From rune.kock at gmail.com Sat Jul 1 15:26:10 2006
From: rune.kock at gmail.com (Rune Kock)
Date: Sat Jul 1 15:26:02 2006
Subject: [LARTC] why can not turn the bandwidth knob up to 100Mbit
In-Reply-To: <20060628135906.82204.qmail@web15805.mail.cnb.yahoo.com>
References: <20060628135906.82204.qmail@web15805.mail.cnb.yahoo.com>
Message-ID:

> (using "tc -s class show dev eth1" to list result, if the rate of class 1:21
> is 100Mbit, the result is between 99M and 100M;
> if the rate of class 1:21 is 150Mbit, the result is between 45M and 50M;)

I wonder if this has something to do with what devik writes on the htb homepage:

  Limitation: when you operate with high rates on a computer with a low
  resolution timer you need some minimal burst and cburst to be set for all
  classes. Timer resolution on i386 systems is 10ms and 1ms on Alphas. The
  minimal burst can be computed as max_rate*timer_resolution. So that for
  10Mbit on plain i386 you need burst 12kb. If you set too small a burst you
  will encounter a smaller rate than you set. The latest tc tool will compute
  and set the smallest possible burst when it is not specified.

From hijacker at oldum.net Sat Jul 1 15:53:49 2006
From: hijacker at oldum.net (Nikolay Kichukov)
Date: Sat Jul 1 15:53:43 2006
Subject: [LARTC] Simple Rule to Cap P2P Uploads
In-Reply-To: <20060628165057.19977.qmail@web55701.mail.re3.yahoo.com>
References: <20060628165057.19977.qmail@web55701.mail.re3.yahoo.com>
Message-ID: <1151762030.6342.4.camel@ccja.localhost>

Hi Mathew,

your adsl uplink is 64000 bps, correct?

102400kbps > 64kbps
3kbps != 3KB/sec

Another point, tc syntax is 102400kbit, not 102400kbps (as far as I tested that).

3KB = 3*8 kbit

Test that and let us know if this helps.

-Nik

On Wed, 2006-06-28 at 09:50 -0700, Mathew Brown wrote:
> Hi,
> I'm new at traffic control and was reading up on HTB and using it to
> put an upper limit on traffic. I have a 256k DSL with 64k upload
> (which translates to about 5/6KB uploads). The machine running the
> P2P applications keeps filling up the 64K so my browsing from other
> machines in the network ends up being very slow. Since there are
> several P2P applications, I wanted to set the entire upload cap to
> something like 3KB/s so it doesn't disrupt browsing. However, I would
> also like to ssh and scp from this machine without having an upload
> cap. The machine has a single interface to the network: eth0. I
> tried the following tc lines but it appears to affect both the P2P
> traffic and my ssh traffic, resulting in very slow ssh sessions:
>
> tc qdisc add dev eth0 root handle 1: htb default 3
> tc class add dev eth0 parent 1: classid 1:1 htb rate 102400kbps ceil 102400kbps
> tc class add dev eth0 parent 1:1 classid 1:2 htb rate 102400kbps ceil 102400kbps
> tc class add dev eth0 parent 1:1 classid 1:3 htb rate 3kbps ceil 3kbps
> tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip dport 22 0xffff flowid 1:2
>
> Any ideas? Thanks for your time.
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
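Two points from the messages above, taken together as one added shell example that is not code from any of the posters: devik's burst rule quoted by Rune (minimal burst = max_rate * timer_resolution) and Nik's unit remark (tc reads "kbps" as kilobytes per second and "kbit" as kilobits per second). The script builds the cap-P2P-but-leave-ssh-alone tree for Mathew's 64 kbit uplink with the units converted explicitly and burst/cburst computed from the rule, with one MTU of headroom so a class can always emit a full packet. The interface name, the 95% root rate, the 32 kbit ssh guarantee, the r2q value and the 10 ms tick are my assumptions, not anything from the thread; DRY_RUN=1 (the default) prints the tc commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the list posts. Builds an HTB egress tree that
# caps P2P uploads while letting ssh/scp use the whole uplink, with units
# converted explicitly and burst sized from devik's rule.
# DRY_RUN=1 (default) prints the tc commands; DRY_RUN=0 executes them.

DRY_RUN="${DRY_RUN:-1}"
TC="${TC:-/sbin/tc}"

tc_cmd() {
    if [ "$DRY_RUN" = 1 ]; then echo "$TC $*"; else "$TC" "$@"; fi
}

# tc reads "kbps" as kilobytes/s and "kbit" as kilobits/s; the uplink is
# quoted in kbit, so convert the KB/s figure from the post before comparing.
kbytes_to_kbit() {
    echo $(( $1 * 8 ))
}

# Minimal burst in bytes for RATE_KBIT on a scheduler with a TICK_MS timer
# (devik: 10 ms on i386 at HZ=100), plus MTU bytes so one full packet can
# always be sent: rate [bit/s] * tick [s] / 8 + mtu.
htb_burst_bytes() {
    rate_kbit=$1; tick_ms=$2; mtu=$3
    echo $(( rate_kbit * tick_ms / 8 + mtu ))
}

# htb_p2p_tree DEV LINK_KBIT SSH_KBIT P2P_KBIT TICK_MS
htb_p2p_tree() {
    dev=$1; link=$2; ssh=$3; p2p=$4; tick=$5
    # Root rate a little under the real uplink so the queue builds here,
    # where HTB can choose what goes first, and not inside the DSL modem.
    root=$(( link * 95 / 100 ))
    burst=$(htb_burst_bytes "$root" "$tick" 1600)
    tc_cmd qdisc del dev "$dev" root 2>/dev/null
    # r2q 1: at rates this low the default r2q=10 gives a quantum below
    # 1000 bytes and the kernel logs a warning about it.
    tc_cmd qdisc add dev "$dev" root handle 1: htb default 30 r2q 1
    tc_cmd class add dev "$dev" parent 1: classid 1:1 htb rate "${root}kbit" ceil "${root}kbit" burst "$burst" cburst "$burst"
    # ssh/scp: guaranteed share, allowed to borrow up to the whole link.
    tc_cmd class add dev "$dev" parent 1:1 classid 1:20 htb rate "${ssh}kbit" ceil "${root}kbit" prio 0 burst "$burst" cburst "$burst"
    # Everything else (the P2P clients): hard ceiling, never borrows.
    tc_cmd class add dev "$dev" parent 1:1 classid 1:30 htb rate "${p2p}kbit" ceil "${p2p}kbit" prio 1 burst "$burst" cburst "$burst"
    tc_cmd qdisc add dev "$dev" parent 1:20 handle 20: sfq perturb 10
    tc_cmd qdisc add dev "$dev" parent 1:30 handle 30: sfq perturb 10
    # Outbound ssh/scp started on this box: destination port 22.
    tc_cmd filter add dev "$dev" parent 1: protocol ip prio 1 u32 match ip dport 22 0xffff flowid 1:20
}

# The numbers from the thread: 64 kbit uplink, P2P held to 3 KB/s (24 kbit).
htb_p2p_tree eth0 64 32 "$(kbytes_to_kbit 3)" 10
```

After applying it for real, "tc -s class show dev eth0" (the command used in the first message) shows per-class rates; if 1:30 reports less than 24 kbit under load, the burst is the first thing to check, as devik's note says.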
From: hijacker at oldum.net (Nikolay Kichukov)
Date: Sat Jul 1 16:38:32 2006
Subject: [LARTC] tc ingress policing with multiple subnets
In-Reply-To: <449FD426.7060804@andyfurniss.entadsl.com>
References: <002b01c69130$de91c270$0600a8c0@hpa> <449FD426.7060804@andyfurniss.entadsl.com>
Message-ID: <1151764718.6342.19.camel@ccja.localhost>

Hi Andy,

please have a look at my answers in the text below.

On Mon, 2006-06-26 at 13:33 +0100, Andy Furniss wrote:
> Nikolay Kichukov wrote:
> > Hello everybody on the list,
> >
> > I have the following situation where I want to police the speed of
> > incoming packets from specific subnets to 1024kbps and then police all
> > the rest to 256kbps, which is the speed my ISP grants for the rest of
> > the internet.
>
> If you are shaping ingress you will need to set a rate below the link
> speed, or you won't do anything.
>

How about a rate that matches the link speed? Will 95% of the link be alright for ingress?

> > So, eth1 is the one connected to the cable modem and then to the internet.
> >
> > I do:
> >
> > tc qdisc add dev eth1 ingress handle ffff:
> >
> > then:
> >
> > tc filter add dev eth1 parent ffff: protocol ip prio 1 u32 match ip src xx.yy.zz.0/24 police rate 1024kbit burst 10kb drop flowid ffff:
> > tc filter add dev eth1 parent ffff: protocol ip prio 1 u32 match ip src pp.dd.df.0/23 police rate 1024kbit burst 10kb drop flowid ffff:
> > ...
> > ...
> > and finally:
> >
> > tc filter add dev eth1 parent ffff: protocol ip prio 2 u32 match ip src 0.0.0.0/0 police rate 256kbit burst 10kb drop flowid ffff:
> >
> > My question is, is there a way I can limit the overall speed of incoming
> > packets from all of those defined subnets to 1024kbps, as it seems in the
> > above scenario that if packets from xx.yy.zz.0/24 subnet arrive at the speed
> > of 1024kbps, and at the same time packets are arriving from pp.dd.df.0/23 at
> > 1024kbps the overall would be 2048kbps, which I do not want.
>
> You can use a shared meter.
>
> ... police index 1 rate ......
>

I will read on about the index shared meter. Hope that will do what I need to achieve.

> > Any comments or suggestions on this topic are welcomed.
> >
> > Another question I have is, what is the difference of the burst/buffer
> > being 10kb or 90kb for example? What difference would that make?
>
> The detailed behaviour probably depends on rate estimators in kernel config.
>
> Roughly the burst/buffer is a virtual buffer that when full will cause
> further packets to be dropped until it has drained enough over time to
> pass them again.
>

So a buffer of 10kbytes will allow the first 10kbytes to flow at the rate of the line and the next packets to be shaped at the filter rate?

example:

tc filter add dev eth1 parent ffff: protocol ip prio 2 u32 match ip src 0.0.0.0/0 police rate 256kbit burst 10kb drop flowid ffff:

if line speed is 512 kbit, the first downloaded 10kbytes will travel at 512kbit, and the packets afterwards will flow at the speed of 256kbit. Is that kind of correct?

> If you are shaping ingress at near link speed I think smaller is better
> - if you are shaping well below link speed like 1meg/100 then you can
> use a bigger buffer.
>
> Andy.
>

I think I got that.

Regards,
-nik
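An added example for the two questions in the exchange above; it is not code from Andy or Nik. Part one is a small integer model of a policer's token bucket, fed with Nik's numbers (512 kbit line, 256 kbit policer, 10 kB bucket, 1500-byte packets arriving back to back, so each packet interval refills 1500 * 256/512 = 750 bytes). It shows that the stretch that passes at line rate is longer than the bucket, because tokens keep arriving while the bucket is being drained, and that afterwards the policer settles into dropping every other packet, i.e. 256 kbit on average. The real policer keeps its tokens in time units and refills from the clock rather than per packet, so this is a model, not the kernel algorithm. Part two emits the ingress filters with one shared meter (Andy's "police index 1"): the first filter creates policer 1 and the later ones bind to the existing action, so all the fast subnets drain one bucket and the sum is held to 1024 kbit. The subnets are documentation ranges standing in for the poster's real ones.

```shell
#!/bin/sh
# Added example, not from the thread. Part 1 approximates the policer's
# token bucket with integers; part 2 emits ingress filters with one shared
# meter. The real policer refills from the clock, not per packet, so the
# simulation is a model of the behaviour, not the kernel's code.

# police_sim BUCKET_BYTES PKT_BYTES REFILL_BYTES NPKTS
# Packets of PKT_BYTES arrive back to back at line rate; between two
# arrivals the bucket gains REFILL_BYTES = PKT_BYTES * police_rate/line_rate.
# Prints "passed dropped first_dropped_packet_number".
police_sim() {
    bucket=$1; pkt=$2; refill=$3; n=$4
    tokens=$bucket; passed=0; dropped=0; first_drop=0; i=1
    while [ "$i" -le "$n" ]; do
        tokens=$(( tokens + refill ))
        if [ "$tokens" -gt "$bucket" ]; then tokens=$bucket; fi
        if [ "$tokens" -ge "$pkt" ]; then
            tokens=$(( tokens - pkt )); passed=$(( passed + 1 ))
        else
            dropped=$(( dropped + 1 ))
            if [ "$first_drop" -eq 0 ]; then first_drop=$i; fi
        fi
        i=$(( i + 1 ))
    done
    echo "$passed $dropped $first_drop"
}

DRY_RUN="${DRY_RUN:-1}"
tc_cmd() { if [ "$DRY_RUN" = 1 ]; then echo "tc $*"; else tc "$@"; fi; }

# ingress_policing DEV FAST_RATE REST_RATE SUBNET...
# Every SUBNET filter names policer index 1: the first filter creates it,
# the later ones bind to the existing action, so they all drain the same
# bucket and the total is limited, not each subnet separately.
ingress_policing() {
    dev=$1; fast=$2; rest=$3; shift 3
    tc_cmd qdisc del dev "$dev" ingress 2>/dev/null
    tc_cmd qdisc add dev "$dev" handle ffff: ingress
    for net in "$@"; do
        tc_cmd filter add dev "$dev" parent ffff: protocol ip prio 1 u32 match ip src "$net" police index 1 rate "$fast" burst 10kb drop flowid ffff:
    done
    # Catch-all at a lower priority, with its own (unshared) meter.
    tc_cmd filter add dev "$dev" parent ffff: protocol ip prio 2 u32 match ip src 0.0.0.0/0 police rate "$rest" burst 10kb drop flowid ffff:
}

# Nik's numbers: 512 kbit line, 256 kbit policer, 10 kB bucket, 1500-byte
# packets, so each packet interval refills 1500 * 256/512 = 750 bytes.
police_sim 10240 1500 750 40    # prints: 26 14 13
# Placeholder subnets (documentation ranges), not the poster's real ones.
ingress_policing eth1 1024kbit 256kbit 192.0.2.0/24 198.51.100.0/23
```

With those numbers the first 12 packets (18000 bytes, not 10240) go through at line rate before the first drop, then packets alternate pass/drop. A larger burst lengthens that free-running stretch, which is why Andy suggests keeping it small when policing near link speed; with TCP the sender backs off after the first drops, so the real drop count is lower than the model's. After applying the filters, "tc -s actions ls action police" shows the shared policer and its counters.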
From: posuna at ehas.org (Pablo Osuna)
Date: Sat Jul 1 17:42:33 2006
Subject: [LARTC] How to priorize VoIP in a Wi-Fi scenario? Default qdisc in Linux, PRIO, HTB and HFSC ...
Message-ID: <1151768560.5095.75.camel@localhost.localdomain>

Hi all,

Long email but please be patient :)

I am part of EHAS [1], a non-profit organization whose main goal is to improve healthcare assistance in isolated rural areas in developing countries. Recently we have developed a long-distance Wi-Fi network in Cuzco (Peru). This network provides connectivity to 12 nodes (they are in fact Health Centers). As VoIP is an essential service in this scenario we have set up a software PBX (Asterisk). Also nodes can browse the Internet and we will probably add a video service (by webcams) in the future. So we have three services, in order of priority: VoIP, video and data.

As we want to prioritize voice and video I have been studying in the last month how to do that with Linux. After reading lots of documentation [2] [3] [4], I have set up a testbed with a chain of 3 nodes in the laboratory. Using iperf I inject TCP traffic and every 20s a different flow of UDP traffic (to simulate VoIP, video and noise). I process the logs and get graphs from them:

nodeA <--(channel1)--> nodeB <--(channel6)--> nodeC

- 0-80s: TCP
- 20-80s: TCP + UDP (voice)
- 40-80s: TCP + UDP (voice) + UDP (video)
- 60-80s: TCP + UDP (voice) + UDP (video) + UDP (noise)

Basically I wanted to test which is the best qdisc to do this. I have set up two schemes:

1) One using PRIO as the main qdisc and some leaf classes as RED, SFQ and short pfifo queues.
2) And the second scheme uses HTB as the main qdisc with the same kind of leaf classes.

And now some conclusions and questions:

--- PRIO ---

My concern is that I am getting very similar results when I set up PRIO and when I set up the default qdisc (actually without doing anything).
PRIO setup is:

tc qdisc add dev wlan0 root handle 1: prio
tc filter add dev wlan0 parent 1:0 prio 1 protocol ip u32 match ip tos 0xa0 0xff flowid 1:1
tc filter add dev wlan0 parent 1:0 prio 2 protocol ip u32 match ip tos 0x60 0xff flowid 1:2
tc filter add dev wlan0 parent 1:0 prio 3 protocol ip u32 match ip tos 0x00 0xff flowid 1:3
tc qdisc add dev wlan0 parent 1:1 sfq perturb 10
tc qdisc add dev wlan0 parent 1:2 sfq perturb 10
tc qdisc add dev wlan0 parent 1:3 sfq perturb 10

VoIP traffic is marked with 0x0a and Video traffic with 0x60. The thing is that voice and video get the same throughput as UDP noise (TCP gets nothing, as was expected). I expected to see VoIP beating video, and video beating noise, but I saw these 3 flows getting the same throughput, as in the default behaviour.

Can someone tell me what the default qdisc running in Linux is? I have read somewhere that the default qdisc was pfifo with 3 children. Maybe the default qdisc is in fact very similar to the PRIO qdisc???

--- HTB ---

With HTB I am getting much nicer results and I can see the difference between that and doing nothing. But there is a problem with this qdisc, as has been said on this list before: let's presume we have 1Mbps of total throughput in the wireless links. When I reduce the speed of the wireless links to 0.5Mbps (which can be very normal in a real wireless scenario) and keep the HTB with the same parameters from the 1Mbps test, the results get much worse. I read that the HTB root has to be the bottleneck but never understood well why ... can someone explain that to me?

--- HFSC ---

I have read the English translation [4] (thanks Martin Brown!) but still do not get the whole idea behind this qdisc. Could it be a solution for unstable networks (in terms of variable bandwidth) as Wi-Fi networks are?
After reading [5] I have changed our HTB setup to an HFSC setup:

First my HTB setup:

tc qdisc add dev wlan0 root handle 1:0 htb
tc class add dev wlan0 parent 1:0 classid 1:1 htb rate 0.95Mbit
tc class add dev wlan0 parent 1:1 classid 1:2 htb rate 0.7Mbit ceil 0.95Mbit prio 0
tc class add dev wlan0 parent 1:1 classid 1:3 htb rate 0.29Mbit ceil 0.95Mbit prio 1
tc class add dev wlan0 parent 1:1 classid 1:4 htb rate 0.01Mbit ceil 0.95Mbit prio 2
tc qdisc add dev wlan0 parent 1:2 sfq perturb 10
tc qdisc add dev wlan0 parent 1:3 sfq perturb 10
tc qdisc add dev wlan0 parent 1:4 sfq perturb 10
tc filter add dev wlan0 parent 1:0 prio 1 protocol ip u32 match ip tos 0xa0 0xff flowid 1:2
tc filter add dev wlan0 parent 1:0 prio 2 protocol ip u32 match ip tos 0x60 0xff flowid 1:3
tc filter add dev wlan0 parent 1:0 prio 3 protocol ip u32 match ip tos 0x00 0xff flowid 1:4

And now my HFSC setup:

tc qdisc add dev $INTWIRELESS root handle 1:0 hfsc
tc class add dev $INTWIRELESS parent 1:0 classid 1:1 hfsc sc rate 0.95Mbit ul rate 0.95Mbit
tc class add dev $INTWIRELESS parent 1:1 classid 1:2 hfsc sc rate 0.7Mbit ul rate 0.95Mbit
tc class add dev $INTWIRELESS parent 1:1 classid 1:3 hfsc sc rate 0.29Mbit ul rate 0.95Mbit
tc class add dev wlan0 parent 1:1 classid 1:4 hfsc sc rate 0.01Mbit ul rate 0.95Mbit
tc qdisc add dev wlan0 parent 1:2 sfq perturb 10
tc qdisc add dev wlan0 parent 1:3 sfq perturb 10
tc qdisc add dev wlan0 parent 1:4 sfq perturb 10
tc filter add dev wlan0 parent 1:0 prio 1 protocol ip u32 match ip tos 0xa0 0xff flowid 1:2
tc filter add dev wlan0 parent 1:0 prio 2 protocol ip u32 match ip tos 0x60 0xff flowid 1:3
tc filter add dev wlan0 parent 1:0 prio 3 protocol ip u32 match ip tos 0x00 0xff flowid 1:4

The problem is that when I activate HFSC I lose the wireless connection between the nodes, so probably I am doing something wrong. I know I am missing some HFSC parameters such as dmax and umax but I do not know very well how to set them up.
In case of saturation I just want to have VoIP with 70% of the resources, video with 29% and data with 1%. In case of no saturation I would like borrowing among them. Please, can someone tell me a nice HFSC setup to get this?

On the other hand iperf is probably not the best tool but it is the only one I have tested. If someone has any other recommendation it is more than welcome :)

Well, this was my first email to the list. Hope I am lucky and get some answers to my questions. I will keep doing tests and will post more results here.

Regards:

Pablo

[1] http://www.ehas.org/index_html?set_language=en&cl=en
[2] http://www.opalsoft.net/qos/DS.htm
[3] http://lartc.org/
[4] http://linux-ip.net/tc/hfsc.en/
[5] http://mailman.ds9a.nl/pipermail/lartc/2006q2/018865.html
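An added example for the HFSC question above, not Pablo's script and not a reply from the list: the 70/29/1 split with borrowing when the link is idle, on a single device, with a default class. Two things differ from the setup in the post. First, the qdisc gets "default 4": hfsc drops a frame that no filter classifies when no default class is configured, and ARP is not "protocol ip", so without a default the link-layer resolution between the nodes fails, which matches the symptom of losing the wireless connection. Second, the link rate is one parameter, and the comment says why it has to be the worst case the radio actually delivers: a qdisc only shapes when it is the bottleneck, so once the air rate drops below the configured rate the queue forms in the driver and the classes never get to choose, which is also why the HTB results got worse at 0.5 Mbit with 0.95 Mbit parameters. wlan0, 950 kbit, the rt curve on voice and the handle numbers are my choices; the TOS matches are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the post: HFSC tree for the 70/29/1 split with
# borrowing when the link is idle, a default class, and one device name.
# LINK is the usable air rate in kbit: pick the worst case the radio
# actually delivers, because a qdisc only shapes if it is the bottleneck;
# once the link falls below LINK the queue forms in the driver instead.
DRY_RUN="${DRY_RUN:-1}"
tc_cmd() { if [ "$DRY_RUN" = 1 ]; then echo "tc $*"; else tc "$@"; fi; }

# pct TOTAL PERCENT -> integer
pct() { echo $(( $1 * $2 / 100 )); }

# hfsc_voip_tree DEV LINK_KBIT
hfsc_voip_tree() {
    dev=$1; link=$2
    voice=$(pct "$link" 70); video=$(pct "$link" 29)
    data=$(( link - voice - video ))
    tc_cmd qdisc del dev "$dev" root 2>/dev/null
    # default 4: anything no filter classifies (ARP and other non-IP, IP
    # with an unmarked TOS) goes to the data class. hfsc drops frames it
    # cannot classify when no default is set, and losing ARP takes the
    # wireless link down.
    tc_cmd qdisc add dev "$dev" root handle 1: hfsc default 4
    # Parent: link-share curve plus an upper limit at the real link rate.
    tc_cmd class add dev "$dev" parent 1: classid 1:1 hfsc ls m2 "${link}kbit" ul m2 "${link}kbit"
    # Voice gets a real-time curve (served regardless of link-share
    # arithmetic) and a link-share so it can also borrow when idle.
    tc_cmd class add dev "$dev" parent 1:1 classid 1:2 hfsc rt m2 "${voice}kbit" ls m2 "${voice}kbit" ul m2 "${link}kbit"
    tc_cmd class add dev "$dev" parent 1:1 classid 1:3 hfsc ls m2 "${video}kbit" ul m2 "${link}kbit"
    tc_cmd class add dev "$dev" parent 1:1 classid 1:4 hfsc ls m2 "${data}kbit" ul m2 "${link}kbit"
    for c in 2 3 4; do
        tc_cmd qdisc add dev "$dev" parent 1:$c handle ${c}0: sfq perturb 10
    done
    # Same TOS matches as the post: 0xa0 voice, 0x60 video; the rest
    # falls through to the default class.
    tc_cmd filter add dev "$dev" parent 1: protocol ip prio 1 u32 match ip tos 0xa0 0xff flowid 1:2
    tc_cmd filter add dev "$dev" parent 1: protocol ip prio 2 u32 match ip tos 0x60 0xff flowid 1:3
}

hfsc_voip_tree wlan0 950
```

Because the link rate is a single argument, re-running the function with a lower figure is all it takes when the radio is known to be in a worse state; no qdisc can recover bandwidth the air no longer provides, it can only decide what gets the bandwidth that remains. "tc -s class show dev wlan0" shows which class the unclassified frames landed in.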
From: proclus at gnu-darwin.org (proclus@gnu-darwin.org)
Date: Sat Jul 1 20:04:22 2006
Subject: [LARTC] FOSS, Science, and Public activism
Message-ID: <20060701180409.6D3EB6B0FE8@gnu-darwin.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

(Sorry if you get more than one copy of this message, but I felt that it was urgent to get this important info out.)

The values of freedom and openness are crucial to understanding itself, so that civilization and public welfare now depend on them, as I argue below. These values may find their best expression in the free and open source software (FOSS) movement, and the foresightful example of FOSS developers should now be beneficially applied to many other disciplines in the context of a global and public Internet. It is crucial that we occasionally take time to discuss the reasons _why_ we release our source code, and this is one of those occasions.

There are good reasons for the freedom and openness which are characteristics of FOSS development, reasons which should receive wider attention now that they can be readily communicated to other arenas. The consequences of doing otherwise are often catastrophic. For example, it is incomprehensible that Genentech could consider withdrawing a cheap cure for blindness (ARMD) from the market.

http://lists.essential.org/pipermail/random-bits/2006-june/001374.html

The mechanism of this drug is public knowledge.

http://sourceforge.net/mailarchive/forum.php?thread_id=14183567&forum_id=6042

This abhorrent situation is a great example of the kind of thing that will happen if people don't get behind the values of freedom and openness that we are espousing. Please let Genentech know that you find what they are doing offensive. Publicize the mechanism so that new compounds can be obtained as replacements. For the future, continued vociferous public activism is required to prevent such outrages from occurring.
It becomes clear that the compounds which come from common roots, fruits, and vegetables are a shared human heritage and the free and open source of the future. Tannins are another interesting case in point, because as molecules, and as anti-oxidants, they are similar to resveratrol (resV), and that molecular mechanism has been anchored to the public domain via a prior art declaration. It is a so-called CR-memetic, which may increase healthy human longevity by many decades. Here are some links about it.

Resveratrol mechanism posts from GNU-Darwin list
http://proclus.gnu-darwin.org/gdposts.html

CR protocol for human bodies
http://proclus.gnu-darwin.org/bootstrap.html

Here is some important recent news about it.
http://www.imminst.org/forum/index.php?s=&act=print&client=printer&f=237&t=10749

It is exciting to suppose that people can get off the pharmaceuticals that they are taking with calorie restriction or CR-memetics. I personally am trying to get off the cholesterol drug Pravachol, a statin compound, starting a few weeks ago. Write me, and I'll let you know how it turns out.

From the article...

"Fontana says ... evidence of "younger" hearts in people on calorie restriction, suggest that humans on CR have the same adaptive responses as did animals whose rates of aging were slowed by CR."

I think that it is time to look at the tannins in tobacco leaves. There may be other treasures lurking there too. As you may be aware there is ample public research into any possible beneficial compounds that may be obtained from tobacco leaves. The mechanisms are there waiting to be discovered. If you want to post them, just reply to me and I'd be delighted to host them.

The public establishment of prior art is a time-honored method of entering inventions into the public domain. We now have other methods at our disposal as well. If you are planning to establish prior art against future CR-memetic related patents, you might want to have a look at www.creativecommons.org.
Perhaps it goes without saying at this point that you should please choose a license that provides for free and broad public access to your memetic. In that way you will assure that the public health is served by anchoring them to the public common, where they cannot be exploited by those who would withhold them for their own profit.

The DRM situation is precisely analogous to this. Can you imagine doing science in a world where your ability to read and write your data is filtered through secret protocols that are hidden from you? I recommend the Defective By Design campaign to fight the outrage of DRM, which is incompatible with the scientific pursuit.

http://www.defectivebydesign.org/

It is clear that scientific tools must be demonstrably and penetratingly understood, or else our claims will likely be skewed and called into question. Free and open source software is a great example of how to make your science verifiable to the public. Establishing prior art against future patents is another good one, which is precisely analogous in method, making the result explicit to the public, free and open to all. Thank goodness for the free and open software movement, which gave us such a great example of how to serve the public in this manner.

I am willing to grant that there are particular exceptions to these rules of freedom and openness, and such exceptions may be relatively harmless; however, let us posit the opposite, that freedom and openness are _not_ crucial to understanding. Think of the implications. When people are compelled to learn, they do not receive the intended message. It is not understood correctly or completely. When crucial facts are withheld from the people you are trying to teach they become paranoid, possibly unteachable. Freedom and openness are obviously the best approach to understanding. This is not a metaphor for the pursuit of science, but a fact.
We are learning from nature, and it is ultimately required that our tools be demonstrably and penetratingly understood, or else we will receive incorrect lessons from nature. Clearly this requires public access to the source code and more. This is why many of us are pressing for public access to scientific publications.

Moreover FOSS tools are becoming ever more important to the pursuit of the scientific endeavor itself. In our biophysics department we are obsolescing proprietary hardware and software in favor of open standards and free software, which is a widespread phenomenon in the science sector, and sure to continue. We build most of the workstations ourselves with commodity hardware, but we also have some clusters running Debian and FedoraCore.

Some of you will know that I am the lead developer for the GNU-Darwin distribution. GNU-Darwin has a FOSS operating system, which is getting a lot of press these days. Here is an example:

How Apple and Microsoft are advancing desktop Linux
http://www.desktopLinux.com/news/ns7294331817.html

I see the article as counter-productive against building a FOSS coalition that includes democracy, freedom, and public access activists, Apple, GNU-Darwin, GNU, and GNU/Linux all linked together in spectrum.

It is important to alert the whole FOSS community that Darwin cannot be classified as a free or open source operating system as of the Darwin-8 revision, because AppleACPIplatform-39, which is required to boot the system, is proprietary. It is notable that only the current version of Darwin from Apple is a non-free OS. GNU-Darwin has a free version, an earlier revision that includes the source code. It is FOSS, and we call upon Apple to maintain Darwin as such, as it has been in the past. We hope that the current situation with the kernel and ACPI driver will soon be remedied so that Darwin will continue as a FOSS OS.
We are asking free software developers to please write to the *nix core of Darwin, which is the core OS for both Mac OS X and GNU-Darwin OS. Darwin OS, which underlies both systems, comprises parts from GNU, the BSDs, Mach, plus Apple's substantial contributions to the free software community. Be consistent with your philosophy and avoid linkage to proprietary binaries, such as OpenGL and CoreAudio, except when it is imperatively required in order to lead users to the values of software freedom. Under that principle, another reason to maintain compatibility with the *nix core is so that your code will be readily portable to new platforms and usable by free-software-only aficionados too.

GNU-Darwin OS is not an obsolete implementation of Darwin OS, or to be superseded by Mac OS X. We are trying to lead users to freedom, not away from it. By maintaining Darwin core compatibility your code will remain valuable as the marketplace and industry continue to evolve (trust me here), particularly as DRM-related problems continue to come forward. Of course, that means releasing your source code under a FOSS license, such as the APSL. Darwin OS is a free and open source operating system that is not going away, so try to focus your coding towards supporting that standard instead of proprietary software.

Here is the essence of the current problem with Darwin OS. Apple replaced working boot code with the following proprietary drivers, which are required for the system to boot.

Darwin-7:
AppleAPIC.kext/
Applei386genericplatform.kext/

Darwin-8:
AppleACPIplatform

In addition the kernel (xnu) has been taken proprietary in the recent revisions. We are not asking Apple to give away such things, but rather to continue maintaining Darwin OS as FOSS, which it already was. After repeated attempts by many FOSS developers to get this situation remedied, nothing has happened.
It is now time for us to better use the measures at our disposal in order to assure that Darwin OS remains free and open. If you are unhappy that xnu and the boot drivers have not been released, I would encourage you to spread your dissatisfaction to other forums, so that Apple will take notice and commit to a workable free and open Darwin OS from now on.

Moving on to coalition strategy now, some of you may not know that GNU/Linux system administration is one of my day jobs. I manage a wide range of systems. Here is a screenshot of my work desktop, so that you can see I use the same tools at work that I use at home at night on GNU-Darwin. (weekends too, so please read: I am your friend)

http://proclus.gnu-darwin.org/debian.html

The only time that I ever use proprietary software is when I am trying to help other users learn free and open source software. I'm a long time Apple and GNU/Linux user, and here is the old proof doc ;-}.

http://proclus.tripod.com/indulge.html

Now, it is embarrassing, but I want you to have a look at my cv.

http://biophysics.med.jhmi.edu/love/thesis/cv6.html

In all my years I have never used Microsoft Windows. There are only two exceptions to this statement, where I was helping Windows users to access our servers at Hopkins. Clearly, you can get a few things done without it ;-}. One of the primary reasons for founding GNU-Darwin was to help people to put Microsoft behind them, and it is definitely possible to do it now. You have many resources at your disposal to help you leave Microsoft behind. Look at the link below to see what you can do with free software. Apple, GNU-Darwin, GNU.org, and GNU/Linux will all help, and we are largely all helping together, because we have a shared foundation of free software.

http://www.gnu-darwin.org/gdc/

Microsoft is only one example. That is why we are so insistent that Apple keep true to free and open source software principles.
We should ultimately try to leave all proprietary software behind us, so that we can participate fully in the freedom and openness of the internet culture and public domain. What more do we need, when we have such a rich store of information and so many capable people at our sides?

Finally, as a scientist, it is obvious to me that this situation is relevant to current and ongoing discussion in the scientific community, and as such, it is also clear that many members of the various lists would be interested in the current state of Darwin with respect to FOSS and with respect to science. Here is the crucial point. The principles of FOSS and scientific inquiry converge. In practical terms, how else can you know what is happening in your experiments? Free and open source software and open standards best promote the scientific endeavor by mirroring its method, but they also assure that the work is accessible to the public. Freedom and openness are crucial to understanding, and foundational to the scientific endeavor, and they should not be compromised. There are a few examples of exceptions, but clearly, this matter will find further debate in the appropriate forums. We should not quell debate because a few people are offended or complaining. From a scientific perspective that would be incorrect. On that last point, I would suggest that Apple get on the right side of the debate, and they will make tremendous headway. Now is the time.

Some people will find this message annoying and divisive, and the delete button is ready at hand for them, but other people will find it interesting and engaging. All as you like. Let us not quell discussion because a few people are annoyed. Some will call this a troll, but I hope that folks will see through such name-calling. Trolls are mythological creatures, so don't believe in them. Everyone has a right to have their opinion heard, even if those opinions are divisive or unpopular.
It is clear that the idea of trolls is being used to attack freedom of expression. In fact, freedom of expression demands that we listen to the so-called trolls sometimes, and if you are civil, it helps, so don't resort to name-calling.

On cross-posting: when there are matters of urgent importance that affect a broad range of subscriber lists, courtesy must sometimes take a back seat, and cross-posting is an example of that. Cross-posting is to be encouraged when the subject of the post is on topic. Each of the various lists will respond in the way that seems appropriate to the people in that forum, and the threads on the various lists will diverge accordingly. As the threads diverge, the cross-posting addresses should be removed as needed. Relevance to all people is an unattainable goal, but messages of the broadest applicability should have the broadest reach, and discussion should not be stymied because some find it irrelevant. I have given this method due consideration; it is not trolling, not spam, not off-topic, and cross-posting is an example of something that is sometimes required according to the felt importance and relevance of a given subject matter.

In summary, freedom and openness are now the bedrock of our civilization and public welfare depends on these values, so that we should actively engage ourselves in preserving and making them happen. In keeping with these principles it is crucial to note that there are exceptions to etiquette, otherwise free expression will be overly channeled, damped, and ultimately suppressed in our forums. This notion of courtesy will certainly receive additional consideration, but meanwhile, let us together get to work on the activism now. Duly, I am amenable to valid criticism and able to respond, but please reply with kindness. Obviously, feel free to write back, copy, or send these comments along to anyone else as you see fit.

Regards,
Michael L. Love Ph.D
Department of Biophysics and Biophysical Chemistry
School of Medicine
Johns Hopkins University
725 N. Wolfe Street
Room 608B WBSB
Baltimore MD 21205-2185
Interoffice Mail: 608B WBSB, SoM
office: 410-614-2267
lab: 410-614-3179
fax: 410-502-6910
cell: 443-824-3451
http://www.gnu-darwin.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFEpIl6u0oI3iz5oZcRAtpQAJ9X7D6kq1vmWKXkG/3LBvx3gGrK1QCZAbgI
8Ww6QABLiZtmFmS9Ekea5nI=
=a0Oy
-----END PGP SIGNATURE-----

From wlagmay at yanbulink.net Sun Jul 2 13:33:02 2006
From: wlagmay at yanbulink.net (Wennie V. Lagmay)
Date: Sun Jul 2 13:32:58 2006
Subject: [LARTC] private to public IP
Message-ID: <002c01c69dcb$475c96d0$7819a8c0@MYNOTEBOOK>

Hi all,

I want to create a log on iptables wherein to store and to identify which private IP is connected on a public IP on a certain date and time. Can you help me on this?

Thanks,

Wennie

From rajeshmahajan09 at gmail.com Sun Jul 2 21:31:22 2006
From: rajeshmahajan09 at gmail.com (Rajesh Mahajan)
Date: Sun Jul 2 21:31:13 2006
Subject: [LARTC] IFB working
Message-ID:

How to use IFB as a replacement for IMQ?

There is not much documentation about it. Please explain with an example.

--
Failure seldom stops you. What stops you is the fear of failure.

From rune.kock at gmail.com Sun Jul 2 22:53:46 2006
From: rune.kock at gmail.com (Rune Kock)
Date: Sun Jul 2 22:53:36 2006
Subject: [LARTC] IFB working
In-Reply-To:
References:
Message-ID:

> How to use IFB as replacement of IMQ
>
> There is not much documentation about it
> Please explain with example

These are the docs that I have been able to find.

http://linux-net.osdl.org/index.php/IFB
http://marc.theaimsgroup.com/?l=linux-netdev&m=110712327422706&w=2
http://www.mail-archive.com/netdev@vger.kernel.org/msg04846.html
http://www.mail-archive.com/netdev@vger.kernel.org/msg04847.html
http://www.mail-archive.com/netdev@vger.kernel.org/msg04900.html
http://www.mail-archive.com/netdev@vger.kernel.org/msg04901.html

Rune

From alex at samad.com.au Mon Jul 3 00:35:14 2006
From: alex at samad.com.au (Alexander Samad)
Date: Mon Jul 3 00:35:07 2006
Subject: [LARTC] private to public IP
In-Reply-To: <002c01c69dcb$475c96d0$7819a8c0@MYNOTEBOOK>
References: <002c01c69dcb$475c96d0$7819a8c0@MYNOTEBOOK>
Message-ID: <20060702223514.GC1743@hufpuf.lan1.hme1.samad.com.au>

On Sun, Jul 02, 2006 at 02:33:02PM +0300, Wennie V. Lagmay wrote:
> Hi all,
> I want to create a log on Iptables wherein to store and to identify which
> private Ip is connected on public Ip on a certain date and time. Can you
> help me on this

tcpdump

> Thanks,
>
> Wennie

From kajtek at biezanow.net Mon Jul 3 00:46:21 2006
From: kajtek at biezanow.net (Kajetan Staszkiewicz)
Date: Mon Jul 3 00:46:19 2006
Subject: [LARTC] private to public IP
In-Reply-To: <002c01c69dcb$475c96d0$7819a8c0@MYNOTEBOOK>
References: <002c01c69dcb$475c96d0$7819a8c0@MYNOTEBOOK>
Message-ID: <200607030046.25194.kajtek@biezanow.net>

On Sunday, 2 July 2006 13:33, Wennie V. Lagmay wrote:
> I want to create a log on Iptables wherein to store and to identify which
> private Ip is connected on public Ip on a certain date and time. Can you
> help me on this

Maybe ulog?

--
| pozdrawiam / greetings | powered by Trustix, Gentoo and FreeBSD |
| Kajetan Staszkiewicz  | jabber,email,www: vegeta()tuxpowered net |
| Vegeta                | IMQ devnames: http://www.tuxpowered.net  |
`------------------------^------------------------------------------'
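Wennie's question has two short answers above (tcpdump, ulog). As an added example that is not from any of the posters, here is the plain iptables LOG route: log the first packet of every new connection forwarded from the private LAN before NAT rewrites the source, so the kernel log carries "time, private address, public destination" on one line per connection, then a parser that pulls those fields back out. The rate limit on the LOG rule is there so a host on the LAN cannot fill the log by opening connections as fast as it can. The LAN range 192.168.1.0/24, the interface names, the chain name NATLOG and the sample log lines are all mine; the sample lines are constructed in the standard LOG target format, not captured from a real box.

```shell
#!/bin/sh
# Added example, not from the thread: log the first packet of each new
# connection from the private LAN as it is forwarded out through the NAT
# box, then pull "time, private address, public address" out of the log.
# Assumptions: LAN is 192.168.1.0/24 on eth1, the public side is eth0, and
# SNAT/MASQUERADE is already configured in POSTROUTING. Names are mine.
DRY_RUN="${DRY_RUN:-1}"
ipt() { if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }

# nat_log_rules LAN_CIDR LAN_IF WAN_IF
nat_log_rules() {
    lan=$1; lan_if=$2; wan_if=$3
    # Log in FORWARD, before POSTROUTING NAT rewrites the source, so SRC=
    # is still the private address; "state NEW" keeps it to one line per
    # connection; the limit match caps how fast a LAN host can grow the log.
    ipt -N NATLOG 2>/dev/null
    ipt -F NATLOG
    ipt -A NATLOG -m limit --limit 50/s --limit-burst 100 -j LOG --log-prefix "NAT-NEW: " --log-level info
    ipt -A FORWARD -i "$lan_if" -o "$wan_if" -s "$lan" -m state --state NEW -j NATLOG
}

# Read kernel LOG lines on stdin, print "Mon DD HH:MM:SS SRC DST PROTO DPT".
# Usage on a real box: grep 'NAT-NEW:' /var/log/kern.log | parse_nat_log
parse_nat_log() {
    awk '/NAT-NEW:/ {
        split("", f)
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
        }
        if (("SRC" in f) && ("DST" in f)) {
            dpt = ("DPT" in f) ? f["DPT"] : "-"
            print $1, $2, $3, f["SRC"], f["DST"], f["PROTO"], dpt
        }
    }'
}

# Constructed sample lines in the LOG target format (not real logs); the
# third line is unrelated kernel noise the parser must ignore.
SAMPLE_LOG='Jul  2 13:33:02 gw kernel: NAT-NEW: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4242 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  2 13:33:05 gw kernel: NAT-NEW: IN=eth1 OUT=eth0 SRC=192.168.1.31 DST=198.51.100.9 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=17 PROTO=UDP SPT=41000 DPT=53 LEN=56
Jul  2 13:33:06 gw kernel: martian source 10.0.0.1 from 192.168.1.99, on dev eth1'

nat_log_report() {
    printf '%s\n' "$SAMPLE_LOG" | parse_nat_log
}

nat_log_rules 192.168.1.0/24 eth1 eth0
nat_log_report
```

If the question is the other way round, which public address a private host was translated to, that is in the connection tracking table ("cat /proc/net/ip_conntrack" on a 2.6 kernel of that era) rather than in a LOG line; the LOG rule records the private source and the public destination, which is what the timestamped "who talked to whom" record needs.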
From: rajeshmahajan09 at gmail.com (Rajesh Mahajan)
Date: Mon Jul 3 05:37:45 2006
Subject: [LARTC] IFB working
In-Reply-To:
References:
Message-ID:

All these documents have one line

action mirred egress redirect dev dummy0

What I can understand out of this is that all packets in egress of device are being redirected to dummy0, whereas the need is to inject dummy0 with packets in ingress of the device so that shaping can be done for packets storming in for our system and not the packets leaving our system. Policing can be done but here the requirement is for Shaping (queueing).

With IMQ ingress shaping does work fine, but the only question I have is how to shape packets coming in ingress of the device. I am enclosing my sample script; suggest any changes that I can make to achieve the results.

IP ADDRESS on which shaping needs to be done: 10.1.1.15 (host running the script)
IP ADDRESS from which packets are coming in ingress of eth0 which needs to be shaped: 10.1.1.100

Let me know the modifications required so that I am able to shape packets destined for my system (10.1.1.15).

kernel version: 2.6.16-2-686
iproute2 version: iproute2-ss060323
OS: Debian

#!/bin/bash
export TC="/sbin/tc"
$TC qdisc del dev ifb0 root
$TC qdisc add dev ifb0 root handle 1: htb default 2
$TC class add dev ifb0 parent 1: classid 1:2 htb rate 10Kbit ceil 12Kbit
$TC filter add dev ifb0 parent 1: protocol ip prio 2 u32 match ip src 10.1.1.100/32 flowid 1:2
ifconfig ifb0 up
$TC qdisc del dev eth0 root handle 1: htb default 2
$TC qdisc add dev eth0 root handle 1: htb default 2
$TC class add dev eth0 parent 1: classid 1:2 htb rate 10Kbit ceil 16Kbit
$TC filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip src 10.1.1.100/32 flowid 1:2 action mirred egress redirect dev ifb0

Thanks in advance :)

On 7/3/06, Rune Kock wrote:
> > How to use IFB as replacement of IMQ
> >
> > There is not much documentation about it
> > Please explain with example
>
> This is the docs that I have been able to find.
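The script in the post hooks its `mirred` filter on the root (egress) qdisc of eth0, so only packets leaving eth0 ever reach ifb0. The following is an added example, not Rajesh's script, of the arrangement the IFB documents describe for inbound traffic: an `ingress` qdisc on eth0 whose filter redirects every arriving packet to ifb0, where an ordinary HTB tree queues it. The 10.1.1.100 source and the 10kbit/12kbit figures are taken from the post; the 100mbit figure for unshaped traffic, the ifb module options and the helper are assumptions.

```sh
#!/bin/sh
# Added example: shape traffic ARRIVING on eth0 by redirecting it from
# the ingress hook to ifb0. Run with APPLY=1 as root to execute the
# commands; otherwise they are only printed so they can be reviewed.

TC="${TC:-/sbin/tc}"
DEV="eth0"                    # interface the packets come in on
IFB="ifb0"                    # pseudo-device that does the queueing
SHAPED_SRC="10.1.1.100/32"    # sender whose traffic is to be shaped (from the post)
LINK_RATE="100mbit"           # assumed; class for everything that is not shaped

ifb_ingress_cmds() {
    printf '%s\n' \
      "modprobe ifb numifbs=1 2>/dev/null || true" \
      "ip link set dev $IFB up" \
      "$TC qdisc del dev $IFB root 2>/dev/null || true" \
      "$TC qdisc add dev $IFB root handle 1: htb default 10" \
      "$TC class add dev $IFB parent 1: classid 1:10 htb rate $LINK_RATE" \
      "$TC class add dev $IFB parent 1: classid 1:20 htb rate 10kbit ceil 12kbit" \
      "$TC filter add dev $IFB parent 1: protocol ip prio 2 u32 match ip src $SHAPED_SRC flowid 1:20" \
      "$TC qdisc del dev $DEV ingress 2>/dev/null || true" \
      "$TC qdisc add dev $DEV handle ffff: ingress" \
      "$TC filter add dev $DEV parent ffff: protocol ip prio 1 u32 match u32 0 0 action mirred egress redirect dev $IFB"
}

if [ "${APPLY:-0}" = 1 ]; then
    ifb_ingress_cmds | sh -e
else
    ifb_ingress_cmds
fi
```

The decisive line is the last one: `parent ffff:` attaches the filter to the ingress qdisc, and `match u32 0 0` matches everything so that classification happens once, on ifb0. Queueing on the receiving side can only delay or drop packets that have already crossed the link; TCP senders back off in response, which is what makes this "shaping" rather than policing, but a UDP flood from 10.1.1.100 would still consume the inbound link.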
>
> http://linux-net.osdl.org/index.php/IFB
> http://marc.theaimsgroup.com/?l=linux-netdev&m=110712327422706&w=2
> http://www.mail-archive.com/netdev@vger.kernel.org/msg04846.html
> http://www.mail-archive.com/netdev@vger.kernel.org/msg04847.html
> http://www.mail-archive.com/netdev@vger.kernel.org/msg04900.html
> http://www.mail-archive.com/netdev@vger.kernel.org/msg04901.html
>
> Rune

--
Failure seldom stops you. What stops you is the fear of failure.


From: vvitkov at gmail.com (Vladimir Vitkov)
Date: Mon Jul 3 13:19:12 2006
Subject: [LARTC] routing specific traffic over specific ISP
Message-ID:

Hi list,

I have the following situation: 2 ISPs, one internal network. Load balancing between the ISPs (with mpath). I want to route specific traffic over only one of the ISPs, more specifically the ICQ traffic.

I have the following configs:

iptables -t mangle -A PREROUTING -p tcp --dport 5190 -j MARK --set-mark 0x5190
ip ru a from xxx.xxx.xxx.xxx prio 201 t isp_rules1
ip ru a fwmark 0x1 prio 301 lookup isp_rules1
ip ru a fwmark 0x5190 table isp_rules1

question: Is this correct, because it is causing more problems than before it was employed? Is the sequence ok, i.e. mark the needed traffic, then add a rule somewhere to direct it over one of the ISPs?

thanks in advance
--
http://www.netsecad.com
http://www.supportbg.com

From: martin at linux-ip.net (Martin A. Brown)
Date: Mon Jul 3 17:15:20 2006
Subject: [LARTC] Advanced routing routing table limits and rule design
In-Reply-To:
References: <44A55B87.3060101@positivenetworks.net>
Message-ID:

Good morning LARTC and, specifically, Wayne,

 : : I am trying to determine how to best increase the number of
 : : routing tables available in linux 2.6 to more than 255.
 :
 : You are in good company. The question seems to come up with some
 : frequency [0]...I'm beginning to think that it needs to be an
 : FAQ.

Perhaps this will no longer be an FAQ. Since I just answered this question late last week, and my answer is now "wrong", I thought I would post a followup message.

 : Sadly, I haven't heard of anybody yet having done this, although
 : one of the key developers of the kernel VLAN code (Ben Greear)
 : has recently requested development on this point [1].

Just today, Patrick McHardy has posted a set of patches [0] [1] which accommodate the desire for more routing tables.

Good luck and enjoy!

-Martin

 [0] http://marc.theaimsgroup.com/?t=115191334700002&r=1&w=2
 [1] http://marc.theaimsgroup.com/?l=linux-netdev&m=115191325909208&w=2
     http://marc.theaimsgroup.com/?l=linux-netdev&m=115191325901440&w=2
     http://marc.theaimsgroup.com/?l=linux-netdev&m=115191326012390&w=2
     http://marc.theaimsgroup.com/?l=linux-netdev&m=115191325901420&w=2
     http://marc.theaimsgroup.com/?l=linux-netdev&m=115191325911007&w=2

--
Martin A. Brown
http://linux-ip.net/


From: e1605project at hotmail.com (*~ r a K u ~ *)
Date: Mon Jul 3 20:21:35 2006
Subject: [LARTC] Can i attach another qdisc under classes or root qdisc?
In-Reply-To:
Message-ID:

An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060704/433a7a07/attachment.html

From: thiago at vinhas.org (Thiago Vinhas)
Date: Tue Jul 4 04:24:42 2006
Subject: [LARTC] multipath routing question
Message-ID: <200607032327.55816.thiago@vinhas.org>

Hi,

I was reading some old posts on this list, and found this post (http://mailman.ds9a.nl/pipermail/lartc/2005q1/014963.html) with a link for an ip route script that is basically what I need.

My question is: when adding ip route rules, should I remove the traditional default gateway of my linux router?

Regards,
Thiago Vinhas

From: timathewbrown at yahoo.com (Mathew Brown)
Date: Tue Jul 4 15:30:52 2006
Subject: [LARTC] Simple Rule to Cap P2P Uploads
In-Reply-To: <1151762030.6342.4.camel@ccja.localhost>
Message-ID: <20060704133059.94157.qmail@web55704.mail.re3.yahoo.com>

Thanks for your reply Nikolay. I feel my first post was somewhat unclear. I hope the following information clears things up a little more:

1) The machine that I am trying to run tc on has a single interface that connects it to the rest of the network.

2) I sometimes have to ssh and scp files from that machine.

3) The machine runs various P2P applications. I don't want the sum of their uploads to exceed 3 KB/s.

4) As you mentioned, my ADSL uplink is 64000 bps.

5) The machine that I have tc running on and the machine with the P2P uploads are the same machine.

Thanks for your comments. I'll try to check out the kbps vs. kbits. But is the idea of what I'm trying to do now more clear?

Nikolay Kichukov wrote:
> Hi Mathew,
> your adsl uplink is 64000 bps, correct?
>
> 102400kbps > 64kbps
> 3kbps != 3KB/sec
>
> Another point, tc syntax is 102400kbit, not 102400kbps (as far as I tested that).
>
> 3KB = 3*8 kbit
>
> Test that and let us know if this helps.
>
> -Nik
>
> On Wed, 2006-06-28 at 09:50 -0700, Mathew Brown wrote:
> > Hi,
> > I'm new at traffic control and was reading up on HTB and using it to
> > put an upper limit on traffic. I have a 256k DSL with 64k upload
> > (which translates to about 5/6KB uploads). The machine running the
> > P2P applications keeps filling up the 64K so my browsing from other
> > machines in the network ends up being very slow. Since there are
> > several P2P applications, I wanted to set the entire upload cap to
> > something like 3KB/s so it doesn't disrupt browsing. However, I would
> > also like to ssh and scp from this machine without having an upload
> > cap. The machine has a single interface to the network: eth0.
> > I tried the following tc lines but it appears to affect both the P2P
> > traffic and my ssh traffic, resulting in a very slow ssh sessions:
> >
> > tc qdisc add dev eth0 root handle 1: htb default 3
> > tc class add dev eth0 parent 1: classid 1:1 htb rate 102400kbps ceil 102400kbps
> > tc class add dev eth0 parent 1:1 classid 1:2 htb rate 102400kbps ceil 102400kbps
> > tc class add dev eth0 parent 1:1 classid 1:3 htb rate 3kbps ceil 3kbps
> > tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip dport 22 0xffff flowid 1:2
> >
> > Any ideas? Thanks for your time.

From: abhishekm at cdac.in (Abhishek Misra)
Date: Wed Jul 5 11:04:38 2006
Subject: [LARTC] wifi network performance is degrading with iproute2
Message-ID:

Hello,

I used iproute2 to do iif specific routing on wifi routers with 2 wifi 802.11b interfaces on non overlapping interfaces.

I set rules as follows on router-2 (shown below):

use table 100 if incoming interface is wlan0
use table 200 if incoming interface is wlan1
all routes in table 100 have wlan1 as oif
all routes in table 200 have wlan0 as oif

           --wlan0--            --wlan0----
router-1 +          + router-2 +            + router-3
         +          +          +            +
           --wlan1--            --wlan1----

(actual setup used 6 routers linearly)

Theory says that using 2 interfaces on different channels and ensuring that data received from one interface is forwarded on another will increase performance. I did not observe the same. I found the performance reducing by 1.5 times when this static rule based routing is compared against OLSR Protocol. I used iperf for measurements. Both TCP and UDP performance was low.

Please let me know your views on this. Is rule and multiple table lookup very time consuming?


From: sebastian at wircomargentina.com.ar (Sebastian Muniz)
Date: Wed Jul 5 21:32:52 2006
Subject: [LARTC] kernel udp rate limit
Message-ID: <44AC13EB.7080007@wircomargentina.com.ar>

Hi List.
First post, be gentle please.
Is there any limit in the linux UDP rate?

I am using linux kernel 2.6 and iperf to measure bandwidth between two endpoints connected by 100 Mbits ethernet.
Running (as root) iperf -u -s and iperf -u -c always gives me 1.05 Mbits/seg even when run in the same machine.
Can somebody clarify this?

Thanks in advance.
Sebastian

From: muthukumar at gmail.com (Muthukumar S)
Date: Wed Jul 5 21:49:18 2006
Subject: [LARTC] kernel udp rate limit
In-Reply-To: <44AC13EB.7080007@wircomargentina.com.ar>
References: <44AC13EB.7080007@wircomargentina.com.ar>
Message-ID:

iperf --help

Client specific:
  -b, --bandwidth #[KM]    for UDP, bandwidth to send at in bits/sec
                           (default 1 Mbit/sec, implies -u)

If you wanted to push 5 Mbit/sec you would say "iperf -c 1.0.0.1 --udp --bandwidth 5M"

On 7/5/06, Sebastian Muniz wrote:
> Hi List.
> First post, be gentle please.
> Is there any limit in the linux UDP rate?
>
> I am using linux kernel 2.6 and iperf to measure bandwidth
> between two endpoints connected by 100 Mbits ethernet.
> Running (as root) iperf -u -s
> and iperf -u -c always gives me 1.05 Mbits/seg
> even when run in the same machine.
> Can somebody clarify this?
>
> Thanks in advance.
> Sebastian

From: russell-tcatm at stuart.id.au (Russell Stuart)
Date: Thu Jul 6 03:43:29 2006
Subject: [LARTC] Re: [PATCH 0/2] NET: Accurate packet scheduling for ATM/ADSL
In-Reply-To: <44AA6D25.9000707@trash.net>
References: <1150278004.26181.35.camel@localhost.localdomain> <1150286766.5233.15.camel@jzny2> <1150287983.3246.27.camel@ras.pc.brisbane.lube> <1150292693.5197.1.camel@jzny2> <1150843471.17455.2.camel@ras.pc.brisbane.lube> <15653CE98281AD4FBD7F70BCEE3666E53CD54A@comxexch01.comx.local> <1151000966.5392.34.camel@jzny2> <1151066247.4217.254.camel@ras.pc.brisbane.lube> <449C06E3.3090406@trash.net> <1151282720.4210.46.camel@ras.pc.brisbane.lube> <449FC0AF.1050904@trash.net> <44A0CE01.4010109@stuart.id.au> <44AA6D25.9000707@trash.net>
Message-ID: <1152146376.4215.59.camel@ras.pc.brisbane.lube>

On Tue, 2006-07-04 at 15:29 +0200, Patrick McHardy wrote:
> Unfortunately I still didn't get to cleaning them up, so I'm sending
> them in their preliminary state. It's not much that is missing, but
> the netem usage of skb->cb needs to be integrated better, I failed
> to move it to the qdisc_skb_cb so far because of circular includes.

Cleanups aside, architecturally the bulk of your patch looks like a no-brainer to me. The calculation of packet length should be in one place. Caching it in skb->cb was a nice touch.

> But nothing unfixable. I'm mostly interested if the current size-tables
> can express what you need for ATM, I wasn't able to understand the
> big comment in tc_core.c in your patch.

Unfortunately you do things in the wrong order for ATM. See:

  http://mailman.ds9a.nl/pipermail/lartc/2006q1/018314.html

for an overview of the problem, and then the attached email for a detailed description of how the current patch addresses it.

It is a trivial fix. As I said earlier, RTAB and STAB contain the same numbers, just scaled differently. The ATM patch stuffed around with RTAB.
With your patch in place it will have to do exactly the same thing with STAB, because RTAB and STAB carry the same data. So to me the two patches seem orthogonal.

One observation is the size optimisation you applied to STAB, making it variable length, could also be applied to RTAB. In fact it should be. Then they would be identical, apart from the scaling. Even the lookup operation (performed in qdisc_init_len in your patch) would be identical.

However, now you lot have made me go away and think, I have another idea on how to attack this. Perhaps it will be more palatable to you. It would replace RTAB and STAB with a 28 byte structure for most protocol stacks - well, all I can think of off the top of my head, anyway. RTAB would have to remain for backwards compatibility, of course.

[Attached message: Russell Stuart, "Re: Getting ATM patches into the kernel", Fri, 19 May 2006 22:59:34 +1000, 10566 bytes: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060706/fff4a390/attachment.mht]

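The "wrong order" Russell refers to is that an ATM link sends whole cells, so the packet size has to be rounded up to the wire length before any rate or size table is consulted. The following is an added example, not code from either patch, that carries that calculation through in plain shell so the size-dependent overhead can be seen; the 53/48/8-byte figures are standard ATM/AAL5 constants, and the per-link encapsulation overhead is left as a parameter because it differs between PPPoA, PPPoE and bridged setups.

```sh
#!/bin/sh
# Added example: IP length -> bytes on an ATM (AAL5) wire. Every frame
# gets an 8-byte AAL5 trailer, is padded to a multiple of 48 bytes of
# cell payload, and each 48-byte payload rides in a 53-byte cell.
# Constants are standard ATM figures, not numbers from the list posts.

ATM_CELL=53          # bytes on the wire per cell
ATM_PAYLOAD=48       # payload bytes per cell
AAL5_TRAILER=8       # AAL5 trailer appended to every frame

# atm_wire_len <ip_len> [encap_overhead]  -> bytes actually transmitted
atm_wire_len() {
    len=$1; overhead=${2:-0}
    payload=$((len + overhead + AAL5_TRAILER))
    cells=$(( (payload + ATM_PAYLOAD - 1) / ATM_PAYLOAD ))   # ceiling division
    echo $((cells * ATM_CELL))
}

# Integer percentage of link capacity lost to padding and cell headers
# for a packet of the given size: shows why small packets hurt most.
atm_overhead_pct() {
    wire=$(atm_wire_len "$1" "${2:-0}")
    echo $(( (wire - $1) * 100 / $1 ))
}

# Print a small table for eyeballing; this is the mapping a size table
# (STAB) would have to encode as a function of packet length.
atm_table() {
    for sz in 40 41 64 128 576 1500; do
        printf '%5d bytes -> %5d on wire (%d%% overhead)\n' \
            "$sz" "$(atm_wire_len "$sz" "${1:-0}")" "$(atm_overhead_pct "$sz" "${1:-0}")"
    done
}
```

The 40/41-byte pair in `atm_table` is the edge case that makes a linear rate table wrong for ATM: one extra byte pushes the frame into a second cell and doubles its cost on the wire, which is why the rounding has to happen before the lookup rather than being approximated by a fixed per-packet constant.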
From: hijacker at oldum.net (Nikolay Kichukov)
Date: Thu Jul 6 08:32:19 2006
Subject: [LARTC] Simple Rule to Cap P2P Uploads
In-Reply-To: <20060704133059.94157.qmail@web55704.mail.re3.yahoo.com>
References: <20060704133059.94157.qmail@web55704.mail.re3.yahoo.com>
Message-ID: <978458167.3856.1.camel@hpa.oldum.net>

Hello Mathew,

Yes, it is all clear and your setup should work provided you changed the few tiny bits I suggested.

Best,
-Nik

On Tue, 2006-07-04 at 06:30 -0700, Mathew Brown wrote:
> Thanks for your reply Nikolay. I feel my first post was somewhat
> unclear. I hope the following information clears things up a little
> more:
>
> 1) The machine that I am trying to run tc on has a single interface
> that connects it to the rest of the network.
>
> 2) I sometimes have to ssh and scp files from that machine.
>
> 3) The machine runs various P2P applications. I don't want the sum of
> their uploads to exceed 3 KB/s.
>
> 4) As you mentioned, my ADSL uplink is 64000 bps
>
> 5) The machine that I have tc running on and the machine with the P2P
> uploads are the same machine.
>
> Thanks for your comments. I'll try to check out the kbps vs. kbits.
> But is the idea of what I'm trying to do now more clear?
>
> Nikolay Kichukov wrote:
> > Hi Mathew,
> > your adsl uplink is 64000 bps, correct?
> >
> > 102400kbps > 64kbps
> > 3kbps != 3KB/sec
> >
> > Another point, tc syntax is 102400kbit, not 102400kbps (as far as I
> > tested that).
> >
> > 3KB = 3*8 kbit
> >
> > Test that and let us know if this helps.
> >
> > -Nik
> >
> > On Wed, 2006-06-28 at 09:50 -0700, Mathew Brown wrote:
> > > Hi,
> > > I'm new at traffic control and was reading up on HTB and using it to
> > > put an upper limit on traffic. I have a 256k DSL with 64k upload
> > > (which translates to about 5/6KB uploads). The machine running the
> > > P2P applications keeps filling up the 64K so my browsing from other
> > > machines in the network ends up being very slow.
> > > Since there are
> > > several P2P applications, I wanted to set the entire upload cap to
> > > something like 3KB/s so it doesn't disrupt browsing. However, I would
> > > also like to ssh and scp from this machine without having an upload
> > > cap. The machine has a single interface to the network: eth0. I
> > > tried the following tc lines but it appears to affect both the P2P
> > > traffic and my ssh traffic, resulting in a very slow ssh sessions:
> > >
> > > tc qdisc add dev eth0 root handle 1: htb default 3
> > > tc class add dev eth0 parent 1: classid 1:1 htb rate 102400kbps ceil 102400kbps
> > > tc class add dev eth0 parent 1:1 classid 1:2 htb rate 102400kbps ceil 102400kbps
> > > tc class add dev eth0 parent 1:1 classid 1:3 htb rate 3kbps ceil 3kbps
> > > tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip dport 22 0xffff flowid 1:2
> > >
> > > Any ideas? Thanks for your time.

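For the thread above, the following is an added example, not Mathew's or Nikolay's script, of an egress HTB tree for a single-NIC host that caps everything at 3 KB/s except SSH/SCP. One fact worth having in front of you when reading the thread: in tc's own unit syntax `kbit` means kilobits per second and `kbps` means kilobytes per second, so 3 KB/s can be written as either `3kbps` or `24kbit`; the script converts explicitly and emits only `kbit` so the arithmetic stays visible. The 64 kbit/s uplink and 3 KB/s cap come from the thread; the root ceiling just under the line rate, the class numbers and the helper are assumptions.

```sh
#!/bin/sh
# Added example: cap all uploads except SSH/SCP on a single-interface
# host. Prints tc commands; pipe into sh as root to apply.

DEV="${DEV:-eth0}"
UPLINK_KBIT=60       # assumed: a little under the 64 kbit/s line so the
                     # queue forms on this box rather than in the modem
P2P_KBYTES=3         # wanted cap for everything else, in kilobytes/s

# kbytes_to_kbit <KB/s> -> kbit/s (tc would also accept "<n>kbps" for KB/s)
kbytes_to_kbit() { echo $(( $1 * 8 )); }

htb_cap_cmds() {
    p2p_kbit=$(kbytes_to_kbit "$P2P_KBYTES")
    ssh_kbit=$((UPLINK_KBIT - p2p_kbit))     # guaranteed share for SSH
    printf '%s\n' \
      "tc qdisc del dev $DEV root 2>/dev/null || true" \
      "tc qdisc add dev $DEV root handle 1: htb default 30" \
      "tc class add dev $DEV parent 1: classid 1:1 htb rate ${UPLINK_KBIT}kbit ceil ${UPLINK_KBIT}kbit" \
      "tc class add dev $DEV parent 1:1 classid 1:20 htb rate ${ssh_kbit}kbit ceil ${UPLINK_KBIT}kbit prio 0" \
      "tc class add dev $DEV parent 1:1 classid 1:30 htb rate ${p2p_kbit}kbit ceil ${p2p_kbit}kbit prio 1" \
      "tc filter add dev $DEV parent 1: protocol ip prio 1 u32 match ip dport 22 0xffff flowid 1:20" \
      "tc filter add dev $DEV parent 1: protocol ip prio 1 u32 match ip sport 22 0xffff flowid 1:20"
}
```

Class 1:30 is the default, so every flow that no filter claims (the P2P clients) shares the 24 kbit/s cap, while 1:20 may borrow up to the full uplink. The two filters cover both directions of SSH on this host: `dport 22` for sessions and scp started from the machine, `sport 22` for the replies of sessions opened to it. Check the result with `tc -s class show dev eth0`: if bytes keep accumulating in 1:30 during an scp, the filter is not matching and the traffic is falling into the default class.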
From: devnull at plugthebox.net (devnull@plugthebox.net)
Date: Thu Jul 6 08:43:44 2006
Subject: [LARTC] routing ssh to secondary uplink
Message-ID: <1152168560.16154.0.camel@localhost.localdomain>

Hello,

I'm following this HOWTO http://linux-ip.net/html/adv-multi-internet.html to route outgoing SSH from a secondary ISP. I can see using tcpdump, jnettop, iftop that when one of the computers located in my internal network is trying to SSH to a box online using SSH, packets are routed via the secondary internet ethernet card. However, packets don't seem to know how to get back.

my script:

route add default gw 10.2.2.1
ip route add table 1 default via SECONDARYGW
iptables -t mangle -A PREROUTING -p tcp --dport 22 -s 192.168.1.0/24 -j MARK --set-mark 1
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to MYSECONDARYIP
iptables -t nat -A POSTROUTING -o $EXT_NIC -s 192.168.1.0/24 -j SNAT --to MYPRIMARYIP
ip rule add fwmark 1 table 1
ip route flush cache

Sincerely,
--
devnull@plugthebox.net

From: t.luettgert at pressestimmen.de (Torsten Luettgert)
Date: Thu Jul 6 12:29:58 2006
Subject: [LARTC] routing ssh to secondary uplink
In-Reply-To: <1152168560.16154.0.camel@localhost.localdomain>
References: <1152168560.16154.0.camel@localhost.localdomain>
Message-ID: <1152181807.4365.7.camel@scaramouche.combox.de>

On Do, 2006-07-06 at 09:49 +0300, devnull@plugthebox.net wrote:
> Hello,
> I'm following this HOWTO
> http://linux-ip.net/html/adv-multi-internet.html to route outgoing SSH
> from a secondary ISP. I can see using tcpdump, jnettop, iftop that when
> one of the computers located in my internal network is trying to SSH to
> a box online using SSH, packets are routed via the secondary internet
> ethernet card. However, packets don't seem to know how to get back.

I understand the two uplinks have different ethernet interfaces. Did you disable rp_filter? Perhaps

echo 0 > /proc/sys/net/ipv4/conf/(interface for ssh)/rp_filter

would help. You can also use tcpdump on that interface to see if the return packets arrive at your box, and on the inner interface to see if they leave it.

Regards,
Torsten

From: devnull at plugthebox.net (devnull@plugthebox.net)
Date: Thu Jul 6 12:46:42 2006
Subject: [LARTC] routing ssh to secondary uplink
In-Reply-To: <1152181807.4365.7.camel@scaramouche.combox.de>
References: <1152168560.16154.0.camel@localhost.localdomain> <1152181807.4365.7.camel@scaramouche.combox.de>
Message-ID: <1152183126.16154.27.camel@localhost.localdomain>

Hello,

That worked. thanks =)

On Thu, 2006-07-06 at 12:30 +0200, Torsten Luettgert wrote:
> On Do, 2006-07-06 at 09:49 +0300, devnull@plugthebox.net wrote:
> > Hello,
> > I'm following this HOWTO
> > http://linux-ip.net/html/adv-multi-internet.html to route outgoing SSH
> > from a secondary ISP. I can see using tcpdump, jnettop, iftop that when
> > one of the computers located in my internal network is trying to SSH to
> > a box online using SSH, packets are routed via the secondary internet
> > ethernet card. However, packets don't seem to know how to get back.
>
> I understand the two uplinks have different ethernet interfaces.
> Did you disable rp_filter? Perhaps
>
> echo 0 > /proc/sys/net/ipv4/conf/(interface for ssh)/rp_filter
>
> would help. You can also use tcpdump on that interface to see if
> the return packets arrive at your box, and on the inner interface
> to see if they leave it.
>
> Regards,
> Torsten

--
devnull@plugthebox.net

From: derek at interdart.co.uk (derek)
Date: Thu Jul 6 13:17:32 2006
Subject: [LARTC] Logging dropped out-of-sequence packets on a load balanced router
Message-ID: <44ACF154.6040308@interdart.co.uk>

Hi,

I am trying to get information on out-of-sequence packets being dropped on my load balanced multilink router. Can anyone give me any information on how best to log/track such packets?

The router is based on Leaf Bering uClib 2.4 (kernel 2.4.26).

The load balancing is being done using teql over a number of gre tunnels, each on a separate ethernet ADSL to a central box where the gre tunnels terminate and the packet stream hits the Internet.

If one of the ADSL channels suffers from high latency then it seems that packets get dropped - I assume due to excessive packets being out of sequence on the remote end. The effect is particularly noticeable if one ADSL channel has a higher round trip latency than the others, or under heavy load if one channel has a lower speed.

Best regards,
Derek

From: bogdan at bistrita-net.ro (Bogdan Hojda)
Date: Thu Jul 6 15:12:16 2006
Subject: [LARTC] Real time traffic Grapher
In-Reply-To: <44A52945.1030204@netvision.com.py>
References: <44A52945.1030204@netvision.com.py>
Message-ID: <44AD0C3D.1040201@bistrita-net.ro>

Julio E. Gonzalez P. wrote:
> Just check-out bandwidthd. Excellent tool! A little "abandonware" now...
> but just works.
>
> http://bandwidthd.sourceforge.net/
>
> Julio.

Hello.

I'm using bandwidthd too, but I have the following problem: every time I restart the computer, or restart just the bandwidthd daemon, I lose all the graphs that bandwidthd drew, and "counting" starts from 0. What should I do? I'm using the standard bandwidthd.conf from Debian/Ubuntu distros, I modified just subnet and dev parameters.

Thanks.


From: leeweejin at hotmail.com (lee weejin)
Date: Thu Jul 6 18:35:42 2006
Subject: [LARTC] Optimization on Bandwidth Management-L7 filtering?
In-Reply-To: <1151342066.30132.9.camel@localhost>
Message-ID:

>>>Try marking only first/new packages/connections, that will be analyzed by
>>>layer-7 filter

Question: Is layer-7 filtering able to perform marking of the first/new packages/connections? May I know how to do that? Thanks.
>From: Andraz Sraka
>To: lee weejin
>CC: lartc@mailman.ds9a.nl
>Subject: Re: [LARTC] Optimization on Bandwidth Management-L7 filtering?
>Date: Mon, 26 Jun 2006 19:14:26 +0200
>
>re
>
>On Sun, 2006-06-11 at 04:32 +0000, lee weejin wrote:
> > Since all the incoming packets was checked one by one (it is time
> > consuming and will cause the processing delay if it is handling more
> > than 50 PC at a time), thus i am thinking that is there any way to
> > have a random checking on incoming packets? Script or tools? so that
> > it wont check all the incoming packets one follow by another one.
>
>Try marking only first/new packages/connections, that will be analyzed
>by layer-7 filter in another chain and there do whole connecting mark
>(-j CONNMARK --mark XX). Those mark packages/connections can be then
>picked up by 'tc' for prioritizing traffic or netfilter for
>rejecting/dropping/.. traffic.
>
>regards,
> Andraz
>
>--
>BOFH excuse #62:
>
>need to wrap system in aluminum foil to fix problem

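Andraz's suggestion is to let the layer-7 match see only connections that have not been classified yet and to remember the verdict in conntrack. The following is an added example, not rules from either poster, of that chain layout: the connection mark is restored first, packets that already carry a mark skip inspection, and only unmarked packets go through the l7 chain, which saves its decision with CONNMARK so `tc` can pick it up with the `fw` classifier. The `-m layer7 --l7proto` match is the out-of-tree l7-filter project's syntax; the protocol names, mark value and class id are assumptions.

```sh
#!/bin/sh
# Added example: inspect a connection with layer-7 matching only until it
# is classified, then reuse the connection mark for every later packet.
# Prints the rules; pipe into sh as root on a kernel with l7-filter.

P2P_MARK=0x10                      # assumed mark for P2P connections
L7_PROTOS="bittorrent edonkey"     # assumed l7-filter pattern names
DEV="${DEV:-eth0}"

connmark_rules() {
    printf '%s\n' \
      "iptables -t mangle -N L7CLASSIFY" \
      "iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark" \
      "iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT" \
      "iptables -t mangle -A PREROUTING -j L7CLASSIFY"
    # Each l7 match sets the packet mark; l7-filter itself stops looking
    # at a connection once it has matched or given up on it.
    for proto in $L7_PROTOS; do
        printf '%s\n' \
          "iptables -t mangle -A L7CLASSIFY -m layer7 --l7proto $proto -j MARK --set-mark $P2P_MARK"
    done
    printf '%s\n' \
      "iptables -t mangle -A L7CLASSIFY -m mark ! --mark 0 -j CONNMARK --save-mark" \
      "tc filter add dev $DEV parent 1: protocol ip prio 1 handle $P2P_MARK fw flowid 1:30"
}
```

The ACCEPT in the mangle table only ends traversal of PREROUTING for that packet; it does not bypass the filter table. Once a connection is marked, every further packet costs one conntrack lookup and one mark comparison instead of a pattern scan, which is the saving lee weejin was after. The `tc filter ... fw` line assumes an HTB tree with a class 1:30 already exists on the interface.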
From: usenet at teply.info (Florian E. Teply)
Date: Thu Jul 6 22:25:55 2006
Subject: [LARTC] Translation in to german wanted??
Message-ID: <44AD71DD.10100@teply.info>

Hiya List users,

I'm rather new to this Mailinglist (about a couple of minutes to be precise ;-) ), but as I think this HOWTO is really great stuff, I just wanted to ask whether or not a translation into german language would be gladly received or not.

To be honest, it's quite a task to translate all this, but as this HOWTO helped me a lot in setting up my routing, I just wanted to give something back. And even though I'm not too much into all this (in terms of knowledge that is), I thought a translation into my native tongue could maybe help a little in spreading the word.

So, if it is your will, I would gladly try and produce yet another translation of this HOWTO ;-)

Greetings,
Florian

From: don at bowenvale.co.nz (Don Gould)
Date: Fri Jul 7 15:21:53 2006
Subject: [LARTC] Hello New MAC / DHCP Request - How to spot the presence of a new MAC address...
Message-ID: <44AE5FD8.1020307@bowenvale.co.nz>

Hi All,

How do I find out about new DHCP connections as they appear?

I want to write a script that will do some stuff based on a new ip request from a machine on my lan.

ie - new user connects to the lan, DHCP server on my Linux (debian) gateway gives them an IP, my script is run automatically to change the firewall rules and start recording their presence, or if it's an unknown user it will add their MAC to a list of unknown users.

More details of the application can be seen here: http://www.tcn.bowenvale.co.nz/component/option,com_wrapper/Itemid,23/

Cheers Don

--
Don Gould
www.thinkdesignprint.co.nz - www.tcn.bowenvale.co.nz - www.bowenvale.co.nz - SkypeMe: ThinkDesignPrint
Upcoming events: Software Freedom Day - 16 September 2006 - www.softwarefreedomday.org


From: rajeshmahajan09 at gmail.com (Rajesh Mahajan)
Date: Sat Jul 8 09:40:45 2006
Subject: [LARTC] IFB vs IMQ
Message-ID:

Is IFB really a replacement of IMQ? Please Guide

--
Failure seldom stops you. What stops you is the fear of failure.

From: leekembel at hotmail.com (Lee Kembel)
Date: Sat Jul 8 19:27:10 2006
Subject: [LARTC] routing multiple paths to inet
Message-ID:

I have a router used as a gateway for a small lan. I want half the machines to use one IP and half to use another IP when using SNAT to reach the internet. Both IPs are from the same ISP, same account, just different IPs. Here's what I'm trying:

------------------
LAN_IP="10.0.0.1"
LAN_IFACE="eth0"
EXT_IP_1="x.y.246.186"
EXT_IFACE_1="eth1"
EXT_IP_2="x.y.246.187"
EXT_IFACE_2="eth2"
INET_GW="x.y.246.254"
LAN_NET="10.0.0.0/16"
LAN_NET_SERVERS="10.0.0.0/24"

ip route flush table main
ip route flush table servers
ip rule add from $LAN_NET_SERVERS table servers

# First route
ip route add $INET_NET dev $EXT_IFACE_2
ip route add default via $INET_GW dev $EXT_IFACE_2

# Second route, seems similar to the first but doesn't work
ip route add $INET_NET dev $EXT_IFACE_1 table servers
ip route add default via $INET_GW dev $EXT_IFACE_1 table servers
#At this point the command above fails with "RTNETLINK answers: network unreachable"

ip route add $LAN_NET dev $LAN_IFACE
------------------

I don't understand why it says $INET_GW is on an unreachable network when I just added a route to that network ($INET_NET). I've spent hours reading and trying different things, I can't set up a route to the internet on anything but the main table (which strangely is very easy in contrast).

Help?

Lee

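Three threads on this page are the same problem seen from different sides: Vladimir's fwmark rules for ICQ over one ISP, the ssh-to-secondary-uplink thread that turned out to be rp_filter, and Lee's script above, where the `ip route add default ... table servers` command fails with "network unreachable" (note that `$INET_NET` is never assigned in the posted script, so the connected-network route it tries to add before the default is empty). The following is an added example, not code from any of the posters, that puts the pieces of a secondary uplink table in the order that works: the connected network route first, then the default via the gateway, then the source-based and fwmark-based rules, the SNAT for the second address, and the rp_filter relaxation the asymmetric return path needs. All addresses, names and the port are assumptions.

```sh
#!/bin/sh
# Added example: build a routing table for a second uplink and steer
# traffic into it by source network and by fwmark. Prints the commands;
# run with APPLY=1 as root to execute them.

TABLE="${TABLE:-servers}"            # name from /etc/iproute2/rt_tables, or a number
EXT_IFACE="${EXT_IFACE:-eth2}"
EXT_IP="${EXT_IP:-192.0.2.187}"      # second public address (assumed)
EXT_NET="${EXT_NET:-192.0.2.0/24}"   # the network the gateway lives in
EXT_GW="${EXT_GW:-192.0.2.254}"
SRC_NET="${SRC_NET:-10.0.0.0/24}"    # hosts that should use this uplink
MARK_PORT="${MARK_PORT:-22}"         # traffic type that should also use it
FWMARK=1

uplink_table_cmds() {
    printf '%s\n' \
      "ip route flush table $TABLE" \
      "ip route add $EXT_NET dev $EXT_IFACE src $EXT_IP table $TABLE" \
      "ip route add default via $EXT_GW dev $EXT_IFACE table $TABLE" \
      "ip rule add from $SRC_NET table $TABLE" \
      "iptables -t mangle -A PREROUTING -p tcp --dport $MARK_PORT -j MARK --set-mark $FWMARK" \
      "ip rule add fwmark $FWMARK table $TABLE" \
      "iptables -t nat -A POSTROUTING -o $EXT_IFACE -j SNAT --to-source $EXT_IP" \
      "sysctl -w net.ipv4.conf.$EXT_IFACE.rp_filter=0" \
      "ip route flush cache"
}

if [ "${APPLY:-0}" = 1 ]; then
    uplink_table_cmds | sh -e
else
    uplink_table_cmds
fi
```

The kernel validates `via $EXT_GW` against the routes already present in the same table, which is why the connected-network route has to go into `table servers` before the default: the main table's copy of that route does not count. Marking happens in mangle PREROUTING, before the routing decision, so the `fwmark` rule can see it; the order Vladimir asked about (mark first, then the rule) is right. Disabling rp_filter removes a spoofing check, so apply it only to the uplink interface that actually sees asymmetric traffic; kernels from 2.6.31 on offer `rp_filter=2` (loose mode), which keeps the check while tolerating replies that arrive on the other uplink.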
From: sheldonh at clue.co.za (Sheldon Hearn)
Date: Sat Jul 8 20:46:58 2006
Subject: [LARTC] Hello New MAC / DHCP Request - How to spot the presence of a new MAC address...
In-Reply-To: <44AE5FD8.1020307@bowenvale.co.nz>
References: <44AE5FD8.1020307@bowenvale.co.nz>
Message-ID: <200607082046.32174@axl.clue.co.za>

On Friday 07 July 2006 15:21, Don Gould wrote:
> ie - new user connects to the lan, DHCP server on my Linux (debian)
> gateway gives them an IP, my script is run automatically to change
> the firewall rules and start recording their presence, or if it's an
> unknown user it will add their MAC to a list of unknown users.

I'm sure you could engineer something really impressive, but you could probably get away with a lot less effort by simply tailing whatever dhcpd logs to (possibly /var/log/messages).

Ciao,
Sheldon.

--
Sheldon Hearn
IT Director
Clue Technologies (PTY) Ltd
Web: http://www.clue.co.za/
Mail: sheldonh@clue.co.za
Office: +27-21-913-8840
Mobile: +27-83-564-3276
Timezone: SAST (+0200)

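Sheldon's "just tail the log" approach, as an added example that is neither Don's nor Sheldon's code: read the DHCP server's syslog lines, pull the lease address and MAC out of each DHCPACK, and fire a hook once for every MAC not on a known list. The line layout is ISC dhcpd's (`DHCPACK on <ip> to <mac> [(<hostname>)] via <if>`); the sample lines, the known-MAC file and the hook action are constructed for the example.

```sh
#!/bin/sh
# Added example: spot unknown MAC addresses from dhcpd's DHCPACK log lines.

KNOWN_MACS="${KNOWN_MACS:-/etc/dhcp-watch/known_macs.txt}"   # one lower-case MAC per line (assumed path)

# Print "ip mac" for every DHCPACK line on stdin (MAC lower-cased).
dhcp_acks() {
    awk '/DHCPACK on / {
        for (i = 1; i <= NF; i++)
            if ($i == "on") ip = $(i+1); else if ($i == "to") mac = tolower($(i+1))
        print ip, mac
    }'
}

# unknown_macs [known_file]: read "ip mac" pairs, print those whose MAC
# is not in the known list, reporting each MAC only once.
unknown_macs() {
    awk -v known="${1:-$KNOWN_MACS}" '
        BEGIN { while ((getline l < known) > 0) seen[tolower(l)] = 1 }
        !seen[$2]++ { print $1, $2 }'
}

# Hook run for each newcomer; replace the logger call with the firewall
# change or list update wanted. Arguments: ip mac.
on_new_mac() { logger -t dhcp-watch "new MAC $2 received lease $1"; }

# Live mode: follow the log forever and act on newcomers.
watch_dhcp_log() {
    tail -F "${1:-/var/log/syslog}" | dhcp_acks | unknown_macs |
        while read -r ip mac; do on_new_mac "$ip" "$mac"; done
}

# Constructed sample of dhcpd syslog output: one known client, one unknown
# client that renews twice (must be reported once), plus non-ACK noise.
SAMPLE_LOG='Jul  7 15:21:28 gw dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
Jul  7 15:21:28 gw dhcpd: DHCPOFFER on 192.168.1.50 to 00:11:22:33:44:55 (laptop) via eth0
Jul  7 15:21:29 gw dhcpd: DHCPACK on 192.168.1.50 to 00:11:22:33:44:55 (laptop) via eth0
Jul  7 15:30:02 gw dhcpd: DHCPACK on 192.168.1.20 to AA:BB:CC:DD:EE:01 via eth0
Jul  7 15:35:10 gw dhcpd: DHCPACK on 192.168.1.50 to 00:11:22:33:44:55 (laptop) via eth0'

# Offline demonstration with a temporary known-MAC list containing only
# aa:bb:cc:dd:ee:01; prints the unknown client's "ip mac" once.
demo_unknown() {
    tmp=$(mktemp)
    printf 'aa:bb:cc:dd:ee:01\n' > "$tmp"
    printf '%s\n' "$SAMPLE_LOG" | dhcp_acks | unknown_macs "$tmp"
    rm -f "$tmp"
}
```

The MAC comes from the DHCP client and is trivially changed, so a list built this way identifies devices for convenience, not for access control; treat the "known" list as a hint and keep the firewall rules the hook installs as restrictive as the rest of the network.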
From: geoff.karl at gmail.com (Geoff Karl)
Date: Sat Jul 8 23:14:12 2006
Subject: [LARTC] Multiple VLANs containing the same ip subnet NATed on same box
Message-ID: <78f747be0607081414i5ad45c8cqe07c309bd080d0@mail.gmail.com>

I know this is not a normal request, but I would like to connect two vlans into the same box that have the same subnet on them, and then NAT them out to the Internet.

We don't need to make any connections inbound to them, but only provide outbound access.

Any suggestions on how to do this?

If I can't do it with routing then I could use something like user-mode Linux, or other virtualization software.

Thanks,
Geoff

From: geoff.karl at gmail.com (Geoff Karl)
Date: Sat Jul 8 23:39:17 2006
Subject: [LARTC] Multiple VLANs containing the same ip subnet NATed on same box
In-Reply-To: <44B023B7.20600@riverviewtech.net>
References: <78f747be0607081414i5ad45c8cqe07c309bd080d0@mail.gmail.com> <44B023B7.20600@riverviewtech.net>
Message-ID: <78f747be0607081439k476f6a92uea7725923531645e@mail.gmail.com>

On 7/8/06, Grant Taylor wrote:
> Geoff Karl wrote:
> > I know this is not a normal request, but I would like to connect two
> > vlans into the same box that have the same subnet on them, and then
> > NAT them out to the Internet.
> >
> > We don't need to make any connections inbound to them, but only
> > provide outbound access.
> >
> > Any suggestions on how to do this?
>
> Bridge the two VLAN interfaces together and assign your internal IP to
> the bridge interface. Then you will do standard NATing between your
> external interface and your bridge interface. By the way, inbound
> access will be just as easy as outbound.
>
> > If I can't do it with routing then I could use something like
> > user-mode Linux, or other virtualization software.
>
> I don't think you need anything as complicated as UML.
>
> You could even do this with 1 network interface with everything being
> VLANs.
>
> I.e.
>
> eth0.0001 VLAN for workstations
> eth0.0002 VLAN for workstations
> eth0.0003 VLAN for internet access
>
> eth0.0001 and eth0.0002 are bridged together yielding bri0
>
> bri0 internal interface
> eth0.0003 external interface
>
> NAT between bri0 and eth0.0003.
>
> If you ever added a second internet service provider, put them on
> eth0.0004 and update your routing.
>
> Grant. . . .

Thanks for the reply Grant. What would happen if workstations on the
"workstations" vlan had the same ip addresses? Can I bridge two networks
that have the same ip addresses without getting errors?

Geoff

From gtaylor at riverviewtech.net Sat Jul 8 23:39:58 2006
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Sat Jul 8 23:41:47 2006
Subject: [LARTC] Multiple VLANs containing the same ip subnet NATed on same box
In-Reply-To: <78f747be0607081414i5ad45c8cqe07c309bd080d0@mail.gmail.com>
References: <78f747be0607081414i5ad45c8cqe07c309bd080d0@mail.gmail.com>
Message-ID: <44B0262E.3010307@riverviewtech.net>

Geoff Karl wrote:
> I know this is not a normal request, but I would like to connect two
> vlans into the same box that have the same subnet on them, and then
> NAT them out to the Internet.
>
> We don't need to make any connections inbound to them, but only
> provide outbound access.
>
> Any suggestions on how to do this?

Bridge the two VLAN interfaces together and assign your internal IP to the
bridge interface. Then you will do standard NATing between your external
interface and your bridge interface. By the way, inbound access will be
just as easy as outbound.

> If I can't do it with routing then I could use something like
> user-mode Linux, or other virtualization software.

I don't think you need anything as complicated as UML.

You could even do this with 1 network interface with everything being VLANs.

I.e.

  eth0.0001 VLAN for workstations
  eth0.0002 VLAN for workstations
  eth0.0003 VLAN for internet access

  eth0.0001 and eth0.0002 are bridged together yielding bri0

  bri0      internal interface
  eth0.0003 external interface

NAT between bri0 and eth0.0003.

If you ever added a second internet service provider, put them on eth0.0004
and update your routing.

Grant. . . .

From gtaylor at riverviewtech.net Sat Jul 8 23:49:00 2006
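Grant's single-trunk layout as a script, added here as an example that is not from the thread or from any of the participants: two workstation VLANs bridged, NAT from the bridge to the internet VLAN with only reply traffic allowed back in, plus the source-MAC ebtables filter Grant describes in his next reply for a pair of stations that share an IP. Interface names, VLAN ids, the gateway address and the two MACs are assumptions; with `DRY_RUN=1` (the default) every command is printed instead of executed, so the rule set can be read before it touches a gateway.

```shell
#!/bin/sh
# Added example, not from the thread: Grant's layout (two workstation VLANs
# bridged, NAT from the bridge to the internet VLAN) plus the ebtables
# source-MAC filter from his later reply. Interface names, VLAN ids, the
# gateway address and the MACs below are assumptions. With DRY_RUN=1 (the
# default) commands are printed, not run; DRY_RUN=0 applies them.
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

TRUNK=eth0
WS_VLANS="1 2"            # workstation VLANs (Grant's eth0.0001 and eth0.0002)
WAN_VLAN=3                # internet VLAN (eth0.0003)
BR=br0                    # Grant's bri0
LAN_IP=192.168.0.254/24   # assumed gateway address on the bridge

# 1. VLAN sub-interfaces on the trunk, and a bridge over the workstation VLANs.
#    (In 2006 this was vconfig + brctl; iproute2 does both today.)
setup_bridge() {
    run ip link add name "$BR" type bridge
    for v in $WS_VLANS; do
        run ip link add link "$TRUNK" name "$TRUNK.$v" type vlan id "$v"
        run ip link set "$TRUNK.$v" master "$BR"
        run ip link set "$TRUNK.$v" up
    done
    run ip addr add "$LAN_IP" dev "$BR"
    run ip link set "$BR" up
    run ip link add link "$TRUNK" name "$TRUNK.$WAN_VLAN" type vlan id "$WAN_VLAN"
    run ip link set "$TRUNK.$WAN_VLAN" up
}

# 2. NAT between the bridge and the internet VLAN. Geoff only wants outbound
#    access, so forwarding from the WAN side is limited to reply traffic.
setup_nat() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -o "$TRUNK.$WAN_VLAN" -j MASQUERADE
    run iptables -A FORWARD -i "$BR" -o "$TRUNK.$WAN_VLAN" -j ACCEPT
    run iptables -A FORWARD -i "$TRUNK.$WAN_VLAN" -o "$BR" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$TRUNK.$WAN_VLAN" -o "$BR" -j DROP
}

# 3. Two stations with the same IP on different VLANs: stop each one's frames
#    from being bridged to the other VLAN. The ebtables FORWARD chain only
#    sees frames crossing between bridge ports, so both stations still reach
#    the gateway itself (and get NATed) while their duplicate ARP replies
#    never reach the other side.
isolate_mac() {   # isolate_mac MAC VLAN_IFACE
    run ebtables -A FORWARD -i "$2" -s "$1" -j DROP
}

setup_bridge
setup_nat
isolate_mac 00:11:22:33:44:aa "$TRUNK.1"   # constructed MAC of station A1
isolate_mac 00:11:22:33:44:bb "$TRUNK.2"   # constructed MAC of station B1
```

The FORWARD policy in `setup_nat` is what turns "we don't need inbound access" into an enforced property rather than an accident of NAT; the ebtables rules only make sense for the specific stations that collide, since dropping by source MAC on a bridge port silently removes that station from the other VLAN entirely.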
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Sat Jul 8 23:50:41 2006
Subject: [LARTC] Multiple VLANs containing the same ip subnet NATed on same box
In-Reply-To: <78f747be0607081439k476f6a92uea7725923531645e@mail.gmail.com>
References: <78f747be0607081414i5ad45c8cqe07c309bd080d0@mail.gmail.com> <44B023B7.20600@riverviewtech.net> <78f747be0607081439k476f6a92uea7725923531645e@mail.gmail.com>
Message-ID: <44B0284C.6010104@riverviewtech.net>

Geoff Karl wrote:
> Thanks for the reply Grant.

You are welcome.

> What would happen if workstations on the "workstations" vlan had the
> same ip addresses? Can i bridge two networks that have the same ip
> addresses without getting errors.

Well, seeing as how bridging (EBTables) is a layer 2 bridge, there would be
no problem with having the same subnet on both sides of the bridge.

Now if you are asking if there would be a problem with a workstation on
VLAN 1 having the same IP as a workstation on VLAN 2, then you would end up
with the same situation that you would as if both workstations were on the
same VLAN. However, that being said, if these two workstations never needed
to talk there are some things that you can do. You can set up some EBTables
filtering rule to prevent the bridging of the two MAC addresses in question
to the other side.

I would block those MAC addresses from being bridged primarily to prevent a
(pseudo) multi master type of situation. Consider if you will if workstation
A2 ARPs for the (shared) IP of workstation A1 / B1. Both workstation A1 and
B1 will reply to the ARP saying IP is at MAC. So workstation A2 will have
two ARP replies to deal with, thus being an IP conflict. Whereas if you
prevent workstation A1 and B1's MACs from being bridged, then both
workstations will reply to the ARP, however the replies will not be bridged
because they will be filtered out by source MAC.

If you are wondering about the ARP reply from workstation B1 just
broadcasting out into the ether with the requester never actually talking
to workstation B2, there is no real problem with this. Yes, it is wasted
traffic, but there is no harm in it.

This bridging while filtering out the conflicting source MACs will allow all
other equipment on the networks to communicate without any problem.

Grant. . . .

From acetyloholina at go2.pl Sun Jul 9 05:35:10 2006
From: acetyloholina at go2.pl (Mike)
Date: Sun Jul 9 05:34:57 2006
Subject: [LARTC] Accessing multiple servers with same IPs
Message-ID: <200607090535.10566.acetyloholina@go2.pl>

Good day,

My name is Mike and without further ado forgive me that I'll go straight to
the point.

rtlsrc-2.4.29-2.diff this patch is obsoleted, but it would come in handy
when trying to solve the IP collisions in networks. I have a situation
around here because I intend to connect through my wifi card to many
gateways with the same IP addresses - 192.168.0.1 with /24 mask - then I'd
like to use them all as Alternative routes, as far as I know it can be done
for two of that kind of gates, thanks to danieldg:

  right
  one hack, if you only wanted two: add a bridge interface to the wireless
  then you have wlan0 and br0, both the same
  then you could use ebtables to change the MACs of the bridge access
  and leave the direct wlan0 access alone (so it would use the "real" MAC)
  mhm, and when having two different MAC's I can have two different IP's
  but I can't make more than one bridge, can I ?
  no, not on one interface

The last two lines speak for themselves, only one bridge, only one
additional MAC, so possibility to use only two gateways. I know that's real
simple when having each subnet connected to a different iface, it's just
I'll run out of interfaces real fast if I'll connect these so.

Can you propose anything in such situation?

Best wishes,
Mike

--
Sun, 09 Jul 2006 03:58:25 +0200

From gtaylor at riverviewtech.net Sun Jul 9 05:57:04 2006
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Sun Jul 9 05:58:52 2006
Subject: [LARTC] Accessing multiple servers with same IPs
In-Reply-To: <200607090535.10566.acetyloholina@go2.pl>
References: <200607090535.10566.acetyloholina@go2.pl>
Message-ID: <44B07E90.5020908@riverviewtech.net>

Mike wrote:
> Good day,
>
> My name is Mike and without further ado forgive me that I'll go straight to
> the point.
>
> rtlsrc-2.4.29-2.diff this patch is obsoleted, but it would come in handy when
> trying to solve the IP collisions in networks. I have a situation around here
> because I intend to connect through my wifi card to many gateways with the same
> IP addresses - 192.168.0.1 with /24 mask - then I'd like to use them all as
> Alternative routes, as far as I know it can be done for two of that kind of
> gates, thanks to danieldg:
>   right
>   one hack, if you only wanted two: add a bridge interface to the
>   wireless
>   then you have wlan0 and br0, both the same
>   then you could use ebtables to change the MACs of the bridge access
>   and leave the direct wlan0 access alone (so it would use the "real"
>   MAC)
>   mhm, and when having two different MAC's I can have two different IP's
>   but I can't make more than one bridge, can I ?
>   no, not on one interface
>
> The last two lines speak for themselves, only one bridge, only one additional
> MAC, so possibility to use only two gateways. I know that's real simple when
> having each subnet connected to a different iface, it's just I'll run out of
> interfaces real fast if I'll connect these so.
>
> Can you propose anything in such situation?
>
> Best wishes,
> Mike

Use more IPs. Use a combination of IPTables / EBTables to make your system
believe that each different gateway has a different IP address. If you do
this you can easily tell the system routing stack that it has multiple
gateways to work with.

Grant. . . .

From russell-tcatm at stuart.id.au Mon Jul 10 10:44:10 2006
From: russell-tcatm at stuart.id.au (Russell Stuart)
Date: Mon Jul 10 10:48:02 2006
Subject: [LARTC] Re: [PATCH 0/2] NET: Accurate packet scheduling for ATM/ADSL
In-Reply-To: <44AE1497.6010904@trash.net>
References: <1150278004.26181.35.camel@localhost.localdomain> <1150286766.5233.15.camel@jzny2> <1150287983.3246.27.camel@ras.pc.brisbane.lube> <1150292693.5197.1.camel@jzny2> <1150843471.17455.2.camel@ras.pc.brisbane.lube> <15653CE98281AD4FBD7F70BCEE3666E53CD54A@comxexch01.comx.local> <1151000966.5392.34.camel@jzny2> <1151066247.4217.254.camel@ras.pc.brisbane.lube> <449C06E3.3090406@trash.net> <1151282720.4210.46.camel@ras.pc.brisbane.lube> <449FC0AF.1050904@trash.net> <44A0CE01.4010109@stuart.id.au> <44AA6D25.9000707@trash.net> <1152146376.4215.59.camel@ras.pc.brisbane.lube> <44AE1497.6010904@trash.net>
Message-ID: <1152521050.4236.180.camel@ras.pc.brisbane.lube>

On Fri, 2006-07-07 at 10:00 +0200, Patrick McHardy wrote:
> Russell Stuart wrote:
> > Unfortunately you do things in the wrong order for ATM.
> > See: http://mailman.ds9a.nl/pipermail/lartc/2006q1/018314.html
> > for an overview of the problem, and then the attached email for
> > a detailed description of how the current patch addresses it.
> > It is a trivial fix.
>
> Actually that was the part I didn't understand, you keep talking
> (also in that comment in tc_core.c) about an "unknown overhead".
> What is that and why would it be unknown? The mail you attached
> is quite long, is there a simple example that shows what you
> mean?

The "unknown overhead" is just the overhead passed to tc using the
"tc ... overhead xxx" option. It is probably what you intended to put into
your addend attribute. It is "unknown" because the kernel currently doesn't
use it. It is passed in the tc_ratespec, but is ignored by the kernel as are
most fields in there.

The easy way to fix the "ATM" problem described in the big comment is simply
to add the "overhead" to the packet length before doing the RTAB lookup.
(Identical comments apply to STAB). If you don't accept this or understand
why, then go read the "long emails" which attempt to explain it in detail.
Jesper's initial version of the patch did just that, BTW.

However if you do that then you have to adjust RTAB for all cases (not just
ATM) to reflect that the kernel is now adding the overhead. Thus the RTAB tc
sends to the kernel now changes for different kernel versions, making modern
versions of tc incompatible with older kernels, and vice versa. I didn't
consider that acceptable.

My solution to this is to give the kernel the old format RTAB (ie the one
that assumed the kernel didn't add the overhead) and a small adjustment.
This small adjustment is called cell_align in the ATM patch. You do the same
thing with cell_align as the previous solution did with the overhead - ie
add it in just before looking up RTAB. This is in effect all the kernel part
of the ATM patch does - make the kernel accept the cell_align option, and
add it to skb->len before looking up RTAB.

The difference between cell_align and overhead is that cell_align is always
0 when there is no packetisation, and even when non zero it is small (less
than 1<

> > However, now you lot have made me go away and think, I have
> > another idea on how to attack this. Perhaps it will be
> > more palatable to you. It would replace RTAB and STAB with
> > a 28 byte structure for most protocol stacks - well all I can
> > think of off the top of my head, anyway. RTAB would have to
> > remain for backwards compatibility, of course.
>
> Can you describe in more detail?

OK, but first I want to make the point that the only reason I suggest this
is to get some sort of ATM patch into the kernel, as the current patch on
the table is having a rough time. Alan Cox made the point earlier (if I
understood him correctly) that this tabling lookup probably isn't a big win
on modern CPU's - we may be better off moving it all into the kernel.
Thinking about this, I tried to come up with a way of describing the mapping
between skb->len and the on the wire packet length for every protocol I
know. This is what I came up with.

Assume we have a packet length L, which is to be transported by some
protocol. For now we consider one protocol only, ie: TCP, PPP, ATM, Ethernet
or whatever. I will generalise it to multiple protocols later. I think a
generalised transformation can be made using 5 numbers which are applied in
this order:

  Overhead - A fixed overhead that is added to L.

  Mpu      - Minimum packet size. If the result of (Overhead+L) is smaller
             than this, then the new result becomes this size.

  Round    - The result is then rounded up to this many bytes. For protocols
             that always transmit single bytes this figure would be 1. If
             there were some protocol that transmitted data as 4 byte chunks
             then this would be 4. For ATM it is 48.

  CellPay  - If the packet is broken down into smaller packets when sent,
             then this is the amount of data that will fit into each chunk.

  CellOver - This is the additional overhead each cell carries.

The idea is the kernel would do this calculation on the fly for each packet.

If you represent this set of numbers as a comma separated list in the order
they were presented above, then here are some examples:

  IP:       20
  Ethernet: 18,64
  PPP:      2
  ATM:      0,0,48,48,5

It may be that 5 numbers are overkill. It is for all protocols I am aware
of - for those you could get away with 4. But I am no expert.

The next step is to generalise for many protocols. As the protocols are
stacked the length output by one protocol becomes the input length for the
downstream one. So we just need to apply the same transformation serially.
I will use '+' to indicate the stacking.
For a typical ATM stack, PPPoE over LLC, we have:

  ppp:2+pppoe:6+ethernet:14,64+llc:8+aal5:4+atm:0,0,48,48,5

If this were implemented naively, then the kernel would have to apply the
above calculation 6 times, like this:

  Protocol    InputLength     OutputLength
  ---------   ------------    ----------------
  ppp         skb->len        skb->len+2
  pppoe:      skb->len+2      skb->len+2+6
  ethernet:   skb->len+2+6    skb->len+2+6+14
  ... and so on.

But it can be optimised. In this particular case we can combine those six
operations into 1:

  adsl_pppoe_llc:34,64,48,48,5

The five numbers have the same meaning as before. It is not difficult to
come up with a generalised rule that allows you to do this for most cases.
For the remainder (if they exist - I can't think of any) the kernel would
have to apply the transformation iteratively.

Before going on, it is worthwhile comparing this to the current RTAB
solution (and by implication STAB):

1. Oddly, the number of steps and hence speed for common protocols is
   probably the same. Compare:

   RTAB
   - You have to add an OverHead in the general case.
   - You have to scale by cell_log.
   - You have to ensure the overhead+skb->len doesn't overflow / underflow
     the RTAB.
   - You have to do the lookup.

   New
   - You have to add overhead.
   - You have to check the MPU.
   - You have to check if you have to apply Round,CellPay,CellOver - but
     you won't have to for any protocol except ATM.

2. Because of the cell_log, RTAB gives a 100% accurate answer 1 time in
   every (1<> 24);

   This method doesn't use division, and is probably faster on lower end
   CPU's. It would handle 100G Ethernet on a machine with Hz == 1000, and
   1200 bits/sec on a machine with Hz == 10000.

From e1605project at hotmail.com Mon Jul 10 11:41:59 2006
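Russell's five-number transformation carried out in code, as an added example that is not part of his patch or his message: `wire_len` applies Overhead, Mpu, Round, CellPay and CellOver in the order he gives, `stack_len` applies a whole `+`-separated stack serially, and the demo checks his claim that the six-layer PPPoE-over-LLC stack collapses to the single line `adsl_pppoe_llc:34,64,48,48,5`. The parameter lists are the ones from the message; the packet sizes tried are constructed.

```shell
#!/bin/sh
# Added example, not from Russell's patch or message: his five-number
# transformation (Overhead, Mpu, Round, CellPay, CellOver), applied to one
# protocol and then stacked with the '+' notation from the message.

# wire_len L [OVERHEAD [MPU [ROUND [CELLPAY [CELLOVER]]]]]
# Prints the on-the-wire length of an skb->len of L, in the order the message
# gives: add the overhead, enforce the minimum packet size, round up, then
# add per-cell overhead if the packet is cut into cells. Missing numbers
# default to "no effect" (0, 0, 1, 0, 0).
wire_len() {
    len=$(( $1 + ${2:-0} ))
    mpu=${3:-0}; round=${4:-1}; cellpay=${5:-0}; cellover=${6:-0}
    if [ "$len" -lt "$mpu" ]; then len=$mpu; fi
    if [ "$round" -gt 1 ]; then len=$(( (len + round - 1) / round * round )); fi
    if [ "$cellpay" -gt 0 ]; then
        cells=$(( (len + cellpay - 1) / cellpay ))   # cells needed for the payload
        len=$(( len + cells * cellover ))             # plus each cell's header
    fi
    echo "$len"
}

# stack_len L SPEC
# SPEC is "name:over,mpu,round,cellpay,cellover+name:..." exactly as written
# in the message; each layer's output length is the next layer's input.
stack_len() {
    len=$1
    spec=$2
    old_ifs=$IFS
    IFS='+'
    for layer in $spec; do
        params=${layer#*:}              # drop the protocol name
        IFS=','; set -- $params; IFS='+'
        len=$(wire_len "$len" "$@")
    done
    IFS=$old_ifs
    echo "$len"
}

# The PPPoE-over-LLC stack from the message, and Russell's collapsed form.
ADSL_STACK='ppp:2+pppoe:6+ethernet:14,64+llc:8+aal5:4+atm:0,0,48,48,5'

# Stand-alone demo: the six-step stack against the one-step version.
for L in 1 40 64 576 1500; do
    printf 'skb->len=%-5s stacked=%-5s combined=%s\n' "$L" \
        "$(stack_len "$L" "$ADSL_STACK")" "$(wire_len "$L" 34 64 48 48 5)"
done
```

The two columns agree for every packet size, which is why the collapse works here: the Ethernet Mpu of 64 is applied before 12 bytes of LLC and AAL5 overhead in the stacked form and after them in the combined one, but both land in the same 48-byte ATM cell boundary. A stack where a rounding step sat between two Mpu or overhead steps would not collapse so neatly, which is the case Russell leaves to iterative application.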
From: e1605project at hotmail.com (*~ r a K u ~ *)
Date: Mon Jul 10 11:41:53 2006
Subject: [LARTC] Can i attach another qdisc under classes or root qdisc?
Message-ID:

An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060710/3f8903af/attachment.htm

From gustavo at angulosolido.pt Mon Jul 10 13:25:51 2006
From: gustavo at angulosolido.pt (Gustavo Homem)
Date: Mon Jul 10 13:25:46 2006
Subject: [LARTC] simple TOS based setup vs more complex ones
Message-ID: <20060710112551.GF2177@angulosolido.pt>

Hi,

After reading section 9 of LARTC it seemed to me that a pure TOS based QoS
setup would be sufficient for a small network. Interactive packets could
have the highest priority, second highest for DNS and small HTTP packets
and lowest prio for all others.

The advantage is that the setup would be simply a couple of iptables lines,
because the default pfifo_fast qdisc already implements priorities.

Questions:

For this case, what is the recommended way to limit the outgoing rate to
ensure that nothing is queued on the modem?

Can this be done with pfifo_fast?

Best regards
Gustavo

--
Angulo Sólido - Tecnologias de Informação
http://angulosolido.pt

From william.bohannan at spidersat.net Mon Jul 10 13:41:53 2006
From: william.bohannan at spidersat.net (William Bohannan)
Date: Mon Jul 10 13:42:35 2006
Subject: [LARTC] learning iptables
Message-ID: <20060710114226.59CE2459D@outpost.ds9a.nl>

Hi

I am currently learning iptables and would like to see the output of
shorewall rules in iptables format, as I would like to make a script for
the rules instead of using shorewall.

Kind Regards

William

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060710/fc30555f/attachment.html

From nikky at mnet.bg Mon Jul 10 14:20:29 2006
From: nikky at mnet.bg (Nickola Kolev)
Date: Mon Jul 10 14:20:23 2006
Subject: [LARTC] learning iptables
In-Reply-To: <20060710114226.59CE2459D@outpost.ds9a.nl>
References: <20060710114226.59CE2459D@outpost.ds9a.nl>
Message-ID: <20060710152029.dd36dd81.nikky@mnet.bg>

Hello, William,

You can take a look at the man page of iptables-save.

On Mon, 10 Jul 2006 11:41:53 -0000
"William Bohannan" wrote:

> Hi
>
> I am currently learning iptables and would like to see the output of
> shorewall rules in iptables format, as I would like to make a script
> for the rules instead of using shorewall.
>
> Kind Regards
>
> William

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20060710/1bf2747c/attachment.pgp

From martin at linux-ip.net Mon Jul 10 22:45:49 2006
From: martin at linux-ip.net (Martin A. Brown)
Date: Mon Jul 10 22:45:59 2006
Subject: [LARTC] simple TOS based setup vs more complex ones
In-Reply-To: <20060710112551.GF2177@angulosolido.pt>
References: <20060710112551.GF2177@angulosolido.pt>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Gustavo,

 : After reading section 9 of LARTC it seemed to me that a pure TOS
 : based QoS setup would be sufficient for a small network.
 : Interactive packets could have the highest priority, second
 : highest for DNS and small HTTP packets and lowest prio for all
 : others.
 :
 : The advantage is that the setup would be simply a couple of
 : iptables lines, because the default pfifo_fast qdisc already
 : implements priorities.

In your proposed system, it is still possible for a flood of DNS queries to
cause queue depths upstream (and queue depths translate directly to queue
backups and delays).

 : For this case, what is the recommended way to limit the outgoing
 : rate to ensure that nothing is queued on the modem?

The answer depends on what you are trying to do. Consider HTB and/or HFSC.
Although you might find that TBF is sufficient, you are already talking
about ToS, so TBF probably won't cut the mustard in your situation.

 : Can this be done with pfifo_fast?

Not really. Although the actual qdisc proposed is different, please see
this recent exchange [0] about the prio qdisc.

If you are using a work-conserving qdisc (i.e., a qdisc that performs no
shaping), you'll not really be able to guarantee anything about the quality
of traffic from one point to another. In order to offer some sort of
guarantees on any link, your device must be the bottleneck. This requires
shaping or, at least, some sort of non-work-conserving qdisc.
Good luck,

- -Martin

[0] http://mailman.ds9a.nl/pipermail/lartc/2006q2/019130.html
    http://mailman.ds9a.nl/pipermail/lartc/2006q2/019138.html
    http://mailman.ds9a.nl/pipermail/lartc/2006q2/019143.html
    http://mailman.ds9a.nl/pipermail/lartc/2006q2/019158.html

- --
Martin A. Brown
http://linux-ip.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: pgf-0.71 (http://linux-ip.net/sw/pine-gpg-filter/)

iD8DBQFEsryFHEoZD1iZ+YcRAmUAAKDb74IxaBWmCgHA8sd1Sy1SVXS4ZACfYkvD
5NhD00yJMOG5CeFTTFPPk+s=
=RmHf
-----END PGP SIGNATURE-----

From gustavo at angulosolido.pt Tue Jul 11 01:43:40 2006
From: gustavo at angulosolido.pt (Gustavo Homem)
Date: Tue Jul 11 01:43:41 2006
Subject: [LARTC] simple TOS based setup vs more complex ones
In-Reply-To:
References: <20060710112551.GF2177@angulosolido.pt>
Message-ID: <20060710234340.GF15607@angulosolido.pt>

Hi Martin,

On Mon, Jul 10, 2006 at 03:45:49PM -0500, Martin A. Brown wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello Gustavo,
>
>  : After reading section 9 of LARTC it seemed to me that a pure TOS
>  : based QoS setup would be sufficient for a small network.
>  : Interactive packets could have the highest priority, second
>  : highest for DNS and small HTTP packets and lowest prio for all
>  : others.
>  :
>  : The advantage is that the setup would be simply a couple of
>  : iptables lines, because the default pfifo_fast qdisc already
>  : implements priorities.
>
> In your proposed system, it is still possible for a flood of DNS
> queries to cause queue depths upstream (and queue depths translate
> directly to queue backups and delays).

Sure, but I am talking about a simple setup that works for small networks.
In such cases there won't be DNS floods, unless someone really wants to
generate one.

>  : For this case, what is the recommended way to limit the outgoing
>  : rate to ensure that nothing is queued on the modem?
>
> The answer depends on what you are trying to do. Consider HTB
> and/or HFSC. Although you might find that TBF is sufficient, you
> are already talking about ToS, so TBF probably won't cut the
> mustard in your situation.
>
>  : Can this be done with pfifo_fast?
>
> Not really.

So the priorities are useless in the real world with pfifo_fast, is that
it? This is a bit surprising, IIUC. This is why I asked.

> Although the actual qdisc proposed is different,
> please see this recent exchange [0] about the prio qdisc.
>
> If you are using a work-conserving qdisc (i.e., a qdisc that
> performs no shaping), you'll not really be able to guarantee
> anything about the quality of traffic from one point to another.
> In order to offer some sort of guarantees on any link, your device
> must be the bottleneck. This requires shaping or, at least, some
> sort of non-work-conserving qdisc.
>

What I was initially looking for was just TOS marking plus simple interface
throttling, i.e. the simplest form of shaping. If it can't be done with
pfifo_fast, my next idea was something like:

  tc qdisc add dev eth0 root handle 1: htb default 10
  tc class add dev eth0 parent 1: classid 1:1 htb rate 7000kbps ceil 7000kbps
  tc class add dev eth0 parent 1:1 classid 1:10 prio

  +

  iptables rules for setting TOS values

Is this right? This seems to be similar to what you proposed here:

  http://mailman.ds9a.nl/pipermail/lartc/2006q2/019138.html

For a not so simple approach but which seems to be working well, I have an
adaptation of Dan Singletary's script here:

  http://downloads.angulosolido.pt/QoS/

It uses HTB directly on both directions, for a setup with only 2 network
interfaces which is very common (no kernel patching is needed). Do you want
to comment?

Still, I want to test the simplest possible solution and see how far one
can go with only a few lines of bash, for both practical and pedagogical
purposes. I think it's important to have a simple solution that works for
typical scenarios (2 interfaces, linux router with NAT) on stock kernels. **

Best regards
Gustavo

** nothing wrong about patching and compiling kernels, but it brings
maintenance overhead every time there is a system upgrade for whatever
reason

--
Angulo Sólido - Tecnologias de Informação
http://angulosolido.pt

> Good luck,
>
> - -Martin
>
> [0] http://mailman.ds9a.nl/pipermail/lartc/2006q2/019130.html
>     http://mailman.ds9a.nl/pipermail/lartc/2006q2/019138.html
>     http://mailman.ds9a.nl/pipermail/lartc/2006q2/019143.html
>     http://mailman.ds9a.nl/pipermail/lartc/2006q2/019158.html
>
> - --
> Martin A. Brown
> http://linux-ip.net/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (GNU/Linux)
> Comment: pgf-0.71 (http://linux-ip.net/sw/pine-gpg-filter/)
>
> iD8DBQFEsryFHEoZD1iZ+YcRAmUAAKDb74IxaBWmCgHA8sd1Sy1SVXS4ZACfYkvD
> 5NhD00yJMOG5CeFTTFPPk+s=
> =RmHf
> -----END PGP SIGNATURE-----

From martin at linux-ip.net Tue Jul 11 04:20:48 2006
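The structure Gustavo sketches above and Martin's later correction in this thread both arrive at (one HTB class that makes the router the bottleneck, with a prio qdisc nested under it), written out as an added example that is neither Gustavo's PRIO_shaper.sh nor any script from the thread. The interface, the uplink rate and the port numbers are assumptions. Two details differ from Gustavo's sketch on purpose: a prio qdisc is attached under the HTB class with `tc qdisc add ... parent 1:10`, since `prio` is a qdisc and cannot be given as the type of an HTB class, and rates are written in `kbit`, because in tc `kbps` means kilobytes per second. With `DRY_RUN=1` (the default) the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example, not Gustavo's PRIO_shaper.sh nor any script from the thread:
# one HTB class that makes this box the bottleneck, a prio qdisc nested under
# it, and iptables TOS marks to feed prio's bands. Interface, uplink rate and
# ports are assumptions. Rates are in kbit (in tc, "kbps" is kilobytes/s).
# With DRY_RUN=1 (the default) commands are printed, not run.
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

DEV=eth0            # interface facing the DSL modem
UPLINK_KBIT=400     # the 400 kbit/s upload Gustavo mentions later in the thread

# Shape a little below the line rate so the queue builds here, where prio can
# reorder it, and not in the modem where nothing can.
shape_rate() { echo $(( $1 * 9 / 10 )); }

setup_shaper() {
    rate=$(shape_rate "$UPLINK_KBIT")
    run tc qdisc add dev "$DEV" root handle 1: htb default 10
    # a single HTB class carries all traffic: this is the non-work-conserving
    # step that pfifo_fast on the root could never provide
    run tc class add dev "$DEV" parent 1: classid 1:10 htb rate "${rate}kbit" ceil "${rate}kbit"
    # prio hangs under the class, so its default priomap (the same TOS-to-band
    # mapping pfifo_fast uses) now acts on a queue that really is shaped
    run tc qdisc add dev "$DEV" parent 1:10 handle 10: prio
}

# TOS values and the band prio's default priomap puts them in:
#   Minimize-Delay (0x10) -> band 0, Normal-Service (0x00) -> band 1,
#   Maximize-Throughput (0x08) -> band 2.
setup_tos_marks() {
    # everything leaving the link that does not already ask for low delay is
    # bulk (ssh sets Minimize-Delay itself for interactive sessions and
    # Maximize-Throughput for scp, so its own marking is left alone)
    run iptables -t mangle -A POSTROUTING -o "$DEV" -m tos ! --tos Minimize-Delay -j TOS --set-tos Maximize-Throughput
    # DNS and small HTTP packets get the middle band
    run iptables -t mangle -A POSTROUTING -o "$DEV" -p udp --dport 53 -j TOS --set-tos Normal-Service
    run iptables -t mangle -A POSTROUTING -o "$DEV" -p tcp --dport 80 -m length --length 0:128 -j TOS --set-tos Normal-Service
    # small packets towards an ssh server: low delay even if a client forgot
    run iptables -t mangle -A POSTROUTING -o "$DEV" -p tcp --dport 22 -m length --length 0:128 -j TOS --set-tos Minimize-Delay
}

# Undo both halves; the root qdisc delete also removes the nested prio.
teardown() {
    run tc qdisc del dev "$DEV" root
    run iptables -t mangle -F POSTROUTING
}

setup_shaper
setup_tos_marks
```

This only shapes the upload; the download side still needs the HTB-on-the-LAN-interface approach of HTB_shaper.sh, since nothing here can hold back what the ISP has already sent. Within a band prio is strictly FIFO, so, as Gustavo notes of his own trial, several stations in the same band share it without any fairness; that is the point at which an HTB class per traffic type earns its complexity.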
From: martin at linux-ip.net (Martin A. Brown)
Date: Tue Jul 11 04:21:01 2006
Subject: [LARTC] simple TOS based setup vs more complex ones
In-Reply-To: <20060710234340.GF15607@angulosolido.pt>
References: <20060710112551.GF2177@angulosolido.pt> <20060710234340.GF15607@angulosolido.pt>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gustavo,

 : Sure, but I am talking about a simple setup that works for small
 : networks. In such cases there won't be DNS floods, unless someone
 : really wants to generate one.

Well, perhaps you could give it a try in your example network and see how
it fares. It might fare very well 90% of the time. If so, then you have an
OK solution.

 : So the priorities are useless in the real world with pfifo_fast, is
 : that it? This is a bit surprising, IIUC. This is why I asked.

Priorities are useless in the real world on a link that we expect to be
congested (e.g. an ADSL link). If the link is not congested, there's no
problem with using priorities. The question is not whether priorities are
useless, but rather, how often do you expect your link to be congested?

 : What I was initially looking for was just TOS marking plus
 : simple interface throttling, i.e. the simplest form of shaping.
 : If it can't be done with pfifo_fast, my next idea was something
 : like:
 :
 : tc qdisc add dev eth0 root handle 1: htb default 10
 : tc class add dev eth0 parent 1: classid 1:1 htb rate 7000kbps ceil 7000kbps
 : tc class add dev eth0 parent 1:1 classid 1:10 prio
 :
 : +
 :
 : iptables rules for setting TOS values
 :
 : Is this right? This seems to be similar to what you proposed
 : here:
 :
 : http://mailman.ds9a.nl/pipermail/lartc/2006q2/019138.html

Well, indeed, I did post that! While that may solve the problem of the
bottleneck, I have to confess, it's not a very good solution either! I'll
post a follow-up to that thread shortly.
 : For a not so simple approach but which seems to be working well,
 : I have an adaptation of Dan Singletary's script here:
 :
 : http://downloads.angulosolido.pt/QoS/
 :
 : It uses HTB directly on both directions, for a setup with only 2
 : network interfaces which is very common (no kernel patching is
 : needed).

HTB in both directions is probably the best way to go (shaping upload and
shaping download). I haven't examined the HTB_shaper.sh assiduously, but
from a quick review, it seems quite reasonable (and better than my off the
cuff remark in the earlier thread).

I'm not crazy about the dropping of the MTU, but otherwise, the script
seems to make sense. Basically divide up link capacity into components and
limit the total transmission rate to the link capacity (so we are the
bottleneck).

Then, put some packets in each class. It's so far the best (and most
general) solution in this thread.

 : Still, I want to test the simplest possible solution and see how
 : far one can go with only a few lines of bash, for both practical
 : and pedagogical purposes. I think it's important to have a simple
 : solution that works for typical scenarios (2 interfaces, linux
 : router with NAT) on stock kernels. **
 :
 : ** nothing wrong about patching and compiling kernels, but it
 : brings maintenance overhead every time there is a system upgrade
 : for whatever reason

Understood on the kernel patching/compiling business. That's not usually
something you want to throw at beginners.

Well, if the goal is practical administration and pedagogy, I'd suggest
tcng [0], since the "beauty" of tc is hidden from the user. The language of
tcng feels more like a programming language than the arcana of tc.

Good luck,

- -Martin

[0] http://tcng.sourceforge.net/

- --
Martin A. Brown
http://linux-ip.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: pgf-0.71 (http://linux-ip.net/sw/pine-gpg-filter/)

iD8DBQFEswsEHEoZD1iZ+YcRAhwGAJkBlygjpO6dfT9s+1/yHq91pSAJCQCg8E2a
LRjKTkGjSvQHTLaFReomSlk=
=ikoL
-----END PGP SIGNATURE-----

From gustavo at angulosolido.pt Tue Jul 11 04:42:26 2006
From: gustavo at angulosolido.pt (Gustavo Homem)
Date: Tue Jul 11 04:42:18 2006
Subject: [LARTC] simple TOS based setup vs more complex ones
In-Reply-To:
References: <20060710112551.GF2177@angulosolido.pt> <20060710234340.GF15607@angulosolido.pt>
Message-ID: <20060711024226.GH15607@angulosolido.pt>

Hello again Martin,

More comments below:

>  : So the priorities are useless in the real world with pfifo_fast, is
>  : that it? This is a bit surprising, IIUC. This is why I asked.
>
> Priorities are useless in the real world on a link that we expect to
> be congested (e.g. an ADSL link). If the link is not congested,
> there's no problem with using priorities. The question is not
> whether priorities are useless, but rather, how often do you expect
> your link to be congested?

Good point... and the answer is: always. With the low DSL uploads available
a single connection will saturate it - we currently have 20Mbs/400kbps (!)
services, for example.

>  : What I was initially looking for was just TOS marking plus
>  : simple interface throttling, i.e. the simplest form of shaping.
>  : If it can't be done with pfifo_fast, my next idea was something
>  : like:
>  :
>  : tc qdisc add dev eth0 root handle 1: htb default 10
>  : tc class add dev eth0 parent 1: classid 1:1 htb rate 7000kbps ceil 7000kbps
>  : tc class add dev eth0 parent 1:1 classid 1:10 prio
>  :
>  : +
>  :
>  : iptables rules for setting TOS values
>  :
>  : Is this right? This seems to be similar to what you proposed
>  : here:
>  :
>  : http://mailman.ds9a.nl/pipermail/lartc/2006q2/019138.html
>
> Well, indeed, I did post that! While that may solve the problem of
> the bottleneck, I have to confess, it's not a very good solution
> either! I'll post a follow-up to that thread shortly.
>

Great. Meanwhile, I just finished my first trial on this approach.
The result is here:

  http://downloads.angulosolido.pt/QoS/PRIO_shaper.sh

For SSH interactive traffic and Web Browsing while uploading and
downloading, it seems to work as well as HTB_shaper; I tested it on a
single machine. Of course there is no fairness on each prio band, so tests
with multiple workstations should reveal the advantages of HTB_shaper.

>  : For a not so simple approach but which seems to be working well,
>  : I have an adaptation of Dan Singletary's script here:
>  :
>  : http://downloads.angulosolido.pt/QoS/
>  :
>  : It uses HTB directly on both directions, for a setup with only 2
>  : network interfaces which is very common (no kernel patching is
>  : needed).
>
> HTB in both directions is probably the best way to go (shaping
> upload and shaping download). I haven't examined the HTB_shaper.sh
> assiduously, but from a quick review, it seems quite reasonable
> (and better than my off the cuff remark in the earlier thread).
>
> I'm not crazy about the dropping of the MTU, but otherwise,

I found that it was causing problems, so that part is gone.

> the
> script seems to make sense. Basically divide up link capacity into
> components and limit the total transmission rate to the link
> capacity (so we are the bottleneck).
>
> Then, put some packets in each class. It's so far the best (and
> most general) solution in this thread.
>
>  : Still, I want to test the simplest possible solution and see how
>  : far one can go with only a few lines of bash, for both practical
>  : and pedagogical purposes. I think it's important to have a simple
>  : solution that works for typical scenarios (2 interfaces, linux
>  : router with NAT) on stock kernels. **
>  :
>  : ** nothing wrong about patching and compiling kernels, but it
>  : brings maintenance overhead every time there is a system upgrade
>  : for whatever reason
>
> Understood on the kernel patching/compiling business. That's not
> usually something you want to throw at beginners.
And I also don't like to throw it at myself, if it's not really necessary.

(OT: I wonder, if the kernel team doesn't want to include IMQ, what's their recommended solution for this problem, on a router with more than 2 interfaces?)

> Well, if the goal is practical administration and pedagogy, I'd
> suggest tcng [0], since the "beauty" of tc is hidden from the user.
> The language of tcng feels more like a programming language than the
> arcana of tc.

Thank you for the link. I wasn't aware of this project.

Best regards
Gustavo

--
Angulo Sólido - Tecnologias de Informação
http://angulosolido.pt

> Good luck,
>
> -Martin
>
> [0] http://tcng.sourceforge.net/
>
> --
> Martin A. Brown
> http://linux-ip.net/
From: martin at linux-ip.net (Martin A. Brown)
Date: Tue Jul 11 04:45:52 2006
Subject: VoIP using just prio qdisc? No. was [ [LARTC] Sanity Check ]
In-Reply-To:
References: <200606252208.29528.mdiehl@diehlnet.com>
Message-ID:

Hello all,

: So, instead of trying to use a prio qdisc alone, try using a
: single HTB class to limit your traffic to a given rate and then
: embed your prio qdisc inside that. There are many other possible
: options for nested qdiscs, and maybe somebody on this list will
: make a recommendation to you for how s/he solved this problem.

This is a correction/clarification for posterity. There is still a problem with the above, and I'd like to correct it and thank Gustavo Homem [0] for pointing out my possibly misleading advice here.

Mike indicated that he was willing to let VoIP traffic out regardless of the cost to other flows. This means that the above solution might work acceptably for his needs in this situation... However, this is not a good general solution!

When evaluating a traffic control mechanism for a particular solution, there are a number of different network characteristics that we need to keep in mind. The big three are throughput, delay and jitter. Each traffic control mechanism that we might employ affects at least one (and almost always more than one) of the above network characteristics.

Selecting the correct mechanism for a given application depends on what we are willing to trade. Some people are willing to trade total throughput for delay (those of us who like responsive ssh sessions, for example). Some people MUST trade delay and jitter for throughput (VoIP applications).

So, to return to the problem of a single PRIO qdisc (a work-conserving queuing discipline), how can we add some sort of non-work-conserving mechanism (shaping) and still take advantage of some prioritization?
There are a number of ways to solve this problem, but let's look at the following options (+ = good, - = not-so-good):

A. HTB qdisc, one class, with child PRIO qdisc

  + HTB shapes total dequeued traffic rate to the specified maximum rate.
  + PRIO qdisc ensures that traffic you classify as high priority always has preferential access to full link bandwidth (as limited by HTB's rate)
  - high priority flows can completely starve low priority flows

B. PRIO qdisc, each class contains a TBF qdisc specifying transmission rate

  + each class gets up to its TBF of throughput before it gets shaped.
  + each class is completely isolated from the other classes so if the sum of the rates of the TBF qdiscs does not exceed link bandwidth, you should see predictable delay and jitter
  - any given class could become backlogged easily and there's no sharing between classes

C. HTB qdisc, HTB children classes[, children sfq or fifo qdiscs]

  + HTB shapes total dequeued traffic rate to the specified maximum rate.
  + HTB children classes can borrow from parent classes, if some bandwidth goes unused
  - must write filters to specify which class receives which packets

The above is just an outline to point out some of the tradeoffs that need to be examined and understood when choosing a traffic control mechanism for any particular situation. I was probably a bit facile in my answer to Mike, so I hope this post clears up the ambiguity of the recommendation.

Good luck and happy QoS!

-Martin

[0] http://mailman.ds9a.nl/pipermail/lartc/2006q3/019232.html

--
Martin A. Brown
http://linux-ip.net/
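To make the three trade-offs Martin lists concrete, here is a small tick-based model, added as an illustration (it is not code from the thread, nor from the kernel qdiscs), that drives each structure with the same two offered loads and counts what each class gets through in one second. The link rate, packet size and offered rates are constructed numbers, and the HTB borrowing in option C is a simplified two-pass approximation of the real scheduler.

```python
"""Tick-based model of options A, B and C above (constructed example).
Link 1 Mbit/s, 1000-byte packets (125 pkt/s at most); the high flow
offers 150 pkt/s, the low flow 10 pkt/s. Rates are in kbit/s: one 1 ms
tick adds `rate` bits to a bucket, so everything stays in integers."""
from collections import deque

PKT_BITS = 8000      # 1000-byte packet
LINK_KBPS = 1000     # 1000 bits per tick = 125 packets/s
TICKS = 1000         # one simulated second
QLEN = 100           # per-class queue limit, in packets


class Bucket:
    """Token bucket: `rate` bits per tick, holding at most `burst` bits."""

    def __init__(self, rate, burst=PKT_BITS):
        self.rate, self.burst, self.tokens = rate, burst, burst

    def refill(self):
        self.tokens = min(self.burst, self.tokens + self.rate)


class Flow:
    """One traffic class: a source offering `pps` packets/s plus its queue."""

    def __init__(self, name, pps):
        self.name, self.pps, self.queue = name, pps, deque()
        self.credit, self.sent, self.dropped = 0, 0, 0

    def arrive(self):
        self.credit += self.pps            # 1000 credits = one packet
        while self.credit >= 1000:
            self.credit -= 1000
            if len(self.queue) < QLEN:
                self.queue.append(PKT_BITS)
            else:
                self.dropped += 1          # tail drop, like a full fifo

    def send(self, *buckets):
        """Dequeue one packet if every bucket given can pay for it."""
        if not self.queue or any(b.tokens < PKT_BITS for b in buckets):
            return False
        for b in buckets:
            b.tokens -= PKT_BITS
        self.queue.popleft()
        self.sent += 1
        return True


def run(flows, buckets, schedule):
    """Each tick: arrivals, token refill, then the option's dequeue logic."""
    for _ in range(TICKS):
        for f in flows:
            f.arrive()
        for b in buckets:
            b.refill()
        schedule()
    return tuple(f.sent for f in flows)


def new_flows():
    return [Flow("high", 150), Flow("low", 10)]   # listed in priority order


def option_a():
    """A: one HTB class at the link rate with a PRIO qdisc inside it."""
    flows, link, htb = new_flows(), Bucket(LINK_KBPS, 4 * PKT_BITS), Bucket(LINK_KBPS)

    def schedule():                      # strict priority, nothing else
        for f in flows:
            while f.send(htb, link):
                pass
    return run(flows, [link, htb], schedule)


def option_b(rates=(800, 200)):
    """B: PRIO qdisc, each class holding a TBF; rates sum to the link rate."""
    flows, link = new_flows(), Bucket(LINK_KBPS, 4 * PKT_BITS)
    tbf = [Bucket(r) for r in rates]

    def schedule():                      # each class capped by its own TBF
        for f, b in zip(flows, tbf):
            while f.send(b, link):
                pass
    return run(flows, [link, *tbf], schedule)


def option_c(rates=(800, 200)):
    """C: HTB root at the link rate, children with rate/ceil that borrow."""
    flows, link, root = new_flows(), Bucket(LINK_KBPS, 4 * PKT_BITS), Bucket(LINK_KBPS)
    rate = [Bucket(r) for r in rates]
    ceils = [Bucket(LINK_KBPS) for _ in rates]   # ceil == link for both

    def schedule():
        for f, r, c in zip(flows, rate, ceils):  # pass 1: guaranteed rate
            while f.send(r, c, root, link):
                pass
        for f, c in zip(flows, ceils):           # pass 2: borrow, by prio
            while f.send(c, root, link):
                pass
    return run(flows, [link, root, *rate, *ceils], schedule)
```

With these inputs A fills the link but starves the low class completely, B keeps both classes at their own rate and leaves part of the link idle, and C hands the unused low-class share to the high class while the low class still gets through.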
From: martin at linux-ip.net (Martin A. Brown)
Date: Tue Jul 11 04:58:27 2006
Subject: [LARTC] simple TOS based setup vs more complex ones
In-Reply-To: <20060711024226.GH15607@angulosolido.pt>
References: <20060710112551.GF2177@angulosolido.pt> <20060710234340.GF15607@angulosolido.pt> <20060711024226.GH15607@angulosolido.pt>
Message-ID:

It's a tennis-game on the LARTC list, Gustavo!  :)

: > The question is not
: > whether priorities are useless, but rather, how often do you expect
: > your link to be congested?
:
: Good point... and the answer is: always.
:
: With the low DSL uploads available a single connection will
: saturate it - we currently have 20Mbs/400kbps (!) services, for
: example.

Strange ratio--20 to 1, but I don't know a great deal about DSL provisioning.

: Meanwhile, I just finished my first trial on this approach. The
: result is here:
:
: http://downloads.angulosolido.pt/QoS/PRIO_shaper.sh
:
: For SSH interactive traffic and Web Browsing while uploading and
: downloading, it seems to work as well as HTB_shaper; I tested it on a
: single machine.
:
: Of course there is no fairness on each prio band, so tests with
: multiple workstations should reveal the advantages of
: HTB_shaper.

Well, good luck with it. You could consider following the lartc.org HOWTO on PRIO qdiscs with embedded SFQs [0].

: > I'm not crazy about the dropping of the MTU, but otherwise,
:
: I found that it was causing problems, so that part is gone.

While it's not a bad idea from a traffic control perspective, there are so many ramifications of changing the MTU that I don't find it worthwhile.

: (OT: I wonder, if the kernel team doesn't want to include IMQ,
: what's their recommended solution for this problem, on a router
: with more than 2 interfaces)

The developers have recently been working on something called ifb, which is intended to be a replacement for IMQ.
I don't know too much about it, but there are snippets of documentation about the 'net if you are on good terms with google.

-Martin

[0] http://lartc.org/howto/lartc.qdisc.classful.html#AEN903

--
Martin A. Brown
http://linux-ip.net/

From: deslay at gmail.com (Deslay)
Date: Tue Jul 11 06:26:42 2006
Subject: [LARTC] A multi-isp with priority routing and GRE tunneling network problem.
Message-ID:

Hey guys,

I have a problem with building a multi-isp gateway using a GNU/Linux box with priority routing enabled and after all. Any ideas what should I do? Maybe a step by step intro?

Thanks in advance.

Deslay
From: prasad at atc.tcs.co.in (Prasad)
Date: Tue Jul 11 06:40:59 2006
Subject: [LARTC] re-routing network traffic.
Message-ID: <44B32BE4.8060804@atc.tcs.co.in>

Hello All,

The following is what I was trying to do:

A packet [Dest: 10.10.10.2, Src: 10.10.10.30] has a route through "tunl0". The bigger problem is that "tunl0" is a tunnel between 10.10.10.2 and 10.10.10.20... Which means that after encapsulation takes place, the packet would look like [Dest: 10.10.10.2, Src: 10.10.10.20 [Dest: 10.10.10.2, Src: 10.10.10.30]]. The thing to be noted is that the destination of the packet before and after encapsulation is the same!

This is what I plan to do:

1. Create a route such that all packets to 10.10.10.2 go through tunl0
2. In POSTROUTING, if destination is 10.10.10.2 and the packet is not marked, mark it.
3. Create another route for the packets that are marked.

Is this approach the right one, and is it possible to do such a thing - I am especially doubtful about the second step!!

Thanks,
Prasad
From: rajendra at subisu.net.np (rajendra@subisu.net.np)
Date: Tue Jul 11 08:57:42 2006
Subject: [LARTC] tcng not working as expected
Message-ID: <2346.202.63.240.23.1152601057.squirrel@mail.subisu.net.np>

Hi,

Looking at the following sample, shouldn't client1_a be restricted to 35kBps even when there is 50kBps available? Please see the following configuration and suggest.

What I wanted to do is: I have clients grouped into VIP and Poor. The VIP clients and poor clients may be subscribed with the same bandwidth but I would like to prioritize the VIP clients. The VIP client will get the allocated rate. If VIP is not using the links then poor clients will get allocated rates, otherwise they are suppressed. Among the VIP clients they will get the allocated bandwidth, some may be 64kbps, some may be 128kbps. E.g. in case of full utilization, the VIP client with 64kbps should get the full 64kbps but the poor client with 128kbps may get much lower.

I will appreciate your suggestion.

regds,
Rajendra.

    #include "fields.tc"
    #include "ports.tc"

    #define LANSIDE eth0
    #define WANSIDE eth1

    /*######### Shape DOWNLOAD Traffic ############*/
    /*#############################################*/
    dev LANSIDE {
        egress {
            class ( <$client1_a> ) if ip_dst == 10.10.10.24;
            class ( <$client1_b> ) if ip_dst == 10.10.10.22;
            class ( <$client2> )   if ip_dst == 10.10.10.23;

            htb() {
                // Total Bandwidth
                class (rate 50kBps, ceil 50kBps) {
                    // VIP clients
                    class (rate 40kBps, ceil 50kBps) {
                        $client1_a = class (rate 35kBps, ceil 35kBps) ;
                        $client1_b = class (rate 10kBps, ceil 10kBps) ;
                    }
                    // Poor clients
                    class (rate 10kBps, ceil 50kBps) {
                        $client2 = class (rate 35kBps, ceil 35kBps) ;
                    }
                }
            } // End of qdiscs (HTB)
        }
    } // End of device (LANSIDE)

    /*######### Shape UPLOAD Traffic ##############*/
    /*#############################################*/
From: jarkap at poczta.onet.pl (Jarek Poplawski)
Date: Wed Jul 12 08:02:01 2006
Subject: [LARTC] [PATCH] IMQ for linux-2.6.17.4 with behavior param
Message-ID: <44B4907D.6080503@poczta.onet.pl>

Hi,

I see some inertia on www.linuximq.net, while kernels are at full speed, so here is my testing proposition for IMQ with:

- some minor bugs removed in imq.c (like improper err handling while registering queue handler),
- changes in ipt_IMQ.c and ip6t_IMQ.c to work with linux-2.6.17.4 (iptables-1.3.5),
- added functionality to change behavior with module parameter (without recompiling).

I hope it should work, but testing was very limited (ipv6 not tested).

Best regards,
Jarek P.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: linux-2.6.17.4-imq0.diff.tar.gz
Type: application/x-gzip
Size: 6808 bytes
Desc: not available
Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20060712/37976abd/linux-2.6.17.4-imq0.diff.tar.bin
From: jarkap at poczta.onet.pl (Jarek Poplawski)
Date: Thu Jul 13 10:39:15 2006
Subject: [LARTC] [PATCH] IMQ vs. local traffic
Message-ID: <44B606CD.9020600@poczta.onet.pl>

Hello,

Some time ago I've read somewhere that local traffic in IMQ could hang up the whole system but it was corrected a long time ago. So I was very surprised yesterday when it turned out not to be true.

While testing IMQ I've observed for some time that - if you tag some local traffic with iptables both in pre- and postrouting - the kernel is hanging up. It is happening quite quickly with an SMP compiled kernel but without SMP it is also possible. After setting soft lockup debugging they are visible.

And then I've found this strange thing: packets outgoing from lo to any local address are hooked to the IMQ queue from PREROUTING (on ingress). I know they are going there from OUTPUT for the routing decision and should be delivered to hooks in PREROUTING like IMQ, but they also should not have the IMQ flag set at the moment (they will be "tagged" by iptables in the POSTROUTING future!). But for some reasons (probably some shortcut) they do have this flag and the IMQ egress queue is not on their way.

So I added this short test in imq_nf_hook and my soft lockups are gone.

Jarek P.

PS: The included patch could be applied after the linux-2.6.16-imq2 patch or e.g. my yesterday version linux-2.6.17.4-imq0.

-------------- next part --------------
diff -Nru linux-2.6.17.4-imq/drivers/net/imq.c linux-2.6.17.4-imq2/drivers/net/imq.c --- linux-2.6.17.4-imq/drivers/net/imq.c 2006-07-11 22:00:00.000000000 +0200 +++ linux-2.6.17.4-imq2/drivers/net/imq.c 2006-07-12 22:15:51.000000000 +0200 @@ -234,7 +234,8 @@ const struct net_device *outdev, int (*okfn)(struct sk_buff *)) { - if ((*pskb)->imq_flags & IMQ_F_ENQUEUE) + if ((*pskb)->imq_flags & IMQ_F_ENQUEUE && !(hook == NF_IP_PRE_ROUTING + && indev == &loopback_dev)) return NF_QUEUE; return NF_ACCEPT;
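Review bot: The new condition in imq_nf_hook exempts every skb seen at NF_IP_PRE_ROUTING with indev == &loopback_dev from IMQ queuing, but nothing in the code says why; add a one-line comment naming the soft lockup this works around (the cover letter explains it, the hunk does not), and put the flag test in its own parentheses, `if (((*pskb)->imq_flags & IMQ_F_ENQUEUE) && !(hook == NF_IP_PRE_ROUTING && indev == &loopback_dev))`, since the mix of & and && is correct only by operator precedence and is easy to misread. The exemption is one-directional: anything else carrying IMQ_F_ENQUEUE is still returned as NF_QUEUE, so the excluded case (loopback ingress only) belongs in the commit message as well.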
From: jarkap at poczta.onet.pl (Jarek Poplawski)
Date: Fri Jul 14 07:42:14 2006
Subject: [LARTC] Re: [PATCH] IMQ vs. local traffic
In-Reply-To: <44B606CD.9020600@poczta.onet.pl>
References: <44B606CD.9020600@poczta.onet.pl>
Message-ID: <44B72ED7.2060605@poczta.onet.pl>

Jarek Poplawski wrote:
...
> And then I've found this strange thing: packets outgoing from lo
> to any local address are hooked to IMQ queue from PREROUTING (on
> ingress). I know they are going there from OUTPUT for routing
> decision and should be delivered to hooks in PREROUTING like IMQ,
> but they also should not have IMQ flag set at the moment (they
> will be "tagged" by iptables in the POSTROUTING future!). But for
> some reasons (probably some shortcut) they do have this flag and
> IMQ egress queue is not on their way.

Bad diagnosis! There is no shortcut. Only in my testing procedure: I've switched off the egress hook, so the IMQ flag traveled from POSTROUTING to PREROUTING not annoyed. I forgot it isn't the real device. Sorry for misleading.

> So I added this short test in imq_nf_hook and my soft lockups
> are gone.

Nevertheless this method works. I don't know why, yet. It excludes one direction of local traffic from queuing but who cares?

Jarek P.

From: e1605project at hotmail.com (*~ r a K u ~ *)
Date: Fri Jul 14 11:28:42 2006
Subject: [LARTC] how different qdisc at root and leaf working???
Message-ID:

An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060714/691a3ec8/attachment.htm
From: azez at ufomechanic.net (Amin Azez)
Date: Fri Jul 14 11:34:51 2006
Subject: [LARTC] Re: Bi-directional packet classification with ACK prioritization
In-Reply-To: <0633E0EDB4F25F43A2D7179CA11FAFAB255421@xavier.staff.greatlakes.net>
References: <0633E0EDB4F25F43A2D7179CA11FAFAB255421@xavier.staff.greatlakes.net>
Message-ID: <44B755E5.2010000@ufomechanic.net>

* Eliot, Wireless and Server Administrator, Great Lakes Internet wrote, On 02/06/06 18:06:
> Sorry for making this a cross-post, but the pressure is on for getting
> this bandwidth shaper working.
>
> I have an interesting dilemma with bi-directional packet classification
> while doing ACK prioritization. This is an overly simplified summary of
> my setup:
>
>   Internet
>      |
>     Eth0
>      |
>    Router
>      |
>     Eth1
>      |
>   Intranet
>
>
> A client on the Intranet establishes a flow to a server on the Internet.
> Packets get classified into 3 different priority bands. Priority 1 is
> for VoIP, DNS, SSH, Telnet, and ACK packets with no data payload.
> Priority 2 is for general traffic that does not fall into band 1 or band
> 3. Priority 3 band is for P2P.
>
> When the flow (download) is established, it starts out with the packets
> coming in on Priority Band 2.
>
> The client then sends an ACK packet to the server with no data payload.
>
> The router then classifies that ACK packet into Priority Band 1 and
> saves the mark that was set to put it in that classification.
>
> A response then comes back from the server and the router restores the
> mark it previously saved. Now it is flagged for Priority Band 1.

I got round this by editing connmark and adding 2 more marks, one for each direction.

When connmark is set, in the conntrack it sets that mark in the usual place and also in the slot for the current direction.

When the conntrack is used to populate the skb mark, I take the current direction.

So I get the best of both worlds.

Sam
From: e1605project at hotmail.com (*~ r a K u ~ *)
Date: Fri Jul 14 11:43:11 2006
Subject: [LARTC] How advantage, disadvantage, comparison between HTB and HFSC??
Message-ID:

An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060714/a2946d66/attachment.html
From: martin at linux-ip.net (Martin A. Brown)
Date: Fri Jul 14 17:48:54 2006
Subject: [LARTC] Can i attach another qdisc under classes or root qdisc?
In-Reply-To:
References:
Message-ID:

Hello again Raku,

: you mean we can define "nested qdisc" but algorithm in nested
: qdisc must same as parent class???? i'm not clear it and Is we
: can define nested qdisc with algorithm different from parent
: class?????

Next try at explaining the concept:

- qdiscs can be attached to egress (default), ingress and any class
- classes may only be defined "underneath" (as children of) existing classful qdiscs (CBQ, HTB, PRIO, HFSC)
- a classful qdisc may only have children classes of the same type (e.g., HTB qdisc can only have HTB classes; HFSC qdisc can only have HFSC classes)
- classless qdiscs are leaf branches on the tree

Be careful to distinguish classes from qdiscs.

: tc qdisc add dev eth0 root handle 1: htb
: //this left node hierarchy for manage general package
: tc class add dev eth0 parent 1: classid 1:1 htb rate 100kbps ceil 100kbps
: //this right node hierarchy for manage real time package
: tc class add dev eth0 parent 1: classid 1:2 htb rate 100kbps ceil 100kbps
: // from your advise at step 4, attach brand-new after define class
: but Is it true??? because algorithm new qdisc are different from
: class algorithm that qdisc attach it.
: tc qdisc add dev eth0 parent 1:2 classid 10:11 hfsc rate 100kbps
: tc class add dev eth0 parent 10:11 classid 1:111 hfsc rate 100kbps ceil
: 100kbps
: tc class add dev eth0 parent 10:11 classid 1:112 hfsc rate 100kbps ceil
: 100kbps

Structurally speaking, there's nothing wrong with your hierarchy. When you try it out, however, you'll discover that you are not using the correct parameters for the hfsc qdisc and class specifications.

: and Can somebody advise me about HOW TO do later in this topic. i
: want to have got traffic shaper and my solution is ...
: i want to
: manage different traffic package (general package use and real
: time package) so now i think about have got a problem with tc
: command, ... i think it can't setting to manage different package
: with different algorithm HTB and HFSC Do you have any idea about
: how to setting tc command example???? thank you ?

Raku, I don't know whether HTB or HFSC would be better for your application, but I can tell you that HTB is better-understood by a larger number of people. In the grand scheme of things, HFSC has seen far less use. It's an excellent concept, and if you'd like to know more about the concepts behind the queuing discipline, I'd suggest the HFSC article by Klaus Rechert and Patrick McHardy [0].

I think a simple hierarchy almost exactly like the one detailed in their article is probably what you want. It sounds like you have "realtime" traffic (e.g., VoIP) and bulk traffic. So, read their documentation, and try to configure your traffic control structures as they suggest.

Once you have configured the traffic control structures, then add the filters to separate traffic into the appropriate classes, e.g.:

    FILTR="tc filter add dev $INTERFACE"

    # -- structure is built, now select some packets
    #
    $FILTR parent 1:0 protocol all prio 1 \
      u32 match ip src 192.168.7.0/24 flowid 1:10

    # -- example for grabbing anything at all
    #
    $FILTR parent 1:0 protocol all prio 1 \
      u32 match u32 0x0 0x0 at 0 classid 1:11

    # -- example for identifying all UDP traffic
    #
    $FILTR parent 1:0 protocol all prio 1 \
      u32 match u8 0x11 0xff at 9 classid 1:12

These are just example filters (and probably not great examples at that). You should write your filters to select the traffic you want to place into each class.

Finally, let me recommend that you keep your class structure as simple as possible.

-Martin

[0] http://linux-ip.net/tc/hfsc.en/

--
Martin A.
Brown
http://linux-ip.net/

From: martin at linux-ip.net (Martin A. Brown)
Date: Fri Jul 14 17:52:30 2006
Subject: [LARTC] how different qdisc at root and leaf working???
In-Reply-To:
References:
Message-ID:

Raku,

: /bin/false qdisc add dev eth1 handle 1: root htb default 1
: /bin/false class add dev eth1 parent 1: classid 1:1 htb rate 2048Kbit
: /bin/false class add dev eth1 parent 1:1 classid 1:21 htb rate 128Kbit ceil 512Kbit prio 2 quantum 1532
: /bin/false class add dev eth1 parent 1:21 classid 1:299 htb rate 256Kbit ceil 256Kbit prio 4 quantum 1532
: /bin/false qdisc add dev eth1 handle 299: parent 1:299 hfsc

You must have renamed "tc" to "false".  :)

: use HTB only for shaper bandwidth in each service with setting parameter
: rate???
:
: use HFSC only for manage dequeue traffic after shaper bandwidth from
: inner class???

In the above traffic control structure, you have not specified any classes for the HFSC qdisc. That means it's effectively doing nothing (useful).

Check out my earlier mail--and good luck,

-Martin

P.S., Can you convince your hotmail account not to send HTML mail?

--
Martin A. Brown
http://linux-ip.net/
From: lesteves at ic.uff.br (Luciana Esteves Neves Hilario)
Date: Fri Jul 14 22:56:29 2006
Subject: [LARTC] I need help with tc filters!!!!!
Message-ID: <004e01c6a788$0be29f70$e10f14c8@setiba>

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: router_qos_script.sh
Type: application/octet-stream
Size: 4903 bytes
Desc: not available
Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20060714/0074bf05/router_qos_script.obj

From: doc at lanaticasylum.de (Marcus Schmid)
Date: Mon Jul 17 12:26:49 2006
Subject: [LARTC] ipp2p patch for kernel 2.6.17.4
Message-ID:

Hello!

Our dormitory has a linux router w/ two DSL links to the Internet; we used ipp2p (http://ipp2p.org/) for filtering peer to peer traffic (as we can not tell whether the content transferred using such p2p tools has been obtained legally or not, so we block that traffic). Up to yesterday we were using kernel 2.6.10.11, which worked perfectly with ipp2p. Now we updated to kernel 2.6.17.4, and ipp2p was broken.

We made a patch for ipp2p to bring the filter back to work again; maybe the patch is helpful to others, so we decided to put up a webpage for downloading the patch:

http://www.sieglitzhof.net/~doc/ipp2p/

Ciao,
Marcus Schmid

-------------------------------------------------------------------------
The most difficult thing in the world is to know how to do a thing and to watch somebody else doing it wrong, without comment.
From: jonped at gmail.com (Jon Pedersen)
Date: Mon Jul 17 15:34:50 2006
Subject: [LARTC] How to add multiple filters and netem rules on a single interface?
Message-ID:

Hi!

We want to run TCP streams to several port numbers through one interface, each with a different delay set by Netem. E.g. TCP streams to port 80 could have 50ms delay, while TCP streams to port 81 could have 100 ms delay and so on.

We have tried to solve this by using a combination of tc filter and netem rules, but we can't get it quite right. We are considering one class per port, each with their own Netem delay and the following filter:

    tc filter add dev eth0 protocol ip parent (?) prio 1 u32 match ip protocol 6 0xff match u16 80 0xffff at 20

Is this possible? If so, how do you create the class hierarchy and how do you combine each filter with the netem rule?

Thank you very much in advance!

Jon Pedersen

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060717/30b3b0b3/attachment.htm
From: russell-tcatm at stuart.id.au (Russell Stuart)
Date: Tue Jul 18 04:45:54 2006
Subject: [LARTC] RE: [PATCH 0/2] NET: Accurate packet scheduling for ATM/ADSL
In-Reply-To: <1151158431.6716.95.camel@jzny2>
References: <1150278004.26181.35.camel@localhost.localdomain> <1150286766.5233.15.camel@jzny2> <1150287983.3246.27.camel@ras.pc.brisbane.lube> <1150292693.5197.1.camel@jzny2> <1150843471.17455.2.camel@ras.pc.brisbane.lube> <15653CE98281AD4FBD7F70BCEE3666E53CD54A@comxexch01.comx.local> <1151000966.5392.34.camel@jzny2> <1151066247.4217.254.camel@ras.pc.brisbane.lube> <1151158431.6716.95.camel@jzny2>
Message-ID: <1153188409.13145.5.camel@ras.pc.brisbane.lube>

On Sat, 2006-06-24 at 10:13 -0400, jamal wrote:
> And yes, I was arguing that the tc scheme you describe would not be so
> bad either if the cost of making a generic change is expensive.
> Patrick seems to have a simple way to compensate generically for link
> layer fragmentation, so i will not argue the practically; hopefully that
> settles it? ;->

Things seem to have died down. Patrick's patch seemed unrelated to ATM to me. I did put up another suggestion, but I don't think anybody was too impressed with the idea. So that leaves the current ATM patch as the only one we have on the table that addresses the ATM issue. Since you don't think it is "too bad", can we proceed with it?
From: moritz at uplink-verein.ch (Moritz Gartenmeister)
Date: Tue Jul 18 18:58:03 2006
Subject: [LARTC] ip tunnel and kernel 2.6.17.6
Message-ID:

hi all

i ran a few times into troubles with iproute and rtnetlink or netlink_dev with newer kernels. i.e. i can compile and recompile the kernel and iproute (all from sources)... and as soon as i like to add a route to a tunnel:

    ip route add 192.168.0.0/24 dev gre_tun

i get: rtnetlink no such device.

ip link / ip addr is showing the tunnel (also ifconfig).

i assume that the kernel doesn't support this feature or that iproute is not ready for this kernel. i also experienced troubles with other newer kernels. the last known working kernel is 2.6.13. i didn't find any infos about which kernel is working (iproute tested against it) or any explanation about this.

before i try something impossible and waste more time, i ask you for some hints.

regards,
moritz

From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Tue Jul 18 23:55:37 2006
Subject: [LARTC] tc ingress policing with multiple subnets
In-Reply-To: <1151764718.6342.19.camel@ccja.localhost>
References: <002b01c69130$de91c270$0600a8c0@hpa> <449FD426.7060804@andyfurniss.entadsl.com> <1151764718.6342.19.camel@ccja.localhost>
Message-ID: <44BD591A.3040008@andyfurniss.entadsl.com>

Nikolay Kichukov wrote:
>> If you are shaping ingress you will need to set a rate below the link
>> speed, or you won't do anything.
>>
>
> How about a rate that matches the link speed? Will 95% of the link be
> alright for ingress?

Ingress shaping is a kludge - you can do a lot better than doing nothing, but depending on the speed/buffer size of the link and your requirements you will need to sacrifice a lot more than 5%. 20% for a start and depending on traffic up to 50% - ouch.

Andy.
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Tue Jul 18 23:59:51 2006
Subject: [LARTC] I need help with tc filters!!!!!
In-Reply-To: <004e01c6a788$0be29f70$e10f14c8@setiba>
References: <004e01c6a788$0be29f70$e10f14c8@setiba>
Message-ID: <44BD5A1A.506@andyfurniss.entadsl.com>

Luciana Esteves Neves Hilario wrote:
> Hi Everybody!
>
> I need help! I'm doing a tc script with tc filters that have to match the Type of Service field in the IP header. This is the script I am using to setup the filters.
>
> tc filter add dev $DEV parent 1: protocol ip prio $PRIO_CONTROL u32 match ip protocol 6 0xff \
>
> match u32 00190000 00ff0000 at 0 flowid 1:10

You don't say what the problem is - if it's that the tos doesn't match it may be because the last bit is supposed to be cleared/unused and you are matching set?

Andy.

From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Wed Jul 19 00:04:25 2006
Subject: [LARTC] [PATCH] IMQ vs. local traffic
In-Reply-To: <44B606CD.9020600@poczta.onet.pl>
References: <44B606CD.9020600@poczta.onet.pl>
Message-ID: <44BD5B27.1000104@andyfurniss.entadsl.com>

Jarek Poplawski wrote:
> PS: The included patch could be applied after linux-2.6.16-imq2
> patch or eg. my yesterday version linux-2.6.17.4-imq0.

I think this should go/cc to the IMQ list

linuximq@yahoogroups.com

http://groups.yahoo.com/group/linuximq/

Subscribe by mail and you won't get asked for a yahoo ID.

Andy.
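The u32 keys in Martin's example filters, in Jon's `match u16 80 0xffff at 20`, and in the TOS match Andy answers above all come down to "compare the bytes at an offset, under a mask". The following evaluator is added here as an illustration (it is not code from the thread or from iproute2): it applies such keys to constructed IPv4 packets, reads values and masks as hexadecimal, and implements `ip sport`/`ip dport` at fixed offsets 20 and 22, so it shows why a key written `at 20` hits the TCP source port, what happens when the IP header carries options, and why a TOS key of 0x19 never matches a packet marked 0x18.

```python
"""Evaluate tc u32 match keys against constructed IPv4 packets.
Supported: 'u32|u16|u8 VALUE MASK at OFFSET', 'ip src|dst A.B.C.D/N',
'ip protocol N MASK', 'ip sport|dport N MASK'. Offsets count from the
start of the IP header, as for a 'protocol ip' filter. (Added example.)"""
import ipaddress
import struct

WIDTH = {"u32": 4, "u16": 2, "u8": 1}


def parse_match(spec):
    """One 'match ...' argument string -> (offset, width, key, mask)."""
    tok = spec.split()
    if tok[0] in WIDTH:                          # uN VALUE MASK at OFFSET
        if len(tok) != 5 or tok[3] != "at":
            raise ValueError("bad match: " + spec)
        width, off = WIDTH[tok[0]], int(tok[4])
        key, mask = int(tok[1], 16), int(tok[2], 16)
    elif tok[:2] in (["ip", "src"], ["ip", "dst"]):
        net = ipaddress.ip_network(tok[2], strict=False)
        width, off = 4, 12 if tok[1] == "src" else 16
        key, mask = int(net.network_address), int(net.netmask)
    elif tok[:2] == ["ip", "protocol"]:
        width, off, key, mask = 1, 9, int(tok[2], 0), int(tok[3], 16)
    elif tok[:2] in (["ip", "sport"], ["ip", "dport"]):
        # fixed offsets 20/22 from the IP header: assumes no IP options
        width, off = 2, 20 if tok[1] == "sport" else 22
        key, mask = int(tok[2], 0), int(tok[3], 16)
    else:
        raise ValueError("unsupported match: " + spec)
    if key >> (8 * width) or mask >> (8 * width):
        raise ValueError(f"value wider than {width} bytes: {spec}")
    return off, width, key & mask, mask           # tc stores key & mask


def matches(packet, *specs):
    """True when every match key holds for `packet` (raw IPv4 bytes)."""
    for off, width, key, mask in map(parse_match, specs):
        if off + width > len(packet):             # short packet: no match
            return False
        field = int.from_bytes(packet[off:off + width], "big")
        if field & mask != key:
            return False
    return True


def ipv4_packet(proto, src, dst, sport, dport, tos=0, options=b""):
    """Constructed IPv4 header (+ options) followed by a 4-byte port pair.
    The checksum is left zero; u32 keys here never look at it."""
    assert len(options) % 4 == 0
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, tos, ihl * 4 + 4,
                      0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr + options + struct.pack("!HH", sport, dport)


def demo():
    """Evaluate the keys quoted in this thread against constructed packets."""
    udp = ipv4_packet(17, "192.168.7.10", "10.0.0.1", 5060, 5060)
    web = ipv4_packet(6, "10.0.0.1", "192.168.7.10", 80, 40000, tos=0x18)
    web_opts = ipv4_packet(6, "10.0.0.1", "192.168.7.10", 80, 40000,
                           options=b"\x01" * 4)     # four NOP options
    return {
        # Martin's three filters: a /24 source, anything at all, all UDP
        "lan_src": matches(udp, "ip src 192.168.7.0/24"),
        "anything": matches(web, "u32 0x0 0x0 at 0"),
        "udp_is_udp": matches(udp, "u8 0x11 0xff at 9"),
        "tcp_is_udp": matches(web, "u8 0x11 0xff at 9"),
        # Jon's key (port 80 written as 0x50): bytes 20-21 are the TCP
        # *source* port when the header is 20 bytes, same as 'ip sport'
        "u16_at_20": matches(web, "ip protocol 6 0xff", "u16 0x50 0xffff at 20"),
        "ip_sport_80": matches(web, "ip sport 80 0xffff"),
        "ip_dport_80": matches(web, "ip dport 80 0xffff"),
        # with IP options the transport header moves and the key misses
        "u16_at_20_options": matches(web_opts, "u16 0x50 0xffff at 20"),
        # Andy's point: TOS 0x19 has the low (MBZ) bit set, so a packet
        # marked 0x18 never matches unless the mask ignores that bit
        "tos_0x19_exact": matches(web, "u32 00190000 00ff0000 at 0"),
        "tos_0x19_mask_fe": matches(web, "u32 00190000 00fe0000 at 0"),
    }
```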
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Wed Jul 19 00:10:23 2006
Subject: [LARTC] IFB vs IMQ
In-Reply-To:
References:
Message-ID: <44BD5C92.6090304@andyfurniss.entadsl.com>

Rajesh Mahajan wrote:
> Is IFB really a replacement of IMQ

Mostly - it hooks before/after netfilter though, so if you really need IMQ to hook "in" netfilter (e.g. to get denatted addresses on ingress so you can separate INPUT and FORWARD traffic), you still need IMQ.

Andy.

From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Wed Jul 19 00:34:16 2006
Subject: [LARTC] IFB working
In-Reply-To:
References:
Message-ID: <44BD622C.3020204@andyfurniss.entadsl.com>

Rajesh Mahajan wrote:
> All these documents have one line
>
> action mirred egress redirect dev dummy0
>
> what I can understand out of this is that all packets in egress of device
> are being redirected to dummy0, where as the need is to inject dummy 0 with
> packets in ingress of the device so that shaping can be done for packets
> storming in for our system and not the packets leaving our system.
> Policing can be done but here the requirement is for Shaping (queueing).
> With IMQ ingress shaping does work fine but the only question I have is how
> to shape packets coming in ingress of the device

    $TC qdisc add dev eth0 ingress

    $TC filter add dev eth0 parent ffff: \
       protocol ip prio 10 u32 match ip src 192.168.0.10 \
       flowid 1:0 \
       action mirred egress redirect dev ifb0

Andy.
From: kavithak at pal.ece.iisc.ernet.in (kavita)
Date: Wed Jul 19 08:08:25 2006
Subject: [LARTC] how to identify RTP packets?
Message-ID: <4756.10.32.19.84.1153289297.squirrel@www.pal.ece.iisc.ernet.in>

Hi,

I am working on a voice application. I want to identify RTP packets and set DSCP for those. Is there any way to accomplish this task either using tc or iptables? Please help me..

Thank you

From: nikky at mnet.bg (Nickola Kolev)
Date: Wed Jul 19 09:38:42 2006
Subject: [LARTC] how to identify RTP packets?
In-Reply-To: <4756.10.32.19.84.1153289297.squirrel@www.pal.ece.iisc.ernet.in>
References: <4756.10.32.19.84.1153289297.squirrel@www.pal.ece.iisc.ernet.in>
Message-ID: <20060719103850.2c86bba3.nikky@mnet.bg>

Hello, Kavita,

On Wed, 19 Jul 2006 11:38:17 +0530 (IST) "kavita" wrote:

> Hi,
>
> I am working on a voice application. I want to identify RTP packets
> and set DSCP for those. Is there any way to accomplish this task either
> using tc or iptables. Please help me..

Nope, you can't do that, because the transport stream is defined as src/dst port dynamically by the VoIP control channel, be it H.323/SIP/MGCP/Skinny/whateva. The only feasible way is to set ToS/DSCP in the VoIP endpoints/applications. I've seen many devices allowing you to set up a specific ToS for the RTP stream.

Well, of course you could use some sort of l7 classification, but that is specific to your needs.

> Thank you
[ cut ]

Regards,
Nickola
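Nickola's point is that RTP lives on ports negotiated by the signalling channel, so a port match cannot find it; the "l7 classification" he mentions means looking at the payload. As an added example (not code from the thread, and not an iptables or tc module), here is the kind of heuristic an l7 classifier applies to a UDP payload: parse the RFC 3550 fixed header, accept version 2, reject the payload-type values that collide with RTCP, and compute the TOS byte that a DSCP EF marking would write while preserving the ECN bits. The sample packets are constructed inline, not captured traffic; the function names are the author's.

```python
"""Added example (not code from the thread): heuristic RTP recognition of
the kind an l7 classifier would do on a UDP payload, plus the DSCP marking."""
import struct

# RTCP packet types 200..204 have the high bit set, so as an RTP header they
# would read as marker=1 with payload type 72..76; exclude that range.
RTCP_PT_RANGE = range(72, 77)
EF_DSCP = 46          # Expedited Forwarding, the usual marking for voice


def parse_rtp(payload):
    """Return the RTP fixed-header fields (RFC 3550) if the payload plausibly
    is RTP, else None.  Heuristic only: version 2, room for the CSRC list, and
    a payload type outside the RTCP collision range."""
    if len(payload) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
    version = b0 >> 6
    cc = b0 & 0x0F
    pt = b1 & 0x7F
    if version != 2 or pt in RTCP_PT_RANGE or len(payload) < 12 + 4 * cc:
        return None
    return {
        "version": version,
        "padding": bool(b0 & 0x20),
        "extension": bool(b0 & 0x10),
        "cc": cc,
        "marker": bool(b1 & 0x80),
        "payload_type": pt,
        "seq": seq,
        "timestamp": ts,
        "ssrc": ssrc,
    }


def dscp_for_udp_payload(payload, current_tos=0):
    """TOS byte to write: DSCP EF in the top six bits for RTP, with the two
    ECN bits of the existing TOS byte preserved; unchanged for anything else."""
    if parse_rtp(payload) is None:
        return current_tos
    return (EF_DSCP << 2) | (current_tos & 0x03)


# Constructed samples (not captured traffic):
# a PCMU (PT 0) RTP packet: V=2, seq 1, timestamp 160, SSRC 0xdeadbeef, 8 audio bytes
RTP_SAMPLE = struct.pack("!BBHII", 0x80, 0x00, 1, 160, 0xDEADBEEF) + b"\xff" * 8
# an RTCP sender-report header (V=2, PT=200), which must NOT classify as RTP
RTCP_SAMPLE = struct.pack("!BBHI", 0x80, 200, 6, 0xDEADBEEF) + b"\x00" * 20
# a DNS-looking payload: version bits are 0, so it is not RTP
DNS_SAMPLE = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"

if __name__ == "__main__":
    for name, pkt in (("rtp", RTP_SAMPLE), ("rtcp", RTCP_SAMPLE), ("dns", DNS_SAMPLE)):
        print(name, parse_rtp(pkt), hex(dscp_for_udp_payload(pkt)))
```

Because the check is a heuristic, a UDP payload from an unrelated protocol can pass it; a classifier built on it should be confined to the hosts or port ranges where voice traffic is expected, which is also why Nickola prefers marking at the endpoints.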
From: jarkap at poczta.onet.pl (Jarek Poplawski)
Date: Wed Jul 19 09:44:38 2006
Subject: [LARTC] Re: [PATCH] IMQ vs. local traffic
References: <44B606CD.9020600@poczta.onet.pl> <44BD5B27.1000104@andyfurniss.entadsl.com>

Andy Furniss <lists at andyfurniss.entadsl.com> writes:
> Jarek Poplawski wrote:
>
> > PS: The included patch could be applied after linux-2.6.16-imq2
> > patch or eg. my yesterday version linux-2.6.17.4-imq0.
>
> I think this should go/cc to the IMQ list
>
> linuximq@yahoogroups.com
>
> http://groups.yahoo.com/group/linuximq/
>
> Subscribe by mail and you won't get asked for a yahoo ID.

Hello,

I had this intention from the start, but when I hadn't seen any changes on the web site (from 2006-03-25), no activity on the group site for a long time and no possibility to read any archives of that group, I thought maybe here there would be some more interest. I've seen some patches here, so I dared to send mine. The second receiver was Andre Correa (I think he tries to save his address). After your mail I looked at this group site again and, miraculously, I see some activity today, so I'll take your advice and subscribe.

Thanks,
Jarek P.
From: gustavo at angulosolido.pt (Gustavo Homem)
Date: Wed Jul 19 10:06:06 2006
Subject: [LARTC] skype specific QoS - assigning skype traffic to an HTB class
Message-ID: <200607182010.09070.gustavo@angulosolido.pt>

Hi,

What do you think about this solution for skype specific QoS:

function HTB_shape {
###########################################################
# Shapes the traffic of an interface, limiting the late
#
# Arguments are DEV,RATE

    DEV=$1
    RATE=$2

    [...]

    # on the external interface shape by source port, on the internal one by destination port
    PORT=dport
    if [ "$DEV" = "$EXTIF" ]; then
        PORT=sport
    fi

    # skype configured to listen on 4000
    iptables -t mangle -A MYSHAPER-$DEV -p tcp --$PORT 4000 -j MARK --set-mark 22
    iptables -t mangle -A MYSHAPER-$DEV -p udp --$PORT 4000 -j MARK --set-mark 22

    [...]
}

[...]

HTB_shape $INTIF $RATEDN
HTB_shape $EXTIF $RATEUP

?

According to http://www.skype.com/help/faq/technical.html we can choose the port that skype will use for sending and receiving traffic. For this example port 4000 was chosen, and that port is forwarded from the linux router to the internal machine that runs skype, for both TCP and UDP traffic.

The idea is that since we're shaping on the output of each interface, for the external interface we want to filter on the source port, whereas for the internal one what matters is the destination port.

The complete script is here: http://downloads.angulosolido.pt/QoS/HTB_shaper.sh

Comments?

Best regards
Gustavo

--
Angulo Sólido - Tecnologias de Informação
http://angulosolido.pt
From: doudouyam at gmail.com (doudouyam)
Date: Wed Jul 19 11:36:11 2006
Subject: [LARTC] PRIO and CBQ
Message-ID: <81c11a560607190236w529e467cl66749deb5bd8d5bc@mail.gmail.com>

Hi,

I'm working on traffic shaping and I would like to know if it's possible to mix different Queueing Disciplines?
I would like to combine the properties of a PRIO discipline with those of a CBQ discipline.
I read some documentation and I found nothing about that, can you help me?

I think to try something like that:

tc qdisc add dev $DEV root handle 1: cbq ?
tc class add dev $DEV parent 1: classid 1:1 cbq ?
tc class add dev $DEV parent 1:1 classid 1:10 cbq ?
tc class add dev $DEV parent 1:1 prio

Normally I've this tree:

      1:(cbq)
        |
        |
       1:1
      /   \
     /     \
1:10(cbq)  1:??(prio)

Or something like that:

tc qdisc add dev $DEV root handle 1: prio band 2
tc class add dev $DEV parent 1: classid 1:2 cbq ?
tc class add dev $DEV parent 1:2 classid 1:3 cbq ?
tc class add dev $DEV parent 1:2 classid 1:4 cbq ?

tc qdisc add dev $DEV parent 1:1 handle 10: pfifo
tc qdisc add dev $DEV parent 1:3 handle 30 sfq
tc qdisc add dev $DEV parent 1:4 handle 40 sfq

        1:(prio)
        /     \
       /       \
     1:1       1:2
      |        / \
      |       /   \
     10:    1:3   1:4
   (pfifo)   |     |
             |     |
            30:   40:
           (sfq) (sfq)

Is it possible??? (the first solution seems to me not possible)

Thanks.
From: doudouyam at gmail.com (doudouyam)
Date: Wed Jul 19 12:09:52 2006
Subject: [LARTC] Re: PRIO and CBQ
In-Reply-To: <81c11a560607190236w529e467cl66749deb5bd8d5bc@mail.gmail.com>
References: <81c11a560607190236w529e467cl66749deb5bd8d5bc@mail.gmail.com>
Message-ID: <81c11a560607190310g5c33333ar5fc5d1a81c0bd6c8@mail.gmail.com>

I've made a mistake in the second case:

tc qdisc add dev $DEV root handle 1: prio band 1
tc class add dev $DEV parent 1: classid 1:2 cbq ?
tc class add dev $DEV parent 1:2 classid 1:3 cbq ?
tc class add dev $DEV parent 1:2 classid 1:4 cbq ?

tc qdisc add dev $DEV parent 1:1 handle 10: pfifo
tc qdisc add dev $DEV parent 1:3 handle 30: sfq
tc qdisc add dev $DEV parent 1:4 handle 40: sfq

        1:(prio)
        /     \
       /       \
     1:1       1:2
      |        / \
      |       /   \
     10:    1:3   1:4
   (pfifo)   |     |
             |     |
            30:   40:
           (sfq) (sfq)

2006/7/19, doudouyam :
> Hi,
> I'm working on traffic shaping and I would like to know if it's possible to
> mix different Queueing Disciplines?
> I would like to combine the properties of a PRIO discipline with those of a
> CBQ discipline.
> I read some documentation and I found nothing about that, can you help me?
>
> I think to try something like that:
>
> tc qdisc add dev $DEV root handle 1: cbq ?
> tc class add dev $DEV parent 1: classid 1:1 cbq ?
> tc class add dev $DEV parent 1:1 classid 1:10 cbq ?
> tc class add dev $DEV parent 1:1 prio
>
> Normally I've this tree:
>
>       1:(cbq)
>         |
>         |
>        1:1
>       /   \
>      /     \
> 1:10(cbq)  1:??(prio)
>
> Or something like that:
>
> tc qdisc add dev $DEV root handle 1: prio band 2
> tc class add dev $DEV parent 1: classid 1:2 cbq ?
> tc class add dev $DEV parent 1:2 classid 1:3 cbq ?
> tc class add dev $DEV parent 1:2 classid 1:4 cbq ?
>
> tc qdisc add dev $DEV parent 1:1 handle 10: pfifo
> tc qdisc add dev $DEV parent 1:3 handle 30 sfq
> tc qdisc add dev $DEV parent 1:4 handle 40 sfq
>
>         1:(prio)
>         /     \
>        /       \
>      1:1       1:2
>       |        / \
>       |       /   \
>      10:    1:3   1:4
>    (pfifo)   |     |
>              |     |
>             30:   40:
>            (sfq) (sfq)
>
> Is it possible??? (the first solution seems to me not possible)
>
> Thanks.

From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Wed Jul 19 13:38:09 2006
Subject: [LARTC] How to add multiple filters and netem rules on a single interface?
Message-ID: <44BE19E4.2030100@andyfurniss.entadsl.com>

Andy Furniss wrote:
> Jon Pedersen wrote:
>
>> Hi!
>>
>> We want to run TCP streams to several port numbers through one interface,
>> each with a different delay set by Netem.
>> E.g. TCP streams to port 80 could have 50ms delay, while TCP streams to port
>> 81 could have 100 ms delay and so on.
>>
>> We have tried to solve this by using a combination of tc filter and netem
>> rules, but we can't get it quite right.
>> We are considering one class per port, each with their own Netem delay and
>> the following filter:
>>
>> tc filter add dev eth0 protocol ip parent (?) prio 1 u32 match ip protocol 6
>> 0xff match u16 80 0xffff at 20
>>
>> Is this possible? If so, how do you create the class hierarchy and how do
>> you combine each filter with the netem rule?
>
> I've only used netem for simple stuff so am not sure if it's possible
> this way or not.
>
> Another way to try would be to use multiple ifbs and filter the
> different traffic to those.
>
> Andy.
From: doudouyam at gmail.com (doudouyam)
Date: Wed Jul 19 15:15:14 2006
Subject: [LARTC] Re: PRIO and CBQ
In-Reply-To: <81c11a560607190310g5c33333ar5fc5d1a81c0bd6c8@mail.gmail.com>
References: <81c11a560607190236w529e467cl66749deb5bd8d5bc@mail.gmail.com> <81c11a560607190310g5c33333ar5fc5d1a81c0bd6c8@mail.gmail.com>
Message-ID: <81c11a560607190615j3736a045p9e3d8940d6308eee@mail.gmail.com>

I found a script at http://www.docum.org/docum.org/ which answers my question:

tc qdisc del $DEV root
tc qdisc add $DEV root handle 10: cbq bandwidth 10mbit avpkt 1000
tc class add $DEV parent 10:0 classid 10:1 cbq bandwidth 10mbit rate $RATE_TOT $OPTION prio 3 bounded isolated
tc qdisc add $DEV parent 10:1 handle 20: prio

Is it correct?

2006/7/19, doudouyam :
> I've made a mistake in the second case:
>
> tc qdisc add dev $DEV root handle 1: prio band 1
> tc class add dev $DEV parent 1: classid 1:2 cbq ?
> tc class add dev $DEV parent 1:2 classid 1:3 cbq ?
> tc class add dev $DEV parent 1:2 classid 1:4 cbq ?
>
> tc qdisc add dev $DEV parent 1:1 handle 10: pfifo
> tc qdisc add dev $DEV parent 1:3 handle 30: sfq
> tc qdisc add dev $DEV parent 1:4 handle 40: sfq
>
>         1:(prio)
>         /     \
>        /       \
>      1:1       1:2
>       |        / \
>       |       /   \
>      10:    1:3   1:4
>    (pfifo)   |     |
>              |     |
>             30:   40:
>            (sfq) (sfq)
>
> 2006/7/19, doudouyam :
> > Hi,
> > I'm working on traffic shaping and I would like to know if it's possible to
> > mix different Queueing Disciplines?
> > I would like to combine the properties of a PRIO discipline with those of
> > a CBQ discipline.
> > I read some documentation and I found nothing about that, can you help
> > me?
> >
> > I think to try something like that:
> >
> > tc qdisc add dev $DEV root handle 1: cbq ?
> > tc class add dev $DEV parent 1: classid 1:1 cbq ?
> > tc class add dev $DEV parent 1:1 classid 1:10 cbq ?
> > tc class add dev $DEV parent 1:1 prio
> >
> > Normally I've this tree:
> >
> >       1:(cbq)
> >         |
> >         |
> >        1:1
> >       /   \
> >      /     \
> > 1:10(cbq)  1:??(prio)
> >
> > Or something like that:
> >
> > tc qdisc add dev $DEV root handle 1: prio band 2
> > tc class add dev $DEV parent 1: classid 1:2 cbq ?
> > tc class add dev $DEV parent 1:2 classid 1:3 cbq ?
> > tc class add dev $DEV parent 1:2 classid 1:4 cbq ?
> >
> > tc qdisc add dev $DEV parent 1:1 handle 10: pfifo
> > tc qdisc add dev $DEV parent 1:3 handle 30 sfq
> > tc qdisc add dev $DEV parent 1:4 handle 40 sfq
> >
> >         1:(prio)
> >         /     \
> >        /       \
> >      1:1       1:2
> >       |        / \
> >       |       /   \
> >      10:    1:3   1:4
> >    (pfifo)   |     |
> >              |     |
> >             30:   40:
> >            (sfq) (sfq)
> >
> > Is it possible??? (the first solution seems to me not possible)
> >
> > Thanks.
From: rayvd at digitalpath.net (Ray Van Dolson)
Date: Wed Jul 19 18:51:36 2006
Subject: [LARTC] What am I missing?
Message-ID: <20060719165148.GA21024@digitalpath.net>

On a custom compiled Linux 2.6.13 kernel...

# tc qdisc add dev ppp145 handle ffff: ingress
# tc filter add dev ppp145 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 384kbit burst 10k drop flowid :1
RTNETLINK answers: Invalid argument

This works fine on a CentOS machine and my Fedora Core 2 box with default kernel. I'm trying to figure out what is missing in the custom built 2.6.13 kernel. strace isn't real helpful, and there doesn't appear to be a way to make tc present more useful error messages... Non-ingress filtering works.

Here's an excerpt from kernel config:

#
# QoS and/or fair queueing
#
CONFIG_NET_SCHED=y
CONFIG_NET_SCH_CLK_JIFFIES=y
# CONFIG_NET_SCH_CLK_GETTIMEOFDAY is not set
# CONFIG_NET_SCH_CLK_CPU is not set
CONFIG_NET_SCH_CBQ=y
CONFIG_NET_SCH_HTB=y
CONFIG_NET_SCH_HFSC=y
CONFIG_NET_SCH_PRIO=y
CONFIG_NET_SCH_RED=y
CONFIG_NET_SCH_SFQ=y
CONFIG_NET_SCH_TEQL=y
CONFIG_NET_SCH_TBF=y
CONFIG_NET_SCH_GRED=y
CONFIG_NET_SCH_DSMARK=y
CONFIG_NET_SCH_NETEM=y
CONFIG_NET_SCH_INGRESS=y
CONFIG_NET_QOS=y
CONFIG_NET_ESTIMATOR=y
CONFIG_NET_CLS=y
# CONFIG_NET_CLS_BASIC is not set
CONFIG_NET_CLS_TCINDEX=y
CONFIG_NET_CLS_ROUTE4=y
CONFIG_NET_CLS_ROUTE=y
CONFIG_NET_CLS_FW=y
CONFIG_NET_CLS_U32=y
CONFIG_CLS_U32_PERF=y
CONFIG_NET_CLS_IND=y
# CONFIG_CLS_U32_MARK is not set
CONFIG_NET_CLS_RSVP=y
CONFIG_NET_CLS_RSVP6=y
# CONFIG_NET_EMATCH is not set
# CONFIG_NET_CLS_ACT is not set
CONFIG_NET_CLS_POLICE=y

Any ideas? Can paste entire kernel config if necessary.
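When tc only says "Invalid argument", the first thing to rule out is the kernel lacking a piece the tc binary is asking for. As an added example (not code from the thread, and not a diagnosis of Ray's particular failure, which the thread does not resolve), the following parses a kernel `.config` excerpt and reports which of the tc features used on this page have their options built. The `CONFIG_*` symbols are real kernel options; which feature depends on which is the author's reading of the net/sched Kconfig and is an assumption, as is the sample excerpt, which is trimmed from the one Ray posted.

```python
"""Added example (not from the thread): check a kernel .config excerpt for the
options behind the tc features discussed on this page (ingress qdisc, u32,
police, mirred redirect to ifb)."""

# feature -> alternatives; each alternative is a set of symbols that must all
# be =y or =m.  Mapping is the author's reading of net/sched Kconfig (assumption).
FEATURE_REQUIREMENTS = {
    "ingress qdisc": [{"CONFIG_NET_SCH_INGRESS"}],
    "u32 classifier": [{"CONFIG_NET_CLS_U32"}],
    # classic in-classifier policing, or the action-framework policer
    "police": [{"CONFIG_NET_CLS_POLICE"},
               {"CONFIG_NET_CLS_ACT", "CONFIG_NET_ACT_POLICE"}],
    "action mirred -> ifb": [{"CONFIG_NET_CLS_ACT", "CONFIG_NET_ACT_MIRRED", "CONFIG_IFB"}],
}


def parse_kconfig(text):
    """Map CONFIG_* symbols to 'y', 'm', another value string, or 'n' for
    '# CONFIG_X is not set' lines.  Symbols absent from the text stay absent."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# CONFIG_") and line.endswith(" is not set"):
            opts[line[2:-len(" is not set")]] = "n"
        elif line.startswith("CONFIG_") and "=" in line:
            key, _, val = line.partition("=")
            opts[key] = val
    return opts


def enabled(opts, symbol):
    """Built-in or module both count as available to tc."""
    return opts.get(symbol) in ("y", "m")


def feature_report(opts):
    """Per feature: True when some alternative is fully enabled, otherwise the
    sorted list of symbols missing from the alternative closest to complete."""
    report = {}
    for feature, alternatives in FEATURE_REQUIREMENTS.items():
        missing_sets = []
        for alt in alternatives:
            missing = sorted(s for s in alt if not enabled(opts, s))
            if not missing:
                report[feature] = True
                break
            missing_sets.append(missing)
        else:
            report[feature] = min(missing_sets, key=len)
    return report


# Trimmed from the 2.6.13 excerpt posted in the thread (constructed sample).
POSTED_CONFIG = """
CONFIG_NET_SCHED=y
CONFIG_NET_SCH_INGRESS=y
CONFIG_NET_CLS=y
CONFIG_NET_CLS_U32=y
# CONFIG_NET_EMATCH is not set
# CONFIG_NET_CLS_ACT is not set
CONFIG_NET_CLS_POLICE=y
"""

if __name__ == "__main__":
    for feature, status in feature_report(parse_kconfig(POSTED_CONFIG)).items():
        print("%-22s %s" % (feature, "ok" if status is True else "missing " + ", ".join(status)))
```

On a running system the same check can be fed `/proc/config.gz` (when the kernel exposes it) or `/boot/config-$(uname -r)`; a feature reported missing is worth fixing before spending time on the filter syntax.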
From: russell-tcatm at stuart.id.au (Russell Stuart)
Date: Thu Jul 20 07:50:39 2006
Subject: [LARTC] Re: [PATCH 0/2] NET: Accurate packet scheduling for ATM/ADSL
In-Reply-To: <44BE46A6.8000207@trash.net>
References: <1150278004.26181.35.camel@localhost.localdomain> <1150286766.5233.15.camel@jzny2> <1150287983.3246.27.camel@ras.pc.brisbane.lube> <1150292693.5197.1.camel@jzny2> <1150843471.17455.2.camel@ras.pc.brisbane.lube> <15653CE98281AD4FBD7F70BCEE3666E53CD54A@comxexch01.comx.local> <1151000966.5392.34.camel@jzny2> <1151066247.4217.254.camel@ras.pc.brisbane.lube> <1151158431.6716.95.camel@jzny2> <1153188409.13145.5.camel@ras.pc.brisbane.lube> <44BD56A4.9090002@andyfurniss.entadsl.com> <1153270932.4242.60.camel@ras.pc.brisbane.lube> <44BE46A6.8000207@trash.net>
Message-ID: <1153371364.4231.61.camel@ras.pc.brisbane.lube>

On Wed, 2006-07-19 at 16:50 +0200, Patrick McHardy wrote:
> Please excuse my silence, I was travelling and am still catching up
> with my mails.

Sorry. Had I realised you were busy I would have waited.

> > - As it stands, it doesn't help the qdiscs that use
> > RTAB. So unless he proposes to remove RTAB entirely
> > the ATM patch as it stands will still have to go in.
>
> Why? The length calculated by my STABs (or something similar)
> is used by _all_ qdiscs. Not only for transmission time calculation,
> but also for statistics and estimators.

Oh. I didn't see where it is used for the time calculation in your patch. Did I miss something, or is that the unfinished bit? This is possibly my stumbling block. If you don't remove RTAB the ATM patch as it stands will be needed. Your patch didn't remove RTAB, and you didn't say it was intended to, so I presume it wasn't going to.

> If the length calculation
> doesn't fit for ATM, that can be fixed.

Yes of course. Just to be clear: as far as I am concerned this never was an issue.

> > - A bit of effort was put into making this current
> > ATM patch both backwards and forwards compatible.
> > Patrick's patch would work with newer kernels,
> > obviously. Older kernels, and in particular the
> > kernel that Debian Etch is likely to distribute
> > would miss out.
>
> True, but it provides more consistency, and making current
> kernels behave better is more important than old kernels.

I guess provided the new "tc" works with older kernels this is OK - although a disappointment to me. Works here being defined as "works as well as a previous version of tc does". For me not working would be OK as well provided "tc" issued a warning message to the effect that it "needs kernel version XXX or above", but doing that would probably require it to look at the kernel version. Looking at the kernel version in tc seems to be frowned upon.

> You seem to have misunderstood my patch. It doesn't need to
> touch RTABs, it just calculates the packet length as seen
> on the wire (wherever it is) and uses that throughout the
> entire qdisc layer.

No, you have it in reverse - as I said above. My problem is that your patch does not touch RTAB. Several qdiscs really don't care about the length of a packet (other than for keeping track of stats) - they just care about how long it takes to send. Off the top of my head these are HTB, CBQ and TBF. They use RTAB to make this calculation. So unless you replace RTAB with STAB the current ATM patch will still be needed.

> > One other point - the optimisation Patrick proposes
> > for STAB (over RTAB) was to make the number of entries
> > variable. This seems like a good idea. However there
> > is no such thing as a free lunch, and if you did
> > indeed reduce the number of entries to 16 for Ethernet
> > (as I think Patrick suggested), then each entry would
> > cover 1500/16 = 93 different packet lengths. Ie,
> > entry 0 would cover packet lengths 0..93, entry 1
> > 94..186, and so on. A single entry can't be right
> > for all those packet lengths, so again we are back
> > to an average 30% error for typical VOIP length
> > packets.
>
> My patch doesn't use fixed sized cells, so it can deal
> with anything, worst case is you use one cell per packet
> size. Optimizing size and lookup speed for ethernet makes
> a lot more sense than optimizing for ADSL.

I was just responding to a point you made earlier, when you said STAB could only use 16 entries as opposed to the 256 used by RTAB. I suspect nobody would actually do that because of the inaccuracy it creates, so the comparison is perhaps unfair. I agree the flexibility of making STAB variable length is a good idea, and comes at 0 cost in the kernel.

Andy Furniss wrote:
> > Russell Stuart wrote:
> >> The kernel will have to do a shift and a division
> >> for each packet, which I assume is permissible.
> >
> > I guess that is for others to decide :-) I think Patrick has a point
> > about sfq/htb drr. Like you I guess, I thought that a lot of extra per
> > packet calculations would have got an instant NO.
>
> It's only done once per packet (currently, it might be interesting to
> override the length for specific classes and their children, for example
> if you do queueing on eth0 and have a DSL router one hop apart).
> The division is gone in my patch btw.

Unlike the packet length the time calculation can't be cached in the skb. Most classes in HTB/CBQ use different packet transmission rates.
From: russell-tcatm at stuart.id.au (Russell Stuart)
Date: Thu Jul 20 07:51:03 2006
Subject: [LARTC] Re: [PATCH 0/2] NET: Accurate packet scheduling for ATM/ADSL (RTAB BUG)
In-Reply-To: <20060719210004.GB20264@ms2.inr.ac.ru>
References: <1150843471.17455.2.camel@ras.pc.brisbane.lube> <15653CE98281AD4FBD7F70BCEE3666E53CD54A@comxexch01.comx.local> <1151000966.5392.34.camel@jzny2> <1151066247.4217.254.camel@ras.pc.brisbane.lube> <1151158431.6716.95.camel@jzny2> <1153188409.13145.5.camel@ras.pc.brisbane.lube> <44BD56A4.9090002@andyfurniss.entadsl.com> <1153270932.4242.60.camel@ras.pc.brisbane.lube> <44BE44E3.9080100@andyfurniss.entadsl.com> <20060719210004.GB20264@ms2.inr.ac.ru>
Message-ID: <1153374474.4231.103.camel@ras.pc.brisbane.lube>

On Thu, 2006-07-20 at 01:00 +0400, Alexey Kuznetsov wrote:
> Hello!

So you really do exist? I thought it was just rumour.

> Well, if fixed point arithmetics is not a problem.

It shouldn't be. Any decimal number can be expressed as a fraction, eg:

  0.00123 = 123/100000

Which can be calculated as a multiply and a divide. With MTUs up to 2048, it should be possible to do this with 99.9999% accuracy (ie 2048/2^23). With a bit more work in userspace (ie in tc), it can be reduced to a multiply and a shift.

> Plus, remember, the function is not R*size, it is at least
> R*size+addend, to account for link overhead. Plus account for padding
> of small packets. Plus, when policing it should deaccount already added
> link headers, QoS counts only network payload.

Yes, it is flexible - and has served us well up until now. It doesn't work well for ATM, but with a small bit of extra calculation in the kernel it could. However, it turns out that ATM is a special case. If ATM's cell payload was 58 bytes instead of 48 bytes (say), then it would not be possible to produce a RTAB that had small errors (eg < 10%) for smallish packet sizes (< 290 bytes). I seem to have trouble explaining why in a concise way that people understand, so I won't try here.

So when Alan Cox said our ATM patch didn't solve the packetisation problem in general, he was right, as our patch just built upon RTAB. Nor does Patrick's STAB proposal solve it in general, for that matter, as it is just another implementation of RTAB with the same limitations. The only way I can think of to solve it in general is to move many more calculations into the kernel - as I proposed in a long winded answer to Patrick earlier in this thread. But doing so would get rid of the table implementation and the flexibility it has given us to date. For that reason I feel uncomfortable with it.

The engineering decision becomes this - are there any other protocols like ATM out there that could justify such a change? (In my more cynical moments I think of it differently - has/is the world going to make a second engineering fuck up on the scale of ATM again? How on earth did anyone decide that pushing data packets over ATM, as happens in ADSL, was a good idea?) I know of no other such protocols. But then I don't have an encyclopedic knowledge of comms protocols, so that doesn't mean much. I suspect you know a good deal more about them than I do. What say you?
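The two arithmetic points in Russell's last two mails (a fractional per-byte cost reduced to a multiply and a shift, and the error a fixed-bucket rate table makes on small packets, especially over ATM's 48-byte cell payload) can be worked through in a few lines. This is an added example, not code from the thread or from tc or the kernel. The power-of-two bucket lookup is the author's model of how tc builds its rate table (an assumption; Russell's own 1500/16 arithmetic assumes equal-width buckets instead), and the ATM overhead is left as a parameter because the thread does not fix it.

```python
"""Added example (not from the thread): multiply-and-shift fixed point for a
per-byte cost, ATM wire length, and the error of a bucketed rate table."""


def mul_shift_factor(numerator, denominator, shift=23):
    """Integer m such that (size * m) >> shift approximates size*numerator/denominator.
    Computed once in userspace; the kernel then needs no division."""
    return ((numerator << shift) + denominator // 2) // denominator


def approx_cost(size, m, shift=23):
    """Kernel-side arithmetic: one multiply and one shift."""
    return (size * m) >> shift


def factor_rel_error(numerator, denominator, shift=23):
    """Relative error of representing numerator/denominator as m / 2**shift."""
    m = mul_shift_factor(numerator, denominator, shift)
    exact = numerator / denominator
    return abs(m / (1 << shift) - exact) / exact


def atm_wire_len(ip_len, overhead=0):
    """Bytes sent on an ATM link: packet plus link overhead, padded up to whole
    48-byte cell payloads, each carried in a 53-byte cell.  'overhead' (AAL5
    trailer, PPP/LLC headers) is a parameter, not a value from the thread."""
    cells = -(-(ip_len + overhead) // 48)          # ceiling division
    return cells * 53


def cell_log_for(mtu, entries=256):
    """Smallest cell_log such that every size up to mtu indexes one of
    'entries' buckets of width 2**cell_log (author's model of tc's table)."""
    cell_log = 0
    while (mtu >> cell_log) >= entries:
        cell_log += 1
    return cell_log


def table_estimate(size, cell_log, wire_len=lambda n: n):
    """Table lookup: each bucket stores the cost computed for its top size."""
    top = ((size >> cell_log) + 1) << cell_log
    return wire_len(top)


def bucket_error(size, mtu, entries, wire_len=lambda n: n):
    """Relative over-estimate a packet of 'size' suffers from the table."""
    est = table_estimate(size, cell_log_for(mtu, entries), wire_len)
    exact = wire_len(size)
    return (est - exact) / exact


if __name__ == "__main__":
    # 384 kbit/s = 48000 byte/s; with a 1 MHz clock that is 125/6 ticks per byte
    m = mul_shift_factor(125, 6)
    print("m =", m, "cost(2048) =", approx_cost(2048, m), "rel err of m =", factor_rel_error(125, 6))
    for entries in (16, 256):
        print(entries, "entries, 100-byte packet on ethernet: %.0f%% over"
              % (100 * bucket_error(100, 1500, entries)))
    print("256 entries, 96-byte packet on ATM: %.0f%% over"
          % (100 * bucket_error(96, 1500, 256, atm_wire_len)))
```

The last line is the ATM effect Russell describes: a 96-byte packet fits two cells, but the bucket that contains it is priced for 104 bytes, which needs three, so the table charges 50% too much no matter how the 256 entries are placed.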
From: jserink2004 at yahoo.com (John Serink)
Date: Thu Jul 20 08:16:11 2006
Subject: [LARTC] GRE over IPsec Cisco<-> Linux
Message-ID: <20060720061624.90307.qmail@web54512.mail.yahoo.com>

Hello Lartc Mailing List:

Been working on something the last week and a half and ALMOST have it working.., just need a few pointers from the wizards on this mailing list to nail it.

Ok, my setup is a hub and spoke arrangement, hub is Cisco 2821 with IOS 12.4. Spokes are ruggencom RX1000 routers, Debian based with the following versions installed:

rx1000test:~# uname -a
Linux rx1000test 2.6.8-16-486-rx #1 Wed Mar 15 15:33:23 UTC 2006 i586 GNU/Linux
rx1000test:~# iptables -v
iptables v1.2.11: no command specified
rx1000test:~# shorewall version
2.2.3
rx1000test:~# ip -V
ip utility, iproute2-ss041019
rx1000test:~# ipsec version
Linux Openswan U2.2.0/K2.6.8-16-486-rx (native)

Openswan is using the Kernel 2.6 native stack NOT klips.

Here is my setup, only one spoke for now:

 192.168.1.0/28   160.96.97.248                       Dynamic        192.168.1.96/28
   |  192.168.1.1 |                                  | 192.168.1.97  |
   |     HUB      |                                  |     SPOKE     |
   |  +------------+                                 +-----------+   |
   +--+ Cisco 2821 +--------INTERNET-----------------+ rx1000test+---+
      +------------+                                 +-----------+

 192.168.1.1 (ipsec endpoint) ----------------- (ipsec endpoint) 192.168.1.97
 192.168.1.1 (gre endpoint)   ----------------- (gre endpoint)   192.168.1.97
 192.168.2.110          gre tunnel 192.178.2.96/28              192.168.2.97

Here is the setup on the Cisco:

interface Tunnel6
 ip address 192.168.2.110 255.255.255.240
 tunnel source GigabitEthernet0/1
 tunnel destination 192.168.1.97
 exit
ip route 0.0.0.0 0.0.0.0 160.96.97.250
ip route 192.168.1.96 255.255.255.240 Tunnel6
ip route 192.168.1.97 255.255.255.255 GigabitEthernet0/0
!

This last line is required to get around a recursive route error in the cisco.

Linux setup:

IPSec.conf

rx1000test:~# cat /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
version 2.0     # conforms to second version of ipsec.conf specification
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        interfaces=%defaultroute
        uniqueids=yes

# Add connections here

conn GDC1
        authby=secret
        auto=start
        left=%defaultroute
        leftsourceip=192.168.1.97
        leftid=@rx1000test
        leftsubnet=192.168.1.96/28
        ike=aes128-md5-modp1024
        esp=aes128-md5
        right=160.96.97.248
        rightsubnet=192.168.1.0/28
        rightsourceip=192.168.1.1
        type=tunnel
        pfs=yes
        keyingtries=0

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

The IPsec works fine except for the following caveats:
1. Spoke routers cannot ping each other,
2. The cisco has no interfaces for the spoke routers so no qos can be done.

Linux GRE setup:

modprobe ip_gre
ip tunnel add GDC1 mode gre remote 192.168.1.1 local 192.168.1.97 ttl 255
ip link set GDC1 up
ip addr add 192.168.2.97/28 peer 192.168.2.110/28 dev GDC1
ip route del 192.168.1.0/28 via 160.96.97.248
ip route add 192.168.1.0/28 via 192.168.2.110

Ok, the ip route del was necessary to get rid of the IPSec route and replace it with the gre tunnel.

Linux box status:

rx1000test:~# ip addre show
1: lo: mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
3: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0a:dc:04:7d:dc brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.97/28 brd 192.168.1.255 scope global eth1
4: eth2: mtu 1500 qdisc noop qlen 1000
    link/ether 00:0a:dc:04:7d:dd brd ff:ff:ff:ff:ff:ff
6: w1adsl: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:77:77:77:7b:b3 brd ff:ff:ff:ff:ff:ff
9: gre0: mtu 1428 qdisc noop
    link/gre 0.0.0.0 brd 0.0.0.0
12: GDC1@NONE: mtu 1514 qdisc noqueue
    link/gre 192.168.1.97 peer 192.168.1.1
    inet 192.168.2.97 peer 192.168.2.110/28 scope global GDC1
13: ppp1: mtu 1452 qdisc pfifo_fast qlen 3
    link/ppp
    inet 202.42.98.62 peer 202.42.98.1/32 scope global ppp1
rx1000test:~# ip link show
1: lo: mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
3: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0a:dc:04:7d:dc brd ff:ff:ff:ff:ff:ff
4: eth2: mtu 1500 qdisc noop qlen 1000
    link/ether 00:0a:dc:04:7d:dd brd ff:ff:ff:ff:ff:ff
6: w1adsl: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:77:77:77:7b:b3 brd ff:ff:ff:ff:ff:ff
9: gre0: mtu 1428 qdisc noop
    link/gre 0.0.0.0 brd 0.0.0.0
12: GDC1@NONE: mtu 1514 qdisc noqueue
    link/gre 192.168.1.97 peer 192.168.1.1
13: ppp1: mtu 1452 qdisc pfifo_fast qlen 3
    link/ppp
rx1000test:~# ip tun show
gre0: gre/ip remote any local any ttl inherit nopmtudisc
GDC1: gre/ip remote 192.168.1.1 local 192.168.1.97 ttl 255
rx1000test:~# ip route show
202.42.98.1 dev ppp1 proto kernel scope link src 202.42.98.62
192.168.1.0/28 via 192.168.2.110 dev GDC1
192.168.2.96/28 dev GDC1 proto kernel scope link src 192.168.2.97
192.168.1.96/28 dev eth1 proto kernel scope link src 192.168.1.97
default dev ppp1 scope link

Now, here is my problem:

1. I can ping from the RX1000 ssh session into eth1 (192.168.1.97) to all interfaces and hosts on the network (perfect),

2. From the cisco ssh into Gig0/0 (real ip interface) I can ping all tunnel interfaces, all hosts on 192.168.1.0/28 but not 192.168.1.97 (this makes sense, I'm outside the tunnel if ssh'd into the real IP interface),

3. All hosts on 192.168.1.0/28 can ping everything except addresses other than eth1 of RX1000 on 192.168.1.96/28. That is, I get a ping response from 192.168.1.97 but not from any other hosts on that network. tcpdump -i GDC1 shows the ping coming from 192.168.1.7 to 192.168.1.101, but there is no reply. The ping and response from 192.168.1.7->192.168.1.97 is NOT going via GRE according to the Cisco debug and tcpdump. Pings to 192.168.1.101 from 192.168.1.7 do go via the tunnel but are never answered. tcpdump -i eth1 indicates that the echo request from 192.168.1.7 uses the tunnel to get to 192.168.1.97 but never leaves the interface.

SO, number 3 is my big anomaly. The hosts that need access to the network, 192.168.1.96/28, don't have any and I can't figure out why.

Note that I am running shorewall; if I stop shorewall nothing changes. Also, I have been watching /var/log/syslog with tail and there are no ping packets being blocked by shorewall.

Does anybody have any ideas?

Cheers,
John

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
From: jserink2004 at yahoo.com (John Serink) Date: Thu Jul 20 08:23:00 2006 Subject: [LARTC] Re: GRE over IPsec Cisco<-> Linux Message-ID: <20060720062311.59460.qmail@web54503.mail.yahoo.com> Forgot something, see below: --- John Serink wrote: > Hello Lartc Mailing List: > > Been working on something the last week and a half and ALMOST have it > working.., just need a few pointers from the wizards on this mailing list to > nail it. > > Ok, my setup is a hub and spoke arrangement, hub is Cisco 2821 with IOS 12.4. > Spokes are ruggencom RX1000 routers, Debian based with the following versions > installed: > > rx1000test:~# uname -a > Linux rx1000test 2.6.8-16-486-rx #1 Wed Mar 15 15:33:23 UTC 2006 i586 > GNU/Linux > rx1000test:~# iptables -v > iptables v1.2.11: no command specified > rx1000test:~# shorewall version > 2.2.3 > rx1000test:~# ip -V > ip utility, iproute2-ss041019 > rx1000test:~# ipsec version > Linux Openswan U2.2.0/K2.6.8-16-486-rx (native) > > Openswan is using the Kernel 2.6 native stack NOT klips. > > Here is my setup, only one spoke for now: > > 192.168.1.0/28 160.96.97.248 Dynamic > 192.168.1.96/28 > | 192.168.1.1 | | 192.168.1.97 | > | | HUB | | SPOKE | | > | | +------------+ | | +-----------+ | | > | | | | | | | | | | > +----------+ Cisco 2821 +--------INTERNET----------+ rx1000test+---------+ > | | | | | | > | +------------+ +-----------+ | > | | > 192.168.1.1(ipsec endpoint)----------------------(ipsec > endpoint)192.168.1.97 > 192.168.1.1(gre endpoint)-----------------(gre endpoint)192.168.1.97 > 192.168.2.110 gre tunnel 192.178.2.96/28 192.168.2.97 > > Here is the setup on te Cisco: > interface Tunnel6 > ip address 192.168.2.110 255.255.255.240 > tunnel source GigabitEthernet0/1 > tunnel destination 192.168.1.97 > exit > ip route 0.0.0.0 0.0.0.0 160.96.97.250 > ip route 192.168.1.96 255.255.255.240 Tunnel6 > ip route 192.168.1.97 255.255.255.255 GigabitEthernet0/0 > ! 
This last line is required to get around a recusive route error in the > cisco > > Linux setup: > IPSec.conf > rx1000test:~# cat /etc/ipsec.conf > # /etc/ipsec.conf - Openswan IPsec configuration file > version 2.0 # conforms to second version of ipsec.conf specification > config setup > # Debug-logging controls: "none" for (almost) none, "all" for lots. > klipsdebug=none > plutodebug=none > interfaces=%defaultroute > uniqueids=yes > > # Add connections here > > conn GDC1 > authby=secret > auto=start > left=%defaultroute > leftsourceip=192.168.1.97 > leftid=@rx1000test > leftsubnet=192.168.1.96/28 > ike=aes128-md5-modp1024 > esp=aes128-md5 > right=160.96.97.248 > rightsubnet=192.168.1.0/28 > rightsourceip=192.168.1.1 > type=tunnel > pfs=yes > keyingtries=0 > > > #Disable Opportunistic Encryption > include /etc/ipsec.d/examples/no_oe.conf > > The IPsec works fine except for the following caveats: > 1. Spoke routers cannot ping each other, > 2. The cisco has no interfaces for the scope routers so no qos can be done. > > Linux GRE setup: > modprobe ip_gre > ip tunnel add GDC1 mode gre remote 192.168.1.1 local 192.168.1.97 ttl 255 > ip link set GDC1 up > ip addr add 192.168.2.97/28 peer 192.168.2.110/28 dev GDC1 > ip route del 192.168.1.0/28 via 160.96.97.248 > ip route add 192.168.1.0/28 via 192.168.2.110 > > Ok, the ip route del was necessary to get rid of the IPSec route and replace > it > with the gre tunnel. 
>
> Linux box status:
> rx1000test:~# ip addre show
> 1: lo: mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
> 3: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:0a:dc:04:7d:dc brd ff:ff:ff:ff:ff:ff
>     inet 192.168.1.97/28 brd 192.168.1.255 scope global eth1
> 4: eth2: mtu 1500 qdisc noop qlen 1000
>     link/ether 00:0a:dc:04:7d:dd brd ff:ff:ff:ff:ff:ff
> 6: w1adsl: mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:77:77:77:7b:b3 brd ff:ff:ff:ff:ff:ff
> 9: gre0: mtu 1428 qdisc noop
>     link/gre 0.0.0.0 brd 0.0.0.0
> 12: GDC1@NONE: mtu 1514 qdisc noqueue
>     link/gre 192.168.1.97 peer 192.168.1.1
>     inet 192.168.2.97 peer 192.168.2.110/28 scope global GDC1
> 13: ppp1: mtu 1452 qdisc pfifo_fast qlen 3
>     link/ppp
>     inet 202.42.98.62 peer 202.42.98.1/32 scope global ppp1
> rx1000test:~# ip link show
> 1: lo: mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> 3: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:0a:dc:04:7d:dc brd ff:ff:ff:ff:ff:ff
> 4: eth2: mtu 1500 qdisc noop qlen 1000
>     link/ether 00:0a:dc:04:7d:dd brd ff:ff:ff:ff:ff:ff
> 6: w1adsl: mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:77:77:77:7b:b3 brd ff:ff:ff:ff:ff:ff
> 9: gre0: mtu 1428 qdisc noop
>     link/gre 0.0.0.0 brd 0.0.0.0
> 12: GDC1@NONE: mtu 1514 qdisc noqueue
>     link/gre 192.168.1.97 peer 192.168.1.1
> 13: ppp1: mtu 1452 qdisc pfifo_fast qlen 3
>     link/ppp
> rx1000test:~# ip tun show
> gre0: gre/ip remote any local any ttl inherit nopmtudisc
> GDC1: gre/ip remote 192.168.1.1 local 192.168.1.97 ttl 255
> rx1000test:~# ip route show
> 202.42.98.1 dev ppp1 proto kernel scope link src 202.42.98.62
> 192.168.1.0/28 via 192.168.2.110 dev GDC1
> 192.168.2.96/28 dev GDC1 proto kernel scope link src 192.168.2.97
> 192.168.1.96/28 dev eth1 proto kernel scope link src 192.168.1.97
> default dev ppp1 scope link
>
> Now, here is my problem:
> 1. I can ping from the RX1000 ssh session into eth1 (192.168.1.97) to all
> interfaces and hosts on the network (perfect),
> 2. From the cisco ssh into Gig0/0 (real ip interface) I can ping all tunnel
> interfaces, all hosts on 192.168.1.0/28 but not 192.168.1.97 (this makes sense,
> I'm outside the tunnel if ssh'd into the real IP interface),
> 3. All hosts on 192.168.1.0/28 can ping everything except addresses other than
> eth1 of RX1000 on 192.168.1.96/28. That is I get a ping response from
> 192.168.1.97 but not from any other hosts on that network. tcpdump -i GDC1
> shows the ping coming from 192.168.1.7 to 192.168.1.101, but there is no reply.
> The ping and response from 192.168.1.7->192.168.1.97 is NOT going via GRE
> according to the Cisco debug and tcpdump. Pings to 192.168.1.101 from
> 192.168.1.7 do go via the tunnel but are never answered. tcpdump -i eth1
> indicates that the echo request from 192.168.1.7 uses the tunnel to get to
> 192.168.1.97 but never leaves the interface.
4. I can ping any hosts on the 192.168.1.96/28 network from the ssh into gig0/0 on the cisco except for 192.168.1.97.
>
> SO, number 3 is my big anomaly. The hosts that need access to the network,
> 192.168.1.96/28, don't have any and I can't figure out why.
>
> Note that I am running shorewall, if I stop shorewall nothing changes. Also,
> have been watching /var/log/syslog with tail and there are no ping packets
> being blocked by shorewall.
>
> Does anybody have any ideas?
>
> Cheers,
> John
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam? Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com

From lists at andyfurniss.entadsl.com Thu Jul 20 14:57:54 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Thu Jul 20 14:57:42 2006 Subject: [LARTC] police rate doesn't work ? In-Reply-To: References: Message-ID: <44BF7DD2.9010300@andyfurniss.entadsl.com>

Vitale Alessandro wrote:
> I would like to test police in ingress.
> I use kernel 2.4.20.

FWIW if you try a 2.6, whether or not policers will see marks will depend on your config - Packet action will give a new policer that hooks before netfilter.

> I use this configuration:
>
> iptables -t mangle -A PREROUTING -i eth0 -s 10.31.12.2 -d 10.31.11.2 -p udp --dport 1001 -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -i eth0 -s 10.31.12.2 -d 10.31.11.2 -p udp --dport 1002 -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -i eth0 -s 10.31.12.2 -d 10.31.11.2 -p udp --dport 1003 -j MARK --set-mark 3
> iptables -t mangle -A PREROUTING -i eth0 -s 10.31.12.2 -d 10.31.11.2 -p udp --dport 1004 -j MARK --set-mark 4
>
> tc qdisc add dev eth0 handle ffff: ingress
> tc filter add dev eth0 parent ffff: protocol ip prio 1 handle 1 fw police rate 2500000 burst 90k drop
> tc filter add dev eth0 parent ffff: protocol ip prio 1 handle 2 fw police rate 1500000 burst 90k drop
> tc filter add dev eth0 parent ffff: protocol ip prio 1 handle 3 fw police rate 1000000 burst 90k drop
>
> I generate traffic with smartbits and I made this test:
> 1) len packet layer2 64 byte,

Is that actually possible on eth?

> packets per second 5500 = 2810000 bit per second
> 2) len packet layer2 1000 byte, packets per second 350 = 2800000 bit per second
>
> Test 2 is good, I receive traffic with the 2500000 rate limit!
> The problem is with test 1 because I received the full bandwidth, 2810000, without any limit!
>
> Is there any problem with police rate? Doesn't it work with small packets?
> Do I have to set some other useful parameter?

On eth shapers/policers will see packets as ip length +14 but there are more overheads/mpu.
Currently you can't specify mpu/overhead for policers. It may be added soon - but that will be for 2.6 I guess.

Andy.

From nata at cnett.com.br Thu Jul 20 16:28:08 2006
From: nata at cnett.com.br (Nataniel Klug) Date: Thu Jul 20 16:28:03 2006 Subject: [LARTC] QoS doubt about network machine Message-ID: <44BF92F8.8030805@cnett.com.br>

Hello all,

I have a doubt about a QoS solution... I have a 4 Mbit backbone coming from the telco I use... This is the link I serve to my clients, so I make these classes:

$TC qdisc add dev $DL root handle 1: htb default 60

CLASS="/sbin/tc class add dev $DL parent"
$CLASS 1:   classid 1:1  htb rate 4096Kbit
$CLASS 1:1 classid 1:10 htb rate 256Kbit  ceil 3072Kbit burst 15k
$CLASS 1:1 classid 1:20 htb rate 256Kbit  ceil 1024Kbit burst 15k
$CLASS 1:1 classid 1:30 htb rate 2048Kbit ceil 3072Kbit burst 15k
$CLASS 1:1 classid 1:40 htb rate 256Kbit  ceil 512Kbit  burst 15k
$CLASS 1:1 classid 1:50 htb rate 256Kbit  ceil 256Kbit  burst 15k
$CLASS 1:1 classid 1:60 htb rate 1024Kbit ceil 2048Kbit burst 15k

I use these classes to put some traffic (going out through eth3, the interface that my clients are connected to) like this:

10 - ssh, telnet
20 - voip, msn login, skype, dns
30 - http, https, clients with guaranteed bandwidth
40 - mail, ftp
50 - p2p
60 - all the rest

The problem is that I have a network server connected to my gateway by a switch. So I have this topology:

router
  |
  |- ns1 - eth0 (gw) <> eth3 - clients
  |- ns2 (mail server / radius server)

So when my clients try to connect to my ns2 mail server it gets shaped by class 40... I don't want that to happen...
So I think of making something like this:

$TC qdisc add dev $DL root handle 1: htb default 60

CLASS="/sbin/tc class add dev $DL parent"
$CLASS 1:   classid 1:1  htb rate 100Mbit
$CLASS 1:1 classid 1:5  htb rate 100Mbit
$CLASS 1:1 classid 1:10 htb rate 256Kbit  ceil 3072Kbit burst 15k
$CLASS 1:1 classid 1:20 htb rate 256Kbit  ceil 1024Kbit burst 15k
$CLASS 1:1 classid 1:30 htb rate 2048Kbit ceil 3072Kbit burst 15k
$CLASS 1:1 classid 1:40 htb rate 256Kbit  ceil 512Kbit  burst 15k
$CLASS 1:1 classid 1:50 htb rate 256Kbit  ceil 256Kbit  burst 15k
$CLASS 1:1 classid 1:60 htb rate 1024Kbit ceil 2048Kbit burst 15k

And then direct all traffic coming from my ns2 server (using the u32 classifier and src address) to class 1:5...

Is this correct?

Att,
Nataniel Klug

From jserink2004 at yahoo.com Fri Jul 21 07:56:35 2006
From: jserink2004 at yahoo.com (John Serink) Date: Fri Jul 21 07:56:23 2006 Subject: [LARTC] GRE->IPSec, same problem simplified.... Message-ID: <20060721055635.48588.qmail@web54503.mail.yahoo.com>

Hi All:

I have a strange problem that was described in a previous mail but I have stripped the problem down to the following:

I have a Debian based router on which I have set up IPSec with GRE over the top. The tunnel addresses are 192.168.2.97 locally, the other side is 192.168.2.110. The tunnel is 192.168.2.96/28. The end points are locally 192.168.1.97 (eth1) and 192.168.1.1, the other side's eth1. Both local Ethernets are behind NAT of course.

Now, I have a host, 192.168.1.101, on the 192.168.1.96/28 network behind the Debian router.

Here is my routing table:
rx1000test:~# ip route show
202.42.98.1 dev ppp1 proto kernel scope link src 202.42.98.62
192.168.1.0/28 dev GDC1 scope link
192.168.1.96/28 dev eth1 scope link
default dev ppp1 scope link

This seems really simple to me, anything going to 192.168.1.0/28 must go through tunnel GDC1.

Here is the tunnel:
15: GDC1@NONE: mtu 1428 qdisc noqueue
    link/gre 192.168.1.97 peer 192.168.1.1
    inet 192.168.2.97 peer 192.168.2.110/28 scope global GDC1

Ok, now to check this I run tcpdump -i GDC1, tcpdump -i eth1 not tcp port 22 and I ping from 192.168.1.101 to 192.168.1.2, here is what I get:

C:\>ping 192.168.1.2 -n 2

Pinging 192.168.1.2 with 32 bytes of data:

Request timed out.
Request timed out.
Ping statistics for 192.168.1.2:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),

rx1000test:~# tcpdump -i GDC1
tcpdump: WARNING: arptype 778 not supported by libpcap - falling back to cooked socket
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on GDC1, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
13:40:01.296907 IP 192.168.1.2 > 192.168.1.101: icmp 40: echo reply seq 7424
13:40:06.587157 IP 192.168.1.2 > 192.168.1.101: icmp 40: echo reply seq 7680

rx1000test:~# tcpdump -i eth1 not tcp port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
13:40:01.267813 IP 192.168.1.101 > 192.168.1.2: icmp 40: echo request seq 7424
13:40:06.571007 IP 192.168.1.101 > 192.168.1.2: icmp 40: echo request seq 7680

This is bizarre: The ping to 192.168.1.2, which is clearly part of the 192.168.1.0/28 network, enters eth1 but does NOT go through the GDC1 tunnel on its way to 192.168.1.2... but the routing table tells us that it MUST go that way... no? Then the reply comes back via the tunnel but never goes out eth1. eh????

I am watching /var/log/syslog and shorewall is not doing anything, but just to make sure I stop shorewall and redo the test, exactly the same thing.

Does anyone know WHY the pings to 192.168.1.2 are not going into the GDC1 tunnel?
Does anyone know WHY the return pings do not get forwarded out eth1?

Cheers,
John
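An added diagnostic for the two GRE-over-IPsec posts above; this is not part of John's mail and not his script. The Openswan connection (leftsubnet=192.168.1.96/28, rightsubnet=192.168.1.0/28) and the GDC1 route both claim the same src/dst pair, and with the native 2.6 stack a forwarded packet that matches an xfrm "out" policy is handed to IPsec regardless of which device the routing table picked, so it pays to look at both answers for one concrete src/dst side by side. select_policies is pure text processing and can also be fed saved "ip xfrm policy show" output; check_flow runs the live lookups as root. The LAN interface name eth1 is an assumption. Unrelated to the routing problem but worth noting: ike=aes128-md5-modp1024 pairs MD5 integrity with a 1024-bit DH group, neither of which would be chosen today.

```sh
#!/bin/sh
# Added diagnostic for the GRE-over-IPsec posts; not the poster's script.
# Lists every xfrm (IPsec) policy whose selector covers a forwarded
# src/dst pair, then asks the FIB which route it would use for the same
# pair.  Assumes iproute2 with "ip xfrm"; LAN_IF=eth1 is an assumption.

# in_prefix IP CIDR: succeed when IP lies inside CIDR.  Done in awk so the
# 32-bit arithmetic behaves the same on every /bin/sh.
in_prefix() {
    awk -v ip="$1" -v cidr="$2" 'BEGIN {
        split(cidr, c, "/"); split(c[1], a, "."); split(ip, b, ".")
        len = (c[2] == "") ? 32 : c[2] + 0
        ai = ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
        bi = ((b[1] * 256 + b[2]) * 256 + b[3]) * 256 + b[4]
        keep = 2 ^ (32 - len)               # discard the host bits of both
        exit !(int(ai / keep) == int(bi / keep))
    }'
}

# select_policies SRC DST: read "ip xfrm policy show" on stdin and print
# "DIR SRCSEL -> DSTSEL" for every policy whose selector covers the pair.
# Policy records look like:
#   src 192.168.1.96/28 dst 192.168.1.0/28
#           dir out priority 2344
#           tmpl src 202.42.98.62 dst 160.96.97.248 ...
select_policies() {
    src=$1; dst=$2
    awk '$1 == "src" { s = $2; d = $4 }
         $1 == "dir" { print $2, s, d }' |
    while read -r dir psel dsel; do
        if in_prefix "$src" "$psel" && in_prefix "$dst" "$dsel"; then
            printf '%s %s -> %s\n' "$dir" "$psel" "$dsel"
        fi
    done
}

# check_flow SRC DST: both lookups on the live box (needs root)
check_flow() {
    printf 'xfrm policies covering %s -> %s:\n' "$1" "$2"
    ip xfrm policy show | select_policies "$1" "$2"
    printf 'route the FIB would use for the same forwarded pair:\n'
    ip route get "$2" from "$1" iif "${LAN_IF:-eth1}"
}

case "${1:-}" in
    check) check_flow "$2" "$3" ;;   # e.g.: sh xfrm-vs-route.sh check 192.168.1.101 192.168.1.2
esac
```

If the first listing shows an "out" policy for the pair while the route names GDC1, the two mechanisms disagree about the packet, and that is the place to start: either narrow the IPsec selectors to the GRE endpoints only, so the policy protects the GRE packets rather than the inner subnets, or drop the GRE route and let the policy carry the traffic.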
From: jarkap at poczta.onet.pl (Jarek Poplawski) Date: Fri Jul 21 15:45:32 2006 Subject: [LARTC] Re: QoS doubt about network machine References: <44BF92F8.8030805@cnett.com.br> Message-ID:

Nataniel Klug cnett.com.br> writes:
>
> Hello all,
>
> I have a doubt about a QoS solution... I have a 4 Mbit backbone
> coming from the telco I use... This is the link I serve to my clients,
> so I make these classes:
>
> $TC qdisc add dev $DL root handle 1: htb default 60
>
> CLASS="/sbin/tc class add dev $DL parent"
> $CLASS 1:   classid 1:1  htb rate 4096Kbit
> $CLASS 1:1 classid 1:10 htb rate 256Kbit  ceil 3072Kbit burst 15k
> $CLASS 1:1 classid 1:20 htb rate 256Kbit  ceil 1024Kbit burst 15k
> $CLASS 1:1 classid 1:30 htb rate 2048Kbit ceil 3072Kbit burst 15k
> $CLASS 1:1 classid 1:40 htb rate 256Kbit  ceil 512Kbit  burst 15k
> $CLASS 1:1 classid 1:50 htb rate 256Kbit  ceil 256Kbit  burst 15k
> $CLASS 1:1 classid 1:60 htb rate 1024Kbit ceil 2048Kbit burst 15k
> ...
> So when my clients try to connect to my ns2 mail server it gets
> shaped by class 40... I don't want that to happen... So I think of
> making something like this:
>
> $TC qdisc add dev $DL root handle 1: htb default 60
>
> CLASS="/sbin/tc class add dev $DL parent"
> $CLASS 1:   classid 1:1  htb rate 100Mbit
> $CLASS 1:1 classid 1:5  htb rate 100Mbit
> $CLASS 1:1 classid 1:10 htb rate 256Kbit  ceil 3072Kbit burst 15k
> $CLASS 1:1 classid 1:20 htb rate 256Kbit  ceil 1024Kbit burst 15k
> $CLASS 1:1 classid 1:30 htb rate 2048Kbit ceil 3072Kbit burst 15k
> $CLASS 1:1 classid 1:40 htb rate 256Kbit  ceil 512Kbit  burst 15k
> $CLASS 1:1 classid 1:50 htb rate 256Kbit  ceil 256Kbit  burst 15k
> $CLASS 1:1 classid 1:60 htb rate 1024Kbit ceil 2048Kbit burst 15k
>
> And then direct all traffic coming from my ns2 server (using the u32
> classifier and src address) to class 1:5...
>
> Is this correct?

I don't think so. Class 1:5 can now take all the bandwidth of the dev here.
You should limit its rate and ceil as a minimum, but I think you would do better to add it as another root class:

CLASS="/sbin/tc class add dev $DL parent"
$CLASS 1:   classid 1:1  htb rate 4096Kbit
$CLASS 1:   classid 1:5  htb rate 95Mbit
$CLASS 1:1 classid 1:10 htb rate 256Kbit  ceil 3072Kbit burst 15k
$CLASS 1:1 classid 1:20 htb rate 256Kbit  ceil 1024Kbit burst 15k
$CLASS 1:1 classid 1:30 htb rate 2048Kbit ceil 3072Kbit burst 15k
$CLASS 1:1 classid 1:40 htb rate 256Kbit  ceil 512Kbit  burst 15k
$CLASS 1:1 classid 1:50 htb rate 256Kbit  ceil 256Kbit  burst 15k
$CLASS 1:1 classid 1:60 htb rate 1024Kbit ceil 2048Kbit burst 15k

And have a look at this beautiful page:
http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm

The second piece of advice is to lower your numbers. Probably these rates are only nominal and in reality at least 10% lower. If you don't limit it yourself they will be limited elsewhere and you will have higher delays. 15k burst is also quite high, so possibly further delays. Mr Devera has very good advice there.

Jarek P.
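As an added worked example, not code from either poster, here is Jarek's suggestion written out as a complete shaping script: the mail-server class 1:5 is a sibling of the 4 Mbit class 1:1 rather than a child of it, so it cannot borrow from or starve the telco link; the nominal rates are derated by 10% as he advises; and a u32 filter on the server's source address steers its traffic into 1:5 at a higher priority than the port filters. The interface name eth3, the server address 192.168.0.2, the 6k burst, the SFQ leaves and the port-to-class filters are assumptions. Run it as "sh htb-shape.sh apply" to install, or set DRYRUN=1 to print the tc commands instead of executing them.

```sh
#!/bin/sh
# Added example for the "QoS doubt about network machine" thread; not the
# poster's script.  Builds the HTB tree with the LAN mail server as a
# root-level sibling class so it never competes with the 4 Mbit link.
# Assumptions: DL is the client-facing interface, NS2 the mail/radius
# server, 6k bursts, and the port-to-class mapping below.

DL="${DL:-eth3}"            # interface the clients hang off (assumed)
NS2="${NS2:-192.168.0.2}"   # mail/radius server address (placeholder)
TC="${TC:-/sbin/tc}"
[ "${DRYRUN:-0}" = 1 ] && TC="echo tc"

# derate KBIT PERCENT: lower a nominal rate, e.g. derate 4096 10 -> 3686
derate() {
    echo $(( $1 * (100 - $2) / 100 ))
}

# leaf PARENT ID RATE CEIL: one leaf class (rates in kbit, derated 10%)
# with an SFQ underneath so flows inside the class share fairly
leaf() {
    $TC class add dev "$DL" parent "$1" classid "1:$2" htb \
        rate "$(derate "$3" 10)kbit" ceil "$(derate "$4" 10)kbit" burst 6k
    $TC qdisc add dev "$DL" parent "1:$2" handle "$2:" sfq perturb 10
}

# steer PRIO FLOWID MATCH...: u32 filter on the root qdisc
steer() {
    prio=$1; flow=$2; shift 2
    $TC filter add dev "$DL" parent 1: protocol ip prio "$prio" u32 "$@" flowid "$flow"
}

# shape [LINK_KBIT]: (re)build the whole tree; default link is 4096 kbit
shape() {
    link=${1:-4096}
    $TC qdisc del dev "$DL" root 2>/dev/null
    $TC qdisc add dev "$DL" root handle 1: htb default 60

    # Two root classes: the telco link, and a wide-open class for the LAN
    # server.  1:5 is NOT under 1:1, so it cannot drain the 4 Mbit budget.
    $TC class add dev "$DL" parent 1: classid 1:1 htb rate "$(derate "$link" 10)kbit"
    $TC class add dev "$DL" parent 1: classid 1:5 htb rate 95Mbit

    leaf 1:1 10  256 3072   # ssh, telnet
    leaf 1:1 20  256 1024   # voip, msn login, skype, dns
    leaf 1:1 30 2048 3072   # http, https, clients with guaranteed bandwidth
    leaf 1:1 40  256  512   # mail, ftp
    leaf 1:1 50  256  256   # p2p
    leaf 1:1 60 1024 2048   # everything else (htb default)

    # Server traffic first, keyed on source address, before any port match.
    steer 1 1:5  match ip src "$NS2/32"
    # Traffic leaves towards the clients, so the server side is the SPORT.
    steer 2 1:10 match ip protocol 6  0xff match ip sport 22 0xffff
    steer 2 1:20 match ip protocol 17 0xff match ip sport 53 0xffff
    steer 2 1:30 match ip protocol 6  0xff match ip sport 80 0xffff
    steer 2 1:40 match ip protocol 6  0xff match ip sport 25 0xffff
}

case "${1:-}" in
    apply) shape "$2" ;;
esac
```

Because class 1:5 sits beside 1:1 rather than under it, its 95 Mbit rate is only ever charged against the wire, never against the 4 Mbit budget that the six client classes share; that is the point Jarek makes about the original proposal.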
From: william.bohannan at spidersat.net (William Bohannan) Date: Fri Jul 21 20:32:13 2006 Subject: [LARTC] linux transparent bridge running squid Message-ID: <20060721183200.66A5F3FB6@outpost.ds9a.nl>

Hi, I have been using Shorewall for a while now and find it very useful and easy to configure. I am learning iptables and having trouble getting the bridge to successfully work with squid, although I get it working with Shorewall straight away. Does anyone know the rules to successfully use squid with a transparent bridge?

Internet - router - (bridge eth0 - eth1) - local lan

auto lo
iface lo inet loopback

auto br0
iface br0 inet static
    address 192.168.0.253
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.0.255
    gateway 192.168.0.254
    pre-up /sbin/ip link set eth0 up
    pre-up /sbin/ip link set eth1 up
    pre-up /usr/sbin/brctl addbr br0
    pre-up /usr/sbin/brctl addif br0 eth0
    pre-up /usr/sbin/brctl addif br0 eth1

iptables -A INPUT -i br0 -p tcp -d 192.168.0.253 -s 192.168.0.0 --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128
echo 1 > /proc/sys/net/ipv4/ip_forward

with no luck.

kind regards
william

From andy at andybev.com Fri Jul 21 21:37:32 2006
From: andy at andybev.com (Andrew Beverley) Date: Fri Jul 21 21:37:30 2006 Subject: [LARTC] linux transparent bridge running squid In-Reply-To: <20060721183200.66A5F3FB6@outpost.ds9a.nl> References: <20060721183200.66A5F3FB6@outpost.ds9a.nl> Message-ID: <44C12CFC.6080109@andybev.com>

> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128

This is the same line I use and it works fine. What exactly is the problem? Is it that clients don't use squid, clients can't access the web, or what?

Andy

From method at b.astral.ro Sat Jul 22 17:46:51 2006
From: method at b.astral.ro (Dan Cicioiu) Date: Sat Jul 22 17:46:46 2006 Subject: [LARTC] Re: GRE over IPsec Cisco<-> Linux In-Reply-To: <20060720062311.59460.qmail@web54503.mail.yahoo.com> References: <20060720062311.59460.qmail@web54503.mail.yahoo.com> Message-ID: <44C2486B.7030103@b.astral.ro>

ip route 192.168.1.97 255.255.255.255 GigabitEthernet0/0

that's the problem
delete the route and all should be ok

John Serink wrote:
> Forgot something, see below:
>
> --- John Serink wrote:
>
>> Hello Lartc Mailing List:
>>
>> Been working on something the last week and a half and ALMOST have it
>> working.., just need a few pointers from the wizards on this mailing list to
>> nail it.
>>
>> Ok, my setup is a hub and spoke arrangement, hub is Cisco 2821 with IOS 12.4.
>> Spokes are RuggedCom RX1000 routers, Debian based with the following versions
>> installed:
>> [...]
>> Openswan is using the Kernel 2.6 native stack NOT klips.
>>
>> Here is my setup, only one spoke for now:
>> [...]
>> Here is the setup on the Cisco:
>> interface Tunnel6
>>  ip address 192.168.2.110 255.255.255.240
>>  tunnel source GigabitEthernet0/1
>>  tunnel destination 192.168.1.97
>> exit
>> ip route 0.0.0.0 0.0.0.0 160.96.97.250
>> ip route 192.168.1.96 255.255.255.240 Tunnel6
>> ip route 192.168.1.97 255.255.255.255 GigabitEthernet0/0
>> ! This last line is required to get around a recursive route error in the
>> cisco
>> [...]
>> [...]
>>
>> Does anybody have any ideas?
>>
>> Cheers,
>> John

From luciano at lugmen.org.ar Sat Jul 22 18:30:11 2006
From: luciano at lugmen.org.ar (Luciano Ruete) Date: Sat Jul 22 18:30:13 2006 Subject: [LARTC] linux transparent bridge running squid In-Reply-To: <20060721183200.66A5F3FB6@outpost.ds9a.nl> References: <20060721183200.66A5F3FB6@outpost.ds9a.nl> Message-ID: <200607221330.11210.luciano@lugmen.org.ar>

On Friday 21 July 2006 15:31, William Bohannan wrote:
> Hi I have been using Shorewall for a while now and find it very useful and
> easy to configure, I am learning iptables and having trouble getting the
> bridge to successfully work with squid, although I get it working with
> Shorewall straight away? Does anyone know the rules to successfully use
> squid with a transparent bridge?
>
> Internet - router - (bridge eth0 - eth1) - local lan
>
> auto lo
> iface lo inet loopback
>
> auto br0
> iface br0 inet static
>     address 192.168.0.253
>     netmask 255.255.255.0
>     network 192.168.0.0
>     broadcast 192.168.0.255
>     gateway 192.168.0.254
>     pre-up /sbin/ip link set eth0 up
>     pre-up /sbin/ip link set eth1 up
>     pre-up /usr/sbin/brctl addbr br0
>     pre-up /usr/sbin/brctl addif br0 eth0
>     pre-up /usr/sbin/brctl addif br0 eth1
>
> iptables -A INPUT -i br0 -p tcp -d 192.168.0.253 -s 192.168.0.0 --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128
> echo 1 > /proc/sys/net/ipv4/ip_forward

You are at the link layer in the bridge; packets don't travel up to the network layer, so iptables does not even see these packets.
You can either use ebtables[1] or see 'physdev' in the iptables man page.

[1] http://ebtables.sourceforge.net/

--
Luciano

From lists at andyfurniss.entadsl.com Sat Jul 22 20:07:15 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Sat Jul 22 20:06:50 2006 Subject: [LARTC] UDP multicast stream and NAT In-Reply-To: <20051207221003.32802.qmail@web60924.mail.yahoo.com> References: <20051207221003.32802.qmail@web60924.mail.yahoo.com> Message-ID: <44C26953.3070104@andyfurniss.entadsl.com>

Gabriel wrote:
> Hi, my ISP is streaming some local concert using UDP multicasting. I followed
> the instructions on the site which described how to set VLC in order to view
> the stream, but it didn't work. I am behind a Linux router/firewall doing NAT.
> Using google, I quickly found out that the netfilter/conntrack code doesn't
> support NATing multicast traffic. I thought about bridging the internet facing
> interface (eth0) and (one of) the internal interfaces (the one my computer is
> plugged into). This way I could set my IP to be public and no routing/NAT
> would be done on the Linux box. The only problem is that the box has 2 more
> NICs in it and there are other people connected to those NICs that need to use
> that connection (hence need to be NATed).
>
> Then I tried thinking about a DMZ-like solution where my box would be in the
> DMZ, but I can't see that working either because I only have one public IP
> assigned.
>
> Can anyone think of any other way for me to be able to view the stream?
>
> Thanks.

I recently changed ISP to one that does multicast so got a chance to play.

If you want to do it properly then www.xorp.org is the place to look - I didn't, as for our situation proper routing is a bit OTT.

There is a project on sf.net called igmpproxy - I didn't really try with this as I read it didn't work, but more recently I've read that it is OK if you are careful with the config.

The way I did it is to use smcroute to set up static route(s) and issue igmp joins manually from the gateway.

http://www.cschill.de/smcroute

All I needed to do with iptables was to let multicast dst into the gateway.
If the stream link is a .sdp you can read the addresses; if it's some proprietary crap then

tcpdump -nnvv net 224.0.0.0/4

on the lan side while the player is trying to connect to get them - one multicast address = dst on incoming, one unicast addr for the source.

eg. in the UK for the BBC1 1.2mbit H.264 stream -

smcroute -d
smcroute -a ppp0 132.185.224.80 233.122.227.151 eth0
smcroute -j ppp0 233.122.227.157

to stop

smcroute -l ppp0 233.122.227.157

For those in the UK that can test the BBCs - half of them have been down whenever I've looked - so try several

Andy.
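An added helper for Andy's smcroute recipe above; it is not his code. It reads an SDP descriptor, takes the group from the c= line and the unicast source from the a=source-filter line, and prints the smcroute static route and join in the form Andy shows, plus the iptables rules that admit the group on the uplink. UPLINK=ppp0 and LAN_IF=eth0 are assumptions, as is the FORWARD rule (only needed when the FORWARD policy is DROP); the SDP embedded in the demo function is constructed for illustration, not a real broadcaster's descriptor.

```sh
#!/bin/sh
# Added example for the multicast thread; not Andy's script.  Turns an SDP
# file into smcroute commands (Andy's syntax) and the matching iptables
# rules.  UPLINK/LAN_IF and the embedded SDP are assumptions/constructed.
UPLINK="${UPLINK:-ppp0}"
LAN_IF="${LAN_IF:-eth0}"

# sdp_streams < file: print "GROUP SOURCE" for each c= line, in file order.
# The source comes from "a=source-filter: incl IN IP4 GROUP SOURCE"; a
# filter with GROUP "*" applies to every group.  Unknown source prints "-".
sdp_streams() {
    awk '
        /^c=IN IP4 / {
            g = $3; sub(/\/.*/, "", g)          # strip the /ttl suffix
            if (!(g in groups)) { groups[g] = "-"; order[++n] = g }
        }
        /^a=source-filter: *incl IN IP4 / {
            if ($5 == "*") any = $6; else groups[$5] = $6
        }
        END {
            for (i = 1; i <= n; i++) {
                src = groups[order[i]]
                if (src == "-" && any != "") src = any
                print order[i], src
            }
        }'
}

# smcroute_cmds < file: static (source,group) route from the uplink to the
# LAN plus the IGMP join that makes the ISP actually send the group.
smcroute_cmds() {
    sdp_streams | while read -r group source; do
        if [ "$source" = "-" ]; then
            printf '# %s: no source in SDP, find it with: tcpdump -nnvv net 224.0.0.0/4\n' "$group"
            continue
        fi
        printf 'smcroute -a %s %s %s %s\n' "$UPLINK" "$source" "$group" "$LAN_IF"
        printf 'smcroute -j %s %s\n' "$UPLINK" "$group"
    done
}

# iptables_cmds < file: let the group's UDP into the gateway on the uplink;
# the FORWARD rule is for boxes whose FORWARD policy is DROP (assumption).
iptables_cmds() {
    sdp_streams | while read -r group source; do
        printf 'iptables -A INPUT -i %s -p udp -d %s -j ACCEPT\n' "$UPLINK" "$group"
        printf 'iptables -A FORWARD -i %s -o %s -p udp -d %s -j ACCEPT\n' "$UPLINK" "$LAN_IF" "$group"
    done
}

# demo: run the conversion on a constructed SDP (not a real descriptor)
demo() {
    cat <<'EOF' | smcroute_cmds
v=0
o=- 1 1 IN IP4 132.185.224.80
s=constructed example stream
c=IN IP4 233.122.227.151/32
a=source-filter: incl IN IP4 233.122.227.151 132.185.224.80
m=video 5004 RTP/AVP 96
EOF
}

case "${1:-}" in
    demo)     demo ;;
    smcroute) smcroute_cmds ;;     # e.g. sh sdp2mroute.sh smcroute < stream.sdp
    iptables) iptables_cmds ;;
esac
```

The source address matters for the smcroute -a line and for anything else that filters on (source, group); when the SDP carries no source-filter the script says so rather than guessing, and the tcpdump Andy gives is the way to learn it.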
From: radu at securesystems.ro (Radu Oprisan) Date: Sat Jul 22 23:04:35 2006 Subject: [LARTC] linux transparent bridge running squid In-Reply-To: <200607221330.11210.luciano@lugmen.org.ar> References: <20060721183200.66A5F3FB6@outpost.ds9a.nl> <200607221330.11210.luciano@lugmen.org.ar> Message-ID: <44C292E2.9070205@securesystems.ro>

Luciano Ruete wrote:
> On Friday 21 July 2006 15:31, William Bohannan wrote:
>> Hi I have been using Shorewall for a while now and find it very useful and
>> easy to configure, I am learning iptables and having trouble getting the
>> bridge to successfully work with squid, although I get it working with
>> Shorewall straight away? Does anyone know the rules to successfully use
>> squid with a transparent bridge?
>>
>> Internet - router - (bridge eth0 - eth1) - local lan
>>
>> [...]
>>
>> iptables -A INPUT -i br0 -p tcp -d 192.168.0.253 -s 192.168.0.0 --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> You are at the link layer in the bridge; packets don't travel up to the network layer,
> so iptables does not even see these packets.
> You can either use ebtables[1] or see 'physdev' in the iptables man page.
>
> [1] http://ebtables.sourceforge.net/

Also, I need to point this out: be very careful not to include the squid machine in the ebtables redirect, as that could end up in an endless loop.

From alishahi at amnafzar.com Sun Jul 23 18:43:51 2006
From: alishahi at amnafzar.com (S.Mehdi Sheikhalishahi) Date: Sun Jul 23 18:54:17 2006 Subject: [LARTC] Why SFQ? Message-ID: <44C3A747.60804@amnafzar.com>

Hello,

Why do Linux users use SFQ as the leaf queueing discipline instead of RED and others?

--
Best Regards,
S.Mehdi Sheikhalishahi,
Bye.

From jarkap at poczta.onet.pl Mon Jul 24 15:01:55 2006
From: jarkap at poczta.onet.pl (Jarek Poplawski) Date: Mon Jul 24 15:02:14 2006 Subject: [LARTC] Re: What am I missing? References: <20060719165148.GA21024@digitalpath.net> Message-ID:

Ray Van Dolson digitalpath.net> writes:
>
> On a custom compiled Linux 2.6.13 kernel...
>
> # tc qdisc add dev ppp145 handle ffff: ingress
> # tc filter add dev ppp145 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 384kbit burst 10k drop flowid :1
> RTNETLINK answers: Invalid argument
>
> This works fine on a CentOS machine and my Fedora Core 2 box with default
> kernel. I'm trying to figure out what is missing in the custom built 2.6.13
> kernel. strace isn't real helpful, and there doesn't appear to be a way to
> make tc present more useful error messages...
>
> Non ingress filtering works. Here's an excerpt from kernel config:
...
> Any ideas? Can paste entire kernel config if necessary.

You didn't write anything about this box: distro or previous kernel.
Maybe you should try to recompile or get a newer version of iproute?

Jarek P.

From william.bohannan at spidersat.net Mon Jul 24 21:33:57 2006
From: william.bohannan at spidersat.net (William Bohannan) Date: Mon Jul 24 21:34:12 2006 Subject: [LARTC] linux transparent bridge running squid and dansguardian In-Reply-To: <200607221330.11210.luciano@lugmen.org.ar> Message-ID: <004b01c6af58$2156d740$3a02a8c0@william>

Thanks for the quick reply. Although I have had no success, I have been trying all day using both physdev and ebtables, neither of which I can get working :(

Please help - below is what I am currently using.

***********************************************************************
#!/bin/sh
PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Don't forward from the outside to the inside.
#iptables -A FORWARD -i eth0 -o eth0 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward # This line tells ebtables to route (accept) the packages // going to port 80, instead of bridging them: ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT # This line tells ebtables to route (accept) the packages // going to port 80, instead of bridging them: iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080 # This line is from www.linux.com transparent proxy which allows port 8080 from the local network #iptables -A INPUT -i eth1 -p tcp -d 192.168.0.253 -s 192.168.0.0 --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A FORWARD -p tcp --dport 80 -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT ********************************************************************** Please help - if I use Shorewall it works first go? Internet - (eth0 - eth1) - local lan Kind regards William From nata at cnett.com.br Tue Jul 25 12:54:02 2006 From: nata at cnett.com.br (Nataniel Klug) Date: Tue Jul 25 12:54:01 2006 Subject: [LARTC] Routed network + web-cache Message-ID: <44C5F84A.1090703@cnett.com.br> Hello all, I have a small ISP and I work all my clients networks over a routed network (now I am using 201.35.16.0/24 and 200.140.222.128/25 for my clients). The gateway server of the ISP is capable of running a web-cache (only http) using squid but I dont want that my clients go to the internet with the proxy/cache IP. Like when they enter in this site www.meuip.com.br it shows only the proxy/gw server ip and not the client ip. There is some way to make this happens? Att, Nataniel Klug From viji_171 at yahoo.co.in Tue Jul 25 16:59:38 2006 
From: viji_171 at yahoo.co.in (VijayaLakshmi Seshadri)
Date: Tue Jul 25 16:59:31 2006
Subject: [LARTC] problem in Route add using netlink
Message-ID: <20060725145938.68004.qmail@web8327.mail.in.yahoo.com>

Hi all

I am trying to implement "route add" using netlink. The changes are not reflected in the routing table. I have given my code and screen shots of the routing tables.

Can anybody tell me if there is any mistake I am making in defining the fields, or any other mistake I am committing?

thanks

viji

//////////////////////////////////// CODE //////////////////////////////////////////////////////
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#define BUFSIZE 192

struct route_info {
    u_int dstAddr;
    u_int srcAddr;
    u_int gateWay;
    char ifName[IF_NAMESIZE];
};

void fillRoute(struct route_info *rinfo, const char *dstAddr,
               const char *srcAddr, const char *gateway, const char *ifName)
{
    /* Convert from the standard numbers-and-dots notation to binary data */
    inet_aton("192.168.51.0", (struct in_addr *)&rinfo->dstAddr);
    inet_aton("192.168.51.90", (struct in_addr *)&rinfo->gateWay);
}

int addAttr(struct nlmsghdr *nlhdr, int maxlen, int type, void *data, int alen)
{
    struct rtattr *rta;
    int len = RTA_LENGTH(alen);

    if (NLMSG_ALIGN(nlhdr->nlmsg_len) + len > maxlen)
        return -1;
    rta = (struct rtattr *)((char *)nlhdr + NLMSG_ALIGN(nlhdr->nlmsg_len));
    rta->rta_type = type;
    rta->rta_len = len;
    memcpy(RTA_DATA(rta), data, alen);
    nlhdr->nlmsg_len = NLMSG_ALIGN(nlhdr->nlmsg_len) + len;
    return 0;
}

int main()
{
    struct nlmsghdr *nlMsg;
    struct rtmsg *rtMsg;
    char dstAddr[30];
    char srcAddr[30];
    char gateway[30];
    char ifName[30];
    char msgBuf[BUFSIZE];
    struct route_info rinfo;
    int sock, len, msgSeq = 0;
    int val, i;

    /* Create Socket */
    if ((sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE)) < 0)
        perror("Socket Creation: ");

    /* Initialize the buffer */
    memset(msgBuf, 0, BUFSIZE);

    /* point the header and the msg structure pointers into the buffer */
    nlMsg = (struct nlmsghdr *)msgBuf;
    rtMsg = (struct rtmsg *)NLMSG_DATA(nlMsg);

    /* Fill in the nlmsg header */
    nlMsg->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg)); // Length of message.
    nlMsg->nlmsg_type = RTM_NEWROUTE;                      // Add a route to the kernel routing table.
    nlMsg->nlmsg_flags = NLM_F_CREATE;                     // Create the route.
    nlMsg->nlmsg_seq = msgSeq++;                           // Sequence of the message packet.
    nlMsg->nlmsg_pid = getpid();                           // PID of process sending the request.

    rtMsg->rtm_family = AF_INET;
    rtMsg->rtm_table = RT_TABLE_UNSPEC;
    rtMsg->rtm_dst_len = 16;
    rtMsg->rtm_src_len = 16;
    rtMsg->rtm_scope = RT_SCOPE_UNIVERSE;
    rtMsg->rtm_type = RTN_UNICAST;
    rtMsg->rtm_protocol = RTPROT_UNSPEC;
    rtMsg->rtm_flags = RTM_F_NOTIFY;

    fillRoute(&rinfo, dstAddr, srcAddr, gateway, ifName);
    addAttr(nlMsg, BUFSIZE, RTA_DST, &rinfo.dstAddr, 4);
    addAttr(nlMsg, BUFSIZE, RTA_GATEWAY, &rinfo.gateWay, 4);

    /* Send the request */
    if ((val = send(sock, nlMsg, nlMsg->nlmsg_len, 0)) < 0) {
        printf("Write To Socket Failed...\n");
        return -1;
    }
    printf(" No of Bytes sent %d \n", val);
    printf(" Value that is sent \n ");
    for (i = 0; i < val; i++)
        printf("%u", msgBuf[i]);
    printf("\n");
    close(sock);
    return 0;
}
//////////////////////////////////////////////////////////////////////////////////////////////////////////
OUTPUT
[root@vijdom]gcc netlink_addroute.c -o addroute
[root@vijdom]# ./addroute
No of Bytes sent 44
Value that is sent
4400024004000042949672398800216160000101008010429496723242949672085108050429496723242949672085190
//////////////////////////////////////////////////////////////////////////////////////////////////////////

SCREEN SHOTS

Routing table before execution of program
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.51.0    *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         embedded        0.0.0.0         UG    0      0        0 eth0

Routing table after the execution of program
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.51.0    *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         embedded        0.0.0.0         UG    0      0        0 eth0

From araul at adonet.ro Tue Jul 25 19:31:00 2006
From: araul at adonet.ro (Adorean Alexandru Raul)
Date: Tue Jul 25 19:25:14 2006
Subject: [LARTC] Routed network + web-cache
In-Reply-To: <44C5F84A.1090703@cnett.com.br>
References: <44C5F84A.1090703@cnett.com.br>
Message-ID: <44C65554.8000802@adonet.ro>

Nataniel Klug wrote:
> Hello all,
>
> I have a small ISP and I work all my clients networks over a routed
> network (now I am using 201.35.16.0/24 and 200.140.222.128/25 for my
> clients).
>
> The gateway server of the ISP is capable of running a web-cache
> (only http) using squid but I dont want that my clients go to the
> internet with the proxy/cache IP. Like when they enter in this site
> www.meuip.com.br it shows only the proxy/gw server ip and not the
> client ip.
>
> There is some way to make this happens?
>
> Att,
>
> Nataniel Klug
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

Yelow.
From what I know about squid it can't be done. You are stuck, because the proxy makes the request, not the client, thus you have the proxy server IP.

Some pages use a TCP header to recognise the IP behind the proxy server (X_FORWARDED_FOR I believe..)

Good luck,
Adorean Alexandru Raul

From araul at adonet.ro Tue Jul 25 19:48:05 2006
From: araul at adonet.ro (Adorean Alexandru Raul)
Date: Tue Jul 25 19:42:18 2006
Subject: [LARTC] problem in Route add using netlink
In-Reply-To: <20060725145938.68004.qmail@web8327.mail.in.yahoo.com>
References: <20060725145938.68004.qmail@web8327.mail.in.yahoo.com>
Message-ID: <44C65955.1040605@adonet.ro>

VijayaLakshmi Seshadri wrote:
> Hi all
> I am trying to implement "route add" using netlink. The changes are
> not reflected in the routing table. I have given my code and screen
> shots of the routing tables.
>
> Can anybody tell me if there is any mistake I am making in defining the
> fields,
> or any other mistake I am committing?
>
> thanks
>
> viji
>
> //////////////////////////////////// CODE
> //////////////////////////////////////////////////////
> #include <stdio.h>
> #include <string.h>
> #include <unistd.h>
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <net/if.h>
> #include <netinet/in.h>
> #include <arpa/inet.h>
> #include <linux/netlink.h>
> #include <linux/rtnetlink.h>
> #define BUFSIZE 192
> struct route_info{
>     u_int dstAddr;
>     u_int srcAddr;
>     u_int gateWay;
>     char ifName[IF_NAMESIZE];
> };
> void fillRoute (struct route_info *rinfo, const char* dstAddr,
>                 const char* srcAddr, const char* gateway, const char* ifName)
> {
>     /* Convert from the standard numbers and dots notation
>        to binary data */
>     inet_aton("192.168.51.0", (struct in_addr *)&rinfo->dstAddr);
>     inet_aton("192.168.51.90", (struct in_addr *)&rinfo->gateWay);
> }
> int addAttr (struct nlmsghdr *nlhdr, int maxlen, int type,
>              void *data, int alen)
> {
>     struct rtattr *rta;
>     int len = RTA_LENGTH(alen);
>     if (NLMSG_ALIGN(nlhdr->nlmsg_len) + len > maxlen)
>         return -1;
>     rta = (struct rtattr*)((char *)nlhdr +
>           NLMSG_ALIGN(nlhdr->nlmsg_len));
>     rta->rta_type = type;
>     rta->rta_len = len;
>     memcpy(RTA_DATA(rta), data, alen);
>     nlhdr->nlmsg_len = NLMSG_ALIGN(nlhdr->nlmsg_len) + len;
>     return 0;
> }
> int main()
> {
>     struct nlmsghdr *nlMsg;
>     struct rtmsg *rtMsg;
>     char dstAddr[30] ;
>     char srcAddr[30] ;
>     char gateway[30] ;
>     char ifName[30];
>     char msgBuf[BUFSIZE];
>     struct route_info rinfo;
>     int sock, len, msgSeq = 0;
>     int val, i;
>     /* Create Socket */
>     if((sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE)) < 0)
>         perror("Socket Creation: ");
>     /* Initialize the buffer */
>     memset(msgBuf, 0, BUFSIZE);
>     /* point the header and the msg structure pointers into the
>        buffer */
>     nlMsg = (struct nlmsghdr *)msgBuf;
>     rtMsg = (struct rtmsg *)NLMSG_DATA(nlMsg);
>     /* Fill in the nlmsg header*/
>     nlMsg->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg)); // Length of message.
>     nlMsg->nlmsg_type = RTM_NEWROUTE;  // Get the routes from kernel routing table .
>     nlMsg->nlmsg_flags = NLM_F_CREATE ; // The message is a request for dump.
>     nlMsg->nlmsg_seq = msgSeq++;       // Sequence of the message packet.
>     nlMsg->nlmsg_pid = getpid();       // PID of process sending the request.
>     rtMsg->rtm_family = AF_INET;
>     rtMsg->rtm_table = RT_TABLE_UNSPEC;
>     rtMsg->rtm_dst_len = 16;
>     rtMsg->rtm_src_len = 16;
>     rtMsg->rtm_scope = RT_SCOPE_UNIVERSE;
>     rtMsg->rtm_type = RTN_UNICAST;
>     rtMsg->rtm_protocol = RTPROT_UNSPEC;
>     rtMsg->rtm_flags = RTM_F_NOTIFY;
>     fillRoute (&rinfo, dstAddr, srcAddr, gateway, ifName);
>     addAttr (nlMsg, BUFSIZE, RTA_DST,
>              &rinfo.dstAddr, 4);
>     addAttr (nlMsg, BUFSIZE, RTA_GATEWAY,
>              &rinfo.gateWay, 4);
>     /* Send the request */
>     if((val = send(sock, nlMsg, nlMsg->nlmsg_len,0 )) < 0){
>         printf("Write To Socket Failed...\n");
>         return -1;
>     }
>     printf (" No of Bytes sent %d \n", val);
>     printf (" Value that is sent \n " );
>     for (i =0 ; i < val ; i ++)
>         printf ("%u", msgBuf[i]);
>     printf ("\n");
>     close(sock);
>     return 0;
> }
>
> //////////////////////////////////////////////////////////////////////////////////////////////////////////
> OUTPUT
> [root@vijdom]gcc netlink_addroute.c -o addroute
> [root@vijdom]# ./addroute
> No of Bytes sent 44
> Value that is sent
> 4400024004000042949672398800216160000101008010429496723242949672085108050429496723242949672085190
> //////////////////////////////////////////////////////////////////////////////////////////////////////////
>
> SCREEN SHOTS
>
> *Routing table before execution of program*
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.51.0    *               255.255.255.0   U     0      0        0 eth0
> 169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> default         embedded        0.0.0.0         UG    0      0        0 eth0
>
> *Routing table after the execution of program*
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.51.0    *               255.255.255.0   U     0      0        0 eth0
> 169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> default         embedded        0.0.0.0         UG    0      0        0 eth0
>

I have a similar network, 4 /24 IP classes split in 7 regions, thus I have to do routing.
For this I use:::

/sbin/ip route add class via ip

for each region.
ex:::
/sbin/ip route add 89.34.23.0/26 via 81.181.180.21

89.34.23.0/26 > region ip address
81.181.180.21 > router ip

This is what I use.... looking forward to learning about netlink,

Good luck,
Adorean Alexandru Raul

From luciano at lugmen.org.ar Tue Jul 25 19:53:43 2006
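For the netlink route-add thread above (Viji's program and the reply), an added C example that is not code from either poster: it builds the RTM_NEWROUTE request with the flags and prefix length the posted program lacks, and reads the kernel's acknowledgement instead of assuming success. The function names and 256-byte buffer are my own choices; the addresses are the ones from the posted program.

```c
/* Added example for the netlink route-add thread, not code from the posters.
 * Builds an RTM_NEWROUTE request, sends it, and checks the kernel's ack. */
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <stdint.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

#define BUFSIZE 256

/* Append one rtattr to the message; returns 0, or -1 if it would not fit. */
static int add_attr(struct nlmsghdr *nlh, int maxlen, int type, const void *data, int alen) {
    int len = RTA_LENGTH(alen);
    if ((int)NLMSG_ALIGN(nlh->nlmsg_len) + RTA_ALIGN(len) > maxlen)
        return -1;
    struct rtattr *rta = (struct rtattr *)((char *)nlh + NLMSG_ALIGN(nlh->nlmsg_len));
    rta->rta_type = type;
    rta->rta_len = len;
    memcpy(RTA_DATA(rta), data, alen);
    nlh->nlmsg_len = NLMSG_ALIGN(nlh->nlmsg_len) + RTA_ALIGN(len);
    return 0;
}

/* Build "ip route add dst/prefixlen via gw" as a netlink message in buf.
 * Returns the message length, or -1 on bad input or a too-small buffer.
 * Compared with the posted program:
 *  - NLM_F_REQUEST is set (rtnetlink silently ignores messages without it),
 *    NLM_F_EXCL turns a duplicate into an error, NLM_F_ACK requests a reply;
 *  - rtm_dst_len is the real prefix length and rtm_src_len is 0, since no
 *    RTA_SRC is sent (the posted code set both to 16 for a /24);
 *  - rtm_table is RT_TABLE_MAIN rather than RT_TABLE_UNSPEC. */
int build_route_request(char *buf, int buflen, const char *dst, int prefixlen,
                        const char *gw, uint32_t seq) {
    struct in_addr dst_a, gw_a;
    if (prefixlen < 0 || prefixlen > 32 || buflen < (int)NLMSG_SPACE(sizeof(struct rtmsg)))
        return -1;
    if (inet_pton(AF_INET, dst, &dst_a) != 1 || inet_pton(AF_INET, gw, &gw_a) != 1)
        return -1;
    memset(buf, 0, buflen);
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    struct rtmsg *rtm = NLMSG_DATA(nlh);
    nlh->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
    nlh->nlmsg_type = RTM_NEWROUTE;
    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_CREATE | NLM_F_EXCL | NLM_F_ACK;
    nlh->nlmsg_seq = seq;
    nlh->nlmsg_pid = 0;               /* the kernel fills in the sender's port id */
    rtm->rtm_family = AF_INET;
    rtm->rtm_table = RT_TABLE_MAIN;
    rtm->rtm_dst_len = prefixlen;
    rtm->rtm_src_len = 0;
    rtm->rtm_scope = RT_SCOPE_UNIVERSE;
    rtm->rtm_type = RTN_UNICAST;
    rtm->rtm_protocol = RTPROT_STATIC; /* shows up as "proto static" in ip route */
    if (add_attr(nlh, buflen, RTA_DST, &dst_a, sizeof dst_a) < 0) return -1;
    if (add_attr(nlh, buflen, RTA_GATEWAY, &gw_a, sizeof gw_a) < 0) return -1;
    return nlh->nlmsg_len;
}

/* Interpret the reply to an NLM_F_ACK request: 0 on success, the positive
 * errno the kernel reported, or -1 if the buffer is not a matching ack. */
int parse_ack(const char *buf, int len, uint32_t expect_seq) {
    const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
    if (len < (int)sizeof *nlh || !NLMSG_OK(nlh, len) || nlh->nlmsg_type != NLMSG_ERROR)
        return -1;
    if (nlh->nlmsg_seq != expect_seq)
        return -1;
    const struct nlmsgerr *err = NLMSG_DATA(nlh);
    return -err->error;               /* kernel stores a negative errno; 0 is success */
}

/* Send the request and wait for the ack; needs CAP_NET_ADMIN. Returns 0 or an errno. */
int add_route(const char *dst, int prefixlen, const char *gw) {
    char buf[BUFSIZE];
    uint32_t seq = 1;
    int len = build_route_request(buf, sizeof buf, dst, prefixlen, gw, seq);
    if (len < 0) return EINVAL;
    int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
    if (sock < 0) return errno;
    int rc;
    if (send(sock, buf, len, 0) < 0) { rc = errno; close(sock); return rc; }
    ssize_t n = recv(sock, buf, sizeof buf, 0);
    rc = n < 0 ? errno : parse_ack(buf, (int)n, seq);
    close(sock);
    return rc < 0 ? EPROTO : rc;
}

int main(void) {
    /* Constructed input: the destination and gateway from the posted program. */
    int rc = add_route("192.168.51.0", 24, "192.168.51.90");
    printf("add route: %s\n", rc ? strerror(rc) : "ok");
    return rc ? 1 : 0;
}
```

Run as root and compare `ip route` before and after; a second run returns EEXIST because of NLM_F_EXCL, which is exactly the kind of failure the posted program could not see.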
From: luciano at lugmen.org.ar (Luciano Ruete)
Date: Tue Jul 25 19:49:57 2006
Subject: [LARTC] Routed network + web-cache
In-Reply-To: <44C5F84A.1090703@cnett.com.br>
References: <44C5F84A.1090703@cnett.com.br>
Message-ID: <200607251453.43136.luciano@lugmen.org.ar>

On Tuesday 25 July 2006 07:54, Nataniel Klug wrote:
> Hello all,
>
> I have a small ISP and I work all my clients networks over a routed
> network (now I am using 201.35.16.0/24 and 200.140.222.128/25 for my
> clients).
>
> The gateway server of the ISP is capable of running a web-cache
> (only http) using squid but I dont want that my clients go to the
> internet with the proxy/cache IP. Like when they enter in this site
> www.meuip.com.br it shows only the proxy/gw server ip and not the client
> ip.
>
> There is some way to make this happens?

Yes, but you'll need a patched kernel, because squid will need to bind non-local addresses.

See the squid FAQ about this, and follow the link in there:
http://www.squid-cache.org/Doc/FAQ/FAQ-7.html#ss7.13

-- 
Luciano

From alexandre at ondainternet.com.br Tue Jul 25 19:56:03 2006
From: alexandre at ondainternet.com.br (Alexandre J. Correa - Onda Internet)
Date: Tue Jul 25 19:55:29 2006
Subject: [LARTC] Routed network + web-cache
In-Reply-To: <44C65554.8000802@adonet.ro>
References: <44C5F84A.1090703@cnett.com.br> <44C65554.8000802@adonet.ro>
Message-ID: <44C65B33.606@ondainternet.com.br>

Nataniel,

www.balabit.com/downloads/tproxy/linux-2.6/

patch squid, kernel and iptables !!

Sds.

Alexandre J Correa
Onda Internet / OPinguim.net Webhosting
www.ondainternet.com.br
www.opinguim.net

Adorean Alexandru Raul wrote:
> Nataniel Klug wrote:
>> Hello all,
>>
>> I have a small ISP and I work all my clients networks over a routed
>> network (now I am using 201.35.16.0/24 and 200.140.222.128/25 for my
>> clients).
>>
>> The gateway server of the ISP is capable of running a web-cache
>> (only http) using squid but I dont want that my clients go to the
>> internet with the proxy/cache IP. Like when they enter in this site
>> www.meuip.com.br it shows only the proxy/gw server ip and not the
>> client ip.
>>
>> There is some way to make this happens?
>>
>> Att,
>>
>> Nataniel Klug
>>
> Yelow.
> From what I know about squid it can't be done. You are stuck, because
> the proxy makes the request not the client thus you have proxy server ip.
>
> Some pages use a TCP header to recognise the ip behind the proxy
> server (X_FORWARDED_FOR I believe..)
>
> Good luck,
> Adorean Alexandru Raul
>

From luciano at lugmen.org.ar Tue Jul 25 20:09:13 2006
From: luciano at lugmen.org.ar (Luciano Ruete)
Date: Tue Jul 25 20:05:36 2006
Subject: [LARTC] linux transparent bridge running squid and dansguardian
In-Reply-To: <004b01c6af58$2156d740$3a02a8c0@william>
References: <004b01c6af58$2156d740$3a02a8c0@william>
Message-ID: <200607251509.13588.luciano@lugmen.org.ar>

On Monday 24 July 2006 16:33, William Bohannan wrote:
> Thanks for the quick reply. Although I have had no success, I have been
> trying all day using both physdev and ebtables, neither of which I can get
> working :( Please help - below is what I am currently using.
>

Try this, it is a one-line simple modified version of your first post script. If this proof of concept works, then add all the other iptables rules that you want.

iptables -F
iptables -t nat -F
iptables -t nat -A PREROUTING -m physdev --physdev-in eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

-- 
Luciano

From Ted.Piotrowski at jhuapl.edu Tue Jul 25 22:05:46 2006
From: Ted.Piotrowski at jhuapl.edu (Piotrowski, Ted P.)
Date: Tue Jul 25 22:05:33 2006
Subject: [LARTC] bandwidth limitation help
Message-ID: <3C5BFF28444F434695FB134004DF014701B94422@aplesjustice.dom1.jhuapl.edu>

Hi,

I am new to the mailing list so I'm not sure if anybody reads these, but here goes nothing. I recently read: Linux Advanced Routing & Traffic Control HOWTO and have been trying to test my applications using bandwidth limitation. All the examples described in the HOWTO do not simulate the conditions I need to test my software. What I would like is for my bandwidth limitation to empty my UDP buffer at a given rate. I have tried using a simple TBF to do this, but all that happens is that my application floods the TBF buffer at link speed and the TBF buffer quickly overflows and drops packets. I want the packets to actually stay in the UDP buffer and be emptied at a given rate without modifying my application.

I don't know if any of you are familiar with netem, but it can be used in conjunction with tc to add delay to a link. Surprisingly, packets delayed by netem appear to remain in the UDP buffer until it is time for them to be sent. I would like this same behavior of keeping the packets in the UDP buffer, but with bandwidth limitation on the rate at which the buffer empties, not just packet delay.

Has anybody ever done anything like this or can point me to some resources?

Thank you,
Ted P.

From prasad at atc.tcs.co.in Wed Jul 26 07:42:14 2006
From: prasad at atc.tcs.co.in (Prasad)
Date: Wed Jul 26 07:42:03 2006
Subject: [LARTC] IPSec tunnel mode, through a IPIP tunnel
Message-ID: <44C700B6.1060903@atc.tcs.co.in>

Hello Gurus,

I have a small problem with routing and here are the details.

Interfaces on my server:
* ipsec0 - 172.19.58.94
* tunl0 - 172.19.58.94
* eth0 - 172.19.58.94

Now, the problem is that there is another host 172.19.58.200. All communication to 172.19.58.200 should be through tunl0, and all the data should be secured using IPSec (tunnel mode - because there are more machines on my network and 172.19.58.94 is the gateway through which they access 172.19.58.200). How can this be achieved???

Here is what I did:

1. Default route for 172.19.58.200 is ipsec0
   route add -host 172.19.58.200 dev ipsec0
2. Mark all packets after being routed through ipsec0
   iptables -t mangle -A POSTROUTING -o ipsec0 -j mark --set-mark 1
3. Create a routing rule and add the new rule
   ip rule add fwmark 1 table tunnel
4. Create routing entries for table 'tunnel'
   ip route add 172.19.58.200 dev tunl0

Well, all this assumes that once the packet enters the ipsec tunnel, after encapsulation the packets are routed afresh based on the routing tables. Could the gurus help me fix this!!!

Thanks,
Prasad

From prasad at atc.tcs.co.in Wed Jul 26 08:48:07 2006
From: prasad at atc.tcs.co.in (Prasad)
Date: Wed Jul 26 08:47:56 2006
Subject: [LARTC] IPSec tunnel mode, through a IPIP tunnel
In-Reply-To: <44C700B6.1060903@atc.tcs.co.in>
References: <44C700B6.1060903@atc.tcs.co.in>
Message-ID: <44C71027.8010009@atc.tcs.co.in>

Small info to add: I am using a 2.4 kernel (RH-9) and the packets currently are going through IPSec, then getting routed through eth0 directly (but I want them to go through tunl0)

Prasad

Prasad wrote:
>
> Hello Gurus,
>
> I have a small problem with routing and here are the details.
>
> Interfaces on my server:
> * ipsec0 - 172.19.58.94
> * tunl0 - 172.19.58.94
> * eth0 - 172.19.58.94
>
> Now, the problem is that there is another host 172.19.58.200. All
> communication to 172.19.58.200 should be through tunl0, and all the
> data should be secured using IPSec (tunnel mode - because there are
> more machines on my network and 172.19.58.94 is the gateway through
> which they access 172.19.58.200). How can this be achieved???
>
> Here is what I did:
>
> 1. Default route for 172.19.58.200 is ipsec0
>    route add -host 172.19.58.200 dev ipsec0
> 2. Mark all packets after being routed through ipsec0
>    iptables -t mangle -A POSTROUTING -o ipsec0 -j mark --set-mark 1
> 3. Create a routing rule and add the new rule
>    ip rule add fwmark 1 table tunnel
> 4. Create routing entries for table 'tunnel'
>    ip route add 172.19.58.200 dev tunl0
>
> Well, all this assumes that once the packet enters the ipsec tunnel,
> after encapsulation the packets are routed afresh based on the routing
> tables. Could the gurus help me fix this!!!
>
> Thanks,
> Prasad
>

From petre at kgb.ro Wed Jul 26 15:13:43 2006
From: petre at kgb.ro (Petre Bandac)
Date: Wed Jul 26 15:11:47 2006
Subject: [LARTC] patching iptables for connlimit
Message-ID: <20060726161343.097de260@localhost>

hallo

the patch described at

http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-3.html#ss3.5

works for the FORWARD chain as well ?

thanks,

petre

-- 
Petre Bandac
Network Scientist - petre@kgb.ro

From pereyra.roberto at gmail.com Wed Jul 26 17:52:42 2006
From: pereyra.roberto at gmail.com (Roberto Pereyra)
Date: Wed Jul 26 17:52:29 2006
Subject: [LARTC] ESFQ and bridges
Message-ID:

Hi

ESFQ works with bridges ?

Thanks a lot

roberto

-- 
Ing. Roberto Pereyra
ContenidosOnline

Looking for Linux Virtual Private Servers ? Click here:
http://www.spry.com/hosting-affiliate/scripts/t.php?a_aid=426&a_bid=56

From andy at andybev.com Wed Jul 26 17:56:45 2006
From: andy at andybev.com (Andrew Beverley)
Date: Wed Jul 26 17:56:44 2006
Subject: [LARTC] patching iptables for connlimit
In-Reply-To: <20060726161343.097de260@localhost>
References: <20060726161343.097de260@localhost>
Message-ID: <44C790BD.1010800@andybev.com>

> the patch described at
>
> http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-3.html#ss3.5
>
> works for the FORWARD chain as well ?

Yes I've just tried it and it works fine.

If you want to use connlimit and you're using a recent kernel you'll need to take a look at the netfilter users mailing list for details on how to use connlimit with it. Take a look at:

http://lists.netfilter.org/pipermail/netfilter/2006-July/066227.html

and also the thread index for the other messages. Unfortunately the thread is split up into several places in the index.

Andy Beverley

From mf at mfedv.net Wed Jul 26 19:25:00 2006
From: mf at mfedv.net (Matthias Ferdinand)
Date: Wed Jul 26 19:24:51 2006
Subject: [LARTC] static linking of /usr/sbin/tc?
Message-ID:

Hello,

I am trying to revive an old linux server installation, which still has libc5. Sadly, most current software does not compile anymore on this system, including the tc utility. As with other tools (net-tools, coreutils, procps etc.) I tried to compile and statically link (LDFLAGS=-static) on a more recent linux machine and copy the static binaries over to the old machine.

But no luck with tc. Even on the host where I compiled it (Debian Sarge 3.1), the static binary (/usr/local/iproute2-2.6.16-060323/usr/sbin/tc) does not see any qdisc:

xoff:~# /sbin/tc qdisc ls dev eth0
qdisc pfifo_fast 0: bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1

xoff:~# /usr/local/iproute2-2.6.16-060323/usr/sbin/tc qdisc ls dev eth0
qdisc pfifo_fast 0: [Unknown qdisc, optlen=20]

The source code makes use of dlopen() / dlsym() functions, which may be the reason for the failure. Does anybody know a way to make it work in a static binary?

Regards
Matthias

From bugfood-ml at fatooh.org Wed Jul 26 19:49:27 2006
From: bugfood-ml at fatooh.org (Corey Hickey)
Date: Wed Jul 26 19:49:14 2006
Subject: [LARTC] ESFQ and bridges
In-Reply-To:
References:
Message-ID: <44C7AB27.5020706@fatooh.org>

Roberto Pereyra wrote:
> Hi
>
> ESFQ works with bridges ?

...just as well as any other qdisc...

-Corey

From shemminger at osdl.org Wed Jul 26 21:22:40 2006
From: shemminger at osdl.org (Stephen Hemminger)
Date: Wed Jul 26 21:22:29 2006
Subject: [LARTC] static linking of /usr/sbin/tc?
In-Reply-To:
References:
Message-ID: <20060726122240.07076818@localhost.localdomain>

On Wed, 26 Jul 2006 19:25:00 +0200
Matthias Ferdinand wrote:

> Hello,
>
> I am trying to revive an old linux server installation, which still has
> libc5. Sadly, most current software does not compile anymore on this
> system, including the tc utility. As with other tools (net-tools,
> coreutils, procps etc.) I tried to compile and statically link
> (LDFLAGS=-static) on a more recent linux machine and copy the static
> binaries over to the old machine.
>
> But no luck with tc. Even on the host where I compiled it (Debian Sarge
> 3.1), the static binary (/usr/local/iproute2-2.6.16-060323/usr/sbin/tc)
> does not see any qdisc:
>
> xoff:~# /sbin/tc qdisc ls dev eth0
> qdisc pfifo_fast 0: bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
>
> xoff:~# /usr/local/iproute2-2.6.16-060323/usr/sbin/tc qdisc ls dev eth0
> qdisc pfifo_fast 0: [Unknown qdisc, optlen=20]
>
> The source code makes use of dlopen() / dlsym() functions, which may be the
> reason for the failure. Does anybody know a way to make it work in a static
> binary?
>

The dlopen() stuff is just to allow adding support for new qdisc's later. It also is introspective, it is used to find the qdisc's that are statically linked in.

Why bother updating it? You could with some effort change tc to have a list of qdisc structure pointers and change get_qdisc_kind to walk the list.

From mf at mfedv.net Wed Jul 26 22:23:12 2006
From: mf at mfedv.net (Matthias Ferdinand)
Date: Wed Jul 26 22:23:04 2006
Subject: [LARTC] static linking of /usr/sbin/tc?
In-Reply-To: <20060726122240.07076818@localhost.localdomain>
References: <20060726122240.07076818@localhost.localdomain>
Message-ID: <37EF00A45A0DD8427311E75C@[192.168.72.1]>

--On Wednesday, July 26, 2006 12:22:40 -0700 Stephen Hemminger wrote:

> On Wed, 26 Jul 2006 19:25:00 +0200
> Matthias Ferdinand wrote:
>> But no luck with tc. Even on the host where I compiled it (Debian Sarge
>> 3.1), the static binary (/usr/local/iproute2-2.6.16-060323/usr/sbin/tc)
>> does not see any qdisc:

> You could with some effort change tc to have a list of qdisc structure
> pointers and change get_qdisc_kind to walk the list.

Thanks for the answer, but I guess that would be more trouble than it's worth, and probably nobody would use that patched stuff except myself. I can do QoS stuff on a Linux router nearby, it would have been just aesthetically pleasing to have it all available on the old server.

Regards
Matthias

From avl at strace.net Thu Jul 27 15:23:49 2006
From: avl at strace.net (Dmitry Labutcky)
Date: Thu Jul 27 15:22:38 2006
Subject: [LARTC] SRR qdisc
Message-ID: <44C8BE65.6060107@strace.net>

Hi all,

I wrote a new qdisc, SRR (Simple Round Robin). This is just another reimplementation of round robin packet distribution. I'm not using SFQ/ESFQ source code and algorithms in this scheduler. The main goal of this work is not to give multistream download managers all the bandwidth resources.

Please test this: http://mordor.strace.net/sched-srr/

-- 
/bye
----------------------------------------------------------------------
Dmitry U.Labutcky
System administrator of Swift Trace
mail to: avl@strace.net
Simferopol, Crimea, Ukraine
phone: +380-652-516546
Yaltinskaya 20, office 502

From rayvd at digitalpath.net Thu Jul 27 18:45:16 2006
From: rayvd at digitalpath.net (Ray Van Dolson)
Date: Thu Jul 27 18:45:11 2006
Subject: [LARTC] Re: What am I missing?
Message-ID: <20060727164516.GA11363@digitalpath.net>

Follow-up to my own post here:

http://marc.theaimsgroup.com/?l=lartc&m=115332794424197&w=2

Problem ended up being that the tc included in the iproute RPM in Fedora Core 2 was built specifically against the headers in the glibc-kernheaders RPM. When I switched to a custom kernel (for built-in MPPE support), apparently some symbols referenced in the glibc-kernheaders package are not present in the non-RH kernel. This was causing my issue.

Solution was to modify the .spec file for iproute and tell it to compile against my custom kernel's headers specifically. Specifically I had to make the following changes to the .spec file to get things to work:

- Modify iproute2-2.4.7-kernel.patch to point to /usr/src/linux/include
- Do not apply iproute2-2.4.7-misc.patch
- Do not apply iproute2-2.4.7-in_port_t.patch

This makes everything happy once again! I'm not sure what the consequences are of not applying those RedHat patches, but the tool still works normally as far as I can tell.

Ray

From mfdutra at gmail.com Thu Jul 27 19:45:35 2006
From: mfdutra at gmail.com (Marlon Dutra)
Date: Thu Jul 27 19:45:21 2006
Subject: [LARTC] Weird HTB behaviour in 2.6.17
Message-ID: <30dd942a0607271045o73dfc680r6bd2695e257a982b@mail.gmail.com>

Hello,

I've just compiled the kernel 2.6.17 and noticed an odd HTB behaviour.

For instance:

tc class add dev eth0 parent 1:1 classid 1:30 htb rate 1kbit ceil 750Kbit burst 15k
tc filter add dev eth0 parent 1:0 protocol ip prio 15 u32 match ip dst 192.168.5.1 classid 1:30

The filter works ok and the traffic to 192.168.5.1 flows through the class 1:30, but the rate gets much higher than 750 Kbps.

As far as I realized, the faster the processor is, the higher the traffic gets above the ceiling.

I've seen that same behaviour in several machines with this kernel, both with Intel and AMD processors. With a dual Xeon 3 GHz, when my ceiling is 750 Kbps, I get the traffic about 5 Mbps.

It seems to be something related to clock.

http://mailman.ds9a.nl/pipermail/lartc/2005q3/016981.html

In that post, there is another guy with the same problem, but with 2.6.11.

Any clues?

-- 
Marlon

From altchill at hotmail.com Fri Jul 28 03:21:10 2006
From: altchill at hotmail.com (Jake Altchill)
Date: Fri Jul 28 03:21:01 2006
Subject: [LARTC] Weird HTB behaviour in 2.6.17
In-Reply-To: <30dd942a0607271045o73dfc680r6bd2695e257a982b@mail.gmail.com>
Message-ID:

What kind of network cards do you have? What are the tc stats that you get on the class (anything about giants?)? There's something funny with the intel gig cards. Even if the mtu on them is set to 1500 there's something that breaks / confuses htb. If these are the cards you are using you need to explicitly set the mtu for your classes to 16500.

>Hello,
>
>I've just compiled the kernel 2.6.17 and noticed an odd HTB behaviour.
>
>For instance:
>
>tc class add dev eth0 parent 1:1 classid 1:30 htb rate 1kbit ceil
>750Kbit burst 15k
>tc filter add dev eth0 parent 1:0 protocol ip prio 15 u32 match ip dst
>192.168.5.1 classid 1:30
>
>The filter works ok and the traffic to 192.168.5.1 flows through the
>class 1:30, but the rate gets much higher than 750 Kbps.
>
>As far as I realized, the faster the processor is, the higher the
>traffic gets above the ceiling.
>
>I've seen that same behaviour in several machines with this kernel,
>both with Intel and AMD processors. With a dual Xeon 3 GHz, when my
>ceiling is 750 Kbps, I get the traffic about 5 Mbps.
>
>It seems to be something related to clock.
>
>http://mailman.ds9a.nl/pipermail/lartc/2005q3/016981.html
>
>In that post, there is another guy with the same problem, but with 2.6.11.
>
>Any clues?

From sinha.mrinal at yahoo.co.in Fri Jul 28 06:55:53 2006
From: sinha.mrinal at yahoo.co.in (Mrinal Sinha)
Date: Fri Jul 28 06:55:43 2006
Subject: [LARTC] Problem with routing for multiple uplinks/providers using iproute2
Message-ID: <20060728045553.20874.qmail@web8601.mail.in.yahoo.com>

hi all,

we were trying to configure our system with 2 ethernet cards connected to two different providers using iproute2 so that it receives and transmits data from both of them. We have followed the configuration as given in lartc's howto. But the most weird part of the story is that after we restart the system (We have put the script in rc.local) the system works fine and we can ping both our cards from anywhere in the world. But after some time none of the cards can be pinged from outside but the site running on the system is accessible from everywhere.

Does anyone have any idea where or what we are doing wrong? I will really appreciate your help. It's just so confusing, hopefully it's a silly error. (We are running FC-4 with dual Xeon processors)

thnx in advance,
Mrin

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060728/f8d36687/attachment.html

From jarkap at poczta.onet.pl Fri Jul 28 09:29:55 2006
From: jarkap at poczta.onet.pl (Jarek Poplawski)
Date: Fri Jul 28 09:29:19 2006
Subject: [LARTC] Re: Weird HTB behaviour in 2.6.17
In-Reply-To: <30dd942a0607271045o73dfc680r6bd2695e257a982b@mail.gmail.com>
References: <30dd942a0607271045o73dfc680r6bd2695e257a982b@mail.gmail.com>
Message-ID:

On 27-07-2006 19:45, Marlon Dutra wrote:
> Hello,
> ...
>
> http://mailman.ds9a.nl/pipermail/lartc/2005q3/016981.html
>
> In that post, there is another guy with the same problem, but with 2.6.11.

I can't see any problem there! If this guy expected a lower rate for the 1:39 class, he should have lowered the ceil. This class had much higher traffic than the other class and probably was borrowing just when these stats were prepared.

Jarek P.

From rvokal at redhat.com Fri Jul 28 12:00:24 2006
From: rvokal at redhat.com (Radek Vokál)
Date: Fri Jul 28 10:01:16 2006
Subject: [LARTC] no PROMISC mode in ip link show
Message-ID: <1154080824.9755.24.camel@localhost.localdomain>

Hi

When I start arpwatch or tcpdump the Ethernet card eth0 goes into promiscuous mode but I cannot see it with ifconfig eth0 or ip link show. The only way I can see it is when I look at dmesg. Ifconfig uses the old style IOFLAG way to determine this but looking into ip code this is supposed to work even with newer kernels (I'm on 2.6.17 now with the latest iproute package)

I found these links about the issue
http://www.tcpdump.org/lists/workers/2001/01/msg00184.html
http://lists.virus.org/bugtraq-0207/msg00363.html

Radek

-- 
Radek Vokál

From makevuy at ehas.org Fri Jul 28 14:43:06 2006
From: makevuy at ehas.org (makevuy)
Date: Fri Jul 28 14:42:55 2006
Subject: [LARTC] Problem with iptables with -j TOS and MARK
Message-ID: <44CA065A.9090903@ehas.org>

Hi,

I would want to mark the packets that are entering in a machine, with a mark for using diffserv with DSMARK.

My machine has 2 interfaces, an ethernet and a wireless. The ethernet interface is eth1 and the other is wifi0.

First, I would want to test that I would be able to mark the tos of the packets that I would be receiving, for this I write in the console of my linux:

iptables -A PREROUTING -i eth1 -t mangle -p udp -j TOS --set-tos 0x20

But the TOS doesn't change (I see this with ethereal)

What could be the problem?

I've tried the same with the MARK option:

iptables -A PREROUTING -i eth1 -t mangle -p udp -j MARK --set-mark 0x20

and a DSMARK.

Regards.

-- 
Sandra Salmerón Ntutumu
Tel. landline: +34 914888405 / Mobile: 653574298
IP phone via FWD: 656212. Ext: 10 / IP phone via EHAS: 010010
Fundación EHAS: Enlace Hispanoamericano de Salud - www.ehas.org
Rural telemedicine for isolated areas of developing countries

From hi100nu at yahoo.com Fri Jul 28 14:50:46 2006
From: hi100nu at yahoo.com (sonu chouhan)
Date: Fri Jul 28 14:50:33 2006
Subject: [LARTC] Re:Problem with routing for multiple uplinks/providers
Message-ID: <20060728125046.18266.qmail@web32514.mail.mud.yahoo.com>

provide me complete detail of your linux box like firewall script (iptables script), kernel's .config file, multigateway file (i.e. /sbin/ip ....... commands file) so I can check and try to resolve your issue.

sonu....

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060728/c636598d/attachment.htm

From jarkap at poczta.onet.pl Fri Jul 28 15:57:32 2006
From: jarkap at poczta.onet.pl (Jarek Poplawski)
Date: Fri Jul 28 15:57:52 2006
Subject: [LARTC] Re: Problem with iptables with -j TOS and MARK
In-Reply-To: <44CA065A.9090903@ehas.org>
References: <44CA065A.9090903@ehas.org>
Message-ID:

On 28-07-2006 14:43, makevuy wrote:
> Hi,
>
> I would want to mark the packets that are entering in a machine, with a
> mark for using diffserv with DSMARK.
>
> My machine has 2 interfaces, an ethernet and a wireless. The ethernet
> interface is eth1 and the other is wifi0.
>
> First, I would want to test that I would be able to mark the tos of the
> packets that I would be receiving, for this I write in the console of my
> linux:
>
> iptables -A PREROUTING -i eth1 -t mangle -p udp -j TOS --set-tos 0x20
>
> But the TOS doesn't change (I see this with ethereal)
>
> What could be the problem?

If I can remember, TOS is inserted for real some time later, so try to investigate on forward or postrouting.

Jarek P.

From mfdutra at gmail.com Fri Jul 28 19:25:32 2006
From: mfdutra at gmail.com (Marlon Dutra)
Date: Fri Jul 28 19:25:18 2006
Subject: [LARTC] Weird HTB behaviour in 2.6.17
In-Reply-To:
References: <30dd942a0607271045o73dfc680r6bd2695e257a982b@mail.gmail.com>
Message-ID: <30dd942a0607281025o30fe5345o784ce3e4dca5024b@mail.gmail.com>

On 7/27/06, Jake Altchill wrote:
> What kind of network cards do you have?

When I noticed the problem, I was using a Dell server with an Intel e1000. But I reproduced the same problem in my desktop, that's an AMD Sempron with an nVidia ethernet card. So, different processor, chipset and nic.

> What are the tc stats that you get on the class (anything about
> giants?)?

class htb 1:31 parent 1:1 leaf 31: prio 0 rate 1000bit ceil 750000bit burst 15Kb cburst 1974b
 Sent 11678670 bytes 2711 pkts (dropped 0, overlimits 0)
 rate 1725Kbit 43pps backlog 13p

As you can see, I have a rate of 1725Kbit when my ceiling is 750Kbit. That difference is low, since I'm testing on my Sempron. If I do the same on the Dell server, the difference is much higher. Some times over ten times the ceiling.

With a 2.4 kernel, it works perfectly on both machines.

> If these are the cards you are using you need to explicitly set the
> mtu for your classes to 16500.

Sorry, I didn't get it. How should I do that?

-- 
Marlon

From mfdutra at gmail.com Fri Jul 28 19:28:40 2006
From: mfdutra at gmail.com (Marlon Dutra)
Date: Fri Jul 28 19:28:29 2006
Subject: [LARTC] Re: Weird HTB behaviour in 2.6.17
In-Reply-To:
References: <30dd942a0607271045o73dfc680r6bd2695e257a982b@mail.gmail.com>
Message-ID: <30dd942a0607281028l65f68d84w5daed2eee03dfc24@mail.gmail.com>

On 7/28/06, Jarek Poplawski wrote:
> I can't see any problem there! If this guy expected a lower rate for
> the 1:39 class, he should have lowered the ceil. This class had much higher
> traffic than the other class and probably was borrowing just when these
> stats were prepared.

Indeed. In that case, there is no problem. But I still have a problem here, as you can see in my last post.

Regards.

-- 
Marlon

From lists at andyfurniss.entadsl.com Fri Jul 28 20:53:26 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Fri Jul 28 20:52:58 2006
Subject: [LARTC] Weird HTB behaviour in 2.6.17
In-Reply-To: <30dd942a0607281025o30fe5345o784ce3e4dca5024b@mail.gmail.com>
References: <30dd942a0607271045o73dfc680r6bd2695e257a982b@mail.gmail.com> <30dd942a0607281025o30fe5345o784ce3e4dca5024b@mail.gmail.com>
Message-ID: <44CA5D26.5030209@andyfurniss.entadsl.com>

Marlon Dutra wrote:
>> (anything about giants?)?
>
> class htb 1:31 parent 1:1 leaf 31: prio 0 rate 1000bit ceil 750000bit
> burst 15Kb cburst 1974b
> Sent 11678670 bytes 2711 pkts (dropped 0, overlimits 0)
> rate 1725Kbit 43pps backlog 13p
>
> As you can see,

I see you snipped giants even though you were asked about them.

Regardless 11678670/2711 > 1500 so specify your mtu next to every rate and ceil.

Andy.

From mfdutra at gmail.com Fri Jul 28 21:12:41 2006
From: mfdutra at gmail.com (Marlon Dutra)
Date: Fri Jul 28 21:12:27 2006
Subject: [LARTC] Weird HTB behaviour in 2.6.17
In-Reply-To: <44CA5D26.5030209@andyfurniss.entadsl.com>
References: <30dd942a0607271045o73dfc680r6bd2695e257a982b@mail.gmail.com> <30dd942a0607281025o30fe5345o784ce3e4dca5024b@mail.gmail.com> <44CA5D26.5030209@andyfurniss.entadsl.com>
Message-ID: <30dd942a0607281212l4b9ca152j43bd088b5a5332b5@mail.gmail.com>

On 7/28/06, Andy Furniss wrote:
> I see you snipped giants even though you were asked about them.

Oh sorry. Here it goes:

class htb 1:31 parent 1:1 leaf 31: prio 0 rate 1000bit ceil 750000bit burst 15Kb cburst 1875b
 Sent 23991629 bytes 5227 pkts (dropped 0, overlimits 0)
 rate 1567Kbit 44pps
 lended: 150 borrowed: 5077 giants: 3986
 tokens: -14728330 ctokens: -21365

> Regardless 11678670/2711 > 1500 so specify your mtu next to every rate
> and ceil.

I created the class with "mtu 1500" and the result is above, same behaviour. Afaik, the default mtu is 1600.

By the way, my ethernet MTU is 1500.

How can I prevent those giants?

-- 
Marlon

From lists at andyfurniss.entadsl.com Fri Jul 28 21:43:15 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Fri Jul 28 21:42:41 2006
Subject: [LARTC] Weird HTB behaviour in 2.6.17
In-Reply-To: <30dd942a0607281212l4b9ca152j43bd088b5a5332b5@mail.gmail.com>
References: <30dd942a0607271045o73dfc680r6bd2695e257a982b@mail.gmail.com> <30dd942a0607281025o30fe5345o784ce3e4dca5024b@mail.gmail.com> <44CA5D26.5030209@andyfurniss.entadsl.com> <30dd942a0607281212l4b9ca152j43bd088b5a5332b5@mail.gmail.com>
Message-ID: <44CA68D3.2040402@andyfurniss.entadsl.com>

Marlon Dutra wrote:
> On 7/28/06, Andy Furniss wrote:
>
>> I see you snipped giants even though you were asked about them.
>
> Oh sorry. Here it goes:
>
> class htb 1:31 parent 1:1 leaf 31: prio 0 rate 1000bit ceil 750000bit
> burst 15Kb cburst 1875b
> Sent 23991629 bytes 5227 pkts (dropped 0, overlimits 0)
> rate 1567Kbit 44pps
> lended: 150 borrowed: 5077 giants: 3986
> tokens: -14728330 ctokens: -21365
>
>> Regardless 11678670/2711 > 1500 so specify your mtu next to every rate
>> and ceil.
>
> I created the class with "mtu 1500" and the result is above, same
> behaviour. Afaik, the default mtu is 1600.
>
> By the way, my ethernet MTU is 1500.
>
> How can I prevent those giants?

It seems there is a problem with some nics not obeying mtu then (I mean ifconfig/ip mtu) maybe it's to do with tso or something.

Normally you shouldn't have to specify mtu to tc if you are running 1500 - you only need to if you are bigger, which it looks like you are whatever ifconfig/ip says.

I would find/lookup what you are really using and tell htb that and then check that the giants count is 0.

Andy.

From shemminger at osdl.org Fri Jul 28 22:54:47 2006
From: shemminger at osdl.org (Stephen Hemminger)
Date: Fri Jul 28 22:54:41 2006
Subject: [LARTC] HTB is buggy?
In-Reply-To: <44CA68D3.2040402@andyfurniss.entadsl.com>
References: <30dd942a0607271045o73dfc680r6bd2695e257a982b@mail.gmail.com> <30dd942a0607281025o30fe5345o784ce3e4dca5024b@mail.gmail.com> <44CA5D26.5030209@andyfurniss.entadsl.com> <30dd942a0607281212l4b9ca152j43bd088b5a5332b5@mail.gmail.com> <44CA68D3.2040402@andyfurniss.entadsl.com>
Message-ID: <20060728135447.526d1d3c@localhost.localdomain>

I believe there are some unresolved memory management issues with HTB. It looks like deleting the qdisc is causing some use after free or memory corruption problems.

See:
http://bugzilla.kernel.org/show_bug.cgi?id=6681

I don't use HTB so I have no idea if this a new or old problem.

From lists at andyfurniss.entadsl.com Fri Jul 28 23:57:26 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Fri Jul 28 23:57:09 2006
Subject: [LARTC] Re: HTB is buggy?
In-Reply-To: <20060728135447.526d1d3c@localhost.localdomain>
References: <30dd942a0607271045o73dfc680r6bd2695e257a982b@mail.gmail.com> <30dd942a0607281025o30fe5345o784ce3e4dca5024b@mail.gmail.com> <44CA5D26.5030209@andyfurniss.entadsl.com> <30dd942a0607281212l4b9ca152j43bd088b5a5332b5@mail.gmail.com> <44CA68D3.2040402@andyfurniss.entadsl.com> <20060728135447.526d1d3c@localhost.localdomain>
Message-ID: <44CA8846.3010909@andyfurniss.entadsl.com>

Stephen Hemminger wrote:
> I believe there are some unresolved memory management issues with HTB.
> It looks like deleting the qdisc is causing some use after free or
> memory corruption problems.
>
> See:
> http://bugzilla.kernel.org/show_bug.cgi?id=6681
>
> I don't use HTB so I have no idea if this a new or old problem.

Hmm he's doing crash (and oops) in command like

tc filter del dev ethX protocol ip parent 1:0 prio 5 handle X:XX:XX u32

is that valid - I've always recommended to del root qdisc and start again to change something.

I don't know if it's documented anywhere - none of the man pages in iproute2 even mention del (OK remove is there) and tc-filters.8 is referenced but not there.

It does say in tc.8 -

Filters have a three part ID, which is only needed when using a hashed filter hierarchy, for which see tc-filters(8)

so maybe it's just tc/kernel failing to give rtnetlink error - which is what I've seen before when trying to delete specific parts of trees.

man tc-htb doesn't even mention tc filter anything.

Andy.

From altchill at hotmail.com Sat Jul 29 02:50:37 2006
From: altchill at hotmail.com (Jake Altchill)
Date: Sat Jul 29 02:50:27 2006
Subject: [LARTC] Weird HTB behaviour in 2.6.17
In-Reply-To: <30dd942a0607281025o30fe5345o784ce3e4dca5024b@mail.gmail.com>
Message-ID:

Just append "mtu 16500" at the end of your qdisc and class (especially class) statements. Like this:

tc class add dev eth0 parent 1:1 classid 1:30 htb rate 1kbit ceil 750Kbit burst 15k mtu 16500

I had a similar problem on Dell 2850s with intel e1000 cards. The mtu on the e1000 interfaces was set to the default 1500, but the cards didn't obey it all the time. I suspect that nVidia ethernet driver has similar problems.

From kaber at trash.net Sat Jul 29 03:07:50 2006
From: kaber at trash.net (Patrick McHardy)
Date: Sat Jul 29 03:07:37 2006
Subject: [LARTC] Weird HTB behaviour in 2.6.17
In-Reply-To: <44CA68D3.2040402@andyfurniss.entadsl.com>
References: <30dd942a0607271045o73dfc680r6bd2695e257a982b@mail.gmail.com> <30dd942a0607281025o30fe5345o784ce3e4dca5024b@mail.gmail.com> <44CA5D26.5030209@andyfurniss.entadsl.com> <30dd942a0607281212l4b9ca152j43bd088b5a5332b5@mail.gmail.com> <44CA68D3.2040402@andyfurniss.entadsl.com>
Message-ID: <44CAB4E6.90307@trash.net>

Andy Furniss wrote:
> Marlon Dutra wrote:
>
>> lended: 150 borrowed: 5077 giants: 3986
>> tokens: -14728330 ctokens: -21365
>>
>>> Regardless 11678670/2711 > 1500 so specify your mtu next to every rate
>>> and ceil.
>>
>> I created the class with "mtu 1500" and the result is above, same
>> behaviour. Afaik, the default mtu is 1600.
>>
>> By the way, my ethernet MTU is 1500.
>>
>> How can I prevent those giants?
>
> It seems there is a problem with some nics not obeying mtu then (I mean
> ifconfig/ip mtu) maybe it's to do with tso or something.

Right, the "problem" is related to TCP segmentation offloading (or GSO in current kernels). The card gets large chunks of data and is responsible for creating MTU-sized packets, which essentially means qdiscs get to see those large chunks of data. You can disable TSO using ethtool (but it will cost you performance) or configure your qdisc appropriately.

From baltasar.cevc at former03.de Sat Jul 29 17:33:56 2006
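Andy's arithmetic (11678670/2711 > 1500) and the non-zero `giants:` counter are the two checks this thread settles on for spotting TSO/GSO super-packets reaching a shaper, and Patrick's message explains why they appear. As an added example that is not part of the thread, the Python below runs both checks over `tc -s class show` output. The sample input is the class 1:31 stats Marlon posted plus a constructed healthy leaf class 1:30; the function names (`parse_htb_classes`, `average_packet_size`, `check_class`, `audit`) are mine.

```python
"""Sanity-check `tc -s class show dev ...` output for HTB classes.

Added example, not code from the thread. Two checks are applied per class:
a non-zero `giants:` counter, and an average packet size (Sent bytes / pkts)
above the link MTU. Either one means the qdisc is handed segments larger
than the MTU its rate table was built for, which is what TSO/GSO does.
"""
import re

# Constructed sample: class 1:31 is the block posted in the thread; class 1:30
# is an invented healthy leaf whose packets average exactly 1500 bytes.
SAMPLE_TC_OUTPUT = """\
class htb 1:31 parent 1:1 leaf 31: prio 0 rate 1000bit ceil 750000bit burst 15Kb cburst 1875b
 Sent 23991629 bytes 5227 pkts (dropped 0, overlimits 0)
 rate 1567Kbit 44pps
 lended: 150 borrowed: 5077 giants: 3986
 tokens: -14728330 ctokens: -21365

class htb 1:30 parent 1:1 leaf 30: prio 0 rate 1000bit ceil 750000bit burst 15Kb cburst 1875b
 Sent 1500000 bytes 1000 pkts (dropped 0, overlimits 0)
 rate 12Kbit 1pps
 lended: 0 borrowed: 1000 giants: 0
 tokens: 1875000 ctokens: 2000
"""

CLASS_RE = re.compile(r"^class htb (\S+)", re.MULTILINE)
SENT_RE = re.compile(r"Sent (\d+) bytes (\d+) pkts")
GIANTS_RE = re.compile(r"giants: (\d+)")


def parse_htb_classes(text):
    """Split a tc dump into one dict per class: id, bytes, pkts, giants."""
    classes = []
    # Each record runs from a 'class htb' line to the next one (or end of text).
    starts = [m.start() for m in CLASS_RE.finditer(text)] + [len(text)]
    for begin, end in zip(starts, starts[1:]):
        block = text[begin:end]
        cid = CLASS_RE.match(block).group(1)
        sent = SENT_RE.search(block)
        giants = GIANTS_RE.search(block)
        classes.append({
            "id": cid,
            "bytes": int(sent.group(1)) if sent else 0,
            "pkts": int(sent.group(2)) if sent else 0,
            "giants": int(giants.group(1)) if giants else 0,
        })
    return classes


def average_packet_size(cls):
    """Mean bytes per packet seen by the class, 0.0 if it has sent nothing."""
    return cls["bytes"] / cls["pkts"] if cls["pkts"] else 0.0


def check_class(cls, link_mtu=1500):
    """Return the problems found for one class; an empty list means it looks sane."""
    problems = []
    if cls["giants"] > 0:
        problems.append(
            f"{cls['id']}: {cls['giants']} giants (packets larger than the class mtu)")
    avg = average_packet_size(cls)
    if avg > link_mtu:
        problems.append(
            f"{cls['id']}: average packet {avg:.0f} bytes exceeds link MTU {link_mtu}; "
            "the qdisc sees TSO/GSO super-packets, so set 'mtu' on the class or disable TSO")
    return problems


def audit(text, link_mtu=1500):
    """Run the checks over every class in a `tc -s class show` dump."""
    return {cls["id"]: check_class(cls, link_mtu) for cls in parse_htb_classes(text)}


if __name__ == "__main__":
    for cid, problems in audit(SAMPLE_TC_OUTPUT).items():
        print(cid, "OK" if not problems else "; ".join(problems))
```

Run against the posted block the audit flags 1:31 twice (3986 giants, and 23991629/5227 is about 4590 bytes per packet), which is the same conclusion Andy reached by hand; the constructed 1:30 passes. Feed it the real output of `tc -s class show dev eth0` after changing the class `mtu` or disabling TSO with ethtool to confirm the giants counter stays at 0.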
From: baltasar.cevc at former03.de (former03 | Baltasar Cevc)
Date: Sat Jul 29 17:33:51 2006
Subject: [LARTC] FWMark routing trouble
Message-ID: <543407a389ac4ddaf401fe2030924454@former03.de>

Hi everybody,

I'm trying to set up routing for 2 links to the internet on a box which produces traffic itself (e.g. DNS) and will route all our local traffic. As one route is quick and expensive and the other one slow and cheap, I want to be able to route packets for some high-level protocols to the second link.

If I correctly understood table 3-2 in http://www.faqs.org/docs/iptables/traversingoftables.html that is not possible as the routing decision is taken even before the packet touches netfilter for the first time.

Is that correct? Does anybody have some hints about how to work around it?

Thanx a lot!

Baltasar

Baltasar Cevc
_____ former 03 gmbh
_____ infanteriestraße 19 haus 6 eg
_____ D-80797 muenchen
_____ http://www.former03.de

From Daniel at musketa.de Sun Jul 30 23:09:04 2006
From: Daniel at musketa.de (Daniel Musketa)
Date: Sun Jul 30 23:08:57 2006
Subject: [LARTC] questions about HFSC, VoIP and (dynamic) ingress shaping
Message-ID: <200607302309.05290.Daniel@musketa.de>

Hello,

I just found the great howto and started shaping my internet connection. The howto's last update is a little in the past now so I have some questions about how things are done the best way nowadays ;-)

To ensure a stable and low latency voip communication I added an HFSC qdisc to device ppp0 (1 Mbit SDSL). There are two classes (by now): One for SIP and RTP and one for the rest.

Question 1: I defined the voip qdisc as

tc class add dev ppp0 parent 1:1 classid 1:11 \
    hfsc sc umax 1500b dmax 30ms rate 500kbit ul rate 900kbit

but "tc -s class show dev ppp0" shows

class hfsc 1:11 parent 1:1 sc m1 0bit d 6.0ms m2 500000bit \
    ul m1 0bit d 0us m2 900000bit

Where does the "0bit d 6.0ms" come from, (what does the other stuff exactly mean) and what would be a good setting for voip traffic?

This qdisc only affects outgoing traffic. But I also want to control incoming packets and keep the isp's queue empty.

Question 2: What is the best solution for doing this: ingress qdisc, IMQ, ... (there's only one link to isp)?

Much traffic on this line is UDP traffic (OpenVPN).

Question 3: If I do policing on incoming traffic, do UDP transmissions care about dropping and reduce transmit speed?

If I begin to control incoming traffic I only want to drop packets that are non voip traffic.

Question 4: Is it possible to control what packets are dropped?

I always want to have enough bandwidth for incoming voip traffic. But limiting the other stuff to static 180 kbit only because voip packets could sometimes reach a maximum of 800 kbit sounds not so good.

My idea: A script that periodically (or even better: triggered by asterisk) controls the parameters for the ingress shaper (depending on the actual upload traffic produced by voip which could easily be measured with tc).

Question 5: Is that possible? Is this necessary at all? Is there already a solution?

Regards
Daniel

From andy at andybev.com Sun Jul 30 23:44:49 2006
From: andy at andybev.com (Andrew Beverley)
Date: Sun Jul 30 23:44:49 2006
Subject: [LARTC] Traffic monitor with view of MARK
Message-ID: <44CD2851.7050205@andybev.com>

Hi,

Does anyone know of a traffic monitoring program that will display a connection's MARK value as well as the normal information such as current rate? I use iptraf and ntop at the moment but neither seem capable of displaying a connection's MARK value.

Thanks,
Andy

From gustavo at angulosolido.pt Mon Jul 31 00:52:48 2006
From: gustavo at angulosolido.pt (Gustavo Homem)
Date: Mon Jul 31 00:52:36 2006
Subject: [LARTC] questions about HFSC, VoIP and (dynamic) ingress shaping
In-Reply-To: <200607302309.05290.Daniel@musketa.de>
References: <200607302309.05290.Daniel@musketa.de>
Message-ID: <20060730225248.GD15275@angulosolido.pt>

On Sun, Jul 30, 2006 at 11:09:04PM +0200, Daniel Musketa wrote:
> Hello,
>
> I just found the great howto and started shaping my internet connection. The
> howto's last update is a little in the past now so I have some questions
> about how things are done the best way nowadays ;-)
>
> To ensure a stable and low latency voip communication I added an HFSC qdisc to
> device ppp0 (1 Mbit SDSL). There are two classes (by now): One for SIP and
> RTP and one for the rest.
>
> Question 1: I defined the voip qdisc as
>
> tc class add dev ppp0 parent 1:1 classid 1:11 \
>     hfsc sc umax 1500b dmax 30ms rate 500kbit ul rate 900kbit
>
> but "tc -s class show dev ppp0" shows
>
> class hfsc 1:11 parent 1:1 sc m1 0bit d 6.0ms m2 500000bit \
>     ul m1 0bit d 0us m2 900000bit
>
> Where does the "0bit d 6.0ms" come from, (what does the other stuff exactly
> mean) and what would be a good setting for voip traffic?
>
> This qdisc only affects outgoing traffic. But I also want to control incoming
> packets and keep the isp's queue empty.
>
> Question 2: What is the best solution for doing this: ingress qdisc, IMQ, ...
> (there's only one link to isp)?

If you don't want to patch the kernel and your machine has only two network interfaces you can shape the outgoing traffic to the internal interface instead of the incoming traffic to the internal interface. I have an example script here:

http://downloads.angulosolido.pt/QoS/HTB_shaper_adv.sh

It uses HTB for shaping though.

> Much traffic on this line is UDP traffic (OpenVPN).
>
> Question 3: If I do policing on incoming traffic, do UDP transmissions care
> about dropping and reduce transmit speed?

I don't think so, unless that is implemented at the application level. The UDP packets shouldn't be dropped unless that's acceptable to a certain extent (VoIP) or the application resends as necessary.

> If I begin to control incoming traffic I only want to drop packets that are
> non voip traffic.
>
> Question 4: Is it possible to control what packets are dropped?

Depends if you know the ports they use. If you know it, you just have to mark them accordingly.

For example with skype it's a pain in the ass, as it seems not to respect the port chosen on the configuration. I solved that by reserving bandwidth per workstation, so that each one gets TOTAL/N, extensible to TOTAL if the others don't request it. For each workstation there is also a priority rank, but for cases like skype, whose ports we can't control, it ends up being up to each user to ensure there's enough bandwidth on her share for skype to work.

Take a look at the link I pasted above.

> I always want to have enough bandwidth for incoming voip traffic. But limiting
> the other stuff to static 180 kbit only because voip packets could sometimes
> reach a maximum of 800 kbit sounds not so good.

Sure!

> My idea: A script that periodically (or even better: triggered by asterisk)
> controls the parameters for the ingress shaper (depending on the actual
> upload traffic produced by voip which could easily be measured with tc).
>
> Question 5: Is that possible? Is this necessary at all? Is there already a
> solution?

I don't think you need this. A setup with HTB solves this problem, since each traffic class has a defined RATE as well as a defined CEIL rate, which it will take whenever available.

I can't comment about HFSC as I never used it.

Best regards
Gustavo

> Regards
> Daniel
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

-- 
Angulo Sólido - Tecnologias de Informação
http://angulosolido.pt

From gustavo at angulosolido.pt Mon Jul 31 01:01:23 2006
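Gustavo passes on Question 1, but the puzzling `m1 0bit d 6.0ms` line in Daniel's post follows from how tc turns `umax`/`dmax`/`rate` into the two-piece (m1, d, m2) curve it actually installs. The Python below is an added example, not from the thread: it reproduces that conversion as I understand it from iproute2's hfsc option parser (when umax/dmax exceeds rate the curve is concave with m1 = umax/dmax and d = dmax; otherwise m1 = 0 and d = dmax - umax/rate), checks that it yields the figures Daniel saw, and works out the worst-case time a packet of a given size is guaranteed service under the resulting curve. The function names and the second, tighter curve (`dmax 10ms`) are constructed for illustration.

```python
"""HFSC `umax`/`dmax`/`rate` to (m1, d, m2) conversion (added example, not from the thread)."""
from fractions import Fraction


def service_curve(umax_bytes, dmax_ms, rate_bps):
    """Return the (m1 bps, d ms, m2 bps) curve tc installs for `sc umax <B> dmax <ms> rate <bps>`.

    Mirrors the rule in iproute2's hfsc option parser as I understand it: a burst of
    umax bytes must be served within dmax, and m2 is the long-term rate. Exact
    Fractions are used so the results can be compared without float noise.
    """
    rate = Fraction(rate_bps)
    if umax_bytes == 0:
        # No burst spec: a plain one-piece curve at `rate`.
        return Fraction(0), Fraction(0), rate
    if dmax_ms == 0:
        raise ValueError("umax without dmax is rejected by tc")
    umax_bits = Fraction(umax_bytes * 8)
    dmax_s = Fraction(dmax_ms, 1000)
    burst_slope = umax_bits / dmax_s  # bps needed to push umax out within dmax
    if burst_slope > rate:
        # Concave curve: a steep first segment lasting dmax, then the long-term rate.
        return burst_slope, Fraction(dmax_ms), rate
    # Convex curve: nothing guaranteed for a while, then `rate`; the flat part is
    # exactly long enough that umax is still finished by dmax.
    d_s = dmax_s - umax_bits / rate
    return Fraction(0), d_s * 1000, rate


def delay_ms(curve, packet_bytes):
    """Worst-case time (ms) until `packet_bytes` are fully served under `curve`, starting from idle."""
    m1, d_ms, m2 = curve
    bits = Fraction(packet_bytes * 8)
    if bits == 0:
        return Fraction(0)
    d_s = d_ms / 1000
    first_segment_bits = m1 * d_s  # service the first segment alone can deliver
    if bits <= first_segment_bits:
        return bits / m1 * 1000
    return (d_s + (bits - first_segment_bits) / m2) * 1000


def fmt(curve):
    """Render a curve the way `tc -s class show` prints it, e.g. 'm1 0bit d 6.0ms m2 500000bit'."""
    m1, d_ms, m2 = curve
    return f"m1 {int(m1)}bit d {float(d_ms):.1f}ms m2 {int(m2)}bit"


if __name__ == "__main__":
    # The post's 'sc umax 1500b dmax 30ms rate 500kbit'.
    posted = service_curve(1500, 30, 500_000)
    print(fmt(posted))
    print("1500-byte packet served within", float(delay_ms(posted, 1500)), "ms")
    print("200-byte packet served within", float(delay_ms(posted, 200)), "ms")
    # Constructed variant: a dmax below umax/rate makes the curve concave instead.
    tight = service_curve(1500, 10, 500_000)
    print(fmt(tight), "-> 200-byte packet within", float(delay_ms(tight, 200)), "ms")
```

With umax 1500b dmax 30ms rate 500kbit the curve comes out convex: 12000 bits in 30 ms is only 400 kbit/s, below the 500 kbit/s rate, so tc sets m1 to 0 and shortens the flat segment to 30 ms - 12000/500000 s = 6 ms, which is the `d 6.0ms` in the post. Under that curve nothing is guaranteed for the first 6 ms, a 1500-byte packet is only assured service by 30 ms, and a 200-byte VoIP-sized packet waits up to 9.2 ms. Choosing dmax below umax/rate (10 ms in the constructed case) makes the first segment steep instead, and the same 200-byte packet is served within about 1.3 ms.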
From: gustavo at angulosolido.pt (Gustavo Homem)
Date: Mon Jul 31 01:01:11 2006
Subject: [LARTC] questions about HFSC, VoIP and (dynamic) ingress shaping
In-Reply-To: <20060730225248.GD15275@angulosolido.pt>
References: <200607302309.05290.Daniel@musketa.de> <20060730225248.GD15275@angulosolido.pt>
Message-ID: <20060730230123.GF15275@angulosolido.pt>

On Sun, Jul 30, 2006 at 11:52:48PM +0100, Gustavo Homem wrote:
> On Sun, Jul 30, 2006 at 11:09:04PM +0200, Daniel Musketa wrote:
> > Hello,
> >
> > I just found the great howto and started shaping my internet connection. The
> > howto's last update is a little in the past now so I have some questions
> > about how things are done the best way nowadays ;-)
> >
> > To ensure a stable and low latency voip communication I added an HFSC qdisc to
> > device ppp0 (1 Mbit SDSL). There are two classes (by now): One for SIP and
> > RTP and one for the rest.
> >
> > Question 1: I defined the voip qdisc as
> >
> > tc class add dev ppp0 parent 1:1 classid 1:11 \
> >     hfsc sc umax 1500b dmax 30ms rate 500kbit ul rate 900kbit
> >
> > but "tc -s class show dev ppp0" shows
> >
> > class hfsc 1:11 parent 1:1 sc m1 0bit d 6.0ms m2 500000bit \
> >     ul m1 0bit d 0us m2 900000bit
> >
> > Where does the "0bit d 6.0ms" come from, (what does the other stuff exactly
> > mean) and what would be a good setting for voip traffic?
> >
> > This qdisc only affects outgoing traffic. But I also want to control incoming
> > packets and keep the isp's queue empty.
> >
> > Question 2: What is the best solution for doing this: ingress qdisc, IMQ, ...
> > (there's only one link to isp)?
>
> If you don't want to patch the kernel and your machine has only two network
> interfaces you can shape the outgoing traffic to the internal interface
> instead of the incoming traffic to the internal interface. I have an example
> script here:

"you can shape the outgoing traffic to the internal interface instead of the incoming traffic to the *external* interface"

> http://downloads.angulosolido.pt/QoS/HTB_shaper_adv.sh
>
> It uses HTB for shaping though.
>
> > Much traffic on this line is UDP traffic (OpenVPN).
> >
> > Question 3: If I do policing on incoming traffic, do UDP transmissions care
> > about dropping and reduce transmit speed?
>
> I don't think so, unless that is implemented at the application level. The
> UDP packets shouldn't be dropped unless that's acceptable to a certain extent
> (VoIP) or the application resends as necessary.
>
> > If I begin to control incoming traffic I only want to drop packets that are
> > non voip traffic.
> >
> > Question 4: Is it possible to control what packets are dropped?
>
> Depends if you know the ports they use. If you know it, you just have to mark
> them accordingly.
>
> For example with skype it's a pain in the ass, as it seems not to respect the
> port chosen on the configuration. I solved that by reserving bandwidth per
> workstation, so that each one gets TOTAL/N, extensible to TOTAL if the others
> don't request it. For each workstation there is also a priority rank, but for
> cases like skype, whose ports we can't control, it ends up being up to each
> user to ensure there's enough bandwidth on her share for skype to work.
>
> Take a look at the link I pasted above.
>
> > I always want to have enough bandwidth for incoming voip traffic. But limiting
> > the other stuff to static 180 kbit only because voip packets could sometimes
> > reach a maximum of 800 kbit sounds not so good.
>
> Sure!
>
> > My idea: A script that periodically (or even better: triggered by asterisk)
> > controls the parameters for the ingress shaper (depending on the actual
> > upload traffic produced by voip which could easily be measured with tc).
> >
> > Question 5: Is that possible? Is this necessary at all? Is there already a
> > solution?
>
> I don't think you need this. A setup with HTB solves this problem, since each
> traffic class has a defined RATE as well as a defined CEIL rate, which it will
> take whenever available.
>
> I can't comment about HFSC as I never used it.
>
> Best regards
> Gustavo
>
> > Regards
> > Daniel
> > _______________________________________________
> > LARTC mailing list
> > LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
> --
> Angulo Sólido - Tecnologias de Informação
> http://angulosolido.pt
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

-- 
Angulo Sólido - Tecnologias de Informação
http://angulosolido.pt

From Daniel at musketa.de Mon Jul 31 01:49:20 2006
From: Daniel at musketa.de (Daniel Musketa)
Date: Mon Jul 31 01:49:14 2006
Subject: [LARTC] questions about HFSC, VoIP and (dynamic) ingress shaping
In-Reply-To: <20060730225248.GD15275@angulosolido.pt>
References: <200607302309.05290.Daniel@musketa.de> <20060730225248.GD15275@angulosolido.pt>
Message-ID: <200607310149.20928.Daniel@musketa.de>

Hello, Gustavo,

thank you for your answer.

On Monday, 31 July 2006 00:52, Gustavo Homem wrote:
> On Sun, Jul 30, 2006 at 11:09:04PM +0200, Daniel Musketa wrote:
[...]
> > This qdisc only affects outgoing traffic. But I also want to control
> > incoming packets and keep the isp's queue empty.
> >
> > Question 2: What is the best solution for doing this: ingress qdisc, IMQ,
> > ... (there's only one link to isp)?
>
> If you don't want to patch the kernel and your machine has only two network
> interfaces you can shape the outgoing traffic to the internal interface
> instead of the incoming traffic to the internal interface. I have an
> example script here:
>
> http://downloads.angulosolido.pt/QoS/HTB_shaper_adv.sh
>
> It uses HTB for shaping though.

Sorry, I should have explained in a little more detail: (Nearly) all download traffic is initiated by the machine itself, so I can't use the "limiting the clients" trick here.

> > Much traffic on this line is UDP traffic (OpenVPN).
> >
> > Question 3: If I do policing on incoming traffic, do UDP transmissions
> > care about dropping and reduce transmit speed?
>
> I don't think so, unless that is implemented at the application level. The
> UDP packets shouldn't be dropped unless that's acceptable to a certain
> extent (VoIP) or the application resends as necessary.

I am sure OpenVPN resends dropped packets (sooner or later) but don't know yet if it adapts its transmit rate to the rate of the reply packets ...

> > If I begin to control incoming traffic I only want to drop packets that
> > are non voip traffic.
> >
> > Question 4: Is it possible to control what packets are dropped?
>
> Depends if you know the ports they use. If you know it, you just have to
> mark them accordingly.
>
> For example with skype it's a pain in the ass,

The only voip traffic (over ppp0) is produced by an asterisk server (on the same machine). I know all used ports (SIP and RTP) and for outgoing packets I already mark them with iptables.

> > My idea: A script that periodically (or even better: triggered by
> > asterisk) controls the parameters for the ingress shaper (depending on
> > the actual upload traffic produced by voip which could easily be measured
> > with tc).
> >
> > Question 5: Is that possible? Is this necessary at all? Is there already
> > a solution?
>
> I don't think you need this. A setup with HTB solves this problem, since
> each traffic class has a defined RATE as well as a defined CEIL rate, which
> it will take whenever available.

But then I need IMQ and a patched kernel, right?

> Best regards
> Gustavo

Thank you very much for your help ...

Daniel

From jarkap at poczta.onet.pl Mon Jul 31 08:23:40 2006
From: jarkap at poczta.onet.pl (Jarek Poplawski)
Date: Mon Jul 31 08:23:12 2006
Subject: [LARTC] Re: Problem with iptables with -j TOS and MARK
In-Reply-To:
References: <44CA065A.9090903@ehas.org>
Message-ID:

On 28-07-2006 15:57, Jarek Poplawski wrote:
> On 28-07-2006 14:43, makevuy wrote:
>> Hi,
>>
>> I would want to mark the packets that are entering in a machine, with
>> a mark for using diffserv with DSMARK.
>>
>> My machine has 2 interfaces, an ethernet and a wireless. The ethernet
>> interface is eth1 and the other is wifi0.
>>
>> First, I would want to test that I would be able to mark the tos of the
>> packets that I would be receiving, for this I write in the console of
>> my linux:
>>
>> iptables -A PREROUTING -i eth1 -t mangle -p udp -j TOS --set-tos 0x20
>>
>> But the TOS doesn't change (I see this with ethereal)
>>
>> What could be the problem?
>
> If I can remember, TOS is inserted for real some time later, so try to
> investigate on forward or postrouting.

After short weekend testing my memory turned out to be faulty again - it can remember only every second bit (because it's old!). Iptables -j TOS and -j DSCP should change the tos field of ip headers at once (this could be seen with -j LOG everywhere after this setting). This field can influence the way a packet is classified by some qdisc like prio, but not directly - the inner priority field is taken for this. And this priority is computed from tos only in forward. So probably ethereal showed packets before the changes or you have some problem with iptables.

Jarek P.

From jarkap at poczta.onet.pl Mon Jul 31 09:03:20 2006
From: jarkap at poczta.onet.pl (Jarek Poplawski) Date: Mon Jul 31 09:03:00 2006 Subject: [LARTC] Re: problem in Route add using netlink In-Reply-To: <20060725145938.68004.qmail@web8327.mail.in.yahoo.com> References: <20060725145938.68004.qmail@web8327.mail.in.yahoo.com> Message-ID: On 25-07-2006 16:59, VijayaLakshmi Seshadri wrote: > Hi all > I am trying to implement "route add" using netlink. The changes are not > reflected in the routing table. I have given my code and screen shots of > the routing tables. > > Can anybody tell me if there is any mistake I am making in defining the fields, > or any other mistake I am committing? > > thanks > > viji I had some free time at the weekend - it's probably too late and I hope you've found these bugs already, but maybe someone else (like me) will be looking here some day with a similar problem, so here is what I've found. Jarek P
>
> //////////////////////////////////// CODE //////////////////////////////////////////////////
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <unistd.h>
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <arpa/inet.h>
> #include <net/if.h>
> #include <linux/netlink.h>
> #include <linux/rtnetlink.h>
> #define BUFSIZE 192
> struct route_info{
>     u_int dstAddr;
>     u_int srcAddr;
>     u_int gateWay;
>     char ifName[IF_NAMESIZE];
> };
> void fillRoute (struct route_info *rinfo, const char* dstAddr,
>                 const char* srcAddr, const char* gateway, const char* ifName)
> {
>     /* Convert from the standard numbers and dots notation
>        to binary data */
>     inet_aton("192.168.51.0", (struct in_addr *)&rinfo->dstAddr);
>     inet_aton("192.168.51.90", (struct in_addr *)&rinfo->gateWay);
> }
Of corse you always have to be sure to have the valid route to 192.168.51.90 on the testing box...
> int addAttr (struct nlmsghdr *nlhdr, int maxlen, int type,
>              void *data, int alen)
> {
>     struct rtattr *rta;
>     int len = RTA_LENGTH(alen);
>     if (NLMSG_ALIGN(nlhdr->nlmsg_len) + len > maxlen)
>         return -1;
>     rta = (struct rtattr*)((char *)nlhdr + NLMSG_ALIGN(nlhdr->nlmsg_len));
>     rta->rta_type = type;
>     rta->rta_len = len;
>     memcpy(RTA_DATA(rta), data, alen);
>     nlhdr->nlmsg_len = NLMSG_ALIGN(nlhdr->nlmsg_len) + len;
>     return 0;
> }
> int main()
> {
>     struct nlmsghdr *nlMsg;
>     struct rtmsg *rtMsg;
>     char dstAddr[30] ;
>     char srcAddr[30] ;
>     char gateway[30] ;
>     char ifName[30];
>     char msgBuf[BUFSIZE];
>     struct route_info rinfo;
>     int sock, len, msgSeq = 0;
>     int val, i;
>     /* Create Socket */
>     if((sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE)) < 0)
>         perror("Socket Creation: ");
>     /* Initialize the buffer */
>     memset(msgBuf, 0, BUFSIZE);
>     /* point the header and the msg structure pointers into the buffer */
>     nlMsg = (struct nlmsghdr *)msgBuf;
>     rtMsg = (struct rtmsg *)NLMSG_DATA(nlMsg);
>     /* Fill in the nlmsg header*/
>     nlMsg->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg)); // Length of message.
>     nlMsg->nlmsg_type = RTM_NEWROUTE;   // Get the routes from kernel routing table .
>     nlMsg->nlmsg_flags = NLM_F_CREATE ; // The message is a request for dump.
// the flag is needed here: nlMsg->nlmsg_flags = NLM_F_CREATE | NLM_F_REQUEST;
>     nlMsg->nlmsg_seq = msgSeq++;        // Sequence of the message packet.
>     nlMsg->nlmsg_pid = getpid();        // PID of process sending the request.
>     rtMsg->rtm_family = AF_INET;
>     rtMsg->rtm_table = RT_TABLE_UNSPEC;
>     rtMsg->rtm_dst_len = 16;
>     rtMsg->rtm_src_len = 16;
// this should be address' lengths in bits so: rtMsg->rtm_dst_len = 32; rtMsg->rtm_src_len = 32;
>     rtMsg->rtm_scope = RT_SCOPE_UNIVERSE;
>     rtMsg->rtm_type = RTN_UNICAST;
>     rtMsg->rtm_protocol = RTPROT_UNSPEC;
>     rtMsg->rtm_flags = RTM_F_NOTIFY;
>     fillRoute (&rinfo, dstAddr, srcAddr, gateway, ifName);
>     addAttr (nlMsg, BUFSIZE, RTA_DST, &rinfo.dstAddr, 4);
>     addAttr (nlMsg, BUFSIZE, RTA_GATEWAY, &rinfo.gateWay, 4);
>     /* Send the request */
>     if((val = send(sock, nlMsg, nlMsg->nlmsg_len,0 )) < 0){
>         printf("Write To Socket Failed...\n");
>         return -1;
>     }
>     printf (" No of Bytes sent %d \n", val);
>     printf (" Value that is sent \n " );
>     for (i =0 ; i < val ; i ++)
>         printf ("%u", msgBuf[i]);
>     printf ("\n");
>     close(sock);
>     return 0;
> }
>
> //////////////////////////////////////////////////////////////////////////////////////////////////////////
> OUTPUT
> [root@vijdom]gcc netlink_addroute.c -o addroute
> [root@vijdom]# ./addroute
> No of Bytes sent 44
> Value that is sent
> 4400024004000042949672398800216160000101008010429496723242949672085108050429496723242949672085190
> //////////////////////////////////////////////////////////////////////////////////////////////////////////
>
> SCREEN SHOTS
>
> *Routing table before execution of program*
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.51.0    *               255.255.255.0   U     0      0        0 eth0
> 169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> default         embedded        0.0.0.0         UG    0      0        0 eth0
>
> *Routing table after the execution of program*
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.51.0    *               255.255.255.0   U     0      0        0 eth0
> 169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> default         embedded        0.0.0.0         UG    0      0        0 eth0
>
> _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc From jarkap at poczta.onet.pl Mon Jul 31 09:24:40 2006 From: jarkap at poczta.onet.pl (Jarek Poplawski) Date: Mon Jul 31 09:24:01 2006 Subject: [LARTC] Re: problem in Route add using netlink In-Reply-To: References: <20060725145938.68004.qmail@web8327.mail.in.yahoo.com> Message-ID: On 31-07-2006 09:03, Jarek Poplawski wrote: ... > Of corse you always have to be sure to have the valid route to Cursed! I wish I could "spel" too: http://www.cherwell.org/of_corse_we_can_spel Jarek P. From sinha.mrinal at yahoo.co.in Mon Jul 31 10:43:31 2006
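The same RTM_NEWROUTE request, built the way the review above says it should be, as an added example (not the program from the thread, and not part of the list archive): the header carries NLM_F_REQUEST, the prefix length is given in bits, and NLM_F_ACK is set so the kernel answers with an NLMSG_ERROR message whose error field can be checked instead of printing the raw bytes. The constants are the values from <linux/netlink.h> and <linux/rtnetlink.h>; the only assumption is that the Python socket module was built with AF_NETLINK support (Linux), which is needed only by add_route(). Building and decoding the message needs no privileges; sending it needs CAP_NET_ADMIN.

```python
"""Build and optionally send an RTM_NEWROUTE netlink request.

Added example, not the program posted in the thread. It applies the two
fixes from the review (NLM_F_REQUEST on the header, prefix lengths in
bits) and adds NLM_F_ACK so the kernel's answer can be checked.
Struct layouts follow the kernel headers: nlmsghdr = 16 bytes, rtmsg = 12,
rtattr = 4 + payload, both padded to 4-byte boundaries.
"""
import socket
import struct

NETLINK_ROUTE = 0
NLMSG_ERROR = 2
NLM_F_REQUEST = 0x01
NLM_F_ACK = 0x04
NLM_F_CREATE = 0x400
RTM_NEWROUTE = 24
RT_TABLE_MAIN = 254
RTPROT_STATIC = 4
RT_SCOPE_UNIVERSE = 0
RTN_UNICAST = 1
RTA_DST = 1
RTA_OIF = 4
RTA_GATEWAY = 5
NLMSG_HDRLEN = 16


def nl_align(n):
    """NLMSG_ALIGN / RTA_ALIGN: round up to a multiple of 4."""
    return (n + 3) & ~3


def rtattr(rta_type, payload):
    """One struct rtattr (len, type) followed by its padded payload."""
    length = 4 + len(payload)
    pad = b"\0" * (nl_align(length) - length)
    return struct.pack("=HH", length, rta_type) + payload + pad


def build_newroute(dst, prefix_len, gateway, oif_index=0, seq=1, pid=0):
    """Return a complete RTM_NEWROUTE request for an IPv4 unicast route."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be 0..32 (bits, not bytes)")
    attrs = rtattr(RTA_DST, socket.inet_aton(dst))
    attrs += rtattr(RTA_GATEWAY, socket.inet_aton(gateway))
    if oif_index:
        attrs += rtattr(RTA_OIF, struct.pack("=i", oif_index))
    # struct rtmsg: family, dst_len, src_len, tos, table, protocol, scope, type, flags
    rtmsg = struct.pack("=BBBBBBBBI", socket.AF_INET, prefix_len, 0, 0,
                        RT_TABLE_MAIN, RTPROT_STATIC, RT_SCOPE_UNIVERSE,
                        RTN_UNICAST, 0)
    payload = rtmsg + attrs
    # struct nlmsghdr: len, type, flags, seq, pid. REQUEST is mandatory for
    # anything sent to the kernel; ACK asks for an NLMSG_ERROR reply.
    hdr = struct.pack("=IHHII", NLMSG_HDRLEN + len(payload), RTM_NEWROUTE,
                      NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE, seq, pid)
    return hdr + payload


def nlmsg_fields(msg):
    """Decode the nlmsghdr at the front of msg: (len, type, flags, seq, pid)."""
    return struct.unpack_from("=IHHII", msg, 0)


def parse_ack(reply):
    """Return the positive errno from an NLMSG_ERROR reply (0 means success)."""
    _, nlmsg_type, _, _, _ = nlmsg_fields(reply)
    if nlmsg_type != NLMSG_ERROR:
        raise ValueError("expected NLMSG_ERROR, got message type %d" % nlmsg_type)
    (error,) = struct.unpack_from("=i", reply, NLMSG_HDRLEN)  # struct nlmsgerr.error
    return -error


def add_route(dst, prefix_len, gateway, oif_index=0):
    """Send the request (needs CAP_NET_ADMIN) and return the kernel's errno."""
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_ROUTE)
    try:
        sock.bind((0, 0))  # the kernel assigns the port id and answers to it
        sock.send(build_newroute(dst, prefix_len, gateway, oif_index))
        return parse_ack(sock.recv(4096))
    finally:
        sock.close()


if __name__ == "__main__":
    # a host route via a gateway that must already be reachable on this box
    print("kernel replied errno", add_route("192.168.51.77", 32, "192.168.51.90"))
```

The message built for the thread's own arguments is 44 bytes long, the same size the posted program sent, which is why "No of Bytes sent 44" alone proves nothing: the kernel silently ignores a request without NLM_F_REQUEST, and without NLM_F_ACK there is no reply to read. With the ACK, a failed insert comes back as a positive errno (for example 17, EEXIST, when the route is already there).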
From: sinha.mrinal at yahoo.co.in (Mrinal Sinha) Date: Mon Jul 31 10:43:23 2006 Subject: [LARTC] Problem with routing for multiple uplinks/providers using iproute2 In-Reply-To: <7a3751050607290434i7ac9213bx239d9cc3676933d5@mail.gmail.com> Message-ID: <20060731084331.64083.qmail@web8612.mail.in.yahoo.com> serban, thanks for the reply. I don't think there's any IRQ sharing taking place; still, I am a newbie, so I'd appreciate it if you check the two lines which have anything to do with eth*:

169: 723767 725131 723893 724004 IO-APIC-level uhci_hcd:usb2, eth0
185: 57275 56839 56322 56789 IO-APIC-level uhci_hcd:usb4, eth1

We have made an rc.init file which contains the required commands for iproute to be executed, and this file gets executed by rc.local. So the rc.init file is:

#!/bin/sh
P1_NET=144.16.129.0/20
P2_NET=202.141.12.177/28
IF1=eth0
IF2=eth1
T1=vsnl
T2=ernet
P1=144.16.141.30
P2=202.141.12.177
IP1=144.16.129.50
IP2=202.141.12.183
ip route add $P1_NET dev $IF1 src $IP1 table $T1
ip route add default via $P1 table $T1
ip route add $P2_NET dev $IF2 src $IP2 table $T2
ip route add default via $P2 table $T2
ip route del default
ip route add default scope global nexthop via 144.16.141.30 dev eth0 weight 1 nexthop via 202.141.12.178 dev eth1 weight 1
ip route add $P1_NET dev $IF1 src $IP1
ip route add $P2_NET dev $IF2 src $IP2
ip rule add from $IP1 table $T1
ip rule add from $IP2 table $T2
touch /var/lock/subsys/local
echo "keycode 14 = BackSpace" | loadkeys

Hope this helps in understanding the problem. Thanks and regards, Mrinal Serban Murariu wrote: could you paste your rc.local? also make sure that your nics are not doing any irq sharing; cat /proc/interrupts and look for a line that states (for example) 5: 409350163 XT-PIC eth2, eth1 From rajeshmahajan09 at gmail.com Mon Jul 31 10:52:19 2006 From: rajeshmahajan09 at gmail.com (Rajesh Mahajan) Date: Mon Jul 31 10:52:05 2006 Subject: [LARTC] IFB vs IMQ In-Reply-To: <44BD5C92.6090304@andyfurniss.entadsl.com> References: <44BD5C92.6090304@andyfurniss.entadsl.com> Message-ID: Can you please explain where IFB is really placed in the Linux network stack? Are iptables rules applicable to it? On 7/19/06, Andy Furniss wrote: > Rajesh Mahajan wrote: > > Is IFB really a replacement for IMQ? > > Mostly - it hooks before/after netfilter though, so if you really need > IMQ to hook "in" netfilter (eg. to get denatted addresses on ingress so > you can separate INPUT and FORWARD traffic), you still need IMQ. > > Andy. > From gustavo at angulosolido.pt Mon Jul 31 11:33:18 2006
From: gustavo at angulosolido.pt (Gustavo Homem) Date: Mon Jul 31 11:33:40 2006 Subject: [LARTC] questions about HFSC, VoIP and (dynamic) ingress shaping In-Reply-To: <200607310149.20928.Daniel@musketa.de> References: <200607302309.05290.Daniel@musketa.de> <20060730225248.GD15275@angulosolido.pt> <200607310149.20928.Daniel@musketa.de> Message-ID: <200607311033.18262.gustavo@angulosolido.pt> Hello Daniel, > > > > If you don't want to patch the kernel and your machine has only two > > network interfaces you can shape the outgoing traffic to the internal > > interface instead of the incoming traffic to the internal interface. I > > have an example script here: > > > > http://downloads.angulosolido.pt/QoS/HTB_shaper_adv.sh > > > > It uses HTB for shaping though. > > Sorry, I should have explained a little more detailed: (Nearly) all > download traffic is initiated by the machine itself, so I can't use the > "limiting the clients" trick here. Ah... I see... > > > Question 4: Is it possible to control what packets are dropped? > > > > Depends if you know the ports they use. If you know it, you just have to > > mark them accordingly. > > > > For example with skype it's a pain in the ass, > > The only voip traffic (over ppp0) is produced by an asterisk server (on the > same machine). I know all used ports (SIP and RTP) and for outgoing packets > I already mark them with iptables. > So you can match them to the appropriate class. > > > My idea: A script that periodically (or even better: triggered by > > > asterisk) controls the parameters for the ingress shaper (depending on > > > the actual upload traffic produced by voip which could easily be > > > measured with tc). > > > > > > Question 5: Is that possible? Is this necessary at all? Is there > > > already a solution? > > > > I don't think you need this. A setup with HTB solves this problem, since > > each traffic class has a defined RATE as well as a defined CEIL rate, > > which it will take whenever available.
> > But then I need IMQ and a patched kernel, right? For the script I pointed to you don't need it, because HTB is part of the standard kernel. However for your case, where most of the incoming traffic goes directly to the router machine, I think so. If you decide to go that way, take a look at this howto: http://www.tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/index.html Good luck! Gustavo > > > Best regards > > Gustavo > > Thank you very much for your help ... > Daniel -- Ângulo Sólido - Tecnologias de Informação http://angulosolido.pt From don at bowenvale.co.nz Mon Jul 31 13:49:18 2006 From: don at bowenvale.co.nz (Don Gould) Date: Mon Jul 31 13:49:30 2006 Subject: [LARTC] HOWTO: Hello New MAC / DHCP Request - How to spot the presence of a new MAC address... In-Reply-To: <200607082046.32174@axl.clue.co.za> References: <44AE5FD8.1020307@bowenvale.co.nz> <200607082046.32174@axl.clue.co.za> Message-ID: <44CDEE3E.3000606@bowenvale.co.nz> Sheldon Hearn wrote: > I'm sure you could engineer something really impressive, but you could > probably get away with a lot less effort by simply tailing whatever > dhcpd logs to (possibly /var/log/messages). Yes, that discussion has been had somewhere... Some research into dnsmasq and a few emails to the guy who wrote it showed up the answer... > You may not need to make any source changes at all: dnsmasq will call a custom script whenever a DHCP lease is created or destroyed: see the --dhcp-script flag in the manpage for details. The MAC address and IP address and name of the host are passed to the script. -- Don Gould www.thinkdesignprint.co.nz - www.tcn.bowenvale.co.nz - www.bowenvale.co.nz - www.hearingbooks.co.nz - SkypeMe: ThinkDesignPrint From lists at andyfurniss.entadsl.com Mon Jul 31 15:41:49 2006
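A hook of the kind the dnsmasq author describes, as an added example (not code from the thread or from the dnsmasq project): dnsmasq runs the --dhcp-script program with the arguments action ("add", "old" or "del"), MAC address, IP address and, if known, hostname. The script below keeps a file of MAC addresses it has already seen and appends an alert line when a lease is granted to a new one. The file paths KNOWN_MACS and ALERT_LOG are assumptions (overridable through the environment); the test data is constructed.

```python
#!/usr/bin/env python3
"""dnsmasq --dhcp-script hook that flags MAC addresses never seen before.

Added example, not code from the thread or from dnsmasq itself. dnsmasq
runs the script as
    <script> <action> <mac> <ip> [hostname]
with action "add" (new lease), "old" (renewal, and every existing lease
at startup) or "del" (lease expired or released). The two paths below are
assumptions; dnsmasq's own lease database is not touched.
"""
import os
import sys
import time

KNOWN_MACS = os.environ.get("KNOWN_MACS", "/var/lib/dnsmasq/known-macs")
ALERT_LOG = os.environ.get("ALERT_LOG", "/var/log/new-mac.log")


def load_known(path):
    """Return the set of lower-cased MACs stored one per line in path."""
    try:
        with open(path) as fh:
            return {line.strip().lower() for line in fh if line.strip()}
    except FileNotFoundError:
        return set()


def handle_lease(action, mac, ip, hostname="", known_path=KNOWN_MACS, alert_path=ALERT_LOG):
    """Process one dnsmasq callback. Returns True if mac was new and got recorded."""
    mac = mac.lower()
    if action not in ("add", "old"):
        return False  # "del": nothing new can be learned from a lease going away
    if mac in load_known(known_path):
        return False
    stamp = time.strftime("%Y-%m-%dT%H:%M:%S")
    # alert first, then remember: a crash between the two repeats the alert
    # rather than losing it
    with open(alert_path, "a") as fh:
        fh.write("%s NEW-MAC %s ip=%s host=%s action=%s\n"
                 % (stamp, mac, ip, hostname or "-", action))
    with open(known_path, "a") as fh:
        fh.write(mac + "\n")
    return True


if __name__ == "__main__":
    if len(sys.argv) < 4:
        sys.exit("usage: %s add|old|del MAC IP [hostname]" % sys.argv[0])
    hostname = sys.argv[4] if len(sys.argv) > 4 else ""
    handle_lease(sys.argv[1], sys.argv[2], sys.argv[3], hostname)
```

Install it with `dhcp-script=/path/to/script` in dnsmasq.conf. Because dnsmasq replays every lease with "old" at startup, the known-MAC file fills itself on the first run, after which only genuinely new hardware produces an alert line. Keep in mind what this does and does not prove: the MAC address is supplied by the client, so the hook spots new devices but not a device that copies a known address.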
From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Mon Jul 31 15:41:08 2006 Subject: [LARTC] questions about HFSC, VoIP and (dynamic) ingress shaping In-Reply-To: <200607302309.05290.Daniel@musketa.de> References: <200607302309.05290.Daniel@musketa.de> Message-ID: <44CE089D.8080304@andyfurniss.entadsl.com> Daniel Musketa wrote: > Hello, > > I just found the great howto and started shaping my internet connection. The > howto's last update is a little in the past now so I have some questions > about how things are done the best way nowadays ;-) > > > To ensure a stable and low latency voip communication I added an HFSC qdisc to > device ppp0 (1 Mbit SDSL). There are two classes (by now): One for SIP and > RTP and one for the rest. > > Question 1: I defined the voip qdisc as > > tc class add dev ppp0 parent 1:1 classid 1:11 \ > hfsc sc umax 1500b dmax 30ms rate 500kbit ul rate 900kbit > > but "tc -s class show dev ppp0" shows > > class hfsc 1:11 parent 1:1 sc m1 0bit d 6.0ms m2 500000bit \ > ul m1 0bit d 0us m2 900000bit > > Where does the "0bit d 6.0ms" come from, (what does the other stuff exactly > mean) and what would be a good setting for voip traffic? I still get confused thinking about hfsc and the examples I've seen. I think it's because I can't get away from thinking about what really happens and the numbers like dmax must relate to something other than max delay, which will be related to your setup - hmm I suppose you should change the numbers to fit.... - see I'm confused again :-) Also the original paper and bsd docs relate to something different to linux hfsc which has link share and upper limit curves (which make it a lot more useful). Just take it that any suggestions I make are probably wrong :-) You can specify the settings for a class in two ways and tc shows only one of them.
dmax 30ms @ 500 kbit with 1500 packet - the bitrate latency of a 1500 byte packet @ 500kbit is 24ms, you say 30 so there is 6ms "spare", so a plot of that curve will be 6ms at 0bit and then 500kbit. This is more like I would have for a bulk class - which I would also make ls not rt/sc. Since this is voip I don't think you'll need anything like 1500 byte anyway. For rt/sc you can - as long as you adjust the other curves you can have an m1 of say 1mbit (ie link speed or if you have more than 1 rt link speed/number of rt classes) and an m2 of the long term rate like 500kbit - this I think is how a class for rt traffic should be specified. > This qdisc only affects outgoing traffic. But I also want to control incoming > packets and keep the isp's queue empty. > > Question 2: What is the best solution for doing this: ingress qdisc, IMQ, ... > (there's only one link to isp)? Ingress shaping (by which I mean where you are the wrong end of a bottleneck) is not totally doable like egress - depends on link speed, requirements and what the users do to some extent. You will need to sacrifice bandwidth whether you police or shape - say 20% to 50%. You will need to keep buffers (virtual or real) fairly short - headdropping would be nicer than tail for real queues, but you can't without hacking code - and waste bandwidth by dropping packets that already used your link (though you can think of these as coming out of what you already sacrificed, you will still be billed/metered if you pay like that). There are other tweaks you can try eg when I had a 500kbit link, getting out of tcp slowstart using connbytes to mark and sending first XkB bulk to a shorter lower rate queue than normal. IFB is an in kernel replacement for IMQ - there are still things you can't do with it or policers eg if you are doing nat and need to get the ingress traffic after it's been denatted by netfilter. > > Much traffic on this line is UDP traffic (OpenVPN).
> > Question 3: If I do policing on incoming traffic, do UDP transmissions care > about dropping and reduce transmit speed? > Yes if it's tcp in udp for vpn then it will behave like tcp - for other udp it will be app specific. > > If I begin to control incoming traffic I only want to drop packets that are > non voip traffic. > > Question 4: Is it possible to control what packets are dropped? > Yes - well maybe, if you use policers + actions you can choose what happens to overrate traffic. I think you will need to test what really happens, though - maybe it will work out on average rather than for definite (I am thinking that the overlimits traffic does not get accounted for by meters/ rate estimators). > > > I always want to have enough bandwidth for incoming voip traffic. But limiting > the other stuff to static 180 kbit only because voip packets could sometimes > reach a maximum of 800 kbit sounds not so good. > > My idea: A script that periodically (or even better: triggered by asterisk) > controls the parameters for the ingress shaper (depending on the actual > upload traffic produced by voip which could easily be measured with tc). > > Question 5: Is that possible? Is this necessary at all? Is there already a > solution? Could be one way to do it, though it may be unnecessary depending on what you do eg ifb or policers - in fact I think both could work without scripting. One bonus of scripting would be if you can change things before the new ingress traffic starts - queueing/policing only react when it's too late so it's really hard to avoid brief (maybe insignificant for most people) latency bursts (this applies to every new tcp connection as well). Andy. From lists at andyfurniss.entadsl.com Mon Jul 31 15:47:53 2006
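The arithmetic Andy does by hand above (1500 bytes at 500 kbit takes 24 ms, so dmax 30 ms leaves a 6 ms flat segment) is exactly the conversion tc applies when it turns an `umax/dmax/rate` service curve into the `m1/d/m2` form that `tc -s class show` prints. The block below reproduces that rule as an added example; it is not code from the thread or from iproute2, and the voice-packet numbers in the second call are made up for illustration. If umax can be transmitted within dmax at the long-term rate, tc emits a flat first segment (m1 = 0) that only delays; if it cannot, the first segment is steeper than the long-term rate so that the umax-byte packet still makes dmax.

```python
"""Recompute what tc prints for an HFSC 'umax/dmax/rate' service curve.

Added example, not code from the thread or from iproute2. It follows the
conversion in iproute2's tc/q_hfsc.c: rates are handled in bytes/s and
delays in microseconds internally, and the result is shown in bit/s as
'tc -s class show' does.
"""
import math


def serialization_delay_us(packet_bytes, rate_bps):
    """Microseconds needed to clock packet_bytes onto a link of rate_bps."""
    return packet_bytes * 8 * 1e6 / rate_bps


def hfsc_sc(umax_bytes, dmax_us, rate_bps):
    """Return (m1_bps, d_us, m2_bps) for 'sc umax <umax> dmax <dmax> rate <rate>'."""
    if dmax_us == 0:
        if umax_bytes:
            raise ValueError("umax without dmax is rejected by tc")
        return 0, 0, rate_bps
    rate_Bps = rate_bps / 8.0
    m1_Bps = math.ceil(umax_bytes * 1e6 / dmax_us)  # bytes/s needed to meet dmax
    if m1_Bps > rate_Bps:
        # concave curve: umax bytes within dmax, then drop to the long-term rate
        return m1_Bps * 8, dmax_us, rate_bps
    # convex curve: m1 = 0 until (dmax - umax/rate), then the long-term rate
    d_us = math.ceil(dmax_us - umax_bytes * 1e6 / rate_Bps)
    return 0, d_us, rate_bps


def describe(umax_bytes, dmax_us, rate_bps):
    """Format the curve the way tc prints it."""
    m1, d, m2 = hfsc_sc(umax_bytes, dmax_us, rate_bps)
    return "m1 %dbit d %.1fms m2 %dbit" % (m1, d / 1000.0, m2)


if __name__ == "__main__":
    # the curve from the question: 1500 B at 500 kbit needs 24 ms, dmax 30 ms leaves 6 ms flat
    print(describe(1500, 30000, 500000))
    # a voice-sized packet with a tight delay target gets a steep first segment instead
    print(describe(200, 5000, 100000))
```

The first call reproduces the "m1 0bit d 6.0ms m2 500000bit" line from the question. The second shows the shape Andy suggests for real-time traffic: a small umax with a dmax below its serialization time at the long-term rate yields an m1 above m2, which is the steep first segment a VoIP class wants.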
From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Mon Jul 31 15:47:17 2006 Subject: [LARTC] IFB vs IMQ In-Reply-To: References: <44BD5C92.6090304@andyfurniss.entadsl.com> Message-ID: <44CE0A09.5060002@andyfurniss.entadsl.com> Rajesh Mahajan wrote: > Can you please explain where IFB is really placed in the Linux network stack? > > Are iptables rules applicable to it? I don't know exactly - as for iptables rules, you can use marks if you are hooking ifb on egress as it's after netfilter. I suppose what's possible depends on your setup and what you need to do. Andy. From lists at andyfurniss.entadsl.com Mon Jul 31 15:53:21 2006 From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Mon Jul 31 15:52:40 2006 Subject: [LARTC] Why SFQ? In-Reply-To: <44C3A747.60804@amnafzar.com> References: <44C3A747.60804@amnafzar.com> Message-ID: <44CE0B51.8000606@andyfurniss.entadsl.com> S.Mehdi Sheikhalishahi wrote: > Hello, > Why do Linux users use SFQ as leaf queueing discipline instead of RED > and others? > We don't all - I guess a lot of the examples do though. SFQ does rough fairness for individual connections within a class - nothing else does (well RED a bit). It does have less desirable aspects like perturb causing packet reordering, and not using perturb means it's less fair between flows. Andy. From lists at andyfurniss.entadsl.com Mon Jul 31 16:00:23 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Mon Jul 31 15:59:41 2006 Subject: [LARTC] SRR qdisc In-Reply-To: <44C8BE65.6060107@strace.net> References: <44C8BE65.6060107@strace.net> Message-ID: <44CE0CF7.1000105@andyfurniss.entadsl.com> Dmitry Labutcky wrote: > Hi all, > > I wrote a new qdisc SRR (Simple Round Robin). This is just another > reimplementation > of round robin packet distribution. I'm not using SFQ/ESFQ source code > and algorithms > in this scheduler. The main goal of this work is not to let multistream > download managers > take all the bandwidth resources. > Please test this: http://mordor.strace.net/sched-srr/ > Haven't looked yet, but IIRC someone posted a patch on netdev for sfq to do this - possibly used jhash as well. The man page incorrectly says sfq doesn't use dst port anyway IIRC. It would be nice to have something better than (e)sfq eg for esfq multi level - for user fairness and connection fairness within that. Preferably fair without packet reordering as well - maybe a bit of a tall order. Andy. From mfdutra at gmail.com Mon Jul 31 18:53:35 2006
From: mfdutra at gmail.com (Marlon Dutra) Date: Mon Jul 31 18:53:23 2006 Subject: [LARTC] Weird HTB behaviour in 2.6.17 In-Reply-To: <44CAB4E6.90307@trash.net> References: <30dd942a0607271045o73dfc680r6bd2695e257a982b@mail.gmail.com> <30dd942a0607281025o30fe5345o784ce3e4dca5024b@mail.gmail.com> <44CA5D26.5030209@andyfurniss.entadsl.com> <30dd942a0607281212l4b9ca152j43bd088b5a5332b5@mail.gmail.com> <44CA68D3.2040402@andyfurniss.entadsl.com> <44CAB4E6.90307@trash.net> Message-ID: <30dd942a0607310953rf3c9389y9df5ad6b465308fc@mail.gmail.com> Hello, On 7/28/06, Patrick McHardy wrote: > Right, the "problem" is related to TCP segmentation offloading (or GSO > in current kernels). The card gets large chunks of data and is > responsible for creating MTU-sized packets, which essentially means > qdiscs get to see those large chunks of data. You can disable TSO > using ethtool (but it will cost you performance) or configure your > qdisc appropriately. Thanks a lot. It was exactly that. I turned the tso off and HTB is working properly. How can I know the largest chunk of data the kernel sends to the card, so that I can configure qdisc appropriately? In the last post, Jake Altchill recommended using mtu 16500 in the qdiscs, but I'm not sure whether that's a real or just a big number. Regards. -- Marlon From russell-tcatm at stuart.id.au Mon Jul 31 01:06:06 2006 
From: russell-tcatm at stuart.id.au (Russell Stuart) Date: Mon Jul 31 23:32:24 2006 Subject: [LARTC] Re: [PATCH 0/2] NET: Accurate packet scheduling for ATM/ADSL In-Reply-To: <1153371364.4231.61.camel@ras.pc.brisbane.lube> References: <1150278004.26181.35.camel@localhost.localdomain> <1150286766.5233.15.camel@jzny2> <1150287983.3246.27.camel@ras.pc.brisbane.lube> <1150292693.5197.1.camel@jzny2> <1150843471.17455.2.camel@ras.pc.brisbane.lube> <15653CE98281AD4FBD7F70BCEE3666E53CD54A@comxexch01.comx.local> <1151000966.5392.34.camel@jzny2> <1151066247.4217.254.camel@ras.pc.brisbane.lube> <1151158431.6716.95.camel@jzny2> <1153188409.13145.5.camel@ras.pc.brisbane.lube> <44BD56A4.9090002@andyfurniss.entadsl.com> <1153270932.4242.60.camel@ras.pc.brisbane.lube> <44BE46A6.8000207@trash.net> <1153371364.4231.61.camel@ras.pc.brisbane.lube> Message-ID: <1154300766.4236.5.camel@ras.pc.brisbane.lube> On Thu, 2006-07-20 at 14:56 +1000, Russell Stuart wrote: > On Wed, 2006-07-19 at 16:50 +0200, Patrick McHardy wrote: > > Please excuse my silence, I was travelling and am still catching up > > with my mails. > > Sorry. Had I realised you were busy I would have > waited. > > > > - As it stands, it doesn't help the qdiscs that use > > > RTAB. So unless he proposes to remove RTAB entirely > > > the ATM patch as it will still have to go in. > > > > Why? The length calculated by my STABs (or something similar) > > is used by _all_ qdiscs. Not only for transmission time calculation, > > but also for statistics and estimators. > > Oh. I didn't see where it is used for the time > calculation in your patch. Did I miss something, > or is that the unfinished bit? > > This is possibly my stumbling block. If you don't remove > RTAB the ATM patch as stands will be needed. Your patch > didn't remove RTAB, and you didn't say it was intended to, > so I presume it wasn't going to. It has gone quiet again. In my mind the one unresolved issue is whether Patrick intended to remove RTAB with his patch.
If not, the ATM patch as it stands will have to go in. Patrick - it would be nice to hear from you. From oscar at ufomechanic.net Tue Aug 1 11:28:23 2006 From: oscar at ufomechanic.net (Oscar Mechanic) Date: Tue Aug 1 11:28:15 2006 Subject: [LARTC] how to save iproute In-Reply-To: <1151768560.5095.75.camel@localhost.localdomain> References: <1151768560.5095.75.camel@localhost.localdomain> Message-ID: <1154424503.4282.52.camel@OSCARLAPLIN> Say if I have a few routes like this:

ip rule add from 19.21.12.12 lookup 200
ip route add default via 10.0.0.253
ip rule add to 13.1.2.2 lookup 201
ip route add default via 10.0.0.254
ip route add default via 10.0.0.254

How do I save them? I have looked through the list and have googled this Q for some time and do not have any concrete answers. I have read that you just save and rerun the command but that does not work as the "from all to" is not valid; it has to be the "to" without the "from all". I have used multiple versions of iproute2 and still the same problem. I wrote a script and put in many sed's to get around problems but it's nasty code. Surely someone has solved this; is there a "saveall" script or bin that is distro independent? Thanks. From baltasar.cevc at former03.de Tue Aug 1 11:54:17 2006
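What the sed-heavy script in the question is trying to do, as an added example that is not code from the thread: read the text that `ip rule show` and `ip route show table N` print and turn it back into `ip rule add` / `ip route add` commands, dropping the "from all" that `ip rule show` prints in front of every other selector, skipping the three built-in rules (local, main, default) and the `proto kernel` routes that the kernel recreates by itself, and keeping the preference number so the rules come back in the same order. The sample outputs embedded in the block are constructed to match the two rules in the question; the classic one-rule-per-line text format is assumed.

```python
"""Turn 'ip rule show' / 'ip route show table N' output into replayable commands.

Added example, not code from the thread. SAMPLE_RULES and SAMPLE_ROUTES are
constructed to match the question (rules added without 'pref' get
descending preferences starting at 32765). The parser assumes the classic
text format: 'PREF:<tab>from ... lookup TABLE', one rule per line.
"""
BUILTIN_RULES = {("0", "local"), ("32766", "main"), ("32767", "default")}

# constructed sample of `ip rule show` after the two `ip rule add` lines in the question
SAMPLE_RULES = """\
0:\tfrom all lookup local
32764:\tfrom all to 13.1.2.2 lookup 201
32765:\tfrom 19.21.12.12 lookup 200
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""

# constructed sample of `ip route show table 200` and `ip route show table 201`
SAMPLE_ROUTES = {
    "200": "default via 10.0.0.253 dev eth0\n",
    "201": "default via 10.0.0.254 dev eth0\n"
           "10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.1\n",
}


def rule_to_command(line):
    """One 'ip rule show' line -> 'ip rule add ...', or None for a built-in rule."""
    pref, sep, rest = line.strip().partition(":")
    words = rest.split()
    if not sep or "lookup" not in words:
        return None
    table = words[words.index("lookup") + 1]
    if (pref, table) in BUILTIN_RULES and words == ["from", "all", "lookup", table]:
        return None
    # 'from all' is only a display artefact when another selector is present
    if words[:2] == ["from", "all"] and len(words) > 4:
        words = words[2:]
    # keep the preference so the rules are re-added in the same order
    return "ip rule add pref %s %s" % (pref, " ".join(words))


def route_to_command(line, table):
    """One 'ip route show table X' line -> 'ip route add ... table X', or None."""
    words = line.split()
    if not words:
        return None
    if "proto" in words and words[words.index("proto") + 1] == "kernel":
        return None  # the kernel recreates these when the address comes up
    return "ip route add %s table %s" % (" ".join(words), table)


def dump_to_commands(rule_output, route_outputs):
    """Routes first (so the tables have content), then the rules pointing at them."""
    commands = []
    for table, output in sorted(route_outputs.items()):
        for line in output.splitlines():
            cmd = route_to_command(line, table)
            if cmd:
                commands.append(cmd)
    for line in rule_output.splitlines():
        cmd = rule_to_command(line)
        if cmd:
            commands.append(cmd)
    return commands


if __name__ == "__main__":
    print("\n".join(dump_to_commands(SAMPLE_RULES, SAMPLE_ROUTES)))
```

Feed the real outputs in with `subprocess` (or from files) and write the result to a script that rc.local runs; the table names come from whatever `ip rule show` lists after `lookup`, so tables named in /etc/iproute2/rt_tables work unchanged. Later iproute2 releases also grew `ip route save` / `ip route restore` and `ip rule save` / `ip rule restore`, which dump in a binary netlink format and avoid the parsing altogether.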
From: baltasar.cevc at former03.de (former03 | Baltasar Cevc) Date: Tue Aug 1 11:54:15 2006 Subject: [LARTC] IProute/conntrack issues Message-ID: Hi everybody, sorry for posting again, however I've moved the problem now ;-) After digging a bit deeper, I've successfully set up the routing as such, it works for incoming as well as outgoing packets that take the default route. Changing some of the routes using IP works as well. When I mark some outgoing packets in order to send them via another route (the fast leased line instead of the slow DSL link), packets go out there, the answer comes in, however, they never reach the internal host, as far as I can track down the problem the connection tracking does not recognize the answer as belonging to a known connection, so that the reverse NAT will fail (we use SNAT on outgoing packets). Any help or hints are appreciated! Thanx, Baltasar Some more information:

### Routing looks like
ofc:/home/bc# ip ru sh
0: from all lookup local
5001: from /29 lookup IQ
5002: from lookup DSL
6001: from all fwmark 0x1 lookup IQ
6002: from all fwmark 0x2 lookup DSL
32765: from all lookup main
32766: from all lookup OVERRIDEdefault
32767: from all lookup default
ofc:/home/bc# ip ro sh table IQ
default via dev eth0
ofc:/home/bc# ip ro sh table DSL
default dev ppp0 scope link

main contains local the link routes, OVERRIDEdefault has same contents as DSL (default route via ppp0)

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in  out source   destination
  133 12567 ACCEPT all  --  any any anywhere priv172.net.hoster03.de/12
   16  3560 ACCEPT all  --  any any anywhere priv192.net.hoster03.de/16
    0     0 ACCEPT all  --  any any anywhere priv10.net.hoster03.de/8
    0     0 MARK   tcp  --  any any anywhere anywhere tcp dpt:www MARK set 0x1

### excerpt from /proc/net/ip_conntrack
tcp 6 38 SYN_RECV src=172.26.26.6 dst= sport=65431 dport=80 packets=1 bytes=60 src= dst= sport=80 dport=65431 packets=6 bytes=360 mark=0 use=1

### tcpdump excerpt of eth0
11:34:22.048909 IP (tos 0x0, ttl 63, id 64917, offset 0, flags [DF], length: 60) .65431 > .www: S [tcp sum ok] 2180804841:2180804841(0) win 65535
11:34:22.069640 IP (tos 0x0, ttl 50, id 0, offset 0, flags [DF], length: 60) .www > .65431: S [tcp sum ok] 3611549187:3611549187(0) ack 2180804842 win 5792
[there are more packets like the last as the other host apparently tries to resend]
[there are no packets on ppp0 at the time of the connection]

-- Baltasar Cevc _____ former 03 gmbh _____ infanteriestraße 19 haus 6 eg _____ D-80797 muenchen _____ http://www.former03.de From t.luettgert at pressestimmen.de Tue Aug 1 13:31:26 2006 From: t.luettgert at pressestimmen.de (Torsten Luettgert) Date: Tue Aug 1 13:30:47 2006 Subject: [LARTC] IProute/conntrack issues In-Reply-To: References: Message-ID: <1154431886.2379.10.camel@murdegern.cbxnet.de> On Tue, 2006-08-01 at 11:54 +0200, former03 | Baltasar Cevc wrote: > Hi everybody, > > When I mark some outgoing packets in order to send them via another > route (the fast leased line instead of the slow DSL link), packets go > out there, the answer comes in, however, they never reach the internal > host Sounds like another case of /proc/sys/net/ipv4/conf/*/rp_filter needing to be set to zero. rp_filter causes packets to be dropped that arrive at an interface the kernel wouldn't route the sender address to. Regards, Torsten From makevuy at ehas.org Tue Aug 1 14:18:39 2006
From: makevuy at ehas.org (makevuy) Date: Tue Aug 1 14:18:44 2006 Subject: [LARTC] About iptables with set --tos option Message-ID: <44CF469F.9080605@ehas.org> Hello, I want to set the TOS of packets that are entering my network to the value 0x00 (or another). For this, I'm using iptables with the following command: iptables -t mangle -A FORWARD -i eth1 -s 0/0 -j TOS --set-tos 0x00 The problem occurs when my packets have a previous TOS value different from 0x00, because the command does the following operation: OLD_TOS + 0x00 = OLD_TOS I would like to know if it is possible with iptables to change the TOS of the packets, although the TOS of the packets that are arriving at my network is different from 0x00. Thanks and Regards. -- Sandra Salmerón Ntutumu Tel. (analog): +34 914888405 / Mobile: 653574298 IP phone from FWD: 656212, ext. 10 / IP phone from EHAS: 010010 Fundación EHAS: Enlace Hispanoamericano de Salud - www.ehas.org Rural telemedicine for isolated areas of developing countries From baltasar.cevc at former03.de Tue Aug 1 14:34:47 2006
From: baltasar.cevc at former03.de (former03 | Baltasar Cevc) Date: Tue Aug 1 14:34:46 2006 Subject: [LARTC] IProute/conntrack issues In-Reply-To: <1154431886.2379.10.camel@murdegern.cbxnet.de> References: <1154431886.2379.10.camel@murdegern.cbxnet.de> Message-ID: <63122cff0208cb98ce0ad072534ed31b@former03.de> Hi Torsten, hi list, Thanx for the help! On 01.08.2006, at 13:31, Torsten Luettgert wrote: > On Tue, 2006-08-01 at 11:54 +0200, former03 | Baltasar Cevc wrote: >> Hi everybody, >> >> When I mark some outgoing packets in order to send them via another >> route (the fast leased line instead of the slow DSL link), packets go >> out there, the answer comes in, however, they never reach the internal >> host > > Sounds like another case of /proc/sys/net/ipv4/conf/*/rp_filter > needing to be set to zero. That was indeed the problem. A follow-up question as I don't really understand connmark yet: is there a possibility to mark all connections (or packets thereof) related to marked connections? I want to route FTP connections via the secondary interface. For active mode that just works fine, however I don't know how to find out that it's an outgoing ftp-data connection... Thanx, Baltasar -- Baltasar Cevc _____ former 03 gmbh _____ infanteriestraße 19 haus 6 eg _____ D-80797 muenchen _____ http://www.former03.de From mark0201_tw at yahoo.com Wed Aug 2 08:48:15 2006
From: mark0201_tw at yahoo.com (Mark Chao) Date: Wed Aug 2 08:48:02 2006 Subject: [LARTC] iproute2-051007 TC static linked Makefile how to Message-ID: <20060802064815.55221.qmail@web60716.mail.yahoo.com> Hi All, I'm a newbie in iproute2. For some reason, I have to use static linking instead of dynamic. My kernel is 2.4.18-14 (Redhat 8.0). After patching htb3.6_tc.diff, the "tc qdisc add dev eth0 root handle 1: htb default 20" command still comes out with "Unknown qdisc "htb"...". Or are there any examples/web links discussing a statically linked iproute2? Please advise! BR Mark From geraldhuet at yahoo.fr Wed Aug 2 10:55:41 2006 From: geraldhuet at yahoo.fr (gerald HUET) Date: Wed Aug 2 10:55:26 2006 Subject: [LARTC] iptables u32 kernel 2.6.17 Message-ID: <20060802085541.33422.qmail@web26504.mail.ukl.yahoo.com> hi everybody, I used to test this rule on my gateway : iptables -I FORWARD -p udp -m length --length 39 -m u32 --u32 '27&0x8f=7' --u32 '31=0x527c4833' -j DROP This was working with a 2.6.16 kernel but now that I upgraded to 2.6.17 it gives me the following message : [ 5333.870000] ip_tables: u32 match: invalid size 0 != 2028 iptables: Unknown error -1 I tried to do some modifications on ipt_u32.c following the modifications which work for ipp2p (http://www.sieglitzhof.net/~doc/ipp2p/) without any success. Does anyone have an explanation why the problem occurs with the new kernel and how to solve it ? Thanks in advance From msc at antzsystem.de Wed Aug 2 12:08:40 2006
From: msc at antzsystem.de (Markus Schulz)
Date: Wed Aug 2 12:08:49 2006
Subject: [LARTC] FWMark routing trouble
In-Reply-To: <543407a389ac4ddaf401fe2030924454@former03.de>
References: <543407a389ac4ddaf401fe2030924454@former03.de>
Message-ID: <200608021208.41393.msc@antzsystem.de>

On Saturday, 29 July 2006 17:33, former03 | Baltasar Cevc wrote:
> Hi everybody,
>
> I'm trying to set up routing for 2 links to the internet on a box
> which produces traffic itself (e.g. DNS) and will route all our local
> traffic.
>
> As one route is quick and expensive and the other one slow and cheap,
> I want to be able to route packets for some high-level protocols to
> the second link.
>
> If I correctly understood table 3-2 in
> http://www.faqs.org/docs/iptables/traversingoftables.html that is not
> possible as the routing decision is taken even before the packet
> touches netfilter for the first time.
>
> Is that correct? Does anybody have some hints about how to work
> around?

It's possible with Policy Routing. Look at
http://www.policyrouting.org/PolicyRoutingBook/ONLINE/TOC.html
for documentation about it.

(Simplest?) way to do it: (only short excerpt)

- Mark the specific application packets with iptables in PREROUTING chain ...

- add rules for routing fwmarked packets to separate routing tables

  ip rule add fwmark table
  ip rule add fwmark table

- build both routing tables

  ip route add default via $PTP1 dev src $IP1 proto static table
  ip route add default via $PTP2 dev src $IP2 proto static table

(Proto static needs kernel patches, but you don't really need this)

--
Markus Schulz

From rvokal at redhat.com Wed Aug 2 15:15:00 2006
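The fwmark policy-routing recipe from Markus Schulz's reply, written out as an added example (not code from the list archive), and extended with CONNMARK to answer the ftp-data question in Baltasar's earlier message: connections that the conntrack ftp helper creates as RELATED to a marked control connection inherit the connection mark, so restoring it onto their packets routes them over the same link. Interface names, addresses, the mark value and the table number are constructed placeholders, and DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the list archive): fwmark policy routing with
# CONNMARK so that RELATED connections (ftp-data) follow the marked
# control connection.  Interface names, addresses, mark and table number
# are constructed placeholders.  DRY_RUN=1 prints instead of executing.

: "${DRY_RUN:=0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# mark_and_route MARK TABLE DEV GATEWAY SRCADDR DPORT
#   Sends new TCP connections to DPORT, plus everything RELATED to them,
#   out via DEV/GATEWAY using routing table TABLE.
mark_and_route() {
    mark=$1 table=$2 dev=$3 gw=$4 src=$5 dport=$6

    # PREROUTING covers forwarded LAN traffic, OUTPUT the router's own
    # packets (the kernel re-routes a locally generated packet when
    # mangle OUTPUT changes its mark).
    for chain in PREROUTING OUTPUT; do
        # 1. Copy the mark stored on the connection (if any) onto the packet.
        run iptables -t mangle -A "$chain" -j CONNMARK --restore-mark
        # 2. Mark the first packet of a still unmarked connection to DPORT.
        run iptables -t mangle -A "$chain" -m mark --mark 0 -p tcp --dport "$dport" -j MARK --set-mark "$mark"
        # 3. Store the packet mark on the connection.  Expected connections
        #    set up by a conntrack helper (ip_conntrack_ftp: ftp-data in
        #    active and passive mode) inherit their master's conntrack mark,
        #    so step 1 marks them without any port-based rule of their own.
        run iptables -t mangle -A "$chain" -j CONNMARK --save-mark
    done

    # Marked packets consult TABLE, whose only route is the second uplink.
    run ip rule add fwmark "$mark" table "$table"
    run ip route add default via "$gw" dev "$dev" src "$src" table "$table"
    run ip route flush cache

    # Replies come back on DEV although the main table would route the peer
    # elsewhere; strict reverse-path filtering drops them (the problem
    # Torsten diagnosed in the thread), so disable it on that interface.
    run sysctl -w "net.ipv4.conf.$dev.rp_filter=0"
}

# Dry-run demonstration: FTP control (port 21) and its data connections via
# eth1, gateway 192.0.2.1, source 192.0.2.10, mark 1, table 101.
if [ "${1:-}" = "--dry-run" ]; then
    DRY_RUN=1
    mark_and_route 1 101 eth1 192.0.2.1 192.0.2.10 21
fi
```

Two caveats when running it for real: the effective rp_filter value for an interface is the larger of net.ipv4.conf.all.rp_filter and the per-interface setting, so conf/all has to be checked as well, and on kernels from 2.6.31 on the loose mode (rp_filter=2) is a less drastic alternative to 0. The RELATED marking only works with the ftp conntrack helper module loaded.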
From: rvokal at redhat.com (Radek Vokál)
Date: Wed Aug 2 15:14:56 2006
Subject: [LARTC] no PROMISC mode ..
Message-ID: <44D0A554.1000300@redhat.com>

Hi,

I'm not convinced I'm facing a bug, I was reading some code and also reading some threads and finally reached this conclusion, please let me know if it's not clear enough and also if you don't agree:

- The case it shows the flag with iproute is because it's using a single flag set. That was working on Linux kernels <2.1.x (2.0 etc.). Basically the mechanism was:

---
strncpy(ifr.ifr_name, our_device, IFNAMSIZ);
ioctl(sock, SIOCGIFFLAGS, &ifr);
ifr.ifr_flags |= IFF_PROMISC;
ioctl(sock, SIOCSIFFLAGS, &ifr);
---

And only one could set the IFF_PROMISC, because if another process decided to set it too, then it was cleared...

- Now, with kernels 2.2 and onwards, we have a different implementation of it, there's a counter of how many promiscuous requests have been set, and therefore a new implementation of the code to handle it and remove the one-promiscuous limitation, that has been called a membership. This allows the kernel to have more than one request and removes the above problem. Today, a process has to request to be part of that "packet domain" and use the interface in promiscuous mode, then the counter will know if there's another request (so it can handle unsets), and then, if the process no longer needs this mode, it will just request to be removed from that membership, decreasing the counter. The code nowadays is fairly close to this:

-----
struct packet_mreq mr;
[.....]
memset(&mr,0,sizeof(mr));
mr.mr_ifindex = ifr.ifr_ifindex;
mr.mr_type = PACKET_MR_PROMISC;
setsockopt(sock, SOL_PACKET, PACKET_ADD_MEMBERSHIP, (char *)&mr, sizeof(mr));
-----

That would explain why I can't see it with ip or older ifconfig, any call set by ioctl(SIOCGIFFLAGS) can only be seen by the same call family.
I've checked pcap, and it seems to do the right thing by setting it:

----
setsockopt(3, SOL_PACKET, PACKET_ADD_MEMBERSHIP, "\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0", 16) = 0
----

Hence I can't see it with either ip or ifconfig. Is there any reason why (ip) is not using a membership check/set instead of using ioctl()?

Radek

From t.luettgert at pressestimmen.de Wed Aug 2 15:52:39 2006
From: t.luettgert at pressestimmen.de (Torsten Luettgert)
Date: Wed Aug 2 15:52:02 2006
Subject: [LARTC] iptables u32 kernel 2.6.17
In-Reply-To: <20060802085541.33422.qmail@web26504.mail.ukl.yahoo.com>
References: <20060802085541.33422.qmail@web26504.mail.ukl.yahoo.com>
Message-ID: <1154526759.2369.12.camel@murdegern.cbxnet.de>

On Wed, 2006-08-02 at 10:55 +0200, gerald HUET wrote:
> [ 5333.870000] ip_tables: u32 match: invalid size 0 !=
> 2028
> iptables: Unknown error -1
>
> I tried to do some modifications on ipt_u32.c
> following modifications which work for ipp2p
> (http://www.sieglitzhof.net/~doc/ipp2p/) without any
> success.

Hm, that should have worked - it's the same problem for all the little-maintained stuff in patch-o-matic.

> Does anyone have an explanation why the problem occurs
> with the new kernel and how to solve it ?

The parameters to checkentry() and match() changed incompatibly between 2.6.16 and 2.6.17.

The u32 match in current SVN works with 2.6.17 (but not with 2.6.16 or earlier).

You need to

svn co http://svn.netfilter.org/netfilter/trunk/patch-o-matic-ng

then patch your kernel and recompile.

Regards,
Torsten

From pch at packetconsulting.pl Wed Aug 2 23:30:29 2006
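Radek's observation above, that a PACKET_ADD_MEMBERSHIP request bumps the kernel's per-device counter without turning on the IFF_PROMISC bit that ip and ifconfig display, matters for anyone auditing a host for sniffers. The following is an added example (not code from the list archive) of two checks that do not depend on that flag: the kernel log line written whenever the counter crosses zero, and the counter itself as printed by ip -d link show on kernels and iproute2 versions newer than the thread (IFLA_PROMISCUITY). All sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the list archive): two checks for the case Radek
# describes, where promiscuous mode was requested via PACKET_ADD_MEMBERSHIP
# and the IFF_PROMISC flag word shown by ip/ifconfig stays clear.
# All sample inputs below are constructed.

# 1. Kernel log.  The kernel logs a transition whenever the per-device
#    request counter goes 0->1 or 1->0, whichever API caused it.  Classic
#    kernels print "device eth0 entered promiscuous mode"; kernels that log
#    through netdev_info() print "eth0: entered promiscuous mode" with a
#    driver prefix.  Both forms are handled.  Prints the interfaces whose
#    last recorded transition was "entered".
#    Usage: dmesg | promisc_from_klog
promisc_from_klog() {
    awk '/ (entered|left) promiscuous mode/ {
            for (i = 2; i < NF; i++)
                if (($i == "entered" || $i == "left") && $(i + 1) == "promiscuous") {
                    dev = $(i - 1); sub(/:$/, "", dev); state[dev] = $i; break
                }
         }
         END { for (d in state) if (state[d] == "entered") print d }' | sort
}

# 2. "ip -d link show <dev>".  iproute2 prints the request counter as
#    "promiscuity N"; the <...> flag word only carries PROMISC when the mode
#    was set through the SIOCSIFFLAGS / netlink flags path.
#    Prints "counter=N flag=yes|no" for the single interface on stdin.
#    Usage: ip -d link show eth0 | promisc_status
promisc_status() {
    awk 'BEGIN { flag = "no" }
         NR == 1 && $3 ~ /PROMISC/ { flag = "yes" }
         { for (i = 1; i < NF; i++) if ($i == "promiscuity") n = $(i + 1) }
         END { printf "counter=%d flag=%s\n", n + 0, flag }'
}

# Constructed sample inputs for the demo below.
SAMPLE_KLOG='[  120.110001] e1000e 0000:00:19.0 eth0: link is up
[ 5333.870000] device eth0 entered promiscuous mode
[ 5340.120000] device eth1 entered promiscuous mode
[ 5402.000000] device eth1 left promiscuous mode
[ 6001.500000] device eth2 entered promiscuous mode'

# promiscuity 1 but no PROMISC in the flag word: the membership case.
SAMPLE_IPLINK_MEMBERSHIP='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 9000'

# The same counter value reached through SIOCSIFFLAGS: the flag shows too.
SAMPLE_IPLINK_IOCTL='2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 9000'

# Nothing requested at all.
SAMPLE_IPLINK_CLEAN='3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:66 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 9000'

if [ "${1:-}" = "--demo" ]; then
    echo "interfaces currently in promiscuous mode according to the log:"
    printf '%s\n' "$SAMPLE_KLOG" | promisc_from_klog
    printf '%s\n' "$SAMPLE_IPLINK_MEMBERSHIP" | promisc_status
    printf '%s\n' "$SAMPLE_IPLINK_IOCTL" | promisc_status
    printf '%s\n' "$SAMPLE_IPLINK_CLEAN" | promisc_status
fi
```

On the constructed log, eth1 entered and left again, so only eth0 and eth2 are reported; the membership sample yields counter=1 with flag=no, which is exactly the state Radek saw with pcap. The log check works on any kernel from the 2.2 series on; the counter check needs an ip that understands IFLA_PROMISCUITY.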
From: pch at packetconsulting.pl (Piotr Chytla) Date: Wed Aug 2 23:34:53 2006 Subject: [LARTC] iptables u32 kernel 2.6.17 In-Reply-To: <1154526759.2369.12.camel@murdegern.cbxnet.de> References: <20060802085541.33422.qmail@web26504.mail.ukl.yahoo.com> <1154526759.2369.12.camel@murdegern.cbxnet.de> Message-ID: <20060802213029.GA29316@packetconsulting.pl> On Wed, Aug 02, 2006 at 03:52:39PM +0200, Torsten Luettgert wrote: > On Wed, 2006-08-02 at 10:55 +0200, gerald HUET wrote: > > [ 5333.870000] ip_tables: u32 match: invalid size 0 != > > 2028 > > iptables: Unknown error -1 > > > > I tried to do some modifications on ipt_u32.c > > following modifications which work for ipp2p > > (http://www.sieglitzhof.net/~doc/ipp2p/) without any > > succes. > > Hm, that should have worked - it's the same problem for > all the little-maintained stuff in patch-o-matic. > > > Does anyone have an explication why the problem occurs > > whith the new kernel and how to solve it ? > > The parameters to checkentry() and match() changed > incompatibly between 2.6.16 and 2.6.17. > > The u32 match in current SVN works with 2.6.17 > (but not with 2.6.16 or earlier). > > You need to > svn co http://svn.netfilter.org/netfilter/trunk/patch-o-matic-ng > > then patch your kernel and recompile. apply also patch from attachment. 2.6.17 needs matchsize in ipt_match struct. triss:~# iptables -I FORWARD -p udp -m length --length 39 -m u32 --u32 '27&0x8f=7' --u32 '31=0x527c4833' -j DROP triss:~# iptables -L FORWARD -vn Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 length 39 u32 0x1f=0x527c4833 seems working. /pch -- Dyslexia bug unpatched since 1977 ... exploit has been leaked to the underground. -------------- next part -------------- --- ipt_u32.c 2006-08-02 22:34:29.000000000 +0200 +++ /usr/src/linux-2.6.17.6/net/ipv4/netfilter/ipt_u32.c 2006-08-02 22:45:43.000000000 +0200 
@@ -217,6 +217,7 @@ static struct ipt_match u32_match = { .name = "u32", .match = &match, + .matchsize = sizeof(struct ipt_u32), .checkentry = &checkentry, .me = THIS_MODULE }; From shemminger at osdl.org Wed Aug 2 21:58:50 2006 From: shemminger at osdl.org (Stephen Hemminger) Date: Thu Aug 3 00:11:54 2006 Subject: [LARTC] [PATCH 2/6] htb: remove lock macro In-Reply-To: <20060802125636.3028ba91@dxpl.pdx.osdl.net> References: <20060802125636.3028ba91@dxpl.pdx.osdl.net> Message-ID: <20060802125850.748fb0aa@dxpl.pdx.osdl.net> Get rid of the macro's being used to obscure the locking. Signed-off-by: Stephen Hemminger --- net/sched/sch_htb.c | 18 ++++++++---------- 1 files changed, 8 insertions(+), 10 deletions(-) diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c index 73094e7..c0b80b7 100644 --- a/net/sched/sch_htb.c +++ b/net/sched/sch_htb.c @@ -72,8 +72,6 @@ #define HTB_HSIZE 16 /* classid hash siz #define HTB_EWMAC 2 /* rate average over HTB_EWMAC*HTB_HSIZE sec */ #define HTB_RATECM 1 /* whether to use rate computer */ #define HTB_HYSTERESIS 1/* whether to use mode hysteresis for speedup */ -#define HTB_QLOCK(S) spin_lock_bh(&(S)->dev->queue_lock) -#define HTB_QUNLOCK(S) spin_unlock_bh(&(S)->dev->queue_lock) #define HTB_VER 0x30011 /* major must be matched with number suplied by TC as version */ #if HTB_VER >> 16 != TC_HTB_PROTOVER @@ -667,7 +665,7 @@ static void htb_rate_timer(unsigned long struct list_head *p; /* lock queue so that we can muck with it */ - HTB_QLOCK(sch); + spin_lock_bh(&sch->dev->queue_lock); q->rttim.expires = jiffies + HZ; add_timer(&q->rttim); @@ -681,7 +679,7 @@ static void htb_rate_timer(unsigned long RT_GEN (cl->sum_bytes,cl->rate_bytes); RT_GEN (cl->sum_packets,cl->rate_packets); } - HTB_QUNLOCK(sch); + spin_unlock_bh(&sch->dev->queue_lock); } #endif 
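Review bot: in Piotr's ipt_u32.c hunk (@@ -217,6 +217,7 @@), adding `.matchsize = sizeof(struct ipt_u32)` is what silences the "invalid size 0 != 2028" check, but `.match = &match` and `.checkentry = &checkentry` still point at the old functions, whose parameter lists Torsten says changed between 2.6.16 and 2.6.17; the one-line diff therefore only compiles on top of the updated patch-o-matic-ng checkout he recommends, and the attachment should state that dependency. The iptables -L output that follows shows the rule loaded with 0 packets and 0 bytes, so it demonstrates that the module registers, not yet that the match logic is right on 2.6.17.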
@@ -1089,7 +1087,7 @@ static int htb_dump(struct Qdisc *sch, s unsigned char *b = skb->tail; struct rtattr *rta; struct tc_htb_glob gopt; - HTB_QLOCK(sch); + spin_lock_bh(&sch->dev->queue_lock); gopt.direct_pkts = q->direct_pkts; gopt.version = HTB_VER; @@ -1100,10 +1098,10 @@ static int htb_dump(struct Qdisc *sch, s RTA_PUT(skb, TCA_OPTIONS, 0, NULL); RTA_PUT(skb, TCA_HTB_INIT, sizeof(gopt), &gopt); rta->rta_len = skb->tail - b; - HTB_QUNLOCK(sch); + spin_unlock_bh(&sch->dev->queue_lock); return skb->len; rtattr_failure: - HTB_QUNLOCK(sch); + spin_unlock_bh(&sch->dev->queue_lock); skb_trim(skb, skb->tail - skb->data); return -1; } @@ -1116,7 +1114,7 @@ static int htb_dump_class(struct Qdisc * struct rtattr *rta; struct tc_htb_opt opt; - HTB_QLOCK(sch); + spin_lock_bh(&sch->dev->queue_lock); tcm->tcm_parent = cl->parent ? cl->parent->classid : TC_H_ROOT; tcm->tcm_handle = cl->classid; if (!cl->level && cl->un.leaf.q) @@ -1133,10 +1131,10 @@ static int htb_dump_class(struct Qdisc * opt.level = cl->level; RTA_PUT(skb, TCA_HTB_PARMS, sizeof(opt), &opt); rta->rta_len = skb->tail - b; - HTB_QUNLOCK(sch); + spin_unlock_bh(&sch->dev->queue_lock); return skb->len; rtattr_failure: - HTB_QUNLOCK(sch); + spin_unlock_bh(&sch->dev->queue_lock); skb_trim(skb, b - skb->data); return -1; } -- 1.4.0 From shemminger at osdl.org Wed Aug 2 21:56:36 2006 From: shemminger at osdl.org (Stephen Hemminger) Date: Thu Aug 3 00:12:08 2006 Subject: [LARTC] [PATCH 0/6] htb: cleanup Message-ID: <20060802125636.3028ba91@dxpl.pdx.osdl.net> The HTB scheduler code is a mess, this patch set does some basic house cleaning. The first four should cause no code change, but the last two need more testing. -- Stephen Hemminger "And in the Packet there writ down that doome" From shemminger at osdl.org Thu Aug 3 00:03:40 2006 
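Review bot: in the htb_dump hunk (@@ -1100,10 +1098,10 @@) the rtattr_failure path now reads `spin_unlock_bh(&sch->dev->queue_lock); skb_trim(skb, skb->tail - skb->data);`, which trims the skb to its current length, i.e. a no-op, whereas the htb_dump_class hunk (@@ -1133,10 +1131,10 @@) correctly rolls back with `skb_trim(skb, b - skb->data);`. This is pre-existing and outside the scope of a macro removal, but since these exact lines are being touched, a follow-up in this series should make htb_dump roll back to b as well so a failed dump does not leave a half-written TCA_OPTIONS attribute in the message.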
From: shemminger at osdl.org (Stephen Hemminger) Date: Thu Aug 3 00:12:24 2006 Subject: [LARTC] [PATCH 5/6] htb: use hlist for hash lists. In-Reply-To: <20060802125636.3028ba91@dxpl.pdx.osdl.net> References: <20060802125636.3028ba91@dxpl.pdx.osdl.net> Message-ID: <20060802150340.7faabd1d@dxpl.pdx.osdl.net> Use hlist instead of list for the hash list. This saves space, and we can check for double delete better. Signed-off-by: Stephen Hemminger --- net/sched/sch_htb.c | 49 +++++++++++++++++++++++++++---------------------- 1 files changed, 27 insertions(+), 22 deletions(-) diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c index 528d5c5..7853c6f 100644 --- a/net/sched/sch_htb.c +++ b/net/sched/sch_htb.c @@ -104,7 +104,7 @@ #endif /* topology */ int level; /* our level (see above) */ struct htb_class *parent; /* parent class */ - struct list_head hlist; /* classid hash list item */ + struct hlist_node hlist; /* classid hash list item */ struct list_head sibling; /* sibling list item */ struct list_head children; /* children list */ @@ -163,8 +163,8 @@ static inline long L2T(struct htb_class struct htb_sched { struct list_head root; /* root classes list */ - struct list_head hash[HTB_HSIZE]; /* hashed by classid */ - struct list_head drops[TC_HTB_NUMPRIO]; /* active leaves (for drops) */ + struct hlist_head hash[HTB_HSIZE]; /* hashed by classid */ + struct list_head drops[TC_HTB_NUMPRIO];/* active leaves (for drops) */ /* self list - roots of self generating tree */ struct rb_root row[TC_HTB_MAXDEPTH][TC_HTB_NUMPRIO]; 
@@ -220,12 +220,13 @@ #endif static inline struct htb_class *htb_find(u32 handle, struct Qdisc *sch) { struct htb_sched *q = qdisc_priv(sch); - struct list_head *p; + struct hlist_node *p; + struct htb_class *cl; + if (TC_H_MAJ(handle) != sch->handle) return NULL; - list_for_each(p, q->hash + htb_hash(handle)) { - struct htb_class *cl = list_entry(p, struct htb_class, hlist); + hlist_for_each_entry(cl, p, q->hash + htb_hash(handle), hlist) { if (cl->classid == handle) return cl; } @@ -675,7 +676,9 @@ static void htb_rate_timer(unsigned long { struct Qdisc *sch = (struct Qdisc *)arg; struct htb_sched *q = qdisc_priv(sch); - struct list_head *p; + struct hlist_node *p; + struct htb_class *cl; + /* lock queue so that we can muck with it */ spin_lock_bh(&sch->dev->queue_lock); @@ -686,9 +689,8 @@ static void htb_rate_timer(unsigned long /* scan and recompute one bucket at time */ if (++q->recmp_bucket >= HTB_HSIZE) q->recmp_bucket = 0; - list_for_each(p, q->hash + q->recmp_bucket) { - struct htb_class *cl = list_entry(p, struct htb_class, hlist); + hlist_for_each_entry(cl,p, q->hash + q->recmp_bucket, hlist) { RT_GEN(cl->sum_bytes, cl->rate_bytes); RT_GEN(cl->sum_packets, cl->rate_packets); } @@ -1041,10 +1043,10 @@ static void htb_reset(struct Qdisc *sch) int i; for (i = 0; i < HTB_HSIZE; i++) { - struct list_head *p; - list_for_each(p, q->hash + i) { - struct htb_class *cl = - list_entry(p, struct htb_class, hlist); + struct hlist_node *p; + struct htb_class *cl; + + hlist_for_each_entry(cl, p, q->hash + i, hlist) { if (cl->level) memset(&cl->un.inner, 0, sizeof(cl->un.inner)); else { @@ -1091,7 +1093,7 @@ static int htb_init(struct Qdisc *sch, s INIT_LIST_HEAD(&q->root); for (i = 0; i < HTB_HSIZE; i++) - INIT_LIST_HEAD(q->hash + i); + INIT_HLIST_HEAD(q->hash + i); for (i = 0; i < TC_HTB_NUMPRIO; i++) INIT_LIST_HEAD(q->drops + i); 
@@ -1269,7 +1271,8 @@ static void htb_destroy_class(struct Qdi struct htb_class, sibling)); /* note: this delete may happen twice (see htb_delete) */ - list_del(&cl->hlist); + if (!hlist_unhashed(&cl->hlist)) + hlist_del(&cl->hlist); list_del(&cl->sibling); if (cl->prio_activity) @@ -1317,7 +1320,9 @@ static int htb_delete(struct Qdisc *sch, sch_tree_lock(sch); /* delete from hash and active; remainder in destroy_class */ - list_del_init(&cl->hlist); + if (!hlist_unhashed(&cl->hlist)) + hlist_del(&cl->hlist); + if (cl->prio_activity) htb_deactivate(q, cl); @@ -1381,7 +1386,7 @@ static int htb_change_class(struct Qdisc cl->refcnt = 1; INIT_LIST_HEAD(&cl->sibling); - INIT_LIST_HEAD(&cl->hlist); + INIT_HLIST_NODE(&cl->hlist); INIT_LIST_HEAD(&cl->children); INIT_LIST_HEAD(&cl->un.leaf.drop_list); @@ -1420,7 +1425,7 @@ static int htb_change_class(struct Qdisc cl->cmode = HTB_CAN_SEND; /* attach to the hash list and parent's family */ - list_add_tail(&cl->hlist, q->hash + htb_hash(classid)); + hlist_add_head(&cl->hlist, q->hash + htb_hash(classid)); list_add_tail(&cl->sibling, parent ? &parent->children : &q->root); } else @@ -1520,10 +1525,10 @@ static void htb_walk(struct Qdisc *sch, return; for (i = 0; i < HTB_HSIZE; i++) { - struct list_head *p; - list_for_each(p, q->hash + i) { - struct htb_class *cl = - list_entry(p, struct htb_class, hlist); + struct hlist_node *p; + struct htb_class *cl; + + hlist_for_each_entry(cl, p, q->hash + i, hlist) { if (arg->count < arg->skip) { arg->count++; continue; -- 1.4.0 From shemminger at osdl.org Thu Aug 3 00:09:29 2006 
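Review bot: the htb_destroy_class and htb_delete hunks (@@ -1269,7 +1271,8 @@ and @@ -1317,7 +1320,9 @@) guard the double delete mentioned in the comment with `if (!hlist_unhashed(&cl->hlist)) hlist_del(&cl->hlist);`, but hlist_del() poisons pprev with LIST_POISON2 rather than clearing it, and hlist_unhashed() tests pprev == NULL, so on the second call the node still looks hashed and __hlist_del writes through the poison pointer. Use hlist_del_init() in both places: it returns the node to the INIT_HLIST_NODE state, which is what the description's "check for double delete better" needs, and a repeated hlist_del_init() is then a safe no-op.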
From: shemminger at osdl.org (Stephen Hemminger) Date: Thu Aug 3 00:12:50 2006 Subject: [LARTC] [PATCH 6/6] htb: rbtree cleanup In-Reply-To: <20060802125636.3028ba91@dxpl.pdx.osdl.net> References: <20060802125636.3028ba91@dxpl.pdx.osdl.net> Message-ID: <20060802150929.2e1ba806@dxpl.pdx.osdl.net> Add code to initialize rb tree nodes, and check for double deletion. This is not a real fix, but I can make it trap sometimes and may be a bandaid for: http://bugzilla.kernel.org/show_bug.cgi?id=6681 Signed-off-by: Stephen Hemminger --- net/sched/sch_htb.c | 34 +++++++++++++++++++++++++++------- 1 files changed, 27 insertions(+), 7 deletions(-) diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c index 7853c6f..3f3e9df 100644 --- a/net/sched/sch_htb.c +++ b/net/sched/sch_htb.c @@ -366,7 +366,7 @@ static void htb_add_to_wait_tree(struct * When we are past last key we return NULL. * Average complexity is 2 steps per call. */ -static void htb_next_rb_node(struct rb_node **n) +static inline void htb_next_rb_node(struct rb_node **n) { *n = rb_next(*n); } @@ -388,6 +388,18 @@ static inline void htb_add_class_to_row( } } +/* If this triggers, it is a bug in this code, but it need not be fatal */ +static void htb_safe_rb_erase(struct rb_node *rb, struct rb_root *root) +{ + if (RB_EMPTY_NODE(rb)) { + WARN_ON(1); + } else { + rb_erase(rb, root); + RB_CLEAR_NODE(rb); + } +} + + /** * htb_remove_class_from_row - removes class from its row * @@ -401,10 +413,12 @@ static inline void htb_remove_class_from while (mask) { int prio = ffz(~mask); + mask &= ~(1 << prio); if (q->ptr[cl->level][prio] == cl->node + prio) htb_next_rb_node(q->ptr[cl->level] + prio); - rb_erase(cl->node + prio, q->row[cl->level] + prio); + + htb_safe_rb_erase(cl->node + prio, q->row[cl->level] + prio); if (!q->row[cl->level][prio].rb_node) m |= 1 << prio; } 
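Review bot: the htb_safe_rb_erase helper (@@ -388,6 +388,18 @@) relies on RB_EMPTY_NODE/RB_CLEAR_NODE, which use the node's parent pointer as the "not linked" marker; rb_link_node() overwrites that pointer on insert, so the scheme only holds if every rb_erase on these nodes goes through the helper, which makes the conversion in the @@ -401 hunk and the remaining ones necessary rather than optional. The same patch also turns htb_next_rb_node into `static inline` (@@ -366,7 +366,7 @@) and adds a stray blank line after `mask &= ~(1 << prio);`, neither of which belongs in a bandaid for the double-erase bug referenced in the description; split those out so the bisectable part is just the safe-erase conversion.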
@@ -472,7 +486,7 @@ static void htb_deactivate_prios(struct p->un.inner.ptr[prio] = NULL; } - rb_erase(cl->node + prio, p->un.inner.feed + prio); + htb_safe_rb_erase(cl->node + prio, p->un.inner.feed + prio); if (!p->un.inner.feed[prio].rb_node) mask |= 1 << prio; @@ -739,7 +753,7 @@ #define HTB_ACCNT(T,B,R) toks = diff + c htb_change_class_mode(q, cl, &diff); if (old_mode != cl->cmode) { if (old_mode != HTB_CAN_SEND) - rb_erase(&cl->pq_node, q->wait_pq + cl->level); + htb_safe_rb_erase(&cl->pq_node, q->wait_pq + cl->level); if (cl->cmode != HTB_CAN_SEND) htb_add_to_wait_tree(q, cl, diff); } @@ -782,7 +796,7 @@ static long htb_do_events(struct htb_sch if (time_after(cl->pq_key, q->jiffies)) { return cl->pq_key - q->jiffies; } - rb_erase(p, q->wait_pq + level); + htb_safe_rb_erase(p, q->wait_pq + level); diff = PSCHED_TDIFF_SAFE(q->now, cl->t_c, (u32) cl->mbuffer); htb_change_class_mode(q, cl, &diff); if (cl->cmode != HTB_CAN_SEND) @@ -1279,7 +1293,7 @@ static void htb_destroy_class(struct Qdi htb_deactivate(q, cl); if (cl->cmode != HTB_CAN_SEND) - rb_erase(&cl->pq_node, q->wait_pq + cl->level); + htb_safe_rb_erase(&cl->pq_node, q->wait_pq + cl->level); kfree(cl); } @@ -1370,6 +1384,8 @@ static int htb_change_class(struct Qdisc if (!cl) { /* new class */ struct Qdisc *new_q; + int prio; + /* check for valid classid */ if (!classid || TC_H_MAJ(classid ^ sch->handle) || htb_find(classid, sch)) @@ -1389,6 +1405,10 @@ static int htb_change_class(struct Qdisc INIT_HLIST_NODE(&cl->hlist); INIT_LIST_HEAD(&cl->children); INIT_LIST_HEAD(&cl->un.leaf.drop_list); + RB_CLEAR_NODE(&cl->pq_node); + + for (prio = 0; prio < TC_HTB_NUMPRIO; prio++) + RB_CLEAR_NODE(&cl->node[prio]); /* create leaf qdisc early because it uses kmalloc(GFP_KERNEL) so that can't be used inside of sch_tree_lock 
@@ -1404,7 +1424,7 @@ static int htb_change_class(struct Qdisc /* remove from evt list because of level change */ if (parent->cmode != HTB_CAN_SEND) { - rb_erase(&parent->pq_node, q->wait_pq); + htb_safe_rb_erase(&parent->pq_node, q->wait_pq); parent->cmode = HTB_CAN_SEND; } parent->level = (parent->parent ? parent->parent->level -- 1.4.0 From shemminger at osdl.org Thu Aug 3 00:09:43 2006 From: shemminger at osdl.org (Stephen Hemminger) Date: Thu Aug 3 00:13:12 2006 Subject: [LARTC] [PATCH 3/6] htb: if HTB_HYSTERIS cleanup In-Reply-To: <20060802125636.3028ba91@dxpl.pdx.osdl.net> References: <20060802125636.3028ba91@dxpl.pdx.osdl.net> Message-ID: <20060802150943.2b5f7de5@dxpl.pdx.osdl.net> Change the conditional compilation around HTB_HYSTERSIS since code was splitting mid expression. Signed-off-by: Stephen Hemminger --- net/sched/sch_htb.c | 27 +++++++++++++++++---------- 1 files changed, 17 insertions(+), 10 deletions(-) diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c index c0b80b7..d8c1a6b 100644 --- a/net/sched/sch_htb.c +++ b/net/sched/sch_htb.c @@ -483,6 +483,20 @@ static void htb_deactivate_prios(struct htb_remove_class_from_row(q,cl,mask); } +#if HTB_HYSTERESIS +static inline long htb_lowater(const struct htb_class *cl) +{ + return cl->cmode != HTB_CANT_SEND ? -cl->cbuffer : 0; +} +static inline long htb_hiwater(const struct htb_class *cl) +{ + return cl->cmode == HTB_CAN_SEND ? -cl->buffer : 0; +} +#else +#define htb_lowater(cl) (0) +#define htb_hiwater(cl) (0) +#endif + /** * htb_class_mode - computes and returns current class mode * 
@@ -499,19 +513,12 @@ htb_class_mode(struct htb_class *cl,long { long toks; - if ((toks = (cl->ctokens + *diff)) < ( -#if HTB_HYSTERESIS - cl->cmode != HTB_CANT_SEND ? -cl->cbuffer : -#endif - 0)) { + if ((toks = (cl->ctokens + *diff)) < htb_lowater(cl)) { *diff = -toks; return HTB_CANT_SEND; } - if ((toks = (cl->tokens + *diff)) >= ( -#if HTB_HYSTERESIS - cl->cmode == HTB_CAN_SEND ? -cl->buffer : -#endif - 0)) + + if ((toks = (cl->tokens + *diff)) >= htb_hiwater(cl)) return HTB_CAN_SEND; *diff = -toks; -- 1.4.0 From shemminger at osdl.org Thu Aug 3 00:11:50 2006 From: shemminger at osdl.org (Stephen Hemminger) Date: Thu Aug 3 00:13:29 2006 Subject: [LARTC] [PATCH 1/6] htb: remove broken debug code In-Reply-To: <20060802125636.3028ba91@dxpl.pdx.osdl.net> References: <20060802125636.3028ba91@dxpl.pdx.osdl.net> Message-ID: <20060802151150.2c320102@dxpl.pdx.osdl.net> The HTB network scheduler had debug code that wouldn't compile and confused and obfuscated the code, remove it. Signed-off-by: Stephen Hemminger --- net/sched/sch_htb.c | 302 ++++++--------------------------------------------- 1 files changed, 34 insertions(+), 268 deletions(-) diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c index 880a339..73094e7 100644 --- a/net/sched/sch_htb.c +++ b/net/sched/sch_htb.c @@ -70,7 +70,6 @@ #include #define HTB_HSIZE 16 /* classid hash size */ #define HTB_EWMAC 2 /* rate average over HTB_EWMAC*HTB_HSIZE sec */ -#undef HTB_DEBUG /* compile debugging support (activated by tc tool) */ #define HTB_RATECM 1 /* whether to use rate computer */ #define HTB_HYSTERESIS 1/* whether to use mode hysteresis for speedup */ #define HTB_QLOCK(S) spin_lock_bh(&(S)->dev->queue_lock) 
@@ -81,51 +80,6 @@ #if HTB_VER >> 16 != TC_HTB_PROTOVER #error "Mismatched sch_htb.c and pkt_sch.h" #endif -/* debugging support; S is subsystem, these are defined: - 0 - netlink messages - 1 - enqueue - 2 - drop & requeue - 3 - dequeue main - 4 - dequeue one prio DRR part - 5 - dequeue class accounting - 6 - class overlimit status computation - 7 - hint tree - 8 - event queue - 10 - rate estimator - 11 - classifier - 12 - fast dequeue cache - - L is level; 0 = none, 1 = basic info, 2 = detailed, 3 = full - q->debug uint32 contains 16 2-bit fields one for subsystem starting - from LSB - */ -#ifdef HTB_DEBUG -#define HTB_DBG_COND(S,L) (((q->debug>>(2*S))&3) >= L) -#define HTB_DBG(S,L,FMT,ARG...) if (HTB_DBG_COND(S,L)) \ - printk(KERN_DEBUG FMT,##ARG) -#define HTB_CHCL(cl) BUG_TRAP((cl)->magic == HTB_CMAGIC) -#define HTB_PASSQ q, -#define HTB_ARGQ struct htb_sched *q, -#define static -#undef __inline__ -#define __inline__ -#undef inline -#define inline -#define HTB_CMAGIC 0xFEFAFEF1 -#define htb_safe_rb_erase(N,R) do { BUG_TRAP((N)->rb_color != -1); \ - if ((N)->rb_color == -1) break; \ - rb_erase(N,R); \ - (N)->rb_color = -1; } while (0) -#else -#define HTB_DBG_COND(S,L) (0) -#define HTB_DBG(S,L,FMT,ARG...) -#define HTB_PASSQ -#define HTB_ARGQ -#define HTB_CHCL(cl) -#define htb_safe_rb_erase(N,R) rb_erase(N,R) -#endif - - /* used internaly to keep status of single class */ enum htb_cmode { HTB_CANT_SEND, /* class can't send and can't borrow */ @@ -136,9 +90,6 @@ enum htb_cmode { /* interior & leaf nodes; props specific to leaves are marked L: */ struct htb_class { -#ifdef HTB_DEBUG - unsigned magic; -#endif /* general class parameters */ u32 classid; struct gnet_stats_basic bstats; @@ -238,7 +189,6 @@ struct htb_sched int nwc_hit; /* this to disable mindelay complaint in dequeue */ int defcls; /* class where unclassified flows go to */ - u32 debug; /* subsystem debug levels */ /* filters for qdisc itself */ struct tcf_proto *filter_list; 
@@ -354,75 +304,21 @@ #endif return cl; } -#ifdef HTB_DEBUG -static void htb_next_rb_node(struct rb_node **n); -#define HTB_DUMTREE(root,memb) if(root) { \ - struct rb_node *n = (root)->rb_node; \ - while (n->rb_left) n = n->rb_left; \ - while (n) { \ - struct htb_class *cl = rb_entry(n, struct htb_class, memb); \ - printk(" %x",cl->classid); htb_next_rb_node (&n); \ - } } - -static void htb_debug_dump (struct htb_sched *q) -{ - int i,p; - printk(KERN_DEBUG "htb*g j=%lu lj=%lu\n",jiffies,q->jiffies); - /* rows */ - for (i=TC_HTB_MAXDEPTH-1;i>=0;i--) { - printk(KERN_DEBUG "htb*r%d m=%x",i,q->row_mask[i]); - for (p=0;prow[i][p].rb_node) continue; - printk(" p%d:",p); - HTB_DUMTREE(q->row[i]+p,node[p]); - } - printk("\n"); - } - /* classes */ - for (i = 0; i < HTB_HSIZE; i++) { - struct list_head *l; - list_for_each (l,q->hash+i) { - struct htb_class *cl = list_entry(l,struct htb_class,hlist); - long diff = PSCHED_TDIFF_SAFE(q->now, cl->t_c, (u32)cl->mbuffer); - printk(KERN_DEBUG "htb*c%x m=%d t=%ld c=%ld pq=%lu df=%ld ql=%d " - "pa=%x f:", - cl->classid,cl->cmode,cl->tokens,cl->ctokens, - cl->pq_node.rb_color==-1?0:cl->pq_key,diff, - cl->level?0:cl->un.leaf.q->q.qlen,cl->prio_activity); - if (cl->level) - for (p=0;pun.inner.feed[p].rb_node) continue; - printk(" p%d a=%x:",p,cl->un.inner.ptr[p]?rb_entry(cl->un.inner.ptr[p], struct htb_class,node[p])->classid:0); - HTB_DUMTREE(cl->un.inner.feed+p,node[p]); - } - printk("\n"); - } - } -} -#endif /** * htb_add_to_id_tree - adds class to the round robin list * * Routine adds class to the list (actually tree) sorted by classid. * Make sure that class is not already on such list for given prio. 
*/ -static void htb_add_to_id_tree (HTB_ARGQ struct rb_root *root, +static void htb_add_to_id_tree (struct rb_root *root, struct htb_class *cl,int prio) { struct rb_node **p = &root->rb_node, *parent = NULL; - HTB_DBG(7,3,"htb_add_id_tree cl=%X prio=%d\n",cl->classid,prio); -#ifdef HTB_DEBUG - if (cl->node[prio].rb_color != -1) { BUG_TRAP(0); return; } - HTB_CHCL(cl); - if (*p) { - struct htb_class *x = rb_entry(*p,struct htb_class,node[prio]); - HTB_CHCL(x); - } -#endif + while (*p) { struct htb_class *c; parent = *p; c = rb_entry(parent, struct htb_class, node[prio]); - HTB_CHCL(c); + if (cl->classid > c->classid) p = &parent->rb_right; else @@ -440,16 +336,10 @@ #endif * already in the queue. */ static void htb_add_to_wait_tree (struct htb_sched *q, - struct htb_class *cl,long delay,int debug_hint) + struct htb_class *cl,long delay) { struct rb_node **p = &q->wait_pq[cl->level].rb_node, *parent = NULL; - HTB_DBG(7,3,"htb_add_wt cl=%X key=%lu\n",cl->classid,cl->pq_key); -#ifdef HTB_DEBUG - if (cl->pq_node.rb_color != -1) { BUG_TRAP(0); return; } - HTB_CHCL(cl); - if ((delay <= 0 || delay > cl->mbuffer) && net_ratelimit()) - printk(KERN_ERR "HTB: suspicious delay in wait_tree d=%ld cl=%X h=%d\n",delay,cl->classid,debug_hint); -#endif + cl->pq_key = q->jiffies + PSCHED_US2JIFFIE(delay); if (cl->pq_key == q->jiffies) cl->pq_key++; @@ -490,14 +380,11 @@ static void htb_next_rb_node(struct rb_n static inline void htb_add_class_to_row(struct htb_sched *q, struct htb_class *cl,int mask) { - HTB_DBG(7,2,"htb_addrow cl=%X mask=%X rmask=%X\n", - cl->classid,mask,q->row_mask[cl->level]); - HTB_CHCL(cl); q->row_mask[cl->level] |= mask; while (mask) { int prio = ffz(~mask); mask &= ~(1 << prio); - htb_add_to_id_tree(HTB_PASSQ q->row[cl->level]+prio,cl,prio); + htb_add_to_id_tree(q->row[cl->level]+prio,cl,prio); } } 
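Review bot: the htb_add_to_wait_tree hunk (@@ -440,16 +336,10 @@) drops the debug_hint parameter together with the `if ((delay <= 0 || delay > cl->mbuffer) && net_ratelimit()) printk(KERN_ERR "HTB: suspicious delay in wait_tree ...")` check. Removing it is consistent with the description, since the block only existed under HTB_DEBUG, but it is the one diagnostic that would flag a bad delay before it is folded into pq_key and corrupts the wait tree ordering; consider keeping it as an unconditional rate-limited warning (two compares per call) instead of deleting it with the rest of the scaffolding.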
@@ -511,18 +398,16 @@ static __inline__ void htb_remove_class_ struct htb_class *cl,int mask) { int m = 0; - HTB_CHCL(cl); + while (mask) { int prio = ffz(~mask); mask &= ~(1 << prio); if (q->ptr[cl->level][prio] == cl->node+prio) htb_next_rb_node(q->ptr[cl->level]+prio); - htb_safe_rb_erase(cl->node + prio,q->row[cl->level]+prio); + rb_erase(cl->node + prio,q->row[cl->level]+prio); if (!q->row[cl->level][prio].rb_node) m |= 1 << prio; } - HTB_DBG(7,2,"htb_delrow cl=%X mask=%X rmask=%X maskdel=%X\n", - cl->classid,mask,q->row_mask[cl->level],m); q->row_mask[cl->level] &= ~m; } @@ -537,11 +422,9 @@ static void htb_activate_prios(struct ht { struct htb_class *p = cl->parent; long m,mask = cl->prio_activity; - HTB_DBG(7,2,"htb_act_prios cl=%X mask=%lX cmode=%d\n",cl->classid,mask,cl->cmode); - HTB_CHCL(cl); while (cl->cmode == HTB_MAY_BORROW && p && mask) { - HTB_CHCL(p); + m = mask; while (m) { int prio = ffz(~m); m &= ~(1 << prio); @@ -551,13 +434,11 @@ static void htb_activate_prios(struct ht reset bit in mask as parent is already ok */ mask &= ~(1 << prio); - htb_add_to_id_tree(HTB_PASSQ p->un.inner.feed+prio,cl,prio); + htb_add_to_id_tree(p->un.inner.feed+prio,cl,prio); } - HTB_DBG(7,3,"htb_act_pr_aft p=%X pact=%X mask=%lX pmode=%d\n", - p->classid,p->prio_activity,mask,p->cmode); p->prio_activity |= mask; cl = p; p = cl->parent; - HTB_CHCL(cl); + } if (cl->cmode == HTB_CAN_SEND && mask) htb_add_class_to_row(q,cl,mask); @@ -574,8 +455,7 @@ static void htb_deactivate_prios(struct { struct htb_class *p = cl->parent; long m,mask = cl->prio_activity; - HTB_DBG(7,2,"htb_deact_prios cl=%X mask=%lX cmode=%d\n",cl->classid,mask,cl->cmode); - HTB_CHCL(cl); + while (cl->cmode == HTB_MAY_BORROW && p && mask) { m = mask; mask = 0; 
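Review bot: in the htb_remove_class_from_row hunk (@@ -511,18 +398,16 @@), `htb_safe_rb_erase(cl->node + prio,q->row[cl->level]+prio);` becomes a bare `rb_erase(cl->node + prio,q->row[cl->level]+prio);`. In the non-debug build the removed macro already expanded to rb_erase, so behaviour is unchanged, but this also deletes the only double-erase trap the file had; since patch 6/6 of this series reintroduces an htb_safe_rb_erase, the description here should say that the trap is restored later rather than presenting the removal as pure dead code.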
@@ -591,16 +471,15 @@ static void htb_deactivate_prios(struct p->un.inner.ptr[prio] = NULL; } - htb_safe_rb_erase(cl->node + prio,p->un.inner.feed + prio); + rb_erase(cl->node + prio,p->un.inner.feed + prio); if (!p->un.inner.feed[prio].rb_node) mask |= 1 << prio; } - HTB_DBG(7,3,"htb_deact_pr_aft p=%X pact=%X mask=%lX pmode=%d\n", - p->classid,p->prio_activity,mask,p->cmode); + p->prio_activity &= ~mask; cl = p; p = cl->parent; - HTB_CHCL(cl); + } if (cl->cmode == HTB_CAN_SEND && mask) htb_remove_class_from_row(q,cl,mask); @@ -655,8 +534,6 @@ htb_change_class_mode(struct htb_sched * { enum htb_cmode new_mode = htb_class_mode(cl,diff); - HTB_CHCL(cl); - HTB_DBG(7,1,"htb_chging_clmode %d->%d cl=%X\n",cl->cmode,new_mode,cl->classid); if (new_mode == cl->cmode) return; @@ -681,7 +558,7 @@ htb_change_class_mode(struct htb_sched * static __inline__ void htb_activate(struct htb_sched *q,struct htb_class *cl) { BUG_TRAP(!cl->level && cl->un.leaf.q && cl->un.leaf.q->q.qlen); - HTB_CHCL(cl); + if (!cl->prio_activity) { cl->prio_activity = 1 << (cl->un.leaf.aprio = cl->un.leaf.prio); htb_activate_prios(q,cl); @@ -699,7 +576,7 @@ static __inline__ void htb_deactivate(struct htb_sched *q,struct htb_class *cl) { BUG_TRAP(cl->prio_activity); - HTB_CHCL(cl); + htb_deactivate_prios(q,cl); cl->prio_activity = 0; list_del_init(&cl->un.leaf.drop_list); @@ -739,7 +616,6 @@ #endif sch->q.qlen++; sch->bstats.packets++; sch->bstats.bytes += skb->len; - HTB_DBG(1,1,"htb_enq_ok cl=%X skb=%p\n",(cl && cl != HTB_DIRECT)?cl->classid:0,skb); return NET_XMIT_SUCCESS; } @@ -771,7 +647,6 @@ static int htb_requeue(struct sk_buff *s sch->q.qlen++; sch->qstats.requeues++; - HTB_DBG(1,1,"htb_req_ok cl=%X skb=%p\n",(cl && cl != HTB_DIRECT)?cl->classid:0,skb); return NET_XMIT_SUCCESS; } 
@@ -793,7 +668,6 @@ static void htb_rate_timer(unsigned long /* lock queue so that we can muck with it */ HTB_QLOCK(sch); - HTB_DBG(10,1,"htb_rttmr j=%ld\n",jiffies); q->rttim.expires = jiffies + HZ; add_timer(&q->rttim); @@ -803,8 +677,7 @@ static void htb_rate_timer(unsigned long q->recmp_bucket = 0; list_for_each (p,q->hash+q->recmp_bucket) { struct htb_class *cl = list_entry(p,struct htb_class,hlist); - HTB_DBG(10,2,"htb_rttmr_cl cl=%X sbyte=%lu spkt=%lu\n", - cl->classid,cl->sum_bytes,cl->sum_packets); + RT_GEN (cl->sum_bytes,cl->rate_bytes); RT_GEN (cl->sum_packets,cl->rate_packets); } @@ -828,7 +701,6 @@ static void htb_charge_class(struct htb_ { long toks,diff; enum htb_cmode old_mode; - HTB_DBG(5,1,"htb_chrg_cl cl=%X lev=%d len=%d\n",cl->classid,level,bytes); #define HTB_ACCNT(T,B,R) toks = diff + cl->T; \ if (toks > cl->B) toks = cl->B; \ @@ -837,24 +709,7 @@ #define HTB_ACCNT(T,B,R) toks = diff + c cl->T = toks while (cl) { - HTB_CHCL(cl); diff = PSCHED_TDIFF_SAFE(q->now, cl->t_c, (u32)cl->mbuffer); -#ifdef HTB_DEBUG - if (diff > cl->mbuffer || diff < 0 || PSCHED_TLESS(q->now, cl->t_c)) { - if (net_ratelimit()) - printk(KERN_ERR "HTB: bad diff in charge, cl=%X diff=%lX now=%Lu then=%Lu j=%lu\n", - cl->classid, diff, -#ifdef CONFIG_NET_SCH_CLK_GETTIMEOFDAY - q->now.tv_sec * 1000000ULL + q->now.tv_usec, - cl->t_c.tv_sec * 1000000ULL + cl->t_c.tv_usec, -#else - (unsigned long long) q->now, - (unsigned long long) cl->t_c, -#endif - q->jiffies); - diff = 1000; - } -#endif if (cl->level >= level) { if (cl->level == level) cl->xstats.lends++; HTB_ACCNT (tokens,buffer,rate); 
@@ -864,15 +719,14 @@ #endif } HTB_ACCNT (ctokens,cbuffer,ceil); cl->t_c = q->now; - HTB_DBG(5,2,"htb_chrg_clp cl=%X diff=%ld tok=%ld ctok=%ld\n",cl->classid,diff,cl->tokens,cl->ctokens); old_mode = cl->cmode; diff = 0; htb_change_class_mode(q,cl,&diff); if (old_mode != cl->cmode) { if (old_mode != HTB_CAN_SEND) - htb_safe_rb_erase(&cl->pq_node,q->wait_pq+cl->level); + rb_erase(&cl->pq_node,q->wait_pq+cl->level); if (cl->cmode != HTB_CAN_SEND) - htb_add_to_wait_tree (q,cl,diff,1); + htb_add_to_wait_tree (q,cl,diff); } #ifdef HTB_RATECM @@ -899,8 +753,7 @@ #endif static long htb_do_events(struct htb_sched *q,int level) { int i; - HTB_DBG(8,1,"htb_do_events l=%d root=%p rmask=%X\n", - level,q->wait_pq[level].rb_node,q->row_mask[level]); + for (i = 0; i < 500; i++) { struct htb_class *cl; long diff; @@ -910,30 +763,13 @@ static long htb_do_events(struct htb_sch cl = rb_entry(p, struct htb_class, pq_node); if (time_after(cl->pq_key, q->jiffies)) { - HTB_DBG(8,3,"htb_do_ev_ret delay=%ld\n",cl->pq_key - q->jiffies); return cl->pq_key - q->jiffies; } - htb_safe_rb_erase(p,q->wait_pq+level); + rb_erase(p,q->wait_pq+level); diff = PSCHED_TDIFF_SAFE(q->now, cl->t_c, (u32)cl->mbuffer); -#ifdef HTB_DEBUG - if (diff > cl->mbuffer || diff < 0 || PSCHED_TLESS(q->now, cl->t_c)) { - if (net_ratelimit()) - printk(KERN_ERR "HTB: bad diff in events, cl=%X diff=%lX now=%Lu then=%Lu j=%lu\n", - cl->classid, diff, -#ifdef CONFIG_NET_SCH_CLK_GETTIMEOFDAY - q->now.tv_sec * 1000000ULL + q->now.tv_usec, - cl->t_c.tv_sec * 1000000ULL + cl->t_c.tv_usec, -#else - (unsigned long long) q->now, - (unsigned long long) cl->t_c, -#endif - q->jiffies); - diff = 1000; - } -#endif htb_change_class_mode(q,cl,&diff); if (cl->cmode != HTB_CAN_SEND) - htb_add_to_wait_tree (q,cl,diff,2); + htb_add_to_wait_tree (q,cl,diff); } if (net_ratelimit()) printk(KERN_WARNING "htb: too many events !\n"); 
@@ -966,7 +802,7 @@ htb_id_find_next_upper(int prio,struct r * Find leaf where current feed pointers points to. */ static struct htb_class * -htb_lookup_leaf(HTB_ARGQ struct rb_root *tree,int prio,struct rb_node **pptr,u32 *pid) +htb_lookup_leaf(struct rb_root *tree,int prio,struct rb_node **pptr,u32 *pid) { int i; struct { @@ -981,8 +817,6 @@ htb_lookup_leaf(HTB_ARGQ struct rb_root sp->pid = pid; for (i = 0; i < 65535; i++) { - HTB_DBG(4,2,"htb_lleaf ptr=%p pid=%X\n",*sp->pptr,*sp->pid); - if (!*sp->pptr && *sp->pid) { /* ptr was invalidated but id is valid - try to recover the original or next ptr */ @@ -1002,7 +836,6 @@ htb_lookup_leaf(HTB_ARGQ struct rb_root } else { struct htb_class *cl; cl = rb_entry(*sp->pptr,struct htb_class,node[prio]); - HTB_CHCL(cl); if (!cl->level) return cl; (++sp)->root = cl->un.inner.feed[prio].rb_node; @@ -1022,15 +855,13 @@ htb_dequeue_tree(struct htb_sched *q,int struct sk_buff *skb = NULL; struct htb_class *cl,*start; /* look initial class up in the row */ - start = cl = htb_lookup_leaf (HTB_PASSQ q->row[level]+prio,prio, + start = cl = htb_lookup_leaf (q->row[level]+prio,prio, q->ptr[level]+prio,q->last_ptr_id[level]+prio); do { next: BUG_TRAP(cl); if (!cl) return NULL; - HTB_DBG(4,1,"htb_deq_tr prio=%d lev=%d cl=%X defic=%d\n", - prio,level,cl->classid,cl->un.leaf.deficit[level]); /* class can be empty - it is unlikely but can be true if leaf qdisc drops packets in enqueue routine or if someone used @@ -1044,7 +875,7 @@ next: if ((q->row_mask[level] & (1 << prio)) == 0) return NULL; - next = htb_lookup_leaf (HTB_PASSQ q->row[level]+prio, + next = htb_lookup_leaf (q->row[level]+prio, prio,q->ptr[level]+prio,q->last_ptr_id[level]+prio); if (cl == start) /* fix start if we just deleted it */ 
@@ -1061,15 +892,13 @@ next: } q->nwc_hit++; htb_next_rb_node((level?cl->parent->un.inner.ptr:q->ptr[0])+prio); - cl = htb_lookup_leaf (HTB_PASSQ q->row[level]+prio,prio,q->ptr[level]+prio, + cl = htb_lookup_leaf (q->row[level]+prio,prio,q->ptr[level]+prio, q->last_ptr_id[level]+prio); } while (cl != start); if (likely(skb != NULL)) { if ((cl->un.leaf.deficit[level] -= skb->len) < 0) { - HTB_DBG(4,2,"htb_next_cl oldptr=%p quant_add=%d\n", - level?cl->parent->un.inner.ptr[prio]:q->ptr[0][prio],cl->un.leaf.quantum); cl->un.leaf.deficit[level] += cl->un.leaf.quantum; htb_next_rb_node((level?cl->parent->un.inner.ptr:q->ptr[0])+prio); } @@ -1095,7 +924,6 @@ static void htb_delay_by(struct Qdisc *s mod_timer(&q->timer, q->jiffies + delay); sch->flags |= TCQ_F_THROTTLED; sch->qstats.overlimits++; - HTB_DBG(3,1,"htb_deq t_delay=%ld\n",delay); } static struct sk_buff *htb_dequeue(struct Qdisc *sch) @@ -1104,13 +932,8 @@ static struct sk_buff *htb_dequeue(struc struct htb_sched *q = qdisc_priv(sch); int level; long min_delay; -#ifdef HTB_DEBUG - int evs_used = 0; -#endif q->jiffies = jiffies; - HTB_DBG(3,1,"htb_deq dircnt=%d qlen=%d\n",skb_queue_len(&q->direct_queue), - sch->q.qlen); /* try to dequeue direct packets as high prio (!) to minimize cpu work */ if ((skb = __skb_dequeue(&q->direct_queue)) != NULL) { @@ -1131,9 +954,6 @@ #endif if (time_after_eq(q->jiffies, q->near_ev_cache[level])) { delay = htb_do_events(q,level); q->near_ev_cache[level] = q->jiffies + (delay ? delay : HZ); -#ifdef HTB_DEBUG - evs_used++; -#endif } else delay = q->near_ev_cache[level] - q->jiffies; 
@@ -1151,20 +971,8 @@ #endif } } } -#ifdef HTB_DEBUG - if (!q->nwc_hit && min_delay >= 10*HZ && net_ratelimit()) { - if (min_delay == LONG_MAX) { - printk(KERN_ERR "HTB: dequeue bug (%d,%lu,%lu), report it please !\n", - evs_used,q->jiffies,jiffies); - htb_debug_dump(q); - } else - printk(KERN_WARNING "HTB: mindelay=%ld, some class has " - "too small rate\n",min_delay); - } -#endif htb_delay_by (sch,min_delay > 5*HZ ? 5*HZ : min_delay); fin: - HTB_DBG(3,1,"htb_deq_end %s j=%lu skb=%p\n",sch->dev->name,q->jiffies,skb); return skb; } @@ -1198,7 +1006,6 @@ static void htb_reset(struct Qdisc* sch) { struct htb_sched *q = qdisc_priv(sch); int i; - HTB_DBG(0,1,"htb_reset sch=%p, handle=%X\n",sch,sch->handle); for (i = 0; i < HTB_HSIZE; i++) { struct list_head *p; @@ -1213,10 +1020,6 @@ static void htb_reset(struct Qdisc* sch) } cl->prio_activity = 0; cl->cmode = HTB_CAN_SEND; -#ifdef HTB_DEBUG - cl->pq_node.rb_color = -1; - memset(cl->node,255,sizeof(cl->node)); -#endif } } @@ -1238,10 +1041,6 @@ static int htb_init(struct Qdisc *sch, s struct rtattr *tb[TCA_HTB_INIT]; struct tc_htb_glob *gopt; int i; -#ifdef HTB_DEBUG - printk(KERN_INFO "HTB init, kernel part version %d.%d\n", - HTB_VER >> 16,HTB_VER & 0xffff); -#endif if (!opt || rtattr_parse_nested(tb, TCA_HTB_INIT, opt) || tb[TCA_HTB_INIT-1] == NULL || RTA_PAYLOAD(tb[TCA_HTB_INIT-1]) < sizeof(*gopt)) { @@ -1254,8 +1053,6 @@ #endif HTB_VER >> 16,HTB_VER & 0xffff,gopt->version); return -EINVAL; } - q->debug = gopt->debug; - HTB_DBG(0,1,"htb_init sch=%p handle=%X r2q=%d\n",sch,sch->handle,gopt->rate2quantum); INIT_LIST_HEAD(&q->root); for (i = 0; i < HTB_HSIZE; i++) 
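Review bot: The htb_reset hunk drops the `cl->pq_node.rb_color = -1; memset(cl->node,255,sizeof(cl->node));` poisoning without a replacement, while the surrounding code only does `cl->prio_activity = 0; cl->cmode = HTB_CAN_SEND;` and never erases the class from the wait or row trees; after a reset every class node therefore keeps stale parent/colour pointers, and a later erase of such a node works on dangling memory. Either clear the nodes here (RB_CLEAR_NODE, as the follow-up patch does for new classes in htb_change_class) or note in the changelog why the trees are guaranteed empty before the next erase. On the htb_dequeue hunk: the removed `"HTB: mindelay=%ld, some class has too small rate"` warning is the one user-visible diagnosis of a misconfigured rate/burst; it is cheap, already behind `net_ratelimit()`, and worth keeping outside HTB_DEBUG even if the `htb_debug_dump()` path goes.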
@@ -1292,18 +1089,13 @@ static int htb_dump(struct Qdisc *sch, s unsigned char *b = skb->tail; struct rtattr *rta; struct tc_htb_glob gopt; - HTB_DBG(0,1,"htb_dump sch=%p, handle=%X\n",sch,sch->handle); HTB_QLOCK(sch); gopt.direct_pkts = q->direct_pkts; -#ifdef HTB_DEBUG - if (HTB_DBG_COND(0,2)) - htb_debug_dump(q); -#endif gopt.version = HTB_VER; gopt.rate2quantum = q->rate2quantum; gopt.defcls = q->defcls; - gopt.debug = q->debug; + gopt.debug = 0; rta = (struct rtattr*)b; RTA_PUT(skb, TCA_OPTIONS, 0, NULL); RTA_PUT(skb, TCA_HTB_INIT, sizeof(gopt), &gopt); @@ -1319,16 +1111,11 @@ rtattr_failure: static int htb_dump_class(struct Qdisc *sch, unsigned long arg, struct sk_buff *skb, struct tcmsg *tcm) { -#ifdef HTB_DEBUG - struct htb_sched *q = qdisc_priv(sch); -#endif struct htb_class *cl = (struct htb_class*)arg; unsigned char *b = skb->tail; struct rtattr *rta; struct tc_htb_opt opt; - HTB_DBG(0,1,"htb_dump_class handle=%X clid=%X\n",sch->handle,cl->classid); - HTB_QLOCK(sch); tcm->tcm_parent = cl->parent ? cl->parent->classid : TC_H_ROOT; tcm->tcm_handle = cl->classid; @@ -1410,11 +1197,7 @@ static struct Qdisc * htb_leaf(struct Qd static unsigned long htb_get(struct Qdisc *sch, u32 classid) { -#ifdef HTB_DEBUG - struct htb_sched *q = qdisc_priv(sch); -#endif struct htb_class *cl = htb_find(classid,sch); - HTB_DBG(0,1,"htb_get clid=%X q=%p cl=%p ref=%d\n",classid,q,cl,cl?cl->refcnt:0); if (cl) cl->refcnt++; return (unsigned long)cl; @@ -1433,7 +1216,6 @@ static void htb_destroy_filters(struct t static void htb_destroy_class(struct Qdisc* sch,struct htb_class *cl) { struct htb_sched *q = qdisc_priv(sch); - HTB_DBG(0,1,"htb_destrycls clid=%X ref=%d\n", cl?cl->classid:0,cl?cl->refcnt:0); if (!cl->level) { BUG_TRAP(cl->un.leaf.q); sch->q.qlen -= cl->un.leaf.q->q.qlen; 
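Review bot: With `q->debug = gopt->debug;` gone from htb_init and htb_dump now reporting `gopt.debug = 0;`, a non-zero `debug` value sent by an older tc is silently ignored instead of being echoed back or rejected. Keeping the field in `struct tc_htb_glob` for ABI compatibility is the right call, but htb_init should carry a comment next to the version check (`HTB_VER >> 16,HTB_VER & 0xffff,gopt->version`) saying the field is accepted and ignored, and the changelog should mention that `tc qdisc show` will now always print `debug 0`. The htb_dump_class hunk correctly removes the now-unused `struct htb_sched *q` along with the HTB_DBG line that was its only user.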
@@ -1456,7 +1238,7 @@ static void htb_destroy_class(struct Qdi htb_deactivate (q,cl); if (cl->cmode != HTB_CAN_SEND) - htb_safe_rb_erase(&cl->pq_node,q->wait_pq+cl->level); + rb_erase(&cl->pq_node,q->wait_pq+cl->level); kfree(cl); } @@ -1465,7 +1247,6 @@ static void htb_destroy_class(struct Qdi static void htb_destroy(struct Qdisc* sch) { struct htb_sched *q = qdisc_priv(sch); - HTB_DBG(0,1,"htb_destroy q=%p\n",q); del_timer_sync (&q->timer); #ifdef HTB_RATECM @@ -1488,7 +1269,6 @@ static int htb_delete(struct Qdisc *sch, { struct htb_sched *q = qdisc_priv(sch); struct htb_class *cl = (struct htb_class*)arg; - HTB_DBG(0,1,"htb_delete q=%p cl=%X ref=%d\n",q,cl?cl->classid:0,cl?cl->refcnt:0); // TODO: why don't allow to delete subtree ? references ? does // tc subsys quarantee us that in htb_destroy it holds no class @@ -1512,11 +1292,7 @@ static int htb_delete(struct Qdisc *sch, static void htb_put(struct Qdisc *sch, unsigned long arg) { -#ifdef HTB_DEBUG - struct htb_sched *q = qdisc_priv(sch); -#endif struct htb_class *cl = (struct htb_class*)arg; - HTB_DBG(0,1,"htb_put q=%p cl=%X ref=%d\n",q,cl?cl->classid:0,cl?cl->refcnt:0); if (--cl->refcnt == 0) htb_destroy_class(sch,cl); @@ -1542,7 +1318,7 @@ static int htb_change_class(struct Qdisc parent = parentid == TC_H_ROOT ? NULL : htb_find (parentid,sch); hopt = RTA_DATA(tb[TCA_HTB_PARMS-1]); - HTB_DBG(0,1,"htb_chg cl=%p(%X), clid=%X, parid=%X, opt/prio=%d, rate=%u, buff=%d, quant=%d\n", cl,cl?cl->classid:0,classid,parentid,(int)hopt->prio,hopt->rate.rate,hopt->buffer,hopt->quantum); + rtab = qdisc_get_rtab(&hopt->rate, tb[TCA_HTB_RTAB-1]); ctab = qdisc_get_rtab(&hopt->ceil, tb[TCA_HTB_CTAB-1]); if (!rtab || !ctab) goto failure; 
@@ -1567,9 +1343,6 @@ static int htb_change_class(struct Qdisc INIT_LIST_HEAD(&cl->hlist); INIT_LIST_HEAD(&cl->children); INIT_LIST_HEAD(&cl->un.leaf.drop_list); -#ifdef HTB_DEBUG - cl->magic = HTB_CMAGIC; -#endif /* create leaf qdisc early because it uses kmalloc(GFP_KERNEL) so that can't be used inside of sch_tree_lock @@ -1585,7 +1358,7 @@ #endif /* remove from evt list because of level change */ if (parent->cmode != HTB_CAN_SEND) { - htb_safe_rb_erase(&parent->pq_node,q->wait_pq /*+0*/); + rb_erase(&parent->pq_node,q->wait_pq); parent->cmode = HTB_CAN_SEND; } parent->level = (parent->parent ? parent->parent->level @@ -1607,13 +1380,6 @@ #endif /* attach to the hash list and parent's family */ list_add_tail(&cl->hlist, q->hash+htb_hash(classid)); list_add_tail(&cl->sibling, parent ? &parent->children : &q->root); -#ifdef HTB_DEBUG - { - int i; - for (i = 0; i < TC_HTB_NUMPRIO; i++) cl->node[i].rb_color = -1; - cl->pq_node.rb_color = -1; - } -#endif } else sch_tree_lock(sch); /* it used to be a nasty bug here, we have to check that node @@ -1654,7 +1420,7 @@ static struct tcf_proto **htb_find_tcf(s struct htb_sched *q = qdisc_priv(sch); struct htb_class *cl = (struct htb_class *)arg; struct tcf_proto **fl = cl ? &cl->filter_list : &q->filter_list; - HTB_DBG(0,2,"htb_tcf q=%p clid=%X fref=%d fl=%p\n",q,cl?cl->classid:0,cl?cl->filter_cnt:q->filter_cnt,*fl); + return fl; } @@ -1663,7 +1429,7 @@ static unsigned long htb_bind_filter(str { struct htb_sched *q = qdisc_priv(sch); struct htb_class *cl = htb_find (classid,sch); - HTB_DBG(0,2,"htb_bind q=%p clid=%X cl=%p fref=%d\n",q,classid,cl,cl?cl->filter_cnt:q->filter_cnt); + /*if (cl && !cl->level) return 0; The line above used to be there to prevent attaching filters to leaves. But at least tc_index filter uses this just to get class 
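Review bot: In the htb_find_tcf and htb_bind_filter hunks the removed `HTB_DBG(0,2,...)` line is replaced by an empty `+` line, so htb_find_tcf now has a blank line directly before `return fl;` and htb_bind_filter one before the commented-out `if (cl && !cl->level) return 0;`. The same blank-for-debug substitution appears earlier in htb_activate, htb_deactivate, htb_do_events and htb_change_class (`- HTB_DBG(0,1,"htb_chg cl=%p(%X), ...` followed by `+`). Delete the line outright rather than emitting a blank one; as it stands the patch adds whitespace-only churn that a later cleanup will have to remove.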
@@ -1684,7 +1450,7 @@ static void htb_unbind_filter(struct Qdi { struct htb_sched *q = qdisc_priv(sch); struct htb_class *cl = (struct htb_class *)arg; - HTB_DBG(0,2,"htb_unbind q=%p cl=%p fref=%d\n",q,cl,cl?cl->filter_cnt:q->filter_cnt); + if (cl) cl->filter_cnt--; else -- 1.4.0 From shemminger at osdl.org Thu Aug 3 00:12:57 2006 From: shemminger at osdl.org (Stephen Hemminger) Date: Thu Aug 3 00:13:47 2006 Subject: [LARTC] [PATCH 6/6] htb: rbtree cleanup In-Reply-To: <20060802125636.3028ba91@dxpl.pdx.osdl.net> References: <20060802125636.3028ba91@dxpl.pdx.osdl.net> Message-ID: <20060802151257.21af2d0b@dxpl.pdx.osdl.net> Add code to initialize rb tree nodes, and check for double deletion. This is not a real fix, but I can make it trap sometimes and may be a bandaid for: http://bugzilla.kernel.org/show_bug.cgi?id=6681 Signed-off-by: Stephen Hemminger --- net/sched/sch_htb.c | 34 +++++++++++++++++++++++++++------- 1 files changed, 27 insertions(+), 7 deletions(-) diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c index 7853c6f..3f3e9df 100644 --- a/net/sched/sch_htb.c +++ b/net/sched/sch_htb.c @@ -366,7 +366,7 @@ static void htb_add_to_wait_tree(struct * When we are past last key we return NULL. * Average complexity is 2 steps per call. */ -static void htb_next_rb_node(struct rb_node **n) +static inline void htb_next_rb_node(struct rb_node **n) { *n = rb_next(*n); } @@ -388,6 +388,18 @@ static inline void htb_add_class_to_row( } } +/* If this triggers, it is a bug in this code, but it need not be fatal */ +static void htb_safe_rb_erase(struct rb_node *rb, struct rb_root *root) +{ + if (RB_EMPTY_NODE(rb)) { + WARN_ON(1); + } else { + rb_erase(rb, root); + RB_CLEAR_NODE(rb); + } +} + + /** * htb_remove_class_from_row - removes class from its row * 
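Review bot: `htb_safe_rb_erase()` does `WARN_ON(1)` when `RB_EMPTY_NODE(rb)` is true, and it is called from the per-packet paths htb_charge_class, htb_do_events and htb_deactivate_prios, so if the condition behind bug 6681 is hit repeatedly the log fills with one stack dump per packet; gate it with `net_ratelimit()` the way this file already does for `printk(KERN_WARNING "htb: too many events !\n")`. The check is also only meaningful for nodes that have gone through `RB_CLEAR_NODE()`: the new-class path in htb_change_class now does that, but htb_reset (see the earlier patch's htb_reset hunk, which removed the `rb_color = -1` poisoning) leaves class nodes with their old parent pointers, so a double erase after a reset still passes `RB_EMPTY_NODE` and corrupts the tree exactly as before. Clearing `pq_node` and `node[]` in htb_reset as well would close that hole and make the warning trustworthy.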
@@ -401,10 +413,12 @@ static inline void htb_remove_class_from while (mask) { int prio = ffz(~mask); + mask &= ~(1 << prio); if (q->ptr[cl->level][prio] == cl->node + prio) htb_next_rb_node(q->ptr[cl->level] + prio); - rb_erase(cl->node + prio, q->row[cl->level] + prio); + + htb_safe_rb_erase(cl->node + prio, q->row[cl->level] + prio); if (!q->row[cl->level][prio].rb_node) m |= 1 << prio; } @@ -472,7 +486,7 @@ static void htb_deactivate_prios(struct p->un.inner.ptr[prio] = NULL; } - rb_erase(cl->node + prio, p->un.inner.feed + prio); + htb_safe_rb_erase(cl->node + prio, p->un.inner.feed + prio); if (!p->un.inner.feed[prio].rb_node) mask |= 1 << prio; @@ -739,7 +753,7 @@ #define HTB_ACCNT(T,B,R) toks = diff + c htb_change_class_mode(q, cl, &diff); if (old_mode != cl->cmode) { if (old_mode != HTB_CAN_SEND) - rb_erase(&cl->pq_node, q->wait_pq + cl->level); + htb_safe_rb_erase(&cl->pq_node, q->wait_pq + cl->level); if (cl->cmode != HTB_CAN_SEND) htb_add_to_wait_tree(q, cl, diff); } @@ -782,7 +796,7 @@ static long htb_do_events(struct htb_sch if (time_after(cl->pq_key, q->jiffies)) { return cl->pq_key - q->jiffies; } - rb_erase(p, q->wait_pq + level); + htb_safe_rb_erase(p, q->wait_pq + level); diff = PSCHED_TDIFF_SAFE(q->now, cl->t_c, (u32) cl->mbuffer); htb_change_class_mode(q, cl, &diff); if (cl->cmode != HTB_CAN_SEND) @@ -1279,7 +1293,7 @@ static void htb_destroy_class(struct Qdi htb_deactivate(q, cl); if (cl->cmode != HTB_CAN_SEND) - rb_erase(&cl->pq_node, q->wait_pq + cl->level); + htb_safe_rb_erase(&cl->pq_node, q->wait_pq + cl->level); kfree(cl); } @@ -1370,6 +1384,8 @@ static int htb_change_class(struct Qdisc if (!cl) { /* new class */ struct Qdisc *new_q; + int prio; + /* check for valid classid */ if (!classid || TC_H_MAJ(classid ^ sch->handle) || htb_find(classid, sch)) 
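Review bot: The `+ mask &= ~(1 << prio);` added to the `while (mask)` loop in htb_remove_class_from_row is a functional fix, not node initialisation: without it `ffz(~mask)` returns the same prio on every iteration, so the loop never terminates and erases the same node over and over, which is precisely what the new helper now warns about. That line should be its own patch with its own changelog entry (or at least be named in this one), so it can be backported independently of the WARN_ON plumbing; the same applies to the unrelated `static inline` added to htb_next_rb_node in the previous hunk.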
@@ -1389,6 +1405,10 @@ static int htb_change_class(struct Qdisc INIT_HLIST_NODE(&cl->hlist); INIT_LIST_HEAD(&cl->children); INIT_LIST_HEAD(&cl->un.leaf.drop_list); + RB_CLEAR_NODE(&cl->pq_node); + + for (prio = 0; prio < TC_HTB_NUMPRIO; prio++) + RB_CLEAR_NODE(&cl->node[prio]); /* create leaf qdisc early because it uses kmalloc(GFP_KERNEL) so that can't be used inside of sch_tree_lock @@ -1404,7 +1424,7 @@ static int htb_change_class(struct Qdisc /* remove from evt list because of level change */ if (parent->cmode != HTB_CAN_SEND) { - rb_erase(&parent->pq_node, q->wait_pq); + htb_safe_rb_erase(&parent->pq_node, q->wait_pq); parent->cmode = HTB_CAN_SEND; } parent->level = (parent->parent ? parent->parent->level -- 1.4.0 From t.luettgert at pressestimmen.de Thu Aug 3 01:47:34 2006 From: t.luettgert at pressestimmen.de (Torsten Luettgert) Date: Thu Aug 3 01:46:51 2006 Subject: [LARTC] iptables u32 kernel 2.6.17 In-Reply-To: <20060802213029.GA29316@packetconsulting.pl> References: <20060802085541.33422.qmail@web26504.mail.ukl.yahoo.com> <1154526759.2369.12.camel@murdegern.cbxnet.de> <20060802213029.GA29316@packetconsulting.pl> Message-ID: <1154562454.2391.3.camel@murdegern.cbxnet.de> On Wed, 2006-08-02 at 23:30 +0200, Piotr Chytla wrote: > apply also patch from attachment. 2.6.17 needs matchsize in ipt_match struct. Whoopsie. I missed that in the patch I sent to netfilter-devel a while ago. Thanks for doing it yourself. Regards, Torsten From vitula at kme.cz Thu Aug 3 08:17:33 2006 
From: vitula at kme.cz (Ing. Vítězslav Vitula)
Date: Thu Aug 3 08:20:29 2006
Subject: [LARTC] Maximum count of qdiscs
Message-ID: <000301c6b6c4$822f48e0$0300a8c0@KME.local>

Hi,

Fedora 4, 2.6.15.6

What is the maximum count of qdiscs attached to one dev ?
It seems that only 2048 qdiscs can be attached. Is this correct ?
If I try to attach more qdiscs, it complains that file already exists and error talking to kernel.

How to increase this count ?

Thank You
vitula

From aleksandr at mikrovisata.net Thu Aug 3 09:43:55 2006
From: aleksandr at mikrovisata.net (Aleksandr)
Date: Thu Aug 3 09:43:41 2006
Subject: [LARTC] Maximum count of qdiscs
In-Reply-To: <000301c6b6c4$822f48e0$0300a8c0@KME.local>
References: <000301c6b6c4$822f48e0$0300a8c0@KME.local>
Message-ID: <44D1A93B.2040703@mikrovisata.net>

Ing. Vítězslav Vitula wrote:
> Hi,
> Fedora 4, 2.6.15.6
> What is the maximum count of qdiscs attached to one dev ?
> It seems that only 2048 qdiscs can be attached. Is this correct ?
> If I try to attach more qdiscs, it complains that file already exists
> and error talking to kernel.

I have attached 16128 htb classes with sfq qdiscs and currently have no problems.

-- 
Pagarbiai,
Aleksandr Perepliot?ikov
UAB "Mikrovisatos TV", IT Departamentas

From doudouyam at gmail.com Thu Aug 3 18:06:35 2006
From: doudouyam at gmail.com (doudouyam)
Date: Thu Aug 3 18:06:22 2006
Subject: [LARTC] tc filter
Message-ID: <81c11a560608030906t525d6232vf135053463ce6a8f@mail.gmail.com>

Hi,

Is it possible to make a filter with tc which excludes an IP like iptables ??

ex:
iptable -t mangle -A PREROUTING -i eth0 -d ! 192.168.1.222 -j MARK ...

I try the ! with tc but it doesn't work.

Thanks,
doude.

From mrd at alkemio.org Thu Aug 3 21:57:00 2006
From: mrd at alkemio.org (Matthew R. Dempsky)
Date: Thu Aug 3 21:56:48 2006
Subject: [LARTC] Ethernet equipment testing with two NICs
Message-ID: <20060803195700.GA2994@odin.dempsky.org>

I have a Linux 2.6.16 machine with two gigabit ethernet adapters that I would like to use for testing Ethernet equipment---right now just an Ethernet cable, but later switches, bridges, etc.

I tried assigning the two adapters IPs of 192.168.50.1 and 192.168.51.1 and then set up the routing table to direct 192.168.51.0/24 traffic to the first adapter, and 192.168.50.0/24 traffic to the second, but when I run ``ping -I 192.168.50.1 192.168.51.1'' the packets are routed over lo instead of eth0/eth1.

Can someone suggest an alternative setup that will work? Thanks.

From michael.auckland at gmail.com Fri Aug 4 04:36:18 2006
From: michael.auckland at gmail.com (Michael)
Date: Fri Aug 4 04:36:06 2006
Subject: [LARTC] route mail through different gateway
Message-ID: <35207fdf0608031936y2fe970d6pb855fc2f7557d5de@mail.gmail.com>

Hi All,

I've got a server with one LAN card eth0 ip=10.0.0.5

default access to internet done through ADSL router gw 10.0.0.1
we got second internet access through another ADSL router gw 10.0.0.2

I want to send all e-mail out through gw 10.0.0.2
How can it be done?
I've tried to mark packets:
iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark 0x1
and
ip ru add fwmark 0x1 table mail.out
ip ro add default via 10.0.0.2 lookup mail.out

But it doesn't work
Any help?

-- 
Michael

From abel.martin.ruiz at gmail.com Fri Aug 4 12:09:26 2006
From: abel.martin.ruiz at gmail.com (Abel Martín)
Date: Fri Aug 4 12:09:11 2006
Subject: [LARTC] IFB support in 2.6.17 kernel
Message-ID: <915136920608040309r5c7b0e6auf8990d1fddcaedc2@mail.gmail.com>

Hi,

I'm trying to activate IFB device support in a 2.6.17 kernel from Debian Sid. I read that IFB device is the replacement for IMQ device, but I haven't found any useful documentation on how to activate this feature and the kernel documentation lacks this information. I remember that IMQ could be activated in the 'Network devices' menu in 2.6.8 kernels, but this option no longer exists. Where can I find some information about this? I found an ifb.c file in the kernel source directory tree, but I'm not sure if an ifb module will be generated, as this option doesn't seem to be available during the kernel configuration.

Thanks.

From lists at andyfurniss.entadsl.com Fri Aug 4 12:49:32 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Fri Aug 4 12:49:22 2006
Subject: [LARTC] IFB support in 2.6.17 kernel
In-Reply-To: <915136920608040309r5c7b0e6auf8990d1fddcaedc2@mail.gmail.com>
References: <915136920608040309r5c7b0e6auf8990d1fddcaedc2@mail.gmail.com>
Message-ID: <44D3263C.6060608@andyfurniss.entadsl.com>

Abel Martín wrote:
> Hi,
>
> I'm trying to activate IFB device support in a 2.6.17 kernel from Debian
> Sid. I read that IFB device is the replacement for IMQ device, but I
> haven't found any useful documentation on how to activate this feature
> and the kernel documentation lacks this information. I remember that IMQ
> could be activated in the 'Network devices' menu in 2.6.8 kernels, but
> this option no longer exists. Where can I find some information about
> this? I found an ifb.c file in the kernel source directory tree, but I'm
> not sure if an ifb module will be generated, as this option doesn't seem
> to be available during the kernel configuration.
>
> Thanks.

ifb = intermediate functional block

in device drivers --> network device support

depends on NET and NET_CLS_ACT (actions under qos and fair queuing)

Andy

From abel.martin.ruiz at gmail.com Fri Aug 4 13:56:47 2006
From: abel.martin.ruiz at gmail.com (Abel Martín)
Date: Fri Aug 4 13:56:36 2006
Subject: [LARTC] IFB support in 2.6.17 kernel
In-Reply-To: <44D3263C.6060608@andyfurniss.entadsl.com>
References: <915136920608040309r5c7b0e6auf8990d1fddcaedc2@mail.gmail.com> <44D3263C.6060608@andyfurniss.entadsl.com>
Message-ID: <915136920608040456w66b39340hd233fa57bf433f95@mail.gmail.com>

Hi Andy and Vadim!

Thanks for your help. I already read http://linux-net.osdl.org/index.php/IFB, but it is not enough for me. To be honest, I realized the problem is I must read the man pages for tc, considering traffic shaping is not a piece of cake. Copy & paste examples from the web won't help much doing traffic shaping.

Sorry for the inconvenience.

From don at bowenvale.co.nz Sat Aug 5 11:57:27 2006
From: don at bowenvale.co.nz (Don Gould)
Date: Sat Aug 5 11:57:39 2006
Subject: [LARTC] How to become your IP range...
Message-ID: <44D46B87.4010003@bowenvale.co.nz>

I have laptops visiting my network.

If they're configured for DHCP then I have no problem.

However if they've got static IPs set then I want my server to set itself up automatically to provide internet access.

Eg.

Laptop IP: 192.168.6.234 - just because the owner's admin decided to.
Laptop default GW: 192.168.6.37 - also very random, but allowable...

My server's LAN side is eth1; on detecting packets running around with the IP range above, it will then assign a new IP range to itself so that the laptop will function.

Has anyone heard of an OSS system that will do this?

Cheers Don

-- 
Don Gould
www.thinkdesignprint.co.nz - www.tcn.bowenvale.co.nz - www.bowenvale.co.nz - www.hearingbooks.co.nz - SkypeMe: ThinkDesignPrint

From rmo at sunnmore.net Sat Aug 5 17:05:41 2006
From: rmo at sunnmore.net (Roy-Magne Mo)
Date: Sat Aug 5 17:05:28 2006
Subject: [LARTC] How to become your IP range...
In-Reply-To: <44D46B87.4010003@bowenvale.co.nz>
References: <44D46B87.4010003@bowenvale.co.nz>
Message-ID: <44D4B3C5.80601@sunnmore.net>

Don Gould wrote:
> I have laptops visiting my network.
>
> If they're configured for DHCP then I have no problem.
>
> However if they've got static IPs set then I want my server to set
> itself up automatically to provide internet access.
>
> Eg.
>
> Laptop IP: 192.168.6.234 - just because the owner's admin decided to.
> Laptop default GW: 192.168.6.37 - also very random, but allowable...
>
> My server's LAN side is eth1; on detecting packets running around with
> the IP range above, it will then assign a new IP range to itself so
> that the laptop will function.
>
> Has anyone heard of an OSS system that will do this?

You are possibly looking for the proxy ARP feature, look into that.

-- 
Roy-Magne Mo

From oscar at ufomechanic.net Mon Aug 7 14:01:09 2006
From: oscar at ufomechanic.net (Oscar Mechanic)
Date: Sun Aug 13 11:41:59 2006
Subject: [LARTC] route mail through different gateway
In-Reply-To: <35207fdf0608031936y2fe970d6pb855fc2f7557d5de@mail.gmail.com>
References: <35207fdf0608031936y2fe970d6pb855fc2f7557d5de@mail.gmail.com>
Message-ID: <1154952069.4237.81.camel@OSCARLAPLIN>

Silly mistake I always make is to forget to put in NAT on GW. But what you have done should work.

Have you confirmed that this works on 10.0.0.5

ip route del default
ip route add default via 10.0.0.2
ip route flush cache

If that works maybe try

# Don't know which one of these, I think you're right, it should be output
iptables -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark 0x1
ip rule add from 10.0.0.0/8 fwmark 1 lookup 200
ip route add default via 10.0.0.2 table 200

# Then I would try tcpdump -vv -ni eth? and look at the MACs
# or and check the mark (POSTROUTING only exists in the mangle and nat tables)
iptables -t mangle -I POSTROUTING -p tcp --dport 25 -j LOG

On Fri, 2006-08-04 at 14:36 +1200, Michael wrote:
> Hi All,
>
> I've got a server with one LAN card eth0 ip=10.0.0.5
>
> default access to internet done through ADSL router gw 10.0.0.1
> we got second internet access through another ADSL router gw 10.0.0.2
>
> I want to send all e-mail out through gw 10.0.0.2
> How can it be done?
> I've tried to mark packets:
> iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark 0x1
> and
> ip ru add fwmark 0x1 table mail.out
> ip ro add default via 10.0.0.2 lookup mail.out
>
> But it doesn't work
> Any help?
>
> --
> Michael

From lists at andyfurniss.entadsl.com Mon Aug 7 17:06:01 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Sun Aug 13 11:42:07 2006
Subject: [LARTC] tc filter
In-Reply-To: <81c11a560608030906t525d6232vf135053463ce6a8f@mail.gmail.com>
References: <81c11a560608030906t525d6232vf135053463ce6a8f@mail.gmail.com>
Message-ID: <44D756D9.8070603@andyfurniss.entadsl.com>

doudouyam wrote:
> Hi,
> Is it possible to make a filter with tc which excludes an IP like
> iptables ??
>
> ex:
> iptable -t mangle -A PREROUTING -i eth0 -d ! 192.168.1.222 -j MARK ...
>
> I try the ! with tc but it doesn't work.
> Thanks,
> doude.

Not directly, but you can just match the address then follow it with a filter that matches everything else.

Andy.

From justin at expertron.co.za Tue Aug 8 14:07:37 2006
From: justin at expertron.co.za (Justin Schoeman)
Date: Sun Aug 13 11:43:45 2006
Subject: [LARTC] netfilter patch-o-matic: where did all the patches go?
Message-ID: <44D87E89.10706@expertron.co.za>

Hi all,

I haven't been paying attention to this for a while, but now that I download the latest patch-o-matic-ng, I see that most of the patches are gone... Anybody have an idea where I can download the 'extras' repository? Specifically geoip.

Thanks!
-justin

From samueldg at arcoscom.com Wed Aug 9 01:08:35 2006
From: samueldg at arcoscom.com (Samuel Díaz García)
Date: Sun Aug 13 11:45:12 2006
Subject: [LARTC] Info about IFB
Message-ID: <44D91973.2020805@arcoscom.com>

Hi,

I'm looking for info about IFB devices and how I can use them for incoming traffic shaping.

Does IFB have any web page about it? Does anybody know where I can find more info about it?

I found this: http://linux-net.osdl.org/index.php/IFB

But I can't understand how to use it to allow many ifb devices or how to use it with "tc actions".

Any help?

Thanks

-- 
Samuel Díaz García
Director Gerente
ArcosCom Wireless, S.L.L.
CIF: B11828068
c/ Romero Gago, 19
Arcos de la Frontera
11630 - Cadiz
http://www.arcoscom.com
mailto:samueldg@arcoscom.com
msn: samueldg@arcoscom.com
Móvil: 651 93 72 48
Tlfn.: 956 70 13 15
Fax: 956 70 34 83

From william.bohannan at spidersat.net Wed Aug 9 17:09:24 2006
From: william.bohannan at spidersat.net (William Bohannan)
Date: Sun Aug 13 11:46:58 2006
Subject: [LARTC] getting a local name on a network
Message-ID: <000001c6bbc5$d43e9360$0702a8c0@william>

Hi

I have written my firewall rules and it is working great, blocking p2p with layer7 and ipp2p between pm and 6am, also using ulog to get it all into mysql. The only problem is when it comes to accounting for the local traffic, as all it shows is the IP address. I have been looking around for a command to get the "windoz" name from an IP address, then a quick script to change the log entries to also have names. Wondering if anyone has done this?

Kind Regards

William Bohannan

From jarkao2 at o2.pl Thu Aug 10 13:25:13 2006
From: jarkao2 at o2.pl (Jarek Poplawski)
Date: Sun Aug 13 11:48:51 2006
Subject: [LARTC] Re: how to save iproute
In-Reply-To: <1154424503.4282.52.camel@OSCARLAPLIN>
References: <1151768560.5095.75.camel@localhost.localdomain> <1154424503.4282.52.camel@OSCARLAPLIN>
Message-ID:

On 01-08-2006 11:28, Oscar Mechanic wrote:
> Say if I have a few routes like this
>
> ip rule add from 19.21.12.12 lookup 200
> ip route add default via 10.0.0.253
> ip rule add to 13.1.2.2 lookup 201
> ip route add default via 10.0.0.254
> ip route add default via 10.0.0.254
>
> How do I save them, I have looked through the list and have googled this
> Q for some time and do not have any concrete answers. I have read that
> you just save and rerun the command but that does not work as the "from
> all to" is not valid it has to be the "to" without the "from all". I
> have used multiple versions of iproute2 and still the same problem. I
> written a script and put in many sed's to get around problems but its
> nasty code. Surely someone solved this is there a "saveall" script or
> bin that is distro independent.

Maybe I miss your point, but ip doesn't care if you write a command by hand (from shell) or run it from a shell script. If you don't use "from ...", it is the same as if you've written "from all". It doesn't contradict "to ...", which is another parameter. After your last command there will be an error because it repeats the previous one. If you add in a script:

set -x

before the first command, you will see which ones end with errors.

Jarek P.

From jarkao2 at o2.pl Thu Aug 10 15:14:54 2006
From: jarkao2 at o2.pl (Jarek Poplawski) Date: Sun Aug 13 11:49:32 2006 Subject: [LARTC] Re: route mail through different gateway In-Reply-To: <35207fdf0608031936y2fe970d6pb855fc2f7557d5de@mail.gmail.com> References: <35207fdf0608031936y2fe970d6pb855fc2f7557d5de@mail.gmail.com> Message-ID:
On 04-08-2006 04:36, Michael wrote:
> Hi All,
>
> I've got a server with one LAN card eth0 ip=10.0.0.5
>
> default access to the internet is done through ADSL router gw 10.0.0.1
>
> we got second internet access through another ADSL router gw 10.0.0.2
>
> I want to send all e-mail out through gw 10.0.0.2
> How can it be done?
> I've tried to mark packets:
> iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark 0x1
> and
> ip ru add fwmark 0x1 table mail.out
> ip ro add default via 10.0.0.2 lookup mail.out
You mean: ip ro add default via 10.0.0.2 table mail.out
Try this also: echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
Jarek P.
PS: I hope you have this mail.out properly added (or replace it with a number, e.g. 100) and fwmark enabled in kernel config.
From jarkao2 at o2.pl Thu Aug 10 15:38:54 2006
From: jarkao2 at o2.pl (Jarek Poplawski) Date: Sun Aug 13 11:49:39 2006 Subject: [LARTC] Re: tc filter In-Reply-To: <81c11a560608030906t525d6232vf135053463ce6a8f@mail.gmail.com> References: <81c11a560608030906t525d6232vf135053463ce6a8f@mail.gmail.com> Message-ID:
On 03-08-2006 18:06, doudouyam wrote:
> Hi,
> Is it possible to make a filter with tc which excludes an IP, like iptables?
>
> ex:
> iptables -t mangle -A PREROUTING -i eth0 -d ! 192.168.1.222 -j MARK ...
Maybe there is something like this, I don't know, but you can try two filters in turn, e.g.:
# tc filter add dev eth0 parent 1: proto ip pref 100 u32 match ip dst 192.168.1.222 police drop
(or some other "flowid 1:xx" instead of "police drop")
# tc filter add dev eth0 parent 1: proto ip pref 101 u32 match ip dst 192.168.1.0/24 flowid 1:99
Jarek P.
From doudouyam at gmail.com Fri Aug 11 15:43:08 2006
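The two replies above (mail via the second gateway, and "everything except one host" with two u32 filters) as one added example. This is not Michael's or Jarek's script: it puts Jarek's corrections together in runnable form, uses a numeric table (100) instead of the name mail.out so no rt_tables entry is needed, and uses "ip rule ... pref" so re-running does not pile up rules. Addresses follow the thread; the class ids 1:10 and 1:99 in the filter demo are assumptions. DRY_RUN=1 (the default) prints the commands instead of executing them; run with DRY_RUN=0 as root to apply.

```sh
#!/bin/sh
# Added example: fwmark-based policy routing for outbound SMTP plus the
# "exclude one host" tc filter pair. Values from the thread except the
# table number and the class ids, which are assumptions for the demo.
GW2=10.0.0.2       # second ADSL router
TABLE=100          # numeric routing table; no /etc/iproute2/rt_tables entry needed
MARK=0x1
DEV=eth0

run() { if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

mail_via_second_gateway() {
    # mark locally generated SMTP (OUTPUT, not PREROUTING: the mail leaves this host)
    run iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark $MARK
    # marked packets consult table 100, whose only route is the other default
    run ip rule add fwmark $MARK table $TABLE pref 100
    run ip route replace default via $GW2 table $TABLE
    # replies arrive from a gateway the main table would not pick for that
    # source, so strict reverse-path filtering must be off (Jarek's hint)
    run sysctl -w net.ipv4.conf.all.rp_filter=0
    run sysctl -w net.ipv4.conf.$DEV.rp_filter=0
}

# u32 has no "not" match: the exception goes first at a lower pref, the
# catch-all for the rest of the subnet second. $1 host, $2 subnet,
# $3 class for the host, $4 class for everyone else.
exclude_host_filter() {
    host=$1 net=$2 keep=$3 rest=$4
    run tc filter add dev $DEV parent 1: protocol ip pref 100 u32 match ip dst $host flowid $keep
    run tc filter add dev $DEV parent 1: protocol ip pref 101 u32 match ip dst $net flowid $rest
}

mail_via_second_gateway
exclude_host_filter 192.168.1.222 192.168.1.0/24 1:10 1:99
```

Check the result with "ip route get 1.2.3.4 mark 1" (newer iproute2 accepts the mark argument) and "tc -s filter show dev eth0": the host filter must show hits before the subnet filter ever sees that address. Sending the excluded host to a class of its own, rather than to "police drop", keeps its packets countable.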
From: doudouyam at gmail.com (doudouyam) Date: Sun Aug 13 11:52:52 2006 Subject: [LARTC] problem with PRIO Message-ID: <81c11a560608110643y760f0f9flbbb5e551d318e2ba@mail.gmail.com>
Hi, I try to use the PRIO scheduler on a 2.6.17 kernel. I use a simple configuration:
$TC qdisc add dev $dev root handle 1: prio bands 2 priomap 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
$TC qdisc add dev $dev parent 1:1 handle 10:0 sfq perturb 10
$TC qdisc add dev $dev parent 1:2 handle 20:0 sfq perturb 10
And I put filters for my traffic; the 2 streams are correctly put in each class, but the stream in the first class isn't prioritized. Where is my mistake? I tested that on a montejade board (armv5 big endian) and I tried with another architecture (x86 with 2.6.16 kernel) and I had the same problem. Can you help me? Thanks Doude
From covici at ccs.covici.com Sun Aug 13 04:04:49 2006
From: covici at ccs.covici.com (John covici) Date: Sun Aug 13 11:56:41 2006 Subject: [LARTC] trying to prioritize voip traffick Message-ID: <17630.35009.794502.706457@ccs.covici.com>
I am using a server with asterisk and I am trying to prioritize voip traffic -- I am a newbie at this traffic shaping, so please bear with me. I used the script below and what happens is that all traffic in the bulk class stops after a couple of minutes. Also, should I include the ports for rtp in the filter statements with the ports 5061 and 4569? Note I have a fairly big pipe -- supposed to be able to do the full 100mb out. Here is the script.

#!/bin/sh
#####################################
############ VARIABLES ##############
# #
e=eth0 # interface
t1=70Mbit # size of your WAN - remember you can't max this or you'll experience latency. 75-80% of max is a good place to start.
el=100Mbit # size of eth0
w=7.5Mbit # weighting of your WAN (10% of t1)
sizeCitrix=5Mbit
sizeVoIP=55Mbit
sizeBulk=10Mbit
weightCitrix=0.5Mbit
weightVoIP=5.5Mbit
weightBulk=1Mbit
# #
#####################################
#####################################

# Delete any old rules #
set -v
set -x
tc qdisc del root dev $e

## each class is able to take more bandwidth as it is available, but must
## surrender it as the higher priorities (2, 3, then 4) need it.
## The lower the priority number, the more priority it gets. Thus when
## there is extra bandwidth available, the lower number classes get it as
## they need it.

# root qdisc / qdisc = queueing discipline #
tc qdisc add dev $e root handle 1:0 cbq bandwidth 100Mbit avpkt 1000 cell 8 || exit 1
tc class add dev $e parent 1:0 classid 1:1 cbq bandwidth 100Mbit rate $t1 weight $w prio 8 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded || exit 1

# child qdiscs (like child nodes on a tree) #
tc class add dev $e parent 1:1 classid 1:3 cbq bandwidth 100Mbit rate $sizeCitrix weight $weightCitrix prio 8 allot 1514 cell 8 maxburst 20 avpkt 300 isolated || exit 1
tc qdisc add dev $e parent 1:3 handle 30: sfq perturb 20 || exit 1
tc class add dev $e parent 1:1 classid 1:5 cbq bandwidth 100Mbit rate $sizeVoIP weight $weightVoIP prio 8 allot 1514 cell 8 maxburst 20 avpkt 204 bounded || exit 1
tc class add dev $e parent 1:1 classid 1:9 cbq bandwidth 100Mbit rate $sizeBulk weight $weightBulk prio 8 allot 1514 cell 8 maxburst 20 avpkt 1000 || exit 1
tc qdisc add dev $e parent 1:9 handle 90: sfq perturb 20 || exit 1

#####################################
############### Citrix ##############
# #
# SSH #
tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip sport 22 0xffff flowid 1:3 || exit 1
tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip dport 22 0xffff flowid 1:3 || exit 1

#####################################
############### VoIP ################
# #
# IAX # this is the old format - IAX2 should be what's really seen going on
tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip sport 5061 0xffff flowid 1:5 || exit 1
tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip dport 5061 0xffff flowid 1:5 || exit 1
# IAX2 #
tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip sport 4569 0xffff flowid 1:5 || exit 1
tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip dport 4569 0xffff flowid 1:5 || exit 1

#####################################
######### Bulk / Default ############
# #
tc filter add dev $e protocol ip parent 1:0 prio 3 u32 match ip src 0.0.0.0/0 flowid 1:9 || exit 1
tc filter add dev $e protocol ip parent 1:0 prio 3 u32 match ip dst 0.0.0.0/0 flowid 1:9 || exit 1

Any assistance would be appreciated.
-- Your life is like a penny. You're going to lose it. The question is: How do you spend it? John Covici covici@ccs.covici.com
From tgraf at suug.ch Thu Aug 10 14:36:02 2006
From: tgraf at suug.ch (Thomas Graf) Date: Sun Aug 13 11:58:02 2006 Subject: [LARTC] Re: [PATCH 0/6] htb: cleanup In-Reply-To: <20060802.151816.30182208.davem@davemloft.net> References: <20060802125636.3028ba91@dxpl.pdx.osdl.net> <20060802.151816.30182208.davem@davemloft.net> Message-ID: <20060810123602.GE14627@postel.suug.ch>
* David Miller 2006-08-02 15:18
> From: Stephen Hemminger
> Date: Wed, 2 Aug 2006 12:56:36 -0700
>
> > The HTB scheduler code is a mess, this patch set does some basic
> > house cleaning. The first four should cause no code change, but the
> > last two need more testing.
>
> These patches look fine to me. Once everyone thinks they
> are ready just let me know and I'll push them into net-2.6.19
I think they are ready.
From kaber at trash.net Sun Aug 13 13:34:48 2006
From: kaber at trash.net (Patrick McHardy) Date: Sun Aug 13 13:34:29 2006 Subject: [LARTC] netfilter patch-o-matic: where did all the patches go? In-Reply-To: <44D87E89.10706@expertron.co.za> References: <44D87E89.10706@expertron.co.za> Message-ID: <44DF0E58.3050903@trash.net>
Justin Schoeman wrote:
> I haven't been paying attention to this for a while, but now that I
> download the latest patch-o-matic-ng, I see that most of the patches are
> gone...
>
> Anybody have an idea where I can download the 'extras' repository?
> Specifically geoip.
We removed all patches that we don't want to maintain ourselves. Most of the patches that are actually used by people are now maintained in external repositories, runme --download will fetch them for you.
From tizone at gmail.com Sun Aug 13 22:18:25 2006
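John's script above matches single ports with "match ip dport N 0xffff". RTP does not use one port but a range, and u32 can only compare a value under a mask, so a range has to be split into mask-aligned blocks. The following added example (not part of John's script or of any reply in the thread) does that split and emits one "tc filter" line per block. The range 10000-20000, the device, and the class id 1:5 in the demo are assumptions, not values from the thread; Asterisk's actual RTP range is whatever rtp.conf says.

```sh
#!/bin/sh
# Added example: decompose a UDP port range into u32 value/mask matches.
# "match ip dport" is a fixed-offset match (bytes 22-23 of the IP packet),
# so like John's filters it assumes IPv4 headers without options.

# Print "match ip dport VALUE 0xMASK" lines that together cover [lo, hi].
port_range_to_u32() {
    lo=$1; hi=$2
    [ "$lo" -ge 0 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ] || return 1
    while [ "$lo" -le "$hi" ]; do
        size=1
        # double the block while lo stays aligned to it and it stays in range
        while [ $((lo & (size * 2 - 1))) -eq 0 ] && [ $((lo + size * 2 - 1)) -le "$hi" ]; do
            size=$((size * 2))
        done
        mask=$((0xffff & ~(size - 1)))
        printf 'match ip dport %d 0x%04x\n' "$lo" "$mask"
        lo=$((lo + size))
    done
}

# One filter per block, UDP only (protocol 17). $1 dev, $2 class, $3 lo, $4 hi.
# Incoming RTP would need the same on "sport".
rtp_filters() {
    dev=$1 flowid=$2 lo=$3 hi=$4
    port_range_to_u32 "$lo" "$hi" | while IFS= read -r m; do
        printf 'tc filter add dev %s protocol ip parent 1:0 prio 1 u32 match ip protocol 17 0xff %s flowid %s\n' \
            "$dev" "$m" "$flowid"
    done
}

# Demo with assumed values: print (do not apply) the filters for 10000-20000.
rtp_filters eth0 1:5 10000 20000
```

A range that is already a power-of-two block (16384-32767, for instance) collapses to a single match with mask 0xc000; an arbitrary range such as 10000-20000 needs a dozen or so. If that many filters is unattractive, marking RTP by DSCP instead ("match ip tos 0xb8 0xfc" for EF) is the usual alternative, provided the PBX sets it.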
From: tizone at gmail.com (Andrés Ghigliazza) Date: Sun Aug 13 22:18:10 2006 Subject: [LARTC] ingress and flowid In-Reply-To: References: Message-ID:
Hi there, I am trying to understand our router / firewall, which was configured by another person. It is a Debian GNU/Linux with several configurations with tc and iptables. I have a question about flowid in the ingress qdisc. As far as I know, this qdisc is a dummy one, and flowid is just used with :1 because the traffic has to be redirected to something. However, in our router, there are some filters on the ingress qdisc that have different flowids (:1, :2 and :5). Does that make any sense? Thanks very much, tizo
From simvirus at gmail.com Mon Aug 14 02:42:06 2006
From: simvirus at gmail.com (Sim) Date: Mon Aug 14 02:41:51 2006 Subject: [LARTC] HTB and BOND Interface Message-ID:
Hi! Is HTB fully compatible with BOND interfaces? I have this setup (mode= fault tolerance):
BOND0 -> ETH0 + ETH1
BOND1 -> ETH2 + ETH3
( http://www.kernel.org/pub/linux/kernel/people/marcelo/linux-2.4/Documentation/networking/bonding.txt )
HTB works very well with Classes over BOND0. If I add Classes for BOND1 it generates balance errors. Also with HTB.init (http://sourceforge.net/projects/htbinit) I have the same problem
bond0 (upload)
bond0-10
bond0-10:15
bond0-10:20
bond0-10:20:25
bond1-10 (download)
bond1-10:15
bond1-10:20
bond1-10:20:25
( Files bond0* and bond1* are identical )
Thanks for eventual answers! Sim
From pereyra.roberto at gmail.com Mon Aug 14 12:27:51 2006
From: pereyra.roberto at gmail.com (Roberto Pereyra) Date: Mon Aug 14 12:27:35 2006 Subject: [LARTC] trying to prioritize voip traffick In-Reply-To: <17630.35009.794502.706457@ccs.covici.com> References: <17630.35009.794502.706457@ccs.covici.com> Message-ID:
Hi, take a look at this link: http://www.krisk.org/astlinux/misc/astshape
roberto
2006/8/12, John covici :
> I am using a server with asterisk and I am trying to prioritize voip
> traffic -- I am a newbie at this traffic shaping, so please bear with
> me. I used the script below and what happens is that all traffic in
> the bulk class stops after a couple of minutes. Also, should I
> include the ports for rtp in the filter statements with the ports 5061
> and 4569? Note I have a fairly big pipe -- supposed to be able to do
> the full 100mb out.
>
> Here is the script.
>
> #!/bin/sh
> #####################################
> ############ VARIABLES ##############
> # #
> e=eth0 # interface
> t1=70Mbit # size of your WAN - remember you can't max this or you'll experience latency. 75-80% of max is a good place to start.
> el=100Mbit # size of eth0
> w=7.5Mbit # weighting of your WAN (10% of t1)
> sizeCitrix=5Mbit
> sizeVoIP=55Mbit
> sizeBulk=10Mbit
> weightCitrix=0.5Mbit
> weightVoIP=5.5Mbit
> weightBulk=1Mbit
> # #
> #####################################
> #####################################
>
> # Delete any old rules #
> set -v
> set -x
> tc qdisc del root dev $e
>
> ## each class is able to take more bandwidth as it is available, but must
> ## surrender it as the higher priorities (2, 3, then 4) need it.
> ## The lower the priority number, the more priority it gets. Thus when
> ## there is extra bandwidth available, the lower number classes get it as
> ## they need it.
>
> # root qdisc / qdisc = queueing discipline #
> tc qdisc add dev $e root handle 1:0 cbq bandwidth 100Mbit avpkt 1000 cell 8 || exit 1
> tc class add dev $e parent 1:0 classid 1:1 cbq bandwidth 100Mbit rate $t1 weight $w prio 8 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded || exit 1
>
> # child qdiscs (like child nodes on a tree) #
> tc class add dev $e parent 1:1 classid 1:3 cbq bandwidth 100Mbit rate $sizeCitrix weight $weightCitrix prio 8 allot 1514 cell 8 maxburst 20 avpkt 300 isolated || exit 1
> tc qdisc add dev $e parent 1:3 handle 30: sfq perturb 20 || exit 1
> tc class add dev $e parent 1:1 classid 1:5 cbq bandwidth 100Mbit rate $sizeVoIP weight $weightVoIP prio 8 allot 1514 cell 8 maxburst 20 avpkt 204 bounded || exit 1
> tc class add dev $e parent 1:1 classid 1:9 cbq bandwidth 100Mbit rate $sizeBulk weight $weightBulk prio 8 allot 1514 cell 8 maxburst 20 avpkt 1000 || exit 1
> tc qdisc add dev $e parent 1:9 handle 90: sfq perturb 20 || exit 1
>
> #####################################
> ############### Citrix ##############
> # #
> # SSH #
> tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip sport 22 0xffff flowid 1:3 || exit 1
> tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip dport 22 0xffff flowid 1:3 || exit 1
>
> #####################################
> ############### VoIP ################
> # #
> # IAX # this is the old format - IAX2 should be what's really seen going on
> tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip sport 5061 0xffff flowid 1:5 || exit 1
> tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip dport 5061 0xffff flowid 1:5 || exit 1
> # IAX2 #
> tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip sport 4569 0xffff flowid 1:5 || exit 1
> tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip dport 4569 0xffff flowid 1:5 || exit 1
>
> #####################################
> ######### Bulk / Default ############
> # #
> tc filter add dev $e protocol ip parent 1:0 prio 3 u32 match ip src 0.0.0.0/0 flowid 1:9 || exit 1
> tc filter add dev $e protocol ip parent 1:0 prio 3 u32 match ip dst 0.0.0.0/0 flowid 1:9 || exit 1
>
> Any assistance would be appreciated.
>
> --
> Your life is like a penny. You're going to lose it. The question is:
> How do you spend it?
>
> John Covici
> covici@ccs.covici.com
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
-- Ing. Roberto Pereyra ContenidosOnline Looking for Linux Virtual Private Servers ? Click here: http://www.spry.com/hosting-affiliate/scripts/t.php?a_aid=426&a_bid=56
From pereyra.roberto at gmail.com Mon Aug 14 13:00:12 2006
From: pereyra.roberto at gmail.com (Roberto Pereyra) Date: Mon Aug 14 12:59:58 2006 Subject: [LARTC] enable p2p to some host (ipp2p) Message-ID:
Hi, I'm using ipp2p to block p2p traffic. How do I allow one host in my net to use p2p? I'm using this setup:
iptables -A FORWARD -m ipp2p --ipp2p --bit --apple --winmx --soul --ares -j DROP
This setup:
iptables -A FORWARD -m ipp2p --ipp2p --bit --apple --winmx --soul --ares -d ! mynet -j DROP
iptables -A FORWARD -m ipp2p --ipp2p --bit --apple --winmx --soul --ares -s ! mynet -j DROP
does not work ....
roberto
-- Ing. Roberto Pereyra ContenidosOnline Looking for Linux Virtual Private Servers ? Click here: http://www.spry.com/hosting-affiliate/scripts/t.php?a_aid=426&a_bid=56
From simvirus at gmail.com Mon Aug 14 13:24:55 2006
From: simvirus at gmail.com (Sim) Date: Mon Aug 14 13:24:41 2006 Subject: [LARTC] Re: HTB and BOND Interface In-Reply-To: References: Message-ID:
> Hi!
>
> Is HTB fully compatible with BOND interfaces?
>
> I have this setup (mode= fault tolerance):
>
> BOND0 -> ETH0 + ETH1
> BOND1 -> ETH2 + ETH3
>
> ( http://www.kernel.org/pub/linux/kernel/people/marcelo/linux-2.4/Documentation/networking/bonding.txt
> )
>
> HTB works very well with Classes over BOND0.
> If I add Classes for BOND1 it generates balance errors.
>
> Also with HTB.init (http://sourceforge.net/projects/htbinit) I have
> the same problem
>
> bond0 (upload)
> bond0-10
> bond0-10:15
> bond0-10:20
> bond0-10:20:25
> bond1-10 (download)
> bond1-10:15
> bond1-10:20
> bond1-10:20:25
>
> ( Files bond0* and bond1* are identical )
>
> Thanks for eventual answers!
Can I create something like " tc qdisc add dev $DEV handle ffff: ingress " to use only the BOND0 interface? Here is my actual script:

/sbin/tc qdisc del dev bond0 root
/sbin/tc qdisc add dev bond0 root handle 1 htb default 15 r2q 100
/sbin/tc class add dev bond0 parent 1: classid 1:10 htb rate 7.6Mbit burst 15k
/sbin/tc class add dev bond0 parent 1:10 classid 1:15 htb rate 100Kbit ceil 1Mbit burst 15k
/sbin/tc qdisc add dev bond0 parent 1:15 handle 15 sfq perturb 10
/sbin/tc class add dev bond0 parent 1:10 classid 1:20 htb rate 1.5Mbit ceil 6Mbit burst 15k
/sbin/tc qdisc add dev bond0 parent 1:20 handle 20 sfq perturb 10
/sbin/tc filter add dev bond0 parent 1:0 protocol ip prio 100 u32 match ip src 192.168.2.0/24 classid 1:20
/sbin/tc filter add dev bond0 parent 1:0 protocol ip prio 100 u32 match ip src 192.168.3.0/24 classid 1:20
/sbin/tc filter add dev bond0 parent 1:0 protocol ip prio 100 u32 match ip src 192.168.6.0/24 classid 1:20
/sbin/tc class add dev bond0 parent 1:10 classid 1:30 htb rate 1.5Mbit ceil 6Mbit burst 15k
/sbin/tc qdisc add dev bond0 parent 1:30 handle 30 sfq perturb 10
/sbin/tc filter add dev bond0 parent 1:0 protocol ip prio 100 u32 match ip src 192.168.4.0/24 classid 1:30
/sbin/tc filter add dev bond0 parent 1:0 protocol ip prio 100 u32 match ip src 192.168.5.0/24 classid 1:30
/sbin/tc filter add dev bond0 parent 1:0 protocol ip prio 100 u32 match ip dst 192.168.7.0/24 classid 1:30
/sbin/tc class add dev bond0 parent 1:10 classid 1:38 htb rate 2Mbit ceil 3Mbit burst 15k
/sbin/tc qdisc add dev bond0 parent 1:38 handle 38 sfq perturb 10
/sbin/tc filter add dev bond0 parent 1:0 protocol ip prio 100 u32 match ip src 192.168.8.0/24 classid 1:38
/sbin/tc class add dev bond0 parent 1:10 classid 1:39 htb rate 1Mbit ceil 4Mbit burst 15k
/sbin/tc qdisc add dev bond0 parent 1:39 handle 39 sfq perturb 10
/sbin/tc class add dev bond0 parent 1:39 classid 1:3956 htb rate 256Kbit ceil 1Mbit burst 15k
/sbin/tc qdisc add dev bond0 parent 1:3956 handle 3956 sfq perturb 10
/sbin/tc filter add dev bond0 parent 1:0 protocol ip prio 100 u32 match ip src 192.168.9.15/32 classid 1:3956
/sbin/tc filter add dev bond0 parent 1:0 protocol ip prio 100 u32 match ip src 192.168.9.35/32 classid 1:3956
/sbin/tc class add dev bond0 parent 1:39 classid 1:3999 htb rate 768Kbit ceil 4Mbit burst 15k
/sbin/tc qdisc add dev bond0 parent 1:3999 handle 3999 sfq perturb 10
/sbin/tc filter add dev bond0 parent 1:0 protocol ip prio 100 u32 match ip src 192.168.9.0/24 classid 1:3999

Thanks!
From lburatti at zacmi.it Mon Aug 14 16:03:08 2006
From: lburatti at zacmi.it (lburatti@zacmi.it) Date: Mon Aug 14 16:02:55 2006 Subject: [LARTC] luca buratti is out of office Message-ID:
I will be out of the office from 14/08/2006 and will not return until 28/08/2006. I will reply to the message when I return. Trend Scan Mail: this message is virus free.
From jrompen at gmail.com Mon Aug 14 17:42:37 2006
From: jrompen at gmail.com (Jacques Rompen) Date: Mon Aug 14 17:42:26 2006 Subject: [LARTC] Routing packets over multiple links (NICS) all on the same ISP all with same gateway. Message-ID: <10c138640608140842x66bdc222q1f444e6d25f59582@mail.gmail.com>
Ok, I've been trying to get this to work for about half a year now. I've searched all over the internet for a solution for my problem. I've found some solutions, but they only led me to yet more problems.
What we want to do is the following: I live in a student complex with 7 other people. Every room has its own internet connection from the same ISP. IP, gateway, subnet are assigned through dhcp on a mac-address basis. Every internet connection is capped at 20mbit up/down. We want to get all computers on an internal network. So we need some sort of router that accepts all 8 internet connections and routes it out over a gbit nic -> switch -> internal network. So we have a computer with 10 nics and "hopefully" enough internal bandwidth.
Attempt 1: I read that FreeBSD was the choice for network/router/servers. So after a lot of problems installing FreeBSD I found out that FreeBSD doesn't support multiple gateway routing to start with.
Attempt 2: I've tried the nano guide http://www.ssi.bg/~ja/nano.txt with the julian patches on FC5 2.6 kernel. The problem there was that it only used 1 external nic. I think because all external connections had the same gateway. It didn't handle the routing like it is supposed to do.
Attempt 3: I've tried to follow the following guide http://www.leglug.org/node/Load%20Balancing%20Across%20Multiple%20Links I first tried to use this script in a 2.6 kernel (no julian patch, ip_route_multipath_cache enabled). It could not find any match for the "-m random --average 50 " function. So after trying all kinds of things and searching the net a lot, I found out that the 2.6 kernel doesn't support this random match?? Anyway, so I've installed Slackware 10.2 on the box with a 2.4.32 kernel.
Of course with multipath routing enabled in the kernel. Again it couldn't: load match 'random: /usr/lib/iptables/libipt_random.so' As far as I know it should be available in iptables 1.3.3 that comes with slackware 10.2. I know that trunking/bonding the 8 nics with the switch in the complex would be the ideal solution, but first of all the isp won't do this, and second I'm not even sure if the switch supports this (if I could even get access to it). Some help would be greatly appreciated.
From luciano at lugmen.org.ar Mon Aug 14 18:21:22 2006
From: luciano at lugmen.org.ar (Luciano Ruete) Date: Mon Aug 14 18:15:13 2006 Subject: [LARTC] Routing packets over multiple links (NICS) all on the same ISP all with same gateway. In-Reply-To: <10c138640608140842x66bdc222q1f444e6d25f59582@mail.gmail.com> References: <10c138640608140842x66bdc222q1f444e6d25f59582@mail.gmail.com> Message-ID: <200608141321.22643.luciano@lugmen.org.ar>
On Monday 14 August 2006 12:42, Jacques Rompen wrote:
> Ok, I've been trying to get this to work for about half a year now. I've
> searched all over the internet for a solution for
> my problem. I've found some solutions, but they only led me to yet more
> problems.
>
> What we want to do is the following:
> I live in a student complex with 7 other people. Every room has its own
> internet connection from the same ISP.
> IP, gateway, subnet are assigned through dhcp on a mac-address basis. Every
> internet connection is capped at 20mbit
> up/down.
> We want to get all computers on an internal network. So we need some sort
> of router that accepts all 8 internet
> connections and routes it out over a gbit nic -> switch -> internal network
> So we have a computer with 10 nics and "hopefully" enough internal
> bandwidth.
one simple solution is in this post[1] (read the whole thread if you want context). Basically it uses iptables CONNMARK to remember to which iface (and certainly which src ip) each connection flow belongs. You will have to use the same gw on all ifaces; maybe the ip route "onlink" option (command line) makes your script simpler. No need to use the julian patch and certainly DO NOT USE CONFIG_IP_ROUTE_MULTIPATH_CACHED in your kernel config. Feel free to post any doubts. Greets.
[1]http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html
-- -- Luciano
From tizone at gmail.com Mon Aug 14 22:21:10 2006
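Luciano's suggestion above (CONNMARK to pin each connection to the link it started on, one routing table per link, the same gateway reached via "onlink") as an added, runnable example. This is not Jacques's setup and not the script from the linked post: the interface names, the addresses and the gateway are assumptions for the demo, and the spreading of new connections uses the "statistic" match (in mainline iptables) rather than the patch-o-matic "random" match Jacques could not load. DRY_RUN=1 (the default) prints the commands; run with DRY_RUN=0 as root to apply.

```sh
#!/bin/sh
# Added example: per-connection spreading over N uplinks that share one
# gateway address. Assumed layout: LAN on eth0, uplinks eth1..eth3 with
# their DHCP-assigned addresses listed below (constructed values).
LAN=eth0
GW=10.0.0.1
UPLINKS="eth1:10.0.0.11 eth2:10.0.0.12 eth3:10.0.0.13"   # "iface:address" pairs

run() { if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

multilink_setup() {
    set -- $UPLINKS
    n=$#
    i=0
    # replies come back on whichever link the connection used; strict
    # reverse-path filtering would drop them
    run sysctl -w net.ipv4.conf.all.rp_filter=0
    # 1) give every packet its connection's mark back before anything else
    run iptables -t mangle -A PREROUTING -i $LAN -j CONNMARK --restore-mark
    for pair in "$@"; do
        i=$((i + 1))
        iface=${pair%%:*}; addr=${pair#*:}
        table=$((100 + i))
        # 2) one table per link; "onlink" lets all links share the gateway
        run ip route replace default via $GW dev $iface table $table onlink
        run ip rule add fwmark $i table $table pref $((1000 + i))
        run ip rule add from $addr table $table pref $((2000 + i))
        # 3) still-unmarked NEW connections: rule i takes 1/(n-i+1) of what is
        #    left, so the last rule takes everything that remains (equal share)
        run iptables -t mangle -A PREROUTING -i $LAN -m conntrack --ctstate NEW -m mark --mark 0 \
            -m statistic --mode nth --every $((n - i + 1)) --packet 0 -j MARK --set-mark $i
        # 4) source NAT per link, otherwise the ISP sees the wrong address
        run iptables -t nat -A POSTROUTING -o $iface -j SNAT --to-source $addr
    done
    # 5) remember the choice for the rest of the connection
    run iptables -t mangle -A PREROUTING -i $LAN -j CONNMARK --save-mark
}

multilink_setup
```

Two things to verify after applying: "conntrack -L" (or /proc/net/nf_conntrack) should show mark=1..N on LAN connections, and "ip route get 8.8.8.8 mark 2" must pick eth2. The "-m mark --mark 0" guard is what makes the shares equal; without it every nth rule would see all packets and the later links would be starved.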
From: tizone at gmail.com (Andrés Ghigliazza) Date: Mon Aug 14 22:20:55 2006 Subject: [LARTC] tc and HTB Message-ID:
Hi, I have a Debian that is connected to the Internet on eth0, and to a LAN on eth1. I wanted to control traffic with HTB, dividing it depending on what kind of traffic it is (Mail, Application Server and others). Would it be good to use an HTB qdisc on eth0 egress to control outgoing traffic and an HTB qdisc on eth1 egress to control incoming traffic? Or is the only way to control incoming traffic with eth0 ingress? Thanks very much, tizo
From luciano at lugmen.org.ar Mon Aug 14 22:41:48 2006
From: luciano at lugmen.org.ar (Luciano Ruete) Date: Mon Aug 14 22:35:42 2006 Subject: [LARTC] tc and HTB In-Reply-To: References: Message-ID: <200608141741.48488.luciano@lugmen.org.ar>
On Monday 14 August 2006 17:21, Andrés Ghigliazza wrote:
> Hi,
>
> I have a Debian that is connected to the Internet on eth0, and to a LAN on
> eth1. I wanted to control traffic with HTB, dividing it depending on
> what kind of traffic it is (Mail, Application Server and others).
>
> Would it be good to use an HTB qdisc on eth0 egress to control outgoing
> traffic and an HTB qdisc on eth1 egress to control incoming traffic? Or
> is the only way to control incoming traffic with eth0 ingress?
INET-eth0-Router-eth1-LAN
on eth0 egress htb qdisc (you shape uplink here)
on eth1 egress htb qdisc (you shape downlink here)
this fits perfectly if it is the LAN traffic that you want to shape. If it is the traffic from the server itself you will need an ingress policy on eth0.
-- Luciano
From simvirus at gmail.com Mon Aug 14 23:17:58 2006
From: simvirus at gmail.com (Sim) Date: Mon Aug 14 23:17:44 2006 Subject: [LARTC] tc and HTB In-Reply-To: <200608141741.48488.luciano@lugmen.org.ar> References: <200608141741.48488.luciano@lugmen.org.ar> Message-ID:
> INET-eth0-Router-eth1-LAN
>
> on eth0 egress htb qdisc (you shape uplink here)
> on eth1 egress htb qdisc (you shape downlink here)
>
> this fits perfectly if it is the LAN traffic that you want to shape. If
> it is the traffic from the server itself you will need an ingress policy on
> eth0.
Hi Luciano! Can you help me to use only one interface for upload/download? Is it possible to shape traffic with an " ingress policy "? I haven't found documents for this policy. Thanks! Sim
From luciano at lugmen.org.ar Tue Aug 15 01:23:06 2006
From: luciano at lugmen.org.ar (Luciano Ruete) Date: Tue Aug 15 01:22:52 2006 Subject: [LARTC] tc and HTB In-Reply-To: References: <200608141741.48488.luciano@lugmen.org.ar> Message-ID: <200608142023.06265.luciano@lugmen.org.ar>
On Monday 14 August 2006 18:17, Sim wrote:
> > INET-eth0-Router-eth1-LAN
> >
> > on eth0 egress htb qdisc (you shape uplink here)
> > on eth1 egress htb qdisc (you shape downlink here)
> >
> > this fits perfectly if it is the LAN traffic that you want to shape.
> > If it is the traffic from the server itself you will need an ingress
> > policy on eth0.
>
> Hi Luciano! Can you help me to use only one interface for upload/download?
>
> Is it possible to shape traffic with an " ingress policy "?
>
> I haven't found documents for this policy.
This is the LARTC mailing list and the first document to read before posting a FAQ is the LARTC HOWTO. All from LARTC:
http://lartc.org/howto/lartc.adv-qdisc.ingress.html
http://lartc.org/howto/lartc.adv-filter.policing.html
with examples like: http://lartc.org/howto/lartc.cookbook.synflood-protect.html
Alternatively you can use imq: http://lartc.org/howto/lartc.imq.html
RTFM! (sorry, can't avoid that :-P)
-- Luciano
From kristiadi_himawan at dtp.net.id Tue Aug 15 09:16:40 2006
From: kristiadi_himawan at dtp.net.id (Kristiadi Himawan) Date: Tue Aug 15 09:16:25 2006 Subject: [LARTC] smallest rate In-Reply-To: References: <17630.35009.794502.706457@ccs.covici.com> Message-ID: <44E174D8.7050407@dtp.net.id>
Hi, does anyone know the smallest rate for tc? Is it possible to use 0 bps?
From julius.junghans at gmx.de Tue Aug 15 17:17:16 2006
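Samuel's IFB question near the top of this page and Sim's "only one interface for upload/download" above are the same problem: incoming traffic cannot be queued on the receiving interface itself, so it is either policed (dropped) on ingress, or redirected to a device whose egress can carry a real HTB tree. IFB is the in-tree way to do the redirect (IMQ, which the HOWTO link covers, is an out-of-tree patch). The following added example (not from any post in the thread) does that with a "tc action": interface name, rates, and class ids are assumptions for the demo. DRY_RUN=1 (the default) prints the commands; run with DRY_RUN=0 as root to apply.

```sh
#!/bin/sh
# Added example: shape incoming traffic on one interface by redirecting
# ingress to ifb0 with the mirred action, then running HTB on ifb0's egress.
# WAN, DOWN and the class layout are assumed values, not from the thread.
WAN=eth0
IFB=ifb0
DOWN=7000kbit     # a little under the real downlink so the queue builds here, not upstream

run() { if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

ingress_to_ifb() {
    run modprobe ifb numifbs=1
    run ip link set dev $IFB up
    # the ingress qdisc cannot queue; every packet is handed to ifb0 by the
    # action, so the flowid on this filter is only a label (Andrés's question)
    run tc qdisc add dev $WAN handle ffff: ingress
    run tc filter add dev $WAN parent ffff: protocol ip u32 match u32 0 0 \
        action mirred egress redirect dev $IFB
}

shape_on_ifb() {
    run tc qdisc add dev $IFB root handle 1: htb default 20
    run tc class add dev $IFB parent 1: classid 1:1 htb rate $DOWN
    run tc class add dev $IFB parent 1:1 classid 1:10 htb rate 2000kbit ceil $DOWN prio 1
    run tc class add dev $IFB parent 1:1 classid 1:20 htb rate 5000kbit ceil $DOWN prio 2
    run tc qdisc add dev $IFB parent 1:10 handle 10: sfq perturb 10
    run tc qdisc add dev $IFB parent 1:20 handle 20: sfq perturb 10
    # classify on ifb0 with u32: the ingress hook runs before netfilter, so
    # marks set in iptables PREROUTING are not yet on the packet here
    run tc filter add dev $IFB parent 1: protocol ip prio 1 u32 match ip sport 22 0xffff flowid 1:10
}

teardown() {
    run tc qdisc del dev $WAN ingress
    run tc qdisc del dev $IFB root
}

ingress_to_ifb
shape_on_ifb
```

The upload side stays an ordinary HTB tree on eth0's root, so one physical interface ends up with two independent trees: eth0 root for egress, ifb0 root for what arrived on eth0. "tc -s qdisc show dev ifb0" should show the byte counters climbing; if they stay at zero, the mirred action is not attached (check "tc -s filter show dev eth0 parent ffff:").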
From: julius.junghans at gmx.de (Julius Junghans) Date: Tue Aug 15 17:18:36 2006 Subject: [LARTC] howto reduce the ping? Message-ID: <200608151717.17048.julius.junghans@gmx.de>
Hi, with the attached config my gaming ping is still +20ms, even if the line isn't saturated.. can anybody give me a hint how to get a better response time? my line: 1024/128kbit
outbound: one htb qdisc for gaming (7kbps) prio 0 ceil 14kbps <- should get more traffic when needed. Htb again for irc and default.
inbound: css, irc, p2p, default <- same scheme as before, give css enough bandwidth and allocate the rest for the other classes.
Are packets in 1:10 (css) transferred as fast as they arrive?
Same config without line breaks: http://phpfi.com/140959

#!/bin/bash
OUTBOUND_DEV=ppp0
INBOUND_DEV=imq0

start_outbound() {
    echo "Starting outbound"
    tc qdisc add dev ppp0 root handle 1: htb default 90
    #max upload
    tc class add dev ppp0 parent 1: classid 1:1 htb rate 14kbps
    #css
    tc class add dev ppp0 parent 1:1 classid 1:10 htb rate 9kbps ceil 14kbps prio 1
    iptables -t mangle -A POSTROUTING -p tcp --dport 27020:27039 -j CLASSIFY --set-class 1:10
    iptables -t mangle -A POSTROUTING -p udp --dport 27000:27015 -j CLASSIFY --set-class 1:10
    #irc
    tc class add dev ppp0 parent 1:1 classid 1:20 htb rate 1kbps ceil 1kbps prio 2
    iptables -t mangle -A POSTROUTING -p tcp --dport 6667 -j CLASSIFY --set-class 1:20
    #default
    tc class add dev ppp0 parent 1:1 classid 1:90 htb rate 4kbps ceil 4kbps prio 3
}

stop_outbound_tc() {
    echo "Stopping outbound tc"
    tc qdisc del dev ppp0 root 2> /dev/null > /dev/null
    tc qdisc del dev ppp0 ingress 2> /dev/null > /dev/null
}

stop_outbound_iptables() {
    echo "Stopping outbound iptables"
    #css
    iptables -t mangle -D POSTROUTING -p tcp --dport 27020:27039 -j CLASSIFY --set-class 1:10
    iptables -t mangle -D POSTROUTING -p udp --dport 27000:27015 -j CLASSIFY --set-class 1:10
    #irc
    iptables -t mangle -D POSTROUTING -p tcp --dport 6667 -j CLASSIFY --set-class 1:20
    #default: nothing to delete, unclassified traffic reaches 1:90 through "htb default 90"
}

start_inbound_device() {
    echo "Starting inbound device"
    ip link set $INBOUND_DEV up
}

stop_inbound_device() {
    echo "Stopping inbound device"
    ip link set $INBOUND_DEV down
}

start_inbound() {
    echo "Starting inbound"
    tc qdisc add dev $INBOUND_DEV root handle 1: htb default 90
    #max download rate
    tc class add dev $INBOUND_DEV parent 1: classid 1:1 htb rate 110kbps
    #css
    tc class add dev $INBOUND_DEV parent 1:1 classid 1:10 htb rate 30kbps ceil 110kbps prio 1
    iptables -t mangle -A PREROUTING -i ppp0 -p udp --sport 27000:27015 -j MARK --set-mark 1
    iptables -t mangle -A PREROUTING -i ppp0 -p tcp --sport 27020:27039 -j MARK --set-mark 1
    tc filter add dev $INBOUND_DEV parent 1:0 protocol ip prio 1 handle 1 fw classid 1:10
    #irc
    tc class add dev $INBOUND_DEV parent 1:1 classid 1:20 htb rate 10kbps ceil 10kbps prio 2
    iptables -t mangle -A PREROUTING -i ppp0 -p tcp --sport 6667 -j MARK --set-mark 2
    tc filter add dev $INBOUND_DEV parent 1:0 protocol ip prio 2 handle 2 fw classid 1:20
    #p2p
    tc class add dev $INBOUND_DEV parent 1:1 classid 1:30 htb rate 40kbps ceil 40kbps prio 3
    iptables -t mangle -A PREROUTING -p tcp --dport 6881:6999 -j MARK --set-mark 3
    tc filter add dev $INBOUND_DEV parent 1:0 protocol ip prio 3 handle 3 fw classid 1:30
    #default
    tc class add dev $INBOUND_DEV parent 1:1 classid 1:90 htb rate 30kbps ceil 30kbps prio 4
    #fetch all incoming stuff and redirect it to imq0
    iptables -t mangle -A PREROUTING -i ppp0 -j IMQ --todev 0
}

stop_inbound_tc() {
    echo "Stopping inbound tc"
    tc qdisc del dev $INBOUND_DEV root 2> /dev/null > /dev/null
    tc qdisc del dev $INBOUND_DEV ingress 2> /dev/null > /dev/null
}

stop_inbound_iptables() {
    echo "Stopping inbound iptables"
    #css
    iptables -t mangle -D PREROUTING -i ppp0 -p udp --sport 27000:27015 -j MARK --set-mark 1
    iptables -t mangle -D PREROUTING -i ppp0 -p tcp --sport 27020:27039 -j MARK --set-mark 1
    #irc
    iptables -t mangle -D PREROUTING -i ppp0 -p tcp --sport 6667 -j MARK --set-mark 2
    #p2p
    iptables -t mangle -D PREROUTING -p tcp --dport 6881:6999 -j MARK --set-mark 3
    #default: no mark rule was added for it, so nothing to delete
    #fetch all incoming stuff and redirect it to imq0
    iptables -t mangle -D PREROUTING -i ppp0 -j IMQ --todev 0
}

start() {
    start_outbound
    start_inbound_device
    start_inbound
}

stop() {
    stop_outbound_tc
    stop_outbound_iptables
    stop_inbound_tc
    stop_inbound_device
    stop_inbound_iptables
}

show() {
    echo "Outbound --- Outbound --- Outbound --- Outbound --- Outbound --- Outbound"
    echo "qdisc: -------------------------------------"
    tc -s -d qdisc show dev $OUTBOUND_DEV
    echo "classes: -----------------------------------"
    tc -s class show dev $OUTBOUND_DEV
    echo "filters: -----------------------------------"
    tc filter show dev $OUTBOUND_DEV
    echo "Inbound --- Inbound --- Inbound --- Inbound --- Inbound --- Inbound"
    echo "qdisc: -------------------------------------"
    tc -s -d qdisc show dev $INBOUND_DEV
    echo "classes: -----------------------------------"
    tc -s class show dev $INBOUND_DEV
    echo "filters: -----------------------------------"
    tc filter show dev $INBOUND_DEV
}

case "$1" in
    start) start ;;
    stop) stop ;;
    show) show ;;
    *)
        echo "Usage: /etc/init.d/shaper {start|stop|show}"
        exit 1
        ;;
esac

greets Julius
From william.bohannan at spidersat.net Tue Aug 15 17:30:01 2006
From: william.bohannan at spidersat.net (William Bohannan) Date: Tue Aug 15 17:30:20 2006 Subject: [LARTC] smallest rate In-Reply-To: <44E174D8.7050407@dtp.net.id> Message-ID: <002001c6c07f$b42c2790$67020a0a@william>
So far the smallest rate I have been able to get is 1; why not use a firewall if you want 0? Kind Regards William
-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Kristiadi Himawan
Sent: 15 August 2006 07:17
To: lartc@mailman.ds9a.nl
Subject: [LARTC] smallest rate

Hi,

Does anyone know the smallest rate for tc? Is it possible to use 0 bps?

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From william.bohannan at spidersat.net Tue Aug 15 17:36:43 2006
From: william.bohannan at spidersat.net (William Bohannan)
Date: Tue Aug 15 17:37:35 2006
Subject: [LARTC] Accounting using ip addresses and ulogd
Message-ID: <002101c6c080$a366ad80$67020a0a@william>

Hi,

I use traffic shaping on my local LAN and it keeps all dropped packets by logging them to MySQL via ulogd. Since there are Windows and Apple users on the network I would like to have their "computer names" instead of IP addresses to make for easy accounting. Does anyone know of a script or tool to get the IP address of a dropped packet and turn it into a computer name (via WINS or something like that)?

Kind Regards
William

From marek at piasta.pl Tue Aug 15 17:43:29 2006
From: marek at piasta.pl (Marek Kierdelewicz)
Date: Tue Aug 15 17:38:02 2006
Subject: [LARTC] howto reduce the ping?
In-Reply-To: <200608151717.17048.julius.junghans@gmx.de>
References: <200608151717.17048.julius.junghans@gmx.de>
Message-ID: <20060815174329.545d81e2@localhost.localdomain>

> Hi,

Hi there

> with the attached config my gaming ping is still +20ms, even if the
> line isn't saturated..can anybody give me a hint how to get a better
> response time? my line: 1024/128kbit

Try using tc filters instead of CLASSIFY and see if that helps. I've seen some strange shaping behavior with it...

Another thing is prioritizing some of the htb classes. You can set priority 1 for class 1:10 (css) and priority 2 for 1:20, 1:90 (lower is better). This way you're sure that css is getting max upload speed if any other traffic is fighting its way out of your computer.

You can do the same thing for download, but with your connection I think that upload will be the most likely bottleneck.

cheers

-- 
Marek Kierdelewicz
Manager of Network Systems Department, KoBa
tel. (85) 7406466; fax. (85) 7406467
e-mail: admin@koba.pl

From julius.junghans at gmx.de Tue Aug 15 20:38:38 2006
From: julius.junghans at gmx.de (Julius Junghans)
Date: Tue Aug 15 20:39:56 2006
Subject: [LARTC] howto reduce the ping?
In-Reply-To: <20060815174329.545d81e2@localhost.localdomain>
References: <200608151717.17048.julius.junghans@gmx.de> <20060815174329.545d81e2@localhost.localdomain>
Message-ID: <200608152038.40023.julius.junghans@gmx.de>

On Tuesday 15 August 2006 17:43, Marek Kierdelewicz wrote:
> > Hi,
>
> Hi there
>
> > with the attached config my gaming ping is still +20ms, even if the
> > line isn't saturated..can anybody give me a hint how to get a better
> > response time? my line: 1024/128kbit
>
> Try using tc filters instead of CLASSIFY and see if that helps. I've
> seen some strange shaping behavior with it...

I've found only one explanation for port ranges on the mailing list and the author wasn't sure if it was correct... so I ask here:

#port range 27020:27039, protocol tcp
#iptables -t mangle -A POSTROUTING -p tcp --dport 27020:27039 -j CLASSIFY --set-class 1:10
tc filter add dev ppp0 protocol ip parent 1: prio 1 u32 match ip dport 27020 0x13 match ip protocol 6 0xff flowid 1:10

#port range 27000:27015, protocol udp
#iptables -t mangle -A POSTROUTING -p udp --dport 27000:27015 -j CLASSIFY --set-class 1:10
tc filter add dev ppp0 protocol ip parent 1: prio 1 u32 match ip dport 27000 0x21 match ip protocol 17 0xff flowid 1:10

Are the tc filters correct for the port ranges and the protocol?

> Another thing is prioritizing some of the htb classes. You can
> set priority 1 for class 1:10 (css) and priority 2 for 1:20, 1:90
> (lower is better). This way you're sure that css is getting max upload
> speed if any other traffic is fighting its way out of your computer.
>
> You can do the same thing for download, but with your connection I
> think that upload will be the most likely bottleneck.
>
> cheers

From marek at piasta.pl Wed Aug 16 00:09:11 2006
From: marek at piasta.pl (Marek Kierdelewicz)
Date: Wed Aug 16 00:03:23 2006
Subject: [LARTC] howto reduce the ping?
In-Reply-To: <200608152038.40023.julius.junghans@gmx.de>
References: <200608151717.17048.julius.junghans@gmx.de> <20060815174329.545d81e2@localhost.localdomain> <200608152038.40023.julius.junghans@gmx.de>
Message-ID: <20060816000911.6e466722@localhost.localdomain>

> #port range 27020:27039, protocol tcp
>
> #iptables -t mangle -A POSTROUTING -p tcp --dport 27020:27039 -j
> CLASSIFY --set-class 1:10
> tc filter add dev ppp0 protocol ip parent 1: prio 1 u32 match ip
> dport 27020 0x13 match ip protocol 6 0xff flowid 1:10

My choice would be fw filter:

iptables -t mangle -A POSTROUTING -p tcp --dport 27020:27039 -j MARK --set-mark 0x10
tc filter add dev ppp0 protocol ip parent 1:0 prio 1 handle 0x10 fw classid 1:10

> #port range 27000:27015, protocol udp
>
> #iptables -t mangle -A POSTROUTING -p udp --dport 27000:27015 -j
> CLASSIFY --set-class 1:10
> tc filter add dev ppp0 protocol ip parent 1: prio 1 u32 match ip
> dport 27000 0x21 match ip protocol 17 0xff flowid 1:10

iptables -t mangle -A POSTROUTING -p udp --dport 27000:27015 -j MARK --set-mark 0x10

(filter same as above... only one needed)
tc filter add dev ppp0 protocol ip parent 1:0 prio 1 handle 0x10 fw classid 1:10

Hope that helps.

cheers

-- 
Marek Kierdelewicz
Manager of Network Systems Department, KoBa
tel. (85) 7406466; fax. (85) 7406467
e-mail: admin@koba.pl

From julius.junghans at gmx.de Wed Aug 16 01:34:51 2006
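An added example, not code from Julius's or Marek's posts: a Python check of what a u32 "match ip dport VALUE MASK" really accepts, and how a port range such as 27020:27039 decomposes into value/mask pairs, which is the arithmetic behind Marek's preference for one iptables MARK plus one fw filter. The port numbers, protocols and flowid are the ones from the thread; ppp0 and the helper names are assumptions.

```python
"""Added example, not from the LARTC thread: u32 port-match arithmetic.

A u32 'match ip dport VALUE MASK' accepts a packet when
(dport & MASK) == (VALUE & MASK). A contiguous port range therefore needs
one match per aligned power-of-two block, so a range that is not aligned
needs several u32 matches, while an iptables --dport lo:hi rule plus one
fw filter keyed on the mark handles it in a single rule.
"""
from typing import List, Tuple

PORT_MASK = 0xFFFF  # ports are 16 bits wide


def u32_port_matches(port: int, value: int, mask: int) -> bool:
    """Does 'match ip dport VALUE MASK' accept this port?"""
    return (port & mask) == (value & mask)


def ports_covered(value: int, mask: int) -> int:
    """How many distinct ports a single value/mask pair accepts."""
    free_bits = bin(~mask & PORT_MASK).count("1")
    return 1 << free_bits


def port_range_to_u32(lo: int, hi: int) -> List[Tuple[int, int]]:
    """Minimal value/mask pairs whose union is exactly lo..hi (inclusive).

    Greedy: starting at lo, take the largest power-of-two block that is
    aligned at the current port and still ends at or before hi.
    """
    if not 0 <= lo <= hi <= PORT_MASK:
        raise ValueError("port range must lie within 0..65535")
    pairs: List[Tuple[int, int]] = []
    cur = lo
    while cur <= hi:
        size = 1
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= hi:
            size *= 2
        pairs.append((cur, PORT_MASK & ~(size - 1)))
        cur += size
    return pairs


def covers_exactly(pairs: List[Tuple[int, int]], lo: int, hi: int) -> bool:
    """Brute-force check over all 65536 ports: the pairs accept the range and nothing else."""
    return all(
        any(u32_port_matches(p, v, m) for v, m in pairs) == (lo <= p <= hi)
        for p in range(PORT_MASK + 1)
    )


def tc_u32_filters(dev: str, proto: int, lo: int, hi: int,
                   flowid: str, prio: int = 1) -> List[str]:
    """Render one 'tc filter' line per value/mask pair (hypothetical helper)."""
    return [
        f"tc filter add dev {dev} protocol ip parent 1: prio {prio} u32 "
        f"match ip protocol {proto} 0xff match ip dport {value} 0x{mask:04x} "
        f"flowid {flowid}"
        for value, mask in port_range_to_u32(lo, hi)
    ]


if __name__ == "__main__":
    # The posted 'match ip dport 27020 0x13' keeps only three bits of the
    # port, so it accepts 8192 unrelated ports and rejects most of the range.
    print("ports accepted by 27020/0x13:", ports_covered(27020, 0x13))
    print("27039 accepted by 27020/0x13:", u32_port_matches(27039, 27020, 0x13))
    for proto, lo, hi in ((6, 27020, 27039), (17, 27000, 27015)):
        for line in tc_u32_filters("ppp0", proto, lo, hi, "1:10"):
            print(line)
```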
From: julius.junghans at gmx.de (Julius Junghans)
Date: Wed Aug 16 01:36:04 2006
Subject: [LARTC] howto reduce the ping?
In-Reply-To: <20060816000911.6e466722@localhost.localdomain>
References: <200608151717.17048.julius.junghans@gmx.de> <200608152038.40023.julius.junghans@gmx.de> <20060816000911.6e466722@localhost.localdomain>
Message-ID: <200608160134.52431.julius.junghans@gmx.de>

On Wednesday 16 August 2006 00:09, Marek Kierdelewicz wrote:
> > #port range 27020:27039, protocol tcp
> >
> > #iptables -t mangle -A POSTROUTING -p tcp --dport 27020:27039 -j
> > CLASSIFY --set-class 1:10
> > tc filter add dev ppp0 protocol ip parent 1: prio 1 u32 match ip
> > dport 27020 0x13 match ip protocol 6 0xff flowid 1:10
>
> My choice would be fw filter:
> iptables -t mangle -A POSTROUTING -p tcp --dport 27020:27039 -j MARK
> --set-mark 0x10
> tc filter add dev ppp0 protocol ip parent 1:0 prio 1 handle 0x10 fw
> classid 1:10

Ah, that's what you mean. Tried to avoid iptables at all... Thx, will try that tomorrow.

> > #port range 27000:27015, protocol udp
> >
> > #iptables -t mangle -A POSTROUTING -p udp --dport 27000:27015 -j
> > CLASSIFY --set-class 1:10
> > tc filter add dev ppp0 protocol ip parent 1: prio 1 u32 match ip
> > dport 27000 0x21 match ip protocol 17 0xff flowid 1:10
>
> iptables -t mangle -A POSTROUTING -p udp --dport 27000:27015 -j MARK
> --set-mark 0x10
>
> (filter same as above... only one needed)
> tc filter add dev ppp0 protocol ip parent 1:0 prio 1 handle 0x10 fw
> classid 1:10
>
> Hope that helps.
>
> cheers

greets
Julius

From jarkao2 at o2.pl Wed Aug 16 11:36:12 2006
From: jarkao2 at o2.pl (Jarek Poplawski)
Date: Wed Aug 16 11:35:49 2006
Subject: [LARTC] Re: Routing packets over multiple links (NICS) all on the same ISP all with same gateway.
In-Reply-To: <10c138640608140842x66bdc222q1f444e6d25f59582@mail.gmail.com>
References: <10c138640608140842x66bdc222q1f444e6d25f59582@mail.gmail.com>
Message-ID:

On 14-08-2006 17:42, Jacques Rompen wrote:
...
> What we want to do is the following:
> I live in a student complex with 7 other people. Every room has its own
> internet connection from the same ISP.
> IP, gateway, subnet are assigned through DHCP on MAC-address basis. Every
> internet connection is capped at 20mbit
> up/down.
> We want to get all computers on an internal network. So we need some
> sort of router that accepts all 8 internet
> connections and routes it out over a gbit NIC -> switch -> internal network
> So we have a computer with 10 NICs and "hopefully" enough internal bandwidth.

Maybe you have some other reasons to make one gateway, but to have an internal network you only need to set a second address from a local range (not colliding with that used by the ISP) on each box.

But if you really need this together and with multipath, setting CONFIG_IP_ROUTE_MULTIPATH = "y" and CONFIG_IP_ROUTE_MULTIPATH_CACHED = "n" (!) should change multipath randomly.

Jarek P.

From jarkao2 at o2.pl Wed Aug 16 12:16:24 2006
From: jarkao2 at o2.pl (Jarek Poplawski)
Date: Wed Aug 16 12:16:15 2006
Subject: [LARTC] Re: tc filter
In-Reply-To:
References: <81c11a560608030906t525d6232vf135053463ce6a8f@mail.gmail.com>
Message-ID:

On 10-08-2006 15:38, Jarek Poplawski wrote:
...
> # tc filter add dev eth0 parent 1: proto ip pref 100 \
> u32 match ip dst 192.168.1.222 police drop

Should be:

# tc filter add dev eth0 parent 1: proto ip pref 100 \
    u32 match ip dst 192.168.1.222 flowid 1: police \
    conform-exceed drop/drop

or:

# tc filter add dev eth0 parent 1: proto ip pref 100 \
    u32 match ip dst 192.168.1.222 flowid 1: action drop

Jarek P.

From jrompen at gmail.com Wed Aug 16 14:50:32 2006
From: jrompen at gmail.com (Jacques Rompen)
Date: Wed Aug 16 14:50:16 2006
Subject: [LARTC] Re: Routing packets over multiple links (NICS) all on the same ISP all with same gateway.
In-Reply-To:
References: <10c138640608140842x66bdc222q1f444e6d25f59582@mail.gmail.com>
Message-ID: <10c138640608160550v64ad239fw287ab7cfbcb7f150@mail.gmail.com>

On 8/16/06, Jarek Poplawski wrote:
>
> On 14-08-2006 17:42, Jacques Rompen wrote:
> ...
> > What we want to do is the following:
> > I live in a student complex with 7 other people. Every room has its own
> > internet connection from the same ISP.
> > IP, gateway, subnet are assigned through DHCP on MAC-address basis. Every
> > internet connection is capped at 20mbit
> > up/down.
> > We want to get all computers on an internal network. So we need some
> > sort of router that accepts all 8 internet
> > connections and routes it out over a gbit NIC -> switch -> internal
> network
> > So we have a computer with 10 NICs and "hopefully" enough internal
> bandwidth.
>
> Maybe you have some other reasons to make one gateway but to have
> internal network you only need to set a second address from local
> range (not colliding with that used by ISP) on each box.
>
> But if you really need this together and with multipath, setting
> CONFIG_IP_ROUTE_MULTIPATH = "y" and
> CONFIG_IP_ROUTE_MULTIPATH_CACHED = "n" (!) should change
> multipath randomly.
>
> Jarek P.

The 2 IPs on every box wouldn't work because: most people here are complete network newbies, we want to connect more than 8 computers (most people have a laptop and PC), and we would only have a 20mbit internal network.

I'm a bit confused. In the 2.4 kernel there isn't even an option ip_route_multipath_cached, only ip_route_multipath. Or am I mistaken here? If there isn't, then I couldn't have put it to 'Y', so why didn't the random function work?

In the 2.6 kernel there is an option ip_route_multipath and ip_route_multipath_cached. But if I don't say 'Y' to ip_route_multipath_cached I can't say yes to round_robin, random_match etc. I thought I needed that option random_match set to 'y'. (I'm not sure if it's exactly spelled like that, but I'm talking about the four or five sub options to ip_route_multipath_cached.)

From jrompen at gmail.com Wed Aug 16 15:11:56 2006
From: jrompen at gmail.com (Jacques Rompen)
Date: Wed Aug 16 15:11:42 2006
Subject: [LARTC] Routing packets over multiple links (NICS) all on the same ISP all with same gateway.
In-Reply-To: <200608141321.22643.luciano@lugmen.org.ar>
References: <10c138640608140842x66bdc222q1f444e6d25f59582@mail.gmail.com> <200608141321.22643.luciano@lugmen.org.ar>
Message-ID: <10c138640608160611w76a3498bv8d74d460541ddf4b@mail.gmail.com>

On 8/14/06, Luciano Ruete wrote:
> On Monday 14 August 2006 12:42, Jacques Rompen wrote:
> > Ok I've been trying to get this to work for about half a year now. I've
> > searched all over the internet for a solution for
> > my problem. I've found some solutions, but they only led me to yet more
> > problems.
> >
> > What we want to do is the following:
> > I live in a student complex with 7 other people. Every room has its own
> > internet connection from the same ISP.
> > IP, gateway, subnet are assigned through DHCP on MAC-address basis. Every
> > internet connection is capped at 20mbit
> > up/down.
> > We want to get all computers on an internal network. So we need some
> sort
> > of router that accepts all 8 internet
> > connections and routes it out over a gbit NIC -> switch -> internal
> network
> > So we have a computer with 10 NICs and "hopefully" enough internal
> > bandwidth.
>
> One simple solution is in this post[1] (read all the thread if you want a
> context). Basically it uses iptables CONNMARK to remember to which
> iface (and
> certainly which src ip) each connection flow belongs.
>
> You will have to use the same gw in all ifaces, maybe the ip route "onlink"
> option (command line) makes your script simpler. No need to use Julian's patch
> and
> certainly DO NOT USE CONFIG_IP_ROUTE_MULTIPATH_CACHED in your kernel
> config.
>
> Feel free to post any doubts.
>
> Greets.
>
> [1]http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html
> --
> --
> Luciano

Hi Luciano,

I've tried the above solution but then with Julian's patch instead of connmark. It didn't work then because this part of the script:

ip ro add default nexthop via x.x.x.x dev eth1 weight 1 nexthop via y.y.y.y dev eth2
ip route add default table provider1 via x.x.x.x dev eth1
ip route add default table provider2 via y.y.y.y dev eth2
# and most important
ip rule add fwmark 0x1 table provider1
ip rule add fwmark 0x2 table provider2

somehow looked at the default gateway x.x.x.x or y.y.y.y instead of at the "dev ethx". Because the gateway addresses were both the same, x.x.x.x = y.y.y.y, all the outgoing packets were routed out over eth1.

I'm not totally sure, but the connmark lines only make sure that packets that go out over some NIC get back over the same NIC? Or do they in fact fix the "same gateway" problem?

This is why I tried to get the script from my first post with random match to work. This guy does exactly what I need to do, but somehow I can't get random match to work. You think I should use a 2.6 or a 2.4 kernel?

Regards and thanks,
Jacques

From jarkao2 at o2.pl Wed Aug 16 15:52:24 2006
From: jarkao2 at o2.pl (Jarek Poplawski)
Date: Wed Aug 16 15:51:38 2006
Subject: [LARTC] Re: Routing packets over multiple links (NICS) all on the same ISP all with same gateway.
In-Reply-To: <10c138640608160550v64ad239fw287ab7cfbcb7f150@mail.gmail.com>
References: <10c138640608140842x66bdc222q1f444e6d25f59582@mail.gmail.com> <10c138640608160550v64ad239fw287ab7cfbcb7f150@mail.gmail.com>
Message-ID:

On 16-08-2006 14:50, Jacques Rompen wrote:
...
> The 2 IPs on every box wouldn't work because: most people here are
> complete network newbies, we want to connect more than 8 computers (most
> people have a laptop and PC), we would only have a 20mbit internal network.
>
> I'm a bit confused. In the 2.4 kernel there isn't even an option
> ip_route_multipath_cached, only ip_route_multipath. Or am I mistaken here?
> If there isn't, then I couldn't have put it to 'Y', so why didn't the
> random function work?
>
> In the 2.6 kernel there is an option ip_route_multipath and
> ip_route_multipath_cached. But if I don't say 'Y' to
> ip_route_multipath_cached I can't say yes to round_robin, random_match
> etc. I thought I needed that option random_match set to 'y'. (I'm not
> sure if it's exactly spelled like that, but I'm talking about the four or
> five sub options to ip_route_multipath_cached)

As far as I know multipath cached should work for routing output of the current box, but it's not working for a router (if something has not changed lately). Multipath without "cached" should do simple randomization, but maybe for the beginning it would be better to assign fixed paths by source IP and save experimenting with multipaths for later.

Jarek P.

From jrompen at gmail.com Wed Aug 16 16:18:31 2006
From: jrompen at gmail.com (Jacques Rompen)
Date: Wed Aug 16 16:18:15 2006
Subject: [LARTC] Re: Routing packets over multiple links (NICS) all on the same ISP all with same gateway.
In-Reply-To:
References: <10c138640608140842x66bdc222q1f444e6d25f59582@mail.gmail.com> <10c138640608160550v64ad239fw287ab7cfbcb7f150@mail.gmail.com>
Message-ID: <10c138640608160718m50bf56dbn35b121ed68e984d6@mail.gmail.com>

On 8/16/06, Jarek Poplawski wrote:
>
> As far as I know multipath cached should work for routing output
> of a current box but it's not working for router (if something
> has not changed lately). Multipath without "cached" should do
> simple randomization, but maybe for the beginning it would be
> better to assign fixed paths by source ip and save experimenting
> with multipaths for later.
>
> Jarek P.

Hi Jarek,

I will try with only multipath.

I've tried the static routes. But still I've had trouble getting this code to work:

ip ro add default nexthop via x.x.x.x dev eth1 weight 1 nexthop via y.y.y.y dev eth2
ip route add default table provider1 via x.x.x.x dev eth1
ip route add default table provider2 via y.y.y.y dev eth2

because x.x.x.x = y.y.y.y in my case. Somehow it doesn't look at the eth device anymore.

From 2z7mbt002 at sneakemail.com Wed Aug 16 17:16:18 2006
From: 2z7mbt002 at sneakemail.com (Yves BLUSSEAU)
Date: Wed Aug 16 17:16:15 2006
Subject: [LARTC] How to bypass traffic control for one IP
Message-ID: <28632-76882@sneakemail.com>

Hi all,

I have a problem: I have an ADSL modem that is connected to the internet. I can't manage this modem. Between my PC and the modem I have a Linux firewall that does the NAT and the traffic shaping. I have created a script that limits the bandwidth of the "external" interface of the firewall so I can manage my bandwidth for my internet applications.

The problem is that I need to access the ADSL modem at full bandwidth (100mbits) from my PC (through the Linux firewall). So I need a configuration where all the internet IPs are limited by the traffic control and where the IP of the modem is not slowed down by traffic shaping.

Who has an idea for such a configuration?

Thanks in advance.

Yves

From luciano at lugmen.org.ar Wed Aug 16 18:03:44 2006
From: luciano at lugmen.org.ar (Luciano Ruete)
Date: Wed Aug 16 17:57:31 2006
Subject: [LARTC] Routing packets over multiple links (NICS) all on the same ISP all with same gateway.
In-Reply-To: <10c138640608160611w76a3498bv8d74d460541ddf4b@mail.gmail.com>
References: <10c138640608140842x66bdc222q1f444e6d25f59582@mail.gmail.com> <200608141321.22643.luciano@lugmen.org.ar> <10c138640608160611w76a3498bv8d74d460541ddf4b@mail.gmail.com>
Message-ID: <200608161303.44888.luciano@lugmen.org.ar>

On Wednesday 16 August 2006 10:11, Jacques Rompen wrote:
> On 8/14/06, Luciano Ruete wrote:
> > On Monday 14 August 2006 12:42, Jacques Rompen wrote:
> > > Ok I've been trying to get this to work for about half a year now. I've
> > > searched all over the internet for a solution for
> > > my problem. I've found some solutions, but they only led me to yet more
> > > problems.
> > >
> > > What we want to do is the following:
> > > I live in a student complex with 7 other people. Every room has its own
> > > internet connection from the same ISP.
> > > IP, gateway, subnet are assigned through DHCP on MAC-address basis. Every
> > > internet connection is capped at 20mbit
> > > up/down.
> > > We want to get all computers on an internal network. So we need some
> >
> > sort
> >
> > > of router that accepts all 8 internet
> > > connections and routes it out over a gbit NIC -> switch -> internal
> >
> > network
> >
> > > So we have a computer with 10 NICs and "hopefully" enough internal
> > > bandwidth.
> >
> > One simple solution is in this post[1] (read all the thread if you want
> > a context). Basically it uses iptables CONNMARK to remember to which
> > iface (and
> > certainly which src ip) each connection flow belongs.
> >
> > You will have to use the same gw in all ifaces, maybe the ip route "onlink"
> > option (command line) makes your script simpler. No need to use Julian's patch
> > and
> > certainly DO NOT USE CONFIG_IP_ROUTE_MULTIPATH_CACHED in your kernel
> > config.
> >
> > Feel free to post any doubts.
> >
> > Greets.
> >
> > [1]http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html
> > --
> > --
> > Luciano
>
> Hi Luciano,
>
> I've tried the above solution but then with Julian's patch instead of
> connmark. It didn't work then because this part of the script:
>
> ip ro add default nexthop via x.x.x.x dev eth1 weight 1 nexthop via
> y.y.y.y dev eth2
> ip route add default table provider1 via x.x.x.x dev eth1
> ip route add default table provider2 via y.y.y.y dev eth2
> # and most important
> ip rule add fwmark 0x1 table provider1
> ip rule add fwmark 0x2 table provider2
>
> somehow looked at the default gateway x.x.x.x or y.y.y.y instead of at the
> "dev ethx"
> Because the gateway addresses were both the same x.x.x.x = y.y.y.y all the
> outgoing packets were routed out over eth1.

ok, what if you try with onlink:

ip ro add default nexthop via x.x.x.x eth1 onlink nexthop via x.x.x.x eth2 onlink

and so on...

> I'm not totally sure, but the connmark lines only make sure that packets that
> go out over some NIC get back over the same NIC? Or do they in fact fix the
> "same gateway" problem?

You are right, connmark does not solve the "same gw" problem; connmark is to guarantee that packets that belong to a session dialog keep the same src address. There is no need to patch the kernel, and it works perfectly well.

> This is why I tried to get the script from my first post with random match
> to work. This guy does exactly what I need to do, but somehow I can't get
> random match to work. You think I should use a 2.6 or a 2.4 kernel?

I heavily recommend you to use a 2.6 CONNMARK enabled kernel, without Julian's patchset and without setting CONFIG_IP_ROUTE_MULTIPATH_CACHED (turn it off); in my experience this is the simplest and most robust solution.

The iptables random module comes with the 2.6 stock kernel (at least now I can confirm 2.6.8 and above, but I think all 2.6); if the onlink tip does not work, you can compile a 2.6 kernel with random enabled and try again.

You can post the script that you are using; it should combine PREROUTING -j MARK rules with ip ru add fw MARK table mytableX.

-- 
Luciano

From luciano at lugmen.org.ar Wed Aug 16 18:18:40 2006
From: luciano at lugmen.org.ar (Luciano Ruete)
Date: Wed Aug 16 18:12:14 2006
Subject: [LARTC] Routing packets over multiple links (NICS) all on the same ISP all with same gateway.
In-Reply-To: <200608161303.44888.luciano@lugmen.org.ar>
References: <10c138640608140842x66bdc222q1f444e6d25f59582@mail.gmail.com> <10c138640608160611w76a3498bv8d74d460541ddf4b@mail.gmail.com> <200608161303.44888.luciano@lugmen.org.ar>
Message-ID: <200608161318.40236.luciano@lugmen.org.ar>

On Wednesday 16 August 2006 13:03, Luciano Ruete wrote:
> On Wednesday 16 August 2006 10:11, Jacques Rompen wrote:
> > On 8/14/06, Luciano Ruete wrote:
> > > On Monday 14 August 2006 12:42, Jacques Rompen wrote:
> > > > Ok I've been trying to get this to work for about half a year now. I've
> > > > searched all over the internet for a solution for
> > > > my problem. I've found some solutions, but they only led me to yet
> > > > more problems.
> > > >
> > > > What we want to do is the following:
> > > > I live in a student complex with 7 other people. Every room has its
> > > > own internet connection from the same ISP.
> > > > IP, gateway, subnet are assigned through DHCP on MAC-address basis.
> > > > Every internet connection is capped at 20mbit
> > > > up/down.
> > > > We want to get all computers on an internal network. So we need some
> > >
> > > sort
> > >
> > > > of router that accepts all 8 internet
> > > > connections and routes it out over a gbit NIC -> switch -> internal
> > >
> > > network
> > >
> > > > So we have a computer with 10 NICs and "hopefully" enough internal
> > > > bandwidth.
> > >
> > > One simple solution is in this post[1] (read all the thread if you
> > > want a context). Basically it uses iptables CONNMARK to remember to
> > > which iface (and
> > > certainly which src ip) each connection flow belongs.
> > >
> > > You will have to use the same gw in all ifaces, maybe the ip route "onlink"
> > > option (command line) makes your script simpler. No need to use Julian's
> > > patch and
> > > certainly DO NOT USE CONFIG_IP_ROUTE_MULTIPATH_CACHED in your kernel
> > > config.
> > >
> > > Feel free to post any doubts.
> > >
> > > Greets.
> > >
> > > [1]http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html
> > > --
> > > --
> > > Luciano
> >
> > Hi Luciano,
> >
> > I've tried the above solution but then with Julian's patch instead of
> > connmark. It didn't work then because this part of the script:
> >
> > ip ro add default nexthop via x.x.x.x dev eth1 weight 1 nexthop via
> > y.y.y.y dev eth2
> > ip route add default table provider1 via x.x.x.x dev eth1
> > ip route add default table provider2 via y.y.y.y dev eth2
> > # and most important
> > ip rule add fwmark 0x1 table provider1
> > ip rule add fwmark 0x2 table provider2
> >
> > somehow looked at the default gateway x.x.x.x or y.y.y.y instead of at
> > the "dev ethx"
> > Because the gateway addresses were both the same x.x.x.x = y.y.y.y all the
> > outgoing packets were routed out over eth1.
>
> ok, what if you try with onlink:
> ip ro add default nexthop via x.x.x.x eth1 onlink nexthop via x.x.x.x eth2
> onlink and so on...

And I forgot to say: to be really sure, delete any trace of "x.x.x.x dev ethx scope link" in "ip ro ls", where x.x.x.x is the gw ip. The onlink will force the packet to be dropped on the named device even if there is no physical route to that host.

-- 
Luciano

From clowncoder at clowncode.net Wed Aug 16 19:21:43 2006
From: clowncoder at clowncode.net (clowncoder)
Date: Wed Aug 16 19:21:34 2006
Subject: [LARTC] New ClowToolKit version available
Message-ID: <1155748903.3839.9.camel@localhost.localdomain>

Hello

The real-time monitoring tool that can monitor all connections of all interfaces and the qdisc has been cleaned of a few bugs. Try the new version at http://clowncode.net

Regards to all of you.
Clowncoder.

From kartheekpn at yahoo.co.in Thu Aug 17 08:31:25 2006
From: kartheekpn at yahoo.co.in (KartheeK)
Date: Thu Aug 17 08:31:12 2006
Subject: [LARTC] Bonding + Shaping --> Is it Possible?
Message-ID: <20060817063125.22903.qmail@web8507.mail.in.yahoo.com>

Hello All,

I was curious to know if I can do traffic shaping on a bonded interface. Ex: I have two interfaces eth1 and eth2 which I have bonded together as bond0; now the question is, can I do shaping on eth1 and eth2?

Thanks
KartheeK

From jarkao2 at o2.pl Thu Aug 17 08:54:11 2006
From: jarkao2 at o2.pl (Jarek Poplawski)
Date: Thu Aug 17 08:53:42 2006
Subject: [LARTC] Re: Routing packets over multiple links (NICS) all on the same ISP all with same gateway.
In-Reply-To: <10c138640608160718m50bf56dbn35b121ed68e984d6@mail.gmail.com>
References: <10c138640608140842x66bdc222q1f444e6d25f59582@mail.gmail.com> <10c138640608160550v64ad239fw287ab7cfbcb7f150@mail.gmail.com> <10c138640608160718m50bf56dbn35b121ed68e984d6@mail.gmail.com>
Message-ID:

On 16-08-2006 16:18, Jacques Rompen wrote:
>
> On 8/16/06, *Jarek Poplawski* wrote:
>
> As far as I know multipath cached should work for routing output
> of a current box but it's not working for router (if something
> has not changed lately). Multipath without "cached" should do
> simple randomization, but maybe for the beginning it would be
> better to assign fixed paths by source ip and save experimenting
> with multipaths for later.
>
> Jarek P.
>
> Hi Jarek,
>
> I will try with only multipath.
>
> I've tried the static routes. But still I've had trouble getting this code
> to work
> ip ro add default nexthop via x.x.x.x dev eth1 weight 1 nexthop via
> y.y.y.y dev eth2
> ip route add default table provider1 via x.x.x.x dev eth1
> ip route add default table provider2 via y.y.y.y dev eth2
> because x.x.x.x = y.y.y.y in my case. Somehow it doesn't look at the eth
> device anymore.

Anyway, in my opinion it should work. Try something like this:

#IP_ROUTE_MULTIPATH = "y"
#(if 2.6.x IP_ROUTE_MULTIPATH_CACHED = "n" !)
#Here with CONNMARK method (so without Anastasov's patch!).
#Change 192.168.0.0/24 and eth0 to your local network
#address/mask and interface.

ip route add default nexthop via x.x.x.x dev eth1 \
    nexthop via x.x.x.x dev eth2

ip route add 192.168.0.0/24 dev eth0 table 101
ip route add default via x.x.x.x dev eth1 table 101

ip route add 192.168.0.0/24 dev eth0 table 102
ip route add default via x.x.x.x dev eth2 table 102

ip rule add fwmark 1 table 101
ip rule add fwmark 2 table 102

iptables -t mangle -A POSTROUTING -o eth1 -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -o eth2 -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter

You should also add NAT (MASQUERADE) rules. Nexthop devices will be changed randomly per flow (with some caching), so try with destinations from different networks.

Jarek P.

From hijacker at oldum.net Thu Aug 17 12:32:05 2006
From: hijacker at oldum.net (nikolay)
Date: Thu Aug 17 12:31:58 2006
Subject: [LARTC] How to bypass traffic control for one IP
References: <28632-76882@sneakemail.com>
Message-ID: <016d01c6c1e8$630f5340$0600a8c0@hpa>

Why would you want to "access" the ADSL modem at 100Mbps? What is the speed your ISP provides to the ADSL modem?

-nik

----- Original Message -----
From: "Yves BLUSSEAU" <2z7mbt002@sneakemail.com>
To:
Sent: Wednesday, August 16, 2006 6:16 PM
Subject: [LARTC] How to bypass traffic control for one IP

Hi all,

I have a problem: I have an ADSL modem that is connected to the internet. I can't manage this modem. Between my PC and the modem I have a Linux firewall that does the NAT and the traffic shaping. I have created a script that limits the bandwidth of the "external" interface of the firewall so I can manage my bandwidth for my internet applications.

The problem is that I need to access the ADSL modem at full bandwidth (100mbits) from my PC (through the Linux firewall). So I need a configuration where all the internet IPs are limited by the traffic control and where the IP of the modem is not slowed down by traffic shaping.

Who has an idea for such a configuration?

Thanks in advance.

Yves

From shadur at systemec.nl Thu Aug 17 16:49:21 2006
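An added example, not part of Jarek Poplawski's post above or of the thread: a small Python checker for the per-fwmark routing tables his CONNMARK recipe builds (tables 101 and 102, marks 1 and 2). It parses constructed "ip rule" and "ip route show table T" output with placeholder addresses and flags a table that has a default route but no LAN prefix, the case where a reply on a marked connection would be sent back out the WAN link instead of to eth0.

```python
"""Added example, not from Jarek's post or the LARTC thread: a checker
for the per-fwmark routing tables the CONNMARK recipe builds.

A table chosen by 'ip rule add fwmark N table T' is consulted on its own.
If it holds only a default route, a reply going back to a LAN host on a
connection that carries mark N follows that default out the WAN link
instead of eth0, which is why the recipe adds the LAN prefix to each
table. The 'ip rule' and 'ip route show table T' outputs below are
constructed samples with placeholder addresses.
"""
import re
from typing import Dict, List

RULE_RE = re.compile(r"fwmark (0x[0-9a-fA-F]+|\d+) lookup (\S+)")


def parse_mark_rules(rules_text: str) -> Dict[int, str]:
    """Map fwmark value -> table name from 'ip rule' output."""
    return {int(m.group(1), 0): m.group(2) for m in RULE_RE.finditer(rules_text)}


def parse_routes(table_text: str) -> List[Dict[str, str]]:
    """Parse 'ip route show table T' lines into {prefix, via, dev} dicts."""
    routes = []
    for line in table_text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        route = {"prefix": tokens[0], "via": "", "dev": ""}
        for key in ("via", "dev"):
            if key in tokens[:-1]:
                route[key] = tokens[tokens.index(key) + 1]
        routes.append(route)
    return routes


def check_mark_tables(rules_text: str, tables: Dict[str, str],
                      lan_prefix: str, wan_dev_by_mark: Dict[int, str]) -> List[str]:
    """Return the problems found; an empty list means the tables are consistent."""
    problems = []
    marks = parse_mark_rules(rules_text)
    for mark, wan_dev in wan_dev_by_mark.items():
        table = marks.get(mark)
        if table is None:
            problems.append(f"no 'ip rule' maps fwmark {mark} to a table")
            continue
        routes = parse_routes(tables.get(table, ""))
        defaults = [r for r in routes if r["prefix"] == "default"]
        if not defaults:
            problems.append(f"table {table}: no default route")
        elif defaults[0]["dev"] != wan_dev:
            problems.append(f"table {table}: default leaves via "
                            f"{defaults[0]['dev']}, expected {wan_dev}")
        if not any(r["prefix"] == lan_prefix for r in routes):
            problems.append(f"table {table}: missing LAN route {lan_prefix}; "
                            f"replies to marked flows would exit {wan_dev}")
    return problems


# Constructed sample output; 10.0.0.1 stands in for the shared ISP gateway.
SAMPLE_RULES = (
    "0:\tfrom all lookup local\n"
    "32765:\tfrom all fwmark 0x2 lookup 102\n"
    "32766:\tfrom all fwmark 0x1 lookup 101\n"
    "32767:\tfrom all lookup main\n"
)
SAMPLE_TABLES = {
    "101": "192.168.0.0/24 dev eth0  scope link\ndefault via 10.0.0.1 dev eth1\n",
    "102": "default via 10.0.0.1 dev eth2\n",  # LAN route forgotten here
}
WAN_DEV_BY_MARK = {1: "eth1", 2: "eth2"}

if __name__ == "__main__":
    for problem in check_mark_tables(SAMPLE_RULES, SAMPLE_TABLES,
                                     "192.168.0.0/24", WAN_DEV_BY_MARK):
        print("PROBLEM:", problem)
```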
From: shadur at systemec.nl (Rens Houben)
Date: Thu Aug 17 16:48:50 2006
Subject: [LARTC] TCNG and filter priorities
Message-ID: <20060817144921.GA6074@systemec.nl>

Hello,

A while ago I switched a bandwidth management setup from a bash shell script using tc to a MUCH more readable tcng solution (yes, the same one I asked for help with earlier. It worked perfectly, thanks) and it's working very well.

However, one of our clients now has a slightly unique situation, in that they're using colocation hosting to host their webserver with us, but keep the database server it connects to on their own connection, which only gets 2 Mbit to the outer world. I need to set up a special rule in the shaping script to specifically cover that connection and that connection only at a speed of 10 Mbit.

Now back when I used tc directly I could just add a higher prio value to the tc filter statement, but I can't find the proper syntax in TCNG to make this setup work.

What am I missing?

-- 
Rens Houben                        | opinions are mine
Resident linux guru and sysadmin   | if my employers have one
Systemec Internet Services.        | they'll tell you themselves
PGP key at http://marduk.systemec.nl/~shadur/shadur.key.asc

From luciano at lugmen.org.ar Thu Aug 17 19:11:17 2006
From: luciano at lugmen.org.ar (Luciano Ruete)
Date: Thu Aug 17 19:04:49 2006
Subject: [LARTC] Re: Routing packets over multiple links (NICS) all on the same ISP all with same gateway.
In-Reply-To:
References: <10c138640608140842x66bdc222q1f444e6d25f59582@mail.gmail.com> <10c138640608160718m50bf56dbn35b121ed68e984d6@mail.gmail.com>
Message-ID: <200608171411.17528.luciano@lugmen.org.ar>

On Thursday 17 August 2006 03:54, Jarek Poplawski wrote:
> On 16-08-2006 16:18, Jacques Rompen wrote:
> > On 8/16/06, *Jarek Poplawski* wrote:
> >
> >     As far as I know multipath cached should work for routing output
> >     of a current box but it's not working for router (if something
> >     has not changed lately). Multipath without "cached" should do
> >     simple randomization, but maybe for the beginning it would be
> >     better to assign fixed paths by source ip and save experimenting
> >     with multipaths for later.
> >
> >     Jarek P.
> >
> > Hi Jarek,
> >
> > I will try with only multipath.
> >
> > I've tried the static routes. But still I've had trouble getting this code
> > to work
> > ip ro add default nexthop via x.x.x.x dev eth1 weight 1 nexthop via
> > y.y.y.y dev eth2
> > ip route add default table provider1 via x.x.x.x dev eth1
> > ip route add default table provider2 via y.y.y.y dev eth2
> > because x.x.x.x = y.y.y.y in my case. Somehow it doesn't look at the eth
> > device anymore.
>
> Anyway in my opinion it should work.
> Try something like this:
>
> #IP_ROUTE_MULTIPATH = "y"
> #(if 2.6.x IP_ROUTE_MULTIPATH_CACHED = "n" !)
> #Here with CONNMARK method (so without Anastasov's patch!).
> #Change 192.168.0.0/24 and eth0 to your local network
> #address/mask and interface.
>
> ip route add default nexthop via x.x.x.x dev eth1 \
> nexthop via x.x.x.x dev eth2
>
> ip route add 192.168.0.0/24 dev eth0 table 101
> ip route add default via x.x.x.x dev eth1 table 101
>
> ip route add 192.168.0.0/24 dev eth0 table 102
> ip route add default via x.x.x.x dev eth2 table 102
>
> ip rule add fwmark 1 table 101
> ip rule add fwmark 2 table 102
>
> iptables -t mangle -A POSTROUTING -o eth1 -j MARK --set-mark 1
> iptables -t mangle -A POSTROUTING -o eth2 -j MARK --set-mark 2
>
> iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
> iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
>
> echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter

If all ethx are on the same switch, you will need:

echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
#you can also do it on a per iface basis

By default, if you receive an arp request (whohas) on an iface (iface1), asking for an ip that another iface (iface2) has, then the arp request is answered with the MAC address of the first iface (iface1). If all devices are in the same physical segment this can lead to a single device answering for all IPs, or to total chaos.

This one is very hard to catch and I forgot to mention it, now solved :-)

-- 
Luciano

From jrompen at gmail.com Thu Aug 17 19:48:39 2006
From: jrompen at gmail.com (Jacques Rompen)
Date: Thu Aug 17 19:48:23 2006
Subject: [LARTC] Re: Routing packets over multiple links (NICS) all on the same ISP all with same gateway.
In-Reply-To: <200608171411.17528.luciano@lugmen.org.ar>
References: <10c138640608140842x66bdc222q1f444e6d25f59582@mail.gmail.com> <10c138640608160718m50bf56dbn35b121ed68e984d6@mail.gmail.com> <200608171411.17528.luciano@lugmen.org.ar>
Message-ID: <10c138640608171048x7797d67bxcef05f3f1b64c0d8@mail.gmail.com>

On 8/17/06, Luciano Ruete wrote:
>
> If all ethx are on the same switch, you will need:
> echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
> #you can also do it on a per iface basis
>
> By default, if you receive an arp request (whohas) on an iface (iface1),
> asking for an ip that another iface (iface2) has, then the arp request is
> answered with the MAC address of the first iface (iface1). If all devices
> are in the same physical segment this can lead to a single device
> answering for all IPs, or to total chaos.
>
> This one is very hard to catch and I forgot to mention it, now solved :-)
>
> --
> Luciano

I will try all this tomorrow, don't have access to the box right now.

About turning off arp. If you turn them all off, wouldn't the nics (ip's) be unfindable from the outside world? Or does the switch they connect to respond to such an arp request as well?

But what you are saying is that if I had a box with 2 nics each connected to a different ISP, so each nic with a different gateway and ip. That if nic1 would receive an arp request for the ip from nic2, it would respond with the mac-address from nic1. So that could mean that all packets would come in over nic1, even if they have destination ip(nic2)? Seems to me that this is never really desirable. Especially if nic2 would have a static ip and I would unplug nic2 on purpose.

An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060817/538fdda8/attachment.html

From luciano at lugmen.org.ar Thu Aug 17 21:02:52 2006
From: luciano at lugmen.org.ar (Luciano Ruete)
Date: Thu Aug 17 21:02:42 2006
Subject: [LARTC] Re: Routing packets over multiple links (NICS) all on the same ISP all with same gateway.
In-Reply-To: <10c138640608171048x7797d67bxcef05f3f1b64c0d8@mail.gmail.com>
References: <10c138640608140842x66bdc222q1f444e6d25f59582@mail.gmail.com> <200608171411.17528.luciano@lugmen.org.ar> <10c138640608171048x7797d67bxcef05f3f1b64c0d8@mail.gmail.com>
Message-ID: <200608171602.52232.luciano@lugmen.org.ar>

On Thursday 17 August 2006 14:48, Jacques Rompen wrote:
> On 8/17/06, Luciano Ruete wrote:
> > If all ethx are on the same switch, you will need:
> > echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
> > #you can also do it on a per iface basis
> >
> > By default, if you receive an arp request (whohas) on an iface (iface1),
> > asking for an ip that another iface (iface2) has, then the arp request
> > is answered with the MAC address of the first iface (iface1). If all
> > devices are in the same physical segment this can lead to a single
> > device answering for all IPs, or to total chaos.
> >
> > This one is very hard to catch and I forgot to mention it, now solved :-)
> >
> > --
> > Luciano
>
> I will try all this tomorrow, don't have access to the box right now.
>
> About turning off arp. If you turn them all off, wouldn't the nics (ip's) be
> unfindable from the outside world? Or does the switch they connect to
> respond to such an arp request as well?

What you're turning off is that the device answers arp (whohas) requests for ips that are not from that specific device itself. The ips assigned to the device will continue to answer as normal.

> But what you are saying is that if I had a box with 2 nics each connected
> to a different ISP, so each nic with a different gateway and ip. That if
> nic1 would receive an arp request for the ip from nic2, it would respond
> with the mac-address from nic1.

Exactly!

> So that could mean that all packets would come in
> over nic1, even if they have destination ip(nic2)?

Exactly, and they will arrive at the destination anyway, but they are incoming on the wrong iface.

> Seems to me that this is
> never really desirable.

It is a really questionable default, but for sure there are reasons for this (maybe a thread in the lkml archives could answer this question), reasons that I do not know.

> Especially if nic2 would have a static ip and I
> would unplug nic2 on purpose.

Well, that's the other scenario where I face the same problem, the first guess is obviously MAC cache, and you tend to think that is fucked up, and no, it is this crossed arp answer.

-- 
Luciano

From gregoriandres at yahoo.com.ar Fri Aug 18 03:46:08 2006
From: gregoriandres at yahoo.com.ar (LinuXKiD)
Date: Fri Aug 18 03:45:59 2006
Subject: [LARTC] Routing packets over multiple links (NICS) all on thesame ISP all with same gateway.
In-Reply-To: <200608161303.44888.luciano@lugmen.org.ar>
Message-ID:

Hi!

Luciano: thanks for your posts on lugmen.org.ar and lartc!

I've read all of them, and I have a question:

What is the difference between this:

-> ip ro add default NEXTHOP via x.x.x.x dev eth1 weight 1 \
     NEXTHOP via y.y.y.y dev eth2

and this:

-> ip route add x.x.x.x MPATH RR via y.y.y.y via z.z.z.z

I work with the 2.4 Kernel Series. Is it convenient to upgrade to 2.6?

Another question about this:

iptables -t mangle -A POSTROUTING -o eth0 -j CONNMARK --set-mark 0x1
iptables -t mangle -A POSTROUTING -o eth1 -j CONNMARK --set-mark 0x2

My problem is that I use CONNMARK's marks in order to mark P2P traffic. Is there a way to have different marks with CONNMARK?

Thank you!!

Andres.

From kartheekpn at yahoo.co.in Fri Aug 18 05:56:40 2006
From: kartheekpn at yahoo.co.in (KartheeK)
Date: Fri Aug 18 05:56:26 2006
Subject: [LARTC] Bonding + Shaping --> Is it Possible?
Message-ID: <20060818035640.39275.qmail@web8506.mail.in.yahoo.com>

Skipped content of type multipart/alternative

From samueldg at arcoscom.com Fri Aug 18 08:23:00 2006
From: samueldg at arcoscom.com (Samuel Díaz García)
Date: Fri Aug 18 08:22:49 2006
Subject: [LARTC] Info about IFB
In-Reply-To: <44D91973.2020805@arcoscom.com>
References: <44D91973.2020805@arcoscom.com>
Message-ID: <44E55CC4.2040600@arcoscom.com>

Any help?

Samuel Díaz García wrote:
> Hi, I'm looking for info about IFB devices and how I can use it for
> incoming traffic shaping.
>
> Has IFB any web about it?
> Does anybody know where I can find more info about it?
>
> I found this:
> http://linux-net.osdl.org/index.php/IFB
>
> But I can't understand well how to use it to allow many ifb devices or how
> to use it with "tc actions".
>
> Any help?
>
> Thanks
>

-- 
Samuel Díaz García
Managing Director
ArcosCom Wireless, S.L.L.
CIF: B11828068
c/ Romero Gago, 19
Arcos de la Frontera
11630 - Cadiz
http://www.arcoscom.com
mailto:samueldg@arcoscom.com
msn: samueldg@arcoscom.com
Mobile: 651 93 72 48
Tel.: 956 70 13 15
Fax: 956 70 34 83

From lists at andyfurniss.entadsl.com Fri Aug 18 11:41:52 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Fri Aug 18 11:41:24 2006
Subject: [LARTC] Info about IFB
In-Reply-To: <44D91973.2020805@arcoscom.com>
References: <44D91973.2020805@arcoscom.com>
Message-ID: <44E58B60.3040108@andyfurniss.entadsl.com>

Samuel Díaz García wrote:
> Hi, I'm looking for info about IFB devices and how I can use it for
> incoming traffic shaping.
>
> Has IFB any web about it?
> Does anybody know where I can find more info about it?
>
> I found this:
> http://linux-net.osdl.org/index.php/IFB
>
> But I can't understand well how to use it to allow many ifb devices or how
> to use it with "tc actions".
>
> Any help?
>
> Thanks
>

To use many you'll need to specify the number with modprobe -

modprobe ifb numifbs=20

ip link ls should show them all - you need to ip link set up dev ifbXX as well.

To send arp coming in on eth0 to ifb19 which has a tbf on it (just to see counters - would be silly to really limit arp):

ip link set up ifb19
tc qdisc add dev ifb19 root tbf limit 2k rate 20kbit buffer 2k

tc qdisc add dev eth0 ingress
tc filter add dev eth0 parent ffff: protocol arp prio 1 u32 match u32 0 0 flowid 1:1 action mirred egress redirect dev ifb19

The flowid 1:1 is what the classification will be when the packet returns from the ifb - unless you are shaping again (on a real dev - you can't chain ifbs) it doesn't really matter what you put, but you do need one as without it the rule will be accepted, but won't work (apart from as a counter).

Look at counters with -

tc -s qdisc ls dev ifb19
tc -s filter ls dev eth0 parent ffff:

If you want to do the same sort of thing on egress you need to put something classful on the interface rather than the default pfifo_fast - prio will do.

Some examples show using marks as well, it's not needed as such and doesn't always work as the netfilter bits keep getting out of sync with ifb.

Andy.

From lists at andyfurniss.entadsl.com Fri Aug 18 12:13:22 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Fri Aug 18 12:12:53 2006
Subject: [LARTC] howto reduce the ping?
In-Reply-To: <200608151717.17048.julius.junghans@gmx.de>
References: <200608151717.17048.julius.junghans@gmx.de>
Message-ID: <44E592C2.3080509@andyfurniss.entadsl.com>

Julius Junghans wrote:
> Hi,
>
> with the attached config my gaming ping is still +20ms, even if the line isn't
> saturated..can anybody give me a hint how to get a better response time?
> my line: 1024/128kbit

Does not saturated mean no other traffic - I mean if you really have 128kbit up eg. dsl then the bitrate latency of a 1500 byte packet is about 90ms so that's the best jitter you can get. Without tweaking and recompiling htb it's likely to be 2x that.

You also have to consider overheads (you can patch for dsl/atm overheads), and with htb it's better to have your game class with a high rate and the lesser classes can just borrow the spare.

You shouldn't see any difference in latency with/without htb on the interface - as long as there is no other traffic.

If I had 128kbit up I would consider reducing mtu on ppp0 or using netfilter to mss clamp so that outbound bulk packets were smaller.

For the ingress shaping to work you need to sacrifice bandwidth - quite a lot for some traffic. You also need short queues so you drop packets. If you do not specify, htb/hfsc will pick up queue lengths from the interface defaults - 3 for ppp, 32 for imq, 1000 for eth - not always what you want.

Use counters to verify your classification is working -

iptables -L -v -n
tc -s class ls dev ppp0

etc.

Andy.

From lists at andyfurniss.entadsl.com Fri Aug 18 12:28:16 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Fri Aug 18 12:27:41 2006
Subject: [LARTC] Re: tc filter
In-Reply-To:
References: <81c11a560608030906t525d6232vf135053463ce6a8f@mail.gmail.com>
Message-ID: <44E59640.9040207@andyfurniss.entadsl.com>

Jarek Poplawski wrote:
> Should be:
> # tc filter add dev eth0 parent 1: proto ip pref 100 \
> u32 match ip dst 192.168.1.222 flowid 1: police \
> conform-exceed drop/drop

Looks a bit iffy but I haven't tried it - I thought that would be drop whether under or over - if it's valid at all without action/a police rate.

Andy.

From lists at andyfurniss.entadsl.com Fri Aug 18 12:41:20 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Fri Aug 18 12:40:44 2006
Subject: [LARTC] enable p2p to some host (ipp2p)
In-Reply-To:
References:
Message-ID: <44E59950.4080302@andyfurniss.entadsl.com>

Roberto Pereyra wrote:
> Hi
>
> I am using ipp2p to block p2p traffic.
>
> How do I enable the use of p2p for one host in my net?
>
> I am using this setup:
>
> iptables -A FORWARD -m ipp2p --ipp2p --bit --apple --winmx --soul --ares
> -j DROP
>
>
> This setup:
>
> iptables -A FORWARD -m ipp2p --ipp2p --bit --apple --winmx --soul
> --ares -d ! mynet -j DROP
>
> iptables -A FORWARD -m ipp2p --ipp2p --bit --apple --winmx --soul
> --ares -s ! mynet -j DROP
>
>
> does not work ....

Don't know really as I don't use ipp2p - but you could just match and return/accept mynet traffic before the ipp2p rules are hit.

Andy.

From lists at andyfurniss.entadsl.com Fri Aug 18 12:55:18 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Fri Aug 18 12:54:50 2006
Subject: [LARTC] ingress and flowid
In-Reply-To:
References:
Message-ID: <44E59C96.6090304@andyfurniss.entadsl.com>

Andrés Ghigliazza wrote:
> Hi there,
>
> I am trying to understand our router / firewall, that was configured
> by another person. It is a Debian GNU/Linux with several
> configurations with tc and iptables.
>
> I have a question about flowid in the ingress qdisc. As far as I know,
> this qdisc is a dummy one, and flowid is just used with :1 because the
> traffic has to be redirected to something.
>
> However, in our router, there are some filters on the ingress qdisc that
> have different flowids (:1, :2 and :5). Does that make any sense?

If they are before the mirred egress redirect dev dummyX then they will not affect the shaping/classification on the dummy setup, but will be restored when the packets leave dummy - so you can shape again if say you were doing it on egress (you can't filter redirected packets twice to avoid loops).

I don't know whether they carry over to egress when it's done on ingress.

Andy.

From linux at arcoscom.com Fri Aug 18 12:55:13 2006
From: linux at arcoscom.com (linux@arcoscom.com)
Date: Fri Aug 18 12:55:06 2006
Subject: [LARTC] enable p2p to some host (ipp2p)
In-Reply-To: <44E59950.4080302@andyfurniss.entadsl.com>
References: <44E59950.4080302@andyfurniss.entadsl.com>
Message-ID: <36002.195.55.244.106.1155898513.squirrel@www.arcoscom.com>

In theory, for all p2p traffic matched by ipp2p you only need the "--ipp2p" parameter, not the rest you put.

You could use this:

#FIRST allow your net p2p traffic:
iptables -A FORWARD -d mynet -m ipp2p --ipp2p -j ACCEPT
iptables -A FORWARD -s mynet -m ipp2p --ipp2p -j ACCEPT
#Next, drop p2p traffic that is not from your net:
iptables -A FORWARD -m ipp2p --ipp2p -j DROP

If these don't work (I remember some months ago I tested it and it didn't work fine), you'll need many rules, one per p2p type of traffic, like this:

iptables -A FORWARD -d mynet -m ipp2p --bit -j ACCEPT
iptables -A FORWARD -s mynet -m ipp2p --bit -j ACCEPT
iptables -A FORWARD -m ipp2p --bit -j DROP

iptables -A FORWARD -d mynet -m ipp2p --apple -j ACCEPT
iptables -A FORWARD -s mynet -m ipp2p --apple -j ACCEPT
iptables -A FORWARD -m ipp2p --apple -j DROP
...
iptables -A FORWARD -d mynet -m ipp2p --soul -j ACCEPT
iptables -A FORWARD -s mynet -m ipp2p --soul -j ACCEPT
iptables -A FORWARD -m ipp2p --soul -j DROP

Or if you don't want to write much, you can use:

export p2p_list="bit apple ... soul"
for i in ${p2p_list}; do
    iptables -A FORWARD -d mynet -m ipp2p --$i -j ACCEPT
    iptables -A FORWARD -s mynet -m ipp2p --$i -j ACCEPT
    iptables -A FORWARD -m ipp2p --$i -j DROP
done;

> Roberto Pereyra wrote:
>> Hi
>>
>> I am using ipp2p to block p2p traffic.
>>
>> How do I enable the use of p2p for one host in my net?
>>
>> I am using this setup:
>>
>> iptables -A FORWARD -m ipp2p --ipp2p --bit --apple --winmx --soul --ares
>> -j DROP
>>
>>
>> This setup:
>>
>> iptables -A FORWARD -m ipp2p --ipp2p --bit --apple --winmx --soul
>> --ares -d ! mynet -j DROP
>>
>> iptables -A FORWARD -m ipp2p --ipp2p --bit --apple --winmx --soul
>> --ares -s ! mynet -j DROP
>>
>>
>> does not work ....
>
> Don't know really as I don't use ipp2p - but you could just match and
> return/accept mynet traffic before the ipp2p rules are hit.
>
> Andy.

From linux at arcoscom.com Fri Aug 18 13:23:20 2006
From: linux at arcoscom.com (ArcosCom Linux User)
Date: Fri Aug 18 13:23:03 2006
Subject: [LARTC] Info about IFB
In-Reply-To: <44E58B60.3040108@andyfurniss.entadsl.com>
References: <44D91973.2020805@arcoscom.com> <44E58B60.3040108@andyfurniss.entadsl.com>
Message-ID: <43381.195.55.244.106.1155900200.squirrel@www.arcoscom.com>

I use IMQ for incoming traffic shaping (using u32 to match the source/destination MACs).

With IMQ I use:

iptables -t mangle -A PREROUTING -i $if_wan0 -j IMQ --to-dev 0

(for example)

to enqueue packets into the IMQ device and then do the shaping.

With IMQ I can use modprobe to set the device count I need and so on.

I really only want to replace the IMQ script code with IFB, but, at least for now, I don't understand well the packet flow using IFB.

I understand now how to initialize ifbX with your example, good!!

Now some additional questions about your example:

With this line:

tc qdisc add dev ifb19 root tbf limit 2k rate 20kbit buffer 2k

you are initializing the qdisc for ifb in the same manner you could do with imq?

With these lines:

tc qdisc add dev eth0 ingress
tc filter add dev eth0 parent ffff: protocol arp prio 1 u32 match u32 0 0 flowid 1:1 action mirred egress redirect dev ifb19

Are those analogous to this (my imq0 device as your ifb19 device):

iptables -t mangle -A PREROUTING -i $if_wan0 -j IMQ --to-dev 0

?

The last one: do I only need to add classes and qdiscs to ifb19 as if it were my imq0 device?

Thanks and sorry for my english.

On Fri, 18 August 2006, 11:41, Andy Furniss wrote:
> Samuel Díaz García wrote:
>> Hi, I'm looking for info about IFB devices and how I can use it for
>> incoming traffic shaping.
>>
>> Has IFB any web about it?
>> Does anybody know where I can find more info about it?
>>
>> I found this:
>> http://linux-net.osdl.org/index.php/IFB
>>
>> But I can't understand well how to use it to allow many ifb devices or how
>> to use it with "tc actions".
>>
>> Any help?
>>
>> Thanks
>>
>
> To use many you'll need to specify the number with modprobe -
>
> modprobe ifb numifbs=20
>
> ip link ls should show them all - you need to ip link set up dev ifbXX
> as well.
>
> To send arp coming in on eth0 to ifb19 which has a tbf on it (just to
> see counters - would be silly to really limit arp):
>
> ip link set up ifb19
> tc qdisc add dev ifb19 root tbf limit 2k rate 20kbit buffer 2k
>
> tc qdisc add dev eth0 ingress
> tc filter add dev eth0 parent ffff: protocol arp prio 1 u32 match u32 0
> 0 flowid 1:1 action mirred egress redirect dev ifb19
>
> The flowid 1:1 is what the classification will be when the packet
> returns from the ifb - unless you are shaping again (on a real dev - you
> can't chain ifbs) it doesn't really matter what you put, but you do need
> one as without it the rule will be accepted, but won't work (apart from
> as a counter).
>
> Look at counters with -
>
> tc -s qdisc ls dev ifb19
> tc -s filter ls dev eth0 parent ffff:
>
> If you want to do the same sort of thing on egress you need to put
> something classful on the interface rather than the default pfifo_fast -
> prio will do.
>
> Some examples show using marks as well, it's not needed as such and
> doesn't always work as the netfilter bits keep getting out of sync with
> ifb.
>
> Andy.

From Покотиленко Fri Aug 18 13:31:49 2006
From: Покотиленко
Date: Fri Aug 18 13:31:42 2006
Subject: [LARTC] iproute2, alternative tables, no default route: routing trouble for localhost
Message-ID: <1155900710.5745.34.camel@localhost.localdomain>

Hi.

The task:

1. There are 3 servers and a router with 2 PPPoE connections (let's call them ppp0, ppp1).
2. There are several groups of Inet-clients to be served (Servers, Clients and Club).
3. The task is:
   - to route Club through ppp1;
   - to route Servers and Clients through ppp0;

(The following is reproduced from memory and may be slightly incorrect)

router # netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
a1.a2.a3.a4     0.0.0.0         255.255.255.255 U         0 0          0 ppp0
b1.b2.b3.b4     0.0.0.0         255.255.255.255 U         0 0          0 ppp1

router # cat /etc/iproute2/rt_tables
#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep
200     Servers
201     Clients
202     Club

router # ip rule ls
0:      from all lookup local
32763:  from 10.10.100.101/24 lookup Club
32764:  from 10.10.100.100/24 lookup Clients
32765:  from 192.168.1.0/24 lookup Servers
32766:  from all lookup main
32767:  from all lookup default

router # ip route ls table Clients
default via a1.a2.a3.a4 dev ppp0

router # ip route ls table Servers
default via a1.a2.a3.a4 dev ppp0

router # ip route ls table Club
default via b1.b2.b3.b4 dev ppp1

========================================

So, to summarize, there is no default route in the main routing table. Each group of clients is to be routed through its respective connection, and, when its connection is down, it is not to be routed.

This scheme works almost fine: 10.10.100.100/24 addresses are really being routed through ppp0, 10.10.100.101/24 through ppp1 and 192.168.1.0/24 (3 Servers) through ppp0.

BUT the router itself (192.168.1.4) has no route to any host. I get "network is unreachable" on any connection attempt from 192.168.1.4. And I can't connect to this router from outside, because the packets have no route to be sent back.

I thought that there are different routing policies for localhost and added a default route to the "local" table. 192.168.1.4 started to have the route, but the rest of the scheme started to work incorrectly.

So, the question is: how is the routing of packets coming from localhost accomplished? To me there is a kind of "vicious circle" situation, because to enter an alternative routing table there should already be a "source address", but for localhost, which has many source addresses, it should decide which route it needs in order to have the corresponding "source address" set.

-- 
Покотиленко

From lists at andyfurniss.entadsl.com Fri Aug 18 14:42:45 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Fri Aug 18 14:41:54 2006
Subject: [LARTC] Info about IFB
In-Reply-To: <43381.195.55.244.106.1155900200.squirrel@www.arcoscom.com>
References: <44D91973.2020805@arcoscom.com> <44E58B60.3040108@andyfurniss.entadsl.com> <43381.195.55.244.106.1155900200.squirrel@www.arcoscom.com>
Message-ID: <44E5B5C5.5090908@andyfurniss.entadsl.com>

ArcosCom Linux User wrote:
> I use IMQ for incoming traffic shaping (using u32 to match the
> source/destination MACs).
>
> With IMQ I use:
>
> iptables -t mangle -A PREROUTING -i $if_wan0 -j IMQ --to-dev 0
>
> (for example)
>
> to enqueue packets into the IMQ device and then do the shaping.
>
> With IMQ I can use modprobe to set the device count I need and so on.
>
> I really only want to replace the IMQ script code with IFB, but, at least for
> now, I don't understand well the packet flow using IFB.

IFB on ingress will hook the packets before netfilter, so you can't use iptables to mark or get the denatted addresses like you can with IMQ - so it's not a total replacement. There may be a way to do it in the future.

>
> I understand now how to initialize ifbX with your example, good!!
>
> Now some additional questions about your example:
> With this line:
>
> tc qdisc add dev ifb19 root tbf limit 2k rate 20kbit buffer 2k
>
> you are initializing the qdisc for ifb in the same manner you could do
> with imq?

Yes, you set up queues/filters the same as on imq.

>
> With these lines:
> tc qdisc add dev eth0 ingress
> tc filter add dev eth0 parent ffff: protocol arp prio 1 u32 match u32 0
> 0 flowid 1:1 action mirred egress redirect dev ifb19
>
> Are those analogous to this (my imq0 device as your ifb19 device):
> iptables -t mangle -A PREROUTING -i $if_wan0 -j IMQ --to-dev 0

tc qdisc add dev $if_wan0 ingress
tc filter add dev $if_wan0 parent ffff: protocol ip ...

would be the same - iptables only sees ip, with the ingress filter you can do others as well if you want - all, arp, 8021q or any ethertype protocol number (FWIW you need a different prio number for each different ethertype filter).

>
> ?
>
> The last one: do I only need to add classes and qdiscs to ifb19 as if it were
> my imq0 device?

You'll need to filter as well - on egress you can use iptables + marks (I don't think classify will work). But on ingress you can't use iptables because ifb is before netfilter.

Andy.

From marek at piasta.pl Fri Aug 18 14:52:35 2006
From: marek at piasta.pl (Marek Kierdelewicz)
Date: Fri Aug 18 14:46:43 2006
Subject: [LARTC] iproute2, alternative tables, no default route: routing trouble for localhost
In-Reply-To: <1155900710.5745.34.camel@localhost.localdomain>
References: <1155900710.5745.34.camel@localhost.localdomain>
Message-ID: <20060818145235.0012d511@localhost.localdomain>

> Hi.

Hi

> router # cat /etc/iproute2/rt_tables
> #
> # reserved values
> #
> 255     local
> 254     main
> 253     default
> 0       unspec
> #

Add a default route to the "default" table .. it gets hit after your custom tables as you can see here:

router # ip rule ls
0:      from all lookup local
32763:  from 10.10.100.101/24 lookup Club
32764:  from 10.10.100.100/24 lookup Clients
32765:  from 192.168.1.0/24 lookup Servers
32766:  from all lookup main
32767:  from all lookup default

This should allow your router to connect out and receive connections.

cheers

-- 
Marek Kierdelewicz
Kierownik Działu Systemów Sieciowych, KoBa
Manager of Network Systems Department, KoBa
tel. (85) 7406466; fax. (85) 7406467
e-mail: admin@koba.pl

From Покотиленко Fri Aug 18 15:15:38 2006
From: Покотиленко
Date: Fri Aug 18 15:15:29 2006
Subject: [LARTC] iproute2, alternative tables, no default route: routing trouble for localhost
In-Reply-To: <20060818145235.0012d511@localhost.localdomain>
References: <1155900710.5745.34.camel@localhost.localdomain> <20060818145235.0012d511@localhost.localdomain>
Message-ID: <1155906938.13440.37.camel@localhost.localdomain>

On Fri, 18/08/2006 at 14:52 +0200, Marek Kierdelewicz wrote:
> > Hi.
>
> Hi
>
> > router # cat /etc/iproute2/rt_tables
> > #
> > # reserved values
> > #
> > 255     local
> > 254     main
> > 253     default
> > 0       unspec
> > #
>
> Add a default route to the "default" table .. it gets hit after your
> custom tables as you can see here:
>
> router # ip rule ls
> 0:      from all lookup local
> 32763:  from 10.10.100.101/24 lookup Club
> 32764:  from 10.10.100.100/24 lookup Clients
> 32765:  from 192.168.1.0/24 lookup Servers
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> This should allow your router to connect out and receive connections.

Would 10.10.100.101/24 and 10.10.100.100/24 hit that table too? That's not desirable, because 10.10.100.101/24 should have no route if there is no one in the Club table, and 10.10.100.100/24 should have no route if there is no one in the Clients table.

-- 
Покотиленко

From raju at linux-delhi.org Fri Aug 18 15:21:01 2006
From: raju at linux-delhi.org (Raj Mathur)
Date: Fri Aug 18 15:20:47 2006
Subject: [LARTC] Handle limit in filter
Message-ID: <17637.48829.494838.331967@mail.linux-delhi.org>

Hi,

I've written a minimal sort of Perl module that dynamically creates and destroys traffic control rules for specific IPs. I'm currently using it for a user bandwidth control application at a client site. The module essentially gets Ethernet device(s), IP address and in/out speeds as input and dynamically creates classes, queues and filters for controlling speeds on the incoming and outgoing interfaces. It calls /sbin/tc internally to make the rules. Similarly, when the user is logged out, the module deletes the rules that it made earlier.

There are two issues I'm facing:

1. Is there any way to remove filter rules without knowing the handle? I'd like to be able to remove the filter rule using the same set of data that I used to create it, but there doesn't seem to be any way to do that. Currently I'm parsing the whole ``tc filter show'' output to find out the handle of the rule I'm interested in, then using that handle in the ``tc remove'' command to delete the rule. Inelegant and inefficient, to say the least.

2. Can one have filter rules with handles > 800:fff? After the program has run for a while, the filter handle hits 800:fff, and then I can not delete any of the new rules at all. I'd be interested in knowing how to make tc reuse handles; failing that, increasing the number of unique handles would at least prevent my client from having to reboot the server every day.

I'll be releasing the module under GPL once I've cleaned up the code and documented the methods a bit. Help on doing that appreciated.
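As an added example (not code from the original post, and not Raj's Perl module), the following Python does the handle lookup described in point 1 over constructed 'tc filter show' output in the u32 format: it maps each filter node's match line back to the IP address and header field it was created from, returns the 'fh' handle and flowid, builds the matching 'tc filter del' line, and counts how many node IDs are still free below the 800:fff ceiling from point 2. The sample output, the device name eth0 and the flowids are assumptions.

```python
import ipaddress
import re

# Constructed sample of what 'tc filter show dev eth0' prints for u32
# filters (iproute2 format); the indented lines after a filter header are
# that filter's match conditions. Not captured from a real host.
SAMPLE_TC_FILTER_SHOW = """\
filter parent 1: protocol ip pref 1 u32
filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:10
  match c0a80a05/ffffffff at 16
filter parent 1: protocol ip pref 1 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 1:11
  match c0a80a06/ffffffff at 12
filter parent 1: protocol ip pref 1 u32 fh 800::802 order 2050 key ht 800 bkt 0 flowid 1:12
  match c0a80a00/ffffff00 at 16
"""

HEADER_RE = re.compile(
    r"^filter parent (?P<parent>\S+) protocol (?P<proto>\S+) pref (?P<pref>\d+) u32"
    r"(?: fh (?P<fh>\S+))?(?: .*?flowid (?P<flowid>\S+))?"
)
MATCH_RE = re.compile(
    r"^\s+match (?P<val>[0-9a-f]+)/(?P<mask>[0-9a-f]+) at (?P<off>\d+)"
)

# Offsets of the address fields in the IPv4 header, which is what u32
# 'match ip src' (offset 12) and 'match ip dst' (offset 16) compile to.
OFFSET_FIELD = {12: "src", 16: "dst"}

# Node IDs inside one u32 hash table run from 0x800 to 0xfff; that range is
# the 800:fff ceiling the post runs into.
FIRST_NODE, LAST_NODE = 0x800, 0xFFF


def parse_u32_filters(text):
    """Return one dict per u32 filter node ('fh' of the form ht::node);
    hash-table headers such as 'fh 800:' carry no match and are skipped."""
    filters, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            fh = m.group("fh")
            current = None
            if fh and "::" in fh:
                current = {
                    "parent": m.group("parent"),
                    "pref": int(m.group("pref")),
                    "handle": fh,
                    "flowid": m.group("flowid"),
                    "matches": [],
                }
                filters.append(current)
            continue
        m = MATCH_RE.match(line)
        if m and current is not None:
            off = int(m.group("off"))
            if off not in OFFSET_FIELD:
                continue  # a port or protocol match; not an address, ignored here
            val, mask = int(m.group("val"), 16), int(m.group("mask"), 16)
            # Assumes a contiguous mask, which 'match ip src/dst' always produces.
            net = ipaddress.IPv4Network((val & mask, str(ipaddress.IPv4Address(mask))))
            current["matches"].append((OFFSET_FIELD[off], net))
    return filters


def find_filter(text, ip, field="dst"):
    """Find the filter whose <field> match is exactly the host or prefix 'ip'
    ('192.168.10.5' or '192.168.10.0/24'), i.e. the data used to create it."""
    target = ipaddress.IPv4Network(ip if "/" in ip else ip + "/32")
    for f in parse_u32_filters(text):
        if (field, target) in f["matches"]:
            return f
    return None


def delete_command(dev, f):
    """tc deletes a u32 node by its handle and needs parent and pref as well."""
    return "tc filter del dev %s parent %s protocol ip pref %d handle %s u32" % (
        dev, f["parent"], f["pref"], f["handle"])


def free_nodes(text, ht="800"):
    """Number of node IDs not yet used in hash table 'ht'."""
    used = {int(f["handle"].split("::")[1], 16)
            for f in parse_u32_filters(text)
            if f["handle"].split("::")[0] == ht}
    return (LAST_NODE - FIRST_NODE + 1) - len(used)


if __name__ == "__main__":
    hit = find_filter(SAMPLE_TC_FILTER_SHOW, "192.168.10.5")
    print(hit["handle"], hit["flowid"])
    print(delete_command("eth0", hit))
    print("free node IDs in ht 800:", free_nodes(SAMPLE_TC_FILTER_SHOW))
```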
Regards,

-- Raju

-- Raj Mathur raju@kandalaya.org http://kandalaya.org/ GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F It is the mind that moves
From hijacker at oldum.net Fri Aug 18 15:52:30 2006
From: hijacker at oldum.net (Nikolay Kichukov) Date: Fri Aug 18 15:52:23 2006 Subject: [LARTC] How to bypass traffic control for one IP In-Reply-To: <23741-26129@sneakemail.com> References: <28632-76882@sneakemail.com> <016d01c6c1e8$630f5340$0600a8c0@hpa> <5056-98503@sneakemail.com> <1155896549.3702.4.camel@ccja.localhost> <23741-26129@sneakemail.com> Message-ID: <1155909150.4496.10.camel@ccja.localhost>

Okay, the following may or may not work:

On the interface of the router that is connected to the adsl, add an egress HTB qdisc. Then add classes accordingly. The first one, with highest priority, will be for the 4Mbit traffic. The classes after this one will be dependent on your liking.

Add some tc filters. The first one will match if dst ip is $IP_OF_ADSL or dst port is $THE_BROADCAST_PORT_OF_THE_ADSL, and it will use the htb class with highest priority. Packets not having the adsl as destination will be matched in the filters afterwards, thus shaped and so on.

However, I am not sure if all of the packets will not go under that htb class, because in their destination header they all have the adsl IP (the default gateway). Maybe someone on the list will enlighten me on that topic.

-nik

On Fri, 2006-08-18 at 12:47 +0200, Yves BLUSSEAU wrote:
> The adsl modem has two functions: it gives me access to the internet (max 80ko/s upload) and it is used to broadcast a video stream at more than 4Mo/s.
> I can't manage the modem.
> My PC, the firewall and the modem are locally connected at 100Mbits Full Duplex.
> Like I said, I want to shape the upload to the internet and only to the internet.
> So do you know a good configuration to shape all but not the traffic directly sent to the modem (to its IP)?
>
> Yves
>
> ----- Original Message -----
> From: "Nikolay Kichukov hijacker-at-oldum.net |Linux Advanced Routing & Traffic Control project/1.0-Allow|" <...>
> To: <..................>
> Sent: Friday, August 18, 2006 12:22 PM
> Subject: Re: [LARTC] How to bypass traffic control for one IP
>
> You surely do need to send the video stream at full speed, but what is the point of doing so if the adsl modem (router) will still shape the upload at the speed that your ISP gives to you?
>
> That will only saturate the link.
>
> -nik
>
> On Thu, 2006-08-17 at 21:05 +0200, Yves ........ wrote:
> > Because my adsl modem is also a router and it is used to send broadcast video to another network, and so I need to send the video stream at full speed to the modem.
> > ----- Original Message -----
> > From: "nikolay hijacker-at-oldum.net |Linux Advanced Routing & Traffic Control project/1.0-Allow|" <...>
> > To: <..................>
> > Sent: Thursday, August 17, 2006 12:32 PM
> > Subject: Re: [LARTC] How to bypass traffic control for one IP
> >
> > > why would you want to "access" the adsl modem at 100Mbps?
> > >
> > > What is the speed your ISP provides to the adsl modem?
> > >
> > > -nik
> > > ----- Original Message -----
> > > From: "Yves ........" <2z7mbt002@sneakemail.com>
> > > To:
> > > Sent: Wednesday, August 16, 2006 6:16 PM
> > > Subject: [LARTC] How to bypass traffic control for one IP
> > >
> > > Hi all,
> > >
> > > I have a problem: I have an adsl modem that is connected to the internet. I can't manage this modem.
> > > Between my PC and the modem I have a linux firewall that does the NAT and the traffic shaping.
> > > I have created a script that limits the bandwidth of the "external" interface of the firewall so I can manage my bandwidth for my internet applications.
> > > The problem is that I need to access the adsl modem at full bandwidth (100mbits) from my PC (through the linux firewall).
> > > So I need a configuration where all the internet IPs are limited by the traffic control and where the IP of the modem is not slowed down by traffic shaping.
> > >
> > > Who has an idea for such a configuration?
> > >
> > > Thanks in advance.
> > >
> > > Yves

From marek at piasta.pl Fri Aug 18 17:05:16 2006
From: marek at piasta.pl (Marek Kierdelewicz) Date: Fri Aug 18 16:59:23 2006 Subject: [LARTC] Handle limit in filter In-Reply-To: <17637.48829.494838.331967@mail.linux-delhi.org> References: <17637.48829.494838.331967@mail.linux-delhi.org> Message-ID: <20060818170516.02fcd467@localhost.localdomain>

> Hi,

Hi there!

> I've written a minimal sort of Perl module that dynamically creates
> and destroys traffic control rules for specific IPs. I'm currently
> using it for a user bandwidth control application at a client site.

Been there, done that... Better regenerate the whole tc config and load it using "tc -b". It's faster than many calls to the tc binary (no context switching overhead).

cheers

-- Marek Kierdelewicz Kierownik Działu Systemów Sieciowych, KoBa Manager of Network Systems Department, KoBa tel. (85) 7406466; fax. (85) 7406467 e-mail: admin@koba.pl
From Покотиленко Fri Aug 18 18:51:16 2006
From: Покотиленко (Покотиленко) Date: Fri Aug 18 18:51:02 2006 Subject: [LARTC] iproute2, alternative tables, no default route: routing trouble for localhost [SOLVED] In-Reply-To: <1155900710.5745.34.camel@localhost.localdomain> References: <1155900710.5745.34.camel@localhost.localdomain> Message-ID: <1155919876.5745.62.camel@localhost.localdomain>

I've found the answer in debian-firewall@lists.debian.org.

First: I'm sorry, there was a typo while writing the message. The correct subnets are 10.10.101.0/24 and 10.10.100.0/24, not 10.10.100.101/24 and 10.10.100.100/24.

The solution is:

# ip rule add dev lo table Servers

as Pascal Hambourg advised, I'll quote:

> > So, the question is: how is the routing of packets coming from
> > localhost accomplished?
>
> In the same way as the routing of forwarded packets. From "ip rule"
> point of view, locally generated traffic is selected with "iif lo" (see
> iproute manual). Be aware that when the local source address is not
> explicitly specified by the sending application, none of your custom
> rules will match, so the "main" table will be used. But it contains no
> default route.

On Fri, 18/08/2006 at 14:31 +0300, Покотиленко wrote:
> Hi.
>
> The task:
>
> 1. There are 3 servers and a router with 2 PPPoE connections (let's call them: ppp0, ppp1).
> 2. There are several groups of Inet-clients to be served (Servers, Clients and Club).
> 3.
The task is:
> - to route Club through ppp1;
> - to route Servers and Clients through ppp0;
>
> (Next is reproduced from memory and may be slightly incorrect)
>
> router # netstat -nr
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags MSS Window irtt Iface
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0   0      0    eth0
> a1.a2.a3.a4     0.0.0.0         255.255.255.255 U     0   0      0    ppp0
> b1.b2.b3.b4     0.0.0.0         255.255.255.255 U     0   0      0    ppp1
>
> router # cat /etc/iproute2/rt_tables
> #
> # reserved values
> #
> 255 local
> 254 main
> 253 default
> 0 unspec
> #
> # local
> #
> #1 inr.ruhep
> 200 Servers
> 201 Clients
> 202 Club
>
> router # ip rule ls
> 0: from all lookup local
> 32763: from 10.10.100.101/24 lookup Club
> 32764: from 10.10.100.100/24 lookup Clients
> 32765: from 192.168.1.0/24 lookup Servers
> 32766: from all lookup main
> 32767: from all lookup default
>
> router # ip route ls table Clients
> default via a1.a2.a3.a4 dev ppp0
>
> router # ip route ls table Servers
> default via a1.a2.a3.a4 dev ppp0
>
> router # ip route ls table Club
> default via b1.b2.b3.b4 dev ppp1
>
> ========================================
>
> So, to summarize, there is no default route in the main routing table. Each group of clients is to be routed through its respective connection, and, when its connection is down, it is not to be routed.
>
> This scheme works almost fine: 10.10.100.100/24 addresses are really being routed through ppp0, 10.10.100.101/24 through ppp1 and 192.168.1.0/24 (3 Servers) through ppp0. BUT the router itself (192.168.1.4) has no route to any host. I get "network is unreachable" on any connection attempt from 192.168.1.4. And I can't connect to this router from outside, because the packets have no route to be sent back.
>
> I thought that there is a different routing politics for localhost and added a default route to the "local" table. 192.168.1.4 started to have the route, but the rest of the scheme started to work incorrectly.
>
> So, the question is: how is the routing of packets coming from localhost accomplished?
>
> As to me, there is a kind of "vicious circle" situation, because to enter an alternative routing table there should already be a "source address", but for localhost, which has many source addresses, it should decide which route it needs in order to have the corresponding "source address" set.
> -- Покотиленко
From cy at microembed.cn Fri Aug 18 18:14:56 2006
From: cy at microembed.cn (Richard Cai) Date: Fri Aug 18 18:55:52 2006 Subject: [LARTC] how to implement 802.1p QoS on Linux Message-ID: <44E5E780.8030802@microembed.cn>

Hello everyone:

How to implement 802.1p QoS on linux?

Thanks
From raju at linux-delhi.org Fri Aug 18 21:16:42 2006
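A model of the rule lookup discussed in the [SOLVED] iproute2 thread above, written as an added example (not code from any of the list messages): it walks the posted `ip rule` list and tables for a given source, incoming device and destination, and shows why locally generated traffic with no bound source address ends in the empty main and default tables, what the `iif lo` rule changes, and what a default route in the "default" table (the earlier suggestion) does to Club clients whose ppp1 is down. The priority 32762 for the added rule, the destination 203.0.113.10 and the client addresses are assumptions.

```python
"""Policy routing (RPDB) lookup model for the "no default route in main"
thread above.  Added example, not code from any of the list messages.
Rule priorities, table names and prefixes come from the thread; the
gateways a1.a2.a3.a4 / b1.b2.b3.b4 stay symbolic as the poster wrote them.
Only the "from" and "iif" selectors are modelled."""
from ipaddress import ip_address, ip_network

# Table name -> list of (prefix, device, gateway), constructed from the
# "ip route ls table ..." output: main has the LAN route but no default.
TABLES = {
    "local":   [],
    "main":    [("192.168.1.0/24", "eth0", None)],
    "default": [],
    "Servers": [("0.0.0.0/0", "ppp0", "a1.a2.a3.a4")],
    "Clients": [("0.0.0.0/0", "ppp0", "a1.a2.a3.a4")],
    "Club":    [("0.0.0.0/0", "ppp1", "b1.b2.b3.b4")],
}

# (priority, selector, table) as in "ip rule ls", with the corrected
# prefixes from the [SOLVED] post; selector None means "from all".
RULES = [
    (0,     None,                       "local"),
    (32763, ("from", "10.10.101.0/24"), "Club"),
    (32764, ("from", "10.10.100.0/24"), "Clients"),
    (32765, ("from", "192.168.1.0/24"), "Servers"),
    (32766, None,                       "main"),
    (32767, None,                       "default"),
]


def rule_matches(selector, src, iif):
    """"from all" always matches; "from PREFIX" needs a source address inside
    it (a socket that has not bound one has none yet); "iif DEV" matches the
    input device, which is lo for locally generated packets."""
    if selector is None:
        return True
    kind, value = selector
    if kind == "from":
        return src is not None and ip_address(src) in ip_network(value)
    if kind == "iif":
        return iif == value
    raise ValueError(f"unsupported selector {kind!r}")


def table_lookup(table, dst, tables=TABLES):
    """Longest-prefix match within one table; None if nothing matches."""
    best = None
    for prefix, dev, gw in tables.get(table, []):
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, table, dev, gw)
    return None if best is None else best[1:]


def route(dst, src=None, iif=None, rules=RULES, tables=TABLES):
    """Walk the rules by priority.  A matching rule whose table has no route
    for dst does not end the lookup, the next rule is tried.  None stands
    for the "network is unreachable" error the poster saw."""
    for _prio, selector, table in sorted(rules, key=lambda r: r[0]):
        if rule_matches(selector, src, iif):
            hit = table_lookup(table, dst, tables)
            if hit is not None:
                return hit
    return None


def with_iif_lo_rule(rules=RULES):
    """The fix from the [SOLVED] post: "ip rule add dev lo table Servers".
    Priority 32762 is an assumption: one below the lowest existing user rule,
    which is what ip rule picks when no preference is given."""
    return rules + [(32762, ("iif", "lo"), "Servers")]


def with_default_in_default_table(tables=TABLES):
    """The earlier suggestion: a default route in the "default" table."""
    t = {k: list(v) for k, v in tables.items()}
    t["default"] = [("0.0.0.0/0", "ppp0", "a1.a2.a3.a4")]
    return t


def with_link_down(tables, table):
    """A ppp link going down takes its table's default route with it."""
    t = {k: list(v) for k, v in tables.items()}
    t[table] = []
    return t


if __name__ == "__main__":
    inet = "203.0.113.10"          # constructed Internet destination
    print("client 10.10.100.7 ->", route(inet, src="10.10.100.7"))
    print("router, unbound src ->", route(inet, iif="lo"))
    fixed = with_iif_lo_rule()
    print("router, iif lo rule ->", route(inet, iif="lo", rules=fixed))
    # Caveat the model makes visible: with only a default route in Servers,
    # the iif lo rule also shadows main's LAN route for the router itself.
    print("router -> LAN host  ->", route("192.168.1.9", iif="lo", rules=fixed))
    leak = with_link_down(with_default_in_default_table(), "Club")
    print("Club client, ppp1 down, default table filled ->",
          route(inet, src="10.10.101.7", tables=leak))
```

The last two cases are the ones worth checking against a real box: the `iif lo` rule only does what the poster wanted if the Servers table also carries the LAN route, and a default route in the "default" table gives Club clients a path through ppp0 exactly when ppp1 is down.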
From: raju at linux-delhi.org (Raj Mathur) Date: Fri Aug 18 21:16:28 2006 Subject: [LARTC] Handle limit in filter In-Reply-To: <20060818170516.02fcd467@localhost.localdomain> References: <17637.48829.494838.331967@mail.linux-delhi.org> <20060818170516.02fcd467@localhost.localdomain> Message-ID: <17638.4634.37306.164818@mail.linux-delhi.org> >>>>> "Marek" == Marek Kierdelewicz writes: >> I've written a minimal sort of Perl module that dynamically >> creates and destroys traffic control rules for specific IPs. >> I'm currently using it for a user bandwidth control application >> at a client site. Marek> Been there, done that... Marek> Better regenerate whole tc config and load it using "tc Marek> -b". It's faster then many calls to tc binary (no context Marek> switching overhead). I don't really know what effect resetting the tc configuration every few seconds would have on logged in users. What happens to the existing connections when the whole thing is reloaded? Will they jitter? Or roll over and die, or just continue behaving as they were? Wouldn't writing out commands for a few hundred connections into a file and loading that file take a significant amount of time? On the whole I'd prefer to do each connection as it comes up, so if that's possible at all. Regards, -- Raju -- Raj Mathur raju@kandalaya.org http://kandalaya.org/ GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F It is the mind that moves From spam_dumpster2 at cox.net Sat Aug 19 00:45:28 2006 
From: spam_dumpster2 at cox.net (Spam Dumpster) Date: Sat Aug 19 00:45:00 2006 Subject: [LARTC] RTNETLINK answers: File exists .. Network is unreachable Message-ID: <7.0.1.0.2.20060818153650.020f0340@cox.net>

I am a Linux novice. I have set up a Linux router that is running the 2.6.15-1.2054_FC5 kernel. I boot to an initial router state and then I experiment with various "tc" commands by executing them at the command prompt. I reboot often to restore the initial state.

When I booted up the router today I got the following messages during the boot process:

Bringing up interface eth0:
RTNETLINK answers: File exists
RTNETLINK answers: Network is unreachable
Bringing up interface eth1:
RTNETLINK answers: File exists
RTNETLINK answers: Network is unreachable

Will someone please enlighten me as to what kind of problem is being indicated by these messages?

Thanks,
Bob
From kajtek at biezanow.net Sat Aug 19 10:33:19 2006
From: kajtek at biezanow.net (Kajetan Staszkiewicz) Date: Sat Aug 19 10:33:03 2006 Subject: [LARTC] Handle limit in filter In-Reply-To: <17638.4634.37306.164818@mail.linux-delhi.org> References: <17637.48829.494838.331967@mail.linux-delhi.org> <20060818170516.02fcd467@localhost.localdomain> <17638.4634.37306.164818@mail.linux-delhi.org> Message-ID: <200608191033.29485.kajtek@biezanow.net>

On Friday, 18 August 2006 21:16, Raj Mathur wrote:
> >>>>> "Marek" == Marek Kierdelewicz writes:
> >> I've written a minimal sort of Perl module that dynamically
> >> creates and destroys traffic control rules for specific IPs.
> >> I'm currently using it for a user bandwidth control application
> >> at a client site.
>
> Marek> Been there, done that...
>
> Marek> Better regenerate whole tc config and load it using "tc
> Marek> -b". It's faster than many calls to tc binary (no context
> Marek> switching overhead).
>
> I don't really know what effect resetting the tc configuration every
> few seconds would have on logged in users. What happens to the
> existing connections when the whole thing is reloaded? Will they
> jitter? Or roll over and die, or just continue behaving as they were?
>
> Wouldn't writing out commands for a few hundred connections into a
> file and loading that file take a significant amount of time?

I'm generating a huge tc setup from a database and loading it (which takes a significant amount of time) only on router startup or when reloading the whole router configuration. To change the speed limit of a single host in the network I'm using `tc class change`, which goes fast.

--
| pozdrawiam / greetings | powered by Trustix, Gentoo and FreeBSD |
| Kajetan Staszkiewicz | jabber,email,www: vegeta()tuxpowered net |
| Vegeta | IMQ devnames: http://www.tuxpowered.net |
`------------------------^------------------------------------------'
From raju at linux-delhi.org Sat Aug 19 11:19:21 2006
From: raju at linux-delhi.org (Raj Mathur) Date: Sat Aug 19 11:19:10 2006 Subject: [LARTC] Handle limit in filter In-Reply-To: <200608191033.29485.kajtek@biezanow.net> References: <17637.48829.494838.331967@mail.linux-delhi.org> <20060818170516.02fcd467@localhost.localdomain> <17638.4634.37306.164818@mail.linux-delhi.org> <200608191033.29485.kajtek@biezanow.net> Message-ID: <17638.55193.412912.664725@mail.linux-delhi.org>

>>>>> "Kajetan" == Kajetan Staszkiewicz writes:

Kajetan> On Friday, 18 August 2006 21:16, Raj Mathur wrote:
>> >>>>> "Marek" == Marek Kierdelewicz writes:
>> >> I've written a minimal sort of Perl module that dynamically
>> >> creates and destroys traffic control rules for specific IPs.
>> >> I'm currently using it for a user bandwidth control
>> >> application at a client site.
>> Marek> Been there, done that...
>> Marek> Better regenerate whole tc config and load it using "tc
>> Marek> -b". It's faster than many calls to tc binary (no context
>> Marek> switching overhead).
>> I don't really know what effect resetting the tc configuration
>> every few seconds would have on logged in users. What happens
>> to the existing connections when the whole thing is reloaded?
>> Will they jitter? Or roll over and die, or just continue
>> behaving as they were?
>>
>> Wouldn't writing out commands for a few hundred connections
>> into a file and loading that file take a significant amount of
>> time?

Kajetan> I'm generating huge tc setup from database and loading it
Kajetan> (which takes significant amount of time) only on router
Kajetan> startup or reloading whole router configuration.

As I suspected... I wonder if Marek's solution would work in a significantly dynamic environment? Any thoughts Marek?

Kajetan> To change speed limit of single host in network I'm using
Kajetan> `tc class change`, which goes fast.

I have to keep adding and deleting classes as users login and logout. I'm afraid change is not an option for me.
Regards,

-- Raju

-- Raj Mathur raju@kandalaya.org http://kandalaya.org/ GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F It is the mind that moves
From hijacker at oldum.net Sat Aug 19 16:21:40 2006
From: hijacker at oldum.net (nikolay) Date: Sat Aug 19 16:21:36 2006 Subject: [LARTC] How to bypass traffic control for one IP References: <28632-76882@sneakemail.com> <016d01c6c1e8$630f5340$0600a8c0@hpa> <5056-98503@sneakemail.com> <1155896549.3702.4.camel@ccja.localhost> <23741-26129@sneakemail.com> <1155909150.4496.10.camel@ccja.localhost> <7344-83645@sneakemail.com> Message-ID: <008b01c6c39a$cb8f8bc0$0600a8c0@hpa>

Sure, I'll write an example. It is all dependent on the ceil parameter on the class. So if the class for the internet is 80kbps, then you will have rate 80kb ceil 80kb, thus this class will not be able to borrow bandwidth from the class above it.

Example:

tc qdisc add dev eth1 root handle 1: htb default 11
tc class add dev eth1 parent 1: classid 1:1 htb rate 48kb ceil 48kb
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 40kb ceil 40kb prio 1
tc class add dev eth1 parent 1:1 classid 1:11 htb rate 8kb ceil 8kb prio 2

What's next is to match the right packets into the right classes using filters.

Let me know if that helps.

btw eth1 will be the interface that is connected to the adsl router, and 48kbps is just an example, feel free to adjust those values.

-nik

----- Original Message -----
From: "Yves BLUSSEAU" <2z7mbt002@sneakemail.com>
To:
Sent: Friday, August 18, 2006 5:05 PM
Subject: Re: [LARTC] How to bypass traffic control for one IP

> Thx nik,
>
> but what I don't understand is that if there is no traffic to the first class (4Mbit traffic), the other class can borrow capacity from the first one. So the traffic to the internet is not limited to 80ko/s?
> If I'm wrong, can you write an example?
>
> Thanks in advance,
> Yves
>
> ----- Original Message -----
From marek at piasta.pl Sun Aug 20 11:23:16 2006
From: marek at piasta.pl (Marek Kierdelewicz) Date: Sun Aug 20 11:17:21 2006 Subject: [LARTC] Handle limit in filter In-Reply-To: <17638.55193.412912.664725@mail.linux-delhi.org> References: <17637.48829.494838.331967@mail.linux-delhi.org> <20060818170516.02fcd467@localhost.localdomain> <17638.4634.37306.164818@mail.linux-delhi.org> <200608191033.29485.kajtek@biezanow.net> <17638.55193.412912.664725@mail.linux-delhi.org> Message-ID: <20060820112316.2fa86329@localhost.localdomain>

> Kajetan> I'm generating huge tc setup from database and loading it
> Kajetan> (which takes significant amount of time) only on router
> Kajetan> startup or reloading whole router configuration.
>
> As I suspected... I wonder if Marek's solution would work in a
> significantly dynamic environment? Any thoughts Marek?

Just try it... Generating a large file with tc classes and filters and then loading it with "tc -b" takes less than 1s on most systems. If you're worried about active connections - don't be. A shaping restart won't break them. I use this solution on routers with thousands of filters and classes and full restart intervals as low as 1 min. It works well.

> Kajetan> To change speed limit of single host in network I'm using
> Kajetan> `tc class change`, which goes fast.
>
> I have to keep adding and deleting classes as users login and logout.
> I'm afraid change is not an option for me.

Whatever you do, change/add/delete, you can always pack the commands in one file and load them with "tc -b". Again, it's faster.

> Regards,
>
> -- Raju

Regards,

-- Marek Kierdelewicz Kierownik Działu Systemów Sieciowych, KoBa Manager of Network Systems Department, KoBa tel. (85) 7406466; fax. (85) 7406467 e-mail: admin@koba.pl
From jarkao2 at o2.pl Mon Aug 21 09:56:26 2006
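An added example of the batch approach discussed in this thread (not the Perl module Raj describes, nor Marek's or Kajetan's setup): a generator that writes `tc -b` command lines for login and logout and keeps its own u32 filter node ids, so a logout is deleted with the same data that created it and freed ids are reused rather than counting up towards 800::fff. It relies on u32 filters accepting an explicit `handle` on add and del; device names, rates, addresses and the 1:ffff catch-all class are constructed, and nothing in it executes tc.

```python
"""Generator of "tc -b" batch lines for per-user shaping, as an added example
of the approach discussed above (not the Perl module from the thread, nor
Marek's or Kajetan's setup).  The generator keeps its own u32 filter node
ids: a logout is deleted with the same data that created it, and freed ids
are reused instead of counting up towards 800::fff.  Device names, rates,
addresses and the 1:ffff catch-all class are constructed; nothing runs tc."""
from dataclasses import dataclass, field

ROOT_HTID = 0x800    # the u32 hash table tc creates under a qdisc by default
MAX_NODE = 0xFFF     # u32 node ids are 12 bits wide: 1 .. 0xfff per table


@dataclass(frozen=True)
class User:
    ip: str
    down_kbit: int
    up_kbit: int


@dataclass
class Shaper:
    """One HTB tree per direction.  A user's classid minor and u32 node id
    are the same slot number, so every command for a user derives from
    (slot, ip) and nothing has to be read back from "tc filter show"."""
    lan_dev: str                 # egress towards users: shapes download
    wan_dev: str                 # egress towards the uplink: shapes upload
    slots: dict = field(default_factory=dict)    # ip -> slot
    free: list = field(default_factory=list)     # released slots, reused first
    next_slot: int = 1

    def _alloc(self, ip):
        if ip in self.slots:
            return self.slots[ip]
        if self.free:
            slot = self.free.pop()
        elif self.next_slot <= MAX_NODE:
            slot, self.next_slot = self.next_slot, self.next_slot + 1
        else:
            raise RuntimeError("u32 table 800: has no free node id")
        self.slots[ip] = slot
        return slot

    @staticmethod
    def _handle(slot):
        return f"{ROOT_HTID:x}::{slot:x}"        # e.g. 800::1a

    def root(self):
        """Run once: HTB root per device, unmatched traffic to class 1:ffff."""
        out = []
        for dev in (self.lan_dev, self.wan_dev):
            out.append(f"qdisc add dev {dev} root handle 1: htb default ffff")
            out.append(f"class add dev {dev} parent 1: classid 1:ffff htb rate 100mbit")
        return out

    def login(self, user):
        """Class plus u32 filter per direction, filter handle chosen by us."""
        slot = self._alloc(user.ip)
        cid = f"1:{slot:x}"
        out = []
        for dev, rate, match in ((self.lan_dev, user.down_kbit, f"dst {user.ip}"),
                                 (self.wan_dev, user.up_kbit, f"src {user.ip}")):
            out.append(f"class add dev {dev} parent 1: classid {cid} htb rate {rate}kbit")
            out.append(f"filter add dev {dev} parent 1: protocol ip prio 1 "
                       f"handle {self._handle(slot)} u32 match ip {match} flowid {cid}")
        return out

    def logout(self, ip):
        """Delete by the handle we chose.  Filters go first so the class is
        no longer referenced when it is removed; the slot returns to the pool."""
        slot = self.slots.pop(ip)
        self.free.append(slot)
        cid = f"1:{slot:x}"
        out = []
        for dev in (self.lan_dev, self.wan_dev):
            out.append(f"filter del dev {dev} parent 1: protocol ip prio 1 "
                       f"handle {self._handle(slot)} u32")
            out.append(f"class del dev {dev} classid {cid}")
        return out


def batch_text(commands):
    """File content for "tc -b FILE": one tc command per line, no tc prefix."""
    return "".join(line + "\n" for line in commands)


if __name__ == "__main__":
    s = Shaper("eth0", "eth1")
    cmds = s.root()
    cmds += s.login(User("10.0.0.5", 512, 128))     # constructed users
    cmds += s.login(User("10.0.0.6", 1024, 256))
    cmds += s.logout("10.0.0.5")
    cmds += s.login(User("10.0.0.7", 256, 64))      # gets slot 1 back
    print(batch_text(cmds), end="")
```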
From: jarkao2 at o2.pl (Jarek Poplawski) Date: Mon Aug 21 09:55:44 2006 Subject: [LARTC] Re: tc filter In-Reply-To: <44E59640.9040207@andyfurniss.entadsl.com> References: <81c11a560608030906t525d6232vf135053463ce6a8f@mail.gmail.com> <44E59640.9040207@andyfurniss.entadsl.com> Message-ID:

On 18-08-2006 12:28, Andy Furniss wrote:
> Jarek Poplawski wrote:
>
>> Should be:
>> # tc filter add dev eth0 parent 1: proto ip pref 100 \
>> u32 match ip dst 192.168.1.222 flowid 1: police \
>> conform-exceed drop/drop
>
> Looks a bit iffy but I haven't tried it - I thought that would be drop
> whether under or over - if it's valid at all without action/ a police rate.

Maybe I should have written: "Should be with a fairly current iproute2 and kernel:". It's the so called "New syntax" ("Old syntax" didn't work for me), to add an exceed action for zero rate. According to help, rate and burst should be included, but it works anyway.

Jarek P.
From tino.kriswanto at gmail.com Mon Aug 21 12:24:55 2006
From: tino.kriswanto at gmail.com (tino) Date: Mon Aug 21 12:24:48 2006 Subject: [LARTC] maximum number of class Message-ID: <004701c6c50c$1074b040$7a0989ca@bmsby010128>

Hi,

I have just implemented htb & cbq successfully. My question: how many classes (at maximum) can I create? I need 1500 classes at least (for all campus client hosts), on an 800MHz CPU, 1.5G RAM, 40G disk with Linux 2.6 kernels.

regards,
Tino
From kartheekpn at yahoo.co.in Mon Aug 21 14:05:21 2006
From: kartheekpn at yahoo.co.in (KartheeK) Date: Mon Aug 21 14:05:13 2006 Subject: [LARTC] Bonding + Shaping --> Is it Possible? In-Reply-To: <20060818035640.39275.qmail@web8506.mail.in.yahoo.com> Message-ID: <20060821120524.32825.qmail@web8512.mail.in.yahoo.com>

Hello All

Anybody, any thoughts?
Any kind of feedback or suggestion is welcome...

KartheeK

KartheeK wrote:
Hello All,

Has anybody of you worked on such a set up?

KartheeK

KartheeK wrote:
Date: Thu, 17 Aug 2006 07:31:25 +0100 (BST)
From: KartheeK To: lartc@mailman.ds9a.nl Subject: [LARTC] Bonding + Shaping --> Is it Possible?

Hello All,

I was curious to know if I can do traffic shaping on a bonded interface?
Ex: I have two interfaces eth1 and eth2 which I have bonded together as bond0; now the question is, can I do shaping on eth1 and eth2??

Thanks
KartheeK
From rvokal at redhat.com Mon Aug 21 14:07:04 2006
From: rvokal at redhat.com (Radek Vokál) Date: Mon Aug 21 14:08:55 2006 Subject: [LARTC] [PATCH] missing flags for ip link Message-ID: <1156162024.2906.55.camel@localhost.localdomain>

There's a flag 10000 that is not recognized by iproute. The kernel uses

#define IFF_LOWER_UP 0x10000 /* driver signals L1 up */
#define IFF_DORMANT 0x20000 /* driver signals dormant */

-- Radek Vokál

-------------- next part --------------
A non-text attachment was scrubbed... Name: iproute2-2.6.16-flags.patch Type: text/x-patch Size: 318 bytes Desc: not available Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20060821/dfb14d79/iproute2-2.6.16-flags.bin
From jrompen at gmail.com Mon Aug 21 14:20:33 2006
From: jrompen at gmail.com (Jacques Rompen) Date: Mon Aug 21 14:20:16 2006 Subject: [LARTC] Re: Routing packets over multiple links (NICS) all on the same ISP all with same gateway. In-Reply-To: <200608171602.52232.luciano@lugmen.org.ar> References: <10c138640608140842x66bdc222q1f444e6d25f59582@mail.gmail.com> <200608171411.17528.luciano@lugmen.org.ar> <10c138640608171048x7797d67bxcef05f3f1b64c0d8@mail.gmail.com> <200608171602.52232.luciano@lugmen.org.ar> Message-ID: <10c138640608210520j783f930egff3ded309e391824@mail.gmail.com>

On 8/17/06, Luciano Ruete wrote:
> > I will try all this tomorrow, don't have access to the box right now.
> >
> > About turning off arp. If you turn them all off, wouldn't the nics (ip's) be unfindable from the outside world? Or does the switch they connect to respond to such an arp request as well?
>
> What you're turning off is that the device answers arp (whohas) requests for ips that are not from that specific device itself. The ips assigned to the device will continue to answer as normal.
>
> > But what you are saying is that if I had a box with 2 nics each connected to a different ISP, so each nic with a different gateway and ip. That if nic1 would receive an arp request for the ip from nic2, it would respond with the mac-address from nic1.
>
> exactly!
>
> > So that could mean that all packets would come in over nic1, even if they have destination ip(nic2)?
>
> exactly, and will arrive at destination anyway, but they are incoming on the wrong iface.
>
> > Seems to me that this is never really desirable.
>
> It is a really questionable default, but for sure there are reasons for this (maybe a thread in lkml archives could answer this question), reasons that I do not know.
>
> > Especially if nic2 would have a static ip and I would unplug nic2 on purpose.
>
> well that's the other scenario where I face the same problem, first guess is obvious MAC cache, and you tend to think that is fucked up, and no, it is this crossed arp answer.
>
> --
> Luciano

Hi Luciano and Jarek,

Thanks for all your help so far. I've had some tries on the box this weekend. Unfortunately it's not in the student complex anymore, but it will be very soon. So for now I've simulated the situation by connecting 2 nics to a switch and that switch to a router.

This is the script I used so far, no NAT rules yet because I have no extra computer to connect to the box. It's Jarek's script completed with some hints from Luciano:

ip route add default nexthop via x.x.x.x dev eth1 onlink \
                     nexthop via x.x.x.x dev eth2 onlink
ip route add 192.168.0.0/24 dev eth0 table 101
ip route add default via x.x.x.x dev eth1 table 101
ip route add 192.168.0.0/24 dev eth0 table 102
ip route add default via x.x.x.x dev eth2 table 102
ip rule add fwmark 1 table 101
ip rule add fwmark 2 table 102
iptables -t mangle -A POSTROUTING -o eth1 -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -o eth2 -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore

I am thinking whether it wouldn't be better to include a src = ipe1 in the "route add default" entries. Of course this would go wrong if I would receive a new ip from the isp on one of the nics. So if it's not needed then I would rather leave it out.

I've tested the script with

ip route get from IPE1 to 204.152.189.113
ip route get from IPE2 to 204.152.189.113

It does indeed answer with eth1 for the first and eth2 for the second. It didn't do this with my other attempts. I'm not sure if this is a really valid test though.

Regards,
Jacques
From ntdabrain at yahoo.com Mon Aug 21 15:07:05 2006
From: ntdabrain at yahoo.com (Ntanzi Carrilho) Date: Mon Aug 21 15:06:52 2006 Subject: [LARTC] XML input Message-ID: <20060821130705.44511.qmail@web35315.mail.mud.yahoo.com>

Hello! Is the traffic controller able to receive input in XML format?

Regards
Tanzi

From Покотиленко Mon Aug 21 15:23:35 2006
From: Покотиленко Date: Mon Aug 21 15:39:13 2006 Subject: [LARTC] Bonding + Shaping --> Is it Possible? In-Reply-To: <20060821120524.32825.qmail@web8512.mail.in.yahoo.com> References: <20060821120524.32825.qmail@web8512.mail.in.yahoo.com> Message-ID: <1156166615.32116.15.camel@localhost.localdomain>

I tried to do some iptables rules on bonded interfaces and that didn't work. I had to use "ebtables".

BTW, what kind of bonding do you use?

On Mon, 21/08/2006 at 13:05 +0100, KartheeK wrote:
> Hello All
>
> Anybody, any thoughts?
> Any kind of feedback or suggestion is welcome...
>
> KartheeK
>
> KartheeK wrote:
> Hello All,
>
> Has anybody of you worked on such a set up?
>
> KartheeK
>
> KartheeK wrote:
> Date: Thu, 17 Aug 2006 07:31:25 +0100 (BST)
> From: KartheeK
> To: lartc@mailman.ds9a.nl
> Subject: [LARTC] Bonding + Shaping --> Is it Possible?
>
> Hello All,
>
> I was curious to know if I can do traffic shaping on a bonded interface?
> Ex: I have two interfaces eth1 and eth2 which I have bonded together as
> bond0; now the question is, can I do shaping on eth1 and eth2?
>
> Thanks
> KartheeK
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From goran.raovic at gmail.com Mon Aug 21 17:37:01 2006
From: goran.raovic at gmail.com (Goran Raovic) Date: Mon Aug 21 17:36:45 2006 Subject: [LARTC] tc filter don't match packets Message-ID: <732234b80608210837q143b7c5ai5c7bad9297623a17@mail.gmail.com>

Hi,

I have a problem with this simple script:

#!/bin/bash
if [ "$1" == "del" ]; then
    tc qdisc del dev eth0 root handle 1: htb default 10
    exit
fi
tc qdisc add dev eth0 root handle 1: htb default 10
tc class add dev eth0 parent 1: classid 1:1 htb rate 800kbit ceil 900kbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 300kbit ceil 600kbit
tc class add dev eth0 parent 1:1 classid 1:11 htb rate 100kbit ceil 800kbit
tc qdisc add dev eth0 parent 1:11 handle 11: pfifo limit 5
tc filter add dev eth0 parent 1:11 protocol ip prio 1 u32 match ip dport 80 0xffff flowid 1:11

Unfortunately, when I start that script, tc filter doesn't match packets with dport 80!

Output of tc -s -d class show dev eth0 is:

class htb 1:11 parent 1:1 leaf 11: prio 0 quantum 1000 rate 10000bit ceil 100000bit burst 1605b/8 mpu 0b overhead 0b cburst 1650b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 1284000 ctokens: 132000

class htb 1:1 root rate 800000bit ceil 900000bit burst 2000b/8 mpu 0b overhead 0b cburst 2Kb/8 mpu 0b overhead 0b level 7
 Sent 320 bytes 5 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 19360 ctokens: 17654

class htb 1:10 parent 1:1 prio 0 quantum 3750 rate 300000bit ceil 600000bit burst 1749b/8 mpu 0b overhead 0b cburst 1899b/8 mpu 0b overhead 0b level 0
 Sent 320 bytes 5 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 5 borrowed: 0 giants: 0
 tokens: 44960 ctokens: 24480

I use SuSE 10.1 with 2.6.16. Have you any suggestion?
From jbold at inbox.lv Mon Aug 21 17:46:18 2006
From: jbold at inbox.lv (Jurijs Petrovs) Date: Mon Aug 21 17:46:02 2006 Subject: [LARTC] New hardware Message-ID: <1156175178.44e9d54a18bd1@www.inbox.lv>

Hi!

I want to upgrade the hardware on my router (iptables, htb, >1000 users). Now it is based on a usual desktop PC (Intel Prescott P4 3.00 GHz, 1 GB RAM). The reason for the hardware upgrade is the growing number of users; also we are planning to increase the upstream link from 100 Mbit/s to 1 Gbit/s. Iptables rules are now optimized with the ipset tool, and for tc I'm using hash tables as well. So I don't know how to increase the performance of my router without a hardware upgrade...

I'd appreciate it if someone gives me advice on what system shows the best performance:
1) Server based router (with dual core Xeon CPU)
2) Desktop based router (with newest Intel Core 2 Duo CPU)
3) what about AMD (I have no personal experience with them)?

As I know, 64-bit architecture in router specific tasks doesn't give any performance boost? Maybe there are some other nuances that I need to know (kernel hacking, hardware hints)?

I'm going to use a standard Intel E1000 NIC for the 1 Gbit/s line, is it a good choice?

Thanks in advance!

From marek at piasta.pl Mon Aug 21 18:16:12 2006
From: marek at piasta.pl (Marek Kierdelewicz) Date: Mon Aug 21 18:10:18 2006 Subject: [LARTC] New hardware In-Reply-To: <1156175178.44e9d54a18bd1@www.inbox.lv> References: <1156175178.44e9d54a18bd1@www.inbox.lv> Message-ID: <20060821181612.25e0d962@localhost.localdomain>

> Hi!

Hi

> reason of hardware upgrade is growing up number of users, also we are
> planning to increase upstream link from 100 Mbit/s to 1 Gbit/s.

If you want to move around 1 Gbit/s you need PCI-X or PCI-E network interfaces (the PCI bus would be a bottleneck).

> 1) Server based router (with dual core Xeon CPU)

I've been using for some time now a router with 2x single-core Xeon CPUs for servicing 2k+ users. It works well.

> 2) Desktop based router (with newest Intel Core 2 Duo CPU)

Didn't have the pleasure. I'd like to hear some opinions on that one too.

> 3) what about AMD (I have no personal experience with them)?

I'm trying to use an unorthodox hardware setup for a fast router:

Dual core AMD64
desktop motherboard with 2x PCIe x16 slots (SLI capable motherboard)
two PCIe x4 Intel E1000 Server network adapters

Preliminary tests look promising. The network adapters mentioned above should in theory do better than the previous PCI-X network adapters.

> As I know, 64-bit architecture in router specific tasks doesn't
> give any performance boost? Maybe there are some other nuances that I
> need to know (kernel hacking, hardware hints)?

I think 64-bit architectures can do much better than 32-bit ones... at least on a 64-bit kernel.

> I'm going to use standard Intel E1000 NIC for 1 Gbit/s speed
> line, is it a good choice?

Best choice as far as I know. Would anyone suggest something else?

Regards,
--
Marek Kierdelewicz
Kierownik Działu Systemów Sieciowych, KoBa
Manager of Network Systems Department, KoBa
tel. (85) 7406466; fax. (85) 7406467
e-mail: admin@koba.pl

From kartheekpn at yahoo.co.in Mon Aug 21 18:30:20 2006
From: kartheekpn at yahoo.co.in (KartheeK) Date: Mon Aug 21 18:30:11 2006 Subject: [LARTC] Bonding + Shaping --> Is it Possible? In-Reply-To: <1156166615.32116.15.camel@localhost.localdomain> Message-ID: <20060821163023.67172.qmail@web8510.mail.in.yahoo.com>

I have bonded two interfaces in mode 0 for load balancing and link sharing.
My understanding is that "traffic control" happens below bonding and hence this should be possible. I am currently short of lab equipment and am planning to try this some time this weekend...
I am curious about similar implementations and/or thoughts...

Покотиленко wrote:
> I tried to do some iptables rules on bonded interfaces and that didn't
> work. I had to use "ebtables".
>
> BTW, what kind of bonding do you use?
>
> On Mon, 21/08/2006 at 13:05 +0100, KartheeK wrote:
> > Hello All
> >
> > Anybody, any thoughts?
> > Any kind of feedback or suggestion is welcome...
> >
> > KartheeK
> >
> > KartheeK wrote:
> > Hello All,
> >
> > Has anybody of you worked on such a set up?
> >
> > KartheeK
> >
> > KartheeK wrote:
> > Date: Thu, 17 Aug 2006 07:31:25 +0100 (BST)
> > From: KartheeK
> > To: lartc@mailman.ds9a.nl
> > Subject: [LARTC] Bonding + Shaping --> Is it Possible?
> >
> > Hello All,
> >
> > I was curious to know if I can do traffic shaping on a bonded interface?
> > Ex: I have two interfaces eth1 and eth2 which I have bonded together as
> > bond0; now the question is, can I do shaping on eth1 and eth2?
> >
> > Thanks
> > KartheeK
From rdzil.sk.lartc at gmail.com Mon Aug 21 20:37:36 2006
From: rdzil.sk.lartc at gmail.com (Robo R0b0) Date: Mon Aug 21 20:37:19 2006 Subject: [LARTC] IFB - Download: 1xWAN (Internet) 2xLAN (local) Message-ID: <3245374a0608211137j629e1f24t6f9ef6625c561319@mail.gmail.com>

Hello,

I have eth0 (Internet) + eth1, eth2 (local). How do I use IFB in practice for shaping download, and how do I redirect traffic from eth0 to ifb0 with a "mark"? I am testing marking with iptables but no mark is working - it always uses the "default" mark...

Thanks

From asle at dod.no Mon Aug 21 22:39:48 2006
From: asle at dod.no (Asle Festø) Date: Mon Aug 21 22:39:36 2006 Subject: [LARTC] QoS on a bridge+NAT Message-ID:

I have a setup where I have three NICs in a Debian box. I have eth1 connected to the internet and eth0 NAT'ed to 192.168.1.1. eth1 and eth2 are bridged together, given IP 192.168.122.2.

What I want to achieve is to perform traffic shaping on the bridge as well as prioritizing the traffic from eth0 very low. (This is from the rental flat ...)

However it seems that I am unable to perform the traffic shaping from these two nets on eth1. Can somebody please help me? I am very new to traffic shaping but determined to learn ...

Where should the root qdisc be attached to be able to prioritize between the two NICs eth0 and eth2?

Asle

My files:

/etc/network/interfaces:

# The loopback network interface
auto lo
iface lo inet loopback

auto br0
iface br0 inet static
    address 192.168.122.2
    netmask 255.255.255.0
    gateway 192.168.122.1
    network 192.168.122.0
    broadcast 192.168.122.255
    pre-up /sbin/ip link set eth2 up
    pre-up /sbin/ip link set eth1 up
    pre-up /usr/sbin/brctl addbr br0
    pre-up /usr/sbin/brctl addif br0 eth2
    pre-up /usr/sbin/brctl addif br0 eth1

iface eth0 inet static
    address 192.168.1.1
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255

My shaper script:

#!/bin/bash
# Wonder Shaper
# please read the README before filling out these values
#
# Set the following values to somewhat less than your actual download
# and uplink speed. In kilobits. Also set the device that is to be shaped.
DOWNLINK=3400
UPLINK=350
DEV=eth1

# Speed for eth0
DOWNLINK2=60
UPLINK2=600
DEV2=eth0

# low priority OUTGOING traffic - you can leave this blank if you want
# low priority source netmasks
NOPRIOHOSTSRC=192.168.1.0/24
# low priority destination netmasks
NOPRIOHOSTDST=192.168.1.0/24

#########################################################

if [ "$1" = "status" ]
then
    tc -s qdisc ls dev $DEV
    tc -s qdisc ls dev $DEV2
    tc -s class ls dev $DEV
    tc -s class ls dev $DEV2
    exit
fi

# clean existing down- and uplink qdiscs, hide errors
tc qdisc del dev $DEV root 2> /dev/null > /dev/null
tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null
tc qdisc del dev $DEV2 root 2> /dev/null > /dev/null
tc qdisc del dev $DEV2 ingress 2> /dev/null > /dev/null

#### Downlink/Uplink eth0 #######
# Rate limit single host
# Out of eth0
#tc qdisc add dev $DEV2 handle 2: root tbf rate ${DOWNLINK2}kbit \
#    latency 50ms burst 1540
# Into eth0
#tc qdisc add dev $DEV2 ingress
#tc filter add dev $DEV2 parent ffff: protocol ip prio 50 u32 match ip src \
#    192.168.1.0/24 police rate ${UPLINK2}kbit burst 5k drop flowid :1

###### uplink

# install root CBQ
tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 10mbit

# shape everything at $UPLINK speed - this prevents huge queues in your
# DSL modem which destroy latency:
# main class
tc class add dev $DEV parent 1: classid 1:1 cbq rate ${UPLINK}kbit \
    allot 1500 prio 5 bounded isolated

# high prio class 1:10:
tc class add dev $DEV parent 1:1 classid 1:10 cbq rate ${UPLINK}kbit \
    allot 1600 prio 1 avpkt 1000

# bulk and default class 1:20 - gets slightly less traffic,
# and a lower priority:
tc class add dev $DEV parent 1:1 classid 1:20 cbq rate $[9*$UPLINK/10]kbit \
    allot 1600 prio 2 avpkt 1000

# 'traffic we hate'
tc class add dev $DEV parent 1:1 classid 1:30 cbq rate $[8*$UPLINK/10]kbit \
    allot 1600 prio 2 avpkt 1000

# all get Stochastic Fairness:
tc qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev $DEV parent 1:30 handle 30: sfq perturb 10

# start filters
# TOS Minimum Delay (ssh, NOT scp) in 1:10:
tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
    match ip tos 0x10 0xff flowid 1:10

# ICMP (ip protocol 1) in the interactive class 1:10 so we
# can do measurements & impress our friends:
tc filter add dev $DEV parent 1:0 protocol ip prio 11 u32 \
    match ip protocol 1 0xff flowid 1:10

# prioritize small packets (<64 bytes)
tc filter add dev $DEV parent 1: protocol ip prio 12 u32 \
    match ip protocol 6 0xff \
    match u8 0x05 0x0f at 0 \
    match u16 0x0000 0xffc0 at 2 \
    flowid 1:10

# Low prio for rental flat
tc filter add dev $DEV parent 1: protocol ip prio 16 u32 \
    match ip src 192.168.1.0/24 flowid 1:30
tc filter add dev $DEV parent 1: protocol ip prio 17 u32 \
    match ip dst 192.168.1.0/24 flowid 1:30

# rest is 'non-interactive' ie 'bulk' and ends up in 1:20
tc filter add dev $DEV parent 1: protocol ip prio 18 u32 \
    match ip dst 0.0.0.0/0 flowid 1:20

########## downlink main #############
# slow downloads down to somewhat less than the real speed to prevent
# queuing at our ISP. Tune to see how high you can set it.
# ISPs tend to have *huge* queues to make sure big downloads are fast
#
# attach ingress policer:
tc qdisc add dev $DEV handle ffff: ingress

# filter *everything* to it (0.0.0.0/0), drop everything that's
# coming in too fast:
tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
    0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1

From smohan at gmail.com Tue Aug 22 04:09:24 2006
From: smohan at gmail.com (Mohan Sundaram) Date: Tue Aug 22 04:09:49 2006 Subject: [LARTC] New hardware In-Reply-To: <20060821181612.25e0d962@localhost.localdomain> References: <1156175178.44e9d54a18bd1@www.inbox.lv> <20060821181612.25e0d962@localhost.localdomain> Message-ID: <44EA6754.6000909@vsnl.com>

I used a SunFire x2100 which has a 2 GHz Opteron and a PCI Express slot into which I plugged a dual port GigE Intel PCI Express card. Got a raw forwarding performance of 800 Kpps for 64 B packets. This beat a Cisco 3845 which gave 600 Kpps. Raw forwarding is one measure though it is not the end-all.

Mohan

Marek Kierdelewicz wrote:
>> Hi!
>
> Hi
>
>> reason of hardware upgrade is growing up number of users, also we are
>> planning to increase upstream link from 100 Mbit/s to 1 Gbit/s.
>
> If you want to move around 1 Gbit/s you need PCI-X or PCI-E network
> interfaces (the PCI bus would be a bottleneck).
>
>> 1) Server based router (with dual core Xeon CPU)
>
> I've been using for some time now a router with 2x single-core Xeon CPUs
> for servicing 2k+ users. It works well.
>
>> 2) Desktop based router (with newest Intel Core 2 Duo CPU)
>
> Didn't have the pleasure. I'd like to hear some opinions on that one too.
>
>> 3) what about AMD (I have no personal experience with them)?
>
> I'm trying to use an unorthodox hardware setup for a fast router:
>
> Dual core AMD64
> desktop motherboard with 2x PCIe x16 slots (SLI capable motherboard)
> two PCIe x4 Intel E1000 Server network adapters
>
> Preliminary tests look promising. The network adapters mentioned above
> should in theory do better than the previous PCI-X network adapters.
>
>> As I know, 64-bit architecture in router specific tasks doesn't
>> give any performance boost? Maybe there are some other nuances that I
>> need to know (kernel hacking, hardware hints)?
>
> I think 64-bit architectures can do much better than 32-bit ones... at
> least on a 64-bit kernel.
>
>> I'm going to use standard Intel E1000 NIC for 1 Gbit/s speed
>> line, is it a good choice?
>
> Best choice as far as I know. Would anyone suggest something else?
>
> Regards,

From araul at adonet.ro Tue Aug 22 07:27:31 2006
From: araul at adonet.ro (Adorean Alexandru Raul) Date: Tue Aug 22 07:20:59 2006 Subject: [LARTC] htb prioritise trafic Message-ID: <44EA95C3.2090100@adonet.ro>

I have a router with about 300 clients connecting to it. It has htb with a class per client.

I want to create a script to prioritise www traffic and ssh traffic over p2p traffic....

This is a sample of what I have now:

/sbin/tc class add dev eth0 parent 1:5 classid 1:8012 htb rate 35Kbit ceil 281Kbit prio 6
/sbin/tc qdisc add dev eth0 parent 1:8012 handle 8012 sfq perturb 8
/sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip src 81.181.180.21 classid 1:8012

/sbin/tc class add dev eth1 parent 1:5 classid 1:8012 htb rate 35Kbit ceil 281Kbit prio 6
/sbin/tc qdisc add dev eth1 parent 1:8012 handle 8012 sfq perturb 8
/sbin/tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32 match ip dst 81.181.180.21 classid 1:8012

This is one client.

I found something on wiki.lug.ro but I could not adapt it to my needs.

Thank you for your time.

From Покотиленко Tue Aug 22 09:55:02 2006
From: Покотиленко Date: Tue Aug 22 09:55:46 2006 Subject: [LARTC] Bonding + Shaping --> Is it Possible? In-Reply-To: <20060821163023.67172.qmail@web8510.mail.in.yahoo.com> References: <20060821163023.67172.qmail@web8510.mail.in.yahoo.com> Message-ID: <1156233302.8448.2.camel@localhost.localdomain>

So there is no difference between bonded interfaces. I mean that the same traffic goes on both. In this case you can do shaping on your bond0 interface. This will work.

Well, if the interface that looks to the clients is bond0, and the interface that looks to the Internet is eth0, then you do shaping of incoming traffic on bond0 and shaping of outgoing traffic on eth0.

On Mon, 21/08/2006 at 17:30 +0100, KartheeK wrote:
> I have bonded two interfaces in mode 0 for load balancing and link
> sharing.
> My understanding is that "traffic control" happens below bonding and
> hence this should be possible. I am currently short of lab equipment
> and am planning to try this some time this weekend...
> I am curious about similar implementations and/or thoughts...
>
> Покотиленко wrote:
> > I tried to do some iptables rules on bonded interfaces and that didn't
> > work. I had to use "ebtables".
> >
> > BTW, what kind of bonding do you use?
> >
> > On Mon, 21/08/2006 at 13:05 +0100, KartheeK wrote:
> > > Hello All
> > >
> > > Anybody, any thoughts?
> > > Any kind of feedback or suggestion is welcome...
> > >
> > > KartheeK
> > >
> > > KartheeK wrote:
> > > Hello All,
> > >
> > > Has anybody of you worked on such a set up?
> > >
> > > KartheeK
> > >
> > > KartheeK wrote:
> > > Date: Thu, 17 Aug 2006 07:31:25 +0100 (BST)
> > > From: KartheeK
> > > To: lartc@mailman.ds9a.nl
> > > Subject: [LARTC] Bonding + Shaping --> Is it Possible?
> > >
> > > Hello All,
> > >
> > > I was curious to know if I can do traffic shaping on a bonded interface?
> > > Ex: I have two interfaces eth1 and eth2 which I have bonded together as
> > > bond0; now the question is, can I do shaping on eth1 and eth2?
> > >
> > > Thanks
> > > KartheeK

From e.janz at barceloviajes.com Tue Aug 22 10:34:21 2006
From: e.janz at barceloviajes.com (e.janz@barceloviajes.com) Date: Tue Aug 22 10:34:35 2006 Subject: [LARTC] tc filter don't match packets In-Reply-To: <732234b80608210837q143b7c5ai5c7bad9297623a17@mail.gmail.com> Message-ID:

Hi,

in this simple case you must attach the filter to the root:

[...]
> tc qdisc add dev eth0 root handle 1: htb default 10
[...]
> tc filter add dev eth0 parent 1:11 protocol ip prio 1 u32 match ip
> dport 80 0xffff flowid 1:11
[...]

Should be:

tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dport 80 0xffff flowid 1:11

The traffic gets enqueued traversing the filters attached to each node, but starting at the root node. You must provide a way to arrive at a leaf. In man tc-htb it says:

"When enqueueing a packet, HTB starts at the root and uses various methods to determine which class should receive the data. In the absence of uncommon configuration options, the process is rather easy. At each node we look for an instruction, and then go to the class the instruction refers us to. If the class found is a barren leaf-node (without children), we enqueue the packet there. If it is not yet a leaf node, we do the whole thing over again starting from that node.

The following actions are performed, in order at each node we visit, until one sends us to another node, or terminates the process.

(i) Consult filters attached to the class. If sent to a leafnode, we are done. Otherwise, restart.

(ii) If none of the above returned with an instruction, enqueue at this node.

This algorithm makes sure that a packet always ends up somewhere, even while you are busy building your configuration."

In your case, the packets arrive at the root node to get enqueued but, since there is no filter attached there, they go to the default class 1:10.

I hope this helps,

Regards,
Eric Janz
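An added example that puts Eric's answer into a script; it is not code from Goran's or Eric's messages. It rebuilds Goran's tree with the port-80 filter attached to the root qdisc (parent 1:0) and adds the check a practitioner wants before blaming the filter: read the counters from "tc -s class show" and list the classes that have received no packets. That is exactly how the misplaced filter shows up in Goran's output above (1:11 at 0 pkt while the default 1:10 took all 5 packets). The same counters also show 1:11 with rate 10000bit ceil 100000bit rather than the 100kbit/800kbit the script asks for, so the parser prints the configured rate next to the packet count to make such a mismatch visible. The device name eth0, the rates and the sample counters come from the thread; the TC variable, the dry run with TC=echo, the function names and the command-line switches are my assumptions, and sample_output is Goran's posted output reproduced as constructed test input.

```shell
#!/bin/sh
# Added example, not from the thread: HTB tree with the u32 filter attached
# to the root qdisc (parent 1:0), plus a check of per-class counters.
# Assumptions: shaped device eth0 (as in the thread); TC names the tc binary
# and can be set to "echo" to print the commands instead of applying them.

TC="${TC:-tc}"
DEV="${DEV:-eth0}"

# Build the hierarchy. HTB classification starts at the root qdisc and the
# default class 1:10 is a leaf, so a filter hanging off 1:11 is never
# consulted: the filter must be attached to 1:0 to steer port 80 into 1:11.
setup_htb() {
    "$TC" qdisc del dev "$DEV" root 2>/dev/null
    "$TC" qdisc add dev "$DEV" root handle 1: htb default 10
    "$TC" class add dev "$DEV" parent 1: classid 1:1 htb rate 800kbit ceil 900kbit
    "$TC" class add dev "$DEV" parent 1:1 classid 1:10 htb rate 300kbit ceil 600kbit
    "$TC" class add dev "$DEV" parent 1:1 classid 1:11 htb rate 100kbit ceil 800kbit
    "$TC" qdisc add dev "$DEV" parent 1:11 handle 11: pfifo limit 5
    "$TC" filter add dev "$DEV" parent 1:0 protocol ip prio 1 u32 \
        match ip dport 80 0xffff flowid 1:11
}

# Read "tc -s class show dev $DEV" output on stdin and print one line per
# class: "<classid> <packets sent> <configured rate>". The rate column lets
# you spot a tree that does not match your script (the thread's output shows
# 1:11 at 10000bit although the script asks for 100kbit).
class_packet_counts() {
    awk '
        /^class htb/ {
            cls = $3; rate = "?"
            for (i = 1; i <= NF; i++) if ($i == "rate") rate = $(i + 1)
        }
        /^[ \t]*Sent [0-9]+ bytes/ { print cls, $4, rate }
    '
}

# Classes whose packet counter is still 0. After some port-80 traffic has
# flowed, 1:11 appearing here means no filter is classifying into it.
idle_classes() {
    class_packet_counts | awk '$2 == 0 { print $1 }'
}

# The counters Goran posted, reproduced here as constructed test input.
sample_output() {
    cat <<'EOF'
class htb 1:11 parent 1:1 leaf 11: prio 0 quantum 1000 rate 10000bit ceil 100000bit burst 1605b/8 mpu 0b overhead 0b cburst 1650b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 1284000 ctokens: 132000

class htb 1:1 root rate 800000bit ceil 900000bit burst 2000b/8 mpu 0b overhead 0b cburst 2Kb/8 mpu 0b overhead 0b level 7
 Sent 320 bytes 5 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 19360 ctokens: 17654

class htb 1:10 parent 1:1 prio 0 quantum 3750 rate 300000bit ceil 600000bit burst 1749b/8 mpu 0b overhead 0b cburst 1899b/8 mpu 0b overhead 0b level 0
 Sent 320 bytes 5 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 5 borrowed: 0 giants: 0
 tokens: 44960 ctokens: 24480
EOF
}

# Usage (switches are this example's own):
#   sh htb-filter-check.sh apply                          build the tree (root)
#   TC=echo sh htb-filter-check.sh apply                  print the tc commands
#   tc -s class show dev eth0 | sh htb-filter-check.sh check   list idle classes
#   HTB_DEMO=1 sh htb-filter-check.sh                     run the check on the sample
case "${1:-}" in
    apply) setup_htb ;;
    check) idle_classes ;;
esac
if [ -n "${HTB_DEMO:-}" ]; then sample_output | idle_classes; fi
```

Run the check only after sending some traffic to port 80: a freshly built tree shows every class at 0 packets, which says nothing about the filter. With the corrected filter the next "tc -s class show dev eth0" should show 1:11 counting packets and 1:10 taking only the non-port-80 rest.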
From luciano at lugmen.org.ar Tue Aug 22 19:23:30 2006
From: luciano at lugmen.org.ar (Luciano Ruete) Date: Tue Aug 22 22:58:56 2006 Subject: [LARTC] htb prioritise trafic In-Reply-To: <44EA95C3.2090100@adonet.ro> References: <44EA95C3.2090100@adonet.ro> Message-ID: <200608221423.30358.luciano@lugmen.org.ar>

On Tuesday 22 August 2006 02:27, Adorean Alexandru Raul wrote:
> I have a router with about 300 clients connecting to it. It has htb with
> a class per client.
>
> I want to create a script to prioritise www traffic and ssh traffic over
> p2p traffic....
>
> this is a sample of what I have now:
>
> /sbin/tc class add dev eth0 parent 1:5 classid 1:8012 htb rate 35Kbit
> ceil 281Kbit prio 6
> /sbin/tc qdisc add dev eth0 parent 1:8012 handle 8012 sfq perturb 8
> /sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip
> src 81.181.180.21 classid 1:8012
>
> /sbin/tc class add dev eth1 parent 1:5 classid 1:8012 htb rate 35Kbit
> ceil 281Kbit prio 6
> /sbin/tc qdisc add dev eth1 parent 1:8012 handle 8012 sfq perturb 8
> /sbin/tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32 match ip
> dst 81.181.180.21 classid 1:8012
>
> this is one client.
>
> I found something on wiki.lug.ro but I could not adapt it to my needs.
>
> Thank you for your time.

htb-gen[1] does exactly that, on a per-client basis, and you can customize what is prio and what is not. And of course all gets automated.

[1] http://freshmeat.net/projects/htb-gen/

PS: There is a new version coming (with lots of improvements)... but in a few weeks.

--
Luciano

From hijacker at oldum.net Tue Aug 22 21:27:22 2006
From: hijacker at oldum.net (Nikolay Kichukov) Date: Tue Aug 22 22:59:10 2006 Subject: [LARTC] How to bypass traffic control for one IP In-Reply-To: <5641-83855@sneakemail.com> References: <28632-76882@sneakemail.com> <016d01c6c1e8$630f5340$0600a8c0@hpa> <5056-98503@sneakemail.com> <1155896549.3702.4.camel@ccja.localhost> <23741-26129@sneakemail.com> <1155909150.4496.10.camel@ccja.localhost> <7344-83645@sneakemail.com> <008b01c6c39a$cb8f8bc0$0600a8c0@hpa> <5641-83855@sneakemail.com> Message-ID: <1156274843.3007.4.camel@ccja.localhost>

And you did not read my example at all.

tc qdisc add dev eth1 root handle 1: htb default 1
tc class add dev eth1 parent 1: classid 1:1 htb rate 4080kb ceil 4080kb
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 4000kb ceil 4000kb prio 1
tc class add dev eth1 parent 1:1 classid 1:11 htb rate 80kb ceil 80kb prio 2

and match the packets (with filters) with destination to the adsl to class 1:10 and all the rest to class 1:11.

I do not know if that will work, but at least you can give it a try and then confirm if it is actually working or not working, so someone else on the list can give you another hint...

-nik

On Mon, 2006-08-21 at 09:47 +0200, Yves BLUSSEAU wrote:
> Thanks nik
>
> BUT, I know how the class and filter work and in your example you don't
> take my problem into account because I need an unlimited class rate (or
> at least 4Mbits) and a limited class rate for internet (80kb for example).
> Can you rewrite your example with this parameter?
>
> Thanks in advance!
>
> Yves
>
> ----- Original Message -----
> From: "nikolay hijacker-at-oldum.net |Linux Advanced Routing & Traffic
> Control project/1.0-Allow|" <...>
> To: <..................>
> Cc:
> Sent: Saturday, August 19, 2006 4:21 PM
> Subject: Re: [LARTC] How to bypass traffic control for one IP
>
> Sure, I'll write an example.
> It all depends on the ceil parameter on the class.
> So if the class for the internet is 80kbps, then you will have rate 80kb
> ceil 80kb, thus this class will not be able to borrow bandwidth from the
> class above it.
>
> example:
>
> tc qdisc add dev eth1 root handle 1: htb default 11
> tc class add dev eth1 parent 1: classid 1:1 htb rate 48kb ceil 48kb
> tc class add dev eth1 parent 1:1 classid 1:10 htb rate 40kb ceil 40kb prio 1
> tc class add dev eth1 parent 1:1 classid 1:11 htb rate 8kb ceil 8kb prio 2
>
> What's next is to match the right packets into the right classes using
> filters.
>
> Let me know if that helps.
>
> btw eth1 will be the interface that is connected to the adsl router.
>
> and 48kbps is just an example, feel free to adjust those values.
>
> -nik
>
> ----- Original Message -----
> From: "Yves ........" <2z7mbt002@sneakemail.com>
> To:
> Sent: Friday, August 18, 2006 5:05 PM
> Subject: Re: [LARTC] How to bypass traffic control for one IP
>
> > Thx nik,
> >
> > but what I don't understand is that if there is no traffic to the first
> > class (4Mbit traffic) other classes can borrow capacity from the first
> > one. So the traffic to internet is not limited to 80ko/s?
> > If I'm wrong, can you write an example?
> >
> > Thanks in advance,
> > Yves
> >
> > ----- Original Message -----
> > From: "Nikolay Kichukov hijacker-at-oldum.net |Linux Advanced Routing &
> > Traffic Control project/1.0-Allow|" <...>
> > To: <..................>
> > Cc:
> > Sent: Friday, August 18, 2006 3:52 PM
> > Subject: Re: [LARTC] How to bypass traffic control for one IP
> >
> > Okay,
> > the following may or may not work:
> >
> > on the interface of the router that is connected to the adsl add an
> > egress HTB qdisc.
> >
> > Then add classes accordingly. The first one with highest priority will
> > be for the 4Mbit traffic.
> > The classes after this one will depend on your liking.
> >
> > Add some tc filters. The first one will match if dst ip is $IP_OF_ADSL
> > or dst port is $THE_BROADCAST_PORT_OF_THE_ADSL and it will use the htb
> > class with highest priority.
> >
> > Packets not having the adsl as destination will be matched in the
> > filters afterwards, thus shaped and so on.
> >
> > However, I am not sure if all of the packets will not go under that htb
> > class, because in their destination header they all have the adsl IP
> > (the default gateway).
> >
> > Maybe someone on the list will enlighten me on that topic.
> >
> > -nik
> >
> > On Fri, 2006-08-18 at 12:47 +0200, Yves ........ wrote:
> >> The adsl modem has two functions: it gives me access to internet (max
> >> 80ko/s upload) and it is used to broadcast a video stream at more than
> >> 4Mo/s. I can't manage the modem.
> >> My PC, the firewall and the modem are locally connected at 100Mbits Full
> >> Duplex.
> >> Like I said, I want to shape the upload to internet and only to internet.
> >> So do you know a good configuration to shape all but not the traffic
> >> directly sent to the modem (to its IP)?
> >>
> >> Yves
> >>
> >> ----- Original Message -----
> >> From: "Nikolay Kichukov hijacker-at-oldum.net |Linux Advanced Routing &
> >> Traffic Control project/1.0-Allow|" <...>
> >> To: <..................>
> >> Sent: Friday, August 18, 2006 12:22 PM
> >> Subject: Re: [LARTC] How to bypass traffic control for one IP
> >>
> >> You surely do need to send the video stream at full speed, but what is
> >> the point of doing so if the adsl modem (router) will still shape the
> >> upload at the speed that your ISP gives to you?
> >>
> >> That will only saturate the link.
> >>
> >> -nik
> >>
> >> On Thu, 2006-08-17 at 21:05 +0200, Yves ........ wrote:
> >> > Because my adsl modem is also a router and it is used to send
> >> > broadcast video to another network and so I need to send the video
> >> > stream at full speed to the modem.
> >> > ----- Original Message -----
> >> > From: "nikolay hijacker-at-oldum.net |Linux Advanced Routing & Traffic
> >> > Control project/1.0-Allow|" <...>
> >> > To: <..................>
> >> > Sent: Thursday, August 17, 2006 12:32 PM
> >> > Subject: Re: [LARTC] How to bypass traffic control for one IP
> >> >
> >> > > why would you want to "access" the adsl modem at 100Mbps?
> >> > >
> >> > > What is the speed your ISP provides to the adsl modem?
> >> > >
> >> > > -nik
> >> > > ----- Original Message -----
> >> > > From: "Yves ........" <2z7mbt002@sneakemail.com>
> >> > > To:
> >> > > Sent: Wednesday, August 16, 2006 6:16 PM
> >> > > Subject: [LARTC] How to bypass traffic control for one IP
> >> > >
> >> > > Hi all,
> >> > >
> >> > > I have a problem: I have an adsl modem that is connected to internet.
> >> > > I can't manage this modem.
> >> > > Between my PC and the modem I have a linux firewall that does the NAT
> >> > > and the traffic shaping.
> >> > > I have created a script that limits the bandwidth of the "external"
> >> > > interface of the firewall so I can manage my bandwidth for my internet
> >> > > applications.
> >> > > The problem is that I need to access the adsl modem at full bandwidth
> >> > > (100mbits) from my PC (through the linux firewall).
> >> > > So I need a configuration where all the internet IPs are limited by
> >> > > the traffic control and where the IP of the modem is not slowed down
> >> > > by traffic shaping.
> >> > >
> >> > > Who has an idea for such a configuration?
> >> > >
> >> > > Thanks in advance.
> >> > >
> >> > > Yves
> >> > >
> >> > > _______________________________________________
> >> > > LARTC mailing list
> >> > > LARTC@mailman.ds9a.nl
> >> > > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From marek at piasta.pl Wed Aug 23 09:51:41 2006
From: marek at piasta.pl (Marek Kierdelewicz)
Date: Wed Aug 23 09:45:37 2006
Subject: [LARTC] New hardware
In-Reply-To: <44EA6754.6000909@vsnl.com>
References: <1156175178.44e9d54a18bd1@www.inbox.lv> <20060821181612.25e0d962@localhost.localdomain> <44EA6754.6000909@vsnl.com>
Message-ID: <20060823095141.4eedcc80@localhost.localdomain>

Hi there,

> I used a SunFire x2100 which has 2 Ghz Opteron and PCI-Xpress slot
> into which I plugged in a dual port gigE Intel PCI-Xpress card.

What was the software configuration of this host? What kernel have you used for the test (compiled for x86 or amd64; dual-core aware scheduler or not).

Out of curiosity ... does a dual port nic generate one interrupt, or two, one per port? I assume the first is more probable. This leads to another question - has the interrupt been balanced between cores?

> Got a raw forwarding performance of 800Kpps for 64B packets. This
> beat a CISCO 3845 which gave 600Kpps.

Thanks for the input :).

Right now my production border router (BGP+some firewall rules+some QoS, vlans @ P4 3GHz Linux 2.6, 2xBroadcom PCI-X, 1xIntel E1000 PCI-X) is 91% saturated (CPU) at peak hours and during that time it forwards 344,8Kpps with avg. packet size 69 bytes. I'll try to determine raw forwarding performance when the box goes out of the production env, so we'll have a clear comparison picture.

regards,
--
Marek Kierdelewicz
Kierownik Działu Systemów Sieciowych, KoBa
Manager of Network Systems Department, KoBa
tel. (85) 7406466; fax. (85) 7406467
e-mail: admin@koba.pl

From smohan at gmail.com Wed Aug 23 10:05:53 2006
From: smohan at gmail.com (Mohan Sundaram) Date: Wed Aug 23 10:05:47 2006 Subject: [LARTC] New hardware In-Reply-To: <20060823095141.4eedcc80@localhost.localdomain> References: <1156175178.44e9d54a18bd1@www.inbox.lv> <44EA6754.6000909@vsnl.com> <20060823095141.4eedcc80@localhost.localdomain> Message-ID: <44EC0C61.7010505@vsnl.com> Marek Kierdelewicz wrote: > Hi there, > >> I used a SunFire x2100 which has 2 Ghz Opteron and PCI-Xpress slot >> into which I plugged in a dual port gigE Intel PCI-Xpress card. > > What was the software configuration of this host? What kernel > have you used for the test (compiled for x86 or amd64; dual-core > aware sheduler or not). > stock x86 32 bit kernel 2.4.20. No dual core optimisations. > Out of the curiosity ... dual port nic generates one interrupt or two > per port? I asume the first is more probable. This leads to another > question - has interrupt been balanced between cores? I'm unaware of how it was configured. > >> Got a raw forwarding performance of 800Kpps for 64B packets. This >> beat a CISCO 3845 which gave 600Kpps. > > Thanks for the input :). > > Right now my production border router (BGP+some firewall rules+some QoS, > vlans @ P4 3GHz Linux 2.6, 2xBroadcom PCI-X, 1xIntel E1000 PCI-X) is 91% > saturated (CPU) at peek hours and during the time it forwards 344,8Kpps > with avg. packet sized 69 bytes. > The Opteron was 100% utilised at 800Kpps for 64B pkts. I could do bi-directional line rate on gigE for 512/1500B pkts (approx 500/164Kpps) with 65%/25% cpu utilisation > I'll try to determine raw forwarding performance when box goes out > of production env, so we'll have a clear comparison picture. > > regards, From smohan at gmail.com Wed Aug 23 10:09:19 2006 
From: smohan at gmail.com (Mohan Sundaram) Date: Wed Aug 23 10:09:19 2006 Subject: [LARTC] New hardware In-Reply-To: <20060823095141.4eedcc80@localhost.localdomain> References: <1156175178.44e9d54a18bd1@www.inbox.lv> <44EA6754.6000909@vsnl.com> <20060823095141.4eedcc80@localhost.localdomain> Message-ID: <44EC0D2F.7050306@vsnl.com> Marek Kierdelewicz wrote: > Hi there, > >> I used a SunFire x2100 which has 2 Ghz Opteron and PCI-Xpress slot >> into which I plugged in a dual port gigE Intel PCI-Xpress card. > > What was the software configuration of this host? What kernel > have you used for the test (compiled for x86 or amd64; dual-core > aware sheduler or not). > > Out of the curiosity ... dual port nic generates one interrupt or two > per port? I asume the first is more probable. This leads to another > question - has interrupt been balanced between cores? > >> Got a raw forwarding performance of 800Kpps for 64B packets. This >> beat a CISCO 3845 which gave 600Kpps. > > Thanks for the input :). > > Right now my production border router (BGP+some firewall rules+some QoS, > vlans @ P4 3GHz Linux 2.6, 2xBroadcom PCI-X, 1xIntel E1000 PCI-X) is 91% > saturated (CPU) at peek hours and during the time it forwards 344,8Kpps > with avg. packet sized 69 bytes. > > I'll try to determine raw forwarding performance when box goes out > of production env, so we'll have a clear comparison picture. > > regards, The beauty was the price. $725 for the SUN hardware and $200 for the NIC card. The CISCO 3845 would cost 9K street minimum. Mohan From sawar at interia.pl Thu Aug 24 00:31:58 2006 
From: sawar at interia.pl (Szymon Mroofka)
Date: Thu Aug 24 00:32:58 2006
Subject: [LARTC] How to select Skype traffic??
Message-ID: <200608240031.58999.sawar@interia.pl>

Hi,

I have a simple question about Skype. What are the methods of selecting packets which belong to Skype??
I know about 7layer but I don't believe that is the only way.
Is 7layer really a good and stable solution for routers which must handle more than 1000 users ?

Thanks in advance

Regards
Szymon Turkiewicz

From nnn at vsu.by Thu Aug 24 08:03:12 2006
From: nnn at vsu.by (Nikolay Nikolaev)
Date: Thu Aug 24 08:02:54 2006
Subject: [LARTC] Layer-7 don't work
In-Reply-To: <200608240031.58999.sawar@interia.pl>
References: <200608240031.58999.sawar@interia.pl>
Message-ID: <44ED4120.3040404@vsu.by>

Szymon Mroofka wrote:
> Hi,
>
> I have a simple question about Skype. What are the methods of selecting packets
> which belong to Skype??
> I know about 7layer but I don't believe that is the only way.
> Is 7layer really a good and stable solution for routers which must handle more
> than 1000 users ?
>

Hi everybody!

I use the Layer-7 filter to hook packets like this :

$ipt -t mangle -N SKYPE
$ipt -t mangle -A SKYPE -j MARK --set-mark 41
$ipt -t mangle -A SKYPE -j LOG --log-prefix "IPT. SKYPE: " --log-ip-options
$ipt -t mangle -A SKYPE -j IMQ
....
....
....
$ipt -t mangle -A PREROUTING -m layer7 --l7dir /etc/l7-protocols --l7proto dns -j DNS
...
$ipt -t mangle -A PREROUTING -m layer7 --l7dir /etc/l7-protocols --l7proto skypetoskype -j SKYPE
...
$ipt -t mangle -A PREROUTING -j OTHER

iptables -t mangle -L PREROUTING -n -v shows it's correct, but I look in the LOG and see this:

Aug 23 10:57:16 gate kernel: IPT. SKYPE: IN=eth0 OUT= MAC=xx:xx:...xx SRC=10.10.0.114 DST=10.10.0.1 LEN=140 TOS=0x04 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=162 DPT=162 LEN=120

etc...

grep 162 /etc/services
snmp-trap 162/tcp snmptrap # Traps for SNMP
snmp-trap 162/udp snmptrap # Traps for SNMP

it's not SKYPE, i think .... is it normal?

my kernel 2.6.15, iptables v 1.3.5 all patched, all modules are loaded.

thx.

From alijawad1 at gmail.com Thu Aug 24 11:16:25 2006
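The log line above shows a layer7 `skypetoskype` hit whose ports are in fact SNMP traps (162/udp); as Jason Boxman notes later in the thread, the L7 patterns are heuristics and will misfire. A cheap way to catch such misfires before the MARK/IMQ actions act on them is to parse the LOG output and cross-check the ports against a service table. The script below is an added example (Python, not code from the LARTC thread or from the l7-filter project): `parse_iptables_log` splits the kernel line into its KEY=VALUE fields, keeping both LEN= values (the IP total length and the UDP/TCP length, which the kernel prints under the same key), and `audit` flags hits whose ports belong to a well-known service. The service table is a constructed subset of /etc/services, the first sample line is the one quoted in the message, and the second is constructed.

```python
"""Audit iptables LOG lines produced by a layer7 match chain.

Added example for the thread above, not code from the LARTC list or the
l7-filter project. It parses the kernel's KEY=VALUE log format and flags
"Skype" hits whose ports actually belong to a well-known service, which is
the check that exposes the SNMP-trap traffic tagged as skypetoskype above.
"""

# Constructed subset of /etc/services: (protocol, port) -> service name.
# A production audit would read the real file instead of this table.
KNOWN_SERVICES = {
    ("udp", 53): "domain",
    ("tcp", 53): "domain",
    ("udp", 162): "snmp-trap",
    ("tcp", 162): "snmp-trap",
    ("tcp", 80): "http",
    ("tcp", 443): "https",
}

# First line is the one quoted in the message (MAC elided there as well);
# second line is constructed to look like a genuine peer-to-peer flow.
SAMPLE_LOG_LINES = [
    "Aug 23 10:57:16 gate kernel: IPT. SKYPE: IN=eth0 OUT= MAC=xx:xx:...xx "
    "SRC=10.10.0.114 DST=10.10.0.1 LEN=140 TOS=0x04 PREC=0x00 TTL=64 ID=0 "
    "PROTO=UDP SPT=162 DPT=162 LEN=120",
    "Aug 23 10:58:02 gate kernel: IPT. SKYPE: IN=eth0 OUT= MAC=xx:xx:...xx "
    "SRC=10.10.0.57 DST=198.51.100.23 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=4711 "
    "PROTO=UDP SPT=51243 DPT=33033 LEN=51",
]


def parse_iptables_log(line):
    """Split one iptables LOG line into (prefix, fields).

    Returns None for lines that are not iptables LOG output. Valueless
    flags such as DF or SYN are stored as True. The kernel prints the IP
    total length and the transport-layer length both as LEN=, so the
    second occurrence of a key is stored under KEY_L4.
    """
    _, sep, rest = line.partition("kernel: ")
    if not sep:
        return None
    start = rest.find("IN=")
    if start < 0:
        return None
    prefix = rest[:start].rstrip(": ")   # the --log-prefix text, e.g. "IPT. SKYPE"
    fields = {}
    for token in rest[start:].split():
        key, eq, value = token.partition("=")
        if not eq:
            fields[token] = True
            continue
        if key in fields:
            key += "_L4"
        fields[key] = value
    return prefix, fields


def classify_hit(prefix, fields):
    """Cross-check a hit against the service table; return a verdict string."""
    proto = fields.get("PROTO", "").lower()
    notes = []
    for side in ("SPT", "DPT"):
        port = fields.get(side)
        if port is None or not port.isdigit():
            continue
        service = KNOWN_SERVICES.get((proto, int(port)))
        if service:
            notes.append(f"{side}={port} is {service}")
    if notes:
        return f"suspicious: {prefix} matched {proto} but " + ", ".join(notes)
    return "plausible"


def audit(lines):
    """Return [(prefix, verdict)] for every iptables LOG line in `lines`."""
    results = []
    for line in lines:
        parsed = parse_iptables_log(line)
        if parsed is None:
            continue
        prefix, fields = parsed
        results.append((prefix, classify_hit(prefix, fields)))
    return results


if __name__ == "__main__":
    for prefix, verdict in audit(SAMPLE_LOG_LINES):
        print(f"{prefix}: {verdict}")
```

Run against the two sample lines, the first is reported as suspicious (both ports are snmp-trap) and the second as plausible. Feeding the real kernel log through `audit` gives a quick measure of how often a given l7 pattern fires on traffic that is clearly something else, which is the number to look at before deciding whether the pattern is safe to act on at the scale Szymon asks about.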
From: alijawad1 at gmail.com (Ali Jawad)
Date: Thu Aug 24 11:16:21 2006
Subject: [LARTC] Help On Upload Limiting Using CBQ.init
Message-ID: <44ED6E69.3090503@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Guys

I've got an internet cafe on which I have a debian sarge box running. The Debian box acts as a gateway and it has masquerading on. I have 40 client PCs and I do not want to assign more than 64k per PC for upload, and the same is true for download too. I've done a lot of research and I've read tutorials about CBQ and HTB. I found that CBQ.init is the best script to serve my needs. I was successfully able to limit download per client using the script. However I was not able to limit upload per client whatever method I used.

Please HELP ME LIMIT THE UPLOADS ON A PER CLIENT BASIS.

This is my Setup :

INTERNET ---- eth0 DEBIAN eth1 -- LAN SWITCH --- 40 PCS

The working CBQ script that I use to limit download for a certain PC is:

DEVICE=eth1,100Mbit,10Mbit
RATE=64Kbit
WEIGHT=6Kbit
PRIO=5
RULE=192.168.1.166

The UPLOAD SCRIPT that I use to limit UPLOADS is "NOT WORKING" !!

Upload Script "NOT WORKING"

# --------------------------------------------------------------------------
DEVICE=eth0,10Mbit,1Mbit
RATE=64Kbit
WEIGHT=6Kbit
PRIO=5
RULE=192.168.1.166,
# --------------------------------------------------------------------------

As you can see I added the comma at the end of the Rule to indicate the source of the packet..any suggestions or help on how to make this work are welcome...!!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE7W5pkgA8mKGs24MRArpLAKC4qE/8ApbPDpjZHWegMWoxYnCfyQCgoenV
y7sg+bdQP0L/4Cxv1yg23/o=
=Vb6R
-----END PGP SIGNATURE-----

From nnn at vsu.by Thu Aug 24 13:09:04 2006
From: nnn at vsu.by (Nikolay Nikolaev) Date: Thu Aug 24 13:08:46 2006 Subject: [LARTC] Help On Upload Limiting Using CBQ.init In-Reply-To: <44ED6E69.3090503@gmail.com> References: <44ED6E69.3090503@gmail.com> Message-ID: <44ED88D0.3010407@vsu.by> Ali Jawad ?????: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > Hi Guys > > Ive got an internet cafe on which I have a debian sarge box running. > The Debian box acts as a gateway and it has masquerading on. I have 40 > client PC and i do not want to assign more than 64k per pc for upload > and the same is true for download too. Ive done alot of research and Ive > read tutorials about CBQ and HTB. I found that CBQ.init is the best > script to serve my needs. I was successfully able to limit download per > client using the script. > However I was not able to limit upload per client whatever method I used. > > Please HELP ME LIMIT THE UPLOADS ON A PER CLIENT BASIS. I think you must use ESFQ qdisc for ^^^^^^^^^^ From bill.blum at gmail.com Thu Aug 24 15:32:24 2006 
From: bill.blum at gmail.com (Bill Blum) Date: Thu Aug 24 15:32:05 2006 Subject: [LARTC] Suggestions/Pointers on where to begin my search for a solution? Message-ID: <6aa4d09a0608240632q47de4e83k89f6de0eb078bdd4@mail.gmail.com> Hi- I'm working in the IT department of a small liberal arts university-- we're getting *massacred* by P2P traffic. Informal testing/probing indicates that about 60% of our traffic from the dorms was P2P-- we've taken the initial step of hardlimiting the dorms to no more than 40% of outgoing university bandwidth. Also, we've blocked the 'standard' ports for KaZaa, Gnutella, etc. in our firewall/switch setup (Cisco Catalyst 6500 between us and the net at large).... However, the Powers That Be want a better, more effective solution--- without a performance hit for the VOIP phones on campus. Any suggestions on what part of the FM I should be reading/etc, so that I can make a better informed decision about how to proceed? Regards, Bill Blum -- Bill Blum Bill.Blum@gmail.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060824/5d0a5683/attachment.html From smohan at gmail.com Thu Aug 24 16:09:00 2006 
From: smohan at gmail.com (Mohan Sundaram) Date: Thu Aug 24 16:08:57 2006 Subject: [LARTC] Suggestions/Pointers on where to begin my search for asolution? In-Reply-To: <6aa4d09a0608240632q47de4e83k89f6de0eb078bdd4@mail.gmail.com> References: <6aa4d09a0608240632q47de4e83k89f6de0eb078bdd4@mail.gmail.com> Message-ID: <44EDB2FC.7080201@vsnl.com> Bill Blum wrote: > Hi- > I'm working in the IT department of a small liberal arts university-- > we're getting *massacred* by P2P traffic. > > Informal testing/probing indicates that about 60% of our traffic from > the dorms was P2P-- we've taken the initial step of hardlimiting the > dorms to no more than 40% of outgoing university bandwidth. Also, we've > blocked the 'standard' ports for KaZaa, Gnutella, etc. in our > firewall/switch setup (Cisco Catalyst 6500 between us and the net at > large).... > > However, the Powers That Be want a better, more effective solution--- > without a performance hit for the VOIP phones on campus. > > Any suggestions on what part of the FM I should be reading/etc, so that > I can make a better informed decision about how to proceed? > > Regards, > Bill Blum > > -- > Bill Blum > Bill.Blum@gmail.com > Try a Linuc m/c in between with ipp2p patch on iptables. Have you tried using the NBAR facility on the CISCO. That should also help. Mohan Sundaram From jasonb at edseek.com Thu Aug 24 18:34:18 2006 From: jasonb at edseek.com (Jason Boxman) Date: Thu Aug 24 18:34:03 2006 Subject: [LARTC] Layer-7 don't work In-Reply-To: <44ED4120.3040404@vsu.by> References: <200608240031.58999.sawar@interia.pl> <44ED4120.3040404@vsu.by> Message-ID: <46325.216.134.200.78.1156437258.squirrel@nebula.internal.foo> Nikolay Nikolaev wrote: > it's not SKYPE, i think .... it is normal? Yes. L7 relies on packet heuristics, so it may not always match the packets you're looking for. Some patterns are easier to discover and match than others. From b42-ml at srck.net Thu Aug 24 19:00:54 2006 
From: b42-ml at srck.net (b42-ml@srck.net) Date: Thu Aug 24 19:00:44 2006 Subject: [LARTC] u32 mark hashing Message-ID: <1429.10.154.218.7.1156438854.squirrel@10.154.218.1> Hi, is it possible to use firewall mark as an u32 hash key? What i understood from the source code is that only 32-bit number inside of the packet can be used as a hash key, though fw mark can be matched using u32 match(with 2.6 kernel and recent iproute2 version). Thanks, -b42 From pch at packetconsulting.pl Thu Aug 24 21:15:26 2006 From: pch at packetconsulting.pl (Piotr Chytla) Date: Thu Aug 24 21:20:30 2006 Subject: [LARTC] How to select Skype traffic?? In-Reply-To: <200608240031.58999.sawar@interia.pl> References: <200608240031.58999.sawar@interia.pl> Message-ID: <20060824191526.GA2053@packetconsulting.pl> On Thu, Aug 24, 2006 at 12:31:58AM +0200, Szymon Mroofka wrote: > Hi, > > I have simple question about Skype. What are the methods of selecting packets > which belongs to Skype?? > I know about 7layer but I don't belive that is only way. > Is 7layer realy good and stable solution for routers which must handle more > than 1000 users ? > Check also this : http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf Intresting paper about skype, there are some iptables rules to match skype udp traffic . /pch -- Dyslexia bug unpatched since 1977 ... exploit has been leaked to the underground. From stanislav.nedelchev at gmail.com Fri Aug 25 11:00:43 2006 
From: stanislav.nedelchev at gmail.com (Stanislav Nedelchev) Date: Fri Aug 25 11:00:31 2006 Subject: [LARTC] Now to make only Traffic Priority Message-ID: <44EEBC3B.3080708@gmail.com> Hi to everybody. I read some info and documentation but i still can't find how to make this simple setup for example . I just want to make priority of certain traffic without shaping the traffic . For example SSH and RDP first priority Mail second priority WEB and FTP third And everything else last priority. What will be the simple and best way to achieve this. I will appreciate every help . From sandu.andrei at gmail.com Fri Aug 25 11:52:00 2006 
From: sandu.andrei at gmail.com (Andrei Sandu) Date: Fri Aug 25 11:51:42 2006 Subject: [LARTC] Help On Upload Limiting Using CBQ.init In-Reply-To: <44ED6E69.3090503@gmail.com> References: <44ED6E69.3090503@gmail.com> Message-ID: On 8/24/06, Ali Jawad wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > Hi Guys > > Ive got an internet cafe on which I have a debian sarge box running. > The Debian box acts as a gateway and it has masquerading on. I have 40 > client PC and i do not want to assign more than 64k per pc for upload > and the same is true for download too. Ive done alot of research and Ive > read tutorials about CBQ and HTB. I found that CBQ.init is the best > script to serve my needs. I was successfully able to limit download per > client using the script. > However I was not able to limit upload per client whatever method I used. > > Please HELP ME LIMIT THE UPLOADS ON A PER CLIENT BASIS. > > This is my Setup : > > INTERNET ---- eth0 DEBIAN eth1 -- LAN SWITCH ---40 PCS > > The working CBQ script that I use to limit download for a certain PC is: > > DEVICE=eth1,100Mbit,10Mbit > RATE=64Kbit > WEIGHT=6Kbit > PRIO=5 > RULE=192.168.1.166 > > The UPLOAD SCRIPT that I use to limit UPLOADS is "NOT WORKING" !! > > Upload Script "NOT WORKING" > > # > -------------------------------------------------------------------------- > DEVICE=eth0,10Mbit,1Mbit > RATE=64Kbit > WEIGHT=6Kbit > PRIO=5 > RULE=192.168.1.166, > # > -------------------------------------------------------------------------- > > As you can see I added the comma at the end of the Rule to indicate the > source of the packet..any suggestions or help on how to make this work > are welcome...!! 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.4 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFE7W5pkgA8mKGs24MRArpLAKC4qE/8ApbPDpjZHWegMWoxYnCfyQCgoenV
> y7sg+bdQP0L/4Cxv1yg23/o=
> =Vb6R
> -----END PGP SIGNATURE-----
>

You will not be able to shape the upload traffic for each client on eth0 (after NAT all the packets have the same src address). You can do policing or, better, you can use IMQ ( http://www.linuximq.net ).

From sandu.andrei at gmail.com Fri Aug 25 15:55:25 2006
From: sandu.andrei at gmail.com (Andrei Sandu) Date: Fri Aug 25 15:55:08 2006 Subject: [LARTC] Help On Upload Limiting Using CBQ.init In-Reply-To: <44EEFE70.8070404@gmail.com> References: <44ED6E69.3090503@gmail.com> <44EEFE70.8070404@gmail.com> Message-ID: On 8/25/06, Ali Jawad wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Andrei Sandu wrote: > > On 8/24/06, Ali Jawad wrote: > >> > > > > Hi Guys > > > > Ive got an internet cafe on which I have a debian sarge box running. > > The Debian box acts as a gateway and it has masquerading on. I have 40 > > client PC and i do not want to assign more than 64k per pc for upload > > and the same is true for download too. Ive done alot of research and Ive > > read tutorials about CBQ and HTB. I found that CBQ.init is the best > > script to serve my needs. I was successfully able to limit download per > > client using the script. > > However I was not able to limit upload per client whatever method I > used. > > > > Please HELP ME LIMIT THE UPLOADS ON A PER CLIENT BASIS. > > > > This is my Setup : > > > > INTERNET ---- eth0 DEBIAN eth1 -- LAN SWITCH ---40 PCS > > > > The working CBQ script that I use to limit download for a certain PC is: > > > > DEVICE=eth1,100Mbit,10Mbit > > RATE=64Kbit > > WEIGHT=6Kbit > > PRIO=5 > > RULE=192.168.1.166 > > > > The UPLOAD SCRIPT that I use to limit UPLOADS is "NOT WORKING" !! > > > > Upload Script "NOT WORKING" > > > > # > > > -------------------------------------------------------------------------- > > > > DEVICE=eth0,10Mbit,1Mbit > > RATE=64Kbit > > WEIGHT=6Kbit > > PRIO=5 > > RULE=192.168.1.166, > > # > > > -------------------------------------------------------------------------- > > > > > > As you can see I added the comma at the end of the Rule to indicate the > > source of the packet..any suggestions or help on how to make this work > > are welcome...!! 
> >> > > > You will not be able to shape the upload traffic for each client on > eth0 ( > > after NAT all the packets have the same src address ). You can do > policying > > or better u can use IMQ ( http://www.linuximq.net ) . > > > > ------------------------------------------------------------------------ > > > _______________________________________________ > > LARTC mailing list > > LARTC@mailman.ds9a.nl > > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > > I might be wrong on this Andrei.."Iam Junior when it comes to traffic > shaping"..but I think that is is quite possible to shape outgoing > traffic that is being shaped without having to use CMQ . > > The idea is that masqueraded or SNATed traffic leaves the linux router > having the same src address i.e. the public address of the router in my > case. However IPTABLES or NETFILTER IN Linux has the following feature: > The POSTROUTING chain is the last chain in the iptables ..and it is part > of two tables the mangle table and the last table is the nat table. So > you can match traffic outgoing on the POSTROUTING chain if you match it > on the mangle table which precedes the nat table. 
>
>           -FORWARD(mangle)-FORWARD(filter)-
> - -PRE-                                    -POST(mangle)-POST(nat)
>           -INPUT-LOCAL-OUTPUT(mangle->Filter->NAT)
>
> As a result the following setup should work "Indeed it worked "
>
> download section
>
> tc qdisc add dev eth1 root handle 11: cbq bandwidth 100Mbit avpkt \
>     1000 mpu 64
> tc class add dev eth1 parent 11:0 classid 11:1 cbq rate 50Kbit \
>     weight 5Kbit allot 1514 prio 1 avpkt 1000 bounded
> tc filter add dev eth1 parent 11:0 protocol ip handle 4 fw flowid 11:1
>
> Upload Section
>
> tc qdisc add dev eth0 root handle 10: cbq bandwidth 10Mbit avpkt \
>     1000 mpu 64
> tc class add dev eth0 parent 10:0 classid 10:1 cbq rate 20Kbit \
>     weight 2Kbit allot 1514 prio 1 avpkt 1000 bounded
> tc filter add dev eth0 parent 10:0 protocol ip handle 3 fw flowid 10:1
>
> Now the tricky part is to mark the packets so that they can be shaped
> ..the following only works for natted traffic and does not work for
> traffic generated on the router itself.
>
> For Download "Note that the mangle table precedes the nat table"
> iptables -t mangle -A POSTROUTING -s ! 192.168.1.0/24 -d \
>     192.168.1.0/24 -j MARK --set-mark 4
>
> For Upload
>
> iptables -t mangle -A FORWARD -s 192.168.1.0/24 -j MARK --set-mark 3
>
> I got the script idea from
>
> http://szabilinux.hu/bandwidth/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.4 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFE7v5wkgA8mKGs24MRAoCSAKCI0igWp2Km3/tbdi13ux5gB22GPACgptV7
> //xFDzU5P1aPCg7QxwaHnso=
> =SWow
> -----END PGP SIGNATURE-----
>

Yes, Ali, it can be done that way too, using fwmark. But in my opinion using IMQ is much better and cleaner. IMQ was created specially for this kind of situation, when you want to do ingress shaping.

From nnn at vsu.by Sat Aug 26 07:43:01 2006
From: nnn at vsu.by (Nikolay Nikolaev)
Date: Sat Aug 26 07:42:42 2006
Subject: [LARTC] IMQ action
Message-ID: <44EFDF65.3030709@vsu.by>

Hi.

Is -j IMQ equal to -j ACCEPT...? I mean, after -j IMQ does the packet not return to the parent chain??? Because the -j ACCEPT action accepts the packet in the child chain and doesn't return it to the parent...

example:

ipt="iptables -t mangle"
$ipt -N HTTP
$ipt -A HTTP -j IMQ   # after this, do packets go to the -t nat tables? or
                      # do they return to the parent chain (PREROUTING) in mangle?
$ipt -N OTHER
$ipt -A OTHER -j IMQ
$ipt -A PREROUTING [expression] -j HTTP
$ipt -A PREROUTING -j OTHER

all this I do for ingress traffic.

thx.

From marek at piasta.pl Sat Aug 26 09:31:21 2006
From: marek at piasta.pl (Marek Kierdelewicz)
Date: Sat Aug 26 09:25:16 2006
Subject: [LARTC] Now to make only Traffic Priority
In-Reply-To: <44EEBC3B.3080708@gmail.com>
References: <44EEBC3B.3080708@gmail.com>
Message-ID: <20060826093121.3a32f121@localhost.localdomain>

> Hi to everybody.

Hi

> I just want to make priority of certain traffic without shaping the
> traffic .
> For example SSH and RDP first priority
> Mail second priority
> WEB and FTP third

You can make something like that:

$TC qdisc add dev $IF1 root handle 1: htb default 40
$TC class add dev $IF1 parent 1: classid 1:1 htb rate 100mbit ceil \
    100mbit burst 15k prio 1
$TC class add dev $IF1 parent 1:1 classid 1:10 htb rate 25mbit ceil \
    100mbit burst 15k prio 1
$TC class add dev $IF1 parent 1:1 classid 1:20 htb rate 25mbit ceil \
    100mbit burst 15k prio 2
$TC class add dev $IF1 parent 1:1 classid 1:30 htb rate 25mbit ceil \
    100mbit burst 15k prio 3
$TC class add dev $IF1 parent 1:1 classid 1:40 htb rate 25mbit ceil \
    100mbit burst 15k prio 4

Then you direct ssh and rdp with filters to the 1:10 class (prio 1 means highest prio), mail to 1:20, web+ftp to 1:30 and the rest to 1:40. It's shaping, but it works the way you want it.

Another solution is using the prio qdisc, for which you need to:
- set up the prio map (tos -> prio)
- rewrite the tos field of packets in the PREROUTING chain of the mangle table.

I never used such a solution, only read some theoretical stuff at the following site: http://lartc.org/howto/lartc.qdisc.classless.html#AEN659

--
Marek Kierdelewicz
Kierownik Działu Systemów Sieciowych, KoBa
Manager of Network Systems Department, KoBa
tel. (85) 7406466; fax. (85) 7406467
e-mail: admin@koba.pl

From lsharpe at pacificwireless.com.au Mon Aug 28 06:09:48 2006
From: lsharpe at pacificwireless.com.au (Leigh Sharpe)
Date: Mon Aug 28 06:09:40 2006
Subject: [LARTC] Applying the same class to multiple interfaces
Message-ID:

Hi All,
I'm trying to do some traffic shaping on an ethernet bridge. Currently, I have the following setup working:

ifconfig eth0 down
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
brctl stp br0 off
ifconfig eth0 0.0.0.0 up
ifconfig eth1 0.0.0.0 up
ifconfig br0 up

This creates a bridge consisting of eth0 and eth1. So far so good.

I now want to use tc to shape traffic through this bridge. By applying the following, I am able to limit the given MAC address to 128K in each direction:

tc qdisc add dev eth0 root handle 1:0 cbq bandwidth 100Mbit avpkt 1000 mpu 64
tc qdisc add dev eth1 root handle 1:0 cbq bandwidth 100Mbit avpkt 1000 mpu 64
tc class add dev eth0 parent 1:0 classid 1:1 cbq rate 128Kbit allot 1514 prio 1 avpkt 1000 bounded
tc class add dev eth1 parent 1:0 classid 1:1 cbq rate 128Kbit allot 1514 prio 1 avpkt 1000 bounded
tc filter add dev eth0 parent 1:0 protocol ip handle 1 fw flowid 1:1
tc filter add dev eth1 parent 1:0 protocol ip handle 1 fw flowid 1:1
ebtables -A FORWARD -s 00:10:A4:EC:65:E8 -j mark --set-mark 1 --mark-target ACCEPT
ebtables -A FORWARD -d 00:10:A4:EC:65:E8 -j mark --set-mark 1 --mark-target ACCEPT

This works OK, but it isn't quite what I want. I want to limit the traffic to 128K total. ie, 128K in one direction or the other, or 64K in each direction simultaneously, or 100K in one direction and 28K in the other, etc...
I can't see anything in the tc docs which indicates that I can apply the same class and filter to multiple interfaces at once.
I'd be happy enough with applying the same rate limit to a single interface, but measuring both ingress and egress traffic to come up with the limit.

Ultimately, of course, I'll be using different criteria to mark the packets.
Regards,
Leigh

Leigh Sharpe
Network Systems Engineer
Pacific Wireless
Ph +61 3 9584 8966
Mob 0408 009 502
email lsharpe@pacificwireless.com.au
web www.pacificwireless.com.au

From Покотиленко Mon Aug 28 08:26:09 2006
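Leigh's requirement, one 128K budget shared by both directions of the bridge rather than 128K per interface, is the difference between one token bucket that both sides consume and one bucket per side, which is what a cbq class on eth0 plus another on eth1 gives. The model below is an added example (Python, not code from the thread or from tc): `TokenBucket` is a plain token bucket in integer arithmetic, `simulate` runs a trace of frames through it, and `compare` returns the throughput each arrangement admits when both directions offer 240 kbit/s. The class names, the trace and the burst size are assumptions made for the example; tc's 128Kbit is taken as 16000 bytes/s.

```python
"""Shared versus per-interface rate limit on a two-port bridge.

Added example for the thread above, not code from the LARTC list or from
tc. It models Leigh's question: a cbq class on eth0 and another on eth1
give 128K in each direction, whereas one budget of 128K shared by both
directions needs a single token bucket that both sides consume.
"""

RATE_BYTES_S = 128 * 1000 // 8   # tc's 128Kbit: 128000 bit/s = 16000 bytes/s
BURST_BYTES = 3000               # assumed burst, about two full-size frames


class TokenBucket:
    """Token bucket in integer arithmetic: rate in bytes/s, burst in bytes."""

    def __init__(self, rate_bytes_s, burst_bytes):
        self.rate = rate_bytes_s
        self.burst = burst_bytes
        self.tokens = burst_bytes   # starts full, like an idle class
        self.last_ms = 0

    def consume(self, now_ms, size):
        """Refill for the time elapsed, then spend `size` tokens if available."""
        if now_ms > self.last_ms:
            refill = (now_ms - self.last_ms) * self.rate // 1000
            self.tokens = min(self.burst, self.tokens + refill)
            self.last_ms = now_ms
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False   # over budget: the qdisc would queue or drop this frame


def simulate(trace, bucket_for):
    """Run (time_ms, direction, bytes) events through the buckets.

    `bucket_for` maps a direction to a TokenBucket; mapping both directions
    to the same object models one shared budget. Returns bytes admitted
    per direction.
    """
    admitted = {direction: 0 for direction in bucket_for}
    for now_ms, direction, size in trace:
        if bucket_for[direction].consume(now_ms, size):
            admitted[direction] += size
    return admitted


def constructed_trace(seconds=10, frame=1500, interval_ms=50):
    """Both directions offer one 1500-byte frame every 50 ms (240 kbit/s each)."""
    trace = []
    for now_ms in range(0, seconds * 1000, interval_ms):
        trace.append((now_ms, "eth0", frame))
        trace.append((now_ms, "eth1", frame))
    return trace


def kbit_s(total_bytes, seconds):
    return total_bytes * 8 / seconds / 1000


def compare(seconds=10):
    """Throughput admitted by one shared bucket versus one bucket per port."""
    trace = constructed_trace(seconds)

    shared = TokenBucket(RATE_BYTES_S, BURST_BYTES)
    shared_admitted = simulate(trace, {"eth0": shared, "eth1": shared})

    per_port_admitted = simulate(trace, {
        "eth0": TokenBucket(RATE_BYTES_S, BURST_BYTES),
        "eth1": TokenBucket(RATE_BYTES_S, BURST_BYTES),
    })

    return {
        "shared_bytes": shared_admitted,
        "shared_kbit_s": kbit_s(sum(shared_admitted.values()), seconds),
        "per_port_bytes": per_port_admitted,
        "per_port_kbit_s": kbit_s(sum(per_port_admitted.values()), seconds),
    }


if __name__ == "__main__":
    result = compare()
    print("shared budget   :", round(result["shared_kbit_s"], 1), "kbit/s", result["shared_bytes"])
    print("per-port classes:", round(result["per_port_kbit_s"], 1), "kbit/s", result["per_port_bytes"])
```

With both directions oversubscribed, the shared bucket admits about 129.6 kbit/s in total (the extra 1.6 kbit/s over 10 s is the initial burst) while two per-port classes admit 259.2 kbit/s, twice the intended cap. Because the trace always offers the eth0 frame first at each instant, the shared run also shows the unfairness a single shared limiter has when nothing schedules between the two sides: almost every admitted byte belongs to eth0. A shared limit therefore needs one qdisc in front of both flows to arbitrate between them, not just one bucket.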
From: Покотиленко (Покотиленко)
Date: Mon Aug 28 08:25:52 2006
Subject: [LARTC] Applying the same class to multiple interfaces
In-Reply-To:
References:
Message-ID: <1156746369.3827.9.camel@localhost.localdomain>

As you probably read, there is no good way to shape incoming traffic. Shaping of incoming traffic is not recommended. This is no problem, because you can (this is recommended) shape outgoing traffic on multiple interfaces. For example, if you have a client on eth0 and Internet on eth1, and you want to shape the client's traffic in both directions:
- to shape the client's incoming traffic you shape its outgoing traffic on eth0
- to shape the client's outgoing traffic you shape its outgoing traffic on eth1

Also, for your needs you can MARK packets with iptables on the br0 interface. ebtables are more suitable for implementation of a "smart switch".

On Mon, 28/08/2006 at 14:09 +1000, Leigh Sharpe wrote:
> Hi All,
> I'm trying to do some traffic shaping on an ethernet bridge.
> Currently, I have the following setup working:
>
> ifconfig eth0 down
> brctl addbr br0
> brctl addif br0 eth0
> brctl addif br0 eth1
> brctl stp br0 off
> ifconfig eth0 0.0.0.0 up
> ifconfig eth1 0.0.0.0 up
> ifconfig br0 up
>
> This creates a bridge consisting of eth0 and eth1. So far so good.
>
> I now want to use tc to shape traffic through this bridge. By applying
> the following, I am able to limit the given MAC address to 128K in
> each direction:
>
> tc qdisc add dev eth0 root handle 1:0 cbq bandwidth 100Mbit avpkt 1000 mpu 64
> tc qdisc add dev eth1 root handle 1:0 cbq bandwidth 100Mbit avpkt 1000 mpu 64
> tc class add dev eth0 parent 1:0 classid 1:1 cbq rate 128Kbit allot 1514 prio 1 avpkt 1000 bounded
> tc class add dev eth1 parent 1:0 classid 1:1 cbq rate 128Kbit allot 1514 prio 1 avpkt 1000 bounded
> tc filter add dev eth0 parent 1:0 protocol ip handle 1 fw flowid 1:1
> tc filter add dev eth1 parent 1:0 protocol ip handle 1 fw flowid 1:1
> ebtables -A FORWARD -s 00:10:A4:EC:65:E8 -j mark --set-mark 1 --mark-target ACCEPT
> ebtables -A FORWARD -d 00:10:A4:EC:65:E8 -j mark --set-mark 1 --mark-target ACCEPT
>
> This works OK, but it isn't quite what I want. I want to limit the
> traffic to 128K total. ie, 128K in one direction or the other, or 64K
> in each direction simultaneously, or 100K in one direction and 28K in
> the other, etc...
> I can't see anything in the tc docs which indicates that I can apply
> the same class and filter to multiple interfaces at once.
> I'd be happy enough with applying the same rate limit to a single
> interface, but measuring both ingress and egress traffic to come up
> with the limit.
>
> Ultimately, of course, I'll be using different criteria to mark the
> packets.
>
> Regards,
> Leigh
>
> Leigh Sharpe
> Network Systems Engineer
> Pacific Wireless
> Ph +61 3 9584 8966
> Mob 0408 009 502
> email lsharpe@pacificwireless.com.au
> web www.pacificwireless.com.au
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From lsharpe at pacificwireless.com.au Mon Aug 28 09:41:43 2006
From: lsharpe at pacificwireless.com.au (Leigh Sharpe)
Date: Mon Aug 28 09:41:39 2006
Subject: [LARTC] Applying the same class to multiple interfaces
In-Reply-To: <1156746369.3827.9.camel@localhost.localdomain>
Message-ID:

I don't actually want to shape incoming traffic. I want to limit the
bandwidth of the bridge, so that their total throughput doesn't exceed a
particular rate. To do this, I can't limit on only one interface. I need
to configure it so that eth0+eth1 never exceeds the bandwidth limit.

Regards,
Leigh

Leigh Sharpe
Network Systems Engineer
Pacific Wireless
Ph +61 3 9584 8966
Mob 0408 009 502
email lsharpe@pacificwireless.com.au
web www.pacificwireless.com.au

-----Original Message-----
From: casper@meteor.dp.ua [mailto:casper@meteor.dp.ua]
Sent: Monday, August 28, 2006 4:26 PM
To: Leigh Sharpe
Cc: lartc
Subject: Re: [LARTC] Applying the same class to multiple interfaces

As you probably read, there is no good way to shape incoming traffic.
Shaping of incoming traffic is not recommended. This is no problem,
because you can (this is recommended) shape outgoing traffic on
multiple interfaces.

For example, if you have a client on eth0 and the Internet on eth1, and you
want to shape the client's traffic in both directions:

- to shape the client's incoming traffic you shape its outgoing traffic on
eth0

- to shape the client's outgoing traffic you shape its outgoing traffic on
eth1

Also, for your needs you can MARK packets with iptables on the br0
interface. ebtables are more suitable for implementation of a "smart
switch".

On Mon, 28/08/2006 at 14:09 +1000, Leigh Sharpe wrote:
> Hi All,
> I'm trying to do some traffic shaping on an ethernet bridge.
> Currently, I have the following setup working:
>
> ifconfig eth0 down
> brctl addbr br0
> brctl addif br0 eth0
> brctl addif br0 eth1
> brctl stp br0 off
> ifconfig eth0 0.0.0.0 up
> ifconfig eth1 0.0.0.0 up
> ifconfig br0 up
>
> This creates a bridge consisting of eth0 and eth1. So far so good.
>
> I now want to use tc to shape traffic through this bridge. By applying
> the following, I am able to limit the given MAC address to 128K in
> each direction:
>
> tc qdisc add dev eth0 root handle 1:0 cbq bandwidth 100Mbit avpkt 1000 mpu 64
> tc qdisc add dev eth1 root handle 1:0 cbq bandwidth 100Mbit avpkt 1000 mpu 64
> tc class add dev eth0 parent 1:0 classid 1:1 cbq rate 128Kbit allot 1514 prio 1 avpkt 1000 bounded
> tc class add dev eth1 parent 1:0 classid 1:1 cbq rate 128Kbit allot 1514 prio 1 avpkt 1000 bounded
> tc filter add dev eth0 parent 1:0 protocol ip handle 1 fw flowid 1:1
> tc filter add dev eth1 parent 1:0 protocol ip handle 1 fw flowid 1:1
> ebtables -A FORWARD -s 00:10:A4:EC:65:E8 -j mark --set-mark 1 --mark-target ACCEPT
> ebtables -A FORWARD -d 00:10:A4:EC:65:E8 -j mark --set-mark 1 --mark-target ACCEPT
>
> This works OK, but it isn't quite what I want. I want to limit the
> traffic to 128K total. ie, 128K in one direction or the other, or 64K
> in each direction simultaneously, or 100K in one direction and 28K in
> the other, etc...
> I can't see anything in the tc docs which indicates that I can apply
> the same class and filter to multiple interfaces at once.
> I'd be happy enough with applying the same rate limit to a single
> interface, but measuring both ingress and egress traffic to come up
> with the limit.
>
> Ultimately, of course, I'll be using different criteria to mark the
> packets.
>
>
> Regards,
> Leigh
>
> Leigh Sharpe
> Network Systems Engineer
> Pacific Wireless
> Ph +61 3 9584 8966
> Mob 0408 009 502
> email lsharpe@pacificwireless.com.au
> web www.pacificwireless.com.au
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

-- 
Покотиленко ??????

From Покотиленко Mon Aug 28 11:08:59 2006
From: Покотиленко (Покотиленко)
Date: Mon Aug 28 11:08:45 2006
Subject: [LARTC] Applying the same class to multiple interfaces
In-Reply-To:
References:
Message-ID: <1156756139.3847.12.camel@localhost.localdomain>

Then probably you were on the correct way: mark packets with ebtables and
direct them to the shaping classes you need.

On Mon, 28/08/2006 at 17:41 +1000, Leigh Sharpe wrote:
> I don't actually want to shape incoming traffic. I want to limit the
> bandwidth of the bridge, so that their total throughput doesn't exceed a
> particular rate. To do this, I can't limit on only one interface. I need
> to configure it so that eth0+eth1 never exceeds the bandwidth limit.
>
>
>
> Regards,
> Leigh
>
> Leigh Sharpe
> Network Systems Engineer
> Pacific Wireless
> Ph +61 3 9584 8966
> Mob 0408 009 502
> email lsharpe@pacificwireless.com.au
> web www.pacificwireless.com.au
>
> -----Original Message-----
> From: casper@meteor.dp.ua [mailto:casper@meteor.dp.ua]
> Sent: Monday, August 28, 2006 4:26 PM
> To: Leigh Sharpe
> Cc: lartc
> Subject: Re: [LARTC] Applying the same class to multiple interfaces
>
> As you probably read, there is no good way to shape incoming traffic.
> Shaping of incoming traffic is not recommended. This is no problem,
> because you can (this is recommended) shape outgoing traffic on
> multiple interfaces.
>
> For example, if you have a client on eth0 and the Internet on eth1, and you
> want to shape the client's traffic in both directions:
>
> - to shape the client's incoming traffic you shape its outgoing traffic on
> eth0
>
> - to shape the client's outgoing traffic you shape its outgoing traffic on
> eth1
>
> Also, for your needs you can MARK packets with iptables on the br0
> interface. ebtables are more suitable for implementation of a "smart
> switch".
>
> On Mon, 28/08/2006 at 14:09 +1000, Leigh Sharpe wrote:
> > Hi All,
> > I'm trying to do some traffic shaping on an ethernet bridge.
> > Currently, I have the following setup working:
> >
> > ifconfig eth0 down
> > brctl addbr br0
> > brctl addif br0 eth0
> > brctl addif br0 eth1
> > brctl stp br0 off
> > ifconfig eth0 0.0.0.0 up
> > ifconfig eth1 0.0.0.0 up
> > ifconfig br0 up
> >
> > This creates a bridge consisting of eth0 and eth1. So far so good.
> >
> > I now want to use tc to shape traffic through this bridge. By applying
> > the following, I am able to limit the given MAC address to 128K in
> > each direction:
> >
> > tc qdisc add dev eth0 root handle 1:0 cbq bandwidth 100Mbit avpkt 1000 mpu 64
> > tc qdisc add dev eth1 root handle 1:0 cbq bandwidth 100Mbit avpkt 1000 mpu 64
> > tc class add dev eth0 parent 1:0 classid 1:1 cbq rate 128Kbit allot 1514 prio 1 avpkt 1000 bounded
> > tc class add dev eth1 parent 1:0 classid 1:1 cbq rate 128Kbit allot 1514 prio 1 avpkt 1000 bounded
> > tc filter add dev eth0 parent 1:0 protocol ip handle 1 fw flowid 1:1
> > tc filter add dev eth1 parent 1:0 protocol ip handle 1 fw flowid 1:1
> > ebtables -A FORWARD -s 00:10:A4:EC:65:E8 -j mark --set-mark 1 --mark-target ACCEPT
> > ebtables -A FORWARD -d 00:10:A4:EC:65:E8 -j mark --set-mark 1 --mark-target ACCEPT
> >
> > This works OK, but it isn't quite what I want. I want to limit the
> > traffic to 128K total. ie, 128K in one direction or the other, or 64K
> > in each direction simultaneously, or 100K in one direction and 28K in
> > the other, etc...
> > I can't see anything in the tc docs which indicates that I can apply
> > the same class and filter to multiple interfaces at once.
> > I'd be happy enough with applying the same rate limit to a single
> > interface, but measuring both ingress and egress traffic to come up
> > with the limit.
> >
> > Ultimately, of course, I'll be using different criteria to mark the
> > packets.
> >
> >
> > Regards,
> > Leigh
> >
> > Leigh Sharpe
> > Network Systems Engineer
> > Pacific Wireless
> > Ph +61 3 9584 8966
> > Mob 0408 009 502
> > email lsharpe@pacificwireless.com.au
> > web www.pacificwireless.com.au
> >
> > _______________________________________________
> > LARTC mailing list
> > LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

-- 
Покотиленко ??????

From gregoriandres at yahoo.com.ar Mon Aug 28 15:03:15 2006
From: gregoriandres at yahoo.com.ar (LinuXKiD)
Date: Mon Aug 28 15:02:45 2006
Subject: [LARTC] Now to make only Traffic Priority
In-Reply-To: <20060826093121.3a32f121@localhost.localdomain>
Message-ID:

try IMQ

http://www.linuximq.net/

regards.

andres

-> -----Original Message-----
-> From: lartc-bounces@mailman.ds9a.nl
-> [mailto:lartc-bounces@mailman.ds9a.nl] On behalf of Marek Kierdelewicz
-> Sent: Saturday, 26 August 2006 04:31 a.m.
-> To: lartc@mailman.ds9a.nl
-> Subject: Re: [LARTC] Now to make only Traffic Priority
->
->
-> > Hi to everybody.
->
-> Hi
->
-> > I just want to make priority of certain traffic without shaping the
-> > traffic .
-> > For example SSH and RDP first priority
-> > Mail second priority
-> > WEB and FTP third
->
-> You can make something like that:
-> $TC qdisc add dev $IF1 root handle 1: htb default 40
-> $TC class add dev $IF1 parent 1: classid 1:1 htb rate 100mbit ceil \
-> 100mbit burst 15k prio 1
-> $TC class add dev $IF1 parent 1:1 classid 1:10 htb rate 25mbit ceil \
-> 100mbit burst 15k prio 1
-> $TC class add dev $IF1 parent 1:1 classid 1:20 htb rate 25mbit ceil \
-> 100mbit burst 15k prio 2
-> $TC class add dev $IF1 parent 1:1 classid 1:30 htb rate 25mbit ceil \
-> 100mbit burst 15k prio 3
-> $TC class add dev $IF1 parent 1:1 classid 1:40 htb rate 25mbit ceil \
-> 100mbit burst 15k prio 4
->
-> Then you direct ssh and rdp with filters to the 1:10 class (prio 1
-> means highest prio), mail to 1:20, web+ftp to 1:30 and rest to 1:40.
->
-> It's shaping, but works the way you want it.
->
-> Another solution is using prio qdisc, for what you need to:
-> - set up prio map (tos -> prio)
-> - rewrite tos field of packets in PREROUTING chain of mangle table.
->
-> I never used such solution, only read some theoretical stuff at
-> following site:
-> http://lartc.org/howto/lartc.qdisc.classless.html#AEN659
->
-> --
-> Marek Kierdelewicz
-> Kierownik Działu Systemów Sieciowych, KoBa
-> Manager of Network Systems Department, KoBa
-> tel. (85) 7406466; fax. (85) 7406467
-> e-mail: admin@koba.pl
-> _______________________________________________
-> LARTC mailing list
-> LARTC@mailman.ds9a.nl
-> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From linux at arcoscom.com Mon Aug 28 21:05:08 2006
From: linux at arcoscom.com (ArcosCom Linux User)
Date: Mon Aug 28 21:04:52 2006
Subject: [LARTC] Multiple WAN + Multiple LAN + linux-igd
Message-ID: <50182.80.32.64.202.1156791908.squirrel@www.arcoscom.com>

Hi, I'm implementing a linux router with these characteristics:

- Multiple adsl, each with its own public IPs
- Multiple LAN ethernets (in a bridge).
- Linux IGD

I have successfully implemented the first 2 steps: the adsl lines balance
fine (multipath routing), and the clients bridge fine.

My problem is how to use that with linux-igd.

My LAN bridge has STP and is implemented for high availability; it's
working fine (and tested).

I run upnpd with one wan iface as WAN iface and the bridge one as LAN
iface, and it is working fine over that iface.

All my public IPs are static, and I think I only have to put all my wan
ifaces in the same bridge, but I don't know if multipath routing will work
as it does now.

I have no problem configuring a "without IP" bridge with all the wan
ifaces, and putting the public IPs on the real iface, not the bridge (in
the LAN BRIDGE, all private IPs were on the bridge iface). But I don't
know if this "theory" will work.

The idea is to put redirected ports into ALL WAN IFACES at the same time
and allow upnpd to work over all WAN IFACES at the same time.

Will it work? (putting public IPs on wan ifaces and not using an IP for
the wan bridge iface).

If it worked: will I have problems with the arp protocol or anything?

Any ideas? Has anyone implemented something like this?

To summarize, I don't want help about multipath routing or bridging, I
only need to know if "the theory" will work and, if it doesn't, any ideas
on how to get this working.

Many thanks!!

P.D.: Sorry for my English.

From lists at andyfurniss.entadsl.com Tue Aug 29 14:42:01 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Tue Aug 29 14:41:31 2006
Subject: [LARTC] Applying the same class to multiple interfaces
In-Reply-To:
References:
Message-ID: <44F43619.3040701@andyfurniss.entadsl.com>

Leigh Sharpe wrote:

> This works OK, but it isn't quite what I want. I want to limit the
> traffic to 128K total. ie, 128K in one direction or the other, or 64K in
> each direction simultaneously, or 100K in one direction and 28K in the
> other, etc...
> I can't see anything in the tc docs which indicates that I can apply
> the same class and filter to multiple interfaces at once.
> I'd be happy enough with applying the same rate limit to a single
> interface, but measuring both ingress and egress traffic to come up with
> the limit.
>
> Ultimately, of course, I'll be using different criteria to mark the
> packets.

If there is no br traffic to be included you can do it by using one ifb,
redirecting packets from egress on eth0/1.

If it's more complicated you may need to redirect from ingress as well -
but I don't think ingress on eths will have gone through ebtables to be
marked.

Andy.

From lists at andyfurniss.entadsl.com Tue Aug 29 14:54:58 2006
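Andy's suggestion above (one ifb fed by egress redirects from both bridge ports, so a single class sees the host's traffic in whichever direction it leaves the bridge) as an added setup script; it is not code from the thread or from Leigh's own configuration. It assumes bridge ports eth0 and eth1, an ifb0 device (the ifb module loaded), an iproute2 tc that understands actions (the "mirred" mail later in this digest), nfmark 1 already set on the host's frames by ebtables rules like the ones quoted above, and no traffic to or from the bridge itself that needs to be counted. TC and IP can be overridden with echo to print the commands instead of applying them.

```shell
#!/bin/sh
# Aggregate 128 kbit/s limit for one bridged host, both directions combined:
# the egress of each bridge port is redirected into ifb0 and shaped there.
# Added example, not code from the thread.  Assumptions: ports eth0/eth1,
# device ifb0 exists, nfmark 1 is set by ebtables on the host's frames.
TC=${TC:-tc}
IP=${IP:-ip}
IFB=ifb0
PORTS="eth0 eth1"
LIMIT=128kbit     # the total the marked host may use
LINK=100mbit      # physical port speed, used for the unmarked remainder
MARK=1            # nfmark set by "ebtables ... -j mark --set-mark 1"

bridge_total_limit() {
    $IP link set dev "$IFB" up

    # One HTB tree on the ifb: marked frames from both ports share class 1:10,
    # so 128 kbit/s is the ceiling for their sum, not per direction.
    $TC qdisc add dev "$IFB" root handle 1: htb default 30
    $TC class add dev "$IFB" parent 1: classid 1:1 htb rate "$LINK"
    $TC class add dev "$IFB" parent 1:1 classid 1:10 htb rate "$LIMIT" ceil "$LIMIT"
    $TC class add dev "$IFB" parent 1:1 classid 1:30 htb rate 90mbit ceil "$LINK"
    $TC filter add dev "$IFB" parent 1: protocol ip prio 1 handle "$MARK" fw flowid 1:10

    # Each port needs a classful root qdisc to attach the redirect filter to;
    # prio does no shaping itself.  Everything leaving a port goes via ifb0.
    for dev in $PORTS; do
        $TC qdisc add dev "$dev" root handle 1: prio
        $TC filter add dev "$dev" parent 1: protocol all prio 1 u32 match u32 0 0 \
            action mirred egress redirect dev "$IFB"
    done
}

# Remove everything bridge_total_limit added.
bridge_total_limit_clear() {
    for dev in $PORTS $IFB; do
        $TC qdisc del dev "$dev" root 2>/dev/null
    done
}

# Print the commands instead of running them.
dry_run() {
    TC=echo IP=echo bridge_total_limit
}
```

Because the redirect happens at the port's egress, after bridging, a frame from the host leaving through eth1 and a frame to the host leaving through eth0 both arrive in class 1:10 on ifb0, which is what gives the combined limit. Ingress redirects are only needed if bridge-local traffic must be counted too, and, as Andy notes, frames taken at ingress would not yet carry the ebtables mark.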
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Tue Aug 29 14:54:29 2006
Subject: [LARTC] IMQ action
In-Reply-To: <44EFDF65.3030709@vsu.by>
References: <44EFDF65.3030709@vsu.by>
Message-ID: <44F43922.7070201@andyfurniss.entadsl.com>

Nikolay Nikolaev wrote:

> Hi.
> -j IMQ is equal -j ACCEPT...? i mean it after -j IMQ packet don't return
> in parent chain??? cause -j ACCEPT action accept the packet in the child
> chain and don't return it to parent...
> example:
>
> ipt="iptables -t mangle"
>
> $ipt -N HTTP
> $ipt -A HTTP -j IMQ   // after this packet packets go to -t nat tables?
>                       // or it return to parent chain (PREROUTING) in mangle?
>
> $ipt -N OTHER
> $ipt -A OTHER -j IMQ
>
> $ipt -A PREROUTING [expression] -j HTTP
> $ipt -A PREROUTING -j OTHER
>
> all this I do for ingress traffic.
> thx.

I don't think -j IMQ is terminating as an iptables rule.

Whether it sees packets before / after (de)nat in prerouting depends on
the kernel config options and gets logged for 2.6s. For 2.4s there is a
patch to make it hook after nat.

Andy.

From lists at andyfurniss.entadsl.com Tue Aug 29 15:54:15 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Tue Aug 29 15:53:38 2006
Subject: [LARTC] IFB - Download: 1xWAN (Internet) 2xLAN (local)
In-Reply-To: <3245374a0608211137j629e1f24t6f9ef6625c561319@mail.gmail.com>
References: <3245374a0608211137j629e1f24t6f9ef6625c561319@mail.gmail.com>
Message-ID: <44F44707.5030505@andyfurniss.entadsl.com>

Robo R0b0 wrote:

> hello, i have eth0 (Internet) + eth1,eth2 (local), how to i use IFB in real
> for shaping Download, how to i redirect traffic from eth0 to ifb0 with
> "mark".
> I testing marking with iptables but any mark not working - always use
> "default" mark...

If there is no traffic from the internet to the shaping box then you can
redirect from egress on eth1 and 2 to ifb0 and marks will work.

You need something classful on eth1/2 so if you are not shaping already
put prio as root.

Andy.

From lists at andyfurniss.entadsl.com Tue Aug 29 16:33:56 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Tue Aug 29 16:33:17 2006
Subject: [LARTC] QoS on a bridge+NAT
In-Reply-To:
References:
Message-ID: <44F45054.6020104@andyfurniss.entadsl.com>

Asle Fest? wrote:

> I have a setup where I have three NIC in a Debian box. I have eth1
> connected to internet and eth0 NAT'ed to 192.168.1.1. eth1 and eth2 are
> bridged together, given ip 192.168.122.2.
>
> What I want to achieve is to perform traffic shaping on the bridge as
> well as prioritizing the traffic from eth0 very low. (This is from
> trental flat ...) However it seems that I am unable to perform the
> traffic shaping from these two nets on eth1. Can somebody please help
> me? I am very new to traffic shaping but determined to learn ...
>
> Where should the root qdisc be attached to be able to prioritize
> between the two NICs eth 0 and eth2?

You should be able to do egress internet traffic on eth1 - you've just
got to work out a way to classify it as from eth0/2. There are probably
several; it depends what other traffic is about. You could mark -i eth0
-o br0 with iptables etc.

For ingress the policer eg. from lartc will not let you do prio. If the
shaping box is just forwarding ingress internet traffic then you could
use one ifb and redirect inbound internet traffic when it leaves eth0
and eth2. Again you need a way to classify, and ingress shaping is not
totally possible like on egress, but if you sacrifice enough bandwidth
and keep queues short then it's better than doing nothing.

I've never used cbq so haven't looked at the script.

Andy.

From daniel.mail at terra.com.br Wed Aug 30 01:52:13 2006
From: daniel.mail at terra.com.br (daniel.mail)
Date: Wed Aug 30 01:51:59 2006
Subject: [LARTC] Range of ports
Message-ID:

Hello,

How can I set a range of ports on tc, and does tc only work with tcp? Or
does it work with tcp and udp?

Thank You

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060829/940dfe8d/attachment.htm

From dor at ldc.net Wed Aug 30 16:07:26 2006
From: dor at ldc.net (Dmytro O. Redchuk)
Date: Wed Aug 30 16:19:53 2006
Subject: [LARTC] pps limit ?
Message-ID: <20060830140726.GA24152@ldc.net>

Hello, list members,

can i limit pps rate with linux? How?

-m limit does not fit, as i understood: it can help with low rates only
(is that true? any suggestions?)

Thank you,

-- 
_,-=._ /|_/| `-.} `=._,.-=-._., @ @._, `._ _,-. ) _,.-' ` G.m-"^m`m' Dmytro O. Redchuk

From kajtek at biezanow.net Wed Aug 30 17:22:27 2006
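daniel's question on port ranges (and the "direct ssh and rdp with filters" step in Marek's HTB example earlier in this digest) as an added example; it is not code from either mail. u32 has no range operator, so a range has to be written as one or more aligned value/mask blocks, and the same dport match covers TCP and UDP because both carry the destination port at the same offset. $DEV, the target class 1:20 and the range 8000-8015 are assumptions.

```shell
#!/bin/sh
# u32 port-range matching as value/mask pairs, plus filters that classify
# both TCP and UDP on that range.  Added example, not code from the thread;
# $DEV, class 1:20 and the range used in dry runs are assumptions.
# u32 "ip dport" compares the 16-bit field at IP offset 22, which is the
# transport destination port of both TCP and UDP when the IP header has no
# options; the explicit "ip protocol" match keeps other protocols out.
TC=${TC:-tc}
DEV=${DEV:-eth0}

# port_range_masks LO HI: split [LO, HI] into the fewest aligned blocks a
# single "value mask" pair can express; prints "port 0xMASK" per block.
port_range_masks() {
    lo=$1; hi=$2
    while [ "$lo" -le "$hi" ]; do
        bits=0
        # grow the block while its start stays aligned and its end stays in range
        while [ $(( lo % (1 << (bits + 1)) )) -eq 0 ] \
              && [ $(( lo + (1 << (bits + 1)) - 1 )) -le "$hi" ]; do
            bits=$((bits + 1))
        done
        printf '%d 0x%04x\n' "$lo" $(( (65535 << bits) & 65535 ))
        lo=$(( lo + (1 << bits) ))
    done
}

# port_range_filters LO HI FLOWID: one tc filter per block and per transport
# protocol (6 = TCP, 17 = UDP), sending matches to FLOWID.
port_range_filters() {
    port_range_masks "$1" "$2" | while read -r port mask; do
        for proto in 6 17; do
            $TC filter add dev "$DEV" parent 1: protocol ip prio 2 u32 \
                match ip protocol $proto 0xff match ip dport "$port" "$mask" \
                flowid "$3"
        done
    done
}
```

Run `TC=echo port_range_filters 8000 8015 1:20` to see the rules before applying them: 8000-8015 is one block (mask 0xfff0), while an unaligned range such as 1-3 needs two (1/0xffff and 2/0xfffe), so the rule count grows with how badly the range is aligned.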
From: kajtek at biezanow.net (Kajetan Staszkiewicz)
Date: Wed Aug 30 17:22:07 2006
Subject: [LARTC] pps limit ?
In-Reply-To: <20060830140726.GA24152@ldc.net>
References: <20060830140726.GA24152@ldc.net>
Message-ID: <200608301722.27174.kajtek@biezanow.net>

On Wednesday, 30 August 2006 16:07, Dmytro O. Redchuk wrote:
> Hello, list members,
>
> can i limit pps rate with linux? How?
>
> -m limit does not fit, as i understood: it can help with low rates only
> (is that true? any suggestions?)

Maybe hashlimit? What do you exactly need to do?

Here's what I use to rate pps for every host in network. In fact this is
on 2.4 kernel with dstlimit (with some changes in source), but hashlimit
works in the same way.

$IPT -t mangle -I FORWARD -i eth1 -j LIMITPAK
$IPT -t mangle -A LIMITPAK -i eth1 -s 192.168.0.0/24 -m dstlimit --dstlimit 75 --dstlimit-burst 200 --dstlimit-mode srcip --dstlimit-name eth1_0.0 -j RETURN
$IPT -t mangle -A LIMITPAK -i eth1 -s 192.168.0.0/24 -j DROP
$IPT -t mangle -A LIMITPAK -j RETURN

-- 
| pozdrawiam / greetings   | powered by Trustix, Gentoo and FreeBSD    |
| Kajetan Staszkiewicz     | jabber,email,www: vegeta()tuxpowered net  |
| Vegeta                   | IMQ devnames: http://www.tuxpowered.net   |
`------------------------^------------------------------------------'

From dor at ldc.net Thu Aug 31 08:06:56 2006
From: dor at ldc.net (Dmytro O. Redchuk)
Date: Thu Aug 31 08:06:52 2006
Subject: [LARTC] pps limit ?
In-Reply-To: <200608301722.27174.kajtek@biezanow.net>
References: <20060830140726.GA24152@ldc.net> <200608301722.27174.kajtek@biezanow.net>
Message-ID: <20060831060656.GC24152@ldc.net>

On Wed, Aug 30, 2006 at 05:22:27PM +0200, Kajetan Staszkiewicz wrote:
> On Wednesday, 30 August 2006 16:07, Dmytro O. Redchuk wrote:
> > Hello, list members,
> >
> > can i limit pps rate with linux? How?
> >
> > -m limit does not fit, as i understood: it can help with low rates only
> > (is that true? any suggestions?)
>
> Maybe hashlimit?

May be. I should try. Thanks.

> What do you exactly need to do?

Limit a host's traffic to, let's say, 8.5kpps, drop any "exceeded"
packet.

I guess dstlimit will not help me too :-( Limiting such rates on
firewalls seems to be too expensive and i don't mention a firewall
(iptables) as a tool for doing that.

No, surely, i am asking for help :-) Is there any tool which can handle
and limit such pps rates?

-m limit, if i can remember, accepts limits up to 10k, but it seems to
be *terribly* wrong on limiting that... I wish i would be incorrect...

> $IPT -t mangle -I FORWARD -i eth1 -j LIMITPAK
[...]

Thanks, anyway.

> --
> | pozdrawiam / greetings   | powered by Trustix, Gentoo and FreeBSD    |
> | Kajetan Staszkiewicz     | jabber,email,www: vegeta()tuxpowered net  |
> | Vegeta                   | IMQ devnames: http://www.tuxpowered.net   |
> `------------------------^------------------------------------------'
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

-- 
_,-=._ /|_/| `-.} `=._,.-=-._., @ @._, `._ _,-. ) _,.-' ` G.m-"^m`m' Dmytro O. Redchuk

From toto at fortesys.ro Thu Aug 31 10:22:36 2006
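To make the rate/burst interaction of Kajetan's per-source limiting concrete, and to show what a figure like the 8.5 kpps above means for a flooding host versus a normal one, here is an added shell/awk model of the token bucket that -m hashlimit and -m dstlimit in srcip mode implement. It is not code from the thread and it is an idealized model (the kernel keeps its credits in coarser units, which is why very high rates behave less exactly). The packet trace is constructed: one source sends 1000 packets within a second, another sends 50 in the same second.

```shell
#!/bin/sh
# Token-bucket model of per-source packet-rate limiting (the semantics of
# iptables -m hashlimit / -m dstlimit in srcip mode): each source gets a
# bucket of BURST tokens refilled at RATE_PPS per second; a packet spends
# one token or is dropped.  Added example, not code from the thread.
RATE_PPS=${RATE_PPS:-75}   # same figures as Kajetan's rule above
BURST=${BURST:-200}

# make_trace: constructed trace, one "seconds srcip" per line.
#   192.0.2.10 sends 1000 packets evenly over one second (a flood),
#   192.0.2.20 sends 50 packets over the same second (normal traffic).
make_trace() {
    awk 'BEGIN {
        for (i = 0; i < 1000; i++) printf "%.3f 192.0.2.10\n", i / 1000
        for (i = 0; i < 50; i++)   printf "%.3f 192.0.2.20\n", i / 50
    }'
}

# pps_limit_sim: reads a trace on stdin and prints "srcip passed dropped"
# per source, sorted by address.  Packets of one source must be in time order.
pps_limit_sim() {
    awk -v rate="$RATE_PPS" -v burst="$BURST" '
    {
        t = $1 + 0; ip = $2
        if (!(ip in tok)) {            # first packet: a full bucket
            tok[ip] = burst; last[ip] = t; passed[ip] = 0; dropped[ip] = 0
        }
        # refill for the time elapsed since this source was last seen, capped at burst
        tok[ip] += (t - last[ip]) * rate
        if (tok[ip] > burst) tok[ip] = burst
        last[ip] = t
        if (tok[ip] >= 1) { tok[ip] -= 1; passed[ip]++ } else { dropped[ip]++ }
    }
    END { for (ip in tok) printf "%s %d %d\n", ip, passed[ip], dropped[ip] }' | sort
}

# passed_for SRCIP: number of packets the given source got through the model.
passed_for() {
    make_trace | pps_limit_sim | awk -v ip="$1" '$1 == ip { print $2 }'
}

# Run stand-alone to see both sources side by side.
make_trace | pps_limit_sim
```

With rate 75 and burst 200 the flooding source gets roughly 275 packets through in its first second (the whole burst plus one second of refill) and loses the rest, while the 50 pps source loses nothing; the burst is what lets a short legitimate spike pass, the rate is what a sustained sender is held to. Setting RATE_PPS=8500 BURST=8500 models the limit asked for in this thread.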
From: toto at fortesys.ro (Iosif Peterfi)
Date: Thu Aug 31 10:18:09 2006
Subject: [LARTC] Simple PHP Internet Traffic Shaping
Message-ID: <1157012557.22804.11.camel@wks-toto>

Project "Simple PHP Internet Traffic Shaping" ('spits-0.0.8b') has
released the new version of package 'spits'.

You can download it from SourceForge.net by following this link:

or browse Release Notes and ChangeLog by visiting this link:

From rmo at sunnmore.net Thu Aug 31 12:35:32 2006
From: rmo at sunnmore.net (Roy-Magne Mo)
Date: Thu Aug 31 12:35:21 2006
Subject: [LARTC] pps limit ?
In-Reply-To: <20060830140726.GA24152@ldc.net>
References: <20060830140726.GA24152@ldc.net>
Message-ID: <44F6BB74.30307@sunnmore.net>

Dmytro O. Redchuk wrote:
> Hello, list members,
>
> can i limit pps rate with linux? How?
>
> -m limit does not fit, as i understood: it can help with low rates only
> (is that true? any suggestions?)

This is probably better achieved at the switch level. If this is for
stopping viruses and DoS-attacks, then it's better to stop the traffic
as close to the source as possible.

-- 
Roy-Magne Mo

From dor at ldc.net Thu Aug 31 13:03:58 2006
From: dor at ldc.net (Dmytro O. Redchuk)
Date: Thu Aug 31 13:04:55 2006
Subject: [LARTC] pps limit ?
In-Reply-To: <44F6BB74.30307@sunnmore.net>
References: <20060830140726.GA24152@ldc.net> <44F6BB74.30307@sunnmore.net>
Message-ID: <20060831110358.GF24152@ldc.net>

On Thu, Aug 31, 2006 at 12:35:32PM +0200, Roy-Magne Mo wrote:
> Dmytro O. Redchuk wrote:
> > Hello, list members,
> >
> > can i limit pps rate with linux? How?
> >
> > -m limit does not fit, as i understood: it can help with low rates only
> > (is that true? any suggestions?)
>
> This is probably better achieved at the switch level. If this is for
> stopping viruses and DoS-attacks, then it's better to stop the traffic
> as close to the source as possible.

Mmm, probably i mentioned a linux box acting as a bridge [too]. And,
probably, not to stop, but to "prevent", by setting up some policy for
pps rates.

Probably it's possible to set up some policing on a Cisco Catalyst
switch, but if linux had some tools to do "the same", it would be
better, as for me. And i don't like "police [rate-bps] ..." here, i like
htb in the same situation :-)

I need a kind of "police [rate-*pps*] ...", and, preferably, for linux.
:-( It's like it's not possible, so i should review my considerations
probably.

Thank you.

>
> --
> Roy-Magne Mo

-- 
_,-=._ /|_/| `-.} `=._,.-=-._., @ @._, `._ _,-. ) _,.-' ` G.m-"^m`m' Dmytro O. Redchuk

From Alessandro.Vitale at elsag.it Thu Aug 31 14:36:59 2006
From: Alessandro.Vitale at elsag.it (Vitale Alessandro)
Date: Thu Aug 31 14:36:45 2006
Subject: [LARTC] Problem with delay in htb class
Message-ID:

Hi,

We've done a lot of tests on htb classes to study the behaviour of delay.

We use this simple configuration:

tc qdisc add dev eth1 handle 1:0 root htb
tc class add dev eth1 parent 1:0 classid 1:1 htb rate 5000000 ceil 5000000 burst 30000 quantum 1600
tc class add dev eth1 parent 1:1 classid 1:10 htb prio 1 rate 1000000 ceil 1000000 quantum 1600
tc filter add dev eth1 parent 1:0 protocol ip prio 1 handle 1 fw classid 1:10
tc class add dev eth1 parent 1:1 classid 1:20 htb prio 1 rate 1500000 ceil 1500000 quantum 1600
tc filter add dev eth1 parent 1:0 protocol ip prio 1 handle 2 fw classid 1:20
tc class add dev eth1 parent 1:1 classid 1:100 htb prio 1 rate 2500000 ceil 2500000 quantum 1600
tc filter add dev eth1 parent 1:0 protocol ip prio 1 handle 10 fw classid 1:100

We create, with a SmartBits device, 3 flows with these characteristics:

1st flow: length layer 2 64 - frames per second 1758 - bandwidth total 900096
2nd flow: length layer 2 1000 - frames per second 167 - bandwidth total 1336000
3rd flow: length layer 2 1500 - frames per second 187 - bandwidth total 2244000

We are in a conforming traffic situation.

The results of the tests show us that a lot of packets of the 3rd flow
have a certain delay (between 5ms - 100ms) but we can understand the
reason.

If we change the frames per second of the 3rd flow to 120, we notice that
the 2nd flow has a certain delay too and no delay on the 3rd flow!!!!!!

How can it be possible? How does the qdisc pfifo_fast attached to each
class work? Where can this delay be generated?

We use htb version 3.7 on Kernel 2.4.20.

Thank, thank, thank !!!!

Ale&Enrick.

From bmeier at infovia.com.ar Thu Aug 31 21:46:39 2006
From: bmeier at infovia.com.ar (Beat Meier)
Date: Thu Aug 31 21:46:37 2006
Subject: [LARTC] How can I get min 64kbps max 128kbps bandwidth
Message-ID: <44F73C9F.8080206@infovia.com.ar>

Hi all

I have read the lartc manual, I have read some faqs but still don't know
how to achieve the following:

I have a 512kbps line which I share with 8 customers.
Now what I have is everyone gets max 64kbps. That's fine.

DEV=ath0
DEV_MAX_RATE=6mbit
DEV_RATE_LOW=64kbit
DEV_RATE_HIGH=128kbit

tc qdisc del dev $DEV root
tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth $DEV_MAX_RATE cell 8 mpu 64
tc class add dev $DEV parent 1:0 classid 1:1 cbq bandwidth $DEV_MAX_RATE rate $DEV_RATE_HIGH avpkt 1000 prio 5 bounded isolated \
    allot 1514 weight 1 maxburst 21
tc filter add dev $DEV parent 1: protocol ip prio 5 u32 match ip dst 0.0.0.0/0 flowid 1:1

But what I want is: if there is unused bandwidth, i.e. others are not
'working', I want to divide this available bandwidth equally among the
users who are working, BUT only up to a maximum of 128kbps.

I.e. min 64kbps max 128kbps for every user.

I know from reading that you can do such things with borrow, but how??

Any help very welcome

Thanks

Beat

From lsharpe at pacificwireless.com.au Fri Sep 1 07:55:51 2006
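For the guaranteed-minimum / borrow-up-to-a-ceiling requirement in this question, an added HTB example (not code from the thread; Beat's own script above is CBQ). In HTB, rate is the guarantee and ceil the maximum, and idle capacity of the parent is shared among the active children in proportion to their rates, so eight equal 64 kbit/s classes under a 512 kbit/s parent give each customer 64 kbit/s when all are busy and up to 128 kbit/s when others are idle. The customer addresses 192.0.2.11-18, DEV=ath0 and classification by destination IP are assumptions.

```shell
#!/bin/sh
# Per-customer guaranteed 64 kbit/s, borrowing up to 128 kbit/s while the
# shared 512 kbit/s line has spare capacity, using HTB rate/ceil.
# Added example, not code from the thread.  Assumptions: customers are told
# apart by destination IP on $DEV; the 192.0.2.x addresses are placeholders.
TC=${TC:-tc}
DEV=${DEV:-ath0}
LINE_RATE=512kbit   # the real shared line, not the interface speed
CUST_RATE=64kbit    # guaranteed per customer (8 x 64 = the whole line)
CUST_CEIL=128kbit   # maximum per customer when others are idle
CUSTOMERS="192.0.2.11 192.0.2.12 192.0.2.13 192.0.2.14 192.0.2.15 192.0.2.16 192.0.2.17 192.0.2.18"

shared_line_shaper() {
    $TC qdisc del dev "$DEV" root 2>/dev/null

    # The root class is the line itself; children can only borrow what it has,
    # so the sum of guarantees should not exceed LINE_RATE.
    $TC qdisc add dev "$DEV" root handle 1: htb default 99
    $TC class add dev "$DEV" parent 1: classid 1:1 htb rate "$LINE_RATE" ceil "$LINE_RATE"

    n=10
    for ip in $CUSTOMERS; do
        $TC class add dev "$DEV" parent 1:1 classid 1:$n htb rate "$CUST_RATE" ceil "$CUST_CEIL"
        # sfq inside each class keeps one customer's own flows fair among themselves
        $TC qdisc add dev "$DEV" parent 1:$n handle $n: sfq perturb 10
        $TC filter add dev "$DEV" parent 1: protocol ip prio 1 u32 match ip dst "$ip"/32 flowid 1:$n
        n=$((n + 1))
    done

    # Unclassified traffic gets a tiny guarantee (a small overcommit HTB
    # tolerates) rather than bypassing shaping, which "default 0" would do.
    $TC class add dev "$DEV" parent 1:1 classid 1:99 htb rate 8kbit ceil "$LINE_RATE"
}

# Print the commands instead of applying them.
dry_run() {
    TC=echo shared_line_shaper
}
```

Run `dry_run` to inspect the rules first. The parent's rate must be the real line (512 kbit/s), not the 6 mbit/s device rate used in the original script: HTB lets children borrow from the parent, so a parent that claims more than the uplink has would let customers borrow bandwidth that does not exist and the equal-share behaviour would be lost to queueing further upstream.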
From: lsharpe at pacificwireless.com.au (Leigh Sharpe)
Date: Fri Sep 1 07:55:50 2006
Subject: [LARTC] TC not recognising "mirred" argument
Message-ID:

Hi All,

I'm trying to do some traffic shaping with IFB. I have installed Ubuntu
6.0.6 and upgraded to the 2.6.17.7 kernel. I have an ifb0 device.
However, I think I may have the wrong version of TC installed, because it
doesn't like the 'mirred' argument.

What version of iproute should I be using, and how can I upgrade it?
apt-get update iproute doesn't seem to help. (tc is a part of the iproute
package, isn't it?)

Regards,
Leigh

Leigh Sharpe
Network Systems Engineer
Pacific Wireless
Ph +61 3 9584 8966
Mob 0408 009 502
email lsharpe@pacificwireless.com.au
web www.pacificwireless.com.au

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060901/51330eab/attachment.html

From lsharpe at pacificwireless.com.au Fri Sep 1 08:23:37 2006
From: lsharpe at pacificwireless.com.au (Leigh Sharpe)
Date: Fri Sep 1 08:23:30 2006
Subject: [LARTC] multiple IFBs
Message-ID:

Hi all,

Further to my previous questions, I need lots of IFBs on this thing.
I have configured IFB as a module, and issuing a modprobe ifb loads it,
but only gives me 2 IFBs (ifb0 and ifb1). How can I get more? I'm
probably looking at needing about 20 on this project.

Regards,
Leigh

Leigh Sharpe
Network Systems Engineer
Pacific Wireless
Ph +61 3 9584 8966
Mob 0408 009 502
email lsharpe@pacificwireless.com.au
web www.pacificwireless.com.au

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060901/721f1867/attachment.htm

From doudouyam at gmail.com Fri Sep 1 15:57:53 2006
From: doudouyam at gmail.com (doudouyam)
Date: Fri Sep 1 15:57:37 2006
Subject: [LARTC] HFSC help
Message-ID: <81c11a560609010657k74a1bc23mb304d5ae127fc7e@mail.gmail.com>

hi,

I would like to use the HFSC scheduler for my QoS. I have 4 classes and 2
of them need control of the bandwidth and the latencies, so I think I
must use HFSC.

So I read some doc ( http://del.icio.us/tag/hfsc ) but it's not very
clear. I made some tests with different parameters but I'm not able to
use this scheduler correctly:

$TC qdisc add dev $dev root handle 1: hfsc default 40
$TC class add dev $dev parent 1: classid 1:1 hfsc sc rate 10mbit ul rate 10mbit

### VOIP
$TC class add dev $dev parent 1:1 classid 1:10 hfsc rt umax 1500b dmax 5ms rate 200kbit ls umax 1500b dmax 60ms rate 200kbit ul rate 200kbit

### Video
$TC class add dev $dev parent 1:1 classid 1:20 hfsc rt umax 1500b dmax 10ms rate 5mbit ls umax 1500b dmax 60ms rate 5Mbit ul rate 5Mbit

## Data
$TC class add dev $dev parent 1:1 classid 1:30 hfsc sc rate 1mbit ul rate 10mbit
$TC class add dev $dev parent 1:1 classid 1:40 hfsc sc rate 1mbit ul rate 10mbit

$TC qdisc add dev $dev parent 1:10 handle 10 sfq perturb 10
$TC qdisc add dev $dev parent 1:20 handle 20 sfq perturb 10
$TC qdisc add dev $dev parent 1:30 handle 30 sfq perturb 10
$TC qdisc add dev $dev parent 1:40 handle 40 sfq perturb 10

Can you help me? I want a prioritization like this:

1 VOIP
2 VIDEO
3 Data1 (1:30)
4 Data2 (1:40)

Thanks.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060901/a760ccc1/attachment.html

From franco.daje at virgilio.it Fri Sep 1 16:27:01 2006
From: franco.daje at virgilio.it (Franco)
Date: Fri Sep 1 16:26:48 2006
Subject: [LARTC] I not find in the kernel code the code of this command
Message-ID: <007701c6cdd2$b0c36720$0201a8c0@PCFranco>

Hi!,

My problem is this: I'm searching, in the kernel code, for the code that
implements this command:

tc filter add dev eth2 parent ffff: protocol ip prio 1 u32 match ip src 0.0.0.0/0 police rate $1 burst $2 drop flowid :1

I thought that this code was police.c but it seems that it isn't. I must
implement a proc file in the code and recompile the kernel.

Please send any response to my mail address (franco.daje@virgilio.it)

Thanks

Franco

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060901/09a1f25d/attachment.htm

From andreas at stapelspeicher.org Fri Sep 1 20:01:53 2006
From: andreas at stapelspeicher.org (Andreas Mueller)
Date: Fri Sep 1 20:02:58 2006
Subject: [LARTC] I not find in the kernel code the code of this command
In-Reply-To: <007701c6cdd2$b0c36720$0201a8c0@PCFranco>
References: <007701c6cdd2$b0c36720$0201a8c0@PCFranco>
Message-ID: <20060901180153.GA6342@lintera>

Franco wrote:
> Hi!,
> My problem is this:
> I'm searching, in kernel code, the code that implement this command:
>
> tc filter add dev eth2 parent ffff: protocol ip prio 1 u32 match ip src 0.0.0.0/0 police rate $1 burst $2 drop flowid :1
>
> I thought that this code was police.c but seem that it isn't
> i must implement a proc file in the code and recompiling the kernel.
>
> Please send eventual response to my mail address (franco.daje@virgilio.it)
>
> Thanks
>
> Franco
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

In 2.6.17.11 it should be in net/sched/act_police.c .

Andreas

From shemminger at osdl.org Fri Sep 1 22:02:16 2006
From: shemminger at osdl.org (Stephen Hemminger)
Date: Fri Sep 1 22:02:03 2006
Subject: [LARTC] multiple IFBs
Message-ID: <20060901130216.590b1fea@localhost.localdomain>

On Fri, 1 Sep 2006 16:23:37 +1000
"Leigh Sharpe" wrote:

> Hi all,
> Further to my previous questions, I need lots of IFBs on this thing.
> I have configured IFB as a module, and issuing a modprobe ifb loads it,
> but only gives me 2 IFBs (ifb0 and ifb1). How can I get more? I'm
> probably looking at needing about 20 on this project.
>

"Read the source Leigh"

modprobe ifb numifbs=20

--
Stephen Hemminger

From shemminger at osdl.org Fri Sep 1 22:03:59 2006
From: shemminger at osdl.org (Stephen Hemminger)
Date: Fri Sep 1 22:03:49 2006
Subject: [LARTC] TC not recognising "mirred" argument
Message-ID: <20060901130359.5d634cc9@localhost.localdomain>

On Fri, 1 Sep 2006 15:55:51 +1000
"Leigh Sharpe" wrote:

> Hi All,
> I'm trying to do some traffic shaping with IFB. I have installed Ubuntu
> 6.0.6 and upgraded to the 2.6.17.7 kernel. I have an ifb0 device.
> However, I think I may have the wrong version of TC installed, because
> it doesn't like the 'mirred' argument.
> What version of iproute should I be using, and how can I upgrade it?
> apt-get update iproute doesn't seem to help. (tc is a part of the
> iproute package, isn't it?)
>
> Regards,
> Leigh
>
> Leigh Sharpe
> Network Systems Engineer
> Pacific Wireless
> Ph +61 3 9584 8966
> Mob 0408 009 502
> email lsharpe@pacificwireless.com.au
> web www.pacificwireless.com.au
>

Current information: http://linux-net.osdl.org/index.php/iproute2

--
Stephen Hemminger

From franco.daje at virgilio.it Fri Sep 1 22:09:16 2006
From: franco.daje at virgilio.it (Franco)
Date: Fri Sep 1 22:08:56 2006
Subject: [LARTC] I not find in the kernel code the code of this command
References: <007701c6cdd2$b0c36720$0201a8c0@PCFranco> <20060901180153.GA6342@lintera>
Message-ID: <000a01c6ce02$80adfb60$0201a8c0@PCFranco>

Many thanks for the help!
But I'm using linux-2.6.11-6MDK and in net/sched there isn't act_police.c

> Franco wrote:
>> Hi!,
>> My problem is this:
>> I'm searching, in the kernel code, for the code that implements this command:
>>
>> tc filter add dev eth2 parent ffff: protocol ip prio 1 u32 match ip src
>> 0.0.0.0/0 police rate $1 burst $2 drop flowid :1
>>
>> I thought that this code was police.c but it seems that it isn't.
>> I must implement a proc file in the code and recompile the kernel.
>>
>> Please send any response to my mail address
>> (franco.daje@virgilio.it)
>>
>> Thanks
>>
>> Franco
>
> In 2.6.17.11 it should be in net/sched/act_police.c .
>
> Andreas

From gypsy at iswest.com Sat Sep 2 06:07:35 2006
From: gypsy at iswest.com (gypsy)
Date: Sat Sep 2 06:07:26 2006
Subject: [LARTC] HFSC help
References: <81c11a560609010657k74a1bc23mb304d5ae127fc7e@mail.gmail.com>
Message-ID: <44F90387.A3C76D79@iswest.com>

doudouyam wrote:
> So I read some docs ( http://del.icio.us/tag/hfsc ) but they are not very
> clear.

http://linux-ip.net/tc/hfsc.en/

From tino.kriswanto at gmail.com Sat Sep 2 14:59:55 2006
From: tino.kriswanto at gmail.com (tino)
Date: Sat Sep 2 14:59:45 2006
Subject: [LARTC] maximum class
Message-ID: <00c001c6ce8f$b3d5b450$7a0989ca@bmsby010128>

Hi,
Currently I'm using 48 classes with htb and it is very stable.
Is there any maximum number of classes I can create in a single linux box?
I need 500 or even 1000 classes for a campus network.

Any help appreciated

thanks & regards
Tino

From vit at icebrains-soft.com Sat Sep 2 18:23:23 2006
From: vit at icebrains-soft.com (vit@icebrains-soft.com)
Date: Sat Sep 2 18:21:31 2006
Subject: [LARTC] Traffic shaper based on UIDs
Message-ID: <20060902162323.GA2123@swdevel.local>

Hello!

I need assistance to solve my problem related to traffic shaping based on user ids.

The problem: each unix user (of the linux host) has to be limited in incoming channel (internet) bandwidth. I need this to implement an internet access solution based on ltsp (http://www.ltsp.org).

As far as I know the best way to shape traffic in linux is CBQ. But there is no filter based on unix user id (the reason is clear to everybody: an ip packet doesn't contain this information).

I've found the very interesting netfilter patches at the patch-o-matic:
http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-owner-socketlookup
http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-owner-supgids
http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-ip_queue_vwmark

Am I on the right way? How can I combine the power of netfilter and traffic control systems to solve my problem?

I am new to this topic, so excuse me if my questions are too simple or "dummy" ::-)

Thank you beforehand!

--
Sincerely yours,
Vitaly Repin
Ice Brains Software, ltd

From linux at arcoscom.com Sun Sep 3 22:24:32 2006
From: linux at arcoscom.com (ArcosCom Linux User)
Date: Sun Sep 3 22:24:19 2006
Subject: [LARTC] Re: [Linux-igd-help] Multiple WAN + Multiple LAN + linux-igd
In-Reply-To: <50182.80.32.64.202.1156791908.squirrel@www.arcoscom.com>
References: <50182.80.32.64.202.1156791908.squirrel@www.arcoscom.com>
Message-ID: <40005.212.122.126.26.1157315072.squirrel@www.arcoscom.com>

Can anyone help me?

On Mon, 28 August 2006, 21:05, ArcosCom Linux User wrote:
> Hi, I'm implementing a linux router with these characteristics:
> - Multiple adsl, each with public ip's
> - Multiple LAN ethernets (in a bridge).
> - Linux IGD
>
> I have successfully implemented the first 2 steps, the adsl balances fine
> (multipath routing), and the clients bridge fine.
>
> My problem is how to use that with linux-igd.
>
> My LAN bridge has STP and is implemented for high availability, it's
> working fine (and tested). I run upnpd with one wan iface as WAN iface and
> the bridge one as LAN iface and it is working fine over that iface.
>
> All my public IPs are static, and I think I only have to put all my wan
> ifaces in the same bridge, but I don't know if multipath routing will work
> as it does now.
>
> I have no problem configuring a "without IP" bridge with all the wan
> ifaces, and putting the public ips on the real iface, not the bridge (in the
> LAN BRIDGE, all private ips were on the bridge iface). But I don't know
> if this "theory" will work.
>
> The idea is to put redirected ports on ALL WAN IFACES at the same time and
> allow upnpd to work over all WAN IFACES at the same time.
>
> Will it work? (putting public ips on wan ifaces and not using an ip for the wan
> bridge iface).
>
> If it works: Will I have problems with the arp protocol or anything?
>
> Any ideas? Has anyone implemented something like this?
>
> To summarize, I don't want help about multipath routing or bridging, I
> only need to know if "the theory" will work and, if it doesn't work, any ideas on
> how to get this working.
>
> Many thanks!!
>
> P.D.: Sorry for my English.
>

From dor at ldc.net Mon Sep 4 09:20:13 2006
From: dor at ldc.net (Dmytro O. Redchuk)
Date: Mon Sep 4 09:20:04 2006
Subject: [LARTC] maximum class
In-Reply-To: <00c001c6ce8f$b3d5b450$7a0989ca@bmsby010128>
References: <00c001c6ce8f$b3d5b450$7a0989ca@bmsby010128>
Message-ID: <20060904072013.GA28517@ldc.net>

On Sat, Sep 02, 2006 at 07:59:55PM +0700, tino wrote:
> Hi,
> Currently I'm using 48 classes with htb and it is very stable.
> Is there any maximum number of classes I can create in a single linux box?
> I need 500 or even 1000 classes for a campus network.

Up to 0xffff. Per device per qdisc.

(Every classid you are using is in hex, too: i.e. "classid 1:48" is 1:[0x0048] actually)

Am I right, by the way?-)
Is the
max_number = number_of_qdiscs_at_device * number_of_classes_at_qdisc = 0xffff * 0xffff ?

Or is there some DEFINE'd limitation (in the kernel's header files, let's say)?

> Any help appreciated
>
> thanks & regards
> Tino

--
  _,-=._              /|_/|
  `-.}   `=._,.-=-._.,  @ @._,
     `._ _,-.   )      _,.-'
        `    G.m-"^m`m'  Dmytro O. Redchuk

From tino.kriswanto at gmail.com Mon Sep 4 09:28:26 2006
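Following up on the point that tc reads classids as hex, here is an added shell example (not from anyone on the list) that generates the "tc class add" lines for a large number of leaf HTB classes with hex-formatted minor ids and refuses to go past the 0xffff limit; the device, parent class, start id and rates it takes are placeholders.

```sh
# Added example (not from the thread): emit "tc class add" lines for COUNT
# leaf HTB classes under PARENT, giving each a minor id in hex, since tc
# reads classids as hex: the 48th leaf numbered from 1 is 1:30, not 1:48.
# Minor ids are 16 bits, so START+COUNT-1 may not exceed 65535 (0xffff).
# Pick START above the parent's own minor id (1:10 style) so no leaf
# collides with it. Device, parent and rates are placeholders chosen here.
# Usage: gen_htb_classes DEV PARENT START COUNT RATE CEIL
gen_htb_classes() {
    dev=$1; parent=$2; start=$3; count=$4; rate=$5; ceil=$6
    major=${parent%%:*}                    # "1:1" -> "1"
    last=$((start + count - 1))
    if [ "$start" -lt 1 ] || [ "$count" -lt 1 ] || [ "$last" -gt 65535 ]; then
        echo "gen_htb_classes: minor ids must stay within 1..65535 (0xffff)" >&2
        return 1
    fi
    i=$start
    while [ "$i" -le "$last" ]; do
        printf 'tc class add dev %s parent %s classid %s:%x htb rate %s ceil %s\n' \
            "$dev" "$parent" "$major" "$i" "$rate" "$ceil"
        i=$((i + 1))
    done
}

# The classid tc will actually use for decimal minor number N under PARENT,
# e.g. classid_for 1:1 48 -> 1:30
classid_for() {
    printf '%s:%x' "${1%%:*}" "$2"
}

# Classid of the last class a run would create, or empty if over the limit.
last_classid() {
    gen_htb_classes "$@" | tail -n 1 | sed -n 's/.*classid \([^ ]*\).*/\1/p'
}
```

Pipe the output into sh once it looks right; the `default` minor id on the htb qdisc must name one of the classes actually created.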
From: tino.kriswanto at gmail.com (tino)
Date: Mon Sep 4 09:28:17 2006
Subject: [LARTC] maximum class
References: <00c001c6ce8f$b3d5b450$7a0989ca@bmsby010128> <20060904072013.GA28517@ldc.net>
Message-ID: <007001c6cff3$bb4cc150$7a0989ca@bmsby010128>

ffff equals 65535 classes.
Yes, I need to know if there is any limitation or how to set the maximum desired in a single linux box.
Any user experience with 1000 classes or above?

regards,
Tino

----- Original Message -----
From: "Dmytro O. Redchuk"
To: "tino"
Cc:
Sent: Monday, September 04, 2006 2:20 PM
Subject: Re: [LARTC] maximum class

> On Sat, Sep 02, 2006 at 07:59:55PM +0700, tino wrote:
>> Hi,
>> Currently I'm using 48 classes with htb and it is very stable.
>> Is there any maximum number of classes I can create in a single linux box?
>> I need 500 or even 1000 classes for a campus network.
> Up to 0xffff. Per device per qdisc.
>
> (Every classid you are using is in hex, too: i.e. "classid 1:48" is
> 1:[0x0048] actually)
>
> Am I right, by the way?-)
> Is the
> max_number = number_of_qdiscs_at_device *
> number_of_classes_at_qdisc = 0xffff * 0xffff ?
>
> Or is there some DEFINE'd limitation (in the kernel's header files, let's
> say)?
>
>> Any help appreciated
>>
>> thanks & regards
>> Tino
>
> --
>   _,-=._              /|_/|
>   `-.}   `=._,.-=-._.,  @ @._,
>      `._ _,-.   )      _,.-'
>         `    G.m-"^m`m'  Dmytro O. Redchuk
>

From marek at piasta.pl Mon Sep 4 11:40:13 2006
From: marek at piasta.pl (Marek Kierdelewicz)
Date: Mon Sep 4 11:34:00 2006
Subject: [LARTC] maximum class
In-Reply-To: <007001c6cff3$bb4cc150$7a0989ca@bmsby010128>
References: <00c001c6ce8f$b3d5b450$7a0989ca@bmsby010128> <20060904072013.GA28517@ldc.net> <007001c6cff3$bb4cc150$7a0989ca@bmsby010128>
Message-ID: <20060904114013.095ec483@localhost.localdomain>

Hi

> Any user experience with 1000 classes or above?

I've got 6634 classes on one host. Everything works the way it should.

regards,

--
Marek Kierdelewicz
Kierownik Działu Systemów Sieciowych, KoBa
Manager of Network Systems Department, KoBa
tel. (85) 7406466; fax. (85) 7406467
e-mail: admin@koba.pl

From iosif.peterfi at fortesys.ro Mon Sep 4 17:13:51 2006
From: iosif.peterfi at fortesys.ro (Iosif Peterfi)
Date: Mon Sep 4 17:13:36 2006
Subject: [LARTC] SPITS 0.0.9b
Message-ID: <1157382831.4441.23.camel@wks-toto>

Hello list,

I've been using linux and open source software for over 5 years now and I want to give something back to the community.

I'm working on a PHP-based project (SPITS). The aim of this project is to easily create a shaping script, using a web interface, without needing to know tc and iptables command line options.

As the project is now in beta stage, a CSS stylesheet will be made soon, but I'm more interested in the ease of use of the interface. Considering some of you have enough knowledge about tc qdiscs/classes and iptables, I want you people to give SPITS a try.

Only a few qdisc types are available now, and 2 iptables matches. I intend to make SPITS able to import qdisc types and iptables matches via xml, with documentation and information regarding command line options, kernel options and iptables libs needed by the system in order for the xml module (qdisc/match) to work properly.

Right now the project is not documented at all, only the few steps needed in order to set up a database and the config file.

I'm really interested in your feedback, suggestions and bug reports.

Version 0.0.9b can be downloaded at: http://spits.sf.net/

The next release will include a CSS stylesheet and the possibility to import/export the shaping configuration via xml.

Best regards,
Iosif

From bertrand.lupart at linkeo.com Mon Sep 4 18:13:10 2006
From: bertrand.lupart at linkeo.com (Bertrand LUPART)
Date: Mon Sep 4 18:24:48 2006
Subject: [LARTC] Source policy routing in the HOWTO
Message-ID: <1hl5j8p.z2dz18u2x1l9N%bertrand.lupart@linkeo.com>

Hello,

[I hope I'm on the lartc mailing list - I'm posting using gmane]

I used the "Linux Advanced Routing & Traffic Control HOWTO" for doing source routing using iproute2.

The documentation would be perfect if the source routing page mentioned you may have to turn off spoofing protection on ppp2:

----8<----8<----8<----8<----
echo 0 > /proc/sys/net/ipv4/conf/ppp2/rp_filter
---->8---->8---->8---->8----

I was stuck for quite some time with no net and my logs full of:

----8<----8<----8<----8<----
kernel: martian source 42424242 for 42424242, dev ppp0
---->8---->8---->8---->8----

It's a useful HOWTO. Thanks.

--
Bertrand

From oliver at samera.com.py Mon Sep 4 21:02:07 2006
From: oliver at samera.com.py (Oliver Schulze L.)
Date: Mon Sep 4 21:01:52 2006
Subject: [LARTC] SPITS 0.0.9b
In-Reply-To: <1157382831.4441.23.camel@wks-toto>
References: <1157382831.4441.23.camel@wks-toto>
Message-ID: <44FC782F.5040903@samera.com.py>

Looks nice, do you have a demo page?

Oliver

--
Oliver Schulze L.
Get my e-mail after a captcha test in:
http://tinymailto.com/oliver

From tino.kriswanto at gmail.com Tue Sep 5 02:19:30 2006
From: tino.kriswanto at gmail.com (tino)
Date: Tue Sep 5 02:19:26 2006
Subject: [LARTC] maximum class
References: <00c001c6ce8f$b3d5b450$7a0989ca@bmsby010128> <20060904072013.GA28517@ldc.net>
Message-ID: <002701c6d080$faf79a40$7a0989ca@bmsby010128>

Hi Marek Kierdelewicz,
With the 6634 classes you have, could you share with us your current box's CPU load, memory utilization, and whether it is cbq or htb?
If the usage is reasonably low, I will start to build a perl script to write large numbers of classes.

many thanks,
Tino

Date: Mon, 4 Sep 2006 11:40:13 +0200
From: Marek Kierdelewicz
Subject: Re: [LARTC] maximum class
To: lartc@mailman.ds9a.nl
Message-ID: <20060904114013.095ec483@localhost.localdomain>
Content-Type: text/plain; charset=ISO-8859-2

Hi

> Any user experience with 1000 classes or above?

I've got 6634 classes on one host. Everything works the way it should.

regards,

--
Marek Kierdelewicz
Kierownik Działu Systemów Sieciowych, KoBa
Manager of Network Systems Department, KoBa
tel. (85) 7406466; fax. (85) 7406467
e-mail: admin@koba.pl

----- Original Message -----
From: "Dmytro O. Redchuk"
To: "tino"
Cc:
Sent: Monday, September 04, 2006 2:20 PM
Subject: Re: [LARTC] maximum class

> On Sat, Sep 02, 2006 at 07:59:55PM +0700, tino wrote:
>> Hi,
>> Currently I'm using 48 classes with htb and it is very stable.
>> Is there any maximum number of classes I can create in a single linux box?
>> I need 500 or even 1000 classes for a campus network.
> Up to 0xffff. Per device per qdisc.
>
> (Every classid you are using is in hex, too: i.e. "classid 1:48" is
> 1:[0x0048] actually)
>
> Am I right, by the way?-)
> Is the
> max_number = number_of_qdiscs_at_device *
> number_of_classes_at_qdisc = 0xffff * 0xffff ?
>
> Or is there some DEFINE'd limitation (in the kernel's header files, let's
> say)?
>
>> Any help appreciated
>>
>> thanks & regards
>> Tino
>
> --
>   _,-=._              /|_/|
>   `-.}   `=._,.-=-._.,  @ @._,
>      `._ _,-.   )      _,.-'
>         `    G.m-"^m`m'  Dmytro O. Redchuk
>

From ltlbeaver at gmail.com Tue Sep 5 08:24:09 2006
From: ltlbeaver at gmail.com (ltlbeaver)
Date: Tue Sep 5 08:24:04 2006
Subject: [LARTC] SPITS 0.0.9b
In-Reply-To: <1157382831.4441.23.camel@wks-toto>
References: <1157382831.4441.23.camel@wks-toto>
Message-ID: <44FD1809.5090104@gmail.com>

Please include some screenshots!

From iosif.peterfi at fortesys.ro Tue Sep 5 15:52:04 2006
From: iosif.peterfi at fortesys.ro (Iosif Peterfi)
Date: Tue Sep 5 15:51:29 2006
Subject: [LARTC] SPITS 0.0.9b
In-Reply-To: <44FC782F.5040903@samera.com.py>
References: <1157382831.4441.23.camel@wks-toto> <44FC782F.5040903@samera.com.py>
Message-ID: <1157464325.6266.3.camel@wks-toto>

On Mon, 2006-09-04 at 15:02 -0400, Oliver Schulze L. wrote:
> Looks nice, do you have a demo page?

http://193.111.161.6/SPITS/site/index.php - is the management page

http://193.111.161.6/SPITS/site/crontabs/spits.php - is the output generated by the script, which should run as root but actually runs as the apache user now. Debugging output and executed commands can be seen in the output.

>
> Oliver
>

From iosif.peterfi at fortesys.ro Tue Sep 5 16:03:14 2006
From: iosif.peterfi at fortesys.ro (Iosif Peterfi)
Date: Tue Sep 5 16:02:43 2006
Subject: [LARTC] SPITS 0.0.9b
In-Reply-To: <1157464325.6266.3.camel@wks-toto>
References: <1157382831.4441.23.camel@wks-toto> <44FC782F.5040903@samera.com.py> <1157464325.6266.3.camel@wks-toto>
Message-ID: <1157464994.6266.11.camel@wks-toto>

On Tue, 2006-09-05 at 16:52 +0300, Iosif Peterfi wrote:
> On Mon, 2006-09-04 at 15:02 -0400, Oliver Schulze L. wrote:
> > Looks nice, do you have a demo page?
>
> http://193.111.161.6/SPITS/site/index.php - is the management page

SQL injection is likely to be possible; also, interfaces added cannot be deleted at this time, so I suggest everyone create a fake interface and play with that interface and the few qdiscs available :p

> http://193.111.161.6/SPITS/site/crontabs/spits.php - is the output
> generated by the script, which should run as root but actually runs as
> the apache user now. Debugging output and executed commands can be seen in
> the output.

View source in the browser as the output is plain text, not HTML :)

> >
> > Oliver
> >
>

From oliver at samera.com.py Tue Sep 5 20:54:06 2006
From: oliver at samera.com.py (Oliver Schulze L.)
Date: Tue Sep 5 20:53:51 2006
Subject: [LARTC] SPITS 0.0.9b
In-Reply-To: <1157464994.6266.11.camel@wks-toto>
References: <1157382831.4441.23.camel@wks-toto> <44FC782F.5040903@samera.com.py> <1157464325.6266.3.camel@wks-toto> <1157464994.6266.11.camel@wks-toto>
Message-ID: <44FDC7CE.1050705@samera.com.py>

Iosif Peterfi wrote:
>
> View source in the browser as the output is plain text, not HTML :)
>

tks

Oliver

--
Oliver Schulze L.
Get my e-mail after a captcha test in:
http://tinymailto.com/oliver

From jfulton at arctic.net Tue Sep 5 21:08:17 2006
From: jfulton at arctic.net (John Fulton)
Date: Tue Sep 5 21:09:47 2006
Subject: [LARTC] Routing question
In-Reply-To: <1157464325.6266.3.camel@wks-toto>
References: <1157382831.4441.23.camel@wks-toto> <44FC782F.5040903@samera.com.py> <1157464325.6266.3.camel@wks-toto>
Message-ID: <7.0.1.0.2.20060905105946.01227990@arctic.net>

I've always had to either have routing on, or off, on a system. For the first time this week I have a system on the internet but with one connection to a private network to manage a piece of network gear.

The situation is that I have a server on an 802.1q trunk with 4 VLAN interfaces on the internet that need standard routing across the interfaces: eth0.3, eth0.7, eth0.10, and eth0.11, all with public address space and standard routing. I just turned up eth0.2 on a private network (192.168.x.x) that I need to prevent any traffic from the public interfaces from reaching.

After dipping into the iprouting documentation, it's only confused me more. I assume this is accomplished with a rule but so far I have only been able to completely shut off access to the private network entirely, including the server's access to that subnet.

Could someone point me to an example of how this can be done?

Thank you!

John Fulton
Anchorage, AK

From doudouyam at gmail.com Wed Sep 6 14:32:48 2006
From: doudouyam at gmail.com (doudouyam)
Date: Wed Sep 6 14:32:37 2006
Subject: [LARTC] Can i attach another qdisc (htb) under HFSC classfull ?
Message-ID: <81c11a560609060532u8be1599ndc89b573ad48db9e@mail.gmail.com>

Hi,

Is it possible to attach another qdisc under an HFSC classful qdisc? I tried it and the configuration works:

$TC qdisc add dev $dev root handle 1: hfsc default 30
$TC class add dev $dev parent 1: classid 1:1 hfsc sc rate ${RATE}mbit ul rate ${RATE}mbit
$TC class add dev $dev parent 1:1 classid 1:10 hfsc rt umax 1500b dmax 30ms rate 200kbit
$TC class add dev $dev parent 1:1 classid 1:20 hfsc rt umax 1500b dmax 1ms rate 5mbit
$TC class add dev $dev parent 1:1 classid 1:40 hfsc sc rate ${RATE15}mbit ul rate ${RATE}mbit
$TC qdisc add dev $dev parent 1:10 handle 10 sfq perturb 10
$TC qdisc add dev $dev parent 1:20 handle 20 sfq perturb 10
$TC qdisc add dev $dev parent 1:30 handle 30:0 htb default 302
$TC class add dev $dev parent 30:0 classid 30:1 htb rate ${RATE}mbit burst 15k quantum 60000
$TC class add dev $dev parent 30:1 classid 30:10 htb rate ${RATE15}mbit ceil ${RATE}mbit burst 15k prio 1 quantum 60000
$TC class add dev $dev parent 30:1 classid 30:20 htb rate ${RATE15}mbit ceil ${RATE}mbit burst 15k prio 2 quantum 60000
$TC qdisc add dev $dev parent 30:10 handle 301:0 sfq perturb 10
$TC qdisc add dev $dev parent 30:20 handle 302:0 sfq perturb 10

            1:0 hfsc
               |
            1:1 hfsc
          /    |    \
      1:10   1:20   1:30
       |      |      |
   10 (sfq) 20(sfq) 30(htb)
                     |
                  30:1(htb)
                  /     \
              30:10    30:20
                |        |
            310(sfq)  320(sfq)

But when I make a filter to put packets into one of the HTB classes (30:10), they arrive at the main HTB class (30) and are sent directly to the interface. They don't pass through the HTB class, but the stream goes out of the router.
qdisc hfsc 1: default 30
 Sent 81396094 bytes 59762 pkt (dropped 23, overlimits 34777 requeues 0)
 backlog 0b 3p requeues 0
qdisc sfq 10: parent 1:10 limit 128p quantum 1514b perturb 10sec
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
qdisc sfq 20: parent 1:20 limit 128p quantum 1514b perturb 10sec
 Sent 53186158 bytes 39167 pkt (dropped 0, overlimits 0 requeues 1)
 backlog 0b 0p requeues 1
qdisc htb 30: parent 1:30 r2q 10 default 302 direct_packets_stat 20575
 Sent 28182776 bytes 20575 pkt (dropped 0, overlimits 0 requeues 14527)
 backlog 0b 3p requeues 14527
qdisc sfq 301: parent 30:10 limit 128p quantum 1514b perturb 10sec
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
qdisc sfq 302: parent 30:20 limit 128p quantum 1514b perturb 10sec
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0

Can you help me?

From lsharpe at pacificwireless.com.au Thu Sep 7 08:26:33 2006
From: lsharpe at pacificwireless.com.au (Leigh Sharpe)
Date: Thu Sep 7 08:26:32 2006
Subject: [LARTC] Rate limits whithin rate limits
Message-ID:

Hi all,

I'm sure I'm doing something wrong here. I am trying to set up a rate limit inside another rate limit. e.g. I have a 512K rate limit on a particular VLAN. I am using an IFB so that packets passing through the bridge are counted at each port (i.e. the throughput is limited to 512K, not just the traffic in one direction). This part works OK, but I also want to limit a particular IP to much less than that, say 100K. Therefore, overall the VLAN can pass no more than 512K, and the particular host cannot exceed 100K of that 512K.

Using the config below, I'm able to limit the VLAN to 512K and the nominated host to 100K, but the total (i.e. nominated host + all other traffic) adds up to 612K. The child classes are limiting appropriately, but not respecting the parent class.

Anybody care to shed some light on what I might be doing wrong?

Config as follows:

#!/bin/sh
# Load kernel modules
modprobe ifb numifbs=1000
modprobe act_mirred
# set up raw queuing discipline on ports.
tc qdisc add dev eth0.10 root handle 1:0 cbq bandwidth 100Mbit avpkt 1000 cell 8
tc qdisc add dev eth1.10 root handle 1:0 cbq bandwidth 100Mbit avpkt 1000 cell 8
# bring up IFB
ifconfig ifb10 up
# Add queuing disciplines to IFB
# Raw qdisc first.
tc qdisc add dev ifb10 root handle 1:0 cbq bandwidth 100Mbit avpkt 1000 cell 8
# Now add the rate limit
tc class add dev ifb10 parent 1:0 classid 1:1 cbq bandwidth 100Mbit rate 512Kbit weight 51Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded isolated
# Now re-direct all ingress packets to the IFB
tc qdisc add dev eth0.10 ingress
tc qdisc add dev eth1.10 ingress
tc filter add dev eth0.10 parent ffff: protocol ip prio 10 u32 match u32 0 0 flowid 1:1 action mirred egress redirect dev ifb10
tc filter add dev eth1.10 parent ffff: protocol ip prio 10 u32 match u32 0 0 flowid 1:1 action mirred egress redirect dev ifb10
# Now add a 100K rate limit for packets to or from 172.16.1.117, plus another 512K rate limit for the entire VLAN.
# Add an unlimited class for un-matched data.
tc class add dev ifb10 parent 1:1 classid 1:2 cbq bandwidth 100Mbit rate 512Kbit weight 51Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded isolated
# Add the new class, limited to 100K
tc class add dev ifb10 parent 1:1 classid 1:3 cbq bandwidth 100Mbit rate 256Kbit weight 10KBit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded isolated
# Now add the filters to direct traffic to each of the above classes.
tc filter add dev ifb10 parent 1:0 protocol ip prio 1 u32 match ip src 172.16.1.117/32 flowid 1:3
tc filter add dev ifb10 parent 1:0 protocol ip prio 1 u32 match ip dst 172.16.1.117/32 flowid 1:3
tc filter add dev ifb10 parent 1:0 protocol ip prio 2 u32 match u32 0 0 flowid 1:2

Class 1:3 is a 100K rate limit. 1:2 is a 512K rate limit, for otherwise unmatched traffic. 1:2 and 1:3 are both children of 1:1, which is an overall 512K limit. Should this not set an upper limit for all traffic through ifb10?

Regards,
Leigh

Leigh Sharpe
Network Systems Engineer
Pacific Wireless
Ph +61 3 9584 8966
Mob 0408 009 502
email lsharpe@pacificwireless.com.au
web www.pacificwireless.com.au
From lsharpe at pacificwireless.com.au Thu Sep 7 08:42:00 2006
From: lsharpe at pacificwireless.com.au (Leigh Sharpe)
Date: Thu Sep 7 08:41:54 2006
Subject: [LARTC] Routing question
In-Reply-To: <7.0.1.0.2.20060905105946.01227990@arctic.net>
Message-ID:

I'll try that on-list this time......

An iptables rule in the FORWARD chain to DROP all packets to/from that network? Using the FORWARD chain should allow access from the server's IP address, but not allow any forwarded traffic.

Regards,
Leigh

Leigh Sharpe
Network Systems Engineer
Pacific Wireless
Ph +61 3 9584 8966
Mob 0408 009 502
email lsharpe@pacificwireless.com.au
web www.pacificwireless.com.au

-----Original Message-----
From: jfulton@arctic.net [mailto:jfulton@arctic.net]
Sent: Wednesday, September 06, 2006 5:08 AM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] Routing question

I've always had to either have routing on, or off, on a system. For the first time this week I have a system on the internet but with one connection to a private network to manage a piece of network gear.

The situation is that I have a server on an 802.1q trunk with 4 VLAN interfaces on the internet that need standard routing across the interfaces: eth0.3, eth0.7, eth0.10, and eth0.11, all with public address space and standard routing. I just turned up eth0.2 on a private network (192.168.x.x) that I need to prevent any traffic from the public interfaces from reaching.

After dipping into the iprouting documentation, it's only confused me more. I assume this is accomplished with a rule but so far I have only been able to completely shut off access to the private network entirely, including the server's access to that subnet.

Could someone point me to an example of how this can be done?

Thank you!

John Fulton
Anchorage, AK

From bugzilla at sysreset.com Fri Sep 8 10:01:55 2006
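Leigh's FORWARD-chain suggestion above, written out as an added shell example that is not from the thread: it assumes the management VLAN is eth0.2, uses 192.168.0.0/16 as a placeholder for the private subnet, and adds rate-limited logging of dropped forwarding attempts so they can be spotted in the kernel log.

```sh
# Added example (not from the thread): keep the router's own sessions to the
# management VLAN on eth0.2 while refusing to forward anything between it and
# the public VLAN interfaces. Only the FORWARD chain is touched, so INPUT and
# OUTPUT (the server's own access to 192.168.x.x) are unaffected. The subnet
# is a placeholder; IPT defaults to iptables, set IPT=echo to print instead.
MGMT_IF=eth0.2
MGMT_NET=192.168.0.0/16

isolate_mgmt_vlan() {
    ipt=${IPT:-iptables}
    # Log (rate-limited) before dropping, so attempts to reach the gear from
    # the public side, or to leak out of it, show up in the kernel log.
    "$ipt" -A FORWARD -o "$MGMT_IF" -m limit --limit 5/min -j LOG --log-prefix "fwd-to-mgmt: "
    "$ipt" -A FORWARD -i "$MGMT_IF" -m limit --limit 5/min -j LOG --log-prefix "fwd-from-mgmt: "
    # Nothing is forwarded into or out of the management interface ...
    "$ipt" -A FORWARD -o "$MGMT_IF" -j DROP
    "$ipt" -A FORWARD -i "$MGMT_IF" -j DROP
    # ... and the private prefix is not forwarded via any other interface
    # either, which catches a packet for that range arriving on a public VLAN.
    "$ipt" -A FORWARD -d "$MGMT_NET" -j DROP
    "$ipt" -A FORWARD -s "$MGMT_NET" -j DROP
}
# These rules must sit before any broad ACCEPT in FORWARD: run this before
# the rules that permit routing between the public VLANs, or use -I, not -A.

# Helper to sanity-check the generated rule set without touching a kernel.
forward_rule_count() {
    IPT=echo isolate_mgmt_vlan | grep -c -- "-A FORWARD"
}
```

Check the result afterwards with `iptables -L FORWARD -v -n` and watch the `fwd-to-mgmt:` / `fwd-from-mgmt:` prefixes in the kernel log.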
From: bugzilla at sysreset.com (Bugzilla-Redirect)
Date: Fri Sep 8 10:01:36 2006
Subject: [LARTC] htb traffic shaping problem
Message-ID: <6.2.0.14.2.20060908020146.02e3f138@linux.sysreset.com>

Hello.

I have a linux server connected to a gigabit lan, and through that lan to a 768kbps/768kbps DSL modem. I'm trying to shape my webserver running on port 80/443 down to 512kbps, while leaving all other ports alone. The current configuration script that I'm using is as follows:

tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 1: htb default 99
tc class add dev eth0 parent 1: classid 1:1 htb rate 1000mbit ceil 1000mbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 512kbit ceil 512kbit
tc qdisc add dev eth0 parent 1:10 handle 10: sfq
tc class add dev eth0 parent 1:1 classid 1:99 htb rate 900mbit ceil 1000mbit
tc qdisc add dev eth0 parent 1:99 handle 99: sfq
tc filter add dev eth0 protocol ip parent 1: u32 match ip sport 80 0xffff flowid 1:10
tc filter add dev eth0 protocol ip parent 1: u32 match ip sport 443 0xffff flowid 1:10

1:10 seems to be getting the correct traffic from port 80 and 443 while everything else is run to 1:99. The problem is that, while 1:10 is slowing the connection down to a degree, it's nowhere near the set limit. For example: the connection will start out around 50kBps, and then suddenly bounce to over 1MBps, far exceeding its 64kBps setting.

Setting the parent down to 512kbits seems to work correctly, but it cripples the local network.

Can anyone point out what I've done incorrectly, or is this a bug?

Thank you.

-Ryan Power

From e.janz at barceloviajes.com Fri Sep 8 14:39:42 2006
From: e.janz at barceloviajes.com (e.janz@barceloviajes.com)
Date: Fri Sep 8 14:38:10 2006
Subject: [LARTC] htb traffic shaping problem
In-Reply-To: <6.2.0.14.2.20060908020146.02e3f138@linux.sysreset.com>
Message-ID:

Good afternoon,

your configuration seems correct to me. Could you send us the output of "tc -s -d class show dev eth0" during your probes? What kernel and tc versions are you using?

Regards,

Eric Janz
Systems Department
Grupo Barceló Viajes
C\ 16 de Julio, 75
07009 Polígono Son Castelló
Palma de Mallorca - Baleares
Tel.: +34 971 448030
Fax.: +34 971 436986

Bugzilla-Redirect
Sent by: lartc-bounces@mailman.ds9a.nl
08/09/2006 10:02
To: lartc@mailman.ds9a.nl
cc:
Subject: [LARTC] htb traffic shaping problem

Hello.

I have a linux server connected to a gigabit lan, and through that lan to a 768kbps/768kbps DSL modem. I'm trying to shape my webserver running on port 80/443 down to 512kbps, while leaving all other ports alone. The current configuration script that I'm using is as follows:

tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 1: htb default 99
tc class add dev eth0 parent 1: classid 1:1 htb rate 1000mbit ceil 1000mbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 512kbit ceil 512kbit
tc qdisc add dev eth0 parent 1:10 handle 10: sfq
tc class add dev eth0 parent 1:1 classid 1:99 htb rate 900mbit ceil 1000mbit
tc qdisc add dev eth0 parent 1:99 handle 99: sfq
tc filter add dev eth0 protocol ip parent 1: u32 match ip sport 80 0xffff flowid 1:10
tc filter add dev eth0 protocol ip parent 1: u32 match ip sport 443 0xffff flowid 1:10

1:10 seems to be getting the correct traffic from port 80 and 443 while everything else is run to 1:99. The problem is that, while 1:10 is slowing the connection down to a degree, it's nowhere near the set limit. For example: the connection will start out around 50kBps, and then suddenly bounce to over 1MBps, far exceeding its 64kBps setting.
Setting the parent down to 512kbits seems to work correctly, but it cripples the local network. Can anyone point out what I've done incorrectly, or is this a bug? Thank you. -Ryan Power _______________________________________________ LARTC mailing list LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc -- ADVERTENCIA LEGAL El contenido de este correo es confidencial y dirigido unicamente a su destinatario. Para acceder a su clausula de privacidad consulte http://www.barceloviajes.com/privacy LEGAL ADVISORY This message is confidential and intended only for the person or entity to which it is addressed. In order to read its privacy policy consult it at http://www.barceloviajes.com/privacy -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060908/d491ea9b/attachment.htm From pio_mendez at hotmail.com Fri Sep 8 17:11:24 2006 From: pio_mendez at hotmail.com (Pio Mendez) Date: Fri Sep 8 17:11:11 2006 Subject: [LARTC] Only root qdisc's stats shows overlimits Message-ID: An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060908/904b36bd/attachment.html From cemeyer2 at uiuc.edu Fri Sep 8 17:27:00 2006 From: cemeyer2 at uiuc.edu (Charlie Meyer) Date: Fri Sep 8 17:26:55 2006 Subject: [LARTC] htb traffic shaping problem In-Reply-To: Message-ID: <000701c6d35b$3eea1250$46fdae80@MURPHY> Hi, I have a similar setup here, and what I did was instead of shaping the traffic with tc, I used mod_cband on apache2 to limit concurrent connections and bandwidth. There is a very helpful reference on getting it up and running here: http://www.howtoforge.com/mod_cband_apache2_bandwidth_quota_throttling Hope that helps a bit Charlie Meyer University of Illinois at Urbana-Champaign Department of Computer Science - Undergraduate cemeyer2@uiuc.edu _____ 
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of e.janz@barceloviajes.com
Sent: Friday, September 08, 2006 7:40 AM
To: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] htb traffic shaping problem

Good afternoon,

your configuration seems correct to me. Could you send us the output of "tc -s -d class show dev eth0" during your probes? What kernel and tc versions are you using?

Regards,
Eric Janz
Departamento de Sistemas
Grupo Barceló Viajes
...

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060908/970b24cc/attachment-0001.htm

From vit at icebrains-soft.com Fri Sep 8 21:13:23 2006
From: vit at icebrains-soft.com (vit@icebrains-soft.com) Date: Fri Sep 8 21:11:11 2006 Subject: [LARTC] UIDs, virtual network inside localhost, etc. Pls, help, me. In-Reply-To: <20060902162323.GA2123@swdevel.local> References: <20060902162323.GA2123@swdevel.local> Message-ID: <20060908191323.GA11556@swdevel.local>

Hello!

I need assistance to solve my problem related to traffic shaping based on the user ids.

The problem: each unix user (of the linux host) has to be limited with incoming channel (internet) bandwidth.

Solution I want to implement:

  unix user1 <-> IP1 \                 ____________
       ....          <---------> | gw IP, NAT |<-----> eth interface
  unix userN <-> IPN /           |____________|
                                        ^
                                        |_____ traffic shaper is here

Each unix user sends and receives network data through a dedicated IP address (which belongs to one of the aliases of the localhost interface - lo:1, lo:2 etc). All IP addresses are in the same network (for example, 192.168.5.0). One of the localhost aliases acts as a gateway (192.168.5.1, for example). And to send and receive data to the actual network, (S)NAT is required. To shape the traffic, the linux traffic shaper (CBQ) is used.

It seems to me this scheme looks good and real (in my case, the quantity of simultaneously connected users is less than 50). Am I right? But can anybody give me advice on how to implement it? :-)

Problems appeared at my first step. As the first step, I've tried to construct the "virtual network" IP1..IPN and gw IP:

# ifconfig lo:1 inet 192.168.5.1 up

And immediately after executing this command it is possible to ping any 192.168.5.x IP address, not only 192.168.5.1 (as I've expected). Why??? What is the problem?

Thank you beforehand!

--
Sincerely yours,
Vitaly Repin
Ice Brains Software, ltd

From jclark at metricsystems.com Fri Sep 8 21:24:57 2006
From: jclark at metricsystems.com (John Clark) Date: Fri Sep 8 21:24:39 2006 Subject: [LARTC] Simple set up to shape traffic... Message-ID: <4501C389.2030506@metricsystems.com>

I looked and found a 'very simple' command sequence to shape traffic to a specific host. However, I 'cribbed' the command sequence from an online tutorial from 'somewhere'. I now have lost the example, and my altered sequence. The command I am getting an 'RTNETLINK' Invalid argument error from is:

tc qdisc add dev eth0 root handle 1: cbq avpkt 1000 bandwidth 3700kbit

I don't think I used this particular set of options previously. Somehow I think I was using the sfq rather than the cbq. The goal that I have at the moment is to limit the bandwidth of data sent to a particular host. I had this working but seem to have lost a specific parameter sequence.

Thanks
John Clark

From andreas at stapelspeicher.org Fri Sep 8 23:53:55 2006
From: andreas at stapelspeicher.org (Andreas Mueller) Date: Fri Sep 8 23:54:53 2006 Subject: [LARTC] Traffic shaper based on UIDs In-Reply-To: <20060902162323.GA2123@swdevel.local> References: <20060902162323.GA2123@swdevel.local> Message-ID: <20060908215355.GA6760@lintera>

Hi,

vit@icebrains-soft.com wrote:
...
> But there is no filter based on unix user id (the reason is clear for
> everybody -- ip packet doesn't contain this information).
>
> I've found the very interesting netfilter patches at the patch-o-matic:
...
There is no need for POM patches, you may use the "owner" match from iptables. (see: man iptables)

> Am I on the right way? How can I combine the power of netfilter and
> traffic control systems to solve my problem?
...
You might match for each user and then set a mark or even classify directly by iptables. (see man, too)

Howto mark: http://lartc.org/howto/lartc.qdisc.filters.html (9.6.2, fwmark)

Btw.. there is no best (classful) qdisc, this varies on your needs. Nevertheless, I'd take htb because it's relatively simple to setup (personally I like hfsc though). You may just try them out. :)

Bye,
Andreas.

From vit at icebrains-soft.com Sat Sep 9 00:09:53 2006
From: vit at icebrains-soft.com (vit@icebrains-soft.com) Date: Sat Sep 9 00:07:40 2006 Subject: [LARTC] Traffic shaper based on UIDs In-Reply-To: <20060908215355.GA6760@lintera> References: <20060902162323.GA2123@swdevel.local> <20060908215355.GA6760@lintera> Message-ID: <20060908220953.GA17229@swdevel.local>

Hello, Andreas!

Yes, the owner match is great. But I can mark only outgoing packets this way. And as far as I know, the traffic shaper needs to know who is the owner of the incoming packets to do the shaper job. And that's why it is required to patch the kernel, it seems to me. Have I misunderstood something?

But I've recently sent to this mailing list another letter related to this problem. It seems to me, if each unix user would use a different IP address, it is not a problem to do the shaping.

Thank you for your response.

> Hi,
>
> vit@icebrains-soft.com wrote:
> ...
> There is no need for POM patches, you may use the "owner" match from
> iptables. (see: man iptables)
> ...
> You might match for each user and then set a mark or even classify directly
> by iptables. (see man, too)
>
> Howto mark: http://lartc.org/howto/lartc.qdisc.filters.html (9.6.2, fwmark)
> ...
> Bye,
> Andreas.

--
Sincerely yours,
Vitaly Repin
Ice Brains Software, ltd

From bugzilla at sysreset.com Sat Sep 9 21:55:37 2006
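Andreas's suggestion (match on owner, set a mark, let a tc fw filter classify on it) and Vitaly's objection (the owner match only ever sees the packets a user sends) come together in the following added example. It is not code from either message. For each UID it derives one fwmark and one HTB class, marks the user's outgoing packets with the iptables owner match and saves that mark on the connection with CONNMARK. The ingress side goes beyond what the thread discusses and rests on an assumption: a current kernel with the IFB device and the tc `connmark` action (act_connmark, mainline since 4.0), which restores the saved connmark before the packet is redirected to ifb0, so the same fw filter also classifies the incoming direction without any out-of-tree patch. eth0, ifb0, the rates and the UIDs are placeholders; with DRY_RUN=1 (the default) the script prints every command instead of running it, so it can be read and checked before being run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Per-UID shaping in both directions from iptables owner/CONNMARK and tc fw filters.
# Added example: eth0, ifb0, the rates and the UIDs below are placeholders.
# DRY_RUN=1 (default) prints every command instead of executing it.

DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Both the fwmark and the HTB class minor are derived from the UID, written in hex
# because that is how tc reads class ids. Assumption: UIDs are >= 1000 and < 65536,
# so they never collide with the fixed classes 1:1 / 1:ff or overflow a 16-bit minor.
uid_mark()  { printf '0x%x' "$1"; }
uid_class() { printf '1:%x' "$1"; }

# Root HTB for one direction; class 1:ff catches everything without a per-user mark.
setup_root() {  # setup_root <iface> <total-rate> <default-rate>
  run tc qdisc del dev "$1" root 2>/dev/null || true
  run tc qdisc add dev "$1" root handle 1: htb default ff
  run tc class add dev "$1" parent 1: classid 1:1 htb rate "$2" ceil "$2"
  run tc class add dev "$1" parent 1:1 classid 1:ff htb rate "$3" ceil "$2"
  run tc qdisc add dev "$1" parent 1:ff sfq perturb 10
}

# Ingress: everything arriving on <iface> is handed to <ifb>; act_connmark copies the
# saved connection mark back onto the packet first, so the fw filters on <ifb> match.
setup_ingress() {  # setup_ingress <iface> <ifb>
  run ip link add "$2" type ifb 2>/dev/null || true
  run ip link set dev "$2" up
  run tc qdisc add dev "$1" handle ffff: ingress
  run tc filter add dev "$1" parent ffff: protocol ip prio 1 u32 match u32 0 0 \
      action connmark action mirred egress redirect dev "$2"
}

# One user: a class and a fw filter on the egress interface and on the ifb, plus the
# mangle rules that mark what the user sends and store that mark on the connection
# so the replies (which the owner match never sees) carry it on the way back in.
add_user() {  # add_user <egress-iface> <ifb> <uid> <rate> <ceil>
  m=$(uid_mark "$3"); c=$(uid_class "$3")
  for dev in "$1" "$2"; do
    run tc class add dev "$dev" parent 1:1 classid "$c" htb rate "$4" ceil "$5"
    run tc qdisc add dev "$dev" parent "$c" sfq perturb 10
    run tc filter add dev "$dev" parent 1: protocol ip prio 1 handle "$m" fw flowid "$c"
  done
  run iptables -t mangle -A OUTPUT -m owner --uid-owner "$3" -j MARK --set-mark "$m"
  run iptables -t mangle -A OUTPUT -m owner --uid-owner "$3" -j CONNMARK --save-mark
}

# Complete build for two placeholder users.
build() {  # build <egress-iface> <ifb> <egress-rate> <ingress-rate>
  setup_root "$1" "$3" 1mbit
  setup_root "$2" "$4" 1mbit
  setup_ingress "$1" "$2"
  add_user "$1" "$2" 1001 256kbit 1mbit
  add_user "$1" "$2" 1002 128kbit 512kbit
}

build eth0 ifb0 10mbit 10mbit
```

The mark is compared whole by the fw filter, so the CONNMARK save must happen after the MARK rule and nothing later in the mangle table may rewrite the mark for that user's packets; `tc -s filter show dev ifb0` and `iptables -t mangle -L OUTPUT -v` show whether both halves are actually being hit.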
From: bugzilla at sysreset.com (Bugzilla-Redirect) Date: Sat Sep 9 21:55:19 2006 Subject: [LARTC] Re: htb traffic shaping problem (Charlie Meyer) In-Reply-To: <20060908152712.4E52044F1@outpost.ds9a.nl> References: <20060908152712.4E52044F1@outpost.ds9a.nl> Message-ID: <6.2.0.14.2.20060909135043.02dd9d80@linux.sysreset.com>

Eric,

I've attached the output from the command you requested below. I'm using kernel 2.6.17.12 and tc version ss060323. I have an nforce4 onboard gigabit controller using the forcedeth driver, if that makes a difference.

Charlie,

I'll take a look at the Apache model for throttling, thanks. I was going for tc because I was going to try to add additional shaping to non-apache traffic once I got it working correctly.

Thanks,
-Ryan Power

tc -s -d class show dev eth0
class htb 1:99 parent 1:1 leaf 99: prio 0 quantum 3000 rate 900000Kbit ceil 1000Mbit burst 451350b/8 mpu 0b overhead 0b cburst 501375b/8 mpu 0b overhead 0b level 0
 Sent 48695 bytes 398 pkt (dropped 0, overlimits 0 requeues 0)
 rate 2704bit 2pps backlog 0b 0p requeues 0
 lended: 398 borrowed: 0 giants: 0
 tokens: 4326 ctokens: 4325

class htb 1:1 root rate 1000Mbit ceil 1000Mbit burst 501375b/8 mpu 0b overhead 0b cburst 501375b/8 mpu 0b overhead 0b level 7
 Sent 32821394 bytes 994 pkt (dropped 0, overlimits 0 requeues 0)
 rate 3556Kbit 10pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 1128
 tokens: 4325 ctokens: 4325

class htb 1:10 parent 1:1 leaf 10: prio 0 quantum 3000 rate 512000bit ceil 512000bit burst 1755b/8 mpu 0b overhead 0b cburst 1755b/8 mpu 0b overhead 0b level 0
 Sent 34256069 bytes 701 pkt (dropped 0, overlimits 0 requeues 0)
 rate 3554Kbit 8pps backlog 0b 105p requeues 0
 lended: 596 borrowed: 0 giants: 1128
 tokens: -52724 ctokens: -52724

From spam-goes-to-dev-null at gmx.net Sun Sep 10 17:28:00 2006
From: spam-goes-to-dev-null at gmx.net (Leo Wetz) Date: Sun Sep 10 17:27:43 2006 Subject: [LARTC] HFSC traffic loss bug, kernel 2.6.16.24 Message-ID: <20060910152735.81EB3405C@outpost.ds9a.nl>

Hello,

I have finally managed to understand HFSC up to a level which allowed me to create a QoS script which maintains low VoIP latency while running stuff like eMule. Unfortunately, HFSC seems to have a severe bug. Why do I consider this as a bug definitely? Well, my script runs without any errors, then QoS works perfectly for some hours, no error messages in the kernel log. Then randomly the kernel starts saying this:

Sep 10 17:14:51 router kernel: HFSC: Non-work-conserving qdisc ?
Sep 10 17:14:56 router kernel: printk: 266 messages suppressed.
Sep 10 17:14:56 router kernel: HFSC: Non-work-conserving qdisc ?
Sep 10 17:15:01 router kernel: printk: 259 messages suppressed.
Sep 10 17:15:01 router kernel: HFSC: Non-work-conserving qdisc ?
Sep 10 17:15:06 router kernel: printk: 294 messages suppressed.
Sep 10 17:15:06 router kernel: HFSC: Non-work-conserving qdisc ?

It floods the whole kernel log with this. Traffic is also heavily affected by packet loss when this happens, thus I cannot ignore it. I have to check my kernel log when I notice that I cannot access websites anymore and then restart QoS manually.

My complete QoS script is attached to this mail. If this is not the right location for the bug report please tell me whom I should contact.

Thanks,
Leo

-------------- next part --------------
A non-text attachment was scrubbed...
Name: qos
Type: application/octet-stream
Size: 2281 bytes
Desc: not available
Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20060910/385cf89c/qos.obj

From dexcript at yahoo.com.br Sun Sep 10 21:16:50 2006
From: dexcript at yahoo.com.br (d3xcrIpt) Date: Sun Sep 10 21:14:59 2006 Subject: [LARTC] HTB and tc filter Message-ID: <450464A2.3080205@yahoo.com.br> An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060910/f1edc538/attachment.htm From dexcript at yahoo.com.br Sun Sep 10 21:45:56 2006 From: dexcript at yahoo.com.br (d3xcrIpt) Date: Sun Sep 10 21:44:02 2006 Subject: [LARTC] help with HTB and tc Message-ID: <45046B74.4090007@yahoo.com.br> An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060910/f8250768/attachment.html From mlistz at gmail.com Mon Sep 11 05:03:58 2006 
From: mlistz at gmail.com (Zhuang Yuyao) Date: Mon Sep 11 05:03:39 2006 Subject: [LARTC] [HELP] Multicast over GRE tunnel Message-ID: <4504D21E.70800@gmail.com>

Hi,

I got a problem similar to this one (http://mailman.ds9a.nl/pipermail/lartc/2005q4/017614.html): the GRE tunnel can forward normal IP packets such as ICMP but fails to tunnel multicast traffic.

Here's the setup:

                   192.168.20.0/24
LAN-A--------------RtrA-------------RtrB--------------LAN-B
192.168.50.0/24                                 192.168.60.0/24

RtrA interfaces:
  eth0 192.168.20.100
  eth1 192.168.50.1

HOSTA in LAN-A:
  eth0 192.168.50.250

RtrB interfaces:
  eth0 192.168.20.98
  eth1 192.168.60.1

HOSTB in LAN-B:
  eth0 192.168.60.250

Here is the setup script on RtrB:

#!/bin/sh

END_L=192.168.20.98
END_R=192.168.20.100
GRE_L=10.0.0.4
GRE_R=10.0.0.3
MGROUP=224.0.55.55
SUBNET_R=192.168.50.0/24

/usr/sbin/iptables -F
/usr/sbin/iptables -F -t nat
/usr/sbin/iptables -P FORWARD ACCEPT

ip tunnel del gretun
ip tunnel add gretun mode gre remote $END_R local $END_L ttl 255
ip link set gretun up multicast on
ip addr add $GRE_L peer $GRE_R/24 dev gretun

ip route del $SUBNET_R via $GRE_R
ip route add $SUBNET_R via $GRE_R

/usr/sbin/smcroute -k
/usr/sbin/smcroute -d
sleep 3
/usr/sbin/smcroute -a eth1 192.168.60.250 $MGROUP gretun
/usr/sbin/smcroute -j gretun $MGROUP

and the setup script on RtrA:

#!/bin/sh

END_L=192.168.20.100
END_R=192.168.20.98
GRE_L=10.0.0.3
GRE_R=10.0.0.4
MGROUP=224.0.55.55
SUBNET_R=192.168.60.0/24

/usr/sbin/iptables -F
/usr/sbin/iptables -F -t nat
/usr/sbin/iptables -P FORWARD ACCEPT

ip tunnel del gretun
ip tunnel add gretun mode gre remote $END_R local $END_L ttl 255
ip link set gretun up multicast on
ip addr add $GRE_L peer $GRE_R/24 dev gretun

ip route del $SUBNET_R via $GRE_R
ip route add $SUBNET_R via $GRE_R

/usr/sbin/smcroute -k
/usr/sbin/smcroute -d
sleep 3
/usr/sbin/smcroute -a eth1 192.168.60.250 $MGROUP gretun
/usr/sbin/smcroute -j gretun $MGROUP

On RtrB (while running "ping 192.168.50.250" on HOSTB):

/usr/sbin/tcpdump -i eth0 -n
10:46:21.470623 IP 192.168.20.98 > 192.168.20.100: GREv0, length 88: IP 192.168.60.250 > 192.168.50.250: ICMP echo request, id 44558, seq 1, length 64
10:46:21.476843 IP 192.168.20.100 > 192.168.20.98: GREv0, length 88: IP 192.168.50.250 > 192.168.60.250: ICMP echo reply, id 44558, seq 1, length 64
10:46:22.487867 IP 192.168.20.98 > 192.168.20.100: GREv0, length 88: IP 192.168.60.250 > 192.168.50.250: ICMP echo request, id 44558, seq 2, length 64
10:46:22.491629 IP 192.168.20.100 > 192.168.20.98: GREv0, length 88: IP 192.168.50.250 > 192.168.60.250: ICMP echo reply, id 44558, seq 2, length 64
10:46:23.473064 IP 192.168.20.98 > 192.168.20.100: GREv0, length 88: IP 192.168.60.250 > 192.168.50.250: ICMP echo request, id 44558, seq 3, length 64
10:46:23.473711 IP 192.168.20.100 > 192.168.20.98: GREv0, length 88: IP 192.168.50.250 > 192.168.60.250: ICMP echo reply, id 44558, seq 3, length 64
10:46:24.452719 IP 192.168.20.98 > 192.168.20.100: GREv0, length 88: IP 192.168.60.250 > 192.168.50.250: ICMP echo request, id 44558, seq 4, length 64
10:46:24.453209 IP 192.168.20.100 > 192.168.20.98: GREv0, length 88: IP 192.168.50.250 > 192.168.60.250: ICMP echo reply, id 44558, seq 4, length 64
10:46:25.470861 IP 192.168.20.98 > 192.168.20.100: GREv0, length 88: IP 192.168.60.250 > 192.168.50.250: ICMP echo request, id 44558, seq 5, length 64
10:46:25.478632 IP 192.168.20.100 > 192.168.20.98: GREv0, length 88: IP 192.168.50.250 > 192.168.60.250: ICMP echo reply, id 44558, seq 5, length 64

As you can see, the ICMP packets are encapsulated by the GRE tunnel.

Now I started the multicast test by running "iperf -c 224.0.55.55 -u -T 32 -t 1000 -i 1" on HOSTB.

On RtrB:
/usr/sbin/tcpdump -i eth0 -n
/usr/sbin/tcpdump -i gretun -n
both captured nothing!!!

I am really confused. Any help will be appreciated!

Thanks very much!
Best regards, Zhuang Yuyao From mlistz at gmail.com Mon Sep 11 05:16:29 2006 
From: mlistz at gmail.com (Zhuang Yuyao) Date: Mon Sep 11 05:16:10 2006 Subject: [LARTC] Re: [HELP] Multicast over GRE tunnel (some minor fix on RtrA setup script but the problem is still there) In-Reply-To: <4504D21E.70800@gmail.com> References: <4504D21E.70800@gmail.com> Message-ID: <4504D50D.3070408@gmail.com>

Zhuang Yuyao wrote:
> Hi,
>
> I got a problem similar to this one
> (http://mailman.ds9a.nl/pipermail/lartc/2005q4/017614.html), GRE
> tunnel can forward normal IP packets such as ICMP but failed to tunnel
> multicast traffics.
...
> and the setup script on RtrA:
> #!/bin/sh
>
> END_L=192.168.20.100
> END_R=192.168.20.98
> GRE_L=10.0.0.3
> GRE_R=10.0.0.4
> MGROUP=224.0.55.55
> SUBNET_R=192.168.60.0/24
>
> /usr/sbin/iptables -F
> /usr/sbin/iptables -F -t nat
> /usr/sbin/iptables -P FORWARD ACCEPT
>
> ip tunnel del gretun
> ip tunnel add gretun mode gre remote $END_R local $END_L ttl 255
> ip link set gretun up multicast on
> ip addr add $GRE_L peer $GRE_R/24 dev gretun
>
> ip route del $SUBNET_R via $GRE_R
> ip route add $SUBNET_R via $GRE_R
>
> /usr/sbin/smcroute -k
> /usr/sbin/smcroute -d
> sleep 3
/usr/sbin/smcroute -a gretun 192.168.60.250 $MGROUP eth0
/usr/sbin/smcroute -j gretun $MGROUP
...
> Now I started to run multicast test by running "iperf -c 224.0.55.55
> -u -T 32 -t 1000 -i 1" on HOSTB
> On RtrB:
> /usr/sbin/tcpdump -i eth0 -n
> /usr/sbin/tcpdump -i gretun -n
> both captured nothing !!!
>
> I am really confused. Any help will be appreciated!
>
> Thanks very much!
>
> Best regards,
>
> Zhuang Yuyao

From exairetos at tele2.it Mon Sep 11 13:47:27 2006
From: exairetos at tele2.it (Ferdinando Formica) Date: Mon Sep 11 13:47:11 2006 Subject: [LARTC] simple question Message-ID:
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060911/dbd283fb/attachment.htm

From alex at zoomnet.ro Mon Sep 11 13:55:16 2006
From: alex at zoomnet.ro (Alexandru Dragoi) Date: Mon Sep 11 13:54:49 2006 Subject: [LARTC] help with HTB and tc In-Reply-To: <45046B74.4090007@yahoo.com.br> References: <45046B74.4090007@yahoo.com.br> Message-ID: <45054EA4.50201@zoomnet.ro>

d3xcrIpt wrote:
> Help me ...
>
> I try to use the tc filter, but it seems it doesn't work. I already
> reconfigured my kernel (2.4.32) with all options related to QOS
> enabled (like modules) and nothing happens. I got the tc tool from
> the HTB source package. Well, this is my setup:
>
> eth0 is my internal NIC.
>
> tc qdisc add dev eth0 root handle 1: htb default 12
>
> tc class add dev eth0 parent 1: classid 1:1 htb rate 100kbps ceil 100kbps
> tc class add dev eth0 parent 1:1 classid 1:10 htb rate 30kbps ceil 100kbps
> tc class add dev eth0 parent 1:1 classid 1:11 htb rate 10kbps ceil 100kbps
> tc class add dev eth0 parent 1:1 classid 1:12 htb rate 60kbps ceil 100kbps
>
> tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src flowid 1:10
>
> tc qdisc add dev eth0 parent 1:10 handle 20: pfifo limit 5
> tc qdisc add dev eth0 parent 1:11 handle 30: pfifo limit 5
> tc qdisc add dev eth0 parent 1:12 handle 40: sfq perturb 10
>
> OK. But ... when I look at the qdiscs:
>
> tc -s -d qdisc
> qdisc htb 1: r2q 10 default 12 direct_packets_stat 411 ver 3.17
>  Sent 181174 bytes 1324 pkts (dropped 0, overlimits 0)
>
> qdisc pfifo 20: parent 1:10 limit 5p
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>
> qdisc pfifo 30: parent 1:11 limit 5p
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>
> qdisc sfq 40: parent 1:12 quantum 1514b limit 128p flows 128/1024 perturb 10sec
>  Sent 130091 bytes 866 pkts (dropped 0, overlimits 0)
>
> All traffic is going to the default class (1:12). I tried many filters
> with the tc tool but nothing happens.
> I looked at the modules with lsmod and "cls_u32.o" and "sch_htb.o" are
> all loaded.
>
> Thanks everyone.
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

You need to do this on the external NIC. HTB is a queueing mechanism, which is done on outgoing traffic.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060911/72dbf89f/attachment.html

From jserink2004 at yahoo.com Tue Sep 12 10:00:09 2006
From: jserink2004 at yahoo.com (John Serink) Date: Tue Sep 12 09:59:58 2006 Subject: [LARTC] Tunnels within tunnels, IPSec and GRE In-Reply-To: Message-ID: <20060912080009.88290.qmail@web54502.mail.yahoo.com>

Hi All:

I have a GRE tunnel that I want to use tc on. This is simple and straightforward. I then want to use tc on the ppp1 interface and prioritize outgoing ESP packets. The GRE tunnel is encapsulated inside the IPSec tunnel. To do this, do I have two completely separate sets of traffic control rules and filters? One for the GRE tunnel interface and one for the ppp1 interface?

Cheers,
John

From e.janz at barceloviajes.com Tue Sep 12 10:36:27 2006
From: e.janz at barceloviajes.com (e.janz@barceloviajes.com) Date: Tue Sep 12 10:34:54 2006 Subject: [LARTC] Re: htb traffic shaping problem (Charlie Meyer) In-Reply-To: <6.2.0.14.2.20060909135043.02dd9d80@linux.sysreset.com> Message-ID:

Hi again,

sorry for my late response. Could you give us also the output of

tc -s -d qdisc show dev eth0
tc filter show dev eth0

It is very strange that the rate and ceil of class 1:10 are set to 512Kbit but the class's rate goes over 3.5Mbit!! Maybe it is a bug?

I'm preparing a similar setup (a linux wan router on a 100Mbit lan with 5Mbps upload/download to the Internet). We will see if I run into the same issues...

Regards,
Eric Janz

Bugzilla-Redirect, sent by lartc-bounces@mailman.ds9a.nl, 09/09/2006 21:56, to lartc@mailman.ds9a.nl, subject [LARTC] Re: htb traffic shaping problem (Charlie Meyer):
...

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060912/d9a3c3b5/attachment.htm

From venk25 at msn.com Tue Sep 12 16:49:10 2006
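Eric's question, whether a class reporting a rate far above its ceil is a bug, can be answered from the counters Ryan posted. The following is an added example, not code from the thread: a POSIX shell function that parses `tc -s -d class show` output and flags every HTB class whose measured rate exceeds its ceil or that reports non-zero `giants`. In HTB a giant is a packet longer than the rate table covers (the table is sized for the interface MTU); such a packet is charged as if it were only table-sized, so a class that sees many of them sends more than it pays for, which is exactly the shape of Ryan's 1:10 (giants: 1128, rate 3554Kbit against ceil 512000bit). The sample input is constructed from the three class blocks in his post; the field names and units are tc's own, the verdict strings are the example's.

```shell
#!/bin/sh
# htb_check: read "tc -s -d class show dev <iface>" output on stdin and print, per HTB
# class, the configured rate/ceil, the measured rate and the giants counter.
# Verdict: OVER-CEIL when measured > ceil, GIANTS when giants > 0, otherwise ok.
htb_check() {
  awk '
    # Convert a tc rate token (512000bit, 3554Kbit, 1000Mbit) to bits per second.
    function to_bits(s,   n, u) {
      if (!match(s, /^[0-9]+(\.[0-9]+)?/)) return -1
      n = substr(s, 1, RLENGTH) + 0
      u = substr(s, RLENGTH + 1)
      if (u == "bit")  return n
      if (u == "Kbit") return n * 1000
      if (u == "Mbit") return n * 1000000
      if (u == "Gbit") return n * 1000000000
      return -1
    }
    # Emit the report line for the class collected so far.
    function flush(   v) {
      if (cls == "") return
      v = ""
      if (measured > ceil) v = "OVER-CEIL"
      if (giants > 0) v = v (v == "" ? "" : ",") "GIANTS"
      if (v == "") v = "ok"
      printf "%s rate=%d ceil=%d measured=%d giants=%d %s\n", cls, rate, ceil, measured, giants, v
      cls = ""
    }
    # Class header: "class htb 1:10 parent 1:1 ... rate 512000bit ceil 512000bit ..."
    $1 == "class" && $2 == "htb" {
      flush()
      cls = $3; rate = ceil = measured = giants = 0
      for (i = 1; i < NF; i++) {
        if ($i == "rate") rate = to_bits($(i + 1))
        if ($i == "ceil") ceil = to_bits($(i + 1))
      }
      next
    }
    # Statistics lines under the header: "rate 3554Kbit 8pps ..." and "... giants: 1128"
    cls != "" {
      for (i = 1; i <= NF; i++) {
        if ($i == "rate" && i + 2 <= NF && $(i + 2) ~ /pps$/) measured = to_bits($(i + 1))
        if ($i == "giants:" && i < NF) giants = $(i + 1) + 0
      }
    }
    END { flush() }
  '
}

# Constructed sample: the three classes from the post, one statistics block each.
SAMPLE_TC_OUTPUT='class htb 1:99 parent 1:1 leaf 99: prio 0 quantum 3000 rate 900000Kbit ceil 1000Mbit burst 451350b/8 mpu 0b overhead 0b cburst 501375b/8 mpu 0b overhead 0b level 0
 Sent 48695 bytes 398 pkt (dropped 0, overlimits 0 requeues 0)
 rate 2704bit 2pps backlog 0b 0p requeues 0
 lended: 398 borrowed: 0 giants: 0
 tokens: 4326 ctokens: 4325
class htb 1:1 root rate 1000Mbit ceil 1000Mbit burst 501375b/8 mpu 0b overhead 0b cburst 501375b/8 mpu 0b overhead 0b level 7
 Sent 32821394 bytes 994 pkt (dropped 0, overlimits 0 requeues 0)
 rate 3556Kbit 10pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 1128
 tokens: 4325 ctokens: 4325
class htb 1:10 parent 1:1 leaf 10: prio 0 quantum 3000 rate 512000bit ceil 512000bit burst 1755b/8 mpu 0b overhead 0b cburst 1755b/8 mpu 0b overhead 0b level 0
 Sent 34256069 bytes 701 pkt (dropped 0, overlimits 0 requeues 0)
 rate 3554Kbit 8pps backlog 0b 105p requeues 0
 lended: 596 borrowed: 0 giants: 1128
 tokens: -52724 ctokens: -52724'

# Report for the sample. On a live box: tc -s -d class show dev eth0 | htb_check
printf '%s\n' "$SAMPLE_TC_OUTPUT" | htb_check
```

A class that is over its ceil without giants points at a classification problem; a class that is over its ceil with giants points at the packets themselves. Segmentation offload on a gigabit NIC is one way frames larger than the MTU reach the qdisc, so `ethtool -k eth0` (which lists whether tcp-segmentation-offload is on) is the next check before calling it an HTB bug; the thread itself does not record whether that was the cause here.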
From: venk25 at msn.com (K Venkat) Date: Tue Sep 12 16:48:51 2006 Subject: [LARTC] Completely isolating P2P/BitTorrent traffic Message-ID: Hi all, I'm tring to isolate P2P traffic, specifically BitTorrent, for my QoS scripts. I can't seem to completely isolate ALL BitTorrent traffic. I identify & mark packets and then use tc filters to put them into appropriate classes. My firewall rules (below) do the markings. My VoIP boxes' and ICMP traffic get highest priority (mark 1). Then comes DNS, SSH, and Telnet (mark 2), After this, I try to isolate BitTorrent traffic (mark 4). If the packet is none of the above, then mark with a default mark (mark 3). I ran my BitTorrent client (uTorrent) for a while, with no other big uploading application running on my network. My firewall rules and statistics are below. You can find that a large chunk got marked with 3 (default mark), apart from marked BitTorrent traffic. I put the LOG target just to see what traffic it is and SURPRISE ! It was BitTorrent traffic. A snippet from my kernel log (from iptables) is below. My PC's IP is 192.168.1.105 and port 10305 is uTorrent's port. And, other packets not going out of that port - I confirmed they are from uTorrent by doing this on a bunch of entries: D:\Junk>netstat -nb | grep -A1 1553 TCP 192.168.1.105:1771 195.23.20.78:21488 ESTABLISHED 4080 [utorrent.exe] D:\Junk> I've tried using -m layer7 --l7proto bittorrent and IPP2P's -m ipp2p --ipp2p. Same effect. Kernel version - 2.4.30 iptables version - v1.3.3 ipp2p version : v0.8.1_rc1 vlan1 is my WAN interface. FWIW, I'm doing this on my WRT54G V3 router running OpenWRT WhiteRussian RC5. I don't want to put all traffic on high-ports (>1024) into Bulk since I have a bunch of stuff running on high-ports outside that I access. I just want to be able to completely isolate P2P/BitTorrent and mark it bulk. Any help appreciated. Thanks. PS. I sent this on Sep 11, 2006 at 3:56 PM. It never showed up in the list archive. So, reposting. 
Apologize if this is a repeat.

Firewall:
---------
Chain POSTROUTING (policy ACCEPT 1404K packets, 600M bytes)
 pkts bytes target     prot opt in     out     source               destination
1024K  394M QOS_Chain  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain QOS_Chain (1 references)
 pkts bytes target     prot opt in     out     source               destination
 6971 1418K MARK       all  --  *      vlan1   192.168.1.107        0.0.0.0/0           MARK set 0x1
40271 8118K MARK       all  --  *      vlan1   192.168.1.111        0.0.0.0/0           MARK set 0x1
    0     0 MARK       icmp --  *      vlan1   0.0.0.0/0            0.0.0.0/0           icmp type 8 MARK set 0x1
  281 20041 MARK       udp  --  *      vlan1   0.0.0.0/0            0.0.0.0/0           udp dpt:53 MARK set 0x2
    0     0 MARK       tcp  --  *      vlan1   0.0.0.0/0            0.0.0.0/0           tcp dpt:22 MARK set 0x2
    0     0 MARK       tcp  --  *      vlan1   0.0.0.0/0            0.0.0.0/0           tcp dpt:23 MARK set 0x2
47517 9555K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match !0x0
 152K   72M CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore
 3849 2043K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           ipp2p v0.8.1_rc1 --bit MARK set 0x4
49411   28M CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x4 CONNMARK save
24859   32M LOG        all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0           length 100:65535 MARK match 0x0 LOG flags 0 level 4 prefix `UNMARKED Packet: '
29544   32M MARK       all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0           MARK match 0x0 MARK set 0x3

Kernel log (snippet):
---------------------
Sep 11 14:31:01 (none) kern.warn kernel: UNMARKED Packet: IN= OUT=vlan1 SRC=192.168.1.105 DST=87.11.229.118 LEN=1300 TOS=0x00 PREC=0x00 TTL=127 ID=64569 DF PROTO=TCP SPT=10305 DPT=16224 WINDOW=64396 RES=0x00 ACK URGP=0
Sep 11 14:31:01 (none) kern.warn kernel: UNMARKED Packet: IN= OUT=vlan1 SRC=192.168.1.105 DST=87.11.229.118 LEN=1300 TOS=0x00 PREC=0x00 TTL=127 ID=64570 DF PROTO=TCP SPT=10305 DPT=16224 WINDOW=64396 RES=0x00 ACK PSH URGP=0
Sep 11 14:31:01 (none) kern.warn kernel: UNMARKED Packet: IN= OUT=vlan1 SRC=192.168.1.105 DST=87.11.229.118 LEN=1300 TOS=0x00 PREC=0x00 TTL=127 ID=64571 DF PROTO=TCP SPT=10305 DPT=16224 WINDOW=64396 RES=0x00 ACK URGP=0
Sep 11 14:31:01 (none) kern.warn kernel: UNMARKED Packet: IN= OUT=vlan1 SRC=192.168.1.105 DST=24.176.137.55 LEN=1300 TOS=0x00 PREC=0x00 TTL=127 ID=64572 DF PROTO=TCP SPT=1983 DPT=50001 WINDOW=65320 RES=0x00 ACK URGP=0
Sep 11 14:31:01 (none) kern.warn kernel: UNMARKED Packet: IN= OUT=vlan1 SRC=192.168.1.105 DST=81.178.115.37 LEN=1300 TOS=0x00 PREC=0x00 TTL=127 ID=64573 DF PROTO=TCP SPT=1553 DPT=60546 WINDOW=65269 RES=0x00 ACK URGP=0
Sep 11 14:31:01 (none) kern.warn kernel: UNMARKED Packet: IN= OUT=vlan1 SRC=192.168.1.105 DST=195.23.20.78 LEN=1300 TOS=0x00 PREC=0x00 TTL=127 ID=64576 DF PROTO=TCP SPT=1771 DPT=21488 WINDOW=64842 RES=0x00 ACK URGP=0
Sep 11 14:31:01 (none) kern.warn kernel: UNMARKED Packet: IN= OUT=vlan1 SRC=192.168.1.105 DST=195.23.20.78 LEN=1300 TOS=0x00 PREC=0x00 TTL=127 ID=64577 DF PROTO=TCP SPT=1771 DPT=21488 WINDOW=64842 RES=0x00 ACK URGP=0
Sep 11 14:31:01 (none) kern.warn kernel: UNMARKED Packet: IN= OUT=vlan1 SRC=192.168.1.105 DST=172.158.155.236 LEN=1300 TOS=0x00 PREC=0x00 TTL=127 ID=64578 DF PROTO=TCP SPT=1938 DPT=35714 WINDOW=64282 RES=0x00 ACK URGP=0
Sep 11 14:31:01 (none) kern.warn kernel: UNMARKED Packet: IN= OUT=vlan1 SRC=192.168.1.105 DST=172.158.155.236 LEN=1300 TOS=0x00 PREC=0x00 TTL=127 ID=64579 DF PROTO=TCP SPT=1938 DPT=35714 WINDOW=64282 RES=0x00 ACK URGP=0
Sep 11 14:31:01 (none) kern.warn kernel: UNMARKED Packet: IN= OUT=vlan1 SRC=192.168.1.105 DST=195.23.20.78 LEN=1300 TOS=0x00 PREC=0x00 TTL=127 ID=64580 DF PROTO=TCP SPT=1771 DPT=21488 WINDOW=64842 RES=0x00 ACK PSH URGP=0
Sep 11 14:31:01 (none) kern.warn kernel: UNMARKED Packet: IN= OUT=vlan1 SRC=192.168.1.105 DST=195.23.20.78 LEN=1300 TOS=0x00 PREC=0x00 TTL=127 ID=64581 DF PROTO=TCP SPT=1771 DPT=21488 WINDOW=64842 RES=0x00 ACK URGP=0
Sep 11 14:31:01 (none) kern.warn kernel: UNMARKED Packet: IN= OUT=vlan1 SRC=192.168.1.105 DST=81.178.115.37 LEN=1300 TOS=0x00 PREC=0x00 TTL=127 ID=64583 DF PROTO=TCP SPT=1553 DPT=60546 WINDOW=65269 RES=0x00 ACK URGP=0
Sep 11 14:31:01 (none) kern.warn kernel: UNMARKED Packet: IN= OUT=vlan1 SRC=192.168.1.105 DST=87.11.229.118 LEN=1300 TOS=0x00 PREC=0x00 TTL=127 ID=64584 DF PROTO=TCP SPT=10305 DPT=16224 WINDOW=64396 RES=0x00 ACK URGP=0
Sep 11 14:31:01 (none) kern.warn kernel: UNMARKED Packet: IN= OUT=vlan1 SRC=192.168.1.105 DST=24.176.137.55 LEN=1300 TOS=0x00 PREC=0x00 TTL=127 ID=64586 DF PROTO=TCP SPT=1983 DPT=50001 WINDOW=65520 RES=0x00 ACK URGP=0
Sep 11 14:31:01 (none) kern.warn kernel: UNMARKED Packet: IN= OUT=vlan1 SRC=192.168.1.105 DST=24.176.137.55 LEN=1300 TOS=0x00 PREC=0x00 TTL=127 ID=64587 DF PROTO=TCP SPT=1983 DPT=50001 WINDOW=65520 RES=0x00 ACK URGP=0
Sep 11 14:31:01 (none) kern.warn kernel: UNMARKED Packet: IN= OUT=vlan1 SRC=192.168.1.105 DST=24.176.137.55 LEN=1300 TOS=0x00 PREC=0x00 TTL=127 ID=64588 DF PROTO=TCP SPT=1983 DPT=50001 WINDOW=65520 RES=0x00 ACK URGP=0
Sep 11 14:31:01 (none) kern.warn kernel: UNMARKED Packet: IN= OUT=vlan1 SRC=192.168.1.105 DST=201.66.191.158 LEN=1300 TOS=0x00 PREC=0x00 TTL=127 ID=64611 DF PROTO=TCP SPT=1748 DPT=23845 WINDOW=65426 RES=0x00 ACK URGP=0
Sep 11 14:31:01 (none) kern.warn kernel: UNMARKED Packet: IN= OUT=vlan1 SRC=192.168.1.105 DST=201.66.191.158 LEN=1300 TOS=0x00 PREC=0x00 TTL=127 ID=64612 DF PROTO=TCP SPT=1748 DPT=23845 WINDOW=65426 RES=0x00 ACK URGP=0
Sep 11 14:31:01 (none) kern.warn kernel: UNMARKED Packet: IN= OUT=vlan1 SRC=192.168.1.105 DST=172.158.155.236 LEN=1300 TOS=0x00 PREC=0x00 TTL=127 ID=64613 DF PROTO=TCP SPT=1938 DPT=35714 WINDOW=64265 RES=0x00 ACK URGP=0

From luciano at lugmen.org.ar Wed Sep 13 02:53:43 2006
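Following up on K Venkat's post above: an added example, not code from the thread, that parses `UNMARKED Packet:` LOG lines in the format shown and groups them per connection, so you can see which of the torrent host's connections never received the ipp2p mark and how many of them a rule on the client's listening port alone would have missed. The sample lines are constructed after the ones in the post; the peer address 198.51.100.7 and the host 192.168.1.120 are made up.

```python
"""Group netfilter LOG lines tagged 'UNMARKED Packet:' by connection.

Added example, not code from the LARTC thread: it reads the LOG target
format shown in K Venkat's post and reports, per connection, how many
packets from the torrent host escaped every MARK rule.
"""
import re
from collections import Counter

# The LOG target prints space-separated KEY=VALUE pairs plus bare flags
# (DF, ACK, PSH, ...). Flags carry no '=' and are skipped by this regex;
# 'IN=' with an empty value (locally generated packet) still matches.
_KV_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample, patterned on the kernel log in the post: three
# connections from the torrent host 192.168.1.105, one UDP packet from
# another (made-up) LAN host, and one unrelated kernel line.
SAMPLE_LOG = [
    "Sep 11 14:31:01 (none) kern.warn kernel: UNMARKED Packet: IN= OUT=vlan1 "
    "SRC=192.168.1.105 DST=87.11.229.118 LEN=1300 TOS=0x00 PREC=0x00 TTL=127 "
    "ID=64569 DF PROTO=TCP SPT=10305 DPT=16224 WINDOW=64396 RES=0x00 ACK URGP=0",
    "Sep 11 14:31:01 (none) kern.warn kernel: UNMARKED Packet: IN= OUT=vlan1 "
    "SRC=192.168.1.105 DST=87.11.229.118 LEN=1300 TOS=0x00 PREC=0x00 TTL=127 "
    "ID=64570 DF PROTO=TCP SPT=10305 DPT=16224 WINDOW=64396 RES=0x00 ACK PSH URGP=0",
    "Sep 11 14:31:01 (none) kern.warn kernel: UNMARKED Packet: IN= OUT=vlan1 "
    "SRC=192.168.1.105 DST=24.176.137.55 LEN=1300 TOS=0x00 PREC=0x00 TTL=127 "
    "ID=64572 DF PROTO=TCP SPT=1983 DPT=50001 WINDOW=65320 RES=0x00 ACK URGP=0",
    "Sep 11 14:31:01 (none) kern.warn kernel: UNMARKED Packet: IN= OUT=vlan1 "
    "SRC=192.168.1.105 DST=195.23.20.78 LEN=1300 TOS=0x00 PREC=0x00 TTL=127 "
    "ID=64576 DF PROTO=TCP SPT=1771 DPT=21488 WINDOW=64842 RES=0x00 ACK URGP=0",
    "Sep 11 14:31:01 (none) kern.warn kernel: UNMARKED Packet: IN= OUT=vlan1 "
    "SRC=192.168.1.105 DST=195.23.20.78 LEN=1300 TOS=0x00 PREC=0x00 TTL=127 "
    "ID=64577 DF PROTO=TCP SPT=1771 DPT=21488 WINDOW=64842 RES=0x00 ACK URGP=0",
    # constructed: a different LAN host talking UDP to a documentation address
    "Sep 11 14:31:02 (none) kern.warn kernel: UNMARKED Packet: IN= OUT=vlan1 "
    "SRC=192.168.1.120 DST=198.51.100.7 LEN=214 TOS=0x00 PREC=0x00 TTL=63 "
    "ID=1020 DF PROTO=UDP SPT=5060 DPT=5060 LEN=194",
    # constructed: not a LOG entry at all
    "Sep 11 14:31:02 (none) kern.info kernel: vlan1: link is up",
]


def parse_log_line(line, prefix="UNMARKED Packet:"):
    """Return the KEY=VALUE fields after `prefix` as a dict, or None when
    the line is not one of our LOG entries."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    return dict(_KV_RE.findall(line[idx + len(prefix):]))


def unmarked_connections(lines, host, prefix="UNMARKED Packet:"):
    """Count unmarked packets sent by `host`, keyed by
    (proto, dst, sport, dport). Entries without ports (ICMP) get port 0."""
    counts = Counter()
    for line in lines:
        fields = parse_log_line(line, prefix)
        if fields is None or fields.get("SRC") != host:
            continue
        key = (fields.get("PROTO"), fields.get("DST"),
               int(fields.get("SPT", 0)), int(fields.get("DPT", 0)))
        counts[key] += 1
    return counts


def split_by_listen_port(counts, listen_port):
    """Separate connections whose source port is the client's known
    listening port from the rest; only the first group would be caught by
    a port-based rule such as '-p tcp --sport <listen_port>'."""
    on_port = {k: n for k, n in counts.items() if k[2] == listen_port}
    off_port = {k: n for k, n in counts.items() if k[2] != listen_port}
    return on_port, off_port


def report(lines, host, listen_port):
    """Print a per-connection summary; returns the counts for reuse."""
    counts = unmarked_connections(lines, host)
    on_port, off_port = split_by_listen_port(counts, listen_port)
    for (proto, dst, spt, dpt), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        tag = "listen port" if spt == listen_port else "outbound connection"
        print(f"{proto} {host}:{spt} -> {dst}:{dpt}  {n} unmarked pkts ({tag})")
    print(f"{sum(on_port.values())} pkts on port {listen_port}, "
          f"{sum(off_port.values())} pkts on other source ports")
    return counts


if __name__ == "__main__":
    report(SAMPLE_LOG, "192.168.1.105", 10305)
```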
From: luciano at lugmen.org.ar (Luciano Ruete)
Date: Wed Sep 13 02:53:20 2006
Subject: [LARTC] Completely isolating P2P/BitTorrent traffic
In-Reply-To:
References:
Message-ID: <200609122153.43549.luciano@lugmen.org.ar>

On Tuesday 12 September 2006 11:49, K Venkat wrote:
> Hi all,
>
> I'm trying to isolate P2P traffic, specifically BitTorrent, for my QoS
> scripts. I can't seem to completely isolate ALL BitTorrent traffic.
>
> [...]
>
> I don't want to put all traffic on high-ports (>1024) into Bulk since I
> have a bunch of stuff running on high-ports outside that I access. I just
> want to be able to completely isolate P2P/BitTorrent and mark it bulk.

In my experience, the most effective way to shape p2p is to spend some time learning what is NOT p2p; then all other traffic is p2p.

If there is a new prio app with a new port, you can add it to the list of known ports; if there is a new p2p protocol that is killing out all ISPs you just enjoy and relax, cause it is already shaped.

--
Luciano

From ranmakun at arnet.com.ar Wed Sep 13 03:16:02 2006
From: ranmakun at arnet.com.ar (Francisco)
Date: Wed Sep 13 03:13:57 2006
Subject: [LARTC] Completely isolating P2P/BitTorrent traffic
In-Reply-To:
References:
Message-ID: <200609122216.02895.ranmakun@arnet.com.ar>

I'll tell you what I did to completely isolate MY bittorrent traffic.

In azureus you can tell the program to use a specific IP, so I have two IPs per PC, one for p2p and the other one as the main IP. Then I simply shape traffic from the azureus IP in each PC.

Obviously this only works for you, since you won't convince any user to do this, but I found it quite practical if that's what you need.

aMule doesn't have the same option, but this traffic is easy to detect.

On Tuesday, 12 September 2006 11:49, K Venkat wrote:
> Hi all,
>
> I'm trying to isolate P2P traffic, specifically BitTorrent, for my QoS
> scripts. I can't seem to completely isolate ALL BitTorrent traffic.
>
> [...]
>
> I don't want to put all traffic on high-ports (>1024) into Bulk since I
> have a bunch of stuff running on high-ports outside that I access. I just
> want to be able to completely isolate P2P/BitTorrent and mark it bulk.
>
> Any help appreciated.
>
> Thanks.
>
> [...]

From gypsy at iswest.com Wed Sep 13 05:51:53 2006
From: gypsy at iswest.com (gypsy)
Date: Wed Sep 13 05:51:45 2006
Subject: [LARTC] Re: htb traffic shaping problem (Charlie Meyer)
References: <20060908152712.4E52044F1@outpost.ds9a.nl> <6.2.0.14.2.20060909135043.02dd9d80@linux.sysreset.com>
Message-ID: <45078059.BF499823@iswest.com>

Bugzilla-Redirect wrote:
>
> Eric,
> I've attached the output from the command you requested below.
> I'm using kernel 2.6.17.12 and tc version ss060323. I have an nforce4
> onboard gigabit controller using the forcedeth driver, if that makes a
> difference.
>
> Charlie,
> I'll take a look at the Apache model for throttling, thanks. I was going
> for tc because I was going to try to add additional shaping to non-apache
> traffic once I got it working correctly.
>
> Thanks,
> -Ryan Power
>
> tc -s -d class show dev eth0
> class htb 1:99 parent 1:1 leaf 99: prio 0 quantum 3000 rate 900000Kbit ceil
> 1000Mbit burst 451350b/8 mpu 0b overhead 0b cburst 501375b/8 mpu 0b
> overhead 0b level 0
> Sent 48695 bytes 398 pkt (dropped 0, overlimits 0 requeues 0)
> rate 2704bit 2pps backlog 0b 0p requeues 0
> lended: 398 borrowed: 0 giants: 0
> tokens: 4326 ctokens: 4325
>
> class htb 1:1 root rate 1000Mbit ceil 1000Mbit burst 501375b/8 mpu 0b
> overhead 0b cburst 501375b/8 mpu 0b overhead 0b level 7
> Sent 32821394 bytes 994 pkt (dropped 0, overlimits 0 requeues 0)
> rate 3556Kbit 10pps backlog 0b 0p requeues 0
> lended: 0 borrowed: 0 giants: 1128
> tokens: 4325 ctokens: 4325
>
> class htb 1:10 parent 1:1 leaf 10: prio 0 quantum 3000 rate 512000bit ceil
> 512000bit burst 1755b/8 mpu 0b overhead 0b cburst 1755b/8 mpu 0b overhead
> 0b level 0
> Sent 34256069 bytes 701 pkt (dropped 0, overlimits 0 requeues 0)
> rate 3554Kbit 8pps backlog 0b 105p requeues 0
> lended: 596 borrowed: 0 giants: 1128
> tokens: -52724 ctokens: -52724

The giants indicate that your MPU (MTU) is wrong. Set it specifically. Try 1500. Search the archives for "giants" and "MPU" or "MTU".
--
gypsy

From gypsy at iswest.com Wed Sep 13 06:06:50 2006
From: gypsy at iswest.com (gypsy)
Date: Wed Sep 13 06:06:31 2006
Subject: [LARTC] HTB and tc filter
References: <450464A2.3080205@yahoo.com.br>
Message-ID: <450783DA.E78E5537@iswest.com>

d3xcrIpt wrote:
>
> Help me ...
>
> I try to use the tc filter, but it seems it doesn't work. I already
> reconfigured my kernel (2.4.32) with all options related to QoS
> enabled (as modules) and nothing happens. I got the tc tool from the
> HTB source package; well, this is my setup:
>
> eth0 is my internal NIC.
>
> tc qdisc add dev eth0 root handle 1: htb default 12
>
> tc class add dev eth0 parent 1: classid 1:1 htb rate 100kbps ceil 100kbps
> tc class add dev eth0 parent 1:1 classid 1:10 htb rate 30kbps ceil 100kbps
> tc class add dev eth0 parent 1:1 classid 1:11 htb rate 10kbps ceil 100kbps
> tc class add dev eth0 parent 1:1 classid 1:12 htb rate 60kbps ceil 100kbps
>
> tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src flowid 1:10
>
> tc qdisc add dev eth0 parent handle 20: pfifo limit 5
> tc qdisc add dev eth0 parent handle 30: pfifo limit 5
> tc qdisc add dev eth0 parent handle 40: sfq perturb 10
>
> OK. but ... when I look at the qdiscs
>
> tc -s -d qdisc
> qdisc htb 1: r2q 10 default 12 direct_packets_stat 411 ver 3.17
>  Sent 181174 bytes 1324 pkts (dropped 0, overlimits 0)
>
> qdisc pfifo 20: parent 1:10 limit 5p
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>
> qdisc pfifo 30: parent 1:11 limit 5p
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>
> qdisc sfq 40: parent 1:12 quantum 1514b limit 128p flows 128/1024 perturb 10sec
>  Sent 130091 bytes 866 pkts (dropped 0, overlimits 0)
>
> All traffic is going to the default class (1:12). I tried many filters
> with the tc tool but nothing happens.
> I looked at the modules with lsmod and "cls_u32.o" and "sch_htb.o" are
> all loaded.
>
> Thanks everyone.

"u32 match ip src "

Are you sure your IP isn't getting NATted somewhere? You can't match something that is changed!
Include a "prio" (non zero) in your filter line.

Direct packets are A Bad Thing too. Read Devik's HTB documentation.

--
gypsy

From bugzilla at sysreset.com Wed Sep 13 06:59:39 2006
From: bugzilla at sysreset.com (Bugzilla-Redirect)
Date: Wed Sep 13 06:59:22 2006
Subject: [LARTC] Re: htb traffic shaping problem
In-Reply-To: <20060912100010.9CAED4108@outpost.ds9a.nl>
References: <20060912100010.9CAED4108@outpost.ds9a.nl>
Message-ID: <6.2.0.14.2.20060912225307.02dd8f98@linux.sysreset.com>

Eric, here's the information you requested with the mtu set at 1500 (see further below):

-------------------------------------------------------------------------------------------------------------------------
root@sysreset:~# tc -s -d qdisc show dev eth0
qdisc htb 1: r2q 10 default 99 direct_packets_stat 335 ver 3.17
 Sent 10388909 bytes 763 pkt (dropped 0, overlimits 372 requeues 0)
 rate 0bit 0pps backlog 0b 11p requeues 0
qdisc sfq 10: parent 1:10 limit 128p quantum 1514b flows 128/1024
 Sent 10328092 bytes 190 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 707234b 11p requeues 0
qdisc sfq 99: parent 1:99 limit 128p quantum 1514b flows 128/1024
 Sent 19927 bytes 188 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

root@sysreset:~# tc filter show dev eth0
filter parent 1: protocol ip pref 49151 u32
filter parent 1: protocol ip pref 49151 u32 fh 801: ht divisor 1
filter parent 1: protocol ip pref 49151 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid 1:10
  match 01bb0000/ffff0000 at 20
filter parent 1: protocol ip pref 49152 u32
filter parent 1: protocol ip pref 49152 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 49152 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:10
  match 00500000/ffff0000 at 20
root@sysreset:~#
-------------------------------------------------------------------------------------------------------------------------

Gypsy, I've been playing with the mtu settings. I had initially set it to 1500, which is what the card should be at as the switch I have does not support jumbo frames.
If I set the mtu to 40,000 for the class the giants go away and everything seems to fall back into place. However, this seems waaaaay off what it should be; do you have any idea what's happening? I cannot seem to adjust the mpu setting.

-------------------------------------------------------------------------------------------------------------------------
updated classes:
tc class add dev eth0 parent 1: classid 1:1 htb rate 1000mbit ceil 1000mbit mtu 40000
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 512kbit ceil 512kbit quantum 3000 mtu 40000
tc class add dev eth0 parent 1:1 classid 1:99 htb rate 900mbit ceil 1000mbit quantum 3000 mtu 40000

root@sysreset:~# tc -s -d class show dev eth0
class htb 1:99 parent 1:1 leaf 99: prio 0 quantum 3000 rate 900000Kbit ceil 1000Mbit burst 489825b/256 mpu 0b overhead 0b cburst 539875b/256 mpu 0b overhead 0b level 0
 Sent 31203 bytes 282 pkt (dropped 0, overlimits 0 requeues 0)
 rate 7264bit 8pps backlog 0b 0p requeues 0
 lended: 282 borrowed: 0 giants: 0
 tokens: 4695 ctokens: 4657

class htb 1:1 root rate 1000Mbit ceil 1000Mbit burst 539875b/256 mpu 0b overhead 0b cburst 539875b/256 mpu 0b overhead 0b level 7
 Sent 1126563 bytes 654 pkt (dropped 0, overlimits 0 requeues 0)
 rate 254848bit 15pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 4657 ctokens: 4657

class htb 1:10 parent 1:1 leaf 10: prio 0 quantum 3000 rate 512000bit ceil 512000bit burst 40255b/256 mpu 0b overhead 0b cburst 40255b/256 mpu 0b overhead 0b level 0
 Sent 1104444 bytes 378 pkt (dropped 0, overlimits 0 requeues 0)
 rate 250464bit 10pps backlog 0b 6p requeues 0
 lended: 372 borrowed: 0 giants: 0
 tokens: -694028 ctokens: -694028

root@sysreset:~# tc -s -d qdisc show dev eth0
qdisc htb 1: r2q 10 default 99 direct_packets_stat 338 ver 3.17
 Sent 1609761 bytes 1180 pkt (dropped 0, overlimits 369 requeues 0)
 rate 0bit 0pps backlog 0b 3p requeues 0
qdisc sfq 10: parent 1:10 limit 128p quantum 1514b flows 128/1024
 Sent 1536378 bytes 509 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 29362b 3p requeues 0
qdisc sfq 99: parent 1:99 limit 128p quantum 1514b flows 128/1024
 Sent 32175 bytes 283 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

root@sysreset:~# tc filter show dev eth0
filter parent 1: protocol ip pref 49151 u32
filter parent 1: protocol ip pref 49151 u32 fh 801: ht divisor 1
filter parent 1: protocol ip pref 49151 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid 1:10
  match 01bb0000/ffff0000 at 20
filter parent 1: protocol ip pref 49152 u32
filter parent 1: protocol ip pref 49152 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 49152 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:10
  match 00500000/ffff0000 at 20
root@sysreset:~#
-------------------------------------------------------------------------------------------------------------------------

Thanks.
-Ryan Power

At 04:00 AM 9/12/2006, you wrote:
>Message: 4
>Date: Tue, 12 Sep 2006 10:36:27 +0200
>From: e.janz@barceloviajes.com
>Subject: Re: [LARTC] Re: htb traffic shaping problem (Charlie Meyer)
>To: lartc@mailman.ds9a.nl
>Message-ID:
>
>Content-Type: text/plain; charset="iso-8859-1"
>
>Hi again,
>
>sorry for my late response. Could you give us also the output of
>
>tc -s -d qdisc show dev eth0
>tc filter show dev eth0
>
>It is very strange that the rate and ceil from class 1:10 are set to
>512Kbit but the class's rate goes over 3,5Mbits!! Maybe it is a bug?
>I'm preparing a similar setup (a linux wan router on a 100Mbit lan with
>5Mbps upload/download to the Internet). We will see if I run into the same
>issues...
>
>
>Regards,
>Eric Janz

At 09:51 PM 9/12/2006, you wrote:
>The giants indicate that your MPU (MTU) is wrong. Set it specifically.
>Try 1500. Search the archives for "giants" and "MPU" or "MTU".
>--
>gypsy

From doudouyam at gmail.com Wed Sep 13 16:47:21 2006
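An added example for the giants/MTU exchange above (not code from the thread): it parses the `tc -s -d class show` listing format quoted by Ryan Power and flags the two symptoms gypsy and Eric point at, a non-zero `giants` counter (HTB's documentation defines it as packets larger than the mtu configured for the class) and a measured rate above the configured ceil. The sample input is the listing from Ryan's first message, before the mtu was raised.

```python
"""Sanity-check 'tc -s -d class show' output for an HTB tree.

Added example, not code from the LARTC thread: it parses the class
listing format quoted there and flags giants (packets larger than the
class mtu) and a measured rate above the configured ceil.
"""
import re

# tc prints bit rates with decimal prefixes: 1 Kbit = 1000 bit.
_UNIT = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}

# Listing copied from the thread (the run that still showed giants).
SAMPLE_CLASS_OUTPUT = """\
class htb 1:99 parent 1:1 leaf 99: prio 0 quantum 3000 rate 900000Kbit ceil 1000Mbit burst 451350b/8 mpu 0b overhead 0b cburst 501375b/8 mpu 0b overhead 0b level 0
 Sent 48695 bytes 398 pkt (dropped 0, overlimits 0 requeues 0)
 rate 2704bit 2pps backlog 0b 0p requeues 0
 lended: 398 borrowed: 0 giants: 0
 tokens: 4326 ctokens: 4325

class htb 1:1 root rate 1000Mbit ceil 1000Mbit burst 501375b/8 mpu 0b overhead 0b cburst 501375b/8 mpu 0b overhead 0b level 7
 Sent 32821394 bytes 994 pkt (dropped 0, overlimits 0 requeues 0)
 rate 3556Kbit 10pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 1128
 tokens: 4325 ctokens: 4325

class htb 1:10 parent 1:1 leaf 10: prio 0 quantum 3000 rate 512000bit ceil 512000bit burst 1755b/8 mpu 0b overhead 0b cburst 1755b/8 mpu 0b overhead 0b level 0
 Sent 34256069 bytes 701 pkt (dropped 0, overlimits 0 requeues 0)
 rate 3554Kbit 8pps backlog 0b 105p requeues 0
 lended: 596 borrowed: 0 giants: 1128
 tokens: -52724 ctokens: -52724
"""


def parse_rate(text):
    """Convert a tc rate string such as '512000bit', '3554Kbit' or
    '1000Mbit' to bits per second."""
    m = re.fullmatch(r"(\d+)([KMG]?)bit", text)
    if m is None:
        raise ValueError(f"unrecognised rate: {text!r}")
    return int(m.group(1)) * _UNIT[m.group(2)]


def parse_htb_classes(output):
    """Split the listing into one dict per class with the fields we need:
    configured rate/ceil from the header line, the measured rate and
    packet backlog from the stats line, and the giants counter."""
    classes = {}
    current = None
    for line in output.splitlines():
        if line.startswith("class htb "):
            head = re.match(r"class htb (\S+) .*?\brate (\S+) ceil (\S+)", line)
            if head is None:
                continue
            current = {
                "classid": head.group(1),
                "rate": parse_rate(head.group(2)),
                "ceil": parse_rate(head.group(3)),
                "measured": 0, "backlog_pkts": 0, "giants": 0,
            }
            classes[current["classid"]] = current
        elif current is not None:
            m = re.match(r"\s*rate (\S+) \d+pps backlog \S+ (\d+)p", line)
            if m:
                current["measured"] = parse_rate(m.group(1))
                current["backlog_pkts"] = int(m.group(2))
            m = re.search(r"giants: (\d+)", line)
            if m:
                current["giants"] = int(m.group(1))
    return classes


def check_htb_classes(output):
    """Return {classid: [problem, ...]}; an empty list means the class
    shows neither of the two symptoms."""
    findings = {}
    for cid, c in parse_htb_classes(output).items():
        problems = []
        if c["giants"] > 0:
            problems.append(f"giants={c['giants']}: packets larger than the class mtu")
        if c["measured"] > c["ceil"]:
            problems.append(f"measured {c['measured']} bit/s exceeds ceil {c['ceil']} bit/s")
        findings[cid] = problems
    return findings


if __name__ == "__main__":
    for cid, problems in check_htb_classes(SAMPLE_CLASS_OUTPUT).items():
        print(cid, "OK" if not problems else "; ".join(problems))
```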
From: doudouyam at gmail.com (doudouyam)
Date: Wed Sep 13 16:47:05 2006
Subject: [LARTC] HTB question
Message-ID: <81c11a560609130747s40d009e2he96391bc2ceca897@mail.gmail.com>

Hi,

I try to configure 3 HTB classes with a rate near to zero and the ceil equal to the max of the bandwidth. And I put the prio parameter for each class. In this configuration, HTB is equivalent to a Weighted Round Robin algorithm.

Is it more correct to put the right rate for each class or to play with the prio parameter, knowing that it's more difficult to know the correct rate for each class?

Do you know the min value possible to put for the rate parameter?

Thanks,
doude.

From kaber at trash.net Wed Sep 13 18:38:16 2006
From: kaber at trash.net (Patrick McHardy)
Date: Wed Sep 13 18:38:00 2006
Subject: [LARTC] HFSC traffic loss bug, kernel 2.6.16.24
In-Reply-To: <20060910152735.81EB3405C@outpost.ds9a.nl>
References: <20060910152735.81EB3405C@outpost.ds9a.nl>
Message-ID: <450833F8.30008@trash.net>

Leo Wetz wrote:
> Hello,
>
> I have finally managed to understand HFSC up to a level which allowed me to
> create a QoS script which maintains low VoIP latency while running stuff
> like eMule.
>
> Unfortunately, HFSC seems to have a severe bug.
> Why do I consider this as a bug definitely?
> Well, my script runs without any errors, then QoS works perfectly for some
> hours, no error messages in kernel log.
> Then randomly the kernel starts saying this:
>
> Sep 10 17:14:51 router kernel: HFSC: Non-work-conserving qdisc ?
> Sep 10 17:14:56 router kernel: printk: 266 messages suppressed.
> Sep 10 17:14:56 router kernel: HFSC: Non-work-conserving qdisc ?
> Sep 10 17:15:01 router kernel: printk: 259 messages suppressed.
> Sep 10 17:15:01 router kernel: HFSC: Non-work-conserving qdisc ?
> Sep 10 17:15:06 router kernel: printk: 294 messages suppressed.
> Sep 10 17:15:06 router kernel: HFSC: Non-work-conserving qdisc ?
>
> It floods the whole kernel log with this.
> Traffic is also heavily affected by packet loss when this happens, thus I
> cannot ignore it.
> I have to check my kernel log when I notice that I cannot access websites
> anymore and then restart QoS manually.
>
> My complete QoS script is attached to this mail.
> If this is not the right location for the bug report please tell me whom I
> should contact.

This is not a bug. You can't attach non-work-conserving qdiscs to HFSC (and it doesn't make any sense). Just use classes instead of adding HTB qdiscs.

From footplus at gmail.com Wed Sep 13 22:57:24 2006
From: footplus at gmail.com (f00ty)
Date: Wed Sep 13 22:57:05 2006
Subject: [LARTC] HTB shaping problem
Message-ID: <61e536f90609131357k3c74aabcw4cfaa7ae04bf126d@mail.gmail.com>

Hi all!

I'm building a network appliance whose goal is to enhance VoIP quality on 512/128k DSL links. But I have a voice quality problem, and I think I'm doing something wrong, but I can't find what. Please excuse my terrible English, I'm French.

From what I've read, tc is the tool I need. I read the documentation, READMEs and the lartc.org howto, and came to the following setup:

NA = Linux-based network appliance (in fact a standard PC)

A--[Switch]--[eth1 NA eth0]--[DSL modem]

A = 1 PC and 1 IP phone on a 192.168.0.0/24 network

On the other side, the DSL modem is a bridge type, thus I have my internet IP on the NA eth0 interface. The DSL modem is actually a 15Mbit/1024Kbit ATM, but I want to limit the upload to 128Kbit/s, to test the VoIP thing.

My plan: HTB qdisc with overall rate at 128kbit, and 2 classes, one with prio 1 (for VoIP) and one with prio 2 (for other data), each of them rated at 1kbit/s and ceiled at 128kbit/s. And, on top of this, SFQ qdiscs for fairness.
So:

$TC qdisc add dev eth0 root handle 1: htb default 3
$TC class add dev eth0 parent 1: classid 1:1 htb rate 128kbit burst 6k
$TC class add dev eth0 parent 1:1 classid 1:2 htb quantum 1600 rate 1kbit ceil 128kbit prio 1
$TC qdisc add dev eth0 parent 1:2 handle 2: sfq perturb 10
$TC class add dev eth0 parent 1:1 classid 1:3 htb quantum 1600 rate 1kbit ceil 128kbit prio 2
$TC qdisc add dev eth0 parent 1:3 handle 3: sfq perturb 10

And my packets are classified by the following in the iptables mangle table, FORWARD chain (my IP phone has 192.168.0.42, and the PC 192.168.0.3):

Chain FORWARD (policy ACCEPT 3400K packets, 9214M bytes)
 pkts bytes target     prot opt in     out     source               destination
  284  118K CLASSIFY   udp  --  eth1   eth0    192.168.0.42         0.0.0.0/0           CLASSIFY set 1:2
  284  118K RETURN     udp  --  eth1   eth0    192.168.0.42         0.0.0.0/0
12679   19M CLASSIFY   tcp  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0           CLASS  IFY set 1:3
12679   19M RETURN     tcp  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0

(Here is a thing that I don't understand: why am I not classifying the packets with 2: or 3:? When I do, the traffic is entirely stopped... I surely miss something here.)

So, the packets get classified, and effectively, they are prioritized. _But_ I do hear some cuts in the voice that's sent through the NA when I'm doing some uploads (like some lazy wget --post-file=/tmp/some-big-iso-file.iso - yeah, I could use nc, but.. :) )

Shouldn't the voice be absolutely clean with this setup? Or am I missing something important?
For the sake of completeness:

# tc -s -d qdisc show dev eth0
qdisc htb 1: r2q 10 default 5 direct_packets_stat 871 ver 3.17
 Sent 25977039 bytes 18250 pkt (dropped 0, overlimits 28929 requeues 0)
 rate 0bit 0pps backlog 0b 28p requeues 0
qdisc sfq 2: parent 1:2 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 162753 bytes 380 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 3: parent 1:3 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 25678966 bytes 16999 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 42392b 28p requeues 0

# tc -s -d class show dev eth0
class htb 1:1 root rate 128000bit ceil 128000bit burst 6Kb/8 mpu 0b overhead 0b cburst 1664b/8 mpu 0b overhead 0b level 7
 Sent 26406423 bytes 17759 pkt (dropped 0, overlimits 0 requeues 0)
 rate 127968bit 10pps backlog 0b 0p requeues 0
 lended: 17232 borrowed: 0 giants: 0
 tokens: 92249 ctokens: -187751

class htb 1:2 parent 1:1 leaf 2: prio 1 quantum 1600 rate 1000bit ceil 128000bit burst 1600b/8 mpu 0b overhead 0b cburst 1664b/8 mpu 0b overhead 0b level 0
 Sent 166201 bytes 388 pkt (dropped 0, overlimits 0 requeues 0)
 rate 856bit 0pps backlog 0b 0p requeues 0
 lended: 388 borrowed: 0 giants: 0
 tokens: 6986400 ctokens: 77500

class htb 1:3 parent 1:1 leaf 3: prio 3 quantum 1600 rate 1000bit ceil 128000bit burst 1600b/8 mpu 0b overhead 0b cburst 1664b/8 mpu 0b overhead 0b level 0
 Sent 26278072 bytes 17396 pkt (dropped 0, overlimits 0 requeues 0)
 rate 127144bit 10pps backlog 0b 25p requeues 0
 lended: 139 borrowed: 17232 giants: 0
 tokens: -20775252 ctokens: -87749

Thank you all!

--
f00ty
"Tact is the art of making a point without making an enemy."

From namithajr at gmail.com Thu Sep 14 10:55:14 2006
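A worked calculation added to f00ty's question above (not part of the original message). It assumes full-size packets on the bulk class 1:3, which the posted statistics support (sfq 3: backlog 42392b in 28p is about 1514 bytes per packet), and a 20 ms VoIP packetisation interval, which the post does not state.

With the root class limited to $R = 128\,000$ bit/s, one packet of $L = 1500$ bytes from class 1:3 uses up

$$t_{\mathrm{ser}} = \frac{8L}{R} = \frac{8 \cdot 1500}{128\,000}\ \mathrm{s} = 93.75\ \mathrm{ms}$$

of the root class's credit. prio 1 only decides which class is served next; it cannot take back the credit a bulk packet has just consumed, so a voice packet that arrives right behind one waits until that credit is refilled, i.e. up to $t_{\mathrm{ser}}$ and on average about half of it. With voice frames every $T = 20$ ms the worst case spans

$$\frac{t_{\mathrm{ser}}}{T} = \frac{93.75\ \mathrm{ms}}{20\ \mathrm{ms}} \approx 4.7$$

frames of jitter, enough to overrun a small jitter buffer. Because the figure scales with $L/R$, it is inherent to pushing 1500-byte packets through a 128 kbit/s shaper rather than a sign of a mistake in the class tree.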
From: namithajr at gmail.com (Namitha Rao) Date: Thu Sep 14 10:54:58 2006 Subject: [LARTC] HTB and per-connection bandwidth allocation Message-ID: Hi http://mailman.ds9a.nl/pipermail/lartc/2002q3/004977.html I have the same problem to discuss as in the above link. I want to allocate, say, X Mbit per individual connection regardless of the number of connections. Could anyone kindly suggest how I should proceed? I have tried with SFQ but it does not yield my requirement. Thanks, Namitha. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060914/5335bbfa/attachment.htm From e.janz at barceloviajes.com Thu Sep 14 12:53:13 2006 
From: e.janz at barceloviajes.com (e.janz@barceloviajes.com) Date: Thu Sep 14 12:52:06 2006 Subject: [LARTC] Re: htb traffic shaping problem In-Reply-To: <6.2.0.14.2.20060912225307.02dd8f98@linux.sysreset.com> Message-ID: Hi, could you check the MTU set on eth0 with an ifconfig? I tried my own setup and it works fine... Regards, Eric Janz Systems Department Grupo Barceló Viajes C/ 16 de Julio, 75 07009 Polígono Son Castelló Palma de Mallorca - Baleares Tel.: +34 971 448030 Fax.: +34 971 436986 Bugzilla-Redirect Sent by: lartc-bounces@mailman.ds9a.nl 13/09/2006 07:00 To lartc@mailman.ds9a.nl cc Subject [LARTC] Re: htb traffic shaping problem Eric, here's the information you requested with the mtu set at 1500 (see further below): ------------------------------------------------------------------------------------------------------------------------- root@sysreset:~# tc -s -d qdisc show dev eth0 qdisc htb 1: r2q 10 default 99 direct_packets_stat 335 ver 3.17 Sent 10388909 bytes 763 pkt (dropped 0, overlimits 372 requeues 0) rate 0bit 0pps backlog 0b 11p requeues 0 qdisc sfq 10: parent 1:10 limit 128p quantum 1514b flows 128/1024 Sent 10328092 bytes 190 pkt (dropped 0, overlimits 0 requeues 0) rate 0bit 0pps backlog 707234b 11p requeues 0 qdisc sfq 99: parent 1:99 limit 128p quantum 1514b flows 128/1024 Sent 19927 bytes 188 pkt (dropped 0, overlimits 0 requeues 0) rate 0bit 0pps backlog 0b 0p requeues 0 root@sysreset:~# tc filter show dev eth0 filter parent 1: protocol ip pref 49151 u32 filter parent 1: protocol ip pref 49151 u32 fh 801: ht divisor 1 filter parent 1: protocol ip pref 49151 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid 1:10 match 01bb0000/ffff0000 at 20 filter parent 1: protocol ip pref 49152 u32 filter parent 1: protocol ip pref 49152 u32 fh 800: ht divisor 1 filter parent 1: protocol ip pref 49152 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:10 match 00500000/ffff0000 at 20 root@sysreset:~# 
------------------------------------------------------------------------------------------------------------------------- Gypsy, I've been playing with the mtu settings. I had initially set it to 1500, which is what the card should be at as the switch I have does not support jumbo frames. If I set the mtu to 40,000 for the class the giants go away and everything seems to fall back into place. However, this seems waaaaay off what it should be; do you have any idea what's happening? I cannot seem to adjust the mpu setting. ------------------------------------------------------------------------------------------------------------------------- updated classes: tc class add dev eth0 parent 1: classid 1:1 htb rate 1000mbit ceil 1000mbit mtu 40000 tc class add dev eth0 parent 1:1 classid 1:10 htb rate 512kbit ceil 512kbit quantum 3000 mtu 40000 tc class add dev eth0 parent 1:1 classid 1:99 htb rate 900mbit ceil 1000mbit quantum 3000 mtu 40000 root@sysreset:~# tc -s -d class show dev eth0 class htb 1:99 parent 1:1 leaf 99: prio 0 quantum 3000 rate 900000Kbit ceil 1000Mbit burst 489825b/256 mpu 0b overhead 0b cburst 539875b/256 mpu 0b overhead 0b level 0 Sent 31203 bytes 282 pkt (dropped 0, overlimits 0 requeues 0) rate 7264bit 8pps backlog 0b 0p requeues 0 lended: 282 borrowed: 0 giants: 0 tokens: 4695 ctokens: 4657 class htb 1:1 root rate 1000Mbit ceil 1000Mbit burst 539875b/256 mpu 0b overhead 0b cburst 539875b/256 mpu 0b overhead 0b level 7 Sent 1126563 bytes 654 pkt (dropped 0, overlimits 0 requeues 0) rate 254848bit 15pps backlog 0b 0p requeues 0 lended: 0 borrowed: 0 giants: 0 tokens: 4657 ctokens: 4657 class htb 1:10 parent 1:1 leaf 10: prio 0 quantum 3000 rate 512000bit ceil 512000bit burst 40255b/256 mpu 0b overhead 0b cburst 40255b/256 mpu 0b overhead 0b level 0 Sent 1104444 bytes 378 pkt (dropped 0, overlimits 0 requeues 0) rate 250464bit 10pps backlog 0b 6p requeues 0 lended: 372 borrowed: 0 giants: 0 tokens: -694028 ctokens: -694028 root@sysreset:~# tc -s -d 
qdisc show dev eth0 qdisc htb 1: r2q 10 default 99 direct_packets_stat 338 ver 3.17 Sent 1609761 bytes 1180 pkt (dropped 0, overlimits 369 requeues 0) rate 0bit 0pps backlog 0b 3p requeues 0 qdisc sfq 10: parent 1:10 limit 128p quantum 1514b flows 128/1024 Sent 1536378 bytes 509 pkt (dropped 0, overlimits 0 requeues 0) rate 0bit 0pps backlog 29362b 3p requeues 0 qdisc sfq 99: parent 1:99 limit 128p quantum 1514b flows 128/1024 Sent 32175 bytes 283 pkt (dropped 0, overlimits 0 requeues 0) rate 0bit 0pps backlog 0b 0p requeues 0 root@sysreset:~# tc filter show dev eth0 filter parent 1: protocol ip pref 49151 u32 filter parent 1: protocol ip pref 49151 u32 fh 801: ht divisor 1 filter parent 1: protocol ip pref 49151 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid 1:10 match 01bb0000/ffff0000 at 20 filter parent 1: protocol ip pref 49152 u32 filter parent 1: protocol ip pref 49152 u32 fh 800: ht divisor 1 filter parent 1: protocol ip pref 49152 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:10 match 00500000/ffff0000 at 20 root@sysreset:~# ------------------------------------------------------------------------------------------------------------------------- Thanks. -Ryan Power At 04:00 AM 9/12/2006, you wrote: >Message: 4 >Date: Tue, 12 Sep 2006 10:36:27 +0200 
>From: e.janz@barceloviajes.com >Subject: Re: [LARTC] Re: htb traffic shaping problem (Charlie Meyer) >To: lartc@mailman.ds9a.nl >Message-ID: > >Content-Type: text/plain; charset="iso-8859-1" > >Hi again, > >sorry for my late response. Could you also give us the output of > >tc -s -d qdisc show dev eth0 >tc filter show dev eth0 > >It is very strange that the rate and ceil from class 1:10 are set to >512Kbit but the class's rate goes over 3,5Mbits!! Maybe it is a bug? >I'm preparing a similar setup (a linux wan router on a 100Mbit lan with >5Mbps upload/download to the Internet). We will see if I run into the same >issues... > > >Regards, >Eric Janz At 09:51 PM 9/12/2006, you wrote: >The giants indicate that your MPU (MTU) is wrong. Set it specifically. >Try 1500. Search the archives for "giants" and "MPU" or "MTU". >-- >gypsy _______________________________________________ LARTC mailing list LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060914/77a3da26/attachment.html From geraldhuet at yahoo.fr Thu Sep 14 13:52:35 2006 
From: geraldhuet at yahoo.fr (gerald HUET) Date: Thu Sep 14 13:52:41 2006 Subject: [LARTC] HFSC traffic loss bug, kernel 2.6.16.24 In-Reply-To: <450833F8.30008@trash.net> Message-ID: <20060914115235.43060.qmail@web26515.mail.ukl.yahoo.com> Hello, could you please explain what a "non-work-conserving qdisc" is and why it doesn't make sense? Gérald ----- Original message ---- From: Patrick McHardy To: Leo Wetz Cc: lartc@mailman.ds9a.nl Sent: Wednesday, 13 September 2006, 4:38:16 Subject: Re: [LARTC] HFSC traffic loss bug, kernel 2.6.16.24 Leo Wetz wrote: > Hello, > > I have finally managed to understand HFSC up to a level which allowed me to > create a QoS script which maintains low VoIP latency while running stuff > like eMule. > > Unfortunately, HFSC seems to have a severe bug. > Why do I consider this definitely a bug? > Well, my script runs without any errors, then QoS works perfectly for some > hours, no error messages in the kernel log. > Then randomly the kernel starts saying this: > > Sep 10 17:14:51 router kernel: HFSC: Non-work-conserving qdisc ? > Sep 10 17:14:56 router kernel: printk: 266 messages suppressed. > Sep 10 17:14:56 router kernel: HFSC: Non-work-conserving qdisc ? > Sep 10 17:15:01 router kernel: printk: 259 messages suppressed. > Sep 10 17:15:01 router kernel: HFSC: Non-work-conserving qdisc ? > Sep 10 17:15:06 router kernel: printk: 294 messages suppressed. > Sep 10 17:15:06 router kernel: HFSC: Non-work-conserving qdisc ? > > It floods the whole kernel log with this. > Traffic is also heavily affected by packet loss when this happens, thus I > cannot ignore it. > I have to check my kernel log when I notice that I cannot access websites > anymore and then restart QoS manually. > > My complete QoS script is attached to this mail. > If this is not the right location for the bug report please tell me whom I > should contact. This is not a bug. You can't attach non-work-conserving qdiscs to HFSC (and it doesn't make any sense). 
Just use classes instead of adding HTB qdiscs. From fourcentsshy at velotech.net Fri Sep 15 00:14:50 2006 
From: fourcentsshy at velotech.net (fourcentsshy) Date: Fri Sep 15 00:15:02 2006 Subject: [LARTC] tc is giving an error: RTNETLINK answers: File exists Message-ID: <1158272090.7705.25.camel@glyph.velotech.net> Hello, I'm using tc to limit the bandwidth of our wireless customers. I have a working script, but I'm not happy with it. I'm trying to write a more sophisticated script, but when I run it, it gives me this error: RTNETLINK answers: File exists I have no idea what this error means or how to fix it. Here is a portion of the script (the whole script shapes several interfaces): IDEV='eth5' TC='/sbin/tc' IPS='/etc/sysconfig/shaper/shape.ips' # high priority destination ports - I'll fill these in later (when this # thing works) HIGHPORT= # low priority destination ports LOWPORT= $TC qdisc add dev $IDEV root handle 1: cbq bandwidth 1600Kbit cell 8\ avpkt 1000 mpu 64 $TC class add dev $IDEV parent 1: classid 1:1 est 1sec 8sec cbq\ bandwidth 1600Kbit rate 1500kbit allot 1514 maxburst 20 avpkt 1000\ prio 0 bounded isolated cat $IPS | sed -e 's/#.*$//; s/^ *$//;' | while read IP RATE STATUS; do if [ "x$IP" == "x" ]; then continue fi # I use the last byte of the customer's IP's for the handle, which range # from 76 to 135 ATM. HANDLE="${IP##*.}" # I get the error from the next line. Because it fails to create the # qdisc all the rest fail too. 
$TC qdisc add dev $IDEV parent 1:1 handle 1:$HANDLE cbq\ bandwidth 1600Kbit cell 8 avpkt 1000 mpu 64 $TC class add dev $IDEV parent 1:$HANDLE classid $HANDLE:\ est 1sec 8sec cbq bandwidth 1600Kbit rate ${RATE}kbit allot 1514\ maxburst 20 avpkt 1000 prio 1 bounded isolated $TC class add dev $IDEV parent $HANDLE: classid $HANDLE:1\ est 1sec 8sec cbq bandwidth 1600Kbit rate ${RATE}kbit allot 1514\ maxburst 20 avpkt 1000 prio 2 $TC class add dev $IDEV parent $HANDLE: classid $HANDLE:2 est 1sec\ 8sec cbq bandwidth 1600Kbit rate $[9*$RATE/10]kbit allot 1514\ maxburst 20 avpkt 1000 prio 3 $TC class add dev $IDEV parent $HANDLE: classid $HANDLE:3 est 1sec\ 8sec cbq bandwidth 1600Kbit rate $[8*$RATE/10]kbit allot 1514\ maxburst 20 avpkt 1000 prio 4 $TC qdisc add dev $IDEV parent $HANDLE:1 sfq quantum 1514b\ perturb 15 $TC qdisc add dev $IDEV parent $HANDLE:2 sfq quantum 1514b\ perturb 15 $TC qdisc add dev $IDEV parent $HANDLE:3 sfq quantum 1514b\ perturb 15 $TC filter add dev $IDEV parent 1: protocol ip prio 16\ u32 match ip src $IP flowid $HANDLE: $TC filter add dev $IDEV parent $HANDLE: protocol ip prio 10\ u32 match ip tos 0x10 0xff flowid $HANDLE:1 $TC filter add dev $IDEV parent $HANDLE: protocol ip prio 11\ u32 match ip protocol 1 0xff flowid $HANDLE:1 $TC filter add dev $IDEV parent $HANDLE: protocol ip prio 12\ u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16\ 0x0000 0xffc0 at 2 flowid $HANDLE:1 for a in $HIGHPORT; do $TC filter add dev $IDEV parent 1:0 protocol ip prio 14\ u32 match ip dport $a 0xffff flowid $HANDLE:1 done for a in $LOWPORT; do $TC filter add dev $IDEV parent 1:0 protocol ip prio 16\ u32 match ip dport $a 0xffff flowid $HANDLE:3 done $TC filter add dev $IDEV parent 1:0 protocol ip prio 15\ u32 match ip dst 0.0.0.0/0 flowid $HANDLE:2 done There are bound to other problems with this script, but until I can get past the current one, I'm dead in the water. TIA William Murphy Network Administrator Velocity Technologies, Inc. 
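As an added example (not part of the thread and not William's script): a small POSIX shell helper that packs qdisc and class handles the way iproute2's tc does, so a generated shaping script can check for handle collisions before it calls tc. Two properties of tc's handle parsing are assumed here and matter for the script above: a qdisc handle is read as a hex major number and whatever follows the colon is ignored, so `handle 1:76` names the same qdisc handle as the root's `1:` and the kernel answers with EEXIST, which tc prints as "RTNETLINK answers: File exists"; and major and minor numbers are 16-bit hex fields, so a decimal last octet such as 135 is read as 0x135 and is well inside the range. The function names (qdisc_handle, class_handle, qdisc_collision) are the example's own.

```shell
#!/bin/sh
# Added example: mimic tc's handle parsing to catch collisions before
# the shaping script runs. Assumptions (from iproute2's get_qdisc_handle
# and get_tc_classid): a qdisc handle is hex MAJOR up to ':' with the
# rest ignored, packed as MAJOR << 16; a class id is hex MAJOR:MINOR;
# both fields are 16 bits, so the maximum is ffff.

# qdisc_handle HANDLE -> packed handle in hex (no 0x), or exit status 1
qdisc_handle() {
    maj=${1%%:*}                       # text before the first ':' (or all of it)
    case $maj in
        ''|*[!0-9a-fA-F]*) return 1 ;; # hex digits only (tc's strtoul also takes 0x)
    esac
    [ "$((0x$maj))" -le 65535 ] || return 1   # major is a 16-bit field
    printf '%x\n' "$(( (0x$maj) << 16 ))"
}

# class_handle MAJOR:MINOR -> packed class id in hex, or exit status 1
class_handle() {
    case $1 in *:*) ;; *) return 1 ;; esac
    maj=${1%%:*}
    min=${1#*:}
    min=${min:-0}                      # "76:" means minor 0, as in tc
    for f in "$maj" "$min"; do
        case $f in ''|*[!0-9a-fA-F]*) return 1 ;; esac
        [ "$((0x$f))" -le 65535 ] || return 1
    done
    printf '%x\n' "$(( (0x$maj << 16) | 0x$min ))"
}

# qdisc_collision HANDLE... -> prints the first handle whose packed value
# repeats an earlier one (the condition behind "File exists"); exit status
# 1 when every handle is distinct, 2 when one does not parse at all
qdisc_collision() {
    seen=" "
    for h in "$@"; do
        packed=$(qdisc_handle "$h") || { echo "bad handle: $h" >&2; return 2; }
        case $seen in *" $packed "*) echo "$h"; return 0 ;; esac
        seen="$seen$packed "
    done
    return 1
}

# The qdiscs the posted script tries to create on eth5, in order:
qdisc_collision 1: 1:76 || echo "no collision"       # prints 1:76
# One major number per customer keeps them distinct (hex, so .135 is 135:):
qdisc_collision 1: 76: 135: || echo "no collision"   # prints "no collision"
```

A script that builds its handles from customer addresses can run qdisc_collision over the full list once, before the first tc call, and refuse to proceed on any output; the class ids that hang off each customer's qdisc (76:1, 76:2, ...) are checked the same way with class_handle.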
From lsharpe at pacificwireless.com.au Fri Sep 15 00:31:56 2006 From: lsharpe at pacificwireless.com.au (Leigh Sharpe) Date: Fri Sep 15 00:32:10 2006 Subject: [LARTC] tc is giving an error: RTNETLINK answers: File exists In-Reply-To: <1158272090.7705.25.camel@glyph.velotech.net> Message-ID: This is usually because you are attempting to create a class ID or a Qdisc ID which already exists. Check what value $HANDLE is on each iteration, perhaps using an echo on each pass to display it. I think you'll find it is trying to use the same value twice. Regards, Leigh Leigh Sharpe Network Systems Engineer Pacific Wireless Ph +61 3 9584 8966 Mob 0408 009 502 email lsharpe@pacificwireless.com.au web www.pacificwireless.com.au -----Original Message----- 
From: fourcentsshy [mailto:fourcentsshy@velotech.net] Sent: Friday, September 15, 2006 8:15 AM To: lartc@mailman.ds9a.nl Subject: [LARTC] tc is giving an error: RTNETLINK answers: File exists Hello, I'm using tc to limit the bandwidth of our wireless customers. I have a working script, but I'm not happy with it. I'm trying to write a more sophisticated script, but when I run it, it give me this error: RTNETLINK answers: File exists I have no idea what this error means or how to fix it. Here is a portion of the script (the whole script shapes several interfaces): IDEV='eth5' TC='/sbin/tc' IPS='/etc/sysconfig/shaper/shape.ips' # high priority destination ports - I'll fill these in later (when this # thing works) HIGHPORT= # low priority destination ports LOWPORT= $TC qdisc add dev $IDEV root handle 1: cbq bandwidth 1600Kbit cell 8\ avpkt 1000 mpu 64 $TC class add dev $IDEV parent 1: classid 1:1 est 1sec 8sec cbq\ bandwidth 1600Kbit rate 1500kbit allot 1514 maxburst 20 avpkt 1000\ prio 0 bounded isolated cat $IPS | sed -e 's/#.*$//; s/^ *$//;' | while read IP RATE STATUS; do if [ "x$IP" == "x" ]; then continue fi # I use the last byte of the customer's IP's for the handle, which range # from 76 to 135 ATM. HANDLE="${IP##*.}" # I get the error from the next line. Because it fails to create the # qdisc all the rest fail too. 
$TC qdisc add dev $IDEV parent 1:1 handle 1:$HANDLE cbq\ bandwidth 1600Kbit cell 8 avpkt 1000 mpu 64 $TC class add dev $IDEV parent 1:$HANDLE classid $HANDLE:\ est 1sec 8sec cbq bandwidth 1600Kbit rate ${RATE}kbit allot 1514\ maxburst 20 avpkt 1000 prio 1 bounded isolated $TC class add dev $IDEV parent $HANDLE: classid $HANDLE:1\ est 1sec 8sec cbq bandwidth 1600Kbit rate ${RATE}kbit allot 1514\ maxburst 20 avpkt 1000 prio 2 $TC class add dev $IDEV parent $HANDLE: classid $HANDLE:2 est 1sec\ 8sec cbq bandwidth 1600Kbit rate $[9*$RATE/10]kbit allot 1514\ maxburst 20 avpkt 1000 prio 3 $TC class add dev $IDEV parent $HANDLE: classid $HANDLE:3 est 1sec\ 8sec cbq bandwidth 1600Kbit rate $[8*$RATE/10]kbit allot 1514\ maxburst 20 avpkt 1000 prio 4 $TC qdisc add dev $IDEV parent $HANDLE:1 sfq quantum 1514b\ perturb 15 $TC qdisc add dev $IDEV parent $HANDLE:2 sfq quantum 1514b\ perturb 15 $TC qdisc add dev $IDEV parent $HANDLE:3 sfq quantum 1514b\ perturb 15 $TC filter add dev $IDEV parent 1: protocol ip prio 16\ u32 match ip src $IP flowid $HANDLE: $TC filter add dev $IDEV parent $HANDLE: protocol ip prio 10\ u32 match ip tos 0x10 0xff flowid $HANDLE:1 $TC filter add dev $IDEV parent $HANDLE: protocol ip prio 11\ u32 match ip protocol 1 0xff flowid $HANDLE:1 $TC filter add dev $IDEV parent $HANDLE: protocol ip prio 12\ u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16\ 0x0000 0xffc0 at 2 flowid $HANDLE:1 for a in $HIGHPORT; do $TC filter add dev $IDEV parent 1:0 protocol ip prio 14\ u32 match ip dport $a 0xffff flowid $HANDLE:1 done for a in $LOWPORT; do $TC filter add dev $IDEV parent 1:0 protocol ip prio 16\ u32 match ip dport $a 0xffff flowid $HANDLE:3 done $TC filter add dev $IDEV parent 1:0 protocol ip prio 15\ u32 match ip dst 0.0.0.0/0 flowid $HANDLE:2 done There are bound to other problems with this script, but until I can get past the current one, I'm dead in the water. TIA William Murphy Network Administrator Velocity Technologies, Inc. 
From fourcentsshy at velotech.net Fri Sep 15 01:11:28 2006 From: fourcentsshy at velotech.net (fourcentsshy) Date: Fri Sep 15 01:11:45 2006 Subject: [LARTC] tc is giving an error: RTNETLINK answers: File exists Message-ID: <1158275488.7705.45.camel@glyph.velotech.net> On Fri, 2006-09-15 at 08:31 +1000, Leigh Sharpe wrote: > This is usually because you are attempting to create a class ID or a Qdisc ID which already exists. > Check what value $HANDLE is on each iteration, perhaps using an echo on each pass to display it. I think you'll find it is trying to use the same value twice. > > > Regards, > Leigh > > Leigh Sharpe > Network Systems Engineer > Pacific Wireless > Ph +61 3 9584 8966 > Mob 0408 009 502 > email lsharpe@pacificwireless.com.au > web www.pacificwireless.com.au > Thanks for the quick reply. Not only have I tried that, I inserted an exit statement after the first iteration (to limit the info). The first qdisc in the loop has the handle 1:76 and its parent is 1:1. The only other qdisc is the root qdisc that is created before the loop. The script also does a reset, deleting any existing qdiscs, classes or filters, before creating any new ones. Is there a limit to how large the handle can be? Cheers, William Murphy Network Administrator Velocity Technologies, Inc. From anakinv7 at hotmail.com Fri Sep 15 04:24:48 2006 
From: anakinv7 at hotmail.com (Vladimir Burciaga Aguilar) Date: Fri Sep 15 04:25:00 2006 Subject: [LARTC] Problem with Load Balancing Message-ID: Hi everybody! I'm trying to implement load balancing for a LAN with two ISPs. I've installed a SUSE Linux Enterprise Server 9 with iproute2 for that purpose. The server has two NICs, one of them is for both the LAN and ISP 1. I've set up both NICs with YaST (if I use ip for this, then the whole thing doesn't work!) and execute the following commands to set up the routing tables: ip route flush cache ip route flush default ip route flush table 1 ip route flush table 2 ip route add 10.1.254.0/24 dev eth0 src 10.1.254.251 ip route add 10.1.1.0/24 dev eth1 src 10.1.1.200 ip route show table main | while read ROUTE ; do ip route add table 1 $ROUTE ; done ip route show table main | while read ROUTE ; do ip route add table 2 $ROUTE ; done ip route add table 1 default via 10.1.254.254 ip route add table 2 default via 10.1.1.254 ip rule add from 10.1.254.251 table 1 ip rule add from 10.1.1.200 table 2 ip route add default equalize nexthop via 10.1.254.254 dev eth0 weight 1 \ nexthop via 10.1.1.254 dev eth1 weight 1 (All of this came from http://linux.lcampino.cl/wiki/index.php/Balanceo_de_Carga#Configurando_la_red (in Spanish)). At this point, things seem to work fine. I browse on the server and watch with iptraf that both NICs have traffic, but not at a 50%-50% rate. Now I need to implement the following: - Make the load balancing as near to a 50%-50% rate as possible (both Internet connections have equal bandwidth). - When one of the links goes down, all the traffic is redirected to the other immediately and automatically. Also, when the link is up again, the load balancing restarts too. - If possible, when downloading a single big file (i.e. *.exe, *.iso), the packets come from both connections. I've read a lot about this, but I'm still confused and very, very lost...! 
:-))) I'm not sure if I need to adjust some kernel parameters and rebuild it, execute another sequence of commands, apply a kernel patch, etc. I would really appreciate it if someone could bring me some light in all this, or tell me what documentation, web page or patch I need to use. Thanks in advance for all your time and recommendations! P.S. Sorry for my English! From luciano at lugmen.org.ar Fri Sep 15 04:55:34 2006 From: luciano at lugmen.org.ar (Luciano Ruete) Date: Fri Sep 15 04:55:44 2006 Subject: [LARTC] HTB and per-connection bandwidth allocation In-Reply-To: References: Message-ID: <200609142355.34568.luciano@lugmen.org.ar> On Thursday 14 September 2006 05:55, Namitha Rao wrote: > Hi > > http://mailman.ds9a.nl/pipermail/lartc/2002q3/004977.html > > I have the same problem to discuss as in the above link. I want to allocate > say X MBit per individual connection regardless of the number of > connections. Kindly could anyone suggest how I should proceed. > I have tried with SFQ but it does not yield my requirement.. With CONNTRACK/CONNMARK you can get an individual mark per connection, then you will need to allocate a dynamic qdisc/class/filter to match that mark. Problems that I see: - do not know if there is an easy way to know what mark was assigned, but you can always 'use the source' - do not have experience adding and deleting qdisc/class/filter on a millisecond basis. Not sure at all, but I think that is possible. -- Luciano From wtm at harbec.com Fri Sep 15 06:12:16 2006 
From: wtm at harbec.com (William T Mullaney) Date: Fri Sep 15 06:12:35 2006 Subject: [LARTC] Problem with Load Balancing Message-ID: <4986F8D166F1E44CBA92A91C98ACAD5214CA0E@sql_server> Vlad, We have also set up a somewhat similar method of load balancing. Our traffic is never a 50-50 split (well 3:2 is how we have it set, but it doesn't always get close to that), but as the load picks up, it tends to be closer to the actual amount. Dead gateway detection has never worked for us, and one day I'll probably bother other members of the LARTC group to get some help, but the method that we use is to check the output of the ip neighbor command. Basically, if our two ISPs are 10.1.1.254 and 10.2.2.254, we run a bash script via cron every minute that does a call something like: ETH1=$(ip neigh show 10.1.1.254 | egrep -c "REACHABLE|DELAY|PROBE|STALE") ETH2=$(ip neigh show 10.2.2.254 | egrep -c "REACHABLE|DELAY|PROBE|STALE") The neighbor system basically monitors ARP and if it sees a message leave an interface without a reply after something like 3-5 seconds, it moves the interface to DELAY, after another few seconds it moves to PROBE and does an active arp request, and if that fails to work in a few seconds, it becomes INCOMPLETE or FAILED or just simply isn't listed. If no data is sent either way for a while, the entry can be marked STALE or removed. With the above lines, we get a 1 in the ETH1 or ETH2 variables if the next neighbor is up, and a 0 if not. From there you can use some if scripts to detect if both are up, or if only one is up, which one. 
In our case, if both are up we clear the default route and then make it something like ip route add default nexthop via 10.1.1.254 dev eth1 weight 1 \ nexthop via 10.2.2.254 dev eth2 weight 1 and if only one is up we clear it and make it : ip route add default nexthop via 10.1.1.254 dev eth1 or ip route add default nexthop via 10.2.2.254 dev eth2 With some additional scripting we can allow this to be overridden, we can set the link to prefer using only one line, but switch to the other if the preferred line fails, and to take input from programs like Nagios to auto-prefer one line or another if ping times get high, etc. In addition, the script remembers the state it was in (so that it only changes the routing table when needed), controls DNS, can flush the DNS cache, and reports status back to Nagios. Once I get all the bugs out and some documentation, I'd be happy to post it to the news group, though you or anyone else can send me an email if you would like to take a look at it before then. In practice, this method usually detects and adjusts outbound connections quickly without user intervention; DNS changes with short TTLS take care of inbound connections. Just be careful... if you don't have something sending traffic out to your upstream routers (and back) every few minutes, the entry in your ARP table can potentially be removed and thus cause your system to think an unused gateway has failed, or that a recovered gateway is still down. This could be checked with a quick "if ip neigh test fails, ping neighbor 5 times, then test again before making decisions". Running an uptime monitor that pings or does something else to/through the gateway (regardless of default route) also takes care of this. -Will -----Original Message----- 
From: Vladimir Burciaga Aguilar [mailto:anakinv7@hotmail.com] Sent: Thursday, September 14, 2006 10:25 PM To: lartc@mailman.ds9a.nl Subject: [LARTC] Problem with Load Balancing Hi everybody! I'm trying to implement the load balancing for a LAN with two ISPs. I've installed a Suse Linux Enterpise Server 9 with iproute2 for that porpouse. The server have two NICs, one of them is for both the LAN and ISP 1. I've setup both NICs with YAST (if I use ip for this, then the whole thing doesn't work!) and execute the following commands to setup the routing tables: ip route flush cache ip route flush default ip route flush table 1 ip route flush table 2 [snip] -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060915/9cd14447/attachment.htm From gypsy at iswest.com Fri Sep 15 06:36:16 2006 
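As an added example (not Will's script, which he says he will post later): a POSIX shell sketch of the gateway check he describes, written so the decision logic can be exercised on constructed `ip neigh show` lines without touching the routing table. It keeps his neighbour states (REACHABLE, DELAY, PROBE and STALE count as up), adds the ping-then-recheck step he suggests for an entry that has simply been garbage-collected, and emits the route command rather than applying it; `ip route replace` stands in for his delete-then-add so that the table changes in one operation. The gateway addresses and interface names are the ones from his post; the sample output lines and the function names (neigh_up, gateway_state, default_route_cmd) are constructed for the example.

```shell
#!/bin/sh
# Added example: decide the default route from the ARP neighbour state of
# two upstream gateways. Addresses and interfaces are the ones in Will's
# post; the `ip neigh show` lines near the end are constructed samples.

GW1=10.1.1.254; DEV1=eth1
GW2=10.2.2.254; DEV2=eth2

# neigh_up "<one line of ip neigh show output>"
# Exit 0 when the entry is in a state that shows the gateway answered
# recently (REACHABLE, DELAY, PROBE, STALE); 1 for FAILED/INCOMPLETE,
# a static NOARP/PERMANENT entry (proves nothing) or no entry at all.
neigh_up() {
    case " $1 " in
        *" REACHABLE "*|*" DELAY "*|*" PROBE "*|*" STALE "*) return 0 ;;
        *) return 1 ;;
    esac
}

# gateway_state ADDR [NEIGH_OUTPUT] -> prints "up" or "down".
# NEIGH_OUTPUT is the text of `ip neigh show ADDR`; when it is omitted the
# command is run for real. A missing entry only counts as "down" after an
# explicit ping and a second look, because an idle entry is simply
# garbage-collected (the caveat in the post above).
gateway_state() {
    addr=$1
    if [ $# -ge 2 ]; then out=$2; else out=$(ip neigh show "$addr"); fi
    if neigh_up "$out"; then echo up; return 0; fi
    if [ $# -lt 2 ] && ping -c 3 -W 1 "$addr" >/dev/null 2>&1 \
       && neigh_up "$(ip neigh show "$addr")"; then
        echo up
    else
        echo down
    fi
}

# default_route_cmd STATE1 STATE2 -> prints the ip route command to apply.
# Both gateways down: print nothing and exit 1, so the caller leaves the
# table alone and raises an alarm instead of installing a dead route.
default_route_cmd() {
    case "$1/$2" in
        up/up)   echo "ip route replace default nexthop via $GW1 dev $DEV1 weight 1 nexthop via $GW2 dev $DEV2 weight 1" ;;
        up/down) echo "ip route replace default via $GW1 dev $DEV1" ;;
        down/up) echo "ip route replace default via $GW2 dev $DEV2" ;;
        *)       return 1 ;;
    esac
}

# Constructed sample output in the format `ip neigh show ADDR` prints:
SAMPLE_GW1="10.1.1.254 dev eth1 lladdr 00:11:22:33:44:55 REACHABLE"
SAMPLE_GW2="10.2.2.254 dev eth2  FAILED"

s1=$(gateway_state "$GW1" "$SAMPLE_GW1")   # up
s2=$(gateway_state "$GW2" "$SAMPLE_GW2")   # down
default_route_cmd "$s1" "$s2"              # ip route replace default via 10.1.1.254 dev eth1
```

Run from cron, the real script would call gateway_state with one argument per gateway, compare the result with the state it saved on the previous run, and only evaluate the printed command when the pair of states has changed.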
From: gypsy at iswest.com (gypsy) Date: Fri Sep 15 06:36:32 2006 Subject: [LARTC] tc is giving an error: RTNETLINK answers: File exists References: <1158272090.7705.25.camel@glyph.velotech.net> Message-ID: <450A2DC0.4ABC84FC@iswest.com> fourcentsshy wrote: > > Hello, > > I'm using tc to limit the bandwidth of our wireless customers. I have a > working script, but I'm not happy with it. I'm trying to write a more > sophisticated script, but when I run it, it give me this error: > > RTNETLINK answers: File exists > > I have no idea what this error means or how to fix it. It means pretty much what it says. There is already a record matching closely enough that it is duplicated. > Here is a portion > of the script (the whole script shapes several interfaces): > > IDEV='eth5' > TC='/sbin/tc' > IPS='/etc/sysconfig/shaper/shape.ips' > # high priority destination ports - I'll fill these in later (when this > # thing works) > HIGHPORT= > # low priority destination ports > LOWPORT= > > $TC qdisc add dev $IDEV root handle 1: cbq bandwidth 1600Kbit cell 8\ > avpkt 1000 mpu 64 > $TC class add dev $IDEV parent 1: classid 1:1 est 1sec 8sec cbq\ > bandwidth 1600Kbit rate 1500kbit allot 1514 maxburst 20 avpkt 1000\ > prio 0 bounded isolated > > cat $IPS | sed -e 's/#.*$//; s/^ *$//;' | while read IP RATE STATUS; do > if [ "x$IP" == "x" ]; then > continue > fi > > # I use the last byte of the customer's IP's for the handle, which range > # from 76 to 135 ATM. > > HANDLE="${IP##*.}" > > # I get the error from the next line. Because it fails to create the > # qdisc all the rest fail too. 
> > $TC qdisc add dev $IDEV parent 1:1 handle 1:$HANDLE cbq\ > bandwidth 1600Kbit cell 8 avpkt 1000 mpu 64 > > $TC class add dev $IDEV parent 1:$HANDLE classid $HANDLE:\ > est 1sec 8sec cbq bandwidth 1600Kbit rate ${RATE}kbit allot 1514\ > maxburst 20 avpkt 1000 prio 1 bounded isolated > $TC class add dev $IDEV parent $HANDLE: classid $HANDLE:1\ > est 1sec 8sec cbq bandwidth 1600Kbit rate ${RATE}kbit allot 1514\ > maxburst 20 avpkt 1000 prio 2 > $TC class add dev $IDEV parent $HANDLE: classid $HANDLE:2 est 1sec\ > 8sec cbq bandwidth 1600Kbit rate $[9*$RATE/10]kbit allot 1514\ > maxburst 20 avpkt 1000 prio 3 > $TC class add dev $IDEV parent $HANDLE: classid $HANDLE:3 est 1sec\ > 8sec cbq bandwidth 1600Kbit rate $[8*$RATE/10]kbit allot 1514\ > maxburst 20 avpkt 1000 prio 4 > $TC qdisc add dev $IDEV parent $HANDLE:1 sfq quantum 1514b\ > perturb 15 > $TC qdisc add dev $IDEV parent $HANDLE:2 sfq quantum 1514b\ > perturb 15 > $TC qdisc add dev $IDEV parent $HANDLE:3 sfq quantum 1514b\ > perturb 15 > $TC filter add dev $IDEV parent 1: protocol ip prio 16\ > u32 match ip src $IP flowid $HANDLE: > $TC filter add dev $IDEV parent $HANDLE: protocol ip prio 10\ > u32 match ip tos 0x10 0xff flowid $HANDLE:1 > $TC filter add dev $IDEV parent $HANDLE: protocol ip prio 11\ > u32 match ip protocol 1 0xff flowid $HANDLE:1 > $TC filter add dev $IDEV parent $HANDLE: protocol ip prio 12\ > u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16\ > 0x0000 0xffc0 at 2 flowid $HANDLE:1 > > for a in $HIGHPORT; do > $TC filter add dev $IDEV parent 1:0 protocol ip prio 14\ > u32 match ip dport $a 0xffff flowid $HANDLE:1 > done > for a in $LOWPORT; do > $TC filter add dev $IDEV parent 1:0 protocol ip prio 16\ > u32 match ip dport $a 0xffff flowid $HANDLE:3 > done > $TC filter add dev $IDEV parent 1:0 protocol ip prio 15\ > u32 match ip dst 0.0.0.0/0 flowid $HANDLE:2 > done > > There are bound to other problems with this script, but until I can get > past the current one, I'm dead in 
the water. TIA You do not say which line or lines is causing the error so this is a guess. Run `tc -s filter show dev $IDEV' sending the output to a file because there will be a lot of it. I think you will find a ton of "duplicate" filters. Set prio to the same value (16 or 10 perhaps) for each and every line in your `$TC filter' lines. -- gypsy From gypsy at iswest.com Fri Sep 15 06:40:06 2006 From: gypsy at iswest.com (gypsy) Date: Fri Sep 15 06:40:14 2006 Subject: [LARTC] tc is giving an error: RTNETLINK answers: File exists References: <1158275488.7705.45.camel@glyph.velotech.net> Message-ID: <450A2EA6.B25F7C@iswest.com> fourcentsshy wrote: > Is there a limit to how large the > handle can be? Yes. The handle is in hex, so I _think_ the max is 255. Maybe Stef Coene's web site or a search of this mailing list will give you the RIGHT answer. I hate getting old; I should remember what the max here is. -- gypsy From kaber at trash.net Fri Sep 15 06:50:54 2006 
From: kaber at trash.net (Patrick McHardy) Date: Fri Sep 15 06:51:04 2006 Subject: [LARTC] HFSC traffic loss bug, kernel 2.6.16.24 In-Reply-To: <20060914115235.43060.qmail@web26515.mail.ukl.yahoo.com> References: <20060914115235.43060.qmail@web26515.mail.ukl.yahoo.com> Message-ID: <450A312E.8090900@trash.net> gerald HUET wrote: > hello, > > Could you please explain what a "non-work-conserving qdisc" is and why it doesn't make sense? A non-work-conserving qdisc is a qdisc that limits the total amount of bandwidth by ceasing to hand out packets when some limit is reached. HFSC needs to know the length of the next packet to be sent to calculate the deadline; to get it, it dequeues the inner qdiscs, peeks at the packet and requeues it again. When the inner qdisc is non-work-conserving it might refuse to hand the packet to HFSC and HFSC can not work properly. It does not make sense to do this since HFSC can operate in non-work-conserving mode itself (using upper-limit curves), so there is no need to attach further non-work-conserving qdiscs as leaves. > ----- Original message ---- > From: Patrick McHardy > To: Leo Wetz > Cc: lartc@mailman.ds9a.nl > Sent: Wednesday, 13 September 2006, 4:38:16 > Subject: Re: [LARTC] HFSC traffic loss bug, kernel 2.6.16.24 > > Leo Wetz wrote: > >>Sep 10 17:14:51 router kernel: HFSC: Non-work-conserving qdisc ? >>Sep 10 17:14:56 router kernel: printk: 266 messages suppressed. >>Sep 10 17:14:56 router kernel: HFSC: Non-work-conserving qdisc ? >>Sep 10 17:15:01 router kernel: printk: 259 messages suppressed. >>Sep 10 17:15:01 router kernel: HFSC: Non-work-conserving qdisc ? >>Sep 10 17:15:06 router kernel: printk: 294 messages suppressed. >>Sep 10 17:15:06 router kernel: HFSC: Non-work-conserving qdisc ? > > This is not a bug. You can't attach non-work-conserving qdiscs to > HFSC (and it doesn't make any sense). Just use classes instead > of adding HTB qdiscs. From fourcentsshy at velotech.net Fri Sep 15 21:47:53 2006 
From: fourcentsshy at velotech.net (fourcentsshy)
Date: Fri Sep 15 21:48:23 2006
Subject: [LARTC] tc is giving an error: RTNETLINK answers: File exists
In-Reply-To: <450A2DC0.4ABC84FC@iswest.com>
References: <1158272090.7705.25.camel@glyph.velotech.net> <450A2DC0.4ABC84FC@iswest.com>
Message-ID: <1158349674.7896.34.camel@glyph.velotech.net>

On Thu, 2006-09-14 at 21:36 -0700, gypsy wrote:
> fourcentsshy wrote:
> >
> > Hello,
> >
> > I'm using tc to limit the bandwidth of our wireless customers. I have a working script, but I'm not happy with it. I'm trying to write a more sophisticated script, but when I run it, it gives me this error:
> >
> > RTNETLINK answers: File exists
> >
> > I have no idea what this error means or how to fix it.
>
> It means pretty much what it says. There is already a record matching closely enough that it is duplicated.
>

That is what puzzles me the most. If you look at the script, I create the root qdisc, add a class to it and when I try to add a qdisc to that class on the first iteration in the loop, I get the error right off. The script also deletes all qdiscs, classes and filters before it creates any new ones. On the first iteration of the loop, the handle is 1:76 with its parent 1:1, which should be unique, since it's only the second qdisc created.

As Leigh Sharpe suggested, I had already inserted echo statements into the script so I could examine what was really going on. For this device, the error takes place on the third command. The command sequence takes place like this:

/sbin/tc qdisc add dev eth5 root handle 1: cbq bandwidth 1600Kbit\
    cell 8 avpkt 1000 mpu 64

/sbin/tc class add dev eth5 parent 1: classid 1:1 est 1sec 8sec cbq\
    bandwidth 1600Kbit rate 1500kbit allot 1514 maxburst 20 avpkt 1000\
    prio 0 bounded isolated

/sbin/tc qdisc add dev eth5 parent 1:1 handle 1:76 cbq\
    bandwidth 1600Kbit cell 8 avpkt 1000 mpu 64
RTNETLINK answers: File exists

Like I said, I start by resetting all the devices on the machine, so there is no possible way there can be any existing qdisc with a handle of 1:76 for that device, yet I get the error anyway. The script is set up as a service to be run at startup, so checking the status after running the script for that device, I get this:

[qdisc - eth5]
qdisc cbq 1: rate 1600Kbit (bounded,isolated) prio no-transmit
 Sent 139719 bytes 181 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
  borrowed 0 overactions 0 avgidle 5120 undertime 0
------------------------
[class - eth5]
class cbq 1:11 parent 1:1 leaf 8236: rate 700000bit prio 2
 Sent 13814 bytes 42 pkt (dropped 0, overlimits 0 requeues 0)
 rate 11792bit 4pps backlog 0b 0p requeues 0
  borrowed 0 overactions 0 avgidle 306884 undertime 0
class cbq 1: root rate 100000Kbit (bounded,isolated) prio no-transmit
 Sent 60 bytes 1 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
  borrowed 0 overactions 0 avgidle 81 undertime 0
class cbq 1:10 parent 1:1 leaf 8235: rate 750000bit prio 1
 Sent 6712 bytes 48 pkt (dropped 0, overlimits 0 requeues 0)
 rate 2008bit 2pps backlog 0b 0p requeues 0
  borrowed 0 overactions 0 avgidle 148506 undertime 0
class cbq 1:1 parent 1: rate 800000bit (bounded,isolated) prio no-transmit
 Sent 20526 bytes 90 pkt (dropped 0, overlimits 0 requeues 0)
 rate 13800bit 7pps backlog 0b 0p requeues 0
  borrowed 0 overactions 0 avgidle 57889 undertime 0
class cbq 1:12 parent 1:1 leaf 8237: rate 700000bit prio 3
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
  borrowed 0 overactions 0 avgidle 329838 undertime 0

Maybe I'm blind, but I don't see any qdisc or class with a handle of 1:76. Something else is wrong, but I don't see it.

> > Here is a portion of the script (the whole script shapes several interfaces):
> >
> > IDEV='eth5'
> > TC='/sbin/tc'
> > IPS='/etc/sysconfig/shaper/shape.ips'
> > # high priority destination ports - I'll fill these in later (when this
> > # thing works)
> > HIGHPORT=
> > # low priority destination ports
> > LOWPORT=
> >
> > $TC qdisc add dev $IDEV root handle 1: cbq bandwidth 1600Kbit cell 8\
> >     avpkt 1000 mpu 64
> > $TC class add dev $IDEV parent 1: classid 1:1 est 1sec 8sec cbq\
> >     bandwidth 1600Kbit rate 1500kbit allot 1514 maxburst 20 avpkt 1000\
> >     prio 0 bounded isolated
> >
> > cat $IPS | sed -e 's/#.*$//; s/^ *$//;' | while read IP RATE STATUS; do
> >     if [ "x$IP" == "x" ]; then
> >         continue
> >     fi
> >
> >     # I use the last byte of the customer's IP's for the handle, which range
> >     # from 76 to 135 ATM.
> >
> >     HANDLE="${IP##*.}"
> >
> >     # I get the error from the next line. Because it fails to create the
> >     # qdisc all the rest fail too.
> >
> >     $TC qdisc add dev $IDEV parent 1:1 handle 1:$HANDLE cbq\
> >         bandwidth 1600Kbit cell 8 avpkt 1000 mpu 64
> >
> >     $TC class add dev $IDEV parent 1:$HANDLE classid $HANDLE:\
> >         est 1sec 8sec cbq bandwidth 1600Kbit rate ${RATE}kbit allot 1514\
> >         maxburst 20 avpkt 1000 prio 1 bounded isolated
> >     $TC class add dev $IDEV parent $HANDLE: classid $HANDLE:1\
> >         est 1sec 8sec cbq bandwidth 1600Kbit rate ${RATE}kbit allot 1514\
> >         maxburst 20 avpkt 1000 prio 2
> >     $TC class add dev $IDEV parent $HANDLE: classid $HANDLE:2 est 1sec\
> >         8sec cbq bandwidth 1600Kbit rate $[9*$RATE/10]kbit allot 1514\
> >         maxburst 20 avpkt 1000 prio 3
> >     $TC class add dev $IDEV parent $HANDLE: classid $HANDLE:3 est 1sec\
> >         8sec cbq bandwidth 1600Kbit rate $[8*$RATE/10]kbit allot 1514\
> >         maxburst 20 avpkt 1000 prio 4
> >     $TC qdisc add dev $IDEV parent $HANDLE:1 sfq quantum 1514b\
> >         perturb 15
> >     $TC qdisc add dev $IDEV parent $HANDLE:2 sfq quantum 1514b\
> >         perturb 15
> >     $TC qdisc add dev $IDEV parent $HANDLE:3 sfq quantum 1514b\
> >         perturb 15
> >     $TC filter add dev $IDEV parent 1: protocol ip prio 16\
> >         u32 match ip src $IP flowid $HANDLE:
> >     $TC filter add dev $IDEV parent $HANDLE: protocol ip prio 10\
> >         u32 match ip tos 0x10 0xff flowid $HANDLE:1
> >     $TC filter add dev $IDEV parent $HANDLE: protocol ip prio 11\
> >         u32 match ip protocol 1 0xff flowid $HANDLE:1
> >     $TC filter add dev $IDEV parent $HANDLE: protocol ip prio 12\
> >         u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16\
> >         0x0000 0xffc0 at 2 flowid $HANDLE:1
> >
> >     for a in $HIGHPORT; do
> >         $TC filter add dev $IDEV parent 1:0 protocol ip prio 14\
> >             u32 match ip dport $a 0xffff flowid $HANDLE:1
> >     done
> >     for a in $LOWPORT; do
> >         $TC filter add dev $IDEV parent 1:0 protocol ip prio 16\
> >             u32 match ip dport $a 0xffff flowid $HANDLE:3
> >     done
> >     $TC filter add dev $IDEV parent 1:0 protocol ip prio 15\
> >         u32 match ip dst 0.0.0.0/0 flowid $HANDLE:2
> > done
> >
> > There are bound to other problems with this script, but until I can get past the current one, I'm dead in the water. TIA
>
> You do not say which line or lines is causing the error so this is a guess.

I inserted a comment in the script that points out which command causes the error. It's the first command inside the loop.

> Run `tc -s filter show dev $IDEV' sending the output to a file because there will be a lot of it. I think you will find a ton of "duplicate" filters.

I inserted an exit statement right after the command that gives the error. The script never gets to the statements that create the filters. Checking the status of the service would display the filters along with the qdiscs and classes, but there are none.

> Set prio to the same value (16 or 10 perhaps) for each and every line in your `$TC filter' lines.

If I ever get this script working, I'll do that. ;-)

From bugzilla at sysreset.com Sat Sep 16 03:38:36 2006
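Both the "File exists" thread above and Patrick McHardy's HFSC reply come down to properties of the tc command tree that can be checked before any command reaches the kernel. Two facts the check relies on: a qdisc handle is a 16-bit major number (a class id is major:minor, each half a hex value up to ffff), and tc's handle parser reads the hex digits before the colon and ignores whatever follows it, so `handle 1:76` names the same qdisc as the root's `handle 1:`. The following is an added example, not code from either thread, from iproute2 or from the kernel; the sample command sequences are constructed from the commands quoted in the threads, and the hfsc lines are constructed for the example.

```python
"""Static checks for a tc script, run before the commands reach the kernel.

Added example (not code from the threads above, iproute2 or the kernel).
Check 1, qdisc handle collisions: tc's get_qdisc_handle() reads a qdisc
handle as a hex major number plus an optional ':' and ignores anything
after the colon, so "1:76" is the same handle as the root's "1:"; two
qdiscs with one major on a device is what the kernel rejects with EEXIST
("RTNETLINK answers: File exists").  Check 2, rate-limiting leaves under
hfsc: an htb/tbf/cbq/hfsc qdisc attached below an hfsc qdisc is the
layout Patrick McHardy's reply rules out; use an hfsc class instead.
"""
import re
import shlex

NON_WORK_CONSERVING = {"htb", "tbf", "cbq", "hfsc"}

# Constructed from the three commands quoted in the File-exists thread.
THREAD_SEQUENCE = """\
/sbin/tc qdisc add dev eth5 root handle 1: cbq bandwidth 1600Kbit \\
    cell 8 avpkt 1000 mpu 64
/sbin/tc class add dev eth5 parent 1: classid 1:1 est 1sec 8sec cbq \\
    bandwidth 1600Kbit rate 1500kbit allot 1514 maxburst 20 avpkt 1000 \\
    prio 0 bounded isolated
/sbin/tc qdisc add dev eth5 parent 1:1 handle 1:76 cbq \\
    bandwidth 1600Kbit cell 8 avpkt 1000 mpu 64
"""
FIXED_SEQUENCE = THREAD_SEQUENCE.replace("handle 1:76", "handle 76:")

# Constructed: an htb qdisc hung below an hfsc class (the HFSC thread's
# layout) and the same tree with the limit in the class and an sfq leaf.
HFSC_WITH_HTB_LEAF = """\
tc qdisc add dev eth0 root handle 1: hfsc default 10
tc class add dev eth0 parent 1: classid 1:10 hfsc sc rate 1mbit ul rate 1mbit
tc qdisc add dev eth0 parent 1:10 handle 10: htb default 1
"""
HFSC_WITH_CLASSES = HFSC_WITH_HTB_LEAF.replace("htb default 1", "sfq perturb 10")


def parse_qdisc_handle(text):
    """Major number tc derives from a qdisc handle or parent string.

    Like tc's get_qdisc_handle(): up to four hex digits, an optional ':',
    and anything after the colon is ignored.
    """
    m = re.fullmatch(r"([0-9a-fA-F]{1,4})(?::.*)?", text)
    if not m:
        raise ValueError(f"malformed handle {text!r}")
    return int(m.group(1), 16)


def parse_qdisc_add(argv):
    """(dev, parent, handle, kind) from a `tc qdisc add ...` argument list."""
    opts, kind, i = {}, None, 3
    while i < len(argv):
        if argv[i] in ("dev", "parent", "handle") and i + 1 < len(argv):
            opts[argv[i]] = argv[i + 1]
            i += 2
        elif argv[i] in ("root", "ingress"):
            i += 1
        else:
            kind = argv[i]       # first bare word after the options is the qdisc kind
            break
    return opts.get("dev"), opts.get("parent"), opts.get("handle"), kind


def lint(script):
    """Return one message per `tc qdisc add` that fails one of the two checks."""
    joined = re.sub(r"\\\n", " ", script)      # join backslash-continued lines
    kinds = {}                                  # dev -> {major: (kind, command)}
    problems = []
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        argv = shlex.split(line)
        if len(argv) < 3 or argv[1:3] != ["qdisc", "add"]:
            continue
        if not (argv[0].endswith("tc") or argv[0] == "$TC"):
            continue
        dev, parent, handle, kind = parse_qdisc_add(argv)
        if dev is None or kind is None:
            continue
        known = kinds.setdefault(dev, {})
        if parent is not None and kind in NON_WORK_CONSERVING:
            try:                     # the parent's major names the parent qdisc
                pkind = known.get(parse_qdisc_handle(parent), (None,))[0]
            except ValueError:       # parent held in a shell variable: unknown
                pkind = None
            if pkind == "hfsc":
                problems.append(f"{dev}: {kind} under hfsc parent {parent}: "
                                f"use an hfsc class instead ({line})")
        if handle is None:
            continue                 # kernel allocates a free major itself
        major = parse_qdisc_handle(handle)
        if major in known:
            problems.append(f"{dev}: handle {handle!r} is major {major:x}:, "
                            f"already used by: {known[major][1]}")
        else:
            known[major] = (kind, line)
    return problems
```

Running `lint(THREAD_SEQUENCE)` reports the third command as reusing major 1, `lint(FIXED_SEQUENCE)` reports nothing, and the two hfsc trees behave the same way: the htb leaf is flagged, the sfq leaf under a class with an `ul` curve is not. The handle check is deliberately applied only to `qdisc add` lines with an explicit handle; a qdisc added without one is given a free major by the kernel.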
From: bugzilla at sysreset.com (Bugzilla-Redirect)
Date: Sat Sep 16 03:38:47 2006
Subject: [LARTC] Re: htb traffic shaping problem
In-Reply-To: <20060914223226.1183944E0@outpost.ds9a.nl>
References: <20060914223226.1183944E0@outpost.ds9a.nl>
Message-ID: <6.2.0.14.2.20060915193530.02eaf330@linux.sysreset.com>

Yes, the output is below:

eth0      Link encap:Ethernet  HWaddr 00:11:09:2A:A6:F6
          inet addr:10.0.0.50  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4244867 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1306632 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3898905509 (3.6 GiB)  TX bytes:1756030081 (1.6 GiB)
          Interrupt:19

And from ethtool:

Settings for eth0:
        Supported ports: [ MII ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Advertised auto-negotiation: Yes
        Speed: 1000Mb/s
        Duplex: Full
        Port: MII
        PHYAD: 1
        Transceiver: external
        Auto-negotiation: on
        Supports Wake-on: g
        Wake-on: d
        Link detected: yes

Thanks.
-Ryan Power

At 04:32 PM 9/14/2006, you wrote:
> Hi,
>
> could you check the mtu set on eth0 with an ifconfig?
> I tried my own setup and it works fine...
>
> Regards,
>
> Eric Janz
> Departamento de Sistemas
> Grupo Barceló Viajes

From mingching.tiew at redtone.com Sat Sep 16 14:21:41 2006
From: mingching.tiew at redtone.com (Ming-Ching Tiew)
Date: Sat Sep 16 14:19:26 2006
Subject: [LARTC] Traffic Control in a bridge
Message-ID: <001601c6d98a$aa914840$02bca8c0@freelance>

Normally when we talk about traffic control, we are talking about doing traffic control (tc) using a router, ie packets come into an interface and, based on routing, they go out to somewhere else.

However I have a box with two interfaces, eth0 and eth1, added to a bridge br0 and I would like to perform traffic control via the two interfaces. Is that supposed to work the same as the router counterpart, ie traffic control is transparent to routing and bridging?

From william.bohannan at spidersat.net Sat Sep 16 15:38:41 2006
From: william.bohannan at spidersat.net (William Bohannan)
Date: Sat Sep 16 15:39:17 2006
Subject: [LARTC] process id with firewall and tc
Message-ID: <000e01c6d995$72bf4510$fa010a0a@william>

Not sure this is the correct place to post this but I am looking to have status of the firewall and traffic control (active, disabled, stopped etc) on a webpage controlled via something like pid as the machine has many things running on it, like firewall, traffic control, data collection for graphing the traffic flows, as well as other services like squid etc. Any ideas would be most helpful.

Kind Regards
William

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060916/1daa944a/attachment.html

From simonl at parknet.dk Sat Sep 16 16:17:17 2006
From: simonl at parknet.dk (Simon Lodal)
Date: Sat Sep 16 16:17:21 2006
Subject: [LARTC] process id with firewall and tc
In-Reply-To: <000e01c6d995$72bf4510$fa010a0a@william>
References: <000e01c6d995$72bf4510$fa010a0a@william>
Message-ID: <200609161617.17131.simonl@parknet.dk>

Routing, firewalling and shaping run in kernel and have no pid. Instead you can get/set /proc flags, and check for the presence of certain data structures.

/proc/sys/net/ipv4/ip_forward is the routing master switch. If 0, the machine forwards nothing. You can both set and get the value, should be relatively easy from a web page. Beware that setting it to 1 may reset other /proc keys to default values.

For iptables firewalling you probably need to check if your rules are loaded or not, a script parsing 'iptables -nL' output could do it. Or you could use a condition match "enabled" in the beginning of each table, and drop all traffic if the condition is false. The /proc/net/ipt_condition/enabled value can then be read and set as a master switch from the web page.

Shaping has no /proc files, and no way to create a master switch, so you need a script that parses 'tc qdisc show dev eth0' or 'tc class show dev eth0' output.

Regards,
Simon

On Saturday 16 September 2006 15:38, William Bohannan wrote:
> Not sure this is the correct place to post this but I am looking to have status of the firewall and traffic control (active, disabled, stopped etc) on a webpage controlled via something like pid as the machine has many things running on it, like firewall, traffic control, data collection for graphing the traffic flows, as well as other services like squid etc. Any ideas would be most helpful.
>
> Kind Regards
>
> William

From smohan at gmail.com Sat Sep 16 16:34:39 2006
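Simon's reply above names what to look at instead of a pid. The following is an added example, not code from the list or from any project, that turns those three checks into a small status probe a web page could call. The `iptables -nL` and `tc qdisc show` outputs below are constructed samples; `live_status()` runs the real commands, which means root for iptables. One assumption is spelled out in `shaping_active()`: a root qdisc the kernel created by itself reports handle 0:, while anything installed with tc carries the handle it was given or a non-zero kernel-chosen one.

```python
"""Status of routing, firewalling and shaping on a box where none has a pid.

Added example (not the list's or any project's code): parsers for the
three artefacts Simon Lodal's reply points at, run on captured text so
that the constructed samples below stand in for the live commands.
"""
import re
import subprocess

# Constructed sample outputs, not captured from the machine in the thread.
SAMPLE_TC_SHAPED = """\
qdisc htb 1: root r2q 10 default 20 direct_packets_stat 5
qdisc sfq 10: parent 1:10 limit 128p quantum 1514b perturb 10sec
qdisc sfq 20: parent 1:20 limit 128p quantum 1514b perturb 10sec
"""
SAMPLE_TC_DEFAULT = (
    "qdisc pfifo_fast 0: root bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1\n")
SAMPLE_IPTABLES = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  10.0.0.0/24          0.0.0.0/0           tcp dpt:22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""


def forwarding_enabled(sysctl_text):
    """Content of /proc/sys/net/ipv4/ip_forward: "1" means the box routes."""
    return sysctl_text.strip() == "1"


def firewall_chains(iptables_text):
    """Parse `iptables -nL` into {chain: {"policy": str or None, "rules": int}}."""
    chains, current = {}, None
    for line in iptables_text.splitlines():
        head = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)\)", line)
        if head:
            current = head.group(1)
            chains[current] = {"policy": head.group(2), "rules": 0}
        elif current and line.strip() and not line.startswith("target"):
            chains[current]["rules"] += 1      # every non-header line is a rule
    return chains


def firewall_loaded(iptables_text):
    """True when at least one chain carries a rule; an empty ruleset means
    iptables is unconfigured or was flushed."""
    return any(c["rules"] for c in firewall_chains(iptables_text).values())


def root_qdisc(tc_text):
    """(kind, major) of the root qdisc in `tc qdisc show dev X` output, or None."""
    for line in tc_text.splitlines():
        m = re.match(r"qdisc (\S+) ([0-9a-fA-F]+):(?: dev \S+)? root\b", line)
        if m:
            return m.group(1), int(m.group(2), 16)
    return None


def shaping_active(tc_text):
    """Assumption: a root qdisc installed with tc has a non-zero handle, the
    kernel's built-in default root shows up as handle 0:."""
    root = root_qdisc(tc_text)
    return root is not None and root[1] != 0


def status(sysctl_text, iptables_text, tc_text):
    """One dict a web page can render; every value is derived from the texts."""
    root = root_qdisc(tc_text)
    return {
        "routing": forwarding_enabled(sysctl_text),
        "firewall": firewall_loaded(iptables_text),
        "shaping": shaping_active(tc_text),
        "root_qdisc": root[0] if root else None,
    }


def live_status(dev="eth0"):
    """Run the real commands (root needed for iptables) and feed status()."""
    with open("/proc/sys/net/ipv4/ip_forward") as f:
        forward = f.read()
    ipt = subprocess.run(["iptables", "-nL"], capture_output=True, text=True).stdout
    tcq = subprocess.run(["tc", "qdisc", "show", "dev", dev],
                         capture_output=True, text=True).stdout
    return status(forward, ipt, tcq)


if __name__ == "__main__":
    print(status("1\n", SAMPLE_IPTABLES, SAMPLE_TC_SHAPED))
    print(status("0\n", "", SAMPLE_TC_DEFAULT))
```

The firewall check counts rules rather than testing for the ipt_condition switch Simon also mentions, because it works on any iptables build; if the condition match is available, reading /proc/net/ipt_condition/enabled is a one-line replacement for `firewall_loaded()`.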
From: smohan at gmail.com (Mohan Sundaram)
Date: Sat Sep 16 16:35:44 2006
Subject: [LARTC] Traffic Control in a bridge
In-Reply-To: <001601c6d98a$aa914840$02bca8c0@freelance>
References: <001601c6d98a$aa914840$02bca8c0@freelance>
Message-ID: <450C0B7F.1080108@vsnl.com>

Ming-Ching Tiew wrote:
> Normally when we talk about traffic control, we are talking about doing traffic control (tc) using a router, ie packets into an interface and based on routing, they goes out to somewhere else.
>
> However I have a box with two interfaces, eth0 and eth1 added to a bridge br0 and I would like to perform traffic control via the two interfaces. Is that supposed to work the same as the router counterpart, ie traffic control is transparent to routing and bridging ?
>

Eminently feasible. This link should help.
http://leaf.sourceforge.net/doc/guide/buhtb-qos.html

Mohan

From smohan at gmail.com Sat Sep 16 16:39:17 2006
From: smohan at gmail.com (Mohan Sundaram)
Date: Sat Sep 16 16:39:53 2006
Subject: [LARTC] Traffic Control in a bridge
In-Reply-To: <450C0B7F.1080108@vsnl.com>
References: <001601c6d98a$aa914840$02bca8c0@freelance> <450C0B7F.1080108@vsnl.com>
Message-ID: <450C0C95.3070004@vsnl.com>

Mohan Sundaram wrote:
> Ming-Ching Tiew wrote:
>> Normally when we talk about traffic control, we are talking about doing traffic control (tc) using a router, ie packets into an interface and based on routing, they goes out to somewhere else.
>>
>> However I have a box with two interfaces, eth0 and eth1 added to a bridge br0 and I would like to perform traffic control via the two interfaces. Is that supposed to work the same as the router counterpart, ie traffic control is transparent to routing and bridging ?
> Eminently feasible. This link should help.
> http://leaf.sourceforge.net/doc/guide/buhtb-qos.html
>
> Mohan
>

Looks like the page has moved to the link below
http://www.leaf-project.org/doc/bk04ch22.html

Mohan

From gypsy at iswest.com Sat Sep 16 18:14:16 2006
From: gypsy at iswest.com (gypsy)
Date: Sat Sep 16 18:14:26 2006
Subject: [LARTC] tc is giving an error: RTNETLINK answers: File exists
References: <1158272090.7705.25.camel@glyph.velotech.net> <450A2DC0.4ABC84FC@iswest.com> <1158349674.7896.34.camel@glyph.velotech.net>
Message-ID: <450C22D8.BAABF53C@iswest.com>

fourcentsshy wrote:
> the script so I could examine what was really going on. For this device, the error takes place on the third command. the command sequence take place like this:
>
> /sbin/tc qdisc add dev eth5 root handle 1: cbq bandwidth 1600Kbit\
>     cell 8 avpkt 1000 mpu 64
>
> /sbin/tc class add dev eth5 parent 1: classid 1:1 est 1sec 8sec cbq\
>     bandwidth 1600Kbit rate 1500kbit allot 1514 maxburst 20 avpkt 1000\
>     prio 0 bounded isolated
>
> /sbin/tc qdisc add dev eth5 parent 1:1 handle 1:76 cbq\
>     bandwidth 1600Kbit cell 8 avpkt 1000 mpu 64

This says to me "cell", not "ceil". That's a mistake.

> RTNETLINK answers: File exists
>
> Like I said, I start by resetting all the devices on the machine, so there is no possible way there can be any existing qdisc with a handle of 1:76 for that device, yet I get the error anyway. The script is setup as a service to be run at startup, so checking the status after running the script for that device, I get this:

==--snip--==

> error. The script never gets to the statements that creates the filters. Checking the status of the service would display the filters along with the qdiscs and classes, but there are none.
>
> > Set prio to the same value (16 or 10 perhaps) for each and every line in your `$TC filter' lines.
>
> If I ever get this script working, I'll do that. ;-)

One more thing. You can send your commands to a database (mysql or whatever). Once disallowing duplicate records and again allowing dups. The difference is the Bad Boy.

I use HTB not CBQ but I still think the parameter is "ceil" not "cell" and fixing that will help or solve.
--
gypsy

From gypsy at iswest.com Sat Sep 16 18:20:48 2006
From: gypsy at iswest.com (gypsy)
Date: Sat Sep 16 18:20:56 2006
Subject: [LARTC] Re: htb traffic shaping problem
References: <20060914223226.1183944E0@outpost.ds9a.nl> <6.2.0.14.2.20060915193530.02eaf330@linux.sysreset.com>
Message-ID: <450C2460.44BAF0E5@iswest.com>

Bugzilla-Redirect wrote:
>
> Yes, the output is below:
> eth0      Link encap:Ethernet  HWaddr 00:11:09:2A:A6:F6
>           inet addr:10.0.0.50  Bcast:10.0.0.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:4244867 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1306632 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:3898905509 (3.6 GiB)  TX bytes:1756030081 (1.6 GiB)
>           Interrupt:19

Try a "quantum 1514" then; that is correct for an ethernet device with an MTU of 1500. Perhaps reading the source code will give a clue about MPU and MTU? Frankly, I'd set it to whatever works as long as the rest of the status info looks right and not give a damn that it is huge.

--
gypsy

From william.bohannan at spidersat.net Sat Sep 16 20:08:27 2006
From: william.bohannan at spidersat.net (William Bohannan)
Date: Sat Sep 16 20:09:02 2006
Subject: [LARTC] process id with firewall and tc
In-Reply-To: <200609161617.17131.simonl@parknet.dk>
Message-ID: <004101c6d9bb$233d4ed0$fa010a0a@william>

Thanks Simon. That helps out heaps. Going to use what you said and use monit.

Kind Regards
William

-----Original Message-----
From: Simon Lodal [mailto:simonl@parknet.dk]
Sent: 16 September 2006 14:17
To: lartc@mailman.ds9a.nl
Cc: William Bohannan
Subject: Re: [LARTC] process id with firewall and tc

Routing, firewalling and shaping run in kernel and has no pid. Instead you can get/set /proc flags, and check for the presence of certain data structures.

/proc/sys/net/ipv4/ip_forward is the routing master switch. If 0, the machine forwards nothing. You can both set and get the value, should be relatively easy from a web page. Beware that setting it to 1 may reset other /proc keys to default values.

For iptables firewalling you probably need to check if your rules are loaded or not, a script parsing 'iptables -nL' output could do it. Or you could use a condition match "enabled" in the beginning of each table, and drop all traffic if the condition is false. The /proc/net/ipt_condition/enabled value can then be read and set as a master switch from the web page.

Shaping has no /proc files, and no way to create a master switch, so you need a script that parses 'tc qdisc show dev eth0' or 'tc class show dev eth0' output.

Regards,
Simon

On Saturday 16 September 2006 15:38, William Bohannan wrote:
> Not sure this is the correct place to post this but I am looking to have status of the firewall and traffic control (active, disabled, stopped etc) on a webpage controlled via something like pid as the machine has many things running on it, like firewall, traffic control, data collection for graphing the traffic flows, as well as other services like squid etc. Any ideas would be most helpful.
>
> Kind Regards
>
> William

From alex at zoomnet.ro Sat Sep 16 20:39:19 2006
From: alex at zoomnet.ro (Alexandru Dragoi)
Date: Sat Sep 16 20:39:25 2006
Subject: [LARTC] Performance problem on a linux bridge used for shaping.
Message-ID: <450C44D7.5090301@zoomnet.ro>

Hello,

Here is the situation. There is a machine with 3 intel gigabit cards, 2 of them on PCI-X and in bridge, the 3rd is used only for management access. The machine is a dual Xeon 2.8GHz with HT. With 2.6.8 kernel from debian (testing) and htb with u32 on, I usually get about 30-40% software interrupts on CPU0 and CPU2, and without htb and u32, 10% less. Now, if I boot with 2.6.17.9 kernel, first all irqs are on the same CPU. I managed with smp_affinity to "move" the irq of one card to a different CPU. In these circumstances, I have about 20% or a little less soft interrupts on each CPU without shaping, but about 60-70% of soft interrupts with shaping, and sometimes there is packet loss, also dropped packets are shown on ifconfig. The htb script is the same. I have u32 performance counters enabled on u32 in 2.6.17.9. I also have NAPI, of course. I can't think of anything else that can cause the problem, but it seems to be something in the kernel.

Here is the output of lspci:

# lspci
0000:00:00.0 Host bridge: Intel Corporation E7320 Memory Controller Hub (rev 0a)
0000:00:00.1 ff00: Intel Corporation E7320 Error Reporting Registers (rev 0a)
0000:00:02.0 PCI bridge: Intel Corporation E7525/E7520/E7320 PCI Express Port A (rev 0a)
0000:00:03.0 PCI bridge: Intel Corporation E7525/E7520/E7320 PCI Express Port A1 (rev 0a)
0000:00:1c.0 PCI bridge: Intel Corporation 6300ESB 64-bit PCI-X Bridge (rev 02)
0000:00:1d.0 USB Controller: Intel Corporation 6300ESB USB Universal Host Controller (rev 02)
0000:00:1d.1 USB Controller: Intel Corporation 6300ESB USB Universal Host Controller (rev 02)
0000:00:1d.4 System peripheral: Intel Corporation 6300ESB Watchdog Timer (rev 02)
0000:00:1d.5 PIC: Intel Corporation 6300ESB I/O Advanced Programmable Interrupt Controller (rev 02)
0000:00:1d.7 USB Controller: Intel Corporation 6300ESB USB2 Enhanced Host Controller (rev 02)
0000:00:1e.0 PCI bridge: Intel Corporation 82801 PCI Bridge (rev 0a)
0000:00:1f.0 ISA bridge: Intel Corporation 6300ESB LPC Interface Controller (rev 02)
0000:00:1f.2 IDE interface: Intel Corporation 6300ESB SATA Storage Controller (rev 02)
0000:00:1f.3 SMBus: Intel Corporation 6300ESB SMBus Controller (rev 02)
0000:03:02.0 Ethernet controller: Intel Corporation 82544EI Gigabit Ethernet Controller (Copper) (rev 02)
0000:03:03.0 Ethernet controller: Intel Corporation 82544EI Gigabit Ethernet Controller (Copper) (rev 02)
0000:04:02.0 VGA compatible controller: ATI Technologies Inc Rage XL (rev 27)
0000:04:03.0 Ethernet controller: Intel Corporation 82541GI Gigabit Ethernet Controller (rev 05)

The traffic is somewhere at 40kpps of traffic and 120mbit up, 120mbit/down. Suggestions about better hardware and kernel, or links with docs about these are really welcomed.

Bye

From acid_burn at x-privat.org Sat Sep 16 22:57:52 2006
From: acid_burn at x-privat.org (Gianluca "acid_burn" D'Andrea)
Date: Sat Sep 16 22:58:10 2006
Subject: [LARTC] Wondershaper Errors
Message-ID: <450C6550.2020101@x-privat.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all!

when I activate wondershaper on my dsl connection (pppoa vc mux), I get three errors:

# sh -x /usr/sbin/wshaper ppp0
+ /usr/sbin/xmlstarter setenv tc_downlink
+ DOWNLINK=
+ /usr/sbin/xmlstarter setenv tc_uplink
+ UPLINK=
+ [ -z ]
+ cat /proc/avalanche/avsar_modem_stats
+ grep Connection Rate
+ awk {printf("%d", $8)}
+ DOWNLINK=1504
+ [ -z ]
+ cat /proc/avalanche/avsar_modem_stats
+ grep Connection Rate
+ awk {printf("%d", $4)}
+ UPLINK=320
+ DEV=ppp0
+ /usr/sbin/xmlstarter setenv tc_hipriohostsrc
+ HIPRIOHOSTSRC=
+ /usr/sbin/xmlstarter setenv tc_hipriohostdst
+ HIPRIOHOSTDST=
+ /usr/sbin/xmlstarter setenv tc_hiprioportsrc
+ HIPRIOPORTSRC=
+ /usr/sbin/xmlstarter setenv tc_hiprioportdst
+ HIPRIOPORTDST=
+ /usr/sbin/xmlstarter setenv tc_nopriohostsrc
+ NOPRIOHOSTSRC=
+ /usr/sbin/xmlstarter setenv tc_nopriohostdst
+ NOPRIOHOSTDST=
+ /usr/sbin/xmlstarter setenv tc_noprioportsrc
+ NOPRIOPORTSRC=
+ /usr/sbin/xmlstarter setenv tc_noprioportdst
+ NOPRIOPORTDST=
+ [ ppp0 = status ]
+ [ ppp0 = stop ]
+ tc qdisc del dev ppp0 root
+ tc qdisc del dev ppp0 ingress
+ tc qdisc add dev ppp0 root handle 1: htb default 20
+ tc class add dev ppp0 parent 1: classid 1:1 htb rate 320kbit burst 6k
+ tc class add dev ppp0 parent 1:1 classid 1:10 htb rate 320kbit burst 6k prio 1
+ tc class add dev ppp0 parent 1:1 classid 1:20 htb rate 288kbit burst 6k prio 2
+ tc class add dev ppp0 parent 1:1 classid 1:30 htb rate 256kbit burst 6k prio 2
+ tc qdisc add dev ppp0 parent 1:10 handle 10: sfq perturb 10
RTNETLINK answers: Invalid argument <----- 1'st error ------
+ tc qdisc add dev ppp0 parent 1:20 handle 20: sfq perturb 10
RTNETLINK answers: Invalid argument <----- 2'nd error ------
+ tc qdisc add dev ppp0 parent 1:30 handle 30: sfq perturb 10
RTNETLINK answers: Invalid argument <----- 3'rd error ------
+ tc filter add dev ppp0 parent 1:0 protocol ip prio 10 u32 match ip tos 0x10 0xff flowid 1:10
+ tc filter add dev ppp0 parent 1:0 protocol ip prio 10 u32 match ip protocol 1 0xff flowid 1:10
+ tc filter add dev ppp0 parent 1: protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:10
+ tc filter add dev ppp0 parent 1: protocol ip prio 18 u32 match ip dst 0.0.0.0/0 flowid 1:20
+ tc qdisc add dev ppp0 handle ffff: ingress
+ tc filter add dev ppp0 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 1504kbit burst 10k drop flowid :1

why?

thanks in advance

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFFDGVPGiBkJr7gM94RAhcMAJ91kpFDlj8vGYtIauglJSoNDSq7YACfUGJ5
A82gL7g8xWxroSI2ohne4+g=
=J9nc
-----END PGP SIGNATURE-----

From simonl at parknet.dk Sat Sep 16 23:17:41 2006
From: simonl at parknet.dk (Simon Lodal)
Date: Sat Sep 16 23:17:48 2006
Subject: [LARTC] Performance problem on a linux bridge used for shaping.
In-Reply-To: <450C44D7.5090301@zoomnet.ro>
References: <450C44D7.5090301@zoomnet.ro>
Message-ID: <200609162317.41872.simonl@parknet.dk>

I have similar hardware, load and trouble.

Interrupts are only sent to one cpu, instead of all of them, because that was only overhead. I think the default was changed somewhere around 2.6.10 or .12, but I have forgotten the url.

There is a CONFIG_IRQBALANCE option in the kernel, but last time I checked (2.6.16) it did not work very well; almost never does anything. So I have turned it off. I use the userspace irqbalance daemon that periodically sets the smp_affinity's, with the effect that ingoing and outgoing traffic are handled by each their cpu (assuming that no other interrupts or processes are significant). That helps some. But we only shape in one direction, and it can not help spread the shaping load between the CPU's.

There is also an acpi_irq_balance kernel parameter (not related to the kernel irq balancer), which apparently uses the APIC to do interrupt round-robin. It worked surprisingly well (perfect, actually) on an old dual celeron that I tested; the network interrupts are spread nicely and evenly across the cpu's. It is probably very chipset dependent, and I have not yet tested it on the firewalls.

But as I understand from this:
http://vger.kernel.org/~davem/cgi-bin/blog.cgi/2006/09/14#netconf2006_day2
it might not even be an advantage, since the current shaping code would just make the cpu's step on each others toes.

Regards,
Simon

On Saturday 16 September 2006 20:39, Alexandru Dragoi wrote:
> Hello,
>
> Here is the situation. There is a machine with 3 intel gigabit cards, 2 of them on PCI-X and in bridge, the 3rd is used only for management access. The machine is a dual Xeon 2.8GHz with HT. With 2.6.8 kernel from debian (testing) and htb with u32 on, I usually get about 30-40% software interrupts on CPU0 and CPU2, and without htb and u32, 10% less. Now, if I boot with 2.6.17.9 kernel, first all irqs are on the same CPU. I managed with smp_affinity to "move" the irq of one card to a different CPU. In these circumstances, I have about 20% or a little less soft interrupts on each CPU without shaping, but about 60-70% of soft interrupts with shaping, and sometimes there is packet loss, also dropped packets are shown on ifconfig. The htb script is the same. I have u32 performance counters enabled on u32 in 2.6.17.9. I also have NAPI, of course. I can't think of anything else that can cause the problem, but it seems to be something in the kernel. Here is the output of lspci:
>
> # lspci
> 0000:00:00.0 Host bridge: Intel Corporation E7320 Memory Controller Hub (rev 0a)
> 0000:00:00.1 ff00: Intel Corporation E7320 Error Reporting Registers (rev 0a)
> 0000:00:02.0 PCI bridge: Intel Corporation E7525/E7520/E7320 PCI Express Port A (rev 0a)
> 0000:00:03.0 PCI bridge: Intel Corporation E7525/E7520/E7320 PCI Express Port A1 (rev 0a)
> 0000:00:1c.0 PCI bridge: Intel Corporation 6300ESB 64-bit PCI-X Bridge (rev 02)
> 0000:00:1d.0 USB Controller: Intel Corporation 6300ESB USB Universal Host Controller (rev 02)
> 0000:00:1d.1 USB Controller: Intel Corporation 6300ESB USB Universal Host Controller (rev 02)
> 0000:00:1d.4 System peripheral: Intel Corporation 6300ESB Watchdog Timer (rev 02)
> 0000:00:1d.5 PIC: Intel Corporation 6300ESB I/O Advanced Programmable Interrupt Controller (rev 02)
> 0000:00:1d.7 USB Controller: Intel Corporation 6300ESB USB2 Enhanced Host Controller (rev 02)
> 0000:00:1e.0 PCI bridge: Intel Corporation 82801 PCI Bridge (rev 0a)
> 0000:00:1f.0 ISA bridge: Intel Corporation 6300ESB LPC Interface Controller (rev 02)
> 0000:00:1f.2 IDE interface: Intel Corporation 6300ESB SATA Storage Controller (rev 02)
> 0000:00:1f.3 SMBus: Intel Corporation 6300ESB SMBus Controller (rev 02)
> 0000:03:02.0 Ethernet controller: Intel Corporation 82544EI Gigabit Ethernet Controller (Copper) (rev 02)
> 0000:03:03.0 Ethernet controller: Intel Corporation 82544EI Gigabit Ethernet Controller (Copper) (rev 02)
> 0000:04:02.0 VGA compatible controller: ATI Technologies Inc Rage XL (rev 27)
> 0000:04:03.0 Ethernet controller: Intel Corporation 82541GI Gigabit Ethernet Controller (rev 05)
>
> The traffic is somewhere at 40kpps of traffic and 120mbit up, 120mbit/down. Suggestions about better hardware and kernel, or links with docs about these are really welcomed.
>
> Bye
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From gypsy at iswest.com Sun Sep 17 05:55:21 2006
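The manual step Alexandru describes, pinning one card's interrupt to another CPU through smp_affinity, is easy to get wrong by hand because the mask is hexadecimal with one bit per CPU. The following is an added example, not Simon's or Alexandru's code and not the irqbalance daemon, that parses /proc/interrupts, finds the IRQs of the named interfaces, and produces one mask per IRQ, round-robin over the CPUs you name. The /proc/interrupts excerpt is constructed; `apply_plan()` writes the masks and needs root, everything else runs on the sample.

```python
"""Where NIC interrupts land, and smp_affinity masks that spread them.

Added example for the IRQ discussion in this thread (not Simon Lodal's or
Alexandru Dragoi's code, and not the irqbalance daemon).  It reads the
/proc/interrupts table, picks the IRQ rows that belong to the named
interfaces, and builds the hex masks that /proc/irq/<n>/smp_affinity takes.
"""

# Constructed /proc/interrupts excerpt: a 4-way box whose NIC interrupts
# are all being serviced by CPU0, the situation the thread starts from.
SAMPLE_INTERRUPTS = """\
           CPU0       CPU1       CPU2       CPU3
  0:    1234567          0          0          0   IO-APIC-edge  timer
 16:   98765432          0          0          0   IO-APIC-level  eth0
 17:   45678901          0          0          0   IO-APIC-level  eth1
 20:      12345          0          0          0   IO-APIC-level  eth2
NMI:          0          0          0          0
LOC:    1234567    1234560    1234570    1234565
ERR:          0
"""


def parse_interrupts(text):
    """Return {row_label: (counts_per_cpu, description)} from /proc/interrupts."""
    lines = text.splitlines()
    ncpu = len(lines[0].split())              # header row names the CPU columns
    table = {}
    for line in lines[1:]:
        label, _, rest = line.partition(":")
        fields = rest.split()
        counts = [int(x) for x in fields[:ncpu] if x.isdigit()]
        table[label.strip()] = (counts, " ".join(fields[len(counts):]))
    return table


def nic_irqs(table, interfaces):
    """Map interface -> [IRQ numbers]; MSI-X queues appear as "eth0-TxRx-0"."""
    found = {dev: [] for dev in interfaces}
    for label, (_, desc) in table.items():
        if not label.isdigit():               # NMI, LOC, ERR rows carry no IRQ
            continue
        for token in desc.split():
            for dev in interfaces:
                if token == dev or token.startswith(dev + "-"):
                    found[dev].append(int(label))
    return found


def affinity_mask(cpus):
    """Hex bitmask for /proc/irq/<n>/smp_affinity: bit i set means CPU i allowed."""
    return format(sum(1 << c for c in cpus), "x")


def hottest_cpu(counts):
    """Index of the CPU that has serviced this IRQ most so far."""
    return max(range(len(counts)), key=counts.__getitem__)


def plan_affinity(table, interfaces, cpus):
    """One CPU per NIC IRQ, round-robin over `cpus`, in interface order."""
    by_dev = nic_irqs(table, interfaces)
    irqs = [irq for dev in interfaces for irq in by_dev[dev]]
    return {irq: affinity_mask([cpus[i % len(cpus)]]) for i, irq in enumerate(irqs)}


def apply_plan(plan):
    """Write the masks; needs root and a kernel that honours smp_affinity."""
    for irq, mask in plan.items():
        with open(f"/proc/irq/{irq}/smp_affinity", "w") as f:
            f.write(mask)


if __name__ == "__main__":
    table = parse_interrupts(SAMPLE_INTERRUPTS)
    for dev, irqs in nic_irqs(table, ["eth0", "eth1"]).items():
        for irq in irqs:
            print(dev, "irq", irq, "served mostly by CPU", hottest_cpu(table[str(irq)][0]))
    print(plan_affinity(table, ["eth0", "eth1"], [1, 2]))
```

On the sample, eth0's IRQ 16 and eth1's IRQ 17 both show all their counts on CPU0; the plan for CPUs 1 and 2 yields masks "2" and "4". To see the effect, run `parse_interrupts()` on a fresh read of /proc/interrupts a few seconds after `apply_plan()` and compare `hottest_cpu()` per IRQ.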
From: gypsy at iswest.com (gypsy)
Date: Sun Sep 17 05:55:30 2006
Subject: [LARTC] Wondershaper Errors
References: <450C6550.2020101@x-privat.org>
Message-ID: <450CC729.E332C12F@iswest.com>

Gianluca "acid_burn" D'Andrea wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi all!
>
> when I activate wondershaper on my dsl connection (pppoa vc mux), i get three errors:
>
> # sh -x /usr/sbin/wshaper ppp0
> + /usr/sbin/xmlstarter setenv tc_downlink
> + DOWNLINK=
> + /usr/sbin/xmlstarter setenv tc_uplink
> + UPLINK=
> + [ -z ]
> + cat /proc/avalanche/avsar_modem_stats
> + grep Connection Rate
> + awk {printf("%d", $8)}
> + DOWNLINK=1504
> + [ -z ]
> + cat /proc/avalanche/avsar_modem_stats
> + grep Connection Rate
> + awk {printf("%d", $4)}
> + UPLINK=320
> + DEV=ppp0
> + /usr/sbin/xmlstarter setenv tc_hipriohostsrc
> + HIPRIOHOSTSRC=
> + /usr/sbin/xmlstarter setenv tc_hipriohostdst
> + HIPRIOHOSTDST=
> + /usr/sbin/xmlstarter setenv tc_hiprioportsrc
> + HIPRIOPORTSRC=
> + /usr/sbin/xmlstarter setenv tc_hiprioportdst
> + HIPRIOPORTDST=
> + /usr/sbin/xmlstarter setenv tc_nopriohostsrc
> + NOPRIOHOSTSRC=
> + /usr/sbin/xmlstarter setenv tc_nopriohostdst
> + NOPRIOHOSTDST=
> + /usr/sbin/xmlstarter setenv tc_noprioportsrc
> + NOPRIOPORTSRC=
> + /usr/sbin/xmlstarter setenv tc_noprioportdst
> + NOPRIOPORTDST=
> + [ ppp0 = status ]
> + [ ppp0 = stop ]
> + tc qdisc del dev ppp0 root
> + tc qdisc del dev ppp0 ingress
> + tc qdisc add dev ppp0 root handle 1: htb default 20
> + tc class add dev ppp0 parent 1: classid 1:1 htb rate 320kbit burst 6k
> + tc class add dev ppp0 parent 1:1 classid 1:10 htb rate 320kbit burst 6k prio 1
> + tc class add dev ppp0 parent 1:1 classid 1:20 htb rate 288kbit burst 6k prio 2
> + tc class add dev ppp0 parent 1:1 classid 1:30 htb rate 256kbit burst 6k prio 2
> + tc qdisc add dev ppp0 parent 1:10 handle 10: sfq perturb 10
> RTNETLINK answers: Invalid argument <----- 1'st error ------
> + tc qdisc add dev ppp0 parent 1:20 handle 20: sfq perturb 10
> RTNETLINK answers: Invalid argument <----- 2'nd error ------
> + tc qdisc add dev ppp0 parent 1:30 handle 30: sfq perturb 10
> RTNETLINK answers: Invalid argument <----- 3'rd error ------

It looks like you don't have sfq. Check your kernel config and /lib/modules/$VERSION/net/sched/sch_sfq.o since sfq is normally built as a module. tc needs sfq too.

--
gypsy

From e1605project at hotmail.com Sun Sep 17 11:56:14 2006
From: e1605project at hotmail.com (*~ r a K u ~ *)
Date: Sun Sep 17 11:56:26 2006
Subject: [LARTC] HTB and HFSC,declaration tc command question
Message-ID:

An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060917/d149fd10/attachment.htm

From e1605project at hotmail.com Sun Sep 17 13:22:26 2006
From: e1605project at hotmail.com (*~ r a K u ~ *)
Date: Sun Sep 17 13:22:36 2006
Subject: [LARTC] How to make burst traffic? such ICMP and real time traffic
Message-ID:

An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060917/e4fc07dc/attachment.html

From alex at zoomnet.ro Sun Sep 17 18:33:53 2006
From: alex at zoomnet.ro (Alexandru Dragoi) Date: Sun Sep 17 18:34:01 2006 Subject: [LARTC] Performance problem on a linux bridge used for shaping. In-Reply-To: <200609162317.41872.simonl@parknet.dk> References: <450C44D7.5090301@zoomnet.ro> <200609162317.41872.simonl@parknet.dk> Message-ID: <450D78F1.4010608@zoomnet.ro> Simon Lodal wrote: >I have similar hardware, load and trouble. > >Interrupts are only sent to one cpu, instead of all of them, because that was >only overhead. I think the default was changed somewhere around 2.6.10 >or .12, but I have forgotten the url. > >There is a CONFIG_IRQBALANCE option in the kernel, but last time I checked >(2.6.16) it did not work very well; almost never does anything. So I have >turned it off. I use the userspace irqbalance daemon that periodically sets >the smp_affinity's, with the effect that ingoing and outgoing traffic are >handled by each their cpu (assuming that no other interrupts or processes are >significant). That helps some. But we only shape in one direction, and it can >not help spread the shaping load between the CPU's. > >There is also an acpi_irq_balance kernel parameter (not related to the kernel >irq balancer), which apparently uses the APIC to do interrupt round-robin. It >worked surprisingly well (perfect, actually) on an old dual celeron that I >tested; the network interrupts are spread nicely and evenly across the cpu's. >It is probably very chipset dependent, and I have not yet tested it on the >firewalls. > >But as I understand from this: >http://vger.kernel.org/~davem/cgi-bin/blog.cgi/2006/09/14#netconf2006_day2 >it might not even be an advantage, since the current shaping code would just >make the cpu's step on each others toes. > > >Regards, >Simon > > >On Saturday 16 September 2006 20:39, Alexandru Dragoi wrote: > > >>Hello, >> >>Here is the situation. There is a machine with 3 intel gigabit card, 2 >>of them on PCI-X and in bridge, the 3rd is used only for management >>access. 
>>The machine is a dual Xeon 2.8GHz with HT. With the 2.6.8 kernel
>>from debian (testing) and htb with u32 on, I usually get about 30-40%
>>software interrupts on CPU0 and CPU2, and without htb and u32, 10% less.
>>Now, if I boot with the 2.6.17.9 kernel, first all irqs are on the same CPU. I
>>managed with smp_affinity to "move" the irq of one card to a different CPU.
>>In these circumstances, I have about 20% or a little less soft
>>interrupts on each CPU without shaping, but about 60-70% of soft
>>interrupts with shaping, and sometimes there is packet loss; also
>>dropped packets are shown on ifconfig. The htb script is the same. I have
>>u32 performance counters enabled on u32 in 2.6.17.9. I also have NAPI,
>>of course. I can't think of anything else that can cause the problem,
>>but it seems to be something in the kernel. Here is the output of lspci:
>>
>># lspci
>>0000:00:00.0 Host bridge: Intel Corporation E7320 Memory Controller Hub (rev 0a)
>>0000:00:00.1 ff00: Intel Corporation E7320 Error Reporting Registers (rev 0a)
>>0000:00:02.0 PCI bridge: Intel Corporation E7525/E7520/E7320 PCI Express Port A (rev 0a)
>>0000:00:03.0 PCI bridge: Intel Corporation E7525/E7520/E7320 PCI Express Port A1 (rev 0a)
>>0000:00:1c.0 PCI bridge: Intel Corporation 6300ESB 64-bit PCI-X Bridge (rev 02)
>>0000:00:1d.0 USB Controller: Intel Corporation 6300ESB USB Universal Host Controller (rev 02)
>>0000:00:1d.1 USB Controller: Intel Corporation 6300ESB USB Universal Host Controller (rev 02)
>>0000:00:1d.4 System peripheral: Intel Corporation 6300ESB Watchdog Timer (rev 02)
>>0000:00:1d.5 PIC: Intel Corporation 6300ESB I/O Advanced Programmable Interrupt Controller (rev 02)
>>0000:00:1d.7 USB Controller: Intel Corporation 6300ESB USB2 Enhanced Host Controller (rev 02)
>>0000:00:1e.0 PCI bridge: Intel Corporation 82801 PCI Bridge (rev 0a)
>>0000:00:1f.0 ISA bridge: Intel Corporation 6300ESB LPC Interface Controller (rev 02)
>>0000:00:1f.2 IDE interface: Intel Corporation 6300ESB SATA Storage Controller (rev 02)
>>0000:00:1f.3 SMBus: Intel Corporation 6300ESB SMBus Controller (rev 02)
>>0000:03:02.0 Ethernet controller: Intel Corporation 82544EI Gigabit Ethernet Controller (Copper) (rev 02)
>>0000:03:03.0 Ethernet controller: Intel Corporation 82544EI Gigabit Ethernet Controller (Copper) (rev 02)
>>0000:04:02.0 VGA compatible controller: ATI Technologies Inc Rage XL (rev 27)
>>0000:04:03.0 Ethernet controller: Intel Corporation 82541GI Gigabit Ethernet Controller (rev 05)
>>
>>The traffic is somewhere at 40kpps of traffic and 120mbit up,
>>120mbit/down. Suggestions about better hardware and kernel, or links
>>with docs about these are really welcomed.
>>
>>Bye
>>

Somebody recommended that I use an Intel dual-port Gigabit card and kernel 2.6.9, because some distributions stopped at 2.6.9. Now, if things changed on SMP since 2.6.10 or 2.6.12, I believe those distributions (perhaps some Redhat and CentOS) know what they are doing.

From Yongle_Lai at pmc-sierra.com Mon Sep 18 04:01:50 2006
From: Yongle_Lai at pmc-sierra.com (Yongle Lai) Date: Mon Sep 18 04:03:50 2006 Subject: [LARTC] Re: tc is giving an error: RTNETLINK answers: File exists Message-ID: <11276430CDF33142AE0DB4B33845FF76A0D636@sjc1exm06.pmc-sierra.bc.ca>

Since handle xxxx:0000 represents a QDISC, in the handle 1:76 the QDISC ID is 1:0; that's the reason.

Yongle

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of lartc-request@mailman.ds9a.nl
Sent: 16 September 2006 18:00
To: lartc@mailman.ds9a.nl
Subject: LARTC Digest, Vol 19, Issue 19

Today's Topics:

   1. Re: tc is giving an error: RTNETLINK answers: File exists (fourcentsshy)
   2. Re: Re: htb traffic shaping problem (Bugzilla-Redirect)

----------------------------------------------------------------------

Message: 1
Date: Fri, 15 Sep 2006 12:47:53 -0700
From: fourcentsshy
Subject: Re: [LARTC] tc is giving an error: RTNETLINK answers: File exists
To: gypsy , lartc
Message-ID: <1158349674.7896.34.camel@glyph.velotech.net>
Content-Type: text/plain

On Thu, 2006-09-14 at 21:36 -0700, gypsy wrote:
> fourcentsshy wrote:
> >
> > Hello,
> >
> > I'm using tc to limit the bandwidth of our wireless customers. I
> > have a working script, but I'm not happy with it. I'm trying to
> > write a more sophisticated script, but when I run it, it gives me this error:
> >
> > RTNETLINK answers: File exists
> >
> > I have no idea what this error means or how to fix it.
>
> It means pretty much what it says. There is already a record matching
> closely enough that it is duplicated.
>

That is what puzzles me the most. If you look at the script, I create the root qdisc, add a class to it and when I try to add a qdisc to that class on the first iteration in the loop, I get the error right off. The script also deletes all qdiscs, classes and filters before it creates any new ones. On the first iteration of the loop, the handle is 1:76 with its parent 1:1, which should be unique, since it's only the second qdisc created.

As Leigh Sharpe suggested, I had already inserted echo statements into the script so I could examine what was really going on. For this device, the error takes place on the third command.
The command sequence takes place like this:

/sbin/tc qdisc add dev eth5 root handle 1: cbq bandwidth 1600Kbit\
  cell 8 avpkt 1000 mpu 64

/sbin/tc class add dev eth5 parent 1: classid 1:1 est 1sec 8sec cbq\
  bandwidth 1600Kbit rate 1500kbit allot 1514 maxburst 20 avpkt 1000\
  prio 0 bounded isolated

/sbin/tc qdisc add dev eth5 parent 1:1 handle 1:76 cbq\
  bandwidth 1600Kbit cell 8 avpkt 1000 mpu 64
RTNETLINK answers: File exists

Like I said, I start by resetting all the devices on the machine, so there is no possible way there can be any existing qdisc with a handle of 1:76 for that device, yet I get the error anyway. The script is set up as a service to be run at startup, so checking the status after running the script for that device, I get this:

[qdisc - eth5]
qdisc cbq 1: rate 1600Kbit (bounded,isolated) prio no-transmit
 Sent 139719 bytes 181 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
  borrowed 0 overactions 0 avgidle 5120 undertime 0
------------------------

[class - eth5]
class cbq 1:11 parent 1:1 leaf 8236: rate 700000bit prio 2
 Sent 13814 bytes 42 pkt (dropped 0, overlimits 0 requeues 0)
 rate 11792bit 4pps backlog 0b 0p requeues 0
  borrowed 0 overactions 0 avgidle 306884 undertime 0
class cbq 1: root rate 100000Kbit (bounded,isolated) prio no-transmit
 Sent 60 bytes 1 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
  borrowed 0 overactions 0 avgidle 81 undertime 0
class cbq 1:10 parent 1:1 leaf 8235: rate 750000bit prio 1
 Sent 6712 bytes 48 pkt (dropped 0, overlimits 0 requeues 0)
 rate 2008bit 2pps backlog 0b 0p requeues 0
  borrowed 0 overactions 0 avgidle 148506 undertime 0
class cbq 1:1 parent 1: rate 800000bit (bounded,isolated) prio no-transmit
 Sent 20526 bytes 90 pkt (dropped 0, overlimits 0 requeues 0)
 rate 13800bit 7pps backlog 0b 0p requeues 0
  borrowed 0 overactions 0 avgidle 57889 undertime 0
class cbq 1:12 parent 1:1 leaf 8237: rate 700000bit prio 3
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
  borrowed 0 overactions 0 avgidle 329838 undertime 0

Maybe I'm blind, but I don't see any qdisc or class with a handle of 1:76. Something else is wrong, but I don't see it.

> > Here is a portion
> > of the script (the whole script shapes several interfaces):
> >
> > IDEV='eth5'
> > TC='/sbin/tc'
> > IPS='/etc/sysconfig/shaper/shape.ips'
> > # high priority destination ports - I'll fill these in later (when
> > # this thing works)
> > HIGHPORT=
> > # low priority destination ports
> > LOWPORT=
> >
> > $TC qdisc add dev $IDEV root handle 1: cbq bandwidth 1600Kbit cell 8\
> >   avpkt 1000 mpu 64
> > $TC class add dev $IDEV parent 1: classid 1:1 est 1sec 8sec cbq\
> >   bandwidth 1600Kbit rate 1500kbit allot 1514 maxburst 20 avpkt 1000\
> >   prio 0 bounded isolated
> >
> > cat $IPS | sed -e 's/#.*$//; s/^ *$//;' | while read IP RATE STATUS; do
> >     if [ "x$IP" == "x" ]; then
> >         continue
> >     fi
> >
> >     # I use the last byte of the customer's IP's for the handle, which
> >     # range from 76 to 135 ATM.
> >
> >     HANDLE="${IP##*.}"
> >
> >     # I get the error from the next line. Because it fails to create the
> >     # qdisc all the rest fail too.
> >
> >     $TC qdisc add dev $IDEV parent 1:1 handle 1:$HANDLE cbq\
> >       bandwidth 1600Kbit cell 8 avpkt 1000 mpu 64
> >
> >     $TC class add dev $IDEV parent 1:$HANDLE classid $HANDLE:\
> >       est 1sec 8sec cbq bandwidth 1600Kbit rate ${RATE}kbit allot 1514\
> >       maxburst 20 avpkt 1000 prio 1 bounded isolated
> >     $TC class add dev $IDEV parent $HANDLE: classid $HANDLE:1\
> >       est 1sec 8sec cbq bandwidth 1600Kbit rate ${RATE}kbit allot 1514\
> >       maxburst 20 avpkt 1000 prio 2
> >     $TC class add dev $IDEV parent $HANDLE: classid $HANDLE:2\
> >       est 1sec 8sec cbq bandwidth 1600Kbit rate $[9*$RATE/10]kbit allot 1514\
> >       maxburst 20 avpkt 1000 prio 3
> >     $TC class add dev $IDEV parent $HANDLE: classid $HANDLE:3\
> >       est 1sec 8sec cbq bandwidth 1600Kbit rate $[8*$RATE/10]kbit allot 1514\
> >       maxburst 20 avpkt 1000 prio 4
> >     $TC qdisc add dev $IDEV parent $HANDLE:1 sfq quantum 1514b\
> >       perturb 15
> >     $TC qdisc add dev $IDEV parent $HANDLE:2 sfq quantum 1514b\
> >       perturb 15
> >     $TC qdisc add dev $IDEV parent $HANDLE:3 sfq quantum 1514b\
> >       perturb 15
> >     $TC filter add dev $IDEV parent 1: protocol ip prio 16\
> >       u32 match ip src $IP flowid $HANDLE:
> >     $TC filter add dev $IDEV parent $HANDLE: protocol ip prio 10\
> >       u32 match ip tos 0x10 0xff flowid $HANDLE:1
> >     $TC filter add dev $IDEV parent $HANDLE: protocol ip prio 11\
> >       u32 match ip protocol 1 0xff flowid $HANDLE:1
> >     $TC filter add dev $IDEV parent $HANDLE: protocol ip prio 12\
> >       u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16\
> >       0x0000 0xffc0 at 2 flowid $HANDLE:1
> >
> >     for a in $HIGHPORT; do
> >         $TC filter add dev $IDEV parent 1:0 protocol ip prio 14\
> >           u32 match ip dport $a 0xffff flowid $HANDLE:1
> >     done
> >     for a in $LOWPORT; do
> >         $TC filter add dev $IDEV parent 1:0 protocol ip prio 16\
> >           u32 match ip dport $a 0xffff flowid $HANDLE:3
> >     done
> >     $TC filter add dev $IDEV parent 1:0 protocol ip prio 15\
> >       u32 match ip dst 0.0.0.0/0 flowid $HANDLE:2
> > done
> >
> > There are bound to be other problems with this script, but until I can
> > get past the current one, I'm dead in the water. TIA
>
> You do not say which line or lines is causing the error so this is a
> guess.

I inserted a comment in the script that points out which command causes the error. It's the first command inside the loop.

>
> Run `tc -s filter show dev $IDEV' sending the output to a file because
> there will be a lot of it. I think you will find a ton of "duplicate"
> filters.

I inserted an exit statement right after the command that gives the error. The script never gets to the statements that create the filters. Checking the status of the service would display the filters along with the qdiscs and classes, but there are none.

>
> Set prio to the same value (16 or 10 perhaps) for each and every line
> in your `$TC filter' lines.

If I ever get this script working, I'll do that. ;-)

------------------------------

Message: 2
Date: Fri, 15 Sep 2006 19:38:36 -0600
From: Bugzilla-Redirect
Subject: Re: [LARTC] Re: htb traffic shaping problem
To: lartc@mailman.ds9a.nl
Message-ID: <6.2.0.14.2.20060915193530.02eaf330@linux.sysreset.com>
Content-Type: text/plain; charset="iso-8859-1"; format=flowed

Yes, the output is below:

eth0      Link encap:Ethernet  HWaddr 00:11:09:2A:A6:F6
          inet addr:10.0.0.50  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4244867 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1306632 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3898905509 (3.6 GiB)  TX bytes:1756030081 (1.6 GiB)
          Interrupt:19

And from ethtool:

Settings for eth0:
        Supported ports: [ MII ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Advertised auto-negotiation: Yes
        Speed: 1000Mb/s
        Duplex: Full
        Port: MII
        PHYAD: 1
        Transceiver: external
        Auto-negotiation: on
        Supports Wake-on: g
        Wake-on: d
        Link detected: yes

Thanks.

-Ryan Power

At 04:32 PM 9/14/2006, you wrote:
>Hi,
>
>could you check the mtu set on eth0 with an ifconfig?
>I tried my own setup and it works fine...
>
>
>Regards,
>
>Eric Janz
>Departamento de Sistemas
>Grupo Barceló Viajes

------------------------------

End of LARTC Digest, Vol 19, Issue 19
*************************************

From e1605project at hotmail.com Mon Sep 18 06:40:28 2006
From: e1605project at hotmail.com (*~ r a K u ~ *) Date: Mon Sep 18 06:40:36 2006 Subject: [LARTC] HTB and HFSC tc commandd syntax question Message-ID: An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060918/88be80f1/attachment.htm

From lists at andyfurniss.entadsl.com Mon Sep 18 15:30:14 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Mon Sep 18 15:30:16 2006 Subject: [LARTC] HTB shaping problem In-Reply-To: <61e536f90609131357k3c74aabcw4cfaa7ae04bf126d@mail.gmail.com> References: <61e536f90609131357k3c74aabcw4cfaa7ae04bf126d@mail.gmail.com> Message-ID: <450E9F66.5090207@andyfurniss.entadsl.com>

f00ty wrote:
> Hi all !
>
> I'm building a network appliance whose goals are to enhance VoIP
> quality on 512/128k DSL links. But I have a voice quality problem,
> and I think I'm doing something wrong, but I can't find what. Please
> excuse my terrible English, I'm French.
>
> From what I've read, tc is the tool I need. I read the documentation,
> readmes and lartc.org howto, and came to the following setup:
>
> NA = Linux-based network appliance (in fact a standard PC)
>
> A--[Switch]--[eth1 NA eth0]--[DSL modem]
>
> A = 1 pc and 1 ip phone on a 192.168.0.0/24 network
> on the other side, the DSL modem is a bridge-type, thus I have my
> internet ip on the NA eth0 interface.
> The DSL modem is actually a 15Mbit/1024Kbit ATM, but I want to limit
> the upload to 128Kbit/s, to test the VoIP thing.

You can patch for accurate atm rates - it may be in kernel/for hfsc as well one day.

http://ace-host.stuart.id.au/russell/files/tc/tc-atm/

You can also make htb more accurate if you change a define in net/sched/sched_htb.c - HYSTERESIS 0.

If you don't patch you will need to set the sum of rates/ceils to well below 1024 (if that's showtime rate).

>
> My plan:
>
> HTB qdisc with overall rate at 128kbit, and 2 classes, one with prio 1
> (for VoIP) and one with prio 2 (for other data), each of them rated at
> 1kbit/s and ceiled at 128kbit/s. And, on top of this, SFQ qdiscs for
> fairness.
>
> So :
>
> $TC qdisc add dev eth0 root handle 1: htb default 3

It's best not to use default on eth when shaping for some other bottleneck; that way arp and other eth frames get let through unshaped by htb.
You should use tc/iptables to send unmatched/classified IP to your own default class.

> $TC class add dev eth0 parent 1: classid 1:1 htb rate 128kbit burst 6k
> $TC class add dev eth0 parent 1:1 classid 1:2 htb quantum 1600 rate
> 1kbit ceil 128kbit prio 1

It will be better to give rate 127kbit to the rt traffic.

> $TC qdisc add dev eth0 parent 1:2 handle 2: sfq perturb 10

I would use bfifo for rt and think about queue length, though an rt class usually shouldn't be backlogged.

Andy.

From acid_burn at x-privat.org Mon Sep 18 15:36:59 2006
From: acid_burn at x-privat.org (acid_burn@x-privat.org) Date: Mon Sep 18 15:37:18 2006 Subject: [LARTC] jdg-qos & DSL Message-ID:

hi all!

I have a DSL connection with 1280 kbps downstream and 256 kbps upstream, and I want to manage the bandwidth to give high priority to VoIP traffic and low priority to P2P traffic. I found the script jdg-qos. I read on this forum (I have a DSL-G604T router with MCMCC firmware)

http://www.dslreports.com/forum/remark,16250220

that the two parameters of the jdg-qos script (DWIFLIMIT and UPIFLIMIT) must be set a little less than the theoretical DSL downstream and upstream values (1280/256). But how much less? What values must I assign to DWIFLIMIT and UPIFLIMIT?

thanks in advance

From lists at andyfurniss.entadsl.com Mon Sep 18 15:38:42 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Mon Sep 18 15:38:32 2006 Subject: [LARTC] Suggestions/Pointers on where to begin my search for a solution? In-Reply-To: <6aa4d09a0608240632q47de4e83k89f6de0eb078bdd4@mail.gmail.com> References: <6aa4d09a0608240632q47de4e83k89f6de0eb078bdd4@mail.gmail.com> Message-ID: <450EA162.1060703@andyfurniss.entadsl.com>

Bill Blum wrote:
> Hi-
> I'm working in the IT department of a small liberal arts university-- we're
> getting *massacred* by P2P traffic.
>
> Informal testing/probing indicates that about 60% of our traffic from the
> dorms was P2P-- we've taken the initial step of hardlimiting the dorms
> to no
> more than 40% of outgoing university bandwidth. Also, we've blocked the
> 'standard' ports for KaZaa, Gnutella, etc. in our firewall/switch setup
> (Cisco Catalyst 6500 between us and the net at large)....

It would be more liberal to try and allocate bandwidth per user - do they have real IPs?

>
> However, the Powers That Be want a better, more effective solution---
> without a performance hit for the VOIP phones on campus.
>
> Any suggestions on what part of the FM I should be reading/etc, so that I
> can make a better informed decision about how to proceed?

Well, I like to think Linux QoS could do it, but I can't point you to any manual as such. Classifying traffic can be hard and will need ongoing maintenance, but it's doable. I have no experience with the size of network you have - I guess the cisco can't do anything more for you.

What to do and what you can do also depends on how much bandwidth you have and how many users - you want prio for voip; do you know how many voip calls your link can sustain without any other traffic?

Andy.

From lists at andyfurniss.entadsl.com Mon Sep 18 15:48:28 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Mon Sep 18 15:48:15 2006 Subject: [LARTC] Re: htb traffic shaping problem In-Reply-To: <450C2460.44BAF0E5@iswest.com> References: <20060914223226.1183944E0@outpost.ds9a.nl> <6.2.0.14.2.20060915193530.02eaf330@linux.sysreset.com> <450C2460.44BAF0E5@iswest.com> Message-ID: <450EA3AC.2010100@andyfurniss.entadsl.com> gypsy wrote: > Bugzilla-Redirect wrote: > >>Yes, the output is below: >>eth0 Link encap:Ethernet HWaddr 00:11:09:2A:A6:F6 >> inet addr:10.0.0.50 Bcast:10.0.0.255 Mask:255.255.255.0 >> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 >> RX packets:4244867 errors:0 dropped:0 overruns:0 frame:0 >> TX packets:1306632 errors:0 dropped:0 overruns:0 carrier:0 >> collisions:0 txqueuelen:1000 >> RX bytes:3898905509 (3.6 GiB) TX bytes:1756030081 (1.6 GiB) >> Interrupt:19 > > > Try a "quantum 1514" then; that is correct for an ethernet device with > an MTU of 1500. > > Perhaps reading the source code will give a clue about MPU and MTU? > Frankly, I'd set it to whatever works as long as the rest of the status > info looks right and not give a damn that it is huge. Even if ifconfig says 1500 there have been posts that say you don't get it with gig cards that do segmentation offload unless you can turn it off with ethtool. Apologies if this has already been said as I don't have all the thread. Andy. From lists at andyfurniss.entadsl.com Mon Sep 18 16:11:04 2006 
From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Mon Sep 18 16:10:48 2006 Subject: [LARTC] Rate limits whithin rate limits In-Reply-To: References: Message-ID: <450EA8F8.3070800@andyfurniss.entadsl.com>

Leigh Sharpe wrote:
> Hi all,
> I'm sure I'm doing something wrong here.
> I am trying to set up a rate limit inside another rate limit.
> eg. I have a 512K rate limit on a particular VLAN. I am using an IFB so
> that packets passing through the bridge are counted at each port. (ie the
> throughput is limited to 512K, not just the traffic in one direction.)

When I tested this ages ago, it was a lot better (for usability) to still keep the traffic separate - and on top of that make big tcp second class.

That was with htb - I don't know cbq, but with htb you could use ceil to further limit traffic classes; you would still need to make sure rates didn't add up to more than the parent - it doesn't cap children for htb.

I don't know how accurate cbq is or how it chooses queue lengths - you should really specify child queues so you get to decide on q length. HTB/HFSC will choose a really small default on ppp/vlan IIRC; IFB is 32 so not quite as bad.

Andy.

From dpsims at dpsims.com Mon Sep 18 17:34:15 2006
From: dpsims at dpsims.com (David Sims) Date: Mon Sep 18 17:34:24 2006 Subject: [LARTC] Suggestions/Pointers on where to begin my search for a solution? In-Reply-To: <450EA162.1060703@andyfurniss.entadsl.com> References: <6aa4d09a0608240632q47de4e83k89f6de0eb078bdd4@mail.gmail.com> <450EA162.1060703@andyfurniss.entadsl.com> Message-ID: Hi, On Mon, 18 Sep 2006, Andy Furniss wrote: > Bill Blum wrote: > > Hi- > > I'm working in the IT department of a small liberal arts university-- we're > > getting *massacred* by P2P traffic. > > > > Informal testing/probing indicates that about 60% of our traffic from the > > dorms was P2P-- we've taken the initial step of hardlimiting the dorms > > to no > > more than 40% of outgoing university bandwidth. Also, we've blocked the > > 'standard' ports for KaZaa, Gnutella, etc. in our firewall/switch setup > > (Cisco Catalyst 6500 between us and the net at large).... > > Would be more liberal to try and allocate bandwidth per user - Do they > have real IPs? > > > > > However, the Powers That Be want a better, more effective solution--- > > without a performance hit for the VOIP phones on campus. > > > > Any suggestions on what part of the FM I should be reading/etc, so that I > > can make a better informed decision about how to proceed? > > Well I like to think Linux Qos could do it, but can't point you any > manual as such. Classifying traffic can be hard and will need ongoing > maintenance, but it's doable. I have no experience with the size of > network you have - I guess the cisco can't do anything more for you. > > What to do and what you can do also depends on how much bandwidth you > have and how many users - you wan't prio for voip, do you know how many > voip calls your link can sustain without any other traffic. > > Andy. 
>

You don't mention your ISP situation, but an approach I have had good luck with is the classification of traffic by source and then the distribution of that traffic over more than a single ISP connection using LARTC in order to achieve classes of service... This is a simple approach that doesn't preclude doing traffic shaping on one or any of your ISP links. It also provides redundant ISP connectivity for disaster recovery/management.

So, you might have one ISP connection for high priority traffic (like VoIP) along with some VIP users and a second one (perhaps nearer capacity) for the dorms... This gets you in a situation where you can tweak the traffic to/from the dorms without potentially disrupting more business oriented traffic....

I have been doing it this way for a local municipality with good result for a couple of years now. City business goes out over a 3 meg link and the library traffic (where there is lots of public access and P2P activity) goes out over its own T-1, but it all runs over a common infrastructure and is routed by a Linux router using LARTC source routing with some traffic shaping on the T-1....

Also, Tobi Oetiker's MRTG is your friend. I run MRTG on all outbound traffic and make the resulting graphs fairly public so peer pressure can have some effect without requiring never ending cat and mouse with the main abusers....

There is also a package called 'darkstat' that will aggregate traffic statistics by 'top 25' hosts and display it for you. This provides a good mechanism for the old 'heart-to-heart' conversation with your abusers.... ;)

In any event, a good place to start your search for solutions might be Policy Routing Using Linux, Matthew G. Marsh, ISBN 0-672-32052-5

Dave

From anakinv7 at hotmail.com Mon Sep 18 18:09:29 2006
From: anakinv7 at hotmail.com (Vladimir Burciaga Aguilar) Date: Mon Sep 18 18:09:36 2006 Subject: [LARTC] Problem with Load Balancing In-Reply-To: <4986F8D166F1E44CBA92A91C98ACAD5214CA0E@sql_server> Message-ID:

>We have also set up a somewhat similar method of load balancing. Our
>traffic is never a 50-50 split (well 3:2 is how we have it set, but it
>doesn't always get close to that), but as the load picks up, it tends to be
>closer to the actual amount.

Well, then there is not much to do about this.

>Dead gateway detection has never worked for us, and one day I'll probably
>bother other members of the LARTC group to get some help, but the method
>that we use is to check the output of the ip neighbor command. Basically,
>if our two ISPs are 10.1.1.254 and 10.2.2.254, we run a bash script via
>cron
>every minute that does a call something like:
>
>ETH1=$(ip neigh show 10.1.1.254 | egrep -c "REACHABLE|DELAY|PROBE|STALE")
>ETH2=$(ip neigh show 10.2.2.254 | egrep -c "REACHABLE|DELAY|PROBE|STALE")
>
>The neighbor system basically monitors ARP and if it sees a message leave
>an
>interface without a reply after something like 3-5 seconds, it moves the
>interface to DELAY, after another few seconds it moves to PROBE and does an
>active arp request, and if that fails to work in a few seconds, it becomes
>INCOMPLETE or FAILED or just simply isn't listed. If no data is sent
>either
>way for a while, the entry can be marked STALE or removed.
>
>With the above lines, we get a 1 in the ETH1 or ETH2 variables if the next
>neighbor is up, and a 0 if not. From there you can use some if scripts to
>detect if both are up, or if only one is up, which one.
>In our case, if
>both are up we clear the default route and then make it something like
>
>ip route add default nexthop via 10.1.1.254 dev eth1 weight 1 \
>nexthop via 10.2.2.254 dev eth2 weight 1
>
>and if only one is up we clear it and make it :
>
>ip route add default nexthop via 10.1.1.254 dev eth1
>or
>ip route add default nexthop via 10.2.2.254 dev eth2

Ok, William, this looks like what I'm looking for. I'm going to test it and tell you how it works for us.

By the way, about the download of a single file between the two connections, do you know if there is a way to do it?

Thanks for your help and time and sorry for the delay!

From fourcentsshy at velotech.net Mon Sep 18 22:33:18 2006
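The gateway check William describes above, as an added example that is not code from the thread: it reads the neighbour state of each ISP gateway and prints the one `ip route replace` to run, using `replace` (this example's choice, not William's delete-then-add) so the router is never left without a default route. The `ip neigh show` output is constructed inline so the script runs offline; on a real router you would pass `"$(ip neigh show)"` and pipe the printed command to `sh`.

```shell
#!/bin/sh
# Added example, not from the thread: pick the default route from the ARP
# (neighbour) state of each ISP gateway, as William's cron job does.
# `ip neigh show` output is passed in as text so this runs offline.

# gw_alive NEIGH_OUTPUT GATEWAY
# Prints 1 if GATEWAY's entry is in a live NUD state (REACHABLE, DELAY,
# PROBE or STALE), else 0. The state is the last field of the line; matching
# on the whole first field keeps 10.1.1.25 from matching 10.1.1.254.
gw_alive() {
    printf '%s\n' "$1" | awk -v gw="$2" '
        $1 == gw && $NF ~ /^(REACHABLE|DELAY|PROBE|STALE)$/ { found = 1 }
        END { print (found ? 1 : 0) }'
}

# default_route_cmd NEIGH_OUTPUT GW1 DEV1 GW2 DEV2
# Prints the single `ip route replace` to run: both nexthops when both
# gateways answer, the survivor when only one does. "replace" swaps the route
# atomically, so there is no moment without a default route as there is with
# a delete followed by an add. Prints nothing and returns 1 when both are
# down, so the caller leaves the current route alone instead of deleting it.
default_route_cmd() {
    neigh=$1 gw1=$2 dev1=$3 gw2=$4 dev2=$5
    up1=$(gw_alive "$neigh" "$gw1")
    up2=$(gw_alive "$neigh" "$gw2")
    if [ "$up1" = 1 ] && [ "$up2" = 1 ]; then
        echo "ip route replace default nexthop via $gw1 dev $dev1 weight 1 nexthop via $gw2 dev $dev2 weight 1"
    elif [ "$up1" = 1 ]; then
        echo "ip route replace default via $gw1 dev $dev1"
    elif [ "$up2" = 1 ]; then
        echo "ip route replace default via $gw2 dev $dev2"
    else
        return 1
    fi
}

# Constructed samples of `ip neigh show` output (not captured from a real box).
NEIGH_BOTH_UP='10.1.1.254 dev eth1 lladdr 00:00:5e:00:53:01 REACHABLE
10.2.2.254 dev eth2 lladdr 00:00:5e:00:53:02 STALE
10.1.1.25 dev eth1 lladdr 00:00:5e:00:53:03 REACHABLE'
NEIGH_ETH2_DOWN='10.1.1.254 dev eth1 lladdr 00:00:5e:00:53:01 DELAY
10.2.2.254 dev eth2 FAILED'
NEIGH_BOTH_DOWN='10.1.1.254 dev eth1 INCOMPLETE'

for sample in "$NEIGH_BOTH_UP" "$NEIGH_ETH2_DOWN" "$NEIGH_BOTH_DOWN"; do
    default_route_cmd "$sample" 10.1.1.254 eth1 10.2.2.254 eth2 \
        || echo "both gateways down: leaving the default route untouched"
done
```

Two limits carried over from the method itself: STALE counts as up, so a gateway that died while its entry was STALE is only noticed once the kernel re-probes it, and an answering ARP entry only proves the first hop is alive, not that the ISP routes anything beyond it.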
From: fourcentsshy at velotech.net (fourcentsshy) Date: Mon Sep 18 22:33:36 2006 Subject: [LARTC] tc is giving an error: RTNETLINK answers: File exists In-Reply-To: <450C22D8.BAABF53C@iswest.com> References: <1158272090.7705.25.camel@glyph.velotech.net> <450A2DC0.4ABC84FC@iswest.com> <1158349674.7896.34.camel@glyph.velotech.net> <450C22D8.BAABF53C@iswest.com> Message-ID: <1158611598.7714.58.camel@glyph.velotech.net> On Sat, 2006-09-16 at 09:14 -0700, gypsy wrote: > fourcentsshy wrote: > > the script so I could examine what was really going on. For this device, > > the error takes place on the third command. the command sequence take > > place like this: > > > > /sbin/tc qdisc add dev eth5 root handle 1: cbq bandwidth 1600Kbit\ > > cell 8 avpkt 1000 mpu 64 > > > > /sbin/tc class add dev eth5 parent 1: classid 1:1 est 1sec 8sec cbq\ > > bandwidth 1600Kbit rate 1500kbit allot 1514 maxburst 20 avpkt 1000\ > > prio 0 bounded isolated > > > > /sbin/tc qdisc add dev eth5 parent 1:1 handle 1:76 cbq\ > > bandwidth 1600Kbit cell 8 avpkt 1000 mpu 64 > This says to me "cell", not "ceil". That's a mistake. I wish that were true. It would make this problem so much easier to solve. The HTB classes use the ceil parameter, but CBQ qdiscs use the cell parameter for packet transmission time calculations. The manual says it has a reasonable default, but the working script I have didn't shape properly until I played with it. ATM, since I'm debugging the script, its setup to exit after the 3rd tc command I've listed above. tc doesn't seem to care what handle I give the second qdisc. I've tried many different handles and every time I get the same error: RTNETLINK answers: File exists. I've even tried running those very same lines on different machines, with different Linux distros on them. I keep getting the same error on them as well. It would be helpful if the device let me know which file it's talking about. The working script only adds CBQ classes to CBQ classes. 
Is it possible that it's forbidden to add a CBQ qdisc to a CBQ class?

>
> ==--snip--==
> One more thing.
> You can send your commands to a database (mysql or whatever). Once
> disallowing duplicate records and again allowing dups. The difference
> is the Bad Boy.

I do love mysql and work with it almost daily (great fun). I thought about
writing a customer database for the very reason you mentioned, but dups are
not the problem. I do have a working script that uses the same resource file
with no problems. It limits customer bandwidth nicely and even uses the same
method of choosing handles, but there is a minor problem with load balancing.
I'd very much like to fix that.

>
> I use HTB not CBQ but I still think the parameter is "ceil" not "cell"
> and fixing that will help or solve.

When I first started playing with tc, I tried using HTBs because they looked
easier to work with. I couldn't get them to work, so I tried the CBQs. They
didn't work either. It turned out that one of our technicians had installed
an older version of Fedora on the gateway server and that version of tc was
broken. I upgraded it to FC4 and the script came alive. Since the script was
working, I didn't bother to switch back to the HTBs (but I'm strongly
considering doing just that).

Thanks for your time. I guess I'll keep trying different things.

Cheers,
William Murphy
Velocity Technologies, Inc.

From smohan at gmail.com Tue Sep 19 04:09:51 2006
From: smohan at gmail.com (Mohan Sundaram)
Date: Tue Sep 19 04:10:08 2006
Subject: [LARTC] Suggestions/Pointers on where to begin my search for a solution?
In-Reply-To: <450EA162.1060703@andyfurniss.entadsl.com>
References: <6aa4d09a0608240632q47de4e83k89f6de0eb078bdd4@mail.gmail.com> <450EA162.1060703@andyfurniss.entadsl.com>
Message-ID: <450F516F.1030908@vsnl.com>

Andy Furniss wrote:
> Bill Blum wrote:
>> Hi-
>> I'm working in the IT department of a small liberal arts university--
>> we're getting *massacred* by P2P traffic.
>>
>> Informal testing/probing indicates that about 60% of our traffic from the
>> dorms was P2P-- we've taken the initial step of hardlimiting the dorms
>> to no more than 40% of outgoing university bandwidth. Also, we've blocked the
>> 'standard' ports for KaZaa, Gnutella, etc. in our firewall/switch setup
>> (Cisco Catalyst 6500 between us and the net at large)....
>

One way of doing this is to use a Linux machine in between and use the ipp2p
netfilter plugin to identify P2P traffic. Even if we shut out standard ports,
these apps work on commonly used ports like 80, 110, 25 etc. :-( You can rate
limit using ipp2p or mark packets using ipp2p and then shape that traffic
using tc.

Mohan

From bugzilla at sysreset.com Tue Sep 19 04:42:07 2006
From: bugzilla at sysreset.com (Bugzilla-Redirect)
Date: Tue Sep 19 04:42:17 2006
Subject: [LARTC] Re: htb traffic shaping problem
In-Reply-To: <450EA3AC.2010100@andyfurniss.entadsl.com>
References: <20060914223226.1183944E0@outpost.ds9a.nl> <6.2.0.14.2.20060915193530.02eaf330@linux.sysreset.com> <450C2460.44BAF0E5@iswest.com> <450EA3AC.2010100@andyfurniss.entadsl.com>
Message-ID: <6.2.0.14.2.20060918204013.031a9e18@linux.sysreset.com>

I was not aware that segmentation offloading would cause a problem... and I
do believe it's on. I think I'll just stick with the high MTU for the moment
then, as I would rather have the CPU savings than more accurate traffic
controlling. Thanks.

-Ryan Power

At 07:48 AM 9/18/2006, Andy Furniss wrote:
>gypsy wrote:
>>Bugzilla-Redirect wrote:
>>
>>>Yes, the output is below:
>>>eth0      Link encap:Ethernet  HWaddr 00:11:09:2A:A6:F6
>>>          inet addr:10.0.0.50  Bcast:10.0.0.255  Mask:255.255.255.0
>>>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>          RX packets:4244867 errors:0 dropped:0 overruns:0 frame:0
>>>          TX packets:1306632 errors:0 dropped:0 overruns:0 carrier:0
>>>          collisions:0 txqueuelen:1000
>>>          RX bytes:3898905509 (3.6 GiB)  TX bytes:1756030081 (1.6 GiB)
>>>          Interrupt:19
>>
>>Try a "quantum 1514" then; that is correct for an ethernet device with
>>an MTU of 1500.
>>Perhaps reading the source code will give a clue about MPU and MTU?
>>Frankly, I'd set it to whatever works as long as the rest of the status
>>info looks right and not give a damn that it is huge.
>
>Even if ifconfig says 1500 there have been posts that say you don't get it
>with gig cards that do segmentation offload unless you can turn it off
>with ethtool.
>
>Apologies if this has already been said as I don't have all the thread.
>
>Andy.

From Yongle_Lai at pmc-sierra.com Tue Sep 19 08:12:59 2006
From: Yongle_Lai at pmc-sierra.com (Yongle Lai)
Date: Tue Sep 19 08:13:17 2006
Subject: [LARTC] Re: tc is giving an error: RTNETLINK answers: File exists
Message-ID: <11276430CDF33142AE0DB4B33845FF76A0D63F@sjc1exm06.pmc-sierra.bc.ca>

Hi Fourcentsshy,

1. After the 1st command is executed, there is a QDISC: 1:0
   After the 2nd command is executed, there is a CLASS: 1:1
   (CLASS and QDISC have different namespaces)
   After the 3rd command is executed, the request for creating QDISC 1:0
   fails since there is a QDISC with the handle 1:0 already.
   You could try handle 2:0 in the 3rd command. Note that handle 1:76 is
   equal to 1:0; a QDISC just uses the higher 2 bytes.

2. I have tried the 3 commands which you gave. If I replace 1:76 with 2:0,
   the 3 commands can be executed successfully.

3. The parameters ceil and cell are right for each QDISC. For HTB, tc would
   calculate the cell according to other parameters because PKT_SCHED needs
   the cell. So for different QDISCs, tc needs different parameters.

Bests,
Yongle Lai

-----Original Message-----
Message: 8
Date: Mon, 18 Sep 2006 13:33:18 -0700
From: fourcentsshy
Subject: Re: [LARTC] tc is giving an error: RTNETLINK answers: File exists
To: gypsy , lartc
Message-ID: <1158611598.7714.58.camel@glyph.velotech.net>
Content-Type: text/plain

On Sat, 2006-09-16 at 09:14 -0700, gypsy wrote:
> fourcentsshy wrote:
> > the script so I could examine what was really going on. For this
> > device, the error takes place on the third command. The command
> > sequence takes place like this:
> >
> > /sbin/tc qdisc add dev eth5 root handle 1: cbq bandwidth 1600Kbit \
> > cell 8 avpkt 1000 mpu 64
> >
> > /sbin/tc class add dev eth5 parent 1: classid 1:1 est 1sec 8sec cbq \
> > bandwidth 1600Kbit rate 1500kbit allot 1514 maxburst 20 avpkt 1000 \
> > prio 0 bounded isolated
> >
> > /sbin/tc qdisc add dev eth5 parent 1:1 handle 1:76 cbq \
> > bandwidth 1600Kbit cell 8 avpkt 1000 mpu 64
> This says to me "cell", not "ceil". That's a mistake.

I wish that were true. It would make this problem so much easier to solve.
The HTB classes use the ceil parameter, but CBQ qdiscs use the cell
parameter for packet transmission time calculations. The manual says it has
a reasonable default, but the working script I have didn't shape properly
until I played with it.

ATM, since I'm debugging the script, it's set up to exit after the 3rd tc
command I've listed above. tc doesn't seem to care what handle I give the
second qdisc. I've tried many different handles and every time I get the
same error: RTNETLINK answers: File exists. I've even tried running those
very same lines on different machines, with different Linux distros on them.
I keep getting the same error on them as well. It would be helpful if the
device let me know which file it's talking about.

The working script only adds CBQ classes to CBQ classes. Is it possible that
it's forbidden to add a CBQ qdisc to a CBQ class?

>
> ==--snip--==
> One more thing.
> You can send your commands to a database (mysql or whatever). Once
> disallowing duplicate records and again allowing dups.
> The difference
> is the Bad Boy.

I do love mysql and work with it almost daily (great fun). I thought about
writing a customer database for the very reason you mentioned, but dups are
not the problem. I do have a working script that uses the same resource file
with no problems. It limits customer bandwidth nicely and even uses the same
method of choosing handles, but there is a minor problem with load balancing.
I'd very much like to fix that.

>
> I use HTB not CBQ but I still think the parameter is "ceil" not "cell"
> and fixing that will help or solve.

When I first started playing with tc, I tried using HTBs because they looked
easier to work with. I couldn't get them to work, so I tried the CBQs. They
didn't work either. It turned out that one of our technicians had installed
an older version of Fedora on the gateway server and that version of tc was
broken. I upgraded it to FC4 and the script came alive. Since the script was
working, I didn't bother to switch back to the HTBs (but I'm strongly
considering doing just that).

Thanks for your time. I guess I'll keep trying different things.

Cheers,
William Murphy
Velocity Technologies, Inc.

From rvokal at redhat.com Tue Sep 19 13:00:03 2006
From: rvokal at redhat.com (Radek Vokál)
Date: Tue Sep 19 13:04:04 2006
Subject: [LARTC] Hardcoded /usr/lib dir
Message-ID: <1158663603.3062.21.camel@localhost.localdomain>

tc.c has the following line

snprintf(buf, sizeof(buf), "/usr/lib/tc/q_%s.so", str);

the libdir should not be hardcoded but it should be detected at build time.

Radek

--
Radek Vokál
Base OS Engineering
Office: +420 543 422 235
Red Hat Inc.
http://www.redhat.com

From safin.timur at gmail.com Tue Sep 19 13:42:18 2006
From: safin.timur at gmail.com (Тимур Сафин)
Date: Tue Sep 19 13:42:25 2006
Subject: [LARTC] how to setup massive traffic shaping? (2 class B nets)
Message-ID:

Hello
I have 2 class-B networks (172.22.0.0/16 and 172.23.0.0/16, over 130k of
ip's) and need to setup traffic tbf shapers with 64kb/s for each ip from
172.22.0.0/16 and 128kb/s for each ip from 172.23.0.0/16
just read lartc and don't understand how to use u32 for decreasing number of
rules and hashing

From fourcentsshy at velotech.net Tue Sep 19 20:47:27 2006
From: fourcentsshy at velotech.net (fourcentsshy)
Date: Tue Sep 19 20:47:47 2006
Subject: [LARTC] tc is giving an error: RTNETLINK answers: File exists
In-Reply-To: <1158611598.7714.58.camel@glyph.velotech.net>
References: <1158272090.7705.25.camel@glyph.velotech.net> <450A2DC0.4ABC84FC@iswest.com> <1158349674.7896.34.camel@glyph.velotech.net> <450C22D8.BAABF53C@iswest.com> <1158611598.7714.58.camel@glyph.velotech.net>
Message-ID: <1158691647.7707.18.camel@glyph.velotech.net>

I've solved the problem. It turns out tc didn't like the sequence the
commands were in. The script was set up to create a qdisc for each customer
and attach a rate limiting class to it. It looked like this:

           1:               root qdisc
           |
           1:1              child class
          /|\
         / | \
        /  |  \
       /   |   \
    1:76  1:77  1:78...     customer qdiscs
     |     |     |
    76:   77:   78:         rate limiting classes
    /|\   ...
   / | \
  /  |  \
 /   |   \
76:1 76:2 76:3              child classes to handle load balancing

My bad. It should have looked like this:

           1:               root qdisc
           |
           1:1              child class
          /|\
         / | \
        /  |  \
       /   |   \
    1:76  1:77  1:78...     customer rate limiting classes
     |     |     |
    76:   77:   78:         customer qdiscs
    /|\   ...
   / | \
  /  |  \
 /   |   \
76:1 76:2 76:3              child classes to handle load balancing

I had rewritten the script to use HTBs, yet the same error occurred. That's
when I noticed the problem with the handles. Switching the 2 commands fixed
it.

From e1605projecter at yahoo.com Wed Sep 20 08:41:09 2006
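An added example, not from the thread, modelling Yongle Lai's point about handle namespaces and the two command orders fourcentsshy describes: a toy TcDevice (a hypothetical name) keeps qdiscs by major number only and classes by full id, so replaying the failing sequence reproduces "File exists" while the reordered sequence and Yongle's "handle 2:0" variant both succeed.

```python
"""Toy model of tc's handle namespaces (added example, not from the thread).

tc packs "MAJ:MIN" into 32 bits as (MAJ << 16) | MIN with both fields in hex.
A qdisc is identified by its major number alone, so "handle 1:76" on a qdisc
is the same qdisc id as "1:" and collides with the root qdisc (EEXIST, which
tc prints as "RTNETLINK answers: File exists").  Classes carry both fields
and live in their own table, which is why "classid 1:1" does not collide.
"""

TC_H_MAJ_MASK = 0xFFFF0000
TC_H_MIN_MASK = 0x0000FFFF


def parse_handle(text):
    """Parse 'maj:min', 'maj:' or 'maj' (hex fields, as tc does) into a 32-bit id."""
    maj, _, mnr = text.partition(":")
    return (int(maj, 16) << 16) | (int(mnr, 16) if mnr else 0)


def tc_h_maj(handle):
    """Major part only: all that a qdisc handle consists of."""
    return handle & TC_H_MAJ_MASK


def fmt_handle(handle):
    return f"{handle >> 16:x}:{handle & TC_H_MIN_MASK:x}"


class TcDevice:
    """Hypothetical model of one interface's qdisc and class tables."""

    def __init__(self):
        self.qdiscs = {}   # major id -> kind   (qdisc namespace)
        self.classes = {}  # full 32-bit id -> kind (class namespace)

    def qdisc_add(self, handle, kind, parent=None):
        major = tc_h_maj(parse_handle(handle))   # minor bits are dropped
        if major in self.qdiscs:
            raise FileExistsError(
                f"RTNETLINK answers: File exists (qdisc {fmt_handle(major)} "
                f"already present; '{handle}' has the same major number)")
        if parent is not None and parse_handle(parent) not in self.classes:
            raise FileNotFoundError(f"parent class {parent} does not exist")
        self.qdiscs[major] = kind

    def class_add(self, classid, kind, parent):
        cid = parse_handle(classid)
        if cid in self.classes:
            raise FileExistsError(f"class {classid} already present")
        p = parse_handle(parent)
        # a class belongs to the qdisc with the same major number; its parent
        # is that qdisc ("1:") or another class of it ("1:1")
        if tc_h_maj(cid) != tc_h_maj(p):
            raise ValueError("class major must match its parent's major")
        if p not in self.classes and tc_h_maj(p) not in self.qdiscs:
            raise FileNotFoundError(f"parent {parent} does not exist")
        self.classes[cid] = kind


def replay(commands):
    """Apply (op, handle, parent) tuples in order; None on success, else the error."""
    dev = TcDevice()
    try:
        for op, handle, parent in commands:
            if op == "qdisc":
                dev.qdisc_add(handle, "cbq", parent)
            else:
                dev.class_add(handle, "cbq", parent)
    except OSError as exc:          # FileExistsError / FileNotFoundError
        return str(exc)
    return None


# Constructed replay of the order that failed in the thread ...
FAILING_SEQUENCE = [
    ("qdisc", "1:", None),       # root qdisc 1:
    ("class", "1:1", "1:"),      # class 1:1 (separate namespace, fine)
    ("qdisc", "1:76", "1:1"),    # qdisc "1:76" is qdisc 1: again -> EEXIST
]

# ... and the order that fixed it: customer class first, then its own qdisc.
WORKING_SEQUENCE = [
    ("qdisc", "1:", None),
    ("class", "1:1", "1:"),
    ("class", "1:76", "1:1"),    # customer rate-limiting class
    ("qdisc", "76:", "1:76"),    # customer qdisc gets its own major number
    ("class", "76:1", "76:"),    # child classes for load balancing
]

if __name__ == "__main__":
    print("failing order:", replay(FAILING_SEQUENCE))
    print("working order:", replay(WORKING_SEQUENCE))
```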
From: e1605projecter at yahoo.com (Thossapron Apinyapanha)
Date: Wed Sep 20 08:41:19 2006
Subject: [LARTC] HTB and HFSC, tc command question
Message-ID: <20060920064109.69902.qmail@web35514.mail.mud.yahoo.com>

I have a lot of questions about tc commands because now I'm doing research
to compare performance between HTB and HFSC, so I doubt a lot of things and
your replies are very helpful to me ... my questions are

1. I use open source software (Mastershaper) to help configure traffic
control, but when I try to configure HTB I'm in doubt about this: in each
chain you must identify a fallback service level, and if you don't specify
it, it will be unable to contain pipes. Every traffic, and traffic not
matched in the chain's pipe, can only use the fallback service level. Is
this the true definition in the HTB tc command?? or is it only a creative
function from the developer??
ps. Mastershaper represents an interior class as a pipe and a leaf class as
a chain.

In the HFSC tc command, after I read the HFSC paper, I'm in doubt about the
service curve declaration like this

> | SC := [ [ m1 BPS ] [ d SEC ] m2 BPS
> |
> | m1 : slope of first segment -> umax
> | d : x-coordinate of intersection -> dmax
> | m2 : slope of second segment -> rate

2. Must all leaf classes specify rt (real-time service curve)??? and is it
important to specify sc (service curve) in all leaf classes?? and must all
leaf classes specify link-sharing (ls) too?? because I think, after reading
the HFSC theory, that by default all leaf classes (service classes) will use
the link-sharing criterion for allocating bandwidth from the service curve
(my assumption is that this calculated bandwidth is "m1" or "umax" -> the
total bandwidth that can be sent at ceil rate??) and when the total delay
exceeds "dmax" or "d" -> it means it is time for HFSC to manage QoS to
guarantee bandwidth and delay in each leaf class by using the real-time
criterion, so the bandwidth rate will change to "m2" or the bandwidth rate
that guarantees QoS in each leaf class. Is it true???
I fear I may misunderstand the HFSC theory. For example, in my test lab I
have 3 types of leaf class, such as real-time, data, default. Can I specify
- real-time leaf class -> rt (to guarantee delay and bw), ls (by default when
  not exceeding max delay)
- data leaf class -> ls (by default, and not delay sensitive, so delay is not
  important)

3. I'm in doubt about how to declare ls and ul. In theory it's a type of
service curve not related to the real-time criterion, so delay may not be
important to consider???? Is it true that when declaring, the parameters in
each service curve may be like this?
ls [ umax BPS, rate BPS ]
ul [ umax BPS, rate BPS ]
and is it important to declare all three parameters (umax, dmax, rate)? If
the three parameters are important to setting up traffic control????

4. I tried to search for HFSC command examples; there are a lot of cases but
I'm in doubt about the service curve (sc) declaration, which is sometimes
declared in the root class, the interior class, or the leaf class, so I'm
not sure I understand: ls -> calculates bandwidth for interior classes and
the root class, and rt -> calculates bandwidth for leaf classes, and what
about the service curve (sc)??? Is it specified only in the root class???

5. Is it true?? The root class or interior classes work with only the
link-sharing criterion, so one can specify only link-sharing -> ls(umax,
dmax, rate) and upper limit -> ls(umax, dmax, rate); it's not important to
declare a real-time curve (rt) because in HFSC theory the real-time
criterion is used only in leaf classes.

6. In HFSC, is the upper limit the bandwidth rate that guarantees the
maximum bandwidth rate in each class, like ceil in HTB???

7. I'm in doubt about priority in HFSC. The HFSC paper talks about
supporting priority, but in the HFSC tc command priority is not specified in
each class. So in HFSC, how do you manage class priority like in HTB????

Thank you for all replies, it's very helpful to me, whoever will suggest or
advise me about something I'm misunderstanding.

raku
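An added example, not part of the question above: the two spellings of an HFSC service curve reduced to one piecewise-linear function so that "m1 d m2" and "umax dmax rate" can be compared directly. The umax/dmax/rate conversion follows my reading of iproute2's q_hfsc.c (an assumption, and without its integer rounding), with units of bytes and seconds.

```python
"""HFSC service curves as two-segment lines (added example, not from the thread).

'm1 BPS d SEC m2 BPS' means slope m1 for the first d seconds, then slope m2.
'umax BYTE dmax SEC rate BPS' asks for umax bytes within dmax seconds and
rate afterwards; tc turns it into the same (m1, d, m2) form.  The conversion
below is how I read q_hfsc.c in iproute2 (assumption): the curve is concave
(m1 = umax/dmax) when umax/dmax exceeds rate, otherwise convex with a zero
first slope whose length is shortened so umax is still met at dmax.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceCurve:
    m1: float   # slope of the first segment (bytes/s)
    d: float    # length of the first segment (s)
    m2: float   # slope of the second segment (bytes/s)

    def service(self, t):
        """Bytes the curve promises by time t (piecewise linear in t)."""
        if t <= self.d:
            return self.m1 * t
        return self.m1 * self.d + self.m2 * (t - self.d)


def from_umax_dmax_rate(umax, dmax, rate):
    """Translate 'umax BYTE dmax SEC rate BPS' into m1/d/m2 (assumed tc behaviour)."""
    if rate <= 0:
        raise ValueError("rate must be positive")
    if umax and not dmax:
        raise ValueError("umax given but dmax is zero")
    if dmax and umax / dmax > rate:
        # concave: deliver umax within dmax, then settle at rate
        return ServiceCurve(m1=umax / dmax, d=dmax, m2=rate)
    # convex: rate alone delivers umax before dmax, so the first segment is
    # flat and ends early enough that umax bytes are still served by dmax
    return ServiceCurve(m1=0.0, d=dmax - umax / rate, m2=rate)


def parse_sc(tokens):
    """Parse the tokens after rt/ls/sc/ul in either spelling.

    Plain numbers only (bytes, seconds, bytes/s); tc's unit suffixes such as
    'kbit' or 'ms' are not handled here.
    """
    if len(tokens) % 2:
        raise ValueError("expected key value pairs")
    kv = dict(zip(tokens[0::2], tokens[1::2]))
    if "m2" in kv:
        return ServiceCurve(m1=float(kv.get("m1", 0)), d=float(kv.get("d", 0)),
                            m2=float(kv["m2"]))
    if "rate" in kv:
        return from_umax_dmax_rate(float(kv.get("umax", 0)),
                                   float(kv.get("dmax", 0)), float(kv["rate"]))
    raise ValueError("a service curve needs m2 or rate")


def meets_deadline(curve, umax, dmax, tol=1e-9):
    """True when the curve delivers at least umax bytes by dmax seconds."""
    return curve.service(dmax) + tol >= umax


if __name__ == "__main__":
    # constructed inputs: 1500 bytes within 50 ms, and within 500 ms, at 10 kB/s
    for umax, dmax, rate in ((1500, 0.05, 10_000), (1500, 0.5, 10_000)):
        sc = from_umax_dmax_rate(umax, dmax, rate)
        print(f"umax={umax} dmax={dmax} rate={rate} -> {sc}; "
              f"bytes by dmax: {sc.service(dmax):.0f}")
```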
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060919/ad55059f/attachment.html

From e1605projecter at yahoo.com Wed Sep 20 08:58:51 2006
From: e1605projecter at yahoo.com (Thossapron Apinyapanha)
Date: Wed Sep 20 08:58:56 2006
Subject: [LARTC] how to create "burst traffic"
Message-ID: <20060920065851.52312.qmail@web35507.mail.mud.yahoo.com>

Can somebody advise me about how to create burst traffic? The two types are
1. ICMP burst traffic (I need to create general and normal data burst
traffic but I don't have any idea how to do it)
2. Real-time traffic (I think it may be created by opening real-time
streaming with a big file from a real-time server, but I'm not sure it will
work!)

thank you

raku

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060919/4ff5f93f/attachment.htm

From dor at ldc.net Wed Sep 20 09:12:42 2006
From: dor at ldc.net (Dmytro O. Redchuk)
Date: Wed Sep 20 09:12:49 2006
Subject: [LARTC] how to create "burst traffic"
In-Reply-To: <20060920065851.52312.qmail@web35507.mail.mud.yahoo.com>
References: <20060920065851.52312.qmail@web35507.mail.mud.yahoo.com>
Message-ID: <20060920071242.GF30122@ldc.net>

On Tue, Sep 19, 2006 at 11:58:51PM -0700, Thossapron Apinyapanha wrote:
> Can somebody advise me about
> how to create burst traffic? The two types are
> 1. ICMP burst traffic (I need to create general and normal data burst traffic but I don't have any idea how to do it)
> 2. Real-time traffic (I think it may be created by opening real-time streaming with a big file from a real-time server, but I'm not sure it will work!)
Try packETH

>
> thank you
>
> raku

--
  _,-=._              /|_/|
  `-.}   `=._,.-=-._.,  @ @._,
     `._ _,-.   )      _,.-'
        `    G.m-"^m`m'
Dmytro O. Redchuk
XMMS: Frederic Chopin - Ballade No. 4 in f minor, Op. 52

From alex at zoomnet.ro Wed Sep 20 09:57:30 2006
From: alex at zoomnet.ro (Alexandru Dragoi)
Date: Wed Sep 20 09:57:41 2006
Subject: [LARTC] how to setup massive traffic shaping? (2 class B nets)
In-Reply-To:
References:
Message-ID: <4510F46A.5040304@zoomnet.ro>

Тимур Сафин wrote:
> Hello
> I have 2 class-B networks (172.22.0.0/16 and 172.23.0.0/16, over 130k
> of ip's) and need to setup
> traffic tbf shapers with 64kb/s for each ip from 172.22.0.0/16 and
> 128kb/s for each ip from 172.23.0.0/16
> just read lartc and don't understand how to use u32 for decreasing
> number of rules and hashing
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

First you need imq. This is because you can't have more than 65536 classes.
Having 8 imqs you will be able to use 4 for download and 4 for upload.
However, you will tell us if the machine will support everything :). So you
will divide the big class /15 into 4 classes /17

iptables -t mangle -A POSTROUTING -o $clients_eth -d 172.22.0.0/17 -j IMQ --todev 0

and:

tc qdisc add dev imq0 root handle 1: htb #Or whatever you use
tc class add dev imq0 parent 1: classid 1:f000 htb rate 620mbit #or whatever ...

tc filter add dev imq0 parent 1: protocol ip prio 5 handle 0: u32 divisor 128
tc filter add dev imq0 parent 1: prio 5 u32 ht 800:: match ip dst 172.22.0.0/17 hashkey mask 0x00007f00 at 16 link 0:

for i in `seq 0 127` ; do
	div=`printf "%x" $i`
	let j=$i+1
	tc filter add dev imq0 parent 1: prio 5 u32 ht 0:$div: match ip dst 172.22.$i.0/24 hashkey mask 0x000000ff at 16 link $j:
	for q in `seq 0 255`; do
		d=`printf "%x" $q`
		clsid=$[$i*256+$q]
		tc class add dev imq0 parent 1: classid 1:$clsid htb rate 128kbit
		tc filter add dev imq0 parent 1: prio 5 u32 ht $j:$d match ip dst 172.22.$i.$q flowid 1:$clsid
	done
done

I hope I'm not missing something. For 172.22.128.0/17, instead of 172.22.$i
you will have 172.22.$[$i+128]
On other imq of course.
For upload you just change dst with src, and "at 16" into "at 12"

I'm really curious how it will work :D and how much it will take to run it.

From alex at zoomnet.ro Wed Sep 20 10:09:14 2006
From: alex at zoomnet.ro (Alexandru Dragoi)
Date: Wed Sep 20 10:09:20 2006
Subject: [LARTC] how to setup massive traffic shaping? (2 class B nets)
In-Reply-To: <4510F46A.5040304@zoomnet.ro>
References: <4510F46A.5040304@zoomnet.ro>
Message-ID: <4510F72A.2090009@zoomnet.ro>

Instead of

tc class add dev imq0 parent 1: classid 1:$clsid htb rate 128kbit

Use

tc class add dev imq0 parent 1:f000 classid 1:$clsid htb rate 128kbit

From mlistz at gmail.com Wed Sep 20 11:50:18 2006
From: mlistz at gmail.com (Zhuang Yuyao)
Date: Wed Sep 20 11:50:24 2006
Subject: [LARTC] [HELP] Multicast over GRE tunnel
In-Reply-To: <4504D21E.70800@gmail.com>
References: <4504D21E.70800@gmail.com>
Message-ID: <45110EDA.1040608@gmail.com>

Hi,

I sent this mail to this list several days ago but got no answer. Any help
will be appreciated.

Zhuang Yuyao wrote:
> Hi,
>
> I got a problem similar to this one
> (http://mailman.ds9a.nl/pipermail/lartc/2005q4/017614.html), the GRE
> tunnel can forward normal IP packets such as ICMP but fails to tunnel
> multicast traffic.
>
> Here's the setup:
>
>                    192.168.20.0/24
> LAN-A--------------RtrA-------------RtrB--------------LAN-B
> 192.168.50.0/24                                 192.168.60.0/24
>
> RtrA interfaces:
> eth0 192.168.20.100
> eth1 192.168.50.1
>
> HOSTA in LAN-A
> eth0 192.168.50.250
>
> RtrB interfaces:
> eth0 192.168.20.98
> eth1 192.168.60.1
>
> HOSTB in LAN-B
> eth0 192.168.60.250
>
> Here is the setup script on RtrB:
>
> #!/bin/sh
>
> END_L=192.168.20.98
> END_R=192.168.20.100
> GRE_L=10.0.0.4
> GRE_R=10.0.0.3
> MGROUP=224.0.55.55
> SUBNET_R=192.168.50.0/24
>
> /usr/sbin/iptables -F
> /usr/sbin/iptables -F -t nat
> /usr/sbin/iptables -P FORWARD ACCEPT
>
> ip tunnel del gretun
> ip tunnel add gretun mode gre remote $END_R local $END_L ttl 255
> ip link set gretun up multicast on
> ip addr add $GRE_L peer $GRE_R/24 dev gretun
>
> ip route del $SUBNET_R via $GRE_R
> ip route add $SUBNET_R via $GRE_R
>
> /usr/sbin/smcroute -k
> /usr/sbin/smcroute -d
> sleep 3
> /usr/sbin/smcroute -a eth1 192.168.60.250 $MGROUP gretun
> /usr/sbin/smcroute -j gretun $MGROUP
>
> and the setup script on RtrA:
> #!/bin/sh
>
> END_L=192.168.20.100
> END_R=192.168.20.98
> GRE_L=10.0.0.3
> GRE_R=10.0.0.4
> MGROUP=224.0.55.55
> SUBNET_R=192.168.60.0/24
>
> /usr/s­bin/iptables -F
> /usr/sbin/iptables -F -t nat
> /usr/sbin/iptables -P FORWARD ACCEPT
>
> ip tunnel del gretun
> ip tunnel add gretun mode gre remote $END_R local $END_L ttl 255
> ip link set gretun up multicast on
> ip addr add $GRE_L peer $GRE_R/24 dev gretun
>
> ip route del $SUBNET_R via $GRE_R
> ip route add $SUBNET_R via $GRE_R
>
> /usr/sbin/smcroute -k
> /usr/sbin/smcroute -d
> sleep 3
> /usr/sbin/smcroute -a gretun 192.168.60.250 $MGROUP eth0
> /usr/sbin/smcroute -j gretun $MGROUP
>
> On RtrB (while running #ping 192.168.50.250 on HOSTB):
> /usr/sbin/tcpdump -i eth0 -n
> 10:46:21.470623 IP 192.168.20.98 > 192.168.20.100: GREv0, length 88: IP 192.168.60.250 > 192.168.50.250: ICMP echo request, id 44558, seq 1, length 64
> 10:46:21.476843 IP 192.168.20.100 > 192.168.20.98: GREv0, length 88: IP 192.168.50.250 > 192.168.60.250: ICMP echo reply, id 44558, seq 1, length 64
> 10:46:22.487867 IP 192.168.20.98 > 192.168.20.100: GREv0, length 88: IP 192.168.60.250 > 192.168.50.250: ICMP echo request, id 44558, seq 2, length 64
> 10:46:22.491629 IP 192.168.20.100 > 192.168.20.98: GREv0, length 88: IP 192.168.50.250 > 192.168.60.250: ICMP echo reply, id 44558, seq 2, length 64
> 10:46:23.473064 IP 192.168.20.98 > 192.168.20.100: GREv0, length 88: IP 192.168.60.250 > 192.168.50.250: ICMP echo request, id 44558, seq 3, length 64
> 10:46:23.473711 IP 192.168.20.100 > 192.168.20.98: GREv0, length 88: IP 192.168.50.250 > 192.168.60.250: ICMP echo reply, id 44558, seq 3, length 64
> 10:46:24.452719 IP 192.168.20.98 > 192.168.20.100: GREv0, length 88: IP 192.168.60.250 > 192.168.50.250: ICMP echo request, id 44558, seq 4, length 64
> 10:46:24.453209 IP 192.168.20.100 > 192.168.20.98: GREv0, length 88: IP 192.168.50.250 > 192.168.60.250: ICMP echo reply, id 44558, seq 4, length 64
> 10:46:25.470861 IP 192.168.20.98 > 192.168.20.100: GREv0, length 88: IP 192.168.60.250 > 192.168.50.250: ICMP echo request, id 44558, seq 5, length 64
> 10:46:25.478632 IP 192.168.20.100 > 192.168.20.98: GREv0, length 88: IP 192.168.50.250
> 192.168.60.250: ICMP echo reply, id 44558, seq 5, length 64
>
> As you can see, the ICMP packets are encapsulated by the GRE tunnel.
>
> Now I started to run a multicast test by running "iperf -c 224.0.55.55
> -u -T 32 -t 1000 -i 1" on HOSTB
> On RtrB:
> /usr/sbin/tcpdump -i eth0 -n
> /usr/sbin/tcpdump -i gretun -n
> both captured nothing !!!
>
> I am really confused. Any help will be appreciated!
>
> Thanks very much!
>
> Best regards,
>
> Zhuang Yuyao
>
>

From chaitanya at rocsys.com Wed Sep 20 12:35:29 2006
From: chaitanya at rocsys.com (chaitanya)
Date: Wed Sep 20 12:20:35 2006
Subject: [LARTC] Doubts regarding classifiers available.
Message-ID: <1158748527.4559.9.camel@Krishna>

Hi,

I am a newbie working on the tc tool. I want to know whether we have the
following classifiers available:
(1) source MAC address.
(2) destination MAC address.
(3) IEEE 802.1D user priority.
(4) Ethertype (IEEE 802.3, 1998 Length/Type Field).
Can anyone help me in finding the help for the above classifiers.

Thanks in advance
Krishna Chaitanya

From alex at zoomnet.ro Wed Sep 20 14:03:15 2006
From: alex at zoomnet.ro (Alexandru Dragoi)
Date: Wed Sep 20 14:03:22 2006
Subject: [LARTC] how to setup massive traffic shaping? (2 class B nets)
In-Reply-To:
References: <4510F46A.5040304@zoomnet.ro>
Message-ID: <45112E03.7030209@zoomnet.ro>

Тимур Сафин wrote:
> Hello!
> yes, I know about 65000 rules and just add third interface to server. )
> what about
> tc filter add dev imq0 parent 1: prio 5 u32 ht 800:: match ip dst
> 172.22.0.0/17 hashkey mask 0x00007f00 at 16 link 0: ?
> shouldn't hashkey mask be 0x00007fff instead of 0x00007f00 ?
> and if it should be 0x00007f00 how do you calculate it?
>
>
> 2006/9/20, Alexandru Dragoi :
>> Тимур Сафин wrote:
>> > Hello
>> > I have 2 class-B networks (172.22.0.0/16 and 172.23.0.0/16, over 130k
>> > of ip's) and need to setup
>> > traffic tbf shapers with 64kb/s for each ip from 172.22.0.0/16 and
>> > 128kb/s for each ip from 172.23.0.0/16
>> > just read lartc and don't understand how to use u32 for decreasing
>> > number of rules and hashing
>> First you need imq. This because you can't have more than 65536 classes.
>> Having 8 imqs you will be able to use 4 for download and 4 for upload.
>> However You will tell us if the machine will support everything :). So
>> you will divide the big class /15 into 4 classes /17
>>
>> iptables -t mangle -A POSTROUTING -o $clients_eth -d 172.22.0.0/17 -j
>> IMQ --todev 0
>>
>> and:
>>
>> tc qdisc add dev imq0 root handle 1: htb #Or whatever you use
>> tc class add dev imq0 parent 1: classid 1:f000 htb rate 620mbit #or
>> whatever ...
>>
>>
>> tc filter add dev imq0 parent 1: protocol ip prio 5 handle 0: u32
>> divisor 128
>> tc filter add dev imq0 parent 1: prio 5 u32 ht 800:: match ip dst
>> 172.22.0.0/17 hashkey mask 0x00007f00 at 16 link 0:
>>
>> for i in `seq 0 127` ; do
>> div=`printf "%x" $i`
>> let j=$i+1
>> tc filter add dev imq0 parent 1: prio 5 u32 ht 0:$div: match ip dst
>> 172.22.$i.0/24 hashkey mask 0x000000ff at 16 link $j:
>> for q in `seq 0 255`; do
>> d=`printf "%x" $q`
>> clsid=$[$i*256+$q]
>> tc class add dev imq0 parent 1: classid 1:$clsid htb rate 128kbit
>> tc filter add dev imq0 parent 1: prio 5 u32 ht $j:$d match ip dst
>> 172.22.$i.$q flowid 1:$clsid
>> done
>> done
>>
>> I hope i'm not missing something. For 172.22.128.0/17, instead of
>> 172.22.$i you will have 172.22.$[$i+128]
>> On other imq of course. For upload you just change dst with src, and "at
>> 16" into "at 12"
>>
>>
>> I'm really curious how it will work :D and how much it will take to
>> run it.
>>
>>
>>

Also, before:

tc filter add dev imq0 parent 1: prio 5 u32 ht 0:$div: match ip dst 172.22.$i.0/24 hashkey mask 0x000000ff at 16 link $j:

Add line:

tc filter add dev imq0 parent 1: protocol ip prio 5 handle $j: u32 divisor 256

Now, you need both download and upload, so maybe upload goes via a single
card. Also the maximum divisor is 256, so a mask should have only 8 bits set
to 1. And 0x00007f00 will match only the last 7 bits of the 3rd number of an
ip address. So ip 172.22.45.2 will go, considering the hashkey mask, to
entry (45 & 0x7f), then represented in hex, which is 0x23. The & means
bitwise and, just how the hashkey algorithm works. Applying that mask to ip
172.22.173.8 will also generate 0x23. For more about these you have to do
some binary operations. Means you will run the for loop for i in `seq 128
255`.

From safin.timur at gmail.com Wed Sep 20 14:52:24 2006
From: safin.timur at gmail.com (Тимур Сафин)
Date: Wed Sep 20 14:52:31 2006
Subject: [LARTC] how to setup massive traffic shaping? (2 class B nets)
In-Reply-To: <45112E03.7030209@zoomnet.ro>
References: <4510F46A.5040304@zoomnet.ro> <45112E03.7030209@zoomnet.ro>
Message-ID:

Hello, Alexandru
I just adapted your script for the class B net, is it correct?

tc qdisc add dev eth0 root handle 1: htb
tc class add dev eth0 parent 1: classid 1:f000 htb rate 620mbit

tc filter add dev eth0 parent 1: protocol ip prio 5 handle 0: u32 divisor 256
tc filter add dev eth0 parent 1: prio 5 u32 ht 800:: match ip dst 172.26.0.0/16 hashkey mask 0x0000ff00 at 16 link 0:

for i in `seq 0 255` ; do
	div=`printf "%x" $i`
	let j=$i+1
	tc filter add dev eth0 parent 1: protocol ip prio 5 handle $j: u32 divisor 256
	tc filter add dev eth0 parent 1: prio 5 u32 ht 0:$div: match ip dst 172.26.$i.0/24 hashkey mask 0x000000ff at 16 link $j:
	for q in `seq 0 255` ; do
		d=`printf "%x" $q`
		clsid=$[$i*256+$q]
		tc class add dev eth0 parent 1:f000 classid 1:$clsid htb rate 64kbit
		tc filter add dev eth0 parent 1: prio 5 u32 ht $j:$d match ip dst 172.26.$i.$q flowid 1:$clsid
	done
done

2006/9/20, Alexandru Dragoi :
> Тимур Сафин wrote:
> > Hello!
> > yes, I know about 65000 rules and just add third interface to server. )
> > what about
> > tc filter add dev imq0 parent 1: prio 5 u32 ht 800:: match ip dst
> > 172.22.0.0/17 hashkey mask 0x00007f00 at 16 link 0: ?
> > shouldn't hashkey mask be 0x00007fff instead of 0x00007f00 ?
> > and if it should be 0x00007f00 how do you calculate it?
> >
> >
> > 2006/9/20, Alexandru Dragoi :
> >> Тимур Сафин
> >> wrote:
> >> > Hello
> >> > I have 2 class-B networks (172.22.0.0/16 and 172.23.0.0/16, over 130k
> >> > of ip's) and need to setup
> >> > traffic tbf shapers with 64kb/s for each ip from 172.22.0.0/16 and
> >> > 128kb/s for each ip from 172.23.0.0/16
> >> > just read lartc and don't understand how to use u32 for decreasing
> >> > number of rules and hashing
> >> First you need imq. This because you can't have more than 65536 classes.
> >> Having 8 imqs you will be able to use 4 for download and 4 for upload.
> >> However You will tell us if the machine will support everything :). So
> >> you will divide the big class /15 into 4 classes /17
> >>
> >> iptables -t mangle -A POSTROUTING -o $clients_eth -d 172.22.0.0/17 -j
> >> IMQ --todev 0
> >>
> >> and:
> >>
> >> tc qdisc add dev imq0 root handle 1: htb #Or whatever you use
> >> tc class add dev imq0 parent 1: classid 1:f000 htb rate 620mbit #or
> >> whatever ...
> >>
> >>
> >> tc filter add dev imq0 parent 1: protocol ip prio 5 handle 0: u32
> >> divisor 128
> >> tc filter add dev imq0 parent 1: prio 5 u32 ht 800:: match ip dst
> >> 172.22.0.0/17 hashkey mask 0x00007f00 at 16 link 0:
> >>
> >> for i in `seq 0 127` ; do
> >> div=`printf "%x" $i`
> >> let j=$i+1
> >> tc filter add dev imq0 parent 1: prio 5 u32 ht 0:$div: match ip dst
> >> 172.22.$i.0/24 hashkey mask 0x000000ff at 16 link $j:
> >> for q in `seq 0 255`; do
> >> d=`printf "%x" $q`
> >> clsid=$[$i*256+$q]
> >> tc class add dev imq0 parent 1: classid 1:$clsid htb rate 128kbit
> >> tc filter add dev imq0 parent 1: prio 5 u32 ht $j:$d match ip dst
> >> 172.22.$i.$q flowid 1:$clsid
> >> done
> >> done
> >>
> >> I hope i'm not missing something. For 172.22.128.0/17, instead of
> >> 172.22.$i you will have 172.22.$[$i+128]
> >> On other imq of course.
For upload you just change dst with src, and "at > >> 16" into "at 12" > >> > >> > >> I'm really curious how it will work :D and how much it will take to > >> run it. > >> > >> > >> > Also, before: > > tc filter add dev imq0 parent 1: prio 5 u32 ht 0:$div: match ip dst > 172.22.$i.0/24 hashkey mask 0x000000ff at 16 link $j: > > Add line: > > tc filter add dev imq0 parent 1: protocol ip prio 5 handle $j: u32 > divisor 256 > > Now, you need both download and upload, so maybe upload goes via a > single card. Also the maximum number of divisor is 256, so a mask should > have only 8 bits set to 1. And 0x00007f00 will match only the last 7 > bits on 3rd number on an ip address. So ip 172.22.45.2 will go, > considering the hashkey mask, to entry (45 & 0x7f), then represented in > hex, which is 0x23. The & means bitwise and, just how hashkey algoritm > works. Applying the that mask to ip 172.22.173.8 will also generate > 0x23. More about these you have to do some binary operations. Means you > will run the for loop for i in `seq 128 255`. > From alex at zoomnet.ro Wed Sep 20 15:01:09 2006 From: alex at zoomnet.ro (Alexandru Dragoi) Date: Wed Sep 20 15:01:16 2006 Subject: [Fwd: Re: [LARTC] how to setup massive traffic shaping? (2 class B nets)] Message-ID: <45113B95.1080400@zoomnet.ro> -------------- next part -------------- An embedded message was scrubbed... From: Alexandru Dragoi Subject: Re: [LARTC] how to setup massive traffic shaping? (2 class B nets) Date: Wed, 20 Sep 2006 16:00:29 +0300 Size: 5708 Url: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060920/5723a6fb/LARTChowtosetupmassivetrafficshaping2classBnets.mht From nnn at vsu.by Wed Sep 20 16:06:15 2006 
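The hash-bucket arithmetic Alexandru walks through above, and the per-/24 table layout of both scripts, as an added shell example that is not code from the thread; it assumes the bucket rule of the kernel's cls_u32 fold, and the function and parameter names are mine.

```shell
#!/bin/bash
# Added example, not code from the thread: bucket arithmetic and a dry-run
# generator for the u32 hash-table layout in Alexandru's and Timur's scripts.
# Nothing here runs tc; the functions only compute and print.
#
# Bucket rule assumed from the kernel's cls_u32 fold:
#   bucket = ((dst_word & mask) >> trailing_zeros(mask)) & (divisor - 1)
# With a mask confined to one octet, as the thread recommends, this is just
# "masked octet mod divisor", which is how the thread reasons about it.

# ip4_to_word A.B.C.D -> the address as a decimal 32-bit integer
ip4_to_word() {
    local a b c d
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# trailing_zeros MASK -> how far the kernel shifts the masked key right
trailing_zeros() {
    local m=$(( $1 )) n=0
    [ "$m" -eq 0 ] && { echo 0; return 0; }
    while [ $(( m & 1 )) -eq 0 ]; do
        m=$(( m >> 1 )); n=$(( n + 1 ))
    done
    echo "$n"
}

# popcount MASK -> number of set bits. The thread's rule: at most 8, since
# the largest divisor is 256 and only 8 bits of bucket index exist.
popcount() {
    local m=$(( $1 )) n=0
    while [ "$m" -ne 0 ]; do
        n=$(( n + (m & 1) )); m=$(( m >> 1 ))
    done
    echo "$n"
}

# u32_bucket IP MASK DIVISOR -> bucket in hex, as "ht TABLE:BUCKET:" takes it
u32_bucket() {
    local word mask div sh
    word=$(ip4_to_word "$1"); mask=$(( $2 )); div=$3
    sh=$(trailing_zeros "$mask")
    printf '%x\n' $(( ((word & mask) >> sh) & (div - 1) ))
}

# gen_subnet_filters DEV NET2 TOP I J RATE
# Prints the tc lines for 172.NET2.I.0/24: the per-/24 table J (the
# "handle $j: u32 divisor 256" line Alexandru said was missing), the link
# from bucket I of table TOP, and one class plus one filter per host.
# Class ids are printed in hex because tc reads the minor part of a classid
# as hex, so the decimal $[$i*256+$q] in the thread's script does not name
# the class its author expects (and any five-digit decimal value is
# rejected as out of range). Minor 0 is the qdisc itself, so the
# 172.NET2.0.0 entry is skipped. For a /17 the hex ids stay below 1:8000;
# a full /16 would also need 1:0 and the parent's 1:f000, which is the
# 65536-class ceiling Alexandru mentions.
gen_subnet_filters() {
    local dev=$1 n2=$2 top=$3 i=$4 j=$5 rate=$6
    local div q d clsid
    div=$(printf '%x' "$i")
    echo "tc filter add dev $dev parent 1: protocol ip prio 5 handle $j: u32 divisor 256"
    echo "tc filter add dev $dev parent 1: prio 5 u32 ht $top:$div: match ip dst 172.$n2.$i.0/24 hashkey mask 0x000000ff at 16 link $j:"
    q=0
    while [ "$q" -le 255 ]; do
        d=$(printf '%x' "$q")
        clsid=$(printf '%x' $(( i * 256 + q )))
        if [ "$clsid" != "0" ]; then
            echo "tc class add dev $dev parent 1:f000 classid 1:$clsid htb rate $rate"
            echo "tc filter add dev $dev parent 1: prio 5 u32 ht $j:$d match ip dst 172.$n2.$i.$q flowid 1:$clsid"
        fi
        q=$(( q + 1 ))
    done
}

# Demonstration: the two addresses from the thread share one bucket under
# mask 0x00007f00, 0x00007fff sets too many bits, and the first lines of
# one /24's rules.
for ip in 172.22.45.2 172.22.173.8; do
    echo "$ip -> bucket 0x$(u32_bucket "$ip" 0x00007f00 128)"
done
echo "bits set in 0x00007fff: $(popcount 0x00007fff)"
gen_subnet_filters imq0 22 0 45 46 128kbit | sed -n '1,4p'
```

Both 172.22.45.2 and 172.22.173.8 land in bucket 45 & 0x7f, which prints as 0x2d; the 0x00007fff mask sets 15 bits, more than a 256-way divisor can index.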
From: nnn at vsu.by (Nikolay Nikolaev) Date: Wed Sep 20 16:05:51 2006 Subject: [LARTC] interactive traffic Message-ID: <45114AD7.4060605@vsu.by> Hi all. I configure my shaper with tc help, for it I use HTB, ESFQ and IMQ for ingress traffic. all users work through NAT, all traffic separate honestly between users, but I have one problem - interactive traffic (i.e. view HTML pages), when somebody download anything HTML pages opening very slowly... What can do I, to correct this problem??? P.S. all users (their http traffic) I mark with iptables, and put it all in one class with ESFQ qdisc with hash type fwmark (for egress) and dst (for ingress) Thank you all. From maurizio.gladioro at gmail.com Wed Sep 20 16:08:10 2006 
From: maurizio.gladioro at gmail.com (Maurizio Gladioro) Date: Wed Sep 20 16:08:12 2006 Subject: [LARTC] Ipp2p with connmark Message-ID: <4ad400c20609200708k30855090l6b77d03da0575fe4@mail.gmail.com> Hi, I want to classify with ipp2p packets that I've captured with tcpdump. I send the packets with tcpreply. I had to create a bridge interface in order to enable the listening interface in promiscous mode and to classify the traffic mirrored to that. In this mode the traffic pass through the prerouting chain of the mangle table (on bridge). I want to used connmark for recognized flows, and I see the rules for iptables in the site of ipp2p. These are the four rules: 01# iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark 02# iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT 03# iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 1 04# iptables -t mangle -A PREROUTING -p tcp -m mark --mark 1 -j CONNMARK --save-mark But the flows that pass throught bridge are not recognized, the packets are mark in the third rule but no packets are accepted by second rule. Connmark can mark flow that cross a bridge ethernet port in promisc mode? Thank you very much, regards, Maurizio Gladioro. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060920/8af17abd/attachment.htm From simonl at parknet.dk Wed Sep 20 23:30:39 2006 
From: simonl at parknet.dk (Simon Lodal)
Date: Wed Sep 20 23:30:47 2006
Subject: [LARTC] how to setup massive traffic shaping? (2 class B nets)
In-Reply-To:
References:
Message-ID: <200609202330.39190.simonl@parknet.dk>

If you use HTB, you need to compile it with HTB_HSIZE set to at least 256 (in sch_htb.c). Else your CPU will be fully loaded with even a few kpps traffic. The problem is how HTB stores the classes, not very efficient when there are thousands of them. I do not know if other qdiscs have the same problem.

I am working on a better patch for that, but it is not ready yet.

Regards,
Simon

On Tuesday 19 September 2006 13:42, Timur Safin wrote:
> Hello
> I have 2 class-B networks (172.22.0.0/16 and 172.23.0.0/16, over 130k
> of ip's) and need to setup
> traffic tbf shapers with 64kb/s for each ip from 172.22.0.0/16 and
> 128kb/s for each ip from 172.23.0.0/16
> just read lartc and don't understand how to use u32 for decreasing
> number of rules and hashing
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From Yongle_Lai at pmc-sierra.com Thu Sep 21 03:31:17 2006
From: Yongle_Lai at pmc-sierra.com (Yongle Lai) Date: Thu Sep 21 03:31:29 2006 Subject: [LARTC] RE: Doubts regarding classifiers available Message-ID: <11276430CDF33142AE0DB4B33845FF76A0D644@sjc1exm06.pmc-sierra.bc.ca> Hi Krishna, 1) If you want to classify according to MAC address, you could use iptables to mark the packet (using MARK target), but just source MAC is available for now. 2) Usually tc just could classify by fields of IP layer and its sublayer, so I think classify by ethertype is unavailable. 3) VLAN tag belongs to MAC layer! I'm not sure how to QoS for VLAN, can anybody give some advice? Bests, Yongle Lai Hi, I am a newbie working on tc tool, i want to know whether we have the following classifiers available (1) source MAC address. (2) destination MAC address. (3) IEEE 802.1D user priority. (4) Ethertype (IEEE 802.3, 1998 Length/Type Field). Can any one help me in finding the help for the above classifiers. Thanks in advance Krishna Chaitanya From J.Kraaijeveld at Askesis.nl Thu Sep 21 08:10:57 2006 From: J.Kraaijeveld at Askesis.nl (Joost Kraaijeveld) Date: Thu Sep 21 08:11:06 2006 Subject: [LARTC] (simple?) iptables question Message-ID: <1158819057.361.14.camel@panoramix> Hi, I have a router that should do routing between 2 networks for a network *except* if the destination is a private network *and* the source is a specific machine, in which case it has to NAT. I thought that this would do the trick: .... iptables -A POSTROUTING -s 10.20.1.0/24 -d 192.168.0.0/16 -j RETURN iptables -A POSTROUTING -s 10.20.1.1 -o eth1 -j SNAT --to-source 172.16.0.1 .... But this does not seem to work: there is never any NAT: the packets are just routed and not NAT-ed if I ping to a non 192.168.0.0/24 address. How can I achieve what I want??? TIA -- Groeten, Joost Kraaijeveld Askesis B.V. Molukkenstraat 14 6524NB Nijmegen tel: 024-3888063 / 06-51855277 fax: 024-3608416 web: www.askesis.nl From J.Kraaijeveld at Askesis.nl Thu Sep 21 08:18:43 2006 
From: J.Kraaijeveld at Askesis.nl (Joost Kraaijeveld) Date: Thu Sep 21 08:18:50 2006 Subject: [LARTC] (simple?) iptables question In-Reply-To: <1158819057.361.14.camel@panoramix> References: <1158819057.361.14.camel@panoramix> Message-ID: <1158819523.361.17.camel@panoramix> On Thu, 2006-09-21 at 08:10 +0200, Joost Kraaijeveld wrote: > I thought that this would do the trick: > > .... > iptables -A POSTROUTING -s 10.20.1.0/24 -d 192.168.0.0/16 -j RETURN > iptables -A POSTROUTING -s 10.20.1.1 -o eth1 -j SNAT --to-source 172.16.0.1 I forgot the -t nat in the commands above. -- Groeten, Joost Kraaijeveld Askesis B.V. Molukkenstraat 14 6524NB Nijmegen tel: 024-3888063 / 06-51855277 fax: 024-3608416 web: www.askesis.nl From indunil75 at gmail.com Thu Sep 21 11:16:34 2006 From: indunil75 at gmail.com (Indunil Jayasooriya) Date: Thu Sep 21 11:16:41 2006 Subject: [LARTC] Fwd: Is there a way to divide one link in to two ? In-Reply-To: <7ed6b0aa0609200403o22edaf5cq426dc0fda8efd7a9@mail.gmail.com> References: <7ed6b0aa0609200403o22edaf5cq426dc0fda8efd7a9@mail.gmail.com> Message-ID: <7ed6b0aa0609210216u4e5fc1b9va9dc419812edee59@mail.gmail.com> Hi, I want to know is there a way to divide a link in to two? Below is what I need? I have a 64 k link. I want to reserve 32 k for mail and 32 k for web . That means dividing 64 k link in to two for mail and web. Is it possible in Linux? Can iproute or iptables haddle this situation ? or can any other pkg do it? -- Thank you Indunil Jayasooriya -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060921/f2c63f04/attachment.html From geraldhuet at yahoo.fr Thu Sep 21 15:22:33 2006 
From: geraldhuet at yahoo.fr (gerald HUET) Date: Thu Sep 21 15:22:52 2006 Subject: [LARTC] layer7 http Message-ID: <20060921132233.18024.qmail@web26507.mail.ukl.yahoo.com> hello, I try to use layer7 filter to classify packets. I have a proble with http match. This protocol seems to work well with l7-filter (http://l7-filter.sourceforge.net/protocols) but for me nothing is filtering in http class. Someone can help me ? Here is my script : #!/bin/bash IPT_BIN=/sbin/iptables TC_BIN=/sbin/tc INTER_OUT=ppp0 LINK_RATE_UP=1000Kbit RATE_ACK=200Kbit RATE_DEFAULT=100Kbit RATE_12=12Kbit RATE_13=13Kbit RATE_14=14Kbit NB_filtre_12=1 NB_filtre_13=2 NB_filtre_14=4 PROTO_12_1=http PROTO_13_1=skypeout PROTO_13_2=skypetoskype PROTO_14_1=edonkey PROTO_14_2=gnutella PROTO_14_3=applejuice PROTO_14_4=bittorrent # Delete all qdisc on $INTER_IN and $INTER_OUT $TC_BIN qdisc del dev $INTER_IN root 2> /dev/null > /dev/null $TC_BIN qdisc del dev $INTER_IN ingress 2> /dev/null > /dev/null $TC_BIN qdisc del dev $INTER_OUT root 2> /dev/null > /dev/null $TC_BIN qdisc del dev $INTER_OUT ingress 2> /dev/null > /dev/null # Delete magle's rules $IPT_BIN -t mangle -F $IPT_BIN -t mangle -X $IPT_BIN -t mangle -Z ######################## # TC Rules ######################## # initRules $TC_BIN qdisc add dev $INTER_OUT handle 1: root htb default 1 $TC_BIN class add dev $INTER_OUT parent 1: classid 1:1 htb rate $LINK_RATE_UP $TC_BIN filter add dev $INTER_OUT parent 1:0 protocol all u32 match u32 0 0 classid 1:1 ## BuildInChains $TC_BIN class add dev $INTER_OUT parent 1:1 classid 1:11 htb rate $LINK_RATE_UP ceil $LINK_RATE_UP quantum 1532 NUM_file=12 NB_class=$NB_file while [ $NB_class -ge 0 ] do PRIO=$((5-$NB_class)) case $NUM_file in 12) RATE_PIPE=$RATE_12 ;; 13) RATE_PIPE=$RATE_13 ;; 14) RATE_PIPE=$RATE_14 ;; esac $TC_BIN class add dev $INTER_OUT parent 1:11 classid 1:$NUM_file htb rate $RATE_PIPE ceil $LINK_RATE_UP prio $PRIO quantum 1532 $TC_BIN qdisc add dev $INTER_OUT handle $NUM_file: parent 
1:$NUM_file sfq NUM_file=$(($NUM_file + 1)) NB_class=$(($NB_class - 1)) done ## default pipe $TC_BIN class add dev $INTER_OUT parent 1:11 classid 1:199 htb rate $RATE_DEFAULT ceil $LINK_RATE_UP prio 4 quantum 1532 $TC_BIN qdisc add dev $INTER_OUT handle 199: parent 1:199 sfq #################### # iptables rules #################### # # initRules $IPT_BIN -t mangle -N ms-all $IPT_BIN -t mangle -N ms-all-chains $IPT_BIN -t mangle -N ms-prerouting $IPT_BIN -t mangle -A PREROUTING -j ms-prerouting $IPT_BIN -t mangle -A ms-prerouting -j CONNMARK --restore-mark $IPT_BIN -t mangle -A FORWARD -o $INTER_OUT -j ms-all $IPT_BIN -t mangle -A POSTROUTING -o $INTER_OUT -j ms-all-chains # buildInChains $IPT_BIN -t mangle -N ms-chain-$INTER_OUT-1:11 $IPT_BIN -t mangle -A ms-all-chains -m connmark --mark 0xc0ed4017 -j ms-chain-$INTER_OUT-1:11 $IPT_BIN -t mangle -A ms-all -o $INTER_OUT -j ms-chain-$INTER_OUT-1:11 NUM_file=12 while [ $NB_file -ge 0 ] do while [ $((NB_filtre_$NUM_file)) -ge 1 ] do case $NUM_file in 12) case $NB_filtre_12 in 1) $IPT_BIN -t mangle -A ms-chain-$INTER_OUT-1:11 -m layer7 --l7proto $PROTO_12_1 -j CLASSIFY --set-class 1:$NUM_file $IPT_BIN -t mangle -A ms-chain-$INTER_OUT-1:11 -m layer7 --l7proto $PROTO_12_1 -j RETURN ;; esac NB_filtre_12=$(($NB_filtre_12 - 1)) ;; 13) case $NB_filtre_13 in 1) $IPT_BIN -t mangle -A ms-chain-$INTER_OUT-1:11 -m layer7 --l7proto $PROTO_13_1 -j CLASSIFY --set-class 1:$NUM_file $IPT_BIN -t mangle -A ms-chain-$INTER_OUT-1:11 -m layer7 --l7proto $PROTO_13_1 -j RETURN ;; 2) $IPT_BIN -t mangle -A ms-chain-$INTER_OUT-1:11 -m layer7 --l7proto $PROTO_13_2 -j CLASSIFY --set-class 1:$NUM_file $IPT_BIN -t mangle -A ms-chain-$INTER_OUT-1:11 -m layer7 --l7proto $PROTO_13_2 -j RETURN ;; esac NB_filtre_13=$(($NB_filtre_13 - 1)) ;; 14) case $NB_filtre_14 in 1) $IPT_BIN -t mangle -A ms-chain-$INTER_OUT-1:11 -m layer7 --l7proto $PROTO_14_1 -j CLASSIFY --set-class 1:$NUM_file $IPT_BIN -t mangle -A ms-chain-$INTER_OUT-1:11 -m layer7 --l7proto 
$PROTO_14_1 -j RETURN ;; 2) $IPT_BIN -t mangle -A ms-chain-$INTER_OUT-1:11 -m layer7 --l7proto $PROTO_14_2 -j CLASSIFY --set-class 1:$NUM_file $IPT_BIN -t mangle -A ms-chain-$INTER_OUT-1:11 -m layer7 --l7proto $PROTO_14_2 -j RETURN ;; 3) $IPT_BIN -t mangle -A ms-chain-$INTER_OUT-1:11 -m layer7 --l7proto $PROTO_14_3 -j CLASSIFY --set-class 1:$NUM_file $IPT_BIN -t mangle -A ms-chain-$INTER_OUT-1:11 -m layer7 --l7proto $PROTO_14_3 -j RETURN ;; 4) $IPT_BIN -t mangle -A ms-chain-$INTER_OUT-1:11 -m layer7 --l7proto $PROTO_14_4 -j CLASSIFY --set-class 1:$NUM_file $IPT_BIN -t mangle -A ms-chain-$INTER_OUT-1:11 -m layer7 --l7proto $PROTO_14_4 -j RETURN ;; esac NB_filtre_14=$(($NB_filtre_14 - 1)) ;; esac done NUM_file=$(($NUM_file + 1)) NB_file=$(($NB_file - 1)) done $IPT_BIN -t mangle -A ms-chain-$INTER_OUT-1:11 -j CLASSIFY --set-class 1:199 $IPT_BIN -t mangle -A ms-chain-$INTER_OUT-1:11 -j RETURN $IPT_BIN -t mangle -A ms-prerouting -j CONNMARK --save-mark From gypsy at iswest.com Thu Sep 21 16:50:13 2006 
From: gypsy at iswest.com (gypsy) Date: Thu Sep 21 16:50:27 2006 Subject: [LARTC] Fwd: Is there a way to divide one link in to two ? References: <7ed6b0aa0609200403o22edaf5cq426dc0fda8efd7a9@mail.gmail.com> <7ed6b0aa0609210216u4e5fc1b9va9dc419812edee59@mail.gmail.com> Message-ID: <4512A6A5.8E33B862@iswest.com> Indunil Jayasooriya wrote: > > Hi, > > I want to know is there a way to divide a link in to two? > > Below is what I need? > > I have a 64 k link. I want to reserve 32 k for mail and 32 k for web . > > That means dividing 64 k link in to two for mail and web. > > Is it possible in Linux? > > Can iproute or iptables haddle this situation ? > > or can any other pkg do it? > > -- > Thank you > Indunil Jayasooriya Yes. I'd use HTB and "filter match" port 80 and port 25. You can't divide exactly half because there will be unshaped ICMP, UDP and ARP, but those don't usually require a lot of bandwidth so just create a default class for those that has a small rate and ceil, then subtract the default rate from your 64 k and allocate the remainder between mail and web. Don't forget that the sum of rates cannot exceed (about) 95 % of 64 k. Also look for "policy routing" because it discusses alternatives. There is lots of good information. -- gypsy From e1605projecter at yahoo.com Thu Sep 21 20:40:33 2006 
From: e1605projecter at yahoo.com (Thossapron Apinyapanha) Date: Thu Sep 21 20:40:37 2006 Subject: [LARTC] HFSC statistic show question Message-ID: <20060921184033.64492.qmail@web35502.mail.mud.yahoo.com> after i use "tc -s -d class ls dev eth0" will show statistic data about HFSC ,like this root@ubuntu:/home/shaper# tc -s -d class ls dev eth2 class hfsc 1: root Sent 0 bytes 0 pkts (dropped 0, overlimits 0) period 24 work 13844792199226589188 bytes rtwork 20937281664 bytes level 3461036864 class hfsc 1:11 parent 1:1 sc m1 30720Kbit d 10.0ms m2 30000bit ul m1 0bit d 0us m2 300000bit Sent 332564 bytes 235 pkts (dropped 0, overlimits 0) period 24 work 13844792199226589188 bytes rtwork 20937281664 bytes level 3461036864 class hfsc 1:1 parent 1: sc m1 0bit d 0us m2 10000bit ul m1 0bit d 0us m2 10000Kbit Sent 0 bytes 0 pkts (dropped 0, overlimits 0) period 24 work 13844792199226589188 bytes rtwork 20937281664 bytes level 3461036864 class hfsc 1:13 parent 1:1 ls m1 0bit d 0us m2 350000bit ul m1 0bit d 0us m2 500000bit Sent 84 bytes 2 pkts (dropped 0, overlimits 0) period 24 work 13844792199226589188 bytes rtwork 20937281664 bytes level 3461036864 class hfsc 1:12 parent 1:1 ls m1 0bit d 0us m2 100000bit ul m1 0bit d 0us m2 300000bit Sent 0 bytes 0 pkts (dropped 0, overlimits 0) period 24 work 13844792199226589188 bytes rtwork 20937281664 bytes level 3461036864 root@ubuntu:/home/shaper# tc -s -d qdisc ls dev eth2 qdisc hfsc 1: default 13 Sent 332648 bytes 237 pkts (dropped 0, overlimits 382) root@ubuntu:/home/shaper# but i'm doubt what is each field mean ?? such period, work ,rtwork and what field are same like "rate" in HTB statistic command thank you raku --------------------------------- Do you Yahoo!? Get on board. You're invited to try the new Yahoo! Mail. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060921/8bae4269/attachment.htm

From cpeterson at portnetworks.com Fri Sep 22 06:52:44 2006
From: cpeterson at portnetworks.com (Carl Peterson)
Date: Fri Sep 22 06:14:20 2006
Subject: [LARTC] Does each filter share bandwidth in a class?
Message-ID: <200609220052.44352.cpeterson@portnetworks.com>

I want to give each user 1M of bandwidth. With the rules below, will they share one Mb or will each user get 1Mb? In reality there are over a thousand users, and also outbound rules, but this should make it simple.

# eth2 inbound maclist
tc qdisc add dev eth2 root handle 1: cbq avpkt 1000 bandwidth 100mbit
tc class add dev eth2 parent 1: classid 1:1 cbq rate 1024kbit allot 1500 prio 5 bounded isolated
# user1
tc filter add dev eth2 parent 1: protocol ip prio 10 u32 match u16 0x0016 0xFFFF at -14 match u32 0xB629E4D6 0xFFFFFFFF at -12 flowid 1:1
# user 2
tc filter add dev eth2 parent 1: protocol ip prio 10 u32 match u16 0x0014 0xFFFF at -14 match u32 0xA5457120 0xFFFFFFFF at -12 flowid 1:1

Thanks,
Carl

From kaber at trash.net Fri Sep 22 14:08:20 2006
From: kaber at trash.net (Patrick McHardy) Date: Fri Sep 22 14:08:27 2006 Subject: [LARTC] HFSC statistic show question In-Reply-To: <20060921184033.64492.qmail@web35502.mail.mud.yahoo.com> References: <20060921184033.64492.qmail@web35502.mail.mud.yahoo.com> Message-ID: <4513D234.7090000@trash.net> Thossapron Apinyapanha wrote: > after i use "tc -s -d class ls dev eth0" will show statistic data about HFSC ,like this > > root@ubuntu:/home/shaper# tc -s -d class ls dev eth2 > class hfsc 1: root > Sent 0 bytes 0 pkts (dropped 0, overlimits 0) > period 24 work 13844792199226589188 bytes rtwork 20937281664 bytes level 3461036864 > class hfsc 1:11 parent 1:1 sc m1 30720Kbit d 10.0ms m2 30000bit ul m1 0bit d 0us m2 300000bit > Sent 332564 bytes 235 pkts (dropped 0, overlimits 0) > period 24 work 13844792199226589188 bytes rtwork 20937281664 bytes level 3461036864 > class hfsc 1:1 parent 1: sc m1 0bit d 0us m2 10000bit ul m1 0bit d 0us m2 10000Kbit > Sent 0 bytes 0 pkts (dropped 0, overlimits 0) > period 24 work 13844792199226589188 bytes rtwork 20937281664 bytes level 3461036864 > class hfsc 1:13 parent 1:1 ls m1 0bit d 0us m2 350000bit ul m1 0bit d 0us m2 500000bit > Sent 84 bytes 2 pkts (dropped 0, overlimits 0) > period 24 work 13844792199226589188 bytes rtwork 20937281664 bytes level 3461036864 > class hfsc 1:12 parent 1:1 ls m1 0bit d 0us m2 100000bit ul m1 0bit d 0us m2 300000bit > Sent 0 bytes 0 pkts (dropped 0, overlimits 0) > period 24 work 13844792199226589188 bytes rtwork 20937281664 bytes level 3461036864 > root@ubuntu:/home/shaper# tc -s -d qdisc ls dev eth2 > qdisc hfsc 1: default 13 > Sent 332648 bytes 237 pkts (dropped 0, overlimits 382) > root@ubuntu:/home/shaper# > > but i'm doubt what is each field mean ?? such period, work ,rtwork > and what field are same like "rate" in HTB statistic command You're using a broken version of iproute (well, actually the kernel is broken, but a new iproute fixes it). 
The statistics mean:

period: number of times the class went to active state (no packets queued -> packets queued)
work:   number of bytes handled by real-time and link-sharing criteria
rtwork: number of bytes handled by real-time criterion
level:  level in the class hierarchy

When using only linear service curves "m2" is the equivalent to rate.

From lists at andyfurniss.entadsl.com Sat Sep 23 16:55:01 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Sat Sep 23 16:51:51 2006
Subject: [LARTC] RE: Doubts regarding classifiers available
In-Reply-To: <11276430CDF33142AE0DB4B33845FF76A0D644@sjc1exm06.pmc-sierra.bc.ca>
References: <11276430CDF33142AE0DB4B33845FF76A0D644@sjc1exm06.pmc-sierra.bc.ca>
Message-ID: <45154AC5.4080404@andyfurniss.entadsl.com>

Yongle Lai wrote:
>
> Hi Krishna,
>
> 1) If you want to classify according to MAC address, you could use iptables to mark the packet (using MARK target), but just source MAC is available for now.
> 2) Usually tc just could classify by fields of IP layer and its sublayer, so I think classify by ethertype is unavailable.
> 3) VLAN tag belongs to MAC layer! I'm not sure how to QoS for VLAN, can anybody give some advice?
>
> Bests,
> Yongle Lai
>
> Hi,
> I am a newbie working on tc tool, i want to know whether we have the following classifiers available
>
> (1) source MAC address.
> (2) destination MAC address.
> (3) IEEE 802.1D user priority.
> (4) Ethertype (IEEE 802.3, 1998 Length/Type Field).
>
> Can any one help me in finding the help for the above classifiers.
> Thanks in advance

tc filter protocol is ethertype; most examples use ip, but you can use a number or all, arp etc.

You can also match protocol at -2 with u32/u16.

You do the same for macs, with mac of target machine 00:C1:26:0F:04:AD:

tc filter add dev eth0 protocol ip parent 12: prio 1 u32 \
  match u16 0x00c1 0xffff at -14 \
  match u32 0x260f04ad 0xffffffff at -12 \
  flowid X:Y

User priority - you'll need to tcpdump -eXX and work out what offsets work.

Andy.

From lists at andyfurniss.entadsl.com Sat Sep 23 17:06:24 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Sat Sep 23 17:03:03 2006
Subject: [LARTC] Doubts regarding classifiers available.
In-Reply-To: <1158748527.4559.9.camel@Krishna>
References: <1158748527.4559.9.camel@Krishna>
Message-ID: <45154D70.7000800@andyfurniss.entadsl.com>

chaitanya wrote:
> Hi,
> I am a newbie working on tc tool, i want to know whether we have the
> following classifiers available
>
> (1) source MAC address.
> (2) destination MAC address.
> (3) IEEE 802.1D user priority.
> (4) Ethertype (IEEE 802.3, 1998 Length/Type Field).
>
> Can any one help me in finding the help for the above classifiers.
> Thanks in advance

tc filter protocol is ethertype; most examples use ip, but you can use a number or all, arp etc. You need a different prio for each type.

You can also match protocol at -2 with u32/u16.

You do the same for macs, with mac of target machine 00:C1:26:0F:04:AD:

tc filter add dev eth0 protocol ip parent 12: prio 1 u32 \
  match u16 0x00c1 0xffff at -14 \
  match u32 0x260f04ad 0xffffffff at -12 \
  flowid X:Y

User priority - you'll need to tcpdump -eXX and work out what offsets work.

Andy.

>
>
> Krishna Chaitanya
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

From lists at andyfurniss.entadsl.com Sat Sep 23 17:10:05 2006
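The negative-offset MAC and ethertype matches Andy describes in the two replies above, as an added shell example that is not Andy's code: it derives the u32 clauses from a MAC address using the offsets quoted there, assumes a plain untagged Ethernet header directly in front of the IP header, and the function names are mine.

```shell
#!/bin/bash
# Added example, not Andy's code: build the u32 "match" clauses for a MAC
# address or ethertype from the offsets quoted in the thread. With
# "protocol ip" the u32 classifier's offset 0 is the start of the IP header,
# so an untagged 14-byte Ethernet header sits at negative offsets:
#   -14..-9  destination MAC   -8..-3  source MAC   -2..-1  ethertype
# u32 keys are loaded as 32-bit words, so a 6-byte MAC is split into a u16
# and a u32 piece, placed so that the u32 piece starts on a 4-byte boundary
# (-12 for the destination MAC, -8 for the source MAC).

# mac_hex 00:C1:26:0F:04:AD -> 00c1260f04ad (returns 1 on a malformed MAC)
mac_hex() {
    local hex
    hex=$(printf '%s' "$1" | tr -d ':-' | tr 'A-F' 'a-f')
    case "$hex" in
        ????????????) ;;          # exactly 12 hex digits
        *) return 1 ;;
    esac
    case "$hex" in
        *[!0-9a-f]*) return 1 ;;  # reject anything that is not hex
    esac
    printf '%s\n' "$hex"
}

# mac_match dst|src MAC -> the two match clauses for a tc u32 filter
mac_match() {
    local hex
    hex=$(mac_hex "$2") || return 1
    case "$1" in
        dst) # bytes -14,-13 as a u16, bytes -12..-9 as an aligned u32
            printf 'match u16 0x%s 0xffff at -14 match u32 0x%s 0xffffffff at -12\n' \
                "$(printf '%s' "$hex" | cut -c1-4)" "$(printf '%s' "$hex" | cut -c5-12)" ;;
        src) # bytes -8..-5 as an aligned u32, bytes -4,-3 as a u16
            printf 'match u32 0x%s 0xffffffff at -8 match u16 0x%s 0xffff at -4\n' \
                "$(printf '%s' "$hex" | cut -c1-8)" "$(printf '%s' "$hex" | cut -c9-12)" ;;
        *) return 1 ;;
    esac
}

# ethertype_match TYPE -> clause matching the Ethernet type field at -2
# (TYPE may be hex such as 0x0806 or decimal such as 2048)
ethertype_match() {
    printf 'match u16 0x%04x 0xffff at -2\n' $(( $1 ))
}

# mac_filter_cmd DEV PARENT PRIO FLOWID dst|src MAC -> one complete tc line
mac_filter_cmd() {
    local clauses
    clauses=$(mac_match "$5" "$6") || return 1
    printf 'tc filter add dev %s protocol ip parent %s prio %s u32 %s flowid %s\n' \
        "$1" "$2" "$3" "$clauses" "$4"
}

# Demonstration with the address from Andy's message
mac_filter_cmd eth0 12: 1 1:10 dst 00:C1:26:0F:04:AD
mac_filter_cmd eth0 12: 1 1:11 src 00:C1:26:0F:04:AD
ethertype_match 0x0806
```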
From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Sat Sep 23 17:06:43 2006 Subject: [LARTC] HTB and per-connection bandwidth allocation In-Reply-To: References: Message-ID: <45154E4D.1030300@andyfurniss.entadsl.com> Namitha Rao wrote: > Hi > > http://mailman.ds9a.nl/pipermail/lartc/2002q3/004977.html > > I have the same problem to discuss as in the above link. I want to allocate > say X MBit per individual connection regardless of the number of > connection > . KIndly could anyonen suggest me how to proceed. > I have tried with SFq but is doesnot yeild my requirement.. > > Thanks, > Namitha. If you can't think of a way to turn a connection into a class then search the archive for perflow - someone once started a qdisc to do this. Andy. From e1605projecter at yahoo.com Sun Sep 24 15:39:00 2006 From: e1605projecter at yahoo.com (Thossapron Apinyapanha) Date: Sun Sep 24 15:39:07 2006 Subject: [LARTC] HFSC parameter Message-ID: <20060924133900.42854.qmail@web35515.mail.mud.yahoo.com> My problem with HFSC tc command is ... tc command's HFSC have a lot parameter with 4 curve type SC curve -> umax dmax rate LS curve -> umax dmax rate RT curve -> umax dmax rate UL curve -> umax dmax rate so i'dont know which parameter are appropriate for my test case such real time class which curve are appropriate and good working result. my assumption about umax,dmax,rate ... this is true first, HFSC will doing with "umax" rate but after delay exceed "dmax" rate, HFSC will change rate to "rate" ???? Can everybody tell me all 12 parameter ,what does it mean???? thank you raku --------------------------------- All-new Yahoo! Mail - Fire up a more powerful email and get things done faster. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060924/53ce218f/attachment.html From wtm at harbec.com Sun Sep 24 20:18:30 2006 
From: wtm at harbec.com (William T Mullaney) Date: Sun Sep 24 20:18:43 2006 Subject: [LARTC] Problem with Load Balancing Message-ID: <4986F8D166F1E44CBA92A91C98ACAD5214CDFB@sql_server> To my knowledge, there is no way to download one file from two different connections connected to two different ISPs at the same time. If you are running BGP then you might be able to load balance across the two links, but that would require your upstream providers to allow you to use it, and possibly the purchase of a public AS number an IP address space depending on the setup. If you are doing NAT past this link (IE both of your lines go two the same ISP and same address blocks, but they want to give you 2x 10mb links for 20mb total), then you can look at doing load balancing on layer 2 (Fast EtherChannel, bonding, Link Aggregate Groups, whatever), or creating 2 PPP style links between the computers and using a routing protocol like OSPF, EIGRP (but not on Linux) or something. I believe OSPF does equal cost load balancing, BGP and EIGRP can, I think, do unequal cost load balancing. But either way, I don't think that's the solution in your case. The only other option I can think of would be some sort of software that sends every other packet to a different IP or something, which would need to run at the end you are downloading at or maybe at your ISPs, but I can't think of anything like that. -Will -----Original Message----- 
From: Vladimir Burciaga Aguilar [mailto:anakinv7@hotmail.com] Sent: Monday, September 18, 2006 12:09 PM To: lartc@mailman.ds9a.nl Subject: RE: [LARTC] Problem with Load Balancing >We have also set up a somewhat similar method of load balancing. Our >traffic is never a 50-50 split (well 3:2 is how we have it set, but it >doesn't always get close to that), but as the load picks up, it tends to be >closer to the actual amount. [snip] -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20060924/e74d0151/attachment.htm From raju at linux-delhi.org Sun Sep 24 20:48:51 2006 
From: raju at linux-delhi.org (Raj Mathur) Date: Sun Sep 24 20:49:29 2006 Subject: [LARTC] Problem with Load Balancing In-Reply-To: <4986F8D166F1E44CBA92A91C98ACAD5214CDFB@sql_server> References: <4986F8D166F1E44CBA92A91C98ACAD5214CDFB@sql_server> Message-ID: <17686.54035.541845.641604@mail.linux-delhi.org> >>>>> "William" == William T Mullaney writes: William> To my knowledge, there is no way to download one file William> from two different connections connected to two different William> ISPs at the same time. If you are running BGP then you William> might be able to load balance across the two links, but William> that would require your upstream providers to allow you William> to use it, and possibly the purchase of a public AS William> number an IP address space depending on the setup. If William> you are doing NAT past this link (IE both of your lines William> go two the same ISP and same address blocks, but they William> want to give you 2x 10mb links for 20mb total), then you William> can look at doing load balancing on layer 2 (Fast William> EtherChannel, bonding, Link Aggregate Groups, whatever), William> or creating 2 PPP style links between the computers and William> using a routing protocol like OSPF, EIGRP (but not on William> Linux) or something. I believe OSPF does equal cost load William> balancing, BGP and EIGRP can, I think, do unequal cost William> load balancing. But either way, I don't think that's the William> solution in your case. William> The only other option I can think of would be some sort William> of software that sends every other packet to a different William> IP or something, which would need to run at the end you William> are downloading at or maybe at your ISPs, but I can't William> think of anything like that. Wouldn't some download manager software that splits the file up into multiple simultaneous downloads do the trick? Agreed, not a single download across multiple ISPs, but definitely a single file across multiple ISPs. 
Regards, -- Raju -- Raj Mathur raju@kandalaya.org http://kandalaya.org/ GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F It is the mind that moves From lists at andyfurniss.entadsl.com Mon Sep 25 16:10:22 2006 From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Mon Sep 25 16:10:13 2006 Subject: [LARTC] How to make burst traffic? such ICMP and real time traffic In-Reply-To: References: Message-ID: <4517E34E.3070300@andyfurniss.entadsl.com> *~ r a K u ~ * wrote: > My test case must relative with burst traffic such data or real time traffic > somebody can advise me how to generate traffic data like ICMP to be burst and about > real time traffic too ,.. i don't have any idea to make burst traffic for test > HTB and HFSC which can manage that situation good. You can use iputils ping to generate streams and bursts, but it's not perfect - still useful, but you need to check with rate estimators/ tcpdump timestamps on a different box what is happening. ping -l 10 -i 0.02 ....... will burst 10 then do 50pps. For me it goes a few pps slow if I run 5 instances + 5 netperfs. Andy. From gaio at sv.lnf.it Mon Sep 25 17:30:49 2006 
From: gaio at sv.lnf.it (Marco Gaiarin) Date: Mon Sep 25 17:30:54 2006 Subject: [LARTC] Same ip address assigned to two interfaces... Message-ID: <20060925153049.GA10828@sv.lnf.it> [i'm not clearly a network guru, but i've some knowledge... anyway i think i've arrived to my ``end point'' here. Probably i've also done some big mistake, so please sorry me.] I've setup in a local branch of my office two servers, say radagast (10.27.1.2) and olorin (10.27.1.3). They share the same UPS and the same place, sitting at roughly 20 centimeters each other. Network devices are in another room, not UPSes, and so if there's a power loss, radagast compain about that UPS desappear. Also this two servers share a samba domain, and the syncronize each other (LDAP, some folders, some other nfs-mounted, ...). So i've thinked to simply put a gigabit ethernet on each of the two server and link them together with a simple switched cable. Note that: i'm not interested in bonding nor in some sort of ``failover'' configuration , only to link together them. The first, for me, simple solution was to fire up the interfaces with the same IP and list an explicit link, so: on radagast (10.27.1.2 on eth0): ifconfig eth1 10.27.1.2 netmask 255.255.255.255 up route add -host 10.27.1.3 eth1 on olorin (10.27.1.3 on eth0) ifconfig eth1 10.27.1.3 netmask 255.255.255.255 up route add -host 10.27.1.2 eth1 and with this simple solution all seems works. Seems. After some ``hot calls'' i discovered that simply some services (i tested squid and the openldap server) does not communicate anymore; digging with tcpdump arise the problem: olorin acces the squid proxy on radagast via the eth1 interfaces, but reply on eth0, so olorin kernel drop the packet (i've not enabled log_martian, but i think was interesting ;). 
As a try-out solution, I've enabled arp_proxy on eth0 and ip_forwarding, resulting in a working environment, but resulting also in packets directed to olorin passing through radagast and vice versa; also, a solution similar to this attempted in another place got some very big panic, probably an ``arp storm'' or something like this caused by the arp_proxy (older, less ``intelligent'' switches?). Clearly this is not the solution. ;)

Ok, but, what *is* the solution? ;) Is there no way to do what I need, at least without assigning the same IPs to both interfaces? Do I have to simply disable the rp_filtering? Or set up some ip rule/ip route scripts to route explicitly (but how? The only examples have different source IPs, not the same source IP...)

Please, help me.

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.sv.lnf.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)sv.lnf.it tel +39-0434-842711 fax +39-0434-842797

From kcem at tlen.pl Mon Sep 25 20:17:43 2006
From: kcem at tlen.pl (Konrad Cempura)
Date: Mon Sep 25 20:17:50 2006
Subject: [LARTC] HFSC parameter
In-Reply-To: <20060924133900.42854.qmail@web35515.mail.mud.yahoo.com>
References: <20060924133900.42854.qmail@web35515.mail.mud.yahoo.com>
Message-ID: <45181D47.1040506@tlen.pl>

Thossapron Apinyapanha wrote:
> Can anybody tell me all 12 parameters, what do they mean????

Nobody knows:)

Is anybody here who is using HFSC?

From jody.shumaker at gmail.com Mon Sep 25 22:37:55 2006
From: jody.shumaker at gmail.com (Jody Shumaker)
Date: Mon Sep 25 22:37:59 2006
Subject: [LARTC] Completely isolating P2P/BitTorrent traffic
In-Reply-To: <200609122216.02895.ranmakun@arnet.com.ar>
References: <200609122216.02895.ranmakun@arnet.com.ar>
Message-ID: <2af436490609251337m7d522425ubb8fa9e962ed14a7@mail.gmail.com>

On 9/12/06, Francisco wrote:
> I'll tell you what I did to completely isolate MY bittorrent traffic. In
> azureus you can tell the program to use a specific IP, so I have two IPs per
> PC, one for p2p and the other one as the main IP. Then I simply shape traffic
> from the azureus IP in each PC. Obviously this only works for you, since you
> won't convince any user to do this, but I found it quite practical if that's
> what you need. aMule doesn't have the same option, but this traffic is easy
> to detect.
>

Some clients, like Azureus, let you bind the local port for outgoing connections. Then marking based on the source port will work for not only incoming connected tcp streams but outgoing connected tcp streams too.

All the data you're seeing as not marked correctly is likely people your bittorrent client connected out to that are running encryption. ipp2p can't determine that those data streams are p2p sessions as it actually should look similar to any ssl connection.

Seems the best option is to bind to a separate ip, or if the client has the option, bind to a specific local port and match on that.

- Jody

From kaber at trash.net Tue Sep 26 17:14:10 2006
From: kaber at trash.net (Patrick McHardy)
Date: Tue Sep 26 17:17:47 2006
Subject: [LARTC] HFSC parameter
In-Reply-To: <20060924133900.42854.qmail@web35515.mail.mud.yahoo.com>
References: <20060924133900.42854.qmail@web35515.mail.mud.yahoo.com>
Message-ID: <451943C2.3010405@trash.net>

Thossapron Apinyapanha wrote:
> tc command's HFSC has a lot of parameters with 4 curve types
>
> SC curve -> umax dmax rate
> LS curve -> umax dmax rate
> RT curve -> umax dmax rate
> UL curve -> umax dmax rate
>
> so I don't know which parameters are appropriate for my test case,
> such as a real-time class: which curve is appropriate and gives a good working result?

LS = link-share service curve, defines relation of service between sibling classes. Can be used for intermediate and leaf classes.

UL = upper-limit service curve, limits LS curve.

RS = real-time service curve, defines absolute service guarantees for leaf classes. Can be used, but does nothing for intermediate classes.

SC = service curve, sets LS and RS to the same curve. Should usually be used for leaf-classes instead of RS.

> my assumption about umax, dmax, rate ... is this true:
> first, HFSC will run at the "umax" rate, but after the delay exceeds "dmax",
> HFSC will change the rate to "rate"????

No, this is true for m1, d and m2 (use rate m1 for time d, then m2). umax, dmax and rate are another way to specify the curve, m2 == rate and m1 and d are calculated from umax and dmax.

From wtm at harbec.com Tue Sep 26 20:47:26 2006
From: wtm at harbec.com (William T Mullaney)
Date: Tue Sep 26 20:47:52 2006
Subject: [LARTC] Problem with Load Balancing
Message-ID: <4986F8D166F1E44CBA92A91C98ACAD5214CF36@sql_server>

Well, if you had a download manager and the system at the other side allowed you to start your transfers in the middle of the file (which isn't out of the question) that could potentially work. The problem is that as far as I see, there's nothing to force the second connection onto the second line. It's been kind of a crap shoot which line gets more information. In theory you could start the first download stream (and it's routed to ISP A), then perhaps your email client goes out to check your POP account, so that goes over ISP B. The next connection, the second stream, now goes out over ISP B again.

Honestly I don't know exactly how the equalize command for ip route works, though I would think it says to always use the "less used" connection (perhaps on PPS, BPS, % use, whatever, on a per second, 30 second, minute average?), but in my experience that and the weight options don't ever get you exactly 50/50 (or whatever you specify) traffic. Things like bit torrent would probably perform better because there are (possibly) many streams for each file, as would having 50 people downloading files vs one. It seems to be just like rolling dice: if you only roll twice you might get two evens or two odds, but if you roll tons of times, you should tend to get a more even distribution.

-Will

-----Original Message-----
From: Raj Mathur [mailto:raju@linux-delhi.org]
Sent: Sunday, September 24, 2006 2:49 PM
To: lartc@mailman.ds9a.nl
Subject: RE: [LARTC] Problem with Load Balancing

>>>>> "William" == William T Mullaney writes:

    William> To my knowledge, there is no way to download one file
    William> from two different connections connected to two different
    William> ISPs at the same time. If you are running BGP then you
    William> might be able to load balance across the two links, but
    William> that would require your upstream providers to allow you
    William> to use it, and possibly the purchase of a public AS
    William> number and IP address space depending on the setup. If
    William> you are doing NAT past this link (IE both of your lines
    William> go to the same ISP and same address blocks, but they
    William> want to give you 2x 10mb links for 20mb total), then you
    William> can look at doing load balancing on layer 2 (Fast
    William> EtherChannel, bonding, Link Aggregate Groups, whatever),
    William> or creating 2 PPP style links between the computers and
    William> using a routing protocol like OSPF, EIGRP (but not on
    William> Linux) or something. I believe OSPF does equal cost load
    William> balancing, BGP and EIGRP can, I think, do unequal cost
    William> load balancing. But either way, I don't think that's the
    William> solution in your case.

    William> The only other option I can think of would be some sort
    William> of software that sends every other packet to a different
    William> IP or something, which would need to run at the end you
    William> are downloading at or maybe at your ISPs, but I can't
    William> think of anything like that.

Wouldn't some download manager software that splits the file up into multiple simultaneous downloads do the trick? Agreed, not a single download across multiple ISPs, but definitely a single file across multiple ISPs.
Regards,

-- Raju

-- 
Raj Mathur                raju@kandalaya.org      http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
It is the mind that moves

From lists at andyfurniss.entadsl.com Wed Sep 27 00:23:32 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Wed Sep 27 00:21:33 2006
Subject: [LARTC] HTB and HFSC,declaration tc command question
Message-ID: <4519A864.7080802@andyfurniss.entadsl.com>

*~ r a K u ~ * wrote:
> I have a lot of questions about the tc command because now I'm doing research to compare
> performance between HTB and HFSC
> so I doubt a lot of things and your replies are very helpful to me ... My
> question is
>
> *In HTB tc command question*
> 1. I use open source (Mastershaper) to help configure traffic control,
> but when I try to configure HTB,
> I'm in doubt about this: in each chain I must identify a fallback service level,
> and if I don't specify it, it will be unable to contain a pipe.
> Every traffic, and traffic not matched in a chain's pipe, can only use the
> fallback service level
> (ps. Mastershaper represents an interior class as a pipe and a leaf class as a chain)
>
> Is this the only true definition in the HTB tc command?? or is it only a creative function
> from the developer??

Don't know what you mean really - mastershaper is OK but if you want to test HTB and HFSC you should do it by hand so you can play with different HTB settings. quantum/burst/cburst can affect things at low rates; there is also a compile time define that makes HTB more accurate - HYSTERESIS 0 is more accurate than the default 1. HTB accuracy is limited by the Hz setting as well.

Testing on low bandwidth links shows HTB to be sensitive to how you set things up. Trying to have a class for each user, with prio for interactive within that, doesn't work well - your interactive needs to be top level prio 0. I haven't tested doing per user within that.

At low rates I find hfsc is a lot better, but then my tests may have been flawed.

You won't see any results from ping output when simulating a low rate on eth unless you make an artificial link with another queue. This can be tricky - hfsc seems OK - but it doesn't add bitrate latency quite like a real link would.
If you use hfsc to simulate a link then to be fair to htb you need to choose packet sizes carefully, because htb uses rate tables that are only right if (on eth) (ip_len+14)/8 is an integer. In effect (on eth) this means setting mtu to 1498 and ping -s 54 rather than the default 56.

You could instead just tcpdump on a remote box and look at time deltas/packet lengths and deduce how much a real link would be backlogged.

>
> *In HFSC tc command question *
> after I read the HFSC paper, I'm in doubt about the Service curve declaration like this
>
> | SC := [ [ m1 BPS ] [ d SEC ] m2 BPS
> |
> | m1 : slope of first segment -> umax
> | d : x-coordinate of intersection -> dmax
> | m2 : slope of second segment -> rate

You can specify curves two ways and you don't need m1/umax or d/dmax for a linear "curve". Whether you say m1 as a bitrate or umax bytes for packet length, hfsc will convert to bitrate.

You need to think of the link you shape for as a linear curve and make sure all your rates do not exceed that.

>
> 2. In all leaf classes must I specify rt (realtime service curve)??? and is it
> important to
> specify sc (Service curve) in all leaf classes?? and in all leaf classes must I
> specify link-sharing (ls) too??

I think you can have any type on leaf - inners can't be rt, though you can use sc rather than ls; I suppose they are just ls.

On a leaf sc is rt + ls, ie. it can borrow and is capped by the first ul above/on it; rt alone will not get a share above its rate.

> because I think, after reading the HFSC theory, that by default all leaf classes (Service
> classes)
> will use the Link-sharing criterion for allocating bandwidth from the Service curve
> (My assumption is that this calculated bandwidth is "m1" or "umax" -> total bandwidth
> that can be sent at ceil rate??)
> and when the total delay exceeds "dmax" or "d"
> -> it means

The way I see it may be wrong - there is no ceil rate for rt as such, that's for ls - it is up to you to work out m1 and delay for every leaf (not sure if ls leaf matters but I still did in my test, just to make the curves add up) so that you don't go over the link curve. On a slow link if you assume big packets that makes for long delays. In practice it will be jitter - Patrick wrote he may make hfsc even more non work conserving one day (IIRC). Until then I don't think it's possible to get optimal behaviour for prio between rt classes. The original hfsc algorithm assumes some device driver controls the queue - in practice that won't happen without a lot of buffering to mess things up; the current hfsc rate limiting is good but doesn't quite simulate the perfect (non existent) driver that asks for a packet at a time.

> it's time for HFSC to manage QoS to guarantee bandwidth and delay
> in each leaf class by using the Real-time Criterion, so the bandwidth rate will change to "m2"
> or the bandwidth rate that guarantees QoS in each leaf class
> Is it true??? I fear I may misunderstand the HFSC theory,
> example in my test lab, I have 3 types of leaf class such as real-time, data, default
> Can I specify
> - real-time leaf class -> rt (to guarantee delay and bw), ls (by default when
> not exceeding max delay)

It will get (max) delay according to d up to m2 bandwidth; if it needs to borrow more from ls those packets get no delay guarantee.

> - data leaf class -> ls (by default and not delay sensitive so delay is not
> important)

ls bandwidth is shared between siblings according to the relation of their rates. An rt class can be ls as well - that's what sc is.

>
> 3. I'm in doubt about how to declare ls and ul ... in theory it's a type of
> service curve that is not
> related to the real-time criterion, so delay may not be important to consider????
> Is it true that when declaring, the parameters in each service curve may be like this?
> ls [ umax BPS, rate BPS]
> ul [ umax BPS, rate BPS]
> and
> Is it important to declare all three parameters (umax, dmax, rate)? If the three
> parameters
> are important to setting traffic control????

Not sure really - it seems to make sense to make sibling curves add up even if ls, so when I tested I made an ls m1 0 d Xms rate Xkbit because it had as a sibling an rt that had m1 = parent rate for Xms.

>
> 3. I've tried to search for HFSC command examples; there are a lot of cases but I'm in doubt about the
> service curve (sc)
> declaration: sometimes it is declared in the root class, the interior class, the leaf class,
> so I'm not sure I understand that ls -> calculates bandwidth for interior
> classes and the root class and
> rt -> calculates bandwidth for leaf classes, and what about the service curve (sc)???
> is it specified only in the root class???

I guess on leaf it means rt + ls, as a parent just ls.

>
> 4. Is it true??
> In the root class or interior class only the Link-sharing criterion is used, so
> I can declare
> only link-sharing -> ls(umax, dmax, rate) and Upperlimit
> -> ls(umax, dmax, rate); it's not important
> to declare the real-time curve (rt) because in HFSC theory the real-time
> criterion is used only in leaf classes

All my inners are linear only.

>
> 5. In HFSC, is the upper limit the bandwidth rate that guarantees the maximum bandwidth rate in
> each class, like ceil in HTB???
>
> 6. I'm in doubt about priority in HFSC; the HFSC paper talks about supporting
> priority
> but in the HFSC tc command there is no priority specified in each class,
> So in HFSC how do you manage class priority like HTB????

In theory for rt, priority comes from the way you make the curves - in practice see above.

For ls, share of bandwidth is worked out between siblings at each level using their rates. If you give bulk class x:y rate 5 kbit and bulk class x:z 1kbit, bandwidth will share 5:1.

Andy.

From lists at andyfurniss.entadsl.com Wed Sep 27 02:08:52 2006
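Patrick's point earlier in the thread (m2 == rate, with m1 and d derived from umax and dmax) and Andy's advice above to make sibling curves add up under the link curve, worked through as an added Python example that is not code from the posts, from iproute2 or from the kernel. The umax/dmax conversion rule is my reading of tc's q_hfsc.c and is an assumption; the constructed curves (1500-byte burst within 100 ms or 30 ms at 200 kbit) are sample values, not taken from raku's setup.

```python
"""HFSC service curves: convert tc's umax/dmax/rate form into the m1/d/m2 form
the kernel uses, evaluate a curve, and check that sibling curves stay under
their parent's curve.

Added example, not code from the LARTC posts or from iproute2.  The conversion
rule is my reading of tc's q_hfsc.c (assumption): when umax/dmax exceeds rate
the curve is concave (m1 = umax/dmax, d = dmax, m2 = rate); otherwise it is
convex (m1 = 0, d = dmax - umax/rate, m2 = rate).  tc keeps rates in
bytes/second and times in microseconds, so the same units are used here.
"""
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class ServiceCurve:
    m1: int  # bytes/sec, slope of the first segment
    d: int   # microseconds, where the slope changes
    m2: int  # bytes/sec, slope after d

    def served_by(self, t_us: int) -> float:
        """Bytes the curve promises by t_us microseconds after the class became backlogged."""
        if t_us <= self.d:
            return self.m1 * t_us / 1e6
        return (self.m1 * self.d + self.m2 * (t_us - self.d)) / 1e6

    def tc_args(self) -> str:
        """Render in the bit-rate/millisecond form that `tc -s -d class` prints."""
        return f"m1 {self.m1 * 8}bit d {self.d / 1000:.1f}ms m2 {self.m2 * 8}bit"


def from_umax_dmax(umax_bytes: int, dmax_us: int, rate_bit: int) -> ServiceCurve:
    """umax bytes (e.g. one packet) must be served within dmax; rate becomes m2."""
    rate = rate_bit // 8  # tc's get_rate() yields bytes/sec
    if umax_bytes and not dmax_us:
        raise ValueError("umax given but dmax missing")
    if dmax_us and ceil(umax_bytes * 1e6 / dmax_us) > rate:
        # concave: the first segment is steeper than rate so the burst fits in dmax
        return ServiceCurve(m1=ceil(umax_bytes * 1e6 / dmax_us), d=dmax_us, m2=rate)
    # convex (or plain linear when umax == dmax == 0): idle for d, then run at rate
    d = ceil(dmax_us - umax_bytes * 1e6 / rate) if dmax_us else 0
    return ServiceCurve(m1=0, d=d, m2=rate)


def linear(rate_bit: int) -> ServiceCurve:
    """A plain rate with no m1/d, the form Andy uses for inner classes and the link."""
    return ServiceCurve(m1=0, d=0, m2=rate_bit // 8)


def fits_under(parent: ServiceCurve, children, horizon_us: int = 1_000_000) -> bool:
    """True if the sum of the children's curves never exceeds the parent's curve.

    Both sides are piecewise linear, so the difference can only dip lowest at
    t = 0, at a knee of either side, or at the horizon; those points suffice.
    """
    knees = {0, parent.d, horizon_us} | {c.d for c in children}
    return all(sum(c.served_by(t) for c in children) <= parent.served_by(t) + 1e-9
               for t in knees)


if __name__ == "__main__":
    # Constructed sample: a 200 kbit class that must get one 1500-byte packet
    # out within 100 ms (convex) or within 30 ms (concave).
    slow = from_umax_dmax(1500, 100_000, 200_000)
    fast = from_umax_dmax(1500, 30_000, 200_000)
    print("100 ms budget:", slow.tc_args())   # m1 0bit d 40.0ms m2 200000bit
    print(" 30 ms budget:", fast.tc_args())   # m1 400000bit d 30.0ms m2 200000bit
    # Both curves deliver exactly umax bytes at dmax, whichever shape tc picked.
    print(slow.served_by(100_000), fast.served_by(30_000))
    # Do the two siblings add up under a 512 kbit link curve?  Under 256 kbit?
    print(fits_under(linear(512_000), [slow, fast]), fits_under(linear(256_000), [fast]))
```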
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Wed Sep 27 02:06:42 2006
Subject: [LARTC] jdg-qos & DSL
Message-ID: <4519C114.3060400@andyfurniss.entadsl.com>

acid_burn@x-privat.org wrote:
> hi all!
>
> i have a dsl connection with 1280 kbps for downstream and 256 kbps for upstream, and i want to manage the bandwidth to give high priority to voip traffic and low priority to p2p traffic. i found the script jdg-qos. i read on this forum (i have a dsl-g604t router with MCMCC firmware)
> http://www.dslreports.com/forum/remark,16250220
> that the two parameters of the jdg-qos script (DWIFLIMIT and UPIFLIMIT) must be set a little less than the theoretical dsl downstream and upstream values (1280/256). but, how much less?
> what are the values i must assign to DWIFLIMIT and UPIFLIMIT?

For upstream it's possible to patch for atm overheads so you can in theory go really close to the limit. If you can't get the overheads right, how much you have to back off from rate depends on your traffic pattern wrt packet sizes. If you have lots of small packets you will need to back off more than if most traffic is bulk.

For ingress, it depends more on how much you care about latency. Shaping from the wrong end of the bottleneck is not nice. You may need to sacrifice 20 - 50 % depending on latency requirements and traffic type - lots of connections/bittorrent etc being harder to shape than a few.

Andy.

From abel.martin.ruiz at gmail.com Wed Sep 27 11:27:48 2006
From: abel.martin.ruiz at gmail.com (Abel Martín)
Date: Wed Sep 27 11:27:58 2006
Subject: [LARTC] Same ip address assigned to two interfaces...
In-Reply-To: <20060925153049.GA10828@sv.lnf.it>
References: <20060925153049.GA10828@sv.lnf.it>
Message-ID: <915136920609270227o7b75a937yd08cef2c08f62f20@mail.gmail.com>

On 9/25/06, Marco Gaiarin wrote:
>
> [I'm clearly not a network guru, but I have some knowledge... anyway I
> think I've arrived at my ``end point'' here. Probably I've also made
> some big mistake, so please forgive me.]
>
> I've set up in a local branch of my office two servers, say radagast
> (10.27.1.2) and olorin (10.27.1.3). They share the same UPS and the
> same place, sitting roughly 20 centimeters from each other.
> Network devices are in another room, not on UPSes, and so if there's a
> power loss, radagast complains that the UPS has disappeared.
> Also these two servers share a samba domain, and they synchronize each
> other (LDAP, some folders, some others nfs-mounted, ...).
>
> So I thought to simply put a gigabit ethernet on each of the two
> servers and link them together with a simple switched cable.
> Note that I'm not interested in bonding nor in some sort of
> ``failover'' configuration, only in linking them together.
>
> The first, for me, simple solution was to fire up the interfaces with
> the same IP and list an explicit link, so:
>
> on radagast (10.27.1.2 on eth0):
> ifconfig eth1 10.27.1.2 netmask 255.255.255.255 up
> route add -host 10.27.1.3 eth1
>
> on olorin (10.27.1.3 on eth0):
> ifconfig eth1 10.27.1.3 netmask 255.255.255.255 up
> route add -host 10.27.1.2 eth1
>
> and with this simple solution all seems to work. Seems.
> After some ``hot calls'' I discovered that some services (I
> tested squid and the openldap server) simply do not communicate
> anymore; digging with tcpdump revealed the problem: olorin accesses the squid
> proxy on radagast via the eth1 interfaces, but the reply comes out on eth0, so olorin's
> kernel drops the packet (I've not enabled log_martian, but I think it was
> interesting ;).

Hi,

Did you try using ip from the iproute tools, which is a much more advanced tool than ifconfig and route? I think your problem is at the link layer and may have to do with ARP resolution. Check the neighbour object of the ip command. With this you can bind an IP address to a MAC address, which I think is your problem: sometimes the ARP resolution that your hosts perform results in different MAC addresses.

In any case I must tell you I don't like this workaround. It makes no sense, to be honest. Having a host with two NICs with the same IP seems a horrible setup to me. Why don't you use a different network for the link between these two hosts? Why do you need this link? You wouldn't have routing nor ARP resolution problems. From your words I think you only want a direct link between these two hosts.

From nnn at vsu.by Wed Sep 27 11:56:41 2006
From: nnn at vsu.by (Nikolay Nikolaev)
Date: Wed Sep 27 11:56:50 2006
Subject: [LARTC] broadcast forwarding
Message-ID: <451A4AD9.4020701@vsu.by>

Hi All.

How can I do the subj, from one subnet to another subnet? I think ip route maybe must help me.... but I don't understand how?

thx.

From Jon.J.Flechsenhaar at boeing.com Wed Sep 27 19:30:05 2006
From: Jon.J.Flechsenhaar at boeing.com (Flechsenhaar, Jon J)
Date: Wed Sep 27 19:30:15 2006
Subject: FW: [LARTC] 2.6.14 - HTB/SFQ QoS broken?
Message-ID: <0E24ED2A7F9AA349A8633E6A56A64BE0027A80C4@XCH-SW-2V1.sw.nos.boeing.com>

Please see below

Jon Flechsenhaar
Boeing WNW Team
Network Services
(714)-762-1231
202-E7

-----Original Message-----
From: Flechsenhaar, Jon J
Sent: Wednesday, September 27, 2006 9:35 AM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] 2.6.14 - HTB/SFQ QoS broken?

Jody:

I don't know if you answer basic HTB questions but I'll try anyway. I'm implementing AF and EF with a root rate of 500 kbps (kilo bits per second). I am using DSMARK to classify packets. I'm implementing this on two different hardware sets, PPC and x86, with the same kernel options configured.

Problem:

My root rate is going about 75 kbps over its 500kbps limit (ceil 500). I believe this is because of burst and cburst settings. I am using default calculations now. Is there a formula to use in tweaking these values? I would like my rates to follow the assigned rate more closely.

I am generating traffic with a hardware traffic generator. Starting at 300 kbps stepping by 100 kbps up to 1mbps. Each step lasts for 60 sec.

My config script is attached. Thanks.

Jon

-------------- next part --------------
A non-text attachment was scrubbed...
Name: diffserv9-26-gred
Type: application/octet-stream
Size: 8579 bytes
Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20060927/9efeecb8/diffserv9-26-gred.obj

From Jon.J.Flechsenhaar at boeing.com Wed Sep 27 19:39:13 2006
From: Jon.J.Flechsenhaar at boeing.com (Flechsenhaar, Jon J)
Date: Wed Sep 27 19:39:38 2006
Subject: [LARTC] HTB root rate allowing to much of a burst
Message-ID: <0E24ED2A7F9AA349A8633E6A56A64BE0027A80C5@XCH-SW-2V1.sw.nos.boeing.com>

Please see below

Jon Flechsenhaar
Boeing WNW Team
Network Services
(714)-762-1231
202-E7

-----Original Message-----
From: Flechsenhaar, Jon J
Sent: Wednesday, September 27, 2006 10:30 AM
To: lartc@mailman.ds9a.nl
Subject: FW: [LARTC] 2.6.14 - HTB/SFQ QoS broken?

Please see below

-----Original Message-----
From: Flechsenhaar, Jon J
Sent: Wednesday, September 27, 2006 9:35 AM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] 2.6.14 - HTB/SFQ QoS broken?

Jody:

I don't know if you answer basic HTB questions but I'll try anyway. I'm implementing AF and EF with a root rate of 500 kbps (kilo bits per second). I am using DSMARK to classify packets. I'm implementing this on two different hardware sets, PPC and x86, with the same kernel options configured.

Problem:

My root rate is going about 75 kbps over its 500kbps limit (ceil 500). I believe this is because of burst and cburst settings. I am using default calculations now, on all classes. Is there a formula to use in tweaking these values? I would like my rates to follow the assigned rate more closely.

I am generating traffic with a hardware traffic generator. Starting at 300 kbps stepping by 100 kbps up to 1mbps. Each step lasts for 60 sec.

My config script is attached. Thanks.

Jon

-------------- next part --------------
A non-text attachment was scrubbed...
Name: diffserv9-26-gred
Type: application/octet-stream
Size: 8579 bytes
Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20060927/7650796e/diffserv9-26-gred-0001.obj

From kinema at gmail.com Wed Sep 27 22:22:25 2006
From: kinema at gmail.com (Adam Hunt)
Date: Wed Sep 27 22:22:32 2006
Subject: [LARTC] multilink/multiprovider load balancing

Lately I've been entertaining the idea of setting up a neighborhood network (wireless and possibly some wired). I have a few neighbors who subscribe to your typical consumer grade broadband connection (e.g. Comcast cable or Verizon DSL) and a number of neighbors with no connectivity or who are still stuck on dial-up. Currently I'm sharing my connection with my nearest neighbor but I'd like to expand the network and incorporate the uplinks of the willing. I'm no networking guru but I'm pretty sure this is entirely possible with Linux's networking capabilities.

I've taken a look at the LARTC HOWTO and found the "Routing for multiple uplinks/providers" section very helpful. What I would like to know is if this is still the best way to accomplish what is described. I know that the state of Linux networking changes rapidly and I wasn't sure how up to date this section is. I know that there have been advances in projects such as LVS where I can possibly see IPVS being useful (I may be wrong, like I said I'm no guru).

So, assuming I have a Linux server (e.g. Linksys WRT54G) at each cable or DSL uplink, is the method described in the HOWTO still what I should be looking at? If this is the solution I should be looking at, it would seem that I would need to build tunnels from each one of the uplinks to a central gateway, as the documentation assumes that all the uplinks are local to the gateway/router. Is there any way around this?

Thank you for your help. Assuming that I manage to get something like this up and running I do plan on writing detailed documentation for others who may be interested in setting up a similar headache.

--adam

From zealot0630 at gmail.com Wed Sep 27 22:52:47 2006
From: zealot0630 at gmail.com (Zealot)
Date: Wed Sep 27 22:52:59 2006
Subject: [LARTC] How to use different path for INCOME and OUTGOING package ?
Message-ID: <451AE49F.4090602@gmail.com>

There are 3 computers.

A-------------B--------------C

I want the outgoing packages of B to go to C, and to receive the responding packages from A.

As soon as I insert the routing entry:

 ip route add 10.0.0.0/8 via C src B dev BC

B seems to stop receiving packages from A. Using tcpdump on B, I can get the package. But it seems that the kernel checks the routing table, and finds that the source address of the package coming from A is not in the routing table of B to A (actually, it is in the table of B to C), then the package is dropped.

How do I configure the kernel not to drop the package?

From zealot0630 at gmail.com Wed Sep 27 23:04:07 2006
From: zealot0630 at gmail.com (Zealot)
Date: Wed Sep 27 23:04:21 2006
Subject: [LARTC] ipp2p patch for kernel 2.6.17.4
Message-ID: <451AE747.3080506@gmail.com>

Get the newest pom-ng. Then

 ./runme --download
 ./runme external

You will get the correct patch for 2.6.17.

From zealot0630 at gmail.com Wed Sep 27 23:07:14 2006
From: zealot0630 at gmail.com (Zealot)
Date: Wed Sep 27 23:07:23 2006
Subject: [LARTC] ipp2p patch for kernel 2.6.17.4
Message-ID: <451AE802.30706@gmail.com>

I'm sorry, I misunderstood your post :-(

From zealot0630 at gmail.com Wed Sep 27 23:14:41 2006
From: zealot0630 at gmail.com (Zealot)
Date: Wed Sep 27 23:14:52 2006
Subject: [LARTC] How to use different path for INCOME and OUTGOING package ?
Message-ID: <451AE9C1.6000104@gmail.com>

I got it. I had mistakenly enabled rp_filter.

From imthiyaz at peopletech.co.in Thu Sep 28 07:49:45 2006
From: imthiyaz at peopletech.co.in (imthiyaz@peopletech.co.in)
Date: Thu Sep 28 07:51:21 2006
Subject: [LARTC] two isp issues
Message-ID: <380-22006942854945984@M2W022.mail2web.com>

I am using three ethernet cards, eth0, eth1, eth2; eth0 and eth2 are connected to two different ISPs and eth1 is connected to the local LAN. I am trying to route all the mail traffic to eth1 and I have followed the lartc doc. But it seems the solution does not work for me. Is there a way I could connect two different ISPs in one linux box with different gateway addresses and DNS?

Thanks
Imthiyaz

From lists at andyfurniss.entadsl.com Thu Sep 28 16:42:40 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Thu Sep 28 16:42:21 2006
Subject: [LARTC] HTB root rate allowing to much of a burst
In-Reply-To: <0E24ED2A7F9AA349A8633E6A56A64BE0027A80C5@XCH-SW-2V1.sw.nos.boeing.com>
References: <0E24ED2A7F9AA349A8633E6A56A64BE0027A80C5@XCH-SW-2V1.sw.nos.boeing.com>
Message-ID: <451BDF60.5060706@andyfurniss.entadsl.com>

Flechsenhaar, Jon J wrote:
>
> I don't know if you answer basic HTB questions but I'll try anyway. I'm
> implementing AF and EF with a root rate of 500 kbps (kilo bits per
> second). I am using DSMARK to classify packets. I'm implementing this
> on two different hardware sets, PPC and x86, with the same kernel options
> configured.
>
> Problem:
>
> My root rate is going about 75 kbps over its 500kbps limit (ceil 500).

How are you measuring - htb and rate estimators see packets on eth as iplen + 14.

> I believe this is because of burst and cburst settings. I am using
> default calculations now, on all classes. Is there a formula to use in
> tweaking these
> values? I would like my rates to follow the assigned rate more closely.

Hz and a compile time header change - HYSTERESIS 0 in net/sched/sched_htb.c also affect accuracy.

>
> I am generating traffic with a hardware traffic generator. Starting at
> 300 kbps stepping by 100 kbps up to 1mbps. Each step lasts for 60 sec.

Could give different results to normal tcp I suppose.

>
>
> My config script is attached. Thanks.

tbf latency 0.01 on 256kbit is too short for a buffer; IIRC it gets rounded up so at least mtu packets get through.

I get an error on your script with iproute2-ss060323 and 2.6.17.11/7

++ /usr/sbin/tc qdisc change dev eth0 parent 2:20 gred DP 3 limit 60kb min 10kb max 20kb avpkt 1500 burst 9 bandwidth 500kbit probability 0.06 prio 4
RTNETLINK answers: Invalid argument

after each DP 3 on each gred.

Andy.

From e1605projecter at yahoo.com Thu Sep 28 20:20:48 2006
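Andy's two accounting points, that HTB sees an ethernet packet as iplen + 14 and that its rate table is only exact when that length divides by the table cell, as an added Python check that is not code from the posts, from iproute2 or from the kernel. The lookup model (length shifted right by cell_log, hence rounded down) and tc's default table mtu of 1600 are my reading of the 2006-era code and are assumptions; the payload and MTU values are the ones Andy gives in his earlier reply (ping -s 54 vs 56, mtu 1498 vs 1500).

```python
"""HTB rate-table granularity on ethernet: HTB accounts a packet as ip_len + 14,
and the table it consults is exact only when that on-wire length is a multiple
of the cell size (8 bytes for a ~1500-byte MTU, because tc grows cell_log until
mtu >> cell_log fits in the table's 256 entries).

Added example, not code from the LARTC posts, iproute2 or the kernel.  The
lookup model is an assumption (my reading of the 2006-era code): the length is
shifted right by cell_log to pick an entry, so it is rounded down to the cell
and a class carrying odd-sized packets sends slightly more than configured.
"""
ETH_HDR = 14   # ethernet header: counted by HTB, absent from the IP length field
IP_HDR = 20    # IPv4 header without options
ICMP_HDR = 8   # ICMP echo header, so `ping -s N` gives ip_len = N + 28


def htb_cell_log(mtu: int = 1600) -> int:
    """Smallest cell_log with (mtu >> cell_log) <= 255, as tc picks for a rate table.

    1600 is, to my knowledge, tc's default table mtu for HTB; it yields cell_log 3.
    """
    cell_log = 0
    while (mtu >> cell_log) > 255:
        cell_log += 1
    return cell_log


def accounted_len(wire_len: int, cell_log: int = 3) -> int:
    """On-wire length rounded down to the table cell (assumed 2006-era lookup)."""
    if wire_len < (1 << cell_log):
        raise ValueError("frame shorter than one rate-table cell")
    return (wire_len >> cell_log) << cell_log


def rate_error(ip_len: int, cell_log: int = 3) -> float:
    """Fraction by which a class of ip_len-byte packets overshoots its configured rate.

    0.0 means the table is exact for this size; 0.0013 means 0.13 % over.
    """
    wire = ip_len + ETH_HDR
    return wire / accounted_len(wire, cell_log) - 1.0


def ping_payload_is_exact(payload: int, cell_log: int = 3) -> bool:
    """True if `ping -s payload` produces frames HTB accounts exactly."""
    return rate_error(payload + ICMP_HDR + IP_HDR, cell_log) == 0.0


def exact_ping_payloads(lo: int, hi: int, cell_log: int = 3) -> list:
    """All `ping -s` sizes in [lo, hi] that HTB accounts exactly."""
    return [s for s in range(lo, hi + 1) if ping_payload_is_exact(s, cell_log)]


if __name__ == "__main__":
    # The default ping payload of 56 is off by two bytes per frame; 54 is exact.
    for payload in (56, 54):
        print(f"ping -s {payload}: exact={ping_payload_is_exact(payload)}")
    # A 1500-byte MTU gives 1514-byte frames, accounted as 1512; 1498 is exact.
    for mtu in (1500, 1498):
        print(f"mtu {mtu}: rate error {rate_error(mtu) * 100:.3f} %")
    print("exact ping payloads 48..96:", exact_ping_payloads(48, 96))
```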
From: e1605projecter at yahoo.com (Thossapron Apinyapanha)
Date: Thu Sep 28 20:20:56 2006
Subject: [LARTC] please reply as soon as you can about HFSC bandwidth
Message-ID: <20060928182048.74352.qmail@web35507.mail.mud.yahoo.com>

I have an important question about the bandwidth allocation statistics shown when I use "tc -s -d class ls dev eth2".

At first, before testing, I thought the "work" parameter from this command was the real bandwidth in each class, but when I calculate with this parameter ... it's too big a number ... like it's not a bandwidth rate, and it may be some number that I don't know what it is. If "work" and "rtwork" are bandwidth in each class, then there must be a specific method to calculate it ... so how is it done??

I'm in doubt about the "rtwork" value along my test. It has the same number ... I don't know what it means??? And why does the "work" value, each time I use "tc -s -d class ls dev eth2", have the same number in all classes, but the next time that value changes to another number? What does it mean???

shaper@ubuntu:~$ tc -s -d class ls dev eth2
class hfsc 1: root
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 period 3223398930 work 14505631817980074884 bytes rtwork 14544911558267371524 bytes level 3377421952
class hfsc 1:11 parent 1:1 leaf 11: rt m1 12000bit d 100.0ms m2 200000bit ls m1 0bit d 0us m2 200000bit ul m1 0bit d 0us m2 350000bit
 Sent 252678 bytes 3405 pkts (dropped 0, overlimits 0)
 period 3223398930 work 14505631817980074884 bytes rtwork 14544911558267371524 bytes level 3377421952

thank you

raku

From nagisaliba at hotmail.com Fri Sep 29 10:52:36 2006
From: nagisaliba at hotmail.com (nagi saliba) Date: Fri Sep 29 10:52:51 2006 Subject: [LARTC] urgent problem Message-ID:

Hi all,

I am very new to traffic control. I read the LARTC HOWTO and I am currently using the script in ch15 (cookbook) with some restrictions: I excluded the ingress section and I implemented the rest on both interfaces of my firewall (eth0 the internet interface and eth1 the LAN interface). Find below the script used on eth1 (ssh priority one and all other traffic priority 2):

##################################### Egress on eth1: the LAN interface #######################################
# $TC (path to the tc binary) and $UPLINK (rate in kbit) are set earlier in
# the full cookbook script and are not shown in this excerpt.
DEV=eth1

# install root HTB, point default traffic to 1:20
$TC qdisc add dev $DEV root handle 1: htb default 20

# shape everything at $UPLINK speed - this prevents huge queues in your DSL modem which destroy latency:
$TC class add dev $DEV parent 1: classid 1:1 htb rate ${UPLINK}kbit burst 6k

# high prio class 1:10:
$TC class add dev $DEV parent 1:1 classid 1:10 htb rate ${UPLINK}kbit burst 6k prio 1

# bulk & default class 1:20 - gets slightly less traffic and a lower priority:
$TC class add dev $DEV parent 1:1 classid 1:20 htb rate 64kbit ceil ${UPLINK}kbit burst 3k prio 2

# both get Stochastic Fairness:
$TC qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 10
$TC qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10

# TOS Minimum Delay (ssh, NOT scp) in 1:10:
$TC filter add dev $DEV parent 1:0 protocol ip prio 10 u32 match ip tos 0x10 0xff flowid 1:10
$TC filter add dev $DEV parent 1:0 protocol ip prio 1 u32 match ip dport 22 0xffff flowid 1:10
$TC filter add dev $DEV parent 1:0 protocol ip prio 1 u32 match ip sport 22 0xffff flowid 1:10

# ICMP (ip protocol 1) in the interactive class 1:10 so we can do measurements & impress our friends:
$TC filter add dev $DEV parent 1:0 protocol ip prio 10 u32 match ip protocol 1 0xff flowid 1:10

# To speed up downloads while an upload is going on, put ACK packets of the download in the interactive class:
$TC filter add dev $DEV parent 1: protocol ip prio 10 u32 \
    match ip protocol 6 0xff \
    match u8 0x05 0x0f at 0 \
    match u16 0x0000 0xffc0 at 2 \
    match u8 0x10 0xff at 33 \
    flowid 1:10

# rest is 'non-interactive', i.e. 'bulk', and ends up in 1:20
###################################################################################

The same on eth0 with DEV=eth0.

I tried the script in my lab using one PC as firewall with 2 eths, one connected to my LAN and the other to a PC simulating the internet, and everything worked fine. When implemented on my real fw connected to the internet I didn't get the desired result that I got in the test (the ssh or scp doesn't get the first priority ....). I am somewhat confused. Please, any help?

Regards
From alessandro.ren at opservices.com.br Fri Sep 29 15:39:34 2006
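The TOS and ACK filters in the cookbook script above are dense u32 byte matches, and when a script "works in the lab but not in production" the first thing to verify is which packets those matches actually select. The following is an added example (my own, not part of nagi's post or of the LARTC cookbook) that evaluates the same "match uN VALUE MASK at OFFSET" clauses in Python against constructed IPv4/TCP packets. The helper names (u32_match, classify, build_tcp_packet) and the sample packets are mine; the match values, masks and offsets are the ones from the script. It only models the TOS and ACK filters, not the port 22 and ICMP ones.

```python
import struct

# Added example, not from the thread. Evaluates tc u32 "match uN VALUE MASK
# at OFFSET" clauses against raw IPv4 packets. For a "protocol ip" u32 filter
# the offsets are relative to the start of the IP header, so offset 33 is
# byte 13 (the flags byte) of a TCP header that starts at byte 20.


def u32_match(packet: bytes, rules) -> bool:
    """rules: iterable of (width_bits, value, mask, offset), like tc's clauses.
    All clauses must match, exactly as they are ANDed in one u32 filter."""
    for width, value, mask, offset in rules:
        n = width // 8
        field = packet[offset:offset + n]
        if len(field) < n:
            return False            # packet too short to contain the field
        if int.from_bytes(field, "big") & mask != value & mask:
            return False
    return True


# "match ip protocol 6 0xff" is the same as "match u8 6 0xff at 9";
# the other three clauses are taken verbatim from the script.
ACK_FILTER = [
    (8, 6, 0xff, 9),            # IP protocol == TCP
    (8, 0x05, 0x0f, 0),         # IHL == 5: no IP options, TCP starts at byte 20
    (16, 0x0000, 0xffc0, 2),    # total length < 64: bits 15..6 of the length are 0
    (8, 0x10, 0xff, 33),        # TCP flags byte == ACK only (no SYN/FIN/PSH/RST)
]

# "match ip tos 0x10 0xff" is the same as "match u8 0x10 0xff at 1"
MINDELAY_FILTER = [(8, 0x10, 0xff, 1)]


def classify(packet: bytes) -> str:
    """Anything hit by one of the two interactive filters goes to 1:10,
    everything else falls through to the HTB default class 1:20."""
    if u32_match(packet, MINDELAY_FILTER) or u32_match(packet, ACK_FILTER):
        return "1:10"
    return "1:20"


def build_tcp_packet(payload_len: int, flags: int, ihl: int = 5, tos: int = 0) -> bytes:
    """Constructed IPv4+TCP packet for testing; checksums are deliberately 0."""
    ip_hdr_len = ihl * 4
    total_len = ip_hdr_len + 20 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, tos, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip += b"\x00" * (ip_hdr_len - 20)             # IP options, zero-filled
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 1, 1, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp + b"\x00" * payload_len


ACK, PSH, SYN = 0x10, 0x08, 0x02

if __name__ == "__main__":
    samples = {
        "pure ACK, 40 bytes":               build_tcp_packet(0, ACK),
        "ACK + 20 bytes data, no PSH":      build_tcp_packet(20, ACK),
        "ACK|PSH + 30 bytes data":          build_tcp_packet(30, ACK | PSH),
        "full MSS data segment":            build_tcp_packet(1460, ACK | PSH),
        "SYN":                              build_tcp_packet(0, SYN),
        "pure ACK with IP options (IHL 6)": build_tcp_packet(0, ACK, ihl=6),
        "1500-byte segment, TOS mindelay":  build_tcp_packet(1460, ACK | PSH, tos=0x10),
    }
    for name, pkt in samples.items():
        print(f"{name:36s} -> {classify(pkt)}")
```

Two things the run makes visible: the ACK filter is not strictly "pure ACKs only", since any options-free TCP packet shorter than 64 bytes whose flags byte is exactly ACK qualifies (a 20-byte interactive payload without PSH rides along), and a packet carrying IP options is never matched because the IHL clause fails and offset 33 no longer points at the flags byte.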
From: alessandro.ren at opservices.com.br (Alessandro Ren) Date: Fri Sep 29 15:39:49 2006 Subject: [LARTC] Problem with Load Balancing In-Reply-To: <4986F8D166F1E44CBA92A91C98ACAD5214CF36@sql_server> References: <4986F8D166F1E44CBA92A91C98ACAD5214CF36@sql_server> Message-ID: <451D2216.6090804@opservices.com.br>

The second connection will probably get routed through the same link because of the route cache, I think.

[]s.

William T Mullaney wrote:
> Well, if you had a download manager and the system at the other side allowed you to start your transfers in the middle of the file (which isn't out of the question) that could potentially work. The problem is that as far as I see, there's nothing to force the second connection onto the second line. It's been kind of a crap shoot which line gets more information. In theory you could start the first download stream (and it's routed to ISP A), then perhaps your email client goes out to check your POP account, so that goes over ISP B. The next connection, the second stream, now goes out over ISP B again. Honestly I don't know exactly how the equalize command for ip route works, though I would think it says to always use the "less used" connection (perhaps on PPS, BPS, % use, whatever, on a per second, 30 second, minute average?), but in my experience that and the weight options don't ever get you exactly 50/50 (or whatever you specify) traffic.
>
> Things like BitTorrent would probably perform better because there are (possibly) many streams for each file, as would having 50 people downloading files vs one. It seems to be just like rolling dice: if you only roll twice you might get two evens or two odds, but if you roll tons of times, you should tend to get a more even distribution.
>
> -Will
>
> -----Original Message-----
> From: Raj Mathur [mailto:raju@linux-delhi.org]
> Sent: Sunday, September 24, 2006 2:49 PM
> To: lartc@mailman.ds9a.nl
> Subject: RE: [LARTC] Problem with Load Balancing
>
> >>>>> "William" == William T Mullaney writes:
>
> William> To my knowledge, there is no way to download one file from two different connections connected to two different ISPs at the same time. If you are running BGP then you might be able to load balance across the two links, but that would require your upstream providers to allow you to use it, and possibly the purchase of a public AS number and IP address space depending on the setup. If you are doing NAT past this link (i.e. both of your lines go to the same ISP and same address blocks, but they want to give you 2x 10mb links for 20mb total), then you can look at doing load balancing on layer 2 (Fast EtherChannel, bonding, Link Aggregation Groups, whatever), or creating 2 PPP style links between the computers and using a routing protocol like OSPF, EIGRP (but not on Linux) or something. I believe OSPF does equal cost load balancing; BGP and EIGRP can, I think, do unequal cost load balancing. But either way, I don't think that's the solution in your case.
>
> William> The only other option I can think of would be some sort of software that sends every other packet to a different IP or something, which would need to run at the end you are downloading at or maybe at your ISPs, but I can't think of anything like that.
>
> Wouldn't some download manager software that splits the file up into multiple simultaneous downloads do the trick? Agreed, not a single download across multiple ISPs, but definitely a single file across multiple ISPs.
>
> Regards,
>
> -- Raju
> --
> Raj Mathur raju@kandalaya.org http://kandalaya.org/
> GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
> It is the mind that moves
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
From J.Kraaijeveld at Askesis.nl Sat Sep 30 22:30:26 2006
From: J.Kraaijeveld at Askesis.nl (Joost Kraaijeveld) Date: Sat Sep 30 22:30:29 2006 Subject: [LARTC] Bandwidth management on intermediate router mac address Message-ID:

Hi,

Is it possible to manage bandwidth based on the MAC address of a router that sits between two machines? E.g. dest <--> bandwidth management <--> router <--> source

Regards,

Joost Kraaijeveld
Askesis B.V.
Molukkenstraat 14
6524NB Nijmegen
tel: 024-3888063 / 06-51855277
fax: 024-3608416
e-mail: J.Kraaijeveld@Askesis.nl
web: www.askesis.nl