From jbiscont at info.fundp.ac.be Sun Apr 2 21:39:10 2006
From: jbiscont at info.fundp.ac.be (Julien Bisconti)
Date: Sun Apr 2 21:39:09 2006
Subject: [LARTC] tc patched doesn't work with WFQ
Message-ID: <4430285E.2080306@info.fundp.ac.be>

Hi,

I was searching for a few days in this mailing list but I didn't find how to solve my tc problem. Feel free to ask me for more details if you think they are relevant.

I'm using a Gentoo 2.4.32-gentoo-r2 kernel and I'm trying to test a *weighted fair queuing* (WFQ) implementation. See http://home.sch.bme.hu/~tusi/wfq/

I patched the kernel and loaded the sch_wfq module, I patched iproute2/tc and compiled everything. I tried the command

------------
# tc qdisc add dev eth0 root handle 1:0 wfq 1 ifspped 12500000
Unknown qdisc "wfq", hence option "1" is unparsable
#
------------

The problem is that tc doesn't recognize the qdisc wfq. I tried to compile wfq as a module and into the kernel; both gave the same error message.

I also checked this:

------------
# tc qdisc add dev eth0 root handle 1:0 cbq bandwidth 100Mbit avpkt 1000 mpu 64
------------

and tc works fine!!! I really don't understand what I am doing wrong. Everything needed in the kernel is loaded, and when I compile *sch_wfq* as a module and retry the tc command above (the first one), I get the error message, and I see (with lsmod) that the module is "unused". Well, it's pretty obvious that tc didn't use it.

Any help is welcome, thank you in advance.

--
Julien BISCONTI
M.Sc. student in Computer Science, University of Namur FUNDP, Belgium
From: gypsy at iswest.com (gypsy)
Date: Mon Apr 3 02:39:09 2006
Subject: [LARTC] tc patched doesn't work with WFQ
References: <4430285E.2080306@info.fundp.ac.be>
Message-ID: <44306EA8.3467006F@iswest.com>

Julien Bisconti wrote:
> Hi,
>
> I was searching for a few days in this mailing list but I didn't find how to solve my tc problem.
> Feel free to ask me for more details if you think they are relevant.
>
> I'm using a Gentoo 2.4.32-gentoo-r2 and I'm trying to test a *weighted fair queuing* (WFQ)
> implementation. See http://home.sch.bme.hu/~tusi/wfq/
>
> I patched the kernel and loaded the sch_wfq module, I patched iproute2/tc and compiled everything.

I think you will find that the patch to iproute2 is too old. The iproute2 used to create it has a date in the year 2000 and iproute2 has changed substantially since then.

I suggest you contact the author and request a new patch.

--
gypsy
From: jbiscont at info.fundp.ac.be (Julien Bisconti)
Date: Mon Apr 3 09:26:41 2006
Subject: [LARTC] tc patched doesn't work with WFQ
In-Reply-To: <44306EA8.3467006F@iswest.com>
References: <4430285E.2080306@info.fundp.ac.be> <44306EA8.3467006F@iswest.com>
Message-ID: <4430CDD0.6090006@info.fundp.ac.be>

gypsy wrote:
> Julien Bisconti wrote:
>> Hi,
>>
>> I was searching for a few days in this mailing list but I didn't find how to solve my tc problem.
>> Feel free to ask me for more details if you think they are relevant.
>>
>> I'm using a Gentoo 2.4.32-gentoo-r2 and I'm trying to test a *weighted fair queuing* (WFQ)
>> implementation. See http://home.sch.bme.hu/~tusi/wfq/
>>
>> I patched the kernel and loaded the sch_wfq module, I patched iproute2/tc and compiled everything.
>
> I think you will find that the patch to iproute2 is too old. The
> iproute2 used to create it has a date in the year 2000 and iproute2 has
> changed substantially since then.

Thank you so MUCH!!!

> I suggest you contact the author and request a new patch.

I sent him an email but no reply so far. I think I'm going to do it by myself.

Thank you again.

Julien

> --
> gypsy

--
Julien BISCONTI
M.Sc. student in Computer Science, University of Namur FUNDP, Belgium
From: sandeep_agarwal at hotmail.com (Sandeep Agarwal)
Date: Mon Apr 3 14:47:41 2006
Subject: [LARTC] FTP problem in Load Balancing.....
Message-ID:

Hi,

Now the load balancing is working fine. Thanks to the list members. Now I am facing two problems...

1. Users are not able to download files through an FTP connection. They are using IE from their desktops as they were doing earlier, i.e. ftp://ftp.site.com, then right-click on the page and log in with the user/pass allocated to them. They are able to see the contents there, but whenever they try to download a file, a message appears saying they do not have the privileges to download. Any pointer where I am wrong?

2. In case the nexthop is down, I have to manually bring down the interface and do the required changes as suggested on the list. As my programming skills are zero, can someone send me scripts to automate this process?

Thank you
Sandeep

From: dez at otenet.gr (Dez Cadena)
Date: Mon Apr 3 15:19:17 2006
Subject: [LARTC] multiple gateways problem
In-Reply-To: <20060403100005.DAF6E40E2@outpost.ds9a.nl>
References: <20060403100005.DAF6E40E2@outpost.ds9a.nl>
Message-ID: <443120D6.6050900@otenet.gr>

I have the following situation:

I have a linux box (not in router mode) with 2 NICs and 2 gateways. I want to be able to switch gateways when one of them is "down". The tricky part is that by "down" I don't mean an unreachable gateway, but a gateway that is reachable but for some reason cannot route packets.

Any pointers would be appreciated.
From: shemminger at osdl.org (Stephen Hemminger)
Date: Mon Apr 3 19:03:56 2006
Subject: [LARTC] tc patched doesn't work with WFQ
In-Reply-To: <4430CDD0.6090006@info.fundp.ac.be>
References: <4430285E.2080306@info.fundp.ac.be> <44306EA8.3467006F@iswest.com> <4430CDD0.6090006@info.fundp.ac.be>
Message-ID: <20060403100406.0f62e47a@localhost.localdomain>

On Mon, 03 Apr 2006 09:25:04 +0200 Julien Bisconti wrote:

> gypsy wrote:
> > Julien Bisconti wrote:
> >> Hi,
> >>
> >> I was searching for a few days in this mailing list but I didn't find how to solve my tc problem.
> >> Feel free to ask me for more details if you think they are relevant.
> >>
> >> I'm using a Gentoo 2.4.32-gentoo-r2 and I'm trying to test a *weighted fair queuing* (WFQ)
> >> implementation. See http://home.sch.bme.hu/~tusi/wfq/
> >>
> >> I patched the kernel and loaded the sch_wfq module, I patched iproute2/tc and compiled everything.
> >
> > I think you will find that the patch to iproute2 is too old. The
> > iproute2 used to create it has a date in the year 2000 and iproute2 has
> > changed substantially since then.
>
> Thank you so MUCH!!!
>
> > I suggest you contact the author and request a new patch.
>
> I sent him an email but no reply so far. I think I'm going to do it by myself.
>
> Thank you again.
>
> Julien

Also, since tc supports shared libraries for additional queue disciplines, you could set it up to build a .so and put it in /usr/lib/tc. Then you wouldn't need to rebuild all of iproute2.
From: msc at antzsystem.de (Markus Schulz)
Date: Mon Apr 3 22:26:55 2006
Subject: [LARTC] FTP problem in Load Balancing.....
In-Reply-To:
References:
Message-ID: <200604032226.40543.msc@antzsystem.de>

On Monday, 3 April 2006 14:47, Sandeep Agarwal wrote:
> Hi,
>
> Now the load balancing is working fine. Thanks to the list members.
> Now I am facing two problems...
>
> 1. Users are not able to download files through an FTP connection.
> They are using IE from their desktops as they were doing earlier,
> i.e. ftp://ftp.site.com, then right-click on the page and log in
> with the user/pass allocated to them. They are able to see the
> contents there, but whenever they try to download a file, a message
> appears saying they do not have the privileges to download.
> Any pointer where I am wrong?

It seems that the ftp-data connection goes out through a different uplink than the control connection. Most ftp servers deny this (site-to-site) transfer mode.

I don't know of any available solution to this problem, except to route all ftp traffic (data and control connection) through a specific device. For this you need to select all ftp packets (iptables) and route them through one of your uplink devices (simple "ip rule add fwmark ..." stuff).

For non-PASV ftp transfer mode it would be possible to implement a patch to the ftp NAT helper module that selects the proper (i.e. the same) uplink device, taking the uplink device of the control connection into account. But so far there is no such patch that I know of.

--
Markus Schulz
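Markus's suggestion above (select the FTP packets with iptables and send them through one uplink with an fwmark rule), worked out as an added example script; it is not code from the thread. The uplink device eth1, its gateway 203.0.113.1, routing table 100 and mark 0x21 are placeholders, and the script assumes the ftp conntrack helper is available so that the data connection is tracked as RELATED to the control connection and can be selected with the iptables helper match instead of by port:

```shell
#!/bin/sh
# Added example (not from the thread): pin the FTP control connection and
# its data connections to one uplink with fwmark-based policy routing.
# Placeholders: uplink device eth1, its gateway 203.0.113.1, routing table
# 100 and mark 0x21. Requires the ftp conntrack helper so that the data
# connection (a new TCP connection to a random port in PASV mode) is
# tracked as RELATED to the control connection.

# run CMD...: execute, or only print the command when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ftp_pin_uplink DEV GATEWAY TABLE MARK
ftp_pin_uplink() {
    dev=$1; gw=$2; table=$3; mark=$4

    # ip_conntrack_ftp on 2.4/early 2.6 kernels; nf_conntrack_ftp later.
    run modprobe ip_conntrack_ftp

    # Control connection from the LAN: mark it before the routing decision.
    run iptables -t mangle -A PREROUTING -p tcp --dport 21 \
        -j MARK --set-mark "$mark"

    # Data connection: select it through the helper rather than by port,
    # because in PASV mode the server chooses the port. The helper match
    # covers every packet of the data connection, not just the first.
    run iptables -t mangle -A PREROUTING -p tcp -m helper --helper ftp \
        -j MARK --set-mark "$mark"

    # Marked packets use a table whose only route is the chosen uplink,
    # bypassing the load-balancing multipath route in the main table.
    run ip route replace default via "$gw" dev "$dev" table "$table"
    run ip rule add fwmark "$mark" lookup "$table"
    run ip route flush cache
}

# Example: DRY_RUN=1 ftp_pin_uplink eth1 203.0.113.1 100 0x21
```

The mark is set in PREROUTING because the FTP traffic is forwarded for LAN clients; FTP started on the box itself would need the same two rules in the mangle OUTPUT chain. The "ip rule add" line is not idempotent, so delete it before re-running, and on a box with several uplinks check that rp_filter on the chosen interface does not drop the replies.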
From: nata at cnett.com.br (Nataniel Klug)
Date: Mon Apr 3 22:27:56 2006
Subject: [LARTC] QoS Solution for an ISP - Need help on my build tryout
Message-ID: <44318544.7070003@cnett.com.br>

Hello all,

I am making many attempts to put a QoS solution to work at my ISP/WISP. I have this network topology:

router <> eth0.srv <> eth1.srv <> clients

I just want to make ALL http, mail, ssh and icmp traffic have preference in any instance. So, what I tried to do was this:

My link has 3096 Kbps upload and 3096 Kbps download (it is a ppp from a telecom).

I set a class (tc class) on both interfaces sending all traffic to the default class 1:20, which has prio 5. In this class I set a maximum rate of 2500 Kbps. Then I made a filter that directs all marked (with mark 40) packets to class 1:10 on both interfaces; this class has prio 1 and parent 1:0.

I have marked packets like this:

iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j MARK --set-mark 40
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j MARK --set-mark 40

I did this for every port and every protocol I want, but I could not make this QoS work fine. It is still too slow (http browsing).

Can someone help me?

Att,

Nataniel Klug

From: J.Kraaijeveld at Askesis.nl (Joost Kraaijeveld)
Date: Tue Apr 4 08:55:44 2006
Subject: [LARTC] Not routing for 1 host?
Message-ID:

Hi,

I want to stop routing for 1 particular host in my network. I thought that this would do it:

iptables -D INPUT -d aaa.bbb.ccc.ddd -j DROP
iptables -D INPUT -s aaa.bbb.ccc.ddd -j DROP

But that still shows traffic. What is the correct way to do that?

Groeten,

Joost Kraaijeveld
Askesis B.V.
Molukkenstraat 14
6524NB Nijmegen
tel: 024-3888063 / 06-51855277
fax: 024-3608416
e-mail: J.Kraaijeveld@Askesis.nl
web: www.askesis.nl
From: mv at inv.cz (Martin Volf)
Date: Tue Apr 4 09:00:42 2006
Subject: [LARTC] Not routing for 1 host?
In-Reply-To:
References:
Message-ID: <4432199B.3090607@inv.cz>

Joost Kraaijeveld wrote:
> Hi,
>
> I want to stop routing for 1 particular host in my network. I thought that this would do it:
>
> iptables -D INPUT -d aaa.bbb.ccc.ddd -j DROP
> iptables -D INPUT -s aaa.bbb.ccc.ddd -j DROP
>
> But that still shows traffic. What is the correct way to do that?

Hello,

maybe

iptables -I FORWARD -d aaa.bbb.ccc.ddd -j DROP
iptables -I FORWARD -s aaa.bbb.ccc.ddd -j DROP

Martin

From: dor at ldc.net (Dmytro O. Redchuk)
Date: Tue Apr 4 09:09:09 2006
Subject: [LARTC] Not routing for 1 host?
In-Reply-To:
References:
Message-ID: <20060404070903.GD4419@ldc.net>

On Tue, Apr 04, 2006 at 08:55:37AM +0200, Joost Kraaijeveld wrote:
> Hi,
>
> I want to stop routing for 1 particular host in my network. I thought that this would do it:
>
> iptables -D INPUT -d aaa.bbb.ccc.ddd -j DROP
> iptables -D INPUT -s aaa.bbb.ccc.ddd -j DROP
>
> But that still shows traffic. What is the correct way to do that?

If you'd like to do it this way, use FORWARD instead of INPUT. Forwarded traffic never travels the INPUT/OUTPUT chains.

The same, but better, possibly:

# iptables -I FORWARD 1 -i -s aaa.bbb.ccc.ddd -j DROP
# if host is not being NAT'ed:
iptables -I FORWARD 1 -i -d aaa.bbb.ccc.ddd -j DROP

Start with this, and read the manual :-)

(You shouldn't use `-D' above anyway.)

You could use policy routing, too, I guess.

> Groeten,
>
> Joost Kraaijeveld
> Askesis B.V.
> Molukkenstraat 14
> 6524NB Nijmegen
> tel: 024-3888063 / 06-51855277
> fax: 024-3608416
> e-mail: J.Kraaijeveld@Askesis.nl
> web: www.askesis.nl

--
  _,-=._              /|_/|
  `-.}   `=._,.-=-._.,  @ @._,
     `._ _,-.   )      _,.-'
        `    G.m-"^m`m'
Dmytro O. Redchuk
From: J.Kraaijeveld at Askesis.nl (Joost Kraaijeveld)
Date: Tue Apr 4 09:20:08 2006
Subject: [LARTC] Not routing for 1 host?
Message-ID:

lartc-bounces@mailman.ds9a.nl wrote:
> Hi,
>
> I want to stop routing for 1 particular host in my network. I
> thought that this would do it:
>
> iptables -D INPUT -d aaa.bbb.ccc.ddd -j DROP
> iptables -D INPUT -s aaa.bbb.ccc.ddd -j DROP

Ooops, silly me. Should be (as others pointed out):

iptables -A INPUT -d aaa.bbb.ccc.ddd -j DROP
iptables -A INPUT -s aaa.bbb.ccc.ddd -j DROP

BTW: I always think very hard, RTFM and search with Google before I ask a stupid question...

Groeten,

Joost Kraaijeveld
Askesis B.V.
Molukkenstraat 14
6524NB Nijmegen
tel: 024-3888063 / 06-51855277
fax: 024-3608416
e-mail: J.Kraaijeveld@Askesis.nl
web: www.askesis.nl

From: J.Kraaijeveld at Askesis.nl (Joost Kraaijeveld)
Date: Tue Apr 4 09:25:19 2006
Subject: [LARTC] Not routing for 1 host?
Message-ID:

lartc-bounces@mailman.ds9a.nl wrote:
> lartc-bounces@mailman.ds9a.nl wrote:
>> Hi,
>>
>> I want to stop routing for 1 particular host in my network. I
>> thought that this would do it:
>>
>> iptables -D INPUT -d aaa.bbb.ccc.ddd -j DROP
>> iptables -D INPUT -s aaa.bbb.ccc.ddd -j DROP
> Ooops, silly me. Should be (as others pointed out):
>
> iptables -A INPUT -d aaa.bbb.ccc.ddd -j DROP
> iptables -A INPUT -s aaa.bbb.ccc.ddd -j DROP
>
> BTW: I always think very hard, RTFM and search with Google
> before I ask a stupid question...

And I have to learn to type / copy & paste / pay attention to what I am doing:

iptables -A FORWARD -d aaa.bbb.ccc.ddd -j DROP
iptables -A FORWARD -s aaa.bbb.ccc.ddd -j DROP

Groeten,

Joost Kraaijeveld
Askesis B.V.
Molukkenstraat 14
6524NB Nijmegen
tel: 024-3888063 / 06-51855277
fax: 024-3608416
e-mail: J.Kraaijeveld@Askesis.nl
web: www.askesis.nl
From: dor at ldc.net (Dmytro O. Redchuk)
Date: Tue Apr 4 09:34:48 2006
Subject: [LARTC] Not routing for 1 host?
In-Reply-To:
References:
Message-ID: <20060404073444.GE4419@ldc.net>

On Tue, Apr 04, 2006 at 09:25:21AM +0200, Joost Kraaijeveld wrote:
> lartc-bounces@mailman.ds9a.nl wrote:
> > lartc-bounces@mailman.ds9a.nl wrote:
> >> Hi,
> >>
> >> I want to stop routing for 1 particular host in my network. I
> >> thought that this would do it:
> >>
> >> iptables -D INPUT -d aaa.bbb.ccc.ddd -j DROP
> >> iptables -D INPUT -s aaa.bbb.ccc.ddd -j DROP
> > Ooops, silly me. Should be (as others pointed out):
> >
> > iptables -A INPUT -d aaa.bbb.ccc.ddd -j DROP
> > iptables -A INPUT -s aaa.bbb.ccc.ddd -j DROP
> >
> > BTW: I always think very hard, RTFM and search with Google
> > before I ask a stupid question...
>
> And I have to learn to type / copy & paste / pay attention to what I am doing:
>
> iptables -A FORWARD -d aaa.bbb.ccc.ddd -j DROP
> iptables -A FORWARD -s aaa.bbb.ccc.ddd -j DROP

try

iptables -I FORWARD 1 ......

to make this rule the first one.

> Groeten,
>
> Joost Kraaijeveld
> Askesis B.V.
> Molukkenstraat 14
> 6524NB Nijmegen
> tel: 024-3888063 / 06-51855277
> fax: 024-3608416
> e-mail: J.Kraaijeveld@Askesis.nl
> web: www.askesis.nl

--
  _,-=._              /|_/|
  `-.}   `=._,.-=-._.,  @ @._,
     `._ _,-.   )      _,.-'
        `    G.m-"^m`m'
Dmytro O. Redchuk
From: adamt at commspeed.net (Adam M. Towarnyckyj)
Date: Tue Apr 4 19:54:27 2006
Subject: [LARTC] Problems matching by mac address
Message-ID: <48DC429CB053B64EAD91BDD1DE106A1152C021@es1.corp.commspeed.net>

Hey all,

I recently read in a prior post as well as the FAQ that packets can be limited by MAC address using the u32 filter. I attempted this and, while all the commands went through with no errors, it is not limiting at all. I'm attempting to limit all IP traffic to a specific destination MAC address (00:12:3f:05:43:7f). Here is a quick rundown of the commands I've used:

tc qdisc add dev eth1 root handle 1: prio
tc qdisc add dev eth1 parent 1:1 handle 11: pfifo
tc qdisc add dev eth1 parent 1:2 handle 12: htb
tc class add dev eth1 parent 12: classid 12:10 htb rate 128kbit
tc qdisc add dev eth1 parent 12:10 sfq quantum 1514 perturb 15
tc filter add dev eth1 protocol ip parent 12: prio 5 u32 match u16 0x0800 0xFFFF at -2 match u32 0x3f05437f 0xFFFFFF at -12 match u16 0x0012 0xFFFF at -14 flowid 12:10

eth1 is the outgoing interface on a bridge I have set up. When I download a large file through the bridge, it is still showing 7Mbit on a 10Mbit network. The weird part is, everything limits just fine if I change the filter to match by IP destination instead of MAC address destination. The only problem with this is that I require it be done by MAC address. The filter by IP I use is:

tc filter add dev eth1 protocol ip parent 12: prio 5 u32 match ip dst xxx.xxx.xxx.xxx/32 flowid 12:10

Filtering by destination IP has worked for me for months now just fine. The only problem is, I'm opening up DHCP to a pool and want to limit by destination MAC address since I can't be sure what IP someone is getting without interaction with the DHCP lease file.

Does anyone notice anything I may be doing wrong? Your help would be much appreciated. Thanks.

Adam
From: nata at cnett.com.br (Nataniel Klug)
Date: Tue Apr 4 20:00:25 2006
Subject: [LARTC] Another question (now about u32)
Message-ID: <4432B431.7070104@cnett.com.br>

Hello all,

I am trying to match some connections using u32, but when I tried this:

[root@ns1 ~]# tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32 match ip src 0/0 match ip dst 0/0 match ip sport 80 0xffff flowid 1:10
RTNETLINK answers: Invalid argument
We have an error talking to the kernel
[root@ns1 ~]#

I have these classes on device eth1:

[root@ns1 ~]# tc class show dev eth1
class htb 1:1 root rate 100Mbit ceil 100Mbit burst 18412b cburst 51587b
class htb 1:10 parent 1:1 leaf 10: prio 1 rate 3Mbit ceil 3Mbit burst 18Kb cburst 3099b
class htb 1:20 parent 1:1 leaf 20: prio 5 rate 500Kbit ceil 500Kbit burst 18Kb cburst 1849b

And these qdiscs:

[root@ns1 ~]# tc qdisc show dev eth1
qdisc htb 1: r2q 10 default 20 direct_packets_stat 10
qdisc sfq 10: parent 1:10 limit 128p quantum 1514b perturb 10sec
qdisc sfq 20: parent 1:20 limit 128p quantum 1514b perturb 10sec

I have looked into the kernel and at this parameter:

Networking > Networking Options > U32 Classifier (module)

It is enabled as a module.

Can someone help me? My box is a Fedora Core 3 using kernel 2.6.13.4.

PS.: Thanks to all the guys who answered my other question (QoS). They were very useful hints. Now I think my QoS is working almost 100% ok.

Att,

Nataniel Klug
From: ard at kwaak.net (Ard van Breemen)
Date: Tue Apr 4 20:32:53 2006
Subject: [LARTC] Possible kernel bug with routes
In-Reply-To: <4427B6E4.5020804@anduras.de>
References: <44074BCB.1000809@anduras.de> <001a01c63e36$bb42a160$32030a0a@cxt.pl> <4427B6E4.5020804@anduras.de>
Message-ID: <20060404183240.GJ1427@kwaak.net>

On Mon, Mar 27, 2006 at 11:56:52AM +0200, Sven Anders wrote:
> > ip route add 10.100.0.0/24 dev eth0 proto kernel scope link
> RTNETLINK answers: File exists

s/add/append/

> I thought they are different!?!
> Is there any difference I did not see?
> If they are not different, why does the kernel not recognize it
> (see above) and avoid the duplicate entry?

add prevents duplicates, append just adds.

> Another question:
>
> Why can't I set a route on an interface that is down?

That's by design. Use patches from linuxvirtualserver.org if you want them to exist.

> I can set an address, so why not a route?

You don't set an address... The address exists only at the moment the interface comes up. Before that you don't have the address (active in your IP stack).

> Is there a reason for that?
> As far as I understand, routing should be handled independently from
> the addresses...

Yup.

> Example:
>
> ip link set down dev eth0
> ip addr add 10.100.0.1/24 dev eth0
> ip route add 10.100.0.0/24 dev eth0 proto kernel scope link
> RTNETLINK answers: Network is down

The IP is not there yet.

ip link set up dev eth0                 # Activate interfaces
ip a add 127.0.0.1/32 dev eth0          # Bind interface to ipv4 stack
ip a add 10.100.0.1/32 dev lo           # We need a public ip on our ip stack
# Add the route to the interface with sane src ip.
ip route add 10.100.0.0/24 dev eth0 src 10.100.0.1

> PPS: Why is EVERYBODY still ignoring this e-mail after over 3 weeks?????

People are busy :-)
From: jody.shumaker at gmail.com (Jody Shumaker)
Date: Tue Apr 4 20:52:26 2006
Subject: [LARTC] Another question (now about u32)
In-Reply-To: <4432B431.7070104@cnett.com.br>
References: <4432B431.7070104@cnett.com.br>
Message-ID: <2af436490604041152i7aad9a41u6c8ea9465863b72b@mail.gmail.com>

On 4/4/06, Nataniel Klug wrote:
> Hello all,
>
> I am trying to match some connections using u32, but when I tried this:
>
> [root@ns1 ~]# tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32
> match ip src 0/0 match ip dst 0/0 match ip sport 80 0xffff flowid 1:10
> RTNETLINK answers: Invalid argument
> We have an error talking to the kernel
> [root@ns1 ~]#

Just a quick guess, but why are you bothering with this: match ip src 0/0 match ip dst 0/0

It's very likely that this is causing the invalid argument error, and it doesn't seem necessary at all. You should at least try the more simplified command:

tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32 match ip sport 80 0xffff flowid 1:10

- Jody
From: nata at cnett.com.br (Nataniel Klug)
Date: Tue Apr 4 20:59:21 2006
Subject: [LARTC] Another question (now about u32)
In-Reply-To: <2af436490604041152i7aad9a41u6c8ea9465863b72b@mail.gmail.com>
References: <4432B431.7070104@cnett.com.br> <2af436490604041152i7aad9a41u6c8ea9465863b72b@mail.gmail.com>
Message-ID: <4432C204.8030302@cnett.com.br>

Jody,

Tried, not working, same error:

[root@ns1 ~]# tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32 match ip sport 80 0xffff flowid 1:10
RTNETLINK answers: Invalid argument
We have an error talking to the kernel

Att,

Nataniel Klug

Jody Shumaker wrote:
> On 4/4/06, Nataniel Klug wrote:
>
>> Hello all,
>>
>> I am trying to match some connections using u32, but when I tried this:
>>
>> [root@ns1 ~]# tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32
>> match ip src 0/0 match ip dst 0/0 match ip sport 80 0xffff flowid 1:10
>> RTNETLINK answers: Invalid argument
>> We have an error talking to the kernel
>> [root@ns1 ~]#
>
> Just a quick guess, but why are you bothering with this: match ip src
> 0/0 match ip dst 0/0
> It's very likely that this is causing the invalid argument error, and
> it doesn't seem necessary at all. You should at least try the more
> simplified command:
> tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32 match ip
> sport 80 0xffff flowid 1:10
>
> - Jody
From: nata at cnett.com.br (Nataniel Klug)
Date: Tue Apr 4 21:07:05 2006
Subject: [LARTC] Another question (now about u32)
In-Reply-To: <4432B431.7070104@cnett.com.br>
References: <4432B431.7070104@cnett.com.br>
Message-ID: <4432C3D2.1090201@cnett.com.br>

Guys,

I tried to bring the u32 module up, but it didn't work either:

[root@ns1 sched]# ls
cls_fw.ko     cls_rsvp.ko  sch_cbq.ko     sch_gred.ko  sch_htb.ko      sch_netem.ko  sch_red.ko  sch_tbf.ko
cls_route.ko  cls_u32.ko   sch_dsmark.ko  sch_hfsc.ko  sch_ingress.ko  sch_prio.ko   sch_sfq.ko  sch_teql.ko
[root@ns1 sched]# modprobe cls_u32
[root@ns1 sched]# lsmod
Module                  Size  Used by
cls_u32                 8324  0
sch_htb                19072  2
ipt_MARK                2688  43
cls_fw                  5248  4
sch_sfq                 6016  5
sch_cbq                17536  1
iptable_mangle          3072  1
ipt_LOG                 7552  2
iptable_filter          3200  1
ipt_ipp2p               7552  0
agpgart                33632  0
i2c_viapro              8592  0
i2c_core               21504  1 i2c_viapro
8139too                30464  0
mii                     5760  1 8139too
ext3                  132232  4
mbcache                17028  1 ext3
jbd                    83736  1 ext3
[root@ns1 sched]# tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32 match ip sport 80 0xffff flowid 1:10
RTNETLINK answers: Invalid argument
We have an error talking to the kernel

Att,

Nataniel Klug

Nataniel Klug wrote:
> Hello all,
>
> I am trying to match some connections using u32, but when I tried this:
>
> [root@ns1 ~]# tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32
> match ip src 0/0 match ip dst 0/0 match ip sport 80 0xffff flowid 1:10
> RTNETLINK answers: Invalid argument
> We have an error talking to the kernel
> [root@ns1 ~]#
>
> I have these classes on device eth1:
>
> [root@ns1 ~]# tc class show dev eth1
> class htb 1:1 root rate 100Mbit ceil 100Mbit burst 18412b cburst 51587b
> class htb 1:10 parent 1:1 leaf 10: prio 1 rate 3Mbit ceil 3Mbit burst
> 18Kb cburst 3099b
> class htb 1:20 parent 1:1 leaf 20: prio 5 rate 500Kbit ceil 500Kbit
> burst 18Kb cburst 1849b
>
> And these qdiscs:
>
> [root@ns1 ~]# tc qdisc show dev eth1
> qdisc htb 1: r2q 10 default 20 direct_packets_stat 10
> qdisc sfq 10: parent 1:10 limit 128p quantum 1514b perturb 10sec
> qdisc sfq 20: parent 1:20 limit 128p quantum 1514b perturb 10sec
>
> I have looked into the kernel and at this parameter:
>
> Networking > Networking Options > U32 Classifier (module)
>
> It is enabled as a module.
>
> Can someone help me? My box is a Fedora Core 3 using kernel 2.6.13.4.
>
> PS.: Thanks to all the guys who answered my other question
> (QoS). They were very useful hints. Now I think my QoS is working almost
> 100% ok.
>
> Att,
>
> Nataniel Klug
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From: alexeyt at freeshell.org (Alexey Toptygin)
Date: Wed Apr 5 00:15:16 2006
Subject: [LARTC] Problems matching by mac address
In-Reply-To: <48DC429CB053B64EAD91BDD1DE106A1152C021@es1.corp.commspeed.net>
References: <48DC429CB053B64EAD91BDD1DE106A1152C021@es1.corp.commspeed.net>
Message-ID:

On Tue, 4 Apr 2006, Adam M. Towarnyckyj wrote:

> I recently read in a prior post as well as the FAQ that
> packets can be limited by MAC address using the u32 filter. I attempted
> this and, while all the commands went through with no errors, it is not
> limiting at all. I'm attempting to limit all IP traffic to a specific
> destination MAC address (00:12:3f:05:43:7f). Here is a quick rundown of
> the commands I've used:

Not sure that this will help, but

> tc qdisc add dev eth1 parent 1:2 handle 12: htb
> tc class add dev eth1 parent 12: classid 12:10 htb rate 128kbit

no ceil?

> tc filter add dev eth1 protocol ip parent 12: prio 5 u32 match u16
> 0x0800 0xFFFF at -2 match u32 0x3f05437f 0xFFFFFF at -12 match u16
> 0x0012 0xFFFF at -14 flowid 12:10

Shouldn't that be "match u32 0x3f05437f 0xFFFFFFFF at -12" (2 more Fs)?

Also, what you sent didn't have any rules to classify from root down to 12:, so the above filter won't be consulted...

Alexey
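The offset arithmetic behind Adam's filter and the two points in Alexey's reply (a full 32-bit mask, and a filter on the root qdisc), as an added example that is not code from the thread. It assumes Adam's qdisc tree (prio 1: with htb 12: under band 1:2 and class 12:10) and a plain untagged Ethernet header in front of the IP header; the function names mac_u32_keys and mac_limit_filters are invented here:

```shell
#!/bin/sh
# Added example (not from the thread): emit tc u32 clauses that match an
# Ethernet MAC address from a "protocol ip" filter. u32 offsets count from
# the start of the IP header, and the Ethernet header is the 14 bytes
# before it, so the addresses sit at negative offsets:
#   dst MAC  bytes -14..-9   src MAC  bytes -8..-3   EtherType  -2..-1
# Assumes an untagged Ethernet frame (a VLAN tag shifts all offsets by 4).

# mac_u32_keys dst|src MAC  -> prints the "match ... at OFF" clauses
mac_u32_keys() {
    side=$1
    hex=$(printf '%s' "$2" | sed 's/[:-]//g' | tr 'A-F' 'a-f')
    [ ${#hex} -eq 12 ] || { echo "bad MAC: $2" >&2; return 1; }
    case $side in
    dst)
        # 2 bytes as u16 at -14, then 4 bytes as u32 at -12; full masks so
        # every byte of the address is compared.
        hi=$(printf '%s' "$hex" | cut -c1-4)
        lo=$(printf '%s' "$hex" | cut -c5-12)
        printf 'match u16 0x%s 0xffff at -14 match u32 0x%s 0xffffffff at -12' "$hi" "$lo"
        ;;
    src)
        # 4 bytes as u32 at -8, then 2 bytes as u16 at -4.
        hi=$(printf '%s' "$hex" | cut -c1-8)
        lo=$(printf '%s' "$hex" | cut -c9-12)
        printf 'match u32 0x%s 0xffffffff at -8 match u16 0x%s 0xffff at -4' "$hi" "$lo"
        ;;
    *)
        echo "usage: mac_u32_keys dst|src MAC" >&2; return 1
        ;;
    esac
    # EtherType 0x0800 at -2 keeps the match to IPv4 frames.
    printf ' match u16 0x0800 0xffff at -2\n'
}

# mac_limit_filters DEV MAC -> the two tc filter commands for Adam's tree:
# steer the MAC's traffic from the root prio qdisc 1: into band 1:2 (where
# htb 12: hangs), then from 12: into the rate-limited class 12:10.
mac_limit_filters() {
    dev=$1
    keys=$(mac_u32_keys dst "$2") || return 1
    printf 'tc filter add dev %s parent 1: protocol ip prio 5 u32 %s flowid 1:2\n' "$dev" "$keys"
    printf 'tc filter add dev %s parent 12: protocol ip prio 5 u32 %s flowid 12:10\n' "$dev" "$keys"
}

# Example: mac_limit_filters eth1 00:12:3f:05:43:7f
```

The u16 clauses are written at offsets that are not 4-byte aligned (-14, -4, -2); tc rounds the offset down to the aligned word and shifts the key into the right half itself, which is why the LARTC recipes use exactly these offsets. The filter on 1: is there to make the steering explicit: prio's default priomap already sends TOS-0 traffic to band 1:2, but a filter does not depend on that.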
From: GregScott at InfraSupportEtc.com (Greg Scott) Date: Wed Apr 5 01:22:08 2006 Subject: [LARTC] Proxy ARP and UDP Message-ID: <925A849792280C4E80C5461017A4B8A206F44F@mail733.InfraSupportEtc.com> I found the problem! It was me and it was dumb... This was the network layout: 10.10.10.0/24 1.2.3.0/27 10.10.10.n internal hosts | <----+-----+--------+ +-------+------>to the Internet | | | | Proxied | | | H.323 device Firewall Router eth1 eth0 1.2.3.11 10.10.10.1 1.2.3.2 1.2.3.1 1.2.3.2 The problem was, before doing proxy ARP, my h.323 device was set up with NAT and it had a 10.nnn IP Address. The outside interface on my firewall had 1.2.3.11 as a secondary address and NATed the appropriate stuff to the H.323 device. I changed all that to use proxy ARP - but I forgot to get rid of the secondary IP Address on eth0 of the firewall. I changed all my scripts but forgot to change that IP Address in the live, running system. Woops! - Greg Scott -----Original Message----- 
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Greg Scott
Sent: Monday, February 27, 2006 6:28 AM
To: gypsy; lartc@mailman.ds9a.nl
Subject: RE: [LARTC] Proxy ARP and UDP

OK - Here is how I am running tcpdump. Not really much to tell.

In one window:

    tcpdump -i eth1 -n

And then in another window:

    tcpdump -i eth0 -n

If I were filtering anything with tcpdump I would be pretty embarrassed. :)

eth0 is the interface pointing to the Internet. eth1 is inside. For every several thousand packets that tcpdump shows me on eth1, I see maybe one or two on eth0 when running any traffic at all between the Internet and my proxy ARP'd device. Since these are conversations with a host on the other side of the Internet I should see packets flying across both interfaces. But I don't. I only see packets flying across the inside interface, except for a very small subset that I see on the outside interface.

This behavior makes no sense. How is it possible that any connection between my proxy ARP'd host and the Internet works if virtually no traffic is moving across the outside interface? The obvious answer - it isn't. Traffic must in fact be moving across the outside interface, otherwise my proxy ARP'd device would never see it. So the only possible conclusion is, the traffic must be happening someplace where tcpdump and evidently also the traffic shaping code does not see it.

Don't believe me? Try it yourself. Send a bunch of pings from somewhere across the Internet to your proxy ARP'd device and watch your outside interface. I'll bet you don't see them. But your proxy ARP'd device will see them, assuming you have some firewall rules that allow this. It will reply and the requesting host outside on the Internet will see the echo reply packets coming back. But your outside firewall interface will look dead even though the echo request/reply packets are clearly flying across it. Look for yourself if you don't believe me.

Here is my traffic shaping script. Again, pretty basic stuff - nothing fancy. And it isn't relevant to my issue.

    TC="/sbin/tc"

    $TC qdisc del dev $INET_IFACE root
    $TC qdisc del dev $TRUSTED1_IFACE root
    $TC qdisc del dev $DMZ_IFACE root

    $TC qdisc add dev $INET_IFACE root handle 1: prio
    # This *instantly* creates classes 1:1, 1:2, 1:3
    $TC qdisc add dev $TRUSTED1_IFACE root handle 2: prio
    # This *instantly* creates classes 2:1, 2:2, 2:3

    $TC qdisc add dev $INET_IFACE parent 1:1 handle 11: pfifo
    $TC qdisc add dev $INET_IFACE parent 1:2 handle 12: pfifo
    $TC qdisc add dev $INET_IFACE parent 1:3 handle 13: pfifo
    $TC qdisc add dev $TRUSTED1_IFACE parent 2:1 handle 21: pfifo
    $TC qdisc add dev $TRUSTED1_IFACE parent 2:2 handle 22: pfifo
    $TC qdisc add dev $TRUSTED1_IFACE parent 2:3 handle 23: pfifo

    #
    # This assigns traffic to/from $PUBLIC_VTC1_IP and $PRIVATE_VTC1_IP
    # to the highest priority band of the queue for the appropriate
    # interface, and the rest to the next-highest priority band.
    #

    # VTC1
    $TC filter add dev $INET_IFACE parent 1:0 protocol ip prio 1 u32 \
        match ip dst $PUBLIC_VTC1_IP flowid 1:1
    $TC filter add dev $INET_IFACE parent 1:0 protocol ip prio 1 u32 \
        match ip src $PUBLIC_VTC1_IP flowid 1:1

    # VTC2
    $TC filter add dev $INET_IFACE parent 1:0 protocol ip prio 1 u32 \
        match ip dst $PUBLIC_VTC2_IP flowid 1:1
    $TC filter add dev $INET_IFACE parent 1:0 protocol ip prio 1 u32 \
        match ip src $PUBLIC_VTC2_IP flowid 1:1

    # Everyone else
    $TC filter add dev $INET_IFACE parent 1:0 protocol ip prio 2 u32 \
        match ip src 0.0.0.0/0 flowid 1:2
    $TC filter add dev $TRUSTED1_IFACE parent 2:0 protocol ip prio 2 u32 \
        match ip src 0.0.0.0/0 flowid 2:2

    exit

> Greg,
>
> Please, if you want answers, provide enough information for us to help.
>
> In the absence of any shaping configuration script, it is useless to
> speculate about why you see nothing being shaped. I will say that UDP
> is not "protocol ip". Neither is ARP nor ICMP.
>
> In the absence of the parameters you are passing to tcpdump, nothing can
> be said about why you are not seeing the expected traffic on the external IF.
>
> Run 'cat /proc/net/ip_conntrack | grep udp'
>
> There is nothing wrong with your .27 kernel! I have done something
> similar to what you seem to be trying to do for years running kernels
> from 2.4.25 through .32 and never had any problem at all with proxy ARP
> (except for the mental part ;)
> --
> gypsy

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From jim.lloyd at mac.com Wed Apr 5 01:33:33 2006
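The reply above suggests looking at the firewall's connection table for UDP. The script below is an added example, not from either poster: it summarises entries in the 2.4-era /proc/net/ip_conntrack format and lists the UDP flows the firewall forwarded but never saw a reply to, which is the first thing to check when a proxy-ARP'd host appears to get no traffic back. The four conntrack entries are constructed sample data; on a real box the sample function is replaced by reading the file.

```shell
#!/bin/sh
# Added example: summarise /proc/net/ip_conntrack (2.4 kernel format).
# The entries below are constructed; replace conntrack_sample with
#   cat /proc/net/ip_conntrack
# to run it against a live firewall.

conntrack_sample() {
    cat <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=40123 dport=80 src=203.0.113.5 dst=192.168.1.10 sport=80 dport=40123 [ASSURED] use=1
udp      17 170 src=192.168.1.20 dst=203.0.113.9 sport=5060 dport=5060 src=203.0.113.9 dst=192.168.1.20 sport=5060 dport=5060 [ASSURED] use=1
udp      17 29 src=192.168.1.20 dst=203.0.113.53 sport=1024 dport=53 [UNREPLIED] src=203.0.113.53 dst=192.168.1.20 sport=53 dport=1024 use=1
icmp     1 29 src=198.51.100.7 dst=192.168.1.20 type=8 code=0 id=1234 src=192.168.1.20 dst=198.51.100.7 type=0 code=0 id=1234 use=1
EOF
}

# Number of tracked connections for one protocol name, e.g. "count_proto udp".
count_proto() {
    awk -v p="$1" '$1 == p { n++ } END { print n + 0 }'
}

# UDP flows that went out but for which nothing ever came back:
# prints "orig-src orig-dst dport" for every [UNREPLIED] udp entry.
# Only the first (original direction) tuple of each entry is read.
udp_unreplied() {
    awk '$1 == "udp" && /\[UNREPLIED\]/ {
        for (i = 4; i <= NF; i++) {
            if ($i ~ /^src=/)   s = substr($i, 5)
            if ($i ~ /^dst=/)   d = substr($i, 5)
            if ($i ~ /^dport=/) { p = substr($i, 7); break }
        }
        print s, d, p
    }'
}

echo "udp entries tracked: $(conntrack_sample | count_proto udp)"
echo "udp flows with no reply (src dst dport):"
conntrack_sample | udp_unreplied
```

An [ASSURED] UDP entry means packets were seen in both directions through the firewall; an [UNREPLIED] one means the outbound packet was forwarded and the answer never came back through this box, which narrows the search to the return path rather than to the shaper.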
From: jim.lloyd at mac.com (Jim Lloyd)
Date: Wed Apr 5 01:33:39 2006
Subject: [LARTC] Request for guidance

Hello all,

I have leased 1/3rd of a rack (14U space) in a top notch data center. I'll be racking a layer 2 managed switch (a Dell PowerConnect 5224), four of my own servers (1U Opteron servers, single socket, dual core, dual NIC), as well as 2 servers for 2 friends who will be subleasing from me. The package includes 6Mbps of bandwidth, burstable to 100Mbps. Bandwidth is tracked with 5-min samples, and as long as my 95th percentile is less than 6Mbps each month, there is no extra charge for bandwidth.

I would like to use tc bandwidth shaping so that I can

1) ensure that I never have to pay for extra bandwidth in any month
2) be able to guarantee all servers a predefined minimum slice of bandwidth

I am a software engineer and have only in the last couple of years acquired some spotty knowledge of advanced networking concepts. I have been poring over available documentation the last several days and it is very clear that I can satisfy my minimum requirements quite easily. However, it's also clear that there is the potential for me to do some very fancy things that might be too fancy for my own good. So, I am looking for a little guidance from some experts willing to steer me in the right direction.

For example, I have a choice between setting up one server as either a router or a bridge. The bridge approach seems quite interesting/powerful, but I wonder if it would introduce unnecessary complexity that I would later regret. So far, it seems like the main advantage of a bridge is that if it has problems, I can easily bypass it. Otherwise, there is just the coolness factor of having a transparent firewall.

I may want to carve up the /25 network assigned to me by the data center into some smaller networks (a /28 network for each of my friends, a /26 network for me), each with their own VLAN, so that with one firewall I can protect all servers from external attacks, but also protect my subleasers from each other. I can probably get my host to carve up the /25 network for me. If not, then I am forced to be a router. At first I thought this precluded configuring as a bridge, but now I see that I can configure a server as both a router and a bridge. I have a strong suspicion that is too fancy for my own good.

One question I have is not so much about linux routing & traffic control, but instead a question about VLANs. If I configure a server as a bridge, it needs to be logically between the data center's upstream router and my layer 2 switch. I can of course do that by instructing the datacenter to do the physical cabling that way. However, if I understand VLANs correctly, I can also just instruct the datacenter to cable everything to my switch. I would then make a two-port VLAN between the upstream router and the external interface of my bridge, and should get the same effect. Is that correct?

The following are two things I am interested in trying to do in the future (if possible), but should probably wait to do until I have had some experience with a simpler configuration, but I would like to mention now anyway. One reason is that if I don't do them now, I can't test them while I still have the servers in my possession, where I can most easily recover from mistakes. How risky will it be to make changes like the following to the setup remotely, if I want to minimize the chance of paying a sysadmin at the datacenter $100/hour to help me recover from a mistake?

It is possible that I will run some p2p service from one or more servers. If so, there may be as much of a need to control inbound bandwidth as there is to control outbound bandwidth. I understand that one can't do shaping on ingress. From the documentation I have seen so far, I haven't seen a clear example of controlling inbound bandwidth to a bridge via an egress qdisc on the internal interface. If I do that, should I use RED for that purpose?

Finally, there is one thing that it would be nice to be able to do in the future, which is to try to do my bandwidth shaping based on the 5-min samples and 95th percentile measurements, and ideally understand the monthly billing cycle. Suppose that without bandwidth shaping my 95%-ile for one month would be 10Mbps or more. Is there a way to do bandwidth shaping so that I can allow 4.5% of my traffic in a month to be unmodified, but still have my 95%-ile be just under the 6Mbps limit?

FYI, I'll most likely be running Fedora Core 5, x86_64 on my servers, including the one that serves as the firewall/(router|bridge), unless someone here has good reason to steer me to a different configuration.

Thanks in advance for any guidance. I plan to write up my configuration and lessons learned and will of course give credit in that write-up to all that contribute.

Jim

p.s. I have room for one more server in the rack in case anyone is interested in subleasing. I'm not looking to profit from subleasing, so your share of the cost would be just a prorated share of the total cost. Contact me privately at this email address if interested.

From nata at cnett.com.br Wed Apr 5 14:03:30 2006
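The last question in the post above is really arithmetic on the billing rule, so here is an added example (not part of the post) that carries it through: 95th-percentile billing on 5-minute samples discards the top 5% of the month's samples, which fixes how many intervals may run unshaped. The 30-day month and the sample values are constructed.

```shell
#!/bin/sh
# Added example: what a 95th-percentile bill on 5-minute samples means
# for a shaper.  Month length and sample values below are constructed.

# Number of 5-minute samples collected in DAYS days.
samples_per_month() {
    echo $(( $1 * 24 * 60 / 5 ))
}

# Samples the 95th-percentile rule throws away (the top 5%): the number of
# 5-minute intervals per month that may exceed the shaping rate for free.
burst_samples() {
    echo $(( $1 / 20 ))
}

# The same budget in hours.
burst_hours() {
    echo $(( $1 / 20 * 5 / 60 ))
}

# Emit COUNT samples of VALUE Mbps, one per line (constructed input).
samples() {
    awk -v v="$1" -v n="$2" 'BEGIN { for (i = 0; i < n; i++) print v }'
}

# 95th percentile of the Mbps samples read on stdin, computed the way
# providers usually do: sort, discard the top 5%, take the highest survivor.
p95() {
    sort -n | awk '
        { v[NR] = $1 }
        END {
            keep = NR - int(NR / 20)   # index of the highest surviving sample
            print v[keep]
        }'
}

total=$(samples_per_month 30)
echo "30-day month: $total samples, $(burst_samples "$total") may burst ($(burst_hours "$total") hours)"

# 95 samples shaped to 4 Mbps plus 5 unshaped bursts at 30 Mbps bill at 4 Mbps;
# one more burst and the billed figure jumps to 30 Mbps.
echo "5 bursts in 100: billed at $({ samples 4 95; samples 30 5; } | p95) Mbps"
echo "6 bursts in 100: billed at $({ samples 4 94; samples 30 6; } | p95) Mbps"
```

The practical consequence is that a shaper alone cannot exploit the free 5%; something has to count the 5-minute intervals already used this billing month and only lift the limit while the count is below the budget, because the sixth burst above the budget is what moves the bill.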
From: nata at cnett.com.br (Nataniel Klug) Date: Wed Apr 5 14:03:38 2006 Subject: [LARTC] Configuration of my QoS ruleset (now working fine with u32 classifier) Message-ID: <4433B212.9010002@cnett.com.br> Hello all, As I have promised I am sending my QoS rules. This now works fine with u32 classifier (and parent 1:0 that I could not understand why it did not worked well before). Att, Nataniel Klug ------------------------ #!/bin/sh #------ # Script de QoS Cyber Nett #------ # Nataniel Klug # suporte@cnett.com.br #------ TC="/sbin/tc" IPT="/usr/local/sbin/iptables" DL="eth1" #------ # Apagando regras antigas de QoS #------ $TC qdisc del dev $DL root 2> /dev/null > /dev/null $TC qdisc del dev $DL ingress 2> /dev/null > /dev/null #------ # Regras para a placa eth1 #------ $TC qdisc add dev $DL root handle 1: htb default 40 CLASS="/sbin/tc class add dev $DL parent" $CLASS 1: classid 1:1 htb rate 3096Kbit $CLASS 1:1 classid 1:10 htb rate 2048Kbit ceil 3096Kbit $CLASS 1:1 classid 1:20 htb rate 1024Kbit ceil 3096Kbit $CLASS 1:1 classid 1:30 htb rate 1024Kbit ceil 2048Kbit $CLASS 1:1 classid 1:40 htb rate 512Kbit ceil 2048Kbit QDISC="/sbin/tc qdisc add dev $DL parent" $QDISC 1:10 handle 10: sfq perturb 10 $QDISC 1:20 handle 20: sfq perturb 10 $QDISC 1:30 handle 30: sfq perturb 10 $QDISC 1:40 handle 40: sfq perturb 10 FILTER="/sbin/tc filter add dev $DL parent 1:0 protocol ip prio 1 u32" #---- # Regras com maior prioridade # APENAS NAVEGACAO E PING #---- $FILTER match ip sport 80 0xffff flowid 1:10 $FILTER match ip sport 443 0xffff flowid 1:10 $FILTER match ip sport 3128 0xffff flowid 1:10 $FILTER match ip protocol 1 0xff flowid 1:10 #---- # Regra especial para o conteudo # ns2.cnett.com.br #---- $FILTER match ip src 200.163.208.4/32 flowid 1:10 $FILTER match ip src 200.163.208.5/32 flowid 1:10 #---- # Regras com prioridade mediana # DNS, SSH, Telnet #---- $FILTER match ip sport 22 0xffff flowid 1:20 $FILTER match ip sport 23 0xffff flowid 1:20 $FILTER match ip sport 53 
0xffff flowid 1:20 $FILTER match ip sport 2202 0xffff flowid 1:20 #---- # Regras com prioridade baixa # Mail #---- $FILTER match ip sport 25 0xffff flowid 1:30 $FILTER match ip sport 110 0xffff flowid 1:30 From colomboe at msec.it Wed Apr 5 15:18:06 2006 From: colomboe at msec.it (Emanuele Colombo) Date: Wed Apr 5 15:18:06 2006 Subject: [LARTC] Tocken Bucket with priority? Message-ID: Hi. I'm trying to get a traffic shaper like this: ------ VoIP pkts --> | |_| ------ \ | ---O -> ------ / Data pkts --> | ------ In this shaper voip packets are in a different queue than any other kind of packet. I want a data packet to be served only when no packets are in the voip queue (when voip queue is empty). Furthermore the total traffic that leaves this shaper needs to be limited to a specific (and precise) value of bandwidth, like a token bucket. I can't use something like this (PRIO + TBF) because in this way when "data congestion" happens, voip packets may be lost too(packet drop appens on the TBF queue): ------ VoIP pkts --> | |_| ------ \ ----- | O ---> |---O -> ------ / ----- Data pkts --> | ------ I also can't use HTB because it doesn't provide a priority mechanism like my needs, and CBQ because his bandwidth limiting algorithm isn't very precise (according to the documentation). How can I solve this problem using tc qdiscs? Thanks -- Emanuele -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060405/31dc1c9d/attachment.html From ahasenack at terra.com.br Wed Apr 5 15:24:20 2006 
From: ahasenack at terra.com.br (Andreas Hasenack)
Date: Wed Apr 5 15:24:22 2006
Subject: [LARTC] Tocken Bucket with priority?
Message-ID: <20060405132419.GH3839@mandriva.com>

On Wed, Apr 05, 2006 at 03:18:06PM +0200, Emanuele Colombo wrote:
> Hi. I'm trying to get a traffic shaper like this:
>
>                   ------
>     VoIP pkts --> |      |_|
>                   ------    \   |
>                              ---O ->
>                   ------    /
>     Data pkts --> |      |
>                   ------
>
> In this shaper voip packets are in a different queue than any other kind of
> packet. I want a data packet to be served only when no packets are in the
> voip queue (when voip queue is empty).
> Furthermore the total traffic that leaves this shaper needs to be limited to
> a specific (and precise) value of bandwidth, like a token bucket.
>
> I can't use something like this (PRIO + TBF) because in this way when "data
> congestion" happens, voip packets may be lost too (packet drop happens on the
> TBF queue):
>
>                   ------
>     VoIP pkts --> |      |_|
>                   ------    \   -----  |
>                              | O ---> |---O ->
>                   ------    /   -----
>     Data pkts --> |      |
>                   ------
>
> I also can't use HTB because it doesn't provide a priority mechanism like my
> needs, and CBQ because its bandwidth limiting algorithm isn't very precise
> (according to the documentation).

What about using HTB and *then* using PRIO as its leaf class? You would use HTB only to shape.

From colomboe at msec.it Wed Apr 5 16:41:26 2006
From: colomboe at msec.it (Emanuele Colombo)
Date: Wed Apr 5 16:41:27 2006
Subject: [LARTC] Tocken Bucket with priority?
In-Reply-To: <20060405132419.GH3839@mandriva.com>
References: <20060405132419.GH3839@mandriva.com>

> What about using HTB and *then* using PRIO as its leaf class? You would
> use HTB only to shape.

Thanks, it could be a good idea! I'll try this as soon as possible.

Thanks!
--
Emanuele

From nata at cnett.com.br Wed Apr 5 20:30:46 2006
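The suggestion in the exchange above, HTB at the root purely to limit the total rate and PRIO underneath it for strict VoIP-before-data ordering, written out as an added example. This is not either poster's configuration: the interface, the rate and the VoIP UDP port (5060) are assumed values, and the script defaults to a dry run that prints the tc commands instead of applying them.

```shell
#!/bin/sh
# Added example: HTB (shaping only) with a PRIO leaf (ordering only).
# Interface, rate and VoIP port are assumed; nothing here is from the thread.

TC="${TC:-/sbin/tc}"

# build_shaper DEV RATE VOIP_UDP_PORT
build_shaper() {
    dev=$1; rate=$2; voip=$3

    # Start from a clean slate (ignore the error if nothing is attached yet).
    $TC qdisc del dev "$dev" root 2>/dev/null || true

    # A single HTB class with rate == ceil is a precise limiter, like a token
    # bucket; "default 10" sends every packet through that class.
    $TC qdisc add dev "$dev" root handle 1: htb default 10
    $TC class add dev "$dev" parent 1: classid 1:10 htb rate "$rate" ceil "$rate"

    # PRIO as the leaf: band 0 (class 10:1) is always dequeued before band 1
    # (class 10:2).  The priomap puts everything in band 1 unless a filter
    # says otherwise.  HTB throttles the leaf instead of dropping, so data
    # backlog cannot cause VoIP loss the way a TBF in front of the queue would.
    $TC qdisc add dev "$dev" parent 1:10 handle 10: prio bands 2 \
        priomap 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1

    # VoIP is recognised by UDP port in either direction and goes to band 0.
    $TC filter add dev "$dev" parent 10: protocol ip prio 1 u32 \
        match ip protocol 17 0xff match ip dport "$voip" 0xffff flowid 10:1
    $TC filter add dev "$dev" parent 10: protocol ip prio 1 u32 \
        match ip protocol 17 0xff match ip sport "$voip" 0xffff flowid 10:1
}

# Dry run: print the tc commands instead of executing them.
dry_run() (
    TC=echo
    build_shaper "$@"
)

dry_run eth0 2mbit 5060
```

To apply it for real, call `build_shaper` directly as root with the real interface and rate. If the strict ordering looks coarse on a busy link, the HTB class's `burst` and `cburst` (bytes the class may send in one go) are the knobs to shrink; what sits below the qdisc, the driver's transmit ring, still queues a few packets that no qdisc can reorder.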
From: nata at cnett.com.br (Nataniel Klug)
Date: Wed Apr 5 20:30:54 2006
Subject: [LARTC] QoS - Ping problem
Message-ID: <44340CD6.1030907@cnett.com.br>

Hello all,

I have set up my QoS solution and now I am facing a little problem... When I ping my server it has some lost packets:

    Estatísticas do Ping para 172.30.0.1:
        Pacotes: SENDED = 1029, RETURNED = 880, LOST = 149 (14% de perda),
    Aproximar um número redondo de vezes em milissegundos:
        Mínimo = 0ms, Máximo = 686ms, Média = 105ms

If I disable my QoS the ping stats are ok. I have even tried to make a filter for the ICMP protocol (using u32 as it is written in the LARTC how-to) but it did not work. How can I solve this problem?

------------------------------------------------------------------------

    #!/bin/sh
    #------
    # Cyber Nett QoS script
    #------
    # Nataniel Klug
    # suporte@cnett.com.br
    #------
    TC="/sbin/tc"
    IPT="/usr/local/sbin/iptables"

    $IPT -t mangle -X
    $IPT -t mangle -F

    DL="eth1"

    #------
    # Deleting the old QoS rules
    #------
    $TC qdisc del dev $DL root 2> /dev/null > /dev/null
    $TC qdisc del dev $DL ingress 2> /dev/null > /dev/null

    #------
    # Rules for the eth1 card
    #------
    $TC qdisc add dev $DL root handle 1: htb default 50

    CLASS="/sbin/tc class add dev $DL parent"
    $CLASS 1: classid 1:1 htb rate 3072Kbit
    $CLASS 1:1 classid 1:10 htb rate 1024Kbit ceil 1024Kbit
    $CLASS 1:1 classid 1:20 htb rate 1536Kbit ceil 2560Kbit
    $CLASS 1:1 classid 1:30 htb rate 512Kbit ceil 1024Kbit
    $CLASS 1:1 classid 1:40 htb rate 512Kbit ceil 1024Kbit
    $CLASS 1:1 classid 1:50 htb rate 512Kbit ceil 1024Kbit

    QDISC="/sbin/tc qdisc add dev $DL parent"
    $QDISC 1:10 handle 10: sfq perturb 10
    $QDISC 1:20 handle 20: sfq perturb 10
    $QDISC 1:30 handle 30: sfq perturb 10
    $QDISC 1:40 handle 40: sfq perturb 10
    $QDISC 1:50 handle 50: sfq perturb 10

    FILTER="/sbin/tc filter add dev $DL parent 1:0 protocol ip prio 1 u32"
    $FILTER match ip sport 22 0xffff flowid 1:10
    $FILTER match ip sport 23 0xffff flowid 1:10
    $FILTER match ip sport 2202 0xffff flowid 1:10
    $FILTER match ip sport 80 0xffff flowid 1:20
    $FILTER match ip sport 443 0xffff flowid 1:20
    $FILTER match ip sport 3128 0xffff flowid 1:20
    $FILTER match ip sport 53 0xffff flowid 1:30
    $FILTER match ip sport 25 0xffff flowid 1:30
    $FILTER match ip sport 110 0xffff flowid 1:30
    $FILTER match ip sport 21 0xffff flowid 1:40

From jody.shumaker at gmail.com Wed Apr 5 23:11:27 2006
From: jody.shumaker at gmail.com (Jody Shumaker)
Date: Wed Apr 5 23:11:26 2006
Subject: [LARTC] QoS - Ping problem
In-Reply-To: <44340CD6.1030907@cnett.com.br>
References: <44340CD6.1030907@cnett.com.br>
Message-ID: <2af436490604051411n66584173u7e1ca6b0f4f0c7fa@mail.gmail.com>

> CLASS="/sbin/tc class add dev $DL parent"
> $CLASS 1: classid 1:1 htb rate 3072Kbit
> $CLASS 1:1 classid 1:10 htb rate 1024Kbit ceil 1024Kbit
> $CLASS 1:1 classid 1:20 htb rate 1536Kbit ceil 2560Kbit
> $CLASS 1:1 classid 1:30 htb rate 512Kbit ceil 1024Kbit
> $CLASS 1:1 classid 1:40 htb rate 512Kbit ceil 1024Kbit
> $CLASS 1:1 classid 1:50 htb rate 512Kbit ceil 1024Kbit
>

For starters you might want to fix these rates.
1024+1536+512+512+512 != 3072

Over allocating may be causing the high number of dropped packets, and it's at least worth fixing before trying anything else. Make sure child classes' rates never add up to greater than the parent's rate, in your case 3072Kbit. Beyond that though I don't see anything obvious. You're using sfq, which is what I usually see recommended to increase the queue size and avoid dropped packets.

- Jody

From listas at slater-i.com Thu Apr 6 13:25:04 2006
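The rule in the reply above (child rates must not add up to more than the parent's rate) is easy to get wrong by hand, so here is an added checker, not part of the thread, that reads tc class lines and reports the sum per parent. It is fed the class definitions quoted in this thread plus a constructed corrected set; it assumes tc's binary prefixes (1 Mbit = 1024 Kbit) when converting units.

```shell
#!/bin/sh
# Added example: verify that HTB children do not over-allocate their parent.
# The "posted" classes are the ones quoted in this thread; the "fixed" set is
# constructed.  Unit conversion follows tc's binary prefixes (Mbit = 1024 Kbit).

posted_classes() {
    cat <<'EOF'
$CLASS 1: classid 1:1 htb rate 3072Kbit
$CLASS 1:1 classid 1:10 htb rate 1024Kbit ceil 1024Kbit
$CLASS 1:1 classid 1:20 htb rate 1536Kbit ceil 2560Kbit
$CLASS 1:1 classid 1:30 htb rate 512Kbit ceil 1024Kbit
$CLASS 1:1 classid 1:40 htb rate 512Kbit ceil 1024Kbit
$CLASS 1:1 classid 1:50 htb rate 512Kbit ceil 1024Kbit
EOF
}

fixed_classes() {
    cat <<'EOF'
$CLASS 1: classid 1:1 htb rate 3072Kbit
$CLASS 1:1 classid 1:10 htb rate 256Kbit
$CLASS 1:1 classid 1:20 htb rate 1024Kbit ceil 2048Kbit
$CLASS 1:1 classid 1:30 htb rate 512Kbit ceil 1024Kbit
$CLASS 1:1 classid 1:40 htb rate 512Kbit ceil 512Kbit
$CLASS 1:1 classid 1:50 htb rate 512Kbit ceil 512Kbit
EOF
}

# Reads tc class lines on stdin (either the "$CLASS <parent> classid ..." form
# above or full "tc class add dev X parent <p> classid ..." commands).  For
# every class that has children it prints
#     parent <id> rate <Kbit> children <Kbit> OK|OVER
# and exits 1 if any parent is over-allocated.
check_htb_rates() {
    awk '
    function to_kbit(s,    n) {
        n = s + 0                          # numeric prefix of e.g. "1536Kbit"
        if (s ~ /[Mm]bit$/) return n * 1024
        if (s ~ /[Kk]bit$/) return n
        return n / 1024                    # "bit" suffix or a bare number: bits/s
    }
    {
        cid = ""; pid = ""; rate = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "classid") { cid = $(i + 1); pid = $(i - 1) }
            if ($i == "rate")    { rate = to_kbit($(i + 1)) }
        }
        if (cid == "") next
        crate[cid] = rate
        child_sum[pid] += rate
    }
    END {
        over = 0
        for (p in child_sum) {
            if (!(p in crate)) continue    # parent is the root qdisc itself
            status = (child_sum[p] <= crate[p]) ? "OK" : "OVER"
            if (status == "OVER") over = 1
            printf "parent %s rate %dKbit children %dKbit %s\n", p, crate[p], child_sum[p], status
        }
        exit over
    }'
}

echo "as posted:"
posted_classes | check_htb_rates || echo "-> lower the child rates before tuning anything else"
echo "corrected:"
fixed_classes | check_htb_rates
```

Run it against a live box with `tc -s class show dev eth1` piped through a small reformat, or simply paste the `$CLASS` lines of a script as above; the exit status makes it usable as a pre-flight check before the script is applied.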
From: listas at slater-i.com (Javier Suarez)
Date: Thu Apr 6 13:27:27 2006
Subject: [LARTC] Load Balancing problem
Message-ID: <4434FA90.2040203@slater-i.com>

Hello all

I continue fighting with load balancing, I thought it was easier :-/

Here is the script with my configuration

    #!/bin/sh

    IFI=eth0
    IPI=192.168.10.155
    NMI=24

    IFE1=eth1
    IPE1=192.168.1.128
    NWE1=192.168.1.0
    NME1=24
    BRD1=192.168.1.255
    GWE1=192.168.1.1

    IFE2=eth2
    IPE2=192.168.254.128
    NWE2=192.168.254.0
    NME2=24
    BRD2=192.168.254.255
    GWE2=192.168.254.254

    ip link set $IFI up
    # the original line read "dev IFI" (missing $), which ip rejects
    ip addr add $IPI/$NMI brd + dev $IFI

    ip rule add prio 50 table main
    ip route del default table main

    ip link set $IFE1 up
    ip addr flush dev $IFE1
    ip addr add $IPE1/$NME1 brd $BRD1 dev $IFE1

    ip link set $IFE2 up
    ip addr flush dev $IFE2
    ip addr add $IPE2/$NME2 brd $BRD2 dev $IFE2

    ip rule add prio 201 from $NWE1/$NME1 table 201
    ip route add default via $GWE1 dev $IFE1 src $IPE1 proto static table 201
    ip route append prohibit default table 201 metric 1 proto static

    ip rule add prio 202 from $NWE2/$NME2 table 202
    ip route add default via $GWE2 dev $IFE2 src $IPE2 proto static table 202
    ip route append prohibit default table 202 metric 1 proto static

    ip rule add prio 222 table 222
    ip route add default table 222 proto static \
        nexthop via $GWE1 dev $IFE1 \
        nexthop via $GWE2 dev $IFE2

This is a copy/paste from the http://www.ssi.bg/~ja/nano.txt configuration

Some tests...

    root@enrutizador:~# ip rule
    0:      from all lookup local
    50:     from all lookup main
    201:    from 192.168.1.0/24 lookup 201
    202:    from 192.168.254.0/24 lookup 202
    222:    from all lookup 222
    32766:  from all lookup main
    32767:  from all lookup default

    root@enrutizador:~# ip route list table main
    192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.128
    192.168.10.0/24 dev eth0  proto kernel  scope link  src 192.168.10.155
    192.168.254.0/24 dev eth2  proto kernel  scope link  src 192.168.254.128

    root@enrutizador:~# ip route list table 201
    default via 192.168.1.1 dev eth1  proto static  src 192.168.1.128
    prohibit default  proto static  metric 1

    root@enrutizador:~# ip route list table 202
    default via 192.168.254.254 dev eth2  proto static  src 192.168.254.128
    prohibit default  proto static  metric 1

    root@enrutizador:~# ip route list table 222
    default  proto static
            nexthop via 192.168.1.1  dev eth1 weight 1
            nexthop via 192.168.254.254  dev eth2 weight 1

The problem is that load balancing isn't working :-/

    root@enrutizador:~# for x in $(seq 1 10); do ip r g 130.206.1.$x; done
    130.206.1.1 via 192.168.1.1 dev eth1  src 192.168.1.128
        cache  mtu 1500 advmss 1460 hoplimit 64
    130.206.1.2 via 192.168.1.1 dev eth1  src 192.168.1.128
        cache  mtu 1500 advmss 1460 hoplimit 64
    130.206.1.3 via 192.168.1.1 dev eth1  src 192.168.1.128
        cache  mtu 1500 advmss 1460 hoplimit 64
    130.206.1.4 via 192.168.1.1 dev eth1  src 192.168.1.128
        cache  mtu 1500 advmss 1460 hoplimit 64
    130.206.1.5 via 192.168.1.1 dev eth1  src 192.168.1.128
        cache  mtu 1500 advmss 1460 hoplimit 64
    130.206.1.6 via 192.168.1.1 dev eth1  src 192.168.1.128
        cache  mtu 1500 advmss 1460 hoplimit 64
    130.206.1.7 via 192.168.1.1 dev eth1  src 192.168.1.128
        cache  mtu 1500 advmss 1460 hoplimit 64
    130.206.1.8 via 192.168.1.1 dev eth1  src 192.168.1.128
        cache  mtu 1500 advmss 1460 hoplimit 64
    130.206.1.9 via 192.168.1.1 dev eth1  src 192.168.1.128
        cache  mtu 1500 advmss 1460 hoplimit 64
    130.206.1.10 via 192.168.1.1 dev eth1  src 192.168.1.128
        cache  mtu 1500 advmss 1460 hoplimit 64

I think everything is ok, but obviously it isn't

Thanks for your help

Javier

From ragunath_er at yahoo.com Thu Apr 6 13:31:58 2006
From: ragunath_er at yahoo.com (ragunath venkatapathy)
Date: Thu Apr 6 13:31:56 2006
Subject: [LARTC] SNMP EXTENSION
Message-ID: <20060406113158.12284.qmail@web31604.mail.mud.yahoo.com>

Hi ALL,

I am trying to use the SNMP extension of michel http://x-ray.prokon.cz/data/snmp/

I patched the snmpd daemon as mentioned in the README, but when I run

    snmpwalk -c community target enterprises.18756

I get this error:

    snmpwalk: No securityName specified (Sub-id not found: (top) -> enterprises)

Any idea?

Thanks,
venkat

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060406/676a6fda/attachment.htm

From ragunath_er at yahoo.com Thu Apr 6 14:24:10 2006
From: ragunath_er at yahoo.com (ragunath venkatapathy)
Date: Thu Apr 6 14:24:12 2006
Subject: [LARTC] SNMP EXTENSION
Message-ID: <20060406122410.41188.qmail@web31602.mail.mud.yahoo.com>

Hi All,

I found this error in /var/log/snmpd.log. Can I find a simple sample snmp.conf file?

    /usr/local/share/snmp/snmpd.conf: line 42: Error: Blank line following disk token.
    /usr/local/share/snmp/snmpd.conf: line 68: Error: Blank line following file token.
    /usr/local/share/snmp/snmpd.conf: line 69: Error: Blank line following file token.
    /usr/local/share/snmp/snmpd.conf: line 70: Error: Blank line following file token.
    /usr/local/share/snmp/snmpd.conf: line 71: Error: Blank line following file token.
    /usr/local/share/snmp/snmpd.conf: line 72: Error: Blank line following file token.
    /usr/local/share/snmp/snmpd.conf: line 73: Error: Blank line following file token.
    /usr/local/share/snmp/snmpd.conf: line 74: Error: Blank line following file token.
    /usr/local/share/snmp/snmpd.conf: line 75: Error: Blank line following file token.
    /usr/local/share/snmp/snmpd.conf: line 76: Error: Blank line following file token.
    net-snmp: 10 error(s) in config file(s)
    /usr/local/share/snmp/snmpd.conf: line 42: Error: Blank line following disk token.
    /usr/local/share/snmp/snmpd.conf: line 68: Error: Blank line following file token.
    /usr/local/share/snmp/snmpd.conf: line 69: Error: Blank line following file token.
    /usr/local/share/snmp/snmpd.conf: line 70: Error: Blank line following file token.
    /usr/local/share/snmp/snmpd.conf: line 71: Error: Blank line following file token.
    /usr/local/share/snmp/snmpd.conf: line 72: Error: Blank line following file token.
    /usr/local/share/snmp/snmpd.conf: line 73: Error: Blank line following file token.
    /usr/local/share/snmp/snmpd.conf: line 74: Error: Blank line following file token.
    /usr/local/share/snmp/snmpd.conf: line 75: Error: Blank line following file token.
    /usr/local/share/snmp/snmpd.conf: line 76: Error: Blank line following file token.
    net-snmp: 10 error(s) in config file(s)
    Warning: no access control information configured.
      It's unlikely this agent can serve any useful purpose in this state.
      Run "snmpconf -g basic_setup" to help you configure the snmpd.conf file for this agent.
    NET-SNMP version 5.1.4

thanks
venkat

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060406/a9433c45/attachment.html

From nata at cnett.com.br Thu Apr 6 15:03:21 2006
From: nata at cnett.com.br (Nataniel Klug)
Date: Thu Apr 6 15:05:15 2006
Subject: [LARTC] QoS - Ping problem
In-Reply-To: <2af436490604051411n66584173u7e1ca6b0f4f0c7fa@mail.gmail.com>
References: <44340CD6.1030907@cnett.com.br> <2af436490604051411n66584173u7e1ca6b0f4f0c7fa@mail.gmail.com>
Message-ID: <44351199.3090903@cnett.com.br>

>> CLASS="/sbin/tc class add dev $DL parent"
>> $CLASS 1: classid 1:1 htb rate 3072Kbit
>> $CLASS 1:1 classid 1:10 htb rate 1024Kbit ceil 1024Kbit
>> $CLASS 1:1 classid 1:20 htb rate 1536Kbit ceil 2560Kbit
>> $CLASS 1:1 classid 1:30 htb rate 512Kbit ceil 1024Kbit
>> $CLASS 1:1 classid 1:40 htb rate 512Kbit ceil 1024Kbit
>> $CLASS 1:1 classid 1:50 htb rate 512Kbit ceil 1024Kbit
>>
>
> For starters you might want to fix these rates.
> 1024+1536+512+512+512 != 3072
>
> Over allocating may be causing the high number of dropped packets, and
> it's at least worth fixing before trying anything else. Make sure child
> classes' rates never add up to greater than the parent's rate, in your
> case 3072Kbit. Beyond that though I don't see anything obvious. You're
> using sfq, which is what I usually see recommended to increase the queue
> size and avoid dropped packets.
>
> - Jody

Jody,

Thanks for your help. I changed the rules for the child classes and it has no effect on the ping time; my script now looks like the one at the end of this email.

Ping response:

    Estatísticas do Ping para 172.30.0.1:
        Pacotes: SENDED = 10, RECEIVED = 6, LOST = 4 (40% LOST),
    Aproximar um número redondo de vezes em milissegundos:
        Mínimo = 315ms, Máximo = 423ms, Média = 371ms

If I put this filter:

    $FILTER match ip protocol 1 0xff flowid 1:10

then I will have a very good response time from an outside world server (like pinging a big domain like www.uol.com.br), but when I try to ping my own server (the gateway of my network) it returns that big time and a big loss:

    Estatísticas do Ping para 200.221.2.45:
        Pacotes: Enviados = 4, Recebidos = 4, Perdidos = 0 (0% de perda),
    Aproximar um número redondo de vezes em milissegundos:
        Mínimo = 17ms, Máximo = 21ms, Média = 18ms

Regards,
Nataniel Klug

------------------------------------------------------------------------

    #!/bin/sh
    #------
    # Cyber Nett QoS script
    #------
    # Nataniel Klug
    # suporte@cnett.com.br
    #------
    TC="/sbin/tc"
    IPT="/usr/local/sbin/iptables"
    DL="eth1"

    #------
    # Deleting the old QoS rules
    #------
    $TC qdisc del dev $DL root 2> /dev/null > /dev/null
    $TC qdisc del dev $DL ingress 2> /dev/null > /dev/null

    #------
    # Rules for the eth1 card
    #------
    $TC qdisc add dev $DL root handle 1: htb default 50

    CLASS="/sbin/tc class add dev $DL parent"
    $CLASS 1: classid 1:1 htb rate 3072Kbit
    $CLASS 1:1 classid 1:10 htb rate 256Kbit
    $CLASS 1:1 classid 1:20 htb rate 1024Kbit ceil 2048Kbit
    $CLASS 1:1 classid 1:30 htb rate 512Kbit ceil 1024Kbit
    $CLASS 1:1 classid 1:40 htb rate 512Kbit ceil 512Kbit
    $CLASS 1:1 classid 1:50 htb rate 512Kbit ceil 512Kbit

    QDISC="/sbin/tc qdisc add dev $DL parent"
    $QDISC 1:10 handle 10: sfq perturb 10
    $QDISC 1:20 handle 20: sfq perturb 10
    $QDISC 1:30 handle 30: sfq perturb 10
    $QDISC 1:40 handle 40: sfq perturb 10
    $QDISC 1:50 handle 50: sfq perturb 10

    FILTER="/sbin/tc filter add dev $DL parent 1:0 protocol ip prio 1 u32"
    $FILTER match ip protocol 1 0xff flowid 1:10
    $FILTER match ip sport 22 0xffff flowid 1:10
    $FILTER match ip sport 23 0xffff flowid 1:10
    $FILTER match ip sport 2202 0xffff flowid 1:10
    $FILTER match ip sport 80 0xffff flowid 1:20
    $FILTER match ip sport 443 0xffff flowid 1:20
    $FILTER match ip sport 3128 0xffff flowid 1:20
    $FILTER match ip sport 53 0xffff flowid 1:30
    $FILTER match ip sport 25 0xffff flowid 1:30
    $FILTER match ip sport 110 0xffff flowid 1:30
    $FILTER match ip sport 21 0xffff flowid 1:40

From colomboe at msec.it Thu Apr 6 16:27:04 2006
From: colomboe at msec.it (Emanuele Colombo)
Date: Thu Apr 6 16:27:03 2006
Subject: [LARTC] Tocken Bucket with priority?
In-Reply-To: <20060405132419.GH3839@mandriva.com>
References: <20060405132419.GH3839@mandriva.com>

> What about using HTB and *then* using PRIO as its leaf class? You would
> use HTB only to shape.

Hi! I tried your solution and it seems to work. Yet I'm experiencing an unexpected behaviour: when I try to fill the highest priority queue (expecting the lower priority traffic to starve), I see that the higher priority queue starts to grow, while some lower priority packets are served. This means that upon congestion of the link, the shaper stops working properly and does not apply a strict priority policy.

I was wondering about the granularity of the service: in fact it may happen that, if the granularity is, say, 5 packets, the scheduler sees the higher priority queue empty, and it serves a "train" of 5 packets from the lower priority queue; while it is serving those packets, new packets arrive in the high priority queue, and have to wait until the scheduler has fully served the lower priority train.

To avoid such a behaviour, I looked for a parameter that sets the granularity, but the documentation is not that clear about it: what are the parameters that set the granularity? Is it a problem of prio or of htb?

Thanks in advance
Emanuele

From nata at cnett.com.br Thu Apr 6 18:18:27 2006
From: nata at cnett.com.br (Nataniel Klug)
Date: Thu Apr 6 18:18:35 2006
Subject: [LARTC] QoS - Ping problem
In-Reply-To: <2af436490604051411n66584173u7e1ca6b0f4f0c7fa@mail.gmail.com>
References: <44340CD6.1030907@cnett.com.br> <2af436490604051411n66584173u7e1ca6b0f4f0c7fa@mail.gmail.com>
Message-ID: <44353F53.6030401@cnett.com.br>

Jody,

I think I have found the problem. This interface uses a Realtek RTL8139D network PCI card. I have made many tests and I am thinking that this is the problem. When I sent all traffic to another network card (3Com 905-TXM) it worked fine. I will redo my concept of this whole thing.

Thanks for all the answers I have got.

Regards,
Nataniel Klug

Jody Shumaker wrote:
>> CLASS="/sbin/tc class add dev $DL parent"
>> $CLASS 1: classid 1:1 htb rate 3072Kbit
>> $CLASS 1:1 classid 1:10 htb rate 1024Kbit ceil 1024Kbit
>> $CLASS 1:1 classid 1:20 htb rate 1536Kbit ceil 2560Kbit
>> $CLASS 1:1 classid 1:30 htb rate 512Kbit ceil 1024Kbit
>> $CLASS 1:1 classid 1:40 htb rate 512Kbit ceil 1024Kbit
>> $CLASS 1:1 classid 1:50 htb rate 512Kbit ceil 1024Kbit
>>
>
> For starters you might want to fix these rates.
> 1024+1536+512+512+512 != 3072
>
> Over allocating may be causing the high number of dropped packets, and
> it's at least worth fixing before trying anything else. Make sure child
> classes' rates never add up to greater than the parent's rate, in your
> case 3072Kbit. Beyond that though I don't see anything obvious. You're
> using sfq, which is what I usually see recommended to increase the queue
> size and avoid dropped packets.
>
> - Jody

From alex at samad.com.au Fri Apr 7 00:04:18 2006
From: alex at samad.com.au (Alexander Samad)
Date: Fri Apr 7 00:04:22 2006
Subject: [LARTC] Multi default gateway and 2.4.30
Message-ID: <20060406220418.GB7764@hufpuf.lan1.hme1.samad.com.au>

Hi

I have just moved my firewall from a 2.6 debian machine to a 2.4.30 openwrt (linksys wrt54gs) box.

I originally had this working with 2 isps, 1 cable 1 adsl and dyndns.

Now that I have moved to 2.4.30 I am having problems. Everything else is working fine except when I DNAT packets from the firewall to an internal address, ie my web browser is inside so I DNAT from the external IP to the internal web server.

Now I am getting time outs. Upon investigation, what is happening is that packets are coming in, getting DNAT'ed, the web server is returning them, they get un-DNAT'ed, but a new call to the routing table is made and it seems to bypass the ip rules I have. All traffic that terminates on the external IP is okay and doesn't suffer from the problem.

I remember reading about patches for iproute and the kernel but I haven't kept up to date with those since I started using 2.6.

Am I missing a patch?

Thanks

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: Digital signature
Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20060407/287a44fc/attachment.pgp

From alex at samad.com.au Fri Apr 7 00:27:53 2006
From: alex at samad.com.au (Alexander Samad)
Date: Fri Apr 7 00:27:53 2006
Subject: [LARTC] Multi default gateway and 2.4.30
In-Reply-To: <20060406220418.GB7764@hufpuf.lan1.hme1.samad.com.au>
References: <20060406220418.GB7764@hufpuf.lan1.hme1.samad.com.au>
Message-ID: <20060406222753.GD7764@hufpuf.lan1.hme1.samad.com.au>

On Fri, Apr 07, 2006 at 08:04:18AM +1000, Alexander Samad wrote:
> Hi
>
> I have just moved my firewall from a 2.6 debian machine to a 2.4.30
> openwrt (linksys wrt54gs) box.
>
> I originally had this working with 2 isps, 1 cable 1 adsl and dyndns.
>
> Now that I have moved to 2.4.30 I am having problems. Everything else
> is working fine except when I DNAT packets from the firewall to an
> internal address, ie my web browser is inside so I DNAT from the
> external IP to the internal web server.
>
> Now I am getting time outs. Upon investigation, what is happening is that
> packets are coming in, getting DNAT'ed, the web server is returning
> them, they get un-DNAT'ed, but a new call to the routing table is made and
> it seems to bypass the ip rules I have. All traffic that
> terminates on the external IP is okay and doesn't suffer from the
> problem.
>
> I remember reading about patches for iproute and the kernel but I
> haven't kept up to date with those since I started using 2.6.
>
> Am I missing a patch?
>
> Thanks

Had another look through the archives, via google, and found a thread about 2.4.29 and the fact that the default routes shouldn't be in the main table.

I have removed the default routes and placed them in the default table and things seem to be okay now.

Is this a known problem?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: Digital signature
Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20060407/c8af91e8/attachment-0001.pgp

From alex at samad.com.au Fri Apr 7 03:33:27 2006
From: alex at samad.com.au (Alexander Samad) Date: Fri Apr 7 03:33:30 2006 Subject: [LARTC] Multi default gateway and 2.4.30 In-Reply-To: <20060406222753.GD7764@hufpuf.lan1.hme1.samad.com.au> References: <20060406220418.GB7764@hufpuf.lan1.hme1.samad.com.au> <20060406222753.GD7764@hufpuf.lan1.hme1.samad.com.au> Message-ID: <20060407013327.GE7764@hufpuf.lan1.hme1.samad.com.au> On Fri, Apr 07, 2006 at 08:27:53AM +1000, Alexander Samad wrote: > On Fri, Apr 07, 2006 at 08:04:18AM +1000, Alexander Samad wrote: > > Hi > > > > I have just moved my firewall from a 2.6 debian machine to a 2.4.30 > > openwrt (linksys wrt54gs) box. > > > > I originally had this working with 2 isp, 1 cable 1 adsl and dyndns. > > > > Now when i have moved to 2.4.30 I am having problems. Everything else > > is working fine except when I DNAT packets from the firewall to an > > internal address, ie my web browser is inside so I DNAT from the > > external IP to the internal web server. > > > > now I am getting time outs, upon investigation what is happening is that > > packets are coming in, getting DNAT'ed, the web server is returning > > them, they get un DNAT, but a new call to the routing table is made and > > it seems to bypass the ip rules I have, all traffic that > > terminates on the external IP is okay and doesn't suffer from the > > problem. > > > > I remember reading about patches for the iproute and the kernel but I > > haven't kept up to date with those since I started using 2.6 > > > > Am i missing a patch ?? > > > > Thanks > > > > > > Had another look through the archives, via google and found a thread > about 2.4.29 and the fact that the default routes shouldn't be in the > main table. > > I have removed the default routes and placed them in the default table > and things seem to be okay now. > > Is this a known problem ???? Oops bumbling fingers typed the wrong addresses in tcpdump, makes no difference. 
it is like ip ru is not being used after un natting is happening From stanislav.nedelchev at gmail.com Fri Apr 7 12:32:21 2006 
From: stanislav.nedelchev at gmail.com (Stanislav Nedelchev) Date: Fri Apr 7 12:32:46 2006 Subject: [LARTC] PRIO and u32 matching problem Message-ID: <44363FB5.3020003@gmail.com> Hi to everybody I'm trying to use PRIO qdisc to prioritize the traffic but i have a strange problem, maybe I'm missing something. First i add root qdisc like this tc qdisc add dev eth0 root handle 1: prio it's fine after this i try to match traffic by tos field but i get error invalid match tc filter add dev eth0 parent 1:0 prio 1 protocol ip u32 \ match ip tos 0x10 0xff \ match ip tos 0x12 0xff \ match ip tos 0x14 0xff \ match ip tos 0x16 0xff \ flowid 1:1 if i use it with only one match it's working like this. tc filter add dev eth0 parent 1:0 prio 1 protocol ip u32 \ match ip tos 0x10 0xff \ flowid 1:1 i match traffic by type of TOS and put it to different classes but when i get statistic of the class there is no data. What is wrong? here is the example # tc -s -d qdisc show qdisc prio 1: dev eth0 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1 Sent 30140564 bytes 42329 pkts (dropped 0, overlimits 0) qdisc prio 1: dev eth1 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1 Sent 2765825 bytes 29850 pkts (dropped 0, overlimits 0) ~# tc -s -d class show dev eth0 class prio 1:1 parent 1: Sent 0 bytes 0 pkts (dropped 0, overlimits 0) class prio 1:2 parent 1: Sent 0 bytes 0 pkts (dropped 0, overlimits 0) class prio 1:3 parent 1: Sent 0 bytes 0 pkts (dropped 0, overlimits 0) tc -s -d filter show dev eth0 filter parent 1: protocol ip pref 1 u32 filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1 filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1 (rule hit 45901 success 3595) match 00100000/00ff0000 at 0 (success 3595 ) filter parent 1: protocol ip pref 1 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 1:1 (rule hit 42306 success 0) match 00120000/00ff0000 at 0 (success 0 ) filter parent 1: protocol ip pref 1 u32 fh 800::802 order 2050 key ht 800 bkt 
0 flowid 1:1 (rule hit 42306 success 0) match 00140000/00ff0000 at 0 (success 0 ) filter parent 1: protocol ip pref 1 u32 fh 800::803 order 2051 key ht 800 bkt 0 flowid 1:1 (rule hit 42306 success 0) match 00160000/00ff0000 at 0 (success 0 ) filter parent 1: protocol ip pref 2 u32 filter parent 1: protocol ip pref 2 u32 fh 801: ht divisor 1 filter parent 1: protocol ip pref 2 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid 1:2 (rule hit 42306 success 17877) match 00000000/00ff0000 at 0 (success 17877 ) filter parent 1: protocol ip pref 2 u32 fh 801::801 order 2049 key ht 801 bkt 0 flowid 1:2 (rule hit 24429 success 0) match 00040000/00ff0000 at 0 (success 0 ) filter parent 1: protocol ip pref 2 u32 fh 801::802 order 2050 key ht 801 bkt 0 flowid 1:2 (rule hit 24427 success 0) match 00060000/00ff0000 at 0 (success 0 ) filter parent 1: protocol ip pref 2 u32 fh 801::803 order 2051 key ht 801 bkt 0 flowid 1:2 (rule hit 24426 success 0) match 00180000/00ff0000 at 0 (success 0 ) filter parent 1: protocol ip pref 2 u32 fh 801::804 order 2052 key ht 801 bkt 0 flowid 1:2 (rule hit 24424 success 0) match 001a0000/00ff0000 at 0 (success 0 ) filter parent 1: protocol ip pref 2 u32 fh 801::805 order 2053 key ht 801 bkt 0 flowid 1:2 (rule hit 24424 success 0) match 001c0000/00ff0000 at 0 (success 0 ) filter parent 1: protocol ip pref 2 u32 fh 801::806 order 2054 key ht 801 bkt 0 flowid 1:2 (rule hit 24424 success 0) match 001e0000/00ff0000 at 0 (success 0 ) filter parent 1: protocol ip pref 3 u32 filter parent 1: protocol ip pref 3 u32 fh 802: ht divisor 1 filter parent 1: protocol ip pref 3 u32 fh 802::800 order 2048 key ht 802 bkt 0 flowid 1:3 (rule hit 24424 success 0) match 00020000/00ff0000 at 0 (success 0 ) filter parent 1: protocol ip pref 3 u32 fh 802::801 order 2049 key ht 802 bkt 0 flowid 1:3 (rule hit 24424 success 0) match 00080000/00ff0000 at 0 (success 0 ) filter parent 1: protocol ip pref 3 u32 fh 802::802 order 2050 key ht 802 bkt 0 flowid 1:3 (rule hit 24424 
success 0) match 000a0000/00ff0000 at 0 (success 0 ) filter parent 1: protocol ip pref 3 u32 fh 802::803 order 2051 key ht 802 bkt 0 flowid 1:3 (rule hit 24424 success 0) match 000c0000/00ff0000 at 0 (success 0 ) filter parent 1: protocol ip pref 3 u32 fh 802::804 order 2052 key ht 802 bkt 0 flowid 1:3 (rule hit 24424 success 0) match 000e0000/00ff0000 at 0 (success 0 ) From martin-lartc at wonderfrog.net Fri Apr 7 17:13:46 2006 
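Added example for the PRIO/u32 thread above; it is not code from the original mail. The filter listing shows two things worth decoding. First, every `match` clause placed inside one u32 filter is ANDed with the others, so a single filter carrying four different `match ip tos` keys can never match: one TOS byte cannot equal 0x10 and 0x12 at the same time. Second, `match 00100000/00ff0000 at 0` is the kernel's 32-bit word form of `match ip tos 0x10 0xff`: byte 1 of the IP header is bits 16..23 of the first word. The sh functions below generate one filter per TOS value (separate filters are tried one after another, which gives the OR that was intended), evaluate a set of keys the way a single filter would, and convert a TOS value to the listed form. `TC` defaults to `echo tc`, so nothing is applied unless you set `TC=tc`.

```sh
#!/bin/sh
# Added example, not from the original thread.
# Commands are printed unless TC is set to the real binary (TC=tc).
TC=${TC:-"echo tc"}

# "match ip tos VAL 0xff" is a u8 key at byte 1 of the IP header.
# u32 stores keys as 32-bit words in network order, so byte 1 of the
# first word is bits 16..23: value VAL<<16, mask 0xff<<16, offset 0.
# This is exactly the form "tc -s -d filter show" prints.
tos_to_u32_key() {
    printf '%08x/%08x at 0\n' $(( $1 << 16 )) $(( 0xff << 16 ))
}

# Evaluate keys "VAL/MASK" against one TOS byte the way the classifier
# does for keys that live in the SAME filter: every key must match.
# Two different TOS values in one filter can therefore never both match.
tos_matches_all() {
    tos=$1; shift
    for key in "$@"; do
        val=${key%/*}; mask=${key#*/}
        [ $(( $tos & $mask )) -eq $(( $val & $mask )) ] || return 1
    done
    return 0
}

# One u32 filter per TOS value: the classifier walks the filters in
# order, so this is the OR the original command was aiming for.
# Usage: tos_filters DEV PARENT PRIO FLOWID TOS...
tos_filters() {
    dev=$1; parent=$2; prio=$3; flowid=$4; shift 4
    for tos in "$@"; do
        $TC filter add dev "$dev" parent "$parent" prio "$prio" protocol ip u32 \
            match ip tos "$tos" 0xff flowid "$flowid"
    done
}

# Demonstration with the values from the thread.
tos_filters eth0 1:0 1 1:1 0x10 0x12 0x14 0x16
tos_to_u32_key 0x10          # 00100000/00ff0000 at 0
if tos_matches_all 0x10 0x10/0xff 0x12/0xff; then
    echo "unexpected: a packet cannot carry TOS 0x10 and 0x12 at once"
fi
```

Because the four filters end up at the same `pref` with different handles (800::800, 800::801, ...), the `rule hit`/`success` counters in the listing above are per filter, which is why only the 0x10 entry shows successes while the others show `success 0`.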
From: martin-lartc at wonderfrog.net (Martin A. Brown) Date: Fri Apr 7 17:18:20 2006 Subject: [LARTC] Tocken Bucket with priority? In-Reply-To: References: <20060405132419.GH3839@mandriva.com> Message-ID: Hi there Emanuele, : I tried your solution and it seems to work. Yet i'm experiencing : an unexpected behaviour: when i try to fill the highest priority : queue (expecting the lower priority traffic to starve), i see : that the higher priority queue starts to grow, while some lower : priority packets are served. This means that upon congestion of : the link, the shaper stops working properly and does not apply a : strict priority policy. : : I was wondering about the granularity of the service: in fact it : may happen that, if the granularity is, say, 5 packets, the : scheduler sees the higher priority queue empty, and it serves a : "train" of 5 packets from the lower priority queue; while it is : serving those packets, new packets arrive in the high priority : queue, and have to wait until the scheduler has fully served the : lower priority train. To avoid such a behaviour, i looked for a : parameter that sets the granularity, but the documentation is not : that clear about it: what are the parameters that set the : granularity? Is it a problem of prio or of htb? I realize I'm jumping in a bit late on this item, but I don't quite understand why HTB as below should not work for you. Have you tried a configuration like the below? You must know your available bandwidth for this trick to work, but the following configuration approximates a PRIO qdisc, but gives you the benefit of shaping. class $parent, rate $MAX, ceil $MAX | +- class $voip, rate ( 0.95 * $MAX), ceil $MAX | +- class $other, rate ( 0.05 * $MAX), ceil $MAX Remember that all the shaping and prioritizing in the world will not help you if you are not the bottleneck. Your shaping/prioritizing device must be the choke point. 
While I don't have any direct experience with VoIP, I can imagine that you might see an increased latency as a result of queuing delay in your VoIP class. To limit latency induced by queuing delay, you could create a child of the $voip class with bfifo or pfifo qdisc of a specified depth/size. If, however, this is necessary, you may simply need more bandwidth. And, as an attempt to answer your question above....perhaps you could try fiddling with the quantum setting on a given class. When a given class has exceeded its rate, it can only transmit quantum bytes per dequeue opportunity. Good luck, -Martin -- Martin A. Brown --- Wonderfrog Enterprises --- martin@wonderfrog.net From forgamedev at yahoo.com Fri Apr 7 17:51:18 2006 
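An added example, not from Martin's mail and not HTB's own code, that works out the quantum he refers to. In the kernel's HTB a class that is over its rate may borrow at most quantum bytes per dequeue round; unless `quantum` is given on the class, it is derived as the rate in bytes per second divided by r2q (default 10) and clamped to 1000..200000 bytes, with a "quantum of class is small/big" warning in the kernel log when the clamp kicks in. The sh below computes that figure and prints the two-class tree from the mail (95 %/5 % of $MAX, both with ceil $MAX) together with the quantum each class gets. Rates are assumed to be in kbit at 1000 bit/s per kbit (current tc; older builds used 1024), and `TC` defaults to `echo tc` so the commands are only printed.

```sh
#!/bin/sh
# Added example, not from the original mail.
TC=${TC:-"echo tc"}

HTB_R2Q_DEFAULT=10       # kernel default for r2q
HTB_QUANTUM_MIN=1000     # kernel clamps a derived quantum into this range
HTB_QUANTUM_MAX=200000

# htb_quantum RATE_BITS_PER_S [R2Q] -> bytes a class may send per round
# when over its rate, as HTB derives it when no quantum is given.
htb_quantum() {
    rate_bps=$1; r2q=${2:-$HTB_R2Q_DEFAULT}
    q=$(( rate_bps / 8 / r2q ))
    [ "$q" -lt "$HTB_QUANTUM_MIN" ] && q=$HTB_QUANTUM_MIN
    [ "$q" -gt "$HTB_QUANTUM_MAX" ] && q=$HTB_QUANTUM_MAX
    echo "$q"
}

# The tree from the mail: voip gets 95 % of MAX, other 5 %, both may
# borrow up to MAX. prio 0 on voip makes HTB serve it first when both
# classes are over their rate. Assumes kbit = 1000 bit/s.
htb_prio_tree() {        # htb_prio_tree DEV MAX_KBIT [R2Q]
    dev=$1; max=$2; r2q=${3:-$HTB_R2Q_DEFAULT}
    voip=$(( max * 95 / 100 )); other=$(( max - voip ))
    $TC qdisc add dev "$dev" root handle 1: htb default 20 r2q "$r2q"
    $TC class add dev "$dev" parent 1: classid 1:1 htb rate "${max}kbit" ceil "${max}kbit"
    $TC class add dev "$dev" parent 1:1 classid 1:10 htb rate "${voip}kbit" ceil "${max}kbit" prio 0
    $TC class add dev "$dev" parent 1:1 classid 1:20 htb rate "${other}kbit" ceil "${max}kbit" prio 1
    echo "# quantum 1:10 = $(htb_quantum $(( voip * 1000 )) "$r2q") bytes," \
         "1:20 = $(htb_quantum $(( other * 1000 )) "$r2q") bytes"
}

# Demonstration: a 2048 kbit link, then the clamp at both ends.
htb_prio_tree eth0 2048
htb_quantum 64000            # 800 bytes derived, clamped to 1000
htb_quantum 100000000        # 1250000 bytes derived, clamped to 200000
```

A small quantum keeps the "train" of lower-priority packets short but, as the follow-up in this thread notes, it cannot be smaller than one packet in effect: a class always gets to send at least one whole packet per round, so the round granularity is bounded below by the MTU regardless of quantum.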
From: forgamedev at yahoo.com (pfer) Date: Fri Apr 7 17:51:19 2006 Subject: [LARTC] "action pass random determ/netrand reclassify --value--": granularity problems Message-ID: <20060407155118.46485.qmail@web54306.mail.yahoo.com> Hi all! I'm trying to do proportional marking of real-time traffic to indicate link congestion, and for that, I wish to use the DSMARK filter to mark from, say EF to 0xcc. (an unused DSCP value) By proportional, I mean, if congestion on the egress link is, say 38%, then I shall remark 38 packets of every 100 leaving eth0. I already wrote some scripts, and I can measure the overload ratio, decide when congestion occurs locally, and modify any filter from C code in runtime with system calls. Problem is, from what I get from the /doc library from the newest iproute2 package, when using ACTIONS with DETERM or NETRAND, followed by a value, that number is an INTEGER, and thus it says: action drop random netrand ok 10 --> allow 1 out 10 randomly and action drop random determ ok 2 --> deterministically accept every second packet This seems to behave like: every nth, so I can't have anything more than 50%, and even below 50%, levels are stepped, like 33%, 25%, etc. What I would like to do is: action pass random determ continue RATIO, so when RATIO is 0, it would pass all packets, when it is not, it would step to the next filter (the DSMARK remarker) before sending. But I need stepping at % ratio, (meaning if insisting on nth-method, the value could be: every 100/74-th packet, which is obviously not an integer. Could you give me some ideas? Anyone used something like this before? Any advice/help is highly appreciated. Ferenc From nata at cnett.com.br Fri Apr 7 20:26:00 2006 
From: nata at cnett.com.br (Nataniel Klug) Date: Fri Apr 7 20:26:13 2006 Subject: [LARTC] u32 and iptables do not work together Message-ID: <4436AEB8.1070300@cnett.com.br> Hello all, I am trying to make a filter into my QoS rules and I found that when I try to use filters u32 and with fwmark they do not work together. This is the filter I use, just an example, for u32: $TC filter add dev $DL parent 1:0 protocol ip prio 1 u32 match ip sport 22 0xffff flowid 1:10 This is working fine. Now if I try to mark a package that I want it to go to the same class (1:10) I get an error: $IPT -t mangle -A PREROUTING -s 200.163.208.4 -j MARK --set-mark 10 Then I tried to make the filter for this: $TC filter add dev $DL parent 1:0 protocol ip prio 1 handle 10 fw classid 1:10 RETURNS: [root@ns1 rc.d]# /sbin/tc filter add dev eth3 parent 1:0 protocol ip prio 1 handle 10 fw classid 1:10 RTNETLINK answers: Invalid argument We have an error talking to the kernel [root@ns1 rc.d]# Does anyone know what I can do? My full script (the one that is working fine) is at the end. 
Att, Nataniel Klug ------
#!/bin/sh
#------
# Cyber Nett QoS script
#------
# Nataniel Klug
# suporte@cnett.com.br
#------
TC="/sbin/tc"
IPT="/usr/local/sbin/iptables"
DL="eth3"
#------
# Delete old QoS rules
#------
$TC qdisc del dev $DL root 2> /dev/null > /dev/null
$TC qdisc del dev $DL ingress 2> /dev/null > /dev/null
#------
# Rules for the eth1 card
#------
$TC qdisc add dev $DL root handle 1: htb default 50
CLASS="/sbin/tc class add dev $DL parent"
$CLASS 1: classid 1:1 htb rate 3072Kbit
$CLASS 1:1 classid 1:10 htb rate 256Kbit prio 1
$CLASS 1:1 classid 1:20 htb rate 1024Kbit ceil 2048Kbit prio 2
$CLASS 1:1 classid 1:30 htb rate 512Kbit ceil 512Kbit prio 3
$CLASS 1:1 classid 1:40 htb rate 512Kbit ceil 512Kbit prio 3
$CLASS 1:1 classid 1:50 htb rate 512Kbit ceil 512Kbit prio 4
QDISC="/sbin/tc qdisc add dev $DL parent"
$QDISC 1:10 handle 10: sfq perturb 10
$QDISC 1:20 handle 20: sfq perturb 10
$QDISC 1:30 handle 30: sfq perturb 10
$QDISC 1:40 handle 40: sfq perturb 10
$QDISC 1:50 handle 50: sfq perturb 10
FILTER="/sbin/tc filter add dev $DL parent 1:0 protocol ip prio 1 u32"
$FILTER match ip protocol 1 0xff flowid 1:10
$FILTER match ip sport 22 0xffff flowid 1:10
$FILTER match ip sport 23 0xffff flowid 1:10
$FILTER match ip sport 2202 0xffff flowid 1:10
$FILTER match ip sport 6121 0xffff flowid 1:10
$FILTER match ip sport 5121 0xffff flowid 1:10
$FILTER match ip sport 80 0xffff flowid 1:20
$FILTER match ip sport 443 0xffff flowid 1:20
$FILTER match ip sport 3128 0xffff flowid 1:20
$FILTER match ip src 200.189.176.206/32 flowid 1:20
$FILTER match ip src 200.189.176.205/32 flowid 1:20
$FILTER match ip sport 5065 0xffff flowid 1:20
$FILTER match ip sport 5070 0xffff flowid 1:20
$FILTER match ip sport 53 0xffff flowid 1:30
$FILTER match ip sport 25 0xffff flowid 1:30
$FILTER match ip sport 110 0xffff flowid 1:30
$FILTER match ip sport 21 0xffff flowid 1:40
From Andreas.Klauer at metamorpher.de Fri Apr 7 20:45:26 2006
From: Andreas.Klauer at metamorpher.de (Andreas Klauer) Date: Fri Apr 7 20:45:26 2006 Subject: [LARTC] u32 and iptables do not work together In-Reply-To: <4436AEB8.1070300@cnett.com.br> References: <4436AEB8.1070300@cnett.com.br> Message-ID: <20060407184526.GA15414@EIS> On Fri, Apr 07, 2006 at 03:26:00PM -0300, Nataniel Klug wrote: > RTNETLINK answers: Invalid argument > We have an error talking to the kernel This message usually translates to: 'tc understood your syntax just fine, and tried to tell the kernel about it, but the kernel did not understand, most likely because it does not support this feature.' Do you have 'Netfilter marks support' enabled? (Just a guess, may be a different setting) Regards Andreas Klauer From nata at cnett.com.br Fri Apr 7 21:09:17 2006 From: nata at cnett.com.br (Nataniel Klug) Date: Fri Apr 7 21:09:36 2006 Subject: [LARTC] u32 and iptables do not work together In-Reply-To: <20060407184526.GA15414@EIS> References: <4436AEB8.1070300@cnett.com.br> <20060407184526.GA15414@EIS> Message-ID: <4436B8DD.4010909@cnett.com.br> Andreas, This is not the problem because if I disable the rules I am using, and use another script just with rules using fwmark, then the other script works fine. Att, Nataniel Klug Andreas Klauer wrote: > On Fri, Apr 07, 2006 at 03:26:00PM -0300, Nataniel Klug wrote: > >> RTNETLINK answers: Invalid argument >> We have an error talking to the kernel >> > > This message usually translates to: 'tc understood your syntax just > fine, and tried to tell the kernel about it, but the kernel did not > understand, most likely because it does not support this feature.' > > Do you have 'Netfilter marks support' enabled? > (Just a guess, may be a different setting) > > Regards > Andreas Klauer > > From jasonb at edseek.com Fri Apr 7 21:51:59 2006 
From: jasonb at edseek.com (Jason Boxman) Date: Fri Apr 7 21:52:08 2006 Subject: [LARTC] SNMP EXTENSION In-Reply-To: <20060406113158.12284.qmail@web31604.mail.mud.yahoo.com> References: <20060406113158.12284.qmail@web31604.mail.mud.yahoo.com> Message-ID: <37820.216.134.200.78.1144439519.squirrel@nebula.internal.foo> ragunath venkatapathy wrote: > Hi ALL, > I am trying to use the SNMP extension of michel > http://x-ray.prokon.cz/data/snmp/ > > i patched the snmpd daemon as mentioned in the README > but when i run "snmpwalk -c community target enterprises.18756" > i get this error "snmpwalk: No securityName specified (Sub-id not found: > (top) -> enterprises)" > > any idea ? I was originally going to query that via polltc, but it seems unsupported, so I abandoned it and query the `tc` binary directly instead. Not so good across the network, though. From etg at setcom.bg Fri Apr 7 21:54:43 2006 
From: etg at setcom.bg (Evgeni Gechev) Date: Fri Apr 7 21:54:55 2006 Subject: [LARTC] u32 and iptables do not work together In-Reply-To: <4436B8DD.4010909@cnett.com.br> References: <4436AEB8.1070300@cnett.com.br> <20060407184526.GA15414@EIS> <4436B8DD.4010909@cnett.com.br> Message-ID: <4436C383.5060509@setcom.bg> Nataniel Klug wrote: > Andreas, > > This is not the problem because if I disable the rules I am using, and > use another script just with rules using fwmark, then the other script > works fine. > > Att, > > Nataniel Klug > > Andreas Klauer wrote: >> On Fri, Apr 07, 2006 at 03:26:00PM -0300, Nataniel Klug wrote: >> >>> RTNETLINK answers: Invalid argument >>> We have an error talking to the kernel >>> >> >> This message usually translates to: 'tc understood your syntax just >> fine, and tried to tell the kernel about it, but the kernel did not >> understand, most likely because it does not support this feature.' >> >> Do you have 'Netfilter marks support' enabled? >> (Just a guess, may be a different setting) >> >> Regards >> Andreas Klauer >> >> tc filter add dev DEVICE parent M:N protocol ip prio 100 u32 match ip dst A.B.C.D/M match mark 0x0001 0xffff flowid P:Q From jasonb at edseek.com Fri Apr 7 21:57:07 2006 
From: jasonb at edseek.com (Jason Boxman) Date: Fri Apr 7 21:57:10 2006 Subject: [LARTC] Tocken Bucket with priority? In-Reply-To: References: <20060405132419.GH3839@mandriva.com> Message-ID: <53538.216.134.200.78.1144439827.squirrel@nebula.internal.foo> Emanuele Colombo wrote: >> What about using HTB and *then* using PRIO as its leaf class? You would >> use HTB only to shape. > > Hi! > I tried your solution and it seems to work. Yet i'm experiencing an > unexpected behaviour: when i try to fill the highest priority queue > (expecting the lower priority traffic to starve), i see that the > higher priority queue starts to grow, while some lower priority > packets are served. This means that upon congestion of the link, the > shaper stops working properly and does not apply a strict priority > policy. > > I was wondering about the granularity of the service: in fact it may > happen that, if the granularity is, say, 5 packets, the scheduler sees > the higher priority queue empty, and it serves a "train" of 5 packets > from the lower priority queue; while it is serving those packets, new > packets arrive in the high priority queue, and have to wait until the > scheduler has fully served the lower priority train. > To avoid such a behaviour, i looked for a parameter that sets the > granularity, but the documentation is not that clear about it: what > are the parameters that set the granularity? Is it a problem of prio > or of htb? One thing you may try is to recompile sch_htb with HTB_HYSTERESIS[1] set to 0. You'll get improved performance on slower links where you need the accuracy. [1] http://edseek.com/~jasonb/articles/traffic_shaping/buildkernel.html From stanislav.nedelchev at gmail.com Fri Apr 7 22:15:42 2006 
From: stanislav.nedelchev at gmail.com (Stanislav Nedelchev) Date: Fri Apr 7 22:15:45 2006 Subject: [LARTC] Re: routing between 2 lines problem , after starting squid In-Reply-To: <48581776050630083558054672@mail.gmail.com> References: <48581776050630083558054672@mail.gmail.com> Message-ID: <4436C86E.1040907@gmail.com> It's Solved Stanislav Nedelchev wrote: > i'm using one line on eth2 only for web traffic > eth1 is my internal line and eth0 is my main line to internet . > i'm marking packets like this > > i have default route on eth0 > > iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 80 -j MARK > --set-mark 66 > iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 80 -j MARK > --set-mark 66 > iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 3128 -j MARK > --set-mark 66 > iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 3128 -j MARK > --set-mark 66 > > iptables -t mangle -A FORWARD -p tcp --sport 80 -j MARK --set-mark 66 > iptables -t mangle -A FORWARD -p tcp --dport 80 -j MARK --set-mark 66 > iptables -t mangle -A FORWARD -p tcp --sport 3128 -j MARK --set-mark 66 > iptables -t mangle -A FORWARD -p tcp --dport 3128 -j MARK --set-mark 66 > > > iptables -t nat -A POSTROUTING -o eth2 -p tcp --dport 80 -s > 192.168.0.0/24 -d ! 192.168.0.0/16 -j MASQUERADE > iptables -t nat -A POSTROUTING -o eth2 -p tcp --dport 3128 -s > 192.168.0.0/24 -d ! 192.168.0.0/16 -j MASQUERADE > > i have also > /sbin/ip route add 192.168.0.0/24 dev eth1 table natips > /sbin/ip route add 127.0.0.0/8 dev lo scope link table natips > /sbin/ip route add default via 217.10.248.1 dev eth2 table natips > /sbin/ip route flush cache > /sbin/ip rule add fwmark 66 table natips > > > squid is running > on 192.168.0.1:3128 > > without squid it's working i'm using second line for web traffic > with squid it's not working > > can anybody help me > > Thanks in advance. > From adamt at commspeed.net Fri Apr 7 23:06:26 2006 
From: adamt at commspeed.net (Adam M. Towarnyckyj) Date: Fri Apr 7 23:06:28 2006 Subject: [LARTC] Problems matching by mac address Message-ID: <48DC429CB053B64EAD91BDD1DE106A1152C259@es1.corp.commspeed.net> Hey Alexey, Thanks for the input. I think that lack of two F's was a typo on my part but I tried it anyways and it still does not work. I also added the ceil to it with no luck. I'm a bit confused on what you meant by not having any rules to classify from root down to 12:. Can you elaborate or show me an example? As I stated before, this is pretty much the exact setup I used when I filtered by destination IP. The only thing I'm changing now is the actual filter command. Everything else has been in place for a while. Thanks. Adam -----Original Message----- From: Alexey Toptygin [mailto:alexeyt@freeshell.org] Sent: Tuesday, April 04, 2006 3:15 PM To: Adam M. Towarnyckyj Cc: lartc@mailman.ds9a.nl Subject: Re: [LARTC] Problems matching by mac address On Tue, 4 Apr 2006, Adam M. Towarnyckyj wrote: > I recently read on a prior post as well as the FAQ that > packets can be limited by mac address using the u32 filter. I attempted > this and, while all the commands went through with no errors, it is not > limiting at all. I'm attempting to limit all IP traffic to a specific > destination mac address (00:12:3f:05:43:7f). Here is a quick rundown of > the commands I've used: Not sure that this will help, but > tc qdisc add dev eth1 parent 1:2 handle 12: htb > tc class add dev eth1 parent 12: classid 12:10 htb rate 128kbit no ceil? > tc filter add dev eth1 protocol ip parent 12: prio 5 u32 match u16 > 0x0800 0xFFFF at -2 match u32 0x3f05437f 0xFFFFFF at -12 match u16 > 0x0012 0xFFFF at -14 flowid 12:10 Shouldn't that be "match u32 0x3f05437f 0xFFFFFFFF at -12" (2 more Fs) Also, what you sent didn't have any rules to classify from root down to 12: so the above filter won't be consulted... Alexey From jody.shumaker at gmail.com Fri Apr 7 23:10:15 2006 
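Added example for the MAC-matching thread above; it is not code from either mail. It builds the u32 keys from the MAC string so the two masks and the negative offsets do not have to be typed by hand, which is where the missing `FF`s in the original command came from. The offsets are relative to the IP header, and the 14-byte Ethernet header sits in front of it: destination MAC at -14..-9, source MAC at -8..-3, ethertype at -2. u32 only takes 8-, 16- or 32-bit keys, so the 6-byte MAC is split into a u16 at -14 (bytes 0-1) and a u32 at -12 (bytes 2-5), both with full masks. This only works where the link-layer header is still in front of the packet at classification time (egress of a real Ethernet device, as in the thread).

```sh
#!/bin/sh
# Added example, not from the original mail.

# mac_to_u32_match aa:bb:cc:dd:ee:ff -> the three u32 keys for "IP to
# destination MAC": ethertype 0x0800 at -2, first two MAC bytes as a
# u16 at -14, remaining four as a u32 at -12, all fully masked.
mac_to_u32_match() {
    hex=$(printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f')
    [ ${#hex} -eq 12 ] || { echo "bad MAC: $1" >&2; return 1; }
    hi=$(printf '%s' "$hex" | cut -c1-4)      # bytes 0-1
    lo=$(printf '%s' "$hex" | cut -c5-12)     # bytes 2-5
    printf 'match u16 0x0800 0xffff at -2 match u16 0x%s 0xffff at -14 match u32 0x%s 0xffffffff at -12\n' \
        "$hi" "$lo"
}

# Full filter line as in the thread, with the key part generated.
# mac_filter DEV PARENT PRIO MAC FLOWID
mac_filter() {
    keys=$(mac_to_u32_match "$4") || return 1
    echo "tc filter add dev $1 protocol ip parent $2 prio $3 u32 $keys flowid $5"
}

# Demonstration with the address from the thread.
mac_filter eth1 12: 5 00:12:3f:05:43:7f 12:10
```

Note that a filter attached at `parent 12:` is only consulted for packets that reach qdisc 12:, which is Alexey's second point: something at the root (a filter or the HTB `default`) must send traffic down to 1:2 first.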
From: jody.shumaker at gmail.com (Jody Shumaker) Date: Fri Apr 7 23:10:15 2006 Subject: [LARTC] u32 and iptables do not work together In-Reply-To: <4436B8DD.4010909@cnett.com.br> References: <4436AEB8.1070300@cnett.com.br> <20060407184526.GA15414@EIS> <4436B8DD.4010909@cnett.com.br> Message-ID: <2af436490604071410h4e876191y513ea4aec916026@mail.gmail.com> On 4/7/06, Nataniel Klug wrote: > Andreas, > > This is not the problem because if I disable the rules I am using, and > use another script just with rules using fwmark, then the other script > works fine. > > Att, > > Nataniel Klug > > Andreas Klauer wrote: > > On Fri, Apr 07, 2006 at 03:26:00PM -0300, Nataniel Klug wrote: > > > >> RTNETLINK answers: Invalid argument > >> We have an error talking to the kernel > >> > > > > This message usually translates to: 'tc understood your syntax just > > fine, and tried to tell the kernel about it, but the kernel did not > > understand, most likely because it does not support this feature.' > > > > Do you have 'Netfilter marks support' enabled? > > (Just a guess, may be a different setting) > > > > Regards > > Andreas Klauer > > > > When comparing your commands to mine, i noticed that you are never incrementing the prio. Possibly try your command but with prio 2. I seem to recall having issues when i was only using one prio for everything, but incr­ementing it with each group of filters seemed to work better. Currently i have filter rules like this: tc filter add dev $DEV parent 1:0 protocol ip prio 8 handle ${MARKP2P} fw classid 1:13 which is followed by tc filter add dev $DEV parent 1: protocol ip prio 12 u32 \ match ip tos 0x10 0xff \ flowid 1:11 If this doesn't work, then it is likely some kernel options you need to enable, or possibly you need to recompile iptables/tc? - Jody From andy.furniss at dsl.pipex.com Fri Apr 7 23:46:19 2006 
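Added example for the "u32 and iptables do not work together" thread; it is not code from any of the mails. Jody's observation about the priority is the actual mechanism behind the `RTNETLINK answers: Invalid argument`: within one parent, protocol and priority the kernel keeps a single classifier chain of one kind, so once a u32 chain exists at `prio 1`, adding a `fw` filter at the same `prio 1` is refused with EINVAL regardless of kernel options. The sh/awk below lints a list of `tc filter add` commands for exactly that collision, using the two commands from the original post (with `$TC` and `$DL` expanded) as constructed sample input, first as posted and then with the `fw` filter moved to its own priority.

```sh
#!/bin/sh
# Added example, not from the original thread. Checks "tc filter add"
# commands for the mistake behind the EINVAL above: one classifier KIND
# per (dev, parent, protocol, prio); a fw filter cannot share prio 1
# with an existing u32 chain.

# Reads tc filter commands on stdin, prints each conflict, exits 1 if
# there was any. Kinds recognised: u32 fw route tcindex basic flow
# cgroup bpf matchall.
check_filter_prios() {
    awk '
    $1 == "tc" && $2 == "filter" {
        dev = ""; parent = ""; proto = ""; prio = ""; kind = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "dev")                         dev = $(i + 1)
            else if ($i == "parent")                 parent = $(i + 1)
            else if ($i == "protocol")               proto = $(i + 1)
            else if ($i == "prio" || $i == "pref")   prio = $(i + 1)
            else if (kind == "" && $i ~ /^(u32|fw|route|tcindex|basic|flow|cgroup|bpf|matchall)$/)
                kind = $i
        }
        key = dev " " parent " " proto " " prio
        if (key in seen && seen[key] != kind) {
            printf "conflict: %s parent %s prio %s already holds a %s chain, cannot add %s\n",
                   dev, parent, prio, seen[key], kind
            bad = 1
        } else if (!(key in seen)) {
            seen[key] = kind
        }
    }
    END { exit bad }'
}

# Constructed sample: the two commands from the post, variables expanded.
BROKEN='tc filter add dev eth3 parent 1:0 protocol ip prio 1 u32 match ip sport 22 0xffff flowid 1:10
tc filter add dev eth3 parent 1:0 protocol ip prio 1 handle 10 fw classid 1:10'

# Same pair with the fw chain given its own priority.
FIXED='tc filter add dev eth3 parent 1:0 protocol ip prio 1 u32 match ip sport 22 0xffff flowid 1:10
tc filter add dev eth3 parent 1:0 protocol ip prio 2 handle 10 fw classid 1:10'

printf '%s\n' "$BROKEN" | check_filter_prios || echo "-> give the fw filter its own prio"
printf '%s\n' "$FIXED"  | check_filter_prios && echo "fixed set: no prio/kind conflicts"
```

A convenient convention is one priority block per classifier kind (for example all `fw` filters at prio 1..9, all `u32` at 10 and up), which also fixes the order in which the kinds are consulted, since lower prio is tried first.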
From: andy.furniss at dsl.pipex.com (Andy Furniss) Date: Fri Apr 7 23:45:27 2006 Subject: [LARTC] __Very__ Low Bandwidth In-Reply-To: <442D44FE.7070105@infomatrix.com> References: <442D44FE.7070105@infomatrix.com> Message-ID: <4436DDAB.7010300@dsl.pipex.com> Matthew Pearson wrote: > I am using the script below to simulate a very low bandwidth connection. > I found that I could turn the bandwidth knob down to about 4kbit, but > below that I didn't get any traffic through. I've had a look at this > generally, but couldn't find an answer. It doesn't even seem like the > first reply packet gets through. I have tried it with much bigger > buffers, but this doesn't help. > > I found that if I put a web proxy on the machine that is running this, > then the minimum I can turn the bandwidth down to is 12kbit and below > that the web browser doesn't get anything back. > > Is this because the delay is so great that things are getting thrown > away by the kernel? Could I munge the packets to turn up the TTL or > something similar? > > Many thanks for some excellent tools. > > Matthew Pearson > > #!/bin/bash > > CLIENT1=192.168.1.190/32 > CLIENT2=192.168.1.191/32 > OPER=add; > DEV=eth0 > RATE=3kbit > PEAKRATE=3kbit > BUFFER1=10kb > BUFFER2=10kb > > echo -e "Attach Egress policy..." > tc qdisc $OPER dev $DEV root handle 1:0 htb default 15 > tc class $OPER dev $DEV parent 1:0 classid 1:1 htb rate 240kbit > > tc class $OPER dev $DEV parent 1:1 classid 1:2 htb rate 240kbit ceil > 240kbit > tc class $OPER dev $DEV parent 1:1 classid 1:3 htb rate 240kbit ceil > 240kbit > tc class $OPER dev $DEV parent 1:1 classid 1:15 htb rate 240kbit ceil > 240kbit > > tc qdisc $OPER dev $DEV parent 1:2 handle 2:0 tbf rate $RATE burst $RATE > limit $BUFFER1 peakrate $PEAKRATE mtu 1600 I don't really get using tbf under htb - but it may be OK. The reason it fails <12kbit is because you use it for burst - which is a buffer length so <12kbit won't pass a 1500 byte packet. Andy. 
From andy.furniss at dsl.pipex.com Sat Apr 8 00:03:30 2006 From: andy.furniss at dsl.pipex.com (Andy Furniss) Date: Sat Apr 8 00:02:35 2006 Subject: [LARTC] leaky bucket on bursty multicast In-Reply-To: References: <44060C1F.4090006@dsl.pipex.com> Message-ID: <4436E1B2.8050907@dsl.pipex.com> Oivind wrote: > On 3/1/06, Andy Furniss wrote: > >>Oivind wrote: >> >>>Hi all, >>>I have an average 2mbit multicast stream that once in a while bursts >>>high (up to 20mbit/s) in short periods (about 200ms). Could anyone >>>please help me with directions using tc for configuring leaky bucket >>>shaping to this stream? I have a 5mbit/s ceiling. >>> >>>My system is running gentoo linux 2.6.14, and I have compiled in all >>>QoS modules. >> >>I suppose it depends what you want to do with the burst ie. propagate it >>,smooth it without loss or drop packets to maintain a rate. > > > I would like to smooth the bursts out at the ceiling bandwidth without > any packet drops (unless an unacceptable lengthy burst of course). Sorry for not replying earlier, I lost this one. What you want should be OK with htb/tbf/hfsc ratelimiting at 5meg - just choose a leaf queue/buffer length that can absorb the burst. Andy. From andy.furniss at dsl.pipex.com Sat Apr 8 00:23:13 2006 
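Added example serving Andy's two replies above (the 3kbit tbf that stops passing traffic, and the multicast burst to absorb); it is not code from either thread. tc parses size arguments with 1024-based units (`k`/`kb` = 1024 bytes, `kbit` = 1024/8 bytes), so `burst 3kbit` is a 384-byte bucket, which can never hold a 1500-byte packet; the first whole-kbit value that can is 12kbit (1536 bytes), the limit Andy names. The sh below converts tc sizes to bytes, checks a tbf burst against the MTU, emits a tbf command whose burst is raised to at least one MTU, and sizes the queue needed to absorb a burst above a ceiling without loss (excess rate times duration). Rates in the buffer computation are assumed to be 1000-based kbit.

```sh
#!/bin/sh
# Added example, not from the original threads.

# Size suffixes as tc's size parser treats them (integer values only).
tc_size_bytes() {
    n=${1%%[!0-9]*}          # leading digits
    suf=${1#"$n"}            # whatever follows them
    [ -n "$n" ] || { echo "bad size: $1" >&2; return 1; }
    case "$suf" in
        ""|b|B)          echo "$n" ;;
        k|kb|K|KB)       echo $(( n * 1024 )) ;;
        kbit|Kbit)       echo $(( n * 1024 / 8 )) ;;
        m|mb|M|MB)       echo $(( n * 1024 * 1024 )) ;;
        mbit|Mbit)       echo $(( n * 1024 * 1024 / 8 )) ;;
        *) echo "unknown size suffix: $suf" >&2; return 1 ;;
    esac
}

# 0 if a tbf bucket of SIZE can hold one packet of MTU bytes, else 1.
tbf_burst_ok() {          # tbf_burst_ok SIZE MTU
    [ "$(tc_size_bytes "$1")" -ge "$2" ]
}

# Smallest whole-kbit value that, used as burst, fits one MTU packet
# (12 for the usual 1500-byte MTU).
min_burst_kbit() {        # min_burst_kbit MTU
    echo $(( ( $1 * 8 + 1023 ) / 1024 ))
}

# tbf qdisc line with the burst raised to one MTU when the rate is so
# low that "burst $RATE" would starve every full-size packet.
tbf_cmd() {               # tbf_cmd DEV PARENT HANDLE RATE LIMIT MTU
    dev=$1; parent=$2; handle=$3; rate=$4; limit=$5; mtu=$6
    burst=$rate
    tbf_burst_ok "$burst" "$mtu" || burst="${mtu}b"
    printf 'tc qdisc add dev %s parent %s handle %s tbf rate %s burst %s limit %s\n' \
        "$dev" "$parent" "$handle" "$rate" "$burst" "$limit"
}

# Queue length (bytes) that absorbs a burst of PEAK kbit/s lasting MS
# milliseconds while draining at CEIL kbit/s: (peak - ceil) * time / 8.
# Assumes 1000-based kbit. 20000 5000 200 -> 375000 bytes.
burst_buffer_bytes() {    # burst_buffer_bytes PEAK_KBIT CEIL_KBIT MS
    echo $(( ( $1 - $2 ) * $3 / 8 ))
}

# Demonstration with the values from both threads.
tc_size_bytes 3kbit                        # 384
min_burst_kbit 1500                        # 12
tbf_cmd eth0 1:2 2:0 3kbit 10kb 1500
burst_buffer_bytes 20000 5000 200          # 375000
```

For the multicast case the 375000-byte figure is the leaf `limit` (tbf) or fifo depth that keeps a 200 ms burst at 20 Mbit/s from being dropped behind a 5 Mbit/s ceiling; anything longer than that is, as the thread puts it, an unacceptably lengthy burst and will be tail-dropped.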
From: andy.furniss at dsl.pipex.com (Andy Furniss) Date: Sat Apr 8 00:22:20 2006 Subject: [LARTC] packet marking: only a ratio, not all In-Reply-To: <20060330135657.77550.qmail@web54304.mail.yahoo.com> References: <20060330135657.77550.qmail@web54304.mail.yahoo.com> Message-ID: <4436E651.7000705@dsl.pipex.com> pfer wrote: > Hi all! > > In short: > > Anybody wrote a patch for DSMARK to make it capable of marking > only a ratio (a given arg to the tc command) of the packets it gets? > Say, 20%? Or, do I have to hack into the source? Alternatives, > like a filter spitting packets to 2 different DSMARK based on this ratio? > > In long: > > I'm a Hungarian univ student involved in a project (RMD-QoS stuff) > which needs the following: > > \ This node has 3 ingress and 1 egress link, all have for ex. 10 Mbit > \ limit to their traffic. > \ > --- node ----- Suppose ingress traffic is: 8 + 3 +5 = 16 while the egress > / link will be congested with 10. Because this node is a simple, > / intradomain router, we would like to notify the downstream > / edge node about this congestion, to tear down some of the flows > causing it. (Congestion occurred via for. ex. a net failure) > > What the protocol (draft) says, is that the edge will be notified of the level of the congestion, which will be calculated by this proportional data packet marking method, to avoid additional signaling. > Say, if 16 would go on a link with 10 capacity, congested core-node will mark > 60% of the packets it sends to the output of the link to another DSCP. > > I thought about DSMARK first, but that is incapable of doing this stuff. > (or I think so :) > Ideas? > > PS: I did not check the archives rigorously, so sorry if I am asking trivial things. > > PS2: Since I checked not to get mails from this list, please send your answer > to forgamedev@yahoo.com. 
I am not sure I get the logic of what you are trying to do for this particular setup, but there are examples of using policers with meters shared across ingress links to dsmark overlimits packets in the iproute2 sources. Andy. From pch at packetconsulting.pl Sat Apr 8 12:03:10 2006 From: pch at packetconsulting.pl (Piotr Chytla) Date: Sat Apr 8 12:08:09 2006 Subject: [LARTC] u32 and iptables do not work together In-Reply-To: <4436AEB8.1070300@cnett.com.br> References: <4436AEB8.1070300@cnett.com.br> Message-ID: <20060408100310.GA30546@packetconsulting.pl> On Fri, Apr 07, 2006 at 03:26:00PM -0300, Nataniel Klug wrote: > Hello all, > Hello > I am trying to make a filter into my QoS rules and I found that > when I try to use filters u32 and with fwmark they do not work together. > This is the filter I use, just an example, for u32: > > $TC filter add dev $DL parent 1:0 protocol ip prio 1 u32 match ip sport > 22 0xffff flowid 1:10 > > This is working fine. Now if I try to mark a package that I want it > to go to the same class (1:10) I get an error: > > $IPT -t mangle -A PREROUTING -s 200.163.208.4 -j MARK --set-mark 10 > > Then I tried to make the filter for this: > > $TC filter add dev $DL parent 1:0 protocol ip prio 1 handle 10 fw > classid 1:10 > In 2.4.x kernels u32 and fwmark can't work together, you can only mark by u32 or fwmark. In 2.6.x kernels, I think from 2.6.8 or something, you can use fwmark as u32 key. In menuconfig check Networking/Networking support/Networking options/ and you have "Use nfmark as a key in U32 classifier". Example : tc filter add dev eth0 protocol ip parent 1:0 prio 5 u32 \ match mark 0x0090 0xffff \ match ip dst 4.4.4.4 \ flowid 1:90 /pch -- Dyslexia bug unpatched since 1977 ... exploit has been leaked to the underground. From mailinglists at lucassen.org Sat Apr 8 12:30:17 2006 
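Added example for pfer's two posts on proportional marking (the "granularity problems" mail earlier on this page and the "packet marking: only a ratio" thread just above); it is not code from the mails, and it is not a tc action. The point of both posts is that "every n-th packet" can only express 1/n of the traffic, so 38 % or 60 % is out of reach. The usual way to select an exact percentage with integer state is an error accumulator: add RATIO per packet and mark whenever the sum reaches 100, then subtract 100. Over any 100 consecutive packets exactly RATIO are marked and they are spread evenly rather than bunched. The sh below runs that selection over a synthetic packet sequence; the remarking itself (a DSMARK class or an action) is outside the snippet, which only decides which packets to hand to it.

```sh
#!/bin/sh
# Added example, not from the original mails. Exact-percentage packet
# selection with an integer error accumulator (no division, no floats).

# One line per packet, "N mark" or "N pass", for COUNT packets at
# RATIO_PERCENT. acc always stays in 0..99 between packets.
mark_schedule() {        # mark_schedule RATIO_PERCENT COUNT
    ratio=$1; count=$2; acc=0; n=0
    while [ "$n" -lt "$count" ]; do
        n=$(( n + 1 ))
        acc=$(( acc + ratio ))
        if [ "$acc" -ge 100 ]; then
            acc=$(( acc - 100 )); echo "$n mark"
        else
            echo "$n pass"
        fi
    done
}

# Number of marked packets in a run of COUNT at RATIO_PERCENT.
marked_count() {         # marked_count RATIO_PERCENT COUNT
    mark_schedule "$1" "$2" | grep -c ' mark$'
}

# Longest run of consecutive unmarked packets: shows the marks are
# spread out (for 38 % it is 2, never a long unmarked train).
longest_pass_run() {     # longest_pass_run RATIO_PERCENT COUNT
    mark_schedule "$1" "$2" | awk '
        / pass$/ { run++; if (run > best) best = run }
        / mark$/ { run = 0 }
        END { print best + 0 }'
}

# Demonstration with the 38 % figure from the first post.
echo "38 % of 100 packets marked: $(marked_count 38 100)"
echo "longest unmarked run:       $(longest_pass_run 38 100)"
```

The same accumulator works for the 60 % case in the second post (60 of every 100 marked) and degrades gracefully at the extremes: RATIO 0 marks nothing and RATIO 100 marks every packet.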
From: mailinglists at lucassen.org (richard lucassen)
Date: Sat Apr 8 12:30:16 2006
Subject: [LARTC] source routing does not work with extra ip addresses
Message-ID: <20060408123017.4a108613.mailinglists@lucassen.org>

I set up this config:

 +------+
-+ ISP1 +--+
 +------+  |   +-------+
           +--+ linux |
 +------+  |   +-------+
-+ ISP2 +--+
 +------+

No problem. Standard setup with two ISPs. Both routed subnets. Default
gateway is ISP1. No magic here.

Now I put a server behind the Linux box. I want the server to be
reachable on an /extra/ IP in the routed subnet of ISP2.

 +------+
-+ ISP1 +--+
 +------+  |   +-------+   +-----------------+
           +--+ linux +--+ server 10.0.0.2 |
 +------+  |   +-------+   +-----------------+
-+ ISP2 +--+
 +------+

router ISP2: 1.2.3.1/24
dev ISP2: eth1
Linux box eth1: 1.2.3.2/24
external ip ISP2 for server 10.0.0.2: 1.2.3.3

arp -s 1.2.3.3 aa:bb:cc:dd:ee:ff pub
ip route add 1.2.3.3 via 10.0.0.2
iptables -t nat -A PREROUTING -i eth1 -d 1.2.3.3 -j DNAT --to 10.0.0.2

When pinging 1.2.3.3, the packets get in through eth1 (ok), but the
replies are following the default route through eth0 (wrong)

Even a

ip rule add from 1.2.3.3 lookup table_eth1

doesn't change this behaviour.

It is working ok when I add the address 1.2.3.3 directly to eth1:

ip a a 1.2.3.3 dev eth1

Why is this?

R.

--
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
| Public key and email address:                                    |
| http://www.lucassen.org/mail-pubkey.html                         |
+------------------------------------------------------------------+

From colomboe at msec.it Sat Apr 8 12:37:32 2006
From: colomboe at msec.it (Emanuele Colombo)
Date: Sat Apr 8 12:37:33 2006
Subject: [LARTC] Tocken Bucket with priority?
In-Reply-To:
References: <20060405132419.GH3839@mandriva.com>
Message-ID:

2006/4/7, Martin A. Brown :
>
> Hi there Emanuele,
>
> I realize I'm jumping in a bit late on this item, but I don't quite
> understand why HTB as below should not work for you. Have you tried
> a configuration like the below? You must know your available
> bandwidth for this trick to work, but the following configuration
> approximates a PRIO qdisc, but gives you the benefit of shaping.
>
>   class $parent, rate $MAX, ceil $MAX
>     |
>     +- class $voip, rate ( 0.95 * $MAX), ceil $MAX
>     |
>     +- class $other, rate ( 0.05 * $MAX), ceil $MAX
>
> Remember that all the shaping and prioritizing in the world will not
> help you if you are not the bottleneck. Your shaping/prioritizing
> device must be the choke point.

I've already tried this way... with VoIP traffic this solution doesn't
work very well, because data traffic tries to use as much bandwidth as
possible, and it creates some jitter and delay on voice data...

> While I don't have any direct experience with VoIP, I can imagine
> that you might see an increased latency as a result of queuing delay
> in your VoIP class. To limit latency induced by queuing delay, you
> could create a child of the $voip class with bfifo or pfifo qdisc of
> a specified depth/size. If, however, this is necessary, you may
> simply need more bandwidth.

I don't need more bandwidth, I need the data bandwidth to be reduced!

> And, as an attempt to answer your question above....perhaps you
> could try fiddling with the quantum setting on a given class. When
> a given class has exceeded its rate, it can only transmit quantum
> bytes per dequeue opportunity.

I tried changing quantum and r2q parameters of HTB, but I can't solve
this problem... setting a low value of quantum results in decreasing
real throughput, and it also introduces dependence on packet size...
Another test I've done is to create only a prio qdisc (without HTB) and
make the physical layer slower than incoming traffic. It appears to be a
problem of prio, because the same problem of queuing in the high priority
queue happens.

Emanuele

From colomboe at msec.it Sat Apr 8 12:43:13 2006
From: colomboe at msec.it (Emanuele Colombo)
Date: Sat Apr 8 12:43:11 2006
Subject: [LARTC] Tocken Bucket with priority?
In-Reply-To: <53538.216.134.200.78.1144439827.squirrel@nebula.internal.foo>
References: <20060405132419.GH3839@mandriva.com> <53538.216.134.200.78.1144439827.squirrel@nebula.internal.foo>
Message-ID:

2006/4/7, Jason Boxman :
> One thing you may try is to recompile sch_htb with HTB_HYSTERESIS[1] set to 0.
>
> You'll get improved performance on slower links where you need the accuracy.
>
> [1] http://edseek.com/~jasonb/articles/traffic_shaping/buildkernel.html

Ok, I'll try, thanks!

Emanuele

From nata at cnett.com.br Sat Apr 8 13:21:40 2006
From: nata at cnett.com.br (Nataniel Klug)
Date: Sat Apr 8 13:21:51 2006
Subject: [LARTC] u32 and iptables do not work together
In-Reply-To: <2af436490604071410h4e876191y513ea4aec916026@mail.gmail.com>
References: <4436AEB8.1070300@cnett.com.br> <20060407184526.GA15414@EIS> <4436B8DD.4010909@cnett.com.br> <2af436490604071410h4e876191y513ea4aec916026@mail.gmail.com>
Message-ID: <44379CC4.9010309@cnett.com.br>

Jody,

I think it worked fine... This is my new script (below the text). I just
don't know how I can tell if this traffic is really going to the class I
send it to... hehehehe... I am marking Skype packages using L7-Filter like
this:

$IPT -t mangle -A PREROUTING -m layer7 --l7proto skypetoskype -j MARK --set-mark 10

Regards,
Nataniel Klug

--------------------------------

#!/bin/sh
#------
# Cyber Nett QoS script
#------
# Nataniel Klug
# suporte@cnett.com.br
#------

TC="/sbin/tc"
IPT="/usr/local/sbin/iptables"
DL="eth3"

#------
# Deleting old QoS rules
#------
$TC qdisc del dev $DL root 2> /dev/null > /dev/null
$TC qdisc del dev $DL ingress 2> /dev/null > /dev/null

#------
# Rules for the eth1 card
#------
$TC qdisc add dev $DL root handle 1: htb default 50

CLASS="/sbin/tc class add dev $DL parent"
$CLASS 1: classid 1:1 htb rate 3072Kbit
$CLASS 1:1 classid 1:10 htb rate 384Kbit prio 1
$CLASS 1:1 classid 1:20 htb rate 1024Kbit ceil 2048Kbit prio 2
$CLASS 1:1 classid 1:30 htb rate 512Kbit ceil 512Kbit prio 3
$CLASS 1:1 classid 1:40 htb rate 512Kbit ceil 512Kbit prio 4
$CLASS 1:1 classid 1:50 htb rate 640Kbit ceil 640Kbit prio 5

QDISC="/sbin/tc qdisc add dev $DL parent"
$QDISC 1:10 handle 10: sfq perturb 10
$QDISC 1:20 handle 20: sfq perturb 10
$QDISC 1:30 handle 30: sfq perturb 10
$QDISC 1:40 handle 40: sfq perturb 10
$QDISC 1:50 handle 50: sfq perturb 10

FILTER="/sbin/tc filter add dev $DL parent 1:0 protocol"
$FILTER ip prio 11 u32 match ip protocol 1 0xff flowid 1:10
$FILTER ip prio 12 u32 match ip sport 22 0xffff flowid 1:10
$FILTER ip prio 12 u32 match ip sport 23 0xffff flowid 1:10
$FILTER ip prio 12 u32 match ip sport 2202 0xffff flowid 1:10
$FILTER ip prio 13 u32 match ip sport 6121 0xffff flowid 1:10
$FILTER ip prio 13 u32 match ip sport 5121 0xffff flowid 1:10
$FILTER ip prio 14 handle 10 fw classid 1:10
$FILTER ip prio 21 u32 match ip sport 80 0xffff flowid 1:20
$FILTER ip prio 21 u32 match ip sport 443 0xffff flowid 1:20
$FILTER ip prio 21 u32 match ip sport 3128 0xffff flowid 1:20
$FILTER ip prio 22 u32 match ip src 200.189.176.206/32 flowid 1:20
$FILTER ip prio 22 u32 match ip src 200.189.176.205/32 flowid 1:20
$FILTER ip prio 22 u32 match ip sport 5065 0xffff flowid 1:20
$FILTER ip prio 22 u32 match ip sport 5070 0xffff flowid 1:20
$FILTER ip prio 31 u32 match ip sport 53 0xffff flowid 1:30
$FILTER ip prio 32 u32 match ip sport 25 0xffff flowid 1:30
$FILTER ip prio 32 u32 match ip sport 110 0xffff flowid 1:30
$FILTER ip prio 41 u32 match ip sport 21 0xffff flowid 1:40

From pch at packetconsulting.pl Sat Apr 8 15:18:01 2006
From: pch at packetconsulting.pl (Piotr Chytla)
Date: Sat Apr 8 15:23:01 2006
Subject: [LARTC] u32 and iptables do not work together
In-Reply-To: <44379CC4.9010309@cnett.com.br>
References: <4436AEB8.1070300@cnett.com.br> <20060407184526.GA15414@EIS> <4436B8DD.4010909@cnett.com.br> <2af436490604071410h4e876191y513ea4aec916026@mail.gmail.com> <44379CC4.9010309@cnett.com.br>
Message-ID: <20060408131801.GB31153@packetconsulting.pl>

On Sat, Apr 08, 2006 at 08:21:40AM -0300, Nataniel Klug wrote:
> I think it worked fine... This is my new script (below the text). I just
> don't know how I can tell if this traffic is really going to the class I
> send it to... hehehehe... I am marking Skype packages using L7-Filter like
> this:
>

If you want to see packets in a class you can use sch_log, quite a good
module; you must attach it to a class and you will see every packet in
this class in tcpdump.

http://kernel.umbrella.ro/net/sch_log/v0.4/sch_log-0.4.tar.gz

or Vincent Perrier's sch_spy (I don't have the url).

/pch

--
Dyslexia bug unpatched since 1977 ... exploit has been leaked to the underground.

From Andreas.Klauer at metamorpher.de Sat Apr 8 15:37:54 2006
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Sat Apr 8 15:37:52 2006
Subject: [LARTC] u32 and iptables do not work together
In-Reply-To: <20060408131801.GB31153@packetconsulting.pl>
References: <4436AEB8.1070300@cnett.com.br> <20060407184526.GA15414@EIS> <4436B8DD.4010909@cnett.com.br> <2af436490604071410h4e876191y513ea4aec916026@mail.gmail.com> <44379CC4.9010309@cnett.com.br> <20060408131801.GB31153@packetconsulting.pl>
Message-ID: <20060408133754.GA26568@EIS>

On Sat, Apr 08, 2006 at 03:18:01PM +0200, Piotr Chytla wrote:
> On Sat, Apr 08, 2006 at 08:21:40AM -0300, Nataniel Klug wrote:
> > I think it worked fine... This is my new script (below the text). I just
> > don't know how I can tell if this traffic is really going to the class I
> > send it to... hehehehe... I am marking Skype packages using L7-Filter like
> > this:
> >
> If you want to see packets in a class you can use sch_log, quite a good
> module; you must attach it to a class and you will see every packet
> in this class in tcpdump.

Or, without additional software, and with a bit less information, you
could just have a look at the tc statistics. In case of mixed classes
you can temporarily create an extra class for the packets you want to
test filters on. If packets go into this class and the number is the
same as the number marked by iptables, the classification works.

Regards
Andreas Klauer

From william.bohannan at spidersat.net Sat Apr 8 16:21:20 2006
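The check Andreas describes can be scripted. The following is an added example, not code from the thread: a POSIX sh helper that reads the text `tc -s class show dev <dev>` prints and returns one counter of one class, so a class can be sampled before and after a test flow and the growth compared with the packet count of the iptables MARK rule. The stats text is a constructed sample shaped like HTB output from Nataniel's script above; the function names are my own.

```sh
#!/bin/sh
# Added example (not from the thread): confirm that marked packets really
# land in an HTB class by reading the counters "tc -s class show" prints.

# Constructed sample of "tc -s class show dev eth3" output (three classes).
SAMPLE_TC_STATS='class htb 1:1 root rate 3072Kbit ceil 3072Kbit burst 1599b cburst 1599b
 Sent 1542300 bytes 12040 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 3355 ctokens: 3355

class htb 1:10 parent 1:1 leaf 10: prio 1 rate 384Kbit ceil 3072Kbit burst 1599b cburst 1599b
 Sent 96000 bytes 800 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 800 borrowed: 0 giants: 0
 tokens: 26838 ctokens: 3355

class htb 1:50 parent 1:1 leaf 50: prio 5 rate 640Kbit ceil 640Kbit burst 1599b cburst 1599b
 Sent 1446300 bytes 11240 pkt (dropped 12, overlimits 340 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 11240 borrowed: 0 giants: 0
 tokens: 16103 ctokens: 16103
'

# class_counter <classid> <bytes|pkt|dropped>
# Reads "tc -s class show" text on stdin and prints the requested counter of
# the given class; prints nothing when the class is not in the listing.
class_counter() {
    awk -v want="$1" -v field="$2" '
        $1 == "class" { in_class = ($3 == want); next }
        in_class && $1 == "Sent" {
            if (field == "bytes")        print $2
            else if (field == "pkt")     print $4
            else if (field == "dropped") { sub(/,/, "", $7); print $7 }
            exit
        }'
}

# live_counter <dev> <classid> <field> -- same, against the running kernel.
live_counter() {
    tc -s class show dev "$1" | class_counter "$2" "$3"
}

# class_growth <classid> <field> <before_text> <after_text>
# Growth of one counter between two snapshots (missing class counts as 0).
class_growth() {
    _before=$(printf '%s\n' "$3" | class_counter "$1" "$2")
    _after=$(printf '%s\n' "$4" | class_counter "$1" "$2")
    echo $(( ${_after:-0} - ${_before:-0} ))
}
```

On the shaper, take `live_counter eth3 1:10 pkt`, send a known number of packets that the MARK rule should catch, take it again and compare the growth with the pkts column of `iptables -t mangle -L PREROUTING -v -n -x`. If the iptables counter moves and the class counter does not, the fw filter is not seeing the mark; if both move by the same amount, the classification works as Andreas says.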
From: william.bohannan at spidersat.net (William Bohannan)
Date: Sat Apr 8 16:22:34 2006
Subject: [LARTC] bridge + extra nic traffic shaping
Message-ID: <000001c65b17$be6344f0$34030a0a@ACCSSWILLIAM>

Hi

I am using traffic shaping on br0 and working nicely. Only problem is
when I nat off br0 with a third nic I run into the following problems
when traffic shaping:

Wondering if anyone has had success with the following layout???

               ______br0(eth0,eth1)---------eth1 --- local network
              |       |                               (public address)
Internet 1--- eth0    |
              |   (public address)
              |-------------------- eth2 --- local network
                 (private ip via nat from br0)   (private address and behind nat)

I've done some further tests and got these results @ eth2:

            bridge mode      router mode
            UP     DOWN      UP     DOWN
eth0,eth1   YES    NO        NO     NO
eth0,eth2   YES    NO        NO     YES
eth0,br0    YES    NO        YES    NO
eth1,eth2   NO     NO        NO     YES
eth1,br0    NO     NO        YES    NO
eth2,br0    NO     NO        NO     YES

many thanks

william

From Ian.Bullock at cnm.co.uk Sat Apr 8 17:01:17 2006
From: Ian.Bullock at cnm.co.uk (Ian.Bullock@cnm.co.uk)
Date: Sat Apr 8 17:05:12 2006
Subject: [LARTC] Ian Bullock is out of the office.
Message-ID:

I will be out of the office starting 08/04/2006 and will not return until
17/04/2006.

I will respond to your message when I return. However if you have sent data
for processing, please send to operator@cnm.co.uk. Also if you have any
urgent queries, please contact Operations on 01924 888700.

Thank you.

From martin-lartc at wonderfrog.net Sat Apr 8 18:07:00 2006
From: martin-lartc at wonderfrog.net (Martin A. Brown)
Date: Sat Apr 8 18:11:44 2006
Subject: [LARTC] source routing does not work with extra ip addresses
In-Reply-To: <20060408123017.4a108613.mailinglists@lucassen.org>
References: <20060408123017.4a108613.mailinglists@lucassen.org>
Message-ID:

Hello there,

 : Now I put a server behind the Linux box. I want the server to be
 : reachable on an /extra/ IP in the routed subnet of ISP2.

Does the server have one or two IP addresses? Best solution? Use two
IP addresses on the server.

 : router ISP2: 1.2.3.1/24
 : dev ISP2: eth1
 : Linux box eth1: 1.2.3.2/24
 : external ip ISP2 for server 10.0.0.2: 1.2.3.3
 : arp -s 1.2.3.3 aa:bb:cc:dd:ee:ff pub
 : ip route add 1.2.3.3 via 10.0.0.2
 : iptables -t nat -A PREROUTING -i eth1 -d 1.2.3.3 -j DNAT --to 10.0.0.2
 :
 : When pinging 1.2.3.3, the packets get in through eth1 (ok), but the
 : replies are following the default route through eth0 (wrong)

The problem is routing. Return packets from your server are handled
in the main routing table. There isn't yet an RPDB entry directing
traffic from 10.0.0.2 to use table_eth1. Your RPDB entry looks like
this:

 : ip rule add from 1.2.3.3 lookup table_eth1

Try changing this (or adding another rule):

  ip rule add from 10.0.0.2 lookup table_eth1

instead. Now, your server should have Internet access strictly on
the link handled by ISP2.

If you would like to handle inbound traffic on both links, then add
a secondary IP address to your server, and enter another DNAT rule
which specifies another NAT mapping for the secondary IP.

-Martin

--
Martin A. Brown --- Wonderfrog Enterprises --- martin@wonderfrog.net

From mailinglists at lucassen.org Sat Apr 8 19:33:30 2006
From: mailinglists at lucassen.org (richard lucassen)
Date: Sat Apr 8 19:33:27 2006
Subject: [LARTC] source routing does not work with extra ip addresses
In-Reply-To:
References: <20060408123017.4a108613.mailinglists@lucassen.org>
Message-ID: <20060408193330.69ad42fc.mailinglists@lucassen.org>

On Sat, 8 Apr 2006 11:07:00 -0500
"Martin A. Brown" wrote:

> : Now I put a server behind the Linux box. I want the server to be
> : reachable on an /extra/ IP in the routed subnet of ISP2.
>
> Does the server have one or two IP addresses? Best solution? Use two
> IP addresses on the server.

Hmmm, one for ISP1 and one for ISP2? That would be a nice idea to
work around this problem :-)

> : When pinging 1.2.3.3, the packets get in through eth1 (ok), but the
> : replies are following the default route through eth0 (wrong)
>
> The problem is routing. Return packets from your server are handled
> in the main routing table. There isn't yet an RPDB entry directing
> traffic from 10.0.0.2 to use table_eth1. Your RPDB entry looks like
> this:
>
> : ip rule add from 1.2.3.3 lookup table_eth1
>
> Try changing this (or adding another rule):
>
>   ip rule add from 10.0.0.2 lookup table_eth1

Nope. I already tried that, but no way.

> instead. Now, your server should have Internet access strictly on
> the link handled by ISP2.

No. The packets are returned through ISP1.

> If you would like to handle inbound traffic on both links, then add
> a secondary IP address to your server, and enter another DNAT rule
> which specifies another NAT mapping for the secondary IP.

That's a very nice idea, but packets keep on entering the wrong table
(default), I think it's a bug somewhere in the kernel. It only works
when the ip is direct on the external interface of the Linux box, but as
soon as 1 tcp port is translated, the return packets for that translated
port get into the wrong (default) table.

Even when using fw marks it doesn't work.
I mark all packets coming from the server's second ip address with '1'
and a simple

ip ru a fwmark 1 table t_eth1

should do the job. But no way. Packets keep on getting out through
ISP1 (t_eth0).

This is the real test:

10.0.2.1 is the server, 10.0.2.3 is its second ip.

10.0.2.1 = external 10.1.3.100
10.0.2.3 = external 192.168.201.3

# ip r s
192.168.201.3 via 10.0.2.3 dev eth2
10.1.3.100 via 10.0.2.1 dev eth2
10.0.2.0/24 dev eth2  proto kernel  scope link  src 10.0.2.2
192.168.201.0/24 dev eth1  proto kernel  scope link  src 192.168.201.2
10.1.3.0/24 dev eth0  proto kernel  scope link  src 10.1.3.101
default via 10.1.3.1 dev eth0

# ip ru s
0:      from all lookup local
32762:  from all fwmark 0x1 lookup t_eth1
32764:  from 192.168.201.2 lookup t_eth1
32765:  from 10.1.3.101 lookup t_eth0
32766:  from all lookup main
32767:  from all lookup default

# ip r s t t_eth0
10.0.2.0/24 dev eth2  scope link
10.1.3.0/24 dev eth0  scope link  src 10.1.3.101
127.0.0.0/8 dev lo  scope link
default via 10.1.3.1 dev eth0

# ip r s t t_eth1
10.0.2.0/24 dev eth2  scope link
192.168.201.0/24 dev eth1  scope link  src 192.168.201.2
127.0.0.0/8 dev lo  scope link
default via 192.168.201.1 dev eth1

Any hints are welcome...

btw: iproute2-ss06011, kernel 2.6.16.2, iptables 1.3.5

R.

--
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
| Public key and email address:                                    |
| http://www.lucassen.org/mail-pubkey.html                         |
+------------------------------------------------------------------+

From martin-lartc at wonderfrog.net Sat Apr 8 22:31:24 2006
From: martin-lartc at wonderfrog.net (Martin A. Brown)
Date: Sat Apr 8 22:35:58 2006
Subject: [LARTC] source routing does not work with extra ip addresses
In-Reply-To: <20060408193330.69ad42fc.mailinglists@lucassen.org>
References: <20060408123017.4a108613.mailinglists@lucassen.org> <20060408193330.69ad42fc.mailinglists@lucassen.org>
Message-ID:

Hello again,

 : > Does server have one or two IP addresses? Best solution? Use two
 : > IP addresses on server.
 :
 : Hmmm, one for ISP1 and one for ISP2? That would be a nice idea to
 : workaround this problem :-)

Only way I have done this myself, although I recall somebody else on
LARTC using connmark with nfmark and/or the ROUTE target to solve
this problem using only a single IP. Perhaps the archive will help
you here....

 : > Try changing this (or adding another rule):
 : >
 : >   ip rule add from 10.0.0.2 lookup table_eth1
 :
 : Nope. I already tried that, but no way.
 : No. The packets are returned through ISP1.
 :
 : > If you would like to handle inbound traffic on both links, then add
 : > a secondary IP address to your server, and enter another DNAT rule
 : > which specifies another NAT mapping for the secondary IP.
 :
 : That's a very nice idea, but packets keep on entering the wrong
 : table (default), I think it's a bug somewhere in the kernel.

While the kernel certainly has seen bugs before and will see more, I
hope you don't mind if I continue to entertain a bit of skepticism
on this point. :)

 : It only works when the ip is direct on the external interface of
 : the Linuxbox, but as soon as 1 tcp port is translated, the return
 : packets for that translated port get into the wrong (default)
 : table.
 :
 : Even when using fw marks it doesn't work. I mark all packets coming
 : from the servers second ip address with '1' and a simple
 :
 : ip ru a fwmark 1 table t_eth1
 :
 : should do the job. But no way. Packets keep on getting out
 : through ISP1 (t_eth0).
 :
 : This is the real test:
 :
 : 10.0.2.1 is the server, 10.0.2.3 is its second ip.
 : 10.0.2.1 = external 10.1.3.100
 : 10.0.2.3 = external 192.168.201.3

OK, got it!

 : # ip r s
 : 192.168.201.3 via 10.0.2.3 dev eth2
 : 10.1.3.100 via 10.0.2.1 dev eth2

[ snipped main and ancillary routing tables except for unusual and
  possibly extraneous routes. ]

Routing tables t_eth0 and t_eth1 look fine, although t_eth0 and main
should be exactly the same. I believe your two host routes (for
192.168.201.3 and 10.1.3.100) are unnecessary and simply complicate
your scenario.

I still think your problem is in the RPDB and addressing of the
packet at routing time. I do not believe (check the KPTD and its
offspring [0] [1]) that the packet's source address has yet been
rewritten. Think about this, and look at your RPDB:

 : # ip ru s
 : 0:      from all lookup local
 : 32762:  from all fwmark 0x1 lookup t_eth1
 : 32764:  from 192.168.201.2 lookup t_eth1
 : 32765:  from 10.1.3.101 lookup t_eth0
 : 32766:  from all lookup main
 : 32767:  from all lookup default

The addresses you have entered are the public side addresses. When
the server transmits packets, these packets will have the 10.0.2.1
and 10.0.2.3 addresses for source addresses. The RPDB should
include references to these private addresses instead of the
addresses available on the public side.

 : btw: iproute2-ss06011, kernel 2.6.16.2, iptables 1.3.5

I hope this helps, and thanks for the detailed listing of your
configuration. It's always helpful.

Best of luck,

-Martin

[0] http://www.docum.org/docum.org/kptd/
[1] http://linux-ip.net/nf/nfk-traversal.eps
    http://linux-ip.net/nf/nfk-traversal.png

--
Martin A. Brown --- Wonderfrog Enterprises --- martin@wonderfrog.net

From andrew.lyon at josims.com Sat Apr 8 22:49:22 2006
From: andrew.lyon at josims.com (Andrew Lyon)
Date: Sat Apr 8 22:51:07 2006
Subject: [LARTC] iproute v2.6.15 20060110 kernel 2.4.31-gentoo-r1 ip route show does not show all routes?
Message-ID: <592F914D209FD942908826DFF2277A2D0205416D@COMMSSERVER>

I am using policy based routing and I have 3 route tables set up,
ADSLLink1, ADSLLink2, and ADSLLoadBalanced. "ip route show" will show me
the routes that I have added to the first two, but not from
ADSLLoadBalanced; it will show the last route that was added to the table
but no others.

There are approx 16 routes added to the table. I know they are there
because they work, I cannot add them again, and I can delete them (but not
delete them again without adding them).

It did work with 4 routes added to the table I seem to recall, but I
cannot test that again as the machine is in use and rather important.

Where does iproute ip read the routes from? Is there a proc entry that I
can read to check if the kernel is exposing them or if the fault lies in
iproute?

Thanks

Andy

Ignore this text, it disables our lame email disclaimer from being
appended to this email: JOSEDV001TAG ;)

From lists at danielwebb.us Sun Apr 9 06:12:35 2006
From: lists at danielwebb.us (Daniel Webb)
Date: Sun Apr 9 06:12:35 2006
Subject: [LARTC] Simultaneous iptables calls
Message-ID: <20060409041235.GG2858@drivebymail.com>

Run this as one process:

#!/bin/sh
while [ 1 = 1 ]; do
    iptables -t mangle -F chain1
    iptables -t mangle -X chain1
    iptables -t mangle -N chain1 || exit 1
done

Run this as another process:

#!/bin/sh
while [ 1 = 1 ]; do
    iptables -t mangle -F chain2
    iptables -t mangle -X chain2
    iptables -t mangle -N chain2 || exit 1
done

and you get:

iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Chain already exists
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables v1.3.5: can't initialize iptables table `mangle': Bad file descriptor
Perhaps iptables or your kernel needs to be upgraded.
<... etc>

I don't understand the things going on under the surface, so maybe there
is a reason it's impossible to have some kind of locking to prevent this,
like for example, with chmod:

#!/bin/sh
while [ 1 = 1 ]; do
    chmod 777 mod_me
done

#!/bin/sh
while [ 1 = 1 ]; do
    chmod 666 mod_me
done

(no errors)

From mailinglists at lucassen.org Sun Apr 9 12:12:20 2006
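The two loops above are two processes replacing pieces of the same ruleset with no mutual exclusion between them, and every iptables call is a read-modify-write of the whole table. An added example (mine, not from the post): a mkdir-based mutex in plain sh that serializes iptables invocations from several scripts, with the flush/delete/create sequence of the post run as one critical section. The lock directory path, the retry count and the function names are assumptions.

```sh
#!/bin/sh
# Added example (not from the post): serialize iptables calls that come from
# several scripts. mkdir(2) either creates the directory or fails, atomically,
# so the directory works as a mutex without any extra tools.

LOCKDIR="${IPT_LOCKDIR:-/var/lock/iptables.lock.d}"   # assumed location
LOCK_TRIES="${LOCK_TRIES:-10}"                        # one second per try

# ipt_lock -- take the mutex, polling up to $LOCK_TRIES times; 1 on timeout.
ipt_lock() {
    _tries=0
    until mkdir "$LOCKDIR" 2>/dev/null; do
        _tries=$((_tries + 1))
        if [ "$_tries" -ge "$LOCK_TRIES" ]; then
            return 1
        fi
        sleep 1
    done
    # Release on exit or a caught signal so a crash mid-rebuild does not
    # leave the lock held for everyone else.
    trap 'rmdir "$LOCKDIR" 2>/dev/null' EXIT INT TERM
    return 0
}

ipt_unlock() {
    rmdir "$LOCKDIR" 2>/dev/null
    trap - EXIT INT TERM
}

# ipt_locked <cmd...> -- run one command under the mutex and return its
# exit status, or 75 (EX_TEMPFAIL) when the lock could not be taken.
ipt_locked() {
    ipt_lock || { echo "ipt_locked: lock $LOCKDIR is busy" >&2; return 75; }
    "$@"
    _status=$?
    ipt_unlock
    return $_status
}

# ipt_rebuild_chain <table> <chain> -- flush, delete and recreate a chain as
# one critical section, so a concurrent script never observes the
# half-rebuilt state that produced the "Chain already exists" /
# "Unknown error" mix in the post.
ipt_rebuild_chain() {
    ipt_locked sh -c '
        iptables -t "$1" -F "$2" 2>/dev/null
        iptables -t "$1" -X "$2" 2>/dev/null
        iptables -t "$1" -N "$2"
    ' rebuild "$1" "$2"
}
```

Both of the post's scripts would call `ipt_rebuild_chain mangle chain1` and `ipt_rebuild_chain mangle chain2` instead of three bare iptables commands, and the second caller waits rather than interleaving. Two caveats: a process killed with SIGKILL cannot run its EXIT trap, so the directory stays behind and later callers time out with status 75 instead of hanging, which is the point of bounding the retries; and later iptables releases added a `-w`/`--wait` option that takes an internal lock for the same purpose, which is the better choice where it is available.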
From: mailinglists at lucassen.org (richard lucassen)
Date: Sun Apr 9 12:12:22 2006
Subject: [LARTC] Re: source routing does not work with extra ip addresses
In-Reply-To:
References: <20060408123017.4a108613.mailinglists@lucassen.org> <20060408193330.69ad42fc.mailinglists@lucassen.org>
Message-ID: <20060409121220.341663a9.mailinglists@lucassen.org>

On Sat, 8 Apr 2006 15:31:24 -0500
"Martin A. Brown" wrote:

> Only way I have done this myself, although I recall somebody else on
> LARTC using connmark with nfmark and/or the ROUTE target to solve
> this problem using only a single IP. Perhaps the archive will help
> you here....

Ok. I have a working workaround now using fwmarks and a second ip on
the server. That was a very good idea. Thnx! But so far so good. Now I'd
like to get it working with 1 ip..

> : That's a very nice idea, but packets keep on entering the wrong
> : table (default), I think it's a bug somewhere in the kernel.
>
> While the kernel certainly has seen bugs before and will see more, I
> hope you don't mind if I continue to entertain a bit of skepticism
> on this point. :)

Ok, it's not a bug in the kernel, it's a bug in the docs :)

[..]

> Routing tables t_eth0 and t_eth1 look fine, although t_eth0 and main
> should be exactly the same. I believe your two host routes (for
> 192.168.201.3 and 10.1.3.100) are unnecessary and simply complicate
> your scenario.

Hmm. You're right. I just need 1 extra table, not two. I just followed
the docs in the lartc-howto, I'll have a closer look at their example
there. I think that 1 extra table does the same job in that example

http://www.lartc.org/lartc.html#LARTC.RPDB.MULTIPLE-LINKS

> I still think your problem is in the RPDB and addressing of the
> packet at routing time. I do not believe (check the KPTD and its
> offspring [0] [1]) that the packet's source address has yet been
> rewritten.
> Think about this, and look at your RPDB:
>
> : # ip ru s
> : 0:      from all lookup local
> : 32762:  from all fwmark 0x1 lookup t_eth1
> : 32764:  from 192.168.201.2 lookup t_eth1
> : 32765:  from 10.1.3.101 lookup t_eth0
> : 32766:  from all lookup main
> : 32767:  from all lookup default
>
> The addresses you have entered are the public side addresses. When
> the server transmits packets, these packets will have the 10.0.2.1
> and 10.0.2.3 addresses for source addresses. The RPDB should
> include references to these private addresses instead of the
> addresses available on the public side.

Once again you're right. I accidentally commented out the necessary
"ip r f c" (flush cache) in the script, that's why it didn't work
(immediately). But finally I resolved the problem using CONNMARK. This
is the setup I'm talking about:

http://www.lucassen.org/divers/ar-test.pdf

I don't know if this is the right way to do this, but it seems to work
well. I mark all packets coming in to 192.168.201.3 through eth1 with
mark 1:

iptables -t mangle -A PREROUTING -i eth1 -d 192.168.201.3 \
    -j CONNMARK --set-mark 1

I mark the return packets with the same mark:

iptables -t mangle -A PREROUTING -i eth2 -s 10.0.2.1 \
    -j CONNMARK --restore-mark

A simple

ip rule add fwmark 1 table t_eth1
ip r f c

does the rest. I have now 1 ip address on the server and two routes to
the internet. And 1 extra table instead of two ;-)

Thnx for your help,

R.

--
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
| Public key and email address:                                    |
| http://www.lucassen.org/mail-pubkey.html                         |
+------------------------------------------------------------------+

From erik at slagter.name Sun Apr 9 12:53:18 2006
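Richard's working setup, collected into one ordered script as an added example (mine, not from the thread). Addresses, interface names and the table name are the ones from his listing above; the helper names and the DRY_RUN switch are assumptions, and the MAC in the proxy-ARP entry is a placeholder for the box's own eth1 address. The rule that never matched is kept beside the working ones to show why: the RPDB lookup for a reply happens while its source is still 10.0.2.1, before NAT rewrites it to 192.168.201.3, so only a match on the private address or on the restored connection mark can select t_eth1.

```sh
#!/bin/sh
# Added example (not from the thread): single-IP server reachable on an
# extra address in ISP2's subnet, with replies routed back out via ISP2
# using CONNMARK plus an fwmark RPDB rule. Values from Richard's listing.

ISP2_IF=eth1              # link to ISP2 (192.168.201.2/24 on the box)
LAN_IF=eth2               # link to the server
EXT_IP=192.168.201.3      # extra address in ISP2's routed subnet
SERVER_IP=10.0.2.1        # the server's only address
ISP2_GW=192.168.201.1     # ISP2's router
TABLE=t_eth1              # name from /etc/iproute2/rt_tables
MARK=1
ISP2_MAC="00:00:00:00:00:00"   # placeholder: hardware address of eth1

# run -- execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The rule from the first post. It is never hit for replies: the source is
# still 10.0.2.1 when the rule is evaluated, so "from 192.168.201.3" fails.
broken_rule() {
    run ip rule add from "$EXT_IP" lookup "$TABLE"
}

setup_connmark_routing() {
    # 1. ISP2's default route lives in its own table.
    run ip route add default via "$ISP2_GW" dev "$ISP2_IF" table "$TABLE"
    # 2. Answer ARP for the extra address on ISP2's link (as in the first post).
    run arp -s "$EXT_IP" "$ISP2_MAC" pub
    # 3. Inbound translation to the server.
    run iptables -t nat -A PREROUTING -i "$ISP2_IF" -d "$EXT_IP" \
        -j DNAT --to "$SERVER_IP"
    # 4. Tag the connection once, in conntrack. mangle PREROUTING runs before
    #    nat PREROUTING, so the original destination is still visible here.
    run iptables -t mangle -A PREROUTING -i "$ISP2_IF" -d "$EXT_IP" \
        -j CONNMARK --set-mark "$MARK"
    # 5. Copy the tag back onto every reply packet from the server...
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$SERVER_IP" \
        -j CONNMARK --restore-mark
    # 6. ...and let the packet mark, not the private source, pick the table.
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    # 7. Drop cached routing decisions; without this step the rule appears
    #    not to work, which is what bit Richard above.
    run ip route flush cache
}

# "sh this.sh apply" executes; "DRY_RUN=1 sh this.sh apply" previews.
if [ "${1:-}" = apply ]; then
    setup_connmark_routing
fi
```

The rule in step 6 matches on the mark restored in step 5, so it works for any number of translated services on the extra address, where a per-port or per-address source rule would not. `ip route flush cache` is last on purpose: on the 2.6.16 kernel in the thread, routes already cached for the server's flows keep being used until the cache is flushed.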
From: erik at slagter.name (Erik Slagter)
Date: Sun Apr 9 12:53:16 2006
Subject: [LARTC] Trying to do some very simple ingress limiting, no success
Message-ID: <1144579998.5694.18.camel@localhost.localdomain>

Hi,

I am trying to do some simple ingress limiting based on fwmark. I know
the ability and sense to do INGRESS limiting is ehm... limited ;-) but
still I want to try it.

I tried several things.

=== 1 ===

tcq ingress handle ffff:
tcf parent ffff: protocol ip prio 1 handle 1 fw police rate 12mbit burst 10k drop
tcf parent ffff: protocol ip prio 1 handle 2 fw police rate 10mbit burst 10k drop
tcf parent ffff: protocol ip prio 1 handle 3 fw police rate 1mbit burst 10k drop

This installs OK, but the filters are never called. The netfilter stats
show the marks are set though. To make sure it's not just the tc stats
output that's borked, I changed the bw limits to a ridiculously low value,
and indeed, no effect at all.

=== 2 ===

tcq ingress handle ffff:
tcq parent ffff: handle 10 htb
tcc parent ffff: htb rate 12mbit
tcc parent ffff: htb rate 10mbit
tcc parent ffff: htb rate 1mbit
tcf parent ffff: protocol ip prio 1 fw

I tricked tc into attaching a htb to the root qdisc. This gives no errors
but also doesn't seem to do anything. If you use tc show qdisc|filter|class
the qdisc, filters and classes are not even shown, so I guess it's borked
(tc should have given an error that it won't work).

========

IMHO what I want to achieve isn't that complex...

The example of the synflood protector also doesn't work, btw.
I am using linux 2.6.16.1 and these rules to mark:

iptables -t mangle -N classify-high
iptables -t mangle -A classify-high -j MARK --set-mark 1
iptables -t mangle -A classify-high -j ACCEPT
iptables -t mangle -N classify-medium
iptables -t mangle -A classify-medium -j MARK --set-mark 2
iptables -t mangle -A classify-medium -j ACCEPT
iptables -t mangle -N classify-low
iptables -t mangle -A classify-low -j MARK --set-mark 3
iptables -t mangle -A classify-low -j ACCEPT

The "ACCEPT"s are necessary, otherwise the classification will overflow
and all packets are marked with "3".

Thanks in advance.

From andy.furniss at dsl.pipex.com Sun Apr 9 15:00:29 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Sun Apr 9 15:00:25 2006
Subject: [LARTC] Trying to do some very simple ingress limiting, no success
In-Reply-To: <1144579998.5694.18.camel@localhost.localdomain>
References: <1144579998.5694.18.camel@localhost.localdomain>
Message-ID: <4439056D.7030008@dsl.pipex.com>

Erik Slagter wrote:
> Hi,
>
> I am trying to do some simple ingress limiting based on fwmark. I know
> the ability and sense to do INGRESS limiting is ehm... limited ;-) but
> still I want to try it.
>
> I tried several things.
>
> === 1 ===
>
> tcq ingress handle ffff:
> tcf parent ffff: protocol ip prio 1 handle 1 fw police rate 12mbit burst 10k drop
> tcf parent ffff: protocol ip prio 1 handle 2 fw police rate 10mbit burst 10k drop
> tcf parent ffff: protocol ip prio 1 handle 3 fw police rate 1mbit burst 10k drop
>
> This installs OK, but the filters are never called. The netfilter stats
> show the marks are set though. To make sure it's not just the tc stats
> output that's borked, I changed the bw limits to a ridiculously low value,
> and indeed, no effect at all.
>

There are two policers now; the old one will work as you want, but you
need to change your kernel config. Unselect packet action and you should
be able to choose a different policer.

Or you could try using tc filters instead of netfilter - I don't know if
it will be possible for what you want as I can't see the rules that mark.

> === 2 ===
>
> tcq ingress handle ffff:
> tcq parent ffff: handle 10 htb
> tcc parent ffff: htb rate 12mbit
> tcc parent ffff: htb rate 10mbit
> tcc parent ffff: htb rate 1mbit
> tcf parent ffff: protocol ip prio 1 fw
>
> I tricked tc into attaching a htb to the root qdisc. This gives no errors
> but also doesn't seem to do anything. If you use tc show qdisc|filter|class
> the qdisc, filters and classes are not even shown, so I guess it's borked
> (tc should have given an error that it won't work).
>
> ========

This has never worked. If you want a queue on ingress you need to use IMQ (in the case that you need netfilter PREROUTING marks) or IFB (kernel >= 2.6.16), but this will hook before netfilter - so no marks.

Andy.

From erik at slagter.name Sun Apr 9 15:09:34 2006
From: erik at slagter.name (Erik Slagter)
Date: Sun Apr 9 15:09:37 2006
Subject: [LARTC] Trying to do some very simple ingress limiting, no success
In-Reply-To: <4439056D.7030008@dsl.pipex.com>
References: <1144579998.5694.18.camel@localhost.localdomain> <4439056D.7030008@dsl.pipex.com>
Message-ID: <1144588174.5694.27.camel@localhost.localdomain>

On Sun, 2006-04-09 at 14:00 +0100, Andy Furniss wrote:
> Erik Slagter wrote:
> > Hi,
> >
> > I am trying to do some simple ingress limiting based on fwmark. I know
> > the ability and sense to do INGRESS limiting is ehm... limited ;-) but
> > still I want to try it.
> >
> > I tried several things.
> >
> > === 1 ===
> >
> > tcq ingress handle ffff:
> > tcf parent ffff: protocol ip prio 1 handle 1 fw police rate 12mbit burst 10k drop
> > tcf parent ffff: protocol ip prio 1 handle 2 fw police rate 10mbit burst 10k drop
> > tcf parent ffff: protocol ip prio 1 handle 3 fw police rate 1mbit burst 10k drop
> >
> > This installs OK, but the filters are never called. The netfilter stats
> > show the marks are set though. To make sure it's not just the tc stats
> > output that's borked, I changed the bw limits to a ridiculously low value,
> > and indeed, no effect at all.
> >
> There are two policers now; the old one will work as you want, but you
> need to change your kernel config. Unselect packet action and you should
> be able to choose a different policer.

Found it and deselected it. Now making a new kernel...

The "old" policer is marked as "obsolete", so I guess it will go away.

What am I supposed to replace it with, then?

> Or you could try using tc filters instead of netfilter - I don't know if
> it will be possible for what you want as I can't see the rules that mark.

It's probably possible, but I already have quite a large set of netfilter rules. I don't want to make the whole thing even more complicated by also adding lots of tc stuff; I'd rather have the tc/iproute things as simple as possible.
> This has never worked. If you want a queue on ingress you need to use IMQ
> (in the case that you need netfilter PREROUTING marks) or IFB (kernel >=
> 2.6.16), but this will hook before netfilter - so no marks.

For IMQ I need to patch the kernel (feasible) and the netfilter tools (not feasible :-() I just learned. And you're just telling me I cannot use IFB. Bummer.

Anyway, if there is any simple (!) way to implement what I am searching for, I am happy. I will try your "old policer version" suggestion asap.

Thanks for your help.

From andy.furniss at dsl.pipex.com Sun Apr 9 15:42:18 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Sun Apr 9 15:42:15 2006
Subject: [LARTC] Trying to do some very simple ingress limiting, no success
In-Reply-To: <1144588174.5694.27.camel@localhost.localdomain>
References: <1144579998.5694.18.camel@localhost.localdomain> <4439056D.7030008@dsl.pipex.com> <1144588174.5694.27.camel@localhost.localdomain>
Message-ID: <44390F3A.70409@dsl.pipex.com>

Erik Slagter wrote:
>
> Found it and deselected it. Now making a new kernel...
>
> The "old" policer is marked as "obsolete", so I guess it will go away.
>
> What am I supposed to replace it with, then?

There may be a way in the future to get netfilter state with an ematch/meta data (I don't know the detail; Thomas Graf has mentioned it).

> For IMQ I need to patch the kernel (feasible) and the netfilter tools
> (not feasible :-() I just learned.

I didn't know there is a problem with IMQ + netfilter.

Andy.

From anders at anduras.de Sun Apr 9 20:10:02 2006
From: anders at anduras.de (Sven Anders)
Date: Sun Apr 9 20:09:22 2006
Subject: [LARTC] Possible kernel bug with routes
In-Reply-To: <20060404183240.GJ1427@kwaak.net>
References: <44074BCB.1000809@anduras.de> <001a01c63e36$bb42a160$32030a0a@cxt.pl> <4427B6E4.5020804@anduras.de> <20060404183240.GJ1427@kwaak.net>
Message-ID: <44394DFA.5060605@anduras.de>

First of all: Thanks for the answer!!!!

Ard van Breemen schrieb:
> On Mon, Mar 27, 2006 at 11:56:52AM +0200, Sven Anders wrote:
>
>>> ip route add 10.100.0.0/24 dev eth0 proto kernel scope link
>> RTNETLINK answers: File exists
>
> s/add/append/
>
>> I thought they are different!?!
>> Is there any difference I did not see?
>> If they are not different, why does the kernel not recognize it
>> (see above) and avoid the duplicate entry?
>
> add prevents duplicates, append just adds.

Ok, this would prevent the error, but it does not explain the error itself. Did you try it yourself? All I want to know is if I made a mistake. If so, please explain my error...

>> Another question:
>>
>> Why can't I set a route on an interface that is down?
>
> That's by some design. Use patches from linuxvirtualserver.org if
> you want them to exist.

Ok, I will try it... But what's the reason for this design? I think this test could be done in user-space and does not have to be in the kernel.

>
>> PPS: Why is ANYBODY still ignoring this e-mail for over 3 weeks?????
>
> People are busy :-)

Ok, I understand this, but for over three weeks with so many people on this mailing list?? :-)

Regards
Sven

-- 
Sven Anders
() Ascii Ribbon Campaign
/\ Support plain text e-mail

ANDURAS service solutions AG
Innstraße 71 - 94036 Passau - Germany
Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55

From lists at sperling.no Sun Apr 9 20:42:42 2006
From: lists at sperling.no (Erik S. Johansen)
Date: Sun Apr 9 20:47:50 2006
Subject: [LARTC] Conntrack, nat and multipath - what is wrong here?
Message-ID: <200604092142.47556.lists@sperling.no>

I have a gentoo 2.6.14 box with 4 nics, LAN/DMZ/PUB1/PUB2.

LAN and DMZ have a 1918 /22 each, PUB1 and PUB2 have a /29 each, of which 5 IPs are assigned.

Using the mangle table, I give all packets a mark (according to local policies) in the range 1-10. Using ip rule, I pass marks 1-5 through the pub1 route table, and marks 6-10 through the pub2 routing table. Using the nat table, I SNAT to one of the 10 IPs assigned from the two /29's.

1) Now, if I remove the default route (via PUB1 gw) from the main table, everything halts. Why?

2) If I pass a forwarded tcp syn packet out on the PUB2 interface, with the correct SNAT ip, I can see the syn+ack returning from the external server. Logging then indicates that this packet gets passed through mangle/PREROUTING, after which it appears to simply be lost. It's definitely not going out on any of the 4 NICs. This contrasts with packets being passed out on PUB1, where everything works fine: conntrack recognizes the syn+ack and the reply gets correctly forwarded to the LAN box I'm using to test. It *seems* like conntrack simply is not able to match the incoming syn+ack with the outgoing syn. BUT, if I try to connect to the dsl router on PUB2, everything's fine.

I suspect I got something very wrong with my routing rules/tables, but I can't figure out what.

Addresses shown are sanitized, 1.1.1.136/29 is PUB1, 2.2.2.116/29 is PUB2, 3.3.3.* is the external server I've been testing against.
eth0: LAN
eth1: DMZ
eth2: PUB2
eth3: PUB1

eos ~ # ip rule show
0:      from all lookup local
30000:  from all fwmark 0x1 lookup pub1
30000:  from all fwmark 0x2 lookup pub1
30000:  from all fwmark 0x3 lookup pub1
30000:  from all fwmark 0x4 lookup pub1
30000:  from all fwmark 0x5 lookup pub1
30000:  from all fwmark 0x6 lookup pub2
30000:  from all fwmark 0x7 lookup pub2
30000:  from all fwmark 0x8 lookup pub2
30000:  from all fwmark 0x9 lookup pub2
30000:  from all fwmark 0xa lookup pub2
31000:  from 1.1.1.139 lookup pub1
31000:  from 1.1.1.140 lookup pub1
31000:  from 1.1.1.141 lookup pub1
31000:  from 1.1.1.142 lookup pub1
31000:  from 1.1.1.137 lookup pub1
31000:  from 2.2.2.218 lookup pub2
31000:  from 2.2.2.219 lookup pub2
31000:  from 2.2.2.220 lookup pub2
31000:  from 2.2.2.221 lookup pub2
31000:  from 2.2.2.222 lookup pub2
33000:  from all lookup main

eos ~ # ip route show table pub1
1.1.1.136/29 dev eth3  scope link  src 1.1.1.139
2.2.2.216/29 dev eth2  scope link  src 2.2.2.218
192.168.4.0/22 dev eth1  scope link  src 192.168.4.1
192.168.0.0/22 dev eth0  scope link  src 192.168.0.1
127.0.0.0/8 dev lo  scope link
default via 1.1.1.138 dev eth3

eos ~ # ip route show table pub2
1.1.1.136/29 dev eth3  scope link  src 1.1.1.139
2.2.2.216/29 dev eth2  scope link  src 2.2.2.218
192.168.4.0/22 dev eth1  scope link  src 192.168.4.1
192.168.0.0/22 dev eth0  scope link  src 192.168.0.1
127.0.0.0/8 dev lo  scope link
default via 2.2.2.217 dev eth2

eos ~ # ip route show table main
1.1.1.136/29 dev eth3  proto kernel  scope link  src 1.1.1.139
2.2.2.216/29 dev eth2  proto kernel  scope link  src 2.2.2.218
192.168.4.0/22 dev eth1  proto kernel  scope link  src 192.168.4.1
192.168.0.0/22 dev eth0  proto kernel  scope link  src 192.168.0.1
127.0.0.0/8 dev lo  scope link
default via 1.1.1.138 dev eth3

eos ~ # iptables -t filter -nvL
Chain INPUT (policy ACCEPT 5314 packets, 2615K bytes)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `filter/INPUT:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `filter/INPUT:'

Chain FORWARD (policy ACCEPT 184K packets, 162M bytes)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `filter/FORWARD:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `filter/FORWARD:'

Chain OUTPUT (policy ACCEPT 2261 packets, 277K bytes)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `filter/OUTPUT:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `filter/OUTPUT:'

eos ~ # iptables -t mangle -nvL
Chain PREROUTING (policy ACCEPT 188K packets, 165M bytes)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `mangle/PREROUTING:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `mangle/PREROUTING:'
2 468 MARK14 all -- * * 0.0.0.0/0 192.168.4.0/22 state NEW
2903 2444K MARK13 all -- * * 0.0.0.0/0 192.168.0.0/22 state NEW
60 6098 MARK12 all -- * * 0.0.0.0/0 1.1.1.136/29 state NEW
1692 136K MARK11 all -- * * 0.0.0.0/0 2.2.2.216/29 state NEW
0 0 MARK6 tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 state NEW
109 5232 MARK6 tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:119 state NEW
54 2592 MARK6 tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:119 state NEW
0 0 MARK2 all -- * * 192.168.1.20 213.239.111.0/29 state NEW
3223 243K MARK10 all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state NEW
1054 66052 MARK1 all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW

Chain INPUT (policy ACCEPT 5409 packets, 2648K bytes)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `mangle/INPUT:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `mangle/INPUT:'

Chain FORWARD (policy ACCEPT 188K packets, 165M
bytes)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `mangle/FORWARD:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `mangle/FORWARD:'

Chain OUTPUT (policy ACCEPT 2302 packets, 283K bytes)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `mangle/OUTPUT:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `mangle/OUTPUT:'

Chain POSTROUTING (policy ACCEPT 190K packets, 165M bytes)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `mangle/POSTROUTING:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `mangle/POSTROUTING:'

Chain MARK1 (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK1:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK1:'
1054 66052 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK set 0x1
1054 66052 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain MARK10 (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK10:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK10:'
3223 243K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK set 0xa
3223 243K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain MARK11 (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK11:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK11:'
1692 136K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK set 0xb
1692 136K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain MARK12 (1
references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK12:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK12:'
60 6098 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK set 0xc
60 6098 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain MARK13 (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK13:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK13:'
2903 2444K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK set 0xd
2903 2444K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain MARK14 (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK14:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK14:'
2 468 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK set 0xe
2 468 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain MARK2 (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK2:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK2:'
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK set 0x2
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain MARK3 (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK3:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK3:'
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK set 0x3
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain MARK4 (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK4:'
0
0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK4:'
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK set 0x4
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain MARK5 (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK5:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK5:'
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK set 0x5
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain MARK6 (3 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK6:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK6:'
163 7824 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK set 0x6
163 7824 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain MARK7 (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK7:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK7:'
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK set 0x7
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain MARK8 (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK8:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK8:'
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK set 0x8
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain MARK9 (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK9:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK9:'
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK set 0x9
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0

eos ~ # iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 5623 packets, 453K bytes)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `nat/PREROUTING:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `nat/PREROUTING:'

Chain POSTROUTING (policy ACCEPT 10 packets, 607 bytes)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `nat/POSTROUTING:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `nat/POSTROUTING:'
1053 66000 SNAT_1 all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0x1
0 0 SNAT_2 all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0x2
0 0 SNAT_3 all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0x3
0 0 SNAT_4 all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0x4
0 0 SNAT_5 all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0x5
168 8064 SNAT_6 all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0x6
0 0 SNAT_7 all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0x7
0 0 SNAT_8 all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0x8
0 0 SNAT_9 all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0x9
2606 211K SNAT_10 all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0xa
0 0 SNAT_11 all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0xb
0 0 SNAT_12 all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0xc

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `nat/OUTPUT:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `nat/OUTPUT:'

Chain SNAT_1 (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_1:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_1:'
1053 66000 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 to:1.1.1.139
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain
SNAT_10 (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_10:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_10:'
2606 211K SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 to:2.2.2.222
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain SNAT_11 (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_11:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_11:'
0 0 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 to:2.2.2.218
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain SNAT_12 (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_12:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_12:'
0 0 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 to:1.1.1.139
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain SNAT_13 (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_13:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_13:'
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain SNAT_14 (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_14:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_14:'
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain SNAT_2 (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_2:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_2:'
0 0 SNAT all -- * * 0.0.0.0/0
0.0.0.0/0 to:1.1.1.140
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain SNAT_3 (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_3:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_3:'
0 0 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 to:1.1.1.141
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain SNAT_4 (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_4:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_4:'
0 0 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 to:1.1.1.142
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain SNAT_5 (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_5:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_5:'
0 0 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 to:1.1.1.137
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain SNAT_6 (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_6:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_6:'
168 8064 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 to:2.2.2.218
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain SNAT_7 (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_7:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_7:'
0 0 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 to:2.2.2.219
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain SNAT_8 (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG
flags 0 level 4 prefix `nat/SNAT_8:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_8:'
0 0 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 to:2.2.2.220
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain SNAT_9 (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_9:'
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_9:'
0 0 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 to:2.2.2.221
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Logging/tcpdump from an attempt to connect to port 25 on a remote server:

Apr 9 21:55:47 eos mangle/PREROUTING:IN=eth0 OUT= MAC=00:40:f4:6b:6c:c1:00:01:02:1c:6f:29:08:00 SRC=192.168.1.20 DST=3.3.3.228 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=41341 DF PROTO=TCP SPT=53218 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 9 21:55:47 eos mangle/MARK6:IN=eth0 OUT= MAC=00:40:f4:6b:6c:c1:00:01:02:1c:6f:29:08:00 SRC=192.168.1.20 DST=3.3.3.228 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=41341 DF PROTO=TCP SPT=53218 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 9 21:55:47 eos nat/PREROUTING:IN=eth0 OUT= MAC=00:40:f4:6b:6c:c1:00:01:02:1c:6f:29:08:00 SRC=192.168.1.20 DST=3.3.3.228 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=41341 DF PROTO=TCP SPT=53218 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 9 21:55:47 eos mangle/FORWARD:IN=eth0 OUT=eth2 SRC=192.168.1.20 DST=3.3.3.228 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=41341 DF PROTO=TCP SPT=53218 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 9 21:55:47 eos filter/FORWARD:IN=eth0 OUT=eth2 SRC=192.168.1.20 DST=3.3.3.228 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=41341 DF PROTO=TCP SPT=53218 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 9 21:55:47 eos mangle/POSTROUTING:IN= OUT=eth2 SRC=192.168.1.20 DST=3.3.3.228 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=41341 DF PROTO=TCP SPT=53218 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 9 21:55:47 eos nat/POSTROUTING:IN= OUT=eth2 SRC=192.168.1.20 DST=3.3.3.228 LEN=60 TOS=0x10
PREC=0x00 TTL=63 ID=41341 DF PROTO=TCP SPT=53218 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 9 21:55:47 eos nat/SNAT_6:IN= OUT=eth2 SRC=192.168.1.20 DST=3.3.3.228 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=41341 DF PROTO=TCP SPT=53218 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 9 21:55:48 eos mangle/PREROUTING:IN=eth2 OUT= MAC=00:08:a1:90:aa:a1:00:14:7f:03:e5:1c:08:00 SRC=3.3.3.228 DST=2.2.2.218 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=25 DPT=53218 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Apr 9 21:55:52 eos mangle/PREROUTING:IN=eth2 OUT= MAC=00:08:a1:90:aa:a1:00:14:7f:03:e5:1c:08:00 SRC=3.3.3.228 DST=2.2.2.218 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=25 DPT=53218 WINDOW=5792 RES=0x00 ACK SYN URGP=0

tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
21:55:47.998524 IP (tos 0x10, ttl 63, id 41341, offset 0, flags [DF], proto: TCP (6), length: 60) 2.2.2.218.53218 > 3.3.3.228.25: S, cksum 0x6efb (correct), 2404082705:2404082705(0) win 5840
21:55:48.179397 IP (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) 3.3.3.228.25 > 2.2.2.218.53218: S, cksum 0x0b36 (correct), 58918797:58918797(0) ack 2404082706 win 5792
21:55:52.175813 IP (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) 3.3.3.228.25 > 2.2.2.218.53218: S, cksum 0xfb9a (correct), 58918797:58918797(0) ack 2404082706 win 5792
21:55:58.175073 IP (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) 3.3.3.228.25 > 2.2.2.218.53218: S, cksum 0xe42a (correct), 58918797:58918797(0) ack 2404082706 win 5792
21:55:58.775150 IP (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) 3.3.3.228.25 > 2.2.2.218.53217: S, cksum 0xc92d (correct), 4258850729:4258850729(0) ack 2314333557 win 5792
21:56:10.177052 IP (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) 3.3.3.228.25 > 2.2.2.218.53218: S, cksum 0xb54a (correct), 58918797:58918797(0) ack 2404082706 win 5792

Logging/tcpdump
from an attempt to connect to port 25 on the PUB2 dsl router, this works:

Apr 9 21:56:52 eos mangle/PREROUTING:IN=eth0 OUT= MAC=00:40:f4:6b:6c:c1:00:01:02:1c:6f:29:08:00 SRC=192.168.1.20 DST=2.2.2.217 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=34524 DF PROTO=TCP SPT=55398 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 9 21:56:52 eos mangle/MARK11:IN=eth0 OUT= MAC=00:40:f4:6b:6c:c1:00:01:02:1c:6f:29:08:00 SRC=192.168.1.20 DST=2.2.2.217 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=34524 DF PROTO=TCP SPT=55398 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 9 21:56:52 eos nat/PREROUTING:IN=eth0 OUT= MAC=00:40:f4:6b:6c:c1:00:01:02:1c:6f:29:08:00 SRC=192.168.1.20 DST=2.2.2.217 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=34524 DF PROTO=TCP SPT=55398 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 9 21:56:52 eos mangle/FORWARD:IN=eth0 OUT=eth2 SRC=192.168.1.20 DST=2.2.2.217 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=34524 DF PROTO=TCP SPT=55398 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 9 21:56:52 eos filter/FORWARD:IN=eth0 OUT=eth2 SRC=192.168.1.20 DST=2.2.2.217 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=34524 DF PROTO=TCP SPT=55398 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 9 21:56:52 eos mangle/POSTROUTING:IN= OUT=eth2 SRC=192.168.1.20 DST=2.2.2.217 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=34524 DF PROTO=TCP SPT=55398 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 9 21:56:52 eos nat/POSTROUTING:IN= OUT=eth2 SRC=192.168.1.20 DST=2.2.2.217 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=34524 DF PROTO=TCP SPT=55398 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 9 21:56:52 eos nat/SNAT_11:IN= OUT=eth2 SRC=192.168.1.20 DST=2.2.2.217 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=34524 DF PROTO=TCP SPT=55398 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 9 21:56:52 eos mangle/PREROUTING:IN=eth2 OUT= MAC=00:08:a1:90:aa:a1:00:14:7f:03:e5:1c:08:00 SRC=2.2.2.217 DST=2.2.2.218 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=46172 PROTO=TCP SPT=25 DPT=55398 WINDOW=0 RES=0x00 ACK RST URGP=0
Apr 9 21:56:52 eos mangle/FORWARD:IN=eth2 OUT=eth0 SRC=2.2.2.217 DST=192.168.1.20 LEN=40
TOS=0x00 PREC=0x00 TTL=63 ID=46172 PROTO=TCP SPT=25 DPT=55398 WINDOW=0 RES=0x00 ACK RST URGP=0
Apr 9 21:56:52 eos filter/FORWARD:IN=eth2 OUT=eth0 SRC=2.2.2.217 DST=192.168.1.20 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=46172 PROTO=TCP SPT=25 DPT=55398 WINDOW=0 RES=0x00 ACK RST URGP=0
Apr 9 21:56:52 eos mangle/POSTROUTING:IN= OUT=eth0 SRC=2.2.2.217 DST=192.168.1.20 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=46172 PROTO=TCP SPT=25 DPT=55398 WINDOW=0 RES=0x00 ACK RST URGP=0

tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
21:56:52.306357 IP (tos 0x10, ttl 63, id 34524, offset 0, flags [DF], proto: TCP (6), length: 60) 2.2.2.218.55398 > 2.2.2.217.25: S, cksum 0xaa49 (correct), 2474919495:2474919495(0) win 5840
21:56:52.306836 IP (tos 0x0, ttl 64, id 46172, offset 0, flags [none], proto: TCP (6), length: 40) 2.2.2.217.25 > 2.2.2.218.55398: R, cksum 0x7679 (correct), 0:0(0) ack 2474919496 win 0
21:57:22.589506 IP (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) 3.3.3.228.25 > 2.2.2.218.53218: S, cksum 0x9a78 (correct), 58918797:58918797(0) ack 2404082706 win 5792

--E.S. Johansen

From ranmakun at arnet.com.ar Sun Apr 9 21:24:20 2006
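A model of the routing decision that the `ip rule` / `ip route` output in the post above drives, added here as an example; it is not code from the post. It transcribes the post's rules and the pub1/pub2/main tables (sanitised addresses; eth0=LAN, eth1=DMZ, eth2=PUB2, eth3=PUB1) and walks them the way the kernel does: rules in priority order, longest-prefix match inside the first table that has a matching route, next rule if that table has none. The `local` table is not shown in the post, so its contents here (just the box's own addresses) are an assumption. The model covers the routing lookup only and says nothing about conntrack, which is where the post locates its problem; it does show which table and interface each of the logged packets was steered through, and what happens to an unmarked flow once main's default route is gone.

```python
"""Policy-routing lookup model: `ip rule` entries in priority order, then
longest-prefix match inside the selected table.

Added example, not code from the LARTC post. Rules and tables are transcribed
from the post (sanitised addresses); only the selectors that ruleset uses
(`from`, `fwmark`, `lookup`) are modelled. The `local` table is ASSUMED.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    prio: int
    table: str
    src: Optional[IPv4Net] = None     # `from` selector (None = from all)
    fwmark: Optional[int] = None      # `fwmark` selector (None = any mark)


@dataclass(frozen=True)
class Route:
    prefix: IPv4Net
    dev: str
    via: Optional[str] = None         # next hop; None for a connected route


def net(s: str) -> IPv4Net:
    return ipaddress.ip_network(s, strict=False)


def build_rules() -> list:
    """The post's `ip rule show`, in the order the kernel evaluates it."""
    rules = [Rule(0, "local")]
    rules += [Rule(30000, "pub1", fwmark=m) for m in range(1, 6)]
    rules += [Rule(30000, "pub2", fwmark=m) for m in range(6, 11)]
    pub1_src = ["1.1.1.139", "1.1.1.140", "1.1.1.141", "1.1.1.142", "1.1.1.137"]
    pub2_src = ["2.2.2.218", "2.2.2.219", "2.2.2.220", "2.2.2.221", "2.2.2.222"]
    rules += [Rule(31000, "pub1", src=net(a)) for a in pub1_src]
    rules += [Rule(31000, "pub2", src=net(a)) for a in pub2_src]
    rules.append(Rule(33000, "main"))
    return rules


# Connected routes present in every table the post shows.
CONNECTED = [
    Route(net("1.1.1.136/29"), "eth3"),
    Route(net("2.2.2.216/29"), "eth2"),
    Route(net("192.168.4.0/22"), "eth1"),
    Route(net("192.168.0.0/22"), "eth0"),
    Route(net("127.0.0.0/8"), "lo"),
]


def build_tables() -> dict:
    default = net("0.0.0.0/0")
    return {
        # ASSUMED: the kernel's local table, holding the box's own addresses.
        "local": [Route(net(a), "lo") for a in
                  ("1.1.1.139", "2.2.2.218", "192.168.4.1", "192.168.0.1")],
        "pub1": CONNECTED + [Route(default, "eth3", via="1.1.1.138")],
        "pub2": CONNECTED + [Route(default, "eth2", via="2.2.2.217")],
        "main": CONNECTED + [Route(default, "eth3", via="1.1.1.138")],
    }


def lookup_table(table: list, dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match within a single table."""
    best = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def route(rules, tables, dst: str, src: str = "0.0.0.0", fwmark: int = 0):
    """(table name, Route) for a packet, or None when no table has a route.

    src/dst are what the routing decision sees: AFTER PREROUTING has rewritten
    the header (conntrack undoing the SNAT on a reply) and after the MARK.
    """
    d, s = ipaddress.ip_address(dst), ipaddress.ip_address(src)
    for rule in sorted(rules, key=lambda r: r.prio):   # stable: add order within a prio
        if rule.src is not None and s not in rule.src:
            continue
        if rule.fwmark is not None and rule.fwmark != fwmark:
            continue
        hit = lookup_table(tables[rule.table], d)
        if hit is not None:
            return rule.table, hit
    return None


if __name__ == "__main__":
    rules, tables = build_rules(), build_tables()
    # The logged SYN: LAN host, MARK6 -> table pub2, default via 2.2.2.217 on eth2.
    print(route(rules, tables, "3.3.3.228", "192.168.1.20", fwmark=6))
    # The SYN+ACK once conntrack has undone the SNAT: unmarked, falls through to main.
    print(route(rules, tables, "192.168.1.20", "3.3.3.228"))
    # Unmarked traffic to the outside after main's default route is deleted.
    tables["main"] = [r for r in tables["main"] if r.prefix.prefixlen > 0]
    print(route(rules, tables, "3.3.3.228", "192.168.1.20"))
```

The fwmark rules only match connections the mangle PREROUTING chain marked (state NEW); anything unmarked, and anything not sourced from one of the ten public addresses, ends up in main, which is why main's default route still matters in this design.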
From: ranmakun at arnet.com.ar (Francisco)
Date: Sun Apr 9 21:24:01 2006
Subject: [LARTC] tc counters "problem"
Message-ID: <200604091624.20565.ranmakun@arnet.com.ar>

Hi, I'm using tc and HTB to shape my outgoing ADSL traffic. I was trying to make some graphs on the classes by measuring the "sent bytes" of each class, using rrdtool to store the data (as kbps after conversion). I expected that measuring the root class I would get values similar to the ones I get measuring the interface counters, but they differ by a large amount. Is there something obvious I'm missing here? Is this approach correct?

Thank you.
Francisco

kaori ~ # tc -s class show dev ppp0
class htb 1:1 root rate 200000bit ceil 200000bit burst 6Kb/8 mpu 0b overhead 0b cburst 1699b/8 mpu 0b overhead 0b level 7
 Sent 378286130 bytes 2185057 pkt (dropped 0, overlimits 0 requeues 0)
 rate 182312bit 29pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 168756 ctokens: -13270

class htb 1:10 parent 1:1 leaf 10: prio 1 rate 200000bit ceil 200000bit burst 6Kb/8 mpu 0b overhead 0b cburst 1699b/8 mpu 0b overhead 0b level 0
 Sent 115548283 bytes 1520567 pkt (dropped 0, overlimits 0 requeues 0)
 rate 1848bit 4pps backlog 0b 0p requeues 0
 lended: 1520567 borrowed: 0 giants: 0
 tokens: 250020 ctokens: 67994

class htb 1:20 parent 1:1 leaf 20: prio 2 rate 180000bit ceil 180000bit burst 6Kb/8 mpu 0b overhead 0b cburst 1689b/8 mpu 0b overhead 0b level 0
 Sent 262755089 bytes 664505 pkt (dropped 0, overlimits 0 requeues 0)
 rate 180456bit 25pps backlog 0b 15p requeues 0
 lended: 664490 borrowed: 0 giants: 0
 tokens: 113243 ctokens: -89463

class htb 1:30 parent 1:1 leaf 30: prio 3 rate 1000bit ceil 120000bit burst 6Kb/8 mpu 0b overhead 0b cburst 1659b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 50331648 ctokens: 113321

class htb 1:40 parent 1:1 leaf 40: prio 4 rate 1000bit ceil 60000bit
burst 6Kb/8 mpu 0b overhead 0b cburst 1629b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 50331648 ctokens: 222548

From Andreas.Klauer at metamorpher.de Sun Apr 9 21:50:48 2006
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Sun Apr 9 21:50:50 2006
Subject: [LARTC] tc counters "problem"
In-Reply-To: <200604091624.20565.ranmakun@arnet.com.ar>
References: <200604091624.20565.ranmakun@arnet.com.ar>
Message-ID: <20060409195048.GA10917@EIS>

On Sun, Apr 09, 2006 at 04:24:20PM -0300, Francisco wrote:
> I expected that measuring the root class I would get values similar to
> the ones I get measuring the interface counters but they differ by a
> large amount.

The statistics you posted seem to be fine. Which interface counters are you talking about? tc starts counting only after the qdiscs/classes were created, so if you have a separate count somewhere which started counting some other time, the difference will of course be huge (as far as total packet count is concerned).

Regards
Andreas Klauer

From ranmakun at arnet.com.ar Mon Apr 10 00:42:14 2006
From: ranmakun at arnet.com.ar (Francisco)
Date: Mon Apr 10 00:43:35 2006
Subject: [LARTC] tc counters "problem"
In-Reply-To: <20060409195048.GA10917@EIS>
References: <200604091624.20565.ranmakun@arnet.com.ar> <20060409195048.GA10917@EIS>
Message-ID: <200604091942.14257.ranmakun@arnet.com.ar>

The interface that I'm using is ppp0; the classes/qdiscs are created with the interface (from the /etc/ppp/ip-up file), but that doesn't matter anyway. The way the two graphs are created is: at time 0 I look at the total amount of bytes/bits transferred, at time 5 (mins) I look at the amount of bytes/bits transferred and do:

(bits(t=5) - bits(t=0)) / (300 secs) = bps (similar with bytes)

and repeat every five minutes; this is how MRTG graphs. So it really doesn't matter if the counters are different, what matters is the difference between time x and time y. The interface counters and the tc counters are fetched by SNMP and I'm 100% sure that my interface graph is accurate, I just don't understand why there is so much difference with the tc ones.

On the other hand, I just made a test with a file transfer, resetting all counters:

file:
14675760 lego.pdf

iptables:
Chain OUTPUT (policy ACCEPT 478208 packets, 1617032905 bytes)
 pkts bytes target prot opt in out source destination
 10725 15568354 MARK tcp -- any ppp0 anywhere anywhere tcp spt:http MARK set 0x1e

tc:
class htb 1:30 parent 1:1 leaf 30: prio 3 rate 1000bit ceil 120000bit burst 6Kb/8 mpu 0b overhead 0b cburst 1659b/8 mpu 0b overhead 0b level 0
 Sent 15568302 bytes 10724 pkt (dropped 0, overlimits 0 requeues 0)
 rate 112bit 0pps backlog 0b 0p requeues 0
 lended: 99 borrowed: 10625 giants: 0
 tokens: -13832192 ctokens: -671

All this seems fine, the bytes match, etc. So I'm not sure what I'm doing wrong. I'll keep investigating, I just wanted to know if any of you saw something wrong with my reasoning or if there were known issues with the counters.
Francisco

On Sunday, 9 April 2006 16:50, Andreas Klauer wrote:
> On Sun, Apr 09, 2006 at 04:24:20PM -0300, Francisco wrote:
> > I expected that measuring the root class I would get values similar to
> > the ones I get measuring the interface counters but they differ by a
> > large amount.
>
> The statistics you posted seem to be fine. Which interface counters are
> you talking about? tc starts counting only after the qdiscs/classes were
> created, so if you have a separate count somewhere which started counting
> some other time, the difference will of course be huge (as far as total
> packet count is concerned).
>
> Regards
> Andreas Klauer

From matthew.pearson at infomatrix.com Mon Apr 10 09:52:33 2006
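The MRTG-style counter comparison Francisco describes in the thread above, as an added example (not code from the thread): it parses the `tc -s class show` format he posted, derives per-class bit/s from two snapshots taken 300 s apart, checks the root class against the sum of its leaves, and measures the gap between a tc byte counter and an iptables byte counter as in his lego.pdf test. The two snapshots are constructed sample data in that format, not real counters from ppp0.

```python
"""Per-class throughput from two `tc -s class show` snapshots, MRTG-style.

Added example, not code from the thread. rate = (bytes(t1) - bytes(t0)) * 8 / interval.
"""
import re

# One "class htb ..." header line, then its " Sent N bytes M pkt" line.
CLASS_RE = re.compile(
    r"^class htb (?P<id>\d+:\d+) (?:root|parent (?P<parent>\d+:\d+))(?P<leaf> leaf \d+:)?")
SENT_RE = re.compile(r"^\s*Sent (?P<bytes>\d+) bytes (?P<pkts>\d+) pkt")

# Constructed snapshot at t=0, in the same layout as the ppp0 output above.
SNAPSHOT_T0 = """\
class htb 1:1 root rate 200000bit ceil 200000bit burst 6Kb/8 mpu 0b overhead 0b cburst 1699b/8 mpu 0b overhead 0b level 7
 Sent 1000000 bytes 5000 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
class htb 1:10 parent 1:1 leaf 10: prio 1 rate 200000bit ceil 200000bit burst 6Kb/8 mpu 0b overhead 0b cburst 1699b/8 mpu 0b overhead 0b level 0
 Sent 400000 bytes 3000 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
class htb 1:20 parent 1:1 leaf 20: prio 2 rate 180000bit ceil 180000bit burst 6Kb/8 mpu 0b overhead 0b cburst 1689b/8 mpu 0b overhead 0b level 0
 Sent 600000 bytes 2000 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
"""
# Constructed snapshot 300 s later: root moved 7,500,000 bytes, split 1.5M / 6M over the leaves.
SNAPSHOT_T1 = (SNAPSHOT_T0
               .replace("Sent 1000000 bytes 5000 pkt", "Sent 8500000 bytes 11000 pkt")
               .replace("Sent 400000 bytes 3000 pkt", "Sent 1900000 bytes 6000 pkt")
               .replace("Sent 600000 bytes 2000 pkt", "Sent 6600000 bytes 5000 pkt"))


def parse_tc_class_stats(text):
    """Return {classid: {"parent", "leaf", "bytes", "pkts"}} from `tc -s class show` output."""
    stats, current = {}, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group("id")
            stats[current] = {"parent": m.group("parent"),
                              "leaf": m.group("leaf") is not None,
                              "bytes": 0, "pkts": 0}
            continue
        m = SENT_RE.match(line)
        if m and current is not None:
            stats[current]["bytes"] = int(m.group("bytes"))
            stats[current]["pkts"] = int(m.group("pkts"))
    return stats


def rates_bps(t0, t1, interval_s):
    """MRTG-style rate per class: byte-counter delta over the interval, in bit/s."""
    out = {}
    for cid, s1 in t1.items():
        s0 = t0.get(cid)
        if s0 is None:
            continue  # class did not exist at t0, so there is no delta yet
        delta = s1["bytes"] - s0["bytes"]
        if delta < 0:
            continue  # counter went backwards (qdisc re-created): skip this sample
        out[cid] = delta * 8 / interval_s
    return out


def root_vs_leaves(stats):
    """Bytes counted by the root class versus the sum over the leaf classes."""
    root = next(s for s in stats.values() if s["parent"] is None)
    leaves = sum(s["bytes"] for s in stats.values() if s["leaf"])
    return root["bytes"], leaves


def counter_gap(tc_bytes, other_bytes):
    """Absolute and relative gap between a tc byte counter and another counter (e.g. iptables)."""
    gap = abs(tc_bytes - other_bytes)
    return gap, gap / max(tc_bytes, other_bytes, 1)


if __name__ == "__main__":
    t0, t1 = parse_tc_class_stats(SNAPSHOT_T0), parse_tc_class_stats(SNAPSHOT_T1)
    for cid, bps in sorted(rates_bps(t0, t1, 300).items()):
        print(f"{cid}: {bps:.0f} bit/s")
    print("root vs leaves at t1:", root_vs_leaves(t1))
    # The tc and iptables byte counts from the lego.pdf test in the post above.
    print("tc vs iptables gap:", counter_gap(15568302, 15568354))
```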
From: matthew.pearson at infomatrix.com (Matthew Pearson)
Date: Mon Apr 10 09:53:25 2006
Subject: [LARTC] __Very__ Low Bandwidth
In-Reply-To: <4436DDAB.7010300@dsl.pipex.com>
References: <442D44FE.7070105@infomatrix.com> <4436DDAB.7010300@dsl.pipex.com>
Message-ID: <443A0EC1.2060302@infomatrix.com>

Thank you Andy. I'll have another look at it and change the values to get it to do what I need.

Again, thank you.

Matthew Pearson

Andy Furniss wrote:
> Matthew Pearson wrote:
>> I am using the script below to simulate a very low bandwidth
>> connection. I found that I could turn the bandwidth knob down to
>> about 4kbit, but below that I didn't get any traffic through. I've had
>> a look at this generally, but couldn't find an answer. It doesn't even
>> seem like the first reply packet gets through. I have tried it with
>> much bigger buffers, but this doesn't help.
>>
>> I found that if I put a web proxy on the machine that is running this,
>> then the minimum I can turn the bandwidth down to is 12kbit and below
>> that the web browser doesn't get anything back.
>>
>> Is this because the delay is so great that things are getting thrown
>> away by the kernel? Could I munge the packets to turn up the TTL or
>> something similar?
>>
>> Many thanks for some excellent tools.
>>
>> Matthew Pearson
>>
>> #!/bin/bash
>>
>> CLIENT1=192.168.1.190/32
>> CLIENT2=192.168.1.191/32
>> OPER=add;
>> DEV=eth0
>> RATE=3kbit
>> PEAKRATE=3kbit
>> BUFFER1=10kb
>> BUFFER2=10kb
>>
>> echo -e "Attach Egress policy..."
>> tc qdisc $OPER dev $DEV root handle 1:0 htb default 15
>> tc class $OPER dev $DEV parent 1:0 classid 1:1 htb rate 240kbit
>>
>> tc class $OPER dev $DEV parent 1:1 classid 1:2 htb rate 240kbit ceil 240kbit
>> tc class $OPER dev $DEV parent 1:1 classid 1:3 htb rate 240kbit ceil 240kbit
>> tc class $OPER dev $DEV parent 1:1 classid 1:15 htb rate 240kbit ceil 240kbit
>>
>> tc qdisc $OPER dev $DEV parent 1:2 handle 2:0 tbf rate $RATE burst $RATE limit $BUFFER1 peakrate $PEAKRATE mtu 1600
>
> I don't really get using tbf under htb - but it may be OK.
>
> The reason it fails <12kbit is because you use it for burst - which is a
> buffer length so <12kbit won't pass a 1500 byte packet.
>
> Andy.

From ephemeric at gmail.com Mon Apr 10 10:04:24 2006
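Andy's explanation of the 12kbit threshold, worked through as an added example that is not part of the thread: it reproduces iproute2's size-unit parsing (as in tc's get_size(): "kbit" is 1024/8 bytes, "kb" or "k" is 1024 bytes, a bare number or "b" is bytes) and checks a tbf burst against the packet size it must admit. The packet sizes are constructed; treating the burst (capped by the peakrate mtu) as the largest packet tbf can ever dequeue is a simplification of the real rate-table rounding.

```python
"""Is a tbf 'burst' large enough to pass a packet? Added example, not code from the thread."""
import re

# Bytes per unit, following iproute2 tc's size parsing (assumed, see lead-in).
_UNIT_BYTES = {
    "": 1, "b": 1,
    "k": 1024, "kb": 1024, "kbit": 1024 // 8,
    "m": 1024 * 1024, "mb": 1024 * 1024, "mbit": 1024 * 1024 // 8,
    "g": 1024 ** 3, "gb": 1024 ** 3, "gbit": 1024 ** 3 // 8,
}


def tc_size_bytes(spec):
    """Parse a tc SIZE argument such as '3kbit', '10kb' or '1600' into bytes."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([A-Za-z]*)\s*", spec)
    if not m:
        raise ValueError(f"bad size: {spec!r}")
    value, unit = float(m.group(1)), m.group(2).lower()
    if unit not in _UNIT_BYTES:
        raise ValueError(f"unknown size unit in {spec!r}")
    return int(value * _UNIT_BYTES[unit])


def tbf_admits(burst_spec, packet_bytes, mtu_spec=None):
    """True if a tbf with this burst (and, with peakrate, this mtu) can ever send the packet.

    The burst is the bucket size in bytes; a packet larger than the bucket can never
    accumulate enough tokens, so it is dropped regardless of how long it waits.
    """
    max_size = tc_size_bytes(burst_spec)
    if mtu_spec is not None:
        max_size = min(max_size, tc_size_bytes(mtu_spec))
    return packet_bytes <= max_size


def smallest_burst_kbit_for(packet_bytes):
    """Smallest whole-number 'Nkbit' burst that admits a packet of the given size."""
    n = 1
    while not tbf_admits(f"{n}kbit", packet_bytes):
        n += 1
    return n


if __name__ == "__main__":
    # RATE=3kbit from the script above, reused as the burst: only 384 bytes of bucket.
    for burst in ("3kbit", "4kbit", "12kbit"):
        print(f"burst {burst:>6} = {tc_size_bytes(burst):5d} bytes;",
              "1500-byte packet passes:", tbf_admits(burst, 1500, mtu_spec="1600"))
    print("first kbit burst that fits a 1500-byte packet:", smallest_burst_kbit_for(1500))
```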
From: ephemeric at gmail.com (Robert Gabriel)
Date: Mon Apr 10 10:04:28 2006
Subject: [LARTC] EF & AF filters with HTB
Message-ID:

Hello all,

Please could someone help me with this, I have been trying for days to get this to work. I would like to have BE, AF & EF classes with the HTB qdisc. I can't find any scripts online where this has been done.

If I enable this filter:

#tc filter add dev eth0 parent 2:0 protocol ip prio 1 \
#tcindex mask 0xf0 shift 4 pass_on

then BE & AF classification seems to be fine but EF breaks & no packets go under that class. If the filter is commented out then the EF & BE classes are fine.

Script excerpt:

# Main DS Marker & Classifier (1:0)
echo -e "Installing root DS marker, queue discipline and filter...\n"
tc qdisc add dev $DEVICE handle 1:0 root dsmark indices 64 set_tc_index
tc filter add dev $DEVICE parent 1:0 protocol ip prio 1 tcindex mask 0xfc shift 2

# Main HTB Queue Discipline (2:0) & Class (2:1)
echo -e "Installing main HTB queue discipline and class...\n"
tc qdisc add dev $DEVICE parent 1:0 handle 2:0 htb
tc class add dev $DEVICE parent 2:0 classid 2:1 htb rate 120Kbit ceil 120Kbit

# EF Class (2:10)
echo -e "Installing EF class, PFIFO queue discipline and filter...\n"
tc class add dev $DEVICE parent 2:1 classid 2:10 htb rate 60Kbit ceil 120Kbit
tc qdisc add dev $DEVICE parent 2:10 pfifo limit 5
tc filter add dev $DEVICE parent 2:0 protocol ip prio 1 handle 46 tcindex \
 classid 2:10

# BE Class (2:20)
echo -e "Installing BE class, RED queue discipline and filter...\n"
tc class add dev $DEVICE parent 2:1 classid 2:20 htb rate 40Kbit ceil 120Kbit
tc qdisc add dev $DEVICE parent 2:20 red limit 60KB min 3KB max 7.5KB \
 burst 10 avpkt 1000 bandwidth 120Kbit probability 0.02 ecn
tc filter add dev $DEVICE parent 2:0 protocol ip prio 2 handle 0 tcindex \
 mask 0 classid 2:20

# AF Class 1
tc class add dev eth0 parent 2:1 classid 2:30 htb rate 20Kbit ceil 120Kbit
tc qdisc add dev eth0 parent 2:30 gred setup DPs 3 default 2 grio
tc qdisc change dev eth0 parent 2:30 gred limit 60KB min 15KB max 45KB \
 burst 20 avpkt 1000 bandwidth 120Kbit DP 1 probability 0.02 prio 2
tc qdisc change dev eth0 parent 2:30 gred limit 60KB min 15KB max 45KB \
 burst 20 avpkt 1000 bandwidth 120Kbit DP 2 probability 0.04 prio 3
tc qdisc change dev eth0 parent 2:30 gred limit 60KB min 15KB max 45KB \
 burst 20 avpkt 1000 bandwidth 120Kbit DP 3 probability 0.06 prio 4
tc filter add dev eth0 parent 2:0 protocol ip prio 1 \
 handle 1 tcindex classid 2:30 pass_on
tc filter add dev eth0 parent 1:0 protocol ip prio 1 \
 handle 10 tcindex classid 1:111
tc filter add dev eth0 parent 1:0 protocol ip prio 1 \
 handle 12 tcindex classid 1:112
tc filter add dev eth0 parent 1:0 protocol ip prio 1 \
 handle 14 tcindex classid 1:113
#tc filter add dev eth0 parent 2:0 protocol ip prio 1 \
#tcindex mask 0xf0 shift 4 pass_on

From lists at sperling.no Mon Apr 10 11:17:46 2006
From: lists at sperling.no (Erik S. Johansen)
Date: Mon Apr 10 11:22:01 2006
Subject: [LARTC] Conntrack, nat and multipath - what is wrong here?
In-Reply-To: <200604092142.47556.lists@sperling.no>
References: <200604092142.47556.lists@sperling.no>
Message-ID: <200604101217.51641.lists@sperling.no>

As a side note, if I put both dsls on eth2 and use the same ruleset, things start working. I still need that default route in the main table though.

--E.S. Johansen

From lists at sperling.no Mon Apr 10 13:16:36 2006
From: lists at sperling.no (Erik S. Johansen)
Date: Mon Apr 10 13:20:51 2006
Subject: [LARTC] Conntrack, nat and multipath - what is wrong here?
In-Reply-To: <200604092142.47556.lists@sperling.no>
References: <200604092142.47556.lists@sperling.no>
Message-ID: <200604101416.41963.lists@sperling.no>

And yet another reply-to-self. Please just ignore the question and shoot me, I've spent 3 days debugging this with rpf enabled...

--E.S. Johansen

From erik at slagter.name Mon Apr 10 14:36:48 2006
From: erik at slagter.name (Erik Slagter)
Date: Mon Apr 10 14:36:47 2006
Subject: [LARTC] Trying to do some very simple ingress limiting, no success
In-Reply-To: <4439056D.7030008@dsl.pipex.com>
References: <1144579998.5694.18.camel@localhost.localdomain> <4439056D.7030008@dsl.pipex.com>
Message-ID: <1144672608.3195.2.camel@localhost.localdomain>

On Sun, 2006-04-09 at 14:00 +0100, Andy Furniss wrote:
> There are two policers now the old one will work as you want but you
> need to change your kernel config. Unselect packet action and you should
> be able to choose a different policer.

This indeed did the trick! Thanks!

Stupid that tc & kernel allow all of this, don't give any sort of error but simply refuse to work.

From erik at slagter.name Mon Apr 10 14:38:10 2006
From: erik at slagter.name (Erik Slagter)
Date: Mon Apr 10 14:38:10 2006
Subject: [LARTC] Trying to do some very simple ingress limiting, no success
In-Reply-To: <44390F3A.70409@dsl.pipex.com>
References: <1144579998.5694.18.camel@localhost.localdomain> <4439056D.7030008@dsl.pipex.com> <1144588174.5694.27.camel@localhost.localdomain> <44390F3A.70409@dsl.pipex.com>
Message-ID: <1144672691.3195.5.camel@localhost.localdomain>

On Sun, 2006-04-09 at 14:42 +0100, Andy Furniss wrote:
> > The "old" policer is marked as "obsolete", so I guess it will go away.
> > What am I supposed to replace it with, then?
>
> There may be a way in the future to get netfilter state with an
> ematch/meta data (I don't know the detail Thomas Graf has mentioned it).

Is there already a tc man page that reveals all of this :-(

> > For IMQ I need to patch the kernel (feasible) and the netfilter tools
> > (not feasible :-() I just learned.
>
> I didn't know there is a problem with IMQ + netfilter.

You just told me ;-)

The IMQ handling is done before the netfilter handling...

From erik at slagter.name Mon Apr 10 14:47:14 2006
From: erik at slagter.name (Erik Slagter)
Date: Mon Apr 10 14:47:12 2006
Subject: [LARTC] Conntrack, nat and multipath - what is wrong here?
In-Reply-To: <200604101416.41963.lists@sperling.no>
References: <200604092142.47556.lists@sperling.no> <200604101416.41963.lists@sperling.no>
Message-ID: <1144673234.3195.10.camel@localhost.localdomain>

On Mon, 2006-04-10 at 14:16 +0300, Erik S. Johansen wrote:
> And yet another reply-to-self. Please just ignore the question and shoot me,
> I've spent 3 days debugging this with rpf enabled...

I've been bitten by the same more than once :-( Maybe that helps a little bit ;-)

From forgamedev at yahoo.com Mon Apr 10 15:26:34 2006
From: forgamedev at yahoo.com (pfer)
Date: Mon Apr 10 15:26:31 2006
Subject: [LARTC] Re: EF & AF filters with HTB
Message-ID: <20060410132634.18600.qmail@web54312.mail.yahoo.com>

Hi Robert!

If I get you right, you wish to use HTB at a node for doing some QoS for packets based on the DSCP they already have, and NOT marking them to have that AF, etc. (have you checked http://www.opalsoft.net/qos/DS-310.htm? he has some nice scripts)

Why not simply use a u32 match on the TOS field for filtering under your main htb? Why do you need DSMARK? (haven't tried, but should work fine)

For ex. having the htb main shaper at 1:0 gives

tc filter add dev eth0 parent 1:0 protocol ip prio 2 u32 match ip tos 0xb8 0xff flowid 1:10
(the EF htb branch is at 1:10)
tc filter add dev eth0 parent 1:0 protocol ip prio 3 u32 match ip tos 0x28 0xff flowid 1:20
(the AF11 htb branch is at 1:20)

As for bulk, create the htb main with "default 30", and add a 1:30 class with the needed rate + burst and red/sfq/etc. You won't need any filter for this, anything unclassified (anything other than EF or AF11) will get there.

If I get you wrong, and you wish to re-mark those packets, I have some scripts for that, too. Contact me at forgamedev@yahoo.com, and I will send them to you.

PS: since I also have some scripts to test, and they resemble yours, can you tell me whether they are correct?

First I wish to re-mark packets based on a u32 ip src match, with:

tc qdisc add dev eth0 handle 1:0 root dsmark indices 4
tc class change dev eth0 classid 1:1 dsmark mask 0x3 value 0xb8
..some filters under 1:0 to send packets to 1:1 to remark them...

and then comes an htb at 2:0 having 1:0 (the dsmark qdisc) as parent with a few branches. Can I expect that the htb qdisc at 2:0 will already have the effects of dsmark at 1:0 (remarked packets)?

Thanks,
Ferenc
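A trace of where Robert's script sends an EF, an AF11 and a BE packet, with and without the commented-out `mask 0xf0 shift 4` filter, as an added example that is not code from either post. It models the dsmark and tcindex behaviour as I understand it (assumptions, not verified against the poster's kernel): `set_tc_index` loads tc_index with the TOS byte, all `tcindex` filters added at the same parent and prio share one instance whose mask/shift apply to every `handle N` entry there, the lookup key is `(tc_index & mask) >> shift`, an unmatched key falls through (class minor = key) unless `pass_on` is set, and a class returned by dsmark's filter becomes the new tc_index.

```python
"""Trace tc_index through the dsmark (1:0) -> tcindex -> HTB (2:0) chain of the script above.

Added example, not code from the thread; the tcindex/dsmark semantics are my reading.
"""
from dataclasses import dataclass, field


@dataclass
class TcindexFilter:
    """One tcindex filter instance: a single (parent, prio) pair owns exactly one."""
    mask: int = 0xFFFF
    shift: int = 0
    pass_on: bool = False                           # default is fall_through
    entries: dict = field(default_factory=dict)     # handle -> class minor

    def classify(self, tc_index):
        key = (tc_index & self.mask) >> self.shift
        if key in self.entries:
            return self.entries[key]
        return None if self.pass_on else key        # pass_on: try next prio; else fall through


def run_filters(filters, tc_index):
    """Try filter instances in prio order; None means nothing matched."""
    for flt in filters:
        result = flt.classify(tc_index)
        if result is not None:
            return result
    return None


def build_chain(with_mask_filter):
    """(filters on dsmark 1:0, filters on htb 2:0) exactly as the script installs them."""
    # parent 1:0 prio 1: 'tcindex mask 0xfc shift 2' plus handles 10/12/14 -> 1:111/112/113
    dsmark_prio1 = TcindexFilter(mask=0xFC, shift=2,
                                 entries={10: 0x111, 12: 0x112, 14: 0x113})
    # parent 2:0 prio 1: 'handle 46 -> 2:10' and 'handle 1 -> 2:30 pass_on' share
    # one instance; the commented-out line would set that instance's mask/shift.
    htb_prio1 = TcindexFilter(entries={46: 0x10, 1: 0x30}, pass_on=True)
    if with_mask_filter:
        htb_prio1.mask, htb_prio1.shift = 0xF0, 4
    # parent 2:0 prio 2: 'handle 0 tcindex mask 0 -> 2:20' catches everything left over
    htb_prio2 = TcindexFilter(mask=0, shift=0, entries={0: 0x20})
    return [dsmark_prio1], [htb_prio1, htb_prio2]


def classify(tos, with_mask_filter):
    """Class minor under 2:0 (0x10 EF, 0x20 BE, 0x30 AF) a packet with this TOS lands in."""
    dsmark_filters, htb_filters = build_chain(with_mask_filter)
    tc_index = tos & ~0x03                              # set_tc_index (ECN bits cleared)
    tc_index = run_filters(dsmark_filters, tc_index)    # dsmark: tc_index = class minor
    return run_filters(htb_filters, tc_index)


CODEPOINTS = {"EF": 0xB8, "AF11": 0x28, "BE": 0x00}     # standard TOS bytes for the DSCPs
CLASS_NAMES = {0x10: "2:10 (EF)", 0x20: "2:20 (BE)", 0x30: "2:30 (AF)"}


def classification_table(with_mask_filter):
    """{'EF': '2:10 (EF)', ...} for one configuration of the script."""
    return {name: CLASS_NAMES.get(classify(tos, with_mask_filter), "none")
            for name, tos in CODEPOINTS.items()}


if __name__ == "__main__":
    for enabled in (False, True):
        print(f"mask 0xf0 shift 4 filter {'enabled' if enabled else 'commented out'}:")
        for name, cls in classification_table(enabled).items():
            print(f"  {name:5s} -> {cls}")
```

Under these assumptions the model reproduces the reported symptom: with the mask filter on, EF's tc_index 46 keys to 2 (no such handle, so pass_on drops it into BE) while AF's 0x111 keys to 1; with it off, EF matches handle 46 but AF no longer keys to 1. The two branches use different key schemes, so on this reading the EF packets would also need a dsmark class on 1:0 whose minor carries the EF selector in its high nibble.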
From mailinglists at lucassen.org Mon Apr 10 15:41:15 2006
From: mailinglists at lucassen.org (richard lucassen)
Date: Mon Apr 10 15:41:13 2006
Subject: [LARTC] Re: Trying to do some very simple ingress limiting, no success
In-Reply-To: <1144672691.3195.5.camel@localhost.localdomain>
References: <1144579998.5694.18.camel@localhost.localdomain> <4439056D.7030008@dsl.pipex.com> <1144588174.5694.27.camel@localhost.localdomain> <44390F3A.70409@dsl.pipex.com> <1144672691.3195.5.camel@localhost.localdomain>
Message-ID: <20060410154115.213b6ad0.mailinglists@lucassen.org>

On Mon, 10 Apr 2006 14:38:10 +0200
Erik Slagter wrote:

> > I didn't know there is a problem with IMQ + netfilter.
>
> You just told me ;-)
>
> The IMQ handling is done before the netfilter handling...

That's IFB, not IMQ. IFB is an intermediate functional block that appeared in kernel 2.6.16. IFB is a device, IMQ is an iptables target (and a device).

And IMQ is a kernel patch (and iptables has to be patched as well) while IFB is in the mainstream kernel.

--
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht |
| Public key and email address: |
| http://www.lucassen.org/mail-pubkey.html |
+------------------------------------------------------------------+

From forgamedev at yahoo.com Mon Apr 10 15:48:48 2006
From: forgamedev at yahoo.com (pfer)
Date: Mon Apr 10 15:48:50 2006
Subject: [LARTC] RE: packet marking: only a ratio, not all
Message-ID: <20060410134848.17949.qmail@web54305.mail.yahoo.com>

Hi Andy!

I haven't checked the iproute sources for that, but maybe I was not clear: What I need is not having ALL packets re-marked when they are overlimit, or sent to any class, etc.. I want them to be remarked at a ratio (eg. 2%). And granularity is important: if I have to re-mark with a 20% ratio, I wish to remark every 5th, and not mark 20 continuously and then not mark the other 80 continuously. (Why I need this: A protocol (RMD-QoS-NSLP) I want to implement has this syntax to signal if a link is congested to some edge nodes at the border of a domain.)

Do you have a solution for this? I believe what you suggested is not this, is it?

And I already found a 'somewhat' solution: filter actions. See my mail with subject: "action pass random determ/netrand reclassify -value-": granularity problems

With:

tc filter add dev eth0 parent X protocol ip prio Y u32 match ip src 0/0 flowid Z action continue random determ pass 5

I believe I am able to send every 5th packet to class Z (for remarking with dsmark) and the other 4/5 to the next filter (with continue), which can send the packet to the link. This results in marking 20% of all the packets this interface gets (via u32 match ip src 0/0). Do you think this works? I still have not tried. I believe "continue" gives the packet to the next filter (order determined by filter command sequence) and "pass" gives it to the "flowid Z". Or, does "pass" actually send the packet to the wire?

Thanks for the info,
Ferenc

--- Andy Furniss wrote:

> pfer wrote:
> > Hi all!
> >
> > In short:
> >
> > Anybody wrote a patch for DSMARK to make it capable of marking
> > only a ratio (a given arg to the tc command) of the packets it gets?
> > Say, 20%? Or, do I have to hack into the source?
> > Alternatives, like a filter spitting packets to 2 different
> > DSMARK based on this ratio?
> >
> > In long:
> >
> > I'm a Hungarian univ student involved in a project (RMD-QoS stuff)
> > which needs the following:
> >
> >     \            This node has 3 ingress and 1 egress link, all have for ex. 10 Mbit
> >      \           limit to their traffic.
> >       \
> >   --- node -----  Suppose ingress traffic is: 8 + 3 + 5 = 16 while the egress
> >       /           link will be congested with 10. Because this node is a simple,
> >      /            intradomain router, we would like to notify the downstream
> >     /             edge node about this congestion, to tear down some of the flows
> >                   causing it. (Congestion occurred via for. ex. a net failure)
> >
> > What the protocol (draft) says, is that the edge will be notified of the level of the congestion,
> > which will be calculated by this proportional data packet marking method, to avoid additional
> > signaling. Say, if 16 would go on a link with 10 capacity, the congested core-node will mark
> > 60% of the packets it sends to the output of the link to another DSCP.
> >
> > I thought about DSMARK first, but that is incapable of doing this stuff.
> > (or I think so :)
> > Ideas?
> >
> > PS: I did not check the archives rigorously, so sorry if I am asking trivial things.
> >
> > PS2: Since I checked not to get mails from this list, please send your answer
> > to forgamedev@yahoo.com.
>
> I am not sure I get the logic of what you are trying to do for this
> particular setup, but there are examples of using policers with meters
> shared across ingress links to dsmark overlimits packets in the iproute2
> sources.
>
> Andy.

From erik at slagter.name Mon Apr 10 15:51:47 2006
From: erik at slagter.name (Erik Slagter)
Date: Mon Apr 10 15:51:58 2006
Subject: [LARTC] Re: Trying to do some very simple ingress limiting, no success
In-Reply-To: <20060410154115.213b6ad0.mailinglists@lucassen.org>
References: <1144579998.5694.18.camel@localhost.localdomain> <4439056D.7030008@dsl.pipex.com> <1144588174.5694.27.camel@localhost.localdomain> <44390F3A.70409@dsl.pipex.com> <1144672691.3195.5.camel@localhost.localdomain> <20060410154115.213b6ad0.mailinglists@lucassen.org>
Message-ID: <1144677107.3195.13.camel@localhost.localdomain>

On Mon, 2006-04-10 at 15:41 +0200, richard lucassen wrote:
> On Mon, 10 Apr 2006 14:38:10 +0200
> Erik Slagter wrote:
>
> > > I didn't know there is a problem with IMQ + netfilter.
> >
> > You just told me ;-)
> >
> > The IMQ handling is done before the netfilter handling...
>
> That's IFB, not IMQ. IFB is an intermediate functional block that
> appeared in kernel 2.6.16. IFB is a device, IMQ is an iptables target
> (and a device)
>
> And IMQ is a kernel patch (and iptables has to be patched as well) while
> IFB is in the mainstream kernel.

Sorry for the mix-up.

Anyway, the result is the same.

Cannot use IMQ because patching iproute2 is not feasible, cannot use IFB because it's at the wrong location in the chain.

And the simple approach I wanted in the first place now works.

From mitcoiv at abv.bg Mon Apr 10 16:04:57 2006
From: mitcoiv at abv.bg (mitko ivanov)
Date: Mon Apr 10 16:04:55 2006
Subject: [LARTC] (no subject)
Message-ID: <836383194.186161144677897859.JavaMail.nobody@app8.ni.bg>

From mailinglists at lucassen.org Mon Apr 10 16:10:41 2006
From: mailinglists at lucassen.org (richard lucassen)
Date: Mon Apr 10 16:10:38 2006
Subject: [LARTC] Re: Trying to do some very simple ingress limiting, no success
In-Reply-To: <1144677107.3195.13.camel@localhost.localdomain>
References: <1144579998.5694.18.camel@localhost.localdomain> <4439056D.7030008@dsl.pipex.com> <1144588174.5694.27.camel@localhost.localdomain> <44390F3A.70409@dsl.pipex.com> <1144672691.3195.5.camel@localhost.localdomain> <20060410154115.213b6ad0.mailinglists@lucassen.org> <1144677107.3195.13.camel@localhost.localdomain>
Message-ID: <20060410161041.406c24a3.mailinglists@lucassen.org>

On Mon, 10 Apr 2006 15:51:47 +0200
Erik Slagter wrote:

> > That's IFB, not IMQ. IFB is an intermediate functional block that
> > appeared in kernel 2.6.16. IFB is a device, IMQ is an iptables target
> > (and a device)
> >
> > And IMQ is a kernel patch (and iptables has to be patched as well)
> > while IFB is in the mainstream kernel.
>
> Sorry for the mix-up.
>
> Anyway, the result is the same.
>
> Cannot use IMQ because patching iproute2 is not feasible, cannot use
> IFB because it's at the wrong location in the chain.

You don't need to patch iproute2 for IMQ, just iptables and the kernel. IMQ lives well together with all other stuff AFAIK.

R.

From erik at slagter.name Mon Apr 10 16:29:24 2006
From: erik at slagter.name (Erik Slagter)
Date: Mon Apr 10 16:29:20 2006
Subject: [LARTC] Re: Trying to do some very simple ingress limiting, no success
In-Reply-To: <20060410161041.406c24a3.mailinglists@lucassen.org>
References: <1144579998.5694.18.camel@localhost.localdomain> <4439056D.7030008@dsl.pipex.com> <1144588174.5694.27.camel@localhost.localdomain> <44390F3A.70409@dsl.pipex.com> <1144672691.3195.5.camel@localhost.localdomain> <20060410154115.213b6ad0.mailinglists@lucassen.org> <1144677107.3195.13.camel@localhost.localdomain> <20060410161041.406c24a3.mailinglists@lucassen.org>
Message-ID: <1144679364.3195.15.camel@localhost.localdomain>

On Mon, 2006-04-10 at 16:10 +0200, richard lucassen wrote:
> > Cannot use IMQ because patching iproute2 is not feasible, cannot use
> > IFB because it's at the wrong location in the chain.
>
> You don't need to patch iproute2 for IMQ, just iptables and the kernel.
> IMQ lives well together with all other stuff AFAIK.

Hmmm, if you mean the iptables program, then same story :-(

From mailinglists at lucassen.org Mon Apr 10 16:32:39 2006
From: mailinglists at lucassen.org (richard lucassen)
Date: Mon Apr 10 16:32:36 2006
Subject: [LARTC] Re: Trying to do some very simple ingress limiting, no success
In-Reply-To: <1144679364.3195.15.camel@localhost.localdomain>
References: <1144579998.5694.18.camel@localhost.localdomain> <4439056D.7030008@dsl.pipex.com> <1144588174.5694.27.camel@localhost.localdomain> <44390F3A.70409@dsl.pipex.com> <1144672691.3195.5.camel@localhost.localdomain> <20060410154115.213b6ad0.mailinglists@lucassen.org> <1144677107.3195.13.camel@localhost.localdomain> <20060410161041.406c24a3.mailinglists@lucassen.org> <1144679364.3195.15.camel@localhost.localdomain>
Message-ID: <20060410163239.366284e0.mailinglists@lucassen.org>

On Mon, 10 Apr 2006 16:29:24 +0200
Erik Slagter wrote:

> On Mon, 2006-04-10 at 16:10 +0200, richard lucassen wrote:
> > > Cannot use IMQ because patching iproute2 is not feasible, cannot
> > > use IFB because it's at the wrong location in the chain.
> >
> > You don't need to patch iproute2 for IMQ, just iptables and the
> > kernel. IMQ lives well together with all other stuff AFAIK.
>
> Hmmm, if you mean the iptables program, then same story :-(

You just create two extra .so files, that's all. The patch works well with iptables-1.3.5.

From openswan at obs.bg Mon Apr 10 16:41:22 2006
From: openswan at obs.bg (openswan)
Date: Mon Apr 10 16:40:56 2006
Subject: [LARTC] Where is the documentation for IFB ?
Message-ID: <443A6E92.1050409@obs.bg>

Hi all,

Can you tell me where the documentation for the new IFB (implemented in kernels > 2.6.16) is?

Thanks in advance!

Nikolay

From nata at cnett.com.br Mon Apr 10 18:23:37 2006
From: nata at cnett.com.br (Nataniel Klug)
Date: Mon Apr 10 18:54:17 2006
Subject: [LARTC] u32 and iptables do not work together
In-Reply-To: <20060408133754.GA26568@EIS>
References: <4436AEB8.1070300@cnett.com.br> <20060407184526.GA15414@EIS> <4436B8DD.4010909@cnett.com.br> <2af436490604071410h4e876191y513ea4aec916026@mail.gmail.com> <44379CC4.9010309@cnett.com.br> <20060408131801.GB31153@packetconsulting.pl> <20060408133754.GA26568@EIS>
Message-ID: <443A8689.1020201@cnett.com.br>

Thank you all for the answers...

Andreas Klauer wrote:
> On Sat, Apr 08, 2006 at 03:18:01PM +0200, Piotr Chytla wrote:
>
>> On Sat, Apr 08, 2006 at 08:21:40AM -0300, Nataniel Klug wrote:
>>
>>> I think it worked fine... This is my new script (below the text). I just
>>> don't know how can I know if this traffic is really going to the class I
>>> send it... hehehehe... I am marking Skype packages using L7-Filter like
>>> this:
>>>
>>>
>> If you want to see packets in class you can use sch_log, quite good
>> module, you must attach it to class and you will see every packet
>> in this class in tcpdump.
>>
>
> Or, without additional software, and a bit less of information,
> you could just have a look at the tc statistics. In case of mixed
> classes you can temporarily create an extra class for the packets
> you want to test filters on.
>
> If packets go into this class and it's the same number as are marked
> by iptables, the classification works.
>
> Regards
> Andreas Klauer

From nata at cnett.com.br Mon Apr 10 22:21:35 2006
From: nata at cnett.com.br (Nataniel Klug)
Date: Mon Apr 10 22:21:37 2006
Subject: [LARTC] I dont want to shape a host
Message-ID: <443ABE4F.7070806@cnett.com.br>

Hello all,

I am still reading about my QoS rules and I need one of my servers (that is inside my LAN but has a routing IP address) not to get into the QoS rules I have. So I want all traffic coming from or going to that specific host not to get shaped by any traffic control, and not even to get into a QoS class. How can I do this?

Att,
Nataniel Klug

From andy.furniss at dsl.pipex.com Mon Apr 10 22:33:58 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Mon Apr 10 22:33:41 2006
Subject: [LARTC] Where is the documentation for IFB ?
In-Reply-To: <443A6E92.1050409@obs.bg>
References: <443A6E92.1050409@obs.bg>
Message-ID: <443AC136.5000706@dsl.pipex.com>

openswan wrote:
> Hi all,
>
> Can you tell me where is the documentation for the new IFB (implemented
> in kernels > 2.6.16).
> Thanks in advance!

Below is a copy of Jamal's example posted on netdev.

You can use it on ingress and egress, on egress you need a classful qdisc on the interface(s) - prio should do if you are not shaping on the nic(s) you steal from.

Andy.

What this script will demonstrate is the following sequence:

1) any packet going out on eth0 to 10.0.0.229 is classified as class 1:10 and redirected to ifb0.
2) a) on reaching ifb0 the packet is classified as class 1:2
   b) subjected to a token bucket shaping of rate 20kbit/s
   c) sent back to eth0
3) on coming back to eth0, the classification 1:10 is still valid and this packet is put through an HTB classifier which limits the rate to 256Kbps

export TC="/root/tc"

$TC qdisc del dev ifb0 root handle 1: prio
$TC qdisc add dev ifb0 root handle 1: prio
$TC qdisc add dev ifb0 parent 1:1 handle 10: sfq
$TC qdisc add dev ifb0 parent 1:2 handle 20: tbf \
    rate 20kbit buffer 1600 limit 3000
$TC qdisc add dev ifb0 parent 1:3 handle 30: sfq
$TC filter add dev ifb0 parent 1: protocol ip prio 1 u32 \
    match ip dst 11.0.0.0/24 flowid 1:1
$TC filter add dev ifb0 parent 1: protocol ip prio 2 u32 \
    match ip dst 10.0.0.0/24 flowid 1:2

ifconfig ifb0 up

$TC qdisc del dev eth0 root handle 1: htb default 2
$TC qdisc add dev eth0 root handle 1: htb default 2
$TC class add dev eth0 parent 1: classid 1:1 htb rate 800Kbit
$TC class add dev eth0 parent 1: classid 1:2 htb rate 800Kbit
$TC class add dev eth0 parent 1:1 classid 1:10 htb rate 256kbit ceil 384kbit
$TC class add dev eth0 parent 1:1 classid 1:20 htb rate 512kbit ceil 648kbit
$TC filter add dev eth0 parent 1: protocol ip prio 1 u32 \
    match ip dst 10.0.0.229/32 flowid 1:10 \
    action mirred egress redirect dev ifb0

A little test (be careful if you are sshed in and are classifying on that IP, counters may be not easy to follow)

-----
A ping ...
mambo:~# ping -c2 10.0.0.229

// first at ifb0
// observe that second filter twice being successful
mambo:~# $TC -s filter show dev ifb0 parent 1:
filter protocol ip pref 1 u32
filter protocol ip pref 1 u32 fh 800: ht divisor 1
filter protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1 (rule hit 2 success 0)
  match 0b000000/ffffff00 at 16 (success 0 )
filter protocol ip pref 2 u32
filter protocol ip pref 2 u32 fh 801: ht divisor 1
filter protocol ip pref 2 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid 1:2 (rule hit 2 success 2)
  match 0a000000/ffffff00 at 16 (success 2 )

//next the qdisc numbers ..
//Observe that 1:2 has 2 packets
mambo:~# $TC -s qdisc show dev ifb0
qdisc prio 1: bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 196 bytes 2 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 10: parent 1:1 limit 128p quantum 1514b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc tbf 20: parent 1:2 rate 20000bit burst 1599b lat 546.9ms
 Sent 196 bytes 2 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 30: parent 1:3 limit 128p quantum 1514b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

// Next look at eth0
// observe class 1:10 which is where the pings went through after
// they came back from the ifb0 device.
mambo:~# $TC -s class show dev eth0
class htb 1:1 root rate 800000bit ceil 800000bit burst 1699b cburst 1699b
 Sent 196 bytes 2 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 16425 ctokens: 16425

class htb 1:10 parent 1:1 prio 0 rate 256000bit ceil 384000bit burst 1631b cburst 1647b
 Sent 196 bytes 2 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 2 borrowed: 0 giants: 0
 tokens: 49152 ctokens: 33110

class htb 1:2 root prio 0 rate 800000bit ceil 800000bit burst 1699b cburst 1699b
 Sent 47714 bytes 321 pkt (dropped 0, overlimits 0 requeues 0)
 rate 3920bit 3pps backlog 0b 0p requeues 0
 lended: 321 borrowed: 0 giants: 0
 tokens: 16262 ctokens: 16262

class htb 1:20 parent 1:1 prio 0 rate 512000bit ceil 648000bit burst 1663b cburst 1680b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 26624 ctokens: 21251

-----
mambo:~# $TC -s filter show dev eth0 parent 1:
filter protocol ip pref 1 u32
filter protocol ip pref 1 u32 fh 800: ht divisor 1
filter protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:10 (rule hit 235 success 4)
  match 0a0000e5/ffffffff at 16 (success 4 )
        action order 1: mirred (Egress Redirect to device ifb0) stolen
        index 2 ref 1 bind 1 installed 114 sec used 100 sec
        Action statistics:
        Sent 196 bytes 2 pkt (dropped 0, overlimits 0 requeues 0)
        rate 0bit 0pps backlog 0b 0p requeues 0
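To check the counters Jamal walks through without reading them by eye, here is an added example (mine, not from the post) that parses the `tc -s class show` and `tc -s filter show` output above and confirms the two pings went through class 1:10 via the mirred redirect to ifb0. The sample text is the output shown above embedded as input; the helper names are my own.

```python
import re

# Counters from the `tc -s class show dev eth0` output above (classes 1:2
# and 1:20, which the test flow never touched, are left out).
CLASS_SHOW = """\
class htb 1:1 root rate 800000bit ceil 800000bit burst 1699b cburst 1699b
 Sent 196 bytes 2 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 16425 ctokens: 16425

class htb 1:10 parent 1:1 prio 0 rate 256000bit ceil 384000bit burst 1631b cburst 1647b
 Sent 196 bytes 2 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 2 borrowed: 0 giants: 0
 tokens: 49152 ctokens: 33110
"""

# The `tc -s filter show dev eth0 parent 1:` output from the same post.
FILTER_SHOW = """\
filter protocol ip pref 1 u32
filter protocol ip pref 1 u32 fh 800: ht divisor 1
filter protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:10 (rule hit 235 success 4)
  match 0a0000e5/ffffffff at 16 (success 4 )
        action order 1: mirred (Egress Redirect to device ifb0) stolen
        index 2 ref 1 bind 1 installed 114 sec used 100 sec
        Action statistics:
        Sent 196 bytes 2 pkt (dropped 0, overlimits 0 requeues 0)
        rate 0bit 0pps backlog 0b 0p requeues 0
"""

CLASS_RE = re.compile(r"^class (\w+) (\S+) (?:parent (\S+)|root)")
SENT_RE = re.compile(r"^\s*Sent (\d+) bytes (\d+) pkt \(dropped (\d+), overlimits (\d+)")
RULE_RE = re.compile(r"flowid (\S+) \(rule hit (\d+) success (\d+)\)")
ACTION_RE = re.compile(r"action order \d+: mirred \((\w+) Redirect to device (\S+)\) (\w+)")


def parse_classes(text):
    """classid -> parent (None for root classes) and the Sent counters."""
    classes, cur = {}, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            cur = {"kind": m.group(1), "parent": m.group(3),
                   "bytes": 0, "pkts": 0, "dropped": 0, "overlimits": 0}
            classes[m.group(2)] = cur
            continue
        m = SENT_RE.match(line)
        if m and cur is not None:
            cur["bytes"], cur["pkts"], cur["dropped"], cur["overlimits"] = map(int, m.groups())
    return classes


def parse_redirects(text):
    """flowid -> rule hit/success counters plus the mirred action on that rule;
    the action's own Sent line follows the 'Action statistics:' header."""
    rules, rule, action = {}, None, None
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            rule, action = {"hit": int(m.group(2)), "success": int(m.group(3)), "action": None}, None
            rules[m.group(1)] = rule
            continue
        m = ACTION_RE.search(line)
        if m and rule is not None:
            action = {"dev": m.group(2), "verdict": m.group(3), "pkts": 0}
            rule["action"] = action
            continue
        m = SENT_RE.match(line)
        if m and action is not None:
            action["pkts"] = int(m.group(2))
    return rules


def check_redirect_path(classes, rules, flowid, dev, expect_pkts):
    """Discrepancies between the counters and the intended path: expect_pkts
    packets classified into flowid, stolen and redirected to dev, then counted
    in flowid again on the way back. An empty list means the path matches."""
    problems = []
    cls = classes.get(flowid)
    if cls is None:
        problems.append("class %s not present" % flowid)
    else:
        if cls["pkts"] != expect_pkts:
            problems.append("class %s carried %d pkt, expected %d" % (flowid, cls["pkts"], expect_pkts))
        if cls["dropped"]:
            problems.append("class %s dropped %d pkt" % (flowid, cls["dropped"]))
    rule = rules.get(flowid)
    act = rule["action"] if rule else None
    if act is None:
        problems.append("no mirred action on the filter for %s" % flowid)
        return problems
    if act["dev"] != dev or act["verdict"] != "stolen":
        problems.append("redirect goes to %s with verdict %s" % (act["dev"], act["verdict"]))
    if act["pkts"] != expect_pkts:
        problems.append("mirred redirected %d pkt, expected %d" % (act["pkts"], expect_pkts))
    # Each packet hits the eth0 filter twice: once when it is stolen and sent
    # to ifb0, once when it comes back and is classified into 1:10 again.
    if rule["success"] != 2 * act["pkts"]:
        problems.append("filter matched %d times for %d redirected pkt" % (rule["success"], act["pkts"]))
    return problems


if __name__ == "__main__":
    c, r = parse_classes(CLASS_SHOW), parse_redirects(FILTER_SHOW)
    print(check_redirect_path(c, r, "1:10", "ifb0", 2) or "ok: 2 pings via ifb0 into 1:10")
```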
From: martin-lartc at wonderfrog.net (Martin A. Brown)
Date: Tue Apr 11 03:22:50 2006
Subject: [LARTC] I dont want to shape a host
In-Reply-To: <443ABE4F.7070806@cnett.com.br>
References: <443ABE4F.7070806@cnett.com.br>
Message-ID:

Nataniel,

There are probably a handful of ways to solve this problem. Two pop to mind right away.

 : I am still reading about my QoS rules and I need that one of my
 : servers (that is in my LAN but has a routing IP address) did
 : not get into the QoS rules I have. So I want that all traffic
 : coming or going to that specific host did not get shaped by any
 : traffic control and do not get even into a QoS class. How can I
 : do this?

Option A: specify "default 0" in your HTB qdisc declaration
============================================================

If you install the HTB qdisc with a "default 0" parameter, you are telling HTB to dequeue unclassified packets as fast as the hardware will accept the packets. Here's an example:

  tc qdisc add dev eth0 root handle 1:0 htb default 0

Now, any unclassified packets will simply be dequeued as fast as your hardware can do it. If you are trying to remain the bottleneck between you and the Internet, it is quite likely that this configuration will defeat your goal.

Option B: make a deeper HTB tree
============================================================

Build the following:

  class 1:0, rate = ceil = hardware maximum bitrate
  class 2:0, rate = low, ceil = hardware maximum bitrate
  class 3:0, rate = low, ceil = maximum for everybody else

      root        +--- HTB 2:0 --- your "routing ip" (public
        |        /                  server?) goes here
        +-- HTB 1:0 ---
                  \
                   +--- HTB 3:0
                          |
                          +--- HTB 3:1
                          +--- HTB 3:2
                          +--- HTB 3:3
                          |    ...
                          +--- HTB 3:N

Now, you simply attach your filters to 1:0, like you did before, and put all traffic for your "routing ip" into the 2:0 class. If the rate on class 2:0 stays "low", but its ceiling is the same as the rate/ceil on 1:0, then you'll effectively get borrowing up to maximum available throughput for HTB 2:0.

Good luck,

-Martin

--
Martin A. Brown --- Wonderfrog Enterprises --- martin@wonderfrog.net
From: gnychis at cmu.edu (George P Nychis)
Date: Tue Apr 11 03:44:45 2006
Subject: [LARTC] created new q_disc, inserted module, tc tells me unknown qdisc
Message-ID: <1737.128.2.140.234.1144719887.squirrel@128.2.140.234>

Hi,

I am trying to install a proprietary qdisc made for research, it is not publicly released yet, however it's been used several times so i know it works.

The files included are:

q_xcp.c:
  static int xcp_parse_opt()
  static int xcp_print_opt()
  static int xcp_print_xstats()
  struct qdisc_util xcp_util = { "NULL", "xcp" ..... };

sch_xcp.c:
  static int xcp_enqueue()
  static int xcp_requeue()
  static struct sk_buff * xcp_dequeue()
  ....
  ....
  struct Qdisc_ops xcp_qdisc_ops ={ NULL,NULL,"xcp",.... };

  printk(KERN_INFO "XCP qdisc module loaded.\n");
  return register_qdisc(&xcp_qdisc_ops);

So, i make everything successfully, it creates q_xcp.so and copies it to /usr/lib and sch_xcp.o which it copies to /lib/modules/... so then I "insmod sch_xcp" and i see in dmesg:
"XCP qdisc module loaded."

I then try:
"tc qdisc add dev eth0 root xcp capacity 10Mbit limit 500" and get:
"Unknown qdisc "xc", hence option "capacity" is unparsable"

So then I read the INSTALL further to find some sort of solution and it mentions:

  This again assumes "tc" version is 2.4.7. If your "tc" is a different
  version, download the iproute2 source code, and edit Makefile to
  point "TC_INCLUDE" to "-I..../iproute2/include -I..../iproute2/tc"

So, i did that, and i recompiled the q_xcp.so:

lanthanum-ini src-1.0.1 # make q_xcp.so
cc -O2 -fPIC -I/var/tmp/portage/iproute2-2.6.11.20050310-r1/work/iproute2-2.6.11/include/ -I/var/tmp/portage/iproute2-2.6.11.20050310-r1/work/iproute2-2.6.11/tc_include -o q_xcp.o -c q_xcp.c
ld -shared -o q_xcp.so q_xcp.o
rm -f q_xcp.o

But i still get the same error.... so then my very final last effort was to move q_xcp.c to my iproute2 source code tc/ directory and added this to the makefile:

TCMODULES += q_xcp.o

Then I compiled tc, and i check tc to see if the xcp qdisc functions were loaded:

lanthanum-ini tc # nm tc | grep xcp
080531ec t xcp_parse_opt
080533e0 t xcp_print_opt
08053426 t xcp_print_xstats
08070cc0 D xcp_util

And finally:

lanthanum-ini tc # ./tc qdisc add dev ath0 root xcp capacity 54Mbit limit 500
Unknown qdisc "xcp", hence option "capacity" is unparsable

I have no clue :( I figured that putting the .so into /usr/lib would have been enough.

Sorry for the long e-mail, I hope someone can help, and thank you for your time even if you don't know the solution but read this :)

- George

From: shep at alum.mit.edu (Tim Shepard)
Date: Tue Apr 11 06:27:26 2006
Subject: [LARTC] created new q_disc, inserted module, tc tells me unknown qdisc
In-Reply-To: Your message of Mon, 10 Apr 2006 21:44:47 -0400. <1737.128.2.140.234.1144719887.squirrel@128.2.140.234>
Message-ID:

To debug this you'll probably want to have a look at the get_qdisc_kind() routine in tc/tc.c in the iproute sources and understand how it uses dlopen() to find the routines to parse the arguments to the various different qdisc implementations..

I hope this helps.

Is your xcp-implementing qdisc code available anywhere yet? Are you using the same packet format as the folks at ISI are using in their FreeBSD implementation? (They wrote an internet draft describing the XCP packet format a year or two ago.)

-Tim Shepard
 shep@alum.mit.edu
From: gnychis at cmu.edu (George Nychis)
Date: Tue Apr 11 06:33:13 2006
Subject: [LARTC] created new q_disc, inserted module, tc tells me unknown qdisc
In-Reply-To:
References:
Message-ID: <443B319B.7060407@cmu.edu>

Hey Tim,

I will take a look at that routine, it just seems no matter what I do I cannot seem to find out why it determines it does not have xcp qdisc support. I will look deeper into it.

I am not sure if it has been released to the public yet. I am using Yongguang Zhang and Tom Henderson's Linux implementation. I am also not sure if it is the same packet format as the ISI FreeBSD implementation. Tom pre-released it to me for my research on the topic, I think I will ask him if it is public yet, because if so I think I could find help a lot easier :)

I will get back to you with what I find.

Thanks!
George

Tim Shepard wrote:
> To debug this you'll probably want to have a look at the
> get_qdisc_kind() routine in tc/tc.c in the iproute sources and
> understand how it uses dlopen() to find the routines to parse the
> arguments to the various different qdisc implementations..
> [...]
From: ephemeric at gmail.com (Robert Gabriel)
Date: Tue Apr 11 09:42:12 2006
Subject: [LARTC] Re: EF & AF filters with HTB
In-Reply-To: <20060410132634.18600.qmail@web54312.mail.yahoo.com>
References: <20060410132634.18600.qmail@web54312.mail.yahoo.com>
Message-ID:

Hello Ferenc,

The big picture is to put voice in the EF class, and have AF classes & a BE class. Asterisk can mark packets, but I'm marking with 'iptables' & classifying (filtering) as per the requested help. We want HTB for the EF class to guarantee the bandwidth & to be able to borrow/lend between classes should there be no voice or data on the link. We are looking to roll this out at many sites & to partake in DS domains, hence the need to fully understand DiffServ.

My biggest issue was understanding how to filter packets to their correct classes, then I found this:

http://kabru.eecs.umich.edu/qos_network/diffserv/DiffServ_prototype/qdisc

and explained very nicely:

http://kabru.eecs.umich.edu/qos_network/diffserv/DiffServ_prototype/setting_qdisc.ps

What you have shown me is good, it's simpler & will work just as well. Look at the above link for the script, I would like to run something like that but with HTB & PFIFO for the EF class. Their explanation helps, I'm busy trying to put something together now. I haven't tried to remark packets yet so I'm unsure as to what the exact procedure is. What frustrates me is that there is no debug or logging to test scenarios.

Has anyone done voice HTB with EF, AF & BE classes?

On 10/04/06, pfer wrote:
> Hi Robert!
>
> If I get you right, you wish to use HTB at a node
> for doing some QoS for packets based on the DSCP they
> already have, and NOT marking them to have that AF,
> etc.
>
> (
> have you checked
> http://www.opalsoft.net/qos/DS-310.htm?
> he has some nice scripts
> )
>
> Why not simply use a u32 match on the TOS field for
> filtering under your main htb? Why do you need DSMARK?
> (haven't tried, but should work fine)
>
> For ex. having htb main shaper at 1:0 gives
>
> tc filter add dev eth0 parent 1:0 protocol ip prio 2
> u32 match ip tos 0xb8 0xff flowid 1:10
> (the EF htb branch is at 1:10)
>
> tc filter add dev eth0 parent 1:0 protocol ip prio 3
> u32 match ip tos 0x28 0xff flowid 1:20
> (the AF11 htb branch is at 1:20)
>
> As for bulk, create the htb main with: "default 30",
> and add a 1:30 class with needed rate + burst and
> red/sfq/etc.
> U won't need any filter for this, anything
> unclassified
> (anything other than EF or AF11) will get there.
>
> If I get you wrong, and you wish to re-mark those
> packets, I have some scripts for that, too.
>
> Contact me at forgamedev@yahoo.com, and I will send
> them to you.
>
> PS:
> since I also have some scripts to test, and they
> resemble yours, can you tell me whether they are
> correct?
>
> First I wish to re-mark packets based on u32 ip src
> match, with:
>
> tc qdisc add dev eth0 handle 1:0 root dsmark indices 4
>
> tc class change dev eth0 classid 1:1 dsmark mask 0x3
> value 0xb8
>
> ..some filters under 1:0 to send packets to 1:1 to
> remark them...
>
> and then comes a htb at 2:0 having 1:0 (the dsmark
> qdisc) as parent with few branches.
>
> Can I expect that htb qdisc at 2:0 will already have
> the effects of dsmark at 1:0 (remarked packets)?
>
> Thanks,
>
> Ferenc
From: foxy202 at gmail.com (foxy 202)
Date: Tue Apr 11 11:33:38 2006
Subject: [LARTC] strange iptables mangle problem
Message-ID:

Hi all,

I manage a network with two connections with 100Mbit. In the past, when the network wasn't so loaded, everything was OK; now in peak hours the load on the border server goes from 1.0 to 1.5 / it isn't so big / and for me it is very strange why I have an increase of ping timeout from 0.5-5 ms in normal hours to 50-100 ms in peak hours..

The server is with good hardware:

  AMD 64 Dualcore 3800+
  Intel Gigabit Ethernet
  1 GB RAM
  Debian sarge 2.6.16 #2 SMP kernel

I use about 240 mangle rules with iptables to mark download traffic and to limit it, but when I try to load more rules the server increases load and begins to drop packets :(

My question is why, when I try to load 200 new mangle rules / only mangle rules / the server load average increases and the ping timeout increases to 50-100 ms? And second, what is the better solution for networks with more than 100Mbit of traffic .. to use iptables mangle rules + u32, or to use more u32 filters and fewer mangle rules?

Actually I don't have experience with such big traffic and any advice is welcome.

Best Regards
Emil
From: ephemeric at gmail.com (Robert Gabriel)
Date: Tue Apr 11 15:05:22 2006
Subject: [LARTC] Re: EF & AF filters with HTB
In-Reply-To: <20060410132634.18600.qmail@web54312.mail.yahoo.com>
References: <20060410132634.18600.qmail@web54312.mail.yahoo.com>
Message-ID:

Hello again,

Many thanks for your help. I have done as you suggested, I can't get the other way to work. I guess keep it simple, right? We might need to remark at a later stage, I want to test this. Have you looked at http://www.opalsoft.net/qos/DS-29.htm yet?

Please could you confirm something? Is the below right in terms of flowids for the AF1 class? With another example they use flowid 1:111, flowid 1:112, flowid 1:113.

# HTB
echo -e "Installing HTB queue discipline...\n"
tc qdisc add dev $DEVICE handle 1:0 root htb
tc class add dev $DEVICE parent 1:0 classid 1:1 htb rate 128Kbit ceil 128Kbit

# EF
echo -e "Installing EF class...\n"
tc class add dev $DEVICE parent 1:1 classid 1:10 htb rate 60Kbit ceil 128Kbit
tc qdisc add dev $DEVICE parent 1:10 pfifo limit 5
tc filter add dev $DEVICE parent 1:0 protocol ip prio 1 u32 match ip tos 0xb8 0xff flowid 1:10

# AF 1
echo -e "Installing AF11, AF12, AF13 classes...\n"
tc class add dev $DEVICE parent 1:1 classid 1:11 htb rate 12Kbit ceil 128Kbit
tc qdisc add dev $DEVICE parent 1:11 gred setup DPs 3 default 2 grio
tc qdisc change dev $DEVICE parent 1:11 gred limit 60KB min 15KB max 45KB \
    burst 20 avpkt 1000 bandwidth 128Kbit DP 1 probability 0.02 prio 2
tc qdisc change dev $DEVICE parent 1:11 gred limit 60KB min 15KB max 45KB \
    burst 20 avpkt 1000 bandwidth 128Kbit DP 2 probability 0.04 prio 3
tc qdisc change dev $DEVICE parent 1:11 gred limit 60KB min 15KB max 45KB \
    burst 20 avpkt 1000 bandwidth 128Kbit DP 3 probability 0.06 prio 4
tc filter add dev $DEVICE parent 1:0 protocol ip prio 2 u32 match ip tos 0x28 0xff flowid 1:11
tc filter add dev $DEVICE parent 1:0 protocol ip prio 2 u32 match ip tos 0x30 0xff flowid 1:11
tc filter add dev $DEVICE parent 1:0 protocol ip prio 2 u32 match ip tos 0x38 0xff flowid 1:11

On 10/04/06, pfer wrote:
> Hi Robert!
>
> If I get you right, you wish to use HTB at a node
> for doing some QoS for packets based on the DSCP they
> already have, and NOT marking them to have that AF,
> etc.
> [...]
> Thanks,
>
> Ferenc

From: ydubinsky at dmpcorp.com (Yvon Dubinsky)
Date: Tue Apr 11 15:47:09 2006
Subject: [LARTC] trying to find out how much is on a drive?
Message-ID: <7.0.1.0.2.20060411093758.05e01228@dmpcorp.com>

I have a Fedora 2 machine with 2 drives in it; one has the OS and the main drive for our Samba server on it and the other is the mirror drive. What I am trying to find out is how much is on the primary drive. When I use the "du" command I get a number that seems to be off. I have the mirror drive mounted to the primary drive, and it appears as though when I do the "du" command from the root of the drive it adds in some of the files from the mirror drive. What I am trying to figure out is if there is a way to use the "du" command and exclude the mounted mirror drive in my total amount. I used the command du -ch, which gave the grand total in human form, which is what I want, but it seems to include the mirror drive also. How do I exclude it from adding in the mirror?

Thanks,

Yvon Dubinsky
e-commerce admin
From: Edwin.Whitelaw at nrvunwired.net (Edwin Whitelaw)
Date: Tue Apr 11 16:24:19 2006
Subject: [LARTC] Htb queueing problem
Message-ID: <443BBC10.20105@nrvunwired.net>

A note to confirm that "-m physdev --physdev-is-bridged" in the iptables command does enable iptables to work in a bridged environment. I was fighting the same problem and this indeed solved it. Below is my test script running on a two NIC Debian 3.1 266MHz bridge. Before adding the physdev flag, only the "tc filter" commands worked but now the iptables commands also correctly classify the packets both with the MARK and CLASSIFY approaches. Note that the tc classes were set up to give a clear indication of which class was affecting the flow.

Edwin

---------test tc script----------
#!/bin/bash
RATE=8000

#if [ x$1 = 'xstop' ]; then
if [ tc ]; then
    echo "Deleting qdisc for eth1"
    tc qdisc del dev eth1 root
fi

tc qdisc add dev eth1 root handle 1:0 htb default 90
tc class add dev eth1 parent 1:0 classid 1:1 htb rate ${RATE}kbit ceil ${RATE}kbit
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 3000kbit ceil 3000kbit
tc class add dev eth1 parent 1:1 classid 1:20 htb rate 1500kbit ceil 1500kbit
tc class add dev eth1 parent 1:1 classid 1:30 htb rate 1000kbit ceil 1000kbit
tc class add dev eth1 parent 1:1 classid 1:50 htb rate 500kbit ceil 500kbit
tc class add dev eth1 parent 1:1 classid 1:90 htb rate 256kbit ceil 256kbit

tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev eth1 parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev eth1 parent 1:30 handle 30: sfq perturb 10
tc qdisc add dev eth1 parent 1:50 handle 50: sfq perturb 10
tc qdisc add dev eth1 parent 1:90 handle 90: sfq perturb 10

#tc filter add dev eth1 parent 1:0 protocol ip u32 match ip sport 80 0xffff classid 1:10
#tc filter add dev eth1 parent 1:0 protocol ip u32 match ip sport 22 0xffff classid 1:20
#tc filter add dev eth1 parent 1:0 protocol ip u32 match ip sport 25 0xffff classid 1:50
#tc filter add dev eth1 parent 1:0 protocol ip u32 match ip sport 110 0xffff classid 1:50

iptables -F -t mangle
#out
#iptables -t mangle -A POSTROUTING -m physdev --physdev-is-bridged -p tcp --sport 80 -j MARK --set-mark 2
#iptables -t mangle -A FORWARD -o eth1 -p tcp --sport 22 -j MARK --set-mark 1
#iptables -t mangle -A FORWARD -o eth1 -p tcp --sport 25 -j MARK --set-mark 1
#iptables -t mangle -A FORWARD -o eth1 -p tcp --sport 110 -j MARK --set-mark 1
#
iptables -t mangle -A POSTROUTING -m physdev --physdev-is-bridged -p tcp --sport 80 -j CLASSIFY --set-class 1:50
iptables -t mangle -A POSTROUTING -m physdev --physdev-is-bridged -p tcp --sport 139 -j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -m physdev --physdev-is-bridged -p tcp --sport 22 -j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -m physdev --physdev-is-bridged -p tcp --sport 25 -j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -m physdev --physdev-is-bridged -p tcp --sport 110 -j CLASSIFY --set-class 1:10

#tc filter add dev eth1 parent 1:0 protocol ip handle 1 fw classid 1:10
#tc filter add dev eth1 parent 1:0 protocol ip handle 2 fw classid 1:20
#tc filter add dev eth1 parent 1:0 protocol ip handle 3 fw classid 1:30
#tc filter add dev eth1 parent 1:0 protocol ip handle 5 fw classid 1:50
#tc filter add dev eth1 parent 1:0 protocol ip handle 9 fw classid 1:90

--
<=+=+=+==+=+=+==+=+=+=+=+=+=+=+=>
Edwin Whitelaw, P.E.
New River Valley Unwired, LLC
2200 Lonesome Dove Dr
Christiansburg, VA 24073
540-239-0318
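An added example, not Edwin's or Robert's code: a small lint over tc class lines like the scripts above (Edwin's tree with RATE=8000 substituted, the HTB part of Robert's EF/AF tree, and a constructed oversubscribed tree) that flags children guaranteeing more than their parent, ceils above the parent's ceil, and an HTB with no usable default class, which as Martin explained above sends unclassified traffic out at hardware speed. The function names and unit table are mine; the rate units follow tc's kbit/mbit/kbps conventions.

```python
import re

# Class lines from Edwin's bridge script above, with RATE=8000 substituted.
EDWIN = """
tc qdisc add dev eth1 root handle 1:0 htb default 90
tc class add dev eth1 parent 1:0 classid 1:1 htb rate 8000kbit ceil 8000kbit
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 3000kbit ceil 3000kbit
tc class add dev eth1 parent 1:1 classid 1:20 htb rate 1500kbit ceil 1500kbit
tc class add dev eth1 parent 1:1 classid 1:30 htb rate 1000kbit ceil 1000kbit
tc class add dev eth1 parent 1:1 classid 1:50 htb rate 500kbit ceil 500kbit
tc class add dev eth1 parent 1:1 classid 1:90 htb rate 256kbit ceil 256kbit
"""

# The HTB part of Robert's EF/AF script earlier in the thread ($DEVICE kept).
ROBERT = """
tc qdisc add dev $DEVICE handle 1:0 root htb
tc class add dev $DEVICE parent 1:0 classid 1:1 htb rate 128Kbit ceil 128Kbit
tc class add dev $DEVICE parent 1:1 classid 1:10 htb rate 60Kbit ceil 128Kbit
tc class add dev $DEVICE parent 1:1 classid 1:11 htb rate 12Kbit ceil 128Kbit
"""

# Constructed tree that oversubscribes its parent and ceils above it.
OVERSUBSCRIBED = """
tc qdisc add dev eth0 root handle 1:0 htb default 20
tc class add dev eth0 parent 1:0 classid 1:1 htb rate 1000kbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 800kbit
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 400kbit ceil 2000kbit
"""

# tc's rate suffixes (case-insensitive); the *bps ones are bytes per second.
UNITS = {"bit": 1, "kbit": 1000, "mbit": 1000000, "gbit": 1000000000,
         "bps": 8, "kbps": 8000, "mbps": 8000000}


def parse_rate(text):
    """'3000kbit' -> 3000000 bit/s; '128Kbit' -> 128000 bit/s."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([a-z]*)", text.lower())
    if not m or (m.group(2) or "bit") not in UNITS:
        raise ValueError("cannot parse rate %r" % text)
    return int(float(m.group(1)) * UNITS[m.group(2) or "bit"])


def norm(handle):
    """'1:' and '1:0' name the same object; normalise to 'major:minor'."""
    major, _, minor = handle.partition(":")
    return "%s:%s" % (major, minor or "0")


def parse_script(script):
    """Collect HTB qdiscs (handle -> default minor) and HTB classes."""
    qdiscs, classes = {}, {}
    for line in script.splitlines():
        w = line.split()
        if w[:3] == ["tc", "qdisc", "add"] and "htb" in w:
            handle = norm(w[w.index("handle") + 1]) if "handle" in w else "0:0"
            qdiscs[handle] = w[w.index("default") + 1] if "default" in w else "0"
        elif w[:3] == ["tc", "class", "add"] and "htb" in w:
            rate = parse_rate(w[w.index("rate") + 1])
            ceil = parse_rate(w[w.index("ceil") + 1]) if "ceil" in w else rate  # HTB default
            classes[norm(w[w.index("classid") + 1])] = {
                "parent": norm(w[w.index("parent") + 1]), "rate": rate, "ceil": ceil}
    return qdiscs, classes


def lint(qdiscs, classes):
    """Warnings for guarantees the tree cannot honour and for unclassified
    traffic that would bypass shaping (HTB 'default 0' or a missing class)."""
    out = []
    for handle, default in qdiscs.items():
        major = handle.split(":")[0]
        if int(default, 0) == 0:
            out.append("qdisc %s: default 0, unclassified traffic leaves at hardware speed" % handle)
        elif norm("%s:%s" % (major, default)) not in classes:
            out.append("qdisc %s: default class %s:%s does not exist" % (handle, major, default))
    for cid, c in classes.items():
        parent = classes.get(c["parent"])
        if parent and c["ceil"] > parent["ceil"]:
            out.append("class %s: ceil %d above parent ceil %d" % (cid, c["ceil"], parent["ceil"]))
        children = sum(k["rate"] for k in classes.values() if k["parent"] == cid)
        if children > c["rate"]:
            out.append("class %s: children guarantee %d bit/s but parent rate is %d" % (cid, children, c["rate"]))
    return out


if __name__ == "__main__":
    for name, script in (("edwin", EDWIN), ("robert", ROBERT), ("constructed", OVERSUBSCRIBED)):
        print(name, lint(*parse_script(script)) or ["ok"])
```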
From: forgamedev at yahoo.com (pfer)
Date: Tue Apr 11 16:32:44 2006
Subject: [LARTC] Re: EF & AF filters with HTB
In-Reply-To:
Message-ID: <20060411143243.13767.qmail@web54305.mail.yahoo.com>

Hi Robert!

It's good to see that I could help :). It took me a while to figure things out too.

As for opalsoft.net, I suggest you read all the linux diffserv stuff, it is very useful. I based many of my scripts on what can be found there (read that site a month ago and still I find new things), though I believe some examples, like af-htb, are there for educational reasons, as he also claims it, not for practical usage.

To sum up, I would suggest to only use EF and BE, or EF and AF11 first, test it with ping/iperf/etc. and tc qdisc/class/filter -s -d show, ethereal... Only then go for complex stuff.

Script: Overall it looks good to me. Why not use 1:20 for AF if you used 1:10 for EF? Just clearer, I believe. I never used gred, so I can't help much on that.

Anyway, if you asked for that, I do not see why you would use 1:111 or such. Classids are only guidelines. parent ".." says where to attach the rule, flowid ".." says where to send the packet for classification. As your AF filters say, AF11, AF12, AF13 packets will all be directed to 1:11, and share the default 12kbit.

To add: I believe you can concatenate matches if all will direct packets to the same class, so can have a filter like:

tc filter add dev $DEVICE parent 1:0 protocol ip prio 2 u32 match ip tos 0x28 0xff match ip tos 0x30 0xff match ip tos 0x38 0xff flowid 1:11

But check this, I'm not sure.

Finally, I do not know what will happen to BE if you run this setup. Where will it go? I would create the main htb under 1:0 with default 30, to send anything unmatched (BE) to 1:30.

Hope somewhere I wrote something you wanted, or I don't get your question.

Ferenc
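As an added example (not from Robert's or Ferenc's posts), the DSCP-to-TOS arithmetic behind the 0xb8/0x28/0x30/0x38 values in Robert's script, a model of how u32 evaluates the selectors of one filter (all of them have to match, so the three concatenated tos selectors suggested above can never fire at once), and a masked single-selector form that covers AF11-AF13, and ECN-marked EF packets, in one filter. The class ids and the DSCP table are assumed from the thread; the evaluator is my model of u32, not tc's code.

```python
# DSCP code points used in the thread (RFC 2474 values). The TOS byte that
# `u32 match ip tos` inspects is DSCP << 2, with the two ECN bits below it.
DSCP = {"BE": 0, "AF11": 10, "AF12": 12, "AF13": 14, "EF": 46}


def tos_byte(dscp, ecn=0):
    """TOS/DS byte for a DSCP and optional ECN bits (ECT(0)=2, ECT(1)=1, CE=3)."""
    return ((dscp & 0x3f) << 2) | (ecn & 0x3)


def tos_filter(dev, prio, selectors, flowid, parent="1:0"):
    """Render one `tc filter ... u32` command. Every selector listed ends up in
    the same filter, and u32 requires all selectors of a filter to match."""
    sel = " ".join("match ip tos 0x%02x 0x%02x" % (v, m) for v, m in selectors)
    return ("tc filter add dev %s parent %s protocol ip prio %d u32 %s flowid %s"
            % (dev, parent, prio, sel, flowid))


def classify(tos, filters, default="1:30"):
    """Model of the u32 lookup: filters are tried in ascending prio and the
    first one whose selectors all match wins; otherwise the HTB default class."""
    for prio, selectors, flowid in sorted(filters, key=lambda f: f[0]):
        if all((tos & m) == (v & m) for v, m in selectors):
            return flowid
    return default


# Robert's filters: one selector per filter, full 0xff mask.
ROBERT = [(1, [(0xb8, 0xff)], "1:10"),
          (2, [(0x28, 0xff)], "1:11"),
          (2, [(0x30, 0xff)], "1:11"),
          (2, [(0x38, 0xff)], "1:11")]

# The three AF1x selectors concatenated into a single filter, as suggested above.
COMBINED = [(1, [(0xb8, 0xff)], "1:10"),
            (2, [(0x28, 0xff), (0x30, 0xff), (0x38, 0xff)], "1:11")]

# Single-selector alternative: mask only the class-selector bits (7..5) so every
# AF1x drop precedence matches, and ignore the ECN bits (0xfc) for EF. Note the
# 0xe0 mask also admits CS1 (tos 0x20) and every other DSCP from 8 to 15.
MASKED = [(1, [(0xb8, 0xfc)], "1:10"),
          (2, [(0x20, 0xe0)], "1:11")]


if __name__ == "__main__":
    for name, dscp in DSCP.items():
        t = tos_byte(dscp)
        print("%-4s tos=0x%02x robert=%s combined=%s masked=%s"
              % (name, t, classify(t, ROBERT), classify(t, COMBINED), classify(t, MASKED)))
    print(tos_filter("eth0", 2, [(0x20, 0xe0)], "1:11"))
```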
From: rani79 at idm.net.lb (Rani Ahmed)
Date: Tue Apr 11 17:49:28 2006
Subject: [LARTC] Shaping per IP in PPPoE
Message-ID: <443BD009.4040502@idm.net.lb>

hi all.

i am currently now serving PPPoE in my area. i had a script generated from tcng that worked perfectly before i started serving PPPoE. the issue is not in the script itself BUT in that the "tc" code is not shaping on the ethernet anymore BUT INSTEAD on the pppX devices. I tested it and, talking jargon, what should i do?

The issue is that for each PPPoE login, PPPoE-server creates on the server a pppX device. that is, 10 logins means 10 ppp devices, from ppp0 till ppp9. and one might die upon disconnection.
From: nata at cnett.com.br (Nataniel Klug)
Date: Tue Apr 11 17:58:41 2006
Subject: [LARTC] I dont want to shape a host
In-Reply-To:
References: <443ABE4F.7070806@cnett.com.br>
Message-ID: <443BD22A.50004@cnett.com.br>

Martin,

Thanks for the answer. I will study your topology and try to make this happen.

Att,

Nataniel Klug

Martin A. Brown wrote:
> Nataniel,
>
> There are probably a handful of ways to solve this problem. Two pop
> to mind right away.
> [...]
> Good luck,
>
> -Martin

From: adamt at commspeed.net (Adam M. Towarnyckyj)
Date: Tue Apr 11 19:39:21 2006
Subject: [LARTC] Problems matching by mac address
Message-ID: <48DC429CB053B64EAD91BDD1DE106A1152C375@es1.corp.commspeed.net>

Sorry for bumping this one, but I wanted to know if anyone else had any ideas as well. I'm a bit baffled as to why this isn't working.

Thanks.

Adam

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Adam M. Towarnyckyj
Sent: Friday, April 07, 2006 2:06 PM
To: lartc@mailman.ds9a.nl
Subject: RE: [LARTC] Problems matching by mac address

Hey Alexey,

Thanks for the input. I think that lack of two F's was a typo on my part but I tried it anyways and it still does not work. I also added the ceil to it with no luck. I'm a bit confused on what you meant by not having any rules to classify from root down to 12:. Can you elaborate or show me an example? As I stated before, this is pretty much the exact setup I used when I filtered by destination IP. The only thing I'm changing now is the actual filter command. Everything else has been in place for a while.

Thanks.

Adam

-----Original Message-----
From: Alexey Toptygin [mailto:alexeyt@freeshell.org]
Sent: Tuesday, April 04, 2006 3:15 PM
To: Adam M. Towarnyckyj
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Problems matching by mac address

On Tue, 4 Apr 2006, Adam M. Towarnyckyj wrote:

> I recently read on a prior post as well as the FAQ that packets can be
> limited by mac address using the u32 filter. I attempted this and, while
> all the commands went through with no errors, it is not limiting at all.
> I'm attempting to limit all IP traffic to a specific destination mac
> address (00:12:3f:05:43:7f). Here is a quick rundown of the commands
> I've used:

Not sure that this will help, but

> tc qdisc add dev eth1 parent 1:2 handle 12: htb
> tc class add dev eth1 parent 12: classid 12:10 htb rate 128kbit

no ceil?

> tc filter add dev eth1 protocol ip parent 12: prio 5 u32 match u16
> 0x0800 0xFFFF at -2 match u32 0x3f05437f 0xFFFFFF at -12 match u16
> 0x0012 0xFFFF at -14 flowid 12:10

Shouldn't that be "match u32 0x3f05437f 0xFFFFFFFF at -12" (2 more Fs)

Also, what you sent didn't have any rules to classify from root down to 12: so the above filter won't be consulted...

Alexey
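An added example, not from Adam's or Alexey's posts: building the three u32 selectors for a destination MAC from the negative offsets used above (-14, -12 and -2 relative to the IP header of an Ethernet frame) and evaluating them against constructed frames, which shows what the 6-F mask of the first attempt matches compared with Alexey's 8-F version. The frame builder and the evaluator are my own model of u32's `(field & mask) == value` check; the MAC is the one from the thread.

```python
import struct

ETH_HLEN = 14  # dst MAC bytes 0-5, src MAC 6-11, ethertype 12-13; IP header at 14


def mac_selectors(mac, full_mask=True):
    """u32 selectors (kind, value, mask, offset) for destination MAC `mac`,
    written at negative offsets from the IP header as in the thread:
    -14 = frame byte 0, -12 = frame byte 2, -2 = the ethertype.
    full_mask=False reproduces the 6-F mask of the first attempt."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("bad MAC %r" % mac)
    hi, lo = struct.unpack(">HI", raw)
    return [
        ("u16", 0x0800, 0xFFFF, -2),                                 # ethertype IPv4
        ("u32", lo, 0xFFFFFFFF if full_mask else 0xFFFFFF, -12),     # MAC bytes 2..5
        ("u16", hi, 0xFFFF, -14),                                    # MAC bytes 0..1
    ]


def render(selectors, dev="eth1", parent="12:", prio=5, flowid="12:10"):
    """The tc command line for the selectors, in the form used in the thread."""
    parts = []
    for kind, value, mask, off in selectors:
        width = {"u8": 2, "u16": 4, "u32": 8}[kind]
        parts.append("match %s 0x%0*x 0x%0*x at %d" % (kind, width, value, width, mask, off))
    return ("tc filter add dev %s protocol ip parent %s prio %d u32 %s flowid %s"
            % (dev, parent, prio, " ".join(parts), flowid))


def frame(dst_mac, src_mac="00:11:22:33:44:55", ethertype=0x0800):
    """Constructed Ethernet frame with a minimal, zeroed 20-byte IPv4 header."""
    hdr = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack(">H", ethertype))
    return hdr + bytes([0x45]) + bytes(19)


def matches(frame_bytes, selectors, ip_offset=ETH_HLEN):
    """Model of u32 evaluation: every selector must satisfy
    (field & mask) == (value & mask) at its offset relative to the IP header."""
    for kind, value, mask, off in selectors:
        size = {"u8": 1, "u16": 2, "u32": 4}[kind]
        start = ip_offset + off
        if start < 0 or start + size > len(frame_bytes):
            return False
        field = int.from_bytes(frame_bytes[start:start + size], "big")
        if (field & mask) != (value & mask):
            return False
    return True


if __name__ == "__main__":
    strict = mac_selectors("00:12:3f:05:43:7f")
    loose = mac_selectors("00:12:3f:05:43:7f", full_mask=False)
    print(render(strict))
    for mac in ("00:12:3f:05:43:7f", "00:12:aa:05:43:7f"):
        print(mac, "strict:", matches(frame(mac), strict), "loose:", matches(frame(mac), loose))
```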
From: shemminger at osdl.org (Stephen Hemminger)
Date: Tue Apr 11 20:16:46 2006
Subject: [LARTC] Re: created new q_disc, inserted module, tc tells me unknown qdisc
In-Reply-To: <1707.128.2.140.234.1144719699.squirrel@128.2.140.234>
References: <1707.128.2.140.234.1144719699.squirrel@128.2.140.234>
Message-ID: <20060411111644.59573edc@localhost.localdomain>

On Mon, 10 Apr 2006 21:41:39 -0400 (EDT) "George P Nychis" wrote:

> Hi,
>
> I am trying to install a proprietary qdisc made for research, it is not publicly released yet, however it's been used several times so i know it works.
> [...]
> So, i make everything successfully, it creates q_xcp.so and copies it to /usr/lib and sch_xcp.o which it copies to /lib/modules/... so then I "insmod sch_xcp" and i see in dmesg:
> "XCP qdisc module loaded."
>
> I then try:
> "tc qdisc add dev eth0 root xcp capacity 10Mbit limit 500" and get:
> "Unknown qdisc "xcp", hence option "capacity" is unparsable"
> [...]
> I have no clue :( I figured that putting the .so into /usr/lib would have been enough.
>
> - George

The .so needs to go in /usr/lib/tc (assuming you are running a relatively recent version of the iproute2 tools). Read the source to tc.c where it calls dlopen.
From: gnychis at cmu.edu (George P Nychis)
Date: Tue Apr 11 21:26:50 2006
Subject: [LARTC] Re: created new q_disc, inserted module, tc tells me unknown qdisc
In-Reply-To: <20060411111644.59573edc@localhost.localdomain>
References: <1707.128.2.140.234.1144719699.squirrel@128.2.140.234> <20060411111644.59573edc@localhost.localdomain>
Message-ID: <3568.128.2.140.234.1144783610.squirrel@128.2.140.234>

> On Mon, 10 Apr 2006 21:41:39 -0400 (EDT) "George P Nychis" wrote:
>
>> Hi,
>>
>> I am trying to install a proprietary qdisc made for research, it is not
>> publically released yet, however its been used several times so i know
>> it works.
>>
>> The files included are:
>> q_xcp.c:
>> static int xcp_parse_opt()
>> static int xcp_print_opt()
>> static int xcp_print_xstats()
>> struct qdisc_util xcp_util = { "NULL", "xcp" ..... };
>>
>> sch_xcp.c:
>> static int xcp_enqueue()
>> static int xcp_requeue()
>> static struct sk_buff * xcp_dequeue()
>> ....
>> ....
>> struct Qdisc_ops xcp_qdisc_ops ={ NULL,NULL,"xcp",.... };
>>
>> printk(KERN_INFO "XCP qdisc module loaded.\n");
>> return register_qdisc(&xcp_qdisc_ops);
>>
>> So, i make everything successfully, it creates q_xcp.so and copies it
>> to /usr/lib and sch_xcp.o which it copies to /lib/modules/... so then I
>> "insmod sch_xcp" and i see in dmesg: "XCP qdisc module loaded."
>>
>> I then try: "tc qdisc add dev eth0 root xcp capacity 10Mbit limit 500"
>> and get: "Unknown qdisc "xcp", hence option "capacity" is unparsable"
>>
>> So then I read the INSTALL further to find some sort of solution and it
>> mentions: This again assumes "tc" version is 2.4.7. If your "tc" is a
>> different version, download the iproute2 source code, and edit Makefile
>> to point "TC_INCLUDE" to "-I..../iproute2/include -I..../iproute2/tc"
>>
>> So, i did that, and i recompiled the q_xcp.so:
>> lanthanum-ini src-1.0.1 # make q_xcp.so
>> cc -O2 -fPIC -I/var/tmp/portage/iproute2-2.6.11.20050310-r1/work/iproute2-2.6.11/include/ -I/var/tmp/portage/iproute2-2.6.11.20050310-r1/work/iproute2-2.6.11/tc_include -o q_xcp.o -c q_xcp.c
>> ld -shared -o q_xcp.so q_xcp.o
>> rm -f q_xcp.o
>>
>> But i still get the same error.... so then my very final last effort
>> was to move q_xcp.c to my iproute2 source code tc/ directory and added
>> this to the makefile: TCMODULES += q_xcp.o
>>
>> Then I compiled tc, and i check tc to see if the xcp qdisc functions
>> were loaded:
>> lanthanum-ini tc # nm tc | grep xcp
>> 080531ec t xcp_parse_opt
>> 080533e0 t xcp_print_opt
>> 08053426 t xcp_print_xstats
>> 08070cc0 D xcp_util
>>
>> And finally:
>> lanthanum-ini tc # ./tc qdisc add dev ath0 root xcp capacity 54Mbit limit 500
>> Unknown qdisc "xcp", hence option "capacity" is unparsable
>>
>> I have no clue :( I figured that putting the .so into /usr/lib would
>> have been enough. Sorry for the long e-mail, I hope someone can help,
>> and thank you for your time even if you don't know the solution but
>> read this :)
>>
>> - George
>
> The .so needs to go in /usr/lib/tc (assuming you are running relatively
> recent version of iproute2 tools).
>
> Read source to tc.c where it calls dlopen.

Still didn't seem to solve the problem :\

In my tc.c i have:
snprintf(buf, sizeof(buf), "/usr/lib/tc/q_%s.so", str);

Also:
lanthanum-ini tc # ls /usr/lib/tc
experimental.dist normal.dist pareto.dist paretonormal.dist q_netem.so q_xcp.so

And finally:
lanthanum-ini tc # tc qdisc add dev ath0 root xcp capacity 54Mbit limit 500
Unknown qdisc "xcp", hence option "capacity" is unparsable

Maybe i should add debugging in tc.c and see if it sees the .so and fails to load it or something.

Any other suggestions?

Thanks for all the responses,
George

From: gnychis at cmu.edu (George P Nychis)
Date: Tue Apr 11 21:53:25 2006
Subject: [LARTC] Re: created new q_disc, inserted module, tc tells me unknown qdisc
In-Reply-To: <3568.128.2.140.234.1144783610.squirrel@128.2.140.234>
References: <1707.128.2.140.234.1144719699.squirrel@128.2.140.234> <20060411111644.59573edc@localhost.localdomain> <3568.128.2.140.234.1144783610.squirrel@128.2.140.234>
Message-ID: <3650.128.2.140.234.1144785208.squirrel@128.2.140.234>

I am getting closer... I added debugging, and noticed that it looks for:
snprintf(buf, sizeof(buf), "%s_qdisc_util", str);

However in q_xcp.c it had:
struct qdisc_util xcp_util = {

so I changed that to xcp_qdisc_util, and now i run tc:
lanthanum-ini tc # tc qdisc add dev ath0 root xcp capacity 54Mbit limit 100
Segmentation fault

This happens on this line:
q = dlsym(dlh, buf);

Since this is very hard for people to help me without the source code, i did ask the author if it has been released publicly and am waiting for a response. In the meantime, it seems as though maybe instead of trying to get this to work with a newer version of tc, i should install an old version of tc that the module was originally made for.

Though if anyone else has ideas let me know.

Thanks for all the help
- George

>> On Mon, 10 Apr 2006 21:41:39 -0400 (EDT) "George P Nychis" wrote:
>>
>>> Hi,
>>>
>>> I am trying to install a proprietary qdisc made for research, it is
>>> not publically released yet, however its been used several times so i
>>> know it works.
>>>
>>> The files included are:
>>> q_xcp.c:
>>> static int xcp_parse_opt()
>>> static int xcp_print_opt()
>>> static int xcp_print_xstats()
>>> struct qdisc_util xcp_util = { "NULL", "xcp" ..... };
>>>
>>> sch_xcp.c:
>>> static int xcp_enqueue()
>>> static int xcp_requeue()
>>> static struct sk_buff * xcp_dequeue()
>>> ....
>>> ....
>>> struct Qdisc_ops xcp_qdisc_ops ={ NULL,NULL,"xcp",.... };
>>>
>>> printk(KERN_INFO "XCP qdisc module loaded.\n");
>>> return register_qdisc(&xcp_qdisc_ops);
>>>
>>> So, i make everything successfully, it creates q_xcp.so and copies it
>>> to /usr/lib and sch_xcp.o which it copies to /lib/modules/... so
>>> then I "insmod sch_xcp" and i see in dmesg: "XCP qdisc module loaded."
>>>
>>> I then try: "tc qdisc add dev eth0 root xcp capacity 10Mbit limit
>>> 500" and get: "Unknown qdisc "xcp", hence option "capacity" is
>>> unparsable"
>>>
>>> So then I read the INSTALL further to find some sort of solution and
>>> it mentions: This again assumes "tc" version is 2.4.7. If your "tc"
>>> is a different version, download the iproute2 source code, and edit
>>> Makefile to point "TC_INCLUDE" to "-I..../iproute2/include
>>> -I..../iproute2/tc"
>>>
>>> So, i did that, and i recompiled the q_xcp.so:
>>> lanthanum-ini src-1.0.1 # make q_xcp.so
>>> cc -O2 -fPIC -I/var/tmp/portage/iproute2-2.6.11.20050310-r1/work/iproute2-2.6.11/include/ -I/var/tmp/portage/iproute2-2.6.11.20050310-r1/work/iproute2-2.6.11/tc_include -o q_xcp.o -c q_xcp.c
>>> ld -shared -o q_xcp.so q_xcp.o
>>> rm -f q_xcp.o
>>>
>>> But i still get the same error.... so then my very final last effort
>>> was to move q_xcp.c to my iproute2 source code tc/ directory and
>>> added this to the makefile: TCMODULES += q_xcp.o
>>>
>>> Then I compiled tc, and i check tc to see if the xcp qdisc functions
>>> were loaded:
>>> lanthanum-ini tc # nm tc | grep xcp
>>> 080531ec t xcp_parse_opt
>>> 080533e0 t xcp_print_opt
>>> 08053426 t xcp_print_xstats
>>> 08070cc0 D xcp_util
>>>
>>> And finally:
>>> lanthanum-ini tc # ./tc qdisc add dev ath0 root xcp capacity 54Mbit limit 500
>>> Unknown qdisc "xcp", hence option "capacity" is unparsable
>>>
>>> I have no clue :( I figured that putting the .so into /usr/lib would
>>> have been enough. Sorry for the long e-mail, I hope someone can
>>> help, and thank you for your time even if you don't know the solution
>>> but read this :)
>>>
>>> - George
>>
>> The .so needs to go in /usr/lib/tc (assuming you are running relatively
>> recent version of iproute2 tools).
>>
>> Read source to tc.c where it calls dlopen.
>
> Still didn't seem to solve the problem :\
>
> In my tc.c i have: snprintf(buf, sizeof(buf), "/usr/lib/tc/q_%s.so", str);
>
> Also: lanthanum-ini tc # ls /usr/lib/tc experimental.dist normal.dist
> pareto.dist paretonormal.dist q_netem.so q_xcp.so
>
> And finally: lanthanum-ini tc # tc qdisc add dev ath0 root xcp capacity
> 54Mbit limit 500 Unknown qdisc "xcp", hence option "capacity" is
> unparsable
>
> Maybe i should add debugging in tc.c and see if it sees the .so and fails
> to load it or something.
>
> Any other suggestions?
>
> Thanks for all the responses, George

From: martin-lartc at wonderfrog.net (Martin A. Brown)
Date: Tue Apr 11 22:03:16 2006
Subject: [LARTC] Shaping per IP in PPPoE
In-Reply-To: <443BD009.4040502@idm.net.lb>
References: <443BD009.4040502@idm.net.lb>
Message-ID:

Hello Rani,

 : i am currently now serving PPPoE in my area. i had a script
 : generated from tcng that worked perfectly before i started
 : serving PPPoE. the issue is not in the script it self BUT in that
 : "tc" code is not shaping on the ethernet anymore BUT INSTEAD on
 : the pppX devices. I tested it and talking jargon, what should i
 : do?
 :
 : The issue is that for each PPPoE login, PPPoE-server creates on
 : the server a pppX device. that is 10 logins means 10 ppp devices.
 : from ppp0 till ppp9. and one might die upon disconnection.

I'd suggest simply using the pppoe ip-up configuration scripts to call the appropriate tc or tcng commands. Since ip-up should be called something like this:

  ip-up ppp0 $TTY $SPEED 192.168.0.4 10.0.0.4 $OTHER

Is ip-up called by YOUR pppoe-server binary? I am not able to test this.

you should be able to create a script that would either execute tc commands or create a tcng file on the fly. I created the basic structure of such a script below, although you could probably add/replace your own shell functions (tc_sfq, tc_my_complex_config) with a much more complex traffic control configuration.

Good luck,

-Martin

#! /bin/bash
#
# -- add queuing to an interface brought up by pppd, 2006-04-11; -MAB
# GPL
#
# ip-up arguments: interface, tty, speed, local IP, remote IP, ...
dev="$1" && shift
pty="$1" && shift
spd="$1" && shift
lip="$1" && shift
rip="$1" && shift

logger () { command logger -it "${0##*/}" -- "$@" ; }
abort  () { logger "$@" ; exit 1 ; }

# -- emit the tc commands for a plain token bucket filter on the interface
#    (replace or extend with your own tc_sfq, tc_my_complex_config, ...)
tc_tbf () {
  local dev="$1" && shift
  local lip="$1" && shift
  local rip="$1" && shift
  test "$dev" = "" && abort "${FUNCNAME}() called with no device name"
  test "$lip" = "" && abort "${FUNCNAME}() called with no local IP"
  test "$rip" = "" && abort "${FUNCNAME}() called with no remote IP"
  cat <<-EOTC
tc qdisc add dev $dev root handle 1:0 tbf rate 1544kbit limit 20kB burst 3kB
EOTC
}

# -- run all commands in a single shell that we instruct to quit on any error
#
tc_tbf "$dev" "$lip" "$rip" | bash -e

# -- did the shell complete successfully?
#
test "$?" -gt 0 && abort "Could not install traffic control on $dev."
logger "Installed traffic control configuration on $dev."

# -- end of file --

--
Martin A. Brown --- Wonderfrog Enterprises --- martin@wonderfrog.net

From: pawan7000 at yahoo.com (Pawan Bajaj)
Date: Tue Apr 11 22:09:24 2006
Subject: [LARTC] HTB statistics granularity
Message-ID: <20060411200921.76301.qmail@web50008.mail.yahoo.com>

Hi,

I am running HTB and using the following command to get rate and pps statistics:

  tc -s class show dev eth0

However what I am seeing is that if I run the command over and over again, I see the sent bytes and sent packets increment however the rate and pps have the following issues:

1. The rate and pps values only seem to update after every 15 seconds
2. They do not show until about after five seconds that the traffic has been running?
3. If I run traffic constantly at 1500 kbps and then stop it, it takes about 3 to 4 minutes for the rate to go back to 0 kbps.

Does anyone know:
a) How are the rate and pps being calculated?
b) Is there a way to get a precise rate and pps for the last 10 seconds? (issue of rate taking 3-4 mins to get to zero as opposed to instantly)

Thanks in advance!

From: shep at alum.mit.edu (Tim Shepard)
Date: Tue Apr 11 22:29:51 2006
Subject: [LARTC] Re: created new q_disc, inserted module, tc tells me unknown qdisc
In-Reply-To: Your message of Tue, 11 Apr 2006 15:26:50 -0400. <3568.128.2.140.234.1144783610.squirrel@128.2.140.234>
Message-ID:

> Maybe i should add debugging in tc.c and see if it sees the .so and fails to load it or something.

Yes. I would do that next. Compile tc with -g and then run it under gdb and step through that part to see what happens.

-Tim Shepard
shep@alum.mit.edu

From: jody.shumaker at gmail.com (Jody Shumaker)
Date: Tue Apr 11 22:34:28 2006
Subject: [LARTC] HTB statistics granularity
In-Reply-To: <20060411200921.76301.qmail@web50008.mail.yahoo.com>
References: <20060411200921.76301.qmail@web50008.mail.yahoo.com>
Message-ID: <2af436490604111334n79216ef0q4f283510f740c17f@mail.gmail.com>

> b) Is there a way to get a precise rate and pps for the last 10 seconds?
> (issue of rate taking 3-4 mins to get to zero as opposed to instantly)

Run the command, record the number of bytes and packets sent. (tc -s class show dev ppp0)
Wait exactly 10 seconds (sleep 10)
Run the command again, record the new values (tc -s class show dev ppp0)
Compare the difference between the bytes and packets sent, divide by 10.

As to the rest of your questions, I have no idea. I've only ever used the rate from the command to get a rough idea of the current rate. Otherwise I use the bytes sent measurement to generate some rrdgraphs, in which case doing measurements of bytes sent every 60 seconds is perfectly accurate for those 60 seconds as long as roll-over hasn't occurred.

- Jody

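The two-sample procedure Jody describes, written out as an added shell example (not code from Jody's or Pawan's messages). It parses the "Sent N bytes M pkt" line of one class out of two `tc -s class show` captures, computes the mean kbit/s and pps over the interval, and refuses the interval when a counter went backwards (class re-added, or the roll-over Jody mentions). The two captures below are constructed sample output, not real measurements; `live_rate` is the only part that touches the running kernel.

```shell
#!/bin/sh
# Added example: mean rate of one HTB class over an interval from two
# "tc -s class show" samples, instead of the kernel's smoothed "rate/pps" field.

# Constructed sample output (not real captures) of
#   tc -s class show dev ppp0
# taken 10 seconds apart while ~1500 kbit/s of 1500-byte packets flowed in 1:1.
SAMPLE_T0='class htb 1:1 root rate 1500Kbit ceil 1500Kbit burst 1599b cburst 1599b
 Sent 1875000 bytes 1250 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
class htb 1:2 root rate 512Kbit ceil 512Kbit burst 1599b cburst 1599b
 Sent 4000 bytes 40 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0'
SAMPLE_T1='class htb 1:1 root rate 1500Kbit ceil 1500Kbit burst 1599b cburst 1599b
 Sent 3750000 bytes 2500 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
class htb 1:2 root rate 512Kbit ceil 512Kbit burst 1599b cburst 1599b
 Sent 4000 bytes 40 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0'

# sent_counters CLASSID OUTPUT -> "bytes packets" from that class's Sent line
sent_counters() {
    printf '%s\n' "$2" | awk -v id="$1" '
        $1 == "class" && $3 == id { want = 1; next }
        want && $1 == "Sent"      { print $2, $4; exit }'
}

# rate_between CLASSID OUTPUT_T0 OUTPUT_T1 SECONDS -> "kbit/s pps"
# Returns 1 when the class is missing or a counter went backwards (the class
# was deleted and re-added, or a 32-bit counter rolled over).
rate_between() {
    c0=$(sent_counters "$1" "$2"); c1=$(sent_counters "$1" "$3"); secs=$4
    [ -n "$c0" ] && [ -n "$c1" ] || return 1
    b0=${c0% *}; p0=${c0#* }
    b1=${c1% *}; p1=${c1#* }
    if [ "$b1" -lt "$b0" ] || [ "$p1" -lt "$p0" ]; then
        echo "counters went backwards; discard this interval" >&2
        return 1
    fi
    echo "$(( (b1 - b0) * 8 / secs / 1000 )) $(( (p1 - p0) / secs ))"
}

# live_rate DEV CLASSID SECONDS -> same, measured on the running kernel
live_rate() {
    t0=$(tc -s class show dev "$1")
    sleep "$3"
    t1=$(tc -s class show dev "$1")
    rate_between "$2" "$t0" "$t1" "$3"
}

rate_between 1:1 "$SAMPLE_T0" "$SAMPLE_T1" 10    # 1500 125
rate_between 1:2 "$SAMPLE_T0" "$SAMPLE_T1" 10    # 0 0
```

Integer arithmetic truncates, so a 10 s interval resolves to whole kbit/s and whole pps; for finer resolution lengthen the interval rather than shortening it, which also keeps the measurement independent of the kernel's own estimator settling time.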
From: dunadanmontaraz at hotmail.com (Roberto Scattini)
Date: Wed Apr 12 03:04:39 2006
Subject: [LARTC] Shaping per IP in PPPoE
In-Reply-To: <443BD009.4040502@idm.net.lb>
Message-ID:

hi, i use the roaringpenguin pppoe-server and limit the bandwidth per interface with this script:
(i'm using freeradius plugins too, that's the reason for the /var/run/radattr.pppx file)

(/etc/ppp/ip-up.d/0pppx_up)

#!/bin/sh
# $1 is the ppp interface; the radius attributes for it are in /var/run/radattr.$1
DOWN=`cat /var/run/radattr.$1 | grep 'RP-Downstream-Speed-Limit' | cut -d ' ' -f 2`
UP=`cat /var/run/radattr.$1 | grep 'RP-Upstream-Speed-Limit' | cut -d ' ' -f 2`

# limit Download Bandwidth with a simple htb qdisc and class (add QoS here?...)
/sbin/tc qdisc add dev $1 root handle 1: htb default 1
/sbin/tc class add dev $1 parent 1: classid 1:1 htb rate ${DOWN}kbit ceil ${DOWN}kbit burst 1540

# police Upload Bandwidth on ingress
/sbin/tc qdisc add dev $1 handle ffff: ingress
/sbin/tc filter add dev $1 parent ffff: protocol ip prio 50 u32 \
   match ip src 0.0.0.0/0 \
   police rate ${UP}kbit burst 10k drop flowid :1

and have another script for deleting the rules (/etc/ppp/ip-down.d/0pppx_down):

#!/bin/sh
/sbin/tc qdisc del dev $1 root
/sbin/tc qdisc del dev $1 ingress

ppp executes these scripts each time an interface gets up or down.

hope it helps.

Roberto Scattini

From: Rani Ahmed
To: lartc@mailman.ds9a.nl
Subject: [LARTC] Shaping per IP in PPPoE
Date: Tue, 11 Apr 2006 18:49:29 +0300

hi all.

i am currently now serving PPPoE in my area. i had a script generated from tcng that worked perfectly before i started serving PPPoE. the issue is not in the script it self BUT in that "tc" code is not shaping on the ethernet anymore BUT INSTEAD on the pppX devices. I tested it and talking jargon, what should i do?

The issue is that for each PPPoE login, PPPoE-server creates on the server a pppX device. that is 10 logins means 10 ppp devices. from ppp0 till ppp9. and one might die upon disconnection.

From: gypsy at iswest.com (gypsy)
Date: Wed Apr 12 03:10:46 2006
Subject: [LARTC] created new q_disc, inserted module, tc tells me unknown qdisc
References: <1737.128.2.140.234.1144719887.squirrel@128.2.140.234>
Message-ID: <443C5390.C6BFA3CB@iswest.com>

George P Nychis wrote:
>
> Hi,
>
> I am trying to install a proprietary qdisc made for research, it is not publically released yet, however its been used several times so i know it works.
>
> The files included are:
> q_xcp.c:
> static int xcp_parse_opt()
> static int xcp_print_opt()
> static int xcp_print_xstats()
> struct qdisc_util xcp_util = { "NULL", "xcp" ..... };
>
> sch_xcp.c:
> static int xcp_enqueue()
> static int xcp_requeue()
> static struct sk_buff * xcp_dequeue()
> ....
> ....
> struct Qdisc_ops xcp_qdisc_ops ={ NULL,NULL,"xcp",.... };
>
> printk(KERN_INFO "XCP qdisc module loaded.\n");
> return register_qdisc(&xcp_qdisc_ops);
>
> So, i make everything successfully, it creates q_xcp.so and copies it to /usr/lib and sch_xcp.o which it copies to /lib/modules/... so then I "insmod sch_xcp" and i see in dmesg:
> "XCP qdisc module loaded."
>
> I then try:
> "tc qdisc add dev eth0 root xcp capacity 10Mbit limit 500" and get:
> "Unknown qdisc "xcp", hence option "capacity" is unparsable"
>
> So then I read the INSTALL further to find some sort of solution and it mentions:
> This again assumes "tc" version is 2.4.7. If your "tc" is a different
> version, download the iproute2 source code, and edit Makefile to
> point "TC_INCLUDE" to "-I..../iproute2/include -I..../iproute2/tc"
>
> So, i did that, and i recompiled the q_xcp.so:
> lanthanum-ini src-1.0.1 # make q_xcp.so
> cc -O2 -fPIC -I/var/tmp/portage/iproute2-2.6.11.20050310-r1/work/iproute2-2.6.11/include/ -I/var/tmp/portage/iproute2-2.6.11.20050310-r1/work/iproute2-2.6.11/tc_include -o q_xcp.o -c q_xcp.c
> ld -shared -o q_xcp.so q_xcp.o
> rm -f q_xcp.o
>
> But i still get the same error.... so then my very final last effort was to move q_xcp.c to my iproute2 source code tc/ directory and added this to the makefile:
> TCMODULES += q_xcp.o
>
> Then I compiled tc, and i check tc to see if the xcp qdisc functions were loaded:
> lanthanum-ini tc # nm tc | grep xcp
> 080531ec t xcp_parse_opt
> 080533e0 t xcp_print_opt
> 08053426 t xcp_print_xstats
> 08070cc0 D xcp_util
>
> And finally:
> lanthanum-ini tc # ./tc qdisc add dev ath0 root xcp capacity 54Mbit limit 500
> Unknown qdisc "xcp", hence option "capacity" is unparsable
>
> I have no clue :( I figured that putting the .so into /usr/lib would have been enough. Sorry for the long e-mail, I hope someone can help, and thank you for your time even if you don't know the solution but read this :)
>
> - George

George,

Please show us iproute/include/linux/pkt_sched.h

There shouldn't be anything there the author wishes to keep private.
--
gypsy

From: gnychis at cmu.edu (George P Nychis)
Date: Wed Apr 12 03:41:03 2006
Subject: [LARTC] created new q_disc, inserted module, tc tells me unknown qdisc
In-Reply-To: <443C5390.C6BFA3CB@iswest.com>
References: <1737.128.2.140.234.1144719887.squirrel@128.2.140.234> <443C5390.C6BFA3CB@iswest.com>
Message-ID: <1132.128.2.140.234.1144806062.squirrel@128.2.140.234>

> George P Nychis wrote:
>>
>> Hi,
>>
>> I am trying to install a proprietary qdisc made for research, it is not
>> publically released yet, however its been used several times so i know
>> it works.
>>
>> The files included are:
>> q_xcp.c:
>> static int xcp_parse_opt()
>> static int xcp_print_opt()
>> static int xcp_print_xstats()
>> struct qdisc_util xcp_util = { "NULL", "xcp" ..... };
>>
>> sch_xcp.c:
>> static int xcp_enqueue()
>> static int xcp_requeue()
>> static struct sk_buff * xcp_dequeue()
>> ....
>> ....
>> struct Qdisc_ops xcp_qdisc_ops ={ NULL,NULL,"xcp",.... };
>>
>> printk(KERN_INFO "XCP qdisc module loaded.\n");
>> return register_qdisc(&xcp_qdisc_ops);
>>
>> So, i make everything successfully, it creates q_xcp.so and copies it
>> to /usr/lib and sch_xcp.o which it copies to /lib/modules/... so then I
>> "insmod sch_xcp" and i see in dmesg: "XCP qdisc module loaded."
>>
>> I then try: "tc qdisc add dev eth0 root xcp capacity 10Mbit limit 500"
>> and get: "Unknown qdisc "xcp", hence option "capacity" is unparsable"
>>
>> So then I read the INSTALL further to find some sort of solution and it
>> mentions: This again assumes "tc" version is 2.4.7. If your "tc" is a
>> different version, download the iproute2 source code, and edit Makefile
>> to point "TC_INCLUDE" to "-I..../iproute2/include -I..../iproute2/tc"
>>
>> So, i did that, and i recompiled the q_xcp.so:
>> lanthanum-ini src-1.0.1 # make q_xcp.so
>> cc -O2 -fPIC -I/var/tmp/portage/iproute2-2.6.11.20050310-r1/work/iproute2-2.6.11/include/ -I/var/tmp/portage/iproute2-2.6.11.20050310-r1/work/iproute2-2.6.11/tc_include -o q_xcp.o -c q_xcp.c
>> ld -shared -o q_xcp.so q_xcp.o
>> rm -f q_xcp.o
>>
>> But i still get the same error.... so then my very final last effort
>> was to move q_xcp.c to my iproute2 source code tc/ directory and added
>> this to the makefile: TCMODULES += q_xcp.o
>>
>> Then I compiled tc, and i check tc to see if the xcp qdisc functions
>> were loaded:
>> lanthanum-ini tc # nm tc | grep xcp
>> 080531ec t xcp_parse_opt
>> 080533e0 t xcp_print_opt
>> 08053426 t xcp_print_xstats
>> 08070cc0 D xcp_util
>>
>> And finally:
>> lanthanum-ini tc # ./tc qdisc add dev ath0 root xcp capacity 54Mbit limit 500
>> Unknown qdisc "xcp", hence option "capacity" is unparsable
>>
>> I have no clue :( I figured that putting the .so into /usr/lib would
>> have been enough. Sorry for the long e-mail, I hope someone can help,
>> and thank you for your time even if you don't know the solution but
>> read this :)
>>
>> - George
>
> George,
>
> Please show us iproute/include/linux/pkt_sched.h
>
> There shouldn't be anything there the author wishes to keep private.
> --
> gypsy

They did not include the iproute source code that they used... they only included the q_xcp.c to create the q_xcp.so ... therefore my pkt_sched.h i am using is from this build: iproute2-2.6.11.20050310-r1

I can certainly post it if you need, just let me know

From: gypsy at iswest.com (gypsy)
Date: Wed Apr 12 04:25:13 2006
Subject: [LARTC] strange iptables mangle problem
References:
Message-ID: <443C6506.90C3B729@iswest.com>

foxy 202 wrote:
>
> Hi all,
> I manage network with two connections with l00Mbit
> In the past when network wasn't so load everything was OK, now
> in pick hours load over border server from 1.0 to 1.5 / it isn't so
> big /
> and for me is very strange why I have increasing of ping timeout
> from 0.5- 5ms in normal hour to 50-100 ms in pick hours..
>
> server is with good hardware
> AMD 64 Dualcore 3800+
> Intel Gigabit Ethernet
> 1 GB RAM
> Debian sarge 2.6.16 #2 SMP kernel
>
> I use about 240 mangle rules with iptables to mark download traffic
> and to
> limit it but when I try to load more rules server increase load and
> begin to drop
> packages :(
>
> my question is why when I try to load new 200 mangle rules / only
> mangle rules / server increase load average and ping timeout increase
> to 50-100 ms
> and second is what is better solution for networks with more then
> 100Mbit traffic ..
> to use iptables mangle rules + u32 or to use more u32 filters and
> less mangle rules ?
>
> Actually I don't have experience with so big traffic and I need any
> advice is welcome.
>
>
> Best Regards
> Emil

Emil,

I don't have any real answers but I encountered the same problem you have, except your hardware is a lot better than mine. I'd load 255 rules and the keyboard would become unresponsive and the network was terribly slow. Not just pings, everything.

I changed the NIC and that helped. I've forgotten what I replaced it with, but it uses the Tulip driver and it is 100Mbit.

I changed iptables source code for connection tracking. TCP conntrack is set to track connections for 5 DAYS! If I recall correctly, I changed that to 20 minutes. That reduced the size of /proc/net/ip_conntrack and that at least made the keyboard OK, but it was still not enough.

You should search the mailing list archives for hashing.

(I gave up trying to maintain 255 marks.)
--
gypsy

From: petre at kgb.ro (Petre Bandac)
Date: Wed Apr 12 12:55:40 2006
Subject: [LARTC] shaping on several ppp interfaces
Message-ID: <20060412135856.4976d449@localhost>

hallo

I have the following schema

pptpd server, with clients connecting to it and getting access to inside LAN resources; however, there are some roaming clients that have huge files to download and so eating all the bandwidth

how can I have the whole x kbps be available on a single ppp interface, if there are none up, and, in reverse, guarantee to all ppp interfaces up at a given time x/nr_ppp_interfaces_up kbps ?

thanks,

petre
--
Petre Bandac
Network Scientist - petre@kgb.ro

From: sewlist at gmail.com (the sew)
Date: Wed Apr 12 14:52:25 2006
Subject: [LARTC] Class C network 223.255.255.x
Message-ID:

Hi,

Most networks are using either 10.x.x.x or 172.x.x.x or 192.168.x.x , but was curious If I can use the range 223.255.255.x for my backbone routing, this looks like a nice block to use as most ppl don't use this, specially if you build quite a big intranet

what about the whole 223.x.x.x block, will this be used on the internet?

sorry if its a stupid questions

Thanks
Sew

From: erik at slagter.name (Erik Slagter)
Date: Wed Apr 12 15:51:06 2006
Subject: [LARTC] Class C network 223.255.255.x
In-Reply-To:
References:
Message-ID: <1144849866.4108.29.camel@localhost.localdomain>

On Wed, 2006-04-12 at 14:52 +0200, the sew wrote:
> Most networks are using either 10.x.x.x or 172.x.x.x or 192.168.x.x ,
> but was curious If I can use the range 223.255.255.x for my backbone
> routing, this looks like a nice block to use as most ppl don't use
> this, specially if you build quite a big intranet
>
> what about the whole 223.x.x.x block, will this be used on the
> internet?

These are valid routable ip addresses, so you'd better not use them for your own purposes. What is wrong with the official private ranges?

From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Wed Apr 12 15:52:19 2006
Subject: [LARTC] Re: packet marking: only a ratio, not all
In-Reply-To: <20060410134848.17949.qmail@web54305.mail.yahoo.com>
References: <20060410134848.17949.qmail@web54305.mail.yahoo.com>
Message-ID: <443D0634.80607@dsl.pipex.com>

pfer wrote:
> Hi Andy!
>
> I haven't checked the iproute sources for that,
> but maybe I was not clear:
>
> What I need is not having ALL packets re-marked when
> they are overlimit, or sent to any class, etc..
>
> I want them to be remarked at a ratio. (eg. 2%)
>
> And granularity is important, if I have to re-mark
> with
> a 20% ratio, I wish to remark every 5th, and not mark
> 20 continously at not mark other 80 continously.

Hmm with the example you give of 3x10 feeding 1x10 egress I don't see how it's going to work as is - I googled RMD-QoS-NSLP and have to admit I know zero about that - so you are a lot more qualified than me WRT that.

I can't really do more than list a few thoughts.

What happens if ingress > 2x egress. You want to mark every nth packet on egress but this will be before the flooded bottleneck - so you will then have to drop some of them.

The example of 16mbit ingress going to 10mbit egress will not happen for long if tcp is involved - it will back off.

Relating bandwidth use to packet counting will need the packets to all be the same size. (maybe doesn't matter for you)

It may be doable - I just don't know and haven't played with actions enough to answer questions on that.

One thought you could use IFB/IMQ or something to double queue so that the egress marker sees the traffic already cut down to 10mbit and there will be no further dropping. You'll still need to use state from ingress meters - or maybe your code for that.

Thomas Graf wrote ematch which is in kernel (I don't know of any examples of usage, but the code has comments on how to write your own). He eventually wanted them to be able to do clever things like use meta data to control tc/classification I believe.

Andy.

From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Wed Apr 12 16:48:12 2006
Subject: [LARTC] trying to find out how much is on a drive?
In-Reply-To: <7.0.1.0.2.20060411093758.05e01228@dmpcorp.com>
References: <7.0.1.0.2.20060411093758.05e01228@dmpcorp.com>
Message-ID: <443D134F.6090408@dsl.pipex.com>

Yvon Dubinsky wrote:
> I have a Ferdora 2 machine with 2 drives in it one has the OS and
> the main drive for our Samba server on it and the other is the Mirror
> drive. What I am trying to find out is how much is on the primary
> drive. When I use the "du" command I get a number that seems to be
> off. I have the mirror drive mounted to the primary drive, and it
> apears as though when I do the "du" command from the root of the drive
> is adds in some of the files from the mirror drive. What I am trying to
> figure out is if there is a way to use the "du" command and exclude the
> mounted mirror drive in my total amount. I used the command du -ch,
> which gave the grand total in human form which is what I want but it
> seems to include the mirror drive also. How do I exclude it from adding
> in the mirror. Thanks,

Have you tried df -h

Andy.

From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Wed Apr 12 16:50:26 2006
Subject: [LARTC] Detect and mark 'bulk' http traffic
In-Reply-To: <20060315212105.05lxbt99vog4oc8o@www.simplelists.com>
References: <20060315212105.05lxbt99vog4oc8o@www.simplelists.com>
Message-ID: <443D13D5.3060200@dsl.pipex.com>

Andrew Beverley wrote:
> To give fast web browsing on my network, I prioritise http traffic by marking it all into a high priority band ('30'). This generally works quite well, as unidentified traffic such as p2p falls by default into a lower priority band ('40').
>
> However, I would like to de-prioritise anyone doing large downloads over http, which currently get high priority. Is there a way I can mark a connection differently (ie into band '40') once it has got over a certain threshold of data transfer?

If you use netfilter you can use connbytes for this.

Andy.

From gypsy at iswest.com Wed Apr 12 17:02:01 2006
From: gypsy at iswest.com (gypsy)
Date: Wed Apr 12 17:02:05 2006
Subject: [LARTC] created new q_disc, inserted module, tc tells me unknown qdisc
References: <1737.128.2.140.234.1144719887.squirrel@128.2.140.234> <443C5390.C6BFA3CB@iswest.com> <1132.128.2.140.234.1144806062.squirrel@128.2.140.234>
Message-ID: <443D1669.F3230B30@iswest.com>

George P Nychis wrote:
>
>> George P Nychis wrote:
>>>
>>> Hi,
>>>
>>> I am trying to install a proprietary qdisc made for research; it is not publicly released yet, however it's been used several times so I know it works.
>>>
>>> The files included are:
>>>
>>> q_xcp.c:
>>>   static int xcp_parse_opt()
>>>   static int xcp_print_opt()
>>>   static int xcp_print_xstats()
>>>   struct qdisc_util xcp_util = { "NULL", "xcp" ..... };
>>>
>>> sch_xcp.c:
>>>   static int xcp_enqueue()
>>>   static int xcp_requeue()
>>>   static struct sk_buff * xcp_dequeue()
>>>   ....
>>>   ....
>>>   struct Qdisc_ops xcp_qdisc_ops = { NULL,NULL,"xcp",.... };
>>>
>>>   printk(KERN_INFO "XCP qdisc module loaded.\n");
>>>   return register_qdisc(&xcp_qdisc_ops);
>>>
>>> So, I make everything successfully, it creates q_xcp.so and copies it to /usr/lib and sch_xcp.o which it copies to /lib/modules/... so then I "insmod sch_xcp" and I see in dmesg: "XCP qdisc module loaded."
>>>
>>> I then try: "tc qdisc add dev eth0 root xcp capacity 10Mbit limit 500" and get: "Unknown qdisc "xcp", hence option "capacity" is unparsable"
>>>
>>> So then I read the INSTALL further to find some sort of solution and it mentions: This again assumes "tc" version is 2.4.7.
>>> If your "tc" is a different version, download the iproute2 source code, and edit Makefile to point "TC_INCLUDE" to "-I..../iproute2/include -I..../iproute2/tc"
>>>
>>> So, I did that, and I recompiled the q_xcp.so:
>>>
>>> lanthanum-ini src-1.0.1 # make q_xcp.so
>>> cc -O2 -fPIC -I/var/tmp/portage/iproute2-2.6.11.20050310-r1/work/iproute2-2.6.11/include/ -I/var/tmp/portage/iproute2-2.6.11.20050310-r1/work/iproute2-2.6.11/tc_include -o q_xcp.o -c q_xcp.c
>>> ld -shared -o q_xcp.so q_xcp.o
>>> rm -f q_xcp.o
>>>
>>> But I still get the same error.... so then my very final last effort was to move q_xcp.c to my iproute2 source code tc/ directory and added this to the makefile: TCMODULES += q_xcp.o
>>>
>>> Then I compiled tc, and I checked tc to see if the xcp qdisc functions were loaded:
>>>
>>> lanthanum-ini tc # nm tc | grep xcp
>>> 080531ec t xcp_parse_opt
>>> 080533e0 t xcp_print_opt
>>> 08053426 t xcp_print_xstats
>>> 08070cc0 D xcp_util
>>>
>>> And finally:
>>>
>>> lanthanum-ini tc # ./tc qdisc add dev ath0 root xcp capacity 54Mbit limit 500
>>> Unknown qdisc "xcp", hence option "capacity" is unparsable
>>>
>>> I have no clue :( I figured that putting the .so into /usr/lib would have been enough. Sorry for the long e-mail, I hope someone can help, and thank you for your time even if you don't know the solution but read this :)
>>>
>>> - George
>>
>> George,
>>
>> Please show us iproute/include/linux/pkt_sched.h
>>
>> There shouldn't be anything there the author wishes to keep private.
>> --
>> gypsy
>>
>
> They did not include the iproute source code that they used... they only included the q_xcp.c to create the q_xcp.so ... therefore my pkt_sched.h I am using is from this build: iproute2-2.6.11.20050310-r1
>
> I can certainly post it if you need, just let me know

George,

Then you probably need to revert to an iproute2 source that included xcp.
In pkt_sched.h you need a struct that defines the parameters xcp can accept:

enum {
	TCA_XCP_PARM1,
	TCA_XCP_PARM2,
	TCA_XCP_PARM3,
};

and in ~/tc/Makefile you need

TCMODULES += q_xcp.o

--
gypsy

From andy.furniss at dsl.pipex.com Wed Apr 12 17:04:33 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Wed Apr 12 17:03:57 2006
Subject: [LARTC] HFSC and default qdisc backlog
In-Reply-To: <045701c64e0e$8d6282f0$1414a8c0@provsol.int>
References: <045701c64e0e$8d6282f0$1414a8c0@provsol.int>
Message-ID: <443D1701.4070404@dsl.pipex.com>

James Nelson wrote:
> Thanks for all of your help Patrick!
>
> Just so I'm clear. If hfsc at the class level shows no overlimits and no packet drops, then hfsc is not affecting my traffic any differently (from a throughput perspective, computational computer slowness aside) than if I had no traffic shaping in place?

Noting what Patrick says as a caveat. But if you set up a rt class in hfsc at the moment (it may change soon) you can sort of get a feel for what's gone on historically by looking at the requeue counters (can't remember if tc -s class ls will do or tc -s qdisc ls with child queues on the class is needed).

If you have a rt class you probably don't want it to ever be backlogged - it won't be very rt anymore (OK you could have short queue & drop).

If a rt class has become backlogged in the past then you will see requeues - it may not be perfect, but I would say big number = bad, 0 = good.

Andy.

From ephemeric at gmail.com Wed Apr 12 17:06:17 2006
From: ephemeric at gmail.com (Robert Gabriel)
Date: Wed Apr 12 17:06:23 2006
Subject: [LARTC] trying to find out how much is on a drive?
In-Reply-To: <443D134F.6090408@dsl.pipex.com>
References: <7.0.1.0.2.20060411093758.05e01228@dmpcorp.com> <443D134F.6090408@dsl.pipex.com>
Message-ID:

Try 'du -chsx /*'. This should exclude other filesystems.

On 12/04/06, Andy Furniss wrote:
> Yvon Dubinsky wrote:
>> I have a Fedora 2 machine with 2 drives in it: one has the OS and the main drive for our Samba server on it and the other is the Mirror drive. What I am trying to find out is how much is on the primary drive. When I use the "du" command I get a number that seems to be off. I have the mirror drive mounted to the primary drive, and it appears as though when I do the "du" command from the root of the drive it adds in some of the files from the mirror drive. What I am trying to figure out is if there is a way to use the "du" command and exclude the mounted mirror drive in my total amount. I used the command du -ch, which gave the grand total in human form which is what I want but it seems to include the mirror drive also. How do I exclude it from adding in the mirror. Thanks,
>
> Have you tried df -h
>
> Andy.
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

From forgamedev at yahoo.com Wed Apr 12 18:39:03 2006
From: forgamedev at yahoo.com (pfer)
Date: Wed Apr 12 18:39:04 2006
Subject: [LARTC] Re: packet marking: only a ratio, not all
In-Reply-To: <443D0634.80607@dsl.pipex.com>
Message-ID: <20060412163903.10191.qmail@web54303.mail.yahoo.com>

Hello!

Well I won't go into protocol details, but I do not care if an intra-domain node will be congested via packets on ingress. I will drop them, but check with "tc .. show .." how much I get on byte-level. Based on this, and the maximum egress transmission rate of this congested node, I calculate Overload%, and remark leaving packets at that ratio.

Anyway this setup will serve as a demo, having reservations throughout the domain for UDP video packet streams only.

I wrote to the netdev-linux mailing list about how to hack in the sources of tc something like:

for every packet
    if(rand()<(percent/100))
        do_action

, where rand() gives a float of 0..1

but haven't got any answer yet.

I'm pretty much confused where an "action" gets executed, and how for example "random determ 2" modifies that.

I will check this ematch stuff, but it doesn't sound like the solution to me. I just thought this ratio-marking stuff to be a little less exotic and people already doing it.

Could you point me to someone who will probably help me with this?

Thanks,
Ferenc

--- Andy Furniss wrote:
> pfer wrote:
>> Hi Andy!
>>
>> I haven't checked the iproute sources for that, but maybe I was not clear:
>>
>> What I need is not having ALL packets re-marked when they are overlimit, or sent to any class, etc.
>>
>> I want them to be remarked at a ratio (e.g. 2%).
>>
>> And granularity is important: if I have to re-mark with a 20% ratio, I wish to remark every 5th, and not mark 20 continuously and not mark the other 80 continuously.
>
> Hmm, with the example you give of 3x10 feeding 1x10 egress I don't see how it's going to work as is - I googled RMD-QoS-NSLP and have to admit I know zero about that - so you are a lot more qualified than me WRT that.
>
> I can't really do more than list a few thoughts.
>
> What happens if ingress > 2x egress?
>
> You want to mark every nth packet on egress but this will be before the flooded bottleneck - so you will then have to drop some of them.
>
> The example of 16mbit ingress going to 10mbit egress will not happen for long if tcp is involved - it will back off.
>
> Relating bandwidth use to packet counting will need the packets to all be the same size. (maybe doesn't matter for you)
>
> It may be doable - I just don't know and haven't played with actions enough to answer questions on that.
>
> One thought: you could use IFB/IMQ or something to double queue so that the egress marker sees the traffic already cut down to 10mbit and there will be no further dropping. You'll still need to use state from ingress meters - or maybe your code for that.
>
> Thomas Graf wrote ematch which is in kernel (I don't know of any examples of usage, but the code has comments on how to write your own). He eventually wanted them to be able to do clever things like use meta data to control tc/classification I believe.
>
> Andy.
>

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

From forgamedev at yahoo.com Wed Apr 12 18:45:30 2006
From: forgamedev at yahoo.com (pfer)
Date: Wed Apr 12 18:45:28 2006
Subject: [LARTC] dsmark qdisc does not go without set_tc_index
Message-ID: <20060412164530.33533.qmail@web54305.mail.yahoo.com>

Hi all!

Anyone got the same problem?

If I:

tc qdisc add dev eth0 handle 1:0 root dsmark indices 4 set_tc_index

it works fine.

If I:

tc qdisc add dev eth0 handle 1:0 root dsmark indices 4

it says:

RTNETLINK answers: Invalid argument

I just don't need that set_tc_index stuff for marking.

Ferenc

From forgamedev at yahoo.com Wed Apr 12 19:01:13 2006
From: forgamedev at yahoo.com (pfer)
Date: Wed Apr 12 19:01:14 2006
Subject: [LARTC] please ignore my last mail
Message-ID: <20060412170113.86693.qmail@web54311.mail.yahoo.com>

Ugh, it was some odd iproute version problem. 2-6-15 works fine.

Sorry

From andy.furniss at dsl.pipex.com Wed Apr 12 20:51:11 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Wed Apr 12 20:50:33 2006
Subject: [LARTC] QoS - Ping problem
In-Reply-To: <44340CD6.1030907@cnett.com.br>
References: <44340CD6.1030907@cnett.com.br>
Message-ID: <443D4C1F.3020806@dsl.pipex.com>

Nataniel Klug wrote:
> # Rules for the eth1 card
> #------
> $TC qdisc add dev $DL root handle 1: htb default 50

You are using htb default on eth - unless you make a filter for arp it will also end up in 1:50 which may or may not be the problem - you should fix it anyway.

tc filter add ..... protocol arp u32 match u32 0 0 ....

or stop using htb default class and make a catch all ip filter to send the rest to 50.

Andy.

From alchemyx at uznam.net.pl Wed Apr 12 21:26:01 2006
From: alchemyx at uznam.net.pl (Michał Margula)
Date: Wed Apr 12 21:25:16 2006
Subject: [LARTC] ESFQ not so fair?
Message-ID: <443D5449.20706@uznam.net.pl>

Hello!

I have been using ESFQ since yesterday instead of N HTB queues. It mostly works OK, but when somebody is using one single session (for example downloading a file via FTP), it gets weird speed. For example it is 20 kilobytes per second, then drops down to 9, then 20 again, and then slowly to 0 and stops. But when using a download accelerator of some kind or a bittorrent client which uses many connections, speed seems to be stable.

I am using esfq that way:

qdisc add dev eth0 parent 1:4 handle 4:0 esfq perturb 600 hash fwmark divisor 13
qdisc add dev eth1 parent 1:2 handle 2:0 esfq perturb 600 hash dst divisor 13

On eth0 every IP is marked with a different value by the IPMARK module. On eth1 it is not necessary so I use dst hash. I have more values than 2^13 so I can't use direct hash.

Any ideas? Is it possible to use a bigger divisor, or is the algorithm not designed to deal with a bigger hash? Any ideas will be appreciated!

--
Michał Margula, alchemyx@uznam.net.pl, http://alchemyx.uznam.net.pl/
"In life, only moments are beautiful" [Ryszard Riedel]

From nata at cnett.com.br Wed Apr 12 21:26:42 2006
From: nata at cnett.com.br (Nataniel Klug)
Date: Wed Apr 12 21:27:00 2006
Subject: [LARTC] QoS - Ping problem
In-Reply-To: <443D4C1F.3020806@dsl.pipex.com>
References: <44340CD6.1030907@cnett.com.br> <443D4C1F.3020806@dsl.pipex.com>
Message-ID: <443D5472.2050709@cnett.com.br>

Andy,

I will try to make this rule and see what happens. Thanks.

Regards,

Nataniel Klug

Andy Furniss wrote:
> Nataniel Klug wrote:
>
>> # Rules for the eth1 card
>> #------
>> $TC qdisc add dev $DL root handle 1: htb default 50
>
> You are using htb default on eth - unless you make a filter for arp it will also end up in 1:50 which may or may not be the problem - you should fix it anyway.
>
> tc filter add ..... protocol arp u32 match u32 0 0 ....
>
> or stop using htb default class and make a catch all ip filter to send the rest to 50.
>
> Andy.
>

From andy.furniss at dsl.pipex.com Wed Apr 12 23:10:32 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Wed Apr 12 23:09:54 2006
Subject: [LARTC] Problems matching by mac address
In-Reply-To: <48DC429CB053B64EAD91BDD1DE106A1152C375@es1.corp.commspeed.net>
References: <48DC429CB053B64EAD91BDD1DE106A1152C375@es1.corp.commspeed.net>
Message-ID: <443D6CC8.3090301@dsl.pipex.com>

Adam M. Towarnyckyj wrote:
> Sorry for bumping this one, but I wanted to know if anyone else had any ideas as well. I'm a bit baffled as to why this isn't working. Thanks.

Hmm, this is a strange one - I tried both ip and mac versions of your script (on non-bridged eth) and both "work" ie the traffic ends up in htb 12:10 and gets shaped.

I tested with proftpd as sender - it's going to be important to test both with the same app that sets tos bits for prio - probably also worth putting a bfifo on 1:3 just for stats as default prio is three band.

Now what I don't get is in both cases if I do

tc -s filter ls parent 12:0

I don't get any matches, so would have expected them to have gone through htb as default - unshaped not 12:10 - strange. Will have to think/try different kernel and tc versions.

Did you do both tests with the same tos bit setting sender app?

Alexey's point about filtering to 12:0 is because normally if you set up a tree structure for filters you need a filter rule on root to pass traffic down to child(ren) - prio's automatic filtering seems to do it - but not as I expected.

Andy.

From andy.furniss at dsl.pipex.com Wed Apr 12 23:35:58 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Wed Apr 12 23:35:19 2006
Subject: [LARTC] ESFQ not so fair?
In-Reply-To: <443D5449.20706@uznam.net.pl>
References: <443D5449.20706@uznam.net.pl>
Message-ID: <443D72BE.6030003@dsl.pipex.com>

Michał Margula wrote:
> Hello!
>
> I have been using ESFQ since yesterday instead of N HTB queues. It mostly works OK, but when somebody is using one single session (for example downloading a file via FTP), it gets weird speed. For example it is 20 kilobytes per second, then drops down to 9, then 20 again, and then slowly to 0 and stops. But when using a download accelerator of some kind or a bittorrent client which uses many connections, speed seems to be stable.
>
> I am using esfq that way:
>
> qdisc add dev eth0 parent 1:4 handle 4:0 esfq perturb 600 hash fwmark divisor 13
> qdisc add dev eth1 parent 1:2 handle 2:0 esfq perturb 600 hash dst divisor 13
>
> On eth0 every IP is marked with a different value by the IPMARK module. On eth1 it is not necessary so I use dst hash. I have more values than 2^13 so I can't use direct hash.
>
> Any ideas? Is it possible to use a bigger divisor, or is the algorithm not designed to deal with a bigger hash? Any ideas will be appreciated!
>

Corey Hickey changed his esfq to use jhash for dst/src/fw - copy of his announce below.

Andy.

Corey Hickey wrote:
> In a recent thread on this list, Robert Kurjata provided me a patch to add hashing by iptables mark to the Linux 2.4 version of ESFQ. Thanks to that contribution, I was able to easily add support to the 2.6 port I maintain.
>
> I found out, however, that the existing hash algorithm results in a lot of collisions when the range of hashed values is small. The perturbation spreads the collisions out a little, but the result still wasn't very fair, especially when hashing only three fwmark values: 0, 1 and 2.
>
> So, I wrote an alternative hash function.
> It's quite simple, and as long as the range of input values is smaller than the hash table (default 1024, up to 16384), collisions will not happen at all. See the updated README file for more details.
>
> Home page:
> http://fatooh.org/esfq-2.6/
>
> Direct URL:
> http://fatooh.org/esfq-2.6/esfq-2.6.13.tar.gz
>
> README (also available in the tar.gz):
> http://fatooh.org/esfq-2.6/current/README
>
> Try it out, have fun, and if you find a bug or have a suggestion please send me an email.
>
> -Corey

From alchemyx at uznam.net.pl Wed Apr 12 23:43:52 2006
From: alchemyx at uznam.net.pl (Michał Margula)
Date: Wed Apr 12 23:42:55 2006
Subject: [LARTC] ESFQ not so fair?
In-Reply-To: <443D72BE.6030003@dsl.pipex.com>
References: <443D5449.20706@uznam.net.pl> <443D72BE.6030003@dsl.pipex.com>
Message-ID: <443D7498.1000206@uznam.net.pl>

Andy Furniss wrote:
>
> Corey Hickey changed his esfq to use jhash for dst/src/fw - copy of his announce below.
>
> Andy.

Thanks, but I am already using his patch :-). It happens with that patch, I haven't tried the original version at all.

--
Michał Margula, alchemyx@uznam.net.pl, http://alchemyx.uznam.net.pl/
"In life, only moments are beautiful" [Ryszard Riedel]

From kaber at trash.net Wed Apr 12 23:52:46 2006
From: kaber at trash.net (Patrick McHardy)
Date: Wed Apr 12 23:55:20 2006
Subject: [LARTC] ESFQ not so fair?
In-Reply-To: <443D72BE.6030003@dsl.pipex.com>
References: <443D5449.20706@uznam.net.pl> <443D72BE.6030003@dsl.pipex.com>
Message-ID: <443D76AE.9090905@trash.net>

Andy Furniss wrote:
> Corey Hickey changed his esfq to use jhash for dst/src/fw - copy of his announce below.
>
> Andy.
>
> Corey Hickey wrote:
>> So, I wrote an alternative hash function. It's quite simple, and as long as the range of input values is smaller than the hash table (default 1024, up to 16384), collisions will not happen at all. See the updated README file for more details.

Using jhash is probably a good idea, the "improved" hash is broken and will cause reordering in some circumstances:

return (h - q->dyn_min) * (q->hash_divisor - 1) / q->dyn_range;

dyn_min, dyn_max and dyn_range, as their name suggests, are adjusted dynamically, so the hash function changes whenever one of these values changes, resulting in reordering of packets belonging to a single flow.

From andy.furniss at dsl.pipex.com Thu Apr 13 00:19:33 2006
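To show why Patrick's objection matters in practice, here is an added example written for this thread (not the esfq source, and not Corey's or Patrick's code): it models the quoted range-scaled formula, widening dyn_min/dyn_max from every key it sees, and compares it with a key-only mixer that stands in for jhash. The addresses and the mixing constants are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the range-scaled hash quoted in the thread:
 *   bucket = (h - dyn_min) * (divisor - 1) / dyn_range
 * dyn_min/dyn_max are widened from every key seen, so the bucket of an
 * existing flow can change. Constructed model, not the esfq source. */
struct range_hash {
	uint32_t divisor;
	uint32_t dyn_min, dyn_max, dyn_range;
	bool seen;
};

static void range_hash_init(struct range_hash *q, uint32_t divisor)
{
	q->divisor = divisor;
	q->dyn_min = q->dyn_max = 0;
	q->dyn_range = 1;
	q->seen = false;
}

/* Widen the observed key range; this is what makes the mapping unstable. */
static void range_hash_observe(struct range_hash *q, uint32_t h)
{
	if (!q->seen) {
		q->dyn_min = q->dyn_max = h;
		q->seen = true;
	} else {
		if (h < q->dyn_min) q->dyn_min = h;
		if (h > q->dyn_max) q->dyn_max = h;
	}
	q->dyn_range = q->dyn_max - q->dyn_min;
	if (q->dyn_range == 0)
		q->dyn_range = 1;        /* avoid dividing by zero */
}

/* Bucket of key h under the current range (64-bit product, no overflow). */
static uint32_t range_hash_bucket(const struct range_hash *q, uint32_t h)
{
	uint64_t scaled = (uint64_t)(h - q->dyn_min) * (q->divisor - 1);
	return (uint32_t)(scaled / q->dyn_range);
}

/* Stable alternative: depends only on the key and the divisor. A small
 * integer mixer constructed here, standing in for jhash. */
static uint32_t stable_bucket(uint32_t h, uint32_t divisor)
{
	h ^= h >> 16;
	h *= 0x7feb352dU;
	h ^= h >> 15;
	h *= 0x846ca68bU;
	h ^= h >> 16;
	return h % divisor;
}

struct shift_result {
	uint32_t range_before, range_after;
	uint32_t stable_before, stable_after;
};

/* Hash `flow` while only `flow` and `peer` have been seen, then let
 * `newcomer` widen the range and hash `flow` again. If the bucket moves,
 * packets of `flow` still queued in the old bucket are served in a
 * different round than the new ones: the reordering Patrick describes. */
static struct shift_result simulate_range_shift(uint32_t flow, uint32_t peer,
						uint32_t newcomer, uint32_t divisor)
{
	struct range_hash q;
	struct shift_result r;

	range_hash_init(&q, divisor);
	range_hash_observe(&q, peer);
	range_hash_observe(&q, flow);
	r.range_before = range_hash_bucket(&q, flow);
	r.stable_before = stable_bucket(flow, divisor);

	range_hash_observe(&q, newcomer);
	r.range_after = range_hash_bucket(&q, flow);
	r.stable_after = stable_bucket(flow, divisor);
	return r;
}

int main(void)
{
	/* Constructed keys: two hosts in 10.0.0.0/24, then one in 192.168.1.0/24. */
	struct shift_result r = simulate_range_shift(0x0A0000C8u, 0x0A000005u,
						     0xC0A80101u, 1024);

	printf("range-scaled hash: bucket %u -> %u (%s)\n",
	       (unsigned)r.range_before, (unsigned)r.range_after,
	       r.range_before == r.range_after ? "stable" : "flow moved");
	printf("key-only hash:     bucket %u -> %u\n",
	       (unsigned)r.stable_before, (unsigned)r.stable_after);
	return 0;
}
```

A newcomer inside the range already seen (for instance 10.0.0.16) leaves the flow's bucket alone; it is the first key far outside the range that moves every flow at once.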
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Thu Apr 13 00:19:07 2006
Subject: [LARTC] ESFQ not so fair?
In-Reply-To: <443D76AE.9090905@trash.net>
References: <443D5449.20706@uznam.net.pl> <443D72BE.6030003@dsl.pipex.com> <443D76AE.9090905@trash.net>
Message-ID: <443D7CF5.1020903@dsl.pipex.com>

Patrick McHardy wrote:
> Andy Furniss wrote:
>
>> Corey Hickey changed his esfq to use jhash for dst/src/fw - copy of his announce below.
>
> Using jhash is probably a good idea, the "improved" hash is broken and will cause reordering in some circumstances:
>
> return (h - q->dyn_min) * (q->hash_divisor - 1) / q->dyn_range;
>
> dyn_min, dyn_max and dyn_range, as their name suggests, are adjusted dynamically, so the hash function changes whenever one of these values changes, resulting in reordering of packets belonging to a single flow.
>

Oops, I thought he did use jhash - don't know where I got that from.

Andy.

From andy.furniss at dsl.pipex.com Thu Apr 13 00:24:18 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Thu Apr 13 00:23:37 2006
Subject: [LARTC] ESFQ not so fair?
In-Reply-To: <443D7498.1000206@uznam.net.pl>
References: <443D5449.20706@uznam.net.pl> <443D72BE.6030003@dsl.pipex.com> <443D7498.1000206@uznam.net.pl>
Message-ID: <443D7E12.4070903@dsl.pipex.com>

Michał Margula wrote:
> Andy Furniss wrote:
>
>> Corey Hickey changed his esfq to use jhash for dst/src/fw - copy of his announce below.
>>
>> Andy.
>
> Thanks, but I am already using his patch :-). It happens with that patch, I haven't tried the original version at all.
>

Ahh OK - looks like Patrick spotted the problem. I guess Corey will see this thread.

His limit is 2^14 though, which is why I thought you must be using a different one.

Andy.

From adamt at commspeed.net Thu Apr 13 01:08:53 2006
From: adamt at commspeed.net (Adam M. Towarnyckyj)
Date: Thu Apr 13 01:08:53 2006
Subject: [LARTC] Problems matching by mac address
Message-ID: <48DC429CB053B64EAD91BDD1DE106A1152C4D4@es1.corp.commspeed.net>

Andy,

Thanks for investigating so extensively. However, I'm an idiot and made a fundamental mistake in networking that I should have realized in the first place. I completely didn't think about the fact that the filter is looking at the data link layer of the packet and that this gets changed through each device. The test machine is set up behind a router.

Also, to answer your question, I'm using a download test app on a web server I set up, so I'm basically using the same program for testing the throughput each time.

Sorry if I wasted anyone's time on this. With me, it's always something obvious I missed and usually I don't realize until after I have investigated every FAQ, Googled the hell out of the question, and posted to a list.

If anyone has any ideas on how I can accomplish destination mac address filtering through multiple hops, I'd love to hear them. Otherwise, I think I'm going back to the drawing board on this one.

Adam

Interesting.... Outlook doesn't recognize "Googled" as a verb...

-----Original Message-----
From: Andy Furniss [mailto:andy.furniss@dsl.pipex.com]
Sent: Wednesday, April 12, 2006 2:11 PM
To: Adam M. Towarnyckyj
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Problems matching by mac address

Adam M. Towarnyckyj wrote:
> Sorry for bumping this one, but I wanted to know if anyone else had any ideas as well. I'm a bit baffled as to why this isn't working. Thanks.

Hmm, this is a strange one - I tried both ip and mac versions of your script (on non-bridged eth) and both "work" ie the traffic ends up in htb 12:10 and gets shaped.

I tested with proftpd as sender - it's going to be important to test both with the same app that sets tos bits for prio - probably also worth putting a bfifo on 1:3 just for stats as default prio is three band.

Now what I don't get is in both cases if I do

tc -s filter ls parent 12:0

I don't get any matches, so would have expected them to have gone through htb as default - unshaped not 12:10 - strange. Will have to think/try different kernel and tc versions.

Did you do both tests with the same tos bit setting sender app?

Alexey's point about filtering to 12:0 is because normally if you set up a tree structure for filters you need a filter rule on root to pass traffic down to child(ren) - prio's automatic filtering seems to do it - but not as I expected.

Andy.

From andy.furniss at dsl.pipex.com Thu Apr 13 02:36:21 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Thu Apr 13 02:35:39 2006
Subject: [LARTC] Re: packet marking: only a ratio, not all
In-Reply-To: <20060412163903.10191.qmail@web54303.mail.yahoo.com>
References: <20060412163903.10191.qmail@web54303.mail.yahoo.com>
Message-ID: <443D9D05.6050203@dsl.pipex.com>

pfer wrote:
> Hello!
>
> Well I won't go into protocol details, but I do not care if an intra-domain node will be congested via packets on ingress. I will drop them, but check with "tc .. show .." how much I get on byte-level. Based on this, and the maximum egress transmission rate of this congested node, I calculate Overload%, and remark leaving packets at that ratio.

OK I guess you know what you want - just thinking there wouldn't be much overload% if tcp was about and you were dropping.

>
> Anyway this setup will serve as a demo, having reservations throughout the domain for UDP video packet streams only.
>
> I wrote to the netdev-linux mailing list about how to hack in the sources of tc something like:
>
> for every packet
>     if(rand()<(percent/100))
>         do_action
>
> , where rand() gives a float of 0..1

If that's userspace tc it may be OK - no floats in kernel code AFAIK.

>
> Could you point me to someone who will probably help me with this?

I think netdev is the right place.

Andy.

From bugfood-ml at fatooh.org Thu Apr 13 04:46:35 2006
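The ratio marking pfer sketched (rand() against percent/100), reworked so that it needs neither rand() nor floats, which Andy notes kernel code cannot use, as an added example written for this thread rather than code from tc or the kernel. A credit counter gives the even spacing pfer asked for (20% becomes every 5th packet, 2% every 50th); the byte-weighted variant goes beyond the thread by handling mixed packet sizes, which Andy pointed out plain packet counting cannot. The packet lengths are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Ratio marker with integer arithmetic only. Each packet earns credit
 * (percent units, or percent*len in byte mode); a mark is taken once a
 * whole packet's worth (100, or 100*len) has built up, so marks are spread
 * evenly instead of left to rand(). Constructed example; not tc/kernel code. */
struct ratio_marker {
	uint32_t percent;       /* share to mark, 0..100 */
	uint64_t acc;           /* credit not yet spent on a mark */
	uint64_t total_bytes, marked_bytes;
	uint32_t marked_pkts;
};

static void ratio_marker_init(struct ratio_marker *m, uint32_t percent)
{
	m->percent = percent > 100 ? 100 : percent;
	m->acc = m->total_bytes = m->marked_bytes = 0;
	m->marked_pkts = 0;
}

/* Packet-count mode: 20% marks every 5th packet, 2% every 50th, and 33%
 * gives gaps of 3 with an occasional 4 instead of bunching marks. */
static bool ratio_marker_packet(struct ratio_marker *m)
{
	m->acc += m->percent;
	if (m->acc < 100)
		return false;
	m->acc -= 100;
	m->marked_pkts++;
	return true;
}

/* Byte-weighted mode: credit grows with packet length and a mark costs
 * 100*len, so the marked share of bytes tracks the ratio even with mixed
 * packet sizes. Invariant: acc == percent*total_bytes - 100*marked_bytes. */
static bool ratio_marker_bytes(struct ratio_marker *m, uint32_t len)
{
	uint64_t cost = (uint64_t)100 * len;
	m->total_bytes += len;
	m->acc += (uint64_t)m->percent * len;
	if (m->acc < cost)
		return false;
	m->acc -= cost;
	m->marked_pkts++;
	m->marked_bytes += len;
	return true;
}

/* Packet-mode run summary: marks, first mark, min/max gap between marks. */
struct packet_run { uint32_t marked, first_mark, min_gap, max_gap; };

static struct packet_run run_packet_mode(uint32_t percent, uint32_t npkts)
{
	struct ratio_marker m;
	struct packet_run r = { 0, 0, UINT32_MAX, 0 };
	uint32_t last = 0;
	ratio_marker_init(&m, percent);
	for (uint32_t i = 1; i <= npkts; i++) {
		if (!ratio_marker_packet(&m))
			continue;
		r.marked++;
		if (r.first_mark == 0) {
			r.first_mark = i;
		} else {
			uint32_t gap = i - last;
			if (gap < r.min_gap) r.min_gap = gap;
			if (gap > r.max_gap) r.max_gap = gap;
		}
		last = i;
	}
	return r;
}

/* Constructed stream of alternating 1500-byte and 100-byte packets. */
static const uint32_t sample_mixed[20] = {
	1500, 100, 1500, 100, 1500, 100, 1500, 100, 1500, 100,
	1500, 100, 1500, 100, 1500, 100, 1500, 100, 1500, 100,
};

/* Run byte mode over a stream and return the marker's counters. */
static struct ratio_marker run_byte_mode(uint32_t percent,
					 const uint32_t *lens, uint32_t n)
{
	struct ratio_marker m;
	ratio_marker_init(&m, percent);
	for (uint32_t i = 0; i < n; i++)
		ratio_marker_bytes(&m, lens[i]);
	return m;
}

int main(void)
{
	struct packet_run p = run_packet_mode(20, 100);
	struct ratio_marker b = run_byte_mode(20, sample_mixed, 20);
	printf("packets: %u marked, first %u, gaps %u..%u; bytes: %llu/%llu marked\n",
	       (unsigned)p.marked, (unsigned)p.first_mark, (unsigned)p.min_gap,
	       (unsigned)p.max_gap, (unsigned long long)b.marked_bytes,
	       (unsigned long long)b.total_bytes);
	return 0;
}
```

On the mixed stream the marked bytes lag the target a little (credit is still outstanding when the stream ends), but the invariant in the comment holds after every packet, so the share converges as the stream continues.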
From: bugfood-ml at fatooh.org (Corey Hickey)
Date: Thu Apr 13 04:46:31 2006
Subject: [LARTC] ESFQ not so fair?
In-Reply-To: <443D76AE.9090905@trash.net>
References: <443D5449.20706@uznam.net.pl> <443D72BE.6030003@dsl.pipex.com> <443D76AE.9090905@trash.net>
Message-ID: <443DBB8B.5030706@fatooh.org>

Patrick McHardy wrote:
> Andy Furniss wrote:
>> Corey Hickey changed his esfq to use jhash for dst/src/fw - copy of his announce below.
>>
>> Andy.
>>
>> Corey Hickey wrote:
>>> So, I wrote an alternative hash function. It's quite simple, and as long as the range of input values is smaller than the hash table (default 1024, up to 16384), collisions will not happen at all. See the updated README file for more details.
>
> Using jhash is probably a good idea, the "improved" hash is broken and will cause reordering in some circumstances:
>
> return (h - q->dyn_min) * (q->hash_divisor - 1) / q->dyn_range;
>
> dyn_min, dyn_max and dyn_range, as their name suggests, are adjusted dynamically, so the hash function changes whenever one of these values changes, resulting in reordering of packets belonging to a single flow.

That should stabilize after it's been running a while and has seen the normal range of IP addresses. Anyway, I agree, it's not very good.

Working on ESFQ some more has been on my long-term TODO list, but what with getting distracted by mplayer development I didn't get around to it... and now I have 1.2 real jobs and 1.0 girlfriends and don't have time for much programming. :)

If any of you want to send patches to this list and they don't look bad to other readers of the list I'll happily apply them and make a new release. Other than that, I can't help you much for now.

Thanks,
Corey

From gnychis at cmu.edu Thu Apr 13 07:42:55 2006
From: gnychis at cmu.edu (George P Nychis)
Date: Thu Apr 13 07:42:58 2006
Subject: [LARTC] created new q_disc, inserted module, tc tells me unknown qdisc
In-Reply-To: <443D1669.F3230B30@iswest.com>
References: <1737.128.2.140.234.1144719887.squirrel@128.2.140.234> <443C5390.C6BFA3CB@iswest.com> <1132.128.2.140.234.1144806062.squirrel@128.2.140.234> <443D1669.F3230B30@iswest.com>
Message-ID: <2277.128.2.140.234.1144906975.squirrel@128.2.140.234>

> George P Nychis wrote:
>>
>>> George P Nychis wrote:
>>>>
>>>> Hi,
>>>>
>>>> I am trying to install a proprietary qdisc made for research; it is not publicly released yet, however it's been used several times so I know it works.
>>>>
>>>> The files included are:
>>>>
>>>> q_xcp.c:
>>>>   static int xcp_parse_opt()
>>>>   static int xcp_print_opt()
>>>>   static int xcp_print_xstats()
>>>>   struct qdisc_util xcp_util = { "NULL", "xcp" ..... };
>>>>
>>>> sch_xcp.c:
>>>>   static int xcp_enqueue()
>>>>   static int xcp_requeue()
>>>>   static struct sk_buff * xcp_dequeue()
>>>>   ....
>>>>   ....
>>>>   struct Qdisc_ops xcp_qdisc_ops = { NULL,NULL,"xcp",.... };
>>>>
>>>>   printk(KERN_INFO "XCP qdisc module loaded.\n");
>>>>   return register_qdisc(&xcp_qdisc_ops);
>>>>
>>>> So, I make everything successfully, it creates q_xcp.so and copies it to /usr/lib and sch_xcp.o which it copies to /lib/modules/... so then I "insmod sch_xcp" and I see in dmesg: "XCP qdisc module loaded."
>>>>
>>>> I then try: "tc qdisc add dev eth0 root xcp capacity 10Mbit limit 500" and get: "Unknown qdisc "xcp", hence option "capacity" is unparsable"
>>>>
>>>> So then I read the INSTALL further to find some sort of solution and it mentions: This again assumes "tc" version is 2.4.7.
>>>> If your "tc" is a different version, download the iproute2 source code, and edit Makefile to point "TC_INCLUDE" to "-I..../iproute2/include -I..../iproute2/tc"
>>>>
>>>> So, I did that, and I recompiled the q_xcp.so:
>>>>
>>>> lanthanum-ini src-1.0.1 # make q_xcp.so
>>>> cc -O2 -fPIC -I/var/tmp/portage/iproute2-2.6.11.20050310-r1/work/iproute2-2.6.11/include/ -I/var/tmp/portage/iproute2-2.6.11.20050310-r1/work/iproute2-2.6.11/tc_include -o q_xcp.o -c q_xcp.c
>>>> ld -shared -o q_xcp.so q_xcp.o
>>>> rm -f q_xcp.o
>>>>
>>>> But I still get the same error.... so then my very final last effort was to move q_xcp.c to my iproute2 source code tc/ directory and added this to the makefile: TCMODULES += q_xcp.o
>>>>
>>>> Then I compiled tc, and I checked tc to see if the xcp qdisc functions were loaded:
>>>>
>>>> lanthanum-ini tc # nm tc | grep xcp
>>>> 080531ec t xcp_parse_opt
>>>> 080533e0 t xcp_print_opt
>>>> 08053426 t xcp_print_xstats
>>>> 08070cc0 D xcp_util
>>>>
>>>> And finally:
>>>>
>>>> lanthanum-ini tc # ./tc qdisc add dev ath0 root xcp capacity 54Mbit limit 500
>>>> Unknown qdisc "xcp", hence option "capacity" is unparsable
>>>>
>>>> I have no clue :( I figured that putting the .so into /usr/lib would have been enough. Sorry for the long e-mail, I hope someone can help, and thank you for your time even if you don't know the solution but read this :)
>>>>
>>>> - George
>>>
>>> George,
>>>
>>> Please show us iproute/include/linux/pkt_sched.h
>>>
>>> There shouldn't be anything there the author wishes to keep private.
>>> --
>>> gypsy
>>>
>>
>> They did not include the iproute source code that they used... they only included the q_xcp.c to create the q_xcp.so ... therefore my pkt_sched.h I am using is from this build: iproute2-2.6.11.20050310-r1
>>
>> I can certainly post it if you need, just let me know
>
> George,
>
> Then you probably need to revert to an iproute2 source that included xcp.
> In pkt_sched.h you need a struct that defines the parameters xcp can accept:
>
> enum {
>	TCA_XCP_PARM1,
>	TCA_XCP_PARM2,
>	TCA_XCP_PARM3,
> };
>
> and in ~/tc/Makefile you need
>
> TCMODULES += q_xcp.o
>
> --
> gypsy
>

I think what I'm most confused about with this pkt_sched.h thing is that the code works with version 2.4.7 of iproute2 ... in 2.4.7 of iproute2 there is no pkt_sched.h anywhere to be found in the source code. However in the newest version of iproute2, which I am trying to get this functionality to work in, there is a pkt_sched.h

My last observation is that in q_xcp.h it includes pkt_sched_xcp.h which has:

struct tc_xcp_qopt {
	__u32 first_param;
	__u32 second_param;
};

So I am assuming I need to add something like the enum thing to pkt_sched.h in the new iproute2 source... however what are the proper names I need to use in the enum? I don't expect you to know the names, however, what do I match them with?

Thanks!
George

--

From ephemeric at gmail.com Thu Apr 13 08:51:13 2006
From: ephemeric at gmail.com (Robert Gabriel)
Date: Thu Apr 13 08:51:10 2006
Subject: [LARTC] dsmark qdisc does not go without set_tc_index
In-Reply-To: <20060412164530.33533.qmail@web54305.mail.yahoo.com>
References: <20060412164530.33533.qmail@web54305.mail.yahoo.com>

It works fine on my system. Maybe try deleting qdiscs first.

On 12/04/06, pfer wrote:
> Hi all!
>
> Anyone got the same problem?
>
> If I:
>
> tc qdisc add dev eth0 handle 1:0 root dsmark indices 4 set_tc_index
>
> it works fine.
>
> If I:
>
> tc qdisc add dev eth0 handle 1:0 root dsmark indices 4
>
> it says:
> RTNETLINK answers: Invalid argument
>
> I just don't need that set_tc_index stuff for marking.
>
> Ferenc
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
From sewlist at gmail.com Thu Apr 13 09:53:47 2006
From: sewlist at gmail.com (the sew)
Date: Thu Apr 13 09:53:45 2006
Subject: [LARTC] Class C network 223.255.255.x
In-Reply-To: <1144849866.4108.29.camel@localhost.localdomain>
References: <1144849866.4108.29.camel@localhost.localdomain>

Nothing wrong with the official ones; my backbone is expanding quite a lot and we are adding quite a lot of businesses with cables in buildings, and we use PPPoE and RADIUS to assign IP addresses. I'm just looking for a block of addresses that most companies will never use.

Sew

On 4/12/06, Erik Slagter wrote:
>
> On Wed, 2006-04-12 at 14:52 +0200, the sew wrote:
> > Most networks are using either 10.x.x.x or 172.x.x.x or 192.168.x.x,
> > but I was curious if I can use the range 223.255.255.x for my backbone
> > routing; this looks like a nice block to use as most people don't use
> > this, especially if you build quite a big intranet.
> >
> > What about the whole 223.x.x.x block, will this be used on the
> > internet?
>
> These are valid routable IP addresses, so you'd better not use them for
> your own purposes.
>
> What is wrong with the official private ranges?
From alchemyx at uznam.net.pl Thu Apr 13 12:58:20 2006
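An added check, not part of the thread (my own example, not the sew's or Erik's): the shorthand "172.x.x.x" above is wider than the private block, which is only 172.16.0.0/12 (172.16.0.0 to 172.31.255.255), and 223.255.255.0/24 lies outside all three RFC 1918 blocks, which is Erik's point. The functions below classify a CIDR block as private, public or mixed (straddling a private boundary, which is how a sloppy address plan ends up with a few public addresses being NATed or leaked) using POSIX shell arithmetic only, so they can run on the router itself before an address plan is committed.

```shell
#!/bin/sh
# Added example, not from the thread. Classify an IPv4 CIDR block against the
# three RFC 1918 private blocks using POSIX shell arithmetic only.

RFC1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# ip4_to_int A.B.C.D -> 32-bit integer, or status 1 on a malformed address
ip4_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        # Leading zeros are rejected: inet_aton() reads "010" as octal 8, so
        # such addresses do not mean what they look like.
        case $o in 0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_range A.B.C.D/N -> "first last" as integers (network and broadcast address)
cidr_range() {
    net=${1%/*}; bits=${1#*/}
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    base=$(ip4_to_int "$net") || return 1
    # Shell arithmetic is 64-bit, so the shift by 32 for a /0 is harmless once masked.
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    lo=$(( base & mask ))
    echo "$lo $(( lo | (4294967295 ^ mask) ))"
}

# cidr_class A.B.C.D/N -> private | public | mixed
#   private: entirely inside one RFC 1918 block
#   mixed:   overlaps an RFC 1918 block without being inside it
#   public:  disjoint from all three
cidr_class() {
    range=$(cidr_range "$1") || { echo "bad CIDR: $1" >&2; return 1; }
    lo=${range% *}; hi=${range#* }
    result=public
    for block in $RFC1918; do
        prange=$(cidr_range "$block")
        plo=${prange% *}; phi=${prange#* }
        if [ "$lo" -ge "$plo" ] && [ "$hi" -le "$phi" ]; then
            echo private; return 0
        fi
        if [ "$lo" -le "$phi" ] && [ "$hi" -ge "$plo" ]; then
            result=mixed
        fi
    done
    echo $result
}

# Usage: ./cidr_class.sh 223.255.255.0/24 172.32.0.0/24 192.168.0.0/24
if [ $# -gt 0 ]; then
    for cidr in "$@"; do printf '%-20s %s\n' "$cidr" "$(cidr_class "$cidr")"; done
fi
```

172.32.0.0/24 classifies as public, which is the trap in "172.x.x.x"; 172.0.0.0/8 is mixed; 223.255.255.0/24 is public. The function does not know about other special-purpose blocks (loopback, link-local, multicast), so a "public" answer means "not RFC 1918", nothing more.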
From: alchemyx at uznam.net.pl (Michał Margula)
Date: Thu Apr 13 12:57:19 2006
Subject: [LARTC] ESFQ not so fair?
In-Reply-To: <443DBB8B.5030706@fatooh.org>
References: <443D5449.20706@uznam.net.pl> <443D72BE.6030003@dsl.pipex.com> <443D76AE.9090905@trash.net> <443DBB8B.5030706@fatooh.org>
Message-ID: <443E2ECC.5080504@uznam.net.pl>

Corey Hickey wrote:
>> Using jhash is probably a good idea; the "improved" hash is broken
>> and will cause reordering in some circumstances:
>>
>>     return (h - q->dyn_min) * (q->hash_divisor - 1) / q->dyn_range;
>>
>> dyn_min, dyn_max and dyn_range, as their names suggest, are adjusted
>> dynamically, so the hash function changes whenever one of these values
>> changes, resulting in reordering of packets belonging to a single flow.
>
> That should stabilize after it's been running a while and has seen the
> normal range of IP addresses. Anyway, I agree, it's not very good.

I am changing the size of the HTB queue at 01:00 AM and then back at 06:00 AM. So it is quite possible that the hash used by esfq will never go stable? If I know the range of input values, will hardcoding that into esfq help? Or maybe there is something similar to esfq with a direct hash but a larger one (16 bits should be enough). I don't care about memory usage; most important is performance. I am going to get an uplink from another company, and having another few thousand HTB qdiscs is not a wise idea :-).

--
Michał Margula, alchemyx@uznam.net.pl, http://alchemyx.uznam.net.pl/
"W życiu piękne są tylko chwile" [Ryszard Riedel] ("In life, only moments are beautiful")
From william.bohannan at spidersat.net Thu Apr 13 16:01:14 2006
From: william.bohannan at spidersat.net (William Bohannan)
Date: Thu Apr 13 16:02:37 2006
Subject: [LARTC] transparent bridge
Message-ID: <004c01c65f02$c1c5d920$40020a0a@ACCSSWILLIAM>

Hi,

I installed Debian with bridging enabled, then I installed squid. Squid works if I manually enter the proxy setting in Firefox. Then I ran the following to make it transparent:

echo 1 > /proc/sys/net/ipv4/ip_forward
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Now all I get when I go to Firefox is a blank page, and down the bottom is: Waiting for www.google.com.au ...

Please, I need help. I have tried the squid forum and looked everywhere :-(

Many thanks,
william
From wlt at obsidian-studios.com Thu Apr 13 16:36:06 2006
From: wlt at obsidian-studios.com (William L. Thomson Jr.)
Date: Thu Apr 13 16:36:05 2006
Subject: [LARTC] Re: [JAXLUG] Reply-to not set right.
In-Reply-To: <443E5344.402@serent.com>
References: <443E5344.402@serent.com>
Message-ID: <1144938966.9514.27.camel@wlt.obsidian-studios.com>

On Thu, 2006-04-13 at 09:33 -0400, Kurt Guenther wrote:
> It looks like the reply to isn't set up on the list server?

No, it's changed. In a nutshell: hitting reply sends the reply to the sender of the email. Defaults to private. Just about every mailer has a Reply To All, which does just that. So in the case of mailing lists, it seems many are migrating in that direction, which technically is the proper way to go.

From a habit and laziness standpoint it's a total pain. From a technical and logical point of view, it makes total sense.

This came up not too long ago on the LARTC list. I was for it being the old way, till a user provided the following. After reading all of them (long reads, but necessary) I reversed my stance and had to agree with the list admins' decision.

First read:
http://www.unicom.com/pw/reply-to-harmful.html

Then, the rebuttal:
http://marc.merlins.org/netrants/reply-to-useful.html

Finally, the rebuttal to the rebuttal:
http://marc.merlins.org/netrants/listreplyto.txt

--
Sincerely,
William L. Thomson Jr.
Obsidian-Studios, Inc.
http://www.obsidian-studios.com

From wlt at obsidian-studios.com Thu Apr 13 16:37:30 2006
From: wlt at obsidian-studios.com (William L. Thomson Jr.)
Date: Thu Apr 13 16:37:31 2006
Subject: [LARTC] Re: [JAXLUG] Reply-to not set right.
In-Reply-To: <1144938966.9514.27.camel@wlt.obsidian-studios.com>
References: <443E5344.402@serent.com> <1144938966.9514.27.camel@wlt.obsidian-studios.com>
Message-ID: <1144939050.9514.29.camel@wlt.obsidian-studios.com>

Wrong list, sorry; I did not hit reply to all, and added the wrong list in CC. Sorry.

--
Sincerely,
William L. Thomson Jr.
Obsidian-Studios, Inc.
http://www.obsidian-studios.com
From erik at slagter.name Fri Apr 14 12:36:20 2006
From: erik at slagter.name (Erik Slagter)
Date: Fri Apr 14 12:36:29 2006
Subject: [LARTC] Class C network 223.255.255.x
References: <1144849866.4108.29.camel@localhost.localdomain>
Message-ID: <1145010980.9938.12.camel@localhost.localdomain>

On Thu, 2006-04-13 at 09:53 +0200, the sew wrote:
> Nothing wrong with the official ones; my backbone is expanding quite a lot
> and we are adding quite a lot of businesses with cables in buildings, and we
> use PPPoE and RADIUS to assign IP addresses. I'm just looking for a block of
> addresses that most companies will never use.

I assume your connected companies are using routeable ranges? If not, I assume you're doing NAT? In the first case, IMHO, there is no reason not to use a valid private range...

From rani79 at idm.net.lb Fri Apr 14 17:01:26 2006
From: rani79 at idm.net.lb (Rani Ahmed)
Date: Fri Apr 14 17:02:00 2006
Subject: [LARTC] Shaping per IP in PPPoE borrowing or sharing Uplink or Downlink
Message-ID: <443FB946.6050205@idm.net.lb>

Hello again. I think this question I am asking is worth it:

We know that pppoe-server creates a pppX device for each connection made to it. So, when I have to shape, I have to shape each pppX connection device on its own. What I know is the borrowing method on one device by itself, e.g. ppp0, alone, using HTB or the like. This means that I have to create for another device, e.g. ppp1, its own HTB or CBQ tree.

So, how can I, with PPPoE technology, set up sharing or borrowing between all the pppX devices so it won't let the network starvation problem float to the surface?

Thanks.
From martin-lartc at wonderfrog.net Fri Apr 14 17:20:05 2006
From: martin-lartc at wonderfrog.net (Martin A. Brown)
Date: Fri Apr 14 17:24:46 2006
Subject: [LARTC] Shaping per IP in PPPoE borrowing or sharing Uplink or Downlink
In-Reply-To: <443FB946.6050205@idm.net.lb>
References: <443FB946.6050205@idm.net.lb>

Hello again Rani,

 : Hello again. I think this question I am asking is worth it:
 :
 : We know that pppoe-server creates a pppX device for each
 : connection made to it. So, when I have to shape, I have to shape
 : each pppX connection device on its own. What I know is
 : the borrowing method on one device by itself, e.g. ppp0, alone,
 : using HTB or the like. This means that I have to create for
 : another device, e.g. ppp1, its own HTB or CBQ tree.
 :
 : So, how can I, with PPPoE technology, set up sharing or borrowing
 : between all the pppX devices so it won't let the network starvation
 : problem float to the surface?

You should probably consider IMQ [0] or the new-ish IFB [1]. With either tool, you'll be able to create a traffic control structure which spans multiple output devices.

Good luck,

-Martin

[0] IMQ = Intermediate Queuing Device
    http://www.linuximq.net/
    http://lartc.org/howto/lartc.imq.html
    http://wiki.nix.hu/cgi-bin/twiki/view/IMQ/HowToInstall

[1] IFB = Intermediate Functional Block
    http://mailman.ds9a.nl/pipermail/lartc/2006q2/018641.html
    http://marc.theaimsgroup.com/?l=linux-netdev&m=113674224714758&w=2

--
Martin A. Brown --- Wonderfrog Enterprises --- martin@wonderfrog.net
From lartc at ssi.bg Sat Apr 15 10:39:26 2006
From: lartc at ssi.bg (Anton Glinkov)
Date: Sat Apr 15 10:39:27 2006
Subject: [LARTC] Shaping per IP in PPPoE borrowing or sharing Uplink or Downlink
In-Reply-To: <443FB946.6050205@idm.net.lb>
References: <443FB946.6050205@idm.net.lb>
Message-ID: <2075.217.79.89.183.1145090366.squirrel@217.79.89.183>

If they are all on the same ethernet device, you can match them with:

tc filter add dev ${DEVICE} parent 1: protocol all u32 \
    match u16 0x8864 0xFFFF at -2 flowid 1:${ID}

8864 is the PPP session ethernet protocol. You can play around with u32 if you want to match TOS or ports and stuff..

> Hello again. I think this question I am asking is worth it:
>
> We know that pppoe-server creates a pppX device for each connection made
> to it. So, when I have to shape, I have to shape each pppX connection
> device on its own. What I know is the borrowing method on one device by
> itself, e.g. ppp0, alone, using HTB or the like. This means that I have to
> create for another device, e.g. ppp1, its own HTB or CBQ tree.
>
> So, how can I, with PPPoE technology, set up sharing or borrowing between
> all the pppX devices so it won't let the network starvation problem float
> to the surface?
>
> Thanks.

--
Anton Glinkov
network administrator
From yaneti at declera.com Sat Apr 15 11:58:11 2006
From: yaneti at declera.com (Yanko Kaneti)
Date: Sat Apr 15 11:58:08 2006
Subject: [LARTC] htb overrate with 2.6.16
Message-ID: <1145095091.18168.26.camel@indigo.declera.com>

Hi

Here is something that worked with 2.6.10-1.771_FC2smp and stopped working when I upgraded to 2.6.16-1.2069_FC4smp. These are Fedora kernels and the network controller is an Intel Gbit (e1000) running at 100 Mbps full duplex. Don't know how or if this matters, but the 2.6.10 kernel has CONFIG_X86_HZ=1000 and the 2.6.16 has CONFIG_HZ=250.

The idea is to just shape to, say, 2Mbit a certain kind of traffic; everything else should go unshaped.

# tc qdisc add dev eth0 root handle 1: htb default 20
# tc class add dev eth0 parent 1: classid 1:2 htb rate 2Mbit
# tc qdisc add dev eth0 parent 1:2 sfq perturb 10
# tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 50 fw flowid 1:2

This was working as expected with 2.6.10. I've tried creating a proper 1:1 100Mbit parent to be the default, but it didn't help. And it was working fine without it on 2.6.10.

With the 2.6.16 kernel I get results like

# tc -s -d class show dev eth0
class htb 1:2 root leaf 800b: prio 0 quantum 25000 rate 2000Kbit ceil 2000Kbit burst 2600b/8 mpu 0b overhead 0b cburst 2600b/8 mpu 0b overhead 0b level 0
 Sent 189796883 bytes 20626 pkt (dropped 0, overlimits 0 requeues 0)
 rate 3484Kbit 45pps backlog 0b 0p requeues 0
 lended: 20627 borrowed: 0 giants: 30926
 tokens: -9768 ctokens: -9768

As you can see, the correctly calculated rate is way above the ceiling, and I've seen it go as fast as this certain type of traffic can go (something like 8-10Mbits), i.e. the class doesn't seem to shape at all. No drops or overlimits.

FWIW, the cbq in the 2.6.10 kernel was working fine as well until the controller changed from a 100Mbit to a Gbit one, and that's why I switched to htb. The cbq in 2.6.16 is still similarly broken (in a different way than htb).

Thanks in advance for any insight on this.

Yanko
From efgonzalez at gmail.com Sat Apr 15 15:58:58 2006
From: efgonzalez at gmail.com (Eduardo Fernández)
Date: Sat Apr 15 15:58:57 2006
Subject: [LARTC] Problems in Dead Gateway Detection / Failover - Multiple ISP Links
In-Reply-To: <43D8CEAE.3010006@tuxspace.com>
References: <43D8CEAE.3010006@tuxspace.com>

Hi!

Did you finally write a script for dead gateway detection beyond the first hop? Did you find any other solution to this problem? I'm quite interested, and I bet other multipath users here are interested too.

My Linux router has 10 DSL links (adding 15 more shortly); when one of the DSL routers goes down the kernel does not always notice. Don't know why. Also, if a DSL router is up but the internet link is down, dead gateway detection doesn't work either.

Thanks!
Edu

On 1/26/06, Manish Kathuria wrote:
> Hello,
>
> I have configured a load balancing router using Julian's patches and as
> described in "nano.txt" for two ISP links as shown below.
>
> [ASCII diagram, garbled in the archive: ISP 1 and ISP 2 each reach the
> Linux router through their own router, R1 (gateway GW1) on interface EXT1
> and R2 (gateway GW2) on interface EXT2; the Linux router's INT IF faces
> the LAN.]
>
> LAN NETWORK = 192.168.100.0/24
> INT IF = 192.168.100.1
>
> ISP1 NETWORK = 10.20.30.128/29
> R1 - ROUTER1
> GW1 = 10.20.30.129
> EXT1 = 10.20.30.130
>
> ISP2 NETWORK = 172.16.32.128/29
> R2 - ROUTER2
> GW2 = 172.16.32.129
> EXT2 = 172.16.32.130
>
> Both the ISPs have provided /29 subnets of public IPs. The above
> mentioned addresses are just for example.
>
> The gateways for both the ISPs are routers placed at the same location
> which are further connected through radio link and leased line.
>
> Things work fine as long as both the ISP links are alive. While testing
> the dead gateway detection and failover functionality we observed that
> if we make the first hop gateway (i.e. router R1 or R2) of one of the
> ISPs dead, by either disconnecting the ethernet cable between the Linux
> router and R1/R2 or by switching off the gateway (R1/R2) itself, dead
> gateway detection takes place and failover to the other ISP takes place.
> However, if there is a problem in the ISP connectivity at any of the
> subsequent hops, there is no dead gateway detection and failover also
> does not take place. I have tested this on various Linux kernels from
> the 2.4 as well as 2.6 series.
>
> Somehow I have never faced a similar problem before and things have been
> working perfectly. In a real life situation here, the first hop gateway is
> rarely going to be down, so dead gateway detection and failover is going
> to be required whenever there is some connectivity problem at any of the
> later hops. So that's where dead gateway detection needs to work.
>
> What could be the reason? How can this be resolved? I would appreciate
> any pointers or suggestions.
>
> Thanks,
>
> Manish Kathuria
From andy.furniss at dsl.pipex.com Sat Apr 15 18:14:50 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Sat Apr 15 18:13:49 2006
Subject: [LARTC] Problems matching by mac address
In-Reply-To: <48DC429CB053B64EAD91BDD1DE106A1152C4D4@es1.corp.commspeed.net>
References: <48DC429CB053B64EAD91BDD1DE106A1152C4D4@es1.corp.commspeed.net>
Message-ID: <44411BFA.20503@dsl.pipex.com>

Adam M. Towarnyckyj wrote:
> Andy,
>
> Thanks for investigating so extensively. However, I'm an idiot and made
> a fundamental mistake in networking that I should have realized in the
> first place. I completely didn't think about the fact that the filter is
> looking at the data link layer of the packet and that this gets changed
> through each device. The test machine is set up behind a router. Also,
> to answer your question, I'm using a download test app on a web server I
> set up, so I'm basically using the same program for testing the
> throughput each time.
>
> Sorry if I wasted anyone's time on this. With me, it's always something
> obvious I missed and usually I don't realize until after I have
> investigated every FAQ, Googled the hell out of the question, and posted
> to a list.

No problem - I don't know how to solve your new problem.

I retried the test on a 2.6.15 with tc 051107 and the counters are OK now when I tc -s filter ls dev eth0 parent 12:0.

One thing - I always considered the match 0x0800 0xFFFF at -2 to be redundant if you say protocol ip in the filter - so I ended up using the following, which I think is a bit easier to read, with the mac of the target machine being 00:C1:26:0F:04:AD.

tc filter add dev eth0 protocol ip parent 12: prio 1 u32 \
    match u16 0x00c1 0xffff at -14 \
    match u32 0x260f04ad 0xffffffff at -12 \
    flowid 12:10

Andy.
From mrasero at tcor.net Sun Apr 16 00:57:57 2006
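An added example, not Andy's, Anton's or Adam's code, that turns the hand-converted matches in Andy's filter above (and the ethertype match in Anton's PPPoE filter earlier in the section) into a small generator. u32 offsets are relative to the start of the IP header, so negative offsets reach back into the 14-byte Ethernet header: destination MAC at bytes 0-5 (u16 at -14, u32 at -12, which is Andy's pair), source MAC at bytes 6-11, ethertype at bytes 12-13 (u16 at -2). Two caveats a practitioner wants on record: this only means something where the frame still carries that header (egress of the Ethernet device; behind a router the address is the router's, which is the mistake Adam describes), and a MAC is a classification hint, not an identity, since any host can set its own. The u32 matches are kept 4-byte aligned (-12 and -8) so that the classifier never does an unaligned 32-bit read.

```shell
#!/bin/sh
# Added example, not from the thread. Build the u32 "match" clauses that select
# an Ethernet MAC address in a tc filter on an Ethernet device's egress.
#
# Ethernet header layout relative to the IP header (negative u32 offsets):
#   bytes 0-5   destination MAC : u16 at -14, u32 at -12
#   bytes 6-11  source MAC      : u32 at -8,  u16 at -4
#   bytes 12-13 ethertype       : u16 at -2   (0x0800 IPv4, 0x8864 PPPoE session)
# Assumption: the frame carries the Ethernet header where the filter runs.

# mac_u32_match MAC dst|src -> the two match clauses on one line
mac_u32_match() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    where=$2
    old_ifs=$IFS; IFS=:
    set -- $mac
    IFS=$old_ifs
    [ $# -eq 6 ] || { echo "bad MAC: $mac" >&2; return 1; }
    for o in "$@"; do
        case $o in
            [0-9a-f]|[0-9a-f][0-9a-f]) ;;
            *) echo "bad MAC octet: $o" >&2; return 1 ;;
        esac
    done
    # printf pads each octet to two hex digits, so "0:c1:26:f:4:ad" and
    # "00:C1:26:0F:04:AD" produce the same keys.
    case $where in
        dst) printf 'match u16 0x%02x%02x 0xffff at -14 match u32 0x%02x%02x%02x%02x 0xffffffff at -12\n' \
                 "0x$1" "0x$2" "0x$3" "0x$4" "0x$5" "0x$6" ;;
        src) printf 'match u32 0x%02x%02x%02x%02x 0xffffffff at -8 match u16 0x%02x%02x 0xffff at -4\n' \
                 "0x$1" "0x$2" "0x$3" "0x$4" "0x$5" "0x$6" ;;
        *)   echo "usage: mac_u32_match MAC dst|src" >&2; return 2 ;;
    esac
}

# ethertype_u32_match 0x8864 -> the clause Anton used. Needed with "protocol all";
# redundant with "protocol ip", which already restricts the filter to 0x0800.
ethertype_u32_match() {
    printf 'match u16 %s 0xffff at -2\n' "$1"
}

# Usage: rebuild Andy's filter from the MAC instead of converting it by hand.
#   tc filter add dev eth0 protocol ip parent 12: prio 1 u32 \
#       $(mac_u32_match 00:C1:26:0F:04:AD dst) flowid 12:10
if [ $# -eq 2 ]; then
    mac_u32_match "$1" "$2"
fi
```

For 00:C1:26:0F:04:AD in the destination position the output is exactly the two match lines of Andy's filter; the src variant is what you would use on the ingress side of the same device, where the target is the sender.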
From: mrasero at tcor.net (Miguel Angel Rasero (TCOR))
Date: Sun Apr 16 00:58:03 2006
Subject: [LARTC] multiple gateways problem
Message-ID: <44417A75.4050208@tcor.net>

Hello,

I have had a terrible day today. Why? Because I have spent some 4 or 5 hours trying to get this to work and I have not finished it. I would be very pleased if anyone can help me.

I have two ISP connections:

eth0: dhcp
  ip1: 82.198.*.*
  gw1: 82.198.*.*

and an ADSL router at IP 192.168.0.253:

eth1: static
  ip2: 192.168.0.254
  gw1: 192.168.0.253

The same machine has 3 more network cards, but I am using only 4 at this time:

eth0: internet connection 1
eth1: network range 1 (192.168.0.0/24) and ADSL internet connection 2
eth2: network range 2 (192.168.2.0/24)
eth3: network range 3 (192.168.3.0/24)

Well, I have created two tables in rt_tables like this:

----------------------
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
200 aulas
201 oficinas
---------------------

and I have been trying to route from source to one or another table.

ip rule add from 192.168.2.0/24 table aulas
ip rule add from 192.168.3.0/24 table aulas
ip route add default via 192.168.0.253 dev eth1 table aulas
ip route add 192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.254 table aulas
ip route add 192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.254 table aulas
ip route add 192.168.3.0/24 dev eth3 proto kernel scope link src 192.168.3.254 table aulas
ip rule add fwmark 4 table aulas
(this is for dport 80, marked with iptables, to go via ADSL too)

#oficinas
ip rule add from 192.168.0.0/24 table oficinas
ip route add default via 82.198.*.* dev eth0 table oficinas
ip route add 192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.254 table oficinas
ip route add 192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.254 table oficinas
ip route add 192.168.3.0/24 dev eth3 proto kernel scope link src 192.168.3.254 table oficinas
ip route add 82.198.*.*/25 dev eth0 proto kernel scope link src 82.198.*.* table oficinas

$IPTABLES -t nat -A POSTROUTING -s 192.168.0.0/24 -d ! 192.168.0.0/16 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s 192.168.2.0/24 -d ! 192.168.0.0/16 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s 192.168.3.0/24 -d ! 192.168.0.0/16 -j MASQUERADE

Well, I know iptables can be more specific with SNAT, but I have tried that too.

The rules work, because if I delete the local range routes I don't get responses to LAN packets either, so it is classified correctly, but only the gateway that is in the default route in the main table works: if I delete the default in main, no range works; if I use the eth0 default, only table oficinas works; and if I use the eth1 default, only table aulas works. I have tried with nexthop, adding the two gateways in default, but it doesn't work well either.

Can anyone help me please?

Software versions:
Distro: Debian Testing
Kernel: 2.4.32
iptables: 2.3.3
iproute2-ss051007

Thanks in advance.
From andy.furniss at dsl.pipex.com Sun Apr 16 01:13:33 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Sun Apr 16 01:12:27 2006
Subject: [LARTC] htb overrate with 2.6.16
In-Reply-To: <1145095091.18168.26.camel@indigo.declera.com>
References: <1145095091.18168.26.camel@indigo.declera.com>
Message-ID: <44417E1D.50301@dsl.pipex.com>

Yanko Kaneti wrote:
> Hi
>
> Here is something that worked with 2.6.10-1.771_FC2smp and stopped
> working when I upgraded to 2.6.16-1.2069_FC4smp.
> These are Fedora kernels and the network controller is an Intel Gbit
> (e1000) running at 100 Mbps full duplex.
> Don't know how or if this matters, but the 2.6.10 kernel has
> CONFIG_X86_HZ=1000 and the 2.6.16 has CONFIG_HZ=250.
>
> The idea is to just shape to, say, 2Mbit a certain kind of traffic;
> everything else should go unshaped.
>
> # tc qdisc add dev eth0 root handle 1: htb default 20

Why default 20 - if you don't have 1:20 it would be better to use default 0, which is unshaped and is the default - so omitting default is the same - unclassified traffic goes through unshaped.

> # tc class add dev eth0 parent 1: classid 1:2 htb rate 2Mbit
> # tc qdisc add dev eth0 parent 1:2 sfq perturb 10
> # tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 50 fw flowid 1:2
>
> This was working as expected with 2.6.10.
> I've tried creating a proper 1:1 100Mbit parent to be the default, but it
> didn't help. And it was working fine without it on 2.6.10.
>
> With the 2.6.16 kernel I get results like
>
> # tc -s -d class show dev eth0
> class htb 1:2 root leaf 800b: prio 0 quantum 25000 rate 2000Kbit ceil 2000Kbit burst 2600b/8 mpu 0b overhead 0b cburst 2600b/8 mpu 0b overhead 0b level 0
>  Sent 189796883 bytes 20626 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 3484Kbit 45pps backlog 0b 0p requeues 0
>  lended: 20627 borrowed: 0 giants: 30926

The giants are the problem - if you specify mtu XXXXX on the 1:2 class it should work.

Or you could consider setting the mtu on the nic to 1500 if that is practical for you, i.e. this traffic is headed somewhere that is going to frag it down to 1500 anyway.

Andy.
From yaneti at declera.com Sun Apr 16 02:19:15 2006
From: yaneti at declera.com (Yanko Kaneti)
Date: Sun Apr 16 02:19:12 2006
Subject: [LARTC] htb overrate with 2.6.16
In-Reply-To: <44417E1D.50301@dsl.pipex.com>
References: <1145095091.18168.26.camel@indigo.declera.com> <44417E1D.50301@dsl.pipex.com>
Message-ID: <1145146755.18168.43.camel@indigo.declera.com>

On Sun, 2006-04-16 at 00:13 +0100, Andy Furniss wrote:
> Yanko Kaneti wrote:
> > Hi
> >
> > Here is something that worked with 2.6.10-1.771_FC2smp and stopped
> > working when I upgraded to 2.6.16-1.2069_FC4smp.
> > These are Fedora kernels and the network controller is an Intel Gbit
> > (e1000) running at 100 Mbps full duplex.
> > Don't know how or if this matters, but the 2.6.10 kernel has
> > CONFIG_X86_HZ=1000 and the 2.6.16 has CONFIG_HZ=250.
> >
> > The idea is to just shape to, say, 2Mbit a certain kind of traffic;
> > everything else should go unshaped.
> >
> > # tc qdisc add dev eth0 root handle 1: htb default 20
>
> Why default 20 - if you don't have 1:20 it would be better to use
> default 0, which is unshaped and is the default - so omitting default is
> the same - unclassified traffic goes through unshaped.

No reason. I obviously missed the explanation for the 0 class. Will omit default in the future.

> > # tc class add dev eth0 parent 1: classid 1:2 htb rate 2Mbit
> > # tc qdisc add dev eth0 parent 1:2 sfq perturb 10
> > # tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 50 fw flowid 1:2
> >
> > This was working as expected with 2.6.10.
> > I've tried creating a proper 1:1 100Mbit parent to be the default, but it
> > didn't help. And it was working fine without it on 2.6.10.
> >
> > With the 2.6.16 kernel I get results like
> >
> > # tc -s -d class show dev eth0
> > class htb 1:2 root leaf 800b: prio 0 quantum 25000 rate 2000Kbit ceil 2000Kbit burst 2600b/8 mpu 0b overhead 0b cburst 2600b/8 mpu 0b overhead 0b level 0
> >  Sent 189796883 bytes 20626 pkt (dropped 0, overlimits 0 requeues 0)
> >  rate 3484Kbit 45pps backlog 0b 0p requeues 0
> >  lended: 20627 borrowed: 0 giants: 30926
>
> The giants are the problem - if you specify mtu XXXXX on the 1:2 class it
> should work.
> Or you could consider setting the mtu on the nic to 1500 if that is practical
> for you, i.e. this traffic is headed somewhere that is going to frag it
> down to 1500 anyway.

Setting mtu 16500 for the class fixed it. But I wonder where these giants came from in the first place? The mtu of the interface is and was 1500. Or so ifconfig and ip link tell me. Or is this some other mtu we are talking about...

Thanks
Yanko

From andy.furniss at dsl.pipex.com Sun Apr 16 04:03:29 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Sun Apr 16 04:02:22 2006
Subject: [LARTC] htb overrate with 2.6.16
In-Reply-To: <1145146755.18168.43.camel@indigo.declera.com>
References: <1145095091.18168.26.camel@indigo.declera.com> <44417E1D.50301@dsl.pipex.com> <1145146755.18168.43.camel@indigo.declera.com>
Message-ID: <4441A5F1.9020409@dsl.pipex.com>

Yanko Kaneti wrote:
> Setting mtu 16500 for the class fixed it. But I wonder where these
> giants came from in the first place? The mtu of the interface is and was
> 1500. Or so ifconfig and ip link tell me. Or is this some other mtu we
> are talking about...

Hmm, I didn't expect that - maybe there is some problem with the nic drivers not obeying the kernel - is there any tso offload etc. at work here?

Andy.
From yaneti at declera.com Sun Apr 16 04:37:53 2006
From: yaneti at declera.com (Yanko Kaneti)
Date: Sun Apr 16 04:37:50 2006
Subject: [LARTC] htb overrate with 2.6.16
In-Reply-To: <1145095091.18168.26.camel@indigo.declera.com>
References: <1145095091.18168.26.camel@indigo.declera.com>
Message-ID: <1145155073.18168.53.camel@indigo.declera.com>

On Sun, 2006-04-16 at 03:03 +0100, Andy Furniss wrote:
> Yanko Kaneti wrote:
>
> > Setting mtu 16500 for the class fixed it. But I wonder where these
> > giants came from in the first place? The mtu of the interface is and was
> > 1500. Or so ifconfig and ip link tell me. Or is this some other mtu we
> > are talking about...
>
> Hmm, I didn't expect that - maybe there is some problem with the nic
> drivers not obeying the kernel - is there any tso offload etc. at work here?

Yes, and it's on by default. The interface mtu still says 1500. I've tried deleting and attaching the qdisc+class (without an explicit large mtu) with both tso on (ethtool -K eth0 tso on) and tso off; it doesn't seem to matter - giants appear in both cases. With a large mtu for the class, no giants with both tso on and off.

Yanko
From andy.furniss at dsl.pipex.com Sun Apr 16 20:40:01 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Sun Apr 16 20:38:58 2006
Subject: [LARTC] htb overrate with 2.6.16
In-Reply-To: <1145155073.18168.53.camel@indigo.declera.com>
References: <1145095091.18168.26.camel@indigo.declera.com> <1145155073.18168.53.camel@indigo.declera.com>
Message-ID: <44428F81.1090604@dsl.pipex.com>

Yanko Kaneti wrote:
> On Sun, 2006-04-16 at 03:03 +0100, Andy Furniss wrote:
>
>> Yanko Kaneti wrote:
>>
>>> Setting mtu 16500 for the class fixed it. But I wonder where these
>>> giants came from in the first place? The mtu of the interface is and was
>>> 1500. Or so ifconfig and ip link tell me. Or is this some other mtu we
>>> are talking about...
>>
>> Hmm, I didn't expect that - maybe there is some problem with the nic
>> drivers not obeying the kernel - is there any tso offload etc. at work here?
>
> Yes, and it's on by default. The interface mtu still says 1500.
> I've tried deleting and attaching the qdisc+class (without an explicit
> large mtu) with both tso on (ethtool -K eth0 tso on) and tso off; it
> doesn't seem to matter - giants appear in both cases.
> With a large mtu for the class, no giants with both tso on and off.
>
> Yanko

I think you need to ask the Fedora or Intel driver maintainer about this. AIUI tso is not in vanilla kernels and the patches are quite invasive.

Andy.
From yaneti at declera.com Sun Apr 16 22:03:52 2006
From: yaneti at declera.com (Yanko Kaneti)
Date: Sun Apr 16 22:03:49 2006
Subject: [LARTC] htb overrate with 2.6.16
In-Reply-To: <44428F81.1090604@dsl.pipex.com>
References: <1145095091.18168.26.camel@indigo.declera.com> <1145155073.18168.53.camel@indigo.declera.com> <44428F81.1090604@dsl.pipex.com>
Message-ID: <1145217832.18656.24.camel@indigo.declera.com>

On Sun, 2006-04-16 at 19:40 +0100, Andy Furniss wrote:
> Yanko Kaneti wrote:
> > On Sun, 2006-04-16 at 03:03 +0100, Andy Furniss wrote:
> >
> >> Yanko Kaneti wrote:
> >>
> >>> Setting mtu 16500 for the class fixed it. But I wonder where these
> >>> giants came from in the first place? The mtu of the interface is and was
> >>> 1500. Or so ifconfig and ip link tell me. Or is this some other mtu we
> >>> are talking about...
> >>
> >> Hmm, I didn't expect that - maybe there is some problem with the nic
> >> drivers not obeying the kernel - is there any tso offload etc. at work here?
> >
> > Yes, and it's on by default. The interface mtu still says 1500.
> > I've tried deleting and attaching the qdisc+class (without an explicit
> > large mtu) with both tso on (ethtool -K eth0 tso on) and tso off; it
> > doesn't seem to matter - giants appear in both cases.
> > With a large mtu for the class, no giants with both tso on and off.
>
> I think you need to ask the Fedora or Intel driver maintainer about this.
> AIUI tso is not in vanilla kernels and the patches are quite invasive.

Well, as much as Google tells me, TSO has been in the kernel and enabled since 2.5.33, and e1000 was the first driver to support it. The FC4 2.6.16 kernel doesn't have any tso related patches, as can be seen here: http://cvs.fedora.redhat.com/viewcvs/rpms/kernel/FC-4/

Since my immediate problem was solved with the mtu param, I plan on forgetting about htb and traffic control in general for the time being :)

Thanks again.

Cheers
Yanko
From andy.furniss at dsl.pipex.com Sun Apr 16 23:10:12 2006
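An added example, not code from the thread (neither Yanko's nor Andy's): the arithmetic behind the giants counter, reconstructed from how I read the iproute2 tc and sch_htb.c sources of that era (check against your own versions). tc builds a 256-entry rate table per class, with cell_log the smallest shift such that mtu >> cell_log fits in 255; the HTB front end assumes mtu 1600 unless the class says "mtu N", and prints the cell size after the slash, so "burst 2600b/8" above is an 8-byte cell, cell_log 3. The burst itself is rate/HZ + mtu = 250000/250 + 1600 = 2600 bytes, which agrees with Yanko's CONFIG_HZ=250. In the kernel a packet is charged len >> cell_log cells, and anything that would index past slot 255 is counted as a giant and charged as 255 cells, so an offload super-packet many times larger than the table pays for about 2 KB of its length. That is how a 2 Mbit class can report 3484 Kbit with zero drops: the limit is not enforced, only miscounted. The script reproduces that accounting; the 1500- and 64000-byte lengths are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduce HTB's rate-table accounting to
# show why oversize packets ("giants") are under-charged against the rate.
#
# As I read the iproute2 tc and sch_htb.c sources of that era (assumptions):
#  - cell_log is the smallest shift with (mtu >> cell_log) <= 255; tc's HTB
#    front end assumes mtu = 1600 unless the class is given "mtu N", and the
#    cell size 1 << cell_log is what "burst 2600b/8" prints after the slash;
#  - the kernel charges a packet len >> cell_log cells and clamps the index to
#    255, counting the packet as a giant when it had to clamp.

# htb_cell_log MTU -> cell_log
htb_cell_log() {
    mtu=$1; cell_log=0
    while [ $(( mtu >> cell_log )) -gt 255 ]; do
        cell_log=$(( cell_log + 1 ))
    done
    echo $cell_log
}

# htb_giant_threshold MTU -> smallest packet length counted as a giant
htb_giant_threshold() {
    echo $(( 256 << $(htb_cell_log "$1") ))
}

# htb_charged_bytes MTU LEN -> bytes actually charged for a LEN-byte packet
htb_charged_bytes() {
    cl=$(htb_cell_log "$1")
    slot=$(( $2 >> cl ))
    if [ $slot -gt 255 ]; then slot=255; fi      # the giant case: clamped
    echo $(( slot << cl ))
}

# Usage: compare the default table with the 16500-byte one from the thread
# for a 1500-byte frame and a 64000-byte offload super-packet (constructed sizes).
for mtu in 1600 16500; do
    for len in 1500 64000; do
        printf 'mtu %5d cell_log %d giant>=%5d len %5d charged %5d\n' \
            "$mtu" "$(htb_cell_log "$mtu")" "$(htb_giant_threshold "$mtu")" \
            "$len" "$(htb_charged_bytes "$mtu" "$len")"
    done
done
```

Two things fall out of running it. With the default table a 64000-byte packet is charged 2040 bytes, about 3% of its size; with mtu 16500 the cell grows to 128 bytes, a 1500-byte frame is charged 1408 (the price of a coarser table), and a 64000-byte packet is still only charged 32640. So "mtu 16500" making the giants vanish tells you the packets Yanko's e1000 path handed to the qdisc were below 32768 bytes, and the check to keep in place after any shaping or offload change is that the giants counter in "tc -s -d class show" stays at zero.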
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Sun Apr 16 23:08:57 2006
Subject: [LARTC] htb overrate with 2.6.16
In-Reply-To: <1145217832.18656.24.camel@indigo.declera.com>
References: <1145095091.18168.26.camel@indigo.declera.com> <1145155073.18168.53.camel@indigo.declera.com> <44428F81.1090604@dsl.pipex.com> <1145217832.18656.24.camel@indigo.declera.com>
Message-ID: <4442B2B4.7050800@dsl.pipex.com>

Yanko Kaneti wrote:
>> I think you need to ask the Fedora or Intel driver maintainer about this.
>> AIUI tso is not in vanilla kernels and the patches are quite invasive.
>
> Well, as much as Google tells me, TSO has been in the kernel and enabled
> since 2.5.33, and e1000 was the first driver to support it.
> The FC4 2.6.16 kernel doesn't have any tso related patches, as can be
> seen here: http://cvs.fedora.redhat.com/viewcvs/rpms/kernel/FC-4/

Ahh OK, I must have been thinking of another card.

Andy.

From gnychis at cmu.edu Mon Apr 17 00:44:21 2006
From: gnychis at cmu.edu (George P Nychis)
Date: Mon Apr 17 00:44:20 2006
Subject: [LARTC] how to do probabilistic packet loss in kernel?
Message-ID: <4902.128.2.140.224.1145227461.squirrel@128.2.140.224>

Hi,

I am using iproute2 to set up forwarding, adding routes like "ip route add 192.168.1.3 via 192.168.1.2".

I was wondering where in the kernel I can insert probabilistic packet loss only for forwarded packets? So that, for instance, I can drop 5% of all forwarded packets?

I don't need help with the actual code, just need help finding where to insert this code :)

Thanks!
George
From martin at linux-ip.net Mon Apr 17 02:13:54 2006
From: martin at linux-ip.net (Martin A. Brown)
Date: Mon Apr 17 02:18:34 2006
Subject: [LARTC] how to do probabilistic packet loss in kernel?
In-Reply-To: <4902.128.2.140.224.1145227461.squirrel@128.2.140.224>
References: <4902.128.2.140.224.1145227461.squirrel@128.2.140.224>
Message-ID:

Greetings George,

 : I am using iproute2 to set up forwarding, adding routes like "ip
 : route add 192.168.1.3 via 192.168.1.2"
 :
 : I was wondering where in the kernel I can insert probabilistic
 : packet loss only for forwarded packets? So that for instance I
 : can drop 5% of all forwarded packets?
 :
 : I don't need help with the actual code, just need help finding
 : where to insert this code :)

I believe you are looking for the netem qdisc [0]. Here's just a
snippet from Stephen Hemminger's wiki page to help you imagine how
you could use netem to introduce probabilistic packet loss.

  # tc qdisc add dev eth0 parent 1:3 handle 30: netem \
       delay 200ms 10ms distribution normal

Good luck,

-Martin

[0] http://linux-net.osdl.org/index.php/Netem

--
Martin A. Brown --- http://linux-ip.net/ --- martin@linux-ip.net

From gnychis at cmu.edu Mon Apr 17 02:36:41 2006
From: gnychis at cmu.edu (George Nychis)
Date: Mon Apr 17 02:34:54 2006
Subject: [LARTC] how to do probabilistic packet loss in kernel?
In-Reply-To:
References: <4902.128.2.140.224.1145227461.squirrel@128.2.140.224>
Message-ID: <4442E319.50309@cmu.edu>

Thanks Martin and Roman. I will definitely look into this.

I have a question for you though... in terms of adding loss like this, this will not interact with hardware layer rate control of wireless cards right?

For instance... dropping from 54Mbit to 11Mbit on an 802.11g card when loss certain loss begins occurring

Martin A. Brown wrote:
> I believe you are looking for the netem qdisc [0]. Here's just a
> snippet from Stephen Hemminger's wiki page to help you imagine how
> you could use netem to introduce probabilistic packet loss.
>
> # tc qdisc add dev eth0 parent 1:3 handle 30: netem \
> delay 200ms 10ms distribution normal
>
> [0] http://linux-net.osdl.org/index.php/Netem

From martin at linux-ip.net Mon Apr 17 03:21:23 2006
From: martin at linux-ip.net (Martin A. Brown)
Date: Mon Apr 17 03:26:06 2006
Subject: [LARTC] how to do probabilistic packet loss in kernel?
In-Reply-To: <4442E319.50309@cmu.edu>
References: <4902.128.2.140.224.1145227461.squirrel@128.2.140.224> <4442E319.50309@cmu.edu>
Message-ID:

Hello again,

 : I have a question for you though... in terms of adding loss like
 : this, this will not interact with hardware layer rate control of
 : wireless cards right?
 :
 : For instance... dropping from 54Mbit to 11Mbit on an 802.11g card
 : when loss certain loss begins occurring

Outgoing packets pass through the traffic control system (netem qdisc,
in this case) just before being dequeued to the driver. The actual
behaviour of the kernel, in this case, depends on a sanely coded
driver. I assume a sanely coded driver, in which case this is what you
should see when the hardware cannot accept a packet for transmission:

  0. netem (or any other qdisc, for that matter) will operate as
     configured (inducing loss, delaying, reordering or prioritizing
     your outgoing packets)
  1. eventually qdisc_restart() will call the hardware driver
  2A. [if success] packet is transmitted
  2B. [if failure] the hardware driver cannot handle the packet for
     some reason (TX ring full, link failure or other problem); it will
     propagate an error condition to the higher layer
  3. qdisc_restart(), receiving such an error, will cause the packet to
     be requeued [0]
  4. goto step 1

My source for this answer documents kernel 2.4, although the code in
the networking stack seems to be fundamentally the same in this case.
See the DataTAG report entitled "A Map of the Networking Code in Linux
Kernel 2.4.20" [1]. On page 19, Section 4.3.1, the authors refer to the
function net/sched/sch_generic.c which includes qdisc_restart().

So, strictly speaking, there should be no interaction between your use
of the netem qdisc and lower layer rate control (lossy transmissions and
any compensatory mechanisms between radios).

Note! Both of the sources for my answer are from old documentation
(and, of course, ongoing general knowledge of the traffic control
system). I believe that the kernel still operates in this fashion, but
would absolutely welcome any corrections from those who are more
intimately familiar with the kernel and hardware perspective.

Good luck, George,

-Martin

[0] http://qos.ittc.ku.edu/howto/node11.html
    http://qos.ittc.ku.edu/howto/
[1] http://datatag.web.cern.ch/datatag/papers/tr-datatag-2004-1.pdf

--
Martin A. Brown --- http://linux-ip.net/ --- martin@linux-ip.net

From gnychis at cmu.edu Mon Apr 17 04:53:46 2006
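Martin's step list describes the egress path as a loop: the qdisc applies its policy (netem loss), qdisc_restart() hands packets to the driver, and a packet the driver refuses is requeued rather than dropped. The toy model below is an added example and is not kernel code or any list member's code; the class and function names (NetemQdisc, TxRing, qdisc_restart, simulate) are illustrative stand-ins for the real ones in net/sched/sch_generic.c, and the loss percentage models netem's `loss` option. It lets the accounting of the loop be checked directly: every packet netem accepts is eventually transmitted, driver back-pressure only produces requeues, and ordering survives.

```python
"""Toy model of the egress loop Martin describes (qdisc -> qdisc_restart -> driver).

Added example; not kernel code. The class/function names are illustrative
stand-ins for the real ones in net/sched/sch_generic.c.
"""
from collections import deque
import random


class NetemQdisc:
    """Queue that drops a fixed fraction of packets on enqueue, the way
    netem's 'loss' option does (step 0 in Martin's list)."""

    def __init__(self, loss_percent, seed=0):
        self.loss = loss_percent / 100.0
        self.rng = random.Random(seed)   # seeded so runs are reproducible
        self.q = deque()
        self.dropped = 0
        self.requeued = 0

    def enqueue(self, pkt):
        if self.rng.random() < self.loss:
            self.dropped += 1            # loss is induced here, before the driver
            return False
        self.q.append(pkt)
        return True

    def dequeue(self):
        return self.q.popleft() if self.q else None

    def requeue(self, pkt):
        # step 3: a packet the driver refused goes back to the head of the queue
        self.q.appendleft(pkt)
        self.requeued += 1


class TxRing:
    """Driver stand-in with a bounded TX ring: accepts packets until the ring
    is full, then refuses (step 2B) until the hardware completes them."""

    def __init__(self, slots):
        self.slots = slots
        self.pending = 0
        self.transmitted = []

    def hard_start_xmit(self, pkt):
        if self.pending >= self.slots:
            return False                 # TX ring full: error propagates upward
        self.pending += 1
        self.transmitted.append(pkt)     # step 2A: packet on the wire
        return True

    def tx_complete(self):
        self.pending = 0                 # hardware drained the ring


def qdisc_restart(qdisc, driver):
    """Steps 1-4: dequeue and hand to the driver until it refuses or the
    queue empties. Returns the number of packets the driver accepted."""
    sent = 0
    while True:
        pkt = qdisc.dequeue()
        if pkt is None:
            return sent
        if driver.hard_start_xmit(pkt):
            sent += 1
        else:
            qdisc.requeue(pkt)           # not dropped; retried after tx_complete
            return sent


def simulate(n_packets, loss_percent, ring_slots, burst=8, seed=0):
    """Offer n_packets in bursts larger than the ring and return the accounting."""
    qdisc = NetemQdisc(loss_percent, seed)
    driver = TxRing(ring_slots)
    sent = 0
    for i in range(n_packets):
        qdisc.enqueue(i)
        if (i + 1) % burst == 0 or i == n_packets - 1:
            sent += qdisc_restart(qdisc, driver)
            while qdisc.q:               # ring full: wait for completion, retry
                driver.tx_complete()
                sent += qdisc_restart(qdisc, driver)
    return {
        "offered": n_packets,
        "sent": sent,
        "dropped_by_netem": qdisc.dropped,
        "requeued": qdisc.requeued,
        "in_order": driver.transmitted == sorted(driver.transmitted),
    }


if __name__ == "__main__":
    print(simulate(1000, 5, 4, seed=1))
```

The invariant worth checking is `sent + dropped_by_netem == offered`: the only place packets disappear is the qdisc's own policy, which is Martin's point that a full TX ring or a slower radio rate does not add loss on top of what netem was told to induce.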
From: gnychis at cmu.edu (George P Nychis)
Date: Mon Apr 17 04:53:46 2006
Subject: [LARTC] how to do probabilistic packet loss in kernel?
In-Reply-To:
References: <4902.128.2.140.224.1145227461.squirrel@128.2.140.224> <4442E319.50309@cmu.edu>
Message-ID: <2959.128.237.238.138.1145242426.squirrel@128.237.238.138>

Okay I need a little help.

So, I have this qdisc module q_xcp.so that was compiled for tc version 2.4.7, so I have version 2.4.7 for q_xcp.so to work properly. I tried using q_xcp.so with the newest version of iproute/tc but it seems as though since version 2.4.7 the qdisc_util structure has changed some and I keep getting seg faults trying to use q_xcp. For instance, in the newer versions of tc, I see qdisc structures defined like:

  struct qdisc_util netem_qdisc_util = { };

and in the same newer versions, in tc.c get_qdisc_kind, before it calls "q = dlsym(dlh, buf);" ... it sets buf to "%s_qdisc_util"

however in the old version of tc that q_xcp was made for, it sets buf to "%s_util"

so I guess my main question is, do you know of a version of iproute/tc that uses this old structure that has netem support? I tried copying the q_netem.c code from the newer version of iproute and trying to compile it for an old version of iproute... but it's just not working out nicely at all

I'd greatly appreciate any help.

Thanks!
George

From gnychis at cmu.edu Mon Apr 17 05:12:55 2006
From: gnychis at cmu.edu (George P Nychis)
Date: Mon Apr 17 05:12:54 2006
Subject: [LARTC] how to do probabilistic packet loss in kernel?
In-Reply-To: <2959.128.237.238.138.1145242426.squirrel@128.237.238.138>
References: <4902.128.2.140.224.1145227461.squirrel@128.2.140.224> <4442E319.50309@cmu.edu> <2959.128.237.238.138.1145242426.squirrel@128.237.238.138>
Message-ID: <3216.128.237.238.138.1145243575.squirrel@128.237.238.138>

Sorry to spam, but just to save anyone trying to help some time, I modified q_xcp to work with the newer version of iproute2/tc now :)

So now I can use netem! Thanks for everyone's help.

- George

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From gnychis at cmu.edu Mon Apr 17 05:42:20 2006
From: gnychis at cmu.edu (George P Nychis)
Date: Mon Apr 17 05:42:24 2006
Subject: [LARTC] how to do probabilistic packet loss in kernel?
In-Reply-To:
References: Your message of Sun, 16 Apr 2006 22:53:46 -0400. <2959.128.237.238.138.1145242426.squirrel@128.237.238.138>
Message-ID: <3488.128.237.238.138.1145245340.squirrel@128.237.238.138>

Hey Tim,

Thanks for your constant help. I managed to port q_xcp.c to work in modern versions of tc.

I am using the 2.4.32 kernel and compiled netem support into the kernel. I then compiled iproute2-2.6.11 including the tc that came with it, which installed q_xcp.so to /usr/lib/tc and q_netem.so to /usr/lib/tc

I then try:

  tc qdisc change dev ath0 root netem loss .1%

and get:

  RTNETLINK answers: Invalid argument

I also tried:

  tc qdisc change dev eth0 root netem duplicate 1%

and get the same exact Invalid argument response...

Any ideas here?

Thanks!
George

> It sounds like you should simply port your research q_xcp.c to work in the
> more modern versions of tc. That port should be straightforward once you
> understand how the netem_qdisc_util works.
>
> To make debugging easier, you can always link q_xcp.o into the binary at
> build time by adding the appropriate thing to the make file, and compile
> the whole thing with -g so that it is easier to debug.
>
> -Tim Shepard shep@alum.mit.edu

From shashikant.mundlik at gmail.com Mon Apr 17 09:02:20 2006
From: shashikant.mundlik at gmail.com (Shashikant Mundlik)
Date: Mon Apr 17 09:02:13 2006
Subject: [LARTC] Problems in Dead Gateway Detection / Failover - MultipleISP Links
Message-ID: <44433d76.59d0ec0e.62bf.5163@mx.gmail.com>

Hi There,

I am also trying to do the same for my network.
I have two links from different ISPs and I want to configure a failover and load balancing Linux router.

I am facing the same problem here, how to detect link failure and let the Linux box switch the gateway.

I know it works when the first gateway is physically down and not reachable. But what to do if my link is up but there is a problem at nexthop level and it's not routing packets to the destination.

Please tell me if this can be overcome by setting multipath routing.

Another way I can think of doing this is to use a script which will check if the default route is alive every 15 mins and if not it will make changes in the routing table and route the packets through a different link.

I don't know if this is the best way to do this. If anyone knows how to do this better please share.

If you guys think this can work, let's help each other to write such a script.

I am new to LARTC and just now started learning it to solve my network problems.

Please help me to achieve this.

Thanks in advance.

Regards,
Shashikant Mundlik
Pune, India.

From c.purnomo at gmail.com Mon Apr 17 12:56:34 2006
From: c.purnomo at gmail.com (Cahyo Purnomo)
Date: Mon Apr 17 12:56:33 2006
Subject: [LARTC] HTB How To ??
Message-ID: <47eb54d60604170356j3b8dcf51o4c14131547306ab3@mail.gmail.com>

Dear All,

I want to implement bandwidth shaping in my office using HTB, does anybody have a suggestion about the case?

Below are the IP ranges I want to limit:

1. staf (10.0.0.1 - 3) --> limit to 10kbyte/s
2. lab (10.0.0.4 - 6) --> limit to 5kbyte/s
3. bos (10.0.0.7 - 9) --> limit to 20kbyte/s
4. admin (10.0.0.10 - 12) --> no limit

thanks all for your advice

--
Warm Regards,
Cahyo P.
KLAS (Kelompok Linux Arek Suroboyo)
Hi-Tech Mall Jl. Kusuma Bangsa
Surabaya, Jawa Timur

From alessandro.ren at opservices.com.br Mon Apr 17 16:01:12 2006
From: alessandro.ren at opservices.com.br (Alessandro Ren)
Date: Mon Apr 17 16:01:25 2006
Subject: [LARTC] Problems in Dead Gateway Detection / Failover - MultipleISP Links
In-Reply-To: <44433d76.59d0ec0e.62bf.5163@mx.gmail.com>
References: <44433d76.59d0ec0e.62bf.5163@mx.gmail.com>
Message-ID: <44439FA8.3070803@opservices.com.br>

I have a script that connects to 20 different sites on port 80 coming from each link interface I have on my linux router.
If I reach less than 20% of my sites, I assume the link is down and do all the routing and firewall adjustments to make the traffic go to other routes, removing the problematic link, setting ip rules, routes in tables and the main multipath default route and commenting in the firewall the MARKs that would go via the link that's down, and it also sets QoS and tries to bring the link that is down back UP.
Although I've tested with only 3 links, it supports any number of them.
It works very nicely so far.

[]s.

Shashikant Mundlik wrote:
> I am facing same problem here, that how to detect link failure and let
> Linux box switch the gateway.
>
> I know it works when the first gateway is physically down and not
> reachable. But what to do if my link is up but there is problem at
> nexthop level and its not routing packets to destination.

--
Alessandro Ren
OpServices
Luciana de Abreu, 471 - Sala 403
Porto Alegre, RS - CEP 90570-060
phone 55(51)3061-3588
fax 55(51)3061-3588
mobile 55(51)8151-8212
email alessandro.ren@opservices.com.br

From shashikant.mundlik at gmail.com Mon Apr 17 17:10:04 2006
From: shashikant.mundlik at gmail.com (Shashikant Mundlik)
Date: Mon Apr 17 17:10:12 2006
Subject: [LARTC] Problems in Dead Gateway Detection / Failover - MultipleISP Links
In-Reply-To: <44439FA8.3070803@opservices.com.br>
Message-ID: <4443afd2.68a0e4b7.1c72.ffffcad0@mx.gmail.com>

Hi Ren,

Thanks for your help. But how do you check that you reach less than 20 of your sites. (do you mean 20 websites?).
Will you be able to share the script?
That will be great help.

Thanks and regards,

Shashikant Mundlik
System Administrator
UBICS, Pune
Phone: 91 20 2729 1004 x 138
Mobile : 91 9372 044015
www.ubics.com
The UB Group

DISCLAIMER AND PRIVILEGE NOTICE: This e-mail message contains confidential, copyright, proprietary and legally privileged information. It should not be used by anyone who is not the original intended recipient. If you have erroneously received this message, please delete it immediately and notify the sender. The recipient must note and understand that any views expressed in this message are those of the individual sender and no binding nature of the message shall be implied or assumed unless the sender does so expressly with due authority of UBICS, Inc.
From alessandro.ren at opservices.com.br Mon Apr 17 17:16:50 2006
From: alessandro.ren at opservices.com.br (Alessandro Ren)
Date: Mon Apr 17 17:17:10 2006
Subject: [LARTC] Problems in Dead Gateway Detection / Failover - MultipleISP Links
In-Reply-To: <4443afd2.68a0e4b7.1c72.ffffcad0@mx.gmail.com>
References: <4443afd2.68a0e4b7.1c72.ffffcad0@mx.gmail.com>
Message-ID: <4443B162.6030303@opservices.com.br>

I bind to the interface IP and connect to 20 different sites or more, the sites are listed in a text file, using the TCP connect in perl.
Of course, the ip rule tables and the marks in the firewall must be set correctly so you know that the connections are going through the right interface.
I can share the script, it's a little complex in its structure, as it depends on some external scripts, but I will try to share and probably get more and better ideas to do the fail over / multi path routing.
I will prepare and send an email with it shortly.

[]s.

Shashikant Mundlik wrote:
> Thanks for your help. But how do you check that you reach less than 20
> of your sites. (do you mean 20 websites?).
> Will you able to share the script?
> That will be great help.

--
Alessandro Ren
OpServices
Luciana de Abreu, 471 - Sala 403
Porto Alegre, RS - CEP 90570-060
phone 55(51)3061-3588
fax 55(51)3061-3588
mobile 55(51)8151-8212
email alessandro.ren@opservices.com.br

From shashikant.mundlik at gmail.com Mon Apr 17 17:40:42 2006
From: shashikant.mundlik at gmail.com (Shashikant Mundlik)
Date: Mon Apr 17 17:40:47 2006
Subject: [LARTC] Problems in Dead Gateway Detection / Failover - MultipleISP Links
In-Reply-To: <4443B162.6030303@opservices.com.br>
Message-ID: <4443b700.67aae59b.0211.45dc@mx.gmail.com>

Thanks a lot Ren! That will be a great help.

Thanks,
Shashikant Mundlik
Regards,
Shashikant Mundlik
Pune, India.

_____
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

--
__________________________________________________
Alessandro Ren
OpServices
Luciana de Abreu, 471 - Sala 403
Porto Alegre, RS - CEP 90570-060
* phone 55(51)3061-3588
* fax 55(51)3061-3588
* mobile 55(51)8151-8212
* email alessandro.ren@opservices.com.br
__________________________________________________

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060417/86b40094/attachment-0001.html

From gregoriandres at yahoo.com.ar Mon Apr 17 17:59:17 2006
From: gregoriandres at yahoo.com.ar (LinuXKiD)
Date: Mon Apr 17 17:59:21 2006
Subject: [LARTC] Sip Traffic
Message-ID:

Hi.

Is there a way to MARK udp VOIP (SIP) traffic, in order to put it in a highest prio class?

Traffic flow seems to start on udp port 5060, but next both server and client seem to jump to a random(?) port.

I can't use CONNMARK because it is udp traffic.

I only see a pattern for the L7 patch in order to do SIP traffic identification, but I run the 2.4 kernel series.

When you patch a 2.4 kernel with the L7 patch, later, Connmark (patch-o-matic) can't apply (conflicts).

thank you.

--
Andres

From gregoriandres at yahoo.com.ar Mon Apr 17 18:30:40 2006
From: gregoriandres at yahoo.com.ar (LinuXKiD)
Date: Mon Apr 17 18:30:24 2006
Subject: [LARTC] Problems in Dead Gateway Detection / Failover- MultipleISP Links
In-Reply-To: <4443B162.6030303@opservices.com.br>
Message-ID:

Hi,

I've something similar: I cronned a perl script that every 2 minutes checks via ICMP some referential host (for each "default route"). If some route is down, I take it off from the "default routes table".

But I think that making it by TCP connect at port 80 is better.

bests.
andres

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On behalf of Alessandro Ren
Sent: Monday, 17 April 2006 12:17 p.m.
To: smundlik@ubicsindia.com
CC: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Problems in Dead Gateway Detection / Failover- MultipleISP Links

I bind to the interface IP and connect to 20 different sites or more; the sites are listed in a text file, using the TCP connect in perl. Of course, the ip rule tables and the marks in the firewall must be set correctly so you know that the connections are going through the right interface.

I can share the script. It's a little complex in its structure, as it depends on some external scripts, but I will try to share it and probably get more and better ideas to do the fail over / multi path routing. I will prepare and send an email with it shortly.

[]s.

Shashikant Mundlik wrote:

Hi Ren,

Thanks for your help. But how do you check that you reach less than 20 of your sites (do you mean 20 websites?). Will you be able to share the script? That will be a great help.

Thanks and regards,
Shashikant Mundlik
System Administrator
UBICS, Pune
Phone: 91 20 2729 1004 x 138
Mobile: 91 9372 044015
www.ubics.com
The UB Group
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

--
__________________________________________________
Alessandro Ren
OpServices
Luciana de Abreu, 471 - Sala 403
Porto Alegre, RS - CEP 90570-060
* phone 55(51)3061-3588
* fax 55(51)3061-3588
* mobile 55(51)8151-8212
* email alessandro.ren@opservices.com.br
__________________________________________________

From alessandro.ren at opservices.com.br Mon Apr 17 19:11:42 2006
From: alessandro.ren at opservices.com.br (Alessandro Ren)
Date: Mon Apr 17 19:11:55 2006
Subject: [LARTC] Problems in Dead Gateway Detection / Failover - MultipleISP Links
In-Reply-To: <4443b700.67aae59b.0211.45dc@mx.gmail.com>
References: <4443b700.67aae59b.0211.45dc@mx.gmail.com>
Message-ID: <4443CC4E.1020904@opservices.com.br>

So, I will try to explain how all the parts get together, but in any doubt, just ask me:

The main script is check_links_balanced.pl and it runs on the crontab, in my case each minute or 2 minutes. In the beginning of the script there are some setups:

$OPNET_CONF="/usr/local/scripts/opnet.conf";

We have a service that we call OpNet, that's why the OPNET thing; so this is where the configurations for the links are. I will attach my configuration so you can base yours on it, very simple.

$RCFIREWALL="/etc/rc.d/rc.firewall";

Where your firewall script is; the main script needs to check if the firewall is ok and change it if a link goes DOWN or UP.

# hosts file
$HOSTS_FILE="/usr/local/scripts/hosts.txt";

The list of hosts, can be IPs or names.

# logfile
$LOGFILE="/var/log/check_links_balanced.log";

Well, the log file to see how things are going.

# minimal % of hosts that must be UP to consider a link UP
$CRITICAL=30;

So, you have to create an entry for each link in /etc/iproute2/rt_tables using LINK1, LINK2 and so on as the table name for each link that you have. This is important, because everything is connected to the link number, like, LINK1: the firewall mark 1 will send packets to LINK1, will use the configurations of rc.LINK1, will set the wshaper.LINK1 script and so on.

Ok, so you will have a /etc/rc.d/rc.LINKx and /etc/rc.d/wshaper.LINKx for each link; these rc.LINKx will set the routing table LINKx properly and put the link UP, whether it's an ethernet or an ADSL with a PPP interface.

For PPP interfaces, we will have some extra configurations in /etc/ppp, like /etc/ppp/ip-up, that will have to set some routes when the ADSL goes UP: based on the interface, it will set the default route for the table LINKx and set up rules, removing old rules if the IP is dynamic and setting the new one for the new interface IP. In /etc/ppp/peers you must create one configuration for each PPP interface you have, and each one gets a fixed name, using unit x, so I know PPP0 will always be the same ADSL; otherwise linux will choose the number of the PPP interface dynamically, and everything would be lost. I also have one configuration for each PPPOE interface.

The only thing that I can not do yet is work with DHCP interfaces; I still have to see how dhclient can be used to do the same thing as I do with the PPP interfaces.

The firewall has to have the following in mangle:

# here, one for each link with a MARK, in this case
# LINK1 - eth1 - is a cable with fixed IP, and LINK2 is an ADSL
$iptables -A OUTPUT -t mangle -o eth1 -j MARK --set-mark 1
$iptables -A OUTPUT -t mangle -o ppp0 -j MARK --set-mark 2

# CONNMARK PREROUTING
# packets with state invalid can not be used with CONNMARK
$iptables -t mangle -A PREROUTING -j MARK --set-mark 10 -m state --state INVALID
$iptables -t mangle -A PREROUTING -j RETURN -m state --state INVALID

# if the packet belongs to an already known and "tagged" connection
# then copy connmark -> mark and go ahead with routing
$iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
$iptables -t mangle -A PREROUTING -j RETURN -m mark ! --mark 0

# if it is an "untagged" connection and coming from an outside interface
# then save this as connmark and copy connmark -> mark
$iptables -t mangle -A PREROUTING -j CONNMARK --set-mark 1 -i eth1
$iptables -t mangle -A PREROUTING -j CONNMARK --set-mark 2 -i ppp0
$iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark

# CONNMARK POSTROUTING
$iptables -A POSTROUTING -t mangle -m mark ! --mark 0 -j RETURN
$iptables -A POSTROUTING -t mangle -j MARK --set-mark 1 -m state --state NEW -o eth1
$iptables -A POSTROUTING -t mangle -j MARK --set-mark 2 -m state --state NEW -o ppp0
$iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark -m state --state NEW

This will balance the internet access, and you can set some connections to go via a specific link:

# Secure sites always via the same link, to keep integrity
$iptables -A PREROUTING -p tcp -t mangle -s 192.168.0.0/16 --dport 5000 -j MARK --set-mark 1

So here LAN access to port TCP 5000 will always get out via LINK1; when LINK1 is DOWN, the main script will comment this line OUT and run rc.firewall, so these packets will then go through the other links. See, if you have three links, you could do that:

$iptables -A PREROUTING -p tcp -t mangle -s 192.168.0.0/16 --dport 5000 -j MARK --set-mark 3
$iptables -A PREROUTING -p tcp -t mangle -s 192.168.0.0/16 --dport 5000 -j MARK --set-mark 2

I will mark the same packets three times, CPU waste, but the packets would go via LINK2; if LINK2 goes down, they would go via LINK3; if LINK3 and LINK2 go down, the lines get commented and the packets go via the remaining link or links.

In the end of the script you have to have the NAT part:

# NAT eth1
IP=`/usr/local/scripts/get_ip_interface.pl eth1`
$iptables -A POSTROUTING -t nat -m mark --mark 1 -j SNAT --to-source $IP
# NAT ppp0
IP=`/usr/local/scripts/get_ip_interface.pl ppp0`
$iptables -A POSTROUTING -t nat -m mark --mark 2 -j SNAT --to-source $IP

You see that I first get the interface IP, because the IP can change for dynamic links and the NAT must be reset to the new IP.

Well, attached are the main script, the main configuration, the rc.LINKx and wshaper.LINKx that I use for my links, as well as the ADSL configuration that I use here. I know this setup is complex and it took me a long time to get to it. I will answer any questions regarding it to try and help.

I am using kernel 2.6.x and it also works for kernel 2.4.x with the CONNMARK patch. So, I am also attaching the configure.pl script that generates all these configurations; yes, I've made it easy even for me.

You can download the scripts and examples from here: http://www.opservices.com.br/check_links_balanced.tgz

Any help or improvements, let me know.

[]s.

--
__________________________________________________
Alessandro Ren
OpServices
Luciana de Abreu, 471 - Sala 403
Porto Alegre, RS - CEP 90570-060
* phone 55(51)3061-3588
* fax 55(51)3061-3588
* mobile 55(51)8151-8212
* email alessandro.ren@opservices.com.br
__________________________________________________

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060417/bdf8e794/attachment.htm

From andy.furniss at dsl.pipex.com Mon Apr 17 21:03:30 2006
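Added example illustrating the per-link check Alessandro Ren describes above (TCP connect from each link's interface address to a list of probe hosts, link DOWN below $CRITICAL percent); this is not his check_links_balanced.pl. The Link fields, the hosts.txt layout and the sample addresses are assumptions made for the example.

```python
"""Link-health check in the spirit of the check_links_balanced.pl setup above.
Added example, not the poster's script: per uplink, TCP-connect from that
link's own interface address to every host in hosts.txt on port 80 and
call the link DOWN when fewer than CRITICAL percent of the hosts answer.
The Link fields, the hosts file layout and the sample addresses are assumptions."""
import socket
from dataclasses import dataclass

CRITICAL = 30          # minimal % of probe hosts that must be UP to consider a link UP
CONNECT_TIMEOUT = 3.0  # seconds per probe; keep it short, the check runs from cron

# Constructed sample hosts.txt using documentation addresses (RFC 5737 / RFC 2606).
SAMPLE_HOSTS = """# probe targets, one IP or name per line
www.example.com
www.example.net
www.example.org   # trailing comments are allowed
192.0.2.10

198.51.100.7
"""


@dataclass(frozen=True)
class Link:
    name: str      # routing table name from /etc/iproute2/rt_tables, e.g. "LINK1"
    dev: str       # interface, e.g. "eth1" or "ppp0"
    src_ip: str    # interface address, used as the bind() source of the probes
    gateway: str   # nexthop for this link (assumed field; a PPP link uses its peer)
    mark: int      # firewall MARK that steers connections to this link


def load_hosts(text):
    """Parse a hosts.txt: one IP or name per line; '#' comments and blanks ignored."""
    hosts = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            hosts.append(entry)
    return hosts


def tcp_probe(src_ip, host, port=80, timeout=CONNECT_TIMEOUT):
    """True when a TCP handshake to host:port completes with src_ip as source.
    Binding the source address is what makes an 'ip rule from <src_ip> lookup
    LINKx' send the probe out via that link instead of the multipath default."""
    try:
        with socket.create_connection((host, port), timeout=timeout,
                                      source_address=(src_ip, 0)):
            return True
    except OSError:          # refused, timed out, unroutable, DNS failure
        return False


def link_status(link, hosts, probe=tcp_probe, critical=CRITICAL):
    """Probe every host from one link; returns (state, reachable, percent)."""
    reachable = sum(1 for host in hosts if probe(link.src_ip, host))
    percent = 100.0 * reachable / len(hosts) if hosts else 0.0
    state = "UP" if percent >= critical else "DOWN"
    return state, reachable, percent


def evaluate_links(links, hosts, probe=tcp_probe, critical=CRITICAL):
    """Check all links; returns {name: (state, reachable, percent)}."""
    return {link.name: link_status(link, hosts, probe, critical) for link in links}


def failover_plan(links, results):
    """Turn the results into the adjustments described in the thread: the
    multipath default route rebuilt from the links still UP, and the MARKs
    whose PREROUTING rules must be commented out before rc.firewall is re-run."""
    up = [link for link in links if results[link.name][0] == "UP"]
    disable = [link.mark for link in links if results[link.name][0] == "DOWN"]
    if not up:
        route = None   # every link failed: keep the current route rather than black-hole
    elif len(up) == 1:
        route = f"ip route replace default via {up[0].gateway} dev {up[0].dev}"
    else:
        hops = " ".join(f"nexthop via {l.gateway} dev {l.dev} weight 1" for l in up)
        route = f"ip route replace default {hops}"
    return {"default_route": route, "disable_marks": disable}


if __name__ == "__main__":
    # Real run against the network; the link addresses below are placeholders.
    links = [Link("LINK1", "eth1", "198.51.100.10", "198.51.100.1", 1),
             Link("LINK2", "ppp0", "203.0.113.20", "203.0.113.1", 2)]
    results = evaluate_links(links, load_hosts(SAMPLE_HOSTS))
    for name, (state, ok, pct) in results.items():
        print(f"{name}: {state} ({ok} hosts, {pct:.0f}%)")
    print(failover_plan(links, results))
```

The plan is returned as data rather than executed, so the caller can log it and apply the route change and the rc.firewall edit in its own privileged step.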
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Mon Apr 17 21:03:27 2006
Subject: [LARTC] htb overrate with 2.6.16
In-Reply-To: <1145217832.18656.24.camel@indigo.declera.com>
References: <1145095091.18168.26.camel@indigo.declera.com> <1145155073.18168.53.camel@indigo.declera.com> <44428F81.1090604@dsl.pipex.com> <1145217832.18656.24.camel@indigo.declera.com>
Message-ID: <4443E682.2030800@dsl.pipex.com>

Yanko Kaneti wrote:
> On Sun, 2006-04-16 at 19:40 +0100, Andy Furniss wrote:
>> Yanko Kaneti wrote:
>>> On Sun, 2006-04-16 at 03:03 +0100, Andy Furniss wrote:
>>>> Yanko Kaneti wrote:
>>>>> Setting mtu 16500 for the class fixed it. But I wonder where did these
>>>>> giants come from in the first place? The mtu of the interface is and was
>>>>> 1500. Or so ifconfig and ip link tell me. Or this is some other mtu we
>>>>> are talking about...
>>>>
>>>> Hmm I didn't expect that - maybe there is some problem with the nic
>>>> drivers not obeying kernel - is there any tso offload etc. at work here ?
>>>
>>> Yes and its on by default. The interface mtu still says 1500.
>>> I've tried deleting and attaching the qdisc+class (without explicit
>>> large mtu) with both tso on (ethtool -K eth0 tso on) and tso off , it
>>> doesnt seem to matter - giants appear in both cases.
>>> With large mtu for the class no giants with both tso on and off.
>>
>> I think you need to ask fedora or intel driver maintainer about this.
>> AIUI tso is not in vanilla kernels and the patches are quite invasive.
>
> Well, as much as google tells me TSO has been in the kernel and enabled
> since 2.5.33 and e1000 was the first driver to support it.
> The FC4 2.6.16 kernel doesn't have any tso related patches as can be
> seen here http://cvs.fedora.redhat.com/viewcvs/rpms/kernel/FC-4/
>
> Since my immediate problem was solved with the mtu param I plan on
> forgetting about htb and traffic control in general for the time
> being :) Thanks again.
One more thing I just thought - sfq sets its quantum from the dev mtu. While I always thought that the "must be >=mtu" comment in the source was a bit OTT, it still "should" be >= mtu for the drr to be O(1) for cpu work. You can set it explicitly by adding quantum=X on the sfq line. For ethernet X is mtu + 14.

Andy.

From kaber at trash.net Mon Apr 17 21:32:49 2006
From: kaber at trash.net (Patrick McHardy)
Date: Mon Apr 17 21:32:47 2006
Subject: [LARTC] htb overrate with 2.6.16
In-Reply-To: <4443E682.2030800@dsl.pipex.com>
References: <1145095091.18168.26.camel@indigo.declera.com> <1145155073.18168.53.camel@indigo.declera.com> <44428F81.1090604@dsl.pipex.com> <1145217832.18656.24.camel@indigo.declera.com> <4443E682.2030800@dsl.pipex.com>
Message-ID: <4443ED61.80902@trash.net>

Andy Furniss wrote:
>> Well, as much as google tells me TSO has been in the kernel and enabled
>> since 2.5.33 and e1000 was the first driver to support it. The FC4
>> 2.6.16 kernel doesn't have any tso related patches as can be
>> seen here http://cvs.fedora.redhat.com/viewcvs/rpms/kernel/FC-4/
>>
>> Since my immediate problem was solved with the mtu param I plan on
>> forgetting about htb and traffic control in general for the time
>> being :) Thanks again.
>
> One more thing I just thought - sfq sets its quantum from the dev mtu.

One more possibility: current kernels support UDP fragmentation offload (UFO), which has similar effects as TSO. The in-tree e1000 driver doesn't support it, but maybe the fedora one does.

Changes in the fragmentation behaviour of conntrack in 2.6.16 could also be responsible (if you're using it). Can you please post your NAT and marking rules, routing rules etc?

From glenn at ruc.dk Mon Apr 17 22:10:14 2006
From: glenn at ruc.dk (Glenn Moeller-Holst)
Date: Mon Apr 17 22:10:35 2006
Subject: [LARTC] W(RED) curve implementation in Linux DiffServ
Message-ID:

Hi!

I have a Traffic Control/QoS question about the W(RED - Random Early Detection/Discard) curve implementation in the Traffic Control environment.

Is this the right curve for RED - has it been tried to be implemented in the Traffic Control environment?:

An Analytical RED Function Design Guaranteeing Stable System Behavior:
http://www.ist-mobydick.org/publications/aqm_iscc2003.pdf

Quote: "... The resulting function is non-linear and can be described by a polynomial expression. The advantage of this function lies not only in avoiding heavy oscillations but also in avoiding link under-utilization at low loads. The applicability of the derived function is independent of the load range, no parameters are to be adjusted. Compared to the original linear drop function applicability is extended by far. For implementation the shape of the derived function can be approximated with a normalized power function of the queue size. Our example with realistic system parameters gives an approximation function of the cubic of the queue size. The effort to implement the approximated cubic function is not much higher compared to the linear function..."

- RED is mentioned here in the previous 2.4 kernel:
http://www.linuxguruz.com/iptables/howto/2.4routing-14.html

Quote: "... In order to cope with transient congestion on links, backbone routers will often implement large queues. Unfortunately, while these queues are good for throughput, they can substantially increase latency and cause TCP connections to behave very bursty during congestion. ... RED statistically drops packets from flows before it reaches its hard limit. This causes a congested backbone link to slow more gracefully, and prevents retransmit synchronisation. This also helps TCP find its 'fair' speed faster by allowing some packets to get dropped sooner keeping queue sizes low and latency under control. The probability of a packet being dropped from a particular connection is proportional to its bandwidth usage rather than the number of packets it transmits. ..."

thanks,
Glenn Moeller-Holst

From yaneti at declera.com Mon Apr 17 23:02:10 2006
From: yaneti at declera.com (Yanko Kaneti)
Date: Mon Apr 17 23:02:10 2006
Subject: [LARTC] htb overrate with 2.6.16
In-Reply-To: <4443ED61.80902@trash.net>
References: <1145095091.18168.26.camel@indigo.declera.com> <1145155073.18168.53.camel@indigo.declera.com> <44428F81.1090604@dsl.pipex.com> <1145217832.18656.24.camel@indigo.declera.com> <4443E682.2030800@dsl.pipex.com> <4443ED61.80902@trash.net>
Message-ID: <1145307730.7698.12.camel@indigo.declera.com>

On Mon, 2006-04-17 at 21:32 +0200, Patrick McHardy wrote:
> Andy Furniss wrote:
> >> Well, as much as google tells me TSO has been in the kernel and enabled
> >> since 2.5.33 and e1000 was the first driver to support it. The FC4
> >> 2.6.16 kernel doesn't have any tso related patches as can be
> >> seen here http://cvs.fedora.redhat.com/viewcvs/rpms/kernel/FC-4/
> >>
> >> Since my immediate problem was solved with the mtu param I plan on
> >> forgetting about htb and traffic control in general for the time
> >> being :) Thanks again.
> >
> > One more thing I just thought - sfq sets its quantum from the dev mtu.

Riiight. I should have tried without the sfq earlier. Without it this works as expected without an explicit mtu setting for the htb class. And no giants.

# tc qdisc add dev eth0 root handle 1: htb
# tc class add dev eth0 parent 1: classid 1:2 htb rate 2Mbit
# tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 50 fw flowid 1:2

> One more possibility: current kernels support UDP fragmentation offload
> (UFO), which has similar effects as TSO. The in-tree e1000 driver
> doesn't support it, but maybe the fedora one does.

No mention of ufo or e1000 in any of the patches that can be found in the url above.

> Changes in the fragmentation behaviour of conntrack in 2.6.16 could also
> be responsible (if you're using it). Can you please post your NAT and
> marking rules, routing rules etc?

Here are the "interesting" rules where the packets in question pass. Have no rules other than the ones in the mangle table:

mangle OUTPUT -m owner --uid-owner shaped -j userchain
userchain .... -m length --length 512:65535 -j MARK --set-mark 0x32   -> the fw filter

From asparks at doublesparks.net Tue Apr 18 04:12:52 2006
From: asparks at doublesparks.net (Alan Sparks)
Date: Tue Apr 18 04:13:01 2006
Subject: [LARTC] Forwarding connections/packets across interfaces
In-Reply-To: <44442A75.2080900@karan.org>
References: <200604171047.21253.lists@benjamindsmith.com> <302ce8b50604171127w285be4bdl3b689b1877f711d@mail.gmail.com> <200604171327.00549.lists@benjamindsmith.com> <4443FE6C.5030907@karan.org> <444427C0.4020102@karan.org> <44442A75.2080900@karan.org>
Message-ID: <44444B24.8000401@doublesparks.net>

Have an inter-interface routing issue, hoping someone can either throw a clue or point me where I can get one.

This is on a CentOS 3 system. Have interfaces eth0 and eth1. eth0 is connected to the internal network, eth1 to a separate distinct network. The default route on the box is set to the router address on the eth1 network. I have static routes defined to send local network traffic to eth0 and eth0's router.

I have a mail server (and a test program as well) that binds to an address on eth1, and tries to connect to an address on eth0's network. Connections just time out. I've tested connections where I did not bind to a specific interface and I can make the connection.

I've set ip_forward=1, and rp_filter=0 on all interfaces, and still cannot get a connection from eth1's address to something off of eth0's networks. Firewalls are disabled on the host.

Is there additional voodoo that needs to be set to allow traffic to cross from one interface to the other?

Thanks in advance for any advice or pointers. I hope I've made the problem clear enough...
-Alan
--
Alan Sparks, UNIX/Linux Systems Integration and Administration

From martin at linux-ip.net Tue Apr 18 04:36:42 2006
From: martin at linux-ip.net (Martin A. Brown)
Date: Tue Apr 18 04:41:24 2006
Subject: [LARTC] Forwarding connections/packets across interfaces
In-Reply-To: <44444B24.8000401@doublesparks.net>
References: <200604171047.21253.lists@benjamindsmith.com> <302ce8b50604171127w285be4bdl3b689b1877f711d@mail.gmail.com> <200604171327.00549.lists@benjamindsmith.com> <4443FE6C.5030907@karan.org> <444427C0.4020102@karan.org> <44442A75.2080900@karan.org> <44444B24.8000401@doublesparks.net>
Message-ID:

Greetings Alan,

: I have a mail server (and a test program as well) that binds to
: an address on eth1, and tries to connect to an address on eth0's
: network. Connections just time out. I've tested connections
: where I did not bind to a specific interface and I can make the
: connection.
:
: I've set ip_forward=1, and rp_filter=0 on all interfaces, and
: still cannot get a connection from eth1's address to something
: off of eth0's networks. Firewalls are disabled on the host.

Well....I don't think you should need to remove rp_filter unless you are performing policy routing in addition to the simple routing configuration you describe.

: Is there additional voodoo that needs to be set to allow traffic
: to cross from one interface to the other?

Did you pay your semi-annual chicken-sacrificing bill? If not, I may not be able to help you.

OK, seriously, I have just tested exactly this sort of connection on a similarly configured network. It works exactly as you want it to. I'm guessing that you have some packet filter somewhere which is interfering. How would you be able to tell?

First, watch traffic to see if it is ever leaving your router, and watch on your mailserver to see that traffic is arriving:

router# tcpdump -nn -i eth0 host $MAILSERVER_IP
mailserver# tcpdump -nn -i eth0 host $ROUTER_IP_0 or host $ROUTER_IP_1

Now, make those connections from your router (with your TCP testing tool of choice):

router# socat - TCP4:$MAILSERVER_IP:$SERVICE,bind=$eth0_IP
router# nc -vvs $eth1_IP $MAILSERVER_IP $SERVICE

If you don't see any traffic leaving your router, is it possible that you have a strange POSTROUTING rule which does not refer to the output interface?

Good luck,

-Martin

--
Martin A. Brown
http://linux-ip.net/

From asparks at doublesparks.net Tue Apr 18 05:28:22 2006
From: asparks at doublesparks.net (Alan Sparks)
Date: Tue Apr 18 05:28:32 2006
Subject: [LARTC] Forwarding connections/packets across interfaces
In-Reply-To:
References: <200604171047.21253.lists@benjamindsmith.com> <302ce8b50604171127w285be4bdl3b689b1877f711d@mail.gmail.com> <200604171327.00549.lists@benjamindsmith.com> <4443FE6C.5030907@karan.org> <444427C0.4020102@karan.org> <44442A75.2080900@karan.org> <44444B24.8000401@doublesparks.net>
Message-ID: <44445CD6.1050406@doublesparks.net>

Martin A. Brown wrote:
> Did you pay your semi-annual chicken-sacrificing bill? If not, I
> may not be able to help you.
>

That bill is paid, but my ticket on the clue train isn't... An hour after I wrote that, I realized there's no return path for packets. At least to that source address. Have a potential solution working using SNAT.

Thanks for indulging me.
-Alan
--
Alan Sparks, UNIX/Linux Systems Integration and Administration

From sandu.andrei at gmail.com Tue Apr 18 08:30:18 2006
From: sandu.andrei at gmail.com (Andrei Sandu)
Date: Tue Apr 18 08:30:17 2006
Subject: [LARTC] Route cache
Message-ID:

Hi,

I have a P4 @ 3Ghz router running Debian. It shapes traffic (about 500-600 classes), has about 1000 iptables rules, and it does BGP too, so I get about 1300+ routes in the routing table. The problem is the load is too high on this system. I found a solution to my problem, turning off the route cache, but I don't know how to implement it. I was wondering if anyone found a way to disable the route caching system inside the kernel, to improve router performance in high traffic conditions.

Thanks

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060418/bf55e02b/attachment.html

From william.bohannan at spidersat.net Tue Apr 18 11:14:38 2006
From: william.bohannan at spidersat.net (William Bohannan)
Date: Tue Apr 18 11:15:53 2006
Subject: [LARTC] Sip Traffic
In-Reply-To:
Message-ID: <005d01c662c8$8770dda0$0802a8c0@ACCSSWILLIAM>

Hi

I am pretty much a newbie. I found with sip, if I match ports 5060 and 10000 - 20000 it works; I noticed on some phones they use 13000 - 14000 and others use 18000 - 19000. There is a new sip-conntrack out, although I haven't tried it yet.

william

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of LinuXKiD
Sent: 17 April 2006 15:59
To: lartc
Subject: [LARTC] Sip Traffic

Hi.

Is there a way to MARK udp VOIP (SIP) traffic, in order to put it in a highest prio class?

Traffic flow seems to start on udp port 5060, but next both server and client seem to jump to a random(?) port.

I can't use CONNMARK because it is udp traffic.

I only see a pattern for the L7 patch in order to do SIP traffic identification, but I run the 2.4 kernel series.

When you patch a 2.4 kernel with the L7 patch, later, Connmark (patch-o-matic) can't apply (conflicts).

thank you.
--
Andres
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From gregoriandres at yahoo.com.ar Tue Apr 18 12:45:29 2006
From: gregoriandres at yahoo.com.ar (LinuXKiD)
Date: Tue Apr 18 12:45:27 2006
Subject: [LARTC] Sip Traffic
In-Reply-To: <005d01c662c8$8770dda0$0802a8c0@ACCSSWILLIAM>
Message-ID:

mmm... interesting....

http://sipx-wiki.calivia.com/index.php/HowTo_configure_iptables

ip_conntrack_sip

Has someone tried it? Does it work on the 2.4 kernel series?

thanks

->
->
-> Hi I am pretty much a newbie, I found with sip if I match ports 5060 and
-> 10000 - 20000 it works I noticed on some phones they use 13000 - 14000 and
-> others use 18000 - 19000. there is a new sip-conntrack out although I
-> haven't tried it yet.
->
-> william
->
-> -----Original Message-----
->
From andy.furniss at dsl.pipex.com Tue Apr 18 13:25:06 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Tue Apr 18 13:25:02 2006
Subject: [LARTC] htb overrate with 2.6.16
In-Reply-To: <1145307730.7698.12.camel@indigo.declera.com>
References: <1145095091.18168.26.camel@indigo.declera.com> <1145155073.18168.53.camel@indigo.declera.com> <44428F81.1090604@dsl.pipex.com> <1145217832.18656.24.camel@indigo.declera.com> <4443E682.2030800@dsl.pipex.com> <4443ED61.80902@trash.net> <1145307730.7698.12.camel@indigo.declera.com>
Message-ID: <4444CC92.4090901@dsl.pipex.com>

Yanko Kaneti wrote:
>>> One more thing I just thought - sfq sets its quantum from the dev mtu.
>
> Riiight. I should have tried without the sfq earlier. Without it this
> works as expected without explicit mtu setting for the htb class. And no
> giants.
>
> # tc qdisc add dev eth0 root handle 1: htb
> # tc class add dev eth0 parent 1: classid 1:2 htb rate 2Mbit
> # tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 50 fw flowid 1:2

I wouldn't have expected that to make any difference to the giants.

Looking again at your stats -

Sent 189796883 bytes 20626 pkt (dropped 0, overlimits 0 requeues 0)
rate 3484Kbit 45pps backlog 0b 0p requeues 0
lended: 20627 borrowed: 0 giants: 30926
tokens: -9768 ctokens: -9768

The giants count is higher than the packet count so now I am really confused.

Andy.

From andy.furniss at dsl.pipex.com Tue Apr 18 13:36:24 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Tue Apr 18 13:36:21 2006
Subject: [LARTC] htb overrate with 2.6.16
In-Reply-To: <4444CC92.4090901@dsl.pipex.com>
References: <1145095091.18168.26.camel@indigo.declera.com> <1145155073.18168.53.camel@indigo.declera.com> <44428F81.1090604@dsl.pipex.com> <1145217832.18656.24.camel@indigo.declera.com> <4443E682.2030800@dsl.pipex.com> <4443ED61.80902@trash.net> <1145307730.7698.12.camel@indigo.declera.com> <4444CC92.4090901@dsl.pipex.com>
Message-ID: <4444CF38.4040008@dsl.pipex.com>

Andy Furniss wrote:
> Looking again at your stats -
>
> Sent 189796883 bytes 20626 pkt (dropped 0, overlimits 0 requeues 0)
> rate 3484Kbit 45pps backlog 0b 0p requeues 0
> lended: 20627 borrowed: 0 giants: 30926
> tokens: -9768 ctokens: -9768
>
> The giants count is higher than the packet count so now I am really
> confused.

Doh - I suppose that's just the way HTB counts, so you add them together.

Andy.

From andy.furniss at dsl.pipex.com Tue Apr 18 15:05:31 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Tue Apr 18 15:05:40 2006
Subject: [LARTC] htb overrate with 2.6.16
In-Reply-To: <4444CF38.4040008@dsl.pipex.com>
References: <1145095091.18168.26.camel@indigo.declera.com> <1145155073.18168.53.camel@indigo.declera.com> <44428F81.1090604@dsl.pipex.com> <1145217832.18656.24.camel@indigo.declera.com> <4443E682.2030800@dsl.pipex.com> <4443ED61.80902@trash.net> <1145307730.7698.12.camel@indigo.declera.com> <4444CC92.4090901@dsl.pipex.com> <4444CF38.4040008@dsl.pipex.com>
Message-ID: <4444E41B.8030305@dsl.pipex.com>

Andy Furniss wrote:
> Andy Furniss wrote:
>
>> Looking again at your stats -
>>
>> Sent 189796883 bytes 20626 pkt (dropped 0, overlimits 0 requeues 0)
>> rate 3484Kbit 45pps backlog 0b 0p requeues 0
>> lended: 20627 borrowed: 0 giants: 30926
>> tokens: -9768 ctokens: -9768
>>
>> The giants count is higher than the packet count so now I am really
>> confused.
>
> Doh - I suppose that's just the way HTB counts so you add them together.

LOL - Third try, testing on lo which is confusing and maybe misleading but it looks like the giants count gets doubled up but the packet count doesn't.

Andy.

From chentschel at arnet.com.ar Tue Apr 18 15:33:26 2006
From: chentschel at arnet.com.ar (chentschel@arnet.com.ar)
Date: Tue Apr 18 15:40:21 2006
Subject: [LARTC] Sip Traffic
Message-ID: <200604181333.k3IDXQ524083@webserver5.arnet.com.ar>

Message quoted from LinuXKiD:
>
> mmm... interesting.... :)

indeed..

> Someone has tried it ?

I suppose, i have received very good feedback about it.

> works on 2.4 kernel series ?

Only > 2.6.11. (rusty newnat api)

BTW, using the "helper" extension in IPTABLES is possible to mark sip related traffic easily

> thanks

Cheers.

From ard at kwaak.net Tue Apr 18 20:59:42 2006
From: ard at kwaak.net (Ard van Breemen)
Date: Tue Apr 18 20:59:44 2006
Subject: [LARTC] Route cache
Message-ID: <20060418185942.GH12627@kwaak.net>

Hi,

On Tue, Apr 18, 2006 at 09:30:18AM +0300, Andrei Sandu wrote:
> I have a P4 @ 3Ghz router running Debian. It shapes traffic ( about
> 500-600 classes ), about 1000 iptables rules, and it does BGP too, so i get
> about 1300+ routes in the routing table. The problem is the load is too high on

That's not so much:

avb@YYY:~$ ip ro sh|wc -l
188583

Yes, that's the internet with peering and all...

> this system. I found a solution to my problem, turning off the route cache,
> but i dont know how to implement it,

You realise that your solution doesn't really sound good? ;-)

> I was wondering if anyone found a way to disable the route caching system
> inside the kernel, to improve router performance in high traffic conditions.

Again: turning off route caching really does not sound good. Especially if you have different routes. What you need to do is increase your cache thresholds...

ard@XXX(master):~$ ip ro sh cache|wc -l
41180

This system does a lot of traffic, and it still is cleaning its nose.

Depending on where your system is, you should put stuff into your sysctl.conf:

net/ipv4/neigh/default/gc_thresh1=8192
net/ipv4/neigh/default/gc_thresh2=16384
net/ipv4/neigh/default/gc_thresh3=32768
net/ipv4/route/gc_elasticity=8
net/ipv4/route/gc_interval=30
net/ipv4/route/gc_min_interval=2
net/ipv4/route/gc_thresh=?
etc...

Anyway: I don't think that routing is really your issue. Maybe you should look into optimising the shaping and/or iptables ruleset.

ard@XXX(master):~$ sudo iptables -L -n|wc -l
2166
ard@XXX(master):~$ sudo iptables -L -n -t nat|wc -l
192

etc...

And of course, the BIG question: did you do a:

insmod ip_conntrack hashsize=4194304

? Having a small hashsize for the connection tracking table is of course the biggest problem for most users.

-- 
begin  LOVE-LETTER-FOR-YOU.txt.vbs
I am a signature virus. Distribute me until the bitter end

From arik.funke at gmx.de Wed Apr 19 01:47:37 2006
From: arik.funke at gmx.de (Arik Raffael Funke)
Date: Wed Apr 19 01:55:02 2006
Subject: [LARTC] Matching with Layer7 vs. IPP2P
Message-ID: 

Hi,

can anybody comment on the cost of matching with IPP2P vs. Layer7.

Also, does a iptables rule with more complicated matching mechanism also slow down processing if all the packets are matched before they reach the rule. I.e. is the mere existence of a potentially costly rule already slowing down processing or only if packets are actually processed by it?

Thanks very much in advance.

Best regards,
Arik

From jandre at megaserve.net Wed Apr 19 09:35:37 2006
From: jandre at megaserve.net (Jandre Olivier)
Date: Wed Apr 19 09:23:47 2006
Subject: [LARTC] Matching with Layer7 vs. IPP2P
In-Reply-To: 
References: 
Message-ID: <4445E849.1040608@megaserve.net>

I was just about to post the same post,

I currently use ipp2p and it works pretty well. It just doesn't seem to track morpheous (fasttrack) protocols, otherwise it works pretty well. I have quite a lot of connections and haven't seen any performance issues. My next step is to add L7 as well with ipp2p to completely block/shape p2p.

However I find L7 a bit more tricky than ipp2p to compile.
Cannot comment on L7.

J

Arik Raffael Funke wrote:
> Hi,
>
> can anybody comment on the cost of matching with IPP2P vs. Layer7.
>
> Also, does a iptables rule with more complicated matching mechanism also
> slow down processing if all the packets are matched before they reach
> the rule. I.e. is the mere existence of a potentially costly rule
> already slowing down processing or only if packets are actually
> processed by it?
>
> Thanks very much in advance.
>
> Best regards,
> Arik
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

-- 
localhost@localdomain.za.net

From gnychis at cmu.edu Wed Apr 19 15:55:51 2006
From: gnychis at cmu.edu (George Nychis)
Date: Wed Apr 19 15:56:15 2006
Subject: [offlist] Re: [LARTC] how to do probabilistic packet loss in kernel?
In-Reply-To: 
References: <4902.128.2.140.224.1145227461.squirrel@128.2.140.224> <4442E319.50309@cmu.edu> <2959.128.237.238.138.1145242426.squirrel@128.237.238.138>
Message-ID: <44464167.40702@cmu.edu>

Hey Martin,

I was able to do it with netem and it's working great now.

I've actually moved on to another challenge, I would like to drop packets at the hardware level such as to see rate control. Because when netem drops a packet, TCP responds, however the lower level card will not interact because it never sees the loss.

What I want to do is somehow cause the card to send a corrupted packet based on a probability, or not send the packet but make it think that it did.

I'm using madwifi and I've found in the code where it does rate control and sends out the data, so I'm hoping to make this happen, but having troubles!

So if anyone else has any ideas on how to get rate control interactive packet loss, I'd love it.

- George

Martin A. Brown wrote:
> Hello George,
>
> Unfortunately, I cannot answer your most recent question. I'm
> hoping that Stephen Hemminger can answer your question. He is
> subscribed to the LARTC list, is also the author of netem and
> seems to be a smart cookie.
>
> Good luck,
>
> -Martin

From arik.funke at gmx.de Wed Apr 19 20:14:18 2006
From: arik.funke at gmx.de (Arik Raffael Funke)
Date: Wed Apr 19 20:14:52 2006
Subject: [LARTC] Re: Matching with Layer7 vs. IPP2P
In-Reply-To: <4445E849.1040608@megaserve.net>
References: <4445E849.1040608@megaserve.net>
Message-ID: 

L7 compiled fine on Fedora Core 4 with kernel 2.6.12.6 with following procedure:

1. patched kernel sources with ipp2p using patch-o-matic-ng
2. patched kernel with the patch file from l7
3. patched iptables-1.3.5 with l7
4. make/install iptables
5. make/install kernel

I had to adjust the destination directories for iptables to fit Fedora's convention.

Best regards,
Arik

Jandre Olivier wrote:
> I was just about to post the same post,
>
> I currently use ipp2p and it works pretty well, It just doesnt seem to
> track morpheous(fasttrack) protocols, otherwise it works pretty well. I
> have quite alot of connections and havent seen any performance issues.
> My next step is to add L7 as well with ipp2p to completely block/shape p2p.
>
> However I find L7 bit more tricky than ipp2p to compile
> Cannot comment on L7
>
> J
>
> Arik Raffael Funke wrote:
>> Hi,
>>
>> can anybody comment on the cost of matching with IPP2P vs. Layer7.
>>
>> Also, does a iptables rule with more complicated matching mechanism
>> also slow down processing if all the packets are matched before they
>> reach the rule. I.e. is the mere existence of a potentially costly
>> rule already slowing down processing or only if packets are actually
>> processed by it?
>>
>> Thanks very much in advance.
>>
>> Best regards,
>> Arik

From gregoriandres at yahoo.com.ar Wed Apr 19 20:33:00 2006
From: gregoriandres at yahoo.com.ar (LinuXKiD)
Date: Wed Apr 19 20:32:59 2006
Subject: [LARTC] Re: Matching with Layer7 vs. IPP2P
In-Reply-To: 
Message-ID: 

Ok

How match hosts ?

How is your FC4 performance with that settings ?

bests
andres.

->
-> L7 compiled fine on Fedora Core 4 with kernel 2.6.12.6 with following
-> procedure:
-> 1. patched kernel sources with ipp2p using patch-o-matic-ng
-> 2. patched kernel with the patch file from l7
-> 3. patched iptables-1.3.5 with l7
-> 4. make/install iptables
-> 5. make/install kernel
->
-> I had to adjust the destination directories for iptables to fit Fedora's
-> convention.
->
-> Best regards,
-> Arik
->
-> Jandre Olivier wrote:
-> > I was just about to post the same post,
-> >
-> > I currently use ipp2p and it works pretty well, It just doesnt seem to
-> > track morpheous(fasttrack) protocols, otherwise it works pretty well. I
-> > have quite alot of connections and havent seen any performance issues.
-> > My next step is to add L7 as well with ipp2p to completely block/shape p2p.
-> >
-> > However I find L7 bit more tricky than ipp2p to compile
-> > Cannot comment on L7
-> >
-> > J
-> >
-> > Arik Raffael Funke wrote:
-> >> Hi,
-> >>
-> >> can anybody comment on the cost of matching with IPP2P vs. Layer7.
-> >>
-> >> Also, does a iptables rule with more complicated matching mechanism
-> >> also slow down processing if all the packets are matched before they
-> >> reach the rule. I.e. is the mere existence of a potentially costly
-> >> rule already slowing down processing or only if packets are actually
-> >> processed by it?
-> >>
-> >> Thanks very much in advance.
-> >>
-> >> Best regards,
-> >> Arik

From sewlist at gmail.com Thu Apr 20 10:14:42 2006
From: sewlist at gmail.com (the sew)
Date: Thu Apr 20 10:14:41 2006
Subject: [LARTC] pppoe question
Message-ID: 

Hi There,

sorry if this is a stupid question or does not belong to this forum.

I've set my DEFROUTE=no in my ifcfg-ppp0 and when I bring the ppp0 up, it deletes my old default load balance routes which I do not want, as I just want the interface to be up, but not touching my default routes.

any advice

Thanks

SEW

From rani79 at idm.net.lb Thu Apr 20 10:38:25 2006
From: rani79 at idm.net.lb (Rani Ahmed)
Date: Thu Apr 20 10:38:24 2006
Subject: [LARTC] Shaping per IP in PPPoE borrowing or sharing Uplink or Downlink
In-Reply-To: <2075.217.79.89.183.1145090366.squirrel@217.79.89.183>
References: <443FB946.6050205@idm.net.lb> <2075.217.79.89.183.1145090366.squirrel@217.79.89.183>
Message-ID: <44474881.7010100@idm.net.lb>

thanks for your help. but i am not that much used to tc. i use tcng. so how should i write that in tcng?

Anton Glinkov wrote:
> If they are all on the same ethernet device, you can match them with:
> tc filter add dev ${DEVICE} parent 1: protocol all u32 \
> match u16 0x8864 0xFFFF at -2 flowid 1:${ID}
>
> 8864 is the PPP session ethernet protocol
>
> you can play around with u32 if you want to match tos or ports and stuff..
>
>> helo again. I think this question i am asking is worth:
>>
>> we know that pppoe-server creates a pppX device on each connection done
>> to it.
>> So, when i have to shape, i have to shape each pppX connection device on
>> itself alone.
>> What i know is that the borrowing method on one device by itself, e.g.
>> ppp0, alone using HTB or the like. this means that i have to create for
>> another device, e.g. ppp1, its own HTB or CBQ tree.
>>
>> So, how can i in PPPoE technology setup sharing or borrowing between all
>> the pppX devices so it won't let network starvation problem float on
>> surface?
>>
>> Thanks.

From mailinglists at lucassen.org Thu Apr 20 11:18:05 2006
From: mailinglists at lucassen.org (richard lucassen)
Date: Thu Apr 20 11:18:07 2006
Subject: [LARTC] per connection shaping
Message-ID: <20060420111805.019f2398.mailinglists@lucassen.org>

Is there a qdisc that allows a per connection maximization? E.g.: bandwidth 1Mb, four sessions RDP and a per session limit of 250kb

R.

-- 
It is better to remain silent and be thought a fool, than to speak aloud and remove all doubt.

Richard Lucassen, Utrecht
Public key and email address: http://www.lucassen.org/mail-pubkey.html

From alessandro.ren at opservices.com.br Thu Apr 20 15:17:11 2006
From: alessandro.ren at opservices.com.br (Alessandro Ren)
Date: Thu Apr 20 15:17:27 2006
Subject: [LARTC] pppoe question
In-Reply-To: 
References: 
Message-ID: <444789D7.6080204@opservices.com.br>

Yes, edit the script adsl-connect, probably in /sbin, and remove the route del command; better, just comment it out.
I had the same problem and that solved it.

[]s.

the sew wrote:
> Hi THere,
>
> sorry if this is a stupid question or does not belong to this forum.
>
> I've set my DEFROUTE=no in my ifcfg-ppp0 and when I bring the ppp0
> up, it deletes my old default load balance routes which I do not want,
> as I just want the interface to be up, but not touching my default
> routes
>
> any advice
>
> Thanks
>
> SEW

-- 
Alessandro Ren
OpServices
Luciana de Abreu, 471 - Sala 403
Porto Alegre, RS - CEP 90570-060
phone 55(51)3061-3588
fax 55(51)3061-3588
mobile 55(51)8151-8212
email alessandro.ren@opservices.com.br

From sewlist at gmail.com Thu Apr 20 15:26:53 2006
From: sewlist at gmail.com (the sew)
Date: Thu Apr 20 15:26:50 2006
Subject: [LARTC] Re: pppoe question
In-Reply-To: <444789D7.6080204@opservices.com.br>
References: <444789D7.6080204@opservices.com.br>
Message-ID: 

ah thanks so much!!

Sew

On 4/20/06, Alessandro Ren wrote:
>
> Yes, edit the script adsl-connect problably in in /sbin and remove
> the route del command, better, just comment it out.
> I had the same poblem and that solved it.
>
> []s.
>
> the sew wrote:
> > Hi THere,
> >
> > sorry if this is a stupid question or does not belong to this forum.
> >
> > I've set my DEFROUTE=no in my ifcfg-ppp0 and when I bring the ppp0
> > up, it deletes my old default load balance routes which I do not want,
> > as I just want the interface to be up, but not touching my default
> > routes
> >
> > any advice
> >
> > Thanks
> >
> > SEW
>
> --
> Alessandro Ren
> OpServices
> Luciana de Abreu, 471 - Sala 403
> Porto Alegre, RS - CEP 90570-060
> phone 55(51)3061-3588
> fax 55(51)3061-3588
> mobile 55(51)8151-8212
> email alessandro.ren@opservices.com.br

From ron.braley at berbee.com Thu Apr 20 18:18:32 2006
From: ron.braley at berbee.com (Braley, Ron)
Date: Thu Apr 20 18:18:40 2006
Subject: [LARTC] EBTables, iproute, etc.
Message-ID: <74F2EC4F6261A140AFDBC3661C4672A7447E80@CTG-MSNEXC01.staff.berbee.com>

Good morning,

I'm writing to ask for collaboration in finding an improvement to a particular process.

Today: To get traffic for our IDS sensors and a billing system, we collect everything at our core switches (2) by connecting a SPAN port from each switch to a server (so, 2 interfaces collecting traffic). That server changes the destination MAC address on all traffic to that of another server running iproute and sends it out a third interface. The server running iproute collects the traffic on one interface, and sends traffic to different sub interfaces depending on the network; a switch connected to the outgoing traffic allows connection of the IDS sensors, billing system, etc.

The challenge: I'd like to be able to do one of the following:

1. Just run iproute, having it take the traffic from the SPAN ports and policy route without having to have the first server change destination MAC addresses.
   a. Can iproute do policy routing on traffic not destined for it in the first place (i.e. by having the interfaces in promiscuous mode)?
   b. If not, then does iproute contain functionality that would allow it to sense all traffic and change the destination MAC address or IP address?

2. Have EBTables and iproute running on the same box if #1 above isn't possible.
   a. Can we do this without having to have more interfaces in the box, connected to each other with crossover cables?

Thanks in advance for offering feedback or suggestions regarding what we hope to do.

Ron

From manish at tuxspace.com Fri Apr 21 03:48:58 2006
From: manish at tuxspace.com (Manish Kathuria)
Date: Fri Apr 21 03:49:13 2006
Subject: [LARTC] Problems in Dead Gateway Detection / Failover - Multiple ISP Links
References: <43D8CEAE.3010006@tuxspace.com>
Message-ID: <44483A0A.50107@tuxspace.com>

Eduardo Fernández wrote:
> Hi!
>
> Did you finally write a script for dead gateway detection beyond first
> hop? Did you find any other solution to this problem? I'm quite
> interested and I bet other multipath users here are interested too.
>
> My linux router has 10 dsl links (adding 15 more in short), when one
> of the dsl routers goes down the kernel does not always notice. Don't
> know why. Also, if a dsl route is up but the internet link is down
> dead gateway detection doesn't work either.
>
> Thanks!
>
> Edu

If you follow the nano.txt procedure and apply the patches, it works perfectly as long as the first hop is dead. But to ensure failover when connectivity goes down at any of the hops, you can use the nano.txt for configuring the interfaces and multipath routes (call it default configuration) and also run a script in the background to modify the routes as described below.

1. Periodically keep on checking if a remote host is reachable from each of the gateways by pinging it after every n seconds.

2. If the remote host is not reachable after a number of tries (which you can decide according to your own specific situation) from a particular gateway, remove that route. If you have just two internet links, there would be only one gateway left. But if you have more than two links alive you can again define multipath routes with appropriate weights for the active gateways. The possible combinations will increase exponentially with the increase in number of internet links so you will have to factor in all the cases in the script.

3. Restore the default configuration when the remote host is reachable from all the gateways.

I am not too sure how it's going to behave with 10 links because if the links are not so stable it will result in very frequent changes.

-- 
Manish Kathuria
http://www.tuxspace.com/

From ranmakun at arnet.com.ar Fri Apr 21 04:19:18 2006
From: ranmakun at arnet.com.ar (Francisco)
Date: Fri Apr 21 04:19:08 2006
Subject: [LARTC] Sip Traffic
In-Reply-To: 
References: 
Message-ID: <200604202319.19042.ranmakun@arnet.com.ar>

L7 filter works very well too:
http://l7-filter.sourceforge.net/

Although I didn't try it with sip, I use it to control my P2P and server applications and have a very usable ADSL link at almost 100% utilization of my upstream.

On Tuesday, 18 April 2006 07:45, LinuXKiD wrote:
> mmm... intresting....
>
> http://sipx-wiki.calivia.com/index.php/HowTo_configure_iptables
>
> ip_conntrack_sip
>
> Someone has tried it ?
>
> works on 2.4 kernel series ?
>
> thanks
>
> ->
> -> Hi I am pretty much a newbie, I found with sip if I match ports 5060 and
> -> 10000 - 20000 it works I noticed on some phones the use 13000 - 14000 and
> -> others use 18000 - 19000. there is a new sip-contrack out although I
> -> haven't tried it yet.
> ->
> -> william
> ->
> -> -----Original Message-----
> -> From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl]
> -> On Behalf Of LinuXKiD
> -> Sent: 17 April 2006 15:59
> -> To: lartc
> -> Subject: [LARTC] Sip Traffic
> ->
> -> Hi.
> ->
> -> there is a way to MARK udp VOIP (SIP) traffic,
> -> in order to put in a highest prio class ?
> ->
> -> Traffic flow seems start on udp 5060 port, but
> -> next both server and client seems jump to a
> -> random(?) port.
> ->
> -> I can't use CONNMARK because is udp traffic.
> ->
> -> I only see a pattern for L7 patch in order to
> -> SIP traffic identification , but I run 2.4
> -> kernel series .
> ->
> -> When you patch 2.4 kernel with L7 patch,
> -> later, Connmark (patch o matic ) can't apply.
> -> (conflicts)
> ->
> -> thank you.
> -> --
> -> Andres

From jasonb at edseek.com Fri Apr 21 04:25:01 2006
From: jasonb at edseek.com (Jason Boxman)
Date: Fri Apr 21 04:25:09 2006
Subject: [LARTC] Sip Traffic
In-Reply-To: <200604202319.19042.ranmakun@arnet.com.ar>
References: <200604202319.19042.ranmakun@arnet.com.ar>
Message-ID: <200604202225.01313.jasonb@edseek.com>

On Thursday 20 April 2006 22:19, Francisco wrote:
> L7 filter works very well too:
> http://l7-filter.sourceforge.net/
>
> Although I didn't try it with sip, I use it to control my P2P and server
> applications and have a very usable ADSL link at almost 100% utilization of
> my upstream.

Does any of that include eMule traffic? I stopped having success with eMule protocols and L7 a year or two ago and the pattern hasn't been updated in ages.

-- 
Jason Boxman
http://edseek.com/ - Linux and FOSS stuff

From gnychis at cmu.edu Fri Apr 21 21:24:43 2006
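The three-step probe-and-rebuild procedure in Manish Kathuria's dead-gateway reply above, as an added POSIX sh example that is not from his post or from nano.txt. The link table, gateway addresses, interface names, probe host and failure threshold are constructed placeholders, and the probe assumes per-link source rules (as nano.txt sets up) so that a ping sent out of one interface is answered over the same link.

```shell
#!/bin/sh
# Added example, not from the list post or from nano.txt: probe each ISP
# gateway, drop links that fail repeatedly, and rebuild the default route
# from whatever is still alive (steps 1-3 of the procedure above).

# Constructed link table, one link per line: "name gateway interface weight".
# Addresses and interface names are placeholders.
GATEWAYS="isp1 192.0.2.1 eth1 1
isp2 198.51.100.1 eth2 1
isp3 203.0.113.1 eth3 2"

PROBE_HOST="192.0.2.100"   # placeholder: a host that should answer over every link
TRIES=3                    # consecutive failed probes before a link counts as dead
INTERVAL=10                # seconds between probe rounds

# probe_gateway IFACE: one ping out of IFACE to PROBE_HOST, exit 0 on reply.
# Assumes per-link source rules (as nano.txt sets up) so the reply comes back
# over the same link rather than over the current default route.
probe_gateway() {
    ping -c 1 -W 2 -I "$1" "$PROBE_HOST" </dev/null >/dev/null 2>&1
}

# build_route_cmd "isp1=up isp2=down ...": print the ip route command that
# matches the live links.  One live link gets a plain default route, several
# get a multipath route with their weights; with none alive print "none" and
# return 1 so the caller leaves the current route untouched.
build_route_cmd() {
    states=$1
    alive=0
    hops=""
    single=""
    while read -r name gw dev weight; do
        case " $states " in
            *" $name=up "*)
                alive=$((alive + 1))
                hops="$hops nexthop via $gw dev $dev weight $weight"
                single="via $gw dev $dev"
                ;;
        esac
    done <<EOF
$GATEWAYS
EOF
    case $alive in
        0) echo "none"; return 1 ;;
        1) echo "ip route replace default $single" ;;
        *) echo "ip route replace default scope global$hops" ;;
    esac
}

# monitor_loop: round after round, declare a link down only after TRIES
# failures in a row (step 2) and apply a new route only when the set of live
# links changed; every link answering again restores the full multipath
# route, i.e. the default configuration (step 3).
monitor_loop() {
    last=""
    while :; do
        states=""
        while read -r name gw dev weight; do
            if probe_gateway "$dev"; then
                eval "fails_$name=0"
                states="$states $name=up"
            else
                eval "fails_$name=\$((\${fails_$name:-0} + 1))"
                eval "n=\$fails_$name"
                if [ "$n" -ge "$TRIES" ]; then
                    states="$states $name=down"
                else
                    states="$states $name=up"   # not yet declared dead
                fi
            fi
        done <<EOF
$GATEWAYS
EOF
        if cmd=$(build_route_cmd "$states") && [ "$cmd" != "$last" ]; then
            echo "$cmd"
            $cmd
            last=$cmd
        fi
        sleep "$INTERVAL"
    done
}

# Run the loop only when invoked as "script.sh run"; otherwise the file just
# defines the functions so build_route_cmd can be exercised on its own.
if [ "${1:-}" = "run" ]; then
    monitor_loop
fi
```

With more links the number of up/down combinations grows as the post warns, but because the route command is built from the live set rather than enumerated per case, the script does not need a branch per combination.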
From: gnychis at cmu.edu (George Nychis)
Date: Fri Apr 21 06:53:59 2006
Subject: [LARTC] any alternative to netem drop? slow
In-Reply-To: <200604202225.01313.jasonb@edseek.com>
References: <200604202319.19042.ranmakun@arnet.com.ar> <200604202225.01313.jasonb@edseek.com>
Message-ID: <4449317B.5020300@cmu.edu>

Hi,

I was wondering if there is any alternative to netem drop probability... the reason I ask is that whenever I turn it on I get about 500KB/sec less throughput with 0% packet loss

The caveat is that it must work with 2.4.32 :)

Thanks!
George

Jason Boxman wrote:
> On Thursday 20 April 2006 22:19, Francisco wrote:
>
>> L7 filter works very well too:
>> http://l7-filter.sourceforge.net/
>>
>> Although I didn't try it with sip, I use it to control my P2P and server
>> applications and have a very usable ADSL link at almost 100% utilization of
>> my upstream.
>
> Does any of that include eMule traffic? I stopped having success with eMule
> protocols and L7 a year or two ago and the pattern hasn't been updated in
> ages.

From coricim at gmail.com Fri Apr 21 09:24:32 2006
From: coricim at gmail.com (Marius Corici)
Date: Fri Apr 21 09:24:31 2006
Subject: [LARTC] Sip Traffic
In-Reply-To: <200604202319.19042.ranmakun@arnet.com.ar>
References: <200604202319.19042.ranmakun@arnet.com.ar>
Message-ID: <2abc33350604210024r6733b223w139ed78b578789af@mail.gmail.com>

About SIP: the traffic does not "jump" at a random port, it is another type of traffic that you see afterwards, it's the RTP stream. SIP is used only for signaling a session hence the name Session Initiation Protocol. The SIP messages contain the IP Address + Port where the RTP flow will appear. The RTP might not have the same IP address as the SIP destination.

If you want to prioritize SIP and RTP you can use your own SIP Proxy (I'm using SER from www.iptel.org) with some kind of gateway (RTPPROXY may be just enough for an end user).

By the way, if some SIP clients do not find port 5060 free, they choose quasi-randomly another port.

Marius

On 4/21/06, Francisco wrote:
>
> L7 filter works very well too:
> http://l7-filter.sourceforge.net/
>
> Although I didn't try it with sip, I use it to control my P2P and server
> applications and have a very usable ADSL link at almost 100% utilization
> of my upstream.
>
> On Tuesday, 18 April 2006 07:45, LinuXKiD wrote:
> > mmm... intresting....
> >
> > http://sipx-wiki.calivia.com/index.php/HowTo_configure_iptables
> >
> > ip_conntrack_sip
> >
> > Someone has tried it ?
> >
> > works on 2.4 kernel series ?
> >
> > thanks
> >
> > ->
> > -> Hi I am pretty much a newbie, I found with sip if I match ports 5060 and
> > -> 10000 - 20000 it works I noticed on some phones the use 13000 - 14000 and
> > -> others use 18000 - 19000. there is a new sip-contrack out although I
> > -> haven't tried it yet.
> > ->
> > -> william
> > ->
> > -> -----Original Message-----
> > -> From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl]
> > -> On Behalf Of LinuXKiD
> > -> Sent: 17 April 2006 15:59
> > -> To: lartc
> > -> Subject: [LARTC] Sip Traffic
> > ->
> > -> Hi.
> > ->
> > -> there is a way to MARK udp VOIP (SIP) traffic,
> > -> in order to put in a highest prio class ?
> > ->
> > -> Traffic flow seems start on udp 5060 port, but
> > -> next both server and client seems jump to a
> > -> random(?) port.
> > ->
> > -> I can't use CONNMARK because is udp traffic.
> > ->
> > -> I only see a pattern for L7 patch in order to
> > -> SIP traffic identification , but I run 2.4
> > -> kernel series .
> > ->
> > -> When you patch 2.4 kernel with L7 patch,
> > -> later, Connmark (patch o matic ) can't apply.
> > -> (conflicts)
> > ->
> > -> thank you.
> > -> --
> > -> Andres

From sewlist at gmail.com Fri Apr 21 11:04:30 2006
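Marius's point above, that the RTP endpoint is announced inside the SIP message rather than being a fixed port, as an added POSIX sh example that is not from his post or from SER/rtpproxy: it reads the SDP body of a SIP INVITE, extracts the audio address and port, and prints the iptables mark rules for that single UDP flow so a `tc filter ... fw` classifier can place it in a high-priority class. The INVITE is constructed, with a c= address that deliberately differs from the SIP sender; addresses, ports and the mark value are placeholders.

```shell
#!/bin/sh
# Added example, not from the list post: find the RTP endpoint that a SIP
# INVITE announces in its SDP body, and print the mangle rules that mark that
# one UDP flow so a "tc filter ... fw" classifier can put it in a high-prio
# class.  The INVITE below is constructed; addresses, ports and the mark
# value are placeholders.

# sdp_rtp_endpoint: read a SIP message on stdin, print "ADDR PORT" of the
# audio stream, exit 1 if the message carries no audio SDP.  A media-level
# c= line inside the m=audio section overrides the session-level one.
sdp_rtp_endpoint() {
    awk '
        BEGIN { inbody = 0; sess = ""; media = ""; port = ""; inaudio = 0 }
        { sub(/\r$/, "") }                          # tolerate CRLF line ends
        !inbody { if ($0 == "") inbody = 1; next }  # blank line ends the headers
        /^c=IN IP4 / { if (inaudio) media = $3; else if (port == "") sess = $3; next }
        /^m=audio / { if (port == "") { port = $2; inaudio = 1 } else inaudio = 0; next }
        /^m=/ { inaudio = 0 }                       # another media line ends the audio section
        END {
            addr = (media != "") ? media : sess
            if (port == "" || addr == "") exit 1
            print addr, port
        }'
}

# rtp_mark_rules ADDR PORT [MARK]: print iptables commands marking both
# directions of the RTP flow (MARK defaults to the constructed value 0x10);
# the mark is what a "tc filter ... fw" classifier keys on.
rtp_mark_rules() {
    printf 'iptables -t mangle -A PREROUTING -p udp -d %s --dport %s -j MARK --set-mark %s\n' "$1" "$2" "${3:-0x10}"
    printf 'iptables -t mangle -A PREROUTING -p udp -s %s --sport %s -j MARK --set-mark %s\n' "$1" "$2" "${3:-0x10}"
}

# Constructed INVITE: the SIP signalling comes from 192.0.2.10:5060, but the
# SDP says the audio will arrive at 192.0.2.55:18000, a different host and a
# port that no static "udp port 5060" rule would ever match.
SAMPLE_INVITE='INVITE sip:bob@example.org SIP/2.0
Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds
From: <sip:alice@example.org>;tag=1928301774
To: <sip:bob@example.org>
Content-Type: application/sdp
Content-Length: 139

v=0
o=alice 2890844526 2890844526 IN IP4 192.0.2.10
s=call
c=IN IP4 192.0.2.55
t=0 0
m=audio 18000 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000'

# demo_endpoint: run the parser over the constructed INVITE.
demo_endpoint() {
    printf '%s\n' "$SAMPLE_INVITE" | sdp_rtp_endpoint
}

# demo_rules: parser output fed straight into the rule generator; fails if
# the message carried no usable SDP.
demo_rules() {
    ep=$(demo_endpoint) || return 1
    set -- $ep
    rtp_mark_rules "$1" "$2"
}

demo_rules
```

The parser only understands a single IPv4 audio stream; a real deployment would track the answering 200 OK as well, which is what a conntrack SIP helper does for you.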
From: sewlist at gmail.com (the sew)
Date: Fri Apr 21 11:04:29 2006
Subject: [LARTC] icmp latency question
Message-ID: 

Hi,

Our company's main line is quite busy the whole day and my shaping is working perfect, however even if I give icmp priority the pings still jump around quite a bit.

We do have a backup line which hardly gets used, only if the main line drops. I've set ip rule to route all icmp through that and now the pings are perfect.

Will this make a difference for the game players etc, with this low ping? or does the lag on the game get affected by the throughput?

Thanks

Sew

From bizzam at gmail.com Fri Apr 21 15:17:46 2006
From: bizzam at gmail.com (Marco Bizzantino)
Date: Fri Apr 21 15:17:42 2006
Subject: [LARTC] Split traffic problem
Message-ID: <8bdf26640604210617j50d42935l7bbe6f1881c46b31@mail.gmail.com>

Hi all

I have a problem splitting traffic behind 2 adsl.

My situation:

                _________router2
               |
lan1 ------- fw ----------- router1
               |
lan2-----------|

lan1 use router1, lan2 router2.

The linux default gw is set to router2, lan2 browse internet without any problem (icmp, tcp..). Lan1 is blocked.

From lan1 i can ping router1, and i've set this iproute rules:

ip route add 10.0.0.0/24 dev dmz0 table cnet
ip route add 195.43.x.x dev bad0 table cnet (firewall interface ip address connected to router1)
ip route add 192.168.1.0/24 dev lan0 table cnet
ip route add default via 195.43.x.x dev bad0 table cnet (router1 ip address)

ip rule add from 195.43.x.x/29 lookup cnet
ip rule add to 195.43.x.x/29 lookup cnet
ip rule add from 10.0.0.0/24 lookup cnet
ip rule add to 10.0.0.0/24 lookup cnet

Now, i try to ping a public dns server from lan1

ping 194.20.8.1
PING 194.20.8.1 (194.20.8.1) 56(84) bytes of data.

--- 194.20.8.1 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 3999ms

tcpdump on my firewall, monitoring interface bad0 connected to router1 show:

15:09:35.148181 IP 195.43.186.50 > urano.inet.it: icmp 64: echo request seq 1
15:09:35.171411 IP urano.inet.it > 195.43.186.50: icmp 64: echo reply seq 1
15:09:36.147390 IP 195.43.186.50 > urano.inet.it: icmp 64: echo request seq 2
15:09:36.177859 IP urano.inet.it > 195.43.186.50: icmp 64: echo reply seq 2
15:09:37.146904 IP 195.43.186.50 > urano.inet.it: icmp 64: echo request seq 3
15:09:37.173226 IP urano.inet.it > 195.43.186.50: icmp 64: echo reply seq 3
[...]

it seems ok.. but it isn't..

Any suggestion? My firewall log don't show anything, i tried to open all port in forward, but the result is still the same.

best regards

Marco

From gregoriandres at yahoo.com.ar Fri Apr 21 21:32:16 2006
From: gregoriandres at yahoo.com.ar (LinuXKiD) Date: Fri Apr 21 21:32:12 2006 Subject: [LARTC] Sip Traffic In-Reply-To: <200604202319.19042.ranmakun@arnet.com.ar> Message-ID: sounds good :-) BTW, someone has tried "ip_conntrack_sip" module from netfilter ???? (in order match and priorize VoIP Traffic ? -SIP and RTP- ) thank you -> -----Mensaje original----- -> De: lartc-bounces@mailman.ds9a.nl -> [mailto:lartc-bounces@mailman.ds9a.nl]En nombre de Francisco -> Enviado el: Jueves, 20 de Abril de 2006 11:19 p.m. -> Para: lartc@mailman.ds9a.nl -> Asunto: Re: [LARTC] Sip Traffic -> -> -> L7 filter works very well too: -> http://l7-filter.sourceforge.net/ -> -> Although I didn't try it with sip, I use it to control my P2P and server -> applications and have a very usable ADSL link at almost 100% -> utilization of -> my upstream. -> -> -> El Martes, 18 de Abril de 2006 07:45, LinuXKiD escribi?: -> > mmm... intresting.... -> > -> > http://sipx-wiki.calivia.com/index.php/HowTo_configure_iptables -> > -> > ip_conntrack_sip -> > -> > Someone has tried it ? -> > -> > works on 2.4 kernel series ? -> > -> > thanks -> > -> > -> > -> > -> > -> -> > -> -> > -> Hi I am pretty much a newbie, I found with sip if I match -> ports 5060 and -> > -> 10000 - 20000 it works I noticed on some phones the use -> 13000 - 14000 -> > and -> others use 18000 - 19000. there is a new sip-contrack -> out although -> > I -> haven't tried it yet. -> > -> -> > -> william -> > -> -> > -> -----Original Message----- -> > -> 
-> > -> From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl]
-> > -> On Behalf Of LinuXKiD
-> > -> Sent: 17 April 2006 15:59
-> > -> To: lartc
-> > -> Subject: [LARTC] Sip Traffic
-> > ->
-> > -> Hi.
-> > ->
-> > -> Is there a way to MARK UDP VoIP (SIP) traffic,
-> > -> in order to put it in a highest-priority class?
-> > ->
-> > -> The traffic flow seems to start on UDP port 5060, but
-> > -> next both server and client seem to jump to a
-> > -> random(?) port.
-> > ->
-> > -> I can't use CONNMARK because it is UDP traffic.
-> > ->
-> > -> I only see a pattern for the L7 patch for
-> > -> SIP traffic identification, but I run the 2.4
-> > -> kernel series.
-> > ->
-> > -> When you patch a 2.4 kernel with the L7 patch,
-> > -> later, CONNMARK (patch-o-matic) can't be applied.
-> > -> (conflicts)
-> > ->
-> > -> thank you.
-> > -> --
-> > -> Andres
-> > -> _______________________________________________
-> > -> LARTC mailing list
-> > -> LARTC@mailman.ds9a.nl
-> > -> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From gregoriandres at yahoo.com.ar Fri Apr 21 21:50:00 2006 
From: gregoriandres at yahoo.com.ar (LinuXKiD)
Date: Fri Apr 21 21:49:56 2006
Subject: [LARTC] Sip Traffic
In-Reply-To: <2abc33350604210024r6733b223w139ed78b578789af@mail.gmail.com>
Message-ID:

-> About SIP: the traffic does not "jump" to a random port, it is
-> another type of traffic that you see afterwards, it's the RTP stream.

OK! Thank you. I understand.

-> SIP is used only for signaling a session, hence the name Session
-> Initiation Protocol. The SIP messages contain the IP address +
-> port where the RTP flow will appear. The RTP might not have the
-> same IP address as the SIP destination. If you want to
-> prioritize SIP and RTP you can use your own SIP proxy (I'm using
-> SER from www.iptel.org) with some kind of gateway (RTPPROXY may
-> be just enough for an end user).

OK, thank you. I'm a newbie with VoIP. AFAIK, SER is a router. But I need to prioritize SIP traffic on my (very) custom Linux 2.4.28 router. Is there a way to integrate OpenSER with it?

best regards
andres

From ranmakun at arnet.com.ar Sat Apr 22 05:17:14 2006 
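The point made in the quoted reply, that the SIP message itself names the address and port the RTP will use, is what makes the "random port" problem tractable without L7 or the SIP conntrack helper. The following is an added example, not code from anyone in the thread: a constructed SIP INVITE with its SDP body, a small parser that pulls the connection address (c= line) and audio port (m=audio line) out of it, and the tc/iptables commands that would steer that one stream into a priority class. The phone addresses, eth0, class 1:10 and mark 10 are all assumptions; the answering side's 200 OK carries the same c=/m= lines for its own end and is parsed the same way.

```shell
#!/bin/sh
# Added example, not code from the thread. A SIP INVITE carries an SDP
# body whose c= line (connection address) and m=audio line (port)
# announce where the sender wants to receive RTP; the 200 OK from the
# other side carries the same lines for its end. The message below is
# constructed, and the tc/iptables commands assume eth0, class 1:10
# and mark 10.

sample_invite() {
cat <<'EOF'
INVITE sip:bob@example.net SIP/2.0
Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds
From: "Alice" <sip:alice@example.net>;tag=1928301774
To: Bob <sip:bob@example.net>
Call-ID: a84b4c76e66710@192.168.1.20
CSeq: 314159 INVITE
Content-Type: application/sdp

v=0
o=alice 2890844526 2890844526 IN IP4 192.168.1.20
s=-
c=IN IP4 192.168.1.20
t=0 0
m=audio 49170 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
EOF
}

# sdp_body: stdin is a SIP message; print only the SDP body (what
# follows the first blank line), with any CRs stripped.
sdp_body() {
    sed -n '/^[[:space:]]*$/,$p' | sed '1d' | tr -d '\r'
}

# rtp_addr / rtp_port: the advertised RTP endpoint. A session-level
# c= line is used here; a media-level c= under m=audio would override
# it in a full parser.
rtp_addr() { sdp_body | sed -n 's/^c=IN IP4 \([0-9.][0-9.]*\).*/\1/p' | head -n 1; }
rtp_port() { sdp_body | sed -n 's/^m=audio \([0-9][0-9]*\) .*/\1/p'   | head -n 1; }

# rtp_filter_cmds ADDR PORT: commands that put the stream sent TO the
# advertised endpoint into class 1:10 (u32, on the interface facing
# it), and mark the stream it sends back, assuming symmetric RTP
# (same port both ways, which most phones do but SIP does not require).
rtp_filter_cmds() {
    printf 'tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip protocol 17 0xff match ip dst %s/32 match ip dport %s 0xffff flowid 1:10\n' "$1" "$2"
    printf 'iptables -t mangle -A PREROUTING -p udp -s %s --sport %s -j MARK --set-mark 10\n' "$1" "$2"
}

main() {
    a=$(sample_invite | rtp_addr)
    p=$(sample_invite | rtp_port)
    echo "RTP endpoint from SDP: $a:$p (RTCP on $((p + 1)))"
    rtp_filter_cmds "$a" "$p"
}

main
```

Doing this by hand only works for a fixed set of phones, which is why the thread keeps coming back to the conntrack helper or a port range: the helper does this same SDP parse in the kernel and creates the expectation for you, and a configured RTP range on the phones lets you match the range instead of each call.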
From: ranmakun at arnet.com.ar (Francisco)
Date: Sat Apr 22 05:17:04 2006
Subject: [LARTC] Sip Traffic
In-Reply-To: <200604202225.01313.jasonb@edseek.com>
References: <200604202319.19042.ranmakun@arnet.com.ar> <200604202225.01313.jasonb@edseek.com>
Message-ID: <200604220017.14394.ranmakun@arnet.com.ar>

eMule detection works very well; this has really changed the way I use my upload bandwidth.

On Thursday, 20 April 2006 23:25, Jason Boxman wrote:
> On Thursday 20 April 2006 22:19, Francisco wrote:
> > L7 filter works very well too:
> > http://l7-filter.sourceforge.net/
> >
> > Although I didn't try it with sip, I use it to control my P2P and server
> > applications and have a very usable ADSL link at almost 100% utilization
> > of my upstream.
>
> Does any of that include eMule traffic? I stopped having success with
> eMule protocols and L7 a year or two ago and the pattern hasn't been
> updated in ages.

From GregScott at InfraSupportEtc.com Mon Apr 24 04:54:37 2006
From: GregScott at InfraSupportEtc.com (Greg Scott)
Date: Mon Apr 24 04:52:58 2006
Subject: [LARTC] Sip Traffic
Message-ID: <925A849792280C4E80C5461017A4B8A206F4FF@mail733.InfraSupportEtc.com>

Why not just prioritize everything that comes to/from that SIP phone? So forget about ports, just prioritize the IP address? Use the IP address to identify traffic you want to move with elevated priority. Just a thought...

- Greg

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Francisco
Sent: Friday, April 21, 2006 10:17 PM
To: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Sip Traffic

eMule detection works very well; this has really changed the way I use my upload bandwidth.

On Thursday, 20 April 2006 23:25, Jason Boxman wrote:
> On Thursday 20 April 2006 22:19, Francisco wrote:
> > L7 filter works very well too:
> > http://l7-filter.sourceforge.net/
> >
> > Although I didn't try it with sip, I use it to control my P2P and server
> > applications and have a very usable ADSL link at almost 100% utilization
> > of my upstream.
>
> Does any of that include eMule traffic? I stopped having success with
> eMule protocols and L7 a year or two ago and the pattern hasn't been
> updated in ages.

From talk2ram at gmail.com Mon Apr 24 07:02:41 2006 
From: talk2ram at gmail.com (ram)
Date: Mon Apr 24 07:02:39 2006
Subject: [LARTC] High Traffic Using HTB Tools
Message-ID:

Hi all,

I have worked with HTB for customers' traffic with VLANs and it works great: just bandwidth limiting, no borrowing between classes. But I never tried high traffic, like a 100 Mbit internet port with 100 Mbit of traffic to the internet. I am trying to apply the rules on my backbone router (Linux RHEL AS 4.0).

What do people suggest? How many on the list have tested this kind of traffic?

I'm just looking to add filters: 80% for HTTP and the rest, 20% for VoIP (SIP, RTP, H.323). What will be the impact on traffic? Before I go live and put the rules in place I would like to ask for people's suggestions.

And are there any sample examples for the borrowing, like: if voice is not used, the rest should use it, and if HTTP is not used, voice should use it, on a best-effort basis?

Could someone guide me with sample configs and suggestions?

Ram

From coricim at gmail.com Mon Apr 24 08:40:14 2006 
From: coricim at gmail.com (Marius Corici)
Date: Mon Apr 24 08:40:12 2006
Subject: [LARTC] Sip Traffic
In-Reply-To: <925A849792280C4E80C5461017A4B8A206F4FF@mail733.InfraSupportEtc.com>
References: <925A849792280C4E80C5461017A4B8A206F4FF@mail733.InfraSupportEtc.com>
Message-ID: <2abc33350604232340h7172a062u8f205ccc83d3e57e@mail.gmail.com>

> Why not just prioritize everything that comes to/from that SIP phone? So forget about ports, just prioritize the IP
> address? Use the IP address to identify traffic you want to move with elevated priority. Just a thought...

If we got to this, what if the end user is a laptop and wants to do eMule too? I am just asking, maybe there is an idea here...

Marius

From chentschel at arnet.com.ar Mon Apr 24 14:33:30 2006
From: chentschel at arnet.com.ar (chentschel@arnet.com.ar)
Date: Mon Apr 24 14:40:19 2006
Subject: [LARTC] Sip Traffic
Message-ID: <200604241233.k3OCXUp29053@webserver5.arnet.com.ar>

Hi,

Why don't you just use the "--helper sip" extension in iptables with ip_conntrack_sip loaded? That would see and track RTP traffic on the machine.

Please, if you do, send me feedback about the module.
Thanks.
CH.

Quoting Marius Corici:
> > Why not just prioritize everything that comes to/from that SIP phone? So
> forget about ports, just prioritize the IP address? Use the IP address to
> identify traffic you want to move with elevated priority. Just a thought...
>
> If we got to this, what if the end user is a laptop and wants to do eMule
> too? I am just asking, maybe there is an idea here...
>
> Marius

__________________________________
Register at http://servicios.arnet.com.ar/registracion/registracion.asp?origenid=9 and enjoy all the benefits of the Arnet Portal.

From martin at linux-ip.net Mon Apr 24 15:51:53 2006 
From: martin at linux-ip.net (Martin A. Brown)
Date: Mon Apr 24 15:56:39 2006
Subject: [LARTC] EBTables, iproute, etc.
In-Reply-To: <74F2EC4F6261A140AFDBC3661C4672A7447E80@CTG-MSNEXC01.staff.berbee.com>
References: <74F2EC4F6261A140AFDBC3661C4672A7447E80@CTG-MSNEXC01.staff.berbee.com>
Message-ID:

Ron,

 : Today: To get traffic for our IDS sensors and a billing system,
 : we collect everything at our core switches (2) by connecting a
 : SPAN port from each switch to a server (so, 2 interfaces
 : collecting traffic). That server changes the destination MAC
 : address on all traffic to that of another server running iproute
 : and sends it out a third interface. The server running iproute
 : collects the traffic on one interface, and sends traffic to
 : different sub interfaces depending on the network; a switch
 : connected to the outgoing traffic allows connection of the IDS
 : sensors, billing system, etc.

This, right?

                 two SPAN ports
                /
  +----------+ /   +----------+     +----------+
  | switch   |-----|          |     |          |
  +==========+     | eth_rewr |-----| p_router |----- other systems
  | switch   |-----|          |     |          |
  +----------+     +----------+     +----------+

So, you essentially want to conflate the eth_rewr box and the p_router box, correct?

 : 1. Just run iproute, having it take the traffic from the SPAN
 :    ports and policy route without having to have the first server
 :    change destination MAC addresses.
 :    a. Can iproute do policy routing on traffic not destined for it in
 :       the first place (i.e. by having the interfaces in
 :       promiscuous mode)?
 :    b. If not, then does iproute contain functionality that would allow
 :       it to sense all traffic and change the destination MAC
 :       address or IP address?

Strictly speaking, the problem here doesn't have anything at all to do with iproute. The switch is transmitting frames with ethernet headers bound for their real destinations. The eth_rewr box simply rewrites the ethernet frame headers so that they have the MAC address of the p_router interface. I can't see how this proposed solution will be viable for you.

 : 2. Have EBTables and iproute running on the same box if #1 above isn't
 :    possible.
 :
 :    a. Can we do this without having to have more interfaces in the
 :       box, connected to each other with crossover cables?

I think this approach is much more likely to yield fruit, although I have not yet done anything like this. Consider using the ebtables broute/BROUTING table/chain. You may find this documentation [0] helpful in looking at the problem again. In particular, Joshua Snyder's diagram [1] should be able to illustrate to you a possible solution where ebtables and iproute are running on the same box.

To quote from the ebtables manpage:

  The targets DROP and ACCEPT have special meaning in the broute table.
  DROP actually means the frame has to be routed, while ACCEPT means
  the frame has to be bridged.

Thus, you should be able to do something like the following on the policy router (assume your MAC on eth1/br0 is 00:80:c8:e8:1e:fc):

  ebtables --table broute \
    --append BROUTING \
    --in-if eth1 \
    --dst ! 00:80:c8:e8:1e:fc \
    --jump redirect --redirect-target DROP

So, now you have frames leaping happily up to the IP stack and your policy router. I don't know what the performance implications are of running both ebtables and policy routing on the same machine.

Good luck,

-Martin

 [0] http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html
 [1] http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png

--
Martin A. Brown
http://linux-ip.net/

From luciano at elo.com.br Mon Apr 24 15:57:14 2006 
From: luciano at elo.com.br (Luciano)
Date: Mon Apr 24 15:57:17 2006
Subject: [LARTC] Backlog with less rate than defined
In-Reply-To: <2abc33350604232340h7172a062u8f205ccc83d3e57e@mail.gmail.com>
Message-ID: <003101c667a6$ff102cc0$0900fe0a@LucianoNotebook>

Hi all,

I set up a Linux machine to act as a LAN authentication server. So, the same script that redirects the HTTP connection to a login web page creates some queues to limit traffic, login by login.

The PC uses only 1 ethernet interface, which receives the packets source-routed to it and forwards/NATs them to the external gateway using the same interface.

For each login I create a queue like this:

tc class add dev '.$if_externa.' parent 1:1 classid 1:'.$filaDown.' htb rate '.$banda_down.'kbit ceil '.$banda_down.'kbit prio 1'
tc filter add dev $if_externa protocol ip parent 1:0 prio 1 handle ::$filaDown u32 match ip dst $ipcliente/32 flowid 1:$filaDown

My problem is that most of the queues created do NOT get the full rate as defined. I can see the packets entering the backlog at a much lower rate than defined, e.g.:

class htb 1:b1 parent 1:1 prio 1 rate 256Kbit ceil 256Kbit burst 1926b cburst 1926b
 Sent 6644151 bytes 5435 pkts (dropped 0, overlimits 0)
 rate 669bps backlog 107p

Some help?

Thanks in advance,
Luciano Lima

From gregoriandres at yahoo.com.ar Mon Apr 24 18:55:36 2006 
From: gregoriandres at yahoo.com.ar (LinuXKiD)
Date: Mon Apr 24 18:55:25 2006
Subject: [LARTC] Sip Traffic
In-Reply-To: <200604241233.k3OCXUp29053@webserver5.arnet.com.ar>
Message-ID:

This post is from Samuel Garcia. (thank you)

-> I tried it with kernel 2.6.15.x and many pom-ng patches, and those modules
-> (conntrack and nat) hang up the system.
->
-> I don't recommend it, at least for now, on the 2.6.x kernel series.
->
-> Regards

-> Hi,
-> Why don't you just use the "--helper sip" extension in
-> iptables with ip_conntrack_sip loaded? That would see and track
-> RTP traffic on the machine.
->
-> Please, if you do, send me feedback about the module.
-> Thanks.
-> CH.
->
-> Quoting Marius Corici:
->
-> > > Why not just prioritize everything that comes to/from that SIP phone? So
-> > forget about ports, just prioritize the IP address? Use the IP address to
-> > identify traffic you want to move with elevated priority. Just a thought...
-> >
-> > If we got to this, what if the end user is a laptop and wants to do eMule
-> > too? I am just asking, maybe there is an idea here...
-> >
-> > Marius

From chentschel at arnet.com.ar Mon Apr 24 23:48:18 2006 
From: chentschel at arnet.com.ar (chentschel@arnet.com.ar)
Date: Mon Apr 24 22:46:59 2006
Subject: [LARTC] Sip Traffic
Message-ID: <200604242148.k3OLmIL14265@webserver7.arnet.com.ar>

Hi,

Well, there's a line to change in ip_conntrack_sip.c. The 'hang-up' is because of the ip_ct_refresh() function. That's documented, BTW, on the netfilter list.

I'm sorry I don't have the time to submit a patch to the netfilter svn. I'll try to do it.

Cheers.
Christian Hentschel

Quoting LinuXKiD:
> This post is from Samuel Garcia. (thank you)
>
> -> I tried it with kernel 2.6.15.x and many pom-ng patches, and those modules
> -> (conntrack and nat) hang up the system.
> ->
> -> I don't recommend it, at least for now, on the 2.6.x kernel series.
> ->
> -> Regards
>
> -> Hi,
> -> Why don't you just use the "--helper sip" extension in
> -> iptables with ip_conntrack_sip loaded? That would see and track
> -> RTP traffic on the machine.
> ->
> -> Please, if you do, send me feedback about the module.
> -> Thanks.
> -> CH.
> ->
> -> Quoting Marius Corici:
> ->
> -> > > Why not just prioritize everything that comes to/from that SIP phone? So
> -> > forget about ports, just prioritize the IP address? Use the IP address to
> -> > identify traffic you want to move with elevated priority. Just a thought...
> -> >
> -> > If we got to this, what if the end user is a laptop and wants to do eMule
> -> > too? I am just asking, maybe there is an idea here...
> -> >
> -> > Marius

From andy.furniss at dsl.pipex.com Tue Apr 25 01:33:11 2006 
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Tue Apr 25 01:32:55 2006
Subject: [LARTC] Backlog with less rate than defined
In-Reply-To: <003101c667a6$ff102cc0$0900fe0a@LucianoNotebook>
References: <003101c667a6$ff102cc0$0900fe0a@LucianoNotebook>
Message-ID: <444D6037.90906@dsl.pipex.com>

Luciano wrote:
> Hi all,
>
> I set up a Linux machine to act as a LAN authentication server. So, the
> same script that redirects the HTTP connection to a login web page creates
> some queues to limit traffic, login by login.
>
> The PC uses only 1 ethernet interface, which receives the packets
> source-routed to it and forwards/NATs them to the external gateway using
> the same interface.
>
> For each login I create a queue like this:
>
> tc class add dev '.$if_externa.' parent 1:1 classid 1:'.$filaDown.' htb
> rate '.$banda_down.'kbit ceil '.$banda_down.'kbit prio 1'
> tc filter add dev $if_externa protocol ip parent 1:0 prio 1 handle
> ::$filaDown u32 match ip dst $ipcliente/32 flowid 1:$filaDown
>
> My problem is that most of the queues created do NOT get the full rate as
> defined. I can see the packets entering the backlog at a much lower rate
> than defined, e.g.:
>
> class htb 1:b1 parent 1:1 prio 1 rate 256Kbit ceil 256Kbit burst 1926b
> cburst 1926b
>  Sent 6644151 bytes 5435 pkts (dropped 0, overlimits 0)
>  rate 669bps backlog 107p

HTB's rate average can be quite long and misleading. I would tcpdump and see whether the rate looks OK with that.

If not, see what the dequeue behaviour is - you don't show all your rules. If you are using an HTB default class on the root and shaping eth, remember ARP will get delayed there unless you filter it elsewhere.

Andy.

From luciano at elo.com.br Tue Apr 25 21:20:13 2006 
From: luciano at elo.com.br (Luciano)
Date: Tue Apr 25 21:20:19 2006
Subject: RE: [LARTC] Backlog with less rate than defined
In-Reply-To: <444D6037.90906@dsl.pipex.com>
Message-ID: <002001c6689d$49b439a0$0900fe0a@LucianoNotebook>

Hi Andy,

I'm not sure if I understood what you said about ARP packets. I use htb default, but the problem occurs even when the default queue rate is low (it is almost always low in rate and pps).

The attached files are:
rc.local - creation of the basic queues, including default
regras.inc - creation of each queue when the user logs in
queues - statistics of the basic queues

Thanks for the help,
Luciano

-----Original message-----
From: Andy Furniss [mailto:andy.furniss@dsl.pipex.com]
Sent: Monday, 24 April 2006 20:33
To: Luciano
Cc: lartc@mailman.ds9a.nl; Jader@elo.com.br
Subject: Re: [LARTC] Backlog with less rate than defined

Luciano wrote:
> Hi all,
>
> I set up a Linux machine to act as a LAN authentication server. So, the
> same script that redirects the HTTP connection to a login web page creates
> some queues to limit traffic, login by login.
>
> The PC uses only 1 ethernet interface, which receives the packets
> source-routed to it and forwards/NATs them to the external gateway using
> the same interface.
>
> For each login I create a queue like this:
>
> tc class add dev '.$if_externa.' parent 1:1 classid 1:'.$filaDown.' htb
> rate '.$banda_down.'kbit ceil '.$banda_down.'kbit prio 1'
> tc filter add dev $if_externa protocol ip parent 1:0 prio 1 handle
> ::$filaDown u32 match ip dst $ipcliente/32 flowid 1:$filaDown
>
> My problem is that most of the queues created do NOT get the full rate as
> defined. I can see the packets entering the backlog at a much lower rate
> than defined, e.g.:
>
> class htb 1:b1 parent 1:1 prio 1 rate 256Kbit ceil 256Kbit burst 1926b
> cburst 1926b
>  Sent 6644151 bytes 5435 pkts (dropped 0, overlimits 0)
>  rate 669bps backlog 107p

HTB's rate average can be quite long and misleading. I would tcpdump and see whether the rate looks OK with that.

If not, see what the dequeue behaviour is - you don't show all your rules. If you are using an HTB default class on the root and shaping eth, remember ARP will get delayed there unless you filter it elsewhere.

Andy.

Attachments (non-text, scrubbed by the list archive):
regras.inc (891 bytes): http://mailman.ds9a.nl/pipermail/lartc/attachments/20060425/5c41f590/regras.obj
queues (1244 bytes): http://mailman.ds9a.nl/pipermail/lartc/attachments/20060425/5c41f590/queues.obj
rc.local (1916 bytes): http://mailman.ds9a.nl/pipermail/lartc/attachments/20060425/5c41f590/rc.obj

From andy.furniss at dsl.pipex.com Wed Apr 26 01:16:29 2006 
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Wed Apr 26 01:16:25 2006
Subject: RE: [LARTC] Backlog with less rate than defined
In-Reply-To: <002001c6689d$49b439a0$0900fe0a@LucianoNotebook>
References: <002001c6689d$49b439a0$0900fe0a@LucianoNotebook>
Message-ID: <444EADCD.4050505@dsl.pipex.com>

Luciano wrote:
> Hi Andy,
>
> I'm not sure if I understood what you said about ARP packets.
> I use htb default, but the problem occurs even when the default queue
> rate is low (it is almost always low in rate and pps).

It's still not ideal even if it's not the cause - SFQ's default length is 128 packets, so if they were MTU size when it's full that's a 1.5 sec delay + drops - and the stats show drops.

class htb 1:efff parent 1:1 leaf efff: prio 1 rate 1Mbit ceil 1Mbit burst 2909b cburst 2909b
 Sent 1113213839 bytes 9059857 pkts (dropped 61529, overlimits 0)
 rate 1130bps 13pps
 lended: 9059857 borrowed: 0 giants: 0

I would not use default on eth. Also 100 Mbit eth is not 100 Mbit at IP level, which is almost what HTB sees (IP + 14), so 1:1 needs to be less - but if the children don't add up to that then it won't hurt.

You could just send all unmatched IP to 1:efff with a low-prio filter -

tc filter add dev eth0 protocol ip parent 1:0 prio 99 u32 match u32 0 0 flowid 1:efff

then ARP will not get shaped.

I notice you use handle on filters - maybe OK, but I usually only see it with hashing or fw.

> The attached files are:
> rc.local - creation of the basic queues, including default
> regras.inc - creation of each queue when the user logs in
> queues - statistics of the basic queues

Have you measured the rate another way?

Andy.

From sophana at zizi.ath.cx Wed Apr 26 16:26:27 2006 
From: sophana at zizi.ath.cx (sophana)
Date: Wed Apr 26 16:26:42 2006
Subject: [LARTC] Sip Traffic
In-Reply-To:
References:
Message-ID: <444F8313.7020703@zizi.ath.cx>

What about using a SIP proxy? I'm not sure, but the RTP traffic goes through the SIP proxy, doesn't it? Then you can prioritize traffic with the SIP proxy's process user id (assuming that you can have a proxy on your router).

I have a much more basic question: I installed a QoS script based on wondershaper, which is HTB based. With VoIP, the result is not correct (I have a lot of bandwidth with max prio). How can I mix absolute priority (for VoIP) with HTB?

Thanks

LinuXKiD wrote:
> Hi.
>
> Is there a way to MARK UDP VoIP (SIP) traffic,
> in order to put it in a highest-priority class?
>
> The traffic flow seems to start on UDP port 5060, but
> next both server and client seem to jump to a
> random(?) port.
>
> I can't use CONNMARK because it is UDP traffic.
>
> I only see a pattern for the L7 patch for
> SIP traffic identification, but I run the 2.4
> kernel series.
>
> When you patch a 2.4 kernel with the L7 patch,
> later, CONNMARK (patch-o-matic) can't be applied.
> (conflicts)
>
> thank you.
> --
> Andres

From jv.suri at gmail.com Wed Apr 26 16:55:58 2006 
From: jv.suri at gmail.com (Suresh Babu)
Date: Wed Apr 26 16:55:55 2006
Subject: [LARTC] Sip Traffic
In-Reply-To: <444F8313.7020703@zizi.ath.cx>
References: <444F8313.7020703@zizi.ath.cx>
Message-ID: <35a277ac0604260755j4a9d3cf7xcecda5580b1c88d6@mail.gmail.com>

I think RTP traffic doesn't flow through the SIP proxy. Only SIP packets flow through the SIP proxy, and RTP traffic flows end to end.

Correct me if I'm wrong.

Regards,
Suresh Babu

On 4/26/06, sophana wrote:
> What about using a SIP proxy?
> I'm not sure, but the RTP traffic goes through the SIP proxy, doesn't it?
> Then you can prioritize traffic with the SIP proxy's process user id
> (assuming that you can have a proxy on your router).
>
> I have a much more basic question:
> I installed a QoS script based on wondershaper, which is HTB based.
> With VoIP, the result is not correct (I have a lot of bandwidth with max prio).
> How can I mix absolute priority (for VoIP) with HTB?
>
> Thanks

From corey at core-techweb.com Wed Apr 26 17:43:45 2006
From: corey at core-techweb.com (corey@core-techweb.com)
Date: Wed Apr 26 17:43:54 2006
Subject: [LARTC] Unsubscribe
In-Reply-To: <20060417031308.F3E7544EB@outpost.ds9a.nl>
References: <20060417031308.F3E7544EB@outpost.ds9a.nl>
Message-ID: <60598.68.148.151.1.1146066225.squirrel@webmail.hosting-thenet.com>

From sophana at zizi.ath.cx Wed Apr 26 18:01:17 2006 
From: sophana at zizi.ath.cx (sophana)
Date: Wed Apr 26 18:01:17 2006
Subject: [LARTC] Sip Traffic
In-Reply-To: <35a277ac0604260755j4a9d3cf7xcecda5580b1c88d6@mail.gmail.com>
References: <444F8313.7020703@zizi.ath.cx> <35a277ac0604260755j4a9d3cf7xcecda5580b1c88d6@mail.gmail.com>
Message-ID: <444F994D.8030105@zizi.ath.cx>

Suresh Babu wrote:
> I think RTP traffic doesn't flow through the SIP proxy. Only SIP packets
> flow through the SIP proxy, and RTP traffic flows end to end.
>
> Correct me if I'm wrong.

Would it depend on the kind of SIP proxy? I thought that one of the SIP proxy functions was to resolve RTP NAT problems.

> I have a much more basic question:
> I installed a QoS script based on wondershaper, which is HTB based.
> With VoIP, the result is not correct (I have a lot of bandwidth with
> max prio).
> How can I mix absolute priority (for VoIP) with HTB?
>
> Thanks

Can someone please answer that (surely basic) question? What structure should I have? prio on top?

From lmcconnell at devonshire.co.uk Wed Apr 26 18:00:38 2006 
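Ram's request above for an 80/20 HTB split with borrowing in both directions, and sophana's question here about mixing priority for VoIP with HTB, are answered by the same tree: two children under one root class, each with ceil equal to the parent rate so either can take the whole link when the other is idle, and prio 0 on the voice class so it is dequeued first when both are backlogged. The following is an added example, not a configuration posted by anyone in the thread; eth0, the 95 Mbit link figure, the classids and the 10000-20000 RTP range are assumptions. It prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example for Ram's 80/20 question and sophana's "absolute priority
# with HTB" question; not a config posted in the thread. Device, rates,
# classids and the RTP port range are assumptions. Prints the commands
# by default; APPLY=1 executes them.

DEV="${DEV:-eth0}"
LINK_KBIT="${LINK_KBIT:-95000}"   # a little under 100 Mbit: HTB sees IP+14
                                  # bytes, not preamble, FCS or gaps
RTP_RANGE="${RTP_RANGE:-10000:20000}"
APPLY="${APPLY:-0}"

tc_()  { if [ "$APPLY" = "1" ]; then tc "$@";       else printf 'tc %s\n' "$*"; fi; }
ipt_() { if [ "$APPLY" = "1" ]; then iptables "$@"; else printf 'iptables %s\n' "$*"; fi; }

# pct TOTAL PERCENT -> integer kbit
pct() { echo $(( $1 * $2 / 100 )); }

build_htb() {
    http=$(pct "$LINK_KBIT" 80)
    voice=$(pct "$LINK_KBIT" 20)
    tc_ qdisc add dev "$DEV" root handle 1: htb default 10
    tc_ class add dev "$DEV" parent 1: classid 1:1 htb rate "${LINK_KBIT}kbit" ceil "${LINK_KBIT}kbit"
    # rate is the guarantee, ceil the borrowing limit: with ceil equal to
    # the parent rate on both children, whichever class is alone on the
    # link can take all of it. prio 0 on voice means that when both are
    # backlogged voice is dequeued first, but only up to its ceil; HTB
    # prio is "serve first", not an unbounded absolute priority.
    tc_ class add dev "$DEV" parent 1:1 classid 1:10 htb rate "${http}kbit" ceil "${LINK_KBIT}kbit" prio 1
    tc_ class add dev "$DEV" parent 1:1 classid 1:20 htb rate "${voice}kbit" ceil "${LINK_KBIT}kbit" prio 0
    # short FIFO under voice (a long queue only adds delay to calls);
    # SFQ under http so one download cannot starve the others
    tc_ qdisc add dev "$DEV" parent 1:20 handle 20: pfifo limit 50
    tc_ qdisc add dev "$DEV" parent 1:10 handle 10: sfq perturb 10
}

# classify_voice: SIP (5060/udp) and H.323 call setup (1720/tcp) plus the
# RTP port range the phones are configured for. Everything else falls
# into the default class 1:10.
classify_voice() {
    ipt_ -t mangle -A POSTROUTING -o "$DEV" -p udp --dport 5060 -j CLASSIFY --set-class 1:20
    ipt_ -t mangle -A POSTROUTING -o "$DEV" -p udp --sport 5060 -j CLASSIFY --set-class 1:20
    ipt_ -t mangle -A POSTROUTING -o "$DEV" -p tcp --dport 1720 -j CLASSIFY --set-class 1:20
    ipt_ -t mangle -A POSTROUTING -o "$DEV" -p udp --dport "$RTP_RANGE" -j CLASSIFY --set-class 1:20
    ipt_ -t mangle -A POSTROUTING -o "$DEV" -p udp --sport "$RTP_RANGE" -j CLASSIFY --set-class 1:20
}

build_htb
classify_voice
```

Two caveats a practitioner will want: a qdisc shapes only what leaves the interface it is attached to, so the same tree has to be attached to the LAN-facing interface to protect calls in the inbound direction; and if the link is a shared medium or the upstream is slower than the Ethernet, LINK_KBIT must be set to that slower figure, because HTB can only prioritise while it, and not the next hop, is the bottleneck.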
From: lmcconnell at devonshire.co.uk (Luke McConnell)
Date: Wed Apr 26 18:02:30 2006
Subject: [LARTC] HTB - Rate errors
Message-ID: <12421721E1085D499E852084C41F9A28378960@OTLONEXCH1.london.officetiger.com>

Hi,

I'm trying to get HTB working correctly on CentOS 4 (RHEL-based) with kernel 2.6.9-34.EL. I have two gigabit network interfaces bridged together and I have created the following:

tc qdisc add dev eth2 root handle 1: htb default 1 r2q 8000
tc class add dev eth2 parent 1: classid 1:1 htb rate 100Mbit burst 24k cburst 24k

(I have been trying different parameters.)

The network is passing ~80 Mbit of traffic but HTB is not seeing the rate correctly (which obviously causes problems when I try to shape a subset of the traffic). These are approx 1 second apart:

[root@ ~]# tc -s -d class sh dev eth2
class htb 1:1 root prio 0 quantum 1562 rate 100Mbit ceil 100Mbit burst 24Kb/8 mpu 0b overhead 0b cburst 24Kb/8 mpu 0b overhead 0b level 0
 Sent 654872932 bytes 830973 pkts (dropped 0, overlimits 0 requeues 0)
 rate 7827086bit 9941pps
 lended: 830973 borrowed: 0 giants: 0
 tokens: 1479 ctokens: 1479

[root@ ~]# tc -s -d class sh dev eth2
class htb 1:1 root prio 0 quantum 1562 rate 100Mbit ceil 100Mbit burst 24Kb/8 mpu 0b overhead 0b cburst 24Kb/8 mpu 0b overhead 0b level 0
 Sent 663902498 bytes 842747 pkts (dropped 0, overlimits 0 requeues 0)
 rate 7827086bit 9941pps
 lended: 842747 borrowed: 0 giants: 0
 tokens: 1527 ctokens: 1527

That's a transfer of around 9 MBytes, yet HTB is only reporting just under 8 Mbit/sec. Has anyone got any suggestions for me to try?

Many thanks,
Luke

From coricim at gmail.com Wed Apr 26 18:27:05 2006 
From: coricim at gmail.com (Marius Corici)
Date: Wed Apr 26 18:27:07 2006
Subject: [LARTC] Sip Traffic
In-Reply-To: <444F994D.8030105@zizi.ath.cx>
References: <444F8313.7020703@zizi.ath.cx> <35a277ac0604260755j4a9d3cf7xcecda5580b1c88d6@mail.gmail.com> <444F994D.8030105@zizi.ath.cx>
Message-ID: <2abc33350604260927kc4abb08n2adf5a7249f61564@mail.gmail.com>

The RTP traffic does not go through the SIP proxy. Some solutions to control the voice traffic exist. One is RTP Proxy, which communicates with a SER (SIP Express Router) or OpenSER and does as stated in the name, proxying for RTP. As a side effect the outbound ports are known.

SIP proxies do more than NAT traversal (in fact this is one of the weak points in the SIP protocol). For more info read RFC 3261.

Marius

On 4/26/06, sophana wrote:
> Suresh Babu wrote:
>
> > I think RTP traffic doesn't flow through the SIP proxy. Only SIP packets
> > flow through the SIP proxy, and RTP traffic flows end to end.
> >
> > Correct me if I'm wrong.
>
> Would it depend on the kind of SIP proxy?
> I thought that one of the SIP proxy functions was to resolve RTP NAT
> problems.
>
> > I have a much more basic question:
> > I installed a QoS script based on wondershaper, which is HTB based.
> > With VoIP, the result is not correct (I have a lot of bandwidth with
> > max prio).
> > How can I mix absolute priority (for VoIP) with HTB?
> >
> > Thanks
>
> Can someone please answer that (surely basic) question?
> What structure should I have?
> prio on top?

From luciano at lugmen.org.ar Wed Apr 26 18:54:50 2006 
From: luciano at lugmen.org.ar (Luciano Ruete) Date: Wed Apr 26 18:54:56 2006 Subject: [LARTC] HTB - Rate errors In-Reply-To: <12421721E1085D499E852084C41F9A28378960@OTLONEXCH1.london.officetiger.com> References: <12421721E1085D499E852084C41F9A28378960@OTLONEXCH1.london.officetiger.com> Message-ID: <200604261354.51359.luciano@lugmen.org.ar> El Wednesday 26 April 2006 13:00, Luke McConnell escribi?: > Hi, > > I'm trying to get HTB working correctly on Centos4 (RHEL-based) with > kernel 2.6.9-34.EL. I have two gigabit network interfaces bridged > together and I have created the following: > > tc qdisc add dev eth2 root handle 1: htb default 1 r2q 8000 > tc class add dev eth2 parent 1: classid 1:1 htb rate 100Mbit burst 24k > cburst 24k > > (I have been trying different parameters). > > The network is passing ~80MBits of traffic but HTB is not seeing the > rate correctly (which obviously causes problems when I try to shape a > sub-set of the traffic). These are approx 1 second apart: > > [root@ ~]# tc -s -d class sh dev eth2 > class htb 1:1 root prio 0 quantum 1562 rate 100Mbit ceil 100Mbit burst > 24Kb/8 mpu 0b overhead 0b cburst 24Kb/8 mpu 0b overhead 0b level 0 > Sent 654872932 bytes 830973 pkts (dropped 0, overlimits 0 requeues 0) > rate 7827086bit 9941pps > lended: 830973 borrowed: 0 giants: 0 > tokens: 1479 ctokens: 1479 > > [root@ ~]# tc -s -d class sh dev eth2 > class htb 1:1 root prio 0 quantum 1562 rate 100Mbit ceil 100Mbit burst > 24Kb/8 mpu 0b overhead 0b cburst 24Kb/8 mpu 0b overhead 0b level 0 > Sent 663902498 bytes 842747 pkts (dropped 0, overlimits 0 requeues 0) > rate 7827086bit 9941pps > lended: 842747 borrowed: 0 giants: 0 > tokens: 1527 ctokens: 1527 > > That's a transfer of around 9MBytes, yet HTB is only reporting just > under 8Mbits/sec. Has anyone got any suggestions for me to try? CentOS's tc version(iproute2-ss040831) is known to have buggy rates(at least for htb). You have to multiply by 8 the rate value. 
You can use the htb-stats[1] script made by jjo ciarlante; it is very useful to see real-time htb class rates. This script has a (soft) fix for the bug in CentOS and displays htb rates correctly. [1] http://freshmeat.net/projects/htb-stats/ -- Luciano
From william.bohannan at spidersat.net Wed Apr 26 19:55:03 2006 From: william.bohannan at spidersat.net (William Bohannan) Date: Wed Apr 26 19:56:21 2006 Subject: [LARTC] trying to get time control working Message-ID: <003d01c6695a$9220e400$043bdcc1@ACCSSWILLIAM>
Hi, I am currently trying to get time control working but come up with an error: /sbin/iptables -t mangle -A ms-chain-eth0-1:11 -m time --datestart 2006:01:26:17:00:00 --datestop 2006:12:26:18:00:00 -j CLASSIFY --set-class 1:111 iptables: Unknown error 4294967295 iptables -m tos -help displays the help for it. I am using Debian with kernel 2.6.15-2, iproute2-2.6.16-060323, iptables 1.3.5, patch-o-matic-ng-20060330. Any help would be most grateful. Regards, William
From william.bohannan at spidersat.net Wed Apr 26 19:58:56 2006 From: william.bohannan at spidersat.net (William Bohannan) Date: Wed Apr 26 19:59:39 2006 Subject: [LARTC] trying to get time working - had error in first email Message-ID: <004301c6695b$1ce555d0$043bdcc1@ACCSSWILLIAM>
Hi, I am currently trying to get time control working but come up with an error: /sbin/iptables -t mangle -A ms-chain-eth0-1:11 -m time --datestart 2006:01:26:17:00:00 --datestop 2006:12:26:18:00:00 -j CLASSIFY --set-class 1:111 iptables: Unknown error 4294967295 iptables -m time -help displays the help for it. I am using Debian with kernel 2.6.15-2, iproute2-2.6.16-060323, iptables 1.3.5, patch-o-matic-ng-20060330. Any help would be most grateful. Regards, William
From gnychis at cmu.edu Thu Apr 27 00:46:30 2006
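Luciano's reply on the HTB rate errors above says the rate field from that tc build cannot be trusted. A way to sidestep the field entirely is what htb-stats does: compute throughput from the Sent byte counters of two samples taken a known interval apart. The following is an added example, not code from the list or from htb-stats. The two samples embedded in it are Luke's own output from the thread, taken as exactly one second apart (that spacing is an assumption; Luke said "approx").

```python
"""Throughput of HTB classes from two `tc -s class show` samples.

Added example. The counters below are the two samples Luke posted;
the one-second spacing is assumed. Nothing here uses the suspect
"rate" field, only the monotonically increasing byte/packet counters.
"""
import re
import subprocess
import sys
import time

SAMPLE_T0 = """\
class htb 1:1 root prio 0 quantum 1562 rate 100Mbit ceil 100Mbit burst 24Kb/8 mpu 0b overhead 0b cburst 24Kb/8 mpu 0b overhead 0b level 0
 Sent 654872932 bytes 830973 pkts (dropped 0, overlimits 0 requeues 0)
 rate 7827086bit 9941pps
 lended: 830973 borrowed: 0 giants: 0
 tokens: 1479 ctokens: 1479
"""

SAMPLE_T1 = """\
class htb 1:1 root prio 0 quantum 1562 rate 100Mbit ceil 100Mbit burst 24Kb/8 mpu 0b overhead 0b cburst 24Kb/8 mpu 0b overhead 0b level 0
 Sent 663902498 bytes 842747 pkts (dropped 0, overlimits 0 requeues 0)
 rate 7827086bit 9941pps
 lended: 842747 borrowed: 0 giants: 0
 tokens: 1527 ctokens: 1527
"""

CLASS_RE = re.compile(r"^class htb (\S+)")
SENT_RE = re.compile(r"^\s*Sent (\d+) bytes (\d+) pkts")
RATE_RE = re.compile(r"^\s*rate (\d+)bit (\d+)pps")


def parse_class_stats(text):
    """Map classid -> {'bytes', 'pkts', 'reported_bit', 'reported_pps'}."""
    stats, current = {}, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = stats.setdefault(m.group(1), {})
            continue
        if current is None:
            continue
        m = SENT_RE.match(line)
        if m:
            current["bytes"], current["pkts"] = int(m.group(1)), int(m.group(2))
            continue
        m = RATE_RE.match(line)
        if m:
            current["reported_bit"], current["reported_pps"] = int(m.group(1)), int(m.group(2))
    return stats


def measured_rates(before, after, interval_s):
    """bit/s and pkt/s per class from counter deltas. A class whose counter
    went backwards (qdisc re-created between samples) is skipped rather
    than reported as a huge negative rate."""
    rates = {}
    for classid, now in after.items():
        then = before.get(classid)
        if then is None or now["bytes"] < then["bytes"]:
            continue
        rates[classid] = {
            "bit_per_s": (now["bytes"] - then["bytes"]) * 8 / interval_s,
            "pkt_per_s": (now["pkts"] - then["pkts"]) / interval_s,
            "reported_bit": now.get("reported_bit"),
        }
    return rates


def sample_live(dev, interval_s=1.0):
    """Take two real samples from the running kernel (needs root and tc)."""
    cmd = ["tc", "-s", "class", "show", "dev", dev]
    t0 = subprocess.check_output(cmd, text=True)
    time.sleep(interval_s)
    t1 = subprocess.check_output(cmd, text=True)
    return measured_rates(parse_class_stats(t0), parse_class_stats(t1), interval_s)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = sample_live(sys.argv[1])
    else:
        result = measured_rates(parse_class_stats(SAMPLE_T0),
                                parse_class_stats(SAMPLE_T1), 1.0)
    for classid, r in sorted(result.items()):
        print(f"{classid}: {r['bit_per_s'] / 1e6:.1f} Mbit/s measured, "
              f"tc reported rate {r['reported_bit']}bit")
```

Run as `python3 htbrate.py eth2` on the shaping box for live numbers, or with no argument to see Luke's samples: the byte deltas give about 72 Mbit/s for class 1:1, in line with the ~80 Mbit he measured elsewhere, while the tc rate field says 7.8 Mbit. Counter deltas are also the only number to trust when comparing kernels, since the rate estimator's averaging interval is a kernel parameter, not a property of the traffic.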
From: gnychis at cmu.edu (George Nychis) Date: Thu Apr 27 00:46:32 2006 Subject: [LARTC] how to change classful netem loss probability? Message-ID: <444FF846.7050600@cmu.edu>
Hi, I am using netem to add loss and then adding another qdisc within netem according to the wiki. Then I want to change the netem drop probability without having to delete the qdisc and recreate it. I try it but I get invalid argument:
thorium-ini hedpe # tc qdisc add dev ath0 root handle 1:0 netem drop 1%
thorium-ini hedpe # tc qdisc add dev ath0 parent 1:1 handle 10: xcp capacity 54Mbit limit 500
thorium-ini hedpe # tc -s qdisc ls dev ath0
qdisc netem 1: limit 1000 loss 1%
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc xcp 10: parent 1:1 capacity 52734Kbit limit 500p
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
thorium-ini hedpe # tc qdisc change dev ath0 root handle 1:0 netem drop 1%
RTNETLINK answers: Invalid argument
thorium-ini hedpe # tc qdisc change dev ath0 root netem drop 1%
RTNETLINK answers: Invalid argument
Any ideas? Thanks! George
From rootlinux at yahoo.com Thu Apr 27 05:35:08 2006 From: rootlinux at yahoo.com (root linux) Date: Thu Apr 27 05:35:04 2006 Subject: [LARTC] load balancing with three providers Message-ID: <20060427033508.92738.qmail@web33309.mail.mud.yahoo.com>
Here are my load balancing routes: ip ro add default scope global nexthop via 192.168.200.254 dev eth0 weight 4 nexthop via 60.1.2.9 dev eth3 weight 1 nexthop via 60.1.3.7 dev eth4 weight 1
192.168.200.254 - has 5Mbps
60.1.2.9 - has 1.5Mbps
60.1.3.7 - has 1.5Mbps
But I still see lots of traffic going to 60.1.2.9 and 60.1.3.7. 60.1.2.9 hits 1.4Mbps and 60.1.3.7 hits 1.3Mbps, whereas 192.168.200.254 only hits 2.5Mbps. Why? Regards, rootlinux
From corey at core-techweb.com Thu Apr 27 08:21:40 2006
From: corey at core-techweb.com (corey@core-techweb.com) Date: Thu Apr 27 08:21:44 2006 Subject: [LARTC] Unsubscribe In-Reply-To: <20060426224648.B3F954515@outpost.ds9a.nl> References: <20060426224648.B3F954515@outpost.ds9a.nl> Message-ID: <62463.68.148.151.1.1146118900.squirrel@webmail.hosting-thenet.com>
> Send LARTC mailing list submissions to > lartc@mailman.ds9a.nl > > To subscribe or unsubscribe via the World Wide Web, visit > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > or, via email, send a message with subject or body 'help' to > lartc-request@mailman.ds9a.nl > > You can reach the person managing the list at > lartc-owner@mailman.ds9a.nl > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of LARTC digest..." > > > Today's Topics: > > 1. Re: Sip Traffic (sophana) > 2. Re: Sip Traffic (Suresh Babu) > 3. Usubscribe (corey@core-techweb.com) > 4. Re: Sip Traffic (sophana) > 5. HTB - Rate errors (Luke McConnell) > 6. Re: Sip Traffic (Marius Corici) > 7. Re: HTB - Rate errors (Luciano Ruete) > 8. trying to get time control working (William Bohannan) > 9. trying to get time working - had error in first email > (William Bohannan) > 10. how to change classful netem loss probability? (George Nychis) > > [...] > > End of LARTC Digest, Vol 14, Issue 42 > *************************************
From jody.shumaker at gmail.com Thu Apr 27 15:51:54 2006
From: jody.shumaker at gmail.com (Jody Shumaker) Date: Thu Apr 27 15:51:50 2006 Subject: [LARTC] Unsubscribe In-Reply-To: <62463.68.148.151.1.1146118900.squirrel@webmail.hosting-thenet.com> References: <20060426224648.B3F954515@outpost.ds9a.nl> <62463.68.148.151.1.1146118900.squirrel@webmail.hosting-thenet.com> Message-ID: <2af436490604270651m557f5d86k62d557977caefb95@mail.gmail.com> At the bottom of every single e-mail on this list are directions on how to correctly unsubscribe. Could you please not make a fool of yourself (twice) and actually read them? - Jody From darko at veze.net Thu Apr 27 21:16:20 2006 
From: darko at veze.net (Darko) Date: Thu Apr 27 18:15:34 2006 Subject: [LARTC] Is there ping2? Message-ID: <200604271916.20914.darko@veze.net>
Hi, I would like to set up access to the Internet via two providers. When they both work OK I use: ip route add default scope global nexthop via x.x.x.x dev eth0 weight 1 nexthop via y.y.y.y dev eth1 weight 1
Next, I use a script that regularly pings their upstream providers to see if either provider is down. If one is down I want to direct all communication via the other interface. If the second one is down: ip route del default; ip route add default via x.x.x.x
It works OK, but at that moment I can't ping any non-local address through eth1, so I can't check when the provider comes back up. ping z.z.z.z -I eth1 gives nothing. Tcpdump shows that eth1 broadcasts an ARP request for the non-local address?!? The tables for both interfaces are set up correctly and it seems that ping checks only the main table. At the same time, when I have no default route via that provider and the provider is up, all communication initiated by peers on the Internet arriving on the non-default interface, even pings, works OK. When the default routes are manually set back to go through both, it comes back to normal. One more strange thing is that my script worked OK for over a year, until I had to change the netmask and default gw for one provider. TIA, Darko
From luciano at elo.com.br Thu Apr 27 22:08:34 2006
From: luciano at elo.com.br (Luciano) Date: Thu Apr 27 22:08:50 2006 Subject: RES: RES: [LARTC] Backlog with less rate than defined In-Reply-To: <444EADCD.4050505@dsl.pipex.com> Message-ID: <002301c66a36$5f916460$0900fe0a@LucianoNotebook>
Hi Andy, I changed the configuration with no default on htb, sending unmatched ip packets to a limited queue. It's now working fine. Thanks a lot. Luciano
-----Original Message----- From: Andy Furniss [mailto:andy.furniss@dsl.pipex.com] Sent: Tuesday, 25 April 2006 20:16 To: Luciano Cc: lartc@mailman.ds9a.nl; Jader@elo.com.br Subject: Re: RES: [LARTC] Backlog with less rate than defined
Luciano wrote: > Hi Andy, > > I'm not sure if I understood what you told me about arp packets. > I use htb default but the problem occurs even when the default queue > rate is low (it is almost always low in rate and pps).
It's still not ideal even if it's not the cause - sfq default length is 128 packets so if they were mtu size when it's full that's 1.5sec delay + drops - and the stats show drops.
class htb 1:efff parent 1:1 leaf efff: prio 1 rate 1Mbit ceil 1Mbit burst 2909b cburst 2909b Sent 1113213839 bytes 9059857 pkts (dropped 61529, overlimits 0) rate 1130bps 13pps lended: 9059857 borrowed: 0 giants: 0
I would not use default on eth. Also 100mbit eth is not 100mbit at ip level, which is almost what htb sees (ip+14), so 1:1 needs to be less - but if children don't add up to that then it won't hurt. You could just send all unmatched ip to 1:efff with a low prio filter - tc filter add dev eth0 protocol ip parent 1:0 prio 99 u32 match u32 0 0 flowid 1:efff then arp will not get shaped. I notice you use handle on filters, maybe OK but I usually only see it with hashing or fw.
> > The attached files are: > Rc.local - creation of the basic queues including default > Regras.inc - creation of each queue when the user logs in > Queues - statistics of the basic queues
Have you measured the rate another way? Andy.
From elmono222 at gmail.com Thu Apr 27 23:21:50 2006 From: elmono222 at gmail.com (Juan Felipe Botero) Date: Thu Apr 27 23:21:46 2006 Subject: [LARTC] A doubt Message-ID:
Hi, I am working on a project and I needed to know whether the combination HTB+SFQ works well, so I started to do a test with tcng. For 20 minutes I put 4 types of traffic between 2 computers: an http file transfer, an ftp file transfer, a tftp file transfer and an ssh interactive session. In all the protocols with file transfer (FTP, HTTP, TFTP) I obtained good results; the percentage of bandwidth looked like the one I had configured. But in the ssh interactive transfer, the real percentage of bandwidth was far higher than the configured percentage. Does any of you know whether interactive traffic is well supported by these queueing disciplines? -- Juan Felipe Botero, Systems Engineer, Universidad de Antioquia -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060427/a41f2256/attachment.htm
From luciano at lugmen.org.ar Thu Apr 27 23:29:01 2006
From: luciano at lugmen.org.ar (Luciano Ruete) Date: Thu Apr 27 23:29:12 2006 Subject: [LARTC] MULTIPATH: how to control cache expiration time? Message-ID: <200604271829.01362.luciano@lugmen.org.ar>
I have a 2.6.12 (ubuntu-patchset) kernel recompiled with these routing options: [*] IP: advanced router [*] IP: policy routing [*] IP: equal cost multipath
Load balancing is working great, but I have problems with long-term tcp flows (like msn-messenger or vpns or any other type of long-term ip based connection). I assume this is because after a period of time the per-host route cache expires and packets get re-routed, sometimes unfortunately, from a different iface. Note that I'm not doing NAT in this box, just routing; the nat is done in each of the nexthops listed (so, no julian's patches applied).
I've found[1] that: /proc/sys/net/ipv4/route/secret_interval "instructs the kernel how often to blow away ALL route hash entries regardless of how new/old they are"
- Will setting secret_interval to 1 day solve my problem? Because I think that not even a day is enough (I have ssh sessions open for longer than that).
- Are there other values I have to take into consideration? (route tables cache/hash size/mem)
- Does someone know a better approach?
Another thing (besides the previous problem) is that if I compile the kernel with CONFIG_IP_ROUTE_MULTIPATH_CACHED enabled: [*] IP: equal cost multipath with caching support (EXPERIMENTAL) the multipath stops working and all packets get routed to the last iface in the nexthop statements. I tried compiling the four multipath modules/algos and modprobing them, but same result. Because of that I have to go back to equal cost multipath with CONFIG_IP_ROUTE_MULTIPATH_CACHED disabled. If someone can give me a hint on this it will be nice too, because something keeps itching.
(sorry if this is not pure english) [1]http://lwn.net/Articles/145406/ Just in case some commands output: root@server1:/backup/ftp# ip ro ls table adsl 192.168.10.37 via 192.168.90.3 dev eth2 192.168.100.0/24 dev eth1 proto kernel scope link src 192.168.100.1 192.168.50.0/24 dev eth2 proto kernel scope link src 192.168.50.1 192.168.3.0/24 dev eth6 proto kernel scope link src 192.168.3.2 192.168.2.0/24 dev eth5 proto kernel scope link src 192.168.2.2 192.168.1.0/24 dev eth4 proto kernel scope link src 192.168.1.2 192.168.90.0/24 dev eth2 proto kernel scope link src 192.168.90.1 default proto static nexthop via 192.168.1.1 dev eth4 weight 1 nexthop via 192.168.2.1 dev eth5 weight 1 nexthop via 192.168.3.1 dev eth6 weight 1 root@server1:/backup/ftp# ip ro show cache | egrep 'eth4|eth5|eth6' -B1 | tail -n20 201.216.128.100 from 192.168.90.5 via 192.168.3.1 dev eth6 src 192.168.90.1 -- 192.168.90.5 from 201.240.149.1 dev eth2 src 192.168.1.2 cache mtu 1500 advmss 1460 hoplimit 64 iif eth5 -- cache mtu 1500 advmss 1460 hoplimit 64 iif eth2 200.114.138.45 from 192.168.90.5 via 192.168.1.1 dev eth4 src 192.168.90.1 -- 192.168.90.5 from 200.74.39.52 dev eth2 src 192.168.1.2 cache mtu 1500 advmss 1460 hoplimit 64 iif eth5 71.80.214.141 from 192.168.90.5 via 192.168.1.1 dev eth4 src 192.168.90.1 -- cache mtu 1500 advmss 1460 hoplimit 64 iif eth2 24.86.57.13 from 192.168.90.5 via 192.168.1.1 dev eth4 src 192.168.90.1 -- 192.168.90.5 from 69.66.58.31 dev eth2 src 192.168.1.2 cache mtu 1500 advmss 1460 hoplimit 64 iif eth5 -- 192.168.90.5 from 61.228.9.180 dev eth2 src 192.168.1.2 cache mtu 1500 advmss 1460 hoplimit 64 iif eth4 root@server1:/backup/ftp# grep ROUTE /boot/config-2.6.12-luciano.1 CONFIG_IP_ADVANCED_ROUTER=y CONFIG_IP_ROUTE_FWMARK=y CONFIG_IP_ROUTE_MULTIPATH=y # CONFIG_IP_ROUTE_MULTIPATH_CACHED is not set CONFIG_IP_ROUTE_VERBOSE=y CONFIG_IP_MROUTE=y CONFIG_BRIDGE_EBT_BROUTE=m # CONFIG_DECNET_ROUTER is not set CONFIG_WAN_ROUTER=m CONFIG_NET_CLS_ROUTE4=m 
CONFIG_NET_CLS_ROUTE=y CONFIG_WAN_ROUTER_DRIVERS=y root@server1:/backup/ftp#
From gnychis at cmu.edu Fri Apr 28 03:18:23 2006 From: gnychis at cmu.edu (George P Nychis) Date: Fri Apr 28 03:18:25 2006 Subject: [LARTC] how to change classful netem loss probability? In-Reply-To: <444FF846.7050600@cmu.edu> References: <444FF846.7050600@cmu.edu> Message-ID: <32923.128.2.140.234.1146187103.squirrel@128.2.140.234>
And if it's not possible to change the probability, is there another method I can use instead?
> Hi, > > I am using netem to add loss and then adding another qdisc within netem > according to the wiki. Then I want to change the netem drop probability > without having to delete the qdisc and recreate it. I try it but I get > invalid argument: > > thorium-ini hedpe # tc qdisc add dev ath0 root handle 1:0 netem drop 1% > thorium-ini hedpe # tc qdisc add dev ath0 parent 1:1 handle 10: xcp > capacity 54Mbit limit 500 thorium-ini hedpe # tc -s qdisc ls dev ath0 qdisc > netem 1: limit 1000 loss 1% Sent 0 bytes 0 pkts (dropped 0, overlimits 0) > qdisc xcp 10: parent 1:1 capacity 52734Kbit limit 500p Sent 0 bytes 0 pkts > (dropped 0, overlimits 0) thorium-ini hedpe # tc qdisc change dev ath0 > root handle 1:0 netem drop 1% RTNETLINK answers: Invalid argument > thorium-ini hedpe # tc qdisc change dev ath0 root netem drop 1% RTNETLINK > answers: Invalid argument > > any ideas? > > Thanks! George _______________________________________________ LARTC mailing > list LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > > --
From coricim at gmail.com Fri Apr 28 09:15:27 2006
From: coricim at gmail.com (Marius Corici) Date: Fri Apr 28 09:15:25 2006 Subject: [LARTC] a dynamic nat problem Message-ID: <2abc33350604280015q576547edg7ec0cd150a0a63be@mail.gmail.com>
A --------------------------------- B
---------------------------> signaling ---> introducing rules in the nat tables
---------------------------> data for the newly introduced rules
In my problem I have two machines: A and B. A sends a signal for introducing a rule in the NAT tables (libiptc stuff) and immediately afterwards starts sending the data to the newly created nat rule. The race condition is clear. Can you help me please with any ideas on how to solve this problem? Marius -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060428/d197cf45/attachment.html
From coricim at gmail.com Fri Apr 28 09:18:46 2006 From: coricim at gmail.com (Marius Corici) Date: Fri Apr 28 09:18:47 2006 Subject: [LARTC] about raw table Message-ID: <2abc33350604280018p5da76ce5j8c617e42947b774f@mail.gmail.com>
I have two questions about the raw table of iptables. 1. In all the documentation it is said that the packets with the target NOTRACK will not be connection tracked. Do they pass through the nat tables? Can I do SNAT or DNAT on them? 2. If a rule from the raw table is deleted, will the flow that went to that rule be conntracked by nat afterwards or not? Marius -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060428/facfb547/attachment.htm
From shemminger at osdl.org Fri Apr 28 19:24:21 2006
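Marius's dynamic NAT question above (signal B to install a rule via libiptc, then send data straight away) has the usual fix for this kind of race: A must not send until B confirms the rule is in the table, and B must confirm only after the commit has returned and the rule has been read back, not when the request was received. The following is an added example that simulates both sides in one process; the NAT table, the daemon and the commit delay are stand-ins (assumptions) for the kernel, the libiptc helper and the time a rule takes to land, not real iptables code.

```python
"""Race between installing a NAT rule and sending data through it.

Added example. NatTable stands in for the kernel NAT table, NatDaemon
for B's userspace helper that commits rules with libiptc, and the
commit delay is an assumption modelling the time a rule takes to land.
"""
import queue
import threading
import time


class NatTable:
    """Stand-in for the kernel NAT table: a packet either matches a
    DNAT rule or has nowhere to go."""

    def __init__(self):
        self._rules = {}
        self._lock = threading.Lock()

    def add_rule(self, public, internal):
        with self._lock:
            self._rules[public] = internal

    def lookup(self, public):
        with self._lock:
            return self._rules.get(public)


class NatDaemon(threading.Thread):
    """B's signalling endpoint: takes ADD requests, commits them,
    reads the rule back and only then acknowledges."""

    def __init__(self, table, commit_delay):
        super().__init__(daemon=True)
        self.table = table
        self.commit_delay = commit_delay
        self.inbox = queue.Queue()

    def run(self):
        while True:
            msg = self.inbox.get()
            if msg is None:
                return
            public, internal, reply = msg
            time.sleep(self.commit_delay)      # a libiptc commit is not instantaneous
            self.table.add_rule(public, internal)
            # The equivalent of `iptables -t nat -C ...`: confirm before acknowledging.
            if reply is not None and self.table.lookup(public) == internal:
                reply.put(("ACK", public))


def deliver(table, public, payload):
    """A data packet arriving at B's kernel: translated or dropped."""
    internal = table.lookup(public)
    return (internal, payload) if internal is not None else None


def send_racy(daemon, table, public, internal, payload):
    """A as described in the thread: signal, then send immediately."""
    daemon.inbox.put((public, internal, None))
    return deliver(table, public, payload)


def send_acked(daemon, table, public, internal, payload, timeout=2.0):
    """A waits for B's acknowledgement; if none arrives, nothing is sent."""
    reply = queue.Queue()
    daemon.inbox.put((public, internal, reply))
    try:
        reply.get(timeout=timeout)
    except queue.Empty:
        return None
    return deliver(table, public, payload)


def run_demo(commit_delay=0.1):
    """Returns (racy_result, acked_result) for two rules of the same shape."""
    table = NatTable()
    daemon = NatDaemon(table, commit_delay)
    daemon.start()
    racy = send_racy(daemon, table, "203.0.113.10:5004", "10.0.0.5:5004", b"rtp-1")
    acked = send_acked(daemon, table, "203.0.113.11:5004", "10.0.0.6:5004", b"rtp-2")
    daemon.inbox.put(None)
    daemon.join()
    return racy, acked


if __name__ == "__main__":
    print(run_demo())    # (None, ('10.0.0.6:5004', b'rtp-2'))
```

The first packet of the racy sender is lost because the rule is still being committed when it arrives; the acknowledged sender never hits that window. Two details carry over to the real thing: the acknowledgement must be sent after the commit returns and the rule is verified, and the rule needs an explicit removal (or expiry) when the flow ends, otherwise every signalled flow leaves a permanent hole in the NAT table.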
From: shemminger at osdl.org (Stephen Hemminger) Date: Fri Apr 28 19:24:21 2006 Subject: [LARTC] how to change classful netem loss probability? In-Reply-To: <32923.128.2.140.234.1146187103.squirrel@128.2.140.234> References: <444FF846.7050600@cmu.edu> <32923.128.2.140.234.1146187103.squirrel@128.2.140.234> Message-ID: <20060428102421.7d304ca6@localhost.localdomain>
Loss was broken, patch sent. The following works now:
# tc qdisc add dev eth1 root handle 1:0 netem loss 20%
# tc qdisc add dev eth1 parent 1:1 handle 10: tbf \
 rate 256kbit buffer 1600 limit 3000
# ping -f -c 1000 shell
1000 packets transmitted, 781 received, 21% packet loss, time 3214ms
rtt min/avg/max/mdev = 0.187/0.398/3.763/0.730 ms, ipg/ewma 3.217/0.538 ms
# tc qdisc change dev eth1 handle 1: netem loss 1%
# ping -f -c 1000 shell
1000 packets transmitted, 990 received, 1% packet loss, time 2922ms
rtt min/avg/max/mdev = 0.187/2.739/3.298/0.789 ms, ipg/ewma 2.924/2.084 ms
From dpsims at dpsims.com Sun Apr 30 01:43:35 2006
From: dpsims at dpsims.com (David Sims) Date: Sun Apr 30 01:43:35 2006 Subject: [LARTC] Advice.... Message-ID: Hi folks, I have a network which uses a Linux policy based router to allocate traffic from 2500 devices based loosely on 'class of service' across three different ISP pipes... It works great... Now I want to solve another problem: I have a network connection to another company with that company's router on my premise. They provide an ethernet with a /24 network worth of addressing for me to use (say 10.1.1.0/24).... This address space gets one-to-one NATed in their router into their company's internal address space.... I want to set up a /27 network in my address space which I can then NAT into the 'no mans land' address space provided by the other company (i.e., 10.1.1.0/24)... and I would like to create these addresses in my network inside the Linux policy based router machine. The way I would envision this working is that someone wanting to use a resource in the other company would call a local address (say 192.168.99.x/32 which would be one of the addresses hosted by my policy based router)... This call would then get translated in the Linux policy based router into the 'no mans land) addressing (10.1.1.x/32) and passed into the other company's network after being NATed by their router.... Two questions: a) how would I setup the addressing in my Linux router (i.e., I don't fully understand Matthew Marsh's discussion of addresses... Would I associate these addresses with an interface? or ?? b) would this overall idea work ok?? TIA, Dave From unga888 at yahoo.com Sun Apr 30 08:26:08 2006 
From: unga888 at yahoo.com (Unga) Date: Sun Apr 30 08:26:06 2006 Subject: [LARTC] How to write a catch all rule? Message-ID: <20060430062608.14452.qmail@web38406.mail.mud.yahoo.com>

Hi all

I'm new to QoS and iproute2, but studied the documentation well.

According to http://lartc.org/howto/lartc.qdisc.filters.html, a catch-all rule should be written as follows:

tc filter add dev eth0 protocol ip parent 10: prio 2 \
    flowid 10:2

But it doesn't work because the filter type is missing.

Can somebody please kindly explain how to write a catch-all rule?

Many thanks in advance.

Best Regards
Unga

From unki at netshadow.at Sun Apr 30 09:30:02 2006
From: unki at netshadow.at (Andreas Unterkircher) Date: Sun Apr 30 09:30:07 2006 Subject: [LARTC] How to write a catch all rule? In-Reply-To: <20060430062608.14452.qmail@web38406.mail.mud.yahoo.com> References: <20060430062608.14452.qmail@web38406.mail.mud.yahoo.com> Message-ID: <4454677A.8000106@netshadow.at>

http://mailman.ds9a.nl/pipermail/lartc/2005q3/016774.html

Unga wrote:
> Hi all
>
> I'm new to QoS and iproute2, but studied the documentation well.
>
> According to http://lartc.org/howto/lartc.qdisc.filters.html, a catch-all
> rule should be written as follows:
>
> tc filter add dev eth0 protocol ip parent 10: prio 2 \
>     flowid 10:2
>
> But it doesn't work because the filter type is missing.
>
> Can somebody please kindly explain how to write a catch-all rule?
>
> Many thanks in advance.
>
> Best Regards
> Unga

From dpsims at dpsims.com Sun Apr 30 18:23:15 2006
From: dpsims at dpsims.com (David Sims) Date: Sun Apr 30 18:23:11 2006 Subject: [LARTC] Is there a way.... Message-ID: Hi, I want to use Linux to do FASTNAT between some 192.168.x.x addresses in a routed network on one side and a single 10.0.0.x/24 on the other side. I want to do one-to-one NAT but in a dynamic way... such that a calling address is NATed into the next available 10.0.0.x/24.... in a round robin sort of way... IS there a way to do this using LARTC?? If not LARTC, then how?? This sort of thing is common in many-to-one NAT (port-address translation)... but I need each call to come from a separate NATed IP address to support my application (TN3270 session)... It's OK to reuse addresses after a call (session) is complete, but each session needs to come from it's own fixed (for the session) IP address.... Clues? Suggestions? TIA, Dave From valentin.ursu at ulbsibiu.ro Sun Apr 30 23:32:00 2006 From: valentin.ursu at ulbsibiu.ro (Mihai Valentin Ursu) Date: Sun Apr 30 22:32:28 2006 Subject: [LARTC] PPPoe, Bgp Message-ID: <44552CD0.4000600@ulbsibiu.ro> Refering to pppoe i have next problem : I asked my isp if i can buy a class of real ip`s to be routed by them. They said elegantly it can`t be done . I want opinions . I am using an ADSL connection through a Speedtouch 510 configured in bridge. About Bgp : i asked someone if i can peer 2 different locations on 2 different ip`s using private asn number and he said yes , and what i don`t understood is how can do that peer without using bgp. Thanks. Gladly waiting an answer. From tami at disconnected.de Mon May 1 02:57:22 2006 
From: tami at disconnected.de (Paul Zirnik) Date: Mon May 1 02:57:21 2006 Subject: [LARTC] Is there a way.... In-Reply-To: References: Message-ID: <200605010257.23050.tami@disconnected.de>

On Sunday 30 April 2006 18:23, David Sims wrote:
> Hi,
>
> I want to use Linux to do FASTNAT between some 192.168.x.x addresses
> in a routed network on one side and a single 10.0.0.x/24 on the other
> side. I want to do one-to-one NAT but in a dynamic way... such that a
> calling address is NATed into the next available 10.0.0.x/24.... in a
> round robin sort of way... IS there a way to do this using LARTC?? If
> not LARTC, then how??
>
> This sort of thing is common in many-to-one NAT (port-address
> translation)... but I need each call to come from a separate NATed IP
> address to support my application (TN3270 session)... It's OK to reuse
> addresses after a call (session) is complete, but each session needs to
> come from its own fixed (for the session) IP address....
>
> Clues? Suggestions?

I never tried it, but as far as I know (understand :) this can be done with a normal iptables rule, using the SNAT target and a range in --to-source.

From the manpage:

    If you specify more than one source address, either via an address range or multiple --to-source options, a simple round-robin (one after another in cycle) takes place between these addresses.

greets,
Tami

From alchemyx at uznam.net.pl Mon May 1 09:42:49 2006
From: alchemyx at uznam.net.pl (Michał Margula) Date: Mon May 1 09:42:45 2006 Subject: [LARTC] PPPoe, Bgp In-Reply-To: <44552CD0.4000600@ulbsibiu.ro> References: <44552CD0.4000600@ulbsibiu.ro> Message-ID: <4455BBF9.4030806@uznam.net.pl>

Mihai Valentin Ursu wrote:
> Referring to pppoe i have next problem :
> I asked my isp if i can buy a class of real ip`s to be routed by them.
> They said elegantly it can`t be done .
> I want opinions .
> I am using an ADSL connection through a Speedtouch 510 configured in
> bridge.
>

Technically it is possible to do, but probably that is their policy. At my company we also don't give more than one public IP per customer's device (computer, router, whatever).

> About Bgp :
> i asked someone if i can peer 2 different locations on 2 different ip`s
> using private asn number and he said yes , and what i don`t understood
> is how can do that peer
> without using bgp.

You need to explain in detail what you want to do, because I can't understand why you would need to make BGP peering between only two points.

--
Michał Margula, alchemyx@uznam.net.pl, http://alchemyx.uznam.net.pl/
"In life, only the moments are beautiful" [Ryszard Riedel]

From colman at ppllc.com Mon May 1 16:52:08 2006
From: colman at ppllc.com (Jake Colman) Date: Mon May 1 16:52:06 2006 Subject: [LARTC] Traffic Shaping with Shorewall Message-ID: <7664kpn6g7.fsf@pennsylvania.ppllc.com>

Does anyone here implement traffic shaping with shorewall? I need to shape BitTorrent traffic on my network so that upload/downloads do not overwhelm normal function or, even more importantly, my imminent conversion to VOIP for all telephone service. I followed the shorewall documentation guide but am not sure if what I have done is the Right Way Of Doing Things. Nor am I satisfied with the results so far.

I am using CableVision's Optimum Online for my broadband connection and am about to install SunRocket for my VOIP. I will be attaching the relevant file settings I have used. I'd appreciate any help with tweaking this configuration to maximize my throughput. My goal is to ensure that, regardless of the number of torrents being downloaded/uploaded, my VOIP quality does not degrade and that my web/email/etc access works as quickly as it does without the BitTorrent active.

By the way, I use port forwarding to forward specific BitTorrent ports to specific inbound computers behind my firewall. This way, I can maximize my BitTorrent download/upload performance since the connection is two-way. I still want this limited, however, so that it does not eat up all my bandwidth. This is a home network with about 5 nodes, several of whom are teenagers. The network configuration uses a simple two-NIC server; the modem connects to eth1 and the internal network is on eth0.

Finally, would incorporation of ipp2p into my rules help me in any way? My kernel (gentoo) is already built to support ipp2p and I already have the module loaded and iptables is working with it. So if ipp2p would be helpful I'm already set up for it.

Thanks for any help.

Here are my files:

tcdevices:
eth1    3800kbit    800kbit

tcrules:
1    0.0.0.0/0    0.0.0.0/0    icmp    echo-request
1    0.0.0.0/0    0.0.0.0/0    icmp    echo-reply
2    0.0.0.0/0    0.0.0.0/0    tcp     -    50001:50009
2    0.0.0.0/0    0.0.0.0/0    tcp     -    50011:50019
2    0.0.0.0/0    0.0.0.0/0    tcp     -    50021:50029

tcclasses:
eth1    1    100kbit    full       1    tcp-ack,tos-minimize-delay
eth1    2    100kbit    200kbit    2
eth1    3    full/3     full       3    default

--
Jake Colman
Sr. Applications Developer
Principia Partners LLC
Harborside Financial Center
1001 Plaza Two
Jersey City, NJ 07311
(201) 209-2467
www.principiapartners.com

From jody.shumaker at gmail.com Mon May 1 17:46:47 2006
From: jody.shumaker at gmail.com (Jody Shumaker) Date: Mon May 1 17:46:45 2006 Subject: [LARTC] Traffic Shaping with Shorewall In-Reply-To: <7664kpn6g7.fsf@pennsylvania.ppllc.com> References: <7664kpn6g7.fsf@pennsylvania.ppllc.com> Message-ID: <2af436490605010846w4112f7f5se59dd93256c6399b@mail.gmail.com>

ipp2p is absolutely necessary if you want to shape bittorrent. The only time your current rules will match is when people connect to your bittorrent client; otherwise the port that is used is random. I'd also recommend including a rule to match on 6881-6889, the default bittorrent ports, as some people still use them, and it helps match a few more people that have turned on encryption and ipp2p won't match (or you could refuse encryption in your client if it supports it). If you do use ipp2p make sure to enable bittorrent matching, and make sure to use connmarks correctly. I have no knowledge of shorewall so I don't know what it can do for you in this regard.

Example of how I'm using ipp2p:

iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -p tcp -m mark --mark $MARKP2P -j ACCEPT
iptables -t mangle -A PREROUTING -m ipp2p --bit --edk --kazaa --gnu --dc -j MARK --set-mark $MARKP2P
iptables -t mangle -A PREROUTING -p tcp -m mark --mark $MARKP2P -j CONNMARK --save-mark
iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT

tc filter add dev $DEV parent 1:0 protocol ip prio 8 handle $MARKP2P fw classid 1:13

- Jody

On 5/1/06, Jake Colman wrote:
>
> Does anyone here implement traffic shaping with shorewall? I need to shape
> BitTorrent traffic on my network so that upload/downloads do not overwhelm
> normal function or, even more importantly, my imminent conversion to VOIP for
> all telephone service. I followed the shorewall documentation guide but am
> not sure if what I have done is the Right Way Of Doing Things. Nor am I
> satisfied with the results so far.
>
> I am using CableVision's Optimum Online for my broadband connection and am
> about to install SunRocket for my VOIP. I will be attaching the relevant file
> settings I have used. I'd appreciate any help with tweaking this
> configuration to maximize my throughput. My goal is to ensure that,
> regardless of the number of torrents being downloaded/uploaded, my VOIP
> quality does not degrade and that my web/email/etc access works as quickly as
> it does without the BitTorrent active.
>
> By the way, I use port forwarding to forward specific BitTorrent ports to
> specific inbound computers behind my firewall. This way, I can maximize my
> BitTorrent download/upload performance since the connection is two-way. I
> still want this limited, however, so that it does not eat up all my
> bandwidth. This is a home network with about 5 nodes, several of whom are
> teenagers. The network configuration uses a simple two-NIC server; the modem
> connects to eth1 and the internal network is on eth0.
>
> Finally, would incorporation of ipp2p into my rules help me in any way? My
> kernel (gentoo) is already built to support ipp2p and I already have the
> module loaded and iptables is working with it. So if ipp2p would be helpful
> I'm already set up for it.
>
> Thanks for any help.
>
> Here are my files:
>
> tcdevices:
> eth1    3800kbit    800kbit
>
> tcrules:
> 1    0.0.0.0/0    0.0.0.0/0    icmp    echo-request
> 1    0.0.0.0/0    0.0.0.0/0    icmp    echo-reply
> 2    0.0.0.0/0    0.0.0.0/0    tcp     -    50001:50009
> 2    0.0.0.0/0    0.0.0.0/0    tcp     -    50011:50019
> 2    0.0.0.0/0    0.0.0.0/0    tcp     -    50021:50029
>
> tcclasses:
> eth1    1    100kbit    full       1    tcp-ack,tos-minimize-delay
> eth1    2    100kbit    200kbit    2
> eth1    3    full/3     full       3    default
>
> --
> Jake Colman
> Sr. Applications Developer
> Principia Partners LLC
> Harborside Financial Center
> 1001 Plaza Two
> Jersey City, NJ 07311
> (201) 209-2467
> www.principiapartners.com

From David.Martin at enseirb.fr Mon May 1 20:08:59 2006
From: David.Martin at enseirb.fr (David Martin) Date: Mon May 1 20:04:45 2006 Subject: [LARTC] retrieving informations from Psched for Qos Message-ID: <44564EBB.207@Enseirb.fr>

Hi

I'm currently working on a project about QoS configuration on a Linux computer. I need to access (read/write) the information generated by the "tc" command. I think that this information is in the /proc/net/psched file, but I only got 4 hexadecimal numbers in it..

Can anyone help me?

David

From gypsy at iswest.com Tue May 2 04:43:09 2006
From: gypsy at iswest.com (gypsy) Date: Tue May 2 04:43:11 2006 Subject: [LARTC] retrieving informations from Psched for Qos References: <44564EBB.207@Enseirb.fr> Message-ID: <4456C73D.2ECF04EC@iswest.com>

David Martin wrote:
>
> Hi
>
> I'm currently working on a project about QoS configuration on a Linux
> computer.
> I need to access (read/write) the information generated by the "tc"
> command.
> I think that this information is in the /proc/net/psched file, but I
> only got 4 hexadecimal numbers in it..
>
> Can anyone help me?
>
> David

Have a look here: http://www.coverfire.com/lql/

--
gypsy

From sebi at sebi.org Sun Apr 30 00:59:01 2006
From: sebi at sebi.org (Sebastian Bork) Date: Tue May 2 09:50:46 2006 Subject: [LARTC] icmp latency question In-Reply-To: References: Message-ID: <4453EFB5.2070700@eris.sebi.org>

the sew wrote:
> Our company's main line is quite busy the whole day and my shaping is
> working perfect, however even if I give icmp priority the pings still
> jump around quite a bit.
>
> We do have a backup line which hardly gets used, only if the main line
> drops. I've set ip rule to route all icmp through that and now the
> pings are perfect.
>
> Will this make a difference for the game players etc, with this low
> ping? or does the lag on the game get affected by the throughput?

Sorry, I don't want to offend you, but your mail has been the cause for the first good laugh of the day.

To get good results for online gaming, the round-trip time of the packets to and from the game servers needs to be good, and it should be fairly constant, without sudden increases in the "lag time". To test this RTT, most people use ping, as ICMP echo requests/replies are the perfect tool for measuring this.

What you did was not to improve the RTT of the packets in the data stream to and from game servers, but to falsify the results of RTT tests done with ICMP. Now your measurements look perfect, without any change to the real lag your gamers will experience.

You should not take "you need a good ping for gaming" literally. Really, games do *not* use ICMP to connect to the servers. ;o)

I begin to doubt the wisdom of including rules for ICMP prioritisation in the many tc examples out there. Really, it does not make sense to send out the packets used to test the average and best/worst case RTT of a network as fast as the link allows at the cost of letting other traffic wait, because then the result of a ping will have nothing to do with what the sender of that ping wanted to know.

Just my € 0.02,
Sebi

--
Sebastian Bork                          ("`-''-/").___..--''"`-._
                                         `6_ 6  )   `-.  (     ).`-.__.`)
Untere Karlsstr. 16, 34117 Kassel        (_Y_.)'  ._   )  `._ `. ``-..-`
Cellular phone: +49 163 6780023            _..`--'_..-_/  /--'_.' ,'
_____________________________________(il),-''  (li),'  ((!.-'   **meow**

From sewlist at gmail.com Tue May 2 10:07:48 2006
From: sewlist at gmail.com (the sew) Date: Tue May 2 10:07:47 2006 Subject: [LARTC] Re: icmp latency question In-Reply-To: <4453EFB5.2070700@eris.sebi.org> References: <4453EFB5.2070700@eris.sebi.org> Message-ID:

Glad I could have been some entertainment. Thanks for clearing that up. Sorry about the stupid question, at least I know now.

Sew

On 4/30/06, Sebastian Bork wrote:
> the sew wrote:
> > Our company's main line is quite busy the whole day and my shaping is
> > working perfect, however even if I give icmp priority the pings still
> > jump around quite a bit.
> >
> > We do have a backup line which hardly gets used, only if the main line
> > drops. I've set ip rule to route all icmp through that and now the
> > pings are perfect.
> >
> > Will this make a difference for the game players etc, with this low
> > ping? or does the lag on the game get affected by the throughput?
>
> Sorry, I don't want to offend you, but your mail has been the cause for
> the first good laugh of the day.
>
> To get good results for online gaming, the round-trip time of the packets
> to and from the game servers needs to be good, and it should be fairly
> constant, without sudden increases in the "lag time". To test this RTT,
> most people use ping, as ICMP echo requests/replies are the perfect tool
> for measuring this.
>
> What you did was not to improve the RTT of the packets in the data
> stream to and from game servers, but to falsify the results of RTT tests
> done with ICMP. Now your measurements look perfect, without any change
> to the real lag your gamers will experience.
>
> You should not take "you need a good ping for gaming" literally. Really,
> games do *not* use ICMP to connect to the servers. ;o)
>
> I begin to doubt the wisdom of including rules for ICMP prioritisation in
> the many tc examples out there. Really, it does not make sense to send
> out the packets used to test the average and best/worst case RTT of a
> network as fast as the link allows at the cost of letting other traffic
> wait, because then the result of a ping will have nothing to do with
> what the sender of that ping wanted to know.
>
> Just my € 0.02,
> Sebi
>
> --
> Sebastian Bork                          ("`-''-/").___..--''"`-._
>                                          `6_ 6  )   `-.  (     ).`-.__.`)
> Untere Karlsstr. 16, 34117 Kassel        (_Y_.)'  ._   )  `._ `. ``-..-`
> Cellular phone: +49 163 6780023            _..`--'_..-_/  /--'_.' ,'
> _____________________________________(il),-''  (li),'  ((!.-'   **meow**

From unga888 at yahoo.com Tue May 2 17:16:21 2006
From: unga888 at yahoo.com (Unga) Date: Tue May 2 17:16:18 2006 Subject: [LARTC] Are VoIP clients supposed to set TOS to minimum delay? Message-ID: <20060502151621.76022.qmail@web38405.mail.mud.yahoo.com>

Hi all

Tcpdump shows Kphone UDP traffic has not been set as minimum-delay traffic! This is a tcpdump from My-IP to Other-IP:

13:07:14.704501 IP (tos 0x0, ttl 64, id 813, offset 0, flags [DF], proto: UDP (17), length: 120) My-IP.32784 > Other-IP.10384: UDP, length 92
        0x0000:  4500 0078 032d 4000 4011 0fce db4a 37e4
        0x0010:  d5ba 3e91 8010 2890 0064 50f7 8008 032e
        0x0020:  ff63 f69f 0a00 0000 d4d4 d4d4 d4d4 d4d4
        0x0030:  d4d5 d5d5

Here TOS is 0x0, that is, normal traffic!

Are VoIP clients supposed to set TOS to minimum delay? Is there any reason for this? Or is this something developers overlooked?

Many thanks in advance.

Best Regards
Unga

From andy at andybev.com Tue May 2 23:10:09 2006
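To see exactly what the hex dump in the post above says about the TOS byte, here is an added example (not code from the post or from Kphone/tcpdump) that decodes the quoted dump into IPv4 and UDP header fields and reports whether the packet carries any low-delay marking, either the legacy TOS "minimize delay" bit (0x10, what tc's tos-minimize-delay matches) or DSCP EF (46). The source and destination addresses are deliberately not decoded, since the post masks them as My-IP/Other-IP.

```python
# Constructed input: the tcpdump hex lines quoted in the post above
# (only the first 52 bytes of the datagram were shown).
HEX_DUMP = """
0x0000: 4500 0078 032d 4000 4011 0fce db4a 37e4
0x0010: d5ba 3e91 8010 2890 0064 50f7 8008 032e
0x0020: ff63 f69f 0a00 0000 d4d4 d4d4 d4d4 d4d4
0x0030: d4d5 d5d5
"""

# RFC 1349 TOS bits; tc's "tos-minimize-delay" is the 0x10 bit.
TOS_MIN_DELAY = 0x10
TOS_MAX_THROUGHPUT = 0x08
TOS_MAX_RELIABILITY = 0x04
TOS_MIN_COST = 0x02
DSCP_EF = 46           # Expedited Forwarding, the usual RTP/VoIP marking
IPPROTO_UDP = 17


def parse_hex_dump(text):
    """Turn tcpdump hex-dump lines ('0x0000: 4500 0078 ...') into bytes."""
    out = bytearray()
    for line in text.strip().splitlines():
        _offset, sep, words = line.partition(":")
        if not sep:                      # tolerate lines without an offset
            words = line
        for word in words.split():
            out.extend(bytes.fromhex(word))
    return bytes(out)


def decode_ipv4_udp(pkt):
    """Decode the IPv4 header and, for UDP, the UDP header (addresses omitted)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    version = pkt[0] >> 4
    ihl = (pkt[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    tos = pkt[1]
    info = {
        "tos": tos,
        "dscp": tos >> 2,                 # top six bits of the TOS byte
        "ecn": tos & 0x03,
        "min_delay": bool(tos & TOS_MIN_DELAY),
        "total_length": int.from_bytes(pkt[2:4], "big"),
        "id": int.from_bytes(pkt[4:6], "big"),
        "df": bool(pkt[6] & 0x40),        # Don't Fragment flag
        "ttl": pkt[8],
        "protocol": pkt[9],
    }
    if info["protocol"] == IPPROTO_UDP and len(pkt) >= ihl + 8:
        udp = pkt[ihl:ihl + 8]
        info["sport"] = int.from_bytes(udp[0:2], "big")
        info["dport"] = int.from_bytes(udp[2:4], "big")
        # The UDP length field includes the 8-byte UDP header itself.
        info["udp_payload_len"] = int.from_bytes(udp[4:6], "big") - 8
    return info


def check_voip_marking(text=HEX_DUMP):
    """Decode a dump and flag whether the packet asks for low-delay treatment."""
    info = decode_ipv4_udp(parse_hex_dump(text))
    info["marked_for_low_delay"] = info["min_delay"] or info["dscp"] == DSCP_EF
    return info


if __name__ == "__main__":
    i = check_voip_marking()
    print("tos=0x%02x dscp=%d ttl=%d id=%d len=%d proto=%d udp %d -> %d (%d bytes payload)"
          % (i["tos"], i["dscp"], i["ttl"], i["id"], i["total_length"], i["protocol"],
             i["sport"], i["dport"], i["udp_payload_len"]))
    print("low-delay marking present:", i["marked_for_low_delay"])
```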
From: andy at andybev.com (Andrew Beverley) Date: Tue May 2 23:11:56 2006 Subject: [LARTC] icmp latency question In-Reply-To: <4453EFB5.2070700@eris.sebi.org> References: <4453EFB5.2070700@eris.sebi.org> Message-ID: <4457CAB1.8060601@andybev.com>

>> Our company's main line is quite busy the whole day and my shaping is
>> working perfect, however even if I give icmp priority the pings still
>> jump around quite a bit.

> Sorry, I don't want to offend you, but your mail has been the cause for
> the first good laugh of the day.

It may have been a stupid question, but it does raise an issue I have noticed. Even if I give maximum priority to SSH/ICMP, I notice that the latency does still jump around. Is this because I've not set up the queueing discipline very well?

For SSH I have:

tc class add dev imq0 parent 1:1 classid 1:10 htb rate 50kbit ceil 800kbit prio 1
tc qdisc add dev imq0 parent 1:10 handle 10: sfq perturb 10
tc filter add dev imq0 parent 1:0 prio 0 protocol ip handle 10 fw flowid 1:10

For other traffic I increase the prio number and flowid, e.g.:

tc class add dev imq0 parent 1:1 classid 1:40 htb rate 90kbit ceil 600kbit prio 4
tc qdisc add dev imq0 parent 1:40 handle 40: sfq perturb 10
tc filter add dev imq0 parent 1:0 prio 0 protocol ip handle 40 fw flowid 1:40

The parent is:

tc qdisc add dev imq0 root handle 1: htb default 40

From jasonb at edseek.com Tue May 2 23:24:49 2006
From: jasonb at edseek.com (Jason Boxman) Date: Tue May 2 23:26:44 2006 Subject: [LARTC] icmp latency question In-Reply-To: <4457CAB1.8060601@andybev.com> References: <4453EFB5.2070700@eris.sebi.org> <4457CAB1.8060601@andybev.com> Message-ID: <48480.24.73.78.146.1146605089.squirrel@nebula.internal.foo>

Andrew Beverley wrote:
> For SSH I have:
> tc class add dev imq0 parent 1:1 classid 1:10 htb rate 50kbit ceil 800kbit prio 1
> tc qdisc add dev imq0 parent 1:10 handle 10: sfq perturb 10
> tc filter add dev imq0 parent 1:0 prio 0 protocol ip handle 10 fw flowid 1:10

sfq's default queue of 128 may cause you some pain. You could try a pfifo 10 or recompile after modifying sch_sfq.c in your kernel tree.

Also, using the prio parameter with htb may not do what you expect when you exceed your specified rate. The htb documentation explains the effects in detail.

You could also get spikes from running over an ATM link where your specified rate and the actual ATM link utilization will likely differ.

From jkamenik at patton.com Tue May 2 23:58:01 2006
From: jkamenik at patton.com (John Kamenik) Date: Tue May 2 23:57:58 2006 Subject: [LARTC] Non-unique IP removal issue Message-ID: <9AD3500C-07F9-47BD-9450-568C7C9D9421@patton.com>

I have come across an interesting issue when adding non-unique IPs to an interface. I am not sure this is the right place for this issue but I couldn't find anything online about it.

The issue is that "ip addr del" ignores the mask and deletes the first matching IP. I know adding a non-unique IP to the same ethernet doesn't really make sense, but it is possible via "ip addr add", so it should be possible to undo.

Here is the step-by-step:

1. ip addr add 1/32 dev eth2
2. ip addr add 1/24 dev eth2
3. ip addr show dev eth2
   2: eth2: mtu 68 qdisc pfifo_fast qlen 1000
       ...
       inet 1.0.0.0/32 scope global eth2
       inet 1.0.0.0/24 scope global eth2
4. ip addr del 1/24 dev eth2
5. ip addr show dev eth2
   2: eth2: mtu 68 qdisc pfifo_fast qlen 1000
       ...
       inet 1.0.0.0/24 scope global eth2

If you compare the first output to the second you will notice that 1/32 was removed. However, if you look at the "ip addr del" command, 1/24 was removed, not 1/32.

Does anyone know if this is a bug? a known issue? expected behavior? or something only I am seeing?

From subscriptions at navig.ca Wed May 3 19:22:30 2006
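An added example (not code from the post or from iproute2) of verifying what `ip addr del` actually removed: it parses `ip addr show` output captured before and after the delete, normalizes ip(8) shorthand the way the post's own output shows it (1/24 is 1.0.0.0/24), and compares the entry that disappeared with the one that was requested. The two listings below are constructed from steps 3 and 5 above.

```python
import re

# Constructed sample input: `ip addr show dev eth2` before and after
# `ip addr del 1/24 dev eth2`, as listed in the post (steps 3 and 5).
BEFORE = """\
2: eth2: mtu 68 qdisc pfifo_fast qlen 1000
    inet 1.0.0.0/32 scope global eth2
    inet 1.0.0.0/24 scope global eth2
"""
AFTER = """\
2: eth2: mtu 68 qdisc pfifo_fast qlen 1000
    inet 1.0.0.0/24 scope global eth2
"""

# Matches only IPv4 'inet' lines; 'inet6' lines do not match 'inet '.
_INET_RE = re.compile(r"^\s*inet (\d+(?:\.\d+){0,3})/(\d+)\b", re.M)


def expand_shorthand(addr):
    """Expand ip(8) shorthand such as '1' -> '1.0.0.0' (missing octets are zero)."""
    parts = addr.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError("bad IPv4 address: %r" % addr)
    return ".".join(parts + ["0"] * (4 - len(parts)))


def normalize_prefix(prefix):
    """'1/24' -> '1.0.0.0/24'; a bare address is treated as /32 like ip(8) does."""
    addr, _, plen = prefix.partition("/")
    plen = int(plen) if plen else 32
    if not 0 <= plen <= 32:
        raise ValueError("bad prefix length in %r" % prefix)
    return "%s/%d" % (expand_shorthand(addr), plen)


def inet_prefixes(ip_addr_show_output):
    """List the IPv4 prefixes configured in `ip addr show` output (order kept)."""
    return [normalize_prefix("%s/%s" % m.groups())
            for m in _INET_RE.finditer(ip_addr_show_output)]


def verify_delete(requested, before, after):
    """Report which prefix vanished between two listings and whether it was the one asked for."""
    want = normalize_prefix(requested)
    removed = inet_prefixes(before)
    for p in inet_prefixes(after):          # multiset difference: before minus after
        if p in removed:
            removed.remove(p)
    return {"requested": want, "removed": removed, "ok": removed == [want]}


if __name__ == "__main__":
    result = verify_delete("1/24", BEFORE, AFTER)
    print("requested %s, actually removed %s -> %s"
          % (result["requested"], result["removed"], "OK" if result["ok"] else "MISMATCH"))
```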
From: subscriptions at navig.ca (G Georgiev) Date: Wed May 3 19:18:09 2006 Subject: [LARTC] SNAT on IPSEC tunnel with kernel 2.6/KAME tools? Message-ID: <200605031322.30125.subscriptions@navig.ca>

Hi,

Could not conceive a working set-up for an IPSEC VPN made with racoon/setkey on which I have one address on my side acting as an SNAT router for all traffic from my network to a network segment on the far side.

my network --- my gateway ---------------------- remote network
10.0.0.0/24 - 10.0.0.1 (10.253.0.2) -- tunnel - 192.168.0.0/22

All traffic starts on my side, so if I can SNAT/MASQUERADE packets to the tunnel address (10.253.0.2) it shall work. This would have been possible with FreeSwan, as it created network interfaces (ipsec0, ipsec1..); however with setkey there is no way of doing it.

The VPN starts on the gateway; simply, all traffic destined to 192.168.0.0/22 should get an SNAT to 10.253.0.2 and go via the tunnel. SNAT however is available only in the POSTROUTING chain, and no outgoing interface really exists with setkey.

So, the next rule should be implemented on the gateway: "Packets going to 192.168.0.0/22 should be SNAT to 10.253.0.2 and go via the tunnel"

Some ideas?

Thanks,
George.

From elmono222 at gmail.com Fri May 5 00:37:10 2006
From: elmono222 at gmail.com (Juan Felipe Botero) Date: Fri May 5 00:37:07 2006 Subject: [LARTC] Question about netmeeting Message-ID:

Hi, I want to control in my network the netmeeting transfer of traffic. How can I control the audio or video transfer when these services use dynamic ports?

thanks

--
Juan Felipe Botero
Ingeniero de sistemas
Universidad de Antioquia

From gnychis at cmu.edu Fri May 5 01:35:08 2006
From: gnychis at cmu.edu (George P Nychis) Date: Fri May 5 01:35:05 2006 Subject: [LARTC] how to change classful netem loss probability? In-Reply-To: <20060428102421.7d304ca6@localhost.localdomain> References: <444FF846.7050600@cmu.edu> <32923.128.2.140.234.1146187103.squirrel@128.2.140.234> <20060428102421.7d304ca6@localhost.localdomain> Message-ID: <32893.128.2.140.234.1146785708.squirrel@128.2.140.234> where did you send this patch? I don't think I ever got it > Loss was broken, patch sent. > > The following works now: > > # tc qdisc add dev eth1 root handle 1:0 netem loss 20% > > # tc qdisc add dev eth1 parent 1:1 handle 10: tbf \ rate 256kbit buffer > 1600 limit 3000 # ping -f -c 1000 shell > > 1000 packets transmitted, 781 received, 21% packet loss, time 3214ms rtt > min/avg/max/mdev = 0.187/0.398/3.763/0.730 ms, ipg/ewma 3.217/0.538 ms > > # tc qdisc chang dev eth1 handle 1: netem loss 1% # ping -f -c 1000 shell > > 1000 packets transmitted, 990 received, 1% packet loss, time 2922ms rtt > min/avg/max/mdev = 0.187/2.739/3.298/0.789 ms, ipg/ewma 2.924/2.084 ms > > > > -- From cemeyer2 at uiuc.edu Fri May 5 02:55:24 2006 
From: cemeyer2 at uiuc.edu (Charlie Meyer) Date: Fri May 5 02:55:37 2006 Subject: [LARTC] Traffic Accounting Message-ID: <000001c66fde$998fd180$159c7e82@MURPHY>

Hello,

Is there an easy way, either by scripting or some software project or something similar, to do automatic traffic accounting? I am looking to be able to give each host on my LAN a specific quota of data transfer for a given previous period of time, for example 1 GB in the previous 24 hours. If they exceed that limit, I would like to be able to have the system automatically rate limit that host to a specific speed. When the host has gone back under the limit, I would like the system to automatically remove the speed restrictions. Has anyone implemented such a system or know of an easy way to do so?

Thanks
Charlie Meyer
Department of Computer Science
University of Illinois at Urbana-Champaign

From david_list at boreham.org Fri May 5 03:02:31 2006
From: david_list at boreham.org (David Boreham) Date: Fri May 5 03:02:27 2006 Subject: [LARTC] Question about netmeeting In-Reply-To: References: Message-ID: <445AA427.8000504@boreham.org>

Juan Felipe Botero wrote:
> Hi, I want to control in my network the netmeeting transfer of
> traffic. How can I control the audio or video transfer when these
> services use dynamic ports?

Netmeeting is evil: avoid if possible. The new Skype with Video actually works quite well, and it doesn't 'frequency hop' ports like it's trying to evade detection ;) Basically NM was designed in the pre-NAT, pre-firewall era.

From kaber at trash.net Fri May 5 15:39:29 2006
From: kaber at trash.net (Patrick McHardy) Date: Fri May 5 15:39:25 2006 Subject: [LARTC] SNAT on IPSEC tunnel with kernel 2.6/KAME tools? In-Reply-To: <200605031322.30125.subscriptions@navig.ca> References: <200605031322.30125.subscriptions@navig.ca> Message-ID: <445B5591.3080404@trash.net> G Georgiev wrote: > Hi, > > Could not conceive an working set-up for an IPSEC VPN made with racoon/setkey > on which I have one address on my side acting as an SNAT router for all > traffic from my network to a network segment on the far side. > > my network --- my gateway ---------------------- remote network > 10.0.0.0/24 - 10.0.0.1 (10.253.0.2) -- tunnel - 192.168.0.0/22 > > All traffic starts on my side, so if I can SNAT/MASQUERADE packets to the > tunnel address (10.253.0.2) it shall work. This would have been possible with > FreeSwan, as it created network interfaces (ipsec0, ipsec1..), however with > setkey there is no way of making it. > > The VPN starts on the gateway, simply all traffic destinate to 192.168.0.0/22 > should get an SNAT to 10.253.0.2 and go via the tunnel. SNAT however is > available only in POSTROUTING chain, and no outgoing interface really exists > with setkey. > > So, next rule should be implemented on the gateway: "Packets going to > 192.168.0.0/22 should be SNAT to 10.253.0.2 and go via the tunnel" > > Some ideas? Starting with 2.6.16 the kernel supports NAT with IPsec and includes a "policy" match, which allows you to do similar things like the "-o ipsec0" matching done with klips. From nata at cnett.com.br Fri May 5 16:20:28 2006 
From: nata at cnett.com.br (Nataniel Klug) Date: Fri May 5 16:20:29 2006 Subject: [LARTC] Matching interface using U32(?) Message-ID: <445B5F2C.604@cnett.com.br>

Hello all,

I am trying to make a little bit more complex QoS/shaping form and I need to shape a PPPoE connection that I serve to my clients. So this is the scope:

client connects using pppoe so it gets an IP address (from the pppoe pool) and opens an interface on my linux box
the interface for this client is ppp0
client has got ip 1.1.1.2/32 and it is pointing to pppoe-server 1.1.1.1

So, if I want to shape download for this client it's really easy and I make an htb rule that shapes all traffic into ppp0... My problem is when I have to shape upload traffic. All my traffic goes from eth0 to the world. I tried to make this rule:

$TC class add dev eth0 parent 1:1 classid 1:500 htb rate 200Kbit ceil 200Kbit
$TC filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip src 1.1.1.2/32 flowid 1:500

But this rule is not matching the upload connection. If I put the same rule to an IP (I set an ip on the client) this rule works, but on a pppoe connection it did not work properly. Does someone have some tip to match the interface that the connection is coming from? Like I wanna match all traffic coming from ppp0 and going through eth0 to be shaped?! Is there any way to make this work?

Att,
Nataniel Klug

From gnychis at cmu.edu Fri May 5 17:08:23 2006
From: gnychis at cmu.edu (George Nychis) Date: Fri May 5 17:05:16 2006 Subject: [LARTC] where i can find this netem patch? In-Reply-To: <20060428102421.7d304ca6@localhost.localdomain> References: <444FF846.7050600@cmu.edu> <32923.128.2.140.234.1146187103.squirrel@128.2.140.234> <20060428102421.7d304ca6@localhost.localdomain> Message-ID: <445B6A67.7020809@cmu.edu> Hi, I need help finding this patch that Stephen made. He sent me a patch, but i do not think its related to the patch that solved this problem. I will include the patch he did forward to me at the bottom. However here is the problem, i even rtied his misspelling of change :) thorium-ini 15849-tests # tc qdisc add dev ath0 root handle 1:0 netem drop 0% thorium-ini 15849-tests # tc qdisc add dev ath0 parent 1:1 handle 10: xcp capacity 54Mbit limit 500 thorium-ini 15849-tests # tc qdisc change dev ath0 root handle 1:0 netem drop 1% RTNETLINK answers: Invalid argument thorium-ini 15849-tests # tc qdisc chang dev ath0 root handle 1:0 netem drop 1% RTNETLINK answers: Invalid argument thorium-ini 15849-tests # tc qdisc change dev ath0 root handle 1: netem drop 1% RTNETLINK answers: Invalid argument here is the patch i was forwarded, but did not solve this problem: --- linux-2.6.orig/net/sched/sch_netem.c +++ linux-2.6/net/sched/sch_netem.c 
@@ -167,7 +167,7 @@ static int netem_enqueue(struct sk_buff if (count == 0) { sch->qstats.drops++; kfree_skb(skb); - return NET_XMIT_DROP; + return NET_XMIT_BYPASS; } /*

I'd greatly appreciate any help solving the change problem.

Thanks!
George

Stephen Hemminger wrote:
> Loss was broken, patch sent.
>
> The following works now:
>
> # tc qdisc add dev eth1 root handle 1:0 netem loss 20%
>
> # tc qdisc add dev eth1 parent 1:1 handle 10: tbf \
> rate 256kbit buffer 1600 limit 3000
> # ping -f -c 1000 shell
>
> 1000 packets transmitted, 781 received, 21% packet loss, time 3214ms
> rtt min/avg/max/mdev = 0.187/0.398/3.763/0.730 ms, ipg/ewma 3.217/0.538 ms
>
> # tc qdisc chang dev eth1 handle 1: netem loss 1%
> # ping -f -c 1000 shell
>
> 1000 packets transmitted, 990 received, 1% packet loss, time 2922ms
> rtt min/avg/max/mdev = 0.187/2.739/3.298/0.789 ms, ipg/ewma 2.924/2.084 ms

From subscriptions at navig.ca Fri May 5 18:37:20 2006
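Review bot: the hunk in netem_enqueue swaps `return NET_XMIT_DROP;` for `return NET_XMIT_BYPASS;` in the `count == 0` branch while keeping `sch->qstats.drops++` and `kfree_skb(skb);`, so the packet is still counted as dropped and freed but the caller is told it was not dropped; a one-line comment at that return saying why the parent qdisc should not treat emulated loss as a drop would make the intent reviewable. Nothing in this hunk touches the qdisc change path, so it cannot be the fix for the `RTNETLINK answers: Invalid argument` that the poster shows above.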
From: subscriptions at navig.ca (G Georgiev)
Date: Fri May 5 18:33:00 2006
Subject: [LARTC] SNAT on IPSEC tunnel with kernel 2.6/KAME tools?
In-Reply-To: <445B5591.3080404@trash.net>
References: <200605031322.30125.subscriptions@navig.ca> <445B5591.3080404@trash.net>
Message-ID: <200605051237.20580.subscriptions@navig.ca>

Thanks, will try that out - will upgrade the kernel and see how it works.

George.

On Friday 05 May 2006 09:39 am, Patrick McHardy wrote:
> G Georgiev wrote:
> > Hi,
> >
> > Could not conceive a working set-up for an IPSEC VPN made with
> > racoon/setkey on which I have one address on my side acting as an SNAT
> > router for all traffic from my network to a network segment on the far
> > side.
> >
> > my network --- my gateway ---------------------- remote network
> > 10.0.0.0/24 - 10.0.0.1 (10.253.0.2) -- tunnel - 192.168.0.0/22
> >
> > All traffic starts on my side, so if I can SNAT/MASQUERADE packets to
> > the tunnel address (10.253.0.2) it shall work. This would have been
> > possible with FreeSwan, as it created network interfaces (ipsec0,
> > ipsec1..), however with setkey there is no way of making it.
> >
> > The VPN starts on the gateway; simply all traffic destined to
> > 192.168.0.0/22 should get an SNAT to 10.253.0.2 and go via the tunnel.
> > SNAT however is available only in the POSTROUTING chain, and no outgoing
> > interface really exists with setkey.
> >
> > So, the next rule should be implemented on the gateway: "Packets going to
> > 192.168.0.0/22 should be SNAT to 10.253.0.2 and go via the tunnel"
> >
> > Some ideas?
>
> Starting with 2.6.16 the kernel supports NAT with IPsec and includes
> a "policy" match, which allows you to do similar things like
> the "-o ipsec0" matching done with klips.

From shemminger at osdl.org Fri May 5 19:15:38 2006
From: shemminger at osdl.org (Stephen Hemminger)
Date: Fri May 5 19:15:40 2006
Subject: [LARTC] Re: [Netem] where i can find this netem patch?
In-Reply-To: <445B6A67.7020809@cmu.edu>
References: <444FF846.7050600@cmu.edu> <32923.128.2.140.234.1146187103.squirrel@128.2.140.234> <20060428102421.7d304ca6@localhost.localdomain> <445B6A67.7020809@cmu.edu>
Message-ID: <20060505101538.5dfc5021@localhost.localdomain>

On Fri, 05 May 2006 11:08:23 -0400 George Nychis wrote:
> Hi,
>
> I need help finding this patch that Stephen made.
>
> He sent me a patch, but i do not think its related to the patch that
> solved this problem. I will include the patch he did forward to me at
> the bottom.
> However here is the problem, i even rtied his misspelling of change :)
>
> thorium-ini 15849-tests # tc qdisc add dev ath0 root handle 1:0 netem
> drop 0%
> thorium-ini 15849-tests # tc qdisc add dev ath0 parent 1:1 handle 10:
> xcp capacity 54Mbit limit 500
> thorium-ini 15849-tests # tc qdisc change dev ath0 root handle 1:0 netem
> drop 1%
> RTNETLINK answers: Invalid argument
>

The problem was you are giving handle 1:0 so the change request was going to xcp. And xcp doesn't understand the netem rtnetlink message.

You want to do:

# tc qdisc change dev ath0 root netem drop 1%

From william.bohannan at spidersat.net Fri May 5 20:07:50 2006
From: william.bohannan at spidersat.net (William Bohannan)
Date: Fri May 5 20:09:04 2006
Subject: [LARTC] iptables time match mangle stage
Message-ID: <001601c6706e$e0dc5f50$043bdcc1@ACCSSWILLIAM>

Hi,

I am having problems trying to get a time match with iptables 1.3.5 and the latest pom. It says time match only works in the prerouting stage, but I really need to use the classify command which only works in the postrouting. Does anyone have a patch for 2.6 kernel, latest pom and iptables 1.3.5 so time matching can occur in the post routing?

machinenemae login: ipt_time loading
ipt_time: error, only valid for PRE_ROUTING, LOCAL_IN, FORWARD and OUTPUT)

many thanks
william

From Edwin.Whitelaw at nrvunwired.net Sat May 6 01:04:30 2006
From: Edwin.Whitelaw at nrvunwired.net (Edwin Whitelaw)
Date: Sat May 6 01:04:26 2006
Subject: [LARTC] iptables CLASSIFY vs fwmark?
Message-ID: <445BD9FE.7000400@nrvunwired.net>

Could someone comment on the benefits of using CLASSIFY vs fwmark (or vice versa) in iptables? I'm getting ready to implement some basic tc for VoIP and most of the examples seem to use the (older?) fwmark syntax. Should I convert these to CLASSIFY? Can the two syntaxes be mixed? Also with U32?

TIA,
Edwin

--
<=+=+=+==+=+=+==+=+=+=+=+=+=+=+=>
Edwin Whitelaw, P.E.
New River Valley Unwired, LLC
2200 Lonesome Dove Dr
Christiansburg, VA 24073
540-239-0318

From linux at pilot.org.ua Sat May 6 09:05:16 2006
From: linux at pilot.org.ua (Denis Ovsienko)
Date: Sat May 6 09:05:11 2006
Subject: [LARTC] iptables CLASSIFY vs fwmark?
In-Reply-To: <445BD9FE.7000400@nrvunwired.net>
References: <445BD9FE.7000400@nrvunwired.net>
Message-ID: <20060506110516.739ee09e.linux@pilot.org.ua>

> Could someone comment on the benefits of using CLASSIFY vs fwmark (or
> vice versa) in iptables?

One benefit I see is that one avoids extra filters; this can be useful with lots of classes.

--
DO4-UANIC

From Edwin.Whitelaw at nrvunwired.net Sat May 6 13:58:07 2006
From: Edwin.Whitelaw at nrvunwired.net (Edwin Whitelaw)
Date: Sat May 6 13:58:05 2006
Subject: [LARTC] iptables CLASSIFY vs fwmark?
In-Reply-To: <20060506110516.739ee09e.linux@pilot.org.ua>
References: <445BD9FE.7000400@nrvunwired.net> <20060506110516.739ee09e.linux@pilot.org.ua>
Message-ID: <445C8F4F.2040103@nrvunwired.net>

My observation also, but one example shows using fwmark in the PREROUTING chain while CLASSIFY can be used in POSTROUTING only (correct?). My experience with tc at this point is limited, but sometimes added flexibility is useful, even if it's a little more effort.

Edwin

Denis Ovsienko wrote:
>> Could someone comment on the benefits of using CLASSIFY vs fwmark (or
>> vice versa) in iptables?
>>
> One benefit I see is that one avoids extra filters, this can be useful
> with lots of classes.
>
>

--
<=+=+=+==+=+=+==+=+=+=+=+=+=+=+=>
Edwin Whitelaw, P.E.
New River Valley Unwired, LLC
2200 Lonesome Dove Dr
Christiansburg, VA 24073
540-239-0318

From erez0001 at gmail.com Sun May 7 13:12:46 2006
From: erez0001 at gmail.com (Erez D)
Date: Sun May 7 13:12:42 2006
Subject: [LARTC] voip and firewall
Message-ID: <6c32b540605070412t2436c608mbcc7334ee8d1be2f@mail.gmail.com>

Hi,

My company just installed a new firewall. I had an ATA (grandstream handytone) that was connected via the internet to asterisk at my home. This ATA does not work anymore (I can dial, but have no incoming audio; people can dial to me but it disconnects when I answer). This is due to the new firewall. However, I have a voip software (x-lite) that works very well, even with the new firewall.

Can anyone tell me what is the difference (and how can I make my ATA work again)?

Thanks,
erez.

btw. please no tunneling solutions etc ...

From william.bohannan at spidersat.net Sun May 7 16:42:02 2006
From: william.bohannan at spidersat.net (William Bohannan)
Date: Sun May 7 16:43:05 2006
Subject: [LARTC] iptables CLASSIFY vs fwmark?
In-Reply-To: <445C8F4F.2040103@nrvunwired.net>
Message-ID: <004001c671e4$70f0f6c0$043bdcc1@ACCSSWILLIAM>

Using fwmark would mean that packets have to pass two filter systems. First iptables, where they get marked, and then the tc-filter ruleset where the mark needs to be matched again. And this is something I want to avoid because this means worse performance, so I was wondering if there is a possible way to do time matching with classify instead of forward mark?? Anyone have a patch for time matching so it can be used in the postrouting section?

Kind Regards
William

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Edwin Whitelaw
Sent: 06 May 2006 11:58
To: Denis Ovsienko
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] iptables CLASSIFY vs fwmark?

My observation also, but one example shows using fwmark in the PREROUTING chain while CLASSIFY can be used in POSTROUTING only (correct?). My experience with tc at this point is limited, but sometimes added flexibility is useful, even if it's a little more effort.

Edwin

Denis Ovsienko wrote:
>> Could someone comment on the benefits of using CLASSIFY vs fwmark (or
>> vice versa) in iptables?
>>
> One benefit I see is that one avoids extra filters, this can be useful
> with lots of classes.
>
>

--
<=+=+=+==+=+=+==+=+=+=+=+=+=+=+=>
Edwin Whitelaw, P.E.
New River Valley Unwired, LLC
2200 Lonesome Dove Dr
Christiansburg, VA 24073
540-239-0318

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From william.bohannan at spidersat.net Sun May 7 16:43:34 2006
From: william.bohannan at spidersat.net (William Bohannan)
Date: Sun May 7 16:44:08 2006
Subject: [LARTC] time matching in the mangle stage?? is it possible??
Message-ID: <004101c671e4$a789dcb0$043bdcc1@ACCSSWILLIAM>

Hi,

I am having problems trying to get a time match with iptables 1.3.5 and the latest pom. It says time match only works in the prerouting stage, but I really need to use the classify command which only works in the postrouting. Does anyone have a patch for 2.6 kernel, latest pom and iptables 1.3.5 so time matching can occur in the post routing?

machinenemae login: ipt_time loading
ipt_time: error, only valid for PRE_ROUTING, LOCAL_IN, FORWARD and OUTPUT)

many thanks
william

From andy.furniss at dsl.pipex.com Sun May 7 20:02:10 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Sun May 7 19:57:31 2006
Subject: [LARTC] time matching in the mangle stage?? is it possible??
In-Reply-To: <004101c671e4$a789dcb0$043bdcc1@ACCSSWILLIAM>
References: <004101c671e4$a789dcb0$043bdcc1@ACCSSWILLIAM>
Message-ID: <445E3622.6060400@dsl.pipex.com>

William Bohannan wrote:
> the classify command which only works in the postrouting.

I'd try it. I think it works everywhere now, even if old docs say different.

Andy.

From andy.furniss at dsl.pipex.com Sun May 7 21:18:29 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Sun May 7 21:13:43 2006
Subject: [LARTC] Matching interface using U32(?)
In-Reply-To: <445B5F2C.604@cnett.com.br>
References: <445B5F2C.604@cnett.com.br>
Message-ID: <445E4805.7060608@dsl.pipex.com>

Nataniel Klug wrote:
> Hello all,
>
> I am trying to make a little bit more complex QoS/Shaping form and I
> need to shape a PPPoE connection that I serve to my clients. So this is
> the scope:
>
> client connects using pppoe so it gets an IP address (from pppoe pool)
> and opens an interface into my linux box
> interface for this client is ppp0
> client has got an ip 1.1.1.2/32 and it is pointing to pppoe-server 1.1.1.1
>
> So, if I want to shape download for this client it's really easy and I
> make an htb rule that shapes all traffic into ppp0... My problem is when
> I have to shape upload traffic. All my traffic goes through eth0 to the
> world. I tried to make this rule:
>
> $TC class add dev eth0 parent 1:1 classid 1:500 htb rate 200Kbit ceil
> 200Kbit
> $TC filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip src
> 1.1.1.2/32 flowid 1:500

protocol ip on the filter is the problem - without trying I am not sure what will work, but in the case of vlans you can just say protocol 8021q.

If pppoe doesn't work, try its ethertype number - you could also use protocol all and match the ethertype protocol number with u32 and a negative offset.

>
> But this rule is not matching the upload connection. If I put the
> same rule to an IP (I set an ip into client) this rule works, but into
> pppoe connection it did not work properly.
>
> Does someone have some tip to match the interface that the connection is
> coming from? Like I wanna match all traffic coming from ppp0 and going
> through eth0 to be shaped?! Is there any way to make this work?

If you are running >2.6.16 then you could use IFB and attach a queue to each ppp.

There is a kernel config option for u32 to match indev - I don't know the syntax, though.

Andy.
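The following is an added example, not code from Nataniel's script or from anyone on the list. It builds two constructed Ethernet frames carrying the same IPv4 packet from 1.1.1.2: one as plain IP (ethertype 0x0800) and one inside a PPPoE session frame (ethertype 0x8864 with PPP protocol 0x0021 for IPv4; both are the standard values). It then shows where the IPv4 source field sits in each, which is the point behind Andy's remark: a `protocol ip` filter is keyed on the frame's ethertype, so it never looks at an 0x8864 frame, while with `protocol all` the ethertype is the two bytes just before the network header (the negative offset) and the IP source field is 20 bytes into the payload instead of 12. The MAC addresses, helper names and the ARP frame in the check are the example's own assumptions.

```python
"""Where the IPv4 header lives in a plain Ethernet frame versus a PPPoE
session frame, and why a tc filter keyed on `protocol ip` misses the latter.
Added example with constructed frames; not from the list."""
import ipaddress
import struct

ETH_P_IP = 0x0800        # ethertype: IPv4 directly over Ethernet
ETH_P_PPP_SES = 0x8864   # ethertype: PPPoE session stage (RFC 2516)
PPP_IPV4 = 0x0021        # PPP protocol field value for IPv4
ETH_HLEN = 14            # dst MAC, src MAC, ethertype
PPPOE_HLEN = 6           # ver/type, code, session id, payload length
PPP_PROTO_LEN = 2

# Constructed MAC addresses; any values work for the layout question.
CLIENT_MAC = bytes.fromhex("0200000000a2")
SERVER_MAC = bytes.fromhex("0200000000a1")


def ipv4_header(src: str, dst: str, payload_len: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (protocol UDP, TTL 64, checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def plain_ip_frame(src: str, dst: str) -> bytes:
    """IPv4 packet sent straight over Ethernet (what leaves eth0 after routing)."""
    return SERVER_MAC + CLIENT_MAC + struct.pack("!H", ETH_P_IP) + ipv4_header(src, dst)


def pppoe_session_frame(src: str, dst: str, session_id: int = 1) -> bytes:
    """The same IPv4 packet as the client sends it: Ethernet / PPPoE / PPP / IP."""
    ppp = struct.pack("!H", PPP_IPV4) + ipv4_header(src, dst)
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp))
    return SERVER_MAC + CLIENT_MAC + struct.pack("!H", ETH_P_PPP_SES) + pppoe + ppp


def ethertype(frame: bytes) -> int:
    return struct.unpack_from("!H", frame, 12)[0]


def protocol_ip_would_match(frame: bytes) -> bool:
    """`tc filter ... protocol ip` only considers frames whose ethertype is 0x0800."""
    return ethertype(frame) == ETH_P_IP


def locate_ipv4(frame: bytes):
    """Return (offset of the IPv4 header within the frame, src, dst), or None
    when the frame carries no IPv4 packet this parser understands."""
    et = ethertype(frame)
    if et == ETH_P_IP:
        ip_off = ETH_HLEN
    elif et == ETH_P_PPP_SES:
        ver_type, code, _sid, _length = struct.unpack_from("!BBHH", frame, ETH_HLEN)
        if ver_type != 0x11 or code != 0x00:      # not a well-formed session frame
            return None
        ppp_proto = struct.unpack_from("!H", frame, ETH_HLEN + PPPOE_HLEN)[0]
        if ppp_proto != PPP_IPV4:                 # e.g. LCP/IPCP control traffic
            return None
        ip_off = ETH_HLEN + PPPOE_HLEN + PPP_PROTO_LEN
    else:
        return None                               # ARP, VLAN, anything else
    if (frame[ip_off] >> 4) != 4:
        return None
    src = str(ipaddress.IPv4Address(frame[ip_off + 12:ip_off + 16]))
    dst = str(ipaddress.IPv4Address(frame[ip_off + 16:ip_off + 20]))
    return ip_off, src, dst


def u32_offsets(frame: bytes):
    """Offsets as a u32 match under `protocol all` sees them: relative to the
    network header, which starts right after the 14-byte Ethernet header.
    Returns (offset of the ethertype, offset of the IPv4 source) or None."""
    found = locate_ipv4(frame)
    if found is None:
        return None
    ip_off, _, _ = found
    return -2, ip_off - ETH_HLEN + 12


if __name__ == "__main__":
    for name, frame in (("plain", plain_ip_frame("1.1.1.2", "198.51.100.7")),
                        ("pppoe", pppoe_session_frame("1.1.1.2", "198.51.100.7"))):
        print(name, hex(ethertype(frame)), protocol_ip_would_match(frame),
              locate_ipv4(frame), u32_offsets(frame))
```

Running the block prints that only the plain frame satisfies `protocol ip`, and that the IPv4 source sits at offset 12 from the network header for plain IP but at offset 20 for the PPPoE-encapsulated packet, with the ethertype at offset -2 in both cases.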
From andy.furniss at dsl.pipex.com Sun May 7 21:27:09 2006
From: andy.furniss at dsl.pipex.com (Andy Furniss)
Date: Sun May 7 21:22:22 2006
Subject: [LARTC] How to write a catch all rule?
In-Reply-To: <4454677A.8000106@netshadow.at>
References: <20060430062608.14452.qmail@web38406.mail.mud.yahoo.com> <4454677A.8000106@netshadow.at>
Message-ID: <445E4A0D.1090705@dsl.pipex.com>

Andreas Unterkircher wrote:
> http://mailman.ds9a.nl/pipermail/lartc/2005q3/016774.html

tc filter add dev eth0 parent 1:0 protocol all u32 match u32 0 0 flowid 1:1

That will match all.

Someone told me once that the difference between it working and not on a large rule set was the explicit inclusion of prio XX.

To the OP: you may mean all ip (as in the lartc example), in which case replace the all with ip and give it a higher prio number than the other rules / put it last. Protocol all will catch arp etc. as well, which may not be what you want.

One gotcha is that the highest prio on a filter is 1, so don't use 0 or that filter may be "last".

Andy.

From andy at andybev.com Mon May 8 01:32:42 2006
From: andy at andybev.com (Andrew Beverley)
Date: Mon May 8 01:33:31 2006
Subject: [LARTC] icmp latency question
In-Reply-To: <48480.24.73.78.146.1146605089.squirrel@nebula.internal.foo>
References: <4453EFB5.2070700@eris.sebi.org> <4457CAB1.8060601@andybev.com> <48480.24.73.78.146.1146605089.squirrel@nebula.internal.foo>
Message-ID: <20060508003242.opfl7dz7i848kggs@www.simplelists.com>

Many thanks for the reply.

> sfq's default queue of 128 may cause you some pain. You could try a pfifo
> 10 or recompile after modifying sch_sfq.c in your kernel tree.

I tried the above (modifying to 10) but didn't notice much difference.

> Also, using
> the prio parameter with htb may not do what you expect when you exceed your
> specified rate. The htb documentation explains the effects in detail.

I couldn't access the website at luxik.cdi.cz/~devik/qos/htb/. Is it documented elsewhere?

> You could also get spikes from running over an ATM link where your specified
> rate and the actual ATM link utilization will likely differ.

Possibly may be the case. As suggested in the 'Practical Guide to Linux Traffic Control' I also tried setting HTB_HYSTERESIS to zero in sch_htb.c but again didn't notice much difference.

Anyway, this is currently the least of my worries, see my new thread!

Andy

From andy at andybev.com Mon May 8 01:43:07 2006
From: andy at andybev.com (Andrew Beverley)
Date: Mon May 8 01:43:52 2006
Subject: [LARTC] Detecting p2p traffic
Message-ID: <20060508004307.qkuxq25v4occs4gk@www.simplelists.com>

After varying degrees of success with p2p detection modules, I would like to write the following rules using iptables to reliably identify p2p traffic:

1. If a host on the network has 5 or more simultaneous tcp connections to ports above 1024, mark all connections to ports 1024 and above as 60.

2. If a host has received (or sent) UDP packets from 5 different hosts' ports above 1024 in a minute then classify all UDP traffic to and from that host above port 1024 as 60.

Number 1 can almost be achieved using something similar to:

iptables .. --dport 1024: -m connlimit --connlimit-above 5 -j MARK --set-mark 60

Unfortunately though it still leaves 5 connections slurping up plenty of bandwidth.

I have no ideas for number 2.

Anybody any ideas? On my network all p2p traffic falls into these categories, and I don't mind overmatching with other traffic.

Thanks,
Andy

From daniel at internux.co.id Mon May 8 02:07:50 2006
From: daniel at internux.co.id (Daniel Harold L.)
Date: Mon May 8 02:07:06 2006
Subject: [LARTC] HTB How To ??
In-Reply-To: <47eb54d60604170356j3b8dcf51o4c14131547306ab3@mail.gmail.com>
References: <47eb54d60604170356j3b8dcf51o4c14131547306ab3@mail.gmail.com>
Message-ID: <200605080807.50861.daniel@internux.co.id>

On Monday April 17 2006 18:56, Cahyo Purnomo wrote:
> Dear All,
>
> I want to implement bandwidth shaping in my office using HTB, anybody
> suggest about the case?
>
> Below the acl ip range i want to limit :
> 1. staf (10.0.0.1 - 3) --> limit to 10kbyte/s
> 2. lab (10.0.0.4 - 6) --> limit to 5kbyte/s
> 3. bos (10.0.0.7 - 9) --> limit to 20kbyte/s
> 4. admin (10.0.0.10 - 12) --> no limit
>
> thanks all 4 ur advise

Please first read the manual at lartc.org

Regards,
Daniel

From ragunath_er at yahoo.com Mon May 8 17:10:30 2006
From: ragunath_er at yahoo.com (ragunath venkatapathy)
Date: Mon May 8 17:10:31 2006
Subject: [LARTC] have any one tried Snmp extension to Net-SNMP daemon
Message-ID: <20060508151030.94999.qmail@web31609.mail.mud.yahoo.com>

Dear all,

I am looking for a way of creating a gui for managing qos in linux. I came across the snmp extension to net-snmp at http://x-ray.prokon.cz/data/snmp/ and I found qosd-0.0.1-13122003.tgz, in which there is a client/server program using soap which was really interesting, but when I tried to compile it, it ended up with many errors. Has anyone tried it, or have any documentation about using this thing?

I started with the problem in SOAP_BEGIN_NAMESPACE, but it was resolved when I added a file soapdefs.h which contains

#ifndef _soapdefs_h
#define _soapdefs_h 1
#define SOAP_BEGIN_NAMESPACE(ns)
#define SOAP_END_NAMESPACE(ns)
#endif

and added

CFLAGS = -Wall -Wno-parentheses -c -I$(INCLUDE) -I$(TMP) -DWITH_SOAPDEFS_H

to the makefile. Now that error is gone, but now I have errors like:

gcc -Wall -Wno-parentheses -c -Iinclude -Itmp -DWITH_SOAPDEFS_H -c -o src/server/lex/lex.yy.o src/server/lex/lex.yy.c
src/server/lex/lex.yy.c:1117: warning: 'yyunput' defined but not used
gcc -Wall -Wno-parentheses -c -Iinclude -Itmp -DWITH_SOAPDEFS_H -c -o src/server/lex/y.tab.o src/server/lex/y.tab.c
src/server/lex/y.tab.c: In function 'yyparse':
src/server/lex/y.tab.c:1064: warning: implicit declaration of function 'yylex'
gcc -Wall -Wno-parentheses -c -Iinclude -Itmp -DWITH_SOAPDEFS_H -c -o src/soap/soapC.o src/soap/soapC.c
src/soap/soapC.c: In function 'soap_in_SOAP_ENV__Fault':
src/soap/soapC.c:1884: warning: passing argument 8 of 'soap_id_forward' makes integer from pointer without a cast
src/soap/soapC.c:1884: error: too few arguments to function 'soap_id_forward'
src/soap/soapC.c: In function 'soap_in_SOAP_ENV__Detail':
src/soap/soapC.c:1974: warning: passing argument 8 of 'soap_id_forward' makes integer from pointer without a cast
src/soap/soapC.c:1974: error: too few arguments to function 'soap_id_forward'
src/soap/soapC.c: In function 'soap_in_SOAP_ENV__Code':
src/soap/soapC.c:2076: warning: passing argument 8 of 'soap_id_forward' makes integer from pointer without a cast
src/soap/soapC.c:2076: error: too few arguments to function 'soap_id_forward'
src/soap/soapC.c: In function 'soap_in_SOAP_ENV__Header':
src/soap/soapC.c:2153: warning: passing argument 8 of 'soap_id_forward' makes integer from pointer without a cast
src/soap/soapC.c:2153: error: too few arguments to function 'soap_id_forward'
src/soap/soapC.c: In function 'soap_in_ns__get_common_options':
src/soap/soapC.c:2237: warning: passing argument 8 of 'soap_id_forward' makes integer from pointer without a cast
src/soap/soapC.c:2237: error: too few arguments to function 'soap_id_forward'
src/soap/soapC.c: In function 'soap_in_ns__common_options':
src/soap/soapC.c:2321: warning: passing argument 8 of 'soap_id_forward' makes integer from pointer without a cast
src/soap/soapC.c:2321: error: too few arguments to function 'soap_id_forward'
src/soap/soapC.c: In function 'soap_in_ns__get_filter_u32':
src/soap/soapC.c:2403: warning: passing argument 8 of 'soap_id_forward' makes integer from pointer without a cast
src/soap/soapC.c:2403: error: too few arguments to function 'soap_id_forward'
src/soap/soapC.c: In function 'soap_in_ns__filter_u32':
src/soap/soapC.c:2487: warning: passing argument 8 of 'soap_id_forward' makes integer from pointer without a cast
src/soap/soapC.c:2487: error: too few arguments to function 'soap_id_forward'
src/soap/soapC.c: In function 'soap_in_ns__get_filter_fw':
src/soap/soapC.c:2569: warning: passing argument 8 of 'soap_id_forward' makes integer from pointer without a cast
src/soap/soapC.c:2569: error: too few arguments to function 'soap_id_forward'
src/soap/soapC.c: In function 'soap_in_ns__filter_fw':
src/soap/soapC.c:2653: warning: passing argument 8 of 'soap_id_forward' makes integer from pointer without a cast
src/soap/soapC.c:2653: error: too few arguments to function 'soap_id_forward'

What can be done? The documentation is very sparse or just null. Please help me.

Thanks in advance,
ragunath kodethredum pial

From sebi at sebi.org Sat May 6 08:46:26 2006
From: sebi at sebi.org (Sebastian Bork)
Date: Mon May 8 20:13:22 2006
Subject: [LARTC] icmp latency question
In-Reply-To: <4457CAB1.8060601@andybev.com>
References: <4453EFB5.2070700@eris.sebi.org> <4457CAB1.8060601@andybev.com>
Message-ID: <445C4642.9010908@eris.sebi.org>

Andrew Beverley wrote:
> It may have been a stupid question, but it does raise an issue I have
> noticed. Even if I give maximum priority to SSH/ICMP, I notice that the
> latency does still jump around. Is this because I've not set up the
> queueing discipline very well?

Did you shorten the queue on the network interface? If there are already some packets which the kernel dequeued to the interface, your ICMP packet will have to wait until they have been sent. The only longer queue should be the one in the kernel, because only there the high priority traffic gets queued before the already waiting packets; all hardware queues are FIFOs.

> For SSH I have:
> tc qdisc add dev imq0 parent 1:10 handle 10: sfq perturb 10

You should not use sfq for high priority traffic, it is only useful for bulk traffic - there should never be as much high priority traffic as to make sfq needed to stop one flow from starving another, and if you use it, your latency will rise.

--
Sebastian Bork
Untere Karlsstr. 16, 34117 Kassel
Cellular phone: +49 163 6780023

From jasonb at edseek.com Mon May 8 21:20:57 2006
From: jasonb at edseek.com (Jason Boxman)
Date: Mon May 8 21:21:03 2006
Subject: [LARTC] have any one tried Snmp extension to Net-SNMP daemon
In-Reply-To: <20060508151030.94999.qmail@web31609.mail.mud.yahoo.com>
References: <20060508151030.94999.qmail@web31609.mail.mud.yahoo.com>
Message-ID: <200605081520.57860.jasonb@edseek.com>

On Monday 08 May 2006 11:10, ragunath venkatapathy wrote:
> Dear all,
> I am looking for a way for creating a gui for managing qos in linux ,
> i came across snmp extension to net snmp at
> http://x-ray.prokon.cz/data/snmp/
>
> and i found qosd-0.0.1-13122003.tgz ,
> in which there is a client server program using soap which was realy
> intresting but when i tried to compile it ended up with many errors ,,

I had similar errors and gave up on it back in 2004. I guess it's not maintained any longer.

--
Jason Boxman
http://edseek.com/ - Linux and FOSS stuff

From jasonb at edseek.com Mon May 8 21:22:45 2006
From: jasonb at edseek.com (Jason Boxman)
Date: Mon May 8 21:22:42 2006
Subject: [LARTC] Detecting p2p traffic
In-Reply-To: <20060508004307.qkuxq25v4occs4gk@www.simplelists.com>
References: <20060508004307.qkuxq25v4occs4gk@www.simplelists.com>
Message-ID: <200605081522.45715.jasonb@edseek.com>

On Sunday 07 May 2006 19:43, Andrew Beverley wrote:
> After varying degrees of success with p2p detection modules, I would like
> to write the following rules using iptables to reliably identify p2p
> traffic:
>
> On my network all p2p traffic falls into these categories, and I don't mind
> overmatching with other traffic.

If you can, you could look into compiling and using ipp2p against your kernel. I find it works extremely well with my p2p traffic from edonkey protocol(s). You may have success with L7-Filter, too. You can probably use both at the same time, but I've never tried, as ipp2p works for me.

--
Jason Boxman
http://edseek.com/ - Linux and FOSS stuff
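Both of Andrew Beverley's rules from the "Detecting p2p traffic" post above, as an added example that is not code from the list, from ipp2p or from L7-Filter: a small classifier that applies rule 1 (five or more simultaneous TCP connections to ports above 1024) and rule 2 (UDP exchanged with five distinct hosts on ports above 1024 within a minute) to a constructed snapshot of flows and returns the flows that would receive mark 60. The 10.0.0.0/24 LAN prefix, the Flow record, the sample addresses and the timestamps are the example's own assumptions; the snapshot stands in for what a script would read from the conntrack table. It also shows the overmatching Andrew says he accepts: the six-connection host is flagged whether or not it is really running a p2p client, while a host that talks to five UDP peers spread over several minutes is not.

```python
"""The two p2p heuristics from the post, applied to a constructed snapshot
of connections. Added example; not from the list or from ipp2p/L7-Filter."""
from collections import defaultdict
from dataclasses import dataclass

P2P_MARK = 60           # the fwmark the post proposes for suspected p2p
HIGH_PORT = 1024        # "ports above 1024"
MIN_TCP_CONNS = 5       # rule 1: five or more concurrent TCP connections
MIN_UDP_PEERS = 5       # rule 2: five distinct UDP peers ...
UDP_WINDOW = 60.0       # ... within one minute
LAN_PREFIX = "10.0.0."  # constructed: local hosts live in 10.0.0.0/24


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds when the flow was seen (constructed clock)
    proto: str     # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

    @property
    def local(self) -> str:
        return self.src if self.src.startswith(LAN_PREFIX) else self.dst

    @property
    def remote(self) -> str:
        return self.dst if self.src.startswith(LAN_PREFIX) else self.src

    @property
    def remote_port(self) -> int:
        return self.dport if self.src.startswith(LAN_PREFIX) else self.sport


def max_peers_in_window(flows, window=UDP_WINDOW) -> int:
    """Largest number of distinct remote hosts seen inside any `window`
    seconds, trying a window that starts at each flow's timestamp."""
    ordered = sorted(flows, key=lambda f: f.ts)
    best = 0
    for i, first in enumerate(ordered):
        peers = {f.remote for f in ordered[i:] if f.ts - first.ts <= window}
        best = max(best, len(peers))
    return best


def classify(flows):
    """Return {flow: mark} for every flow the two rules would mark."""
    tcp_high = defaultdict(list)
    udp_high = defaultdict(list)
    for f in flows:
        if f.remote_port <= HIGH_PORT:
            continue                      # both rules only look above port 1024
        (tcp_high if f.proto == "tcp" else udp_high)[f.local].append(f)

    marks = {}
    # Rule 1: the snapshot is taken at one instant, so every TCP flow a host
    # has open to a high port counts as simultaneous.
    for fl in tcp_high.values():
        if len(fl) >= MIN_TCP_CONNS:
            marks.update({f: P2P_MARK for f in fl})
    # Rule 2: five different remote hosts on high UDP ports inside a minute
    # marks all of that host's high-port UDP traffic.
    for fl in udp_high.values():
        if max_peers_in_window(fl) >= MIN_UDP_PEERS:
            marks.update({f: P2P_MARK for f in fl})
    return marks


def flagged_hosts(flows):
    """Sorted local hosts that own at least one marked flow."""
    return sorted({f.local for f in classify(flows)})


# Constructed snapshot; remote addresses are from documentation ranges.
SAMPLE = [
    # 10.0.0.5 holds six TCP connections to assorted high ports: rule 1 fires.
    *(Flow(100.0, "tcp", "10.0.0.5", 50000 + i, f"198.51.100.{10 + i}", 41000 + i)
      for i in range(6)),
    # 10.0.0.7 does ordinary browsing: two HTTPS flows and one to port 8080.
    Flow(100.0, "tcp", "10.0.0.7", 50100, "203.0.113.10", 443),
    Flow(100.0, "tcp", "10.0.0.7", 50101, "203.0.113.11", 443),
    Flow(100.0, "tcp", "10.0.0.7", 50102, "203.0.113.12", 8080),
    # 10.0.0.9 exchanges UDP with five peers inside 20 s: rule 2 fires.
    *(Flow(200.0 + 5 * i, "udp", "10.0.0.9", 6000, f"192.0.2.{10 + i}", 20000 + i)
      for i in range(5)),
    # 10.0.0.11 also reaches five UDP peers, but 70 s apart: never five in a minute.
    *(Flow(300.0 + 70 * i, "udp", "10.0.0.11", 6000, f"192.0.2.{50 + i}", 20000 + i)
      for i in range(5)),
    # A DNS reply to 10.0.0.9 from port 53: below 1024, ignored by both rules.
    Flow(210.0, "udp", "203.0.113.53", 53, "10.0.0.9", 5353),
]

if __name__ == "__main__":
    for flow, mark in sorted(classify(SAMPLE).items(), key=lambda kv: kv[0].ts):
        print(f"{flow.proto} {flow.local} -> {flow.remote}:{flow.remote_port}  mark {mark}")
    print("flagged:", flagged_hosts(SAMPLE))
```

Run on the snapshot, the classifier marks the six TCP flows of 10.0.0.5 and the five UDP flows of 10.0.0.9 and leaves 10.0.0.7 and 10.0.0.11 alone; in a real script the marked flows would become `iptables -j MARK --set-mark 60` (or CONNMARK) rules rather than a Python dict.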
From: oscar at ufomechanic.net (Oscar Mechanic)
Date: Tue May 9 10:02:45 2006
Subject: [LARTC] have any one tried Snmp extension to Net-SNMP daemon
In-Reply-To: <200605081520.57860.jasonb@edseek.com>
References: <20060508151030.94999.qmail@web31609.mail.mud.yahoo.com> <200605081520.57860.jasonb@edseek.com>
Message-ID: <1147161746.4623.2.camel@OSCARLAPLIN>

I would suggest you read the snmpd.conf man page and figure out how to use the "pass" parameter. Then link this up to tc. You could write your own mib in C or perl. But I am sure you will find after using "pass" this can deal with your needs.

On Mon, 2006-05-08 at 15:20 -0400, Jason Boxman wrote:
> On Monday 08 May 2006 11:10, ragunath venkatapathy wrote:
> > Dear all,
> > I am looking for a way for creating a gui for managing qos in linux ,
> > i came across snmp extension to net snmp at
> > http://x-ray.prokon.cz/data/snmp/
> >
> > and i found qosd-0.0.1-13122003.tgz ,
> > in which there is a client server program using soap which was realy
> > intresting but when i tried to compile it ended up with many errors ,,
>
> I had similar errors and gave up on it back in 2004. I guess it's not
> maintained any longer.

From nata at cnett.com.br Tue May 9 13:11:31 2006
From: nata at cnett.com.br (Nataniel Klug)
Date: Tue May 9 13:11:44 2006
Subject: [LARTC] Matching interface using U32(?)
In-Reply-To: <445E4805.7060608@dsl.pipex.com>
References: <445B5F2C.604@cnett.com.br> <445E4805.7060608@dsl.pipex.com>
Message-ID: <446078E3.8070008@cnett.com.br>

Andy,

I made it work using iptables mark... I just had to change some parts of the script and it is now working fine.

Att,
Nataniel Klug

Andy Furniss wrote:
> Nataniel Klug wrote:
>> Hello all,
>>
>> I am trying to make a little bit more complex QoS/Shaping form
>> and I need to shape a PPPoE connection that I serve to my clients. So
>> this is the scope:
>>
>> client connects using pppoe so it gets an IP address (from pppoe
>> pool) and opens an interface into my linux box
>> interface for this client is ppp0
>> client has got an ip 1.1.1.2/32 and it is pointing to pppoe-server
>> 1.1.1.1
>>
>> So, if I want to shape download for this client it's really easy
>> and I make an htb rule that shapes all traffic into ppp0... My problem
>> is when I have to shape upload traffic. All my traffic goes through eth0
>> to the world. I tried to make this rule:
>>
>> $TC class add dev eth0 parent 1:1 classid 1:500 htb rate 200Kbit ceil
>> 200Kbit
>> $TC filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip
>> src 1.1.1.2/32 flowid 1:500
>
> protocol ip on the filter is the problem - without trying I am not
> sure what will work, but in the case of vlans you can just say protocol
> 8021q.
>
> If pppoe doesn't work, try its ethertype number - you could also use
> protocol all and match the ethertype protocol number with u32 and a
> negative offset.
>
>>
>> But this rule is not matching the upload connection. If I put the
>> same rule to an IP (I set an ip into client) this rule works, but into
>> pppoe connection it did not work properly.
>>
>> Does someone have some tip to match the interface that the connection is
>> coming from? Like I wanna match all traffic coming from ppp0 and
>> going through eth0 to be shaped?! Is there any way to make this work?
>
> If you are running >2.6.16 then you could use IFB and attach a queue
> to each ppp.
>
> There is a kernel config option for u32 to match indev - I don't know
> the syntax, though.
>
> Andy.
>
>

From ephemeric at gmail.com Tue May 9 14:59:09 2006
From: ephemeric at gmail.com (Robert Gabriel)
Date: Tue May 9 14:59:04 2006
Subject: [LARTC] Route by destination port?
Message-ID:

Hello all,

We have two ADSL lines configured on a single box, hence interfaces ppp0 & ppp1.

Is there a way to route packets to ppp0, say based on destination port 80, and other traffic like voice through ppp1?

Thanks.

From erez0001 at gmail.com Tue May 9 15:13:41 2006
From: erez0001 at gmail.com (Erez D)
Date: Tue May 9 15:13:37 2006
Subject: [LARTC] Route by destination port?
In-Reply-To:
References:
Message-ID: <6c32b540605090613q1aeee18co6e35399b57a4aa0d@mail.gmail.com>

Something like:

iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 5
ip rule add fwmark 5 table 50
ip route add table 50 $isp dev ppp0

erez.

On 5/9/06, Robert Gabriel wrote:
>
> Hello all,
>
> We have two ADSL lines configured on a single box, hence interfaces ppp0 &
> ppp1.
>
> Is there a way to route packets to ppp0, say based on destination port
> 80 & other traffic like voice through ppp1?
>
> Thanks.

From ephemeric at gmail.com Tue May 9 15:58:40 2006
From: ephemeric at gmail.com (Robert Gabriel)
Date: Tue May 9 15:58:50 2006
Subject: [LARTC] Route by destination port?
In-Reply-To: <6c32b540605090613q1aeee18co6e35399b57a4aa0d@mail.gmail.com>
References: <6c32b540605090613q1aeee18co6e35399b57a4aa0d@mail.gmail.com>
Message-ID:

Thanks! Much appreciated.

On 09/05/06, Erez D wrote:
> somthing like:
>
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 5
> ip rule add fwmark 5 table 50
> ip route add table 50 $isp dev ppp0
>
> erez.
>
>
> On 5/9/06, Robert Gabriel wrote:
>
> Hello all,
>
> We have two ADSL lines configured on a single box, hence interfaces ppp0 &
> ppp1.
>
> Is there a way to route packets to ppp0, say based on destination port
> 80 & other traffic like voice through ppp1?
>
> Thanks.
>

From nata at cnett.com.br Tue May 9 16:35:28 2006
From: nata at cnett.com.br (Nataniel Klug)
Date: Tue May 9 16:35:37 2006
Subject: [LARTC] How to match 2 networks using 2 ethernet cards sharing bandwidth?
Message-ID: <4460A8B0.6020403@cnett.com.br>

Hello all,

I have this situation:

eth0 - internet backbone
eth1 - network 192.168.0.0/24 (clients)
eth2 - network 192.168.1.0/24 (clients)

My problem is that these two networks, one on each interface, need to share 256 Kbps. I could not find a way to shape both networks because they are on different interfaces. Does anyone know some way to make it happen?

Att,
Nataniel Klug

From support8 at greatlakes.net Tue May 9 20:10:51 2006
From: support8 at greatlakes.net (Eliot, Wireless and Server Administrator, Great Lakes Internet) Date: Tue May 9 20:08:02 2006 Subject: [LARTC] tc del class not working Message-ID: <0633E0EDB4F25F43A2D7179CA11FAFAB25530F@xavier.staff.greatlakes.net> When I start my script: * - Creating classes on br1 for upload control ... * - tc class add dev br1 parent 2:0 classid 2:46 hfsc ls m1 576.0Kbit d 2000ms m2 192.0Kbit ul m2 384Kbit ... [ ok ] * - tc class add dev br1 parent 2:46 classid 2:47 hfsc sc umax 1500b dmax 30ms rate 80Kbit . [ ok ] * - tc class add dev br1 parent 2:46 classid 2:48 hfsc ls m2 152.0Kbit ul m2 152.0Kbit ... [ ok ] * - tc class add dev br1 parent 2:46 classid 2:49 hfsc rt m2 76.00Kbit ls m2 152.0Kbit ul m2 304Kbit ... [ ok ] * - Creating classes on wivl4 for download control ... * - tc class add dev wivl4 parent 5:0 classid 5:46 hfsc ls m1 1536.0Kbit d 2000ms m2 256.00Kbit ul m2 1024Kbit ... [ ok ] * - tc class add dev wivl4 parent 5:46 classid 5:47 hfsc sc umax 1500b dmax 30ms rate 80Kbit [ ok ] * - tc class add dev wivl4 parent 5:46 classid 5:48 hfsc ls m2 472.0Kbit ul m2 472.0Kbit ... [ ok ] * - tc class add dev wivl4 parent 5:46 classid 5:49 hfsc rt m2 236.00Kbit ls m2 472.0Kbit ul m2 944Kbit ... [ ok ] * - Adding rules to classify traffic for 00:05:9e:80:e1:3b ... * - iptables -A macfilter -m mac --mac-source 00:05:9e:80:e1:3b ... [ ok ] * - iptables -A macfilter_nat -t nat -m mac --mac-source 00:05:9e:80:e1:3b ... [ ok ] * - Adding rules to flag VoIP traffic ... * - iptables -A PREROUTING -t mangle -p udp -m mac --mac-source 00:05:9e:80:e1:3b -m multiport --ports 53,4569,5060,10000:20000 -j MARK --set-mark 47 ... [ ok ] * - iptables -A PREROUTING -t mangle -p tcp -m mac --mac-source 00:05:9e:80:e1:3b -m multiport --ports 22,23,53 -j MARK --set-mark 47 ... [ ok ] * - iptables -A PREROUTING -t mangle -p icmp -m mac --mac-source 00:05:9e:80:e1:3b -j MARK --set-mark 47 ... 
[ ok ] * - iptables -A PREROUTING -t mangle -m mark --mark 47 -j CONNMARK --save-mark ... [ ok ] * - Adding rules to flag P2P traffic ... * - iptables -A PREROUTING -t mangle -m mac --mac-source 00:05:9e:80:e1:3b -m ipp2p --ipp2p -j MARK --set-mark 48 ... [ ok ] * - iptables -A PREROUTING -t mangle -m mark --mark 48 -j CONNMARK --save-mark ... [ ok ] * - Adding rules to flag General traffic ... * - iptables -A PREROUTING -t mangle -m mac --mac-source 00:05:9e:80:e1:3b -j MARK --set-mar [ ok ] * - iptables -A PREROUTING -t mangle -m mark --mark 49 -j CONNMARK --save-mark ... [ ok ] * - Adding rules to classify traffic on br1 ... * - iptables -A POSTROUTING -t mangle -o br1 -m mark --mark 47 -j CLASSIFY --set-class 2:47 [ ok ] * - iptables -A POSTROUTING -t mangle -o br1 -m mark --mark 48 -j CLASSIFY --set-class 2:48 [ ok ] * - iptables -A POSTROUTING -t mangle -o br1 -m mark --mark 49 -j CLASSIFY --set-class 2:49 [ ok ] * - Adding rules to classify traffic on wivl4 ... * - iptables -A POSTROUTING -t mangle -o wivl4 -m mark --mark 47 -j CLASSIFY --set-class 5:47 [ ok ] * - iptables -A POSTROUTING -t mangle -o wivl4 -m mark --mark 48 -j CLASSIFY --set-class 5:48 [ ok ] * - iptables -A POSTROUTING -t mangle -o wivl4 -m mark --mark 49 -j CLASSIFY --set-class 5:49 [ ok ] It is all added correctly. Now, I stop the traffic shaping: * - iptables -D macfilter -m mac --mac-source 00:05:9e:80:e1:3b ... [ ok ] * - iptables -D macfilter_nat -t nat -m mac --mac-source 00:05:9e:80:e1:3b ... [ ok ] * - Deleting rules to flag VoIP traffic ... * - iptables -D PREROUTING -t mangle -p udp -m mac --mac-source 00:05:9e:80:e1:3b -m multiport --ports 53,4569,5060,10000:20000 -j MARK --set-mark 47 ... [ ok ] * - iptables -D PREROUTING -t mangle -p tcp -m mac --mac-source 00:05:9e:80:e1:3b -m multiport --ports 22,23,53 -j MARK --set-mark 47 ... [ ok ] * - iptables -D PREROUTING -t mangle -p icmp -m mac --mac-source 00:05:9e:80:e1:3b -j MARK --set-mark 47 ... 
[ ok ] * - iptables -D PREROUTING -t mangle -m mark --mark 47 -j CONNMARK --save-mark ... [ ok ] * - Deleting rules to flag P2P traffic ... * - iptables -D PREROUTING -t mangle -m mac --mac-source 00:05:9e:80:e1:3b -m ipp2p --ipp2p -j MARK --set-mark 48 ... [ ok ] * - iptables -D PREROUTING -t mangle -m mark --mark 48 -j CONNMARK --save-mark ... [ ok ] * - Deleting rules to flag General traffic ... * - iptables -D PREROUTING -t mangle -m mac --mac-source 00:05:9e:80:e1:3b -j MARK --set-mar [ ok ] * - iptables -D PREROUTING -t mangle -m mark --mark 49 -j CONNMARK --save-mark ... [ ok ] * - Deleting rules to classify traffic on br1 ... * - iptables -D POSTROUTING -t mangle -o br1 -m mark --mark 47 -j CLASSIFY --set-class 2:47 [ ok ] * - iptables -D POSTROUTING -t mangle -o br1 -m mark --mark 48 -j CLASSIFY --set-class 2:48 [ ok ] * - iptables -D POSTROUTING -t mangle -o br1 -m mark --mark 49 -j CLASSIFY --set-class 2:49 [ ok ] * - Deleting rules to classify traffic on wivl4 ... * - iptables -D POSTROUTING -t mangle -o wivl4 -m mark --mark 47 -j CLASSIFY --set-class 5:47 [ ok ] * - iptables -D POSTROUTING -t mangle -o wivl4 -m mark --mark 48 -j CLASSIFY --set-class 5:48 [ ok ] * - iptables -D POSTROUTING -t mangle -o wivl4 -m mark --mark 49 -j CLASSIFY --set-class 5:49 [ ok ] * Deleting bandwidth management for gsoule ... * - Deleting classes on br1 for upload control ... * - tc class del dev br1 parent 2:46 classid 2:47 hfsc sc umax 1500b dmax 30ms rate 80Kbit . [ ok ] * - tc class del dev br1 parent 2:46 classid 2:48 hfsc ls m2 152.0Kbit ul m2 152.0Kbit ... [ ok ] * - tc class del dev br1 parent 2:46 classid 2:49 hfsc rt m2 76.00Kbit ls m2 152.0Kbit ul m2 304Kbit ... [ ok ] * - tc class del dev br1 parent 2:0 classid 2:46 hfsc ls m1 576.0Kbit d 2000ms m2 192.0Kbit ul m2 384Kbit ... * >>>>> RTNETLINK answers: Device or resource busy [ !! ] * - Deleting classes on wivl4 for download control ... 
* - tc class del dev wivl4 parent 5:46 classid 5:47 hfsc sc umax 1500b dmax 30ms rate 80Kbit [ ok ] * - tc class del dev wivl4 parent 5:46 classid 5:48 hfsc ls m2 472.0Kbit ul m2 472.0Kbit ... [ ok ] * - tc class del dev wivl4 parent 5:46 classid 5:49 hfsc rt m2 236.00Kbit ls m2 472.0Kbit ul m2 944Kbit ... [ ok ] * - tc class del dev eth1 parent 5:0 classid 5:46 hfsc ls m1 1536.0Kbit d 2000ms m2 256.00Kbit ul m2 1024Kbit ... * >>>>> RTNETLINK answers: No such file or directory [ !! ] Those two rules do not get removed. I do not understand why they are failing. The del rules are exactly the same as the add rules, except they say del instead of add. I can clear the rules by deleting the root qdiscs on the interface, but that removes all rules for the entire interface, which is not the desired operation. Also, a quick test by hand shows that it is only from having a child class assigned to it that it becomes un-deletable. This works fine: wireless-r1 raddb # tc class add dev wivl4 parent 5:0 classid 5:56 hfsc ls m1 1536.0Kbit d 2000ms m2 256.00Kbit ul m2 1024Kbit wireless-r1 raddb # tc class del dev wivl4 parent 5:0 classid 5:56 hfsc ls m1 1536.0Kbit d 2000ms m2 256.00Kbit ul m2 1024Kbit This does not: wireless-r1 raddb # tc class add dev wivl4 parent 5:0 classid 5:56 hfsc ls m1 1536.0Kbit d 2000ms m2 256.00Kbit ul m2 1024Kbit wireless-r1 raddb # tc class add dev wivl4 parent 5:56 classid 5:57 hfsc sc umax 1500b dmax 30ms rate 80Kbit wireless-r1 raddb # tc class del dev wivl4 parent 5:56 classid 5:57 hfsc sc umax 1500b dmax 30ms rate 80Kbit wireless-r1 raddb # tc class del dev wivl4 parent 5:0 classid 5:56 hfsc ls m1 1536.0Kbit d 2000ms m2 256.00Kbit ul m2 1024Kbit RTNETLINK answers: Device or resource busy I have looked everywhere trying to figure this out. Does anyone have any ideas? Thanks. 
Eliot Gable Certified Wireless Network Administrator (CWNA) Certified Wireless Security Professional (CWSP) Cisco Certified Network Associate (CCNA) CompTIA Security+ Certified CompTIA Network+ Certified Network and Systems Administrator Great Lakes Internet, Inc. 112 North Howard Croswell, MI 48422 (810) 679-3395 (877) 558-8324 Now offering Broadband Wireless Internet access in Croswell, Lexington, Brown City, Yale, and Sandusky. Call for details. From jasonb at edseek.com Tue May 9 23:04:26 2006 From: jasonb at edseek.com (Jason Boxman) Date: Tue May 9 23:08:17 2006 Subject: [LARTC] Route by destination port? In-Reply-To: References: Message-ID: <200605091704.27048.jasonb@edseek.com> On Tuesday 09 May 2006 08:59, Robert Gabriel wrote: > Hello all, > > We have two ADSL lines configured on a single box, hence interfaces ppp0 & > ppp1. > > Is there a way to route packets to ppp0, say based on destination port > 80 & other traffic like voice through ppp1? Yes, I ended up doing it this way[1]. Works great so far. [1] http://edseek.com/archives/2006/05/01/configuring-multipath-routing-for-ports-without-balancing/ -- Jason Boxman http://edseek.com/ - Linux and FOSS stuff From andreas at stapelspeicher.org Wed May 10 00:17:59 2006 
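The add/delete cycle above as a script, added here as an example rather than taken from Eliot's script. It creates one user's subtree and tears it down on the same device, leaves first, and same_device catches the one slip visible in the transcript: the last delete is issued for dev eth1 although the 5:46 class was added on wivl4, which is what "No such file or directory" is reporting (the "Device or resource busy" on br1 is a different matter, taken up in the replies). Handles and service curves are the thread's; the wivl4 device name and the DRY_RUN default are assumptions.

```shell
#!/bin/sh
# Added example, not Eliot's script: create one wireless user's HFSC subtree
# and remove it again in reverse order (leaves first, then the parent), always
# on the same device. Handles and curves follow the thread; wivl4 is assumed.
DEV=${DEV:-wivl4}
ROOT=${ROOT:-5:0}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = execute them

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

hfsc_user_add() {   # $1 = minor id of the user class, e.g. 46; leaves are +1..+3
    u=$1
    run tc class add dev "$DEV" parent "$ROOT" classid "5:$u" hfsc ls m1 1536kbit d 2000ms m2 256kbit ul m2 1024kbit
    run tc class add dev "$DEV" parent "5:$u" classid "5:$((u + 1))" hfsc sc umax 1500b dmax 30ms rate 80kbit
    run tc class add dev "$DEV" parent "5:$u" classid "5:$((u + 2))" hfsc ls m2 472kbit ul m2 472kbit
    run tc class add dev "$DEV" parent "5:$u" classid "5:$((u + 3))" hfsc rt m2 236kbit ls m2 472kbit ul m2 944kbit
}

hfsc_user_del() {   # $1 = minor id of the user class
    u=$1
    # A class can only go once it has no children; "del" needs just dev and
    # classid, the service curve does not have to be repeated.
    for leaf in $((u + 3)) $((u + 2)) $((u + 1)); do
        run tc class del dev "$DEV" classid "5:$leaf"
    done
    run tc class del dev "$DEV" classid "5:$u"
}

# Reads tc commands on stdin; exit 0 only if every "dev X" names the same
# device, i.e. the teardown targets the interface the classes were added on.
same_device() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") seen[$(i + 1)] = 1 }
         END { n = 0; for (d in seen) n++; exit (n == 1 ? 0 : 1) }'
}
```

Before letting the script run for real, pipe the dry-run output of both halves through same_device; a mismatch like the eth1/wivl4 one then fails in review instead of at 3 a.m.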
From: andreas at stapelspeicher.org (Andreas Mueller) Date: Wed May 10 00:18:04 2006 Subject: [LARTC] tc del class not working In-Reply-To: <0633E0EDB4F25F43A2D7179CA11FAFAB25530F@xavier.staff.greatlakes.net> References: <0633E0EDB4F25F43A2D7179CA11FAFAB25530F@xavier.staff.greatlakes.net> Message-ID: <20060509221759.GA3892@lintera> Hi, this is a bug in the sch_hfsc.c module, the level count doesn't get adjusted correctly. The following patch works for me, but is not a beauty and may be wrong. Andreas Eliot, Wireless and Server Administrator, Great Lakes Internet wrote: ... > Also, a quick test by hand shows that it is only from having a child > class assigned to it that it becomes un-deletable. ... > > This does not: > > wireless-r1 raddb # tc class add dev wivl4 parent 5:0 classid 5:56 hfsc > ls m1 1536.0Kbit d 2000ms m2 256.00Kbit ul m2 1024Kbit > > wireless-r1 raddb # tc class add dev wivl4 parent 5:56 classid 5:57 hfsc > sc umax 1500b dmax 30ms rate 80Kbit > > wireless-r1 raddb # tc class del dev wivl4 parent 5:56 classid 5:57 hfsc > sc umax 1500b dmax 30ms rate 80Kbit > > wireless-r1 raddb # tc class del dev wivl4 parent 5:0 classid 5:56 hfsc > ls m1 1536.0Kbit d 2000ms m2 256.00Kbit ul m2 1024Kbit > RTNETLINK answers: Device or resource busy ... From andreas at stapelspeicher.org Wed May 10 00:19:49 2006 From: andreas at stapelspeicher.org (Andreas Mueller) Date: Wed May 10 00:19:54 2006 Subject: [LARTC] tc del class not working In-Reply-To: <20060509221759.GA3892@lintera> References: <0633E0EDB4F25F43A2D7179CA11FAFAB25530F@xavier.staff.greatlakes.net> <20060509221759.GA3892@lintera> Message-ID: <20060509221949.GB3892@lintera> I always forget attachments. ;) -------------- next part -------------- --- linux/net/sched/sch_hfsc.c~ 2006-01-15 07:16:02.000000000 +0100 +++ linux/net/sched/sch_hfsc.c 2006-05-10 00:07:07.000000000 +0200
@@ -970,14 +970,15 @@ { struct hfsc_class *p; unsigned int level; - + int adj = 0; do { level = 0; list_for_each_entry(p, &cl->children, siblings) { if (p->level > level) level = p->level; + adj = 1; } - cl->level = level + 1; + cl->level = level + adj; } while ((cl = cl->cl_parent) != NULL); } From kaber at trash.net Wed May 10 06:43:52 2006 From: kaber at trash.net (Patrick McHardy) Date: Wed May 10 06:43:50 2006 Subject: [LARTC] tc del class not working In-Reply-To: <20060509221949.GB3892@lintera> References: <0633E0EDB4F25F43A2D7179CA11FAFAB25530F@xavier.staff.greatlakes.net> <20060509221759.GA3892@lintera> <20060509221949.GB3892@lintera> Message-ID: <44616F88.4000304@trash.net> Andreas Mueller wrote: > I allways forget attachments. ;) > > > ------------------------------------------------------------------------ > > --- linux/net/sched/sch_hfsc.c~ 2006-01-15 07:16:02.000000000 +0100 > +++ linux/net/sched/sch_hfsc.c 2006-05-10 00:07:07.000000000 +0200 > @@ -970,14 +970,15 @@ > { > struct hfsc_class *p; > unsigned int level; > - > + int adj = 0; > do { > level = 0; > list_for_each_entry(p, &cl->children, siblings) { > if (p->level > level) > level = p->level; > + adj = 1; > } > - cl->level = level + 1; > + cl->level = level + adj; > } while ((cl = cl->cl_parent) != NULL); > } Nice catch, this could result in quite some undesirable behaviour. The unconditional + 1 seems to be a thinko originating in class addition. A slightly prettier fix would be to just change if (p->level > level) level = p->level to if (p->level >= level) level = p->level + 1 If you send me a patch which does that and a proper Signed-off-by: line I'll push it upstream for 2.6.17. From ephemeric at gmail.com Wed May 10 10:55:22 2006 
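Review bot: `adj` is declared outside the do/while and is only ever set to 1, never reset, so once the first iteration finds a child it stays 1 for every ancestor visited through `cl_parent`. That happens to be correct, because each ancestor necessarily has the class we came up from as a child, but the invariant is nowhere stated and a reader has to work it out; the shorter form Patrick suggests, `if (p->level >= level) level = p->level + 1;` followed by `cl->level = level;`, gives a leaf level 0 and an inner class max child level + 1 without the flag. Two smaller points: the hunk drops the blank line between the declarations and `do {` (keep it), and `int adj` is a boolean masquerading as an integer. The patch also has no Signed-off-by: line, which it needs before it can go upstream.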
From: ephemeric at gmail.com (Robert Gabriel) Date: Wed May 10 10:55:23 2006 Subject: [LARTC] Route by destination port? In-Reply-To: <200605091704.27048.jasonb@edseek.com> References: <200605091704.27048.jasonb@edseek.com> Message-ID: Thanks, your document helped plenty. Does this work well with only the ROUTE target for Netfilter? Does anyone know what the earliest kernel version is that supports this target? On 09/05/06, Jason Boxman wrote: > On Tuesday 09 May 2006 08:59, Robert Gabriel wrote: > > Hello all, > > > > We have two ADSL lines configured on a single box, hence interfaces ppp0 & > > ppp1. > > > > Is there a way to route packets to ppp0, say based on destination port > > 80 & other traffic like voice through ppp1? > > Yes, I ended up doing it this way[1]. Works great so far. > > [1] > http://edseek.com/archives/2006/05/01/configuring-multipath-routing-for-ports-without-balancing/ > > -- > > Jason Boxman > http://edseek.com/ - Linux and FOSS stuff > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > From alessandrovitale at libero.it Wed May 10 14:36:25 2006 From: alessandrovitale at libero.it (alessandrovitale@libero.it) Date: Wed May 10 14:36:22 2006 Subject: [LARTC] tc patched doesn't work with WFQ TOO Message-ID: I've the same problem of Julien Bisconti. Can someone help me ? I try to compile iproute2 for my target ppc 8260. Thank you ! From johnm at advocap.org Wed May 10 16:03:44 2006 
From: johnm at advocap.org (John McMonagle) Date: Wed May 10 16:03:59 2006 Subject: [LARTC] Problem with routing 2 isps with 2.6.15 kernel Message-ID: <4461F2C0.7010500@advocap.org> Doing routing based on this: http://lartc.org/howto/lartc.rpdb.multiple-links.html Have done it for over a year. Tried a new 2.6.15 kernel. Firewall is based on debian sarge. Most things work ok dnat snat etc. Can simultaneously ssh in to an internal host via both isps with no problems. At the moment the default route is via eth2. root@fonroute:~# ip rule 0: from all lookup local 200: from all lookup 200 201: from 216.170.136.0/24 lookup isp1 201: from 24.196.120.28/30 lookup isp2 222: from all lookup multi 32766: from all lookup main 32767: from all lookup default root@fonroute:~# ip route list table 200 192.168.0.0/16 via 192.168.2.254 dev eth0 root@fonroute:~# ip route list table isp1 default via 216.170.136.1 dev eth1 proto static src 216.170.136.82 prohibit default proto static metric 1 root@fonroute:~# ip route list table isp2 default via 24.196.120.29 dev eth2 proto static src 24.196.120.30 prohibit default proto static metric 1 root@fonroute:~# ip route list table multi default via 24.196.120.29 dev eth2 proto static What always fails is: ssh into internal host via eth1. From there ssh or ping back to the original host. One thing I have noticed is that there are far fewer connections in /proc/net/ip_conntrack but connections I was testing are listed. Was holding off posting until I could describe it better but running out of time :-( Sorry I know this is not enough. I need to put it on another kernel soon but I can try on another firewall if anyone has any ideas to try. Thanks John -- John McMonagle IT Manager Advocap Inc. From muthukumar at gmail.com Wed May 10 21:39:02 2006
From: muthukumar at gmail.com (Muthukumar S) Date: Wed May 10 21:38:57 2006 Subject: [LARTC] HTB at 100+ Mbits/sec Message-ID: Hello all, I've been trying to test HTB performance for different link bandwidths to find potential limits and this is what I have so far: http://home.comcast.net/~msethuraman/htbtest/ Can members please go over the setup, test procedure and the results and answer a few questions? 1. Is the testing methodology okay and can the results be considered accurate? If so, is this a decent representation of behavior outside the lab? 2. Does anyone know of any limits (theoretical or observed) beyond which HTB will not work or will be inaccurate? 3. I've never quite understood the recommendation for setting the root HTB to 85-90% of the link. All these tests used 100%. Can someone please explain or point me to some explanations for the 90% recommendation and why it is considered necessary? If you need more information, please let me know. Thanks a lot! -- Muthu From unga888 at yahoo.com Thu May 11 09:57:26 2006 From: unga888 at yahoo.com (Unga) Date: Thu May 11 09:57:25 2006 Subject: [LARTC] Settings DS field: Does it make sense? Message-ID: <20060511075726.99420.qmail@web38414.mail.mud.yahoo.com> Hi all I can set the DS field to EF of outgoing VoIP RTP packets, but does it make any sense to routers? Do routers look at the DS field for routing decisions or do routers classify packets based on other criteria and subsequently set the DS field? I'm a bit confused here, could somebody give me some light here. Thanks. Regards Unga From subscriptions at navig.ca Thu May 11 17:01:12 2006
From: subscriptions at navig.ca (G Georgiev) Date: Thu May 11 16:57:22 2006 Subject: [LARTC] SNAT on IPSEC tunnel with kernel 2.6/KAME tools? In-Reply-To: <4462DE99.3020906@trash.net> References: <200605031322.30125.subscriptions@navig.ca> <200605102245.11025.subscriptions@navig.ca> <4462DE99.3020906@trash.net> Message-ID: <200605111101.12051.subscriptions@navig.ca> Could you (or someone else on the list) just tell me how this can be done with netfilter? I could not find a way for it. I am with kernel 2.6.16-14 now. The problem, again: > Could not conceive a working set-up for an IPSEC VPN made with > racoon/setkey on which I have one address on my side acting as an SNAT > router for all traffic from my network to a network segment on the far > side. > > my network --- my gateway ---------------------- remote network > 10.0.0.0/24 - 10.0.0.1 (10.253.0.2) -- tunnel - 192.168.0.0/22 > > The VPN starts on the gateway, simply all traffic destined to > 192.168.0.0/22 should get an SNAT to 10.253.0.2 and go via the tunnel. > SNAT however is available only in POSTROUTING chain, and no outgoing > interface really exists with setkey. > So, next rule should be implemented on the gateway: "Packets going to > 192.168.0.0/22 should be SNAT to 10.253.0.2 and go via the tunnel" George. From support8 at greatlakes.net Thu May 11 19:02:20 2006
From: support8 at greatlakes.net (Eliot, Wireless and Server Administrator, Great Lakes Internet) Date: Thu May 11 18:59:44 2006 Subject: [LARTC] HFSC and prioritization Message-ID: <0633E0EDB4F25F43A2D7179CA11FAFAB25533F@xavier.staff.greatlakes.net> I'm using HFSC to limit bandwidth for our wireless customers. However, I'd also like the bandwidth prioritized based on packet type. This is what I'm trying right now, and I'd just like some input from anyone out there knowledgeable in this on whether it does what I want it to do: Eth1 -> HFSC ........|-> HFSC (User1) (Min 512 Kb, Max 1024 Kb, Burst 1536 Kb@2s) ........|...|-> Prio_qdisc ........|.......|-> 1 ........|.......|...|->HFSC VoIP/Interactive(max 30ms, Real 128Kb) ........|.......| ........|.......|-> 2 ........|.......|...|->HFSC Web,FTP(Min 512Kb,Max 1024Kb,Burst 1536Kb@2s) ........|.......| ........|.......|-> 3 ........|...........|->HFSC P2P(Min 0 Kb, Max 1024 Kb, all shared) ........| ........|-> HFSC (User2) (etc) ..etc... What I'm aiming for is: No matter what type of traffic is being transferred, the user is guaranteed 512Kbps and can max out at 1024Kbps, but can also burst up to 1536Kbps for 2 seconds. VoIP / SSH / Telnet / non-data ACK packets get priority over everything else. It would be guaranteed 128Kbps of bandwidth if it were needed. Ideally, it would not reserve that bandwidth unless it was actually needed. It should also get more bandwidth than 128Kbps if it is needed, but anything after 128Kbps it has to fight for with everything else (except it has a higher priority so it should win out in 99.99999% of cases?) Web, FTP, and other unclassifiable traffic would get second priority and would be guaranteed 512Kbps of bandwidth with a maximum of 1024Kbps and can burst up to 1536Kbps for 2 seconds. Finally, P2P traffic is not guaranteed anything, but could use all available bandwidth if the user is not doing anything else. 
No matter how much bandwidth P2P wants, if something else needs bandwidth, the other traffic should win out and receive the bandwidth. These are my actual rules: # Base user class tc class add dev wivl4 parent 5:0 classid 5:130 hfsc ls m1 1536.0Kbit d 2000ms m2 512.00Kbit ul m2 1024Kbit # Priority queue tc qdisc add dev wivl4 parent 5:130 handle 134: prio bands 3 tc qdisc add dev wivl4 parent 134:1 handle 135: hfsc default 1 tc qdisc add dev wivl4 parent 134:2 handle 136: hfsc default 1 tc qdisc add dev wivl4 parent 134:3 handle 137: hfsc default 1 # VoIP / Interactive tc class add dev wivl4 parent 135: classid 135:1 hfsc sc umax 1500b dmax 30ms rate 128Kbit # Web tc class add dev wivl4 parent 136: classid 136:1 hfsc rt m2 512.00Kbit ls m2 512.0Kbit ul m2 1024Kbit # P2P tc class add dev wivl4 parent 137: classid 137:1 hfsc ls m2 1024.0Kbit ul m2 1024.0Kbit Does this look appropriate? Eliot Gable Certified Wireless Network Administrator (CWNA) Certified Wireless Security Professional (CWSP) Cisco Certified Network Associate (CCNA) CompTIA Security+ Certified CompTIA Network+ Certified Network and Systems Administrator Great Lakes Internet, Inc. 112 North Howard Croswell, MI 48422 (810) 679-3395 (877) 558-8324 Now offering Broadband Wireless Internet access in Croswell, Lexington, Brown City, Yale, and Sandusky. Call for details. From muthukumar at gmail.com Thu May 11 19:18:57 2006 From: muthukumar at gmail.com (Muthukumar S) Date: Thu May 11 19:18:52 2006 Subject: Fwd: [LARTC] HTB at 100+ Mbits/sec In-Reply-To: <2af436490605101445p2b30b21dr16ba6af77c910fec@mail.gmail.com> References: <2af436490605101445p2b30b21dr16ba6af77c910fec@mail.gmail.com> Message-ID: Forwarding this to the list just so its in the archives. ---------- Forwarded message ---------- 
From: Jody Shumaker Date: May 10, 2006 3:45 PM Subject: Re: [LARTC] HTB at 100+ Mbits/sec To: Muthukumar S > 3. I've never quite understood the recommendation for setting the root > HTB to 85-90% of the link. All these tests used 100%. Can someone > please explain or point me to some explanations for the 90% > recommendation and why it is considered necessary? 85-90% is just a recommendation, in reality it just needs to be slightly lower than the actual max bandwidth. The reason for this is to ensure you are the bottleneck. If you aren't the bottleneck, then it's likely there will be a queue at the other bottleneck that will diminish the value of any shaping you do. Often the 85-90% figure is given because people may be told by their isp they have 512kbit, but in reality it rarely performs that much due to noisy lines etc. Personally I'd suggest measuring the actual max bandwidth and then set the limit below that. In my case my isp claims I have 2mbit upload, in testing I found myself to have 1840.8kbit/s upload, and thus set my max to 1836kbit/s to give myself 5kbit/s of room in case noise varies and my actual upload max varies. Compared to my isp's claimed 2mbit though, this is 91.8%. If I had just used the 90% guideline it would have been accurate. In the past though, I've been able to use 504kbit on a 512kbit connection because testing found it to consistently get a real throughput of around 508kbit. - Jody From muthukumar at gmail.com Thu May 11 19:20:02 2006 From: muthukumar at gmail.com (Muthukumar S) Date: Thu May 11 19:19:56 2006 Subject: [LARTC] HTB at 100+ Mbits/sec In-Reply-To: References: Message-ID: Forwarding this to the list just so it's in the archives. ---------- Forwarded message ----------
From: Larry Brigman Date: May 11, 2006 10:16 AM Subject: Re: [LARTC] HTB at 100+ Mbits/sec To: Muthukumar S On 5/10/06, Muthukumar S wrote: > Hello all, > > I've been trying to test HTB performance for different link bandwidths > to find potential limits and this is what I have so far: > > http://home.comcast.net/~msethuraman/htbtest/ > > Can members please go over the setup, test procedure and the results > and answer a few questions? > > 1. Is the testing methodology okay and can the results be considered > accurate? If so, is this a decent representation of behavior outside > the lab? Iperf has a demonstrated behavior that when running more than one copy at the same time on the same box (client side), the timing of each will start to affect the other copies. This is a function of how Iperf does its timing (spin loops). If you are just wanting to test HTB, the router/bw limiter will be in the way of making accurate measurements of what HTB is doing to the traffic. Also with the router in the middle and using TCP; TCP will try to level itself to the path bw between the end points. UDP might be a better method here as you have no round trip. > > 2. Does anyone know of any limits (theoretical or observed) beyond > which HTB will not work or will be inaccurate? None that I know of. Most likely the limits will be that of the driver/hardware not allowing you to reach wire saturation (ie YMMV). > > 3. I've never quite understood the recommendation for setting the root > HTB to 85-90% of the link. All these tests used 100%. Can someone > please explain or point me to some explanations for the 90% > recommendation and why it is considered necessary? > The basic reasoning for limiting to < 100% of link rate is to make sure none of the choke points on the path have any reason to discard your packets. The burst and cburst parameters allow HTB to overstep the limited rate for some period of time when coming from an under-utilized link.
This burst rate may be enough for your cable/DSL modem which does not have a large buffer to discard packets. Most of what I have seen here seems to indicate that 95-98% of link rate when using rate-shaping disciplines typically works well provided you don't have too large burst parameters. From jody.shumaker at gmail.com Thu May 11 20:25:29 2006
From: jody.shumaker at gmail.com (Jody Shumaker) Date: Thu May 11 20:25:25 2006 Subject: [LARTC] HTB at 100+ Mbits/sec In-Reply-To: References: <2af436490605101445p2b30b21dr16ba6af77c910fec@mail.gmail.com> Message-ID: <2af436490605111125s7cf494f0p3cb3c1e92c30be8d@mail.gmail.com> On 5/10/06, Muthukumar S wrote: > First up, thanks for the response Jody. I appreciate your taking the > time to answer. > > So in essence what this means is that I will not be able to use the > maximum that the link allows if I'm shaping traffic? Please correct me > if I got this wrong - let's say my ISP claims 512 Kbit/s upload and > real throughput varies between 450 Kbit/s and 500 Kbit/s. So if I > shaped traffic using 450 Kbit/s as the root qdisc, I would lose out on > the occasions when the line does allow more than 450 Kbit/s? > Unfortunately yes, if you want the shaping to work well you need to set it appropriately. No real way to have it vary dynamically. Basically what happens when you're not the bottleneck is that ping times will go up as data will queue at the other bottleneck, and your bandwidth allotments will no longer accurately represent the connection. They'll have less of an effect as TCP throttling starts having to kick in. I imagine if you designed the rules you could have the ratio between your classes still honored, and only have the increased lag or possibility for packet loss. To do this if you knew it was always at least 450k but sometimes 500k, set the rates for all the child classes to add up to 450k, but use 500k as the highest ceiling and for the base class. Then in this case it should still continue to split the 450k evenly between the classes as you described, but still using up to the 500k when it's available. Not sure how well this would work though as I've usually been more concerned with keeping the latency down, and set the ceil such that the majority of the time it's slightly below the real bandwidth. - Jody P.S.
Thanks for forwarding the email to the list, I always forget to hit reply to all. From jody.shumaker at gmail.com Thu May 11 22:19:53 2006
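Jody's suggestion turned into a checked HTB plan. This is an added example, not code from the thread: the child guarantees add up to the lowest measured throughput (the floor, 450 kbit here) and every ceil is the highest measured throughput (500 kbit), so the split between classes holds even when the line is at its worst, while the spare 50 kbit is still used when the line allows it. The eth0 uplink name and the three class weights are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: guarantees sum to the measured floor,
# ceilings are the measured maximum. Assumptions: eth0 is the uplink and the
# class weights (interactive, bulk, p2p) are illustrative.
DEV=${DEV:-eth0}
FLOOR_KBIT=${FLOOR_KBIT:-450}   # worst measured throughput: what we guarantee
CEIL_KBIT=${CEIL_KBIT:-500}     # best measured throughput: what we allow
WEIGHTS="3 5 1"                 # interactive, bulk, p2p
DRY_RUN=${DRY_RUN:-1}           # 1 = print the commands, 0 = execute them

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

weight_total() { t=0; for w in $WEIGHTS; do t=$((t + w)); done; echo "$t"; }

# class_rate WEIGHT -> this class's guaranteed kbit, rounded down so the
# guarantees can never add up to more than the floor.
class_rate() { echo $(( FLOOR_KBIT * $1 / $(weight_total) )); }

# plan_ok -> 0 when floor <= ceil and the guarantees fit under the floor.
plan_ok() {
    [ "$FLOOR_KBIT" -le "$CEIL_KBIT" ] || return 1
    sum=0
    for w in $WEIGHTS; do sum=$((sum + $(class_rate "$w"))); done
    [ "$sum" -le "$FLOOR_KBIT" ]
}

htb_up() {
    plan_ok || { echo "refusing: guarantees do not fit (floor $FLOOR_KBIT, ceil $CEIL_KBIT)" >&2; return 1; }
    run tc qdisc add dev "$DEV" root handle 1: htb default 11
    # The parent class is the ceiling; it is what keeps this box the bottleneck.
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate "${CEIL_KBIT}kbit" ceil "${CEIL_KBIT}kbit"
    minor=10
    for w in $WEIGHTS; do
        # rate = share of the floor; ceil = whole line when the others are idle
        run tc class add dev "$DEV" parent 1:1 classid "1:$minor" htb rate "$(class_rate "$w")kbit" ceil "${CEIL_KBIT}kbit"
        run tc qdisc add dev "$DEV" parent "1:$minor" handle "$minor:" sfq perturb 10
        minor=$((minor + 1))
    done
}
```

Measure the floor and the ceiling with a real transfer before filling the two numbers in; the plan refuses to build anything if the floor is above the ceiling, which is the usual symptom of copying the ISP's marketing figure into CEIL_KBIT.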
From: jody.shumaker at gmail.com (Jody Shumaker) Date: Thu May 11 22:19:50 2006 Subject: [LARTC] HFSC and prioritization In-Reply-To: <0633E0EDB4F25F43A2D7179CA11FAFAB25533F@xavier.staff.greatlakes.net> References: <0633E0EDB4F25F43A2D7179CA11FAFAB25533F@xavier.staff.greatlakes.net> Message-ID: <2af436490605111319l17615c50w76e1f0d97a5c4fa3@mail.gmail.com> > # Base user class > tc class add dev wivl4 parent 5:0 classid 5:130 hfsc ls m1 1536.0Kbit d > 2000ms m2 512.00Kbit ul m2 1024Kbit > > # Priority queue > tc qdisc add dev wivl4 parent 5:130 handle 134: prio bands 3 > tc qdisc add dev wivl4 parent 134:1 handle 135: hfsc default 1 > tc qdisc add dev wivl4 parent 134:2 handle 136: hfsc default 1 > tc qdisc add dev wivl4 parent 134:3 handle 137: hfsc default 1 > > # VoIP / Interactive > tc class add dev wivl4 parent 135: classid 135:1 hfsc sc umax 1500b dmax > 30ms rate 128Kbit > > # Web > tc class add dev wivl4 parent 136: classid 136:1 hfsc rt m2 512.00Kbit > ls m2 512.0Kbit ul m2 1024Kbit > > # P2P > tc class add dev wivl4 parent 137: classid 137:1 hfsc ls m2 1024.0Kbit > ul m2 1024.0Kbit > > > Does this look appropriate? > > My understanding of HFSC is limited, but I'm fairly sure it's similar to all other qdiscs in one respect that would make the config you have shown not actually work as you've described. Each of those HFSC qdiscs is a separate entity, no sharing will occur between those HFSC classes because each one belongs to a different qdisc. If you implemented this, the priority portion would likely work, but if all 3 classes were sending they would be trying for their individual max, resulting in a combined total send of 3072kbps. If you want what you've described then there would need to be some sort of way to define that same priority within one HFSC between the classes. I know HTB has the prio parameter but I've never found good documentation on HFSC and don't know if it has an equivalent.
Of course all of what I said would be wrong if HFSC has inter-qdisc communication but I highly doubt that as it seems to go against the design of most qdiscs. What is there for good HFSC documentation out there right now anyways? Thanks, Jody From subscriptions at navig.ca Fri May 12 04:28:44 2006
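The fix Jody's diagnosis points at, as an added example rather than Eliot's rules: the three traffic types become sibling classes under the one user class in a single HFSC tree, so they really do share the user's 1024 kbit ceiling instead of each prio band owning a private 1024 kbit scheduler. The delay requirement for VoIP is expressed with a real-time curve, which HFSC serves ahead of all link-sharing traffic, and a small link-sharing weight keeps P2P last in line without starving it. Figures follow the thread (512 guaranteed, 1024 ceiling, 1536 burst for 2 s, 128 kbit within 30 ms for VoIP); the 64 kbit P2P weight, the wivl4 device and the rt_within_ceiling check are assumptions, and classification stays with CLASSIFY rules as in Eliot's script, pointed at the new class ids.

```shell
#!/bin/sh
# Added example, not Eliot's rules: one user's three traffic classes as
# siblings under one HFSC class, so they share the user's ceiling.
# Figures follow the thread; the 64kbit P2P weight and wivl4 are assumptions.
DEV=${DEV:-wivl4}
USER_ID=${USER_ID:-130}   # minor id of the user class; leaves use +1..+3
DRY_RUN=${DRY_RUN:-1}     # 1 = print the commands, 0 = execute them

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# rt_within_ceiling CEIL_KBIT RT_KBIT... -> 0 if the real-time guarantees fit.
# HFSC serves rt curves regardless of ul, so rt sums above the ceiling would
# silently break the per-user limit (and, across users, the link).
rt_within_ceiling() {
    ceil=$1; shift; sum=0
    for r in "$@"; do sum=$((sum + r)); done
    [ "$sum" -le "$ceil" ]
}

hfsc_user_shared() {
    u=$USER_ID; voip=$((u + 1)); web=$((u + 2)); p2p=$((u + 3))
    rt_within_ceiling 1024 128 512 || return 1
    # User class: 512kbit guaranteed, 1024kbit ceiling, 1536kbit for 2 s after idle.
    run tc class add dev "$DEV" parent 5:0 classid "5:$u" hfsc ls m1 1536kbit d 2000ms m2 512kbit ul m2 1024kbit
    # VoIP/interactive: the rt curve is the delay guarantee (a 1500 B packet
    # within 30 ms at 128kbit) and is served before any link-sharing traffic;
    # that is as close to "priority" as HFSC gets. Above 128kbit it competes
    # through its ls curve like everyone else.
    run tc class add dev "$DEV" parent "5:$u" classid "5:$voip" hfsc rt umax 1500b dmax 30ms rate 128kbit ls m2 128kbit
    # Web/FTP/unclassified: the 512kbit guarantee; no ul, so it may take the
    # whole user ceiling when VoIP and P2P are quiet.
    run tc class add dev "$DEV" parent "5:$u" classid "5:$web" hfsc rt m2 512kbit ls m2 512kbit
    # P2P: link-sharing only, small weight: loses every contest, never starved.
    run tc class add dev "$DEV" parent "5:$u" classid "5:$p2p" hfsc ls m2 64kbit
    # A fair leaf qdisc under each class so one flow cannot hog its class.
    for leaf in $voip $web $p2p; do
        run tc qdisc add dev "$DEV" parent "5:$leaf" handle "$leaf:" sfq perturb 10
    done
}
```

The ceiling is enforced once, at 5:130, and the children only ever split what that class is allowed to send, which is the sharing the prio-band layout could not give.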
From: subscriptions at navig.ca (G Georgiev) Date: Fri May 12 04:24:56 2006 Subject: [LARTC] SNAT on IPSEC tunnel with kernel 2.6/KAME tools? In-Reply-To: <200605111101.12051.subscriptions@navig.ca> References: <200605031322.30125.subscriptions@navig.ca> <4462DE99.3020906@trash.net> <200605111101.12051.subscriptions@navig.ca> Message-ID: <200605112228.44022.subscriptions@navig.ca> OK, Found a solution - if someone is interested - assigned the near end of the IPSEC tunnel address to the internal interface; this way got a POSTROUTING chain available and did an SNAT there: ip addr add 10.253.0.2 dev eth0; ip route add to unicast 192.168.4.0/24 via 10.253.0.2 iptables -t nat -A POSTROUTING -d 192.168.4.0/24 -j SNAT --to 10.253.0.2 Looks to work just fine, despite being not so 'clean' - I would prefer to have a separate interface for the VPN, not to assign an alias to eth0. Does not work with lo instead of eth0. George. On Thursday 11 May 2006 11:01 am, G Georgiev wrote: > Could you (or someone else on the list) just tell me how this can be done > with netfilter? I could not find a way for it. I am with kernel > 2.6.16-14 > > now. The problem, again: > > Could not conceive a working set-up for an IPSEC VPN made with > > racoon/setkey on which I have one address on my side acting as an SNAT > > router for all traffic from my network to a network segment on the far > > side. > > > > my network --- my gateway ---------------------- remote network > > 10.0.0.0/24 - 10.0.0.1 (10.253.0.2) -- tunnel - 192.168.0.0/22 > > > > The VPN starts on the gateway, simply all traffic destined to > > 192.168.0.0/22 should get an SNAT to 10.253.0.2 and go via the tunnel. > > SNAT however is available only in POSTROUTING chain, and no outgoing > > interface really exists with setkey. > > > > So, next rule should be implemented on the gateway: "Packets going > > to 192.168.0.0/22 should be SNAT to 10.253.0.2 and go via the tunnel" > > George.
> > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc From kaber at trash.net Fri May 12 07:04:17 2006 From: kaber at trash.net (Patrick McHardy) Date: Fri May 12 07:04:13 2006 Subject: [LARTC] SNAT on IPSEC tunnel with kernel 2.6/KAME tools? In-Reply-To: <200605112228.44022.subscriptions@navig.ca> References: <200605031322.30125.subscriptions@navig.ca> <4462DE99.3020906@trash.net> <200605111101.12051.subscriptions@navig.ca> <200605112228.44022.subscriptions@navig.ca> Message-ID: <44641751.2090909@trash.net> G Georgiev wrote: > OK, > > Found a solution - if some is interested - assigned the near end of > the IPSEC tunnel address to the internal interface; this way got a > POSTROUTING chain available and did an SNAT there: > > ip addr add 10.253.0.2 dev eth0; > ip route add to unicast 192.168.4.0/24 via 10.253.0.2 > iptables -t nat -A POSTROUTING -d 192.168.4.0/24 -j SNAT --to 10.253.0.2 > > Looks to work just fine, despite being not so 'clean' - I would prefer > to have a separate interface for the VPN, not to assign an alias to eth0. > Does not work with lo instead of eth0. A few hints: - lo doesn't work because IPsec is disabled by default on loopback. Check /proc/sys/net/ipv4/conf//disable_{policy,xfrm}. If you disable rp_filter you can even route the IPsec network to lo and it will work (or use dummy if working with a separate interface makes it easier for you). - you don't need the extra address and route, just SNAT is enough - The policy match can be used to express something similar to "-i ipsec0" and "-o ipsec0". From kaber at trash.net Fri May 12 07:24:15 2006 
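Patrick's third hint, spelled out as an added example (this is not code from the thread): the netfilter policy match gives the "-o ipsec0" / "-i ipsec0" semantics that native 2.6 IPsec has no interface for, so the SNAT can be tied to packets that will actually be encrypted, without aliasing 10.253.0.2 onto eth0. Addresses are the ones from George's setup; the policy match module (xt_policy/ipt_policy) and a FORWARD chain with a DROP policy are assumptions. Run without arguments to print the rules, with "apply" to load them.

```shell
#!/bin/sh
# Added example, not from the thread.  Source-NAT only the traffic that will
# leave through the IPsec tunnel, using the netfilter "policy" match instead
# of assigning the tunnel address to eth0.  Addresses are from the thread;
# the policy match module is assumed to be available.  With no argument the
# rules are printed; "apply" runs them (root required).
set -eu

VPN_SRC=10.253.0.2          # near end of the tunnel, what the LAN is NATed to
REMOTE_NET=192.168.4.0/24   # far side reached through the tunnel

# Rules are built as strings so they can be reviewed or tested before use.
snat_rule() {
    # --dir out --pol ipsec: only packets an xfrm policy will encrypt on the
    # way out, i.e. the "-o ipsec0" that was missing.  Without the match the
    # same destination reached outside the tunnel would be NATed as well.
    printf 'iptables -t nat -A POSTROUTING -d %s -m policy --dir out --pol ipsec -j SNAT --to-source %s' \
        "$REMOTE_NET" "$VPN_SRC"
}

# The "-i ipsec0" counterpart (assumes FORWARD policy DROP): accept traffic
# from the remote network only if it arrived inside the tunnel, so a
# cleartext packet spoofing a 192.168.4.x source is refused.
forward_rule() {
    printf 'iptables -A FORWARD -s %s -m policy --dir in --pol ipsec -j ACCEPT' "$REMOTE_NET"
}

if [ "${1:-}" = apply ]; then
    eval "$(snat_rule)"
    eval "$(forward_rule)"
else
    snat_rule; echo
    forward_rule; echo
fi
```

The policy match is evaluated against the xfrm policy looked up for the packet, so no address or route needs to be added for it; George's extra `ip addr add` and `ip route add` lines are unnecessary, as Patrick notes.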
From: kaber at trash.net (Patrick McHardy) Date: Fri May 12 07:24:09 2006 Subject: [LARTC] HFSC and prioritization In-Reply-To: <2af436490605111319l17615c50w76e1f0d97a5c4fa3@mail.gmail.com> References: <0633E0EDB4F25F43A2D7179CA11FAFAB25533F@xavier.staff.greatlakes.net> <2af436490605111319l17615c50w76e1f0d97a5c4fa3@mail.gmail.com> Message-ID: <44641BFF.8070009@trash.net> Jody Shumaker wrote: > My understanding of HFSC is limited, but i'm fairly sure its similar > to all other qdiscs in one respect that would make the config you have > shown, not actually work as you've described. Each of those HFSC > qdiscs is a separate entity, no sharing will occur between those HFSC > classes because each one belongs to a different qdisc. If you > implemented this, the priority portion would likely work, but if all > 3 classes were sending they would be trying for their individual max, > resulting in a combined total send of 3072kbps. Correct. > If you want what > you've described then there would need to be some sort of way to > define that same priority within one HSFC between the classes. I know > HTB has the prio parameter but I've never found good documentation on > HSFC and don't know if it has an equivalent. HFSC doesn't support strict priorities (and neither does HTB, the priorities just affect unused bandwidth and are still limited by the ceiling). At least in the case of HFSC this is intentional, strict priority is not very friendly because it allows traffic to be entirely excluded, HFSC's goals are to enable flexible sharing by allowing to separately specify bandwidth and delay requirements. If you really want strict priority you can use the prio qdisc as _child_ of HFSC. > Of course all of what I said would be wrong if HSFC has inter-qdisc > communication but I highly doubt that as it seems to go against the > design of most qdiscs. > > What is there for good HSFC documentation out there right now anyways? 
There are the original papers by Hui Zhang et al., which are mostly about the theory and not very suitable for users - but still worth reading if you're not scared by use of some math. There used to be some documentation called "HFSC for Router Plugins", which is partially applicable for Linux .. and some ALTQ and *BSD documentation which is partially applicable as well. Besides that there seem to be a few German student research projects about this subject, but all I know of are in German. Last thing I know of is an article written by a friend of mine for the German Linux Magazin, unfortunately also only in German, but reviewed by myself and mostly correct (klaus.geekserver.net/hfsc/hfsc.html) - translations are welcome :) From kaber at trash.net Fri May 12 07:31:16 2006 
From: kaber at trash.net (Patrick McHardy) Date: Fri May 12 07:31:15 2006 Subject: [LARTC] HFSC and prioritization In-Reply-To: <44641BFF.8070009@trash.net> References: <0633E0EDB4F25F43A2D7179CA11FAFAB25533F@xavier.staff.greatlakes.net> <2af436490605111319l17615c50w76e1f0d97a5c4fa3@mail.gmail.com> <44641BFF.8070009@trash.net> Message-ID: <44641DA4.6090108@trash.net> Patrick McHardy wrote: > Jody Shumaker wrote: > >>What is there for good HSFC documentation out there right now anyways? > > > There is the original papers by Hui Zhang et al., which is mostly > about the theory and not very suitable for users - but still worth > reading if you're not scared by use of some math. > There used to be some documentation called "HFSC for Router Plugins", > which is partially applicable for Linux .. and some ALTQ and *BSD > documentation which is partially applicable as well. Besides that > there seem to be a few german student research projects about this > subject, but all I know of are in german. Last thing I know of is > an article written by a friend of mine for the german Linux Magazin, > unfortunately also only in german, but reviewed by myself and mostly > correct (klaus.geekserver.net/hfsc/hfsc.html) - translations are > welcome :) I forgot to mention, there is actually a quite easy way to get started with HFSC if you already have a working HTB setup. Just delete the "prio" statements, replace "htb" by "hfsc", "rate" by "sc rate", "ceil" by "ul rate" and delete all the remaining htb specific parameters and you have something working. From kaber at trash.net Fri May 12 10:03:00 2006 
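Patrick's recipe is mechanical enough to script. The following is an added example, not code from the thread: a filter that rewrites an existing HTB tc script into an HFSC one exactly as he describes (htb to hfsc, rate to sc rate, ceil to ul rate, prio dropped, HTB-only parameters dropped). The sample HTB script it is run on is constructed for the example. Note what is lost: HTB's prio ordering has no counterpart here, so a class that needs low delay should afterwards get an explicit delay term on its sc/rt curve (umax/dmax, or m1/d/m2) instead.

```shell
#!/bin/sh
# Added example, not from the thread: applies Patrick's recipe to an
# existing HTB tc script so that it runs on HFSC.  Per class/qdisc line:
#   htb -> hfsc,  "rate X" -> "sc rate X",  "ceil X" -> "ul rate X",
#   "prio N" dropped, HTB-only knobs dropped (burst, cburst, quantum, mtu,
#   mpu, overhead, r2q).  "default" is kept, HFSC understands it.
# Only lines that carry the word htb are touched; "prio 10" on a tc filter
# line is the filter priority and is left alone.

htb_to_hfsc() {
    sed -E '
        /[[:space:]]htb([[:space:]]|$)/!b
        s/[[:space:]]htb([[:space:]]|$)/ hfsc\1/
        s/[[:space:]]prio[[:space:]]+[0-9]+//g
        s/[[:space:]](burst|cburst|quantum|mtu|mpu|overhead|r2q)[[:space:]]+[^[:space:]]+//g
        s/[[:space:]]rate[[:space:]]+([^[:space:]]+)/ sc rate \1/
        s/[[:space:]]ceil[[:space:]]+([^[:space:]]+)/ ul rate \1/
    '
}

# Constructed HTB script in the shape of the 450k/500k setup discussed in
# the "HTB at 100+ Mbits/sec" thread (not a script from the list).
SAMPLE_HTB='tc qdisc add dev ppp0 root handle 1: htb default 20 r2q 10
tc class add dev ppp0 parent 1: classid 1:1 htb rate 500kbit ceil 500kbit burst 15k
tc class add dev ppp0 parent 1:1 classid 1:10 htb rate 150kbit ceil 500kbit prio 1 quantum 1500
tc class add dev ppp0 parent 1:1 classid 1:20 htb rate 300kbit ceil 500kbit prio 2
tc filter add dev ppp0 parent 1: protocol ip prio 10 u32 match ip dport 22 0xffff flowid 1:10'

# Usage: htb_to_hfsc < htb.sh > hfsc.sh ; here run on the sample.
printf '%s\n' "$SAMPLE_HTB" | htb_to_hfsc
```

Review the output before loading it: the converted script has the same tree and the same rates, but, as Patrick says, it is "something working", not an equivalent policy.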
From: kaber at trash.net (Patrick McHardy) Date: Fri May 12 10:02:59 2006 Subject: [LARTC] HFSC and prioritization In-Reply-To: <44643E35.80405@zoomnet.ro> References: <0633E0EDB4F25F43A2D7179CA11FAFAB25533F@xavier.staff.greatlakes.net> <2af436490605111319l17615c50w76e1f0d97a5c4fa3@mail.gmail.com> <44641BFF.8070009@trash.net> <44643E35.80405@zoomnet.ro> Message-ID: <44644134.2000004@trash.net> Alexandru Dragoi wrote: > I think i'd like more docs in english about hfsc. Me too. I don't have time to write one myself (and I'm not good at this), but I can assist if anyone wants to do it. > I would like to know > also some tips about scalability at large amount of traffic, like more > than 100mbit and more than 20kpps. I once had a setup that shared 200mbit > on 2 imq devices (both with a parent class of 200mbit), each with about > 1000 hfsc classes. About 2 classes with only rt curves, another 2 with > rt and ls and ul curves, and the rest (end users) with ls and ul > curves. All only with m2 parameter. And at high traffic packet loss > appeared. After switching to htb, no more packet loss. > > Thanks in advance. Mhh .. I know of setups where HFSC is running with 10k classes and high bandwidth (>= 100mbit, don't know the exact amount). When switching to rbtrees I made some benchmarks and it performed almost identical to HTB, so my guess is that its related to IMQ, which still seems to be pretty broken. It could of course also be a different configuration mistake, hard to tell without seeing the actual configuration. From lists at andyfurniss.entadsl.com Fri May 12 15:33:05 2006 
From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Fri May 12 15:32:32 2006 Subject: [LARTC] HFSC and prioritization In-Reply-To: <44641DA4.6090108@trash.net> References: <0633E0EDB4F25F43A2D7179CA11FAFAB25533F@xavier.staff.greatlakes.net> <2af436490605111319l17615c50w76e1f0d97a5c4fa3@mail.gmail.com> <44641BFF.8070009@trash.net> <44641DA4.6090108@trash.net> Message-ID: <44648E91.4020800@andyfurniss.entadsl.com> Patrick McHardy wrote: > Patrick McHardy wrote: > >>Jody Shumaker wrote: >> >> >>>What is there for good HSFC documentation out there right now anyways? >> >> >>There is the original papers by Hui Zhang et al., which is mostly >>about the theory and not very suitable for users - but still worth >>reading if you're not scared by use of some math. >>There used to be some documentation called "HFSC for Router Plugins", >>which is partially applicable for Linux .. and some ALTQ and *BSD >>documentation which is partially applicable as well. Besides that >>there seem to be a few german student research projects about this >>subject, but all I know of are in german. Last thing I know of is >>an article written by a friend of mine for the german Linux Magazin, >>unfortunately also only in german, but reviewed by myself and mostly >>correct (klaus.geekserver.net/hfsc/hfsc.html) - translations are >>welcome :) > > > I forgot to mention, there is actually a quite easy way to get > started with HFSC if you already have a working HTB setup. Just > delete the "prio" statements, replace "htb" by "hfsc", > "rate" by "sc rate", "ceil" by "ul rate" and delete all the > remaining htb specific parameters and you have something working. One thing to note is that HFSC will drop, rather than pass unshaped, traffic that is unclassified. So if you don't use a default class and don't filter arp to a class then HFSC will appear broken whereas HTB will work. Andy. From jody.shumaker at gmail.com Fri May 12 17:30:16 2006 
From: jody.shumaker at gmail.com (Jody Shumaker) Date: Fri May 12 17:30:14 2006 Subject: [LARTC] HFSC and prioritization In-Reply-To: <44641BFF.8070009@trash.net> References: <0633E0EDB4F25F43A2D7179CA11FAFAB25533F@xavier.staff.greatlakes.net> <2af436490605111319l17615c50w76e1f0d97a5c4fa3@mail.gmail.com> <44641BFF.8070009@trash.net> Message-ID: <2af436490605120830x1d0895b5i54f98e02056994c5@mail.gmail.com> > HFSC doesn't support strict priorities (and neither does HTB, the > priorities just affect unused bandwidth and is still limited by the > ceiling). At least in the case of HFSC this is intentional, strict > priority is not very friendly because it allows traffic to be > entirely excluded, HFSC's goals are to enable flexible sharing by > allowing to seperately specify bandwidth and delay requirements. > If you really want strict priority you can use the prio qdisc as > _child_ of HFSC. > I always forget this about the prio and HTB. With HSFC does use of the max latency settings possibly get the desired goal from using prio? I think this is what always appealed to me about HSFC from the little I could understand. That if I had an interactive class, it'd always favor getting those packets through sooner than others, trying to honor a latency, if I set it up correctly. > > What is there for good HSFC documentation out there right now anyways? > > There is the original papers by Hui Zhang et al., which is mostly > about the theory and not very suitable for users - but still worth > reading if you're not scared by use of some math. > There used to be some documentation called "HFSC for Router Plugins", > which is partially applicable for Linux .. and some ALTQ and *BSD > documentation which is partially applicable as well. Besides that > there seem to be a few german student research projects about this > subject, but all I know of are in german. 
Last thing I know of is > an article written by a friend of mine for the german Linux Magazin, > unfortunately also only in german, but reviewed by myself and mostly > correct (klaus.geekserver.net/hfsc/hfsc.html) - translations are > welcome :) > Unfortunately the original papers were a bit too confusing for me when I last read them. I could understand parts of it, but translating that into hsfc options I would actually want to use, I couldn't do. This german article looks like it'd have a lot of the clarification I'd need, but a babelfish translation was still too difficult to understand. If someone's up for writing a good translation I'd greatly appreciate it. - Jody From muthukumar at gmail.com Fri May 12 17:32:30 2006 
From: muthukumar at gmail.com (Muthukumar S) Date: Fri May 12 17:32:28 2006 Subject: [LARTC] HTB at 100+ Mbits/sec In-Reply-To: <2af436490605111125s7cf494f0p3cb3c1e92c30be8d@mail.gmail.com> References: <2af436490605101445p2b30b21dr16ba6af77c910fec@mail.gmail.com> <2af436490605111125s7cf494f0p3cb3c1e92c30be8d@mail.gmail.com> Message-ID: I'll try using 450 K and setting a higher ceil to see how it works. Also I was wondering what limits (if any) the kernel timer resolution imposes on HTB. Thanks! Muthu On 5/11/06, Jody Shumaker wrote: > On 5/10/06, Muthukumar S wrote: > > First up, thanks for the response Jody. I appreciate your taking the > > time to answer. > > > > So in essence what this means is that I will not be able to use the > > maximum that the link allows if I'm shaping traffic? Please correct me > > if I got this wrong - let's say my ISP claims 512 Kbit/s upload and > > real throughput varies between 450 Kbit/s and 500 Kbit/s. So if I > > shaped traffic using 450 Kbit/s as the root qdisc, I would lose out on > > the occasions when the line does allow more than 450 Kbit/s? > > > > Unfortunately yes, if you want the shaping to work well you need to > set it appropriately. No real way to have it vary dynamically. > Basically what happens when you're not the bottleneck is that ping > times will go up as data will queue at the other bottleneck, and your > bandwidth allotments will no longer accurately represent the > connection. They'll have less of an effect as TCP throttling starts > having to kick in. > > I imagine if you designed the rules you could have the ratio between > your classes still honored, and only have the increased lag or > possibility for packet loss. To do this if you knew it was always > at least 450k but sometimes 500k, set the rates for all the child > classes to add up to 450k, but use 500k as the highest ceiling and > for the base class. 
Then in this case it should still continue to > split the 450k evenly between the classes as you described, but still > using up to the 500k when its available. Not sure how well this would > work though as I've usually been more concerned with keeping the > latency down, and set the ceil such that the majority of the time its > slightly below the real bandwidth. > > - Jody > > P.S. Thanks for forwarding the email to the list, I always forget to > hit reply to all. > From muthukumar at gmail.com Fri May 12 17:35:21 2006 From: muthukumar at gmail.com (Muthukumar S) Date: Fri May 12 17:35:22 2006 Subject: [LARTC] HTB at 100+ Mbits/sec In-Reply-To: References: Message-ID: > Iperf has a demonstrated behavior that when running more than one copy at the > same time on the same box (client side); that the timing of each will > start to effect > the other copies. This is a function of how Iperf does it's timing > (spin loops). What traffic generators would you recommend? What do other members use? Has anyone used TG (http://www.postel.org/tg/)? Thanks! - Muthu From larry.brigman at gmail.com Fri May 12 18:36:01 2006 
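Jody's plan in the quoted message (child rates summing to the 450k the line always has, ceil and the parent class at the 500k it sometimes has) only works if the tree is internally consistent: HTB cannot honour child guarantees that add up to more than the parent's rate, and a child ceiling above its parent's is never reached. The following is an added example, not code from the thread: a checker that reads a tc script and flags both mistakes. The two sample scripts it is run on are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread.  Jody's plan above: child "rate"s add
# up to what the line always has (450k), "ceil" and the parent class go up
# to what it sometimes has (500k).  HTB can only keep such promises if the
# children's rates never exceed the parent's rate and no child ceils above
# its parent, so this reads a tc script and flags any class tree where they
# do.  Units handled as tc does: bit, kbit, mbit (k = 1000).
htb_check_rates() {
    awk '
    function to_bps(v,    n) {
        n = v + 0                           # awk keeps the numeric prefix
        if (v ~ /mbit$/) return n * 1000000
        if (v ~ /kbit$/) return n * 1000
        return n
    }
    /class add/ && / htb / {
        id = par = ""; rate = ceil = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "classid") id = $(i + 1)
            if ($i == "parent")  par = $(i + 1)
            if ($i == "rate")    rate = to_bps($(i + 1))
            if ($i == "ceil")    ceil = to_bps($(i + 1))
        }
        if (ceil == 0) ceil = rate          # HTB default: ceil = rate
        rate_of[id] = rate; ceil_of[id] = ceil
        sum[par] += rate
        if ((par in ceil_of) && ceil > ceil_of[par]) {
            printf "%s: ceil %d above parent %s ceil %d\n", id, ceil, par, ceil_of[par]
            bad = 1
        }
    }
    END {
        for (p in sum)
            if ((p in rate_of) && sum[p] > rate_of[p]) {
                printf "%s: children guarantee %d bit/s, class rate is only %d\n", p, sum[p], rate_of[p]
                bad = 1
            }
        exit bad ? 1 : 0
    }'
}

# Constructed scripts (not from the list): the first follows Jody's
# suggestion, the second over-commits a 450k parent.
HTB_OK='tc class add dev ppp0 parent 1: classid 1:1 htb rate 500kbit ceil 500kbit
tc class add dev ppp0 parent 1:1 classid 1:10 htb rate 150kbit ceil 500kbit prio 1
tc class add dev ppp0 parent 1:1 classid 1:20 htb rate 300kbit ceil 500kbit prio 2'
HTB_OVERCOMMITTED='tc class add dev ppp0 parent 1: classid 1:1 htb rate 450kbit ceil 500kbit
tc class add dev ppp0 parent 1:1 classid 1:10 htb rate 250kbit ceil 500kbit
tc class add dev ppp0 parent 1:1 classid 1:20 htb rate 250kbit ceil 500kbit'

# Usage: htb_check_rates < shaper.sh ; exit status 1 means fix before loading.
printf '%s\n' "$HTB_OK" | htb_check_rates && echo "HTB_OK: consistent"
printf '%s\n' "$HTB_OVERCOMMITTED" | htb_check_rates || echo "HTB_OVERCOMMITTED: fix before loading"
```

The check says nothing about whether 450k is the right floor for the line; that still has to be measured, as the rest of the thread discusses.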
From: larry.brigman at gmail.com (Larry Brigman) Date: Fri May 12 18:36:03 2006 Subject: [LARTC] HTB at 100+ Mbits/sec In-Reply-To: References: Message-ID: On 5/12/06, Muthukumar S wrote: > > Iperf has a demonstrated behavior that when running more than one copy at the > > same time on the same box (client side); that the timing of each will > > start to effect > > the other copies. This is a function of how Iperf does it's timing > > (spin loops). > > What traffic generators would you recommend? What do other members > use? Has anyone used TG (http://www.postel.org/tg/)? > I have looked at TG but would recommend D-ITG (http://www.grid.unina.it/software/ITG/) at this point as it seems to have more work recently. That said I have downloaded TG but have not ran it too much. Back to Iperf. The reason I mention the timing issue is, really only an issue when you are running multiple copies and you really want very stable inter-packet timing. If you want to use Iperf for bandwidth testing and want to run multiple copies. Get the source and find the client send routines where it is using the delay function and replace that with usleep. This change allows (in my testing) upwards of 15 copies of Iperf running at the same time without major interactions. For a single stream Iperf is the most flexible program of the bunch Just for info, here is a site that has both monitoring (mostly) tools and traffic generation tools. http://www.slac.stanford.edu/xorg/nmtf/nmtf-tools.html From kaber at trash.net Fri May 12 18:42:34 2006 
From: kaber at trash.net (Patrick McHardy) Date: Fri May 12 18:42:28 2006 Subject: [LARTC] HFSC and prioritization In-Reply-To: <44648E91.4020800@andyfurniss.entadsl.com> References: <0633E0EDB4F25F43A2D7179CA11FAFAB25533F@xavier.staff.greatlakes.net> <2af436490605111319l17615c50w76e1f0d97a5c4fa3@mail.gmail.com> <44641BFF.8070009@trash.net> <44641DA4.6090108@trash.net> <44648E91.4020800@andyfurniss.entadsl.com> Message-ID: <4464BAFA.2030103@trash.net> Andy Furniss wrote: > One thing to note is that HFSC will drop, rather than pass unshaped, > traffic that is unclassified. > > So if you don't use a default class and don't filter arp to a class then > HFSC will appear broken whereas HTB will work. Good point, that is a trap that might easily make it appear as if HFSC is stalling under some conditions. From kaber at trash.net Fri May 12 18:56:38 2006 
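Andy's trap and Patrick's two remarks (HFSC drops what nothing classifies; strict priority belongs in a prio qdisc under an HFSC class) in one place, as an added example that is not code from the thread. The setup function prints a small HFSC tree with a default class, an ARP filter and a prio child; the audit function reads "tc qdisc show" output and names any HFSC root that has no default class. The device, handles, rates and the sample "tc qdisc show" text are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread).  Two HFSC pitfalls raised above:
#  1. Andy Furniss: HFSC drops, rather than passes, traffic that no filter
#     classifies unless the root qdisc names a "default" class; ARP is not
#     IP, so it needs its own filter as well.
#  2. Patrick McHardy: HFSC has no strict priority; if you need it, hang a
#     prio qdisc under an HFSC class.
# Device, handles and rates below are assumptions for the example.

DEV=${DEV:-eth0}

# Emit the tc commands instead of running them, so the result can be read
# and checked without root.  Apply with:  hfsc_setup | sh
hfsc_setup() {
    cat <<EOF
tc qdisc add dev $DEV root handle 1: hfsc default 20
tc class add dev $DEV parent 1: classid 1:1 hfsc sc rate 500kbit ul rate 500kbit
tc class add dev $DEV parent 1:1 classid 1:10 hfsc sc umax 1500b dmax 20ms rate 150kbit ul rate 500kbit
tc class add dev $DEV parent 1:1 classid 1:20 hfsc ls rate 350kbit ul rate 500kbit
tc qdisc add dev $DEV parent 1:10 handle 10: prio bands 3
tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10
tc filter add dev $DEV parent 1: protocol arp prio 1 u32 match u32 0 0 flowid 1:10
tc filter add dev $DEV parent 1: protocol ip prio 10 u32 match ip dport 22 0xffff flowid 1:10
EOF
}

# Audit running qdiscs: read "tc qdisc show" output on stdin and print the
# device of every HFSC root that has no default class (exit 1 if any).
hfsc_missing_default() {
    awk '
        $1 == "qdisc" && $2 == "hfsc" && / root / && !/ default / { print $5; bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample of "tc qdisc show" output (tc prints the default class
# id in hex): eth0 is fine, eth1 will drop unclassified traffic.
SAMPLE_QDISC_SHOW='qdisc hfsc 1: dev eth0 root refcnt 2 default 14
qdisc hfsc 1: dev eth1 root refcnt 2
qdisc sfq 20: dev eth0 parent 1:20 limit 127p quantum 1514b perturb 10sec'

hfsc_setup
printf '%s\n' "$SAMPLE_QDISC_SHOW" | hfsc_missing_default ||
    echo "above: HFSC roots without a default class (unclassified traffic is dropped)" >&2
```

Class 1:10 asks HFSC for delay (umax/dmax on its sc curve) rather than for priority; the prio qdisc under it only orders packets among themselves once they are in that class, which is the "prio as child of HFSC" Patrick describes. Run the audit against a live box with "tc qdisc show | hfsc_missing_default".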
From: kaber at trash.net (Patrick McHardy) Date: Fri May 12 18:56:37 2006 Subject: [LARTC] HFSC and prioritization In-Reply-To: <2af436490605120830x1d0895b5i54f98e02056994c5@mail.gmail.com> References: <0633E0EDB4F25F43A2D7179CA11FAFAB25533F@xavier.staff.greatlakes.net> <2af436490605111319l17615c50w76e1f0d97a5c4fa3@mail.gmail.com> <44641BFF.8070009@trash.net> <2af436490605120830x1d0895b5i54f98e02056994c5@mail.gmail.com> Message-ID: <4464BE46.4080609@trash.net> Jody Shumaker wrote: >> HFSC doesn't support strict priorities (and neither does HTB, the >> priorities just affect unused bandwidth and is still limited by the >> ceiling). At least in the case of HFSC this is intentional, strict >> priority is not very friendly because it allows traffic to be >> entirely excluded, HFSC's goals are to enable flexible sharing by >> allowing to seperately specify bandwidth and delay requirements. >> If you really want strict priority you can use the prio qdisc as >> _child_ of HFSC. >> > > I always forget this about the prio and HTB. With HSFC does use of > the the max latency settings possibly get the desired goal from using > prio? I think this is what always appealed to me about HSFC from the > little I could understand. That if I had an interactive class, it'd > always favor getting those packets through sooner than others, trying > to honor a latency, if I set it up correctly. Exactly. I think strict priority is mostly used because of laziness, unknown conditions or inflexible algorithms. You almost never want one kind of traffic to be able to stall everything else (which BTW raises some doubts about Linux's default choice of a 3-band prio qdisc). HFSC solves one and a half of these problems: without separated bandwidth/delay specifications you are unable to express that some traffic should get good delay but doesn't need much guaranteed bandwidth, so you have to use priorities. 
The half solved problem is unknown conditions, it can also work in work-conserving mode, which means that it will work fine on wireless or similar networks or without any maximum bandwidth specification, but in that case it can only provide fair sharing, no absolute guarantees. Only half-solved because the unknown condition could also be the amount of bandwidth or the delay required, in which case strict priority might be the only viable option. From luciano at lugmen.org.ar Fri May 12 19:07:09 2006 From: luciano at lugmen.org.ar (Luciano Ruete) Date: Fri May 12 19:01:46 2006 Subject: [LARTC] HTB at 100+ Mbits/sec In-Reply-To: References: Message-ID: <200605121407.09762.luciano@lugmen.org.ar> On Friday 12 May 2006 12:35, Muthukumar S wrote: > > Iperf has a demonstrated behavior that when running more than one copy at > > the same time on the same box (client side); that the timing of each will > > start to effect > > the other copies. This is a function of how Iperf does it's timing > > (spin loops). > > What traffic generators would you recommend? What do other members > use? Has anyone used TG (http://www.postel.org/tg/)? Activate chargen as tcp or udp stream at any port using inetd or xinetd. Then for tcp tests*: curl http://$host:$port/ > /dev/null or cd /dev/ && lftpget http://$host:$port/null both show traffic rate, but curl show more stats. For chargen udp test... don't know really, maybe netcat can help. * all this is a jjo-tip[tm] -- Luciano -- Luciano From alex at zoomnet.ro Fri May 12 19:49:00 2006 
From: alex at zoomnet.ro (Alexandru Dragoi) Date: Fri May 12 19:48:57 2006 Subject: [LARTC] HFSC and prioritization In-Reply-To: <44644134.2000004@trash.net> References: <0633E0EDB4F25F43A2D7179CA11FAFAB25533F@xavier.staff.greatlakes.net> <2af436490605111319l17615c50w76e1f0d97a5c4fa3@mail.gmail.com> <44641BFF.8070009@trash.net> <44643E35.80405@zoomnet.ro> <44644134.2000004@trash.net> Message-ID: <4464CA8C.3020600@zoomnet.ro> Patrick McHardy wrote: >Alexandru Dragoi wrote: > > > >>I think i'd like more docs in english about hfsc. >> >> > >Me too. I don't have time to write one myself (and I'm not good at >this), but I can assist if anyone wants to do it. > > > > >>I would like to know >>also some tips about scalability at large amount of traffic, like more >>than 100mbit and more than 20kpps. I once had a setup that shared 200mbit >>on 2 imq devices (both with a parent class of 200mbit), each with about >>1000 hfsc classes. About 2 classes with only rt curves, another 2 with >>rt and ls and ul curves, and the rest (end users) with ls and ul >>curves. All only with m2 parameter. And at high traffic packet loss >>appeared. After switching to htb, no more packet loss. >> >>Thanks in advance. >> >> > > >Mhh .. I know of setups where HFSC is running with 10k classes and high >bandwidth (>= 100mbit, don't know the exact amount). When switching to >rbtrees I made some benchmarks and it performed almost identical to HTB, >so my guess is that its related to IMQ, which still seems to be pretty >broken. It could of course also be a different configuration mistake, >hard to tell without seeing the actual configuration. >_______________________________________________ >LARTC mailing list >LARTC@mailman.ds9a.nl >http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > > Hello, here are some lines of the hfsc script I used. 
#!/bin/bash
tc=/sbin/tc

$tc qdisc add dev imq0 root handle 1: hfsc default 3
$tc class add dev imq0 parent 1: classid 1:3 hfsc ls m2 200mbit ul m2 200mbit
$tc class add dev imq0 parent 1: classid 1:2 hfsc ls m2 200mbit ul m2 200mbit

$tc qdisc add dev imq1 root handle 1: hfsc default 3
$tc class add dev imq1 parent 1: classid 1:3 hfsc ls m2 20mbit ul m2 20mbit
$tc class add dev imq1 parent 1: classid 1:2 hfsc ls m2 20mbit ul m2 20mbit

$tc qdisc add dev imq2 root handle 1: hfsc default 3
$tc class add dev imq2 parent 1: classid 1:3 hfsc ls m2 200mbit ul m2 200mbit
$tc class add dev imq2 parent 1: classid 1:2 hfsc ls m2 200mbit ul m2 200mbit

$tc qdisc add dev imq3 root handle 1: hfsc default 3
$tc class add dev imq3 parent 1: classid 1:3 hfsc ls m2 20mbit ul m2 20mbit
$tc class add dev imq3 parent 1: classid 1:2 hfsc ls m2 20mbit ul m2 20mbit

## An important client
$tc class add dev imq0 parent 1:2 classid 1:0x6031 hfsc rt m2 100mbit
$tc qdisc add dev imq0 parent 1:0x6031 sfq
$tc filter add dev imq0 parent 1: protocol ip prio 10 u32 match ip dst x.y.z.0/22 flowid 1:0x6031
$tc class add dev imq1 parent 1:2 classid 1:0x6031 hfsc rt m2 9mbit
$tc qdisc add dev imq1 parent 1:0x6031 sfq
$tc filter add dev imq1 parent 1: protocol ip prio 10 u32 match ip dst x.y.z.0/22 flowid 1:0x6031
$tc class add dev imq2 parent 1:2 classid 1:0x6031 hfsc rt m2 100mbit
$tc qdisc add dev imq2 parent 1:0x6031 sfq
$tc filter add dev imq2 parent 1: protocol ip prio 10 u32 match ip src x.y.z.0/22 flowid 1:0x6031
$tc class add dev imq3 parent 1:2 classid 1:0x6031 hfsc rt m2 9mbit
$tc qdisc add dev imq3 parent 1:0x6031 sfq
$tc filter add dev imq3 parent 1: protocol ip prio 10 u32 match ip src x.y.z.0/22 flowid 1:0x6031

There was also a client with rt m2 20mbit ls m2 20mbit ul m2 100mbit on imq0 and imq2, then rt m2 5mbit ls m2 5mbit ul m2 10mbit on the other 2 imqs.
The rest of the clients, around 1000, each have something like:

$tc class add dev imq0 parent 1:2 classid 1:0x116a hfsc ls m2 16Kbit ul m2 20480Kbit
$tc qdisc add dev imq0 parent 1:0x116a sfq
$tc filter add dev imq0 parent 1: protocol ip prio 10 u32 match ip dst a.b.c.d/32 flowid 1:0x116a
$tc class add dev imq1 parent 1:2 classid 1:0x116a hfsc ls m2 16Kbit ul m2 256Kbit
$tc qdisc add dev imq1 parent 1:0x116a sfq
$tc filter add dev imq1 parent 1: protocol ip prio 10 u32 match ip dst a.b.c.d/32 flowid 1:0x116a
$tc class add dev imq2 parent 1:2 classid 1:0x116a hfsc ls m2 16Kbit ul m2 20480Kbit
$tc qdisc add dev imq2 parent 1:0x116a sfq
$tc filter add dev imq2 parent 1: protocol ip prio 10 u32 match ip src a.b.c.d/32 flowid 1:0x116a
$tc class add dev imq3 parent 1:2 classid 1:0x116a hfsc ls m2 16Kbit ul m2 256Kbit
$tc qdisc add dev imq3 parent 1:0x116a sfq
$tc filter add dev imq3 parent 1: protocol ip prio 10 u32 match ip src a.b.c.d/32 flowid 1:0x116a

Some of them have rates half or double the numbers above, depending how much they pay. Last lines of the script are:

$tc class change dev imq0 parent 1: classid 1:3 hfsc ls m2 16Kbit ul m2 256Kbit
$tc class change dev imq1 parent 1: classid 1:3 hfsc ls m2 8Kbit ul m2 128Kbit
$tc class change dev imq2 parent 1: classid 1:3 hfsc ls m2 16Kbit ul m2 256Kbit
$tc class change dev imq3 parent 1: classid 1:3 hfsc ls m2 8Kbit ul m2 128Kbit

Now, the machine has multiple interfaces, I think 2 gigabit cards with about 5-6 vlans. The idea of the imqs was to shape only traffic that comes or goes from or to some vlans, traffic between clients being unshaped. The machine also did bgp with 1400 prefixes learned and default route, everything running on a 2.6.11 kernel, I think. I'm sure there was a need for lots of tuning, like u32 hash filters .. and many others. With this setup on high traffic things went crazy, like packet loss, real time classes also didn't get their traffic and so on. 
But ONLY changing from hfsc to htb, things worked much better, and the important clients got their guaranteed bandwidth. Since then .. things changed a lot, u32 hash filters are used, with htb, I got a job somewhere else and so on. :) Any ideas about what I did there are really welcome. Thank You. From antonio.dibacco at aruba.it Fri May 12 22:30:32 2006 From: antonio.dibacco at aruba.it (Antonio Di Bacco) Date: Fri May 12 22:28:43 2006 Subject: [LARTC] Routing through a Point to Point link Message-ID: <200605122230.32665.antonio.dibacco@aruba.it> Hi all, I have two identical linux boxes (A and B), each one with two interfaces: an ethernet (eth0 with ip 192.168.1.50) and an hdlc (hdlc0). The two boxes are only connected via a link through their hdlc interfaces. Because they have to be exactly the same, if I have to assign an ip address to hdlc0 of A then the hdlc0 of B should have the same ip address. Each one should have a default route that cannot coincide with the hdlc interface. Every linux box has a web server. When I connect with my notebook to box A I want to reach the web server on A typing in my browser http://192.168.1.50 and I want to reach the web server on B typing http://192.168.1.50:8080 . Does anyone know how this could be possible? Thank you for your help, Antonio. From sebyte at smolny.plus.com Sun May 14 01:11:30 2006 
From: sebyte at smolny.plus.com (Sebastian Tennant) Date: Sun May 14 03:25:00 2006 Subject: [LARTC] Simple routing question from networking newbie Message-ID: <87ac9lwme5.fsf@smolny.plus.com> I've recently got a new modem. In fact, it's a modem-router with NAT functionality. Before I had a plain modem-modem, and I was able to access my workstation from my remote server using the IP address assigned to me by my ISP. Now however, that IP address only reaches the modem-router and the IP address of my workstation is set by my modem-router to 192.168.0.2 How can I reach my workstation now that I have to go through the modem-router? For instance, if I want to ssh into my remote server and issue a command that copies a file from my remote server to my workstation using scp: $ scp file.txt sebyte@aaa.bbb.ccc.ddd:/home/sebyte/Desktop/file.txt what IP address should I use? Obviously 192.168.0.2 is not going to work. sdt From sawar at interia.pl Mon May 15 01:25:03 2006 
From: sawar at interia.pl (Szymon Mroofka) Date: Mon May 15 01:24:59 2006 Subject: [LARTC] Simple routing question from networking newbie In-Reply-To: <87ac9lwme5.fsf@smolny.plus.com> References: <87ac9lwme5.fsf@smolny.plus.com> Message-ID: <200605150125.03380.sawar@interia.pl> On Sunday, 14 May 2006 01:11, Sebastian Tennant wrote: > I've recently got a new modem. In fact, it's a modem-router with NAT > functionality. Before I had a plain modem-modem, and I was able to > access my workstation from my remote server using the IP address > assigned to me by my ISP. Now however, that IP address only reaches > the modem-router and the IP address of my workstation is set by my > modem-router to 192.168.0.2 > > How can I reach my workstation now that I have to go through the > modem-router? > > For instance, if I want to ssh into my remote server and issue a > command that copies a file from my remote server to my workstation > using scp: > > $ scp file.txt sebyte@aaa.bbb.ccc.ddd:/home/sebyte/Desktop/file.txt > > what IP address should I use? Obviously 192.168.0.2 is not going to > work. > > sdt > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc Hi, you have to use port forwarding and / or DMZ functionality on your router if it has it. For instance you can forward port 22 from the router to your internal box where the ssh daemon is running. Then you can use your public ip from the ISP x.y.z.a:22 to reach your ssh daemon. Regards From sebyte at smolny.plus.com Mon May 15 02:42:07 2006 
From: sebyte at smolny.plus.com (Sebastian Tennant) Date: Mon May 15 02:42:17 2006 Subject: [LARTC] Re: Simple routing question from networking newbie References: <87ac9lwme5.fsf@smolny.plus.com> <200605150125.03380.sawar@interia.pl> Message-ID: <87y7x4unj4.fsf@smolny.plus.com> Quoth Szymon Mroofka : >> For instance, if I want to ssh into my remote server and issue a >> command that copies a file from my remote server to my workstation >> using scp: >> >> $ scp file.txt sebyte@aaa.bbb.ccc.ddd:/home/sebyte/Desktop/file.txt >> >> what IP address should I use? Obviously 192.168.0.2 is not going to >> work. > you have to use port forwarding and / or DMZ funcionality on your > router if it has it. For instance you can forward port 22 from > router to your internal box where ssh deamon is running. Than you > can use your public ip form isp x.y.z.a:22 to reach your ssh deamon. Ah... OK. Hmm.. I'll look into it, and hopefully come back with a more intelligent question than simply "What do they do?" sdt From hawk at diku.dk Sun May 14 22:27:45 2006 
From: hawk at diku.dk (Jesper Dangaard Brouer) Date: Mon May 15 04:07:51 2006 Subject: [LARTC] HTB at 100+ Mbits/sec In-Reply-To: References: <2af436490605101445p2b30b21dr16ba6af77c910fec@mail.gmail.com> <2af436490605111125s7cf494f0p3cb3c1e92c30be8d@mail.gmail.com> Message-ID: On Fri, 12 May 2006, Muthukumar S wrote: > > Also I was wondering what limits (if any) the kernel timer resolution > imposes on HTB. > The kernel timer resolution does have an impact on the precision of HTB (the delay jitter). I have done some detailed studies in my master thesis, which is located at: http://www.adsl-optimizer.dk/thesis/. You should look at chapter 7. Read section 7.3.2 "Timer Granularity" (page 71) and section 7.3.3 "Improving Granularity" (page 73). Figure 7.8 (page 75) shows how the delay jitter bound is improved when changing the timer from HZ=100 to HZ=1500. For the discussion about why you need to reduce the bandwidth to less than the actual bandwidth, you should look at Chapter 6 "Achieving Queue Control". Especially if you have an ADSL link. Greetings, Jesper Brouer -- ------------------------------------------------------------------- MSc. Master of Computer Science Dept. of Computer Science, University of Copenhagen Author of http://www.adsl-optimizer.dk ------------------------------------------------------------------- From robb.bossley at gmail.com Mon May 15 05:04:14 2006 
From: robb.bossley at gmail.com (Robb Bossley)
Date: Mon May 15 05:04:10 2006
Subject: [LARTC] Re: Simple routing question from networking newbie
In-Reply-To: <87y7x4unj4.fsf@smolny.plus.com>
References: <87ac9lwme5.fsf@smolny.plus.com> <200605150125.03380.sawar@interia.pl> <87y7x4unj4.fsf@smolny.plus.com>
Message-ID: <5c6851530605142004x83bc547h5caffa162f345951@mail.gmail.com>

This might be an instance where ssh -L could be your friend.

Robb

On 5/14/06, Sebastian Tennant wrote:
> Quoth Szymon Mroofka :
>
> >> For instance, if I want to ssh into my remote server and issue a
> >> command that copies a file from my remote server to my workstation
> >> using scp:
> >>
> >> $ scp file.txt sebyte@aaa.bbb.ccc.ddd:/home/sebyte/Desktop/file.txt
> >>
> >> what IP address should I use? Obviously 192.168.0.2 is not going to
> >> work.
>
> > you have to use port forwarding and / or DMZ functionality on your
> > router if it has it. For instance you can forward port 22 from
> > router to your internal box where ssh daemon is running. Then you
> > can use your public ip from isp x.y.z.a:22 to reach your ssh daemon.
>
> Ah... OK. Hmm.. I'll look into it, and hopefully come back with a
> more intelligent question than simply "What do they do?"
>
> sdt
>
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

From dennis at loop.com.tw Mon May 15 12:50:00 2006
From: dennis at loop.com.tw (Nai-Hsien)
Date: Mon May 15 12:50:03 2006
Subject: [LARTC] point-to-point ethernet link
Message-ID: <075f01c6780d$50a49870$0102000a@loop.com.tw>

I have an embedded linux board (main board), which has multiple Ethernet
interfaces, and a daughter card, which has one Ethernet interface. The
diagram is shown as follows.

  +----------+                      +----------------------------+
  | daughter |----------------------| ptp                        |----------------
  |   card   |       Ethernet       |         Main board         |----------------  Ethernet links with IP
  +----------+                      |                            |----------------  addresses
                                    +----------------------------+

I am looking for a method to manage the daughter card with a single IP
address. I tried to build a point-to-point Ethernet link on the main board.
However, it does not work. Is there any solution to route packets to the
ptp port while the ptp port does not have an IP address?

From lburatti at zacmi.it Mon May 15 16:01:35 2006
From: lburatti at zacmi.it (lburatti@zacmi.it)
Date: Mon May 15 16:01:31 2006
Subject: [LARTC] luca buratti is out of office
Message-ID:

I will be out of the office from 15/05/2006 and will not be back until
12/06/2006. I will reply to your message on my return.

From jdgeier at gmail.com Mon May 15 20:50:43 2006
From: jdgeier at gmail.com (Jon-david Geier)
Date: Mon May 15 20:50:41 2006
Subject: [LARTC] Issue with ip aliases and routing
Message-ID:

I need to get this working. I have a single interface eth0 with a primary
address of x.x.214.162 on a /30 block network. This interface is properly
set up and works fine; however, I also have five aliased addresses on the
same interface: eth0:1 @ x.x.6.230, eth0:2 @ x.x.6.235, eth0:3 @ x.x.6.240,
eth0:4 @ x.x.6.245, and eth0:5 @ x.x.6.250. All of these addresses are on a
/27 block network. After setting these addresses up I tested that they were
functional (at least to the local machine) by pinging each address, all of
which responded from the local machine. The next thing I did was set a
route statement to set the primary (x.x.214.162) as the gateway for the
x.x.6.224 network via this statement:

    route add -net x.x.6.224 netmask 255.255.255.224 gw x.x.214.162

I thought this was all I needed in order to be able to access the aliased
addresses externally from the machine. Unfortunately this is not the case.
I have ensured that ip forwarding is enabled and that the addresses are set
up correctly. I have also attempted to use the same route statement with
iproute2 via:

    ip route add 38.98.6.224/27 dev eth0 proto kernel scope link src 38.99.214.162

and I am still unable to access the addresses externally from the machine.
I have even brought down iptables to test that there is no conflict there.
Here are the configuration files.

[root@landuconsulting ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
BROADCAST=38.99.214.163
IPADDR=38.99.214.162
NETMASK=255.255.255.252
NETWORK=38.99.214.160
HWADDR=00:16:35:6A:85:09
ONBOOT=yes
TYPE=Ethernet

[root@landuconsulting ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0:1
DEVICE=eth0:1
BOOTPROTO=static
BROADCAST=38.98.6.255
IPADDR=38.98.6.230
NETMASK=255.255.255.224
NETWORK=38.98.6.224
ONBOOT=yes
TYPE=Ethernet

[root@landuconsulting ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0:2
DEVICE=eth0:2
BOOTPROTO=static
BROADCAST=38.98.6.255
IPADDR=38.98.6.235
NETMASK=255.255.255.224
NETWORK=38.98.6.224
ONBOOT=yes
TYPE=Ethernet

[root@landuconsulting ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0:3
DEVICE=eth0:3
BOOTPROTO=static
BROADCAST=38.98.6.255
IPADDR=38.98.6.240
NETMASK=255.255.255.224
NETWORK=38.98.6.224
ONBOOT=yes
TYPE=Ethernet

[root@landuconsulting ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0:4
DEVICE=eth0:4
BOOTPROTO=static
BROADCAST=38.98.6.255
IPADDR=38.98.6.245
NETMASK=255.255.255.224
NETWORK=38.98.6.224
ONBOOT=yes
TYPE=Ethernet

[root@landuconsulting ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0:5
DEVICE=eth0:5
BOOTPROTO=static
BROADCAST=38.98.6.255
IPADDR=38.98.6.250
NETMASK=255.255.255.224
NETWORK=38.98.6.224
ONBOOT=yes
TYPE=Ethernet

[root@landuconsulting ~]# cat /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

[root@landuconsulting ~]# cat /etc/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
route add -net 38.98.6.224 netmask 255.255.255.224 gw 38.99.214.162

I'm pretty sure that I'm missing just some small detail but for some reason
it evades my notice. Any assistance you can provide me with would be
greatly appreciated. Thank you for your time.

Jd Geier

From antonio.dibacco at aruba.it Mon May 15 21:26:29 2006
From: antonio.dibacco at aruba.it (Antonio Di Bacco)
Date: Mon May 15 21:24:26 2006
Subject: [LARTC] point-to-point ethernet link
In-Reply-To: <075f01c6780d$50a49870$0102000a@loop.com.tw>
References: <075f01c6780d$50a49870$0102000a@loop.com.tw>
Message-ID: <200605152126.30078.antonio.dibacco@aruba.it>

I have a similar problem, you can read what was posted in
netfilter-request@lists.netfilter.org or send there your question.

Bye,
Antonio.

On Monday 15 May 2006 12:50, Nai-Hsien wrote:
> I have an embedded linux board (main board), which has multiple Ethernet
> interfaces, and a daughter card, which has one Ethernet interface. The
> diagram is shown as follows.
>
>   +----------+                      +----------------------------+
>   | daughter |----------------------| ptp                        |----------------
>   |   card   |       Ethernet       |         Main board         |----------------  Ethernet links with IP
>   +----------+                      |                            |----------------  addresses
>                                     +----------------------------+
>
> I am looking for a method to manage the daughter card with a single IP
> address. I tried to build a point-to-point Ethernet link on the main board.
> However, it does not work. Is there any solution to route packets to the ptp
> port while the ptp port does not have an IP address?

From martin at linux-ip.net Mon May 15 21:24:24 2006
From: martin at linux-ip.net (Martin A. Brown)
Date: Mon May 15 21:24:46 2006
Subject: [LARTC] Issue with ip aliases and routing
In-Reply-To:
References:
Message-ID:

Hello Jon-david Geier,

 : After setting these addresses up I tested that they were
 : functional ( at least to the local machine ) by pinging each
 : address all of which responded from the local machine.

If you can ping the addresses from the machine itself, then they have
been successfully added to the interface (eth0). You can confirm this,
of course, by listing all of the addresses on eth0:

  # ip address show dev eth0

This should show all of your addresses. Note that the term alias for
additional IP addresses on an interface is deprecated. The use of the
label (e.g., eth0:1, eth0:4) is simply a backwards-compatible convenience
for ifconfig. The iproute tools show a slightly more accurate picture of
the networking stack. (xref also, for some possibly unexpected behaviour
of the IP stack when an interface is "down", the [0] FAQ)

 : The next thing I did was I set a
 : route statement to set the primary ( x.x.214.162 ) as the gateway for the
 : x.x.6.224 network via this statement: route add -net x.x.6.224 netmask
 : 255.255.255.224 gw x.x.214.162.

This is probably not necessary. Let's use your eth0:1 as an example. When
the network startup scripts bring up this IP, you'll see the address
appear on the interface ("ip address show"), and you should see a route
to the network appear.

Here's roughly what I would expect to see on your machine (different link
layer address for sure):

  # ip addr show dev eth0
  2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
      link/ether 00:30:1b:af:78:51 brd ff:ff:ff:ff:ff:ff
      inet 38.99.214.162/30 brd 38.99.214.163 scope global eth0
      inet 38.98.6.230/27 brd 38.98.6.255 scope global eth0:1
      inet 38.98.6.235/27 brd 38.98.6.255 scope global secondary eth0:2
      inet 38.98.6.240/27 brd 38.98.6.255 scope global secondary eth0:3
      inet 38.98.6.245/27 brd 38.98.6.255 scope global secondary eth0:4
      inet 38.98.6.250/27 brd 38.98.6.255 scope global secondary eth0:5
      inet6 fe80::230:1bff:feaf:7851/64 scope link
         valid_lft forever preferred_lft forever

  # ip route show dev eth0
  38.98.6.224/27  proto kernel  scope link  src 38.98.6.230
  38.99.214.160/30  proto kernel  scope link  src 38.98.6.230
  default via 38.99.214.161

Note the following potential pitfall. If you were to remove the IP
address 38.98.6.230 from eth0, all of the other ones would also be
removed [1].

 : I thought this was all I needed in order to be able to access the
 : aliased addresses externally from the machine. Unfortunately this
 : is not the case. I have ensured that ip forwarding is enabled and
 : that the addresses are set up correctly.

Is the machine a router? If "landuconsulting" is not a router, then you
do not need (nor want) IP forwarding enabled.

 : I have also attempted to use the same route statement with iproute2
 : via : ip route add 38.98.6.224/27 dev eth0 proto kernel scope
 : link src 38.99.214.162 and I am still unable to access the
 : addresses externally from the machine.

So, you are testing to see if you can reach 38.98.214.162 and
38.98.6.230 (and friends) from a remote location? Are you sure the
upstream route exists? Here's how to use tcpdump to test on
landuconsulting:

  # tcpdump -nn -i eth0 net 38.98.6.224/27 or arp

Now, generate your inbound traffic to any of your additional addresses.
Watch for ARP requests. Is your machine answering them?

It is quite possible that your upstream router does not have a route to
38.98.6.224/27 to your local Ethernet. That's something you need to fix
on the upstream router, not on the host you are configuring with many IP
addresses.

 : I have even brought down iptables to test that there is no
 : conflict there. Here are the configuration files.

  [ config files snipped, summary retained ]

  eth0    38.99.214.162
  eth0:1  38.98.6.230
  eth0:2  38.98.6.235
  eth0:3  38.98.6.240
  eth0:4  38.98.6.245
  eth0:5  38.98.6.250

  [ snipped sysctl.conf; nothing unusual-looking there ]

 : [root@landuconsulting ~]# cat /etc/rc.local
 : #!/bin/sh
 : #
 : # This script will be executed *after* all the other init scripts.
 : # You can put your own initialization stuff in here if you don't
 : # want to do the full Sys V style init stuff.
 :
 : touch /var/lock/subsys/local
 : route add -net 38.98.6.224 netmask 255.255.255.224 gw 38.99.214.162

Yank this line. It is not required.

 : I'm pretty sure that I'm missing just some small detail but for
 : some reason it evades my notice. Any assistance you can provide me
 : with would be greatly appreciated. Thank you for your time.

Good luck,

-Martin

 [0] http://linux-net.osdl.org/index.php/IPv4
 [1] http://linux-ip.net/html/tools-ip-address.html#tools-ip-address-del

--
Martin A. Brown
http://linux-ip.net/

From larry.brigman at gmail.com Mon May 15 21:33:17 2006
From: larry.brigman at gmail.com (Larry Brigman)
Date: Mon May 15 21:33:15 2006
Subject: [LARTC] HTB at 100+ Mbits/sec
In-Reply-To:
References: <2af436490605101445p2b30b21dr16ba6af77c910fec@mail.gmail.com> <2af436490605111125s7cf494f0p3cb3c1e92c30be8d@mail.gmail.com>
Message-ID:

On 5/14/06, Jesper Dangaard Brouer wrote:
>
> On Fri, 12 May 2006, Muthukumar S wrote:
>
> >
> > Also I was wondering what limits (if any) the kernel timer resolution
> > imposes on HTB.
> >
>
> The kernel timer resolution does have an impact on the precision of HTB
> (the delay jitter).
>
> I have done some detailed studies in my master thesis. Which is located
> at: http://www.adsl-optimizer.dk/thesis/.

looks like the site is down, at least for me.

From sebyte at smolny.plus.com Mon May 15 22:48:14 2006
From: sebyte at smolny.plus.com (Sebastian Tennant)
Date: Mon May 15 22:48:22 2006
Subject: [LARTC] Re: Simple routing question from networking newbie
References: <87ac9lwme5.fsf@smolny.plus.com> <200605150125.03380.sawar@interia.pl> <87y7x4unj4.fsf@smolny.plus.com> <5c6851530605142004x83bc547h5caffa162f345951@mail.gmail.com>
Message-ID: <87ejyvc8vl.fsf@smolny.plus.com>

>> you have to use port forwarding and / or DMZ functionality on your
>> router if it has it. For instance you can forward port 22 from
>> router to your internal box where ssh daemon is running. Then you
>> can use your public ip from isp x.y.z.a:22 to reach your ssh daemon.

Assuming 'port forwarding' is the same as 'port redirection' on D-Link
modem-routers (a sort-of reverse NAT), then I've enabled TCP packets to
pass through to 192.168.0.2 on port 22... but it hasn't helped. I've also
tried enabling 'DMZ state' and making 192.168.0.2 the DMZ IP address...
but again, to no avail. In both cases scp just says 'connection refused'.

No matter because I've found another way. Emacs users should check out
tramp mode if they haven't heard of it.

Thanks all.

sdt

From jdgeier at gmail.com Tue May 16 01:10:08 2006
From: jdgeier at gmail.com (Jon-david Geier)
Date: Tue May 16 01:10:04 2006
Subject: [LARTC] Issue with ip aliases and routing
In-Reply-To:
References:
Message-ID:

Hello Jon-david Geier,

If you can ping the addresses from the machine itself, then they have
been successfully added to the interface (eth0). You can confirm this,
of course by listing all of the addresses on eth0:

  # ip addr show dev eth0
  2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
      link/ether 00:30:1b:af:78:51 brd ff:ff:ff:ff:ff:ff
      inet 38.99.214.162/30 brd 38.99.214.163 scope global eth0
      inet 38.98.6.230/27 brd 38.98.6.255 scope global eth0:1
      inet 38.98.6.235/27 brd 38.98.6.255 scope global secondary eth0:2
      inet 38.98.6.240/27 brd 38.98.6.255 scope global secondary eth0:3
      inet 38.98.6.245/27 brd 38.98.6.255 scope global secondary eth0:4
      inet 38.98.6.250/27 brd 38.98.6.255 scope global secondary eth0:5
      inet6 fe80::230:1bff:feaf:7851/64 scope link
         valid_lft forever preferred_lft forever

//cool thats what mine looks like there

  # ip route show dev eth0
  38.98.6.224/27  proto kernel  scope link  src 38.98.6.230
  38.99.214.160/30  proto kernel  scope link  src 38.98.6.230
  default via 38.99.214.161

// mine looks different here
//[root@landuconsulting ~]# ip route show dev eth0
//38.99.214.160/30  proto kernel  scope link  src 38.99.214.162
//38.98.6.224/27  proto kernel  scope link  src 38.98.6.230
//169.254.0.0/16  scope link
//default via 38.99.214.161
//should I remove this line "38.99.214.160/30 proto kernel scope link src 38.99.214.162"
//and replace it with this line: "38.99.214.160/30 proto kernel scope link src 38.98.6.230"

Note the following potential pitfall. If you were to remove the IP
address 38.98.6.230 from eth0, all of the other ones would also be
removed [1].

//noted

Is the machine a router? If "landuconsulting" is not a router, then you
do not need (nor want) IP forwarding enabled.

//removed ip_forwarding

So, you are testing to see if you can reach 38.98.214.162 and
38.98.6.230 (and friends) from a remote location? Are you sure the
upstream route exists? Here's how to use tcpdump to test on
landuconsulting:

  # tcpdump -nn -i eth0 net 38.98.6.224/27 or arp

Now, generate your inbound traffic to any of your additional addresses.
Watch for ARP requests. Is your machine answering them?

//nope

It is quite possible that your upstream router does not have a route to
38.98.6.224/27 to your local Ethernet.

//I'm calling them in 30 to verify.

That's something you need to fix on the upstream router, not on the host
you are configuring with many IP addresses.

Good luck,

-Martin

Thank you Martin.

JD

 [0] http://linux-net.osdl.org/index.php/IPv4
 [1] http://linux-ip.net/html/tools-ip-address.html#tools-ip-address-del

--
Martin A. Brown
http://linux-ip.net/

From hawk at diku.dk Tue May 16 09:52:54 2006
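An added check for the situation in this thread (several addresses on one interface, a connected route per subnet, and a hand-added route pointing at the box's own address); this is example code, not from the thread or from iproute2, and the `ip addr` / `ip route` output it parses is constructed from the addresses quoted above.

```python
"""Cross-check `ip addr show` against `ip route show` on a host that carries a
primary address plus several secondary addresses on one interface.

Added example, not code from the thread or from iproute2. The sample output
below is constructed from the addresses quoted in the thread. The audit:
  * derives the connected route the kernel installs per subnet and confirms
    it is present (so no manual route to the /27 is needed),
  * lists which secondary addresses vanish if a primary address is deleted
    (the pitfall Martin points out),
  * flags routes whose gateway is one of the host's own addresses (the
    `route add ... gw 38.99.214.162` line in rc.local).
"""
import ipaddress
import re

# Constructed sample: the addresses and routes quoted in the thread, with the
# rc.local route added as an `ip route` entry so the audit has something to flag.
SAMPLE_IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:30:1b:af:78:51 brd ff:ff:ff:ff:ff:ff
    inet 38.99.214.162/30 brd 38.99.214.163 scope global eth0
    inet 38.98.6.230/27 brd 38.98.6.255 scope global eth0:1
    inet 38.98.6.235/27 brd 38.98.6.255 scope global secondary eth0:2
    inet 38.98.6.240/27 brd 38.98.6.255 scope global secondary eth0:3
    inet 38.98.6.245/27 brd 38.98.6.255 scope global secondary eth0:4
    inet 38.98.6.250/27 brd 38.98.6.255 scope global secondary eth0:5
    inet6 fe80::230:1bff:feaf:7851/64 scope link
"""
SAMPLE_IP_ROUTE = """\
38.99.214.160/30 proto kernel scope link src 38.99.214.162
38.98.6.224/27 proto kernel scope link src 38.98.6.230
38.98.6.224/27 via 38.99.214.162
169.254.0.0/16 scope link
default via 38.99.214.161
"""

ADDR_RE = re.compile(r"^\s*inet (\S+) brd \S+ scope global( secondary)? (\S+)")
ROUTE_RE = re.compile(
    r"^(\S+)(?: via (\S+))?(?: dev \S+)?(?: proto (\S+))?(?: scope \S+)?(?: src (\S+))?")


def parse_addresses(ip_addr_output):
    """One dict per IPv4 address: interface object, secondary flag, label."""
    addrs = []
    for line in ip_addr_output.splitlines():
        m = ADDR_RE.match(line)
        if m:
            addrs.append({"iface": ipaddress.ip_interface(m.group(1)),
                          "secondary": m.group(2) is not None,
                          "label": m.group(3)})
    return addrs


def parse_routes(ip_route_output):
    """One dict per route line: destination, gateway (via), proto, src."""
    routes = []
    for line in ip_route_output.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m and m.group(1):
            routes.append({"dst": m.group(1), "via": m.group(2),
                           "proto": m.group(3), "src": m.group(4)})
    return routes


def expected_connected_routes(addrs):
    """The kernel installs one 'proto kernel scope link' route per subnet,
    with src set to that subnet's primary (first-added) address."""
    routes = {}
    for a in addrs:
        routes.setdefault(a["iface"].network, a["iface"].ip)
    return routes


def secondaries_lost_if_removed(addrs, primary_ip):
    """Deleting a primary address also deletes every secondary on its subnet."""
    ip = ipaddress.ip_address(primary_ip)
    prim = next((a for a in addrs if a["iface"].ip == ip and not a["secondary"]), None)
    if prim is None:
        return []
    return [str(a["iface"].ip) for a in addrs
            if a["secondary"] and a["iface"].network == prim["iface"].network]


def audit(ip_addr_output, ip_route_output):
    """Summarise what the routing table says about the addresses on the box."""
    addrs = parse_addresses(ip_addr_output)
    routes = parse_routes(ip_route_output)
    own_ips = {a["iface"].ip for a in addrs}
    expected = expected_connected_routes(addrs)
    present = {(r["dst"], r["src"]) for r in routes if r["proto"] == "kernel"}
    return {
        "connected": {str(n): str(ip) for n, ip in expected.items()},
        "missing_connected": [str(n) for n, ip in expected.items()
                              if (str(n), str(ip)) not in present],
        # a gateway that is one of our own addresses marks a route that
        # duplicates a connected subnet and can be dropped
        "self_gateway": [r["dst"] for r in routes
                         if r["via"] and ipaddress.ip_address(r["via"]) in own_ips],
        "lost_if_removed": {str(ip): secondaries_lost_if_removed(addrs, ip)
                            for ip in expected.values()},
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_IP_ADDR, SAMPLE_IP_ROUTE).items():
        print(key, value)
```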
From: hawk at diku.dk (Jesper Dangaard Brouer)
Date: Tue May 16 09:52:53 2006
Subject: [LARTC] HTB at 100+ Mbits/sec
In-Reply-To:
References: <2af436490605101445p2b30b21dr16ba6af77c910fec@mail.gmail.com> <2af436490605111125s7cf494f0p3cb3c1e92c30be8d@mail.gmail.com>
Message-ID:

On Mon, 15 May 2006, Larry Brigman wrote:

> On 5/14/06, Jesper Dangaard Brouer wrote:
>>
>> On Fri, 12 May 2006, Muthukumar S wrote:
>>
>>>
>>> Also I was wondering what limits (if any) the kernel timer resolution
>>> imposes on HTB.
>>>
>>
>> The kernel timer resolution does have an impact on the precision of HTB
>> (the delay jitter).
>>
>> I have done some detailed studies in my master thesis. Which is located
>> at: http://www.adsl-optimizer.dk/thesis/.
>
> looks like the site is down, at least for me.

It is up again... I have just restarted apache, don't know why apache was
dead...

Regards,
Jesper Brouer
--
-------------------------------------------------------------------
MSc. Master of Computer Science
Dept. of Computer Science, University of Copenhagen
Author of http://www.adsl-optimizer.dk
-------------------------------------------------------------------

From ragunath_er at yahoo.com Tue May 16 12:07:07 2006
From: ragunath_er at yahoo.com (ragunath venkatapathy)
Date: Tue May 16 12:07:04 2006
Subject: [LARTC] rtbl_talk() call failed
Message-ID: <20060516100707.97534.qmail@web31612.mail.mud.yahoo.com>

Hi,

I compiled the qosd-0.0.1-13122003.tgz code found in
http://x-ray.prokon.cz/data/snmp/, but I have a problem when I run it. I get
an error:

    rtnetlink call failed, reason: 2, no such file or directory

I found this line in the file delete_object_util.c:

    rtnl_talk(&rth, &req.n, 0, 0, NULL, NULL, NULL);
    result = errno;
    if (result != 0)
        syslog(LOG_2, "rtnetlink call failed, reason: %i, %s",
               result, strerror(result));
    rtnl_close(&rth);
    return (result);

What does rtnl_talk() do? Help me please, thanks.

ragu

From lists at andyfurniss.entadsl.com Tue May 16 12:23:31 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Tue May 16 12:22:13 2006
Subject: [LARTC] HTB at 100+ Mbits/sec
In-Reply-To:
References:
Message-ID: <4469A823.4000108@andyfurniss.entadsl.com>

Muthukumar S wrote:
>> Iperf has a demonstrated behavior that when running more than one copy
>> at the same time on the same box (client side); that the timing of each
>> will start to affect the other copies. This is a function of how Iperf
>> does its timing (spin loops).
>
> What traffic generators would you recommend? What do other members
> use? Has anyone used TG (http://www.postel.org/tg/)?

Whatever you use, if it's tcp and you run multiple instances I wouldn't
take much note of the numbers it gives. In your case - at high speed -
polling counters would be a better way to see things.

I've done more in the way of wan speed testing and tbf/htb are not very
good at simulating a slow link. HFSC is better.

If you care about tcp then you need to use netem as well to add some
delay. If you don't, then because the first packets don't get delayed the
tcp sender knows you are on a lan and will/did (maybe bic) behave
differently, like retransmitting a chunk of packets while the first bulk
ones are sitting in your buffer waiting.

Andy.

From elmono222 at gmail.com Tue May 16 18:13:37 2006
From: elmono222 at gmail.com (Juan Felipe Botero)
Date: Tue May 16 18:13:34 2006
Subject: [LARTC] Hi, a doubt
Message-ID:

How can I put a port range in a tcng or tc configuration? Does somebody
know??? It's important.

--
Juan Felipe Botero
Systems Engineer
Universidad de Antioquia

From linux at pilot.org.ua Thu May 18 07:34:38 2006
From: linux at pilot.org.ua (Denis Ovsienko)
Date: Thu May 18 07:34:38 2006
Subject: [LARTC] Routing through a Point to Point link
In-Reply-To: <200605122230.32665.antonio.dibacco@aruba.it>
References: <200605122230.32665.antonio.dibacco@aruba.it>
Message-ID: <20060518093438.085802df.linux@pilot.org.ua>

If one can't tell one host from another, one can't build a network.

--
DO4-UANIC

From abhishekm at cdac.in Thu May 18 00:33:33 2006
From: abhishekm at cdac.in (Abhishek Misra)
Date: Thu May 18 13:32:36 2006
Subject: [LARTC] access control list equivalent on lunix
References:
Message-ID: <003001c67a01$eed043a0$1206a8c0@abhishek>

Hello,

Please let me know if there is anything equivalent to an access control
list for linux routers.

thank you

From shemminger at osdl.org Thu May 18 20:00:46 2006
From: shemminger at osdl.org (Stephen Hemminger)
Date: Thu May 18 20:00:48 2006
Subject: [LARTC] access control list equivalent on lunix
In-Reply-To: <003001c67a01$eed043a0$1206a8c0@abhishek>
References: <003001c67a01$eed043a0$1206a8c0@abhishek>
Message-ID: <20060518110046.3a54a326@localhost.localdomain>

On Thu, 18 May 2006 04:03:33 +0530
"Abhishek Misra" wrote:

> Hello,
>
> Please let me know if there is anything equivalent to an access control
> list for linux routers
>

Iptables

From support8 at greatlakes.net Fri May 19 16:31:36 2006
From: support8 at greatlakes.net (Eliot, Wireless and Server Administrator, Great Lakes Internet)
Date: Fri May 19 16:30:05 2006
Subject: [LARTC] iptables CLASSIFY and MARK not working?
Message-ID: <0633E0EDB4F25F43A2D7179CA11FAFAB255388@xavier.staff.greatlakes.net>

I have to match my packets based on MAC address, which I cannot do in the
POSTROUTING chain, so I do it in PREROUTING using MARK. Then, I match on
the MARK in the POSTROUTING chain to do a CLASSIFY. But this does not seem
to work:

wireless-r1 bwlimit # iptables -L -v -n -t mangle
Chain PREROUTING (policy ACCEPT 3353K packets, 941M bytes)
 pkts bytes target     prot opt in     out     source               destination
12527   11M CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore
 3227  130K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC 00:05:9E:81:3D:07 MARK set 0x30
 3231  132K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x30 CONNMARK save
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC 00:05:9E:81:3D:07 multiport ports 53,4569,5060,10000:20000 MARK set 0x2f
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC 00:05:9E:81:3D:07 multiport ports 22,23,53 MARK set 0x2f
    3   180 MARK       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           MAC 00:05:9E:81:3D:07 MARK set 0x2f
 3222  129K MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x18/0x10 MAC 00:05:9E:81:3D:07 MARK set 0x2f
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 MAC 00:05:9E:81:3D:07 MARK set 0x2f
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53 MAC 00:05:9E:81:3D:07 MARK set 0x2f
10272   10M CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x2f CONNMARK save
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC 00:05:9E:81:3D:07 ipp2p v0.8.0 --ipp2p MARK set 0x31
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x31 CONNMARK save

Chain INPUT (policy ACCEPT 1177K packets, 165M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 1157K packets, 703M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 535K packets, 95M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1613K packets, 790M bytes)
 pkts bytes target     prot opt in     out     source               destination
 3225  129K CLASSIFY   all  --  *      br1     0.0.0.0/0            0.0.0.0/0           MARK match 0x2f CLASSIFY set 47:1
    2   506 CLASSIFY   all  --  *      br1     0.0.0.0/0            0.0.0.0/0           MARK match 0x30 CLASSIFY set 48:1
    0     0 CLASSIFY   all  --  *      br1     0.0.0.0/0            0.0.0.0/0           MARK match 0x31 CLASSIFY set 49:1
 6352 9321K CLASSIFY   all  --  *      wivl4   0.0.0.0/0            0.0.0.0/0           MARK match 0x2f CLASSIFY set 47:1
    4  1932 CLASSIFY   all  --  *      wivl4   0.0.0.0/0            0.0.0.0/0           MARK match 0x30 CLASSIFY set 48:1
    0     0 CLASSIFY   all  --  *      wivl4   0.0.0.0/0            0.0.0.0/0           MARK match 0x31 CLASSIFY set 49:1

wireless-r1 bwlimit # tc -s qdisc show dev wivl4
qdisc prio 5: bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 11887911 bytes 8179 pkt (dropped 878, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc htb 26: parent 5:1 r2q 10 default 1 direct_packets_stat 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc htb 27: parent 5:2 r2q 10 default 1 direct_packets_stat 0
 Sent 10657 bytes 162 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc htb 28: parent 5:3 r2q 10 default 1 direct_packets_stat 0
 Sent 11877254 bytes 8017 pkt (dropped 878, overlimits 1120 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc htb 47: parent 26:1 r2q 10 default 1 direct_packets_stat 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc htb 48: parent 27:1 r2q 10 default 1 direct_packets_stat 0
 Sent 10657 bytes 162 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc htb 49: parent 28:1 r2q 10 default 1 direct_packets_stat 0
 Sent 11877254 bytes 8017 pkt (dropped 878, overlimits 1120 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

wireless-r1 bwlimit # tc -s class show dev wivl4
class prio 5:1 parent 5: leaf 26:

class prio 5:2 parent 5: leaf 27:

class prio 5:3 parent 5: leaf 28:

class htb 26:1 root leaf 47: prio 0 rate 30000Kbit ceil 30000Kbit burst 16593b cburst 16593b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 4532 ctokens: 4532

class htb 27:1 root leaf 48: prio 0 rate 60000Kbit ceil 60000Kbit burst 31590b cburst 31590b
 Sent 54187 bytes 790 pkt (dropped 0, overlimits 0 requeues 0)
 rate 624bit 1pps backlog 0b 0p requeues 0
 lended: 790 borrowed: 0 giants: 0
 tokens: 4306 ctokens: 4306

class htb 28:1 root leaf 49: prio 0 rate 10000Kbit ceil 10000Kbit burst 6598b cburst 6598b
 Sent 16539369 bytes 11178 pkt (dropped 1160, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 11178 borrowed: 0 giants: 0
 tokens: 5368 ctokens: 5368

class htb 47:1 root prio 1 rate 80000bit ceil 128000bit burst 125Kb cburst 8000b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 13107200 ctokens: 512000

class htb 48:1 root prio 2 rate 2048Kbit ceil 3072Kbit burst 3000Kb cburst 192000b
 Sent 54187 bytes 790 pkt (dropped 0, overlimits 0 requeues 0)
 rate 624bit 1pps backlog 0b 0p requeues 0
 lended: 790 borrowed: 0 giants: 0
 tokens: 12287744 ctokens: 511831

class htb 49:1 root prio 3 rate 960000bit ceil 960000bit burst 960000b cburst 60000b
 Sent 16539369 bytes 11178 pkt (dropped 1160, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 11178 borrowed: 0 giants: 0
 tokens: 8191591 ctokens: 511591

In the iptables rules, you'll see that the bulk of the traffic I'm sending
through is getting marked with 0x2f (47 decimal). In the POSTROUTING chain,
it is being classified as 47:1. In fact, nothing at all is getting
classified as 49:1. But, in the TC class and qdisc displays, everything is
coming up under the 49:1 instead of the 47:1. What happened?

Either I have some weird typo I'm not seeing, or this is just not working
the way I'm expecting it to. Anyone have any thoughts on this?

Thanks.

Eliot Gable
Certified Wireless Network Administrator (CWNA)
Certified Wireless Security Professional (CWSP)
Cisco Certified Network Associate (CCNA)
CompTIA Security+ Certified
CompTIA Network+ Certified

Network and Systems Administrator
Great Lakes Internet, Inc.
112 North Howard
Croswell, MI 48422
(810) 679-3395
(877) 558-8324

Now offering Broadband Wireless Internet access in Croswell, Lexington,
Brown City, Yale, and Sandusky. Call for details.

From unki at netshadow.at Fri May 19 19:31:43 2006
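An added model (example code, not from the post and not the kernel's own) of how the prio root qdisc and the nested htb qdiscs listed above pick a class from the value CLASSIFY stores in skb->priority when no tc filters are attached; it parses the qdisc and class lines from the post and walks a class id through them. It assumes CLASSIFY stores "47:1" with hex major and minor, the way tc reads handles.

```python
"""Model of how sch_prio and sch_htb pick a class from skb->priority (the
value the iptables CLASSIFY target sets) when no tc filters are attached.

Added example, not code from the post or the kernel. The sample input below
is the qdisc/class layout `tc` printed in the post, stats lines omitted.
"""
import re

QDISC_RE = re.compile(r"^qdisc (\w+) ([0-9a-f]+): (?:parent ([0-9a-f]+):([0-9a-f]+) )?(.*)$")
CLASS_RE = re.compile(r"^class \w+ ([0-9a-f]+):([0-9a-f]+) ")

SAMPLE_QDISC = """\
qdisc prio 5: bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
qdisc htb 26: parent 5:1 r2q 10 default 1 direct_packets_stat 0
qdisc htb 27: parent 5:2 r2q 10 default 1 direct_packets_stat 0
qdisc htb 28: parent 5:3 r2q 10 default 1 direct_packets_stat 0
qdisc htb 47: parent 26:1 r2q 10 default 1 direct_packets_stat 0
qdisc htb 48: parent 27:1 r2q 10 default 1 direct_packets_stat 0
qdisc htb 49: parent 28:1 r2q 10 default 1 direct_packets_stat 0
"""
SAMPLE_CLASS = """\
class prio 5:1 parent 5: leaf 26:
class prio 5:2 parent 5: leaf 27:
class prio 5:3 parent 5: leaf 28:
class htb 26:1 root leaf 47: prio 0 rate 30000Kbit ceil 30000Kbit
class htb 27:1 root leaf 48: prio 0 rate 60000Kbit ceil 60000Kbit
class htb 28:1 root leaf 49: prio 0 rate 10000Kbit ceil 10000Kbit
class htb 47:1 root prio 1 rate 80000bit ceil 128000bit
class htb 48:1 root prio 2 rate 2048Kbit ceil 3072Kbit
class htb 49:1 root prio 3 rate 960000bit ceil 960000bit
"""

class QdiscTree:
    """Qdiscs keyed by handle major, plus the set of (major, minor) class ids."""

    def __init__(self, tc_qdisc_output, tc_class_output):
        self.qdiscs, self.root = {}, None
        for line in tc_qdisc_output.splitlines():
            m = QDISC_RE.match(line.strip())
            if not m:
                continue
            kind, handle, pmaj, pmin, rest = m.groups()
            q = {"kind": kind, "handle": int(handle, 16),
                 "parent": (int(pmaj, 16), int(pmin, 16)) if pmaj else None}
            if kind == "prio":
                q["bands"] = int(re.search(r"bands (\d+)", rest).group(1))
                q["priomap"] = [int(x) for x in
                                re.search(r"priomap ((?:\d+ ?)+)", rest).group(1).split()]
            elif kind == "htb":  # tc prints the default class minor in hex
                q["default"] = int(re.search(r"default ([0-9a-f]+)", rest).group(1), 16)
            self.qdiscs[q["handle"]] = q
            if q["parent"] is None:
                self.root = q
        self.classes = {(int(m.group(1), 16), int(m.group(2), 16)) for m in
                        map(CLASS_RE.match, tc_class_output.splitlines()) if m}

    def leaf_qdisc(self, cls):
        """The qdisc attached under class `cls`, or None for a leaf class."""
        return next((q for q in self.qdiscs.values() if q["parent"] == cls), None)

def parse_classid(text):
    """'47:1' as tc and CLASSIFY read it: hex major, hex minor."""
    maj, mino = text.split(":")
    return (int(maj, 16) << 16) | int(mino or "0", 16)

def classify(tree, priority):
    """Chain of class ids the packet passes through, root qdis to leaf class."""
    path, q = [], tree.root
    while q is not None:
        maj, mino = priority >> 16, priority & 0xFFFF
        if q["kind"] == "prio":
            # prio_classify(): the minor picks the band only if the major equals
            # this handle; otherwise the priomap indexed by the low 4 bits decides.
            if maj == q["handle"]:
                band = mino if 1 <= mino <= q["bands"] else q["priomap"][0] + 1
            else:
                band = q["priomap"][priority & 0xF] + 1
            cls = (q["handle"], band)
        elif q["kind"] == "htb":
            # htb_classify(): priority == handle means the direct queue; a class id
            # counts only if that class belongs to *this* qdisc, else the default.
            if priority == q["handle"] << 16:
                return path + ["%x:0 (direct)" % q["handle"]]
            if maj == q["handle"] and (maj, mino) in tree.classes:
                cls = (maj, mino)
            else:
                cls = (q["handle"], q["default"])
        else:
            raise ValueError("qdisc kind not modelled: " + q["kind"])
        path.append("%x:%x" % cls)
        q = tree.leaf_qdisc(cls)
    return path

if __name__ == "__main__":
    tree = QdiscTree(SAMPLE_QDISC, SAMPLE_CLASS)
    for classid in ("47:1", "48:1", "5:1"):
        print(classid, "->", " > ".join(classify(tree, parse_classid(classid))))
```

Walking 47:1 through this tree ends in class 49:1, the class whose counters are growing in the post, because the root prio qdisc never sees a handle of its own and falls back to its priomap.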
From: unki at netshadow.at (Andreas Unterkircher)
Date: Fri May 19 19:31:22 2006
Subject: [LARTC] iptables CLASSIFY and MARK not working?
In-Reply-To: <0633E0EDB4F25F43A2D7179CA11FAFAB255388@xavier.staff.greatlakes.net>
References: <0633E0EDB4F25F43A2D7179CA11FAFAB255388@xavier.staff.greatlakes.net>
Message-ID: <446E00FF.1010305@netshadow.at>

Have you checked that the ip_conntrack module is loaded or compiled into the kernel? If not the mark is lost...

Cheers,
Andreas

Eliot, Wireless and Server Administrator, Great Lakes Internet wrote:
> I have to match my packets based on MAC address, which I cannot do in
> the POSTROUTING chain, so I do it in PREROUTING using MARK. Then, I
> match on the MARK in the POSTROUTING chain to do a CLASSIFY. But this
> does not seem to work:
>
> wireless-r1 bwlimit # iptables -L -v -n -t mangle
> Chain PREROUTING (policy ACCEPT 3353K packets, 941M bytes)
> pkts bytes target prot opt in out source destination
> 12527 11M CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore
> 3227 130K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MAC 00:05:9E:81:3D:07 MARK set 0x30
> 3231 132K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0x30 CONNMARK save
> 0 0 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 MAC 00:05:9E:81:3D:07 multiport ports 53,4569,5060,10000:20000 MARK set 0x2f
> 0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 MAC 00:05:9E:81:3D:07 multiport ports 22,23,53 MARK set 0x2f
> 3 180 MARK icmp -- * * 0.0.0.0/0 0.0.0.0/0 MAC 00:05:9E:81:3D:07 MARK set 0x2f
> 3222 129K MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x10 MAC 00:05:9E:81:3D:07 MARK set 0x2f
> 0 0 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 MAC 00:05:9E:81:3D:07 MARK set 0x2f
> 0 0 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 MAC 00:05:9E:81:3D:07 MARK set 0x2f
> 10272 10M CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0x2f CONNMARK save
> 0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MAC 00:05:9E:81:3D:07 ipp2p v0.8.0 --ipp2p MARK set 0x31
> 0 0 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0x31 CONNMARK save
>
> Chain INPUT (policy ACCEPT 1177K packets, 165M bytes)
> pkts bytes target prot opt in out source destination
>
> Chain FORWARD (policy ACCEPT 1157K packets, 703M bytes)
> pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 535K packets, 95M bytes)
> pkts bytes target prot opt in out source destination
>
> Chain POSTROUTING (policy ACCEPT 1613K packets, 790M bytes)
> pkts bytes target prot opt in out source destination
> 3225 129K CLASSIFY all -- * br1 0.0.0.0/0 0.0.0.0/0 MARK match 0x2f CLASSIFY set 47:1
> 2 506 CLASSIFY all -- * br1 0.0.0.0/0 0.0.0.0/0 MARK match 0x30 CLASSIFY set 48:1
> 0 0 CLASSIFY all -- * br1 0.0.0.0/0 0.0.0.0/0 MARK match 0x31 CLASSIFY set 49:1
> 6352 9321K CLASSIFY all -- * wivl4 0.0.0.0/0 0.0.0.0/0 MARK match 0x2f CLASSIFY set 47:1
> 4 1932 CLASSIFY all -- * wivl4 0.0.0.0/0 0.0.0.0/0 MARK match 0x30 CLASSIFY set 48:1
> 0 0 CLASSIFY all -- * wivl4 0.0.0.0/0 0.0.0.0/0 MARK match 0x31 CLASSIFY set 49:1
>
> wireless-r1 bwlimit # tc -s qdisc show dev wivl4
> qdisc prio 5: bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
>  Sent 11887911 bytes 8179 pkt (dropped 878, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
> qdisc htb 26: parent 5:1 r2q 10 default 1 direct_packets_stat 0
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
> qdisc htb 27: parent 5:2 r2q 10 default 1 direct_packets_stat 0
>  Sent 10657 bytes 162 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
> qdisc htb 28: parent 5:3 r2q 10 default 1 direct_packets_stat 0
>  Sent 11877254 bytes 8017 pkt (dropped 878, overlimits 1120 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
> qdisc htb 47: parent 26:1 r2q 10 default 1 direct_packets_stat 0
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
> qdisc htb 48: parent 27:1 r2q 10 default 1 direct_packets_stat 0
>  Sent 10657 bytes 162 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
> qdisc htb 49: parent 28:1 r2q 10 default 1 direct_packets_stat 0
>  Sent 11877254 bytes 8017 pkt (dropped 878, overlimits 1120 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
>
> wireless-r1 bwlimit # tc -s class show dev wivl4
> class prio 5:1 parent 5: leaf 26:
>
> class prio 5:2 parent 5: leaf 27:
>
> class prio 5:3 parent 5: leaf 28:
>
> class htb 26:1 root leaf 47: prio 0 rate 30000Kbit ceil 30000Kbit burst 16593b cburst 16593b
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
>  lended: 0 borrowed: 0 giants: 0
>  tokens: 4532 ctokens: 4532
>
> class htb 27:1 root leaf 48: prio 0 rate 60000Kbit ceil 60000Kbit burst 31590b cburst 31590b
>  Sent 54187 bytes 790 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 624bit 1pps backlog 0b 0p requeues 0
>  lended: 790 borrowed: 0 giants: 0
>  tokens: 4306 ctokens: 4306
>
> class htb 28:1 root leaf 49: prio 0 rate 10000Kbit ceil 10000Kbit burst 6598b cburst 6598b
>  Sent 16539369 bytes 11178 pkt (dropped 1160, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
>  lended: 11178 borrowed: 0 giants: 0
>  tokens: 5368 ctokens: 5368
>
> class htb 47:1 root prio 1 rate 80000bit ceil 128000bit burst 125Kb cburst 8000b
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
>  lended: 0 borrowed: 0 giants: 0
>  tokens: 13107200 ctokens: 512000
>
> class htb 48:1 root prio 2 rate 2048Kbit ceil 3072Kbit burst 3000Kb cburst 192000b
>  Sent 54187 bytes 790 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 624bit 1pps backlog 0b 0p requeues 0
>  lended: 790 borrowed: 0 giants: 0
>  tokens: 12287744 ctokens: 511831
>
> class htb 49:1 root prio 3 rate 960000bit ceil 960000bit burst 960000b cburst 60000b
>  Sent 16539369 bytes 11178 pkt (dropped 1160, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
>  lended: 11178 borrowed: 0 giants: 0
>  tokens: 8191591 ctokens: 511591
>
>
> In the iptables rules, you'll see that the bulk of the traffic I'm
> sending through is getting marked with 0x2f (47 decimal). In the
> POSTROUTING chain, it is being classified as 47:1. In fact, nothing at
> all is getting classified as 49:1. But, in the TC class and qdisc
> displays, everything is coming up under the 49:1 instead of the 47:1.
> What happened? Either I have some weird typo I'm not seeing, or this is
> just not working the way I'm expecting it to. Anyone have any thoughts
> on this?
>
> Thanks.
>
> Eliot Gable
> Certified Wireless Network Administrator (CWNA)
> Certified Wireless Security Professional (CWSP)
> Cisco Certified Network Associate (CCNA)
> CompTIA Security+ Certified
> CompTIA Network+ Certified
> Network and Systems Administrator
> Great Lakes Internet, Inc.
> 112 North Howard
> Croswell, MI 48422
> (810) 679-3395
> (877) 558-8324
>
> Now offering Broadband Wireless Internet access in Croswell, Lexington,
> Brown City, Yale, and Sandusky. Call for details.
>

From jody.shumaker at gmail.com Fri May 19 21:26:57 2006
From: jody.shumaker at gmail.com (Jody Shumaker)
Date: Fri May 19 21:26:52 2006
Subject: [LARTC] iptables CLASSIFY and MARK not working?
In-Reply-To: <446E00FF.1010305@netshadow.at>
References: <0633E0EDB4F25F43A2D7179CA11FAFAB255388@xavier.staff.greatlakes.net> <446E00FF.1010305@netshadow.at>
Message-ID: <2af436490605191226w118f7235m264e2601e1eecdb0@mail.gmail.com>

On 5/19/06, Andreas Unterkircher wrote:
> Have you checked that the ip_conntrack module is loaded or compiled into
> the kernel?
> If not the mark is lost...
>
> Cheers,
> Andreas
>

I doubt that's the issue. I do however recall there being issues with using iptables classify to targets that were more than 1 level deep in the tc qdisc hierarchy. In such situations it works much better if you instead use a tc filter on the mark instead of an iptables classify. Is there any particular reason you're using classify on a mark instead of a tc filter on the mark?

- Jody

From elmono222 at gmail.com Sun May 21 00:35:34 2006
From: elmono222 at gmail.com (Juan Felipe Botero)
Date: Sun May 21 00:35:29 2006
Subject: [LARTC] Hi, an important doubt
Message-ID:

How can I put a port range in a tcng or tc configuration?
>
> Does somebody know?
>
> It's important, because I need to regulate the bandwidth from TCP port
> 1054 until TCP port 1200. How can I do that?
>

From andreas at stapelspeicher.org Sun May 21 01:17:01 2006
From: andreas at stapelspeicher.org (Andreas Mueller)
Date: Sun May 21 01:17:05 2006
Subject: [LARTC] Hi, an important doubt
In-Reply-To:
References:
Message-ID: <20060520231701.GA4047@lintera>

In tcng you can use common comparators on "if", for example:

    if tcp_sport > 1000 && tcp_sport < 1200 ....

tcng translates this to several u32 matches with masks for tc use, which is AFAIK the only way with tc to match a port range. It may be easier to do this with iptables (although I dislike using two different interfaces for one purpose).

Andreas

Juan Felipe Botero wrote:
> How can I put a port range in a tcng or tc configuration?
> >
> > Does somebody know?
> >
> > It's important, because I need to regulate the bandwidth from TCP port
> > 1054 until TCP port 1200. How can I do that?
> >

From andy at andybev.com Mon May 22 08:26:35 2006
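The u32 translation Andreas describes, worked through as an added example that is not part of the thread: a port range is split into naturally aligned power-of-two blocks, each becoming one `match ip dport VALUE MASK`, here applied to Juan's 1054 to 1200 range. The device `eth0`, parent handle `1:` and flowid `1:10` are placeholders, not values from either post.

```python
"""Decompose a TCP/UDP port range into u32 value/mask pairs for tc.

tc's u32 classifier matches (value, mask) on a 16-bit field, so a range
such as 1054..1200 has to be split into aligned power-of-two blocks, each
expressed as one 'match ip dport VALUE MASK'. This is the translation tcng
performs for a comparison like 'tcp_sport > 1000 && tcp_sport < 1200'.
"""


def port_range_to_masks(lo, hi):
    """Return [(value, mask), ...] covering exactly the inclusive range lo..hi.

    Each block is the largest power-of-two-sized, naturally aligned run
    starting at the current position that does not run past hi, so the
    blocks are disjoint and their union is the whole range.
    """
    if not 0 <= lo <= hi <= 0xFFFF:
        raise ValueError("need 0 <= lo <= hi <= 65535")
    pairs = []
    p = lo
    while p <= hi:
        size = 1
        # grow the block while it stays aligned at p and inside the range
        while p % (size * 2) == 0 and p + size * 2 - 1 <= hi:
            size *= 2
        mask = 0xFFFF & ~(size - 1)
        pairs.append((p, mask))
        p += size
    return pairs


def ports_matched(pairs):
    """Expand value/mask pairs back into the set of ports they match."""
    return {port for port in range(0x10000)
            for value, mask in pairs if port & mask == value}


def u32_filter_commands(lo, hi, dev, parent, flowid, field="dport", prio=1):
    """Emit one tc u32 filter per block, restricted to TCP (ip protocol 6).

    Caveat: 'match ip dport/sport' reads the port at a fixed offset and so
    assumes an IP header without options; packets carrying IP options are
    not matched by these rules.
    """
    return [
        f"tc filter add dev {dev} parent {parent} protocol ip prio {prio} u32 "
        f"match ip protocol 6 0xff match ip {field} {value} 0x{mask:04x} "
        f"flowid {flowid}"
        for value, mask in port_range_to_masks(lo, hi)
    ]


if __name__ == "__main__":
    # Juan's range; eth0 / 1: / 1:10 are placeholders, not values from the thread
    for cmd in u32_filter_commands(1054, 1200, "eth0", "1:", "1:10"):
        print(cmd)
```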
From: andy at andybev.com (Andrew Beverley)
Date: Mon May 22 08:26:36 2006
Subject: [LARTC] Detecting p2p traffic
In-Reply-To: <200605081522.45715.jasonb@edseek.com>
References: <20060508004307.qkuxq25v4occs4gk@www.simplelists.com> <200605081522.45715.jasonb@edseek.com>
Message-ID: <4471599B.1080102@andybev.com>

Jason Boxman wrote:
> On Sunday 07 May 2006 19:43, Andrew Beverley wrote:
>> After varying degrees of success with p2p detection modules, I would like
>> to write the following rules using iptables to reliably identify p2p
>> traffic:
>>
>
>> On my network all p2p traffic falls into these categories, and I don't mind
>> overmatching with other traffic.
>
> If you can, you could look into compiling and using ipp2p against your kernel.
> I find it works extremely well with my p2p traffic from edonkey protocol(s).
> You may have success with L7-Filter, too. You can probably use both at the
> same time, but I've never tried as ipp2p works for me.

Thanks - I tried both ipp2p and l7-filter. I found that on the whole they worked well, but on the network of 50 clients there were always a couple that they didn't detect. I also wanted to put something in place that didn't need upgrading - if and when I move on someone will have to keep updating ipp2p and l7-filter on the server.

Andy

From andy at andybev.com Mon May 22 08:39:50 2006
From: andy at andybev.com (Andrew Beverley)
Date: Mon May 22 08:39:55 2006
Subject: [LARTC] Detecting p2p traffic
In-Reply-To: <118619310605090257q55e02186gee615d01dc059750@mail.gmail.com>
References: <20060508004307.qkuxq25v4occs4gk@www.simplelists.com> <118619310605090257q55e02186gee615d01dc059750@mail.gmail.com>
Message-ID: <44715CB6.2000006@andybev.com>

Ryan Castellucci wrote:
> On 5/7/06, Andrew Beverley wrote:
>> After varying degrees of success with p2p detection modules, I
>> would like to write the following rules using iptables to reliably
>> identify p2p traffic:
>>
>> 1. If a host on the network has 5 or more simultaneous tcp
>> connections to ports above 1024, mark all connections to ports 1024
>> and above as 60.
>>
>> 2. If a host has received (or sent) UDP packets from 5 different
>> hosts' ports above 1024 in a minute then classify all UDP traffic
>> to and from that host above port 1024 as 60.
>>
>> Number 1 can almost be achieved using something similar to:
>> iptables .. --dport 1024: -m connlimit --connlimit-above 5 -j MARK --set-mark 60
>>
>> Unfortunately though it still leaves 5 connections slurping up
>> plenty of bandwidth.
>>
>> I have no ideas for number 2.
>>
>> Anybody any ideas?
>
> Take a look at the 'recent' and 'set' stuff. You can use it to
> create groups of 'naughty' users and match against those groups.
> Recent is probably better in this case.

I achieved most of this with 'set'. I create an iptree ipset list that times out after 60 seconds. If the above are detected then the user's IP address is added to the ipset, and any subsequent traffic from the user destined to or from ports above 1024 is marked at a lower priority.

The one thing I haven't managed yet is detecting many different UDP ports within a set time period. Instead I match on UDP packets longer than 1000 bytes, which seems to work on the whole, but I'd like to get it to detect on different port numbers as it is less likely to overmatch.

Andy

From samueldg at arcoscom.com Mon May 22 08:42:52 2006
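Andrew's two rules as detection logic over a constructed set of flow records, added here as an example and not code from the thread. The first rule counts open high-port TCP connections per host from a conntrack-style snapshot; the second, which Andrew could not express in iptables, slides a 60-second window over UDP events and counts distinct remote hosts. All addresses, ports and timestamps are constructed sample data.

```python
"""Heuristic p2p host detection (Andrew Beverley's two rules), offline.

Records are (ts_seconds, proto, local_ip, remote_ip, remote_port). TCP
records are treated as a snapshot of currently open connections; UDP
records are individual packets with timestamps.
"""
from collections import defaultdict

# Constructed sample data, not captured from any real network.
SAMPLE_RECORDS = [
    # 192.168.1.10: six open TCP connections to high ports -> rule 1 fires
    (0, "tcp", "192.168.1.10", "203.0.113.5", 6881),
    (0, "tcp", "192.168.1.10", "203.0.113.6", 6882),
    (0, "tcp", "192.168.1.10", "203.0.113.7", 51413),
    (0, "tcp", "192.168.1.10", "203.0.113.8", 4662),
    (0, "tcp", "192.168.1.10", "203.0.113.9", 4662),
    (0, "tcp", "192.168.1.10", "203.0.113.10", 6881),
    # 192.168.1.11: three high-port TCP connections plus HTTPS -> stays clean
    (0, "tcp", "192.168.1.11", "198.51.100.2", 443),
    (0, "tcp", "192.168.1.11", "198.51.100.3", 8080),
    (0, "tcp", "192.168.1.11", "198.51.100.4", 8443),
    (0, "tcp", "192.168.1.11", "198.51.100.5", 5222),
    # 192.168.1.12: UDP with five distinct peers inside 60 s -> rule 2 fires
    (100, "udp", "192.168.1.12", "203.0.113.20", 6881),
    (110, "udp", "192.168.1.12", "203.0.113.21", 6881),
    (120, "udp", "192.168.1.12", "203.0.113.22", 6881),
    (130, "udp", "192.168.1.12", "203.0.113.23", 6881),
    (150, "udp", "192.168.1.12", "203.0.113.24", 6881),
    # 192.168.1.13: five distinct UDP peers, but spread 70 s apart -> no match
    (100, "udp", "192.168.1.13", "203.0.113.30", 6881),
    (170, "udp", "192.168.1.13", "203.0.113.31", 6881),
    (240, "udp", "192.168.1.13", "203.0.113.32", 6881),
    (310, "udp", "192.168.1.13", "203.0.113.33", 6881),
    (380, "udp", "192.168.1.13", "203.0.113.34", 6881),
]


def tcp_high_port_offenders(records, threshold=5, low_port=1024):
    """Rule 1: hosts with >= threshold open TCP connections to ports above low_port."""
    counts = defaultdict(int)
    for _, proto, local, _, rport in records:
        if proto == "tcp" and rport > low_port:
            counts[local] += 1
    return {host for host, n in counts.items() if n >= threshold}


def udp_high_port_offenders(records, threshold=5, low_port=1024, window=60):
    """Rule 2: hosts that exchanged UDP with >= threshold distinct remote hosts
    on ports above low_port within any `window`-second interval."""
    per_host = defaultdict(list)  # local_ip -> [(ts, remote_ip)]
    for ts, proto, local, remote, rport in records:
        if proto == "udp" and rport > low_port:
            per_host[local].append((ts, remote))
    offenders = set()
    for host, events in per_host.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans <= window seconds
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({remote for _, remote in events[start:end + 1]}) >= threshold:
                offenders.add(host)
                break
    return offenders


def classify(record, offenders, mark=60, high_port=1024):
    """Return the fwmark a packet gets under Andrew's rules, or None.

    Only traffic of a flagged host to or from ports 1024 and above is
    marked, so its ordinary low-port traffic keeps its normal priority.
    """
    _, _, local, _, rport = record
    if local in offenders and rport >= high_port:
        return mark
    return None


if __name__ == "__main__":
    flagged = tcp_high_port_offenders(SAMPLE_RECORDS) | udp_high_port_offenders(SAMPLE_RECORDS)
    for rec in SAMPLE_RECORDS:
        print(rec, "->", classify(rec, flagged))
```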
From: samueldg at arcoscom.com (Samuel Díaz García)
Date: Mon May 22 08:42:48 2006
Subject: [LARTC] Detecting p2p traffic
In-Reply-To: <4471599B.1080102@andybev.com>
References: <20060508004307.qkuxq25v4occs4gk@www.simplelists.com> <200605081522.45715.jasonb@edseek.com> <4471599B.1080102@andybev.com>
Message-ID: <52487.195.55.244.106.1148280172.squirrel@www.arcoscom.com>

I'm using the 2 modules at the same time, and the problems I encounter are:

1) l7-filter needs a patched kernel (you can't skip this), and for this reason in my recent scripts I'm putting "module detection procedures" to allow me to disable this module when it doesn't exist.

2) With a few manual changes to the .h files and the includes section of the .c headers, you can compile the kernel module and iptables extensions for ipp2p; with these sources you can upgrade your kernel and put a detection script into the init scripts to detect, compile and install ipp2p without problems.

3) I use p2p detection modules in this way:
   a) Marking p2p traffic in the mangle table.
   b) Limiting bandwidth with tc.
   c) Using the connlimit iptables extension in the filter table to drop tcp "new p2p connections" when they reach a limit.

Perhaps this helps a bit.

Regards
--
Samuel Díaz García
ArcosCom Wireless, S.L.L.
CIF: B11828068
c/ Romero Gago, 19
Arcos de la Frontera
11630 - Cadiz
http://www.arcoscom.com
mailto:samueldg@arcoscom.com
msn: samueldg@arcoscom.com
Tlfn.: 956 70 13 15
Fax: 956 70 34 83

On Mon, 22 May 2006, 8:26, Andrew Beverley wrote:
> Jason Boxman wrote:
>> On Sunday 07 May 2006 19:43, Andrew Beverley wrote:
>>> After varying degrees of success with p2p detection modules, I would
>>> like to write the following rules using iptables to reliably identify
>>> p2p traffic:
>>>
>>
>>> On my network all p2p traffic falls into these categories, and I don't
>>> mind overmatching with other traffic.
>>
>> If you can, you could look into compiling and using ipp2p against your
>> kernel. I find it works extremely well with my p2p traffic from edonkey
>> protocol(s). You may have success with L7-Filter, too. You can probably
>> use both at the same time, but I've never tried as ipp2p works for me.
>
> Thanks - I tried both ipp2p and l7-filter. I found that on the whole
> they worked well, but on the network of 50 clients there were always a
> couple that they didn't detect. I also wanted to put something in place
> that didn't need upgrading - if and when I move on someone will have to
> keep updating ipp2p and l7-filter on the server.
>
> Andy
>

From luciano at lugmen.org.ar Mon May 22 16:25:48 2006
From: luciano at lugmen.org.ar (Luciano Ruete)
Date: Mon May 22 16:19:09 2006
Subject: [LARTC] Detecting p2p traffic
In-Reply-To: <4471599B.1080102@andybev.com>
References: <20060508004307.qkuxq25v4occs4gk@www.simplelists.com> <200605081522.45715.jasonb@edseek.com> <4471599B.1080102@andybev.com>
Message-ID: <200605221125.48995.luciano@lugmen.org.ar>

On Monday 22 May 2006 03:26, Andrew Beverley wrote:
> Jason Boxman wrote:
> > On Sunday 07 May 2006 19:43, Andrew Beverley wrote:
> >> After varying degrees of success with p2p detection modules, I would
> >> like to write the following rules using iptables to reliably identify
> >> p2p traffic:
> >
> >
> >> On my network all p2p traffic falls into these categories, and I don't
> >> mind overmatching with other traffic.
> >
> > If you can, you could look into compiling and using ipp2p against your
> > kernel. I find it works extremely well with my p2p traffic from edonkey
> > protocol(s). You may have success with L7-Filter, too. You can probably
> > use both at the same time, but I've never tried as ipp2p works for me.
>
> Thanks - I tried both ipp2p and l7-filter. I found that on the whole
> they worked well, but on the network of 50 clients there were always a
> couple that they didn't detect. I also wanted to put something in place
> that didn't need upgrading - if and when I move on someone will have to
> keep updating ipp2p and l7-filter on the server.

There is an alternative method that I've used, and it is infallible at detecting p2p. Find out what is *not* p2p traffic in your network and give it the appropriate bandwidth/priority. Then the rest will be p2p traffic.

This is the same approach used to build firewall rules, which is to close all traffic and start opening ports/protocols until everything works OK. So at first maybe there will be some false positives, but with your clients' feedback and a little network analysis everything goes to the right place.

Some clues on what is not p2p:
- packets with size < 100 bytes
- tcp ports 80, 21, 22, 25, 110 and so on...
- all udp; some p2p protocols use it for control, but AFAIK it is not used in data transfers, and if it is, you can still use a size rule, i.e. udp < 900 bytes
- other protocols such as icmp, igmp, esp...

--
Luciano

From support8 at greatlakes.net Mon May 22 23:56:25 2006
From: support8 at greatlakes.net (Eliot, Wireless and Server Administrator, Great Lakes Internet)
Date: Mon May 22 23:53:21 2006
Subject: [LARTC] iptables CLASSIFY and MARK not working?
Message-ID: <0633E0EDB4F25F43A2D7179CA11FAFAB2553A8@xavier.staff.greatlakes.net>

You were exactly right here. Moving to the filters instead of the iptables classify solved the issue. As for performance, I have not yet benchmarked it to determine if the filters are fast enough for the number of users I need this to support.

Eliot Gable
Certified Wireless Network Administrator (CWNA)
Certified Wireless Security Professional (CWSP)
Cisco Certified Network Associate (CCNA)
CompTIA Security+ Certified
CompTIA Network+ Certified
Network and System Engineer
Great Lakes Internet, Inc.
112 North Howard
Croswell, MI 48422
(810) 679-3395
(877) 558-8324

Now offering Broadband Wireless Internet access in Croswell, Lexington, Brown City, Yale, Worth Township, and Sandusky. Call for details.

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Jody Shumaker
Sent: Friday, May 19, 2006 3:27 PM
To: Andreas Unterkircher
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] iptables CLASSIFY and MARK not working?

On 5/19/06, Andreas Unterkircher wrote:
> Have you checked that the ip_conntrack module is loaded or compiled into
> the kernel?
> If not the mark is lost...
>
> Cheers,
> Andreas
>

I doubt that's the issue. I do however recall there being issues with using iptables classify to targets that were more than 1 level deep in the tc qdisc hierarchy. In such situations it works much better if you instead use a tc filter on the mark instead of an iptables classify. Is there any particular reason you're using classify on a mark instead of a tc filter on the mark?

- Jody

From support8 at greatlakes.net Tue May 23 01:28:48 2006
From: support8 at greatlakes.net (Eliot, Wireless and Server Administrator, Great Lakes Internet)
Date: Tue May 23 01:25:45 2006
Subject: [LARTC] Routing and Redundancy Dilemma
Message-ID: <0633E0EDB4F25F43A2D7179CA11FAFAB2553A9@xavier.staff.greatlakes.net>

My setup:

    LAN A
      |
      |-- Wireless-r1 --|
      |-- Wireless-r2 --|
                        |
                      LAN B

LAN A is my primary (external) LAN. LAN B is my wireless LAN. LAN A does iBGP and OSPF routing.

Each wireless router does the following:
- 2 Bridged Ethernet + STP connections to LAN A
- 2 Bridged Ethernet + STP connections to LAN B
- 2 VLANs on LAN A
- 5 VLANs on LAN B
- UCARP on each wireless VLAN (5).
- Quagga - zebra, bgpd, ospfd (on LAN A)

UCARP provides a virtual IP address for the gateway for each VLAN on the wireless side. The goal is to provide complete, hot-failover redundancy to wireless-r2 in the event wireless-r1 goes down (maintenance, failure, etc). Ideally, the system should not lose a single packet in the event of a failure. UCARP can accomplish this (already tested). If traffic is being routed from the Internet to the wireless side by going through wireless-r2, there is no issue with bringing down the interfaces on the wireless side of wireless-r1 -- traffic reroutes accordingly with no packet loss. If the traffic is being routed through wireless-r1 by default, we lose (at most) 2 packets, but sometimes none, when we bring down the ethernet connectivity on the wireless side of wireless-r1.

My real issue comes in with the fact that sometimes, OSPF chooses wireless-r2 as the default route from the Internet to the customer and UCARP uses wireless-r1 for the reverse direction. The iptables rules and bandwidth shaping rules rely on connection tracking and marking to limit bandwidth and do statistics and things. Since half of each flow is going through the other router, things do not get handled entirely correctly.

Also, in certain circumstances, it is possible to get the wireless bridged interfaces to stop passing traffic while not triggering a route down message through OSPF, which basically causes the traffic to come to a dead stop as OSPF thinks the route still exists, but UCARP does not. UCARP fails over in this instance, but not the routing.

So, my real question in all of this is how do I get UCARP and Quagga to talk to each other and update each other on their state. Essentially, I would like to get UCARP to turn off actual routing (but not route updates) through the machine if UCARP is in slave mode. Also, when UCARP goes to master mode, it should turn the routing back on. I think I can accomplish this much by modifying my vip-up and vip-down shell scripts to change the metric on the route so that the slave metric is higher than the master metric. Unfortunately, going the other way is much more difficult. How in the world do I get Quagga to put UCARP in slave mode if the OSPF routing goes down, and then put UCARP in master mode when OSPF comes back up? I've seen times when Quagga loses its OSPF neighbors and needs ospfd to be restarted. When something like this happens, UCARP should go into slave mode and the backup router should kick in. I'm not sure how to pull this off short of a cronjob, which seems like a hack, and probably won't react fast enough to prevent an outage.

Anyone have any suggestions on solving these issues?

PS. I'm also going to try the Quagga and UCARP lists, but I thought I would pose this question here, too, since it is for advanced routing and traffic control, which is precisely what I'm trying to do.

Thanks in advance.

Eliot Gable
Certified Wireless Network Administrator (CWNA)
Certified Wireless Security Professional (CWSP)
Cisco Certified Network Associate (CCNA)
CompTIA Security+ Certified
CompTIA Network+ Certified
Network and System Engineer
Great Lakes Internet, Inc.
112 North Howard
Croswell, MI 48422
(810) 679-3395
(877) 558-8324

Now offering Broadband Wireless Internet access in Croswell, Lexington, Brown City, Yale, Worth Township, and Sandusky. Call for details.

From jody.shumaker at gmail.com Tue May 23 06:32:35 2006
From: jody.shumaker at gmail.com (Jody Shumaker)
Date: Tue May 23 06:32:32 2006
Subject: [LARTC] iptables CLASSIFY and MARK not working?
In-Reply-To: <0633E0EDB4F25F43A2D7179CA11FAFAB2553A8@xavier.staff.greatlakes.net>
References: <0633E0EDB4F25F43A2D7179CA11FAFAB2553A8@xavier.staff.greatlakes.net>
Message-ID: <2af436490605222132p59729ac2md19b156daca778da@mail.gmail.com>

On 5/22/06, Eliot, Wireless and Server Administrator, Great Lakes Internet wrote:
> You were exactly right here. Moving to the filters instead of the
> iptables classify solved the issue. As for performance, I have not yet
> benchmarked it to determine if the filters are fast enough for the
> number of users I need this to support.
>
>

And it makes me wonder if it's a bug or a design choice that iptables classify doesn't handle this. If the performance isn't acceptable, you might want to look into that. Or look into tc filters and hashing which can improve performance depending on the filters.

- Jody

From ephemeric at gmail.com Tue May 23 09:11:57 2006
From: ephemeric at gmail.com (Robert Gabriel)
Date: Tue May 23 09:11:56 2006
Subject: [LARTC] QoS book
Message-ID:

Hello all,

Can anyone recommend a good book which thoroughly explains QoS from a Linux perspective? Something with TC examples & the like. I've looked at the following:

http://www.amazon.com/gp/product/1580533418/qid=1148368189/sr=1-2/ref=sr_1_2/102-2819973-6353768?s=books&v=glance&n=283155

Engineering Internet QoS.

Thanks.

From justin at expertron.co.za Tue May 23 09:37:29 2006
From: justin at expertron.co.za (Justin Schoeman)
Date: Tue May 23 09:38:15 2006
Subject: [LARTC] Netfilter/Iptables does not NAT all packets?
Message-ID: <4472BBB9.1080003@expertron.co.za>

Hi all,

I am having a small problem with netfilter on Linux kernel 2.6.11.4. It seems not all packets are hitting the pre-routing chain. In pre-routing, I have the following rules:

    $IPTABLES -t nat -A PREROUTING -i $IF_OUT -d 10.50.18.22 -j DNAT --to-destination 192.168.1.22
    $IPTABLES -t nat -A PREROUTING -i $IF_OUT -d ! 10.50.18.21 -m limit --limit 5/second -j LOG --log-prefix "non-nat input: "

As you can see all packets arriving for 10.50.18.22 should be natted to 192.168.1.22, and anything else should be logged. If I look at the rule stats, there are no matches on the log rule, so in theory, all packets are DNAT'ed? However, when looking at the logs for the filter:INPUT chain, I see packets destined for 10.50.18.22 are being logged and dropped. So somehow, these packets made it through the nat:PREROUTING chain WITHOUT being natted.

Any ideas?

It also seems like some response packets (only seen ack and fin-ack packets so far) are not being successfully connection tracked. Could this be part of the problem?

Any help/info appreciated.

Thanks,
Justin

From kenneth.kalmer at gmail.com Tue May 23 11:12:02 2006
From: kenneth.kalmer at gmail.com (Kenneth Kalmer)
Date: Tue May 23 11:11:56 2006
Subject: [LARTC] Shaping of pppoe clients
Message-ID:

Guys

After reading through the archives I found some insightful ways to be able to shape traffic to pppoe clients from the server. I have two questions on the topic of setting up a pppoe server however...

1. The clients will all be connected to each other using a normal ethernet network, the segments connected with managed switches. The capacity is roughly 500 nodes. Will these pppoe sessions interfere with each other or not?

2. I'd like to know if anyone has tried to shape pppoe client traffic by placing a transparent bridge between the servers and clients, and shaping on this bridge. I'm just testing the water here; after what I read in other threads it will be easier to just use a set of carefully crafted ip-up & ip-down scripts with pppd rather than the bridge. But nonetheless, opinions are always needed.

Thanks guys
--
Kenneth Kalmer
kenneth.kalmer@gmail.com

Folding@home stats
http://fah-web.stanford.edu/cgi-bin/main.py?qtype=userpage&username=kenneth%2Ekalmer

From georgi.alexandrov at gmail.com Tue May 23 12:32:34 2006
From: georgi.alexandrov at gmail.com (Georgi Alexandrov)
Date: Tue May 23 12:32:32 2006
Subject: [LARTC] Shaping of pppoe clients
In-Reply-To:
References:
Message-ID: <4472E4C2.4090209@gmail.com>

Kenneth Kalmer wrote:
> Guys
>
> After reading through the archives I found some insightful ways to be
> able to shape traffic to pppoe clients from the server. I have two
> questions on the topic of setting up a pppoe server however...
>
> 1. The clients will all be connected to each other using a normal
> ethernet network, the segments connected with managed switches. The
> capacity is roughly 500 nodes. Will these pppoe sessions interfere
> with each other or not?

What do you mean by 'interfere' here?

>
> 2. I'd like to know if anyone has tried to shape pppoe client traffic
> by placing a transparent bridge between the servers and clients, and
> shaping on this bridge. I'm just testing the water here, after what I
> read in other threads it will be easier to just use a set of carefully
> crafted ip-up & ip-down scripts with pppd rather than the bridge. But
> nonetheless, opinions are always needed.

I use the ip-up and ip-down scripts, and a radius exec attribute, so probably I can help with them.

I'm planning on segmenting such a network with linux bridges for better filtering and QoS control. But that's yet to come ;-)

> Thanks guys
>

--
regards,
Georgi Alexandrov

key server - http://pgp.mit.edu/ :: key id - 0x37B4B3EE
key fingerprint - E429 BF93 FA67 44E9 B7D4 F89E F990 01C1 37B4 B3EE

From kenneth.kalmer at gmail.com Tue May 23 14:12:32 2006
From: kenneth.kalmer at gmail.com (Kenneth Kalmer)
Date: Tue May 23 14:12:40 2006
Subject: [LARTC] Shaping of pppoe clients
In-Reply-To: <4472E4C2.4090209@gmail.com>
References: <4472E4C2.4090209@gmail.com>
Message-ID:

On 5/23/06, Georgi Alexandrov wrote:
> Kenneth Kalmer wrote:
> > Guys
> >
> >
> > 1. The clients will all be connected to each other using a normal
> > ethernet network, the segments connected with managed switches. The
> > capacity is roughly 500 nodes. Will these pppoe sessions interfere
> > with each other or not?
> What do you mean by 'interfere' here?

A colleague of mine thought that these sessions might interfere with one another. On second thought, I'm not even going to explain this...

> > 2. I'd like to know if anyone has tried to shape pppoe client traffic
> > by placing a transparent bridge between the servers and clients, and
> > shaping on this bridge. I'm just testing the water here, after what I
> > read in other threads it will be easier to just use a set of carefully
> > crafted ip-up & ip-down scripts with pppd rather than the bridge. But
> > nonetheless, opinions are always needed.
> I use the ip-up and ip-down scripts, and a radius exec attribute so probably
> I can help with them.

I assume that the exec attribute is in essence similar to what ip-up is, executing an arbitrary command under certain circumstances. Will look into it, thanks...

> I'm planning on segmenting such a network with linux bridges for better
> filtering and QoS control. But that's yet to come ;-)

The keyword here is "better", and that was my argument for using a bridge in the first place. It would appear to be easier to shape & filter away from the messy scripts of pppd & radius servers, but this raises the next issue. For the bridge, are the pppoe sessions identifiable using, say, source & destination IPs, as opposed to pppoe traffic... I know if I perform a tcpdump on the interface that I connect to my adsl modem I only see the traffic as pppoe... Logic tells me that the bridge would suffer the same consequences...

> > Thanks guys
> >
>
> --
> regards,
> Georgi Alexandrov
>
> key server - http://pgp.mit.edu/ :: key id - 0x37B4B3EE
> key fingerprint - E429 BF93 FA67 44E9 B7D4 F89E F990 01C1 37B4 B3EE

--
Kenneth Kalmer
kenneth.kalmer@gmail.com

Folding@home stats
http://fah-web.stanford.edu/cgi-bin/main.py?qtype=userpage&username=kenneth%2Ekalmer

From ephemeric at gmail.com Tue May 23 14:34:57 2006
From: ephemeric at gmail.com (Robert Gabriel)
Date: Tue May 23 14:35:24 2006
Subject: [LARTC] Re: QoS book
In-Reply-To:
References:
Message-ID:

Thanks, I have already checked it out & these sites:

http://kabru.eecs.umich.edu/qos_network/diffserv/DiffServ_prototype/qdisc
http://linux-ip.net/articles/Traffic-Control-HOWTO/
http://edseek.com/~jasonb/articles/traffic_shaping/
http://luxik.cdi.cz/~devik/qos/htb/
http://www.opalsoft.net/qos/

The documentation is so disparate, it's highly frustrating...

On 23/05/06, Robert Gabriel wrote:
> Hello all,
>
> Can anyone recommend a good book which thoroughly explains QoS from a
> Linux perspective? Something with TC examples & the like. I've looked
> at the following:
>
> http://www.amazon.com/gp/product/1580533418/qid=1148368189/sr=1-2/ref=sr_1_2/102-2819973-6353768?s=books&v=glance&n=283155
>
> Engineering Internet QoS.
>
> Thanks.
>

From jasonb at edseek.com Tue May 23 15:58:57 2006
From: jasonb at edseek.com (Jason Boxman)
Date: Tue May 23 15:59:01 2006
Subject: [LARTC] Re: QoS book
In-Reply-To:
References:
Message-ID: <34483.216.134.200.78.1148392737.squirrel@nebula.internal.foo>

Robert Gabriel wrote:
> Thanks, I have already checked it out & these sites:
>
> http://edseek.com/~jasonb/articles/traffic_shaping/
>
> The documentation is so disparate, it's highly frustrating...

That's disappointing. What can I add to help or clarify?

Thanks.

From gnychis at cmu.edu Tue May 23 18:17:27 2006
From: gnychis at cmu.edu (George Nychis)
Date: Tue May 23 18:17:22 2006
Subject: [LARTC] how to debug RTNETLINK invalid argument?
Message-ID: <44733597.4000208@cmu.edu>

Hey,

I am getting an invalid argument trying to insert a qdisc:

[root@emu-5 iproute2]# tc qdisc add dev eth0 root xcp capacity 50Mbit limit 500
RTNETLINK answers: Invalid argument

I'm not sure what's wrong here, because I can successfully insert this qdisc on other computers of mine.

How can I debug this?

Thanks!
George

From larry.brigman at gmail.com Tue May 23 18:23:38 2006
From: larry.brigman at gmail.com (Larry Brigman)
Date: Tue May 23 18:23:31 2006
Subject: [LARTC] how to debug RTNETLINK invalid argument?
In-Reply-To: <44733597.4000208@cmu.edu>
References: <44733597.4000208@cmu.edu>
Message-ID:

On 5/23/06, George Nychis wrote:
> Hey,
>
> I am getting an invalid argument trying to insert a qdisc:
>
> [root@emu-5 iproute2]# tc qdisc add dev eth0 root xcp capacity 50Mbit
> limit 500
> RTNETLINK answers: Invalid argument
>
> I'm not sure whats wrong here, because i can successfully insert this
> qdisc on other computers of mine.
>
> How can i debug this?
>

Check to see which kernel versions you have on the boxes that work and the one that does not. Also check to see if you have the latest version of iproute2 installed on the machine that does not work.

From gnychis at cmu.edu Tue May 23 19:12:54 2006
From: gnychis at cmu.edu (George Nychis)
Date: Tue May 23 19:12:48 2006
Subject: [LARTC] how to debug RTNETLINK invalid argument?
In-Reply-To:
References: <44733597.4000208@cmu.edu>
Message-ID: <44734296.4050807@cmu.edu>

Larry Brigman wrote:
> On 5/23/06, George Nychis wrote:
>> Hey,
>>
>> I am getting an invalid argument trying to insert a qdisc:
>>
>> [root@emu-5 iproute2]# tc qdisc add dev eth0 root xcp capacity 50Mbit
>> limit 500
>> RTNETLINK answers: Invalid argument
>>
>> I'm not sure whats wrong here, because i can successfully insert this
>> qdisc on other computers of mine.
>>
>> How can i debug this?
>>
> Check to see which kernel versions you have on the boxes that work and
> the one that
> does not. Also check to see if you have the latest version of
> iproute2 installed on the
> machine that does not work.
>

They are both running the exact same kernel and version of iproute2; however, they are in different environments. What could the environment have to do with it?

Thanks!
George

From larry.brigman at gmail.com Tue May 23 19:51:58 2006
From: larry.brigman at gmail.com (Larry Brigman)
Date: Tue May 23 19:51:54 2006
Subject: [LARTC] how to debug RTNETLINK invalid argument?
In-Reply-To: <44734296.4050807@cmu.edu>
References: <44733597.4000208@cmu.edu> <44734296.4050807@cmu.edu>
Message-ID:

On 5/23/06, George Nychis wrote:
>
> Larry Brigman wrote:
> > On 5/23/06, George Nychis wrote:
> >> Hey,
> >>
> >> I am getting an invalid argument trying to insert a qdisc:
> >>
> >> [root@emu-5 iproute2]# tc qdisc add dev eth0 root xcp capacity 50Mbit
> >> limit 500
> >> RTNETLINK answers: Invalid argument
> >>
> >> I'm not sure whats wrong here, because i can successfully insert this
> >> qdisc on other computers of mine.
> >>
> >> How can i debug this?
> >>
> > Check to see which kernel versions you have on the boxes that work and
> > the one that
> > does not. Also check to see if you have the latest version of
> > iproute2 installed on the
> > machine that does not work.
> >
>
> They are both running the exact same kernel and version of iproute2,
> however they are in different environments, what could the environment
> have to do with it?
>

Modules that are not loaded? modprobe.conf?
lsmod on both boxes looking for specific networking modules.

From gnychis at cmu.edu Wed May 24 01:29:23 2006
From: gnychis at cmu.edu (George Nychis)
Date: Wed May 24 01:29:09 2006
Subject: [LARTC] how to debug RTNETLINK invalid argument?
In-Reply-To:
References: <44733597.4000208@cmu.edu> <44734296.4050807@cmu.edu>
Message-ID: <44739AD3.7090904@cmu.edu>

Larry Brigman wrote:
> On 5/23/06, George Nychis wrote:
>>
>> Larry Brigman wrote:
>> > On 5/23/06, George Nychis wrote:
>> >> Hey,
>> >>
>> >> I am getting an invalid argument trying to insert a qdisc:
>> >>
>> >> [root@emu-5 iproute2]# tc qdisc add dev eth0 root xcp capacity 50Mbit
>> >> limit 500
>> >> RTNETLINK answers: Invalid argument
>> >>
>> >> I'm not sure whats wrong here, because i can successfully insert this
>> >> qdisc on other computers of mine.
>> >>
>> >> How can i debug this?
>> >>
>> > Check to see which kernel versions you have on the boxes that work and
>> > the one that
>> > does not. Also check to see if you have the latest version of
>> > iproute2 installed on the
>> > machine that does not work.
>> >
>>
>> They are both running the exact same kernel and version of iproute2,
>> however they are in different environments, what could the environment
>> have to do with it?
>>
> Modules that are not loaded? modprobe.conf?
> lsmod on both boxes looking for specific networking modules.
>

What modules would qdiscs be dependent on? The weird thing is, netem works on both machines... therefore I know qdiscs in general are working. Let's just say it's not working on my other machine; how do I go about debugging it on the one machine alone?

- George

From kc at ih.unsw.edu.au Wed May 24 02:02:38 2006
From: kc at ih.unsw.edu.au (Kelvin Chu)
Date: Wed May 24 01:41:26 2006
Subject: [LARTC] QoS book
In-Reply-To:
References:
Message-ID: <20060524000238.GA6336@ih.unsw.edu.au>

That one is quite good for a general overview of QoS.

Disclaimer: got taught by the prof that wrote it.

On Tue, May 23, 2006 at 09:11:57AM +0200, Robert Gabriel wrote:
> Hello all,
>
> Can anyone recommend a good book which thoroughly explains QoS from a
> Linux perspective? Something with TC examples & the like. I've looked
> at the following:
>
> http://www.amazon.com/gp/product/1580533418/qid=1148368189/sr=1-2/ref=sr_1_2/102-2819973-6353768?s=books&v=glance&n=283155
>
> Engineering Internet QoS.
>
> Thanks.
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From larry.brigman at gmail.com Wed May 24 02:21:23 2006
From: larry.brigman at gmail.com (Larry Brigman)
Date: Wed May 24 02:21:26 2006
Subject: [LARTC] how to debug RTNETLINK invalid argument?
In-Reply-To: <44739AD3.7090904@cmu.edu>
References: <44733597.4000208@cmu.edu> <44734296.4050807@cmu.edu> <44739AD3.7090904@cmu.edu>
Message-ID:

On 5/23/06, George Nychis wrote:
> Larry Brigman wrote:
> > On 5/23/06, George Nychis wrote:
> >> Larry Brigman wrote:
> >> > On 5/23/06, George Nychis wrote:
> >> >> Hey,
> >> >>
> >> >> I am getting an invalid argument trying to insert a qdisc:
> >> >>
> >> >> [root@emu-5 iproute2]# tc qdisc add dev eth0 root xcp capacity 50Mbit
> >> >> limit 500
> >> >> RTNETLINK answers: Invalid argument
> >> >>
> >> >> I'm not sure whats wrong here, because i can successfully insert this
> >> >> qdisc on other computers of mine.
> >> >>
> >> >> How can i debug this?
> >> >>
> >> > Check to see which kernel versions you have on the boxes that work and
> >> > the one that
> >> > does not. Also check to see if you have the latest version of
> >> > iproute2 installed on the
> >> > machine that does not work.
> >> >
> >>
> >> They are both running the exact same kernel and version of iproute2,
> >> however they are in different environments, what could the environment
> >> have to do with it?
> >>
> > Modules that are not loaded? modprobe.conf?
> > lsmod on both boxes looking for specific networking modules.
> >
>
> What modules would qdisc's be dependent on? The weird thing is, netem
> works on both machines... therefore I know qdisc's in general are
> working. Lets just say its not working on my other machine, how do i go
> about debugging it on the one machine alone?
>

Has the tc command been changed recently from your customized version back to the standard release (i.e. yum running via cron), or has your environment path changed to pick up the wrong tc command?

From gnychis at cmu.edu Wed May 24 03:04:24 2006
From: gnychis at cmu.edu (George Nychis)
Date: Wed May 24 03:04:09 2006
Subject: [LARTC] how to debug RTNETLINK invalid argument?
In-Reply-To:
References: <44733597.4000208@cmu.edu> <44734296.4050807@cmu.edu> <44739AD3.7090904@cmu.edu>
Message-ID: <4473B118.3070405@cmu.edu>

Larry Brigman wrote:
> On 5/23/06, George Nychis wrote:
>> Larry Brigman wrote:
>> > On 5/23/06, George Nychis wrote:
>> >> Larry Brigman wrote:
>> >> > On 5/23/06, George Nychis wrote:
>> >> >> Hey,
>> >> >>
>> >> >> I am getting an invalid argument trying to insert a qdisc:
>> >> >>
>> >> >> [root@emu-5 iproute2]# tc qdisc add dev eth0 root xcp capacity 50Mbit
>> >> >> limit 500
>> >> >> RTNETLINK answers: Invalid argument
>> >> >>
>> >> >> I'm not sure whats wrong here, because i can successfully insert this
>> >> >> qdisc on other computers of mine.
>> >> >>
>> >> >> How can i debug this?
>> >> >>
>> >> > Check to see which kernel versions you have on the boxes that work and
>> >> > the one that
>> >> > does not. Also check to see if you have the latest version of
>> >> > iproute2 installed on the
>> >> > machine that does not work.
>> >> >
>> >>
>> >> They are both running the exact same kernel and version of iproute2,
>> >> however they are in different environments, what could the environment
>> >> have to do with it?
>> >>
>> > Modules that are not loaded? modprobe.conf?
>> > lsmod on both boxes looking for specific networking modules.
>> >
>>
>> What modules would qdisc's be dependent on? The weird thing is, netem
>> works on both machines... therefore I know qdisc's in general are
>> working. Lets just say its not working on my other machine, how do i go
>> about debugging it on the one machine alone?
>>
>
> Has the tc command been changed recently from your customized version back
> to the standard release (ie yum running via cron) or your environment
> path changed to
> pick up the wrong tc command?
>

The tc I am using is the standard tc; I didn't change anything about tc, only trying to use a new custom qdisc with it... I'm not sure honestly, there's no way to figure out why I'm getting the invalid argument?

From shemminger at osdl.org Wed May 24 03:40:11 2006
From: shemminger at osdl.org (Stephen Hemminger)
Date: Wed May 24 03:40:18 2006
Subject: [LARTC] how to debug RTNETLINK invalid argument?
In-Reply-To: <4473B118.3070405@cmu.edu>
References: <44733597.4000208@cmu.edu> <44734296.4050807@cmu.edu> <44739AD3.7090904@cmu.edu> <4473B118.3070405@cmu.edu>
Message-ID: <4473B97B.4090100@osdl.org>

> the tc I am using is the standard tc, i didn't change anything about tc,
> only trying to use a new custom qdisc with it... i'm not sure honestly,
> theres no way to figure out why i'm getting the invalid argument?
>

A common problem is that some distros put tc in /sbin and others in /usr/sbin. You may have the old version in your path.

From luciano at lugmen.org.ar Wed May 24 04:12:09 2006
From: luciano at lugmen.org.ar (Luciano Ruete)
Date: Wed May 24 04:11:58 2006
Subject: [LARTC] how to debug RTNETLINK invalid argument?
In-Reply-To: <44733597.4000208@cmu.edu>
References: <44733597.4000208@cmu.edu>
Message-ID: <200605232312.09465.luciano@lugmen.org.ar>

On Tuesday 23 May 2006 13:17, George Nychis wrote:
> Hey,
>
> I am getting an invalid argument trying to insert a qdisc:
>
> [root@emu-5 iproute2]# tc qdisc add dev eth0 root xcp capacity 50Mbit
> limit 500
> RTNETLINK answers: Invalid argument
>
> I'm not sure whats wrong here, because i can successfully insert this
> qdisc on other computers of mine.
>
> How can i debug this?

Maybe strace (system calls and signals trace) can give you some clues.

strace tc qdisc add dev eth0 root xcp capacity 50Mbit limit 500

--
Luciano

From georgi.alexandrov at gmail.com Wed May 24 08:51:14 2006
From: georgi.alexandrov at gmail.com (Georgi Alexandrov)
Date: Wed May 24 08:51:09 2006
Subject: [LARTC] Shaping of pppoe clients
In-Reply-To:
References: <4472E4C2.4090209@gmail.com>
Message-ID: <44740262.4000108@gmail.com>

Kenneth Kalmer wrote:
> The keyword here is "better", and that was my argument for using a
> bridge in the first place. It would appear to be easier to shape &
> filter away from the messy scripts of pppd & radius servers, but this
> raises the next issue. For the bridge, is the pppoe sessions
> identifiable using say source & destination ips, as opposed to pppoe
> traffic... I know if I perform a tcpdump on the interface that I
> connect to my adsl modem I only see the traffic as pppoe... Logic
> tells me that the bridge would suffer the same consequences...

Yes, that was my concern too. Maybe someone else on the list who has already gone through this may share the experience. I will test it as soon as I get my hands on a spare machine ;-)

--
regards,
Georgi Alexandrov

key server - http://pgp.mit.edu/ :: key id - 0x37B4B3EE
key fingerprint - E429 BF93 FA67 44E9 B7D4 F89E F990 01C1 37B4 B3EE

From ephemeric at gmail.com Wed May 24 09:13:05 2006
From: ephemeric at gmail.com (Robert Gabriel)
Date: Wed May 24 09:12:59 2006
Subject: [LARTC] Re: QoS book
In-Reply-To: <34483.216.134.200.78.1148392737.squirrel@nebula.internal.foo>
References: <34483.216.134.200.78.1148392737.squirrel@nebula.internal.foo>
Message-ID:

Sorry Jason, I didn't mean your site in particular. What frustrates me is that there are no book(s) for this. I'm so tired of having five hundred printed pages lying around, incomplete man pages, undocumented command options etc. Hence my point being the convoluted nature of all of this. How is anyone supposed to make sense of all of this without breaking his brain, like Leonardo Balliache puts it so aptly in his documentation? It's bits & pieces lying around that scare away potential users.

On 23/05/06, Jason Boxman wrote:
> Robert Gabriel wrote:
> > Thanks, I have already checked it out & these sites:
> >
> > http://edseek.com/~jasonb/articles/traffic_shaping/
> >
> > The documentation is so disparate, it's highly frustrating...
>
> That's disappointing. What can I add to help or clarify?
>
> Thanks.
>

From oivindg at gmail.com Wed May 24 13:18:25 2006
From: oivindg at gmail.com (Oivind)
Date: Wed May 24 13:18:19 2006
Subject: [LARTC] leaky bucket on bursty multicast
In-Reply-To: <4436E1B2.8050907@dsl.pipex.com>
References: <44060C1F.4090006@dsl.pipex.com> <4436E1B2.8050907@dsl.pipex.com>
Message-ID:

Thanks for replying :)

I have been playing a bit with the following setup, but unfortunately I am confused about how to specify the queue length of my multicast class below, to absorb the small bursts seen. It would be great with an example, for example with a megabyte buffer.

# QDISC
tc qdisc replace dev eth3 root handle 1: htb default 30

# CLASSES
# root class
tc class replace dev eth3 parent 1: classid 1:1 htb rate 5mbit ceil 5mbit burst 50Kb cburst 100Kb
# multicast class
tc class replace dev eth3 parent 1:1 classid 1:15 htb rate 5mbit ceil 5mbit burst 50Kb cburst 100Kb
# other traffic
tc class replace dev eth3 parent 1:1 classid 1:30 htb rate 1mbit ceil 5mbit

#filters here (not shown)

Thanks,
Oivind

On 4/8/06, Andy Furniss wrote:
>
> Oivind wrote:
> > On 3/1/06, Andy Furniss wrote:
> >
> >>Oivind wrote:
> >>
> >>>Hi all,
> >>>I have an average 2mbit multicast stream that once in a while bursts
> >>>high (up to 20mbit/s) in short periods (about 200ms). Could anyone
> >>>please help me with directions using tc for configuring leaky bucket
> >>>shaping to this stream? I have a 5mbit/s ceiling.
> >>>
> >>>My system is running gentoo linux 2.6.14, and I have compiled in all
> >>>QoS modules.
> >>
> >>I suppose it depends what you want to do with the burst ie. propagate it
> >>,smooth it without loss or drop packets to maintain a rate.
> >
> >
> > I would like to smooth the bursts out at the ceiling bandwidth without
> > any packet drops (unless an unacceptable lengthy burst of course).
>
> Sorry for not replying earlier, I lost this one.
>
> What you want should be OK with htb/tbf/hfsc ratelimiting at 5meg - just
> choose a leaf queue/buffer length that can absorb the burst.
>
> Andy.
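An added worked example, not from Oivind's or Andy's posts: the "leaf queue/buffer length that can absorb the burst" that the reply above leaves to the reader, sized from the thread's own figures (20mbit bursts of about 200ms drained at the 5mbit ceiling) and expressed as a bfifo attached under the multicast class. The headroom percentage, the leaf handle 15: and the helper names are assumptions; it prints the tc line rather than running it.

```shell
#!/bin/sh
# Added example (not code from the thread): size the leaf queue under an
# HTB class so a short burst is absorbed instead of dropped.
# Figures taken from the thread: bursts of up to 20mbit for about 200ms,
# a 5mbit ceiling on eth3, multicast class 1:15.
# HTB's "burst"/"cburst" are token-bucket sizes (how much may be sent
# above rate before shaping bites), not queue lengths; the queue that
# absorbs a burst is the leaf qdisc attached below the class.

# backlog_bytes PEAK_MBIT DRAIN_MBIT DURATION_MS
# Bytes that pile up while PEAK_MBIT arrives and only DRAIN_MBIT leaves
# for DURATION_MS. 1 Mbit/s sustained for 1 ms is 125 bytes.
backlog_bytes() {
    echo $(( ($1 - $2) * $3 * 125 ))
}

# leaf_limit_bytes BACKLOG_BYTES HEADROOM_PERCENT
# Headroom (assumed figure) for timing jitter and packet-size rounding.
leaf_limit_bytes() {
    echo $(( $1 + $1 * $2 / 100 ))
}

# queue_delay_ms BYTES RATE_MBIT
# Worst-case queueing delay a full queue of BYTES adds at RATE_MBIT;
# this is the price of a bigger buffer (a megabyte at 5mbit is 1.6 s).
queue_delay_ms() {
    echo $(( $1 * 8 / ($2 * 1000) ))
}

# leaf_qdisc_cmd DEV CLASSID HANDLE LIMIT_BYTES
# The tc command attaching a byte-limited FIFO under the class.
# bfifo's "limit" is in bytes, matching what backlog_bytes computed.
leaf_qdisc_cmd() {
    echo "tc qdisc replace dev $1 parent $2 handle $3 bfifo limit $4"
}

# plan_leaf DEV CLASSID HANDLE PEAK_MBIT DRAIN_MBIT DURATION_MS HEADROOM_PCT
# Print the sizing and the command; pipe the last line to sh to apply it.
plan_leaf() {
    backlog=$(backlog_bytes "$4" "$5" "$6")
    limit=$(leaf_limit_bytes "$backlog" "$7")
    delay=$(queue_delay_ms "$limit" "$5")
    echo "# backlog of a ${6}ms burst at ${4}mbit over a ${5}mbit ceiling: ${backlog} bytes"
    echo "# leaf limit with ${7}% headroom: ${limit} bytes (up to ${delay}ms queueing delay)"
    leaf_qdisc_cmd "$1" "$2" "$3" "$limit"
}

plan_leaf eth3 1:15 15: 20 5 200 20
```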
From dennis at loop.com.tw Wed May 24 14:45:43 2006
From: dennis at loop.com.tw (Nai-Hsien)
Date: Wed May 24 14:45:48 2006
Subject: [LARTC] poor performance for building route cache
Message-ID: <0a4701c67f2f$f8b48b50$0102000a@loop.com.tw>

I did a test shown in the following diagram. (The DUT is running Linux with a NAPI ethernet driver.)

I add 1000 routes into the DUT, then use Smartbits port 1 to send packets (with destinations in all of the 1000 networks) to the DUT, then receive them back from port 2. The packets are sent at a rate that is much lower than half the throughput of the DUT.

The DUT will lose some packets if it has an empty route cache before the packets are sent. Once the DUT builds the route cache, it can properly forward all packets to the other port without any loss.

I guess that the issue is caused by the heavy load of building the route cache. I just doubt that the system can have such poor performance for building the route cache. Does anybody have any comment?

Thank you.

Smartbits port 1 ----------- DUT ------------ Smartbits port 2

From gnychis at cmu.edu Wed May 24 16:14:00 2006
From: gnychis at cmu.edu (George Nychis) Date: Wed May 24 16:13:47 2006 Subject: [LARTC] how to debug RTNETLINK invalid argument? In-Reply-To: <200605232312.09465.luciano@lugmen.org.ar> References: <44733597.4000208@cmu.edu> <200605232312.09465.luciano@lugmen.org.ar> Message-ID: <44746A28.5050906@cmu.edu> Luciano Ruete wrote: > El Tuesday 23 May 2006 13:17, George Nychis escribi?: >> Hey, >> >> I am getting an invalid argument trying to insert a qdisc: >> >> [root@emu-5 iproute2]# tc qdisc add dev eth0 root xcp capacity 50Mbit >> limit 500 >> RTNETLINK answers: Invalid argument >> >> I'm not sure whats wrong here, because i can successfully insert this >> qdisc on other computers of mine. >> >> How can i debug this? > > maybe strace (system calls and signals trace) can give you some clues. > > strace tc qdisc add dev eth0 root xcp capacity 50Mbit limit 500 > Heres what I get as the output: execve("/sbin/tc", ["tc", "qdisc", "add", "dev", "eth0", "root", "xcp", "capacity", "50Mbit", "limit", "500"], [/* 22 vars */]) = 0 uname({sys="Linux", node="emu-5", ...}) = 0 set_tid_address(0) = -1 ENOSYS (Function not implemented) brk(0) = 0x80705cc brk(0x8071000) = 0x8071000 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=63789, ...}) = 0 old_mmap(NULL, 63789, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40000000 close(3) = 0 open("/lib/libresolv.so.2", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\360\223"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=81316, ...}) = 0 old_mmap(0x4e2d7000, 80040, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x4e2d7000 mprotect(0x4e2e6000, 18600, PROT_NONE) = 0 old_mmap(0x4e2e7000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xf000) = 0x4e2e7000 old_mmap(0x4e2e9000, 6312, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4e2e9000 close(3) = 0 
open("/lib/i686/libm.so.6", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0\263G"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=215248, ...}) = 0 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40010000 old_mmap(0x44478000, 139424, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x44478000 old_mmap(0x44499000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x20000) = 0x44499000 close(3) = 0 open("/lib/libdl.so.2", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\260\333"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=16908, ...}) = 0 old_mmap(0x473fd000, 12388, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x473fd000 old_mmap(0x473ff000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x473ff000 close(3) = 0 open("/lib/i686/libc.so.6", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0p36D4\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=1499368, ...}) = 0 old_mmap(0x4434e000, 1211684, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x4434e000 mprotect(0x4446f000, 27940, PROT_NONE) = 0 old_mmap(0x44470000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x121000) = 0x44470000 old_mmap(0x44474000, 7460, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x44474000 close(3) = 0 mprotect(0x44470000, 8192, PROT_READ) = 0 mprotect(0x473ff000, 4096, PROT_READ) = 0 mprotect(0x44499000, 4096, PROT_READ) = 0 mprotect(0x4e2e7000, 4096, PROT_READ) = 0 mprotect(0xb8b000, 4096, PROT_READ) = 0 munmap(0x40000000, 63789) = 0 brk(0) = 0x8071000 brk(0x8092000) = 0x8092000 open("/proc/net/psched", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40000000 read(3, "000c8000 000f4240 000f4240 00000"..., 4096) = 36 close(3) = 0 munmap(0x40000000, 
4096) = 0 socket(PF_NETLINK, SOCK_RAW, 0) = 3 setsockopt(3, SOL_SOCKET, SO_SNDBUF, [32768], 4) = 0 setsockopt(3, SOL_SOCKET, SO_RCVBUF, [32768], 4) = 0 bind(3, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0 getsockname(3, {sa_family=AF_NETLINK, pid=5407, groups=00000000}, [12]) = 0 time(NULL) = 1148447549 open("/usr/lib/tc/q_xcp.so", O_RDONLY) = 4 read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\270\5\0"..., 512) = 512 fstat64(4, {st_mode=S_IFREG|0755, st_size=4192, ...}) = 0 old_mmap(NULL, 6908, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x40000000 old_mmap(0x40001000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0) = 0x40001000 close(4) = 0 sendto(3, "\24\0\0\0\22\0\1\3>\353sD\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20 recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\264\0\0\0\20\0\2\0>\353sD\37\25\0\0\0\0\4\3\1\0\0\0I\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 920 recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0>\353sD\37\25\0\0\0\0\0\0\1\0\0\0I\0\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 20 sendmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"8\0\0\0$\0\5\6?\353sD\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\377"..., 56}], msg_controllen=0, msg_flags=0}, 0) = 56 recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"$\0\0\0\2\0\0\0?\353sD\37\25\0\0\352\377\377\3778\0\0\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 36 dup(2) = 4 fcntl64(4, F_GETFL) = 0x8001 (flags O_WRONLY|O_LARGEFILE) close(4) = 0 write(2, "RTNETLINK answers: Invalid argum"..., 36RTNETLINK answers: Invalid argument ) = 36 close(3) = 0 exit_group(2) = ? From gnychis at cmu.edu Wed May 24 17:06:40 2006 
From: gnychis at cmu.edu (George Nychis) Date: Wed May 24 17:06:35 2006 Subject: [LARTC] how to debug RTNETLINK invalid argument? In-Reply-To: <44746A28.5050906@cmu.edu> References: <44733597.4000208@cmu.edu> <200605232312.09465.luciano@lugmen.org.ar> <44746A28.5050906@cmu.edu> Message-ID: <44747680.9010903@cmu.edu> George Nychis wrote: > > Luciano Ruete wrote: >> El Tuesday 23 May 2006 13:17, George Nychis escribi?: >>> Hey, >>> >>> I am getting an invalid argument trying to insert a qdisc: >>> >>> [root@emu-5 iproute2]# tc qdisc add dev eth0 root xcp capacity 50Mbit >>> limit 500 >>> RTNETLINK answers: Invalid argument >>> >>> I'm not sure whats wrong here, because i can successfully insert this >>> qdisc on other computers of mine. >>> >>> How can i debug this? >> maybe strace (system calls and signals trace) can give you some clues. >> >> strace tc qdisc add dev eth0 root xcp capacity 50Mbit limit 500 >> > > Heres what I get as the output: > > execve("/sbin/tc", ["tc", "qdisc", "add", "dev", "eth0", "root", "xcp", > "capacity", "50Mbit", "limit", "500"], [/* 22 vars */]) = 0 > uname({sys="Linux", node="emu-5", ...}) = 0 > set_tid_address(0) = -1 ENOSYS (Function not > implemented) > brk(0) = 0x80705cc > brk(0x8071000) = 0x8071000 > access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or > directory) > open("/etc/ld.so.cache", O_RDONLY) = 3 > fstat64(3, {st_mode=S_IFREG|0644, st_size=63789, ...}) = 0 > old_mmap(NULL, 63789, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40000000 > close(3) = 0 > open("/lib/libresolv.so.2", O_RDONLY) = 3 > read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\360\223"..., > 512) = 512 > fstat64(3, {st_mode=S_IFREG|0755, st_size=81316, ...}) = 0 > old_mmap(0x4e2d7000, 80040, PROT_READ|PROT_EXEC, > MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x4e2d7000 > mprotect(0x4e2e6000, 18600, PROT_NONE) = 0 > old_mmap(0x4e2e7000, 8192, PROT_READ|PROT_WRITE, > MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xf000) = 0x4e2e7000 > old_mmap(0x4e2e9000, 6312, 
PROT_READ|PROT_WRITE, > MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4e2e9000 > close(3) = 0 > open("/lib/i686/libm.so.6", O_RDONLY) = 3 > read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0\263G"..., > 512) = 512 > fstat64(3, {st_mode=S_IFREG|0755, st_size=215248, ...}) = 0 > old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, > -1, 0) = 0x40010000 > old_mmap(0x44478000, 139424, PROT_READ|PROT_EXEC, > MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x44478000 > old_mmap(0x44499000, 8192, PROT_READ|PROT_WRITE, > MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x20000) = 0x44499000 > close(3) = 0 > open("/lib/libdl.so.2", O_RDONLY) = 3 > read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\260\333"..., > 512) = 512 > fstat64(3, {st_mode=S_IFREG|0755, st_size=16908, ...}) = 0 > old_mmap(0x473fd000, 12388, PROT_READ|PROT_EXEC, > MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x473fd000 > old_mmap(0x473ff000, 8192, PROT_READ|PROT_WRITE, > MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x473ff000 > close(3) = 0 > open("/lib/i686/libc.so.6", O_RDONLY) = 3 > read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0p36D4\0"..., > 512) = 512 > fstat64(3, {st_mode=S_IFREG|0755, st_size=1499368, ...}) = 0 > old_mmap(0x4434e000, 1211684, PROT_READ|PROT_EXEC, > MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x4434e000 > mprotect(0x4446f000, 27940, PROT_NONE) = 0 > old_mmap(0x44470000, 16384, PROT_READ|PROT_WRITE, > MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x121000) = 0x44470000 > old_mmap(0x44474000, 7460, PROT_READ|PROT_WRITE, > MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x44474000 > close(3) = 0 > mprotect(0x44470000, 8192, PROT_READ) = 0 > mprotect(0x473ff000, 4096, PROT_READ) = 0 > mprotect(0x44499000, 4096, PROT_READ) = 0 > mprotect(0x4e2e7000, 4096, PROT_READ) = 0 > mprotect(0xb8b000, 4096, PROT_READ) = 0 > munmap(0x40000000, 63789) = 0 > brk(0) = 0x8071000 > brk(0x8092000) = 0x8092000 > open("/proc/net/psched", O_RDONLY) = 3 > fstat64(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 
0 > mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, > 0) = 0x40000000 > read(3, "000c8000 000f4240 000f4240 00000"..., 4096) = 36 > close(3) = 0 > munmap(0x40000000, 4096) = 0 > socket(PF_NETLINK, SOCK_RAW, 0) = 3 > setsockopt(3, SOL_SOCKET, SO_SNDBUF, [32768], 4) = 0 > setsockopt(3, SOL_SOCKET, SO_RCVBUF, [32768], 4) = 0 > bind(3, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0 > getsockname(3, {sa_family=AF_NETLINK, pid=5407, groups=00000000}, [12]) = 0 > time(NULL) = 1148447549 > open("/usr/lib/tc/q_xcp.so", O_RDONLY) = 4 > read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\270\5\0"..., > 512) = 512 > fstat64(4, {st_mode=S_IFREG|0755, st_size=4192, ...}) = 0 > old_mmap(NULL, 6908, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, > 0) = 0x40000000 > old_mmap(0x40001000, 4096, PROT_READ|PROT_WRITE, > MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0) = 0x40001000 > close(4) = 0 > sendto(3, "\24\0\0\0\22\0\1\3>\353sD\0\0\0\0\0\0\0\0", 20, 0, > {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20 > recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, > msg_iov(1)=[{"\264\0\0\0\20\0\2\0>\353sD\37\25\0\0\0\0\4\3\1\0\0\0I\0"..., > 16384}], msg_controllen=0, msg_flags=0}, 0) = 920 > recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, > msg_iov(1)=[{"\24\0\0\0\3\0\2\0>\353sD\37\25\0\0\0\0\0\0\1\0\0\0I\0\0"..., > 16384}], msg_controllen=0, msg_flags=0}, 0) = 20 > > sendmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, > msg_iov(1)=[{"8\0\0\0$\0\5\6?\353sD\0\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\377"..., > 56}], msg_controllen=0, msg_flags=0}, 0) = 56 > recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, > msg_iov(1)=[{"$\0\0\0\2\0\0\0?\353sD\37\25\0\0\352\377\377\3778\0\0\0"..., > 16384}], msg_controllen=0, msg_flags=0}, 0) = 36 > dup(2) = 4 > fcntl64(4, F_GETFL) = 0x8001 (flags > O_WRONLY|O_LARGEFILE) > close(4) = 0 > write(2, "RTNETLINK answers: Invalid argum"..., 
> 36RTNETLINK answers:
> Invalid argument
> ) = 36
> close(3) = 0
> exit_group(2) = ?
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

Here is an strace from the machine that it is working on:

execve("/usr/sbin/tc", ["tc", "qdisc", "add", "dev", "ath0", "root", "xcp", "capacity", "50Mbit", "limit", "500"], [/* 40 vars */]) = 0
uname({sys="Linux", node="thorium-ini", ...}) = 0
brk(0) = 0x80765ec
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=74093, ...}) = 0
mmap2(NULL, 74093, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40017000
close(3) = 0
open("/lib/libresolv.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000%\0\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=64568, ...}) = 0
mmap2(NULL, 76020, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x4002a000
mmap2(0x40039000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xe) = 0x40039000
mmap2(0x4003b000, 6388, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4003b000
close(3) = 0
open("/lib/libm.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0P4\0\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=153240, ...}) = 0
mmap2(NULL, 135328, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x4003d000
mmap2(0x4005d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x20) = 0x4005d000
close(3) = 0
open("/lib/libdl.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340\v\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=10440, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4005f000
mmap2(NULL, 12392, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x40060000
mmap2(0x40062000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0x40062000
close(3) = 0
open("/lib/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\36T\1\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1191488, ...}) = 0
mmap2(NULL, 1138036, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x40064000
mmap2(0x40174000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x10f) = 0x40174000
mmap2(0x40178000, 7540, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40178000
close(3) = 0
mprotect(0x40174000, 4096, PROT_READ) = 0
mprotect(0x40015000, 4096, PROT_READ) = 0
munmap(0x40017000, 74093) = 0
open("/dev/urandom", O_RDONLY) = 3
read(3, "gq\22\210", 4) = 4
close(3) = 0
brk(0) = 0x80765ec
brk(0x80975ec) = 0x80975ec
brk(0x8098000) = 0x8098000
open("/proc/net/psched", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000
read(3, "000c8000 000f4240 000f4240 00000"..., 1024) = 36
close(3) = 0
munmap(0x40017000, 4096) = 0
brk(0x8097000) = 0x8097000
socket(PF_NETLINK, SOCK_RAW, 0) = 3
setsockopt(3, SOL_SOCKET, SO_SNDBUF, [32768], 4) = 0
setsockopt(3, SOL_SOCKET, SO_RCVBUF, [32768], 4) = 0
bind(3, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
getsockname(3, {sa_family=AF_NETLINK, pid=14175, groups=00000000}, [12]) = 0
time(NULL) = 1148483135
open("/usr/lib/tc/q_xcp.so", O_RDONLY) = 4
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320\5\0"..., 512) = 512
fstat64(4, {st_mode=S_IFREG|0755, st_size=4468, ...}) = 0
mmap2(NULL, 7136, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x40017000
mmap2(0x40018000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0) = 0x40018000
close(4) = 0
sendto(3, "\24\0\0\0\22\0\1\3@vtD\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\264\0\0\0\20\0\2\0@vtD_7\0\0\0^\4\3\1\0\0\0I\0\0\0\0\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) =
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0@vtD_7\0\0\0\0\0\0\1\0\0\0I\0\0\0\0\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) =
sendmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"8\0\0\0$\0\5\6AvtD\0\0\0\0\0\0\0\0\7\0\0\0\0\0\0\0\377"..., 56}], msg_controllen=0, msg_flags=0}, 0) = 56
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"$\0\0\0\2\0\0\0AvtD_7\0\0\0\0\0\0008\0\0\0$\0\5\6AvtD"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3
close(3) = 0
exit_group(0) = ?
Process 14175 detached

From gnychis at cmu.edu Wed May 24 17:24:53 2006
From: gnychis at cmu.edu (George Nychis)
Date: Wed May 24 17:24:38 2006
Subject: [LARTC] how to debug RTNETLINK invalid argument?
In-Reply-To: <44747680.9010903@cmu.edu>
References: <44733597.4000208@cmu.edu> <200605232312.09465.luciano@lugmen.org.ar> <44746A28.5050906@cmu.edu> <44747680.9010903@cmu.edu>
Message-ID: <44747AC5.60108@cmu.edu>

Well it turns out that the problem may very well be the environment, it seems as though I'm getting a hint in dmesg:

[root@emu-5 net]# dmesg
request_module[sch_xcp]: fork failed, errno 1

That occurs after trying to add the qdisc through tc, so it seems to be failing because a fork is failing in the module, which I am guessing is an environment problem. Any suggestions? I'll keep trying!

- George

From vikram.malvi at hurix.com Thu May 25 07:09:31 2006
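The two traces above show the two halves a qdisc needs: the working machine's strace opens /usr/lib/tc/q_xcp.so (tc's user-space plugin for the qdisc name), and the failing machine's dmesg shows the kernel trying to autoload sch_xcp via request_module. The following pre-flight check is an added example, not code from the thread or from iproute2; it looks for both halves before tc is run. The plugin directory default is taken from the strace; the module directory layout is an assumption, and qdiscs compiled into tc itself (cbq, htb, sfq and friends) have no q_*.so, so the plugin check is only meaningful for out-of-tree qdiscs such as xcp or wfq.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight check for an out-of-tree qdisc
# name before running "tc qdisc add ... <name>". tc dlopen()s q_<name>.so from
# its plugin directory (the strace shows /usr/lib/tc/q_xcp.so); the kernel half
# is module sch_<name>, pulled in by request_module (the dmesg line).
# Paths are assumptions: TC_LIB_DIR differs between distributions.

: "${TC_LIB_DIR:=/usr/lib/tc}"
: "${KMOD_DIR:=/lib/modules/$(uname -r)}"

# 0 if tc can find a plugin for qdisc NAME
qdisc_plugin_present() {
    [ -r "$TC_LIB_DIR/q_$1.so" ]
}

# 0 if sch_NAME is already loaded, or installed where modprobe would find it
sched_module_present() {
    grep -qs "^sch_$1 " /proc/modules && return 0
    find "$KMOD_DIR" -name "sch_$1.ko*" 2>/dev/null | grep -q .
}

# qdisc_preflight NAME: one diagnostic line per missing half; returns
#   0 both present, 1 plugin missing, 2 kernel module missing, 3 both missing
qdisc_preflight() {
    name=$1
    rc=0
    if ! qdisc_plugin_present "$name"; then
        echo "no $TC_LIB_DIR/q_$name.so: tc will answer 'Unknown qdisc \"$name\"'"
        rc=$((rc + 1))
    fi
    if ! sched_module_present "$name"; then
        echo "no sch_$name module: expect request_module[sch_$name] failures in dmesg"
        rc=$((rc + 2))
    fi
    if [ "$rc" -eq 0 ]; then
        echo "$name: tc plugin and sch_$name both present"
    fi
    return "$rc"
}

# usage when run directly:  ./qdisc-preflight.sh wfq
if [ -n "${1:-}" ]; then
    qdisc_preflight "$1"
fi
```

The return code separates the two failure modes seen in this thread: a missing plugin is what produces "Unknown qdisc" from tc, while a present plugin with a missing or unloadable kernel module gets as far as netlink and fails there.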
From: vikram.malvi at hurix.com (Vikram Malvi)
Date: Thu May 25 07:11:37 2006
Subject: [LARTC] How to limit bandwidth in iptables -- HELP
Message-ID: <44753C0B.6030009@hurix.com>

Hi,

Can anybody help me out, how to manage or limit bandwidth through iptables while having an internet connection on eth0 and working as a gateway in the LAN.

Thanks in advance.

Vikram

From martin at linux-ip.net Thu May 25 07:21:29 2006
From: martin at linux-ip.net (Martin A. Brown)
Date: Thu May 25 07:21:47 2006
Subject: [LARTC] How to limit bandwidth in iptables -- HELP
In-Reply-To: <44753C0B.6030009@hurix.com>
References: <44753C0B.6030009@hurix.com>
Message-ID:

Greetings Vikram,

 : Can anybody help me out, how to manage or limit bandwidth through
 : iptables while having internet connection on eth0 and working as
 : a gateway in LAN.

Just recently, somebody identified several of the most common resources used to understand the traffic control mechanisms available in the Linux kernel. These mechanisms are quite complex and he was lamenting the distributed nature of these documents.

Much is available, however online. Try the following:

  [0] Jason Boxman's article on Linux QoS
  [1] my own article on the entire system and select parts
  [2] Leonardo Balliache's view into the underbelly of the beast
  [3] the venerable Linux Advanced Routing and Traffic Control HOWTO

To provide you a bit of context before you get started, iptables can only help you with traffic control. The traffic control system can function in concert with iptables, but is a completely separate system.

Best of luck,

-Martin

 [0] http://edseek.com/~jasonb/articles/traffic_shaping/
 [1] http://linux-ip.net/articles/Traffic-Control-HOWTO/
 [2] http://www.opalsoft.net/qos/
 [3] http://lartc.org/

-- 
Martin A. Brown
http://linux-ip.net/

From vikram.malvi at hurix.com Thu May 25 07:28:35 2006
From: vikram.malvi at hurix.com (Vikram Malvi)
Date: Thu May 25 07:28:40 2006
Subject: [LARTC] How to limit bandwidth in iptables -- HELP
In-Reply-To:
References: <44753C0B.6030009@hurix.com>
Message-ID: <44754083.20200@hurix.com>

Thanx a lot Martin :)

Martin A. Brown wrote:
> Greetings Vikram,
>
>  : Can anybody help me out, how to manage or limit bandwidth through
>  : iptables while having internet connection on eth0 and working as
>  : a gateway in LAN.
>
> Just recently, somebody identified several of the most common
> resources used to understand the traffic control mechanisms
> available in the Linux kernel. These mechanisms are quite complex
> and he was lamenting the distributed nature of these documents.
>
> Much is available, however online. Try the following:
>
>   [0] Jason Boxman's article on Linux QoS
>   [1] my own article on the entire system and select parts
>   [2] Leonardo Balliache's view into the underbelly of the beast
>   [3] the venerable Linux Advanced Routing and Traffic Control HOWTO
>
> To provide you a bit of context before you get started, iptables can
> only help you with traffic control. The traffic control system can
> function in concert with iptables, but is a completely separate
> system.
>
> Best of luck,
>
> -Martin
>
>  [0] http://edseek.com/~jasonb/articles/traffic_shaping/
>  [1] http://linux-ip.net/articles/Traffic-Control-HOWTO/
>  [2] http://www.opalsoft.net/qos/
>  [3] http://lartc.org/
>

From paul.fleischer at gmail.com Thu May 25 09:58:09 2006
From: paul.fleischer at gmail.com (Paul Fleischer)
Date: Thu May 25 09:58:08 2006
Subject: [LARTC] TC and IPv6 filters
Message-ID:

Hi,

The LARTC states that it is not possible to create filters with TC for IPv6 packets. Is this situation still unchanged?

I'm in need of it for an implementation of a modified version of the TIA-1039, http://www.packet.cc/TIA1039ID.htm.

I'm not sure if this is the correct mailing list. If not I apologize and hope that someone can point me in the right direction :-)

Cheers,
Paul Fleischer

From ephemeric at gmail.com Thu May 25 16:51:34 2006
From: ephemeric at gmail.com (Robert Gabriel)
Date: Thu May 25 16:51:29 2006
Subject: [LARTC] How to limit bandwidth in iptables -- HELP
In-Reply-To:
References: <44753C0B.6030009@hurix.com>
Message-ID:

That must have been me lamenting. Sure, there is plenty online, but sometimes difficult to collate & appreciate I guess. Anyway, try these too:

http://www.docum.org

This site has an EXCELLENT FAQ section, it answered many questions I had, like burst, cburst, quantum etc. It also has tests with graphs that show what happens when one adjusts these values. There are excellent links too. Well done to Stef Coene!

http://kabru.eecs.umich.edu/qos_network/diffserv/DiffServ_prototype/qdisc

Now this is some of the best work I've come across! Using DS marking & an excellent filter explanation. Definitely higher grade.

Maybe we could start a repository with the best information around? Suggestions anyone? Or just a page somewhere with the most up to date links etc.?

If anyone from O'Reilly is reading this, PLEASE start a book!

On 25/05/06, Martin A. Brown wrote:
>
> Greetings Vikram,
>
>  : Can anybody help me out, how to manage or limit bandwidth through
>  : iptables while having internet connection on eth0 and working as
>  : a gateway in LAN.
>
> Just recently, somebody identified several of the most common
> resources used to understand the traffic control mechanisms
> available in the Linux kernel. These mechanisms are quite complex
> and he was lamenting the distributed nature of these documents.
>
> Much is available, however online. Try the following:
>
>   [0] Jason Boxman's article on Linux QoS
>   [1] my own article on the entire system and select parts
>   [2] Leonardo Balliache's view into the underbelly of the beast
>   [3] the venerable Linux Advanced Routing and Traffic Control HOWTO
>
> To provide you a bit of context before you get started, iptables can
> only help you with traffic control. The traffic control system can
> function in concert with iptables, but is a completely separate
> system.
>
> Best of luck,
>
> -Martin
>
>  [0] http://edseek.com/~jasonb/articles/traffic_shaping/
>  [1] http://linux-ip.net/articles/Traffic-Control-HOWTO/
>  [2] http://www.opalsoft.net/qos/
>  [3] http://lartc.org/
>
> --
> Martin A. Brown
> http://linux-ip.net/
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

From rabs at dimension-virtual.com Fri May 26 09:29:09 2006
From: rabs at dimension-virtual.com (Raúl Alexis Betancor Santana)
Date: Fri May 26 09:29:12 2006
Subject: [LARTC] 2 DSL providers, 1 GW IP and Vlans
Message-ID: <200605260829.10177.rabs@dimension-virtual.com>

Hi all,

I'm trying to put a linux GW running with this setup:

Internet -> DSL Modem -> VLAN2 \ eth2.2
                                        Linux > Lan
Internet -> DSL Modem -> VLAN3 / eth2.3

The real problem is that each of the DSL modems gives me by dhcp the same GW IP, so only one of the routes could run at the same time, because I have 2 routes, 2 Public IP's (in the same network, it's a /24 net) and 1 GW IP with 2 different MAC's (each of the DSL modems gives out its own LAN MAC along with the GW IP as part of the DHCP reply).

Is it possible to run a multiroute/failover config in this situation?

-- 
Regards.
Raúl Alexis Betancor Santana
Managing Director
Dimensión Virtual S.L.

From mainardistefano at gmail.com Sat May 27 23:28:12 2006
From: mainardistefano at gmail.com (Stefano Mainardi)
Date: Sat May 27 23:28:07 2006
Subject: [LARTC] HTB shaping & borrowing info
Message-ID:

Hello to everybody,

We want to integrate in a router/firewall (Debian based, 2.6 kernel) an HTB shaper.

The goal is to divide the traffic for classes of workstations, for example in three classes, let's say A, B and C.

Example:
A 70 Mb/s
B 20 Mb/s
C 10 Mb/s

If B don't make traffic, 7/8 of 20Mb/s must be assigned to A and all the rest at B

We have used CBQ and HTB, with poor success.

Anybody can help me please?

Many thanks

-- 
Stefano Mainardi

From Andreas.Klauer at metamorpher.de Sat May 27 23:50:19 2006
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Sat May 27 23:50:12 2006
Subject: [LARTC] HTB shaping & borrowing info
In-Reply-To:
References:
Message-ID: <20060527215019.GA12536@EIS>

On Sat, May 27, 2006 at 11:28:12PM +0200, Stefano Mainardi wrote:
> The goal is to divide the traffic for classes of workstations, at example in
> three classes, let say A, B and C.

Sounds simple enough...

> If B don't make traffic, 7/8 of 20Mb/s must be assigned to A and all the
> rest at B

Why would you assign traffic at B if it doesn't make traffic?

> We have used CBQ and HTB, with poor succes.
> Anybody can help me please?

Post your HTB script and I (and probably others) will have a look at it.

Regards
Andreas Klauer

From mainardistefano at gmail.com Sun May 28 00:11:10 2006
From: mainardistefano at gmail.com (Stefano Mainardi)
Date: Sun May 28 00:11:09 2006
Subject: Fwd: [LARTC] HTB shaping & borrowing info
In-Reply-To:
References: <20060527215019.GA12536@EIS>
Message-ID:

2006/5/27, Andreas Klauer :
> > If B don't make traffic, 7/8 of 20Mb/s must be assigned to A and all the
> > rest at B
>
> Why would you assign traffic at B if it doesn't make traffic?

Sorry, "all the rest at A" :)

> Post your HTB script and I (and probably others) will have a look at it.

This is the script:

#!/bin/bash
# MAC addresses of the three hosts to shape (the posted script defined
# NEWDEV and VPN3 but used $PAOLO and $VPN4 below; the variable names are
# aligned here on the assumption that they refer to the same hosts)
STEFANO="00:0F:B0:5F:A6:AD"
PAOLO="00:13:D4:20:3B:46"
VPN4="00:13:A1:60:3B:AA"

MARK_STEFANO=1
MARK_PAOLO=2
MARK_VPN4=3

# clear any previous root qdisc (ignore the error when there is none)
tc qdisc del dev eth1 root 2>/dev/null

# mark packets by source MAC as they enter on eth0
# (the posted script had "-t mange" and single-dash long options, which
# iptables rejects)
iptables -t mangle -F
iptables -t mangle -A PREROUTING -i eth0 -m mac --mac-source $STEFANO -j MARK --set-mark $MARK_STEFANO
iptables -t mangle -A PREROUTING -i eth0 -m mac --mac-source $PAOLO   -j MARK --set-mark $MARK_PAOLO
iptables -t mangle -A PREROUTING -i eth0 -m mac --mac-source $VPN4    -j MARK --set-mark $MARK_VPN4

# HTB tree on the outgoing interface: root 100Mbit, leaves 70/20/10 Mbit
tc qdisc add dev eth1 root handle 11: htb
tc class add dev eth1 parent 11:0 classid 11:1 htb rate 100Mbit ceil 100Mbit burst 6k cburst 64k quantum 1600
tc class add dev eth1 parent 11:1 classid 11:2 htb rate 70Mbit ceil 70Mbit burst 6k cburst 64k quantum 1600
tc class add dev eth1 parent 11:1 classid 11:3 htb rate 20Mbit ceil 20Mbit burst 6k cburst 64k quantum 1600
tc class add dev eth1 parent 11:1 classid 11:4 htb rate 10Mbit ceil 10Mbit burst 6k cburst 64k quantum 1600

# one sfq per leaf; each qdisc needs its own handle (the posted script used
# "handle 20:" three times, so the second and third add fail)
tc qdisc add dev eth1 parent 11:2 handle 20: sfq perturb 10
tc qdisc add dev eth1 parent 11:3 handle 30: sfq perturb 10
tc qdisc add dev eth1 parent 11:4 handle 40: sfq perturb 10

# classify by fw mark; as posted, VPN4 shares class 11:2 with STEFANO,
# so class 11:4 never receives traffic
tc filter add dev eth1 protocol ip handle $MARK_STEFANO fw flowid 11:2
tc filter add dev eth1 protocol ip handle $MARK_PAOLO fw flowid 11:3
tc filter add dev eth1 protocol ip handle $MARK_VPN4 fw flowid 11:2

We have tested this script with CEIL=RATE, and CEIL=100Mbit, but I view that the data-rate calculated for each PC is not proportional to the traffic assigned at the Firewall.

Many thanks.

-- 
Stefano Mainardi
President, Associazione ILDN - Italian Linux Distro Network
Mobile: 349/3917212
Skype: mainardistefano
IM (ICQ): 250-292-408
Blog: http://www.mainardistefano.org

From Andreas.Klauer at metamorpher.de Sun May 28 01:24:02 2006
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Sun May 28 01:23:57 2006
Subject: Fwd: [LARTC] HTB shaping & borrowing info
In-Reply-To:
References: <20060527215019.GA12536@EIS>
Message-ID: <20060527232402.GA13037@EIS>

On Sun, May 28, 2006 at 12:11:10AM +0200, Stefano Mainardi wrote:
> >> If B don't make traffic, 7/8 of 20Mb/s must be assigned to A and all the
> >> rest at B
>
> Sorry, "all the rest at A" :)

So, in other words, A is allowed to take bandwidth from B.
B and C stick to their bandwidth limits.

A tree like this could probably accomplish this:

HTB qdisc
 |
 \--- HTB root class (100mbit)
       |
       \--- HTB class (90mbit|90mbit)
       |     |
       |     \--- HTB class A (70mbit|90mbit)
       |     \--- HTB class B (20mbit|20mbit)
       |
       \--- HTB class C (10mbit|10mbit)

This way, C and B never borrow any bandwidth (as they have rate==ceil), and if A borrows, it will be from B, as the parent class (which has rate==ceil as well) will never borrow from C.

> We have tested this script with CEIL=RATE, and CEIL=100Mbit, but i view that
> the data-rate calculated for each PC is not proportional to the traffic
> assigned at Firewall.

HTB expects to be able to use the full specified rate at any point of time, so you probably should use something lower than 100mbit as a base value. Even in 100mbit networks, you never actually get this rate, due to overhead, collisions, etc.

Other than that, are there really just these three classes of traffic going out on eth1? The setup should work, as long as the classification is working properly.

Regards
Andreas Klauer

From mainardistefano at gmail.com Sun May 28 02:04:57 2006
From: mainardistefano at gmail.com (Stefano Mainardi)
Date: Sun May 28 02:04:50 2006
Subject: Fwd: [LARTC] HTB shaping & borrowing info
In-Reply-To: <20060527232402.GA13037@EIS>
References: <20060527215019.GA12536@EIS> <20060527232402.GA13037@EIS>
Message-ID:

2006/5/28, Andreas Klauer :
>
> So, in other words, A is allowed to take bandwidth from B.
> B and C stick to their bandwidth limits.

There is a misunderstanding, sorry.

I need to know if it is possible to manage in a dynamic way the assignment of traffic to workstations and of the traffic that they could use.

Like I said above, in the case that B is not producing traffic, 7/8 of the 20 MB/s need to be assigned to A and the remaining 1/8 will remain to B.

As final result A, B, C could exchange dynamically their "bandwidth".

Is it possible to change dynamically their band assignment?

-- 
Stefano Mainardi
President, Associazione ILDN - Italian Linux Distro Network
Mobile: 349/3917212
Skype: mainardistefano
IM (ICQ): 250-292-408
Blog: http://www.mainardistefano.org

From Andreas.Klauer at metamorpher.de Sun May 28 02:25:36 2006
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Sun May 28 02:25:30 2006
Subject: Fwd: [LARTC] HTB shaping & borrowing info
In-Reply-To:
References: <20060527215019.GA12536@EIS> <20060527232402.GA13037@EIS>
Message-ID: <20060528002536.GA13418@EIS>

On Sun, May 28, 2006 at 02:04:57AM +0200, Stefano Mainardi wrote:
> Like I said above, in the case that B is not producing traffic, 7/8 of the
> 20 MB/s need to be assigned to A and the remaining 1/8 will remain to B.

Well, reducing the ceil of A by 1/8 of B's bandwidth in the tree I posted earlier would do that.

> Is possible, to change dynamically their band assignment?

The bandwidth in HTB is dynamic, as classes are allowed to borrow bandwidth from other classes depending on their rate-ceil settings.

In the tree I posted, the bandwidth behaviour is as follows: 10mbit will be reserved for C at all times, B can use up to 20mbit, A has 70mbit reserved, but can also use 20mbit of B if B is idle.

If the borrowing/lending bandwidth between HTB classes is not dynamic enough for you, the only other option you have is to somehow externally delete/create new HTB classes on the fly, which is not a good solution in most situations.

Regards
Andreas Klauer

From rajendra at subisu.net.np Sun May 28 17:57:03 2006
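The tree Andreas sketched two messages up, and the "reduce A's ceil by 1/8 of B" variant he gives here, written out as tc commands. This is an added example, not code from the thread or from anyone in it; the rates are the ones Andreas gives (100/90/70/20/10 mbit), while the class ids, the fw marks used by the filters (1/2/3, as in Stefano's script) and the sfq leaves are my assumptions. With DRY_RUN=1 it prints the commands instead of executing them, which is how it can be inspected without root or a real interface.

```shell
#!/bin/sh
# Added example, not from the thread: Andreas' HTB tree as tc commands.
# Rates are his; class ids, fw marks and sfq leaves are assumptions.
# DRY_RUN=1 prints the commands instead of running them.

: "${DRY_RUN:=0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# a_ceil_kbit A_RATE B_RATE NUM DEN -> ceil (kbit) that lets A borrow NUM/DEN
# of B's rate: 70000 20000 7 8 -> 87500, the "7/8 of B" case in the thread
a_ceil_kbit() {
    echo $(( $1 + $2 * $3 / $4 ))
}

# htb_tree DEV [A_CEIL]
#   1:1   root class     rate 100mbit
#   1:10  inner class    rate 90mbit  ceil 90mbit  (A and B share it; it never
#                                                   borrows C's 10mbit)
#   1:11  class A        rate 70mbit  ceil A_CEIL  (default 90mbit: may take all
#                                                   of B's idle bandwidth)
#   1:12  class B        rate 20mbit  ceil 20mbit  (rate == ceil: never borrows)
#   1:13  class C        rate 10mbit  ceil 10mbit  (reserved at all times)
htb_tree() {
    dev=$1
    a_ceil=${2:-90mbit}
    run tc qdisc del dev "$dev" root 2>/dev/null || true   # a clean device has no root qdisc
    run tc qdisc add dev "$dev" root handle 1: htb default 11   # unmarked traffic lands in A
    run tc class add dev "$dev" parent 1:   classid 1:1  htb rate 100mbit
    run tc class add dev "$dev" parent 1:1  classid 1:10 htb rate 90mbit ceil 90mbit
    run tc class add dev "$dev" parent 1:10 classid 1:11 htb rate 70mbit ceil "$a_ceil"
    run tc class add dev "$dev" parent 1:10 classid 1:12 htb rate 20mbit ceil 20mbit
    run tc class add dev "$dev" parent 1:1  classid 1:13 htb rate 10mbit ceil 10mbit
    for leaf in 11 12 13; do                      # per-flow fairness inside each leaf
        run tc qdisc add dev "$dev" parent 1:$leaf handle ${leaf}: sfq perturb 10
    done
    # classify by the fw mark iptables set (marks 1/2/3 assumed, as in the posted script)
    mark=1
    for leaf in 11 12 13; do
        run tc filter add dev "$dev" parent 1: protocol ip handle $mark fw flowid 1:$leaf
        mark=$((mark + 1))
    done
}

# usage when run directly:  DRY_RUN=1 ./htb-tree.sh eth1 87500kbit
if [ -n "${1:-}" ]; then
    htb_tree "$1" "${2:-}"
fi
```

Borrowing only ever happens upward through the tree, so the inner 90mbit class with rate == ceil is what fences A's borrowing to B's share and keeps C's 10mbit untouched; passing `$(a_ceil_kbit 70000 20000 7 8)kbit` as the second argument gives A a ceil of 87500kbit, i.e. its own 70mbit plus 7/8 of B.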
From: rajendra at subisu.net.np (rajendra@subisu.net.np)
Date: Sun May 28 17:57:08 2006
Subject: [LARTC] TCNG HTB Branching the class not working. (bug or what)
Message-ID: <3572.202.51.76.70.1148831823.squirrel@mail.subisu.net.np>

Hi,

I am new to traffic control in linux. However, I have been able to grab much new knowledge in recent days. I find tcng somewhat easy to use (although it lacks proper doc. of its usage).

I want to control traffic of several IP Addresses connected to my LANSIDE. What I want is, I want to separate certain bandwidth to all my clients.

dev "eth0" {
    htb() {
        class ( rate 400kbps, ceil 400kbps) if ip_dst == 192.168.0.9;
        class ( rate 400kbps, ceil 400kbps) if ip_dst == 192.168.0.10;
        ..... and so on for every IP.
    }
}

It compiles and works well with no syntax error. However, for each IP I want to prioritize the traffic. Say, priority 1 for http traffic and priority 2 for other, each host limiting within their allocated bandwidth. I tried the following configuration, and it also compiled without syntax error. But it did not work. Strange, when I looked at the tc files (#tcc files.tc), it generates unusual tc commands. I guess it's a bug in the tcc compiler, or it happens to my box due to some misconfigurations?

Please look at the following example where I have a problem

[root@server traffic]# cat test1.tc
#include "fields.tc"
#include "ports.tc"

#define LANSIDE eth0
#define WANSIDE eth1

/*######### Shape DOWNLOAD Traffic ############*/
/*#############################################*/
dev LANSIDE {
    htb() {
        //Main link bandwidth
        class (rate 128kbps, ceil 128kbps) {
            //Client 1
            class (rate 128kbps, ceil 128kbps) if ip_dst == 192.168.0.9 {
                class (prio 1, rate 128kbps, ceil 128kbps) if tcp_sport == 80;
                class (prio 2, rate 128kbps, ceil 128kbps) if 1;
            }
            //Client 2
            class (rate 64kbps, ceil 64kbps) if ip_dst == 192.168.0.20 {
                class (prio 1, rate 64kbps, ceil 64kbps) if tcp_sport == 80;
                class (prio 2, rate 128kbps, ceil 128kbps) if 1;
            }
        } // end of root class
    } //End of qdiscs (HTB)
} //End of device (LANSIDE)

[root@server traffic]# tcc -r test1.tc
tc qdisc del dev eth0 root
# ================================ Device eth0 ================================
tc qdisc add dev eth0 handle 1:0 root htb
tc class add dev eth0 parent 1:0 classid 1:1 htb rate 16000bps ceil 16000bps
tc class add dev eth0 parent 1:1 classid 1:2 htb rate 16000bps ceil 16000bps
tc class add dev eth0 parent 1:2 classid 1:3 htb rate 16000bps ceil 16000bps prio 1
tc class add dev eth0 parent 1:2 classid 1:4 htb rate 16000bps ceil 16000bps prio 2
tc class add dev eth0 parent 1:1 classid 1:5 htb rate 8000bps ceil 8000bps
tc class add dev eth0 parent 1:5 classid 1:6 htb rate 8000bps ceil 8000bps prio 1
tc class add dev eth0 parent 1:5 classid 1:7 htb rate 16000bps ceil 16000bps prio 2
tc filter add dev eth0 parent 1:1 protocol all prio 1 u32 match u32 0xc0a80009 0xffffffff at 16 classid 1:2
tc filter add dev eth0 parent 1:1 protocol all prio 1 handle 1:0:0 u32 divisor 1
tc filter add dev eth0 parent 1:1 protocol all prio 1 u32 match u8 0x6 0xff at 9 offset at 0 mask 0f00 shift 6 eat link 1:0:0
tc filter add dev eth0 parent 1:1 protocol all prio 1 handle 1:0:1 u32 ht 1:0:0 match u16 0x50 0xffff at 0 classid 1:3
tc filter add dev eth0 parent 1:1 protocol all prio 1 u32 match u32 0x0 0x0 at 0 classid 1:4

SEE here we haven't got any u32 filter for classes 1:5, 1:6 or 1:7. What is the problem? Is it a bug?? As each class has a filter defined in the .tc file, why could tcc not make a filter for this?

One thing, I haven't succeeded in using tcng branching the class as above. Even a simple configuration (although it compiles). But it works if I do not branch any class.

I will appreciate your help.

With regds,
Rajendra Adhikari
Subisucable Internet
Kathmandu, Nepal.

From mail at iceberg.pl Sun May 28 21:31:29 2006
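The tc filters tcc emits above are u32 byte matches at raw offsets, which makes it hard to see at a glance which lines correspond to which `if` in the .tc source (and, as rajendra notes, that nothing at all was generated for 1:5 to 1:7). The decoder below is an added example, not code from the thread or from tcng; it turns each generated `tc filter` line back into readable terms. It assumes the offsets tc uses for IP filters: the IP header starts at 0, so source address is at 12, destination at 16 and protocol at 9; a match inside a table reached through `link`, after the IHL-based `offset ... eat` rule, is relative to the transport header, so u16 at 0 is the source port and u16 at 2 the destination port.

```shell
#!/bin/sh
# Added example, not from the thread or from tcng: decode tcc's generated
# "tc filter ... u32 match ..." lines into readable terms. Offsets assumed as
# tc uses them for IP: src at 12, dst at 16, protocol at 9 in the IP header;
# inside a linked (transport-header) table, u16 at 0 = sport, u16 at 2 = dport.

hex_to_ip() {                      # 0xc0a80009 -> 192.168.0.9
    v=$(( $1 ))
    printf '%d.%d.%d.%d' $(( (v >> 24) & 255 )) $(( (v >> 16) & 255 )) \
                         $(( (v >> 8) & 255 )) $(( v & 255 ))
}

mask_note() {                      # empty for a full 32-bit mask, else " (mask X)"
    [ "$(( $1 ))" -eq "$(( 0xffffffff ))" ] || printf ' (mask %s)' "$1"
}

# decode_match WIDTH VALUE MASK OFFSET CONTEXT   (CONTEXT is ip or transport)
decode_match() {
    case "$1:$4:$5" in
        u32:12:ip) echo "ip src == $(hex_to_ip "$2")$(mask_note "$3")" ;;
        u32:16:ip) echo "ip dst == $(hex_to_ip "$2")$(mask_note "$3")" ;;
        u8:9:ip)
            case "$(( $2 ))" in
                6)  echo "ip protocol == tcp" ;;
                17) echo "ip protocol == udp" ;;
                *)  echo "ip protocol == $(( $2 ))" ;;
            esac ;;
        u16:0:transport) echo "sport == $(( $2 ))" ;;
        u16:2:transport) echo "dport == $(( $2 ))" ;;
        *)
            if [ "$(( $3 ))" -eq 0 ]; then echo "match anything"
            else echo "raw $1 $2/$3 at $4 ($5)"; fi ;;
    esac
}

# decode_filter "tc filter add ... u32 ... classid X": walk the words and emit
# e.g. "ip dst == 192.168.0.9 -> class 1:2"
decode_filter() {
    ctx=ip
    out=""
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            ht)      ctx=transport; shift 2 ;;          # lookup in a linked table
            match)   out="$out${out:+ and }$(decode_match "$2" "$3" "$4" "$6" "$ctx")"
                     shift 6 ;;
            offset)  out="$out, then skip the IP header"; shift ;;
            link)    out="$out -> jump to table $2"; shift 2 ;;
            classid) out="$out -> class $2"; shift 2 ;;
            *)       shift ;;
        esac
    done
    echo "$out"
}

# usage when run directly:  ./decode-u32.sh tcc-output.txt
if [ -n "${1:-}" ]; then
    grep '^tc filter' "$1" | while IFS= read -r line; do
        decode_filter "$line"
    done
fi
```

Run over the tcc output above it yields, in order: "ip dst == 192.168.0.9 -> class 1:2", an empty line for the hash-table declaration, "ip protocol == tcp, then skip the IP header -> jump to table 1:0:0", "sport == 80 -> class 1:3" and "match anything -> class 1:4", which is exactly client 1's three conditions and nothing for client 2.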
From: mail at iceberg.pl (Rafal Krypa)
Date: Sun May 28 22:56:37 2006
Subject: [LARTC] Fair shaping over link with variable parameters
Message-ID: <20060528193129.GA15843@iceberg.netwerke.eu.org>

Hi.

I would like to ask you for advice. I am trying to construct the following shaping solution:

* several users are using one link to the Internet
* all of them have equal priority and should be given a fair amount of bandwidth
* no kind of traffic is considered more important than other
* our Internet connection has no CIR, only "maximum dl/ul speeds" given by the provider
* most important: our outgoing and incoming traffic must be shaped to some rate that will provide possibly low latency. For users that do not have active connections I'd like to ensure no more than 100ms latency for ping or any other low-traffic connections

In several years of my experiments with traffic shaping over Linux I found no tool for creating such a system. For example, HTB requires a given, constant 'ceil' parameter. I would like to have some qdisc that can automatically adjust its rate/ceil parameter depending on achieved latency. The rest of the job would be quite nicely done by ESFQ.

Could you point me to anything adequate to my needs?

-- 
/"\ Rafal Krypa
\ / ===========
 X  ASCII Ribbon Campaign
/ \ against HTML mail

From rajendra at subisu.net.np Mon May 29 07:47:44 2006
From: rajendra at subisu.net.np (rajendra@subisu.net.np)
Date: Mon May 29 07:47:46 2006
Subject: [LARTC] TCNG HTB priority and bandwidth
Message-ID: <3232.202.51.76.76.1148881664.squirrel@mail.subisu.net.np>

Hi,

I have several users on the lanside, each allocated separate IP addresses. I need to allocate the traffic to each IP address as a certain portion of the total uplink.

Say, 192.168.0.2 rate 128kbps, ceil 128kbps.
     192.168.0.3 rate 65kbps, ceil 128kbps
     129.168.0.4 rate 64kbps, ceil 64kbps.
     and so on....

Also, for each user I would like to prioritize the traffic within the allocated bandwidth.

Say for (192.168.0.2 rate 128kbps, ceil 128kbps), I would like to set prio 1 for http or https traffic and prio 2 for others.

Please suggest how I achieve this using tcng and htb, or any other solution.

With regds,
Rajendra Adhikari

From Andreas.Klauer at metamorpher.de Mon May 29 15:00:55 2006
From: Andreas.Klauer at metamorpher.de (Andreas Klauer)
Date: Mon May 29 15:00:53 2006
Subject: [LARTC] Fair shaping over link with variable parameters
In-Reply-To: <20060528193129.GA15843@iceberg.netwerke.eu.org>
References: <20060528193129.GA15843@iceberg.netwerke.eu.org>
Message-ID: <20060529130055.GA7121@EIS>

On Sun, May 28, 2006 at 09:31:29PM +0200, Rafal Krypa wrote:
> I am trying to construct following shaping solution:
> * several users are using one link to the Internet
> * all of them have equal priority and should be given fair amount of bandwidth
> * no kind of traffic is considered more important than other
> * our Internet connection has no CIR, only "maximum dl/ul speeds" given by
>   provider
> * most important: our outgoing and incoming traffic must be shaped to some rate
>   that will provide possibly low latency. For users that do not have active
>   connections I'd like to ensure no more than 100ms latency for ping or any
>   other low-traffic connections

http://www.metamorpher.de/fairnat

...not what you're looking for probably, but as close as I could get to fair sharing. But then again, I only have (or rather, had) a small home network with a cheap, constant-rate dialup connection.

> For several years of my experiments with traffic shaping over Linux I found no
> tool for creating such system. For example, HTB require given, constant 'ceil'
> parameter. I would like to have some qdisc that can automatically adjush its
> rate/ceil parameter depending on achieved latency.

How do you measure latency?

Regards
Andreas Klauer

From luciano at lugmen.org.ar Mon May 29 16:02:53 2006
From: luciano at lugmen.org.ar (Luciano Ruete)
Date: Mon May 29 15:55:24 2006
Subject: [LARTC] TCNG HTB priority and bandwidth
In-Reply-To: <3232.202.51.76.76.1148881664.squirrel@mail.subisu.net.np>
References: <3232.202.51.76.76.1148881664.squirrel@mail.subisu.net.np>
Message-ID: <200605291102.53530.luciano@lugmen.org.ar>

On Monday 29 May 2006 02:47, rajendra@subisu.net.np wrote:
> Hi,
> I have several users on the lanside each allocated separate IP addresses.
> I need to allocate th traffic to each IP addresses certain portion of
> total uplink.
>
> Say, 192.168.0.2 rate 128kbps, ceil 128kbps.
> 192.168.0.3 rate 65kbps, ceil 128kbps
> 129.168.0.4 rate 64kbps, ceil 64kbps.
> and so on....
>
> Also, for each user i would like to prioritize the traffic within the
> allocated bandwidth.
>
> say for (192.168.0.2 rate 128kbps, ceil128kbps), i would like to set prio
> 1 for http or https traffic and prio 2 for others.
>
> Please suggest how do i achieve this using tcng and htb, or any other
> solution.

I think htb-gen[1] fits perfectly* in the scenario that you've described.

[1] http://freshmeat.net/projects/htb-gen/

-- 
Luciano

*and not because i'm the author P)

From mail at iceberg.pl Mon May 29 16:31:06 2006
From: mail at iceberg.pl (Rafal Krypa)
Date: Mon May 29 16:31:39 2006
Subject: [LARTC] Fair shaping over link with variable parameters
In-Reply-To: <20060529130055.GA7121@EIS>
References: <20060528193129.GA15843@iceberg.netwerke.eu.org> <20060529130055.GA7121@EIS>
Message-ID: <20060529143106.GA3411@iceberg.netwerke.eu.org>

On 29.May, Andreas Klauer wrote:
> > For several years of my experiments with traffic shaping over Linux I found no
> > tool for creating such system. For example, HTB require given, constant 'ceil'
> > parameter. I would like to have some qdisc that can automatically adjush its
> > rate/ceil parameter depending on achieved latency.
>
> How do you measure latency?

I want to assure, for users that do not have any active downloads, low delays for any new low-traffic connection. For measurement purposes I want to use simple ping (but without rules prioritizing ICMP packets on the router). The goal is to achieve 100 millisecond round trip times during high link usage by other clients. But the router has to adapt to current link parameters and that's the hardest part.

-- 
/"\ Rafal Krypa
\ / ===========
 X  ASCII Ribbon Campaign
/ \ against HTML mail

From mainardistefano at gmail.com Mon May 29 17:28:38 2006
From: mainardistefano at gmail.com (Stefano Mainardi)
Date: Mon May 29 17:28:33 2006
Subject: Fwd: [LARTC] HTB shaping & borrowing info
In-Reply-To: <20060528002536.GA13418@EIS>
References: <20060527215019.GA12536@EIS> <20060527232402.GA13037@EIS> <20060528002536.GA13418@EIS>
Message-ID:

2006/5/28, Andreas Klauer :
>
> > Is possible, to change dynamically their band assignment?
>
> The bandwidth in HTB is dynamic, as classes are allowed to borrow
> bandwidth from other classes depending on their rate-ceil settings.

Thanks for the precious tips.

I've seen that "ceil rate" with TC is a constant; I want to know if it is possible to make it dynamic based on the load of the network?

> If the borrowing/lending bandwidth between HTB classes is not
> dynamic enough for you, the only other option you have is to
> somehow externally delete/create new HTB classes on the fly,
> which is not a good solution in most situations.

With this solution, I can think to create a series of HTB classes for various situations. But it is impossible to think! :(

Or create a daemon that watches the load of the network and switches from one set of HTB classes to another.

-- 
Stefano Mainardi

From rajendra at subisu.net.np Mon May 29 19:43:15 2006
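Rafal's thread wants a ceil that follows measured latency, Andreas asks how latency would be measured, and Stefano here arrives at "a daemon that watches the network". The script below is an added example, not code from the thread or from anyone in it, that reduces that daemon to its control rule: HTB's ceil is a fixed number as far as the kernel is concerned, but `tc class change` can rewrite it at any time, so a user-space loop can ping a reference host and move the ceil to keep round-trip time near Rafal's 100 ms target. The additive-increase/multiplicative-decrease rule, the step sizes, the bounds, the class id and the use of iputils ping's `rtt min/avg/max/mdev` summary line are all my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a latency-driven ceil controller for one
# HTB class, i.e. the "daemon that watches the network" reduced to its rule.
# Targets, steps, bounds and the class id are assumptions.

TARGET_MS=${TARGET_MS:-100}     # RTT we want to stay under (Rafal's figure)
STEP_KBIT=${STEP_KBIT:-64}      # additive increase per good sample
MIN_KBIT=${MIN_KBIT:-256}       # never throttle below this
MAX_KBIT=${MAX_KBIT:-2048}      # provider's advertised maximum (assumed)

# next_ceil CURRENT_KBIT RTT_MS -> new ceil in kbit
#   RTT above target: multiplicative decrease (cut a quarter), floor at MIN
#   RTT at/below target: additive increase of STEP, capped at MAX
next_ceil() {
    cur=$1 rtt=$2
    if [ "$rtt" -gt "$TARGET_MS" ]; then
        new=$(( cur * 3 / 4 ))
        if [ "$new" -lt "$MIN_KBIT" ]; then new=$MIN_KBIT; fi
    else
        new=$(( cur + STEP_KBIT ))
        if [ "$new" -gt "$MAX_KBIT" ]; then new=$MAX_KBIT; fi
    fi
    echo "$new"
}

# parse_avg_rtt: stdin is ping output; prints the integer average RTT in ms,
# or nothing if the summary line ("rtt min/avg/max/mdev = a/b/c/d ms",
# as iputils ping prints it) is absent, e.g. on total loss
parse_avg_rtt() {
    awk -F'[/ ]' '/^rtt/ { printf "%d\n", $8 }'
}

rtt_ms() {                      # three probes, one-second timeout each
    ping -c 3 -W 1 "$1" 2>/dev/null | parse_avg_rtt
}

# run_loop DEV CLASSID PROBE_HOST: re-evaluate the ceil every five seconds
run_loop() {
    dev=$1 cls=$2 host=$3
    ceil=$MAX_KBIT
    while :; do
        rtt=$(rtt_ms "$host")
        if [ -z "$rtt" ]; then rtt=$(( TARGET_MS * 10 )); fi   # loss counts as very high RTT
        ceil=$(next_ceil "$ceil" "$rtt")
        tc class change dev "$dev" parent 1: classid "$cls" htb \
            rate "${ceil}kbit" ceil "${ceil}kbit"
        sleep 5
    done
}

# usage when run directly:  ./ceil-control.sh eth0 1:1 <probe-host>
if [ -n "${3:-}" ]; then
    run_loop "$1" "$2" "$3"
fi
```

The probe host should be the far side of the bottleneck (the provider's first hop is the usual choice), and the probes must not be prioritised by the shaper, as Rafal says, or they stop measuring what the users see; the one-quarter cut on a bad sample against a 64 kbit step on a good one makes the controller back off quickly and creep back slowly, which is the usual shape for keeping a queue short.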
From: rajendra at subisu.net.np (rajendra@subisu.net.np)
Date: Mon May 29 19:43:20 2006
Subject: [LARTC] TCNG HTB prioritize traffic for each IP separately.
In-Reply-To: <200605291102.53530.luciano@lugmen.org.ar>
References: <3232.202.51.76.76.1148881664.squirrel@mail.subisu.net.np> <200605291102.53530.luciano@lugmen.org.ar>
Message-ID: <4079.202.51.76.76.1148924595.squirrel@mail.subisu.net.np>

Hi,

Yes! This (htb-gen software) perfectly meets my demand. I have also drawn a similar solution with tcng but am unable to prioritize traffic for each user separately.

Again, I ask if someone would help me with how to do it with tcng. I have prioritized the traffic, but the higher priority traffic completely stops the flow of lower prio traffic. I want the higher priority traffic to use 90% of the bandwidth allocated to the user and the remaining 10% to go to the lower priority traffic. I would be grateful if someone shows me sample code for using tcng.

Here is the code I did, but could not achieve my goal.

dev "eth0" {
    htb() {
        // This is the class for first client. He will be allocated 128kbps
        // And within this 128kbps, traffic are prioritized.
        class (rate 128 kbps, ceil 128 kbps) if ip_dst == 192.168.0.20 {
            prio {
                class (1) if tcp_sport == 80 || tcp_sport == 443 || tcp_sport == 22;
                class (2) if 1;  //The high prio has completely halted the low prio traffic.
            }
        }
        // Another user, no traffic prioritization for him.
        class (rate 400 kbps, ceil 400 kbps) if ip_dst == 192.168.0.15;
        // And there may be many other users who I will allocate the
        // traffic as above and each may or may not have prioritization separately.
    }
}

With the above setup, when the user (192.168.0.20) downloads every kind of traffic, the high priority sucks all 128kbps of b/w, leaving low prio traffic absolutely dead. How could I set up the user (192.168.0.20) such that when there is full traffic of all kinds the high prio traffic uses about 90% of 128kbps and the remainder is used by low prio traffic?

Anyway, "htb-gen by Luciano" did it for me. Is there a way I could define first, 2nd and 3rd priority traffic in "htb-gen by Luciano"? You only have features of high and low prio and that too is set for every user. Anyway, it does most of all what I want, but does not use tcng. However, I have a thirst to complete my setup with tcng. If someone needs a quick solution, htb-gen is easy and reliable. Thanks Luciano for this.

Okay, I have yet another query regarding HTB. When the sum of the rates is greater than the total rate/ceil of the total downlink, then how will htb behave? Talking only about download, say I have a link of 512 kbps down and I have 5 users each allocated 128kbps down and 5 other users with 64kbps down each; it is assumed that only a few come online at a time. So, as long as the users online have a sum of rates less than or equal to 512kbps, HTB works fine. But what if all the users come online at a time and use the link to their full extent? How will the bandwidth be shared among users? What does the htb theory say regarding this? I read the htb faq but the scenario it depicted is not so clear to relate to this scenario.

> On Monday 29 May 2006 02:47, rajendra@subisu.net.np wrote:
>> Hi,
>> I have several users on the lanside each allocated separate IP
>> addresses.
>> I need to allocate th traffic to each IP addresses certain portion of
>> total uplink.
>>
>> Say, 192.168.0.2 rate 128kbps, ceil 128kbps.
>> 192.168.0.3 rate 65kbps, ceil 128kbps
>> 129.168.0.4 rate 64kbps, ceil 64kbps.
>> and so on....
>>
>> Also, for each user i would like to prioritize the traffic within the
>> allocated bandwidth.
>>
>> say for (192.168.0.2 rate 128kbps, ceil128kbps), i would like to set
>> prio
>> 1 for http or https traffic and prio 2 for others.
>>
>> Please suggest how do i achieve this using tcng and htb, or any other
>> solution.
>
> I think htb-gen[1] fits perfectly* in the scenario that you've described.
>
> [1] http://freshmeat.net/projects/htb-gen/
> --
> Luciano
> *and not because i'm the author P)
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

From rajendra at subisu.net.np Mon May 29 19:44:42 2006
From: tor.bigpurple at gmail.com (John Doe)
Date: Tue May 30 08:05:41 2006
Subject: [LARTC] routing between two lans
Message-ID: <003301c683af$13a7b030$7600a8c0@l337ibm>

Skipped content of type multipart/alternative (non-text attachment fullnetwork.gif scrubbed by the archive; the question survives quoted in the reply below).

From: erik at slagter.name (Erik Slagter)
Date: Tue May 30 11:34:06 2006
Subject: [LARTC] routing between two lans
In-Reply-To: <003301c683af$13a7b030$7600a8c0@l337ibm>
References: <003301c683af$13a7b030$7600a8c0@l337ibm>
Message-ID: <1148981644.9933.32.camel@localhost.localdomain>

> > I am looking for some help, I basically want to forward/route traffic via
> > sandy (see attachment) between two lan's.

This looks like a question from a networking course exam ;-) Are you sure this is a real-life situation? Anyway, this seems to be a very simple layout that you don't need LARTC for...
From: mainardistefano at gmail.com (Stefano Mainardi)
Date: Tue May 30 13:02:08 2006
Subject: Fwd: [LARTC] HTB shaping & borrowing info
In-Reply-To: <20060528002536.GA13418@EIS>
References: <20060527215019.GA12536@EIS> <20060527232402.GA13037@EIS> <20060528002536.GA13418@EIS>
Message-ID:

Andreas, what if I want A, B and C to be able to borrow bandwidth from each other? How can I structure the HTB tree?

Stefano

2006/5/28, Andreas Klauer :
>
> On Sun, May 28, 2006 at 02:04:57AM +0200, Stefano Mainardi wrote:
> > Like I said above, in the case that B is not producing traffic, 7/8 of the
> > 20 MB/s need to be assigned to A and the remaining 1/8 will remain to B.
>
> Well, reducing the ceil of A by 1/8 of B's bandwidth in the tree I
> posted earlier would do that.
>
> > Is possible, to change dynamically their band assignment?
>
> The bandwidth in HTB is dynamic, as classes are allowed to borrow
> bandwidth from other classes depending on their rate-ceil settings.
>
> In the tree I posted, the bandwidth behaviour is as follows:
>
> 10mbit will be reserved for C at all times, B can use up to 20mbit,
> A has 70mbit reserved, but can also use 20mbit of B if B is idle.
>
> If the borrowing/lending bandwidth between HTB classes is not
> dynamic enough for you, the only other option you have is to
> somehow externally delete/create new HTB classes on the fly,
> which is not a good solution in most situations.
>
> Regards
> Andreas Klauer
>
From: vinod_chandran at multitech.co.in (Vinod Chandran)
Date: Tue May 30 16:41:32 2006
Subject: [LARTC] Problems with Routing and Masquerading
Message-ID: <447C5773.3000608@multitech.co.in>

Hi,

I have a linux box which balances load between two interfaces (say WAN1 and WAN2). I have masquerading on for any request coming from the LAN to the outside world. The setup is in such a way that WAN1 drops packets with a source ip belonging to WAN2's network and vice versa.

For some strange reason, I find that the packet coming out from the WAN interface has the source address of WAN2 and thereby gets dropped. When I check the route cache, I find that for the same source and destination I have two route cache entries:

    192.168.52.66 192.168.26.73 192.168.19.76   0 0  0 eth1
    192.168.52.66 192.168.26.73 192.168.20.25 i 0 0 23 eth2

Here 192.168.19.76 is the WAN1 gateway and 192.168.20.25 is the WAN2 gateway. As we see, the packets are going out through WAN2, but the masquerading has happened to the WAN1 IP address.

It seems to me that the root of the problem is the creation of the two cache entries. Any idea why this happens, and how it can be avoided?

Thanks and Regards,
Vinod C
From: erik at slagter.name (Erik Slagter)
Date: Tue May 30 17:01:54 2006
Subject: [LARTC] Problems with Routing and Masquerading
In-Reply-To: <447C5773.3000608@multitech.co.in>
References: <447C5773.3000608@multitech.co.in>
Message-ID: <1149001309.9933.47.camel@localhost.localdomain>

On Tue, 2006-05-30 at 20:02 +0530, Vinod Chandran wrote:
> It seems to me that the root of the problem is the creation of the two
> cache entries. Any idea why this happens, and how it can be avoided.

What does "ip route get" say? I think this tool will be the key to the solution, look at the "src address".
From: vinod_chandran at multitech.co.in (Vinod Chandran)
Date: Tue May 30 17:09:31 2006
Subject: [LARTC] Problems with Routing and Masquerading
In-Reply-To: <1149001309.9933.47.camel@localhost.localdomain>
References: <447C5773.3000608@multitech.co.in> <1149001309.9933.47.camel@localhost.localdomain>
Message-ID: <447C5E40.1080008@multitech.co.in>

Hi Erik,

ip route get returns

    192.168.26.73 via 192.168.19.76 dev eth1 src 192.168.19.29
        cache mtu 1500 advmss 1460

Here too it gives me WAN1's IP address, which is the same as the masqueraded one, but the packets are seen going out through WAN2.

Thanks and Regards,
Vinod C

Erik Slagter wrote:
> On Tue, 2006-05-30 at 20:02 +0530, Vinod Chandran wrote:
>
>> It seems to me that the root of the problem is the creation of the two
>> cache entries. Any idea why this happens, and how it can be avoided.
>
> What does "ip route get" say? I think this tool will be the key to the
> solution, look at the "src address".
>
From: luciano at lugmen.org.ar (Luciano Ruete)
Date: Tue May 30 18:08:14 2006
Subject: [LARTC] Problems with Routing and Masquerading
In-Reply-To: <447C5773.3000608@multitech.co.in>
References: <447C5773.3000608@multitech.co.in>
Message-ID: <200605301315.43331.luciano@lugmen.org.ar>

On Tuesday 30 May 2006 11:32, Vinod Chandran wrote:
> Hi,
>
> I have a linux box which balances load between two interfaces ( say WAN1
> and WAN2). I have masquerading on for any request coming from LAN to the
> outside world.

If the WAN ips are static, you can use

    iptables -t nat ... -o WAN1 -j SNAT --to x.x.x.x
    iptables -t nat ... -o WAN2 -j SNAT --to x.x.x.x

AFAICR using MASQUERADE with multipath is not recommended (but maybe this is outdated, plz correct me if I'm wrong).

> The setup is in such a way that WAN1 drops packets with source ip
> belonging to WAN2's network and viceversa.
> For some strange reason, I find that packet coming out from the WAN
> interface has source address of WAN2 and thereby getting dropped.
>
> When I check the route cache , I find that for the same source and
> destination, I have two route cache entries

TOS is also used to compute a route cache entry, so it is possible and natural to have 2 entries with the same src and dst. Be aware that some ssh clients change the packet TOS after negotiation has been done; this could cause you to get routed over a different link in the middle of your session, making it impossible to do a simple ssh.

> 192.168.52.66 192.168.26.73 192.168.19.76 0 0 0 eth1
> 192.168.52.66 192.168.26.73 192.168.20.25 i 0 0 23 eth2
>
> Here 192.168.19.76 is the WAN1 gateway and 192.168.20.25 is WAN2
> gateway, as we see the packets are going out through WAN2 , but the
> masquerading has happened to the WAN1 IP address.
>
> It seems to me that the root of the problem is the creation of the two
> cache entries. Any idea why this happens, and how it can be avoided.

I think the root of the problem is that you are using MASQUERADE and not SNAT. And somehow MASQUERADE does not have an accurate method to guess the right ip address to do the NAT.

Besides that, you need to solve the problems that multipath will raise, like the TOS situation described above or route cache expiration, which could make long term conns be routed over a new iface. The solutions I know are CONNMARK (kernel>=2.6.12) and julian's patches[1]. Personally I prefer CONNMARK.

[1] http://www.ssi.bg/~ja/

--
Luciano
From: andrew.lyon at josims.com (Andrew Lyon)
Date: Tue May 30 18:16:33 2006
Subject: [LARTC] Problems with Routing and Masquerading
Message-ID: <592F914D209FD942908826DFF2277A2D0205439D@COMMSSERVER>

> AFAICR using MASQUERADE with multipath is not recommended (but maybe this is outdated, plz correct me if I'm wrong)

I have had problems using MASQUERADE with multipath on a 2.4.31 kernel box, with two outbound default routes I got messages about "rustys brain broke" and things like ICMP etc suffered packet loss. Not recommended, SNAT works perfectly :)

Andy

From: andrew.lyon at josims.com (Andrew Lyon)
Date: Tue May 30 18:22:02 2006
Subject: [LARTC] Problems with Routing and Masquerading
Message-ID: <592F914D209FD942908826DFF2277A2D0205439E@COMMSSERVER>

My apologies for sending email disclaimer crap to the list, I forgot the magic string to prevent it from being appended :(. Oops.

Andy

JOSEDV001TAG
From: jasonb at edseek.com (Jason Boxman)
Date: Tue May 30 18:26:31 2006
Subject: [LARTC] Problems with Routing and Masquerading
In-Reply-To: <200605301315.43331.luciano@lugmen.org.ar>
References: <447C5773.3000608@multitech.co.in> <200605301315.43331.luciano@lugmen.org.ar>
Message-ID: <38392.216.134.200.78.1149006186.squirrel@nebula.internal.foo>

Luciano Ruete wrote:
> Besides that, you need to solve the problems that multipath will arise, like
> TOS situation described above or route cache expiration, that could made
> long term conns to be routed over a new iface. The solutions i know are
> CONNMARK(kernel>=2.6.12) and julian's patches[1].
> Personally i prefer CONNMARK.

Could you elaborate a little more on the CONNMARK method?

Thanks.
From: luciano at lugmen.org.ar (Luciano Ruete)
Date: Tue May 30 19:03:01 2006
Subject: [LARTC] Problems with Routing and Masquerading
In-Reply-To: <38392.216.134.200.78.1149006186.squirrel@nebula.internal.foo>
References: <447C5773.3000608@multitech.co.in> <200605301315.43331.luciano@lugmen.org.ar> <38392.216.134.200.78.1149006186.squirrel@nebula.internal.foo>
Message-ID: <200605301410.32719.luciano@lugmen.org.ar>

On Tuesday 30 May 2006 13:23, Jason Boxman wrote:
> Luciano Ruete wrote:
> >
> > Besides that, you need to solve the problems that multipath will arise,
> > like TOS situation described above or route cache expiration, that could
> > made long term conns to be routed over a new iface. The solutions i know are
> > CONNMARK(kernel>=2.6.12) and julian's patches[1].
> > Personally i prefer CONNMARK.
>
> Could you elaborate a little more on the CONNMARK method?

    # by-pass rules if it is already MARKed
    iptables -t mangle -A POSTROUTING -m mark --mark ! 0 -j ACCEPT
    # 1st packets (from a connection) will arrive here
    iptables -t mangle -A POSTROUTING -o eth1 -j MARK --set-mark 0x1
    iptables -t mangle -A POSTROUTING -o eth2 -j MARK --set-mark 0x2
    iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
    # restore mark before ROUTING decision
    iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark

    # route commands
    ip ro add default nexthop via x.x.x.x dev eth1 weight 1 nexthop via y.y.y.y dev eth2
    ip route add default table provider1 via x.x.x.x dev eth1
    ip route add default table provider2 via y.y.y.y dev eth2
    # and most important
    ip rule add fwmark 0x1 table provider1
    ip rule add fwmark 0x2 table provider2

Some notes:

- The example uses 2 ifaces, but it is scalable to any number (I have it working with 5).
- FORWARD could be used instead of POSTROUTING, it depends on your needs.
- If you have a large network, think about changing the default conntrack table size and hash size:

      ip_conntrack hashsize=xxx
      echo xxx > /proc/sys/net/ipv4/ip_conntrack_max
      # lnstat is your friend, will help to find the magic numbers
      lnstat -f ip_conntrack -i 1 -c 1

- Full discussion about this solution in this thread[1][2] (sorry, spanish only).
- Credits to diego woitasen who pointed me to this kind of solution.

[1] http://www.lugmen.org.ar/pipermail/lug-list/2006-April/041078.html
[2] http://www.lugmen.org.ar/pipermail/lug-list/2006-May/041084.html

--
Luciano
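The mechanism behind Luciano's rule set, as an added Python model (not code from the thread): PREROUTING restores the connmark, marked packets are routed by the fwmark rule into a fixed provider table, and only an unmarked first packet goes through the multipath default route and is then marked by its outgoing interface and saved into conntrack. Interface names, marks and table names follow the posted rules; the flows and the alternating "multipath" chooser are constructed stand-ins for real traffic and for the kernel's route cache.

```python
"""Model of CONNMARK-pinned multipath routing (added example, not Luciano's).

It shows why a connection stays on the interface chosen for its first packet
even when the plain multipath decision would later change, e.g. after a
route-cache refresh or when an ssh client rewrites the TOS mid-session.
"""
from dataclasses import dataclass, field
from itertools import cycle
from typing import Dict, Iterator, List, Tuple

# -o eth1 -j MARK --set-mark 0x1 / -o eth2 -j MARK --set-mark 0x2
MARK_FOR_IFACE = {"eth1": 0x1, "eth2": 0x2}
# ip rule add fwmark 0x1 table provider1 / fwmark 0x2 table provider2
TABLE_FOR_MARK = {0x1: "provider1", 0x2: "provider2"}
# ip route add default table provider1 ... dev eth1 / provider2 ... dev eth2
IFACE_FOR_TABLE = {"provider1": "eth1", "provider2": "eth2"}

Flow = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    tos: int = 0  # part of the route-cache key, but NOT of the conntrack key


@dataclass
class Router:
    # conntrack entry -> connmark, written by 'CONNMARK --save-mark'
    conntrack: Dict[Flow, int] = field(default_factory=dict)
    # constructed stand-in for the kernel's multipath choice for an unmarked
    # packet: it alternates, as a refreshed route cache or a TOS change might
    multipath: Iterator[str] = field(
        default_factory=lambda: cycle(["eth1", "eth2"]))

    def forward(self, pkt: Packet, use_connmark: bool = True) -> str:
        """Run one packet through PREROUTING, routing and POSTROUTING."""
        flow: Flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        # mangle PREROUTING: -j CONNMARK --restore-mark
        mark = self.conntrack.get(flow, 0) if use_connmark else 0
        # routing decision: fwmark rules win, multipath default otherwise
        if mark:
            iface = IFACE_FOR_TABLE[TABLE_FOR_MARK[mark]]
        else:
            iface = next(self.multipath)
        # mangle POSTROUTING: '-m mark --mark ! 0 -j ACCEPT' bypasses marked
        # packets; an unmarked (first) packet is marked by -o iface and saved
        if mark == 0:
            mark = MARK_FOR_IFACE[iface]
            if use_connmark:
                self.conntrack[flow] = mark  # -j CONNMARK --save-mark
        return iface


def route_connection(packets: List[Packet], use_connmark: bool) -> List[str]:
    """Interface used by each packet, in order, on a fresh router."""
    router = Router()
    return [router.forward(p, use_connmark) for p in packets]


def ssh_session() -> List[Packet]:
    """Constructed flow: one ssh connection whose client flips TOS after login."""
    return [Packet("192.168.1.10", 40000, "203.0.113.5", 22, tos)
            for tos in (0x00, 0x10, 0x10, 0x08)]


def two_connections() -> List[Packet]:
    """Constructed: two flows whose packets interleave unevenly."""
    a = Packet("192.168.1.10", 40000, "203.0.113.5", 22)
    b = Packet("192.168.1.11", 51000, "198.51.100.9", 443)
    return [a, b, b, a, a]


if __name__ == "__main__":
    print("ssh with CONNMARK:    ", route_connection(ssh_session(), True))
    print("ssh without CONNMARK: ", route_connection(ssh_session(), False))
    print("two flows, CONNMARK:  ", route_connection(two_connections(), True))
    print("two flows, plain:     ", route_connection(two_connections(), False))
```

With CONNMARK every packet of the ssh session leaves on eth1 and the two flows are still spread over both links; without it the same packets flip between eth1 and eth2, which is the mid-session link change the thread warns about.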
From: support8 at greatlakes.net (Eliot, Wireless and Server Administrator, Great Lakes Internet)
Date: Tue May 30 21:22:47 2006
Subject: [LARTC] iptables CLASSIFY and MARK not working?
Message-ID: <0633E0EDB4F25F43A2D7179CA11FAFAB2553F9@xavier.staff.greatlakes.net>

Ok, I ran into a different issue with using the tc filters which basically puts me right back to using the iptables classify target -- which means that I am running right back into the same problem I was on before. As a refresher, the problem is that the classify target, while matching in the postrouting chain of the mangle table, is not actually directing the traffic through the correct TC class.

Now, I took a look through the iptables classify target code in iptables and in the Linux kernel. From what I have deciphered thus far, it does not appear likely that there is a bug in the code in iptables. In fact, it is a very small amount of code. Essentially, the iptables code runs through its normal hooks and simply does a sscanf on the --set-class option to convert the string into numbers. Then it uses the TC_H_MAKE macro in the packet scheduler code to create a scheduler handle (by shifting the major node number left 16 bits and ORing in the minor node number). This 32-bit handle is then stored in the socket buffer priority field (skb->priority) for use in the scheduler. That's the end of the iptables code. At this point, it is up to the scheduler algorithms to handle the placement of the packets into the correct class.
    // From hfsc_classify()
    if (TC_H_MAJ(skb->priority ^ sch->handle) == 0 &&
        (cl = hfsc_find_class(skb->priority, sch)) != NULL)
        if (cl->level == 0)
            return cl;
    // filter code cut out

    // From htb_classify()
    /* allow to select class by setting skb->priority to valid classid;
       note that nfmark can be used too by attaching filter fw with no
       rules in it */
    if (skb->priority == sch->handle)
        return HTB_DIRECT;  /* X:0 (direct flow) selected */
    if ((cl = htb_find(skb->priority,sch)) != NULL && cl->level == 0)
        return cl;
    // filter code cut out

    // From cbq_classify()
    /*
     *  Step 1. If skb->priority points to one of our classes, use it.
     */
    if (TC_H_MAJ(prio^sch->handle) == 0 &&
        (cl = cbq_class_lookup(q, prio)) != NULL)
        return cl;
    // filter code cut out

So, it would appear that we are doing essentially this logic: If the priority field is set such that it contains a major node number (a handle) that is equal to the handle for the current qdisc, then we try to find a class that matches the priority field. If the find function does not find a class, we fall back on the filter code to pick a class. If the find function does find a class, we check to make sure the class is a leaf node (HTB and HFSC). If it is a leaf node, we return a pointer to the class. On CBQ, we just return a pointer to the class without a leaf node check.

This logic seems pretty straight forward. So, if this is failing, there can only be a couple of reasons:

1) The skb->priority field is blank when this function starts
2) The skb->priority field contains an invalid class id.
3) The skb->priority field does not reference the handle we are inside of
4) The handle and class specified in the skb->priority field is not a leaf node
5) The code elsewhere in tc is messed up.
Now, I have double checked my rules to verify that the class IDs match up:

    Chain POSTROUTING (policy ACCEPT 15224 packets, 1809K bytes)
     pkts bytes target   prot opt in out    source     destination
       27  1792 CLASSIFY all  --  *  br1    0.0.0.0/0  0.0.0.0/0   MARK match 0x1f8 CLASSIFY set 1:504
       11  4569 CLASSIFY all  --  *  br1    0.0.0.0/0  0.0.0.0/0   MARK match 0x1f9 CLASSIFY set 1:505
        0     0 CLASSIFY all  --  *  br1    0.0.0.0/0  0.0.0.0/0   MARK match 0x1fa CLASSIFY set 1:506
       19  2172 CLASSIFY all  --  *  wivl4  0.0.0.0/0  0.0.0.0/0   MARK match 0x1f8 CLASSIFY set 5:504
       10   640 CLASSIFY all  --  *  wivl4  0.0.0.0/0  0.0.0.0/0   MARK match 0x1f9 CLASSIFY set 5:505
        0     0 CLASSIFY all  --  *  wivl4  0.0.0.0/0  0.0.0.0/0   MARK match 0x1fa CLASSIFY set 5:506
     3960  252K CLASSIFY all  --  *  br1    0.0.0.0/0  0.0.0.0/0   MARK match 0x1fe CLASSIFY set 1:510
        8  4485 CLASSIFY all  --  *  br1    0.0.0.0/0  0.0.0.0/0   MARK match 0x1ff CLASSIFY set 1:511
        0     0 CLASSIFY all  --  *  br1    0.0.0.0/0  0.0.0.0/0   MARK match 0x200 CLASSIFY set 1:512
     3899  235K CLASSIFY all  --  *  wivl4  0.0.0.0/0  0.0.0.0/0   MARK match 0x1fe CLASSIFY set 5:510
       20  1064 CLASSIFY all  --  *  wivl4  0.0.0.0/0  0.0.0.0/0   MARK match 0x1ff CLASSIFY set 5:511
        0     0 CLASSIFY all  --  *  wivl4  0.0.0.0/0  0.0.0.0/0   MARK match 0x200 CLASSIFY set 5:512

    wireless-r1 ~ # tc -s class show dev wivl4
    class hfsc 5: root
     Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
     rate 0bit 0pps backlog 0b 0p requeues 0
     period 0 level 1

    class hfsc 5:505 parent 5: sc m1 160000bit d 2.0s m2 0bit ul m1 160000bit d 2.0s m2 0bit
     Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
     rate 0bit 0pps backlog 0b 0p requeues 0
     period 0 level 0

    class hfsc 5:1 parent 5: sc m1 0bit d 2.6ms m2 30000Kbit
     Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
     rate 0bit 0pps backlog 0b 0p requeues 0
     period 0 level 0

    class hfsc 5:504 parent 5: sc m1 400000bit d 30.0ms m2 128000bit
     Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
     rate 0bit 0pps backlog 0b 0p requeues 0
     period 0 level 0

    class hfsc 5:2 parent 5: ls m1 60000Kbit d 2.0s m2 60000Kbit ul m1 60000Kbit d 2.0s m2 60000Kbit
     Sent 566530 bytes 8797 pkt (dropped 0, overlimits 0 requeues 0)
     rate 0bit 0pps backlog 0b 0p requeues 0
     period 8797 work 566530 bytes level 0

    class hfsc 5:3 parent 5: ls m1 10000Kbit d 2.0s m2 10000Kbit
     Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
     rate 0bit 0pps backlog 0b 0p requeues 0
     period 0 level 0

    class hfsc 5:510 parent 5: sc m1 400000bit d 30.0ms m2 128000bit
     Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
     rate 0bit 0pps backlog 0b 0p requeues 0
     period 0 level 0

    class hfsc 5:511 parent 5: sc m1 2560Kbit d 2.0s m2 480000bit ul m1 2560Kbit d 2.0s m2 1920Kbit
     Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
     rate 0bit 0pps backlog 0b 0p requeues 0
     period 0 level 0

    class hfsc 5:512 parent 5: ls m1 960000bit d 2.0s m2 960000bit
     Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
     rate 0bit 0pps backlog 0b 0p requeues 0
     period 0 level 0

You'll notice that the iptables rules show matches for class 5:510, 5:511, and others; yet, the only class taking traffic here is 5:2. Now, this proves that options 2 & 3 above are not the case. That leaves:

1) The skb->priority field is blank when this function starts
4) The handle and class specified in the skb->priority field is not a leaf node
5) The code elsewhere in tc is messed up.

As for option #4, we can show that there are no children for the class by also taking a look at the qdiscs for the interface:

    qdisc hfsc 5: default 2
     Sent 593904 bytes 9198 pkt (dropped 0, overlimits 0 requeues 0)
     rate 0bit 0pps backlog 0b 0p requeues 0

Well, there is only 1 qdisc. Since there are no other classes listed that say they are a child of 5:510 or 5:511, then obviously 5:510 must be a leaf node. Thus, option #4 is negated.

Does anyone have any clues on this?

Thanks.
Eliot Gable
Certified Wireless Network Administrator (CWNA)
Certified Wireless Security Professional (CWSP)
Cisco Certified Network Associate (CCNA)
CompTIA Security+ Certified
CompTIA Network+ Certified
Network and System Engineer
Great Lakes Internet, Inc.
112 North Howard
Croswell, MI 48422
(810) 679-3395
(877) 558-8324

Now offering Broadband Wireless Internet access in Croswell, Lexington, Brown City, Yale, Worth Township, and Sandusky. Call for details.

-----Original Message-----
From: Jody Shumaker [mailto:jody.shumaker@gmail.com]
Sent: Tuesday, May 23, 2006 12:33 AM
To: Eliot, Wireless and Server Administrator, Great Lakes Internet
Cc: Andreas Unterkircher; lartc@mailman.ds9a.nl
Subject: Re: [LARTC] iptables CLASSIFY and MARK not working?

On 5/22/06, Eliot, Wireless and Server Administrator, Great Lakes Internet wrote:
> You were exactly right here. Moving to the filters instead of the
> iptables classify solved the issue. As for performance, I have not yet
> benchmarked it to determine if the filters are fast enough for the
> number of users I need this to support.
>
> And makes me wonder if its a bug or a design choice that iptables classify doesn't handle this.

If the performance isn't acceptable, you might want to look into that. Or look into tc filters and hashing which can improve performance depending on the filters.

- Jody
From: jasonb at edseek.com (Jason Boxman)
Date: Tue May 30 21:49:09 2006
Subject: [LARTC] iptables CLASSIFY and MARK not working?
In-Reply-To: <0633E0EDB4F25F43A2D7179CA11FAFAB2553F9@xavier.staff.greatlakes.net>
References: <0633E0EDB4F25F43A2D7179CA11FAFAB2553F9@xavier.staff.greatlakes.net>
Message-ID: <43871.216.134.200.78.1149018548.squirrel@nebula.internal.foo>

Eliot, Wireless and Server Administrator, Great Lakes Internet wrote:
>
> Ok, I ran into a different issue with using the tc filters which
> basically puts me right back to using the iptables classify target --
> which means that I am running right back into the same problem I was on
> before.
>
> qdisc hfsc 5: default 2
> Sent 593904 bytes 9198 pkt (dropped 0, overlimits 0 requeues 0)
> rate 0bit 0pps backlog 0b 0p requeues 0

default 2 is why the traffic is ending up in 5:2.

> Well, there is only 1 qdisc. Since there are no other classes listed
> that say they are a child of 5:510 or 5:511, then obviously 5:510 must
> be a leaf node. Thus, option #4 is negated.
>
> Does anyone have any clues on this?

You may try assigning traffic to leaf qdiscs hanging off the leaf classes on your hierarchy. So, give 5:510 a pfifo or something to test with and target that ID instead.
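The classification order Eliot paraphrases from hfsc_classify()/htb_classify(), together with the fall-through to the qdisc's "default" class that Jason points at, as an added Python model (not code from the thread or the kernel). The handle arithmetic follows TC_H_MAKE/TC_H_MAJ from linux/pkt_sched.h and the hex "maj:min" parsing that both iptables CLASSIFY (sscanf "%x:%x") and tc use; the class tree is constructed to resemble the posted "tc class show dev wivl4" output, plus one constructed inner class 5:100 with a child 5:101 so the leaf check has something to reject.

```python
"""Model of the skb->priority -> class decision (added example, not kernel code)."""

TC_H_MAJ_MASK = 0xFFFF0000
TC_H_MIN_MASK = 0x0000FFFF


def tc_h_make(maj, mnr):
    """TC_H_MAKE: major number in the upper 16 bits, minor in the lower 16."""
    return ((maj << 16) & TC_H_MAJ_MASK) | (mnr & TC_H_MIN_MASK)


def tc_h_maj(handle):
    return handle & TC_H_MAJ_MASK


def tc_h_min(handle):
    return handle & TC_H_MIN_MASK


def parse_classid(text):
    """Parse 'maj:min' as iptables CLASSIFY and tc do: both halves are hex."""
    maj, _, mnr = text.partition(":")
    return tc_h_make(int(maj, 16), int(mnr or "0", 16))


def fmt_classid(handle):
    return f"{tc_h_maj(handle) >> 16:x}:{tc_h_min(handle):x}"


class Qdisc:
    """A classful qdisc: its handle, its default class and a classid -> parent map."""

    def __init__(self, kind, major, default_minor, classes):
        self.kind = kind                          # "hfsc" or "htb"
        self.handle = tc_h_make(major, 0)         # e.g. 5:0 for 'qdisc hfsc 5:'
        self.default = tc_h_make(major, default_minor)
        self.parent = {parse_classid(c): parse_classid(p) for c, p in classes}

    def is_leaf(self, classid):
        # cl->level == 0 in the kernel: the class exists and has no children
        return classid in self.parent and classid not in self.parent.values()

    def classify(self, skb_priority, filter_result=None):
        """Return (classid, reason) for a packet carrying skb_priority.

        filter_result stands in for what the attached tc filters would return
        (None when no filter matches)."""
        # Step 1: TC_H_MAJ(skb->priority ^ sch->handle) == 0, i.e. is it ours?
        if tc_h_maj(skb_priority ^ self.handle) == 0:
            if self.kind == "htb" and skb_priority == self.handle:
                return self.handle, "X:0 selects the HTB direct queue"
            if self.is_leaf(skb_priority):
                return skb_priority, "skb->priority names a leaf class"
            if skb_priority in self.parent:
                reason = "named class is not a leaf"
            else:
                reason = "no class with that id"
        else:
            reason = "major number does not match this qdisc"
        # Step 2: the filters attached to the qdisc get their turn.
        if filter_result is not None:
            return filter_result, f"{reason}; tc filter matched"
        # Step 3: nothing matched, so the qdisc's 'default N' class takes it.
        return self.default, f"{reason}; fell through to default"


def wivl4():
    """Tree shaped like the posted output: every real class hangs off 5:."""
    posted = [("5:1", "5:"), ("5:2", "5:"), ("5:3", "5:"), ("5:504", "5:"),
              ("5:505", "5:"), ("5:510", "5:"), ("5:511", "5:"), ("5:512", "5:")]
    constructed = [("5:100", "5:"), ("5:101", "5:100")]  # inner class + child
    return Qdisc("hfsc", 5, 2, posted + constructed)


def where_does_it_go(qdisc, set_class):
    """Mimic 'iptables -j CLASSIFY --set-class <set_class>' followed by classify()."""
    classid, reason = qdisc.classify(parse_classid(set_class))
    return fmt_classid(classid), reason


if __name__ == "__main__":
    q = wivl4()
    for target in ("5:510", "1:510", "5:513", "5:100"):
        print(target, "->", *where_does_it_go(q, target))
```

Only a priority that names an existing leaf class of the same qdisc is honoured; a wrong major number, an unknown minor or a non-leaf class all end up in the default class, which is why "default 2" is the first thing to check when counters appear only on 5:2.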
From: luciano at lugmen.org.ar (Luciano Ruete)
Date: Tue May 30 22:04:56 2006
Subject: [LARTC] iptables CLASSIFY and MARK not working?
In-Reply-To: <0633E0EDB4F25F43A2D7179CA11FAFAB2553F9@xavier.staff.greatlakes.net>
References: <0633E0EDB4F25F43A2D7179CA11FAFAB2553F9@xavier.staff.greatlakes.net>
Message-ID: <200605301712.32792.luciano@lugmen.org.ar>

On Tuesday 30 May 2006 16:25, Eliot, Wireless and Server Administrator, Great Lakes Internet wrote:
[snip]
> You'll notice that the iptables rules show matches for class 5:510,
> 5:511, and others; yet, the only class taking traffic here is 5:2.

Just to exhaust possibilities... I think that 5:2 is working cause 0x2==2(decimal), but 0x510!=510(decimal); 0x1fe==510(decimal). In my experience iptables output is in HEX while tc output is in DEC.

So give it a try with tc class==510, iptables MARK==1fe, and so on...

--
Luciano
From: support8 at greatlakes.net (Eliot, Wireless and Server Administrator, Great Lakes Internet) Date: Tue May 30 22:10:19 2006 Subject: [LARTC] iptables CLASSIFY and MARK not working? Message-ID: <0633E0EDB4F25F43A2D7179CA11FAFAB255401@xavier.staff.greatlakes.net> Ok, I tried this: tc qdisc add dev wivl4 parent 5:510 handle 475:0 sfq tc qdisc add dev wivl4 parent 5:511 handle 476:0 sfq tc qdisc add dev wivl4 parent 5:512 handle 477:0 sfq iptables -A POSTROUTING -t mangle -o wivl4 -m mark --mark 510 -j CLASSIFY --set-class 475:0 iptables -A POSTROUTING -t mangle -o wivl4 -m mark --mark 511 -j CLASSIFY --set-class 476:0 iptables -A POSTROUTING -t mangle -o wivl4 -m mark --mark 512 -j CLASSIFY --set-class 477:0 Now I have: Chain POSTROUTING (policy ACCEPT 190K packets, 141M bytes) pkts bytes target prot opt in out source destination 1593 65864 CLASSIFY all -- * br1 0.0.0.0/0 0.0.0.0/0 MARK match 0x1fe CLASSIFY set 455:0 0 0 CLASSIFY all -- * br1 0.0.0.0/0 0.0.0.0/0 MARK match 0x1ff CLASSIFY set 456:0 0 0 CLASSIFY all -- * br1 0.0.0.0/0 0.0.0.0/0 MARK match 0x200 CLASSIFY set 457:0 2323 3226K CLASSIFY all -- * wivl4 0.0.0.0/0 0.0.0.0/0 MARK match 0x1fe CLASSIFY set 475:0 0 0 CLASSIFY all -- * wivl4 0.0.0.0/0 0.0.0.0/0 MARK match 0x1ff CLASSIFY set 476:0 0 0 CLASSIFY all -- * wivl4 0.0.0.0/0 0.0.0.0/0 MARK match 0x200 CLASSIFY set 477:0 So, packets are still matching and being sent to 475:0. 
But, I get this in my tc output:

wireless-r1 bwlimit # tc -s qdisc show dev wivl4
qdisc hfsc 5: default 2
 Sent 5632424 bytes 4070 pkt (dropped 6, overlimits 7 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 475: parent 5:510 limit 128p quantum 1514b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 476: parent 5:511 limit 128p quantum 1514b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 477: parent 5:512 limit 128p quantum 1514b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 469: parent 5:504 limit 128p quantum 1514b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 470: parent 5:505 limit 128p quantum 1514b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

wireless-r1 bwlimit # tc -s class show dev wivl4
class hfsc 5: root
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 0 level 1
class hfsc 5:505 parent 5: leaf 470: sc m1 160000bit d 2.0s m2 0bit ul m1 160000bit d 2.0s m2 0bit
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 0 level 0
class hfsc 5:1 parent 5: sc m1 0bit d 2.6ms m2 30000Kbit
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 0 level 0
class hfsc 5:504 parent 5: leaf 469: sc m1 400000bit d 30.0ms m2 128000bit
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 0 level 0
class hfsc 5:2 parent 5: ls m1 60000Kbit d 2.0s m2 60000Kbit ul m1 60000Kbit d 2.0s m2 60000Kbit
 Sent 8104251 bytes 6064 pkt (dropped 7, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 6064 work 8104251 bytes level 0
class hfsc 5:3 parent 5: ls m1 10000Kbit d 2.0s m2 10000Kbit
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 0 level 0
class hfsc 5:510 parent 5: leaf 475: sc m1 400000bit d 30.0ms m2 128000bit
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 0 level 0
class hfsc 5:511 parent 5: leaf 476: sc m1 2560Kbit d 2.0s m2 480000bit ul m1 2560Kbit d 2.0s m2 1920Kbit
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 0 level 0
class hfsc 5:512 parent 5: leaf 477: ls m1 960000bit d 2.0s m2 960000bit
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 0 level 0

So, nothing is hitting 475:0, and everything is still hitting 5:2. As I understand it, the default class is only used for packets that are not explicitly given a class. It should not be overriding explicitly set classes.

Eliot Gable
Certified Wireless Network Administrator (CWNA)
Certified Wireless Security Professional (CWSP)
Cisco Certified Network Associate (CCNA)
CompTIA Security+ Certified
CompTIA Network+ Certified
Network and System Engineer
Great Lakes Internet, Inc.
112 North Howard
Croswell, MI 48422
(810) 679-3395
(877) 558-8324

Now offering Broadband Wireless Internet access in Croswell, Lexington, Brown City, Yale, Worth Township, and Sandusky. Call for details.

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Jason Boxman
Sent: Tuesday, May 30, 2006 3:49 PM
To: lartc@mailman.ds9a.nl
Subject: RE: [LARTC] iptables CLASSIFY and MARK not working?

Eliot, Wireless and Server Administrator, Great Lakes Internet wrote:
>
> Ok, I ran into a different issue with using the tc filters which
> basically puts me right back to using the iptables classify target --
> which means that I am running right back into the same problem I was on
> before.
>
>
> qdisc hfsc 5: default 2
> Sent 593904 bytes 9198 pkt (dropped 0, overlimits 0 requeues 0)
> rate 0bit 0pps backlog 0b 0p requeues 0

default 2 is why the traffic is ending up in 5:2.

>
> Well, there is only 1 qdisc. Since there are no other classes listed
> that say they are a child of 5:510 or 5:511, then obviously 5:510 must
> be a leaf node. Thus, option #4 is negated.
>
> Does anyone have any clues on this?

You may try assigning traffic to leaf qdiscs hanging off the leaf classes on your hierarchy. So, give 5:510 a pfifo or something to test with and target that ID instead.

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From support8 at greatlakes.net Tue May 30 22:19:19 2006
From: support8 at greatlakes.net (Eliot, Wireless and Server Administrator, Great Lakes Internet)
Date: Tue May 30 22:16:12 2006
Subject: [LARTC] iptables CLASSIFY and MARK not working?
Message-ID: <0633E0EDB4F25F43A2D7179CA11FAFAB255402@xavier.staff.greatlakes.net>

From iptables libipt_classify.c:

static void
print_class(unsigned int priority, int numeric)
{
	printf("%x:%x ", TC_H_MAJ(priority)>>16, TC_H_MIN(priority));
}

/* Prints out the targinfo. */
static void
print(const struct ipt_ip *ip,
      const struct ipt_entry_target *target,
      int numeric)
{
	const struct ipt_classify_target_info *clinfo =
		(const struct ipt_classify_target_info *)target->data;
	printf("CLASSIFY set ");
	print_class(clinfo->priority, numeric);
}

It does appear to be printing in hex. It also appears to be reading in hex:

int string_to_priority(const char *s, unsigned int *p)
{
	unsigned int i, j;

	if (sscanf(s, "%x:%x", &i, &j) != 2)
		return 1;

	*p = TC_H_MAKE(i<<16, j);
	return 0;
}

So, let's see if that works.

Eliot Gable
Certified Wireless Network Administrator (CWNA)
Certified Wireless Security Professional (CWSP)
Cisco Certified Network Associate (CCNA)
CompTIA Security+ Certified
CompTIA Network+ Certified
Network and System Engineer
Great Lakes Internet, Inc.
112 North Howard
Croswell, MI 48422
(810) 679-3395
(877) 558-8324

Now offering Broadband Wireless Internet access in Croswell, Lexington, Brown City, Yale, Worth Township, and Sandusky. Call for details.

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Luciano Ruete
Sent: Tuesday, May 30, 2006 4:13 PM
To: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] iptables CLASSIFY and MARK not working?

On Tuesday 30 May 2006 16:25, Eliot, Wireless and Server Administrator, Great Lakes Internet wrote:
[snip]
> You'll notice that the iptables rules show matches for class 5:510,
> 5:511, and others; yet, the only class taking traffic here is 5:2.

Just to exhaust possibilities... I think that 5:2 is working cause 0x2 == 2 (decimal), but 0x510 != 510 (decimal); 0x1fe == 510 (decimal).

In my experience iptables output is in HEX while tc output is in DEC.

So give a try with tc class == 510, iptables MARK == 1fe, and so on...

-- Luciano

From support8 at greatlakes.net Tue May 30 22:25:04 2006
From: support8 at greatlakes.net (Eliot, Wireless and Server Administrator, Great Lakes Internet)
Date: Tue May 30 22:21:51 2006
Subject: [LARTC] iptables CLASSIFY and MARK not working?
Message-ID: <0633E0EDB4F25F43A2D7179CA11FAFAB255403@xavier.staff.greatlakes.net>

Chain POSTROUTING (policy ACCEPT 222K packets, 157M bytes)
 pkts bytes target   prot opt in  out   source     destination
 6401 3653K CLASSIFY all -- *   wivl4 0.0.0.0/0  0.0.0.0/0   MARK match 0x1fe CLASSIFY set 1db:0

It matches like normal, but this time it is pointing to a hex classid.

wireless-r1 bwlimit # tc -s qdisc show dev wivl4
qdisc hfsc 5: default 2
 Sent 18976288 bytes 26059 pkt (dropped 3222, overlimits 5751 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 475: parent 5:510 limit 128p quantum 1514b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 476: parent 5:511 limit 128p quantum 1514b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 477: parent 5:512 limit 128p quantum 1514b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 469: parent 5:504 limit 128p quantum 1514b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 470: parent 5:505 limit 128p quantum 1514b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

But qdisc 475 is still not getting packets. Neither is its parent class:

class hfsc 5:510 parent 5: leaf 475: sc m1 400000bit d 30.0ms m2 128000bit
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 0 level 0

Any other thoughts?
Eliot Gable
Certified Wireless Network Administrator (CWNA)
Certified Wireless Security Professional (CWSP)
Cisco Certified Network Associate (CCNA)
CompTIA Security+ Certified
CompTIA Network+ Certified
Network and System Engineer
Great Lakes Internet, Inc.
112 North Howard
Croswell, MI 48422
(810) 679-3395
(877) 558-8324

Now offering Broadband Wireless Internet access in Croswell, Lexington, Brown City, Yale, Worth Township, and Sandusky. Call for details.

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Eliot, Wireless and Server Administrator, Great Lakes Internet
Sent: Tuesday, May 30, 2006 4:19 PM
To: Luciano Ruete; lartc@mailman.ds9a.nl
Subject: RE: [LARTC] iptables CLASSIFY and MARK not working?

From iptables libipt_classify.c:

static void
print_class(unsigned int priority, int numeric)
{
	printf("%x:%x ", TC_H_MAJ(priority)>>16, TC_H_MIN(priority));
}

/* Prints out the targinfo. */
static void
print(const struct ipt_ip *ip,
      const struct ipt_entry_target *target,
      int numeric)
{
	const struct ipt_classify_target_info *clinfo =
		(const struct ipt_classify_target_info *)target->data;
	printf("CLASSIFY set ");
	print_class(clinfo->priority, numeric);
}

It does appear to be printing in hex. It also appears to be reading in hex:

int string_to_priority(const char *s, unsigned int *p)
{
	unsigned int i, j;

	if (sscanf(s, "%x:%x", &i, &j) != 2)
		return 1;

	*p = TC_H_MAKE(i<<16, j);
	return 0;
}

So, let's see if that works.

Eliot Gable
Certified Wireless Network Administrator (CWNA)
Certified Wireless Security Professional (CWSP)
Cisco Certified Network Associate (CCNA)
CompTIA Security+ Certified
CompTIA Network+ Certified
Network and System Engineer
Great Lakes Internet, Inc.
112 North Howard
Croswell, MI 48422
(810) 679-3395
(877) 558-8324

Now offering Broadband Wireless Internet access in Croswell, Lexington, Brown City, Yale, Worth Township, and Sandusky. Call for details.

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Luciano Ruete
Sent: Tuesday, May 30, 2006 4:13 PM
To: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] iptables CLASSIFY and MARK not working?

On Tuesday 30 May 2006 16:25, Eliot, Wireless and Server Administrator, Great Lakes Internet wrote:
[snip]
> You'll notice that the iptables rules show matches for class 5:510,
> 5:511, and others; yet, the only class taking traffic here is 5:2.

Just to exhaust possibilities... I think that 5:2 is working cause 0x2 == 2 (decimal), but 0x510 != 510 (decimal); 0x1fe == 510 (decimal).

In my experience iptables output is in HEX while tc output is in DEC.

So give a try with tc class == 510, iptables MARK == 1fe, and so on...

-- Luciano

From raju at linux-delhi.org Wed May 31 04:03:52 2006
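The hex-versus-decimal question in this thread comes down to how each tool parses its argument, and the listings above already contain the evidence: the libipt_classify.c snippet reads `--set-class` with `sscanf("%x:%x")`, and `--mark 510` is echoed back by iptables as `0x1fe`, because the mark match parses its argument with strtoul() and base 0 (decimal unless prefixed with 0x). tc reads and prints class ids in hex as well, so `5:510` names minor 0x510 on both sides. The following is an added example, written for this archive and not code from the thread, from iptables or from iproute2; it mirrors the kernel's TC_H_* handle macros (copied from linux/pkt_sched.h), parses both kinds of argument the way the tools do, and adds the check that matters for a CLASSIFY target: the classful qdiscs (HTB, HFSC) only honour a priority whose major number equals their own handle, so a leaf qdisc handle such as 475:0 or 1db:0 can never select a class of qdisc 5: and the packet goes to the default class. The function names are mine.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Handle layout, copied from the kernel's linux/pkt_sched.h: the upper 16 bits
 * are the major (qdisc) number, the lower 16 bits the minor (class) number. */
#define TC_H_MAJ_MASK 0xFFFF0000U
#define TC_H_MIN_MASK 0x0000FFFFU
#define TC_H_MAJ(h)         ((h) & TC_H_MAJ_MASK)
#define TC_H_MIN(h)         ((h) & TC_H_MIN_MASK)
#define TC_H_MAKE(maj, min) (((maj) & TC_H_MAJ_MASK) | ((min) & TC_H_MIN_MASK))
#define TC_H_UNSPEC 0U   /* "no class"; also used here as the parse-failure value */

/* Parse "maj:min" with both halves in hex, as iptables CLASSIFY (the sscanf
 * shown in the thread) and tc both do. Returns TC_H_UNSPEC on any error. */
unsigned int parse_classid(const char *s)
{
    unsigned int maj, min;
    char extra;

    if (sscanf(s, "%x:%x%c", &maj, &min, &extra) != 2)
        return TC_H_UNSPEC;              /* no colon, no digits, or trailing junk */
    if (maj > 0xFFFFU || min > 0xFFFFU)
        return TC_H_UNSPEC;              /* does not fit the 16/16 layout */
    return TC_H_MAKE(maj << 16, min);
}

/* Render a handle the way both tools print it: "%x:%x". Static buffer, not reentrant. */
const char *format_classid(unsigned int h)
{
    static char buf[16];
    snprintf(buf, sizeof buf, "%x:%x", TC_H_MAJ(h) >> 16, TC_H_MIN(h));
    return buf;
}

/* Parse an iptables --mark argument. strtoul() with base 0 is the whole point:
 * "510" is decimal and "0x1fe" is hex, and both name the same mark. Returns -1 on error. */
long long parse_mark(const char *s)
{
    char *end;
    unsigned long v;

    errno = 0;
    v = strtoul(s, &end, 0);
    if (errno != 0 || end == s || *end != '\0' || v > 0xFFFFFFFFUL)
        return -1;
    return (long long)v;
}

/* A CLASSIFY target selects a class of a classful qdisc only when the major half
 * of the id equals that qdisc's handle (HTB and HFSC check this before looking the
 * class up); otherwise the packet falls through to the qdisc's default class. */
int classify_lands_in_qdisc(unsigned int classid, unsigned int qdisc_handle)
{
    return classid != TC_H_UNSPEC && TC_H_MAJ(classid) == TC_H_MAJ(qdisc_handle);
}

int main(void)
{
    unsigned int hfsc = parse_classid("5:0");   /* handle of the root hfsc qdisc in the thread */
    const char *targets[] = { "5:510", "475:0", "1db:0" };   /* the --set-class values tried above */
    size_t i;

    printf("--mark 510 is 0x%llx, --mark 0x1fe is 0x%llx\n",
           parse_mark("510"), parse_mark("0x1fe"));
    for (i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        unsigned int id = parse_classid(targets[i]);
        printf("--set-class %-6s -> %s (major 0x%x): %s\n", targets[i], format_classid(id),
               TC_H_MAJ(id) >> 16,
               classify_lands_in_qdisc(id, hfsc) ? "a class of qdisc 5:"
                                                 : "not a class of qdisc 5:, default class used");
    }
    return 0;
}
```

The practical check this encodes: when a CLASSIFY rule shows matches but the class statistics stay at zero, compare the major half of the `--set-class` value with the handle of the classful qdisc on the outgoing interface before suspecting the mark values.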
From: raju at linux-delhi.org (Raj Mathur)
Date: Wed May 31 04:04:31 2006
Subject: [LARTC] Problems with Routing and Masquerading
In-Reply-To: <38392.216.134.200.78.1149006186.squirrel@nebula.internal.foo>
References: <447C5773.3000608@multitech.co.in> <200605301315.43331.luciano@lugmen.org.ar> <38392.216.134.200.78.1149006186.squirrel@nebula.internal.foo>
Message-ID: <17532.63880.631947.55928@mail.linux-delhi.org>

>>>>> "Jason" == Jason Boxman writes:

    Jason> Luciano Ruete wrote:
    >> Besides that, you need to solve the problems that multipath
    >> will arise, like TOS situation described above or route cache
    >> expiration, that could made long term conns to be routed over a
    >> new iface. The solutions i know are CONNMARK(kernel>=2.6.12)
    >> and julian's patches[1]. Personally i prefer CONNMARK.

    Jason> Could you elaborate a little more on the CONNMARK method?

I second that motion -- not too clear on the interaction between SNAT, multiple interfaces, multiple default routes and CONNMARK. If someone could take out the time to make a complete example with (say) 2 outgoing interfaces, I promise a small GPL script in exchange which would automate the whole process.

Actually the script's already made, but it doesn't use CONNMARK and suffers from the problems Jason describes and as documented in:

http://mailman.ds9a.nl/pipermail/lartc/2006q1/018220.html

Regards,

-- Raju

--
Raj Mathur                raju@kandalaya.org      http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
                      It is the mind that moves

From vinod_chandran at multitech.co.in Wed May 31 14:26:31 2006
From: vinod_chandran at multitech.co.in (Vinod Chandran)
Date: Wed May 31 14:34:45 2006
Subject: [LARTC] Problems with Routing and Masquerading
In-Reply-To: <17532.63880.631947.55928@mail.linux-delhi.org>
References: <447C5773.3000608@multitech.co.in> <200605301315.43331.luciano@lugmen.org.ar> <38392.216.134.200.78.1149006186.squirrel@nebula.internal.foo> <17532.63880.631947.55928@mail.linux-delhi.org>
Message-ID: <447D8B77.3060609@multitech.co.in>

Hi,

Thanks Jason for the solution. With CONNMARK, I was able to route the packets properly.

Yeah, the problem was seen only for SSH sessions, I did not see the problem with the Telnet and Ping sessions. TOS could be the answer to that.

The only change I had to do as far as the CONNMARK solution was that in the PREROUTING chain, I had to add the rule with "-i eth0" where eth0 is my LAN, otherwise the return packets were not reaching the box in LAN.

Thanks and Regards,
Vinod C

Raj Mathur wrote:

>>>>>> "Jason" == Jason Boxman writes:
>
>    Jason> Luciano Ruete wrote:
>    >> Besides that, you need to solve the problems that multipath
>    >> will arise, like TOS situation described above or route cache
>    >> expiration, that could made long term conns to be routed over a
>    >> new iface. The solutions i know are CONNMARK(kernel>=2.6.12)
>    >> and julian's patches[1]. Personally i prefer CONNMARK.
>
>    Jason> Could you elaborate a little more on the CONNMARK method?
>
> I second that motion -- not too clear on the interaction between SNAT,
> multiple interfaces, multiple default routes and CONNMARK. If someone
> could take out the time to make a complete example with (say) 2 outgoing
> interfaces, I promise a small GPL script in exchange which would automate
> the whole process.
>
> Actually the script's already made, but it doesn't use CONNMARK and
> suffers from the problems Jason describes and as documented in:
>
> http://mailman.ds9a.nl/pipermail/lartc/2006q1/018220.html
>
> Regards,
>
> -- Raju
>

From fermin.galan at cttc.es Wed May 31 15:02:29 2006
From: fermin.galan at cttc.es (=?iso-8859-1?Q?Ferm=EDn_Gal=E1n_M=E1rquez?=)
Date: Wed May 31 15:02:34 2006
Subject: [LARTC] IPSec tunnels and routing: strange behaviour
Message-ID: <001e01c684b2$7905dbb0$303d5854@cttc.es>

Hello,

My name is Fermín Galán and I'm currently working with IPSec tunnels. Recently, I was setting up an IPSec tunnelling sample scenario (maybe the simplest one :), where I observed some strange behaviour that I would like to describe on the list, just in case somebody knows what the cause can be, please.

The scenario involves four hosts configured in the following way:

C1-(NET1)-R1-(BONE)-R2-(NET2)-C2

NET1: 10.70.1.0/24
BONE: 10.1.1.0/24
NET2: 10.70.3.0/24

Facts:

- C1 (10.70.1.2) is directly connected to R1 (10.70.1.1).
- C2 (10.70.3.2) is directly connected to R2 (10.70.3.1).
- R1 (10.1.1.123) is directly connected to R2 (10.1.1.106).
- Forwarding is enabled in R1 and R2 (I mean, 'echo 1 > /proc/sys/net/ipv4/ip_forward').
- Route in C1: 10.70.3.0/24->10.70.1.1 (I mean, 'route add -net 10.70.3.0/24 gw 10.70.1.1' was executed in C1).
- Route in C2: 10.70.1.0/24->10.70.3.1 (I mean, 'route add -net 10.70.1.0/24 gw 10.70.3.1' was executed in C2).
- Using Linux kernel 2.6.14.2 in all hosts. R1 and R2 use native IPSec support, ipsec-tool version 0.5.2, racoon version 0.5.2.
- An IPSec tunnel is configured R1-R2. Configuration for setkey in R1:

#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 10.70.1.0/24 10.70.3.0/24 any -P out ipsec
    esp/tunnel/10.1.1.123-10.1.1.106/require;
spdadd 10.70.3.0/24 10.70.1.0/24 any -P in ipsec
    esp/tunnel/10.1.1.106-10.1.1.123/require;

  Configuration for setkey in R2:

#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 10.70.1.0/24 10.70.3.0/24 any -P in ipsec
    esp/tunnel/10.1.1.123-10.1.1.106/require;
spdadd 10.70.3.0/24 10.70.1.0/24 any -P out ipsec
    esp/tunnel/10.1.1.106-10.1.1.123/require;

- Using racoon for IKE negotiation based on automatic keying with pre-shared secrets.

The test I performed in this scenario consists of pinging from C1 to C2 (I mean, 'ping 10.70.3.2' executed in C1). When I do so, racoon negotiates the SAs for the tunnel, but the ping doesn't work end to end. I've checked with Ethereal that the ICMP request goes from C1 to R1, R1 sends a packet with ESP payload and this packet is received by R2. However, R2 doesn't de-encapsulate it and forward it to C2.

The strange fact is that if I establish a route in R1 to reach NET2 and another in R2 to reach NET1 (I mean, executing 'route add -net 10.70.3.0/24 gw 10.1.1.106' in R1 and 'route add -net 10.70.1.0/24 gw 10.1.1.123' in R2) the ping works perfectly!

Therefore, it seems that each peer of the tunnel needs to know the routes "behind" the other peer (using that peer as gateway), not for encapsulate-and-forward (note that R1 encapsulates and forwards to R2 properly) but for de-encapsulate-and-forward.

I find this behaviour a bit annoying, because the tunnel definition contains all the routing information (specifying in the setkey configuration the source-destination matching of the packets that will be pushed into the tunnel). Why then does R2 need a route (in the kernel route table) to 10.70.1.0/24 when it de-encapsulates a packet coming from that network?

Maybe my setkey configuration is wrong, my reasoning is wrong or I'm missing something... Please, any help/further test ideas/comments are really welcome in order to understand how tunnels are actually working.

Thanks in advance! :)

Best regards,

--------------------
Fermín Galán Márquez
CTTC - Centre Tecnològic de Telecomunicacions de Catalunya
Parc Mediterrani de la Tecnologia, Av. del Canal Olímpic s/n, 08860 Castelldefels, Spain
Room 1.02
Tel : +34 93 645 29 12
Fax : +34 93 645 29 01
Email address: fermin.galan@cttc.es

From J.Kraaijeveld at Askesis.nl Wed May 31 15:07:46 2006
From: J.Kraaijeveld at Askesis.nl (Joost Kraaijeveld)
Date: Wed May 31 15:07:41 2006
Subject: [LARTC] Routing based on source address
Message-ID: <1149080866.7550.7.camel@localhost>

Hi,

Is it possible to create a routing rule that depends on the source host/network, besides the target host/network?

E.g. route everything from 192.168.0.x to 10.0.0.1, and route everything from 192.168.1.x to 10.0.0.1.

TIA

--
Groeten,

Joost Kraaijeveld
Askesis B.V.
Molukkenstraat 14
6524NB Nijmegen
tel: 024-3888063 / 06-51855277
fax: 024-3608416
web: www.askesis.nl

From erez0001 at gmail.com Wed May 31 16:38:13 2006
From: erez0001 at gmail.com (Erez D)
Date: Wed May 31 16:38:08 2006
Subject: [LARTC] Routing based on source address
In-Reply-To: <1149080866.7550.7.camel@localhost>
References: <1149080866.7550.7.camel@localhost>
Message-ID: <6c32b540605310738h63c4a846qd19dcfe0a781bfa8@mail.gmail.com>

yes, see my posting at http://mailman.ds9a.nl/pipermail/lartc/2006q2/018843.html

erez.

On 5/31/06, Joost Kraaijeveld wrote:
>
> Hi,
>
> Is it possible to create a routing rule that depends on the source
> host/network, besides the target host/network?
>
> E.g. route everything from 192.168.0.x to 10.0.0.1, and route everything
> from 192.168.1.x to 10.0.0.1.
>
> TIA
>
> --
> Groeten,
>
> Joost Kraaijeveld
> Askesis B.V.
> Molukkenstraat 14
> 6524NB Nijmegen
> tel: 024-3888063 / 06-51855277
> fax: 024-3608416
> web: www.askesis.nl
>

From martin at linux-ip.net Wed May 31 17:23:00 2006
From: martin at linux-ip.net (Martin A. Brown)
Date: Wed May 31 17:23:01 2006
Subject: [LARTC] Routing based on source address
In-Reply-To: <1149080866.7550.7.camel@localhost>
References: <1149080866.7550.7.camel@localhost>
Message-ID:

Joost,

 : Is it possible to create a routing rule that depends on the
 : source host/network, besides the target host/network?
 :
 : E.g. route everything from 192.168.0.x to 10.0.0.1, and route
 : everything from 192.168.1.x to 10.0.0.1.

Yes. If I understand your question correctly, you have described a classic case of policy routing. Policy routing allows you to use packet attributes and meta-attributes other than the destination IP/network for route selection.

These documents [0] and [1] are a few years old, but everything described still functions this way. You will want to learn about how to use the routing policy database (RPDB) and then you'll need to create multiple routing tables. The RPDB controls whether and which of the routing tables is selected based on things like Type of Service (ToS), source address, netfilter mark and/or ingress interface.

And here are two tips:

  A. turn off reverse path filtering [2]
  B. think about the return path of packets, too

Forgetting to account for the return path of packets seems to be a commonly encountered problem when implementing policy routing solutions.

I suggest the copy_routing_table shell function [3], which can be run like this:

  # printf "%s %s\n" 5 provider_b >> /etc/iproute2/rt_tables
  # copy_routing_table provider_b

Now, there's an exact copy of the main routing table in the routing table provider_b (number 5). Next step is to change the default route for that routing table:

  # ip route change default table provider_b via 10.0.0.1
  # ip rule add from 192.168.0.0/24 table provider_b
  # ip rule add from 192.168.1.0/24 table provider_b

Good luck,

-Martin

 [0] http://linux-ip.net/html/routing-rpdb.html
 [1] http://linux-ip.net/html/routing-selection.html
 [2] http://lartc.org/howto/lartc.kernel.html#LARTC.KERNEL.RPF
 [3] function for copying a routing table

# - - - - - - - - - - -
copy_routing_table () {
# - - - - - - - - - - -
  #
  # -- accepts at least one parameter:
  #
  #    $1: table identifier for the routing table to create
  #    $2: optional source table identifier (defaults to main)
  #
  test "$#" -lt "1" && return
  DTABLE=$1
  # set STABLE on every call: the variable is global in the calling shell, so a
  # value left over from an earlier call must not be reused when $2 is omitted
  STABLE=${2:-main}

  ip route flush table $DTABLE
  ip route show table $STABLE | while read ROUTE ; do
    ip route add table $DTABLE $ROUTE
  done
}

--
Martin A. Brown
http://linux-ip.net/

From jasonb at edseek.com Wed May 31 17:52:54 2006
From: jasonb at edseek.com (Jason Boxman)
Date: Wed May 31 17:55:36 2006
Subject: [LARTC] Problems with Routing and Masquerading
In-Reply-To: <447D8B77.3060609@multitech.co.in>
References: <447C5773.3000608@multitech.co.in> <200605301315.43331.luciano@lugmen.org.ar> <38392.216.134.200.78.1149006186.squirrel@nebula.internal.foo> <17532.63880.631947.55928@mail.linux-delhi.org> <447D8B77.3060609@multitech.co.in>
Message-ID: <39333.216.134.200.78.1149090774.squirrel@nebula.internal.foo>

Vinod Chandran wrote:
> Hi,
>
> Thanks Jason for the solution. With CONNMARK, I was able to route the
> packets properly.

Cool, but I don't think that was me.

From fermin.galan at cttc.es Wed May 31 20:01:29 2006
From: fermin.galan at cttc.es (=?iso-8859-1?Q?Ferm=EDn_Gal=E1n_M=E1rquez?=)
Date: Wed May 31 20:01:30 2006
Subject: [LARTC] Linux router performance
Message-ID: <004e01c684dc$3dfc3c10$303d5854@cttc.es>

Hi,

I wonder about the performance of a Linux box used as router (I guess I'm not the first :). Although I know it mainly depends on the hardware, I'm trying to find some references on the topic or comparisons with other routing solutions (FreeBSD box used as router, Cisco, etc). For example, http://facweb.cti.depaul.edu/jyu/Publications/Yu-Linux-TSM2004.pdf (although it is related to Linux bridging more than to Linux routing) shows in Figure 14 that with an AMD Duron 1.3GHz 512M RAM a throughput of 90 Mbps can be achieved.

Does anybody know any other similar analysis, please?

Best regards,

--------------------
Fermín Galán Márquez
CTTC - Centre Tecnològic de Telecomunicacions de Catalunya
Parc Mediterrani de la Tecnologia, Av. del Canal Olímpic s/n, 08860 Castelldefels, Spain
Room 1.02
Tel : +34 93 645 29 12
Fax : +34 93 645 29 01
Email address: fermin.galan@cttc.es

From lists at aj.net-lab.net Wed May 31 22:27:10 2006
From: lists at aj.net-lab.net (Andreas John)
Date: Wed May 31 22:27:03 2006
Subject: [LARTC] Linux router performance
In-Reply-To: <004e01c684dc$3dfc3c10$303d5854@cttc.es>
References: <004e01c684dc$3dfc3c10$303d5854@cttc.es>
Message-ID: <447DFC1E.60007@aj.net-lab.net>

Hi,

Maybe: Khan, Sohel; Waheed, Abdul (2003): High Performance Routing on PCs
http://www.ccse.kfupm.edu.sa/~sohel/networking/references/Routing.pdf

A rule of thumb:

- with current COTS hardware and (standard) PCI Bus, you can reach the maximum of the PCI bus bandwidth. That's 1 GB/s, e.g. two NICs with 500 Meg/s each (one in and one out)
- with PCI-X and in the future PCI-express you'll for sure be able to reach more performance. I didn't find a sponsor for a test-lab yet :)
- in DoS scenarios it may get worse :/ It heavily depends on driver type (polling and NAPI preferred). The problem with the performance is _always_ the number of interrupts, nothing else is a bottleneck (well, we didn't talk about thousands of iptables rules yet, but you ask for a 'maximum').
- The question you have to ask in high-performance scenarios is not "MBit/s" but MPPS (megapackets per second). FreeBSD and Linux broke the 1 MPPS barrier some time ago (on dual xeons).

rgds,
Andreas

Fermín Galán Márquez wrote:
> Hi,
>
> I wonder about the performance of a Linux box used as router (I guess I'm
> not the first :). Although I know it mainly depends on the hardware, I'm
> trying to find some references on the topic or comparisons with other
> routing solutions (FreeBSD box used as router, Cisco, etc). For example,
> http://facweb.cti.depaul.edu/jyu/Publications/Yu-Linux-TSM2004.pdf
> (although it is related to Linux bridging more than to Linux routing) shows
> in Figure 14 that with an AMD Duron 1.3GHz 512M RAM a throughput of 90 Mbps
> can be achieved.
>
> Does anybody know any other similar analysis, please?
>
> Best regards,
>
> --------------------
> Fermín Galán Márquez
> CTTC - Centre Tecnològic de Telecomunicacions de Catalunya
> Parc Mediterrani de la Tecnologia, Av. del Canal Olímpic s/n, 08860
> Castelldefels, Spain
> Room 1.02
> Tel : +34 93 645 29 12
> Fax : +34 93 645 29 01
> Email address: fermin.galan@cttc.es
>

From c-d.hailfinger.devel.2006 at gmx.net Thu Jun 1 01:24:32 2006
From: c-d.hailfinger.devel.2006 at gmx.net (Carl-Daniel Hailfinger)
Date: Thu Jun 1 01:26:44 2006
Subject: [LARTC] Linux router performance
In-Reply-To: <004e01c684dc$3dfc3c10$303d5854@cttc.es>
References: <004e01c684dc$3dfc3c10$303d5854@cttc.es>
Message-ID: <447E25B0.6030104@gmx.net>

Fermín Galán Márquez wrote:
> Hi,
>
> I wonder about the performance of a Linux box used as router (I guess I'm
> not the first :). Although I know it mainly depends on the hardware, I'm
> trying to find some references on the topic or comparisons with other
> routing solutions (FreeBSD box used as router, Cisco, etc). For example,
> http://facweb.cti.depaul.edu/jyu/Publications/Yu-Linux-TSM2004.pdf
> (although it is related to Linux bridging more than to Linux routing) shows
> in Figure 14 that with an AMD Duron 1.3GHz 512M RAM a throughput of 90 Mbps
> can be achieved.

On an AMD Athlon64 3200+ (2 GHz) I was able to saturate 2 PCI-Express gigabit cards (but that was with 1500 byte packets). Never tried more although the box has 6 interfaces capable of gigabit, 4 of them attached via PCI-Express.

Regards,
Carl-Daniel
--
http://www.hailfinger.org/

From gdamjan at mail.net.mk Thu Jun 1 02:34:43 2006
From: gdamjan at mail.net.mk (Damjan)
Date: Thu Jun 1 02:34:38 2006
Subject: [LARTC] Linux router performance
In-Reply-To: <447E25B0.6030104@gmx.net>
References: <004e01c684dc$3dfc3c10$303d5854@cttc.es> <447E25B0.6030104@gmx.net>
Message-ID: <20060601003443.GA27762@legolas.on.net.mk>

> > I wonder about the performance of a Linux box used as router (I guess I'm
> > not the first :). Although I know it mainly depends on the hardware, I'm
> > trying to find some references on the topic or comparisons with other
> > routing solutions (FreeBSD box used as router, Cisco, etc). For example,
> > http://facweb.cti.depaul.edu/jyu/Publications/Yu-Linux-TSM2004.pdf
> > (although it is related to Linux bridging more than to Linux routing) shows
> > in Figure 14 that with an AMD Duron 1.3GHz 512M RAM a throughput of 90 Mbps
> > can be achieved.
>
> On an AMD Athlon64 3200+ (2 GHz) I was able to saturate 2 PCI-Express
> gigabit cards (but that was with 1500 byte packets). Never tried more
> although the box has 6 interfaces capable of gigabit, 4 of them attached
> via PCI-Express.

But that's _only_ 83333 packets/s, isn't it.

--
damjan | ??????

This is my jabber ID --> damjan@bagra.net.mk -- not my mail address, it's a Jabber ID --^ :)

From c-d.hailfinger.devel.2006 at gmx.net Thu Jun 1 02:44:57 2006
From: c-d.hailfinger.devel.2006 at gmx.net (Carl-Daniel Hailfinger)
Date: Thu Jun 1 02:47:07 2006
Subject: [LARTC] Linux router performance
In-Reply-To: <20060601003443.GA27762@legolas.on.net.mk>
References: <004e01c684dc$3dfc3c10$303d5854@cttc.es> <447E25B0.6030104@gmx.net> <20060601003443.GA27762@legolas.on.net.mk>
Message-ID: <447E3889.3040204@gmx.net>

Damjan wrote:
>>> I wonder about the performance of a Linux box used as router (I guess I'm
>>> not the first :). Although I know it mainly depends on the hardware, I'm
>>> trying to find some references on the topic or comparisons with other
>>> routing solutions (FreeBSD box used as router, Cisco, etc). For example,
>>> http://facweb.cti.depaul.edu/jyu/Publications/Yu-Linux-TSM2004.pdf
>>> (although it is related to Linux bridging more than to Linux routing) shows
>>> in Figure 14 that with an AMD Duron 1.3GHz 512M RAM a throughput of 90 Mbps
>>> can be achieved.
>> On an AMD Athlon64 3200+ (2 GHz) I was able to saturate 2 PCI-Express
>> gigabit cards (but that was with 1500 byte packets). Never tried more
>> although the box has 6 interfaces capable of gigabit, 4 of them attached
>> via PCI-Express.
>
> But that's _only_ 83333 packets/s, isn't it.

Hm. How do you arrive at that result? I get twice the numbers.

nic a: 1 gbit in -> nic b: 1 gbit out
nic b: 1 gbit in -> nic a: 1 gbit out
total 2 gbit
2 gbit /(1500*8 bit/frame) ~ 160k packets/s

Please note that I did not test with smaller frame sizes, so 1Mp/s may be possible (I'll test that if I have some spare time).

Regards,
Carl-Daniel
--
http://www.hailfinger.org/

From alex at samad.com.au Thu Jun 1 03:59:31 2006
From: alex at samad.com.au (Alexander Samad)
Date: Thu Jun 1 03:59:32 2006
Subject: [LARTC] Linux router performance
In-Reply-To: <447E3889.3040204@gmx.net>
References: <004e01c684dc$3dfc3c10$303d5854@cttc.es> <447E25B0.6030104@gmx.net> <20060601003443.GA27762@legolas.on.net.mk> <447E3889.3040204@gmx.net>
Message-ID: <20060601015931.GA12493@hufpuf.lan1.hme1.samad.com.au>

On Thu, Jun 01, 2006 at 02:44:57AM +0200, Carl-Daniel Hailfinger wrote:
> Damjan wrote:
> >>> I wonder about the performance of a Linux box used as router (I guess I'm
> >>> not the first :). Although I know it mainly depends on the hardware, I'm
> >>> trying to find some references on the topic or comparisons with other
> >>> routing solutions (FreeBSD box used as router, Cisco, etc). For example,
> >>> http://facweb.cti.depaul.edu/jyu/Publications/Yu-Linux-TSM2004.pdf
> >>> (although it is related with Linux-bridging more than with Linux-routing) shows
> >>> in Figure 14 that with an AMD Duron 1.3GHz 512M RAM a throughput of 90 Mbps
> >>> can be achieved.
> >> On an AMD Athlon64 3200+ (2 GHz) I was able to saturate 2 PCI-Express
> >> gigabit cards (but that was with 1500 byte packets). Never tried more
> >> although the box has 6 interfaces capable of gigabit, 4 of them attached
> >> via PCI-Express.
> >
> > But that's _only_ 83333 packets/s, isn't it?
>
> Hm. How do you arrive at that result? I get twice the numbers.
> nic a: 1 gbit in -> nic b: 1 gbit out
> nic b: 1 gbit in -> nic a: 1 gbit out
> total 2 gbit
> 2 gbit /(1500*8 bit/frame) ~ 160k packets/s
>
> Please note that I did not test with smaller frame sizes, so 1Mp/s
> may be possible (I'll test that if I have some spare time).

What if you test inbound and outbound at the same time? The cards
should be capable of full duplex.

> Regards,
> Carl-Daniel
> --
> http://www.hailfinger.org/
From: c-d.hailfinger.devel.2006 at gmx.net (Carl-Daniel Hailfinger)
Date: Thu Jun 1 04:05:40 2006
Subject: [LARTC] Linux router performance
In-Reply-To: <20060601015931.GA12493@hufpuf.lan1.hme1.samad.com.au>
References: <004e01c684dc$3dfc3c10$303d5854@cttc.es> <447E25B0.6030104@gmx.net> <20060601003443.GA27762@legolas.on.net.mk> <447E3889.3040204@gmx.net> <20060601015931.GA12493@hufpuf.lan1.hme1.samad.com.au>
Message-ID: <447E4AF1.3050009@gmx.net>

Alexander Samad wrote:
> On Thu, Jun 01, 2006 at 02:44:57AM +0200, Carl-Daniel Hailfinger wrote:
>> Damjan wrote:
>>>>> I wonder about the performance of a Linux box used as router (I guess I'm
>>>>> not the first :). Although I know it mainly depends on the hardware, I'm
>>>>> trying to find some references on the topic or comparisons with other
>>>>> routing solutions (FreeBSD box used as router, Cisco, etc). For example,
>>>>> http://facweb.cti.depaul.edu/jyu/Publications/Yu-Linux-TSM2004.pdf
>>>>> (although it is related with Linux-bridging more than with Linux-routing) shows
>>>>> in Figure 14 that with an AMD Duron 1.3GHz 512M RAM a throughput of 90 Mbps
>>>>> can be achieved.
>>>> On an AMD Athlon64 3200+ (2 GHz) I was able to saturate 2 PCI-Express
>>>> gigabit cards (but that was with 1500 byte packets). Never tried more
>>>> although the box has 6 interfaces capable of gigabit, 4 of them attached
>>>> via PCI-Express.
>>> But that's _only_ 83333 packets/s, isn't it?
>> Hm. How do you arrive at that result? I get twice the numbers.
>> nic a: 1 gbit in -> nic b: 1 gbit out
>> nic b: 1 gbit in -> nic a: 1 gbit out
>> total 2 gbit
>> 2 gbit /(1500*8 bit/frame) ~ 160k packets/s
>>
>> Please note that I did not test with smaller frame sizes, so 1Mp/s
>> may be possible (I'll test that if I have some spare time).
>
> What if you test inbound and outbound at the same time? The cards
> should be capable of full duplex.

I tested 1 gbit in and 1 gbit out per nic at the same time. That's
how I arrived at my results.

Regards,
Carl-Daniel
--
http://www.hailfinger.org/
From: alex at samad.com.au (Alexander Samad)
Date: Thu Jun 1 04:21:00 2006
Subject: [LARTC] Linux router performance
In-Reply-To: <447E4AF1.3050009@gmx.net>
References: <004e01c684dc$3dfc3c10$303d5854@cttc.es> <447E25B0.6030104@gmx.net> <20060601003443.GA27762@legolas.on.net.mk> <447E3889.3040204@gmx.net> <20060601015931.GA12493@hufpuf.lan1.hme1.samad.com.au> <447E4AF1.3050009@gmx.net>
Message-ID: <20060601022103.GB12493@hufpuf.lan1.hme1.samad.com.au>

On Thu, Jun 01, 2006 at 04:03:29AM +0200, Carl-Daniel Hailfinger wrote:
> Alexander Samad wrote:
> > On Thu, Jun 01, 2006 at 02:44:57AM +0200, Carl-Daniel Hailfinger wrote:
> >> Damjan wrote:
> >>>>> I wonder about the performance of a Linux box used as router (I guess I'm
> >>>>> not the first :). Although I know it mainly depends on the hardware, I'm
> >>>>> trying to find some references on the topic or comparisons with other
> >>>>> routing solutions (FreeBSD box used as router, Cisco, etc). For example,
> >>>>> http://facweb.cti.depaul.edu/jyu/Publications/Yu-Linux-TSM2004.pdf
> >>>>> (although it is related with Linux-bridging more than with Linux-routing) shows
> >>>>> in Figure 14 that with an AMD Duron 1.3GHz 512M RAM a throughput of 90 Mbps
> >>>>> can be achieved.
> >>>> On an AMD Athlon64 3200+ (2 GHz) I was able to saturate 2 PCI-Express
> >>>> gigabit cards (but that was with 1500 byte packets). Never tried more
> >>>> although the box has 6 interfaces capable of gigabit, 4 of them attached
> >>>> via PCI-Express.
> >>> But that's _only_ 83333 packets/s, isn't it?
> >> Hm. How do you arrive at that result? I get twice the numbers.
> >> nic a: 1 gbit in -> nic b: 1 gbit out
> >> nic b: 1 gbit in -> nic a: 1 gbit out
> >> total 2 gbit
> >> 2 gbit /(1500*8 bit/frame) ~ 160k packets/s
> >>
> >> Please note that I did not test with smaller frame sizes, so 1Mp/s
> >> may be possible (I'll test that if I have some spare time).
> >
> > What if you test inbound and outbound at the same time? The cards
> > should be capable of full duplex.
>
> I tested 1 gbit in and 1 gbit out per nic at the same time. That's
> how I arrived at my results.

Sorry, I might be being very dense on this, but with 2 nics, 1G in and out,
shouldn't that be
4 gbit / (1500*8 bit/frame) ~ 320k packets/s

My presumption is that the nic can send and receive at the same time.

> Regards,
> Carl-Daniel
> --
> http://www.hailfinger.org/
From: c-d.hailfinger.devel.2006 at gmx.net (Carl-Daniel Hailfinger)
Date: Thu Jun 1 06:54:26 2006
Subject: [LARTC] Linux router performance
In-Reply-To: <20060601022103.GB12493@hufpuf.lan1.hme1.samad.com.au>
References: <004e01c684dc$3dfc3c10$303d5854@cttc.es> <447E25B0.6030104@gmx.net> <20060601003443.GA27762@legolas.on.net.mk> <447E3889.3040204@gmx.net> <20060601015931.GA12493@hufpuf.lan1.hme1.samad.com.au> <447E4AF1.3050009@gmx.net> <20060601022103.GB12493@hufpuf.lan1.hme1.samad.com.au>
Message-ID: <447E7280.703@gmx.net>

Alexander Samad wrote:
> On Thu, Jun 01, 2006 at 04:03:29AM +0200, Carl-Daniel Hailfinger wrote:
>> Alexander Samad wrote:
>>> On Thu, Jun 01, 2006 at 02:44:57AM +0200, Carl-Daniel Hailfinger wrote:
>>>> Damjan wrote:
>>>>>>> I wonder about the performance of a Linux box used as router (I guess I'm
>>>>>>> not the first :). Although I know it mainly depends on the hardware, I'm
>>>>>>> trying to find some references on the topic or comparisons with other
>>>>>>> routing solutions (FreeBSD box used as router, Cisco, etc). For example,
>>>>>>> http://facweb.cti.depaul.edu/jyu/Publications/Yu-Linux-TSM2004.pdf
>>>>>>> (although it is related with Linux-bridging more than with Linux-routing) shows
>>>>>>> in Figure 14 that with an AMD Duron 1.3GHz 512M RAM a throughput of 90 Mbps
>>>>>>> can be achieved.
>>>>>> On an AMD Athlon64 3200+ (2 GHz) I was able to saturate 2 PCI-Express
>>>>>> gigabit cards (but that was with 1500 byte packets). Never tried more
>>>>>> although the box has 6 interfaces capable of gigabit, 4 of them attached
>>>>>> via PCI-Express.
>>>>> But that's _only_ 83333 packets/s, isn't it?
>>>> Hm. How do you arrive at that result? I get twice the numbers.
>>>> nic a: 1 gbit in -> nic b: 1 gbit out
>>>> nic b: 1 gbit in -> nic a: 1 gbit out
>>>> total 2 gbit
>>>> 2 gbit /(1500*8 bit/frame) ~ 160k packets/s
>>>>
>>>> Please note that I did not test with smaller frame sizes, so 1Mp/s
>>>> may be possible (I'll test that if I have some spare time).
>>> What if you test inbound and outbound at the same time? The cards
>>> should be capable of full duplex.
>> I tested 1 gbit in and 1 gbit out per nic at the same time. That's
>> how I arrived at my results.
> Sorry, I might be being very dense on this, but with 2 nics, 1G in and out,
> shouldn't that be
> 4 gbit / (1500*8 bit/frame) ~ 320k packets/s

No, because you can count each packet passing through the router only
once. If the machine works as a router, each entering packet also has to
leave, so if the router has 2 interfaces A+B, you can have 1 Gbit from A
to B and 1 Gbit from B to A.
Your calculation would be correct if the machine is a server and
generates and consumes all traffic locally.

> My presumption is that the nic can send and receive at the same time.

Yes.

Regards,
Carl-Daniel
--
http://www.hailfinger.org/
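The packet-rate accounting argued over in the exchange above, as an added example in Python (not code from the thread). It computes each figure that was quoted (Damjan's 83333, Carl-Daniel's ~160k, Alexander's ~320k) from the same assumptions and generalises the point: a router touches each forwarded packet once, so its forwarding rate is bounded by the smaller of aggregate ingress and aggregate egress capacity, never by their sum. Frame sizes are treated the way the thread treats them (1500 bytes, no layer-2 overhead); the minimum-frame case adds the 20 bytes of preamble and inter-frame gap that occupy the wire, an assumption of this example rather than something the thread measured.

```python
"""Packet-rate accounting for a Linux router.

Added example, not code from the thread.  It reproduces the arithmetic in
the exchange above and generalises it: a router handles each forwarded
packet exactly once (one ingress slot, one egress slot), so its forwarding
rate is bounded by the smaller of aggregate ingress and aggregate egress
capacity, never by their sum.  Frame sizes are treated the way the thread
treats them (1500 bytes, no layer-2 overhead) unless an overhead is given.
"""

# Bytes that occupy the wire around every Ethernet frame but are not part
# of it: 7-byte preamble + 1-byte SFD, and the 12-byte inter-frame gap.
ETH_PREAMBLE_IFG = 8 + 12

GBIT = 1_000_000_000


def frames_per_second(link_bps, frame_bytes, wire_overhead=0):
    """Frames per second that ONE direction of ONE link can carry."""
    return link_bps / ((frame_bytes + wire_overhead) * 8)


def forwarding_bound_pps(ingress_bps, egress_bps, frame_bytes, wire_overhead=0):
    """Upper bound on packets/s a router can forward.

    ingress_bps and egress_bps map interface name -> offered load (bit/s) in
    that direction.  A forwarded packet is counted once: it needs an ingress
    slot and an egress slot, so min(total in, total out) is the ceiling.
    """
    bits_per_frame = (frame_bytes + wire_overhead) * 8
    return min(sum(ingress_bps.values()), sum(egress_bps.values())) / bits_per_frame


def host_bound_pps(link_bps, n_ifaces, frame_bytes, wire_overhead=0):
    """Packets/s an end host that generates and consumes all traffic itself
    could touch: both directions of every link count.  This is the 4 Gbit
    reasoning, which applies to a server but not to a router."""
    return 2 * n_ifaces * frames_per_second(link_bps, frame_bytes, wire_overhead)


def thread_figures():
    """The numbers from the exchange above, computed rather than quoted."""
    both_ways_in = {"a": GBIT, "b": GBIT}    # 1 Gbit A->B and 1 Gbit B->A
    both_ways_out = {"a": GBIT, "b": GBIT}
    one_way_in = {"a": GBIT, "b": 0}         # all traffic entering on A ...
    one_way_out = {"a": 0, "b": GBIT}        # ... and leaving on B
    return {
        "one link, one direction": round(frames_per_second(GBIT, 1500)),
        "router, A<->B both ways": round(forwarding_bound_pps(both_ways_in, both_ways_out, 1500)),
        "router, A->B only": round(forwarding_bound_pps(one_way_in, one_way_out, 1500)),
        "host sourcing and sinking everything": round(host_bound_pps(GBIT, 2, 1500)),
        # Minimum-size frames (64 bytes incl. header and FCS) plus real wire overhead.
        "router, 64-byte frames": round(
            forwarding_bound_pps(both_ways_in, both_ways_out, 64, ETH_PREAMBLE_IFG)),
    }


if __name__ == "__main__":
    for label, pps in thread_figures().items():
        print(f"{label:40s} {pps:>10,d} pps")
```

The "A->B only" row is the one to keep in mind when sizing a box: if traffic is asymmetric, the bound collapses to a single link's worth of frames, the same 83333 that started the argument.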
From: andrew.lyon at josims.com (Andrew Lyon)
Date: Thu Jun 1 10:50:02 2006
Subject: [LARTC] Linux router performance
Message-ID: <592F914D209FD942908826DFF2277A2D020543B6@COMMSSERVER>

> On an AMD Athlon64 3200+ (2 GHz) I was able to saturate 2 PCI-Express
> gigabit cards (but that was with 1500 byte packets). Never tried more
> although the box has 6 interfaces capable of gigabit, 4 of them attached
> via PCI-Express.

What NICs are you using? Are they multiport or do you have several
PCI-Express single-port cards?

Andy

Registered Office: J.O. Sims Ltd, Pudding Lane, Pinchbeck, Spalding, Lincs. PE11 3TJ
Company reg No: 2084187 Vat reg No: GB 437 4621 47
Tel: +44 (0) 1775 842100 Fax: +44 (0) 1775 842101
Web: www.josims.com Email: enquiries@josims.com
From: vinod_chandran at multitech.co.in (Vinod Chandran)
Date: Thu Jun 1 11:40:18 2006
Subject: [LARTC] Problems with Routing and Masquerading
In-Reply-To: <39333.216.134.200.78.1149090774.squirrel@nebula.internal.foo>
References: <447C5773.3000608@multitech.co.in> <200605301315.43331.luciano@lugmen.org.ar> <38392.216.134.200.78.1149006186.squirrel@nebula.internal.foo> <17532.63880.631947.55928@mail.linux-delhi.org> <447D8B77.3060609@multitech.co.in> <39333.216.134.200.78.1149090774.squirrel@nebula.internal.foo>
Message-ID: <447EB335.6080708@multitech.co.in>

Oh yeah, my bad! Thanks Luciano for the solution.

Regards,
Vinod C

Jason Boxman wrote:
> Vinod Chandran wrote:
>> Hi,
>>
>> Thanks Jason for the solution. With CONNMARK, I was able to route the
>> packets properly.
>
> Cool, but I don't think that was me.
From: list at datapart-as.no (Ronny Aasen)
Date: Thu Jun 1 13:23:17 2006
Subject: [LARTC] Linux router performance
In-Reply-To: <447DFC1E.60007@aj.net-lab.net>
References: <004e01c684dc$3dfc3c10$303d5854@cttc.es> <447DFC1E.60007@aj.net-lab.net>
Message-ID: <1149160991.15222.11.camel@ronny-work.gaupne01.local>

On Wed, 2006-05-31 at 22:27 +0200, Andreas John wrote:
> Hi,
>
> Maybe:
> Khan, Sohel; Waheed, Abdul (2003): High Performance Routing on PCs
> http://www.ccse.kfupm.edu.sa/~sohel/networking/references/Routing.pdf
>
> A rule of thumb:
> - with current COTS hardware and (standard) PCI Bus, you can reach the
> maximum of the PCI bus bandwidth. That's 1 GB/s, e.g. two NICs with 500
> Meg/s each ( one in and one out )
> - with PCI-X and in the future PCI-express you'll for sure be able to
> reach more performance. I didn't find a sponsor for a test-lab yet :)
> - in DoS scenarios it may get worse :/ It heavily depends on driver type
> (polling and NAPI preferred).

Of course preferred. Does a list exist of driver/NIC combos that are known
to support NAPI on Linux on stock kernels?

--
Ronny Aasen
From: c-d.hailfinger.devel.2006 at gmx.net (Carl-Daniel Hailfinger)
Date: Thu Jun 1 13:48:39 2006
Subject: [LARTC] Linux router performance
In-Reply-To: <592F914D209FD942908826DFF2277A2D020543B6@COMMSSERVER>
References: <592F914D209FD942908826DFF2277A2D020543B6@COMMSSERVER>
Message-ID: <447ED394.9080104@gmx.net>

Andrew Lyon wrote:
>> On an AMD Athlon64 3200+ (2 GHz) I was able to saturate 2 PCI-Express
>> gigabit cards (but that was with 1500 byte packets). Never tried more
>> although the box has 6 interfaces capable of gigabit, 4 of them attached
>> via PCI-Express.
>
> What NICs are you using? Are they multiport or do you have several
> PCI-Express single-port cards?

Single-port SK-9E21D with sky2 driver version 0.13a. I'm going to retry
with SK-9E82 dual-port cards soon.

Regards,
Carl-Daniel
--
http://www.hailfinger.org/

From: mainardistefano at gmail.com (Stefano Mainardi)
Date: Thu Jun 1 16:25:12 2006
Subject: [LARTC] For leaf classes is best PFIFO or SFQ?
Message-ID:

Skipped content of type multipart/alternative.
A non-text attachment was scrubbed...
Name: ds-lb-284.gif
Type: image/gif
Size: 11398 bytes
Url: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060601/891a76f6/ds-lb-284.gif
From: mainardistefano at gmail.com (Stefano Mainardi)
Date: Thu Jun 1 16:31:37 2006
Subject: [LARTC] For leaf classes is best PFIFO or SFQ?
Message-ID:

Hi to all,

I'm following this guide (http://www.opalsoft.net/qos/DS-28.htm); it is very
detailed, but I'm a bit confused about the queuing disciplines of the leaf
classes. In this guide the author uses PFIFO (see the scheme that I attached
to the message) in this way:

# tc qdisc add dev eth0 parent 1:21 handle 210: pfifo limit 10
# tc qdisc add dev eth0 parent 1:22 handle 220: pfifo limit 10
# tc qdisc add dev eth0 parent 1:23 handle 230: pfifo limit 10
# tc qdisc add dev eth0 parent 1:24 handle 240: pfifo limit 10
# tc qdisc add dev eth0 parent 1:31 handle 310: pfifo limit 10
# tc qdisc add dev eth0 parent 1:32 handle 320: pfifo limit 10
# tc qdisc add dev eth0 parent 1:33 handle 330: pfifo limit 10
# tc qdisc add dev eth0 parent 1:34 handle 340: pfifo limit 10

But is it not better to use SFQ, like this?

# tc qdisc add dev eth0 parent 1:21 handle 210: sfq perturb 10
# tc qdisc add dev eth0 parent 1:22 handle 220: sfq perturb 10
# tc qdisc add dev eth0 parent 1:23 handle 230: sfq perturb 10
.
.
.

What's the real difference?

Best Regards
--
Stefano Mainardi
Presidente Associazione ILDN - Italian Linux Distro Network
Mobile: 349/3917212
Skype: mainardistefano
IM (ICQ): 250-292-408
Blog: http://www.mainardistefano.org
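The difference the question asks about, shown by simulation. This is an added example, not code from the post or from the guide it cites: toy models of the two leaf qdiscs, fed the same constructed burst (20 packets of one bulk flow followed by 2 packets of an ssh flow) with the guide's limit of 10. pfifo is one queue drained in arrival order and tail-dropped when full; sfq hashes each packet to a per-flow bucket, serves the buckets round-robin and, when full, drops from the longest bucket, so one flow's burst cannot crowd out another's packets. Simplifications assumed here: packet-based rather than byte-quantum round robin, and a keyed BLAKE2 digest standing in for the kernel's perturbed flow hash (the `perturb` method rekeys it, which is what the `perturb 10` timer in the post does every 10 seconds).

```python
"""pfifo versus sfq as leaf qdiscs, simulated.

Added example, not code from the post or from the guide it cites.  Toy
models of the two leaf qdiscs being compared: pfifo is one queue drained in
arrival order and tail-dropped when full; sfq hashes each packet to a
per-flow bucket, serves the buckets round-robin and, when full, drops from
the *longest* bucket, so a burst from one flow cannot crowd out another.
Simplifications: packet-based rather than byte-quantum round robin, and a
keyed BLAKE2 digest standing in for the kernel's perturbed flow hash.  The
packet stream (20 bulk packets, then 2 ssh packets) is constructed.
"""
from collections import OrderedDict, deque
import hashlib

BULK = ("10.0.0.1", "10.0.0.2", 40000, 80)   # (src, dst, sport, dport), constructed
SSH = ("10.0.0.1", "10.0.0.2", 40001, 22)


def flow_packets(flow, n):
    return [{"flow": flow, "seq": i} for i in range(1, n + 1)]


PACKETS = flow_packets(BULK, 20) + flow_packets(SSH, 2)


class PFifo:
    """tc qdisc ... pfifo limit N: one FIFO, new packets dropped when full."""

    def __init__(self, limit):
        self.limit, self.q, self.drops = limit, deque(), 0

    def enqueue(self, pkt):
        if len(self.q) >= self.limit:
            self.drops += 1
            return False
        self.q.append(pkt)
        return True

    def dequeue(self):
        return self.q.popleft() if self.q else None


class Sfq:
    """tc qdisc ... sfq perturb N: per-flow buckets served round-robin."""

    def __init__(self, limit=128, seed=0, nbuckets=1024):
        self.limit, self.seed, self.nbuckets = limit, seed, nbuckets
        self.buckets = OrderedDict()   # bucket id -> deque; order = service order
        self.count = self.drops = 0

    def _bucket(self, pkt):
        # Flow hash keyed by the perturbation seed; perturb() rekeys it so two
        # flows that happen to collide do not stay stuck together forever.
        key = self.seed.to_bytes(8, "big")
        digest = hashlib.blake2b(repr(pkt["flow"]).encode(), key=key, digest_size=2).digest()
        return int.from_bytes(digest, "big") % self.nbuckets

    def perturb(self):
        self.seed += 1

    def enqueue(self, pkt):
        self.buckets.setdefault(self._bucket(pkt), deque()).append(pkt)
        self.count += 1
        if self.count <= self.limit:
            return True
        # Full: drop the tail of the longest bucket, not necessarily this packet.
        longest = max(self.buckets, key=lambda b: len(self.buckets[b]))
        victim = self.buckets[longest].pop()
        self.count -= 1
        self.drops += 1
        return victim is not pkt

    def dequeue(self):
        while self.buckets:
            b, q = next(iter(self.buckets.items()))
            if not q:
                del self.buckets[b]        # idle flow, forget its bucket
                continue
            pkt = q.popleft()
            self.count -= 1
            self.buckets.move_to_end(b)    # next dequeue serves the next flow
            return pkt
        return None


def run(qdisc, packets, flow):
    """Offer `packets` in order, then drain the qdisc.
    Returns ([1-based dequeue positions of `flow`'s packets], packets dropped)."""
    for p in packets:
        qdisc.enqueue(p)
    order = []
    p = qdisc.dequeue()
    while p is not None:
        order.append(p)
        p = qdisc.dequeue()
    positions = [i for i, p in enumerate(order, 1) if p["flow"] == flow]
    return positions, qdisc.drops


def compare(limit=10, seed=0):
    """Same burst through both qdiscs with the guide's limit of 10.
    If the two flows happen to share an sfq bucket (1 chance in 1024),
    perturb (rekey) until they do not, as the perturb timer eventually would."""
    sfq = Sfq(limit, seed)
    while sfq._bucket(PACKETS[0]) == sfq._bucket(PACKETS[-1]):
        sfq.perturb()
    return {"pfifo": run(PFifo(limit), PACKETS, SSH), "sfq": run(sfq, PACKETS, SSH)}


if __name__ == "__main__":
    for name, (positions, drops) in compare().items():
        print(f"{name:5s} ssh packets left at positions {positions}, {drops} packets dropped")
```

Both qdiscs drop the same number of packets here, but pfifo drops the two ssh packets (the bulk burst had already filled the 10-slot queue) while sfq drops only bulk packets and sends the ssh packets out second and fourth. That per-flow fairness is what sfq buys at the leaf; pfifo is cheaper and preserves ordering, which is fine when the class carries a single flow.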
From: support8 at greatlakes.net (Eliot, Wireless and Server Administrator, Great Lakes Internet)
Date: Thu Jun 1 20:10:48 2006
Subject: [LARTC] iptables CLASSIFY and MARK not working?
Message-ID: <0633E0EDB4F25F43A2D7179CA11FAFAB255414@xavier.staff.greatlakes.net>

> On Tuesday 30 May 2006 16:25, Eliot, Wireless and Server Administrator,
> Great Lakes Internet wrote:
> [snip]
> > You'll notice that the iptables rules show matches for class 5:510,
> > 5:511, and others; yet, the only class taking traffic here is 5:2.
>
> just to exhaust possibilities...
>
> i think that 5:2 is working cause
> 0x2==2(decimal), but
> 0x510!=510(decimal)
> 0x1fe==510(decimal)
>
> in my experience iptables output is in HEX while tc output is in DEC
> So give a try with
> tc class==510
> iptables MARK==1fe
> and so on...

Yes, iptables uses HEX:

int string_to_priority(const char *s, unsigned int *p)
{
    unsigned int i, j;

    if (sscanf(s, "%x:%x", &i, &j) != 2)
        return 1;
    *p = TC_H_MAKE(i<<16, j);
    return 0;
}

In fact, not only does iptables use HEX for input/output of these rules, but
so does TC (the strtoul explicitly states base 16):

int get_qdisc_handle(__u32 *h, const char *str)
{
    __u32 maj;
    char *p;

    maj = TC_H_UNSPEC;
    if (strcmp(str, "none") == 0)
        goto ok;
    maj = strtoul(str, &p, 16);
    if (p == str)
        return -1;
    maj <<= 16;
    if (*p != ':' && *p!=0)
        return -1;
ok:
    *h = maj;
    return 0;
}

int get_tc_classid(__u32 *h, const char *str)
{
    __u32 maj, min;
    char *p;

    maj = TC_H_ROOT;
    if (strcmp(str, "root") == 0)
        goto ok;
    maj = TC_H_UNSPEC;
    if (strcmp(str, "none") == 0)
        goto ok;
    maj = strtoul(str, &p, 16);
    if (p == str) {
        maj = 0;
        if (*p != ':')
            return -1;
    }
    if (*p == ':') {
        if (maj >= (1<<16))
            return -1;
        maj <<= 16;
        str = p+1;
        min = strtoul(str, &p, 16);
        if (*p != 0)
            return -1;
        if (min >= (1<<16))
            return -1;
        maj |= min;
    } else if (*p != 0)
        return -1;

ok:
    *h = maj;
    return 0;
}

So, I have updated all my rules to use HEX instead of DEC.

Here are my new rules:

- Creating qdiscs on interfaces
- tc qdisc add dev br1 root handle 1: hfsc default 2
- tc class add dev br1 parent 1:0 classid 1:1 hfsc sc umax 1500b dmax 3ms rate 30Mbit
- tc class add dev br1 parent 1:0 classid 1:2 hfsc ls m1 60Mbit d 2s m2 60Mbit ul m1 60Mbit d 2s m2 60Mbit
- tc class add dev br1 parent 1:0 classid 1:3 hfsc ls m1 10Mbit d 2s m2 10Mbit
- tc qdisc add dev wivl4 root handle 5: hfsc default 2
- tc class add dev wivl4 parent 5:0 classid 5:1 hfsc sc umax 1500b dmax 3ms rate 30Mbit
- tc class add dev wivl4 parent 5:0 classid 5:2 hfsc ls m1 60Mbit d 2s m2 60Mbit ul m1 60Mbit d 2s m2 60Mbit
- tc class add dev wivl4 parent 5:0 classid 5:3 hfsc ls m1 10Mbit d 2s m2 10Mbit
- Starting bandwidth shaping for user
- tc class add dev br1 parent 0x1:0 classid 0x1:0x1FE hfsc sc umax 1500b dmax 30ms rate 128Kbit
- tc class add dev br1 parent 0x1:0 classid 0x1:0x1FF hfsc ls m1 640Kbit d 2000ms m2 128Kbit rt m1 640Kbit d 2000ms m2 128Kbit ul m1 640Kbit d 2000ms m2 512Kbit
- tc class add dev br1 parent 0x1:0 classid 0x1:0x200 hfsc ls m1 256Kbit d 2000ms m2 256Kbit
- tc qdisc add dev br1 parent 0x1:0x1FE handle 0x1C7:0 sfq
- tc qdisc add dev br1 parent 0x1:0x1FF handle 0x1C8:0 sfq
- tc qdisc add dev br1 parent 0x1:0x200 handle 0x1C9:0 sfq
- tc class add dev wivl4 parent 0x5:0 classid 0x5:0x1FE hfsc sc umax 1500b dmax 30ms rate 128Kbit
- tc class add dev wivl4 parent 0x5:0 classid 0x5:0x1FF hfsc ls m1 2560Kbit d 2000ms m2 512Kbit rt m1 2560Kbit d 2000ms m2 512Kbit ul m1 2560Kbit d 2000ms m2 2048Kbit
- tc class add dev wivl4 parent 0x5:0 classid 0x5:0x200 hfsc ls m1 1024Kbit d 2000ms m2 1024Kbit
- tc qdisc add dev wivl4 parent 0x5:0x1FE handle 0x1DB:0 sfq
- tc qdisc add dev wivl4 parent 0x5:0x1FF handle 0x1DC:0 sfq
- tc qdisc add dev wivl4 parent 0x5:0x200 handle 0x1DD:0 sfq
- Adding rules to classify traffic for 00:05:9E:81:3D:07
- iptables -A macfilter -m mac --mac-source 00:05:9E:81:3D:07
- iptables -I macfilter_nat -t nat -m mac --mac-source 00:05:9E:81:3D:07 -j ACCEPT
- Adding rules to flag General traffic
- iptables -A PREROUTING -t mangle -m mac --mac-source 00:05:9E:81:3D:07 -j MARK --set-mark 0x1FF
- iptables -A PREROUTING -t mangle -m mark --mark 0x1FF -j CONNMARK --save-mark
- Adding rules to flag VoIP/Interactive traffic
- iptables -A PREROUTING -t mangle -p udp -m mac --mac-source 00:05:9E:81:3D:07 -m multiport --ports 53,4569,5060,10000:20000 -j MARK --set-mark 510
- iptables -A PREROUTING -t mangle -p tcp -m mac --mac-source 00:05:9E:81:3D:07 -m multiport --ports 22,23,53 -j MARK --set-mark 0x1FE
- iptables -A PREROUTING -t mangle -p icmp -m mac --mac-source 00:05:9E:81:3D:07 -j MARK --set-mark 0x1FE
- iptables -A PREROUTING -t mangle -p tcp --tcp-flags ACK,PSH ACK -m length --length 0:128 -m mac --mac-source 00:05:9E:81:3D:07 -j MARK --set-mark 0x1FE
- iptables -A PREROUTING -t mangle -p udp --dport 53 -m mac --mac-source 00:05:9E:81:3D:07 -j MARK --set-mark 0x1FE
- iptables -A PREROUTING -t mangle -p udp --sport 53 -m mac --mac-source 00:05:9E:81:3D:07 -j MARK --set-mark 0x1FE
- iptables -A PREROUTING -t mangle -m mark --mark 0x1FE -j CONNMARK --save-mark
- Adding rules to flag P2P traffic
- iptables -A PREROUTING -t mangle -m mac --mac-source 00:05:9E:81:3D:07 -m ipp2p --ipp2p -j MARK --set-mark 0x200
- iptables -A PREROUTING -t mangle -m mark --mark 0x200 -j CONNMARK --save-mark
- iptables -I FORWARD -t mangle -m mark --mark 0x1FE -j ACCEPT
- iptables -I FORWARD -t mangle -m mark --mark 0x1FF -j ACCEPT
- iptables -I FORWARD -t mangle -m mark --mark 0x200 -j ACCEPT
- Adding rules to classify traffic on br1
- iptables -A POSTROUTING -t mangle -o br1 -m mark --mark 0x1FE -j CLASSIFY --set-class 0x1C7:0
- iptables -A POSTROUTING -t mangle -o br1 -m mark --mark 0x1FF -j CLASSIFY --set-class 0x1C8:0
- iptables -A POSTROUTING -t mangle -o br1 -m mark --mark 0x200 -j CLASSIFY --set-class 0x1C9:0
- Adding rules to classify traffic on wivl4
- iptables -A POSTROUTING -t mangle -o wivl4 -m mark --mark 0x1FE -j CLASSIFY --set-class 0x1DB:0
- iptables -A POSTROUTING -t mangle -o wivl4 -m mark --mark 0x1FF -j CLASSIFY --set-class 0x1DC:0
- iptables -A POSTROUTING -t mangle -o wivl4 -m mark --mark 0x200 -j CLASSIFY --set-class 0x1DD:0

However, this still does not work:

Chain POSTROUTING (policy ACCEPT 812K packets, 441M bytes)
 pkts bytes target     prot opt in     out     source               destination
 2071  129K CLASSIFY   all  --  *      br1     0.0.0.0/0            0.0.0.0/0           MARK match 0x1fe CLASSIFY set 1c7:0
    2   521 CLASSIFY   all  --  *      br1     0.0.0.0/0            0.0.0.0/0           MARK match 0x1ff CLASSIFY set 1c8:0
    0     0 CLASSIFY   all  --  *      br1     0.0.0.0/0            0.0.0.0/0           MARK match 0x200 CLASSIFY set 1c9:0
 2760 4060K CLASSIFY   all  --  *      wivl4   0.0.0.0/0            0.0.0.0/0           MARK match 0x1fe CLASSIFY set 1db:0
    3   500 CLASSIFY   all  --  *      wivl4   0.0.0.0/0            0.0.0.0/0           MARK match 0x1ff CLASSIFY set 1dc:0
    0     0 CLASSIFY   all  --  *      wivl4   0.0.0.0/0            0.0.0.0/0           MARK match 0x200 CLASSIFY set 1dd:0

wireless-r1 bwlimit # tc -s qdisc show dev wivl4
qdisc hfsc 5: default 2
 Sent 8554815 bytes 7797 pkt (dropped 6, overlimits 13 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 1db: parent 5:1fe limit 128p quantum 1514b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 1dc: parent 5:1ff limit 128p quantum 1514b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 1dd: parent 5:200 limit 128p quantum 1514b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

I am really at a loss here. I am targeting a qdisc directly with the
classify command in iptables. I am using HEX throughout my rule base. The
numbers all line up correctly (iptables classify numbers match a valid
class/qdisc id in tc). Each classid is globally unique (it is used only
once). I am using the latest iptables, the latest tc, and the latest kernel.
I have even verified that both iptables and tc are reading/writing
skb->priority in the code base.

Short of modifying the iptables and tc code in the kernel and in the
userspace programs to print out debugging information, I am not sure what
else to do. Can anyone at least verify that the iptables CLASSIFY target
actually works on their system? That would at least be helpful. And if it
works on your system, can you try pasting my rules into your system and see
if they work?

If anyone else has any more ideas, I would love to entertain them.

Eliot Gable
Certified Wireless Network Administrator (CWNA)
Certified Wireless Security Professional (CWSP)
Cisco Certified Network Associate (CCNA)
CompTIA Security+ Certified
CompTIA Network+ Certified
Network and System Engineer
Great Lakes Internet, Inc.
112 North Howard
Croswell, MI 48422
(810) 679-3395
(877) 558-8324
From: kaber at trash.net (Patrick McHardy)
Date: Thu Jun 1 20:22:33 2006
Subject: [LARTC] iptables CLASSIFY and MARK not working?
In-Reply-To: <0633E0EDB4F25F43A2D7179CA11FAFAB255414@xavier.staff.greatlakes.net>
References: <0633E0EDB4F25F43A2D7179CA11FAFAB255414@xavier.staff.greatlakes.net>
Message-ID: <447F306F.3080708@trash.net>

Eliot, Wireless and Server Administrator, Great Lakes Internet wrote:
> However, this still does not work:
>
> Chain POSTROUTING (policy ACCEPT 812K packets, 441M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  2071  129K CLASSIFY   all  --  *      br1     0.0.0.0/0            0.0.0.0/0           MARK match 0x1fe CLASSIFY set 1c7:0
>     2   521 CLASSIFY   all  --  *      br1     0.0.0.0/0            0.0.0.0/0           MARK match 0x1ff CLASSIFY set 1c8:0
>     0     0 CLASSIFY   all  --  *      br1     0.0.0.0/0            0.0.0.0/0           MARK match 0x200 CLASSIFY set 1c9:0
>  2760 4060K CLASSIFY   all  --  *      wivl4   0.0.0.0/0            0.0.0.0/0           MARK match 0x1fe CLASSIFY set 1db:0
>     3   500 CLASSIFY   all  --  *      wivl4   0.0.0.0/0            0.0.0.0/0           MARK match 0x1ff CLASSIFY set 1dc:0
>     0     0 CLASSIFY   all  --  *      wivl4   0.0.0.0/0            0.0.0.0/0           MARK match 0x200 CLASSIFY set 1dd:0
>
>
> wireless-r1 bwlimit # tc -s qdisc show dev wivl4
> qdisc hfsc 5: default 2
>  Sent 8554815 bytes 7797 pkt (dropped 6, overlimits 13 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
> qdisc sfq 1db: parent 5:1fe limit 128p quantum 1514b
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
> qdisc sfq 1dc: parent 5:1ff limit 128p quantum 1514b
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
> qdisc sfq 1dd: parent 5:200 limit 128p quantum 1514b
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0

I already told you why this doesn't work: you have to classify to the
_classes_, not the qdiscs.
From: support8 at greatlakes.net (Eliot, Wireless and Server Administrator, Great Lakes Internet)
Date: Thu Jun 1 20:46:31 2006
Subject: [LARTC] iptables CLASSIFY and MARK not working?
Message-ID: <0633E0EDB4F25F43A2D7179CA11FAFAB255415@xavier.staff.greatlakes.net>

-----Original Message-----
From: Patrick McHardy [mailto:kaber@trash.net]
Sent: Thursday, June 01, 2006 2:23 PM
To: Eliot, Wireless and Server Administrator, Great Lakes Internet
Cc: lartc@mailman.ds9a.nl; Netfilter Development Mailinglist
Subject: Re: [LARTC] iptables CLASSIFY and MARK not working?

> Eliot, Wireless and Server Administrator, Great Lakes Internet wrote:
> > However, this still does not work:
> >
> > Chain POSTROUTING (policy ACCEPT 812K packets, 441M bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >  2071  129K CLASSIFY   all  --  *      br1     0.0.0.0/0            0.0.0.0/0           MARK match 0x1fe CLASSIFY set 1c7:0
> >     2   521 CLASSIFY   all  --  *      br1     0.0.0.0/0            0.0.0.0/0           MARK match 0x1ff CLASSIFY set 1c8:0
> >     0     0 CLASSIFY   all  --  *      br1     0.0.0.0/0            0.0.0.0/0           MARK match 0x200 CLASSIFY set 1c9:0
> >  2760 4060K CLASSIFY   all  --  *      wivl4   0.0.0.0/0            0.0.0.0/0           MARK match 0x1fe CLASSIFY set 1db:0
> >     3   500 CLASSIFY   all  --  *      wivl4   0.0.0.0/0            0.0.0.0/0           MARK match 0x1ff CLASSIFY set 1dc:0
> >     0     0 CLASSIFY   all  --  *      wivl4   0.0.0.0/0            0.0.0.0/0           MARK match 0x200 CLASSIFY set 1dd:0
> >
> >
> > wireless-r1 bwlimit # tc -s qdisc show dev wivl4
> > qdisc hfsc 5: default 2
> >  Sent 8554815 bytes 7797 pkt (dropped 6, overlimits 13 requeues 0)
> >  rate 0bit 0pps backlog 0b 0p requeues 0
> > qdisc sfq 1db: parent 5:1fe limit 128p quantum 1514b
> >  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
> >  rate 0bit 0pps backlog 0b 0p requeues 0
> > qdisc sfq 1dc: parent 5:1ff limit 128p quantum 1514b
> >  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
> >  rate 0bit 0pps backlog 0b 0p requeues 0
> > qdisc sfq 1dd: parent 5:200 limit 128p quantum 1514b
> >  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
> >  rate 0bit 0pps backlog 0b 0p requeues 0
>
>
> I already told you why this doesn't work, you have to classify to
> the _classes_, not the qdiscs.

These rules make it go to the classes instead of the qdisc:

- Adding rules to classify traffic on br1 ...
- iptables -A POSTROUTING -t mangle -o br1 -m mark --mark 0x1FE -j CLASSIFY --set-class 0x5:0x1FE
- iptables -A POSTROUTING -t mangle -o br1 -m mark --mark 0x1FF -j CLASSIFY --set-class 0x5:0x1FF
- iptables -A POSTROUTING -t mangle -o br1 -m mark --mark 0x200 -j CLASSIFY --set-class 0x5:0x200
- Adding rules to classify traffic on wivl4 ...
- iptables -A POSTROUTING -t mangle -o wivl4 -m mark --mark 0x1FE -j CLASSIFY --set-class 0x5:0x1FE
- iptables -A POSTROUTING -t mangle -o wivl4 -m mark --mark 0x1FF -j CLASSIFY --set-class 0x5:0x1FF
- iptables -A POSTROUTING -t mangle -o wivl4 -m mark --mark 0x200 -j CLASSIFY --set-class 0x5:0x200

Chain POSTROUTING (policy ACCEPT 887K packets, 495M bytes)
 pkts bytes target     prot opt in     out     source               destination
 8662  508K CLASSIFY   all  --  *      br1     0.0.0.0/0            0.0.0.0/0           MARK match 0x1fe CLASSIFY set 5:1fe
   14  8253 CLASSIFY   all  --  *      br1     0.0.0.0/0            0.0.0.0/0           MARK match 0x1ff CLASSIFY set 5:1ff
    0     0 CLASSIFY   all  --  *      br1     0.0.0.0/0            0.0.0.0/0           MARK match 0x200 CLASSIFY set 5:200
  845  222K CLASSIFY   all  --  *      wivl4   0.0.0.0/0            0.0.0.0/0           MARK match 0x1fe CLASSIFY set 5:1fe
   22  5286 CLASSIFY   all  --  *      wivl4   0.0.0.0/0            0.0.0.0/0           MARK match 0x1ff CLASSIFY set 5:1ff
    0     0 CLASSIFY   all  --  *      wivl4   0.0.0.0/0            0.0.0.0/0           MARK match 0x200 CLASSIFY set 5:200

And yet, still nothing hits the classes:

wireless-r1 ~ # tc -s class show dev wivl4
class hfsc 5: root
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 0 level 1
class hfsc 5:1fe parent 5: leaf 1db: sc m1 400000bit d 30.0ms m2 128000bit
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 0 level 0
class hfsc 5:1 parent 5: sc m1 0bit d 2.6ms m2 30000Kbit
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 0 level 0
class hfsc 5:1ff parent 5: leaf 1dc: sc m1 2560Kbit d 2.0s m2 512000bit ul m1 2560Kbit d 2.0s m2 2048Kbit
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 0 level 0
class hfsc 5:2 parent 5: ls m1 60000Kbit d 2.0s m2 60000Kbit ul m1 60000Kbit d 2.0s m2 60000Kbit
 Sent 19906674 bytes 13396 pkt (dropped 9, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 13396 work 19906674 bytes level 0
class hfsc 5:200 parent 5: leaf 1dd: ls m1 1024Kbit d 2.0s m2 1024Kbit
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 0 level 0
class hfsc 5:3 parent 5: ls m1 10000Kbit d 2.0s m2 10000Kbit
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 0 level 0
class hfsc 5:1fa parent 5: leaf 1d7: ls m1 64000bit d 2.0s m2 64000bit
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 0 level 0
class hfsc 5:1f8 parent 5: leaf 1d5: sc m1 400000bit d 30.0ms m2 128000bit
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 0 level 0
class hfsc 5:1f9 parent 5: leaf 1d6: sc m1 160000bit d 2.0s m2 32000bit ul m1 160000bit d 2.0s m2 128000bit
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 0 level 0

wireless-r1 ~ # tc -s class show dev br1
class hfsc 1: root
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 0 level 1
class hfsc 1:1fe parent 1: leaf 1c7: sc m1 400000bit d 30.0ms m2 128000bit
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 0 level 0
class hfsc 1:1 parent 1: sc m1 0bit d 2.6ms m2 30000Kbit
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 0 level 0
class hfsc 1:1ff parent 1: leaf 1c8: sc m1 640000bit d 2.0s m2 128000bit ul m1 640000bit d 2.0s m2 512000bit
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 0 level 0
class hfsc 1:2 parent 1: ls m1 60000Kbit d 2.0s m2 60000Kbit ul m1 60000Kbit d 2.0s m2 60000Kbit
 Sent 856222 bytes 10041 pkt (dropped 13, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 10041 work 856222 bytes level 0
class hfsc 1:200 parent 1: leaf 1c9: ls m1 256000bit d 2.0s m2 256000bit
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 0 level 0
class hfsc 1:3 parent 1: ls m1 10000Kbit d 2.0s m2 10000Kbit
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 0 level 0
class hfsc 1:1fa parent 1: leaf 1c3: ls m1 32000bit d 2.0s m2 32000bit
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 0 level 0
class hfsc 1:1f8 parent 1: leaf 1c1: sc m1 400000bit d 30.0ms m2 128000bit
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 0 level 0
class hfsc 1:1f9 parent 1: leaf 1c2: sc m1 80000bit d 2.0s m2 16000bit ul m1 80000bit d 2.0s m2 64000bit
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 0 level 0

No matter how I write these rules, it always still goes to the default class
(5:2 or 1:2). If this is still wrong, please give me an example of what I
should be writing.

Eliot Gable
Certified Wireless Network Administrator (CWNA)
Certified Wireless Security Professional (CWSP)
Cisco Certified Network Associate (CCNA)
CompTIA Security+ Certified
CompTIA Network+ Certified
Network and System Engineer
Great Lakes Internet, Inc.
112 North Howard
Croswell, MI 48422
(810) 679-3395
(877) 558-8324
From: ramsurrunv at mx.uom.ac.mu (ramsurrunv@mx.uom.ac.mu) Date: Thu Jun 1 20:57:27 2006 Subject: [LARTC] Not understanding network setup!! Message-ID: <1154.202.123.9.97.1149188252.squirrel@mx.uom.ac.mu>

Hi to all,

                  +-------+   eth1   +-------+
                  |       |==========|       |
  'network 1' ----|   A   |          |   B   |---- 'network 2'
                  |       |==========|       |
                  +-------+   eth2   +-------+

A and B are routers

# tc qdisc add dev eth1 root teql0
# tc qdisc add dev eth2 root teql0
# ip link set dev teql0 up

On router A:

# ip addr add dev eth1 10.0.0.0/31
# ip addr add dev eth2 10.0.0.2/31
# ip addr add dev teql0 10.0.0.4/31

On router B:

# ip addr add dev eth1 10.0.0.1/31
# ip addr add dev eth2 10.0.0.3/31
# ip addr add dev teql0 10.0.0.5/31

The above has been quoted from LARTC HOWTO. I would like to know the following things:

1) Are the 10.0.0.0/31, 10.0.0.2/31, 10.0.0.3/31... different networks? Are the devices eth1, eth2 and teql0 on each router part of 3 different networks?

2) What is the reason for doing the "/31" thing? Can't we use network addresses such as 192.168.0.0/24, 192.168.10.0/24 and so on for the devices eth1, eth2 and teql0?

Warm regards,
Visham

From support8 at greatlakes.net Thu Jun 1 21:12:24 2006 
From: support8 at greatlakes.net (Eliot, Wireless and Server Administrator, Great Lakes Internet) Date: Thu Jun 1 21:09:01 2006 Subject: [LARTC] For leaf classes is best PFIFO or SFQ? Message-ID: <0633E0EDB4F25F43A2D7179CA11FAFAB255417@xavier.staff.greatlakes.net> SFQ would be the better option in most cases since it prioritizes packets based on flows in a round-robin fashion. Essentially, it allows multiple flows to receive equal bandwidth in a given class. PFIFO would allow one flow to starve out the rest. Eliot Gable Certified Wireless Network Administrator (CWNA) Certified Wireless Security Professional (CWSP) Cisco Certified Network Associate (CCNA) CompTIA Security+ Certified CompTIA Network+ Certified Network and System Engineer Great Lakes Internet, Inc. 112 North Howard Croswell, MI 48422 (810) 679-3395 (877) 558-8324 Now offering Broadband Wireless Internet access in Croswell, Lexington, Brown City, Yale, Worth Township, and Sandusky. Call for details. -----Original Message----- 
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Stefano Mainardi Sent: Thursday, June 01, 2006 10:32 AM To: lartc@mailman.ds9a.nl Subject: [LARTC] For leaf classes is best PFIFO or SFQ?

Hi to all,

I'm following this guide (http://www.opalsoft.net/qos/DS-28.htm); it is very detailed, but I'm a bit confused about the queuing disciplines of leaf classes. In this guide the author uses PFIFO (see the scheme that I attached to the message) in this way:

# tc qdisc add dev eth0 parent 1:21 handle 210: pfifo limit 10
# tc qdisc add dev eth0 parent 1:22 handle 220: pfifo limit 10
# tc qdisc add dev eth0 parent 1:23 handle 230: pfifo limit 10
# tc qdisc add dev eth0 parent 1:24 handle 240: pfifo limit 10
# tc qdisc add dev eth0 parent 1:31 handle 310: pfifo limit 10
# tc qdisc add dev eth0 parent 1:32 handle 320: pfifo limit 10
# tc qdisc add dev eth0 parent 1:33 handle 330: pfifo limit 10
# tc qdisc add dev eth0 parent 1:34 handle 340: pfifo limit 10

But is it not better to use SFQ, like this?

# tc qdisc add dev eth0 parent 1:21 handle 210: sfq perturb 10
# tc qdisc add dev eth0 parent 1:22 handle 220: sfq perturb 10
# tc qdisc add dev eth0 parent 1:23 handle 230: sfq perturb 10
.
.
.

What's the real difference?

Best Regards
-- 
Stefano Mainardi Presidente Associazione ILDN - Italian Linux Distro Network Mobile: 349/3917212 Skype: mainardistefano IM (ICQ): 250-292-408 Blog: http://www.mainardistefano.org _______________________________________________ LARTC mailing list LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc From kaber at trash.net Thu Jun 1 21:09:10 2006 
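An added illustration of the starvation point Eliot makes above; this is not code from the thread or from the opalsoft guide. It models the two leaf qdiscs in a few dozen lines of Python: a tail-dropping pfifo with a packet limit, and a simplified sfq (one sub-queue per flow, round-robin dequeue, and when the shared limit is reached the tail of the longest sub-queue is dropped, which is what sch_sfq does). The scenario, the flow names "A" and "B" and the packet tuples are constructed for the demonstration; perturbation of the hash is left out because it does not affect the outcome shown here.

```python
from collections import deque


class PFifo:
    """pfifo: one queue of at most `limit` packets, tail-drop when full."""

    def __init__(self, limit):
        self.limit = limit
        self.q = deque()
        self.dropped = 0

    def enqueue(self, pkt):
        if len(self.q) >= self.limit:
            self.dropped += 1          # newest packet loses, whichever flow sent it
            return False
        self.q.append(pkt)
        return True

    def dequeue(self):
        return self.q.popleft() if self.q else None


class Sfq:
    """Simplified sfq: a sub-queue per flow, round-robin dequeue, and when the
    shared limit is hit the tail of the *longest* sub-queue is dropped, so the
    heavy flow pays for its own congestion instead of the light one."""

    def __init__(self, limit):
        self.limit = limit
        self.flows = {}        # flow key -> deque of packets
        self.active = deque()  # keys with a non-empty sub-queue, in round-robin order
        self.total = 0
        self.dropped = 0

    def _drop_from_longest(self):
        key = max(self.active, key=lambda k: len(self.flows[k]))
        self.flows[key].pop()
        self.total -= 1
        self.dropped += 1
        if not self.flows[key]:
            self.active.remove(key)

    def enqueue(self, pkt):
        key = pkt[0]                    # constructed packets are (flow, seq) tuples
        if self.total >= self.limit:
            self._drop_from_longest()
        q = self.flows.setdefault(key, deque())
        if not q:
            self.active.append(key)
        q.append(pkt)
        self.total += 1
        return True

    def dequeue(self):
        if not self.active:
            return None
        key = self.active.popleft()
        q = self.flows[key]
        pkt = q.popleft()
        self.total -= 1
        if q:
            self.active.append(key)     # flow goes to the back of the round-robin
        return pkt


def run_scenario(qdisc_cls, limit=10, bulk=12):
    """Flow A (a bulk transfer) offers `bulk` packets back to back while the
    link is stalled, then flow B (a single ping) arrives. Returns the order in
    which packets leave once the link drains, plus the drop count."""
    qd = qdisc_cls(limit)
    for i in range(bulk):
        qd.enqueue(("A", i))
    qd.enqueue(("B", 0))
    order = []
    while (p := qd.dequeue()) is not None:
        order.append(p)
    return order, qd.dropped


def ping_position(qdisc_cls, **kw):
    """Index at which the ping leaves the queue, or -1 if it was dropped."""
    order, _ = run_scenario(qdisc_cls, **kw)
    return order.index(("B", 0)) if ("B", 0) in order else -1


if __name__ == "__main__":
    for cls in (PFifo, Sfq):
        order, dropped = run_scenario(cls)
        print(f"{cls.__name__:6s} dropped={dropped} ping_position={ping_position(cls)}")
```

With a limit of 10 both qdiscs drop three packets, but pfifo drops the ping (it arrived last, so it takes the tail drop) while sfq drops three of the bulk flow's packets and sends the ping second. That is the "one flow starves the rest" behaviour in concrete terms; with `perturb` added on a real box the only extra effect is that hash collisions between flows are reshuffled periodically.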
From: kaber at trash.net (Patrick McHardy) Date: Thu Jun 1 21:09:21 2006 Subject: [LARTC] iptables CLASSIFY and MARK not working? In-Reply-To: <0633E0EDB4F25F43A2D7179CA11FAFAB255415@xavier.staff.greatlakes.net> References: <0633E0EDB4F25F43A2D7179CA11FAFAB255415@xavier.staff.greatlakes.net> Message-ID: <447F3B56.7010200@trash.net> Eliot, Wireless and Server Administrator, Great Lakes Internet wrote: > These rules make it go to the classes instead of the qdisc: > > Chain POSTROUTING (policy ACCEPT 887K packets, 495M bytes) > pkts bytes target prot opt in out source > destination > 8662 508K CLASSIFY all -- * br1 0.0.0.0/0 > 0.0.0.0/0 MARK match 0x1fe CLASSIFY set 5:1fe > 14 8253 CLASSIFY all -- * br1 0.0.0.0/0 > 0.0.0.0/0 MARK match 0x1ff CLASSIFY set 5:1ff > 0 0 CLASSIFY all -- * br1 0.0.0.0/0 > 0.0.0.0/0 MARK match 0x200 CLASSIFY set 5:200 > 845 222K CLASSIFY all -- * wivl4 0.0.0.0/0 > 0.0.0.0/0 MARK match 0x1fe CLASSIFY set 5:1fe > 22 5286 CLASSIFY all -- * wivl4 0.0.0.0/0 > 0.0.0.0/0 MARK match 0x1ff CLASSIFY set 5:1ff > 0 0 CLASSIFY all -- * wivl4 0.0.0.0/0 > 0.0.0.0/0 MARK match 0x200 CLASSIFY set 5:200 > > > > And yet, still nothing hits the classes: > > > > wireless-r1 ~ # tc -s class show dev wivl4 > class hfsc 5: root > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > period 0 level 1 > > class hfsc 5:1fe parent 5: leaf 1db: sc m1 400000bit d 30.0ms m2 > 128000bit > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > period 0 level 0 > > class hfsc 5:1 parent 5: sc m1 0bit d 2.6ms m2 30000Kbit > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > period 0 level 0 > > class hfsc 5:1ff parent 5: leaf 1dc: sc m1 2560Kbit d 2.0s m2 512000bit > ul m1 2560Kbit d 2.0s m2 2048Kbit > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > period 0 level 0 > > class hfsc 5:2 
parent 5: ls m1 60000Kbit d 2.0s m2 60000Kbit ul m1 > 60000Kbit d 2.0s m2 60000Kbit > Sent 19906674 bytes 13396 pkt (dropped 9, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > period 13396 work 19906674 bytes level 0 > > class hfsc 5:200 parent 5: leaf 1dd: ls m1 1024Kbit d 2.0s m2 1024Kbit > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > period 0 level 0 > > class hfsc 5:3 parent 5: ls m1 10000Kbit d 2.0s m2 10000Kbit > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > period 0 level 0 > > class hfsc 5:1fa parent 5: leaf 1d7: ls m1 64000bit d 2.0s m2 64000bit > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > period 0 level 0 > > class hfsc 5:1f8 parent 5: leaf 1d5: sc m1 400000bit d 30.0ms m2 > 128000bit > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > period 0 level 0 > > class hfsc 5:1f9 parent 5: leaf 1d6: sc m1 160000bit d 2.0s m2 32000bit > ul m1 160000bit d 2.0s m2 128000bit > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > period 0 level 0 > > > wireless-r1 ~ # tc -s class show dev br1 > class hfsc 1: root > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > period 0 level 1 > > class hfsc 1:1fe parent 1: leaf 1c7: sc m1 400000bit d 30.0ms m2 > 128000bit > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > period 0 level 0 > > class hfsc 1:1 parent 1: sc m1 0bit d 2.6ms m2 30000Kbit > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > period 0 level 0 > > class hfsc 1:1ff parent 1: leaf 1c8: sc m1 640000bit d 2.0s m2 128000bit > ul m1 640000bit d 2.0s m2 512000bit > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps 
backlog 0b 0p requeues 0 > period 0 level 0 > > class hfsc 1:2 parent 1: ls m1 60000Kbit d 2.0s m2 60000Kbit ul m1 > 60000Kbit d 2.0s m2 60000Kbit > Sent 856222 bytes 10041 pkt (dropped 13, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > period 10041 work 856222 bytes level 0 > > class hfsc 1:200 parent 1: leaf 1c9: ls m1 256000bit d 2.0s m2 256000bit > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > period 0 level 0 > > class hfsc 1:3 parent 1: ls m1 10000Kbit d 2.0s m2 10000Kbit > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > period 0 level 0 > > class hfsc 1:1fa parent 1: leaf 1c3: ls m1 32000bit d 2.0s m2 32000bit > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > period 0 level 0 > > class hfsc 1:1f8 parent 1: leaf 1c1: sc m1 400000bit d 30.0ms m2 > 128000bit > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > period 0 level 0 > > class hfsc 1:1f9 parent 1: leaf 1c2: sc m1 80000bit d 2.0s m2 16000bit > ul m1 80000bit d 2.0s m2 64000bit > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > period 0 level 0 > > > > No matter how I write these rules, it always still goes to the default > class (5:2 or 1:2). If this is still wrong, please give me an example of > what I should be writing. The bridge case doesn't work because you're using the wrong major number (5 instead of 1), the wivl4 rules look correct. I just tested HFSC+CLASSIFY and it works fine for me. What kind of device is wivl4? From support8 at greatlakes.net Thu Jun 1 21:13:44 2006 
From: support8 at greatlakes.net (Eliot, Wireless and Server Administrator, Great Lakes Internet) Date: Thu Jun 1 21:10:34 2006 Subject: [LARTC] Not understanding network setup!! Message-ID: <0633E0EDB4F25F43A2D7179CA11FAFAB255418@xavier.staff.greatlakes.net> -----Original Message----- 
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of ramsurrunv@mx.uom.ac.mu Sent: Thursday, June 01, 2006 2:58 PM To: lartc@mailman.ds9a.nl Subject: [LARTC] Not understanding network setup!!

> Hi to all,
>
>                   +-------+   eth1   +-------+
>                   |       |==========|       |
>   'network 1' ----|   A   |          |   B   |---- 'network 2'
>                   |       |==========|       |
>                   +-------+   eth2   +-------+
>
> A and B are routers
>
> # tc qdisc add dev eth1 root teql0
> # tc qdisc add dev eth2 root teql0
> # ip link set dev teql0 up
>
> On router A:
>
> # ip addr add dev eth1 10.0.0.0/31
> # ip addr add dev eth2 10.0.0.2/31
> # ip addr add dev teql0 10.0.0.4/31
>
> On router B:
>
> # ip addr add dev eth1 10.0.0.1/31
> # ip addr add dev eth2 10.0.0.3/31
> # ip addr add dev teql0 10.0.0.5/31
>
> The above has been quoted from LARTC HOWTO. I would like to know the
> following things:
>
> 1) Are the 10.0.0.0/31, 10.0.0.2/31, 10.0.0.3/31...different networks? Are
> the devices eth1, eth2 and teql0 on each router part of 3 different
> networks?

I very much doubt the above was quoted on the LARTC HOWTO. Please point us to where you saw this. It is completely wrong.

First, 10.0.0.0/31 would be a network address. Second, a 31 bit subnet is meaningless. It only offers two addresses, the network address at 10.0.0.0 and the broadcast address at 10.0.0.1. That leaves no available addresses for host addresses. You probably mean /30 instead of /31.

If you were using a /30, then you would run:

ip addr add 10.0.0.1/30 dev eth1
ip addr add 10.0.0.5/30 dev eth2
ip addr add 10.0.0.9/30 dev teql0

The .1, .5, and .9 would be the first available addresses in their respective subnets.

On router B, you would run:

ip addr add 10.0.0.2/30 dev eth1
ip addr add 10.0.0.6/30 dev eth2
ip addr add 10.0.0.10/30 dev teql0

The .2, .6, and .10 addresses would be the second and final available host addresses on their respective subnets. And yes, each device sits on a different network when configured like this. 
The teql0 device simply lets you load balance across the two eth devices.

> 2) What is the reason for doing the "/31" thing? Can't we use network
> addresses such as 192.168.0.0/24, 192.168.10.0/24 and so on for the
> devices eth1, eth2 and teql0?

You could use the 192.168.0.0/24 type addresses just as easily. The only difference is in how many addresses are available for hosts on the network block. By using a /30, you allow 2 host addresses and only 2 host addresses. Using the /24 network, you allow 254 host addresses. That seems rather wasteful when all you need is 2, doesn't it?

Eliot Gable Certified Wireless Network Administrator (CWNA) Certified Wireless Security Professional (CWSP) Cisco Certified Network Associate (CCNA) CompTIA Security+ Certified CompTIA Network+ Certified Network and System Engineer Great Lakes Internet, Inc. 112 North Howard Croswell, MI 48422 (810) 679-3395 (877) 558-8324 Now offering Broadband Wireless Internet access in Croswell, Lexington, Brown City, Yale, Worth Township, and Sandusky. Call for details. http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc From support8 at greatlakes.net Thu Jun 1 21:38:38 2006 From: support8 at greatlakes.net (Eliot, Wireless and Server Administrator, Great Lakes Internet) Date: Thu Jun 1 21:35:21 2006 Subject: [LARTC] iptables CLASSIFY and MARK not working? Message-ID: <0633E0EDB4F25F43A2D7179CA11FAFAB255419@xavier.staff.greatlakes.net> -----Original Message----- 
From: Patrick McHardy [mailto:kaber@trash.net] Sent: Thursday, June 01, 2006 3:09 PM To: Eliot, Wireless and Server Administrator, Great Lakes Internet Cc: lartc@mailman.ds9a.nl; Netfilter Development Mailinglist Subject: Re: [LARTC] iptables CLASSIFY and MARK not working? > The bridge case doesn't work because you're using the wrong major > number (5 instead of 1), the wivl4 rules look correct. I just tested > HFSC+CLASSIFY and it works fine for me. What kind of device is wivl4? I knew I was going to typo something when I did all that hex conversion this morning. Here is the corrected ruleset: - Adding rules to classify traffic on br1 ... - iptables -A POSTROUTING -t mangle -o br1 -m mark --mark 0x1FE -j CLASSIFY --set-class 0x1:0x1FE - iptables -A POSTROUTING -t mangle -o br1 -m mark --mark 0x1FF -j CLASSIFY --set-class 0x1:0x1FF - iptables -A POSTROUTING -t mangle -o br1 -m mark --mark 0x200 -j CLASSIFY --set-class 0x1:0x200 - Adding rules to classify traffic on wivl4 ... - iptables -A POSTROUTING -t mangle -o wivl4 -m mark --mark 0x1FE -j CLASSIFY --set-class 0x5:0x1FE - iptables -A POSTROUTING -t mangle -o wivl4 -m mark --mark 0x1FF -j CLASSIFY --set-class 0x5:0x1FF - iptables -A POSTROUTING -t mangle -o wivl4 -m mark --mark 0x200 -j CLASSIFY --set-class 0x5:0x200 Here are the new test results: Chain POSTROUTING (policy ACCEPT 900K packets, 496M bytes) pkts bytes target prot opt in out source destination 865 67524 CLASSIFY all -- * br1 0.0.0.0/0 0.0.0.0/0 MARK match 0x1fe CLASSIFY set 1:1fe 16 1216 CLASSIFY all -- * br1 0.0.0.0/0 0.0.0.0/0 MARK match 0x1ff CLASSIFY set 1:1ff 0 0 CLASSIFY all -- * br1 0.0.0.0/0 0.0.0.0/0 MARK match 0x200 CLASSIFY set 1:200 840 91456 CLASSIFY all -- * wivl4 0.0.0.0/0 0.0.0.0/0 MARK match 0x1fe CLASSIFY set 5:1fe 16 1216 CLASSIFY all -- * wivl4 0.0.0.0/0 0.0.0.0/0 MARK match 0x1ff CLASSIFY set 5:1ff 0 0 CLASSIFY all -- * wivl4 0.0.0.0/0 0.0.0.0/0 MARK match 0x200 CLASSIFY set 5:200 wireless-r1 bwlimit # tc -s class show dev br1 
class hfsc 1: root Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) rate 0bit 0pps backlog 0b 0p requeues 0 period 0 level 1 class hfsc 1:1fe parent 1: leaf 1c7: sc m1 400000bit d 30.0ms m2 128000bit Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) rate 0bit 0pps backlog 0b 0p requeues 0 period 0 level 0 class hfsc 1:1 parent 1: sc m1 0bit d 2.6ms m2 30000Kbit Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) rate 0bit 0pps backlog 0b 0p requeues 0 period 0 level 0 class hfsc 1:1ff parent 1: leaf 1c8: sc m1 640000bit d 2.0s m2 128000bit ul m1 640000bit d 2.0s m2 512000bit Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) rate 0bit 0pps backlog 0b 0p requeues 0 period 0 level 0 class hfsc 1:2 parent 1: ls m1 60000Kbit d 2.0s m2 60000Kbit ul m1 60000Kbit d 2.0s m2 60000Kbit Sent 187981 bytes 1698 pkt (dropped 3, overlimits 0 requeues 0) rate 0bit 0pps backlog 0b 0p requeues 0 period 1698 work 187981 bytes level 0 class hfsc 1:200 parent 1: leaf 1c9: ls m1 256000bit d 2.0s m2 256000bit Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) rate 0bit 0pps backlog 0b 0p requeues 0 period 0 level 0 class hfsc 1:3 parent 1: ls m1 10000Kbit d 2.0s m2 10000Kbit Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) rate 0bit 0pps backlog 0b 0p requeues 0 period 0 level 0 class hfsc 1:1fa parent 1: leaf 1c3: ls m1 32000bit d 2.0s m2 32000bit Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) rate 0bit 0pps backlog 0b 0p requeues 0 period 0 level 0 class hfsc 1:1f8 parent 1: leaf 1c1: sc m1 400000bit d 30.0ms m2 128000bit Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) rate 0bit 0pps backlog 0b 0p requeues 0 period 0 level 0 class hfsc 1:1f9 parent 1: leaf 1c2: sc m1 80000bit d 2.0s m2 16000bit ul m1 80000bit d 2.0s m2 64000bit Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) rate 0bit 0pps backlog 0b 0p requeues 0 period 0 level 0 Both devices (br1 and wivl4) are bridged interfaces with spanning tree turned on. 
They also do VLANs. Specifically, vconfig was used to create a VLAN (in this case, VLAN 4) on two interfaces: eth2 and eth3. These two VLAN interfaces were called e2v4 and e3v4. Then, brctl was used to bridge the two VLAN interfaces (e2v4 and e3v4) into a new interface called wivl4. Spanning tree was then enabled on wivl4. The MTU size was then adjusted -4 bytes to accommodate the VLAN tagging. Also, did you happen to try my specific rules (under different devices) to see if they work? If possible, could you try creating a VLAN interface and test on that interface? Then try a bridged interface. And finally, a bridged VLAN interface. I will try to set this all up on a different machine without the bridged VLANs and see if it works there. Eliot Gable Certified Wireless Network Administrator (CWNA) Certified Wireless Security Professional (CWSP) Cisco Certified Network Associate (CCNA) CompTIA Security+ Certified CompTIA Network+ Certified Network and System Engineer Great Lakes Internet, Inc. 112 North Howard Croswell, MI 48422 (810) 679-3395 (877) 558-8324 Now offering Broadband Wireless Internet access in Croswell, Lexington, Brown City, Yale, Worth Township, and Sandusky. Call for details. From kaber at trash.net Thu Jun 1 21:44:12 2006 
From: kaber at trash.net (Patrick McHardy) Date: Thu Jun 1 21:44:07 2006 Subject: [LARTC] iptables CLASSIFY and MARK not working? In-Reply-To: <0633E0EDB4F25F43A2D7179CA11FAFAB255419@xavier.staff.greatlakes.net> References: <0633E0EDB4F25F43A2D7179CA11FAFAB255419@xavier.staff.greatlakes.net> Message-ID: <447F438C.4080606@trash.net> Eliot, Wireless and Server Administrator, Great Lakes Internet wrote: > Both devices (br1 and wivl4) are bridged interfaces with spanning tree > turned on. They also do VLANs. Specifically, vconfig was used to create > a VLAN (in this case, VLAN 4) on two interfaces: eth2 and eth3. These > two VLAN interfaces were called e2v4 and e3v4. Then, brctl was used to > bridge the two VLAN interfaces (e2v4 and e3v4) into a new interface > called wivl4. Spanning tree was then enabled on wivl4. The MTU size was > then adjusted -4 bytes to accommodate the VLAN tagging. Any chance you got bridge netfilter enabled? If so please disable it and try again (or set the bridge-nf-call-iptables sysctl to 0). > Also, did you happen to try my specific rules (under different devices) > to see if they work? No, just tried CLASSIFY with my own HFSC setup, which is pretty similar. > If possible, could you try creating a VLAN interface and test on that > interface? Then try a bridged interface. And finally, a bridged VLAN > interface. > > I will try to set this all up on a different machine without the bridged > VLANs and see if it works there. I checked the code, neither VLAN nor bridge should matter. From support8 at greatlakes.net Thu Jun 1 21:58:44 2006 From: support8 at greatlakes.net (Eliot, Wireless and Server Administrator, Great Lakes Internet) Date: Thu Jun 1 21:55:24 2006 Subject: [LARTC] iptables CLASSIFY and MARK not working? Message-ID: <0633E0EDB4F25F43A2D7179CA11FAFAB25541A@xavier.staff.greatlakes.net> -----Original Message----- 
From: Patrick McHardy [mailto:kaber@trash.net] Sent: Thursday, June 01, 2006 3:44 PM To: Eliot, Wireless and Server Administrator, Great Lakes Internet Cc: lartc@mailman.ds9a.nl; Netfilter Development Mailinglist Subject: Re: [LARTC] iptables CLASSIFY and MARK not working? > Eliot, Wireless and Server Administrator, Great Lakes Internet wrote: > > Both devices (br1 and wivl4) are bridged interfaces with spanning tree > > turned on. They also do VLANs. Specifically, vconfig was used to create > > a VLAN (in this case, VLAN 4) on two interfaces: eth2 and eth3. These > > two VLAN interfaces were called e2v4 and e3v4. Then, brctl was used to > > bridge the two VLAN interfaces (e2v4 and e3v4) into a new interface > > called wivl4. Spanning tree was then enabled on wivl4. The MTU size was > > then adjusted -4 bytes to accommodate the VLAN tagging. > > Any chance you got bridge netfilter enabled? If so please disable > it and try again (or set the bridge-nf-call-iptables sysctl to 0). > > Also, did you happen to try my specific rules (under different devices) > to see if they work? > > No, just tried CLASSIFY with my own HFSC setup, which is pretty > similar. > > > If possible, could you try creating a VLAN interface and test on that > > interface? Then try a bridged interface. And finally, a bridged VLAN > > interface. > > > > I will try to set this all up on a different machine without the bridged > > VLANs and see if it works there. > > I checked the code, neither VLAN nor bridge should matter. Bridged iptables (ebtables) is not enabled in the kernel and I cannot seem to find a variable "bridge-nf-call-iptables" to set with sysctl: wireless-r1 linux # sysctl -w bridge-nf-call-iptables=0 error: "bridge-nf-call-iptables" is an unknown key There is also no /proc/sys/net/*/bridge anything. I assume that means this is not something I need to worry about? 
Eliot Gable Certified Wireless Network Administrator (CWNA) Certified Wireless Security Professional (CWSP) Cisco Certified Network Associate (CCNA) CompTIA Security+ Certified CompTIA Network+ Certified Network and System Engineer Great Lakes Internet, Inc. 112 North Howard Croswell, MI 48422 (810) 679-3395 (877) 558-8324 Now offering Broadband Wireless Internet access in Croswell, Lexington, Brown City, Yale, Worth Township, and Sandusky. Call for details. From kaber at trash.net Thu Jun 1 22:01:36 2006 From: kaber at trash.net (Patrick McHardy) Date: Thu Jun 1 22:01:28 2006 Subject: [LARTC] iptables CLASSIFY and MARK not working? In-Reply-To: <0633E0EDB4F25F43A2D7179CA11FAFAB25541A@xavier.staff.greatlakes.net> References: <0633E0EDB4F25F43A2D7179CA11FAFAB25541A@xavier.staff.greatlakes.net> Message-ID: <447F47A0.7000104@trash.net> Eliot, Wireless and Server Administrator, Great Lakes Internet wrote: > Bridged iptables (ebtables) is not enabled in the kernel and I cannot > seem to find a variable "bridge-nf-call-iptables" to set with sysctl: > > wireless-r1 linux # sysctl -w bridge-nf-call-iptables=0 > error: "bridge-nf-call-iptables" is an unknown key > > There is also no /proc/sys/net/*/bridge anything. I assume that means > this is not something I need to worry about? Not sure yet, the problem would be created by CONFIG_BRIDGE_NETFILTER, not ebtables itself. Check for "/proc/sys/net/bridge/bridge-nf-call-iptables". I'm actually pretty sure that this is indeed what's causing the problem, bridge netfilter defers calling the IP POST_ROUTING hook until the packet was already transmitted over the device (and before it goes out the underlying device), which means when it hits the CLASSIFY target it already passed through the qdisc. From support8 at greatlakes.net Thu Jun 1 22:09:41 2006 
From: support8 at greatlakes.net (Eliot, Wireless and Server Administrator, Great Lakes Internet) Date: Thu Jun 1 22:06:18 2006 Subject: [LARTC] iptables CLASSIFY and MARK not working? Message-ID: <0633E0EDB4F25F43A2D7179CA11FAFAB25541B@xavier.staff.greatlakes.net> THANK YOU! That solved the problem. I found the file you specified and it was indeed enabled. After disabling it, it is now working! Eliot Gable Certified Wireless Network Administrator (CWNA) Certified Wireless Security Professional (CWSP) Cisco Certified Network Associate (CCNA) CompTIA Security+ Certified CompTIA Network+ Certified Network and System Engineer Great Lakes Internet, Inc. 112 North Howard Croswell, MI 48422 (810) 679-3395 (877) 558-8324 Now offering Broadband Wireless Internet access in Croswell, Lexington, Brown City, Yale, Worth Township, and Sandusky. Call for details. -----Original Message----- 
From: Patrick McHardy [mailto:kaber@trash.net] Sent: Thursday, June 01, 2006 4:02 PM To: Eliot, Wireless and Server Administrator, Great Lakes Internet Cc: lartc@mailman.ds9a.nl; Netfilter Development Mailinglist Subject: Re: [LARTC] iptables CLASSIFY and MARK not working? Eliot, Wireless and Server Administrator, Great Lakes Internet wrote: > Bridged iptables (ebtables) is not enabled in the kernel and I cannot > seem to find a variable "bridge-nf-call-iptables" to set with sysctl: > > wireless-r1 linux # sysctl -w bridge-nf-call-iptables=0 > error: "bridge-nf-call-iptables" is an unknown key > > There is also no /proc/sys/net/*/bridge anything. I assume that means > this is not something I need to worry about? Not sure yet, the problem would be created by CONFIG_BRIDGE_NETFILTER, not ebtables itself. Check for "/proc/sys/net/bridge/bridge-nf-call-iptables". I'm actually pretty sure that this is indeed what's causing the problem, bridge netfilter defers calling the IP POST_ROUTING hook until the packet was already transmitted over the device (and before it goes out the underlying device), which means when it hits the CLASSIFY target it already passed through the qdisc. From kaber at trash.net Thu Jun 1 22:10:24 2006 From: kaber at trash.net (Patrick McHardy) Date: Thu Jun 1 22:10:16 2006 Subject: [LARTC] iptables CLASSIFY and MARK not working? In-Reply-To: <0633E0EDB4F25F43A2D7179CA11FAFAB25541B@xavier.staff.greatlakes.net> References: <0633E0EDB4F25F43A2D7179CA11FAFAB25541B@xavier.staff.greatlakes.net> Message-ID: <447F49B0.90804@trash.net> Eliot, Wireless and Server Administrator, Great Lakes Internet wrote: > THANK YOU! > > That solved the problem. I found the file you specified and it was > indeed enabled. After disabling it, it is now working! Good to hear. This crap is causing one weird problem after another, we really need to get rid of it. From lists at andyfurniss.entadsl.com Thu Jun 1 22:24:38 2006 
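An added helper for the diagnosis Patrick gave above; it is not code from the thread. It parses `tc -s class show dev <if>` output and flags the symptom Eliot saw, namely the default class carrying all the traffic while every CLASSIFY target sits at zero packets, and it reads the bridge-netfilter knob (`/proc/sys/net/bridge/bridge-nf-call-iptables`) that, when set to 1, makes the bridge run the IP POSTROUTING hook after the packet has already passed the qdisc. The sample output below is constructed (abridged from the format in Eliot's posts), and the function names `parse_class_stats`, `misclassified` and `bridge_nf_call_iptables` are mine.

```python
import re
import subprocess

# Constructed sample in the format of `tc -s class show dev br1`, abridged.
SAMPLE = """\
class hfsc 1: root
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 0 level 1

class hfsc 1:1fe parent 1: leaf 1c7: sc m1 400000bit d 30.0ms m2 128000bit
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 0 level 0

class hfsc 1:2 parent 1: ls m1 60000Kbit d 2.0s m2 60000Kbit ul m1 60000Kbit d 2.0s m2 60000Kbit
 Sent 187981 bytes 1698 pkt (dropped 3, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 1698 work 187981 bytes level 0
"""

CLASS_RE = re.compile(r"^class \S+ (\S+)")
SENT_RE = re.compile(r"^\s*Sent (\d+) bytes (\d+) pkt \(dropped (\d+)")


def parse_class_stats(text):
    """Map classid -> (bytes, packets, dropped) from `tc -s class show` output.
    The 'class ...' header names the class; the following 'Sent ...' line
    carries its counters."""
    stats = {}
    current = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = SENT_RE.match(line)
        if m and current is not None:
            stats[current] = tuple(int(x) for x in m.groups())
    return stats


def misclassified(stats, default_class, expected_classes):
    """Return the classes that CLASSIFY should be feeding but that have seen no
    packets, provided the default class is busy. A non-empty result means the
    classifier is not steering anything: exactly the picture in this thread."""
    default_busy = stats.get(default_class, (0, 0, 0))[1] > 0
    if not default_busy:
        return []
    return [c for c in expected_classes if stats.get(c, (0, 0, 0))[1] == 0]


BRIDGE_NF = "/proc/sys/net/bridge/bridge-nf-call-iptables"


def bridge_nf_call_iptables(path=BRIDGE_NF):
    """Return the knob's value ('1' or '0') or None if the file is absent.
    '1' means bridged frames hit iptables POSTROUTING only after the bridge
    qdisc, so CLASSIFY there can never land them in the intended class."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None


def live_stats(dev):
    """Run tc on a real interface (needs CAP_NET_ADMIN) and parse the result."""
    out = subprocess.check_output(["tc", "-s", "class", "show", "dev", dev], text=True)
    return parse_class_stats(out)


if __name__ == "__main__":
    stats = parse_class_stats(SAMPLE)
    print("idle CLASSIFY targets:", misclassified(stats, "1:2", ["1:1fe", "1:1ff", "1:200"]))
    print("bridge-nf-call-iptables:", bridge_nf_call_iptables())
```

If `bridge_nf_call_iptables()` returns '1' on the box, set `net.bridge.bridge-nf-call-iptables=0` with sysctl (or write 0 to the proc file) and re-run `live_stats` while traffic flows: the CLASSIFY targets should start counting and the default class should stop absorbing everything. On recent kernels that proc file only appears once the br_netfilter module is loaded, so `None` from the function means the deferral is not in play.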
From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Thu Jun 1 22:22:17 2006 Subject: [LARTC] Fair shaping over link with variable parameters In-Reply-To: <20060528193129.GA15843@iceberg.netwerke.eu.org> References: <20060528193129.GA15843@iceberg.netwerke.eu.org> Message-ID: <447F4D06.30607@andyfurniss.entadsl.com>

Rafal Krypa wrote:
> Hi.
> I would like to ask you for advice.
> I am trying to construct following shaping solution:
> * several users are using one link to the Internet
> * all of them have equal priority and should be given fair amount of bandwidth
> * no kind of traffic is considered more important than other
> * our Internet connection has no CIR, only "maximum dl/ul speeds" given by
> provider

What you can or can't do will depend on the exact nature and behavior of the link.

> * most important: our outgoing and incoming traffic must be shaped to some rate
> that will provide possibly low latency. For users that do not have active
> connections I'd like to ensure no more than 100ms latency for ping or any
> other low-traffic connections

100ms - that would be hard to guarantee on a slow fixed rate link, in some situations you may need to sacrifice 50% of ingress bandwidth. It depends on how fast the link is and how slow it gets and how it is slowed.

>
>
> For several years of my experiments with traffic shaping over Linux I found no
> tool for creating such system. For example, HTB require given, constant 'ceil'
> parameter. I would like to have some qdisc that can automatically adjust its
> rate/ceil parameter depending on achieved latency. The rest of the job would be
> quite pretty done by ESFQ.
> Could you point me to anything adequate to my needs?
>

There is no qdisc that has variable rates. I've just got a link with variable down speed and have played around with policers to see what's possible. I haven't done much and it doesn't work too well - though it works enough to carry on trying to see what's possible.

I still don't know whether it can ever work enough to be left "unattended". If you have few users and know your traffic and have a fairly fast link and know how it behaves there may be a way - at least to do a lot better than doing nothing.

Andy.

From lists at andyfurniss.entadsl.com Thu Jun 1 22:29:06 2006 From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Thu Jun 1 22:26:44 2006 Subject: [LARTC] Shaping of pppoe clients In-Reply-To: <44740262.4000108@gmail.com> References: <4472E4C2.4090209@gmail.com> <44740262.4000108@gmail.com> Message-ID: <447F4E12.1070609@andyfurniss.entadsl.com>

Georgi Alexandrov wrote:
> Kenneth Kalmer wrote:
>
>> The keyword here is "better", and that was my argument for using a
>> bridge in the first place. It would appear to be easier to shape &
>> filter away from the messy scripts of pppd & radius servers, but this
>> raises the next issue. For the bridge, is the pppoe sessions
>> identifiable using say source & destination ips, as opposed to pppoe
>> traffic... I know if I perform a tcpdump on the interface that I
>> connect to my adsl modem I only see the traffic as pppoe... Logic
>> tells me that the bridge would suffer the same consequences...
>
> Yes, that was my concern too. Maybe someone else on the list that has
> already went through this may share the experience.
> I will test it as soon as I get my hands on a spare machine ;-)

I would have thought you can do it with u32 on ip or mac address. Look up ethertype(s) for pppoe and then give it as the protocol number for the tc filter - I assume ipheader will start 8 bytes after eth payload - never played with pppoe, though.

Andy.

From lists at andyfurniss.entadsl.com Thu Jun 1 22:33:45 2006 
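An added example, not from the thread, that makes Andy's "8 bytes after the Ethernet payload" concrete. The PPPoE session ethertype is 0x8864, the PPPoE header is 6 bytes (version/type, code, session id, length) and the PPP protocol field is 2 more, so an IPv4 header inside a session frame starts at payload offset 8 and its source and destination addresses sit at offsets 20 and 24. The code builds a constructed frame with that layout, parses the addresses back out, and emits the u32 filter line that would match on them. The assumption, the same one Andy makes, is that u32 offsets for a `protocol 0x8864` filter are counted from the start of the Ethernet payload (the PPPoE header); verify that on the kernel in use before relying on it. Function names are mine.

```python
import struct

ETH_P_PPP_SES = 0x8864   # PPPoE session-stage ethertype (RFC 2516)
PPP_PROTO_IP = 0x0021    # PPP protocol number for IPv4
PPPOE_HDR_LEN = 6        # ver/type(1) code(1) session-id(2) length(2)
PPP_PROTO_LEN = 2
IP_OFFSET = PPPOE_HDR_LEN + PPP_PROTO_LEN   # 8: where the IPv4 header starts


def _ip_bytes(dotted):
    return bytes(int(x) for x in dotted.split("."))


def build_pppoe_ip_frame(src_ip, dst_ip, payload=b""):
    """Constructed frame: eth hdr | PPPoE hdr | PPP proto | IPv4 hdr | payload.
    MACs, session id and the (unset) IP checksum are dummy values."""
    ip_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, ip_len, 0, 0, 64, 1, 0,
                         _ip_bytes(src_ip), _ip_bytes(dst_ip))
    ppp = struct.pack("!H", PPP_PROTO_IP) + ip_hdr + payload
    pppoe = struct.pack("!BBHH", 0x11, 0x00, 0x1234, len(ppp)) + ppp
    eth = (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
           + struct.pack("!H", ETH_P_PPP_SES))
    return eth + pppoe


def ip_addrs_in_pppoe(frame):
    """Return (src, dst) of the IPv4 packet carried in a PPPoE session frame,
    or None if the frame is not PPPoE-session/IPv4 or is too short."""
    if len(frame) < 14 + IP_OFFSET + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_PPP_SES:
        return None
    payload = frame[14:]
    proto = struct.unpack("!H", payload[PPPOE_HDR_LEN:IP_OFFSET])[0]
    if proto != PPP_PROTO_IP:
        return None
    ip = payload[IP_OFFSET:]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst


def u32_filter_for_host(dev, parent, flowid, ip, direction="dst"):
    """tc u32 filter matching one IPv4 address inside PPPoE session frames.
    Assumes u32 offsets are relative to the PPPoE header: src at 8+12,
    dst at 8+16 (not verified against the thread, see lead-in)."""
    off = IP_OFFSET + (12 if direction == "src" else 16)
    val = int.from_bytes(_ip_bytes(ip), "big")
    return (f"tc filter add dev {dev} parent {parent} protocol 0x{ETH_P_PPP_SES:04x} "
            f"u32 match u32 0x{val:08x} 0xffffffff at {off} flowid {flowid}")


if __name__ == "__main__":
    frame = build_pppoe_ip_frame("192.168.1.10", "10.0.0.1", b"ping")
    print(ip_addrs_in_pppoe(frame))
    print(u32_filter_for_host("eth0", "1:", "1:10", "192.168.1.10", "src"))
```

For a bridge carrying PPPoE, the same offsets let you key on the session id (payload offset 2, 16 bits) instead of the inner IP when addresses are assigned dynamically; a MAC-based match would use `protocol 0x8864` with the `-m` link-layer selectors instead.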
From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Thu Jun 1 22:31:25 2006 Subject: Fwd: [LARTC] HTB shaping & borrowing info In-Reply-To: References: <20060527215019.GA12536@EIS> Message-ID: <447F4F29.7060203@andyfurniss.entadsl.com> Stefano Mainardi wrote: > tc class add dev eth1 parent 11:1 classid 11:2 htb rate 70Mbit ceil 70Mbit > burst 6k cburst 64k quantum 1600 I am not sure if it matters in this case with the big cburst - but remember burst * 8 * HZ will be the bit rate a class can reach. Andy. From hawk at diku.dk Thu Jun 1 22:33:50 2006 
From: hawk at diku.dk (Jesper Dangaard Brouer) Date: Thu Jun 1 22:33:47 2006 Subject: [LARTC] Linux router performance In-Reply-To: <447DFC1E.60007@aj.net-lab.net> References: <004e01c684dc$3dfc3c10$303d5854@cttc.es> <447DFC1E.60007@aj.net-lab.net> Message-ID: Hi I'm sure that Robert can provide us with some interesting numbers. I have just tested routing performance on an AMD Opteron 270 (dual core), here I can route 400 kpps (tg3 netcards on PCI-X). I use the kernel module "pktgen" to generate the packets (64 bytes in size). Cheers, Jesper Brouer -- ------------------------------------------------------------------- MSc. Master of Computer Science Dept. of Computer Science, University of Copenhagen Author of http://www.adsl-optimizer.dk ------------------------------------------------------------------- On Wed, 31 May 2006, Andreas John wrote: > Hi, > > Maybe: > Khan, Sohel; Waheed, Abdul (2003): High Performance Routing on > PCs http://www.ccse.kfupm.edu.sa/~sohel/networking/references/Routing.pdf > > A rule of thumb: > - with current COTS hardware and (standard) PCI Bus, you can reach the > maximum of the PCI bus bandwidth. That's 1 GB/s, e.g. two NICs with 500 > Meg/s each ( one in and one out ) > - with PCI-X and in the future PCI-express you'll for sure be able to > reach more performance. I didn't find a sponsor for a test-lab yet :) > - in DoS scenarios it may get worse :/ It heavily depends on driver type > (polling and NAPI preferred). The problem with the performance is > _always_ the number of interrupts, nothing else is a bottleneck (well, > we didn't talk about thousands of iptables rules yet, but you ask for a > 'maximum'). > - The question you have to ask in high-performance scenarios is not > "MBit/s" but MPPS (megapackets per second). FreeBSD and Linux broke the > 1 MPPS barrier some time ago (on dual xeons).
> > rgds, > Andreas > > Fermín Galán Márquez wrote: >> Hi, >> >> I wonder about the performance of a Linux box used as router (I guess I'm >> not the first :). Although I know it mainly depends on the hardware, I'm >> trying to find some references on the topic or comparisons with other >> routing solutions (FreeBSD box used as router, Cisco, etc). For example, >> http://facweb.cti.depaul.edu/jyu/Publications/Yu-Linux-TSM2004.pdf >> (although it is related to Linux bridging more than to Linux routing) shows >> in Figure 14 that with an AMD Duron 1.3GHz 512M RAM a throughput of 90 Mbps >> can be achieved. >> >> Does anybody know any other similar analysis, please? >> >> Best regards, >> >> -------------------- >> Fermín Galán Márquez >> CTTC - Centre Tecnològic de Telecomunicacions de Catalunya >> Parc Mediterrani de la Tecnologia, Av. del Canal Olímpic s/n, 08860 >> Castelldefels, Spain >> Room 1.02 >> Tel : +34 93 645 29 12 >> Fax : +34 93 645 29 01 >> Email address: fermin.galan@cttc.es From mainardistefano at gmail.com Thu Jun 1 22:37:35 2006
From: mainardistefano at gmail.com (Stefano Mainardi) Date: Thu Jun 1 22:37:31 2006 Subject: Fwd: [LARTC] HTB shaping & borrowing info In-Reply-To: <447F4F29.7060203@andyfurniss.entadsl.com> References: <20060527215019.GA12536@EIS> <447F4F29.7060203@andyfurniss.entadsl.com> Message-ID: Hi Andy, how must I set up the value for CBURST for my situation? Have you read? Ste 2006/6/1, Andy Furniss : > > Stefano Mainardi wrote: > > > tc class add dev eth1 parent 11:1 classid 11:2 htb rate 70Mbit ceil > 70Mbit > > burst 6k cburst 64k quantum 1600 > > I am not sure if it matters in this case with the big cburst - but > remember burst * 8 * HZ will be the bit rate a class can reach. > > Andy. > -- Stefano Mainardi Presidente Associazione ILDN - Italian Linux Distro Network Mobile: 349/3917212 Skype: mainardistefano IM (ICQ): 250-292-408 Blog: http://www.mainardistefano.org From lists at andyfurniss.entadsl.com Thu Jun 1 22:46:23 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Thu Jun 1 22:44:02 2006 Subject: Fwd: [LARTC] HTB shaping & borrowing info In-Reply-To: References: <20060527215019.GA12536@EIS> <447F4F29.7060203@andyfurniss.entadsl.com> Message-ID: <447F521F.2030704@andyfurniss.entadsl.com> Stefano Mainardi wrote: > Hi Andy, > how must I set up the value for CBURST for my situation? Have you read? > I think the burst is too small - In your case I would just not specify either burst and let htb choose them. Andy. > Ste > > 2006/6/1, Andy Furniss : > >> >> Stefano Mainardi wrote: >> >> > tc class add dev eth1 parent 11:1 classid 11:2 htb rate 70Mbit ceil >> 70Mbit >> > burst 6k cburst 64k quantum 1600 >> >> I am not sure if it matters in this case with the big cburst - but >> remember burst * 8 * HZ will be the bit rate a class can reach. >> >> Andy. >> > > > From mainardistefano at gmail.com Thu Jun 1 22:46:19 2006
From: mainardistefano at gmail.com (Stefano Mainardi) Date: Thu Jun 1 22:46:20 2006 Subject: Fwd: [LARTC] HTB shaping & borrowing info In-Reply-To: <447F521F.2030704@andyfurniss.entadsl.com> References: <20060527215019.GA12536@EIS> <447F4F29.7060203@andyfurniss.entadsl.com> <447F521F.2030704@andyfurniss.entadsl.com> Message-ID: Ok, I'll try without the CBURST value. Thanks ;) 2006/6/1, Andy Furniss : > > Stefano Mainardi wrote: > > Hi Andy, > > how must I set up the value for CBURST for my situation? Have you read? > > > > I think the burst is too small - In your case I would just not specify > either burst and let htb choose them. > > Andy. > > > Ste > > > > 2006/6/1, Andy Furniss : > > > >> > >> Stefano Mainardi wrote: > >> > >> > tc class add dev eth1 parent 11:1 classid 11:2 htb rate 70Mbit ceil > >> 70Mbit > >> > burst 6k cburst 64k quantum 1600 > >> > >> I am not sure if it matters in this case with the big cburst - but > >> remember burst * 8 * HZ will be the bit rate a class can reach. > >> > >> Andy. > >> > > > > > > > > -- Stefano Mainardi Presidente Associazione ILDN - Italian Linux Distro Network Mobile: 349/3917212 Skype: mainardistefano IM (ICQ): 250-292-408 Blog: http://www.mainardistefano.org From lists at andyfurniss.entadsl.com Thu Jun 1 22:59:19 2006 From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Thu Jun 1 22:56:58 2006 Subject: Fwd: [LARTC] HTB shaping & borrowing info In-Reply-To: References: <20060527215019.GA12536@EIS> <447F4F29.7060203@andyfurniss.entadsl.com> <447F521F.2030704@andyfurniss.entadsl.com> Message-ID: <447F5527.5000504@andyfurniss.entadsl.com> Stefano Mainardi wrote: > Ok, I'll try without the CBURST value. Without burst as well ... Andy. From mainardistefano at gmail.com Thu Jun 1 23:13:18 2006
From: mainardistefano at gmail.com (Stefano Mainardi) Date: Thu Jun 1 23:13:12 2006 Subject: Fwd: [LARTC] HTB shaping & borrowing info In-Reply-To: <447F5527.5000504@andyfurniss.entadsl.com> References: <20060527215019.GA12536@EIS> <447F4F29.7060203@andyfurniss.entadsl.com> <447F521F.2030704@andyfurniss.entadsl.com> <447F5527.5000504@andyfurniss.entadsl.com> Message-ID: Oops, BURST... sorry! And the CBURST value, do you think that is correct? 2006/6/1, Andy Furniss : > > Stefano Mainardi wrote: > > Ok, I'll try without the CBURST value. > > Without burst as well ... > > Andy. > -- Stefano Mainardi Presidente Associazione ILDN - Italian Linux Distro Network Mobile: 349/3917212 Skype: mainardistefano IM (ICQ): 250-292-408 Blog: http://www.mainardistefano.org From lists at andyfurniss.entadsl.com Thu Jun 1 23:57:53 2006 From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Thu Jun 1 23:55:23 2006 Subject: Fwd: [LARTC] HTB shaping & borrowing info In-Reply-To: References: <20060527215019.GA12536@EIS> <447F4F29.7060203@andyfurniss.entadsl.com> <447F521F.2030704@andyfurniss.entadsl.com> <447F5527.5000504@andyfurniss.entadsl.com> Message-ID: <447F62E1.8030607@andyfurniss.entadsl.com> Stefano Mainardi wrote: > Oops, BURST... sorry! > And the CBURST value, do you think that is correct? I would leave that out as well and let htb choose it from the rate of the class. Andy. From jarkap at poczta.onet.pl Fri Jun 2 08:50:16 2006 From: jarkap at poczta.onet.pl (Jarek Poplawski) Date: Fri Jun 2 08:55:04 2006 Subject: [LARTC] Re: Not understanding network setup!! In-Reply-To: <0633E0EDB4F25F43A2D7179CA11FAFAB255418@xavier.staff.greatlakes.net> References: <0633E0EDB4F25F43A2D7179CA11FAFAB255418@xavier.staff.greatlakes.net> Message-ID: Eliot, Wireless and Server Administrator, Great Lakes Internet wrote: > -----Original Message-----
> From: lartc-bounces@mailman.ds9a.nl > [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of > ramsurrunv@mx.uom.ac.mu > Sent: Thursday, June 01, 2006 2:58 PM > To: lartc@mailman.ds9a.nl > Subject: [LARTC] Not understanding network setup!! > >> Hi to all, ... > First, 10.0.0.0/31 would be a network address. Second, a 31 bit subnet > is meaningless. It only offers two addresses, the network address at > 10.0.0.0 and the broadcast address at 10.0.0.1. That leaves no available > addresses for host addresses. You probably mean /30 instead of /31. If > you were using a /30, then you would run: > > ip addr add 10.0.0.1/30 dev eth1 > ip addr add 10.0.0.5/30 dev eth2 > ip addr add 10.0.0.9/30 dev teql0 > > The .1, .5, and .9 would be the first available addresses in their > respective subnets. You probably mean /28 instead of /30: ip addr add 10.0.0.9/28 dev teql0 Jarek P. From ramsurrunv at mx.uom.ac.mu Fri Jun 2 09:22:34 2006 
From: ramsurrunv at mx.uom.ac.mu (ramsurrunv@mx.uom.ac.mu) Date: Fri Jun 2 09:22:38 2006 Subject: [LARTC] Not understanding network setup!! In-Reply-To: <0633E0EDB4F25F43A2D7179CA11FAFAB255418@xavier.staff.greatlakes.net> References: <0633E0EDB4F25F43A2D7179CA11FAFAB255418@xavier.staff.greatlakes.net> Message-ID: <1157.172.22.62.53.1149232954.squirrel@mx.uom.ac.mu> Hi to all, > I very much doubt the above was quoted on the LARTC HOWTO. Please point us to where you saw this. It is completely wrong. > This is where I got it from: http://www.lartc.org/lartc.html#LARTC.LOADSHARE - (Chapter 10. Load sharing over multiple interfaces). I actually implemented the setup blindly without understanding it and it worked. When I tried to change the topology of the network and the ip addresses, then I got problems. This is what I'm trying to do:

       __________         _____________         _________
      |          |       |             |       |         |
      |      eth1|-------|eth0 FW1 eth1|-------|eth1     |
      |          |       |_____________|       |         |
PC_A--|eth0 PC_B |                             |PC_C eth0|--PC_D
      |          |        _____________        |         |
      |      eth2|-------|eth0 FW2 eth1|-------|eth2     |
      |__________|       |_____________|       |_________|

The configurations on the respective PCs are:
PC_A: eth0 = 192.168.0.10/24 #ip route add default via 192.168.0.1
PC_B: eth0 = 192.168.0.1/24 eth1 = 192.168.10.10/24 eth2 = 192.168.40.10/24
FW1: eth0 = 192.168.10.11/24 eth1 = 192.168.20.11/24
FW2: eth0 = 192.168.40.11/24 eth1 = 192.168.50.11/24
PC_C: eth0 = 192.168.30.1/24 eth1 = 192.168.20.10/24 eth2 = 192.168.50.10/24
PC_D: eth0 = 192.168.30.10/24 #ip route add default via 192.168.30.1

I'm trying to load balance the traffic from PC_A to PC_D over the two PCs FW1 and FW2, using teql. I tried to follow the steps in the LARTC HOWTO but it's not working. Actually I'm having problems setting up the routing on these PCs with regard to teql. I simply don't know how to do it. I have enabled ip forwarding (ip_forward) and disabled reverse path filtering (rp_filter) on PC_B, PC_C, FW1 & FW2 for all NICs.
B & C have 2.6.16 kernels with kernel options like advanced routing (CONFIG_IP_ADVANCED_ROUTER) and multipath route support selected. When I ping from PC_A to PC_D, I'm getting a "Destination host Unreachable" msg. What am I doing wrong? I know you guys are really good at this kind of stuff..pls help me out. Warm regards, Visham From jarkap at poczta.onet.pl Fri Jun 2 09:51:14 2006 From: jarkap at poczta.onet.pl (Jarek Poplawski) Date: Fri Jun 2 09:50:46 2006 Subject: [LARTC] Re: For leaf classes is best PFIFO or SFQ? In-Reply-To: References: Message-ID: Stefano Mainardi wrote: > Hi to all, > I'm following this guide (http://www.opalsoft.net/qos/DS-28.htm), it is > very detailed, but I'm a bit confused about the queuing disciplines of > leaf classes. > > In this guide the author uses PFIFO (see the scheme that I attached to the > message) in this way: > > # tc class add dev eth0 parent 1:21 handle 210: pfifo lmit 10 rather that way: # tc qdisc add dev eth0 parent 1:21 handle 210: pfifo limit 10 Jarek P. From jarkap at poczta.onet.pl Fri Jun 2 16:20:11 2006 From: jarkap at poczta.onet.pl (Jarek Poplawski) Date: Sun Jun 4 11:18:22 2006 Subject: [LARTC] Re: Not understanding network setup!! In-Reply-To: <0633E0EDB4F25F43A2D7179CA11FAFAB25541E@xavier.staff.greatlakes.net> References: <0633E0EDB4F25F43A2D7179CA11FAFAB25541E@xavier.staff.greatlakes.net> Message-ID: <4480491B.2040901@poczta.onet.pl> Eliot, Wireless and Server Administrator, Great Lakes Internet wrote: >> -----Original Message-----
>> From: Jarek Poplawski [mailto:jarkap@poczta.onet.pl] >> Sent: Friday, June 02, 2006 9:57 AM >> To: Eliot, Wireless and Server Administrator, Great Lakes Internet >> Cc: lartc@mailman.ds9a.nl >> Subject: Re: [LARTC] Re: Not understanding network setup!! >> ... >> Maybe we are thinking about something else but I don't think: >> "If you were using a /30, then" ... ".5, and .9 would be the >> first available addresses in their respective subnets" is all >> correct. >
> 10.0.0.0/30:
>
> 10.0.0.0 - NETWORK ADDRESS
> 10.0.0.1 - HOST
> 10.0.0.2 - HOST
> 10.0.0.3 - BROADCAST ADDRESS
>
> First available address is .1
>
> 10.0.0.4/30:
>
> 10.0.0.4 - NETWORK ADDRESS
> 10.0.0.5 - HOST
> 10.0.0.6 - HOST
> 10.0.0.7 - BROADCAST ADDRESS
>
> First available address is .5
>
> 10.0.0.8/30:
>
> 10.0.0.8 - NETWORK ADDRESS
> 10.0.0.9 - HOST
> 10.0.0.10 - HOST
> 10.0.0.11 - BROADCAST ADDRESS
>
> First available address is .9
>
> Thus: > > "The .1, .5, and .9 would be the first available addresses in their > respective subnets." > > Is a true statement. > > How are you interpreting this?
OH! Now I understand! I'm sorry for bothering you and many thanks for this clear explanation. Jarek P. From ramsurrunv at mx.uom.ac.mu Sat Jun 3 21:46:02 2006
From: ramsurrunv at mx.uom.ac.mu (ramsurrunv@mx.uom.ac.mu) Date: Sun Jun 4 11:19:29 2006 Subject: [LARTC] Not understanding network setup!! In-Reply-To: <0633E0EDB4F25F43A2D7179CA11FAFAB255437@xavier.staff.greatlakes.net> References: <0633E0EDB4F25F43A2D7179CA11FAFAB255437@xavier.staff.greatlakes.net> Message-ID: <1091.202.123.0.185.1149363962.squirrel@mx.uom.ac.mu> Understood..many thx for all the help.. By the way, do you know if there's a way to distinguish between the ACK packet sent during the connection establishment phase of a TCP connection and subsequent ACK packets sent during the data transfer phase? I know that the ACK number sent during the connection establishment will be equal to the 'sequence number for the SYN in the SYN/ACK packet' + 1. Is there a way to distinguish between this 3rd packet and any other ACK packet during data transfer w/o having to keep track of sequence numbers? Are there other characteristics or options that are set in the former and not in the latter? Basically I want to capture the three packets sent during the connection establishment phase of TCP. How can I do that? Warm regards, Visham From ramsurrunv at mx.uom.ac.mu Sat Jun 3 18:36:03 2006
From: ramsurrunv at mx.uom.ac.mu (ramsurrunv@mx.uom.ac.mu) Date: Sun Jun 4 11:19:45 2006 Subject: [LARTC] Not understanding network setup!! In-Reply-To: <0633E0EDB4F25F43A2D7179CA11FAFAB255425@xavier.staff.greatlakes.net> References: <0633E0EDB4F25F43A2D7179CA11FAFAB255425@xavier.staff.greatlakes.net> Message-ID: <1129.202.123.10.118.1149352563.squirrel@mx.uom.ac.mu> Dear Eliot, thx for the explanations..I'll try the transparent firewall setup and tell you how it goes. However, I would like to know how you would have set up routing for a topology like the one below using bonding, where S1, S2 and S3 are servers (Layer 3 devices), and not firewalls.

       ______________         _____________
      |              |       |             |
      |          eth1|-------|eth0 S1      |
      |              |       |_____________|
PC_A--|              |
      |              |        _____________
      |eth0 PC_B eth2|-------|eth0 S2      |
      |              |       |_____________|
      |              |        _____________
      |          eth3|-------|eth0 S3      |
      |______________|       |_____________|

Warm regards, Visham From ramsurrunv at mx.uom.ac.mu Fri Jun 2 20:29:18 2006
From: ramsurrunv at mx.uom.ac.mu (ramsurrunv@mx.uom.ac.mu) Date: Sun Jun 4 11:20:02 2006 Subject: [LARTC] Not understanding network setup!! In-Reply-To: <0633E0EDB4F25F43A2D7179CA11FAFAB25541D@xavier.staff.greatlakes.net> References: <0633E0EDB4F25F43A2D7179CA11FAFAB25541D@xavier.staff.greatlakes.net> Message-ID: <1177.202.123.11.77.1149272958.squirrel@mx.uom.ac.mu> Dear Eliot, Many thx for all the efforts you're making to help me out..I've been battling with this for over two weeks now :( I had a few questions to ask you: 1) Does bonding support per-packet load balancing like teql does? 2) Is it compulsory to assign eth1 & eth2 ip addresses in teql setups like in the howto or can I simply use them w/o ip addrs as in the bonding setup example you gave? 3) In the setup you propose with the transparent firewall, I don't think it'll work because, since different networks are involved, only a router can forward packets between different networks. The bridge can only perform packet switching on one network. It can actually extend a particular network but it cannot join two different networks. That, I believe, is the work of a router. Please correct me if you feel I'm wrong. 4) Do you believe it is possible to implement teql for the topology I'm working on, i.e using firewalls with ip addrs? I tried it many times but no success. The main problem was that I didn't know to what network to have the teql0 device on PC_B & PC_C point to. In the example in the LARTC HOWTO, the teql0 on Router A pointed to the teql0 device on Router B. However, in the topology I'm trying to set up, I didn't know to which device to point to because of the intermediate networks that we have (for FW1 & FW2). Do you think I should use a multipath route on PC_B & PC_C, something like this: ip route add default scope global nexthop via 192.168.10.11 dev eth1 weight 1 nexthop via 192.168.40.11 dev eth2 weight 1 I tried it but no success.
The teql0 device won't balance traffic between the devices..don't know if I made a mistake in the formulation of the command!! Can you suggest anything? I have enough PCs to test things that you might suggest. Warm regards, Visham From lists at andyfurniss.entadsl.com Sat Jun 3 16:40:00 2006 From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Sun Jun 4 11:35:49 2006 Subject: [LARTC] Re: Bi-directional packet classification with ACK prioritization In-Reply-To: <0633E0EDB4F25F43A2D7179CA11FAFAB255421@xavier.staff.greatlakes.net> References: <0633E0EDB4F25F43A2D7179CA11FAFAB255421@xavier.staff.greatlakes.net> Message-ID: <44819F40.8050004@andyfurniss.entadsl.com> Eliot, Wireless and Server Administrator, Great Lakes Internet wrote: > This problem will be true for generally classified traffic and P2P > traffic. I would use tc filters in one direction if I could possibly > distinguish P2P traffic from other types of traffic with them. You can match mark with u32 rather than fw - you then get to use masks and can AND it with other matches - like MAC. You can also AND/OR marks with netfilter. Andy. From mlopezb at udesa.edu.ar Fri Jun 2 21:27:15 2006
From: mlopezb at udesa.edu.ar (Matias Lopez Bergero) Date: Sun Jun 4 11:45:44 2006 Subject: [LARTC] netbios over slow-speed link. need advice Message-ID: <44809113.8020005@udesa.edu.ar> Hello, I have set up a VPN link using IPsec with OpenSwan between two Linux boxes, and I am using this tunnel to connect a bunch of w9x/2k clients with a w2k file server. The thing is that the WAN link where the tunnel is set has a bandwidth of 128kbps, and the browsing of the file server, and the opening of a file like, for example, a Word document, takes a lot of time. These file opening times seem to vary very often. They go from 1.5 minutes to 15 minutes. I haven't seen the 15 minute open file time, but the users have told me that it happens from time to time. I wonder, maybe one of you guys has found yourself in a similar situation and can give some advice. I am not sure if the netbios communications with this file server are working right, and I would like to know, if it is possible, how to tune the scenario to get it to work properly or at least how to view the state of these communications. Any ideas will be most welcome. TIA! BR, Matias. From mainardistefano at gmail.com Sat Jun 3 19:54:12 2006 From: mainardistefano at gmail.com (Stefano Mainardi) Date: Sun Jun 4 12:46:01 2006 Subject: [LARTC] How to "explode" tc rules maked by HTB.init? Message-ID: Hi to all, I'm using htb.init for configuring my shaper. Now I want to know if it is possible to show how htb.init makes and uses TC; has anyone tried it? Many thanks. -- Stefano Mainardi Presidente Associazione ILDN - Italian Linux Distro Network Mobile: 349/3917212 Skype: mainardistefano IM (ICQ): 250-292-408 Blog: http://www.mainardistefano.org From mainardistefano at gmail.com Sat Jun 3 03:56:46 2006
From: mainardistefano at gmail.com (Stefano Mainardi) Date: Sun Jun 4 14:12:59 2006 Subject: [LARTC] How to explde HTB.INIT tc commands? In-Reply-To: References: Message-ID: Hi to all, I'm using htb.init for configuring my shaper. Now I want to know if it is possible to show how htb.init makes and uses TC; has anyone tried it? Many thanks. -- Stefano Mainardi Presidente Associazione ILDN - Italian Linux Distro Network Mobile: 349/3917212 Skype: mainardistefano IM (ICQ): 250-292-408 Blog: http://www.mainardistefano.org From mainardistefano at gmail.com Fri Jun 2 16:15:37 2006 From: mainardistefano at gmail.com (Stefano Mainardi) Date: Sun Jun 4 16:15:36 2006 Subject: [LARTC] How to explde HTB.INIT tc commands? Message-ID: Hi to all, I'm using htb.init for configuring my shaper. Now I want to know if it is possible to show how htb.init makes and uses TC; has anyone tried it? Many thanks. -- Stefano Mainardi Presidente Associazione ILDN - Italian Linux Distro Network Mobile: 349/3917212 Skype: mainardistefano IM (ICQ): 250-292-408 Blog: http://www.mainardistefano.org From martin at linux-ip.net Sun Jun 4 17:18:41 2006
From: martin at linux-ip.net (Martin A. Brown) Date: Sun Jun 4 17:18:47 2006 Subject: [LARTC] Not understanding network setup!! In-Reply-To: <1091.202.123.0.185.1149363962.squirrel@mx.uom.ac.mu> References: <0633E0EDB4F25F43A2D7179CA11FAFAB255437@xavier.staff.greatlakes.net> <1091.202.123.0.185.1149363962.squirrel@mx.uom.ac.mu> Message-ID: Visham, : By the way, do you know if there's a way to distinguish between : the ACK packet sent during the connection establishment phase of : a TCP connection and subsequent ACK packets sent during the data : transfer phase. : : I know that the ACK number sent during the connection : establishment will be equal to the 'sequence number for the SYN : in the SYN/ACK packet' + 1 : : Is there a way to distinguish between this 3rd packet and any : other ACK packet during data transfer w/o having to keep track of : sequence numbers? Are there other characteristics or options that : are set in the former and not in the latter? : : Basically I want to capture the three packets sent during the : connection establishment phase of TCP. How can I do that? How many times (or how quickly) do you need to do this? I have a somewhat simple-minded solution for you, but it doesn't scale, and may not actually solve your problem(s). If you have anything more than a few connections on which you wish to snoop (to see that they have successfully completed the handshake) my solution will not work for you. I have used this to capture the first three packets exchanged on a particular TCP connection: tcpdump -nni $INTERFACE -c 3 host $TARGET and port $DPORT and \ '( tcp[tcpflags] & tcp-syn = tcp-syn or tcp[tcpflags] & tcp-ack = tcp-ack )' If you are looking at inbound traffic to one of your servers, that can be a bit trickier. You could, however, tcpdump the entire stream line-buffered and write a filter (sed/perl) that prints out only lines showing the SYN flag and lines containing 'ack 1 win'.
10:16:11.232505 IP xx.yy.zz.44.7284 > aa.bb.cc.130.25: S 2114067570:2114067570(0) win 5840
10:16:11.257184 IP aa.bb.cc.130.25 > xx.yy.zz.44.7284: S 1756590593:1756590593(0) ack 2114067571 win 5792
10:16:11.257242 IP xx.yy.zz.44.7284 > aa.bb.cc.130.25: . ack 1 win 1460
Good luck, -Martin -- Martin A. Brown http://linux-ip.net/ From mainardistefano at gmail.com Fri Jun 2 13:09:35 2006 From: mainardistefano at gmail.com (Stefano Mainardi) Date: Sun Jun 4 17:41:10 2006 Subject: [LARTC] Re: For leaf classes is best PFIFO or SFQ? In-Reply-To: References: Message-ID: 2006/6/2, Jarek Poplawski : > > Stefano Mainardi wrote: > > Hi to all, > > I'm following this guide (http://www.opalsoft.net/qos/DS-28.htm), it is > > very detailed, but I'm a bit confused about the queuing disciplines of > > leaf classes. > > > > In this guide the author uses PFIFO (see the scheme that I attached to the > > message) in this way: > > > > # tc class add dev eth0 parent 1:21 handle 210: pfifo lmit 10 > > rather that way: > > # tc qdisc add dev eth0 parent 1:21 handle 210: pfifo limit 10 therefore??? I do not understand ... -- Stefano Mainardi Presidente Associazione ILDN - Italian Linux Distro Network Mobile: 349/3917212 Skype: mainardistefano IM (ICQ): 250-292-408 Blog: http://www.mainardistefano.org From sewlist at gmail.com Fri Jun 2 14:07:46 2006 From: sewlist at gmail.com (the sew) Date: Sun Jun 4 17:55:33 2006 Subject: [LARTC] sangoma cards in linux Message-ID: Hi There, we only have a /29 internet routable network from our ISP and a Cisco 1601 router with serial interface doing all the routing. I was thinking of replacing that cisco with a linux box with a sangoma card, also using quagga with ospf for my internal networks. Does anyone have experience with this? thanks Sew From martin at linux-ip.net Sun Jun 4 18:02:10 2006
From: martin at linux-ip.net (Martin A. Brown) Date: Sun Jun 4 18:02:10 2006 Subject: [LARTC] sangoma cards in linux In-Reply-To: References: Message-ID: Hello there, : we only have a /29 internet routable network from our ISP and a : Cisco 1601 router with serial interface doing all the routing. : : I was thinking of replacing that cisco with a linux box with a : sangoma card, also using quagga with ospf on for my internel : networks I can't speak directly to quagga and ospf, but I can provide an encomium for the Sangoma cards. I have used the Sangoma cards (since 2000 or so, starting with the S508/FT1) and found them to be extraordinarily reliable. Their technical support is also very good. I have seen these cards used in Australia and the U.S. and recommend them wholeheartedly. Good luck, -Martin -- Martin A. Brown http://linux-ip.net/ From c-d.hailfinger.devel.2006 at gmx.net Sun Jun 4 18:07:30 2006 From: c-d.hailfinger.devel.2006 at gmx.net (Carl-Daniel Hailfinger) Date: Sun Jun 4 18:09:52 2006 Subject: [LARTC] How to explde HTB.INIT tc commands? In-Reply-To: References: Message-ID: <44830542.8060609@gmx.net> Stefano Mainardi wrote: > Hi to all, > [...] You already sent that mail three times in less than 30 hours. Please stop. Somebody will answer if he/she knows. Regards, Carl-Daniel From jonas.jasas at gmail.com Fri Jun 2 22:42:25 2006 
From: jonas.jasas at gmail.com (Jonas Jasas) Date: Sun Jun 4 18:25:41 2006 Subject: [LARTC] IMQ + NAT Message-ID: Hello, I have eth0 - internet, eth1..4 - local networks. On eth0 I do $IPTABLES -A POSTROUTING -t nat -o eth0 -j MASQUERADE I want to balance out/in load for eth1..4 and localhost (mainly squid). NAT makes it impossible to do it on eth0, so I installed IMQ. I need to get on imq0 the un-NATed in/out traffic so that I can make priorities for protocols and networks. Do something like this:
prate=1Mbit
localhost: rate=500kbit, ceil=prate
vnc: rate=100kbit, ceil=prate
web: rate=100kbit, ceil=prate
mail: rate=100kbit, ceil=prate
eth1: rate=400kbit, ceil=prate
ftp: rate=10kbit, ceil=prate
....
eth2..4: rate=100kbit, ceil=prate (eth2...eth4 would split the same 100kbit)
rdp: rate=90kbit, ceil=prate
......
This load balance would be applied for outgoing and incoming internet traffic. Where and how in iptables would it be correct to "-j IMQ"? Thank you! From kajtek at biezanow.net Sun Jun 4 18:27:03 2006
From: kajtek at biezanow.net (Kajetan Staszkiewicz) Date: Sun Jun 4 18:26:52 2006 Subject: [LARTC] Re: For leaf classes is best PFIFO or SFQ? In-Reply-To: References: Message-ID: <200606041827.10048.kajtek@biezanow.net> On Friday, 2 June 2006 13:09, Stefano Mainardi wrote: > 2006/6/2, Jarek Poplawski : > > Stefano Mainardi wrote: > > > Hi to all, > > > I'm following this guide (http://www.opalsoft.net/qos/DS-28.htm), it is > > > very detailed, but I'm a bit confused about the queuing disciplines of > > > leaf classes. > > > > > > In this guide the author uses PFIFO (see the scheme that I attached to the > > > message) in this way: > > >
> > > # tc class add dev eth0 parent 1:21 handle 210: pfifo lmit 10
           ^^^^^
> > rather that way:
> > # tc qdisc add dev eth0 parent 1:21 handle 210: pfifo limit 10
         ^^^^^
> > therefore??? I do not understand ... Well, pfifo is a discipline at the end of class, not the class. I'm using sfq for every customer (they are limited to 256/384/512kbit), so they will be able to use the Internet even when using p2p programs. -- | pozdrawiam / greetings | powered by Trustix, Gentoo and FreeBSD | | Kajetan Staszkiewicz | jabber,email,www: vegeta()tuxpowered net | | Vegeta | IMQ devnames: http://www.tuxpowered.net | `------------------------^------------------------------------------' From ramsurrunv at mx.uom.ac.mu Sun Jun 4 18:31:48 2006
From: ramsurrunv at mx.uom.ac.mu (ramsurrunv@mx.uom.ac.mu) Date: Sun Jun 4 18:31:59 2006 Subject: [LARTC] Not understanding network setup!! In-Reply-To: References: <0633E0EDB4F25F43A2D7179CA11FAFAB255437@xavier.staff.greatlakes.net> <1091.202.123.0.185.1149363962.squirrel@mx.uom.ac.mu> Message-ID: <1111.202.123.11.213.1149438708.squirrel@mx.uom.ac.mu> Hi Martin, > How many times (or how quickly) do you need to do this? I have a > somewhat simple-minded solution for you, but it doesn't scale, and > may not actually solve your problem(s). I actually need this for as long as the machine communicates with other PCs. > If you are looking at inbound traffic to one of your servers, that > can be a bit trickier. I have to capture those three packets for each and every TCP stream that is initiated. Also, I'm looking only for outbound communication, i.e emanating from the PC on which I'm trying to catch the packets. So the ACK packet will be generated on the PC itself. But the problem is how do I capture that particular ACK packet and not the other ACK packets during the data transfer phase, w/o keeping track of IP address/port no. pairs. Warm regards, Visham From martin at linux-ip.net Sun Jun 4 23:11:53 2006
From: martin at linux-ip.net (Martin A. Brown)
Date: Sun Jun 4 23:11:57 2006
Subject: [LARTC] Not understanding network setup!!
In-Reply-To: <1111.202.123.11.213.1149438708.squirrel@mx.uom.ac.mu>
References: <0633E0EDB4F25F43A2D7179CA11FAFAB255437@xavier.staff.greatlakes.net> <1091.202.123.0.185.1149363962.squirrel@mx.uom.ac.mu> <1111.202.123.11.213.1149438708.squirrel@mx.uom.ac.mu>

Visham,

 : I have to capture those three packets for each and every TCP
 : stream that is initiated. Also, I'm looking only for outbound
 : communication, i.e emanating from the PC on which I'm trying to
 : catch the packets. So the ACK packet will be generated on the PC
 : itself. But the problem how do I capture that particular ACK
 : packet and not the other ACK packets during data transfer phase,
 : w/o keeping track of IP address/port no. pairs.

It sounds like argus [0] may provide a better solution to your problem. You will get much more information than you'd get with tcpdump, but you'll get at least what you describe.

-Martin

[0] http://www.qosient.com/argus/

-- 
Martin A. Brown
http://linux-ip.net/

From ramsurrunv at mx.uom.ac.mu Mon Jun 5 07:29:44 2006
From: ramsurrunv at mx.uom.ac.mu (ramsurrunv@mx.uom.ac.mu)
Date: Fri Jun 16 08:30:47 2006
Subject: [LARTC] Not understanding network setup!!
References: <0633E0EDB4F25F43A2D7179CA11FAFAB255437@xavier.staff.greatlakes.net> <1091.202.123.0.185.1149363962.squirrel@mx.uom.ac.mu> <1111.202.123.11.213.1149438708.squirrel@mx.uom.ac.mu>
Message-ID: <1066.172.22.62.53.1149485384.squirrel@mx.uom.ac.mu>

Many thx for the info Martin..I'll look at it right away.

Warm regards,
Visham

From rani79 at idm.net.lb Mon Jun 5 08:45:46 2006
From: rani79 at idm.net.lb (Rani Ahmed)
Date: Fri Jun 16 08:31:54 2006
Subject: [LARTC] how to write in tcng this PPPoE filter?
Message-ID: <4483D31A.6050302@idm.net.lb>

Can someone please explain how to transform this into TCNG code?

tc filter add dev ${DEVICE} parent 1: protocol all u32 \
   match u16 0x8864 0xFFFF at -2 flowid 1:${ID}

8864 is the PPP session ethernet protocol.

The above code is used to shape all PPPoE traffic on the same device, so this way I can make use of the borrowing facility which is not given by PPPoE. PPPoE gives me each time a device => each device is an independent device and an independent queue => no borrowing at all.

thanks.

From mainardistefano at gmail.com Mon Jun 5 11:37:22 2006
From: mainardistefano at gmail.com (Stefano Mainardi)
Date: Fri Jun 16 08:33:22 2006
Subject: [LARTC] How to explde HTB.INIT tc commands?
In-Reply-To: <44830542.8060609@gmx.net>
References: <44830542.8060609@gmx.net>

2006/6/4, Carl-Daniel Hailfinger :
> Stefano Mainardi wrote:
> > Hi to all,
> > [...]
>
> You already sent that mail three times in less than 30 hours.
> Please stop.

I know, it is an error of my SMTP.

> Somebody will answer if he/she knows.

I know too. htb.init compile, I've found it.

Regards
-- 
Stefano Mainardi
Presidente Associazione ILDN - Italian Linux Distro Network
Mobile: 349/3917212
Skype: mainardistefano
IM (ICQ): 250-292-408
Blog: http://www.mainardistefano.org

From support8 at greatlakes.net Mon Jun 5 15:00:06 2006
From: support8 at greatlakes.net (Eliot, Wireless and Server Administrator, Great Lakes Internet)
Date: Fri Jun 16 08:34:59 2006
Subject: [LARTC] Not understanding network setup!!
Message-ID: <0633E0EDB4F25F43A2D7179CA11FAFAB255446@xavier.staff.greatlakes.net>

> -----Original Message-----
> From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl]
> On Behalf Of ramsurrunv@mx.uom.ac.mu
> Sent: Sunday, June 04, 2006 12:32 PM
> To: Martin A. Brown
> Cc: lartc@mailman.ds9a.nl; ramsurrunv@mx.uom.ac.mu
> Subject: RE: [LARTC] Not understanding network setup!!
>
> Hi Martin,
>
> > How many times (or how quickly) do you need to do this? I have a
> > somewhat simple-minded solution for you, but it doesn't scale, and
> > may not actually solve your problem(s).
>
> I actually need this for as long as the machine communicates with other
> PCs.
>
> > If you are looking at inbound traffic to one of your servers, that
> > can be a bit trickier.
>
> I have to capture those three packets for each and every TCP stream that
> is initiated. Also, I'm looking only for outbound communication, i.e.
> emanating from the PC on which I'm trying to catch the packets. So the ACK
> packet will be generated on the PC itself. But the problem is how do I
> capture that particular ACK packet and not the other ACK packets during
> the data transfer phase, w/o keeping track of IP address/port no. pairs.

The way I would do this is write a small userspace capturing tool that runs as a daemon all the time and watches the packets as they traverse the machine. I have written a small libpcap-based program which does something similar. You are free to use whatever code you need from it as long as the code will not be included in anything that is resold:

http://eliot.kayandee.net/traflog.php

This program simply counts traffic on a per-MAC and per-IP basis. It also provides both MAC->IP and IP->MAC lookup tables. It should be fairly trivial (as in no more than a day's worth of work) to modify it to suit your needs.

Eliot Gable
Certified Wireless Network Administrator (CWNA)
Certified Wireless Security Professional (CWSP)
Cisco Certified Network Associate (CCNA)
CompTIA Security+ Certified
CompTIA Network+ Certified
Network and System Engineer
Great Lakes Internet, Inc.
112 North Howard
Croswell, MI 48422
(810) 679-3395
(877) 558-8324

From luciano at lugmen.org.ar Mon Jun 5 20:56:53 2006
From: luciano at lugmen.org.ar (Luciano Ruete)
Date: Fri Jun 16 08:37:04 2006
Subject: [LARTC] How to explde HTB.INIT tc commands?
Message-ID: <200606051556.53677.luciano@lugmen.org.ar>

On Friday 02 June 2006 11:15, Stefano Mainardi wrote:
> Hi to all,
> i'm using htb.init for configuring my shaper.
>
> Now i want to know if it possible to show how htb.init make and use TC,
> anyone has tried it?

./htb.init compile #(RTFM)

-- 
Luciano

From gdamjan at mail.net.mk Tue Jun 6 02:57:33 2006
From: gdamjan at mail.net.mk (Damjan)
Date: Fri Jun 16 08:38:51 2006
Subject: [LARTC] Re: For leaf classes is best PFIFO or SFQ?
In-Reply-To: <200606041827.10048.kajtek@biezanow.net>
References: <200606041827.10048.kajtek@biezanow.net>
Message-ID: <20060606005732.GA20188@legolas.on.net.mk>

> Well, pfifo is a discipline at the end of class, not the class.
>
> I'm using sfq for every customer (they are limited to 256/384/512kbit), so they
> will be able to use the Internet even when using p2p programs.

But p2p programs create a lot of connection flows, so statistically SFQ will give the p2p a lot more traffic to them, compared to just several flows for "normal" traffic like http, pop3 and smtp. Or you're doing something else too?

-- 
damjan | Дамјан
This is my jabber ID --> damjan@bagra.net.mk -- not my mail address, it's a Jabber ID --^ :)

From ramsurrunv at mx.uom.ac.mu Tue Jun 6 08:07:19 2006
From: ramsurrunv at mx.uom.ac.mu (ramsurrunv@mx.uom.ac.mu)
Date: Fri Jun 16 08:41:07 2006
Subject: [LARTC] Not understanding network setup!!
In-Reply-To: <0633E0EDB4F25F43A2D7179CA11FAFAB255446@xavier.staff.greatlakes.net>
References: <0633E0EDB4F25F43A2D7179CA11FAFAB255446@xavier.staff.greatlakes.net>
Message-ID: <1106.172.22.62.53.1149574039.squirrel@mx.uom.ac.mu>

Eliot, thx for the link..i'll check the program and see if I can use it.

Warm regards,
Visham

From lists at andyfurniss.entadsl.com Tue Jun 6 16:35:20 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Fri Jun 16 08:43:06 2006
Subject: [LARTC] IMQ + NAT
Message-ID: <448592A8.1020001@andyfurniss.entadsl.com>

Jonas Jasas wrote:
> Hello,
>
> I have
> eth0 - internet
> eth1..4 - local networks
> on eth0 i do $IPTABLES -A POSTROUTING -t nat -o eth0 -j MASQUERADE
>
> I want to balance out/in load for eth1..4 and localhost (mainly
> squid). NAT makes it impossible to do it on eth0, so I installed IMQ. I
> need to get on imq0 un-NATed in/out traffic so that I could make
> priorities for protocols and networks. Do something like this:
> prate=1Mbit
>
> localhost: rate=500kbit, ceil=prate
> vnc: rate=100kbit, ceil=prate
> web: rate=100kbit, ceil=prate
> mail: rate=100kbit, ceil=prate
> eth1: rate=400kbit, ceil=prate
> ftp: rate=10kbit, ceil=prate
> ....
> eth2..4: rate=100kbit, ceil=prate (eth2...eth4 would split the same
> 100kbit)
> rdp: rate=90kbit, ceil=prate
> ......
>
> This load balance would be applied for outgoing and incoming internet
> traffic. Where and how in iptables would be correct to "-j IMQ" ?

Whether IMQ hooks before or after NAT is in the kernel config for 2.6 and needs patches for 2.4. You need AB = after prerouting, before postrouting (though you could do the latter with marks). IMQ logs where it hooks WRT NAT when loaded.

Ingress traffic will be hooked by -j IMQ --todev 0 in PREROUTING mangle, egress by -j IMQ --todev 1 in POSTROUTING mangle.

Andy.

From kaber at trash.net Thu Jun 8 09:41:59 2006
From: kaber at trash.net (Patrick McHardy)
Date: Fri Jun 16 08:50:22 2006
Subject: [LARTC] iptables CLASSIFY and MARK not working?
In-Reply-To: <0633E0EDB4F25F43A2D7179CA11FAFAB255436@xavier.staff.greatlakes.net>
References: <0633E0EDB4F25F43A2D7179CA11FAFAB255436@xavier.staff.greatlakes.net>
Message-ID: <4487D4C7.9060604@trash.net>

Eliot, Wireless and Server Administrator, Great Lakes Internet wrote:
> Eh. What a pain. If I disable this, then ebtables will not call iptables
> after the ebtables are finished running. I figured out that I could use
> ebtables to match the destination MAC address like I needed for the
> other problem I posted (See "Bi-directional packet classification with
> ACK prioritization" thread for details). However, in order for that to
> work, I have to have bridge-nf-call-iptables enabled. Essentially, I can
> use the ebtables to flag the packets going to a destination MAC address
> and then inside the iptables POSTROUTING mangle chain, I can pick up
> that flag and reflag packets based on their Layer 3 and 4 information.
> But, then I run right back into the problem of this thread in that the
> packets are going through the TC qdiscs and classes before they hit the
> POSTROUTING mangle chain.
>
> Now, what confuses me is that I have this nice big printout of the order
> that the packets traverse ebtables, iptables, and tc which was made by
> Josh over at ImageStream (see
> http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png for the image)
> which clearly shows that it should go through ebtables POSTROUTING nat,
> then iptables POSTROUTING mangle, then iptables POSTROUTING nat, then TC
> qdisc classification, then TC qdisc deque. Also, after reading
> http://benix.tamu.edu/unix/linux-bridge-ebtables.htm, it seems pretty
> clear that the image depiction should be correct. But, since this is not
> happening, either the code has changed or both those sources are just
> wrong. I guess both are wrong.
> Do you happen to have any idea how I can get this straightened out? Do
> we need to rewrite part of the code to make this work correctly? If that
> is what it takes, I would be more than happy to look into doing that.

Fixing this is one of my short-term TODO items, most likely before 2.6.18.

> Maybe we can write a --destination-mac option for the iptables MAC
> matching module? Is that information available to iptables in the
> POSTROUTING mangle or nat chains? If not, would it be at all possible to
> make it available? That would solve this problem very nicely.

No, iptables can't reliably get at this information (it might need to be resolved first).

From ivb at is.ua Fri Jun 9 13:09:25 2006
From: ivb at is.ua (Igor Belikov)
Date: Fri Jun 16 08:55:37 2006
Subject: [LARTC] tc don't working under SUSE 10.0 OSS
Message-ID: <1833386941.20060609140925@is.ua>

Hello,

I can't force tc to work under SUSE 10.0 OSS. Before this we had a working system under SUSE 9.1 (with kernel 2.6.15.4), and considered moving this system to other hardware. I installed SUSE 10.0, first with the kernel from the distribution, then with kernel 2.6.16.18, then with 2.6.15.4 (the same version as on the working system), but I can't force tc to work. The configuration on both systems is almost the same. I can't figure out in what direction I need to dig to solve the problem. Can anybody help me? Is the problem in the SUSE distribution, or in my wry hands?

In the old (working) server was installed: iproute2 2.6.15-060110, iptables 1.3.5, patch-o-matic-ng 20060124 (only IPMARK patch)

In the new server I tried everything from the versions listed above to the latest ones: iproute2 2.6.16-060323, patch-o-matic-ng 20060606

-- 
Best regards,
Igor mailto:ivb@is.ua

From mainardistefano at gmail.com Fri Jun 9 19:04:00 2006
From: mainardistefano at gmail.com (Stefano Mainardi)
Date: Fri Jun 16 08:56:51 2006
Subject: [LARTC] TC on virtual NIC, and how to manage the incoming traffic

Hello list,

I thank you for the precious info you gave me, they were really useful in my work.

I need to work with TC on a virtual interface. Is it possible? How? Is there any doc on this topic? And foremost, is my idea of working with TC on a virtual interface viable?

I am wondering if, to control the traffic which comes in on a specific interface, it is better to use TC's filter or to mark the packets with the MANGLE table of iproute? Or something different at all?

Thanks to anyone who will respond!

-- 
Stefano Mainardi

From smohan at vsnl.com Sat Jun 10 08:33:22 2006
From: smohan at vsnl.com (S Mohan)
Date: Fri Jun 16 08:58:31 2006
Subject: [LARTC] Linux router performance
In-Reply-To: <447E3889.3040204@gmx.net>
Message-ID: <002301c68c57$cb33c990$0224640a@SMOHAN>

Damjan wrote:
>>> On an AMD Athlon64 3200+ (2 GHz) I was able to saturate 2 PCI-Express
>>> gigabit cards (but that was with 1500 byte packets). Never tried more
>>> although the box has 6 interfaces capable of gigabit, 4 of them attached
>>> via PCI-Express.
>>
>> But that's _only_ 83333 packets/s isn't it.
>
>Hm. How do you arrive at that result? I get twice the numbers.
>nic a: 1 gbit in -> nic b: 1 gbit out
>nic b: 1 gbit in -> nic a: 1 gbit out
>total 2 gbit
>2 gbit /(1500*8 bit/frame) ~ 160k packets/s
>
>Please note that I did not test with smaller frame sizes, so 1Mp/s
>may be possible (I'll test that if I have some spare time).

I've done some benchmarks on a Sunfire x2100 with 2 port PCI Express ethernet cards. It switches 800KPPS for 64B packets.

Regards
Mohan

From leeweejin at hotmail.com Sun Jun 11 06:32:49 2006
From: leeweejin at hotmail.com (lee weejin)
Date: Fri Jun 16 09:02:16 2006
Subject: [LARTC] Optimization on Bandwidth Management-L7 filtering?
In-Reply-To: <446E00FF.1010305@netshadow.at>

From alchemyx at uznam.net.pl Wed Jun 14 12:09:04 2006
From: alchemyx at uznam.net.pl (Michał Margula)
Date: Fri Jun 16 09:14:13 2006
Subject: [LARTC] fwmark filter doesn't work as expected
Message-ID: <448FE040.4000009@uznam.net.pl>

Hello!

Currently I am marking packets with IPMARK, and then using the following rules:

1: class add dev eth0 parent 1:4 classid 1:100a htb rate $rate ceil $ceil quantum 1600
2: qdisc add dev eth0 parent 1:100a handle 100a:0 sfq perturb 10
3: filter add dev eth0 protocol ip parent 1:0 pref 30 handle 4106 fw classid 1:100a
4: class add dev eth1 parent 1:2 classid 1:100a htb rate $rate ceil $ceil quantum 1600
5: qdisc add dev eth1 parent 1:100a handle 100a:0 sfq perturb 10
6: filter add dev eth1 protocol ip parent 1:0 pref 30 u32 match ip dst 10.100.0.10 flowid 1:100a

I tried to remove line 3 and just put one line instead:

filter add dev eth0 parent 1:0 protocol ip pref 30 fw

But it does not work. Any ideas?

-- 
Michał Margula, alchemyx@uznam.net.pl, http://alchemyx.uznam.net.pl/
"In life, only moments are beautiful" [Ryszard Riedel]

From lists at andyfurniss.entadsl.com Wed Jun 14 17:32:29 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Fri Jun 16 09:16:00 2006
Subject: [LARTC] Re: [PATCH 0/2] NET: Accurate packet scheduling for ATM/ADSL
In-Reply-To: <1150286766.5233.15.camel@jzny2>
References: <1150278004.26181.35.camel@localhost.localdomain> <1150286766.5233.15.camel@jzny2>
Message-ID: <44902C0D.1010709@andyfurniss.entadsl.com>

jamal wrote:
> I have taken linux-kernel off the list.
>
> Russell's site is inaccessible to me (I actually think this is related
> to some DNS issues i may be having) and your masters is too long to
> spend 2 minutes and glean it; so heres a question or two for you:
>
> - Have you tried to do a long-lived session such as a large FTP and
> seen how far off the deviation was? That would provide some interesting
> data point.
> - To be a devil's advocate (and not claim there is no issue), where do
> you draw the line with "overhead"?

Me and many others have run a similar hack for years; there is also a userspace project still alive which does the same.

The difference is that without it I would need to sacrifice almost half my 288kbit atm/dsl showtime bandwidth to be sure of control. With the modification I can run at 286kbit / 288 and know I will never have jitter worse than the bitrate latency of an mtu packet. The 286 figure was chosen to allow a full buffer to drain / allow for timer inaccuracy etc.

On a p200 with tsc, 2.6.12 it's never gone over for me - though talking of timers I notice on my desktop 2.6.16 I gain 2 minutes a day now.

Andy.

From devik at cdi.cz Thu Jun 15 11:49:27 2006
From: devik at cdi.cz (Martin Devera)
Date: Fri Jun 16 09:18:23 2006
Subject: [LARTC] Re: [PATCH 0/2] Runtime configuration of HTB's HYSTERESIS option
In-Reply-To: <1150362059.5578.13.camel@ras.pc.brisbane.lube>
References: <1150362059.5578.13.camel@ras.pc.brisbane.lube>
Message-ID: <44912D27.4010503@cdi.cz>

Russell Stuart wrote:
> The HTB qdisc has a compile time option, HTB_HYSTERESIS,
> that trades accuracy of traffic classification for CPU
> time. These patches change hysteresis to be a runtime
> option under the control of "tc".
>
> The effects of HYSTERESIS on HTB's accuracy are significant
> (see chapter 7, section 7.3.1, pp 69-70 in Jesper Brouer's
> thesis: http://www.adsl-optimizer.dk/thesis/ ), whereas
> HTB's CPU usage on modern machines using broadband links
> is minimal. Currently HYSTERESIS is on by default, and
> requires a kernel re-compile to change. Altering it to
> be a runtime option will make life easier for the bulk of
> its users.

At the time of the HTB implementation I needed to reach 100MBit speed on a relatively slow box. The hysteresis was a way. On the other side I used a hand-made TSC based measure tool to compute the exact (15%) performance gain. Today I'd measure it using oprofile.

When rethinking it again I'd suggest to re-measure the real performance impact for both flat and deep class hierarchy and consider switching the hysteresis off by default (or even removing the code if the gain is negligible). If it is the case then it is the cleanest solution IMHO.

On the other side I see no problem with the attached patches. Have you tested the patched kernel with the old "tc" tool?

thanks for your effort,
Martin

From vinod_chandran at multitech.co.in Mon Jun 5 10:45:24 2006
From: vinod_chandran at multitech.co.in (Vinod Chandran)
Date: Fri Jun 16 09:23:37 2006
Subject: [LARTC] Static routing with multiple interfaces
Message-ID: <4483EF24.3060608@multitech.co.in>

Hi,

I am facing some strange problem with multipath routing. I have set up a rule stating that any packets coming from a certain ip address <192.168.52.66> should use an interface <eth1>. For this, I used the following commands:

ip rule add from 192.168.52.66 table 200
ip route add default table 200 via 192.168.19.76 dev eth1

Here 192.168.19.76 is eth1's gateway. This is how my rule structure looks:

0:      from all lookup local
49:     from 192.168.52.66 lookup 200
50:     from all lookup main
222:    from all lookup 222
32766:  from all lookup main
32767:  from all lookup 253

However this is not working, I have packets still going out through the other interface when sent from 192.168.51.66. This is how my default table (222) looks:

default proto static
        nexthop via 192.168.19.76 dev eth1 weight 1
        nexthop via 192.168.20.25 dev eth2 weight 1

I don't have a default route in the main or local table. Is there something that I am missing to get the static rule working?

Thanks and Regards,
Vinod C

From hi100nu at yahoo.com Fri Jun 16 08:41:00 2006
From: hi100nu at yahoo.com (sonu chouhan)
Date: Fri Jun 16 09:26:43 2006
Subject: [LARTC] problem with multi gatway routing
Message-ID: <20060616064100.41934.qmail@web32512.mail.mud.yahoo.com>

hi,

I want to make multigateway routing and I read your howto on http://lartc.org/howto/lartc.rpdb.multiple-links.html and created some rules which I am sending you, but with these rules I am not able to do multigateway routing on my linux router, so please help me out.

thanks

The rules are given below:

IF0=eth0
IF1=eth1
IF2=eth2
IP1=192.168.1.2
IP2=61.246.243.86
P1=192.168.1.1
P2=61.246.243.81
P1_NET=192.168.1.0/24
P2_NET=61.246.243.0/28
P0_NET=10.10.0.0/16

ip route add 192.168.1.0/24 dev eth1 src 192.168.1.2 table T1
ip route add default via 192.168.1.1 table T1
ip route add 61.246.243.0/28 dev eth2 src 61.246.243.86 table T2
ip route add default via 61.246.243.81 table T2
ip route add 192.168.1.0/24 dev eth1 src 192.168.1.2
ip route add 61.246.243.0/28 dev eth2 src 61.246.243.86
ip route add default via 192.168.1.1
ip rule add from 192.168.1.2 table T1
ip rule add from 61.246.243.86 table T2
ip route add 10.10.0.0/16 dev eth0 table T1
ip route add 61.246.243.0/28 dev eth2 table T1
ip route add 127.0.0.0/8 dev lo table T1
ip route add 10.10.0.0/16 dev eth0 table T2
ip route add 192.168.1.0/24 dev eth1 table T2
ip route add 127.0.0.0/8 dev lo table T2
ip route add default scope global nexthop via $P1 dev $IF1 weight 1 nexthop via $P2 dev $IF2 weight 1

echo 1 > /proc/sys/net/ipv4/ip_forward

IT=/usr/local/sbin/iptables
FO=FORWARD
IN=INPUT
OT=OUTPUT
PRE=PREROUTING
POST=POSTROUTING
MQ=MASQUERADE

######################## Flush all chains ##################################
/sbin/iptables -F FORWARD
/sbin/iptables -F OUTPUT
/sbin/iptables -F INPUT
/sbin/iptables -F -t nat
/sbin/iptables -F -t mangle

####################### Set the default policy #############################
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -t nat \
  -A POSTROUTING -j MASQUERADE

From tasoss at gmail.com Fri Jun 16 09:12:35 2006
From: tasoss at gmail.com (tasos)
Date: Fri Jun 16 09:27:58 2006
Subject: [LARTC] compilation on slackware 10.2
Message-ID: <346d745a0606160012p174cfda4n505eb0abaea5b62f@mail.gmail.com>

hello people and nice to meet you.

tasoss@starla:~/tcng$ ./configure
Reading configuration defaults from ./config
building tcsim: yes
Kernel source: /home/tasoss/linux-2.6.16.20
Kernel version: 2.6.16
iproute2 source: /home/tasoss/iproute2-2.6.16-060323
iproute2 version: 060323
Host byte order: little endian
tcng command: /home/tasoss/tcng/bin/tcng
YACC is: yacc
$ is not identifier: -$
tc supports "action": yes
building the manual: NO
install directory: /usr/local
tasoss@starla:~/tcng$
-----------------------------------------
make[2]: Entering directory `/home/tasoss/tcng/tcsim'
./setup.klib
./setup.klib: line 119: /home/tasoss/linux-2.6.16.20/net/sched/police.c: No such file or directory
make[2]: *** [klib/.ready] Error 1
make[2]: Leaving directory `/home/tasoss/tcng/tcsim'
make[1]: *** [tcsim] Error 2
make[1]: Leaving directory `/home/tasoss/tcng/tcsim'
make: *** [all] Error 1
------------------------------------------

tcng is compiled fine, but what can I do with tcsim?

Moreover, I would like you to suggest some good documentation about tc/tcng (traffic control generally?) except for what tldp has already.

And finally, my first step is to limit my adsl upload bandwidth from 128Kbps to 90kbps for example. Is it a one-line command?

Thank you in advance :-)

From russell-tcatm at stuart.id.au Thu Jun 15 11:00:59 2006
From: russell-tcatm at stuart.id.au (Russell Stuart)
Date: Fri Jun 16 09:40:59 2006
Subject: [LARTC] [PATCH 0/2] Runtime configuration of HTB's HYSTERESIS option
Message-ID: <1150362059.5578.13.camel@ras.pc.brisbane.lube>

The HTB qdisc has a compile time option, HTB_HYSTERESIS, that trades accuracy of traffic classification for CPU time. These patches change hysteresis to be a runtime option under the control of "tc".

The effects of HYSTERESIS on HTB's accuracy are significant (see chapter 7, section 7.3.1, pp 69-70 in Jesper Brouer's thesis: http://www.adsl-optimizer.dk/thesis/ ), whereas HTB's CPU usage on modern machines using broadband links is minimal. Currently HYSTERESIS is on by default, and requires a kernel re-compile to change. Altering it to be a runtime option will make life easier for the bulk of its users.

Further documentation on the patch and its usage can be found here: http://www.stuart.id.au/russell/files/tc/tc-atm

This is a combined effort of Jesper Brouer and Russell Stuart, to get these patches into the upstream kernel. Let the discussion start about what we need to change to get this upstream? We see this as a feature enhancement, as such hope that it can be queued in davem's net-2.6.18.git tree.

-- 
Regards
Russell Stuart and Jesper Brouer

From russell-tcatm at stuart.id.au Thu Jun 15 11:01:49 2006
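To make the accuracy-for-CPU trade in the cover letter concrete, here is an added user-space model (example code written for this edit, not code from the kernel, from the patch or from its authors) of the pre-patch htb_class_mode() decision with the compile-time HTB_HYSTERESIS switch turned into a per-class flag; the burst sizes and the token sequence are constructed, and the struct is a stand-in for the few htb_class fields the decision reads.

```c
#include <stdio.h>

/* Class modes, in the order the kernel defines them. */
enum htb_cmode { HTB_CANT_SEND, HTB_MAY_BORROW, HTB_CAN_SEND };

/* Constructed stand-in for the fields of struct htb_class that
 * htb_class_mode() looks at. Tokens are credit in time units: negative
 * means the class has sent beyond its rate (tokens) or ceil (ctokens);
 * buffer/cbuffer are the burst allowances in the same units. */
struct htb_class_model {
    long tokens, ctokens;
    long buffer, cbuffer;
    enum htb_cmode cmode;
    int nohyst;            /* 1: behave as if HTB_HYSTERESIS were 0 */
};

/* Model of the pre-patch htb_class_mode(): *diff is the credit gained
 * since the last check and, on a demotion, is overwritten with the
 * distance to the boundary, as in the kernel. */
static enum htb_cmode class_mode(struct htb_class_model *cl, long *diff)
{
    long toks;
    /* With hysteresis a class not already CANT_SEND may run cbuffer
     * into ceil debt before being demoted ... */
    long ceil_thr = (!cl->nohyst && cl->cmode != HTB_CANT_SEND) ? -cl->cbuffer : 0;
    /* ... and a class already CAN_SEND may run buffer into rate debt
     * before dropping to MAY_BORROW. Without hysteresis both are 0. */
    long rate_thr = (!cl->nohyst && cl->cmode == HTB_CAN_SEND) ? -cl->buffer : 0;

    if ((toks = cl->ctokens + *diff) < ceil_thr) {
        *diff = -toks;
        return HTB_CANT_SEND;
    }
    if ((toks = cl->tokens + *diff) >= rate_thr)
        return HTB_CAN_SEND;
    *diff = -toks;
    return HTB_MAY_BORROW;
}

/* One evaluation of a class with a constructed burst of 3000 units in
 * both directions, starting from mode `cur`. */
enum htb_cmode mode_from(int nohyst, enum htb_cmode cur, long tokens, long ctokens)
{
    struct htb_class_model cl = {
        .tokens = tokens, .ctokens = ctokens,
        .buffer = 3000, .cbuffer = 3000,
        .cmode = cur, .nohyst = nohyst,
    };
    long diff = 0;
    return class_mode(&cl, &diff);
}

/* Constructed rate-token balances seen at successive checks: the class
 * keeps dipping a little below zero and recovering. */
const long sample_tokens[] = { -500, 200, -1000, 100, -2000, 50, -3500, 10, -100 };
#define SAMPLE_N 9

/* Replay the sequence from HTB_CAN_SEND with ceil credit kept large (so
 * only the rate side matters) and count how often the mode changes. */
int count_mode_changes(int nohyst, const long *tokens, int n)
{
    struct htb_class_model cl = {
        .tokens = 0, .ctokens = 1000000,
        .buffer = 3000, .cbuffer = 3000,
        .cmode = HTB_CAN_SEND, .nohyst = nohyst,
    };
    int changes = 0;
    for (int i = 0; i < n; i++) {
        long diff = 0;
        enum htb_cmode m;
        cl.tokens = tokens[i];
        m = class_mode(&cl, &diff);
        if (m != cl.cmode) {
            changes++;
            cl.cmode = m;
        }
    }
    return changes;
}

int main(void)
{
    /* Hysteresis on: 2 changes. Off (nohyst): 9, one per sign flip. */
    printf("mode changes over %d checks: hysteresis on = %d, nohyst = %d\n",
           SAMPLE_N, count_mode_changes(0, sample_tokens, SAMPLE_N),
           count_mode_changes(1, sample_tokens, SAMPLE_N));
    return 0;
}
```

The price of the fewer transitions is visible in mode_from(): with hysteresis a CAN_SEND class is still served at its own rate while up to 3000 units in rate debt, which is the accuracy loss the thesis chapter measures.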
From: russell-tcatm at stuart.id.au (Russell Stuart) Date: Fri Jun 16 09:41:30 2006 Subject: [LARTC] [PATCH 2/2] Runtime configuration of HTB's HYSTERESIS option (userspace) Message-ID: <1150362109.5578.16.camel@ras.pc.brisbane.lube> The HTB qdisc has a compile time option, HTB_HYSTERESIS, that trades accuracy of traffic classification for CPU time. These patches change hysteresis to be a runtime option under the control of "tc". The effects of HYSTERESIS on HTB's accuracy are significant (see chapter 7, section 7.3.1, pp 69-70 in Jesper Brouer's thesis: http://www.adsl-optimizer.dk/thesis/ ), whereas HTB's CPU usage on modern machines using broadband links is minimal. Currently HYSTERESIS is on by default, and requires a kernel re-compile to change. Altering it to be a runtime option will make life easier for the bulk of its users. Further documentation on the patch and its usage can be found here: http://www.stuart.id.au/russell/files/tc/tc-atm Signed-off-by: Russell Stuart Signed-off-by: Jesper Dangaard Brouer --- diff -Nurp iproute2.orig/include/linux/pkt_sched.h iproute2/include/linux/pkt_sched.h --- iproute2.orig/include/linux/pkt_sched.h 2006-06-13 11:53:27.000000000 +1000 +++ iproute2/include/linux/pkt_sched.h 2006-06-13 11:54:50.000000000 +1000 @@ -232,6 +232,10 @@ struct tc_gred_sopt #define TC_HTB_MAXDEPTH 8 #define TC_HTB_PROTOVER 3 /* the same as HTB and TC's major */ +struct tc_htb_hopt +{ + __u32 nohyst; +}; struct tc_htb_opt { struct tc_ratespec rate; @@ -259,6 +263,7 @@ enum TCA_HTB_INIT, TCA_HTB_CTAB, TCA_HTB_RTAB, + TCA_HTB_NOHYST, __TCA_HTB_MAX, }; diff -Nurp iproute2.orig/tc/q_htb.c iproute2/tc/q_htb.c --- iproute2.orig/tc/q_htb.c 2006-06-13 11:53:27.000000000 +1000 +++ iproute2/tc/q_htb.c 2006-06-13 11:54:50.000000000 +1000 
@@ -35,7 +35,7 @@ static void explain(void) " r2q DRR quantums are computed as rate in Bps/r2q {10}\n" " debug string of 16 numbers each 0-3 {0}\n\n" "... class add ... htb rate R1 [burst B1] [mpu B] [overhead O] [atm]\n" - " [prio P] [slot S] [pslot PS]\n" + " [prio P] [slot S] [pslot PS] [nohyst]\n" " [ceil R2] [cburst B2] [mtu MTU] [quantum Q]\n" " rate rate allocated to this class (class can still borrow)\n" " burst max bytes burst which can be accumulated during idle period {computed}\n" @@ -46,6 +46,7 @@ static void explain(void) " cburst burst but for ceil {computed}\n" " mtu max packet size we create rate map for {1600}\n" " prio priority of leaf; lower are served first {0}\n" + " nohyst disable hysteresis (heavier on CPU but more accurate)\n" " quantum how much bytes to serve from leaf at once {use r2q}\n" "\nTC HTB version %d.%d\n",HTB_TC_VER>>16,HTB_TC_VER&0xffff ); @@ -104,6 +105,7 @@ static int htb_parse_class_opt(struct qd { int ok=0; struct tc_htb_opt opt; + struct tc_htb_hopt hopt; __u32 rtab[256],ctab[256]; unsigned buffer=0,cbuffer=0; int cell_log=-1,ccell_log = -1; @@ -114,6 +116,7 @@ static int htb_parse_class_opt(struct qd struct rtattr *tail; memset(&opt, 0, sizeof(opt)); mtu = 1600; /* eth packet len */ + memset(&hopt, 0, sizeof(hopt)); while (argc > 0) { if (matches(*argv, "prio") == 0) { @@ -132,6 +135,8 @@ static int htb_parse_class_opt(struct qd if (get_u8(&mpu8, *argv, 10)) { explain1("mpu"); return -1; } + } else if (matches(*argv, "nohyst") == 0) { + hopt.nohyst = 1; } else if (matches(*argv, "overhead") == 0) { NEXT_ARG(); if (get_s8(&overhead, *argv, 10)) { 
@@ -221,14 +226,16 @@ static int htb_parse_class_opt(struct qd addattr_l(n, 2024, TCA_HTB_PARMS, &opt, sizeof(opt)); addattr_l(n, 3024, TCA_HTB_RTAB, rtab, 1024); addattr_l(n, 4024, TCA_HTB_CTAB, ctab, 1024); + addattr_l(n, 5024, TCA_HTB_NOHYST, &hopt, sizeof(hopt)); tail->rta_len = (void *) NLMSG_TAIL(n) - (void *) tail; return 0; } static int htb_print_opt(struct qdisc_util *qu, FILE *f, struct rtattr *opt) { - struct rtattr *tb[TCA_HTB_RTAB+1]; + struct rtattr *tb[TCA_HTB_MAX+1]; struct tc_htb_opt *hopt; + struct tc_htb_hopt *uhopt; struct tc_htb_glob *gopt; double buffer,cbuffer; SPRINT_BUF(b1); @@ -238,7 +245,7 @@ static int htb_print_opt(struct qdisc_ut if (opt == NULL) return 0; - parse_rtattr_nested(tb, TCA_HTB_RTAB, opt); + parse_rtattr_nested(tb, TCA_HTB_MAX, opt); if (tb[TCA_HTB_PARMS]) { @@ -278,6 +285,13 @@ static int htb_print_opt(struct qdisc_ut fprintf(f, "buffer [%08x] cbuffer [%08x] ", hopt->buffer,hopt->cbuffer); } + if (tb[TCA_HTB_NOHYST]) { + uhopt = RTA_DATA(tb[TCA_HTB_NOHYST]); + if (RTA_PAYLOAD(tb[TCA_HTB_NOHYST]) < sizeof(*uhopt)) return -1; + + if (uhopt->nohyst) + fprintf(f, "nohyst "); + } if (tb[TCA_HTB_INIT]) { gopt = RTA_DATA(tb[TCA_HTB_INIT]); if (RTA_PAYLOAD(tb[TCA_HTB_INIT]) < sizeof(*gopt)) return -1; -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20060615/d3de087e/attachment.pgp From russell-tcatm at stuart.id.au Thu Jun 15 11:01:28 2006 
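Review bot: in the pkt_sched.h hunk the new struct is named generically (tc_htb_hopt) while the attribute that carries it, TCA_HTB_NOHYST in the enum hunk, is named for a single flag; pick one scheme, either TCA_HTB_HOPT for a struct that is meant to grow further per-class flags, or a bare __u32 if nohyst is all it will ever hold. The naming also collides in q_htb.c, where `hopt` is already the `struct tc_htb_opt *` in htb_print_opt, so the new `struct tc_htb_hopt *` has to be called `uhopt`; the two are easy to confuse, and a name like `nohyst_opt` would read better.

Review bot: the `addattr_l(n, 5024, TCA_HTB_NOHYST, &hopt, sizeof(hopt));` line in htb_parse_class_opt sends the attribute on every class change, including when hopt.nohyst is 0. A kernel without patch 1/2 does not know TCA_HTB_NOHYST (this patch's own print path had to raise its parse_rtattr_nested bound from TCA_HTB_RTAB to TCA_HTB_MAX to see it), so `nohyst` on such a kernel is accepted by tc and silently does nothing. Emit the attribute only when the option was given, and say in the help text that the kernel must support it, so a user who does not see "nohyst" echoed back by `tc class show` knows which side to suspect.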
From: russell-tcatm at stuart.id.au (Russell Stuart) Date: Fri Jun 16 09:41:51 2006 Subject: [LARTC] [PATCH 1/2] Runtime configuration of HTB's HYSTERESIS option (kernel) Message-ID: <1150362088.5578.15.camel@ras.pc.brisbane.lube> The HTB qdisc has a compile time option, HTB_HYSTERESIS, that trades accuracy of traffic classification for CPU time. These patches change hysteresis to be a runtime option under the control of "tc". The effects of HYSTERESIS on HTB's accuracy are significant (see chapter 7, section 7.3.1, pp 69-70 in Jesper Brouer's thesis: http://www.adsl-optimizer.dk/thesis/ ), whereas HTB's CPU usage on modern machines using broadband links is minimal. Currently HYSTERESIS is on by default, and requires a kernel re-compile to change. Altering it to be a runtime option will make life easier for the bulk of its users. Further documentation on the patch and its usage can be found here: http://www.stuart.id.au/russell/files/tc/tc-atm Signed-off-by: Russell Stuart Signed-off-by: Jesper Dangaard Brouer --- diff -Nurp kernel-source-2.6.11.orig/include/linux/pkt_sched.h kernel-source-2.6.11/include/linux/pkt_sched.h --- kernel-source-2.6.11.orig/include/linux/pkt_sched.h 2005-03-02 17:38:13.000000000 +1000 +++ kernel-source-2.6.11/include/linux/pkt_sched.h 2006-06-13 11:34:25.000000000 +1000 @@ -231,6 +231,10 @@ struct tc_gred_sopt #define TC_HTB_MAXDEPTH 8 #define TC_HTB_PROTOVER 3 /* the same as HTB and TC's major */ +struct tc_htb_hopt +{ + __u32 nohyst; +}; struct tc_htb_opt { struct tc_ratespec rate; @@ -258,6 +262,7 @@ enum TCA_HTB_INIT, TCA_HTB_CTAB, TCA_HTB_RTAB, + TCA_HTB_NOHYST, __TCA_HTB_MAX, }; diff -Nurp kernel-source-2.6.11.orig/net/sched/sch_htb.c kernel-source-2.6.11/net/sched/sch_htb.c --- kernel-source-2.6.11.orig/net/sched/sch_htb.c 2005-03-02 17:38:12.000000000 +1000 +++ kernel-source-2.6.11/net/sched/sch_htb.c 2006-06-13 11:34:25.000000000 +1000 
@@ -73,7 +73,6 @@ #define HTB_EWMAC 2 /* rate average over HTB_EWMAC*HTB_HSIZE sec */ #undef HTB_DEBUG /* compile debugging support (activated by tc tool) */ #define HTB_RATECM 1 /* whether to use rate computer */ -#define HTB_HYSTERESIS 1/* whether to use mode hysteresis for speedup */ #define HTB_QLOCK(S) spin_lock_bh(&(S)->dev->queue_lock) #define HTB_QUNLOCK(S) spin_unlock_bh(&(S)->dev->queue_lock) #define HTB_VER 0x30011 /* major must be matched with number suplied by TC as version */ @@ -190,6 +189,7 @@ struct htb_class /* class attached filters */ struct tcf_proto *filter_list; int filter_cnt; + int nohyst; /* Don't use hysteresis htb_class_mode */ int warned; /* only one warning about non work conserving .. */ @@ -622,20 +622,14 @@ static __inline__ enum htb_cmode htb_class_mode(struct htb_class *cl,long *diff) { long toks; + long hysteresis = + (cl->nohyst || cl->cmode == HTB_CANT_SEND) ? 0 : -cl->cbuffer; - if ((toks = (cl->ctokens + *diff)) < ( -#if HTB_HYSTERESIS - cl->cmode != HTB_CANT_SEND ? -cl->cbuffer : -#endif - 0)) { + if ((toks = (cl->ctokens + *diff)) < hysteresis) { *diff = -toks; return HTB_CANT_SEND; } - if ((toks = (cl->tokens + *diff)) >= ( -#if HTB_HYSTERESIS - cl->cmode == HTB_CAN_SEND ? -cl->buffer : -#endif - 0)) + if ((toks = (cl->tokens + *diff)) >= hysteresis) return HTB_CAN_SEND; *diff = -toks; @@ -1323,6 +1317,7 @@ static int htb_dump_class(struct Qdisc * unsigned char *b = skb->tail; struct rtattr *rta; struct tc_htb_opt opt; + struct tc_htb_hopt hopt; HTB_DBG(0,1,"htb_dump_class handle=%X clid=%X\n",sch->handle,cl->classid); @@ -1342,6 +1337,8 @@ static int htb_dump_class(struct Qdisc * opt.quantum = cl->un.leaf.quantum; opt.prio = cl->un.leaf.prio; opt.level = cl->level; RTA_PUT(skb, TCA_HTB_PARMS, sizeof(opt), &opt); + hopt.nohyst = cl->nohyst; + RTA_PUT(skb, TCA_HTB_NOHYST, sizeof(hopt), &hopt); rta->rta_len = skb->tail - b; HTB_QUNLOCK(sch); return skb->len; 
@@ -1527,11 +1524,12 @@ static int htb_change_class(struct Qdisc struct htb_class *cl = (struct htb_class*)*arg,*parent; struct rtattr *opt = tca[TCA_OPTIONS-1]; struct qdisc_rate_table *rtab = NULL, *ctab = NULL; - struct rtattr *tb[TCA_HTB_RTAB]; + struct rtattr *tb[TCA_HTB_MAX]; struct tc_htb_opt *hopt; + struct tc_htb_hopt *uhopt; /* extract all subattrs from opt attr */ - if (!opt || rtattr_parse_nested(tb, TCA_HTB_RTAB, opt) || + if (!opt || rtattr_parse_nested(tb, TCA_HTB_MAX, opt) || tb[TCA_HTB_PARMS-1] == NULL || RTA_PAYLOAD(tb[TCA_HTB_PARMS-1]) < sizeof(*hopt)) goto failure; @@ -1544,6 +1542,10 @@ static int htb_change_class(struct Qdisc ctab = qdisc_get_rtab(&hopt->ceil, tb[TCA_HTB_CTAB-1]); if (!rtab || !ctab) goto failure; + uhopt = RTA_DATA(tb[TCA_HTB_NOHYST-1]); + if (uhopt != NULL && RTA_PAYLOAD(tb[TCA_HTB_NOHYST-1]) < sizeof(*uhopt)) + goto failure; + if (!cl) { /* new class */ struct Qdisc *new_q; /* check for valid classid */ @@ -1636,6 +1638,7 @@ static int htb_change_class(struct Qdisc cl->cbuffer = hopt->cbuffer; if (cl->rate) qdisc_put_rtab(cl->rate); cl->rate = rtab; if (cl->ceil) qdisc_put_rtab(cl->ceil); cl->ceil = ctab; + if (uhopt) cl->nohyst = uhopt->nohyst; sch_tree_unlock(sch); *arg = (unsigned long)cl; From met0d at yes.nu Fri Jun 16 09:52:46 2006
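Review bot: the pkt_sched.h hunk names the new nested attribute TCA_HTB_NOHYST but makes it carry a `struct tc_htb_hopt` rather than a bare flag. If the struct is meant to grow with further per-class knobs, give the attribute a matching generic name now (renaming a UAPI enum later is painful); if it is really just one flag, a plain `__u32` attribute is simpler and avoids the extra struct.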
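Review bot: the htb_class_mode() hunk changes behaviour beyond making hysteresis switchable. The removed code used two different thresholds: the ceil test compared against `cl->cmode != HTB_CANT_SEND ? -cl->cbuffer : 0` and the rate test against `cl->cmode == HTB_CAN_SEND ? -cl->buffer : 0`. The new single `hysteresis` value (-cl->cbuffer unless nohyst or HTB_CANT_SEND) is used for both, so in HTB_MAY_BORROW the rate test now runs against -cl->cbuffer instead of 0, and in HTB_CAN_SEND against -cl->cbuffer instead of -cl->buffer. Unless that is deliberate (and then the changelog should say so), compute two values, e.g. `long lo = ...; long hi = ...;`, with `cl->nohyst` forcing both to 0.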
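Review bot: in the htb_change_class() hunk, `uhopt = RTA_DATA(tb[TCA_HTB_NOHYST-1]);` does not give NULL when the attribute is absent: RTA_DATA() only adds RTA_LENGTH(0) to its argument, so a NULL entry yields a small non-NULL pointer, the `uhopt != NULL && RTA_PAYLOAD(tb[TCA_HTB_NOHYST-1]) < sizeof(*uhopt)` test then dereferences the NULL rtattr, and the later `if (uhopt) cl->nohyst = uhopt->nohyst;` reads through the bogus pointer. An unpatched tc never sends TCA_HTB_NOHYST, so this is the common path, not a corner case. Test the table entry first, e.g. `uhopt = tb[TCA_HTB_NOHYST-1] ? RTA_DATA(tb[TCA_HTB_NOHYST-1]) : NULL;`, and keep the payload check behind `uhopt != NULL`.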
From: met0d at yes.nu (Tomas Bonnedahl) Date: Fri Jun 16 09:52:38 2006 Subject: [LARTC] Linux router performance In-Reply-To: <004e01c684dc$3dfc3c10$303d5854@cttc.es> References: <004e01c684dc$3dfc3c10$303d5854@cttc.es> Message-ID: <4492634E.70201@yes.nu> Fermín Galán Márquez wrote: > Hi, > > I wonder about the performance of a Linux box used as a router (I guess I'm > not the first :). Although I know it mainly depends on the hardware, I'm > trying to find some references on the topic or comparisons with other > routing solutions (FreeBSD box used as router, Cisco, etc). For example, > http://facweb.cti.depaul.edu/jyu/Publications/Yu-Linux-TSM2004.pdf > (although it is related to Linux bridging more than to Linux routing) shows > in Figure 14 that with an AMD Duron 1.3GHz 512M RAM a throughput of 90 Mbps > can be achieved. > > Does anybody know of any other similar analysis, please? > > Best regards, > > -------------------- > Fermín Galán Márquez > CTTC - Centre Tecnològic de Telecomunicacions de Catalunya > Parc Mediterrani de la Tecnologia, Av. del Canal Olímpic s/n, 08860 > Castelldefels, Spain > Room 1.02 > Tel : +34 93 645 29 12 > Fax : +34 93 645 29 01 > Email address: fermin.galan@cttc.es > This was seen on the mailing list a couple of years ago; it doesn't say much, but it shows what can be done. On Mon, 02 Dec 2002 22:30:10 +0100 Anton Tinchev wrote: > > Hi, > > first I want to thank you for the great work. > > I have a few slack boxes with several 3com cards that act as routers. > > Some of them have 50+ vlans, 100 000+ routing entries, full BGP (zebra) with 10+ peers > > and route 50-70 mb/s traffic. Everything is rock solid, few months' uptimes. > Sounds pretty impressive, really. I admire such setups. > > I want to upgrade some of my cards and need advice what to use.
> > On 100+mb/s interrupts are killing my boxes - 20 000+/s (yes, coalescing, I know:)) > > What to use? tigon2 or tigon3 for gigabit? (3c985 or 3c996) > None of them! Or at least not tigon3! I've tried to use one (3c996-T), and I experienced strange system lockups. The board is a dual Tyan Tiger MP with a couple of Athlon MP 1600+. It was just hanging from time to time with completely no output of any kind. Just rock solid lockup. :/ Anyway, I changed to a good old 3c905C and now I don't have any problems. Well, I'm serving at half of your rate, but anyway. So, I would suggest using HP equipment. At least I've heard that it works quite well. From hawk at diku.dk Fri Jun 16 10:23:06 2006 From: hawk at diku.dk (Jesper Dangaard Brouer) Date: Fri Jun 16 10:23:02 2006 Subject: [LARTC] Linux router performance (fwd) Message-ID: I think that Robert Olsson's post never made it through the filters... ---------- Forwarded message ---------- Date: Fri, 2 Jun 2006 12:32:53 +0200
From: Robert Olsson To: Jesper Dangaard Brouer Cc: Andreas John, Robert Olsson, lartc@mailman.ds9a.nl Subject: Re: [LARTC] Linux router performance Jesper Dangaard Brouer writes: > > Hi > > I'm sure that Robert can provide us with some interesting numbers. > > I have just tested routing performance on an AMD Opteron 270 (dual core); > here I can route 400 kpps (tg3 netcards on PCI-X). I use the kernel > module "pktgen" to generate the packets (64 bytes in size). 400 kpps is decent, but it all depends on your setup and what you're testing. Single flow? Number of packets in an environment with a high number of flows (forces lookup of the dst cache, route lookup and garbage collection) is the most challenging. Also how filters and eventually stateful information are handled. For single flow tests most things end up in L2 cache and we're mostly limited to latency: bus latency, memory latency etc. For large packets, bus and memory bandwidth. We've seen 500 kpps in some of our production routers for BGP and about 500 filters. Dual Opteron 2.6 GHz. But you need to have a "setup" routing so it can make best use of your HW. Cheers. --ro From hawk at diku.dk Fri Jun 16 10:26:03 2006
From: hawk at diku.dk (Jesper Dangaard Brouer) Date: Fri Jun 16 10:25:57 2006 Subject: [LARTC] [PATCH 0/2] NET: Accurate packet scheduling for ATM/ADSL Message-ID: (Resend message bounced to LARTC) The Linux traffic control engine inaccurately calculates transmission times for packets sent over ADSL links. For some packet sizes the error rises to over 50%. This occurs because ADSL uses ATM as its link layer transport, and ATM transmits packets in fixed-size 53-byte cells. The following patches to iproute2 and the kernel add an option to calculate traffic transmission times over all ATM links, including ADSL, with perfect accuracy. A longer presentation of the patch, its rationale, what it does and how to use it can be found here: http://www.stuart.id.au/russell/files/tc/tc-atm/ An earlier version of the patch, and a _detailed_ empirical investigation of its effects, can be found here: http://www.adsl-optimizer.dk/ The patches are both backwards and forwards compatible. This means unpatched kernels will work with a patched version of iproute2, and an unpatched iproute2 will work on patched kernels. This is a combined effort of Jesper Brouer and Russell Stuart to get these patches into the upstream kernel. Let the discussion start about what we need to change to get this upstream. We see this as a feature enhancement, and thus hope that it can be queued in davem's net-2.6.18.git tree. --- Regards, Jesper Brouer & Russell Stuart. From hawk at diku.dk Fri Jun 16 10:26:38 2006
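A C model of the problem the cover letter describes, added here as an example (it is not part of these patches, of iproute2 or of the kernel): it builds a 256-entry rate table of the kind tc hands to the kernel, looks it up the way the qdisc_l2t() added by the kernel patch below does, and measures how far a byte-count table is off on an ATM link and how cell-aware entries plus a slot shift (cell_align) remove the error. The 53/48-byte cell figures come from the cover letter; the per-slot representative size, cell_log 3, cell_align -1 and the 1 Mbyte/s link are assumptions of this example.

```c
#include <stdio.h>

#define ATM_CELL_SIZE    53   /* bytes on the wire per ATM cell (cover letter) */
#define ATM_CELL_PAYLOAD 48   /* user bytes carried per cell */
#define RTAB_SIZE        256  /* entries in a tc rate table */

/* Bytes the ATM link really carries for a frame of `size` bytes: 48-byte
 * chunks, the last one padded, each costing a 53-byte cell. */
static int atm_wire_bytes(int size)
{
    int cells = size / ATM_CELL_PAYLOAD;
    if (size % ATM_CELL_PAYLOAD != 0)
        cells++;
    return cells * ATM_CELL_SIZE;
}

/* Microseconds needed to put `bytes` on a link of `bps` bytes per second. */
static double xmit_usec(unsigned bps, int bytes)
{
    return 1000000.0 * bytes / bps;
}

/* A rate table as tc hands it to the kernel: t[i] is the transmit time for
 * the packet sizes that map to slot i. cell_align models the field the
 * kernel patch adds to struct tc_ratespec (always 0 on old kernels). */
struct rtab {
    double t[RTAB_SIZE];
    int    cell_log;
    int    cell_align;
};

/* Fill the table. Slot i is computed for the largest size it covers,
 * (i + 1) << cell_log (an assumption of this example; the patched
 * tc_calc_ratespec() is not shown on this page), plus `overhead` bytes per
 * packet, rounded up to whole ATM cells when `atm` is set. */
static void rtab_build(struct rtab *r, unsigned bps, int cell_log,
                       int cell_align, int overhead, int atm)
{
    int i;
    r->cell_log = cell_log;
    r->cell_align = cell_align;
    for (i = 0; i < RTAB_SIZE; i++) {
        int sz = ((i + 1) << cell_log) + overhead;
        r->t[i] = xmit_usec(bps, atm ? atm_wire_bytes(sz) : sz);
    }
}

/* Lookup mirroring the patched kernel's qdisc_l2t(): shift the size by
 * cell_align, clamp at 0, index by cell_log, clamp giants to the last slot. */
static double rtab_lookup(const struct rtab *r, int pktlen)
{
    int slot = pktlen + r->cell_align;
    if (slot < 0)
        slot = 0;
    slot >>= r->cell_log;
    if (slot > RTAB_SIZE - 1)
        slot = RTAB_SIZE - 1;
    return r->t[slot];
}

/* Worst relative error (percent of the true ATM time, sign dropped) of the
 * table over packet sizes 1..max_len. */
static double rtab_max_error_pct(const struct rtab *r, unsigned bps,
                                 int overhead, int max_len)
{
    double worst = 0.0;
    int len;
    for (len = 1; len <= max_len; len++) {
        double real = xmit_usec(bps, atm_wire_bytes(len + overhead));
        double err = 100.0 * (real - rtab_lookup(r, len)) / real;
        if (err < 0)
            err = -err;
        if (err > worst)
            worst = err;
    }
    return worst;
}

int main(void)
{
    /* Constructed setup: 1 Mbyte/s link, 8-byte slots (cell_log 3), no
     * per-packet overhead. With overhead the 48-byte boundaries move and
     * cell_align has to move with them; try overhead 10 to see the effect. */
    const unsigned bps = 1000000;
    struct rtab naive, atm, aligned;

    rtab_build(&naive, bps, 3, 0, 0, 0);    /* byte count only, as before */
    rtab_build(&atm, bps, 3, 0, 0, 1);      /* cell-aware entries */
    rtab_build(&aligned, bps, 3, -1, 0, 1); /* cell-aware entries + slot shift */
    printf("48-byte packet: true %.0f us, naive %.0f, atm %.0f, aligned %.0f\n",
           xmit_usec(bps, atm_wire_bytes(48)), rtab_lookup(&naive, 48),
           rtab_lookup(&atm, 48), rtab_lookup(&aligned, 48));
    printf("worst error, 1..1500 bytes: naive %.0f%%, atm %.0f%%, aligned %.0f%%\n",
           rtab_max_error_pct(&naive, bps, 0, 1500),
           rtab_max_error_pct(&atm, bps, 0, 1500),
           rtab_max_error_pct(&aligned, bps, 0, 1500));
    return 0;
}
```

With these assumptions the byte-count table is off by over 80% for the smallest packets, cell-aware entries alone still miss by 100% at exact cell multiples such as 48 bytes, and the slot shift makes every size 1..1500 exact.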
From: hawk at diku.dk (Jesper Dangaard Brouer) Date: Fri Jun 16 10:26:49 2006 Subject: [LARTC] [PATCH 1/2] NET: Accurate packet scheduling for ATM/ADSL (kernel) Message-ID: (Resend message bounced to LARTC) The Linux traffic control engine inaccurately calculates transmission times for packets sent over ADSL links. For some packet sizes the error rises to over 50%. This occurs because ADSL uses ATM as its link layer transport, and ATM transmits packets in fixed-size 53-byte cells. This changes the kernel rate table lookup to be able to look up packet transmission times over all ATM links, including ADSL, with perfect accuracy. The accuracy is dependent on the rate table that is calculated in userspace by the iproute2 command tc. A longer presentation of the patch, its rationale, what it does and how to use it can be found here: http://www.stuart.id.au/russell/files/tc/tc-atm/ An earlier version of the patch, and a _detailed_ empirical investigation of its effects, can be found here: http://www.adsl-optimizer.dk/ Signed-off-by: Jesper Dangaard Brouer Signed-off-by: Russell Stuart --- diff -Nurp kernel-source-2.6.16.orig/include/linux/pkt_sched.h kernel-source-2.6.16/include/linux/pkt_sched.h --- kernel-source-2.6.16.orig/include/linux/pkt_sched.h 2006-03-20 15:53:29.000000000 +1000 +++ kernel-source-2.6.16/include/linux/pkt_sched.h 2006-06-13 11:42:12.000000000 +1000 @@ -77,8 +77,9 @@ struct tc_ratespec { unsigned char cell_log; unsigned char __reserved; - unsigned short feature; - short addend; + unsigned short feature; /* Always 0 in pre-atm patch kernels */ + char cell_align; /* Always 0 in pre-atm patch kernels */ + unsigned char __unused; unsigned short mpu; __u32 rate; }; diff -Nurp kernel-source-2.6.16.orig/include/net/sch_generic.h kernel-source-2.6.16/include/net/sch_generic.h --- kernel-source-2.6.16.orig/include/net/sch_generic.h 2006-03-20 15:53:29.000000000 +1000 +++ kernel-source-2.6.16/include/net/sch_generic.h 2006-06-13 11:42:12.000000000 +1000
@@ -307,4 +307,18 @@ drop: return NET_XMIT_DROP; } +/* Lookup a qdisc_rate_table to determine how long it will take to send a + packet given its size. + */ +static inline u32 qdisc_l2t(struct qdisc_rate_table* rtab, int pktlen) +{ + int slot = pktlen + rtab->rate.cell_align; + if (slot < 0) + slot = 0; + slot >>= rtab->rate.cell_log; + if (slot > 255) + return rtab->data[255] + 1; + return rtab->data[slot]; +} + #endif diff -Nurp kernel-source-2.6.16.orig/net/sched/act_police.c kernel-source-2.6.16/net/sched/act_police.c --- kernel-source-2.6.16.orig/net/sched/act_police.c 2006-03-20 15:53:29.000000000 +1000 +++ kernel-source-2.6.16/net/sched/act_police.c 2006-06-13 11:42:12.000000000 +1000 @@ -33,8 +33,8 @@ #include #include -#define L2T(p,L) ((p)->R_tab->data[(L)>>(p)->R_tab->rate.cell_log]) -#define L2T_P(p,L) ((p)->P_tab->data[(L)>>(p)->P_tab->rate.cell_log]) +#define L2T(p,L) qdisc_l2t((p)->R_tab,L) +#define L2T_P(p,L) qdisc_l2t((p)->P_tab,L) #define PRIV(a) ((struct tcf_police *) (a)->priv) /* use generic hash table */ diff -Nurp kernel-source-2.6.16.orig/net/sched/sch_cbq.c kernel-source-2.6.16/net/sched/sch_cbq.c --- kernel-source-2.6.16.orig/net/sched/sch_cbq.c 2006-03-20 15:53:29.000000000 +1000 +++ kernel-source-2.6.16/net/sched/sch_cbq.c 2006-06-13 11:42:12.000000000 +1000 @@ -193,7 +193,7 @@ struct cbq_sched_data }; -#define L2T(cl,len) ((cl)->R_tab->data[(len)>>(cl)->R_tab->rate.cell_log]) +#define L2T(cl,len) qdisc_l2t((cl)->R_tab,len) static __inline__ unsigned cbq_hash(u32 h) diff -Nurp kernel-source-2.6.16.orig/net/sched/sch_htb.c kernel-source-2.6.16/net/sched/sch_htb.c --- kernel-source-2.6.16.orig/net/sched/sch_htb.c 2006-03-20 15:53:29.000000000 +1000 +++ kernel-source-2.6.16/net/sched/sch_htb.c 2006-06-13 11:42:12.000000000 +1000 
@@ -206,12 +206,10 @@ struct htb_class static __inline__ long L2T(struct htb_class *cl,struct qdisc_rate_table *rate, int size) { - int slot = size >> rate->rate.cell_log; - if (slot > 255) { + long result = qdisc_l2t(rate, size); + if (result > rate->data[255]) cl->xstats.giants++; - slot = 255; - } - return rate->data[slot]; + return result; } struct htb_sched diff -Nurp kernel-source-2.6.16.orig/net/sched/sch_tbf.c kernel-source-2.6.16/net/sched/sch_tbf.c --- kernel-source-2.6.16.orig/net/sched/sch_tbf.c 2006-03-20 15:53:29.000000000 +1000 +++ kernel-source-2.6.16/net/sched/sch_tbf.c 2006-06-13 11:42:12.000000000 +1000 @@ -132,8 +132,8 @@ struct tbf_sched_data struct Qdisc *qdisc; /* Inner qdisc, default - bfifo queue */ }; -#define L2T(q,L) ((q)->R_tab->data[(L)>>(q)->R_tab->rate.cell_log]) -#define L2T_P(q,L) ((q)->P_tab->data[(L)>>(q)->P_tab->rate.cell_log]) +#define L2T(q,L) qdisc_l2t((q)->R_tab,L) +#define L2T_P(q,L) qdisc_l2t((q)->P_tab,L) static int tbf_enqueue(struct sk_buff *skb, struct Qdisc* sch) { From hawk at diku.dk Fri Jun 16 10:27:09 2006 
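Review bot: the pkt_sched.h hunk replaces `short addend` with `char cell_align; unsigned char __unused;`, which keeps the struct size, and the comments record that both `feature` and `addend` were always 0 before, which is what makes the mixed old/new pairing safe. `feature` is then used as a bit field (0x0001 meaning "atm") by the userspace part of this series, but no kernel header defines that bit; add a named constant for it to pkt_sched.h so q_htb.c, q_tbf.c and q_cbq.c stop repeating the literal 0x0001.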
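Review bot: qdisc_l2t() in the sch_generic.h hunk signals an oversized packet by returning `rtab->data[255] + 1`, and the sch_htb.c hunk detects that with `result > rate->data[255]`. The convention only holds while the table is non-decreasing and data[255] is not UINT_MAX, and it changes the time charged to giants by one tick; state the sentinel in a comment on both sides. Worth a line in the changelog too: the old L2T macros in act_police.c, sch_cbq.c and sch_tbf.c indexed data[] with `(L)>>cell_log` and no upper bound, so switching them to qdisc_l2t() also closes an out-of-bounds read for packets larger than 255 << cell_log.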
From: hawk at diku.dk (Jesper Dangaard Brouer) Date: Fri Jun 16 10:27:08 2006 Subject: [LARTC] [PATCH 2/2] NET: Accurate packet scheduling for ATM/ADSL (userspace) Message-ID: (Resend message bounced to LARTC) The Linux traffic control engine inaccurately calculates transmission times for packets sent over ADSL links. For some packet sizes the error rises to over 50%. This occurs because ADSL uses ATM as its link layer transport, and ATM transmits packets in fixed-size 53-byte cells. This changes the userspace tool iproute2/tc by adding an option to calculate traffic transmission times (rate table) over all ATM links, including ADSL, with perfect accuracy. A longer presentation of the patch, its rationale, what it does and how to use it can be found here: http://www.stuart.id.au/russell/files/tc/tc-atm/ An earlier version of the patch, and a _detailed_ empirical investigation of its effects, can be found here: http://www.adsl-optimizer.dk/ Signed-off-by: Jesper Dangaard Brouer Signed-off-by: Russell Stuart --- diff -Nurp iproute2.orig/include/linux/pkt_sched.h iproute2/include/linux/pkt_sched.h --- iproute2.orig/include/linux/pkt_sched.h 2005-12-10 09:27:44.000000000 +1000 +++ iproute2/include/linux/pkt_sched.h 2006-06-13 11:53:27.000000000 +1000 @@ -77,8 +77,9 @@ struct tc_ratespec { unsigned char cell_log; unsigned char __reserved; - unsigned short feature; - short addend; + unsigned short feature; /* Always 0 in pre-atm patch kernels */ + char cell_align; /* Always 0 in pre-atm patch kernels */ + unsigned char __unused; unsigned short mpu; __u32 rate; }; diff -Nurp iproute2.orig/tc/m_police.c iproute2/tc/m_police.c --- iproute2.orig/tc/m_police.c 2005-01-19 08:11:58.000000000 +1000 +++ iproute2/tc/m_police.c 2006-06-13 11:53:27.000000000 +1000
@@ -35,7 +35,7 @@ struct action_util police_action_util = static void explain(void) { fprintf(stderr, "Usage: ... police rate BPS burst BYTES[/BYTES] [ mtu BYTES[/BYTES] ]\n"); - fprintf(stderr, " [ peakrate BPS ] [ avrate BPS ]\n"); + fprintf(stderr, " [ peakrate BPS ] [ avrate BPS ] [ overhead OVERHEAD ] [ atm ]\n"); fprintf(stderr, " [ ACTIONTERM ]\n"); fprintf(stderr, "Old Syntax ACTIONTERM := action [/NOTEXCEEDACT] \n"); fprintf(stderr, "New Syntax ACTIONTERM := conform-exceed [/NOTEXCEEDACT] \n"); @@ -134,7 +134,10 @@ int act_parse_police(struct action_util __u32 ptab[256]; __u32 avrate = 0; int presult = 0; - unsigned buffer=0, mtu=0, mpu=0; + unsigned buffer=0, mtu=0; + __u8 mpu=0; + __s8 overhead=0; + int atm=0; int Rcell_log=-1, Pcell_log = -1; struct rtattr *tail; @@ -184,7 +187,7 @@ int act_parse_police(struct action_util fprintf(stderr, "Double \"mpu\" spec\n"); return -1; } - if (get_size(&mpu, *argv)) { + if (get_u8(&mpu, *argv, 10)) { explain1("mpu"); return -1; } @@ -198,6 +201,18 @@ int act_parse_police(struct action_util explain1("rate"); return -1; } + } else if (strcmp(*argv, "overhead") == 0) { + NEXT_ARG(); + if (p.rate.rate) { + fprintf(stderr, "Double \"overhead\" spec\n"); + return -1; + } + if (get_s8(&overhead, *argv, 10)) { + explain1("overhead"); + return -1; + } + } else if (strcmp(*argv, "atm") == 0) { + atm = 1; } else if (strcmp(*argv, "avrate") == 0) { NEXT_ARG(); if (avrate) { 
@@ -264,22 +279,12 @@ int act_parse_police(struct action_util } if (p.rate.rate) { - if ((Rcell_log = tc_calc_rtable(p.rate.rate, rtab, Rcell_log, mtu, mpu)) < 0) { - fprintf(stderr, "TBF: failed to calculate rate table.\n"); - return -1; - } + tc_calc_ratespec(&p.rate, rtab, p.rate.rate, Rcell_log, mtu, mpu, atm, overhead); p.burst = tc_calc_xmittime(p.rate.rate, buffer); - p.rate.cell_log = Rcell_log; - p.rate.mpu = mpu; } p.mtu = mtu; if (p.peakrate.rate) { - if ((Pcell_log = tc_calc_rtable(p.peakrate.rate, ptab, Pcell_log, mtu, mpu)) < 0) { - fprintf(stderr, "POLICE: failed to calculate peak rate table.\n"); - return -1; - } - p.peakrate.cell_log = Pcell_log; - p.peakrate.mpu = mpu; + tc_calc_ratespec(&p.peakrate, ptab, p.peakrate.rate, Pcell_log, mtu, mpu, atm, overhead); } tail = NLMSG_TAIL(n); diff -Nurp iproute2.orig/tc/q_cbq.c iproute2/tc/q_cbq.c --- iproute2.orig/tc/q_cbq.c 2005-07-06 08:37:15.000000000 +1000 +++ iproute2/tc/q_cbq.c 2006-06-13 11:53:27.000000000 +1000 @@ -32,6 +32,7 @@ static void explain_class(void) fprintf(stderr, " [ prio NUMBER ] [ cell BYTES ] [ ewma LOG ]\n"); fprintf(stderr, " [ estimator INTERVAL TIME_CONSTANT ]\n"); fprintf(stderr, " [ split CLASSID ] [ defmap MASK/CHANGE ]\n"); + fprintf(stderr, " [ overhead BYTES ] [ atm ]\n"); } static void explain(void) @@ -52,7 +53,10 @@ static int cbq_parse_opt(struct qdisc_ut struct tc_ratespec r; struct tc_cbq_lssopt lss; __u32 rtab[256]; - unsigned mpu=0, avpkt=0, allot=0; + unsigned avpkt=0, allot=0; + __u8 mpu=0; + __s8 overhead=0; + int atm=0; int cell_log=-1; int ewma_log=-1; struct rtattr *tail; @@ -102,7 +106,7 @@ static int cbq_parse_opt(struct qdisc_ut } } else if (strcmp(*argv, "mpu") == 0) { NEXT_ARG(); - if (get_size(&mpu, *argv)) { + if (get_u8(&mpu, *argv, 10)) { explain1("mpu"); return -1; } 
@@ -113,6 +117,14 @@ static int cbq_parse_opt(struct qdisc_ut explain1("allot"); return -1; } + } else if (strcmp(*argv, "overhead") == 0) { + NEXT_ARG(); + if (get_s8(&overhead, *argv, 10)) { + explain1("overhead"); + return -1; + } + } else if (strcmp(*argv, "atm") == 0) { + atm = 1; } else if (strcmp(*argv, "help") == 0) { explain(); return -1; @@ -137,12 +149,7 @@ static int cbq_parse_opt(struct qdisc_ut if (allot < (avpkt*3)/2) allot = (avpkt*3)/2; - if ((cell_log = tc_calc_rtable(r.rate, rtab, cell_log, allot, mpu)) < 0) { - fprintf(stderr, "CBQ: failed to calculate rate table.\n"); - return -1; - } - r.cell_log = cell_log; - r.mpu = mpu; + tc_calc_ratespec(&r, rtab, r.rate, cell_log, allot, mpu, atm, overhead); if (ewma_log < 0) ewma_log = TC_CBQ_DEF_EWMA; @@ -175,7 +182,9 @@ static int cbq_parse_class_opt(struct qd struct tc_cbq_fopt fopt; struct tc_cbq_ovl ovl; __u32 rtab[256]; - unsigned mpu=0; + __u8 mpu=0; + __s8 overhead = 0; + int atm = 0; int cell_log=-1; int ewma_log=-1; unsigned bndw = 0; @@ -289,10 +298,18 @@ static int cbq_parse_class_opt(struct qd lss.change |= TCF_CBQ_LSS_AVPKT; } else if (strcmp(*argv, "mpu") == 0) { NEXT_ARG(); - if (get_size(&mpu, *argv)) { + if (get_u8(&mpu, *argv, 10)) { explain1("mpu"); return -1; } + } else if (strcmp(*argv, "overhead") == 0) { + NEXT_ARG(); + if (get_s8(&overhead, *argv, 10)) { + explain1("overhead"); + return -1; + } + } else if (strcmp(*argv, "atm") == 0) { + atm = 1; } else if (strcmp(*argv, "weight") == 0) { NEXT_ARG(); if (get_size(&wrr.weight, *argv)) { 
@@ -336,12 +353,7 @@ static int cbq_parse_class_opt(struct qd unsigned pktsize = wrr.allot; if (wrr.allot < (lss.avpkt*3)/2) wrr.allot = (lss.avpkt*3)/2; - if ((cell_log = tc_calc_rtable(r.rate, rtab, cell_log, pktsize, mpu)) < 0) { - fprintf(stderr, "CBQ: failed to calculate rate table.\n"); - return -1; - } - r.cell_log = cell_log; - r.mpu = mpu; + tc_calc_ratespec(&r, rtab, r.rate, cell_log, pktsize, mpu, atm, overhead); } if (ewma_log < 0) ewma_log = TC_CBQ_DEF_EWMA; @@ -463,8 +475,12 @@ static int cbq_print_opt(struct qdisc_ut fprintf(f, "rate %s ", buf); if (show_details) { fprintf(f, "cell %ub ", 1<cell_log); - if (r->mpu) - fprintf(f, "mpu %ub ", r->mpu); + if (r->mpu & 0xff) + fprintf(f, "mpu %ub ", (__u8)r->mpu); + if ((r->mpu >> 8)) + fprintf(f, "overhead %db ", (__s8)(r->mpu >> 8)); + if (r->feature & 0x0001) + fprintf(f, "atm "); } } if (lss && lss->flags) { diff -Nurp iproute2.orig/tc/q_htb.c iproute2/tc/q_htb.c --- iproute2.orig/tc/q_htb.c 2005-01-19 08:11:58.000000000 +1000 +++ iproute2/tc/q_htb.c 2006-06-13 11:53:27.000000000 +1000 @@ -34,14 +34,14 @@ static void explain(void) " default minor id of class to which unclassified packets are sent {0}\n" " r2q DRR quantums are computed as rate in Bps/r2q {10}\n" " debug string of 16 numbers each 0-3 {0}\n\n" - "... class add ... htb rate R1 [burst B1] [mpu B] [overhead O]\n" + "... class add ... htb rate R1 [burst B1] [mpu B] [overhead O] [atm]\n" " [prio P] [slot S] [pslot PS]\n" " [ceil R2] [cburst B2] [mtu MTU] [quantum Q]\n" " rate rate allocated to this class (class can still borrow)\n" " burst max bytes burst which can be accumulated during idle period {computed}\n" " mpu minimum packet size used in rate computations\n" " overhead per-packet size overhead used in rate computations\n" - + " atm include atm cell tax in rate computations\n" " ceil definite upper class rate (no borrows) {rate}\n" " cburst burst but for ceil {computed}\n" " mtu max packet size we create rate map for {1600}\n" 
@@ -107,8 +107,10 @@ static int htb_parse_class_opt(struct qd __u32 rtab[256],ctab[256]; unsigned buffer=0,cbuffer=0; int cell_log=-1,ccell_log = -1; - unsigned mtu, mpu; - unsigned char mpu8 = 0, overhead = 0; + unsigned mtu; + __u8 mpu8=0; + __s8 overhead=0; + int atm=0; struct rtattr *tail; memset(&opt, 0, sizeof(opt)); mtu = 1600; /* eth packet len */ @@ -132,9 +134,11 @@ static int htb_parse_class_opt(struct qd } } else if (matches(*argv, "overhead") == 0) { NEXT_ARG(); - if (get_u8(&overhead, *argv, 10)) { + if (get_s8(&overhead, *argv, 10)) { explain1("overhead"); return -1; } + } else if (matches(*argv, "atm") == 0) { + atm = 1; } else if (matches(*argv, "quantum") == 0) { NEXT_ARG(); if (get_u32(&opt.quantum, *argv, 10)) { @@ -206,23 +210,11 @@ static int htb_parse_class_opt(struct qd if (!buffer) buffer = opt.rate.rate / get_hz() + mtu; if (!cbuffer) cbuffer = opt.ceil.rate / get_hz() + mtu; -/* encode overhead and mpu, 8 bits each, into lower 16 bits */ - mpu = (unsigned)mpu8 | (unsigned)overhead << 8; - opt.ceil.mpu = mpu; opt.rate.mpu = mpu; - - if ((cell_log = tc_calc_rtable(opt.rate.rate, rtab, cell_log, mtu, mpu)) < 0) { - fprintf(stderr, "htb: failed to calculate rate table.\n"); - return -1; - } + /* encode overhead and mpu, 8 bits each, into lower 16 bits */ + tc_calc_ratespec(&opt.rate, rtab, opt.rate.rate, cell_log, mtu, mpu8, atm, overhead); + tc_calc_ratespec(&opt.ceil, ctab, opt.ceil.rate, cell_log, mtu, mpu8, atm, overhead); opt.buffer = tc_calc_xmittime(opt.rate.rate, buffer); - opt.rate.cell_log = cell_log; - - if ((ccell_log = tc_calc_rtable(opt.ceil.rate, ctab, cell_log, mtu, mpu)) < 0) { - fprintf(stderr, "htb: failed to calculate ceil rate table.\n"); - return -1; - } opt.cbuffer = tc_calc_xmittime(opt.ceil.rate, cbuffer); - opt.ceil.cell_log = ccell_log; tail = NLMSG_TAIL(n); addattr_l(n, 1024, TCA_OPTIONS, NULL, 0); 
@@ -267,12 +259,16 @@ static int htb_print_opt(struct qdisc_ut sprint_size(buffer, b1), 1<rate.cell_log, sprint_size(hopt->rate.mpu&0xFF, b2), - sprint_size((hopt->rate.mpu>>8)&0xFF, b3)); + sprint_size((__s8)(hopt->rate.mpu>>8), b3)); + if (hopt->rate.feature & 0x0001) + fprintf(f, "atm "); fprintf(f, "cburst %s/%u mpu %s overhead %s ", sprint_size(cbuffer, b1), 1<ceil.cell_log, sprint_size(hopt->ceil.mpu&0xFF, b2), - sprint_size((hopt->ceil.mpu>>8)&0xFF, b3)); + sprint_size((__s8)(hopt->ceil.mpu>>8), b3)); + if (hopt->ceil.feature & 0x0001) + fprintf(f, "atm "); fprintf(f, "level %d ", (int)hopt->level); } else { fprintf(f, "burst %s ", sprint_size(buffer, b1)); diff -Nurp iproute2.orig/tc/q_tbf.c iproute2/tc/q_tbf.c --- iproute2.orig/tc/q_tbf.c 2005-01-19 08:11:58.000000000 +1000 +++ iproute2/tc/q_tbf.c 2006-06-13 11:53:27.000000000 +1000 @@ -26,7 +26,7 @@ static void explain(void) { fprintf(stderr, "Usage: ... tbf limit BYTES burst BYTES[/BYTES] rate KBPS [ mtu BYTES[/BYTES] ]\n"); - fprintf(stderr, " [ peakrate KBPS ] [ latency TIME ]\n"); + fprintf(stderr, " [ peakrate KBPS ] [ latency TIME ] [ overhead OVERHEAD ] [ atm ]\n"); } static void explain1(char *arg) @@ -43,7 +43,10 @@ static int tbf_parse_opt(struct qdisc_ut struct tc_tbf_qopt opt; __u32 rtab[256]; __u32 ptab[256]; - unsigned buffer=0, mtu=0, mpu=0, latency=0; + unsigned buffer=0, mtu=0, latency=0; + __u8 mpu=0; + __s8 overhead=0; + int atm=0; int Rcell_log=-1, Pcell_log = -1; struct rtattr *tail; @@ -103,7 +106,7 @@ static int tbf_parse_opt(struct qdisc_ut fprintf(stderr, "Double \"mpu\" spec\n"); return -1; } - if (get_size(&mpu, *argv)) { + if (get_u8(&mpu, *argv, 10)) { explain1("mpu"); return -1; } 
@@ -119,6 +122,20 @@ static int tbf_parse_opt(struct qdisc_ut return -1; } ok++; + } else if (strcmp(*argv, "overhead") == 0) { + NEXT_ARG(); + if (overhead) { + fprintf(stderr, "Double \"overhead\" spec\n"); + return -1; + } + if (get_s8(&overhead, *argv, 10)) { + explain1("overhead"); + return -1; + } + ok++; + } else if (strcmp(*argv, "atm") == 0) { + atm = 1; + ok++; } else if (matches(*argv, "peakrate") == 0) { NEXT_ARG(); if (opt.peakrate.rate) { @@ -170,21 +187,11 @@ static int tbf_parse_opt(struct qdisc_ut opt.limit = lim; } - if ((Rcell_log = tc_calc_rtable(opt.rate.rate, rtab, Rcell_log, mtu, mpu)) < 0) { - fprintf(stderr, "TBF: failed to calculate rate table.\n"); - return -1; - } + tc_calc_ratespec(&opt.rate, rtab, opt.rate.rate, Rcell_log, mtu, mpu, atm, overhead); opt.buffer = tc_calc_xmittime(opt.rate.rate, buffer); - opt.rate.cell_log = Rcell_log; - opt.rate.mpu = mpu; if (opt.peakrate.rate) { - if ((Pcell_log = tc_calc_rtable(opt.peakrate.rate, ptab, Pcell_log, mtu, mpu)) < 0) { - fprintf(stderr, "TBF: failed to calculate peak rate table.\n"); - return -1; - } + tc_calc_ratespec(&opt.peakrate, ptab, opt.peakrate.rate, Pcell_log, mtu, mpu, atm, overhead); opt.mtu = tc_calc_xmittime(opt.peakrate.rate, mtu); - opt.peakrate.cell_log = Pcell_log; - opt.peakrate.mpu = mpu; } tail = NLMSG_TAIL(n); @@ -220,8 +227,12 @@ static int tbf_print_opt(struct qdisc_ut fprintf(f, "rate %s ", sprint_rate(qopt->rate.rate, b1)); buffer = ((double)qopt->rate.rate*tc_core_tick2usec(qopt->buffer))/1000000; if (show_details) { - fprintf(f, "burst %s/%u mpu %s ", sprint_size(buffer, b1), - 1<rate.cell_log, sprint_size(qopt->rate.mpu, b2)); + fprintf(f, "burst %s/%u mpu %s overhead %d ", sprint_size(buffer, b1), + 1<rate.cell_log, + sprint_size(qopt->rate.mpu & 0xFF, b2), + (__s8)(qopt->rate.mpu >> 8)); + if (qopt->rate.feature & 0x0001) + fprintf(f, "atm "); } else { fprintf(f, "burst %s ", sprint_size(buffer, b1)); } 
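Review bot: in the act_parse_police hunk the duplicate-argument guard for "overhead" tests the wrong variable: `if (p.rate.rate) { fprintf(stderr, "Double \"overhead\" spec\n"); return -1; }` rejects any `overhead` that follows `rate` on the command line, which is the usual order. The tbf hunk does it right with `if (overhead)`; use the same here (with the shared caveat that an explicit `overhead 0` cannot be detected as a duplicate that way).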
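Review bot: every tc_calc_rtable() call that these hunks remove checked for a negative return and printed "failed to calculate rate table"; the replacement tc_calc_ratespec() calls in m_police.c, q_cbq.c, q_htb.c and q_tbf.c discard whatever it returns. Its definition is not in this part of the patch, so if it can fail the way tc_calc_rtable() could, those failures now go unreported and a bad table is sent to the kernel; either make it return int and check it at every call site, or document that it cannot fail.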
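Review bot: in the q_htb.c htb_parse_class_opt hunk the context line `int cell_log=-1,ccell_log = -1;` survives while the only uses of `ccell_log` were in the removed lines, so the build will warn about an unused variable; drop it. The same hunk now builds both rtab and ctab with `cell_log`, so rate and ceil share one cell_log where the old code computed `ccell_log` separately, which deserves a sentence in the changelog. The retained comment `/* encode overhead and mpu, 8 bits each, into lower 16 bits */` now describes something tc_calc_ratespec() does internally and should move there.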
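Review bot: switching the `mpu` parse from `get_size(&mpu, *argv)` to `get_u8(&mpu, *argv, 10)` in m_police.c, q_cbq.c and q_tbf.c changes the accepted syntax, not just the storage type: get_size() took size suffixes and any value, get_u8() takes a plain decimal 0..255. Existing scripts that pass `mpu 64b` or an mpu above 255 will start failing with the usage text; mention the new limit in the help output and the changelog (q_htb.c already used get_u8 for mpu, so it is unaffected).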
@@ -232,8 +243,12 @@ static int tbf_print_opt(struct qdisc_ut if (qopt->mtu || qopt->peakrate.mpu) { mtu = ((double)qopt->peakrate.rate*tc_core_tick2usec(qopt->mtu))/1000000; if (show_details) { - fprintf(f, "mtu %s/%u mpu %s ", sprint_size(mtu, b1), - 1<peakrate.cell_log, sprint_size(qopt->peakrate.mpu, b2)); + fprintf(f, "mtu %s/%u mpu %s overhead %d ", sprint_size(mtu, b1), + 1<peakrate.cell_log, + sprint_size(qopt->peakrate.mpu & 0xFF, b2), + (__s8)(qopt->peakrate.mpu >> 8)); + if (qopt->peakrate.feature & 0x0001) + fprintf(f, "atm "); } else { fprintf(f, "minburst %s ", sprint_size(mtu, b1)); } diff -Nurp iproute2.orig/tc/tc_core.c iproute2/tc/tc_core.c --- iproute2.orig/tc/tc_core.c 2004-07-31 06:26:15.000000000 +1000 +++ iproute2/tc/tc_core.c 2006-06-13 11:53:27.000000000 +1000 @@ -23,6 +23,9 @@ #include "tc_core.h" +#define ATM_CELL_SIZE 53 +#define ATM_CELL_PAYLOAD 48 + static __u32 t2us=1; static __u32 us2t=1; static double tick_in_usec = 1; @@ -43,33 +46,124 @@ unsigned tc_calc_xmittime(unsigned rate, } /* - rtab[pkt_len>>cell_log] = pkt_xmit_time + * Calculate the ATM cell overhead. ATM sends each packet in 48 byte + * chunks, the last chunk being padded if necessary. Each chunk carries + * an additional 5 byte overhead - the ATM header. */ +static int tc_align_to_cells(int size) +{ + int cells; + + cells = size / ATM_CELL_PAYLOAD; + if (size % ATM_CELL_PAYLOAD != 0) + cells++; + return cells * ATM_CELL_SIZE; +} -int tc_calc_rtable(unsigned bps, __u32 *rtab, int cell_log, unsigned mtu, - unsigned mpu) +/* + * The number this function calculates is subtle. Ignore it and just believe + * it works if you have a choice, otherwise .. + * + * If there we are calculating the ATM cell overhead the kernel calculations + * will be out sometimes if the range of packet sizes spanned by one + * rate table element crosses an ATM cell boundary. Consider these three + * senarios: + * (a) the packet is sent across the ATM link with