From: gypsy at iswest.com (gypsy)
Date: Sun Oct 1 22:29:07 2006
Subject: [LARTC] mrtg monitoring shaped traffic
Message-ID: <452024FA.83BE387@iswest.com>

Dave,

In a post to LARTC on 18 Sep 06 you said "I run MRTG on all outbound traffic".

I'm a newbie with respect to mrtg. I have rrdtool and mrtg built on my Linux box but I have no SNMP, so "nothing works".

Could you please provide basic instructions for implementing mrtg with respect to traffic shaping? What is needed? Net-SNMP? OpenSNMP? If yes, what is SNMP used for and how is it configured to provide information for traffic shaping? Please also provide whatever configuration is appropriate for mrtg.

How does one "make the resulting graphs fairly public"? Abuse is not an issue, but seeing how much traffic is in which queue is vital.

Thanks for any help.
-- 
gypsy


From: dor at ldc.net (Dmytro O. Redchuk)
Date: Mon Oct 2 17:58:47 2006
Subject: [LARTC] py-htbstat
Message-ID: <20061002153305.GM3426@ldc.net>

Hi all,

updated py-htbstat: http://www2.ldc.net/~dor/py-htbstat/

Some screenshots: http://www2.ldc.net/~dor/py-htbstat/shots/shots.html

It's now possible to use classids in the form 'xxxx:xxxx' (actually I don't know why I made it use '1:xxxx' only :-)

-- 
Dmytro O. Redchuk

From: shemminger at osdl.org (Stephen Hemminger)
Date: Mon Oct 2 22:56:00 2006
Subject: [LARTC] [ANNOUNCE] iproute2-2.6.18-061002
Message-ID: <20061002135552.4acb6892@freekitty>

This is a much delayed update to the iproute2 command set.
It can be downloaded from:
  http://developer.osdl.org/dev/iproute2/download/iproute2-2.6.18-061002.tar.gz

Repository:
  git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git

For more info on iproute2 see:
  http://linux-net.osdl.org/index.php/Iproute2

The version number includes the kernel version to denote what features are supported. The same source should build on older systems, but obviously the newer kernel features won't be available. As much as possible, this package tries to be source compatible across releases.

Summary of changes:
 - converted to git
 - build fixes for some distributions
 - bug fix for xfrm monitor
 - alignment fixes for cris
 - documentation corrections
 - many small bug fixes
 - new tc monitor mode

Contributors to this release:
  Jamal Hadi Salim
  Patrick McHardy
  Andy Gay
  Jesper Dangaard Brouer
  Vince Worthington

Git changelog is a bit of a mess, so if I missed your name, sorry.

From: bclark at eccotours.co.za (Brent Clark)
Date: Tue Oct 3 13:48:04 2006
Subject: [LARTC] Cant get transparent proxy to route out new ISP.
Message-ID: <45224E2C.9050503@eccotours.co.za>

Hi all

Could someone please help me with my current setup.

I just got another DSL line and I have my routing and marking of the packets etc. set up so that I can decide the fate as to which ISP I would like to route my traffic out of.

I managed to get squid to be used as a transparent proxy, but I'm forced to use the default gw of the machine and for the life of me I can't figure out how to send traffic out the new ISP.

So my question / request for help is: would anyone please advise me as to how I can choose which ISP I can route my transparent proxy through.

I was thinking that maybe it is a POSTROUTING marking that I need to do, and then the routing tables will take care of the rest.

Kind Regards and thank you in advance.

Brent Clark


From: hi100nu at yahoo.com (sonu chouhan)
Date: Tue Oct 3 19:18:25 2006
Subject: [LARTC] ipp2p not work in iptables-1.3.6
In-Reply-To: <20061003100005.7C2794067@outpost.ds9a.nl>
Message-ID: <20061003171815.54564.qmail@web32506.mail.mud.yahoo.com>

hi all,

I have compiled iptables 1.3.6 on my Red Hat Enterprise Linux 4 box with kernel 2.6.16.17, but in this setup ipp2p-0.8.2 is not working after the upgrade of iptables from 1.3.5 to 1.3.6, so please help me out.

thanks in advance

sonu...

From: bclark at eccotours.co.za (Brent Clark)
Date: Wed Oct 4 12:17:31 2006
Subject: [LARTC] SNMP to detect that a Cisco router....
Message-ID: <45238A7A.8060604@eccotours.co.za>

Hey all

Would anyone know how you use SNMP to detect that a Cisco router is using an alternative (redundant) interface and then change the routing settings on your firewall.

Kind Regards
Brent Clark


From: cleber at digitel.com.br (cleber@digitel.com.br)
Date: Wed Oct 4 12:56:49 2006
Subject: [LARTC] SNMP to detect that a Cisco router....

Hi dear,

If I understand, you're trying to change a varbind (Cisco SNMP variable) of your Cisco router through the SNMP command. So, in this case you can run an SNMPWALK command to learn all varbinds (OIDs) and afterwards change the specific varbind using the SNMPSET command as you want.

Oh, first of all you need to enable the SNMP protocol in your Cisco router.

Best regards,

Cleber De Conto Pettinelli
Pre-Sales Engineer
Phone: +55 51 3358 3130
Mobile: +55 51 9256 4879
SIP: cleber@voip.digitel.com.br
Skype: cleberpettinelli
MSN: cleberpettinelli@hotmail.com
E-mail: cleber@digitel.com.br
Web: http://www.digitel.com.br
DIGITEL S/A INDÚSTRIA ELETRÔNICA

From: jcarneiro at dls.pt (Joao Carneiro - DLS)
Date: Wed Oct 4 13:06:07 2006
Subject: [LARTC] SNMP to detect that a Cisco router....
In-Reply-To: <45238A7A.8060604@eccotours.co.za>

Hi there,

I believe that you could use SNMP traps from your Cisco router to notify your system and then have a script that would take the proper action.

This message (and any associated files) is intended only for the use of bclark@eccotours.co.za, lartc@mailman.ds9a.nl, and may contain information that is confidential, subject to copyright or constitutes a trade secret. If you are not the intended recipient you are hereby notified that any dissemination, copying or distribution of this message, or files associated with this message, is strictly prohibited. If you have received this message in error, please notify us immediately by replying to jcarneiro@dls.pt, and deleting it from your computer. Thanks


From: sawar at interia.pl (sAwAr)
Date: Wed Oct 4 21:05:57 2006
Subject: [LARTC] Intel or AMD is better processor for router (800+ users)
Message-ID: <20061004190542.02D884B321C@poczta.interia.pl>

Hi

I would like to ask you which processor is the better solution for a router? Please explain briefly why.

I have about 800 users. For each I create 2 htb classes and 4 filters. Moreover the router has a dhcp server and lots of iptables rules.

I'm interested in a P4 3GHz HT and an AMD Athlon 64 3000+. What is the better choice for my needs? What parameters of processors are important: clock, cache, fsb or something else?

Thanks in advance

Regards
Szymon Turkiewicz

From: dunadanmontaraz at hotmail.com (Roberto Scattini)
Date: Wed Oct 4 22:45:32 2006
Subject: [LARTC] traffic shaping

hi everyone:

does anybody know a way of shaping DHCP clients' bandwidth?

the only way of doing this that I know is using pppoe-server and limiting the ppp interface, but it seems to be a somewhat problematic protocol for me. I'm looking for a solution that doesn't require too many changes on the client either.

my search in google led me to a strange white paper from juniper networks, introducing a protocol that they call IPoE (IP over Ethernet) that is a combination of DHCP and 802.1x. this seems to be something similar to what I'm looking for, but I still haven't found a way of limiting each client's bandwidth.

is anyone working with something similar?

thanks in advance

Roberto Scattini

From: surda at shurdix.com (Peter Surda)
Date: Wed Oct 4 23:22:05 2006
Subject: [LARTC] SNMP docs
Message-ID: <452425F8.6000403@shurdix.com>

Hello,

I apologise for misusing this mailing list, but I noticed that similar questions are being asked and there are people that might have the necessary answer for my problem. If you think this is OT, you are welcome to reply privately.

To make it short, I need to initiate port reauthentication on switches (HP Procurve, but I think this may be standardised to some extent) via SNMPv3. I assume this is possible, but can't find the proper documentation.

To explain this in a little more detail, I want to do per SNMP what the following does over ssh/telnet (assuming I want to do it on port "A1" and I am able to find out that "A1" is port #1):

-----------------------------
config
aaa port-access supplicant A1 initialize
aaa port-access web-based A1 reauthenticate
aaa port-access mac-based A1 reauthenticate
-----------------------------

I already have some perl code to do snmp writes, I just can't find what variable and value to use for this purpose. Sometimes the access policy for a user changes and I want it to be enforced immediately, not after (s)he reboots or the auto refresh kicks in.

PS. don't tell me to use the HP program (PCM/IDM/whatever).

Yours sincerely,

Peter

-- 
http://www.shurdix.org - Linux distribution for routers and firewalls

From: c-d.hailfinger.devel.2006 at gmx.net (Carl-Daniel Hailfinger)
Date: Wed Oct 4 23:33:59 2006
Subject: [LARTC] [ANNOUNCE] iproute2-2.6.18-061002
In-Reply-To: <20061002135552.4acb6892@freekitty>
References: <20061002135552.4acb6892@freekitty>
Message-ID: <452428E0.8050003@gmx.net>

Stephen Hemminger wrote:
> This is a much delayed update to the iproute2 command set.
> It can be downloaded from:
> http://developer.osdl.org/dev/iproute2/download/iproute2-2.6.18-061002.tar.gz

Thanks!

Are there any plans to merge the "ip arp" patches at http://www.ssi.bg/~ja/#iparp ? Apologies if this has already been rejected before. Searching the archives I couldn't find such a discussion.

Regards,
Carl-Daniel
-- 
http://www.hailfinger.org/


From: shemminger at osdl.org (Stephen Hemminger)
Date: Thu Oct 5 00:00:20 2006
Subject: [LARTC] [ANNOUNCE] iproute2-2.6.18-061002
In-Reply-To: <452428E0.8050003@gmx.net>
References: <20061002135552.4acb6892@freekitty> <452428E0.8050003@gmx.net>
Message-ID: <20061004121819.65594372@freekitty>

On Wed, 04 Oct 2006 23:34:24 +0200 Carl-Daniel Hailfinger wrote:
> Are there any plans to merge the "ip arp" patches at
> http://www.ssi.bg/~ja/#iparp ? Apologies if this has already
> been rejected before. Searching the archives I couldn't find
> such a discussion.

When the kernel patches are accepted by the mainline kernel, then I'll update iproute2.

-- 
Stephen Hemminger

From: Jon.J.Flechsenhaar at boeing.com (Flechsenhaar, Jon J)
Date: Thu Oct 5 01:30:02 2006
Subject: [LARTC] QoS HTB burst and cburst parameters-FLEX
Message-ID: <0E24ED2A7F9AA349A8633E6A56A64BE0027A80D9@XCH-SW-2V1.sw.nos.boeing.com>

All:

Does anyone know what the burst and cburst parameters do? My understanding so far:

 * I see a lot of different definitions on the web. It seems like burst is the number of bytes sent before serving other queues/classes. So if burst was 1000 bytes and the class rate was 100kibit per second, it would send 1000 bytes each time the scheduler services that queue, up to a rate of 100 kbit per second?

Also does anyone know how the burst and cburst parameters are configured by default?

 * Looking for a formula and all the parts to come up with the automatically configured number that is shown with the below command
 * "tc -s -d class show dev eth1"

Thanks

Jon Flechsenhaar
Boeing WNW Team
Network Services
(714)-762-1231
202-E7

From: martin at linux-ip.net (Martin A. Brown)
Date: Thu Oct 5 02:58:01 2006
Subject: [LARTC] QoS HTB burst and cburst parameters-FLEX
In-Reply-To: <0E24ED2A7F9AA349A8633E6A56A64BE0027A80D9@XCH-SW-2V1.sw.nos.boeing.com>
References: <0E24ED2A7F9AA349A8633E6A56A64BE0027A80D9@XCH-SW-2V1.sw.nos.boeing.com>

Greetings Jon,

 : Does anyone know what the burst and cburst parameter do?

Consider the burst parameter the bucket used until an HTB class is transmitting at its rate. Consider the cburst parameter the bucket used when an HTB class is transmitting at or above rate, but below ceil.

 : * I see a lot of different definitions on the web. It seems like
 : burst is the number of bytes sent before serving other
 : queues/classes. So if burst was 1000 bytes and class rate was
 : 100kibit per second. It would send 1000 bytes each time the
 : scheduler service that queue to a rate of 100 kbit per second?

Here's how I would succinctly describe the interrelationships between burst, quantum, cburst and the scheduling algorithm:

A given leaf class is transmitting below rate
=============================================
Each time our leaf class has the opportunity to dequeue packets, it will dequeue as many packets as possible until it reaches burst.

A given leaf class is transmitting above rate
=============================================
Each time our leaf class has the opportunity to dequeue packets, it will dequeue quantum packets and yield its turn to the next class. This prevents a single class from starving its sibling classes for borrowing from the parent.

 : Also does anyone know how the burst and cburst parameters are
 : configured by default?

This, I cannot answer for you.

You may find my longer description of the borrowing model and HTB in general useful [0], and in particular the diagram [1] may be helpful for visualizing the system; however, for your needs I would recommend that you study the results that Stef Coene posted several years ago on the use of burst and cburst [2].

Best of luck,

-Martin

 [0] http://tldp.org/HOWTO/Traffic-Control-HOWTO/classful-qdiscs.html#qc-htb
 [1] http://linux-ip.net/traffic-control/htb-class.png
     http://linux-ip.net/traffic-control/htb-class.pdf
 [2] http://www.docum.org/docum.org/tests/htb/burst/

-- 
Martin A. Brown
http://linux-ip.net/

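A worked model of the two buckets Martin describes, added here as an example; it is not code from this thread, from Martin, or from the HTB implementation. It keeps a `tokens` bucket refilled at `rate` and capped at `burst`, and a `ctokens` bucket refilled at `ceil` and capped at `cburst`, charges every packet to both (as HTB does), and decides the class mode in HTB's order: an empty ceil bucket means the class cannot send at all, a rate bucket that covers the packet means it sends from its own rate, and anything in between means it may only borrow from its parent. The 1 ms clock, the queue that never empties, the equal-size packets and the whole-packet accounting are simplifications of this model (HTB lets a bucket dip slightly negative instead of demanding a whole packet's worth). Running it shows the effect Jon was asking about: in its first second a 100 kbit/s class with a 1600-byte burst gets out roughly one second of rate plus the burst, a 16000-byte burst adds ten times as much on top, and with ceil 200 kbit/s and cburst 3200 the same class sends as much again by borrowing, but only while the parent has something to lend. On Jon's second question, which Martin leaves open: when burst or cburst is not given on the command line, iproute2's tc derives it as rate/HZ plus the MTU (1600 bytes unless specified), and that derived value, rounded to the clock resolution, is what `tc -s -d class show` then reports.

```python
"""Dual token-bucket model of one HTB leaf class (added example, not HTB's code).

`tokens` is the bucket Martin calls burst: filled at `rate`, never holding
more than `burst` bytes. `ctokens` is the cburst bucket: filled at `ceil`,
capped at `cburst`. As in HTB, every packet sent is charged to both. The
class mode follows HTB's ordering: the ceil bucket gates everything, a
rate bucket that covers the packet means "send from own rate", otherwise
the class may only borrow from its parent.

Assumptions for the sake of a small model: a 1 ms clock, a queue that
never empties, equal-size packets, and whole-packet accounting (HTB lets a
bucket dip slightly negative instead of demanding a whole packet's worth).
"""


def simulate(rate_bps, burst, ceil_bps, cburst, pkt, seconds, parent_lends=True):
    """Return (bytes sent within rate, bytes borrowed above rate) over `seconds`."""
    rate_step = rate_bps / 8 / 1000.0     # bytes added to `tokens` per 1 ms step
    ceil_step = ceil_bps / 8 / 1000.0     # bytes added to `ctokens` per 1 ms step
    tokens, ctokens = float(burst), float(cburst)   # both buckets start full
    own = borrowed = 0
    for _ in range(int(seconds * 1000)):
        # Dequeue for as long as the buckets allow; the backlog never runs out.
        while ctokens >= pkt:             # CANT_SEND once the ceil bucket is empty
            if tokens >= pkt:             # CAN_SEND: still within rate
                tokens -= pkt
                own += pkt
            elif parent_lends:            # MAY_BORROW: between rate and ceil
                borrowed += pkt
            else:                         # parent has nothing to lend
                break
            ctokens -= pkt                # every packet is charged to the ceil bucket
        # Refill for this step; a bucket never holds more than burst / cburst.
        tokens = min(float(burst), tokens + rate_step)
        ctokens = min(float(cburst), ctokens + ceil_step)
    return own, borrowed


def bytes_in_one_second(rate_bps, burst, ceil_bps=None, cburst=None, pkt=1000):
    """Total bytes a backlogged class gets out in its first second."""
    if ceil_bps is None:                  # tc's default: ceil = rate, so cburst = burst
        ceil_bps, cburst = rate_bps, burst
    own, borrowed = simulate(rate_bps, burst, ceil_bps, cburst, pkt, 1)
    return own + borrowed


if __name__ == "__main__":
    rate = 100_000                        # 100 kbit/s, i.e. 12 500 bytes/s
    for burst in (1000, 1600, 16000):
        print(f"rate 100kbit burst {burst:5d}: {bytes_in_one_second(rate, burst):6d} bytes in 1 s")
    for lends in (True, False):
        own, borrowed = simulate(rate, 1600, 200_000, 3200, 1000, 1, parent_lends=lends)
        print(f"ceil 200kbit cburst 3200, parent lends={lends}: own {own}, borrowed {borrowed}")
```

The numbers are exact for the model: with burst 1600 the class sends 14000 bytes in the first second (12500 from rate, the rest from the bucket), with burst 16000 it sends 28000, and with ceil 200 kbit/s and cburst 3200 it sends 14000 of its own plus 14000 borrowed. Stef Coene's measurements at [2] are the place to see how far the real scheduler departs from this idealisation.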
From: indunil75 at gmail.com (Indunil Jayasooriya)
Date: Thu Oct 5 05:53:12 2006
Subject: [LARTC] Re: LARTC Digest, Vol 20, Issue 4
In-Reply-To: <20061004100008.5461E4084@outpost.ds9a.nl>
References: <20061004100008.5461E4084@outpost.ds9a.nl>
Message-ID: <7ed6b0aa0610042053r6c3ba44euf2c2e4613cf90215@mail.gmail.com>

Hi,

I think you now have 2 links to the internet. You want to route web traffic (transparent proxy traffic) via one link and the rest via the other link.

If that is the case, it is possible to do. I have done it. Here I have mentioned eth0 and eth1:

eth0 is connected to one link (link1)
eth1 is connected to the other link (link2); via this link, web traffic will be routed.

    # one extra routing table per link
    echo 210 link1 >> /etc/iproute2/rt_tables
    echo 211 link2 >> /etc/iproute2/rt_tables

    # each table knows its own gateway and a default route through it
    ip route add ipaddressofonegateway dev eth0 table link1
    ip route add default via ipaddressofonegateway dev eth0 table link1
    ip route add ipaddressoftheothergateway dev eth1 table link2
    ip route add default via ipaddressoftheothergateway dev eth1 table link2

    # mark the web traffic this box generates itself (the proxy's upstream
    # connections) and send marked packets through table link2
    iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark 1
    ip rule add fwmark 1 pri 100 table link2

    # source-NAT whatever leaves via eth1 to eth1's own address
    iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source ipaddressofeth1

    # strict reverse-path filtering would drop packets arriving on eth1
    # whose source the main table routes via eth0
    echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter

    # packets carrying a link's address leave through that link's table
    ip rule add from ipaddressofeth0 pri 200 table link1
    ip rule add from ipaddressofeth1 pri 300 table link2

that's it.
and also, you can refer to this URL: http://www.debian-administration.org/articles/379

-- 
Thank you
Indunil Jayasooriya

From: kwhite at telsource.com (Kevin White)
Date: Fri Oct 6 06:06:23 2006
Subject: [LARTC] Two upstream gateways, only use one unless it fails?
Message-ID: <4525D630.1040401@telsource.com>

I'm looking at setting up a system with two upstream Internet routers, the second to be used only if the first fails.

There's a lot of information on using Julian's patches (the nano document), and I'm still digesting all of it. It looks pretty slick, and I think it will work...but I don't see if I can actually set up multipath and have the kernel not use the second interface unless it has to. It looks like I can only set weight and set up a percentage rule.

Am I missing something? Can I say "here are two routes, always use route one unless you can't?"

Thanks,

Kevin

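What Kevin wants, use route one unless it is dead, is not something a multipath route can express on its own. The kernel picks a nexthop per route lookup in proportion to the weights, so unequal weights only change the share of new connections each link gets, and the only nexthop it skips by itself is one whose interface has gone down; it has no probe of its own for a failure at or beyond the gateway router. The usual answer is a small monitor that probes through each link and rewrites the default route when the preferred link fails and again when it recovers. The one below is an added example, not code from the list, from lartc.org or from Julian Anastasov's patches; the interface names, the gateway and probe addresses (RFC 5737 documentation ranges) and the three-strikes hysteresis are assumptions to adapt to the site, and it has to run as root to change routes. Pinning a host route for each probe target through its own link is the detail that matters: without it every probe would follow whatever the current default route is and report the same answer for both links.

```python
"""Active/standby uplink monitor: keep the default route on link 1 unless its
probe fails, then move it to link 2, and move back when link 1 recovers.

Added example, not code from the LARTC list, from lartc.org or from Julian
Anastasov's patches. Interface names, gateway and probe addresses (RFC 5737
documentation ranges) and the three-strikes hysteresis are assumptions; run
it as root from cron or a loop, adjusting them to the site.
"""
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Optional

Runner = Callable[[List[str]], bool]   # runs argv, True when it exits 0


def run_cmd(argv: List[str]) -> bool:
    return subprocess.run(argv, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


@dataclass
class Uplink:
    dev: str        # interface towards this provider
    gateway: str    # the provider's next hop on that interface
    probe: str      # a host beyond the gateway, so a dead upstream is noticed too
    failures: int = 0


@dataclass
class FailoverMonitor:
    links: List[Uplink]              # preferred link first
    down_after: int = 3              # consecutive probe failures before a link counts as down
    runner: Runner = run_cmd         # replaceable so the logic can be tested without root
    active: Optional[Uplink] = None

    def pin_probe_routes(self) -> bool:
        # A host route per probe target forces each probe out of its own link;
        # without it every ping would follow the current default route.
        return all(self.runner(["ip", "route", "replace", f"{l.probe}/32",
                                "via", l.gateway, "dev", l.dev])
                   for l in self.links)

    def probe(self, link: Uplink) -> bool:
        ok = self.runner(["ping", "-n", "-q", "-c", "2", "-W", "1", link.probe])
        link.failures = 0 if ok else link.failures + 1
        return ok

    def is_up(self, link: Uplink) -> bool:
        return link.failures < self.down_after

    def tick(self) -> Optional[Uplink]:
        """Probe every link, then put the default route on the best live one."""
        for link in self.links:
            self.probe(link)
        wanted = next((l for l in self.links if self.is_up(l)), None)
        if wanted is None:
            return self.active           # everything is down: leave the route alone
        if wanted is not self.active and self.runner(
                ["ip", "route", "replace", "default", "via", wanted.gateway, "dev", wanted.dev]):
            self.active = wanted
        return self.active


if __name__ == "__main__":
    import time
    mon = FailoverMonitor([Uplink("eth0", "203.0.113.1", "203.0.113.7"),
                           Uplink("eth1", "198.51.100.1", "198.51.100.7")])
    mon.pin_probe_routes()
    while True:
        link = mon.tick()
        print("default route via", link.dev if link else "none")
        time.sleep(10)
```

A link is declared down only after `down_after` consecutive failed probes, but a single successful probe brings it back, so the preferred link is reinstated quickly; if that flaps at a site, raise `down_after` or add a matching up-counter. Pick probe targets that actually sit behind each provider, since pinging the gateway alone says nothing about the path beyond it.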
From: pasik at iki.fi (Pasi Kärkkäinen)
Date: Fri Oct 6 13:39:08 2006
Subject: [LARTC] Intel or AMD is better processor for router (800+ users)
In-Reply-To: <20061004190542.02D884B321C@poczta.interia.pl>
References: <20061004190542.02D884B321C@poczta.interia.pl>
Message-ID: <20061006113857.GA27360@edu.joroinen.fi>

On Wed, Oct 04, 2006 at 09:05:42PM +0200, sAwAr wrote:
> I would like to ask you which processor is the better solution for a router?
> Please explain briefly why.
>
> I have about 800 users. For each I create 2 htb classes and 4 filters.
> Moreover the router has a dhcp server and lots of iptables rules.
>
> I'm interested in a P4 3GHz HT and an AMD Athlon 64 3000+. What is the better
> choice for my needs? What parameters of processors are important: clock,
> cache, fsb or something else?

I would go for a big cache.. and of course the more MHz the better.

Also be sure to calculate the memory requirements; each conntracked connection requires some kernel memory.

I would recommend choosing HP, IBM or another good brand for a firewall like that.

I was firewalling+natting+routing 2000+ users for years with a P3 1GHz without any problems.

-- 
Pasi


From: pauloric at contato.com.br (Paulo Ricardo Bruck)
Date: Fri Oct 6 13:46:30 2006
Subject: [LARTC] Re: LARTC Digest, Vol 20, Issue 7
In-Reply-To: <20061006100006.71FA7410D@outpost.ds9a.nl>
References: <20061006100006.71FA7410D@outpost.ds9a.nl>
Message-ID: <1160135179.13572.13.camel@pauloric.intranet>

> From: Kevin White
> Subject: [LARTC] Two upstream gateways, only use one unless it fails?
>
> Am I missing something? Can I say "here are two routes, always use
> route one unless you can't?"

Hi Kevin

You can use multipath with different weights, see below, taken from lartc.org...

############### cut ##################
4.2.2. Load balancing

The second question is how to balance traffic going out over the two providers. This is actually not hard if you already have set up split access as above.

Instead of choosing one of the two providers as your default route, you now set up the default route to be a multipath route. In the default kernel this will balance routes over the two providers. It is done as follows (once more building on the example in the section on split-access):

    ip route add default scope global nexthop via $P1 dev $IF1 weight 1 \
          nexthop via $P2 dev $IF2 weight 1

This will balance the routes over both providers. The weight parameters can be tweaked to favor one provider over the other.
############### cut ##################

Then you can do something like this:

    ip route add default scope global nexthop via $P1 dev $IF1 weight 100 \
          nexthop via $P2 dev $IF2 weight 1
                                                               ^^^^^^^^^^

best regards

-- 
Paulo Ricardo Bruck - consultor
Contato Global Solutions - http://www.contato.com.br
fone 011 5031-4932 011 5034-1732 cel 011 9235-4327


From: aleksander at krediidiinfo.ee (Aleksander)
Date: Fri Oct 6 13:54:57 2006
Subject: [LARTC] Intel or AMD is better processor for router (800+ users)
In-Reply-To: <20061004190542.02D884B321C@poczta.interia.pl>
References: <20061004190542.02D884B321C@poczta.interia.pl>
Message-ID: <4526440C.6000904@krediidiinfo.ee>

sAwAr wrote:
> I would like to ask you which processor is the better solution for a router?
> Please explain briefly why.

I'd like to add a question. What Gigabit PCI-E NICs do people prefer for a server/router? What would be the maximum bandwidth to expect between two Gigabit NICs connecting two subnets? How important is the processor when the packets are not mangled/NAT-ted, only routed?

Thanks,
Alex

From: dasho at ma-isp.com (Dashamir Hoxha)
Date: Fri Oct 6 16:47:45 2006
Subject: [LARTC] Two outbound internet links, using one network interface
Message-ID: <45266C57.4010106@ma-isp.com>

Hi,

I am trying to categorize the network traffic and to send it out across two different providers. For this I mark the packets in the firewall (in the PREROUTING chain of table mangle), and then use another routing table for the marked packets, which has a different gateway from the main routing table. Basically I am following the cookbook example on this page:
http://linux-ip.net/html/adv-multi-internet.html
with some small changes and modifications.

The most important difference is that I am trying to use just one external network interface, which is connected through a hub/switch to both of the ISP links. I add two different IPs to this interface, corresponding to each provider's network. Then the masquerading is done with a rule like this:

    # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

instead of:

    # iptables -t nat -A POSTROUTING -o eth4 -j SNAT --to-source 67.17.28.12
    # iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 205.254.211.179

For the traffic that is generated in the LAN behind the box, it works, but for the traffic that is generated on the localhost (routing box), it does not work. Indeed, it cannot possibly work for the localhost with a setup like this (with only one external interface). As can be seen in this document:
http://www.faqs.org/docs/iptables/traversingoftables.html
(Table 3-2. Source local host)
the routing decision happens before the packet enters the chains of iptables (the chain PREROUTING is not traversed in this case).

This is not a big problem (it is not so important that the traffic of the routing box be categorized as well), but trying to solve it, I came up with another solution, which seems simpler. The idea is to use something like this:

---------------------------------------------------------------------------------
IPT=/sbin/iptables
PORT_LIST="22 53"
GATEWAY1=192.168.10.1
GATEWAY2=192.168.100.1

# SNAT connections to the listed TCP ports to $GATEWAY2, everything else to $GATEWAY1
for PORT in $PORT_LIST
do
    $IPT -t nat -A POSTROUTING -o eth0 \
        -p tcp --dport $PORT -j SNAT --to-source $GATEWAY2
done

$IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1
---------------------------------------------------------------------------------

I have not tested it yet but I don't see why it should not work.

Also, I have seen somewhere that using two IPs on the same interface may be risky (may have security implications), but I don't see what they can be. If somebody has any idea of them and how to avoid them, please let me know. E.g. I have heard about "IP spoofing" but I don't understand what it is.

Regards,
Dashamir

From: marek at piasta.pl (Marek Kierdelewicz)
Date: Fri Oct 6 17:18:22 2006
Subject: [LARTC] Intel or AMD is better processor for router (800+ users)
In-Reply-To: <20061004190542.02D884B321C@poczta.interia.pl>
References: <20061004190542.02D884B321C@poczta.interia.pl>
Message-ID: <20061006172559.52f9ac28@localhost.localdomain>

> Hi

Hi

> I'm interested in a P4 3GHz HT and an AMD Athlon 64 3000+. What is the better
> choice for my needs? What parameters of processors are important:
> clock, cache, fsb or something else?

I think you could do well with the P4 3GHz HT. It would be the cheapest and most effective choice. With an HT-enabled kernel, two NICs can be configured so that each NIC's interrupt is serviced by a different processor. I recommend reading this article:
http://lwn.net/Articles/145406/

A P4 will suffice as long as you keep your config optimised (hashing tc filters, using ipset instead of long sequences of iptables rules ...).

cheers,
Marek Kierdelewicz


From: imthiyaz at peopletech.co.in (imthiyaz@peopletech.co.in)
Date: Sat Oct 7 16:50:12 2006
Subject: [LARTC] Multivoip 3010
Message-ID: <380-220061067144414546@M2W025.mail2web.com>

Has anyone configured a Multivoip 3010 with Asterisk? I am trying to configure this box to work with Asterisk.

Thanks
Imthiyaz

From: zoilo at xs4all.nl (Zoilo Gomez) Date: Sun Oct 8 12:14:12 2006 Subject: [LARTC] Two outbound internet links, using one network interface In-Reply-To: <45266C57.4010106@ma-isp.com> References: <45266C57.4010106@ma-isp.com> Message-ID: <4528CF73.7010706@xs4all.nl> Dashamir Hoxha wrote: > Hi, > > I am trying to categorize the network traffic and to send it out > across two different providers. > For this I mark the packets in the firewall (in the PREROUTING chain > of table mangle), > and then use another routing table for the marked packets, which has a > different gateway > from the main routing table. Basicaly I am following the cookbook > example in this page: > http://linux-ip.net/html/adv-multi-internet.html > with some small changes and modifications. > > The most important difference is that I am trying to use just one > external network interface, > which is connected through a hub/switch to both of the ISP links. I > add two different IPs > to this interface, corresponding to each providers network. Then the > masquerading is done > with a rule like this: > > # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE > instead of: > > # iptables -t nat -A POSTROUTING -o eth4 -j SNAT --to-source 67.17.28.12 > # iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source > 205.254.211.179 > How about using iproute2 (instead of MASQ / SNAT rule): => ip route add 192.168.10.0/24 dev eth0 src 192.168.10.1 => ip route add 192.168.100.0/24 dev eth0 src 192.168.100.1 > For the traffic that is generated in the LAN behind the box, it works, > but for the > traffic that is generated in the localhost (routing box), it does not > work. > Indeed, it cannot possibly work for the localhost with a setup like > this (with only > one external interface). As it can be seen in this document: > http://www.faqs.org/docs/iptables/traversingoftables.html > (Table 3-2. 
Source local host) > routing decision happens before the packet enters the chains of the > iptables > (the chain PREROUTING is not tranversed in this case). > > This is not a big problem (it is not so important that the traffic of > the routing box > be categorized as well), but trying to solve it, I came up with > another solution, > which seems simpler.The idea is to use something like this: > > --------------------------------------------------------------------------------- > > IPT=/sbin/iptables > PORT_LIST="22 53" > GATEWAY1=192.168.10.1 > GATEWAY2=192.168.100.1 > > for PORT in $PORT_LIST > do > $IPT -t nat -A POSTROUTING -o eth0 \ > -p tcp --dport $PORT -j SNAT --to-source $GATEWAY2 > done > > $IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1 > ----------------------------------------------------------------------------- > > I have not tested it yet but I don't see why it should not work. > > Also, I have seen somewhere that using two IPs on the same interface > may be risky > (may have security implications), but I don't see what they can be. If > somebody has > any idea of them and how to avoid them, please let me know. E.g. I > have heard about > "IP spoofing" but I don't understand what it is. Using VLANs, you can separate the networks on the link level instead. This is the same (in software) as using 2 different LAN ports (in hardware). Regards, Z. From dor at ldc.net Tue Oct 10 16:34:20 2006 
From: dor at ldc.net (Dmytro O. Redchuk) Date: Tue Oct 10 16:34:42 2006 Subject: [LARTC] py-htbstat In-Reply-To: <20061002153305.GM3426@ldc.net> References: <20061002153305.GM3426@ldc.net> Message-ID: <20061010143417.GR6263@ldc.net> On Mon, Oct 02, 2006 at 06:33:05PM +0300, Dmytro O. Redchuk wrote: > Hi all, > > updated py-htbstat: http://www2.ldc.net/~dor/py-htbstat/ > Some screenshots: http://www2.ldc.net/~dor/py-htbstat/shots/shots.html Updated with some bugfixes. Changelog: http://www2.ldc.net/~dor/py-htbstat/0.2.2/CHANGELOG Release notes: http://www2.ldc.net/~dor/py-htbstat/0.2.2/v0.2.2-dor1-RELNOTES Thanks for bugreports :-) Sorry for bugs :-( -- _,-=._ /|_/| `-.} `=._,.-=-._., @ @._, `._ _,-. ) _,.-' ` G.m-"^m`m' Dmytro O. Redchuk From aleksander at krediidiinfo.ee Tue Oct 10 21:58:44 2006 
From: aleksander at krediidiinfo.ee (Aleksander) Date: Tue Oct 10 21:58:50 2006 Subject: [LARTC] Intel or AMD is better processor for router (800+ users) In-Reply-To: <20061006172559.52f9ac28@localhost.localdomain> References: <20061004190542.02D884B321C@poczta.interia.pl> <20061006172559.52f9ac28@localhost.localdomain> Message-ID: <452BFB74.10104@krediidiinfo.ee> Marek Kierdelewicz wrote: > I think you could do well with P4 3GHz HT. It would be cheapest and > most effective choice. With HT enabled kernel two nic-s could be > configured that each nic's interrupt is serviced by another > processor. > > I recommend reading this article: > http://lwn.net/Articles/145406/ > > P4 will suffice as long as you will keep your config optimised (hashing > tc filters, using ipset instead of long sequences of iptables > rules ...). Hi, The referenced article mentions this in the chapter "4.2.3.1 CPUs should only following one NIC". The author highly recommends disabling IRQ balancing in the kernel config, but does not clarify what this does. I tried googling but didn't find much info. What does it exactly do, and why is disabling it recommended/required? It seems to me, IRQ balancing does not allow to specify interrupts per device but assigns them automatically on the run, correct? While searching the web, I found reports about big performance increases in 3D rendering due to disabling the feature. Can this be true and why? Thanks, Alex From dasho at ma-isp.com Wed Oct 11 08:37:11 2006 
From: dasho at ma-isp.com (Dashamir Hoxha) Date: Wed Oct 11 08:37:48 2006 Subject: [LARTC] Two outbound internet links, using one network interface In-Reply-To: <45266C57.4010106@ma-isp.com> References: <45266C57.4010106@ma-isp.com> Message-ID: <452C9117.4010508@ma-isp.com> Dashamir Hoxha wrote: > Hi, > > I am trying to categorize the network traffic and to send it out > across two different providers. > For this I mark the packets in the firewall (in the PREROUTING chain > of table mangle), > and then use another routing table for the marked packets, which has a > different gateway > from the main routing table. Basicaly I am following the cookbook > example in this page: > http://linux-ip.net/html/adv-multi-internet.html > with some small changes and modifications. > > The most important difference is that I am trying to use just one > external network interface, > which is connected through a hub/switch to both of the ISP links. I > add two different IPs > to this interface, corresponding to each providers network. Then the > masquerading is done > with a rule like this: > > # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE > instead of: > > # iptables -t nat -A POSTROUTING -o eth4 -j SNAT --to-source 67.17.28.12 > # iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source > 205.254.211.179 > > For the traffic that is generated in the LAN behind the box, it works, > but for the > traffic that is generated in the localhost (routing box), it does not > work. > Indeed, it cannot possibly work for the localhost with a setup like > this (with only > one external interface). As it can be seen in this document: > http://www.faqs.org/docs/iptables/traversingoftables.html > (Table 3-2. Source local host) > routing decision happens before the packet enters the chains of the > iptables > (the chain PREROUTING is not tranversed in this case). 
> > This is not a big problem (it is not so important that the traffic of > the routing box > be categorized as well), but trying to solve it, I came up with > another solution, > which seems simpler.The idea is to use something like this: > > --------------------------------------------------------------------------------- > > IPT=/sbin/iptables > PORT_LIST="22 53" > GATEWAY1=192.168.10.1 > GATEWAY2=192.168.100.1 > > for PORT in $PORT_LIST > do > $IPT -t nat -A POSTROUTING -o eth0 \ > -p tcp --dport $PORT -j SNAT --to-source $GATEWAY2 > done > > $IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1 > ----------------------------------------------------------------------------- > > > > I have not tested it yet but I don't see why it should not work. From the testing and meditation that I have done up to now, I have arrived at the conclusion that this is not a solution for the problem of traffic categorization. The reason is that POSTROUTING happens after the routing decision is taken, so the route that is chosen is not affected by the source IP of the packet. Am I right? > > Also, I have seen somewhere that using two IPs on the same interface > may be risky > (may have security implications), but I don't see what they can be. If > somebody has > any idea of them and how to avoid them, please let me know. E.g. I > have heard about > "IP spoofing" but I don't understand what it is. > > Regards, > Dashamir > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > > From radu at securesystems.ro Wed Oct 11 13:05:12 2006 
From: radu at securesystems.ro (Radu Oprisan) Date: Wed Oct 11 13:05:51 2006 Subject: [LARTC] Two outbound internet links, using one network interface In-Reply-To: <452C9117.4010508@ma-isp.com> References: <45266C57.4010106@ma-isp.com> <452C9117.4010508@ma-isp.com> Message-ID: <452CCFE8.4030602@securesystems.ro> Dashamir Hoxha wrote: > Dashamir Hoxha wrote: >> Hi, >> >> I am trying to categorize the network traffic and to send it out >> across two different providers. >> For this I mark the packets in the firewall (in the PREROUTING chain >> of table mangle), >> and then use another routing table for the marked packets, which has >> a different gateway >> from the main routing table. Basicaly I am following the cookbook >> example in this page: >> http://linux-ip.net/html/adv-multi-internet.html >> with some small changes and modifications. >> >> The most important difference is that I am trying to use just one >> external network interface, >> which is connected through a hub/switch to both of the ISP links. I >> add two different IPs >> to this interface, corresponding to each providers network. Then the >> masquerading is done >> with a rule like this: >> >> # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE instead of: >> >> # iptables -t nat -A POSTROUTING -o eth4 -j SNAT --to-source 67.17.28.12 >> # iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source >> 205.254.211.179 >> >> For the traffic that is generated in the LAN behind the box, it >> works, but for the >> traffic that is generated in the localhost (routing box), it does not >> work. >> Indeed, it cannot possibly work for the localhost with a setup like >> this (with only >> one external interface). As it can be seen in this document: >> http://www.faqs.org/docs/iptables/traversingoftables.html >> (Table 3-2. Source local host) >> routing decision happens before the packet enters the chains of the >> iptables >> (the chain PREROUTING is not tranversed in this case). 
>> >> This is not a big problem (it is not so important that the traffic of >> the routing box >> be categorized as well), but trying to solve it, I came up with >> another solution, >> which seems simpler.The idea is to use something like this: >> >> --------------------------------------------------------------------------------- >> >> IPT=/sbin/iptables >> PORT_LIST="22 53" >> GATEWAY1=192.168.10.1 >> GATEWAY2=192.168.100.1 >> >> for PORT in $PORT_LIST >> do >> $IPT -t nat -A POSTROUTING -o eth0 \ >> -p tcp --dport $PORT -j SNAT --to-source $GATEWAY2 >> done >> >> $IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1 >> ----------------------------------------------------------------------------- >> >> >> >> I have not tested it yet but I don't see why it should not work. > for PORT in $PORT_LIST do $IPT -t nat -A PREROUTING -i eth_clients \ -p tcp --dport $PORT -j MARK --set-mark 0x01 done $IPT -t nat -A POSTROUTING -o eth0 -m mark --mark 0x01 -j SNAT --to-source $GATEWAY2 $IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1 > From the testing and meditation that I have done up to now, I have > arrived > at the conclusion that this is not a solution for the problem of > traffic categorization. > The reason is that POSTROUTING happens after the routing decision is > taken, > so the route that is chosen is not affected by the source IP of the > packet. > Am I right? > >> >> Also, I have seen somewhere that using two IPs on the same interface >> may be risky >> (may have security implications), but I don't see what they can be. >> If somebody has >> any idea of them and how to avoid them, please let me know. E.g. I >> have heard about >> "IP spoofing" but I don't understand what it is. 
>> >> Regards, >> Dashamir >> >> _______________________________________________ >> LARTC mailing list >> LARTC@mailman.ds9a.nl >> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc >> >> > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc From radu at securesystems.ro Wed Oct 11 13:17:23 2006 
From: radu at securesystems.ro (Radu Oprisan) Date: Wed Oct 11 13:17:55 2006 Subject: [LARTC] Two outbound internet links, using one network interface In-Reply-To: <452CCFE8.4030602@securesystems.ro> References: <45266C57.4010106@ma-isp.com> <452C9117.4010508@ma-isp.com> <452CCFE8.4030602@securesystems.ro> Message-ID: <452CD2C3.6070902@securesystems.ro> Radu Oprisan wrote: > Dashamir Hoxha wrote: >> Dashamir Hoxha wrote: >>> Hi, >>> >>> I am trying to categorize the network traffic and to send it out >>> across two different providers. >>> For this I mark the packets in the firewall (in the PREROUTING chain >>> of table mangle), >>> and then use another routing table for the marked packets, which has >>> a different gateway >>> from the main routing table. Basicaly I am following the cookbook >>> example in this page: >>> http://linux-ip.net/html/adv-multi-internet.html >>> with some small changes and modifications. >>> >>> The most important difference is that I am trying to use just one >>> external network interface, >>> which is connected through a hub/switch to both of the ISP links. >>> I add two different IPs >>> to this interface, corresponding to each providers network. Then the >>> masquerading is done >>> with a rule like this: >>> >>> # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE instead of: >>> >>> # iptables -t nat -A POSTROUTING -o eth4 -j SNAT --to-source >>> 67.17.28.12 >>> # iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source >>> 205.254.211.179 >>> >>> For the traffic that is generated in the LAN behind the box, it >>> works, but for the >>> traffic that is generated in the localhost (routing box), it does >>> not work. >>> Indeed, it cannot possibly work for the localhost with a setup like >>> this (with only >>> one external interface). As it can be seen in this document: >>> http://www.faqs.org/docs/iptables/traversingoftables.html >>> (Table 3-2. 
Source local host) >>> routing decision happens before the packet enters the chains of the >>> iptables >>> (the chain PREROUTING is not tranversed in this case). >>> >>> This is not a big problem (it is not so important that the traffic >>> of the routing box >>> be categorized as well), but trying to solve it, I came up with >>> another solution, >>> which seems simpler.The idea is to use something like this: >>> >>> --------------------------------------------------------------------------------- >>> >>> IPT=/sbin/iptables >>> PORT_LIST="22 53" >>> GATEWAY1=192.168.10.1 >>> GATEWAY2=192.168.100.1 >>> >>> for PORT in $PORT_LIST >>> do >>> $IPT -t nat -A POSTROUTING -o eth0 \ >>> -p tcp --dport $PORT -j SNAT --to-source $GATEWAY2 >>> done >>> >>> $IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1 >>> ----------------------------------------------------------------------------- >>> >>> >>> >>> I have not tested it yet but I don't see why it should not work. >> > > for PORT in $PORT_LIST > do > $IPT -t mangle -A PREROUTING -i eth_clients \ -p tcp --dport $PORT -j MARK --set-mark 0x01 > done > > $IPT -t nat -A POSTROUTING -o eth0 -m mark --mark 0x01 -j SNAT > --to-source $GATEWAY2 > $IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1 I'm sorry.... From dasho at ma-isp.com Wed Oct 11 14:29:38 2006 
From: dasho at ma-isp.com (Dashamir Hoxha) Date: Wed Oct 11 14:30:07 2006 Subject: [LARTC] Two outbound internet links, using one network interface In-Reply-To: <452CD2C3.6070902@securesystems.ro> References: <45266C57.4010106@ma-isp.com> <452C9117.4010508@ma-isp.com> <452CCFE8.4030602@securesystems.ro> <452CD2C3.6070902@securesystems.ro> Message-ID: <452CE3B2.6040900@ma-isp.com> Radu Oprisan wrote: > Radu Oprisan wrote: >> Dashamir Hoxha wrote: >>> Dashamir Hoxha wrote: >>>> Hi, >>>> >>>> I am trying to categorize the network traffic and to send it out >>>> across two different providers. >>>> For this I mark the packets in the firewall (in the PREROUTING >>>> chain of table mangle), >>>> and then use another routing table for the marked packets, which >>>> has a different gateway >>>> from the main routing table. Basicaly I am following the cookbook >>>> example in this page: >>>> http://linux-ip.net/html/adv-multi-internet.html >>>> with some small changes and modifications. >>>> >>>> The most important difference is that I am trying to use just one >>>> external network interface, >>>> which is connected through a hub/switch to both of the ISP links. >>>> I add two different IPs >>>> to this interface, corresponding to each providers network. Then >>>> the masquerading is done >>>> with a rule like this: >>>> >>>> # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE instead of: >>>> >>>> # iptables -t nat -A POSTROUTING -o eth4 -j SNAT --to-source >>>> 67.17.28.12 >>>> # iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source >>>> 205.254.211.179 >>>> >>>> For the traffic that is generated in the LAN behind the box, it >>>> works, but for the >>>> traffic that is generated in the localhost (routing box), it does >>>> not work. >>>> Indeed, it cannot possibly work for the localhost with a setup like >>>> this (with only >>>> one external interface). 
As it can be seen in this document: >>>> http://www.faqs.org/docs/iptables/traversingoftables.html >>>> (Table 3-2. Source local host) >>>> routing decision happens before the packet enters the chains of the >>>> iptables >>>> (the chain PREROUTING is not tranversed in this case). >>>> >>>> This is not a big problem (it is not so important that the traffic >>>> of the routing box >>>> be categorized as well), but trying to solve it, I came up with >>>> another solution, >>>> which seems simpler.The idea is to use something like this: >>>> >>>> --------------------------------------------------------------------------------- >>>> >>>> IPT=/sbin/iptables >>>> PORT_LIST="22 53" >>>> GATEWAY1=192.168.10.1 >>>> GATEWAY2=192.168.100.1 >>>> >>>> for PORT in $PORT_LIST >>>> do >>>> $IPT -t nat -A POSTROUTING -o eth0 \ >>>> -p tcp --dport $PORT -j SNAT --to-source $GATEWAY2 >>>> done >>>> >>>> $IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1 >>>> ----------------------------------------------------------------------------- >>>> >>>> >>>> >>>> I have not tested it yet but I don't see why it should not work. >>> >> >> for PORT in $PORT_LIST >> do >> > $IPT -t mangle -A PREROUTING -i eth_clients \ > -p tcp --dport $PORT -j MARK --set-mark 0x01 >> done >> >> $IPT -t nat -A POSTROUTING -o eth0 -m mark --mark 0x01 -j SNAT >> --to-source $GATEWAY2 >> $IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1 > I'm sorry.... Ok, it may work like this, I have to try it. By the way, instead of $GATEWAY1 and $GATEWAY2 above, $IP1 and $IP2 must be used instead; it was a mistake. From dasho at ma-isp.com Wed Oct 11 14:38:42 2006 
From: dasho at ma-isp.com (Dashamir Hoxha) Date: Wed Oct 11 14:40:23 2006 Subject: [LARTC] Two outbound internet links, using one network interface In-Reply-To: <4528CF73.7010706@xs4all.nl> References: <45266C57.4010106@ma-isp.com> <4528CF73.7010706@xs4all.nl> Message-ID: <452CE5D2.50308@ma-isp.com>

> Using VLANs, you can separate the networks on the link level instead.
> This is the same (in software) as using 2 different LAN ports (in hardware).

Thanks for the suggestion. I am trying it, and it seems very easy to be used. However the problem is that it is not working. I am doing it like this:

# /sbin/modprobe 8021q
# /sbin/vconfig add eth0 2
# /sbin/ip link set eth0.2 up
# /sbin/ip addr add 192.168.10.2/24 dev eth0.2

When I try: `ping 192.168.10.1` it says "Destination Host Unreachable". Both IPs are connected to the same switch. Does anybody know what can be wrong?

Dashamir

From zealot0630 at gmail.com Wed Oct 11 15:03:21 2006
From: zealot0630 at gmail.com (Zealot) Date: Wed Oct 11 15:03:23 2006 Subject: [LARTC] Multicst routing problem Message-ID: <452CEB99.7000405@gmail.com>

I want to send a multicast packet to multiple gre tunnel, but the packet only went to where the routing table configured to. ex.

when use: ip route add 224.0.0.0/4 via gre0
then the packet go to gre0

when use: ip route add 224.0.0.0/4 via gre1
then the packet go to gre1

when use: ip route add 224.0.0.0/4 nexthop via gre1 nexthop via gre0
then the packet go to either gre or gre1 randomly, but not both (is it for load balance?)

how to configure the routing table let the packet go to both of gre tunnels?

From alex at zoomnet.ro Wed Oct 11 15:36:00 2006
From: alex at zoomnet.ro (Alexandru Dragoi) Date: Wed Oct 11 15:36:35 2006 Subject: [LARTC] Two outbound internet links, using one network interface In-Reply-To: <452CE5D2.50308@ma-isp.com> References: <45266C57.4010106@ma-isp.com> <4528CF73.7010706@xs4all.nl> <452CE5D2.50308@ma-isp.com> Message-ID: <452CF340.3070305@zoomnet.ro> Dashamir Hoxha wrote: > Using VLANs, you can separate the networks on the link level instead. > This is the same (in software) as using 2 different LAN ports (in > hardware). > > Thanks for the suggestion. I am trying it, and it seems very easy to > be used. > However the problem is that it is not working. > I am doing it like this: > > # /sbin/modprobe 8021q > # /sbin/vconfig add eth0 2 > # /sbin/ip link set eth0.2 up > # /sbin/ip addr add 192.168.10.2/24 dev eth0.2 > > When I try: `ping 192.168.10.1` it says "Destination Host Unreachable". > Both IPs are connected to the same switch. Does anybody know what can > be wrong? > > Dashamir > > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc You need a switch with 802.1q vlan support (cisco for example). The network card need to be pluged in a switch port in "trunk" mode, and the providers each in its access switch port in specified vlan (like 2). From Jon.J.Flechsenhaar at boeing.com Wed Oct 11 18:27:00 2006 
From: Jon.J.Flechsenhaar at boeing.com (Flechsenhaar, Jon J) Date: Wed Oct 11 18:27:36 2006 Subject: [LARTC] HTB_HYSTERESIS Message-ID: <0E24ED2A7F9AA349A8633E6A56A64BE0027A80E6@XCH-SW-2V1.sw.nos.boeing.com>

All:

I have been told that HTB_HYSTERESIS might have some effect on rate calculations. This file is usually in /usr/src/linux/net/sched/sch_htb.c. If I change this file I have to re-compile. I am not quite sure how to do this.

Can someone list the steps necessary to re-compile or point me to a doc that explains how to do so. Thanks.

Jon Flechsenhaar
Boeing WNW Team
Network Services
(714)-762-1231
202-E7

From pio_mendez at hotmail.com Wed Oct 11 18:31:40 2006
From: pio_mendez at hotmail.com (Pio Mendez) Date: Wed Oct 11 18:31:46 2006 Subject: [LARTC] Two outbound internet links, using one network interface In-Reply-To: <452CE3B2.6040900@ma-isp.com> Message-ID:

PREROUTING chain is not traversed by local traffic, but OUTPUT chain does. What about this script?

---------------------------------------------------------------------------------
IPT=/sbin/iptables
PORT_LIST="22 53"

for PORT in $PORT_LIST
do
    $IPT -t mangle -A PREROUTING -p tcp --dport $PORT -s -j MARK --set-mark 4
    $IPT -t mangle -A OUTPUT -p tcp --dport $PORT -s -j MARK --set-mark 4
done

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

ip route add 192.168.10.0/24 dev eth0 table 4
ip route add default via 192.168.10.1 table 4
ip rule add fwmark 4 table 4

Paolo Malfatti
CiDiS Camiri

_________________________________________________________________
Chat with your friends online using MSN Messenger: http://messenger.latam.msn.com/

From gypsy at iswest.com Thu Oct 12 04:33:45 2006
From: gypsy at iswest.com (gypsy) Date: Thu Oct 12 04:34:17 2006 Subject: [LARTC] HTB_HYSTERESIS References: <0E24ED2A7F9AA349A8633E6A56A64BE0027A80E6@XCH-SW-2V1.sw.nos.boeing.com> Message-ID: <452DA989.BBFCF672@iswest.com>

"Flechsenhaar, Jon J" wrote:
>
> All:
>
> I have been told that HTB_HYSTERESIS might have some effect on rate
> calculations. This file is usually in
> /usr/src/linux/net/sched/sch_htb.c. If I change this file I have to
> re-compile. I am not quite sure how to do this.
>
> Can someone list the steps necessary to re-compile or point me to a doc
> that explains how to do so. Thanks.
>
> Jon Flechsenhaar
> Boeing WNW Team
> Network Services
> (714)-762-1231
> 202-E7

cd /usr/src/linux
make modules
make modules_install

From mingching.tiew at redtone.com Thu Oct 12 04:52:28 2006
From: mingching.tiew at redtone.com (Ming-Ching Tiew) Date: Thu Oct 12 04:53:03 2006 Subject: [LARTC] Drop packets using tc ? Message-ID: <00ad01c6eda9$74606c50$0100a8c0@newlife>

I have a linux bridge in an embedded system with limited tools. I want to drop these packets from flowing across the bridge,

NETBEUI - TCP port 135-139
UDP port 137-139
TCP/UDP port 445

Also all broadcast and multicast.

Is there a way to accomplish it using 'tc'? If the packets cannot be dropped, I will be happy enough if it can be classified and put to some lowest priority.

[ I don't have ebtables. 'iptables' is there but since it's a bridge, it's probably useless. I do have 'tc'. ]

Regards.

From Pierre.Le-Marec at alcatel.fr Thu Oct 12 12:03:03 2006
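Ming-Ching's question above (dropping NetBIOS/SMB plus broadcast and multicast on a bridge with nothing but tc) gets no answer in this part of the thread. The following is an added example, not code from the list, showing one way to do it with the u32 classifier on an ingress qdisc of a bridge member port. Frames dropped there never reach the bridge's forwarding path. Everything not in the post is an assumption: the member port name eth1 (override with DEV), and a kernel with cls_u32 and act_gact (the "action drop" keyword). The interesting part is the range decomposition: u32 compares a 16-bit port against one value/mask pair, so a range such as 135-139 has to be split into aligned power-of-two blocks, which the script computes rather than hand-writes.

```shell
#!/bin/sh
# Added example, not from the thread: drop NetBIOS/SMB, broadcast and multicast
# on a Linux bridge using only tc.  Filters sit on the ingress qdisc of a
# bridge member port, so frames are discarded before the bridge forwards them.
# Assumed (not from the post): the member port is eth1 and the kernel has
# cls_u32 plus act_gact (the "action drop" keyword).
DEV="${DEV:-eth1}"
TC="${TC:-tc}"     # TC=echo prints the commands instead of running them

# port_range_to_u32 LO HI
# u32 matches a 16-bit port against one value/mask pair, so an arbitrary
# range is split into aligned power-of-two blocks.  Prints "0xVALUE/0xMASK",
# one per line; together the blocks cover exactly [LO, HI].
port_range_to_u32() {
    lo=$1; hi=$2
    while [ "$lo" -le "$hi" ]; do
        size=1
        # double the block while it stays aligned at lo and inside the range
        while [ $(( lo & (size * 2 - 1) )) -eq 0 ] \
              && [ $(( lo + size * 2 - 1 )) -le "$hi" ]; do
            size=$(( size * 2 ))
        done
        printf '0x%04x/0x%04x\n' "$lo" $(( 0xffff & ~(size - 1) ))
        lo=$(( lo + size ))
    done
}

# drop_ports PROTO LO HI   (PROTO: 6 = tcp, 17 = udp)
# One drop filter per value/mask pair.  "match ip dport" reads the transport
# header at a fixed offset, so it assumes IPv4 without options and cannot see
# the port in non-first fragments.
drop_ports() {
    proto=$1
    port_range_to_u32 "$2" "$3" | while IFS=/ read -r val mask; do
        $TC filter add dev "$DEV" parent ffff: protocol ip prio 10 u32 \
            match ip protocol "$proto" 0xff \
            match ip dport "$val" "$mask" \
            action drop
    done
}

# drop_dst PREFIX   drop by destination address (multicast / broadcast)
drop_dst() {
    $TC filter add dev "$DEV" parent ffff: protocol ip prio 20 u32 \
        match ip dst "$1" action drop
}

install_bridge_filters() {
    $TC qdisc add dev "$DEV" handle ffff: ingress
    drop_ports 6  135 139    # NetBIOS over TCP (becomes two value/mask pairs)
    drop_ports 17 137 139    # NetBIOS over UDP
    drop_ports 6  445 445    # SMB over TCP
    drop_ports 17 445 445    # SMB over UDP
    drop_dst 224.0.0.0/4     # all IPv4 multicast
    drop_dst 255.255.255.255/32
}

# run as "sh bridge-filter.sh apply" on the box; without an argument the
# functions are only defined, which keeps the script safe to source
case "${1:-}" in apply) install_bridge_filters ;; esac
```

Run it with `TC=echo DEV=eth1 sh bridge-filter.sh apply` first to see the generated tc commands, then without `TC=echo` on each bridge port whose incoming traffic should be filtered. Two limits are worth knowing: the broadcast rule only catches the limited broadcast address, so a directed broadcast such as 192.168.1.255 needs its own `drop_dst` line for the local subnet; and NetBEUI proper is not IP at all, so a `protocol ip` filter never sees it (matching it would need `protocol all` and a link-layer match, which is left out here). If the requirement is only to deprioritize rather than drop, the same filters can carry `flowid` into a low-priority class on an egress qdisc instead of `action drop`.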
From: Pierre.Le-Marec at alcatel.fr (Pierre.Le-Marec@alcatel.fr) Date: Thu Oct 12 12:03:14 2006 Subject: [LARTC] help In-Reply-To: <20061012100006.6F68A4497@outpost.ds9a.nl> Message-ID: lartc-request@mail man.ds9a.nl To: lartc@mailman.ds9a.nl Sent by: cc: lartc-bounces@mail Subject: LARTC Digest, Vol 20, Issue 13 man.ds9a.nl 12/10/2006 12:00 Please respond to lartc Send LARTC mailing list submissions to lartc@mailman.ds9a.nl To subscribe or unsubscribe via the World Wide Web, visit http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc or, via email, send a message with subject or body 'help' to lartc-request@mailman.ds9a.nl You can reach the person managing the list at lartc-owner@mailman.ds9a.nl When replying, please edit your Subject line so it is more specific than "Re: Contents of LARTC digest..." Today's Topics: 1. Drop packets using tc ? (Ming-Ching Tiew) ---------------------------------------------------------------------- Message: 1 Date: Thu, 12 Oct 2006 10:52:28 +0800 From: "Ming-Ching Tiew" Subject: [LARTC] Drop packets using tc ? To: Message-ID: <00ad01c6eda9$74606c50$0100a8c0@newlife> Content-Type: text/plain; charset="iso-8859-1" I have a linux bridge in an embedded system with limited tools. I want to drop these packets from flowing across the bridge, NETBEUI - TCP port 135-139 UDP port 137-139 TCP/UDP port 445 Also all broadcast and multicast. Is there a way to accomplish it using 'tc' ? If the packets cannot be dropped, I will be happy enough if it can be classified and put to some lowest priority. [ I don't have ebtables. 'iptables' is there but since it's a bridge, it's probably useless. I do have 'tc'. ] Regards. ------------------------------ _______________________________________________ LARTC mailing list LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc End of LARTC Digest, Vol 20, Issue 13 ************************************* From pio_mendez at hotmail.com Thu Oct 12 15:02:49 2006 
From: pio_mendez at hotmail.com (Pio Mendez) Date: Thu Oct 12 15:02:54 2006 Subject: [LARTC] Two outbound internet links, using one network interface In-Reply-To: <452E36FF.6070204@ma-isp.com> Message-ID: An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20061012/3e9b65e2/attachment.htm From imthiyaz at peopletech.co.in Thu Oct 12 18:49:56 2006 From: imthiyaz at peopletech.co.in (imthiyaz@peopletech.co.in) Date: Thu Oct 12 18:50:11 2006 Subject: [LARTC] routing between two isp Message-ID: <380-2200610412164956764@M2W103.mail2web.com> I have three ethernet card and two of them connected to diffrent ISP and has diffrent gateways. And one ethernet card is connected to local lan. I have installed iptables and configured the firwall to work as nat gateway for the users. Now I want to route only mail traffic to the perticular ISP and which I am not able to do it. I have done iproute configuration what ever lartc said. But still I am able to access internet only through one ISP. can someone tell me how can I load blance between two ISPs connected to single machine. Thanks Imthiyaz -------------------------------------------------------------------- mail2web - Check your email from the web at http://mail2web.com/ . From dasho at ma-isp.com Fri Oct 13 08:27:55 2006 
From: dasho at ma-isp.com (Dashamir Hoxha) Date: Fri Oct 13 08:28:36 2006 Subject: [LARTC] routing between two isp In-Reply-To: <380-2200610412164956764@M2W103.mail2web.com> References: <380-2200610412164956764@M2W103.mail2web.com> Message-ID: <452F31EB.9050707@ma-isp.com> Have a look at this: http://linux-ip.net/html/adv-multi-internet.html imthiyaz@peopletech.co.in wrote: > I have three ethernet card and two of them connected to diffrent ISP and > has diffrent gateways. And one ethernet card is connected to local lan. I > have installed iptables and configured the firwall to work as nat gateway > for the users. > > Now I want to route only mail traffic to the perticular ISP and which I am > not able to do it. I have done iproute configuration what ever lartc said. > But still I am able to access internet only through one ISP. > > can someone tell me how can I load blance between two ISPs connected to > single machine. > > Thanks > Imthiyaz > > -------------------------------------------------------------------- > mail2web - Check your email from the web at > http://mail2web.com/ . > > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > > > From dasho at ma-isp.com Fri Oct 13 08:49:19 2006 
From: dasho at ma-isp.com (Dashamir Hoxha) Date: Fri Oct 13 08:49:36 2006 Subject: [LARTC] Two outbound internet links, using one network interface In-Reply-To: References: Message-ID: <452F36EF.2050107@ma-isp.com> Pio Mendez wrote: > PREROUTING chain is not traversed by local traffic, but OUTPUT chain > does. I think that OUTPUT is traversed after routing decision is taken, so it is still the same problem. Alexandru Dragoi wrote: > You need a switch with 802.1q vlan support (cisco for example). The > network card need to be pluged in a switch port in "trunk" mode, and > the providers each in its access switch port in specified vlan (like 2). Since I don't have a switch like that, then I guess I should go back to the first solution, adding two IP-s to the same network interface. The problem of localhost traffic not being categorized, still exists, but this is not so important, since the box is going to serve like a router. So, the solution, up to now looks like this: -------------8<---------------------------------- ip link set eth0 up ip address flush eth0 ip address add $IP1 dev eth0 ip address add $IP2 dev eth0 route add to default via $GATEWAY1 ip route flush table 2 ip route show table main | grep -Ev ^default \ | while read ROUTE ; do ip route add table 2 $ROUTE ; done ip route add table 2 default via $GATEWAY2 ip rule del fwmark 2 table 2 2>/dev/null ip rule add fwmark 2 table 2 PORT_LIST="22 53" for PORT in $PORT_LIST do iptables -t mangle -A PREROUTING -m tcp -p tcp -dport $PORT -j MARK --set-mark 0x2 done iptables -t nat -A POSTROUTING -o eth0 -m mark --mark 0x2 -j SNAT --to-source $IP2 iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $IP1 ------------8<--------------------------------- Thanks to Radu Oprisan for the SNAT rules suggestion, because in general they are better than -j MASQUERADE. What remains to be done now is: 1 - What are the (security) problems related to this solution (two IPs in one interface) and how to avoid them. 
2 - How to do a backup connection, i.e. when one of the lines goes down, the other one is used automatically. One way may be to use ping, in order to discover when a gateway is down, and then to switch to the other. Has anybody any idea on these topics? Thanks. Dashamir From dasho at ma-isp.com Fri Oct 13 09:01:45 2006 
From: dasho at ma-isp.com (Dashamir Hoxha) Date: Fri Oct 13 09:02:14 2006 Subject: [LARTC] Two outbound internet links, using one network interface In-Reply-To: References: Message-ID: <452F39D9.6090101@ma-isp.com> Pio Mendez wrote: > > > > >Pio Mendez wrote: > >>PREROUTING chain is not traversed by local traffic, but OUTPUT > >>chain does. > > > >I think that OUTPUT is traversed after the routing decision is taken, so > >it is still the same problem. > > > I'm using the OUTPUT chain in a production environment to balance squid > box traffic between 2 ISPs, so I'm sure that you can reroute output > packets using the mangle OUTPUT chain. > > After traversing the mangle and nat OUTPUT chains there is another > routing process. Please check this diagram: > > http://www.imagestream.com/~josh/PacketFlow.png > > Pio Mendez is right. I have just tested it and it works. Now the script becomes something like this:
-------------8<----------------------------------
ip link set eth0 up
ip address flush eth0
ip address add $IP1 dev eth0
ip address add $IP2 dev eth0
ip route add default via $GATEWAY1
ip route flush table 2
ip route show table main | grep -Ev ^default \
  | while read ROUTE ; do ip route add table 2 $ROUTE ; done
ip route add table 2 default via $GATEWAY2
ip rule del fwmark 2 table 2 2>/dev/null
ip rule add fwmark 2 table 2
iptables -t mangle -N MARK-RULES
iptables -t mangle -A PREROUTING -j MARK-RULES
iptables -t mangle -A OUTPUT -j MARK-RULES
PORT_LIST="22 53"
for PORT in $PORT_LIST
do
  iptables -t mangle -A MARK-RULES -p tcp -m tcp --dport $PORT -j MARK --set-mark 0x2
done
iptables -t nat -A POSTROUTING -o eth0 -m mark --mark 0x2 -j SNAT --to-source $IP2
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $IP1
------------8<---------------------------------
From sandu.andrei at gmail.com Fri Oct 13 09:04:36 2006 
From: sandu.andrei at gmail.com (Andrei Sandu) Date: Fri Oct 13 09:04:41 2006 Subject: [LARTC] Cant get transparent proxy to route out new ISP. In-Reply-To: <45224E2C.9050503@eccotours.co.za> References: <45224E2C.9050503@eccotours.co.za> Message-ID: You can do that by inserting this into your squid.conf configuration file: tcp_outgoing_address IP Note that the IP you put there is the IP assigned by the ISP you want to route the proxy traffic through. You should also have: ip rule add from IP table DSL_ISP_TABLE_NAME to route packets from that IP by looking up this table: ip r a default via XX.XX.XX.XX table DSL_ISP_TABLE_NAME where you specify the default gateway provided by your second ISP. Hope this will help you, Andrei Sandu. On 10/3/06, Brent Clark wrote: > > Hi all > > Could someone please help me with my current setup. > > I just got another DSL line and I have my routing and marking of the packets > etc. so that I can decide the fate as to which ISP I would like to route my > traffic out of etc. > > I managed to get squid to be used as a transparent proxy, but I'm forced to > use the default gw of the machine and for the life of me I can't figure out how > to > send traffic out the new ISP. > > So my question / request for help is, would anyone please advise me as to > how I can choose what ISP I can route my transparent proxy through. > > I was thinking that maybe it is a POSTROUTING marking that I need to do, > and then the routing tables will take care of the rest. > > Kind regards and thank you in advance. > > Brent Clark > > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20061013/61541531/attachment.html From justin at expertron.co.za Fri Oct 13 10:26:14 2006 
From: justin at expertron.co.za (Justin Schoeman) Date: Fri Oct 13 10:26:11 2006 Subject: [LARTC] Ethernet packet loss - frame errors Message-ID: <452F4DA6.8030505@expertron.co.za> Hi all, I have the following problem. A Linux box configured as a bridge. One interface connects to the router via a crossover cable, the other connects to a switch via the cable that used to go to the router. Now I get the following: [root@localhost net]# ifconfig eth3 eth3 Link encap:Ethernet HWaddr 00:03:2D:07:61:5D UP BROADCAST MULTICAST MTU:1500 Metric:1 RX packets:1969134 errors:0 dropped:0 overruns:0 frame:176459 TX packets:2186662 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:492595115 (469.7 Mb) TX bytes:579725462 (552.8 Mb) Interrupt:17 eth3 is the interface that connects to the switch. As you can see, 1 in 10 rx packets are framing errors. What are possible causes for this? The cable is a constant, so is not likely to cause problems, so what else can possibly cause such a high number of frame errors? Any help appreciated. Thanks, Justin From sandu.andrei at gmail.com Fri Oct 13 10:34:17 2006 
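An added check (my code, not from the thread) that turns counters like the ones quoted above into a ratio and flags interfaces whose frame error rate is out of the ordinary. The eth3 block in the sample is the ifconfig output from the message; the eth2 block is a constructed healthy interface for contrast. The same parser runs over `ifconfig -a` output in the old net-tools format.

```python
import re

# Sample input: the eth3 block is the ifconfig output quoted in the message
# above; the eth2 block is constructed here as a healthy interface for contrast.
SAMPLE = """\
eth2      Link encap:Ethernet  HWaddr 00:03:2D:07:61:5C
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2186000 errors:0 dropped:0 overruns:0 frame:3
          TX packets:1969000 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:579000000 (552.2 Mb)  TX bytes:492000000 (469.2 Mb)

eth3      Link encap:Ethernet  HWaddr 00:03:2D:07:61:5D
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:1969134 errors:0 dropped:0 overruns:0 frame:176459
          TX packets:2186662 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:492595115 (469.7 Mb)  TX bytes:579725462 (552.8 Mb)
          Interrupt:17
"""

IFACE_RE = re.compile(r"^(\S+)\s+Link encap:", re.M)
RX_RE = re.compile(r"RX packets:(\d+) errors:(\d+) dropped:(\d+) overruns:(\d+) frame:(\d+)")
TX_RE = re.compile(r"TX packets:(\d+) errors:(\d+) dropped:(\d+) overruns:(\d+) carrier:(\d+)")


def parse_ifconfig(text):
    """Return {iface: {counter: int}} from old-style (net-tools) ifconfig output."""
    stats = {}
    blocks = IFACE_RE.split(text)          # ['', 'eth2', body, 'eth3', body, ...]
    for name, body in zip(blocks[1::2], blocks[2::2]):
        rx, tx = RX_RE.search(body), TX_RE.search(body)
        if not (rx and tx):
            continue                       # interface without counters (e.g. down)
        stats[name] = {
            "rx_packets": int(rx.group(1)), "rx_errors": int(rx.group(2)),
            "rx_dropped": int(rx.group(3)), "rx_overruns": int(rx.group(4)),
            "rx_frame": int(rx.group(5)),
            "tx_packets": int(tx.group(1)), "tx_errors": int(tx.group(2)),
            "tx_carrier": int(tx.group(5)),
        }
    return stats


def frame_error_ratio(counters):
    """Frame errors per good received packet (drivers count only good frames
    in 'RX packets', so this is the '1 in N' figure used in the message)."""
    return counters["rx_frame"] / max(counters["rx_packets"], 1)


def flag_frame_errors(stats, threshold=0.001):
    """Names of interfaces whose frame error ratio exceeds threshold, worst first."""
    bad = [(name, frame_error_ratio(c)) for name, c in stats.items()
           if frame_error_ratio(c) > threshold]
    return [name for name, _ in sorted(bad, key=lambda item: -item[1])]


if __name__ == "__main__":
    stats = parse_ifconfig(SAMPLE)
    for name, c in stats.items():
        print(f"{name}: frame errors per good packet = {frame_error_ratio(c):.5f}")
    print("suspect:", flag_frame_errors(stats))   # ['eth3']
```

On the quoted counters the ratio works out to about 0.0896, roughly one frame error per eleven good packets. A duplex mismatch between a port forced to 100/full and a peer left on auto-negotiation is a common source of exactly this counter, so checking the negotiated duplex on the switch port is a cheap first step before suspecting the cable.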
From: sandu.andrei at gmail.com (Andrei Sandu) Date: Fri Oct 13 10:34:24 2006 Subject: [LARTC] Ethernet packet loss - frame errors In-Reply-To: <452F4DA6.8030505@expertron.co.za> References: <452F4DA6.8030505@expertron.co.za> Message-ID: Possibly the length of the cable ? On 10/13/06, Justin Schoeman wrote: > > Hi all, > > I have the following problem. A Linux box configured as a bridge. One > interface connects to the router via a crossover cable, the other > connects to a switch via the cable that used to go to the router. > > Now I get the following: > > [root@localhost net]# ifconfig eth3 > eth3 Link encap:Ethernet HWaddr 00:03:2D:07:61:5D > UP BROADCAST MULTICAST MTU:1500 Metric:1 > RX packets:1969134 errors:0 dropped:0 overruns:0 frame:176459 > TX packets:2186662 errors:0 dropped:0 overruns:0 carrier:0 > collisions:0 txqueuelen:1000 > RX bytes:492595115 (469.7 Mb) TX bytes:579725462 (552.8 Mb) > Interrupt:17 > > eth3 is the interface that connects to the switch. As you can see, 1 in > 10 rx packets are framing errors. > > What are possible causes for this? The cable is a constant, so is not > likely to cause problems, so what else can possibly cause such a high > number of frame errors? > > Any help appreciated. > > Thanks, > > Justin > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20061013/d7ae770d/attachment.htm From temp02 at bluereef.com.au Fri Oct 13 10:40:11 2006 
From: temp02 at bluereef.com.au (Andrew Hall) Date: Fri Oct 13 10:40:22 2006 Subject: [LARTC] Non-classful per source capping Message-ID: <055501c6eea3$34204d90$6401a8c0@bluereef.local> Hello, I've been looking for a kernel implementation of simple bandwidth capping that will allow simple per (source) IP based bandwidth capping without the overheads associated with something like classful HTB. I have been unable to find anything existing that does this. In principle I'd like the code to dynamically set up a bucket/hash per source IP, monitor and cap an absolute ceiling. I have no need for sharing or guarantees of assured rates, just the simple cap per source. Can anyone please point me to any existing implementation or point me to some code that I can refactor to do what I need, if you know of any. Thanks, Andrew. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20061013/16393475/attachment.html From indunil75 at gmail.com Fri Oct 13 10:43:11 2006 From: indunil75 at gmail.com (Indunil Jayasooriya) Date: Fri Oct 13 10:43:14 2006 Subject: [LARTC] load balancing Message-ID: <7ed6b0aa0610130143o3efc2367k268e63d17ba72ef9@mail.gmail.com> http://www.linuxquestions.org/linux/answers/Networking/Spanning_Multiple_DSLs -- Thank you Indunil Jayasooriya -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20061013/1124f2c8/attachment.htm From justin at expertron.co.za Fri Oct 13 10:44:23 2006 
From: justin at expertron.co.za (Justin Schoeman) Date: Fri Oct 13 10:44:27 2006 Subject: [LARTC] Ethernet packet loss - frame errors In-Reply-To: References: <452F4DA6.8030505@expertron.co.za> Message-ID: <452F51E7.6040504@expertron.co.za> Andrei Sandu wrote: > Possibly the length of the cable ? It is a 5m cable. It is also the 'common' cable - it is unplugged from the router and plugged into the bridge (the other side stays in the switch). -justin > On 10/13/06, *Justin Schoeman* > wrote: > > Hi all, > > I have the following problem. A Linux box configured as a bridge. One > interface connects to the router via a crossover cable, the other > connects to a switch via the cable that used to go to the router. > > Now I get the following: > > [root@localhost net]# ifconfig eth3 > eth3 Link encap:Ethernet HWaddr 00:03:2D:07:61:5D > UP BROADCAST MULTICAST MTU:1500 Metric:1 > RX packets:1969134 errors:0 dropped:0 overruns:0 frame:176459 > TX packets:2186662 errors:0 dropped:0 overruns:0 carrier:0 > collisions:0 txqueuelen:1000 > RX bytes:492595115 ( 469.7 Mb) TX bytes:579725462 (552.8 Mb) > Interrupt:17 > > eth3 is the interface that connects to the switch. As you can see, 1 in > 10 rx packets are framing errors. > > What are possible causes for this? The cable is a constant, so is not > likely to cause problems, so what else can possibly cause such a high > number of frame errors? > > Any help appreciated. > > Thanks, > > Justin > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > > > > ------------------------------------------------------------------------ > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc From indunil75 at gmail.com Fri Oct 13 10:54:22 2006 
From: indunil75 at gmail.com (Indunil Jayasooriya) Date: Fri Oct 13 10:54:26 2006 Subject: [LARTC] load balancing Message-ID: <7ed6b0aa0610130154m32d44b78j950e227d4faedbd6@mail.gmail.com> try this
echo "11 line1" >> /etc/iproute2/rt_tables
echo "12 line2" >> /etc/iproute2/rt_tables
ip route add 1.2.3.0/29 dev eth0 src 1.2.3.6 table line1
ip route add default via 1.2.3.5 table line1
ip route add 192.168.6.0/24 dev eth1 src 192.168.6.4 table line2
ip route add default via 192.168.6.254 table line2
ip rule add from 1.2.3.6 table line1
ip rule add from 192.168.6.4 table line2
ip route add default scope global nexthop via 1.2.3.5 dev eth0 weight 1 nexthop via 192.168.6.254 dev eth1 weight 1
pls change the IPs accordingly, and add these to the rc.local file -- Thank you Indunil Jayasooriya -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20061013/d64ba52f/attachment.html From e1605projecter at yahoo.com Fri Oct 13 14:28:32 2006 
From: e1605projecter at yahoo.com (Thossapron Apinyapanha) Date: Fri Oct 13 14:28:38 2006 Subject: [LARTC] HFSC question?? Message-ID: <20061013122832.56363.qmail@web35501.mail.mud.yahoo.com> 1. HFSC has 4 curves, sc, rc, ls, ul, and 1.1 in a leaf class you can specify rc for guaranteed service (bandwidth and delay), and if you want to share excess service fairly you must specify the ls and ul curves too (the ls curve with parameter m2 specifies the least share of bandwidth that class will receive, and the ul curve means the maximum bandwidth that class will receive). So I'm in doubt: if I specify the sc curve in a leaf class too, what does it mean?? rc, ls, ul + sc -> what does it mean? rc + sc -> what does it mean? In an interior class you can't specify the rc curve, but you can specify the ls curve for the link-sharing criterion, and it can share excess service fairly too. But if I specify the sc curve in a leaf class too, what does it mean?? How is it different if I specify "ls, ul and sc" versus "ls, ul"??? In the root class, what does it mean if I specify sc -> what does it mean? ls + ul -> what does it mean? 1.2 So can I conclude that ls, ul, rc are subsets of the sc curve, and that from each curve we can calculate the bandwidth and delay bound????? Because all 4 curves have the same parameters, m1, d, m2. 2. I have read a lot of HFSC papers about the parameters (m1, d, m2). Some papers tell me d is an interval of time (first it will send at rate m1, but after the interval d it will change the rate to m2), but some papers tell me d is the delay bound in that class (first it will send at rate m1, but after exceeding the delay bound it will change the rate to m2). Which is true?? 2.1 If d is an interval of time, how does HFSC calculate delay? 2.2 Is it true that "the delay bound is calculated from the service curve"? 3. This is my big problem with HFSC theory ... 
In HFSC there are 2 criteria, the real-time and the link-sharing criterion. So when a packet comes into the Linux traffic control box, HFSC checks the eligible time of each packet. If eligible time < t (I don't understand how eligibility works, or how it classifies a packet as eligible or not), or it is a packet in danger of exceeding its deadline time, it manages the packet with the "real-time criterion" and chooses the packet with the lowest deadline time for dequeue; but if not, it manages it with the "link-sharing criterion" and chooses the packet with the lowest virtual time (this is the big thing I don't understand: why choose the lowest virtual time? Because it means the class with the lowest is chosen to dequeue, and what about another class whose virtual time is not low?? How can it manage that??? And I don't understand why it must choose the lowest and not the max virtual time. Is it related to fair excess service for all classes?) 4. My lab ... I compared bandwidth allocation by HFSC with HTB ... I found that at the first moment a class starts up, HFSC receives bandwidth nearly at the upper-limit rate, no matter how many classes are active at that time???? (it's like it can send at the burst rate in HTB). So in comparison with HTB, at the first moment a class starts up, HTB does not receive a peak of bandwidth like a burst; instead it uses an interval of time to increase bandwidth until it starts at rate and then at ceil. 5. I have read a lot of HTB tc command cases, trying to test the burst situation. I don't know why the burst parameter they specify is not much, like 12kbit (but the rate and ceil are so different from 12kbit, such as 200kbit), so I followed them, but after plotting the graph ... I don't see the burst characteristic at the first moment the class is active ... Am I wrong to use a burst parameter value of 12 kbit???? Is it too small????? are 5. from my lab -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20061013/b39523c9/attachment.htm From e1605projecter at yahoo.com Fri Oct 13 14:41:14 2006 
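Question 2 above, whether d is an interval or a delay bound, can be settled by computing with the curve itself. The following is an added worked example in Python, my code and not code from the thread or from the kernel's HFSC implementation; the tc-style parameters (1000kbit, 10ms, 200kbit) and the packet sizes are constructed for illustration. It treats d as the duration of the first linear segment and derives the per-packet delay bound and the real-time deadlines as the inverse of the curve, which is how the HFSC definition uses the real-time service curve.

```python
from fractions import Fraction

# Two-piece linear service curve as configured with tc:
#   "rt m1 <kbit> d <ms> m2 <kbit>"  (sc/ls/ul have the same shape).
# Units here: bytes/s for slopes, seconds for time, all exact Fractions.


def ms(x):
    """Milliseconds as an exact number of seconds."""
    return Fraction(x, 1000)


def tc_curve(m1_kbit, d_ms, m2_kbit):
    """Convert tc-style parameters (kbit = 1000 bit/s, d in ms) to (m1, d, m2)."""
    return (Fraction(m1_kbit * 125), ms(d_ms), Fraction(m2_kbit * 125))


def service_curve(curve, t):
    """S(t): bytes the class is guaranteed to have received t seconds after it
    became active. Slope m1 for the first d seconds, slope m2 afterwards; d is
    the length of the first segment, not a delay bound."""
    m1, d, m2 = curve
    if t <= d:
        return m1 * t
    return m1 * d + m2 * (t - d)


def curve_inverse(curve, nbytes):
    """S^-1(y): earliest time by which the curve has served y bytes."""
    m1, d, m2 = curve
    knee = m1 * d                      # bytes served at the end of segment one
    if nbytes <= knee:
        return nbytes / m1
    return d + (nbytes - knee) / m2


def delay_bound(curve, packet_len):
    """Worst-case delay of a packet_len-byte packet arriving at an idle class:
    the time at which the curve guarantees packet_len bytes."""
    return curve_inverse(curve, packet_len)


def deadlines(curve, packet_lens):
    """Deadline of each packet in a backlog: S^-1 at the cumulative bytes served
    including that packet. The real-time criterion dequeues the eligible
    packet with the smallest deadline."""
    cumul = Fraction(0)
    out = []
    for n in packet_lens:
        cumul += n
        out.append(curve_inverse(curve, cumul))
    return out


def eligible_times(curve, packet_lens):
    """Eligible time of each packet for a concave curve (m1 > m2): S^-1 at the
    cumulative bytes served before the packet. A packet competes on deadline
    only once the clock has passed its eligible time."""
    m1, d, m2 = curve
    assert m1 > m2, "convex curves use a different eligible curve; not modelled here"
    cumul = Fraction(0)
    out = []
    for n in packet_lens:
        out.append(curve_inverse(curve, cumul))
        cumul += n
    return out


if __name__ == "__main__":
    curve = tc_curve(1000, 10, 200)      # 1 Mbit/s for 10 ms, then 200 kbit/s
    print("bytes guaranteed by 10 ms:", service_curve(curve, ms(10)))   # 1250
    print("delay bound, 1000 B packet:", float(delay_bound(curve, 1000)))  # 0.008
    print("delay bound, 1500 B packet:", float(delay_bound(curve, 1500)))  # 0.02
    print("deadlines for two 1500 B packets:",
          [float(x) for x in deadlines(curve, [1500, 1500])])           # 0.02, 0.08
```

With these numbers a 1000-byte packet is served inside the first segment (8 ms), while a 1500-byte packet crosses the knee at 1250 bytes and only finishes at 20 ms, even though d is 10 ms: the delay bound follows from the curve, d merely says where the slope changes.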
From: e1605projecter at yahoo.com (Thossapron Apinyapanha) Date: Fri Oct 13 14:41:20 2006 Subject: [LARTC] HTB has 2 bucket? Message-ID: <20061013124114.4573.qmail@web35504.mail.mud.yahoo.com> Does HTB use 2 buckets to manage 2 rates??? first bucket -> keeps tokens for sending at rate; second bucket -> keeps ctokens for sending at ceil rate. Is it true?? Maybe I misunderstand token bucket theory. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20061013/c985e915/attachment.html From martin at linux-ip.net Fri Oct 13 14:56:02 2006 
From: martin at linux-ip.net (Martin A. Brown) Date: Fri Oct 13 14:57:08 2006 Subject: [LARTC] HTB has 2 bucket? In-Reply-To: <20061013124114.4573.qmail@web35504.mail.mud.yahoo.com> References: <20061013124114.4573.qmail@web35504.mail.mud.yahoo.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Greetings Thossapron, : in HTB use 2 bucket for manage 2 rate??? first bucket -> keep : token for sending with rate second bucket -> keep ctoken for : sending with ceil rate Is it true?? may be i'm misunderstand : about token/bucket thoery Yes, there are two different buckets used. One bucket is for tokens, another bucket is for ctokens. Brief picture of association of parameters: rate: burst, tokens ceil: cburst, ctokens See the upper right corner of this diagram [0]. In particular, I should warn you that the SFQ qdisc in this diagram is the one which is granted the dequeue opportunity, so although packets mostly flow from left to right in this diagram, the SFQ is displayed to the left of the HTB rate/ceil buckets, even though logically this is reversed. Good luck, - -Martin [0] http://linux-ip.net/traffic-control/htb-class.png - -- Martin A. Brown http://linux-ip.net/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) Comment: pgf-0.72 (http://linux-ip.net/sw/pine-gpg-filter/) iD8DBQFFL4zmHEoZD1iZ+YcRAm1mAJ42tQy4cRL88JnuwR2/YR3zrRoTOACfbLtu ccrh3V/7eBzDlpRvWTgOtZs= =RqAV -----END PGP SIGNATURE----- From shemminger at osdl.org Fri Oct 13 21:10:31 2006 
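As an added illustration of the two buckets Martin describes (my code, not from the thread and not the kernel's): the Python model below follows the accounting in the kernel's sch_htb, where a class's mode is decided from its ctokens first (negative ctokens mean it cannot send at all), then from its tokens (non-negative tokens mean it sends in its own right, otherwise it may borrow), and where a packet sent by borrowing is charged to the leaf's ctokens and to the lender's tokens and ctokens but not to the leaf's own tokens. The rates, bucket sizes and packet size are constructed for the demonstration; the kernel keeps its buckets in time units rather than bytes, which does not change the outcome.

```python
from dataclasses import dataclass, field
from fractions import Fraction
from typing import Optional

CAN_SEND, MAY_BORROW, CANT_SEND = "send", "borrow", "blocked"


def seconds(num, den=1):
    """Exact time value, e.g. seconds(1, 20) for 50 ms."""
    return Fraction(num, den)


@dataclass
class HtbClass:
    name: str
    rate: int        # bytes/s, refills `tokens`
    ceil: int        # bytes/s, refills `ctokens`
    burst: int       # bytes, capacity of the token bucket
    cburst: int      # bytes, capacity of the ctoken bucket
    level: int       # 0 for a leaf; a parent is one level higher
    parent: Optional["HtbClass"] = None
    tokens: Fraction = field(init=False)
    ctokens: Fraction = field(init=False)
    last: Fraction = field(default=Fraction(0), init=False)

    def __post_init__(self):
        # both buckets start full, as right after "tc class add"
        self.tokens = Fraction(self.burst)
        self.ctokens = Fraction(self.cburst)

    def refill(self, now: Fraction) -> None:
        """Add rate*dt to tokens and ceil*dt to ctokens, capped at the bucket sizes."""
        dt = now - self.last
        self.last = now
        self.tokens = min(self.tokens + self.rate * dt, Fraction(self.burst))
        self.ctokens = min(self.ctokens + self.ceil * dt, Fraction(self.cburst))

    def mode(self, now: Fraction) -> str:
        """Like htb_class_mode: ctokens are consulted before tokens."""
        self.refill(now)
        if self.ctokens < 0:
            return CANT_SEND      # over ceil: nothing helps until ctokens refill
        if self.tokens >= 0:
            return CAN_SEND       # within rate: send without asking the parent
        return MAY_BORROW         # over rate, under ceil: needs a lender


def find_lender(cls: HtbClass, now: Fraction) -> Optional[HtbClass]:
    """Walk up the tree: the first class that CAN_SEND lends; a CANT_SEND
    class anywhere on the path blocks the packet."""
    c = cls
    while c is not None:
        m = c.mode(now)
        if m == CANT_SEND:
            return None
        if m == CAN_SEND:
            return c
        c = c.parent
    return None


def charge(cls: HtbClass, lend_level: int, nbytes: int, now: Fraction) -> None:
    """Like htb_charge_class: classes at or above the lender's level pay
    tokens; every class on the path pays ctokens. Balances may go negative."""
    c = cls
    while c is not None:
        c.refill(now)
        if c.level >= lend_level:
            c.tokens -= nbytes
        c.ctokens -= nbytes
        c = c.parent


def send(cls: HtbClass, nbytes: int, now: Fraction) -> str:
    lender = find_lender(cls, now)
    if lender is None:
        return CANT_SEND
    charge(cls, lender.level, nbytes, now)
    return CAN_SEND if lender is cls else MAY_BORROW


def burst_demo(pkt: int = 1500, n: int = 20):
    """Constructed two-class tree, then n back-to-back packets at t=0.
    Returns the outcome of each packet plus both classes for inspection."""
    root = HtbClass("root", rate=200_000, ceil=200_000, burst=20_000, cburst=20_000, level=1)
    leaf = HtbClass("leaf", rate=100_000, ceil=200_000, burst=10_000, cburst=20_000,
                    level=0, parent=root)
    outcomes = [send(leaf, pkt, seconds(0)) for _ in range(n)]
    return outcomes, leaf, root


if __name__ == "__main__":
    outcomes, leaf, root = burst_demo()
    print(outcomes)                          # 7 x send, 7 x borrow, then blocked
    print(leaf.tokens, leaf.ctokens)         # -500 -1000: both buckets overdrawn
    print(leaf.mode(seconds(1, 20)))         # 50 ms later both have refilled: send
```

The run shows the behaviour the follow-up questions are about: the first seven packets go out on the leaf's own tokens (its 10 kB burst), the next seven are borrowed against the parent while the leaf's ctokens (its 20 kB cburst) last, and the fourteenth overdraws both because the mode test only asks whether the balance is non-negative before the packet, not whether the packet fits. Once ctokens are negative the class is blocked even though the parent still has tokens, which is why ctokens are checked first.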
From: shemminger at osdl.org (Stephen Hemminger) Date: Fri Oct 13 21:12:01 2006 Subject: [LARTC] Ethernet packet loss - frame errors In-Reply-To: <452F4DA6.8030505@expertron.co.za> References: <452F4DA6.8030505@expertron.co.za> Message-ID: <20061013121031.192549da@dxpl.pdx.osdl.net> On Fri, 13 Oct 2006 10:26:14 +0200 Justin Schoeman wrote: > Hi all, > > I have the following problem. A Linux box configured as a bridge. One > interface connects to the router via a crossover cable, the other > connects to a switch via the cable that used to go to the router. > > Now I get the following: > > [root@localhost net]# ifconfig eth3 > eth3 Link encap:Ethernet HWaddr 00:03:2D:07:61:5D > UP BROADCAST MULTICAST MTU:1500 Metric:1 > RX packets:1969134 errors:0 dropped:0 overruns:0 frame:176459 > TX packets:2186662 errors:0 dropped:0 overruns:0 carrier:0 > collisions:0 txqueuelen:1000 > RX bytes:492595115 (469.7 Mb) TX bytes:579725462 (552.8 Mb) > Interrupt:17 > > eth3 is the interface that connects to the switch. As you can see, 1 in > 10 rx packets are framing errors. > > What are possible causes for this? The cable is a constant, so is not > likely to cause problems, so what else can possibly cause such a high > number of frame errors? > > Any help appreciated. > > Thanks, > > Justin > What speed and driver? From e1605projecter at yahoo.com Sat Oct 14 09:42:43 2006 
From: e1605projecter at yahoo.com (Thossapron Apinyapanha) Date: Sat Oct 14 09:43:00 2006 Subject: [LARTC] HTB has 2 bucket? Message-ID: <20061014074243.88038.qmail@web35503.mail.mud.yahoo.com> Thank you for your reply. I was in doubt before I knew there were two buckets. My assumption was: the first bucket keeps tokens for sending at the guaranteed rate, and this bucket size is the same as the burst size, and every minute the number of tokens created is at least the rate tokens but at most the burst size. But after that, the truth is ... HTB has 2 buckets. Is my assumption true for the HTB technique to handle "burst traffic"??? The first bucket size, for keeping tokens, is the burst size, to handle burst traffic when it comes. Every minute the number of tokens created is at least the rate tokens, to guarantee bandwidth, but at most the burst size, and supports bursts (I'm not sure if the max tokens are the burst size; the first time it handles burst traffic, HTB will use all the tokens in the bucket, but what about the next second??? Is the bucket empty? So maybe the max bucket size is bigger than the burst size??). When a class uses bandwidth exceeding rate, the class will borrow bandwidth from the parent class, so the class will use ctokens that are kept in another bucket (the bucket for keeping ctokens, and ctokens come only from the parent's tokens). I don't understand, when burst traffic comes, how HTB chooses which of the 2 buckets to use. I saw the picture from http://linux-ip.net/traffic-control/htb-class.png and don't understand why it must check the ctokens before the tokens. Is it true? Because burst traffic will use more tokens than the tokens in the first bucket, so it will skip to check the ctokens. 
Is it max enough? It will use all the tokens in the first bucket and the ctokens in the second bucket, because in theory, for HTB to handle burst traffic, HTB allows sending at the burst rate until the average rate equals the burst threshold, then HTB will change the rate to the guaranteed rate. If it uses only the tokens in the first bucket to handle burst traffic, I think this mechanism will use tokens, and while sending at the burst rate, if the number of available tokens is equal to or a little bit more than the number of rate tokens for guaranteed bandwidth, it will change to sending at the guaranteed rate? (I'm not sure about my assumption. If my assumption is wrong, can you tell me the truth?) Advise me please, thank you ----- Original Message ---- 
From: Martin A. Brown To: Thossapron Apinyapanha Cc: lartc lartc Sent: Friday, October 13, 2006 7:56:02 PM Subject: Re: [LARTC] HTB has 2 bucket? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Greetings Thossapron, : in HTB use 2 bucket for manage 2 rate??? first bucket -> keep : token for sending with rate second bucket -> keep ctoken for : sending with ceil rate Is it true?? may be i'm misunderstand : about token/bucket thoery Yes, there are two different buckets used. One bucket is for tokens, another bucket is for ctokens. Brief picture of association of parameters: rate: burst, tokens ceil: cburst, ctokens See the upper right corner of this diagram [0]. In particular, I should warn you that the SFQ qdisc in this diagram is the one which is granted the dequeue opportunity, so although packets mostly flow from left to right in this diagram, the SFQ is displayed to the left of the HTB rate/ceil buckets, even though logically this is reversed. Good luck, - -Martin [0] http://linux-ip.net/traffic-control/htb-class.png - -- Martin A. Brown http://linux-ip.net/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) Comment: pgf-0.72 (http://linux-ip.net/sw/pine-gpg-filter/) iD8DBQFFL4zmHEoZD1iZ+YcRAm1mAJ42tQy4cRL88JnuwR2/YR3zrRoTOACfbLtu ccrh3V/7eBzDlpRvWTgOtZs= =RqAV -----END PGP SIGNATURE----- -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20061014/62c74015/attachment-0001.htm From dasho at ma-isp.com Sat Oct 14 11:29:31 2006 
From: dasho at ma-isp.com (Dashamir Hoxha) Date: Sat Oct 14 11:29:56 2006 Subject: [LARTC] Two outbound internet links, using one network interface In-Reply-To: <452F39D9.6090101@ma-isp.com> References: <452F39D9.6090101@ma-isp.com> Message-ID: <4530ADFB.6010202@ma-isp.com> Dashamir Hoxha wrote: > Pio Mendez wrote: >> >> >> >> >Pio Mendez wrote: >> >>PREROUTING chain is not traversed by local traffic, but OUTPUT >> >>chain does. >> > >> >I think that OUTPUT is traversed after the routing decision is >> taken, so >> >it is still the same problem. >> >> >> I'm using the OUTPUT chain in a production environment to balance squid >> box traffic between 2 ISPs, so I'm sure that you can reroute output >> packets using the mangle OUTPUT chain. >> >> After traversing the mangle and nat OUTPUT chains there is another >> routing process. Please check this diagram: >> >> http://www.imagestream.com/~josh/PacketFlow.png >> >> > Pio Mendez is right. I have just tested it and it works. If I use: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE instead of: iptables -t nat -A POSTROUTING -o eth0 -m mark --mark 0x2 -j SNAT --to-source $IP2 iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $IP1 it seems not to work. So, maybe I didn't test it properly and actually it doesn't work. Anyway, it is not so important. 
Dashamir > Now the script becomes something like this: > > -------------8<---------------------------------- > ip link set eth0 up > ip address flush eth0 > ip address add $IP1 dev eth0 > ip address add $IP2 dev eth0 > > ip route add default via $GATEWAY1 > > ip route flush table 2 > ip route show table main | grep -Ev ^default \ > | while read ROUTE ; do ip route add table 2 $ROUTE ; done > ip route add table 2 default via $GATEWAY2 > > ip rule del fwmark 2 table 2 2>/dev/null > ip rule add fwmark 2 table 2 > > iptables -t mangle -N MARK-RULES > iptables -t mangle -A PREROUTING -j MARK-RULES > iptables -t mangle -A OUTPUT -j MARK-RULES > > PORT_LIST="22 53" > for PORT in $PORT_LIST > do > iptables -t mangle -A MARK-RULES -p tcp -m tcp --dport $PORT -j MARK > --set-mark 0x2 > done > > iptables -t nat -A POSTROUTING -o eth0 -m mark --mark 0x2 -j SNAT > --to-source $IP2 > iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $IP1 > ------------8<--------------------------------- > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > > From korta.lartc at neuf.fr Sat Oct 14 13:10:51 2006 
From: korta.lartc at neuf.fr (KORTA) Date: Sat Oct 14 13:10:44 2006 Subject: [LARTC] Problem with two providers: Need to route packets on the interface on which they arrive. Message-ID: <000601c6ef81$692240f0$3b66c2d0$%lartc@neuf.fr> Hello, I would like to know how to resolve a problem. I have a Debian router with 3 interfaces (LAN, and two internet providers (Provider A, Provider B)). The default route is configured to use provider A. The problem is that when an external connection arrives from provider B to an internal server (with NAT), the packet is routed to the default route. Let me explain: - A packet arrives from provider B in the direction of an internal server - The router performs the NAT operation - The internal server generates a response - The router routes the packet on the interface of Provider A Consequently, the connection cannot be established. I want to know if it's possible to configure my Debian router to route packets to the interface on which the packet arrived. In the example, packets should have been routed by the interface connected to provider B. If yes, do you know how to do that? Thanks. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20061014/bed8e7cf/attachment.htm From marek at piasta.pl Sat Oct 14 13:46:57 2006 
From: marek at piasta.pl (Marek Kierdelewicz) Date: Sat Oct 14 13:47:04 2006 Subject: [LARTC] Intel or AMD is better processor for router (800+ users) In-Reply-To: <452BFB74.10104@krediidiinfo.ee> References: <20061004190542.02D884B321C@poczta.interia.pl> <20061006172559.52f9ac28@localhost.localdomain> <452BFB74.10104@krediidiinfo.ee> Message-ID: <20061014134657.1ca38db8@localhost.localdomain> > The author highly recommends disabling IRQ balancing in the kernel > config, but does not clarify what this does. I tried googling but > didn't find much info. What does it exactly do, and why is disabling > it recommended/required? I haven't seen the irq balance option in kernels for some time now. > It seems to me, IRQ balancing does not allow to specify interrupts > per device but assigns them automatically on the run, correct? It seems so. As I mentioned earlier I haven't seen the irq balance option in recent kernels. Static irq2cpu assignment works well (even on HT processors). > While searching the web, I found reports about big performance > increases in 3D rendering due to disabling the feature. Can this be > true and why? I don't have a clue. I can say one thing - static irq2cpu assignment works for me on linux routers hauling 400+kpps. Without it only one core/processor would be used. cheers, Marek Kierdelewicz From oscar at ufomechanic.net Sat Oct 14 13:56:14 2006 
From: oscar at ufomechanic.net (Oscar Mechanic) Date: Sat Oct 14 13:56:33 2006 Subject: [LARTC] Problem with two providers: Need to route packets on the interface on which they arrive. In-Reply-To: <000601c6ef81$692240f0$3b66c2d0$%lartc@neuf.fr> References: <000601c6ef81$692240f0$3b66c2d0$%lartc@neuf.fr> Message-ID: <1160826974.4371.12.camel@OSCARLAPLIN> There is a simple way and a hard way to do this. You could use connmark in iptables, and then use ip rule & routes to set the route based on that. As I am not going to replicate this to test, I won't try and guess commands. Easiest: configure 2 IPs on the server. DNAT like
iptables -t nat -I PREROUTING 1 -i ethA -j DNAT --to-destination <10.0.0.A>
iptables -t nat -I PREROUTING 1 -i ethB -j DNAT --to-destination <10.0.0.B>
ip rule add from 10.0.0.B lookup 120
ip route add default via <gateway-B> table 120
That's the easiest I can think of. On Sat, 2006-10-14 at 13:10 +0200, KORTA wrote: > Hello, > > I would like to know how to resolve a problem. > > I have a Debian router with 3 interfaces (LAN, and two internet > providers (Provider A, Provider B)). > > The default route is configured to use provider A > > The problem is that, > when an external connection arrives from provider B to an internal > server (with NAT), the packet is routed to the default route: > > Let me explain: > > - A packet arrives from provider B in the direction of an internal > server > > - The router performs the NAT operation > > - The internal server generates a response > > - The router routes the packet on the interface of Provider A > > Consequently, the connection cannot be established > > I want to know if it's possible to configure my Debian router to route > packets to the interface on which the packet arrived. In the example, > packets should have been routed by the interface connected to provider > B > > If yes, do you know how to do that? > > Thanks. 
> > > > > > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nlhttp://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc From justin at expertron.co.za Sat Oct 14 15:18:32 2006 From: justin at expertron.co.za (Justin Schoeman) Date: Sat Oct 14 15:18:34 2006 Subject: [LARTC] Ethernet packet loss - frame errors In-Reply-To: <20061013121031.192549da@dxpl.pdx.osdl.net> References: <452F4DA6.8030505@expertron.co.za> <20061013121031.192549da@dxpl.pdx.osdl.net> Message-ID: <4530E3A8.5020608@expertron.co.za> Stephen Hemminger wrote: > On Fri, 13 Oct 2006 10:26:14 +0200 > Justin Schoeman wrote: > >> Hi all, >> >> I have the following problem. A Linux box configured as a bridge. One >> interface connects to the router via a crossover cable, the other >> connects to a switch via the cable that used to go to the router. >> >> Now I get the following: >> >> [root@localhost net]# ifconfig eth3 >> eth3 Link encap:Ethernet HWaddr 00:03:2D:07:61:5D >> UP BROADCAST MULTICAST MTU:1500 Metric:1 >> RX packets:1969134 errors:0 dropped:0 overruns:0 frame:176459 >> TX packets:2186662 errors:0 dropped:0 overruns:0 carrier:0 >> collisions:0 txqueuelen:1000 >> RX bytes:492595115 (469.7 Mb) TX bytes:579725462 (552.8 Mb) >> Interrupt:17 >> >> eth3 is the interface that connects to the switch. As you can see, 1 in >> 10 rx packets are framing errors. >> >> What are possible causes for this? The cable is a constant, so is not >> likely to cause problems, so what else can possibly cause such a high >> number of frame errors? >> >> Any help appreciated. >> >> Thanks, >> >> Justin >> > > What speed and driver? sky 2 driver, hardcoded for 100Mbps full duplex. -justin From korta.lartc at neuf.fr Sat Oct 14 19:21:24 2006 
From: korta.lartc at neuf.fr (KORTA)
Date: Sat Oct 14 19:21:24 2006
Subject: [LARTC] Problem with two providers:Need to route packets on the interface on which they arrives.
In-Reply-To: <1160826974.4371.12.camel@OSCARLAPLIN>
References: <000601c6ef81$692240f0$3b66c2d0$%lartc@neuf.fr> <1160826974.4371.12.camel@OSCARLAPLIN>
Message-ID: <000001c6efb5$2d2a3e20$877eba60$%lartc@neuf.fr>

I made a picture.

If a packet arrives from provider B, I want the packet to be routed by the
same provider even if the default route is provider A.

You gave me the syntax to route from a source address; I just want to know if
it is possible to route packets depending on which interface they arrive.

Tx

-----Original Message-----
From: Oscar Mechanic [mailto:oscar@ufomechanic.net]
Sent: Saturday 14 October 2006 13:56
To: KORTA
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Problem with two providers:Need to route packets on the interface on which they arrives.

There is a simple way and a hard way to do this. You could use connmark in
iptables, and then use ip rule & routes to set the route based on that. As I
am not going to replicate this to test, I won't try and guess commands.

Easiest: configure 2 IPs on the server.

DNAT like

iptables -t nat -I PREROUTING 1 -i ethA -j DNAT --to-destination <10.0.0.A>
iptables -t nat -I PREROUTING 1 -i ethB -j DNAT --to-destination <10.0.0.B>

ip rule add from 10.0.0.B lookup 120
ip route add default via <gateway.B> table 120

That's the easiest I can think of.

On Sat, 2006-10-14 at 13:10 +0200, KORTA wrote:
> Hello,
>
> I would like to know how to resolve a problem.
>
> I have a debian router with 3 interfaces (LAN, and two internet
> providers (Provider A, Provider B)).
>
> The default route is configured to use provider A.
>
> The problem is that, when an external connection arrives from provider B
> to an internal server (with nat), the packet is routed to the default route.
>
> I explain:
>
> - A packet arrives from provider B in the direction of an internal server
> - The router performs the nat operation
> - The internal server generates a response
> - The router routes the packet on the interface of Provider A
>
> Consequently, the connection cannot be established.
>
> I want to know if it's possible to configure my debian router to route
> packets to the interface on which the packet arrives. In the example,
> packets should have been routed by the interface connected to provider B.
>
> If yes, do you know how to do that?
>
> Thanks.
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Diagramme1.jpeg
Type: image/jpeg
Size: 10692 bytes
Desc: not available
Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20061014/e1ca1bbe/Diagramme1-0001.jpeg

From oscar at ufomechanic.net Sat Oct 14 19:44:32 2006
From: oscar at ufomechanic.net (Oscar Mechanic)
Date: Sat Oct 14 19:44:40 2006
Subject: [LARTC] Problem with two providers:Need to route packets on the interface on which they arrives.
In-Reply-To: <000001c6efb5$2d2a3e20$877eba60$%lartc@neuf.fr>
References: <000601c6ef81$692240f0$3b66c2d0$%lartc@neuf.fr> <1160826974.4371.12.camel@OSCARLAPLIN> <000001c6efb5$2d2a3e20$877eba60$%lartc@neuf.fr>
Message-ID: <1160847872.4268.22.camel@OSCARLAPLIN>

Hi

Yep, I understand, so looking at this. What I describe below is the simplest
way I can think of doing it. Else you should look at connmark or even the
wonderful ebtables.

modem A IP 192.168.0.254 next hop 192.168.0.253
modem B IP 172.16.30.254 next hop 172.16.30.254

Server address is 10.0.0.12 and 10.0.0.13

if packet comes from MODEM A DNAT to server address 10.0.0.12
if packet comes from MODEM B DNAT to server address 10.0.0.13

Req from modem A: response ACK from server 10.0.0.12 comes back and it
chooses the default route, modem A.
Req from modem B: response ACK from server 10.0.0.13 comes back and it
chooses the route from table 120, because you have added the rule

ip rule add from 10.0.0.13 lookup 120
ip route add default via 172.16.30.254 table 120

-or-

ip route add from 10.0.0.13 via 172.16.30.254

(but I like tables so I suggest the above)

Some may look at this as a bad solution as it creates hidden solution-specific
info. Now if you want to make this a better solution, look at connmark and
mark, and ip rule add fwmark XX lookup X. I know this would work but you will
have to figure it out. Also you have ipt_ROUTE, but I have had little success
with this.

On Sat, 2006-10-14 at 19:21 +0200, KORTA wrote:
> I made a picture.
>
> If a packet arrives from provider B, I want the packet to be routed by the
> same provider even if the default route is provider A.
>
> You gave me the syntax to route from a source address; I just want to know
> if it is possible to route packets depending on which interface they arrive.
>
> Tx
>
> -----Original Message-----
> From: Oscar Mechanic [mailto:oscar@ufomechanic.net]
> Sent: Saturday 14 October 2006 13:56
> To: KORTA
> Cc: lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] Problem with two providers:Need to route packets on the
> interface on which they arrives.
>
> There is a simple way and a hard way to do this. You could use connmark in
> iptables, and then use ip rule & routes to set the route based on that. As I
> am not going to replicate this to test, I won't try and guess commands.
>
> Easiest: configure 2 IPs on the server.
>
> DNAT like
>
> iptables -t nat -I PREROUTING 1 -i ethA -j DNAT --to-destination <10.0.0.A>
> iptables -t nat -I PREROUTING 1 -i ethB -j DNAT --to-destination <10.0.0.B>
>
> ip rule add from 10.0.0.B lookup 120
> ip route add default via <gateway.B> table 120
>
> That's the easiest I can think of.
>
> On Sat, 2006-10-14 at 13:10 +0200, KORTA wrote:
> > Hello,
> >
> > I would like to know how to resolve a problem.
> >
> > I have a debian router with 3 interfaces (LAN, and two internet
> > providers (Provider A, Provider B)).
> >
> > The default route is configured to use provider A.
> >
> > The problem is that, when an external connection arrives from provider B
> > to an internal server (with nat), the packet is routed to the default route.
> >
> > I explain:
> >
> > - A packet arrives from provider B in the direction of an internal server
> > - The router performs the nat operation
> > - The internal server generates a response
> > - The router routes the packet on the interface of Provider A
> >
> > Consequently, the connection cannot be established.
> >
> > I want to know if it's possible to configure my debian router to route
> > packets to the interface on which the packet arrives. In the example,
> > packets should have been routed by the interface connected to provider B.
> >
> > If yes, do you know how to do that?
> >
> > Thanks.
> >
> > _______________________________________________
> > LARTC mailing list
> > LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From pch at packetconsulting.pl Sat Oct 14 21:31:48 2006
From: pch at packetconsulting.pl (Piotr Chytla)
Date: Sat Oct 14 21:32:59 2006
Subject: [LARTC] /proc/net/dev counters
Message-ID: <20061014193148.GA25817@packetconsulting.pl>

Hi

Maybe my problem is a little offtopic for this list, but maybe someone has had
something similar to this and has a good solution.

Ok, I have a router with four intel e1000 pci-x (2x100Mhz/2x133Mhz) nics that
push about 200Mbit/s, and I'm using nload for realtime traffic monitoring.
Everything was great until I updated the kernel to 2.6.17.13. After the update
nload is showing some crazy values. I've tried to get the counters from
/proc/net/dev (like nload).

root@kaermorhen:~# while true; do cat /proc/net/dev|grep eth0; sleep 1; done
eth0:1013729758 572932250 0 1882102 0 0 0 0 1572910106 3860638290 0 0 0 0 0 0
eth0:1055515817 573004372 0 1882102 0 0 0 0 1601291109 3860694606 0 0 0 0 0 0
eth0:1055515817 573004372 0 1882102 0 0 0 0 1601291109 3860694606 0 0 0 0 0 0
eth0:1097729573 573076432 0 1882102 0 0 0 0 1629536436 3860751311 0 0 0 0 0 0
eth0:1097729573 573076432 0 1882102 0 0 0 0 1629536436 3860751311 0 0 0 0 0 0
eth0:1139487258 573148469 0 1882102 0 0 0 0 1658034498 3860807633 0 0 0 0 0 0
eth0:1139487258 573148469 0 1882102 0 0 0 0 1658034498 3860807633 0 0 0 0 0 0
eth0:1181148113 573220076 0 1882102 0 0 0 0 1685931047 3860863738 0 0 0 0 0 0

Between the second and the third second the counter increased by 0 bytes,
1055515817-1055515817=0, and the same for the fourth and fifth (on mrtg graphs
I have about 140Mbit/s incoming traffic - 17.5 MB/s).

On another router I have kernel 2.6.14.7, e1000/2xe100 32bit nics, and the
interface counters in /proc/net/dev look good:

eth0:2101453114 3324697664 3604 3441 3441 92 0 1347064 867323793 3458783738 0 0 0 0 0 0
eth0:2107451373 3324705778 3604 3441 3441 92 0 1347066 874688831 3458792480 0 0 0 0 0 0
eth0:2113352907 3324713495 3604 3441 3441 92 0 1347066 881546913 3458800862 0 0 0 0 0 0
eth0:2119707847 3324721929 3604 3441 3441 92 0 1347069 889060588 3458809975 0 0 0 0 0 0
eth0:2125601276 3324729816 3604 3441 3441 92 0 1347070 896165072 3458818569 0 0 0 0 0 0

2113352907-2107451373=5901534 (traffic on the interface about 40Mbit/s =
5MB/s) - seems good.

Both routers have CONFIG_HZ=1000, two cpus, and both are using the e1000/e100
driver with NAPI enabled. Besides, I have a similar thing on a laptop, 2.6.14,
Broadcom BCM4401-B0 nic (b44) :)

Why are the interface counters increasing so slowly? Can this behavior be
changed? Or, the other way round, is this normal behavior, or some bug, or a
feature?

/pch

-- 
Dyslexia bug unpatched since 1977 ... exploit has been leaked to the underground.

From justin at expertron.co.za Mon Oct 16 16:09:39 2006
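The subtraction Piotr does by hand can be scripted over a stream of /proc/net/dev samples, which also makes the "counter did not move" intervals easy to spot and handles the 32-bit wrap his tx packet column is approaching. This is an added example, not part of the post; the sample lines in netdev_demo are constructed, and the field positions follow the /proc/net/dev layout (receive bytes first, transmit bytes as the ninth counter).

```shell
#!/bin/sh
# Added example, not from the list post: per-interval byte deltas from
# successive /proc/net/dev samples, with stalled intervals flagged.
# Live use:  while :; do grep eth0: /proc/net/dev; sleep 1; done | netdev_deltas eth0

# netdev_deltas <iface>: reads /proc/net/dev lines on stdin and prints
# "<n> rx=<bytes> tx=<bytes>" per interval, plus " STALL" when both are 0.
# Lines for other interfaces and the two header lines are ignored.
netdev_deltas() {
    awk -v dev="$1" '
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (index(line, dev ":") != 1) next     # header or other interface
        sub(":", ": ", line)                    # "eth0:123" -> "eth0: 123"
        split(line, f, /[ \t]+/)
        rx = f[2] + 0; tx = f[10] + 0           # rx bytes, tx bytes
        if (seen) {
            drx = rx - prx; dtx = tx - ptx
            if (drx < 0) drx += 4294967296      # 32-bit counter wrapped
            if (dtx < 0) dtx += 4294967296
            flag = (drx == 0 && dtx == 0) ? " STALL" : ""
            printf "%d rx=%d tx=%d%s\n", ++n, drx, dtx, flag
        }
        prx = rx; ptx = tx; seen = 1
    }'
}

# bytes_to_mbps <bytes> <seconds>: a delta as Mbit/s with two decimals
bytes_to_mbps() {
    awk -v b="$1" -v s="$2" 'BEGIN { printf "%.2f\n", b * 8 / 1000000 / s }'
}

# netdev_demo: constructed one-second samples; the third repeats the
# second, which is the symptom in the post
netdev_demo() {
    printf '%s\n' \
      'Inter-|   Receive                                                |  Transmit' \
      '  eth0:1000 10    0    0    0     0          0         0      500 5    0    0    0     0       0          0' \
      '  eth0:3000 20    0    0    0     0          0         0     1500 10   0    0    0     0       0          0' \
      '  eth0:3000 20    0    0    0     0          0         0     1500 10   0    0    0     0       0          0' \
      '  eth0:6000 30    0    0    0     0          0         0     3000 15   0    0    0     0       0          0' \
      | netdev_deltas eth0
}
```

When a driver refreshes its counters from the hardware on a timer instead of accounting every packet, one-second samples show exactly this staircase (alternating full and zero deltas); averaging over an interval longer than the refresh period, as MRTG's five-minute polls do, smooths it out, which is consistent with the MRTG graphs looking sane while nload does not.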
From: justin at expertron.co.za (Justin Schoeman)
Date: Wed Nov 1 20:26:38 2006
Subject: [LARTC] Ethernet packet loss - frame errors
In-Reply-To: <452F4DA6.8030505@expertron.co.za>
References: <452F4DA6.8030505@expertron.co.za>
Message-ID: <453392AE.6020009@expertron.co.za>

OK - Just finished more testing, and it seems to be a bug in the sky2 driver...

ping -s 1450 -f xxx.xxx.xxx.xxx

works perfectly, but

ping -s 1500 -f xxx.xxx.xxx.xxx

fails 100% with all packets being logged as frame errors.

-justin

Justin Schoeman wrote:
> Hi all,
>
> I have the following problem. A Linux box configured as a bridge. One
> interface connects to the router via a crossover cable, the other
> connects to a switch via the cable that used to go to the router.
>
> Now I get the following:
>
> [root@localhost net]# ifconfig eth3
> eth3      Link encap:Ethernet  HWaddr 00:03:2D:07:61:5D
>           UP BROADCAST MULTICAST  MTU:1500  Metric:1
>           RX packets:1969134 errors:0 dropped:0 overruns:0 frame:176459
>           TX packets:2186662 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:492595115 (469.7 Mb)  TX bytes:579725462 (552.8 Mb)
>           Interrupt:17
>
> eth3 is the interface that connects to the switch. As you can see, 1 in
> 10 rx packets are framing errors.
>
> What are possible causes for this? The cable is a constant, so is not
> likely to cause problems, so what else can possibly cause such a high
> number of frame errors?
>
> Any help appreciated.
>
> Thanks,
>
> Justin
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From cleber at digitel.com.br Mon Oct 16 19:59:48 2006
From: cleber at digitel.com.br (cleber@digitel.com.br)
Date: Wed Nov 1 20:28:27 2006
Subject: [LARTC] South Korean Information
Message-ID:

Hi everyone,

I'm searching for someone from South Korea to help us get information about
the telecommunication market. Are there people on this list who live in South
Korea and would like to help us with this issue? We're also searching for
partners to represent our company there.

Examples of relevant information are papers and web links about the numbers of
the telecommunication market (E1 or T1 technology, TDM or IP, percentage,
etc).

Hope to hear from you soon.

Best regards,

Cleber De Conto Pettinelli
Pre-Sales Engineer
Phone: +55 51 3358 3130
Mobile: +55 51 9256 4879
SIP: cleber@voip.digitel.com.br
Skype: cleberpettinelli
MSN: cleberpettinelli@hotmail.com
E-mail: cleber@digitel.com.br
Web: http://www.digitel.com.br
DIGITEL S/A INDÚSTRIA ELETRÔNICA

From shemminger at osdl.org Mon Oct 16 23:11:18 2006
From: shemminger at osdl.org (Stephen Hemminger)
Date: Wed Nov 1 20:29:04 2006
Subject: [LARTC] Ethernet packet loss - frame errors
In-Reply-To: <4530E3A8.5020608@expertron.co.za>
References: <452F4DA6.8030505@expertron.co.za> <20061013121031.192549da@dxpl.pdx.osdl.net> <4530E3A8.5020608@expertron.co.za>
Message-ID: <20061016130018.387835d3@freekitty>

On Sat, 14 Oct 2006 15:18:32 +0200
Justin Schoeman wrote:

> Stephen Hemminger wrote:
> > On Fri, 13 Oct 2006 10:26:14 +0200
> > Justin Schoeman wrote:
> >
> >> Hi all,
> >>
> >> I have the following problem. A Linux box configured as a bridge. One
> >> interface connects to the router via a crossover cable, the other
> >> connects to a switch via the cable that used to go to the router.
> >>
> >> Now I get the following:
> >>
> >> [root@localhost net]# ifconfig eth3
> >> eth3      Link encap:Ethernet  HWaddr 00:03:2D:07:61:5D
> >>           UP BROADCAST MULTICAST  MTU:1500  Metric:1
> >>           RX packets:1969134 errors:0 dropped:0 overruns:0 frame:176459
> >>           TX packets:2186662 errors:0 dropped:0 overruns:0 carrier:0
> >>           collisions:0 txqueuelen:1000
> >>           RX bytes:492595115 (469.7 Mb)  TX bytes:579725462 (552.8 Mb)
> >>           Interrupt:17
> >>
> >> eth3 is the interface that connects to the switch. As you can see, 1 in
> >> 10 rx packets are framing errors.
> >>
> >> What are possible causes for this? The cable is a constant, so is not
> >> likely to cause problems, so what else can possibly cause such a high
> >> number of frame errors?
> >>
> >> Any help appreciated.
> >>
> >> Thanks,
> >>
> >> Justin
> >>
> >
> > What speed and driver?
>
> sky2 driver, hardcoded for 100Mbps full duplex.
>

In that driver, frame errors come from receiving fragments. Fragments are any
packet shorter than 64 bytes that has an invalid CRC. These might occur if you
have got a duplex mismatch.

-- 
Stephen Hemminger

From lsharpe at pacificwireless.com.au Wed Oct 18 07:57:40 2006
From: lsharpe at pacificwireless.com.au (Leigh Sharpe)
Date: Wed Nov 1 20:32:31 2006
Subject: [LARTC] changing 802.1p priority
Message-ID:

Hi All,

Is it possible to mangle the 802.1p priority bit on a packet as it gets
bridged? I can't find anything in either the iptables or ebtables docs to tell
me how it's done.

Regards,
Leigh

Leigh Sharpe
Network Systems Engineer
Pacific Wireless
Ph +61 3 9584 8966
Mob 0408 009 502
email lsharpe@pacificwireless.com.au
web www.pacificwireless.com.au

From soho at paralax.org Wed Oct 18 15:23:44 2006
From: soho at paralax.org (Svetoslav)
Date: Wed Nov 1 20:33:20 2006
Subject: [LARTC] Need new way to improve SMP scalability for network router
Message-ID: <45362AE0.7090009@paralax.org>

Hi,

Currently I use a dual cpu xeon server x86-64 with hp enabled and two intel
Gbit Nics 82547. I have assigned every NIC irq to one physical processor but
the two virtual processors stay idle and are not used for either routing or
shaping.

Is there a way to split the work from two NICs over 4 CPUs?

From Jon.J.Flechsenhaar at boeing.com Wed Oct 18 19:04:06 2006
From: Jon.J.Flechsenhaar at boeing.com (Flechsenhaar, Jon J)
Date: Wed Nov 1 20:33:44 2006
Subject: [LARTC] Errors with GRED after upgrading to 2.6.18 kernel
Message-ID: <0E24ED2A7F9AA349A8633E6A56A64BE0027A80FB@XCH-SW-2V1.sw.nos.boeing.com>

ALL:

I have attached the current script that I am using.

$TC qdisc add dev $EDEV parent 2:20 gred setup DPs 3 default 2 grio
$TC qdisc change dev $EDEV parent 2:20 gred DP 1 limit $lim min $minTh max $maxTh avpkt $avgPL burst $bursty bandwidth $netBand probability 0.02 prio 2
$TC qdisc change dev $EDEV parent 2:20 gred DP 2 limit $lim min $minTh max $maxTh avpkt $avgPL burst $bursty bandwidth $netBand probability 0.04 prio 3
$TC qdisc change dev $EDEV parent 2:20 gred DP 3 limit $lim min $minTh max $maxTh avpkt $avgPL burst $bursty bandwidth $netBand probability 0.06 prio 4

### GRED for AF2
$TC qdisc add dev $EDEV parent 2:30 gred setup DPs 3 default 2 grio
$TC qdisc change dev $EDEV parent 2:30 gred DP 1 limit $lim min $minTh max $maxTh avpkt $avgPL burst $bursty bandwidth $netBand probability 0.02 prio 2
$TC qdisc change dev $EDEV parent 2:30 gred DP 2 limit $lim min $minTh max $maxTh avpkt $avgPL burst $bursty bandwidth $netBand probability 0.04 prio 3
$TC qdisc change dev $EDEV parent 2:30 gred DP 3 limit $lim min $minTh max $maxTh avpkt $avgPL burst $bursty bandwidth $netBand probability 0.06 prio 4

### GRED for AF3
$TC qdisc add dev $EDEV parent 2:40 gred setup DPs 3 default 2 grio
$TC qdisc change dev $EDEV parent 2:40 gred DP 1 limit $lim min $minTh max $maxTh avpkt $avgPL burst $bursty bandwidth $netBand probability 0.02 prio 2
$TC qdisc change dev $EDEV parent 2:40 gred DP 2 limit $lim min $minTh max $maxTh avpkt $avgPL burst $bursty bandwidth $netBand probability 0.04 prio 3
$TC qdisc change dev $EDEV parent 2:40 gred DP 3 limit $lim min $minTh max $maxTh avpkt $avgPL burst $bursty bandwidth $netBand probability 0.06 prio 4

### GRED for AF4
$TC qdisc add dev $EDEV parent 2:50 gred setup DPs 3 default 2 grio
$TC qdisc change dev $EDEV parent 2:50 gred DP 1 limit $lim min $minTh max $maxTh avpkt $avgPL burst $bursty bandwidth $netBand probability 0.02 prio 2
$TC qdisc change dev $EDEV parent 2:50 gred DP 2 limit $lim min $minTh max $maxTh avpkt $avgPL burst $bursty bandwidth $netBand probability 0.04 prio 3
$TC qdisc change dev $EDEV parent 2:50 gred DP 3 limit $lim min $minTh max $maxTh avpkt $avgPL burst $bursty bandwidth $netBand probability 0.06 prio 4

Each DP 3 line gives me an error. If I comment it out the error goes away.
The line translates to the one below. I get an error with the following line:

++ /usr/sbin/tc qdisc change dev eth0 parent 2:20 gred DP 3 limit 60kb min 10kb max 20kb avpkt 1500 burst 9 bandwidth 500kbit probability 0.06 prio 4
RTNETLINK answers: Invalid argument

after each DP 3 on each gred. This started happening after I upgraded to the
2.6.18 kernel from 2.4.20. Anyone have any ideas?

Jon Flechsenhaar
Boeing WNW Team
Network Services
(714)-762-1231
202-E7

-------------- next part --------------
A non-text attachment was scrubbed...
Name: diffserv-gred_10-06
Type: application/octet-stream
Size: 8831 bytes
Desc: diffserv-gred_10-06
Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20061018/adb93c9f/diffserv-gred_10-06-0001.obj

From korta.lartc at neuf.fr Wed Oct 18 19:53:55 2006
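The one thing that differs between the lines that work and the one that fails is the virtual queue index: with `DPs 3` the script configures DP 1, 2 and 3. The generator below is an added example, not Jon's script, and it encodes my reading of the 2.6 net/sched/sch_gred.c code, which is that the valid indices are 0..DPs-1 and that both `DP` and `default` are rejected with EINVAL when they reach DPs; that reading is an assumption to confirm against the kernel source you run, not something the thread establishes. The parameter values in the test are the ones from the expanded tc line in the post.

```shell
#!/bin/sh
# Added example, not the poster's script: emit a GRED qdisc whose virtual
# queues are numbered 0..DPs-1, and refuse setups the 2.6 gred code would
# reject. The index rule (DP < DPs, default < DPs) is my reading of
# net/sched/sch_gred.c and is an assumption, not a fact from the thread.

# gred_check <DPs> <default> <DP>...: 0 if every index is valid for the setup
gred_check() {
    dps=$1 def=$2; shift 2
    [ "$def" -lt "$dps" ] || {
        echo "default DP $def must be below DPs $dps" >&2; return 1; }
    for dp in "$@"; do
        [ "$dp" -lt "$dps" ] || {
            echo "DP $dp must be below DPs $dps (valid: 0..$((dps - 1)))" >&2
            return 1; }
    done
}

# gred_cmds <dev> <parent> <DPs> <default> <limit> <min> <max> <avpkt> <burst> <bandwidth>
# Prints the tc commands. Drop probability and grio priority grow with the
# index, as they do for the AF drop precedences in the post.
gred_cmds() {
    dev=$1 parent=$2 dps=$3 def=$4 lim=$5 min=$6 max=$7 avpkt=$8 burst=$9 band=${10}
    gred_check "$dps" "$def" || return 1
    echo "tc qdisc add dev $dev parent $parent gred setup DPs $dps default $def grio"
    dp=0
    while [ "$dp" -lt "$dps" ]; do
        prob=$(awk -v i="$dp" 'BEGIN { printf "%.2f", 0.02 * (i + 1) }')
        echo "tc qdisc change dev $dev parent $parent gred DP $dp limit $lim min $min max $max avpkt $avpkt burst $burst bandwidth $band probability $prob prio $((dp + 2))"
        dp=$((dp + 1))
    done
}

# gred_apply <same args>: generate and run (needs root); APPLY unset just prints
gred_apply() {
    if [ "${APPLY:-0}" = 1 ]; then gred_cmds "$@" | sh -e; else gred_cmds "$@"; fi
}
```

Running `gred_check 3 2 1 2 3` reproduces the script's situation and fails on DP 3; renumbering the three queues to 0, 1 and 2 keeps `default 2` valid and is what the generator emits.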
From: korta.lartc at neuf.fr (KORTA)
Date: Wed Nov 1 20:33:46 2006
Subject: [LARTC] Problem with two providers:Need to route packets on the interface on which they arrives.
In-Reply-To: <1160847872.4268.22.camel@OSCARLAPLIN>
References: <000601c6ef81$692240f0$3b66c2d0$%lartc@neuf.fr> <1160826974.4371.12.camel@OSCARLAPLIN> <000001c6efb5$2d2a3e20$877eba60$%lartc@neuf.fr> <1160847872.4268.22.camel@OSCARLAPLIN>
Message-ID: <000001c6f2de$638c2bf0$2aa483d0$%lartc@neuf.fr>

I cannot do that because I forgot to mention that there is another router
which performs the nat operation, located between the lan and the debian.

I'm blocked on this problem. Does anybody perhaps know a good site or a good
link which contains documentation about conntrack, connmark, etc..?

I hope somebody can help me. I want to know if it's possible to configure my
debian router to route packets to the interface on which the packet arrives.

-----Original Message-----
From: Oscar Mechanic [mailto:oscar@ufomechanic.net]
Sent: Saturday 14 October 2006 19:45
To: KORTA
Cc: lartc@mailman.ds9a.nl
Subject: RE: [LARTC] Problem with two providers:Need to route packets on the interface on which they arrives.

Hi

Yep, I understand, so looking at this. What I describe below is the simplest
way I can think of doing it. Else you should look at connmark or even the
wonderful ebtables.

modem A IP 192.168.0.254 next hop 192.168.0.253
modem B IP 172.16.30.254 next hop 172.16.30.254

Server address is 10.0.0.12 and 10.0.0.13

if packet comes from MODEM A DNAT to server address 10.0.0.12
if packet comes from MODEM B DNAT to server address 10.0.0.13

Req from modem A: response ACK from server 10.0.0.12 comes back and it
chooses the default route, modem A.
Req from modem B: response ACK from server 10.0.0.13 comes back and it
chooses the route from table 120, because you have added the rule

ip rule add from 10.0.0.13 lookup 120
ip route add default via 172.16.30.254 table 120

-or-

ip route add from 10.0.0.13 via 172.16.30.254

(but I like tables so I suggest the above)

Some may look at this as a bad solution as it creates hidden solution-specific
info. Now if you want to make this a better solution, look at connmark and
mark, and ip rule add fwmark XX lookup X. I know this would work but you will
have to figure it out. Also you have ipt_ROUTE, but I have had little success
with this.

On Sat, 2006-10-14 at 19:21 +0200, KORTA wrote:
> I made a picture.
>
> If a packet arrives from provider B, I want the packet to be routed by the
> same provider even if the default route is provider A.
>
> You gave me the syntax to route from a source address; I just want to know
> if it is possible to route packets depending on which interface they arrive.
>
> Tx
>
> -----Original Message-----
> From: Oscar Mechanic [mailto:oscar@ufomechanic.net]
> Sent: Saturday 14 October 2006 13:56
> To: KORTA
> Cc: lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] Problem with two providers:Need to route packets on the
> interface on which they arrives.
>
> There is a simple way and a hard way to do this. You could use connmark in
> iptables, and then use ip rule & routes to set the route based on that. As I
> am not going to replicate this to test, I won't try and guess commands.
>
> Easiest: configure 2 IPs on the server.
>
> DNAT like
>
> iptables -t nat -I PREROUTING 1 -i ethA -j DNAT --to-destination <10.0.0.A>
> iptables -t nat -I PREROUTING 1 -i ethB -j DNAT --to-destination <10.0.0.B>
>
> ip rule add from 10.0.0.B lookup 120
> ip route add default via <gateway.B> table 120
>
> That's the easiest I can think of.
>
> On Sat, 2006-10-14 at 13:10 +0200, KORTA wrote:
> > Hello,
> >
> > I would like to know how to resolve a problem.
> >
> > I have a debian router with 3 interfaces (LAN, and two internet
> > providers (Provider A, Provider B)).
> >
> > The default route is configured to use provider A.
> >
> > The problem is that, when an external connection arrives from provider B
> > to an internal server (with nat), the packet is routed to the default route.
> >
> > I explain:
> >
> > - A packet arrives from provider B in the direction of an internal server
> > - The router performs the nat operation
> > - The internal server generates a response
> > - The router routes the packet on the interface of Provider A
> >
> > Consequently, the connection cannot be established.
> >
> > I want to know if it's possible to configure my debian router to route
> > packets to the interface on which the packet arrives. In the example,
> > packets should have been routed by the interface connected to provider B.
> >
> > If yes, do you know how to do that?
> >
> > Thanks.
> >
> > _______________________________________________
> > LARTC mailing list
> > LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From alessandro.ren at opservices.com.br Thu Oct 19 14:56:52 2006
From: alessandro.ren at opservices.com.br (Alessandro Ren)
Date: Wed Nov 1 20:36:50 2006
Subject: [LARTC] Problem with two providers:Need to route packets on the interface on which they arrives.
In-Reply-To: <000601c6ef81$692240f0$3b66c2d0$%lartc@neuf.fr>
References: <000601c6ef81$692240f0$3b66c2d0$%lartc@neuf.fr>
Message-ID: <45377614.1060704@opservices.com.br>

KORTA wrote:
> Hello,
>
> I would like to know how to resolve a problem.
>
> I have a debian router with 3 interfaces (LAN, and two internet
> providers (Provider A, Provider B)).
>
> The default route is configured to use provider A.
>
> The problem is that, when an external connection arrives from provider B
> to an internal server (with nat), the packet is routed to the default route.
>
> I explain:
>
> - A packet arrives from provider B in the direction of an internal server
> - The router performs the nat operation
> - The internal server generates a response
> - The router routes the packet on the interface of Provider A
>
> Consequently, the connection cannot be established.
>
> I want to know if it's possible to configure my debian router to route
> packets to the interface on which the packet arrives. In the example,
> packets should have been routed by the interface connected to provider B.
>
> If yes, do you know how to do that?
>
> Thanks.
>

I think that CONNTRACK solves this problem for you, marking packets that come
in and go out, using PREROUTING and POSTROUTING.

[]s.

From devnull at plugthebox.net Wed Oct 25 11:24:22 2006
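The connmark variant that Oscar points at and Alessandro alludes to is the one that still works once KORTA's second NAT box sits between the LAN and the debian router, because it keys on the interface the connection entered through rather than on which server address answers. The generator below is an added example, not code from anyone in the thread: it prints the iptables and ip commands for review (APPLY=1 runs them, which needs root). Interface names, the mark and table numbers are parameters; the gateway used in the test is Oscar's modem B address from the thread, the rest is made up.

```shell
#!/bin/sh
# Added example, not from the thread: "reply leaves where the request came in"
# with CONNMARK + policy routing. Nothing here is specific to the server's
# address, so an extra NAT hop between the LAN and this router does not matter
# as long as the replies come back through this router.

# dual_wan_rules <lan_if> <wan_b_if> <wan_b_gw> <mark> <table>
dual_wan_rules() {
    lan=$1 wanb=$2 gwb=$3 mark=$4 table=$5
    cat <<EOF
# 1. remember on the connection that it entered through provider B
iptables -t mangle -A PREROUTING -i $wanb -m state --state NEW -j CONNMARK --set-mark $mark
# 2. copy that mark onto the reply packets coming back from the LAN side;
#    mangle PREROUTING runs before the routing decision, so the mark is seen
iptables -t mangle -A PREROUTING -i $lan -j CONNMARK --restore-mark
# 3. marked packets consult a table whose only default route is provider B
ip rule add fwmark $mark lookup $table
ip route add default via $gwb dev $wanb table $table
# 4. strict reverse-path filtering would drop the requests arriving on $wanb,
#    because the main table says the way back to their source is provider A.
#    0 disables the check on that interface (kernels from 2.6.31 on also
#    offer loose mode, value 2, which keeps part of the anti-spoofing)
echo 0 > /proc/sys/net/ipv4/conf/$wanb/rp_filter
EOF
}

# apply_rules <same args>: run the generated commands, or just print them
apply_rules() {
    if [ "${APPLY:-0}" = 1 ]; then dual_wan_rules "$@" | sh -e
    else dual_wan_rules "$@"; fi
}
```

The existing DNAT rule for the internal server stays as it is; only the mark rules and the extra table are added. Check the result with `ip rule show` and `ip route show table <table>`, and watch `/proc/net/ip_conntrack` (or `conntrack -L` on newer systems) for the mark on a connection that came in through provider B.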
From: devnull at plugthebox.net (plugthebox.net /dev/null)
Date: Wed Nov 1 20:56:59 2006
Subject: [LARTC] htb/iptables for ISP
Message-ID: <1161768263.19237.12.camel@localhost>

Hello,

I'm working on a customized Linux firewall/router for a small/medium ISP (1200
users). We have almost 4 ranges of internal IPs and I want to limit each IP to
a certain speed.

The problem is that I'm storing all info about the user, including IP and
bandwidth rates, on a MySQL server, then dumping all the htb/sfq lines into a
file (which takes 3 minutes) and then running these files. This process kills
my machine for 3-4 minutes until all the htb/sfq/iptables lines are dumped
into files and the files are run (remember that I have almost 1200 IPs, and
each IP has 6 HTB+SFQ lines with 2 iptables lines).

Is there another method more efficient than re-running my files every time I
add/edit/del a user?

Sincerely,

From kajtek at biezanow.net Sat Oct 28 20:48:46 2006
From: kajtek at biezanow.net (Kajetan Staszkiewicz)
Date: Wed Nov 1 21:03:38 2006
Subject: [LARTC] connmark on ifb interfaces
Message-ID: <200610282048.46669.kajtek@biezanow.net>

Hello

I'm trying to switch from IMQ to IFB but I have a problem with traffic marked
by the ipp2p module. It looks like when traffic is redirected from ethX to
ifbX it loses the MARK information.

Here's what I do to get ingress traffic to go to the ifb interface:

$TC qdisc add dev eth1.42 ingress
$TC filter add dev eth1.42 parent ffff: protocol ip prio 10 u32 \
    match u32 0 0 flowid 1:1 \
    action mirred egress redirect dev ifb2

At ethX I have packets in all classes. Most of them have tc filters matching
src/dst ports. One has a tc filter matching handle 0x01 fw. At ifbX I have the
same setup, but the class with the filter matching 0x01 gets no traffic.

-- 
| pozdrawiam / greetings | powered by Trustix, Gentoo and FreeBSD |
| Kajetan Staszkiewicz | jabber,email,www: vegeta()tuxpowered net |
| Vegeta | IMQ devnames: http://www.tuxpowered.net |
`------------------------^------------------------------------------'

From J.Kraaijeveld at Askesis.nl Tue Oct 31 13:36:08 2006
From: J.Kraaijeveld at Askesis.nl (Joost Kraaijeveld)
Date: Wed Nov 1 21:09:52 2006
Subject: [LARTC] TEQL: how to notice link down?
Message-ID: <1162298168.5268.2.camel@panoramix>

Is it possible to detect if a link is down in a TEQL device, so that I will
receive a mail on such an occasion?

TIA

-- 
Groeten,

Joost Kraaijeveld
Askesis B.V.
Molukkenstraat 14
6524NB Nijmegen
tel: 024-3888063 / 06-51855277
fax: 024-3608416
web: www.askesis.nl

From shemminger at osdl.org Wed Nov 1 20:47:36 2006
From: shemminger at osdl.org (Stephen Hemminger)
Date: Wed Nov 1 21:16:30 2006
Subject: [LARTC] Ethernet packet loss - frame errors
In-Reply-To: <453392AE.6020009@expertron.co.za>
References: <452F4DA6.8030505@expertron.co.za> <453392AE.6020009@expertron.co.za>
Message-ID: <20061101114736.25039d1b@localhost.localdomain>

On Mon, 16 Oct 2006 16:09:50 +0200
Justin Schoeman wrote:

> OK - Just finished more testing, and it seems to be a bug in the sky2
> driver...
>
> ping -s 1450 -f xxx.xxx.xxx.xxx
>
> works perfectly, but
>
> ping -s 1500 -f xxx.xxx.xxx.xxx
>
> fails 100% with all packets being logged as frame errors.
>
> -justin
>

Do you have an MTU mismatch? If the sender assumes it can send large packets,
and the receiver doesn't expect them, it might cause it.

From serge_lozovsky at yahoo.com Thu Nov 2 00:33:40 2006
From: serge_lozovsky at yahoo.com (Sergiy Lozovsky)
Date: Thu Nov 2 00:33:53 2006
Subject: [LARTC] QoS + TOS field
Message-ID: <20061101233340.8315.qmail@web38804.mail.mud.yahoo.com>

Hi,

I'm trying to figure out how to use Linux QoS. The default setting has three
queues (bands) and should prioritise outgoing traffic based on the TOS field.
I try to test that by flooding the Ethernet interface with netperf or iptraf
and running ping -f with -Q and without -Q. -Q doesn't affect the ping
results; it suffers anyway. It seems that I don't understand something. I
verified that -Q traffic goes through the higher priority queue.

I can make it work if I shape traffic at the lower priority queue, but I would
like to avoid that, because I can't always predict the bandwidth of the
connection.

I would appreciate any insight on that.

Thanks,

Serge.

From gdamjan at mail.net.mk Thu Nov 2 01:26:00 2006
From: gdamjan at mail.net.mk (Damjan)
Date: Thu Nov 2 01:26:06 2006
Subject: [LARTC] changing 802.1p priority
In-Reply-To:
References:
Message-ID: <20061102002600.GA11204@legolas.on.net.mk>

> Is it possible to mangle the 802.1p priority bit on a packet as it gets
> bridged? I can't find anything in either the iptables or ebtables docs
> to tell me how it's done.

Isn't 802.1p part of the VLAN (802.1q) tags ... you can set mappings for the
802.1p tags with the vconfig tool.

-- 
damjan | Дамјан
This is my jabber ID --> damjan@bagra.net.mk -- not my mail address, it's a Jabber ID --^ :)

From gdamjan at mail.net.mk Thu Nov 2 01:28:26 2006
From: gdamjan at mail.net.mk (Damjan)
Date: Thu Nov 2 01:28:30 2006
Subject: [LARTC] Need new way to improve SMP scalability for network router
In-Reply-To: <45362AE0.7090009@paralax.org>
References: <45362AE0.7090009@paralax.org>
Message-ID: <20061102002826.GB11204@legolas.on.net.mk>

> Currently I use a dual cpu xeon server x86-64 with hp enabled and two
> intel Gbit Nics 82547. I have assigned every NIC irq to one physical
> processor but the two virtual processors stay idle and are not used for
> either routing or shaping.
>
> Is there a way to split the work from two NICs over 4 CPUs?

What do you expect to get? There are no 4 real CPUs. The only benefit that
the HT technology has is when you need very fast switching between
processes/threads ... in this case the kernel should be pretty good at it,
and won't see any benefit from HT.

(I guess you are talking about HT.. you've said hp up there)

-- 
damjan | Дамјан
This is my jabber ID --> damjan@bagra.net.mk -- not my mail address, it's a Jabber ID --^ :)

From sewlist at gmail.com Thu Nov 2 08:13:04 2006
From: sewlist at gmail.com (the sew)
Date: Thu Nov 2 08:13:25 2006
Subject: [LARTC] src routing and fwmark
Message-ID:

Hi,

I've got 2 lines from two different ISPs, one is a leased line and another a DSL line. I route certain IPs over the DSL line for faster access and would like email to go over the leased line, as it has a static IP and is our sending mailserver IP. I would like to send mail to the same IPs that are routed over DSL via the leased line, otherwise my server gets blacklisted with the DSL IP.

My routing table:

    164.148.0.0/14 dev ppp0 scope link
    196.0.0.0/8 dev ppp0 scope link
    default via 196.34.17.1 dev eth0 proto zebra equalize

If I send mail to an IP on 196.0.0.0/8 on port 25 it must go via 196.34.17.1.

My other routing tables:

    200 dmz
    201 ppp

    ip rule add fwmark 25 table dmz
    ip route add default via 196.34.17.1 table dmz
    iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark 25

I can see the packets get matched but they still go via ppp0. Is there any way to overcome this?

Thanks
Sew

From e1605projecter at yahoo.com Thu Nov 2 10:23:22 2006
From: e1605projecter at yahoo.com (Thossapron Apinyapanha)
Date: Thu Nov 2 10:23:29 2006
Subject: [LARTC] tool classify L7 packet
Message-ID: <20061102092322.19229.qmail@web35502.mail.mud.yahoo.com>

Please advise me. Now I have got a problem about finding tools in Linux (open source) that can capture traffic packets and save them in a log file or trace file, but which can classify Layer 7 packets too, because I need to implement an application that counts the number of packets in each application after the packets pass through a Linux box acting as traffic control. Please advise me.

Ps. Can snort classify Layer 7 packets?

Ps. I have just read in a paper about the iptables command; they say it has a new feature, a 'Log' target. So if I use iptables with the layer7 filter, when I classify and find a Layer 7 packet, it will save this event to a log file and I can count the number of them later in the log file? Can I do that?

Thank you

From orrie at seznam.cz Fri Nov 3 00:56:45 2006
From: orrie at seznam.cz (Ales Klok)
Date: Fri Nov 3 00:56:55 2006
Subject: [LARTC] connmark on ifb interfaces
Message-ID: <013f01c6feda$8d696ca0$c0ad6659@zion>

> Hello
>
> I'm trying to switch from IMQ to IFB but I have a problem with traffic marked
> by ipp2p module. Looks like when traffic is redirected from ethX to ifbX it
> loses information about MARK.
>
> Here's what I do to get ingress traffic to go to ifb interface:

I think you can't use iptables on the ingress ifbX iface because packets get to ifbX prior to netfilter. You have to use IMQ for that.

Orrie

From pupilla at hotmail.com Fri Nov 3 17:16:17 2006
From: pupilla at hotmail.com (Marco Berizzi)
Date: Fri Nov 3 17:16:59 2006
Subject: [LARTC] qos inside ipsec tunnel
Message-ID:

Hello everybody.

I would like to do some kind of shaping inside an ipsec tunnel implemented by Openswan and linux 2.6.18.x with xfrm (no KLIPS): for example, to limit outbound smtp traffic inside the tunnel. Question: where should I attach the qdisc to? Eth0? I'm asking this because tcpdump only sees the ESP packet on eth0 and not the 'clear' packet.

TIA

This is my simple network schema:

              ____ private lan A
             /
             |eth1
        +----+----+
        | 2.6.18  |
        | openswan|  Ipsec gateway
        +----+----+
             |eth0
             |
             |  IPSEC
             |  TUNNEL
             |  (Internet)
             |
             |eth0
        +----+----+
        | 2.6.18  |
        | openswan|  Ipsec gateway
        +----+----+
             |eth1
             \____ private lan B

From martin.bene at icomedias.com Fri Nov 3 17:50:18 2006
From: martin.bene at icomedias.com (Martin Bene)
Date: Fri Nov 3 17:50:24 2006
Subject: AW: [LARTC] qos inside ipsec tunnel
In-Reply-To:
Message-ID:

Hi Marco,

> Hello everybody.
> I would like to do some kind of shaping inside an
> ipsec tunnel implemented by Openswan and linux
> 2.6.18.x with xfrm (no KLIPS): for example, to
> limit outbound smtp traffic inside the tunnel.
> Question: where should I attach the qdisc to? Eth0?
> I'm asking this, because tcpdump only sees the ESP
> packet on the eth0 and not the 'clear' packet.

Heh - just subscribed to the LARTC list because I'm working on a similar problem.

Yes, you'll have to attach your classes to the eth0 device. However, by the time qos gets to see the packets, they'll be encrypted, so you won't be able to just use tc filter with the u32 classifier to select on port 25.

What should work is to mark the packets in PREROUTING in the mangle table and assign them to the classes you want based on the fwmark:

    iptables -t mangle -A PREROUTING -d /24 -p tcp -m multiport --port 25 -j MARK --set-mark 102
    tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 102 fw flowid 1:20

Hope this helps, Martin

From minfrin at sharp.fm Sat Nov 4 01:09:03 2006
From: minfrin at sharp.fm (Graham Leggett)
Date: Sat Nov 4 01:09:23 2006
Subject: [LARTC] Strategy for penalising IPs with too many simultaneous sessions
Message-ID: <454BDA1F.2010301@sharp.fm>

Hi all,

I have been trying to investigate traffic shaping in an effort to solve the "unfriendly network apps" problem on a test network.

I have a basis by which I'd like to shape traffic, but studying the howto doesn't uncover an existing qdisc that seems to fit what I would like to do.

The problem I would like to address is to prevent an IP address opening 10 simultaneous streams from drowning out another IP address that opened 1 stream.

I would like to penalise IP addresses where two or more simultaneous sessions are in effect, by adding a delay to the streams such that the total bandwidth used by the IP address is capped at a declining curve.

In other words, assume that the data you are sending is constrained behind you by a 1mbps bottleneck.

When an IP has one session detected, their traffic is passed through, and normal rules apply.

When an IP has two sessions detected, their combined sent traffic towards the IP is delayed and shaped down to say 800kbps.

When an IP has three sessions detected, their combined sent traffic towards the IP is delayed and shaped down to say 600kbps.

The starting point of how many sessions can be open before penalising takes effect, the starting point of the curve and the gradient of the curve would obviously be subject to lots of experimentation and would be set by the admin.

The net effect I am looking for is that a user who chooses to open multiple simultaneous streams should see a noticeable decrease in maximum throughput, in an effort to discourage them from swamping the network with sessions.

My question is, does a qdisc exist that implements something like this?

Is this a reasonable thing to do, or will a strategy like this not work, and if not, why not? (for the purposes of me better understanding the issues).

Regards,
Graham
--

From shemminger at osdl.org Sat Nov 4 01:17:50 2006
From: shemminger at osdl.org (Stephen Hemminger)
Date: Sat Nov 4 01:17:59 2006
Subject: [LARTC] Strategy for penalising IPs with too many simultaneous sessions
In-Reply-To: <454BDA1F.2010301@sharp.fm>
References: <454BDA1F.2010301@sharp.fm>
Message-ID: <20061103161750.4c938f91@freekitty>

On Sat, 04 Nov 2006 02:09:03 +0200 Graham Leggett wrote:
> Hi all,
>
> I have been trying to investigate traffic shaping in an effort to solve
> the "unfriendly network apps" problem on a test network.
>
> I have a basis by which I'd like to shape traffic, but studying the
> howto doesn't uncover an existing qdisc that seems to fit what I would
> like to do.
>
> The problem I would like to address is to prevent an IP address opening
> 10 simultaneous streams from drowning out another IP address that opened
> 1 stream.
>
> I would like to penalise IP addresses where two or more simultaneous
> sessions are in effect, by adding a delay to the streams such that the
> total bandwidth used by the IP address is capped at a declining curve.
>
> In other words, assume that the data you are sending is constrained
> behind you by a 1mbps bottleneck.
>
> When an IP has one session detected, their traffic is passed through,
> and normal rules apply.
>
> When an IP has two sessions detected, their combined sent traffic
> towards the IP is delayed and shaped down to say 800kbps.
>
> When an IP has three sessions detected, their combined sent traffic
> towards the IP is delayed and shaped down to say 600kbps.
>
> The starting point of how many sessions can be open before penalising
> takes effect, the starting point of the curve and the gradient of the
> curve would obviously be subject to lots of experimentation and would be
> set by the admin.
>
> The net effect I am looking for is that a user who chooses to open
> multiple simultaneous streams should see a noticeable decrease in
> maximum throughput, in an effort to discourage them from swamping the
> network with sessions.
>
> My question is, does a qdisc exist that implements something like this?
>
> Is this a reasonable thing to do, or will a strategy like this not work,
> and if not, why not? (for the purposes of me better understanding the
> issues).
>
> Regards,

How about making a modified version of RED that works by doing:

    enqueue(skb) {
        if (qlen < min) {
            skb_enqueue(q, skb);
            return;
        }
        if (qlen > threshold) {
            drop(skb);
            return;
        }
        skb1 = queue[random() % qlen];
        if (skb->protocol == IP && skb1->protocol == IP
            && skb->src.ip == skb1->src.ip) {
            drop(skb);
            drop(skb1);
            return;
        }
        skb_enqueue(q, skb);
    }

There will be issues since the queue is no longer work conserving. But it will penalize overloaders.

From mohan.tux at gmail.com Sat Nov 4 02:25:51 2006
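Following Stephen Hemminger's sketch in the message above, here is an added userspace model of that enqueue policy (constructed for this page; it is not kernel code and not from the list). It keeps the source address of each queued packet, applies the same-source random-victim drop, and pushes two constructed traffic mixes through a FIFO link so the effect on a flooding source versus a light one can be counted; QMIN, QTHRESH, the xorshift PRNG and the 10.0.0.x addresses are assumptions.

```c
/* Userspace model of the per-source RED enqueue sketched above.  Constructed
 * example: not kernel code and not from the list post.  A packet is reduced
 * to its source address; the queue is FIFO and the "link" drains a fixed
 * number of packets per round, so who gets through can be counted. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QMIN     4                /* below this, always enqueue (assumed)  */
#define QTHRESH  16               /* above this, plain tail drop (assumed) */
#define QCAP     (QTHRESH + 1)

enum verdict { ENQ_OK, DROP_FULL, DROP_SAME_SRC };

struct queue {
    uint32_t src[QCAP];           /* source address of each queued packet */
    int      len;
    uint64_t rng;                 /* xorshift64 state, deterministic on purpose */
};

static uint32_t prng(struct queue *q)
{
    q->rng ^= q->rng << 13; q->rng ^= q->rng >> 7; q->rng ^= q->rng << 17;
    return (uint32_t)(q->rng >> 32);
}

static void remove_at(struct queue *q, int i)
{
    memmove(&q->src[i], &q->src[i + 1], (size_t)(q->len - i - 1) * sizeof q->src[0]);
    q->len--;
}

/* The sketch's policy: short queue -> accept; overlong -> drop the arrival;
 * otherwise pick one random queued packet and, if it came from the same
 * source, drop both the arrival and that queued packet. */
enum verdict enqueue(struct queue *q, uint32_t src)
{
    if (q->len < QMIN) { q->src[q->len++] = src; return ENQ_OK; }
    if (q->len > QTHRESH) return DROP_FULL;
    int victim = (int)(prng(q) % (uint32_t)q->len);
    if (q->src[victim] == src) { remove_at(q, victim); return DROP_SAME_SRC; }
    q->src[q->len++] = src;
    return ENQ_OK;
}

int dequeue(struct queue *q, uint32_t *src)
{
    if (q->len == 0) return 0;
    *src = q->src[0];
    remove_at(q, 0);
    return 1;
}

struct result { unsigned sent_a, got_a, sent_b, got_b; };

/* Each round source A offers burst_a packets, then B offers burst_b, then
 * the link drains up to `drain` packets.  Returns per-source counts. */
struct result simulate(int rounds, int burst_a, int burst_b, int drain)
{
    const uint32_t A = 0x0A000001u, B = 0x0A000002u;  /* constructed 10.0.0.1 / 10.0.0.2 */
    struct queue q = { .len = 0, .rng = 0x9E3779B97F4A7C15ull };
    struct result r = { 0, 0, 0, 0 };
    for (int i = 0; i < rounds; i++) {
        for (int k = 0; k < burst_a; k++) { r.sent_a++; enqueue(&q, A); }
        for (int k = 0; k < burst_b; k++) { r.sent_b++; enqueue(&q, B); }
        for (int k = 0; k < drain; k++) {
            uint32_t s;
            if (!dequeue(&q, &s)) break;
            if (s == A) r.got_a++; else r.got_b++;
        }
    }
    return r;
}

/* Five arrivals from one source on an empty queue: four accepted, the fifth
 * is paired with a queued twin and both are dropped, leaving three. */
int probe_same_src_drop(void)
{
    struct queue q = { .len = 0, .rng = 1 };
    for (int k = 0; k < QMIN; k++)
        if (enqueue(&q, 0x0A000001u) != ENQ_OK) return 0;
    if (enqueue(&q, 0x0A000001u) != DROP_SAME_SRC) return 0;
    return q.len == QMIN - 1;
}

int main(void)
{
    struct result flood = simulate(1000, 9, 1, 5);  /* A floods, B sends one per round */
    struct result fair  = simulate(1000, 1, 1, 2);  /* both sources light */
    printf("flood: A %u/%u  B %u/%u\n", flood.got_a, flood.sent_a, flood.got_b, flood.sent_b);
    printf("fair:  A %u/%u  B %u/%u\n", fair.got_a, fair.sent_a, fair.got_b, fair.sent_b);
    return 0;
}
```

In the flood run the link could have carried 5 packets per round but only 4 leave the queue, which is the loss of work conservation Stephen mentions, while the light sender still gets every packet through.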
From: mohan.tux at gmail.com (Mohan Sundaram)
Date: Sat Nov 4 02:26:06 2006
Subject: AW: [LARTC] qos inside ipsec tunnel
In-Reply-To:
References:
Message-ID: <454BEC1F.40801@vsnl.com>

Martin Bene wrote:
> Hi Marco,
>
>> Hello everybody.
>> I would like to do some kind of shaping inside an
>> ipsec tunnel implemented by Openswan and linux
>> 2.6.18.x with xfrm (no KLIPS): for example, to
>> limit outbound smtp traffic inside the tunnel.
>> Question: where should I attach the qdisc to? Eth0?
>> I'm asking this, because tcpdump only sees the ESP
>> packet on the eth0 and not the 'clear' packet.
>
> Heh - just subscribed to the LARTC list because I'm working on a similar
> problem.
>
> Yes, you'll have to attach your classes to the eth0 device. However, by the
> time qos gets to see the packets, they'll be encrypted, so you won't be
> able to just use tc filter with the u32 classifier to select on port 25.
>
> What should work is to mark the packets in PREROUTING in the mangle
> table and assign them to the classes you want based on the fwmark:
>
> iptables -t mangle -A PREROUTING -d /24 -p tcp -m multiport --port 25 -j MARK --set-mark 102
> tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 102 fw flowid 1:20
>
> Hope this helps, Martin

Has anyone tested this? Does the mark get carried across encapsulations or is the packet context a new one on encapsulation? I know that the IPSec RFC says inner packet headers have to be copied to the outer header. Does that include the TOS byte too? I do not know what OpenSWAN does. If that were the case, assigning TOS prior to encapsulation and classifying by TOS at the device will work.

Mohan

From mohan.tux at gmail.com Sat Nov 4 02:38:04 2006
From: mohan.tux at gmail.com (Mohan Sundaram)
Date: Sat Nov 4 02:38:18 2006
Subject: [LARTC] Strategy for penalising IPs with too many simultaneous sessions
In-Reply-To: <454BDA1F.2010301@sharp.fm>
References: <454BDA1F.2010301@sharp.fm>
Message-ID: <454BEEFC.4030707@vsnl.com>

Graham Leggett wrote:
> Hi all,
>
> I have been trying to investigate traffic shaping in an effort to solve
> the "unfriendly network apps" problem on a test network.
>
> I have a basis by which I'd like to shape traffic, but studying the
> howto doesn't uncover an existing qdisc that seems to fit what I would
> like to do.
>
> The problem I would like to address is to prevent an IP address opening
> 10 simultaneous streams from drowning out another IP address that opened
> 1 stream.
>
> I would like to penalise IP addresses where two or more simultaneous
> sessions are in effect, by adding a delay to the streams such that the
> total bandwidth used by the IP address is capped at a declining curve.
>
> In other words, assume that the data you are sending is constrained
> behind you by a 1mbps bottleneck.
>
> When an IP has one session detected, their traffic is passed through,
> and normal rules apply.
>
> When an IP has two sessions detected, their combined sent traffic
> towards the IP is delayed and shaped down to say 800kbps.
>
> When an IP has three sessions detected, their combined sent traffic
> towards the IP is delayed and shaped down to say 600kbps.
>
> The starting point of how many sessions can be open before penalising
> takes effect, the starting point of the curve and the gradient of the
> curve would obviously be subject to lots of experimentation and would be
> set by the admin.
>
> The net effect I am looking for is that a user who chooses to open
> multiple simultaneous streams should see a noticeable decrease in
> maximum throughput, in an effort to discourage them from swamping the
> network with sessions.
>
> My question is, does a qdisc exist that implements something like this?
>
> Is this a reasonable thing to do, or will a strategy like this not work,
> and if not, why not? (for the purposes of me better understanding the
> issues).
>
> Regards,
> Graham

I've my misgivings with this scheme.

What you are doing makes sense only if the number of connections is a constrained resource. If bandwidth is the constraint, then shaping by source IP irrespective of the number of connections will do the job. As far as I've seen, routers can support 200k connections and this is sufficient for many large LANs - say a 500 node LAN with 400 connections per node.

In many cases, the user may not know how many connections he is opening or which app is consuming connections. Thus, the user may not be in a position to take remedial action and hence will be at a disadvantage.

I'm questioning the need for such a scheme really.

Mohan

From martin.bene at icomedias.com Sat Nov 4 07:09:23 2006
From: martin.bene at icomedias.com (Martin Bene)
Date: Sat Nov 4 07:09:30 2006
Subject: AW: AW: [LARTC] qos inside ipsec tunnel
In-Reply-To: <454BEC1F.40801@vsnl.com>
Message-ID:

Hi Mohan,

> > What should work is to mark the packets in PREROUTING in the mangle
> > table and assign them to the classes you want based on the fwmark:
> Has anyone tested this? Does the mark get carried across
> encapsulations or is the packet context a new one on
> encapsulation?

Yes, I have tested this. The fwmark is preserved/copied to the encrypted packet. I've set up a test system using 4 virtual machines in a vmware environment to give me two ipsec routers and a separate client for each :-)

> I know that the IPSec RFC says inner packet
> headers have to be copied to the outer header.
> Does that include the TOS byte too? I do not know what OpenSWAN
> does. If that were the case, assigning TOS prior to
> encapsulation and classifying by TOS at the device will work.

Openswan shouldn't come into the picture in this case: the original poster isn't using the openswan ipsec stack (klips), just the userspace tools, so we're just dealing with the standard/in-kernel ipsec implementation.

I haven't tried setting/classifying by tos - I'm happy with the fwmark method.

Bye, Martin

From surda at shurdix.com Sat Nov 4 11:00:22 2006
From: surda at shurdix.com (Peter Surda)
Date: Sat Nov 4 11:00:38 2006
Subject: [LARTC] htb/iptables for ISP
In-Reply-To: <1161768263.19237.12.camel@localhost>
References: <1161768263.19237.12.camel@localhost>
Message-ID: <454C64B6.4060109@shurdix.com>

plugthebox.net /dev/null wrote:
> Hello,

hi

> This process
> kills my machine for 3-4 minutes until dumping all htb/sfq/iptables into
> files and running these files (remember that I have almost 1200 IPs, and
> each IP has 6 HTB+SFQ lines with 2 iptables)

Both iptables and tc have a batch mode, and both support changing instead of deleting/creating.

Yours sincerely,
Peter

--
http://www.shurdix.org - Linux distribution for routers and firewalls

From minfrin at sharp.fm Sat Nov 4 12:14:52 2006
From: minfrin at sharp.fm (Graham Leggett)
Date: Sat Nov 4 12:15:09 2006
Subject: [LARTC] Strategy for penalising IPs with too many simultaneous sessions
In-Reply-To: <454BEEFC.4030707@vsnl.com>
References: <454BDA1F.2010301@sharp.fm> <454BEEFC.4030707@vsnl.com>
Message-ID: <454C762C.2040207@sharp.fm>

Mohan Sundaram wrote:
> I've my misgivings with this scheme.
>
> What you are doing makes sense only if the number of connections is a
> constrained resource. If bandwidth is the constraint, then shaping by
> source IP irrespective of the number of connections will do the job. As far
> as I've seen, routers can support 200k connections and this is
> sufficient for many large LANs - say a 500 node LAN with 400 connections
> per node.
>
> In many cases, the user may not know how many connections he is opening
> or which app is consuming connections. Thus, the user may not be in a
> position to take remedial action and hence will be at a disadvantage.

In the network in question, bandwidth is minimal (many many users sharing 512kbps). As a result, unlike in typical networks where simultaneous connections are statistically insignificant, in this case one user running many bittorrents can pretty much wipe out network performance to a ratio of 20 to 1 or more.

The typical response I have seen to this scenario is to try and prioritise certain protocols over others, but this strategy has the disadvantage of dictating to the user that they can only use those certain protocols.

What I would like to do instead is allow the user to use any protocol they like, with the caveat that attempting to open many connections simultaneously will result in a steadily decreasing share of the pipe, rather than a steadily increasing one.

Regards,
Graham
--

From surda at shurdix.com Sat Nov 4 16:40:20 2006
From: surda at shurdix.com (Peter Surda)
Date: Sat Nov 4 16:40:25 2006
Subject: [LARTC] Strategy for penalising IPs with too many simultaneous sessions
In-Reply-To: <454C762C.2040207@sharp.fm>
References: <454BDA1F.2010301@sharp.fm> <454BEEFC.4030707@vsnl.com> <454C762C.2040207@sharp.fm>
Message-ID: <454CB464.5090101@shurdix.com>

Graham Leggett wrote:
> In the network in question, bandwidth is minimal (many many users
> sharing 512kbps).

You could try WRR. It doesn't work by connection count, but works very well in the scenario you described.

Yours sincerely,
Peter

--
http://www.shurdix.org - Linux distribution for routers and firewalls

From netcerebrum at gmail.com Sun Nov 5 20:23:27 2006
From: netcerebrum at gmail.com (Net Cerebrum)
Date: Sun Nov 5 20:23:43 2006
Subject: [LARTC] Multi Homed Host
Message-ID:

Can someone refer me to any links which explain how to configure a stand alone linux host (not a router) with 2 ISP links in such a way that the traffic is distributed between the 2 ISPs?

Thank you,

From jan at aims.ac.za Sun Nov 5 21:33:41 2006
From: jan at aims.ac.za (Jan Groenewald)
Date: Sun Nov 5 21:34:32 2006
Subject: [LARTC] Multi Homed Host
In-Reply-To:
References:
Message-ID: <20061105203341.GJ15520@aims.ac.za>

Hi

On Mon, Nov 06, 2006 at 12:53:27AM +0530, Net Cerebrum wrote:
> Can someone refer me to any links which explain how to configure a stand
> alone linux host (not a router) with 2 ISP links in such a way that the
> traffic is distributed between the 2 ISPs ?

http://lartc.org/howto/lartc.rpdb.multiple-links.html

cheers,
Jan

--
Jan Groenewald
www.aims.ac.za

From andy at andybev.com Sun Nov 5 22:47:19 2006
From: andy at andybev.com (Andrew Beverley)
Date: Sun Nov 5 23:06:03 2006
Subject: [LARTC] Strategy for penalising IPs with too many simultaneous sessions
In-Reply-To: <454C762C.2040207@sharp.fm>
References: <454BDA1F.2010301@sharp.fm> <454BEEFC.4030707@vsnl.com> <454C762C.2040207@sharp.fm>
Message-ID: <1162763239.4255.7.camel@andybev.localdomain>

> What I would like to do instead is allow the user to use any protocol
> they like, with the caveat that attempting to open many connections
> simultaneously will result in a steadily decreasing share of the pipe,
> rather than a steadily increasing one.

I solved this in a similar but slightly different way. I use connlimit to monitor for when a user has 5 or more connections on ports above 1024. When they have, they are dropped into an ipset; all their traffic is then monitored and any traffic on ports above 1024 is dropped to a very low priority. This has the advantage that web browsing they do is unaffected. Also, it's slightly safer than your proposed method - I have seen instances when just normal surfing of the web can create 5 connections or more.

Something like this (eth0 is the user's network):

    iptables -t mangle -A PREROUTING -p tcp -i eth0 --dport 1024: -m \
        connlimit --connlimit-above 5 -j SET --add-set p2p src
    iptables -t mangle -A FORWARD -o eth0 -p tcp -m multiport --sport \
        1024:65535 -m set --set p2p dst -j MARK --set-mark 60
    iptables -t mangle -A FORWARD -i eth0 -p tcp -m multiport --dport \
        1024:65535 -m set --set p2p src -j MARK --set-mark 60

You'll have to compile your kernel with ipset and connlimit support.

Andy Beverley

From jserink2004 at yahoo.com Sun Nov 5 23:33:02 2006
From: jserink2004 at yahoo.com (John Serink)
Date: Sun Nov 5 23:33:10 2006
Subject: AW: [LARTC] qos inside ipsec tunnel
In-Reply-To: <454BEC1F.40801@vsnl.com>
Message-ID: <20061105223302.85109.qmail@web54508.mail.yahoo.com>

Bring up a GRE tunnel inside the IPSec tunnel.
Then use tc to shape the BW on the tunnel.
Then use tc to shape the BW on the outgoing interface, eg ppp1.

Cheers,
John

--- Mohan Sundaram wrote:
> Martin Bene wrote:
> > Hi Marco,
> >
> >> Hello everybody.
> >> I would like to do some kind of shaping inside an
> >> ipsec tunnel implemented by Openswan and linux
> >> 2.6.18.x with xfrm (no KLIPS): for example, to
> >> limit outbound smtp traffic inside the tunnel.
> >> Question: where should I attach the qdisc to? Eth0?
> >> I'm asking this, because tcpdump only sees the ESP
> >> packet on the eth0 and not the 'clear' packet.
> >
> > Heh - just subscribed to the LARTC list because I'm working on a similar
> > problem.
> >
> > Yes, you'll have to attach your classes to the eth0 device. However, by the
> > time qos gets to see the packets, they'll be encrypted, so you won't be
> > able to just use tc filter with the u32 classifier to select on port 25.
> >
> > What should work is to mark the packets in PREROUTING in the mangle
> > table and assign them to the classes you want based on the fwmark:
> >
> > iptables -t mangle -A PREROUTING -d /24 -p tcp -m multiport --port 25 -j MARK --set-mark 102
> > tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 102 fw flowid 1:20
> >
> > Hope this helps, Martin
> Has anyone tested this? Does the mark get carried across encapsulations
> or is the packet context a new one on encapsulation? I know that the IPSec
> RFC says inner packet headers have to be copied to the outer header.
> Does that include the TOS byte too? I do not know what OpenSWAN does. If
> that were the case, assigning TOS prior to encapsulation and classifying
> by TOS at the device will work.
>
> Mohan

From marek at piasta.pl Sun Nov 5 23:55:19 2006
From: marek at piasta.pl (Marek Kierdelewicz)
Date: Sun Nov 5 23:55:23 2006
Subject: ***SPAM*** Re: [LARTC] Need new way to improve SMP scalability for network router
In-Reply-To: <20061102002826.GB11204@legolas.on.net.mk>
References: <45362AE0.7090009@paralax.org> <20061102002826.GB11204@legolas.on.net.mk>
Message-ID: <20061105235519.6fedf418@localhost.localdomain>

> > and are not used for either routing or shaping
> > Is there a way to split work from two NICs on 4 CPUs ?

Put in two more nics and assign new interrupts to virtual processors. It should work.

> What do you expect to get? There are no 4 real CPUs. The only benefit
> that the HT technology has is when you need very fast switching
> between processes/threads ... in this case the kernel should be pretty
> good at it, and won't see any benefit from HT.

In fact you CAN use virtual processors made available by HT to assign interrupts to them. This solution works well. I've seen a P4-HT hauling 500.000 packets per second, with BGP and 70% utilisation.

cheers,
Marek Kierdelewicz

From webmaster at generalsynthesis.com Mon Nov 6 04:46:15 2006
From: webmaster at generalsynthesis.com (EKC)
Date: Mon Nov 6 04:46:23 2006
Subject: [LARTC] Ingress qdisc bypassed on SNAT'ed traffic?
Message-ID: <355a4e960611051946s4759a7c2k5e8dbe9aa3755342@mail.gmail.com>

Hello,

I am using the following iptables POSTROUTING rule to NAT some RFC 1918 addresses:

    iptables -t nat -A POSTROUTING -s 192.168.19.23 ! -d 192.168.0.0/255.255.0.0 -p tcp --dport 80 -j SNAT --to-source 10.32.4.2

(I am using SNAT instead of MASQUERADE for performance reasons). I have several addresses on the 192.168.0.0/16 subnet that I am SNAT'ing similarly.

Problem is, 'tc -s filter show parent ffff: dev bond0' is reporting that the ingress qdisc rules for each of these RFC1918 addresses are being bypassed:

    tc qdisc add dev bond0 ingress
    tc filter add dev bond0 parent ffff: protocol ip prio 10 u32 match ip dst 192.168.19.23/32 flowid 1:1 action police rate 100kbps burst 200kb drop

However, the same lartc ingress filter rules work fine when run on the NAT gateway address (10.32.4.2).

I suppose this means that the ingress filter is being run too early in the PREROUTING chain to catch the NAT'ed destination address. Is there a patch to change this behaviour?

I've also tried using connmark to no avail.

I would rather avoid using IMQ since my ingress QOS needs are pretty simple.

Any suggestions?

Thanks!
Eser Chamoglu

From mohan.tux at gmail.com Mon Nov 6 05:05:08 2006
From: mohan.tux at gmail.com (Mohan Sundaram)
Date: Mon Nov 6 05:05:26 2006
Subject: [LARTC] Ingress qdisc bypassed on SNAT'ed traffic?
In-Reply-To: <355a4e960611051946s4759a7c2k5e8dbe9aa3755342@mail.gmail.com>
References: <355a4e960611051946s4759a7c2k5e8dbe9aa3755342@mail.gmail.com>
Message-ID: <454EB474.4050702@vsnl.com>

EKC wrote:
> Hello,

> However, the same lartc ingress filter rules work fine when run on the
> NAT gateway address (10.32.4.2).

The QoS processing is done just before the device queue for egress or immediately after ingress from the device. Thus using the 192.168.x.x addresses for tc filters will not work. Using the gateway address works as that is the IP in the incoming packet's header.

> I suppose this means that the ingress filter is being run too early in
> the PREROUTING chain to catch the NAT'ed destination address. Is there
> a patch to change this behaviour?

I've not seen one.

> I've also tried using connmark to no avail.

Ingress QoS works much before the packet hits all this stuff.

> I would rather avoid using IMQ since my ingress QOS needs are pretty
> simple.

AFAIK, there is no other choice/way here.

> Any suggestions?

One way of doing this is to use one NAT IP per subnet and shape based on that NAT IP for ingress. However, this assumes you have as many addresses on the gateway as the subnet. I'm assuming you do, as the NAT'ted IP is also an RFC1918 address. That leads to a more basic question - why NAT when both are RFC1918 addresses?

Mohan

From webmaster at generalsynthesis.com Mon Nov 6 05:24:25 2006
From: webmaster at generalsynthesis.com (EKC)
Date: Mon Nov 6 05:24:30 2006
Subject: [LARTC] Ingress qdisc bypassed on SNAT'ed traffic?
In-Reply-To: <454EB474.4050702@vsnl.com>
References: <355a4e960611051946s4759a7c2k5e8dbe9aa3755342@mail.gmail.com> <454EB474.4050702@vsnl.com>
Message-ID: <355a4e960611052024v494d870l77e621d0e18e216c@mail.gmail.com>

Unfortunately, that NAT gateway address should have been a routable address (I'm debugging this in vmware at the moment). Considering that, it looks like I'm going to have to play around with IMQ.

On 11/5/06, Mohan Sundaram wrote:
> EKC wrote:
> > Hello,
>
> > However, the same lartc ingress filter rules work fine when run on the
> > NAT gateway address (10.32.4.2).
> The QoS processing is done just before the device queue for egress or
> immediately after ingress from the device. Thus using the 192.168.x.x
> addresses for tc filters will not work. Using the gateway address works
> as that is the IP in the incoming packet's header.
>
> > I suppose this means that the ingress filter is being run too early in
> > the PREROUTING chain to catch the NAT'ed destination address. Is there
> > a patch to change this behaviour?
> I've not seen one.
>
> > I've also tried using connmark to no avail.
> Ingress QoS works much before the packet hits all this stuff.
>
> > I would rather avoid using IMQ since my ingress QOS needs are pretty
> > simple.
> AFAIK, there is no other choice/way here.
>
> > Any suggestions?
> One way of doing this is to use one NAT IP per subnet and shape based on
> that NAT IP for ingress. However, this assumes you have as many
> addresses on the gateway as the subnet. I'm assuming you do, as the NAT'ted
> IP is also an RFC1918 address. That leads to a more basic question - why
> NAT when both are RFC1918 addresses?
>
> Mohan

From golem at mtm-info.pl Mon Nov 6 10:53:25 2006
From: golem at mtm-info.pl (GolemMTM)
Date: Mon Nov 6 10:53:27 2006
Subject: [LARTC] Dual CPU performance in routing
Message-ID: <183728573.20061106105325@mtm-info.pl>

Hello

I have a question: currently I am using a Linux box as a router. It only routes packets. Currently there are 80k packets/sec and this causes 90% CPU usage on an Intel Celeron 3GHz CPU. Will a multiprocessor system like 2x XEON DP 3.4GHz divide CPU usage between the 2 CPUs and allow double routing performance?

--
Golem

From dor at ldc.net Mon Nov 6 11:11:52 2006
From: dor at ldc.net (Dmytro O. Redchuk)
Date: Mon Nov 6 11:12:04 2006
Subject: [LARTC] Dual CPU performance in routing
In-Reply-To: <183728573.20061106105325@mtm-info.pl>
References: <183728573.20061106105325@mtm-info.pl>
Message-ID: <20061106101152.GA28087@ldc.net>

On Mon, Nov 06, 2006 at 10:53:25AM +0100, GolemMTM wrote:
> Hello
>
> I have a question: currently I am using a Linux box as a router. It only routes packets.
> Currently there are 80k packets/sec and this causes 90% CPU usage on an
> Intel Celeron 3GHz CPU.
> Will a multiprocessor system like 2x XEON DP 3.4GHz divide CPU
> usage between the 2 CPUs and allow double routing performance?

If you have two physical eth cards and assign a different irq to each CPU -- it will. Not sure about double, but significant, I'd say.

> --
> Golem

--
Dmytro O. Redchuk

From martin.bene at icomedias.com Mon Nov 6 11:15:01 2006
From: martin.bene at icomedias.com (Martin Bene)
Date: Mon Nov 6 11:15:15 2006
Subject: [LARTC] qos inside ipsec tunnel
In-Reply-To: <20061105223302.85109.qmail@web54508.mail.yahoo.com>
Message-ID:

Hi John,

> Bring up a GRE tunnel inside the IPSec tunnel.
> Then use tc to shape the BW on the tunnel,
> Then use tc to shape the BW on the outgoing interface, eg ppp1.

I don't see what advantage you get from the nested tunnel configuration you propose - why not simply shape on ppp1 and be done with it?

Bye, Martin

From alex at zoomnet.ro Mon Nov 6 11:21:12 2006
From: alex at zoomnet.ro (Alexandru Dragoi)
Date: Mon Nov 6 11:21:47 2006
Subject: [LARTC] Dual CPU performance in routing
In-Reply-To: <183728573.20061106105325@mtm-info.pl>
References: <183728573.20061106105325@mtm-info.pl>
Message-ID: <454F0C98.10003@zoomnet.ro>

GolemMTM wrote:
> Hello
>
> I have a question: currently I am using a Linux box as a router. It only routes packets.
> Currently there are 80k packets/sec and this causes 90% CPU usage on an
> Intel Celeron 3GHz CPU.
> Will a multiprocessor system like 2x XEON DP 3.4GHz divide CPU
> usage between the 2 CPUs and allow double routing performance?

It will improve performance if irqs are balanced, but not double. Also, 90% seems like a lot. If you use firewalling (many linear rules) and qos (many linear u32 filter rules), they will cost a lot of performance; you will see that with top, on soft interrupts (si). I suggest you use Intel gigabit cards on PCI64.

From john.douglass at oit.gatech.edu Mon Nov 6 21:05:11 2006
From: john.douglass at oit.gatech.edu (John Douglass)
Date: Mon Nov 6 21:05:26 2006
Subject: [LARTC] Two uplinks, two networks and policy routing help requested
Message-ID: <454F9577.2070005@oit.gatech.edu>

I am hoping that someone with more experience and knowledge than I can assist me in finding a solution ;)

We have a RedHat AS4 box with 5 interfaces. Two interfaces serve two different networks and two interfaces connect to two different uplinks. The fifth interface is our management interface.

Since a picture is worth a thousand words I attempted to come up with a diagram:

http://studpup74.googlepages.com/networkproblem

(I did not want to post this image to the list :)

If anyone with this experience has a few moments to assist us, I would be very grateful. Let me know if you need additional information.

- John Douglass, Georgia Tech

From henry.bin at gmail.com Tue Nov 7 07:25:58 2006
From: henry.bin at gmail.com (Henry Bin)
Date: Tue Nov 7 07:26:02 2006
Subject: [LARTC] linux-2.4.22 + bridge + traffic control by MAC.
Message-ID: <6ec85fe20611062225t1bee861fq93ed5cb9f66c3ff6@mail.gmail.com>

Dear all,

I am working on a Linux box (2.4.22 kernel) which is used as a bridge. And I want to add traffic control rules on it by client's MAC. Does anyone have such experience on how to do that? Thank you very much!!

Best regards,
Henry

From Покотиленко Tue Nov 7 10:50:54 2006
From: Покотиленко (Покотиленко)
Date: Tue Nov 7 10:51:39 2006
Subject: [LARTC] linux-2.4.22 + bridge + traffic control by MAC.
In-Reply-To: <6ec85fe20611062225t1bee861fq93ed5cb9f66c3ff6@mail.gmail.com>
References: <6ec85fe20611062225t1bee861fq93ed5cb9f66c3ff6@mail.gmail.com>
Message-ID: <1162893054.4064.19.camel@localhost.localdomain>

On Tue, 07/11/2006 at 14:25 +0800, Henry Bin wrote:
> Dear all,
>
> I am working on a Linux box (2.4.22 kernel) which is used as a
> bridge. And I want to add traffic control rules on it by client's MAC. Does anyone have such experience on how to do that? Thank you very much!!

bridge-utils
iptables
ebtables

-- 
??????????? ??????

From Покотиленко Tue Nov 7 15:40:58 2006
From: Покотиленко (Покотиленко)
Date: Tue Nov 7 15:41:30 2006
Subject: [LARTC] Troubles DNATing UDP
Message-ID: <1162910458.32208.44.camel@localhost.localdomain>

Hi.

I have strange troubles with DNATing UDP packets.

The situation:

1. We have a local network 10.10.0.0/16
2. We have a "server network" 192.168.1.0/25 connected to the local network by a router 10.10.100.1 (other IP 192.168.1.1).
3. The web server is located at 192.168.1.2
4. There are HW pingers in the net 10.10.0.0/16 which ping 10.10.100.1 every second. The ping is a UDP packet with both source and destination ports set to 4000.
5. There is software to decode ping packets and produce/update an HTML report.

I want to install the ping-analyzing software at the web server (192.168.1.2) and connect it with the locally running apache to have a web page with the ping report.

As the pingers ping (send UDP packets) to 10.10.100.1 I was trying to redirect them to 192.168.1.2 by:

iptables -t nat -I PREROUTING 1 -p udp --dport 4000 -j DNAT --to-destination 192.168.1.2:4000
iptables -I FORWARD -p udp --dport 4000 -d 192.168.1.2 -j ACCEPT

Neither of those rules is catching the packets; they all reach the 10.10.100.1 INPUT chain. Those rule counters are zero.

If I do:

iptables -t mangle -I PREROUTING 1 -p udp --dport 4000

this rule catches the needed packets, but not in the NAT table! Why?

I tried the same with TCP:

iptables -t nat -I PREROUTING 1 -p tcp --dport 4000 -j DNAT --to-destination 192.168.1.2:4000
iptables -I FORWARD -p tcp --dport 4000 -d 192.168.1.2 -j ACCEPT

and this works fine, I can see packets at 192.168.1.2 when doing telnet 10.10.100.1 4000 from the local net.
Here is tcpdump from 10.10.100.1:

# tcpdump -i br0 port 4000 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 96 bytes
16:36:53.202130 IP 10.10.100.23.4000 > 10.10.100.1.4000: UDP, length: 74
16:36:54.092413 IP 10.10.100.21.4000 > 10.10.100.1.4000: UDP, length: 74
16:36:54.143128 IP 10.10.100.22.4000 > 10.10.100.1.4000: UDP, length: 74
16:36:55.291886 IP 10.10.100.23.4000 > 10.10.100.1.4000: UDP, length: 74
16:36:55.545621 IP 10.10.100.22.4000 > 10.10.100.1.4000: UDP, length: 74
16:36:55.743096 IP 10.10.100.21.4000 > 10.10.100.1.4000: UDP, length: 74

Once again, all those packets reach the INPUT chain; rules in -t nat -I PREROUTING are not working.

So here is the question: Is UDP being DNAT'ed differently compared with TCP? What is the difference? How can I DNAT them?

Thanks in advance.

P.S. This kind of UDP ping doesn't require a response, it's just to see which remote point is still alive.

-- 
??????????? ??????

From henry.bin at gmail.com Wed Nov 8 10:25:31 2006
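A small stand-in for the "software to decode ping packets" from item 5, added here as an example and not code from the thread: it reads the tcpdump lines shown in the post and reports, per pinger, when it was last heard and whether it has been silent longer than a threshold. The capture is the one from the post plus one constructed line for a pinger (10.10.100.24) that has gone quiet; the "now" timestamp and the 3-second threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Passive liveness report built from
# "tcpdump -n" output of the UDP pings described in the post.

# Copied from the post, plus one constructed line (10.10.100.24) for a
# pinger that stopped sending.
SAMPLE_CAPTURE='16:36:50.000000 IP 10.10.100.24.4000 > 10.10.100.1.4000: UDP, length: 74
16:36:53.202130 IP 10.10.100.23.4000 > 10.10.100.1.4000: UDP, length: 74
16:36:54.092413 IP 10.10.100.21.4000 > 10.10.100.1.4000: UDP, length: 74
16:36:54.143128 IP 10.10.100.22.4000 > 10.10.100.1.4000: UDP, length: 74
16:36:55.291886 IP 10.10.100.23.4000 > 10.10.100.1.4000: UDP, length: 74
16:36:55.545621 IP 10.10.100.22.4000 > 10.10.100.1.4000: UDP, length: 74
16:36:55.743096 IP 10.10.100.21.4000 > 10.10.100.1.4000: UDP, length: 74'

# liveness_report NOW MAX_SILENCE  < tcpdump-lines
# One line per source host: time of its last packet, seconds of silence
# at NOW (HH:MM:SS[.frac]) and UP/DOWN against MAX_SILENCE (seconds).
liveness_report() {
    awk -v now="$1" -v thr="$2" '
    function tosec(ts,  t) { split(ts, t, ":"); return t[1]*3600 + t[2]*60 + t[3] }
    # tcpdump -n layout: time IP src.port > dst.port: UDP, length: N
    $2 == "IP" && $6 == "UDP," {
        src = $3; sub(/\.[0-9]+$/, "", src)        # strip the source port
        ts = tosec($1)
        if (!(src in last) || ts > last[src]) { last[src] = ts; seen[src] = $1 }
    }
    END {
        n = tosec(now)
        for (h in last)
            printf "%s last_seen=%s silent=%.1fs %s\n",
                   h, seen[h], n - last[h], (n - last[h] > thr) ? "DOWN" : "UP"
    }' | sort
}

# Evaluate the capture as of 16:36:56 with a 3-second silence threshold.
printf '%s\n' "$SAMPLE_CAPTURE" | liveness_report 16:36:56 3
```

Because the pingers expect no reply, the report is built entirely from what the router sees arriving; the same awk program can be fed a live `tcpdump -l -n` pipe instead of the constructed capture.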
From: henry.bin at gmail.com (Henry Bin)
Date: Wed Nov 8 10:25:44 2006
Subject: [LARTC] linux-2.4.22 + bridge + traffic control by MAC.
In-Reply-To: <1162893054.4064.19.camel@localhost.localdomain>
References: <6ec85fe20611062225t1bee861fq93ed5cb9f66c3ff6@mail.gmail.com> <1162893054.4064.19.camel@localhost.localdomain>
Message-ID: <6ec85fe20611080125j57472d43wbc8115222af4b417@mail.gmail.com>

On 11/7/06, ??????????? ?????? wrote:
> On Tue, 07/11/2006 at 14:25 +0800, Henry Bin wrote:
> > Dear all,
> >
> > I am working on a Linux box (2.4.22 kernel) which is used as a
> > bridge. And I want to add traffic control rules on it by client's MAC. Does anyone have such experience on how to do that? Thank you very much!!
>
> bridge-utils
> iptables
> ebtables
>

Oh, could you please give me an example of how to do that? What I want is to limit the bandwidth for a specified MAC. For example, I just want to give 3Mbps bandwidth to the PC which has MAC address 00:40:33:44:23:44.

Thanks a lot!

> --
> ??????????? ??????
>

From mohan.tux at gmail.com Wed Nov 8 12:37:52 2006
From: mohan.tux at gmail.com (Mohan Sundaram)
Date: Wed Nov 8 12:38:18 2006
Subject: [LARTC] linux-2.4.22 + bridge + traffic control by MAC.
In-Reply-To: <6ec85fe20611080125j57472d43wbc8115222af4b417@mail.gmail.com>
References: <6ec85fe20611062225t1bee861fq93ed5cb9f66c3ff6@mail.gmail.com> <1162893054.4064.19.camel@localhost.localdomain> <6ec85fe20611080125j57472d43wbc8115222af4b417@mail.gmail.com>
Message-ID: <4551C190.1000603@vsnl.com>

Henry Bin wrote:
> On 11/7/06, ??????????? ?????? wrote:
>> On Tue, 07/11/2006 at 14:25 +0800, Henry Bin wrote:
>> > Dear all,
>> >
>> > I am working on a Linux box (2.4.22 kernel) which is used as a
>> > bridge. And I want to add traffic control rules on it by client's
>> MAC. Does anyone have such experience on how to do that? Thank you very
>> much!!
>>
>> bridge-utils
>> iptables
>> ebtables
>>
> Oh, could you please give me an example of how to do that?
> What I want is to limit the bandwidth for a specified MAC. For
> example, I just want to give 3Mbps bandwidth to the PC which has MAC
> address 00:40:33:44:23:44.
>
> Thanks a lot!
>> --
>> ??????????? ??????
>>

You can mark (fwmark) a packet based on the source MAC in iptables/ebtables. In the case of a bridge, the packet needs to be marked by ebtables. tc allows classification by fwmark. Create a class and assign a 3Mbps rate to it. Create a tc filter to send all traffic with fwmark 1 to this class. Create an ebtables rule that marks all packets coming from MAC address 00:40:33:44:23:44 with fwmark 1.

Mohan

From philipp.leusmann at rwth-aachen.de Wed Nov 8 12:52:33 2006
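Mohan's recipe written out as a script, added here as an example (it is not code from the thread, from Henry, or from the ebtables project): ebtables sets the fwmark, an HTB class carries the 3Mbps limit, and a tc `fw` filter steers marked frames into it. It goes one step beyond the source-MAC version above by also marking frames *to* the PC (destination MAC) so both directions are capped, each on the bridge port it leaves through. The bridge port names eth0 (uplink side) and eth1 (PC side), the 100Mbit port speed and mark value 1 are assumptions; the MAC and the 3Mbps figure come from Henry's question. Without `APPLY=1` the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not code from the thread: per-MAC cap on a Linux bridge
# via ebtables fwmark -> HTB class -> tc fw filter. Assumed (not from the
# posts): ports eth0/eth1, 100000kbit ports, mark 1. APPLY=1 executes;
# otherwise commands are printed for review.

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# HTB on one bridge port: leaf 1:10 carries marked (capped) frames, leaf
# 1:20 takes everything else. sfq leaves give each class a real queue
# instead of HTB's short default on interfaces like bridge ports.
setup_port() {  # port link_kbit limit_kbit mark
    port=$1; link=$2; limit=$3; mark=$4
    rest=$((link - limit))
    run tc qdisc del dev "$port" root 2>/dev/null || true
    run tc qdisc add dev "$port" root handle 1: htb default 20
    run tc class add dev "$port" parent 1: classid 1:1 htb rate "${link}kbit"
    run tc class add dev "$port" parent 1:1 classid 1:10 htb rate "${limit}kbit" ceil "${limit}kbit"
    run tc class add dev "$port" parent 1:1 classid 1:20 htb rate "${rest}kbit" ceil "${link}kbit"
    run tc qdisc add dev "$port" parent 1:10 handle 10: sfq perturb 10
    run tc qdisc add dev "$port" parent 1:20 handle 20: sfq perturb 10
    run tc filter add dev "$port" parent 1: protocol all prio 1 handle "$mark" fw flowid 1:10
}

# Frames from the PC leave through the uplink port, frames to the PC
# leave through the PC port; mark on the MAC field that identifies each
# direction and let the egress port's filter do the rest.
mark_mac() {  # mac mark
    run ebtables -t nat -A PREROUTING -s "$1" -j mark --mark-set "$2" --mark-target ACCEPT
    run ebtables -t nat -A PREROUTING -d "$1" -j mark --mark-set "$2" --mark-target ACCEPT
}

build_all() {
    mark_mac 00:40:33:44:23:44 1
    setup_port eth0 100000 3000 1   # upload from the PC, egress on the uplink port
    setup_port eth1 100000 3000 1   # download to the PC, egress on the PC port
}

build_all
```

Run it once without `APPLY` and read the output before applying; the filter uses `protocol all` because frames on a bridge port are not guaranteed to be IP, and anything unmarked falls into the default class 1:20.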
From: philipp.leusmann at rwth-aachen.de (Philipp Leusmann)
Date: Wed Nov 8 12:52:47 2006
Subject: [LARTC] Why did I need strange ceiling settings?
Message-ID: <002001c7032c$60ce5dd0$0200a8c0@marvin>

Hi all,

I recently installed traffic shaping on my ADSL line with a nominal upload rate of 1MBit. My modem says it has an upload bitrate of 843 kbits. So I thought using a ceiling of 800kbit for the root qdisc was a good idea. But with that setting I only achieved upload rates of around 300kbits whereas I reached around 650 kbits without traffic shaping. Yesterday I played a little with the ceiling value and found that increasing it to 175kBps did the job. Could anybody please explain this strange behaviour?

My shaping script looks as follows:

From makevuy at ehas.org Wed Nov 8 13:10:10 2006
From: makevuy at ehas.org (makevuy)
Date: Wed Nov 8 13:10:16 2006
Subject: [LARTC] QoS over Wireless network
Message-ID: <4551C922.7040002@ehas.org>

Hi,

I would like to give QoS to a wireless network. Do you know if there is any qdisc specific for this? I know that the most modern qdisc is HFSC, is this true?

Thanks for all and regards.

-- 
Sandra Salmerón Ntutumu
Analog tel.: +34 914888405. Ext: 10 / Mobile: 653574298
IP tel. via FWD: 656212. Ext: 10 / IP tel. via EHAS: 010010
Fundación EHAS: Enlace Hispanoamericano de Salud - www.ehas.org
Rural telemedicine for isolated areas of developing countries

From administrator at netwlan.net Wed Nov 8 13:39:08 2006
From: administrator at netwlan.net (administrator@netwlan.net)
Date: Wed Nov 8 13:39:15 2006
Subject: [LARTC] Looking for new ideas to improve linux router performance
Message-ID: <005801c70332$e2a74690$641497c1@sysadmin>

Hello,

I have 2 dual-CPU Xeon 3GHz HT-enabled Linux routers and each one of them serves 2 class Cs with peak traffic on the router of about 300Mbit full duplex.

2 x Ethernet controller: Intel Corporation 82546GB Gigabit Ethernet Controller (rev 03)
1GB RAM

And

2 x Ethernet controller: Broadcom Corporation NetXtreme BCM5703 Gigabit Ethernet (rev 10)
1GB RAM

Both routers have about 600 iptables rules, 4000 tc rules with the HFSC scheduler and 300 static routes.

I have implemented tc filter hashing which improves performance, but my goal is to push those machines to the limit with 4 class Cs and double the above rules and traffic.

Currently the system takes no more than 60% CPU time at peak per working CPU, as every NIC has been set on a different CPU, and I have two idle CPUs on each machine.

Currently Linux kernels are coming with a timer interrupt of 1000Hz max which in my opinion is not enough.

Also there is no way to serve interrupts from one NIC on two processors.

I'm open to suggestions.

Thanks to all in advance.

From administrator at netwlan.net Wed Nov 8 14:13:03 2006
From: administrator at netwlan.net (administrator@netwlan.net)
Date: Wed Nov 8 14:13:05 2006
Subject: [LARTC] Two uplinks, two networks and policy routing help requested
Message-ID: <000701c70337$9f51c7d0$641497c1@sysadmin>

You can accomplish this in two ways:

1. Put two routers in the place of this one and let the two internal networks see each other through the two routers with a static route.
2. If the two outgoing connections are to ISPs then the solution can be one router but with BGP, so the two networks can go out via both ISPs.
3. There is a third solution also, called source routing, but this is not a stable solution and can get you into major trouble.

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of John Douglass
Sent: Monday, November 06, 2006 10:05 PM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] Two uplinks, two networks and policy routing help requested

I am hoping that someone with more experience and knowledge than I can assist me in finding a solution ;)

We have a RedHat AS4 box with 5 interfaces. Two interfaces serve two different networks and two interfaces connect to two different uplinks. The fifth interface is our management interface.

Since a picture is worth a thousand words I attempted to come up with a diagram:

http://studpup74.googlepages.com/networkproblem

(I did not want to post this image to the list :)

If anyone with this experience has a few moments to assist us, I would be very grateful. Let me know if you need additional information.

- John Douglass, Georgia Tech

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From prasadvvv at lucent.com Wed Nov 8 14:37:04 2006
From: prasadvvv at lucent.com (Vendra, Hari Prasad V V P CH S H (Prasad))
Date: Wed Nov 8 14:37:16 2006
Subject: [LARTC] Patch for Increasing Routing tables in Fedora Core 3 ( Kernel 2.6 )
Message-ID: <6733C768256DEC42A72BAFEFA9CF06D21DBB61D2@ii0015exch002u.iprc.lucent.com>

Hi,

Is there any patch available for increasing the number of routing tables from 256 to a higher number for Fedora Core 3 and above?

Regards,
Prasad.

From administrator at netwlan.net Wed Nov 8 14:39:59 2006
From: administrator at netwlan.net (administrator@netwlan.net)
Date: Wed Nov 8 14:40:03 2006
Subject: [LARTC] Looking for new ideas to improve linux router performance
In-Reply-To: <1518898288.20061108151601@astafjev.com>
Message-ID: <000001c7033b$6261aa30$641497c1@sysadmin>

The reason for the higher CPU usage is that my iptables rules are linear; without them CPU usage drops from 60% to 30% peak, and during day time it is not more than 20%. Right now I don't have time to implement ipset.

As for "Timer frequency" 250, no accurate traffic control at high speeds can be achieved.

Also for 6 class Cs my bandwidth will be 900Mbit not 400Mbit.

-----Original Message-----
From: Konstantin Astafjev [mailto:konstantin@astafjev.com]
Sent: Wednesday, November 08, 2006 3:16 PM
To: administrator@netwlan.net
Subject: Re: [LARTC] Looking for new ideas to improve linux router performance

Hello administrator,

Wednesday, November 8, 2006, 2:39:08 PM, you wrote:

> I have 2 dual CPU Xeon 3GHz HT enabled Linux routers and each one
> of them serving 2 class C with peak traffic on router about 300Mbit full duplex

I have 1 common desktop PC router with an Athlon64 1800MHz and 1GB RAM serving 6 C classes with one Intel server NIC at about 400Mbit load of full duplex on average.

> Both routers have about 600 iptables rules, 4000 tc rules with HFSC scheduler and 300 static routes

I have more than 1000 iptables rules (not linear, but in a tree search variant), about 3000 tc filter rules with HTB, only one default route. And of course I'm using hash tables. BTW, is there any method to classify fwmark in hash tables? Because right now I have to use TOS for that. :(

> I have implemented tc filter hashing which improve performance
>
> but my goal is to push those machines to the limit with 4 class C
> and double above rules and traffic

I plan to increase the quantity of clients to 8 C classes this week.

> Currently system takes no more than 60% CPU time at peak per
> working CPU as every NIC has been set on different CPU,

My CPU load is about 45% at peak and I have only one CPU.

> Currently Linux kernels are coming with timer interrupt of 1000hz
> max which in my opinion is not enough

If you are about "Timer frequency" then mine is set to 250 HZ.

> Also there is no way to serve interrupts from one NIC on two processors.

I have a 2 Opteron (4 cores) server right now with 2 tg3 NICs. I'll try to do an experiment to use it as a router. I'm also afraid that the other 3 cores will not be used. :(

Very interesting numbers for me. Damn, I thought my CPU load was too high, but now I'm wondering why yours is higher?
;)

-- 
Best regards,
Konstantin

From lsharpe at pacificwireless.com.au Wed Nov 8 22:57:49 2006
From: lsharpe at pacificwireless.com.au (Leigh Sharpe)
Date: Wed Nov 8 22:58:22 2006
Subject: [LARTC] linux-2.4.22 + bridge + traffic control by MAC.
In-Reply-To: <6ec85fe20611080125j57472d43wbc8115222af4b417@mail.gmail.com>
Message-ID:

Here:

http://ebtables.sourceforge.net/examples/example5.html

Is exactly what you want to do.

Regards,
Leigh

Leigh Sharpe
Network Systems Engineer
Pacific Wireless
Ph +61 3 9584 8966
Mob 0408 009 502
email lsharpe@pacificwireless.com.au
web www.pacificwireless.com.au

-----Original Message-----
From: Henry Bin [mailto:henry.bin@gmail.com]
Sent: Wednesday, November 08, 2006 8:26 PM
To: casper@meteor.dp.ua
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] linux-2.4.22 + bridge + traffic control by MAC.

On 11/7/06, ??????????? ?????? wrote:
> On Tue, 07/11/2006 at 14:25 +0800, Henry Bin wrote:
> > Dear all,
> >
> > I am working on a Linux box (2.4.22 kernel) which is used as a
> > bridge. And I want to add traffic control rules on it by client's MAC. Does anyone have such experience on how to do that? Thank you very much!!
>
> bridge-utils
> iptables
> ebtables
>

Oh, could you please give me an example of how to do that? What I want is to limit the bandwidth for a specified MAC. For example, I just want to give 3Mbps bandwidth to the PC which has MAC address 00:40:33:44:23:44.

Thanks a lot!

> --
> ??????????? ??????
>

From indunil75 at gmail.com Thu Nov 9 10:50:04 2006
From: indunil75 at gmail.com (Indunil Jayasooriya)
Date: Thu Nov 9 10:50:14 2006
Subject: [LARTC] Fwd: How to block Yahoo, MSN Messenger and Kazaa with IPTABLES
In-Reply-To: <7ed6b0aa0611090149u1335d99fnd97c95b1b8f1e2b1@mail.gmail.com>
References: <7ed6b0aa0611090149u1335d99fnd97c95b1b8f1e2b1@mail.gmail.com>
Message-ID: <7ed6b0aa0611090150t4cb135f7s20fccd0c5dbd4c48@mail.gmail.com>

Hi,

I want to block Yahoo Messenger, MSN Messenger and Kazaa with IPTABLES as my local network users always go there.

How can I do it?

I am not running iptables as a script nor have I put anything in my rc.local. Instead, I input the commands and save them by using the command below:

/etc/init.d/iptables save

and I restart it:

/etc/init.d/iptables restart

My box runs on CentOS 4.4.

Help needed.

-- 
Thank you
Indunil Jayasooriya

From dam2000 at gmail.com Thu Nov 9 12:17:58 2006
From: dam2000 at gmail.com (dAm2K)
Date: Thu Nov 9 12:18:04 2006
Subject: [LARTC] Re: How to block Yahoo, MSN Messenger and Kazaa with IPTABLES
In-Reply-To: <7ed6b0aa0611090150t4cb135f7s20fccd0c5dbd4c48@mail.gmail.com>
References: <7ed6b0aa0611090149u1335d99fnd97c95b1b8f1e2b1@mail.gmail.com> <7ed6b0aa0611090150t4cb135f7s20fccd0c5dbd4c48@mail.gmail.com>
Message-ID: <2855d4bf0611090317q1685a09fgc8b79dc6b898045a@mail.gmail.com>

2006/11/9, Indunil Jayasooriya :
> I want to block Yahoo Messenger, MSN Messenger and Kazaa with IPTABLES as
> my local network users always go there.
>
> How can I do it?

Read this howto first...

http://www.linuxguruz.com/iptables/howto/iptables-HOWTO.html

1) Close all traffic (do this locally, or you will not be able to reach your firewall!!):

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

2) Do NAT:

iptables -t nat -A POSTROUTING -s YOUR_NET/YOUR_MASK -j MASQUERADE

3) Accept the "syn" packets you need in the FORWARD chain. You may need to accept other stuff like icmp, dns, related||established... Ex:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s YOUR_NET/YOUR_MASK -p tcp -m tcp --dport http -j ACCEPT
iptables -A FORWARD -s YOUR_NET/YOUR_MASK -p tcp -m tcp --dport https -j ACCEPT
iptables -A FORWARD -s YOUR_NET/YOUR_MASK -p tcp -m tcp --dport domain -j ACCEPT
iptables -A FORWARD -s YOUR_NET/YOUR_MASK -p udp -m udp --dport domain -j ACCEPT
iptables -A FORWARD -s YOUR_NET/YOUR_MASK -p icmp -j ACCEPT

4) Install and configure an HTTP proxy behind your firewall (ex. SQUID), and pay attention to your ACL, an open proxy is very dangerous!!

-- 
dAm2K, you know I'm there!

From sewlist at gmail.com Thu Nov 9 15:56:16 2006
From: sewlist at gmail.com (the sew)
Date: Thu Nov 9 15:56:22 2006
Subject: [LARTC] Two uplinks, two networks and policy routing help requested
In-Reply-To: <454F9577.2070005@oit.gatech.edu>
References: <454F9577.2070005@oit.gatech.edu>
Message-ID:

I'm not much of an expert, but I would try some of the following.

I would try src routing:

ip rule add fwmark 1 table network1
ip route add default via 128.61.111.242/241 (depending on gateway) table network1
iptables -t mangle -A PREROUTING -s 128.61.110.0/24 -j MARK --set-mark 1

ip rule add fwmark 2 table network2
ip route add default via 199.77.254.106/105 table network2
iptables -t mangle -A PREROUTING -s 143.215.204.0/27 -j MARK --set-mark 2

These are just some samples, you can go a lot more in depth with src routing, but I would try this first.

You can also do dynamic routing with OSPF and set your link costs if you want to set priorities on links etc, otherwise go big with BGP routing.

Like I said, I'm no expert, hope it helps.

Sew

On 11/6/06, John Douglass wrote:
> I am hoping that someone with more experience and knowledge than I can
> assist me in finding a solution ;)
>
> We have a RedHat AS4 box with 5 interfaces. Two interfaces serve two
> different networks and two interfaces connect to two different uplinks.
> The fifth interface is our management interface.
>
> Since a picture is worth a thousand words I attempted to come up with a
> diagram:
>
> http://studpup74.googlepages.com/networkproblem
>
> (I did not want to post this image to the list :)
>
> If anyone with this experience has a few moments to assist us, I would
> be very grateful. Let me know if you need additional information.
>
> - John Douglass, Georgia Tech
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

From sewlist at gmail.com Thu Nov 9 16:01:16 2006
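Sew's outline carried through as a complete script, added here as an example and not code from the thread: one routing table per uplink, selected by the source prefix of the internal network. It differs from the sketch above in two ways: `ip rule ... from PREFIX` selects on the source address directly, so no fwmark or mangle rule is needed, and each per-uplink table also carries both internal prefixes as connected routes, so traffic between the two internal networks stays on the box instead of following that table's default route out to the ISP. The prefixes and gateway addresses are the ones Sew quoted (the .242 and .106 alternatives are picked); the interface names and table numbers 101/102 are assumptions. Without `APPLY=1` the commands are printed rather than run.

```shell
#!/bin/sh
# Added example, not code from the thread: source-based policy routing
# for two internal networks over two uplinks. Assumed (not from the
# posts): eth0/eth1 uplinks, eth2/eth3 internal ports, tables 101/102.
# APPLY=1 executes the commands; otherwise they are printed for review.

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Internal network 1 and its uplink, internal network 2 and its uplink.
NET1=128.61.110.0/24;  NET1_DEV=eth2;  GW1=128.61.111.242;  UP1=eth0;  TABLE1=101
NET2=143.215.204.0/27; NET2_DEV=eth3;  GW2=199.77.254.106;  UP2=eth1;  TABLE2=102

# Fill one table: both connected internal prefixes (so inter-network
# traffic never leaves via the uplink) plus this uplink's default route.
setup_table() {  # table gateway uplink_dev
    run ip route flush table "$1"
    run ip route add "$NET1" dev "$NET1_DEV" table "$1"
    run ip route add "$NET2" dev "$NET2_DEV" table "$1"
    run ip route add default via "$2" dev "$3" table "$1"
}

# Pick the table by source prefix. Lower priority numbers are consulted
# first; these sit well below the main table's 32766.
add_rule() {  # src_prefix table priority
    run ip rule add from "$1" table "$2" priority "$3"
}

build_all() {
    setup_table "$TABLE1" "$GW1" "$UP1"
    setup_table "$TABLE2" "$GW2" "$UP2"
    add_rule "$NET1" "$TABLE1" 100
    add_rule "$NET2" "$TABLE2" 200
    run ip route flush cache
}

build_all
```

Hosts on the box itself (the management interface, for instance) match no rule and keep using the main table; if that interface should also leave via a particular uplink, add a third `from` rule for its address.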
From: sewlist at gmail.com (the sew)
Date: Thu Nov 9 16:01:22 2006
Subject: [LARTC] Fwd: How to block Yahoo, MSN Messenger and Kazaa with IPTABLES
In-Reply-To: <7ed6b0aa0611090150t4cb135f7s20fccd0c5dbd4c48@mail.gmail.com>
References: <7ed6b0aa0611090149u1335d99fnd97c95b1b8f1e2b1@mail.gmail.com> <7ed6b0aa0611090150t4cb135f7s20fccd0c5dbd4c48@mail.gmail.com>
Message-ID:

iptables has some powerful rules you can use to block MSN and Yahoo and P2P software.

I would use a transparent proxy with Squid and ipp2p ( http://www.ipp2p.org ), which is an extension module for iptables that can block P2P, which is very difficult to track. For example:

iptables -A FORWARD -m ipp2p --ipp2p -j DROP

Hope it helps.

Sew

On 11/9/06, Indunil Jayasooriya wrote:
> Hi,
>
> I want to block Yahoo Messenger, MSN Messenger and Kazaa with IPTABLES as
> my local network users always go there.
>
> How can I do it?
>
> I am not running iptables as a script nor have I put anything in my rc.local.
> Instead, I input the commands and save them by using the command below:
>
> /etc/init.d/iptables save
>
> and I restart it:
>
> /etc/init.d/iptables restart
>
>
> My box runs on CentOS 4.4.
>
> Help needed.
>
> --
> Thank you
> Indunil Jayasooriya
>

From henry.bin at gmail.com Fri Nov 10 03:45:55 2006
From: henry.bin at gmail.com (Henry Bin)
Date: Fri Nov 10 03:46:02 2006
Subject: [LARTC] linux-2.4.22 + bridge + traffic control by MAC.
In-Reply-To:
References: <6ec85fe20611080125j57472d43wbc8115222af4b417@mail.gmail.com>
Message-ID: <6ec85fe20611091845t1fa956c0h3e12e79dbbc8297c@mail.gmail.com>

Great! It should be helpful! Thanks a lot!

Best Regards,
Henry

On 11/9/06, Leigh Sharpe wrote:
> Here:
>
> http://ebtables.sourceforge.net/examples/example5.html
>
> Is exactly what you want to do.
>
> Regards,
> Leigh
>
> Leigh Sharpe
> Network Systems Engineer
> Pacific Wireless
> Ph +61 3 9584 8966
> Mob 0408 009 502
> email lsharpe@pacificwireless.com.au
> web www.pacificwireless.com.au
>
> -----Original Message-----
> From: Henry Bin [mailto:henry.bin@gmail.com]
> Sent: Wednesday, November 08, 2006 8:26 PM
> To: casper@meteor.dp.ua
> Cc: lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] linux-2.4.22 + bridge + traffic control by MAC.
>
> On 11/7/06, ??????????? ?????? wrote:
> > On Tue, 07/11/2006 at 14:25 +0800, Henry Bin wrote:
> > > Dear all,
> > >
> > > I am working on a Linux box (2.4.22 kernel) which is used as a
> > > bridge. And I want to add traffic control rules on it by client's MAC. Does anyone have such experience on how to do that? Thank you very much!!
> >
> > bridge-utils
> > iptables
> > ebtables
> >
> Oh, could you please give me an example of how to do that?
> What I want is to limit the bandwidth for a specified MAC. For
> example, I just want to give 3Mbps bandwidth to the PC which has MAC
> address 00:40:33:44:23:44.
>
> Thanks a lot!
> > --
> > ??????????? ??????
> >
>
>

From Покотиленко Fri Nov 10 12:37:36 2006
From: Покотиленко (Покотиленко)
Date: Fri Nov 10 12:38:13 2006
Subject: [LARTC] Troubles DNATing UDP
In-Reply-To: <1162910458.32208.44.camel@localhost.localdomain>
References: <1162910458.32208.44.camel@localhost.localdomain>
Message-ID: <1163158657.4061.3.camel@localhost.localdomain>

Did my message hit the list?

Once again, is there any difference in DNAT'ing TCP and UDP? Maybe there is a difference related to different kinds/types of UDP packet?

On Tue, 07/11/2006 at 16:40 +0200, ??????????? ?????? wrote:
> Hi.
>
> I have strange troubles with DNATing UDP packets.
>
> The situation:
>
> 1. We have a local network 10.10.0.0/16
> 2. We have a "server network" 192.168.1.0/25 connected to the local
> network by a router 10.10.100.1 (other IP 192.168.1.1).
> 3. The web server is located at 192.168.1.2
> 4. There are HW pingers in the net 10.10.0.0/16 which ping
> 10.10.100.1 every second. The ping is a UDP packet with both source
> and destination ports set to 4000.
> 5. There is software to decode ping packets and produce/update an HTML
> report.
>
> I want to install the ping-analyzing software at the web server
> (192.168.1.2) and connect it with the locally running apache to have a web
> page with the ping report.
>
> As the pingers ping (send UDP packets) to 10.10.100.1 I was trying to
> redirect them to 192.168.1.2 by:
>
> iptables -t nat -I PREROUTING 1 -p udp --dport 4000 -j DNAT
> --to-destination 192.168.1.2:4000
> iptables -I FORWARD -p udp --dport 4000 -d 192.168.1.2 -j ACCEPT
>
> Neither of those rules is catching the packets; they all reach the
> 10.10.100.1 INPUT chain. Those rule counters are zero.
>
> If I do:
>
> iptables -t mangle -I PREROUTING 1 -p udp --dport 4000
>
> this rule catches the needed packets, but not in the NAT table! Why?
>
> I tried the same with TCP:
>
> iptables -t nat -I PREROUTING 1 -p tcp --dport 4000 -j DNAT
> --to-destination 192.168.1.2:4000
> iptables -I FORWARD -p tcp --dport 4000 -d 192.168.1.2 -j ACCEPT
>
> and this works fine, I can see packets at 192.168.1.2 when doing telnet
> 10.10.100.1 4000 from the local net.
>
> Here is tcpdump from 10.10.100.1:
>
> # tcpdump -i br0 port 4000 -n
> tcpdump: verbose output suppressed, use -v or -vv for full protocol
> decode
> listening on br0, link-type EN10MB (Ethernet), capture size 96 bytes
> 16:36:53.202130 IP 10.10.100.23.4000 > 10.10.100.1.4000: UDP, length: 74
> 16:36:54.092413 IP 10.10.100.21.4000 > 10.10.100.1.4000: UDP, length: 74
> 16:36:54.143128 IP 10.10.100.22.4000 > 10.10.100.1.4000: UDP, length: 74
> 16:36:55.291886 IP 10.10.100.23.4000 > 10.10.100.1.4000: UDP, length: 74
> 16:36:55.545621 IP 10.10.100.22.4000 > 10.10.100.1.4000: UDP, length: 74
> 16:36:55.743096 IP 10.10.100.21.4000 > 10.10.100.1.4000: UDP, length: 74
>
> Once again, all those packets reach the INPUT chain; rules in -t nat -I
> PREROUTING are not working.
>
> So here is the question: Is UDP being DNAT'ed differently
> compared with TCP? What is the difference? How can I DNAT them?
>
> Thanks in advance.
>
> P.S. This kind of UDP ping doesn't require a response, it's just to see
> which remote point is still alive.
>

-- 
??????????? ??????

From dam2000 at gmail.com Fri Nov 10 16:39:42 2006
From: dam2000 at gmail.com (dAm2K)
Date: Fri Nov 10 16:39:47 2006
Subject: [LARTC] Re: Troubles DNATing UDP
In-Reply-To: <1163158657.4061.3.camel@localhost.localdomain>
References: <1162910458.32208.44.camel@localhost.localdomain> <1163158657.4061.3.camel@localhost.localdomain>
Message-ID: <2855d4bf0611100739m61be108bv73d289593ff7a84c@mail.gmail.com>

> > Once again, all those packets reach the INPUT chain; rules in -t nat -I
> > PREROUTING are not working.
> >
> > So here is the question: Is UDP being DNAT'ed differently
> > compared with TCP? What is the difference? How can I DNAT them?

If your HW UDP pingers' default gateway is your NATting firewall, try to ping the 192.168.1.2 web server directly. If the default gateway is another router, try adding the route 192.168.1.0/25 to your HW pingers and ping 192.168.1.2 directly.

If this is not possible (and you are UDP pinging your firewall) open dport 4000 udp in the INPUT chain on your firewall and do NATting:

iptables -t filter -A INPUT -p udp -m udp -s 10.10.0.0/16 -d 10.10.100.1 --dport 4000 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -m udp -s 10.10.0.0/16 -d 10.10.100.1 --dport 4000 -j DNAT --to-destination 192.168.1.2

This way the 192.168.1.2 host should receive UDP packets coming from the firewall.

My setup is running smoothly with UDP and NAT; I'm using it with PlayStation online games...

Hope this helps.

Bye, Dino.

-- 
dAm2K, you know I'm there!

From gtaylor at riverviewtech.net Fri Nov 10 17:31:50 2006
From: gtaylor at riverviewtech.net (Taylor, Grant)
Date: Fri Nov 10 17:31:58 2006
Subject: [LARTC] Troubles DNATing UDP
In-Reply-To: <1162910458.32208.44.camel@localhost.localdomain>
References: <1162910458.32208.44.camel@localhost.localdomain>
Message-ID: <4554A976.9030808@riverviewtech.net>

??????????? ?????? wrote:
> As the pingers ping (send UDP packets) to 10.10.100.1 I was trying to
> redirect them to 192.168.1.2 by:
>
> iptables -t nat -I PREROUTING 1 -p udp --dport 4000 -j DNAT
> --to-destination 192.168.1.2:4000
> iptables -I FORWARD -p udp --dport 4000 -d 192.168.1.2 -j ACCEPT

(Before morning coffee...)

One quick question / point. Your source and destination ports are both 4000, right? (I'm presuming yes.) Your PREROUTING rule is looking to DNAT any UDP traffic that has a destination port of 4000 to 192.168.1.2. What happens to the reply traffic from 192.168.1.2 that is destined to port 4000 on 10.0.x.y?

> Neither of those rules is catching the packets; they all reach the
> 10.10.100.1 INPUT chain. Those rule counters are zero.

Hum. Try adding a rule similar to this:

iptables -t nat -I PREROUTING 1 -p udp --dport 4000 -j LOG

To see if you can match the packets at all.

> If I do:
>
> iptables -t mangle -I PREROUTING 1 -p udp --dport 4000
>
> this rule catches the needed packets, but not in the NAT table! Why?

I would expect that you could match the packets anywhere they traverse the kernel.
> Here is tcpdump from 10.10.100.1:
>
> # tcpdump -i br0 port 4000 -n
> tcpdump: verbose output suppressed, use -v or -vv for full protocol
> decode
> listening on br0, link-type EN10MB (Ethernet), capture size 96 bytes
> 16:36:53.202130 IP 10.10.100.23.4000 > 10.10.100.1.4000: UDP, length: 74
> 16:36:54.092413 IP 10.10.100.21.4000 > 10.10.100.1.4000: UDP, length: 74
> 16:36:54.143128 IP 10.10.100.22.4000 > 10.10.100.1.4000: UDP, length: 74
> 16:36:55.291886 IP 10.10.100.23.4000 > 10.10.100.1.4000: UDP, length: 74
> 16:36:55.545621 IP 10.10.100.22.4000 > 10.10.100.1.4000: UDP, length: 74
> 16:36:55.743096 IP 10.10.100.21.4000 > 10.10.100.1.4000: UDP, length: 74

Hum...

> Once again, all those packets reach the INPUT chain; rules in -t nat -I
> PREROUTING are not working.

You appear to be using a bridge interface, not a real network interface. (Not that this is a problem.) Do you have the "Bridged IP/ARP packets filtering" option enabled in the kernel? If you do, this option will enable NetFilter Layer 3 filtering at the EBTables Layer 2 level. I.e. you can use IPTables to filter bridged traffic. In this case you will need to write rules to allow your bridged traffic to flow through, as it is dependent on your Table / CHAIN default policies.

> So here is the question: Is UDP being DNAT'ed differently
> compared with TCP? What is the difference? How can I DNAT them?

I do not think that the problem is with the protocol(s) per se, but rather the filtering that is in place. Will you please post an iptables-save output so that we can see your entire firewall script to better evaluate what is going on.

> Thanks in advance.

No problem.

> P.S. This kind of UDP ping doesn't require a response, it's just to see
> which remote point is still alive.

Sorry, I have to ask. How are you going to be able to tell if a point is active if you do not get a reply? Are you looking for some sort of anomaly in reply / error (or lack thereof) traffic to determine if a point is active?

Grant.
From lists at andyfurniss.entadsl.com Sat Nov 11 13:17:14 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Sat Nov 11 13:17:12 2006
Subject: [LARTC] Why did I need strange ceiling settings?
In-Reply-To: <002001c7032c$60ce5dd0$0200a8c0@marvin>
References: <002001c7032c$60ce5dd0$0200a8c0@marvin>
Message-ID: <4555BF4A.40406@andyfurniss.entadsl.com>

Philipp Leusmann wrote:
> Hi all,
>
> I recently installed traffic shaping on my ADSL line with a nominal upload
> rate of 1MBit. My Modem says it has an upload bitrate of 843 kbits.
> So I thought, to use a ceiling of 800kbit for the root qdisc is a good idea.
> But with that setting I only achieved upload rates of around 300kbits
> whereas I reached around 650 kbits without traffic shaping.
> Yesterday I played a little with the ceiling value and found that increasing
> it to 175kBps did the job.
> Could anybody please explain this strange behaviour?
>
> My shaping script looks as follows:

I see nothing :-)

DSL usually uses atm and the showtime rate of your modem is at this level. (FWIW 843kbit is not a valid DSL rate (multiple of 32kbit).

You can patch (may be mainline eventually) kernel/tc to do atm rates in which case you can set egress rate close to showtime rate. Without this 80% or less will be needed (depends on traffic packet size).

As for other weirdness - could be that htb/hfsc sometimes choose lame defaults (3/1 IIRC) for queue length on interfaces with low/0 default Q len - ppp/vlan/br etc. So add some qdiscs to leaf classes so you can choose your own lengths.

Andy.

From lists at andyfurniss.entadsl.com Sat Nov 11 13:21:01 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Sat Nov 11 13:20:57 2006
Subject: [LARTC] QoS over Wireless network
In-Reply-To: <4551C922.7040002@ehas.org>
References: <4551C922.7040002@ehas.org>
Message-ID: <4555C02D.9070003@andyfurniss.entadsl.com>

makevuy wrote:
> Hy,
>
> I would want to give QoS a one wireless network. Do you know if exist
> any qdisc specific for this??. I know that the most modern qdisc is
> HFSC, is this true??.
>
> Thanks for all and Regards.
>

Wireless is hard because it's single duplex with collisions - traffic shaping really needs you to know how much bandwidth you have ....

You may be able to get something that's better than nothing by using ifb and sending ingress and egress to one queue - but I've never tried as I don't have any wireless kit.

Andy.

From lists at andyfurniss.entadsl.com Sat Nov 11 13:23:18 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Sat Nov 11 13:23:17 2006
Subject: [LARTC] Ingress qdisc bypassed on SNAT'ed traffic?
In-Reply-To: <355a4e960611052024v494d870l77e621d0e18e216c@mail.gmail.com>
References: <355a4e960611051946s4759a7c2k5e8dbe9aa3755342@mail.gmail.com> <454EB474.4050702@vsnl.com> <355a4e960611052024v494d870l77e621d0e18e216c@mail.gmail.com>
Message-ID: <4555C0B6.8000407@andyfurniss.entadsl.com>

EKC wrote:
> Unfortunately, that NAT gateway address should have been a routable
> address (I'm debugging this in vmware at the moment).
>
> Considering that, it looks like I'm going to have to play around with IMQ.

If you say no to packet action in kernel config then you get to choose the old policer - which does hook after deNAT.

Andy.

From lists at andyfurniss.entadsl.com Sat Nov 11 13:54:00 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Sat Nov 11 13:53:55 2006
Subject: [LARTC] Strategy for penalising IPs with too many simultaneous sessions
In-Reply-To: <454C762C.2040207@sharp.fm>
References: <454BDA1F.2010301@sharp.fm> <454BEEFC.4030707@vsnl.com> <454C762C.2040207@sharp.fm>
Message-ID: <4555C7E8.4070802@andyfurniss.entadsl.com>

Graham Leggett wrote:
> Mohan Sundaram wrote:
>
>> I've my misgivings with this scheme.
>>
>> What you are doing makes sense only if the number of connections is a
>> constrained resource. If bandwidth is the constraint, then shaping by
>> source IP irrespective of number of connections will do the job. As
>> far as I've seen, routers can support 200k connections and this is
>> sufficient for many large LANs - say 500 node LAN with 400 connections
>> per node.
>>
>> In many cases, the user may not know how many connections he is
>> opening or which app is consuming connections. Thus, the user may not
>> be in a position to take remedial action and hence will be at a
>> disadvantage.
>
>
> In the network in question, bandwidth is minimal (many many users
> sharing 512kbps). As a result, unlike in typical networks where
> simultaneous connections are statistically insignificant, in this case
> one user running many bittorrents can pretty much wipe out network
> performance to a ratio of 20 to 1 or more.
>
> The typical response I have seen to this scenario is to try and
> prioritise certain protocols over others, but this strategy has the
> disadvantage of dictating to the user that they can only use those
> certain protocols.
>
> What I would like to do instead is allow the user to use any protocol
> they like, with the caveat that attempting to open many connections
> simultaneously will result in a steadily decreasing share of the pipe,
> rather than a steadily increasing one.

Your aims are admirable - I left my last ISP because they implemented app discrimination.
Maybe they couldn't set their Ellacoyas to do it fairly - whatever.

Your situation is different - many many on 512kbs (512kbit or 4mbit?) either way the problem is that you are trying to shape ingress from the wrong end of the bottleneck which just isn't easy or totally doable. Egress shouldn't be affected by number of connections.

As you have found the more connections the harder ingress shaping becomes - and you may need to sacrifice 50% of your bandwidth to keep control.

There are things that can be tweaked regarding your setup - queue lengths being the main one. If you give users their own queues then you have to compromise - either the total is too long for your link or you have too short a queue for each user. ESFQ is the only thing (need to patch) that will do user fairness and maintain a queue len setting for the link (would be nice if hfsc etc could do this - may be possible to hack it as I see there is a drop function on leaf queues IIRC).

Another hack is to make the esfq head drop (assumes you only send bulk/established connections to it).

Without patching/hacking the thing to do is use short queues to make sure you drop packets often so the tcp senders don't flood your ISP/telco buffer. On 512kbit I also used to send new connections to an even shorter queue (new marked using iptables connbytes), this gets them out of tcp slowstart quicker.

Bittorrent is slightly harder as it uses tcp full duplex for bulk - so acks tend to get piggybacked and stuck in egress queues meaning that non piggybacked acks overtake them (assuming your egress is set this way) and ack big chunks of a window at once causing burstiness - using short queues for egress bt helps this.

You are always going to be somewhat screwed when ingress shaping as nothing happens to your shaping until it's too late - maybe someone will make an ingress shaper one day that can be a bit predictive and back off other traffic for new connections sooner rather than later.

Andy.
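Graham's stated aim in this thread (a host's share of the pipe should fall as its number of simultaneous connections rises) needs, before any shaping decision, a count of live connections per internal host; a later reply in the thread suggests sampling /proc/net/ip_conntrack periodically and selecting the top x% of source IPs by connection count. The block below is an added example written for this page, not code from any poster: it parses constructed lines in the 2.6-era /proc/net/ip_conntrack text layout, counts TCP and UDP entries per host in an assumed 10.0.0.0/24 LAN, and picks the busiest hosts for a penalty class. The LAN prefix, every address, the 30% cut and the minimum of 3 connections are assumptions, not values from the thread.

```python
"""Count conntrack entries per LAN source host and pick the heaviest
connection openers.  Added example, not from any poster in this thread.
Assumptions: the 2.6-era /proc/net/ip_conntrack text layout, one internal
prefix, and a made-up policy (top FRACTION of active hosts by connection
count, each with at least MIN_CONNECTIONS entries, go into a penalty set)."""
import ipaddress
import math
import re
from collections import Counter

LAN = ipaddress.ip_network("10.0.0.0/24")  # assumed internal prefix

# Constructed sample, not a real capture.  One entry per line in the
# /proc/net/ip_conntrack layout: proto, proto number, timeout, optional
# TCP state, original-direction tuple, reply-direction tuple, flags.
# 10.0.0.5 is the bittorrent-style host, 10.0.0.7 is pinging, and the
# last line is an inbound connection whose source is outside the LAN.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=203.0.113.10 sport=51000 dport=6881 src=203.0.113.10 dst=198.51.100.1 sport=6881 dport=51000 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=203.0.113.11 sport=51001 dport=6881 src=203.0.113.11 dst=198.51.100.1 sport=6881 dport=51001 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=10.0.0.5 dst=203.0.113.12 sport=51002 dport=6881 src=203.0.113.12 dst=198.51.100.1 sport=6881 dport=51002 [ASSURED] use=1
udp      17 29 src=10.0.0.5 dst=203.0.113.13 sport=6881 dport=6881 src=203.0.113.13 dst=198.51.100.1 sport=6881 dport=6881 use=1
udp      17 29 src=10.0.0.5 dst=203.0.113.14 sport=6881 dport=6881 [UNREPLIED] src=203.0.113.14 dst=198.51.100.1 sport=6881 dport=6881 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.6 dst=203.0.113.20 sport=40000 dport=80 src=203.0.113.20 dst=198.51.100.1 sport=80 dport=40000 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=10.0.0.6 dst=203.0.113.21 sport=40001 dport=443 src=203.0.113.21 dst=198.51.100.1 sport=443 dport=40001 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=10.0.0.7 dst=203.0.113.30 sport=35000 dport=22 src=203.0.113.30 dst=198.51.100.1 sport=22 dport=35000 [ASSURED] use=1
icmp     1 29 src=10.0.0.7 dst=203.0.113.31 type=8 code=0 id=1234 src=203.0.113.31 dst=198.51.100.1 type=0 code=0 id=1234 use=1
tcp      6 431999 ESTABLISHED src=203.0.113.40 dst=198.51.100.1 sport=5555 dport=22 src=198.51.100.1 dst=203.0.113.40 sport=22 dport=5555 [ASSURED] use=1
"""

# proto, two numeric fields, an optional upper-case TCP state, then the
# first (original-direction) src= / dst= pair.  Anything else is ignored.
ENTRY = re.compile(
    r"^(?P<proto>[a-z]+)\s+\d+\s+\d+\s+(?:[A-Z_]+\s+)?"
    r"src=(?P<src>[0-9.]+)\s+dst=(?P<dst>[0-9.]+)"
)


def connections_per_host(conntrack_text, lan=LAN, protocols=("tcp", "udp")):
    """Return Counter {source IP -> number of conntrack entries} for hosts in lan.

    Only the original-direction src is used, so outbound connections through
    NAT are attributed to the internal host and inbound entries (src outside
    lan) are skipped.  ICMP is excluded by default so that pings are not
    counted as "connections" (the definition question raised in the thread).
    """
    counts = Counter()
    for line in conntrack_text.splitlines():
        m = ENTRY.match(line)
        if not m or m.group("proto") not in protocols:
            continue
        src = ipaddress.ip_address(m.group("src"))
        if src in lan:
            counts[str(src)] += 1
    return counts


def penalty_candidates(counts, fraction=0.3, min_connections=3):
    """Select the top `fraction` of active hosts ranked by connection count.

    Hosts with fewer than min_connections entries are never selected, so a
    light user is not penalised merely for being the busiest of a quiet
    group.  Returns [(ip, count), ...] heaviest first.  Both thresholds are
    assumed policy values, not numbers from the thread.
    """
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    if not ranked:
        return []
    slots = math.ceil(len(ranked) * fraction)
    return [(ip, n) for ip, n in ranked[:slots] if n >= min_connections]


if __name__ == "__main__":
    counts = connections_per_host(SAMPLE_CONNTRACK)
    for ip, n in sorted(counts.items()):
        print(f"{ip:15} {n} connections")
    print("penalty set:", penalty_candidates(counts))
```

On a real router the sample text would come from reading /proc/net/ip_conntrack every few minutes; what to do with the returned list (an ipset, an fwmark into a slower HTB class, or a temporary block on new connections) is the policy decision the thread is debating, and the minimum-count guard is there because a ranking alone always names somebody.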
From lists at andyfurniss.entadsl.com Sat Nov 11 14:05:24 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Sat Nov 11 14:05:18 2006
Subject: [LARTC] QoS + TOS field
In-Reply-To: <20061101233340.8315.qmail@web38804.mail.mud.yahoo.com>
References: <20061101233340.8315.qmail@web38804.mail.mud.yahoo.com>
Message-ID: <4555CA94.8010307@andyfurniss.entadsl.com>

Sergiy Lozovsky wrote:
> Hi,
>
> I'm trying to figure out how to use Linux QoS. Default
> setting has three queues (bands) and should prioritise
> outgoing traffic based on TOS field. I try to test
> that by flooding Ethernet interface by netperf or
> iptraf and running ping -f with -Q and without Q. -Q
> doesn't affect ping results, it suffers anyway. It
> seems that I don't understand something. I verified
> that -Q traffic goes through higher priority queue.
>
> I can make it work if I shape traffic at lower
> priority queue, but I would like to avoid that,
> because can't always predict bandwidth of connection.
>
> I would appreciate any insight on that.

Works for me - well if you don't shape then you will have a nic driver dependent buffer after the queue maybe yours is bigger - but if you start enough tcps to get a big backlog then you should be able to see the difference.

Andy.

From lists at andyfurniss.entadsl.com Sat Nov 11 14:10:10 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Sat Nov 11 14:10:03 2006
Subject: [LARTC] Errors with GRED after upgrading to 2.6.18 kernel
In-Reply-To: <0E24ED2A7F9AA349A8633E6A56A64BE0027A80FB@XCH-SW-2V1.sw.nos.boeing.com>
References: <0E24ED2A7F9AA349A8633E6A56A64BE0027A80FB@XCH-SW-2V1.sw.nos.boeing.com>
Message-ID: <4555CBB2.6040707@andyfurniss.entadsl.com>

Flechsenhaar, Jon J wrote:
> ALL:
>
> <>
>
> I have attached the current script that I am using.
>
> $TC qdisc add dev $EDEV parent 2:20 gred setup DPs 3 default 2 grio
> $TC qdisc change dev $EDEV parent 2:20 gred DP 1 limit $lim min $minTh max $maxTh avpkt $avgPL burst $bursty bandwidth $netBand probability 0.02 prio 2
> $TC qdisc change dev $EDEV parent 2:20 gred DP 2 limit $lim min $minTh max $maxTh avpkt $avgPL burst $bursty bandwidth $netBand probability 0.04 prio 3
> $TC qdisc change dev $EDEV parent 2:20 gred DP 3 limit $lim min $minTh max $maxTh avpkt $avgPL burst $bursty bandwidth $netBand probability 0.06 prio 4
> ### GRED for AF2
>
> $TC qdisc add dev $EDEV parent 2:30 gred setup DPs 3 default 2 grio
> $TC qdisc change dev $EDEV parent 2:30 gred DP 1 limit $lim min $minTh max $maxTh avpkt $avgPL burst $bursty bandwidth $netBand probability 0.02 prio 2
> $TC qdisc change dev $EDEV parent 2:30 gred DP 2 limit $lim min $minTh max $maxTh avpkt $avgPL burst $bursty bandwidth $netBand probability 0.04 prio 3
> $TC qdisc change dev $EDEV parent 2:30 gred DP 3 limit $lim min $minTh max $maxTh avpkt $avgPL burst $bursty bandwidth $netBand probability 0.06 prio 4
> ### GRED for AF3
>
> $TC qdisc add dev $EDEV parent 2:40 gred setup DPs 3 default 2 grio
> $TC qdisc change dev $EDEV parent 2:40 gred DP 1 limit $lim min $minTh max $maxTh avpkt $avgPL burst $bursty bandwidth $netBand probability 0.02 prio 2
> $TC qdisc change dev $EDEV parent 2:40 gred DP 2 limit $lim min $minTh max $maxTh avpkt $avgPL burst $bursty bandwidth $netBand probability 0.04 prio 3
> $TC qdisc change dev $EDEV parent 2:40 gred DP 3 limit $lim min $minTh max $maxTh avpkt $avgPL burst $bursty bandwidth $netBand probability 0.06 prio 4
> ### GRED for AF4
>
> $TC qdisc add dev $EDEV parent 2:50 gred setup DPs 3 default 2 grio
> $TC qdisc change dev $EDEV parent 2:50 gred DP 1 limit $lim min $minTh max $maxTh avpkt $avgPL burst $bursty bandwidth $netBand probability 0.02 prio 2
> $TC qdisc change dev $EDEV parent 2:50 gred DP 2 limit $lim min $minTh max $maxTh avpkt $avgPL burst $bursty bandwidth $netBand probability 0.04 prio 3
> $TC qdisc change dev $EDEV parent 2:50 gred DP 3 limit $lim min $minTh max $maxTh avpkt $avgPL burst $bursty bandwidth $netBand probability 0.06 prio 4
>
> Each DP3 line gives me an error. If I comment it out the error goes
> away. The line translates to below.
>
> I get an error with the following line
> ++ /usr/sbin/tc qdisc change dev eth0 parent 2:20 gred DP 3 limit 60kb min 10kb max 20kb avpkt 1500 burst 9 bandwidth 500kbit probability 0.06 prio 4
> RTNETLINK answers: Invalid argument
>
> after each DP 3 on each gred.
>
> This started happening after I upgraded to 2.6.18 from 2.4.20 kernel.
> Anyone have any ideas?

I would ask on netdev about this one - I don't use GRED - the last changes I can remember were by Thomas Graf, I don't think he lurks here anymore.

Andy.

From oscar at ufomechanic.net Sat Nov 11 14:42:04 2006
From: oscar at ufomechanic.net (Oscar Mechanic)
Date: Sat Nov 11 14:43:13 2006
Subject: [LARTC] Strategy for penalising IPs with too many simultaneous sessions
In-Reply-To: <4555C7E8.4070802@andyfurniss.entadsl.com>
References: <454BDA1F.2010301@sharp.fm> <454BEEFC.4030707@vsnl.com> <454C762C.2040207@sharp.fm> <4555C7E8.4070802@andyfurniss.entadsl.com>
Message-ID: <1163252524.9192.32.camel@OSCARLAPLIN>

As Andy mooted, there are commercial products that will attempt to do this for you, like Allot/Elacoya/DBAM; the implementation and testing is where these scenarios fail. It sounds good in theory until you do it, then all these odd network errors start occurring, because you are now in the debate as to what defines an open or closed connection.

But here is what I know. Look at the simplest:

dstlimit
This module allows you to limit the packet per second (pps) rate on a per destination IP or per destination port base. As opposed to the "limit" match, every destination ip / destination port has its own limit.

Performance is a problem with the above. Another iptables target is connrate; you can use this to limit connections from a set of IP addresses. So what you need to do is build up a list of IPs in a timer set and limit them however.

recent
Allows you to dynamically create a list of IP addresses and then match against that list in a few different ways.

Here is a hack method of doing it, imagining you are using the layer7 patch. Note you could do this using a span port if you don't want to be inline.

Every 10 minutes cat /proc/net/ip_conntrack and put the output into a database. Then use SQL group by statements to count the number of connections per IP address src and say limit it to the TOP x%. Put this x% into an ipset and ratelimit the connections OR stop them creating new connections for 10 minutes, using the ctstate to stop it. Or you can be fancy and redirect them to a webpage, and until they click OK they are still in the ipset.

Enjoy reading about /proc/sys/.../*conntrack* params.
1 Huge double sided warning: don't deploy this until you have really tested it. The definition of what a connection is, and when it is defined as open or closed, is a complex subject, e.g. is each ping a connection? Or are you only going to limit UDP/TCP, in which case what about tunnelling? Remember if someone has a virus that creates connections this is another problem.

On Sat, 2006-11-11 at 12:54 +0000, Andy Furniss wrote:
> Graham Leggett wrote:
> > Mohan Sundaram wrote:
> >
> >> I've my misgivings with this scheme.
> >>
> >> What you are doing makes sense only if the number of connections is a
> >> constrained resource. If bandwidth is the constraint, then shaping by
> >> source IP irrespective of number of connections will do the job. As
> >> far as I've seen, routers can support 200k connections and this is
> >> sufficient for many large LANs - say 500 node LAN with 400 connections
> >> per node.
> >>
> >> In many cases, the user may not know how many connections he is
> >> opening or which app is consuming connections. Thus, the user may not
> >> be in a position to take remedial action and hence will be at a
> >> disadvantage.
> >
> >
> > In the network in question, bandwidth is minimal (many many users
> > sharing 512kbps). As a result, unlike in typical networks where
> > simultaneous connections are statistically insignificant, in this case
> > one user running many bittorrents can pretty much wipe out network
> > performance to a ratio of 20 to 1 or more.
> >
> > The typical response I have seen to this scenario is to try and
> > prioritise certain protocols over others, but this strategy has the
> > disadvantage of dictating to the user that they can only use those
> > certain protocols.
> >
> > What I would like to do instead is allow the user to use any protocol
> > they like, with the caveat that attempting to open many connections
> > simultaneously will result in a steadily decreasing share of the pipe,
> > rather than a steadily increasing one.
>
> Your aims are admirable - I left my last ISP because they implemented
> app discrimination. Maybe they couldn't set their Ellacoyas to do it
> fairly - whatever.
>
> Your situation is different - many many on 512kbs (512kbit or 4mbit?)
> either way the problem is that you are trying to shape ingress from the
> wrong end of the bottleneck which just isn't easy or totally doable.
> Egress shouldn't be affected by number of connections.
>
> As you have found the more connections the harder ingress shaping
> becomes - and you may need to sacrifice 50% of your bandwidth to keep
> control.
>
> There are things that can be tweaked regarding your setup - queue
> lengths being the main one. If you give users their own queues then you
> have to compromise - either the total is too long for your link or you
> have too short a queue for each user. ESFQ is the only thing (need to
> patch) that will do user fairness and maintain a queue len setting for
> the link (would be nice if hfsc etc could do this - may be possible to
> hack it as I see there is a drop function on leaf queues IIRC).
>
> Another hack is to make the esfq head drop (assumes you only send
> bulk/established connections to it).
>
> Without patching/hacking the thing to do is use short queues to make
> sure you drop packets often so the tcp senders don't flood your
> ISP/telco buffer. On 512kbit I also used to send new connections to an
> even shorter queue (new marked using iptables connbytes), this gets them
> out of tcp slowstart quicker.
>
> Bittorrent is slightly harder as it uses tcp full duplex for bulk - so
> acks tend to get piggybacked and stuck in egress queues meaning that non
> piggybacked acks overtake them (assuming your egress is set this way)
> and ack big chunks of a window at once causing burstiness - using short
> queues for egress bt helps this.
>
> You are always going to be somewhat screwed when ingress shaping as
> nothing happens to your shaping until it's too late - maybe someone
> will make an ingress shaper one day that can be a bit predictive and
> back off other traffic for new connections sooner rather than later.
>
> Andy.
>
>
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From kaber at trash.net Sat Nov 11 14:53:14 2006
From: kaber at trash.net (Patrick McHardy)
Date: Sat Nov 11 14:53:22 2006
Subject: [LARTC] Errors with GRED after upgrading to 2.6.18 kernel
In-Reply-To: <0E24ED2A7F9AA349A8633E6A56A64BE0027A80FB@XCH-SW-2V1.sw.nos.boeing.com>
References: <0E24ED2A7F9AA349A8633E6A56A64BE0027A80FB@XCH-SW-2V1.sw.nos.boeing.com>
Message-ID: <4555D5CA.7070006@trash.net>

Flechsenhaar, Jon J wrote:
> $TC qdisc add dev $EDEV parent 2:20 gred setup DPs 3 default 2 grio
> after each DP 3 on each gred.
>
> This started happening after I upgraded to 2.6.18 from 2.4.20 kernel.
> Anyone have any ideas??

I think DPs start at zero, so you have 0, 1 and 2. 3 is out of bounds and is reported as an error in current kernel.

From lists at andyfurniss.entadsl.com Sat Nov 11 16:03:43 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Sat Nov 11 16:03:38 2006
Subject: [LARTC] HFSC question??
In-Reply-To: <20061013122832.56363.qmail@web35501.mail.mud.yahoo.com>
References: <20061013122832.56363.qmail@web35501.mail.mud.yahoo.com>
Message-ID: <4555E64F.8000103@andyfurniss.entadsl.com>

Thossapron Apinyapanha wrote:
> 1. HFSC have 4 curve such sc, rc, ls, ul and
> 1.1 In leaf class can specify rc for guarantee service (bandwidth and delay)
> and If want to sharing fairness excess service, we must specify ls and ul curve too
> (ls curve with parameter m2 specify at least sharing bandwidth in that class will receive and
> ul curve mean maximum bandwidth in that class will receive)
> so i'm doubt .. about if i specify sc curve in leaf class too, what's it mean??
> rc, ls, ul + sc -> what's it mean?
> rc + sc -> what's it mean?

On leaf sc = rt + ls ie. rt up to its limit but able to go higher if there is spare bandwidth to borrow with no rt guarantees.

On inner classes I guess sc is the same as ls.

>
> In interior class can't specify rc curve but we can specify ls curve for doing link-sharing criterion
> and can sharing fairness excess service too.
> but so if i specify sc curve in leaf class too, what's it mean?? like
> how different if i specify "ls, ul and sc" and "ls, ul"???
>
> In root class, what is it mean if i specify
> sc -> what's it mean?
> ls +ul -> what's it mean?
>
> 1.2 so can i conclude ls, ul, rc are subset's sc curve.
> and in each curve we can calculate bandwidth and delay bound .????
> because all 4 curve have same parameter such m1 ,d , m2
>
> 2. i read a lot of HFSC paper about parameter (m1,d,m2)
> some paper tell me ... d is interval time
> (first will sending with m1 rate but after interval d parameter, it will change
> rate to m2)
> but some paper tell me .. d is delay bound in that class
> (first will sending with m1 rate but when after exceed delay bound,
> it will change rate to m2)
> what's it true??
Look at the picture on p10 of the sigcomm paper - I think d in (m1,d,m2) is x which is either the same as d max or different depending on the shape of the curve. Linux HFSC will convert (umax, dmax, rate) to (m1,d,m2).

> 2.1 if d are interval time so how HFSC calculate delay?
> 2.2 Is it true? -> "delay bound calculation from service curve"
>
> 3. this is my big problem with HFSC theory ...
> in HFSC has 2 criterion such real time and link-sharing criterion
> so when packet coming in traffic control linux box
> hfsc will checking eligible time in each package
> If eligible time < t
> (i'm don't understand how eligible working or how it classify eligible package or not?)
> or it's package that dangerous for exceed deadline time
> so it manage package with "real time criterion" and choosing
> package with lowest deadline time for dequeue
>
> but if it's not, it will manage with "link sharing criterion"
> and choosing package with lowest virtual time
> (this is a big don't understand why choose lowest virtual time?
> because it's mean class with have lowest will choose to dequeue
> and what about another class that virtual time are now low??
> how it can manage???
> and i don't understand why must choose lowest not max virtual time?
> Is it relative with fairness excess service all class?

I guess time moves on so vt on classes gets lower.

>
> 4. my lab... i found bandwidth allocation by HFSC
> comparation with HTB ... found
> At first time that class starting up, HFSC will receive bandwidth nearly
> upperlimit rate no matter in that time have a lot class active????
> (it's like can send with burst rate in HTB)
> so comparation with HTB,
> At first time that class starting up, HTB receive bandwidth not peak like
> burst but it use interval time for increase bandwidth until start with rate and then with ceil.
>

Hmm, for how long (bytes) does that burst happen with hfsc, what rates? I know empirically that rt classes are sort of work conserving in the Linux (and BSD?) implementations. The algorithm in the paper is different and more non work conserving as I see it.

> 5. i read a lot of HTB's tc command case, with try to test burst situation ,
> i don't know why burst parameter their specify not much like 12kbit
> (but rate and ceil rate are so different from 12kbit such 200kbit
> so i will follow them,, but after plot graph .... i don't see burst characteristic
> at first time class active ...
> Is i'm wrong to use burst parameter value 12 kbit???? it's too small?????
> are

Burst is a buffer size so 12kbit=1.5kB slightly less than a 1500 byte packet if shaping on eth (IPlen +14). Also the max rate of a backlogged class is burst * Hz. On slow links setting burst < pktlen/low doesn't hurt.

Andy.

From jan at aims.ac.za Sat Nov 11 19:01:00 2006
From: jan at aims.ac.za (Jan Groenewald)
Date: Sat Nov 11 19:01:31 2006
Subject: [LARTC] Strategy for penalising IPs with too many simultaneous sessions
In-Reply-To: <454BEEFC.4030707@vsnl.com>
References: <454BDA1F.2010301@sharp.fm> <454BEEFC.4030707@vsnl.com>
Message-ID: <20061111180100.GJ5850@aims.ac.za>

Hi

On Sat, Nov 04, 2006 at 07:08:04AM +0530, Mohan Sundaram wrote:
> What you are doing makes sense only if the number of connections is a
> constrained resource. If bandwidth is the constraint, then shaping by
> source IP irrespective of number of connections will do the job. As far
> as I've seen, routers can support 200k connections and this is
> sufficient for many large LANs - say 500 node LAN with 400 connections
> per node.

I have this situation where the source IPs change on a wireless mesh. I want fair nat. I found the fairnat script and have been reading the lartc howto, but am not sure how to proceed. (fairnat at http://www.metamorpher.de/fairnat/)

I want everyone to burst to (almost, a specified percentage like 90%) full, but when all IPs are on, to share fairly irrespective of number of connections. The IPs change dynamically. If the user doesn't know why their P2P or download manager is slowing them down, their problem. They can run whatever they want. I just don't want one user to flood out the rest, and there should be a little spare so it doesn't take time to correct for light users.

Oh, and upload limiting (also fairly) for the lot would be good, as this rate is limited, e.g. 512 down and 128 up.

And it is running on freifunk on a Linksys WRT 54 GL, so performance might be an issue on the 200MHz processor. At the moment freifunk comes with ingress (by internal destination IP) limiting quite nicely.

The number of clients is expected to be 0 to 64. I can deal with large numbers of clients later, if it ever happens.

cheers,
Jan

--
.~.
/V\     Jan Groenewald
/( )\   www.aims.ac.za
^^-^^

From local.usr at gmail.com Sat Nov 11 22:00:01 2006
From: local.usr at gmail.com (user local)
Date: Sat Nov 11 22:00:17 2006
Subject: [LARTC] Multi Homed Host
In-Reply-To: <20061105203341.GJ15520@aims.ac.za>
References: <20061105203341.GJ15520@aims.ac.za>
Message-ID:

2006/11/5, Jan Groenewald :
>
> Hi
>
> On Mon, Nov 06, 2006 at 12:53:27AM +0530, Net Cerebrum wrote:
> > Can someone refer me to any links which explain how to configure a stand
> > alone linux host (not a router) with 2 ISP links in such a way that the
> > traffic is distributed between the 2 ISPs ?
>
> http://lartc.org/howto/lartc.rpdb.multiple-links.html

What if the ISP providing "that routes to often-used sites" goes down? Will the router deal with this situation, providing new routes through the other provider, or will it be a mess on the LAN? (e.g. private LAN with two possible connections: one with a fixed public IP, but very slow -- 64 kb/s, and the other one through another private LAN, but with (much) higher bandwidth -- about 1Mb/s; ISP provided forwarders: when "Internet is down" on either configuration, congestion is obvious).

From koffiejunkielistlurker at koffiejunkie.za.net Sat Nov 11 23:58:48 2006
From: koffiejunkielistlurker at koffiejunkie.za.net (Hans du Plooy)
Date: Sat Nov 11 23:58:53 2006
Subject: [LARTC] Lartc documentation version?
Message-ID: <1163285928.891.31.camel@theluggage.hansdp.za.net>

Hi guys,

I'm just lurking and learning. Went to the lartc web page to read the howto. The page says the current version is 1.0.0 but in the pdf, on page 2 it says "Revision: 1.43" - Which is it?

Also, the instructions for cvs checkout give me this:

Logging in to :pserver:anon@outpost.ds9a.nl:2401/var/cvsroot
CVS password:
cvs [login aborted]: connect to outpost.ds9a.nl(213.244.168.210):2401 failed: Connection refused

I'm using the password suggested on the page.

Thanks
Hans

From Philipp.Leusmann at rwth-aachen.de Sun Nov 12 16:51:54 2006
From: Philipp.Leusmann at rwth-aachen.de (Philipp Leusmann)
Date: Sun Nov 12 16:52:21 2006
Subject: [LARTC] Why did I need strange ceiling settings? (full version)
Message-ID: <002901c70672$7fde9340$0200a8c0@marvin>

Sorry I pressed the wrong key and sent the message too early...

> -----Original Message-----
> From: Philipp Leusmann [mailto:philipp.leusmann@rwth-aachen.de]
> Sent: Wednesday, 8 November 2006 12:53
> To: 'lartc@mailman.ds9a.nl'
> Subject: Why did I need strange ceiling settings?
>
> Hi all,
>
> I recently installed traffic shaping on my ADSL line with a nominal upload
> rate of 1MBit. My Modem says it has an upload bitrate of 843 kbits.
> So I thought, to use a ceiling of 800kbit for the root qdisc is a good
> idea.
> But with that setting I only achieved upload rates of around 300kbits
> whereas I reached around 650 kbits without traffic shaping.
> Yesterday I played a little with the ceiling value and found that
> increasing it to 175kBps did the job.
> Could anybody please explain this strange behaviour?
>
> My shaping script looks as follows:

UPRATE="175kbps"
P2PRATE="20kbps"
PRIORATE1="80kbps"
PRIORATE2="50kbps"
PRIORATE3="40kbps"
PRIORATE4="5kbps"

MTU="`/sbin/ifconfig $EXTIF | grep 'MTU' | awk '{print $6}' | sed -e 's/.*://'`"

# Quantum
QUANTUM1=$(($MTU*4))
QUANTUM2=$(($MTU*3))
QUANTUM3=$(($MTU*2))
QUANTUM4=$MTU

# Burst
## removed bursts
#BURST1="6k"
#BURST2="4k"
#BURST3="2k"
#BURST4="0k"
#CBURST1="3k"
#CBURST2="2k"
#CBURST3="1k"
#CBURST4="0k"

echo "Set queue length for IFACE"
# Set queue length for IFACE
ifconfig $IFACE txqueuelen 16

echo "Trying to delete old ruleset. Will give error if it does not exist"
tc qdisc del dev $IFACE root

echo "Specify queue discipline"
# Specify queue discipline
tc qdisc add dev $IFACE root handle 1:0 htb default 103

echo "Set root class"
# Set root class
tc class add dev $IFACE parent 1:0 classid 1:1 htb rate $UPRATE ceil $UPRATE

echo "Specify sub classes"
# Specify sub classes
tc class add dev $IFACE parent 1:1 classid 1:101 htb rate $PRIORATE1 ceil $UPRATE quantum $QUANTUM1 prio 0
tc class add dev $IFACE parent 1:1 classid 1:102 htb rate $PRIORATE2 ceil $UPRATE quantum $QUANTUM2 prio 1
tc class add dev $IFACE parent 1:1 classid 1:103 htb rate $PRIORATE3 ceil $UPRATE quantum $QUANTUM3 prio 2
tc class add dev $IFACE parent 1:1 classid 1:104 htb rate $PRIORATE4 ceil $P2PRATE quantum $QUANTUM4 prio 3

echo "Filter packets"
# Filter packets
tc filter add dev $IFACE parent 1:0 protocol ip prio 0 handle $MARKPRIO1 fw classid 1:101
tc filter add dev $IFACE parent 1:0 protocol ip prio 1 handle $MARKPRIO2 fw classid 1:102
tc filter add dev $IFACE parent 1:0 protocol ip prio 2 handle $MARKPRIO3 fw classid 1:103
tc filter add dev $IFACE parent 1:0 protocol ip prio 3 handle $MARKPRIO4 fw classid 1:104

Thanks in advance and sorry for the incomplete posting.

Greetings,
Philipp

From e1605projecter at yahoo.com Sun Nov 12 19:18:44 2006
From: e1605projecter at yahoo.com (Thossapron Apinyapanha)
Date: Sun Nov 12 19:18:51 2006
Subject: [LARTC] Script for get bandwidth statistic from iptable
Message-ID: <20061112181844.11788.qmail@web35501.mail.mud.yahoo.com>

I searched a lot of forums for how to get bandwidth statistics such as the number of packets and total bytes in each application protocol by using IPTABLES + netfilter-layer7,

but I don't know which script to use for getting it into a log file and using the data afterwards for plotting a graph later.

My IPTABLES commands are like this:

iptables -t mangle -N all
iptables -t mangle -A POSTROUTING -j all
iptables -t mangle -A POSTROUTING -p udp --sport 4444 -j CLASSIFY --set-class 1:11
iptables -t mangle -A POSTROUTING -m layer7 --l7proto mms -j CLASSIFY --set-class 1:12
iptables -t mangle -A POSTROUTING -m layer7 --l7proto telnet -j CLASSIFY --set-class 1:13
iptables -t mangle -A POSTROUTING -m layer7 --l7proto ftp ftp-data -j CLASSIFY --set-class 1:14
iptables -t mangle -A POSTROUTING -m layer7 --l7proto http -j CLASSIFY --set-class 1:15

Please advise me about a perl script.

From lists at andyfurniss.entadsl.com Sun Nov 12 21:32:16 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Sun Nov 12 21:32:03 2006
Subject: [LARTC] bridge stops bridging
Message-ID: <455784D0.6090501@andyfurniss.entadsl.com>

I recently upgraded my gateway to a pIII 600 with a zyxel 4 port nic (tulip) and bridge eth0 and eth1; eth0 is a crossover cable to my PC, eth1 a switch.

I don't have ifconfig on this box (LFS) and couldn't find any examples of bridging using ip - maybe this is relevant maybe not - I've tried a few combinations of different orders of setting things up. Is there a magic one?

There is normally no traffic across the bridge - it is all to/from br0 (it's still "needed" though, for games that use ipx/same subnet and I multicast out of br0 (don't know how to add a mcast route to more than one if).

I expected things to just bridge, but this does not always happen (maybe timeout) eg pinging a box on the switch from a box on eth0 fails at ip level - arp passes eth0 both ways, but I can't see any ip with tcpdump on eth0; pinging from a box on the switch however doesn't get arp replies from eth0.

I can fix it by running a script on the bridge box to toggle eth0 down/up, which forces learning and all is then OK.

brctl showmacs br0 looks no different whether it's working or not - all macs are shown and traffic to/from br0 always works.

Kernel (tainted by dsl modem) is 2.6.17.11, iproute2-ss060323, bridge-utils 1.1. STP off (turning on doesn't fix)

Andy.

From lists at andyfurniss.entadsl.com Sun Nov 12 21:50:57 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Sun Nov 12 21:50:43 2006
Subject: [LARTC] Why did I need strange ceiling settings? (full version)
In-Reply-To: <002901c70672$7fde9340$0200a8c0@marvin>
References: <002901c70672$7fde9340$0200a8c0@marvin>
Message-ID: <45578931.9070009@andyfurniss.entadsl.com>

Philipp Leusmann wrote:

You will need to back off from the rates more and use kbit of course.

> tc qdisc add dev $IFACE root handle 1:0 htb default 103

default is bad if $IFACE is eth: your arp will go here; also if eth, quantum should be set to ip mtu + 14.

> 
> echo "Set root class"
> # Set root class
> tc class add dev $IFACE parent 1:0 classid 1:1 htb rate $UPRATE ceil $UPRATE
> echo "Specify sub classes"
> # Specify sub classes
> tc class add dev $IFACE parent 1:1 classid 1:101 htb rate $PRIORATE1 ceil
> $UPRATE quantum $QUANTUM1 prio 0
> tc class add dev $IFACE parent 1:1 classid 1:102 htb rate $PRIORATE2 ceil
> $UPRATE quantum $QUANTUM2 prio 1
> tc class add dev $IFACE parent 1:1 classid 1:103 htb rate $PRIORATE3 ceil
> $UPRATE quantum $QUANTUM3 prio 2
> tc class add dev $IFACE parent 1:1 classid 1:104 htb rate $PRIORATE4 ceil
> $P2PRATE quantum $QUANTUM4 prio 3

Using different quantums makes more sense if classes have the same prio - like this the higher prio classes get all spare anyway if they need it.

> 
> echo "Filter packets"
> # Filter packets
> tc filter add dev $IFACE parent 1:0 protocol ip prio 0 handle $MARKPRIO1 fw
> classid 1:101
> tc filter add dev $IFACE parent 1:0 protocol ip prio 1 handle $MARKPRIO2 fw
> classid 1:102
> tc filter add dev $IFACE parent 1:0 protocol ip prio 2 handle $MARKPRIO3 fw
> classid 1:103
> tc filter add dev $IFACE parent 1:0 protocol ip prio 3 handle $MARKPRIO4 fw
> classid 1:104

Makes no difference as such in this case, but highest prio for filters is 1.

Andy.

From lists at andyfurniss.entadsl.com Sun Nov 12 21:54:59 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Sun Nov 12 21:54:42 2006
Subject: [LARTC] Lartc documentation version?
In-Reply-To: <1163285928.891.31.camel@theluggage.hansdp.za.net>
References: <1163285928.891.31.camel@theluggage.hansdp.za.net>
Message-ID: <45578A23.8030500@andyfurniss.entadsl.com>

Hans du Plooy wrote:
> Hi guys,
> 
> I'm just lurking and learning. Went to the lartc web page to read the
> howto. The page says the current version is 1.0.0 but in the pdf, on
> page 2 it says "Revision: 1.43" - Which is it?
> 
> Also, the instructions for cvs checkout gives me this:
> 
> Logging in to :pserver:anon@outpost.ds9a.nl:2401/var/cvsroot
> CVS password:
> cvs [login aborted]: connect to outpost.ds9a.nl(213.244.168.210):2401
> failed: Connection refused
> 
> I'm using the password suggested on the page.

LARTC hasn't been updated for ages AFAIK - there was talk of setting up a wiki on linux-net.osdl.org but bert said he would do one himself....

Andy.

From lists at andyfurniss.entadsl.com Sun Nov 12 22:01:51 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Sun Nov 12 22:01:36 2006
Subject: [LARTC] Script for get bandwidth statistic from iptable
In-Reply-To: <20061112181844.11788.qmail@web35501.mail.mud.yahoo.com>
References: <20061112181844.11788.qmail@web35501.mail.mud.yahoo.com>
Message-ID: <45578BBF.8020701@andyfurniss.entadsl.com>

Thossapron Apinyapanha wrote:
> I searched a lot of forums for how to get bandwidth statistics such as the number of packets and total bytes in each application protocol by using IPTABLES + netfilter-layer7,
> 
> but I don't know which script to use for getting it into a log file and using the data afterwards for plotting a graph later.
> 
> My IPTABLES commands are like this:
> 
> iptables -t mangle -N all
> iptables -t mangle -A POSTROUTING -j all
> iptables -t mangle -A POSTROUTING -p udp --sport 4444 -j CLASSIFY --set-class 1:11
> iptables -t mangle -A POSTROUTING -m layer7 --l7proto mms -j CLASSIFY --set-class 1:12
> iptables -t mangle -A POSTROUTING -m layer7 --l7proto telnet -j CLASSIFY --set-class 1:13
> iptables -t mangle -A POSTROUTING -m layer7 --l7proto ftp ftp-data -j CLASSIFY --set-class 1:14
> iptables -t mangle -A POSTROUTING -m layer7 --l7proto http -j CLASSIFY --set-class 1:15
> 
> 
> Please advise me about a perl script.

Don't know about scripts as such - iptables -Lvn will give stats.

I think the above will need connmark as well to work properly. I haven't tried l7 but suspect the above rules will only classify the first packets of each connection.

Andy.

From netcerebrum at gmail.com Mon Nov 13 07:01:50 2006
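Following Andy's pointer to the iptables counters, here is an added example (not part of the thread, and neither Thossapron's nor Andy's code) that parses the listing into per-class packet and byte counters and appends timestamped records to a log file for graphing later. The iptables output below is a constructed sample in the layout of `iptables -t mangle -L POSTROUTING -vnx`; as Andy notes, with layer7 rules and no connmark the counters only reflect the packets those rules actually matched.

```shell
#!/bin/sh
# Added example, not from the original post: turn the counters that
# `iptables -t mangle -L POSTROUTING -vnx` prints for the CLASSIFY rules
# into "epoch classid packets bytes" records that a grapher can read.
# Counters are cumulative, so the grapher must difference successive
# samples (and expect a reset to zero whenever the rules are reloaded).

# Constructed sample in the layout of `iptables -vnx` (-x prints exact
# counters instead of 123K/4M abbreviations); the numbers are made up.
SAMPLE_IPTABLES_OUTPUT='Chain POSTROUTING (policy ACCEPT 123456 packets, 98765432 bytes)
    pkts      bytes target     prot opt in     out     source               destination
  123456   98765432 all        all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1200     960000 CLASSIFY   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:4444 CLASSIFY set 1:11
     300     412000 CLASSIFY   all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto mms CLASSIFY set 1:12
      40       3200 CLASSIFY   all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto telnet CLASSIFY set 1:13
    5000    7100000 CLASSIFY   all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto ftp CLASSIFY set 1:14
   20000   25000000 CLASSIFY   all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto http CLASSIFY set 1:15'

# Read an iptables -vnx chain listing on stdin and print one
# "classid packets bytes" line per CLASSIFY rule. Column 1 is packets,
# column 2 is bytes, column 3 is the target; the class id follows "set".
parse_classify_counters() {
    awk '$3 == "CLASSIFY" {
        cls = ""
        for (i = 4; i <= NF; i++) if ($i == "set") cls = $(i + 1)
        if (cls != "") printf "%s %s %s\n", cls, $1, $2
    }'
}

# Append "epoch classid packets bytes" records to the log file named in $1,
# reading the iptables listing from stdin. Run it from cron (e.g. every
# five minutes) to build the time series for plotting.
log_class_counters() {
    logfile=$1
    now=$(date +%s)
    parse_classify_counters | while read -r cls pkts bytes; do
        printf '%s %s %s %s\n' "$now" "$cls" "$pkts" "$bytes"
    done >> "$logfile"
}

# Byte counter of a single class id ($1) from a listing on stdin.
class_bytes() {
    parse_classify_counters | awk -v want="$1" '$1 == want { print $3 }'
}

# Demonstration on the constructed sample. With real rules the pipeline is:
#   iptables -t mangle -L POSTROUTING -vnx | log_class_counters /var/log/class-bytes.log
printf '%s\n' "$SAMPLE_IPTABLES_OUTPUT" | parse_classify_counters
```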
From: netcerebrum at gmail.com (Net Cerebrum)
Date: Mon Nov 13 07:02:04 2006
Subject: [LARTC] Bridge and Router on the same device
Message-ID: 

I want to configure a device with three network interfaces where two of them would bridge two segments of the LAN subnet and the third one would be connected to the WAN link.

eth0 - 10.10.10.2/24 to be connected to the internet gateway having IP 10.10.10.1/24 (also the default gateway for the device)

eth1 and eth2 bridged as br0 with IP address 172.16.100.1 connected to different segments of the subnet 172.16.100.0/24.

                 WAN (10.10.10.1)
                        |
                        |
                 eth0 (10.10.10.2)
           -----eth1          eth2------
LAN (172.16.100.0/24)          LAN (172.16.100.0/24)

I plan to configure the Bridge IP (172.16.100.1) as the default gateway for the LAN and also regulate the traffic between the two bridged interfaces (eth1 and eth2) using a user space tool. Further since the traffic meant for internet would pass through eth0, there would be a need to regulate the traffic between eth1 and eth0 and also eth2 and eth0.

Is the above arrangement feasible? Would it be possible to define static routes on this device itself involving hosts reachable through either of the interfaces.

Thank you in advance.

From Покотиленко Mon Nov 13 08:23:33 2006
From: Покотиленко
Date: Mon Nov 13 08:24:13 2006
Subject: [LARTC] Re: Troubles DNATing UDP
In-Reply-To: <2855d4bf0611100739m61be108bv73d289593ff7a84c@mail.gmail.com>
References: <1162910458.32208.44.camel@localhost.localdomain> <1163158657.4061.3.camel@localhost.localdomain> <2855d4bf0611100739m61be108bv73d289593ff7a84c@mail.gmail.com>
Message-ID: <1163402613.4052.9.camel@localhost.localdomain>

On 10/11/2006 at 16:39 +0100, dAm2K wrote:
> > > Once again, all those packets reach INPUT chain, rules in -t nat -I
> > > PREROUTING not working.
> > > 
> > > So here is the question: Does the UDP is being DNAT'ed differently
> > > comparing with TCP? What is the difference? How can I DNAT them?
> 
> If your HW UDP pinger's default gateway is your natting firewall, try
> to ping directly the 192.168.1.2 web server. If default gateway is
> another router, try adding the route 192.168.1.0/25 to you HW pingers
> and ping directly 192.168.1.2.

That would probably help, but it is not desirable. The topology may change, so it's better to ping the closest router and do the natting in it.

> If this is not possible (and you are UDP pinging you firewall) open
> dport 4000 udp in INPUT chain on your firewall and do natting:
> 
> iptables -t filter -A INPUT -p udp -m udp -s 10.10.0.0/16 -d
> 10.10.100.1 --dport 4000 -j ACCEPT
> iptables -t nat -A PREROUTING -p udp -m udp -s 10.10.0.0/16 -d
> 10.10.100.1 --dport 4000 -j DNAT --to-destination 192.168.1.2
> 
> This way 192.168.1.2 host should receive udp packets coming from the firewall.

This is what I've done. But packets are reaching the INPUT chain, counters of the first rule are increasing, and packets are not reaching the second rule; its counters are zero all the time. And DNAT'ing is not working :/

> My setup is running smoothly with UDP and NAT, I'm using with
> playstation online games...
> 
> Hope this help. Bye, Dino.
> 

-- 
??????????? ??????
From Покотиленко Mon Nov 13 08:33:52 2006
From: Покотиленко
Date: Mon Nov 13 08:34:15 2006
Subject: [LARTC] Troubles DNATing UDP
In-Reply-To: <4554A976.9030808@riverviewtech.net>
References: <1162910458.32208.44.camel@localhost.localdomain> <4554A976.9030808@riverviewtech.net>
Message-ID: <1163403232.4396.20.camel@localhost.localdomain>

On 10/11/2006 at 10:31 -0600, Taylor, Grant wrote:
> ??????????? ?????? wrote:
> 
> > 
> > As the pingers ping (send UDP packets) to 10.10.100.1 I was trying to
> > redirect them to 192.168.1.2 by:
> > 
> > iptables -t nat -I PREROUTING 1 -p udp --dport 4000 -j DNAT
> > --to-destination 192.168.1.2:4000
> > iptables -I FORWARD -p udp --dport 4000 -d 192.168.1.2 -j ACCEPT
> 
> (Before morning coffee...)
> 
> One quick question / point. Your source and destination ports are both 4000
> right? (I presuming yes.) Your PREROUTING rule is looking to DNAT any UDP
> traffic that has a destination port of 4000 to 192.168.1.2. What happens to
> the reply traffic from 192.168.1.2 that is destined to port 4000 on 10.0.x.y?

There is no such traffic, as that kind of ping is not supposed to reply. Explained later.

> > Neither of those rules not catching the packets, they all reach
> > 10.10.100.1 INPUT chain. Those rule counters are zero.
> 
> Hum. Try adding a rule similar to this:
> 
> iptables -t nat -I PREROUTING 1 -p udp --dport 4000 -j LOG
> 
> To see if you can match the packets at all.

I did that, nothing is matched. This is strange.

> > If I do:
> > 
> > iptables -t mangle -I PREROUTING 1 -p udp --dport 4000
> > 
> > this rule catch needed packets, but not in NAT tables! Why?
> 
> I would expect that you could match the packets any where they traverse the
> kernel.
> 
> > 
> > Here is tcpdump from 10.10.100.1:
> > 
> > # tcpdump -i br0 port 4000 -n
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol
> > decode
> > listening on br0, link-type EN10MB (Ethernet), capture size 96 bytes
> > 16:36:53.202130 IP 10.10.100.23.4000 > 10.10.100.1.4000: UDP, length: 74
> > 16:36:54.092413 IP 10.10.100.21.4000 > 10.10.100.1.4000: UDP, length: 74
> > 16:36:54.143128 IP 10.10.100.22.4000 > 10.10.100.1.4000: UDP, length: 74
> > 16:36:55.291886 IP 10.10.100.23.4000 > 10.10.100.1.4000: UDP, length: 74
> > 16:36:55.545621 IP 10.10.100.22.4000 > 10.10.100.1.4000: UDP, length: 74
> > 16:36:55.743096 IP 10.10.100.21.4000 > 10.10.100.1.4000: UDP, length: 74
> 
> Hum...
> 
> > Once again, all those packets reach INPUT chain, rules in -t nat -I
> > PREROUTING not working.
> 
> You appear to be using a bridge interface, not a real network interface.
> (Not that this is a problem.)
> 
> Do you have the "Bridged IP/ARP packets filtering" option enabled in the
> kernel? If you do, this option will enable NetFilter Layer 3 filtering at
> the EBTables Layer 2 level. I.e. you can use IPTables to filter bridged
> traffic. In this case you will need to write rules to allow your bridged
> traffic to flow through, as it is dependent on your Table / CHAIN default
> policies.

There is a lot of other udp and tcp traffic already coming through.

> > So here is the question: Does the UDP is being DNAT'ed differently
> > comparing with TCP? What is the difference? How can I DNAT them?
> 
> I do not think that the problem is with the protocol(s) per se, but rather
> the filtering that is in place.
> 
> Will you please do an iptables-save output so that we can see your entire
> firewall script to better evaluate what is going on.

I'll study the situation once again today and send the entire rules if no luck.

> > Thanks in advance.
> 
> No problem.
> 
> > P.S. This kind of UDP ping doesn't require a response, it's just to see
> > which remote point is still alive.
> 
> Sorry, I have to ask. How are you going to be able to tell if a point is
> active if you do not get a reply? Are you looking for some sort of anomaly
> in reply / error (or lack thereof) traffic to determine if a point is active?

You should get 1 packet per second from each HW pinger; if you don't get any, or get less than 1 packet/s from a particular HW pinger, then there are problems with the route to that HW pinger. For debugging purposes it's possible to ping clients in between and figure out where the problem starts to take place.

-- 
??????????? ??????

From namtansod_ at hotmail.com Mon Nov 13 09:53:54 2006
From: namtansod_ at hotmail.com (Hotmail staff)
Date: Mon Nov 13 09:54:09 2006
Subject: [LARTC] i have a question with queuing discipline.
Message-ID: 

I have a question about queuing disciplines: if I create many classes with sfq and cbq and ... I would like to know about qos. Which queuing discipline will be chosen first? (not using priority)

(queuing discipline)
sfq--------->    packet incoming    packet outgoing
cbq-------->

Thank you.

From Philipp.Leusmann at rwth-aachen.de Mon Nov 13 09:59:52 2006
From: Philipp.Leusmann at rwth-aachen.de (Philipp Leusmann)
Date: Mon Nov 13 10:05:07 2006
Subject: AW: [LARTC] Why did I need strange ceiling settings? (full version)
In-Reply-To: <45578931.9070009@andyfurniss.entadsl.com>
Message-ID: <001401c70702$156bbde0$0200a8c0@marvin>

> -----Original Message-----
> From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl]
> On behalf of Andy Furniss
> Sent: Sunday, 12 November 2006 21:51
> To: Philipp Leusmann
> Cc: lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] Why did I need strange ceiling settings? (full
> version)
> 
> Philipp Leusmann wrote:
> 
> You will need to back off from the rates more and use kbit of course.
> 
> > tc qdisc add dev $IFACE root handle 1:0 htb default 103
> 
> default is bad if $IFACE is eth your arp will go here, also if eth
> Quantum should be set to ip mtu + 14.

$IFACE is ppp0. Does this make a difference?

And you would recommend to use no backup at all?

Regards,
Philipp

From wonka at linkabu.net Mon Nov 13 18:45:27 2006
From: wonka at linkabu.net (Eduardo Bejar)
Date: Mon Nov 13 18:45:52 2006
Subject: [LARTC] Traffic monitor per IP
Message-ID: <033601c7074b$81f30ec0$6bb1a8c0@veruca>

Hi,

I've been using iptraf for real time traffic monitoring and it works fine. But I would like to know if anyone knows another package to monitor traffic per IP in real time, without requiring each IP's MAC address, as I have some terminals behind a router that hides their MAC. Cacti/MRTG works like this but not in real time.

Thanks for your ideas.

Regards,
Edo

From lists at andyfurniss.entadsl.com Tue Nov 14 00:49:33 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Tue Nov 14 00:49:29 2006
Subject: AW: [LARTC] Why did I need strange ceiling settings? (full version)
In-Reply-To: <001401c70702$156bbde0$0200a8c0@marvin>
References: <001401c70702$156bbde0$0200a8c0@marvin>
Message-ID: <4559048D.7080704@andyfurniss.entadsl.com>

Philipp Leusmann wrote:
> 
>>-----Original Message-----
>>From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl]
>>On behalf of Andy Furniss
>>Sent: Sunday, 12 November 2006 21:51
>>To: Philipp Leusmann
>>Cc: lartc@mailman.ds9a.nl
>>Subject: Re: [LARTC] Why did I need strange ceiling settings? (full
>>version)
>>
>>Philipp Leusmann wrote:
>>
>>You will need to back off from the rates more and use kbit of course.
>>
>>
>>>tc qdisc add dev $IFACE root handle 1:0 htb default 103
>>
>>default is bad if $IFACE is eth your arp will go here, also if eth
>>Quantum should be set to ip mtu + 14.
> 
> 
> $IFACE is ppp0. Does this make a difference?

Yes - using htb default is safe on ppp and quantum doesn't need 14 adding. One caveat: if you get ppp MTU by script, what if mtu on ppp is really big - my old ISP used to ask (during ppp negotiation) for mru of about 32k (aal5 mtu), which meant that mtu on the ppp was set to 32k.

> And you would recommend to use no backup at all?

Had it been eth then you could have made a catch all ip filter with lower prio to get anything else. You could also have made a filter for arp/other non ip - but if non ip traffic levels are low I would just let them through unshaped, which is what htb does if you don't specify a default class / use default 0. (hfsc is the opposite - unclassified gets dropped by default).

Try setting uprate ceil to 600kbit and make sure the sum of rates doesn't exceed it.

Upload for a few minutes and while still uploading do -

tc -s -d class ls dev ppp0

and post the output.

Andy.


post the output

From Jon.J.Flechsenhaar at boeing.com Tue Nov 14 00:58:14 2006
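Andy's check above (the child classes' guaranteed rates must not add up to more than the parent's rate, and a child ceil above the parent's ceil is a configuration error) can be run mechanically against the output of `tc -s -d class ls`. This is an added example, not Andy's or Philipp's code; the first sample output is constructed in that command's format from the figures Philipp posts later in the thread, the second is a made-up oversubscribed tree.

```shell
#!/bin/sh
# Added example, not part of the thread: verify an HTB tree from the output
# of `tc -s -d class ls dev <if>`. For every parent, the sum of the children's
# "rate" values must not exceed the parent's rate, and no child "ceil" may
# exceed the parent's ceil. Exit status is 0 when the tree is consistent.

# Constructed sample in the format of `tc -s -d class ls dev ppp0`, using the
# rates and ceils Philipp posted (150k + 250k + 150k + 50k = 600k under a
# 600k parent, so this tree passes).
SAMPLE_TC_OUTPUT='class htb 1:101 parent 1:1 leaf 8019: prio 0 quantum 1488 rate 150000bit ceil 600000bit burst 1674b/8 mpu 0b overhead 0b cburst 1899b/8 mpu 0b overhead 0b level 0
 Sent 130659 bytes 806 pkts (dropped 0, overlimits 0)
 lended: 632 borrowed: 174 giants: 0
class htb 1:1 root rate 600000bit ceil 600000bit burst 1899b/8 mpu 0b overhead 0b cburst 1899b/8 mpu 0b overhead 0b level 7
 Sent 27239843 bytes 29309 pkts (dropped 0, overlimits 0)
 lended: 16484 borrowed: 0 giants: 0
class htb 1:103 parent 1:1 leaf 801b: prio 2 quantum 1488 rate 250000bit ceil 600000bit burst 1724b/8 mpu 0b overhead 0b cburst 1899b/8 mpu 0b overhead 0b level 0
 Sent 27111784 bytes 28505 pkts (dropped 0, overlimits 0)
 lended: 12193 borrowed: 16310 giants: 0
class htb 1:102 parent 1:1 leaf 801a: prio 1 quantum 1488 rate 150000bit ceil 600000bit burst 1674b/8 mpu 0b overhead 0b cburst 1899b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
class htb 1:104 parent 1:1 leaf 801c: prio 3 quantum 1488 rate 50000bit ceil 200000bit burst 1624b/8 mpu 0b overhead 0b cburst 1699b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)'

# A second constructed tree, in the newer "250Kbit" notation, whose children
# promise 650 kbit under a 600 kbit parent and whose 1:30 ceil exceeds 1:1's.
OVERSUBSCRIBED='class htb 1:1 root rate 600000bit ceil 600000bit burst 1899b/8 cburst 1899b/8 level 7
class htb 1:10 parent 1:1 leaf 8001: prio 0 quantum 1488 rate 250Kbit ceil 600Kbit burst 1724b/8 cburst 1899b/8 level 0
class htb 1:20 parent 1:1 leaf 8002: prio 1 quantum 1488 rate 250Kbit ceil 600Kbit burst 1724b/8 cburst 1899b/8 level 0
class htb 1:30 parent 1:1 leaf 8003: prio 2 quantum 1488 rate 150Kbit ceil 800Kbit burst 1724b/8 cburst 1899b/8 level 0'

# Read the class listing on stdin; print one line per finding, exit 1 if any
# class is oversubscribed or exceeds its parent's ceil, else exit 0.
htb_check() {
    awk '
    function bits(v,   n) {        # "150000bit", "250Kbit", "1Mbit" -> bit/s
        n = v + 0                  # awk takes the leading numeric prefix
        if (v ~ /Gbit$/) n *= 1000000000
        else if (v ~ /Mbit$/) n *= 1000000
        else if (v ~ /Kbit$/) n *= 1000
        return n
    }
    $1 == "class" && $2 == "htb" {
        id = $3
        parent = ($4 == "root") ? "root" : $5
        rate = 0; ceil = 0
        for (i = 4; i <= NF; i++) {
            if ($i == "rate") rate = bits($(i + 1))
            if ($i == "ceil") ceil = bits($(i + 1))
        }
        RATE[id] = rate; CEIL[id] = ceil; PARENT[id] = parent
        if (parent != "root") SUM[parent] += rate
    }
    END {
        bad = 0
        for (id in RATE) {
            p = PARENT[id]
            if (p == "root") continue
            if (!(p in RATE)) { printf "%s: parent %s not found\n", id, p; bad = 1; continue }
            if (CEIL[id] > CEIL[p]) {
                printf "%s: ceil %d exceeds parent %s ceil %d\n", id, CEIL[id], p, CEIL[p]; bad = 1
            }
        }
        for (p in SUM) {
            if (!(p in RATE)) continue
            if (SUM[p] > RATE[p]) {
                printf "%s: child rates sum to %d, above its rate %d\n", p, SUM[p], RATE[p]; bad = 1
            } else printf "%s: child rates sum to %d of %d\n", p, SUM[p], RATE[p]
        }
        exit bad
    }'
}

# Demonstration; on a live box: tc -s -d class ls dev ppp0 | htb_check
printf '%s\n' "$SAMPLE_TC_OUTPUT" | htb_check
printf '%s\n' "$OVERSUBSCRIBED" | htb_check || echo "second tree rejected"
```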
From: Jon.J.Flechsenhaar at boeing.com (Flechsenhaar, Jon J)
Date: Tue Nov 14 00:58:23 2006
Subject: [LARTC] Ingress queuing
In-Reply-To: <4559048D.7080704@andyfurniss.entadsl.com>
Message-ID: <0E24ED2A7F9AA349A8633E6A56A64BE0027A812E@XCH-SW-2V1.sw.nos.boeing.com>

Hey all:

I want to limit incoming traffic to around 300 packets per second. When I receive higher amounts than that it kills my processor and causes problems with UML. Can anyone point me to a way to do this?

Thanks a lot.

Jon

From Jon.J.Flechsenhaar at boeing.com Tue Nov 14 01:06:31 2006
From: Jon.J.Flechsenhaar at boeing.com (Flechsenhaar, Jon J)
Date: Tue Nov 14 01:06:38 2006
Subject: [LARTC]
In-Reply-To: <0E24ED2A7F9AA349A8633E6A56A64BE0027A812E@XCH-SW-2V1.sw.nos.boeing.com>
Message-ID: <0E24ED2A7F9AA349A8633E6A56A64BE0027A812F@XCH-SW-2V1.sw.nos.boeing.com>

All

I'm a little confused about something. I'm using GRED and HTB deployed in a AF/EF terms of service environment. I am rate limiting to 550 kbps. If I take GRED off my leaf HTB classes then FIFO will take over. The problem I see is that my rate received goes up to 700 kbps rather than 550 with GRED.

Questions:

My question is what is causing the rate limit? HTB or GRED/FIFO - Does HTB say start dropping... and then GRED or FIFO is the method at which to drop?

Is GRED more accurate because it is dropping before the rate limit is breached? (early drop)

Is FIFO higher because it drops after the rate has been breached?

From radu at securesystems.ro Tue Nov 14 01:23:08 2006
From: radu at securesystems.ro (Radu Oprisan)
Date: Tue Nov 14 01:23:59 2006
Subject: [LARTC] Traffic monitor per IP
In-Reply-To: <033601c7074b$81f30ec0$6bb1a8c0@veruca>
References: <033601c7074b$81f30ec0$6bb1a8c0@veruca>
Message-ID: <45590C6C.8000605@securesystems.ro>

Eduardo Bejar wrote:
> Hi,
> 
> I've been using iptraf for real time traffic monitoring and it works fine.
> But I would like to know if anyone knows other package to monitor traffic
> per IP in real time, without requiring each IP's MAC address as I have some
> terminals behind a router that hides their MAC. Cacti/MRTG works like this
> but not in real time.
> 
> Thanks for your ideas.

I used at one time or another zorbiptraffic something. You can find it at http://www.atout.be/
It is sort of real time. I mean as real time as a web app can be.

From Daniel at Musketa.de Tue Nov 14 09:03:49 2006
From: Daniel at Musketa.de (Daniel Musketa)
Date: Tue Nov 14 09:04:13 2006
Subject: [LARTC] Traffic monitor per IP
In-Reply-To: <033601c7074b$81f30ec0$6bb1a8c0@veruca>
References: <033601c7074b$81f30ec0$6bb1a8c0@veruca>
Message-ID: <200611140903.49913.Daniel@Musketa.de>

On Monday 13 November 2006 18:45, Eduardo Bejar wrote:
> But I would like to know if anyone knows other package to monitor traffic
> per IP in real time, without requiring each IP's MAC address as I have some

iftop

And have a look at the view modes activated by pressing s, d and p ...

Daniel

From Philipp.Leusmann at rwth-aachen.de Tue Nov 14 11:01:58 2006
From: Philipp.Leusmann at rwth-aachen.de (Philipp Leusmann)
Date: Tue Nov 14 11:02:09 2006
Subject: AW: AW: [LARTC] Why did I need strange ceiling settings? (full version)
In-Reply-To: <4559048D.7080704@andyfurniss.entadsl.com>
Message-ID: <001501c707d3$ed71caa0$0200a8c0@marvin>

Hi andy,

I reset the ceiling to 600kbit and get the same bad results as before. Also I set all classes to use the same quantum, which is mtu (it is 1488 here).

Here is the output you requested:

miles:~# tc -s -d class ls dev ppp0
class htb 1:101 parent 1:1 leaf 8019: prio 0 quantum 1488 rate 150000bit ceil 600000bit burst 1674b/8 mpu 0b overhead 0b cburst 1899b/8 mpu 0b overhead 0b level 0
 Sent 130659 bytes 806 pkts (dropped 0, overlimits 0)
 rate 224bit
 lended: 632 borrowed: 174 giants: 0
 tokens: 84164 ctokens: 24117

class htb 1:1 root rate 600000bit ceil 600000bit burst 1899b/8 mpu 0b overhead 0b cburst 1899b/8 mpu 0b overhead 0b level 7
 Sent 27239843 bytes 29309 pkts (dropped 0, overlimits 0)
 rate 286640bit 34pps
 lended: 16484 borrowed: 0 giants: 0
 tokens: -66101 ctokens: -66101

class htb 1:103 parent 1:1 leaf 801b: prio 2 quantum 1488 rate 250000bit ceil 600000bit burst 1724b/8 mpu 0b overhead 0b cburst 1899b/8 mpu 0b overhead 0b level 0
 Sent 27111784 bytes 28505 pkts (dropped 0, overlimits 0)
 rate 286232bit 34pps backlog 2p
 lended: 12193 borrowed: 16310 giants: 0
 tokens: -83395 ctokens: -41934

class htb 1:102 parent 1:1 leaf 801a: prio 1 quantum 1488 rate 150000bit ceil 600000bit burst 1674b/8 mpu 0b overhead 0b cburst 1899b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 91601 ctokens: 25976

class htb 1:104 parent 1:1 leaf 801c: prio 3 quantum 1488 rate 50000bit ceil 200000bit burst 1624b/8 mpu 0b overhead 0b cburst 1699b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 266600 ctokens: 69726

I hope this helps to track down the problem.

Thanks,
Philipp

> -----Original Message-----
> From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl]
> On behalf of Andy Furniss
> Sent: Tuesday, 14 November 2006 00:50
> To: Philipp Leusmann
> Cc: lartc@mailman.ds9a.nl
> Subject: Re: AW: [LARTC] Why did I need strange ceiling settings? (full
> version)
> 
> Philipp Leusmann wrote:
> >
> >>-----Original Message-----
> >>From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-
> bounces@mailman.ds9a.nl]
> >>On behalf of Andy Furniss
> >>Sent: Sunday, 12 November 2006 21:51
> >>To: Philipp Leusmann
> >>Cc: lartc@mailman.ds9a.nl
> >>Subject: Re: [LARTC] Why did I need strange ceiling settings? (full
> >>version)
> >>
> >>Philipp Leusmann wrote:
> >>
> >>You will need to back off from the rates more and use kbit of course.
> >>
> >>
> >>>tc qdisc add dev $IFACE root handle 1:0 htb default 103
> >>
> >>default is bad if $IFACE is eth your arp will go here, also if eth
> >>Quantum should be set to ip mtu + 14.
> >
> >
> > $IFACE is ppp0. Does this make a difference?
> 
> Yes - using htb default is safe on ppp and quantum doesn't need 14
> adding. One caveat, if you get ppp MTU by script what if mtu on ppp is
> really big - my old ISP used to ask (during ppp negotiation) for mru of
> about 32k (aal5 mtu), which meant that mtu on the ppp was set to 32k.
> 
> > And you would recommend to use no backup at all?
> 
> Had it been eth then you could have made a catch all ip filter with
> lower prio to get anything else. You could also have made a filter for
> arp/other non ip - but if non ip traffic levels are low I would just let
> them through unshaped, which is what htb does if you don't specify a
> default class / use default 0. (hfsc is the opposite - unclassified gets
> dropped by default).
> 
> Try setting uprate ceil to 600kbit and make sure the sum of rates
> doesn't exceed it.
> 
> Upload for a few minutes and while still uploading do -
> 
> tc -s -d class ls dev ppp0
> 
> and post the output.
> 
> Andy.
> 
> 
> post the output

From lartc at winlink.ru Tue Nov 14 14:15:19 2006
From: lartc at winlink.ru (Ron McKown)
Date: Tue Nov 14 14:15:29 2006
Subject: [LARTC] NAT/MASQ with multiple external static IPs
Message-ID: <4559C167.3050300@winlink.ru>

Hello everyone,
really not sure if this is a LARTC question or not, but I have several hundred users all MASQ'd behind a single static IP. Users are reporting that certain websites are blacklisting that single static external IP for various reasons.

What I would like to do is use several external IP's and have a MASQ'd user getting a random one each time.

Here is a very simplified example:

eth0:   1.2.3.4
eth0:1  1.2.3.5
eth0:2  1.2.3.6
eth0:3  1.2.3.7

eth1:   192.168.0.0/16

Whereas, a user will be sent out and given one of the eth0 addresses at random.

Any clue where to start looking?

Thanks!
Ron
ron@winlink.ru

From Покотиленко Tue Nov 14 14:23:40 2006
From: Покотиленко
Date: Tue Nov 14 14:24:21 2006
Subject: [LARTC] NAT/MASQ with multiple external static IPs
In-Reply-To: <4559C167.3050300@winlink.ru>
References: <4559C167.3050300@winlink.ru>
Message-ID: <1163510620.4081.14.camel@localhost.localdomain>

On 14/11/2006 at 16:15 +0300, Ron McKown wrote:
> Hello everyone,
> really not sure if this is a LARTC question or not, but I have several
> hundred users all MASQ'd behind a single static IP. Users are reporting
> that certain websites are blacklisting that single static external IP
> for various reasons.
> 
> What I would like to do is use several external IP's and have a MASQ'd
> user getting a random one each time.
> 
> Here is a very simplified example:
> 
> eth0:   1.2.3.4
> eth0:1  1.2.3.5
> eth0:2  1.2.3.6
> eth0:3  1.2.3.7
> 
> eth1:   192.168.0.0/16
> 
> Whereas, a user will be sent out and given one of the eth0 addresses at random.
> 
> Any clue where to start looking?

# man iptables
..........
SNAT
    This target is only valid in the nat table, in the POSTROUTING chain. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one type of option:

    --to-source ipaddr[-ipaddr][:port-port]
        which can specify a single new source IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, then source ports below 512 will be mapped to other ports below 512: those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports will be mapped to 1024 or above. Where possible, no port alteration will occur.

    You can add several --to-source options. If you specify more than one source address, either via an address range or multiple --to-source options, a simple round-robin (one after another in cycle) takes place between these addresses.
..........

-- 
??????????? ??????

From andrewm at intoweb.co.za Tue Nov 14 14:48:41 2006
From: andrewm at intoweb.co.za (Andrew McGill)
Date: Tue Nov 14 14:48:54 2006
Subject: [LARTC] netmask 255.255.255.255 vs ip route add via ... (bug?)
Message-ID: 

Greetings routing folks,

I want to use the netmask 255.255.255.255 to insulate (not quite isolate) machines on a shared subnet from each other. This works just fine on win XP, but Linux iproute will not accept the gateway address in one step -- neither on the command line nor via DHCP:

Here's the interface, set up with a netmask of /32:

# ip addr
...
2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:08:74:48:1f:0c brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.6/32 brd 192.168.1.255 scope global eth0
    inet6 fe80::208:74ff:fe48:1f0c/64 scope link
       valid_lft forever preferred_lft forever
...

And here's me trying to add the route:

# ip route add default via 192.168.1.17
RTNETLINK answers: Network is unreachable

Hmm ... erk ... workaround ... add a host route first, then add it as a default route ...

# sudo ip route add 192.168.1.17 dev eth0
# sudo ip route add default via 192.168.1.17

And this is what we get ... (yep, it works)

# ip route ls
192.168.1.17 dev eth0 scope link
default via 192.168.1.17 dev eth0

But wait! We can delete the host route! And it works just fine (you *can* try this at home folks).

# sudo ip route del 192.168.1.17
# ip route ls
default via 192.168.1.17 dev eth0

So why did we need that host route? It should be possible to add the gateway directly, or it should be impossible to delete it once something "depends" on it. The current behaviour seems a little unbalanced (and, for my strange purposes, inconvenient :)

Tested on Ubuntu 6.06 Dapper (Kernel: 2.6.15, iproute2 20041019)
Looks the same on Fedora Core 3, (Kernel 2.6.11.8, iproute2 2.6.9)

&:-)

-- 
Disclaimer: this disclaimer and your base are us

From Jon.J.Flechsenhaar at boeing.com Tue Nov 14 19:25:48 2006
From: Jon.J.Flechsenhaar at boeing.com (Flechsenhaar, Jon J) Date: Tue Nov 14 19:27:13 2006 Subject: [LARTC] netmask 255.255.255.255 vs ip route add via ... (bug?) In-Reply-To: Message-ID: <0E24ED2A7F9AA349A8633E6A56A64BE0027A8131@XCH-SW-2V1.sw.nos.boeing.com>

Does it work if you do this?

Ip route add -net x.x.x.x netmask 255.255.255.255 gw x.x.x.x

Jon Flechsenhaar
Boeing WNW Team
Network Services
(714)-762-1231
202-E7

-----Original Message-----
From: Andrew McGill [mailto:andrewm@intoweb.co.za]
Sent: Tuesday, November 14, 2006 5:49 AM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] netmask 255.255.255.255 vs ip route add via ... (bug?)

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From pio_mendez at hotmail.com Tue Nov 14 19:53:22 2006 From: pio_mendez at hotmail.com (Pio Mendez) Date: Tue Nov 14 19:53:32 2006 Subject: [LARTC] netmask 255.255.255.255 vs ip route add via ... (bug?) In-Reply-To: Message-ID:

From Покотиленко Tue Nov 14 20:02:12 2006 
From: Покотиленко (Покотиленко) Date: Tue Nov 14 20:02:30 2006 Subject: [LARTC] Troubles DNATing UDP In-Reply-To: <1163158657.4061.3.camel@localhost.localdomain> References: <1162910458.32208.44.camel@localhost.localdomain> <1163158657.4061.3.camel@localhost.localdomain> Message-ID: <1163530932.8589.31.camel@localhost.localdomain>

Well, I did more testing/research today...

1. I've found some posts telling about the bug in the kernel prior to 2.6.13 about ip_conntrack and UNREPLIED connections probably related to my problem. Later I've found some posts telling that the bug still appears in most modern kernels.

2. I tried to reproduce this problem in another environment. I've written a program that sends udp packets (source and destination ports 4000) similar to those produced by HW pingers. And I felt no problem DNAT'ing packets sent from 2 machines on both 2.6.8 and 2.6.17 kernels.

While doing that I've mentioned one strange thing. The output of "tcpdump -v -v" in the reproduced case always shows a different UDP ID for each packet, while in the real case it shows the same UDP ID for all HW pingers for all packets. Does somebody know what is UDP ID and should it be related to this problem? Just in case:

# tcpdump -i br0 port 4000 -v -n
tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 96 bytes
20:58:21.636684 IP (tos 0x0, ttl 64, id 6552, offset 0, flags [none], length: 102) 10.10.100.22.4000 > 192.168.1.2.4000: UDP, length: 74
20:58:22.888548 IP (tos 0x0, ttl 64, id 6552, offset 0, flags [none], length: 102) 10.10.100.21.4000 > 192.168.1.2.4000: UDP, length: 74
20:58:23.065247 IP (tos 0x0, ttl 64, id 6552, offset 0, flags [none], length: 102) 10.10.100.22.4000 > 192.168.1.2.4000: UDP, length: 74
20:58:23.351091 IP (tos 0x0, ttl 64, id 6552, offset 0, flags [none], length: 102) 10.10.100.23.4000 > 192.168.1.2.4000: UDP, length: 74

3. I've played with the router in the real case and found out that the problem does not always appear. Having the rule:

iptables -t nat -A PREROUTING -d 10.10.100.1 -p udp -m udp --dport 4000 -j DNAT --to-destination 192.168.1.2

and doing ifdown br0, then ifup br0, and looking in /proc/net/ip_conntrack:

One time I got:

udp      17 29 src=10.10.100.23 dst=10.10.100.1 sport=4000 dport=4000 [UNREPLIED] src=192.168.1.2 dst=10.10.100.23 sport=4000 dport=4000 use=1
udp      17 28 src=10.10.100.21 dst=10.10.100.1 sport=4000 dport=4000 [UNREPLIED] src=10.10.100.1 dst=10.10.100.21 sport=4000 dport=4000 use=2
udp      17 29 src=10.10.100.22 dst=10.10.100.1 sport=4000 dport=4000 [UNREPLIED] src=192.168.1.2 dst=10.10.100.22 sport=4000 dport=4000 use=1

(note this "src=10.10.100.1" for the second rule). 10.10.100.23 and 10.10.100.22 got through. Several next times I got 2 others to work. And finally I got all of them to work:

udp      17 29 src=10.10.100.23 dst=10.10.100.1 sport=4000 dport=4000 [UNREPLIED] src=192.168.1.2 dst=10.10.100.23 sport=4000 dport=4000 use=1
udp      17 28 src=10.10.100.21 dst=10.10.100.1 sport=4000 dport=4000 [UNREPLIED] src=192.168.1.2 dst=10.10.100.21 sport=4000 dport=4000 use=1
udp      17 29 src=10.10.100.22 dst=10.10.100.1 sport=4000 dport=4000 [UNREPLIED] src=192.168.1.2 dst=10.10.100.22 sport=4000 dport=4000 use=1

To conclude, right now I have all packets being DNAT'd like I want, but I guess this is until next reboot :/

From lists at andyfurniss.entadsl.com Tue Nov 14 20:39:11 2006 
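A small diagnostic for the conntrack snapshots in the message above (an added example, not the poster's program or any netfilter code): it parses /proc/net/ip_conntrack lines and returns the flows that match the DNAT rule's selector but whose reply tuple still names the router rather than the DNAT target, which is exactly the "src=10.10.100.1" entry the poster points at. The sample text is the first snapshot quoted above; the function names are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample: the first /proc/net/ip_conntrack snapshot quoted in the
# message above (three UNREPLIED UDP flows that hit the DNAT rule).
SNAPSHOT = """\
udp      17 29 src=10.10.100.23 dst=10.10.100.1 sport=4000 dport=4000 [UNREPLIED] src=192.168.1.2 dst=10.10.100.23 sport=4000 dport=4000 use=1
udp      17 28 src=10.10.100.21 dst=10.10.100.1 sport=4000 dport=4000 [UNREPLIED] src=10.10.100.1 dst=10.10.100.21 sport=4000 dport=4000 use=2
udp      17 29 src=10.10.100.22 dst=10.10.100.1 sport=4000 dport=4000 [UNREPLIED] src=192.168.1.2 dst=10.10.100.22 sport=4000 dport=4000 use=1
"""

TUPLE_KEYS = ("src", "dst", "sport", "dport")


def parse_entry(line: str) -> Dict:
    """Parse one conntrack line into protocol, timeout, flags and two tuples.
    The first src/dst/sport/dport group is the original direction; the second
    is the reply direction the kernel expects. After a DNAT the reply tuple's
    src must be the rewritten destination (192.168.1.2 in the thread)."""
    tokens = line.split()
    first_kv = next(i for i, t in enumerate(tokens) if "=" in t)
    # ip_conntrack starts "udp 17 29 ..."; nf_conntrack prefixes "ipv4 2 ".
    # Both end the header with "<proto> <protonum> <timeout>".
    proto, timeout = tokens[first_kv - 3], int(tokens[first_kv - 1])
    orig: Dict[str, str] = {}
    reply: Dict[str, str] = {}
    flags: List[str] = []
    for tok in tokens[first_kv:]:
        if tok.startswith("[") and tok.endswith("]"):
            flags.append(tok.strip("[]"))   # e.g. UNREPLIED, ASSURED
            continue
        key, _, value = tok.partition("=")
        if key in TUPLE_KEYS:
            # first occurrence fills the original tuple, second the reply
            (orig if key not in orig else reply)[key] = value
    return {"proto": proto, "timeout": timeout, "flags": flags,
            "orig": orig, "reply": reply}


def undnatted_flows(conntrack: str, pre_dst: str, dport: str,
                    nat_dst: str) -> List[str]:
    """Original source addresses of flows whose original tuple matches the
    DNAT selector (dst pre_dst, dport) but whose reply tuple does not carry
    nat_dst as src: entries the PREROUTING rule never rewrote."""
    stale: List[str] = []
    for line in conntrack.splitlines():
        if not line.strip():
            continue
        entry = parse_entry(line)
        orig, reply = entry["orig"], entry["reply"]
        if orig.get("dst") != pre_dst or orig.get("dport") != dport:
            continue
        if reply.get("src") != nat_dst:
            stale.append(orig["src"])
    return stale


if __name__ == "__main__":
    # with the sample above this prints the one un-rewritten flow source
    print(undnatted_flows(SNAPSHOT, "10.10.100.1", "4000", "192.168.1.2"))
```

Run against a live `cat /proc/net/ip_conntrack` (or nf_conntrack) after the `ifdown`/`ifup` dance to see whether the stale entries are back.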
From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Tue Nov 14 20:39:05 2006 Subject: AW: AW: [LARTC] Why did I need strange ceiling settings? (full version) In-Reply-To: <001501c707d3$ed71caa0$0200a8c0@marvin> References: <001501c707d3$ed71caa0$0200a8c0@marvin> Message-ID: <455A1B5F.3010609@andyfurniss.entadsl.com>

Philipp Leusmann wrote:
> Hi andy,
>
> I reset the ceiling to 600kbit and get the same bad results as before. Also
> I set all classes to use the same quantum which is mtu (it is 1488 here).
> Here is the output you requested:
>
> class htb 1:103 parent 1:1 leaf 801b: prio 2 quantum 1488 rate 250000bit
> ceil 600000bit burst 1724b/8 mpu 0b overhead 0b cburst 1899b/8 mpu 0b
> overhead 0b level 0
> Sent 27111784 bytes 28505 pkts (dropped 0, overlimits 0)
> rate 286232bit 34pps backlog 2p
> lended: 12193 borrowed: 16310 giants: 0
> tokens: -83395 ctokens: -41934

That is strange - assuming that upload is tcp, there are no drops and only a backlog of 2.

When uploading you are somewhat dependent on the size of the window advertised by the far end - also loss, which in this case is not by htb, will make your cwnd small.

I think what you need to do is tcpdump -s 100 -w dumpfile the connection from the start and have a look/post what's going on.

Another way to see if it's external loss is on the sender do a few netstat -s | grep retrans and look at the counter.

Small chance there could be some window scaling mismatch caused by a broken router in the way.

The loss could be isp/target server dropping or - You mentioned a nominal upload rate of 1mbit which you don't reach. If you are synced at a low target SNR margin then some modems will doggedly hold the line and take the loss - others will drop and resync (often at a similar rate as the extra noise that causes the resync is gone when it retrains). I have to limit my downrate to 75% of 6db speed and it still drops sometimes. My up is solid, though, as it's limited to 50% due to the product I am on (448/up to 8128 - horribly asymmetric if I could sync at 8128)

As to why shaping on/off makes such a difference - I am not sure, you are backlogged so there is some limiting happening, so maybe the higher speeds achieved without htb rely on being able to burst out full speed whenever loss is low.

Andy.

From martin at linux-ip.net Wed Nov 15 02:48:42 2006 
From: martin at linux-ip.net (Martin A. Brown) Date: Wed Nov 15 02:50:03 2006 Subject: [LARTC] netmask 255.255.255.255 vs ip route add via ... (bug?) In-Reply-To: References: Message-ID:

Greetings Andrew McGill,

 : I want to use the netmask 255.255.255.255 to insulate (not quite
 : isolate) machines on a shared subnet from each other. This works
 : just fine on win XP, but Linux iproute will not accept the
 : gateway address in one step -- neither on the command line nor
 : via DHCP:

Try using the onlink nexthop flag for your route:

  # ip route add onlink default via 192.168.1.17

This marks the route for entry even though the local routing table may not have a route to the nexthop destination. In your case, this is a valid parameter, and should prevent the need for you to add the host route only to remove it.

 : So why did we need that host route?

You need the host route to the destination as a simple sanity check. From the perspective of the kernel, there's no route to 192.168.1.17 if the IP bound to your interface is a /32. When you add the route, the sanity check succeeds.

Essentially, you are suppressing this sanity check by using the onlink parameter, which says "Yes, I know there's no route to IP 192.168.1.17 out this interface, but I know the IP is there on this link layer anyway, so set the route anyway and stop griping."*

Good luck,

-Martin

* RTNETLINK answers: Network is unreachable

-- 
Martin A. Brown
http://linux-ip.net/

From iam4u4real at yahoo.com Wed Nov 15 12:05:00 2006 
From: iam4u4real at yahoo.com (Seye Omotoso) Date: Wed Nov 15 12:05:12 2006 Subject: [LARTC] need bandwidth manager Message-ID: <20061115110500.80986.qmail@web52410.mail.yahoo.com>

dear sir,

i want to install and configure bandwidth manager using Redhat Linux server, i saw the codes to use from website but the problem is how to apply the code, will i be entering the code one after the other at shell prompt or put it in a notepad or how can I use the codes? I am a network engineer and I am new to using Linux Server.

Thank you
Regards,
Seye

From Daniel at musketa.de Wed Nov 15 12:07:56 2006 
From: Daniel at musketa.de (Daniel Musketa) Date: Wed Nov 15 12:08:12 2006 Subject: [LARTC] Shaping incoming VoIP traffic fails Message-ID: <200611151207.57109.Daniel@musketa.de>

Hello,

I'm trying to get lossless VoIP traffic over my 3000k/500k ADSL line. Shaping outgoing traffic is no problem: I set total ceil for outgoing device (ppp0) to 450kbit and put VoIP into highest prio class. Even during full upload the voice is clean on the other end.

Now I tried to get the same result for incoming data. I attached HTB to eth1 where the incoming voip traffic is forwarded to. But even when I set the ceiling for other traffic as low as 800kbit there are drop outs in incoming voice while "full" downloading.

Could I setup HTB better than below? Should I reduce eth1's queue length (now 1000)? If yes, how?

Thanks.

Daniel

-------- 8< --------
INT=eth1

# creating root and root class
tc qdisc add dev $INT root handle 1: htb default 10
tc class add dev $INT parent 1: classid 1:1 htb rate 1000mbit prio 0

# class for not forwarded traffic (and sfq leaf)
tc class add dev $INT parent 1:1 classid 1:10 htb \
    rate 997mbit ceil 1000mbit prio 1
tc qdisc add dev $INT parent 1:10 handle 10: sfq perturb 10

# class for forwarded traffic
tc class add dev $INT parent 1:1 classid 1:11 htb \
    rate 2500kbit ceil 2500kbit prio 0

# class for highest prio VOIP (and sfq leaf)
tc class add dev $INT parent 1:11 classid 1:110 htb \
    rate 200kbit ceil 2500kbit prio 0
tc qdisc add dev $INT parent 1:110 handle 110: sfq perturb 10

# class for higher prio traffic (and sfq leaf)
tc class add dev $INT parent 1:11 classid 1:111 \
    htb rate 1200kbit ceil 1500kbit prio 1
tc qdisc add dev $INT parent 1:111 handle 111: sfq perturb 10

# class for low prio traffic (and sfq leaf)
tc class add dev $INT parent 1:11 classid 1:112 htb \
    rate 100kbit ceil 800kbit prio 2
tc qdisc add dev $INT parent 1:112 handle 112: sfq perturb 10

# filters for forwarded traffic
tc filter add dev $INT parent 1: prio 0 protocol ip handle 110 fw flowid 1:110
tc filter add dev $INT parent 1: prio 1 protocol ip handle 111 fw flowid 1:111
tc filter add dev $INT parent 1: prio 2 protocol ip handle 112 fw flowid 1:112

# iptables rules for marking forwarded traffic
# put everything to lowest prio
iptables -t mangle -A FORWARD -o $INT -j MARK --set-mark 112
# VOIP traffic -> 110
iptables -t mangle -A FORWARD -o $INT -p udp --sport sip \
    -j MARK --set-mark 110
iptables -t mangle -A FORWARD -o $INT -p udp --dport sip \
    -j MARK --set-mark 110
iptables -t mangle -A FORWARD -o $INT -p udp --dport 10000:10500 \
    -j MARK --set-mark 110
# higher prio
iptables -t mangle -A FORWARD -o $INT -p tcp -m multiport \
    --sports 22,80,443,143 -j MARK --set-mark 111
iptables -t mangle -A FORWARD -o $INT -p icmp -j MARK --set-mark 111
-------- >8 --------

From alex at zoomnet.ro Wed Nov 15 13:27:34 2006 
From: alex at zoomnet.ro (Alexandru Dragoi) Date: Wed Nov 15 13:27:32 2006 Subject: [LARTC] netmask 255.255.255.255 vs ip route add via ... (bug?) In-Reply-To: References: Message-ID: <455B07B6.4010103@zoomnet.ro>

Martin A. Brown wrote:
> Greetings Andrew McGill,
>
> : I want to use the netmask 255.255.255.255 to insulate (not quite
> : isolate) machines on a shared subnet from each other. This works
> : just fine on win XP, but Linux iproute will not accept the
> : gateway address in one step -- neither on the command line nor
> : via DHCP:
>
> Try using the onlink nexthop flag for your route:
>
>   # ip route add onlink default via 192.168.1.17
>
shouldn't be

# ip route add onlink default via 192.168.1.17 dev $DEV

?

Because from the point of view of the kernel, 192.168.1.17 is unreachable, it must know the interface.

> This marks the route for entry even though the local routing table
> may not have a route to the nexthop destination. In your case, this
> is a valid parameter, and should prevent the need for you to add the
> host route only to remove it.
>
> : So why did we need that host route?
>
> You need the host route to the destination as a simple sanity check.
> From the perspective of the kernel, there's no route to 192.168.1.17
> if the IP bound to your interface is a /32. When you add the route,
> the sanity check succeeds.
>
> Essentially, you are suppressing this sanity check by using the
> onlink parameter, which says "Yes, I know there's no route to IP
> 192.168.1.17 out this interface, but I know the IP is there on this
> link layer anyway, so set the route anyway and stop griping."*
>
> Good luck,
>
> -Martin
>
> * RTNETLINK answers: Network is unreachable
>
> --
> Martin A. Brown
> http://linux-ip.net/

From Daniel at musketa.de Wed Nov 15 13:30:04 2006 From: Daniel at musketa.de (Daniel Musketa) Date: Wed Nov 15 13:30:21 2006 Subject: [LARTC] Shaping incoming VoIP traffic fails In-Reply-To: <200611151207.57109.Daniel@musketa.de> References: <200611151207.57109.Daniel@musketa.de> Message-ID: <200611151330.04357.Daniel@musketa.de>

On Wednesday 15 November 2006 12:07, Daniel Musketa wrote:
> Could I setup HTB better than below? Should I reduce eth1's queue length
> (now 1000)? If yes, how?

The txqueuelen can be changed by

ip link set eth1 txqlen

I tried values of 100 and 3 but can't hear an improvement.

I can watch traffic coming in on ppp0 with `iftop` and it never exceeds 900kbit. Why could a 2000kbit headroom be not enough for clean receiving of 80kbit VoIP data?

Daniel

From martin at linux-ip.net Wed Nov 15 15:04:03 2006 
From: martin at linux-ip.net (Martin A. Brown) Date: Wed Nov 15 15:05:23 2006 Subject: [LARTC] netmask 255.255.255.255 vs ip route add via ... (bug?) In-Reply-To: <455B07B6.4010103@zoomnet.ro> References: <455B07B6.4010103@zoomnet.ro> Message-ID:

Alexandru,

 : > # ip route add onlink default via 192.168.1.17
 : >
 : shouldn't be
 :
 : # ip route add onlink default via 192.168.1.17 dev $DEV
 : ?
 :
 : Because from the point of view of the kernel, 192.168.1.17 is
 : unreachable, it must know the interface.

Absolutely! Thank you for the correction of my omission.

-Martin

-- 
Martin A. Brown
http://linux-ip.net/

From andrewm at intoweb.co.za Wed Nov 15 15:20:27 2006 From: andrewm at intoweb.co.za (Andrew McGill) Date: Wed Nov 15 15:20:45 2006 Subject: [LARTC] netmask 255.255.255.255 vs ip route add via ... (bug?) In-Reply-To: References: <455B07B6.4010103@zoomnet.ro> Message-ID:

On Wednesday Nov 15, 2006 around 8:04am, Martin A. Brown wrote, ...
> : # ip route add onlink default via 192.168.1.17 dev $DEV
> : ?
> :
> : Because from the point of view of the kernel, 192.168.1.17 is
> : unreachable, it must know the interface.
>
> Absolutely! Thank you for the correction of my omission.

Is there a reason that 'onlink' is not the default behaviour when the device is specified? Would onlink add some information that is missing? e.g.

ip route add 12.0.0.0/8 via 5.5.5.5 dev eth0

should mean that 5.5.5.5 is directly connected to eth0 (rightly or wrongly).

&:-)
-- 
Overflow in kitchen sink. Do you want to report this error?

From pupilla at hotmail.com Wed Nov 15 16:21:22 2006 
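The nexthop sanity check Martin describes, and Alexandru's point that onlink needs an explicit dev, as a toy model (an added example, not kernel or iproute2 code): a small forwarding table in which a gateway route is accepted only when some directly connected route on the named device covers the gateway, unless onlink is given, and in which deleting a route checks nothing, which is the asymmetry Andrew reported. The Fib class and reproduce_thread function are this example's own names, and the onlink-without-dev error text is the model's.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[ipaddress.IPv4Address] = None  # None: directly connected
    onlink: bool = False

    def __str__(self) -> str:
        dst = "default" if self.prefix.prefixlen == 0 else str(self.prefix)
        gw = f" via {self.via}" if self.via else ""
        return f"{dst}{gw} dev {self.dev}" + (" onlink" if self.onlink else "")


class Fib:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add_addr(self, cidr: str, dev: str) -> None:
        """ip addr add <cidr> dev <dev>: a connected route for the prefix
        exists only when it is wider than /32, so a /32 address leaves no
        neighbour on the wire reachable (the thread's starting point)."""
        net = ipaddress.ip_interface(cidr).network
        if net.prefixlen < 32:
            self.routes.append(Route(net, dev))

    def lookup(self, addr: str, dev: Optional[str] = None) -> Optional[Route]:
        """Longest-prefix match over directly connected routes only, which
        is what the kernel's scope-link lookup of a gateway amounts to."""
        ip = ipaddress.ip_address(addr)
        best = None
        for r in self.routes:
            if r.via is None and ip in r.prefix and (dev is None or r.dev == dev):
                if best is None or r.prefix.prefixlen > best.prefix.prefixlen:
                    best = r
        return best

    def add_route(self, prefix: str, dev: Optional[str] = None,
                  via: Optional[str] = None, onlink: bool = False) -> Route:
        """ip route add <prefix> [via <gw>] [dev <dev>] [onlink]."""
        net = ipaddress.ip_network(prefix)
        gw = ipaddress.ip_address(via) if via else None
        if gw is not None and onlink:
            if dev is None:
                # check suppressed, so nothing tells the kernel which link
                # the gateway sits on (Alexandru's correction)
                raise OSError("RTNETLINK answers: No such device")
        elif gw is not None:
            hop = self.lookup(via, dev)
            if hop is None:
                # Martin's sanity check: no connected route covers the gateway
                raise OSError("RTNETLINK answers: Network is unreachable")
            dev = dev or hop.dev
        if dev is None:
            raise OSError("RTNETLINK answers: No such device")
        route = Route(net, dev, gw, onlink)
        self.routes.append(route)
        return route

    def del_route(self, prefix: str) -> None:
        """ip route del <prefix>: no check for routes that depended on it."""
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes if r.prefix != net]

    def show(self) -> List[str]:
        """ip route ls"""
        return [str(r) for r in self.routes]


def reproduce_thread() -> dict:
    """Replay the sequences from the thread and return what each yields."""
    out = {}
    fib = Fib()
    fib.add_addr("192.168.1.6/32", "eth0")
    try:
        fib.add_route("0.0.0.0/0", via="192.168.1.17")
        out["direct"] = "ok"
    except OSError as e:
        out["direct"] = str(e)
    # workaround: host route, then default route, then delete the host route
    fib.add_route("192.168.1.17/32", dev="eth0")
    fib.add_route("0.0.0.0/0", via="192.168.1.17")
    fib.del_route("192.168.1.17/32")
    out["after_workaround"] = fib.show()
    # onlink skips the check, but the device has to be named
    fib2 = Fib()
    fib2.add_addr("192.168.1.6/32", "eth0")
    try:
        fib2.add_route("0.0.0.0/0", via="192.168.1.17", onlink=True)
        out["onlink_no_dev"] = "ok"
    except OSError as e:
        out["onlink_no_dev"] = str(e)
    fib2.add_route("0.0.0.0/0", via="192.168.1.17", dev="eth0", onlink=True)
    out["onlink_dev"] = fib2.show()
    return out
```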
From: pupilla at hotmail.com (Marco Berizzi) Date: Wed Nov 15 16:22:16 2006 Subject: [LARTC] bypassing qdisc for some traffic Message-ID:

Hello everybody.
I would like to enable QoS on the internal firewall NIC (eth2) to prevent bandwidth saturation from ftp downloads (for example). This is my firewall schema.

                  ___ private network (100bit/s FD)
                  /
                 /
                |eth2
          +-----+-----+            traffic flow from dmz
          |           |            to private network
          |   linux   |            (from eth1 to eth2)
          |  router   |
          |     &     +--eth1------DMZ (100bit/s FD)
          |   Squid   |
          |           |
          +-----+-----+
                |
                |eth0 (HDSL 2mbit/s)
                |
            +--------+
            |  ISP   |
            | router |
            |        |
            +--------+

Problem: I don't want to limit traffic from eth1 to eth2. Is there a clean way to bypass the qdisc for certain kind of traffic (all traffic from eth1)?

From Daniel at musketa.de Wed Nov 15 16:43:10 2006 From: Daniel at musketa.de (Daniel Musketa) Date: Wed Nov 15 16:43:22 2006 Subject: [LARTC] bypassing qdisc for some traffic In-Reply-To: References: Message-ID: <200611151643.10569.Daniel@musketa.de>

> Problem: I don't want to limit traffic from eth1 to
> eth2. Is there a clean way to bypass the qdisc for
> certain kind of traffic (all traffic from eth1)?

You can create a 100mbit root class 1: rate 100mbit default 11, containing two subclasses: 1:10 rate 2mbit and 1:11 rate 98mbit ceil 100mbit. Use iptables to mark all traffic coming from eth0 to go to 1:10 ...

Daniel

From andy at andybev.com Wed Nov 15 17:47:22 2006 
From: andy at andybev.com (Andrew Beverley) Date: Wed Nov 15 17:49:00 2006 Subject: [LARTC] need bandwidth manager In-Reply-To: <20061115110500.80986.qmail@web52410.mail.yahoo.com> References: <20061115110500.80986.qmail@web52410.mail.yahoo.com> Message-ID: <1163609242.4037.7.camel@andybev.localdomain>

> i want to install and configure bandwidth manager
> using Redhat Linux server, i saw the codes to use from
> website but the problem is how to apply the code, will
> i be entering the code one after the other at shell
> prompt or put it in a notepad or how can I use the
> codes?

You can do either, but I suggest you put them in a bash script, which means that you will be able to run them again more easily. Make sure you start your script with '#!/bin/bash' and make it executable (chmod +x scriptname).

Andy Beverley

From abel.martin.ruiz at gmail.com Thu Nov 16 10:50:34 2006 
From: abel.martin.ruiz at gmail.com (Abel Martín) Date: Thu Nov 16 10:51:16 2006 Subject: [LARTC] Bridge and Router on the same device In-Reply-To: References: Message-ID: <915136920611160150m520c9c00o6c0c5c5467397668@mail.gmail.com>

On 11/13/06, Net Cerebrum wrote:
> I want to configure a device with three network interfaces where two of them
> would bridge two segments of the LAN subnet and the third one would be
> connected to the WAN link.
>
> eth0 - 10.10.10.2/24 to be connected to the internet gateway having IP
> 10.10.10.1/24 (also the default gateway for the device)
> eth1 and eth2 bridged as br0 with IP address 172.16.100.1 connected to
> different segments of the subnet 172.16.100.0/24.
>
>
>                  WAN (10.10.10.1)
>                         |
>                         |
>                  eth0 (10.10.10.2)
>
>
>       -----eth1                     eth2------
> LAN (172.16.100.0/24)         LAN (172.16.100.0/24)
>
>
> I plan to configure the Bridge IP ( 172.16.100.1) as the default gateway for
> the LAN and also regulate the traffic between the two bridged interfaces
> (eth1 and eth2) using a user space tool. Further since the traffic meant for
> internet would pass through eth0, there would be a need to regulate the
> traffic between eth1 and eth0 and also eth2 and eth0.
>
> Is the above arrangement feasible ? Would it be possible to define static
> routes on this device itself involving hosts reachable through either of the
> interfaces.
>
> Thank you in advance.
>

I think it's possible, but, what does "regulating traffic between the two bridged interfaces" mean? Remember that a bridge works at the data link layer, so I think it won't be possible to filter bridged traffic at higher layers (TCP/IP) on the bridge device. Maybe you can filter at network and transport layers on the physical interfaces which are attached to the bridge (eth1, eth2) with iptables if you really need it. Don't know if you mean filtering by saying "regulating".

Routing and bridging is possible. The default gateway for the hosts in 172.16.100.0/24 should be 172.16.100.1, and there's nothing wrong with using an IP which is bonded to a bridge interface. For traffic that needs to be routed from the 172.16.100.0/24 network through the WAN interface you can treat the bridge as a physical interface. 10.10.10.1 should be the default gateway for this machine.

Regards.

From larry.brigman at gmail.com Thu Nov 16 17:37:13 2006 From: larry.brigman at gmail.com (Larry Brigman) Date: Thu Nov 16 17:37:18 2006 Subject: [LARTC] Shaping incoming VoIP traffic fails In-Reply-To: <200611151330.04357.Daniel@musketa.de> References: <200611151207.57109.Daniel@musketa.de> <200611151330.04357.Daniel@musketa.de> Message-ID:

On 11/15/06, Daniel Musketa wrote:
> On Wednesday 15 November 2006 12:07, Daniel Musketa wrote:
> > Could I setup HTB better than below? Should I reduce eth1's queue length
> > (now 1000)? If yes, how?
>
> The txqueuelen can be changed by
>
> ip link set eth1 txqlen
>
> I tried values of 100 and 3 but can't hear an improvement.
>
> I can watch traffic coming in on ppp0 with `iftop` and it never exceeds
> 900kbit. Why could a 2000kbit headroom be not enough for clean receiving of
> 80kbit VoIP data?

Because you are not on the controlling side. The router upstream of you doesn't have the concept of priority of the voip traffic so what comes first, goes out first. Also if the download side can send at a higher rate than your line can handle, there will be a queue of packets at the router handling the bandwidth limitation.

From doudouyam at gmail.com Thu Nov 16 18:26:06 2006 
From: doudouyam at gmail.com (doudouyam) Date: Thu Nov 16 18:26:16 2006 Subject: [LARTC] HTB prio: global or per class ? Message-ID: <81c11a560611160926seb0c72ey4a6426a364274849@mail.gmail.com>

Hi all,

Is the prio specification in the htb class global or is it on a per class basis ? A simple example:

class 1:10 parent 1:
class 1:100 parent 1:10 prio 3
class 1:200 parent 1:10 prio 7
class 1:201 parent 1:200 prio 1
class 1:202 parent 1:200 prio 2

Which class will get excessive bandwidth first? 100 or 201/202 ?

From Daniel at musketa.de Thu Nov 16 23:16:34 2006 
From: Daniel at musketa.de (Daniel Musketa) Date: Thu Nov 16 23:49:31 2006 Subject: [LARTC] Shaping incoming VoIP traffic fails In-Reply-To: References: <200611151207.57109.Daniel@musketa.de> <200611151330.04357.Daniel@musketa.de> Message-ID: <200611162316.36105.Daniel@musketa.de>

On Thursday, 16 November 2006 17:37, Larry Brigman wrote:
> On 11/15/06, Daniel Musketa wrote:
> > I can watch traffic coming in on ppp0 with `iftop` and it never exceeds
> > 900kbit. Why could a 2000kbit headroom be not enough for clean receiving
> > of 80kbit VoIP data?
>
> Because [...] what comes first, goes out first. Also if the download
> side can send at a higher rate than your line can handle, there
> will be a queue of packets at the router handling the bandwidth
> limitation.

`iftop` shows me a rate of 800kbit for packets going out to the LAN on eth1. This is the ceil value for egress shaping from router to LAN.

But I also can watch the download rate of packets coming in from ppp0. And it's never more than 900kbit, so TCP's mechanism of lowering TX speed after delayed/missing ACKs seems to work. To me it looks as if there wasn't a filled queue on the ISP's side of the line.

`tc -s ...` shows me a backlog of about 20p in the "download class".

I still can't understand why more than 2 Mbit free bandwidth and an empty queue can cause drop outs ... mmh ...

Daniel

From narendra.c.tulpule at motorola.com Fri Nov 17 02:49:59 2006 
From: narendra.c.tulpule at motorola.com (Tulpule Naren-MGI2846) Date: Fri Nov 17 02:50:07 2006 Subject: [LARTC] Direct queue priority in HTB In-Reply-To: <200611162316.36105.Daniel@musketa.de> Message-ID:

Hi,
newbie question. In sch_htb.c:htb_dequeue() there is a comment "try to dequeue direct packets as high prio (!) to minimize cpu work". Does that mean that any unclassified packet (no class/filter applicable) is scheduled as the highest priority packet in HTB? If yes, what is the reason that the direct queue is not treated as the lowest priority best-effort?
TIA for any info.

-- Naren.

Narendra C. Tulpule        Principal Firmware Engineer, Staff
6450 Sequence Dr           +1-858-404-2650
San Diego, CA 92121        narendra.c.tulpule@motorola.com

From alancupid at yahoo.com Fri Nov 17 04:50:27 2006 From: alancupid at yahoo.com (alan tan) Date: Fri Nov 17 04:50:51 2006 Subject: [LARTC] HTB and bridge Message-ID: <20061117035027.14612.qmail@web90401.mail.mud.yahoo.com>

I have 2 nic cards with fedora installed. Now, do i need to install any bridge or gateway? or straight install and configure HTB? My objective is to limit bandwidth in and out from the ethernet card.

Thanks

From alancupid at yahoo.com Fri Nov 17 04:58:12 2006 From: alancupid at yahoo.com (alan tan) Date: Fri Nov 17 04:58:24 2006 Subject: [LARTC] HTB and bridge Message-ID: <20061117035812.40808.qmail@web90404.mail.mud.yahoo.com>

My objective is to limit bandwidth through each user's IP

Thanks

From heath at gaggle.net Fri Nov 17 04:59:22 2006 
From: heath at gaggle.net (Heath Henderson) Date: Fri Nov 17 04:59:42 2006 Subject: [LARTC] Generic Linux Router ? From newbie Message-ID: <25804006.1322741163735966014.JavaMail.root@gnmailrelay1.gaggle.net>

Hello list,

I apologize for the simplicity of this email. I have been given the task of setting up a failover connection at our office using old parts. Well, a few days and a couple of installs later, I have a successful configuration, but I am having an issue with my iptables setup. As I am new to the routing scene, I wondered if there was someone who would be able to help point me in the right directions.

I have a LAN router setup running CentOS 4.2, this box has 4 nics in it. IPs are as follows:

192.168.19.1 (primary WAN route)
192.168.20.1 (secondary WAN route)
192.168.21.1 (default PCLAN)
192.168.22.1 (VOIP LAN)

Currently I have a Firewall sitting on the Primary WAN connection as well as one on the secondary WAN connection (2 physical Firewalls). There are a few problems which I have not been able to overcome. I have been successful in getting ipfwd working, but now have noticed a new issue.

The goal internally was to allow the primary link to fail and then have our internet connection switch to the secondary wan route. (I have to do this through a script since I technically have a network between my primary fw and my secondary fw. (this doesn't usually go down!). This I think is easy enough, my Script will adjust the default route internally for this to be routed out.

HOWEVER,,,,,,

Our office uses a report server they have to be able to hit from the outside of our network when on the road. We have a Port forward setup on the firewalls to forward into the internal port on the server they need to access. But, the problem is, from the outside, users can only hit and access the firewall which is currently the default route for the internal network to get out. The firewall can ping from its internal interface all of the internal networks, but we can't seem to get through otherwise.

I would be happy to detail more information if needed, but I wondered if there was someone who would be able to lead me to a configuration which might allow this setup to work.

Thanks

-- 
Heath Henderson
heath@gaggle.net
1800 288 7750
--

From mkathuria at tuxtechnologies.co.in Fri Nov 17 09:43:31 2006 
From: mkathuria at tuxtechnologies.co.in (Manish Kathuria) Date: Mon Nov 20 23:51:54 2006 Subject: [LARTC] Bridge and Router on the same device In-Reply-To: <915136920611160150m520c9c00o6c0c5c5467397668@mail.gmail.com> References: <915136920611160150m520c9c00o6c0c5c5467397668@mail.gmail.com> Message-ID: <1df4abe60611170043o2316c075s93952a140ad0e7a2@mail.gmail.com>

On 11/16/06, Abel Martín wrote:
> On 11/13/06, Net Cerebrum wrote:
> >
> > I plan to configure the Bridge IP ( 172.16.100.1) as the default gateway for
> > the LAN and also regulate the traffic between the two bridged interfaces
> > (eth1 and eth2) using a user space tool. Further since the traffic meant for
> > internet would pass through eth0, there would be a need to regulate the
> > traffic between eth1 and eth0 and also eth2 and eth0.
> >
> > Is the above arrangement feasible ? Would it be possible to define static
> > routes on this device itself involving hosts reachable through either of the
> > interfaces.
> >
> > Thank you in advance.
> >
>
> I think it's possible, but, what does "regulating traffic between the
> two bridged interfaces" mean? Remember that a bridge works at the data link
> layer, so I think it won't be possible to filter bridged traffic at
> higher layers (TCP/IP) on the bridge device. Maybe you can filter at
> network and transport layers on the physical interfaces which are
> attached to the bridge (eth1, eth2) with iptables if you really need
> it. Don't know if you mean filtering by saying "regulating".
>
> Regards.
>

You can also check out ebtables and use them for filtering.

http://ebtables.sourceforge.net/

-- 
Manish Kathuria
Tux Technologies
http://www.tuxtechnologies.co.in/

From lists at andyfurniss.entadsl.com Fri Nov 17 12:09:14 2006 
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Mon Nov 20 23:52:30 2006
Subject: [LARTC] Shaping incoming VoIP traffic fails
In-Reply-To: <200611151207.57109.Daniel@musketa.de>
References: <200611151207.57109.Daniel@musketa.de>
Message-ID: <455D985A.7000903@andyfurniss.entadsl.com>

Daniel Musketa wrote:
> Hello,
>
> I'm trying to get lossless VoIP traffic over my 3000k/500k ADSL line. Shaping
> outgoing traffic is no problem: I set total ceil for outgoing device (ppp0)
> to 450kbit and put VoIP into highest prio class. Even during full upload the
> voice is clean on the other end.
>
> Now I tried to get the same result for incoming data. I attached HTB to eth1
> where the incoming voip traffic is forwarded to. But even when I set the
> ceiling for other traffic as low as 800kbit there are drop outs in incoming
> voice while "full" downloading.
>
> Could I setup HTB better than below? Should I reduce eth1's queue length (now
> 1000)? If yes, how?

If you use child qdiscs on classes then you set qlen with their params, only people that don't bother need to play with txqueuelen.

... sfq perturb 10 limit 16 ....

I think in this case - gig eth and because of gso/tso then it would be better not to shape on eth, but put ifb on ingress of ppp0.

If you really needed to use eth rather than ifb I would not use a default/ use default 0 and only classify traffic from wan - unclassified goes unshaped with htb.

You use iptables so may prefer the latter - but it looks like you could make tc rules to do the same for you in this case.

I would also give voip more of the bandwidth (rate) and make the lesser classes borrow.

Sfq is really only for bulk - not that it should make much difference as your voip class should never be backlogged, if set up as above.
To use ifb something like -

modprobe ifb
tc qdisc add dev ppp0 ingress
ip link set ifb0 up

tc filter add dev ppp0 parent ffff: \
  protocol ip prio 10 u32 match u32 0 0 \
  flowid 1:0 \
  action mirred egress redirect dev ifb0

Then add your htb rules/filters to ifb0

FWIW 64kbit 50pps voip = 80kbit IP level, for my dsl pppoa = 116kbit at atm level, for other pppoXs maybe 53*8*50 bit/s more. You can patch for dsl(atm) overheads, or wait for an in kernel solution.

Andy.

From orrie at seznam.cz Fri Nov 17 12:34:15 2006
From: orrie at seznam.cz (Ales Klok)
Date: Mon Nov 20 23:53:01 2006
Subject: [LARTC] Direct queue priority in HTB
In-Reply-To:
References:
Message-ID: <455D9E37.2070205@seznam.cz>

Tulpule Naren-MGI2846 wrote:
> Hi,
> newbie question. In sch_htb.c:htb_dequeue() there is a comment "try
> to dequeue direct packets as high prio (!) to minimize cpu work". Does
> that mean that any unclassified packet (no class/filter applicable) is
> scheduled as the highest priority packet in HTB? If yes, what is the
> reason that the direct queue is not treated as the lowest priority
> best-effort?
> TIA for any info.
>
> -- Naren.
>
> Narendra C. Tulpule Principal Firmware Engineer, Staff
> 6450 Sequence Dr +1-858-404-2650
> San Diego, CA 92121 narendra.c.tulpule@motorola.com
>

Yes, unclassified traffic is dequeued at hardware speed bypassing any defined qdiscs. It is up to you to specify default class and make it low prio. Right now i can't think of any reason for that behavior.
/ak

From Philipp.Leusmann at rwth-aachen.de Sat Nov 18 11:54:27 2006
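The ifb procedure Andy Furniss sketches in his reply to Daniel above (modprobe ifb, ingress qdisc on the WAN device, catch-all u32 filter with a mirred redirect, then HTB on the ifb device with VoIP guaranteed a rate and the bulk class borrowing), written out as an added example script. This is not code from the thread or from any project named on the page. The device names, the ceiling, the VoIP rate and the VoIP UDP port are assumptions passed as arguments, and the TC_DRY_RUN switch, which prints the tc/ip commands instead of running them, is also an addition so the generated rule set can be reviewed before it touches a live box.

```shell
#!/bin/sh
# Added example, not code from the LARTC thread: ingress shaping through
# an ifb device, following the steps Andy Furniss outlines (modprobe ifb,
# ingress qdisc on the WAN device, u32 catch-all filter with a mirred
# redirect, then HTB on the ifb device). Device names, rates and the VoIP
# port are assumptions supplied as arguments.
#
# TC_DRY_RUN=1 prints the commands instead of executing them, so the rule
# set can be reviewed (or unit-tested) without root and without a ppp0.

run() {
    if [ "${TC_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ingress_to_ifb WAN IFB
# Every IP packet arriving on WAN is redirected to IFB, where a normal
# egress qdisc can shape it. flowid 1:0 is the placeholder Andy uses.
ingress_to_ifb() {
    wan=$1; ifb=$2
    run modprobe ifb
    run ip link set "$ifb" up
    run tc qdisc add dev "$wan" ingress
    run tc filter add dev "$wan" parent ffff: protocol ip prio 10 u32 \
        match u32 0 0 flowid 1:0 action mirred egress redirect dev "$ifb"
}

# htb_voip_tree IFB CEIL_KBIT VOIP_KBIT VOIP_UDP_PORT
# Two leaf classes under one parent: VoIP gets a guaranteed rate and the
# highest prio; bulk (the default class) gets the remainder and may
# borrow up to the ceiling. sfq goes only on the bulk class, as Andy
# says sfq is really for bulk traffic.
htb_voip_tree() {
    ifb=$1; ceil=$2; voip=$3; port=$4
    bulk=$((ceil - voip))
    run tc qdisc add dev "$ifb" root handle 1: htb default 20
    run tc class add dev "$ifb" parent 1: classid 1:1 htb \
        rate "${ceil}kbit" ceil "${ceil}kbit"
    run tc class add dev "$ifb" parent 1:1 classid 1:10 htb \
        rate "${voip}kbit" ceil "${ceil}kbit" prio 0
    run tc class add dev "$ifb" parent 1:1 classid 1:20 htb \
        rate "${bulk}kbit" ceil "${ceil}kbit" prio 1
    run tc qdisc add dev "$ifb" parent 1:20 handle 20: sfq perturb 10
    # classify incoming RTP by its UDP destination port (assumed value)
    run tc filter add dev "$ifb" parent 1: protocol ip prio 1 u32 \
        match ip protocol 17 0xff match ip dport "$port" 0xffff flowid 1:10
}

# Usage: sh shape.sh WAN IFB CEIL_KBIT VOIP_KBIT VOIP_UDP_PORT
if [ $# -eq 5 ]; then
    ingress_to_ifb "$1" "$2"
    htb_voip_tree "$2" "$3" "$4" "$5"
fi
```

Review the output first with something like `TC_DRY_RUN=1 sh shape.sh ppp0 ifb0 2800 200 5060` (a ceiling a little under Daniel's 3000k line and a 200kbit VoIP reservation are the assumed numbers here), then run it as root without TC_DRY_RUN. Because everything reaching ifb0 came in on the WAN device, an HTB default class is safe on ifb0; Andy's "default 0, classify only WAN traffic" advice is for the case where you shape on the shared eth device instead.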
From: Philipp.Leusmann at rwth-aachen.de (Philipp Leusmann)
Date: Mon Nov 20 23:58:01 2006
Subject: AW: AW: AW: [LARTC] Why did I need strange ceiling settings? (fullversion)
In-Reply-To: <455A1B5F.3010609@andyfurniss.entadsl.com>
Message-ID: <001501c70aff$eca7d9f0$0200a8c0@marvin>

Hi Andy,

I made the dumpfile and will send it to you in a separate private email. I cannot see anything suspicious, but maybe I am not looking for the right thing.

Same goes for netstat -s | grep retrans : The count does not rise during the transfer.

For the modem, here is what it says:

                           down       up
Bit-rate (fast)          : 15694      915
Bit-rate (relative cap.) : 100 %      100 %
Bit-rate (max)           : 15694      915
FEC error (fast)         : 7116       0
CRC error (fast)         : 13421      0
HEC error (fast)         : 5051       0
Noise margin             : 8.3 dB     8.5 dB
Attenuation              : 16.0 dB    12.8 dB
Transmit power           : 22.3 dBm   12.3 dBm
First channel            : 64         33
Last channel             : 505        59
Channel gaps             : 95 110 127 188 191 243 291 348

All this is very irritating. I don't think it depends on the remote host, because it appears on every remote I try. Are you sure that tc makes everything right? I would say it's the easiest point of failure.

Do you have any more ideas?

Thanks,
Philipp

> -----Original Message-----
> From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl]
> On behalf of Andy Furniss
> Sent: Tuesday, 14 November 2006 20:39
> To: Philipp Leusmann
> Cc: lartc@mailman.ds9a.nl
> Subject: Re: AW: AW: [LARTC] Why did I need strange ceiling settings?
> (fullversion)
>
> Philipp Leusmann wrote:
> > Hi andy,
> >
> > I reset the ceiling to 600kbit and get the same bad results as before.
> Also
> > I set all classes to use the same quantum which is mtu (it is 1488
> here).
> > Here is the output you requested:
> >
> > > class htb 1:103 parent 1:1 leaf 801b: prio 2 quantum 1488 rate 250000bit
> > ceil 600000bit burst 1724b/8 mpu 0b overhead 0b cburst 1899b/8 mpu 0b
> > overhead 0b level 0
> > Sent 27111784 bytes 28505 pkts (dropped 0, overlimits 0)
> > rate 286232bit 34pps backlog 2p
> > lended: 12193 borrowed: 16310 giants: 0
> > tokens: -83395 ctokens: -41934
>
> That is strange - assuming that upload is tcp, there are no drops and
> only a backlog of 2.
>
> When uploading you are somewhat dependent on the size of the window
> advertised by the far end - also loss, which in this case is not by htb,
> will make your cwind small.
>
> I think what you need to do is tcpdump -s 100 -w dumpfile the connection
> from the start and have a look/ post what's going on.
>
> Another way to see if it's external loss is on the sender do a few
>
> netstat -s | grep retrans
>
> and look at the counter.
>
> Small chance there could be some window scaling mismatch caused by a
> broken router in the way.
>
> The loss could be isp/target server dropping or -
>
> You mentioned a nominal upload rate of 1mbit which you don't reach. If
> you are synced at a low target SNR margin then some modems will doggedly
> hold the line and take the loss - others will drop and resync (often at
> a similar rate as the extra noise that causes the resync is gone when it
> retrains). I have to limit my downrate to 75% of 6db speed and it still
> drops sometimes. My up is solid, though, as it's limited to 50% due to
> the product I am on (448/up to 8128 - horribly asymmetric if I could
> sync at 8128)
>
> As to why shaping on/off makes such a difference - I am not sure, you
> are backlogged so there is some limiting happening, so maybe the higher
> speeds achieved without htb rely on being able to burst out full speed
> whenever loss is low.
>
> Andy.
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From atlantos at gmail.com Fri Nov 17 14:53:04 2006
From: atlantos at gmail.com (Viktar Sakovich)
Date: Tue Nov 21 00:04:08 2006
Subject: [LARTC] HTB prio: global or per class ?
In-Reply-To: <81c11a560611162357o6b97efb3t768f5081c64d2081@mail.gmail.com>
References: <81c11a560611160926seb0c72ey4a6426a364274849@mail.gmail.com> <06111620392300.01376@localhost> <81c11a560611162357o6b97efb3t768f5081c64d2081@mail.gmail.com>
Message-ID: <06111715530400.00818@localhost>

On Friday 17 November 2006 09:57, you wrote:
> Okay
>
> Which among you rightly? Who tests that ?

Me for example.

> If the prio is global, it's strange and not very useful and limits a
> lot the HTB scheduler.

I agree. But it's the way it works.

> Normally if HTB respects the diffserv, the prio are per class basis.
> Why is it global a
>
> 2006/11/16, Viktar Sakovich :
> > On Thursday 16 November 2006 19:26, you wrote:
> > > Hi all,
> > >
> > > Is the prio specification in the htb class global or is it on a per
> > > class basis ?
> > >
> > > A simple example:
> > >
> > > class 1:10 parent 1:
> > > class 1:100 parent 1:10 prio 3
> > >
> > > class 1:200 parent 1:10 prio 7
> > > class 1:201 parent 1:200 prio 1
> > > class 1:202 parent 1:200 prio 2
> > >
> > > Which class will get excessive bandwidth first? 100 or 201/202 ?
> >
> > Prio specification in the htb class is global. In this example 201/202
> > will
> > get all bandwidth.

From hazelsnitzel0 at cox.net Mon Nov 20 17:18:07 2006
From: hazelsnitzel0 at cox.net (Hazelsnitzel)
Date: Tue Nov 21 00:08:10 2006
Subject: [LARTC] LSA increase? Newbie question
Message-ID: <7.0.1.0.2.20061120074721.021aeaa0@cox.net>

Greetings,

I have been asked to use NetEm to do a laboratory emulation of some low performance links of a subset of a target network. My task manager has asked me to determine whether LSAs will increase in the lab configuration as compared to the target network.

The subset of the target network that I have to emulate consists of 6 routers, A..F, in the following configuration, where (i) and (ii) represent two different sets of link performance characteristics:

...A---(i)-----
              |
...B---(i)----D---(ii)----E---(i)----F...
              |
...C---(i)-----

In the lab network, routers A..F will be connected to the same Linux box which will use NetEm to emulate the link characteristics. However, the Linux box will be using static routing.

My intuition tells me that LSAs would not increase because the Linux box will be using static routing, but I don't know anything about OSPF. Can someone else chime in on this?

Thanks in advance,
Bob

From orrie at seznam.cz Fri Nov 17 12:19:53 2006
From: orrie at seznam.cz (Ales Klok)
Date: Tue Nov 21 00:09:30 2006
Subject: [LARTC] HTB prio: global or per class ?
In-Reply-To: <81c11a560611160926seb0c72ey4a6426a364274849@mail.gmail.com>
References: <81c11a560611160926seb0c72ey4a6426a364274849@mail.gmail.com>
Message-ID: <455D9AD9.8030500@seznam.cz>

201 will get excessive bandwidth first.
/ak

doudouyam wrote:
> Hi all,
>
> Is the prio specification in the htb class global or is it on a per class basis ?
>
> A simple example:
>
> class 1:10 parent 1:
> class 1:100 parent 1:10 prio 3
>
>
> class 1:200 parent 1:10 prio 7
> class 1:201 parent 1:200 prio 1
> class 1:202 parent 1:200 prio 2
>
> Which class will get excessive bandwidth first? 100 or 201/202 ?

From drew.einhorn at gmail.com Tue Nov 21 00:43:50 2006
From: drew.einhorn at gmail.com (drew einhorn)
Date: Tue Nov 21 00:44:00 2006
Subject: [LARTC] Fwd: Traffic Shaping on a Transparent Bridge not working!
In-Reply-To:
References:
Message-ID:

I'm trying to shape traffic on a Devil-Linux box.

This note was originally sent to their maillist, because the LARTC list appears to have been down for the past few days. My mailbox was just flooded with a half dozen or so confirmation requests in response to my repeated attempts to subscribe to this list.

---------- Forwarded message ----------
From: drew einhorn
Date: Nov 19, 2006 11:51 PM
Subject: Traffic Shaping on a Transparent Bridge not working!
To: devil-linux-discuss@lists.sourceforge.net

My first DL project was going well. Then I ran into problems attempting to shape my bandwidth.

First I'll describe the parts that I believe are working correctly.

I have a DL 1.2.11 box running the default kernel, 2.4.33.3-grsec

I have br0 bridging all four ports eth0, eth1, eth2, eth3 on a quad port pci card. The bridge has not been assigned an ip number on the theory that this makes it much more difficult to attack. The bridge connects four devices on the 3bit public static ip block from my ISP.

I have a single port ethernet pci card, eth4 with a static ip, on my internal private ip network. It is used for remote management of the DL box from anywhere on my internal network.

eth0 is connected to my ISP's router via the ethernet port on my ISDN modem. I know ISDN is a nearly dead technology, but it's the best thing my crappy telco offers. Tried a satellite ISP, but that's another long and sad story.

eth1 is connected to a hardened publicly accessible host.

eth2 and eth3 are connected to the WAN ports on a couple of Linksys Cable/DSL routers. Eventually most of their functions will migrate to the DL box, but that is more than I wanted to bite off in my first DL project.

The first Linksys box NATs one of my public ips to my internal private ip network. The second Linksys box is newer and includes a wireless access point used by a couple neighbors. It NATs a second public ip to a separate private ip network.

All of the above appears to be working as expected.

After pondering the mysteries of traffic shaping I decided to start with wondershaper 1.1a from lartc.org, rather than starting from scratch.

Tried both the cbq and htb versions without any success.

RTFM time. The htb section of http://lartc.org/howto/index.html is easier reading than the cbq section. And the howto claims htb is better anyway.
Let's focus on the htb version of wondershaper.

OK, First we edit wshaper.htb and configure the shell variables. Then we run: sh -x wshaper.htb
to echo the commands as they are executed.

Then we start pinging the router at the other end of the ISDN line.

Then we start downloading a file to generate some traffic that really needs to be shaped.

Then we run: sh -x wshaper.htb status
to gather some statistics

then we kill the download.

then we sh -x wshaper.htb stop to shut down the malfunctioning shaper.

Here's the output from the ping:

$ ping 67.0.192.10
PING 67.0.192.10 (67.0.192.10) 56(84) bytes of data.

Link is idle, normal ping times.

64 bytes from 67.0.192.10: icmp_seq=0 ttl=254 time=48.5 ms
64 bytes from 67.0.192.10: icmp_seq=1 ttl=254 time=48.4 ms
64 bytes from 67.0.192.10: icmp_seq=2 ttl=254 time=48.4 ms
64 bytes from 67.0.192.10: icmp_seq=3 ttl=254 time=48.4 ms
64 bytes from 67.0.192.10: icmp_seq=4 ttl=254 time=48.5 ms
64 bytes from 67.0.192.10: icmp_seq=5 ttl=254 time=67.8 ms
64 bytes from 67.0.192.10: icmp_seq=6 ttl=254 time=48.3 ms
64 bytes from 67.0.192.10: icmp_seq=7 ttl=254 time=48.2 ms

Download starts. Shaping is not working! Queues in router and/or ISDN modem grow, and ping times rapidly become huge.
64 bytes from 67.0.192.10: icmp_seq=8 ttl=254 time=184 ms
64 bytes from 67.0.192.10: icmp_seq=9 ttl=254 time=1080 ms
64 bytes from 67.0.192.10: icmp_seq=10 ttl=254 time=2025 ms
64 bytes from 67.0.192.10: icmp_seq=11 ttl=254 time=1551 ms
64 bytes from 67.0.192.10: icmp_seq=12 ttl=254 time=1078 ms
64 bytes from 67.0.192.10: icmp_seq=13 ttl=254 time=896 ms
64 bytes from 67.0.192.10: icmp_seq=14 ttl=254 time=1088 ms
64 bytes from 67.0.192.10: icmp_seq=15 ttl=254 time=1171 ms
64 bytes from 67.0.192.10: icmp_seq=16 ttl=254 time=1272 ms
64 bytes from 67.0.192.10: icmp_seq=17 ttl=254 time=1280 ms
64 bytes from 67.0.192.10: icmp_seq=18 ttl=254 time=1101 ms
64 bytes from 67.0.192.10: icmp_seq=19 ttl=254 time=1258 ms
64 bytes from 67.0.192.10: icmp_seq=20 ttl=254 time=1211 ms
64 bytes from 67.0.192.10: icmp_seq=21 ttl=254 time=1259 ms
64 bytes from 67.0.192.10: icmp_seq=22 ttl=254 time=1373 ms
64 bytes from 67.0.192.10: icmp_seq=23 ttl=254 time=1424 ms
64 bytes from 67.0.192.10: icmp_seq=24 ttl=254 time=1461 ms
64 bytes from 67.0.192.10: icmp_seq=25 ttl=254 time=1277 ms
64 bytes from 67.0.192.10: icmp_seq=26 ttl=254 time=1521 ms
64 bytes from 67.0.192.10: icmp_seq=27 ttl=254 time=1467 ms
64 bytes from 67.0.192.10: icmp_seq=28 ttl=254 time=1335 ms
64 bytes from 67.0.192.10: icmp_seq=29 ttl=254 time=1329 ms
64 bytes from 67.0.192.10: icmp_seq=30 ttl=254 time=1386 ms
64 bytes from 67.0.192.10: icmp_seq=31 ttl=254 time=1360 ms
64 bytes from 67.0.192.10: icmp_seq=32 ttl=254 time=1416 ms
64 bytes from 67.0.192.10: icmp_seq=33 ttl=254 time=1480 ms
64 bytes from 67.0.192.10: icmp_seq=34 ttl=254 time=1345 ms
64 bytes from 67.0.192.10: icmp_seq=35 ttl=254 time=1356 ms
64 bytes from 67.0.192.10: icmp_seq=36 ttl=254 time=1370 ms
64 bytes from 67.0.192.10: icmp_seq=37 ttl=254 time=1278 ms
64 bytes from 67.0.192.10: icmp_seq=38 ttl=254 time=1612 ms
64 bytes from 67.0.192.10: icmp_seq=39 ttl=254 time=1520 ms
64 bytes from 67.0.192.10: icmp_seq=40 ttl=254 time=1322 ms
64 bytes from 67.0.192.10: icmp_seq=41 ttl=254 time=1545 ms

Kill the download. queues drain and ping times return to normal

64 bytes from 67.0.192.10: icmp_seq=42 ttl=254 time=975 ms
64 bytes from 67.0.192.10: icmp_seq=43 ttl=254 time=67.4 ms
64 bytes from 67.0.192.10: icmp_seq=44 ttl=254 time=73.6 ms
64 bytes from 67.0.192.10: icmp_seq=45 ttl=254 time=45.2 ms
64 bytes from 67.0.192.10: icmp_seq=46 ttl=254 time=45.2 ms
64 bytes from 67.0.192.10: icmp_seq=47 ttl=254 time=44.8 ms

And, here's the shell commands and their output:

root@Devil:~ # sh -x wshaper.htb
+ DOWNLINK=100
+ UPLINK=100
+ DEV=eth0
+ NOPRIOHOSTSRC=
+ NOPRIOHOSTDST=
+ NOPRIOPORTSRC=
+ NOPRIOPORTDST=
+ '[' '' = status ']'
+ tc qdisc del dev eth0 root
+ tc qdisc del dev eth0 ingress
+ '[' '' = stop ']'
+ tc qdisc add dev eth0 root handle 1: htb default 20
+ tc class add dev eth0 parent 1: classid 1:1 htb rate 100kbit burst 6k
+ tc class add dev eth0 parent 1:1 classid 1:10 htb rate 100kbit burst 6k prio 1
+ tc class add dev eth0 parent 1:1 classid 1:20 htb rate 90kbit burst 6k prio 2
+ tc class add dev eth0 parent 1:1 classid 1:30 htb rate 80kbit burst 6k prio 2
+ tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
+ tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
+ tc qdisc add dev eth0 parent 1:30 handle 30: sfq perturb 10
+ tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 match ip tos 0x10 0xff flowid 1:10
+ tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 match ip protocol 1 0xff flowid 1:10
+ tc filter add dev eth0 parent 1: protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:10
+ tc filter add dev eth0 parent 1: protocol ip prio 18 u32 match ip dst 0.0.0.0/0 flowid 1:20
+ tc qdisc add dev eth0 handle ffff: ingress
+ tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 100kbit burst 10k drop flowid :1

root@Devil:~ # sh -x wshaper.htb status
+ DOWNLINK=100
+ UPLINK=100
+ DEV=eth0
+ NOPRIOHOSTSRC=
+ NOPRIOHOSTDST=
+ NOPRIOPORTSRC=
+ NOPRIOPORTDST=
+ '[' status = status ']'
+ tc -s qdisc ls dev eth0
qdisc htb 1: r2q 10 default 20 direct_packets_stat 0
 Sent 18649 bytes 191 pkts (dropped 0, overlimits 0)
qdisc sfq 10: parent 1:10 limit 128p quantum 1514b perturb 10sec
 Sent 10582 bytes 147 pkts (dropped 0, overlimits 0)
qdisc sfq 20: parent 1:20 limit 128p quantum 1514b perturb 10sec
 Sent 8067 bytes 44 pkts (dropped 0, overlimits 0)
qdisc sfq 30: parent 1:30 limit 128p quantum 1514b perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc ingress ffff: ----------------
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
+ tc -s class ls dev eth0
class htb 1:1 root rate 100000bit ceil 100000bit burst 6Kb cburst 1724b
 Sent 18649 bytes 191 pkts (dropped 0, overlimits 0)
 rate 1320bit 1pps
 lended: 0 borrowed: 0 giants: 0
 tokens: 398459 ctokens: 108855

class htb 1:10 parent 1:1 leaf 10: prio 1 rate 100000bit ceil 100000bit burst 6Kb cburst 1724b
 Sent 10582 bytes 147 pkts (dropped 0, overlimits 0)
 rate 656bit 1pps
 lended: 147 borrowed: 0 giants: 0
 tokens: 398459 ctokens: 108855

class htb 1:20 parent 1:1 leaf 20: prio 2 rate 90000bit ceil 90000bit burst 6Kb cburst 1711b
 Sent 8067 bytes 44 pkts (dropped 0, overlimits 0)
 rate 712bit
 lended: 44 borrowed: 0 giants: 0
 tokens: 432284 ctokens: 109555

class htb 1:30 parent 1:1 leaf 30: prio 2 rate 80000bit ceil 80000bit burst 6Kb cburst 1699b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 503316 ctokens: 139264

+ exit
root@Devil:~ # sh -x wshaper.htb stop
+ DOWNLINK=100
+ UPLINK=100
+ DEV=eth0
+ NOPRIOHOSTSRC=
+ NOPRIOHOSTDST=
+ NOPRIOPORTSRC=
+ NOPRIOPORTDST=
+ '[' stop = status ']'
+ tc qdisc del dev eth0 root
+ tc qdisc del dev eth0 ingress
+ '[' stop = stop ']'
+ exit
root@Devil:~ #

Don't think we generated enough uplink traffic to exercise the htb qdiscs. But it doesn't look like the ingress qdisc is working at all.
I'm out of ideas for now.

--
Drew Einhorn

From bob.beers at gmail.com Tue Nov 21 01:46:00 2006
From: bob.beers at gmail.com (Bob Beers)
Date: Tue Nov 21 01:46:08 2006
Subject: [LARTC] Re: iptables rule not matching after stream begins
In-Reply-To: <4f6ba3b0611200730j337ad29xc69dd63b205060c4@mail.gmail.com>
References: <4f6ba3b0611200730j337ad29xc69dd63b205060c4@mail.gmail.com>
Message-ID: <4f6ba3b0611201646k750995d3oe0cd605890b7f2a7@mail.gmail.com>

Trying again, after re-subscribing:

On 11/20/06, Bob Beers wrote:
> Hello,
>
> I want to dynamically create DNAT rules for
> RTP streams (port-mapping for a SIP proxy).
>
> If my proxy adds the rule before the first packet
> of the RTP stream hits the port, all is well. But, if
> the stream begins arriving before my rule is in
> place, it never matches. I cannot always be
> sure that the info for setting up the rule
> arrives sufficiently ahead of the stream.
>
> I suspect there is a simple resolution to my
> problem. Does anyone else see this behavior,
> and will share with me the solution?
>
> Apologies if there is a better place to seek an
> answer to this question, please redirect me as
> necessary.
>
> I am using kernel 2.6.15.4, and iptables 1.3.3.
>
> My rules are similar to this:
> iptables -I PREROUTING -t nat -p UDP \
> -d --dport \
> -j DNAT --to-destination
> iptables -I FORWARD -p UDP \
> -d --dport
>
> --
> -Bob

From flophousejoe-lartc-zvbbfzu at halibutdepot.org Tue Nov 21 02:00:09 2006
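Drew Einhorn's `wshaper.htb status` output above is read by eye: he spots that class 1:30 and the ingress qdisc have "Sent 0 bytes". The following added example (not code from the thread or from wondershaper) does that reading mechanically: it turns `tc -s class ls dev DEV` output into one line per class and lists the classes that carried nothing or that dropped packets, which is the quickest way to tell whether filters are steering traffic where you think they are. TC_SAMPLE is a constructed sample in the same layout as the output on this page (the dropped count of 3 on class 1:10 is invented to exercise the drop check); the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: a small summary over
# "tc -s class ls dev DEV" output, so you can see at a glance which
# class is actually carrying packets and which one has sent nothing
# (the check Drew applies by eye to his wshaper.htb status output).
# Columns printed: classid sent_bytes packets dropped rate
#
# TC_SAMPLE is a constructed sample in the same format as the thread's
# output; with a device argument the script reads the live tc output.

TC_SAMPLE='class htb 1:1 root rate 100000bit ceil 100000bit burst 6Kb cburst 1724b
 Sent 18649 bytes 191 pkts (dropped 0, overlimits 0)
 rate 1320bit 1pps
 lended: 0 borrowed: 0 giants: 0
 tokens: 398459 ctokens: 108855

class htb 1:10 parent 1:1 leaf 10: prio 1 rate 100000bit ceil 100000bit burst 6Kb cburst 1724b
 Sent 10582 bytes 147 pkts (dropped 3, overlimits 0)
 rate 656bit 1pps
 lended: 147 borrowed: 0 giants: 0
 tokens: 398459 ctokens: 108855

class htb 1:30 parent 1:1 leaf 30: prio 2 rate 80000bit ceil 80000bit burst 6Kb cburst 1699b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 503316 ctokens: 139264'

# tc_class_summary: tc -s class output on stdin, one line per class on stdout.
# A class block starts at a "class" line; the indented "Sent" line carries
# bytes, packets and the dropped counter; the optional "rate" line carries
# the measured rate (absent for a class that has never sent anything).
tc_class_summary() {
    awk '
        function flush() {
            if (id != "")
                printf "%s %s %s %s %s\n", id, sent, pkts, dropped, rate
            id = ""
        }
        /^class / { flush(); id = $3; sent = pkts = dropped = "?"; rate = "-" }
        /^ *Sent / { sent = $2; pkts = $4; d = $7; sub(/,/, "", d); dropped = d }
        /^ *rate / { rate = $2 }
        END { flush() }
    '
}

# tc_idle_classes: classids that have not sent a single packet
tc_idle_classes() {
    tc_class_summary | awk '$3 == 0 { print $1 }'
}

# tc_dropping_classes: classids whose leaf queue dropped packets
tc_dropping_classes() {
    tc_class_summary | awk '$4 > 0 { print $1 }'
}

# Usage: sh tcsum.sh eth0   (reads the live counters for that device)
if [ $# -eq 1 ]; then
    tc -s class ls dev "$1" | tc_class_summary
fi
```

Against the embedded sample, `printf '%s\n' "$TC_SAMPLE" | tc_class_summary` prints `1:1 18649 191 0 1320bit`, `1:10 10582 147 3 656bit` and `1:30 0 0 0 -`; `tc_idle_classes` reports `1:30` and `tc_dropping_classes` reports `1:10`. The awk only depends on the "Sent ... bytes ... pkts (dropped N," shape, which later tc versions also keep (they say "pkt" and add "requeues"), so the same script works on a current box.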
From: flophousejoe-lartc-zvbbfzu at halibutdepot.org (Flophouse Joe)
Date: Tue Nov 21 02:00:15 2006
Subject: [LARTC] Re: iptables rule not matching after stream begins
In-Reply-To: <4f6ba3b0611201646k750995d3oe0cd605890b7f2a7@mail.gmail.com>
References: <4f6ba3b0611200730j337ad29xc69dd63b205060c4@mail.gmail.com> <4f6ba3b0611201646k750995d3oe0cd605890b7f2a7@mail.gmail.com>
Message-ID:

On Mon, 20 Nov 2006, Bob Beers wrote:

>> I want to dynamically create DNAT rules for
>> RTP streams (port-mapping for a SIP proxy).

Have you considered testing any of the patches from netfilter's patch-o-matic? There are two patches that seem promising. Quoting from the netfilter website:

http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-rtsp-conntrack

rtsp-conntrack - RTSP connection tracking and nat helper
Author: Tom Marshall
Status: Beta - needs some testing and porting to 2.6.x

This patch adds CONFIG_IP_NF_RTSP: support for the RTSP protocol. This allows UDP transports to be setup properly, including RTP and RDT.

http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-sip-conntrack-nat

ip-conntrack-nat - SIP connection tracking and NAT helper
Author: Christian Hentschel
Status: Alpha

This adds CONFIG_IP_NF_SIP: SIP support module for netfilter connection tracking and NAT. The SIP conntrack/NAT modules support the connection tracking/NATing of the data streams requested on the dynamic RTP/RTCP ports, as well as mangling of SIP requests/responses.

Joe

From lists at andyfurniss.entadsl.com Tue Nov 21 02:45:54 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Tue Nov 21 02:45:54 2006
Subject: [LARTC] Direct queue priority in HTB
In-Reply-To: <455D9E37.2070205@seznam.cz>
References: <455D9E37.2070205@seznam.cz>
Message-ID: <45625A52.4060307@andyfurniss.entadsl.com>

Ales Klok wrote:
> Tulpule Naren-MGI2846 wrote:
>
>> Hi,
>> newbie question. In sch_htb.c:htb_dequeue() there is a comment "try
>> to dequeue direct packets as high prio (!) to minimize cpu work". Does
>> that mean that any unclassified packet (no class/filter applicable) is
>> scheduled as the highest priority packet in HTB? If yes, what is the
>> reason that the direct queue is not treated as the lowest priority
>> best-effort?
>> TIA for any info.
>>
>> -- Naren.
>>
>> Narendra C. Tulpule Principal Firmware Engineer, Staff
>> 6450 Sequence Dr +1-858-404-2650
>> San Diego, CA 92121 narendra.c.tulpule@motorola.com
>>
>
>
> Yes, unclassified traffic is dequeued at hardware speed bypassing any
> defined qdiscs. It is up to you to specify default class and make it low
> prio. Right now i can't think of any reason for that behavior.
> /ak

You want arp/dhcp etc. to go to a low prio class?

Andy.

From jaquesleroux at gmail.com Tue Nov 21 06:38:52 2006
From: jaquesleroux at gmail.com (Jaques le Roux)
Date: Tue Nov 21 06:38:57 2006
Subject: [LARTC] Fwd: Traffic Shaping on a Transparent Bridge not working!
In-Reply-To:
References:
Message-ID: <25c8b6d30611202138s7a88bb81me1810833ad9f2f08@mail.gmail.com>

I have also tried the Wondershaper script in the past when first getting into QoS etc.. This script only really helps for egress shaping for those who have DSL lines and a lot of uplink traffic, and want to bring down response times for gaming etc...

Try FairNat, It doesn't support multiple subnets, but since you have separate external IP's, it might just be able to help. I use it (and modified mine), and it is currently working very well.

Thinking of trying HFSC, instead of HTB in the future, but getting docs that make sense is my current problem...

I hope this helps, since I am also quite new to all this myself. But sure is fun fiddling ;-).

Jaques

On 21/11/06, drew einhorn wrote:
>
> I'm trying to shape traffic on a Devil-Linux box.
>
> This note was originally sent to their maillist,
> because the LARTC list appears to have been down
> for the past few days. My mailbox was just flooded
> with a half dozen or so confirmation requests in response
> to my repeated attempts to subscribe to this list.
>
> ---------- Forwarded message ----------
> From: drew einhorn
> Date: Nov 19, 2006 11:51 PM
> Subject: Traffic Shaping on a Transparent Bridge not working!
> To: devil-linux-discuss@lists.sourceforge.net
>
>
> My first DL project was going well. Then I ran into problems attempting
> to shape my bandwidth.
>
> First I'll describe the parts that I believe are working correctly.
>
> I have a DL 1.2.11 box running the default kernel, 2.4.33.3-grsec
>
> I have br0 bridging all four ports eth0, eth1, eth2, eth3 on a quad port
> pci card. The bridge has not been assigned an ip number on the theory
> that this makes it much more difficult to attack. The bridge connects
> four devices on the 3bit public static ip block from my ISP.
>
> I have a single port ethernet pci card, eth4 with a static ip, on my
> internal private ip network. It is used for remote management of the DL
> box from anywhere on my internal network.
>
> eth0 is connected to my ISP's router via the ethernet port on my
> ISDN modem. I know ISDN is a nearly dead technology, but it's the best
> thing my crappy telco offers. Tried a satellite ISP, but that's another
> long and sad story.
>
> eth1 is connected to a hardened publicly accessible host.
>
> eth2 and eth3 are connected to the WAN ports on a couple of Linksys
> Cable/DSL routers. Eventually most of their functions will migrate to the
> DL box, but that is more than I wanted to bite off in my first DL project.
>
> The first Linksys box NATs one of my public ips to my internal private
> ip network. The second Linksys box is newer and includes a wireless
> access point used by a couple neighbors. It NATs a second public ip to
> a separate private ip network.
>
> All of the above appears to be working as expected.
>
> After pondering the mysteries of traffic shaping I decided to start with
> wondershaper 1.1a from lartc.org, rather than starting from scratch.
>
> Tried both the cbq and htb versions without any success.
>
> RTFM time.
> The htb section of http://lartc.org/howto/index.html is easier
> reading than the cbq section. And the howto claims htb is better anyway.
> Let's focus on the htb version of wondershaper.
>
> OK, First we edit wshaper.htb and configure the shell variables. Then we
> run: sh -x wshaper.htb
> to echo the commands as they are executed.
>
> Then we start pinging the router at the other end of the ISDN line.
>
> Then we start downloading a file to generate some traffic that really
> needs to be shaped.
>
> Then we run: sh -x wshaper.htb status
> to gather some statistics
>
> then we kill the download.
>
> then we sh -x wshaper.htb stop to shut down the malfunctioning shaper.
>
> Here's the output from the ping:
>
> $ ping 67.0.192.10
> PING 67.0.192.10 (67.0.192.10) 56(84) bytes of data.
>
> Link is idle, normal ping times.
>
> 64 bytes from 67.0.192.10: icmp_seq=0 ttl=254 time=48.5 ms
> 64 bytes from 67.0.192.10: icmp_seq=1 ttl=254 time=48.4 ms
> 64 bytes from 67.0.192.10: icmp_seq=2 ttl=254 time=48.4 ms
> 64 bytes from 67.0.192.10: icmp_seq=3 ttl=254 time=48.4 ms
> 64 bytes from 67.0.192.10: icmp_seq=4 ttl=254 time=48.5 ms
> 64 bytes from 67.0.192.10: icmp_seq=5 ttl=254 time=67.8 ms
> 64 bytes from 67.0.192.10: icmp_seq=6 ttl=254 time=48.3 ms
> 64 bytes from 67.0.192.10: icmp_seq=7 ttl=254 time=48.2 ms
>
> Download starts. Shaping is not working! Queues in
> router and/or ISDN modem grow, and ping times rapidly
> become huge.
>
> 64 bytes from 67.0.192.10: icmp_seq=8 ttl=254 time=184 ms
> 64 bytes from 67.0.192.10: icmp_seq=9 ttl=254 time=1080 ms
> 64 bytes from 67.0.192.10: icmp_seq=10 ttl=254 time=2025 ms
> 64 bytes from 67.0.192.10: icmp_seq=11 ttl=254 time=1551 ms
> 64 bytes from 67.0.192.10: icmp_seq=12 ttl=254 time=1078 ms
> 64 bytes from 67.0.192.10: icmp_seq=13 ttl=254 time=896 ms
> 64 bytes from 67.0.192.10: icmp_seq=14 ttl=254 time=1088 ms
> 64 bytes from 67.0.192.10: icmp_seq=15 ttl=254 time=1171 ms
> 64 bytes from 67.0.192.10: icmp_seq=16 ttl=254 time=1272 ms
> 64 bytes from 67.0.192.10: icmp_seq=17 ttl=254 time=1280 ms
> 64 bytes from 67.0.192.10: icmp_seq=18 ttl=254 time=1101 ms
> 64 bytes from 67.0.192.10: icmp_seq=19 ttl=254 time=1258 ms
> 64 bytes from 67.0.192.10: icmp_seq=20 ttl=254 time=1211 ms
> 64 bytes from 67.0.192.10: icmp_seq=21 ttl=254 time=1259 ms
> 64 bytes from 67.0.192.10: icmp_seq=22 ttl=254 time=1373 ms
> 64 bytes from 67.0.192.10: icmp_seq=23 ttl=254 time=1424 ms
> 64 bytes from 67.0.192.10: icmp_seq=24 ttl=254 time=1461 ms
> 64 bytes from 67.0.192.10: icmp_seq=25 ttl=254 time=1277 ms
> 64 bytes from 67.0.192.10: icmp_seq=26 ttl=254 time=1521 ms
> 64 bytes from 67.0.192.10: icmp_seq=27 ttl=254 time=1467 ms
> 64 bytes from 67.0.192.10: icmp_seq=28 ttl=254 time=1335 ms
> 64 bytes from 67.0.192.10: icmp_seq=29 ttl=254 time=1329 ms
> 64 bytes from 67.0.192.10: icmp_seq=30 ttl=254 time=1386 ms
> 64 bytes from 67.0.192.10: icmp_seq=31 ttl=254 time=1360 ms
> 64 bytes from 67.0.192.10: icmp_seq=32 ttl=254 time=1416 ms
> 64 bytes from 67.0.192.10: icmp_seq=33 ttl=254 time=1480 ms
> 64 bytes from 67.0.192.10: icmp_seq=34 ttl=254 time=1345 ms
> 64 bytes from 67.0.192.10: icmp_seq=35 ttl=254 time=1356 ms
> 64 bytes from 67.0.192.10: icmp_seq=36 ttl=254 time=1370 ms
> 64 bytes from 67.0.192.10: icmp_seq=37 ttl=254 time=1278 ms
> 64 bytes from 67.0.192.10: icmp_seq=38 ttl=254 time=1612 ms
> 64 bytes from 67.0.192.10: icmp_seq=39 ttl=254 time=1520 ms
> 64 bytes from 67.0.192.10: icmp_seq=40 ttl=254 time=1322 ms
> 64 bytes from 67.0.192.10: icmp_seq=41 ttl=254 time=1545 ms
>
> Kill the download. queues drain and ping times return to normal
>
> 64 bytes from 67.0.192.10: icmp_seq=42 ttl=254 time=975 ms
> 64 bytes from 67.0.192.10: icmp_seq=43 ttl=254 time=67.4 ms
> 64 bytes from 67.0.192.10: icmp_seq=44 ttl=254 time=73.6 ms
> 64 bytes from 67.0.192.10: icmp_seq=45 ttl=254 time=45.2 ms
> 64 bytes from 67.0.192.10: icmp_seq=46 ttl=254 time=45.2 ms
> 64 bytes from 67.0.192.10: icmp_seq=47 ttl=254 time=44.8 ms
>
>
> And, here's the shell commands and their output:
>
> root@Devil:~ # sh -x wshaper.htb
> + DOWNLINK=100
> + UPLINK=100
> + DEV=eth0
> + NOPRIOHOSTSRC=
> + NOPRIOHOSTDST=
> + NOPRIOPORTSRC=
> + NOPRIOPORTDST=
> + '[' '' = status ']'
> + tc qdisc del dev eth0 root
> + tc qdisc del dev eth0 ingress
> + '[' '' = stop ']'
> + tc qdisc add dev eth0 root handle 1: htb default 20
> + tc class add dev eth0 parent 1: classid 1:1 htb rate 100kbit burst 6k
> + tc class add dev eth0 parent 1:1 classid 1:10 htb rate 100kbit burst 6k
> prio 1
> + tc class add dev eth0 parent 1:1 classid 1:20 htb rate 90kbit burst 6k
> prio 2
> + tc class add dev eth0 parent 1:1 classid 1:30 htb rate 80kbit burst 6k
> prio 2
> + tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
> + tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
> + tc qdisc add dev eth0 parent 1:30 handle 30: sfq perturb 10
> + tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 match ip
> tos 0x10 0xff flowid 1:10
> + tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 match ip
> protocol 1 0xff flowid 1:10
> + tc filter add dev eth0 parent 1: protocol ip prio 10 u32 match ip
> protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2
> match u8 0x10 0xff at 33 flowid 1:10
> + tc filter add dev eth0 parent 1: protocol ip prio 18 u32 match ip
> dst 0.0.0.0/0 flowid 1:20
> + tc qdisc add dev eth0 handle ffff: ingress
> + tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match ip
> src 0.0.0.0/0 police rate 100kbit burst 10k drop flowid :1
>
>
> root@Devil:~ # sh -x wshaper.htb status
> + DOWNLINK=100
> + UPLINK=100
> + DEV=eth0
> + NOPRIOHOSTSRC=
> + NOPRIOHOSTDST=
> + NOPRIOPORTSRC=
> + NOPRIOPORTDST=
> + '[' status = status ']'
> + tc -s qdisc ls dev eth0
> qdisc htb 1: r2q 10 default 20 direct_packets_stat 0
> Sent 18649 bytes 191 pkts (dropped 0, overlimits 0)
> qdisc sfq 10: parent 1:10 limit 128p quantum 1514b perturb 10sec
> Sent 10582 bytes 147 pkts (dropped 0, overlimits 0)
> qdisc sfq 20: parent 1:20 limit 128p quantum 1514b perturb 10sec
> Sent 8067 bytes 44 pkts (dropped 0, overlimits 0)
> qdisc sfq 30: parent 1:30 limit 128p quantum 1514b perturb 10sec
> Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
> qdisc ingress ffff: ----------------
> Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
> + tc -s class ls dev eth0
> class htb 1:1 root rate 100000bit ceil 100000bit burst 6Kb cburst 1724b
> Sent 18649 bytes 191 pkts (dropped 0, overlimits 0)
> rate 1320bit 1pps
> lended: 0 borrowed: 0 giants: 0
> tokens: 398459 ctokens: 108855
>
> class htb 1:10 parent 1:1 leaf 10: prio 1 rate 100000bit ceil
> 100000bit burst 6Kb cburst 1724b
> Sent 10582 bytes 147 pkts (dropped 0, overlimits 0)
> rate 656bit 1pps
> lended: 147 borrowed: 0 giants: 0
> tokens: 398459 ctokens: 108855
>
> class htb 1:20 parent 1:1 leaf 20: prio 2 rate 90000bit ceil 90000bit
> burst 6Kb cburst 1711b
> Sent 8067 bytes 44 pkts (dropped 0, overlimits 0)
> rate 712bit
> lended: 44 borrowed: 0 giants: 0
> tokens: 432284 ctokens: 109555
>
> class htb 1:30 parent 1:1 leaf 30: prio 2 rate 80000bit ceil 80000bit
> burst 6Kb cburst 1699b
> Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
> lended: 0 borrowed: 0 giants: 0
> tokens: 503316 ctokens: 139264
>
> + exit
> root@Devil:~ # sh -x wshaper.htb stop
> + DOWNLINK=100
> + UPLINK=100
> + DEV=eth0
> + NOPRIOHOSTSRC=
> + NOPRIOHOSTDST=
> + NOPRIOPORTSRC=
> + NOPRIOPORTDST=
> '['
stop = status ']' > + tc qdisc del dev eth0 root > + tc qdisc del dev eth0 ingress > + '[' stop = stop ']' > + exit > > root@Devil :~ # > > Don't think we generated enough uplink traffic to exercise the htb qdiscs. > > But it doesn't look like the ingress qdisc is working at all. > > I'm out of ideas for now. > > -- > Drew Einhorn > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20061121/e94cbb52/attachment-0001.html From rangi at ngen.net.nz Tue Nov 21 07:20:06 2006 From: rangi at ngen.net.nz (Rangi Biddle) Date: Tue Nov 21 07:24:25 2006 Subject: [LARTC] VPN Solution Message-ID: <002801c70d35$199a9f60$0101010a@lamachine> Greetings List Members, I'll firstly apologise if this isn't the place that I should be posting this message but here goes. What I want to do is have a VPN (PPTP/IPSEC/CIPE/etc) server, but it must support more than one simultaneous connection. I currently have a PPTP VPN server setup that has port 1723 and protocol 47 DNAT'd through to the internal IP address of the VPN server and I have not been able to have more than one connection at a time. I am considering setting up the VPN server as a gateway (for lack of a better word) and instead of DNATing the connections through to the internal IP I would setup a DMZ with the VPN server as the only host. My only concern in doing so is that if it does not work what other options do I have besides getting a different connection type such as fibre? I'm trying to do this as cheaply as possible. Any and all comments/suggestions are welcome. Rangi -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20061121/fa4f4700/attachment.html From gtaylor at riverviewtech.net Tue Nov 21 07:15:05 2006 
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Tue Nov 21 07:32:37 2006
Subject: [LARTC] VPN Solution
In-Reply-To: <002801c70d35$199a9f60$0101010a@lamachine>
References: <002801c70d35$199a9f60$0101010a@lamachine>
Message-ID: <45629969.9050208@riverviewtech.net>

On 11/21/06 00:20, Rangi Biddle wrote:
> What I want to do is have a VPN (PPTP/IPSEC/CIPE/etc) server, but it
> must support more than one simultaneous connection.
>
> I currently have a PPTP VPN server setup that has port 1723 and protocol
> 47 DNAT'd through to the internal IP address of the VPN server and I
> have not been able to have more than one connection at a time. I am
> considering setting up the VPN server as a gateway (for lack of a better
> word) and instead of DNATing the connections through to the internal IP
> I would setup a DMZ with the VPN server as the only host. My only
> concern in doing so is that if it does not work what other options do I
> have besides getting a different connection type such as fibre? I'm
> trying to do this as cheaply as possible.

Can / will you provide some more information such as what type of client will be connecting to the VPN concentrator?

I believe the 1 concurrent connection you are referring to is a limitation of IPTables match extension for PPTP tunnels. If you put the VPN Concentrator such that it is directly routable you should have better luck.

Beyond PPTP, you can look in to IPSec or SSLTunnel, or any number of other products. However to be able to determine which of the products is best suited to your situation, we need to know more about your situation.

Grant. . . .

From rangi at ngen.net.nz Tue Nov 21 07:38:18 2006
From: rangi at ngen.net.nz (Rangi Biddle)
Date: Tue Nov 21 07:42:38 2006
Subject: [LARTC] RE: VPN Solution
Message-ID: <000601c70d37$a48d3b30$0101010a@lamachine>

Hi Guys and thanks for the replies so far. Sorry for the lack of information, but if you have questions I am more than willing to answer them.

> Can / will you provide some more information such as what type of client will be connecting to the VPN concentrator?

The clients that will be connecting to the VPN server will be Windows clients. This is why I chose to build a PPTP VPN server as there would be no additional software to install on any of the clients.

> I believe the 1 concurrent connection you are referring to is a limitation of IPTables match extension for PPTP tunnels. If you put the VPN
> Concentrator such that it is directly routable you should have better luck.

What do you mean by directly routable? Are you referring to the DMZ suggestion I made earlier or something else such as bridging the connection?

From rangi at ngen.net.nz Tue Nov 21 09:16:25 2006
From: rangi at ngen.net.nz (Rangi Biddle)
Date: Tue Nov 21 09:20:50 2006
Subject: [LARTC] RE: VPN Solution
Message-ID: <001101c70d45$590edfc0$0101010a@lamachine>

Hi Grant,

> Is your VPN concentrator / server directly on the internet or is there some sort of port forwarding going on. You could use a DMZ, if the machine in
> the DMZ had a globally routable IP, i.e. did not use port forwarding of any sort.

Unfortunately the VPN server does not explicitly have a public IP address that would allow it to receive connections. At present, the VPN server is currently sitting behind a DSL router which has a public IP and is receiving connections via DNAT, in particular port 1723 (PPTP) and protocol 47 (GRE). The DMZ setup that the DSL router offers is basically having all connections on the public IP DNAT through to the internal IP address of the VPN server. I have been able to verify this, as the router itself runs a minimal linux environment which includes using IPTables for its firewalling capabilities (D-Link branded DSL router).

Also, I have already mentioned that moving to another type of connection such as fibre isn't an option as I cannot afford a connection of this type (I live in New Zealand). Other alternative connections to DSL are not very affordable and we are very limited to the connection types that we can choose from. At present the range of connections are as follows:

Dial-Up - Far too slow
DSL - Affordable and very quick
ISDN - Far too pricey ($900 per month not including data charges)
Cable - Only available in certain areas in New Zealand
Fibre - Far far too pricey ($1,500 per month - 2 Mbps National / 512k International)

Fibre by far would be the best option as I would receive around 7 public IP addresses but as you can see from the cost it just isn't very feasible for only a VPN solution.

As you also mentioned in your previous email about the limitation of IPTables, is there any workaround such as using the patch-o-matic patches?

Any comments/suggestions are welcome from anyone.

From rangi at ngen.net.nz Tue Nov 21 09:36:49 2006
From: rangi at ngen.net.nz (Rangi Biddle)
Date: Tue Nov 21 09:41:21 2006
Subject: [LARTC] RE: VPN Solution
Message-ID: <002201c70d48$3845bf90$0101010a@lamachine>

> Hum. Is your DSL modem built in to the router you are using, or could you supplant your router with a / your Linux box?
> If you can put your Linux box directly on the internet, then your VPN concentrator will (inherently) be directly on the net too.

Unfortunately my router is combined with the DSL modem, effectively a single CPE.

> I believe the limitation, which may have been patched without my being aware of it as I don't use PPTP (yet), is in the helper module for
> connection tracking for PPTP. I would have to refresh myself on the PPTP protocol and its interaction with IPTables. I suggest you do some more
> reading on the mailing list as well as on NetFilter.org to see if you can find out something else.

I have just come across some information that says that the connection tracking support for PPTP connections in particular is now part of the mainstream kernel ( >= 2.6.14 ). I am currently downloading version 2.6.18-3 and will let you know how it goes.

PS. I'm using CentOS which probably isn't the best choice for hacking things to pieces - guess that serves me right. I believe debian (Sarge) has support for pptp_conntrack in it already so I might give that a go as well.

If you're interested I am more than happy to discuss this matter off the mailing lists, but perhaps it may serve a better purpose by being on the lists for future reference for others.

From bob.beers at gmail.com Tue Nov 21 15:10:42 2006
From: bob.beers at gmail.com (Bob Beers)
Date: Tue Nov 21 15:10:54 2006
Subject: [LARTC] Re: iptables rule not matching after stream begins
In-Reply-To:
References: <4f6ba3b0611200730j337ad29xc69dd63b205060c4@mail.gmail.com> <4f6ba3b0611201646k750995d3oe0cd605890b7f2a7@mail.gmail.com>
Message-ID: <4f6ba3b0611210610t62b24e7es9cc9ece120581d1d@mail.gmail.com>

Thank you, Joe, for your response

On 11/20/06, Flophouse Joe wrote:
> Have you considered testing any of the patches from netfilter's
> patch-o-matic?

I will consider doing just that.

> There are two patches that seem promising. Quoting from the netfilter
> website:
>
> http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-rtsp-conntrack
...
> http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-sip-conntrack-nat
...

Thanks for the pointers. But, I think my problem is really more basic. I only mentioned that it was SIP related for background.

Let me try to restate my question:

Is it a common problem that inserting a rule after a (UDP) stream is established does not match the rule, even though the exact same rule for the exact same stream does match, as long as it is inserted before the first packet of the stream arrives?

If so, (that it is a common, or at least known, problem), how does one overcome this problem? Is there a way to "disconnect" the stream, once the rule is installed, so that can match?

Like I said in the original post, everything works right, as long as my rule wins the race with the first packet.

Any other hints most welcome, meanwhile I will examine the two patches mentioned.

Thanks,

> Joe

Bob

From alexeyt at freeshell.org Tue Nov 21 16:26:13 2006
From: alexeyt at freeshell.org (Alexey Toptygin)
Date: Tue Nov 21 16:26:27 2006
Subject: [LARTC] Re: iptables rule not matching after stream begins
In-Reply-To: <4f6ba3b0611210610t62b24e7es9cc9ece120581d1d@mail.gmail.com>
References: <4f6ba3b0611200730j337ad29xc69dd63b205060c4@mail.gmail.com> <4f6ba3b0611201646k750995d3oe0cd605890b7f2a7@mail.gmail.com> <4f6ba3b0611210610t62b24e7es9cc9ece120581d1d@mail.gmail.com>
Message-ID:

On Tue, 21 Nov 2006, Bob Beers wrote:
> Let me try to restate my question:
>
> Is it a common problem that inserting a rule after a (UDP) stream is
> established does not match the rule, even though the exact same
> rule for the exact same stream does match, as long as it is inserted
> before the first packet of the stream arrives?

This is the way it is designed: PREROUTING rules in the nat table are only checked for packets that haven't already been assigned to a connection. If you want, you can use the conntrack tool to flush the connection states after you add a new rule.

Alexey

From bob.beers at gmail.com Tue Nov 21 17:05:23 2006
From: bob.beers at gmail.com (Bob Beers)
Date: Tue Nov 21 17:05:30 2006
Subject: [LARTC] Re: iptables rule not matching after stream begins
In-Reply-To:
References: <4f6ba3b0611200730j337ad29xc69dd63b205060c4@mail.gmail.com> <4f6ba3b0611201646k750995d3oe0cd605890b7f2a7@mail.gmail.com> <4f6ba3b0611210610t62b24e7es9cc9ece120581d1d@mail.gmail.com>
Message-ID: <4f6ba3b0611210805g167b393dk7861b5ce38edeae8@mail.gmail.com>

On 11/21/06, Alexey Toptygin wrote:
> On Tue, 21 Nov 2006, Bob Beers wrote:
>
> > Let me try to restate my question:
> >
> > Is it a common problem that inserting a rule after a (UDP) stream is
> > established does not match the rule, even though the exact same
> > rule for the exact same stream does match, as long as it is inserted
> > before the first packet of the stream arrives?
>
> This is the way it is designed: PREROUTING rules in the nat table are only
> checked for packets that haven't already been assigned to a connection. If
> you want, you can use the conntrack tool to flush the connection states
> after you add a new rule.

Ah, yes, this sounds like what I need. Please excuse my ignorance, but how does one "use the conntrack tool to flush the connection states after you add a new rule"? I have read through several tutorials and the iptables man pages, but did not yet find this particular gem. In my ideal solution, I would flush only the connection in question, to avoid any perturbance of other connections.

I guess you mean this:

and/or this:

I will RTF documentation, now that I see it ... But, I wonder, is there a shortcut to the behavior I want through iptables --ctstatus and friends?

> Alexey

Thank you all very much for the hints so far.

Bob

From alexeyt at freeshell.org Tue Nov 21 19:46:00 2006
From: alexeyt at freeshell.org (Alexey Toptygin)
Date: Tue Nov 21 19:46:13 2006
Subject: [LARTC] Re: iptables rule not matching after stream begins
In-Reply-To: <4f6ba3b0611210805g167b393dk7861b5ce38edeae8@mail.gmail.com>
References: <4f6ba3b0611200730j337ad29xc69dd63b205060c4@mail.gmail.com> <4f6ba3b0611201646k750995d3oe0cd605890b7f2a7@mail.gmail.com> <4f6ba3b0611210610t62b24e7es9cc9ece120581d1d@mail.gmail.com> <4f6ba3b0611210805g167b393dk7861b5ce38edeae8@mail.gmail.com>
Message-ID:

On Tue, 21 Nov 2006, Bob Beers wrote:
> I guess you mean this:
>
> and/or this:

Yep.

> But, I wonder, is there a shortcut to the behavior I want
> through iptables --ctstatus and friends?

Not really. Even if you match the packet with --ctstate, I don't believe there is any iptables target that would delete the connection of the current packet (and presumably drop the packet?). Even if you could, you'd still have to wait for the next packet to come along and set up a new connection entry, so there's no advantage over deleting the connection with a userspace tool, and it would be a terrible hack.

Alexey

From pereyra.roberto at gmail.com Tue Nov 21 21:54:38 2006
From: pereyra.roberto at gmail.com (Roberto Pereyra)
Date: Tue Nov 21 21:54:49 2006
Subject: [LARTC] ipp2p seems not mark to control bitlord
Message-ID:

Hi

I am using the latest ipp2p version and it marks bittorrent traffic well but seems not to work with bitlord. The rules that mark and control bittorrent do not work with bitlord. I am using the scripts from the ipp2p main web site to mark and to control p2p.

Does somebody know if ipp2p can mark and control bitlord?

Thanks in advance.

Roberto

--
Ing. Roberto Pereyra
ContenidosOnline

From rangi at ngen.net.nz Wed Nov 22 03:20:46 2006
From: rangi at ngen.net.nz (Rangi Biddle)
Date: Wed Nov 22 03:25:09 2006
Subject: [LARTC] RE: VPN Solution
Message-ID: <000901c70ddc$d53cb440$0101010a@lamachine>

Hi List,

This is an update for anyone that has been attempting to get a PPTP VPN working using PopTop with more than one simultaneous connection from an external source to a PPTP VPN behind a router that is NATing connections through. I assume that whoever is setting this up has some general knowledge of linux and how to compile a kernel. I also make the assumption that you already have a PPTP server up and running but are requiring more than one simultaneous connection. I also offer no warranties or take on any responsibility on whether or not this breaks your system and causes damage of any kind.

With that said, I used the most recent kernel (2.6.18.3) and used all the default settings and added in all (except the experimental) iptables modules. I also added in PPP MPPE support (even though it is experimental). To make things easier on myself I compiled the kernel as a binary RPM package since the distro that I am using uses RPMs. After installing the new kernel I made modifications to my boot loader (in my case grub) to use the new kernel and then rebooted the system.

I used the following IPTables rules:

iptables -t nat -A POSTROUTING -j MASQUERADE
(Very general masquerading - not recommended and should be tied down to specific subnets)

iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
(Accept inbound PPTP connections)

iptables -A INPUT -p gre -j ACCEPT
(Accept inbound GRE connections)

iptables -A OUTPUT -p gre -j ACCEPT
(Accept outbound GRE connections)

I executed the command:

service iptables save

to save my newly added iptables rules. I then edited /etc/rc.local and added in the following lines

modprobe ip_nat_pptp
modprobe ip_conntrack_pptp

Which loads the additional modules needed for PPTP NAT connections and finally rebooted the system once more to make sure everything starts up as expected.

If you have any problems please mail them to the list and I will see if I can be of some assistance.

From gtaylor at riverviewtech.net Wed Nov 22 15:55:31 2006
From: gtaylor at riverviewtech.net (Taylor, Grant)
Date: Mon Dec 4 15:48:28 2006
Subject: [LARTC] RE: VPN Solution
In-Reply-To: <000901c70ddc$d53cb440$0101010a@lamachine>
References: <000901c70ddc$d53cb440$0101010a@lamachine>
Message-ID: <456464E3.3010901@riverviewtech.net>

Rangi Biddle wrote:
> This is an update for anyone that has been attempting to get a PPTP VPN
> working using PopTop with more than one simultaneous connection from an
> external source to a PPTP VPN behind a router that is NATing connections
> through. I assume that whoever is setting this up has some general
> knowledge of linux and how to compile a kernel. I also make the
> assumption that you already have a PPTP server up and running but are
> requiring more than one simultaneous connection. I also offer no
> warranties or take on any responsibility on whether or not this breaks
> your system and causes damage of any kind.
...
> If you have any problems please mail them to the list and I will see if
> I can be of some assistance.

So I take it that you were able to get PPTP / PopTop working the way you wanted with multiple concurrent PPTP connections?

Grant. . . .

From pupilla at hotmail.com Wed Nov 22 17:03:38 2006
From: pupilla at hotmail.com (Marco Berizzi)
Date: Mon Dec 4 15:49:26 2006
Subject: [LARTC] Action 4 device ifb0 ifindex 7
Message-ID:

Hi everybody.

I'm receiving this error message:

Action 4 device ifb0 ifindex 7

when I issue this command:

tc filter add dev eth1 parent ffff: protocol ip prio 1 u32 \
   match u32 0 0 action mirred egress redirect dev ifb0

I'm using linux 2.6.19-rc6 with tc version ss061002

Hints?

From pupilla at hotmail.com Wed Nov 22 17:12:49 2006
From: pupilla at hotmail.com (Marco Berizzi)
Date: Mon Dec 4 15:50:05 2006
Subject: [LARTC] ipsec and ifb device
Message-ID:

Hi everybody.

I would like to know how incoming ipsec packets (from eth0 for example) interact with ifb device. For example: I want to redirect all incoming packets from eth0 to ifb0 for shaping. What happens to esp and the relative clear packets? By default both are seen on the incoming device.

From lists at andyfurniss.entadsl.com Wed Nov 22 21:05:41 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Mon Dec 4 15:51:00 2006
Subject: AW: AW: AW: [LARTC] Why did I need strange ceiling settings? (fullversion)
In-Reply-To: <001501c70aff$eca7d9f0$0200a8c0@marvin>
References: <001501c70aff$eca7d9f0$0200a8c0@marvin>
Message-ID: <4564AD95.1040004@andyfurniss.entadsl.com>

Philipp Leusmann wrote:
> Hi Andy,
>
> I made the dumpfile and will send it to you in a separate private email. I
> cannot see anything suspicious, but maybe I am not looking for the right
> thing.

Did you get my offlist reply about that?

> Same goes for netstat -s | grep retrans : The count does not rise during the
> transfer.
> For the modem, here is what it says:
>                             down     up
> Bit-rate (fast)           : 15694    915
> Bit-rate (relative cap.)  : 100 %    100 %
> Bit-rate (max)            : 15694    915
> FEC error (fast)          : 7116     0
> CRC error (fast)          : 13421    0
> HEC error (fast)          : 5051     0
> Noise margin              : 8.3 dB   8.5 dB
> Attenuation               : 16.0 dB  12.8 dB
> Transmit power            : 22.3 dBm 12.3 dBm
> First channel             : 64       33
> Last channel              : 505      59
> Channel gaps              : 95 110 127 188 191 243 291 348

0 upstream errors may mean your modem isn't reporting/getting them properly from the far end, but if the uptime of those stats isn't too short, the errors don't look too bad anyway.

As for what I said about showtime rate being a multiple of 32kbit, I was thinking adsl; I guess it's different for adsl2(+). I suppose the FEC overheads could be deducted first as well (we don't get FEC on fast in the UK).

Andy.

From alancupid at yahoo.com Thu Nov 23 10:18:15 2006
From: alancupid at yahoo.com (alan tan)
Date: Mon Dec 4 15:54:00 2006
Subject: [LARTC] HTB GUI
Message-ID: <20061123091815.89629.qmail@web90406.mail.mud.yahoo.com>

Hi,

I have many examples of HTB GUI. All are already well developed, which are discussed in this link. However, can anyone teach me what software to use to build my own web based GUI HTB software in Fedoracore (Linux based)?

Thanks

Regards
Alan

From ntdabrain at yahoo.com Thu Nov 23 15:33:34 2006
From: ntdabrain at yahoo.com (Ntanzi Carrilho)
Date: Mon Dec 4 15:55:56 2006
Subject: [LARTC] Calculate GRED Parameters
Message-ID: <81170.63649.qm@web35315.mail.mud.yahoo.com>

hi,

Is there a way to calculate Gred parameters, given a desired delay (e.g 100ms)?

Thanx
Ntanzi

From iam4u4real at yahoo.com Thu Nov 23 18:50:18 2006
From: iam4u4real at yahoo.com (Seye Omotoso)
Date: Mon Dec 4 15:56:11 2006
Subject: [LARTC] Linux DHPC
In-Reply-To: <81c11a560611160926seb0c72ey4a6426a364274849@mail.gmail.com>
Message-ID: <659750.9482.qm@web52406.mail.yahoo.com>

Dear sir,

I am trying to install a Linux server using DHCP. I have downloaded the DHCP file and installed it. eth0 is the LAN point giving the Linux server connection to the Internet and I want to configure eth1 to give DHCP to the clients.

With the instruction I got from the Internet, I have to copy the conf file to /etc, which I have done. I want to add codes to the conf file to make it DHCP but the code is not saving into the conf file in /etc. Meanwhile when I finished installation I couldn't find a conf file but a 'configure' file, so I renamed the 'configure' to be 'conf'. What do you think I can do? Thank you.

Sincerely,
Seye

From drew.einhorn at gmail.com Thu Nov 23 19:19:53 2006
From: drew.einhorn at gmail.com (drew einhorn)
Date: Mon Dec 4 15:56:16 2006
Subject: [LARTC] Reassigning a flow to a different queue
Message-ID:

I'd like to initially assign all http flows to an interactive priority queue. But if the cumulative amount of traffic exceeds a threshold, I'd like to reassign it to a low priority bulk queue. Say someone is doing an http download of a huge .iso.

Is this possible?

--
Drew Einhorn

From c-d.hailfinger.devel.2006 at gmx.net Thu Nov 23 21:08:44 2006
From: c-d.hailfinger.devel.2006 at gmx.net (Carl-Daniel Hailfinger)
Date: Mon Dec 4 15:57:00 2006
Subject: [LARTC] tc actions and accounting
Message-ID: <4565FFCC.5090502@gmx.net>

Hi,

I'd like to account the data going out to an interface after shaping and policing. At the moment, I'm using ipt_ACCOUNT for per-IP accounting, but it counts packets regardless if they are dropped or not. Using tc counters directly would force me to install one tc rule per IP which I'd rather avoid.

My idea was to use tc actions with ipt_ACCOUNT, but I have no idea what will be counted and how to specify an action for only some of the data *after* shaping and policing. The tc action documentation seems to suggest that the actions happen at the time of PREROUTING/POSTROUTING in netfilter, so that would not work for me.

As an alternative, I searched for a tc equivalent of ipt_ACCOUNT, but I found nothing.

My previous attempt to solve a similar problem is here:
http://mailman.ds9a.nl/pipermail/lartc/2005q2/016271.html

Regards,
Carl-Daniel

From lartc at winlink.ru Fri Nov 24 13:05:38 2006
From: lartc at winlink.ru (Ron McKown)
Date: Mon Dec 4 16:01:54 2006
Subject: [LARTC] NAT/MASQ with multiple external static IPs
In-Reply-To: <1163527928.8590.9.camel@localhost.localdomain>
References: <4559C167.3050300@winlink.ru> <1163510620.4081.14.camel@localhost.localdomain> <4559C776.5030408@winlink.ru> <1163527928.8590.9.camel@localhost.localdomain>
Message-ID: <4566E012.7090803@winlink.ru>

??????????? ?????? wrote:
> I don't think so. You should (need) use either -j MASQUERADE or -j SNAT.
> MASQUERADE is almost the same as SNAT; it is more convenient for NAT'ing on
> ppp interfaces where there is a different IP on each connect, that's why
> it doesn't have a --to-source option (it takes the address from the
> outgoing interface).
>
> The correct way would probably be:
>
> iptables -A POSTROUTING -t nat -s 1.2.3.4 -o eth0 -j SNAT --to-source
> 1.2.3.5-1.2.3.7
>
> OR
>
> iptables -A POSTROUTING -t nat -s 1.2.3.4 -o eth0 -j SNAT --to-source
> 1.2.3.5 --to-source 1.2.3.6 --to-source 1.2.3.7

I understand, so outbound packets will be converted to the (--to-source) address on the way out. But how will packets coming back in find their way back to the original client?

For example, if I had this rule:

iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -j SNAT --to-source 1.2.3.4

then sure, a packet from IP 192.168.0.50 goes out just fine. But then I would need a DNAT rule to send packets back to that internal IP address. How would that work? Am I looking at this the right way?

From t.luettgert at pressestimmen.de Sat Nov 25 01:05:38 2006
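An added example, not code from the list or from netfilter: a toy Python model of connection tracking plus the nat table that shows the two behaviours discussed above in one place. For Ron's question, the reply to an SNATed packet is reversed from the conntrack entry, so no DNAT rule is needed for the return path; for Bob's question, a nat rule inserted after a UDP stream exists is not consulted until that flow's entry is deleted (what the conntrack tool does). All addresses and ports are constructed.

```python
"""Toy model of netfilter connection tracking plus the nat table (added example,
not kernel code). Simplifications: no timeouts, no port remapping, no helpers."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    """A 5-tuple; frozen so it can key the conntrack table."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"

def swap(p: Packet) -> Packet:
    """The same flow as seen from the other direction."""
    return Packet(p.dst, p.dport, p.src, p.sport, p.proto)

@dataclass
class NatRule:
    """One nat-table rule: match fields (None = any) and an SNAT/DNAT target."""
    action: str                    # "SNAT" or "DNAT"
    to: str                        # --to-source / --to-destination address
    src_net: Optional[str] = None  # -s
    dport: Optional[int] = None    # --dport

    def matches(self, p: Packet) -> bool:
        if self.dport is not None and p.dport != self.dport:
            return False
        return not self.src_net or ip_address(p.src) in ip_network(self.src_net)

    def apply(self, p: Packet) -> Packet:
        if self.action == "SNAT":
            return Packet(self.to, p.sport, p.dst, p.dport, p.proto)
        if self.action == "DNAT":
            return Packet(p.src, p.sport, self.to, p.dport, p.proto)
        raise ValueError(f"unknown action {self.action}")

@dataclass(frozen=True)
class Entry:
    """Conntrack entry: the first packet before and after NAT. swap() of
    either one gives the reply-direction tuple used to un-NAT replies."""
    orig_in: Packet
    orig_out: Packet

class ConntrackNat:
    def __init__(self, rules: List[NatRule]):
        self.rules = rules
        self.table: Dict[Packet, Tuple[Entry, str]] = {}
        self.nat_rule_lookups = 0   # how often the nat table was consulted

    def process(self, p: Packet) -> Packet:
        hit = self.table.get(p)
        if hit is not None:
            # Known flow: the decision made for its first packet is reused and
            # the nat rules are NOT consulted, whatever was added since.
            entry, direction = hit
            return entry.orig_out if direction == "orig" else swap(entry.orig_in)
        # First packet of a flow: the only moment the nat rules are checked.
        self.nat_rule_lookups += 1
        out = next((r.apply(p) for r in self.rules if r.matches(p)), p)
        entry = Entry(p, out)
        self.table[p] = (entry, "orig")
        self.table[swap(out)] = (entry, "reply")
        return out

    def flush(self, pred: Callable[[Entry], bool]) -> int:
        """Delete entries matching pred, like 'conntrack -D' with a filter."""
        doomed = {id(e): e for e, _ in self.table.values() if pred(e)}
        for e in doomed.values():
            self.table.pop(e.orig_in, None)
            self.table.pop(swap(e.orig_out), None)
        return len(doomed)

def demo_snat_reply():
    """Ron's case (constructed addresses): SNAT 192.168.0.0/16 to 1.2.3.4; the
    reply is mapped back to 192.168.0.50 from the entry, no DNAT rule needed."""
    ct = ConntrackNat([NatRule("SNAT", "1.2.3.4", src_net="192.168.0.0/16")])
    out = ct.process(Packet("192.168.0.50", 40000, "203.0.113.9", 53))
    back = ct.process(Packet("203.0.113.9", 53, "1.2.3.4", 40000))  # remote's answer
    return out, back, ct.nat_rule_lookups

def demo_late_rule():
    """Bob's race (constructed SIP-like flow): a DNAT rule added after the
    stream started is ignored until the flow's conntrack entry is deleted."""
    ct = ConntrackNat([])
    pkt = Packet("198.51.100.7", 5060, "1.2.3.4", 5060)
    before = ct.process(pkt).dst                  # entry created, no NAT applied
    ct.rules.append(NatRule("DNAT", "192.168.0.20", dport=5060))
    during = ct.process(pkt).dst                  # rule present, never consulted
    ct.flush(lambda e: e.orig_in == pkt)          # delete only this flow's entry
    after = ct.process(pkt).dst                   # next packet is "new" again
    return before, during, after, ct.nat_rule_lookups
```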
From: t.luettgert at pressestimmen.de (Torsten Luettgert)
Date: Mon Dec 4 16:04:35 2006
Subject: [LARTC] Fail-over uplink problem
Message-ID: <1164413138.13235.5.camel@elida.cbxnet.de>

Hi list,

I have a problem I thought was simple first, but now I'm stuck. In a nutshell, it's about redundant uplinks at an outside location. Crude ASCII-Art follows:

[ASCII diagram, not recoverable from the archive: Internet -> cisco with uplinks -> ATM interface to an alvarion wireless base, and a DSL modem; the wireless base feeds a wireless subscriber; both the subscriber and the DSL modem connect to a small linux box, behind which is the target net]

The target net is connected via a 20 MBit wireless connection which should be the "normal" route, and a 2 MBit DSL connection as backup. Switching to the backup line should work automatically. There are link networks between the linux box and the DSL modem and between the linux box and the base (subscriber is acting as a bridge).

We control all the equipment, including the cisco. So I thought I'd use quagga and build a small OSPF or RIP between the linux box and the cisco where the linux box announces the target net. The wireless route would have higher priority because of the higher line speed.

But how do I set the "default route" on the box? I don't want to redistribute BGP into OSPF on the cisco, it knows 2x20,000 routes from two uplink peers and the linux box is really small (300 MHz Celeron with 128 MB RAM).

Thanks in advance for any advice.

- Torsten

From marek at piasta.pl Wed Nov 29 00:16:07 2006
From: marek at piasta.pl (Marek Kierdelewicz)
Date: Mon Dec 4 16:24:28 2006
Subject: [LARTC] using cpu cycle counter on smp
Message-ID: <20061129001607.42f5bece@localhost>

Hi there,

I was wondering if it's possible to use PSCHED_CPU (cpu cycle counter as clock source for QoS). Normally kernel menuconfig forbids it due to lack of synchronization of counters on different cpu, but:

http://uwsg.iu.edu/hypermail/linux/kernel/9902.0/0053.html

and quoting interesting part...

-------------
checking TSC synchronization across CPUs:
BIOS BUG: CPU#0 improperly initialized, has -25 usecs TSC skew! FIXED.
BIOS BUG: CPU#1 improperly initialized, has 25 usecs TSC skew! FIXED.
-------------

... we can see TSC is synchronized during boot process. So, is it or is it not possible/prudent to use PSCHED_CPU on x86/x86_64, where TSCs are used?

pozdrawiam,
Marek Kierdelewicz

From linux at arcoscom.com Fri Dec 1 16:19:47 2006
From: linux at arcoscom.com (ArcosCom Linux User) Date: Mon Dec 4 16:34:32 2006 Subject: [LARTC] ROUTE target broken under 2.6.18.3 kernel Message-ID: <50267.84.123.236.132.1164986387.squirrel@www.arcoscom.com> I had problems with 2.6.19 kernel, appears to be some "binaries" problems about iptables and kernel modules, then I pass to try the 2.6.18.3 kernel to tests some things. When I put -j ROUTE into -t mangle table and PREROUTING chain, I have no problems, but when I try -j ROUTE into POSTROUTING chain, my system loss all network access (and it is posible it crash, I'm not there to view screen). My system has: SMP kernel (dual Xeon 3,0 GHz) 2.6.18.3 kernel + connlimit + layer7 + ROUTE patches 1.3.5 iptables (FC5 distro sources) with connlimit + layer7 + ROUTE patches (as I see, I only need change the makefile into distro sources to allow connlimit and ROUTE work) The command that break off network (and posibility crash the machine) is: iptables -t mangle -A POSTROUTING -p tcp --dport msnp -j ROUTE --gw --continue I have 2 uplinks with 2 diferents gw ip's, and I detected disconnection problems with messenger clients (amsn, windows msn, msn-messenger, gaim, etc....) and I only want to route all msn traffic into only one uplink. Any help about this? It is really a bug with ROUTE Patch and 2.6.8.3 kernel? Or its a bug with the 1.3.5 iptables version (FC5 distro sources). Please, help me a bit to solve this problem. Thanks From rangi at ngen.net.nz Wed Nov 22 21:13:28 2006 
From: rangi at ngen.net.nz (Rangi Biddle) Date: Mon Dec 4 16:43:50 2006 Subject: [LARTC] RE: VPN Solution Message-ID: <001e01c70e72$afb7afe0$0101010a@lamachine> > So I take it that you were you able to get PPTP / PopTop working the way you wanted with multiple concurrent PPTP connections? Yup! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20061123/d5447189/attachment.htm From hijacker at oldum.net Mon Dec 4 16:29:44 2006 From: hijacker at oldum.net (nikolay) Date: Mon Dec 4 16:48:51 2006 Subject: [LARTC] Linux DHPC References: <659750.9482.qm@web52406.mail.yahoo.com> Message-ID: <00b801c717b9$0685d050$0600a8c0@hpa> Hello, You will also need to install the dhcp server to be able to assign IP addresses to other. -nik ----- Original Message ----- From: "Seye Omotoso" To: Sent: Thursday, November 23, 2006 7:50 PM Subject: [LARTC] Linux DHPC > Dear sir, > > I am trying to install Linux server using DHCP, I have downloaded the DHCP > file and installed. etho is the LAN point giving the Linux server > connection to Internet and I want to configure eth1 to give DHCP to the > clients. > > With the instruction I got from the Internet, I have to copy conf file to > /etc which I have done,I want to add codes to conf file to make it DHCP > but the code is not saving into conf file in /etc. Meanwhile when I > finished installation I couldn't find conf file but 'configure' file so I > rename the 'configure' to be 'conf' .What do you think I can do? Thank > you. > > Sincerely, > Seye > > > --------------------------------- > Everyone is raving about the all-new Yahoo! Mail beta. -------------------------------------------------------------------------------- > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > From lists at andyfurniss.entadsl.com Wed Nov 22 22:57:26 2006 
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Mon Dec 4 16:49:05 2006
Subject: [LARTC] Fwd: Traffic Shaping on a Transparent Bridge not working!
In-Reply-To:
References:
Message-ID: <4564C7C6.8020305@andyfurniss.entadsl.com>

drew einhorn wrote:

> RTFM time. The htb section of http://lartc.org/howto/index.html is easier
> reading than the cbq section. And the howto claims htb is better anyway.
> Let's focus on the htb version of wondershaper.

Yes HTB/HFSC should be better for slow links, unfortunately wondershaper is flawed as noted below. This may not be your problem here, though.

> Then we start downloading a file to generate some traffic that really
> needs to be shaped.

Shaping from the wrong end of the bottleneck is not nice and the slower the link the harder it is. It's better than not shaping (policing in this case).

> root@Devil:~ # sh -x wshaper.htb
> + DOWNLINK=100
> + UPLINK=100
> + DEV=eth0
> + NOPRIOHOSTSRC=
> + NOPRIOHOSTDST=
> + NOPRIOPORTSRC=
> + NOPRIOPORTDST=
> + '[' '' = status ']'
> + tc qdisc del dev eth0 root
> + tc qdisc del dev eth0 ingress
> + '[' '' = stop ']'
> + tc qdisc add dev eth0 root handle 1: htb default 20

It's not a good idea to use default on eth, unless you explicitly handle arp. IIRC WS was tested on ppp so I guess that's why. Not specifying default lets unclassified through unshaped and you can, and do, make a catchall ip filter later for 20 anyway.

> + tc class add dev eth0 parent 1: classid 1:1 htb rate 100kbit burst 6k
> + tc class add dev eth0 parent 1:1 classid 1:10 htb rate 100kbit burst 6k prio 1
> + tc class add dev eth0 parent 1:1 classid 1:20 htb rate 90kbit burst 6k prio 2
> + tc class add dev eth0 parent 1:1 classid 1:30 htb rate 80kbit burst 6k prio 2

Rates can't add up to more than parent rate/ceil. I guess the test case used didn't expose this when WS was published. I would use something like -

... 1:10 htb rate 80kbit ceil 100kbit ...
... 1:20 htb rate 15kbit ceil 100kbit
... 1:30 htb rate 5kbit ceil 100kbit

> + tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
> + tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
> + tc qdisc add dev eth0 parent 1:30 handle 30: sfq perturb 10
> + tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 match ip tos 0x10 0xff flowid 1:10
> + tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 match ip protocol 1 0xff flowid 1:10
> + tc filter add dev eth0 parent 1: protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:10
> + tc filter add dev eth0 parent 1: protocol ip prio 18 u32 match ip dst 0.0.0.0/0 flowid 1:20

This filter should catch all IP so default not needed.

> + tc qdisc add dev eth0 handle ffff: ingress
> + tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 100kbit burst 10k drop flowid :1

I am surprised this did nothing - at low speeds you may need to back off a bit more. If I were shaping a 128kbit link I would be tempted to mss clamp/set mtus lower as 1500byte packets have long bitrate latency - depends on your requirements and I am not sure you can mss clamp with this bridge setup.

> + tc -s qdisc ls dev eth0
> qdisc htb 1: r2q 10 default 20 direct_packets_stat 0
>  Sent 18649 bytes 191 pkts (dropped 0, overlimits 0)
> qdisc sfq 10: parent 1:10 limit 128p quantum 1514b perturb 10sec
>  Sent 10582 bytes 147 pkts (dropped 0, overlimits 0)
> qdisc sfq 20: parent 1:20 limit 128p quantum 1514b perturb 10sec
>  Sent 8067 bytes 44 pkts (dropped 0, overlimits 0)
> qdisc sfq 30: parent 1:30 limit 128p quantum 1514b perturb 10sec
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

Looks OK, we are testing ingress anyway. I would use limit XX on sfqs as 128 default is a very long time @ low bitrates.

> qdisc ingress ffff: ----------------
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

0 bytes - something wrong here. Filter looks OK, but it's not seeing traffic. I haven't got a 2.4 box, I do have a br on a 2.6 box and just tested on eth0 - works OK with those rules. Counters on eth0 egress look OK so I assume all traffic is IP - tcpdump. I wonder if it's something to do with bridging (I don't understand some behavior of mine), maybe ingress on eth0 has a different ethertype at that point. Try this instead -

tc qdisc add dev eth0 handle ffff: ingress
tc filter add dev eth0 parent ffff: protocol arp prio 1 u32 match u32 0 0 flowid :1
tc filter add dev eth0 parent ffff: protocol all prio 2 u32 match u32 0 0 police rate 100kbit burst 10k drop flowid :2

Aggh just thought of something else - tempted to delete above, but will leave in case it works. The thing is 2.4 and 2.6 (default config) use different policers. On 2.4 it hooks after PREROUTING and on 2.6 before. Maybe old policer + bridge isn't going to work for that reason.

Andy.

From rangi at ngen.net.nz Mon Dec 4 21:27:20 2006
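The two problems Andy points out (child rates adding up past the parent's rate, and `htb default` on an ethernet device where a catch-all ip filter already exists) can be checked mechanically before a script is loaded. The checker below is an added example, not code from this thread or from wondershaper; it recognises only the subset of tc syntax seen in the trace above and runs it against both the quoted rates and Andy's corrected ones.

```python
"""HTB sanity check for the wondershaper trace quoted above (added example)."""
import re
from dataclasses import dataclass, field

# tc(8) rate units: a bare number or "bit" is bits/s, "bps" is bytes/s
UNITS = {"": 1, "bit": 1, "kbit": 10**3, "mbit": 10**6, "gbit": 10**9,
         "bps": 8, "kbps": 8 * 10**3, "mbps": 8 * 10**6, "gbps": 8 * 10**9}

# only the subset of tc syntax used in the trace is recognised (assumption)
ROOT_RE = re.compile(r"tc qdisc add dev \S+ root handle (\S+) htb(.*)$")
CLASS_RE = re.compile(r"tc class add dev \S+ parent (\S+) classid (\S+) htb (.*)$")
CATCHALL_RE = re.compile(r"tc filter add dev \S+ parent \S+ protocol ip .*"
                         r"match ip (?:src|dst) 0\.0\.0\.0/0 .*flowid (\S+)")


def parse_rate(text):
    """'90kbit' -> 90000 bits per second, using tc's unit table."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([a-z]*)", text.lower())
    if not m or m.group(2) not in UNITS:
        raise ValueError(f"bad tc rate: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])


@dataclass
class HtbClass:
    classid: str
    parent: str
    rate: int
    ceil: int
    children: list = field(default_factory=list)


def parse_tc_script(lines):
    """Return (classes by id, root default classid or None, catch-all flowids)."""
    classes, default, catchall = {}, None, set()
    for raw in lines:
        line = re.sub(r"^[>+\s]+", "", raw)      # drop '> + ' quote / sh -x prefixes
        if m := ROOT_RE.match(line):
            handle, opts = m.group(1), m.group(2).split()
            if "default" in opts:                 # "1:" + "20" -> "1:20"
                default = handle + opts[opts.index("default") + 1]
        elif m := CLASS_RE.match(line):
            parent, classid, opts = m.group(1), m.group(2), m.group(3).split()
            rate = parse_rate(opts[opts.index("rate") + 1])
            ceil = parse_rate(opts[opts.index("ceil") + 1]) if "ceil" in opts else rate
            classes[classid] = HtbClass(classid, parent, rate, ceil)
        elif m := CATCHALL_RE.match(line):
            catchall.add(m.group(1))
    for c in classes.values():
        if c.parent in classes:
            classes[c.parent].children.append(c)
    return classes, default, catchall


def check_htb(lines):
    """Findings for the two points raised above; empty list when the tree is sound."""
    classes, default, catchall = parse_tc_script(lines)
    findings = []
    for c in classes.values():
        total = sum(ch.rate for ch in c.children)
        if total > c.rate:      # HTB: children's guaranteed rates must fit in the parent
            findings.append(f"{c.classid}: children guarantee {total} bit/s, "
                            f"parent rate is {c.rate} bit/s")
        for ch in c.children:
            if ch.ceil > c.ceil:
                findings.append(f"{ch.classid}: ceil {ch.ceil} above parent ceil {c.ceil}")
    if default is not None:     # on ethernet, non-IP frames such as ARP land in the default
        note = (" (and redundant: a catch-all ip filter already points there)"
                if default in catchall else "")
        findings.append(f"default {default}: unclassified non-IP frames such as ARP "
                        f"would be shaped into it{note}")
    return findings


# constructed from the sh -x trace quoted above
WONDERSHAPER = """\
> + tc qdisc add dev eth0 root handle 1: htb default 20
> + tc class add dev eth0 parent 1: classid 1:1 htb rate 100kbit burst 6k
> + tc class add dev eth0 parent 1:1 classid 1:10 htb rate 100kbit burst 6k prio 1
> + tc class add dev eth0 parent 1:1 classid 1:20 htb rate 90kbit burst 6k prio 2
> + tc class add dev eth0 parent 1:1 classid 1:30 htb rate 80kbit burst 6k prio 2
> + tc filter add dev eth0 parent 1: protocol ip prio 18 u32 match ip dst 0.0.0.0/0 flowid 1:20
""".splitlines()

# the same tree with the rates Andy suggests and no root default
FIXED = """\
tc qdisc add dev eth0 root handle 1: htb
tc class add dev eth0 parent 1: classid 1:1 htb rate 100kbit burst 6k
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 80kbit ceil 100kbit burst 6k prio 1
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 15kbit ceil 100kbit burst 6k prio 2
tc class add dev eth0 parent 1:1 classid 1:30 htb rate 5kbit ceil 100kbit burst 6k prio 2
tc filter add dev eth0 parent 1: protocol ip prio 18 u32 match ip dst 0.0.0.0/0 flowid 1:20
""".splitlines()

if __name__ == "__main__":
    for name, script in (("wondershaper", WONDERSHAPER), ("fixed", FIXED)):
        print(name, check_htb(script) or "OK")
```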
From: rangi at ngen.net.nz (Rangi Biddle) Date: Mon Dec 4 21:32:00 2006 Subject: [LARTC] HTB GUI In-Reply-To: <20061123091815.89629.qmail@web90406.mail.mud.yahoo.com> Message-ID: <003101c717e2$9c5c9770$0101010a@lamachine> Hi Alan, > can anyone teach me what software to use to build a own web based GUI HTB software in Fedoracore ( Linux based) ? Thanks That really is a very open question to be asking. There are so many different programming languages that can work with a web server 2 that spring to mind are PHP and Perl. What may be of more benefit for you would be to visit each of the respective websites www.php.net (PHP) or www.perl.com (Perl) and perhaps look at some of the examples on those sites. Depending on what you plan to do PHP may be a better choice over Perl (I'm not going to argue with anyone here) or vice versa it really comes down to your requirements and or future requirements. That said, I would probably suggest Perl as it has an extensive library of user contributed classes and code that is available from CPAN (www.cpan.org ) and it is most likely that you will find something there that will allow you to finish your project sooner. You will also need to look at installing the apache web server module mod_perl in order to get your perl scripts working with apache. (Again, not arguing with anyone over this) As for teaching you how to build a web based GUI, I'm afraid I just don't have the time but there are plenty of resources available on the internet that you can learn from including IRC channels and websites to name just a few. I hope this helps Rangi _____ 
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of alan tan Sent: Thursday, 23 November 2006 10:18 p.m. To: lartc@mailman.ds9a.nl; lartc@mailman.ds9a.nl Subject: [LARTC] HTB GUI Hi, I have many example of HTB GUI . All is already well developed, which discussed in this link . However, can anyone teach me what software to use to build a own web based GUI HTB software in Fedoracore ( Linux based) ? Thanks Regards Alan -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20061205/9fc43cad/attachment-0001.html From mark at dueck.bz Mon Dec 4 21:43:50 2006 From: mark at dueck.bz (Mark Dueck) Date: Mon Dec 4 21:44:06 2006 Subject: [LARTC] HTB GUI In-Reply-To: <003101c717e2$9c5c9770$0101010a@lamachine> References: <20061123091815.89629.qmail@web90406.mail.mud.yahoo.com> <003101c717e2$9c5c9770$0101010a@lamachine> Message-ID: <6.2.5.6.0.20061204144026.01e57e80@dueck.bz> An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20061204/8ad65a73/attachment.htm From gtaylor at riverviewtech.net Tue Dec 5 02:36:31 2006 
From: gtaylor at riverviewtech.net (Grant Taylor) Date: Tue Dec 5 02:57:09 2006 Subject: [LARTC] Fail-over uplink problem In-Reply-To: <1164413138.13235.5.camel@elida.cbxnet.de> References: <1164413138.13235.5.camel@elida.cbxnet.de> Message-ID: <4574CD1F.8080802@riverviewtech.net> On 11/24/06 18:05, Torsten Luettgert wrote: > I have a problem I thought was simple first, but now I'm stuck. > In a nutshell, it's about redundant uplinks at an outside location. > Crude ASCII-Art follows: It has been experience that things that seem simple seldom are. :s > Internet > | | > +------------+ > | cisco with | > | uplinks | > +------------+ > | | ATM interface > +----------+ ... > | alvarion | | > | wireless | +-------+ > | base | | DSL | > +----------+ | modem | > ||| +-------+ > +------------+ | > | wireless | | > | subscriber | / > +------------+ / > | / > +-------------+ > | small linux | > | box | > +-------------+ > | > target net Yep, this is one of things that is not as simple as it seems. > The target net is connected via a 20 MBit wireless connection which > should be the "normal" route, and a 2 MBit DSL connection as backup. > Switching to the backup line should work automatically. There are link > networks between the linux box and the DSL modem and between the linux > box and the base (subscriber is acting as a bridge). By "... link networks between ..." do you mean that the DSL modem and / or the subscriber unit are not directly connected to the Linux box? I.e. you can not rely on the ethernet link state. (I'll presume yes for discussion.) > We control all the equipment, including the cisco. So I thought I'd use > quagga and build a small OSPF or RIP between the linux box and the > cisco where the linux box announces the target net. The wireless route > would have higher priority because of the higher line speed. That seems a bit of over kill, at least on the Linux end. 
However, seeing as how I'm not really that proficient at Cisco, I'm not sure what choice(s) you will have. > But how do I set the "default route" on the box? I don't want to > redistribute BGP into OSPF on the cisco, it knows 2x20,000 routes from > two uplink peers and the linux box is really small (300 MHz Celeron > with 128 MB RAM). I would write a small daemon (Perl script) that would periodically test the link to the Cisco equipment. If the primary link is down, try the backup. Are you dealing with NATed traffic, or is your TargetNet a globally routable subnet? If TargetNet is globally routable, things are a bit easier as in you don't have to maintain NAT states. I would recommend that you not have the same subnet on the DSL and the wireless link. This way, you can set up two different routing tables, one for the DSL and one for the wireless link. Then you can have your daemon monitor / test connectivity to the targets. Have your daemon do a quick "ip rule" update and "ip route flush cache" when the links change. Something else you could try would be to have each link be a different subnet and have two different default routes, each with a different metric. The routers should use the route with the lower metric. If for some reason the lower metric does not work, the router should fall back to the higher metric. However for this to work, I think one piece of equipment would have to be the aggregation point on each end. If your equipment setup would allow this, I think this would be an easier / safer / more maintainable route to go. However if you can not do this, think along the lines of my other suggestion. If you can provide more information on your specific scenario, I'd be more than happy to refine my recommendations. Grant. . . . From s.cramatte at wanadoo.fr Tue Dec 5 13:00:01 2006 
From: s.cramatte at wanadoo.fr (Sébastien CRAMATTE)
Date: Tue Dec 5 13:00:23 2006
Subject: [LARTC] Bridge HFSC QOS questions ...
Message-ID: <45755F41.50500@wanadoo.fr>

Hello,

I've got some questions about Bridge and QOS ...

I've got a server with 2 interfaces eth0,eth1 inside br0 bridge ... nothing special ...

If I understand it all, normally I should configure TC class and qdisc on each physical interface or use ebtables to manage packets on output ... right ?

I've attached my qos_script that uses hfsc and the layer7 module. I use only iptables in this script... maybe I should use ebtables too ?

Can anyone take a look at this script and tell me if I've made any errors, because it seems that it doesn't work :(

Thanks for the help

Sébastien

-------------- next part --------------
#!/bin/bash
# HFSC shaping on one physical interface of the bridge; classification is
# done with iptables CLASSIFY in the mangle table.
SPEED=30          # link rate in mbit
DEV=eth0
CL1="-j CLASSIFY --set-class 1:10"
CL2="-j CLASSIFY --set-class 1:11"
CL3="-j CLASSIFY --set-class 1:12"
CL4="-j CLASSIFY --set-class 1:13"
CL5="-j CLASSIFY --set-class 1:14"
RET="-j RETURN"

# Bridged frames only traverse the iptables mangle table when bridge-netfilter
# is enabled (added here; the original script assumed it).
echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables

echo -n "+ Create root queue discipline for ${DEV} cpe interface "
tc qdisc add dev ${DEV} root handle 1: hfsc default 13
echo "[done]"

iptables -t mangle -A POSTROUTING -j LOG      # debugging only: logs every packet
iptables -t mangle -N SHAPPER
iptables -t mangle -A POSTROUTING -j SHAPPER

# add main rate limit class
echo -n " + Create class for CPE SHAPPING "
tc class add dev ${DEV} parent 1: classid 1:1 hfsc sc rate ${SPEED}mbit ul rate ${SPEED}mbit
echo "[done]"

# Interactive traffic: guarantee realtime full uplink for 50ms, then
# 1/10 of the uplink
echo -n " + Append subclass for low delay "
tc class add dev ${DEV} parent 1:1 classid 1:10 hfsc \
    rt m1 ${SPEED}mbit d 50ms m2 $[1*$SPEED/10]mbit \
    ls m1 ${SPEED}mbit d 50ms m2 $[3*$SPEED/10]mbit \
    ul rate ${SPEED}mbit
# To speed up downloads while an upload is going on, put short ACK
# packets in the interactive class:
iptables -t mangle -A SHAPPER -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -m length --length :64 $CL1
iptables -t mangle -A SHAPPER -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -m length --length :64 $RET
# ICMP in the interactive class
iptables -t mangle -A SHAPPER -p icmp $CL1
iptables -t mangle -A SHAPPER -p icmp $RET
# All traffic optimized for minimize monetary cost TOS 0x02
iptables -t mangle -A SHAPPER -m tos --tos 0x02 $CL1
iptables -t mangle -A SHAPPER -m tos --tos 0x02 $RET
# All traffic optimized for minimize delay TOS 0x10
iptables -t mangle -A SHAPPER -m tos --tos 0x10 $CL1
iptables -t mangle -A SHAPPER -m tos --tos 0x10 $RET
# Interactive ports (disabled)
#iptables -t mangle -A SHAPPER -p tcp -m multiport --sports ssh,ftp $CL1
#iptables -t mangle -A SHAPPER -p tcp -m multiport --sports ssh,ftp $RET
# All udp dns traffic
iptables -t mangle -A SHAPPER -p udp --dport 53 $CL1
iptables -t mangle -A SHAPPER -p udp --dport 53 $RET
echo "[done]"

# VoIP: guarantee full uplink for 200ms, then 5/10
echo -n " + Append subclass for VoIP traffic "
tc class add dev ${DEV} parent 1:1 classid 1:11 hfsc \
    sc m1 ${SPEED}mbit d 200ms m2 $[5*$SPEED/10]mbit \
    ul rate ${SPEED}mbit      # was ${SPEED}kbit, which capped the VoIP class at 30kbit
# SIP signalling: UDP 5060 is the usual transport; the TCP match is kept as well
iptables -t mangle -A SHAPPER -p udp --sport sip $CL2
iptables -t mangle -A SHAPPER -p udp --sport sip $RET
iptables -t mangle -A SHAPPER -p tcp -m multiport --sports sip $CL2
iptables -t mangle -A SHAPPER -p tcp -m multiport --sports sip $RET
# RTP media is UDP; multiport's option is --dports and it accepts a range
iptables -t mangle -A SHAPPER -p udp -m multiport --dports 10000:20000 $CL2
iptables -t mangle -A SHAPPER -p udp -m multiport --dports 10000:20000 $RET
echo "[done]"

# smtp traffic: don't guarantee anything for the first 10 seconds,
# then guarantee 1/20
echo -n " + Append subclass for high reliability traffic "
tc class add dev ${DEV} parent 1:1 classid 1:12 hfsc \
    sc m1 0 d 10s m2 $[1*$SPEED/20]mbit \
    ul rate ${SPEED}mbit
iptables -t mangle -A SHAPPER -p tcp -m multiport --sports smtp,ssmtp $CL3
iptables -t mangle -A SHAPPER -p tcp -m multiport --sports smtp,ssmtp $RET
iptables -t mangle -A SHAPPER -m tos --tos 0x04 $CL3
iptables -t mangle -A SHAPPER -m tos --tos 0x04 $RET
echo "[done]"

# p2p traffic: don't guarantee anything for the first 20 seconds,
# then guarantee 1/20
echo -n " + Append subclass for P2P "
tc class add dev $DEV parent 1:1 classid 1:14 hfsc \
    sc m1 0 d 20s m2 $[1*$SPEED/20]mbit \
    ul rate ${SPEED}mbit
iptables -t mangle -A SHAPPER -m layer7 --l7proto edonkey $CL5
iptables -t mangle -A SHAPPER -m layer7 --l7proto edonkey $RET
iptables -t mangle -A SHAPPER -m layer7 --l7proto fasttrack $CL5
iptables -t mangle -A SHAPPER -m layer7 --l7proto fasttrack $RET
iptables -t mangle -A SHAPPER -m layer7 --l7proto bittorrent $CL5
iptables -t mangle -A SHAPPER -m layer7 --l7proto bittorrent $RET
echo "[done]"

# Default traffic: don't guarantee anything for the first two seconds,
# then guarantee 1/20
echo -n " + Append subclass for high bandwidth, low latency traffic (default) "
tc class add dev $DEV parent 1:1 classid 1:13 hfsc \
    sc m1 0 d 2s m2 $[1*$SPEED/20]mbit \
    ul rate ${SPEED}mbit
iptables -t mangle -A SHAPPER -m tos --tos 0x08 $CL4
iptables -t mangle -A SHAPPER -m tos --tos 0x08 $RET
iptables -t mangle -A SHAPPER $CL4
iptables -t mangle -A SHAPPER $RET
echo "[done]"

From tom71713-misc at inqone.com Tue Dec 5 15:53:57 2006
From: tom71713-misc at inqone.com (Tom Smith) Date: Tue Dec 5 15:54:24 2006 Subject: [LARTC] Traffic control on a single interface Message-ID: <45758805.1030901@inqone.com> I'm in the process of replacing a Novell server that had a single NIC and routed traffic from our local network to either the Internet or to the Corporate office. I have this configuration working now but we've run in to some bandwidth problems. The server that I have set up now is Linux. It uses a different IP for Samba than for the DNS/DHCP and routing (different VMs in VMware Server). What I'd like to do is configure the traffic control to do several things: 1) It needs to be able to control traffic leaving our local network and going to either Corporate (via point-to-point T-1) or the Internet (via fractional T-1). 2) It needs to be able to control traffic coming IN TO our network from remote VPN connections. 3) Telnet and SSH traffic should be real time. 4) All other local traffic (that is, traffic not leaving our local network) needs to be real time AND at local network speeds. It there a good way to achieve these goals given that the router only has one NIC in it? Or might there be a better way of doing this? Thanks, in advance, for your help. ~ Tom From marek at piasta.pl Tue Dec 5 16:31:21 2006 
From: marek at piasta.pl (Marek Kierdelewicz) Date: Tue Dec 5 16:17:05 2006 Subject: [LARTC] Traffic control on a single interface In-Reply-To: <45758805.1030901@inqone.com> References: <45758805.1030901@inqone.com> Message-ID: <20061205163121.731bec07@localhost> Hi there, > > It there a good way to achieve these goals given that the router > only has one NIC in it? Connect the NIC to managed L2 switch. Configure connection as a trunk carrying some vlans. Configure remaining L2 switch ports as untagged and assign them do appropriate vlans. Functionally you'll have Linux router with more NICs (groups of untagged switch ports will be equivalent to one linux NIC). On linux system you'll have separate interfaces like eth0.1 eth0.2 and so on. This can significantly ease task of shaping and routing your traffic the way you want it. Another option is using IFB/IMQ for shaping traffic, but such setup won't be too straightforward and bug-prune. pozdrawiam -- Marek Kierdelewicz Kierownik Dzia?u System?w Sieciowych, KoBa Network Department Manager, KoBa tel. (85) 7406466; fax. (85) 7406467 e-mail: admin@koba.pl From t.luettgert at pressestimmen.de Tue Dec 5 16:44:45 2006 
From: t.luettgert at pressestimmen.de (Torsten Luettgert) Date: Tue Dec 5 16:44:52 2006 Subject: [LARTC] Fail-over uplink problem In-Reply-To: <4574CD1F.8080802@riverviewtech.net> References: <1164413138.13235.5.camel@elida.cbxnet.de> <4574CD1F.8080802@riverviewtech.net> Message-ID: <1165333486.12736.25.camel@sokrates.cff> On Mo, 2006-12-04 at 19:36 -0600, Grant Taylor wrote: > On 11/24/06 18:05, Torsten Luettgert wrote: > By "... link networks between ..." do you mean that the DSL modem > and / or the subscriber unit are not directly connected to the > Linux box? I.e. you can not rely on the ethernet link state. > (I'll presume yes for discussion.) They are indeed directly connected, but I still don't want to rely on the link state. I meant there are two /30 networks just for the linux box and modem/subscriber. > > We control all the equipment, including the cisco. So I thought I'd use > > quagga and build a small OSPF or RIP between the linux box and the > > cisco where the linux box announces the target net. The wireless route > > would have higher priority because of the higher line speed. > > That seems a bit of over kill, at least on the Linux end. > However, seeing as how I'm not really that proficient at Cisco, > I'm not sure what choice(s) you will have. It actually worked except for one showstopper on the cisco :-( The solution was "default-information originate always", btw., just for the archives. This command is identical in Cisco IOS and quagga. The problem: my cisco only accepts direct neighbours for OSPF, so I built GRE tunnels and everything was fine... except the default route (of course) pointed into the tunnel, and I'm not keen on sending 20 MBit through GRE, what with all the MTU, fragmentation and router CPU load problems. > I would write a small daemon (Perl script) that would periodically > test the link to the Cisco equipment. If the primary link is down, > try the backup. That's what I'm doing now. 
I didn't want to originally: I can easily make the linux box send packets upstream via the backup route, but I would need my script log in on the cisco and change routes. Gives me a bad taste. > Are you dealing with NATed traffic, or is your TargetNet a > globally routable subnet? If TargetNet is globally routable, > things are a bit easier as in you don't have to maintain NAT > states. No NAT there :-) > I would recommend that you not have the same subnet on the DSL > and the wireless link. This way, you can set up two different > routing tables, one for the DSL and one for the wireless link. > Then you can have your daemon monitor / test connectivity to > the targets. Have your daemon do a quick "ip rule" update and > "ip route flush cache" when the links change. That sounds good for the linux side. > Something else you could try would be to have each link be a > different subnet and have two different default routes, each > with a different metric. The routers should use the route > with the lower metric. If for some reason the lower metric > does not work, the router should fall back to the higher metric. How would it "know" the line is down? In my experience, in most cases the interface stays up just fine, but packets vanish because of radio problems or something. Thanks for your suggestions, Torsten From s.cramatte at wanadoo.fr Tue Dec 5 21:14:04 2006 
From: s.cramatte at wanadoo.fr (Sébastien CRAMATTE)
Date: Tue Dec 5 21:14:10 2006
Subject: [LARTC] Bridge HFSC QOS ... strange TC values ...
In-Reply-To: <45755F41.50500@wanadoo.fr>
References: <45755F41.50500@wanadoo.fr>
Message-ID: <4575D30C.2030101@wanadoo.fr>

Hello,

I've set up HFSC QOS using this script: http://automatthias.wordpress.com/2006/06/30/hfsc-and-voip/

I've a bridge with eth0 and eth1 inside br0. I haven't used ebtables, just iptables. I need to have different values on upload and download, this is why I've set up QOS on 2 interfaces.

It's very strange, but the root (2:) and main parent (2:2) queues are still empty with HFSC. I've got another shaper running with HTB and these 2 queues have got a value ?????

# tc -s -d class show dev eth1
class hfsc 2: root
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 period 24 work 13844803460630839320 bytes rtwork 20444467840 bytes level 3466779352
class hfsc 2:22 parent 2:2 sc m1 0bit d 10.0s m2 1000Kbit ul m1 0bit d 0us m2 30000Kbit
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 period 24 work 13844803460630839320 bytes rtwork 20444467840 bytes level 3466779352
class hfsc 2:23 parent 2:2 sc m1 0bit d 2.0s m2 1000Kbit ul m1 0bit d 0us m2 30000Kbit
 Sent 3545998683 bytes 2796571 pkts (dropped 299, overlimits 0)
 period 24 work 13844803460630839320 bytes rtwork 20444467840 bytes level 3466779352
class hfsc 2:2 parent 2: sc m1 0bit d 0us m2 30000Kbit ul m1 0bit d 0us m2 30000Kbit
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 period 24 work 13844803460630839320 bytes rtwork 20444467840 bytes level 3466779352
class hfsc 2:20 parent 2:2 rt m1 30000Kbit d 50.0ms m2 3000Kbit ls m1 30000Kbit d 50.0ms m2 9000Kbit ul m1 0bit d 0us m2 30000Kbit
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 period 24 work 13844803460630839320 bytes rtwork 20444467840 bytes level 3466779352
class hfsc 2:21 parent 2:2 sc m1 30000Kbit d 200.0ms m2 15000Kbit ul m1 0bit d 0us m2 30000bit
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 period 24 work 13844803460630839320 bytes rtwork 20444467840 bytes level 3466779352
class hfsc 2:24 parent 2:2 sc m1 0bit d 20.0s m2 1000Kbit ul m1 0bit d 0us m2 30000Kbit
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 period 24 work 13844803460630839320 bytes rtwork 20444467840 bytes level 3466779352

I hope that someone could give me a hand. I can send the script I use.

regards

From gtaylor at riverviewtech.net Tue Dec 5 22:19:20 2006
From: gtaylor at riverviewtech.net (Taylor, Grant) Date: Tue Dec 5 22:19:24 2006 Subject: [LARTC] Fail-over uplink problem In-Reply-To: <1165333486.12736.25.camel@sokrates.cff> References: <1164413138.13235.5.camel@elida.cbxnet.de> <4574CD1F.8080802@riverviewtech.net> <1165333486.12736.25.camel@sokrates.cff> Message-ID: <4575E258.7060500@riverviewtech.net> Torsten Luettgert wrote: > They are indeed directly connected, but I still don't want to rely > on the link state. I meant there are two /30 networks just for the > linux box and modem/subscriber. *nod* > The problem: my cisco only accepts direct neighbours for OSPF, so I > built GRE tunnels and everything was fine... except the default route > (of course) pointed into the tunnel, and I'm not keen on sending > 20 MBit through GRE, what with all the MTU, fragmentation and > router CPU load problems. Ok, maybe I'm not understanding why your router is not seen as a direct neighbor. Or is this like a Cisco CDP thing where a piece of layer 3 equipment will see a layer 2 switch as a neighbor verses the other piece of layer 3 equipment on the other side of the layer 2 switch? Indeed. Nor would I relish sending that much traffic through any sort of tunnel. > That's what I'm doing now. I didn't want to originally: I can easily > make the linux box send packets upstream via the backup route, but I > would need my script log in on the cisco and change routes. Gives me > a bad taste. *nod* > No NAT there :-) Good. > That sounds good for the linux side. *nod* > How would it "know" the line is down? In my experience, in most > cases the interface stays up just fine, but packets vanish > because of radio problems or something. Don't hold me to this, but I think it has something to do with ARP caching. If your Cisco knows that it needs to send the packets to a gateway that is in it's broadcast domain it will ARP for the gateways MAC so that it can send the packets to it. 
If for some reason the ARP requests fail, the Cisco will know that the gateway's IP is unreachable and thus that it needs to use an alternant route. Sorry, I can not get any more specific than that. I'm not even really sure that what I said is entirely accurate, that is just the understanding that I have had based on my experiences. Grant. . . . From nata at cnett.psi.br Wed Dec 6 14:23:11 2006 
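The monitoring daemon Grant sketches (probe each link, update the `ip rule` and flush the route cache when it changes) is written out below for the Linux side of Torsten's setup. It is an added example in Python rather than Perl and is not code from either poster; it assumes routing tables named `wireless` and `dsl` already exist in /etc/iproute2/rt_tables, each holding a default route via its own /30 link network, and the addresses and the 192.0.2.0/24 target net are constructed placeholders. Links are judged by probe replies rather than ethernet carrier, which answers the "how would it know the line is down" question for the radio-loss case; the cisco side is not touched.

```python
"""Uplink failover watchdog for the Linux box (added example, not from the thread)."""
import subprocess
import time
from dataclasses import dataclass

TARGET_NET = "192.0.2.0/24"   # placeholder prefix for the target net
FAIL_THRESHOLD = 3            # lost probes in a row before a link is declared down
OK_THRESHOLD = 5              # good probes in a row before it is trusted again


@dataclass(frozen=True)
class Link:
    name: str       # routing table name from /etc/iproute2/rt_tables (assumed to exist)
    src: str        # our address on the /30 link network
    probe: str      # far-side address to ping through this link
    pref: int       # ip rule preference; only the active link has a rule installed


WIRELESS = Link("wireless", "198.51.100.1", "198.51.100.2", 100)   # constructed
DSL = Link("dsl", "203.0.113.1", "203.0.113.2", 200)               # constructed


class LinkState:
    """Up/down verdict for one link, with hysteresis so a single lost probe does not flap."""

    def __init__(self, link, up=True):
        self.link, self.up, self.fails, self.oks = link, up, 0, 0

    def record(self, ok):
        """Feed one probe result; return True if the verdict changed."""
        if ok:
            self.oks, self.fails = self.oks + 1, 0
            if not self.up and self.oks >= OK_THRESHOLD:
                self.up = True
                return True
        else:
            self.fails, self.oks = self.fails + 1, 0
            if self.up and self.fails >= FAIL_THRESHOLD:
                self.up = False
                return True
        return False


def choose(primary, backup, current):
    """Prefer the primary whenever it is up; if both are down keep what we have."""
    if primary.up:
        return primary.link
    if backup.up:
        return backup.link
    return current


def switch_commands(old, new):
    """ip(8) calls that move the target net's policy rule from old to new."""
    return [
        ["ip", "rule", "add", "from", TARGET_NET, "lookup", new.name, "pref", str(new.pref)],
        ["ip", "rule", "del", "from", TARGET_NET, "lookup", old.name, "pref", str(old.pref)],
        ["ip", "route", "flush", "cache"],
    ]


def run_cycle(primary, backup, current, results):
    """Feed one (primary_ok, backup_ok) pair; return (active link, commands to run)."""
    primary.record(results[0])
    backup.record(results[1])
    wanted = choose(primary, backup, current)
    if wanted is current:
        return current, []
    return wanted, switch_commands(current, wanted)


def probe(link, timeout_s=2):
    """One ICMP echo sourced from the link's own address; True on a reply."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-I", link.src, link.probe]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def main(interval_s=5):
    primary, backup, current = LinkState(WIRELESS), LinkState(DSL), WIRELESS
    subprocess.run(["ip", "rule", "add", "from", TARGET_NET, "lookup",
                    WIRELESS.name, "pref", str(WIRELESS.pref)])   # initial rule
    while True:
        current, cmds = run_cycle(primary, backup, current, (probe(WIRELESS), probe(DSL)))
        for cmd in cmds:
            subprocess.run(cmd)      # ip prints its own error if a rule is already gone
        time.sleep(interval_s)


if __name__ == "__main__":
    main()
```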
From: nata at cnett.psi.br (Nataniel Klug) Date: Wed Dec 6 17:24:14 2006 Subject: [LARTC] Configuring a QoS Box + Cliente Bandwidth Control Message-ID: <4576C43F.3020808@cnett.psi.br> Hello all, I am trying to configure a linux box to make some QoS into my netowork and, at the same box, control my clients bandwidth. I have this classes created: ---------------------------------------------------------------- UP="eth0" # wan infocontabil DL01="eth2" # lan clientes $TC qdisc del dev $DL01 root 2> /dev/null > /dev/null $TC qdisc del dev $DL01 ingress 2> /dev/null > /dev/null $TC qdisc del dev $UP root 2> /dev/null > /dev/null $TC qdisc del dev $UP ingress 2> /dev/null > /dev/null $TC qdisc add dev $DL01 root handle 1: htb default 40 CLASS="/sbin/tc class add dev $DL01 parent" $CLASS 1: classid 1:1 htb rate 100Mbit $CLASS 1:1 classid 1:5 htb rate 100Mbit ceil 100Mbit $CLASS 1: classid 1:2 htb rate 972Kbit $CLASS 1:2 classid 1:10 htb rate 128Kbit ceil 256Kbit prio 0 $CLASS 1:2 classid 1:20 htb rate 512Kbit ceil 768Kbit prio 0 $CLASS 1:2 classid 1:30 htb rate 128Kbit ceil 512Kbit prio 1 $CLASS 1:2 classid 1:40 htb rate 204Kbit ceil 512Kbit ---------------------------------------------------------------- Here, as you can see, I made some rules to control my network. I have a class 1:1 that serves only inside my network, so this is not limited. I just use this option for some IPs that belongs to my own phisical network. This is working fine as a QoS becouse I send my traffic as follow: CLASS 1:10 --> interactive (ssh, telnet) CLASS 1:20 --> http and https CLASS 1:30 --> pop, smtp and ftp CLASS 1:40 --> all the rest This is the way my network work better. Now my problem is: I have a bunch of clients direct connect into eth2 device and I need that, this clients, have some bandwidht control. 
Consider this:

Client IP range: 192.168.0.0/24
Download bandwidth: 32 Kbit for each IP

So I made a script just like this:

-----------------------------
DL="eth2"
CONT="99"
for i in `cat /etc/firewall/qos/hosts.32k`
do
    CONT=`expr $CONT + 1`
    $TC class add dev $DL parent 1:2 classid 1:${CONT} htb rate 32Kbit ceil 32Kbit
    $TC filter add dev $DL parent 1:0 protocol ip prio 1 u32 match ip dst ${i}/32 flowid 1:${CONT}
done
-----------------------------

I put this just after the CLASS stuff. Now my clients are all fully controlled, but my QoS does not work. Is there some way to make this happen?

PS: At the end of this email is my full QoS script.

Regards,
Nataniel Klug

--------------- start - qos.sh ---------------
#!/bin/sh
#------
# Cyber Nett QoS script
#------
# Nataniel Klug
# suporte@cnett.com.br
#------
TC="/sbin/tc"
IPT="/usr/local/sbin/iptables"
DIR="/etc/firewall/qos"
UP="eth0"   # wan infocontabil
DL01="eth2" # lan clients
DL02="eth3" # lan infocontabil

#-----
# Flushing iptables
# Applying saved marks (at the end of each INTERFACE)
#-----
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
$IPT -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT

# marking packets
# P2P
P2PMARK="20"
$IPT -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark $P2PMARK
$IPT -t mangle -A PREROUTING -p udp -m ipp2p --ipp2p -j MARK --set-mark $P2PMARK
# skype
SKYPEMARK="21"
$IPT -t mangle -A PREROUTING -p tcp -m layer7 --l7proto skypetoskype -j MARK --set-mark $SKYPEMARK
$IPT -t mangle -A PREROUTING -p tcp -m layer7 --l7proto skypeout -j MARK --set-mark $SKYPEMARK
$IPT -t mangle -A PREROUTING -p udp -m layer7 --l7proto skypetoskype -j MARK --set-mark $SKYPEMARK
$IPT -t mangle -A PREROUTING -p udp -m layer7 --l7proto skypeout -j MARK --set-mark $SKYPEMARK
# msn
MSN="22"
$IPT -t mangle -A PREROUTING -p all -m layer7 --l7proto msnmessenger -j MARK --set-mark $MSN
# ssh
SSH="23"
$IPT -t mangle -A PREROUTING -p all -m layer7 --l7proto ssh -j MARK --set-mark $SSH

#----
# SAVING IPTABLES MARKS
#----
$IPT -t mangle -A PREROUTING -j CONNMARK --save-mark

#------
# Deleting old QoS rules
#------
$TC qdisc del dev $DL01 root 2> /dev/null > /dev/null
$TC qdisc del dev $DL01 ingress 2> /dev/null > /dev/null
$TC qdisc del dev $DL02 root 2> /dev/null > /dev/null
$TC qdisc del dev $DL02 ingress 2> /dev/null > /dev/null
$TC qdisc del dev $UP root 2> /dev/null > /dev/null
$TC qdisc del dev $UP ingress 2> /dev/null > /dev/null

#------
# CREATING DOWNLOAD RULES
#------
#=========#
# IF ETH3 #
#  $DL02  #
#=========#
$TC qdisc add dev $DL02 root handle 1: htb default 5

# creating classes
CLASS="/sbin/tc class add dev $DL02 parent"
# class for communication with the Infocontabil network
$CLASS 1: classid 1:1 htb rate 100Mbit
$CLASS 1:1 classid 1:5 htb rate 100Mbit ceil 100Mbit
# class for external networks
#$CLASS 1: classid 1:2 htb rate 512Kbit
#$CLASS 1:2 classid 1:10 htb rate 128Kbit ceil 256Kbit prio 0
#$CLASS 1:2 classid 1:20 htb rate 256Kbit ceil 512Kbit prio 0
#$CLASS 1:2 classid 1:30 htb rate 32Kbit ceil 128Kbit prio 1
#$CLASS 1:2 classid 1:40 htb rate 64Kbit ceil 128Kbit

# creating the fair queues
QDISC="/sbin/tc qdisc add dev $DL02 parent"
$QDISC 1:5 handle 5: sfq perturb 10
#$QDISC 1:10 handle 10: sfq perturb 10
#$QDISC 1:20 handle 20: sfq perturb 10
#$QDISC 1:30 handle 30: sfq perturb 10

# creating filters
FILTER="/sbin/tc filter add dev $DL02 parent 1:0 protocol ip"
# rules for CNett servers and networks
for i in `cat $DIR/infocontabil.network | awk '{print $2}'`
do
    $FILTER prio 1 u32 match ip src $i flowid 1:5
done

# rules for class 1:10
# interactive traffic
# PROTOCOLS
#$FILTER prio 1 u32 match ip protocol 1 0xff flowid 1:10
# PORTS
#for i in `cat $DIR/prio0.src.ports | awk '{print $2}'`
#do
#    $FILTER prio 1 u32 match ip sport $i 0xffff flowid 1:10
#done
# PACKET MARKING
#$IPT -t mangle -A POSTROUTING -o $DL02 -m mark --mark $SKYPEMARK -j CLASSIFY --set-class 1:10
#$IPT -t mangle -A POSTROUTING -o $DL02 -m mark --mark $MSN -j CLASSIFY --set-class 1:10
#$IPT -t mangle -A POSTROUTING -o $DL02 -m mark --mark $SSH -j CLASSIFY --set-class 1:10

# rules for class 1:20
# availability traffic
# PORTS
#for i in `cat $DIR/prio1.src.ports | awk '{print $2}'`
#do
#    $FILTER prio 1 u32 match ip sport $i 0xffff flowid 1:20
#done

# rules for class 1:30
# availability traffic
# PORTS
#for i in `cat $DIR/prio2.src.ports | awk '{print $2}'`
#do
#    $FILTER prio 1 u32 match ip sport $i 0xffff flowid 1:30
#done

#=========#
# IF ETH2 #
#  $DL01  #
#=========#
$TC qdisc add dev $DL01 root handle 1: htb default 40

# creating classes
CLASS="/sbin/tc class add dev $DL01 parent"
# class for communication with the Infocontabil network
$CLASS 1: classid 1:1 htb rate 100Mbit
$CLASS 1:1 classid 1:5 htb rate 100Mbit ceil 100Mbit
# class for external networks
$CLASS 1: classid 1:2 htb rate 972Kbit
$CLASS 1:2 classid 1:10 htb rate 128Kbit ceil 256Kbit prio 0
$CLASS 1:2 classid 1:20 htb rate 512Kbit ceil 768Kbit prio 0
$CLASS 1:2 classid 1:30 htb rate 128Kbit ceil 512Kbit prio 1
$CLASS 1:2 classid 1:40 htb rate 204Kbit ceil 512Kbit

#****
# ADD BANDWIDTH CONTROL RULES
# DOWNLOAD
$DIR/banda.dl

# p2p class
#$CLASS 1: classid 1:3 htb rate 512Kbit
#$CLASS 1:3 classid 1:45 htb rate 512Kbit ceil 512Kbit

# creating the fair queues
QDISC="/sbin/tc qdisc add dev $DL01 parent"
#$QDISC 1:5 handle 5: sfq perturb 10
$QDISC 1:10 handle 10: sfq perturb 10
$QDISC 1:20 handle 20: sfq perturb 10
$QDISC 1:30 handle 30: sfq perturb 10

# creating filters
FILTER="/sbin/tc filter add dev $DL01 parent 1:0 protocol ip"
# rules for CNett servers and networks
for i in `cat $DIR/infocontabil.network | awk '{print $2}'`
do
    $FILTER prio 1 u32 match ip src $i flowid 1:5
done

# rules for class 1:10
# interactive traffic
# PROTOCOLS
$FILTER prio 1 u32 match ip protocol 1 0xff flowid 1:10
# PORTS
for i in `cat $DIR/prio0.src.ports | awk '{print $2}'`
do
    $FILTER prio 1 u32 match ip sport $i 0xffff flowid 1:10
done
# PACKET MARKING
$IPT -t mangle -A POSTROUTING -o $DL01 -m mark --mark $SKYPEMARK -j CLASSIFY --set-class 1:10
$IPT -t mangle -A POSTROUTING -o $DL01 -m mark --mark $MSN -j CLASSIFY --set-class 1:10
$IPT -t mangle -A POSTROUTING -o $DL01 -m mark --mark $SSH -j CLASSIFY --set-class 1:10

# rules for class 1:20
# availability traffic
# PORTS
for i in `cat $DIR/prio1.src.ports | awk '{print $2}'`
do
    $FILTER prio 1 u32 match ip sport $i 0xffff flowid 1:20
done

# rules for class 1:30
# availability traffic
# PORTS
for i in `cat $DIR/prio2.src.ports | awk '{print $2}'`
do
    $FILTER prio 1 u32 match ip sport $i 0xffff flowid 1:30
done

# rules for class 1:45
# bad traffic
# PACKET MARKING
$IPT -t mangle -A POSTROUTING -o $DL01 -m mark --mark $P2PMARK -j ACCEPT

#------
# CREATING UPLOAD RULES
#------
#=========#
# IF ETH0 #
#   $UP   #
#=========#
$TC qdisc add dev $UP root handle 1: htb default 40

# creating classes
CLASS="/sbin/tc class add dev $UP parent"
# class for communication with the Infocontabil network
$CLASS 1: classid 1:1 htb rate 100Mbit
$CLASS 1:1 classid 1:5 htb rate 100Mbit ceil 100Mbit
# class for external networks
$CLASS 1: classid 1:2 htb rate 972Kbit
$CLASS 1:2 classid 1:10 htb rate 128Kbit ceil 256Kbit prio 0
$CLASS 1:2 classid 1:20 htb rate 512Kbit ceil 768Kbit prio 0
$CLASS 1:2 classid 1:30 htb rate 128Kbit ceil 512Kbit prio 1
$CLASS 1:2 classid 1:40 htb rate 204Kbit ceil 512Kbit

#****
# ADD BANDWIDTH CONTROL RULES
# UPLOAD
$DIR/banda.up

# p2p class
#$CLASS 1: classid 1:3 htb rate 512Kbit
#$CLASS 1:3 classid 1:45 htb rate 512Kbit ceil 512Kbit

# creating the fair queues
QDISC="/sbin/tc qdisc add dev $UP parent"
#$QDISC 1:5 handle 5: sfq perturb 10
$QDISC 1:10 handle 10: sfq perturb 10
$QDISC 1:20 handle 20: sfq perturb 10
$QDISC 1:30 handle 30: sfq perturb 10

# creating filters
FILTER="/sbin/tc filter add dev $UP parent 1:0 protocol ip"
# rules for Infocontabil servers and networks
for i in `cat $DIR/infocontabil.network | awk '{print $2}'`
do
    $FILTER prio 1 u32 match ip dst $i flowid 1:5
done

# rules for class 1:10
# interactive traffic
# PROTOCOLS
$FILTER prio 1 u32 match ip protocol 1 0xff flowid 1:10
# PORTS
for i in `cat $DIR/prio0.src.ports | awk '{print $2}'`
do
    $FILTER prio 1 u32 match ip dport $i 0xffff flowid 1:10
done
# PACKET MARKING
$IPT -t mangle -A POSTROUTING -o $UP -m mark --mark $SKYPEMARK -j CLASSIFY --set-class 1:10
$IPT -t mangle -A POSTROUTING -o $UP -m mark --mark $MSN -j CLASSIFY --set-class 1:10
$IPT -t mangle -A POSTROUTING -o $UP -m mark --mark $SSH -j CLASSIFY --set-class 1:10

# rules for class 1:20
# availability traffic
# PORTS
for i in `cat $DIR/prio1.src.ports | awk '{print $2}'`
do
    $FILTER prio 1 u32 match ip dport $i 0xffff flowid 1:20
done

# rules for class 1:30
# availability traffic
# PORTS
for i in `cat $DIR/prio2.src.ports | awk '{print $2}'`
do
    $FILTER prio 1 u32 match ip dport $i 0xffff flowid 1:30
done

# rules for class 1:45
# bad traffic
# PACKET MARKING
$IPT -t mangle -A POSTROUTING -o $UP -m mark --mark $P2PMARK -j ACCEPT
--------------------- end - qos.sh ----------------------

--------------------- start - banda.dl --------------------
#!/bin/sh
#------
# Nataniel Klug
# suporte@cnett.com.br
#------
TC="/sbin/tc"
IPT="/usr/local/sbin/iptables"
DL="eth2"
CONT="99"

#****
# 32k clients
for i in `cat /etc/firewall/qos/hosts.32k`
do
    CONT=`expr $CONT + 1`
    $TC class add dev $DL parent 1:2 classid 1:${CONT} htb rate 32Kbit ceil 32Kbit
    $TC filter add dev $DL parent 1:0 protocol ip prio 1 u32 match ip dst ${i}/32 flowid 1:${CONT}
done
---------------------- end - banda.dl -------------------

----------------------- start - banda.up ------------------
#!/bin/sh
#------
# Nataniel Klug
# suporte@cnett.com.br
#------
TC="/sbin/tc"
IPT="/usr/local/sbin/iptables"
UP="eth0"
CONT="99"

#****
# 32k clients
for i in `cat /etc/firewall/qos/hosts.32k`
do
    CONT=`expr $CONT + 1`
    $TC class add dev $UP parent 1:2 classid 1:${CONT} htb rate 16Kbit ceil 16Kbit
    $TC filter add dev $UP parent 1:0 protocol ip prio 1 u32 match ip src ${i}/32 flowid 1:${CONT}
done
------------------------ end - banda.up -------------------------

From Alessandro.Vitale at elsag.it Wed Dec 6 17:24:16 2006
From: Alessandro.Vitale at elsag.it (Vitale Alessandro)
Date: Wed Dec 6 17:24:26 2006
Subject: [LARTC] Problem with patch atm !
Message-ID:

I patched the kernel and tc with 'Patches to Linux's traffic control engine to allow it to accurately calculate ATM traffic rates'. I use a router with eth0 and an ADSL interface; I launch this script to have shaping on the eth0 egress interface:

tc qdisc add dev eth0 root tbf rate 10000000 burst 100k latency 20ms mtu 1500 mpu 64

The traffic enters on adsl and goes out on eth0, but the problem is that the rate limit on eth0 is not accurate!! Do I have to use the overhead option? How can I use this with SNAP encapsulation on my ATM?

P.S. When traffic enters on eth0 and goes out on adsl and I launch this script:

tc qdisc add dev atm0/0 root tbf rate 500000 burst 100k latency 50ms atm overhead 16

all works fine! Thanks!

From gtaylor at riverviewtech.net Wed Dec 6 19:59:52 2006
From: gtaylor at riverviewtech.net (Taylor, Grant)
Date: Wed Dec 6 19:59:54 2006
Subject: [LARTC] Patch to allow for the ATM "cell tax"
In-Reply-To: <1141284603.10264.168.camel@ras.pc.brisbane.lube>
References: <1141284603.10264.168.camel@ras.pc.brisbane.lube>
Message-ID: <45771328.60801@riverviewtech.net>

Russell Stuart wrote:
> The following patch to tc allows it to perform an exact
> ATM / ADSL rate calculation. It adds one extra keyword
> to the "tc class add htb ..." command line: "atm". There
> isn't a lot of spare bits hanging around to record this,
> so the patch adds the feature at the expense of always
> forcing the "overhead" parameter to be even.
>
> With the patch, these commands will generate a correct
> rate table for:
>
> PPPoA + VC/Mux: tc class add htb ... overhead 10 atm
> PPPoA + VC/LLC: tc class add htb ... overhead 18 atm
> PPPoE + VC/Mux: tc class add htb ... overhead 34 atm
> PPPoE + VC/LLC: tc class add htb ... overhead 42 atm

What would be the appropriate parameters for an RFC 1483 / 2684 LLC Encapsulation or VC Multiplexing? Would the values above, adjusted for the removal of PPPoX, compensate?

Grant. . . .

From eye.of.the.8eholder at gmail.com Wed Dec 6 21:00:15 2006
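To make the "cell tax" in the quoted patch description concrete, here is an added example (not code from the patch, the list, or either poster) that computes what an ATM link actually carries for an IP packet once the per-packet encapsulation overhead is added and the result is padded to whole 48-byte cells, each costing 53 bytes on the wire. The OVERHEADS table holds only the four values quoted above; it does not answer the RFC 2684 question, and any other encapsulation needs its own figure. The effective_ip_rate helper then shows the practical consequence for the earlier tbf question: the IP-layer rate a cell-unaware shaper has to be given so that a given packet mix still fits the link on the ATM side.

```python
"""ATM cell tax for a given per-packet overhead: added example, not the patch's code."""
import math

ATM_CELL_BYTES = 53      # what the link carries per cell
ATM_PAYLOAD_BYTES = 48   # what fits in a cell

# The four overheads quoted in the message above (bytes added to each IP packet
# before cell padding). Other encapsulations need their own values.
OVERHEADS = {"PPPoA VC/Mux": 10, "PPPoA VC/LLC": 18,
             "PPPoE VC/Mux": 34, "PPPoE VC/LLC": 42}


def atm_cells(ip_len, overhead):
    """Number of 48-byte cells needed once the encapsulation overhead is added."""
    return math.ceil((ip_len + overhead) / ATM_PAYLOAD_BYTES)


def atm_wire_bytes(ip_len, overhead):
    """Bytes the ATM link actually spends on one IP packet of ip_len bytes."""
    return atm_cells(ip_len, overhead) * ATM_CELL_BYTES


def cell_tax(ip_len, overhead):
    """Wire bytes per IP byte; 1.0 would mean no tax at all."""
    return atm_wire_bytes(ip_len, overhead) / ip_len


def effective_ip_rate(link_bits, overhead, mix):
    """Largest IP-layer rate (bit/s) a cell-unaware shaper may be given so that
    a traffic mix, a list of (ip_len, weight) pairs, still fits a link of
    link_bits bit/s on the ATM side. Weights are relative packet counts."""
    ip_bytes = sum(length * w for length, w in mix)
    wire_bytes = sum(atm_wire_bytes(length, overhead) * w for length, w in mix)
    return int(link_bits * ip_bytes / wire_bytes)


if __name__ == "__main__":
    for name, oh in OVERHEADS.items():
        print(f"{name:13s} 1500-byte packet -> {atm_wire_bytes(1500, oh)} wire bytes "
              f"(x{cell_tax(1500, oh):.3f}), 40-byte ACK -> {atm_wire_bytes(40, oh)} "
              f"(x{cell_tax(40, oh):.2f})")
    # A 256 kbit/s uplink carrying only full-size packets over PPPoE VC/LLC:
    print("shaper rate for 1500-byte packets:", effective_ip_rate(256000, 42, [(1500, 1)]))
```

The tax is not linear in packet size, which is why a fixed percentage cannot replace the per-packet calculation: a full 1500-byte packet under PPPoE VC/LLC costs 33 cells (1749 wire bytes, about 17% extra), while a 40-byte ACK under PPPoE VC/Mux costs 3 cells (159 wire bytes, well over double its own size). Adding one byte to a packet that filled its last cell exactly adds a whole 53-byte cell.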
From: eye.of.the.8eholder at gmail.com (Eye of the Beholder)
Date: Wed Dec 6 21:00:25 2006
Subject: [LARTC] ADSL traffic shaping to improve latency
Message-ID: <20061206220015.083bd7b7@ktinos.gov>

Hello.

I have a 1024/256kbit ADSL and tried to shape outgoing traffic in order to improve latency. Here is my config.

UPLOAD_RATE="256"
UPRATE="$[4*$UPLOAD_RATE/5]"   # a little smaller
UP70="$[7*$UPRATE/10]kbit"
UP30="$[3*$UPRATE/10]kbit"
UP20="$[2*$UPRATE/10]kbit"
UPRATE="${UPRATE}kbit"
IF="eth2"
IPTABLES="iptables -t mangle -A POSTROUTING "

# Initialize
tc qdisc del dev $IF root >& /dev/null
iptables -t mangle -F

# Root qdisc / class
tc qdisc add dev $IF root handle 1: htb default 20
tc class add dev $IF parent 1: classid 1:1 htb rate 100mbit

# class for lan traffic
tc class add dev $IF parent 1:1 classid 1:100 htb rate 100mbit quantum 100000

# parent class for adsl traffic
tc class add dev $IF parent 1:1 classid 1:3 htb rate $UPRATE

# different classes
tc class add dev $IF parent 1:3 classid 1:70 htb rate $UP70 ceil $UPRATE prio 1
tc class add dev $IF parent 1:3 classid 1:30 htb rate $UP30 ceil $UPRATE prio 2 quantum 1200
tc class add dev $IF parent 1:3 classid 1:20 htb rate $UP20 ceil $UPRATE prio 3 quantum 1200

# queues
tc qdisc add dev $IF parent 1:100 handle 100: sfq perturb 10
tc qdisc add dev $IF parent 1:70 handle 70: sfq perturb 10
tc qdisc add dev $IF parent 1:30 handle 30: sfq perturb 10
tc qdisc add dev $IF parent 1:20 handle 20: sfq perturb 10

# filters
tc filter add dev $IF parent 1:0 protocol ip handle 100 fw classid 1:100
tc filter add dev $IF parent 1:0 prio 1 protocol ip handle 7 fw classid 1:70
tc filter add dev $IF parent 1:0 prio 2 protocol ip handle 3 fw classid 1:30
tc filter add dev $IF parent 1:0 prio 3 protocol ip handle 2 fw classid 1:20

# Mark packets
# Interactive class (70%)
$IPTABLES -p icmp -j MARK --set-mark 7
$IPTABLES -p icmp -j RETURN
$IPTABLES -p tcp --dport 22 -j MARK --set-mark 7
$IPTABLES -p tcp --dport 22 -j RETURN
$IPTABLES -p tcp --dport 6667 -j MARK --set-mark 7
$IPTABLES -p tcp --dport 6667 -j RETURN
$IPTABLES -p tcp --dport 53 -j MARK --set-mark 7
$IPTABLES -p tcp --dport 53 -j RETURN
$IPTABLES -p udp --dport 53 -j MARK --set-mark 7
$IPTABLES -p udp --dport 53 -j RETURN

# 30% class
$IPTABLES -p tcp -m multiport --dport 20,21,25,80,443,995 -j MARK --set-mark 3
$IPTABLES -p tcp -m multiport --dport 20,21,25,80,443,995 -j RETURN

# Lan class
$IPTABLES -d 192.168.1.0/24 -j MARK --set-mark 100
$IPTABLES -d 192.168.1.0/24 -j RETURN

# anything else
$IPTABLES -j MARK --set-mark 2

(I changed the default "quantum" values because I got messages "HTB: quantum of class 10001 is big/small. Consider r2q change." but my tc didn't accept r2q as a parameter.)

I have tested that different packets get different marks (with iptables -v -t mangle -L) and also that they go to the different classes (with tc -s -d class show dev eth2), so I guess my rules are correct. However, I put a large file to download in order to test, and during the download I get 1500-2500ms ping times. Should the icmp packets not be of greater priority than the ftp packets? Is there something wrong with my script?

Thank you for your time.

From register at flintz.de Wed Dec 6 23:19:35 2006
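Both Nataniel's per-client classes under 1:2 in the earlier message and the "HTB: quantum of class 10001 is big/small" warning in the config above come down to arithmetic HTB does at class-creation time. The Python below is an added example (not code from either poster) that reads full `tc class add ... htb` lines, constructed here from the two configurations above (the `$CLASS` alias expanded, and the `$[...]` expressions evaluated to 204, 142, 61 and 40 kbit), and reports three things: children whose guaranteed rates add up to more than the parent's rate, a child ceil above the parent's ceil, and the leaf quantum the kernel derives as rate in bytes/s divided by r2q, which it clamps to the range 1000..200000 bytes with the "Consider r2q change" warning whenever no explicit `quantum` was given. The bounds and the default r2q of 10 are the ones in sch_htb.c; every class is a leaf at the moment it is created, which is why the warning names 10001 (class 1:1) even though 1:1 later gets children. The client_classes helper reproduces the shape of the banda.dl loop for a chosen number of hosts.

```python
"""Sanity checks on 'tc class add ... htb' lines: added example, not list code."""
import re
from collections import defaultdict

# tc's rate units: decimal multiples for *bit, bytes per second for *bps.
_UNITS = {"bit": 1, "kbit": 1_000, "mbit": 1_000_000, "gbit": 1_000_000_000,
          "bps": 8, "kbps": 8_000, "mbps": 8_000_000, "gbps": 8_000_000_000}

# Leaf-quantum bounds and default r2q from sch_htb.c: outside the bounds the
# kernel logs "HTB: quantum of class X is small/big. Consider r2q change."
QUANTUM_MIN, QUANTUM_MAX, DEFAULT_R2Q = 1000, 200000, 10

_CLASS_RE = re.compile(
    r"tc\s+class\s+add\s+dev\s+(\S+)\s+parent\s+(\S+)\s+classid\s+(\S+)\s+htb\s+(.*)")


def parse_rate(text):
    """'128Kbit' -> 128000 bit/s; unit matching is case-insensitive like tc's."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([A-Za-z]*)", text)
    if not m:
        raise ValueError(f"bad rate: {text!r}")
    number, unit = m.groups()
    return int(float(number) * _UNITS[unit.lower() or "bit"])


def parse_classes(lines):
    """Map (dev, classid) -> {parent, rate, ceil, quantum}; comments are skipped."""
    classes = {}
    for line in lines:
        s = line.strip()
        m = _CLASS_RE.search(s)
        if not s or s.startswith("#") or not m:
            continue
        dev, parent, cid, rest = m.groups()
        toks = rest.split()
        opts = dict(zip(toks[::2], toks[1::2]))  # htb options are key/value pairs
        classes[(dev, cid)] = {
            "parent": parent,
            "rate": parse_rate(opts["rate"]),
            "ceil": parse_rate(opts.get("ceil", opts["rate"])),  # ceil defaults to rate
            "quantum": int(opts["quantum"]) if "quantum" in opts else None,
        }
    return classes


def leaf_quantum(rate_bits, r2q=DEFAULT_R2Q, explicit=None):
    """(quantum_bytes, verdict) as htb_change_class derives it: rate in bytes/s
    divided by r2q, clamped with a warning unless 'quantum' was given."""
    if explicit is not None:
        return explicit, "ok"
    q = (rate_bits // 8) // r2q
    if q < QUANTUM_MIN:
        return QUANTUM_MIN, "small"
    if q > QUANTUM_MAX:
        return QUANTUM_MAX, "big"
    return q, "ok"


def check_htb(classes, r2q=DEFAULT_R2Q):
    """List of (kind, dev, classid, message) findings."""
    findings = []
    children = defaultdict(list)
    for (dev, cid), c in classes.items():
        children[(dev, c["parent"])].append(cid)
    for (dev, pid), kids in children.items():
        parent = classes.get((dev, pid))
        if parent is None:          # parent is the root qdisc handle, e.g. '1:'
            continue
        guaranteed = sum(classes[(dev, k)]["rate"] for k in kids)
        if guaranteed > parent["rate"]:
            findings.append(("oversubscribed", dev, pid,
                             f"children guarantee {guaranteed} bit/s, parent rate {parent['rate']}"))
        for k in kids:
            if classes[(dev, k)]["ceil"] > parent["ceil"]:
                findings.append(("ceil", dev, k, f"ceil exceeds parent {pid} ceil"))
    # Every class is a leaf at the moment it is created, so the kernel applies
    # the quantum check to all of them (hence the warning for 10001 == 1:1).
    for (dev, cid), c in classes.items():
        q, verdict = leaf_quantum(c["rate"], r2q, c["quantum"])
        if verdict != "ok":
            findings.append(("quantum", dev, cid, f"quantum {q} is {verdict}, consider r2q change"))
    return findings


def client_classes(dev, parent, hosts, rate="32Kbit", first_id=100):
    """Same shape as the banda.dl loop: one rate==ceil class per host (constructed)."""
    return [f"tc class add dev {dev} parent {parent} classid 1:{first_id + i} "
            f"htb rate {rate} ceil {rate}" for i in range(hosts)]


# Constructed from the eth2 classes in the CNett script, $CLASS alias expanded.
CN_CLASSES = """
tc class add dev eth2 parent 1: classid 1:1 htb rate 100Mbit
tc class add dev eth2 parent 1:1 classid 1:5 htb rate 100Mbit ceil 100Mbit
tc class add dev eth2 parent 1: classid 1:2 htb rate 972Kbit
tc class add dev eth2 parent 1:2 classid 1:10 htb rate 128Kbit ceil 256Kbit prio 0
tc class add dev eth2 parent 1:2 classid 1:20 htb rate 512Kbit ceil 768Kbit prio 0
tc class add dev eth2 parent 1:2 classid 1:30 htb rate 128Kbit ceil 512Kbit prio 1
tc class add dev eth2 parent 1:2 classid 1:40 htb rate 204Kbit ceil 512Kbit
""".splitlines()

# Constructed from the ADSL config with its $[...] arithmetic evaluated (256 -> 204/142/61/40).
ADSL_CLASSES = """
tc class add dev eth2 parent 1: classid 1:1 htb rate 100mbit
tc class add dev eth2 parent 1:1 classid 1:100 htb rate 100mbit quantum 100000
tc class add dev eth2 parent 1:1 classid 1:3 htb rate 204kbit
tc class add dev eth2 parent 1:3 classid 1:70 htb rate 142kbit ceil 204kbit prio 1
tc class add dev eth2 parent 1:3 classid 1:30 htb rate 61kbit ceil 204kbit prio 2 quantum 1200
tc class add dev eth2 parent 1:3 classid 1:20 htb rate 40kbit ceil 204kbit prio 3 quantum 1200
""".splitlines()

if __name__ == "__main__":
    for name, lines in (("cnett", CN_CLASSES),
                        ("cnett+10 clients", CN_CLASSES + client_classes("eth2", "1:2", 10)),
                        ("adsl", ADSL_CLASSES)):
        for kind, dev, cid, msg in check_htb(parse_classes(lines)):
            print(f"{name}: {dev} {cid} {kind}: {msg}")
```

On the CNett classes the four leaves under 1:2 sum to exactly 972 Kbit, so the only findings are the quantum warnings for the two 100 Mbit classes; each 32 Kbit client class added under the same parent pushes the guaranteed total past 972 Kbit, and since a packet can land in only one leaf, a host matched into a 1:1xx class by destination address is no longer subject to the 1:10-1:40 port classes at all. On the ADSL config the 70/30/20 split is 120% of 1:3's rate, and 1:100 plus 1:3 together exceed the 100 mbit of 1:1; HTB does not refuse either, it just cannot honour every guarantee at once.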
From: register at flintz.de (FB)
Date: Wed Dec 6 23:19:43 2006
Subject: [LARTC] Iptables matching on IFB
Message-ID: <20061206232015.0eb3201b@tresor>

Hey folks,

I stumbled across the Mastershaper project ( http://www.mastershaper.org/ ) but I have a little problem: I wanted to shape the traffic coming from the router itself as well as coming from the LAN behind the router; for that task I need IMQ, but with IMQ iptables (layer7) matching is not possible. Now I've talked with the programmer and he said the following:

>The problem is not only MasterShaper - it's simply that iptables can't
>match on IMQ interfaces directly. The only way would be to MARK packets
>before and then match with tc-filter on the IMQ interfaces. But this
>means that two subsystems handle packets and I think this will cause
>much more overhead.
>
>Perhaps you can try if iptables is able to match on IFB interfaces
>which are already included since some kernel versions and let me know.
>If it works I will try to implement this in MS.
>
>Cheers,
>Unki

So, does anyone of you know if iptables matching is possible on an IFB interface? I would try it myself but sadly I can't experiment with my router currently :-(

Thanks in advance for any help

-FB

From marek at piasta.pl Thu Dec 7 00:08:03 2006
From: marek at piasta.pl (Marek Kierdelewicz)
Date: Wed Dec 6 23:53:33 2006
Subject: [LARTC] Iptables matching on IFB
In-Reply-To: <20061206232015.0eb3201b@tresor>
References: <20061206232015.0eb3201b@tresor>
Message-ID: <20061207000803.6cabb2a0@localhost>

> Hey folks,

Hi!

> So, does anyone of you know if iptables matching is possible on an
> IFB interface? I would try it myself but sadly I can't experiment
> with my router currently :-(

As far as I know IFB doesn't have any netfilter hooks and you can't use it in netfilter. You can however match incoming traffic using tc (u32 filter) and use actions (available in 2.6 kernels) to mark (fwmark)/police/redirect traffic.

Hope that helps.

regards
--
Marek Kierdelewicz
Network Department Manager, KoBa
tel. (85) 7406466; fax. (85) 7406467
e-mail: admin@koba.pl

From s.cramatte at wanadoo.fr Thu Dec 7 01:52:53 2006
From: s.cramatte at wanadoo.fr (Sébastien CRAMATTE)
Date: Thu Dec 7 01:52:58 2006
Subject: [LARTC] IFB on 2.6.18.3 ...
In-Reply-To: <20061206232015.0eb3201b@tresor>
References: <20061206232015.0eb3201b@tresor>
Message-ID: <457765E5.5070801@wanadoo.fr>

Hello

I've got a 2.6.18.3 kernel and I am looking for the options I should activate for IFB support.

Regards

From Покотиленко Thu Dec 7 10:40:10 2006
From: Покотиленко (Покотиленко)
Date: Thu Dec 7 10:39:47 2006
Subject: [LARTC] iptables -m dstlimit
Message-ID: <1165484410.3874.5.camel@localhost.localdomain>

Which kernel supports iptables' -m dstlimit? Do I need a patch or something else to get it to work? Is it too experimental?

From kajtek at biezanow.net Thu Dec 7 11:09:25 2006
From: kajtek at biezanow.net (Kajetan Staszkiewicz)
Date: Thu Dec 7 11:09:41 2006
Subject: [LARTC] iptables -m dstlimit
In-Reply-To: <1165484410.3874.5.camel@localhost.localdomain>
References: <1165484410.3874.5.camel@localhost.localdomain>
Message-ID: <200612071109.29168.kajtek@biezanow.net>

On Thursday, 7 December 2006 10:40, Покотиленко wrote:
> Which kernel supports the iptables' -m dstlimit?
> Do I need a patch or something else to get it to work?
> Is it too experimental?

Now it is called hashlimit; it is in new 2.6 kernels already.

--
| pozdrawiam / greetings | powered by Trustix, Gentoo and FreeBSD   |
| Kajetan Staszkiewicz   | jabber,email,www: vegeta()tuxpowered net |
| Vegeta                 | IMQ devnames: http://tuxpowered.net      |
`------------------------^------------------------------------------'

From pupilla at hotmail.com Thu Dec 7 11:11:32 2006
From: pupilla at hotmail.com (Marco Berizzi)
Date: Thu Dec 7 11:12:08 2006
Subject: [LARTC] IFB on 2.6.18.3 ...
References: <20061206232015.0eb3201b@tresor> <457765E5.5070801@wanadoo.fr>
Message-ID:

> I've got a 2.6.18.3 kernel and I search which options I should activate
> for IFB support
> Regards

Device Drivers --->
  Network device support --->
    [*] Network device support
        Intermediate Functional Block support

Of course, it also depends on 'QoS and/or fair queueing' under 'networking options'. For other info see also 'doc/actions' in the iproute2 source tarball.

From Покотиленко Thu Dec 7 12:17:58 2006
From: Покотиленко (Покотиленко)
Date: Thu Dec 7 12:17:30 2006
Subject: [LARTC] iptables -m dstlimit
In-Reply-To: <200612071109.29168.kajtek@biezanow.net>
References: <1165484410.3874.5.camel@localhost.localdomain> <200612071109.29168.kajtek@biezanow.net>
Message-ID: <1165490278.3874.8.camel@localhost.localdomain>

On Thu, 07/12/2006 at 11:09 +0100, Kajetan Staszkiewicz wrote:
> On Thursday, 7 December 2006 10:40, Покотиленко wrote:
>
> > Which kernel supports the iptables' -m dstlimit?
> > Do I need a patch or something else to get it to work?
> > Is it too experimental?
>
> Now it is called hashlimit, it is in new 2.6 kernels already.

Thanks for the explanation. I don't have ipt_hashlimit.ko in 2.6.8, but I have one in 2.6.17. Will check later.

From s.cramatte at wanadoo.fr Thu Dec 7 13:11:10 2006
From: s.cramatte at wanadoo.fr (Sébastien CRAMATTE)
Date: Thu Dec 7 13:11:15 2006
Subject: [LARTC] Where can I find the ESFQ patch for a 2.6.18 kernel (fatooh.org is down?)
In-Reply-To:
References: <20061206232015.0eb3201b@tresor> <457765E5.5070801@wanadoo.fr>
Message-ID: <457804DE.1030706@wanadoo.fr>

Hello,

Where can I find the ESFQ patch for a 2.6.18 kernel...
http://fatooh.org/*esfq*-2.6/

seems to be down ....

From etg at setcom.bg Thu Dec 7 13:15:24 2006
From: etg at setcom.bg (Evgeni Gechev)
Date: Thu Dec 7 13:15:35 2006
Subject: [LARTC] Where can I find the ESFQ patch for a 2.6.18 kernel (fatooh.org is down?)
In-Reply-To: <457804DE.1030706@wanadoo.fr>
References: <20061206232015.0eb3201b@tresor> <457765E5.5070801@wanadoo.fr> <457804DE.1030706@wanadoo.fr>
Message-ID: <457805DC.6040809@setcom.bg>

Sébastien CRAMATTE wrote:
> Hello,
>
> Where can I find the ESFQ patch for a 2.6.18 kernel...
> http://fatooh.org/*esfq*-2.6/
>
> seems to be down ....
>

http://www.abclinuxu.cz/blog/mirek/2006/11/10/157349

From s.cramatte at wanadoo.fr Thu Dec 7 14:57:10 2006
From: s.cramatte at wanadoo.fr (Sébastien CRAMATTE)
Date: Thu Dec 7 14:57:16 2006
Subject: [LARTC] Where can I find the ESFQ patch for a 2.6.18 kernel (fatooh.org is down?)
In-Reply-To: <457805DC.6040809@setcom.bg>
References: <20061206232015.0eb3201b@tresor> <457765E5.5070801@wanadoo.fr> <457804DE.1030706@wanadoo.fr> <457805DC.6040809@setcom.bg>
Message-ID: <45781DB6.3020300@wanadoo.fr>

Evgeni Gechev wrote:
> Sébastien CRAMATTE wrote:
>> Hello,
>>
>> Where can I find the ESFQ patch for a 2.6.18 kernel...
>> http://fatooh.org/*esfq*-2.6/
>>
>> seems to be down ....
>>
> http://www.abclinuxu.cz/blog/mirek/2006/11/10/157349
>
>

Thanks a lot. I've tried to download the NF-HIPAC patch too, but it tells me that I must be registered, and I don't understand Czech :( ...

Regards

From koffiejunkielistlurker at koffiejunkie.za.net Thu Dec 7 20:45:24 2006
From: koffiejunkielistlurker at koffiejunkie.za.net (Hans du Plooy)
Date: Thu Dec 7 20:44:57 2006
Subject: [LARTC] Somewhat basic routing question
Message-ID: <1165520724.5675.25.camel@theluggage.hansdp.za.net>

Hi guys,

I realise this is probably more basic than what this list is intended for, but I had no luck elsewhere.

Short version:

I have previously used these lines on a server with two network interfaces, two public IPs, and one common default gateway, to make sure that connections coming into eth1 are replied to via the same interface. eth0 is 196.xx.xx.35, eth1 is 196.xx.xx.54, gateway is 196.xx.xx.1:

ip rule add from 196.xx.xx.54 table eth1 prio 3000
ip route add table eth1 via 196.xx.xx.1 dev eth1

Will this work with two network cards, two private IPs, and two gateways in the same IP range? eth0 192.168.1.18 with gw 192.168.1.6 and eth1 192.168.1.17 with gw 192.168.1.1. The two gateways are NAT-ing firewalls; will this make a difference?

Thanks
Hans

Long version:

I have a mail server (receiving only) on a network with two NAT-ing firewalls, all in the same range. It looks like this:

             +-------------+
Internet --- | Firewall    |
             | 192.168.1.6 |
             +-------------+
                    |
             +--------------+
             | 192.168.1.18 |
             |     Mail     |
             | 192.168.1.17 |
             +--------------+
                    |
             +--------------+
Internet --- | Firewall     |
             | 192.168.1.1  |
             +--------------+

The first firewall forwards incoming connections on port 25 to 192.168.1.17, while the second firewall forwards port 25 to 192.168.1.18. My requirement is simple. Connections need to go out via the interface that they came in on. Right now the box replies via 192.168.1.6 (the default gw) regardless of where the connection came in. I also have only remote access, so I can't afford to mess up :-)

Thanks
Hans

From koffiejunkielistlurker at koffiejunkie.za.net Thu Dec 7 20:51:27 2006
From: koffiejunkielistlurker at koffiejunkie.za.net (Hans du Plooy)
Date: Thu Dec 7 20:50:59 2006
Subject: [LARTC] Somewhat basic routing question
In-Reply-To: <1165520724.5675.25.camel@theluggage.hansdp.za.net>
References: <1165520724.5675.25.camel@theluggage.hansdp.za.net>
Message-ID: <1165521087.5675.28.camel@theluggage.hansdp.za.net>

I somehow missed this: http://lartc.org/lartc.html#LARTC.RPDB.MULTIPLE-LINKS - looks like what I'm wanting. But it doesn't mention whether the providers are just routers or NAT-ing routers/firewalls. Will NAT have an impact?

Also, just to add to my original mail, the box in question is not a gateway; it doesn't provide connectivity to anyone. It's just a mail server that has to use the extra line to act as a backup MX.

Thanks
Hans

From fubar at us.ibm.com Thu Dec 7 22:46:11 2006
From: fubar at us.ibm.com (Jay Vosburgh)
Date: Thu Dec 7 22:48:16 2006
Subject: [LARTC] Somewhat basic routing question
In-Reply-To: <1165520724.5675.25.camel@theluggage.hansdp.za.net>
References: <1165520724.5675.25.camel@theluggage.hansdp.za.net>
Message-ID: <200612072146.kB7LkBgv020537@death.nxdomain.ibm.com>

Hans du Plooy wrote:
[...]
>Will this work with private two network cards, two private IPs, and two
>gateways in the same IP range? eth0 192.168.1.18 with gw 192.168.1.6
>and eth1 192.168.1.17 with gw 192.168.1.1. The two gateways are NAT-ing
>firewalls, will this make a difference?

I don't know if the NAT business will make a difference, but I've set up multiple-network multiple-gateway configurations more or less like this (substituting your own network values):

Configure with policy routes such that responses to inbound traffic for the respective interfaces are routed back out over the same interface. For example:

ip rule add from 10.176.13/24 table 50
ip rule add from 10.176.14/24 table 60

For your purposes, "ip rule add iif ethX" may work better (since the network match won't necessarily segregate anything, as both of your interfaces are on the same network).

ip route add table 50 10.176.13/24 dev ethX src 10.176.13.x
ip route add table 50 default dev ethX src 10.176.13.x via 10.176.13.1

Where 10.176.13.1 is the gateway for that particular network (or interface, in your case), and 10.176.13.x is the host's IP address on that network.

The other network, 10.176.14/24 on table 60 in this example, is configured similarly, but with the appropriate .14 network values.

A global default route can be left in the main routing table for traffic not originating inbound from 10.176.13 or 10.176.14 (or via the appropriate iif, depending on how you set it up).

I think you'd need to test a bit to check for the proper configuration, which may be hard via only remote access.
-J

---
-Jay Vosburgh, IBM Linux Technology Center, fubar@us.ibm.com

From bugfood-ml at fatooh.org Fri Dec 8 11:15:26 2006
From: bugfood-ml at fatooh.org (Corey Hickey)
Date: Fri Dec 8 11:15:42 2006
Subject: [LARTC] Where can I find the ESFQ patch for a 2.6.18 kernel (fatooh.org is down?)
In-Reply-To: <457804DE.1030706@wanadoo.fr>
References: <20061206232015.0eb3201b@tresor> <457765E5.5070801@wanadoo.fr> <457804DE.1030706@wanadoo.fr>
Message-ID: <45793B3E.2070202@fatooh.org>

Sébastien CRAMATTE wrote:
> Hello,
>
> Where can I find the ESFQ patch for a 2.6.18 kernel...
> http://fatooh.org/*esfq*-2.6/
>
> seems to be down ....

You just got unlucky--last night I moved to a different server. As long as your DNS cache isn't completely stale, fatooh.org should be reachable now.

-Corey

From bugfood-ml at fatooh.org Fri Dec 8 11:22:04 2006
From: bugfood-ml at fatooh.org (Corey Hickey)
Date: Fri Dec 8 11:22:04 2006
Subject: [LARTC] Where can I find the ESFQ patch for a 2.6.18 kernel (fatooh.org is down?)
In-Reply-To: <45793B3E.2070202@fatooh.org>
References: <20061206232015.0eb3201b@tresor> <457765E5.5070801@wanadoo.fr> <457804DE.1030706@wanadoo.fr> <45793B3E.2070202@fatooh.org>
Message-ID: <45793CCC.3030908@fatooh.org>

Corey Hickey wrote:
> Sébastien CRAMATTE wrote:
>> Hello,
>>
>> Where can I find the ESFQ patch for a 2.6.18 kernel...
>> http://fatooh.org/*esfq*-2.6/
>>
>> seems to be down ....
>
> You just got unlucky--last night I moved to a different server. As long
> as your DNS cache isn't completely stale, fatooh.org should be reachable
> now.

Also, I guess I should mention that the URL doesn't have asterisks.

correct:   http://fatooh.org/esfq-2.6/
incorrect: http://fatooh.org/*esfq*-2.6/

I see a few recent requests for the wrong page in my apache log.

-Corey

From s.cramatte at wanadoo.fr Fri Dec 8 20:31:45 2006
From: s.cramatte at wanadoo.fr (Sébastien CRAMATTE)
Date: Fri Dec 8 20:31:52 2006
Subject: [LARTC] Is it possible to use HFSC with ESFQ?
In-Reply-To: <45793CCC.3030908@fatooh.org>
References: <20061206232015.0eb3201b@tresor> <457765E5.5070801@wanadoo.fr> <457804DE.1030706@wanadoo.fr> <45793B3E.2070202@fatooh.org> <45793CCC.3030908@fatooh.org>
Message-ID: <4579BDA1.7010704@wanadoo.fr>

Hello,

Is it possible to use HFSC with ESFQ? Where can I find more literature about ESFQ?

From fabricio.feijo at gmail.com Fri Dec 8 21:12:23 2006
From: fabricio.feijo at gmail.com (=?ISO-8859-1?Q?Fabr=EDcio_F._Feij=F3?=) Date: Fri Dec 8 21:12:28 2006 Subject: [LARTC] May problem with iproute2 nexthop? Message-ID: <8249921d0612081212j32efd138n38c1a1c031a1524b@mail.gmail.com> Hi, I am new in LARTC list. I had intermediate skills in networking. What I tried to do: Use 2 links with loadsharing + falt toletant (to add bandwitdh) ok ! I am use Debian Etch in router/fw With kernel debian default + routes-2.6.17-12.diff patch The Problem: The iproute2 just route thought the last gateway of nexthop rule. I was running tcpdump in 2 terminals, tcpdump -nni eth0 ... tcpdump -nni eth1 ... When the mark rule is set to --set-mark 0x1 they use eth0 When the mark rule is set to --set-mark 0x2 they use eth1 When the mark rule is set to --set-mark 0x3 they use the last gateway in rule with nexthop. exemple1: default proto static nexthop via 200.253.10.129 dev eth1 weight 1 nexthop via 201.49.17.1 dev eth0 weight 1 connections was sending through 201.49.17.1 eth0 exemple2: default proto static nexthop via 201.49.17.1 dev eth0 weight 1 nexthop via 200.253.10.129 dev eth1 weight 1 connections was sending through 200.253.10.129 eth1 But dont use both at the same time. Someone can help with this thread? 
My conf was based in http://www.ssi.bg/~ja/nano.txt article CSD0101LNX00F:~# uname -a Linux CSD0101LNX00F 2.6.17-2006-12-08 #1 Fri Dec 8 14:09:37 BRT 2006 i686 GNU/Linux CSD0101LNX00F:~# cat /etc/iproute2/rt_tables 255 local 254 main 253 default 0 unspec 200 router1 201 router2 202 router3 CSD0101LNX00F:~# ip route 200.253.10.128/26 dev eth1 proto kernel scope link src 200.253.10.137 201.49.17.0/25 dev eth0 proto kernel scope link src 201.49.17.50 10.0.0.0/22 dev eth3 proto kernel scope link src 10.0.0.1 172.31.0.0/22 dev eth2 proto kernel scope link src 172.31.0.175 CSD0101LNX00F:~# ip route show table router1 201.49.17.50 via 201.49.17.1 dev eth0 200.253.10.128/26 dev eth1 proto kernel scope link src 200.253.10.137 201.49.17.0/25 dev eth0 proto kernel scope link src 201.49.17.50 10.0.0.0/22 dev eth3 proto kernel scope link src 10.0.0.1 172.31.0.0/22 dev eth2 proto kernel scope link src 172.31.0.175 default via 201.49.17.1 dev eth0 CSD0101LNX00F:~# ip route show table router2 200.253.10.137 via 200.253.10.129 dev eth1 200.253.10.128/26 dev eth1 proto kernel scope link src 200.253.10.137 201.49.17.0/25 dev eth0 proto kernel scope link src 201.49.17.50 10.0.0.0/22 dev eth3 proto kernel scope link src 10.0.0.1 172.31.0.0/22 dev eth2 proto kernel scope link src 172.31.0.175 default via 200.253.10.129 dev eth1 CSD0101LNX00F:~# ip route show table router3 default proto static nexthop via 200.253.10.129 dev eth1 weight 1 nexthop via 201.49.17.1 dev eth0 weight 1 CSD0101LNX00F:~# ip rule 0: from all lookup 255 25: from all fwmark 0x3 lookup router3 26: from 201.49.17.50 lookup router1 27: from 200.253.10.137 lookup router2 29: from all fwmark 0x1 lookup router1 30: from all fwmark 0x2 lookup router2 32766: from all lookup main 32767: from all lookup default Iptables Mark rule: CSD0101LNX00F:~# iptables-save |grep MARK -A PREROUTING -i eth2 -j MARK --set-mark 0x3 Iptables NAT rules: CSD0101LNX00F:~# iptables-save |grep POSTROUTING :POSTROUTING ACCEPT [55:4157] -A 
POSTROUTING -s 172.31.0.0/255.255.252.0 -o eth0 -j MASQUERADE -A POSTROUTING -s 172.31.0.0/255.255.252.0 -o eth1 -j SNAT --to-source 200.253.10.137 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20061208/4b6dc35c/attachment.htm From vytautas at pelikanas.ktu.lt Sat Dec 9 00:56:43 2006 From: vytautas at pelikanas.ktu.lt (Vytautas Krakauskas) Date: Sat Dec 9 00:56:55 2006 Subject: [LARTC] ipp2p 0.8.2 fix for iptables 1.3.6 Message-ID: <4579FBBB.2000503@pelikanas.ktu.lt> There are some problems with iptables 1.3.6 loading ipp2p dynamic library libipt_ipp2p.so. One would usually get error like this: # iptables -m ipp2p -h iptables v1.3.6: X Couldn't load match `ipp2p' Solution is to use gcc instead of ld to create the library. It worked for me on Debian Sarge, but maybe someone else could try on other distributions? -- Vytautas -------------- next part -------------- --- ipp2p-0.8.2/Makefile 2006-12-09 03:17:52.000000000 +0200 +++ ipp2p-0.8.2-fix/Makefile 2006-12-09 03:10:37.000000000 +0200 @@ -64,7 +64,7 @@ libipt_ipp2p.so: libipt_ipp2p.c ipt_ipp2p.h $(CC) $(CFLAGS) $(IPTABLES_OPTION) $(IPTABLES_INCLUDE) -fPIC -c libipt_ipp2p.c - ld -shared -o libipt_ipp2p.so libipt_ipp2p.o + $(CC) -shared -o libipt_ipp2p.so libipt_ipp2p.o clean: -rm -f *.o *.so *.ko .*.cmd *.mod.c From hardwyrd at gmail.com Sat Dec 9 02:38:15 2006 
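Review bot: the new link line `$(CC) -shared -o libipt_ipp2p.so libipt_ipp2p.o` fixes the `Couldn't load match 'ipp2p'` failure for a reason the Makefile should record in a comment, because it is not obvious from the one-word change: calling `ld -shared` directly produces a shared object without the default libraries and start/end objects that the compiler driver adds, whereas `$(CC) -shared` links them in, so the resulting `.so` carries the runtime dependencies the host program expects when it loads the library. One further suggestion for the same line: pass `$(CFLAGS)` at link time as the compile rule just above does (`$(CC) $(CFLAGS) -shared -o libipt_ipp2p.so libipt_ipp2p.o`), so that any target-selection flags in CFLAGS apply to both steps.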
From: hardwyrd at gmail.com (hard wyrd) Date: Sat Dec 9 02:38:25 2006 Subject: [LARTC] High Availability and Load Balancing Message-ID: <1fa3b300612081738w2496967ra2999af6fe352519@mail.gmail.com> Hi All, I am currently researching on doing high availability and load balancing with a couple of Linux servers, most specifically doing service takeover on top of Heartbeat. The scenario is: - 2 DSL lines from a single provider - 1 Broadband line from another provider

                   Internet
                  /    |    \
                 |     |     |
                /      |      \
               |       |       |
              /        |        \
           Line1     Line2     Line3
           SRV1--------- SRV2----------SRV3
             |    HB1     |     HB2     |
             |            |             |
          ___\____________|____________/_____
         |              L A N               |
         |__________________________________|

Servers : SRV1, SRV2, SRV3 Heartbeat lines: HB1, HB2 The aim would be if any line slows down or goes down, the other remaining server or servers will provide the internet connection automatically. Is the diagram correct and is it possible? Or do you have any suggestions or a better way to approach this? Are there any other components aside from the Linux kernel and Heartbeat that will be required? Is there a particular Linux kernel that might be required to do this application? I would certainly appreciate your inputs. I am still very relatively new to implementing high availability on Linux. I would also really appreciate it if you can provide steps that might be able to let me fast track my experimentation. Thanks for your help and best regards! -- "A dog that has no bite, barks loudest." Registered Linux User #400165 Subscribed to: LARTC, Open-ITLUG, PRUG, KLUG, sybase.public.ase.linux From bugfood-ml at fatooh.org Sat Dec 9 03:29:20 2006
From: bugfood-ml at fatooh.org (Corey Hickey) Date: Sat Dec 9 03:29:25 2006 Subject: [LARTC] Re: Does it possible to use HSFC with ESFQ ? In-Reply-To: <4579BDA1.7010704@wanadoo.fr> References: <20061206232015.0eb3201b@tresor> <457765E5.5070801@wanadoo.fr> <457804DE.1030706@wanadoo.fr> <45793B3E.2070202@fatooh.org> <45793CCC.3030908@fatooh.org> <4579BDA1.7010704@wanadoo.fr> Message-ID: <457A1F80.4070401@fatooh.org> Sébastien CRAMATTE wrote: > Hello, > > Is it possible to use HFSC with ESFQ? I suppose so, since HFSC appears to be a classful queueing discipline. I've never used HFSC myself--for lack of necessity, I've been out of touch with Linux traffic control progress in recent years. Try it yourself and see what happens. > Where can I find more literature about ESFQ? All I know about ESFQ is documented in the readme. http://fatooh.org/esfq-2.6/current/README For more information, read the source or search google for "stochastic fairness queueing". -Corey From s.cramatte at wanadoo.fr Sat Dec 9 21:04:15 2006
From: s.cramatte at wanadoo.fr (Sébastien CRAMATTE) Date: Sat Dec 9 21:04:36 2006 Subject: [LARTC] QOS schedule daywork/night rules ... Usefull ? In-Reply-To: <4579BDA1.7010704@wanadoo.fr> References: <20061206232015.0eb3201b@tresor> <457765E5.5070801@wanadoo.fr> <457804DE.1030706@wanadoo.fr> <45793B3E.2070202@fatooh.org> <45793CCC.3030908@fatooh.org> <4579BDA1.7010704@wanadoo.fr> Message-ID: <457B16BF.5040605@wanadoo.fr> Hello, Recently I've seen a QOS appliance based on Linux. This server includes lots of features, but looking closer I'm not sure that all of them are useful ... For example, this appliance allows setting up QOS rules according to a schedule: workday, weekend, night, ... This scheduler applies rules according to datetime periods. Do you think that is an interesting feature? Considering that we use here HTB, ESFQ with a minimum bandwidth, a maximum and a priority ... Regards From syncmaster4 at gmail.com Sun Dec 10 17:55:32 2006
From: syncmaster4 at gmail.com (syncmaster4) Date: Sun Dec 10 17:55:53 2006 Subject: [LARTC] traffic shaping vpn (GRE) traffic Message-ID: <8cf5f0480612100855k56470461hdac146e0f2db7757@mail.gmail.com> Looking for some advice from the experts out there. We do simple traffic shaping and I'm having trouble figuring out how to shape VPN traffic using a tc filter. The following filter works fine for SSH: tc filter add dev eth2 parent 1:0 protocol ip u32 match ip sport 22 0xffff classid 1:10 The following throws an "Illegal match" error when trying to filter GRE traffic: tc filter add dev eth2 parent 1:0 protocol ip u32 \ match ip protocol 47 0xff \ match ip u16 0x10 00ff at 24 \ classid 1:10 Any pointers are greatly appreciated! CentOS 4.4 - 2.6.9-42.0.3.ELsmp Thanks! Craig From pch at packetconsulting.pl Sun Dec 10 18:14:12 2006 From: pch at packetconsulting.pl (Piotr Chytla) Date: Sun Dec 10 18:17:18 2006 Subject: [LARTC] Where can I found ESFQ patch for a 2.6.18 kernel (fatooh.org is down ? ) In-Reply-To: <45781DB6.3020300@wanadoo.fr> References: <20061206232015.0eb3201b@tresor> <457765E5.5070801@wanadoo.fr> <457804DE.1030706@wanadoo.fr> <457805DC.6040809@setcom.bg> <45781DB6.3020300@wanadoo.fr> Message-ID: <20061210171412.GA27666@packetconsulting.pl> On Thu, Dec 07, 2006 at 02:57:10PM +0100, Sébastien CRAMATTE wrote: > I've tried to download the NF-HIPAC patch too but it tells me that I must be > registered and I don't understand Czech :( ... > nf-hipac for 2.6.17.x (may also work with 2.6.18) is here: http://thor.packetconsulting.pl/~pch/patches/nf-hipac-0.9.1-2.6.17.patch.gz /pch -- Dyslexia bug unpatched since 1977 ... exploit has been leaked to the underground. From s.cramatte at wanadoo.fr Mon Dec 11 02:59:40 2006
From: s.cramatte at wanadoo.fr (Sébastien CRAMATTE) Date: Mon Dec 11 02:59:55 2006 Subject: [LARTC] Does anyone have got an iproute2+esfq package for debian ? In-Reply-To: <45793B3E.2070202@fatooh.org> References: <20061206232015.0eb3201b@tresor> <457765E5.5070801@wanadoo.fr> <457804DE.1030706@wanadoo.fr> <45793B3E.2070202@fatooh.org> Message-ID: <457CBB8C.7020309@wanadoo.fr>

Does anyone have an iproute2+esfq package for Debian sarge? I've got many errors trying to build it from source ... I use Debian sarge 3.1 and gcc 3.3.5-3. I started by getting a recent iproute2 package from backports.org and esfq-iproute2.patch from fatooh.org:

#apt-get source iproute
#cd /usr/src/iproute-20061002

This command doesn't create the tc/q_esfq.c file:
#patch -p1 --dry-run < ../esfq-iproute2.patch

I must use:
#patch -p1 < ../esfq-iproute2.patch
patching file include/linux/pkt_sched.h
Hunk #1 succeeded at 579 (offset 433 lines).

Just after that, if I use "dpkg-buildpackage" or if I try ./configure and make, I obtain this:

#make
...
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -DCONFIG_GACT -DCONFIG_GACT_PROB -c -o q_esfq.o q_esfq.c
q_esfq.c: In function `esfq_parse_opt':
q_esfq.c:41: error: storage size of `opt' isn't known
q_esfq.c:45: error: `TCA_SFQ_HASH_CLASSIC' undeclared (first use in this function)
q_esfq.c:45: error: (Each undeclared identifier is reported only once
q_esfq.c:45: error: for each function it appears in.)
q_esfq.c:94: error: `TCA_SFQ_HASH_DST' undeclared (first use in this function)
q_esfq.c:97: error: `TCA_SFQ_HASH_SRC' undeclared (first use in this function)
q_esfq.c:100: error: `TCA_SFQ_HASH_FWMARK' undeclared (first use in this function)
q_esfq.c:103: error: `TCA_SFQ_HASH_DSTDIR' undeclared (first use in this function)
q_esfq.c:106: error: `TCA_SFQ_HASH_SRCDIR' undeclared (first use in this function)
q_esfq.c:109: error: `TCA_SFQ_HASH_FWMARKDIR' undeclared (first use in this function)
q_esfq.c:41: warning: unused variable `opt'
q_esfq.c: In function `esfq_print_opt':
q_esfq.c:140: error: dereferencing pointer to incomplete type
q_esfq.c:143: error: dereferencing pointer to incomplete type
q_esfq.c:146: error: dereferencing pointer to incomplete type
q_esfq.c:146: error: dereferencing pointer to incomplete type
q_esfq.c:146: error: dereferencing pointer to incomplete type
q_esfq.c:148: error: dereferencing pointer to incomplete type
q_esfq.c:149: error: dereferencing pointer to incomplete type
q_esfq.c:152: error: dereferencing pointer to incomplete type
q_esfq.c:154: error: `TCA_SFQ_HASH_CLASSIC' undeclared (first use in this function)
q_esfq.c:157: error: `TCA_SFQ_HASH_DST' undeclared (first use in this function)
q_esfq.c:160: error: `TCA_SFQ_HASH_SRC' undeclared (first use in this function)
q_esfq.c:163: error: `TCA_SFQ_HASH_FWMARK' undeclared (first use in this function)
q_esfq.c:166: error: `TCA_SFQ_HASH_DSTDIR' undeclared (first use in this function)
q_esfq.c:169: error: `TCA_SFQ_HASH_SRCDIR' undeclared (first use in this function)
q_esfq.c:172: error: `TCA_SFQ_HASH_FWMARKDIR' undeclared (first use in this function)
make[1]: *** [q_esfq.o] Error 1
make[1]: Leaving directory `/usr/src/iproute-20061002/tc'
make[1]: Entering directory `/usr/src/iproute-20061002/misc'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/usr/src/iproute-20061002/misc'
make[1]: Entering directory `/usr/src/iproute-20061002/netem'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/usr/src/iproute-20061002/netem'
make[1]: Entering directory `/usr/src/iproute-20061002/genl'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/usr/src/iproute-20061002/genl'
...

From s.cramatte at wanadoo.fr Mon Dec 11 03:05:56 2006
From: s.cramatte at wanadoo.fr (Sébastien CRAMATTE) Date: Mon Dec 11 03:06:07 2006 Subject: [LARTC] Does anyone have got an iproute2+esfq package for debian ? In-Reply-To: <457CBB8C.7020309@wanadoo.fr> References: <20061206232015.0eb3201b@tresor> <457765E5.5070801@wanadoo.fr> <457804DE.1030706@wanadoo.fr> <45793B3E.2070202@fatooh.org> <457CBB8C.7020309@wanadoo.fr> Message-ID: <457CBD04.5010804@wanadoo.fr>

Note: I use a 2.6.18.3 kernel with an ESFQ patch from http://www.abclinuxu.cz/blog/mirek/2006/11/10/157349 No hunks, the patch is applied correctly and I've built the kernel without problems.

Sébastien CRAMATTE wrote:
> Does anyone have an iproute2+esfq package for Debian sarge?
> I've got many errors trying to build it from source ...
>
> I use Debian sarge 3.1 and gcc 3.3.5-3
>
> I started by getting a recent iproute2 package from backports.org
> and esfq-iproute2.patch from fatooh.org
>
> #apt-get source iproute
> #cd /usr/src/iproute-20061002
>
> This command doesn't create the tc/q_esfq.c file:
> #patch -p1 --dry-run < ../esfq-iproute2.patch
>
> I must use:
> #patch -p1 < ../esfq-iproute2.patch
> patching file include/linux/pkt_sched.h
> Hunk #1 succeeded at 579 (offset 433 lines).
>
> Just after that, if I use "dpkg-buildpackage" or if I try ./configure
> and make, I obtain this:
>
> #make
> ...
> gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include
> -DRESOLVE_HOSTNAMES -DCONFIG_GACT -DCONFIG_GACT_PROB -c -o q_esfq.o
> q_esfq.c
> q_esfq.c: In function `esfq_parse_opt':
> q_esfq.c:41: error: storage size of `opt' isn't known
> q_esfq.c:45: error: `TCA_SFQ_HASH_CLASSIC' undeclared (first use in this function)
> q_esfq.c:45: error: (Each undeclared identifier is reported only once
> q_esfq.c:45: error: for each function it appears in.)
> q_esfq.c:94: error: `TCA_SFQ_HASH_DST' undeclared (first use in this function)
> q_esfq.c:97: error: `TCA_SFQ_HASH_SRC' undeclared (first use in this function)
> q_esfq.c:100: error: `TCA_SFQ_HASH_FWMARK' undeclared (first use in this function)
> q_esfq.c:103: error: `TCA_SFQ_HASH_DSTDIR' undeclared (first use in this function)
> q_esfq.c:106: error: `TCA_SFQ_HASH_SRCDIR' undeclared (first use in this function)
> q_esfq.c:109: error: `TCA_SFQ_HASH_FWMARKDIR' undeclared (first use in this function)
> q_esfq.c:41: warning: unused variable `opt'
> q_esfq.c: In function `esfq_print_opt':
> q_esfq.c:140: error: dereferencing pointer to incomplete type
> q_esfq.c:143: error: dereferencing pointer to incomplete type
> q_esfq.c:146: error: dereferencing pointer to incomplete type
> q_esfq.c:146: error: dereferencing pointer to incomplete type
> q_esfq.c:146: error: dereferencing pointer to incomplete type
> q_esfq.c:148: error: dereferencing pointer to incomplete type
> q_esfq.c:149: error: dereferencing pointer to incomplete type
> q_esfq.c:152: error: dereferencing pointer to incomplete type
> q_esfq.c:154: error: `TCA_SFQ_HASH_CLASSIC' undeclared (first use in this function)
> q_esfq.c:157: error: `TCA_SFQ_HASH_DST' undeclared (first use in this function)
> q_esfq.c:160: error: `TCA_SFQ_HASH_SRC' undeclared (first use in this function)
> q_esfq.c:163: error: `TCA_SFQ_HASH_FWMARK' undeclared (first use in this function)
> q_esfq.c:166: error: `TCA_SFQ_HASH_DSTDIR' undeclared (first use in this function)
> q_esfq.c:169: error: `TCA_SFQ_HASH_SRCDIR' undeclared (first use in this function)
> q_esfq.c:172: error: `TCA_SFQ_HASH_FWMARKDIR' undeclared (first use in this function)
> make[1]: *** [q_esfq.o] Error 1
> make[1]: Leaving directory `/usr/src/iproute-20061002/tc'
> make[1]: Entering directory `/usr/src/iproute-20061002/misc'
> make[1]: Nothing to be done for `all'.
> make[1]: Leaving directory `/usr/src/iproute-20061002/misc'
> make[1]: Entering directory `/usr/src/iproute-20061002/netem'
> make[1]: Nothing to be done for `all'.
> make[1]: Leaving directory `/usr/src/iproute-20061002/netem'
> make[1]: Entering directory `/usr/src/iproute-20061002/genl'
> make[1]: Nothing to be done for `all'.
> make[1]: Leaving directory `/usr/src/iproute-20061002/genl'
> ...
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

-- ZEN SOLUCIONES - Be in XForms take your "Concentré" Sébastien CRAMATTE C/ Alfonso X el Sabio, 29 30565 Las Torres de Cotillas (Murcia) ESPAÑA Mobile : +34 627 66 52 83 E-mail : scramatte@zensoluciones.com Site : www.zensoluciones.com Skype : scramatte Msn : scramatte@hotmail.com Jabber: scramatte@jabber.org VoIP: +33 1 7090 3413 -- CONCENTRÉ xml enterprise grade framework http://concentre.zensoluciones.com -- This e-mail is privileged and may contain confidential information intended only for the person(s) named above. If you receive this e-mail in error, please notify the sender immediately and delete it. E-mail and internet transmissions cannot guarantee privacy, integrity or correct reception. The sender will not be liable for any damages resulting. This message is addressed exclusively to its recipient and may contain confidential information. If you have received this message in error, inform the sender immediately and delete it. E-mail and Internet communications cannot guarantee the confidentiality of the messages transmitted, nor their integrity or correct reception. The sender assumes no responsibility for such circumstances. This message is intended exclusively for its recipient and may contain confidential information. If you receive such a message in error, inform the sender immediately and delete it. The confidentiality, integrity or correct reception of e-mail and Internet communications cannot be guaranteed. The sender cannot be held responsible for any resulting damage. From s.cramatte at wanadoo.fr Mon Dec 11 04:15:51 2006
From: s.cramatte at wanadoo.fr (Sébastien CRAMATTE) Date: Mon Dec 11 04:16:00 2006 Subject: [LARTC] QOS, Bridge and IMQ ? In-Reply-To: <457CBD04.5010804@wanadoo.fr> References: <20061206232015.0eb3201b@tresor> <457765E5.5070801@wanadoo.fr> <457804DE.1030706@wanadoo.fr> <45793B3E.2070202@fatooh.org> <457CBB8C.7020309@wanadoo.fr> <457CBD04.5010804@wanadoo.fr> Message-ID: <457CCD67.8080000@wanadoo.fr>

Hello, I am trying to set up QOS in a bridge context, but this is not very clear for me. So, assuming that:
eth1 = LAN
eth0 = INTERNET

br0       Link encap:Ethernet  HWaddr 00:30:48:87:99:28
          inet addr:xxx.xxx.xxx.xxx  Bcast:xxx.xxx.xxx.xxx  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5697373 errors:0 dropped:0 overruns:0 frame:0
          TX packets:164166 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:320113723 (305.2 MiB)  TX bytes:35162676 (33.5 MiB)

eth0      Link encap:Ethernet  HWaddr 00:30:48:87:99:28
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12797225 errors:0 dropped:0 overruns:0 frame:0
          TX packets:164149 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1045689736 (997.2 MiB)  TX bytes:35893643 (34.2 MiB)
          Base address:0xc000 Memory:f2000000-f2020000

eth1      Link encap:Ethernet  HWaddr 00:30:48:87:99:29
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Base address:0xd100 Memory:f1000000-f1020000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:20 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1480 (1.4 KiB)  TX bytes:1480 (1.4 KiB)

I've seen somewhere that eth0 and eth1 should be set in promisc mode and that the network script does this for me ... But in fact, I'm not sure that my eth0 and eth1 are in promisc mode ... For the outgoing traffic I've made an iptables user table to redirect outbound traffic. If I put eth0 instead of br0 as the outgoing interface, the traffic is not shaped ???

iptables -t mangle -N OUT
iptables -t mangle -A POSTROUTING -j LOG
iptables -t mangle -A POSTROUTING -o br0 -j OUT

In my log I've got this ...
Dec 11 04:07:02 gestor1 kernel: IN= OUT=br0 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx

Logically, due to the same problem, I can't do something like this to shape the inbound traffic:
#ip link set imq0 up
#iptables -t mangle -A POSTROUTING -o eth1 -j IMQ --todev 0

Regards, thanks for your help From s.cramatte at wanadoo.fr Mon Dec 11 04:34:06 2006
From: s.cramatte at wanadoo.fr (Sébastien CRAMATTE) Date: Mon Dec 11 04:34:12 2006 Subject: [MAYBE RESOLVED?] [LARTC] QOS, Bridge and IMQ ? In-Reply-To: <457CCD67.8080000@wanadoo.fr> References: <20061206232015.0eb3201b@tresor> <457765E5.5070801@wanadoo.fr> <457804DE.1030706@wanadoo.fr> <45793B3E.2070202@fatooh.org> <457CBB8C.7020309@wanadoo.fr> <457CBD04.5010804@wanadoo.fr> <457CCD67.8080000@wanadoo.fr> Message-ID: <457CD1AE.9010300@wanadoo.fr>

Well, I've read that with 2.6 I can use physdev:
iptables -t mangle -A POSTROUTING -o br0 -m physdev --physdev-out eth0 -j OUT

and surely this should work too, shouldn't it?
iptables -t mangle -A POSTROUTING -i br0 -m physdev --physdev-in eth1 -j IMQ --todev 0

Regards

Sébastien CRAMATTE wrote:
> Hello
>
> I am trying to set up QOS in a bridge context, but this is not very clear for me.
> So, assuming that:
> eth1 = LAN
> eth0 = INTERNET
>
> br0       Link encap:Ethernet  HWaddr 00:30:48:87:99:28
>           inet addr:xxx.xxx.xxx.xxx  Bcast:xxx.xxx.xxx.xxx  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:5697373 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:164166 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:320113723 (305.2 MiB)  TX bytes:35162676 (33.5 MiB)
>
> eth0      Link encap:Ethernet  HWaddr 00:30:48:87:99:28
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:12797225 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:164149 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           RX bytes:1045689736 (997.2 MiB)  TX bytes:35893643 (34.2 MiB)
>           Base address:0xc000 Memory:f2000000-f2020000
>
> eth1      Link encap:Ethernet  HWaddr 00:30:48:87:99:29
>           UP BROADCAST MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>           Base address:0xd100 Memory:f1000000-f1020000
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:20 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:1480 (1.4 KiB)  TX bytes:1480 (1.4 KiB)
>
> I've seen somewhere that eth0 and eth1 should be set in promisc mode and
> that the network script does this for me ...
> But in fact, I'm not sure that my eth0 and eth1 are in promisc mode ...
>
> For the outgoing traffic I've made an iptables user table to redirect outbound
> traffic. If I put eth0 instead of br0 as the outgoing interface, the traffic is not
> shaped ???
>
> iptables -t mangle -N OUT
> iptables -t mangle -A POSTROUTING -j LOG
> iptables -t mangle -A POSTROUTING -o br0 -j OUT
>
> In my log I've got this ...
>
> Dec 11 04:07:02 gestor1 kernel: IN= OUT=br0 SRC=xxx.xxx.xxx.xxx
> DST=xxx.xxx.xxx.xxx
>
> Logically, due to the same problem, I can't do something like this to
> shape the inbound traffic:
>
> #ip link set imq0 up
> #iptables -t mangle -A POSTROUTING -o eth1 -j IMQ --todev 0
>
> Regards
>
> Thanks for your help
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

-- Sébastien CRAMATTE From bugfood-ml at fatooh.org Mon Dec 11 05:24:48 2006
From: bugfood-ml at fatooh.org (Corey Hickey) Date: Mon Dec 11 05:24:55 2006 Subject: [LARTC] Does anyone have got an iproute2+esfq package for debian ? In-Reply-To: <457CBB8C.7020309@wanadoo.fr> References: <20061206232015.0eb3201b@tresor> <457765E5.5070801@wanadoo.fr> <457804DE.1030706@wanadoo.fr> <45793B3E.2070202@fatooh.org> <457CBB8C.7020309@wanadoo.fr> Message-ID: <457CDD90.8050508@fatooh.org> First of all, you have to understand that if you use the "reply" function of your email program, your message will be marked as a reply to the message you replied to. Changing the subject line doesn't make a difference. Unless you are actually replying to a message, you _must_ use your email program's "new message" function. Probably you don't see this effect because you're not using a threaded view to list your email messages, but it tends to annoy those of us who do. By now it's too late, but please remember next time you want to ask a question. Meanwhile... Sébastien CRAMATTE wrote: > Does anyone have an iproute2+esfq package for Debian sarge? > I've got many errors trying to build it from source ... > > I use Debian sarge 3.1 and gcc 3.3.5-3 > > I started by getting a recent iproute2 package from backports.org > and esfq-iproute2.patch from fatooh.org My ESFQ patches are created to work with the original source; distributions tend to modify the source of packages with their own customizations. In this case, it appears one of those customizations is incompatible. The latest iproute2 release with the latest ESFQ patch builds fine for me. http://linux-net.osdl.org/index.php/Iproute2 This section from the ESFQ README may be of use to you: You don't necessarily have to install the entire patched version of iproute2 if you don't want to (perhaps you would rather keep your distribution's package). All you need is the tc binary. # cp -p tc/tc /sbin/tc-esfq # chown root:root /sbin/tc-esfq Just modify your scripts to use /sbin/tc-esfq instead of /sbin/tc.
> #apt-get source iproute > #cd /usr/src/iproute-20061002 > > this command doesn't create tc/q_esfq.c file > #patch -p1 --dry-run < ../esfq-iproute2.patch Of course. That's the point of --dry-run: to see what errors might happen without screwing up a source tree by half-applying a broken or outdated patch. :) -Corey From umesh at websurfer.com.np Mon Dec 11 07:28:22 2006 From: umesh at websurfer.com.np (Umesh Upreti) Date: Mon Dec 11 07:29:00 2006 Subject: [LARTC] Policy routing in linux Message-ID: <20061211062850.948703FEB@outpost.ds9a.nl> Hello everybody, I am very much eager to know policy routing in linux . Can anyone help me. Regards, umesh -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20061211/dc1ad47b/attachment.htm From hijacker at oldum.net Mon Dec 11 10:00:51 2006 From: hijacker at oldum.net (Nikolay Kichukov) Date: Mon Dec 11 10:01:12 2006 Subject: [LARTC] Policy routing in linux In-Reply-To: <20061211062850.948703FEB@outpost.ds9a.nl> References: <20061211062850.948703FEB@outpost.ds9a.nl> Message-ID: <457D1E43.4000705@oldum.net> Hello Umesh, Try reading on the manuals on the web and then ask specific questions if you do not understand a given part. Maybe someone here will be able to provide more details on the subject then. Thanks, -Nik Umesh Upreti wrote: > Hello everybody, > I am very much eager to know policy routing in linux . > > Can anyone help me. > > > > Regards, > > umesh > > > ------------------------------------------------------------------------ > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc From hijacker at oldum.net Mon Dec 11 10:06:24 2006 
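Fabrício's rule and table listing earlier in this digest and Umesh's question just above come down to the same lookup order: `ip rule` entries are tried by ascending priority, a matching rule selects a table, the table answers with a longest-prefix match, and a rule whose table holds no route for the destination is skipped so the packet falls through to the next rule. The Python model below is an added example, not code from the list or from iproute2; it replays that order over a constructed copy of Fabrício's rules and tables (his addresses, devices and marks; the `local` table is a stand-in). The nexthop choice for the multipath route is a flow hash, an assumption for illustration only: what the real kernel of that era does with a two-nexthop default route is exactly the question his post raises.

```python
"""Model of Linux policy routing: 'ip rule' entries pick a table in priority
order, the table answers with a longest-prefix match, and a multipath route
still has to pick one nexthop. Added example; RULES and TABLES are a
constructed copy of the posted configuration, pick_nexthop() is an assumption."""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Nexthop:
    via: Optional[str]          # None for a directly connected route
    dev: str
    weight: int = 1


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    nexthops: list              # one entry normally, several for multipath


@dataclass
class Rule:
    prio: int
    table: str
    src: ipaddress.IPv4Network = ipaddress.ip_network("0.0.0.0/0")  # "from all"
    fwmark: Optional[int] = None    # None: the rule does not look at the mark


def route(prefix, *nexthops):
    return Route(ipaddress.ip_network(prefix), list(nexthops))


# the connected routes appear in every table the poster listed
CONNECTED = [
    route("200.253.10.128/26", Nexthop(None, "eth1")),
    route("201.49.17.0/25", Nexthop(None, "eth0")),
    route("10.0.0.0/22", Nexthop(None, "eth3")),
    route("172.31.0.0/22", Nexthop(None, "eth2")),
]
TABLES = {
    "local": [route("127.0.0.0/8", Nexthop(None, "lo"))],      # constructed stand-in
    "router1": [route("201.49.17.50/32", Nexthop("201.49.17.1", "eth0"))] + CONNECTED
               + [route("0.0.0.0/0", Nexthop("201.49.17.1", "eth0"))],
    "router2": [route("200.253.10.137/32", Nexthop("200.253.10.129", "eth1"))] + CONNECTED
               + [route("0.0.0.0/0", Nexthop("200.253.10.129", "eth1"))],
    "router3": [route("0.0.0.0/0", Nexthop("200.253.10.129", "eth1", 1),
                                   Nexthop("201.49.17.1", "eth0", 1))],
    "main": list(CONNECTED),                                    # no default route here
    "default": [],
}
RULES = sorted([
    Rule(0, "local"),
    Rule(25, "router3", fwmark=0x3),
    Rule(26, "router1", src=ipaddress.ip_network("201.49.17.50/32")),
    Rule(27, "router2", src=ipaddress.ip_network("200.253.10.137/32")),
    Rule(29, "router1", fwmark=0x1),
    Rule(30, "router2", fwmark=0x2),
    Rule(32766, "main"),
    Rule(32767, "default"),
], key=lambda r: r.prio)


def longest_prefix_match(table, dst):
    """Most specific route in `table` covering `dst`, or None."""
    best = None
    for r in TABLES[table]:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def lookup(src, dst, fwmark=0):
    """Walk RULES by priority. The first rule that matches the packet and whose
    table has a route for dst decides; a rule whose table has no such route is
    skipped, which is how a packet falls through to 'main'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in RULES:
        if src not in rule.src or (rule.fwmark is not None and rule.fwmark != fwmark):
            continue
        r = longest_prefix_match(rule.table, dst)
        if r is not None:
            return rule.prio, rule.table, r
    return None                                     # unroutable


def pick_nexthop(r, flow_key):
    """Weighted choice among r.nexthops keyed by a hash of the flow: one flow
    sticks to one gateway, different flows spread over both. Assumption for
    illustration, not the kernel's algorithm."""
    total = sum(n.weight for n in r.nexthops)
    slot = int.from_bytes(hashlib.sha256(flow_key.encode()).digest()[:4], "big") % total
    for n in r.nexthops:
        slot -= n.weight
        if slot < 0:
            return n
    raise AssertionError("weights exhausted")
```

Two things the model makes visible in that configuration, both worth checking with `ip route get` before blaming multipath: an unmarked packet from the 10.0.0.0/22 side falls through every rule to `main`, which carries no default route, so it has nowhere to go; and a marked packet addressed to 10.0.0.0/22 is caught by rule 25 and answered by `router3`, whose only route is the default, so it would leave by an uplink instead of eth3.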
From: hijacker at oldum.net (Nikolay Kichukov) Date: Mon Dec 11 10:06:43 2006 Subject: [LARTC] traffic shaping vpn (GRE) traffic In-Reply-To: <8cf5f0480612100855k56470461hdac146e0f2db7757@mail.gmail.com> References: <8cf5f0480612100855k56470461hdac146e0f2db7757@mail.gmail.com> Message-ID: <457D1F90.5070704@oldum.net> Hello syncmaster4, I am not much of a routing expert myself, but if you are getting the Illegal match error message, try looking in the command syntax or the kernel config to check if you compiled all the necessary modules for the command you are using. Have you got support for protocol 47? Just guessing here. -Nik syncmaster4 wrote: > Looking for some advice from the experts out there. > > We do simple traffic shaping and I'm having trouble figuring out how to > shape VPN traffic using a tc filter. > > The following filter works fine for SSH > tc filter add dev eth2 parent 1:0 protocol ip u32 match ip sport 22 > 0xffff classid 1:10 > > The following throws an "Illegal match" error when trying to filter GRE > traffic. > tc filter add dev eth2 parent 1:0 protocol ip u32 \ > match ip protocol 47 0xff \ > match ip u16 0x10 00ff at 24 \ > classid 1:10 > > Any pointers are greatly appreciated! > > CentOS 4.4 - 2.6.9-42.0.3.ELsmp > > Thanks! > Craig > > > ------------------------------------------------------------------------ > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc From indunil75 at gmail.com Mon Dec 11 12:07:32 2006
From: indunil75 at gmail.com (Indunil Jayasooriya)
Date: Mon Dec 11 12:07:44 2006
Subject: [LARTC] policy - routing
Message-ID: <7ed6b0aa0612110307g6464a5b3pfa9934ac9b378f4@mail.gmail.com>

http://tldp.org/HOWTO/Adv-Routing-HOWTO/
http://www.debian-administration.org/articles/379

--
Thank you
Indunil Jayasooriya

From pupilla at hotmail.com Mon Dec 11 12:15:45 2006
From: pupilla at hotmail.com (Marco Berizzi)
Date: Mon Dec 11 12:16:19 2006
Subject: [LARTC] load balacing with https home banking
Message-ID:

Hello everybody.

I'm running linux 2.6.19 with nth match to alternatively snat outgoing connections to two different ip addresses for load balancing between two adsl lines. Here is:

$IPTABLES -t nat -A POSTROUTING -s my_ip --protocol tcp -m multiport --dports 80,443 -m statistic --mode nth --every 2 -j SNAT --to adslA
$IPTABLES -t nat -A POSTROUTING -s my_ip --protocol tcp -m multiport --dports 80,443 -j SNAT --to adslB

Things are working pretty well, but some applications (https home banking for example) don't work correctly (because the remote server sees two different ip addresses). Is there any trick to tell iptables to snat always with the same source ip for the same destination host? I have also modified SNAT with SAME, but no luck.

TIA

From hijacker at oldum.net Mon Dec 11 19:04:14 2006
From: hijacker at oldum.net (Nikolay Kichukov)
Date: Mon Dec 11 19:04:24 2006
Subject: [LARTC] traffic shaping vpn (GRE) traffic
In-Reply-To: <8cf5f0480612110401o71ab6a13h9275745e339f478d@mail.gmail.com>
References: <8cf5f0480612100855k56470461hdac146e0f2db7757@mail.gmail.com> <457D1F90.5070704@oldum.net> <8cf5f0480612110401o71ab6a13h9275745e339f478d@mail.gmail.com>
Message-ID: <457D9D9E.1020308@oldum.net>

Hello Craig,

Is it a linux flavour specific kernel you are using? I guess there might be no tc support for the kind of match you are trying to do, but iptables support included. Those I presume might be different kernel options.

In the first place, if anyone can say if the syntax of the following command is okay, that would be the best choice:

tc filter add dev eth2 parent 1:0 protocol ip u32 \
    match ip protocol 47 0xff \
    match ip u16 0x10 00ff at 24 \
    classid 1:10

I am also CCing the LARTC list hoping anyone with more experience will know the answer.

-Nik

syncmaster4 wrote:
> Hi Nikolay,
>
> I am using the standard kernel but we are able to successfully allow GRE
> traffic through IPTABLES running on this same computer. So I am assuming we
> do have support for GRE since we are able to successfully NAT it.
>
> I am far from a kernel/iptables/tc expert so maybe my assumption is
> completely wrong...
>
> Thanks!
> Craig
>
> On 12/11/06, Nikolay Kichukov wrote:
>>
>> Hello syncmaster4,
>> I am not much of a routing expert myself, but if you are getting the
>> Illegal match error message, try looking in the command syntax or the
>> kernel config to check if you compiled all the necessary modules for the
>> command you are using.
>>
>> Have you got support for protocol 47? Just guessing here.
>>
>> -Nik
>>
>> syncmaster4 wrote:
>> > Looking for some advice from the experts out there.
>> >
>> > We do simple traffic shaping and I'm having trouble figuring out how to
>> > shape vpn traffic using a tc filter.
>> >
>> > The following filter works fine for SSH
>> > tc filter add dev eth2 parent 1:0 protocol ip u32 match ip sport 22 0xffff classid 1:10
>> >
>> > The following throws an "Illegal match" error when trying to filter GRE traffic.
>> > tc filter add dev eth2 parent 1:0 protocol ip u32 \
>> >     match ip protocol 47 0xff \
>> >     match ip u16 0x10 00ff at 24 \
>> >     classid 1:10
>> >
>> > Any pointers are greatly appreciated!
>> >
>> > CentOS 4.4 - 2.6.9-42.0.3.ELsmp
>> >
>> > Thanks!
>> > Craig

From Jon.J.Flechsenhaar at boeing.com Mon Dec 11 19:17:02 2006
From: Jon.J.Flechsenhaar at boeing.com (Flechsenhaar, Jon J)
Date: Mon Dec 11 19:17:19 2006
Subject: [LARTC] Limit pps not just bandwidth (kbps) on ingress
Message-ID: <0E24ED2A7F9AA349A8633E6A56A64BE0027A8163@XCH-SW-2V1.sw.nos.boeing.com>

I want to limit pps (packets per second), not just bandwidth, on the ingress side. I can do this using iptables but I'm curious if there is a way to do this with TC.

Thanks.

Jon Flechsenhaar
Boeing WNW Team
Network Services
(714)-762-1231
202-E7

From alexandre at ondainternet.com.br Mon Dec 11 20:27:08 2006
From: alexandre at ondainternet.com.br (Alexandre J. Correa - Onda Internet)
Date: Mon Dec 11 19:25:37 2006
Subject: [LARTC] load balacing with https home banking
In-Reply-To:
References:
Message-ID: <457DB10C.6040908@ondainternet.com.br>

you can try static ips of home banking like:

$IPTABLES -t nat -A POSTROUTING -s my_ip --protocol tcp -m multiport -d 200.200.200.1 --dports 80,443 -j SNAT --to-source adslB

where 200.200.200.1 is the ip of the homebanking site... and it's going out via adslB

Marco Berizzi wrote:
> Hello everybody.
> I'm running linux 2.6.19 with nth match to
> alternatively snat outgoing connections to
> two different ip addresses for load balancing
> between two adsl lines:
> Here is:
>
> $IPTABLES -t nat -A POSTROUTING -s my_ip --protocol tcp -m
> multiport --dports 80,443 -m statistic --mode nth --every 2 -j SNAT --to
> adslA
> $IPTABLES -t nat -A POSTROUTING -s my_ip --protocol tcp -m
> multiport --dports 80,443 -j SNAT --to adslB
>
> Things are working pretty good, but some
> applications (https home banking for example),
> don't work correctly (because the remote
> server see two different ip addresses). Is
> there any trick to tell iptables to snat
> always with the same source ip for the same
> destination host? I have also modified SNAT
> with SAME, but no luck.
>
> TIA

--
Sds.
Alexandre J. Correa
Onda Internet
www.ondainternet.com.br
Linux User ID #142329

From lists at andyfurniss.entadsl.com Mon Dec 11 20:24:30 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Mon Dec 11 20:24:25 2006
Subject: [LARTC] traffic shaping vpn (GRE) traffic
In-Reply-To: <8cf5f0480612100855k56470461hdac146e0f2db7757@mail.gmail.com>
References: <8cf5f0480612100855k56470461hdac146e0f2db7757@mail.gmail.com>
Message-ID: <457DB06E.2050104@andyfurniss.entadsl.com>

syncmaster4 wrote:
> Looking for some advice from the experts out there.
>
> We do simple traffic shaping and I'm having trouble figuring out how to
> shape vpn traffic using a tc filter.
>
> The following filter works fine for SSH
> tc filter add dev eth2 parent 1:0 protocol ip u32 match ip sport 22 0xffff classid 1:10
>
> The following throws an "Illegal match" error when trying to filter GRE traffic.
> tc filter add dev eth2 parent 1:0 protocol ip u32 \
>     match ip protocol 47 0xff \
>     match ip u16 0x10 00ff at 24 \
>     classid 1:10
>
> Any pointers are greatly appreciated!

You don't need the ip in match ip u16. Possibly also put 0x before 00ff and I am not sure what that will actually match.

Andy.

From lists at andyfurniss.entadsl.com Mon Dec 11 20:29:28 2006
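How the u32 selectors in the commands above are actually evaluated, as an added example that is not part of the thread and not tc's own code: a small Python model that turns `match ip protocol 47 0xff` and a raw `match u16 ... at 24` into (offset, mask, value) selectors, applies them to a constructed IPv4+GRE packet, and shows why the `match ip u16 ...` form is rejected and why `00ff` needs its `0x` prefix, as Andy says. The parser, the packet bytes and the addresses (RFC 5737 documentation range) are mine; only the offsets and masks follow tc's documented semantics.

```python
"""Model of how tc's u32 classifier evaluates `match` selectors.

Added example for this thread, not tc's code.  Every `match` becomes a
selector (offset, width, value, mask); a packet matches the filter when,
for each selector, packet[offset:offset+width] & mask == value & mask.
`match ip <field>` is a keyword form for fixed IPv4 header fields;
`match u8|u16|u32 <value> <mask> at <offset>` names the offset directly.
"""
import struct

# Fields tc accepts after `match ip`: (byte offset from IP header, width).
# Port offsets assume a 20-byte IPv4 header, as tc's keyword form does.
IP_FIELDS = {"protocol": (9, 1), "sport": (20, 2), "dport": (22, 2)}
RAW_WIDTHS = {"u8": 1, "u16": 2, "u32": 4}


def parse_number(text):
    """Numbers as tc's get_u32() reads them: strtoul() with base 0 and the
    whole string must be consumed.  '0x..' is hex, a leading '0' is octal,
    so '00ff' fails at the 'f': that is why the mask has to be 0x00ff."""
    try:
        if text[:2].lower() == "0x":
            return int(text[2:], 16)
        if len(text) > 1 and text[0] == "0":
            return int(text, 8)
        return int(text, 10)
    except ValueError:
        raise ValueError(f"cannot parse {text!r}: write hex with a 0x prefix") from None


def parse_match(tokens):
    """One selector: ['ip', 'protocol', '47', '0xff'] or
    ['u16', '0x10', '0x00ff', 'at', '24'] -> (offset, width, value, mask)."""
    if tokens[0] == "ip":
        if tokens[1] not in IP_FIELDS:
            # `match ip u16 ...`: u16 is not an IP field keyword, so tc
            # rejects the selector; this is the "Illegal match" Craig saw.
            raise ValueError(f"Illegal match: ip {tokens[1]}")
        offset, width = IP_FIELDS[tokens[1]]
        value, mask = parse_number(tokens[2]), parse_number(tokens[3])
    elif tokens[0] in RAW_WIDTHS:
        width = RAW_WIDTHS[tokens[0]]
        value, mask = parse_number(tokens[1]), parse_number(tokens[2])
        if tokens[3] != "at":
            raise ValueError("Illegal match: raw selector needs 'at <offset>'")
        offset = int(tokens[4])
    else:
        raise ValueError(f"Illegal match: {tokens[0]}")
    return offset, width, value & mask, mask


def parse_filter(spec):
    """'match ip protocol 47 0xff match u16 0x10 0x00ff at 24' -> selectors."""
    parts = spec.split()
    selectors, i = [], 0
    while i < len(parts):
        if parts[i] != "match":
            raise ValueError(f"expected 'match', got {parts[i]!r}")
        n = 5 if parts[i + 1] in RAW_WIDTHS else 4
        selectors.append(parse_match(parts[i + 1:i + 1 + n]))
        i += 1 + n
    return selectors


def matches(packet, selectors):
    """True when every selector agrees with the packet bytes."""
    for offset, width, value, mask in selectors:
        if offset + width > len(packet):
            return False
        field = int.from_bytes(packet[offset:offset + width], "big")
        if field & mask != value:
            return False
    return True


def build_packet(proto, payload):
    """Constructed IPv4 header (no options, 192.0.2.1 -> 192.0.2.2) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000, 64, proto, 0, b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02")
    return hdr + payload


# Constructed GRE payload: Key bit set, inner protocol IPv4, key 0x00100000.
# Packet byte 24 is GRE byte 4, the first optional field (here the key), so
# `u16 0x10 0x00ff at 24` tests the low byte of the key's upper half.
GRE_PACKET = build_packet(47, struct.pack("!HHI", 0x2000, 0x0800, 0x00100000))
# Constructed TCP payload with source port 22 (only the ports are filled in).
SSH_PACKET = build_packet(6, struct.pack("!HH", 22, 40000) + bytes(16))

if __name__ == "__main__":
    for spec in ("match ip protocol 47 0xff", "match ip sport 22 0xffff",
                 "match ip protocol 47 0xff match u16 0x10 0x00ff at 24"):
        sel = parse_filter(spec)
        print(f"{spec!r}: gre={matches(GRE_PACKET, sel)} ssh={matches(SSH_PACKET, sel)}")
    for bad in ("match ip u16 0x10 0x00ff at 24", "match u16 0x10 00ff at 24"):
        try:
            parse_filter(bad)
        except ValueError as err:
            print(f"{bad!r}: {err}")
```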
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Mon Dec 11 20:29:20 2006
Subject: [LARTC] Iptables matching on IFB
In-Reply-To: <20061206232015.0eb3201b@tresor>
References: <20061206232015.0eb3201b@tresor>
Message-ID: <457DB198.9000104@andyfurniss.entadsl.com>

FB wrote:
> Hey folks,
>
> I stumbled across the Mastershaper project
> ( http://www.mastershaper.org/ ) but I have a little problem:
> I wanted to shape the traffic coming from the router

If you really mean coming from rather than coming into then you don't need ifb or imq.

> itself as well as
> coming from the LAN behind the router, for that task I need IMQ, but
> with IMQ iptables-(layer7)-matching is not possible. Now I've talked
> with the programmer and he said the following:
>
>>The problem is not only MasterShaper - it's simply that iptables can't
>>match on IMQ interfaces directly. The only way would be to MARK packets
>>before and then match with tc-filter on the IMQ interfaces. But this
>>means that two subsystems handle packets and I think this will cause
>>much more overhead.
>>
>>Perhaps you can try if iptables is able to match on IFB interfaces
>>which are already included since some kernel versions and let me know.
>>If it works I will try to implement this in MS.

I wouldn't be too bothered about doing it this way with imq - if you really need to.

>>
>>Cheers,
>>Unki
>
> So, does anyone of you know if iptables matching is possible on an IFB
> interface? I would try it myself but sadly I can't experiment with my
> router currently :-(

ifb is before iptables on ingress and after on egress, so you can only use it with iptables on egress.

Andy.

From lists at andyfurniss.entadsl.com Mon Dec 11 20:32:03 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Mon Dec 11 20:31:59 2006
Subject: [LARTC] Does it possible to use HSFC with ESFQ ?
In-Reply-To: <4579BDA1.7010704@wanadoo.fr>
References: <20061206232015.0eb3201b@tresor> <457765E5.5070801@wanadoo.fr> <457804DE.1030706@wanadoo.fr> <45793B3E.2070202@fatooh.org> <45793CCC.3030908@fatooh.org> <4579BDA1.7010704@wanadoo.fr>
Message-ID: <457DB233.1090100@andyfurniss.entadsl.com>

Sébastien CRAMATTE wrote:
> Hello,
>
> Is it possible to use HSFC with ESFQ ?

Should be OK on ls - and as *sfq was only meant for bulk you shouldn't need to put it on rt.

Andy.

From linux at arcoscom.com Mon Dec 11 20:44:36 2006
From: linux at arcoscom.com (ArcosCom Linux User)
Date: Mon Dec 11 20:41:59 2006
Subject: [LARTC] iptables 1.3.7, kernel 2.6.19, ROUTE and Layer7 issues
Message-ID: <54905.84.123.236.132.1165866276.squirrel@www.arcoscom.com>

Hi, I'm having problems with this configuration:
    iptables 1.3.7 (vanilla or repackaged for fc5)
    kernel 2.6.19 (vanilla)
    ROUTE 1.11 (last pom-ng)
    layer7-filter 2.6 (last in sf.net)
    connlimit (last pom-ng)

When I try to use -j ROUTE in any chain in the mangle table I have this error:

[root@myhost ~]# iptables -v -t mangle -A POSTROUTING -p tcp --dport msnp -j ROUTE --gw $chat_gw
ROUTE  tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:1863 ROUTE gw:80.32.61.1
iptables: Invalid argument

[root@myhost ~]# dmesg | grep "ROUTE"
ipt_ROUTE: targinfosize 0 != 40

[root@myhost ~]# cat /var/log/messages | grep "ROUTE"
Dec 11 20:32:50 myhost kernel: ipt_ROUTE: targinfosize 0 != 40

With the layer7 filter I have a problem too, but it has no dmesg or syslog entry:

[root@myhost ~]# iptables -v -t mangle -A PREROUTING -m layer7 --l7proto msnmessenger
0 opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto msnmessenger
iptables: Invalid argument

Can anyone help me please? Do I need a more recent patch?

More info:
SMP machine (dual Xeon)

Thanks

From simone84bo at email.it Mon Dec 11 21:22:39 2006
From: simone84bo at email.it (Simone84bo)
Date: Mon Dec 11 21:22:36 2006
Subject: [LARTC] Link aggregation
Message-ID: <516225965ca7c72455b2355a0d11c270@85.18.136.107>

Hello everybody,

I am a (very) beginner in linux routing. I would like to solve this problem in general terms (the kind and amount of traffic aren't known): a router links some clients with two nets across two interfaces. I'd like to know how I should set up the router in this case, and how to share the traffic on the two interfaces.

Like I said, I'm no expert; hope it helps.

Thanks
Simone

From fabricio.feijo at gmail.com Mon Dec 11 22:13:16 2006
From: fabricio.feijo at gmail.com (Fabrício F. Feijó)
Date: Mon Dec 11 22:13:23 2006
Subject: [LARTC] load balacing with https home banking
In-Reply-To:
References:
Message-ID: <8249921d0612111313i23304ae5v8a54c444d1811f6@mail.gmail.com>

I was reading something about -m connmark, where you can set a mark on each connection and make it persistent from the initial connection link.

On 12/11/06, Marco Berizzi wrote:
>
> Hello everybody.
> I'm running linux 2.6.19 with nth match to
> alternatively snat outgoing connections to
> two different ip addresses for load balancing
> between two adsl lines:
> Here is:
>
> $IPTABLES -t nat -A POSTROUTING -s my_ip --protocol tcp -m
> multiport --dports 80,443 -m statistic --mode nth --every 2 -j SNAT --to
> adslA
> $IPTABLES -t nat -A POSTROUTING -s my_ip --protocol tcp -m
> multiport --dports 80,443 -j SNAT --to adslB
>
> Things are working pretty good, but some
> applications (https home banking for example),
> don't work correctly (because the remote
> server see two different ip addresses). Is
> there any trick to tell iptables to snat
> always with the same source ip for the same
> destination host? I have also modified SNAT
> with SAME, but no luck.
>
> TIA

From rob0 at gmx.co.uk Tue Dec 12 02:16:28 2006
From: rob0 at gmx.co.uk (/dev/rob0)
Date: Tue Dec 12 02:16:48 2006
Subject: [LARTC] OpenVPN, proxy ARP for an entire subnet (Linux endpoints)
Message-ID: <200612111916.29306.rob0@gmx.co.uk>

"A Tale of TTL Troubles"

I was hired to implement VPN for a subnet. The owner has a /27 at his home site, and he wanted to have the machines there answering BOTH on those IP addresses and some addresses at a remote colocation provider. Make sense? Not to me either. :( I think he's trying to fool his customers into thinking he has a physical presence in the colocation city. But it's his money, and a very interesting issue.

I set up a simple openvpn peer-mode tunnel. It mostly seems to work, except return packets back through the VPN are giving me trouble. Sorry, I'm not allowed to post details, so IP addresses are munged. :(

HOME_SITE_NET=x.x.x.0/27 [ 0-31 ]
HOME_DEF_GATEWAY=x.x.x.1 (I have no access to this router.)
HOME_VPN_ENDPOINT=x.x.x.4, a/k/a y.y.y.38
REMOTE_SITE_NET=y.y.y.0/24 (out of this I was told to bind .38 on the VPN peer and route .39 through .60 via the VPN. Sigh ... CIDR masks would have been nice.)
REMOTE_DEF_GATEWAY=y.y.y.1 (I have no access to this router either.)
REMOTE_VPN_ENDPOINT=y.y.y.37, a/k/a 192.168.255.37 (The latter is only used for the tunnel traffic.)

Routing on HOME_VPN_ENDPOINT:

[root@localhost ~]# ip route list
y.y.y.39 dev eth0  scope link
192.168.255.37 dev tun0  proto kernel  scope link  src y.y.y.38
y.y.y.40/29 dev eth0  scope link
y.y.y.48/28 dev eth0  scope link
x.x.x.0/27 dev eth0  proto kernel  scope link  src x.x.x.4
169.254.0.0/16 dev eth0  scope link
default via x.x.x.1 dev eth0
[root@localhost ~]# ip route list table colo
default via 192.168.255.37 dev tun0  src y.y.y.38
[root@localhost ~]# ip rule list
0:      from all lookup local
32763:  from y.y.y.48/28 lookup colo
32764:  from y.y.y.40/29 lookup colo
32765:  from y.y.y.39 lookup colo
32766:  from all lookup main
32767:  from all lookup default

The 3 "dev eth0 scope link" routes are what was needed to cover .39 through .60. It goes over, to .63, oh well.

One of the machines is x.x.x.6 and y.y.y.39, .49, .59, and .60 on the VPN. It's my guinea pig, hereinafter called "www". CentOS release 4.4 (Final) 2.6.9-42.ELsmp on each of www and HOME_VPN_ENDPOINT; I think REMOTE_VPN_ENDPOINT is similar, but I don't think it's the problem.

[root@www ~]# ip route list
y.y.y.0/27 dev eth0  proto kernel  scope link  src y.y.y.6
169.254.0.0/16 dev eth0  scope link
default via y.y.y.1 dev eth0
[root@www ~]# ip rule list
0:      from all lookup local
32765:  from x.x.x.32/27 lookup vpn
32766:  from all lookup main
32767:  from all lookup default
[root@www ~]# ip route list table vpn
default via y.y.y.4 dev eth0

I tested the routing by using my own IP in an iptables -j LOG rule, followed by an nmap -sP of the range.

[root@localhost ~]# iptables-save
# Generated by iptables-save v1.2.11 on Mon Dec 11 09:10:27 2006
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LogVpn - [0:0]
-A FORWARD -d y.y.y.32/255.255.255.224 -j LogVpn
-A FORWARD -s y.y.y.32/255.255.255.224 -j LogVpn
-A LogVpn -s my.IP.add.ress -j LOG --log-prefix "5Vpn IN: "
-A LogVpn -d my.IP.add.ress -j LOG --log-prefix "5Vpn OUT: "
COMMIT
# Completed on Mon Dec 11 09:10:27 2006

Results of the scan: all but y.y.y.39 were up.

Logs: um, rather than ask you to pick through all that, I'll summarise:

[root@localhost ~]# dmesg | grep ^5Vpn
...

.39 worked perfectly. The ping and HTTP requests came IN=tun0 and OUT=eth0; the replies came IN=eth0 and OUT=tun0. The inbound ICMP had TTL=39. The inbound HTTP had TTL=33, a difference of 6.

.49 seemed to have a routing loop, and the "www" host apparently didn't answer the ARP queries. We only got "5Vpn IN:" packets, none "OUT:". Each packet passed through 3 times, with ICMP TTL values of 34, 22 and 10, and HTTP TTL values of 26, 14, and 2. Interestingly, each time the IN and OUT interface was eth0. And coincidentally (?) it's 13 hops from me to www's VPN IP, and 11 hops from www to REMOTE_VPN_ENDPOINT going through HOME_DEF_GATEWAY.

.59 and .60 both worked, but the return packets must have gone through HOME_DEF_GATEWAY, because both IN=eth0 and OUT=eth0 for each of the "IN:" and "OUT:" packets. Inbound TTL values were 38 and 47 for ICMP, and 34 and 40 for HTTP, on each of .59 and .60 respectively.

Meanwhile, over on www I set up similar log rules, and the results for this scan pretty well aligned with the logs on HOME_VPN_ENDPOINT. Same TTLs on inbound as noted above. Nothing was logged for .49 in or out, again leading me to think that www ignored the ARP queries.

I wait awhile, try again, and I get different results. But never does everything work right. This is nuts!!

Looks like sometimes www won't answer ARP for its locally-bound IP addresses, and the rules on HOME_VPN_ENDPOINT are being ignored. And how the VPN packets could possibly come in on eth0 is beyond me.

What am I missing here? What can I try?

One idea I had, was possibly to do proxy ARP on the HOME site too. Tell the HOME machines to use 192.168.255.37 as the default route in their vpn tables. That takes HOME_VPN_ENDPOINT routing rules out of the equation. Trying that now, similar intermittent results.

ARRRRRRRRRGH!!
--
Offlist mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header

From linux at arcoscom.com Tue Dec 12 09:24:38 2006
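A way to mechanise the TTL bookkeeping rob0 does by hand above, as an added example that is not part of the post: a Python parser for iptables LOG lines that keys each sighting on the packet's IP ID and addresses, flags a packet as looping when it transits the FORWARD chain repeatedly with a steadily falling TTL (the 34/22/10 pattern, 12 hops per pass), and lists destinations whose traffic enters and leaves on the same interface. The log lines, the IP IDs and the addresses (RFC 5737 documentation ranges) are constructed.

```python
"""Detect routing loops and hairpins in iptables LOG output.

Added example for this thread.  rob0 spotted the .49 loop because the same
probe was logged three times with TTL 34, 22 and 10 (a constant drop of 12)
and always IN=eth0 OUT=eth0.  This script parses the ipt_LOG line format,
groups sightings of the same datagram and reports the ones that keep coming
back with a lower TTL.  Every log line below is constructed.
"""
import re
from collections import defaultdict

# ipt_LOG fields: "<prefix>: IN=eth0 OUT=eth0 [MAC=...] SRC=.. DST=.. ... TTL=34 ID=1002 ..."
# The first ID= after TTL= is the IP header ID; the ICMP ID comes later.
LOG_RE = re.compile(
    r"(?P<prefix>\S+ \S+): IN=(?P<inif>\S*) OUT=(?P<outif>\S*) (?:MAC=\S* )?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?TTL=(?P<ttl>\d+) ID=(?P<ipid>\d+)"
)

# Constructed sample: one clean VPN exchange (.39), one loop (.49) and one
# hairpinned reply path (.59).  203.0.113.7 stands in for "my.IP.add.ress".
SAMPLE_LOG = """\
Dec 11 09:12:01 localhost kernel: 5Vpn IN: IN=tun0 OUT=eth0 SRC=203.0.113.7 DST=198.51.100.39 LEN=84 TOS=0x00 PREC=0x00 TTL=39 ID=1001 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Dec 11 09:12:01 localhost kernel: 5Vpn OUT: IN=eth0 OUT=tun0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.39 DST=203.0.113.7 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=2001 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=1
Dec 11 09:12:02 localhost kernel: 5Vpn IN: IN=eth0 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.49 LEN=84 TOS=0x00 PREC=0x00 TTL=34 ID=1002 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=2
Dec 11 09:12:02 localhost kernel: 5Vpn IN: IN=eth0 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.49 LEN=84 TOS=0x00 PREC=0x00 TTL=22 ID=1002 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=2
Dec 11 09:12:02 localhost kernel: 5Vpn IN: IN=eth0 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.49 LEN=84 TOS=0x00 PREC=0x00 TTL=10 ID=1002 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=2
Dec 11 09:12:03 localhost kernel: 5Vpn IN: IN=eth0 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.59 LEN=84 TOS=0x00 PREC=0x00 TTL=38 ID=1003 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=3
Dec 11 09:12:03 localhost kernel: 5Vpn OUT: IN=eth0 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.59 DST=203.0.113.7 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=2003 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=3
"""


def parse_log(text):
    """Return one dict per recognised LOG line; other lines are ignored."""
    sightings = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            fields = m.groupdict()
            fields["ttl"] = int(fields["ttl"])
            sightings.append(fields)
    return sightings


def find_loops(sightings, min_sightings=2):
    """{(src, dst, ipid): [ttl, ...]} for datagrams logged more than once with
    a strictly decreasing TTL: the same packet is transiting the box again."""
    by_packet = defaultdict(list)
    for s in sightings:
        by_packet[(s["src"], s["dst"], s["ipid"])].append(s["ttl"])
    return {key: ttls for key, ttls in by_packet.items()
            if len(ttls) >= min_sightings
            and all(a > b for a, b in zip(ttls, ttls[1:]))}


def loop_length(ttls):
    """Hops per pass of the loop, or None if the passes differ in cost."""
    drops = {a - b for a, b in zip(ttls, ttls[1:])}
    return drops.pop() if len(drops) == 1 else None


def hairpinned(sightings):
    """Destinations whose forwarded packets enter and leave on the same
    interface (IN=eth0 OUT=eth0): the path rob0 saw for .59 and .60."""
    return sorted({s["dst"] for s in sightings if s["inif"] == s["outif"]})


if __name__ == "__main__":
    seen = parse_log(SAMPLE_LOG)
    for (src, dst, ipid), ttls in find_loops(seen).items():
        print(f"{src} -> {dst} (id {ipid}) seen {len(ttls)}x, TTL {ttls}, "
              f"{loop_length(ttls)} hops per pass")
    print("hairpinned on one interface:", hairpinned(seen))
```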
From: linux at arcoscom.com (ArcosCom Linux User)
Date: Tue Dec 12 09:22:10 2006
Subject: [LARTC] Re: iptables 1.3.7, kernel 2.6.19, ROUTE and Layer7 issues
In-Reply-To: <54905.84.123.236.132.1165866276.squirrel@www.arcoscom.com>
References: <54905.84.123.236.132.1165866276.squirrel@www.arcoscom.com>
Message-ID: <57631.195.55.244.106.1165911878.squirrel@www.arcoscom.com>

Any help about this?

Thanks

On Mon, 11 December 2006, 20:44, ArcosCom Linux User wrote:
> Hi, I'm having problems with this configuration:
>     iptables 1.3.7 (vanilla or repackaged for fc5)
>     kernel 2.6.19 (vanilla)
>     ROUTE 1.11 (last pom-ng)
>     layer7-filter 2.6 (last in sf.net)
>     connlimit (last pom-ng)
>
> When I try to use -j ROUTE in any chain in mangle table I have this error:
>
> [root@myhost ~]# iptables -v -t mangle -A POSTROUTING -p tcp --dport msnp
> -j ROUTE --gw $chat_gw
> ROUTE  tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:1863 ROUTE
> gw:80.32.61.1
> iptables: Invalid argument
>
> [root@myhost ~]# dmesg | grep "ROUTE"
> ipt_ROUTE: targinfosize 0 != 40
>
> [root@myhost ~]# cat /var/log/messages | grep "ROUTE"
> Dec 11 20:32:50 myhost kernel: ipt_ROUTE: targinfosize 0 != 40
>
> With layer7 filter, I have a problem too, but it has no dmesg or syslog
> entry:
>
> [root@myhost ~]# iptables -v -t mangle -A PREROUTING -m layer7 --l7proto
> msnmessenger
> 0 opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto
> msnmessenger
> iptables: Invalid argument
>
> Does anyone help me please? I need any more recent patch?
>
> More info:
> SMP machine (dual Xeon)
>
> Thanks

From kaber at trash.net Tue Dec 12 09:34:31 2006
From: kaber at trash.net (Patrick McHardy)
Date: Tue Dec 12 09:31:12 2006
Subject: [LARTC] Re: iptables 1.3.7, kernel 2.6.19, ROUTE and Layer7 issues
In-Reply-To: <57631.195.55.244.106.1165911878.squirrel@www.arcoscom.com>
References: <54905.84.123.236.132.1165866276.squirrel@www.arcoscom.com> <57631.195.55.244.106.1165911878.squirrel@www.arcoscom.com>
Message-ID: <457E6997.1050001@trash.net>

ArcosCom Linux User wrote:
> On Mon, 11 December 2006, 20:44, ArcosCom Linux User wrote:
>
>>Hi, I'm having problems with this configuration:
>>    iptables 1.3.7 (vanilla or repackaged for fc5)
>>    kernel 2.6.19 (vanilla)
>>    ROUTE 1.11 (last pom-ng)
>>    layer7-filter 2.6 (last in sf.net)
>>    connlimit (last pom-ng)
>>
>>When I try to use -j ROUTE in any chain in mangle table I have this error:
>>
>>[root@myhost ~]# iptables -v -t mangle -A POSTROUTING -p tcp --dport msnp
>>-j ROUTE --gw $chat_gw
>>ROUTE  tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:1863 ROUTE
>>gw:80.32.61.1
>>iptables: Invalid argument
>>
>>[root@myhost ~]# dmesg | grep "ROUTE"
>>ipt_ROUTE: targinfosize 0 != 40

The ROUTE target needs to set the targetsize field in struct ipt_target. It probably needs other adjustments for 2.6.19 as well. I would just use normal policy routing ..

From s.cramatte at wanadoo.fr Tue Dec 12 11:27:54 2006
From: s.cramatte at wanadoo.fr (Sébastien CRAMATTE)
Date: Tue Dec 12 11:28:03 2006
Subject: [LARTC] Layer7 module doesn't detect nothing on my bridge with a 2.6.18.3 kernel
Message-ID: <457E842A.5010200@wanadoo.fr>

Hello

I've set up a QoS bridge under debian 3.1 using a 2.6.18.3 kernel + iptables 1.3.6. I've patched the kernel and iptables with esfq+layer7 without problems.

This simple script doesn't log anything ... And I'm sure to have eMule traffic (I've checked with tcpdump). If I remove the " -m layer7 --l7proto edonkey \" line I can see the iptables log in /var/log/kern.log. I've tested with other protocols like skype or messenger ... the layer7 filter seems to be simply ignored ... Syslog or kern.log still empty ...

#!/bin/sh

DEV=eth0
BR=br0
SHAPPER=CPE

iptables -t mangle -N ${SHAPPER}
iptables -t mangle -A POSTROUTING -o ${BR} -m physdev --physdev-out ${DEV} \
    -j ${SHAPPER}
iptables -t mangle -A ${SHAPPER} \
    -m layer7 --l7proto edonkey \
    -j LOG --log-prefix eMule

As you can see below my eth0 and eth1 interfaces are not in PROMISC mode because I use the physdev module and a user iptables chain to redirect all traffic

#ifconfig
br0       Link encap:Ethernet  HWaddr 00:30:48:87:99:28
          inet addr:xxx.xxx.xxx.xxx  Bcast: xxx.xxx.xxx.xxx  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:146572 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14813 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:13160188 (12.5 MiB)  TX bytes:2391735 (2.2 MiB)

eth0      Link encap:Ethernet  HWaddr 00:30:48:87:99:28
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:588665 errors:0 dropped:0 overruns:0 frame:0
          TX packets:226155 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:170415971 (162.5 MiB)  TX bytes:138342082 (131.9 MiB)
          Base address:0xc000 Memory:f2000000-f2020000

eth1      Link encap:Ethernet  HWaddr 00:30:48:87:99:29
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:211410 errors:0 dropped:0 overruns:0 frame:0
          TX packets:566435 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:135919959 (129.6 MiB)  TX bytes:162558207 (155.0 MiB)
          Base address:0xd100 Memory:f1000000-f1020000

# lsmod
Module                  Size  Used by
ipt_ipp2p               6400  0
ipt_LOG                 5248  2
xt_multiport            2176  4
ipt_layer7              8840  14
cls_u32                 5636  6
sch_esfq                4736  10
xt_CLASSIFY             1024  28
xt_limit                1280  0
ipt_TOS                 1152  0
xt_length               1152  6
ipt_tos                  896  2
sch_htb                12544  2
xt_physdev              1808  2
floppy                 44580  0
e1000                 100032  0
ehci_hcd               22152  0
uhci_hcd               16012  0
usbcore                86148  3 ehci_hcd,uhci_hcd
i82875p_edac            3332  0
dm_mod                 34488  5
rtc                     6708  0

Any ideas?

Thanks for your help

Regards
Sébastien

From linux at arcoscom.com Tue Dec 12 12:44:21 2006
From: linux at arcoscom.com (ArcosCom Linux User)
Date: Tue Dec 12 12:41:44 2006
Subject: [LARTC] Re: Routing & NAT Problem take #2
In-Reply-To: <117F5E7DA31C17478948DC39E01B948B400F58@frost.PlumSoftwareLtd.local>
References: <117F5E7DA31C17478948DC39E01B948B400F58@frost.PlumSoftwareLtd.local>
Message-ID: <46154.195.55.244.106.1165923861.squirrel@www.arcoscom.com>

Try to SNAT the incoming connection too, then your server sees only the 200.x.x.x IP for the incoming calls. You have DNAT for redirections, add a POSTROUTING SNAT.

I suppose that you are DNATing in PREROUTING and you will add a rule (only for example) to SNAT the incoming calls from the 200.x.x.x router:

iptables -t nat -A POSTROUTING -d -j MASQUERADE

Perhaps you'll need to put before that rule some rules to allow internal traffic to that server without SNAT.

Another solution is to configure the routing rules/tables/filters in your routers to more specific rules/filters.

Perhaps LARTC is a better list than this to allow you to find a good answer about your routing problem.

Regards

P.D.: My english isn't perfect, sorry.

On Tue, 12 December 2006, 11:29, Matt wrote:
>
> Related problem to the earlier one, I'm afraid. Current network layout:
>
>                   Internet
>                      |
>            ----100.100.251.217----
>           /        (router)       \              Internet
>          |                         |                 |
>   100.100.251.220         100.100.251.218     200.200.64.139
>          |                         |                 |
>    192.168.100.x                    \               /
>   (Office Network)                   \             /
>                                  Linux Multihomed Router
>                                       192.168.0.254
>                                            |
>                                            |
>                                       192.168.0.6
>                                     Internal Server
>
> I got the above working on our test bed, where users can get to the
> internal server 192.168.0.6 via either Internet connection. The problem is
> getting from our Office Network to 200.200.64.139:56100
>
> What appears to be happening is this:
>
> 1. Packet is sent from internal router, arrives at 100.100.251.220, is
> routed through 100.100.251.217 to the Internet.
> 2. Packet arrives at 200.200.64.139, DNAT'd to 192.168.0.6.
> 3. Internal Server replies, sends it to its default gateway
> (192.168.0.254)
> 4. Linux server sees 100.100.251.220 as destination, sends to
> 100.100.251.218 instead of back out of 200.200.64.139. (This is not
> expected as I'm marking incoming connections at the linux router using
> CONNMARK/MARK, and connections go in and out of the correct interface when
> the destination is outside the 100.100.251.216/29 network)
>
> (Note: I don't know if the returning connections are SNAT'd back to
> 200.200.64.139)
>
> So...
>
> Is there a way around this? i.e. so that the multihoming still works?
>
> It seems that normal routing to the 100.100.251.216/29 network takes
> precedence over my connection marked rule, that would instruct the packet
> to be sent out over the correct interface (and maybe therefore SNAT'd
> correctly too).
>
> Not sure what's going on. Can anyone point me in the correct direction?
>
> Thanks,
>
> Matt

From Matt at PlumSoftware.co.uk Tue Dec 12 13:42:25 2006
From: Matt at PlumSoftware.co.uk (Matt)
Date: Tue Dec 12 13:41:52 2006
Subject: [LARTC] Multihoming & routing & NAT problem
Message-ID: <117F5E7DA31C17478948DC39E01B948B400F5F@frost.PlumSoftwareLtd.local>

As suggested on the netfilter list, I'm posting here too:

Current network layout:

                  Internet
                     |
           ----100.100.251.217----
          /        (router)       \              Internet
         |                         |                 |
  100.100.251.220         100.100.251.218     200.200.64.139
         |                         |                 |
   192.168.100.x                    \               /
  (Office Network)                   \             /
                                 Linux Multihomed Router
                                      192.168.0.254
                                           |
                                           |
                                      192.168.0.6
                                    Internal Server

I got the above working on our test bed, where users can get to the internal server 192.168.0.6 via either Internet connection. The problem is getting from our Office Network to 200.200.64.139:56100

What appears to be happening is this:

1. Packet is sent from internal router, arrives at 100.100.251.220, is routed through 100.100.251.217 to the Internet.
2. Packet arrives at 200.200.64.139, DNAT'd to 192.168.0.6.
3. Internal Server replies, sends it to its default gateway (192.168.0.254)
4. Linux server sees 100.100.251.220 as destination, sends to 100.100.251.218 instead of back out of 200.200.64.139. (This is not expected as I'm marking incoming connections at the linux router using CONNMARK/MARK, and connections go in and out of the correct interface when the destination is outside the 100.100.251.216/29 network)

(Note: I don't know if the returning connections are SNAT'd back to 200.200.64.139)

So...

Is there a way around this? i.e. so that the multihoming still works?

It seems that normal routing to the 100.100.251.216/29 network takes precedence over my connection marked rule, that would instruct the packet to be sent out over the correct interface (and maybe therefore SNAT'd correctly too).

Not sure what's going on. Can anyone point me in the correct direction?

Thanks,

Matt

From jatoledano at gmail.com Tue Dec 12 14:07:16 2006
From: jatoledano at gmail.com (Javier A Toledano)
Date: Tue Dec 12 14:07:23 2006
Subject: [LARTC] Routing Problem
Message-ID:

Routing Problem

                        Internet
                            |
                            |
               DSL Router with NAT Enabled
                      192.168.93.2/24
                            |
                            |
                            |
                            |
                   192.168.93.1/24 (eth1)
                            |
  Linux Multihomed Router -- 10.0.0.25/8 (eth0) ------------------ 10.0.0.1 (host)
                            |
                            |
                   192.168.10.2/24 (eth2)
                            |
                            |
                            |
                            |
                    192.168.10.49 (host)

The linux box is running Centos 4.2. I have 3 ethernet cards: eth1 (davicom Semiconductor, Inc 21x4x DEC-Tulip Compatible), eth0 (VIA Technologies, Inc VT6105 Rhine III), eth2 (intel Corporation 82547Gi Gigabit Ethernet Controller).

I don't have any iptables rules applied to the kernel. The content of sysctl.conf is below:

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 0

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

The problem is that forwarding is enabled but when I try to probe connectivity from a host in the 10.0.0.0 net, e.g. 10.0.0.1, making an echo request to a host in the 192.168.10.0 net, e.g. 192.168.10.49, the icmp packets arrive at the linux box (interface eth0) but don't traverse it.

After I initiate an echo request from 192.168.10.49 to 10.0.0.1, the packets initiated in the 10.0.0.0 net start to traverse the router magically. It seems that it needs a packet from 192.168.10.0 to start working.

I would appreciate any idea.

Thanks in advance.

Javier Toledano

From fdelawarde at wirelessmundi.com Tue Dec 12 15:44:23 2006
From: fdelawarde at wirelessmundi.com (François Delawarde)
Date: Tue Dec 12 15:50:31 2006
Subject: [LARTC] SIP, NAT, and load balancing problems
Message-ID: <457EC047.7090404@wirelessmundi.com>

Hello all,

I have a linux machine with a SIP server (Asterisk) and 2 WAN interfaces (NATed) configured to do load balancing. I experienced problems with the SIP/RTP protocols and load balancing, because when initiating a call to an external SIP Host, a new RTP flow starts from the server to the Host, that sometimes uses another default route (due to the nexthop configuration). As I have two different public IPs, the external host gets confused while receiving flows from different IPs, and doesn't work (or sometimes we only have one-way communication).

                        __________
                       |          |-eth1---|Router ISP 1|---WAN 1
            LAN---eth0-|SIP Server|
                       |__________|-eth2---|Router ISP 2|---WAN 2

What I basically want is to force all traffic from my SIP server to pass by a unique WAN interface (eth2), or to find a solution that would force multiple sessions from the same IP to use the same WAN interface.

Reading various forums and mailing lists, I decided to try to do "output re-routing" for all traffic sent to the wrong interface: (5060 is the SIP port and 10000-20000 are the possible RTP ports)

1. using FWMARK and iproute2:

iptables -t mangle -A OUTPUT -o eth1 -p udp --sport 5060 -j MARK --set-mark 0x101
iptables -t mangle -A OUTPUT -o eth1 -p udp --sport 10000:20000 -j MARK --set-mark 0x101
ip rule add prio 101 fwmark 0x101 table 101
ip route add default via 192.168.2.1 dev eth2 src 192.168.2.2 table 101
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

The redirection is working, but the source port is changed by the MASQUERADE, and this doesn't work with SIP/RTP, which contain reply information (ip/port) inside their packets.

2. iptables ROUTE target:

iptables -t mangle -A OUTPUT -o eth1 -p udp --dport 5060 -j ROUTE --oif eth2 --gw 192.168.2.1 --continue
iptables -t mangle -A OUTPUT -o eth1 -p udp --dport 10000:20000 -j ROUTE --oif eth2 --gw 192.168.2.1 --continue
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

Even with SNAT or MASQUERADE rules, the source IP of the packet is not changed when using these ROUTE targets, and the router connected to eth2 then drops the packets.

Below you can find my network configuration (rules, routes and addresses).

Does anyone have an idea of how I could resolve this problem?

Thanks,
François.

From andrewm at intoweb.co.za Tue Dec 12 20:54:05 2006
From: andrewm at intoweb.co.za (Andrew McGill)
Date: Tue Dec 12 20:54:24 2006
Subject: [LARTC] SIP, NAT, and load balancing problems
In-Reply-To: <457EC047.7090404@wirelessmundi.com>
References: <457EC047.7090404@wirelessmundi.com>
Message-ID:

On Tuesday Dec 12, 2006 around 3:44pm, François Delawarde wrote,
> Hello all,
>
> I have a linux machine with a SIP server (Asterisk) and 2 WAN interfaces
> (NATed) configured to do load balancing. I experienced problems with the
> SIP/RTP protocols and load balancing, because when initiating a call to an
> external SIP Host, a new RTP flow starts from the server to the Host, that
> sometimes uses another default route (due to the nexthop configuration). As I
> have two different public IPs, the external host gets confused while
> receiving flows from different IPs, and doesn't work (or sometimes we only
> have one-way communication).

There is a similar problem with openvpn which the --multihome patch in 2.1_rc* solves (SOL_IP / IP_PKTINFO option on the socket). Unless the application (asterisk in your case) chooses to bind a UDP socket to a particular IP address, the routing subsystem will assign the IP address. Since UDP is connectionless, there is no reason to use the same IP address as the incoming 'connection'. (ip_conntrack doesn't count.)

*You* may be able to solve the problem with some creative use of the CONNMARK target (I didn't succeed). The best solution, in the absence of a kernel hack to treat UDP as a connection-oriented protocol, is to fix asterisk (IMHO, IANAKH).

&:-)

>                 __________
>                |          |-eth1---|Router ISP 1|---WAN 1
>     LAN---eth0-|SIP Server|
>                |__________|-eth2---|Router ISP 2|---WAN 2
>
>
> What I basically want is to force all traffic from my SIP server to pass by a
> unique WAN interface (eth2), or to find a solution that would force multiple
> sessions from the same IP to use the same WAN interface. Reading various
> forums and mailing lists, I decided to try to do "output re-routing" to all
> traffic sent to the wrong interface:
>
> (5060 is the SIP port and 10000-20000 are the possible RTP ports)
>
> 1. using FWMARK and iproute2:
>
> iptables -t mangle -A OUTPUT -o eth1 -p udp --sport 5060 -j MARK --set-mark
> 0x101
> iptables -t mangle -A OUTPUT -o eth1 -p udp --sport 10000:20000 -j MARK
> --set-mark 0x101
> ip rule add prio 101 fwmark 0x101 table 101
> ip route add default via 192.168.2.1 dev eth2 src 192.168.2.2 table 101
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
> iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
>
> The redirection is working, but the source port is changed by the MASQUERADE,
> and this doesn't work with SIP/RTP, which contain reply information (ip/port)
> inside its packets.
>
>
> 2. iptables ROUTE target:
>
> iptables -t mangle -A OUTPUT -o eth1 -p udp --dport 5060 -j ROUTE --oif eth2
> --gw 192.168.2.1 --continue
> iptables -t mangle -A OUTPUT -o eth1 -p udp --dport 10000:20000 -j ROUTE
> --oif eth2 --gw 192.168.2.1 --continue
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
> iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
>
> Even with SNAT or MASQUERADE rules, the source IP of the packet is not
> changed when using these ROUTE targets, the router connected to eth2 then
> drops the packets.
>
>
> Below you can find my network configuration (rules, routes and addresses).
> Anyone has an idea of how I could resolve this problem?
>
> Thanks,
> François.
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
>

--
Disclaimer: our lawyers will sue us if you copy this disclaimer

From s.cramatte at wanadoo.fr Tue Dec 12 22:02:26 2006
From: s.cramatte at wanadoo.fr (Sébastien CRAMATTE)
Date: Tue Dec 12 22:03:21 2006
Subject: [LARTC] About HFSC ?
Message-ID: <457F18E2.5090208@wanadoo.fr>

Hello,

I've read this article about VoIP and HFSC: http://automatthias.wordpress.com/2006/06/30/hfsc-and-voip/

I've got a few questions. Considering this:

tc class add dev $DEV parent 1:1 classid 1:2 hfsc \
    rt m1 ${UPLINK}kbit d 50ms m2 $[1*$UPLINK/10]kbit \
    ls m1 ${UPLINK}kbit d 50ms m2 $[3*$UPLINK/10]kbit \
    ul rate ${UPLINK}kbit

rt = realtime curve
ls = linksharing curve

but m1 = ? m2 = ? d = dmax ?

I've found this article too: http://linux-ip.net/articles/hfsc.en/

And for example this line is quite different!

tc class add dev eth0 parent 1:10 classid 1:12 hfsc sc umax 1500b dmax 30ms rate 100kbit ul rate 1000kbit

Could anyone enlighten me?

Regards

From gtaylor at riverviewtech.net Wed Dec 13 00:50:06 2006
From: gtaylor at riverviewtech.net (Taylor, Grant)
Date: Wed Dec 13 00:50:09 2006
Subject: [LARTC] Multihoming & routing & NAT problem
In-Reply-To: <117F5E7DA31C17478948DC39E01B948B400F5F@frost.PlumSoftwareLtd.local>
References: <117F5E7DA31C17478948DC39E01B948B400F5F@frost.PlumSoftwareLtd.local>
Message-ID: <457F402E.6060509@riverviewtech.net>

Matt wrote:
> I got the above working on our test bed, where users can get to the
> internal server 192.168.0.6 via either Internet connection. The problem
> is getting from our Office Network to 200.200.64.139:56100

*nod* This is a weird routing issue. (See below.)

> What appears to be happening is this:
>
> 1. Packet is sent from internal router, arrives at 100.100.251.220, is
> routed through 100.100.251.217 to the Internet.
> 2. Packet arrives at 200.200.64.139, DNAT'd to 192.168.0.6.
> 3. Internal Server replies, sends it to its default gateway
> (192.168.0.254)
> 4. Linux server sees 100.100.251.220 as destination, sends to
> 100.100.251.218 instead of back out of 200.200.64.139. (This is not
> expected as I'm marking incoming connections at the linux router using
> CONNMARK/MARK, and connections go in and out of the correct interface
> when the destination is outside the 100.100.251.216/29 network)

Presuming that you are not doing any custom routing with IPRoute2, this is as I would expect. What is happening is your "Linux Multihomed Router" has a direct route back to your office's internet router. Per standard routing mechanisms, your router will choose a directly connected route, or any other (non default) route that it knows of, over your default route. So, really your Linux router is doing what it should be doing. Unfortunately what it should be doing is not what you want it to be doing.

> (Note: I don't know if the returning connections are SNAT'd back to
> 200.200.64.139)

A simple TCPDump will tell you if this is the case or not. However, I suspect that the packets are being SNATed to 100.100.251.218.

> Is there a way around this? i.e. so that the multihoming still works?

Yes, multiple. One is to make your office router know that it can reach the 200.200.64.139 host via the 100.100.251.218 router. However, this is probably not what you really want to do. I say this is probably not what you want to do b/c I'm willing to bet that you are wanting to be able to test things across the internet from your office, which would be circumvented with this routing.

> It seems that normal routing to the 100.100.251.216/29 network takes
> precedence over my connection marked rule, that would instruct the
> packet to be sent out over the correct interface (and maybe therefore
> SNAT'd correctly too).

Yes (see above). This is because IPTables usually does not interact with any routing decisions. (Usually b/c IPTables can be configured to do exactly that.) IPTables usually acts on packets before and after routing decisions have been made.

> Not sure what's going on. Can anyone point me in the correct direction?

A different and probably my recommended solution (presuming that you want the traffic to cross the internet) would be to use a custom routing table for traffic that is to use the 200.200.64.139 interface. This custom routing table would not include any knowledge of the 100.100.251.218 network. Thus any traffic back to the office at 100.100.251.220 would be routed through the default gateway and out across the internet back to the office. Presuming that you have MARK and CONNMARK working correctly you could use an "ip rule" to look for the firewall mark to instruct the Linux kernel to use the alternate routing table.

Grant. . . .

From gtaylor at riverviewtech.net Wed Dec 13 04:47:01 2006
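The route selection Grant describes above, as an added model written for this page (not code from the thread): a rule walk over per-table longest-prefix lookups, applied to Matt's addresses. The gateway addresses, the prefix length of the 200.200.64.x line and the mark value are constructed placeholders, since the thread does not give them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str                 # "default" or a CIDR prefix
    dev: str
    via: Optional[str] = None   # None: directly connected route


@dataclass(frozen=True)
class Rule:
    priority: int
    table: str
    fwmark: Optional[int] = None   # None: "from all"


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match within one table (what the kernel's FIB lookup does).

    A connected /29 therefore always beats a default (/0) route in the same table.
    """
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for r in table:
        net = ipaddress.ip_network("0.0.0.0/0" if r.prefix == "default" else r.prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def policy_route(rules: List[Rule], tables: Dict[str, List[Route]],
                 dst: str, fwmark: int = 0) -> Optional[Route]:
    """Walk 'ip rule' entries in priority order; the first table with a match decides."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.fwmark is not None and rule.fwmark != fwmark:
            continue
        hit = lookup(tables[rule.table], dst)
        if hit is not None:
            return hit
    return None


# Matt's multihomed Linux router. Constructed placeholders (not from the thread):
LINE2_GW = "200.200.64.1"     # upstream router on the 200.200.64.139 line
LINE2_MARK = 2                # mark restored by CONNMARK onto reply packets
MAIN = [
    Route("192.168.0.0/24", "eth0"),
    Route("100.100.251.216/29", "eth1"),             # connected route to the office /29
    Route("200.200.64.0/24", "eth2"),                # constructed prefix length
    Route("default", "eth1", via="100.100.251.217"),
]


def reply_route(office_dst: str = "100.100.251.220", copy_connected: bool = True) -> Route:
    """Where a CONNMARKed reply to the office router leaves the Linux box.

    copy_connected=True models a 'line2' table that still carries the connected
    /29 (replies go straight out eth1, as Matt saw); False models Grant's fix,
    a table that knows only the line-2 default gateway.
    """
    line2 = [Route("default", "eth2", via=LINE2_GW)]
    if copy_connected:
        line2.append(Route("100.100.251.216/29", "eth1"))
    rules = [Rule(100, "line2", fwmark=LINE2_MARK), Rule(32766, "main")]
    return policy_route(rules, {"main": MAIN, "line2": line2}, office_dst, fwmark=LINE2_MARK)


if __name__ == "__main__":
    print("line2 table copies the /29 :", reply_route(copy_connected=True))
    print("line2 table without the /29:", reply_route(copy_connected=False))
    print("unmarked (main table only) :",
          policy_route([Rule(32766, "main")], {"main": MAIN}, "100.100.251.220"))
```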
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Wed Dec 13 05:09:53 2006
Subject: [LARTC] A word about bridging to the wise...
Message-ID: <457F77B5.9060206@riverviewtech.net>

I have seen and responded to many different bridging related firewalling questions as of late. There seems to be a common assumption that IPTables does not and / or can not see bridged traffic. This is not the case. If you enable the "Bridged IP/ARP packets filtering" (CONFIG_BRIDGE_NETFILTER) option IPTables can see and act on bridged traffic. If this is turned on and you have a default filter:FORWARD policy of DENY, or a catch-all rule of DENY, you will need to explicitly allow bridged traffic to be forwarded.

(excerpt from menuconfig)
"Enabling this option will let arptables resp. iptables see bridged ARP resp. IP traffic. If you want a bridging firewall, you probably want this option enabled."

I hope this helps others avoid problems in the future.

Grant. . . .

From rob0 at gmx.co.uk Wed Dec 13 07:06:31 2006
From: rob0 at gmx.co.uk (/dev/rob0)
Date: Wed Dec 13 07:06:44 2006
Subject: [LARTC] OpenVPN, proxy ARP for an entire subnet (Linux endpoints)
In-Reply-To: <200612111916.29306.rob0@gmx.co.uk>
References: <200612111916.29306.rob0@gmx.co.uk>
Message-ID: <200612130006.31365.rob0@gmx.co.uk>

On Monday 11 December 2006 19:16, I wrote:
> "A Tale of TTL Troubles"
>
> I was hired to implement VPN for a subnet. The owner has a /27 at his
> home site, and he wanted to have the machines there answering BOTH on
> those IP addresses and some addresses at a remote colocation
> provider.

snip

> Sorry, I'm not allowed to post details, so IP addresses are munged.
> :(

I have more information, and as it concerns my own IP addresses now, this doesn't require munging.

> HOME_SITE_NET=x.x.x.0/27 [ 0-31 ]
> HOME_DEF_GATEWAY=x.x.x.1 (I have no access to this router.)
> HOME_VPN_ENDPOINT=x.x.x.4, a/k/a y.y.y.38
>
> REMOTE_SITE_NET=y.y.y.0/24
> (out of this I was told to bind .38 on the VPN peer and route .39
> through .60 via the VPN. Sigh ... CIDR masks would have been
> nice.)
> REMOTE_DEF_GATEWAY=y.y.y.1 (I have no access to this router either.)
> REMOTE_VPN_ENDPOINT=y.y.y.37, a/k/a 192.168.255.37
> (The latter is only used for the tunnel traffic.)

(I omitted OS and kernel for this: it's CentOS 4.2 / 2.6.9-22.ELsmp.)

MyHomeNet=192.168.6.0/24 # Yes, RFC 1918, but that is not significant
MyHomeGateway=192.168.6.1 # Slamd64 10.2, 2.6.18.3 from kernel.org
MyHomeVPNpeer=192.168.6.4, a/k/a 72.9.234.116 # Slackware 10.0, 2.4.31
    # (with VMware patch, but I doubt that matters.)

MyRemoteNet=72.9.234.112/29 # .112-.114 are in use, .118 reserved
MyRemoteGateway=72.9.234.65 # no access to this machine
MyRemoteVPNpeer=72.9.234.112/26, a/k/a 192.168.6.12
    (The latter is only used for the tunnel traffic.)
    # Slackware 10.1, 2.6.10-skas3-v7 (the User-mode Linux patch)

That is correct: we have a /29 out of the /26. So the network and broadcast addresses are not a factor.

> Routing on HOME_VPN_ENDPOINT :
>
> [root@localhost ~]# ip route list
> y.y.y.39 dev eth0 scope link
> 192.168.255.37 dev tun0 proto kernel scope link src y.y.y.38
> y.y.y.40/29 dev eth0 scope link
> y.y.y.48/28 dev eth0 scope link
> x.x.x.0/27 dev eth0 proto kernel scope link src x.x.x.4
> 169.254.0.0/16 dev eth0 scope link
> default via x.x.x.1 dev eth0
> [root@localhost ~]# ip route list table colo
> default via 192.168.255.37 dev tun0 src y.y.y.38
> [root@localhost ~]# ip rule list
> 0: from all lookup local
> 32763: from y.y.y.48/28 lookup colo
> 32764: from y.y.y.40/29 lookup colo
> 32765: from y.y.y.39 lookup colo
> 32766: from all lookup main
> 32767: from all lookup default
>
> The 3 "dev eth0 scope link" routes are what was needed to cover .39
> through .60. It goes over, to .63, oh well.

Routing on MyHomeVPNpeer:

root@whn:~# ip route list
192.168.6.12 dev tun0 proto kernel scope link src 72.9.234.116
72.9.234.119 dev eth0 scope link
72.9.234.117 dev eth0 scope link
72.9.234.115 dev eth0 scope link
192.168.6.0/24 dev eth0 proto kernel scope link src 192.168.6.4
127.0.0.0/8 dev lo scope link
default via 192.168.6.1 dev eth0 metric 1
root@whn:~# ip rule list
0: from all lookup local
32762: from 72.9.234.119 lookup thanks
32763: from 72.9.234.115 lookup thanks
32764: from 72.9.234.117 lookup thanks
32765: from 72.9.234.116 lookup thanks
32766: from all lookup main
32767: from all lookup default
root@whn:~# ip route list table thanks
default via 192.168.6.12 dev tun0

Of course /proc/sys/net/ipv4/ip_forward is "1". That's also true on the ones featured in our last episode.

> One of the machines is x.x.x.6 and y.y.y.39, .49, .59, and .60 on the
> VPN. It's my guinea pig, hereinafter called "www". CentOS release 4.4
> (Final) 2.6.9-42.ELsmp on each of www and HOME_VPN_ENDPOINT; I think
> REMOTE_VPN_ENDPOINT is similar, but I don't think it's the problem.

MyHomeGateway, the Slamd64 machine, was the volunteer for our sadistic experiments. Here I do not think the fact that it's the default gateway for MyHomeVPNpeer is significant, because results prove that traffic moves in both directions through the VPN.

> [root@www ~]# ip route list
> y.y.y.0/27 dev eth0 proto kernel scope link src y.y.y.6
> 169.254.0.0/16 dev eth0 scope link
> default via y.y.y.1 dev eth0
> [root@www ~]# ip rule list
> 0: from all lookup local
> 32765: from x.x.x.32/27 lookup vpn
> 32766: from all lookup main
> 32767: from all lookup default
> [root@www ~]# ip route list table vpn
> default via y.y.y.4 dev eth0

If you don't mind I'm again going to munge my real home IP address. That's not a factor anyway.

Routes and addresses on MyHomeGateway:

root@miniluv:~# ip addr list
1: lo: mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: dummy0: mtu 1500 qdisc noop
    link/ether ce:23:26:b7:ef:0c brd ff:ff:ff:ff:ff:ff
3: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:30:48:56:ed:12 brd ff:ff:ff:ff:ff:ff
    inet 192.168.6.1/24 brd 192.168.6.255 scope global eth0
    inet 72.9.234.117/32 scope global eth0
    inet 72.9.234.115/32 scope global eth0
    inet 72.9.234.119/32 scope global eth0
       valid_lft forever preferred_lft forever
4: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:80:c8:1b:72:4c brd ff:ff:ff:ff:ff:ff
    inet my.ip.add.ress/nm brd isp.brd.cast.ip scope global eth1
       valid_lft forever preferred_lft forever
root@miniluv:~# ip route list
192.168.6.0/24 dev eth0 proto kernel scope link src 192.168.6.1
isp.su.bn.et/nm dev eth1 proto kernel scope link src my.ip.add.ress
127.0.0.0/8 dev lo scope link
default via isp.rou.ter.ip dev eth1
root@miniluv:~# ip rule list
0: from all lookup local
32763: from 72.9.234.119 lookup vpn
32764: from 72.9.234.115 lookup vpn
32765: from 72.9.234.117 lookup vpn
32766: from all lookup main
32767: from all lookup default
root@miniluv:~# ip route list table vpn
default via 192.168.6.4 dev eth0

> I tested the routing by using my own IP in an iptables -j LOG rule,
> followed by an nmap -sP of the range.

This time I did it from a third site, but to get a better picture I added logging in raw/PREROUTING too. This time the logging was at the RemoteVPNpeer rather than the local one, but anyway, it shows everything moving as expected. (LocalVPNpeer, being a 2.4.31 host, doesn't have iptable_raw.)

> [root@localhost ~]# iptables-save
> # Generated by iptables-save v1.2.11 on Mon Dec 11 09:10:27 2006
> *filter
>
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :LogVpn - [0:0]
>
> -A FORWARD -d y.y.y.32/255.255.255.224 -j LogVpn
> -A FORWARD -s y.y.y.32/255.255.255.224 -j LogVpn
> -A LogVpn -s my.IP.add.ress -j LOG --log-prefix "5Vpn IN: "
> -A LogVpn -d my.IP.add.ress -j LOG --log-prefix "5Vpn OUT: "
> COMMIT
> # Completed on Mon Dec 11 09:10:27 2006

Here I'll only show the significant parts of iptables-save on RemoteVPNpeer:

# Generated by iptables-save v1.2.11 on Wed Dec 13 04:17:29 2006
*raw
:PREROUTING ACCEPT [149316:38901352]
:OUTPUT ACCEPT [155833:112104141]
-A PREROUTING -s 72.9.234.112/29 -d 3rd.par.ty.IP -j LOG --log-prefix "3-raw OUT: "
-A PREROUTING -s 3rd.par.ty.IP -d 72.9.234.112/29 -j LOG --log-prefix "3-raw IN: "
COMMIT
[ ... ]
# Generated by iptables-save v1.2.11 on Wed Dec 13 04:17:29 2006
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
[ ... ]
-A INPUT -j Reject
-A FORWARD -s 3rd.par.ty.IP -j LogVpn
-A FORWARD -d 3rd.par.ty.IP -j LogVpn
[ ... ]
-A LogVpn -s 3rd.par.ty.IP -d 72.9.234.112/29 -j LOG --log-prefix "3-filter IN: "
-A LogVpn -s 72.9.234.112/29 -d 3rd.par.ty.IP -j LOG --log-prefix "3-filter OUT: "
-A LogVpn -j ACCEPT
[ ... ]

So, every packet is logged twice, once in raw and once in filter. And to ensure that all requests are replied to, everything from 3rd.par.ty.IP is accepted before any other filter/FORWARD rules.

> Results of the scan: all but y.y.y.39 were up. Logs: um, rather than
> ask you to pick through all that, I'll summarise:

Results of the scan from 3rd.par.ty.IP of 72.9.234.115-119 showed all but .118 up. And the logs were pristine: "raw IN:" and "filter IN:" for each ICMP echo and HTTP request in perfect numeric sequence. After those were similarly-arranged "raw OUT:" and "filter OUT:" logs for ICMP and HTTP replies. The IN: packets all came in eth0, the OUT: ones all went out tun0, and the filter ones showed both interfaces properly.

What is the difference here? Mainly OS and kernel, I think. Did I miss anything?

So, any input here at all? Could this be an obscure bug in the Centos (RHEL) kernels? How to proceed?
--
Offlist mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header

From gtaylor at riverviewtech.net Wed Dec 13 07:40:00 2006
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Wed Dec 13 08:02:36 2006
Subject: [LARTC] SIP, NAT, and load balancing problems
In-Reply-To: <457EC047.7090404@wirelessmundi.com>
References: <457EC047.7090404@wirelessmundi.com>
Message-ID: <457FA040.4050807@riverviewtech.net>

On 12/12/06 08:44, François Delawarde wrote:
> I have a linux machine with a SIP server (Asterisk) and 2 WAN interfaces
> (NATed) configured to do load balancing. I experienced problems with the
> SIP/RTP protocols and load balancing, because when initiating a call to
> an external SIP Host, a new RTP flow starts from the server to the Host,
> that sometimes uses another default route (due to the nexthop
> configuration). As I have two different public IPs, the external host
> gets confused while receiving flows from different IPs, and doesn't work
> (or sometimes we only have one-way communication).

IMHO this is what I would expect SIP VoIP traffic to do in this scenario.

> What I basically want is to force all traffic from my SIP server to pass
> by a unique WAN interface (eth2), or to find a solution that would force
> multiple sessions from the same IP to use the same WAN interface.
> Reading various forums and mailing lists, I decided to try to do "output
> re-routing" to all traffic sent to the wrong interface:
>
> (5060 is the SIP port and 10000-20000 are the possible RTP ports)
> The redirection is working, but the source port is changed by the
> MASQUERADE, and this doesn't work with SIP/RTP, which contain reply
> information (ip/port) inside its packets.

If Asterisk is running directly on the firewall box, why are you even MASQUERADEing or SNATing the packets? Why not have Asterisk bind directly to the external IP? This way MASQUERADE will not get in your way as far as changing the ports on you.

> Even with SNAT or MASQUERADE rules, the source IP of the packet is not
> changed when using these ROUTE targets, the router connected to eth2
> then drops the packets.

Sorry, I have not worked with the ROUTE target so I can not help.

> Below you can find my network configuration (rules, routes and
> addresses). Anyone has an idea of how I could resolve this problem?

I'm looking, but for some reason I can not find it. ;)

Some things to consider:
- Set up a routing table just for Asterisk.
- Identify Asterisk traffic via MARKed packets.
- MARK the packets based on the OWNER match extension. To do this Asterisk would need to run as its own user, which should not be a problem.

Grant. . . .

From linux at arcoscom.com Wed Dec 13 09:31:05 2006
From: linux at arcoscom.com (ArcosCom Linux User)
Date: Wed Dec 13 09:28:47 2006
Subject: [LARTC] Re: iptables 1.3.7, kernel 2.6.19, ROUTE and Layer7 issues
In-Reply-To: <457E6997.1050001@trash.net>
References: <54905.84.123.236.132.1165866276.squirrel@www.arcoscom.com> <57631.195.55.244.106.1165911878.squirrel@www.arcoscom.com> <457E6997.1050001@trash.net>
Message-ID: <36479.195.55.244.106.1165998665.squirrel@www.arcoscom.com>

Thanks for your response.

I'm using multiple gateways for internet connection and having problems with random disconnection, and I don't use ROUTE usually, but I was trying to force only one gateway for one type of traffic (for which the clients lose connections and are having issues).

I know I can use -j MARK or -j CONNMARK and this mark to filter, but I'm using marks for other purposes and I can't use them for routing.

The box is a dual Xeon and the kernel has been compiled SMP enabled.

I haven't tested ROUTE yet with this kernel (2.6.19), but with 2.6.18.x I was having a problem with -j ROUTE in the -t mangle POSTROUTING chain.

Perhaps ROUTE needs a more in-depth revision? Would it help more if I report the bug in netfilter-bugzilla?

Thanks a lot.

On Tue, 12 December 2006, 9:34, Patrick McHardy wrote:
> ArcosCom Linux User wrote:
>> On Mon, 11 December 2006, 20:44, ArcosCom Linux User wrote:
>>
>>> Hi, I'm having problems with this configuration:
>>>  iptables 1.3.7 (vanilla or repackaged for fc5)
>>>  kernel 2.6.19 (vanilla)
>>>  ROUTE 1.11 (last pom-ng)
>>>  layer7-filter 2.6 (last in sf.net)
>>>  connlimit (last pom-ng)
>>>
>>> When I try to use -j ROUTE in any chain in mangle table I have this
>>> error:
>>>
>>> [root@myhost ~]# iptables -v -t mangle -A POSTROUTING -p tcp --dport msnp -j ROUTE --gw $chat_gw
>>> ROUTE tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:1863 ROUTE gw:80.32.61.1
>>> iptables: Invalid argument
>>>
>>> [root@myhost ~]# dmesg | grep "ROUTE"
>>> ipt_ROUTE: targinfosize 0 != 40
>
>
> The ROUTE target needs to set the targetsize field in struct ipt_target.
> It probably needs other adjustments for 2.6.19 as well. I would just use
> normal policy routing ..
>
>

From kaber at trash.net Wed Dec 13 09:38:21 2006
From: kaber at trash.net (Patrick McHardy)
Date: Wed Dec 13 09:38:50 2006
Subject: [LARTC] Re: iptables 1.3.7, kernel 2.6.19, ROUTE and Layer7 issues
In-Reply-To: <36479.195.55.244.106.1165998665.squirrel@www.arcoscom.com>
References: <54905.84.123.236.132.1165866276.squirrel@www.arcoscom.com> <57631.195.55.244.106.1165911878.squirrel@www.arcoscom.com> <457E6997.1050001@trash.net> <36479.195.55.244.106.1165998665.squirrel@www.arcoscom.com>
Message-ID: <457FBBFD.6060009@trash.net>

ArcosCom Linux User wrote:
> Thanks for your response.
>
> I'm using multiple gateways for internet connection and having problems
> with random disconnection, and I don't use ROUTE usually, but I was trying to
> force only one gateway for one type of traffic (for which the clients lose
> connections and are having issues).
>
> I know I can use -j MARK or -j CONNMARK and this mark to filter, but I'm
> using marks for other purposes and I can't use them for routing.

Everything using marks supports bitmasks in 2.6.19.

> The box is a dual Xeon and the kernel has been compiled SMP enabled.
>
> I haven't tested ROUTE yet with this kernel (2.6.19), but with 2.6.18.x I
> was having a problem with -j ROUTE in the -t mangle POSTROUTING chain.
>
> Perhaps ROUTE needs a more in-depth revision?

As I said, it needs to fill in the targetsize field and probably needs to adjust the target function signature.

> Would it help more if I report the bug in netfilter-bugzilla?

It's still down, but the ROUTE patch is unmaintained anyway.

From linux at arcoscom.com Wed Dec 13 10:12:50 2006
From: linux at arcoscom.com (ArcosCom Linux User)
Date: Wed Dec 13 10:10:13 2006
Subject: [LARTC] Re: iptables 1.3.7, kernel 2.6.19, ROUTE and Layer7 issues
In-Reply-To: <457FBBFD.6060009@trash.net>
References: <54905.84.123.236.132.1165866276.squirrel@www.arcoscom.com> <57631.195.55.244.106.1165911878.squirrel@www.arcoscom.com> <457E6997.1050001@trash.net> <36479.195.55.244.106.1165998665.squirrel@www.arcoscom.com> <457FBBFD.6060009@trash.net>
Message-ID: <44824.195.55.244.106.1166001170.squirrel@www.arcoscom.com>

Then, the actual, updated and maintained substitute for ROUTE is using CONNMARK and/or MARK and then adding filters/rules to the routing table with ip. Am I right?

Sorry for my out-of-date knowledge of these things and for the "obvious" questions.

Thanks a lot.

On Wed, 13 December 2006, 9:38, Patrick McHardy wrote:
> ArcosCom Linux User wrote:
>> Thanks for your response.
>>
>> I'm using multiple gateways for internet connection and having problems
>> with random disconnection, and I don't use ROUTE usually, but I was trying
>> to
>> force only one gateway for one type of traffic (for which the clients lose
>> connections and are having issues).
>>
>> I know I can use -j MARK or -j CONNMARK and this mark to filter, but I'm
>> using marks for other purposes and I can't use them for routing.
>
> Everything using marks supports bitmasks in 2.6.19.
>
>> The box is a dual Xeon and the kernel has been compiled SMP enabled.
>>
>> I haven't tested ROUTE yet with this kernel (2.6.19), but with 2.6.18.x
>> I
>> was having a problem with -j ROUTE in the -t mangle POSTROUTING chain.
>>
>> Perhaps ROUTE needs a more in-depth revision?
>
> As I said, it needs to fill in the targetsize field and probably needs
> to adjust the target function signature.
>
>> Would it help more if I report the bug in netfilter-bugzilla?
>
> It's still down, but the ROUTE patch is unmaintained anyway.
>

From kaber at trash.net Wed Dec 13 10:17:02 2006
From: kaber at trash.net (Patrick McHardy)
Date: Wed Dec 13 10:17:19 2006
Subject: [LARTC] Re: iptables 1.3.7, kernel 2.6.19, ROUTE and Layer7 issues
In-Reply-To: <44824.195.55.244.106.1166001170.squirrel@www.arcoscom.com>
References: <54905.84.123.236.132.1165866276.squirrel@www.arcoscom.com> <57631.195.55.244.106.1165911878.squirrel@www.arcoscom.com> <457E6997.1050001@trash.net> <36479.195.55.244.106.1165998665.squirrel@www.arcoscom.com> <457FBBFD.6060009@trash.net> <44824.195.55.244.106.1166001170.squirrel@www.arcoscom.com>
Message-ID: <457FC50E.70009@trash.net>

ArcosCom Linux User wrote:
> Then, the actual, updated and maintained substitute for ROUTE is using
> CONNMARK and/or MARK and then adding filters/rules to the routing table with ip.
> Am I right?

That has always been the better way. The route target is a hack, I don't know why it exists at all.

From fdelawarde at wirelessmundi.com Wed Dec 13 11:12:19 2006
From: fdelawarde at wirelessmundi.com (François Delawarde)
Date: Wed Dec 13 11:20:45 2006
Subject: [LARTC] SIP, NAT, and load balancing problems
In-Reply-To: <457FA040.4050807@riverviewtech.net>
References: <457EC047.7090404@wirelessmundi.com> <457FA040.4050807@riverviewtech.net>
Message-ID: <457FD203.9010402@wirelessmundi.com>

Thank you for the suggestions, below are my comments:

Grant Taylor wrote:
>> The redirection is working, but the source port is changed by the
>> MASQUERADE, and this doesn't work with SIP/RTP, which contain reply
>> information (ip/port) inside its packets.
>
> If Asterisk is running directly on the firewall box, why are you even
> MASQUERADEing or SNATing the packets? Why not have Asterisk bind
> directly to the external IP? This way MASQUERADE will not get in your
> way as far as changing the ports on you.

It's actually the first thing I tried, but I need to offer service to both WAN and LAN, and Asterisk SIP cannot bind to multiple IPs. It only offers to bind to a unique IP or 0.0.0.0 (and from the feedback I got, they don't intend to implement that any time soon). I could probably run multiple instances or implement this myself, but I don't have that much talent and time to do those complicated things. :-)

>> Below you can find my network configuration (rules, routes and
>> addresses). Anyone has an idea of how I could resolve this problem?
>
> I'm looking, but for some reason I can not find it. ;)
>
> Some things to consider:
> - Set up a routing table just for Asterisk.
> - Identify Asterisk traffic via MARKed packets.
> - MARK the packets based on the OWNER match extension. To do this
> Asterisk would need to run as its own user, which should not be a
> problem.

I tried the owner match thing, maybe I did it wrong, but I end up with the same type of problems. When Asterisk needs to send traffic to the WAN, it seems to bind to one of the two WAN IPs at random, and I end up with the same NATing problems when it chooses the wrong interface/IP.

I also tried to invert that: MARK all packets that are not Asterisk, put a special rule/table for that traffic and configure the "default" (from all) routing table to only one WAN interface. I'm not 100% sure if I did it correctly, but do you think it's worth trying again? Maybe this could be the type of solution I'm looking for if only I knew a little more about that.

Do you know how a process chooses an IP when binding to 0.0.0.0? Is the kernel doing this, and how/when? Maybe I could cheat in that case, and make Asterisk or the kernel or whichever does the binding think that there is only one WAN interface.

Also do you think that I could use some help from the netfilter SIP helper? I didn't try but I think it would probably do the same.

> Grant. . . .
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

Thanks a lot for your time,
François.

From fdelawarde at wirelessmundi.com Wed Dec 13 11:33:30 2006
From: fdelawarde at wirelessmundi.com (=?ISO-8859-1?Q?Fran=E7ois_Delawarde?=) Date: Wed Dec 13 11:40:35 2006 Subject: [LARTC] SIP, NAT, and load balancing problems In-Reply-To: References: <457EC047.7090404@wirelessmundi.com> Message-ID: <457FD6FA.7090709@wirelessmundi.com> Andrew McGill wrote: > On Tuesday Dec 12, 2006 around 3:44pm, Fran?ois Delawarde wrote, > >> Hello all, >> >> I have a linux machine with a SIP server (Asterisk) and 2 WAN >> interfaces (NATed) configured to do load balancing. I experienced >> problems with the SIP/RTP protocols and load balancing, because when >> initiating a call to an external SIP Host, a new RTP flow starts from >> the server to the Host, that sometimes uses another default route >> (due to the nexthop configuration). As i have two different public >> IPs, the external host gets confused while receiving flows from >> different IPs, and doesn't work (or sometimes we only have one-way >> communication). > > There is a similar problem with openvpn which the --multihome patch in > 2.1_rc* solves (SOL_IP / IP_PKTINFO option on the socket). Unless the > application (asterisk in your case) chooses to bind a UDP socket to a > particular IP address, the routing subsystem will assign the IP > address. Since UDP is connectionless, there is no reason to use the > same IP address as the incoming 'connection'. (ip_conntrack doesn't > count.) I cannot bind Asterisk to a particular IP address, as I need to use it for both LAN and WAN, but if the routing subsystem assigns the IP, does it take into account netfilter MARK and special rules, or do you know a way to "force" this routing subsystem into assigning an IP address? I'm trying to understand when and how this IP address is chosen, and see if I can act at that level (doing NAT and ROUTE things doesn't seem to work a lot, and it's probably too "late" to work the problem. > > *You* may be able to solve the problem with some creative use of the > CONNMARK target (I didn't succeed). 
The best solution, in the absence > of a kernel hack to treat UDP as a connection-oriented protocol, is to > fix asterisk (IMHO, IANAKH). > > &:-) I was thinking of trying that along with the netfilter SIP helper, but I don't even understand how helpers work yet. If you have an idea of how I could use those things, it would also be worth trying. Thank you very much, François. From Matt at PlumSoftware.co.uk Wed Dec 13 12:15:38 2006 
From: Matt at PlumSoftware.co.uk (Matt) Date: Wed Dec 13 12:15:18 2006 Subject: [LARTC] RE: Routing & NAT Problem take #2 Message-ID: <117F5E7DA31C17478948DC39E01B948B400F66@frost.PlumSoftwareLtd.local> Cross posted to Netfilter and LARTC... Grant & ArcosCom Linux User Thanks for your replies. Firstly, one problem was with my Token Bucket Filter on one of the interfaces, as it was dropping lots of packets and stopping connections from working over that interface. This led to some strange results, with apparent partial success. Secondly, I've decided against trying to get it working over the Internet, as actually it makes better sense for us if it doesn't. (It works a little quicker.) Grant - yes, this is a weird routing issue! :) We looked at various multihoming solutions, and they either involved excessive cost with AS numbers and BGP and Cisco routers, or pointless monthly renting for a third party to do similar, and then I found that we could do something more or less the same without any of the cost using Linux... and here we are. It doesn't matter to us that users have to change IP address to use the 2nd line. We don't put users on the 2nd line unless the 1st line is broken, as it is also our office internet line! Anyway, thanks again, your comments helped me understand what was going on at the wire. Cheers! Matt On 12/12/06 04:29, Matt wrote: > I got the above working on our test bed, where users can get to the internal server 192.168.0.6 via either Internet connection. The problem is getting from our Office Network to 200.200.64.139:56100 *nod* This is a weird routing issue. (See below.) > What appears to be happening is this: > > 1. Packet is sent from internal router, arrives at 100.100.251.220, is routed through 100.100.251.217 to the Internet. > 2. Packet arrives at 200.200.64.139, DNAT'd to 192.168.0.6. > 3. Internal Server replies, sends it to its default gateway (192.168.0.254) > 4. 
Linux server sees 100.100.251.220 as destination, sends to 100.100.251.218 instead of back out of 200.200.64.139. (This is not expected as I'm marking incoming connections at the linux router using CONNMARK/MARK, and connections go in and out of the correct interface when the destination is outside the 100.100.251.216/29 network) Presuming that you are not doing any custom routing with IPRoute2, this is as I would expect. What is happening is your "Linux Multihomed Router" has a direct route back to your office's internet router. Per standard routing mechanisms, your router will choose a directly connected route, or any other (non-default) route that it knows of, over your default route. So, really your Linux router is doing what it should be doing. Unfortunately what it should be doing is not what you want it to be doing. > (Note: I don't know if the returning connections are SNAT'd back to 200.200.64.139) A simple tcpdump will tell you if this is the case or not. However, I suspect that the packets are being SNATed to 100.100.251.218. > Is there a way around this? i.e. so that the multihoming still works? Yes, multiple. One is to make your office router know that it can reach the 200.200.64.139 host via the 100.100.251.218 router. However, this is probably not what you really want to do. I say this is probably not what you want to do b/c I'm willing to bet that you are wanting to be able to test things across the internet from your office, which would be circumvented with this routing. > It seems that normal routing to the 100.100.251.216/29 network takes precedence over my connection marked rule, that would instruct the packet to be sent out over the correct interface (and maybe therefore SNAT'd correctly too). Yes (see above). This is because IPTables usually does not interact with any routing decisions. (Usually b/c IPTables can be configured to do exactly that.) IPTables usually acts on packets before and after routing decisions have been made. 
> Not sure what's going on. Can anyone point me in the correct direction? A different and probably my recommended solution (presuming that you want the traffic to cross the internet) would be to use a custom routing table for traffic that is to use the 200.200.64.139 interface. This custom routing table would not include any knowledge of the 100.100.251.218 network. Thus any traffic back to the office at 100.100.251.220 would be routed through the default gateway and out across the internet back to the office. Presuming that you have MARK and CONNMARK working correctly you could use an "ip rule" to look for the firewall mark to instruct the Linux kernel to use the alternate routing table. Grant. . . . From WBohannan at spidersat.com.gh Wed Dec 13 15:28:45 2006 
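An added example of the fix Grant recommends above; this is not code from Matt's or Grant's posts. Connections arriving on the 200.200.64.139 link get a connection mark, the mark is restored onto every later packet of those connections, and an "ip rule" sends marked packets to a private routing table whose only entry is that link's default gateway. Because that table knows nothing about the directly-connected 100.100.251.216/29 network, the replies to 100.100.251.220 go out across the internet instead of over the connected route in the main table. The interface name eth2, the gateway 200.200.64.129, table 200 and mark 0x2 are assumptions; with DRY_RUN=1 (the default) the script prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the thread). Policy routing for Matt's multihomed
# router: connections that arrive on the 200.200.64.139 link get a firewall
# mark, and marked packets are routed by a private table that holds only that
# link's default gateway. Because the table has no entry for the
# directly-connected 100.100.251.216/29 network, replies to the office
# (100.100.251.220) leave through the link they came in on.
# Assumed values: interface eth2, gateway 200.200.64.129, table 200, mark 0x2.
DRY_RUN="${DRY_RUN:-1}"        # 1 = print commands, 0 = execute (needs root)
WAN2_IF="eth2"                 # assumed: interface carrying 200.200.64.139
WAN2_GW="200.200.64.129"       # assumed: that link's upstream gateway
WAN2_TABLE="200"               # assumed: private routing table number
WAN2_MARK="0x2"                # assumed: firewall mark for that link

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Save the mark on new inbound connections, then copy it back onto every
# later packet of those connections, whether forwarded or locally generated.
mark_connections() {
    run iptables -t mangle -A PREROUTING -i "$WAN2_IF" -m state --state NEW \
        -j CONNMARK --set-mark "$WAN2_MARK"
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
}

# The private table: one default route and nothing else, consulted only for
# packets carrying the mark. The main table keeps the /29 connected route
# for everything unmarked.
build_table() {
    run ip route flush table "$WAN2_TABLE"
    run ip route add default via "$WAN2_GW" dev "$WAN2_IF" table "$WAN2_TABLE"
    run ip rule add fwmark "$WAN2_MARK" table "$WAN2_TABLE" priority 100
    run ip route flush cache
}

# Emit (or, with DRY_RUN=0, apply) the whole configuration.
setup_policy_routing() {
    mark_connections
    build_table
}

setup_policy_routing
```

Run it once with the default DRY_RUN=1 and read the command list; "ip route show table 200" after applying it should show only the default route, which is the property the whole fix depends on.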
From: WBohannan at spidersat.com.gh (William Bohannan) Date: Wed Dec 13 15:28:05 2006 Subject: [LARTC] classid, prio and position Message-ID: <4D411FB02758FE45915E9724339093F6152DCD@intranet.scpl.local> Having a problem with classid and prio and position. Wondering if someone could help? Below I have pasted a part of my current rules; now it consists of one chain and two pipes. If they both use 60Kbit, which one would get priority? Would it be the one with the better prio, or the one with the lower classid, or would it be the one which is first on the list?
/sbin/tc class add dev eth1 parent 1:1 classid 1:11 htb rate 2000kbit ceil 2000kbit prio 3 quantum 1532
/sbin/iptables -t mangle -N test-chain-eth1-1:11
/sbin/iptables -t mangle -A test-all-chains -m connmark --mark 0x44444445 -j protocop-chain-eth1-1:11
/sbin/iptables -t mangle -A test-all -m physdev --physdev-in eth0 -s 192.168.2.0/24 -d 192.168.2.0/24 -j MARK --set-mark 0x44444445
/sbin/iptables -t mangle -A test-all -m physdev --physdev-in eth0 -s 192.168.2.0/24 -d 192.168.2.0/24 -j RETURN
/sbin/tc class add dev eth1 parent 1:11 classid 1:1001 htb rate 8Kbit ceil 60Kbit prio 4 quantum 1532
/sbin/tc qdisc add dev eth1 handle 1001: parent 1:1001 sfq
/sbin/iptables -t mangle -A test-chain-eth1-1:11 -p tcp -m multiport --port 81,3003,82,10000 -j CLASSIFY --set-class 1:1001
/sbin/iptables -t mangle -A test-chain-eth1-1:11 -p tcp -m multiport --port 81,3003,82,10000 -j RETURN
/sbin/tc class add dev eth1 parent 1:11 classid 1:1002 htb rate 8Kbit ceil 60Kbit prio 2 quantum 1532
/sbin/tc qdisc add dev eth1 handle 1002: parent 1:1002 sfq
/sbin/iptables -t mangle -A test-chain-eth1-1:11 -p icmp -j CLASSIFY --set-class 1:1002
/sbin/iptables -t mangle -A test-chain-eth1-1:11 -p icmp -j RETURN
Kind Regards William From gtaylor at riverviewtech.net Wed Dec 13 16:05:34 2006 
From: gtaylor at riverviewtech.net (Taylor, Grant) Date: Wed Dec 13 16:05:24 2006 Subject: [LARTC] Routing Problem In-Reply-To: References: Message-ID: <458016BE.9010005@riverviewtech.net> Javier A Toledano wrote: > Routing Problem > The problem is that forwarding is enabled but when I try to probe > connectivity from a host in the 10.0.0.0 net, eg 10.0.0.1, making an > echo request > to a host in 192.168.10.0 net, eg 192.168.10.49, the icmp packets > arrive to the linux box (interface eth0) but don't traverse it. > After I initiate an echo request from 192.168.10.49 to 10.0.0.1, the > packets initiated in 10.0.0.0 net start to traverse the router > magically. > It seems that it needs a packet from the 192.168.10.0 to start working. > > I would appreciate any idea. I'm not a CentOS user so I can not say for sure. However I would expect (despite what you say) that there is some sort of IPTables stateful packet inspection going on from your 10/ network to your 192.168/ network. If this is indeed the case and the rule is a basic state of ESTABLISHED, RELATED, then any traffic from 10/ to 192.168/ AFTER you sent traffic from 192.168/ to 10/ would be considered RELATED and thus allowed through. However, if, as you say, there are no IPTables rules in play at all, something else is interfering with your traffic; what it would be, I'm not sure. Try running iptables-save to make sure that there are absolutely no rules in effect anywhere. Grant. . . . (Reposted to the mailing list versus directly back to the OP.) From gtaylor at riverviewtech.net Wed Dec 13 16:30:20 2006 
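An added example for the check Grant asks for above; it is not code from either poster. It reads iptables-save output and reports the two things that explain the symptom in this thread: the FORWARD chain's policy and how many FORWARD rules match on connection state. The ruleset embedded below is constructed for the example (one direction admitted only when ESTABLISHED,RELATED, the other admitted unconditionally), not the OP's configuration.

```shell
#!/bin/sh
# Added example (not from the thread): parse iptables-save output and report
# what Grant asks the OP to verify. SAMPLE_RULESET is constructed for this
# example; it is the kind of ruleset that produces the "works only after a
# packet went the other way" symptom.
SAMPLE_RULESET='# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT'

# Print the default policy of chain $1 in the filter table (stdin = iptables-save text).
chain_policy() {
    awk -v chain=":$1" '
        $0 == "*filter" { intable = 1 }
        $0 == "COMMIT"  { intable = 0 }
        intable && $1 == chain { print $2; exit }'
}

# Count rules appended to chain $1 that match on conntrack state.
count_state_rules() {
    awk -v pat="^-A $1 " '$0 ~ pat && /--state/ { n++ } END { print n + 0 }'
}

# Count every rule in the dump, regardless of table or chain.
count_rules() {
    awk '/^-A / { n++ } END { print n + 0 }'
}

# One-line verdict: "no rules at all" means the filter table is not the
# cause; a stateful FORWARD rule means one direction is only opened once
# traffic has gone the other way.
diagnose() {
    text="$(cat)"
    policy="$(printf '%s\n' "$text" | chain_policy FORWARD)"
    stateful="$(printf '%s\n' "$text" | count_state_rules FORWARD)"
    if [ "$(printf '%s\n' "$text" | count_rules)" = "0" ]; then
        echo "no filter rules: the filter table is not what blocks the traffic"
    elif [ "$stateful" -gt 0 ]; then
        echo "FORWARD policy $policy with $stateful stateful rule(s): one direction is only opened by the other"
    else
        echo "FORWARD policy $policy, no stateful rules"
    fi
}

printf '%s\n' "$SAMPLE_RULESET" | diagnose
```

On a real box, run "iptables-save | sh -c '. ./this-script; diagnose'" or simply pipe iptables-save into the diagnose function; an empty rule count is the "absolutely no rules" condition Grant wants confirmed.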
From: gtaylor at riverviewtech.net (Taylor, Grant) Date: Wed Dec 13 16:30:11 2006 Subject: [LARTC] SIP, NAT, and load balancing problems In-Reply-To: <457FD203.9010402@wirelessmundi.com> References: <457EC047.7090404@wirelessmundi.com> <457FA040.4050807@riverviewtech.net> <457FD203.9010402@wirelessmundi.com> Message-ID: <45801C8C.5040804@riverviewtech.net> François Delawarde wrote: > Thank you for suggestions, below are my comments: You are welcome. > It's actually the first thing I tried, but as I need to offer service to > both WAN and LAN, and the Asterisk SIP cannot bind to multiple IPs. It > only offers to bind it to a unique IP or 0.0.0.0 (and from the feedback > I got, they don't intend to implement that any time soon). I could > probably run multiple instances or implement this myself, but I don't > have that much talent and time to do those complicated things. :-) Um, I'm going to have to disagree with you. I have run Asterisk in the past (in production) where it would bind to multiple IPs. The only caveat that I can think of is that it may only bind to one IP in a subnet, or some other strangeness with this. .... I just logged in to a colleague's system that is running Asterisk for about 4 different subnets on one system. Asterisk is bound to 0.0.0.0 so that it can serve any and all subnets. If you would like help configuring Asterisk to bind to multiple subnets let me know (via direct email) and I'll be glad to try to help. > I tried the owner match thing, maybe I did it wrong, but I end up with > the same type of problems. When Asterisk needs to send traffic to WAN, > it seems to bind to one of the two WAN IPs at random, and I end up with > the same NATing problems when it chooses the wrong interface/IP. I also > tried to inverse that: MARK all packets that are not Asterisk, put a > special rule/table for that traffic and configure the "default" (from all) > routing table to only one WAN interface. 
I'm not 100% sure if I did it > correctly, but do you think it's worth trying again? If Asterisk is only listening to one IP and you are routing to get to your other network, you could end up with some really weird issues that will be very difficult to overcome, probably MUCH harder than resolving the issue with Asterisk only binding to one interface. > Maybe this could be the type of solution I'm looking for if only I knew > a little more about that. Do you know how a process chooses an IP when > binding to 0.0.0.0? Is the kernel doing this, and how/when? Maybe I > could cheat in that case, and make Asterisk or the kernel or whichever > does the binding think that there is only one WAN interface. As I understand it, when processes let the system choose the proper IP to use, the system will choose the IP that is associated with the closest route to the destination. In short, if the target is on Subnet A, then the IP for Subnet A will be used. If the target is on Subnet B, then the IP for Subnet B will be used. > Also do you think that I could use some help from the netfilter SIP > helper? I didn't try but I think it would probably do the same. I'm not familiar with the SIP connection tracking helper. However, I do believe it would be worth your time to investigate it to see if it will help you. If you do continue to SNAT / MASQUERADE your outbound SIP traffic, there is a good chance that the SIP helper will indeed help. This is of course presuming that the SIP helper is meant to help the SNAT / MASQUERADE module correctly choose the information that gets put into packets. Think about how the FTP connection tracking helper works when dealing with active / passive data streams and ports. Grant. . . . From arik.funke at gmx.de Wed Dec 13 18:55:47 2006 
From: arik.funke at gmx.de (Arik Raffael Funke) Date: Wed Dec 13 18:56:26 2006 Subject: [LARTC] ipp2p Problem Message-ID: Hello, can anybody interpret what the following means: [root@funke ipp2p-0.8.0]# iptables -t mangle -A MarkList0x666-ipp2p -p tcp -m ipp2p --edk -j MarkSet0x666 iptables: Unknown error 4294967295 ----- I have installed ipp2p-0.8.0 via: make copied ipt_ipp2p.ko to my kernel lib dir copied libipt_ipp2p.so to my iptables lib dir insmod ipt_ipp2p gives the following in dmesg: IPP2P v0.8.0 loading iptables -m ipp2p --help shows as expected the help for ipp2p But the command given at the beginning does not work. It gives in dmesg: ip_tables: ipp2p match: invalid size 0 != 8 Thanks for the help! Regards, Arik From kajtek at biezanow.net Wed Dec 13 19:24:01 2006 From: kajtek at biezanow.net (Kajetan Staszkiewicz) Date: Wed Dec 13 19:24:37 2006 Subject: [LARTC] ipp2p Problem In-Reply-To: References: Message-ID: <200612131924.02032.kajtek@biezanow.net> On Wednesday, 13 December 2006 18:55, Arik Raffael Funke wrote: > But the command given at the beginning does not work. It gives in dmesg: > ip_tables: ipp2p match: invalid size 0 != 8 I had the same problems when I had too new a kernel with too old an ipp2p. Try 0.8.2. -- | pozdrawiam / greetings | powered by Trustix, Gentoo and FreeBSD | | Kajetan Staszkiewicz | jabber,email,www: vegeta()tuxpowered net | | Vegeta | IMQ devnames: http://tuxpowered.net | `------------------------^------------------------------------------' From gtaylor at riverviewtech.net Wed Dec 13 21:48:33 2006 
From: gtaylor at riverviewtech.net (Grant Taylor) Date: Wed Dec 13 21:48:26 2006 Subject: [LARTC] SIP, NAT, and load balancing problems In-Reply-To: <45803576.3020902@wirelessmundi.com> References: <457EC047.7090404@wirelessmundi.com> <457FA040.4050807@riverviewtech.net> <457FD203.9010402@wirelessmundi.com> <45801C8C.5040804@riverviewtech.net> <45803576.3020902@wirelessmundi.com> Message-ID: <45806721.7020504@riverviewtech.net> François Delawarde wrote: > What I meant is that people (in #asterisk on freenode) told me that > Asterisk could be bound to a unique IP, or to all IPs (binding it to > 0.0.0.0). But if you know a way to bind it to only some IPs, then yeah! > I need your help :-) I guess we need to put something in the bindaddr > parameter of sip.conf. Right now I have: > > [general] > bindaddr=0.0.0.0 > > I have 3 IPs in 3 interfaces: > eth0 (LAN): 192.168.10.1 > eth1 (WAN): 192.168.1.2 (gw 192.168.1.1) > eth2 (WAN): 192.168.2.2 (gw 192.168.2.1) > > How can I bind Asterisk SIP to 192.168.10.1 and 192.168.2.2 only, to > work around my load balancing problem? I'll email you off the mailing list as this does not pertain to LARTC. >> If Asterisk is only listening to one IP and you are routing to get to >> your other network, you could end up with some really weird issues >> that will be very difficult to overcome, probably MUCH harder than >> resolving the issue with Asterisk only binding to one interface. > > I don't really understand what you mean, but that's right, I have really > weird issues. What I was saying is that if Asterisk is only bound to one IP address, be it loopback, eth0, eth1, or even a dummy0 interface, you will have to route traffic to that address. If you can indeed only bind Asterisk to only one IP address or all IP addresses on the system, I would recommend that you use DummyNet to bind Asterisk to. However this may be a problem later when NATing comes into play. (More on this later.) 
Supposing that you bind Asterisk to the dummy0 interface, either all equipment will need to itself know how, or the default router for the equipment will need to know how, to reach the subnet on the dummy0 interface. This usually means that you will have to have the default gateway for all client systems / phones know how to reach the subnet on the dummy0 interface. I.e. the default gateway will have to have a route to the subnet on the dummy0 interface via the interface on the Asterisk box facing the router(s). Consider:

                    +----------------------+
                    |     Asterisk Box     |
                    |         [A.B.C.D/NM]-|---(INet)
(192.168.0.0/24)---|-[192.168.0.254/24]   |
                    |   [192.2.0.254/24]   |
                    |          |           |
                    +----------------------+
                               |
                            [dummy0]

In this case, 192.168.0.254/24 is the LAN, the internet is its own IP, and 192.2.0.254/24 is assigned to the dummy0 interface. If you bind Asterisk to the 192.2.0.254 IP on the dummy0 interface, you will have to route all traffic that is to or from Asterisk into and out of the dummy0 network. Now that you can easily see that you would have to route traffic into and out of the dummy0 interface, I can probably better explain the weird routing issue that you have. You are binding Asterisk to an IP on your system. No matter what IP you bind Asterisk to, traffic from any other subnet will have to be routed to that subnet to reach Asterisk. With this in mind, now consider if you bind Asterisk to one WAN interface: traffic to / from your LAN or the other WAN interface will have to be routed to be able to reach Asterisk. If you bind Asterisk to the LAN interface, traffic to / from either WAN will have to be routed to be able to reach Asterisk. Usually routing traffic is not an issue. However, as you have pointed out, when you MASQUERADE traffic as it leaves either of your WAN interfaces, the port numbers are changed, thus breaking your SIP connection. So, you need to be able to not alter the SIP packet stream. 
So, what you need to really do is only alter traffic that is not originating / terminating on your firewall. You could do this a few different ways. Probably the easiest way would be to not MASQUERADE any traffic, save for traffic that originates on your LAN, not the firewall / Asterisk box itself. You will probably also need to do something to make sure that your SIP traffic is not subject to load balancing. If you set up some sort of identifier for your SIP traffic, say locally originated / terminated, you could use a custom routing table to not load balance the traffic via multiple next hops. One advantage of having Asterisk bind to a completely different IP, i.e. on the dummy0 interface, is that you could set up a rule that looked for source or target IPs in the subnet on dummy0 as a VERY easy and clear identifier, as the traffic would belong to Asterisk. > What happens in my case, where default subnet (0.0.0.0/0 subnet) has two > IPs (2 WAN with load balancing)? And do you know at what moment this IP > is chosen? Do you think I can trick the routing subsystem (or whoever > decides the IP) to force the decision? Sorry, I don't know what moment the decision is made. Nor do I think you could "trick" the routing subsystem once it has made a decision. Sure, you can do some things to override which interface is used to carry out the decision that was made. I think what would be better would be to influence / control the possibilities that the routing subsystem has to choose from. > I'll try to check on that, if I can't resolve the issue with Asterisk > bindings. *nod* Grant. . . . From gtaylor at riverviewtech.net Wed Dec 13 22:57:44 2006 
From: gtaylor at riverviewtech.net (Grant Taylor) Date: Wed Dec 13 22:57:35 2006 Subject: [LARTC] SIP, NAT, and load balancing problems In-Reply-To: <005501c71efb$745d61d0$0101010a@lamachine> References: <005501c71efb$745d61d0$0101010a@lamachine> Message-ID: <45807758.7000702@riverviewtech.net> Rangi Biddle wrote: > What do you think of perhaps Francois using SER? Well, I don't have a problem with SIP Express Router and / or / versus Asterisk (or any other SIP Soft Switch for that matter); however, I think the OP will still be facing the same problem. That problem being binding a daemon to a single IP address and routing traffic to / from it without messing up the packets. I am going to presume that Asterisk and / or SER will only be bound to a specific interface, not all of them. I'm not sure why the OP only wants to bind Asterisk to a single interface versus all of them, though I'm going to guess that s/he has a good reason for doing so. It may be a case that Asterisk as the soft switch should be bound to the internal interface and SER bound to the external interface. This way, the SIP traffic can be passed through both interfaces natively, via both daemons. However, I think this would be more undue complexity for very little gain. Grant. . . . From cemeyer2 at uiuc.edu Wed Dec 13 23:07:46 2006 
From: cemeyer2 at uiuc.edu (Charlie Meyer) Date: Wed Dec 13 23:07:55 2006 Subject: [LARTC] load balancing Message-ID: <003d01c71f03$1f68bff0$fe0a10ac@MURPHY> I've set up a working linux router with load balancing as per the lartc guide. Everything is working properly, except that the load balancing does not seem to balance the load equally. The first line gets about 60% of the incoming load, the 2nd line gets about 40%, and the 3rd line hardly gets any of it at all. The outgoing load is evenly balanced among all three lines. I did not set any weights when I set up the route, so this is confusing to me. BTW, I have been using ntop as well as ibmonitor to view the load over each line. When I have tried setting weights, such as 1 for the first line, 2 for the second line, and 4 for the second line, it still doesn't balance correctly. I am using fedora core 6 with all the latest packages and kernel as per yum. Any ideas here would be greatly appreciated. Thanks -charlie From gtaylor at riverviewtech.net Wed Dec 13 23:42:03 2006 
From: gtaylor at riverviewtech.net (Grant Taylor) Date: Wed Dec 13 23:41:52 2006 Subject: [LARTC] load balancing In-Reply-To: <003d01c71f03$1f68bff0$fe0a10ac@MURPHY> References: <003d01c71f03$1f68bff0$fe0a10ac@MURPHY> Message-ID: <458081BB.7020909@riverviewtech.net> Charlie Meyer wrote: > I've set up a working linux router with load balancing as per the lartc > guide. Everything is working properly, except that the load balancing > does not seem to balance the load equally. The first line gets about > 60% of the incoming load, the 2nd line gets about 40%, and the 3rd > line hardly gets any of it at all. The outgoing load is evenly balanced > among all three lines. > > I did not set any weights when I set up the route, so this is confusing > to me. BTW, I have been using ntop as well as ibmonitor to view the load > over each line. > > When I have tried setting weights, such as 1 for the first line, 2 for > the second line, and 4 for the second line, it still doesn't balance > correctly. > > I am using fedora core 6 with all the latest packages and kernel as per yum. > > Any ideas here would be greatly appreciated. Keep in mind that you do not have any control of the traffic that is inbound to you. The only thing that you can control is the traffic that you send. So, what is probably happening is that your system is load balancing the outbound traffic, which is being replied to by the server. Consider you have 3 connections, one outbound request each. Unless you are dealing with globally routable IP addresses behind your system and are not NATing at your system, responses to outbound requests will come back in to the same IP that the request originated from. With that in mind, consider one reply being a 512 byte response, one reply being a 1k byte response, and one reply being a 20k byte response. In this case, one connection will receive 512 bytes, another 1k bytes, and the last 20k bytes. 
I think we can all agree that this is FAR from a load balanced scenario. However, we do not have any control over the reverse route; this is at best our providers' control. If each link is with a different provider, there is no way to load balance the traffic back to our system. If, by chance, the links are all with one provider and they are willing to work with you and you do not have any reverse path filtering in place, the provider could spread the load across all the links evenly. However, this is way beyond the scope of "Load Balancing" under Linux, or anything else for that matter, and thus is more or less just accepted. If you would like, I can go into more depth as to why this does not work as is and what would have to be done to make this work. Incidentally, this is also why QoS does not really work well on inbound. Grant. . . . From gtaylor at riverviewtech.net Wed Dec 13 23:44:28 2006 From: gtaylor at riverviewtech.net (Grant Taylor) Date: Wed Dec 13 23:44:18 2006 Subject: [LARTC] SIP, NAT, and load balancing problems In-Reply-To: <005601c71f02$90779460$0101010a@lamachine> References: <005601c71f02$90779460$0101010a@lamachine> Message-ID: <4580824C.7010803@riverviewtech.net> Rangi Biddle wrote: > I was thinking more along the lines of using SER as a proxy that would proxy > the WAN connections to Asterisk. Without knowing the number of connections > Francois is expecting to receive on the WAN interface it may or may not be > the solution to his issue, but if he does have a large amount of > connections it would allow him to scale the system as needed by installing > more SER systems. *nod* Now you are talking more about the scalability of a Linux based VoIP solution, which is beyond the scope of the LARTC. Granted, LARTC will have a role in such a solution, but that role is just one small piece of the overall much larger solution. Grant. . . . From kaber at trash.net Wed Dec 13 23:57:11 2006 
From: kaber at trash.net (Patrick McHardy) Date: Wed Dec 13 23:53:50 2006 Subject: [LARTC] SIP, NAT, and load balancing problems In-Reply-To: <457FD6FA.7090709@wirelessmundi.com> References: <457EC047.7090404@wirelessmundi.com> <457FD6FA.7090709@wirelessmundi.com> Message-ID: <45808547.3080109@trash.net> François Delawarde wrote: > I was thinking of trying that along with the netfilter SIP helper, but I > don't even understand how helpers work yet. If you have an idea of how I > could use those things, it would also be worth trying. Just load ip_nat_sip, it should adjust the SDP information according to the NATing done on the connection. You need to make sure though that the RTP stream really does use the same connection (and NAT) as the SIP connection, which is best done by using CONNMARK and fwmark based routing. From linux at arcoscom.com Thu Dec 14 01:51:13 2006 
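An added example of what Patrick describes, put together with Grant's earlier point that only LAN-originated traffic should be masqueraded; it is not code from any post in this thread. The interface addresses and gateways are the ones François posted (eth0 192.168.10.1 LAN, eth1 via 192.168.1.1, eth2 via 192.168.2.1); the LAN subnet 192.168.10.0/24, table numbers 101/102 and marks 0x1/0x2 are assumptions. The mark is saved on the first packet of each connection (by input interface for inbound calls, by output interface for calls the box itself places), restored on every later packet, and each mark selects a table with only that link's default route. In 2.6 kernels with conntrack mark support an RTP connection expected by the SIP helper is created with its SIP master's connmark, which is what makes the RTP flow follow the SIP signalling onto the same link and the same NAT mapping.

```shell
#!/bin/sh
# Added example (not from any post in the thread). Keep a call's RTP on the
# same WAN link, and under the same NAT, as its SIP signalling: per-link
# routing tables selected by a connection mark, the SIP NAT helper loaded,
# and MASQUERADE applied only to LAN-originated traffic.
# Interface/gateway values are from François's post; LAN subnet, table
# numbers and marks are assumed.
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print commands, 0 = execute (root)
LAN_NET="192.168.10.0/24"               # assumed LAN behind eth0 (192.168.10.1)
WAN1="eth1 192.168.1.1 101 0x1"         # iface gateway table mark
WAN2="eth2 192.168.2.1 102 0x2"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The SIP NAT helper rewrites SDP addresses/ports to match the NAT applied
# to the SIP connection; that only helps if RTP takes the same path.
load_sip_helper() {
    run modprobe ip_conntrack_sip
    run modprobe ip_nat_sip
}

# One routing table per link, each holding just that link's default route,
# selected by firewall mark. The main table keeps the load-balanced default.
per_link_tables() {
    for link in "$WAN1" "$WAN2"; do
        set -- $link
        run ip route add default via "$2" dev "$1" table "$3"
        run ip rule add fwmark "$4" table "$3"
    done
}

# Remember which link a new connection used and restore that mark on all of
# its later packets. An RTP flow expected by the SIP helper starts with the
# SIP connection's connmark, so its first packet is routed by the same
# table before the load-balanced nexthop route is ever consulted.
sticky_marks() {
    for link in "$WAN1" "$WAN2"; do
        set -- $link
        run iptables -t mangle -A PREROUTING -i "$1" -m state --state NEW \
            -j CONNMARK --set-mark "$4"
        run iptables -t mangle -A POSTROUTING -o "$1" -m state --state NEW \
            -j CONNMARK --set-mark "$4"
    done
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
}

# Masquerade only what the LAN sends; packets the Asterisk box itself sends
# already carry the address of the link the routing table chose.
lan_only_masquerade() {
    for link in "$WAN1" "$WAN2"; do
        set -- $link
        run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$1" -j MASQUERADE
    done
}

configure() {
    load_sip_helper
    per_link_tables
    sticky_marks
    lan_only_masquerade
}

configure
```

The "--restore-mark" in mangle OUTPUT is the piece that matters for locally generated RTP: the kernel re-routes a locally generated packet whose mark changed in that chain, so the second and later packets of a marked connection, and the first packet of an expected RTP flow, use the per-link table rather than the balanced default.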
From: linux at arcoscom.com (ArcosCom Linux User) Date: Thu Dec 14 01:48:25 2006 Subject: [LARTC] Layer7 module doesn't detect nothing on my bridge with a 2.6.18.3 kernel In-Reply-To: <457E842A.5010200@wanadoo.fr> References: <457E842A.5010200@wanadoo.fr> Message-ID: <57744.84.123.236.186.1166057473.squirrel@www.arcoscom.com> With: linux-2.6.18.5 iptables-1.3.7 layer7-2.7 It is working fine (normal and SMP configs); with linux-2.6.19.x it is not. See:
Chain PREROUTING (policy ACCEPT 174K packets, 91M bytes)
num pkts bytes target prot opt in out source destination
1 13957 1482K 0 -- * * 0.0.0.0/0 0.0.0.0/0 ipp2p v0.8.2 --ipp2p
2 81516 66M 0 -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto edonkey
Regards On Tue, 12 December 2006, 11:27, Sébastien CRAMATTE wrote: > Hello > > I've set up a QOS bridge under debian 3.1 using 2.6.18.3 kernel + > iptables 1.3.6 > > I've patched the kernel and iptables with esfq+layer7 without problems. > > > This simple script doesn't log anything ... And I'm sure to have eMule > traffic (I've checked with tcpdump ) > If I remove " -m layer7 --l7proto edonkey \" line I can see > iptables log in /var/log/kern.log > I've tested with other protocols like skype or messenger ... layer7 filter > seems to be simply ignored ... > > Syslog or kern.log still empty ... 
> > #!/bin/sh > > DEV=eth0 > BR=br0 > SHAPPER=CPE > > iptables -t mangle -N ${SHAPPER} > iptables -t mangle -A POSTROUTING -o ${BR} > -m physdev --physdev-out ${DEV} > \-j ${SHAPPER} > > iptables -t mangle -A ${SHAPPER} \ > -m layer7 --l7proto edonkey \ > -j LOG --log-prefix eMule > > As you can see below my eth0 and eth1 interface are not in PROMISC mode > because > I use physdev module and user iptables chain to redirect all traffic > > #ifconfig > > br0 Link encap:Ethernet HWaddr 00:30:48:87:99:28 > inet addr:xxx.xxx.xxx.xxx Bcast: xxx.xxx.xxx.xxx Mask:255.255.255.0 > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 > RX packets:146572 errors:0 dropped:0 overruns:0 frame:0 > TX packets:14813 errors:0 dropped:0 overruns:0 carrier:0 > collisions:0 txqueuelen:0 > RX bytes:13160188 (12.5 MiB) TX bytes:2391735 (2.2 MiB) > > eth0 Link encap:Ethernet HWaddr 00:30:48:87:99:28 > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 > RX packets:588665 errors:0 dropped:0 overruns:0 frame:0 > TX packets:226155 errors:0 dropped:0 overruns:0 carrier:0 > collisions:0 txqueuelen:100 > RX bytes:170415971 (162.5 MiB) TX bytes:138342082 (131.9 MiB) > Base address:0xc000 Memory:f2000000-f2020000 > > eth1 Link encap:Ethernet HWaddr 00:30:48:87:99:29 > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 > RX packets:211410 errors:0 dropped:0 overruns:0 frame:0 > TX packets:566435 errors:0 dropped:0 overruns:0 carrier:0 > collisions:0 txqueuelen:100 > RX bytes:135919959 (129.6 MiB) TX bytes:162558207 (155.0 MiB) > Base address:0xd100 Memory:f1000000-f1020000 > > # lsmod > Module Size Used by > ipt_ipp2p 6400 0 > ipt_LOG 5248 2 > xt_multiport 2176 4 > ipt_layer7 8840 14 > cls_u32 5636 6 > sch_esfq 4736 10 > xt_CLASSIFY 1024 28 > xt_limit 1280 0 > ipt_TOS 1152 0 > xt_length 1152 6 > ipt_tos 896 2 > sch_htb 12544 2 > xt_physdev 1808 2 > floppy 44580 0 > e1000 100032 0 > ehci_hcd 22152 0 > uhci_hcd 16012 0 > usbcore 86148 3 ehci_hcd,uhci_hcd > i82875p_edac 3332 0 > dm_mod 34488 5 > rtc 6708 0 > 
> > > Any Ideas > Thanks for your help > > Regards > > Sébastien > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > From s.cramatte at wanadoo.fr Thu Dec 14 02:35:08 2006 
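Sébastien's own follow-up in this thread traces the silent non-match to connection tracking not being loaded: the layer7 match depends on conntrack but does not pull it in itself, so the module loads and nothing ever matches. An added check a practitioner could run before loading rules like the script quoted above (not code from either poster): it reads lsmod output and reports whether ipt_layer7 has a conntrack module beside it, looking for ip_conntrack (the 2.6.18-era name) or nf_conntrack (the later name). LSMOD_POSTED is an abbreviated copy of the listing Sébastien posted; LSMOD_FIXED is the same listing with a conntrack line constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Verify, from lsmod output, that the
# layer7 match has a connection tracker loaded next to it: without one it
# loads cleanly but never matches, which is the symptom in this thread.
# LSMOD_POSTED is abbreviated from Sébastien's post; LSMOD_FIXED is constructed.
LSMOD_POSTED='Module Size Used by
ipt_ipp2p 6400 0
ipt_LOG 5248 2
xt_multiport 2176 4
ipt_layer7 8840 14
cls_u32 5636 6
sch_esfq 4736 10
xt_CLASSIFY 1024 28
xt_limit 1280 0
sch_htb 12544 2
xt_physdev 1808 2
e1000 100032 0'

LSMOD_FIXED="$LSMOD_POSTED
ip_conntrack 52000 1 ipt_layer7"

# Succeed if module $1 is listed in lsmod-format text on stdin (header skipped).
module_loaded() {
    awk -v m="$1" 'NR > 1 && $1 == m { found = 1 } END { exit found ? 0 : 1 }'
}

# Report whether layer7 can actually classify: prints "ok: ..." or what is missing.
layer7_ready() {
    text="$(cat)"
    if ! printf '%s\n' "$text" | module_loaded ipt_layer7; then
        echo "missing: ipt_layer7"
        return 1
    fi
    for ct in ip_conntrack nf_conntrack; do
        if printf '%s\n' "$text" | module_loaded "$ct"; then
            echo "ok: ipt_layer7 with $ct"
            return 0
        fi
    done
    echo "missing: conntrack (ipt_layer7 is loaded but will match nothing)"
    return 1
}

# Expected to report the missing tracker for the posted listing and "ok" for the fixed one.
printf '%s\n' "$LSMOD_POSTED" | layer7_ready || :
printf '%s\n' "$LSMOD_FIXED" | layer7_ready || :
```

On a live bridge, "lsmod | layer7_ready" (after sourcing the functions) gives the same verdict; a "missing: conntrack" result means "modprobe ip_conntrack" (or nf_conntrack on newer kernels) before the LOG rule can be expected to fire.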
From: s.cramatte at wanadoo.fr (Sébastien CRAMATTE) Date: Thu Dec 14 02:35:29 2006 Subject: [LARTC][RESOLVED] Layer7 module doesn't detect nothing on my bridge with a 2.6.18.3 kernel Message-ID: <4580AA4C.6040708@wanadoo.fr> Hello, loading conntrack resolved my problem ... layer7 has a dependency on conntrack but doesn't load it automatically... so the module is loaded but no packets match the l7-protocols ... reported as a bug http://sourceforge.net/tracker/index.php?func=detail&aid=1596065&group_id=80085&atid=558668 regards ArcosCom Linux User wrote: > With: > linux-2.6.18.5 > iptables-1.3.7 > layer7-2.7 > > It is working fine (normal and SMP configs); with linux-2.6.19.x it is not. > > See: > > Chain PREROUTING (policy ACCEPT 174K packets, 91M bytes) > num pkts bytes target prot opt in out source > destination > 1 13957 1482K 0 -- * * 0.0.0.0/0 > 0.0.0.0/0 ipp2p v0.8.2 --ipp2p > 2 81516 66M 0 -- * * 0.0.0.0/0 > 0.0.0.0/0 LAYER7 l7proto edonkey > > Regards > > On Tue, 12 December 2006, 11:27, Sébastien CRAMATTE wrote: > >> Hello >> >> I've set up a QOS bridge under debian 3.1 using 2.6.18.3 kernel + >> iptables 1.3.6 >> >> I've patched the kernel and iptables with esfq+layer7 without problems. >> >> >> This simple script doesn't log anything ... And I'm sure to have eMule >> traffic (I've checked with tcpdump ) >> If I remove " -m layer7 --l7proto edonkey \" line I can see >> iptables log in /var/log/kern.log >> I've tested with other protocols like skype or messenger ... layer7 filter >> seems to be simply ignored ... >> >> Syslog or kern.log still empty ... 
>> >> #!/bin/sh >> >> DEV=eth0 >> BR=br0 >> SHAPPER=CPE >> >> iptables -t mangle -N ${SHAPPER} >> iptables -t mangle -A POSTROUTING -o ${BR} >> -m physdev --physdev-out ${DEV} >> \-j ${SHAPPER} >> >> iptables -t mangle -A ${SHAPPER} \ >> -m layer7 --l7proto edonkey \ >> -j LOG --log-prefix eMule >> >> As you can see below my eth0 and eth1 interface are not in PROMISC mode >> because >> I use physdev module and user iptables chain to redirect all traffic >> >> #ifconfig >> >> br0 Link encap:Ethernet HWaddr 00:30:48:87:99:28 >> inet addr:xxx.xxx.xxx.xxx Bcast: xxx.xxx.xxx.xxx Mask:255.255.255.0 >> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 >> RX packets:146572 errors:0 dropped:0 overruns:0 frame:0 >> TX packets:14813 errors:0 dropped:0 overruns:0 carrier:0 >> collisions:0 txqueuelen:0 >> RX bytes:13160188 (12.5 MiB) TX bytes:2391735 (2.2 MiB) >> >> eth0 Link encap:Ethernet HWaddr 00:30:48:87:99:28 >> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 >> RX packets:588665 errors:0 dropped:0 overruns:0 frame:0 >> TX packets:226155 errors:0 dropped:0 overruns:0 carrier:0 >> collisions:0 txqueuelen:100 >> RX bytes:170415971 (162.5 MiB) TX bytes:138342082 (131.9 MiB) >> Base address:0xc000 Memory:f2000000-f2020000 >> >> eth1 Link encap:Ethernet HWaddr 00:30:48:87:99:29 >> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 >> RX packets:211410 errors:0 dropped:0 overruns:0 frame:0 >> TX packets:566435 errors:0 dropped:0 overruns:0 carrier:0 >> collisions:0 txqueuelen:100 >> RX bytes:135919959 (129.6 MiB) TX bytes:162558207 (155.0 MiB) >> Base address:0xd100 Memory:f1000000-f1020000 >> >> # lsmod >> Module Size Used by >> ipt_ipp2p 6400 0 >> ipt_LOG 5248 2 >> xt_multiport 2176 4 >> ipt_layer7 8840 14 >> cls_u32 5636 6 >> sch_esfq 4736 10 >> xt_CLASSIFY 1024 28 >> xt_limit 1280 0 >> ipt_TOS 1152 0 >> xt_length 1152 6 >> ipt_tos 896 2 >> sch_htb 12544 2 >> xt_physdev 1808 2 >> floppy 44580 0 >> e1000 100032 0 >> ehci_hcd 22152 0 >> uhci_hcd 16012 0 >> usbcore 86148 3 
ehci_hcd,uhci_hcd
>> i82875p_edac            3332  0
>> dm_mod                 34488  5
>> rtc                     6708  0
>>
>>
>>
>> Any Ideas
>> Thanks for your help
>>
>> Regards
>>
>> Sébastien
>>
>> _______________________________________________
>> LARTC mailing list
>> LARTC@mailman.ds9a.nl
>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>>
>>
>
>
>
>
>
From fdelawarde at wirelessmundi.com Thu Dec 14 12:44:57 2006
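Sébastien's resolution is that the layer7 match needs the connection tracker loaded, and that nothing complains when it is not. The script below is an added example, not something posted in the thread: it wraps the LOG rule from the post with the two checks that situation calls for, a preflight that the conntrack module is present before the layer7 rule is added, and a parser for the verbose chain listing that points out rules whose packet counter has stayed at zero while tcpdump shows the traffic. DEV, BR and the chain name are the post's; the lsmod and iptables outputs used below are constructed, and the commands are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not posted in the thread.  Preflight and verification for
# the layer7 LOG rule from the post.  DEV, BR and the chain name are the
# post's; commands are printed unless APPLY=1.
DEV=eth0
BR=br0
SHAPPER=CPE

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$@"; fi; }

# $1 = "lsmod" (or /proc/modules) output.  layer7 stores its verdict on the
# conntrack entry; with no conntrack module the match silently never fires.
conntrack_loaded() {
    echo "$1" | awk '$1 == "ip_conntrack" || $1 == "nf_conntrack" { f = 1 } END { exit !f }'
}

add_l7_rules() {
    conntrack_loaded "$(cat /proc/modules 2>/dev/null)" || run modprobe ip_conntrack
    run iptables -t mangle -N "$SHAPPER"
    run iptables -t mangle -A POSTROUTING -o "$BR" -m physdev --physdev-out "$DEV" -j "$SHAPPER"
    run iptables -t mangle -A "$SHAPPER" -m layer7 --l7proto edonkey -j LOG --log-prefix "eMule "
}

# $1 = output of "iptables -t mangle -L $SHAPPER -v -n -x".  Prints every
# rule whose packet counter is still zero, without the two counter columns.
# A LAYER7 rule listed here while tcpdump shows the traffic means the
# classifier is not seeing conntracked packets.
zero_hit_rules() {
    echo "$1" | awk 'NR > 2 && $1 == 0 { $1 = ""; $2 = ""; sub(/^ +/, ""); print }'
}

add_l7_rules
```

Run it once in dry-run mode to see the commands, then with APPLY=1; afterwards feed `iptables -t mangle -L CPE -v -n -x` output to zero_hit_rules while generating eMule traffic.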
From: fdelawarde at wirelessmundi.com (François Delawarde) Date: Thu Dec 14 12:50:56 2006 Subject: [LARTC] SIP, NAT, and load balancing problems In-Reply-To: <45806721.7020504@riverviewtech.net> References: <457EC047.7090404@wirelessmundi.com> <457FA040.4050807@riverviewtech.net> <457FD203.9010402@wirelessmundi.com> <45801C8C.5040804@riverviewtech.net> <45803576.3020902@wirelessmundi.com> <45806721.7020504@riverviewtech.net> Message-ID: <45813939.7010604@wirelessmundi.com> I unfortunately think that I can't use that solution (if I understood it well). My box actually has two functions: it's an Asterisk box and a load balancing router. For LAN clients, as this box represents their default gateway, there would be no problem in implementing a pure routing solution. I could create a new subnet on a dummy interface, and reconfigure all LAN SIP phones to point to that IP; the box itself would route packets to its dummy interface. For WAN clients, what I need is to have a unique interface (a unique public IP) accepting SIP connections, and outgoing traffic always passing by this interface. My current issue is with outgoing SIP/RTP traffic that sometimes gets load-balanced and uses the other public IP, which I have to force to the other interface, with lots of NATing/re-routing problems, as a single call can have multiple UDP flows (SIP and RTPs). My main problem with the DummyNet solution on the WAN side is that I cannot access the internet routers behind this box, so I can't add routes to reach a new subnet. This means that I'm back with the same type of problem trying to NAT, but this time not only the box's outgoing traffic, but also the clients' incoming traffic, for them to reach the dummy0 interface. Tell me if I'm wrong, but that solution appears to me as more complicated in my particular case. Ouch, that's much harder than I thought it would be. :-( François.
Grant Taylor wrote: > François Delawarde wrote: >> What i meant is that people (in #asterisk on freenode) told me that >> Asterisk could be bound to a unique IP, or to all IPs (binding it to >> 0.0.0.0). But if you know a way to bind it to only some IPs, then >> yeah! I need your help :-) I guess we need to put something in the >> bindaddr parameter of sip.conf. Right now I have: >> >> [general] >> bindaddr=0.0.0.0 >> >> I have 3 IPs in 3 interfaces: >> eth0 (LAN): 192.168.10.1 >> eth1 (WAN): 192.168.1.2 (gw 192.168.1.1) >> eth2 (WAN): 192.168.2.2 (gw 192.168.2.1) >> >> How can I bind Asterisk SIP to 192.168.10.1 and 192.168.2.2 only, to >> work around my load balancing problem? > > I'll email you off the mailing list as this does not pertain to LARTC. > >>> If Asterisk is only listening to one IP and you are routing to get >>> to your other network, you could end up with some really weird >>> issues that will be very difficult to overcome, probably MUCH >>> harder than resolving the issue with Asterisk only binding to one >>> interface. >> >> I don't really understand what you mean, but that's right, i have >> really weird issues. > > What I was saying is that if Asterisk is only bound to one IP address, > be it loopback, eth0, eth1, or even a dummy0 interface, you will have to > route traffic to that address. > > If you can indeed only bind Asterisk to only one IP address or all IP > addresses on the system, I would recommend that you use DummyNet to bind > Asterisk to. However this may be a problem down when NATing comes in to > play. (More on this later.) > > Supposing that you bind Asterisk to the dummy0 interface, either all > equipment will need to its self know how, or the default router for the > equipment will need to know how to reach the subnet on the dummy0 > interface. This usually means that you will have to have the default > gateway for all client systems / phones know how to reach the subnet on > the dummy0 interface. I.e.
the default gateway will have to have a > route to the subnet on the dummy0 interface via the interface on the > Asterisk box facing the router(s). > > Consider:
>
>                     +----------------------+
>                     | Asterisk Box         |
>                     |        [A.B.C.D/NM]-|---(INet)
>  (192.168.0.0/24)---|-[192.168.0.254/24]   |
>                     |   [192.2.0.254/24]   |
>                     |          |           |
>                     +----------------------+
>                                |
>                            [dummy0]
>
> In this case, 192.168.0.254/24 is the LAN, the internet is its own > IP, and 192.2.0.254/24 is assigned to the dummy0 interface. If you > bind Asterisk to the 192.2.0.254 IP on the dummy0 interface, you will > have to route all traffic that is to or from Asterisk in to and out of > the dummy0 network. > > Now that you can easily see that you would have to route traffic in to > and out of the dummy0 interface, I can probably better explain the > weird routing issue that you have. You are binding Asterisk to an IP > on your system. No matter what IP you bind Asterisk to, traffic from > any other subnet will have to be routed to that subnet to reach Asterisk. > > With this in mind, now consider if you bind Asterisk to one WAN > interface, traffic to / from your LAN or the other WAN interface will > have to be routed to be able to reach Asterisk. If you bind Asterisk > to the LAN interface, traffic to / from either WAN will have to be > routed to be able to reach Asterisk. > > Usually routing traffic is not an issue. However, as you have pointed > out, when you MASQUERADE traffic as it leaves either of your WAN > interfaces, the port numbers are changed and thus breaking your SIP > connection. > > So, you need to be able to not alter the SIP packet stream. So, what > you need to really do is only alter traffic that is not originating / > terminating on your firewall. You could do this a few different ways. > Probably the easiest way would be to not MASQUERADE any traffic, save > for traffic that originates on your LAN, not the firewall / Asterisk > box itself.
> > You will probably also need to do something to make sure that your SIP > traffic is not subject to load balancing. If you set up some sort of > identifier for your SIP traffic, say locally originated / terminated, > you could use a custom routing table to not load balance the traffic > via multiple next hops. > > One advantage of having Asterisk bind to a completely different IP, > i.e. on the dummy0 interface is that you could set up a rule that > looked for source or target IPs in the subnet on dummy0 as a VERY easy > and clear identifier as the traffic would belong to Asterisk. > >> What happens in my case, where default subnet (0.0.0.0/0 subnet) has >> two IPs (2 WAN with load balancing)? And do you know at what moment >> this IP is chosen? Do you think I can trick the routing subsystem (or >> whoever decides the IP) to force the decision? > > Sorry, I don't know what moment the decision is made. Nor do I think > you could "trick" the routing sub system once it has made a decision. > Sure, you can do some things to over ride which interface is used to > carry out the decision that was made. I think what would be better > would be to influence / control the possibilities that the routing sub > system has to choose from. > >> I'll try to check on that, if i can't resolve the issue with Asterisk >> bindings. > > *nod* > > > > Grant. . . . > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > From WBohannan at spidersat.com.gh Thu Dec 14 12:55:22 2006
From: WBohannan at spidersat.com.gh (William Bohannan) Date: Thu Dec 14 12:53:57 2006 Subject: [LARTC] blocking traffic on the FORWARD chain using physdev Message-ID: <4D411FB02758FE45915E9724339093F6152F0E@intranet.scpl.local> Currently using physdev on a bridge to try and isolate certain paths across and to the bridge. It all works except when trying to stop the flow in one direction on the FORWARD chain?? Can someone please help?? Below is the testing done so far. eth1 <---> BRIDGE <---> eth0 # Block (eth0 ---> eth1) - blocks both directions and not just one?? iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP # Block (eth0 <--- eth1) - blocks both directions and not just one?? iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP # Block (eth0 ---> BRIDGE) - working iptables -A INPUT -m physdev --physdev-in eth0 -p icmp -j DROP # Block (eth0 <--- BRIDGE) - working iptables -A OUTPUT -m physdev --physdev-out eth0 -p icmp -j DROP # Block (eth1 ---> BRIDGE) - working iptables -A INPUT -m physdev --physdev-in eth1 -p icmp -j DROP # Block (eth1 <--- BRIDGE) - working iptables -A OUTPUT -m physdev --physdev-out eth1 -p icmp -j DROP Kind Regards William From fdelawarde at wirelessmundi.com Thu Dec 14 12:59:05 2006 
From: fdelawarde at wirelessmundi.com (François Delawarde) Date: Thu Dec 14 13:00:39 2006 Subject: [LARTC] SIP, NAT, and load balancing problems In-Reply-To: <45808547.3080109@trash.net> References: <457EC047.7090404@wirelessmundi.com> <457FD6FA.7090709@wirelessmundi.com> <45808547.3080109@trash.net> Message-ID: <45813C89.4030007@wirelessmundi.com> I have ip_nat_sip compiled in the kernel (and not as a module). Is that an issue? Could you give me an example of how I could do using CONNMARK and fwmark based routing if I have an outgoing RTP flow bound to the wrong interface? Thanks a lot, François. Patrick McHardy wrote: > François Delawarde wrote: >> I was thinking of trying that along with the netfilter SIP helper, but I >> don't even understand how helpers work yet. If you have an idea of how i >> could use those things, it would also be worth trying. > > Just load ip_nat_sip, it should adjust the SDP information according to > the NATing done on the connection. You need to make sure though that > the RTP stream really does use the same connection (and NAT) as the > SIP connection, which is best done by using CONNMARK and fwmark based > routing. > > From oscar at ufomechanic.net Thu Dec 14 13:26:37 2006
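François asks Patrick for an example of CONNMARK plus fwmark-based routing. The script below is an added example, not something posted in the thread. It assumes the second WAN from François's earlier message (eth2, 192.168.2.2 with gateway 192.168.2.1) is the interface that must carry every SIP and RTP packet; the mark value 0x2 and table number 102 are arbitrary choices. The script prints its commands unless APPLY=1 is set, so it can be reviewed before it touches a live router. The piece that makes it work without port-range rules is conntrack's handling of expectations: a connection created from an expectation (the RTP flow the SIP helper announced) is given the connmark of its master, so one --restore-mark covers the RTP as well as the SIP. SIP over TCP would need a matching -p tcp rule, and ip_nat_sip only rewrites the SDP body for a connection that is actually NATed, which the SNAT rule guarantees.

```shell
#!/bin/sh
# Added example, not posted in the thread: keep locally originated SIP and
# the RTP that belongs to it on one WAN interface, using CONNMARK to carry
# the decision on the conntrack entry and a fwmark rule to route on it.
# Interface, addresses, mark and table number are assumptions taken from
# the addresses quoted earlier in the thread; adjust to the real box.
WAN=eth2
WAN_IP=192.168.2.2
WAN_GW=192.168.2.1
MARK=0x2
TABLE=102

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$@"; fi; }

pin_sip_rules() {
    # 1. A routing table that only knows the chosen WAN; packets carrying
    #    $MARK are looked up there instead of the load-balanced main table.
    run ip route replace default via "$WAN_GW" dev "$WAN" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE"

    # 2. Locally generated SIP signalling (UDP 5060) gets the mark, and the
    #    mark is saved on its conntrack entry.  RTP flows expected by the
    #    SIP helper inherit the master connection's connmark when their
    #    entry is created, so the --restore-mark at the top re-marks every
    #    RTP packet too.  A mark changed in mangle OUTPUT makes the kernel
    #    reroute the packet, now through table $TABLE.
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -p udp --dport 5060 -j MARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT -m mark --mark "$MARK" -j CONNMARK --save-mark

    # 3. Inbound calls arriving on the chosen WAN: save the mark so the
    #    replies (and the related RTP) leave the same way.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -i "$WAN" -p udp --dport 5060 -j MARK --set-mark "$MARK"
    run iptables -t mangle -A PREROUTING -m mark --mark "$MARK" -j CONNMARK --save-mark

    # 4. The source address was picked by the first, load-balanced route
    #    lookup and may belong to the other WAN.  Rewrite it to the address
    #    of the interface the packet now leaves on; because the connection
    #    is then NATed, ip_nat_sip rewrites the SDP body to match.
    run iptables -t nat -A POSTROUTING -o "$WAN" -m mark --mark "$MARK" -j SNAT --to-source "$WAN_IP"
}

pin_sip_rules
```

After applying, `conntrack -L` (or /proc/net/ip_conntrack) should show the RTP entries with mark=2 next to their SIP master, and `ip route get` with the mark is the quickest way to confirm the table is hit.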
From: oscar at ufomechanic.net (Oscar Mechanic) Date: Thu Dec 14 13:26:50 2006 Subject: [LARTC] blocking traffic on the FORWARD chain using physdev In-Reply-To: <4D411FB02758FE45915E9724339093F6152F0E@intranet.scpl.local> References: <4D411FB02758FE45915E9724339093F6152F0E@intranet.scpl.local> Message-ID: <1166099198.4538.101.camel@OSCARLAPLIN> Hi, Physdev may no longer be supported soon, something to do with hooks and how this is difficult to support. I have stopped using it because I found some odd behavior in physdev-in; physdev-out seemed fine, as I remember. I use ebtables and marks for this now. On Thu, 2006-12-14 at 20:55 +0900, William Bohannan wrote: > Currently using physdev on a bridge to try and isolate certain paths > across and to the bridge. It all works except when trying to stop the > flow in one direction on the FORWARD chain?? Can someone please help?? > > Below is the testing done so far. > > eth1 <---> BRIDGE <---> eth0 > > # Block (eth0 ---> eth1) - blocks both directions and not just one?? > iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP > > # Block (eth0 <--- eth1) - blocks both directions and not just one?? > iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP > > # Block (eth0 ---> BRIDGE) - working > iptables -A INPUT -m physdev --physdev-in eth0 -p icmp -j DROP > > # Block (eth0 <--- BRIDGE) - working > iptables -A OUTPUT -m physdev --physdev-out eth0 -p icmp -j DROP > > # Block (eth1 ---> BRIDGE) - working > iptables -A INPUT -m physdev --physdev-in eth1 -p icmp -j DROP > > # Block (eth1 <--- BRIDGE) - working > iptables -A OUTPUT -m physdev --physdev-out eth1 -p icmp -j DROP > > > Kind Regards > William > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc From WBohannan at spidersat.com.gh Thu Dec 14 13:34:56 2006
From: WBohannan at spidersat.com.gh (William Bohannan) Date: Thu Dec 14 13:33:01 2006 Subject: [LARTC] blocking traffic on the FORWARD chain using physdev In-Reply-To: <1166099198.4538.101.camel@OSCARLAPLIN> Message-ID: <4D411FB02758FE45915E9724339093F6152F12@intranet.scpl.local> Thanks for that. Would you be able to give a simple example on how to block outgoing traffic using ebtables and icmp? as I get an error when using icmp? ebtables -A FORWARD -i eth1 -p icmp -j DROP Error message - "Problem with the specified protocol." Kind Regards William -----Original Message----- 
From: Oscar Mechanic [mailto:oscar@ufomechanic.net] Sent: 14 December 2006 12:27 To: William Bohannan Cc: lartc@mailman.ds9a.nl Subject: Re: [LARTC] blocking traffic on the FORWARD chain using physdev Hi, Physdev may no longer be supported soon, something to do with hooks and how this is difficult to support. I have stopped using it because I found some odd behavior in physdev-in; physdev-out seemed fine, as I remember. I use ebtables and marks for this now. On Thu, 2006-12-14 at 20:55 +0900, William Bohannan wrote: > Currently using physdev on a bridge to try and isolate certain paths > across and to the bridge. It all works except when trying to stop the > flow in one direction on the FORWARD chain?? Can someone please help?? > > Below is the testing done so far. > > eth1 <---> BRIDGE <---> eth0 > > # Block (eth0 ---> eth1) - blocks both directions and not just one?? > iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP > > # Block (eth0 <--- eth1) - blocks both directions and not just one?? > iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP > > # Block (eth0 ---> BRIDGE) - working > iptables -A INPUT -m physdev --physdev-in eth0 -p icmp -j DROP > > # Block (eth0 <--- BRIDGE) - working > iptables -A OUTPUT -m physdev --physdev-out eth0 -p icmp -j DROP > > # Block (eth1 ---> BRIDGE) - working > iptables -A INPUT -m physdev --physdev-in eth1 -p icmp -j DROP > > # Block (eth1 <--- BRIDGE) - working > iptables -A OUTPUT -m physdev --physdev-out eth1 -p icmp -j DROP > > > Kind Regards > William > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc From oscar at ufomechanic.net Thu Dec 14 13:41:00 2006
From: oscar at ufomechanic.net (Oscar Mechanic) Date: Thu Dec 14 13:41:12 2006 Subject: [LARTC] blocking traffic on the FORWARD chain using physdev In-Reply-To: <4D411FB02758FE45915E9724339093F6152F12@intranet.scpl.local> References: <4D411FB02758FE45915E9724339093F6152F12@intranet.scpl.local> Message-ID: <1166100061.4538.105.camel@OSCARLAPLIN> Are you sure you want to block ICMP? How about PMTU? ebtables -I FORWARD 1 -i eth0 -p ip --ip-protocol icmp -j DROP On Thu, 2006-12-14 at 21:34 +0900, William Bohannan wrote: > Thanks for that. Would you be able to give a simple example on how to > block outgoing traffic using ebtables and icmp? as I get an error when > using icmp? > > ebtables -A FORWARD -i eth1 -p icmp -j DROP > > Error message - "Problem with the specified protocol." > > > Kind Regards > William > > > -----Original Message-----
> From: Oscar Mechanic [mailto:oscar@ufomechanic.net] > Sent: 14 December 2006 12:27 > To: William Bohannan > Cc: lartc@mailman.ds9a.nl > Subject: Re: [LARTC] blocking traffic on the FORWARD chain using physdev > > Hi, > > Physdev may no longer be supported soon, something to do with hooks > and how this is difficult to support. I have stopped using it because I > found some odd behavior in physdev-in; physdev-out seemed fine, as I remember. I use > ebtables and marks for this now. > > > On Thu, 2006-12-14 at 20:55 +0900, William Bohannan wrote: > > Currently using physdev on a bridge to try and isolate certain paths > > across and to the bridge. It all works except when trying to stop the > > flow in one direction on the FORWARD chain?? Can someone please help?? > > > > Below is the testing done so far. > > > > eth1 <---> BRIDGE <---> eth0 > > > > # Block (eth0 ---> eth1) - blocks both directions and not just one?? > > iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP > > > > # Block (eth0 <--- eth1) - blocks both directions and not just one?? > > iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP > > > > # Block (eth0 ---> BRIDGE) - working > > iptables -A INPUT -m physdev --physdev-in eth0 -p icmp -j DROP > > > > # Block (eth0 <--- BRIDGE) - working > > iptables -A OUTPUT -m physdev --physdev-out eth0 -p icmp -j DROP > > > > # Block (eth1 ---> BRIDGE) - working > > iptables -A INPUT -m physdev --physdev-in eth1 -p icmp -j DROP > > > > # Block (eth1 <--- BRIDGE) - working > > iptables -A OUTPUT -m physdev --physdev-out eth1 -p icmp -j DROP > > > > > > Kind Regards > > William > > > > _______________________________________________ > > LARTC mailing list > > > LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > From e1605projecter at yahoo.com Thu Dec 14 17:38:37 2006
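Two things in this thread are worth making concrete. William's two FORWARD rules are the same rule (both match --physdev-out eth1), but even the intended pair would make ping fail in both directions: dropping every ICMP frame that leaves eth1 also drops the echo-replies to pings started on the eth1 side. Matching only echo-requests in one bridge direction gives one-way blocking and leaves fragmentation-needed messages alone, which is Oscar's PMTU concern. The ebtables error comes from -p being the Ethernet protocol in ebtables; ICMP is written as IPv4 plus --ip-protocol, as in Oscar's reply (the `ip` alias from /etc/ethertypes works as well). The script below is an added example, not code posted in the thread; interface names are the thread's, and commands are printed unless APPLY=1 is set. The ebtables of the period has no ICMP type match, so its rule still catches replies travelling in the matched direction.

```shell
#!/bin/sh
# Added example, not posted in the thread.  Drops pings that cross the
# bridge from one port to the other in one direction only.  Interface
# names are the thread's; commands are printed unless APPLY=1.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$@"; fi; }

# $1 = bridge port the echo-request enters, $2 = port it would leave by.
block_ping_one_way() {
    # bridged frames only reach the iptables FORWARD chain with bridge-nf on
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    # Match the request, and only in this direction.  A plain
    # "-p icmp --physdev-out $2" also drops the echo-replies to pings that
    # were started on the $2 side, so ping looks blocked both ways, and it
    # drops fragmentation-needed messages as well.
    run iptables -A FORWARD -m physdev --physdev-in "$1" --physdev-out "$2" \
        -p icmp --icmp-type echo-request -j DROP
}

# Same direction with ebtables.  Its -p is the Ethernet protocol, which is
# why "-p icmp" is rejected; IPv4 plus --ip-protocol selects ICMP.  This
# ebtables has no ICMP type match, so replies in this direction drop too.
block_icmp_one_way_ebtables() {
    run ebtables -A FORWARD -i "$1" -o "$2" -p IPv4 --ip-protocol icmp -j DROP
}

block_ping_one_way eth0 eth1
```

Check the result with `iptables -L FORWARD -v -n` while pinging from each side: the counter should move only for pings started on the eth0 side.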
From: e1605projecter at yahoo.com (Thossapron Apinyapanha) Date: Thu Dec 14 17:38:56 2006 Subject: [LARTC] hfsc rule command problem Message-ID: <20061214163837.7668.qmail@web35507.mail.mud.yahoo.com>
My hfsc rules ..

tc qdisc add dev eth2 handle 1: root hfsc
iptables -t mangle -N ms-all
iptables -t mangle -N ms-all-chains
iptables -t mangle -N ms-prerouting
iptables -t mangle -A PREROUTING -j ms-prerouting
iptables -t mangle -A ms-prerouting -j CONNMARK --restore-mark
iptables -t mangle -A ms-prerouting -p udp --dport 4444 -j MARK --set-mark 1
iptables -t mangle -A ms-prerouting -p udp -m multiport --dports 1755,5005,1024:4443,4445:5500 -j MARK --set-mark 1
iptables -t mangle -A ms-prerouting -p tcp --dport 23 -j MARK --set-mark 1
iptables -t mangle -A ms-prerouting -p tcp -m multiport --dports 20,21,5001:5004,5006:5100 -j MARK --set-mark 2
iptables -t mangle -A ms-prerouting -p tcp --dport 80 -j MARK --set-mark 2
iptables -t mangle -A ms-prerouting -j CONNMARK --save-mark
iptables -t mangle -A FORWARD -o eth2 -j ms-all
iptables -t mangle -A POSTROUTING -o eth2 -j ms-all-chains
tc class add dev eth2 parent 1: classid 1:1 hfsc sc m2 10000kbit
tc filter add dev eth2 parent 1:0 protocol all u32 match u32 0 0 classid 1:1
tc class add dev eth2 parent 1:1 classid 1:11 hfsc ls m2 3500kbit ul m2 10000kbit
iptables -t mangle -N ms-chain-eth2-1:11
iptables -t mangle -A ms-all-chains -m mark --mark 1 -j ms-chain-eth2-1:11
iptables -t mangle -A ms-all -o eth2 -j ms-chain-eth2-1:11
tc class add dev eth2 parent 1:11 classid 1:111 hfsc rt m1 3500kbit d 10s m2 200kbit ls m2 3500kbit ul m2 3500kbit
tc qdisc add dev eth2 handle 111: parent 1:111 sfq
iptables -t mangle -A ms-chain-eth2-1:11 -p udp --dport 4444 -j CLASSIFY --set-class 1:111
iptables -t mangle -A ms-chain-eth2-1:11 -p udp --dport 4444 -j RETURN
tc class add dev eth2 parent 1:11 classid 1:112 hfsc rt m1 3500kbit d 10s m2 1300kbit ls m2 3500kbit ul m2 3500kbit
tc qdisc add dev eth2 handle 112: parent 1:112 sfq
iptables -t mangle -A ms-chain-eth2-1:11 -p udp -m multiport --dports 1755,5005,1024:4443,4445:5500 -j CLASSIFY --set-class 1:112
iptables -t mangle -A ms-chain-eth2-1:11 -p udp -m multiport --dports 1755,5005,1024:4443,4445:5500 -j RETURN
tc class add dev eth2 parent 1:11 classid 1:113 hfsc rt m1 3500kbit d 10s m2 1500kbit ls m2 3500kbit ul m2 3500kbit
tc qdisc add dev eth2 handle 113: parent 1:113 sfq
iptables -t mangle -A ms-chain-eth2-1:11 -p tcp --dport 23 -j CLASSIFY --set-class 1:113
iptables -t mangle -A ms-chain-eth2-1:11 -p tcp --dport 23 -j RETURN
tc class add dev eth2 parent 1:11 classid 1:199 hfsc rt m1 3500kbit d 10s m2 500kbit ls m2 3500kbit ul m2 3500kbit
tc qdisc add dev eth2 handle 199: parent 1:199 sfq
iptables -t mangle -A ms-chain-eth2-1:11 -j CLASSIFY --set-class 1:199
iptables -t mangle -A ms-chain-eth2-1:11 -j RETURN
tc class add dev eth2 parent 1:1 classid 1:12 hfsc ls m2 7500kbit ul m2 10000kbit
iptables -t mangle -N ms-chain-eth2-1:12
iptables -t mangle -A ms-all-chains -m mark --mark 2 -j ms-chain-eth2-1:12
iptables -t mangle -A ms-all -o eth2 -j ms-chain-eth2-1:12
tc class add dev eth2 parent 1:12 classid 1:121 hfsc ls m2 3500kbit ul m2 7500kbit
tc qdisc add dev eth2 handle 121: parent 1:121 sfq
iptables -t mangle -A ms-chain-eth2-1:12 -p tcp -m multiport --dports 20,21,5001:5004,5006:5100 -j CLASSIFY --set-class 1:121
iptables -t mangle -A ms-chain-eth2-1:12 -p tcp -m multiport --dports 20,21,5001:5004,5006:5100 -j RETURN
tc class add dev eth2 parent 1:12 classid 1:122 hfsc ls m2 3500kbit ul m2 7500kbit
tc qdisc add dev eth2 handle 122: parent 1:122 sfq
iptables -t mangle -A ms-chain-eth2-1:12 -p tcp --dport 80 -j CLASSIFY --set-class 1:122
iptables -t mangle -A ms-chain-eth2-1:12 -p tcp --dport 80 -j RETURN
tc class add dev eth2 parent 1:12 classid 1:299 hfsc rt m1 3500kbit d 10s m2 500kbit ls m2 500kbit ul m2 7500kbit
tc qdisc add dev eth2 handle 299: parent 1:299 sfq
iptables -t mangle -A ms-chain-eth2-1:12 -j CLASSIFY --set-class 1:299
iptables -t mangle -A ms-chain-eth2-1:12 -j RETURN

I have got a big problem, I don't know whether my rules are wrong. My rules are like this:

Root
Real time class                  Non-real time class       #interior class
(VoIP, MMS, Telnet, default)     (HTTP, FTP, default)      #leaf class

My rate settings in each class are:
Real time class guarantee rate: 3500kbit max rate: 10000kbit
VoIP guarantee rate: 200kbit max rate: 3500kbit
MMS guarantee rate: 1300kbit max rate: 3500kbit
Telnet guarantee rate: 1500kbit max rate: 3500kbit
Default guarantee rate: 500kbit max rate: 3500kbit
Non Real time class
HTTP guarantee rate: 7500kbit max rate: 10000kbit
FTP guarantee rate: 3500kbit max rate: 7500kbit
Default guarantee rate: 3500kbit max rate: 7500kbit

I need to feed the shaper a very heavy load, about 10Mbit, from a traffic generator, but no matter how I change the input rate, decreasing it from 10Mbit until it is less than the guaranteed rate of every class, the result is that after about 10s all input traffic errors out (can't send any more traffic). First I thought it must be related to the percentage of TCP versus UDP: if there is a lot of UDP, TCP may be lost because requests time out and need to be retransmitted again (this overloads the incoming queue until it is full and can't send any more traffic to the shaper). But no matter how far I decrease the rate, down to 2Mbit, everything dies. My last attempt was to input traffic at the same rate as each class's rate; again after 10s no more traffic can be input. So is it true that HFSC can't manage a load as heavy as 10Mbit??? Second, I wonder whether the number of levels in the hierarchy is the factor causing so much delay. In my lab I compared 2 levels (root and leaf classes) with input traffic of about 600Kbit; the result is OK, but if I change to 3 levels (root, interior and leaf classes), after 10s it goes down and can't send any more. So my questions: 1. Are my rules set wrongly, in the parameters or the iptables filter? (But after I tested this iptables filter with htb, it was OK and very good.) 2. Is it true that HFSC can't manage a traffic load of more than 1Mbit?? 3. I have a lot of questions but I don't know what is wrong: my rules, or HFSC can't manage the traffic load? Thank you
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20061214/f6574794/attachment-0001.html
From lists at andyfurniss.entadsl.com Thu Dec 14 21:32:12 2006
From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Thu Dec 14 21:32:12 2006 Subject: [LARTC] hfsc rule command problem In-Reply-To: <20061214163837.7668.qmail@web35507.mail.mud.yahoo.com> References: <20061214163837.7668.qmail@web35507.mail.mud.yahoo.com> Message-ID: <4581B4CC.2010904@andyfurniss.entadsl.com> Thossapron Apinyapanha wrote: > tc class add dev eth2 parent 1: classid 1:1 hfsc sc m2 10000kbit If it's really 10mbit eth, 10mbit rate is too high. > tc class add dev eth2 parent 1:11 classid 1:199 hfsc rt m1 3500kbit d 10s m2 500kbit ls m2 3500kbit ul m2 3500kbit > tc qdisc add dev eth2 handle 199: parent 1:199 sfq sfq is really for bulk, with the added complication that it won't quite be right on an hfsc rt class - if backlogged hfsc rt de/re queues to get the next packet length, but sfq (as I read it) doesn't reset the "turn pointer" when it requeues. Probably OK if you really need it I suppose - but then rt classes should probably not get backlogged (excepting bursts maybe) > Real time class guarantee rate: 3500kbit max rate: 10000kbit > VoIP guarantee rate: 200kbit max rate: 3500kbit > MMS guarantee rate: 1300kbit max rate: 3500kbit > Telnet guarantee rate: 1500kbit max rate: 3500kbit > Default guarantee rate: 500kbit max rate: 3500kbit They are not going to be rt as such once over their guaranteed rates. > 2. Is it true about HFSC can't manage traffic load more than 1Mbit ?? The problem is I think, your use of default - If you don't use it hfsc will drop unclassified traffic, htb will let it through unshaped, so it is in someways needed more on hfsc (though you can filter non ip). You could use it but not send any ip traffic to it, or you could explicitly filter arp (& other non ip) to a dedicated rt class with enough bandwidth. Delaying/dropping arp is not something you should do... Andy. From lists at andyfurniss.entadsl.com Thu Dec 14 23:15:15 2006
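Andy's two points, that a 10000kbit curve is too much for a 10Mbit interface and that rt classes stop being real-time once they are over their guaranteed rates, both follow from the HFSC rule that the real-time curves of the leaf classes may not add up to more than the link can actually carry. The shell function below is an added example, not from the thread: it reads `tc class add ... hfsc` lines and checks that necessary condition for the m1 (burst) slope and the m2 (steady) slope separately, skipping interior classes because the kernel only enforces rt curves on leaves. The sample input is the class tree from the post, constructed here as a here-document; the link rate passed as the first argument should be a little below the physical rate, as Andy suggests. It is only a necessary condition (leaves with different d values would need the curves compared point by point), so an "OK" does not prove the configuration sane, but an "OVERCOMMITTED" means some guarantee cannot be kept.

```shell
#!/bin/sh
# Added example, not from the thread: a necessary-condition check for HFSC
# real-time curves.  Reads "tc class add ... hfsc ..." lines on stdin and
# sums the rt (or sc) curves of the leaf classes; interior classes carry no
# rt guarantee in the kernel and are skipped.  $1 is the rate the link can
# really carry, in kbit.
hfsc_rt_check() {
    awk -v link="$1" '
    function kbit(s,  n) { n = s + 0; if (s ~ /mbit$/) n *= 1000; return n }
    {
        cid = ""; par = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "classid") cid = $(i + 1)
            if ($i == "parent")  par = $(i + 1)
        }
        if (cid == "") next                # not a class line (qdisc, filter, iptables)
        isparent[par] = 1
        m1[cid] = 0; m2[cid] = 0
        for (i = 1; i <= NF; i++) {
            if ($i != "rt" && $i != "sc") continue
            for (j = i + 1; j <= NF; j++) {   # tokens up to the next curve keyword
                if ($j == "ls" || $j == "ul" || $j == "rt" || $j == "sc") break
                if ($j == "m1") m1[cid] = kbit($(j + 1))
                if ($j == "m2") m2[cid] = kbit($(j + 1))
            }
        }
    }
    END {
        for (c in m2) {
            if (c in isparent) continue        # interior class: rt curve is ignored
            if (m2[c] == 0) continue           # leaf without an rt guarantee
            burst  += (m1[c] > 0 ? m1[c] : m2[c])   # slope during the m1/d part
            steady += m2[c]                         # long-term slope
        }
        verdict = (burst > link || steady > link) ? "OVERCOMMITTED" : "OK"
        printf "leaf rt burst=%dkbit steady=%dkbit link=%dkbit %s\n", burst, steady, link, verdict
    }'
}

# The classes from the post, constructed here as sample input.
sample_classes() {
    cat <<'EOF'
tc class add dev eth2 parent 1: classid 1:1 hfsc sc m2 10000kbit
tc class add dev eth2 parent 1:1 classid 1:11 hfsc ls m2 3500kbit ul m2 10000kbit
tc class add dev eth2 parent 1:11 classid 1:111 hfsc rt m1 3500kbit d 10s m2 200kbit ls m2 3500kbit ul m2 3500kbit
tc class add dev eth2 parent 1:11 classid 1:112 hfsc rt m1 3500kbit d 10s m2 1300kbit ls m2 3500kbit ul m2 3500kbit
tc class add dev eth2 parent 1:11 classid 1:113 hfsc rt m1 3500kbit d 10s m2 1500kbit ls m2 3500kbit ul m2 3500kbit
tc class add dev eth2 parent 1:11 classid 1:199 hfsc rt m1 3500kbit d 10s m2 500kbit ls m2 3500kbit ul m2 3500kbit
tc class add dev eth2 parent 1:1 classid 1:12 hfsc ls m2 7500kbit ul m2 10000kbit
tc class add dev eth2 parent 1:12 classid 1:121 hfsc ls m2 3500kbit ul m2 7500kbit
tc class add dev eth2 parent 1:12 classid 1:122 hfsc ls m2 3500kbit ul m2 7500kbit
tc class add dev eth2 parent 1:12 classid 1:299 hfsc rt m1 3500kbit d 10s m2 500kbit ls m2 500kbit ul m2 7500kbit
EOF
}

sample_classes | hfsc_rt_check 10000
```

On the post's tree the five rt leaves promise 3500kbit each for the first 10 s of a backlog, 17500kbit against a 10000kbit link, while the steady m2 sum of 4000kbit fits; the same function can be pointed at a live configuration by piping in the script that builds it.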
From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Thu Dec 14 23:15:14 2006 Subject: [LARTC] About HFSC ? In-Reply-To: <457F18E2.5090208@wanadoo.fr> References: <457F18E2.5090208@wanadoo.fr> Message-ID: <4581CCF3.4000602@andyfurniss.entadsl.com> Sébastien CRAMATTE wrote: > Hello, > > I've read this article about VoIP and HFSC > http://automatthias.wordpress.com/2006/06/30/hfsc-and-voip/ > > I've got a few questions: > > Considering this > > tc class add dev $DEV parent 1:1 classid 1:2 hfsc \ > rt m1 ${UPLINK}kbit d 50ms m2 $[1*$UPLINK/10]kbit \ > ls m1 ${UPLINK}kbit d 50ms m2 $[3*$UPLINK/10]kbit \ > ul rate ${UPLINK}kbit That command and the script look a bit iffy to me - but then I could be wrong and often am :-) > > rt = realtime curve > ls = linksharing curve > > but > m1 = ? m1 = slope/rate of the first part of the curve. > m2 = ? m2 = slope/rate of the second part. > d = dmax ? I think they will be equal if m1>m2, but not if m1<m2.
References: <20061206220015.083bd7b7@ktinos.gov> Message-ID: <4581D1EA.4020709@andyfurniss.entadsl.com> Eye of the Beholder wrote: > Hello. > > I have a 1024/256kbit ADSL and tried to shape outgoing traffic in order > to improve latency. > > Here is my config. > > UPLOAD_RATE="256" > UPRATE="$[4*$UPLOAD_RATE/5]" (a little smaller) Depends on traffic - you may need to go smaller if there are lots of small packets, you can patch for dsl/atm overheads. > UP70="$[7*$UPRATE/10]kbit" > UP30="$[3*$UPRATE/10]kbit" > UP20="$[2*$UPRATE/10]kbit" > UPRATE="${UPRATE}kbit" You should really make these add up to 100 not 120. > > IF="eth2" > IPTABLES="iptables -t mangle -A POSTROUTING " > > (Initialize) > tc qdisc del dev $IF root >& /dev/null > iptables -t mangle -F > > > (Root qdisc / class) > tc qdisc add dev $IF root handle 1: htb default 20 Your arp will go to default which is not nice.
> tc class add dev $IF parent 1: classid 1:1 htb rate 100mbit > > (class for lan traffic) > tc class add dev $IF parent 1:1 classid 1:100 htb rate 100mbit quantum 100000 > (parent class for adsl traffic) > tc class add dev $IF parent 1:1 classid 1:3 htb rate $UPRATE (different classes) > tc class add dev $IF parent 1:3 classid 1:70 htb rate $UP70 ceil $UPRATE prio 1 > tc class add dev $IF parent 1:3 classid 1:30 htb rate $UP30 ceil $UPRATE prio 2 > quantum 1200 > tc class add dev $IF parent 1:3 classid 1:20 htb rate $UP20 ceil $UPRATE prio 3 > quantum 1200 > > (queues) > tc qdisc add dev $IF parent 1:100 handle 100: sfq perturb 10 > tc qdisc add dev $IF parent 1:70 handle 70: sfq perturb 10 > tc qdisc add dev $IF parent 1:30 handle 30: sfq perturb 10 > tc qdisc add dev $IF parent 1:20 handle 20: sfq perturb 10 > > (filters) > tc filter add dev $IF parent 1:0 protocol ip handle 100 fw classid 1:100 > tc filter add dev $IF parent 1:0 prio 1 protocol ip handle 7 fw classid 1:70 > tc filter add dev $IF parent 1:0 prio 2 protocol ip handle 3 fw classid 1:30 > tc filter add dev $IF parent 1:0 prio 3 protocol ip handle 2 fw classid 1:20 > > (Mark packets) I would just -j RETURN for lan traffic here and not use htb default or the 100meg class/marking > > (Interactive class (70%)) > $IPTABLES -p icmp -j MARK --set-mark 7 > $IPTABLES -p icmp -j RETURN > $IPTABLES -p tcp --dport 22 -j MARK --set-mark 7 > $IPTABLES -p tcp --dport 22 -j RETURN > $IPTABLES -p tcp --dport 6667 -j MARK --set-mark 7 > $IPTABLES -p tcp --dport 6667 -j RETURN > $IPTABLES -p tcp --dport 53 -j MARK --set-mark 7 > $IPTABLES -p tcp --dport 53 -j RETURN > $IPTABLES -p udp --dport 53 -j MARK --set-mark 7 > $IPTABLES -p udp --dport 53 -j RETURN > > (30% Class) > $IPTABLES -p tcp -m multiport --dport 20,21,25,80,443,995 -j MARK > --set-mark 3 $IPTABLES -p tcp -m multiport --dport 20,21,25,80,443,995 > -j RETURN > > (Lan class) > $IPTABLES -d 192.168.1.0/24 -j MARK --set-mark 100 > $IPTABLES -d 192.168.1.0/24
-j RETURN > > (anything else) > $IPTABLES -j MARK --set-mark 2 > > (I changed the default "quantum" values because i got messages "HTB: quantum of class > 10001 is big/small. Consider r2q change." but my tc didn't accept r2q as a parameter.) > The 100meg class should go and I would set quantum to 1514 on the remaining (1514 because a 1500 ip length packet is seen as 1514 on an eth interface) > > I have tested that different packets get different marks (with iptables > -v -t mangle -L) and also that they go to the different classes (with tc -s -d class > show dev eth2) so i guess my rules are correct. > > However, i put a large file to download in order to test and during the > download i get 1500-2500ms ping times. This only shapes upload, shaping download is harder. I have written lots about this before - see archives. Andy. From lists at andyfurniss.entadsl.com Thu Dec 14 23:45:17 2006 From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Thu Dec 14 23:45:12 2006 Subject: [LARTC] Reassigning a flow to a different queue In-Reply-To: References: Message-ID: <4581D3FD.6040503@andyfurniss.entadsl.com> drew einhorn wrote: > I'd like to initially assign all http flows to a interactive priority > queue. > But if the cumulative amount of traffic exceeds a threshold, I'd like > to reassign it to a low priority bulk queue. Say someone is doing an > http download of a huge .iso. > > Is this possible? > You could use iptables connbytes - but that is not cumulative for multiple connections. Andy. From lists at andyfurniss.entadsl.com Fri Dec 15 00:01:23 2006 
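The "HTB: quantum of class ... is big/small. Consider r2q change." messages quoted in Andy Furniss's reply to the HTB script above come from how HTB derives a leaf's quantum: when a class line carries no explicit quantum, the kernel uses rate (in bytes per second) divided by the qdisc's r2q (default 10), and warns and clamps when the result is below 1000 or above 200000 bytes. r2q is an option of the htb qdisc line (tc qdisc add ... htb default N r2q N), not of a class line, which is why tc rejects it there. The script below is an added example, not code from the post: it predicts the quantum the kernel will derive for each rate and searches for an r2q that keeps every class in range, which also shows why a 100mbit class and a 20kbit class cannot share one r2q. The rate values in the tests are made up.

```shell
#!/bin/sh
# htb_quantum.sh: predict the quantum HTB derives for a class and find an r2q
# that keeps every leaf inside the range the kernel accepts without warning.
# Added example, not code from the post. The rule quantum = rate_bytes/s / r2q
# and the 1000..200000 limits are those of sch_htb.c; the rates are made up.

HTB_QUANTUM_MIN=1000
HTB_QUANTUM_MAX=200000

# to_bps RATE: convert a tc-style rate to bytes per second. tc units are
# decimal (kbit = 1000 bit) and "bps" means bytes, not bits, per second;
# a bare number is bits per second.
to_bps() {
    num=${1%%[!0-9]*}
    unit=${1#"$num"}
    case "$unit" in
        ""|bit) echo $(( num / 8 )) ;;
        kbit)   echo $(( num * 1000 / 8 )) ;;
        mbit)   echo $(( num * 1000000 / 8 )) ;;
        bps)    echo "$num" ;;
        kbps)   echo $(( num * 1000 )) ;;
        mbps)   echo $(( num * 1000000 )) ;;
        *)      echo "to_bps: unknown unit '$unit'" >&2; return 1 ;;
    esac
}

# htb_quantum RATE R2Q: the quantum the kernel derives when the class line
# carries no explicit "quantum".
htb_quantum() {
    echo $(( $(to_bps "$1") / $2 ))
}

# htb_quantum_status RATE R2Q: "small", "big" or "ok", matching the
# "HTB: quantum of class X is small/big" message (the kernel also clamps
# the value to the limit it complains about).
htb_quantum_status() {
    q=$(htb_quantum "$1" "$2")
    if [ "$q" -lt "$HTB_QUANTUM_MIN" ]; then echo small
    elif [ "$q" -gt "$HTB_QUANTUM_MAX" ]; then echo big
    else echo ok
    fi
}

# pick_r2q RATE...: the smallest r2q (1..1000) for which every listed rate
# gets an in-range quantum. Prints nothing and fails when no single value
# fits, the sign that one class needs an explicit quantum or should not sit
# under this qdisc at all (the 100mbit lan class next to kbit adsl classes).
pick_r2q() {
    r2q=1
    while [ "$r2q" -le 1000 ]; do
        fits=1
        for rate in "$@"; do
            case "$(htb_quantum_status "$rate" "$r2q")" in
                ok)    ;;
                small) return 1 ;;   # a larger r2q only shrinks quanta further
                big)   fits=0 ;;
            esac
        done
        if [ "$fits" -eq 1 ]; then echo "$r2q"; return 0; fi
        r2q=$(( r2q + 1 ))
    done
    return 1
}

# report RATE...: one line per rate with the default r2q of 10, then the
# qdisc line to use, e.g. "sh htb_quantum.sh 100mbit 64kbit 40kbit 20kbit".
report() {
    for rate in "$@"; do
        printf '%-8s quantum %8s (%s)\n' "$rate" \
            "$(htb_quantum "$rate" 10)" "$(htb_quantum_status "$rate" 10)"
    done
    if r2q=$(pick_r2q "$@"); then
        echo "use: tc qdisc add dev \$IF root handle 1: htb default 20 r2q $r2q"
    else
        echo "no single r2q fits; give the odd class an explicit quantum (e.g. 1514)"
    fi
}

case "${1:-}" in
    "") ;;
    *)  report "$@" ;;
esac
```

Run it with the rates of every class under the qdisc; an explicit quantum on a class line (Andy's 1514) bypasses the derivation and the warning for that class only, while r2q changes the derivation for all of them.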
From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Fri Dec 15 00:01:18 2006 Subject: [LARTC] Limit pps not just bandwidth (kbps) on ingress In-Reply-To: <0E24ED2A7F9AA349A8633E6A56A64BE0027A8163@XCH-SW-2V1.sw.nos.boeing.com> References: <0E24ED2A7F9AA349A8633E6A56A64BE0027A8163@XCH-SW-2V1.sw.nos.boeing.com> Message-ID: <4581D7C3.9070608@andyfurniss.entadsl.com> Flechsenhaar, Jon J wrote: > I want to limit pps (packets per second) not just bandwidth on the > ingress side. I can do this using IP tables but I'm curious if there is > a way to do this with TC. > Thanks. I don't think so, maybe you could ask on netdev netdev@vger.kernel.org and/or jamal hadi@cyberus.ca. Seems like it could be a useful addition for policers. Andy. From shemminger at osdl.org Fri Dec 15 00:46:27 2006 
From: shemminger at osdl.org (Stephen Hemminger) Date: Fri Dec 15 00:46:35 2006 Subject: [LARTC] [announce] iproute2 2.6.19-061214 Message-ID: <20061214154627.78ff25c0@freekitty> This is an update to the iproute2 command set. It can be downloaded from: http://developer.osdl.org/dev/iproute2/download/iproute2-2.6.18-061214.tar.gz Repository: git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git For more info on iproute2 see: http://linux-net.osdl.org/index.php/Iproute2 The version number includes the kernel version to denote what features are supported. The same source should build on older systems, but obviously the newer kernel features won't be available. As much as possible, this package tries to be source compatible across releases. Changes from 2.6.18-061002 to 2.6.19-061214: Boian Bonev: Display local route table name correctly in output of: Hasso Tepper: Fixes for tc help commands jamal: Multicast computation off by one Update generic netlink header Add controller support for new features exposed clarify "ok" and "pass" Fix missing class/flowid oddity Mention need for db dev package update xfrm async events make muticast group to bitmask conversion generic update xfrm monitoring to use nl_mgrp Masahide NAKAMURA: ADDR: Fix print format for lifetimes. ADDR: Enable to add IPv6 address with valid/preferred lifetime. ADDR: Define 0xFFFFFFFFU as INFINITY_LIFE_TIME regarding to the kernel. TUNNEL: Split common functions to export them. TUNNEL: Import ip6tunnel.c. TUNNEL: IPv6-over-IPv6 tunnel support. XFRM: sub policy support. XFRM: Mobile IPv6 route optimization support. XFRM: support report message by monitor. XFRM: Mobility header support. Noriaki TAKAMIYA: ADDR: Add the 'change' and 'replace' commands to the IPv6 address manipulation context. 
Patrick McHardy: [IPROUTE]: Add support for routing rule fwmark masks Stephen Hemminger: Man page for ss submitted by Alex Wirt Typo in man page Trap possible overflow in usec values to netem genl Makefile LDFLAGS SA and SP in IPSec BEET mode. Route metrics decode bug. lnstat man page Man page for rtmon Update to 2.6.19 headers Add more includes Change to post 2.6.19 sanitized headers Eliminate trailing whitespace Thomas Graf: Add support for inverted selectors Add rule notification support to ip monitor

From Ow.Mun.Heng at wdc.com Fri Dec 15 09:27:20 2006
From: Ow.Mun.Heng at wdc.com (Ow Mun Heng)
Date: Fri Dec 15 09:40:26 2006
Subject: [LARTC] ipp2p Problem
In-Reply-To: <200612131924.02032.kajtek@biezanow.net>
References: <200612131924.02032.kajtek@biezanow.net>
Message-ID: <1166171240.3544.32.camel@neuromancer.home.net>

On Wed, 2006-12-13 at 19:24 +0100, Kajetan Staszkiewicz wrote:
> On Wednesday, 13 December 2006 18:55, Arik Raffael Funke wrote:
>
> > But the command given at the beginning does not work. It gives in dmesg:
> > ip_tables: ipp2p match: invalid size 0 != 8
>
> I had the same problems when I had too new a kernel with too old an ipp2p. Try 0.8.2.

Solved it via upgrade to 0.8.2 as well

From Покотиленко Fri Dec 15 18:44:43 2006
From: Покотиленко
Date: Fri Dec 15 18:43:50 2006
Subject: [LARTC] catching DNAT'ed packet
Message-ID: <1166204683.4051.36.camel@localhost.localdomain>

Hi.

I have a Server's network with some servers in it, all with 192.168.1.0/25 ips. There is also a router in that network with ip 192.168.1.1. This router is also connected to a client's network 10.10.0.0/16 with ip 10.10.100.1.

All services on each server are given their virtual address from one of two virtual networks 192.168.1.128/28 and 192.168.1.144/28. 192.168.1.128/28 is for freely available services, and 192.168.1.144/28 is for services available only to authenticated ips.

There is a DNAT working on the router to map virtual ip/port to realip/realport. That all works fine.

For example:
users connecting to 192.168.1.129:80 are brought to 192.168.1.2:80
users connecting to 192.168.1.145:80 are brought to 192.168.1.2:81

I have to put all traffic I need for accounting to "-j ULOG --ulog-nlgroup 10". And, packets should have the ips seen by users. For example:

10.10.102.50 -> 192.168.1.145:80
192.168.1.145:80 -> 10.10.102.50
and
10.10.102.50 -> 192.168.1.129:80
192.168.1.129:80 -> 10.10.102.50

BUT, instead I have:

10.10.102.50 -> 192.168.1.145:80
192.168.1.2:81 -> 10.10.102.50
and
10.10.102.50 -> 192.168.1.129:80
192.168.1.2:80 -> 10.10.102.50

So, I can ulog the packets in "state seen by users" only in the client->server direction, and I was unable to do that in the server->clients direction!

Here are the iptables rules (I don't want to ulog packets to/from the router itself):

iptables -t mangle -A PREROUTING -i br0 -j IPCAD_out
iptables -t mangle -A POSTROUTING -o br0 -j IPCAD_in

iptables -t mangle -A IPCAD_out -d 10.10.100.1 -j RETURN
iptables -t mangle -A IPCAD_out -d 192.168.1.1 -j RETURN
iptables -t mangle -A IPCAD_out -j ULOG --ulog-nlgroup 10

iptables -t mangle -A IPCAD_in -s 10.10.100.1 -j RETURN
iptables -t mangle -A IPCAD_in -s 192.168.1.1 -j RETURN
iptables -t mangle -A IPCAD_in -j ULOG --ulog-nlgroup 10

Is it possible to catch the un-DNAT'ed packet???

-- Покотиленко

From alan.franzoni.xyz at gmail.com Sat Dec 16 00:39:37 2006
From: alan.franzoni.xyz at gmail.com (Alan Franzoni)
Date: Sat Dec 16 00:39:55 2006
Subject: [LARTC] Per-process QoS on Linux?
Message-ID:

Hello,

I've tried searching for this but I don't seem to be able to find a way to search past archives in this list.

Is there a way to get per-process qos functionality in linux? At this very moment, I'm using with success a kind of 'workaround' in my server, which involves creating multiple virtual ethernet interfaces with different IPs and binding servers/daemons to different IPs.

Now, I'd like to use qos on my desktop as well, so I'd like to give a low traffic priority to one software, and a higher one to another... is there any way to get that accomplished?

-- Alan Franzoni - Remove .xyz from my address in order to contact me. - GPG Key Fingerprint (Key ID = FE068F3E): 5C77 9DC3 BD5B 3A28 E7BC 921A 0255 42AA FE06 8F3E

-------------- next part --------------
An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20061216/2e228f0b/attachment.htm

From dean at arctic.org Sat Dec 16 04:51:59 2006
From: dean at arctic.org (dean gaudet) Date: Sat Dec 16 04:52:09 2006 Subject: [LARTC] Per-process QoS on Linux? In-Reply-To: References: Message-ID: i use a mixture of multiple IP addrs and IPTOS (see http://arctic.org/~dean/mod_iptos/ for an apache 1.3.x module to set IPTOS on a per response basis). but for uid specifically you can also use "iptables blahblah -m owner --uid-owner $uid -j MARK --set-mark N" and then match the mark with tc. tc filter add dev $foo protocol ip parent 1: prio X handle N fw flowid A:B -dean On Sat, 16 Dec 2006, Alan Franzoni wrote: > Hello, > I've tried searching for this but I don't seem to be able to find a way to > search past archives in this list. > > Is there a way to get a per-process qos functionality in linux? At this very > moment, I'm using with success a kind of 'workaround' in my server, which > involves creating multiple virtual ethernet interfaces with different IPs > and binding servers/daemons to different IPs. > > Now, I'd like to use qos on my desktop as well, so I'd like to give a low > traffic priority to one software, and an higher one to another... is there > any way to get that accomplished? > > -- > Alan Franzoni > - > Togli .xyz dalla mia email per contattarmi. > Remove .xyz from my address in order to contact me. > - > GPG Key Fingerprint (Key ID = FE068F3E): > 5C77 9DC3 BD5B 3A28 E7BC 921A 0255 42AA FE06 8F3E > From alan.franzoni.xyz at gmail.com Sat Dec 16 12:56:14 2006 
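The owner-match route dean describes above (iptables -m owner --uid-owner in the mangle OUTPUT chain sets a mark, a tc fw filter matches the mark into a class) only works for packets the box generates itself, because the uid is known for locally generated packets only; forwarded traffic never matches and falls into the default class. The script below is an added example, not dean's or Alan's code: it builds a complete HTB upload setup from a small uid policy table. The interface, rates, uids, marks and class numbers are placeholders; APPLY=1 executes the commands, otherwise they are printed so the generated rules can be read first.

```shell
#!/bin/sh
# uid_qos.sh: per-process (really per-uid) priority on the upload side, using
# the owner match + MARK in mangle OUTPUT and tc fw filters into HTB classes,
# as dean describes. Added example, not code from the post: the interface,
# rates, uids, marks and class numbers are placeholders. APPLY=1 executes the
# commands, otherwise they are printed so the result can be inspected.

IF=${IF:-eth0}
UPRATE=${UPRATE:-900kbit}          # a little under the real uplink rate

# uid  mark/class  prio  rate     ceil     (one line per user treated specially)
POLICY="\
1000 10 1 500kbit $UPRATE
1001 20 2 300kbit $UPRATE
1002 30 3 100kbit $UPRATE"

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

# root_qdisc: HTB with a catch-all class 1:99 for packets carrying no mark
# (other uids, and forwarded traffic, which the owner match cannot see).
root_qdisc() {
    run tc qdisc add dev "$IF" root handle 1: htb default 99
    run tc class add dev "$IF" parent 1: classid 1:1 htb rate "$UPRATE"
    run tc class add dev "$IF" parent 1:1 classid 1:99 htb rate 100kbit ceil "$UPRATE" prio 4
    run tc qdisc add dev "$IF" parent 1:99 handle 99: sfq perturb 10
}

# uid_class UID MARK PRIO RATE CEIL: the class, its leaf qdisc, the fw filter
# that steers mark MARK into class 1:MARK, and the owner rule that sets the
# mark on everything uid UID sends out of $IF.
uid_class() {
    uid=$1; mark=$2; prio=$3; rate=$4; ceil=$5
    run tc class add dev "$IF" parent 1:1 classid "1:$mark" htb rate "$rate" ceil "$ceil" prio "$prio"
    run tc qdisc add dev "$IF" parent "1:$mark" handle "$mark:" sfq perturb 10
    run tc filter add dev "$IF" parent 1: protocol ip prio "$prio" handle "$mark" fw flowid "1:$mark"
    # owner only works in OUTPUT: the uid is known for locally generated packets only
    run iptables -t mangle -A OUTPUT -o "$IF" -m owner --uid-owner "$uid" -j MARK --set-mark "$mark"
}

# apply_policy: root qdisc, then one class per POLICY line.
apply_policy() {
    root_qdisc
    echo "$POLICY" | while read -r uid mark prio rate ceil; do
        uid_class "$uid" "$mark" "$prio" "$rate" "$ceil"
    done
}

case "${1:-}" in apply) apply_policy ;; esac
```

Each uid's traffic is guaranteed its rate and may borrow up to ceil; prio decides who gets the spare bandwidth first. A daemon that changes uid after binding, or a process run through sudo, is matched by the uid it has when it sends, not the one that started it.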
From: alan.franzoni.xyz at gmail.com (Alan Franzoni) Date: Sat Dec 16 12:56:33 2006 Subject: [LARTC] Per-process QoS on Linux? In-Reply-To: References: Message-ID: Both your suggestions were good, and I'm now experimenting. Thank you! -- Alan Franzoni - Remove .xyz from my address in order to contact me. - GPG Key Fingerprint (Key ID = FE068F3E): 5C77 9DC3 BD5B 3A28 E7BC 921A 0255 42AA FE06 8F3E -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20061216/a20cc420/attachment.html From mehta.salil at gmail.com Sat Dec 16 20:15:23 2006 From: mehta.salil at gmail.com (Salil Mehta) Date: Sat Dec 16 20:15:29 2006 Subject: [LARTC] How can I Snoop L3 level IGMP packet at L2 level(Bridging level). Message-ID: Hi All, I have to develop an IGMPSnoop application within kernel 2.6. For the same purpose, I would have to snoop L3 level IGMP packets at L2 level (bridging level). Can anybody suggest how it can be done? Does the Netfilter library support this kind of feature? Thanks In Anticipation Maverick -- -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20061217/fcd054be/attachment.htm From alex at zoomnet.ro Sat Dec 16 22:19:24 2006 From: alex at zoomnet.ro (Alexandru Dragoi) Date: Sat Dec 16 22:19:50 2006 Subject: [LARTC] Tc u32 divisor value Message-ID: <458462DC.1050906@zoomnet.ro> Hello, I wonder if there is a way to have a divisor bigger than 256 when creating hash tables with u32. It would really be great. Thanks From mehta.salil at gmail.com Sat Dec 16 22:48:52 2006
From: mehta.salil at gmail.com (Salil Mehta) Date: Sat Dec 16 22:48:58 2006 Subject: [LARTC] How can I add INTERNAL commands to shell? Message-ID: Hi, How can I add new commands (internal, not shell based external commands) to the OS *command interpreter* i.e. shell (bash, sh, ksh etc..)? Is there any document available for that? Can I know where I can get the source code of bash/sh? Also, I wanna know where the parsing of commands within the shell code happens. Thanks In Anticipation Regards Maverick -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20061217/842f3e5d/attachment.html From JGavin at netuxsolutions.com Sun Dec 17 00:18:35 2006
From: JGavin at netuxsolutions.com (Joe Gavin) Date: Sun Dec 17 00:18:43 2006 Subject: [LARTC] --set-mark policy routing problem Message-ID: <4A528114E4F50642AEDB26933C5F111602B334@coretex.ns.local> In its current configuration one of our Linux boxes has 2 DSL modems that connect to the same service provider. On the router packets coming in from the network destined for the internet are marked alternating using nth match those packets are supposed to be picked up by iproute2 and routed out the physical connections based on that mark, thereby doubling the outbound bandwidth. The problem is that only 1 of the DSL modems gets used to send the traffic. I have verified that the mark is being set. Apparently iproute2 is not applying the policy routing correctly. Has anyone encountered similar problems? In a related but different problem the local box marks packets in a similar manner using the output mangle chain but these marks are not honored by iproute2. They are routed based on the default route in the main table.(if no default route in main table they go nowhere) The iproute2 rules are like : ip ro add table 20 default dev ppp1 ip ru add fwmark 2 table 20 I feel like I am missing something that should be obvious. This box is also doing NAT so is it possible that I am seeing some odd interaction? Joe Gavin -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20061216/549f96eb/attachment.htm From mehta.salil at gmail.com Sun Dec 17 00:49:37 2006 
From: mehta.salil at gmail.com (Salil Mehta) Date: Sun Dec 17 00:49:44 2006 Subject: [LARTC] where can I find source code of bridge control utility (brctl).(bridge-utils-0.9.5.tar.gz) Message-ID: Hi All, Can anybody suggest where I can find the source code of the bridge control utility (brctl) (bridge-utils-0.9.5.tar.gz)? Regards -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20061217/1eeb3ec1/attachment.html From lists at andyfurniss.entadsl.com Sun Dec 17 12:59:33 2006 From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Sun Dec 17 12:59:43 2006 Subject: [LARTC] where can I find source code of bridge control utility (brctl).(bridge-utils-0.9.5.tar.gz) In-Reply-To: References: Message-ID: <45853125.6010706@andyfurniss.entadsl.com> Salil Mehta wrote: > Hi All, > > Can anybody suggest where I can find the source code of the bridge control utility > (brctl) (bridge-utils-0.9.5.tar.gz)? There's a link (for 1.2) on the linux-net bridge page. http://linux-net.osdl.org/index.php/Bridge Andy. From alijawad1 at gmail.com Sun Dec 17 23:57:48 2006
From: alijawad1 at gmail.com (Ali Jawad)
Date: Sun Dec 17 23:57:55 2006
Subject: [LARTC] Need help with this simple CBQ setup NEWBIE
Message-ID:

Hi

I am using the script below to limit usage for the computers on my lan with respect to download and upload. I have a 256kb up and 256 kb down connection; I want to limit the speed of each computer to 64kbyte down and 32 up as a maximum. The script below works, however it limits the up and down of the whole specified network to 64/32 ... what do I have to edit so that the script handles the requests on a per computer basis instead of the network as a whole? Thx for any suggestions

#Download Section
tc qdisc add dev eth2 root handle 11: cbq bandwidth 100Mbit avpkt \
  1000 mpu 64
tc class add dev eth2 parent 11:0 classid 11:1 cbq rate 64Kbit \
  weight 6Kbit allot 1514 prio 1 avpkt 1000 bounded
tc filter add dev eth2 parent 11:0 protocol ip handle 4 fw flowid 11:1
iptables -t mangle -A POSTROUTING -s ! 192.168.128.16/28 -d \
  192.168.128.16/28 -j MARK --set-mark 4

#Upload Section
tc qdisc add dev eth0 root handle 10: cbq bandwidth 10Mbit avpkt \
  1000 mpu 64
tc class add dev eth0 parent 10:0 classid 10:1 cbq rate 30Kbit \
  weight 3Kbit allot 1514 prio 1 avpkt 1000 bounded
tc filter add dev eth0 parent 10:0 protocol ip handle 3 fw flowid 10:1
iptables -t mangle -A FORWARD -s 192.168.128.16/28 -j MARK --set-mark 3

-- With Regards Ali Jawad

From gtaylor at riverviewtech.net Mon Dec 18 03:51:44 2006
From: gtaylor at riverviewtech.net (Grant Taylor) Date: Mon Dec 18 04:15:45 2006 Subject: [LARTC] Interesting article about punching holes in firewalls... Message-ID: <45860240.2040102@riverviewtech.net> I ran across an interesting article (http://www.heise-security.co.uk/articles/print/82481) (1) that I think any and all firewall administrators should take a few moments to read. I personally have known that using "-m state --state ESTABLISHED,RELATED" was not the most secure thing to use for returning traffic. Namely this will allow you to make a valid connection to a web server, say to retrieve a picture. Then said web server could send malicious traffic back to your computer and pass through your firewall. This is because the traffic coming from the web server to your computer is now deemed as RELATED. Previously I have written this off as not needing to worry about this (much) YET. Yet being the operative word. I have long known that I would, especially on more secure installs (read not SOHO) need to filter inbound traffic based on source / destination port. I just have not thought that it was important enough to do presently for my clientele. Unfortunately, the day where we do as much filtering on related traffic as we do on non related traffic may be closer at hand than we all would like to admit. :( Grant. . . . (1) Is a /. article "How Skype Punches Holes in Firewalls" (http://it.slashdot.org/article.pl?sid=06/12/15/191205) From rvokal at redhat.com Tue Dec 19 09:42:57 2006 
From: rvokal at redhat.com (Radek Vokál) Date: Tue Dec 19 09:42:55 2006 Subject: [LARTC] (null) in ip route get Message-ID: <4587A611.60809@redhat.com> I'm seeing strange output with iproute 2.6.18 and 2.6.19 with ip route get. Instead of (null) I would expect to see sth like mtu. Does anyone have a good explanation for it? $ ip route get 123.45.67.1 123.45.67.1 via 10.32.0.254 dev eth0 src 10.32.0.193 cache (null) 1500 ssthresh 1460 advmss 64 -- Radek Vokál Base OS Engineering - Team Lead Office: +420 543 422 235 Red Hat Inc. http://www.redhat.com From Покотиленко Tue Dec 19 11:01:53 2006
From: Покотиленко
Date: Tue Dec 19 11:00:48 2006
Subject: [LARTC] catching DNAT'ed packet
In-Reply-To: <1166204683.4051.36.camel@localhost.localdomain>
References: <1166204683.4051.36.camel@localhost.localdomain>
Message-ID: <1166522513.9727.3.camel@localhost.localdomain>

Maybe my question was too complex, I will try to make it simpler...

Is it possible to catch the un-DNAT'ed packet with the -j ULOG target?

On Fri, 15/12/2006 at 19:44 +0200, Покотиленко wrote:
> Hi.
>
> I have a Server's network with some servers in it, all with
> 192.168.1.0/25 ips. There is also a router in that network with ip
> 192.168.1.1. This router is also connected to a client's network
> 10.10.0.0/16 with ip 10.10.100.1.
>
> All services on each server are given their virtual address from one of
> two virtual networks 192.168.1.128/28 and 192.168.1.144/28.
> 192.168.1.128/28 is for freely available services, and 192.168.1.144/28
> is for services available only to authenticated ips.
>
> There is a DNAT working on the router to map virtual ip/port to
> realip/realport. That all works fine.
>
> For example:
> users connecting to 192.168.1.129:80 are brought to 192.168.1.2:80
> users connecting to 192.168.1.145:80 are brought to 192.168.1.2:81
>
> I have to put all traffic I need for accounting to "-j ULOG
> --ulog-nlgroup 10". And, packets should have the ips seen by users. For
> example:
>
> 10.10.102.50 -> 192.168.1.145:80
> 192.168.1.145:80 -> 10.10.102.50
> and
> 10.10.102.50 -> 192.168.1.129:80
> 192.168.1.129:80 -> 10.10.102.50
>
> BUT, instead I have:
>
> 10.10.102.50 -> 192.168.1.145:80
> 192.168.1.2:81 -> 10.10.102.50
> and
> 10.10.102.50 -> 192.168.1.129:80
> 192.168.1.2:80 -> 10.10.102.50
>
> So, I can ulog the packets in "state seen by users" only in the
> client->server direction, and I was unable to do that in the server->clients
> direction!
>
> Here are the iptables rules (I don't want to ulog packets to/from the router
> itself):
>
> iptables -t mangle -A PREROUTING -i br0 -j IPCAD_out
> iptables -t mangle -A POSTROUTING -o br0 -j IPCAD_in
>
> iptables -t mangle -A IPCAD_out -d 10.10.100.1 -j RETURN
> iptables -t mangle -A IPCAD_out -d 192.168.1.1 -j RETURN
> iptables -t mangle -A IPCAD_out -j ULOG --ulog-nlgroup 10
>
> iptables -t mangle -A IPCAD_in -s 10.10.100.1 -j RETURN
> iptables -t mangle -A IPCAD_in -s 192.168.1.1 -j RETURN
> iptables -t mangle -A IPCAD_in -j ULOG --ulog-nlgroup 10
>
> Is it possible to catch the un-DNAT'ed packet???
>

-- Покотиленко

From johnphilips42 at yahoo.com Wed Dec 20 00:38:18 2006
From: johnphilips42 at yahoo.com (John Philips)
Date: Wed Dec 20 00:38:30 2006
Subject: [LARTC] Override dead
Message-ID: <20061219233819.11564.qmail@web57814.mail.re3.yahoo.com>

Hello,

Like others who have posted to this list, I configured a load balancing router using Julian's patches as described in "nano.txt" for multiple ISP links. It works perfectly when all ISPs are up and running. Here's a sample diagram:

      ISP A               ISP B
        |                   |
        | WAN               | WAN
   +----+-----+        +----+-----+
   |   DSL    |        |   DSL    |
   | Router A |        | Router B |
   +----+-----+        +----+-----+
        | LAN (1.1.1.1)     | LAN (2.2.2.1)
        |                   |
        |    +---------+    |
        |eth0|  Linux  |eth1|
        +----+  Router +----+
   (1.1.1.2) |         | (2.2.2.2)
             +----+----+
                  | eth2
                  |
            Local Network

The problem is that there are times when the provider's network goes down, but our router is still able to communicate with the provider's router. For example, in the diagram above assume that ISP A's DSL network is down - the Linux Router is still able to ping DSL Router A.

So, a workaround I tried was to run a shell script once every minute as a cron job. The script runs two tests. First it tries to ping the DSL router. If that succeeds, it then tries to ping an Internet site such as google.com. The ping commands use the -I parameter to make sure the packets go out the right interface. If either of the tests fails, I adjust the load balancing rule and remove the "nexthop" parameter for the particular interface that is down. Here's an example:

Balancing rule if both interfaces are up:

ip route add default table balancing proto static \
  nexthop via 1.1.1.1 dev eth0 weight 1 \
  nexthop via 2.2.2.2 dev eth1 weight 1

Balancing rule if the second DSL line is down:

ip route add default table balancing proto static \
  nexthop via 1.1.1.1 dev eth0 weight 1

Ok, that all works fine and dandy. The problem is that if one of the WANs gets marked as down and it's removed from the balancing rule, all future ping tests to Internet hosts specifically using that interface end up failing.

The behavior is very strange. Say that eth1 is one of the WANs which was tested as down and removed from the balancing rule. If I then try to ping an Internet host using eth1 like this "ping 128.101.101.101 -I eth1", the router sends ARP requests out eth1 asking for the MAC address which corresponds to 128.101.101.101!

Has anyone experienced this problem before? What I'd really like is to be able to manually mark an interface as "dead" without actually taking it down or removing it from the load balancing route. When you run "ip route list table balancing", it will tell you if an interface is dead or not. The only downfall is as I explained at the beginning of this e-mail - there are cases where the Linux router itself can still ping the DSL router connected to it, but that DSL's Internet connection is not functional.

If the actual commands I run would be helpful, please ask and I'll post them (they're basically copied from nano.txt).

Thanks!

From luciano at lugmen.org.ar Wed Dec 20 01:21:30 2006
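The ARP requests John sees are what the output route lookup does when a packet is bound to a device (ping -I eth1) and no route matches for that device: the kernel treats the destination as on-link and resolves it with ARP. Once a link has been dropped from the balancing route there is no route left that uses eth1, so every probe through it fails and the link can never be re-admitted. The script below is an added example, not John's cron script: it gives each link a routing table of its own, selected by source address, so a probe bound to the link's address (ping -I 2.2.2.2 rather than -I eth1) always has a default route via that link's gateway whatever the balancing route currently says, and then rebuilds the balancing route from the links that pass. Addresses and device names follow the diagram in the post; the table ids 101/102, the rule priorities, the probe host, and the "balancing" table (assumed to be listed in /etc/iproute2/rt_tables) are assumptions. "setup" is run once, "check" from cron; APPLY=1 executes the commands, otherwise they are printed.

```shell
#!/bin/sh
# gw_check.sh: probe each uplink through its own routing table and rebuild the
# balancing route from the links that pass. Added example, not the poster's
# cron script. Addresses and device names follow the diagram in the post; the
# table ids 101/102, the probe host, the "balancing" table name (assumed to be
# in /etc/iproute2/rt_tables) and the rule priorities are assumptions.
# "setup" installs the per-link tables once; "check" is what cron runs.
# APPLY=1 executes the commands, otherwise they are printed.

PROBE=${PROBE:-128.101.101.101}      # a host expected to answer via any ISP

# name table dev local-address gateway weight
LINKS="\
ispA 101 eth0 1.1.1.2 1.1.1.1 1
ispB 102 eth1 2.2.2.2 2.2.2.1 1"

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

# setup: a default route per link in its own table, chosen by source address.
# These never change, so a probe bound to a link's address always has a route
# via that link's gateway even after the link has been dropped from the
# balancing route. Without such a route the kernel, given only a bound
# device, assumes the destination is on-link and ARPs for it, which is the
# symptom described in the post.
setup() {
    echo "$LINKS" | while read -r name table dev src gw weight; do
        run ip route replace default via "$gw" dev "$dev" table "$table"
        run ip rule add from "$src" table "$table" priority "$table"
    done
}

# link_up SRC GW: the gateway answers and the probe host answers through it.
# -I with an address (not a device) sets the source, so the rule above routes
# the probe via the link's own table.
link_up() {
    ping -c 2 -W 2 -I "$1" "$2" >/dev/null 2>&1 &&
    ping -c 2 -W 2 -I "$1" "$PROBE" >/dev/null 2>&1
}

# live_links: names of the links that pass both tests, one per line.
live_links() {
    echo "$LINKS" | while read -r name table dev src gw weight; do
        if link_up "$src" "$gw"; then echo "$name"; fi
    done
}

# nexthops "NAME NAME...": the nexthop arguments of the balancing route for
# the named links, in LINKS order.
nexthops() {
    echo "$LINKS" | while read -r name table dev src gw weight; do
        case " $1 " in
            *" $name "*) printf ' nexthop via %s dev %s weight %s' "$gw" "$dev" "$weight" ;;
        esac
    done
}

# balance_cmd "NAME NAME...": the ip route command that rebuilds the balancing
# route from the live links, or removes it when nothing is up.
balance_cmd() {
    hops=$(nexthops "$1")
    if [ -n "$hops" ]; then
        echo "ip route replace default table balancing proto static$hops"
    else
        echo "ip route del default table balancing"
    fi
}

# check: what cron runs every minute.
check() {
    live=$(live_links | tr '\n' ' ')
    run $(balance_cmd "$live")
}

case "${1:-}" in setup) setup ;; check) check ;; esac
```

Because the per-link tables are selected by source address and never touched by check, a link that was removed is probed through its real gateway on the next run and comes back by itself; the balancing route is replaced atomically rather than deleted and re-added, so there is no window with no default route at all.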
From: luciano at lugmen.org.ar (Luciano Ruete)
Date: Wed Dec 20 01:21:32 2006
Subject: [LARTC] load balacing with https home banking
In-Reply-To: References:
Message-ID: <200612192121.30180.luciano@lugmen.org.ar>

On Monday 11 December 2006 08:15, Marco Berizzi wrote:
> Hello everybody.
> I'm running linux 2.6.19 with nth match to alternatively snat outgoing connections to
> two different ip addresses for load balancing between two adsl lines:
> Here is:
>
> $IPTABLES -t nat -A POSTROUTING -s my_ip --protocol tcp -m multiport --dports 80,443 -m statistic --mode nth --every 2 -j SNAT --to adslA
> $IPTABLES -t nat -A POSTROUTING -s my_ip --protocol tcp -m multiport --dports 80,443 -j SNAT --to adslB
>
> Things are working pretty good, but some applications (https home banking for example)
> don't work correctly (because the remote server sees two different ip addresses). Is
> there any trick to tell iptables to snat always with the same source ip for the same
> destination host? I have also modified SNAT with SAME, but no luck.

You need to use iptables CONNMARK to keep track of "which conn" with "which ISP", see this[1] thread for reference and a nano HOWTO.

[1]http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html

-- Luciano

From senthil at multitech.co.in Wed Dec 20 06:56:24 2006
From: senthil at multitech.co.in (senthil)
Date: Wed Dec 20 06:52:49 2006
Subject: [LARTC] Disable netfilter for bridged traffic
Message-ID: <4588D088.3050702@multitech.co.in>

Hi All,

Can anybody suggest how I can disable netfilter for bridged traffic in the linux-2.4.27 kernel?

Thanks and Regards,
Senthil

From pupilla at hotmail.com Wed Dec 20 10:06:44 2006
From: pupilla at hotmail.com (Marco Berizzi)
Date: Wed Dec 20 10:07:00 2006
Subject: [LARTC] load balacing with https home banking
References: <200612192121.30180.luciano@lugmen.org.ar>
Message-ID:

Luciano Ruete wrote:
> You need to use iptables CONNMARK to keep track of "which conn" with "which
> ISP", see this[1] thread for reference and a nano HOWTO.
>
> [1]http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html

Thanks for the hint, however the real setup is a little different and AFAIK the connmark approach doesn't help.

This linux box has three ip addresses: 1 for the main internet link (hdsl_ip) plus 2 others for the two adsl connections (all bound to eth0). The box's default gateway is the hdsl ISP router. This is used for ipsec tunnels (driven by swan), and other 'serious' traffic:

/sbin/route add default gw hdsl_router metric 1

Then there is the route for the two adsl links, which are used for internet surfing traffic:

ip route add default equalize table adsl \
  nexthop dev eth0 via adsl_router_A weight 1 \
  nexthop dev eth0 via adsl_router_B weight 1
ip rule add fwmark 1 table adsl priority 400
$IPTABLES -t mangle -A OUTPUT --protocol tcp -m multiport --dports 80,443 -j MARK --set-mark 1

Squid is running on top of this same box. What I'm trying to do is to split the browsing traffic (that generated by squid) between the two adsl lines. The problem is the packet source ip sent by squid, which is taken from the default route, so I must nat these packets with these rules:

$IPTABLES -t nat -A POSTROUTING -s hdsl_ip --protocol tcp -m multiport --dports 80,443 -m statistic --mode nth --every 2 -j SNAT --to adsl_A
$IPTABLES -t nat -A POSTROUTING -s hdsl_ip --protocol tcp -m multiport --dports 80,443 -j SNAT --to adsl_B

From alijawad1 at gmail.com Wed Dec 20 10:23:41 2006
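In Marco's setup above the line a connection is SNATed to (decided per connection by the nth rule in nat POSTROUTING) and the gateway it is sent through (decided by the multipath route in table adsl) are chosen independently, so a packet can carry adsl_A's address out through adsl_router_B. The CONNMARK approach Luciano points to ties the two together: the first packet of a connection picks a line and the choice is stored on the connection, every later packet reloads it, and both the ip rule and the SNAT rule key on that one mark. The script below is an added example, not Marco's rules: the address placeholders are the post's; the per-line tables adslA/adslB (assumed to be listed in /etc/iproute2/rt_tables), the mark values 1 and 2 and the rule priorities are assumptions. It keeps source address and gateway consistent for every packet of a connection; keeping all connections to one destination host on the same line is the separate question the thread does not settle. APPLY=1 executes the commands, otherwise they are printed.

```shell
#!/bin/sh
# sticky_adsl.sh: per-connection line selection for locally generated (squid)
# traffic, with CONNMARK keeping the route and the SNAT address in agreement.
# Added example, not the poster's rules. Address placeholders follow the post;
# the tables adslA/adslB (assumed in /etc/iproute2/rt_tables), the marks 1/2
# and the rule priorities are assumptions. APPLY=1 executes the commands,
# otherwise they are printed.

IPTABLES=${IPTABLES:-/usr/sbin/iptables}
HDSL_IP=${HDSL_IP:-hdsl_ip}
ADSL_A=${ADSL_A:-adsl_A};  GW_A=${GW_A:-adsl_router_A}
ADSL_B=${ADSL_B:-adsl_B};  GW_B=${GW_B:-adsl_router_B}
PORTS=${PORTS:-80,443}

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

# mark_rules: in mangle OUTPUT, the hook locally generated packets pass before
# the final route lookup, reload the connection's mark. A connection without
# one yet (its first packet) gets line A or B alternately and the choice is
# saved on the connection, so every later packet reloads the same mark.
mark_rules() {
    run $IPTABLES -t mangle -N ADSL_PICK
    run $IPTABLES -t mangle -A OUTPUT -s "$HDSL_IP" -p tcp -m multiport --dports "$PORTS" -j ADSL_PICK
    run $IPTABLES -t mangle -A ADSL_PICK -j CONNMARK --restore-mark
    run $IPTABLES -t mangle -A ADSL_PICK -m mark ! --mark 0 -j RETURN
    run $IPTABLES -t mangle -A ADSL_PICK -m statistic --mode nth --every 2 --packet 0 -j MARK --set-mark 1
    run $IPTABLES -t mangle -A ADSL_PICK -m mark --mark 0 -j MARK --set-mark 2
    run $IPTABLES -t mangle -A ADSL_PICK -j CONNMARK --save-mark
}

# route_rules: one table per line, selected by the mark. A mark set in mangle
# OUTPUT makes the kernel re-route the packet, so it leaves via the gateway
# matching the mark instead of the main table's hdsl default.
route_rules() {
    run ip route replace default via "$GW_A" dev eth0 table adslA
    run ip route replace default via "$GW_B" dev eth0 table adslB
    run ip rule add fwmark 1 table adslA priority 400
    run ip rule add fwmark 2 table adslB priority 401
}

# nat_rules: the source address follows the same mark, so a packet never
# carries line A's address through line B's router. NAT is decided on the
# first packet of a connection, so it stays consistent on its own.
nat_rules() {
    run $IPTABLES -t nat -A POSTROUTING -m mark --mark 1 -s "$HDSL_IP" -j SNAT --to "$ADSL_A"
    run $IPTABLES -t nat -A POSTROUTING -m mark --mark 2 -s "$HDSL_IP" -j SNAT --to "$ADSL_B"
}

case "${1:-}" in apply) mark_rules; route_rules; nat_rules ;; esac
```

The nth counter only advances for packets that reach its rule, i.e. the first packet of each new connection, so lines alternate per connection rather than per packet. The hdsl default route and the ipsec traffic are untouched because only tcp 80/443 from hdsl_ip enters ADSL_PICK.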
From: alijawad1 at gmail.com (Ali Jawad)
Date: Wed Dec 20 10:23:50 2006
Subject: [LARTC] Need Help with this simple CBQ scripts
Message-ID:

Hi

I am using the script below to limit usage for the computers on my lan with respect to download and upload. I have a 256kb up and 256 kb down connection; I want to limit the speed of each computer to 64kbyte down and 32 up as a maximum. The script below works, however it limits the up and down of the whole specified network to 64/32 ... what do I have to edit so that the script handles the requests on a per computer basis instead of the network as a whole? Thx for any suggestions

#Download Section
tc qdisc add dev eth2 root handle 11: cbq bandwidth 100Mbit avpkt \
  1000 mpu 64
tc class add dev eth2 parent 11:0 classid 11:1 cbq rate 64Kbit \
  weight 6Kbit allot 1514 prio 1 avpkt 1000 bounded
tc filter add dev eth2 parent 11:0 protocol ip handle 4 fw flowid 11:1
iptables -t mangle -A POSTROUTING -s ! 192.168.128.16/28 -d \
  192.168.128.16/28 -j MARK --set-mark 4

#Upload Section
tc qdisc add dev eth0 root handle 10: cbq bandwidth 10Mbit avpkt \
  1000 mpu 64
tc class add dev eth0 parent 10:0 classid 10:1 cbq rate 30Kbit \
  weight 3Kbit allot 1514 prio 1 avpkt 1000 bounded
tc filter add dev eth0 parent 10:0 protocol ip handle 3 fw flowid 10:1
iptables -t mangle -A FORWARD -s 192.168.128.16/28 -j MARK --set-mark 3

-- With Regards Ali Jawad

From Покотиленко Wed Dec 20 11:12:41 2006
From: Покотиленко
Date: Wed Dec 20 11:11:47 2006
Subject: [LARTC] load balacing with https home banking
In-Reply-To: <200612192121.30180.luciano@lugmen.org.ar>
References: <200612192121.30180.luciano@lugmen.org.ar>
Message-ID: <1166609561.3753.5.camel@localhost.localdomain>

Look at this:

iptables v1.3.6
Kernel 2.6.17

man iptables

search for the "SAME" target:

SAME
    Similar to SNAT/DNAT depending on chain: it takes a range of addresses
    (`--to 1.2.3.4-1.2.3.7') and gives a client the same source-/destination-address
    for each connection.

    --to
        Addresses to map source to. May be specified more than once for multiple ranges.
    --nodst
        Don't use the destination-ip in the calculations when selecting the new source-ip

On Tue, 19/12/2006 at 21:21 -0300, Luciano Ruete wrote:
> On Monday 11 December 2006 08:15, Marco Berizzi wrote:
> > Hello everybody.
> > I'm running linux 2.6.19 with nth match to alternatively snat outgoing connections to
> > two different ip addresses for load balancing between two adsl lines:
> > Here is:
> >
> > $IPTABLES -t nat -A POSTROUTING -s my_ip --protocol tcp -m multiport --dports 80,443 -m statistic --mode nth --every 2 -j SNAT --to adslA
> > $IPTABLES -t nat -A POSTROUTING -s my_ip --protocol tcp -m multiport --dports 80,443 -j SNAT --to adslB
> >
> > Things are working pretty good, but some applications (https home banking for example)
> > don't work correctly (because the remote server sees two different ip addresses). Is
> > there any trick to tell iptables to snat always with the same source ip for the same
> > destination host? I have also modified SNAT with SAME, but no luck.
>
> You need to use iptables CONNMARK to keep track of "which conn" with "which ISP",
> see this[1] thread for reference and a nano HOWTO.
>
> [1]http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html

-- Покотиленко
From pupilla at hotmail.com Wed Dec 20 11:30:50 2006
From: pupilla at hotmail.com (Marco Berizzi)
Date: Wed Dec 20 11:30:53 2006
Subject: [LARTC] load balacing with https home banking
References: <200612192121.30180.luciano@lugmen.org.ar> <1166609561.3753.5.camel@localhost.localdomain>
Message-ID:

Покотиленко wrote:
> search for the "SAME" target:

I have already tried. See below.

> > > destination host? I have also modified SNAT
> > > with SAME, but no luck.

From arik.funke at gmx.de Wed Dec 20 13:58:54 2006
From: arik.funke at gmx.de (Arik Raffael Funke)
Date: Wed Dec 20 13:59:32 2006
Subject: [LARTC] Re: ipp2p Problem
In-Reply-To: <200612131924.02032.kajtek@biezanow.net>
References: <200612131924.02032.kajtek@biezanow.net>
Message-ID:

Kajetan Staszkiewicz wrote:
> On Wednesday, 13 December 2006 18:55, Arik Raffael Funke wrote:
>
>> But the command given at the beginning does not work. It gives in dmesg:
>> ip_tables: ipp2p match: invalid size 0 != 8
>
> I had the same problems when I had too new a kernel with too old an ipp2p. Try 0.8.2.

Thanks. That was indeed the solution.

Regards,
Arik

From WBohannan at spidersat.com.gh Wed Dec 20 17:32:52 2006
From: WBohannan at spidersat.com.gh (William Bohannan)
Date: Wed Dec 20 17:33:06 2006
Subject: [LARTC] blocking traffic on the FORWARD chain using physdev
In-Reply-To: <1166100061.4538.105.camel@OSCARLAPLIN>
Message-ID: <4D411FB02758FE45915E9724339093F615342F@intranet.scpl.local>

Still can't seem to block on the FORWARD chain in one direction. I tried

ebtables -I FORWARD 1 -i eth0 -p ip --ip-protocol icmp -j DROP

Just as a test, with no other rules enabled at all (in iptables, tc or ebtables), and it blocks both directions. Please can someone help?

Kind Regards
William

-----Original Message-----
From: Oscar Mechanic [mailto:oscar@ufomechanic.net] Sent: 14 December 2006 12:41 To: William Bohannan Cc: lartc@mailman.ds9a.nl Subject: RE: [LARTC] blocking traffic on the FORWARD chain using physdev Are you sure you want to block ICMP how about PMTU ebtables -I FORWARD 1 -i eth0 -p ip --ip-protocol icmp On Thu, 2006-12-14 at 21:34 +0900, William Bohannan wrote: > Thanks for that. Would you be able to give a simple example on how to > block outgoing traffic using ebtables and icmp? as I get an error when > using icmp? > > ebtables -A FORWARD -i eth1 -p icmp -j DROP > > Error message - "Problem with the specified protocol." > > > Kind Regards > William > > > -----Original Message----- 
> From: Oscar Mechanic [mailto:oscar@ufomechanic.net] > Sent: 14 December 2006 12:27 > To: William Bohannan > Cc: lartc@mailman.ds9a.nl > Subject: Re: [LARTC] blocking traffic on the FORWARD chain using physdev > > Hi > > Physdev may no longer be supported soon something to do with hooks > and how this is difficult to support. I have stopped using it cause I > found some odd behavior in physdev-in, out seemed fine I remember. I use > ebtables and marks for this now. > > > On Thu, 2006-12-14 at 20:55 +0900, William Bohannan wrote: > > Currently using physdev on a bridge to try and isolate certain paths > > across and to the bridge. It all works except when trying to stop the > > flow in one direction on the FORWARD chain?? Can someone please help?? > > > > Below is the testing done so far. > > > > eth1 <---> BRIDGE <---> eth0 > > > > # Block (eth0 ---> eth1) - blocks both directions and not just one?? > > iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP > > > > # Block (eth0 <--- eth1) - blocks both directions and not just one?? > > iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP > > > > # Block (eth0 ---> BRIDGE) - working > > iptables -A INPUT -m physdev --physdev-in eth0 -p icmp -j DROP > > > > # Block (eth0 <--- BRIDGE) - working > > iptables -A OUTPUT -m physdev --physdev-out eth0 -p icmp -j DROP > > > > # Block (eth1 ---> BRIDGE) - working > > iptables -A INPUT -m physdev --physdev-in eth1 -p icmp -j DROP > > > > # Block (eth1 <--- BRIDGE) - working > > iptables -A OUTPUT -m physdev --physdev-out eth1 -p icmp -j DROP > > > > > > Kind Regards > > William > > > > _______________________________________________ > > LARTC mailing list > > > LARTC@mailman.ds9a.nlhttp://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lar > tc > From WBohannan at spidersat.com.gh Wed Dec 20 17:37:20 2006 
From: WBohannan at spidersat.com.gh (William Bohannan)
Date: Wed Dec 20 17:37:27 2006
Subject: [LARTC] blocking traffic on the FORWARD chain using physdev
In-Reply-To: <4D411FB02758FE45915E9724339093F615342F@intranet.scpl.local>
Message-ID: <4D411FB02758FE45915E9724339093F6153432@intranet.scpl.local>

All good, had input instead of forward on the establish / related, now fixed. To test I used:

    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m physdev --physdev-in eth0 -p icmp -j DROP

Works great!

Kind Regards
William

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
From: brenwilliam at gmail.com (Brenda Lindsay Williams)
Date: Wed Dec 20 17:40:57 2006
Subject: [LARTC] Concerning IP over ATM & IP over Ethernet.
Message-ID:

Hi there. I'm Brenda from Australia. I wanna work on a project relating to VOIP QoS. I wanna evaluate IP over ATM against IP over Ethernet on the following parameters relating to voice and video traffic:

    bandwidth consumption
    packet loss
    packet delay (latency)
    jitter
    traffic throughput

Is this project feasible? Can I use NS to simulate the models? I hope you reply. Thanks.

Best regards.

From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Wed Dec 20 20:36:19 2006
Subject: [LARTC] Concerning IP over ATM & IP over Ethernet.
In-Reply-To:
References:
Message-ID: <458990BF.9090101@riverviewtech.net>

Brenda Lindsay Williams wrote:
> Hi there. I'm Brenda from Australia. I wanna work on a project
> relating to VOIP QoS. I wanna evaluate IP over ATM against IP over
> Ethernet on the following parameters relating to voice and video traffic:
>
> bandwidth consumption
> packet loss
> packet delay (latency)
> jitter
> traffic throughput
>
> Is this project feasible? Can I use NS to simulate the models? I hope you
> reply. Thanks.

Do some reading on the 'patch to allow for the ATM "cell tax"' thread from earlier this year. I think you will find some links to some good information on what you are wanting to do. Something to keep in mind is the difference between Classical IP directly on an ATM VC versus Bridged Ethernet (RFC 1483 / 2684) and its associated PPPoE therein. There is also ATM LAN Emulation to contend with.

http://mailman.ds9a.nl/pipermail/lartc/2006q1/018287.html

Grant. . . .
From: mark at dueck.bz (Mark Dueck)
Date: Wed Dec 20 23:43:42 2006
Subject: [LARTC] Session Limiting per host
In-Reply-To: <6.2.5.6.0.20061204144026.01e57e80@dueck.bz>
References: <20061123091815.89629.qmail@web90406.mail.mud.yahoo.com> <003101c717e2$9c5c9770$0101010a@lamachine> <6.2.5.6.0.20061204144026.01e57e80@dueck.bz>
Message-ID: <6.2.5.6.0.20061220163351.01e43cb0@dueck.bz>

Someone else asked a similar question a few weeks ago, but he wanted to do some advanced "if this then that" session limiting. Has someone here done session limiting per host?

My situation is this: I have 2 direcway (Hughes now) satellites that I'm sharing out to some clients. I only get about 50 sessions per sat, so if any one of my clients has limewire or emule open with its default sessions set to 300, no one can browse, or it's extremely sluggish.

I had a Hotbrick doing the dual wan, and it had session limiting per IP address. Now the hotbrick failed on me, and I need something else to limit the sessions. Just a simple limit of say 15 sessions per IP, or 15 new sessions / second per IP.

This site http://www.gentoo.org/doc/en/articles/dynamic-iptables-firewalls.xml#doc_chap3 has some very good scripts, one that almost does that, but it's not a "through traffic" limit. It's a limit directly to itself. Will this work, or what modifications would need to be made to it? I'm not really advanced enough in linux, and have not had the time to really try it.

Thanks
Mark
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Thu Dec 21 01:03:21 2006
Subject: [LARTC] Session Limiting per host
In-Reply-To: <6.2.5.6.0.20061220163351.01e43cb0@dueck.bz>
References: <20061123091815.89629.qmail@web90406.mail.mud.yahoo.com> <003101c717e2$9c5c9770$0101010a@lamachine> <6.2.5.6.0.20061204144026.01e57e80@dueck.bz> <6.2.5.6.0.20061220163351.01e43cb0@dueck.bz>
Message-ID: <4589CF57.6040808@riverviewtech.net>

Mark Dueck wrote:
> My situation is this: I have 2 direcway (Hughes now) satellites that I'm
> sharing out to some clients. I only get about 50 sessions per sat, so
> if any one of my clients has limewire or emule open with its default
> sessions set to 300, no one can browse, or it's extremely sluggish.
>
> I had a Hotbrick doing the dual wan, and it had session limiting per IP
> address. Now the hotbrick failed on me, and I need something else to
> limit the sessions. Just a simple limit of say 15 sessions per IP, or
> 15 new sessions / second per IP.

Take a look at the connlimit match extension.

    connlimit
        Allows you to restrict the number of parallel TCP connections to a
        server per client IP address (or address block).

        [!] --connlimit-above n
               match if the number of existing tcp connections is (not) above n
        --connlimit-mask bits
               group hosts using mask

        Examples:

        # allow 2 telnet connections per client host
        iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

        # you can also match the other way around:
        iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT

        # limit the nr of parallel http requests to 16 per class C sized
        # network (24 bit netmask)
        iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT

Grant. . . .
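Both limits Mark asked for, applied to forwarded traffic, as an added example (this is not code from the thread or from the Gentoo article Mark cites). The client network, the two numbers and the use of hashlimit for the per-second limit are assumptions; connlimit as shown in the man page excerpt above counts TCP connections only, so the rate limit on NEW conntrack entries is what also catches UDP-heavy peer-to-peer clients. `IPT` defaults to a dry run that prints the rules; set `IPT=iptables` to load them (on iptables versions from that era spell `--hashlimit-upto` as `--hashlimit`).

```shell
#!/bin/sh
# Added example: per-client session limits on a router that forwards for a LAN.
# LAN_NET and the two limits are assumptions for the demo.
# IPT defaults to a dry run that prints the rules; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # assumed client network behind the router
MAX_PARALLEL="${MAX_PARALLEL:-15}"        # open TCP connections allowed per client IP
MAX_NEW_PER_SEC="${MAX_NEW_PER_SEC:-15}"  # new connections per second per client IP

per_host_session_limits() {
    # Replies first: the limits below then only ever judge new connections.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Hard cap on parallel TCP connections per source address; mask 32 means
    # "count per host" (a shorter mask would pool a whole subnet into one count).
    # FORWARD, not INPUT, because this is through traffic, not traffic to the router.
    $IPT -A FORWARD -s "$LAN_NET" -p tcp --syn \
        -m connlimit --connlimit-above "$MAX_PARALLEL" --connlimit-mask 32 \
        -j REJECT --reject-with tcp-reset
    # Rate limit on new connections of any protocol: hashlimit keeps one token
    # bucket per source IP (--hashlimit-mode srcip), so one client's P2P
    # program cannot eat the satellite's whole session budget.
    $IPT -A FORWARD -s "$LAN_NET" -m state --state NEW \
        -m hashlimit --hashlimit-upto "${MAX_NEW_PER_SEC}/sec" \
        --hashlimit-burst "$MAX_NEW_PER_SEC" \
        --hashlimit-mode srcip --hashlimit-name newconn \
        -j ACCEPT
    # A NEW connection that did not fit in its bucket is dropped, not queued.
    $IPT -A FORWARD -s "$LAN_NET" -m state --state NEW -j DROP
}

per_host_session_limits
```

The order matters: the stateful ACCEPT must come first, otherwise return packets of already-accepted connections would be counted against the NEW-connection bucket, and the connlimit REJECT must precede the hashlimit ACCEPT so that a host at its parallel-connection cap is refused even when its per-second rate is fine.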
From: surda at shurdix.com (Peter Surda)
Date: Thu Dec 21 08:11:16 2006
Subject: [LARTC] Interesting article about punching holes in firewalls...
In-Reply-To: <45860240.2040102@riverviewtech.net>
References: <45860240.2040102@riverviewtech.net>
Message-ID: <458A337B.1060400@shurdix.com>

Grant Taylor wrote:
> I personally have known that using "-m state --state
> ESTABLISHED,RELATED" was not the most secure thing to use for returning
> traffic.

Actually, what the described method accomplishes is not defeating the "firewall" part, but the "NAT" part. If one of the hosts was not behind a NAT, the traffic would flow even with ESTABLISHED,RELATED, because it belongs to an active "connection".

> Namely this will allow you to make a valid connection to a web
> server, say to retrieve a picture. Then said web server could send
> malicious traffic back to your computer and pass through your firewall.

Please note it does not allow you to create a new connection, just use POTENTIAL connections that wouldn't work due to NAT.

> Grant. . . .

Yours sincerely,

Peter

--
http://www.shurdix.org - Linux distribution for routers and firewalls
From: c-d.hailfinger.devel.2006 at gmx.net (Carl-Daniel Hailfinger)
Date: Thu Dec 21 08:57:44 2006
Subject: [LARTC] Interesting article about punching holes in firewalls...
In-Reply-To: <45860240.2040102@riverviewtech.net>
References: <45860240.2040102@riverviewtech.net>
Message-ID: <458A3E69.50600@gmx.net>

Grant Taylor wrote:
> I ran across an interesting article
> (http://www.heise-security.co.uk/articles/print/82481) (1) that I think
> any and all firewall administrators should take a few moments to read.

The article only reiterates the same old stories and FUD which have been known for years.

> I personally have known that using "-m state --state
> ESTABLISHED,RELATED" was not the most secure thing to use for returning
> traffic. Namely this will allow you to make a valid connection to a web
> server, say to retrieve a picture. Then said web server could send
> malicious traffic back to your computer and pass through your firewall.
> This is because the traffic coming from the web server to your computer
> is now deemed as RELATED. Previously I have written this off as not

This is wrong on so many levels. Please reread the article. Then read the source code of your favourite firewalling system. All of those "attacks" require cooperation from your side. And if you (or someone using the computer you try to protect) are actively cooperating with the attacker, "fixing" the firewall should be the least important of your problems.

A small hint about the most obvious problem in your web server example: HTTP does not have any concept of RELATED connections. You could claim FTP was used to download the image, but then your scenario would require an FTP server instead of a web (HTTP(S)) server.

I'm still seeing people who absolutely want to deploy the iptables UNCLEAN match to "make their network more secure".

Regards,
Carl-Daniel

--
http://www.hailfinger.org/
From: gregoriandres at yahoo.com.ar (LinuXKiD)
Date: Thu Dec 21 12:27:50 2006
Subject: [LARTC] zph patch website broken ?
Message-ID:

Hi,

I used to patch my squid with the ZPH patch from http://www.it-academy.bg/zph/

> The idea behind this patch is to allow classification
> of packets generated from the squid cache engine towards
> clients.
> The classification is based on whether the content is
> being served from cache (a cache HIT), or
> is being retrieved from a remote server (a cache MISS).

Very useful patch! However, since a while ago, I can't reach the above link... If Marin or somebody sees this mail, please advise that the web site is offline. Is hosting the problem??

best regards
Andres.
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Thu Dec 21 16:37:10 2006
Subject: [LARTC] Interesting article about punching holes in firewalls...
In-Reply-To: <458A3E69.50600@gmx.net>
References: <45860240.2040102@riverviewtech.net> <458A3E69.50600@gmx.net>
Message-ID: <458AAA34.6010201@riverviewtech.net>

Carl-Daniel Hailfinger wrote:
>> I personally have known that using "-m state --state
>> ESTABLISHED,RELATED" was not the most secure thing to use for returning
>> traffic. Namely this will allow you to make a valid connection to a web
>> server, say to retrieve a picture. Then said web server could send
>> malicious traffic back to your computer and pass through your firewall.
>> This is because the traffic coming from the web server to your computer
>> is now deemed as RELATED. Previously I have written this off as not
>
> This is wrong on so many levels. Please reread the article. Then read
> the source code of your favourite firewalling system. All of those
> "attacks" require cooperation from your side. And if you (or someone
> using the computer you try to protect) are actively cooperating with
> the attacker, "fixing" the firewall should be the least important of
> your problems.

I have read the article. I suspect that my uncertainty has to do with lack of knowledge of how the SPI portion of the code works. I am not qualified to read the source code to make an informed opinion. I was (mis)believing that the SPI was very simple in the fact that it would classify any returning traffic coming back from a host as related. Now, I'm getting the impression that this is not the case and that only specific packets are considered related.

Can / will someone that is more versed in programming / reading source code please give me a brief overview of how the kernel decides what is and is not related.

Grant. . . .
From: rob0 at gmx.co.uk (/dev/rob0)
Date: Thu Dec 21 16:55:59 2006
Subject: [LARTC] Interesting article about punching holes in firewalls...
In-Reply-To: <458AAA34.6010201@riverviewtech.net>
References: <45860240.2040102@riverviewtech.net> <458A3E69.50600@gmx.net> <458AAA34.6010201@riverviewtech.net>
Message-ID: <200612210955.48703.rob0@gmx.co.uk>

On Thursday 21 December 2006 09:37, Grant Taylor wrote:
> I have read the article. I suspect that my uncertainty has to do
> with lack of knowledge of how the SPI portion of the code works. I am not
> qualified to read the source code to make an informed opinion. I was
> (mis)believing that the SPI was very simple in the fact that it would
> classify any returning traffic coming back from a host as related.
> Now, I'm getting the impression that this is not the case and that
> only specific packets are considered related.
>
> Can / will someone that is more versed in programming / reading
> source code please give me a brief overview of how the kernel decides
> what is and is not related.

That is not me, but I have in the past had the same question answered on the netfilter list. The protocol-specific helper drivers such as ip_conntrack_$PROTOCOL are the ones that define state "RELATED". If you're not using a "helped" protocol, you will have no RELATED packets.

--
Offlist mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header
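The defensive consequence of that answer, as an added example (not code from the thread): RELATED entries are created by protocol helpers that register an expectation (ftp, irc and so on) and, with no helper involved, by the ICMP tracker for error messages that refer to an already tracked connection. A firewall can therefore name the helpers it actually needs and accept RELATED only from them. The rules below use the `CT` target, the `helper` match and the `net.netfilter.nf_conntrack_helper` sysctl, all of which arrived in kernels years after this thread (the sysctl was removed again in Linux 6.0), so their availability is an assumption; `IPT` and `SYSCTL` default to printing the commands.

```shell
#!/bin/sh
# Added example: accept RELATED traffic only when a helper we named created the
# expectation. Needs a kernel with the CT target and the helper match
# (assumption); the nf_conntrack_helper sysctl exists on kernels before 6.0.
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"

related_only_via_named_helpers() {
    # 1. No automatic helper assignment by port number: a connection to port
    #    21 on some host that is not an FTP server must not grow an FTP
    #    expectation that later lets a "data connection" in.
    $SYSCTL -w net.netfilter.nf_conntrack_helper=0
    # 2. Attach the FTP helper explicitly, and only to FTP control traffic.
    $IPT -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    $IPT -t raw -A OUTPUT     -p tcp --dport 21 -j CT --helper ftp
    # 3. Replies to connections we already track.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
    # 4. RELATED from the FTP helper only (its data connections), TCP only.
    $IPT -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -p tcp -j ACCEPT
    # 5. ICMP errors about our own connections are RELATED without any helper.
    $IPT -A INPUT -m conntrack --ctstate RELATED -p icmp -j ACCEPT
    # 6. Any other RELATED packet is unexpected: log a sample, then drop it.
    $IPT -A INPUT -m conntrack --ctstate RELATED -m limit --limit 5/min -j LOG --log-prefix "unexpected RELATED: "
    $IPT -A INPUT -m conntrack --ctstate RELATED -j DROP
}

related_only_via_named_helpers
```

With this layout the classic `-m state --state ESTABLISHED,RELATED -j ACCEPT` line is split in two: ESTABLISHED stays unconditional, while RELATED is only as wide as the list of helpers the administrator chose to load, which is exactly the set of protocols that can produce it.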
From: shemminger at osdl.org (Stephen Hemminger)
Date: Thu Dec 21 22:24:32 2006
Subject: [LARTC] Interesting article about punching holes in firewalls...
In-Reply-To: <45860240.2040102@riverviewtech.net>
References: <45860240.2040102@riverviewtech.net>
Message-ID: <20061220132329.61fc18da@freekitty>

On Sun, 17 Dec 2006 20:51:44 -0600
Grant Taylor wrote:

> I ran across an interesting article
> (http://www.heise-security.co.uk/articles/print/82481) (1) that I think
> any and all firewall administrators should take a few moments to read.
>
> I personally have known that using "-m state --state
> ESTABLISHED,RELATED" was not the most secure thing to use for returning
> traffic. Namely this will allow you to make a valid connection to a web
> server, say to retrieve a picture. Then said web server could send
> malicious traffic back to your computer and pass through your firewall.
> This is because the traffic coming from the web server to your
> computer is now deemed as RELATED. Previously I have written this off
> as not needing to worry about this (much) YET. Yet being the operative
> word. I have long known that I would, especially on more secure
> installs (read not SOHO) need to filter inbound traffic based on source
> / destination port. I just have not thought that it was important
> enough to do presently for my clientele. Unfortunately, the day where
> we do as much filtering on related traffic as we do on non related
> traffic may be closer at hand than we all would like to admit. :(
>
> Grant. . . .
>
> (1) Is a /. article "How Skype Punches Holes in Firewalls"
> (http://it.slashdot.org/article.pl?sid=06/12/15/191205)
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

This isn't new, it's STUNT (Simple Traversal of UDP through NAT and TCP). See: http://nutss.gforge.cis.cornell.edu/stunt.php

It has been studied by Internet researchers for a while. But for most users, NAT is an impediment to connectivity, and STUNT is a good thing. You should be able to block it with netfilter connection tracking.

--
Stephen Hemminger
From: adamneat at anoti.com (Adam Neat)
Date: Sun Dec 24 01:03:31 2006
Subject: [LARTC] Question regarding Split Access description
Message-ID: <200612240003.kBO0341c015159@saturn-ng2.iridiumhosting.com>

Hi All,

I'm a big user of the LARTC document but am currently stuck with a question around section 4.2 (http://lartc.org/howto/lartc.rpdb.multiple-links.html) in relation to "Routing for multiple uplinks/providers".

I'm wanting to do a similar setup to the diagram where I have - lets just say for the moment - two uplink providers where I want to route over two SHDSL lines for performance and availability. I have two separate IP ranges, one from each, and I plan to give key servers on the Local Network two IPs.

In your example your ip route commands are inferring one router - if I had two routers, one connected to each of the two providers, are those setup commands applicable, by changing the destination values to be the internet Ethernet interface of the other router for the other link? Eg:

Router 1 - Provider 1:

    ip route add $P1_NET dev $IF1 src $IP1 table T1
    ip route add default via $P1 table T1
    ip route add $P2_NET gw $RTR2 src $IP2 table T2
    ip route add default via $P1
    ip rule add from $IP1 table T1
    ip rule add from $IP2 table T2
    ip route add default scope global nexthop via $P1 dev $IF1 weight 1 \
        nexthop via $P2 gw $RTR2 weight 1

Router 2 - Provider 2:

    ip route add $P2_NET dev $IF2 src $IP2 table T2
    ip route add default via $P2 table T2
    ip route add $P1_NET gw $RTR1 src $IP1 table T2
    ip route add default via $P2
    ip rule add from $IP1 table T1
    ip rule add from $IP2 table T2
    ip route add default scope global nexthop via $P2 dev $IF1 weight 1 \
        nexthop via $P1 gw $RTR1 weight 1

Then for each machine on the network, would I give them two default routes (one to each gw) or? I can't seem to get my head around how this should work and I'm low on spare lab machines to test this out.

Appreciate any guidance, Season Greetings and Regards

Adam
From: adamneat at anoti.com (Adam Neat)
Date: Sun Dec 24 08:04:13 2006
Subject: [LARTC] RE: Question regarding Split Access description
Message-ID: <200612240703.kBO73l1c018220@saturn-ng2.iridiumhosting.com>

All,

Further to this email below, in order to get split access load balancing across the two SHDSL services in the diagram below, I'm thinking it makes more sense to have the standard split access configuration (as outlined in section 4.2 of the LARTC document). That is, on the ETH RTR, have this:

    ip route add $P1_NET dev $IF1 src $IP1 table T1
    ip route add default via $P1 table T1
    ip route add $P2_NET dev $IF2 src $IP2 table T2
    ip route add default via $P2 table T2
    ip route add $P1_NET dev $IF1 src $IP1
    ip route add $P2_NET dev $IF2 src $IP2
    ip route add default via $P1
    ip rule add from $IP1 table T1
    ip rule add from $IP2 table T2

                                                +------------+
                              y.y.y.1/30        |            |               ________
                              +-----------------+ SHDSL RTR1 +-- SHDSL line /        \
                              |       y.y.y.2/30|            |            _/          \_
                              |       b.b.b.b/32+------------+           /              \
                      +-------+------+                                  |                |
                      |      if1     |                                  |    Internet    |
Local network --------+if3  ETH RTR  |                                  |                |
                      |      if2     |                                  \_              _/
                      +-------+------+                                    \            /
                              |       x.x.x.2/30+------------+             \________/
                              |                 |            |                 /
                              +-----------------+ SHDSL RTR2 +-- SHDSL line --
                                  x.x.x.1/30    |            |
                                  a.a.a.a/32    +------------+

This way the complexity in having multiple default routes from two IP ranges (one from each provider) from the hosts in the local network (web app server, email, etc) is removed by having just the IF3 interface on the ETH RTR as the default route for the local network servers, and then using the split access approach above on the ETH RTR to do the outbound load balancing.

Can anyone confirm if this is a sensible and doable approach?

Regards
Adam
From: randywallacejr at gmail.com (Randy Wallace)
Date: Sun Dec 24 16:38:54 2006
Subject: [LARTC] RE: Question regarding Split Access description (Adam Neat)
Message-ID: <861508be0612240738t5d860c53wd5e32c136ebd6f56@mail.gmail.com>

IMHO, i believe that it would be more realistic to have one router providing load balancing/dead gateway to one/several subnet(s). otherwise, each server/user would have to do their own load balancing for each subnet! that, or you would need 3 routers, one for each subnet and a linux router doing the load balancing in the middle. with 3 routers, the load balancing configurations shouldn't change, just ip addresses.

there is a discussion of how to use DNAT (port forwarding) at http://www.ssi.bg/~ja/dgd-usage.txt with dead gateway detection.

                                                       xx.xx.xx.x1/32 ---> SHDSL#1
                                            (wan0) /                       xx.xx.xx.x2/32
server(s) -------> Switch -------> (lan0) Linux Router
ex. LAMP Server                    ip 192.168.1.1/28
ip 192.168.1.2/28                           (wan1) \
gw 192.168.1.1                                         yy.yy.yy.y1/32 ---> SHDSL#2
                                                                           yy.yy.yy.y2/32

    ip rule add prio 10 table main
    ip rule add prio 20 from xx.xx.xx.x1/32 table 20
    ip route append default via xx.xx.xx.x2 dev wan0 src xx.xx.xx.x1 table 20
    ip rule add prio 30 from yy.yy.yy.y1/32 table 30
    ip route append default via yy.yy.yy.y2 dev wan1 src yy.yy.yy.y1 table 30
    ip rule add prio 100 from 192.168.1.0/28 table 100
    ip route add default table 100 \
        nexthop via xx.xx.xx.x1 dev wan0 \
        nexthop via yy.yy.yy.y1 dev wan1

the key is using 192.168.1.1 as the gateway. iptables masq and dnat rules could take care of src and dest ip addressing to xx.xx.xx.x1 and yy.yy.yy.y1. i prefer keeping some routing in iptables as a firewall advantage.

    iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE
    iptables -t nat -A POSTROUTING -o wan1 -j MASQUERADE
    iptables -t nat -A PREROUTING -p tcp -d xx.xx.xx.x1 --dport 80 \
        -j DNAT --to-destination 192.168.1.2
    iptables -t nat -A PREROUTING -p tcp -d yy.yy.yy.y1 --dport 80 \
        -j DNAT --to-destination 192.168.1.2

DNS records, at godaddy.com for example, should specify both xx.xx.xx.x1 and yy.yy.yy.y1 for the LAMP. then you would have a path to both SHDSL connections from the internet for one domain.

this makes the most sense to me, but isn't the only solution. the only fault i can see is that there is one major point of failure.
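One complete dual-uplink configuration for a single Linux router, added here as an example that is not code from either thread; it covers Adam and Randy's split-access question and, in the same rule set, the "load balacing with https home banking" problem from earlier in this digest. Every address, interface name, table number and mark is an assumption (documentation ranges stand in for real provider addresses), and so is the kernel behaviour it relies on: the multipath default route picks one nexthop per source/destination pair (via the route cache on older kernels, via the flow hash on newer ones), not per packet. Because of that, all connections from one LAN client to one bank server leave through the same uplink, and SNAT keyed on the outgoing interface then gives that server one consistent source address, which is what alternating SNAT per connection with the nth match could not provide. The CONNMARK rules are only needed for the inbound direction: a reply from the DNATed server has a private source address when the routing decision is made, so the uplink the client arrived on has to be remembered in the conntrack entry and restored onto the reply. `IP` and `IPT` default to a dry run that prints the commands.

```shell
#!/bin/sh
# Added example, not code from the list posts: one Linux router in front of the
# LAN, two providers, outbound balancing that keeps each client/server pair on
# one uplink, and an inbound service published on both provider addresses.
# Every address, interface, table number and mark below is an assumption
# (documentation ranges stand in for real provider addresses). IP and IPT
# default to a dry run that prints the commands; set IP=ip IPT=iptables to apply.
IP="${IP:-echo ip}"
IPT="${IPT:-echo iptables}"

LAN_IF=lan0; SERVER=192.168.1.2
WAN1=wan0; IP1=203.0.113.2;  GW1=203.0.113.1;  NET1=203.0.113.0/30;  T1=20; M1=1
WAN2=wan1; IP2=198.51.100.2; GW2=198.51.100.1; NET2=198.51.100.0/30; T2=30; M2=2

routing() {
    # One table per provider (link route + default), as in LARTC section 4.2.
    $IP route add "$NET1" dev "$WAN1" src "$IP1" table "$T1"
    $IP route add default via "$GW1" table "$T1"
    $IP route add "$NET2" dev "$WAN2" src "$IP2" table "$T2"
    $IP route add default via "$GW2" table "$T2"
    # The main table needs both link routes too, or the gateways are unreachable.
    $IP route add "$NET1" dev "$WAN1" src "$IP1"
    $IP route add "$NET2" dev "$WAN2" src "$IP2"
    # Packets the router itself sends: pick the table by source address.
    $IP rule add prio 20 from "$IP1" table "$T1"
    $IP rule add prio 30 from "$IP2" table "$T2"
    # Forwarded replies to inbound connections carry a LAN source address, so
    # they are steered by the connection mark restored in marking() below.
    $IP rule add prio 40 fwmark "$M1" table "$T1"
    $IP rule add prio 41 fwmark "$M2" table "$T2"
    # Everything still unmarked is balanced per source/destination pair
    # over both uplinks (assumed kernel behaviour, see the lead-in).
    $IP route add default scope global \
        nexthop via "$GW1" dev "$WAN1" weight 1 \
        nexthop via "$GW2" dev "$WAN2" weight 1
    $IP route flush cache
}

marking() {
    # Restore first: every later packet of a known connection inherits the
    # uplink its first packet arrived on.
    $IPT -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # Inbound connections (to the DNATed server): remember the arrival uplink
    # so the replies leave through the provider the client talked to.
    $IPT -t mangle -A PREROUTING -i "$WAN1" -m mark --mark 0 -m state --state NEW -j MARK --set-mark "$M1"
    $IPT -t mangle -A PREROUTING -i "$WAN2" -m mark --mark 0 -m state --state NEW -j MARK --set-mark "$M2"
    $IPT -t mangle -A PREROUTING -m mark ! --mark 0 -j CONNMARK --save-mark
}

nat() {
    # Source NAT follows whichever uplink the routing decision selected, so a
    # remote server always sees the address that belongs to that uplink.
    $IPT -t nat -A POSTROUTING -o "$WAN1" -j SNAT --to-source "$IP1"
    $IPT -t nat -A POSTROUTING -o "$WAN2" -j SNAT --to-source "$IP2"
    # The same server is published on both provider addresses (both in DNS).
    $IPT -t nat -A PREROUTING -p tcp -d "$IP1" --dport 80 -j DNAT --to-destination "$SERVER"
    $IPT -t nat -A PREROUTING -p tcp -d "$IP2" --dport 80 -j DNAT --to-destination "$SERVER"
}

dual_wan() { routing; marking; nat; }

dual_wan
```

The LAN hosts keep a single default gateway, the router's `lan0` address, which is the simplification Adam was after; the `fwmark` rules sit below the source-address rules and above the multipath default so that a restored mark always wins over the balancing decision.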
From: alijawad1 at gmail.com (Ali Jawad)
Date: Sun Dec 24 19:21:50 2006
Subject: [LARTC] How
Message-ID:

Hi

I've been reading, testing and applying what I am reading in the LARTC tutorial for a couple of days. I do not wish to use ready made scripts because that means I will always come back and ask the same question again.

So I've been wondering: if I have 10 computers and I do want to limit the download for each of those 10 computers to 10 kbyte per second, I would create a leaf class and match the traffic that comes from those networks using either (below are only example cases to explain my point):

    # tc filter add dev eth0 parent 10:0 protocol ip prio 1 u32 \
        match ip src 1.2.3.4/32 flowid 10:1

OR

    # tc filter add dev eth1 protocol ip parent 1:0 prio 1 handle 6 fw flowid 1:1
    # iptables -A PREROUTING -t mangle -s 1.2.3.4/32 -j MARK --set-mark 6

And let's suppose I created my classes like this diagram:

    root 1:
       |
     _1:1_
     /
    /
  10:
  /
10:1

If I have the hierarchy displayed above, and the leaf class 10:1 is the class that limits the download rate to my requested 10 kbyte per second, using either of the matches above will redirect all matched packets through the filter of the matching class. But in this case the cumulative bandwidth of the traffic of the computers on the matching network will be limited to 10 kbyte. What do I have to do so that the traffic of each host on the network will get a download limit of 10 kbyte per second? Do I have to create classes 10:n where n is the number of hosts, or do I have to change my matching pattern? Or can I create a class that will match the traffic of each host in the network individually?

Below is my current setup:

    tc qdisc add dev eth2 root handle 11: cbq bandwidth 100Mbit avpkt \
        1000 mpu 64
    tc class add dev eth2 parent 11:0 classid 11:1 cbq rate 100Kbit \
        weight 10Kbit allot 1514 prio 1 avpkt 1000 bounded
    tc filter add dev eth2 parent 11:0 protocol ip handle 4 fw flowid 11:1
    iptables -t mangle -A POSTROUTING -s ! 192.168.128.16/28 -d \
        192.168.128.16/28 -j MARK --set-mark 4

--
With Regards
Ali Jawad
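The answer to Ali's question in working form, as an added example that is not code from the post: a class is the unit of shaping, so a per-host limit needs one leaf class per host and one filter that steers that host's traffic into it. The script below generates exactly that for the hosts of a /28 using HTB instead of the CBQ in Ali's setup (an assumption made to keep the class definitions short); device, subnet and handle numbers are assumptions as well, and `TC` defaults to a dry run that prints the commands.

```shell
#!/bin/sh
# Added example, not from the post: give every host in a /28 its own HTB leaf
# class so each one is capped individually at 10 kbyte/s (80 kbit/s) instead
# of all hosts sharing one class. Device, subnet and handles are assumptions;
# TC defaults to a dry run that prints the commands, set TC=tc to apply.
TC="${TC:-echo tc}"
DEV="${DEV:-eth2}"          # LAN-facing device: shaping here limits downloads
LIMIT="${LIMIT:-80kbit}"    # 10 kbyte/s per host
LINK="${LINK:-100mbit}"

# $1: first three octets of the subnet, $2: first host number, $3: last host number
per_host_classes() {
    prefix="$1"; first="$2"; last="$3"
    # Unclassified traffic falls into leaf 1:20, which is not capped per host.
    $TC qdisc add dev "$DEV" root handle 1: htb default 20
    $TC class add dev "$DEV" parent 1: classid 1:1 htb rate "$LINK"
    $TC class add dev "$DEV" parent 1:1 classid 1:20 htb rate "$LINK" ceil "$LINK"
    n="$first"
    while [ "$n" -le "$last" ]; do
        # Minor ids are hexadecimal; 0x100 + host number keeps them unique
        # and recognisable (host .17 becomes class 1:111).
        cid=$(printf '1:%x' $((256 + n)))
        # rate == ceil: the class can never borrow beyond its own limit.
        $TC class add dev "$DEV" parent 1:1 classid "$cid" htb rate "$LIMIT" ceil "$LIMIT"
        # One u32 filter per host, keyed on the destination address because
        # downloads arrive at the host; for an upload limit match "ip src".
        $TC filter add dev "$DEV" parent 1: protocol ip prio 1 u32 \
            match ip dst "$prefix.$n/32" flowid "$cid"
        n=$((n + 1))
    done
}

per_host_classes 192.168.128 17 30
```

A single class with one filter per host would still pool the hosts, because HTB enforces `rate` and `ceil` per class, not per matching filter. For a handful of hosts a linear list of u32 filters is fine; for hundreds, the LARTC chapter on hashing filters describes how to index them by address instead of walking the list for every packet.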
From: alijawad1 at gmail.com (Ali Jawad)
Date: Sun Dec 24 21:18:21 2006
Subject: [LARTC] How to classify packets per host on same class
Message-ID:

Hi

I've been reading, testing and applying what I am reading in the LARTC tutorial for a couple of days. I do not wish to use ready made scripts because that means I will always come back and ask the same question again.

So I've been wondering: if I have 10 computers and I do want to limit the download for each of those 10 computers to 10 kbyte per second, I would create a leaf class and match the traffic that comes from those networks using either (below are only example cases to explain my point):

    # tc filter add dev eth0 parent 10:0 protocol ip prio 1 u32 \
        match ip src 1.2.3.4/32 flowid 10:1

OR

    # tc filter add dev eth1 protocol ip parent 1:0 prio 1 handle 6 fw flowid 1:1
    # iptables -A PREROUTING -t mangle -s 1.2.3.4/32 -j MARK --set-mark 6

And let's suppose I created my classes like this diagram:

    root 1:
       |
     _1:1_
     /
    /
  10:
  /
10:1

If I have the hierarchy displayed above, and the leaf class 10:1 is the class that limits the download rate to my requested 10 kbyte per second, using either of the matches above will redirect all matched packets through the filter of the matching class. But in this case the cumulative bandwidth of the traffic of the computers on the matching network will be limited to 10 kbyte. What do I have to do so that the traffic of each host on the network will get a download limit of 10 kbyte per second? Do I have to create classes 10:n where n is the number of hosts, or do I have to change my matching pattern? Or can I create a class that will match the traffic of each host in the network individually?

Below is my current setup:

    tc qdisc add dev eth2 root handle 11: cbq bandwidth 100Mbit avpkt \
        1000 mpu 64
    tc class add dev eth2 parent 11:0 classid 11:1 cbq rate 100Kbit \
        weight 10Kbit allot 1514 prio 1 avpkt 1000 bounded
    tc filter add dev eth2 parent 11:0 protocol ip handle 4 fw flowid 11:1
    iptables -t mangle -A POSTROUTING -s ! 192.168.128.16/28 -d \
        192.168.128.16/28 -j MARK --set-mark 4

--
With Regards
Ali Jawad

From: lburatti at zacmi.it (lburatti@zacmi.it)
Date: Mon Dec 25 16:01:25 2006
Subject: [LARTC] luca buratti is out of office
Message-ID:

I will be out of the office from 25/12/2006 and will not return until 08/01/2007. I will reply to your message on my return.

Trend Scan Mail: this message is virus free.
From: cl.player at gmail.com (clplayer clplayer)
Date: Tue Dec 26 04:02:33 2006
Subject: [LARTC] Curious situation of htb
Message-ID:

Dear all,

I'm now developing the QoS mechanism on my machine. I have read the documents of both the web site "HTB Home" and "lartc.org". But it confuses me: what is the accurate definition of the argument "rate"? It seems to be "the minimum rate which is guaranteed for a class" in the user guide of HTB Home, but in the manpage of lartc.org it is defined as "the maximum rate guaranteed for a class."

I have tried two ways of implementing the QoS mechanism. First I set up the QoS configuration by tc, and classification is done by the u32 classifier. In this case, no matter how the classes' rate is set, the total bandwidth of 100Mbps will always be about 75Mbps and each class is assigned the bandwidth in the scale.

To work with some tunnel or random-port transmission, another program was applied to set the priority value of the structure sk_buff as the classid the packet belongs to. In this case, the total bandwidth is limited at the rate we set, and so are all the classes set.

My question is: why does it differ between the two mechanisms? Which one will be the correct result?

Thank you very much.

Best regards,
Y.K. Peng.

From pmferr at dei.uc.pt Tue Dec 26 12:48:48 2006
From: pmferr at dei.uc.pt (Pedro Miguel da Fonseca Marques Ferreira)
Date: Tue Dec 26 12:49:29 2006
Subject: [LARTC] RSVP/RSVP6 Enabling a linux box is not working: Why ?
Message-ID: <017701c728e3$d00f7670$6af60b0a@Horizon>

Hi.

I just went through reading all of the howto and have a working implementation of RSVP over UDP encapsulation, made in Java, that I would like to test. For this, I would like to use a Linux box as an RSVP enabled router. However, I have tried and tried to make RSVP work on Linux and failed. So I wonder what I am doing wrong.

Basically, on the Linux box what I am doing is turning eth0 and eth1 to CBQ with bandwidth 100Mbps and avpkt 1500 bytes:

  tc qdisc add dev eth0 root cbq bandwidth 100Mbps avpkt 1500
  tc qdisc add dev eth1 root cbq bandwidth 100Mbps avpkt 1500

Then I add filters for rsvp, for example:

  tc filter add dev eth0 parent 8000: protocol ip rsvp
  tc filter add dev eth1 parent 8001: protocol ip rsvp

But, on my Windows XP box, when I try to pathping -n -R the Linux box, it says the Linux box is not RSVP AWARE.

Can someone give me a hint on what I am doing wrong here? Also, can someone clarify for me whether Linux RSVP supports UDP encapsulation as the standard RSVP provides on ports 1698,1699? (RFC2205)

Any help appreciated.

Thank you.

Pedro Miguel da Fonseca Marques Ferreira, Lic. MsC.
PhD Student at DEI-FCTUC, University of Coimbra
Polo II, Pinhal de Marrocos
3030 Coimbra
Portugal
Email: pmferr@dei.uc.pt
Web: http://eden.dei.uc.pt/~pmferr/

From adamneat at anoti.com Tue Dec 26 13:46:45 2006
From: adamneat at anoti.com (Adam Neat)
Date: Tue Dec 26 13:46:59 2006
Subject: [LARTC] RE: Question regarding Split Access description (Adam Neat)
In-Reply-To: <861508be0612240738t5d860c53wd5e32c136ebd6f56@mail.gmail.com>
Message-ID: <200612261246.kBQCkf1c010274@saturn-ng2.iridiumhosting.com>

Randy - thanks for the reply - it was a big help.

I agree with your points - the single router approach would be easier, but I'm conscious of availability. My thinking is that with a 3 node approach (1 node for Provider 1 uplink, 1 node for Provider 2 uplink, and the 3rd router for the internal core router), if one of the border routers goes down we lose half the connectivity; we'd also look to run a standard active-standby LVS node to provide HA on the single core router.

At this stage, we're leaning towards the three node approach but we're not 100% sure if this will work with the configuration I outlined below.

   Provider 1            Provider 2
       |                     |
     SDSL                  SDSL
       |                     |
  Border Rtr 1          Border Rtr 2
       |                     |
       +--------+     +------+
                |     |
            +--Core Rtr 1--+
                   |
      +------------+------------+
      |            |            |
   Server1      Server 2     Server 3

As I noted above, core router 1 would be HA'd in an active standby.

Cheers
Adam

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Randy Wallace
Sent: Monday, 25 December 2006 2:39 AM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] RE: Question regarding Split Access description (Adam Neat)

IMHO, I believe that it would be more realistic to have one router providing load balancing/dead gateway to one/several subnet(s). Otherwise, each server/user would have to do their own load balancing for each subnet! That, or you would need 3 routers, one for each subnet and a Linux router doing the load balancing in the middle. With 3 routers, the load balancing configurations shouldn't change, just IP addresses.

There is a discussion of how to use DNAT (port forwarding) at http://www.ssi.bg/~ja/dgd-usage.txt with dead gateway detection.

                                                 xx.xx.xx.x1/32--->SHDSL#1
                                          (wan0)/                 xx.xx.xx.x2/32
 server(s) ------> Switch -------> (lan0) Linux Router
 ex. LAMP Server                   ip 192.168.1.1/28
 ip 192.168.1.2/28                        (wan1)\ yy.yy.yy.y1/32--->SHDSL#2
 gw 192.168.1.1                                                   yy.yy.yy.y2/32

  ip rule add prio 10 table main
  ip rule add prio 20 from xx.xx.xx.x1/32 table 20
  ip route append default via xx.xx.xx.x2 dev wan0 src xx.xx.xx.x1 table 20
  ip rule add prio 30 from yy.yy.yy.y1/32 table 30
  ip route append default via yy.yy.yy.y2 dev wan1 src yy.yy.yy.y1 table 30
  ip rule add prio 100 from 192.168.1.0/28 table 100
  ip route add default table 100 \
      nexthop via xx.xx.xx.x1 dev wan0 \
      nexthop via yy.yy.yy.y1 dev wan1

The key is using 192.168.1.1 as the gateway. iptables masq and DNAT rules could take care of src and dest IP addressing to xx.xx.xx.x1 and yy.yy.yy.y1. I prefer keeping some routing in iptables as a firewall advantage.

  iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE
  iptables -t nat -A POSTROUTING -o wan1 -j MASQUERADE
  iptables -t nat -A PREROUTING -p tcp -d xx.xx.xx.x1 --dport 80 \
      -j DNAT --to-destination 192.168.1.2
  iptables -t nat -A PREROUTING -p tcp -d yy.yy.yy.y1 --dport 80 \
      -j DNAT --to-destination 192.168.1.2

DNS records, at godaddy.com for example, should specify both xx.xx.xx.x1 and yy.yy.yy.y1 for the LAMP. Then you would have a path to both SHDSL connections from the internet for one domain.

This makes the most sense to me, but isn't the only solution. The only fault I can see is that there is one major point of failure.

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From andre.correa at pobox.com Wed Dec 27 17:59:31 2006
From: andre.correa at pobox.com (Andre D. Correa)
Date: Wed Dec 27 17:59:54 2006
Subject: [LARTC] Advanced Policy Routing not working properly
Message-ID: <4592A673.6010303@pobox.com>

Hi list,

I'm trying to set up a Linux box with a complicated source routing and could use a hand from you. The box has 4 NICs and lots of VLANs attached. It is a firewall and router in the following scenario (obs: IP addresses have been changed for security purposes):

- eth0 holds the default route (GW: 200.1.0.1, Firewall: 200.1.0.2);
- The box is routing and sometimes source routing, with no problems;
- We got our own ASN with an IP range assigned: 101.30.0.0/20;
- We have a Cisco router responsible for BGP sessions of our ASN. This router is already talking to our neighbors and connects to the Firewall on eth2.887 (Router: 101.30.15.249, Firewall: 101.30.15.250);
- We have old ISP's IP addresses used on lots of VLAN interfaces, ex: 200.1.2.0/26, 200.1.3.0/24, etc;
- The default route is still pointing to our old ISP and cannot be changed by now;

So far so good, but:

- We created a testing VLAN, eth2.6, and assigned the address 101.30.0.1/28 to the Firewall and 101.30.0.2 to a testing machine (machine-X);
- If we create a source routing like this:

    ip route add default via 101.30.15.249 table MyASN   # IP of BGP router
    ip rule add from 101.30.0.0/28 table MyASN

  we can see the Internet and the Internet sees us through our BGP router and neighbors, BUT we cannot see hosts at IP addresses of our old ISP (those directly connected to the Firewall). The reason is simple: table MyASN has no entry for these old addresses.

The easy way to go is to insert static routes on MyASN, but it is a bad solution when you have lots of subnets in use and changes occur frequently. The old and new addresses (from my old ISP and from my ASN) must communicate, but I cannot keep updating the MyASN table. I tried some workarounds with no good results and here is where I need a hand.

All the workarounds I tried expect that in the above scenario, if a host on an old ISP's IP address, let's say 200.1.2.2, pings my testing server (machine-X on 101.30.0.2), packets should show up on the sender host interface and go out on machine-X's interface. I expect this as the _main_ table has a route to machine-X (directly connected to the Firewall), so the box should know where to send packets. It doesn't happen like this. The packets go nowhere. They come in on the sender host interface but never go out on machine-X's interface. If I insert a route to 200.1.2.2 on table MyASN I start to see traffic coming and going.

Why is this happening? Shouldn't the box just forward traffic when there is a route in the _main_ table regardless of whether a return route exists or not? Or shouldn't it, at least, send this traffic to its default gateway?

Any comments and suggestions are appreciated.

Regards.

--------------------------------------------------------------------
Andre D. Correa, CISSP         | Visite meus projetos pessoais:
andre.correa (at) pobox.com    | Visit my personal projects:
http://andre.hiperlinks.com.br |   - http://www.malware.com.br/
Sao Paulo / SP / Brazil        |   - http://www.linuximq.net/
--------------------------------------------------------------------

From martin at linux-ip.net Wed Dec 27 22:41:55 2006
From: martin at linux-ip.net (Martin A. Brown)
Date: Wed Dec 27 22:43:28 2006
Subject: [LARTC] Curious situation of htb
In-Reply-To:
References:
Message-ID:

Greetings Y.K. Peng,

 : But it confuses me that what is the accurate definition of the
 : argument "rate"?

In order to understand the HTB concept of rate, you must understand buckets. Read about either token buckets (e.g. Linux TBF [0]) or leaky buckets (the generic idea) [1].

 : It seems to be "the minimum rate which is guaranteed for a class"
 : in the user guide of HTB Home, but in the manpage of lartc.org it
 : is defined as "the maximum rate guaranteed for a class."

The difference is merely a matter of perspective. You may think of it as you find most fitting for your understanding. To understand the term in the context of HTB, it helps to understand the entire borrowing model:

  * HTB will always allow a packet in a leaf class to be dequeued if that class has not yet exceeded its "rate". (This leaf class is guaranteed a minimum "rate" of packet transmission.)

  * HTB may attempt to transmit a packet from a leaf class if that leaf class is above "rate" but below "ceil". In order to transmit a packet when transmission of that packet will exceed "rate", the leaf class will ask its parent class (which may ask its parent class (which may ask ...)) if it may borrow (properly, "use") a token to dequeue the pending packet. If the entire hierarchy of classes has an available token, then that token is counted.

  * HTB will never attempt to transmit a packet from a leaf class which has exceeded its "ceil", an administrative absolute maximum for this leaf class.

This borrowing logic holds true for all intermediate and root classes, but packets are only dequeued from leaf HTB classes.

 : First I setup the qos configuration by tc, and classification is
 : done by the u32 classifier. In this case, no matter how the
 : classes' rate set, the total bandwidth of 100Mbps will always be
 : about 75Mbps and each class is assigned the bandwidth in the
 : scale.
 :
 : To work with some tunnel or random-port transmission, another
 : program was applied to set the priority value of the structure
 : sk_buff as the classid the packet belongs to. In this case, the
 : total bandwidth is limited at the rate we set, so do all the
 : classes set.
 :
 : My question is that, why it differs from the two mechanism? Which
 : one will be the correct result?

Unfortunately, I'm unable to interpret what your experiment was, so will not be able to address this question. I can only guess that you didn't use the "default" parameter on your HTB qdisc itself:

  tc qdisc add dev $DEV root handle 1:0 htb default $DEFAULT_CLASS

If you do not specify a default class for otherwise unclassified traffic AND if you do not include a classifier as a catch-all:

  # -- catch all classifier (sends everything not matched earlier to the default class)
  # tc filter add dev eth0 parent 1:0 protocol ip prio 1 \
       u32 match ip src 0.0.0.0/0 flowid 1:$DEFAULT_CLASS

then any unclassified traffic will be dequeued as fast as the hardware allows [2].

Good luck,

-Martin

 [0] http://tldp.org/HOWTO/Traffic-Control-HOWTO/classless-qdiscs.html#qs-tbf
     http://lartc.org/howto/lartc.qdisc.classless.html
 [1] http://linux-ip.net/gl/tcng/node54.html
     http://en.wikipedia.org/wiki/Leaky_bucket
 [2] http://www.docum.org/docum.org/docs/htb/

--
Martin A. Brown
http://linux-ip.net/

From indunil75 at gmail.com Thu Dec 28 06:51:53 2006
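Following Ali Jawad's question above (one class per host, or a different match?) and Martin's point about the HTB "default" class, here is an added example that belongs to neither post: it builds one HTB leaf class per host, each with rate equal to ceil so no host can borrow past 10 kbyte/s, and adds both the qdisc default class and an explicit catch-all filter so unclassified traffic is shaped too. Assumed: HTB instead of the CBQ in the post, device eth2, and hosts 192.168.128.17 to 192.168.128.30; the functions only print the tc commands (pipe them to sh to apply).

```shell
#!/bin/sh
# Added example, not from the LARTC thread. Prints the tc commands for a
# per-host HTB hierarchy; nothing is applied until the output is run.

DEV=${DEV:-eth2}                 # LAN-side interface (assumed)
LINK=${LINK:-100mbit}            # physical rate of $DEV
HOSTRATE=${HOSTRATE:-80kbit}     # 80 kbit/s = 10 kbyte/s per host

# per_host_shaping PREFIX FIRST LAST
# Root HTB qdisc with "default 99", a parent class 1:1, one leaf class per
# host PREFIX.FIRST .. PREFIX.LAST, a default class 1:99 and a catch-all.
per_host_shaping() {
    prefix=$1; first=$2; last=$3
    # "default 99": traffic matched by no filter lands in class 1:99 instead
    # of being dequeued at hardware speed (Martin's point above).
    echo "tc qdisc add dev $DEV root handle 1: htb default 99"
    echo "tc class add dev $DEV parent 1: classid 1:1 htb rate $LINK ceil $LINK"
    n=$first
    while [ "$n" -le "$last" ]; do
        # tc reads class minor ids as hex, so host 18 becomes classid 1:12
        id=$(printf '%x' "$n")
        # rate == ceil: this host is never allowed to borrow beyond its cap
        echo "tc class add dev $DEV parent 1:1 classid 1:$id htb rate $HOSTRATE ceil $HOSTRATE"
        # download direction on the LAN side: classify on destination address
        echo "tc filter add dev $DEV parent 1: protocol ip prio 1 u32 match ip dst $prefix.$n/32 flowid 1:$id"
        n=$((n + 1))
    done
    echo "tc class add dev $DEV parent 1:1 classid 1:99 htb rate $LINK ceil $LINK"
    # explicit catch-all at the lowest priority (highest prio number); same
    # effect as "default 99" but visible in "tc filter show"
    echo "tc filter add dev $DEV parent 1: protocol ip prio 99 u32 match ip dst 0.0.0.0/0 flowid 1:99"
}

# leaf_count PREFIX FIRST LAST: number of per-host leaf classes generated
leaf_count() { per_host_shaping "$@" | grep -c "rate $HOSTRATE ceil $HOSTRATE"; }

# filter_for PREFIX HOST: the single filter line generated for one host
filter_for() { per_host_shaping "$1" "$2" "$2" | grep "match ip dst $1.$2/32"; }
```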
From: indunil75 at gmail.com (Indunil Jayasooriya)
Date: Thu Dec 28 06:52:05 2006
Subject: [LARTC] How to add a route to a network via 2 gateways.
Message-ID: <7ed6b0aa0612272151k6f6cd72aj11c7f95a81e5fef9@mail.gmail.com>

Hi iproute2,

I have a network to reach which is 192.168.2.0/24. It is a branch of the company. I have currently added a route to that network via one gateway (192.168.0.254) in the following way:

  ip route add 192.168.2.0/24 via 192.168.0.254

Now we got another gateway, which is 192.168.0.250. Now I want to add a route to the same network, 192.168.2.0/24, via this gateway (192.168.0.250) as well. Then I will have 2 paths to the same network. One path should be primary and the other path should be backup. Everything should go via the primary path; if the primary path goes down, the backup path should be active. That is the purpose of doing this.

Please let me know whether it is possible or not, and if possible, how I can achieve this goal.

--
Thank you
Indunil Jayasooriya

From WBohannan at spidersat.com.gh Thu Dec 28 19:21:45 2006
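For Indunil's primary/backup question above, an added example (not from the post, and not an answer given on the list): two routes to 192.168.2.0/24 with different metrics, so the kernel prefers 192.168.0.254 and holds 192.168.0.250 in reserve, plus a small watchdog that repoints the preferred route when the primary gateway stops answering. Assumed: the probe is one ICMP echo to the gateway itself; if a gateway keeps answering while its own uplink is dead, probe a host behind it instead.

```shell
#!/bin/sh
# Added example, not from the LARTC thread. Functions only; nothing runs on load.

NET=192.168.2.0/24
PRIMARY=192.168.0.254
BACKUP=192.168.0.250

# Install both routes. The lower metric wins while both exist. The kernel
# removes a route only when its interface goes down, not when the gateway
# stops forwarding, which is why the watchdog below exists.
install_routes() {
    ip route replace "$NET" via "$PRIMARY" metric 10
    ip route replace "$NET" via "$BACKUP" metric 20
}

# gateway_alive GW: exit 0 if GW answers one ping within 2 seconds
gateway_alive() { ping -c 1 -W 2 "$1" >/dev/null 2>&1; }

# choose_gateway PRIMARY_STATUS BACKUP_STATUS (0 = alive) -> gateway to prefer.
# Pure decision logic, kept separate so it can be tested without ip or ping.
choose_gateway() {
    if [ "$1" -eq 0 ]; then
        echo "$PRIMARY"
    elif [ "$2" -eq 0 ]; then
        echo "$BACKUP"
    else
        echo "$PRIMARY"      # both unreachable: keep the primary, nothing is better
    fi
}

# failover_step: probe both gateways and make the metric-10 route point at
# whichever choose_gateway selects. Run it from cron or a loop.
failover_step() {
    gateway_alive "$PRIMARY"; p=$?
    gateway_alive "$BACKUP";  b=$?
    want=$(choose_gateway "$p" "$b")
    # field 3 of "192.168.2.0/24 via GW dev IF metric 10" is the gateway
    current=$(ip route show "$NET" | awk '$(NF-1) == "metric" && $NF == "10" {print $3}')
    if [ "$want" != "$current" ]; then
        ip route replace "$NET" via "$want" metric 10
        logger -t failover "route to $NET now via $want"
    fi
}
```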
From: WBohannan at spidersat.com.gh (William Bohannan)
Date: Thu Dec 28 19:22:12 2006
Subject: [LARTC] filter policy drop and allow transparent proxy
Message-ID: <4D411FB02758FE45915E9724339093F61A7135@intranet.scpl.local>

Trying to use the policy drop rule with the bridged firewall; when I removed the first line the transparent proxy works great? It seems a bit strange, as from reading several articles on it I thought the following occurs:

1st line - if it doesn't match it gets dropped on the local filter input.
2nd line - redirects the traffic off the link layer into the network layer ready for line 3.
3rd line - redirects the port 80 to 8080 and then goes to the local process (squid) through the input filter.
4th line - input filter accepts the traffic, overriding the global reject policy.

  iptables -P INPUT DROP
  ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
      --ip-destination-port 80 -j redirect --redirect-target ACCEPT
  iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT \
      --to-port 8080
  iptables -A INPUT -p tcp --dport 80 -m physdev --physdev-in eth1 \
      --physdev-out eth0 -j ACCEPT

Any help would be most welcome.

Kind Regards
William

From jasbir.k at gmail.com Thu Dec 28 19:37:22 2006
From: jasbir.k at gmail.com (Jasbir Khehra)
Date: Thu Dec 28 19:37:41 2006
Subject: [LARTC] filter policy drop and allow transparent proxy
In-Reply-To: <4D411FB02758FE45915E9724339093F61A7135@intranet.scpl.local>
References: <4D411FB02758FE45915E9724339093F61A7135@intranet.scpl.local>
Message-ID: <45940EE2.1030904@gmail.com>

William Bohannan wrote:
> Trying to use the policy drop rule with the bridged firewall; when I
> removed the first line the transparent proxy works great? It seems a
> bit strange, as from reading several articles on it I thought the
> following occurs.
> 1st line - if it doesn't match it gets dropped on the local filter input.
> 2nd line - redirects the traffic off the link layer into the network
> layer ready for line 3.
> 3rd line - redirects the port 80 to 8080 and then goes to the local
> process (squid) through the input filter
> 4th line - input filter accepts the traffic overriding the global
> reject policy.
>
> iptables -P INPUT DROP
> ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
>     --ip-destination-port 80 -j redirect --redirect-target ACCEPT
> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT \
>     --to-port 8080
> iptables -A INPUT -p tcp --dport 80 -m physdev --physdev-in eth1 \
>     --physdev-out eth0 -j ACCEPT
>
> Any help would be most welcome.
>
> Kind Regards
> William

The 4th line should look for packets on dport 8080 instead of 80.

-Jasbir

From WBohannan at spidersat.com.gh Thu Dec 28 20:24:17 2006
From: WBohannan at spidersat.com.gh (William Bohannan)
Date: Thu Dec 28 20:24:33 2006
Subject: [LARTC] filter policy drop and allow transparent proxy
In-Reply-To: <45940EE2.1030904@gmail.com>
Message-ID: <4D411FB02758FE45915E9724339093F61A7136@intranet.scpl.local>

Thanks for the quick response Jasbir. Tried doing as you said with no luck; changed dport to port 8080 on the 4th line (see below). Same as before: if you remove line 1 the transparent proxy works.

  iptables -P INPUT DROP
  ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
      --ip-destination-port 80 -j redirect --redirect-target ACCEPT
  iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT \
      --to-port 8080
  iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1 \
      --physdev-out eth0 -j ACCEPT

Kind Regards
William

-----Original Message-----
From: Jasbir Khehra [mailto:jasbir.k@gmail.com]
Sent: 28 December 2006 18:37
To: William Bohannan
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] filter policy drop and allow transparent proxy

William Bohannan wrote:
> Trying to use the policy drop rule with the bridged firewall; when I
> removed the first line the transparent proxy works great? It seems a
> bit strange, as from reading several articles on it I thought the
> following occurs.
> 1st line - if it doesn't match it gets dropped on the local filter input.
> 2nd line - redirects the traffic off the link layer into the network
> layer ready for line 3.
> 3rd line - redirects the port 80 to 8080 and then goes to the local
> process (squid) through the input filter
> 4th line - input filter accepts the traffic overriding the global
> reject policy.
>
> iptables -P INPUT DROP
> ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
>     --ip-destination-port 80 -j redirect --redirect-target ACCEPT
> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT \
>     --to-port 8080
> iptables -A INPUT -p tcp --dport 80 -m physdev --physdev-in eth1 \
>     --physdev-out eth0 -j ACCEPT
>
> Any help would be most welcome.
>
> Kind Regards
> William

The 4th line should look for packets on dport 8080 instead of 80.

-Jasbir

From mingching.tiew at redtone.com Fri Dec 29 02:20:42 2006
From: mingching.tiew at redtone.com (Ming-Ching Tiew)
Date: Fri Dec 29 02:22:45 2006
Subject: [LARTC] Using iptables level7/ipp2p match in a bridge
Message-ID: <020c01c72ae7$8e9722f0$0100a8c0@newlife>

Subject almost says it all. I wonder if there is a way for me to use iptables matches like l7 and/or ipp2p match in a bridge (one ethernet in and one ethernet out)?

Regards.

From gtaylor at riverviewtech.net Fri Dec 29 02:31:40 2006
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Fri Dec 29 02:31:19 2006
Subject: [LARTC] Using iptables level7/ipp2p match in a bridge
In-Reply-To: <020c01c72ae7$8e9722f0$0100a8c0@newlife>
References: <020c01c72ae7$8e9722f0$0100a8c0@newlife>
Message-ID: <45946FFC.60407@riverviewtech.net>

Ming-Ching Tiew wrote:
> Subject almost says it all, I wonder if there is a way for me
> to use iptables matches like l7 and/or ipp2p match in a
> bridge ( one ethernet in and one ethernet out ) ?

Yes there is. Read my previous post (http://mailman.ds9a.nl/pipermail/lartc/2006q4/019935.html) for more information. In short, what you want to do is enable IPTables (layer 3 and up) to be able to operate on bridged (layer 2) traffic. "Bridged IP/ARP packets filtering" will allow you to do exactly what you are wanting to do.

Grant. . . .

From mingching.tiew at redtone.com Fri Dec 29 03:04:14 2006
From: mingching.tiew at redtone.com (Ming-Ching Tiew)
Date: Fri Dec 29 03:05:27 2006
Subject: [LARTC] Using iptables level7/ipp2p match in a bridge
References: <020c01c72ae7$8e9722f0$0100a8c0@newlife> <45946FFC.60407@riverviewtech.net>
Message-ID: <021c01c72aed$a3ecf660$0100a8c0@newlife>

From: "Grant Taylor"
>
> Yes there is. Read my previous post
> (http://mailman.ds9a.nl/pipermail/lartc/2006q4/019935.html) for more
> information. In short, what you want to do is enable IPTables (layer 3
> and up) to be able to operate on bridged (layer 2) traffic. "Bridged
> IP/ARP packets filtering" will allow you to do exactly what you are
> wanting to do.
>

Thank you for a reply which comes in so useful. I would like to get into a bit more detail. Assuming I have already enabled the kernel options, do you mean that if I want to mark ipp2p traffic, I will do something like this:

  iptables -A FORWARD -m ipp2p --ipp2p -j MARK --set-mark 6

If I set more options such as "-i eth0 -o eth1", will I be able to capture the traffic more particularly?

Regards

From imipak at yahoo.com Fri Dec 29 07:55:09 2006
From: imipak at yahoo.com (Jonathan Day)
Date: Fri Dec 29 07:55:18 2006
Subject: [LARTC] Packet dropping schemes
Message-ID: <998368.59257.qm@web31509.mail.mud.yahoo.com>

There are a VERY large number of packet dropping schemes in existence, of which some have been implemented for Linux and others have implementations in Open Source environments that could probably be ported. I thought I'd be a nuisance and list the schemes I know of and the status (as far as I know it). What I would like is if people who (a) know of implementations that should be here could add them, and (b) know of compelling reasons why a scheme should NEVER (or almost never) be used could give the reason.

The problem I'm having is that with 17 different schemes, I can only find Open Source implementations of three, and one of those is only for *BSDs. If for no other reason than Linux makes network research relatively trivial, I have to believe that the other algorithms are either in public patches that hardly anyone knows about, OR there is a catastrophic flaw of some kind that makes using them in a general-purpose OS a Really Bad Idea. So, where are they and/or what is the problem with them?

  RED (Implemented as a queue)
  Generic RED (Implemented as a queue)
  Stabilized RED
  Fair RED
  Adaptive RED
  Gentle RED
  Exponential RED
  RED+
  BLUE (BSD implementation)
  Stochastic BLUE
  BLACK
  GREEN
  PURPLE
  WHITE
  CHOKe
  MAFIC
  HAWK

(For those who have got this far, MAFIC and HAWK are intrusion/attack countermeasure dropping schemes and look very intriguing.)

From jasbir.k at gmail.com Fri Dec 29 09:40:29 2006
From: jasbir.k at gmail.com (Jasbir Khehra)
Date: Fri Dec 29 09:41:50 2006
Subject: [LARTC] filter policy drop and allow transparent proxy
In-Reply-To: <4D411FB02758FE45915E9724339093F61A7136@intranet.scpl.local>
References: <4D411FB02758FE45915E9724339093F61A7136@intranet.scpl.local>
Message-ID: <4594D47D.1080709@gmail.com>

William Bohannan wrote:
> Thanks for the quick response Jasbir. Tried doing as you said with no
> luck, changed dport to port 8080 on the 4th line (see below). Same as
> before if you remove line 1 the transparent proxy works.
>
>
> iptables -P INPUT DROP
> ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
>     --ip-destination-port 80 -j redirect --redirect-target ACCEPT
> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT \
>     --to-port 8080
> iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1 \
>     --physdev-out eth0 -j ACCEPT
>
> Kind Regards
>
> William

Need to do some debugging. Set the default INPUT policy to ACCEPT and add various rules in the INPUT chain (without any target action) to verify which rules are matching. For example:

  iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1 --physdev-out eth0
  iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth0 --physdev-out eth1
  iptables -A INPUT -p tcp --dport 8080 -i br0

Then check out the output of:

  iptables -nvL INPUT

HTH
Jasbir

From indunil75 at gmail.com Fri Dec 29 12:11:06 2006
From WBohannan at spidersat.com.gh Fri Dec 29 14:34:41 2006
From: WBohannan at spidersat.com.gh (William Bohannan)
Date: Fri Dec 29 14:34:49 2006
Subject: [LARTC] filter policy drop and allow transparent proxy
In-Reply-To: <4594D47D.1080709@gmail.com>
Message-ID: <4D411FB02758FE45915E9724339093F61A71AA@intranet.scpl.local>

Did exactly what you said and added the following lines to the code to make:

  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  echo "1" > /proc/sys/net/ipv4/ip_forward
  iptables -P INPUT DROP
  ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
      --ip-destination-port 80 -j redirect --redirect-target ACCEPT
  iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT \
      --to-port 8080
  iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1 \
      --physdev-out eth0 -j ACCEPT
  iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth0 \
      --physdev-out eth1 -j ACCEPT

Still had no luck. The output you asked for:

  server1:~# iptables -nvL INPUT
  Chain INPUT (policy DROP 35 packets, 2223 bytes)
   pkts bytes target     prot opt in     out     source               destination
      2   146 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    255 17920 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
      0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in eth0 multiport ports 81,82,3003
      0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in eth1 multiport ports 81,82,3003
      0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 PHYSDEV match --physdev-in eth1 --physdev-out eth0
      0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 PHYSDEV match --physdev-in eth0 --physdev-out eth1

Kind Regards
William

-----Original Message-----
From: Jasbir Khehra [mailto:jasbir.k@gmail.com]
Sent: 29 December 2006 08:40
To: lartc@mailman.ds9a.nl
Cc: William Bohannan
Subject: Re: [LARTC] filter policy drop and allow transparent proxy

William Bohannan wrote:
> Thanks for the quick response Jasbir. Tried doing as you said with no
> luck, changed dport to port 8080 on the 4th line (see below). Same as
> before if you remove line 1 the transparent proxy works.
>
>
> iptables -P INPUT DROP
> ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
>     --ip-destination-port 80 -j redirect --redirect-target ACCEPT
> iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT \
>     --to-port 8080
> iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1 \
>     --physdev-out eth0 -j ACCEPT
>
> Kind Regards
>
> William

Need to do some debugging. Set the default INPUT policy to ACCEPT and add various rules in the INPUT chain (without any target action) to verify which rules are matching. For example:

  iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth1 --physdev-out eth0
  iptables -A INPUT -p tcp --dport 8080 -m physdev --physdev-in eth0 --physdev-out eth1
  iptables -A INPUT -p tcp --dport 8080 -i br0

Then check out the output of:

  iptables -nvL INPUT

HTH
Jasbir

From bkhl at elektrubadur.se Sat Dec 30 00:40:48 2006
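Jasbir's debugging step above boils down to reading the counters of "iptables -nvL INPUT" and spotting rules that never fire. As an added example (not from the thread), here is a small check that does that over a listing: it reports how many packets fell through to the chain policy and prints every rule whose packet counter is still zero. The sample listing is constructed from the counters William posted above.

```shell
#!/bin/sh
# Added example, not from the LARTC thread. Reads an "iptables -nvL" listing
# on stdin; counters with K/M/G suffixes are treated as non-zero.

# Constructed sample, copied from the counters William posted above.
SAMPLE='Chain INPUT (policy DROP 35 packets, 2223 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   146 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  255 17920 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in eth0 multiport ports 81,82,3003
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in eth1 multiport ports 81,82,3003
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 PHYSDEV match --physdev-in eth1 --physdev-out eth0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 PHYSDEV match --physdev-in eth0 --physdev-out eth1'

# policy_drops: packets that matched no rule and hit the chain policy.
# The "Chain" header line carries that counter: "(policy DROP 35 packets, ...)".
policy_drops() {
    awk '/^Chain/ { sub(/.*policy [A-Z]+ /, ""); print $1 + 0; exit }'
}

# unmatched_rules: one line per rule whose packet counter is 0, showing the
# target (column 3) followed by the match text after the destination column.
unmatched_rules() {
    awk '$1 ~ /^[0-9]+[KMG]?$/ && $1 == "0" {
        out = $3
        for (i = 10; i <= NF; i++) out = out " " $i
        print out
    }'
}

# count_unmatched: how many rules in the listing have never matched
count_unmatched() { unmatched_rules | wc -l | tr -d ' '; }

# Usage on a live box: iptables -nvL INPUT | unmatched_rules
```

A zero counter on an ACCEPT rule placed below a DROP policy is the rule to look at first: traffic the rule was meant to admit is not reaching it in the form the match expects.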
From: bkhl at elektrubadur.se (Björn Lindström)
Date: Sat Dec 30 00:45:14 2006
Subject: [LARTC] Trouble selecting network interface by port
Message-ID: <871wmixocf.fsf@killalla.dreaming>

I have a connection to the Internet (on eth1), and over this I also have a PPTP tunnel set up (on ppp0). Temporarily I use the (slower) PPTP tunnel for everything, but I really just have to use it for some specific purposes, which are distinguishable by port. So, I want to direct only some specific ports to ppp0, using eth1 for the rest.

I have tried following the instructions on http://lartc.org/howto/lartc.netfilter.html

CONFIG_IP_ADVANCED_ROUTER, CONFIG_IP_MULTIPLE_TABLES and CONFIG_IP_ROUTE_FWMARK are enabled in the kernel. I have added the line "201 tunnel.out" to /etc/iproute2/rt_tables.

After the PPTP tunnel comes up, the following is run. $TUNNEL is the PPTP tunnel (ppp0), and $EXTIF my regular WAN interface (eth1).

  # Open firewall for the tunnel.
  iptables -A FORWARD -i ${TUNNEL} -o eth0 -m state --state \
      ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -i eth0 -o ${TUNNEL} -j ACCEPT
  iptables -t nat -A POSTROUTING -o ${TUNNEL} -j MASQUERADE

  # Mark packets that should be routed through the tunnel
  iptables -A PREROUTING -i ${EXTIF} -t mangle -p tcp --dport 80 \
      -j MARK --set-mark 1

  # Generate route for the tunnel
  ip rule add fwmark 1 table tunnel.out
  ip route add default dev ${TUNNEL} table tunnel.out

I'm testing this with port 80 so that I can check the result by running a script that returns my IP on a remote server. After doing all this, the remote server still sees my IP as the one for eth1.

Can anyone see what I have overlooked here?

Thank you,

Björn Lindström