -p TCP --dport 80 -d ! 1.2.3.4 -j
>> MARK --set-mark 14
>
> Ok, thnx. That's of course a solution, but I just wondered if this were
> possible with u32...
>
> R.
>
> --
> ___________________________________________________________________
> It is better to remain silent and be thought a fool, than to speak
> aloud and remove all doubt.
>
> +------------------------------------------------------------------+
> | Richard Lucassen, Utrecht                                        |
> | Public key and email address:                                    |
> | http://www.lucassen.org/mail-pubkey.html                         |
> +------------------------------------------------------------------+
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

--
Anton Glinkov
network administrator

From scamp at untergrund.net Wed Feb 22 14:33:32 2006
From: scamp at untergrund.net (Simon Kissel)
Date: Wed Feb 22 14:33:40 2006
Subject: [LARTC] ICMP time exceeded in-transit sent from wrong interface
Message-ID: <965501656.20060222143332@untergrund.net>

Hi,

I've got a rather confusing problem. My linux router box has several internet uplinks of various kinds (pppoe, ippp, ethernet). These uplinks are used by a tunnel to another location. It kinda looks like this:

eth0 - internet uplink
eth1 - LAN
tun0 - tunnel device
ppp0 - another internet uplink
...

Routing is set up with iproute2 in a way that packets with a source IP from the LAN are routed to the tun0 device. Both the tunnel and the LAN use public IP addresses. All of this works just fine. Packets come in via the tunnel (physically that would be eth0-tun0) and then get sent to eth1 (lan). So, eth0-tun0-eth1. It also works in the other direction.

There is just one slight annoyance. Doing a traceroute from the outside, one would expect to see the following hops:

far tunnel endpoint
eth1
target in LAN.

Instead, I see:

far tunnel endpoint
eth0
target in LAN.

In other words (sorry, I'm not perfect at this): During the traceroute, a packet should arrive through tun0, and during the forward to eth1 the TTL should get decremented, the kernel should notice the TTL has been exceeded, and then it should send back an "ICMP time exceeded in-transit" message. Well, that message gets generated, but it does not get sent from the interface IP of eth1, but instead from that of eth0. This makes it look like the route goes tun0-eth0-eth1 instead of tun0-eth1. Checking with tcpdump I can see that in reality nothing gets routed to eth0 and back - it's only the ICMP message that gets sent from the wrong interface.

My question now is: WHY does that happen, and what could I do against it? Is there some kernel setting or mechanism that decides which interface is used when sending ICMP time exceeded in-transit messages? My goal is that the message gets generated for the correct hop...

Thanks in advance for any help and pointers!

Simon

From ahasenack at terra.com.br Wed Feb 22 17:35:47 2006
From: ahasenack at terra.com.br (Andreas Hasenack)
Date: Wed Feb 22 17:35:52 2006
Subject: [LARTC] mysterious rebounce in htb
Message-ID: <20060222163546.GG3443@mandriva.com>

Attached is a graph obtained with ethereal where after time +/-45s there is a rebounce which I can't explain. Setup is this:

- my machine starts to generate traffic at maximum speed against a target machine (using nc < /dev/zero here and nc -l > /dev/null there)
- traffic pattern is:
  0s: dst port 2500 (red)
  20s: dst port 8000 (blue)
  40s: kill port 2500 traffic
  60s: kill port 8000 traffic
- htb is limiting that traffic to 100mbps at all times (see below for htb configuration)

Could that bounce be a result of some wrong configuration I have? Or some other traffic interfering with my measurements? I used a "host 10.0.16.10" filter in ethereal, and since the bounce is "compensated" in the other traffic I don't think it was some external interference, but who knows.

htb config is created by this script. Note I created two root classes so that my regular work on this desktop doesn't interfere with the measurements and tests I'm performing (or so I hope):

#!/bin/bash
DEV=eth0
WWWPORT=8000
SMTPPORT=2500
MAPI=10.0.16.10

tc qdisc del dev $DEV root > /dev/null 2>&1

# root qdisc
tc qdisc add dev $DEV handle 1: root htb default 2

# root classes
tc class add dev $DEV classid 1:1 parent 1: htb rate 100kbps
tc class add dev $DEV classid 1:2 parent 1: htb rate 90mbit
tc qdisc add dev $DEV handle 2: parent 1:2 sfq perturb 10

# a/www
tc class add dev $DEV classid 1:10 parent 1:1 htb rate 30kbps ceil 100kbps prio 0
tc qdisc add dev $DEV handle 10: parent 1:10 sfq perturb 10

# a/smtp
tc class add dev $DEV classid 1:11 parent 1:1 htb rate 10kbps ceil 100kbps prio 0
tc qdisc add dev $DEV handle 20: parent 1:11 sfq perturb 10

# b
tc class add dev $DEV classid 1:12 parent 1:1 htb rate 60kbps ceil 100kbps
tc qdisc add dev $DEV handle 30: parent 1:12 sfq perturb 10

# anything going to mapi8 lands in class 1:1
tc filter add dev $DEV parent 1:0 prio 10 protocol ip u32 \
    match ip dst $MAPI/32 \
    flowid 1:1

# on 1:1: a/www -> 1:10
tc filter add dev $DEV parent 1:1 prio 5 protocol ip u32 \
    match ip dst $MAPI/32 \
    match ip protocol 0x06 0xff \
    match ip dport $WWWPORT 0xffff \
    flowid 1:10

# on 1:1: a/smtp -> 1:11
tc filter add dev $DEV parent 1:1 prio 5 protocol ip u32 \
    match ip dst $MAPI/32 \
    match ip protocol 0x06 0xff \
    match ip dport $SMTPPORT 0xffff \
    flowid 1:11

# on 1:1: b (telnet, for example) -> 1:12
tc filter add dev $DEV parent 1:1 prio 5 protocol ip u32 \
    match ip dst $MAPI/32 \
    match ip protocol 0x06 0xff \
    match ip dport 23 0xffff \
    flowid 1:12

-------------- next part --------------
A non-text attachment was scrubbed...
Name: rebounce-ann.png
Type: image/png
Size: 6311 bytes
Desc: not available
Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20060222/72158af5/rebounce-ann.png

From Andreas.Klauer at metamorpher.de Wed Feb 22 18:15:42 2006
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Wed Feb 22 18:15:48 2006
Subject: [LARTC] HTB, strange capacity distribution
In-Reply-To: <1006637741.20060221142136@elusion.sk>
References: <131577286.20060220225933@elusion.sk> <20060220225929.GA19681@EIS> <1579686043.20060221004959@elusion.sk> <20060221075249.GA10343@EIS> <1006637741.20060221142136@elusion.sk>
Message-ID: <20060222171542.GA10856@EIS>

On Tue, Feb 21, 2006 at 02:21:36PM +0100, Boris Gereg wrote:
> thanks Andreas, I reconfigured HTB to get your suggested hierarchy:

One thing I forgot in my graph: Make sure that the rates always add up, i.e. the sum of the child class rates should equal the parent class rate. It's unlikely to be the cause of your problem, but it's important to get this right nevertheless.

> Any other things to test, please?

Just to see whether we are going in the right direction at all, could you run the following experiment:

- Lower the rate and ceil of class 1:2 to 8096kbit.
- Lower the rate and ceil of class 1:2000 to 7072kbit.
- Lower the rate and ceil of class 1:3000 to 1024kbit.
- For class 1:3010, set rate to 64kbit, ceil to 256kbit.
- For class 1:3020, set rate to 128kbit, ceil to 768kbit.
- For class 1:3040, set rate to 704kbit, ceil to 1024kbit.
- For class 1:5040, set rate to 128kbit, ceil to 1024kbit.

(You can adjust the rates for these classes as you like, just make sure that the sum is 1024kbit)

If in this setup the shaping works as expected - WWW should get 704kbit at all times, P2P only slightly more than 128kbit while WWW downloads are active - then the limiting and distribution of HTB most likely works, and it's just too high rates or r2q/quantum that make it go bad. In this case, you'd have to measure realistic throughput rates of your network (even a 100mbit LAN may not be able to guarantee 100000kbit at all times) and of your internet connection (may not be able to serve 2048kbit at all times). For downstream shaping to work, you have to be the bottleneck.

If you get the same problem in this setup (P2P taking all the bandwidth away from WWW), then the problem is most likely something different, and we have to look at it from a different angle.

Regards
Andreas Klauer

From qwerty at elusion.sk Thu Feb 23 05:00:12 2006
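The experiment Andreas Klauer lays out above, as an added example rather than a script posted in the thread: a small sh script that keeps his class numbers in a table, refuses to print a single tc command unless every parent's rate equals the sum of its children's rates (the rule he opens the message with), and attaches an sfq to each leaf. The interface name, the MTU used as quantum, the choice of 1:3020 as the default class and the table layout are the example's own assumptions; print the commands and read them before piping them into sh on the router.

```shell
#!/bin/sh
# Added example, not a script from the LARTC thread. Builds the HTB tree of
# the experiment above from a table and prints nothing at all if some
# parent's rate is not the sum of its children's rates.
# DEV, MTU, the default class and the table layout are assumptions.

DEV=${DEV:-eth0}
MTU=${MTU:-1500}

# classid  parent  rate(kbit)  ceil(kbit)  prio    -- "1:" is the qdisc itself
TREE='
1:2    1:     8096 8096 0
1:2000 1:2    7072 7072 0
1:3000 1:2    1024 1024 0
1:3010 1:3000   64  256 1
1:3020 1:3000  128  768 2
1:3040 1:3000  704 1024 3
1:5040 1:3000  128 1024 4
'

# rate column of class $1
class_rate() {
    printf '%s\n' "$TREE" | awk -v c="$1" '$1 == c { print $3 }'
}

# sum of the rates of the direct children of $1
children_rate() {
    printf '%s\n' "$TREE" | awk -v p="$1" '$2 == p { s += $3 } END { print s + 0 }'
}

# check_sums: one line per inner class whose children do not add up; returns 1 if any
check_sums() {
    bad=0
    for cid in $(printf '%s\n' "$TREE" | awk 'NF { print $2 }' | sort -u); do
        [ "$cid" = "1:" ] && continue          # the qdisc has no rate of its own
        want=$(class_rate "$cid")
        have=$(children_rate "$cid")
        if [ "$have" -ne "$want" ]; then
            echo "class $cid: rate ${want}kbit, but its children add up to ${have}kbit"
            bad=1
        fi
    done
    return "$bad"
}

# emit_tree: print the tc commands for the table on stdout (nothing if the sums are off)
emit_tree() {
    check_sums >&2 || return 1
    echo "tc qdisc del dev $DEV root 2>/dev/null"
    echo "tc qdisc add dev $DEV root handle 1: htb default 3020"
    # quantum is given explicitly (the MTU) so the kernel does not derive it from r2q
    printf '%s\n' "$TREE" | awk -v dev="$DEV" -v mtu="$MTU" 'NF {
        printf "tc class add dev %s parent %s classid %s htb rate %dkbit ceil %dkbit prio %d quantum %d\n",
               dev, $2, $1, $3, $4, $5, mtu
    }'
    # leaf classes (never used as a parent) get an sfq so flows inside a class share fairly
    printf '%s\n' "$TREE" | awk -v dev="$DEV" 'NF { id[$1] = 1; parent[$2] = 1 }
        END {
            for (c in id) if (!(c in parent)) {
                m = c; sub(/^1:/, "", m)
                printf "tc qdisc add dev %s parent 1:%s handle %s: sfq perturb 10\n", dev, m, m
            }
        }'
}

emit_tree
```

Running it as is just prints the commands; `DEV=eth1 ./htb-tree.sh | sh` would apply them. Changing one rate in the table without adjusting its parent makes `check_sums` report the mismatch on stderr and `emit_tree` print nothing, which is the whole point of keeping the sum rule in the script rather than in one's head.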
From: qwerty at elusion.sk (Boris Gereg)
Date: Thu Feb 23 05:00:19 2006
Subject: [LARTC] HTB, strange capacity distribution
In-Reply-To: <20060222171542.GA10856@EIS>
References: <131577286.20060220225933@elusion.sk> <20060220225929.GA19681@EIS> <1579686043.20060221004959@elusion.sk> <20060221075249.GA10343@EIS> <1006637741.20060221142136@elusion.sk> <20060222171542.GA10856@EIS>
Message-ID: <846655753.20060223050012@elusion.sk>

Hello Andreas,

AK> Just to see whether we are going in the right direction at all, could
AK> you run the following experiment:

AK> - Lower the rate and ceil of class 1:2 to 8096kbit.
AK> - Lower the rate and ceil of class 1:2000 to 7072kbit.
AK> - Lower the rate and ceil of class 1:3000 to 1024kbit.
AK> - For class 1:3010, set rate to 64kbit, ceil to 256kbit.
AK> - For class 1:3020, set rate to 128kbit, ceil to 768kbit.
AK> - For class 1:3040, set rate to 704kbit, ceil to 1024kbit.
AK> - For class 1:5040, set rate to 128kbit, ceil to 1024kbit.

I did what you suggested and the results are as expected! You can see this picture to verify: http://elusion.sk/visual_inet_7.png

At 4:25 I started an HTTP download. The P2P class immediately dropped down to its RATE, the WWW class got its RATE. At 4:33 I stopped the HTTP download, the P2P class got the rest of the capacity.

AK> ... it's just too high rates or r2q/quantum that make it go bad. In this
AK> case, you'd have to measure realistic throughput rates of your network
AK> (even a 100mbit LAN may not be able to guarantee 100000kbit at all times)
AK> and of your internet connection (may not be able to serve 2048kbit at
AK> all times). For downstream shaping to work, you have to be the bottleneck.

There are messages in syslog like this:

kernel: HTB: quantum of class 10002 is big. Consider r2q change.
kernel: HTB: quantum of class 12000 is big. Consider r2q change.
kernel: HTB: quantum of class 13010 is small. Consider r2q change.

Please, are there some hints for setting the r2q or quantum parameters? http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm does not give extensive information on this. Or is it just a matter of testing and searching for optimal parameters?

Anyway, thanks a lot Andreas. This was the most important break for me. The rest is just tuning.

Best Regards
B. Gereg

From Andreas.Klauer at metamorpher.de Thu Feb 23 08:11:09 2006
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Thu Feb 23 08:11:24 2006
Subject: [LARTC] HTB, strange capacity distribution
In-Reply-To: <846655753.20060223050012@elusion.sk>
References: <131577286.20060220225933@elusion.sk> <20060220225929.GA19681@EIS> <1579686043.20060221004959@elusion.sk> <20060221075249.GA10343@EIS> <1006637741.20060221142136@elusion.sk> <20060222171542.GA10856@EIS> <846655753.20060223050012@elusion.sk>
Message-ID: <20060223071109.GA10559@EIS>

On Thu, Feb 23, 2006 at 05:00:12AM +0100, Boris Gereg wrote:
> I did what you suggested and the results are as expected!
> You can see this picture to verify: http://elusion.sk/visual_inet_7.png
>
> At 4:25 I started HTTP download. P2P class immediately dropped down to
> its RATE, WWW class got its RATE. At 4:33 I stopped HTTP download,
> P2P class got rest of capacity.

Alright. I suggest you do some measuring, to find out your real rates, and set HTB rates to be slightly lower so that you are the bottleneck. Most likely you'll have to experiment a little until you find the best setting for your setup.

> Please, are there some hints for setting r2q or quantum parameters?

Actually, I specify the quantum directly, with 'quantum $MTU' for every class. I don't know whether that's a good thing or a bad thing, but it worked very well for me, and seems to work well for others... at least nobody reported a problem to me so far that could be traced to be caused by this quantum setting. It should not be smaller than your MTU, and not too big.

With a huge difference in rates (100Mbit vs 64kbit) there is no r2q that will fit all classes. So there is no other way than to set quantum directly, at least for some classes (and I set it for all...).

Regards
Andreas Klauer

From russell-lartc at stuart.id.au Thu Feb 23 09:38:09 2006
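The arithmetic behind the "quantum of class X is big/small. Consider r2q change." lines Boris quotes from syslog, and behind the quantum values in his earlier `tc -d class show` output, as an added example rather than code from the thread: a small sh script that computes the quantum HTB picks for a class created without one (rate in bytes per second divided by r2q, clamped to the kernel's minimum and maximum), prints the syslog line the kernel would log, and searches for an r2q that leaves no class clamped, which for Boris's full tree yields none, exactly as Andreas says. The clamp range 1000..200000, the default r2q of 10 and the hex classid in the warning (1:3010 is logged as 13010) follow the 2.6-era sch_htb.c; treat them as assumptions for other kernel versions. The sample rates are the ones posted in the thread.

```shell
#!/bin/sh
# Added example, not a script from the LARTC thread. Reproduces what HTB does
# when a class is created without an explicit 'quantum':
#   quantum = rate_in_bytes_per_second / r2q, clamped to 1000..200000,
# logging "Consider r2q change" whenever the clamp kicks in. Clamp values and
# the default r2q of 10 follow the 2.6-era sch_htb.c (an assumption elsewhere).

QUANTUM_MIN=1000
QUANTUM_MAX=200000

# rate_bits 1024Kbit -> bit/s, using tc's unit rules: kbit/mbit are bits,
# kbps/mbps are BYTES per second, k = 1000 and m = 1000000.
rate_bits() {
    num=${1%%[!0-9]*}
    unit=${1#"$num"}
    unit=$(printf '%s' "$unit" | tr 'A-Z' 'a-z')
    case "$unit" in
        ''|bit) echo "$num" ;;
        kbit)   echo $((num * 1000)) ;;
        mbit)   echo $((num * 1000000)) ;;
        kbps)   echo $((num * 8000)) ;;
        mbps)   echo $((num * 8000000)) ;;
        *)      echo "rate_bits: unknown unit in '$1'" >&2; return 1 ;;
    esac
}

# htb_quantum RATE [R2Q] -> "<quantum> ok|small|big", as HTB would pick it
htb_quantum() {
    bits=$(rate_bits "$1") || return 1
    q=$(( bits / 8 / ${2:-10} ))
    if   [ "$q" -lt "$QUANTUM_MIN" ]; then echo "$QUANTUM_MIN small"
    elif [ "$q" -gt "$QUANTUM_MAX" ]; then echo "$QUANTUM_MAX big"
    else echo "$q ok"
    fi
}

# kernel_classid 1:3010 -> 13010: the kernel logs (major << 16 | minor) with %X
kernel_classid() {
    printf '%X\n' $(( 0x${1%%:*} << 16 | 0x${1#*:} ))
}

# check_tree R2Q "classid rate"... -> the syslog lines HTB would produce
check_tree() {
    r2q=$1; shift
    for entry in "$@"; do
        cid=${entry%% *}
        result=$(htb_quantum "${entry#* }" "$r2q") || return 1
        status=${result#* }
        [ "$status" = ok ] ||
            echo "HTB: quantum of class $(kernel_classid "$cid") is $status. Consider r2q change."
    done
}

# r2q_candidates RATE... -> every r2q from 1 to 100 that leaves no class clamped
r2q_candidates() {
    out=""
    r=1
    while [ "$r" -le 100 ]; do
        fits=yes
        for rate in "$@"; do
            result=$(htb_quantum "$rate" "$r")
            [ "${result#* }" = ok ] || { fits=no; break; }
        done
        [ "$fits" = yes ] && out="$out $r"
        r=$((r + 1))
    done
    echo "${out# }"
}

# Boris's tree with the default r2q: the three syslog lines he quotes
check_tree 10 '1:2 100000Kbit' '1:2000 50000Kbit' '1:3000 2048Kbit' \
              '1:3010 64000bit' '1:3020 128000bit' '1:3030 1024Kbit' '1:5040 128000bit'
echo "r2q values that fit the internet sub-tree alone: $(r2q_candidates 64Kbit 128Kbit 1024Kbit 128Kbit)"
echo "r2q values that fit 64Kbit and 100000Kbit together: '$(r2q_candidates 64Kbit 100000Kbit)'"
```

The warning fires when the class is created, at which point every class is still a leaf, so the 100000Kbit root class 1:2 (logged as 10002) is reported too. The sub-tree under 1:3000 fits any r2q from 1 to 8, while no r2q covers 64Kbit and 100000Kbit at the same time, which is why setting quantum directly on the classes is the way out.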
From: russell-lartc at stuart.id.au (Russell Stuart)
Date: Thu Feb 23 09:38:22 2006
Subject: [LARTC] Is this possible?
Message-ID: <1140683889.4367.35.camel@ras.pc.brisbane.lube>

I am trying to do ingress flow control with htb + imq, and as could be expected it isn't working well. It works a lot better when I keep the htb ceiling well below what the link can actually carry - I guess because htb gets to throttle the TCP fast start before it causes packets to be dropped. The only problem is that wasting all that bandwidth hurts.

It occurred to me that the bandwidth needn't be wasted, if only I can convince HTB to reserve some bandwidth for a class. For example, let's say we have a 1000kbit link, and two classes sharing that link:

- Voip - ie high prio real time, and
- Web - background traffic.

Right now, with htb or cbq or whatever, I can do this:

            Guaranteed Rate   Ceiling   Prio
  Link      700kbit           700kbit
  |--Voip   200kbit           700kbit   1
  \--Web    300kbit           700kbit   2

This works, in that Voip won't be hit by new connections overloading the link before htb can bring them under control. But it wastes 300kbit of bandwidth in doing so.

An observation. Let's say the link is carrying its rated capacity. Ie, there is 400kbit of Voip traffic, and 300kbit of web traffic. In this scenario, there is really no harm in letting the Voip use the remaining 300kbit of spare capacity. The Voip traffic is already being shaped, so delays are being introduced by the HTB filter anyway. If we let it use the remaining 300kb that shaping may disappear. Yes, it may now be hit by new incoming TCP traffic - but we may get lucky and it may not, whereas before it was always being shaped by HTB.

To be more precise, I want to create some "headroom" that VOIP can use, but Web traffic can't. Here are some examples. In each case the link is maxed out.

  Packets arriving at filter     Packets sent by Filter
  Voip       Web                 Voip       Web
  0          BIG                 0          700kbit
  200kbit    BIG                 200kbit    500kbit
  400kbit    BIG                 400kbit    300kbit
  600kbit    BIG                 600kbit    300kbit
  BIG        BIG                 700kbit    300kbit

As far as I can tell, neither HTB, nor any other qdisc for that matter, can be configured to do this. Am I correct?

From Andreas.Klauer at metamorpher.de Thu Feb 23 10:23:58 2006
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Thu Feb 23 10:24:04 2006
Subject: [LARTC] Is this possible?
In-Reply-To: <1140683889.4367.35.camel@ras.pc.brisbane.lube>
References: <1140683889.4367.35.camel@ras.pc.brisbane.lube>
Message-ID: <20060223092358.GA10554@EIS>

On Thu, Feb 23, 2006 at 06:38:09PM +1000, Russell Stuart wrote:
> For example, lets say we have a 1000kbit link, and two
> classes sharing that link:
>
> - Voip - ie high prio real time, and
> - Web - background traffic.

Have you measured this link, i.e. when there is no activity and you start some Voip sessions, do they get a constant downstream of 1000kbit? It may very well be that you have to measure the real throughput and then go a little lower (since you have to be the bottleneck), however having to throw 30% of the bandwidth away sounds a bit too harsh to me.

>             Guaranteed Rate   Ceiling   Prio
>   Link      700kbit           700kbit
>   |--Voip   200kbit           700kbit   1
>   \--Web    300kbit           700kbit   2

Are there other classes as well, because the sum of Voip + Web rate is just 500kbit, where the parent class offers 700kbit? You should make sure that the sum of child class rates equals the parent class rate. HTB results get more predictable that way.

> To be more precise, I want to create some "headroom" that
> VOIP can use, but Web traffic can't.

Usually, this "headroom" is the rate. In your example, Voip has 200kbit of bandwidth guaranteed. Web traffic can't use it unless of course there is no Voip traffic at all.

Another way of indirect headroom would be to hard limit the Web class, i.e. give the Web class a lower ceil than the other classes. This way, there is bandwidth that the Web class can't use no matter what, even if the link is completely empty.

Regards
Andreas Klauer

From pereyra.roberto at gmail.com Thu Feb 23 13:26:48 2006
From: pereyra.roberto at gmail.com (Roberto Pereyra)
Date: Thu Feb 23 13:26:49 2006
Subject: [LARTC] ipp2p don't block Ares
Message-ID:

Hi

I have a bridge running ipp2p blocking Ares traffic and other protocols.

This bridge works fine, but since two weeks it can't block Ares traffic. All protocols block fine but Ares doesn't (upload and download).

Is somebody using ipp2p to block the latest Ares version?

My system settings are:

kernel: 2.6.13
iptables: 1.3.3
ipp2p: 0.81 rc1

iptables -L -v output:

Chain FORWARD (policy ACCEPT 53M packets, 22G bytes)
 pkts bytes target prot opt in  out source   destination
2321K  194M DROP   all  --  any any anywhere anywhere   ipp2p v0.8.1_rc1 --kazaa --gnu --edk --dc --bit --apple --soul --winmx --ares --mute --waste --xdcc

Thanks for any help.

roberto

--
Ing. Roberto Pereyra
ContenidosOnline
BSD, Solaris and Linux servers
Technical support for ISPs
Jabber ID: rpereyra@lugmen.org.ar

For reliable and professional DNS, use DNS Made Easy!
http://www.dnsmadeeasy.com/u/14989

From ro0ot at phreaker.net Thu Feb 23 14:28:28 2006
From: ro0ot at phreaker.net (ro0ot)
Date: Thu Feb 23 14:30:36 2006
Subject: [LARTC] ipp2p don't block Ares
In-Reply-To:
References:
Message-ID: <43FDB87C.6080609@phreaker.net>

Hi,

Did you try using L7-filter to block Ares?
http://l7-filter.sourceforge.net/protocols

Regards,
ro0ot

Roberto Pereyra wrote:
> HI
>
> I have a bridge running ipp2p blocking Ares traffic and others protocols.
>
> This bridge works fine buts since two weeks can't block Ares traffic.
> All protocols block fine but Ares not (upload and download).
>
> Somebody are using ipp2p blocking the latest Ares version ?
>
> My system settings are:
>
> kernel : 2.6.13
> iptables: 1.3.3
> ipp2p: 0.81 rc1
>
> iptables -L -v output:
>
> Chain FORWARD (policy ACCEPT 53M packets, 22G bytes)
> pkts bytes target prot opt in out source destination
> 2321K 194M DROP all -- any any anywhere anywhere ipp2p
> v0.8.1_rc1 --kazaa --gnu --edk --dc --bit --apple --soul --winmx --ares --mute --waste --xdcc
>
> Thanks for any help.
>
> roberto
>
> --
> Ing. Roberto Pereyra
> ContenidosOnline
> BSD, Solaris and Linux servers
> Technical support for ISPs
> Jabber ID: rpereyra@lugmen.org.ar
>
> For reliable and professional DNS, use DNS Made Easy!
> http://www.dnsmadeeasy.com/u/14989

From Andreas.Klauer at metamorpher.de Thu Feb 23 15:12:17 2006
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Thu Feb 23 15:12:39 2006
Subject: [LARTC] ipp2p don't block Ares
In-Reply-To:
References:
Message-ID: <20060223141217.GA12503@EIS>

On Thu, Feb 23, 2006 at 09:26:48AM -0300, Roberto Pereyra wrote:
> This bridge works fine buts since two weeks can't block Ares traffic. All
> protocols block fine but Ares not (upload and download).
>
> Somebody are using ipp2p blocking the latest Ares version ?

Did you already contact the author about this? If the Ares protocol changed, you've practically got a new protocol there, which requires its own pattern for matching. If you can provide details about the new protocol (by dumping Ares packets or something) and help with testing, it should not be that hard to fix, provided the new protocol isn't something nasty.

In case of a protocol change, other projects (like l7-filter) should suffer from this problem too. Maybe it'd be a good idea to test them and inform the authors as well.

Regards
Andreas Klauer

From scamp at untergrund.net Thu Feb 23 15:18:53 2006
From: scamp at untergrund.net (Simon Kissel)
Date: Thu Feb 23 15:18:07 2006
Subject: [LARTC] ICMP time exceeded in-transit sent from wrong interface
In-Reply-To: <965501656.20060222143332@untergrund.net>
References: <965501656.20060222143332@untergrund.net>
Message-ID: <1858757722.20060223151853@untergrund.net>

Just in case someone else in the future googles for this problem:

SK> My question now is: WHY does that happen, and what could I do against
SK> it? Is there some kernel setting or mechanism that decides which
SK> interface is used when sending ICMP time exceeded in-transit messages?
SK> My goal is that the message gets generated for the correct hop...

This seems to be as designed by the kernel. The ICMP message gets sent from the target address of the original packet, if that address is local. If not, the ICMP message gets sent from 0, the default interface (which in my case is eth0).

IMHO this is totally broken logic in the kernel. For a router, the target address of the original packet will never be local. Instead the address of the interface the packet gets forwarded to should be used as the source address for the ICMP message.

Simon

From pereyra.roberto at gmail.com Thu Feb 23 16:12:16 2006
From: pereyra.roberto at gmail.com (Roberto Pereyra)
Date: Thu Feb 23 16:12:24 2006
Subject: Fwd: [LARTC] ipp2p don't block Ares
In-Reply-To: <20060223141217.GA12503@EIS>
References: <20060223141217.GA12503@EIS>
Message-ID:

> If you can provide details about the new protocol (by dumping
> Ares packets or something) and help with testing, it should be not that hard
> to fix, provided the new protocol isn't something nasty.

Hi

How can I dump Ares packages?

Thanks

roberto

---------- Forwarded message ----------
From: Andreas Klauer
Date: 23-feb-2006 11:12
Subject: Re: [LARTC] ipp2p don't block Ares
To: Roberto Pereyra
Cc: lartc@mailman.ds9a.nl

On Thu, Feb 23, 2006 at 09:26:48AM -0300, Roberto Pereyra wrote:
> This bridge works fine buts since two weeks can't block Ares traffic. All
> protocols block fine but Ares not (upload and download).
>
> Somebody are using ipp2p blocking the latest Ares version ?

Did you already contact the author about this? If the Ares protocol changed, you've practically got a new protocol there, which requires its own pattern for matching. If you can provide details about the new protocol (by dumping Ares packets or something) and help with testing, it should not be that hard to fix, provided the new protocol isn't something nasty.

In case of a protocol change, other projects (like l7-filter) should suffer from this problem too. Maybe it'd be a good idea to test them and inform the authors as well.

Regards
Andreas Klauer

--
Ing. Roberto Pereyra
ContenidosOnline
BSD, Solaris and Linux servers
Technical support for ISPs
Jabber ID: rpereyra@lugmen.org.ar

For reliable and professional DNS, use DNS Made Easy!
http://www.dnsmadeeasy.com/u/14989

From Andreas.Klauer at metamorpher.de Thu Feb 23 18:02:50 2006
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Thu Feb 23 18:03:00 2006
Subject: Fwd: [LARTC] ipp2p don't block Ares
In-Reply-To:
References: <20060223141217.GA12503@EIS>
Message-ID: <20060223170250.GB13737@EIS>

On Thu, Feb 23, 2006 at 12:12:16PM -0300, Roberto Pereyra wrote:
> How I can dump Ares packages ?

There are a number of tools for this, for example tcpdump. You should really talk to the developer(s) about this, it depends on what they need.

Dumping Ares packets specifically is a bit hard, since it seems that you can't match them - so you'd have to dump everything. You can increase the probability of getting Ares packages in a dump by doing this on an empty link that contains nothing but Ares traffic, or by similar criteria (e.g. dump packets of IPs that do nothing but Ares).

Anyway, contact the author and see what he suggests. Most likely only the packets that open a connection are of interest.

Regards
Andreas Klauer

From ahasenack at terra.com.br Thu Feb 23 18:12:30 2006
From: ahasenack at terra.com.br (Andreas Hasenack)
Date: Thu Feb 23 18:12:33 2006
Subject: [LARTC] 1k: 1000 or 1024?
Message-ID: <20060223171230.GI3411@mandriva.com>

The docs[1][2] suggest it's 1024, but tc says something else:

# tc qdisc add dev eth0 root tbf rate 1kbps latency 50ms burst 1500

# tc -s qdisc ls dev eth0
qdisc tbf 8009: rate 8000bit burst 1499b lat 48.8ms
                     ^^^^^^^
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

If 1k were 1024, then I would have 8192bit above.

1. http://www.docum.org/docum.org/faq/cache/74.html
2. http://ds9a.nl/2.4Networking/howto/lartc.qdisc.html#LARTC.QDISC.EXPLAIN

From raju at linux-delhi.org Thu Feb 23 20:14:16 2006
From: raju at linux-delhi.org (Raj Mathur)
Date: Thu Feb 23 20:14:40 2006
Subject: [LARTC] Balancing multiple connections and NAT
Message-ID: <17406.2440.239945.166270@mail.linux-delhi.org>

Hi,

I have a client connected to the 'net through 3 ISP's. Have set up a Linux box to do routing and load sharing for the 3 connections. A fourth interface is connected to the LAN with private IP addresses. Am using iptables to SNAT traffic to the appropriate IP depending on the interface the packet gets routed onto. The setup looks something like this:

Interface  IP             Gateway     Table    Network
---------  --             -------     -----    -------
intA       ipA            gwA         tableA   netA
intB       ipB            gwB         tableB   netB
intC       ipC            gwC         tableC   netC
[intD is the LAN interface]
intD       ipD (private)  no gateway  global   netD

This works fine most of the time, except that once in a while (every 5-10 minutes or so) packets going out on (e.g.) intB suddenly start getting NAT'ed to source address ipA (i.e. the address of another interface). Obviously this plays hell with the existing connections on that link!
The ip commands I'm using are:

/sbin/ip route add netA dev intA src ipA table tableA
/sbin/ip route add netA dev intA src ipA
/sbin/ip route add default via gwA table tableA
/sbin/ip route add netB dev intB src ipB table tableB
/sbin/ip route add netB dev intB src ipB
/sbin/ip route add default via gwB table tableB
/sbin/ip route add netC dev intC src ipC table tableC
/sbin/ip route add netC dev intC src ipC
/sbin/ip route add default via gwC table tableC
/sbin/ip route add default scope global nexthop via gwB dev intB weight 1 nexthop via gwC dev intC weight 2 nexthop via gwA dev intA weight 2
/sbin/ip rule add from ipA table tableA
/sbin/ip rule add from ipB table tableB
/sbin/ip rule add from ipC table tableC

The iptables commands are:

/sbin/iptables -P FORWARD DROP
# Enable full flow on the LAN
/sbin/iptables -I FORWARD -s netD -i intD -j ACCEPT
/sbin/iptables -I FORWARD -d netD -o intD -j ACCEPT
# Allow all packets to go out
/sbin/iptables -I OUTPUT -o intA -j ACCEPT
/sbin/iptables -I OUTPUT -o intB -j ACCEPT
/sbin/iptables -I OUTPUT -o intC -j ACCEPT
/sbin/iptables -I OUTPUT -o intD -j ACCEPT
/sbin/iptables -I INPUT -i intD -j ACCEPT
/sbin/iptables -I INPUT -i lo -j ACCEPT
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -i ! intD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Hmmm, why is this one there?
/sbin/iptables -A INPUT -i intD -m state --state RELATED,ESTABLISHED -j ACCEPT
# NAT depending on outbound interface
/sbin/iptables -t nat -A POSTROUTING -s netD -o intA -j SNAT --to-source ipA
/sbin/iptables -t nat -A POSTROUTING -s netD -o intB -j SNAT --to-source ipB
/sbin/iptables -t nat -A POSTROUTING -s netD -o intC -j SNAT --to-source ipC

Any idea why connections that are flowing perfectly would suddenly decide to start getting NAT'ed to the wrong source? Or some place on the 'net I can start looking?
Regards,

-- Raju
--
Raj Mathur                raju@kandalaya.org      http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
It is the mind that moves

From eantoranz at gmail.com Thu Feb 23 20:41:47 2006
From: eantoranz at gmail.com (Edmundo Carmona)
Date: Thu Feb 23 20:41:48 2006
Subject: [LARTC] Balancing multiple connections and NAT
In-Reply-To: <17406.2440.239945.166270@mail.linux-delhi.org>
References: <17406.2440.239945.166270@mail.linux-delhi.org>
Message-ID: <65aa6af90602231141x64df6e2en3749d967a635b395@mail.gmail.com>

That's because the route to a host X has been changed. There's a routing decision to host X every so or so minutes.

Ways to handle that? Boy, that can be tough. I've read of people who use a different LAN IP for every public connection. So if you have 3 public connections, you should use three different IPs on the LAN. Then, when you DNAT packets on the way in (from the internet), you mark those packets with a different fwmark for each internet connection. On POSTROUTING do a SNAT according to this fwmark to a different IP each (remember you have three inner IPs to choose from). Then when packets come back from your servers, they will be sent to three different IPs and you can tell packets that should go out one way or the other.

Now, if you don't care about incoming (to your LAN) connections but outgoing.... I guess you are very much out of luck.... unless you use some policy routing for stateful connections (I think that's the name of connections that DO care if you change the IP the connection is going through) so that they use a single interface all the time.

On 2/23/06, Raj Mathur wrote:
> Hi,
>
> I have a client connected to the 'net through 3 ISP's. Have set up a
> Linux box to do routing and load sharing for the 3 connections. A
> fourth interface is connected to the LAN with private IP addresses.
> Am using iptables to SNAT traffic to the appropriate IP depending on
> the interface the packet gets routed onto.
The setup looks something > like this: > > Interface IP Gateway Table Network > --------- -- ------- ----- ------- > intA ipA gwA tableA netA > intB ipB gwB tableB netB > intC ipC gwC tableC netC > [intD is the LAN interface] > intD ipD (private) no gateway global netD > > This works fine most of the time, except that once in a while (every > 5-10 minutes or so) packets going out on (e.g.) intB suddenly start > getting NAT'ed to source address ipA (i.e. the address of another > interface). Obviously this plays hell with the existing connections > on that link! > > The ip commands I'm using are: > > /sbin/ip route add netA dev intA src ipA table tableA > /sbin/ip route add netA dev intA src ipA > /sbin/ip route add default via gwA table tableA > /sbin/ip route add netB dev intB src ipB table tableB > /sbin/ip route add netB dev intB src ipB > /sbin/ip route add default via gwB table tableB > /sbin/ip route add netC dev intC src ipC table tableC > /sbin/ip route add netC dev intC src ipC > /sbin/ip route add default via gwC table tableC > /sbin/ip route add default scope global nexthop via gwB dev intB weight 1 nexthop via gwC dev intC weight 2 nexthop via gwA dev intA weight 2 > /sbin/ip rule add from ipA table tableA > /sbin/ip rule add from ipB table tableB > /sbin/ip rule add from ipC table tableC > > The iptables commands are: > > /sbin/iptables -P FORWARD DROP > # Enable full flow on the LAN > /sbin/iptables -I FORWARD -s netD -i intD -j ACCEPT > /sbin/iptables -I FORWARD -d netD -o intD -j ACCEPT > # Allow all packets to go out > /sbin/iptables -I OUTPUT -o intA -j ACCEPT > /sbin/iptables -I OUTPUT -o intB -j ACCEPT > /sbin/iptables -I OUTPUT -o intC -j ACCEPT > /sbin/iptables -I OUTPUT -o intD -j ACCEPT > /sbin/iptables -I INPUT -i intD -j ACCEPT > /sbin/iptables -I INPUT -i lo -j ACCEPT > /sbin/iptables -P INPUT DROP > /sbin/iptables -A INPUT -i ! intD -m state --state RELATED,ESTABLISHED -j ACCEPT > # Hmmm, why is this one there? 
> /sbin/iptables -A INPUT -i intD -m state --state RELATED,ESTABLISHED -j ACCEPT > # NAT depending on outbound interface > /sbin/iptables -t nat -A POSTROUTING -s netD -o intA -j SNAT --to-source ipA > /sbin/iptables -t nat -A POSTROUTING -s netD -o intB -j SNAT --to-source ipB > /sbin/iptables -t nat -A POSTROUTING -s netD -o intC -j SNAT --to-source ipC > > Any idea why connections that are flowing perfectly would suddenly > decide to start getting NAT'ed to the wrong source? Or some place on > the 'net I can start looking? > > Regards, > > -- Raju > -- > Raj Mathur raju@kandalaya.org http://kandalaya.org/ > GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F > It is the mind that moves > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > From ahasenack at terra.com.br Thu Feb 23 21:21:46 2006 
From: ahasenack at terra.com.br (Andreas Hasenack)
Date: Thu Feb 23 21:21:52 2006
Subject: [LARTC] userlevel should not need to know about HZ?
Message-ID: <20060223202145.GL3411@mandriva.com>

Kernel people tell me users should never need to know the value of HZ used by the currently running kernel. One kernel hacker even told me that Linus once changed the value from 100 to 1000 just to see user space programs break.

However, it is needed for the buffer parameter in TBF. The tc-tbf(8) manpage:

    If your buffer is too small, packets may be dropped because more
    tokens arrive per timer tick than fit in your bucket. The minimum
    buffer size can be calculated by dividing the rate by HZ.

My kernel (2.6.12), for example, doesn't have a CONFIG option in /proc/config.gz. I only found out the correct HZ value by looking into /usr/include/asm/param.h, and even there are two values: 1000 for __KERNEL__ and 250 for the rest. Newer kernels have CONFIG options and 1000 is just one of the possible values.

So, how do we reliably calculate the minimum value for buffer/burst/maxburst?

From nata at cnett.com.br Thu Feb 23 21:25:52 2006
From: nata at cnett.com.br (Nataniel Klug)
Date: Thu Feb 23 21:26:08 2006
Subject: [LARTC] Balancing multiple connections and NAT
References: <17406.2440.239945.166270@mail.linux-delhi.org>
Message-ID: <002601c638b7$58cb31c0$0e001eac@NATANIEL>

Raj,

I use something just like you do, and for this problem I have patched my kernel with the diff-routes patch (there is a link in LARTC) and I have made a little script that just pings an outside address every 5 min (cron job) and flushes the route cache after this ping, like this:

ip route flush cache

So all cache will be lost (of course connections that still exist will remain with their track to the destination).

Att,
Nataniel Klug

----- Original Message -----
From: "Raj Mathur" To: Sent: Thursday, February 23, 2006 4:14 PM Subject: [LARTC] Balancing multiple connections and NAT > Hi, > > I have a client connected to the 'net through 3 ISP's. Have set up a > Linux box to do routing and load sharing for the 3 connections. A > fourth interface is connected to the LAN with private IP addresses. > Am using iptables to SNAT traffic to the appropriate IP depending on > the interface the packet gets routed onto. The setup looks something > like this: > > Interface IP Gateway Table Network > --------- -- ------- ----- ------- > intA ipA gwA tableA netA > intB ipB gwB tableB netB > intC ipC gwC tableC netC > [intD is the LAN interface] > intD ipD (private) no gateway global netD > > This works fine most of the time, except that once in a while (every > 5-10 minutes or so) packets going out on (e.g.) intB suddenly start > getting NAT'ed to source address ipA (i.e. the address of another > interface). Obviously this plays hell with the existing connections > on that link! 
> > The ip commands I'm using are: > > /sbin/ip route add netA dev intA src ipA table tableA > /sbin/ip route add netA dev intA src ipA > /sbin/ip route add default via gwA table tableA > /sbin/ip route add netB dev intB src ipB table tableB > /sbin/ip route add netB dev intB src ipB > /sbin/ip route add default via gwB table tableB > /sbin/ip route add netC dev intC src ipC table tableC > /sbin/ip route add netC dev intC src ipC > /sbin/ip route add default via gwC table tableC > /sbin/ip route add default scope global nexthop via gwB dev intB weight 1 nexthop via gwC dev intC weight 2 nexthop via gwA dev intA weight 2 > /sbin/ip rule add from ipA table tableA > /sbin/ip rule add from ipB table tableB > /sbin/ip rule add from ipC table tableC > > The iptables commands are: > > /sbin/iptables -P FORWARD DROP > # Enable full flow on the LAN > /sbin/iptables -I FORWARD -s netD -i intD -j ACCEPT > /sbin/iptables -I FORWARD -d netD -o intD -j ACCEPT > # Allow all packets to go out > /sbin/iptables -I OUTPUT -o intA -j ACCEPT > /sbin/iptables -I OUTPUT -o intB -j ACCEPT > /sbin/iptables -I OUTPUT -o intC -j ACCEPT > /sbin/iptables -I OUTPUT -o intD -j ACCEPT > /sbin/iptables -I INPUT -i intD -j ACCEPT > /sbin/iptables -I INPUT -i lo -j ACCEPT > /sbin/iptables -P INPUT DROP > /sbin/iptables -A INPUT -i ! intD -m state --state RELATED,ESTABLISHED -j ACCEPT > # Hmmm, why is this one there? > /sbin/iptables -A INPUT -i intD -m state --state RELATED,ESTABLISHED -j ACCEPT > # NAT depending on outbound interface > /sbin/iptables -t nat -A POSTROUTING -s netD -o intA -j SNAT --to-source ipA > /sbin/iptables -t nat -A POSTROUTING -s netD -o intB -j SNAT --to-source ipB > /sbin/iptables -t nat -A POSTROUTING -s netD -o intC -j SNAT --to-source ipC > > Any idea why connections that are flowing perfectly would suddenly > decide to start getting NAT'ed to the wrong source? Or some place on > the 'net I can start looking? 
>
> Regards,
>
> -- Raju
> --
> Raj Mathur                raju@kandalaya.org      http://kandalaya.org/
> GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
> It is the mind that moves

From russell-lartc at stuart.id.au Thu Feb 23 22:27:58 2006
From: russell-lartc at stuart.id.au (Russell Stuart)
Date: Thu Feb 23 22:28:11 2006
Subject: [LARTC] Is this possible?
In-Reply-To: <20060223092358.GA10554@EIS>
References: <1140683889.4367.35.camel@ras.pc.brisbane.lube> <20060223092358.GA10554@EIS>
Message-ID: <1140730078.4367.44.camel@ras.pc.brisbane.lube>

On Thu, 2006-02-23 at 10:23 +0100, Andreas Klauer wrote:
> On Thu, Feb 23, 2006 at 06:38:09PM +1000, Russell Stuart wrote:
> > For example, lets say we have a 1000kbit link, and two
> > classes sharing that link:
> >
> > - Voip - ie high prio real time, and
> > - Web - background traffic.
>
> Have you measured this link, i.e. when there is no activity
> and you start some Voip sessions, do they get a constant
> downstream of 1000kbit?
>
> It may very well be that you have to measure the real throughput
> and then go a little lower (since you have to be the bottleneck),
> however having to throw 30% of bandwidth away sounds a bit too
> harsh to me.

The setup I gave was purely hypothetical. 300kbit headroom sounds way too high to me as well - any advice others may have on this would be appreciated.

> Another way of indirect headroom would be to hard limit the Web class,
> i.e. give the Web class a lower ceil than the other classes. This way,
> there is bandwidth that the Web class can't use no matter what, even
> if the link is completely empty.

That is the right answer - it would achieve what I want. In hindsight it seems so obvious I don't know why I didn't think of it myself.

Thanks for taking the time to answer my query.

From luciano at lugmen.org.ar Thu Feb 23 23:08:27 2006
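The tree Andreas Klauer recommends above and Russell Stuart accepts (child rates summing to the parent rate, and a ceil on the Web class below the link rate so the difference is headroom only Voip can borrow) written out as tc commands. This is an added example, not a script from the thread: it assumes the interface is eth0, it identifies Voip by the DSCP EF marking in the TOS byte (the thread does not say how Voip is classified, so that classifier is an assumption), and it prints the commands instead of running them unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example: HTB tree for the Voip/Web case from this thread.
# Child rates add up to the parent rate, and the Web class gets a ceil below
# the link rate, so the remainder is headroom that only Voip can use.
# Dry-run by default: the tc commands are printed.  DRY_RUN=0 applies them (root).
DRY_RUN=${DRY_RUN:-1}
DEV=${DEV:-eth0}          # assumed interface name

LINK_RATE=700             # kbit: parent class rate (hypothetical, as in the thread)
VOIP_RATE=200             # kbit: guaranteed to Voip
VOIP_CEIL=$LINK_RATE      # Voip may borrow up to the whole link
WEB_RATE=500              # kbit: VOIP_RATE + WEB_RATE must equal LINK_RATE
WEB_CEIL=500              # kbit: below LINK_RATE, so Web never takes the last 200kbit

run_tc() {
    if [ "$DRY_RUN" = 1 ]; then printf 'tc %s\n' "$*"; else command tc "$@"; fi
}

# check_rates PARENT CHILD...: succeed only if the child rates sum to the parent rate
check_rates() {
    parent=$1; shift
    sum=0
    for r in "$@"; do sum=$(( sum + r )); done
    [ "$sum" -eq "$parent" ]
}

# headroom LINK WEB_CEIL: bandwidth (kbit) the Web class can never use
headroom() { echo $(( $1 - $2 )); }

build_tree() {
    check_rates "$LINK_RATE" "$VOIP_RATE" "$WEB_RATE" || {
        echo "child rates ($VOIP_RATE + $WEB_RATE) do not sum to $LINK_RATE" >&2
        return 1
    }
    run_tc qdisc add dev "$DEV" root handle 1: htb default 20
    run_tc class add dev "$DEV" parent 1: classid 1:1 htb rate "${LINK_RATE}kbit" ceil "${LINK_RATE}kbit"
    run_tc class add dev "$DEV" parent 1:1 classid 1:10 htb rate "${VOIP_RATE}kbit" ceil "${VOIP_CEIL}kbit" prio 1
    run_tc class add dev "$DEV" parent 1:1 classid 1:20 htb rate "${WEB_RATE}kbit" ceil "${WEB_CEIL}kbit" prio 2
    # Leaf qdiscs: a short FIFO keeps Voip latency low, SFQ shares Web fairly.
    run_tc qdisc add dev "$DEV" parent 1:10 handle 10: pfifo limit 10
    run_tc qdisc add dev "$DEV" parent 1:20 handle 20: sfq perturb 10
    # Assumed classifier: DSCP EF (0xb8 in the TOS byte) goes to the Voip class;
    # everything else lands in the default class 1:20.
    run_tc filter add dev "$DEV" parent 1: protocol ip prio 1 u32 match ip tos 0xb8 0xff flowid 1:10
}

build_tree
```

With these numbers Web can never take more than 500kbit even on an idle link, while Voip is guaranteed 200kbit and may borrow the rest; check_rates refuses to build a tree whose children do not add up to the parent, which is the mistake Andreas points out in the original 200+300 versus 700 layout.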
From: luciano at lugmen.org.ar (Luciano Ruete)
Date: Thu Feb 23 23:08:44 2006
Subject: [LARTC] HTB: far unequal behaivor at a slight conf rate change
Message-ID: <200602231908.27900.luciano@lugmen.org.ar>

Hi all!

I'm working on a "_really_ end user simple", yet powerful, flexible, scalable, GPL htb/htb-init front end, but now, in the "test phase", I'm facing an ultimate problem...

Absolutely minimalistic scenario:

#Use a FIXEDFONT to read this
#inet-ethx-|FIREWALL|-lan-ethx <-> |client_host_1|
#
#FIREWALL class(rate,ceil) at lan-ethx
root->parent_all_host(256,256)->client_host_1(X,X)->host_1_prio(X*0.9,X)
                                                  ->host_1_dfl(X*0.1,X)

Then I generate equal traffic for the two leafs and:

if X<=200 then "all works ok"
  the 'prio' class takes 90% of the rate
  the 'dfl' class takes 10% of the rate

if X>230 then "all works like no htb present at all"
  the 'prio' and 'dfl' class fight equally for the rate

Things that I have tried that don't help to solve the problem:
-Play with several r2q/quantum combinations
-Play with the prio parameter for the leafs
-Try different leaf algos (sfq with quantum 1500, pfifo with limit 10)
-Change the parent_all_hosts rate to a high value (ie: 512, 1024)

I've attached simplified ad-hoc scripts that reproduce the scenarios:
tc_at_200 (full tc/iptables commands to recreate the X<200 scenario)
tc_at_230 (full tc/iptables commands to recreate the X>200 scenario)

To test I run in the client_host_1 2 lftp instances, ie:
lftp -c "pget -n ftp://somehost/very.long.file" #4 tcp conns "stress" ;-)
lftp -c "get http://samehost/very.long.file"

Note that the first generates ftp traffic while the second one is http traffic; the firewall marks will make http go in the 'prio' class and ftp go in the 'dfl' class.

I leave this traffic running...
if I run ./tc_at_200 everything goes to its place
if I run ./tc_at_230 everything goes wrong, the 4 ftp 'dfl' traffic connections monopolize at least 80% of the total rate.
if I run ./tc_at_200 everything goes to its place again
and so on...
Well, hope someone gives me a hint on this!

--
Luciano

[Attachment: tc_at_200 (application/x-shellscript, 1398 bytes): http://mailman.ds9a.nl/pipermail/lartc/attachments/20060223/53e390ae/tc_at_200.bin]
[Attachment: tc_at_230 (application/x-shellscript, 1398 bytes): http://mailman.ds9a.nl/pipermail/lartc/attachments/20060223/53e390ae/tc_at_230.bin]

From comp.techs at aspenview.org Thu Feb 23 23:24:52 2006
From: comp.techs at aspenview.org (comp.techs)
Date: Thu Feb 23 23:24:56 2006
Subject: [LARTC] Gre Tos
Message-ID: <648A21EA469E3848922D9860785CD5EF456712@aspen-mail01.aspenview.org>

Hi, how do gre tunnels handle the TOS/DS field in the encapsulated packet? Is the value copied to the encapsulating ip header?

thx
jason

From Andreas.Klauer at metamorpher.de Thu Feb 23 23:38:35 2006
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Thu Feb 23 23:38:48 2006
Subject: [LARTC] HTB: far unequal behaivor at a slight conf rate change
In-Reply-To: <200602231908.27900.luciano@lugmen.org.ar>
References: <200602231908.27900.luciano@lugmen.org.ar>
Message-ID: <20060223223835.GA23114@EIS>

On Thu, Feb 23, 2006 at 07:08:27PM -0300, Luciano Ruete wrote:
> root->parent_all_host(256,256)->client_host_1(X,X)->host_1_prio(X*0.9,X)
>                                                   ->host_1_dfl(X*0.1,X)

What's the purpose of the 256kbit class? In the setup you posted, the 200/230kbit child class does not seem to have any siblings. Except for the root class, classes without siblings don't make sense. At least, I haven't seen any useful purpose for them so far.

> I've attached simplified ad-hoc scripts that reproduce the scenarios:
> tc_at_200 (full tc/iptables commands to recreate the X<200 scenario)
> tc_at_230 (full tc/iptables commands to recreate the X>200 scenario)

I haven't tested them, but they seem to be all right (except for the question above). I don't know if it will help at all, but could you post tc statistics for both 200 and 230 cases? You can get the statistics using 'tc -s -d qdisc/class show dev $iface' or similar command.

Also, did you check whether HTB is complaining about anything in dmesg when setting up the 230 class tree?

Which kernel version and iproute/tc version are you running? Just in case you're still suffering from old HTB bugs...

Regards
Andreas Klauer

From Andreas.Klauer at metamorpher.de Thu Feb 23 23:47:26 2006
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Thu Feb 23 23:47:38 2006
Subject: [LARTC] userlevel should not need to know about HZ?
In-Reply-To: <20060223202145.GL3411@mandriva.com>
References: <20060223202145.GL3411@mandriva.com>
Message-ID: <20060223224726.GB23114@EIS>

On Thu, Feb 23, 2006 at 05:21:46PM -0300, Andreas Hasenack wrote:
> Kernel people tell me users should never need to know the value of HZ
> used by the currently running kernel. One kernel hacker even told me
> that Linus once changed the value from 100 to 1000 just to see user
> space programs break.

Hmmm. Don't know the context of this statement, but from my (naive) point of view, TBF is not a user space program. The user space program is tc, and it just sets up structures in the kernel once. The shaping itself is done in kernel space.

> So, how do we reliably calculate the minimum value for buffer/burst/maxburst?

Trial & Error, not that I ever had much luck with TBF though...

TBF doesn't really depend on the HZ value - you don't really need to know. Still, TBF is affected by the HZ, like many other parts of the kernel too. It can't be helped - dunno what else to say about it.

Regards
Andreas Klauer

From msc at antzsystem.de Fri Feb 24 00:41:22 2006
From: msc at antzsystem.de (Markus Schulz)
Date: Fri Feb 24 00:41:34 2006
Subject: [LARTC] Balancing multiple connections and NAT
In-Reply-To: <17406.2440.239945.166270@mail.linux-delhi.org>
References: <17406.2440.239945.166270@mail.linux-delhi.org>
Message-ID: <200602240041.22508.msc@antzsystem.de>

On Thursday, 23 February 2006 20:14, Raj Mathur wrote:
> Hi,
>
> I have a client connected to the 'net through 3 ISP's. Have set up a
> Linux box to do routing and load sharing for the 3 connections. A
> fourth interface is connected to the LAN with private IP addresses.
> Am using iptables to SNAT traffic to the appropriate IP depending on
> the interface the packet gets routed onto. The setup looks something
> like this:
>
> Interface  IP             Gateway     Table    Network
> ---------  --             -------     -----    -------
> intA       ipA            gwA         tableA   netA
> intB       ipB            gwB         tableB   netB
> intC       ipC            gwC         tableC   netC
> [intD is the LAN interface]
> intD       ipD (private)  no gateway  global   netD
>
> This works fine most of the time, except that once in a while (every
> 5-10 minutes or so) packets going out on (e.g.) intB suddenly start
> getting NAT'ed to source address ipA (i.e. the address of another
> interface). Obviously this plays hell with the existing connections
> on that link!

You need a patch for NAT processing with multiple gateways. This will then save the routing information for each connection inside the NAT structures, so that each packet of an established connection will get routed over the same gateway.

You can find the patches here:
http://www.ssi.bg/~ja/#routes

Please read the guides (nano howto or dgd-usage) carefully.

--
Markus Schulz

From ahasenack at terra.com.br Fri Feb 24 00:45:12 2006
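Raj Mathur's three-uplink setup, with the fix the replies converge on: each connection must be pinned to the uplink its first packet used, so that the SNAT source never flips. Edmundo Carmona sketches this as marking each connection with a distinct fwmark and routing and NATing by the mark; Markus Schulz points at Julian Anastasov's kernel patches, which do it inside the NAT code. The script below is an added example and not from the thread or from either project: it implements Edmundo's scheme without a kernel patch, using the iptables CONNMARK target (not named on the page) to store the mark in the conntrack entry, and an `ip rule fwmark` per uplink so later packets of the same connection hit the same table. The addresses are constructed RFC 5737 documentation values standing in for ipA/gwA/netA, the table ids and marks are arbitrary, and the weights mirror the original multipath default route. Commands are printed, not run, unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example: pin every connection to one uplink in a three-ISP setup.
# Outbound: the multipath default route picks the uplink for a new
# connection; CONNMARK stores which one.  Inbound: a connection arriving on
# an uplink is marked with that uplink.  Later packets from the LAN get the
# mark restored before routing and follow the per-uplink table.
# Dry-run by default: commands are printed.  DRY_RUN=0 applies them (root).
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

LAN_IF=${LAN_IF:-intD}
LAN_NET=${LAN_NET:-192.168.0.0/24}   # constructed stand-in for netD

# Constructed stand-ins (RFC 5737 documentation addresses) for ipA/gwA/netA etc.
# Columns: name iface address gateway network table mark weight
UPLINKS='A intA 198.51.100.2 198.51.100.1 198.51.100.0/24 101 1 2
B intB 203.0.113.2 203.0.113.1 203.0.113.0/24 102 2 1
C intC 192.0.2.2 192.0.2.1 192.0.2.0/24 103 3 2'

# check_uplinks: succeed only if every table id and every mark is unique
check_uplinks() {
    n=$(( $(printf '%s\n' "$UPLINKS" | wc -l) ))
    t=$(( $(printf '%s\n' "$UPLINKS" | awk '{print $6}' | sort -u | wc -l) ))
    m=$(( $(printf '%s\n' "$UPLINKS" | awk '{print $7}' | sort -u | wc -l) ))
    [ "$n" -eq "$t" ] && [ "$n" -eq "$m" ]
}

# uplink_rules IFACE ADDR GW NET TABLE MARK
uplink_rules() {
    iface=$1; addr=$2; gw=$3; net=$4; table=$5; mark=$6
    run ip route add "$net" dev "$iface" src "$addr"
    run ip route add "$net" dev "$iface" src "$addr" table "$table"
    run ip route add default via "$gw" dev "$iface" table "$table"
    run ip rule add from "$addr" table "$table" pref 100
    run ip rule add fwmark "$mark" table "$table" pref 110
    # Outbound: remember which uplink the multipath route picked for a new connection.
    run iptables -t mangle -A POSTROUTING -o "$iface" -m state --state NEW -j CONNMARK --set-mark "$mark"
    # Inbound: a connection that arrived on this uplink must be answered through it.
    run iptables -t mangle -A PREROUTING -i "$iface" -m state --state NEW -j CONNMARK --set-mark "$mark"
    # Source NAT by outgoing interface, as in the original setup; the interface is
    # now stable per connection, so the source address no longer flips.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$iface" -j SNAT --to-source "$addr"
}

emit_all() {
    check_uplinks || { echo "UPLINKS has a duplicate table id or mark" >&2; return 1; }
    # Packets from the LAN pick up their connection's mark before routing.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
    printf '%s\n' "$UPLINKS" | while read -r name iface addr gw net table mark weight; do
        uplink_rules "$iface" "$addr" "$gw" "$net" "$table" "$mark"
    done
    nexthops=$(printf '%s\n' "$UPLINKS" |
        awk '{printf "nexthop via %s dev %s weight %s ", $4, $2, $8}')
    # $nexthops is split into words on purpose.
    run ip route add default scope global $nexthops
    run ip route flush cache   # after changing routes, as Nataniel Klug does
}

emit_all
```

The first packet of an outbound connection carries no mark, so it is routed by the weighted default route exactly as before; from the second packet on, the restored mark selects the per-uplink table, which is what keeps the `-o` interface, and therefore the SNAT address, constant for the life of the connection.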
From: ahasenack at terra.com.br (Andreas Hasenack)
Date: Fri Feb 24 00:45:28 2006
Subject: [LARTC] userlevel should not need to know about HZ?
In-Reply-To: <20060223224726.GB23114@EIS>
References: <20060223202145.GL3411@mandriva.com> <20060223224726.GB23114@EIS>
Message-ID: <200602232045.13101.ahasenack@terra.com.br>

On Thu 23 Feb 2006 19:47, Andreas Klauer wrote:
> > So, how do we reliably calculate the minimum value for
> > buffer/burst/maxburts?
>
> Trial & Error, not that I ever had much luck with TBF though...

From my experiments, the minimum seems to be either MTU plus a few bytes or the result of rate/HZ, whichever is higher.

From luciano at lugmen.org.ar Fri Feb 24 03:42:16 2006
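Two questions from this thread answered in one small script: Andreas Hasenack's "1k: 1000 or 1024?" (tc uses decimal prefixes, and "bps" means bytes per second, which is why `rate 1kbps` is reported as 8000bit) and the tc-tbf(8) rule that the buffer must hold at least rate/HZ, combined with his observation above that it must also be at least one MTU. This is an added example, not code from the thread or from iproute2: the unit handling follows what tc prints in the posted output, integer values only, and `kernel_hz` reads CONFIG_HZ from /proc/config.gz where the kernel exports it and otherwise falls back to a value you pass in (250 here, as on his box).

```shell
#!/bin/sh
# Added example: tc rate units and the TBF buffer minimum from tc-tbf(8).
# tc's prefixes are decimal (k = 1000) and "bps" is bytes per second, so
# "rate 1kbps" is 8000 bit/s.  Integer values only (no "1.5mbit").
tc_rate_to_bits() {
    r=$1
    case "$r" in
        *gbps) echo $(( ${r%gbps} * 1000000000 * 8 )) ;;
        *mbps) echo $(( ${r%mbps} * 1000000 * 8 )) ;;
        *kbps) echo $(( ${r%kbps} * 1000 * 8 )) ;;
        *bps)  echo $(( ${r%bps} * 8 )) ;;
        *gbit) echo $(( ${r%gbit} * 1000000000 )) ;;
        *mbit) echo $(( ${r%mbit} * 1000000 )) ;;
        *kbit) echo $(( ${r%kbit} * 1000 )) ;;
        *bit)  echo $(( ${r%bit} )) ;;
        *)     echo $(( r )) ;;            # bare number: bits per second
    esac
}

# kernel_hz [FALLBACK]: CONFIG_HZ from /proc/config.gz when the running
# kernel exports it, else FALLBACK (default 250).
kernel_hz() {
    if [ -r /proc/config.gz ]; then
        hz=$(zcat /proc/config.gz 2>/dev/null | sed -n 's/^CONFIG_HZ=//p')
        [ -n "$hz" ] && { echo "$hz"; return; }
    fi
    echo "${1:-250}"
}

# tbf_min_buffer RATE HZ [MTU]: bytes the bucket must hold so no tokens are
# lost between timer ticks: rate/HZ in bytes, rounded up, but never less
# than one full-size packet (the MTU), following the observation above.
tbf_min_buffer() {
    bits=$(tc_rate_to_bits "$1"); hz=$2; mtu=${3:-1500}
    per_tick=$(( (bits / 8 + hz - 1) / hz ))
    if [ "$per_tick" -gt "$mtu" ]; then echo "$per_tick"; else echo "$mtu"; fi
}

# The thread's example rate on a HZ=250 kernel (falls back to 250 when
# /proc/config.gz is absent, as on Andreas Hasenack's 2.6.12).
HZ=$(kernel_hz 250)
echo "1kbps = $(tc_rate_to_bits 1kbps) bit/s; min TBF buffer at HZ=$HZ: $(tbf_min_buffer 1kbps "$HZ") bytes"
echo "10mbit at HZ=$HZ needs a buffer of $(tbf_min_buffer 10mbit "$HZ") bytes"
```

At 1kbps the rate/HZ term is tiny and the MTU dominates, which is why the 1500-byte burst in the posted command works; at 10mbit on a HZ=250 kernel the bucket already has to hold 5000 bytes, and a 1500-byte burst would drop packets as the manpage warns.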
From: luciano at lugmen.org.ar (Luciano Ruete)
Date: Fri Feb 24 03:42:29 2006
Subject: [LARTC] HTB: far unequal behaivor at a slight conf rate change
In-Reply-To: <20060223223835.GA23114@EIS>
References: <200602231908.27900.luciano@lugmen.org.ar> <20060223223835.GA23114@EIS>
Message-ID: <200602232342.17692.luciano@lugmen.org.ar>

On Thursday 23 February 2006 19:38, Andreas Klauer wrote:
> On Thu, Feb 23, 2006 at 07:08:27PM -0300, Luciano Ruete wrote:
> > root->parent_all_host(256,256)->client_host_1(X,X)->host_1_prio(X*0.9,X)
> >                                                   ->host_1_dfl(X*0.1,X)
>
> What's the purpose of the 256kbit class? In the setup you posted,
> the 200/230kbit child class does not seem to have any siblings.
> Except for the root class, classes without siblings don't make sense.
> At least, I haven't seen any useful purpose for them so far.

That's because the _real_ scenario will look like this:

root->parent_all_hosts->client_host_1->prio
                                     ->dfl
                      ->client_host_2->prio
                                     ->dfl
                      ->client_host_3->prio
                                     ->dfl
                      ->client_host_N->prio
                                     ->dfl

I will use this parent_all_host class to set the total real iface rate. I've posted the reduced example for simplicity and to isolate the real problem. Anyway, I've tested a new version of the example attaching the client directly to the root class without any luck.

The script that I use for testing is attached. Also full tc statistics, taken from the beginning and after approx 3~4 minutes. Here are some highlights:

This is the 'dfl' class
class htb 1:7005 parent 1:7000[...]rate 23000bit ceil 230000bit
 Sent 4521301 bytes 3095 pkt (dropped 0, overlimits 0 requeues 0)
 lended: 467 borrowed: 2628 giants: 0
 tokens: -2193687 ctokens: 8085

This is the 'prio' class
class htb 1:7004 parent 1:7000[...]rate 207000bit ceil 230000bit
 Sent 1741028 bytes 1168 pkt (dropped 0, overlimits 0 requeues 0)
 lended: 1168 borrowed: 0 giants: 0
 tokens: 397670 ctokens: 8085

As you see, after 3 minutes the lower rate class has sent 3000 packets vs 1000 packets from the high rate one.

Don't know what to think...
> > I've attached simplified ad-hoc scripts that reproduce the scenarios:
> > tc_at_200 (full tc/iptables commands to recreate the X<200 scenario)
> > tc_at_230 (full tc/iptables commands to recreate the X>200 scenario)
>
> I haven't tested them, but they seem to be all right (except for the
> question above). I don't know if it will help at all, but could you
> post tc statistics for both 200 and 230 cases? You can get the statistics
> using 'tc -s -d qdisc/class show dev $iface' or similar command.
> Also, did you check whether HTB is complaining about anything in dmesg
> when setting up the 230 class tree?

No complaints.

> Which kernel version and iproute/tc version are you running? Just in case
> you're still suffering from old HTB bugs...

My test bed at this moment is a gentoo-kernel-2.6.14 on an x86 Gentoo on the server side (iproute2-2.6.11.20050310-r1), and a user-mode-linux-skas3-2.6.14 on the client side, with a vde_switch daemon listening on a tuntap device. I suppose that HTB is device independent; I hope it does not matter.

I have production environments waiting for my results (a couple of small local ISPs, and a similar WISP), but the problem is that I'm coding this far from home, and besides the servers, I have no access to any of the clients to force the rates. If you think this environment is somewhat "buggy", please tell.

Thanks for your response!

--
Luciano

-------------- next part --------------
A non-text attachment was scrubbed...
Name: tc_at_230_no_onlychild
Type: application/x-shellscript
Size: 1292 bytes
Desc: not available
Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20060223/04e4e6c9/tc_at_230_no_onlychild.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tc_debug_begining
Type: text/x-java
Size: 956 bytes
Desc: not available
Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20060223/04e4e6c9/tc_debug_begining.java
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tc_debug_final
Type: text/x-java
Size: 1008 bytes
Desc: not available
Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20060223/04e4e6c9/tc_debug_final.java

From gypsy at iswest.com Fri Feb 24 04:35:18 2006
From: gypsy at iswest.com (gypsy)
Date: Fri Feb 24 04:35:25 2006
Subject: [LARTC] 1k: 1000 or 1024?
References: <20060223171230.GI3411@mandriva.com>
Message-ID: <43FE7EF6.8AFD2860@iswest.com>

Andreas Hasenack wrote:
>
> The docs[1][2] suggest it's 1024, but tc says something else:
>
> # tc qdisc add dev eth0 root tbf rate 1kbps latency 50ms burst 1500
>
> # tc -s qdisc ls dev eth0
> qdisc tbf 8009: rate 8000bit burst 1499b lat 48.8ms
>                      ^^^^^^^
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
>
> If 1k were 1024, then I would have 8192bit above.
>
> 1. http://www.docum.org/docum.org/faq/cache/74.html
> 2. http://ds9a.nl/2.4Networking/howto/lartc.qdisc.html#LARTC.QDISC.EXPLAIN

Those docs are old. tc was changed at the request of several members of this ML. Search the history in May and June of 2004 or read the Changelog in the source code.

--
gypsy

From gypsy at iswest.com Fri Feb 24 04:49:10 2006
From: gypsy at iswest.com (gypsy)
Date: Fri Feb 24 04:49:17 2006
Subject: [LARTC] Is this possible?
References: <1140683889.4367.35.camel@ras.pc.brisbane.lube> <20060223092358.GA10554@EIS> <1140730078.4367.44.camel@ras.pc.brisbane.lube>
Message-ID: <43FE8236.372C591@iswest.com>

Russell Stuart wrote:
>
> On Thu, 2006-02-23 at 10:23 +0100, Andreas Klauer wrote:
> > On Thu, Feb 23, 2006 at 06:38:09PM +1000, Russell Stuart wrote:
> > > For example, let's say we have a 1000kbit link, and two
> > > classes sharing that link:
> > >
> > > - Voip - ie high prio real time, and
> > > - Web - background traffic.
> >
> > Have you measured this link, i.e. when there is no activity
> > and you start some Voip sessions, do they get a constant
> > downstream of 1000kbit?
> >
> > It may very well be that you have to measure the real throughput
> > and then go a little lower (since you have to be the bottleneck),
> > however having to throw 30% of bandwidth away sounds a bit too
> > harsh to me.
>
> The setup I gave was purely hypothetical. 300kbit
> headroom sounds way too high to me as well - any
> advice others may have on this would be appreciated.
>
> > Another way of indirect headroom would be to hard limit the Web class,
> > i.e. give the Web class a lower ceil than the other classes. This way,
> > there is bandwidth that the Web class can't use no matter what, even
> > if the link is completely empty.
>
> That is the right answer - it would achieve what I want.
> In hindsight it seems so obvious I don't know why I
> didn't think of it myself.
>
> Thanks for taking the time to answer my query.

Two more things. HTTP is a bursty protocol, so you need to think about the burst and cburst parameters you give it. If you want to squash TCP fast start, use a low burst which will backlog and eventually drop the excessive packets. On the other hand, my experience is that a slow started connection never increases its flow rate much even though the spec says it should.
And you can get better precision from HTB by setting HYSTERYSIS (did I just misspell that?), thus dequeueing a single packet rather than a pair. I don't recommend that, but you should know about it. On many ATM links it is a godsend.

In terms of headroom, I find that 85 % of real capacity always works, so I start with that and push up until something breaks. YMMV.

--
gypsy

From russell-lartc at stuart.id.au Fri Feb 24 06:03:31 2006
From: russell-lartc at stuart.id.au (Russell Stuart)
Date: Fri Feb 24 06:03:46 2006
Subject: [LARTC] Is this possible?
In-Reply-To: <43FE8236.372C591@iswest.com>
References: <1140683889.4367.35.camel@ras.pc.brisbane.lube> <20060223092358.GA10554@EIS> <1140730078.4367.44.camel@ras.pc.brisbane.lube> <43FE8236.372C591@iswest.com>
Message-ID: <1140757411.4357.39.camel@ras.pc.brisbane.lube>

On Thu, 2006-02-23 at 19:49 -0800, gypsy wrote:
> Two more things. HTTP is a bursty protocol, so you need to think about
> the burst and cburst parameters you give it.

I had already figured out that I had to send burst as small as possible. I recall reading both value is the

> If you want to squash TCP
> fast start, use a low burst which will backlog and eventually drop the
> excessive packets. On the other hand, my experience is that a slow
> started connection never increases its flow rate much even though the
> spec says it should. And you can get better precision from HTB by
> setting HYSTERYSIS (did I just misspell that?), thus dequeueing a single
> packet rather than a pair. I don't recommend that, but you should know
> about it. On many ATM links it is a godsend.

I had already figured out that I had to send burst as small as possible, but the HTB User Guide says "Latest tc tool will compute and set the smallest possible burst when it is not specified", so I had left it alone. In fact it defaults to 1919 bytes in my case. Looking at the TC source, this is calculated as:

    (rate_in_bytes_per_second / HZ) + mtu

and then rounded up to the next entry in the rate table. Perhaps:

    max(rate_in_bytes_per_second / HZ, mtu)

would have been a better choice. In my case that will evaluate to the mtu, so I will try that.

> In terms of headroom, I find that 85 % of real capacity always works, so
> I start with that and push up until something breaks. YMMV.

Excellent! Thank you.

From russell-lartc at stuart.id.au Fri Feb 24 06:11:53 2006
From: russell-lartc at stuart.id.au (Russell Stuart)
Date: Fri Feb 24 06:12:02 2006
Subject: [LARTC] Is this possible?
In-Reply-To: <43FE8236.372C591@iswest.com>
References: <1140683889.4367.35.camel@ras.pc.brisbane.lube> <20060223092358.GA10554@EIS> <1140730078.4367.44.camel@ras.pc.brisbane.lube> <43FE8236.372C591@iswest.com>
Message-ID: <1140757913.4357.48.camel@ras.pc.brisbane.lube>

Sorry for the mess posted before. I hit send by mistake.

On Thu, 2006-02-23 at 19:49 -0800, gypsy wrote:
> Two more things. HTTP is a bursty protocol, so you need to think about
> the burst and cburst parameters you give it.

I had already figured out that I had to send burst as small as possible, but the HTB User Guide says "Latest tc tool will compute and set the smallest possible burst when it is not specified", so I had left it alone. In fact it defaults to 1919 bytes in my case. Looking at the TC source, this is calculated as:

    (rate_in_bytes_per_second / HZ) + mtu

and then rounded up to the next entry in the rate table. Perhaps:

    max(rate_in_bytes_per_second / HZ, mtu)

would have been a better choice. In my case that will evaluate to the mtu, so I will try that.

> If you want to squash TCP
> fast start, use a low burst which will backlog and eventually drop the
> excessive packets. On the other hand, my experience is that a slow
> started connection never increases its flow rate much even though the
> spec says it should. And you can get better precision from HTB by
> setting HYSTERYSIS (did I just misspell that?), thus dequeueing a single
> packet rather than a pair. I don't recommend that, but you should know
> about it. On many ATM links it is a godsend.

Looking at the kernel code, HTB_HYSTERESIS is set in kernel.org kernels as shipped. You have to unset it if you have large (>100K byte) bursts, apparently.

> In terms of headroom, I find that 85 % of real capacity always works, so
> I start with that and push up until something breaks. YMMV.

Excellent! Thank you.
From samgurung at rediffmail.com Fri Feb 24 08:24:48 2006
From: samgurung at rediffmail.com (Sameer Kr. Gurung)
Date: Fri Feb 24 08:25:22 2006
Subject: [LARTC] Multiple providers routing
Message-ID: <20060224072448.10082.qmail@webmail9.rediffmail.com>

Hi folks,

I have a Linux router connected to two separate internet connections from an ISP. There is a third interface (ip -> 192.168.1.1) in the router connected to the local network. Configured the routing tables and added the rules, and everything seems to be working fine from the routing box. Traceroute to external internet sites reveals that traffic is being routed correctly and that the failover mechanism is working.

Now in my internal machines the gateway address is set to the third interface of the router, and the internal machines can ping the router (192.168.1.1). The problem is that the internal machines can't connect to the net. A quick check with pings and tcpdump revealed that the packets from the internal machines are arriving at the router and are being routed correctly... but are not coming BACK from the router to the internal machines.

Any pointers as to why this is happening would be useful....

Thanks,
Sameer Gurung
samgurung@rediffmail.com
g_sameer75@yahoo.com

From admin at darktech.org.uk Fri Feb 24 10:25:51 2006
From: admin at darktech.org.uk (admin@darktech.org.uk)
Date: Fri Feb 24 10:24:46 2006
Subject: [LARTC] tc and rrdtool graphs [ADSL-optimizer.dk]
Message-ID: <83ade2a4ca63aa65c2b7c3bc0ac58224@192.168.1.4>

Anyone know how to use tc and rrdtool to create queue based graphs? I'm currently using http://www.adsl-optimizer.dk/ADSL-optimizer, of which the ddraw.cgi doesn't work properly on Debian testing. I'm looking for graphs like this: http://www.adsl-optimizer.dk/graph-shots/12hours/

If anyone's done this with adsl-optimizer, or has any suggestions where to start with creating graphs like this, then please reply. Many thanks for your help.

From Andreas.Klauer at metamorpher.de Fri Feb 24 10:36:13 2006
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Fri Feb 24 10:38:01 2006
Subject: [LARTC] HTB: far unequal behaivor at a slight conf rate change
In-Reply-To: <200602232342.17692.luciano@lugmen.org.ar>
References: <200602231908.27900.luciano@lugmen.org.ar> <20060223223835.GA23114@EIS> <200602232342.17692.luciano@lugmen.org.ar>
Message-ID: <20060224093613.GA10794@EIS>

On Thu, Feb 23, 2006 at 11:42:16PM -0300, Luciano Ruete wrote:
> That's because the _real_ scenario will look like this:
>
> root->parent_all_hosts->client_host_1->prio
>                                      ->dfl
[...]
>                       ->client_host_N->prio
>                                      ->dfl

Oh, okay, so you simplified it that way. All right.

> As you see, after 3 minutes the lower rate class has sent 3000 packets vs 1000
> packets from the high rate one. Don't know what to think...

There may be a misunderstanding between us; the way you modified your class tree now, it seems to have errors. I'll explain below.

> My test bed at this moment is a gentoo

Right. No complaints here. ;-)

> with vde_switch daemon listening in a tuntap device.
> I suppose that htb is device independent, I hope it does not matter.

I don't have any experience with vde_switch and tuntaps (I don't even know what those are, so much for ignorance). The only device-dependent factor I came across with HTB so far is the overhead problem - not all devices have the same overhead (PPP over Ethernet or whatever). So HTB calculating the rate incorrectly is a possibility. It can be tuned using overhead/mpu parameters, however in order to do that, you'd need to know correct values first, and they can be a little hard to come by. I also doubt it's the cause of your problem in this case.
> class htb 1:7005 parent 1:7000 leaf 7005: prio 3 quantum 1500 rate 23000bit ceil 230000bit burst 12Kb/8 mpu 0b overhead 0b cburst 1714b/8 mpu 0b overhead 0b level 0
> class htb 1:7004 parent 1:7000 leaf 7004: prio 1 quantum 1500 rate 207000bit ceil 230000bit burst 12Kb/8 mpu 0b overhead 0b cburst 1714b/8 mpu 0b overhead 0b level 0
> class htb 1:7000 root rate 256000bit ceil 256000bit burst 12Kb/8 mpu 0b overhead 0b cburst 1728b/8 mpu 0b overhead 0b level 7

The problem with this tree is that you took out the client class (the one with rate and ceil 230000bit). When I said that child classes without siblings don't make sense, I didn't mean to actually take out the child class, but rather take out the parent of this child class; in your example that would mean making the 230000bit class the root class.

In your setup now, by just looking at the class tree, not the statistics, my guess would be that while each leaf class has a ceil of 230000bit, they won't share the same 230000kbit, but rather utilize the full 256kbit of their parent. That does not seem to be what you want.

It still does not explain the rates in this setup, though. Especially the rate of the parent class seems low - if this is a testing environment where you are filling out the classes to their maximum, it's really odd that the parent class does not use its full bandwidth. On the other hand, I don't know how accurate the rate statistics of HTB are. I don't have access to a properly working shaping setup right now to verify whether it's the same on my setup. If it isn't, I'd probably check first how much rate HTB can actually use, because it's a very bad situation for HTB when it thinks it can use more bandwidth than the link actually can guarantee.

Regards
Andreas Klauer

From spiney at spiney.org Fri Feb 24 15:08:58 2006
From: spiney at spiney.org (Wolfgang Karall)
Date: Fri Feb 24 15:08:52 2006
Subject: [LARTC] tc and rrdtool graphs [ADSL-optimizer.dk]
In-Reply-To: <83ade2a4ca63aa65c2b7c3bc0ac58224@192.168.1.4>
References: <83ade2a4ca63aa65c2b7c3bc0ac58224@192.168.1.4>
Message-ID: <1140790138.18821.28.camel@t43p.spiney.org>

On Fri, 2006-02-24 at 09:25 +0000, admin@darktech.org.uk wrote:
> im looking for graphs like this:
> http://www.adsl-optimizer.dk/graph-shots/12hours/

I produce similar output with a Munin (http://munin.sf.net) Plugin called polltc from http://talk.trekweb.com/~jasonb/software.shtml after writing a similar Munin-Plugin myself for private use (but Jason's definitely works better :).

Regards
WK

--
Using Unison on the Nokia 770
http://linux.spiney.org/debian_linux_maemo_nokia_770_unison_port

From sebi at sebi.org Fri Feb 24 16:20:33 2006
From: sebi at sebi.org (Sebastian Bork)
Date: Fri Feb 24 16:21:40 2006
Subject: [LARTC] Balancing multiple connections and NAT
In-Reply-To: <17406.2440.239945.166270@mail.linux-delhi.org>
References: <17406.2440.239945.166270@mail.linux-delhi.org>
Message-ID: <1140794433.4544.25.camel@eris.sebi.org>

On Fri, 2006-02-24 at 00:44 +0530, Raj Mathur wrote:
> I have a client connected to the 'net through 3 ISP's. Have set up a
> Linux box to do routing and load sharing for the 3 connections. A
> fourth interface is connected to the LAN with private IP addresses.
> Am using iptables to SNAT traffic to the appropriate IP depending on
> the interface the packet gets routed onto.

I use exactly the same setup with a customer's connection, the only difference: I use MASQUERADE instead of SNAT. I did not see anything like the problem you describe. Maybe because MASQUERADE works stateful, SNAT not? If you do not have a special reason for using SNAT, I think you should try MASQUERADE.

If your problem persists, please tell me, as I have to look at my customer's setup very closely then, to catch this before anyone complains.

From ahasenack at terra.com.br Fri Feb 24 18:57:29 2006
From: ahasenack at terra.com.br (Andreas Hasenack)
Date: Fri Feb 24 18:58:42 2006
Subject: [LARTC] why isn't 1:1 getting the traffic? [filter question]
Message-ID: <20060224175729.GF3794@mandriva.com>

With the below script, whenever I ping 10.0.16.10 (which matches the only filter I have), traffic still gets sent to the default 1:2 class instead of 1:1 and I don't know why... Any hints?

(kernel 2.6.12, iproute2-2.6.15)

tc qdisc del dev eth0 root > /dev/null 2>&1
tc qdisc add dev eth0 handle 1: root htb default 2
tc class add dev eth0 classid 1:1 parent 1: htb rate 100kbps ceil 100kbps quantum 1500
tc class add dev eth0 classid 1:2 parent 1: htb rate 90mbit ceil 90mbit quantum 1500
tc qdisc add dev eth0 handle 2: parent 1:2 sfq perturb 10
tc class add dev eth0 classid 1:10 parent 1:1 htb prio 0 rate 30kbps quantum 1500
tc qdisc add dev eth0 handle 10: parent 1:10 sfq perturb 10
tc class add dev eth0 classid 1:11 parent 1:1 htb prio 0 rate 70kbps ceil 100kbps quantum 1500
tc qdisc add dev eth0 handle 20: parent 1:11 sfq perturb 10
tc class add dev eth0 classid 1:12 parent 1:1 htb rate 60kbps ceil 100kbps quantum 1500
tc qdisc add dev eth0 handle 30: parent 1:12 sfq perturb 10
tc filter add dev eth0 parent 1:0 prio 1 protocol ip u32 \
   match ip dst 10.0.16.10/32 \
   flowid 1:1

Status after pinging 10.0.16.10 a few times (notice traffic on 1:2, but not on 1:1):

qdisc htb 1: r2q 10 default 2 direct_packets_stat 0 ver 3.17
 Sent 516 bytes 7 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 2: parent 1:2 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 516 bytes 7 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 10: parent 1:10 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 20: parent 1:11 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 30: parent 1:12 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

class htb 1:11 parent 1:1 leaf 20: prio 0 quantum 1500 rate 560000bit ceil 800000bit burst 1669b/8 mpu 0b overhead 0b cburst 1699b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 24429 ctokens: 17408

class htb 1:1 root rate 800000bit ceil 800000bit burst 1699b/8 mpu 0b overhead 0b cburst 1699b/8 mpu 0b overhead 0b level 7
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 17408 ctokens: 17408

class htb 1:10 parent 1:1 leaf 10: prio 0 quantum 1500 rate 240000bit ceil 240000bit burst 1629b/8 mpu 0b overhead 0b cburst 1629b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 55636 ctokens: 55636

class htb 1:2 root leaf 2: prio 0 quantum 1500 rate 90000Kbit ceil 90000Kbit burst 12836b/8 mpu 0b overhead 0b cburst 12836b/8 mpu 0b overhead 0b level 0
 Sent 516 bytes 7 pkt (dropped 0, overlimits 0 requeues 0)
 rate 8bit 0pps backlog 0b 0p requeues 0
 lended: 7 borrowed: 0 giants: 0
 tokens: 1164 ctokens: 1164

class htb 1:12 parent 1:1 leaf 30: prio 0 quantum 1500 rate 480000bit ceil 800000bit burst 1659b/8 mpu 0b overhead 0b cburst 1699b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 28329 ctokens: 17408

From raju at linux-delhi.org Fri Feb 24 19:53:15 2006
From: raju at linux-delhi.org (Raj Mathur)
Date: Fri Feb 24 19:53:26 2006
Subject: [LARTC] Balancing multiple connections and NAT
In-Reply-To: <1140794433.4544.25.camel@eris.sebi.org>
References: <17406.2440.239945.166270@mail.linux-delhi.org> <1140794433.4544.25.camel@eris.sebi.org>
Message-ID: <17407.22043.766649.753382@mail.linux-delhi.org>

>>>>> "Sebastian" == Sebastian Bork writes:

    Sebastian> On Fri, 2006-02-24 at 00:44 +0530, Raj Mathur wrote:
    >> I have a client connected to the 'net through 3 ISP's. Have
    >> set up a Linux box to do routing and load sharing for the 3
    >> connections. A fourth interface is connected to the LAN with
    >> private IP addresses. Am using iptables to SNAT traffic to the
    >> appropriate IP depending on the interface the packet gets
    >> routed onto.

    Sebastian> I use exactly the same setup with a customer's
    Sebastian> connection, the only difference: I use MASQUERADE
    Sebastian> instead of SNAT. I did not see anything like the
    Sebastian> problem you describe. Maybe because MASQUERADE works
    Sebastian> stateful, SNAT not? If you do not have a special reason
    Sebastian> for using SNAT, I think you should try MASQUERADE. If
    Sebastian> your problem persists, please tell me, as I have to look
    Sebastian> at my customer's setup very closely then, to catch this
    Sebastian> before anyone complains.

Well, both MASQUERADE and SNAT are stateful (MASQUERADE is just a special case of SNAT as far as I remember); however it's worth a shot if it's working for you.

It's pretty easy to trap the wrong source IP errors -- going back to my example, just run:

    tcpdump -i intA -q -t -n ! host ipA
    tcpdump -i intB -q -t -n ! host ipB
    tcpdump -i intC -q -t -n ! host ipC

Any IP packets that get displayed will be those with wrong source IPs. You may need to start some large FTP uploads or similar and watch for a while -- the problem manifests itself for me when the client is uploading 10+ MB files to his public FTP server.
Of course, it may be present in other places also, but outgoing FTP comprises the bulk of his traffic so it's most patent there.

Digressing a bit, from the responses I've got from this list, it seems that a kernel patch is required to make the whole load sharing + iptables NAT work properly. I'm a bit disappointed that this isn't part of the mainstream kernel -- any chances of it being rolled in upstream?

Regards,

-- Raju
--
Raj Mathur                raju@kandalaya.org      http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
It is the mind that moves

From ahasenack at terra.com.br Fri Feb 24 20:01:48 2006
From: ahasenack at terra.com.br (Andreas Hasenack)
Date: Fri Feb 24 20:03:17 2006
Subject: [LARTC] tc filter can target only leaf classes?
Message-ID: <20060224190143.GA6809@mandriva.com>

(using htb)

I'm trying to learn tc filter and it seems the flowid parameter can only point to leaf classes. Actually, it can point anywhere, but it doesn't seem to work unless it points to a leaf class. Is this correct?

For example, I have this tree:

            eth0
             |
     +-------1:-------+
     |                |
 +---1:10            1:20
 |    |               |
1:30 1:40            20:
 |    |
30:  40:

1: is the htb qdisc, with default pointing to minor 20. And this filter:

iptables -t mangle -A OUTPUT -d $DSTHOST -j MARK --set-mark 1
tc filter add dev $DEV parent 1:0 prio 1 protocol ip \
   handle 1 \
   fw \
   flowid 1:10

Now, I only see 1:10 getting the traffic if 1:30 and 1:40 don't exist. The moment I add 1:30, 1:40 and their qdiscs, the above filter stops working and this same traffic starts going to 1:20, which is the default set at 1:'s qdisc.

Why does the filter stop working? I was expecting it to keep working and then I could further filter this traffic into 1:30 and 1:40 *at* 1:10.

From ahasenack at terra.com.br Fri Feb 24 22:19:53 2006
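Raj Mathur's tcpdump check above can be replayed offline against captured lines. The following is an added example, not code from the thread: it applies the `! host ipX` test to constructed `tcpdump -q -t -n` output and separates packets that escaped NAT entirely from packets stamped with another uplink's address. Interface names, addresses and the capture are constructed.

```python
"""Spot packets leaving an uplink with the wrong source address.

Added example, not code from the thread. It replays the check described
above (`tcpdump -i intX -q -t -n ! host ipX`) over captured lines offline
and tells packets that skipped NAT entirely apart from packets stamped
with another uplink's address. Interfaces, addresses and capture lines
are constructed.
"""
import ipaddress
import re
from collections import Counter
from typing import List, Optional, Tuple

# Constructed: egress interface -> public address SNAT should stamp on it.
UPLINKS = {"eth1": "203.0.113.5", "eth2": "198.51.100.7"}
# RFC 1918 space used on the LAN; it must never leave an uplink unNATted.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# tcpdump -q -t -n prints e.g. "IP 203.0.113.5.40123 > 192.0.2.200.21: tcp 0"
LINE_RE = re.compile(
    r"^IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (?P<proto>\w+)"
)


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (src, dst, proto) for one tcpdump line, or None if unparsable."""
    m = LINE_RE.match(line.strip())
    return (m["src"], m["dst"], m["proto"].lower()) if m else None


def classify(src: str) -> str:
    """Explain why a packet carries a source other than the uplink's own IP."""
    if src in UPLINKS.values():
        return "wrong-uplink"    # NATted, but with another uplink's address
    if any(ipaddress.ip_address(src) in net for net in LAN_NETS):
        return "unnatted"        # LAN address escaped SNAT/MASQUERADE entirely
    return "other"


def leaked_packets(iface: str, lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Emulate `! host <iface IP>`: keep packets that neither come from nor go
    to the interface's own address, each tagged with a likely cause."""
    own = UPLINKS[iface]
    leaks = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto = parsed
        if own in (src, dst):
            continue
        leaks.append((src, dst, proto, classify(src)))
    return leaks


def leak_summary(iface: str, lines: List[str]) -> Counter:
    """Count leaked packets per cause."""
    return Counter(kind for *_, kind in leaked_packets(iface, lines))


# Constructed capture on eth1 during an FTP upload to 192.0.2.200.
CAPTURE_ETH1 = """\
IP 203.0.113.5.40123 > 192.0.2.200.21: tcp 0
IP 192.0.2.200.21 > 203.0.113.5.40123: tcp 0
IP 198.51.100.7.40124 > 192.0.2.200.21: tcp 1448
IP 192.168.1.23.40125 > 192.0.2.200.21: tcp 1448
IP 198.51.100.7.40124 > 192.0.2.200.21: tcp 1448
IP 203.0.113.5 > 192.0.2.200: ICMP echo request, id 7, seq 1, length 64
"""

if __name__ == "__main__":
    lines = CAPTURE_ETH1.splitlines()
    for src, dst, proto, kind in leaked_packets("eth1", lines):
        print(f"eth1: {src} -> {dst} {proto}: {kind}")
    print(dict(leak_summary("eth1", lines)))
```

A "wrong-uplink" hit points at a connection whose NAT mapping was made while the route pointed at another provider; an "unnatted" hit means the packet bypassed the SNAT rule altogether.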
From: ahasenack at terra.com.br (Andreas)
Date: Fri Feb 24 22:20:06 2006
Subject: [LARTC] why isn't 1:1 getting the traffic? [filter question]
In-Reply-To: <2af436490602241235g2d35394du1f3a039b7deda45b@mail.gmail.com>
References: <20060224175729.GF3794@mandriva.com> <2af436490602241235g2d35394du1f3a039b7deda45b@mail.gmail.com>
Message-ID: <43FF7879.6070802@terra.com.br>

Jody Shumaker wrote:
>>tc qdisc del dev eth0 root > /dev/null 2>&1
>>tc qdisc add dev eth0 handle 1: root htb default 2
>>tc class add dev eth0 classid 1:1 parent 1: htb rate 100kbps ceil 100kbps quantum 1500
>>tc class add dev eth0 classid 1:2 parent 1: htb rate 90mbit ceil 90mbit quantum 1500
>
>
> You're defining 2 root classes to the HTB qdisc, while it should
> possibly have given an error, it seems to instead just put the first
> one, 1:1, into a state of limbo where its never used.
>
> This was fairly obvious looking at your tc statistics output, where it
> lists both 1:1 and 1:2 as roots with no parent. There can only be one
> valid root class.

Why? I need two virtual circuits. I don't want the 90mbit class interfere with the 200kbit class: no lending, no borrowing.

> Should really set it up something like this with one main root:
> tc qdisc add dev eth0 handle 1: root htb default 2
> tc class add dev eth0 classid 1:0 parent 1: htb rate 90100kbps ceil
> 90100kbps quantum 1500
> tc class add dev eth0 classid 1:1 parent 1:0 htb rate 100kbps ceil
> 100kbps quantum 1500
> tc class add dev eth0 classid 1:2 parent 1:0 htb rate 90mbit ceil
> 90mbit quantum 1500
>
> Then I imagine your tc filter would actually work.

It actually works if I use a *leaf* class as the target of the filter (see my subsequent email). But this contradicts the documentation, which even mentions one could gain speed by adding further filters to other classes besides a root one.

From Andreas.Klauer at metamorpher.de Sat Feb 25 00:01:07 2006
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Sat Feb 25 00:01:28 2006
Subject: [LARTC] why isn't 1:1 getting the traffic? [filter question]
In-Reply-To: <43FF7879.6070802@terra.com.br>
References: <20060224175729.GF3794@mandriva.com> <2af436490602241235g2d35394du1f3a039b7deda45b@mail.gmail.com> <43FF7879.6070802@terra.com.br>
Message-ID: <20060224230107.GB18909@EIS>

On Fri, Feb 24, 2006 at 06:19:53PM -0300, Andreas wrote:
> >This was fairly obvious looking at your tc statistics output, where it
> >lists both 1:1 and 1:2 as roots with no parent. There can only be one
> >valid root class.
>
> Why? I need two virtual circuits. I don't want the 90mbit class
> interfere with the 200kbit class: no lending, no borrowing.

I think there can be more than just one root class - the question is just whether it makes sense or not. I prefer using one root class - after all, you've only got one interface, and you have to make sure that you do not exceed the total interface capacity. Therefore, the root class is the interface limiter.

You can add isolated circuits to that root class easily; as long as all child classes of the root class have the same rate and ceil, no lending or borrowing between them will be done, simply because it is not necessary. This way you get your desired features plus an overview on how much rate the physical interface actually has to offer - from my point of view, that's a win-win situation.

> It actually works if I use a *leaf* class as the target of the filter
> (see my subsequent email). But this contradicts the documentation, which
> even mentions one could gain speed by adding further filters to other
> classes besides a root one.

I never got filters to work that do not point to leaf classes. Whether it is possible at all or not, I do not know. Maybe it was planned and turned out to be too complicated - maybe it is implemented but not working due to some undiscovered bug. I'm too lazy to look at the code right now.
I usually end up using iptables for classification; I find it to be far more user-friendly than the tc filters, and you can group filters any way you want.

Regards
Andreas Klauer

From gypsy at iswest.com Sat Feb 25 04:36:19 2006
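The class-tree problems raised in this thread (two root classes under one HTB qdisc, a filter whose flowid names a non-leaf class, and leaves that borrow up to their parent's full rate rather than the rate the author intended) can be checked mechanically from `tc -s -d class show` output. The following lint is an added example, not code from the thread or from iproute2; its two inputs are the class lines posted above with their statistics lines dropped, and the oversubscription and unreachable-ceil checks are standard HTB rules rather than points made in the thread.

```python
"""Lint an HTB class tree from `tc -s -d class show dev <dev>` output.

Added example, not code from this thread or from iproute2. It parses the
`class htb ...` lines of a dump and reports: several root classes, children
whose rates oversubscribe their parent, child ceils the parent can never
honour, spare parent rate the leaves will borrow, and whether a filter's
flowid names a leaf. The two dumps are the ones posted in this thread.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CLASS_RE = re.compile(
    r"^class htb (?P<id>\S+) (?:parent (?P<parent>\S+)|root)"
    r"(?: leaf (?P<leaf>\S+))?.*? rate (?P<rate>\S+) ceil (?P<ceil>\S+)"
)
# tc prints k/M/G as powers of ten (see the "1k: 1000 or 1024?" message).
UNITS = {"bit": 1, "kbit": 10**3, "mbit": 10**6, "gbit": 10**9}


def parse_rate(text: str) -> int:
    """'90000Kbit' -> 90000000 bit/s."""
    m = re.fullmatch(r"(\d+)([A-Za-z]+)", text)
    if not m or m.group(2).lower() not in UNITS:
        raise ValueError(f"unparsable rate {text!r}")
    return int(m.group(1)) * UNITS[m.group(2).lower()]


@dataclass
class HtbClass:
    id: str
    parent: Optional[str]   # None for a root class
    leaf: Optional[str]     # handle of the attached qdisc, if any
    rate: int               # bit/s
    ceil: int               # bit/s
    children: List[str] = field(default_factory=list)


def parse_dump(text: str) -> Dict[str, HtbClass]:
    """Collect the class lines and link each child to its parent."""
    classes: Dict[str, HtbClass] = {}
    for line in text.splitlines():
        m = CLASS_RE.match(line.strip())
        if m:
            cls = HtbClass(m["id"], m["parent"], m["leaf"],
                           parse_rate(m["rate"]), parse_rate(m["ceil"]))
            classes[cls.id] = cls
    for cls in classes.values():
        if cls.parent in classes:
            classes[cls.parent].children.append(cls.id)
    return classes


def lint(classes: Dict[str, HtbClass]) -> List[str]:
    issues = []
    roots = [c.id for c in classes.values() if c.parent is None]
    if len(roots) > 1:
        issues.append(f"multiple root classes {roots}: no single interface limit")
    for c in classes.values():
        if not c.children:
            continue
        total = sum(classes[k].rate for k in c.children)
        if total > c.rate:
            issues.append(f"{c.id}: children's rates sum to {total}bit, more "
                          f"than its own rate {c.rate}bit (oversubscribed)")
        elif total < c.rate:
            # Leaves borrow up to the parent's rate, not up to their summed rates.
            issues.append(f"{c.id}: children's rates sum to {total}bit but the "
                          f"class offers {c.rate}bit; together they can borrow "
                          f"the extra {c.rate - total}bit")
        for k in c.children:
            if classes[k].ceil > c.ceil:
                issues.append(f"{k}: ceil {classes[k].ceil}bit exceeds parent "
                              f"{c.id} ceil {c.ceil}bit and can never be reached")
    return issues


def is_leaf(classes: Dict[str, HtbClass], classid: str) -> bool:
    """In this thread, filters only took effect when flowid named a leaf."""
    return classid in classes and not classes[classid].children


# Dump from the "why isn't 1:1 getting the traffic?" message (statistics removed).
DUMP_TWO_ROOTS = """\
class htb 1:11 parent 1:1 leaf 20: prio 0 quantum 1500 rate 560000bit ceil 800000bit burst 1669b/8 mpu 0b overhead 0b cburst 1699b/8 mpu 0b overhead 0b level 0
class htb 1:1 root rate 800000bit ceil 800000bit burst 1699b/8 mpu 0b overhead 0b cburst 1699b/8 mpu 0b overhead 0b level 7
class htb 1:10 parent 1:1 leaf 10: prio 0 quantum 1500 rate 240000bit ceil 240000bit burst 1629b/8 mpu 0b overhead 0b cburst 1629b/8 mpu 0b overhead 0b level 0
class htb 1:2 root leaf 2: prio 0 quantum 1500 rate 90000Kbit ceil 90000Kbit burst 12836b/8 mpu 0b overhead 0b cburst 12836b/8 mpu 0b overhead 0b level 0
class htb 1:12 parent 1:1 leaf 30: prio 0 quantum 1500 rate 480000bit ceil 800000bit burst 1659b/8 mpu 0b overhead 0b cburst 1699b/8 mpu 0b overhead 0b level 0
"""

# Dump from the "far unequal behaivor" thread (statistics removed).
DUMP_SPARE_PARENT = """\
class htb 1:7005 parent 1:7000 leaf 7005: prio 3 quantum 1500 rate 23000bit ceil 230000bit burst 12Kb/8 mpu 0b overhead 0b cburst 1714b/8 mpu 0b overhead 0b level 0
class htb 1:7004 parent 1:7000 leaf 7004: prio 1 quantum 1500 rate 207000bit ceil 230000bit burst 12Kb/8 mpu 0b overhead 0b cburst 1714b/8 mpu 0b overhead 0b level 0
class htb 1:7000 root rate 256000bit ceil 256000bit burst 12Kb/8 mpu 0b overhead 0b cburst 1728b/8 mpu 0b overhead 0b level 7
"""

if __name__ == "__main__":
    for name, dump in (("two roots", DUMP_TWO_ROOTS), ("spare parent", DUMP_SPARE_PARENT)):
        tree = parse_dump(dump)
        print(f"== {name}: is 1:1 a valid filter target? {is_leaf(tree, '1:1')}")
        for issue in lint(tree):
            print("  ", issue)
```

On the first dump it reports both the two root classes and that 1:1 (30+70+60 kbps under a 100 kbps class) is oversubscribed; on the second it reports the 26000bit the two leaves can borrow beyond their combined rate.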
From: gypsy at iswest.com (gypsy)
Date: Sat Feb 25 04:36:26 2006
Subject: [LARTC] why isn't 1:1 getting the traffic? [filter question]
References: <20060224175729.GF3794@mandriva.com>
Message-ID: <43FFD0B3.1DB2A21C@iswest.com>

Andreas Hasenack wrote:
>
> With the below script, whenever I ping 10.0.16.10 (which matches the
> only filter I have), traffic still gets sent to the default 1:2 class
> instead of 1:1 and I don't know why... Any hints?
>
> (kernel 2.6.12, iproute2-2.6.15)
>
> tc qdisc del dev eth0 root > /dev/null 2>&1
> tc qdisc add dev eth0 handle 1: root htb default 2
> tc class add dev eth0 classid 1:1 parent 1: htb rate 100kbps ceil 100kbps quantum 1500
> tc class add dev eth0 classid 1:2 parent 1: htb rate 90mbit ceil 90mbit quantum 1500
> tc qdisc add dev eth0 handle 2: parent 1:2 sfq perturb 10
> tc class add dev eth0 classid 1:10 parent 1:1 htb prio 0 rate 30kbps quantum 1500
> tc qdisc add dev eth0 handle 10: parent 1:10 sfq perturb 10
> tc class add dev eth0 classid 1:11 parent 1:1 htb prio 0 rate 70kbps ceil 100kbps quantum 1500
> tc qdisc add dev eth0 handle 20: parent 1:11 sfq perturb 10
> tc class add dev eth0 classid 1:12 parent 1:1 htb rate 60kbps ceil 100kbps quantum 1500
> tc qdisc add dev eth0 handle 30: parent 1:12 sfq perturb 10
> tc filter add dev eth0 parent 1:0 prio 1 protocol ip u32 \
>    match ip dst 10.0.16.10/32 \
>    flowid 1:1
>
> Status after pinging 10.0.16.10 a few times (notice traffic on 1:2, but not on 1:1):
> qdisc htb 1: r2q 10 default 2 direct_packets_stat 0 ver 3.17
>  Sent 516 bytes 7 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
> qdisc sfq 2: parent 1:2 limit 128p quantum 1514b flows 128/1024 perturb 10sec
>  Sent 516 bytes 7 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
> qdisc sfq 10: parent 1:10 limit 128p quantum 1514b flows 128/1024 perturb 10sec
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
> qdisc sfq 20: parent 1:11 limit 128p quantum 1514b flows 128/1024 perturb 10sec
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
> qdisc sfq 30: parent 1:12 limit 128p quantum 1514b flows 128/1024 perturb 10sec
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
>
> class htb 1:11 parent 1:1 leaf 20: prio 0 quantum 1500 rate 560000bit ceil 800000bit burst 1669b/8 mpu 0b overhead 0b cburst 1699b/8 mpu 0b overhead 0b level 0
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
>  lended: 0 borrowed: 0 giants: 0
>  tokens: 24429 ctokens: 17408
>
> class htb 1:1 root rate 800000bit ceil 800000bit burst 1699b/8 mpu 0b overhead 0b cburst 1699b/8 mpu 0b overhead 0b level 7
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
>  lended: 0 borrowed: 0 giants: 0
>  tokens: 17408 ctokens: 17408
>
> class htb 1:10 parent 1:1 leaf 10: prio 0 quantum 1500 rate 240000bit ceil 240000bit burst 1629b/8 mpu 0b overhead 0b cburst 1629b/8 mpu 0b overhead 0b level 0
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
>  lended: 0 borrowed: 0 giants: 0
>  tokens: 55636 ctokens: 55636
>
> class htb 1:2 root leaf 2: prio 0 quantum 1500 rate 90000Kbit ceil 90000Kbit burst 12836b/8 mpu 0b overhead 0b cburst 12836b/8 mpu 0b overhead 0b level 0
>  Sent 516 bytes 7 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 8bit 0pps backlog 0b 0p requeues 0
>  lended: 7 borrowed: 0 giants: 0
>  tokens: 1164 ctokens: 1164
>
> class htb 1:12 parent 1:1 leaf 30: prio 0 quantum 1500 rate 480000bit ceil 800000bit burst 1659b/8 mpu 0b overhead 0b cburst 1699b/8 mpu 0b overhead 0b level 0
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
>  lended: 0 borrowed: 0 giants: 0
>  tokens: 28329 ctokens: 17408

Andreas,

Your filter looks for protocol ip. Are you POSITIVE your ping uses ip? Try 'protocol all' rather than 'protocol ip'.

--
gypsy

From abhishekm at cdac.in Wed Mar 1 04:31:01 2006
From: abhishekm at cdac.in (Abhishek Misra)
Date: Sat Feb 25 07:31:45 2006
Subject: [LARTC] query on Compiling
References: <30580f240601161049l6fd18a5fq947ec20d3facca04@mail.gmail.com>
Message-ID: <002201c63ce0$90bcf000$1206a8c0@dimple>

Hello,

Please let me know if it is possible to compile the Linux network stack, or say just UDP, separately. Entire kernel compilation takes a lot of time. I need to avoid that.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060228/81ae9585/attachment.htm

From luciano at lugmen.org.ar Sat Feb 25 12:06:18 2006
From: luciano at lugmen.org.ar (Luciano Ruete)
Date: Sat Feb 25 12:06:32 2006
Subject: [LARTC] HTB: far unequal behaivor at a slight conf rate change [Solved]
In-Reply-To: <20060224093613.GA10794@EIS>
References: <200602231908.27900.luciano@lugmen.org.ar> <200602232342.17692.luciano@lugmen.org.ar> <20060224093613.GA10794@EIS>
Message-ID: <200602250806.19133.luciano@lugmen.org.ar>

On Friday 24 February 2006 06:36, Andreas Klauer wrote:
> On Thu, Feb 23, 2006 at 11:42:16PM -0300, Luciano Ruete wrote:
> > with vde_switch daemon listening in a tuntap device.
> > I suppose that htb is device independent, I hope it does not matter.
>
> I don't have any experience with vde_switch and tuntap's (I don't even know
> what those are, so much for ignorance). The only device-dependent factor I
> came across with HTB so far is the overhead problem - not all devices have
> the same overhead (PPP over Ethernet or whatever). So HTB calculating the
> rate incorrectly is a possibility. It can be tuned using overhead/mpu
> parameters, however in order to do that, you'd need to know correct values
> first, and they can be a little hard to come by. I also doubt it's the
> cause of your problem in this case.

You're right, and it will not be the only time in this mail :-)

> > class htb 1:7005 parent 1:7000 leaf 7005: prio 3 quantum 1500 rate
> > 23000bit ceil 230000bit burst 12Kb/8 mpu 0b overhead 0b cburst 1714b/8
> > mpu 0b overhead 0b level 0 class htb 1:7004 parent 1:7000 leaf 7004: prio
> > 1 quantum 1500 rate 207000bit ceil 230000bit burst 12Kb/8 mpu 0b overhead
> > 0b cburst 1714b/8 mpu 0b overhead 0b level 0 class htb 1:7000 root rate
> > 256000bit ceil 256000bit burst 12Kb/8 mpu 0b overhead 0b cburst 1728b/8
> > mpu 0b overhead 0b level 7
>
> The problem with this tree is that you took out the client class (the one
> with rate and ceil 230000bit). When I said that child classes without
> siblings don't make sense, I didn't mean to actually take out the child
> class, but rather take out the parent of this child class; in your example
> that would mean making the 230000bit class the root class.
>
> In your setup now, by just looking at the class tree, not the statistics,
> my guess would be that while each leaf class has a ceil of 230000bit,
> they won't share the same 230000kbit, but rather utilize the full 256kbit
> of their parent. That does not seem to be what you want. It still does
> not explain the rates in this setup, too.

Yes, once again you're right, but I consider it irrelevant for the test that I was doing. Anyway, as you say, it still does not explain the situation...

> Especially the rate of the parent class seems low - if this is a testing
> environment where you are filling out the classes to their maximum, it's
> really odd that the parent class does not use its full bandwidth. On the
> other hand, I don't know how accurate the rate statistics of HTB are.
> I don't have access to a properly working shaping setup right now to
> verify whether it's the same on my setup.
>
> If it isn't, I'd probably check first how much rate HTB can actually
> use, because it's a very bad situation for HTB when it thinks it can
> use more bandwidth than the link actually can guarantee.

For the third time you are so right. I booted a second virtual machine and tested the same htb setup between the two virtual machines, using my gentoo as firewall. Obviously the bandwidth between them can be considered infinite, and the setup works properly. So I made several tests on the link I was testing with before, and at no moment did I get a real 256kbit/s. This explains the whole situation. Shame on me!!!

I've added a FAQ about this to my project after this. When I have a first public release (which will be soon), I will post here (if it does not bother) for one time only the project url, and some words on what it does.

For now I leave a stable snapshot of my git tree at

git-clone http://www.lugmen.org.ar/~luciano/git-repo/htb-gen/.git

or simply point a browser to http://www.lugmen.org.ar/~luciano/git-repo/htb-gen/

Many thanks for your help!

--
Luciano

From andy.furniss at dsl.pipex.com Sat Feb 25 12:43:06 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Sat Feb 25 12:43:00 2006
Subject: [LARTC] tc filter can target only leaf classes?
In-Reply-To: <20060224190143.GA6809@mandriva.com>
References: <20060224190143.GA6809@mandriva.com>
Message-ID: <440042CA.8020207@dsl.pipex.com>

Andreas Hasenack wrote:
> (using htb)
>
> I'm trying to learn tc filter and it seems the flowid parameter can only
> point to leaf classes. Actually, it can point anywhere, but it doesn't
> seem to work unless it points to a leaf class. Is this correct?
>
> For example, I have this tree:
>
>              eth0
>               |
>       +------1:-------+
>       |               |
>   +------1:10        1:20
>   |       |           |
>  1:30    1:40        20:
>   |       |
>  30:     40:
>
> 1: is htb qdisc, with default pointing to minor 20.
>
> And this filter:
>
> iptables -t mangle -A OUTPUT -d $DSTHOST -j MARK --set-mark 1
> tc filter add dev $DEV parent 1:0 prio 1 protocol ip \
>     handle 1 \
>     fw \
>     flowid 1:10
>
> Now, I only see 1:10 getting the traffic if 1:30 and 1:40 don't exist.
> The moment I add 1:30, 1:40 and their qdiscs, the above filter stops
> working and this same traffic starts going to 1:20, which is the default
> set at 1:'s qdisc.
>
> Why does the filter stop working? I was expecting it to keep working and
> then I could further filter this traffic into 1:30 and 1:40 *at* 1:10.

You need other filters with parent 1:10 to send to leafs below 1:10

Andy.

From andy.furniss at dsl.pipex.com Sat Feb 25 12:45:50 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Sat Feb 25 12:45:45 2006
Subject: [LARTC] why isn't 1:1 getting the traffic? [filter question]
In-Reply-To: <20060224175729.GF3794@mandriva.com>
References: <20060224175729.GF3794@mandriva.com>
Message-ID: <4400436E.20901@dsl.pipex.com>

Andreas Hasenack wrote:
> With the below script, whenever I ping 10.0.16.10 (which matches the
> only filter I have), traffic still gets sent to the default 1:2 class
> instead of 1:1 and I don't know why... Any hints?
>
> (kernel 2.6.12, iproute2-2.6.15)
>
> tc qdisc del dev eth0 root > /dev/null 2>&1
> tc qdisc add dev eth0 handle 1: root htb default 2
> tc class add dev eth0 classid 1:1 parent 1: htb rate 100kbps ceil 100kbps quantum 1500
> tc class add dev eth0 classid 1:2 parent 1: htb rate 90mbit ceil 90mbit quantum 1500
> tc qdisc add dev eth0 handle 2: parent 1:2 sfq perturb 10
> tc class add dev eth0 classid 1:10 parent 1:1 htb prio 0 rate 30kbps quantum 1500
> tc qdisc add dev eth0 handle 10: parent 1:10 sfq perturb 10
> tc class add dev eth0 classid 1:11 parent 1:1 htb prio 0 rate 70kbps ceil 100kbps quantum 1500
> tc qdisc add dev eth0 handle 20: parent 1:11 sfq perturb 10
> tc class add dev eth0 classid 1:12 parent 1:1 htb rate 60kbps ceil 100kbps quantum 1500
> tc qdisc add dev eth0 handle 30: parent 1:12 sfq perturb 10
> tc filter add dev eth0 parent 1:0 prio 1 protocol ip u32 \
>     match ip dst 10.0.16.10/32 \
>     flowid 1:1

It's because 1:1 isn't a leaf, you need more filters with parent 1:1 to filter to the leaves.

Andy.

From andy.furniss at dsl.pipex.com Sat Feb 25 12:53:06 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Sat Feb 25 12:53:03 2006
Subject: [LARTC] userlevel should not need to know about HZ?
In-Reply-To: <200602232045.13101.ahasenack@terra.com.br>
References: <20060223202145.GL3411@mandriva.com> <20060223224726.GB23114@EIS> <200602232045.13101.ahasenack@terra.com.br>
Message-ID: <44004522.8030100@dsl.pipex.com>

Andreas Hasenack wrote:
> On Thu 23 Feb 2006 19:47, Andreas Klauer wrote:
>
>>> So, how do we reliably calculate the minimum value for
>>> buffer/burst/maxburst?
>>
>> Trial & Error, not that I ever had much luck with TBF though...
>
> From my experiments, the minimum seems to be either MTU plus a few bytes or
> the result of rate/HZ, whichever is higher.

Both the buffers need to be at least MTU and if you shape on eth MTU+14.

You should set the limit buffer to the length of queue you want - 1*MTU(+14) is pretty useless for a limit but OK for burst.

I am not sure about tbf and HZ; if it's like htb you need to set burst big enough so that its size * HZ can fill the link.

Andy.

From andy.furniss at dsl.pipex.com Sat Feb 25 15:34:43 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Sat Feb 25 15:34:39 2006
Subject: [LARTC] Shaping by IP's
In-Reply-To: <20060221141135.9F35961D6B@wind.delfi.lt>
References: <20060221141135.9F35961D6B@wind.delfi.lt>
Message-ID: <44006B03.2070400@dsl.pipex.com>

Laimis wrote:
> If at one time 3 IP addresses are using the internet. TC script:
>
> DEV=eth0 # LAN
> SERVER_IP=192.168.1.2 # eth0 ip address
> tc qdisc add dev $DEV root handle 1: htb default 255
> tc class add dev $DEV parent 1: classid 1:1 htb rate 384Kbit quantum 1500
>
> tc class add dev $DEV parent 1:1 classid 1:20 htb rate 128Kbit ceil 384Kbit prio 0 quantum 1500
> tc class add dev $DEV parent 1:1 classid 1:21 htb rate 128Kbit ceil 384Kbit prio 0 quantum 1500
> tc class add dev $DEV parent 1:1 classid 1:22 htb rate 128Kbit ceil 384Kbit prio 0 quantum 1500
>
> tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 6
> tc qdisc add dev $DEV parent 1:21 handle 21: sfq perturb 6
> tc qdisc add dev $DEV parent 1:22 handle 22: sfq perturb 6
>
> tc filter add dev $DEV parent 1:0 prio 0 protocol ip handle 20 fw flowid 1:20
> tc filter add dev $DEV parent 1:0 prio 0 protocol ip handle 21 fw flowid 1:21
> tc filter add dev $DEV parent 1:0 prio 0 protocol ip handle 22 fw flowid 1:22
>
> iptables -t mangle -I POSTROUTING -o $DEV -s ! $SERVER_IP -d 192.168.1.20 -j MARK --set-mark 20
> iptables -t mangle -I POSTROUTING -o $DEV -s ! $SERVER_IP -d 192.168.1.21 -j MARK --set-mark 21
> iptables -t mangle -I POSTROUTING -o $DEV -s ! $SERVER_IP -d 192.168.1.22 -j MARK --set-mark 22
>
> If we switched on 2 PCs (192.168.1.20 & 192.168.1.21) many p2p
> programs, FTP with many connections, and on the 3rd PC
> (192.168.1.22) FTP downloading with one connection, then the 3rd PC gets
> less than 128kbit. If I want all 3 PCs to get
> NOT LESS than 128kbit, what should I do with my script?

You need to back off from your line rates. For ingress so you can shape at all and for egress to allow for overheads (you can get patches for dsl overheads).

Quantum should be 1514 as you shape on eth and sfq is really meant for bulk traffic. It would be better to mark say small tcp and udp and give them priority with the rest going to sfq.

I would also limit the length of the sfqs; the default of 128 is far too long for shaping at these rates - you want to drop packets especially for ingress.

Perturb causes packet reordering so it's best set higher than 6 - I use 20.

Andy.

From andy.furniss at dsl.pipex.com Sat Feb 25 16:01:02 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Sat Feb 25 16:00:57 2006
Subject: [LARTC] Shared ADSL SHAPER
In-Reply-To: <200601301845.29753.rme@image.dk>
References: <200601301845.29753.rme@image.dk>
Message-ID: <4400712E.5060307@dsl.pipex.com>

Rasmus Melgaard wrote:
> Hi,
>
> I'm trying to make a shaper / firewall to improve sharing of bandwidth on an
> ADSL (3mbit down / ? mbit up)
>
> Since the ADSL is very asymmetric, down is unimportant, I make an ingress rate
> limit shaper to ensure all shaping is at the Shaper, and not on the Router
> or the ISP.
>
> The idea is then to make one HTB hierarchy and have each client (IP) filtered
> and put in a child-HTB queue. This is the main idea, I have added prio to
> each HTB-child to keep priorities for each client.
>
> I currently use a reduced setup with total-uplink limited to 160kbit, and I
> run first the firewall script (first) and then the Shaper script, below.
>
> The problem is now that if I take Azureus, bittorrent client, and let it go
> (no uplink limitation), it now kills its own downlink speed. If I limit the
> uplink speed in Azureus the downlink will grow again, it is quite obvious.
>
> I've tried adding some tricks from the net, to especially improve ACK
> performance, but it hasn't helped.

I haven't checked the script but assuming it's OK I think that this could be fixed - I use the python client and it seems OK.

When you back off you will get fairness from the client - so you should use sfq.

You will need to prioritise small packets - I use < 128.

You also need to limit the length of the sfq to say 20 - 30 so that you get plenty of drops and less acks for the download get piggybacked on the upload packets - bittorrent uses tcp full duplex which makes it a bit of a special case for shaping.

Always remember that unless you patch/use overhead parameters you need to back off from the advertised link rate.

Andy.

From andy.furniss at dsl.pipex.com Sat Feb 25 16:10:44 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Sat Feb 25 16:10:35 2006
Subject: [LARTC] QOS server droping packets 4% loss
In-Reply-To: <20060201105331.83590.qmail@web50802.mail.yahoo.com>
References: <20060201105331.83590.qmail@web50802.mail.yahoo.com>
Message-ID: <44007374.4000904@dsl.pipex.com>

Calin Ilis wrote:
> Hi all,
>
> I have a problem with htb and wonder if anybody has encountered this.
> On my LAN I have more than 1000 clients, and I am using htb to shape the incoming traffic. The problem is that I am experiencing packet loss (about 4%) in the qos server. The server is dropping packets even if my traffic is relatively moderate.
>
> I tried everything: estimator, setting the quantum etc etc but it doesn't seem to improve.

Do you see the dropped packets counted with tc -s class ls dev eth0 ?

Packet loss is normal for shaping tcp.

Andy.

From andy.furniss at dsl.pipex.com Sat Feb 25 16:32:23 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Sat Feb 25 16:32:19 2006
Subject: [LARTC] htb root don't reach ceil rate?
In-Reply-To: <200602181924.25045.msc@antzsystem.de>
References: <200602101445.27714.msc@antzsystem.de> <200602181924.25045.msc@antzsystem.de>
Message-ID: <44007887.8030700@dsl.pipex.com>

Markus Schulz wrote:
> On Friday, 10 February 2006 14:45, Markus Schulz wrote:
>
>> tc -s -d class show dev ppp0
>> class htb 1:1 root rate 576000bit ceil 576000bit burst 30Kb/8 mpu 0b
>> overhead 0b cburst 1739b/8 mpu 0b overhead 14b level 7
>>  Sent 1485575598 bytes 3140554 pkts (dropped 0, overlimits 0)
>>  rate 480008bit 115pps
>>  lended: 1904616 borrowed: 0 giants: 0
>>  tokens: 385702 ctokens: -26458
>
> ok, I understand now. The difference comes from gross versus net data
> rates due to ATM-SAR overhead and pppoe overhead. All statistic
> values are net values.

Yes - you can get patches to do egress overheads for dsl - if you know your exact type and are prepared to rebuild kernel or the modules and tc.

Andy.

From andy.furniss at dsl.pipex.com Sat Feb 25 16:42:12 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Sat Feb 25 16:42:07 2006
Subject: [LARTC] htb root don't reach ceil rate?
In-Reply-To: <44007887.8030700@dsl.pipex.com>
References: <200602101445.27714.msc@antzsystem.de> <200602181924.25045.msc@antzsystem.de> <44007887.8030700@dsl.pipex.com>
Message-ID: <44007AD4.4080203@dsl.pipex.com>

>> ok, I understand now. The difference comes from gross versus net data
>> rates due to ATM-SAR overhead and pppoe overhead. All statistic
>> values are net values.
>
> Yes - you can get patches to do egress overheads for dsl - if you know
> your exact type and are prepared to rebuild kernel or the modules and tc.

Oops didn't see you were already patched - htb counters still see things at ip level.

FWIW you still can't really use 576000 - one of my modems would do its aal5/0 qos in whole cells so being slightly less, also if you start/restart the shaper on a live link the queue formed may never empty.

Running 286kbit on a 288kbit ATM rate line has never gone over for me and slowly drains if the modem buffer is full when started.

Andy.

From andy.furniss at dsl.pipex.com Sat Feb 25 17:04:06 2006
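Andy's point above, that HTB counts bytes at the IP level while the ATM side of a DSL line sends whole cells, can be put into numbers. The following is an added example and not code from the thread; the AAL5 framing constants and the 32-byte PPPoE-over-ATM encapsulation overhead are assumptions about a typical line, not values from the page, and the 576000bit rate is taken from Markus's class statistics.

```python
"""Added example (not from the LARTC thread): how far an HTB rate set to
the advertised DSL line rate overshoots, and why.

HTB's counters see IP-level bytes; the ATM link transmits whole 53-byte
cells.  Assumptions, not taken from the thread: AAL5 framing (8-byte
trailer, then padding up to a multiple of 48 payload bytes) and a
PPPoE-over-ATM encapsulation overhead of 32 bytes per packet.  Change
OVERHEAD to match your own link type.
"""

ATM_CELL = 53        # bytes on the wire per cell
ATM_PAYLOAD = 48     # payload bytes per cell
AAL5_TRAILER = 8     # AAL5 trailer appended to every frame
OVERHEAD = 32        # assumed PPPoE/LLC encapsulation, bytes per packet


def atm_wire_bytes(ip_len, overhead=OVERHEAD):
    """Bytes the ATM link actually transmits for one IP packet of ip_len bytes."""
    sdu = ip_len + overhead + AAL5_TRAILER
    cells = (sdu + ATM_PAYLOAD - 1) // ATM_PAYLOAD   # round up to whole cells
    return cells * ATM_CELL


def ip_rate_for_link(link_bps, ip_len, overhead=OVERHEAD):
    """IP-level rate (what HTB counts) that a link of link_bps ATM rate can
    carry when every packet is ip_len bytes long."""
    return link_bps * ip_len / atm_wire_bytes(ip_len, overhead)


def wire_rate_for_htb(htb_bps, ip_len, overhead=OVERHEAD):
    """ATM rate actually demanded when HTB lets htb_bps through at IP level.
    Above the real line rate, the modem's buffer fills and never drains."""
    return htb_bps * atm_wire_bytes(ip_len, overhead) / ip_len


def worst_case_ip_ceil(link_bps, packet_sizes, overhead=OVERHEAD):
    """Largest IP-level ceil that stays under link_bps for every packet size
    listed; the smallest packets waste the most cell space, so they decide."""
    return int(min(ip_rate_for_link(link_bps, n, overhead) for n in packet_sizes))


if __name__ == "__main__":
    line = 576000   # the 576000bit line from Markus's class statistics
    for n in (40, 576, 1500):
        print(f"{n:5d}-byte IP packet -> {atm_wire_bytes(n):5d} bytes on the wire; "
              f"line carries {ip_rate_for_link(line, n):8.0f} bit/s of IP payload")
    print(f"HTB ceil {line} at 1500-byte packets needs "
          f"{wire_rate_for_htb(line, 1500):.0f} bit/s of ATM capacity")
    print(f"ceil safe for every listed packet size: "
          f"{worst_case_ip_ceil(line, (40, 576, 1500))} bit/s")
```

With 1500-byte packets the 576000bit line carries about 494 kbit/s of IP payload, in the neighbourhood of the 480008bit rate in Markus's statistics, and a mix with small packets pushes it lower still. Without the overhead patches Andy mentions, that gap is what the "back off from the advertised rate" advice in this thread is compensating for.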
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Sat Feb 25 17:04:01 2006
Subject: [LARTC] invert u32 match selector
In-Reply-To: <20060222113515.0dce15d2.mailinglists@lucassen.org>
References: <20060221172517.6e5a433c.mailinglists@lucassen.org> <20060222094338.C50104088@outpost.ds9a.nl> <20060222113515.0dce15d2.mailinglists@lucassen.org>
Message-ID: <44007FF6.20302@dsl.pipex.com>

richard lucassen wrote:
> On Wed, 22 Feb 2006 11:43:40 +0200
> "Vaidas" wrote:
>
>> With u32 you cannot negate, that's why it is lame...
>
> And why doesn't this work? (I send all port 80 to 1.2.3.4 to class 14
> /before/ I send the rest to classid 13):
>
> $TC filter add dev ${DEV_IFB} parent 1:0 prio 2 protocol ip u32 \
>     match ip protocol 0x6 0xff \
>     match ip dport 80 0xffff \
>     match ip dst 1.2.3.4/32 \
>     classid 1:14
>
> $TC filter add dev ${DEV_IFB} parent 1:0 prio 2 protocol ip u32 \
>     match ip protocol 0x6 0xff \
>     match ip dport 80 0xffff \
>     classid 1:13
>
> Any ideas?

Looks OK to me - try what Anton suggested to be safe but order is usually enough.

I guess IFB means this is ingress - if you are doing nat / or the ip you match is on that machine maybe it's not passing ifb with the address you expect.

Andy.

From martin-lartc at wonderfrog.net Sun Feb 26 05:05:02 2006
From: martin-lartc at wonderfrog.net (Martin A. Brown)
Date: Sun Feb 26 05:09:08 2006
Subject: [LARTC] Multiple providers routing
In-Reply-To: <20060224072448.10082.qmail@webmail9.rediffmail.com>
References: <20060224072448.10082.qmail@webmail9.rediffmail.com>
Message-ID:

Greetings Sameer,

 : I have a linux router connected to two separate internet
 : connection from an ISP. There is a third interface ( ip ->
 : 192.168.1.1 ) in the router connected to the local network.
 : Configured the routing tables and added the rules and everything
 : seems to be working fine from the routing box. Traceroute to
 : external internet sites reveal that traffic is being routed
 : correctly and that the failover mechanism is working.
 :
 : Now in my internal machines the gateway address is set to the
 : third interface of the router and the internal machines can ping
 : the router ( 192.168.1.1 ). The problem is that the internal
 : machines can't connect to the net. A quick check with pings and
 : tcpdump revealed that the packets from the internal machines are
 : arriving at the router and are being routed correctly... but are
 : not coming BACK from the router to the internal machines.
 :
 : Any pointers as to why this is happening would be useful....

Quick, experienced guess:

  # sysctl net.ipv4.conf.default.rp_filter

If the answer provided is:

  net.ipv4.conf.default.rp_filter = 1

Then, you'll need to flip the reverse path filtering toggle [0]. When this sysctl is set to 1, the kernel automatically drops packets incoming from the "wrong" interface according to the primary ('main') routing table.

Good luck,

-Martin

 [0] http://ipsysctl-tutorial.frozentux.net/chunkyhtml/theconfvariables.html#AEN634

--
Martin A. Brown --- Wonderfrog Enterprises --- martin@wonderfrog.net

From GregScott at InfraSupportEtc.com Sun Feb 26 05:55:27 2006
From: GregScott at InfraSupportEtc.com (Greg Scott)
Date: Sun Feb 26 05:54:33 2006
Subject: [LARTC] Proxy ARP and UDP
Message-ID: <925A849792280C4E80C5461017A4B8A203211A@mail733.InfraSupportEtc.com>

As it turns out, not seeing proxy ARP traffic on the outside interface has other consequences. I do some traffic shaping and noticed in my testing that the outbound traffic isn't being shaped. This drove me crazy until it suddenly dawned on me - tcpdump shows almost no traffic on the outside interface even though a full H.323 UDP stream is flying across the Internet to and from my proxy ARP'd device behind my firewall. I know lots of data is flying across both interfaces because I can see the results. Yet as far as any software is concerned, almost nothing is going in or out of my outside interface.

Is this a normal proxy ARP behavior? Traffic is definitely flying across both interfaces. Why doesn't any software see traffic in and out of the outside interface? Should I try a newer kernel than 2.4.27?

I guess I could shape the internal interface for anything routing across to the Internet but it just makes more sense to shape the interface at the boundary.

Here is the network layout again:

     10.10.10.0/27                              1.2.3.0/27
       10.10.10.n                       (fictional public IP range)
     internal hosts                                |
  <----+-----+--------+                   +-------+------>to the Internet
       |     |        |                   |       |
    Proxied  |        |                   |       |
  H.323 device     Firewall             Router
                  eth1    eth0
    1.2.3.11   10.10.10.1 1.2.3.2     1.2.3.1  1.2.3.2

/proc/sys/net/ipv4/conf/eth0/proxy_arp is 1.
/proc/sys/net/ipv4/conf/eth1/proxy_arp is 1.
/proc/sys/net/ipv4/conf/eth0/rp_filter is 0.
/proc/sys/net/ipv4/conf/eth1/rp_filter is 0.
/proc/sys/net/ipv4/conf/ip_forward is 1.

My firewall has a route to 1.2.3.11 dev eth1.

- Greg Scott

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Greg Scott
Sent: Monday, February 20, 2006 8:52 PM
To: gypsy; lartc@mailman.ds9a.nl
Subject: RE: [LARTC] Proxy ARP and UDP

Hmmmm - I turned off rp_filter (echo 0 > /proc/sys/net/ipv4/eth0/rp_filter - and eth1) and ran several test calls. It all worked. But I still don't understand why I see less than 1 percent of the packets on the eth0 interface with tcpdump.

- Greg

> but I bet the problem is rp_filter.
> --
> gypsy

From sebi at sebi.org Fri Feb 24 22:22:00 2006
From: sebi at sebi.org (Sebastian Bork)
Date: Sun Feb 26 17:47:12 2006
Subject: [LARTC] Balancing multiple connections and NAT
In-Reply-To: <17407.22043.766649.753382@mail.linux-delhi.org>
References: <17406.2440.239945.166270@mail.linux-delhi.org> <1140794433.4544.25.camel@eris.sebi.org> <17407.22043.766649.753382@mail.linux-delhi.org>
Message-ID: <1140816120.6837.6.camel@eris.sebi.org>

On Sat, 2006-02-25 at 00:23 +0530, Raj Mathur wrote:
> >>>>> "Sebastian" == Sebastian Bork writes:
>     Sebastian> I use exactly the same setup with a customer's
>     Sebastian> connection, the only difference: I use MASQUERADE
>     Sebastian> instead of SNAT. I did not see anything like the
>     Sebastian> problem you describe. Maybe because MASQUERADE works
>     Sebastian> stateful, SNAT not? If you do not have a special reason
>     Sebastian> for using SNAT, I think you should try MASQUERADE. If
>     Sebastian> your problem persists, please tell me, as I have to look
>     Sebastian> at my customer's setup very closely then, to catch this
>     Sebastian> before anyone complains.
>
> Well, both MASQUERADE and SNAT are stateful (MASQUERADE is just a
> special case of SNAT as far as I remember); however it's worth a shot
> if it's working for you.
>
> It's pretty easy to trap the wrong source IP errors -- going back to
> my example, just run:

Done. It happens here, too. But now it gets really strange: the data (I tried scp) goes out on IF1 with IF2's source address. The ACK packets come in on IF2. The connection works anyway ... *That's* what I'd call really cool load-balancing.

From mailinglists at lucassen.org Sun Feb 26 18:38:08 2006
From: mailinglists at lucassen.org (richard lucassen)
Date: Sun Feb 26 18:38:08 2006
Subject: [LARTC] invert u32 match selector
In-Reply-To: <44007FF6.20302@dsl.pipex.com>
References: <20060221172517.6e5a433c.mailinglists@lucassen.org> <20060222094338.C50104088@outpost.ds9a.nl> <20060222113515.0dce15d2.mailinglists@lucassen.org> <44007FF6.20302@dsl.pipex.com>
Message-ID: <20060226183808.57c0e2f0.mailinglists@lucassen.org>

On Sat, 25 Feb 2006 16:04:06 +0000
Andy Furniss wrote:

> > And why doesn't this work? (I send all port 80 to 1.2.3.4 to class
> > 14 /before/ I send the rest to classid 13):
> >
> > $TC filter add dev ${DEV_IFB} parent 1:0 prio 2 protocol ip u32 \
> >     match ip protocol 0x6 0xff \
> >     match ip dport 80 0xffff \
> >     match ip dst 1.2.3.4/32 \
> >     classid 1:14
> >
> > $TC filter add dev ${DEV_IFB} parent 1:0 prio 2 protocol ip u32 \
> >     match ip protocol 0x6 0xff \
> >     match ip dport 80 0xffff \
> >     classid 1:13
> >
> > Any ideas?
>
> Looks OK to me - try what Anton suggested to be safe but order is
> usually enough.

ok, thnx.

> I guess IFB means this is ingress - if you are doing nat / or the ip
> you match is on that machine maybe it's not passing ifb with the address
> you expect.

Hmm, I don't think so because the ip is the machine itself and it won't be translated...

R.

--
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
| Public key and email address:                                    |
| http://www.lucassen.org/mail-pubkey.html                         |
+------------------------------------------------------------------+

From ahasenack at terra.com.br Sun Feb 26 19:22:52 2006
From: ahasenack at terra.com.br (Andreas Hasenack)
Date: Sun Feb 26 19:23:01 2006
Subject: [LARTC] tc filter can target only leaf classes?
In-Reply-To: <440042CA.8020207@dsl.pipex.com>
References: <20060224190143.GA6809@mandriva.com> <440042CA.8020207@dsl.pipex.com>
Message-ID: <200602261522.53136.ahasenack@terra.com.br>

On Sat 25 Feb 2006 08:43, Andy Furniss wrote:
> > Why does the filter stop working? I was expecting it to keep working and
> > then I could further filter this traffic into 1:30 and 1:40 *at* 1:10.
>
> You need other filters with parent 1:10 to send to leafs below 1:10

Thanks, that was (part of) it. I had tested with other filters on 1:10, but the problem was the filters themselves which were not correct. Just for the record, I was using iptables MARK target to first mark packets going to a host and then attempting to set another mark on 1:10 on the same packets depending on the destination port so they would be sent to 1:30 or 1:40.

I now tested with u32 on 1:0 sending traffic to 1:10 and with fw on 1:10 sending packets to 1:30 and 1:40 using the iptables mark and it's working just fine.

From klaus at ipp2p.org Sun Feb 26 20:53:49 2006
From: klaus at ipp2p.org (Klaus)
Date: Sun Feb 26 20:53:51 2006
Subject: [LARTC] ipp2p don't block Ares
In-Reply-To: <20060223141217.GA12503@EIS>
References: <20060223141217.GA12503@EIS>
Message-ID: <4402074D.80400@ipp2p.org>

Hi,

Andreas Klauer wrote:
> On Thu, Feb 23, 2006 at 09:26:48AM -0300, Roberto Pereyra wrote:
>
>> This bridge works fine but since two weeks it can't block Ares traffic. All
>> protocols block fine but Ares does not (upload and download).
>>
>> Is somebody using ipp2p to block the latest Ares version?
>
> Did you already contact the author about this? If the Ares protocol changed,
> you've practically got a new protocol there, which requires its own pattern
> for matching. If you can provide details about the new protocol (by dumping
> Ares packets or something) and help with testing, it should be not that hard
> to fix, provided the new protocol isn't something nasty.

Ares is a proprietary protocol and they change their signatures (even the login signatures) with every new version. AFAIK ipp2p should block the newest version of ares (at least the login). Traffic shaping does not work at the moment, because ares encrypts the data connections with an unknown method and without any good signatures.

I will check the newest version of ares this week and update the ares pattern if needed. My real job keeps me very busy at the moment (and I have been ill for three weeks now), but I will try to bring out a new version of ipp2p with some bug fixes very soon.

Klaus, maintainer of ipp2p

From steinar.pedersen at gmail.com Sun Feb 26 21:39:03 2006
From: steinar.pedersen at gmail.com (Steinar Pedersen)
Date: Sun Feb 26 21:39:14 2006
Subject: [LARTC] Delay before shaping kicks in
Message-ID: <1d273d050602261239t116ba896m47c686eacc97672a@mail.gmail.com>

I am shaping traffic very successfully, but I still have one problem that I just can't figure out the solution to.

When my backbone becomes saturated with traffic, I use prio to differentiate between users, so that those who need it most actually get their service. BUT... when using prio, it actually takes a few seconds before the service they need is given to them.

An example: One user downloads at 10mbit (full speed of the link). Another user with higher priority starts downloading, and for the first few seconds only gets a fraction of what he really needs, but then suddenly the speed increases, and the low-prio user loses his speed.

Is there a way to make this "kick in" start faster?

I checked the net/sched/sch_htb.c and found:

#define HTB_EWMAC 2 /* rate average over HTB_EWMAC*HTB_HSIZE sec */

Could decreasing this to like 1 second fix the issue?

Steinar Pedersen

From gypsy at iswest.com Sun Feb 26 22:40:48 2006
From: gypsy at iswest.com (gypsy)
Date: Sun Feb 26 22:40:54 2006
Subject: [LARTC] Proxy ARP and UDP
References: <925A849792280C4E80C5461017A4B8A203211A@mail733.InfraSupportEtc.com>
Message-ID: <44022060.81E9B4F1@iswest.com>

Greg Scott wrote:
>
> As it turns out, not seeing proxy ARP traffic on the outside interface
> has other consequences. I do some traffic shaping and noticed in my
> testing that the outbound traffic isn't being shaped. This drove me
> crazy until it suddenly dawned on me - tcpdump shows almost no traffic
> on the outside interface even though a full H.323 UDP stream is flying
> across the Internet to and from my proxy ARP'd device behind my
> firewall. I know lots of data is flying across both interfaces because
> I can see the results. Yet as far as any software is concerned, almost
> nothing is going in or out of my outside interface.
>
> Is this a normal proxy ARP behavior? Traffic is definitely flying
> across both interfaces. Why doesn't any software see traffic in and out
> of the outside interface? Should I try a newer kernel than 2.4.27?

Greg,

Please, if you want answers, provide enough information for us to help.

In the absence of any shaping configuration script, it is useless to speculate about why you see nothing being shaped. I will say that UDP is not "protocol ip". Neither is ARP nor ICMP.

In the absence of the parameters you are passing to tcpdump, nothing can be said about why you are not seeing the expected traffic on the external IF.

Run 'cat /proc/net/ip_conntrack | grep udp'

There is nothing wrong with your .27 kernel! I have done something similar to what you seem to be trying to do for years running kernels from 2.4.25 through .32 and never had any problem at all with proxy ARP (except for the mental part ;)
--
gypsy

From GregScott at InfraSupportEtc.com Mon Feb 27 13:28:22 2006
From: GregScott at InfraSupportEtc.com (Greg Scott) Date: Mon Feb 27 13:27:28 2006 Subject: [LARTC] Proxy ARP and UDP Message-ID: <925A849792280C4E80C5461017A4B8A203211C@mail733.InfraSupportEtc.com> OK - Here is how I am running tcpdump. Not really much to tell. In one window: tcpdump -i eth1 -n And then in another window: tcpdump -i eth0 -n If I were filtering anything with tcpdump I would be pretty embarrassed. :) eth0 is the interface pointing to the Internet. eth1 is inside. For every several thousand packets that tcpdump shows me on eth1, I see maybe one or two on eth0 when running any traffic at all between the Internet and my proxy ARP'd device. Since these are conversations with a host on the other side of the Internet I should see packets flying across both interfaces. But I don't. I only see packets flying across the inside interface, except for a very small subset that I see on the outside interface. This behavior makes no sense. How is it possible that any connection between my proxy ARP'd host and the Internet works if virtually no traffic is moving across the outside interface???? The obvious answer - it isn't. Traffic must in fact be moving across the outside interface, otherwise my proxy ARP'd device would never see it. So the only possible conclusion is, the traffic must he happening someplace where tcpdump and evidently also the traffic shaping code does not see it. Don't believe me? Try it yourself. Send a bunch of pings from somewhere across the Internet to your proxy ARP'd device and watch your outside interface. I'll bet you don't see them. But your proxy ARP'd device will see them, assuming you have some firewall rules that allow this. It will reply and the requesting host outside the Internet will see the echo reply packets coming back. But your outside firewall interface will look dead even though the echo request/reply packets are clearly flying across it. Look for yourself if you don't believe me. Here is my traffic shaping script. 
Again, pretty basic stuff - nothing fancy. And it isn't relevant to my issue.

TC="/sbin/tc"
# $INET_IFACE, $TRUSTED1_IFACE, $DMZ_IFACE and the *_VTC*_IP addresses
# are expected to be defined before this part runs (not shown here).

$TC qdisc del dev $INET_IFACE root
$TC qdisc del dev $TRUSTED1_IFACE root
$TC qdisc del dev $DMZ_IFACE root

$TC qdisc add dev $INET_IFACE root handle 1: prio
# This *instantly* creates classes 1:1, 1:2, 1:3
$TC qdisc add dev $TRUSTED1_IFACE root handle 2: prio
# This *instantly* creates classes 2:1, 2:2, 2:3

$TC qdisc add dev $INET_IFACE parent 1:1 handle 11: pfifo
$TC qdisc add dev $INET_IFACE parent 1:2 handle 12: pfifo
$TC qdisc add dev $INET_IFACE parent 1:3 handle 13: pfifo
$TC qdisc add dev $TRUSTED1_IFACE parent 2:1 handle 21: pfifo
$TC qdisc add dev $TRUSTED1_IFACE parent 2:2 handle 22: pfifo
$TC qdisc add dev $TRUSTED1_IFACE parent 2:3 handle 23: pfifo

#
# This assigns traffic to/from $PUBLIC_VTC1_IP and $PRIVATE_VTC1_IP
# to the highest priority band of the queue for the appropriate
# interface, and the rest to the next-highest priority band.
#

# VTC1
$TC filter add dev $INET_IFACE parent 1:0 protocol ip prio 1 u32 \
    match ip dst $PUBLIC_VTC1_IP flowid 1:1
$TC filter add dev $INET_IFACE parent 1:0 protocol ip prio 1 u32 \
    match ip src $PUBLIC_VTC1_IP flowid 1:1

# VTC2
$TC filter add dev $INET_IFACE parent 1:0 protocol ip prio 1 u32 \
    match ip dst $PUBLIC_VTC2_IP flowid 1:1
$TC filter add dev $INET_IFACE parent 1:0 protocol ip prio 1 u32 \
    match ip src $PUBLIC_VTC2_IP flowid 1:1

# Everyone else
$TC filter add dev $INET_IFACE parent 1:0 protocol ip prio 2 u32 \
    match ip src 0.0.0.0/0 flowid 1:2
$TC filter add dev $TRUSTED1_IFACE parent 2:0 protocol ip prio 2 u32 \
    match ip src 0.0.0.0/0 flowid 2:2

exit

> Greg,
>
> Please, if you want answers, provide enough information for us to help.
>
> In the absence of any shaping configuration script, it is useless to
> speculate about why you see nothing being shaped. I will say that UDP
> is not "protocol ip". Neither is ARP nor ICMP.
> >In the absence of the parameters you are passing to tcpdump, nothing can >be said about why you are not seeing the expected traffic on the external IF. > >Run 'cat /proc/net/ip_conntrack | grep udp' > >There is nothing wrong with your .27 kernel! I have done something >similar to what you seem to be trying to do for years running kernels >from 2.4.25 through .32 and never had any problem at all with proxy ARP >(except for the mental part ;) >-- >gypsy From pereyra.roberto at gmail.com Mon Feb 27 14:08:37 2006 
From: pereyra.roberto at gmail.com (Roberto Pereyra) Date: Mon Feb 27 14:08:41 2006 Subject: [LARTC] ipp2p don't block Ares In-Reply-To: References: <20060223141217.GA12503@EIS> <4402074D.80400@ipp2p.org> Message-ID:

Hi Klaus

> AFAIK ipp2p should block the newest version of ares (at least the
> login).

Yes, ipp2p blocks the latest version Ares login (looks connecting ...) but without connecting upload and download files.

I have the same bridge setup and some weeks back the blocking worked well.

How can I help you?

roberto

2006/2/26, Klaus :
>
> Hi,
>
>
> Andreas Klauer wrote:
> > On Thu, Feb 23, 2006 at 09:26:48AM -0300, Roberto Pereyra wrote:
> >
> >> This bridge works fine but since two weeks can't block Ares traffic. All
> >> protocols block fine but Ares not (upload and download).
> >>
> >> Is somebody using ipp2p to block the latest Ares version?
> >
> >
> > Did you already contact the author about this? If the Ares protocol changed,
> > you've practically got a new protocol there, which requires its own pattern
> > for matching. If you can provide details about the new protocol (by dumping
> > Ares packets or something) and help with testing, it should be not that hard
> > to fix, provided the new protocol isn't something nasty.
>
> Ares is a proprietary protocol and they change their signatures (even
> the login signatures) with every new version.
>
> AFAIK ipp2p should block the newest version of ares (at least the
> login). Traffic shaping does not work at the moment, because ares
> encrypts the data connections with an unknown method and without any
> good signatures. I will check the newest version of ares this week and
> update the ares pattern if needed.
>
> My real job keeps me very busy at the moment (and I have been ill for
> three weeks now), but I will try to bring out a new version of ipp2p
> with some bug fixes very soon.
> Klaus,
> maintainer of ipp2p
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

--
Ing. Roberto Pereyra
ContenidosOnline
BSD, Solaris and Linux servers
Technical support for ISPs
Jabber ID: rpereyra@lugmen.org.ar

For reliable and professional DNS, use DNS Made Easy!
http://www.dnsmadeeasy.com/u/14989

From pereyra.roberto at gmail.com Mon Feb 27 14:08:48 2006
From sebi at sebi.org Mon Feb 27 21:27:50 2006
From: sebi at sebi.org (Sebastian Bork) Date: Mon Feb 27 21:29:28 2006 Subject: [LARTC] Balancing multiple connections and NAT In-Reply-To: <1140816120.6837.6.camel@eris.sebi.org> References: <17406.2440.239945.166270@mail.linux-delhi.org> <1140794433.4544.25.camel@eris.sebi.org> <17407.22043.766649.753382@mail.linux-delhi.org> <1140816120.6837.6.camel@eris.sebi.org> Message-ID: <1141072070.4462.11.camel@eris.sebi.org>

On Fr, 2006-02-24 at 22:22 +0100, Sebastian Bork wrote:
> Done. It happens here, too. But now it gets really strange: the data (I
> tried scp) goes out on IF1 with IF2's source address. The ACK packets
> come in on IF2. The connection works anyway ... *That's* what I'd call
> really cool load-balancing.

It obviously only worked with my setup because two of the three routes end on the same router of the upstream provider. As soon as the other provider is used for a route, everything breaks down. I'll try those patches tomorrow.

From krishan at philips.com Tue Feb 28 07:51:34 2006
From: krishan at philips.com (Krishan) Date: Tue Feb 28 07:52:57 2006 Subject: [LARTC] QoS in Linux Message-ID:

Hello All,

I am interested in the QoS provided by Linux. When I looked into the IP header I came across the ToS field; also, while going into more detail about QoS, I found that ToS-based QoS is serviced through DiffServ, which in turn gives more priority to packets with a higher value in the ToS field. But I am not able to understand, when we finally call the dev->hard_start_xmit routine of the underlying device-type driver, how these packets are given high or low priority in the device queue.

Please advise me here,

Thanks
-krishan

From dasenjo at gmail.com Tue Feb 28 12:56:53 2006
From: dasenjo at gmail.com (Diego Andrés Asenjo Gonzalez) Date: Tue Feb 28 12:56:58 2006 Subject: [LARTC] Htb queueing problem Message-ID: <44043A85.6080302@gmail.com>

Hi everybody!

I'm using an edge bridge box with two ethernet cards to shape traffic in a WAN link. I'm running Debian 3.1 stable with kernel 2.6.8 and iproute from packages. I recompiled the kernel with the following built-in options:

[*] 802.1d Ethernet Bridging

[*] QoS and/or fair queueing
<*> HTB packet scheduler
<*> SFQ queue

[*] QoS support
<*> Firewall based classifier
<*> U32 classifier

I can mark packets with iptables, but I _can't_ make the packets get queued in a specific class. Please take a look at this sample script that guarantees 64kbit (rate), 72kbit (ceil) to the packets coming from the host 172.16.0.185 to the 172.16.1.0/24 network with 10000-10100 destination ports:

# Flush tc qdiscs:
/sbin/tc qdisc del dev eth0 root >/dev/null 2>&1
/sbin/tc qdisc del dev eth1 root >/dev/null 2>&1

# Create root qdiscs:
/sbin/tc qdisc add dev eth0 root handle 1: htb default 1000
/sbin/tc qdisc add dev eth1 root handle 2: htb default 1000

# Create root class (1:1 2:1) :
/sbin/tc class add dev eth0 parent 1: classid 1:1 htb rate 3456kbit ceil 3456kbit burst 0 prio 1
/sbin/tc class add dev eth1 parent 2: classid 2:1 htb rate 3584kbit ceil 3584kbit burst 0 prio 1

# Create default class (1:1000 2:1000) :
/sbin/tc class add dev eth0 parent 1:1 classid 1:1000 htb rate 3350kbit ceil 3500kbit burst 0 prio 5
/sbin/tc class add dev eth1 parent 2:1 classid 2:1000 htb rate 3350kbit ceil 3500kbit burst 0 prio 5

# Create classes (1:44 2:44) :
/sbin/tc class add dev eth0 parent 1:1 classid 1:44 htb rate 64kbit ceil 72kbit burst 8kbit prio 1 quantum 1536
/sbin/tc class add dev eth1 parent 2:1 classid 2:44 htb rate 64kbit ceil 72kbit burst 8kbit prio 1 quantum 1536

# Flushing iptables rules:
/sbin/iptables -F -t mangle

# iptables classify
/sbin/iptables -A POSTROUTING -t mangle -p udp -s 172.16.0.185/32 --sport 10000:10100 -d 172.16.1.0/24 -j CLASSIFY --set-class 2:44

Now the statistics:

bridge:~# iptables -L -t mangle -v
34302 2415K CLASSIFY udp -- any any 172.16.0.185 172.16.1.0/24 udp spts:10000:10100 CLASSIFY set 2:44

bridge:~# tc -s cl sh dev eth1
class htb 2:44 parent 2:1 prio 1 rate 64000bit ceil 72000bit burst 1023b cburst 1608b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 131070 ctokens: 183067

class htb 2:1 root rate 3584Kbit ceil 3584Kbit burst 2Kb cburst 2Kb
 Sent 4686617538 bytes 6922322 pkts (dropped 0, overlimits 0)
 rate 1936bit 2pps
 lended: 3691 borrowed: 0 giants: 0
 tokens: 4461 ctokens: 4461

class htb 2:1000 parent 2:1 prio 5 rate 3350Kbit ceil 3500Kbit burst 2017b cburst 2Kb
 Sent 4686617538 bytes 6922322 pkts (dropped 0, overlimits 0)
 rate 1936bit 2pps
 lended: 6918631 borrowed: 3691 giants: 0
 tokens: 4700 ctokens: 4543

As you can see, the packets are marked by iptables but get queued through the default class. I'm getting frustrated and I will appreciate all suggestions and comments.

I'm using now -j CLASSIFY but I have used -j MARK and u32 tc filters with the same results.

Thanks a lot for reading.
Bye.

From igor at niponet.com.br Wed Mar 1 00:11:08 2006
From: igor at niponet.com.br (Igor Okimoto) Date: Wed Mar 1 00:12:08 2006 Subject: [LARTC] CBQ or HTB Message-ID: <20060228231202.75AD14035@outpost.ds9a.nl>

What is the difference between using CBQ and HTB? I need to prioritize many ports; some of the ports are 5060 (voip), 25 (mail) and 3128 (squid).

This is an example from my cbq file:

DEVICE=eth0,10Mbit,1Mbit
RATE=500Kbit
WEIGHT=50Kbit
PRIO=5
RULE=:5060
BOUNDED=yes
ISOLATED=yes

Do I need to specify a rate or not?

Igor

From andy.furniss at dsl.pipex.com Wed Mar 1 15:48:18 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss) Date: Wed Mar 1 15:48:29 2006 Subject: [LARTC] Htb queueing problem In-Reply-To: <44043A85.6080302@gmail.com> References: <44043A85.6080302@gmail.com> Message-ID: <4405B432.10301@dsl.pipex.com>

Diego Andrés Asenjo Gonzalez wrote:
> Hi everybody!
>
> I'm using an edge bridge box with two ethernet cards to shape traffic in
> a WAN link. I'm running Debian 3.1 stable with kernel 2.6.8 and iproute
> from packages. I recompiled the kernel with the following built-in options:
>
> [*] 802.1d Ethernet Bridging
>
> [*] QoS and/or fair queueing
> <*> HTB packet scheduler
> <*> SFQ queue
>
> [*] QoS support
> <*> Firewall based classifier
> <*> U32 classifier

As I select everything I don't know if this is enough - also I think you need to select classify in the netfilter section.

>
> I can mark packets with iptables, but I _can't_ make the packets get
> queued in a specific class. Please, take a look at this sample script
> that guarantees 64kbit (rate), 72kbit (ceil)

It's nicer with htb to give interactive more bandwidth and higher prio than bulk.
Also remember when setting rates that htb will see ip packets as ip length + 14 when used on ethX to the packets coming from > the host 172.16.0.185 to the 172.16.1.0/24 network with 10000-10100 > destination ports: > > # Flush tc qdiscs: > /sbin/tc qdisc del dev eth0 root >/dev/null 2>&1 > /sbin/tc qdisc del dev eth1 root >/dev/null 2>&1 > > # Create root qdiscs: > /sbin/tc qdisc add dev eth0 root handle 1: htb default 1000 > /sbin/tc qdisc add dev eth1 root handle 2: htb default 1000 > > # Create root class (1:1 2:1) : > /sbin/tc class add dev eth0 parent 1: classid 1:1 htb rate 3456kbit ceil > 3456kbit burst 0 prio 1 > /sbin/tc class add dev eth1 parent 2: classid 2:1 htb rate 3584kbit ceil > 3584kbit burst 0 prio 1 > > # Create default class (1:1000 2:1000) : > /sbin/tc class add dev eth0 parent 1:1 classid 1:1000 htb rate 3350kbit > ceil 3500kbit burst 0 prio 5 > /sbin/tc class add dev eth1 parent 2:1 classid 2:1000 htb rate 3350kbit > ceil 3500kbit burst 0 prio 5 > > # Create classes (1:44 2:44) : > /sbin/tc class add dev eth0 parent 1:1 classid 1:44 htb rate 64kbit ceil > 72kbit burst 8kbit prio 1 quantum 1536 > /sbin/tc class add dev eth1 parent 2:1 classid 2:44 htb rate 64kbit ceil > 72kbit burst 8kbit prio 1 quantum 1536 > > # Flushing iptables rules: > /sbin/iptables -F -t mangle > > # iptables classify > /sbin/iptables -A POSTROUTING -t mangle -p udp -s 172.16.0.185/32 > --sport 10000:10100 -d 172.16.1.0/24 -j CLASSIFY --set-class 2:44 > > Now the statistics: > > bridge:~# iptables -L -t mangle -v > 34302 2415K CLASSIFY udp -- any any 172.16.0.185 > 172.16.1.0/24 udp spts:10000:10100 CLASSIFY set 2:44 > > bridge:~# tc -s cl sh dev eth1 > class htb 2:44 parent 2:1 prio 1 rate 64000bit ceil 72000bit burst 1023b > cburst 1608b > Sent 0 bytes 0 pkts (dropped 0, overlimits 0) > lended: 0 borrowed: 0 giants: 0 > tokens: 131070 ctokens: 183067 > > class htb 2:1 root rate 3584Kbit ceil 3584Kbit burst 2Kb cburst 2Kb > Sent 4686617538 bytes 6922322 pkts (dropped 
0, overlimits 0)
> rate 1936bit 2pps
> lended: 3691 borrowed: 0 giants: 0
> tokens: 4461 ctokens: 4461
>
> class htb 2:1000 parent 2:1 prio 5 rate 3350Kbit ceil 3500Kbit burst
> 2017b cburst 2Kb
> Sent 4686617538 bytes 6922322 pkts (dropped 0, overlimits 0)
> rate 1936bit 2pps
> lended: 6918631 borrowed: 3691 giants: 0
> tokens: 4700 ctokens: 4543
>
> As you can see, the packets are marked by iptables but get queued
> through the default class.

You need an -o eth1 in the iptables rule for a proper count.

> I'm getting frustrated and I will appreciate
> all suggestions and comments.
>
> I'm using now -j CLASSIFY but I have used -j MARK and u32 tc filters
> with the same results.

I am not sure what else is wrong, I don't use classify; maybe check that there isn't any decimal/hex mismatch, ie. try 0x44.

Andy.

From andy.furniss at dsl.pipex.com Wed Mar 1 15:53:27 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss) Date: Wed Mar 1 15:53:32 2006 Subject: [LARTC] QoS in Linux In-Reply-To: References: Message-ID: <4405B567.8000800@dsl.pipex.com>

Krishan wrote:
> Hello All, I am interested in QoS provided by Linux, when I looked into IP
> header I came across ToS field, also while going more into detail about
> QoS I found that the QoS based on ToS is serviced thru DiffServ which in
> turn gives more priority to packets with higher value in ToS field, but I
> am not able to understand when we finally call dev->hard_start_xmit
> routine of underlying device type driver, how these packets are given high
> priority or low priority in the device queue.

I don't think they normally are - unless its drivers support it. If you want to shape you normally need to use htb/cbq/hfsc/tbf to rate limit below the speed of the device and avoid overfilling its buffer.

Andy.

From andy.furniss at dsl.pipex.com Wed Mar 1 15:56:21 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss) Date: Wed Mar 1 15:56:20 2006 Subject: [LARTC] Delay before shaping kicks in In-Reply-To: <1d273d050602261239t116ba896m47c686eacc97672a@mail.gmail.com> References: <1d273d050602261239t116ba896m47c686eacc97672a@mail.gmail.com> Message-ID: <4405B615.3070405@dsl.pipex.com>

Steinar Pedersen wrote:
> I am shaping traffic very successfully, but I still have one problem that I
> just can't figure out the solution to.
> When my backbone becomes saturated with traffic, I use prio to differentiate
> between users, so that those who
> need it most actually get their service. BUT... when using prio, it
> actually takes a few seconds before the service they
> need is given to them.
>
> An example:
>
> One user downloads with 10mbit (full speed of the link)
> Another user with higher priority starts downloading, and for the first few
> seconds only gets a fraction of what he really needs, but then suddenly, the
> speed increases, and the low-prio user loses his speed.
>
> Is there a way to make this "kick in" start faster?
>
> I checked the net/sched/sch_htb.c and found:
> #define HTB_EWMAC 2 /* rate average over HTB_EWMAC*HTB_HSIZE sec */
>
> Could decreasing this to like 1 second fix the issue?

It's more likely to be because you are not allowing for overheads and have the rate on htb too high for the link, so packets get queued elsewhere.

Andy.

From andy.furniss at dsl.pipex.com Wed Mar 1 16:01:10 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss) Date: Wed Mar 1 16:01:10 2006 Subject: [LARTC] invert u32 match selector In-Reply-To: <20060226183808.57c0e2f0.mailinglists@lucassen.org> References: <20060221172517.6e5a433c.mailinglists@lucassen.org> <20060222094338.C50104088@outpost.ds9a.nl> <20060222113515.0dce15d2.mailinglists@lucassen.org> <44007FF6.20302@dsl.pipex.com> <20060226183808.57c0e2f0.mailinglists@lucassen.org> Message-ID: <4405B736.5090303@dsl.pipex.com> richard lucassen wrote: >>I guess IFB means this is ingress - if you are doing nat / or the ip >>you match is on that machine maybe it not passing ifb with the address >>you expect. > > > Hmm, I don't think so because the ip is the machine itself and it won't > be translated... Yes it should still have the interface address of the device it came in on - are you sure the packets are getting to ifb alright? Andy. From chrisk at spidernet.net Wed Mar 1 16:35:26 2006 
From: chrisk at spidernet.net (Christos Karaviotis) Date: Wed Mar 1 16:35:32 2006 Subject: [LARTC] new to TC need help Message-ID: <6.1.1.1.2.20060301172138.02240a78@nautilus.spidernet.net>

Hello,

I am new to TC and need some help with something that I need to do. I have the following setup which works just fine but with a little problem. I need the user 172.16.1.100, in the case that it is using both classes, never to exceed 256kbit; now it goes up to 512kbit because both classes offer 256 each. How can I finally restrict this user to only 256kbit no matter what?

====================================================================================
# Initial Classes (Default)
tc qdisc del dev eth1 root
tc qdisc add dev eth1 root handle 1: htb default 30

# root qdisc
tc class add dev eth1 parent 1: classid 1:1 htb rate 10240kbit ceil 10240kbit

# Child class
#
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 2048kbit ceil 3072kbit prio 1
tc class add dev eth1 parent 1:1 classid 1:20 htb rate 128kbit ceil 512kbit prio 2
tc class add dev eth1 parent 1:1 classid 1:30 htb rate 100kbit ceil 512kbit prio 3
tc class add dev eth1 parent 1:1 classid 1:50 htb rate 5120kbit ceil 6144kbit
#
tc qdisc add dev eth1 parent 1:10 handle 10: htb   # Premium Class
tc qdisc add dev eth1 parent 1:20 handle 20: htb
tc qdisc add dev eth1 parent 1:30 handle 30: htb
tc qdisc add dev eth1 parent 1:50 handle 50: htb   # Local Traffic

# Per User Configuration
# User 172.16.1.100
tc class add dev eth1 parent 10:0 classid 10:100 htb rate 256kbit
tc class add dev eth1 parent 50:0 classid 50:100 htb rate 256kbit
tc filter add dev eth1 protocol ip parent 1:0 u32 match ip dst 172.16.1.100/32 classid 1:10
tc filter add dev eth1 protocol ip parent 10:0 u32 match ip dst 172.16.1.100/32 classid 10:100
tc filter add dev eth1 protocol ip parent 1:0 u32 match ip src 194.154.159.84/32 match ip dst 172.16.1.100/32 flowid 1:50
tc filter add dev eth1 protocol ip parent 50:0 u32 match ip src 194.154.159.84/32 match ip dst 172.16.1.100/32 flowid 50:100
#
============================================================================================

Thank you in advance

From Ian.Bullock at cnm.co.uk Wed Mar 1 17:01:21 2006
From: Ian.Bullock at cnm.co.uk (Ian.Bullock@cnm.co.uk) Date: Wed Mar 1 17:04:47 2006 Subject: [LARTC] Ian Bullock is out of the office. Message-ID:

I will be out of the office starting 01/03/2006 and will not return until 03/03/2006. I will respond to your message when I return. However if you have sent data for processing, please send to operator@cnm.co.uk. Also if you have any urgent queries, please contact Operations on 01924 888700. Thank you.

From dasenjo at gmail.com Wed Mar 1 18:39:22 2006
From: dasenjo at gmail.com (Diego Andrés Asenjo Gonzalez) Date: Wed Mar 1 18:39:29 2006 Subject: [LARTC] Htb queueing problem In-Reply-To: <4405B432.10301@dsl.pipex.com> References: <44043A85.6080302@gmail.com> <4405B432.10301@dsl.pipex.com> Message-ID: <4405DC4A.40902@gmail.com>

Hi and thanks for replying!

>
> As I select everything I don't know if this is enough - also I think
> you need to select classify in the netfilter section.

I also select almost everything in the netfilter section, including MARK and CLASSIFY. I simplified the script, maintaining the most important part (the "outgoing" traffic). I am now using the iptables MARK way, and still did not get any shaping:

#!/bin/bash

TC=/sbin/tc
IPT=/sbin/iptables

# Flush tc qdiscs:
$TC qdisc del dev eth1 root >/dev/null 2>&1

# Create root qdiscs:
$TC qdisc add dev eth1 root handle 2: htb default 1000

# Create root class (1:1 2:1) :
$TC class add dev eth1 parent 2: classid 2:1 htb rate 3584kbit ceil 3584kbit burst 0 prio 1

# Create default class (1:1000 2:1000) :
$TC class add dev eth1 parent 2:1 classid 2:1000 htb rate 3300kbit ceil 3350kbit burst 0 prio 5

# Create classes (1/2:2 tel_pereira) :
$TC class add dev eth1 parent 2:1 classid 2:2 htb rate 64kbit ceil 72kbit burst 8kbit prio 1 quantum 1536

# Create filters (100/200 + 2)
$TC filter add dev eth1 protocol ip parent 2:0 prio 1 handle 0x44 fw flowid 2:2

# Flushing iptables rules:
$IPT -F -t mangle

$IPT -A FORWARD -t mangle -p udp -s 172.16.0.185/32 -i eth1 --sport 10000:10100 -d 172.16.1.0/24 -j MARK --set-mark 0x44

The statistics remain the same:

bridge:~# iptables -L -t mangle -v
Chain FORWARD (policy ACCEPT 76M packets, 34G bytes)
 pkts bytes target prot opt in out source destination
 1123 67380 MARK udp -- any any 172.16.0.185 172.16.1.0/24 udp spts:10000:10100 MARK set 0x44

There are iptables marks ...

bridge:~# tc -s cl sh dev eth1
class htb 2:2 parent 2:1 prio 1 rate 64Kbit ceil 72Kbit burst 1023b cburst 1691b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 128000 ctokens: 187999

But nothing is queued through the specified class :s, there is no shaping at all.

I'm going insane. Could it be a bug? A package error?

Thanks for your help!

From makevuy at ehas.org Wed Mar 1 19:57:42 2006
From: makevuy at ehas.org (makevuy) Date: Wed Mar 1 19:57:55 2006 Subject: [LARTC] TC with bandwith adaptative for Wireless network Message-ID: <4405EEA6.4050604@ehas.org>

Hello,

I am interested in implementing QoS for a wireless network, where we have varied services like VOIP, ssh, ftp, www, mail ... etc.

As we know, this kind of network has high variation in link bandwidth. We want to introduce a way of adapting the qdisc parameters that depend on bandwidth to these variations. In summary, an adaptive design following the bandwidth of each WiFi link.

Is that possible with Linux? How can we do this, or what could be the best strategy?

Thanks for all and regards.

--
Sandra Salmerón Ntutumu
Tel. +34 914888405 / Mobile: 653574298
Fundación EHAS: Enlace Hispanoamericano de Salud - www.ehas.org
Rural telemedicine for isolated areas of developing countries

From ahasenack at terra.com.br Wed Mar 1 20:07:16 2006
From: ahasenack at terra.com.br (Andreas Hasenack) Date: Wed Mar 1 20:07:22 2006 Subject: [LARTC] Htb queueing problem In-Reply-To: <4405B432.10301@dsl.pipex.com> References: <44043A85.6080302@gmail.com> <4405B432.10301@dsl.pipex.com> Message-ID: <20060301190715.GA5041@mandriva.com> On Wed, Mar 01, 2006 at 02:48:18PM +0000, Andy Furniss wrote: > than bulk. Also remember when setting rates that htb will see ip packets > as ip length + 14 when used on ethX Could you elaborate on this a bit? I suppose you also meant this in an earlier message when you mentioned that the overhead was not included in the bw calculations. From luciano at lugmen.org.ar Wed Mar 1 20:47:02 2006 
From: luciano at lugmen.org.ar (Luciano Ruete) Date: Wed Mar 1 20:47:14 2006 Subject: [LARTC] Software Anounce: htb frontend, for multiple hosts auto bandwidth management Message-ID: <200603011647.03567.luciano@lugmen.org.ar>

Hi all,

I've coded htb-gen, a GPL htb frontend and much more...

htb-gen is meant to be an easy, scalable, yet powerful bandwidth management tool. You can set up/down portions of bandwidth for each host or network that goes through your router/firewall. Priority traffic (web, mail, gaming, ftp, voip, streaming) is preferred over junk traffic (kazaa, emule, etc). Also dynamic bandwidth borrowing and re-assignment is done between hosts thanks to htb boundaries.

A web frontend for config is available as well, so remote management is possible.

All bash based, so it can be used in embedded routers/firewalls (wired/wireless).

Two backends are available:
- generates raw tc commands
- generates htb-init conf files (useful for integration)

The packet classification is done by iptables.

Download is available at the project page: http://www.freshmeat.net/projects/htb-gen/

A conf file may look like this:

#               down    down    up      up
#               min     max     min     max
#ip             (rate)  (ceil)  (rate)  (ceil)
192.168.1.2     0       64      0       32
192.168.1.3     0       128     0       64
192.168.1.4     0       256     0       128
10.0.0.1/30     256     512     128     256
200.80.22.2     256     256     256     256

As you see:
- It is extremely easy to maintain a large amount of hosts/networks
- IPs from different networks are allowed (they have to pass FORWARD anyway)
- network syntax is allowed, bw will be assigned to the network
- fixed rate support, I can guarantee some bw.
- A 0 (zero) in rate means that it will be automagically calculated based on the ceil weight and the unassigned bandwidth
- there are a lot more possibilities, see DOCS

Some deeper explanation:

The bw that you assign for each host is divided like this (this can be easily adapted if you know a little bit of iptables):

- Prio traffic
  - packets smaller than 100 bytes (tcp ACKs, most icmp messages)
  - all icmp traffic (icmp messages)
  - all udp traffic (voip, streaming, real time gaming, etc...)
  - some tcp ports (settable in conf file, ie: http, pop3, imap, ssh...)
- Default traffic (junk traffic)
  - all traffic that does not match any of the above (ie: emule, torrent, kazaa, gnutella... and so on)

By default the host bandwidth is shared between these two kinds of traffic, but the script guarantees that any time I use "prio traffic" it will climb up to 90%, until that 'prio traffic' ends. This % can be modified if you want, see the 'rate_dfl_percet' value in conf. Also it is possible to save junk bandwidth by assigning only a % of the host ceil to the dfl traffic, see 'ceil_dfl_percet'. This will help to have several hosts sharing bw without almost any complaint.

Regards!
--
Luciano

From andy.furniss at dsl.pipex.com Wed Mar 1 20:56:44 2006
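An added example (not htb-gen's own code): a parser for the conf table format in the announcement above, with one reading of the "0 rate" rule. The proportional split of the leftover bandwidth by ceil, capped at each host's ceil, is an assumption for illustration, not htb-gen's documented algorithm.

```python
"""Parse an htb-gen style host table and fill in the automatic rates.

Added example, not htb-gen's own code. The table columns are
ip  down-rate  down-ceil  up-rate  up-ceil, in kbit as in the announcement.
A rate of 0 is replaced by a share of the link bandwidth left over after
the fixed rates, split in proportion to each host's ceil and never above
that ceil; this proportional split is an assumed reading of "calculated
based on the ceil weight and the unassigned bandwidth", not the exact
rule htb-gen implements.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample: the table from the announcement.
SAMPLE_CONF = """\
#               down    down    up      up
#               min     max     min     max
#ip             (rate)  (ceil)  (rate)  (ceil)
192.168.1.2     0       64      0       32
192.168.1.3     0       128     0       64
192.168.1.4     0       256     0       128
10.0.0.1/30     256     512     128     256
200.80.22.2     256     256     256     256
"""


@dataclass
class HostEntry:
    net: ipaddress.IPv4Network   # a single host becomes a /32
    down_rate: int
    down_ceil: int
    up_rate: int
    up_ceil: int


def parse_conf(text: str) -> list[HostEntry]:
    """Parse the table; '#' starts a comment, blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        # strict=False lets '10.0.0.1/30' stand for the network 10.0.0.0/30
        net = ipaddress.ip_network(fields[0], strict=False)
        try:
            down_rate, down_ceil, up_rate, up_ceil = (int(f) for f in fields[1:])
        except ValueError as exc:
            raise ValueError(f"line {lineno}: rates must be integers") from exc
        for rate, ceil in ((down_rate, down_ceil), (up_rate, up_ceil)):
            if ceil <= 0 or rate < 0 or rate > ceil:
                raise ValueError(f"line {lineno}: need 0 <= rate <= ceil and ceil > 0")
        entries.append(HostEntry(net, down_rate, down_ceil, up_rate, up_ceil))
    return entries


def fill_auto_rates(entries: list[HostEntry], link_kbit: int, direction: str) -> dict[str, int]:
    """Return {network: rate_kbit} with every 0 rate replaced by its computed share."""
    if direction not in ("down", "up"):
        raise ValueError("direction must be 'down' or 'up'")
    rate_attr, ceil_attr = f"{direction}_rate", f"{direction}_ceil"
    fixed = sum(getattr(e, rate_attr) for e in entries)
    if fixed > link_kbit:
        raise ValueError(f"fixed {direction} rates ({fixed} kbit) exceed the link ({link_kbit} kbit)")
    unassigned = link_kbit - fixed
    auto = [e for e in entries if getattr(e, rate_attr) == 0]
    weight_total = sum(getattr(e, ceil_attr) for e in auto)   # > 0 whenever auto is non-empty
    result = {}
    for e in entries:
        rate = getattr(e, rate_attr)
        if rate == 0:
            # integer share of the leftover, weighted by ceil, capped at the ceil
            rate = min(getattr(e, ceil_attr), unassigned * getattr(e, ceil_attr) // weight_total)
        result[str(e.net)] = rate
    return result


if __name__ == "__main__":
    hosts = parse_conf(SAMPLE_CONF)
    for direction, link in (("down", 768), ("up", 512)):
        print(direction, fill_auto_rates(hosts, link, direction))
```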
From: andy.furniss at dsl.pipex.com (Andy Furniss) Date: Wed Mar 1 20:56:40 2006 Subject: [LARTC] Htb queueing problem In-Reply-To: <4405DC4A.40902@gmail.com> References: <44043A85.6080302@gmail.com> <4405B432.10301@dsl.pipex.com> <4405DC4A.40902@gmail.com> Message-ID: <4405FC7C.1070103@dsl.pipex.com>

Diego Andrés Asenjo Gonzalez wrote:
> Hi and thanks for replying!
>
>>
>> As I select everything I don't know if this is enough - also I think
>> you need to select classify in the netfilter section.
>
> I also select almost everything in the netfilter section, including MARK
> and CLASSIFY. I simplified the script, maintaining the most important part
> (the "outgoing" traffic). I am now using the iptables MARK way, and
> still did not get any shaping:

Ahh OK

> $IPT -A FORWARD -t mangle -p udp -s 172.16.0.185/32 -i eth1 --sport
> 10000:10100 -d 172.16.1.0/24 -j MARK --set-mark 0x44

This should be -o eth1, or you should be shaping it on eth0, or if it's for the shaping box you need to do some sort of ingress shaping/policing.

Andy.

From andy.furniss at dsl.pipex.com Wed Mar 1 21:16:08 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Wed Mar 1 21:16:03 2006
Subject: [LARTC] Htb queueing problem
In-Reply-To: <20060301190715.GA5041@mandriva.com>
References: <44043A85.6080302@gmail.com> <4405B432.10301@dsl.pipex.com> <20060301190715.GA5041@mandriva.com>
Message-ID: <44060108.1090000@dsl.pipex.com>

Andreas Hasenack wrote:
> On Wed, Mar 01, 2006 at 02:48:18PM +0000, Andy Furniss wrote:
>
>> than bulk. Also remember when setting rates that htb will see ip packets
>> as ip length + 14 when used on ethX
>
> Could you elaborate on this a bit?
> I suppose you also meant this in an earlier message when you mentioned
> that the overhead was not included in the bw calculations.

Maybe, maybe not - there are even more overheads than 14 on eth and I may also have meant dsl overheads which you need to allow for using patches because everything gets padded out to a whole number of ATM cells.

As for the IP length + 14, it's because htb uses skb->len and on eth that's ip+14; on ppp it's just ip length - I don't know about other interfaces, you can use HTB's counters to test it.

For eth I often see people use 10 or 100mbit as ceils without adding overheads to HTB - which you can (38-14=24 I suppose), but even then in practice you need to ceil at slightly less than 10/100mbit.

Andy.

From andy.furniss at dsl.pipex.com Wed Mar 1 22:03:27 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Wed Mar 1 22:03:20 2006
Subject: [LARTC] leaky bucket on bursty multicast
In-Reply-To:
References:
Message-ID: <44060C1F.4090006@dsl.pipex.com>

Oivind wrote:
> Hi all,
> I have an average 2mbit multicast stream that once in a while bursts
> high (up to 20mbit/s) in short periods (about 200ms). Could anyone
> please help me with directions using tc for configuring leaky bucket
> shaping to this stream? I have a 5mbit/s ceiling.
>
> My system is running gentoo linux 2.6.14, and I have compiled in all
> QoS modules.

I suppose it depends what you want to do with the burst ie. propagate it, smooth it without loss or drop packets to maintain a rate.

Andy.

From dasenjo at gmail.com Thu Mar 2 04:56:48 2006
From: dasenjo at gmail.com (Diego Andrés Asenjo Gonzalez)
Date: Thu Mar 2 04:56:50 2006
Subject: [LARTC] Htb queueing problem
In-Reply-To: <4405FC7C.1070103@dsl.pipex.com>
References: <44043A85.6080302@gmail.com> <4405B432.10301@dsl.pipex.com> <4405DC4A.40902@gmail.com> <4405FC7C.1070103@dsl.pipex.com>
Message-ID: <44066D00.7060307@gmail.com>

Hi again!

>> $IPT -A FORWARD -t mangle -p udp -s 172.16.0.185/32 -i eth1 --sport
>> 10000:10100 -d 172.16.1.0/24 -j MARK --set-mark 0x44
>
> This should be -o eth1 or you should be shaping it on eth0 or if it's
> for the shaping box you need to do some sort of ingress shaping/policing.

Sorry, a typo :p. You pointed clearly the "-o eth1" in the previous message. Really, it is the first time that I use -i or -o in the rule. One point is that the box is a bridge between a LAN and a router, eth0 is in the LAN and eth1 in the router. So, I thought I could omit the interface.

Anyway, I think that this is a strange situation: there are marked (maybe not "well" marked) packages, but there is no traffic. I am trying with the -o option.

> Andy.

Thanks and bye.

From russell-lartc at stuart.id.au Thu Mar 2 08:30:03 2006
From: russell-lartc at stuart.id.au (Russell Stuart)
Date: Thu Mar 2 08:30:24 2006
Subject: [LARTC] Patch to allow for the ATM "cell tax"
Message-ID: <1141284603.10264.168.camel@ras.pc.brisbane.lube>

I have been trying to optimise my ADSL connections for VOIP. Funny things were happening - for example increasing the ping packet size by 50% had no effect, but then adding one byte had a major effect. It took me a while to figure out that I was seeing the effects of the fixed ATM cell size.

This is probably obvious to some of you. For the rest: ADSL uses ATM as its transport. An ATM "packet" is called a cell. A cell has a fixed length of 48 bytes of data, plus 5 bytes of header. If there is not enough data to occupy the cell, padding is added. Thus if you get unlucky there could be up to 47 bytes of padding.

This 47 bytes isn't really noticeable for large packets, such as found in Web Traffic, as it is only 3% of the total packet size. It isn't even really noticeable for normal sources of interactive traffic, because typical interactive traffic (eg telnet, ssh & irc) is so low volume, and hence doesn't take up much of your link capacity. Thus in both cases the total percentage of your link capacity devoted to carrying this "padding" (aka wasted bandwidth) is low.

In VOIP the situation changes. Firstly, the packets are small, occupying only 2 to 3 cells. Secondly, it saturates the link. Thus if you are doing VOIP, up to 1/3 of your link's capacity can be this padding.

It is not difficult using tc as it stands to generate a rate table that does a fairly good job of estimating the bandwidth used on your ADSL link by large packets, or by small packets of a consistent size. You can't do both. You can play with the figures (overhead and base rate) and get all sorts of trade offs. If you are prepared to overestimate the link's carrying capacity at some packet sizes (a serious error for VOIP), then you can get the worst case error down to around 20%.
If you don't want to overestimate link capacity under any circumstances, the worst case error rises to a 40% underestimate.

The following patch to tc allows it to perform an exact ATM / ADSL rate calculation. It adds one extra keyword to the "tc class add htb ..." command line: "atm". There aren't a lot of spare bits hanging around to record this, so the patch adds the feature at the expense of always forcing the "overhead" parameter to be even.

With the patch, these commands will generate a correct rate table for:

PPPoA + VC/Mux: tc class add htb ... overhead 10 atm
PPPoA + VC/LLC: tc class add htb ... overhead 18 atm
PPPoE + VC/Mux: tc class add htb ... overhead 34 atm
PPPoE + VC/LLC: tc class add htb ... overhead 42 atm

When using these command lines, you always specify the ADSL link capacity as quoted by the modem. Eg, if you are controlling incoming traffic on a 512k/128k link, you specify the link speed as 512000bps.

For those of you running Debian sarge or unstable, you can find a patched version of tc here: http://www.stuart.id.au/russell/files/debian/sarge/iproute

diff -Nur iproute-20051007.keep/tc/q_htb.c iproute-20051007/tc/q_htb.c --- iproute-20051007.keep/tc/q_htb.c 2006-03-02 14:50:51.000000000 +1000 +++ iproute-20051007/tc/q_htb.c 2006-03-02 15:50:31.000000000 +1000 @@ -349,6 +349,7 @@ " burst max bytes burst which can be accumulated during idle period {computed}\n" " mpu minimum packet size used in rate computations\n" " overhead per-packet size overhead used in rate computations\n" + " atm include atm cell tax in rate computations\n" " ceil definite upper class rate (no borrows) {rate}\n" " cburst burst but for ceil {computed}\n" @@ -416,7 +417,7 @@ unsigned buffer=0,cbuffer=0; int cell_log=-1,ccell_log = -1; unsigned mtu, mpu; - unsigned char mpu8 = 0, overhead = 0; + unsigned char mpu8 = 0, overhead = 0, atm=0; struct rtattr *tail; memset(&opt, 0, sizeof(opt)); mtu = 1600; /* eth packet len */
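Review bot: the new usage line for `atm` says nothing about the side effect the patch introduces, namely that `overhead` must now be an even number (the parsing hunk that follows rejects odd values). Extend the `overhead` help text, e.g. `" overhead per-packet size overhead used in rate computations (must be even)\n"`, so the restriction is visible to someone who only reads `tc class add htb help`.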
@@ -440,9 +441,11 @@ } } else if (matches(*argv, "overhead") == 0) { NEXT_ARG(); - if (get_u8(&overhead, *argv, 10)) { + if (get_u8(&overhead, *argv, 10) || (overhead & 1)) { explain1("overhead"); return -1; } + } else if (matches(*argv, "atm") == 0) { + atm = 1; } else if (matches(*argv, "quantum") == 0) { NEXT_ARG(); if (get_u32(&opt.quantum, *argv, 10)) { @@ -515,7 +518,7 @@ if (!cbuffer) cbuffer = opt.ceil.rate / get_hz() + mtu; /* encode overhead and mpu, 8 bits each, into lower 16 bits */ - mpu = (unsigned)mpu8 | (unsigned)overhead << 8; + mpu = (unsigned)mpu8 | (unsigned)(overhead + atm) << 8; opt.ceil.mpu = mpu; opt.rate.mpu = mpu; if ((cell_log = tc_calc_rtable(opt.rate.rate, rtab, cell_log, mtu, mpu)) < 0) { @@ -575,12 +578,16 @@ sprint_size(buffer, b1), 1<rate.cell_log, sprint_size(hopt->rate.mpu&0xFF, b2), - sprint_size((hopt->rate.mpu>>8)&0xFF, b3)); + sprint_size((hopt->rate.mpu>>8)&0xFE, b3)); + if (hopt->rate.mpu & 0x100) + fprintf(f, "atm "); fprintf(f, "cburst %s/%u mpu %s overhead %s ", sprint_size(cbuffer, b1), 1<ceil.cell_log, sprint_size(hopt->ceil.mpu&0xFF, b2), - sprint_size((hopt->ceil.mpu>>8)&0xFF, b3)); + sprint_size((hopt->ceil.mpu>>8)&0xFE, b3)); + if (hopt->ceil.mpu & 0x100) + fprintf(f, "atm "); fprintf(f, "level %d ", (int)hopt->level); } else { fprintf(f, "burst %s ", sprint_size(buffer, b1)); diff -Nur iproute-20051007.keep/tc/tc_core.c iproute-20051007/tc/tc_core.c --- iproute-20051007.keep/tc/tc_core.c 2006-03-02 14:50:51.000000000 +1000 +++ iproute-20051007/tc/tc_core.c 2006-03-02 15:48:38.000000000 +1000 
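Review bot: in the `overhead` branch an odd value now fails through `explain1("overhead")`, which prints the generic usage and gives no hint that the value has to be even; print a specific message (e.g. `fprintf(stderr, "overhead must be even when atm is used\n")`) before `return -1`. A second limitation worth stating next to the example command lines: `get_u8` keeps `overhead` in 0..255, so the negative overhead a PPPoA/VC-Mux link needs when shaping on an Ethernet device (htb already counts ip length + 14 there, as noted earlier in this thread) cannot be expressed at all. The display side is consistent with the encoding: `&0xFE` recovers the overhead and bit 8 (`& 0x100`) is the atm flag, so `tc -s class show` round-trips correctly.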
@@ -43,6 +43,32 @@ } /* + * Calculate the link layer frame size using into information encoded + * in the mpu. + */ +static unsigned frame_size(unsigned size, unsigned mpu) { + unsigned min_packet_size = mpu & 0xFF; + unsigned overhead = (mpu >> 8) & 0xFE; + unsigned atm_cell_tax = (mpu & 0x100) != 0; + const unsigned atm_header = 5; + const unsigned atm_payload = 48; + + size += overhead; + if (size < min_packet_size) + size = min_packet_size; + if (atm_cell_tax) { + int cells = size / atm_payload; + int tail = size % atm_payload; + if (tail != 0) { + size += atm_payload - tail; + cells += 1; + } + size += atm_header * cells; + } + return size; +} + +/* rtab[pkt_len>>cell_log] = pkt_xmit_time */ 
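Review bot: `frame_size()` is correct for a single packet, but the rate table it feeds is indexed by `pkt_len>>cell_log` (see the comment just below the hunk), so with the default htb mtu of 1600 (cell_log 3, 8-byte slots) packets that need different numbers of cells share one entry whenever a 48-byte cell boundary falls inside a slot; whichever size in the slot the cell tax is evaluated at, the other sizes are costed wrongly. Evaluate at the slot's largest size (`((i+1)<<cell_log)-1`) so the table never underestimates, or force a smaller cell_log for the small-packet range that matters for VOIP. Minor: the comment reads "using into information encoded in the mpu"; drop "into".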
@@ -50,23 +76,16 @@ unsigned mpu) { int i; - unsigned overhead = (mpu >> 8) & 0xFF; - mpu = mpu & 0xFF; - - if (mtu == 0) - mtu = 2047; if (cell_log < 0) { + if (mtu == 0) + mtu = 2047; cell_log = 0; while ((mtu>>cell_log) > 255) cell_log++; } for (i=0; i<256; i++) { - unsigned sz = (i<

From: sorin.panca at gmail.com (Sorin Panca)
Subject: [LARTC] counter-strike
Message-ID: <4406DABD.8050700@gmail.com>

Hi list!

I have a LAN server with Gentoo Linux. It's a Pentium III at 1000 MHz with 256 MB SDRAM. I've implemented a QoS solution with HTB and SFQ. Here is the diagram:

_______________________________________________________________________

1:--+----1:1 - [ counter-strike & icmp ] rate=1Mbit; ceil=1Mbit;
    |         prio 0; (u32 filter by ports)
    |
    |----1:2 - [ Internet ] rate=1.5Mbit; ceil=rate; prio 1;
    |    |     (RNR=rate) RNR = Root iNet Rate
    |    |
    |    |---1:20 - [ normal traffic ] rate=90% of $RNR; ceil=$RNR;
    |    |          prio 0; (u32 filter by ports)
    |    |
    |    \---1:21 - [ p2p traffic ] (default class) rate=1kbit;
    |               ceil=90% of $RNR; prio 1
    |
    |----1:3 - [ MAN ] rate=1Mbit; ceil=10Mbit-$RNR; prio 1
    |    |     (RMC=ceil) RMC = Root MAN Ceil
    |    |     MAN destinations are marked with 0x1 Marker
    |    |
    |    |---1:30 - [ normal traffic ]
    |    |          rate=500kbit;ceil=($RMC-$RNR-1)kbit;
    |    |          prio 0; (u32 filter by ports AND fw mark)
    |    |
    |    \---1:31 - [ p2p traffic ] rate=1kbit; ceil=($RMC-$RNR-1)kbit;
    |               prio 1; (u32 filter by fw mark)
    |
    \----1:4 - [ LAN ] rate=89Mbit; ceil=89Mbit
________________________________________________________________________

dev is eth0 and eth1; eth0 is connected at the Internet and eth1 is connected at my LAN.

My problem: when connecting from LAN to outside counter-strike servers I have a 280-1500 ms lag. For counter-strike to be playable I need to have a lag of 0 to 65 ms. If I tc qdisc del dev eth* root; I have a lag of 45 to 120 ms.

How can I improve response times? Has anyone any idea? I can change the server to a Pentium III at 1000 MHz with RIMM. Would that help? Or is there a software solution?

Thank you in advance!
Sorin

From msc at antzsystem.de Thu Mar 2 14:37:58 2006
From: msc at antzsystem.de (Markus Schulz)
Date: Thu Mar 2 14:38:09 2006
Subject: [LARTC] Patch to allow for the ATM "cell tax"
In-Reply-To: <1141284603.10264.168.camel@ras.pc.brisbane.lube>
References: <1141284603.10264.168.camel@ras.pc.brisbane.lube>
Message-ID: <200603021437.58824.msc@antzsystem.de>

On Thursday, 2 March 2006 08:30, Russell Stuart wrote:
> I have been trying to optimise my ADSL connections for VOIP.
> Funny things were happening - for example increasing the ping
> packet size by 50% had no effect, but then adding one byte
> had a major effect. It took me a while to figure out that I
> was seeing the effects of the fixed ATM cell size.

[ ADSL - ATM/AAL5/LLC Overhead description ]

This stuff is well documented in Jesper Dangaard Brouer's master thesis found at: http://www.adsl-optimizer.dk/thesis/

There also exist patches which do static overhead rate table calculation (incl. ATM Cell alignment) or per packet overhead calculation for htb or other qdiscs.

Why don't you use the existing overhead parameter? It's useless to have two parameters which do the exact same thing (existing overhead and your atm). Only ATM Cell alignment must be added to rate table calculation.

-- 
Markus Schulz

From msc at antzsystem.de Thu Mar 2 14:51:54 2006
From: msc at antzsystem.de (Markus Schulz)
Date: Thu Mar 2 14:52:28 2006
Subject: [LARTC] Patch to allow for the ATM "cell tax"
In-Reply-To: <200603021437.58824.msc@antzsystem.de>
References: <1141284603.10264.168.camel@ras.pc.brisbane.lube> <200603021437.58824.msc@antzsystem.de>
Message-ID: <200603021451.54192.msc@antzsystem.de>

On Thursday, 2 March 2006 14:37, Markus Schulz wrote:
> On Thursday, 2 March 2006 08:30, Russell Stuart wrote:
> > I have been trying to optimise my ADSL connections for VOIP.
> > Funny things were happening - for example increasing the ping
> > packet size by 50% had no effect, but then adding one byte
> > had a major effect. It took me a while to figure out that I
> > was seeing the effects of the fixed ATM cell size.
>
> [ ADSL - ATM/AAL5/LLC Overhead description ]
>
> This stuff is well documented in Jesper Dangaard Brouer's master thesis
> found at: http://www.adsl-optimizer.dk/thesis/
>
> There also exist patches which do static overhead rate table
> calculation (incl. ATM Cell alignment) or per packet overhead
> calculation for htb or other qdiscs.
>
> Why don't you use the existing overhead parameter? It's useless to
> have two parameters which do the exact same thing (existing overhead
> and your atm).
> Only ATM Cell alignment must be added to rate table calculation.

But it would be nice if this would be patched into the upstream iproute source. Then there is no need of patching for qos at adsl links.

-- 
Markus Schulz

From vnulllists at pcnet.com.pl Thu Mar 2 15:23:01 2006
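Russell's description of the cell tax and Markus's remark that only the cell alignment needs to go into the rate-table calculation can be checked with a little arithmetic. The Python below is an added example written for this page; it is not tc's code, not Russell's patch and not one of the patches Markus mentions. It takes the 48-byte payload and 5-byte header from Russell's mail, treats the per-packet encapsulation overhead as a plain integer (so it can be negative when shaping on an Ethernet device, where htb already counts 14 bytes, as Andy notes earlier in this thread), and goes one step beyond the thread by building a 256-slot rate table the way tc indexes it (pkt_len >> cell_log) to show how slot granularity interacts with cell boundaries. The 128 kbit/s link rate and the packet sizes are constructed for the example.

```python
"""Added example: ATM cell-tax arithmetic and its effect on a tc-style rate table."""

ATM_HEADER = 5        # bytes of cell header (figure from the thread)
ATM_PAYLOAD = 48      # bytes of payload per cell (figure from the thread)
RTAB_SLOTS = 256      # tc's rate table has 256 entries


def atm_cells(ip_len, overhead):
    """Cells needed once `overhead` bytes of encapsulation are added.

    `overhead` is a plain int: 10 for PPPoA/VC-Mux as in the thread, and it may
    be negative when the shaper already counts link-layer bytes (ethX: 14)."""
    payload = ip_len + overhead
    return -(-payload // ATM_PAYLOAD)   # ceiling division


def atm_wire_size(ip_len, overhead):
    """Bytes actually put on the ADSL link for one packet."""
    return atm_cells(ip_len, overhead) * (ATM_PAYLOAD + ATM_HEADER)


def atm_padding(ip_len, overhead):
    """Padding bytes added to fill the last cell (0..47)."""
    return atm_cells(ip_len, overhead) * ATM_PAYLOAD - (ip_len + overhead)


def xmit_time_us(wire_bytes, rate_bps):
    """Transmit time in microseconds at the link's ATM user rate."""
    return wire_bytes * 8 * 1_000_000 / rate_bps


def pick_cell_log(mtu):
    """The search tc uses: the smallest shift that fits `mtu` into 256 slots."""
    cell_log = 0
    while (mtu >> cell_log) > 255:
        cell_log += 1
    return cell_log


def build_rtab(rate_bps, cell_log, overhead, worst_case=False):
    """Rate table indexed by pkt_len >> cell_log.

    worst_case=False costs each slot at its smallest packet size (a table that
    can underestimate); worst_case=True costs it at its largest, so a lookup
    never charges fewer cells than the packet really needs."""
    table = []
    for i in range(RTAB_SLOTS):
        size = ((i + 1) << cell_log) - 1 if worst_case else i << cell_log
        table.append(xmit_time_us(atm_wire_size(size, overhead), rate_bps))
    return table


def rtab_lookup(table, cell_log, ip_len):
    """What the shaper would charge an IP packet of `ip_len` bytes."""
    return table[ip_len >> cell_log]


if __name__ == "__main__":
    overhead = 10                      # PPPoA + VC/Mux, from the thread
    for ip_len in (60, 86, 87, 200):   # 200 = 20 ms G.711 RTP packet (constructed)
        print(ip_len, atm_cells(ip_len, overhead), atm_wire_size(ip_len, overhead),
              atm_padding(ip_len, overhead))
    cell_log = pick_cell_log(1600)     # htb's default mtu in tc
    naive = build_rtab(128_000, cell_log, overhead)
    safe = build_rtab(128_000, cell_log, overhead, worst_case=True)
    print(cell_log, rtab_lookup(naive, cell_log, 87), rtab_lookup(safe, cell_log, 87))
```

With the thread's PPPoA/VC-Mux overhead of 10, 60- and 86-byte IP packets both cost two cells (106 bytes on the wire) while 87 bytes tips into a third cell (159 bytes), which is the one-extra-byte effect Russell saw. The rate-table part shows why cell alignment alone is not quite enough: with the default htb mtu of 1600 the slot size is 8 bytes, so the 80..87-byte slot holds both two-cell and three-cell packets, and a table costed at the slot's smallest size charges an 87-byte packet 6625 µs on a 128 kbit/s link where it really occupies 9937.5 µs.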
From: vnulllists at pcnet.com.pl (Jakub Wartak)
Date: Thu Mar 2 15:19:34 2006
Subject: [LARTC] counter-strike
In-Reply-To: <4406DABD.8050700@gmail.com>
References: <4406DABD.8050700@gmail.com>
Message-ID: <200603021523.01132.vnulllists@pcnet.com.pl>

On Thursday, 2 March 2006 12:45, Sorin Panca wrote:
> Hi list!
>
> How can I improve response times? Has anyone any idea? I can change the
> server to a Pentium III at 1000 MHz with RIMM. Would that help?
> Or is there a software solution?

You should use PRIO to divide traffic into 2 classes
1) ultra-critical ( here : cs game )
2) other
3) very low prio

( more info is on www.voip-info.org , section : QoS under Linux )
you just have to mark CS packets and put them into the right PRIO class

-- 
Jakub Wartak -vnull
FreeBSD/OpenBSD/Linux/Solaris/Network Administrator
http://vnull.pcnet.com.pl/

From Andreas.Klauer at metamorpher.de Thu Mar 2 16:07:44 2006
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Thu Mar 2 16:07:57 2006
Subject: [LARTC] counter-strike
In-Reply-To: <4406DABD.8050700@gmail.com>
References: <4406DABD.8050700@gmail.com>
Message-ID: <20060302150744.GA12637@EIS>

On Thu, Mar 02, 2006 at 01:45:01PM +0200, Sorin Panca wrote:
> _______________________________________________________________________
>
> 1:--+----1:1 - [ counter-strike & icmp ] rate=1Mbit; ceil=1Mbit;
>     |         prio 0; (u32 filter by ports)
>     |
>     |----1:2 - [ Internet ] rate=1.5Mbit; ceil=rate; prio 1;
>     |    |     (RNR=rate) RNR = Root iNet Rate
>     |    |
>     |    |---1:20 - [ normal traffic ] rate=90% of $RNR; ceil=$RNR;
>     |    |          prio 0; (u32 filter by ports)
>     |    |
>     |    \---1:21 - [ p2p traffic ] (default class) rate=1kbit;
>     |               ceil=90% of $RNR; prio 1
>     |
>     |----1:3 - [ MAN ] rate=1Mbit; ceil=10Mbit-$RNR; prio 1
>     |    |     (RMC=ceil) RMC = Root MAN Ceil
>     |    |     MAN destinations are marked with 0x1 Marker
>     |    |
>     |    |---1:30 - [ normal traffic ]
>     |    |          rate=500kbit;ceil=($RMC-$RNR-1)kbit;
>     |    |          prio 0; (u32 filter by ports AND fw mark)
>     |    |
>     |    \---1:31 - [ p2p traffic ] rate=1kbit; ceil=($RMC-$RNR-1)kbit;
>     |               prio 1; (u32 filter by fw mark)
>     |
>     \----1:4 - [ LAN ] rate=89Mbit; ceil=89Mbit
>
> ________________________________________________________________________

I assume that CS actually goes out to Internet and/or MAN, depending on the location of the server. I would make one CS class for each. Otherwise you may have 1MBit CS (which goes out to Internet) plus 1.5MBit Internet, which will work only if you got 2.5MBit Internet guaranteed in total. Likewise with MAN. Unless you really got that much bandwidth, this setup will not give you any good results at all.

You could also use PRIO qdisc as a child to the HTB Internet / MAN classes to give CS absolute priority over HTTP over P2P. This approach worked very well for me and my flatmates, also for gaming.
But that's on a way slower line and without Internet/MAN distinction, so we've been happy with 200ms (versus 1000-5000ms when unshaped) pings.

Regards
Andreas Klauer

From andy.furniss at dsl.pipex.com Thu Mar 2 16:49:41 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Thu Mar 2 16:49:30 2006
Subject: [LARTC] Patch to allow for the ATM "cell tax"
In-Reply-To: <1141284603.10264.168.camel@ras.pc.brisbane.lube>
References: <1141284603.10264.168.camel@ras.pc.brisbane.lube>
Message-ID: <44071415.2090506@dsl.pipex.com>

Russell Stuart wrote:
> The following patch to tc allows it to perform an exact
> ATM / ADSL rate calculation.

I probably haven't read the patch properly - but I don't think you can do it exactly without patching net/sched/sched_htb.c as well. Specifically you need to add overhead - 1 before htb shifts the length to get the slot num (-1 because you need to get 48 and 49 payload length to map to different slots, 47 and 48 do). The table should be filled according to this.

> It adds one extra keyword
> to the "tc class add htb ..." command line: "atm". There
> isn't a lot of spare bits hanging around to record this,
> so the patch adds the feature at the expense of always
> forcing the "overhead" parameter to be even.
>
> With the patch, these commands will generate a correct
> rate table for:
>
> PPPoA + VC/Mux: tc class add htb ... overhead 10 atm
> PPPoA + VC/LLC: tc class add htb ... overhead 18 atm
> PPPoE + VC/Mux: tc class add htb ... overhead 34 atm
> PPPoE + VC/LLC: tc class add htb ... overhead 42 atm

Also remember that if you shape on ethX 14 bytes are already added to ip length when htb looks up rate, so pppoa/vcmux would need to be negative.

> When using these command lines, you always specify the ADSL
> link capacity as quoted by the modem. Eg, if you are
> controlling incoming traffic on a 512k/128k link, you
> specify the link speed as 512000bps.

You need to look at the atm user rate shown by your modem; for me in the past it was 288/576, this was sold as 250/500 by the telco and 256/512 by the isp.
You also need to back off a couple of kbit (egress - ingress more for different reasons) - one of my modems does cell qos based on rate of whole cells/sec - don't know how common that is. Also if you run exactly on the rate and a queue formed when starting/restarting scripts it would not drain till the traffic stopped.

Andy.

From andy.furniss at dsl.pipex.com Thu Mar 2 16:59:35 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Thu Mar 2 16:59:30 2006
Subject: [LARTC] Htb queueing problem
In-Reply-To: <44066D00.7060307@gmail.com>
References: <44043A85.6080302@gmail.com> <4405B432.10301@dsl.pipex.com> <4405DC4A.40902@gmail.com> <4405FC7C.1070103@dsl.pipex.com> <44066D00.7060307@gmail.com>
Message-ID: <44071667.3050804@dsl.pipex.com>

Diego Andrés Asenjo Gonzalez wrote:
> Hi again!
>
>>> $IPT -A FORWARD -t mangle -p udp -s 172.16.0.185/32 -i eth1 --sport
>>> 10000:10100 -d 172.16.1.0/24 -j MARK --set-mark 0x44
>>
>> This should be -o eth1 or you should be shaping it on eth0 or if it's
>> for the shaping box you need to do some sort of ingress shaping/policing.
>
> Sorry, a typo :p. You pointed clearly the "-o eth1" in the previous
> message. Really, it is the first time that I use -i or -o in the rule. One
> point is that the box is a bridge between a LAN and a router, eth0 is in
> the LAN and eth1 in the router. So, I thought I could omit the interface.
>
> Anyway, I think that this is a strange situation: there are marked
> (maybe not "well" marked) packages, but there is no traffic. I am trying
> with the -o option.

It could be the bridging - I've never tried; maybe you could look into ebtables or just use tc/u32 to do the matching.

Andy.

From m.innocenti at cineca.it Thu Mar 2 17:20:26 2006
From: m.innocenti at cineca.it (m.innocenti@cineca.it)
Date: Thu Mar 2 17:21:02 2006
Subject: [LARTC] Htb queueing problem
In-Reply-To: <44066D00.7060307@gmail.com>
References: <44043A85.6080302@gmail.com> <4405B432.10301@dsl.pipex.com> <4405DC4A.40902@gmail.com> <4405FC7C.1070103@dsl.pipex.com> <44066D00.7060307@gmail.com>
Message-ID: <44071B52.1010806@cineca.it>

Diego Andrés Asenjo Gonzalez wrote:
> Sorry, a typo :p. You pointed clearly the "-o eth1" in the previous
> message. Really, it is the first time that I use -i or -o in the rule. One
> point is that the box is a bridge between a LAN and a router, eth0 is in
> the LAN and eth1 in the router. So, I thought I could omit the interface.

You have to use physdev on a bridge (-m physdev --physdev-out eth1).

-- 
**********************************************************************
Marco Innocenti
Gruppo Infrastruttura e Sicurezza
CINECA
phone: +39 0516171553 / fax: +39 0516132198
Via Magnanelli 6/3
e-mail: innocenti@cineca.it
40033 Casalecchio di Reno
Bologna (Italy)
**********************************************************************

From mart.frauenlob at chello.at Thu Mar 2 17:24:03 2006
From: mart.frauenlob at chello.at (Mart Frauenlob)
Date: Thu Mar 2 17:24:23 2006
Subject: [LARTC] Dual ISP routing and NAT problem
Message-ID: <44071C23.7040206@chello.at>

Hello newsgroup,

I hope somebody with more routing experience than me can help me with the problem I have. The setup is as described below. A dual internet provider routing, multiple local area networks, and a dmz network with one public and one private ip range. I followed the instructions at lartc.org, and so far everything is working. The default route is via 'PROV_STATIC', only packets coming from LAN 192.168.111.0/24 are routed via 'PROV_DSL'.

Now if I want to do network address translation via iptables for certain traffic coming into the dsl interface ppp0, packets never reach their destination. DNAT into DMZ or any of the LANs over the eth0 interface works as expected. So for example applying a DNAT rule like:

'iptables -t nat -A PREROUTING -i ppp0 -d 217.92.8.242 -p tcp --dport 80 -j DNAT --to-destination 62.155.170.254'

fails. Same for NAT attempts into the LANs 192.168.112.0/24 and 192.168.113.0/24. While DNAT into LAN 192.168.111.0/24 works perfectly.

So I think the problem is that traffic from the DMZ and those two LANs has the ip rules applied to end up in the table 'PROV_STATIC'. Which usually is what I want, but not in this case, where I want port or protocol specific traffic to be routed differently. Is there a way to 'override' the default routing behaviour for i.e. http traffic? I tried the iptables ROUTE target, but did not get it working, but that could of course be my error. Is there anything wrong with my current routing tables?

Thank you for any help you can give.
Best regards,
Mart

<------------------------------------------------->
Setup:

Firewall / Router:
2 external interfaces
3 lan interfaces
1 dmz interface

External interfaces:
1 - PROV_STATIC:
    IP: 62.155.170.250
    Network: 62.155.170.248/30
    Interface: static interface eth0
    global default route via: 62.155.170.249
2 - PROV_DSL:
    IP: 217.92.8.242
    Peer: 217.6.98.186
    Interface: DSL interface ppp0 (pppoe over eth1)

DMZ interface:
    IP_1: 62.155.170.253
    Network_1: 62.155.170.252/30
    IP_2: 192.168.0.1
    Network_2: 192.168.0.0/24
    Interface: eth4

LAN interfaces:
1:  IP: 192.168.111.1
    Network: 192.168.111.0/24
    Interface: eth5
2:  IP: 192.168.112.1
    Network: 192.168.112.0/24
    Interface: eth2
3:  IP: 192.168.113.1
    Network: 192.168.113.0/24
    Interface: eth3

igor:/# ip route list table PROV_DSL
217.6.98.186 dev ppp0 proto kernel scope link src 217.92.8.242
62.155.170.248/30 dev eth0 scope link src 62.155.170.250
62.155.170.252/30 dev eth4 proto kernel scope link src 62.155.170.253
192.168.112.0/24 dev eth2 proto kernel scope link src 192.168.112.1
192.168.113.0/24 dev eth3 proto kernel scope link src 192.168.113.1
192.168.0.0/24 dev eth4 proto kernel scope link src 192.168.0.1
192.168.111.0/24 dev eth5 proto kernel scope link src 192.168.111.1
10.0.0.0/8 via 192.168.111.3 dev eth5 proto kernel src 192.168.111.1
127.0.0.0/8 dev lo scope link
default via 217.6.98.186 dev ppp0

igor:/# ip route list table PROV_STATIC
217.6.98.186 dev ppp0 proto kernel scope link src 217.92.8.242
62.155.170.248/30 dev eth0 scope link src 62.155.170.250
62.155.170.252/30 dev eth4 proto kernel scope link src 62.155.170.253
192.168.112.0/24 dev eth2 proto kernel scope link src 192.168.112.1
192.168.113.0/24 dev eth3 proto kernel scope link src 192.168.113.1
192.168.0.0/24 dev eth4 proto kernel scope link src 192.168.0.1
192.168.111.0/24 dev eth5 proto kernel scope link src 192.168.111.1
10.0.0.0/8 via 192.168.111.3 dev eth5 proto kernel src 192.168.111.1
127.0.0.0/8 dev lo scope link
default via 62.155.170.249 dev eth0
igor:/# ip route list
217.6.98.186 dev ppp0 proto kernel scope link src 217.92.8.242
62.155.170.248/30 dev eth0 proto kernel scope link src 62.155.170.250
62.155.170.252/30 dev eth4 proto kernel scope link src 62.155.170.253
192.168.112.0/24 dev eth2 proto kernel scope link src 192.168.112.1
192.168.113.0/24 dev eth3 proto kernel scope link src 192.168.113.1
192.168.0.0/24 dev eth4 proto kernel scope link src 192.168.0.1
192.168.111.0/24 dev eth5 proto kernel scope link src 192.168.111.1
10.0.0.0/8 via 192.168.111.3 dev eth5 proto kernel
default via 62.155.170.249 dev eth0

igor:/# ip rule list
0:      from all lookup local
32759:  from 192.168.0.0/24 lookup PROV_STATIC
32760:  from 62.155.170.252/30 lookup PROV_STATIC
32761:  from 192.168.113.0/24 lookup PROV_STATIC
32762:  from 192.168.112.0/24 lookup PROV_STATIC
32763:  from 192.168.111.0/24 lookup PROV_DSL
32764:  from 217.92.8.242 lookup PROV_DSL
32765:  from 62.155.170.250 lookup PROV_STATIC
32766:  from all lookup main
32767:  from all lookup default
<------------------------------------------------->

From luciano at lugmen.org.ar Thu Mar 2 17:56:05 2006
From: luciano at lugmen.org.ar (Luciano Ruete)
Date: Thu Mar 2 17:56:28 2006
Subject: [LARTC] Htb queueing problem
In-Reply-To: <44071667.3050804@dsl.pipex.com>
References: <44043A85.6080302@gmail.com> <44066D00.7060307@gmail.com> <44071667.3050804@dsl.pipex.com>
Message-ID: <200603021356.05759.luciano@lugmen.org.ar>

On Thursday 02 March 2006 12:59, Andy Furniss wrote:
> Diego Andrés Asenjo Gonzalez wrote:
> > Hi again!
> >
> >>> $IPT -A FORWARD -t mangle -p udp -s 172.16.0.185/32 -i eth1 --sport
> >>> 10000:10100 -d 172.16.1.0/24 -j MARK --set-mark 0x44
> >>
> >> This should be -o eth1 or you should be shaping it on eth0 or if it's
> >> for the shaping box you need to do some sort of ingress
> >> shaping/policing.
> >
> > Sorry, a typo :p. You pointed clearly the "-o eth1" in the previous
> > message. Really, it is the first time that I use -i or -o in the rule. One
> > point is that the box is a bridge between a LAN and a router, eth0 is in
> > the LAN and eth1 in the router. So, I thought I could omit the interface.
> >
> > Anyway, I think that this is a strange situation: there are marked
> > (maybe not "well" marked) packages, but there is no traffic. I am trying
> > with the -o option.
>
> It could be the bridging - I've never tried maybe you could look into
> ebtables or just use tc/u32 to do the matching.

Setting the appropriate routes and proxy_arp to 1 is a way to do a bridge but at ip layer. This allows using iptables and other ip layer tools without any problem, and it's completely transparent like the bridge. Using iptables for a bridge is certainly not a good idea. That's why ebtables was created.

-- 
Luciano

From sorin.panca at gmail.com Thu Mar 2 19:17:43 2006
From: sorin.panca at gmail.com (Sorin Panca)
Date: Thu Mar 2 19:17:56 2006
Subject: [LARTC] counter-strike
In-Reply-To: <200603021523.01132.vnulllists@pcnet.com.pl>
References: <4406DABD.8050700@gmail.com> <200603021523.01132.vnulllists@pcnet.com.pl>
Message-ID: <440736C7.6020507@gmail.com>

Jakub Wartak wrote:
> You should use PRIO to divide traffic into 2 classes
> 1) ultra-critical ( here : cs game )
> 2) other
> 3) very low prio
>
> ( more info is on www.voip-info.org , section : QoS under Linux )
> you just have to mark CS packets and put them into the right PRIO class

Class 1:1 has prio 0 in htb and filters. Other classes have a higher priority. I've made a test. I've added

1: ---- 1:1 --- 10:
htb   class     sfq

and blocked all other ports and traffic. With this setup I was unable to lower the ping to be less than 280. This made me come to the conclusion that ANY classification would introduce a packet delay. So if I use prio qdisc wouldn't that be a classification? This is why I created the CS class as a root class.

To answer the other mail: CS maximum bandwidth consumption is about 500k. That is why the sum never exceeds the netrate. People in my LAN play almost exclusively in MAN, not in the Internet. I allocated such high bandwidth because htb would allocate the spare based on classes' rates ratios. And since 1:1 is a root class as 1:2 and 1:3 (MAN and Internet respectively) it had to have such a rate even if it is not found in my real bandwidth.

From dasenjo at gmail.com Thu Mar 2 19:27:21 2006
From: dasenjo at gmail.com (Diego Andrés Asenjo Gonzalez)
Date: Thu Mar 2 19:27:30 2006
Subject: [LARTC] Htb queueing problem
In-Reply-To: <44071B52.1010806@cineca.it>
References: <44043A85.6080302@gmail.com> <4405B432.10301@dsl.pipex.com> <4405DC4A.40902@gmail.com> <4405FC7C.1070103@dsl.pipex.com> <44066D00.7060307@gmail.com> <44071B52.1010806@cineca.it>
Message-ID: <44073909.1050503@gmail.com>

Hello!

Thanks to all for your responses.

m.innocenti@cineca.it wrote:
> You have to use physdev on a bridge (-m physdev --physdev-out eth1).

Yes, you are right. Taken from the ebtables FAQ:

* Can I use ebtables with iptables?
Yes, it's possible to use ebtables together with iptables, there are no incompatibility issues.

* I'm using a 2.6 or higher kernel and my iptables rules won't match on the bridge port devices, what's wrong?
Instead there is now an iptables match module, called physdev, that can be used to filter on the bridge ports.

I hope physdev is going to be the solution.

Bye and thanks again.

From Andreas.Klauer at metamorpher.de Thu Mar 2 19:53:49 2006
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Thu Mar 2 19:54:17 2006
Subject: [LARTC] counter-strike
In-Reply-To: <440736C7.6020507@gmail.com>
References: <4406DABD.8050700@gmail.com> <200603021523.01132.vnulllists@pcnet.com.pl> <440736C7.6020507@gmail.com>
Message-ID: <20060302185349.GA14603@EIS>

On Thu, Mar 02, 2006 at 08:17:43PM +0200, Sorin Panca wrote:
> I've made a test. I've added
> 1: ---- 1:1 --- 10:
> htb class sfq

If that SFQ is the standard sfq with a queue length of 128 packets, it might be responsible for some of the delay. Unless you have connections in there that can choke the whole bandwidth (probably possible with CS if you set the rates up, I don't know), you may not need SFQ for interactive bands at all.

> People in my LAN play almost exclusively in MAN, not in the Internet. I
> allocated such high bandwidth because htb would allocate the spare based
> on classes' rates ratios. And since 1:1 is a root class as 1:2 and 1:3
> (MAN and Internet respectively) it had to have such a rate even if it is
> not found in my real bandwidth.

I don't think I follow your explanation here. How do you expect HTB to guarantee a rate for a class (that's what it claims to do) when there is no bandwidth to back it up? I've never dealt with MANs before, so I may be completely wrong. Usually you should not have more than one root class, and you should not let HTB think it can use more bandwidth than there actually is. It's extremely hard to understand the logic behind setups like this and therefore likely to get unexpected results from them.

Regards
Andreas Klauer

From anders at anduras.de Thu Mar 2 20:47:23 2006
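Andreas's objection, that HTB cannot guarantee a rate nothing backs, can be turned into a mechanical check on a class tree. The Python below is an added example written for this page, not code from the thread. It models Sorin's Internet-side classes with the numbers quoted above (RNR = 1.5 Mbit, so 90% of RNR is 1.35 Mbit) and assumes, as Andreas does, that the physical Internet link is the 1.5 Mbit given as RNR; the second, rearranged tree puts CS under the Internet class as Andreas suggests, with the 500 kbit CS figure from Sorin's reply and the other two rates constructed so that the children add up to what the parent can give.

```python
"""Added example: sanity-check an HTB class tree against the bandwidth behind it."""
from dataclasses import dataclass, field
from typing import List

KBIT = 1_000
MBIT = 1_000_000


@dataclass
class HtbClass:
    classid: str
    rate: int                        # guaranteed rate, bit/s
    ceil: int                        # borrowing limit, bit/s
    children: List["HtbClass"] = field(default_factory=list)


def check_htb(cls: HtbClass, available: int) -> List[str]:
    """Return the problems found in `cls` and its subtree.

    `available` is the most the parent can ever hand down (its ceil; for the
    root, the physical link rate). A class's guarantees are only real if its
    children's rates fit inside its own rate and its ceil fits inside what
    the parent can supply."""
    problems = []
    if cls.rate > cls.ceil:
        problems.append(f"class {cls.classid}: rate {cls.rate} > ceil {cls.ceil}")
    if cls.ceil > available:
        problems.append(f"class {cls.classid}: ceil {cls.ceil} exceeds the "
                        f"{available} bit/s available above it")
    promised = sum(child.rate for child in cls.children)
    if promised > cls.rate:
        problems.append(f"class {cls.classid}: children are guaranteed {promised} "
                        f"bit/s but the class itself has only {cls.rate}")
    for child in cls.children:
        problems.extend(check_htb(child, cls.ceil))
    return problems


def check_tree(root: HtbClass, link_rate: int) -> List[str]:
    """Check a whole tree; `link_rate` is the real capacity the root sits on."""
    return check_htb(root, link_rate)


INTERNET_BPS = 1_500 * KBIT       # RNR from the thread, assumed to be the physical link
RNR = INTERNET_BPS

# Sorin's layout, Internet side only: CS is a sibling of the Internet class.
AS_POSTED = HtbClass("1:", INTERNET_BPS, INTERNET_BPS, [
    HtbClass("1:1", 1 * MBIT, 1 * MBIT),                 # counter-strike & icmp
    HtbClass("1:2", RNR, RNR, [                          # Internet
        HtbClass("1:20", 9 * RNR // 10, RNR),            # normal traffic, 90% of RNR
        HtbClass("1:21", 1 * KBIT, 9 * RNR // 10),       # p2p, default class
    ]),
])

# Rearranged as Andreas suggests: CS lives under the Internet class, and the
# three children's rates add up to exactly what 1:2 can guarantee (constructed).
REARRANGED = HtbClass("1:", INTERNET_BPS, INTERNET_BPS, [
    HtbClass("1:2", RNR, RNR, [
        HtbClass("1:22", 500 * KBIT, RNR),               # counter-strike, ~500k per Sorin
        HtbClass("1:20", 900 * KBIT, RNR),               # normal traffic (constructed)
        HtbClass("1:21", 100 * KBIT, 9 * RNR // 10),     # p2p (constructed)
    ]),
])

if __name__ == "__main__":
    for name, tree in (("as posted", AS_POSTED), ("rearranged", REARRANGED)):
        print(name, check_tree(tree, INTERNET_BPS) or ["ok"])
```

Run against the posted layout the check reports exactly the problem Andreas describes in prose: the root's children are guaranteed 2.5 Mbit on a 1.5 Mbit link. The rearranged tree passes, which is the property to preserve when adding a class: every level's rates must sum to no more than the level above can deliver.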
From: anders at anduras.de (Sven Anders) Date: Thu Mar 2 20:47:17 2006 Subject: [LARTC] Problem with duplicate route entry Message-ID: <44074BCB.1000809@anduras.de> Hello! I have a problem with a duplicate route entry, when using a pre-installed route and automatic take-over by the "heartbeat" daemon, which adds an address and the kernel adds a route automatically. Maybe anyone has an explanation...
> ip addr
1: lo: mtu 16436 qdisc noqueue
    inet 127.0.0.1/8 scope host lo
2: eth0: mtu 1514 qdisc pfifo_fast qlen 1000
    inet 10.10.20.100/32 scope global eth0
> ip route
127.0.0.0 dev lo scope link
10.10.20.0/24 dev eth0 scope link
default via 10.10.20.1 dev eth0
--
Now I add a route for my ha net:
> ip route add 10.100.0.0/24 dev eth0
> ip route
127.0.0.0 dev lo scope link
10.10.20.0/24 dev eth0 scope link
10.100.0.0/24 dev eth0 scope link
default via 10.10.20.1 dev eth0
--
The 'heartbeat' will add an address on switch-over:
> ip addr add 10.100.0.1/24 brd 10.100.0.255 dev eth0
> ip addr
1: lo: mtu 16436 qdisc noqueue
    inet 127.0.0.1/8 scope host lo
2: eth0: mtu 1514 qdisc pfifo_fast qlen 1000
    inet 10.10.20.100/32 scope global eth0
    inet 10.100.0.1/24 brd 10.100.0.255 scope global eth0
> ip route
127.0.0.0 dev lo scope link
10.10.20.0/24 dev eth0 scope link
10.100.0.0/24 dev eth0 scope link
10.100.0.0/24 dev eth0 proto kernel scope link src 10.100.0.1
default via 10.10.20.1 dev eth0
My question is: Why did the kernel add a duplicate routing entry, shouldn't it notice the existence and avoid this?? Is this a bug of the kernel?
Regards Sven Anders -- Sven Anders () Ascii Ribbon Campaign /\ Support plain text e-mail ANDURAS service solutions AG Innstraße 71 - 94036 Passau - Germany Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55 From anders at anduras.de Thu Mar 2 20:52:58 2006
From: anders at anduras.de (Sven Anders) Date: Thu Mar 2 20:52:54 2006 Subject: [LARTC] [RFC] Controlling the auto-route setting behaviour of the kernel Message-ID: <44074D1A.3010001@anduras.de> Hello! I implemented a patch to control the behaviour of the kernel when setting routes automatically when adding a new network address. You can select the types of routes you want to be set automatically. This enables the user - as an example - to set all routes in the local table automatically, but leave the main table untouched. (This is the special case I needed.) If you want you can disable it completely by writing 0 to /proc/sys/net/ipv4/ip_autoroute. I would like to see this in the kernel, but nobody on the netdev mailing list seems to care. Any comments or ideas about this? Stephen? Regards Sven -- Sven Anders () Ascii Ribbon Campaign /\ Support plain text e-mail ANDURAS service solutions AG Innstraße 71 - 94036 Passau - Germany Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55 -------------- next part -------------- A non-text attachment was scrubbed... Name: ip_autoroute.patch Type: text/x-diff Size: 2926 bytes Desc: not available Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20060302/e4694213/ip_autoroute.bin
From ad at heliosphan.co.uk Thu Mar 2 20:54:58 2006
From: ad at heliosphan.co.uk (Adam James) Date: Thu Mar 2 20:55:52 2006 Subject: [LARTC] Patch to allow for the ATM "cell tax" In-Reply-To: <44071415.2090506@dsl.pipex.com> References: <1141284603.10264.168.camel@ras.pc.brisbane.lube> <44071415.2090506@dsl.pipex.com> Message-ID: <1141329299.10677.26.camel@heliosphan.kernelpanic.co.uk> Hi, On Thu, 2006-03-02 at 15:49 +0000, Andy Furniss wrote: > Russell Stuart wrote: > > > The following patch to tc allows it to perform an exact > > ATM / ADSL rate calculation. > > I probably haven't read the patch properly - but I don't think you can > do it exactly without patching net/sched/sched_htb.c as well. > Specifically you need to add overhead - 1 before htb shifts the length > to get the slot num (-1 because you need to get 48 and 49 payload length > to map to different slots 47 and 48 do). The table should be filled > according to this. As Markus mentioned in another post on this thread, Jesper Dangaard Brouer (http://www.adsl-optimizer.dk) has already written an iproute2 and Linux kernel patch that implements the above. ATM cell alignment is done in tc_core.c, and the per packet overhead is passed to the relevant kernel modules. I have made some very minor changes to the patches, so that they apply cleanly to iproute2-20051007 and kernel 2.6.15. You will find them attached to this mail. > > When using these command lines, you always specify the ADSL > > link capacity as quoted by the modem. Eg, if you are > > controlling incoming traffic on a 512k/128k link, you > > specify the link speed as 512000bps. > > You need to look at the atm user rate shown by your modem, for me in the > past it was 288/576 this was sold as 250/500 by teleco and 256/512 by isp. > > You also need to back off a couple of kbit (egress - ingress more for > different reasons) - one of my modems does cell qos based on rate of > whole cells/sec - don't know how common that is.
Also if you run exactly > on the rate and queue formed when starting/restarting scripts it would > not drain till the traffic stopped. Setting the MTU to 1478 is probably a good idea to prevent excessive cell usage. Reasoning behind this being: 1488 is the largest multiple of 48 under 1500, less 2 bytes for the PPP header and 8 for the AAL5 footer. Perhaps you can confirm this isn't way off the mark Andy? :) -- Adam James -------------- next part -------------- A non-text attachment was scrubbed... Name: iproute2-ATM-align+overhead.patch Type: text/x-patch Size: 5683 bytes Desc: not available Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20060302/da694064/iproute2-ATM-alignoverhead-0001.bin -------------- next part -------------- A non-text attachment was scrubbed... Name: linux-2.6.15-overhead.patch Type: text/x-patch Size: 3272 bytes Desc: not available Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20060302/da694064/linux-2.6.15-overhead-0001.bin From sorin.panca at gmail.com Thu Mar 2 21:13:29 2006 
From: sorin.panca at gmail.com (Sorin Panca) Date: Thu Mar 2 21:13:46 2006 Subject: [LARTC] counter-strike In-Reply-To: <20060302185349.GA14603@EIS> References: <4406DABD.8050700@gmail.com> <200603021523.01132.vnulllists@pcnet.com.pl> <440736C7.6020507@gmail.com> <20060302185349.GA14603@EIS> Message-ID: <440751E9.5030805@gmail.com> Andreas Klauer wrote: >If that SFQ is the standard sfq with a queuelength of 128 packets, >it might be responsible for some of the delay. > The command was: sfq perturb 10 > Unless you have >connections in there that can choke the whole bandwidth (probably >possible with CS if you set the rates up, I don't know), you may >not need SFQ for interactive bands at all. > > > I'll be glad to use pfifo_fast but adding that qdisc explicitly I get a segmentation fault. If I don't add a leaf qdisc, how can I be sure pfifo_fast is used? Or is it just a pfifo? >>People in my LAN play almost exclusively in MAN, not in the Internet. I >>allocated such high bandwidth because htb would allocate the spare based >>on classes' rates ratios. And since 1:1 is a root class as 1:2 and 1:3 >>(MAN and Internet respectively) it had to have such a rate even if it is >>not found in my real bandwidth. >> >> "Any unused bandwidth can be used by any class which needs it (in proportion of its allocated share)." From http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm _In proportion of its allocated share._ >I've never dealt with MANs before, so I may be completely wrong. >Usually you should not have more than one root class, and you should >not let HTB think it can use more bandwidth than there actually is. >It's extremely hard to understand the logic behind setups like this >and therefore likely to get unexpected results from them. > > I am certain that CS does not have large bandwidth requirements, but it needs very low latency.
If I was to allocate a real bandwidth quantum, then the competition between CS and other traffic (MAN and Internet) would not be fair even if it has the lowest prio. So I had to lie to htb about the available bandwidth based upon the fact that bandwidth requirements for CS are low and bursty. HTB would not allocate bandwidth to a service that doesn't need it. (Or so I think; I may be wrong about that... Please correct me if I do.) I need more than one root class, because the bandwidths are separate and not superposable. So what MAN can spare, Internet cannot use and vice-versa. (And MAN can spare a lot!) I tested a setup with a 1:A root class and 1:1; 1:2; 1:3 and 1:4 were child classes of 1:A. I got the same results. But I needed to lower the latency so I deleted that 1:A root class... From andy.furniss at dsl.pipex.com Thu Mar 2 22:35:35 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss) Date: Thu Mar 2 22:35:22 2006 Subject: [LARTC] Patch to allow for the ATM "cell tax" In-Reply-To: <1141329299.10677.26.camel@heliosphan.kernelpanic.co.uk> References: <1141284603.10264.168.camel@ras.pc.brisbane.lube> <44071415.2090506@dsl.pipex.com> <1141329299.10677.26.camel@heliosphan.kernelpanic.co.uk> Message-ID: <44076527.9030402@dsl.pipex.com> Adam James wrote: > As Markus mentioned in another post on this thread, Jesper Dangaard > Brouer (http://www.adsl-optimizer.dk) has already written an iproute2 > and Linux kernel patch that implements the above. ATM cell alignment is > done in tc_core.c, and the per packet overhead is passed to the relevant > kernel modules. > > I have made some very minor changes to the patches, so that they apply > cleanly to iproute2-20051007 and kernel 2.6.15. You will find them > attached to this mail. Just remember to take 14 from your overhead if your modem is connected via eth rather than ppp etc. This means you need to put a negative overhead (can you?) if using pppoa/vcmux > Setting the MTU to 1478 is probably a good idea to prevent excessive > cell usage. Reasoning behind this being: 1488 is the largest multiple of > 48 under 1500, less 2 bytes for the PPP header and 8 for the AAL5 > footer. > > Perhaps you can confirm this isn't way off the mark Andy? :) 1478 is optimal if your overhead is 10 - I use it. For the pppoes I don't think you gain much as you lose tcp data efficiency by using smaller packets. Andy. From russell-lartc at stuart.id.au Thu Mar 2 23:18:52 2006
From: russell-lartc at stuart.id.au (Russell Stuart) Date: Thu Mar 2 23:19:06 2006 Subject: [LARTC] Patch to allow for the ATM "cell tax" In-Reply-To: <200603021451.54192.msc@antzsystem.de> References: <1141284603.10264.168.camel@ras.pc.brisbane.lube> <200603021437.58824.msc@antzsystem.de> <200603021451.54192.msc@antzsystem.de> Message-ID: <1141337933.10264.237.camel@ras.pc.brisbane.lube> On Thu, 2006-03-02 at 14:51 +0100, Markus Schulz wrote: > > Why you don't use the existing overhead parameter? It's useless to > > have two parameters which do the exact same thing (existing overhead > > and your atm). > > Only ATM Cell alignment must be added to rate table calculation. The overhead and atm options don't do the "exact same thing". If the atm option is present, tc includes the atm cell alignment overheads in the rate table calculation. Otherwise it doesn't. As atm cell overheads aren't a fixed amount (they vary in a non-linear fashion between 6 and 202 bytes), you can't use the overhead option to calculate them. > But it would be nice if this would be patched into upstream iproute > source. Then there is no need of patching for qos at adsl links. Yes. After posting my patch I went away and had a think, and realised that because of rounding issues my calculation of atm cell overhead would be wrong in some cases. The only fix I could think of was to modify the kernel. I was not aware of Jesper's adsl-optimiser patches until you pointed them out just now. Having looked at them two things stand out: a. Jesper had already come across the rate calculation problem and had solved it. His solution and my intended solution are the same. The problem is caused by the scaling of the packet size prior to looking up the rate table. The easy solution is to add the overhead in the kernel, rather than having tc include the overhead in the pre-calculated rate table. This is what Jesper's kernel patch does. 
(The rate table is indexed by packet size, and returns the amount of time required to send a packet of that size. It is a fixed size table of 256 entries (0..255). Since packets can be bigger than 255 bytes long, the packet size is first scaled so it will fit into the 0..255 range. Scaling is achieved by dividing the packet size by a power of 2 (ie 1, 2, 4, 8, etc). A scale factor of 8 handles packet sizes of 1024..2047, so this is what most links end up using.) If you don't patch the kernel, the rate calculated by the kernel will be wrong around 10% of the time (as opposed to very nearly 100% of the time if you don't use the patch at all). 2. Jesper didn't make including the atm cell overhead optional - so it is included for all links, whether they use atm or not. Thus he doesn't have an "atm" parameter. This means it isn't general purpose, and could not be distributed as part of the standard tc package. In any case, apart from those two relatively minor differences the two patches are identical in what they achieve and how they do it. Personally, I didn't care much about any of this before VOIP because when it is all said and done, the 3% error you get for large packet sizes is easily accounted for by just adjusting the rate accordingly. That doesn't work when the error rate rises to 40%, as it does for VOIP. As VOIP is going to become a significant part of internet traffic in the not too distant future, I think it is time to consider including some combination of these patches into the main line. From shemminger at osdl.org Thu Mar 2 23:23:02 2006
From: shemminger at osdl.org (Stephen Hemminger) Date: Thu Mar 2 23:23:05 2006 Subject: [LARTC] Patch to allow for the ATM "cell tax" In-Reply-To: <1141337933.10264.237.camel@ras.pc.brisbane.lube> References: <1141284603.10264.168.camel@ras.pc.brisbane.lube> <200603021437.58824.msc@antzsystem.de> <200603021451.54192.msc@antzsystem.de> <1141337933.10264.237.camel@ras.pc.brisbane.lube> Message-ID: <20060302142302.2ee626fe@localhost.localdomain> On Fri, 03 Mar 2006 08:18:52 +1000 Russell Stuart wrote: > On Thu, 2006-03-02 at 14:51 +0100, Markus Schulz wrote: > > > Why you don't use the existing overhead parameter? It's useless to > > > have two parameters which do the exact same thing (existing overhead > > > and your atm). > > > Only ATM Cell alignment must be added to rate table calculation. > > The overhead and atm options don't do the "exact same > thing". If the atm option is present, tc includes the > atm cell alignment overheads in the rate table > calculation. Otherwise it doesn't. > > As atm cell overheads aren't a fixed amount (they vary > in a non-linear fashion between 6 and 202 bytes), you > can't use the overhead option to calculate them. > > > But it would be nice if this would be patched into upstream iproute > > source. Then there is no need of patching for qos at adsl links. > > I will put it in iproute2 commands when a definitive set of patches is sent to me. So far, it still looks like it needs some fine tuning. From jasonb at edseek.com Thu Mar 2 23:45:28 2006 
From: jasonb at edseek.com (Jason Boxman) Date: Thu Mar 2 23:45:42 2006 Subject: [LARTC] Patch to allow for the ATM "cell tax" In-Reply-To: <20060302142302.2ee626fe@localhost.localdomain> References: <1141284603.10264.168.camel@ras.pc.brisbane.lube> <200603021437.58824.msc@antzsystem.de> <200603021451.54192.msc@antzsystem.de> <1141337933.10264.237.camel@ras.pc.brisbane.lube> <20060302142302.2ee626fe@localhost.localdomain> Message-ID: <40107.216.134.200.78.1141339528.squirrel@nebula.internal.foo> Stephen Hemminger said: > On Fri, 03 Mar 2006 08:18:52 +1000 > Russell Stuart wrote: > >> On Thu, 2006-03-02 at 14:51 +0100, Markus Schulz wrote: >> > > Why you don't use the existing overhead parameter? It's useless to >> > > have two parameters which do the exact same thing (existing overhead >> > > and your atm). >> > > Only ATM Cell alignment must be added to rate table calculation. >> >> The overhead and atm options don't do the "exact same >> thing". If the atm option is present, tc includes the >> atm cell alignment overheads in the rate table >> calculation. Otherwise it doesn't. >> >> As atm cell overheads aren't a fixed amount (they vary >> in a non-linear fashion between 6 and 202 bytes), you >> can't use the overhead option to calculate them. >> >> > But it would be nice if this would be patched into upstream iproute >> > source. Then there is no need of patching for qos at adsl links. >> >> > > I will put it in iproute2 commands when a definitive set of patches > is sent to me. So far, it still looks like it needs some fine tuning. I'll test the patch from Russell Stuart in the next few days, I hope. I'd love to eventually see it in iproute2. :) From russell-lartc at stuart.id.au Fri Mar 3 00:44:27 2006 
From: russell-lartc at stuart.id.au (Russell Stuart) Date: Fri Mar 3 00:44:39 2006 Subject: [LARTC] Patch to allow for the ATM "cell tax" In-Reply-To: <20060302142302.2ee626fe@localhost.localdomain> References: <1141284603.10264.168.camel@ras.pc.brisbane.lube> <200603021437.58824.msc@antzsystem.de> <200603021451.54192.msc@antzsystem.de> <1141337933.10264.237.camel@ras.pc.brisbane.lube> <20060302142302.2ee626fe@localhost.localdomain> Message-ID: <1141343067.10264.309.camel@ras.pc.brisbane.lube> On Thu, 2006-03-02 at 14:23 -0800, Stephen Hemminger wrote: > I will put it in iproute2 commands when a definitive set of patches > is sent to me. So far, it still looks like it needs some fine tuning. Yes, they need some fine tuning. My ultimate goal here is to get something into the main line that makes tc/htb work well for VOIP. I don't care whether it is my patch, or something else. Jesper's patch is more mature, and as such is probably the better starting point. The only problem with using them is this statement on his web site: "Commercial use of my work including the ADSL-optimizer is not allowed without my knowledge and consent. The ADSL-optimizer will be released under the GNU public license." Coming from a Debian background, statements like this can be a problem. A statement somewhere that clarifies the patches are released under the GPL (and thus can be used commercially) needs to be made somewhere. Either on the web site, or in the patches themselves. The combined issues from both sets of patches that need to be sorted are: 1. Changes to the kernel so the rate calculation can be 100% accurate. (Already in Jesper's patch - I must verify it is backward compatible.) 2. Making the ATM calculation optional via a command line option. (Already in my patch.) 3. Allowing the overhead figure to be negative so that the patch will work with PPPoA. (This is an issue with both patches.) 4. Jesper clarifying the license on his patch.
From jasonb at edseek.com Fri Mar 3 01:27:13 2006 From: jasonb at edseek.com (Jason Boxman) Date: Fri Mar 3 01:27:20 2006 Subject: [LARTC] Patch to allow for the ATM "cell tax" In-Reply-To: <1141284603.10264.168.camel@ras.pc.brisbane.lube> References: <1141284603.10264.168.camel@ras.pc.brisbane.lube> Message-ID: <200603021927.14012.jasonb@edseek.com> On Thursday 02 March 2006 02:30, Russell Stuart wrote: > I have been trying to optimise my ADSL connections for VOIP. > Funny things were happening - for example increasing the ping > packet size by 50% had no effect, but then adding one byte > had a major effect. It took me a while to figure out that I > was seeing the effects of the fixed ATM cell size. > diff -Nur iproute-20051007.keep/tc/q_htb.c iproute-20051007/tc/q_htb.c > --- iproute-20051007.keep/tc/q_htb.c 2006-03-02 14:50:51.000000000 +1000 > +++ iproute-20051007/tc/q_htb.c 2006-03-02 15:50:31.000000000 +1000 Any chance something like this can be applied to q_tbf? It's been classful for a while and I find a tbf with a prio under it works quite well for my configuration. Jesper's patch indicates untested support for other schedulers including tbf, so it's certainly possible. Thanks. -- Jason Boxman http://edseek.com/ - Linux and FOSS stuff From russell-lartc at stuart.id.au Fri Mar 3 01:43:05 2006 
From: russell-lartc at stuart.id.au (Russell Stuart) Date: Fri Mar 3 01:43:14 2006 Subject: [LARTC] Patch to allow for the ATM "cell tax" In-Reply-To: <200603021927.14012.jasonb@edseek.com> References: <1141284603.10264.168.camel@ras.pc.brisbane.lube> <200603021927.14012.jasonb@edseek.com> Message-ID: <1141346585.10264.338.camel@ras.pc.brisbane.lube> On Thu, 2006-03-02 at 19:27 -0500, Jason Boxman wrote: > Any chance something like this can be applied to q_tbf? It's been classful > for a while and I find a tbf with a prio under it works quite well for my > configuration. Jesper's patch indicates untested support for other > schedulers including tbf, so it's certainly possible. It would not be much more effort to add it to all qdiscs it applies to, really. What happens is identical in all cases. From msc at antzsystem.de Fri Mar 3 02:23:09 2006
From: msc at antzsystem.de (Markus Schulz) Date: Fri Mar 3 02:23:20 2006 Subject: [LARTC] Patch to allow for the ATM "cell tax" In-Reply-To: <1141329299.10677.26.camel@heliosphan.kernelpanic.co.uk> References: <1141284603.10264.168.camel@ras.pc.brisbane.lube> <44071415.2090506@dsl.pipex.com> <1141329299.10677.26.camel@heliosphan.kernelpanic.co.uk> Message-ID: <200603030223.09545.msc@antzsystem.de> On Thursday, 2 March 2006 20:54, Adam James wrote: > Hi, > > On Thu, 2006-03-02 at 15:49 +0000, Andy Furniss wrote: > > Russell Stuart wrote: > > > The following patch to tc allows it to perform an exact > > > ATM / ADSL rate calculation. > > > > I probably haven't read the patch properly - but I don't think you > > can do it exactly without patching net/sched/sched_htb.c as well. > > Specifically you need to add overhead - 1 before htb shifts the > > length to get the slot num (-1 because you need to get 48 and 49 > > payload length to map to different slots 47 and 48 do). The table > > should be filled according to this. > > As Markus mentioned in another post on this thread, Jesper Dangaard > Brouer (http://www.adsl-optimizer.dk) has already written an iproute2 > and Linux kernel patch that implements the above. ATM cell alignment > is done in tc_core.c, and the per packet overhead is passed to the > relevant kernel modules. Once again I have thought about this topic and tried to build a rate table with exactly the same behaviour as the htb-overhead patch from Jesper. But now as a static patch for iproute's tc, without need for patching htb or other kernel modules. But in all my experiments I can't calculate an equivalent rate table. It differs in behaviour from per packet calculated overhead. But I don't see the difference in mathematics in both calculations. I think it must be possible, but can't see my fault. With a rate table of at least one entry from zero (or 40b) to it is possible. But, is it possible with only 256 rate table entries?
I've attached a simple program, which implements three versions of calculations. Two of them use a rate table, at first the static version (without htb-overhead patch), second one with "simulated" kernel patch (like Jesper's one) and lastly a "realtime calculation" as a reference value. The second rate table is 100% equivalent to realtime calc. But the static version differs for some ip-length values from it. And I don't understand why. Perhaps someone can point me to the difference? The program is only for testing rate table calculations. It would be nice to do it without a htb or other qdisc module patch. And I think it should be possible :) -- Markus Schulz -------------- next part -------------- A non-text attachment was scrubbed... Name: rate-table.c Type: text/x-csrc Size: 2824 bytes Desc: not available Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20060303/d1a8c950/rate-table-0001.c From msc at antzsystem.de Fri Mar 3 02:49:25 2006
From: msc at antzsystem.de (Markus Schulz) Date: Fri Mar 3 02:49:30 2006 Subject: [LARTC] Patch to allow for the ATM "cell tax" In-Reply-To: <1141337933.10264.237.camel@ras.pc.brisbane.lube> References: <1141284603.10264.168.camel@ras.pc.brisbane.lube> <200603021451.54192.msc@antzsystem.de> <1141337933.10264.237.camel@ras.pc.brisbane.lube> Message-ID: <200603030249.25874.msc@antzsystem.de> On Thursday, 2 March 2006 23:18, Russell Stuart wrote: > On Thu, 2006-03-02 at 14:51 +0100, Markus Schulz wrote: > > > Why you don't use the existing overhead parameter? It's useless > > > to have two parameters which do the exact same thing (existing > > > overhead and your atm). > > > Only ATM Cell alignment must be added to rate table calculation. > > The overhead and atm options don't do the "exact same > thing". If the atm option is present, tc includes the > atm cell alignment overheads in the rate table > calculation. Otherwise it doesn't. Yes, I know the difference in overhead from AAL5/LLC/pppoe stuff and ATM Cell alignment. > As atm cell overheads aren't a fixed amount (they vary > in a non-linear fashion between 6 and 202 bytes), you > can't use the overhead option to calculate them. > > > But it would be nice if this would be patched into upstream iproute > > source. Then there is no need of patching for qos at adsl links. > > Yes. > > After posting my patch I went away and had a think, > and realised that because of rounding issues my > calculation of atm cell overhead would be wrong in > some cases. The only fix I could think of was to > modify the kernel. I have thought again about this topic and wrote a test program for rate table calculations. But until now without luck (see my other posting on lartc). It would be nice to do it without kernel patching. > I was not aware of Jesper's adsl-optimiser patches > until you pointed them out just now. Having looked > at them two things stand out: > > a.
Jesper had already come across the rate calculation > problem and had solved it. His solution and my > intended solution are the same. > > The problem is caused by the scaling of the packet > size prior to looking up the rate table. The > easy solution is to add the overhead in the kernel, > rather than having tc include the overhead in the > pre-calculated rate table. This is what Jesper's > kernel patch does. Yes, and it's not (my|the) preferred way. Are you sure it can't be done with a static rate table? > > (The rate table is indexed by packet size, and > returns the amount of time required to send a packet > of that size. It is a fixed size table of 256 > entries (0..255). Since packets can be bigger than > 255 bytes long, the packet size is first scaled so > it will fit into the 0..255 range. Scaling is > achieved by dividing the packet size by a power of 2 > (ie 1, 2, 4, 8, etc). A scale factor of 8 handles > packet sizes of 1024..2047, so this is what most > links end up using.) > > If you don't patch the kernel, the rate calculated by > the kernel will be wrong around 10% of the time (as > opposed to very nearly 100% of the time if you don't > use the patch at all). The rate table difference varies with different overhead parameters. You can try it with my program (see my other lartc posting). But I think it must be possible to compensate this. But I can't see my fault. > 2. Jesper didn't make including the atm cell overhead > optional - so it is included for all links, whether > they use atm or not. Thus he doesn't have an "atm" > parameter. This means it isn't general purpose, and > could not be distributed as part of the standard tc > package. Yes, that's important. But it would be better if we have this as boolean option rather than a second overhead argument. Add a boolean option for cell alignment and use existing overhead parameter for aal5/ppp/pppoe/llc stuff.
> In any case, apart from those two relatively minor > differences the two patches are the identical in what > they achieve and how they do it. Yes, except the slightly different rate tables you (and I) mentioned above. > Personally, I didn't care much about any of this > before VOIP because when it is all said and done, the > 3% error you get for large packet sizes is easily > accounted for by just adjusting the rate accordingly. If we could do it better, we should do it :) > That doesn't work when the error rate rises to 40%, as > it does for VOIP. As VOIP is going to become a > significant part of internet traffic in the not too > distant future, I think it is time to consider including > some combination of these patches into the main line. 100% agree. -- Markus Schulz This is Linux Land- In silent nights you can hear the windows machines rebooting From russell-lartc at stuart.id.au Fri Mar 3 02:54:52 2006
From: russell-lartc at stuart.id.au (Russell Stuart) Date: Fri Mar 3 02:55:05 2006 Subject: [LARTC] Patch to allow for the ATM "cell tax" In-Reply-To: <200603030223.09545.msc@antzsystem.de> References: <1141284603.10264.168.camel@ras.pc.brisbane.lube> <44071415.2090506@dsl.pipex.com> <1141329299.10677.26.camel@heliosphan.kernelpanic.co.uk> <200603030223.09545.msc@antzsystem.de> Message-ID: <1141350892.10264.366.camel@ras.pc.brisbane.lube> On Fri, 2006-03-03 at 02:23 +0100, Markus Schulz wrote: > The second rate table is 100% equivalent to realtime calc. But the > static version differs for some ip-length values from it. And i don't > understand why. > Perhaps someone can point me to the difference? > The program is only for testing rate tables calculations. > > It would be nice to do it without a htb or other qdisc module patch. And > i think it should be possible :) It is not possible. The basic operation performed by the kernel is, in pseudo code:
time_to_send_packet = rate_table[packet_length(packet)]
However, rate_table is always exactly 256 entries long. An MTU is around 1500 bytes, so for a large packet this would index past the end of the table. This means the packet length must be scaled back to a value that fits within 0..255. Divisions are not allowed within the kernel, so the scaling is done using a right shift. In effect, for typical MTU's, the packet_length is divided by 8. That is, 8 is the multiple of two (ie 8 = 2^N) such that (1500 / 8 < 256). So the rate table really looks like this:
packet_length  0..7  = rate_table[0]
packet_length  8..15 = rate_table[1]
packet_length 16..23 = rate_table[2]
packet_length 24..31 = rate_table[3]
packet_length 32..39 = rate_table[4]
packet_length 40..47 = rate_table[5]
packet_length 48..55 = rate_table[6]
:
Now by pure luck, this works with an ATM cell, if we know the packet length accurately. It works because the boundary 40..47/48..55 is exactly where we want it to be - on a cell boundary.
This is because 48 is evenly divisible by 16, and so our luck would continue up to MTUs of 4095 (= 256 * 16 - 1). Now consider what happens if we include an overhead the kernel doesn't know about. Let's say 2 bytes. Now our rate table looks like this:

    packet_length  2..9  = rate_table[0]
    packet_length 10..17 = rate_table[1]
    packet_length 18..25 = rate_table[2]
    packet_length 26..33 = rate_table[3]
    packet_length 34..41 = rate_table[4]
    packet_length 42..49 = rate_table[5]
    packet_length 50..57 = rate_table[6]
    :

Now the cell boundary occurs within a single rate table entry, 42..49. There is no way that single rate table entry can be correct for both 42..48, and 49, so it all falls in a heap. The simplest solution appears to be to make the kernel aware of the overhead. That way it can always compute the correct packet length before computing the ATM cell overhead, and we are back to the original case where the ATM payload length changed between rate table cells, and all is good again. That of course requires a patch to the kernel. But even without the patch you are still better off with having tc include the ATM cell overhead in the rate table. It will be wrong about 10% of the time (4 packet lengths in 48), as opposed to being wrong all of the time. From msc at antzsystem.de Fri Mar 3 03:23:34 2006
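The rate table argument above can be checked numerically. The following is an added example, written for this page and not code from the thread, from tc or from the kernel. It models a 256-entry rate table whose cost unit is 48-byte ATM cells, and compares what the table charges against what the link really sends for every packet length up to the MTU. The bucket convention follows what tc does when it builds a table (entry i is costed for a packet of size (i + 1) << cell_log, so bucket i serves lengths (i << cell_log) + 1 .. (i + 1) << cell_log); that is offset by one from the 0..7 / 8..15 listing in the message, but the conclusion is the same. The MTU of 1500 and the 10-byte per-packet overhead are assumptions chosen for illustration.

```python
"""Model of the 256-entry tc rate table lookup and the ATM "cell tax".

Added example: not code from the thread, from tc or from the kernel.
Costs are counted in 48-byte ATM cells; MTU and overhead are assumed values.
"""

TABLE_SIZE = 256        # a tc rate table always has exactly 256 entries
ATM_CELL_PAYLOAD = 48   # payload bytes carried by one ATM cell


def cell_log_for(max_len):
    """Smallest right shift so that every length up to max_len indexes inside the table."""
    shift = 0
    while ((max_len - 1) >> shift) >= TABLE_SIZE:
        shift += 1
    return shift


def atm_cells(length, overhead=0):
    """Cells actually sent for a packet once `overhead` bytes are added (ceiling division)."""
    return -(-(length + overhead) // ATM_CELL_PAYLOAD)


def build_rate_table(table_overhead, cell_log):
    """The table tc would write: one cost per bucket, computed for the largest
    length the bucket serves, with whatever overhead tc was told about."""
    return [atm_cells((i + 1) << cell_log, table_overhead) for i in range(TABLE_SIZE)]


def charged_cells(table, cell_log, length, kernel_overhead=0):
    """Kernel-side lookup: add the overhead the kernel knows about, then shift to index."""
    return table[(length + kernel_overhead - 1) >> cell_log]


def count_mismatches(mtu, table_overhead, kernel_overhead, real_overhead):
    """Number of packet lengths 1..mtu for which the table charges the wrong cell count.

    table_overhead:  overhead tc folded into the table when building it
    kernel_overhead: overhead the kernel adds before indexing (0 = unpatched kernel)
    real_overhead:   overhead the link really adds to every packet
    """
    cell_log = cell_log_for(mtu + kernel_overhead)
    table = build_rate_table(table_overhead, cell_log)
    return sum(
        1 for length in range(1, mtu + 1)
        if charged_cells(table, cell_log, length, kernel_overhead)
        != atm_cells(length, real_overhead)
    )


def scenarios(mtu=1500, overhead=10):
    """The cases discussed in the thread, as (label, wrong lengths out of mtu)."""
    return [
        ("no overhead anywhere",
         count_mismatches(mtu, 0, 0, 0)),
        ("link adds overhead, tc and kernel both ignore it",
         count_mismatches(mtu, 0, 0, overhead)),
        ("tc folds overhead into the table, kernel unpatched",
         count_mismatches(mtu, overhead, 0, overhead)),
        ("kernel patched to add overhead before the lookup",
         count_mismatches(mtu, 0, overhead, overhead)),
    ]


if __name__ == "__main__":
    for label, wrong in scenarios():
        print(f"{label}: {wrong}/1500 lengths charged wrong ({100 * wrong / 1500:.1f}%)")
```

With an unpatched kernel the table is wrong for every length in the buckets that straddle a cell boundary; folding the overhead into the table roughly halves that, and only adding the overhead on the kernel side before the shift brings the error to zero, which is the point made above.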
From: msc at antzsystem.de (Markus Schulz) Date: Fri Mar 3 03:23:47 2006 Subject: [LARTC] Patch to allow for the ATM "cell tax" In-Reply-To: <1141350892.10264.366.camel@ras.pc.brisbane.lube> References: <1141284603.10264.168.camel@ras.pc.brisbane.lube> <200603030223.09545.msc@antzsystem.de> <1141350892.10264.366.camel@ras.pc.brisbane.lube> Message-ID: <200603030323.34653.msc@antzsystem.de> On Friday, 3 March 2006 02:54, Russell Stuart wrote: > On Fri, 2006-03-03 at 02:23 +0100, Markus Schulz wrote: > > The second rate table is 100% equivalent to realtime calc. But the > > static version differs for some ip-length values from it. And I > > don't understand why. > > Perhaps someone can point me to the difference? > > The program is only for testing rate table calculations. > > > > It would be nice to do it without a htb or other qdisc module > > patch. And I think it should be possible :) > > It is not possible. > [.. convincing reasons ..] Okay, thanks. After writing some rate tables on paper I really understand the problem now. We need a htb patch or bigger rate tables (#==mtu) :) -- Markus Schulz A: Because it breaks the logical sequence of discussion Q: Why is top posting bad? From gentoo at databit7.com Fri Mar 3 03:27:03 2006
From: gentoo at databit7.com (gentoo@databit7.com) Date: Fri Mar 3 03:27:25 2006 Subject: [LARTC] Patch to allow for the ATM "cell tax" In-Reply-To: <44076527.9030402@dsl.pipex.com> References: <1141284603.10264.168.camel@ras.pc.brisbane.lube> <44071415.2090506@dsl.pipex.com> <1141329299.10677.26.camel@heliosphan.kernelpanic.co.uk> <44076527.9030402@dsl.pipex.com> Message-ID: On NetBSD setting the MTU also seems to set the MRU; is this the case here too? Should people have their DSLAMs configured for the same MTU? > Just remember to take 14 from your overhead if your modem is connected > via eth rather than ppp etc. This means you need to put a negative > overhead (can you?) if using pppoa/vcmux > > > > Setting the MTU to 1478 is probably a good idea to prevent excessive > > cell usage. Reasoning behind this being: 1488 is the largest multiple of > > 48 under 1500, less 2 bytes for the PPP header and 8 for the AAL5 > > footer. > > > > Perhaps you can confirm this isn't way off the mark Andy? :) > > 1478 is optimal if your overhead is 10 - I use it. > > For the pppoes I don't think you gain much as you lose tcp data > efficiency by using smaller packets. > > Andy. > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > Robin-David Hammond KB3IEN www.aresnyc.org. From luciano at lugmen.org.ar Fri Mar 3 08:40:01 2006
From: luciano at lugmen.org.ar (Luciano Ruete) Date: Fri Mar 3 08:40:10 2006 Subject: [LARTC] Software Anounce: htb frontend, for multiple hosts auto bandwidth management In-Reply-To: <200603011647.03567.luciano@lugmen.org.ar> References: <200603011647.03567.luciano@lugmen.org.ar> Message-ID: <200603030440.01363.luciano@lugmen.org.ar> On Wednesday 01 March 2006 16:47, Luciano Ruete wrote: > Hi all, I've coded htb-gen, a GPL htb frontend and much more... > > htb-gen is meant to be an easy, scalable, yet powerful, bandwidth > management tool. Ok, a brain-o on my part, let the "first public release" out without upload shaping working at all; a new version of the package is available at: http://www.freshmeat.net/projects/htb-gen/ hotlinks to the updated packages: Tarball http://www.praga.org.ar/dev/htb-gen/packages/htb-gen-0.8.3-1.tar.gz Deb http://www.praga.org.ar/dev/htb-gen/packages/htb-gen_0.8.3-1_all.deb RPM http://www.praga.org.ar/dev/htb-gen/packages/htb-gen-0.8.3-1.noarch.rpm If you have downloaded it, please update! PS: I don't mean to disturb the list every time I make a release; this was the first public release, and the first bug! :-), after this, no more messages. -- Luciano From ahasenack at terra.com.br Fri Mar 3 14:43:19 2006 From: ahasenack at terra.com.br (Andreas Hasenack) Date: Fri Mar 3 14:43:23 2006 Subject: [LARTC] Patch to allow for the ATM "cell tax" In-Reply-To: <200603021927.14012.jasonb@edseek.com> References: <1141284603.10264.168.camel@ras.pc.brisbane.lube> <200603021927.14012.jasonb@edseek.com> Message-ID: <20060303134318.GB3263@mandriva.com> On Thu, Mar 02, 2006 at 07:27:13PM -0500, Jason Boxman wrote: > Any chance something like this can be applied to q_tbf? It's been classful > for a while and I find a tbf with a prio under it works quite well for my The tbf qdisc is classful? From sorin.panca at gmail.com Fri Mar 3 16:18:15 2006
From: sorin.panca at gmail.com (Sorin Panca) Date: Fri Mar 3 16:18:37 2006 Subject: [LARTC] RE: counter-strike Message-ID: <44085E37.8080408@gmail.com> Hi list! I did this:

    2: root qdisc prio
       2:1 counter-strike
       2:2 --> 1: htb qdisc for other traffic.
       2:3 unused

The shaping occurs both on the external and the internal interfaces. ping is in this case 500 - 1200 ms. Without shaping it is between 150 and 200 ms. :( Any ideas? Would ingress qdisc help or make things worse? -------------- next part --------------

    #!/bin/sh
    EXT=eth0
    INT=eth1
    tc=`which tc`
    ipt=`which iptables`
    HWR=10240                 # total link rate (kbit)
    RNR=2048                  # share for the 1:2 subtree (kbit)
    LR=102400                 # LAN rate, used for 1:4 on the internal side
    RMC=$[ $HWR-$RNR ]        # what is left for the 1:3 subtree
    u=kbit;U=Mbit
    BURST=8k
    CBURST=15k
    LOWLATENCY="27005 27015 27016 27017 27019 27020"
    OTHER="21 22 25 80 110 443 554 995 1718 5050 5900 6667 7000 10000"
    MAN="0x1"
    ME="86.107.182.1 192.168.0.1"
    ME2="193.226.120.153"
    NET="86.107.182.0/25"

    for DEV in `echo $INT $EXT `; do
        $tc qdisc del dev $DEV root &>/dev/null
        # root prio with three bands; band 2:2 carries the htb tree
        $tc qdisc add dev $DEV root handle 2: prio
        $tc qdisc add dev $DEV parent 2:2 handle 1: htb default 21
        # if [ "$DEV" = "$EXT" ]; then
        #     $tc class add dev $DEV parent 1: classid 1:A htb prio 0 rate $HWR$u ceil $HWR$u
        # else
        #     $tc class add dev $DEV parent 1: classid 1:A htb prio 0 rate 100Mbit ceil 100Mbit
        # fi
        $tc class add dev $DEV parent 1: classid 1:2 htb prio 1 rate $[ $RNR/2 ]$u ceil $RNR$u
        $tc class add dev $DEV parent 1: classid 1:3 htb prio 2 rate $[ $RNR/2 ]$u ceil $RMC$u
        if [ "$DEV" = "$INT" ]; then
            $tc class add dev $DEV parent 1: classid 1:4 htb prio 4 rate $[ $LR-$HWR ]$u ceil $[ $LR-$HWR ]$u
        fi
        $tc class add dev $DEV parent 1:2 classid 1:20 htb prio 0 rate $[ $RNR/4 ]$u ceil $[ $RNR-200 ]$u burst $BURST cburst $CBURST
        $tc class add dev $DEV parent 1:2 classid 1:21 htb prio 1 rate 1$u ceil $[ $RNR-500 ]$u
        $tc class add dev $DEV parent 1:3 classid 1:30 htb prio 0 rate $[ $RNR/2 ]$u ceil $[ $RMC*9/10 ]$u burst $BURST cburst $CBURST
        $tc class add dev $DEV parent 1:3 classid 1:31 htb prio 1 rate 1$u ceil $[ $RMC*8/10 ]$u
        # sfq leaves under every htb leaf class
        $tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10
        $tc qdisc add dev $DEV parent 1:21 handle 21: sfq perturb 10
        $tc qdisc add dev $DEV parent 1:30 handle 30: sfq perturb 10
        $tc qdisc add dev $DEV parent 1:31 handle 31: sfq perturb 10
        if [ "$DEV" = "$INT" ]; then
            $tc qdisc add dev $DEV parent 1:4 handle 40: sfq perturb 10
        fi
        # match on destination port/source address when sending out, source port/destination address when sending in
        if [ "$DEV" = "$EXT" ]; then WAY=dport; WAY2=src; else WAY=sport; WAY2=dst; fi
        for PORT in `echo $LOWLATENCY `; do
            $tc filter add dev $DEV parent 1: protocol ip prio 0 u32 match ip $WAY $PORT 0xffff flowid 2:1
        done
        if [ "$DEV" = "$INT" ]; then
            for ADDR in `echo $ME `; do
                $tc filter add dev $DEV parent 1: protocol ip prio 6 u32 match ip src $ADDR flowid 1:4
            done
        else
            $tc filter add dev $DEV parent 1: protocol ip prio 2 u32 match ip src $ME2 flowid 1:30
        fi
        $tc filter add dev $DEV parent 1: protocol ip prio 1 u32 match ip protocol 1 0xff flowid 2:1
        for PORT in `echo $OTHER `; do
            $tc filter add dev $DEV parent 1: protocol ip prio 4 u32 match mark 1 0xffffffff match ip $WAY $PORT 0xffff flowid 1:30
            $tc filter add dev $DEV parent 1: protocol ip prio 3 u32 match ip $WAY $PORT 0xffff flowid 1:20
        done
        $tc filter add dev $DEV parent 1: protocol ip prio 6 u32 match mark 0x1 0xffffffff flowid 1:31
        $tc filter add dev $DEV parent 1: protocol ip prio 5 u32 match ip $WAY2 $NET flowid 1:21
    done

From jasonb at edseek.com Fri Mar 3 17:18:00 2006
From: jasonb at edseek.com (Jason Boxman) Date: Fri Mar 3 17:19:56 2006 Subject: [LARTC] Patch to allow for the ATM "cell tax" In-Reply-To: <20060303134318.GB3263@mandriva.com> References: <1141284603.10264.168.camel@ras.pc.brisbane.lube> <200603021927.14012.jasonb@edseek.com> <20060303134318.GB3263@mandriva.com> Message-ID: <200603031118.00804.jasonb@edseek.com> On Friday 03 March 2006 08:43, Andreas Hasenack wrote: > On Thu, Mar 02, 2006 at 07:27:13PM -0500, Jason Boxman wrote: > > Any chance something like this can be applied to q_tbf? It's been > > classful for a while and I find a tbf with a prio under it works quite > > well for my > > tbf qdisc is classfull? It has been since like 2.6.9, yes. I was as surprised as you, but I use it with a leaf prio all the time and have for a year now. -- Jason Boxman http://edseek.com/ - Linux and FOSS stuff From ahasenack at terra.com.br Fri Mar 3 17:45:18 2006 
From: ahasenack at terra.com.br (Andreas Hasenack) Date: Fri Mar 3 17:45:22 2006 Subject: [LARTC] Patch to allow for the ATM "cell tax" In-Reply-To: <200603031118.00804.jasonb@edseek.com> References: <1141284603.10264.168.camel@ras.pc.brisbane.lube> <200603021927.14012.jasonb@edseek.com> <20060303134318.GB3263@mandriva.com> <200603031118.00804.jasonb@edseek.com> Message-ID: <20060303164515.GD3263@mandriva.com> On Fri, Mar 03, 2006 at 11:18:00AM -0500, Jason Boxman wrote: > On Friday 03 March 2006 08:43, Andreas Hasenack wrote: > > On Thu, Mar 02, 2006 at 07:27:13PM -0500, Jason Boxman wrote: > > > Any chance something like this can be applied to q_tbf? It's been > > > classful for a while and I find a tbf with a prio under it works quite > > > well for my > > > > The tbf qdisc is classful? > > It has been since like 2.6.9, yes. I was as surprised as you, but I use it > with a leaf prio all the time and have for a year now. If this is correct, then the docs are really in bad shape. They are not only outdated, but just plain wrong in many cases. But tbf is still not your regular classful qdisc, or I'm misinterpreting things:

    # tc qdisc add dev eth0 handle 1: root tbf rate 300kbit burst 10k latency 10ms
    # tc class add dev eth0 classid 1:1 parent 1: tbf
    Error: Qdisc "tbf" is classless.

or

    # tc qdisc add dev eth0 handle 1: root tbf rate 300kbit burst 10k latency 10ms
    # tc class add dev eth0 classid 1:1 parent 1: prio
    Error: Qdisc "prio" is classless.

I'm using iproute2-2.6.15 and kernel-2.6.12 From Henrik at ostergaard.net Fri Mar 3 17:55:24 2006
From: Henrik at ostergaard.net (Henrik Ostergaard Madsen) Date: Fri Mar 3 17:55:30 2006 Subject: [LARTC] Multicast only working in promiscuous mode Message-ID: <4408830C.24632.1D2751@localhost> Hi, I am trying to set up a uPnP server on a Linux box (Debian Sarge Stable, kernel 2.6.8). uPnP uses multicast packets for locating servers. This does however seem to fail unless I set the relevant NIC in promiscuous mode. If I do so, it works well. I have added

    ip route add 224.0.0.0/4 dev eth0

and

    echo 1 >/proc/sys/net/ipv4/ip_forward

and the kernel is set up to enable multicast (and routing), extract from the .config of the kernel:

    #
    # Networking options
    #
    CONFIG_PACKET=y
    CONFIG_PACKET_MMAP=y
    # CONFIG_NETLINK_DEV is not set
    CONFIG_UNIX=y
    CONFIG_NET_KEY=y
    CONFIG_INET=y
    CONFIG_IP_MULTICAST=y
    CONFIG_IP_ADVANCED_ROUTER=y
    CONFIG_IP_MULTIPLE_TABLES=y
    CONFIG_IP_ROUTE_FWMARK=y
    CONFIG_IP_ROUTE_NAT=y
    CONFIG_IP_ROUTE_MULTIPATH=y
    CONFIG_IP_ROUTE_TOS=y
    CONFIG_IP_ROUTE_VERBOSE=y
    # CONFIG_IP_PNP is not set
    CONFIG_NET_IPIP=y
    CONFIG_NET_IPGRE=y
    CONFIG_NET_IPGRE_BROADCAST=y
    CONFIG_IP_MROUTE=y
    CONFIG_IP_PIMSM_V1=y
    CONFIG_IP_PIMSM_V2=y
    # CONFIG_ARPD is not set
    CONFIG_SYN_COOKIES=y
    CONFIG_INET_AH=y
    CONFIG_INET_ESP=y
    CONFIG_INET_IPCOMP=y

The server is also used as a firewall using iptables and iproute2 and thus also serves as a gateway for the uPnP clients. Something is missing, and I do not want the NIC to be in promiscuous mode permanently if it can be avoided. What do I do wrong? Regards Henrik From jasonb at edseek.com Fri Mar 3 19:45:31 2006
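The symptom above (multicast only arrives with the NIC in promiscuous mode) is what a receiver shows when it has bound the port but never joined the group. A NIC that is not promiscuous only passes multicast frames whose destination MAC is in its hardware filter, and the kernel programs that filter, and sends the IGMP membership report, when a socket joins the group with IP_ADD_MEMBERSHIP. The following is an added example, not code from the thread or from any UPnP server: it computes the MAC the NIC has to accept, builds the membership request, and opens an SSDP listener that joins the group. The group 239.255.255.250 and port 1900 are the standard SSDP values; the interface address passed to the join, and the sample M-SEARCH datagram, are constructed for the example.

```python
"""Join the UPnP/SSDP multicast group so the NIC filter, not promiscuous mode, delivers it.

Added example, not from the thread. SSDP group and port are the standard
values; the local interface address and the sample datagram are assumptions.
"""
import ipaddress
import socket

SSDP_GROUP = "239.255.255.250"   # SSDP discovery group used by UPnP
SSDP_PORT = 1900


def multicast_mac(group):
    """Ethernet MAC the NIC must accept for an IPv4 multicast group (RFC 1112):
    01:00:5e followed by the low 23 bits of the group address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % ((low23 >> 16) & 0x7F, (low23 >> 8) & 0xFF, low23 & 0xFF)


def membership_request(group, iface_ip="0.0.0.0"):
    """struct ip_mreq as passed to IP_ADD_MEMBERSHIP: the group address followed by
    the address of the local interface that should join (0.0.0.0 lets the kernel pick)."""
    return socket.inet_aton(group) + socket.inet_aton(iface_ip)


def open_ssdp_listener(iface_ip="0.0.0.0"):
    """UDP socket that receives SSDP traffic without the NIC being promiscuous."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", SSDP_PORT))
    # This is the step a bind()-only receiver is missing: the join adds the
    # group's MAC to the NIC filter and sends the IGMP membership report.
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP,
                    membership_request(SSDP_GROUP, iface_ip))
    return sock


def is_ssdp_discovery(datagram):
    """True for an SSDP M-SEARCH request, the packet type that goes missing here."""
    return datagram.startswith(b"M-SEARCH * HTTP/1.1\r\n")


# Constructed sample datagram, not a capture.
CONSTRUCTED_MSEARCH = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"MAN: \"ssdp:discover\"\r\n"
    b"MX: 2\r\n"
    b"ST: ssdp:all\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("NIC filter entry needed:", multicast_mac(SSDP_GROUP))
    sock = open_ssdp_listener()            # assumed: run on the box with the uPnP server
    data, peer = sock.recvfrom(2048)
    kind = "discovery" if is_ssdp_discovery(data) else "other"
    print(peer, kind, len(data), "bytes")
```

While the server process is running, `ip maddr show dev eth0` should list 239.255.255.250 (or the corresponding 01:00:5e:7f:ff:fa link-layer entry) for the interface; if it does not, nothing has joined the group and only promiscuous mode will let the frames through.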
From: jasonb at edseek.com (Jason Boxman) Date: Fri Mar 3 19:45:47 2006 Subject: [LARTC] Patch to allow for the ATM "cell tax" Message-ID: <59891.216.134.200.78.1141411531.squirrel@nebula.internal.foo> Andreas Hasenack said: > On Fri, Mar 03, 2006 at 11:18:00AM -0500, Jason Boxman wrote: >> On Friday 03 March 2006 08:43, Andreas Hasenack wrote: >> > On Thu, Mar 02, 2006 at 07:27:13PM -0500, Jason Boxman wrote: >> > > Any chance something like this can be applied to q_tbf? It's been classful for a while and I find a tbf with a prio under it works quite well for my >> > >> > The tbf qdisc is classful? >> >> It has been since like 2.6.9, yes. I was as surprised as you, but I use it >> with a leaf prio all the time and have for a year now. > > If this is correct, then the docs are really in bad shape. They are not only outdated, but just plain wrong in many cases. Yes. > But tbf is still not your regular classful qdisc, or I'm misinterpreting things:

    tc qdisc add dev eth0 root handle 1: tbf rate ${RATE}kbit \
        burst 1600 limit 1
    tc qdisc add dev eth0 parent 1:1 handle 2: prio bands 4
    tc qdisc add dev eth0 parent 2:1 handle 10: pfifo limit 10
    tc qdisc add dev eth0 parent 2:2 handle 20: pfifo limit 10
    tc qdisc add dev eth0 parent 2:3 handle 30: pfifo limit 10
    tc qdisc add dev eth0 parent 2:4 handle 40: tbf rate \
        $(($RATE-32))kbit burst 1600 limit 1
    tc qdisc add dev eth0 parent 40:1 handle 33: sfq perturb 1

But, you're right. Classful is probably the wrong way of saying it. Perhaps I meant you can attach a different queueing discipline besides using tbf. It's more like tbf has a nested bfifo attached, which you can replace with anything you want since around 2.6.9. I guess I'm used to using prio and tbf, where you can attach various leaf qdiscs and have more leaf qdiscs attached. It's certainly not the same thing as cbq, htb, or hfsc. Oops. My bad. It's still a useful approach I find, though.
For a single user I found a prio, but limited by tbf, works quite well for my DSL connection. The ATM "cell tax" is the final barrier I'm hoping to break down soon. I've just been too lazy to mess with it. I had Ed's patch for DSL for `tc` a while ago, but I was too lazy to patch it back into recent Debian iproute packages and then rebuild. From ahasenack at terra.com.br Fri Mar 3 20:34:17 2006 
From: ahasenack at terra.com.br (Andreas Hasenack) Date: Fri Mar 3 20:34:25 2006 Subject: [LARTC] Patch to allow for the ATM "cell tax" In-Reply-To: <59891.216.134.200.78.1141411531.squirrel@nebula.internal.foo> References: <59891.216.134.200.78.1141411531.squirrel@nebula.internal.foo> Message-ID: <20060303193416.GA3364@mandriva.com> On Fri, Mar 03, 2006 at 01:45:31PM -0500, Jason Boxman wrote: > Andreas Hasenack said: > > On Fri, Mar 03, 2006 at 11:18:00AM -0500, Jason Boxman wrote: > >> On Friday 03 March 2006 08:43, Andreas Hasenack wrote: > >> > On Thu, Mar 02, 2006 at 07:27:13PM -0500, Jason Boxman wrote: > >> > > Any chance something like this can be applied to q_tbf? It's been > classful for a while and I find a tbf with a prio under it works > quite well for my > >> > > >> > tbf qdisc is classfull? > >> > >> It has been since like 2.6.9, yes. I was as surprised as you, but I use it > >> with a leaf prio all the time and have for a year now. > > > > If this is correct, then the docs are really in bad shape. They are not > only outdated, but just plain wrong in many cases. > > Yes. > > > But tbf is still not your regular classfull qdisc, or I'm missinterpreting > things: > > tc qdisc add dev eth0 root handle 1: tbf rate ${RATE}kbit \ > burst 1600 limit 1 > tc qdisc add dev eth0 parent 1:1 handle 2: prio bands 4 > tc qdisc add dev eth0 parent 2:1 handle 10: pfifo limit 10 > tc qdisc add dev eth0 parent 2:2 handle 20: pfifo limit 10 > tc qdisc add dev eth0 parent 2:3 handle 30: pfifo limit 10 > tc qdisc add dev eth0 parent 2:4 handle 40: tbf rate \ > $(($RATE-32))kbit burst 1600 limit 1 > tc qdisc add dev eth0 parent 40:1 handle 33: sfq perturb 1 > > But, you're right. Classful is probably the wrong way of saying it. > > Perhaps I meant you can attach a different queueing disipline besides using > tbf. It's more like tbf has a nested bfifo attached, which you can replace > with anything you want since around 2.6.9. 
> > I guess I'm used to using prio and tbf, where you can attach various leaf > qdiscs and have more leaf qdiscs attached. It's certainly not the same > thing as cbq, htb, or hfsc. Oops. My bad. Thanks for the example and the explanation, it was very helpful. It also means I can try new things :) From nix4me at cfl.rr.com Sat Mar 4 01:00:00 2006 From: nix4me at cfl.rr.com (nix4me) Date: Sat Mar 4 01:00:01 2006 Subject: [LARTC] my shaping rules wont work on nat box Message-ID: <4408D880.4060100@cfl.rr.com> I am currently running the following script on an internal machine to shape outbound ftp and email traffic. I am trying to move the script to my nat router (ipcop with 2 nic cards) so that it shapes the whol