[LARTC] control p2p upload bandwidth rate

Nataniel Klug nata at cnett.com.br
Wed Jan 11 02:20:27 CET 2006


Jody,

I have a script that makes connections for every user with his auth. So, in this script, I have two mark tags. Can I use this tip you gave to ro0ot? My doubt is that if I use this, every time some user logs in it will all be executed again; will that not cause me trouble?

Now I mark all packets from a client and forward them to some cbq/htb band control rules. It is working fine, but I have never tested it for a longer time...

Thanks for your cooperation.

Att,

Nataniel Klug
  ----- Original Message ----- 
  From: Jody Shumaker 
  To: lartc at mailman.ds9a.nl 
  Sent: Thursday, December 22, 2005 5:48 PM
  Subject: Re: [LARTC] control p2p upload bandwidth rate


  Seems like eth0 is your IF connected to the Internet; you need to do shaping on that for the upload.  Modifying the rates and using the same tc commands but on eth0 would likely do it.

  Also, your script is flawed: the layer7 matching for most if not all of those protocols will only match on the first packet or two. After that the data for those connections won't match. I suggest you look into using CONNMARK target/matching so you can match all of the data, not just the first few packets.

  With your setup it'd be used something along these lines:
  #before setting mark:
  #restores any saved mark
  iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
  #accepts the packet if it has a mark besides the default 0 and prevents the saved mark from being changed 
  iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT

  #use "-j MARK --set-mark #" here

  #after all the --set-mark's
  iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j CONNMARK --save-mark 
  iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT

  Without this, I'm not really sure how you were matching all packets for your download shaping.  Normally, only the first packet or two will have matching data in the TCP connection, and if you don't somehow mark the whole connection using the above, the majority of the bandwidth won't be shaped correctly. 

  - Jody



  On 12/22/05, ro0ot <ro0ot at phreaker.net> wrote:
    Hi all,

    I am running Slackware 10.1 with Kernel 2.6.14.3 includes iptables 1.3.4
    with layer 7

    My network diagram below: -
    INTERNET --- LINUX_ROUTER_FW --- PCs

    Below is my simple iptables script: - 

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    iptables -t mangle -A POSTROUTING -m layer7 --l7proto applejuice -j MARK --set-mark 1
    iptables -t mangle -A POSTROUTING -m layer7 --l7proto ares -j MARK --set-mark 1
    iptables -t mangle -A POSTROUTING -m layer7 --l7proto bittorrent -j MARK --set-mark 1
    iptables -t mangle -A POSTROUTING -m layer7 --l7proto directconnect -j MARK --set-mark 1
    iptables -t mangle -A POSTROUTING -m layer7 --l7proto edonkey -j MARK --set-mark 1
    iptables -t mangle -A POSTROUTING -m layer7 --l7proto fasttrack -j MARK --set-mark 1
    iptables -t mangle -A POSTROUTING -m layer7 --l7proto gnucleuslan -j MARK --set-mark 1
    iptables -t mangle -A POSTROUTING -m layer7 --l7proto gnutella -j MARK --set-mark 1
    iptables -t mangle -A POSTROUTING -m layer7 --l7proto napster -j MARK --set-mark 1
    iptables -t mangle -A POSTROUTING -m layer7 --l7proto openft -j MARK --set-mark 1

    Below is my simple tc script: - 

    tc qdisc del dev eth1 root
    tc qdisc add dev eth1 root handle 1: htb default 20
    tc class add dev eth1 parent 1: classid 1:1 htb rate 10240kbit ceil 10240kbit
    tc class add dev eth1 parent 1:1 classid 1:11 htb rate 32kbit ceil 512kbit
    tc filter add dev eth1 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:11
    tc qdisc add dev eth1 parent 1:11 sfq perturb 10

    I have no problem shaping the "PCs" p2p download bandwidth rate.  How 
    can I control the "PCs" p2p upload bandwidth rate?  Please help...thanks, :)

    Regards,
    ro0ot





    _______________________________________________
    LARTC mailing list
    LARTC at mailman.ds9a.nl
    http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
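
An added example, not part of the original thread: one way to combine the CONNMARK advice with upload shaping on eth0 so that the script can be re-run (for instance at every user login) without stacking duplicate rules. It only prints the commands; the chain name P2PMARK, the rates, and the use of RETURN inside a dedicated chain (instead of ACCEPT in PREROUTING) are assumptions of this example.

```shell
#!/bin/sh
# Dry-run generator: prints the commands; pipe the output to sh as root to apply.
WAN_IF=${WAN_IF:-eth0}         # Internet-facing interface (eth0 in the thread)
UP_RATE=${UP_RATE:-512kbit}    # assumed uplink rate, not from the thread
P2P_RATE=${P2P_RATE:-32kbit}   # assumed guaranteed rate for p2p uploads
P2P_CEIL=${P2P_CEIL:-128kbit}  # assumed ceiling for p2p uploads
CHAIN=P2PMARK                  # hypothetical chain name
L7PROTOS="applejuice ares bittorrent directconnect edonkey fasttrack gnucleuslan gnutella napster openft"

gen_iptables() {
    m="iptables -t mangle"
    # Create the chain on the first run, flush it on later runs, and re-add
    # the single jump rule: repeated execution leaves exactly one copy.
    echo "$m -N $CHAIN 2>/dev/null || $m -F $CHAIN"
    echo "$m -D POSTROUTING -p tcp -j $CHAIN 2>/dev/null || true"
    echo "$m -A POSTROUTING -p tcp -j $CHAIN"
    # Restore the mark saved on the connection; packets of an already
    # classified connection skip the layer7 matches entirely.
    echo "$m -A $CHAIN -j CONNMARK --restore-mark"
    echo "$m -A $CHAIN -m mark ! --mark 0 -j RETURN"
    for p in $L7PROTOS; do
        echo "$m -A $CHAIN -m layer7 --l7proto $p -j MARK --set-mark 1"
    done
    # Save a fresh mark so later packets of the connection inherit it.
    echo "$m -A $CHAIN -m mark ! --mark 0 -j CONNMARK --save-mark"
}

gen_tc() {
    # Same class layout as the eth1 script in the thread, applied to the
    # upload side; the root qdisc is deleted first so a re-run starts clean.
    echo "tc qdisc del dev $WAN_IF root 2>/dev/null || true"
    echo "tc qdisc add dev $WAN_IF root handle 1: htb default 20"
    echo "tc class add dev $WAN_IF parent 1: classid 1:1 htb rate $UP_RATE ceil $UP_RATE"
    echo "tc class add dev $WAN_IF parent 1:1 classid 1:11 htb rate $P2P_RATE ceil $P2P_CEIL"
    echo "tc filter add dev $WAN_IF protocol ip parent 1:0 prio 1 handle 1 fw classid 1:11"
    echo "tc qdisc add dev $WAN_IF parent 1:11 sfq perturb 10"
}

gen_all() { gen_iptables; gen_tc; }

gen_all
```

After applying, `iptables -t mangle -L P2PMARK -v -n` shows whether the CONNMARK counters keep growing while the layer7 counters stay low, which is the sign that whole connections, not just their first packets, are being marked.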




