From linkerro at gmail.com Thu Jan 4 15:48:04 2007
From: linkerro at gmail.com (Radu Iscu)
Date: Thu Jan 4 15:48:31 2007
Subject: [LARTC] [HTB] Individual band for each IP in an IP range
Message-ID: <86ef77950701040648u17765a16r6f1a4fbe06e15629@mail.gmail.com>

Hello,

I'm using shorewall at the moment, but I'm asking this because I'm thinking of switching to htb from a script if this isn't possible from shorewall.

Is it possible to get HTB to treat each individual IP in an IP range as a separate leaf, so I don't have to insert a separate HTB rule for every new user?

Thanks a bunch,
Iscu.

From linux at arcoscom.com Thu Jan 4 22:32:48 2007
From: linux at arcoscom.com (ArcosCom Linux User)
Date: Thu Jan 4 22:29:25 2007
Subject: [LARTC] Re: dst cache overflow
In-Reply-To: <60665.10.1.1.10.1167776653.squirrel@www.arcoscom.com>
References: <60665.10.1.1.10.1167776653.squirrel@www.arcoscom.com>
Message-ID: <55635.10.1.1.10.1167946368.squirrel@www.arcoscom.com>

The log says:

Dec 30 00:52:27 cura kernel: dst cache overflow
Dec 30 00:52:27 cura kernel: MASQUERADE: No route: Rusty's brain broke!
Dec 30 00:52:27 cura kernel: dst cache overflow
Dec 30 00:52:28 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
Dec 30 00:52:28 cura kernel: zlan0: topology change detected, propagating
Dec 30 00:52:28 cura kernel: dst cache overflow
Dec 30 00:52:30 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
Dec 30 00:52:30 cura kernel: zlan0: topology change detected, propagating
Dec 30 00:52:32 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
Dec 30 00:52:32 cura kernel: zlan0: topology change detected, propagating
Dec 30 00:52:32 cura kernel: printk: 15 messages suppressed.
Dec 30 00:52:32 cura kernel: dst cache overflow
Dec 30 00:52:34 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
Dec 30 00:52:34 cura kernel: zlan0: topology change detected, propagating
Dec 30 00:52:36 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
Dec 30 00:52:36 cura kernel: zlan0: topology change detected, propagating
Dec 30 00:52:37 cura kernel: printk: 40 messages suppressed.
Dec 30 00:52:37 cura kernel: dst cache overflow

zlan0 is a bridge (with STP configured) between some LANs.

Thanks

P.S.: I'm a bit desperate with this error; I changed "MASQUERADE" to "SNAT" to no effect. Some hours after the router is booted up, the network appears to be UP but none of the interfaces respond.

On Tue, 2 January 2007, 23:24, ArcosCom Linux User wrote:
> Hi all, I'm having this problem with this system configuration:
> 1) iptables 1.3.7
> 2) kernel 2.6.19.1
> 3) SMP computer
> 4) 2 external links + 2 internal (bridged).
>
> Some hours after the system has been working without any trouble, all network devices stop responding.
>
> Can anyone help me fix this problem?
>
> Googling for some hours, I found that this was a problem with old kernels and was solved in kernel version 2.6.11.
>
> Any help will be appreciated.
>
> Regards.
>
> P.S.: With MASQUERADE the problem begins more quickly than with the SNAT target.

From alex at zoomnet.ro Thu Jan 4 22:39:45 2007
From: alex at zoomnet.ro (Alexandru Dragoi)
Date: Thu Jan 4 22:39:59 2007
Subject: [LARTC] Re: dst cache overflow
In-Reply-To: <55635.10.1.1.10.1167946368.squirrel@www.arcoscom.com>
References: <60665.10.1.1.10.1167776653.squirrel@www.arcoscom.com> <55635.10.1.1.10.1167946368.squirrel@www.arcoscom.com>
Message-ID: <459D7421.7070909@zoomnet.ro>

ArcosCom Linux User wrote:
> The log says:
>
> Dec 30 00:52:27 cura kernel: dst cache overflow
> Dec 30 00:52:27 cura kernel: MASQUERADE: No route: Rusty's brain broke!
> Dec 30 00:52:27 cura kernel: dst cache overflow
> Dec 30 00:52:28 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
> Dec 30 00:52:28 cura kernel: zlan0: topology change detected, propagating
> Dec 30 00:52:28 cura kernel: dst cache overflow
> Dec 30 00:52:30 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
> Dec 30 00:52:30 cura kernel: zlan0: topology change detected, propagating
> Dec 30 00:52:32 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
> Dec 30 00:52:32 cura kernel: zlan0: topology change detected, propagating
> Dec 30 00:52:32 cura kernel: printk: 15 messages suppressed.
> Dec 30 00:52:32 cura kernel: dst cache overflow
> Dec 30 00:52:34 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
> Dec 30 00:52:34 cura kernel: zlan0: topology change detected, propagating
> Dec 30 00:52:36 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
> Dec 30 00:52:36 cura kernel: zlan0: topology change detected, propagating
> Dec 30 00:52:37 cura kernel: printk: 40 messages suppressed.
> Dec 30 00:52:37 cura kernel: dst cache overflow
>
> zlan0 is a bridge (with STP configured) between some LANs.
>
> Thanks
>
> P.S.: I'm a bit desperate with this error; I changed "MASQUERADE" to "SNAT" to no effect. Some hours after the router is booted up, the network appears to be UP but none of the interfaces respond.
>
> On Tue, 2 January 2007, 23:24, ArcosCom Linux User wrote:
>
>> Hi all, I'm having this problem with this system configuration:
>> 1) iptables 1.3.7
>> 2) kernel 2.6.19.1
>> 3) SMP computer
>> 4) 2 external links + 2 internal (bridged).
>>
>> Some hours after the system has been working without any trouble, all network devices stop responding.
>>
>> Can anyone help me fix this problem?
>>
>> Googling for some hours, I found that this was a problem with old kernels and was solved in kernel version 2.6.11.
>>
>> Any help will be appreciated.
>>
>> Regards.
>>
>> P.S.: With MASQUERADE the problem begins more quickly than with the SNAT target.
>>
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

The generic solution is to make less/better use of the CPU resources. In particular, it is good to tune a lot of parameters, like /proc/sys/net/ipv4/neigh/default/gc_threshx, where x is 1, 2 or 3.

echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 16384 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

Then, check/tune whatever consumes CPU: iptables firewall, tc filters, lots of routes and heavy packets/second traffic, and so on. You can check with top how resources are used, for a start.

From alex at zoomnet.ro Thu Jan 4 22:42:52 2007
From: alex at zoomnet.ro (Alexandru Dragoi)
Date: Thu Jan 4 22:42:57 2007
Subject: [LARTC] Re: dst cache overflow
In-Reply-To: <459D7421.7070909@zoomnet.ro>
References: <60665.10.1.1.10.1167776653.squirrel@www.arcoscom.com> <55635.10.1.1.10.1167946368.squirrel@www.arcoscom.com> <459D7421.7070909@zoomnet.ro>
Message-ID: <459D74DC.8040100@zoomnet.ro>

Alexandru Dragoi wrote:
> ArcosCom Linux User wrote:
>
>> The log says:
>>
>> Dec 30 00:52:27 cura kernel: dst cache overflow
>> Dec 30 00:52:27 cura kernel: MASQUERADE: No route: Rusty's brain broke!
>> Dec 30 00:52:27 cura kernel: dst cache overflow
>> Dec 30 00:52:28 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
>> Dec 30 00:52:28 cura kernel: zlan0: topology change detected, propagating
>> Dec 30 00:52:28 cura kernel: dst cache overflow
>> Dec 30 00:52:30 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
>> Dec 30 00:52:30 cura kernel: zlan0: topology change detected, propagating
>> Dec 30 00:52:32 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
>> Dec 30 00:52:32 cura kernel: zlan0: topology change detected, propagating
>> Dec 30 00:52:32 cura kernel: printk: 15 messages suppressed.
>> Dec 30 00:52:32 cura kernel: dst cache overflow
>> Dec 30 00:52:34 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
>> Dec 30 00:52:34 cura kernel: zlan0: topology change detected, propagating
>> Dec 30 00:52:36 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
>> Dec 30 00:52:36 cura kernel: zlan0: topology change detected, propagating
>> Dec 30 00:52:37 cura kernel: printk: 40 messages suppressed.
>> Dec 30 00:52:37 cura kernel: dst cache overflow
>>
>> zlan0 is a bridge (with STP configured) between some LANs.
>>
>> Thanks
>>
>> P.S.: I'm a bit desperate with this error; I changed "MASQUERADE" to "SNAT" to no effect. Some hours after the router is booted up, the network appears to be UP but none of the interfaces respond.
>>
>> On Tue, 2 January 2007, 23:24, ArcosCom Linux User wrote:
>>
>>> Hi all, I'm having this problem with this system configuration:
>>> 1) iptables 1.3.7
>>> 2) kernel 2.6.19.1
>>> 3) SMP computer
>>> 4) 2 external links + 2 internal (bridged).
>>>
>>> Some hours after the system has been working without any trouble, all network devices stop responding.
>>>
>>> Can anyone help me fix this problem?
>>>
>>> Googling for some hours, I found that this was a problem with old kernels and was solved in kernel version 2.6.11.
>>>
>>> Any help will be appreciated.
>>>
>>> Regards.
>>>
>>> P.S.: With MASQUERADE the problem begins more quickly than with the SNAT target.
>>>
>>
> The generic solution is to make less/better use of the CPU resources. In particular, it is good to tune a lot of parameters, like /proc/sys/net/ipv4/neigh/default/gc_threshx, where x is 1, 2 or 3.
>
> echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
> echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
> echo 16384 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
>
> Then, check/tune whatever consumes CPU: iptables firewall, tc filters, lots of routes and heavy packets/second traffic, and so on. You can check with top how resources are used, for a start.
>

Now I see the BPDU packets received by your bridge. It seems you may have a network loop, which generates lots of broadcast traffic (which includes ARP).

From alan.romaniuc at inteligensa.com.br Fri Jan 5 12:33:39 2007
From: alan.romaniuc at inteligensa.com.br (Alan Romaniuc)
Date: Fri Jan 5 12:33:56 2007
Subject: [LARTC] Load Balancing Problems
Message-ID: <459E3793.6040805@inteligensa.com.br>

Hi,

I have a router that got its second link. I was trying to do load balancing, but I cannot get it to work properly.

Just one link works at a time, and it is always the second one in the command "ip route add default table 222 proto static".

Am I missing something? My script is below.
I am using Debian, tried with kernel 2.6.19 (my compilation) or Debian's one (2.6.18-3-486), same results.

Thanks

=========================================================================
ip rule add prio 50 table main
ip route del default table main

ip rule add prio $PRIO1 from $NET1 table $PRIO1
ip route add default via $IPGW1 dev $INTERFACE1 src $IP1 proto static table $PRIO1
ip route append prohibit default table $PRIO1 metric 1 proto static

ip rule add prio $PRIO2 from $NET2 table $PRIO2
ip route add default via $IPGW2 dev $INTERFACE2 src $IP2 proto static table $PRIO2
ip route append prohibit default table $PRIO2 metric 1 proto static

ip rule add prio 222 table 222
ip route add default table 222 proto static \
    nexthop via $IPGW1 dev $INTERFACE1 weight $WE1 \
    nexthop via $IPGW2 dev $INTERFACE2 weight $WE2
=================================================================

-- 
Alan Romaniuc

From s.cramatte at wanadoo.fr Fri Jan 5 15:01:36 2007
From: s.cramatte at wanadoo.fr (Sébastien CRAMATTE)
Date: Fri Jan 5 15:01:55 2007
Subject: [LARTC] HTB burst howto ?
Message-ID: <459E5A40.2000409@wanadoo.fr>

Hello

First of all: Happy new year!

Can anyone explain to me, or point me to a resource on, how I can set up burst on HTB classes ...

I've got 20Mb of bandwidth with burst to ~24Mb. I haven't understood well how to calculate the values of the cburst and burst parameters! It seems that if I don't specify these parameters the bandwidth is shaped to 20Mb without any burst?

I've found this discussion: http://mailman.ds9a.nl/pipermail/lartc/2001q4/001972.html

Can anyone enlighten me?
Regards
Sébastien

From radu at securesystems.ro Sat Jan 6 19:30:55 2007
From: radu at securesystems.ro (Radu Oprisan)
Date: Sat Jan 6 19:31:19 2007
Subject: [LARTC] Disable netfilter for bridged traffic
In-Reply-To: <4588D088.3050702@multitech.co.in>
References: <4588D088.3050702@multitech.co.in>
Message-ID: <459FEADF.5060609@securesystems.ro>

senthil wrote:
> Hi All,
> Can anybody suggest how I can disable netfilter for bridged traffic in the linux-2.4.27 kernel?

If I understand the question, then you just need to ignore the interfaces for the bridge.

iptables -I FORWARD -i eth_bridge_1 -j RETURN
iptables -I FORWARD -i eth_bridge_2 -j RETURN
iptables -I FORWARD -i bridge -j RETURN

Same for INPUT and OUTPUT if you don't need a firewall for the IP address assigned on the bridge interface, or you don't have an IP address assigned.

From alan.romaniuc at inteligensa.com.br Mon Jan 8 16:58:20 2007
From: alan.romaniuc at inteligensa.com.br (Alan Romaniuc)
Date: Mon Jan 8 16:58:49 2007
Subject: [LARTC] Load Balancing Problems
Message-ID: <45A26A1C.1030302@inteligensa.com.br>

I am having trouble with load balancing. I can never get it working....

I have this scenario:

INTRANET -------- (IP0, INTERFACE0) ROUTER (IP1, INTERFACE1) ---- NET1 --- (IPGW1) EXTRANET 1
                                      |
                                      |----(IP2, INTERFACE2) ---- NET2 --- (IPGW2) EXTRANET 2

I have a Debian box with the Debian kernel, and I have my own kernel too, with patches from Julian's route patch page.

Here is my script... copied from LARTC:

====
ip route add $NET1 dev $INTERFACE1 src $IP1 table $TABLE1
ip route add default via $IPGW1 table $TABLE1

ip route add $NET2 dev $INTERFACE2 src $IP2 table $TABLE2
ip route add default via $IPGW2 table $TABLE2

ip route add $NET1 dev $INTERFACE1 src $IP1
ip route add $NET2 dev $INTERFACE2 src $IP2

#ip route add default via $IPGW1

ip rule add from $IP1 table $TABLE1
ip rule add from $IP2 table $TABLE2

# MAGIC LINE !!!!!!!!!!!!!!!!!!!!!!!
ip route add default scope global \
    nexthop via $IPGW1 dev $INTERFACE1 weight $WE1 \
    nexthop via $IPGW2 dev $INTERFACE2 weight $WE2

ip route add $NET0 dev $INTERFACE0 table $TABLE1
ip route add $NET2 dev $INTERFACE2 table $TABLE1
ip route add 127.0.0.0/8 dev lo table $TABLE1

ip route add $NET0 dev $INTERFACE0 table $TABLE2
ip route add $NET1 dev $INTERFACE1 table $TABLE2
ip route add 127.0.0.0/8 dev lo table $TABLE2

#Extra rule for cable router
if [ "$ROUTER1" ]; then
    ip route add $ROUTER1 dev $INTERFACE1 src $IP1
fi
======

With this script, I am always routed via the second gateway from the "MAGIC LINE". When I am doing a download (bittorrent for example) and redefine the routes (swapping the first and the second), I get full download speed (link1 + link2 bitrate) and both interfaces work normally.

If I stop my torrent, flush the table, and start the download again, only the second link will work again, so load balancing never works...

Here is some more debug information:

>>ip rule
0:      from all lookup 255
32764:  from 189.1.1.130 lookup uplink_e
32765:  from 201.1.1.88 lookup uplink_v
32766:  from all lookup main
32767:  from all lookup default

>>ip route
192.168.100.1 dev eth_virtua scope link src 201.6.156.88
189.1.1.128/26 dev eth_embratel proto kernel scope link src 189.1.1.130
10.0.0.0/24 dev eth_wifi proto kernel scope link src 10.0.0.1
192.168.1.0/24 dev eth_intra1 proto kernel scope link src 192.168.1.1
201.1.1.0/24 dev eth_virtua proto kernel scope link src 201.1.1.88
default
        nexthop via 201.1.1.1 dev eth_virtua weight 1
        nexthop via 189.1.1.129 dev eth_embratel weight 1

>>Iptables (All ACCEPT)
$IPTABLES -t nat -A POSTROUTING -o $INTERFACE1 -j SNAT --to-source $IP1
$IPTABLES -t nat -A POSTROUTING -o $INTERFACE2 -j SNAT --to-source $IP2

>>rt_tables
#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep
203     uplink_e
202     uplink_v

PS: IP numbers are not real ....
:/

Thanks in advance for any help;

-- 
Alan Romaniuc
Phone : +55 11 5105-4955
Mobile : +55 11 8270-2520
alan.romaniuc@inteligensa.com.br
INTELIGENSA DO BRASIL
Rua Quintana, 887, 5o. andar - Brooklin
04569-011 - São Paulo - SP - BRASIL
www.inteligensa.com.br

From WBohannan at spidersat.com.gh Mon Jan 8 19:21:59 2007
From: WBohannan at spidersat.com.gh (William Bohannan)
Date: Mon Jan 8 19:22:19 2007
Subject: [LARTC] TC on multiple nics
Message-ID: <4D411FB02758FE45915E9724339093F61A7608@intranet.scpl.local>

Happy New Year.

Finally got my fw and tc rules down pat for the bridge, now I'm interested in introducing a third nic to have NAT on the box as well. Does anyone have an idea of a good place to start reading up on the subject? I'm mainly interested in how to set up the flow direction to start with, so as to get an overall understanding of the flow; I found that helps best.

Internet --- eth0 --- eth1 --- bridge(eth0/eth1)

Now trying...

Internet --- eth0 --- eth1 --- bridge (eth0/eth1)
                |----- eth2 --- nat (eth0/eth2)

Would this be how it is done (a start at least ;) )? Please advise.
# create the required tables and route traffic to them
/sbin/iptables -t mangle -N server-all
/sbin/iptables -t mangle -N server-all-chains
/sbin/iptables -t mangle -N server-prerouting
/sbin/iptables -t mangle -A PREROUTING -j server-prerouting
/sbin/iptables -t mangle -A server-prerouting -j CONNMARK --restore-mark

# bridge traffic - input (eth0 -> eth1)
/sbin/tc qdisc add dev eth1 handle 1: root htb default 1
/sbin/iptables -t mangle -A server-prerouting -m physdev --physdev-in eth0 --physdev-out eth1 -j server-all
/sbin/iptables -t mangle -A POSTROUTING -m physdev --physdev-in eth0 --physdev-out eth1 -j server-all-chains
/sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 3000Kbit
/sbin/tc filter add dev eth1 parent 1:0 protocol all u32 match u32 0 0 classid 1:1

# bridge traffic - output (eth1 -> eth0)
/sbin/tc qdisc add dev eth0 handle 1: root htb default 1
/sbin/iptables -t mangle -A server-prerouting -m physdev --physdev-in eth1 --physdev-out eth0 -j server-all
/sbin/iptables -t mangle -A POSTROUTING -m physdev --physdev-in eth1 --physdev-out eth0 -j server-all-chains
/sbin/tc class add dev eth0 parent 1: classid 1:1 htb rate 3000Kbit
/sbin/tc filter add dev eth0 parent 1:0 protocol all u32 match u32 0 0 classid 1:1

# nat traffic - input (eth0 -> eth2)
/sbin/tc qdisc add dev eth1 handle 1: root htb default 1
/sbin/iptables -t mangle -A server-prerouting -m physdev --physdev-in eth0 --physdev-out eth2 -j server-all
/sbin/iptables -t mangle -A POSTROUTING -m physdev --physdev-in eth0 --physdev-out eth2 -j server-all-chains
/sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 3000Kbit
/sbin/tc filter add dev eth1 parent 1:0 protocol all u32 match u32 0 0 classid 1:1

# nat traffic - output (eth0 -> eth2)
/sbin/tc qdisc add dev eth0 handle 1: root htb default 1
/sbin/iptables -t mangle -A server-prerouting -m physdev --physdev-in eth2 --physdev-out eth0 -j server-all
/sbin/iptables -t mangle -A POSTROUTING -m physdev --physdev-in eth2 --physdev-out eth0 -j server-all-chains
/sbin/tc class add dev eth0 parent 1: classid 1:1 htb rate 3000Kbit
/sbin/tc filter add dev eth0 parent 1:0 protocol all u32 match u32 0 0 classid 1:1

# nat traffic - input (eth2 -> eth1)
/sbin/tc qdisc add dev eth1 handle 1: root htb default 1
/sbin/iptables -t mangle -A server-prerouting -m physdev --physdev-in eth1 --physdev-out eth2 -j server-all
/sbin/iptables -t mangle -A POSTROUTING -m physdev --physdev-in eth1 --physdev-out eth2 -j server-all-chains
/sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 3000Kbit
/sbin/tc filter add dev eth1 parent 1:0 protocol all u32 match u32 0 0 classid 1:1

# nat traffic - output (eth1 -> eth2)
/sbin/tc qdisc add dev eth0 handle 1: root htb default 1
/sbin/iptables -t mangle -A server-prerouting -m physdev --physdev-in eth2 --physdev-out eth1 -j server-all
/sbin/iptables -t mangle -A POSTROUTING -m physdev --physdev-in eth2 --physdev-out eth1 -j server-all-chains
/sbin/tc class add dev eth0 parent 1: classid 1:1 htb rate 3000Kbit
/sbin/tc filter add dev eth0 parent 1:0 protocol all u32 match u32 0 0 classid 1:1

Then simply create the rules for all the classids? And have a fallback for each classid.

Kind Regards
William

From s.cramatte at wanadoo.fr Mon Jan 8 21:25:09 2007
From: s.cramatte at wanadoo.fr (Sébastien CRAMATTE)
Date: Mon Jan 8 21:25:33 2007
Subject: [LARTC] How can I do traffic shapping for passive ftp ?
Message-ID: <45A2A8A5.4010000@wanadoo.fr>

Hello

I've set up a bridge with iptables + layer + ipp2p + tc. I don't know how to shape passive FTP.

If I put rules on port 20, 21 or use layer 7, iptables accounting is still empty ...
When I do a tcpdump I can see that ports other than 20 or 21 are used ...

Any ideas of how I can achieve this?
Regards

From gtaylor at riverviewtech.net Tue Jan 9 03:28:59 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Tue Jan 9 03:33:41 2007
Subject: [LARTC] Using iptables level7/ipp2p match in a bridge
In-Reply-To: <021c01c72aed$a3ecf660$0100a8c0@newlife>
References: <020c01c72ae7$8e9722f0$0100a8c0@newlife> <45946FFC.60407@riverviewtech.net> <021c01c72aed$a3ecf660$0100a8c0@newlife>
Message-ID: <45A2FDEB.8020706@riverviewtech.net>

On 12/28/06 20:04, Ming-Ching Tiew wrote:
> Thank you for a reply which comes in so useful. I would like to get into a bit more detail. Assuming I have already enabled the kernel options, do you mean that if I want to mark ipp2p traffic, I will do something like this:

You are welcome.

> iptables -A FORWARD -m ipp2p --ipp2p -j MARK --set-mark 6

Yes, with "Bridged IP/ARP packets filtering" you can do that.

> If I set more options such as "-i eth0 -o eth1" will I be able to capture the traffic more particularly?

In short, yes. "Bridged IP/ARP packets filtering" allows IPTables to see bridged traffic. This means that any filtering you can do with IPTables can now be done on bridged traffic.

Grant. . . .

From gtaylor at riverviewtech.net Tue Jan 9 03:41:25 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Tue Jan 9 03:46:08 2007
Subject: [LARTC] Trouble selecting network interface by port
In-Reply-To: <871wmixocf.fsf@killalla.dreaming>
References: <871wmixocf.fsf@killalla.dreaming>
Message-ID: <45A300D5.9040706@riverviewtech.net>

On 12/29/06 17:40, Björn Lindström wrote:
> # Mark packets that should be routed through the tunnel
> iptables -A PREROUTING -i ${EXTIF} -t mangle -p tcp --dport 80 \
>     -j MARK --set-mark 1
>
> I'm testing this with port 80 so that I can check the result by running a script that returns my IP on a remote server.
>
> After doing all this, the remote server still sees my IP as the IP for eth1. Can anyone see what I have overlooked here?

It looks like you are marking packets that are inbound on your external interface. Did you perhaps mean to mark packets inbound on your internal interface and thus outbound from your system?

Grant. . . .

From hijacker at oldum.net Tue Jan 9 08:32:42 2007
From: hijacker at oldum.net (Nikolay Kichukov)
Date: Tue Jan 9 08:33:10 2007
Subject: [LARTC] How can I do traffic shapping for passive ftp ?
In-Reply-To: <45A2A8A5.4010000@wanadoo.fr>
References: <45A2A8A5.4010000@wanadoo.fr>
Message-ID: <45A3451A.4060202@oldum.net>

Hello Sebastien,

If you are configuring the server side (where the ftpd is running) then you can tell the ftpd which ports to use for those passive connections in its configuration file. Then you can apply your rules on those ports ;-)

HTH,
-nik

Sébastien CRAMATTE wrote:
> Hello
>
> I've set up a bridge with iptables + layer + ipp2p + tc. I don't know how to shape passive FTP.
>
> If I put rules on port 20, 21 or use layer 7, iptables accounting is still empty ...
> When I do a tcpdump I can see that ports other than 20 or 21 are used ...
>
> Any ideas of how I can achieve this?
>
> Regards

From kajtek at biezanow.net Tue Jan 9 09:14:29 2007
From: kajtek at biezanow.net (Kajetan Staszkiewicz)
Date: Tue Jan 9 09:15:11 2007
Subject: [LARTC] How can I do traffic shapping for passive ftp ?
In-Reply-To: <45A2A8A5.4010000@wanadoo.fr>
References: <45A2A8A5.4010000@wanadoo.fr>
Message-ID: <200701090914.29687.kajtek@biezanow.net>

On Monday, 8 January 2007 21:25, Sébastien CRAMATTE wrote:
> Hello
>
> I've set up a bridge with iptables + layer + ipp2p + tc. I don't know how to shape passive FTP.
>
> If I put rules on port 20, 21 or use layer 7, iptables accounting is still empty ...
> When I do a tcpdump I can see that ports other than 20 or 21 are used ...
Use the ip_nat_ftp and ip_conntrack_ftp modules. Then mark FTP traffic with the helper match.

Example:

iptables -t mangle -A FORWARD -m helper --helper ftp -j MARK --set-mark 0x03

-- 
| regards / greetings   | powered by Trustix, Gentoo and FreeBSD     |
| Kajetan Staszkiewicz  | jabber,email,www: vegeta()tuxpowered net   |
| Vegeta                | IMQ devnames: http://tuxpowered.net        |
`-----------------------^--------------------------------------------'

From s.cramatte at wanadoo.fr Tue Jan 9 10:41:32 2007
From: s.cramatte at wanadoo.fr (Sébastien CRAMATTE)
Date: Tue Jan 9 10:41:58 2007
Subject: [LARTC] How can I do traffic shapping for passive ftp ?
In-Reply-To: <200701090914.29687.kajtek@biezanow.net>
References: <45A2A8A5.4010000@wanadoo.fr> <200701090914.29687.kajtek@biezanow.net>
Message-ID: <45A3634C.2040705@wanadoo.fr>

Kajetan Staszkiewicz wrote:
> On Monday, 8 January 2007 21:25, Sébastien CRAMATTE wrote:
>
>> Hello
>>
>> I've set up a bridge with iptables + layer + ipp2p + tc. I don't know how to shape passive FTP.
>>
>> If I put rules on port 20, 21 or use layer 7, iptables accounting is still empty ...
>> When I do a tcpdump I can see that ports other than 20 or 21 are used ...
>>
>
> Use the ip_nat_ftp and ip_conntrack_ftp modules. Then mark FTP traffic with the helper match.
>
> Example:
> iptables -t mangle -A FORWARD -m helper --helper ftp -j MARK --set-mark 0x03
>

I hadn't specified that I don't use NAT. I use this QoS manager for a very small ISP and I can't control the FTP server.
Upgrading the Layer7 protocols seems to be OK ...

Regards

From luciano at lugmen.org.ar Tue Jan 9 14:36:23 2007
From: luciano at lugmen.org.ar (Luciano Ruete)
Date: Tue Jan 9 14:36:53 2007
Subject: [LARTC] Load Balancing Problems
In-Reply-To: <459E3793.6040805@inteligensa.com.br>
References: <459E3793.6040805@inteligensa.com.br>
Message-ID: <200701091036.23540.luciano@lugmen.org.ar>

On Friday 05 January 2007 08:33, Alan Romaniuc wrote:
> Hi,
>
> I have a router that got its second link. I was trying to do load balancing, but I cannot get it to work properly.
>
> Just one link works at a time, and it is always the second one in the command "ip route add default table 222 proto static".
>
> Am I missing something? My script is below. I am using Debian, tried with kernel 2.6.19 (my compilation) or Debian's one (2.6.18-3-486), same results.

Try "your compilation" without CONFIG_IP_ROUTE_MULTIPATH_CACHED.

There are several threads on this topic in the archive, one as reference:
http://archives.free.net.ph/message/20060618.150532.8a6cc07f.en.html

If it solves the problem, maybe it is time to contact the author of Multipath Cached and send a report.

-- 
Luciano

From luciano at lugmen.org.ar Tue Jan 9 14:43:31 2007
From: luciano at lugmen.org.ar (Luciano Ruete)
Date: Tue Jan 9 14:44:00 2007
Subject: [LARTC] Disable netfilter for bridged traffic
In-Reply-To: <459FEADF.5060609@securesystems.ro>
References: <4588D088.3050702@multitech.co.in> <459FEADF.5060609@securesystems.ro>
Message-ID: <200701091043.31823.luciano@lugmen.org.ar>

On Saturday 06 January 2007 15:30, Radu Oprisan wrote:
> senthil wrote:
>> Hi All,
>> Can anybody suggest how I can disable netfilter for bridged traffic in the linux-2.4.27 kernel?
>
> If I understand the question, then you just need to ignore the interfaces for the bridge.

This is not necessary because bridged traffic is "layer 2" traffic, and there is no chance that netfilter (layer 3) sees it. There are ebtables and iptables "physdev" in 2.6 to filter bridged traffic.
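Editor's note, added to this archive and not written by any of the posters: the "dst cache overflow" thread above ends with Alexandru reading the STP topology-change lines as a sign of a layer-2 loop flooding the router, and Patrick pointing out that the MASQUERADE "No route" message is only a side effect. The script below is a small log-triage tool that applies that reading to kernel lines in the syslog format quoted in the thread: it counts overflow reports (separately tallying the messages hidden by printk rate limiting, which are assumed here to be further reports of the same kind), counts the NAT side effect, and flags a burst of TCN BPDUs on a bridge port. The sample lines are the ones quoted in the thread; the 30-second window and the threshold of 3 TCNs are assumed values, not from the page.

```python
"""Triage kernel log lines for the 'dst cache overflow' symptom.

Added example for the LARTC dst cache overflow thread; it is not code from
the thread. It parses syslog-style kernel lines, counts route-cache
overflow reports (plus printk rate-limit suppressions) and looks for a
storm of STP topology-change notifications on a bridge port, which points
at a layer-2 loop flooding the router with broadcast/ARP traffic.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the kernel lines quoted in the thread.
SAMPLE_LOG = """\
Dec 30 00:52:27 cura kernel: dst cache overflow
Dec 30 00:52:27 cura kernel: MASQUERADE: No route: Rusty's brain broke!
Dec 30 00:52:27 cura kernel: dst cache overflow
Dec 30 00:52:28 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
Dec 30 00:52:28 cura kernel: zlan0: topology change detected, propagating
Dec 30 00:52:28 cura kernel: dst cache overflow
Dec 30 00:52:30 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
Dec 30 00:52:30 cura kernel: zlan0: topology change detected, propagating
Dec 30 00:52:32 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
Dec 30 00:52:32 cura kernel: zlan0: topology change detected, propagating
Dec 30 00:52:32 cura kernel: printk: 15 messages suppressed.
Dec 30 00:52:32 cura kernel: dst cache overflow
Dec 30 00:52:34 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
Dec 30 00:52:34 cura kernel: zlan0: topology change detected, propagating
Dec 30 00:52:36 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
Dec 30 00:52:36 cura kernel: zlan0: topology change detected, propagating
Dec 30 00:52:37 cura kernel: printk: 40 messages suppressed.
Dec 30 00:52:37 cura kernel: dst cache overflow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$")
TCN_RE = re.compile(r"^(?P<bridge>\S+): received tcn bpdu on port \d+\((?P<port>[^)]+)\)$")
TOPO_RE = re.compile(r"^(?P<bridge>\S+): topology change detected")
SUPPRESSED_RE = re.compile(r"^printk: (?P<n>\d+) messages suppressed\.$")


def parse_ts(text):
    # Syslog timestamps carry no year; only differences between timestamps
    # are used, so strptime's default year is fine unless a burst spans
    # New Year (an assumed limitation of this example).
    return datetime.strptime(text, "%b %d %H:%M:%S")


def max_events_in_window(times, window_s):
    """Largest number of events whose timestamps fit in window_s seconds."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text, window_s=30, tcn_threshold=3):
    """Return counters for the symptoms discussed in the thread."""
    overflow = suppressed = nat_no_route = 0
    tcn_by_port = Counter()   # "bridge:port" -> TCN BPDUs received
    topo_changes = Counter()  # bridge -> topology changes propagated
    tcn_times = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue  # not a kernel line; ignore
        msg = m.group("msg").strip()
        if msg == "dst cache overflow":
            overflow += 1
        elif (s := SUPPRESSED_RE.match(msg)):
            suppressed += int(s.group("n"))  # rate-limited, assumed same kind
        elif msg.startswith("MASQUERADE: No route"):
            nat_no_route += 1  # side effect of the exhausted route cache
        elif (t := TCN_RE.match(msg)):
            tcn_by_port[f"{t.group('bridge')}:{t.group('port')}"] += 1
            tcn_times.append(parse_ts(m.group("ts")))
        elif (c := TOPO_RE.match(msg)):
            topo_changes[c.group("bridge")] += 1
    max_tcn = max_events_in_window(tcn_times, window_s) if tcn_times else 0
    return {
        "dst_overflow": overflow,
        "suppressed": suppressed,
        "nat_no_route": nat_no_route,
        "tcn_by_port": dict(tcn_by_port),
        "topology_changes": dict(topo_changes),
        "max_tcn_in_window": max_tcn,
        "loop_suspected": max_tcn >= tcn_threshold,
    }


def report(result):
    """Human-readable summary with the follow-up the thread suggests."""
    lines = [
        f"dst cache overflow reports: {result['dst_overflow']} "
        f"(+{result['suppressed']} rate-limited messages, likely more of the same)",
        f"NAT 'No route' side effects: {result['nat_no_route']}",
    ]
    for port, n in sorted(result["tcn_by_port"].items()):
        lines.append(f"STP TCN BPDUs on {port}: {n}")
    if result["loop_suspected"]:
        lines.append("Topology-change storm: suspect a layer-2 loop; check STP "
                     "state and per-port counters on the bridge before tuning.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(analyze(SAMPLE_LOG)))
```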
-- 
Luciano

From luciano at lugmen.org.ar Tue Jan 9 14:52:37 2007
From: luciano at lugmen.org.ar (Luciano Ruete)
Date: Tue Jan 9 14:53:04 2007
Subject: [LARTC] filtering in layer 2 [but is not a bridge]
Message-ID: <200701091052.37604.luciano@lugmen.org.ar>

I have a linux AP with a prism2 (hostap) wireless nic.

I want to filter traffic that passes between clients of the AP; this is layer 2 traffic (802.11) and netfilter does not see it. At first I thought of the physdev target, but it is for layer 2 bridged interfaces, and this is not the case.

Is there a way to filter layer 2 traffic independent of whether it is from a bridged iface or not?

-- 
Luciano

From zoilo at xs4all.nl Tue Jan 9 15:00:22 2007
From: zoilo at xs4all.nl (Zoilo Gomez)
Date: Tue Jan 9 15:00:29 2007
Subject: [LARTC] filtering in layer 2 [but is not a bridge]
In-Reply-To: <200701091052.37604.luciano@lugmen.org.ar>
References: <200701091052.37604.luciano@lugmen.org.ar>
Message-ID: <45A39FF6.5080608@xs4all.nl>

ebtables

Luciano Ruete wrote:
> I have a linux AP with a prism2 (hostap) wireless nic.
>
> I want to filter traffic that passes between clients of the AP; this is layer 2 traffic (802.11) and netfilter does not see it. At first I thought of the physdev target, but it is for layer 2 bridged interfaces, and this is not the case.
>
> Is there a way to filter layer 2 traffic independent of whether it is from a bridged iface or not?
>

From alan.romaniuc at inteligensa.com.br Tue Jan 9 23:42:35 2007
From: alan.romaniuc at inteligensa.com.br (Alan Romaniuc)
Date: Tue Jan 9 23:42:32 2007
Subject: [LARTC] Load Balancing Problems
In-Reply-To: <200701091036.23540.luciano@lugmen.org.ar>
References: <459E3793.6040805@inteligensa.com.br> <200701091036.23540.luciano@lugmen.org.ar>
Message-ID: <45A41A5B.201@inteligensa.com.br>

Hi all,

After setting CONFIG_IP_ROUTE_MULTIPATH_CACHED to no and applying the patches from http://www.ssi.bg/~ja/#routes , everything is working fine. No more problems with the two uplinks and one route only.

Thanks for the help...
I've been fighting with that for one week.... I will point to this solution in other places too.

Thanks again,
Alan

Luciano Ruete wrote:
> On Friday 05 January 2007 08:33, Alan Romaniuc wrote:
>
>> Hi,
>>
>> I have a router that got its second link. I was trying to do load balancing, but I cannot get it to work properly.
>>
>> Just one link works at a time, and it is always the second one in the command "ip route add default table 222 proto static".
>>
>> Am I missing something? My script is below. I am using Debian, tried with kernel 2.6.19 (my compilation) or Debian's one (2.6.18-3-486), same results.
>>
>
> Try "your compilation" without CONFIG_IP_ROUTE_MULTIPATH_CACHED.
>
> There are several threads on this topic in the archive, one as reference:
> http://archives.free.net.ph/message/20060618.150532.8a6cc07f.en.html
>
> If it solves the problem, maybe it is time to contact the author of Multipath Cached and send a report.
>

From roger38 at mdve.net Wed Jan 10 05:41:58 2007
From: roger38 at mdve.net (Roger Venable)
Date: Wed Jan 10 05:42:06 2007
Subject: [LARTC] TCNG on openSuSE 10.2
Message-ID: <38547.68.79.89.67.1168404118.squirrel@68.79.89.67>

I'm trying to get TCNG working on an openSuSE 10.2 machine. May I ask for compilation help here, or is it out of context for this list? Did something replace TCNG?

Roger Venable
Ann Arbor, Michigan, USA

From kaber at trash.net Wed Jan 10 06:58:31 2007
From: kaber at trash.net (Patrick McHardy)
Date: Wed Jan 10 06:58:40 2007
Subject: [LARTC] Re: iptables 1.3.7, kernel 2.6.19, ROUTE and Layer7 issues
In-Reply-To:
References: <54905.84.123.236.132.1165866276.squirrel@www.arcoscom.com> <57631.195.55.244.106.1165911878.squirrel@www.arcoscom.com> <457E6997.1050001@trash.net> <36479.195.55.244.106.1165998665.squirrel@www.arcoscom.com> <457FBBFD.6060009@trash.net>
Message-ID: <45A48087.8090200@trash.net>

Krzysztof Oledzki wrote:
>> It's still down, but the ROUTE patch is unmaintained anyway.
>
>
> How about the attached (and inlined) patch. BTW - is it possible to add a
> Kconfig entry after a specific text, like with Makefile.ladd?
>
>
> [POM-NG] ROUTE: 2.6.19 compatibility fix
>
> Make both IPv4 and IPv6 versions compatible with 2.6.19

Thanks Krzysztof, applied.

I would prefer to have someone maintain it externally though. Jan, are you still interested in doing that? If you need help or webspace for an external repository please let me know.

From kaber at trash.net Wed Jan 10 08:15:58 2007
From: kaber at trash.net (Patrick McHardy)
Date: Wed Jan 10 08:16:12 2007
Subject: [LARTC] Re: dst cache overflow
In-Reply-To: <55635.10.1.1.10.1167946368.squirrel@www.arcoscom.com>
References: <60665.10.1.1.10.1167776653.squirrel@www.arcoscom.com> <55635.10.1.1.10.1167946368.squirrel@www.arcoscom.com>
Message-ID: <45A492AE.2030909@trash.net>

ArcosCom Linux User wrote:
> The log says:
>
> Dec 30 00:52:27 cura kernel: dst cache overflow
> Dec 30 00:52:27 cura kernel: MASQUERADE: No route: Rusty's brain broke!
> Dec 30 00:52:27 cura kernel: dst cache overflow
> Dec 30 00:52:28 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
> Dec 30 00:52:28 cura kernel: zlan0: topology change detected, propagating
> Dec 30 00:52:28 cura kernel: dst cache overflow
> Dec 30 00:52:30 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
> Dec 30 00:52:30 cura kernel: zlan0: topology change detected, propagating
> Dec 30 00:52:32 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
> Dec 30 00:52:32 cura kernel: zlan0: topology change detected, propagating
> Dec 30 00:52:32 cura kernel: printk: 15 messages suppressed.
> Dec 30 00:52:32 cura kernel: dst cache overflow
> Dec 30 00:52:34 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
> Dec 30 00:52:34 cura kernel: zlan0: topology change detected, propagating
> Dec 30 00:52:36 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
> Dec 30 00:52:36 cura kernel: zlan0: topology change detected, propagating
> Dec 30 00:52:37 cura kernel: printk: 40 messages suppressed.
> Dec 30 00:52:37 cura kernel: dst cache overflow
>
> zlan0 is a bridge (with STP configured) between some LANs.
>
> Thanks
>
> P.S.: I'm a bit desperate with this error; I changed "MASQUERADE" to
> "SNAT" with no sense. Some hours after the router is booted up, the network
> appears to be UP but all ifaces have no responses.

The MASQUERADE message is just an effect of the problem. Please describe your setup in more detail (what kind of devices, how are they connected, ebtables/iptables rules, routing, ...).

From kaber at trash.net Wed Jan 10 13:53:49 2007
From: kaber at trash.net (Patrick McHardy)
Date: Wed Jan 10 13:53:59 2007
Subject: [LARTC] Re: iptables 1.3.7, kernel 2.6.19, ROUTE and Layer7 issues
In-Reply-To:
References: <54905.84.123.236.132.1165866276.squirrel@www.arcoscom.com> <57631.195.55.244.106.1165911878.squirrel@www.arcoscom.com> <457E6997.1050001@trash.net> <36479.195.55.244.106.1165998665.squirrel@www.arcoscom.com> <457FBBFD.6060009@trash.net> <45A48087.8090200@trash.net>
Message-ID: <45A4E1DD.8070001@trash.net>

Jan Engelhardt wrote:
> On Jan 10 2007 06:58, Patrick McHardy wrote:
>
>> I would prefer to have someone maintain it externally though. Jan, are
>> you still interested in doing that? If you need help or webspace for
>> an external repository please let me know.
>
>
> I would give it a try. Though I would really prefer to have it in the
> kernel and iptables rather than pomng or pomng-external. In my
> opinion that simplifies maintainability.
> Changes in the netfilter API
> seem to be the most common reason for patching (someone changed the
> xt_match->match and xt_target->target signatures in 2.6.20 again!),
> and keeping out-of-tree modules compiling with kernel-du-jour can be
> an #ifdef pita. Then it's really preferable to have 2.6.18 have a
> xt_FOOBAR with netfilter-2.6.18 signatures, and 2.6.20 with
> netfilter-2.6.20. Especially since many people run distributions with
> RPM/DEBified iptables, so the POM `runme` will not be easy to
> accomplish for the casual user. (I currently do have that issue -
> after doing `svn up` on pomng, I have to manually move the changes to
> (my) kernel rpm and (my) iptables rpm, because the days of `make
> install` are GONE for me - at least I try.)
>
> I understand that POM does not require to compile with all
> kernels-of-the-last-three-months, but this also simplifies
> integration for end users. They do not need to backport/forward port
> indated/outdated out-of-tree modules and, at best, do not even need
> to recompile the kernel.
>
> Of course there are some modules that continue being out-of-tree
> because they would not fit in (imagine a 500K geoip.c with a
> compiled-in big string array). Not sure what to do about them.
> Perhaps do it like chaostables [2.6.18-2.6.20], trying to keep it
> working for a limited set of kernels.
>
> Oh well, that said, my ideal plan would be to get ROUTE TARPIT
> connlimit and u32 into mainline in one go, and perhaps, after review
> and discussion, chaostables and some of the others that live in
> Krzysztof's patchlet collection.

ROUTE will not go in, it's a bad hack and shouldn't be used (which is why I would prefer to get rid of it). Haven't looked at TARPIT and connlimit in a long time, we can think about it.
From kaber at trash.net Wed Jan 10 13:57:44 2007
From: kaber at trash.net (Patrick McHardy)
Date: Wed Jan 10 13:57:54 2007
Subject: [LARTC] Re: dst cache overflow
In-Reply-To: <43702.195.55.244.106.1168431388.squirrel@www.arcoscom.com>
References: <60665.10.1.1.10.1167776653.squirrel@www.arcoscom.com> <55635.10.1.1.10.1167946368.squirrel@www.arcoscom.com> <45A492AE.2030909@trash.net> <43702.195.55.244.106.1168431388.squirrel@www.arcoscom.com>
Message-ID: <45A4E2C8.8030302@trash.net>

ArcosCom Linux User wrote:
> The configuration is:
> 1) linux box with 2.6.19.1 kernel with these patches/modules:
>    a) l7-filter
>    b) multipath patch (from nano-howto)
>    c) IMQ
>    d) ipp2p
>    e) connlimit
> 2) 4 ethernet interfaces:
>    a) 2 external (eth1 and eth3) interfaces with balanced links (as
>       described in nano-howto).
>    b) 2 internal interfaces (eth0 and eth2) in bridge zlan0 with STP
>       enabled and configured.
> 3) For tests I load manually ALL conntrack/nat kernel modules.

Please try to reproduce this without all these whacky patches (or at least without multipath and IMQ).

From kuolung at ms.kuolung.net Wed Jan 10 14:29:05 2007
From: kuolung at ms.kuolung.net (Kuolung)
Date: Wed Jan 10 14:30:00 2007
Subject: [LARTC] Load Balancing Problems
References: <459E3793.6040805@inteligensa.com.br> <200701091036.23540.luciano@lugmen.org.ar> <45A41A5B.201@inteligensa.com.br>
Message-ID: <010a01c734bb$63dd88a0$3b01a8c0@KuolungC>

Hi,

Are you testing it with the same remote site and the same client??

----- Original Message -----
From: "Alan Romaniuc"
To:
Sent: Wednesday, January 10, 2007 6:42 AM
Subject: Re: [LARTC] Load Balancing Problems

>
> Hi all,
>
> After setting CONFIG_IP_ROUTE_MULTIPATH_CACHED to no and applying the patches
> from http://www.ssi.bg/~ja/#routes , everything is working fine. No more
> problems with the two uplinks and one route only.
>
> Thanks for the help... I've been fighting with that for one week....
>
> I will point to this solution in other places too.
>
> Thanks again,
>
> Alan
>
>
>
>
> Luciano Ruete wrote:
>> On Friday 05 January 2007 08:33, Alan Romaniuc wrote:
>>
>>> Hi,
>>>
>>> I have a router that got its second link. I was trying to do load
>>> balancing, but I can not get it to work properly.
>>>
>>> Just one link works at a time, and it is always the second in the command ip
>>> route add default table 222 proto static.
>>>
>>> Am I missing something? My script is below. I am using Debian, tried
>>> with kernel 2.6.19 (my compilation) or Debian's one (2.6.18-3-486),
>>> same results
>>>
>>
>> Try "your compilation" without CONFIG_IP_ROUTE_MULTIPATH_CACHED
>>
>> there are several threads on this topic in the archive, one as reference:
>> http://archives.free.net.ph/message/20060618.150532.8a6cc07f.en.html
>>
>> If it solves the problem, maybe it is time to contact the author of
>> Multipath Cached and send some report.
>>
>
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.

From linux at arcoscom.com Wed Jan 10 12:40:33 2007
From: linux at arcoscom.com (ArcosCom Linux User)
Date: Wed Jan 10 15:23:36 2007
Subject: [LARTC] Re: dst cache overflow
In-Reply-To: <45A492AE.2030909@trash.net>
References: <60665.10.1.1.10.1167776653.squirrel@www.arcoscom.com> <55635.10.1.1.10.1167946368.squirrel@www.arcoscom.com> <45A492AE.2030909@trash.net>
Message-ID: <60568.195.55.244.106.1168429233.squirrel@www.arcoscom.com>

The configuration is:
1) linux box with 2.6.19.1 kernel with these patches/modules:
   a) l7-filter
   b) multipath patch (from nano-howto)
   c) IMQ
   d) ipp2p
   e) connlimit
2) 4 ethernet interfaces:
   a) 2 external (eth1 and eth3) interfaces with balanced links (as described in nano-howto).
   b) 2 internal interfaces (eth0 and eth2) in bridge zlan0 with STP enabled and configured.
3) For tests I load manually ALL conntrack/nat kernel modules.

My first attempt (to allow the UPnP daemon to handle only 1 external iface) was to put eth1 and eth3 in a bridge without STP enabled, and the NAT was done only with -j MASQUERADE and appeared to work fine, but when I ran some amule clients on the network, the problem appeared within one day (after some weeks working without peer-to-peer software).

Then I broke the wan bridge and put each static external IP on its own iface, and the problem appeared too, in two days instead of 1 day.

My next step was to use SNAT instead of MASQUERADE, and the problem appeared 3 days after the change.

I always had multipath enabled along these described steps.

A production linux box with a 2.6.17.14 kernel and the same patches/modules, only 1 wan iface and 1 lan iface, and with the connlimit match enabled per host, is working fine with 100 more p2p traffic than the test machine (the linux box that has the dst cache overflow problem).

If you need more info about this to help me solve this problem, please tell me; I'll get all you need and put it here.

Thanks

On Wed, 10 January 2007, 8:15, Patrick McHardy wrote:
> ArcosCom Linux User wrote:
>> The log says:
>>
>> Dec 30 00:52:27 cura kernel: dst cache overflow
>> Dec 30 00:52:27 cura kernel: MASQUERADE: No route: Rusty's brain broke!
>> Dec 30 00:52:27 cura kernel: dst cache overflow
>> Dec 30 00:52:28 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
>> Dec 30 00:52:28 cura kernel: zlan0: topology change detected, propagating
>> Dec 30 00:52:28 cura kernel: dst cache overflow
>> Dec 30 00:52:30 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
>> Dec 30 00:52:30 cura kernel: zlan0: topology change detected, propagating
>> Dec 30 00:52:32 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
>> Dec 30 00:52:32 cura kernel: zlan0: topology change detected, propagating
>> Dec 30 00:52:32 cura kernel: printk: 15 messages suppressed.
>> Dec 30 00:52:32 cura kernel: dst cache overflow
>> Dec 30 00:52:34 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
>> Dec 30 00:52:34 cura kernel: zlan0: topology change detected, propagating
>> Dec 30 00:52:36 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
>> Dec 30 00:52:36 cura kernel: zlan0: topology change detected, propagating
>> Dec 30 00:52:37 cura kernel: printk: 40 messages suppressed.
>> Dec 30 00:52:37 cura kernel: dst cache overflow
>>
>> zlan0 is a bridge (with STP configured) between some LANs.
>>
>> Thanks
>>
>> P.S.: I'm a bit desperate with this error; I changed "MASQUERADE" to
>> "SNAT" with no sense. Some hours after the router is booted up, the network
>> appears to be UP but all ifaces have no responses.
>
>
> The MASQUERADE message is just an effect of the problem. Please describe
> your setup in more detail (what kind of devices, how are they connected,
> ebtables/iptables rules, routing, ...).
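The log quoted in this thread carries two separate symptoms: rate-limited "dst cache overflow" lines (the kernel could not allocate a route cache entry) and STP topology-change notices from the zlan0 bridge, with the MASQUERADE "No route" line being a downstream effect, as Patrick points out. The script below is an added example, not code from the thread or from netfilter: it parses kernel lines in the quoted syslog format, counts each symptom separately (treating the "printk: N messages suppressed" counts as an upper bound on hidden repeats, since printk rate limiting hides every rate-limited message, not only the overflow one), and flags route-cache exhaustion and a flapping bridge port. The sample input is the thread's own log lines re-typed as test data; the flapping threshold is an arbitrary value chosen for the example.

```python
"""Triage of "dst cache overflow" kernel log lines (added example, not from the thread)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List

# Constructed sample: the lines quoted in this thread, re-typed as test data.
SAMPLE_LOG = """\
Dec 30 00:52:27 cura kernel: dst cache overflow
Dec 30 00:52:27 cura kernel: MASQUERADE: No route: Rusty's brain broke!
Dec 30 00:52:27 cura kernel: dst cache overflow
Dec 30 00:52:28 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
Dec 30 00:52:28 cura kernel: zlan0: topology change detected, propagating
Dec 30 00:52:28 cura kernel: dst cache overflow
Dec 30 00:52:30 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
Dec 30 00:52:30 cura kernel: zlan0: topology change detected, propagating
Dec 30 00:52:32 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
Dec 30 00:52:32 cura kernel: zlan0: topology change detected, propagating
Dec 30 00:52:32 cura kernel: printk: 15 messages suppressed.
Dec 30 00:52:32 cura kernel: dst cache overflow
Dec 30 00:52:34 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
Dec 30 00:52:34 cura kernel: zlan0: topology change detected, propagating
Dec 30 00:52:36 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
Dec 30 00:52:36 cura kernel: zlan0: topology change detected, propagating
Dec 30 00:52:37 cura kernel: printk: 40 messages suppressed.
Dec 30 00:52:37 cura kernel: dst cache overflow
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host kernel: message"
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$")
TCN_RE = re.compile(r"^(?P<br>\S+): received tcn bpdu on port (?P<port>\d+)\((?P<dev>\S+)\)$")
SUPPRESSED_RE = re.compile(r"^printk: (?P<n>\d+) messages suppressed\.$")

# Hypothetical threshold chosen for this example, not a kernel default.
TCN_FLAP_THRESHOLD = 3


@dataclass
class Triage:
    host: str = ""
    first_ts: str = ""
    last_ts: str = ""
    overflow_seen: int = 0   # explicit "dst cache overflow" lines
    suppressed: int = 0      # sum of "printk: N messages suppressed" (upper bound on hidden repeats)
    no_route: int = 0        # MASQUERADE route-lookup failures (effect, not cause)
    tcn: Counter = field(default_factory=Counter)  # (bridge, port, dev) -> TCN BPDUs received
    unclassified: List[str] = field(default_factory=list)


def triage_kernel_log(text: str) -> Triage:
    """Classify each kernel line into one of the symptoms seen in the thread."""
    t = Triage()
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a kernel line in the expected format
        t.host = t.host or m["host"]
        t.first_ts = t.first_ts or m["ts"]
        t.last_ts = m["ts"]
        msg = m["msg"]
        if msg == "dst cache overflow":
            t.overflow_seen += 1
        elif msg.startswith("MASQUERADE: No route"):
            t.no_route += 1
        elif (s := SUPPRESSED_RE.match(msg)):
            # Rate limiting hides repeats of any rate-limited printk, so this is
            # an upper bound on hidden overflow lines, not an exact count.
            t.suppressed += int(s["n"])
        elif (b := TCN_RE.match(msg)):
            t.tcn[(b["br"], b["port"], b["dev"])] += 1
        elif msg.endswith("topology change detected, propagating"):
            pass  # always follows a TCN line; counted once above
        else:
            t.unclassified.append(msg)
    return t


def findings(t: Triage) -> List[str]:
    """Turn the counts into the short verdict an operator wants."""
    out = []
    if t.overflow_seen:
        out.append(f"{t.host}: route cache exhausted between {t.first_ts} and {t.last_ts}: "
                   f"{t.overflow_seen} overflow lines plus up to {t.suppressed} suppressed repeats")
    if t.no_route:
        out.append(f"{t.no_route} MASQUERADE route-lookup failure(s): a consequence of the "
                   f"exhausted route cache, not a NAT misconfiguration")
    for (br, port, dev), n in sorted(t.tcn.items()):
        if n >= TCN_FLAP_THRESHOLD:
            out.append(f"bridge {br} port {port} ({dev}) received {n} TCN BPDUs: "
                       f"STP topology flapping, investigate the attached segment separately")
    return out


if __name__ == "__main__":
    for finding in findings(triage_kernel_log(SAMPLE_LOG)):
        print(finding)
```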
>
>

From linux at arcoscom.com Wed Jan 10 14:15:02 2007
From: linux at arcoscom.com (ArcosCom Linux User)
Date: Wed Jan 10 15:58:04 2007
Subject: [LARTC] Opinions about pom/patches [was: iptables 1.3.7, kernel 2.6.19, ROUTE and Layer7 issues]
In-Reply-To:
References: <54905.84.123.236.132.1165866276.squirrel@www.arcoscom.com> <57631.195.55.244.106.1165911878.squirrel@www.arcoscom.com> <457E6997.1050001@trash.net> <36479.195.55.244.106.1165998665.squirrel@www.arcoscom.com> <457FBBFD.6060009@trash.net> <45A48087.8090200@trash.net>
Message-ID: <53212.195.55.244.106.1168434902.squirrel@www.arcoscom.com>

I think so; there are many old matches that are stable and that I have to apply many times when I update the kernel. If they were in the kernel and iptables (because they are now not as experimental as many months/years ago), these problems when new kernel and/or iptables releases come out would disappear very quickly.

I have a great headache now: I had to patch my kernel, patch iptables, and update iproute to allow "mark-and" operations for routing. Yes, I can adapt many things and forgo much routing/filtering functionality, but then my linux box will be useless for the purposes I deploy it for.

I have no problem with patching and upgrading things; my problem is that I have no time to do all these steps every time an important bug fix or improvement is released.

To allow compatibility with my installed distro (one in production and another in testing), I had to re-adapt the RPMs and modify the specs to put the patch there. Usually it is easy, but when netfilter changes its internal structs (of which I have no knowledge) I can't correct the patches and adapt them.

When I re-adapt RPMs, I can use them on my systems, and I think many users would want them for their systems and for the same purpose as me, and I don't know where I can send them to allow people to use them (perhaps I could make a simple webpage for that and an RPM repository, but I can't use my lines to allow the community to massively download the RPMs).
That is very one-off work that the community can't improve or maintain because they haven't got access.

Perhaps, when I finish the testing and all the problems I have in the testing environment are solved, I can make a good repository to allow the community to download and upload things, but now, I had time to make it.

The real problems of all these, I think, are:
1) That the time from when a fix/release goes out to when that change appears in the distro repositories is enough.
2) Another problem is when bugs are fixed in versions and that fix is not backported to prior versions, and distro maintainers have to backport the fix to preserve the stable state of the distro package (fewer features than the actual stable sources, but a stable system).
3) Another problem is that the patches for bugfixes are not public or easily accessible for normal users like me, and then I not only need to learn how to patch, make and upgrade (or rpm/deb build), I need to learn too how to extract the bugfix patch I need to solve one problem in my kernel/iptables/module/etc... version, what the developer lists are, subscribe, where the development sources that correct the problem are, how I can download the patch, etc...

I know that all these projects are different communities, but if all communities made some tasks easier for the end user, the users would learn more quickly how to contribute and work with the many projects and technologies.

I don't know how projects could make things easier, but, in the case of netfilter, some tables explaining what matches are included in the kernel (and from what version) would allow users to know what kernel version they can use for certain purposes. For example, I know h323 was added into the kernel at version 2.6.17, but the community appears to be working on the 2.6.16.x version to stabilize it and has backported many bugfixes from 2.6.19.x to 2.6.16.x.
I think the 2.6.16.x kernel is the most stable these days, but if I want the h323 conntrack modules I can't use pom-ng because h323 is not in pom-ng today, and if I use an old pom-ng, I know I will use a module with some bugs that were corrected in the 2.6.18.x kernel.

Have I explained a problem that many more users than me have?

Another example: somebody said on the lists that using "mark" would allow me to change routes by "mark value" or by "and-mark mask"; fine, that was to substitute for the ROUTE target. I think that is a correct solution but ... What are the implications?
1) I can't see any documentation in netfilter or iproute.
2) My distro doesn't update the packages; I have to do it manually.
3) When I have an updated iproute package, kernel package and iptables package, and I finish and test the configuration, I have the knowledge to write a little explanation/how-to to allow users to know how and not waste their time looking for the steps ... some hours after, I found a wiki, I need to register, etc.... When I finished all the needed steps to allow me to write a "more or less" public super-mini-howto, I forgot the steps and I, finally, don't write the info, because my systems are working for my purposes, I have my paper with my hand annotations and I need to continue working on more tasks.

Sorry for the big e-mail, but it is only my user opinion about these types of things. Sorry for my poor English.

Regards

On Wed, 10 January 2007, 12:53, Jan Engelhardt wrote:
>
> On Jan 10 2007 06:58, Patrick McHardy wrote:
>> Krzysztof Oledzki wrote:
>>>> It's still down, but the ROUTE patch is unmaintained anyway.
>>>
>>> How about the attached (and inlined) patch. BTW - is it possible to add a
>>> Kconfig entry after a specific text, like with Makefile.ladd?
>>>
>>> [POM-NG] ROUTE: 2.6.19 compatibility fix
>>>
>>> Make both IPv4 and IPv6 versions compatible with 2.6.19
>>
>>
>> Thanks Krzysztof, applied.
>>
>> I would prefer to have someone maintain it externally though.
>> Jan, are
>> you still interested in doing that? If you need help or webspace for
>> an external repository please let me know.
>
> I would give it a try. Though I would really prefer to have it in the
> kernel and iptables rather than pomng or pomng-external. In my
> opinion that simplifies maintainability. Changes in the netfilter API
> seem to be the most common reason for patching (someone changed the
> xt_match->match and xt_target->target signatures in 2.6.20 again!),
> and keeping out-of-tree modules compiling with kernel-du-jour can be
> an #ifdef pita. Then it's really preferable to have 2.6.18 have a
> xt_FOOBAR with netfilter-2.6.18 signatures, and 2.6.20 with
> netfilter-2.6.20. Especially since many people run distributions with
> RPM/DEBified iptables, so the POM `runme` will not be easy to
> accomplish for the casual user. (I currently do have that issue -
> after doing `svn up` on pomng, I have to manually move the changes to
> (my) kernel rpm and (my) iptables rpm, because the days of `make
> install` are GONE for me - at least I try.)
>
> I understand that POM does not require to compile with all
> kernels-of-the-last-three-months, but this also simplifies
> integration for end users. They do not need to backport/forward port
> indated/outdated out-of-tree modules and, at best, do not even need
> to recompile the kernel.
>
> Of course there are some modules that continue being out-of-tree
> because they would not fit in (imagine a 500K geoip.c with a
> compiled-in big string array). Not sure what to do about them.
> Perhaps do it like chaostables [2.6.18-2.6.20], trying to keep it
> working for a limited set of kernels.
>
> Oh well, that said, my ideal plan would be to get ROUTE TARPIT
> connlimit and u32 into mainline in one go, and perhaps, after review
> and discussion, chaostables and some of the others that live in
> Krzysztof's patchlet collection.
>
> Opinions, please?
> > > -`J' > -- > > From linux at arcoscom.com Wed Jan 10 13:16:28 2007 From: linux at arcoscom.com (ArcosCom Linux User) Date: Wed Jan 10 15:59:31 2007 Subject: [LARTC] Re: dst cache overflow In-Reply-To: <45A492AE.2030909@trash.net> References: <60665.10.1.1.10.1167776653.squirrel@www.arcoscom.com> <55635.10.1.1.10.1167946368.squirrel@www.arcoscom.com> <45A492AE.2030909@trash.net> Message-ID: <43702.195.55.244.106.1168431388.squirrel@www.arcoscom.com> The configuration is: 1) linux box with 2.6.19.1 kernel with these patches/modules: a) l7-filter b) multipath patch (from nano-howto) c) IMQ d) ipp2p e) connlimit 2) 4 ethernet interfaces: a) 2 external (eth1 and eth3) interfaces with balanced links (as described in nato-howto). b) 2 internal ineterfaces (eth0 and eth2) in bridge zlan0 with STP enabled and configured. 3) For tests I load manually ALL conntrack/nat kernel modules. My first attempt (to allow UPnP daemon to handle only 1 external iface) where put eth1 and eth3 in a bridge without STP enabled and the NAT were done only with -j MASQUERADE and appeared to work fine, but when I run some amule clients along the network, the problem appear in one day (after some weeks working without peers to peers software). Then I broke the wan bridge and put each static external IP into their iface, and the problem appears too in two days instead 1 day. My next step were use SNAT instead MASQUERADE and the problem appears 3 days after the change. Always I had the multipath enableded along these described steps. A production linux box with 2.6.17.14 kernel and the same patches/modules and only 1 wan iface and 1 lan iface and with connlimit match enabled by host is working fine with 100 more p2p traffic than the test machine (the linux box that has de dst cache overflow problem). If you need more info about this to help me in solve this problem, please, say me, I'll get all you need and put here. 
Thanks El Mie, 10 de Enero de 2007, 8:15, Patrick McHardy escribi?: > ArcosCom Linux User wrote: >> The log says: >> >> Dec 30 00:52:27 cura kernel: dst cache overflow >> Dec 30 00:52:27 cura kernel: MASQUERADE: No route: Rusty's brain broke! >> Dec 30 00:52:27 cura kernel: dst cache overflow >> Dec 30 00:52:28 cura kernel: zlan0: received tcn bpdu on port 1(eth0) >> Dec 30 00:52:28 cura kernel: zlan0: topology change detected, >> propagating >> Dec 30 00:52:28 cura kernel: dst cache overflow >> Dec 30 00:52:30 cura kernel: zlan0: received tcn bpdu on port 1(eth0) >> Dec 30 00:52:30 cura kernel: zlan0: topology change detected, >> propagating >> Dec 30 00:52:32 cura kernel: zlan0: received tcn bpdu on port 1(eth0) >> Dec 30 00:52:32 cura kernel: zlan0: topology change detected, >> propagating >> Dec 30 00:52:32 cura kernel: printk: 15 messages suppressed. >> Dec 30 00:52:32 cura kernel: dst cache overflow >> Dec 30 00:52:34 cura kernel: zlan0: received tcn bpdu on port 1(eth0) >> Dec 30 00:52:34 cura kernel: zlan0: topology change detected, >> propagating >> Dec 30 00:52:36 cura kernel: zlan0: received tcn bpdu on port 1(eth0) >> Dec 30 00:52:36 cura kernel: zlan0: topology change detected, >> propagating >> Dec 30 00:52:37 cura kernel: printk: 40 messages suppressed. >> Dec 30 00:52:37 cura kernel: dst cache overflow >> >> zlan0 is a bridge (with STP configured) between some LANs. >> >> Thanks >> >> P.D.: I'm a bit desesperated with this error, I changed "MASQUERADE" >> with >> "SNAT" with no sense. Some hours after router is booted up, the network >> appears to be UP but all ifaces haven't responses. > > > The MASQUERADE message is just an effect of the problem. Please describe > your setup in more detail (what kind of devices, how are they connected, > ebtables/iptables rules, routing, ...). 
> > From linux at arcoscom.com Wed Jan 10 14:17:40 2007 From: linux at arcoscom.com (ArcosCom Linux User) Date: Wed Jan 10 16:00:44 2007 Subject: [LARTC] Re: dst cache overflow In-Reply-To: <45A492AE.2030909@trash.net> References: <60665.10.1.1.10.1167776653.squirrel@www.arcoscom.com> <55635.10.1.1.10.1167946368.squirrel@www.arcoscom.com> <45A492AE.2030909@trash.net> Message-ID: <53385.195.55.244.106.1168435060.squirrel@www.arcoscom.com> The configuration is: 1) linux box with 2.6.19.1 kernel with these patches/modules: a) l7-filter b) multipath patch (from nano-howto) c) IMQ d) ipp2p e) connlimit 2) 4 ethernet interfaces: a) 2 external (eth1 and eth3) interfaces with balanced links (as described in nato-howto). b) 2 internal ineterfaces (eth0 and eth2) in bridge zlan0 with STP enabled and configured. 3) For tests I load manually ALL conntrack/nat kernel modules. My first attempt (to allow UPnP daemon to handle only 1 external iface) where put eth1 and eth3 in a bridge without STP enabled and the NAT were done only with -j MASQUERADE and appeared to work fine, but when I run some amule clients along the network, the problem appear in one day (after some weeks working without peers to peers software). Then I broke the wan bridge and put each static external IP into their iface, and the problem appears too in two days instead 1 day. My next step were use SNAT instead MASQUERADE and the problem appears 3 days after the change. Always I had the multipath enableded along these described steps. A production linux box with 2.6.17.14 kernel and the same patches/modules and only 1 wan iface and 1 lan iface and with connlimit match enabled by host is working fine with 100 more p2p traffic than the test machine (the linux box that has de dst cache overflow problem). If you need more info about this to help me in solve this problem, please, say me, I'll get all you need and put here. 
Thanks El Mie, 10 de Enero de 2007, 8:15, Patrick McHardy escribi?: > ArcosCom Linux User wrote: >> The log says: >> >> Dec 30 00:52:27 cura kernel: dst cache overflow >> Dec 30 00:52:27 cura kernel: MASQUERADE: No route: Rusty's brain broke! >> Dec 30 00:52:27 cura kernel: dst cache overflow >> Dec 30 00:52:28 cura kernel: zlan0: received tcn bpdu on port 1(eth0) >> Dec 30 00:52:28 cura kernel: zlan0: topology change detected, >> propagating >> Dec 30 00:52:28 cura kernel: dst cache overflow >> Dec 30 00:52:30 cura kernel: zlan0: received tcn bpdu on port 1(eth0) >> Dec 30 00:52:30 cura kernel: zlan0: topology change detected, >> propagating >> Dec 30 00:52:32 cura kernel: zlan0: received tcn bpdu on port 1(eth0) >> Dec 30 00:52:32 cura kernel: zlan0: topology change detected, >> propagating >> Dec 30 00:52:32 cura kernel: printk: 15 messages suppressed. >> Dec 30 00:52:32 cura kernel: dst cache overflow >> Dec 30 00:52:34 cura kernel: zlan0: received tcn bpdu on port 1(eth0) >> Dec 30 00:52:34 cura kernel: zlan0: topology change detected, >> propagating >> Dec 30 00:52:36 cura kernel: zlan0: received tcn bpdu on port 1(eth0) >> Dec 30 00:52:36 cura kernel: zlan0: topology change detected, >> propagating >> Dec 30 00:52:37 cura kernel: printk: 40 messages suppressed. >> Dec 30 00:52:37 cura kernel: dst cache overflow >> >> zlan0 is a bridge (with STP configured) between some LANs. >> >> Thanks >> >> P.D.: I'm a bit desesperated with this error, I changed "MASQUERADE" >> with >> "SNAT" with no sense. Some hours after router is booted up, the network >> appears to be UP but all ifaces haven't responses. > > > The MASQUERADE message is just an effect of the problem. Please describe > your setup in more detail (what kind of devices, how are they connected, > ebtables/iptables rules, routing, ...). 
> > From linux at arcoscom.com Wed Jan 10 14:21:15 2007 From: linux at arcoscom.com (ArcosCom Linux User) Date: Wed Jan 10 16:04:22 2007 Subject: [LARTC] Opinions about pom/patches [was: iptables 1.3.7, kernel 2.6.19, ROUTE and Layer7 issues] In-Reply-To: References: <54905.84.123.236.132.1165866276.squirrel@www.arcoscom.com> <57631.195.55.244.106.1165911878.squirrel@www.arcoscom.com> <457E6997.1050001@trash.net> <36479.195.55.244.106.1165998665.squirrel@www.arcoscom.com> <457FBBFD.6060009@trash.net> <45A48087.8090200@trash.net> Message-ID: <54696.195.55.244.106.1168435275.squirrel@www.arcoscom.com> I think so, there are many old matches that are stables and I have to apply many times when I update the kernel. If they where into kernel and iptables (because they are now not as experimental than many months/years ago) these problem when new kernel releases and/or iptables releases disapears very quickly. I have a great headache now, I had to patch my kernel, patch iptables, update iproute to allow "mark-and" operations for routing. Yes, I can adapt many thinks and forgot many routing/filtering functionality, but then, my linux box will be useless for the purposes I deploy it. I have no problem in patch and upgrade thinks, my problem is that I have no time to do all these steps every any important bug, improvement is released. To allow compatibility with my installed distro (one in production and another in testing), I had to readapt the RPM's and modify specs to put there the patch. Usually is easy, but when netfilter changes its internals structs (that I have no knoledgement) I can't correct the patches and adapt them. When I readapt RPM's, I can use them into my systems, and I think many users should want them for their systems and the same purpose as me and I don't know where I can send them to allow people to use them (perhaps I make a simple webpage for that and a RPM repository, but I can't use my lines to allow comunity to massive download the rpm's). 
Too punctual work that comunity can't improve or maintain because they hasn't got access. Perhaps, when I finish the testing and all the problems I have got in testing environtment were solved, I can make a good repository to allow community to download and upload thinks, but now, I had time to make it. The real problems of all these, I think, are : 1) That the time from a fix/release goes out to that change appears into the distro repositories are enought. 2) Another problem is when there are bugs are fixed in versios and that fix is not backported to prior versions and distros mainteneers have to backport the fix to preserve stable state of the distro package (less features than actual stable sources, but stable system). 3) Another problem is that the patches for bugfixes are not public or easy accesible for normal users as me, and then I not only need to learn how to patch, make and upgrade (or rpm/deb build), I need to learn too how to extract the bugfix patch I need to solve one problem in my kernel/iptables/module/etc... version, what are the developer list, subscribe, where are the development sources that correct the problem, how I can download the patch, etc... I know that all these project are diferent communities, but if all comunities make more easy to the end user some tasks, the users learns more quickly how to contribute and work with the many projects and tecknologies. Don't know how projects could make the thinks easy, but, in case of netfilter, some tables explaining what matches are included in kernel (and from what version) allow users to know what kernel version can use for certain purposes. For example, I know h323 where added into kernel at 2.6.17 kernel version, but the community appears to be working into 2.6.16.x version to stabilize it and and backported many bugfixes from 2.6.19.x to 2.6.16.x. 
I think 2.6.16.x kernel is the more stable at these days, but if I want h323 conntrack modules I can't use pom-ńg because h323 is not in pom-ng today, and if I use old pom-ng, I know I will use a module with some bugs corrected in 2.6.18.x kernel. Do I explained a problem that have many users than me? Another example, some body say in the lists that using "mark" will allow me to change routes by "mark value" or by "and-mark mask", fine, that were to substitute ROUTE tarjet. I think that is a correct solution but ... What are the implications? 1) I can't see any documentation in netfilter or iproute. 2) My distro don't update the packages, I have to do it manually. 3) When I have an updated iproute package, kernel package, iptables package and I finish and test the configuration, I have the knowledte to write a little explanation/how-to to allow users to know how and don't waste their time looking for the steps ... some hours after I found a wiki, I need to register, etc.... When I finished all the needed steps to allow me to write a "more or less" public super-mini-howto I forgot the steps and I, finally, don't write the info, because my systems are working for my purposes, I have my paper with my hand annotations and I need to continue working in more tasks. Sorry for the big e-mail, but it is only my user opinion about these type o things. Sorry for my poor english. Regards El Mie, 10 de Enero de 2007, 12:53, Jan Engelhardt escribi?: > On Jan 10 2007 06:58, Patrick McHardy wrote: >>Krzysztof Oledzki wrote: >>>> Its still down, but the ROUTE patch is unmaintained anyway. >>> How about attached (and inlined) patch. BTW - is it possible to add a Kconfig entry after a specific text, like with Makefile.ladd? >>> [POM-NG] ROUTE: 2.6.19 compatibility fix >>> Make both IPv4 and IPv6 versions compatible with 2.6.19 >>Thanks Krzysztof, applied. >>I would prefer to have someone maintain it externally though. Jan, are you still interested in doing that? 
>> If you need help or webspace for an external repository please let me know.
>
> I would give it a try. Though I would really prefer to have it in the
> kernel and iptables rather than pomng or pomng-external. In my opinion
> that simplifies maintainability. Changes in the netfilter API seem to be
> the most common reason for patching (someone changed the xt_match->match
> and xt_target->target signatures in 2.6.20 again!), and keeping
> out-of-tree modules compiling with kernel-du-jour can be an #ifdef pita.
> Then it's really preferable to have 2.6.18 have a xt_FOOBAR with
> netfilter-2.6.18 signatures, and 2.6.20 with netfilter-2.6.20.
> Especially since many people run distributions with RPM/DEBified
> iptables, so the POM `runme` will not be easy to accomplish for the
> casual user. (I currently do have that issue - after doing `svn up` on
> pomng, I have to manually move the changes to (my) kernel rpm and (my)
> iptables rpm, because the days of `make install` are GONE for me - at
> least I try.)
>
> I understand that POM does not require to compile with all
> kernels-of-the-last-three-months, but this also simplifies integration
> for end users. They do not need to backport/forward port
> indated/outdated out-of-tree modules and, at best, do not even need to
> recompile the kernel.
>
> Of course there are some modules that continue being out-of-tree because
> they would not fit in (imagine a 500K geoip.c with a compiled-in big
> string array). Not sure what to do about them.
> Perhaps do it like chaostables [2.6.18-2.6.20], trying to keep it
> working for a limited set of kernels.
>
> Oh well, that said, my ideal plan would be to get ROUTE TARPIT connlimit
> and u32 into mainline in one go, and perhaps, after review and
> discussion, chaostables and some of the others that live in Krzysztof's
> patchlet collection.
>
> Opinions, please?
> -`J'
> --

From linux at arcoscom.com Wed Jan 10 14:20:39 2007
From: linux at arcoscom.com (ArcosCom Linux User)
Date: Wed Jan 10 16:06:24 2007
Subject: [LARTC] Re: dst cache overflow
In-Reply-To: <45A492AE.2030909@trash.net>
References: <60665.10.1.1.10.1167776653.squirrel@www.arcoscom.com> <55635.10.1.1.10.1167946368.squirrel@www.arcoscom.com> <45A492AE.2030909@trash.net>
Message-ID: <54528.195.55.244.106.1168435239.squirrel@www.arcoscom.com>

The configuration is:

1) linux box with 2.6.19.1 kernel with these patches/modules:
   a) l7-filter
   b) multipath patch (from nano-howto)
   c) IMQ
   d) ipp2p
   e) connlimit
2) 4 ethernet interfaces:
   a) 2 external (eth1 and eth3) interfaces with balanced links (as described in nano-howto).
   b) 2 internal interfaces (eth0 and eth2) in bridge zlan0 with STP enabled and configured.
3) For tests I load manually ALL conntrack/nat kernel modules.

My first attempt (to allow the UPnP daemon to handle only 1 external iface) was to put eth1 and eth3 in a bridge without STP enabled, and the NAT was done only with -j MASQUERADE and appeared to work fine, but when I ran some amule clients on the network, the problem appeared in one day (after some weeks working without peer-to-peer software).

Then I broke the wan bridge and put each static external IP on its own iface, and the problem appeared too, in two days instead of 1 day.

My next step was to use SNAT instead of MASQUERADE, and the problem appeared 3 days after the change.

I always had multipath enabled along these described steps.

A production linux box with a 2.6.17.14 kernel and the same patches/modules and only 1 wan iface and 1 lan iface, and with the connlimit match enabled by host, is working fine with 100 times more p2p traffic than the test machine (the linux box that has the dst cache overflow problem).

If you need more info about this to help me solve this problem, please tell me; I'll get all you need and put it here.
Thanks

On Wed, 10 January 2007, 8:15, Patrick McHardy wrote:
> ArcosCom Linux User wrote:
>> The log says:
>> Dec 30 00:52:27 cura kernel: dst cache overflow
>> Dec 30 00:52:27 cura kernel: MASQUERADE: No route: Rusty's brain broke!
>> Dec 30 00:52:27 cura kernel: dst cache overflow
>> Dec 30 00:52:28 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
>> Dec 30 00:52:28 cura kernel: zlan0: topology change detected, propagating
>> Dec 30 00:52:28 cura kernel: dst cache overflow
>> Dec 30 00:52:30 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
>> Dec 30 00:52:30 cura kernel: zlan0: topology change detected, propagating
>> Dec 30 00:52:32 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
>> Dec 30 00:52:32 cura kernel: zlan0: topology change detected, propagating
>> Dec 30 00:52:32 cura kernel: printk: 15 messages suppressed.
>> Dec 30 00:52:32 cura kernel: dst cache overflow
>> Dec 30 00:52:34 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
>> Dec 30 00:52:34 cura kernel: zlan0: topology change detected, propagating
>> Dec 30 00:52:36 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
>> Dec 30 00:52:36 cura kernel: zlan0: topology change detected, propagating
>> Dec 30 00:52:37 cura kernel: printk: 40 messages suppressed.
>> Dec 30 00:52:37 cura kernel: dst cache overflow
>>
>> zlan0 is a bridge (with STP configured) between some LANs.
>>
>> Thanks
>>
>> P.D.: I'm a bit desperate with this error, I changed "MASQUERADE" with
>> "SNAT" with no sense. Some hours after the router is booted up, the network
>> appears to be UP but all ifaces have no responses.
>
> The MASQUERADE message is just an effect of the problem. Please describe
> your setup in more detail (what kind of devices, how are they connected,
> ebtables/iptables rules, routing, ...).
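Added example for the "dst cache overflow" thread (my code, not from any list participant): a Python detector that parses kernel log lines in the format quoted above, tallies the "dst cache overflow", printk-suppression and STP topology-change messages, and turns the per-minute rates into alerts. The sample log is the one quoted in the thread; the alert thresholds, and the assumption that suppressed messages are repeats of the overflow line, are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample input: the kernel log lines quoted in this thread (pasted here as test data).
SAMPLE_LOG = """\
Dec 30 00:52:27 cura kernel: dst cache overflow
Dec 30 00:52:27 cura kernel: MASQUERADE: No route: Rusty's brain broke!
Dec 30 00:52:27 cura kernel: dst cache overflow
Dec 30 00:52:28 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
Dec 30 00:52:28 cura kernel: zlan0: topology change detected, propagating
Dec 30 00:52:28 cura kernel: dst cache overflow
Dec 30 00:52:30 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
Dec 30 00:52:30 cura kernel: zlan0: topology change detected, propagating
Dec 30 00:52:32 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
Dec 30 00:52:32 cura kernel: zlan0: topology change detected, propagating
Dec 30 00:52:32 cura kernel: printk: 15 messages suppressed.
Dec 30 00:52:32 cura kernel: dst cache overflow
Dec 30 00:52:34 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
Dec 30 00:52:34 cura kernel: zlan0: topology change detected, propagating
Dec 30 00:52:36 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
Dec 30 00:52:36 cura kernel: zlan0: topology change detected, propagating
Dec 30 00:52:37 cura kernel: printk: 40 messages suppressed.
Dec 30 00:52:37 cura kernel: dst cache overflow
"""

# Classic syslog line as pasted in the thread: "Mon DD HH:MM:SS host kernel: message".
SYSLOG_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} (?P<time>\d{2}:\d{2}:\d{2}) \S+ kernel: (?P<msg>.*)$")
SUPPRESSED_RE = re.compile(r"^printk: (\d+) messages suppressed\.?$")
TCN_RE = re.compile(r"^(?P<bridge>\S+): received tcn bpdu on port (?P<port>\S+)$")
TOPOLOGY_RE = re.compile(r"^(?P<bridge>\S+): topology change detected")


@dataclass
class KernelLogReport:
    overflow: int = 0      # "dst cache overflow" lines that reached the log
    no_route: int = 0      # "MASQUERADE: No route" lines (a symptom, not the cause)
    suppressed: int = 0    # messages dropped by printk rate limiting
    topology_changes: Dict[str, int] = field(default_factory=dict)         # bridge -> count
    tcn_by_port: Dict[Tuple[str, str], int] = field(default_factory=dict)  # (bridge, port) -> count
    first_time: Optional[str] = None
    last_time: Optional[str] = None
    unparsed: int = 0      # non-empty lines that did not look like kernel syslog lines


def analyse(log_text: str) -> KernelLogReport:
    """Walk the log once and tally the events the thread is about."""
    rep = KernelLogReport()
    for raw in log_text.splitlines():
        m = SYSLOG_RE.match(raw.strip())
        if not m:
            rep.unparsed += 1 if raw.strip() else 0
            continue
        msg = m.group("msg")
        rep.first_time = rep.first_time or m.group("time")
        rep.last_time = m.group("time")
        if msg == "dst cache overflow":
            rep.overflow += 1
        elif msg.startswith("MASQUERADE: No route"):
            rep.no_route += 1
        elif (s := SUPPRESSED_RE.match(msg)):
            rep.suppressed += int(s.group(1))
        elif (t := TCN_RE.match(msg)):
            key = (t.group("bridge"), t.group("port"))
            rep.tcn_by_port[key] = rep.tcn_by_port.get(key, 0) + 1
        elif (tc := TOPOLOGY_RE.match(msg)):
            bridge = tc.group("bridge")
            rep.topology_changes[bridge] = rep.topology_changes.get(bridge, 0) + 1
    return rep


def span_seconds(rep: KernelLogReport) -> int:
    """Wall-clock seconds between the first and last parsed line (0 if none)."""
    if rep.first_time is None or rep.last_time is None:
        return 0

    def secs(hhmmss: str) -> int:
        h, m, s = (int(x) for x in hhmmss.split(":"))
        return h * 3600 + m * 60 + s

    return secs(rep.last_time) - secs(rep.first_time)


def alerts(rep: KernelLogReport, overflow_per_min: float = 60.0,
           tcn_per_min: float = 10.0) -> List[str]:
    """Turn the tallies into alerts; the thresholds are constructed defaults."""
    out: List[str] = []
    minutes = max(span_seconds(rep), 1) / 60.0
    # Assumption: the rate-limited messages were repeats of the overflow line, so count them too.
    overflow_rate = (rep.overflow + rep.suppressed) / minutes
    if overflow_rate >= overflow_per_min:
        out.append(f"route cache exhaustion: ~{overflow_rate:.0f} overflow events/min "
                   f"({rep.overflow} logged, {rep.suppressed} suppressed)")
    for (bridge, port), n in sorted(rep.tcn_by_port.items()):
        if n / minutes >= tcn_per_min:
            out.append(f"STP topology-change storm on {bridge} port {port}: "
                       f"{n} TCN BPDUs in {span_seconds(rep)}s")
    return out
```

Running alerts(analyse(SAMPLE_LOG)) on the quoted log returns two alerts: one for the overflow rate (5 logged plus 55 suppressed messages in 10 seconds) and one for the TCN BPDUs on zlan0 port 1(eth0).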
From hawk at diku.dk Wed Jan 10 16:01:17 2007
From: hawk at diku.dk (Jesper Dangaard Brouer)
Date: Wed Jan 10 16:15:54 2007
Subject: [LARTC] Re: dst cache overflow
In-Reply-To: <54528.195.55.244.106.1168435239.squirrel@www.arcoscom.com>
References: <60665.10.1.1.10.1167776653.squirrel@www.arcoscom.com> <55635.10.1.1.10.1167946368.squirrel@www.arcoscom.com> <45A492AE.2030909@trash.net> <54528.195.55.244.106.1168435239.squirrel@www.arcoscom.com>
Message-ID:

On Wed, 10 Jan 2007, ArcosCom Linux User wrote:
> On Wed, 10 January 2007, 8:15, Patrick McHardy wrote:
>> ArcosCom Linux User wrote:
>>> The log says:
>>> Dec 30 00:52:27 cura kernel: dst cache overflow

The log message "dst cache overflow" is normally related to overflow of the route cache. The max_size of the route cache can be adjusted through /proc/sys/net/ipv4/route/max_size.

What are your settings in /proc/sys/net/ipv4/route/?

Run command:
grep . /proc/sys/net/ipv4/route/*

Regards
Jesper Brouer

--
-------------------------------------------------------------------
MSc. Master of Computer Science
Dept. of Computer Science, University of Copenhagen
Author of http://www.adsl-optimizer.dk
-------------------------------------------------------------------

From linux at arcoscom.com Wed Jan 10 12:33:09 2007
From: linux at arcoscom.com (ArcosCom Linux User)
Date: Wed Jan 10 16:29:29 2007
Subject: [LARTC] Re: dst cache overflow
In-Reply-To: <45A492AE.2030909@trash.net>
References: <60665.10.1.1.10.1167776653.squirrel@www.arcoscom.com> <55635.10.1.1.10.1167946368.squirrel@www.arcoscom.com> <45A492AE.2030909@trash.net>
Message-ID: <59046.195.55.244.106.1168428789.squirrel@www.arcoscom.com>

The configuration is:

1) linux box with 2.6.19.1 kernel with these patches/modules:
   a) l7-filter
   b) multipath patch (from nano-howto)
   c) IMQ
   d) ipp2p
   e) connlimit
2) 4 ethernet interfaces:
   a) 2 external (eth1 and eth3) interfaces with balanced links (as described in nano-howto).
   b) 2 internal interfaces (eth0 and eth2) in bridge zlan0 with STP enabled and configured.
3) For tests I load manually ALL conntrack/nat kernel modules.

My first attempt (to allow the UPnP daemon to handle only 1 external iface) was to put eth1 and eth3 in a bridge without STP enabled, and the NAT was done only with -j MASQUERADE and appeared to work fine, but when I ran some amule clients on the network, the problem appeared in one day (after some weeks working without peer-to-peer software).

Then I broke the wan bridge and put each static external IP on its own iface, and the problem appeared too, in two days instead of 1 day.

My next step was to use SNAT instead of MASQUERADE, and the problem appeared 3 days after the change.

I always had multipath enabled along these described steps.

A production linux box with a 2.6.17.14 kernel and the same patches/modules and only 1 wan iface and 1 lan iface, and with the connlimit match enabled by host, is working fine with 100 times more p2p traffic than the test machine (the linux box that has the dst cache overflow problem).

If you need more info about this to help me solve this problem, please tell me; I'll get all you need and put it here.

Thanks

On Wed, 10 January 2007, 8:15, Patrick McHardy wrote:
> ArcosCom Linux User wrote:
>> The log says:
>>
>> Dec 30 00:52:27 cura kernel: dst cache overflow
>> Dec 30 00:52:27 cura kernel: MASQUERADE: No route: Rusty's brain broke!
>> Dec 30 00:52:27 cura kernel: dst cache overflow
>> Dec 30 00:52:28 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
>> Dec 30 00:52:28 cura kernel: zlan0: topology change detected, propagating
>> Dec 30 00:52:28 cura kernel: dst cache overflow
>> Dec 30 00:52:30 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
>> Dec 30 00:52:30 cura kernel: zlan0: topology change detected, propagating
>> Dec 30 00:52:32 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
>> Dec 30 00:52:32 cura kernel: zlan0: topology change detected, propagating
>> Dec 30 00:52:32 cura kernel: printk: 15 messages suppressed.
>> Dec 30 00:52:32 cura kernel: dst cache overflow
>> Dec 30 00:52:34 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
>> Dec 30 00:52:34 cura kernel: zlan0: topology change detected, propagating
>> Dec 30 00:52:36 cura kernel: zlan0: received tcn bpdu on port 1(eth0)
>> Dec 30 00:52:36 cura kernel: zlan0: topology change detected, propagating
>> Dec 30 00:52:37 cura kernel: printk: 40 messages suppressed.
>> Dec 30 00:52:37 cura kernel: dst cache overflow
>>
>> zlan0 is a bridge (with STP configured) between some LANs.
>>
>> Thanks
>>
>> P.D.: I'm a bit desperate with this error, I changed "MASQUERADE"
>> with "SNAT" with no sense. Some hours after the router is booted up, the network
>> appears to be UP but all ifaces have no responses.
>
>
> The MASQUERADE message is just an effect of the problem. Please describe
> your setup in more detail (what kind of devices, how are they connected,
> ebtables/iptables rules, routing, ...).
>
>

From linux at arcoscom.com Wed Jan 10 17:01:44 2007
From: linux at arcoscom.com (ArcosCom Linux User)
Date: Wed Jan 10 16:58:05 2007
Subject: [LARTC] Re: dst cache overflow
In-Reply-To:
References: <60665.10.1.1.10.1167776653.squirrel@www.arcoscom.com> <55635.10.1.1.10.1167946368.squirrel@www.arcoscom.com> <45A492AE.2030909@trash.net> <54528.195.55.244.106.1168435239.squirrel@www.arcoscom.com>
Message-ID: <34737.84.123.236.132.1168444904.squirrel@www.arcoscom.com>

Here they are:

# grep . /proc/sys/net/ipv4/route/*
/proc/sys/net/ipv4/route/error_burst:5000
/proc/sys/net/ipv4/route/error_cost:1000
grep: /proc/sys/net/ipv4/route/flush: Operación no permitida
/proc/sys/net/ipv4/route/gc_elasticity:8
/proc/sys/net/ipv4/route/gc_interval:60
/proc/sys/net/ipv4/route/gc_min_interval:0
/proc/sys/net/ipv4/route/gc_min_interval_ms:500
/proc/sys/net/ipv4/route/gc_thresh:32768
/proc/sys/net/ipv4/route/gc_timeout:300
/proc/sys/net/ipv4/route/max_delay:10
/proc/sys/net/ipv4/route/max_size:524288
/proc/sys/net/ipv4/route/min_adv_mss:256
/proc/sys/net/ipv4/route/min_delay:2
/proc/sys/net/ipv4/route/min_pmtu:552
/proc/sys/net/ipv4/route/mtu_expires:600
/proc/sys/net/ipv4/route/redirect_load:20
/proc/sys/net/ipv4/route/redirect_number:9
/proc/sys/net/ipv4/route/redirect_silence:20480
/proc/sys/net/ipv4/route/secret_interval:600

On Wed, 10 January 2007, 16:01, Jesper Dangaard Brouer wrote:
>
>
> On Wed, 10 Jan 2007, ArcosCom Linux User wrote:
>
>> On Wed, 10 January 2007, 8:15, Patrick McHardy wrote:
>>> ArcosCom Linux User wrote:
>>>> The log says:
>>>> Dec 30 00:52:27 cura kernel: dst cache overflow
>
> The log message "dst cache overflow" is normally related to overflow of
> the route cache. The max_size of the route cache can be adjusted through
> /proc/sys/net/ipv4/route/max_size.
>
> What are your settings in /proc/sys/net/ipv4/route/?
>
> Run command:
> grep . /proc/sys/net/ipv4/route/*
>
> Regards
> Jesper Brouer
>
> --
> -------------------------------------------------------------------
> MSc. Master of Computer Science
> Dept. of Computer Science, University of Copenhagen
> Author of http://www.adsl-optimizer.dk
> -------------------------------------------------------------------

From Jon.J.Flechsenhaar at boeing.com Wed Jan 10 17:52:50 2007
From: Jon.J.Flechsenhaar at boeing.com (Flechsenhaar, Jon J)
Date: Wed Jan 10 17:52:58 2007
Subject: [LARTC] RSVP source code
Message-ID: <0E24ED2A7F9AA349A8633E6A56A64BE0027A818E@XCH-SW-2V1.sw.nos.boeing.com>

All:

I'm trying to get RSVP running on a Linux machine. The machine is currently Fedora. I have read RFC 2205. Does anyone know where I can get the RSVP source code to install on the machine? Or does anyone know of some documentation that might help in doing this?

Thanks,

Jon Flechsenhaar
Boeing WNW Team
Network Services
(714)-762-1231
202-E7

From t.luettgert at pressestimmen.de Wed Jan 10 19:32:05 2007
From: t.luettgert at pressestimmen.de (Torsten Luettgert)
Date: Wed Jan 10 19:32:12 2007
Subject: [LARTC] Re: dst cache overflow
In-Reply-To: <54528.195.55.244.106.1168435239.squirrel@www.arcoscom.com>
References: <60665.10.1.1.10.1167776653.squirrel@www.arcoscom.com> <55635.10.1.1.10.1167946368.squirrel@www.arcoscom.com> <45A492AE.2030909@trash.net> <54528.195.55.244.106.1168435239.squirrel@www.arcoscom.com>
Message-ID: <1168453925.2787.13.camel@sokrates.cff>

On Wed, 2007-01-10 at 14:20 +0100, ArcosCom Linux User wrote:
> The configuration is:
> 1) linux box with 2.6.19.1 kernel with these patches/modules:
> a) l7-filter
> b) multipath patch (from nano-howto)
> c) IMQ

That's interesting - how did you get IMQ into 2.6.19.1? Afaik, the most recent patch is for 2.6.17, and there were some rejects if you try to patch it into 2.6.19.
Regards,
Torsten

From badis.tebbani at gmail.com Wed Jan 10 19:47:42 2007
From: badis.tebbani at gmail.com (TEBBANI BADIS)
Date: Wed Jan 10 19:47:46 2007
Subject: [LARTC] Wireless LAN
Message-ID:

Hello,

I am afraid I am posting in an inappropriate forum. I am a novice in traffic control (TC) with Linux. I have an R&D project and I should apply a lot of QoS mechanisms in a wireless environment!

I have an access point which is linked to a PC and three laptops. The PC plays the role of a controller. All traffic must traverse through it. I have configured the AP to only play the role of a forwarder. The tables are configured also and all traffic passes through the PC.

My problem is how I can (begin to) use TC in order to differentiate wireless users? Have you examples? Good tutorials?

Thanks!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070110/9fa1bddb/attachment.html

From hawk at diku.dk Wed Jan 10 20:40:31 2007
From: hawk at diku.dk (Jesper Dangaard Brouer)
Date: Wed Jan 10 21:00:20 2007
Subject: [LARTC] Re: dst cache overflow
In-Reply-To: <34737.84.123.236.132.1168444904.squirrel@www.arcoscom.com>
References: <60665.10.1.1.10.1167776653.squirrel@www.arcoscom.com> <55635.10.1.1.10.1167946368.squirrel@www.arcoscom.com> <45A492AE.2030909@trash.net> <54528.195.55.244.106.1168435239.squirrel@www.arcoscom.com> <34737.84.123.236.132.1168444904.squirrel@www.arcoscom.com>
Message-ID:

The values look reasonable; garbage collection starts (gc_thresh:32768) fairly early, but I often see that the GC cannot keep up.

The maximum size of the route cache max_size=524288 is okay, but it depends on the usage pattern. On my production systems I have increased max_size to 2 million, to keep up!

Another interesting value is secret_interval:600, which is the interval at which the route cache is flushed, in seconds, that is 10 minutes.

524288/600 = 873 packets/sec to new destinations.
You should realize that filling the route cache in 10 minutes can happen, as it only requires 873 packets/sec to new destinations.

What to do next:

Monitor the route cache, to see what's actually happening. The route cache counters are located in /proc/net/stat/rt_cache, but they are not very human readable. Use the tool "rtstat" to monitor the route cache.

The rtstat tool can be downloaded from Robert's site:
ftp://robur.slu.se/pub/Linux/net-development/rt_cache_stat

Cheers,
Jesper Brouer

--
-------------------------------------------------------------------
MSc. Master of Computer Science
Dept. of Computer Science, University of Copenhagen
Author of http://www.adsl-optimizer.dk
-------------------------------------------------------------------

On Wed, 10 Jan 2007, ArcosCom Linux User wrote:
> Here they are:
>
> # grep . /proc/sys/net/ipv4/route/*
> /proc/sys/net/ipv4/route/error_burst:5000
> /proc/sys/net/ipv4/route/error_cost:1000
> grep: /proc/sys/net/ipv4/route/flush: Operación no permitida
> /proc/sys/net/ipv4/route/gc_elasticity:8
> /proc/sys/net/ipv4/route/gc_interval:60
> /proc/sys/net/ipv4/route/gc_min_interval:0
> /proc/sys/net/ipv4/route/gc_min_interval_ms:500
> /proc/sys/net/ipv4/route/gc_thresh:32768
> /proc/sys/net/ipv4/route/gc_timeout:300
> /proc/sys/net/ipv4/route/max_delay:10
> /proc/sys/net/ipv4/route/max_size:524288
> /proc/sys/net/ipv4/route/min_adv_mss:256
> /proc/sys/net/ipv4/route/min_delay:2
> /proc/sys/net/ipv4/route/min_pmtu:552
> /proc/sys/net/ipv4/route/mtu_expires:600
> /proc/sys/net/ipv4/route/redirect_load:20
> /proc/sys/net/ipv4/route/redirect_number:9
> /proc/sys/net/ipv4/route/redirect_silence:20480
> /proc/sys/net/ipv4/route/secret_interval:600
>
>
> On Wed, 10 January 2007, 16:01, Jesper Dangaard Brouer wrote:
>>
>>
>> On Wed, 10 Jan 2007, ArcosCom Linux User wrote:
>>
>>> On Wed, 10 January 2007, 8:15, Patrick McHardy wrote:
>>>> ArcosCom Linux User wrote:
>>>>> The log says:
>>>>> Dec 30 00:52:27 cura kernel: dst cache overflow
>>
>> The log message "dst cache overflow" is normally related to overflow of
>> the route cache. The max_size of the route cache can be adjusted through
>> /proc/sys/net/ipv4/route/max_size.
>>
>> What are your settings in /proc/sys/net/ipv4/route/?
>>
>> Run command:
>> grep . /proc/sys/net/ipv4/route/*
>>
>> Regards
>> Jesper Brouer
>>
>> --
>> -------------------------------------------------------------------
>> MSc. Master of Computer Science
>> Dept. of Computer Science, University of Copenhagen
>> Author of http://www.adsl-optimizer.dk
>> -------------------------------------------------------------------

From linux at arcoscom.com Wed Jan 10 21:14:00 2007
From: linux at arcoscom.com (ArcosCom Linux User)
Date: Wed Jan 10 21:10:17 2007
Subject: [LARTC] dst cache overflow (bridged wan interfaces)
Message-ID: <41878.84.123.236.132.1168460040.squirrel@www.arcoscom.com>

I recompiled the 2.6.19.1 kernel again (using iptables with the same patches too).

The configuration for this test is:

1) linux box with 2.6.19.1 kernel (SMP machine) with these patches/modules:
   a) l7-filter
   b) ipp2p
   c) connlimit
   d) set
2) 4 ethernet interfaces:
   a) 2 external (eth1 and eth3) interfaces with balanced links (as described in nano-howto) bridged as wan0 with static IPs assigned to wan0 and wan0:1
   b) 2 internal interfaces (eth0 and eth2) in bridge zlan0 with STP enabled and configured.
IPTABLES relevant configuration:

# iptables -t nat -vn -L POSTROUTING
Chain POSTROUTING (policy ACCEPT 185 packets, 16649 bytes)
 pkts bytes target     prot opt in     out     source               destination
   26  1529 MASQUERADE  0    --  *      wan0    10.1.1.0/27          0.0.0.0/0
    0     0 MASQUERADE  0    --  *      wan0:1  10.1.1.0/27          0.0.0.0/0

ROUTES CONFIGURATION:

# service rt status
=== REGLAS DE ENRUTAMIENTO ===
0:      from all lookup local
50:     from all lookup main
151:    from NET_PUB1 lookup 151
152:    from NET_PUB2 lookup 152
220:    from all lookup 220
32766:  from all lookup main
32767:  from all lookup default
=== TABLAS DE RUTAS ===
=== MAIN ===
NET_PUB1/26 dev wan0 proto kernel scope link src IP_PUB1
NET_PUB2/24 dev wan0 proto kernel scope link src IP_PUB2
192.168.3.0/24 dev zlan0 proto kernel scope link src 192.168.3.247
192.168.2.0/24 dev zlan0 proto kernel scope link src 192.168.2.247
192.168.1.0/24 dev zlan0 proto kernel scope link src 192.168.1.247
10.1.1.0/24 dev zlan0 proto kernel scope link src 10.1.1.6
169.254.0.0/16 dev zlan0 scope link
239.0.0.0/8 dev zlan0 scope link
=== wan0 TABLA 151 ===
default via GW_PUB1 dev wan0 proto static src IP_PUB1
prohibit default proto static metric 1
=== wan0 TABLA 152 ===
default via GW_PUB2 dev wan0 proto static src IP_PUB2
prohibit default proto static metric 1
=== TABLA 220 (defecto) ===
default proto static
        nexthop via GW_PUB1 dev wan0 weight 1
        nexthop via GW_PUB2 dev wan0 weight 1

ROUTING parameters configuration:

# grep . /proc/sys/net/ipv4/route/*
/proc/sys/net/ipv4/route/error_burst:5000
/proc/sys/net/ipv4/route/error_cost:1000
grep: /proc/sys/net/ipv4/route/flush: Operación no permitida
/proc/sys/net/ipv4/route/gc_elasticity:8
/proc/sys/net/ipv4/route/gc_interval:60
/proc/sys/net/ipv4/route/gc_min_interval:0
/proc/sys/net/ipv4/route/gc_min_interval_ms:500
/proc/sys/net/ipv4/route/gc_thresh:32768
/proc/sys/net/ipv4/route/gc_timeout:300
/proc/sys/net/ipv4/route/max_delay:10
/proc/sys/net/ipv4/route/max_size:524288
/proc/sys/net/ipv4/route/min_adv_mss:256
/proc/sys/net/ipv4/route/min_delay:2
/proc/sys/net/ipv4/route/min_pmtu:552
/proc/sys/net/ipv4/route/mtu_expires:600
/proc/sys/net/ipv4/route/redirect_load:20
/proc/sys/net/ipv4/route/redirect_number:9
/proc/sys/net/ipv4/route/redirect_silence:20480
/proc/sys/net/ipv4/route/secret_interval:600

When I have tested it over some weeks with intensive traffic I'll put more info about this test here.

If somebody has any idea on how to solve the problem, please tell us. I'm a bit desperate with this issue.

Regards

From rangi at ngen.net.nz Thu Jan 11 04:26:18 2007
From: rangi at ngen.net.nz (Rangi Biddle)
Date: Thu Jan 11 04:31:12 2007
Subject: [LARTC] IPP2P Problem
Message-ID: <00a401c73530$44ae1470$0101010a@lamachine>

Hi Guys,

I am currently using linux kernel 2.6.18.6 + l7filter patch, iptables 1.3.7 and have managed to compile the ipp2p shared object which is now sitting in /lib/iptables.

However when I run the following I get this following error

[root@ngen-ap ~]# iptables -m ipp2p --help
iptables v1.3.7: Couldn't load match `ipp2p'
Try `iptables -h' or 'iptables --help' for more information.
I can verify that the shared object is in /lib/iptables

[root@ngen-ap ~]# ls /lib/iptables/ | grep pp2p
libipt_ipp2p.so

I have checked the permissions on the file

[root@ngen-ap ~]# ls /lib/iptables/ -l | grep pp2p
-rwxr-xr-x 1 root root 8448 Jan 11 02:00 libipt_ipp2p.so

The system is a CentOS 4.4 system with all the latest updates applied.

Any help would be appreciated

Regards,
Rangi

PS. The module was loading perfectly fine before upgrading to iptables 1.3.7 - and yes I recompiled the ipp2p module again after upgrading to iptables 1.3.7

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070111/d83a0ce6/attachment.htm

From chilek at chilan.com Thu Jan 11 10:01:14 2007
From: chilek at chilan.com (Tomasz Chilinski)
Date: Thu Jan 11 10:01:31 2007
Subject: [LARTC] IPP2P Problem
In-Reply-To: <00a401c73530$44ae1470$0101010a@lamachine>
References: <00a401c73530$44ae1470$0101010a@lamachine>
Message-ID: <20070111085631.M57993@chilan.com>

On Thu, 11 Jan 2007 16:26:18 +1300, Rangi Biddle wrote
> Hi Guys,

Hi Rangi.

> I am currently using linux kernel 2.6.18.6 + l7filter patch,
> iptables 1.3.7 and have managed to compile the ipp2p shared object
> which is now sitting in /lib/iptables.
>
> However when I run the following I get this following error
>
> [root@ngen-ap ~]# iptables -m ipp2p --help
>
> iptables v1.3.7: Couldn't load match `ipp2p'
>
> Try `iptables -h' or 'iptables --help' for more information.

In the ipp2p Makefile find the libipt_ipp2p.so make definition and make sure you've got:

$(CC) -shared -o libipt_ipp2p.so libipt_ipp2p.o

Probably there's

ld -shared -o libipt_ipp2p.so libipt_ipp2p.o

over there and it's a mistake.

> Regards,
> Rangi

Bests,
Tomasz.
From dariuse at progmera.lt Thu Jan 11 10:32:44 2007
From: dariuse at progmera.lt (Darius Evseicikas)
Date: Thu Jan 11 10:32:36 2007
Subject: [LARTC] help
Message-ID: <01d801c73563$72c33a60$6407000a@k100>

Regards
Darius Evseicikas
==================
UAB "PROGMERA"
Maironio g. 3, LT-60149, Raseiniai
tel./fax +370 428 70329
mobile +370 699 97390
ICQ 297832308

The information in this message may be confidential. It is intended only for the person to whom it is addressed. If you are not that person (or responsible for delivering this message to that person), you may not read, copy or in any way distribute this message in whole or in part or disclose the information it contains. If you received this message by mistake, please inform the sender and immediately delete all copies of this message from your system.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070111/74c741c0/attachment.html

From luciano at lugmen.org.ar Thu Jan 11 12:56:42 2007
From: luciano at lugmen.org.ar (Luciano Ruete)
Date: Thu Jan 11 12:56:52 2007
Subject: [LARTC] filtering in layer 2 [but is not a bridge]
In-Reply-To: <45A39FF6.5080608@xs4all.nl>
References: <200701091052.37604.luciano@lugmen.org.ar> <45A39FF6.5080608@xs4all.nl>
Message-ID: <200701110856.43061.luciano@lugmen.org.ar>

On Tuesday 09 January 2007 11:00, Zoilo Gomez wrote:
> ebtables

from the ebtables home page:
"The ebtables utility enables basic Ethernet frame filtering on a Linux bridge"

I have _not_ a bridge (that's why I put it in the subject), I have a Linux AP that forwards traffic between clients at 802.11 level.
--
Luciano

From zoilo at xs4all.nl Thu Jan 11 13:01:16 2007
From: zoilo at xs4all.nl (Zoilo Gomez)
Date: Thu Jan 11 13:01:32 2007
Subject: [LARTC] filtering in layer 2 [but is not a bridge]
In-Reply-To: <200701110856.43061.luciano@lugmen.org.ar>
References: <200701091052.37604.luciano@lugmen.org.ar> <45A39FF6.5080608@xs4all.nl> <200701110856.43061.luciano@lugmen.org.ar>
Message-ID: <45A6270C.1060807@xs4all.nl>

Isn't an AP just a bridge with a wireless interface?

Luciano Ruete wrote:
>On Tuesday 09 January 2007 11:00, Zoilo Gomez wrote:
>
>
>>ebtables
>>
>>
>
>from the ebtables home page:
>"The ebtables utility enables basic Ethernet frame filtering on a Linux
>bridge"
>
>I have _not_ a bridge (that's why I put it in the subject), I have a Linux AP
>that forwards traffic between clients at 802.11 level.
>
>
>

From chilek at chilan.com Thu Jan 11 22:34:20 2007
From: chilek at chilan.com (Tomasz Chilinski)
Date: Thu Jan 11 22:34:26 2007
Subject: [LARTC] IPP2P Problem
In-Reply-To: <00fb01c735b7$5b3d2690$0101010a@lamachine>
References: <20070111085631.M57993@chilan.com> <00fb01c735b7$5b3d2690$0101010a@lamachine>
Message-ID: <20070111213114.M67162@chilan.com>

On Fri, 12 Jan 2007 08:33:17 +1300, Rangi Biddle wrote
> Hi Tomasz,

Hi Rangi.

> Thank you for the reply.
>
> I have checked the Makefile and unfortunately it is using the respective
> gcc. Output of Makefile below:
>
> libipt_ipp2p.so: libipt_ipp2p.c ipt_ipp2p.h
>         $(CC) $(CFLAGS) $(IPTABLES_OPTION) $(IPTABLES_INCLUDE) -fPIC
> -c libipt_ipp2p.c

What about the line below?! ;-)

*************
ld -shared -o libipt_ipp2p.so libipt_ipp2p.o
*************

Replace ld by $(CC).

> Any other suggestions?

As above ;-)

> Rangi

Bests,
Tomasz.
From linux at arcoscom.com Fri Jan 12 02:06:12 2007
From: linux at arcoscom.com (ArcosCom Linux User)
Date: Fri Jan 12 02:02:22 2007
Subject: [LARTC] Re: dst cache overflow
In-Reply-To:
References: <60665.10.1.1.10.1167776653.squirrel@www.arcoscom.com> <55635.10.1.1.10.1167946368.squirrel@www.arcoscom.com> <45A492AE.2030909@trash.net> <54528.195.55.244.106.1168435239.squirrel@www.arcoscom.com> <34737.84.123.236.132.1168444904.squirrel@www.arcoscom.com>
Message-ID: <53037.84.123.236.132.1168563972.squirrel@www.arcoscom.com>

Thanks, good tool: I'm using it to take a view into the routes table.

On Wed, 10 January 2007, 20:40, Jesper Dangaard Brouer wrote:
>
> The values look reasonable; garbage collection starts (gc_thresh:32768)
> fairly early, but I often see that the GC cannot keep up.
>
> The maximum size of the route cache max_size=524288 is okay, but it
> depends on the usage pattern. On my production systems I have increased
> max_size to 2 million, to keep up!
>
> Another interesting value is secret_interval:600, which is the interval
> at which the route cache is flushed, in seconds, that is 10 minutes.
>
> 524288/600 = 873 packets/sec to new destinations.
>
> You should realize that filling the route cache in 10 minutes can happen,
> as it only requires 873 packets/sec to new destinations.
>
>
> What to do next:
>
> Monitor the route cache, to see what's actually happening. The route cache
> counters are located in /proc/net/stat/rt_cache, but they are not very human
> readable. Use the tool "rtstat" to monitor the route cache.
>
> The rtstat tool can be downloaded from Robert's site:
> ftp://robur.slu.se/pub/Linux/net-development/rt_cache_stat
>
> Cheers,
> Jesper Brouer
>
> --
> -------------------------------------------------------------------
> MSc. Master of Computer Science
> Dept. of Computer Science, University of Copenhagen
> Author of http://www.adsl-optimizer.dk
> -------------------------------------------------------------------
>
>
>
> On Wed, 10 Jan 2007, ArcosCom Linux User wrote:
>
>> Here they are:
>>
>> # grep . /proc/sys/net/ipv4/route/*
>> /proc/sys/net/ipv4/route/error_burst:5000
>> /proc/sys/net/ipv4/route/error_cost:1000
>> grep: /proc/sys/net/ipv4/route/flush: Operación no permitida
>> /proc/sys/net/ipv4/route/gc_elasticity:8
>> /proc/sys/net/ipv4/route/gc_interval:60
>> /proc/sys/net/ipv4/route/gc_min_interval:0
>> /proc/sys/net/ipv4/route/gc_min_interval_ms:500
>> /proc/sys/net/ipv4/route/gc_thresh:32768
>> /proc/sys/net/ipv4/route/gc_timeout:300
>> /proc/sys/net/ipv4/route/max_delay:10
>> /proc/sys/net/ipv4/route/max_size:524288
>> /proc/sys/net/ipv4/route/min_adv_mss:256
>> /proc/sys/net/ipv4/route/min_delay:2
>> /proc/sys/net/ipv4/route/min_pmtu:552
>> /proc/sys/net/ipv4/route/mtu_expires:600
>> /proc/sys/net/ipv4/route/redirect_load:20
>> /proc/sys/net/ipv4/route/redirect_number:9
>> /proc/sys/net/ipv4/route/redirect_silence:20480
>> /proc/sys/net/ipv4/route/secret_interval:600
>>
>>
>> On Wed, 10 January 2007, 16:01, Jesper Dangaard Brouer wrote:
>>>
>>>
>>> On Wed, 10 Jan 2007, ArcosCom Linux User wrote:
>>>
>>>> On Wed, 10 January 2007, 8:15, Patrick McHardy wrote:
>>>>> ArcosCom Linux User wrote:
>>>>>> The log says:
>>>>>> Dec 30 00:52:27 cura kernel: dst cache overflow
>>>
>>> The log message "dst cache overflow" is normally related to overflow of
>>> the route cache. The max_size of the route cache can be adjusted
>>> through
>>> /proc/sys/net/ipv4/route/max_size.
>>>
>>> What are your settings in /proc/sys/net/ipv4/route/?
>>>
>>> Run command:
>>> grep . /proc/sys/net/ipv4/route/*
>>>
>>> Regards
>>> Jesper Brouer
>>>
>>> --
>>> -------------------------------------------------------------------
>>> MSc. Master of Computer Science
>>> Dept. of Computer Science, University of Copenhagen
>>> Author of http://www.adsl-optimizer.dk
>>> -------------------------------------------------------------------
>

From linux at arcoscom.com Fri Jan 12 02:13:09 2007
From: linux at arcoscom.com (ArcosCom Linux User)
Date: Fri Jan 12 02:09:27 2007
Subject: [LARTC] dst cache overflow (bridged wan interfaces)
In-Reply-To: <41878.84.123.236.132.1168460040.squirrel@www.arcoscom.com>
References: <41878.84.123.236.132.1168460040.squirrel@www.arcoscom.com>
Message-ID: <58296.84.123.236.132.1168564389.squirrel@www.arcoscom.com>

The problem appears to be in the routes patch (after 1 day with 1 workstation with amule configured very aggressively).

I'm now trying the 2.6.19.2 kernel with the configuration exposed here; I'll tell you if the problem was (or not) the patch for dead-gw-detection/multipath-routes from nano-howto. Perhaps this patch is for a specific configuration and needs a more accurate routes config (don't know).

As I said: I'll say whether the problem persists in some days.

Thank you very much.

Regards

On Wed, 10 January 2007, 21:14, ArcosCom Linux User wrote:
> I recompiled the 2.6.19.1 kernel again (using iptables with the same patches
> too).
>
> The configuration for this test is:
> 1) linux box with 2.6.19.1 kernel (SMP machine) with these
> patches/modules:
> a) l7-filter
> b) ipp2p
> c) connlimit
> d) set
> 2) 4 ethernet interfaces:
> a) 2 external (eth1 and eth3) interfaces with balanced links (as
> described in nano-howto) bridged as wan0 with static IPs assigned to
> wan0 and wan0:1
> b) 2 internal interfaces (eth0 and eth2) in bridge zlan0 with STP
> enabled and configured.
>
> IPTABLES relevant configuration:
> # iptables -t nat -vn -L POSTROUTING
> Chain POSTROUTING (policy ACCEPT 185 packets, 16649 bytes)
>  pkts bytes target      prot opt in   out     source        destination
>    26  1529 MASQUERADE  0    --  *    wan0    10.1.1.0/27   0.0.0.0/0
>     0     0 MASQUERADE  0    --  *    wan0:1  10.1.1.0/27   0.0.0.0/0
>
>
> ROUTES CONFIGURATION:
> # service rt status
> === REGLAS DE ENRUTAMIENTO ===
> 0:      from all lookup local
> 50:     from all lookup main
> 151:    from NET_PUB1 lookup 151
> 152:    from NET_PUB2 lookup 152
> 220:    from all lookup 220
> 32766:  from all lookup main
> 32767:  from all lookup default
> === TABLAS DE RUTAS ===
> === MAIN ===
> NET_PUB1/26 dev wan0 proto kernel scope link src IP_PUB1
> NET_PUB2/24 dev wan0 proto kernel scope link src IP_PUB2
> 192.168.3.0/24 dev zlan0 proto kernel scope link src 192.168.3.247
> 192.168.2.0/24 dev zlan0 proto kernel scope link src 192.168.2.247
> 192.168.1.0/24 dev zlan0 proto kernel scope link src 192.168.1.247
> 10.1.1.0/24 dev zlan0 proto kernel scope link src 10.1.1.6
> 169.254.0.0/16 dev zlan0 scope link
> 239.0.0.0/8 dev zlan0 scope link
> === wan0 TABLA 151 ===
> default via GW_PUB1 dev wan0 proto static src IP_PUB1
> prohibit default proto static metric 1
> === wan0 TABLA 152 ===
> default via GW_PUB2 dev wan0 proto static src IP_PUB2
> prohibit default proto static metric 1
> === TABLA 220 (defecto) ===
> default proto static
>         nexthop via GW_PUB1 dev wan0 weight 1
>         nexthop via GW_PUB2 dev wan0 weight 1
>
> ROUTING parameters configuration:
> # grep .
/proc/sys/net/ipv4/route/*
> /proc/sys/net/ipv4/route/error_burst:5000
> /proc/sys/net/ipv4/route/error_cost:1000
> grep: /proc/sys/net/ipv4/route/flush: Operación no permitida
> /proc/sys/net/ipv4/route/gc_elasticity:8
> /proc/sys/net/ipv4/route/gc_interval:60
> /proc/sys/net/ipv4/route/gc_min_interval:0
> /proc/sys/net/ipv4/route/gc_min_interval_ms:500
> /proc/sys/net/ipv4/route/gc_thresh:32768
> /proc/sys/net/ipv4/route/gc_timeout:300
> /proc/sys/net/ipv4/route/max_delay:10
> /proc/sys/net/ipv4/route/max_size:524288
> /proc/sys/net/ipv4/route/min_adv_mss:256
> /proc/sys/net/ipv4/route/min_delay:2
> /proc/sys/net/ipv4/route/min_pmtu:552
> /proc/sys/net/ipv4/route/mtu_expires:600
> /proc/sys/net/ipv4/route/redirect_load:20
> /proc/sys/net/ipv4/route/redirect_number:9
> /proc/sys/net/ipv4/route/redirect_silence:20480
> /proc/sys/net/ipv4/route/secret_interval:600
>
> When I test it along some weeks with intensive traffic I'll put here more
> info about this test.
>
> If somebody has any idea on how to solve the problem, please, tell us. I'm
> a bit desperate with this issue.
>
> Regards
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

From linux at arcoscom.com Fri Jan 12 21:26:30 2007
From: linux at arcoscom.com (ArcosCom Linux User)
Date: Fri Jan 12 21:22:50 2007
Subject: [LARTC] Example on using fwmark with masks. Please help!!
Message-ID: <52633.84.123.236.132.1168633590.squirrel@www.arcoscom.com>

Hi,
could anyone provide an example of using the ip route command to force the use of one route using masks in the mark?

The configuration is:
1 LAN (zlan0) iface
N WAN (wan0 ... wanN) ifaces with static IPs and load balanced.
iptables 1.3.7
kernel 2.6.19.2
iproute 2.6.19

I'm already setting marks into packets for QoS and it's working; I now want to set some bits (OR) at the end of the mark.
For example, I want to use 0x8000 to add another mark to the packet for routing. The packet is already marked with a QoS mark (--set-mark), 0x5 (for example).

I need:
1) The packet to be marked with 0x8000 OR 0x0005 = 0x8005
2) Route the packet with 0x8005 AND 0x8000 = 0x8000 over wan0 (for example)
3) Classify the packet with 0x8005 AND 0x0005 into wan0 1:4 class (for example)

I know how to do this without using masks, but ... Could anybody put here how to do it with them?

Another question: What is the length of the mask? 16bit? 32bit?

Thanks!!

From gerryw at it-procorp.com Fri Jan 12 19:25:25 2007
From: gerryw at it-procorp.com (gerryw@it-procorp.com)
Date: Fri Jan 12 23:22:04 2007
Subject: [LARTC] Linux as T1 router
Message-ID:

Hello All,

I am thinking about using a linux server as a T1 router. I have searched the list, but have not found a discussion about what I'm trying to do. I have a situation where the Cisco router I'm using will not handle the additional bandwidth I added recently. Unfortunately, I cannot afford the Cisco unit that will. I would like to know if anyone has successfully done this. I have been looking at the Sangoma T1 cards. Would anyone be so kind as to share their experience in this area. Any advice would be much appreciated.

Thanks,
-G

From gtaylor at riverviewtech.net Sat Jan 13 04:54:03 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Sat Jan 13 04:59:46 2007
Subject: [LARTC] filtering in layer 2 [but is not a bridge]
In-Reply-To: <45A6270C.1060807@xs4all.nl>
References: <200701091052.37604.luciano@lugmen.org.ar> <45A39FF6.5080608@xs4all.nl> <200701110856.43061.luciano@lugmen.org.ar> <45A6270C.1060807@xs4all.nl>
Message-ID: <45A857DB.2030208@riverviewtech.net>

On 01/11/07 06:01, Zoilo Gomez wrote:
> Isn't an AP just a bridge with a wireless interface?
In a sense, yes. However the 802.11 wireless side of the bridge is a very complex physical layer, (IMHO) more so than 802.3 ethernet.

Host AP is probably listening to requests at the physical transceiver level. If the Host AP is operating in an AP mode (wouldn't it be?) it will have to be involved in passing the traffic from one 802.11 client to another. This is really a form of bridging on the physical layer, not layer 2 in the kernel. Thus EB / IP Tables will not help here.

I have not (yet) personally worked with Host AP, though I plan to. As such, I'm not sure if it includes functionality to filter the traffic that it sees.

I wonder if it would be a possibility to (theoretically) move / extend the functionality of Host AP such that each associated wireless client would (logically / theoretically) appear as a separate interface to a custom bridge that could then be presented / controlled via EBTables. However, this is quite likely exceeding the 802.11 specification in such a way that it would really no longer be 802.11.

Something to keep in mind is that in Infrastructure wireless mode, one wireless client has to talk to the AP and have the AP talk to another wireless client on its behalf. I believe this is the "bridging" that the OP is referring to. Note, I use the term bridging loosely here.

On a side note, how well do you like Host AP?



Grant. . . .

From gtaylor at riverviewtech.net Sat Jan 13 05:00:30 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Sat Jan 13 05:06:08 2007
Subject: [LARTC] Linux as T1 router
In-Reply-To:
References:
Message-ID: <45A8595E.6050905@riverviewtech.net>

On 01/12/07 12:25, gerryw@it-procorp.com wrote:
> I am thinking about using a linux server as a T1 router. I have searched
> the list, but have not found a discussion about what I'm trying to do. I
> have a situation where the Cisco router I'm using will not handle the
> additional bandwidth I added recently. Unfortunately, I cannot afford
> the Cisco unit that will.
> I would like to know if anyone has
> successfully done this. I have been looking at the Sangoma T1 cards.
> Would anyone be so kind as to share their experience in this area. Any
> advice would be much appreciated.

What you are proposing should not be a problem at all. I personally have not used Linux as a T1 router (yet). Consider if you will that there are people using Linux to filter / bridge / rate limit / you name it with gigabit network interfaces, so I don't think the 1.5 Mbps that a T1 will present will be a problem at all.

My only concern would be in which card you choose and what sort of interface it presents to the system in addition to what sort of management tools you have available. I would recommend that you try to stay away from proprietary vendor provided drivers. Not that they will not work, but how many different kernel versions will they support? Will you be able to do what you want to do with it down the road, or will you be locked in to a specific configuration?

Just my $.02 worth.



Grant. . . .

From dpsims at dpsims.com Sat Jan 13 06:03:31 2007
From: dpsims at dpsims.com (David Sims)
Date: Sat Jan 13 06:03:47 2007
Subject: [LARTC] Linux as T1 router
In-Reply-To:
References:
Message-ID:

Hi,

I do not have experience with running a linux router with a T-1 card in it, but I _do_ run a linux box which serves as an egress device and provides policy based routing across three different ISPs using source addresses.... This network has about 1200 workstations and uses around 30 different Class C networks.. iproute2 provides a nice way of allocating Internet traffic generated by all these machines across two different T-1s and a 3 Meg connection depending on where the traffic originates... and it runs on a standard desktop PC (i.e., cheap) with a couple of NIC cards in it...
iproute2 also provides the ability to 'blackhole' a particular host (or hosts) and deny access to the Internet for those who misbehave or become infected with one scanning virus or another...

I am looking for a nice command line tool that I could run on this policy based router that would allow me to more easily identify misbehavers and machines with viruses... I have tried a few tools such as jnettop, iftop, iptraf, pktstat and darkstat, but while each does what it was designed to do fairly nicely, I haven't yet found the tool I am looking for...

Any suggestions out there??

Regards,
Dave

****************************************************************************

On Fri, 12 Jan 2007 gerryw@it-procorp.com wrote:

> Hello All,
>
> I am thinking about using a linux server as a T1 router. I have searched
> the list, but have not found a discussion about what I'm trying to do. I
> have a situation where the Cisco router I'm using will not handle the
> additional bandwidth I added recently. Unfortunately, I cannot afford the
> Cisco unit that will. I would like to know if anyone has successfully done
> this. I have been looking at the Sangoma T1 cards. Would anyone be so kind
> as to share their experience in this area. Any advice would be much
> appreciated.
>
> Thanks,
> -G
>
>

From zutph3n at gmail.com Sat Jan 13 12:54:24 2007
From: zutph3n at gmail.com (zutph3n@gmail.com)
Date: Sat Jan 13 12:55:24 2007
Subject: [LARTC] multipath device round robin not working?
Message-ID: <45A8C870.2010806@gmail.com>

Hi,

I have a linux server running kernel 2.6.19 that is connected with 2 separate 100Mbit links to the same isp:

                           +---+
+---------------+          | I |          +---------------+
|               |          | S |          |               |
|         eth0 --+---------+ P |          |               |
|               |          | S |          |               |
| linux 2.6.19  |          | W |==========|  ISP GATEWAY  |
|               |          | I |          |               |
|         eth1 --+---------+ T |          |               |
|               |          | C |          |               |
+---------------+          | H |          +---------------+
                           +---+

Both links have their own ip but have the same gateway.
The problem is I can't seem to get egress traffic load balanced over the 2 nics.

IP config after boot (dhcp from isp)
ip a:

1: lo: mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo

2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:00:00:00:00:0f brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.110/24 brd 10.0.0.255 scope global eth0

3: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:00:00:00:00:ed brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.120/24 brd 10.0.0.255 scope global eth1

Default routing table after boot
ip r:

10.0.0.0/24 dev eth0 scope link
10.0.0.0/24 dev eth1 scope link metric 1
127.0.0.0/8 dev lo scope link
default via 10.0.0.1 dev eth0
default via 10.0.0.1 dev eth1 metric 1

I enabled ip_forward and set arp_ignore to 1 for eth0 and eth1 to make sure the correct nic answers to arp requests.

I tried to get the egress load balancing to work by replacing the above two default routes with:

ip route add default mpath drr nexthop via 10.0.0.1 dev eth0 weight 1 onlink nexthop via 10.0.0.1 dev eth1 weight 1 onlink

I assumed that with mpath device round robin both nics would be used more or less equally, but the reality is only one of the nics actually works and the second nic even stops responding to arp requests.

Am I doing something totally wrong or impossible here or is the device round robin code not working properly?

From zoilo at xs4all.nl Sat Jan 13 14:42:51 2007
From: zoilo at xs4all.nl (Zoilo Gomez)
Date: Sat Jan 13 14:43:01 2007
Subject: [LARTC] filtering in layer 2 [but is not a bridge]
In-Reply-To: <45A857DB.2030208@riverviewtech.net>
References: <200701091052.37604.luciano@lugmen.org.ar> <45A39FF6.5080608@xs4all.nl> <200701110856.43061.luciano@lugmen.org.ar> <45A6270C.1060807@xs4all.nl> <45A857DB.2030208@riverviewtech.net>
Message-ID: <45A8E1DB.4060108@xs4all.nl>

Thank you for your clarification, Grant.

In a different setup, I have been using Access Points (i.e.
Trendnet TEW453APB) with the 'wireless isolation' flag enabled in the configuration setup. In this configuration, wireless clients cannot see each other, and all traffic is forwarded to the Linux router. But I must admit that I never looked into this using Host AP. Still, I would expect that there should be a way to achieve this kind of configuration using Host AP....?

Grant Taylor wrote:
> On 01/11/07 06:01, Zoilo Gomez wrote:
>
>> Isn't an AP just a bridge with a wireless interface?
>
>
> In a sense, yes. However the 802.11 wireless side of the bridge is a
> very complex physical layer, (IMHO) more so than 802.3 ethernet.
>
> Host AP is probably listening to requests at the physical transceiver
> level. If the Host AP is operating in an AP mode (wouldn't it be?) it
> will have to be involved in passing the traffic from one 802.11 client
> to another. This is really a form of bridging on the physical layer,
> not layer 2 in the kernel. Thus EB / IP Tables will not help here.
>
> I have not (yet) personally worked with Host AP, though I plan to. As
> such, I'm not sure if it includes functionality to filter the traffic
> that it sees.
>
> I wonder if it would be a possibility to (theoretically) move / extend
> the functionality of Host AP such that each associated wireless client
> would (logically / theoretically) appear as a separate interface to a
> custom bridge that could then be presented / controlled via EBTables.
> However, this is quite likely exceeding the 802.11 specification in
> such a way that it would really no longer be 802.11.
>
> Something to keep in mind is that in Infrastructure wireless mode, one
> wireless client has to talk to the AP and have the AP talk to another
> wireless client on its behalf. I believe this is the "bridging" that
> the OP is referring to. Note, I use the term bridging loosely here.
>
> On a side note, how well do you like Host AP?
>
>
>
> Grant. . . .
>
>

From alex at samad.com.au Sun Jan 14 10:26:18 2007
From: alex at samad.com.au (Alex Samad)
Date: Sun Jan 14 10:26:44 2007
Subject: [LARTC] multipath device round robin not working?
In-Reply-To: <45A8C870.2010806@gmail.com>
References: <45A8C870.2010806@gmail.com>
Message-ID: <20070114092618.GA19650@samad.com.au>

On Sat, Jan 13, 2007 at 12:54:24PM +0100, zutph3n@gmail.com wrote:
> Hi,
>
> I have a linux server running kernel 2.6.19 that is connected with 2
> separate 100Mbit links to the same isp:
>
>                            +---+
> +---------------+          | I |          +---------------+
> |               |          | S |          |               |
> |         eth0 --+---------+ P |          |               |
> |               |          | S |          |               |
> | linux 2.6.19  |          | W |==========|  ISP GATEWAY  |
> |               |          | I |          |               |
> |         eth1 --+---------+ T |          |               |
> |               |          | C |          |               |
> +---------------+          | H |          +---------------+
>                            +---+
>
> Both links have their own ip but have the same gateway. The problem is I
> can't seem to get egress traffic load balanced over the 2 nics.
>
> IP config after boot (dhcp from isp)
> ip a:
>
> 1: lo: mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
>
> 2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:00:00:00:00:0f brd ff:ff:ff:ff:ff:ff
>     inet 10.0.0.110/24 brd 10.0.0.255 scope global eth0
>
> 3: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:00:00:00:00:ed brd ff:ff:ff:ff:ff:ff
>     inet 10.0.0.120/24 brd 10.0.0.255 scope global eth1
>
> Default routing table after boot
> ip r:
>
> 10.0.0.0/24 dev eth0 scope link
> 10.0.0.0/24 dev eth1 scope link metric 1
> 127.0.0.0/8 dev lo scope link
> default via 10.0.0.1 dev eth0
> default via 10.0.0.1 dev eth1 metric 1
>
> I enabled ip_forward and set arp_ignore to 1 for eth0 and eth1 to make
> sure the correct nic answers to arp requests.
>
> I tried to get the egress load balancing to work by replacing the above
> two default routes with:
>
> ip route add default mpath drr nexthop via 10.0.0.1 dev eth0 weight 1
> onlink nexthop via 10.0.0.1 dev eth1 weight 1 onlink
>
> I assumed that with mpath device round robin both nics would be used
> more or less equally, but the reality is only one of the nics actually
> works and the second nic even stops responding to arp requests.
>
> Am I doing something totally wrong or impossible here or is the device
> round robin code not working properly?

Curiosity, but why use such a setup? Is your ISP link > 2Gbp/s? Why not bond if you want HA.

Why it's not round robining: I am going to guess, but this line

default via 10.0.0.1 dev eth0

costs less to use than

default via 10.0.0.1 dev eth1 metric 1

so it should never use the second. I say guess because I don't know what the default metric is if you do add one.

What you want it to look something like is

default proto static metric 5
        nexthop via 144.132.144.1 dev vlan2 weight 5
        nexthop via 10.20.20.230 dev ppp0 weight 20

There is a link to a howto on the web site that steps out how to set this up

Alex

From martin at linux-ip.net Sun Jan 14 19:00:41 2007
From: martin at linux-ip.net (Martin A. Brown)
Date: Sun Jan 14 19:02:21 2007
Subject: [LARTC] Linux as T1 router
In-Reply-To:
References:
Message-ID:

Greetings,

 : I am thinking about using a linux server as a T1 router. I have
 : searched the list, but have not found a discussion about what I'm
 : trying to do.
 : I have a situation where the Cisco router I'm using
 : will not handle the additional bandwidth I added recently.
 : Unfortunately, I cannot afford the Cisco unit that will. I would
 : like to know if anyone has successfully done this. I have been
 : looking at the Sangoma T1 cards. Would anyone be so kind as to
 : share their experience in this area. Any advice would be much
 : appreciated.

I can recommend the Sangoma T1 cards. I have been using the S508 (ISA) and S514 (PCI) models since 1999. These cards and the (open source) drivers and management software are easy to use. The company is responsive and supportive of their product.

The Sangoma crew have worked over the years to contribute their drivers into the stock kernel, so it is likely (unless the card you choose is a newly released card) that your card will be supported by your default distribution of choice. The software management tools are provided by a separate package, including tools for configuring the (optional) onboard CSU/DSU and diagnosing the frames received by the unit.

Best of all, I can report that I have only ever found one bug in working with their software and drivers, and this was a corner-case bug that they had identified before I reported it to them (several years ago). In short, the software and hardware are very reliable.

-Martin

--
Martin A. Brown
http://linux-ip.net/

From emin.gencpinar at gmail.com Sun Jan 14 20:41:35 2007
From: emin.gencpinar at gmail.com (Emin Gencpinar)
Date: Sun Jan 14 20:41:41 2007
Subject: [LARTC] Linux as a multicast router
Message-ID:

Hi all,

We want linux (ubuntu) with a 2.6 kernel to act as a multicast router and to pass multicast packets between different subnets. The linux machine acting as router has two network cards with two different subnets assigned to them. We first ran the

"sysctl -w net.ipv4.ip_forward=1"

line on the linux shell, which made linux work as a unicast router (like a host, the multicast packets were discarded at the NIC).
Then at the weekend we heard about the

"sysctl -w net.ipv4.conf.all.mc_forward=1"

line, which is said to satisfy the multicast routing requirement, but we did not try this yet. Is this last line enough to make linux work as a multicast router?

There is also one alternative we found: XORP ( Open Source IP Router )
http://www.xorp.org/livecd.html#getting
But this works from a live cd. We want to also use the linux shell at the same time. And also we did not try this tool yet.

It is enough to use linux as a router; we do not consider the routing algorithms or any other thing.

Thanks in advance...

Emin

From linux at arcoscom.com Sun Jan 14 22:17:04 2007
From: linux at arcoscom.com (ArcosCom Linux User)
Date: Sun Jan 14 22:13:00 2007
Subject: [LARTC] dst cache overflow (bridged wan interfaces) [appears to be SOLVED]
In-Reply-To: <58296.84.123.236.132.1168564389.squirrel@www.arcoscom.com>
References: <41878.84.123.236.132.1168460040.squirrel@www.arcoscom.com> <58296.84.123.236.132.1168564389.squirrel@www.arcoscom.com>
Message-ID: <42024.84.123.236.132.1168809424.squirrel@www.arcoscom.com>

Yes, the problem appears to be in the http://www.ssi.bg/~ja/#routes patch. Perhaps this patch is for specific purposes and breaks the routes table or something about it.

I tested for 2 days now with 4 pcs and amule/azureus configured very aggressively to enable connections quickly, monitored with the "rtstat" util (as someone pointed out to me), and I have seen more numerically how the routing is working in the linux box. I have taken into account all the comments about this problem and how to optimize the routing. ¡¡THANKS TO ALL!!

It appears I can run fine with this configuration and use it in a production environment, but I'll wait for 2 or 3 weeks before passing it into production.

Thanks to all!!
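A defender's check for the condition Jesper describes earlier in this thread (the route cache outgrowing gc_thresh and max_size), as an added example that is not code from the thread or from any poster: it parses the `grep . /proc/sys/net/ipv4/route/*` listing and the per-CPU counters in /proc/net/stat/rt_cache (the file rtstat reads), assuming the 2.6-era column layout of that file, and reports whether the cache is under GC pressure or already overflowing. The sample inputs are constructed from the values posted in the thread.

```python
"""Route-cache health check for the "dst cache overflow" thread.

Added example, not code from the LARTC thread or from any poster. It assumes
the 2.6-era layout of /proc/net/stat/rt_cache: one header line naming the
columns, then one row per CPU of 8-digit hex fields, where the first field
("entries") is the global size of the route cache repeated on every row and
the remaining fields are per-CPU counters.
"""
import re

# Constructed sample: the sysctl values posted in the thread, in the format
# `grep . /proc/sys/net/ipv4/route/*` prints them. The write-only `flush`
# file yields a grep error line, which the parser has to skip.
SAMPLE_SYSCTLS = """\
/proc/sys/net/ipv4/route/gc_elasticity:8
/proc/sys/net/ipv4/route/gc_interval:60
/proc/sys/net/ipv4/route/gc_thresh:32768
/proc/sys/net/ipv4/route/gc_timeout:300
grep: /proc/sys/net/ipv4/route/flush: Operation not permitted
/proc/sys/net/ipv4/route/max_size:524288
"""

# Constructed sample of /proc/net/stat/rt_cache on a two-CPU box whose cache
# has grown past max_size (entries = 0x81a3c = 531004 > 524288).
SAMPLE_RT_CACHE = """\
entries  in_hit in_slow_tot in_slow_mc in_no_route in_brd in_martian_dst in_martian_src  out_hit out_slow_tot out_slow_mc  gc_total gc_ignored gc_goal_miss gc_dst_overflow in_hlist_search out_hlist_search
00081a3c  01c4f2a0 0009b1d7 00000000 00000000 00000312 00000000 00000007  00f0a1b2 00088e10 00000000 000001f4 00000040 00000003 0000002a 00120000 000a0000
00081a3c  01b0e7c3 00092a11 00000000 00000000 000002f9 00000000 00000002  00e8b3d4 00081c55 00000000 000001c2 00000038 00000001 00000011 00115000 0009c000
"""

SYSCTL_RE = re.compile(r"^/proc/sys/net/ipv4/route/(\w+):(-?\d+)$")


def parse_route_sysctls(text):
    """Return {name: int} for every name:value line; ignore anything else."""
    values = {}
    for line in text.splitlines():
        m = SYSCTL_RE.match(line.strip())
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def parse_rt_cache_stat(text):
    """Return one {column: int} dict per CPU row of /proc/net/stat/rt_cache."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    names = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(names):
            raise ValueError("unexpected rt_cache row: %r" % line)
        rows.append({n: int(v, 16) for n, v in zip(names, fields)})
    return rows


def assess_route_cache(sysctls, rows):
    """Compare cache occupancy with gc_thresh/max_size and sum GC failures.

    The kernel prints "dst cache overflow" when garbage collection fails to
    bring the cache back under max_size; gc_dst_overflow counts those events.
    """
    entries = rows[0]["entries"]          # global count, same on every row
    gc_thresh = sysctls["gc_thresh"]
    max_size = sysctls["max_size"]
    gc_dst_overflow = sum(r["gc_dst_overflow"] for r in rows)
    gc_goal_miss = sum(r["gc_goal_miss"] for r in rows)
    if entries >= max_size or gc_dst_overflow:
        status = "overflow"        # the condition behind the log message
    elif entries > gc_thresh:
        status = "gc-pressure"     # GC runs on every insert above gc_thresh
    else:
        status = "ok"
    return {
        "status": status,
        "entries": entries,
        "gc_thresh": gc_thresh,
        "max_size": max_size,
        "headroom": max_size - entries,
        "gc_goal_miss": gc_goal_miss,
        "gc_dst_overflow": gc_dst_overflow,
    }


if __name__ == "__main__":
    report = assess_route_cache(parse_route_sysctls(SAMPLE_SYSCTLS),
                                parse_rt_cache_stat(SAMPLE_RT_CACHE))
    for key, value in report.items():
        print("%-16s %s" % (key, value))
```

On a live box, feed it the real files: `open("/proc/net/stat/rt_cache").read()` and the output of the grep command the thread uses.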
On Fri, 12 Jan 2007, 2:13, ArcosCom Linux User wrote:
> The problem appears to be in the routes patch (after 1 day with 1
> workstation with amule configured very aggressively).
>
> I'm trying now the 2.6.19.2 kernel with the configuration exposed here,
> I'll tell you whether the problem was (or not) the patch for
> dead-gw-detection/multipath-routes from nano-howto. Perhaps this patch is
> for a specific configuration and needs a more accurate routes config (don't
> know).
>
> As I said: I'll say whether the problem persists in some days.
>
> Thank you very much.
>
> Regards
>
> On Wed, 10 Jan 2007, 21:14, ArcosCom Linux User wrote:
>> I already recompiled the 2.6.19.1 kernel (using iptables with the same patches
>> too).
>>
>> The configuration for this test is:
>> 1) linux box with 2.6.19.1 kernel (SMP machine) with these
>> patches/modules:
>>    a) l7-filter
>>    b) ipp2p
>>    c) connlimit
>>    d) set
>> 2) 4 ethernet interfaces:
>>    a) 2 external (eth1 and eth3) interfaces with balanced links (as
>>    described in nano-howto) bridged as wan0 with static IPs assigned to
>>    wan0 and wan0:1
>>    b) 2 internal interfaces (eth0 and eth2) in bridge zlan0 with STP
>>    enabled and configured.
>>
>> IPTABLES relevant configuration:
>> # iptables -t nat -vn -L POSTROUTING
>> Chain POSTROUTING (policy ACCEPT 185 packets, 16649 bytes)
>>  pkts bytes target      prot opt in   out     source        destination
>>    26  1529 MASQUERADE  0    --  *    wan0    10.1.1.0/27   0.0.0.0/0
>>     0     0 MASQUERADE  0    --  *    wan0:1  10.1.1.0/27   0.0.0.0/0
>>
>>
>> ROUTES CONFIGURATION:
>> # service rt status
>> === REGLAS DE ENRUTAMIENTO ===
>> 0:      from all lookup local
>> 50:     from all lookup main
>> 151:    from NET_PUB1 lookup 151
>> 152:    from NET_PUB2 lookup 152
>> 220:    from all lookup 220
>> 32766:  from all lookup main
>> 32767:  from all lookup default
>> === TABLAS DE RUTAS ===
>> === MAIN ===
>> NET_PUB1/26 dev wan0 proto kernel scope link src IP_PUB1
>> NET_PUB2/24 dev wan0 proto kernel scope link src IP_PUB2
>> 192.168.3.0/24 dev zlan0 proto kernel scope link src 192.168.3.247
>> 192.168.2.0/24 dev zlan0 proto kernel scope link src 192.168.2.247
>> 192.168.1.0/24 dev zlan0 proto kernel scope link src 192.168.1.247
>> 10.1.1.0/24 dev zlan0 proto kernel scope link src 10.1.1.6
>> 169.254.0.0/16 dev zlan0 scope link
>> 239.0.0.0/8 dev zlan0 scope link
>> === wan0 TABLA 151 ===
>> default via GW_PUB1 dev wan0 proto static src IP_PUB1
>> prohibit default proto static metric 1
>> === wan0 TABLA 152 ===
>> default via GW_PUB2 dev wan0 proto static src IP_PUB2
>> prohibit default proto static metric 1
>> === TABLA 220 (defecto) ===
>> default proto static
>>         nexthop via GW_PUB1 dev wan0 weight 1
>>         nexthop via GW_PUB2 dev wan0 weight 1
>>
>> ROUTING parameters configuration:
>> # grep .
/proc/sys/net/ipv4/route/*
>> /proc/sys/net/ipv4/route/error_burst:5000
>> /proc/sys/net/ipv4/route/error_cost:1000
>> grep: /proc/sys/net/ipv4/route/flush: Operación no permitida
>> /proc/sys/net/ipv4/route/gc_elasticity:8
>> /proc/sys/net/ipv4/route/gc_interval:60
>> /proc/sys/net/ipv4/route/gc_min_interval:0
>> /proc/sys/net/ipv4/route/gc_min_interval_ms:500
>> /proc/sys/net/ipv4/route/gc_thresh:32768
>> /proc/sys/net/ipv4/route/gc_timeout:300
>> /proc/sys/net/ipv4/route/max_delay:10
>> /proc/sys/net/ipv4/route/max_size:524288
>> /proc/sys/net/ipv4/route/min_adv_mss:256
>> /proc/sys/net/ipv4/route/min_delay:2
>> /proc/sys/net/ipv4/route/min_pmtu:552
>> /proc/sys/net/ipv4/route/mtu_expires:600
>> /proc/sys/net/ipv4/route/redirect_load:20
>> /proc/sys/net/ipv4/route/redirect_number:9
>> /proc/sys/net/ipv4/route/redirect_silence:20480
>> /proc/sys/net/ipv4/route/secret_interval:600
>>
>> When I test it along some weeks with intensive traffic I'll put here
>> more
>> info about this test.
>>
>> If somebody has any idea on how to solve the problem, please, tell us.
>> I'm
>> a bit desperate with this issue.
>>
>> Regards
>>
>
>
>
>

From linux at arcoscom.com Sun Jan 14 22:19:55 2007
From: linux at arcoscom.com (ArcosCom Linux User)
Date: Sun Jan 14 22:15:53 2007
Subject: [LARTC] Re: Example on using fwmark with masks. Please help!!
In-Reply-To: <52633.84.123.236.132.1168633590.squirrel@www.arcoscom.com>
References: <52633.84.123.236.132.1168633590.squirrel@www.arcoscom.com>
Message-ID: <42219.84.123.236.132.1168809595.squirrel@www.arcoscom.com>

Any help?

On Fri, 12 Jan 2007, 21:26, ArcosCom Linux User wrote:
> Hi,
> could anyone provide an example of using the ip route command to
> force the use of one route using masks in the mark?
>
> The configuration is:
> 1 LAN (zlan0) iface
> N WAN (wan0 ... wanN) ifaces with static IPs and load balanced.
> iptables 1.3.7
> kernel 2.6.19.2
> iproute 2.6.19
>
> I'm already setting marks into packets for QoS and it's working; I now want to
> set some bits (OR) at the end of the mark.
>
> For example, I want to use 0x8000 to add another mark to the packet for
> routing. The packet is already marked with a QoS mark (--set-mark), 0x5 (for
> example).
>
> I need:
> 1) The packet to be marked with 0x8000 OR 0x0005 = 0x8005
> 2) Route the packet with 0x8005 AND 0x8000 = 0x8000 over wan0 (for
> example)
> 3) Classify the packet with 0x8005 AND 0x0005 into wan0 1:4 class (for
> example)
>
> I know how to do this without using masks, but ... Could anybody
> put here how to do it with them?
>
> Another question: What is the length of the mask? 16bit? 32bit?
>
> Thanks!!
>
>
>
>
>

From gtaylor at riverviewtech.net Mon Jan 15 05:14:32 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Mon Jan 15 05:20:37 2007
Subject: [LARTC] multipath device round robin not working?
In-Reply-To: <45A8C870.2010806@gmail.com>
References: <45A8C870.2010806@gmail.com>
Message-ID: <45AAFFA8.1010709@riverviewtech.net>

On 01/13/07 05:54, zutph3n@gmail.com wrote:
> Both links have their own ip but have the same gateway. The problem is I
> can't seem to get egress traffic load balanced over the 2 nics.

I don't know if it is still a problem or not, but I ran into something very similar a LONG time ago (mid 2.4). Basically what I found was the problem was that (I believe) multi-path routing really is multi gateway routing. I.e. load balancing across two (or more) different gateways. In your case, and the case that I had, all the IPs in the world did not make any difference b/c each path had the same default gateway.

My solution at the time was to use UML routers to provide different subnets to the box doing ECMP routing.
Each UML basically NATed from the one upstream network to a small downstream private subnet that was unique for each link. This allowed the box doing ECMP to see different gateways. This worked great until I hit a memory limit on connection state. I should probably say that the problem I ran into was not a problem with ECMP but the number of hosts that I was trying to NAT with the amount of RAM that was on the box. I was able to resolve this by adding RAM to the box to provide a larger Connection State Table.

For the record, the box was running a mid 2.4 kernel with a subnet that was the size of 4 class C networks (2048 IPs) on a box that had 256 MB of RAM. I ended up taking the box up to 2 GB of RAM and things have been working GREAT ever since. I do believe this memory / connection state problem has been resolved long ago. However the system is working and paid for and the client is perfectly happy with what is in place and sees no reason to do any thing with it.

(If any one would like more details, just ask.)



Grant. . . .

From tami at disconnected.de Mon Jan 15 19:59:01 2007
From: tami at disconnected.de (Paul Zirnik)
Date: Mon Jan 15 19:59:48 2007
Subject: [LARTC] Linux as a multicast router
In-Reply-To:
References:
Message-ID: <200701151959.02062.tami@disconnected.de>

On Sunday 14 January 2007 20:41, Emin Gencpinar wrote:
> Hi all,
>
> We want linux (ubuntu) with 2.6 kernel to act as multicast router and to
> pass multicast packets between different subnets. And linux machine as
> router has two network cards having two different subnets assigned onto. We
> first worked
> "sysctl -w net.ipv4.ip_forward=1"
> line on linux shell that made linux to work as unicast router. (like host,
> the multicast packets were discarded at NIC). Then at weekend we heard
> about
>
> "sysctl -w net.ipv4.conf.all.mc_forward=1"
> line that is said to satisfy multicast routing requirement, but we did not
> try this yet. Is this last line enough to work linux as multicast router ?
No, you need some kind of routing daemon for multicast forwarding/routing. Look for "mrouted" or "zebra". There is a HowTo for multicast, but not much info on multicast forwarding/routing ....

http://www.linuxjunkies.org/html/Multicast-HOWTO.html

> There is also one alternative we found: XORP ( Open Source IP Router )
> http://www.xorp.org/livecd.html#getting
> But this works from live cd. We want to also use linux shell at the same
> time. And also we did not try this tool yet.

Sorry, no clue about this. But if it is a Linux based live cd I'm sure you can also install it on disk :)

> It is enough to use the linux as router, we do not consider the router
> algorithms or any other thing.

regards,
Tami

From gtaylor at riverviewtech.net Tue Jan 16 01:44:54 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Tue Jan 16 01:51:12 2007
Subject: [LARTC] multipath device round robin not working?
In-Reply-To: <45ABF00D.1060908@gmail.com>
References: <45A8C870.2010806@gmail.com> <45AAFFA8.1010709@riverviewtech.net> <45ABF00D.1060908@gmail.com>
Message-ID: <45AC2006.1040409@riverviewtech.net>

On 01/15/07 15:20, zutph3n@gmail.com wrote:
> Wow, that's a complicated solution. Nicely done:) But I think that's a
> bit too complicated for my setup.... thx for the input anyway.

Thanks. Indeed the set up is not simple.

You may consider talking with your ISP and seeing if they can assign one of your links an IP on a different subnet. I have found that ISPs that are worth their salt are willing to work with you to help you resolve these types of problems.



Grant. . . .

From roman at skula.com Tue Jan 16 01:57:17 2007
From: roman at skula.com (Roman Skula)
Date: Tue Jan 16 01:57:32 2007
Subject: [LARTC] egress bandwidth not limited / limited extremely inaccurately
Message-ID: <45AC22ED.4060107@skula.com>

I'm just-so-fresh to the list, so hello everyone.

I'm having a really hard time with setting up very simple bandwidth management.
What I am trying to do is set up a 10Mbit interface to send at only 1920kbit to most of the network (to make sure it hardly ever tops 2mbit). I did succeed with the ingress traffic... With egress however, I get very odd results at different speeds.

With HTB: If I try to throttle at 0.5mbit for example, a windows box on a 1mbit ADSL line is capable of downloading at ~64k from the box I'm limiting, while a BSD box on a 4mbit DSL line happily downloads at ~200k. Limiting to 2mbit looks like there are no results at all.

With TBF: The downloads from the limited box are always ~5k, at least to what I've observed with different configurations (even with limits at 2mbit).

I'm doing all of that directly on the Internet with public IPs. I think I've read all the TLDP and LARTC to no results, so would greatly appreciate any help with strictly cutting the bandwidth at ~1920kbit. What am I missing?

The scripts I've tried (or tried their variants):

# tc qdisc add dev eth0 root handle 1: htb default 20
# tc class add dev eth0 parent 1: classid 1:1 htb rate 10mbit
# tc class add dev eth0 parent 1:1 classid 1:10 htb rate 9.5mbit
# tc class add dev eth0 parent 1:1 classid 1:20 htb rate 0.5mbit
# tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
# tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
# tc filter add dev eth0 parent 1: protocol ip u32 match ip dst a.b.c.d/24 flowid 1:10

# tc qdisc add dev eth0 root tbf rate 0.5mbit burst 5kb latency 70ms peakrate 1mbit minburst 1540
(yes that does 0.5mbit limiting, but it would be a start...)
# tc qdisc add dev eth0 root handle 1: htb default 20
# tc class add dev eth0 parent 1: classid 1:1 htb rate 1920kbit
# tc class add dev eth0 parent 1:1 classid 1:10 htb rate 128kbit prio 1
# tc class add dev eth0 parent 1:1 classid 1:20 htb rate 1792kbit prio 2
# tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
# tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
# tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 match ip tos 0x10 0xff flowid 1:10
# tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 match ip protocol 1 0xff flowid 1:10

I use the latest iproute2 from the gentoo portage, marked as stable on amd64: sys-apps/iproute2-2.6.16.20060323/

I manually set up the NIC at server boot, with:

#!/bin/sh
mii-tool -F 10baseT-FD eth0

(but I had the same problems before I did that when the box was in a private LAN)

The server details are:

(serenity:~) # uname -a
Linux serenity 2.6.18-gentoo-r4 #1 SMP Mon Jan 15 12:33:56 CET 2007 x86_64 Intel(R) Pentium(R) D CPU 3.00GHz GenuineIntel GNU/Linux
(this is genkernel generated)

(serenity:~) # grep -i config_hz /etc/kernels/kernel-config-x86_64-2.6.18-gentoo-r4
# CONFIG_HZ_100 is not set
CONFIG_HZ_250=y
# CONFIG_HZ_1000 is not set
CONFIG_HZ=250

(serenity:~) # lspci | grep -i ether
05:04.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5714 Gigabit Ethernet (rev a3)
05:04.1 Ethernet controller: Broadcom Corporation NetXtreme BCM5714 Gigabit Ethernet (rev a3)

(serenity:~) # lsmod
Module                  Size  Used by
sch_sfq                 7424  0
sch_htb                18944  1
act_police              8480  1
cls_u32                 9480  2
sch_ingress             5248  1
sch_tbf                 8320  0
ipt_LOG                 8192  1
xt_limit                4352  1
xt_state                3840  1
ip_conntrack           53092  1 xt_state
xt_tcpudp               4864  5
iptable_filter          4736  1
iptable_mangle          4480  0
ip_tables              22312  2 iptable_filter,iptable_mangle
x_tables               18824  5 ipt_LOG,xt_limit,xt_state,xt_tcpudp,ip_tables

(serenity:~) # iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0
           0.0.0.0/0            tcp dpt:20 flags:0x17/0x02
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21 flags:0x17/0x02
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 flags:0x17/0x02
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 flags:0x17/0x02
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:20000:20100 flags:0x17/0x02
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `iptables-IN-policy: '

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

(the mangle tables are empty)

Regards,
--
Roman Skuła (http://roman.skula.com)

From martin at linux-ip.net Tue Jan 16 15:45:15 2007
From: martin at linux-ip.net (Martin A. Brown)
Date: Tue Jan 16 15:47:14 2007
Subject: [LARTC] Advanced Policy Routing not working properly
In-Reply-To: <4592A673.6010303@pobox.com>
References: <4592A673.6010303@pobox.com>

Greetings Andre Correa,

: ip route add default via 101.30.15.249 table MyASN # IP of BGP router
: ip rule add from 101.30.0.0/28 table MyASN
:
: we can see the Internet and the Internet see us through our BGP
: router and neighbors, BUT we cannot see hosts at IP addresses of
: our old ISP (those directly connected to the Firewall). The
: reason is simple, table MyASN has no entry to these old
: addresses. The easy way to go is to insert static routes on
: MyASN, but it is a bad solution when you have lots of subnets in
: use and changes occur frequently.

By altering the manner in which you make your routing decisions, you should be able to solve your problem fairly easily. The key is to understand how to take advantage of the routing policy database.

Given your description, you have a main routing table (table 254) and a table named MyASN (let's say table 250).
You have a number of locally connected networks, and you can manage these networks all in a single routing table...let's call it legacynets (table 240). The legacynets routing table should only contain routes for the locally connected networks in your old netblock.

# ip rule add prio 32000 from 101.30.0.0/28 table MyASN
# ip rule add prio 31000 from all table legacynets
# ip rule show
0:      from all lookup local
31000:  from all lookup legacynets
32000:  from 101.30.0.0/28 lookup MyASN
32766:  from all lookup main
32767:  from all lookup default

Now, ask yourself what happens at route lookup time. Let's say we have a single inbound packet from 101.30.0.0/28 to 200.1.3.17.

* kernel checks the routing cache; if cached route is found select that route, otherwise perform routing lookup
* check the routing policy database, to determine which routing table to select for first lookup
* priority 0 (highest) requires us to check the local routing table (lookup in local routing table for 200.1.3.17); no route found? return to routing policy database to see which is the next table to select for lookup
* lookup route for 200.1.3.17 in table known as legacynets

I hope that it's obvious at this point how you can generalize this solution for your network. Here are a few items:

* copy_routing_table is a quick-n-dirty function which populates one routing table based on the contents of another [0]
* you can, alternatively use the "throw" route to escape a routing table and continue to traverse the RPDB, in the event that you have a destination that you'd like to handle separately:

    ip route add throw 200.1.3.17 table legacynets

A route like the above would mean that lookups in the routing table for legacynets would (effectively) return to the RPDB for the selection of the next viable routing table.
: All the workarounds I tried expect that in the above scenario if
: a host on old ISP's IP address, lets say 200.1.2.2, pings my
: testing server: machine-X on 101.30.0.2, packets should show up
: on the sender host interface and go out on machine-x interface. I
: expect this as the _main_ table has a route to machine-x
: (directly connected to the Firewall) so the box should know where
: to send packets. It doesn't happen like this. The packets goes
: nowhere. They come on the sender host interface but never go out
: on machine-x interface. If I insert a route to 200.1.2.2 on table
: MyASN I start to see traffic coming and going.

Without twiddles to the sysctl settings, a (well-behaved) Linux router will not send packets out the same interface on which it receives them*.

: Why is this happening? Shouldn't the box just forward traffic
: when there is a route in the _main_ table regardless of existing
: or not a route of return? Or shouldn't it, at least, send this
: traffic to its default gateway?

With more knowledge about the routing process (see also [1]) and routing policy database, it should be a bit more obvious why this happens. I suggest that for each packet (or flow) that is not working, you walk through the route selection process. This will help you internalize the kernel's routing logic and the solution should jump to your mind. (Hint: It probably involves a route lookup in a routing table containing a default route before a routing table containing a more specific route.)

Good luck,

-Martin

* For those who like to quibble, it is certainly possible to do this, but it is a fairly sane default to suppress logical one-armed router scenarios. If you know what you are doing, there's nothing wrong with this configuration.
[0]

    # - - - - - - - - - - -
    copy_routing_table () {
    # - - - - - - - - - - -
      #
      # -- accepts one or two parameters:
      #
      #    $1: table identifier for the routing table to create (destination)
      #    $2: table to copy from (optional, defaults to main)
      #
      test "$#" -lt "1" && return
      DTABLE=$1
      test "$#" -gt "1" && STABLE="$2"
      test "$STABLE" = "" && STABLE="main"

      # rebuild the destination table from the source table, leaving out
      # the default route so the RPDB can fall through to the next table
      ip route flush table "$DTABLE"
      ip route show table "$STABLE" | grep -Ev '^default' \
        | while read ROUTE ; do
          ip route add table "$DTABLE" $ROUTE
        done
    }

[1] http://linux-ip.net/html/routing-selection.html

--
Martin A. Brown
http://linux-ip.net/

From lists at andyfurniss.entadsl.com Tue Jan 16 15:53:18 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Tue Jan 16 15:53:12 2007
Subject: [LARTC] egress bandwidth not limited / limited extremely inaccurately
In-Reply-To: <45AC22ED.4060107@skula.com>
References: <45AC22ED.4060107@skula.com>
Message-ID: <45ACE6DE.2020002@andyfurniss.entadsl.com>

Roman Skula wrote:
> 05:04.1 Ethernet controller: Broadcom Corporation NetXtreme BCM5714
> Gigabit Ethernet (rev a3)

You may need to turn off segmentation offload with ethtool -k

Andy.

From roman at skula.com Tue Jan 16 18:05:26 2007
From: roman at skula.com (Roman Skula)
Date: Tue Jan 16 18:05:36 2007
Subject: [LARTC] egress bandwidth not limited / limited extremely inaccurately
In-Reply-To: <45ACE6DE.2020002@andyfurniss.entadsl.com>
References: <45AC22ED.4060107@skula.com> <45ACE6DE.2020002@andyfurniss.entadsl.com>
Message-ID: <45AD05D6.1070301@skula.com>

Andy Furniss wrote:
> Roman Skula wrote:
>> 05:04.1 Ethernet controller: Broadcom Corporation NetXtreme BCM5714
>> Gigabit Ethernet (rev a3)
> You may need to turn off segmentation offload with ethtool -k

A huge, wet kiss for you, this turned my sky blue again. :)

Many thanks!
Best of wishes,
--
Roman Skuła (http://roman.skula.com)

From linux at arcoscom.com Tue Jan 16 20:46:14 2007
From: linux at arcoscom.com (ArcosCom Linux User)
Date: Tue Jan 16 20:42:26 2007
Subject: [LARTC] Re: Example on using fwmark with masks. Please help!!
In-Reply-To: <52633.84.123.236.132.1168633590.squirrel@www.arcoscom.com>
References: <52633.84.123.236.132.1168633590.squirrel@www.arcoscom.com>
Message-ID: <56110.84.123.236.132.1168976774.squirrel@www.arcoscom.com>

Could anybody explain this topic a bit? Please, I need help with this.

Thanks!!!!

On Fri, 12 January 2007, 21:26, ArcosCom Linux User wrote:
> Hi,
> could anyone provide an example of using the ip route command to
> force the use of one route using masks on the mark?
>
> The configuration is:
> 1 LAN (zlan0) iface
> N WAN (wan0 ... wanN) ifaces with static IPs and load balanced.
> iptables 1.3.7
> kernel 2.6.19.2
> iproute 2.6.19
>
> I'm already setting marks on packets for QoS and it's working; I now want to
> set some bits (OR) at the end of the mark.
>
> For example, I want to use 0x8000 to add another mark to the packet for
> routing. The packet is already marked with a QoS mark (--set-mark), 0x5 (for
> example).
>
> I need:
> 1) The packet to be marked with 0x8000 OR 0x0005 = 0x8005
> 2) Route the packet with 0x8005 AND 0x8000 = 0x8000 over wan0 (for
> example)
> 3) Classify the packet with 0x8005 AND 0x0005 into wan0 1:4 class (for
> example)
>
> I know how to do this without masks, but ... Could anybody
> show here how to do it with them?
>
> Another question: What is the length of the mask? 16bit? 32bit?
>
> Thanks!!

From alex at samad.com.au Tue Jan 16 20:52:27 2007
From: alex at samad.com.au (Alex Samad)
Date: Tue Jan 16 20:52:36 2007
Subject: [LARTC] multipath device round robin not working?
In-Reply-To: <45AC2006.1040409@riverviewtech.net>
References: <45A8C870.2010806@gmail.com> <45AAFFA8.1010709@riverviewtech.net> <45ABF00D.1060908@gmail.com> <45AC2006.1040409@riverviewtech.net>
Message-ID: <20070116195227.GM19650@samad.com.au>

On Mon, Jan 15, 2007 at 06:44:54PM -0600, Grant Taylor wrote:
> On 01/15/07 15:20, zutph3n@gmail.com wrote:
> >Wow, that's a complicated solution. Nicely done:) But I think that's a
> >bit too complicated for my setup.... thx for the input anyway.
>
> Thanks.
>
> Indeed the set up is not simple. You may consider talking with your ISP
> and seeing if they can assign one of your links an IP on a different subnet.
>
> I have found that ISPs that are worth their salt are willing to work
> with you to help you resolve these types of problems.
>
> Grant. . . .

Something else to look for, because you have 2 NICs in the same broadcast domain: http://cactuswax.net/blog/articles/2006/09/arp_ignore.html explains arp_ignore. In its default setup you are going to find one NIC is going to ARP-respond for both IP addresses!

> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From gtaylor at riverviewtech.net Wed Jan 17 06:04:35 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Wed Jan 17 06:11:11 2007
Subject: [LARTC] multipath device round robin not working?
In-Reply-To: <592F914D209FD942908826DFF2277A2D0329E353@COMMSSERVER>
References: <592F914D209FD942908826DFF2277A2D0329E353@COMMSSERVER>
Message-ID: <45ADAE63.6000903@riverviewtech.net>

On 01/16/07 04:01, Andrew Lyon wrote:
> Can you suggest how this can be done with 2.6 as we will be upgrading our
> server soon and I don't think ECMP patch exists for 2.6?

The patch does not exist because ECMP is in the main line kernel.

Networking ->
  Networking options ->
    IP: advanced router
      IP: equal cost multipath

Grant. . . .

From pereyra.roberto at gmail.com Wed Jan 17 12:12:08 2007
From: pereyra.roberto at gmail.com (Roberto Pereyra)
Date: Wed Jan 17 12:12:21 2007
Subject: [LARTC] bridge and ipp2p question

Hi all !!!

I have a firewall bridge (not router) with two NICs that filters p2p with ipp2p.

All works fine but now I need to add a third NIC to route all p2p traffic through this NIC.

Is that possible with a bridge?

Later, with another server connected to this NIC, I do load balancing with two ADSL lines to route all p2p traffic.

Any hint? Any howto?

Thanks in advance.

roberto

--
Ing. Roberto Pereyra
ContenidosOnline
Looking for Linux Virtual Private Servers ? Click here: http://www.spry.com/hosting-affiliate/scripts/t.php?a_aid=426&a_bid=56

From marek at piasta.pl Wed Jan 17 12:12:54 2007
From: marek at piasta.pl (Marek Kierdelewicz)
Date: Wed Jan 17 12:13:24 2007
Subject: [LARTC] egress bandwidth not limited / limited extremely inaccurately
In-Reply-To: <45ACE6DE.2020002@andyfurniss.entadsl.com>
References: <45AC22ED.4060107@skula.com> <45ACE6DE.2020002@andyfurniss.entadsl.com>
Message-ID: <20070117121254.187050cc@rudymobile.alcanet>

Hi there,

>> 05:04.1 Ethernet controller: Broadcom Corporation NetXtreme BCM5714
>> Gigabit Ethernet (rev a3)

>You may need to turn off segmentation offload with ethtool -k

That's very interesting. Do you have any more information on this subject?
Does TSO in general disrupt accuracy of tc ops or is it the case only with Broadcom NICs? Any links would be very much appreciated. Thanks for the response in advance!

cheers,
Marek Kierdelewicz

From johnphilips42 at yahoo.com Wed Jan 17 17:37:43 2007
From: johnphilips42 at yahoo.com (John Philips)
Date: Wed Jan 17 17:37:48 2007
Subject: [LARTC] Use l7-filter on router performing NAT?
Message-ID: <503831.31961.qm@web57812.mail.re3.yahoo.com>

Hey guys,

Here's an easy one.

Is it possible to use the l7-filter extension on a box that performs NAT? The HOWTO says the filter only works 100% of the time if it can see both sides of the connection. I tried putting the l7 MARK rules in the POSTROUTING chain on a box that does NAT and it does successfully mark some packets. I'm not 100% sure if it's working, or if it should work this way.

I've searched the mailing list archives and Google but haven't found an answer.

Thanks!

From mpearson at usachoice.net Wed Jan 17 21:28:07 2007
From: mpearson at usachoice.net (Mike Pearson)
Date: Wed Jan 17 21:28:17 2007
Subject: [LARTC] restricting bandwidth using TC
Message-ID: <45AE86D7.6060501@usachoice.net>

Hello,

I am trying to get the TC command to work on our debian box to limit traffic in and out to 12 Meg. The command I am using is:

tc qdisc add dev eth0 root tbf rate 12000kbit latency 25ms burst 1600
tc qdisc add dev eth1 root tbf rate 12000kbit latency 25ms burst 1600

The problem I am having is that the bandwidth exceeds the 12 Meg by almost 5 Meg.

Any help is appreciated.
Thanks

Mike Pearson

From lists at andyfurniss.entadsl.com Wed Jan 17 22:11:46 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Wed Jan 17 22:11:49 2007
Subject: [LARTC] egress bandwidth not limited / limited extremely inaccurately
In-Reply-To: <20070117121254.187050cc@rudymobile.alcanet>
References: <45AC22ED.4060107@skula.com> <45ACE6DE.2020002@andyfurniss.entadsl.com> <20070117121254.187050cc@rudymobile.alcanet>
Message-ID: <45AE9112.2000703@andyfurniss.entadsl.com>

Marek Kierdelewicz wrote:
> Hi there,
>
>>>05:04.1 Ethernet controller: Broadcom Corporation NetXtreme BCM5714
>>>Gigabit Ethernet (rev a3)
>
>>You may need to turn off segmentation offload with ethtool -k
>
> That's very interesting. Do you have any more information on this
> subject? Does TSO in general disrupt accuracy of tc ops or is it the
> case only with Broadcom NICs? Any links would be very much appreciated.

I don't have any gig eth, but it's not just Broadcom. There have been other posts on here where people have needed to increase htb's mtu parameter to get htb to handle it, despite the interface being 1500.

For shaping traffic for a slow link that is not going to be nice: you could end up dropping multiple TCP segments at once, and it will hurt jitter.

I don't imagine it's right to do it for shaping at gig speed either; maybe the default long queue on eth saves dropping.

I suppose those using gig eth and shaping routed traffic at 1500 MTU will not notice unless they try and shape locally generated traffic as well.

Andy.
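The route-selection walk-through in Martin Brown's "Advanced Policy Routing" reply earlier on this page (rules consulted in priority order, longest-prefix match inside each table, a miss or a "throw" route sending the lookup back to the RPDB) can be checked by hand with the model below. It is an added example, not code from Martin's post or from iproute2, and it deliberately ignores the routing cache, scopes, metrics and multipath. The addresses and table names are the ones from the thread; the interface names eth0/eth1 and the old ISP gateway 200.1.2.1 in the main table are assumptions, since neither is stated. It reproduces both Andre's original rule set, where the MyASN default route is chosen before main's directly connected route, and Martin's fix with legacynets at priority 31000 plus a throw route.

```python
"""Simplified model of Linux policy routing (RPDB) lookup.

Added example for the thread above; not the kernel's or iproute2's code.
Models only: rule priority order, per-table longest-prefix match, and
"throw" routes.  eth0/eth1 and the 200.1.2.1 gateway are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[str] = None      # next-hop gateway; None for a directly connected net
    dev: Optional[str] = None
    throw: bool = False            # "ip route add throw ...": abort this table, continue the RPDB


@dataclass
class Rule:
    prio: int
    table: str
    src: Optional[ipaddress.IPv4Network] = None   # None means "from all"


class Rpdb:
    def __init__(self) -> None:
        self.rules: List[Rule] = []
        self.tables: Dict[str, List[Route]] = {}

    def add_rule(self, prio: int, table: str, src: Optional[str] = None) -> None:
        self.rules.append(Rule(prio, table, ipaddress.ip_network(src) if src else None))
        self.rules.sort(key=lambda r: r.prio)   # lowest priority number is consulted first

    def add_route(self, table: str, prefix: str, via: Optional[str] = None,
                  dev: Optional[str] = None, throw: bool = False) -> None:
        self.tables.setdefault(table, []).append(
            Route(ipaddress.ip_network(prefix), via, dev, throw))

    def lookup_table(self, table: str, dst: ipaddress.IPv4Address) -> Optional[Route]:
        """Longest-prefix match inside one table; None when nothing matches."""
        best = None
        for r in self.tables.get(table, []):
            if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def lookup(self, src: str, dst: str) -> Tuple[Optional[str], Optional[Route]]:
        """Walk the rules in priority order.  The first table that yields a
        non-throw route wins; a miss or a throw route returns us to the RPDB."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for rule in self.rules:
            if rule.src is not None and s not in rule.src:
                continue
            route = self.lookup_table(rule.table, d)
            if route is None or route.throw:
                continue
            return rule.table, route
        return None, None


def base_tables() -> Rpdb:
    """Andre's box as described: main knows the old ISP's directly connected
    net, MyASN holds only a default via the BGP router."""
    db = Rpdb()
    db.add_rule(0, "local")
    db.add_route("local", "101.30.0.2/32", dev="lo")                 # machine-X's own address
    db.add_rule(32766, "main")
    db.add_route("main", "200.1.2.0/24", dev="eth1")                  # old ISP, directly connected
    db.add_route("main", "101.30.0.0/28", dev="eth0")                 # new netblock
    db.add_route("main", "0.0.0.0/0", via="200.1.2.1", dev="eth1")    # assumed old default gateway
    db.add_route("MyASN", "0.0.0.0/0", via="101.30.15.249", dev="eth0")
    return db


def andres_setup() -> Rpdb:
    # "ip rule add from 101.30.0.0/28 table MyASN" with no prio lands just above main
    db = base_tables()
    db.add_rule(32765, "MyASN", src="101.30.0.0/28")
    return db


def martins_setup() -> Rpdb:
    # legacynets (from all) at 31000 is consulted before MyASN at 32000
    db = base_tables()
    db.add_rule(32000, "MyASN", src="101.30.0.0/28")
    db.add_rule(31000, "legacynets")
    db.add_route("legacynets", "200.1.2.0/24", dev="eth1")
    db.add_route("legacynets", "200.1.3.17/32", throw=True)   # ip route add throw 200.1.3.17 table legacynets
    return db


if __name__ == "__main__":
    for name, db in (("Andre", andres_setup()), ("Martin", martins_setup())):
        for dst in ("200.1.2.2", "200.1.3.17"):
            table, route = db.lookup("101.30.0.2", dst)
            print(f"{name}: 101.30.0.2 -> {dst}: table {table}, {route}")
```

Run directly, it prints the table and route chosen for machine-X's replies to 200.1.2.2 and 200.1.3.17 under both rule sets: Andre's replies to 200.1.2.2 leave via the BGP default in MyASN, which is Martin's hint about a default route being consulted before a more specific one; with legacynets in front they use the directly connected route, and the throw route for 200.1.3.17 falls through to MyASN as described. On a real box the equivalent check is `ip route get 200.1.2.2 from 101.30.0.2 iif eth0`.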
From lists at andyfurniss.entadsl.com Wed Jan 17 22:18:26 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Wed Jan 17 22:18:25 2007
Subject: [LARTC] egress bandwidth not limited / limited extremely inaccurately
In-Reply-To: <45AD05D6.1070301@skula.com>
References: <45AC22ED.4060107@skula.com> <45ACE6DE.2020002@andyfurniss.entadsl.com> <45AD05D6.1070301@skula.com>
Message-ID: <45AE92A2.90400@andyfurniss.entadsl.com>

Roman Skula wrote:
> Andy Furniss wrote:
>
>>Roman Skula wrote:
>>
>>>05:04.1 Ethernet controller: Broadcom Corporation NetXtreme BCM5714
>>>Gigabit Ethernet (rev a3)
>>
>>You may need to turn off segmentation offload with ethtool -k
>
> A huge, wet kiss for you, this turned my sky blue again. :)

Lol - I forgot to mention: be careful about using htb default, your ARP/other link-layer traffic ends up there. If you don't specify a default htb will let them through unshaped; you can make a filter to catch the unclassified IP traffic and send it to the class you want.

Andy.

From hijacker at oldum.net Thu Jan 18 09:11:21 2007
From: hijacker at oldum.net (Nikolay Kichukov)
Date: Thu Jan 18 08:12:31 2007
Subject: [LARTC] egress bandwidth not limited / limited extremely inaccurately
References: <45AC22ED.4060107@skula.com> <45ACE6DE.2020002@andyfurniss.entadsl.com> <45AD05D6.1070301@skula.com> <45AE92A2.90400@andyfurniss.entadsl.com>
Message-ID: <002a01c73ad8$50e43af0$0200a8c0@ccja>

Hello Andy,
How does one create such a filter to catch ARP/other link-layer traffic? Can you give us one such example?
Thanks,
-nik

----- Original Message -----
From: "Andy Furniss"
To: "Roman Skula"
Sent: Wednesday, January 17, 2007 10:18 PM
Subject: Re: [LARTC] egress bandwidth not limited / limited extremely inaccurately

> Roman Skula wrote:
> > Andy Furniss wrote:
> >
> >>Roman Skula wrote:
> >>
> >>>05:04.1 Ethernet controller: Broadcom Corporation NetXtreme BCM5714
> >>>Gigabit Ethernet (rev a3)
> >>
> >>You may need to turn off segmentation offload with ethtool -k
> >
> > A huge, wet kiss for you, this turned my sky blue again. :)
>
> Lol - I forgot to mention: be careful about using htb default, your
> ARP/other link-layer traffic ends up there. If you don't specify a default htb
> will let them through unshaped; you can make a filter to catch the
> unclassified IP traffic and send it to the class you want.
>
> Andy.

From lnookx at googlemail.com Thu Jan 18 16:13:05 2007
From: lnookx at googlemail.com (lee nookx)
Date: Thu Jan 18 16:13:24 2007
Subject: [LARTC] Validating QoS
Message-ID: <40d14a940701180713j583384ei3f9a786dafea0380@mail.gmail.com>

Hi all,

I have been tasked with "implementing QoS" on one of our networks. Looking at the documents of LARTC I believe I can implement most of what we want just using netfilter rules and tc. So far, so good.

My question though is how can I analyse how much of an improvement I can expect to achieve using these kinds of solutions. Does anyone here have any experiences that they can share with me?
Thanks,
lee

From marco.casaroli at gmail.com Thu Jan 18 16:55:55 2007
From: marco.casaroli at gmail.com (Marco Aurelio)
Date: Thu Jan 18 16:56:04 2007
Subject: [LARTC] bridge and ipp2p question
Message-ID: <92ed523b0701180755n2416b085gc8edc385310615e7@mail.gmail.com>

This is not possible because ipp2p does not match every p2p packet but only some essential signaling packets. By filtering these packets, the p2p client cannot establish connections to transfer data, and that's how it filters it. Sometimes, ipp2p 'discovers' that this is a p2p related connection after the connection has been established, and then drops the signaling packets. And since you are not an AS and you have one different address per connection, you cannot route packets with a different source address than the one the connection has been established with.

I have a different approach on this; it is not a perfect solution, but it works quite well in some environments: I route all the traffic through one NIC (the garbage p2p connection) and then (with iptables or u32) direct the important traffic by port (HTTP, FTP, IRC, MSN, DNS, SMTP, POP, etc) through the other NIC (the non-p2p connection). Then I filter (with ipp2p) the p2p traffic on the non-p2p NIC because some p2p clients try to mask the connections as if they were these services.

This works quite well, but you need to know every service your clients use.

I use this on a router, I never tested this with a bridge, but it may work too.

--
Marco

On 1/17/07, Roberto Pereyra wrote:
>
> Hi all !!!
>
> I have a firewall bridge (not router) with two nics that filter p2p with
> ipp2p.
>
> All works fine but now I need to add a third nic to route all p2p traffic
> through this nic.
>
> It is that possible with a bridge ?
>
> Later (with other server) connect to this nic I do loading balancing
> with two adsl lines to route all p2p traffic.
>
> Any hint ?
>
> Any howto ?
>
> Thanks in advance.
>
> roberto
>
>
> --
> Ing.
> Roberto Pereyra
> ContenidosOnline
> Looking for Linux Virtual Private Servers ? Click here:
> http://www.spry.com/hosting-affiliate/scripts/t.php?a_aid=426&a_bid=56

--
Marco

From rangi at ngen.net.nz Thu Jan 18 20:51:05 2007
From: rangi at ngen.net.nz (Rangi Biddle)
Date: Thu Jan 18 20:55:51 2007
Subject: [LARTC] IPP2P Problem
In-Reply-To: <20070111213114.M67162@chilan.com>
Message-ID: <003301c73b3a$017fe790$0101010a@lamachine>

Hi Tomasz,

I got the original post that you made regarding the solution below, but by the looks of things the `Thank you` mail didn't get posted. I took another look at the Makefile and sure enough that was the line that was causing the problem. So ... many thanks to you again and here's hoping you receive this `Thank you` mail again.

Regards,

Rangi

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Tomasz Chilinski
Sent: Friday, 12 January 2007 10:34 a.m.
To: Rangi Biddle
Cc: lartc@mailman.ds9a.nl
Subject: RE: [LARTC] IPP2P Problem

On Fri, 12 Jan 2007 08:33:17 +1300, Rangi Biddle wrote
> Hi Tomasz,

Hi Rangi.

> Thank you for the reply.
>
> I have checked the Makefile and unfortunately it is using the respective
> gcc. Output of Makefile below:
>
> libipt_ipp2p.so: libipt_ipp2p.c ipt_ipp2p.h
>         $(CC) $(CFLAGS) $(IPTABLES_OPTION) $(IPTABLES_INCLUDE) -fPIC -c libipt_ipp2p.c

What about the line below?! ;-)

*************
ld -shared -o libipt_ipp2p.so libipt_ipp2p.o
*************

Replace ld by $(CC).

> Any other suggestions?

As above ;-)

> Rangi

Bests,
Tomasz.
From lists at andyfurniss.entadsl.com Fri Jan 19 00:26:36 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Fri Jan 19 00:26:32 2007
Subject: [LARTC] egress bandwidth not limited / limited extremely inaccurately
In-Reply-To: <002a01c73ad8$50e43af0$0200a8c0@ccja>
References: <45AC22ED.4060107@skula.com> <45ACE6DE.2020002@andyfurniss.entadsl.com> <45AD05D6.1070301@skula.com> <45AE92A2.90400@andyfurniss.entadsl.com> <002a01c73ad8$50e43af0$0200a8c0@ccja>
Message-ID: <45B0022C.9020705@andyfurniss.entadsl.com>

Nikolay Kichukov wrote:
> Hello Andy,
> How does one create such a filter to catch ARP/other link-layer traffic? Can
> you give us one such example?

A quick test on ingress

# tc qdisc add dev eth0 ingress

Classify all IP traffic

# tc filter add dev eth0 parent ffff: prio 1 protocol ip u32 match u32 0 0 flowid :1

All ARP

# tc filter add dev eth0 parent ffff: prio 2 protocol arp u32 match u32 0 0 flowid :2

Anything else

# tc filter add dev eth0 parent ffff: prio 3 protocol all u32 match u32 0 0 flowid :3

Look at the counters

# tc -s filter ls dev eth0 parent ffff:

Delete everything ingress on eth0

# tc qdisc del dev eth0 ingress

You can use ethertype protocol numbers in place of arp/ip. Use the prio to make sure the catch-alls are last in the filters you use; prio 1 is the highest for filters.

Andy.
From radu at securesystems.ro Fri Jan 19 04:01:11 2007
From: radu at securesystems.ro (Radu Oprisan)
Date: Fri Jan 19 04:02:00 2007
Subject: [LARTC] restricting bandwidth using TC
In-Reply-To: <45AE86D7.6060501@usachoice.net>
References: <45AE86D7.6060501@usachoice.net>
Message-ID: <45B03477.9040407@securesystems.ro>

Mike Pearson wrote:
> Hello,
>
> I am trying to get the TC command to work on our debian box to limit
> traffic in and out to 12 Meg. The command I am using is:
>
> tc qdisc add dev eth0 root tbf rate 12000kbit latency 25ms burst 1600
> tc qdisc add dev eth1 root tbf rate 12000kbit latency 25ms burst 1600
>
> The problem I am having is that the bandwidth exceeds the 12 Meg by
> almost 5 Meg.
> Any help is appreciated.
>
> Thanks
>
> Mike Pearson

Your question can't be answered until you explain to us what you are truly trying to do. What does in and out mean to you? Does it mean download and upload? Download and upload to another machine/network or to the box on which you run tc?

Please complete the dotted lines...

From tomlobato at gmail.com Fri Jan 19 06:00:35 2007
From: tomlobato at gmail.com (Tom Lobato)
Date: Fri Jan 19 06:00:41 2007
Subject: [LARTC] DGD patch not detecting dead gateway
Message-ID: <7fe14e000701182100l5b1474eai853a0077c821a835@mail.gmail.com>

Hello all!

I applied the http://www.ssi.bg/~ja/routes-2.6.8-10.diff patch to kernel 2.6.8.1 and it works fine, or almost fine. It does the load balancing well, but when one link is dropped it continues to try it. At the end of http://www.ssi.bg/~ja/nano.txt it is said to ping gateway 1 and gateway 2, for the kernel to know if that route is working, but since my linux is connected to the links through 1 dedicated link and one adsl modem, I tried to:

1) remove ethernet cable from linux nic: the patch worked well, began to send traffic only to the still working link.

2) remove telephone line from adsl modem (or external ethernet cable from the dedicated
link switch): the patch didn't work, continued trying to send traffic to the dropped link.

So, I think it's happening because linux, since it can ping the switch (or adsl modem), thinks that link is good.

Did you have this problem? Some hint?

Thank you!

Tom Lobato

From hijacker at oldum.net Fri Jan 19 09:37:15 2007
From: hijacker at oldum.net (Nikolay Kichukov)
Date: Fri Jan 19 09:37:37 2007
Subject: [LARTC] egress bandwidth not limited / limited extremely inaccurately
In-Reply-To: <45B0022C.9020705@andyfurniss.entadsl.com>
References: <45AC22ED.4060107@skula.com> <45ACE6DE.2020002@andyfurniss.entadsl.com> <45AD05D6.1070301@skula.com> <45AE92A2.90400@andyfurniss.entadsl.com> <002a01c73ad8$50e43af0$0200a8c0@ccja> <45B0022C.9020705@andyfurniss.entadsl.com>
Message-ID: <45B0833B.5090504@oldum.net>

Cheers Andy,

That clarifies ;-)

Regards,
-nik

Andy Furniss wrote:
> Nikolay Kichukov wrote:
>> Hello Andy,
>> How does one create such a filter to catch ARP/other link-layer traffic?
>> Can you give us one such example?
>
> A quick test on ingress
>
> # tc qdisc add dev eth0 ingress
>
> Classify all IP traffic
>
> # tc filter add dev eth0 parent ffff: prio 1 protocol ip u32 match u32 0 0 flowid :1
>
> All ARP
>
> # tc filter add dev eth0 parent ffff: prio 2 protocol arp u32 match u32 0 0 flowid :2
>
> Anything else
>
> # tc filter add dev eth0 parent ffff: prio 3 protocol all u32 match u32 0 0 flowid :3
>
> Look at the counters
>
> # tc -s filter ls dev eth0 parent ffff:
>
> Delete everything ingress on eth0
>
> # tc qdisc del dev eth0 ingress
>
> You can use ethertype protocol numbers in place of arp/ip.
> Use the prio to make sure the catch-alls are last in the filters you use;
> prio 1 is the highest for filters.
>
> Andy.

From azez at ufomechanic.net Fri Jan 19 10:24:05 2007
From: azez at ufomechanic.net (Amin Azez)
Date: Fri Jan 19 10:24:18 2007
Subject: [l7-filter-developers] [LARTC] Use l7-filter on router performing NAT?
In-Reply-To: <503831.31961.qm@web57812.mail.re3.yahoo.com> References: <503831.31961.qm@web57812.mail.re3.yahoo.com> Message-ID: <45B08E35.7040903@ufomechanic.net> POSTROUTING chain of which table? NAT should not affect things, as long as - as you say - both directions are going through the box. It sounds like you are "not sure" if it's working. Use connmark target too to save the mark in the conntrack and look in /proc/net/ip_conntrack Also use iptables -vn ... -L to see that l7 count go up as more packets for matched conntracks go by. Sam * John Philips wrote, On 17/01/07 16:37: > Hey guys, > > Here's an easy one. > > Is it possible to use the l7-filter extension on a box > that performs NAT? The HOWTO says the filter only > works 100% of the time if it can see both sides of the > connection. I tried putting the l7 MARK rules in the > POSTROUTING chain on a box that does NAT and it does > successfully mark some packets. I'm not 100% sure if > it's working, or if it should work this way. > > I've searched the mailing list archives and Google but > haven't found an answer. > > Thanks! > > > > ____________________________________________________________________________________ > Never miss an email again! > Yahoo! Toolbar alerts you the instant new Mail arrives. > http://tools.search.yahoo.com/toolbar/features/mail/ > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > > ------------------------------------------------------------------------- > Take Surveys. Earn Cash. 
Influence the Future of IT > Join SourceForge.net's Techsay panel and you'll get the chance to share your > opinions on IT & business topics through brief surveys - and earn cash > http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV > _______________________________________________ > L7-filter-developers mailing list > L7-filter-developers@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/l7-filter-developers > From h.hoxha at atnet.al Fri Jan 19 12:13:05 2007 From: h.hoxha at atnet.al (hhoxha) Date: Fri Jan 19 14:45:55 2007 Subject: [LARTC] 2.6.17 kernels and equalize patch Message-ID: Hi Everybody in the list I have a situation like this ------ (IP1) linux |----eth0.40------ | router | | | box | (IP2) |------|Client Router ( Destiantion Net DNET) |----eth0.41------ | | /27 subnet ------ I just want to balance the load of bandwidth per packet based between the two vlan interfaces to Client Destination network What i have done is : ////////// bash#/sbin/ip route add equalize $DNET scope global nexthop via $IP1 dev eth0.40 weight 1 nexthop via $IP2 dev eth0.41 weight 1 ///////// bash#ip route show $DNET $DNET equalize nexthop via $IP1 dev eth0.40 weight 1 nexthop via $IP2 dev eth0.41 weight 1 But the traffic towards the $DNET does not seem equalized at all It goes out allways to the same interface Is this a problem of route caching or the equalize patch needs to be applied to 2.6.17 kernel , or then I am missing something ??? Thanks a lot Hysen Hoxha Albtelco Albania From pereyra.roberto at gmail.com Fri Jan 19 15:05:59 2007 From: pereyra.roberto at gmail.com (Roberto Pereyra) Date: Fri Jan 19 15:06:04 2007 Subject: [LARTC] bridge and ipp2p question In-Reply-To: <92ed523b0701180755n2416b085gc8edc385310615e7@mail.gmail.com> References: <92ed523b0701180755n2416b085gc8edc385310615e7@mail.gmail.com> Message-ID: Thanks Marco. Very useful your reply. 
Roberto 2007/1/18, Marco Aurelio : > This is not possible because ipp2p does not match every p2p packet but only > some essential signaling packets. By filtering these packets, the p2p client > cannot estabilish connections to transfer data, and that's how it filters > it. > > Sometimes, ipp2p 'discovers' that this is a p2p related connection after > the connection has been established, and then drops the signaling packets. > > And since you are not an AS and you have one different address per > connection, you cannot route packets with a different source address than > the one the connection has been established. > > I have a different approach on this, it is not a perfect soulution, but it > work quite well on some enviroments: > > I route all the traffic through one NIC (the garbage p2p connection) and > then (with iptables or u32) direct the important traffic by port (HTTP, FTP, > IRC, MSN, DNS, SMTP, POP, etc) through the other NIC (the non-p2p > connection). Then I filter (with ipp2p) the p2p traffic on the non-p2p NIC > because some p2p clients try to mask the connections as it were these > services. This works quite well, but you need to know every service your > clients use. > > I use this on a router, I never tested this with a bridge, but it may work > too. > > -- Marco > > > On 1/17/07, Roberto Pereyra wrote: > > > > Hi all !!! > > > > I have a firewall bridge (not router) with two nics that filter p2p with > ipp2p. > > > > All works fine but now I need to add a third nic to route all p2p traffic > > through this nic. > > > > It is that possible with a bridge ? > > > > Later (with other server) connect to this nic I do loading balancing > > with two adsl lines to route all p2p traffic. > > > > Any hint ? > > > > Any howto ? > > > > Thanks in advance. > > > > roberto > > > > > > -- > > Ing. Roberto Pereyra > > ContenidosOnline > > Looking for Linux Virtual Private Servers ? 
Click here: > > > http://www.spry.com/hosting-affiliate/scripts/t.php?a_aid=426&a_bid=56 > > _______________________________________________ > > LARTC mailing list > > LARTC@mailman.ds9a.nl > > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > > > > > > -- > Marco -- Ing. Roberto Pereyra ContenidosOnline Looking for Linux Virtual Private Servers ? Click here: http://www.spry.com/hosting-affiliate/scripts/t.php?a_aid=426&a_bid=56 From luciano at lugmen.org.ar Fri Jan 19 16:37:54 2007 From: luciano at lugmen.org.ar (Luciano Ruete) Date: Fri Jan 19 16:38:10 2007 Subject: [LARTC] 2.6.17 kernels and equalize patch In-Reply-To: References: Message-ID: <200701191237.54988.luciano@lugmen.org.ar> On Friday 19 January 2007 08:13, hhoxha wrote: > Hi > Everybody in the list > > I have a situation like this > > ------ (IP1) > linux |----eth0.40------ | > router | | | > box | (IP2) |------|Client Router ( Destiantion Net DNET) > > |----eth0.41------ | | /27 subnet > > ------ > > > I just want to balance the load of bandwidth per packet based between the > two vlan interfaces to Client Destination network > What i have done is : > > ////////// > bash#/sbin/ip route add equalize $DNET scope global nexthop via > $IP1 dev eth0.40 weight 1 nexthop via $IP2 dev eth0.41 > weight 1 > ///////// > bash#ip route show $DNET > > $DNET equalize > nexthop via $IP1 dev eth0.40 weight 1 > nexthop via $IP2 dev eth0.41 weight 1 > > But the traffic towards the $DNET does not seem equalized at all > It goes out allways to the same interface > > Is this a problem of route caching or the equalize patch needs to be > applied to 2.6.17 kernel , or then I am missing something ??? Equalize is a patch for 2.4, it never get's mainline, and there is no 2.6 version AFAIK.The iproute option is there, but without the patch does nothing. 
--
Luciano

From chilek at chilan.com Fri Jan 19 17:22:12 2007
From: chilek at chilan.com (Tomasz Chilinski)
Date: Fri Jan 19 17:22:15 2007
Subject: [LARTC] 2.6.17 kernels and equalize patch
In-Reply-To:
References:
Message-ID: <20070119162155.M15234@chilan.com>

On Fri, 19 Jan 2007 12:37:54 -0300, Luciano Ruete wrote
> Equalize is a patch for 2.4, it never got mainline, and there is
> no 2.6 version AFAIK. The iproute option is there, but without the
> patch it does nothing.

Interesting. I used vanilla 2.4 and didn't need the equalize patch. Are you sure the equalize patch is needed for 2.4?

> --
> Luciano

Bests,
Tomasz Chilinski.

From mkathuria at tuxtechnologies.co.in Fri Jan 19 19:45:14 2007
From: mkathuria at tuxtechnologies.co.in (Manish Kathuria)
Date: Fri Jan 19 19:45:21 2007
Subject: [LARTC] DGD patch not detecting dead gateway
In-Reply-To: <7fe14e000701182100l5b1474eai853a0077c821a835@mail.gmail.com>
References: <7fe14e000701182100l5b1474eai853a0077c821a835@mail.gmail.com>
Message-ID: <1df4abe60701191045q32c78d97h1ebee0846b5181f@mail.gmail.com>

On 1/19/07, Tom Lobato wrote:
> Hello all!
>
> I applied the http://www.ssi.bg/~ja/routes-2.6.8-10.diff patch to kernel
> 2.6.8.1 and it works fine, or almost fine. It does the load balancing
> well, but when one link is dropped it continues to try it.
> At the end of http://www.ssi.bg/~ja/nano.txt it is said to ping
> gateway 1 and gateway 2, for the kernel to know if that route is
> working, but since my linux is connected to the links through 1
> dedicated link and one adsl modem, I tried to:
> 1) remove the ethernet cable from the linux nic: the patch worked well,
> began to send traffic only to the still working link.
> 2) remove the telephone line from the adsl modem (or the external ethernet
> cable from the dedic. link switch): the patch didn't work, continued
> trying to send traffic to the dropped link.
> So, I think it's happening because linux, since it can ping the
> switch (or adsl modem), thinks that link is good.
>
> Did you have this problem? Some hint?
> Thank you!

My experience has been mixed. The patch worked very well in many cases, but in some it worked only if the first hop gateway was down and not any of the subsequent hops. So, as you mentioned, it's happening since it can ping the switch / modem and thinks the link is good. You can make a script which will keep on running in the background and check if the links are up or not, and if any of the links is down, it can change the default route and provide a failover.

--
Manish Kathuria
Tux Technologies
http://www.tuxtechnologies.co.in/

From simone84bo at email.it Sat Jan 20 00:05:18 2007
From: simone84bo at email.it (Simone84bo)
Date: Sat Jan 20 00:05:14 2007
Subject: [LARTC] HTB? (NEWBIE)
Message-ID: <01585ec188c0b5cce2d81d492b5930e2@85.18.136.107>

Hi to all

I am studying HTB on the LARTC howto. I realize a simple configuration on the router:

tc qdisc add dev eth0 root handle 1: htb default 30
tc class add dev eth0 parent 1: classid 1:1 htb rate 3mbit burst 15k
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 2mbit burst 15k
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 1mbit burst 15k
tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip dport 80 0xffff flowid 1:10

After this configuration I make a ssh connection between client and server. As the guide says, I expect to see on the router (with the command tc -s qdisc ls dev eth0) that unclassified traffic, like ssh, gets routed to 20:, but it doesn't happen. The count of ssh traffic packets shows up only on the root qdisc. Why?

A second question: if I want to limit the rate of all my router, which configuration can I realize?

Thanks

From jordisd at gmail.com Sat Jan 20 00:38:13 2007
From: jordisd at gmail.com (Jordi Segues)
Date: Sat Jan 20 00:38:20 2007
Subject: [LARTC] HTB? (NEWBIE)
In-Reply-To: <01585ec188c0b5cce2d81d492b5930e2@85.18.136.107>
References: <01585ec188c0b5cce2d81d492b5930e2@85.18.136.107>
Message-ID: <9e04a9140701191538l16a5aeecof4d63b4e5457b1e9@mail.gmail.com>

You should probably try:

tc qdisc add dev eth0 root handle 1: htb default 20

and not 30, 'cause your default class is 20, no?

On 1/20/07, Simone84bo wrote:
> Hi to all
> I am studying HTB on the LARTC howto. I realize a simple configuration on the
> router:
> tc qdisc add dev eth0 root handle 1: htb default 30
> tc class add dev eth0 parent 1: classid 1:1 htb rate 3mbit burst 15k
> tc class add dev eth0 parent 1:1 classid 1:10 htb rate 2mbit burst 15k
> tc class add dev eth0 parent 1:1 classid 1:20 htb rate 1mbit burst 15k
> tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
> tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
> tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip dport 80
> 0xffff flowid 1:10
>
> After this configuration I make a ssh connection between client and server.
> As the guide says, I expect to see on the router (with the command tc -s qdisc ls dev
> eth0) that unclassified traffic, like ssh, gets routed to 20:, but it doesn't
> happen. The count of ssh traffic packets shows up only on the root qdisc. Why?
> A second question: if I want to limit the rate of all my router, which
> configuration can I realize?
>
> Thanks

--
Jordi Segués Daina
-------------------------------------------------------
Andorra GSM: (+376) 35 35 68
France GSM: (+33) (0)6 81 88 35 55
E-m@il / MSN: jordisd@gmail.com
AIM: superjordix
Skype: callto://superjordix
-------------------------------------------------------
http://www.JordiX.com

From gtaylor at riverviewtech.net Sat Jan 20 05:13:06 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Sat Jan 20 05:20:24 2007
Subject: [LARTC] DGD patch not detecting dead gateway
In-Reply-To: <1df4abe60701191045q32c78d97h1ebee0846b5181f@mail.gmail.com>
References: <7fe14e000701182100l5b1474eai853a0077c821a835@mail.gmail.com> <1df4abe60701191045q32c78d97h1ebee0846b5181f@mail.gmail.com>
Message-ID: <45B196D2.3040802@riverviewtech.net>

On 01/19/07 12:45, Manish Kathuria wrote:
> My experience has been mixed. The patch worked very well in many cases
> but in some it worked only if the first hop gateway was down and not
> any of the subsequent hops. So, as you mentioned, it's happening since it
> can ping the switch / modem and thinks the link is good. You can make
> a script which will keep on running in the background and check if the
> links are up or not, and if any of the links is down, it can change the
> default route and provide a failover.

I have been tasked with writing such a script. In my scenario, I'm taking it a bit further though. I am planning on having my script test the actual service that I'm trying to connect to. I.e. connect to port 80 and request a page. I'm having to go this route because I've had sporadic MTU issues in one of our (primary) paths. The provider is supposed to be repairing the problem, however I need a solution before that can happen.

I am planning on writing a small daemon, probably in Perl, that will run the tests. What I don't have a good way to do is alter the routing tables, short of shelling out and running ip directly. I would like to know if anyone knows of any other way to alter the routing tables / rules short of calling a shell command.

Grant. . . .

From bbartlomiej at gmail.com Sat Jan 20 17:37:27 2007
From: bbartlomiej at gmail.com (Bartek Krawczyk)
Date: Sat Jan 20 17:37:43 2007
Subject: [LARTC] HTB? (NEWBIE)
In-Reply-To: <01585ec188c0b5cce2d81d492b5930e2@85.18.136.107>
References: <01585ec188c0b5cce2d81d492b5930e2@85.18.136.107>
Message-ID: <4B5ABF0B-DA9A-44D1-8ACC-1B955CD64934@gmail.com>

On Jan 20, 2007, at 12:05 AM, Simone84bo wrote:
> Hi to all
> I am studying HTB on the LARTC howto. I realize a simple configuration on the
> router:
> tc qdisc add dev eth0 root handle 1: htb default 30
> tc class add dev eth0 parent 1: classid 1:1 htb rate 3mbit burst 15k
> tc class add dev eth0 parent 1:1 classid 1:10 htb rate 2mbit burst 15k
> tc class add dev eth0 parent 1:1 classid 1:20 htb rate 1mbit burst 15k
> tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
> tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
> tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip
> dport 80 0xffff flowid 1:10
>
> After this configuration I make a ssh connection between client and
> server.
> As the guide says, I expect to see on the router (with the command tc -s
> qdisc ls dev eth0) that unclassified traffic, like ssh, gets routed to 20:, but
> it doesn't happen. The count of ssh traffic packets shows up only on the root qdisc.
> Why?
> A second question: if I want to limit the rate of all my router, which
> configuration can I realize?

You'd see that if you used a filter on port 22 instead of 80, 'cause 22 is the port of ssh. And your default class is wrong. It should be 1, 10 or 20.
10 or 20 preferably.

regards
--
Bartek Krawczyk
JID: bkrawczyk@jabberpl.org
GG: 2094683

From pereyra.roberto at gmail.com Sun Jan 21 21:06:55 2007
From: pereyra.roberto at gmail.com (Roberto Pereyra)
Date: Sun Jan 21 21:07:14 2007
Subject: [LARTC] mark and route traffic in a bridge
Message-ID:

Hi all !!

I would like to mark and route some kind of traffic (ie: outbound www, for simplicity now)

---inet1--------eth0------------|       |
                                | linux |--eth1------- clients
---inet2(90.0.0.1)--------eth2--|       |

I have eth0 and eth1 bridged (eth2 is not bridged).

I would like to route the outbound www traffic of the clients through eth2. Does this scheme work?

I wrote these scripts:

a) add this line to /etc/iproute2/rt_tables

200 web

b) I assign an ip to eth2:

/sbin/ifconfig eth2 90.0.0.2

c) Mark outbound www packets from clients:

/usr/local/sbin/iptables -A PREROUTING -t mangle -m physdev --physdev-in eth1 -p tcp --dport 80 -j MARK --set-mark 2

d) I route these marked packets:

/sbin/ip rule add fwmark 2 table web
/sbin/ip route add default via 90.0.0.1 dev eth2 table web

e) Now I run iptraf listening on eth2, but there is no traffic through eth2.

What am I doing wrong? How can I do it with a bridge?

Thanks in advance for any hint, and excuse my english.

roberto

--
Ing. Roberto Pereyra
ContenidosOnline

From dan at 34q.eu Mon Jan 22 01:43:21 2007
From: dan at 34q.eu (Dan)
Date: Mon Jan 22 01:44:54 2007
Subject: [LARTC] Advice on TC/Iptables Configurations
Message-ID: <00b101c73dbe$50f98980$f2ec9c80$@eu>

Hi Everyone,

First post to the list - hope I have hit the right list for all of the questions below!

I have several queries over the "front end" infrastructure of a vast data center infrastructure we are planning, connecting 20ish services to the BGP Routed infrastructure being provided by our datacenter provider. There are around 10-30 thousand end users of these services, and I have 100M total bandwidth across the two connections (I can weight the traffic down them as I choose).

The setup looks a little like this:

      (Dual I/Net Connections)
      ( on BGP Routed Network)
           |            |
           |            |
     -----------  -----------
     |Fw/Shpr 1|  |Fw/Shpr 2|
     -----------  -----------
           |            |
        --------------------
        |Core Switches, etc|
        --------------------
           |    |    |
     [Lots of Connections]
     [ to lots of servers]

I am essentially provided with two RJ45 Plugs on the end of two Cat5 Gig Cables, and around 50 IP Addresses for all of my services. In the diagram above, the two connections are represented at the top, and the Core infrastructure and services at the bottom.

I need the ability to traffic shape, firewall, and have redundancy; the plan being to do this on the 2 boxes marked Fw/Shpr 1 and 2 respectively, which will be running Linux (with an Internal and External Gig interface each).

So, the questions:

1) Is it best to NAT in this scenario, or bridge and use the public IP's internally, or 'route' them (by having the BGP Routers point the relevant routes at the FW's), in terms of performance?

2) Is it best to run an active/passive or active/active scenario with the front end firewalls (bearing in mind I could use something like Linux HA)?

3) Would it be worth, performance wise, splitting out the firewall function from the tc function (ie. add a further two boxes between the core and front end firewalls for traffic shaping)? Is this going to give me a huge performance gain?

4) In your opinion, will two run-of-the-mill average rack servers be able to keep up with around 2000-3000 connections and about 100-200M throughput, whilst using IpTables and Traffic Control (assuming a lot of iptables NAT, around 100 rules, and a few htb configs)?

5) If I start sending outbound traffic to multiple default gateways, will I have a huge performance hit if I use the 'random packet distribution' function of iptables? What's the best way to distribute traffic to two default gateways?

6) What's the best way, if I were to use an active/active scenario on the firewalls, to handle outbound traffic (bearing in mind I would need to sync the bandwidth usage for the shapers somehow)?

7) Is there any easy way to use some sort of 'virtual ip' as a default gateway, for the internal servers, to allow the outbound packets to be distributed between the two firewalls in a load-balanced manner?

8) Lastly - am I crazy to do this (bearing in mind the throughput and no. of end users) with Linux rather than dedicated hardware firewalls and packet shapers?!

Thanks for any replies in advance - apologies for the long message!

Kind Regards

Dan

From sawar at interia.pl Mon Jan 22 09:49:28 2007
From: sawar at interia.pl (sAwAr)
Date: Mon Jan 22 09:49:49 2007
Subject: [LARTC] LoadBalancing on many asimetric different dsl's.
Message-ID: <20070122084928.10D7721C893@poczta.interia.pl>

Hi,

my company has just bought a new network and I have a question about one problem.
As in the topic, we must use a few completely different dsl's and balance traffic between them.

2M/0,5M 4Mb/0,5M 8M/0,5M
M=Mb/s

I've never done such a thing before so I have doubts how it will work. If the links are symmetric 2/2 4/4 8/8 there is no problem, because with weights I can compensate the difference between them and achieve nice results. But what in my situation?

My questions are: how to set load balancing to get all links equally loaded and avoid the situation when the upload will be full and download almost empty? I believe this situation can happen due to the fact that load balancing is based on flows and, for example, p2p or smtp/pop3 will eat the whole upload.

If my problem isn't clear I'll try to explain it better later.

Thanks in advance.
Pozdrawiam sawar ---------------------------------------------------------------------- Wolne adresy pocztowe @interia.eu >>> http://link.interia.pl/f19e8 From jordisd at gmail.com Mon Jan 22 10:03:21 2007 From: jordisd at gmail.com (Jordi Segues) Date: Mon Jan 22 10:03:26 2007 Subject: [LARTC] LoadBalancing on many asimetric different dsl's. In-Reply-To: <20070122084928.10D7721C893@poczta.interia.pl> References: <20070122084928.10D7721C893@poczta.interia.pl> Message-ID: <9e04a9140701220103x2aa8bd1aw1538c3709d11e9f6@mail.gmail.com> Hello, I've done this some montsh ago, with a command like: ip route add default equalize scope global nexthop via $EXTGW1 dev $EXTIF1 weight 1 nexthop via $EXTGW2 dev $EXTIF2 weight 1 However, this is not the problem. While loadbalancing of simple requests worked fine, there where problems when you worked with connections. I mean HTTPS, of FTP connection for example. The problem was fo me that the system trys to send packets of the same connection throught different gateways, so with different IP source (each DSL connection was from different ISP). This caused the server not to understand why the same connection sent packets with 2 different source IP ;) Well, I hope you understand me. If you would do real load balancing, and in a proper way, you should not only do it by link charge, but route packets by connection to. (routing all packets of the same connection through the same gateway) This is caused because you must flush the route cache some times (or packets to a destination will allways take the same route, wich is not a loadbalance). So if someone has done it and doesn't have this problem, I'm interested too :) Thanks! Jordi Segues On 22 Jan 2007 09:49:28 +0100, sAwAr wrote: > Hi, > > my company have just bought new network and I have question about one problem. > As in topic we must use few completely different dsl's and balance traffic between them. 
> 2M/0,5M 4Mb/0,5M 8M/0,5M > M=Mb/s > I've never done such thing before so I have doubts how it will work. If the links are symmetric 2/2 4/4 8/8 there is no problem because with weights I can compensate the difference between them and achieve nice results. But what in my situation? > My questions are: how to set load balancing to get all links equally loaded and avoid situation when the up load will be full and download almost empty? I believe this situation can happen due to fact that load balancing is based on flows and for example p2p or smpt/pop3 will eat whole upload. > If my problem isn't clear I'll try to explain it better later. > > > Thanks in advance. > Pozdrawiam > sawar > > ---------------------------------------------------------------------- > Wolne adresy pocztowe @interia.eu >>> http://link.interia.pl/f19e8 > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > -- Jordi Segu?s Daina ------------------------------------------------------- Andorra GSM: (+376) 35 35 68 France GSM: (+33) (0)6 81 88 35 55 E-m@il / MSN: jordisd@gmail.com AIM: superjordix Skype: callto://superjordix ------------------------------------------------------- http://www.JordiX.com From alex at samad.com.au Mon Jan 22 12:18:23 2007 From: alex at samad.com.au (Alex Samad) Date: Mon Jan 22 12:18:33 2007 Subject: [LARTC] LoadBalancing on many asimetric different dsl's. 
In-Reply-To: <9e04a9140701220103x2aa8bd1aw1538c3709d11e9f6@mail.gmail.com> References: <20070122084928.10D7721C893@poczta.interia.pl> <9e04a9140701220103x2aa8bd1aw1538c3709d11e9f6@mail.gmail.com> Message-ID: <20070122111823.GC3981@samad.com.au> On Mon, Jan 22, 2007 at 10:03:21AM +0100, Jordi Segues wrote: > Hello, > > I've done this some montsh ago, with a command like: > ip route add default equalize scope global nexthop via $EXTGW1 dev > $EXTIF1 weight 1 nexthop via $EXTGW2 dev $EXTIF2 weight 1 > > However, this is not the problem. > While loadbalancing of simple requests worked fine, there where > problems when you worked with connections. I mean HTTPS, of FTP > connection for example. > > The problem was fo me that the system trys to send packets of the same > connection throught different gateways, so with different IP source > (each DSL connection was from different ISP). This caused the server > not to understand why the same connection sent packets with 2 > different source IP ;) > Well, I hope you understand me. > > If you would do real load balancing, and in a proper way, you should > not only do it by link charge, but route packets by connection to. > (routing all packets of the same connection through the same gateway) > This is caused because you must flush the route cache some times (or > packets to a destination will allways take the same route, wich is not > a loadbalance). > > So if someone has done it and doesn't have this problem, I'm interested too > :) the above is actually covered in the wiki howto. Bu tyou need to setup snat on each interface, then connection tracking takes care of sending each stream out the right interface, you need to use snat and not MASQ. Then you need to setup up some ip rule tables for each of the interfaces. 
my ip ru looks like this 0: from all lookup local 200: from 144.132.145.38 lookup cable 201: from 60.241.248.86 lookup adsl 32766: from all lookup main 32767: from all lookup default my ip r sh tab default default proto static metric 5 nexthop via 144.132.144.1 dev vlan2 weight 1 nexthop via 10.20.20.230 dev ppp0 weight 20 default via 10.20.20.230 dev ppp0 src 60.241.248.86 metric 20 default via 144.132.144.1 dev vlan2 src 144.132.145.38 metric 30 This works fine for me, I have tracked packets with tcpdump on both the server and the client. Alex > > Thanks! > > Jordi Segues > > On 22 Jan 2007 09:49:28 +0100, sAwAr wrote: > >Hi, > > > >my company have just bought new network and I have question about one > >problem. > >As in topic we must use few completely different dsl's and balance traffic > >between them. > >2M/0,5M 4Mb/0,5M 8M/0,5M > >M=Mb/s > >I've never done such thing before so I have doubts how it will work. If > >the links are symmetric 2/2 4/4 8/8 there is no problem because with > >weights I can compensate the difference between them and achieve nice > >results. But what in my situation? > >My questions are: how to set load balancing to get all links equally > >loaded and avoid situation when the up load will be full and download > >almost empty? I believe this situation can happen due to fact that load > >balancing is based on flows and for example p2p or smpt/pop3 will eat > >whole upload. > >If my problem isn't clear I'll try to explain it better later. > > > > > >Thanks in advance. 
> >Pozdrawiam > >sawar > > > >---------------------------------------------------------------------- > >Wolne adresy pocztowe @interia.eu >>> http://link.interia.pl/f19e8 > > > >_______________________________________________ > >LARTC mailing list > >LARTC@mailman.ds9a.nl > >http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > > > > > -- > Jordi Segu?s Daina > ------------------------------------------------------- > Andorra GSM: (+376) 35 35 68 > France GSM: (+33) (0)6 81 88 35 55 > E-m@il / MSN: jordisd@gmail.com > AIM: superjordix > Skype: callto://superjordix > ------------------------------------------------------- > http://www.JordiX.com > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20070122/b71b8cfc/attachment.pgp From tim at haak.co.uk Mon Jan 22 12:35:33 2007 From: tim at haak.co.uk (Tim Haak) Date: Mon Jan 22 12:36:19 2007 Subject: [LARTC] routing patches seem to break output nat Message-ID: <45B4A185.4080306@haak.co.uk> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: tim.vcf Type: text/x-vcard Size: 113 bytes Desc: not available Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20070122/87f771bc/tim.vcf From jordisd at gmail.com Mon Jan 22 13:21:32 2007 From: jordisd at gmail.com (Jordi Segues) Date: Mon Jan 22 13:21:38 2007 Subject: [LARTC] LoadBalancing on many asimetric different dsl's. 
In-Reply-To: <20070122111823.GC3981@samad.com.au>
References: <20070122084928.10D7721C893@poczta.interia.pl> <9e04a9140701220103x2aa8bd1aw1538c3709d11e9f6@mail.gmail.com> <20070122111823.GC3981@samad.com.au>
Message-ID: <9e04a9140701220421i47e11336p10fab7c3b05145e9@mail.gmail.com>

> the above is actually covered in the wiki howto. But you need to setup snat on
> each interface, then connection tracking takes care of sending each stream out
> the right interface, you need to use snat and not MASQ.

Great news :)
And thank you for the details.
But could you give the link to the wiki howto?
I only found old doc.

Thanks!

> Then you need to set up some ip rule tables for each of the interfaces.
>
> my ip ru looks like this
>
> 0:      from all lookup local
> 200:    from 144.132.145.38 lookup cable
> 201:    from 60.241.248.86 lookup adsl
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> my ip r sh tab default
>
> default proto static metric 5
>         nexthop via 144.132.144.1 dev vlan2 weight 1
>         nexthop via 10.20.20.230 dev ppp0 weight 20
> default via 10.20.20.230 dev ppp0 src 60.241.248.86 metric 20
> default via 144.132.144.1 dev vlan2 src 144.132.145.38 metric 30
>
> This works fine for me, I have tracked packets with tcpdump on both the server
> and the client.
>
> Alex
>
> > Thanks!
> >
> > Jordi Segues
> >
> > On 22 Jan 2007 09:49:28 +0100, sAwAr wrote:
> > >Hi,
> > >
> > >my company have just bought new network and I have question about one
> > >problem.
> > >As in topic we must use few completely different dsl's and balance traffic
> > >between them.
> > >2M/0,5M 4Mb/0,5M 8M/0,5M
> > >M=Mb/s
> > >I've never done such thing before so I have doubts how it will work. If
> > >the links are symmetric 2/2 4/4 8/8 there is no problem because with
> > >weights I can compensate the difference between them and achieve nice
> > >results. But what in my situation?
> > >My questions are: how to set load balancing to get all links equally
> > >loaded and avoid situation when the up load will be full and download
> > >almost empty? I believe this situation can happen due to fact that load
> > >balancing is based on flows and for example p2p or smtp/pop3 will eat
> > >whole upload.
> > >If my problem isn't clear I'll try to explain it better later.
> > >
> > >Thanks in advance.
> > >Regards,
> > >sawar
> >
>

--
Jordi Segués Daina
-------------------------------------------------------
Andorra GSM: (+376) 35 35 68
France GSM: (+33) (0)6 81 88 35 55
E-m@il / MSN: jordisd@gmail.com
AIM: superjordix
Skype: callto://superjordix
-------------------------------------------------------
http://www.JordiX.com

From alex at samad.com.au Mon Jan 22 13:41:54 2007
From: alex at samad.com.au (Alex Samad)
Date: Mon Jan 22 13:42:04 2007
Subject: [LARTC] LoadBalancing on many asymmetric different dsl's.
In-Reply-To: <9e04a9140701220421i47e11336p10fab7c3b05145e9@mail.gmail.com>
References: <20070122084928.10D7721C893@poczta.interia.pl> <9e04a9140701220103x2aa8bd1aw1538c3709d11e9f6@mail.gmail.com> <20070122111823.GC3981@samad.com.au> <9e04a9140701220421i47e11336p10fab7c3b05145e9@mail.gmail.com>
Message-ID: <20070122124154.GH3981@samad.com.au>

On Mon, Jan 22, 2007 at 01:21:32PM +0100, Jordi Segues wrote:
> >the above is actually covered in the wiki howto. But you need to setup
> >snat on
> >each interface, then connection tracking takes care of sending each stream
> >out
> >the right interface, you need to use snat and not MASQ.
>
> Great news :)
> And thank you for the details.
> But could you give the link to the wiki howto?
> I only found old doc.

been a while since i had a look, quick google gave me this

http://lartc.org/howto/lartc.rpdb.multiple-links.html

I have this bookmarked as the wiki
http://linux-net.osdl.org/index.php/Main_Page

But I think the former is what you want

> Thanks!
>
> >Then you need to set up some ip rule tables for each of the interfaces.
> >
> >my ip ru looks like this
> >
> >0:      from all lookup local
> >200:    from 144.132.145.38 lookup cable
> >201:    from 60.241.248.86 lookup adsl
> >32766:  from all lookup main
> >32767:  from all lookup default
> >
> >my ip r sh tab default
> >
> >default proto static metric 5
> >        nexthop via 144.132.144.1 dev vlan2 weight 1
> >        nexthop via 10.20.20.230 dev ppp0 weight 20
> >default via 10.20.20.230 dev ppp0 src 60.241.248.86 metric 20
> >default via 144.132.144.1 dev vlan2 src 144.132.145.38 metric 30
> >
> >This works fine for me, I have tracked packets with tcpdump on both the
> >server
> >and the client.
> >
> >Alex
> >
> >> Thanks!
> >>
> >> Jordi Segues
> >>
> >> On 22 Jan 2007 09:49:28 +0100, sAwAr wrote:
> >> >Hi,
> >> >
> >> >my company have just bought new network and I have question about one
> >> >problem.
> >> >As in topic we must use few completely different dsl's and balance
> >traffic
> >> >between them.
> >> >2M/0,5M 4Mb/0,5M 8M/0,5M
> >> >M=Mb/s
> >> >I've never done such thing before so I have doubts how it will work. If
> >> >the links are symmetric 2/2 4/4 8/8 there is no problem because with
> >> >weights I can compensate the difference between them and achieve nice
> >> >results. But what in my situation?
> >> >My questions are: how to set load balancing to get all links equally
> >> >loaded and avoid situation when the up load will be full and download
> >> >almost empty? I believe this situation can happen due to fact that load
> >> >balancing is based on flows and for example p2p or smtp/pop3 will eat
> >> >whole upload.
> >> >If my problem isn't clear I'll try to explain it better later.
> >> >
> >> >Thanks in advance.
> >> >Regards,
> >> >sawar
> >>
> >
>

From linux42 at freemail.hu Mon Jan 22 15:31:04 2007
From: linux42 at freemail.hu (Nagy Gabor Peter)
Date: Mon Jan 22 15:31:08 2007
Subject: [LARTC] traffic shaping question
Message-ID: <20070122143104.GC17795@swordfish.capgemini.hu>

Hi list,

I have read the lartc 9th chapter, the bandwidth management part. I think I
understand the principle, but I have a question.

So I have a firewall that has several different interfaces. The most
important for my question is the Internet interface, which is a 2mbps leased
line. I have an interface into the protected network, I have a DMZ
interface, and I have an interface with direct connection to a client.

Here is what I need:

Internet -> DMZ + Internet -> LAN + Internet -> firewall traffic together
should not exceed 1.5mbps

At the moment I have a tbf that limits everything that goes to the LAN, and
another that limits everything going to the internet. I would like to shape
the incoming traffic from the internet. OK, I understand that I cannot
influence the senders out there not to try to send me packets, I can only
influence how fast these packets are sent from me. But can I somehow treat
all incoming traffic together? Because my knowledge at the moment is only
some shaping possibilities on the LAN interface and on the DMZ interface.

I have only one idea, but I don't know if it is feasible, and if it is, how
to do that. So I thought that I will create a virtual interface, and route
all traffic from the Internet through this one. So incoming on Internet
interface, outgoing on virtual interface, and from there incoming on the
firewall machine, or outgoing on the LAN or the DMZ interface.

Does it sound good? How can I do that? (I suppose I have to read other
chapters in the lartc guide. Could you point me to where to start? What to
look for?)
Or is there another solution? What would you recommend?

Cheers,
Gabor

From pupilla at hotmail.com Mon Jan 22 17:26:32 2007
From: pupilla at hotmail.com (Marco Berizzi)
Date: Mon Jan 22 17:26:48 2007
Subject: [LARTC] traffic shaping question
References: <20070122143104.GC17795@swordfish.capgemini.hu>
Message-ID:

Nagy Gabor Peter wrote:

> So I thought that I will create a virtual interface, and route all
> traffic from the Internet through this one. So incoming on Internet
> interface, outgoing on virtual interface, and from there incoming on the
> firewall machine, or outgoing on the LAN or the DMZ interface.
>
> Does it sound good? How can I do that? (I suppose I have to read other
> chapters in the lartc guide. Could you point me to where to start? What
> to look for?)

Yes. The virtual interface is called IFB.
Look at the iproute2 package source under doc/actions

From Jon.J.Flechsenhaar at boeing.com Mon Jan 22 17:58:01 2007
From: Jon.J.Flechsenhaar at boeing.com (Flechsenhaar, Jon J)
Date: Mon Jan 22 17:58:21 2007
Subject: [LARTC] HTB? (NEWBIE)
In-Reply-To: <01585ec188c0b5cce2d81d492b5930e2@85.18.136.107>
References: <01585ec188c0b5cce2d81d492b5930e2@85.18.136.107>
Message-ID: <0E24ED2A7F9AA349A8633E6A56A64BE0027A81A8@XCH-SW-2V1.sw.nos.boeing.com>

> As the guide says, I expect to see on the router (with the command
> tc -s qdisc ls dev eth0) that unclassified traffic, like ssh, gets routed
> to 20: but it doesn't happen.

- Traffic just doesn't get routed to a class. If you want traffic going to
  a class you need to specify a filter. Did you by chance man the default
  class 1:30? Any traffic not classified should end up there.

- Packet shaping is only done on the Egress/root side of an interface. That
  is why you will only see stats for that. You won't see stats for the
  ingress side.

Does this answer any of your questions?

Jon Flechsenhaar
Boeing WNW Team
Network Services
(714)-762-1231
202-E7

-----Original Message-----
From: Simone84bo [mailto:simone84bo@email.it]
Sent: Friday, January 19, 2007 3:05 PM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] HTB? (NEWBIE)

Hi to all

I am studying HTB on LARTC how to. I set up a simple configuration on the
router:

tc qdisc add dev eth0 root handle 1: htb default 30
tc class add dev eth0 parent 1: classid 1:1 htb rate 3mbit burst 15k
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 2mbit burst 15k
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 1mbit burst 15k
tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip dport 80 0xffff flowid 1:10

After this configuration I make a ssh connection between client and server.
As the guide says, I expect to see on the router (with the command
tc -s qdisc ls dev eth0) that unclassified traffic, like ssh, gets routed
to 20: but it doesn't happen. The ssh traffic packet count shows up only on
the root qdisc. Why?

A second question: if I want to limit the rate of my whole router, which
configuration should I use?

Thanks

From michael_soulier at mitel.com Mon Jan 22 20:21:13 2007
From: michael_soulier at mitel.com (Michael P. Soulier)
Date: Mon Jan 22 20:21:19 2007
Subject: [LARTC] routing in tunnel mode
Message-ID: <20070122192113.GE20873@e-smith.com>

Hello,

Looking here

http://www.ipsec-howto.org/x299.html

I've set up a vpn in transport mode with two linux boxes. I'm now trying to
set it up in tunnel mode. After using the example keys, trying to ping, it
doesn't work because the route network isn't routable.

This mention is in the howto

"If your tunnel is not working, please check your routing. Your hosts need to
know that they should send the packets for the opposite network to your vpn
gateway. The easiest setup would be using your vpn gateway as default
gateway."

But how does one set up a route like that, since the network is multiple hops
away, the route command isn't going to accept it?

[root@vmware-espresso1 ~]# route add -net 172.16.113.0 netmask 255.255.255.0 gw 10.33.15.145
SIOCADDRT: Network is unreachable

Some help please.

Mike
--
Michael P. Soulier, 613-592-2122 x2522
"Any intelligent fool can make things bigger and more complex... It takes a
touch of genius - and a lot of courage to move in the opposite direction."
--Albert Einstein

From michael_soulier at mitel.com Mon Jan 22 20:44:42 2007
From: michael_soulier at mitel.com (Michael P. Soulier)
Date: Mon Jan 22 20:44:53 2007
Subject: [LARTC] ipip tunnel docs broken
Message-ID: <20070122194442.GG20873@e-smith.com>

Hello,

Looking here

http://lartc.org/howto/lartc.tunnel.ip-ip.html

It says to load a new_tunnel.o module. There is no such module on 2.6.9, so
where would I find up-to-date documentation on ip tunnels in the Linux
kernel?

Thanks,
Mike
--
Michael P. Soulier, 613-592-2122 x2522
"Any intelligent fool can make things bigger and more complex... It takes a
touch of genius - and a lot of courage to move in the opposite direction."
--Albert Einstein

From tim.stoop at gmail.com Mon Jan 22 21:02:39 2007
From: tim.stoop at gmail.com (Tim Stoop)
Date: Mon Jan 22 21:02:59 2007
Subject: [LARTC] aes unsupported algorithm for ipsec?
Message-ID: <5beee6a0701221202v7de335c9r39d48ceb9041ff62@mail.gmail.com>

Hi all,

I'm trying to create an IPsec tunnel from a Debian Etch machine to a
Cisco PIX. Part of my config is the following:

add x.x.x.x x.x.x.x esp 34501 -m tunnel -E aes-ctr "abcdefghijklmnop";

When I try to set this using setkey, it fails with the following message:

line 9: unsupported algorithm at [abcdefghijklmnop]
parse failed, line 9.

Can anyone tell me what I'm doing wrong?

--
Greetings,
Tim

From bizquik at weednet.ro Mon Jan 22 21:11:07 2007
From: bizquik at weednet.ro (Danut Chereches)
Date: Mon Jan 22 21:11:13 2007
Subject: [LARTC] two internet providers
Message-ID: <45B51A5B.2030508@weednet.ro>

hello

i have slackware installed and i have two internet connections,
ADSL (2,5mbps) + CableModem (1mbps)

i want to share the connections in a small network: NAT for the ADSL
connection, and a proxy server for the cablemodem connection

i searched all over the internet (probably not where i was supposed to) but
i couldn't find a solution

if someone could give me a tip i would really appreciate it

sorry for my english

From sawar at interia.pl Tue Jan 23 01:11:23 2007
From: sawar at interia.pl (sAwAr)
Date: Tue Jan 23 01:11:35 2007
Subject: [LARTC] LoadBalancing on many asymmetric different dsl's.
Message-ID: <20070123001123.A0F4429B096@poczta.interia.pl>

Thanks for all your answers. I ask my question in a different way because I
still don't get an answer which will be satisfying for me.

Did anybody set up a similar configuration in the past? Has someone any
suggestions how to set it up, to configure load balancing to avoid the
situation when one link is empty or only upload is used and other links are
full?

Do weights ensure that upload and download on all links with different
up/down speeds will be equally loaded?
Regards,
sawar

> On Mon, Jan 22, 2007 at 01:21:32PM +0100, Jordi Segues wrote:
> > >the above is actually covered in the wiki howto. But you need to setup
> > >snat on
> > >each interface, then connection tracking takes care of sending each stream
> > >out
> > >the right interface, you need to use snat and not MASQ.
> >
> > Great news :)
> > And thank you for the details.
> > But could you give the link to the wiki howto?
> > I only found old doc.
>
> been a while since i had a look, quick google gave me this
>
> http://lartc.org/howto/lartc.rpdb.multiple-links.html
>
> I have this bookmarked as the wiki
> http://linux-net.osdl.org/index.php/Main_Page
>
> But I think the former is what you want
>
> > Thanks!
> >
> > >Then you need to set up some ip rule tables for each of the interfaces.
> > >
> > >my ip ru looks like this
> > >
> > >0:      from all lookup local
> > >200:    from 144.132.145.38 lookup cable
> > >201:    from 60.241.248.86 lookup adsl
> > >32766:  from all lookup main
> > >32767:  from all lookup default
> > >
> > >my ip r sh tab default
> > >
> > >default proto static metric 5
> > >        nexthop via 144.132.144.1 dev vlan2 weight 1
> > >        nexthop via 10.20.20.230 dev ppp0 weight 20
> > >default via 10.20.20.230 dev ppp0 src 60.241.248.86 metric 20
> > >default via 144.132.144.1 dev vlan2 src 144.132.145.38 metric 30
> > >
> > >This works fine for me, I have tracked packets with tcpdump on both the
> > >server
> > >and the client.
> > >
> > >Alex
> > >
> > >> Thanks!
> > >>
> > >> Jordi Segues
> > >>
> > >> On 22 Jan 2007 09:49:28 +0100, sAwAr <sawar@interia.pl> wrote:
> > >> >Hi,
> > >> >
> > >> >my company have just bought new network and I have question about one
> > >> >problem.
> > >> >As in topic we must use few completely different dsl's and balance
> > >traffic
> > >> >between them.
> > >> >2M/0,5M 4Mb/0,5M 8M/0,5M
> > >> >M=Mb/s
> > >> >I've never done such thing before so I have doubts how it will work. If
> > >> >the links are symmetric 2/2 4/4 8/8 there is no problem because with
> > >> >weights I can compensate the difference between them and achieve nice
> > >> >results. But what in my situation?
> > >> >My questions are: how to set load balancing to get all links equally
> > >> >loaded and avoid situation when the up load will be full and download
> > >> >almost empty? I believe this situation can happen due to fact that load
> > >> >balancing is based on flows and for example p2p or smtp/pop3 will eat
> > >> >whole upload.
> > >> >If my problem isn't clear I'll try to explain it better later.
> > >> >
> > >> >Thanks in advance.
> > >> >Regards,
> > >> >sawar
> > >>
> > >
> >
>

From tomlobato at gmail.com Tue Jan 23 01:40:38 2007
From: tomlobato at gmail.com (Tom Lobato)
Date: Tue Jan 23 01:38:22 2007
Subject: [LARTC] DGD patch not detecting dead gateway
In-Reply-To: <1df4abe60701191045q32c78d97h1ebee0846b5181f@mail.gmail.com>
References: <7fe14e000701182100l5b1474eai853a0077c821a835@mail.gmail.com> <1df4abe60701191045q32c78d97h1ebee0846b5181f@mail.gmail.com>
Message-ID: <45B55986.6020402@gmail.com>

Hi! Thank you.

Manish Kathuria wrote:
> On 1/19/07, Tom Lobato wrote:
>> Hello all!
>>
>> I applied http://www.ssi.bg/~ja/routes-2.6.8-10.diff patch to kernel
>> 2.6.8.1 and it works fine, or almost fine. It does the load balancing
>> well, but when one link is dropped it continues to try it.
>> At the end of http://www.ssi.bg/~ja/nano.txt it is said to ping
>> gateway 1 and gateway 2, for the kernel to know if that route is
>> working, but since my linux is connected to the links through 1
>> dedicated link and one adsl modem, I tried to:
>> 1) remove ethernet cable from linux nic: the patch worked well,
>> began to send traffic only to the yet working link.
>> 2) remove telephone line from adsl modem (or external ethernet
>> cable from the dedic. link switch): the patch didn't work, continued
>> trying to send traffic to the dropped link.
>> So, I think it's happening because linux, since it can ping the
>> switch (or adsl modem), thinks that link is good.
>>
>> Did you have this problem? Some hint?
>> Thank you!
>>
>
> My experience has been mixed. The patch worked very well in many cases
> but in some it worked only if the first hop gateway was down and not
> any of the subsequent hops. So as you mentioned it's happening since it
> can ping the switch / modem, it thinks the link is good. You can make
> a script which will keep on running in the background and check if the
> links are up or not and if any of the links is down, it can change the
> default route and provide a failover.
>

Oh yes, in fact I already made such scripts, before I knew about this patch,
using "4.2. Routing for multiple uplinks/providers" from the Adv-Routing-HOWTO
information. But facing this problem, I think the best solution is to use it
again.

Does somebody know if there is work in progress to solve this? Is there some
goal to include this patch in the mainstream kernel? What is the possibility
of it?

Tom Lobato

From mingching.tiew at redtone.com Tue Jan 23 08:06:36 2007
From: mingching.tiew at redtone.com (Ming-Ching Tiew)
Date: Tue Jan 23 08:08:06 2007
Subject: [LARTC] determine internet connection duration
Message-ID: <00af01c73ebd$054fb7c0$0100a8c0@newlife>

Does anyone have an idea of what would be the best way to track the
connection time of a particular user to the internet?

Imagine a wifi network where the users will connect to the system via DHCP
(there is no PPPOE session involved). If there is a need to track internet
usage based on connection time (to the internet), what would be the best
way to track it?

Appreciate any input or ideas.
From Покотиленко Tue Jan 23 09:46:24 2007
From: Покотиленко (Покотиленко)
Date: Tue Jan 23 09:46:57 2007
Subject: [LARTC] iptables rules disappearing!!!
Message-ID: <1169541984.4380.16.camel@localhost.localdomain>

Hi all.

I have got to see a strange thing. Some of my iptables rules are disappearing
after several days!!!

I have many rules like:

# iptables -t mangle -A $MYCHAIN -s $SRC_IP -d $DST_IP -j MARK --set-mark $MARK

for classifying traffic for shaping, total about 100 rules with 20 different
marks, and rules like

# iptables -A FORWARD -m mark --mark $MARK

for accounting shaping classes, total 20 rules (for all marks). There are also
many other filtering and nat rules.

Some of the mark rules in the FORWARD chain are disappearing after several
days. How can this happen? Can this happen without user intrusion?
Considering that all those rules are inserted during boot by iptables-restore.
I double checked that during ppp up/down rules are inserted/removed only in
"-t mangle", "-t nat" and "-A USERCHAIN".

System: Debian Sarge, 2.6.8-3-k7, iptables v1.2.11

From pupilla at hotmail.com Tue Jan 23 10:20:11 2007
From: pupilla at hotmail.com (Marco Berizzi)
Date: Tue Jan 23 10:20:33 2007
Subject: [LARTC] aes unsupported algorithm for ipsec?
References: <5beee6a0701221202v7de335c9r39d48ceb9041ff62@mail.gmail.com>
Message-ID:

Tim Stoop wrote:

> Hi all,
>
> I'm trying to create an IPsec tunnel from a Debian Etch machine to a
> Cisco PIX. Part of my config is the following:
>
> add x.x.x.x x.x.x.x esp 34501 -m tunnel -E aes-ctr "abcdefghijklmnop";
>
> When I try to set this using setkey, it fails with the following message:
>
> line 9: unsupported algorithm at [abcdefghijklmnop]
> parse failed, line 9.
>
> Can anyone tell me what I'm doing wrong?

did you try to 'modprobe aes'?
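An added defender-side check for the "iptables rules disappearing" post above (this is not code from the list or from any poster). The question the post asks, whether rules vanished through some script or through intrusion, is easier to answer with evidence: keep an iptables-save snapshot taken right after iptables-restore runs at boot, and diff later snapshots against it per table and chain, so that both missing and unexpected rules are reported. The two dumps below are constructed samples in iptables-save format using documentation-range addresses, not captures from the poster's system; the chain name MYCHAIN and the mark values follow the post's own pattern.

```python
"""Detect rules that vanished (or appeared) between two iptables-save dumps.

Added example for the "iptables rules disappearing" post; not code from the
list or from any poster. Assumes the operator saves a baseline with
`iptables-save` after boot and compares later snapshots against it.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed baseline dump: two MARK rules in mangle, two accounting rules in
# filter/FORWARD (the poster's pattern, with placeholder addresses).
BASELINE = """\
# Generated by iptables-save v1.2.11
*mangle
:PREROUTING ACCEPT [0:0]
:MYCHAIN - [0:0]
-A PREROUTING -j MYCHAIN
-A MYCHAIN -s 192.0.2.10 -d 198.51.100.20 -j MARK --set-mark 0x1
-A MYCHAIN -s 192.0.2.11 -d 198.51.100.21 -j MARK --set-mark 0x2
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m mark --mark 0x1
-A FORWARD -m mark --mark 0x2
COMMIT
"""

# Constructed later snapshot: one FORWARD accounting rule is gone and a rule
# nobody configured has appeared.
LATER = """\
# Generated by iptables-save v1.2.11
*mangle
:PREROUTING ACCEPT [0:0]
:MYCHAIN - [0:0]
-A PREROUTING -j MYCHAIN
-A MYCHAIN -s 192.0.2.10 -d 198.51.100.20 -j MARK --set-mark 0x1
-A MYCHAIN -s 192.0.2.11 -d 198.51.100.21 -j MARK --set-mark 0x2
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m mark --mark 0x1
-A FORWARD -s 203.0.113.5 -j ACCEPT
COMMIT
"""

RuleSet = Dict[Tuple[str, str], Set[str]]   # (table, chain) -> rule bodies
Report = Dict[Tuple[str, str], List[str]]


def parse_save(dump: str) -> RuleSet:
    """Group the `-A <chain> ...` lines of an iptables-save dump by table/chain.

    Comments, `*table` markers, `:chain policy` lines and COMMIT are consumed
    for structure only; trailing `[pkts:bytes]` counters (iptables-save -c)
    are stripped so only the rule text is compared.
    """
    rules: RuleSet = {}
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            continue
        if line.startswith(":"):
            continue
        m = re.match(r"-A (\S+) (.*)", line)
        if m and table is not None:
            body = re.sub(r"\s*\[\d+:\d+\]$", "", m.group(2))
            rules.setdefault((table, m.group(1)), set()).add(body)
    return rules


def diff_rules(baseline: str, later: str) -> Tuple[Report, Report]:
    """Return (missing, unexpected): rules only in the baseline / only in later."""
    a, b = parse_save(baseline), parse_save(later)
    missing: Report = {}
    unexpected: Report = {}
    for key in set(a) | set(b):
        gone = sorted(a.get(key, set()) - b.get(key, set()))
        new = sorted(b.get(key, set()) - a.get(key, set()))
        if gone:
            missing[key] = gone
        if new:
            unexpected[key] = new
    return missing, unexpected


if __name__ == "__main__":
    gone, new = diff_rules(BASELINE, LATER)
    for (table, chain), bodies in sorted(gone.items()):
        for body in bodies:
            print(f"MISSING    {table}/{chain}: {body}")
    for (table, chain), bodies in sorted(new.items()):
        for body in bodies:
            print(f"UNEXPECTED {table}/{chain}: {body}")
```

Run from cron with the live `iptables-save` output in place of LATER, the report pinpoints which chain lost which rule and when, which separates a ppp up/down hook touching the wrong chain from a change nobody's scripts made. The comparison is set-based, so two byte-identical rules in the same chain count once.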
From tim.stoop at gmail.com Tue Jan 23 10:23:44 2007
From: tim.stoop at gmail.com (Tim Stoop)
Date: Tue Jan 23 10:23:53 2007
Subject: [LARTC] aes unsupported algorithm for ipsec?
In-Reply-To:
References: <5beee6a0701221202v7de335c9r39d48ceb9041ff62@mail.gmail.com>
Message-ID: <5beee6a0701230123x5c316179k8db474d43bf21a2@mail.gmail.com>

Hi Marco,

On 1/23/07, Marco Berizzi wrote:
>
> did you try to 'modprobe aes'?
>

Yeah, and lsmod shows that aes is loaded into the kernel.

--
Greetings,
Tim

From hijacker at oldum.net Tue Jan 23 13:14:32 2007
From: hijacker at oldum.net (Nikolay Kichukov)
Date: Tue Jan 23 13:14:48 2007
Subject: [LARTC] routing in tunnel mode
In-Reply-To: <20070122192113.GE20873@e-smith.com>
References: <20070122192113.GE20873@e-smith.com>
Message-ID: <45B5FC28.5080708@oldum.net>

Hello there,

it does not matter what type of network you are trying to reach, the Network
unreachable error message suggests that the router does not know on which
(physical) interface to forward the packets with destination -net!

Before the line you wrote, try this:

route add -net xx.xx.xxx.xxx dev YOURDEVICE

YOURDEVICE will be the device via which the network is connected to the
router. If it is a sit tunnel, then YOURDEVICE = sit0.

HTH,
-Nikolay Kichukov

Michael P. Soulier wrote:
> Hello,
>
> Looking here
>
> http://www.ipsec-howto.org/x299.html
>
> I've set up a vpn in transport mode with two linux boxes. I'm now trying to
> set it up in tunnel mode. After using the example keys, trying to ping, it
> doesn't work because the route network isn't routable.
>
> This mention is in the howto
>
> "If your tunnel is not working, please check your routing. Your hosts need to
> know that they should send the packets for the opposite network to your vpn
> gateway. The easiest setup would be using your vpn gateway as default
> gateway."
>
> But how does one set up a route like that, since the network is multiple hops
> away, the route command isn't going to accept it?
>
> [root@vmware-espresso1 ~]# route add -net 172.16.113.0 netmask 255.255.255.0 gw 10.33.15.145
> SIOCADDRT: Network is unreachable
>
> Some help please.
>
> Mike

From tim at haak.co.uk Tue Jan 23 15:10:44 2007
From: tim at haak.co.uk (Tim Haak)
Date: Tue Jan 23 15:11:34 2007
Subject: [LARTC] routing patches seem to break output nat
Message-ID: <45B61764.5030902@haak.co.uk>

Hi

We have applied the routing patches from http://www.ssi.bg/%7Eja/#routes to
2.6.15. This seems to have broken our output natting. Has anyone else
experienced this, or any advice on how to fix it? Is this working on the
newer kernel, i.e. 2.6.19?

Any help would be appreciated.

--
Tim Haak

From michael_soulier at mitel.com Tue Jan 23 16:15:00 2007
From: michael_soulier at mitel.com (Michael P. Soulier)
Date: Tue Jan 23 16:15:06 2007
Subject: [LARTC] routing in tunnel mode
In-Reply-To: <20070122192113.GE20873@e-smith.com>
References: <20070122192113.GE20873@e-smith.com>
Message-ID: <20070123151459.GL20873@e-smith.com>

On 22/01/07 Michael P. Soulier did say:
> This mention is in the howto
>
> "If your tunnel is not working, please check your routing. Your hosts need to
> know that they should send the packets for the opposite network to your vpn
> gateway. The easiest setup would be using your vpn gateway as default
> gateway."
>
> But how does one set up a route like that, since the network is multiple hops
> away, the route command isn't going to accept it?

Brain fart. This was written for the clients on the private networks being
connected.
It seemed like it was written for the vpn gateways. The policy seems sufficient for routing, although I had expected the more traditional routing tools to play a part. Mike -- Michael P. Soulier , 613-592-2122 x2522 "Any intelligent fool can make things bigger and more complex... It takes a touch of genius - and a lot of courage to move in the opposite direction." --Albert Einstein From marco.casaroli at gmail.com Tue Jan 23 16:46:08 2007 From: marco.casaroli at gmail.com (Marco Aurelio) Date: Tue Jan 23 16:46:12 2007 Subject: [LARTC] LARTC Wiki Message-ID: <92ed523b0701230746x242726b1w123782b4ff9ea53d@mail.gmail.com> Hi all, Since the mail list receives a lot of repeated subjects (for example: "i have two adsl lines..."), maybe these specific issues should be treated on the LARTC Guide, or maybe if we had an wiki? Is there a LARTC Wiki? If not, what do you think about creating one? Thanks -- Marco -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070123/6176fd89/attachment.html From jordisd at gmail.com Tue Jan 23 16:49:46 2007 From: jordisd at gmail.com (Jordi Segues) Date: Tue Jan 23 16:49:53 2007 Subject: [LARTC] LARTC Wiki In-Reply-To: <92ed523b0701230746x242726b1w123782b4ff9ea53d@mail.gmail.com> References: <92ed523b0701230746x242726b1w123782b4ff9ea53d@mail.gmail.com> Message-ID: <9e04a9140701230749v6b7383e4s425818ec8bf628f4@mail.gmail.com> Yes, specially this subject (2 adsl lines...) ;) It would be cool to have a wiki.. anyone motivated to create one? On 1/23/07, Marco Aurelio wrote: > Hi all, > > Since the mail list receives a lot of repeated subjects (for example: "i > have two adsl lines..."), maybe these specific issues should be treated on > the LARTC Guide, or maybe if we had an wiki? > > Is there a LARTC Wiki? > > If not, what do you think about creating one? 
> > Thanks > > -- > Marco > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > > > -- Jordi Segu?s Daina ------------------------------------------------------- Andorra GSM: (+376) 35 35 68 France GSM: (+33) (0)6 81 88 35 55 E-m@il / MSN: jordisd@gmail.com AIM: superjordix Skype: callto://superjordix ------------------------------------------------------- http://www.JordiX.com From andy at andybev.com Tue Jan 23 16:53:23 2007 From: andy at andybev.com (Andrew Beverley) Date: Tue Jan 23 16:52:46 2007 Subject: [LARTC] LARTC Wiki In-Reply-To: <92ed523b0701230746x242726b1w123782b4ff9ea53d@mail.gmail.com> References: <92ed523b0701230746x242726b1w123782b4ff9ea53d@mail.gmail.com> Message-ID: <1169567604.4250.16.camel@andybev.localdomain> I'm not aware of one, and I think it's an excellent idea. There's some great software available for LARTC, and some of the documentation is very good, but unfortunately it's all a bit disparate. A wiki would be a great start. I'd be happy to host one and transfer stuff into it unless someone else has a better idea/offer? Andy Beverley On Tue, 2007-01-23 at 12:46 -0300, Marco Aurelio wrote: > Hi all, > > Since the mail list receives a lot of repeated subjects (for example: > "i have two adsl lines..."), maybe these specific issues should be > treated on the LARTC Guide, or maybe if we had an wiki? > > Is there a LARTC Wiki? > > If not, what do you think about creating one? 
>
> Thanks
>
> --
> Marco

From mark at suso.org Tue Jan 23 16:54:49 2007
From: mark at suso.org (Mark Krenz)
Date: Tue Jan 23 16:54:58 2007
Subject: [LARTC] LARTC Wiki
In-Reply-To: <1169567604.4250.16.camel@andybev.localdomain>
References: <92ed523b0701230746x242726b1w123782b4ff9ea53d@mail.gmail.com> <1169567604.4250.16.camel@andybev.localdomain>
Message-ID: <20070123155448.GR27787@arvo.suso.org>

I also think that this would be a good idea. Having example rulesets and related firewall and QOS stuff.

On Tue, Jan 23, 2007 at 03:53:23PM GMT, Andrew Beverley [andy@andybev.com] said the following:
> I'm not aware of one, and I think it's an excellent idea.
>
> There's some great software available for LARTC, and some of the
> documentation is very good, but unfortunately it's all a bit disparate.
> A wiki would be a great start.
>
> I'd be happy to host one and transfer stuff into it unless someone else
> has a better idea/offer?
>
> Andy Beverley
>
>
> On Tue, 2007-01-23 at 12:46 -0300, Marco Aurelio wrote:
> > Hi all,
> >
> > Since the mail list receives a lot of repeated subjects (for example:
> > "i have two adsl lines..."), maybe these specific issues should be
> > treated on the LARTC Guide, or maybe if we had a wiki?
> >
> > Is there a LARTC Wiki?
> >
> > If not, what do you think about creating one?
> >
> > Thanks
> >
> > --
> > Marco
>

--
Mark S. Krenz
IT Director
Suso Technology Services, Inc.
http://suso.org/

From bugfood-ml at fatooh.org Tue Jan 23 20:16:04 2007
From: bugfood-ml at fatooh.org (Corey Hickey)
Date: Tue Jan 23 20:16:10 2007
Subject: [LARTC] [ANNOUNCE] ESFQ for Linux 2.6.19.2 (with jhash!)
Message-ID: <45B65EF4.8090600@fatooh.org>

ESFQ's original hashing algorithm never worked particularly well for the src or dst hash types: close IP addresses, such as 10.0.0.1 and 10.0.0.2, often hashed to the same number, even with many different perturbation values. This prevented the src and dst hash types from working adequately with small and medium-sized network ranges.

A while ago, I added the src_direct and dst_direct hash types in an effort to work around the collision problem. The direct hash types were collision-free if handled properly. Unfortunately, they only worked properly for relatively small ranges of input, and as such required some care in usage.

I have now (finally) converted ESFQ to use jhash, which is far easier to use than I had ever thought. Collisions are still possible with jhash, but they occur evenly, regardless of input range or distribution--as it should be. When perturbation values are used, 10.0.0.1 and 10.0.0.2 are just as likely to collide as 1.2.3.4 and 56.78.90.123.

The src_direct, dst_direct, and fwmark_direct hash type hacks are no longer useful, and I intend to deprecate them in the next release. Send me an email if you have a reason I should leave the *_direct hash types alone.

Home page: http://fatooh.org/esfq-2.6/
Direct URL: http://fatooh.org/esfq-2.6/esfq-2.6.19.2.tar.gz
README (also available in the tar.gz): http://fatooh.org/esfq-2.6/current/README

Try it out, have fun, and if you find a bug or have a suggestion please send me an email.
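As an added illustration of the collision behaviour Corey describes (this is not his code or ESFQ's): a Python transcription of the lookup2-style jhash_3words() mixer that 2.6-era kernels exported from linux/jhash.h (that this is the variant ESFQ adopted is an assumption), used to check that a run of neighbouring addresses such as 10.0.0.1 to 10.0.0.254 occupies flow buckets as evenly as 254 scattered addresses, and that changing the perturbation value re-shuffles almost every address.

```python
"""Bucket spread of a jhash-style hash over adjacent IPv4 addresses.

Added example, not ESFQ's or the kernel's code. The mixer below follows the
jhash_3words() of 2.6-era linux/jhash.h (assumption: the variant ESFQ uses);
the bucket selection (hash & (size - 1)) is likewise an assumption about how
a power-of-two flow table is indexed.
"""
import ipaddress
import random

MASK32 = 0xFFFFFFFF
JHASH_GOLDEN_RATIO = 0x9E3779B9  # kernel constant added to a and b


def _mix(a, b, c):
    """Bob Jenkins' lookup2 mixing round on three 32-bit words."""
    a = (a - b - c) & MASK32; a ^= c >> 13
    b = (b - c - a) & MASK32; b ^= (a << 8) & MASK32
    c = (c - a - b) & MASK32; c ^= b >> 13
    a = (a - b - c) & MASK32; a ^= c >> 12
    b = (b - c - a) & MASK32; b ^= (a << 16) & MASK32
    c = (c - a - b) & MASK32; c ^= b >> 5
    a = (a - b - c) & MASK32; a ^= c >> 3
    b = (b - c - a) & MASK32; b ^= (a << 10) & MASK32
    c = (c - a - b) & MASK32; c ^= b >> 15
    return a, b, c


def jhash_3words(a, b, c, initval):
    """Hash three 32-bit words; initval plays the role of ESFQ's perturbation."""
    a = (a + JHASH_GOLDEN_RATIO) & MASK32
    b = (b + JHASH_GOLDEN_RATIO) & MASK32
    c = (c + initval) & MASK32
    return _mix(a, b, c)[2]


def jhash_1word(a, initval):
    return jhash_3words(a, 0, 0, initval)


def bucket(addr, perturb, nbuckets):
    """Flow bucket for one address in a power-of-two table (assumed indexing)."""
    assert nbuckets & (nbuckets - 1) == 0, "table size must be a power of two"
    return jhash_1word(int(ipaddress.IPv4Address(addr)), perturb) & (nbuckets - 1)


def adjacent_block(first, count):
    """`count` consecutive addresses starting at `first`, e.g. a small LAN."""
    start = ipaddress.IPv4Address(first)
    return [str(start + i) for i in range(count)]


def scattered_addresses(count, seed=1):
    """Constructed sample: pseudo-random addresses spread over the whole space."""
    rng = random.Random(seed)
    return [str(ipaddress.IPv4Address(rng.getrandbits(32))) for _ in range(count)]


def occupied_buckets(addrs, perturb, nbuckets):
    """How many distinct buckets the address set lands in (higher = fewer collisions)."""
    return len({bucket(a, perturb, nbuckets) for a in addrs})


def rehashed_fraction(addrs, old_perturb, new_perturb, nbuckets):
    """Share of addresses that move to a different bucket when the perturbation changes."""
    moved = sum(bucket(a, old_perturb, nbuckets) != bucket(a, new_perturb, nbuckets)
                for a in addrs)
    return moved / len(addrs)


if __name__ == "__main__":
    near = adjacent_block("10.0.0.1", 254)   # the 10.0.0.x case from the announcement
    far = scattered_addresses(254)           # constructed comparison set
    for perturb in (0, 12345, 0xDEADBEEF):
        print("perturb=%#x adjacent=%d scattered=%d of 1024 buckets" % (
            perturb, occupied_buckets(near, perturb, 1024),
            occupied_buckets(far, perturb, 1024)))
    print("addresses rehashed on perturbation change: %.2f" %
          rehashed_fraction(near, 0, 1, 1024))
```

With 254 addresses in 1024 buckets a uniform hash leaves roughly 225 buckets occupied whichever set you feed it; the adjacent block scoring about the same as the scattered one is what "collisions occur evenly" means in practice.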
-Corey

From alex at samad.com.au Tue Jan 23 21:13:23 2007
From: alex at samad.com.au (Alex Samad)
Date: Tue Jan 23 21:13:35 2007
Subject: [LARTC] LARTC Wiki
In-Reply-To: <1169567604.4250.16.camel@andybev.localdomain>
References: <92ed523b0701230746x242726b1w123782b4ff9ea53d@mail.gmail.com> <1169567604.4250.16.camel@andybev.localdomain>
Message-ID: <20070123201323.GI3981@samad.com.au>

On Tue, Jan 23, 2007 at 03:53:23PM +0000, Andrew Beverley wrote:
> I'm not aware of one, and I think it's an excellent idea.
>
> There's some great software available for LARTC, and some of the
> documentation is very good, but unfortunately it's all a bit disparate.
> A wiki would be a great start.
>
> I'd be happy to host one and transfer stuff into it unless someone else
> has a better idea/offer?
>
> Andy Beverley

Last time there was talk of a wiki this address was given

http://linux-net.osdl.org/index.php/Main_Page

This link below gives the details on how to set up a multi-link connection
http://lartc.org/howto/lartc.rpdb.multiple-links.html

Alex

>
>
> On Tue, 2007-01-23 at 12:46 -0300, Marco Aurelio wrote:
> > Hi all,
> >
> > Since the mail list receives a lot of repeated subjects (for example:
> > "i have two adsl lines..."), maybe these specific issues should be
> > treated on the LARTC Guide, or maybe if we had a wiki?
> >
> > Is there a LARTC Wiki?
> >
> > If not, what do you think about creating one?
> >
> > Thanks
> >
> > --
> > Marco
>
From tiago.silva at zmail.pt Tue Jan 23 23:09:58 2007
From: tiago.silva at zmail.pt (Tiago Bruno Espírito Santo Silva)
Date: Tue Jan 23 23:10:15 2007
Subject: [LARTC] LARTC Wiki
In-Reply-To: <20070123201323.GI3981@samad.com.au>
References: <92ed523b0701230746x242726b1w123782b4ff9ea53d@mail.gmail.com> <1169567604.4250.16.camel@andybev.localdomain> <20070123201323.GI3981@samad.com.au>
Message-ID: <45B687B6.7080704@zmail.pt>

I think that wiki is not the same thing, and...after all...is not the LARTC official wiki...

Isn't the LARTC mailing list more popular? I think it is...and a wiki is the way to go...imho

Alex Samad wrote:
> On Tue, Jan 23, 2007 at 03:53:23PM +0000, Andrew Beverley wrote:
>
>> I'm not aware of one, and I think it's an excellent idea.
>>
>> There's some great software available for LARTC, and some of the
>> documentation is very good, but unfortunately it's all a bit disparate.
>> A wiki would be a great start.
>>
>> I'd be happy to host one and transfer stuff into it unless someone else
>> has a better idea/offer?
>>
>> Andy Beverley
>>
>
> Last time there was talk of a wiki this address was given
>
>
> http://linux-net.osdl.org/index.php/Main_Page
>
>
> This link below gives the details on how to set up a multi-link connection
> http://lartc.org/howto/lartc.rpdb.multiple-links.html
>
>
> Alex
>
>
>> On Tue, 2007-01-23 at 12:46 -0300, Marco Aurelio wrote:
>>
>>> Hi all,
>>>
>>> Since the mail list receives a lot of repeated subjects (for example:
>>> "i have two adsl lines..."), maybe these specific issues should be
>>> treated on the LARTC Guide, or maybe if we had a wiki?
>>>
>>> Is there a LARTC Wiki?
>>>
>>> If not, what do you think about creating one?
>>>
>>> Thanks
>>>
>>> --
>>> Marco
>>>
>>

From ja at ssi.bg Tue Jan 23 23:31:43 2007
From: ja at ssi.bg (Julian Anastasov)
Date: Tue Jan 23 23:26:16 2007
Subject: [LARTC] routing patches seem to break output nat
In-Reply-To: <45B61764.5030902@haak.co.uk>
References: <45B61764.5030902@haak.co.uk>
Message-ID:

Hello,

On Tue, 23 Jan 2007, Tim Haak wrote:

> We have applied the routing patches from
> http://www.ssi.bg/%7Eja/#routes. To 2.6.15 this seems to have broken our
> output natting. Has anyone else experienced this or any advice on how to
> fix. Is this working on the newer kernel i.e. 2.6.19 ? Any help would be
> appreciated.

A month ago Bart Duchesne found a problem with the routes patch for 2.6 where reply packets for -j DNAT connections initiated in OUTPUT are dropped in pre-routing. I have now updated the patches and if you have the same problem you can try the new diffs from today, eg.
http://www.ssi.bg/~ja/routes-2.6.19-13.diff

The fix for old patches is to remove the following extra check (2 lines from net/ipv4/route.c) which obviously aborts ip_route_input() with EINVAL for RTN_LOCAL when replies from the remote host are destined to our local IP:

+	if (lsrc && res.type != RTN_UNICAST && res.type != RTN_NAT)
+		goto e_inval;

Regards

--
Julian Anastasov

From gypsy at iswest.com Wed Jan 24 04:34:31 2007
From: gypsy at iswest.com (gypsy)
Date: Wed Jan 24 04:34:55 2007
Subject: [LARTC] LARTC Wiki
References: <92ed523b0701230746x242726b1w123782b4ff9ea53d@mail.gmail.com> <1169567604.4250.16.camel@andybev.localdomain> <20070123155448.GR27787@arvo.suso.org>
Message-ID: <45B6D3C7.A08E3232@iswest.com>

Mark Krenz wrote:
>
> I also think that this would be a good idea. Having example rulesets
> and related firewall and QOS stuff.
>
> On Tue, Jan 23, 2007 at 03:53:23PM GMT, Andrew Beverley [andy@andybev.com] said the following:
> > I'm not aware of one, and I think it's an excellent idea.
> >
> > There's some great software available for LARTC, and some of the
> > documentation is very good, but unfortunately it's all a bit disparate.
> > A wiki would be a great start.
> >
> > I'd be happy to host one and transfer stuff into it unless someone else
> > has a better idea/offer?
> >
> > Andy Beverley
> >
> >
> > On Tue, 2007-01-23 at 12:46 -0300, Marco Aurelio wrote:
> > > Hi all,
> > >
> > > Since the mail list receives a lot of repeated subjects (for example:
> > > "i have two adsl lines..."), maybe these specific issues should be
> > > treated on the LARTC Guide, or maybe if we had a wiki?
> > >
> > > Is there a LARTC Wiki?
> > >
> > > If not, what do you think about creating one?
> > >
> > > Thanks
> > >
> > > --
> > > Marco

The existing wiki is at http://linux-net.osdl.org
--
gypsy

From pereyra.roberto at gmail.com Wed Jan 24 11:29:11 2007
From: pereyra.roberto at gmail.com (Roberto Pereyra)
Date: Wed Jan 24 11:29:22 2007
Subject: [LARTC] know if packets are marked
Message-ID:

Hi !!

I'm marking packets in a bridge:

Mark outbound www packets from clients:

/usr/local/sbin/iptables -A PREROUTING -t mangle -m physdev --physdev-in eth1 -p tcp --dport 80 -j MARK --set-mark 2

How can I know if these packets are marked?

roberto

--
Ing. Roberto Pereyra
ContenidosOnline
Looking for Linux Virtual Private Servers ? Click here: http://www.spry.com/hosting-affiliate/scripts/t.php?a_aid=426&a_bid=56

From tim at haak.co.uk Wed Jan 24 12:17:15 2007
From: tim at haak.co.uk (Tim Haak)
Date: Wed Jan 24 12:17:41 2007
Subject: [LARTC] routing patches seem to break output nat
In-Reply-To:
References: <45B61764.5030902@haak.co.uk>
Message-ID: <45B7403B.2050807@haak.co.uk>

Hi, thanks for the quick response, that seemed to work :)

Tim Haak
email: tim@haak.co.uk
cel: 0837787100
The executioner is, I hear, very expert, and my neck is very slender. -- Anne Boleyn

Julian Anastasov wrote:
> Hello,
>
> On Tue, 23 Jan 2007, Tim Haak wrote:
>
>
>> We have applied the routing patches from
>> http://www.ssi.bg/%7Eja/#routes. To 2.6.15 this seems to have broken our
>> output natting. Has anyone else experienced this or any advice on how to
>> fix. Is this working on the newer kernel i.e. 2.6.19 ? Any help would be
>> appreciated.
>>
>
> A month ago Bart Duchesne found a problem with the
> routes patch for 2.6 where reply packets for -j DNAT connections initiated
> in OUTPUT are dropped in pre-routing. I have now updated the patches and if you
> have the same problem you can try the new diffs from today, eg.
>
> http://www.ssi.bg/~ja/routes-2.6.19-13.diff
>
> The fix for old patches is to remove the following extra check
> (2 lines from net/ipv4/route.c) which obviously aborts ip_route_input()
> with EINVAL for RTN_LOCAL when replies from the remote host are destined to
> our local IP:
>
> +	if (lsrc && res.type != RTN_UNICAST && res.type != RTN_NAT)
> +		goto e_inval;
>
> Regards
>
> --
> Julian Anastasov
>
>

From JGavin at netuxsolutions.com Wed Jan 24 15:25:44 2007
From: JGavin at netuxsolutions.com (Joe Gavin)
Date: Wed Jan 24 15:25:52 2007
Subject: [LARTC] Are There better EQL devices
Message-ID: <4A528114E4F50642AEDB26933C5F111602B373@coretex.ns.local>

I have set up one of our routers to use a TEQL device to direct the outbound traffic but I would like to have a bit more control over how it sends out traffic. Is there a "better" EQL device that would allow me to, say, set the rate of the connections and have it fill up the first pipe, then dump to the second, then the third and so on, so that an outbound connection could use the combined outbound connection more efficiently?

Joe Gavin

From t.luettgert at pressestimmen.de Wed Jan 24 15:51:57 2007
From: t.luettgert at pressestimmen.de (Torsten Luettgert)
Date: Wed Jan 24 15:52:04 2007
Subject: [LARTC] know if packets are marked
In-Reply-To:
References:
Message-ID: <1169650317.2855.4.camel@sokrates.cff>

On Mi, 2007-01-24 at 07:29 -0300, Roberto Pereyra wrote:
> /usr/local/sbin/iptables -A PREROUTING -t mangle -m physdev
> --physdev-in eth1 -p tcp --dport 80 -j MARK --set-mark 2
>
> How can I know if these packets are marked?
On the same machine (your bridge), you can match the mark later with

iptables ... -m mark --mark value[/mask] ...

and there is a classifier for tc, too, I think. The mark doesn't stay on the packets once they leave your bridge, though, so you can't match them on other boxes.

Regards,
Torsten

From godsharp at gmail.com Wed Jan 24 16:14:56 2007
From: godsharp at gmail.com (GodSharp)
Date: Wed Jan 24 17:17:37 2007
Subject: [LARTC] ip alias + dsl modem
Message-ID: <000001c73fca$6a805f10$640a0a0a@eve24>

Hi Guys,

Just wondering, for some reason when I switched providers (DSL) IP aliasing stopped working. And I am not sure what kind of modem this is; the previous one had some Ethernet ports at the back (it has a built-in 4 port switch), the new one doesn't have one, only a single Ethernet port, and it is directly connected to my Linux box.

My provider gave me a /24 subnet and 9 usable IPs.

# ip a s eth2
6: eth2: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:08:a1:72:c1:f5 brd ff:ff:ff:ff:ff:ff
    inet xxx.xxx.xxx.50/24 brd xxx.xxx.xxx.255 scope global eth2
    inet xxx.xxx.xxx.51/24 brd xxx.xxx.xxx.255 scope global secondary eth2
    inet xxx.xxx.xxx.52/24 brd xxx.xxx.xxx.255 scope global secondary eth2
    inet xxx.xxx.xxx.53/24 brd xxx.xxx.xxx.255 scope global secondary eth2
    inet xxx.xxx.xxx.54/24 brd xxx.xxx.xxx.255 scope global secondary eth2
    inet xxx.xxx.xxx.55/24 brd xxx.xxx.xxx.255 scope global secondary eth2
    inet xxx.xxx.xxx.56/24 brd xxx.xxx.xxx.255 scope global secondary eth2
    inet xxx.xxx.xxx.57/24 brd xxx.xxx.xxx.255 scope global secondary eth2
    inet xxx.xxx.xxx.58/24 brd xxx.xxx.xxx.255 scope global secondary eth2

-- settings --
ip link set eth2 up
ip addr flush dev eth2
ip addr add xxx.xxx.xxx.50/24 brd xxx.xxx.xxx.255 dev eth2
ip addr add xxx.xxx.xxx.51/24 brd xxx.xxx.xxx.255 dev eth2
ip addr add xxx.xxx.xxx.52/24 brd xxx.xxx.xxx.255 dev eth2
ip addr add xxx.xxx.xxx.53/24 brd xxx.xxx.xxx.255 dev eth2
ip addr add xxx.xxx.xxx.54/24 brd xxx.xxx.xxx.255 dev eth2
ip addr add xxx.xxx.xxx.55/24 brd xxx.xxx.xxx.255 dev eth2
ip addr add xxx.xxx.xxx.56/24 brd xxx.xxx.xxx.255 dev eth2
ip addr add xxx.xxx.xxx.57/24 brd xxx.xxx.xxx.255 dev eth2
ip addr add xxx.xxx.xxx.58/24 brd xxx.xxx.xxx.255 dev eth2
ip route add default via xxx.xxx.xxx.1
--- end settings ---

/proc/sys/net/ipv4/ip_forward is 1
/proc/sys/net/ipv4/ip_dynaddr is 1

works: ping google.com -I eth2
works: ping google.com -I xxx.xxx.xxx.50
not working: ping google.com -I xxx.xxx.xxx.58

From the outside I can ping xxx.xxx.xxx.50 but cannot ping any secondary IPs.

I tried tcpdump but didn't receive any replies from the secondary IPs; I got replies from the primary IP though.

If I remove the secondary IPs and use them on another computer the secondary IP works. It looks like I can only use 1 IP per computer (per MAC). What seems to be the problem? Is it the modem? I am not sure about ADSL modems and their type of settings (bridge/router) and I would like to contact my provider. But I am having trouble asking them about the problem. If there's a technical explanation regarding this or some trick it would help me clarify it to them or to me.

There are no filters involved (iptables). On my previous provider aliasing worked; both are DSL.

From unki at netshadow.at Wed Jan 24 18:15:26 2007
From: unki at netshadow.at (Andreas Unterkircher)
Date: Wed Jan 24 18:16:02 2007
Subject: [LARTC] know if packets are marked
In-Reply-To:
References:
Message-ID: <1169658926.3200.2.camel@kuecken.unki.net>

Also connection tracking (cat /proc/net/ip_conntrack), if loaded, will show the mark id (mark=).

Andreas

On Wed, 2007-01-24 at 07:29 -0300, Roberto Pereyra wrote:
> Hi !!
>
> I'm marking packets in a bridge:
>
> Mark outbound www packets from clients:
>
> /usr/local/sbin/iptables -A PREROUTING -t mangle -m physdev
> --physdev-in eth1 -p tcp --dport 80 -j MARK --set-mark 2
>
> How can I know if these packets are marked?
>
> roberto
>

From dan at 34q.eu Wed Jan 24 18:22:14 2007
From: dan at 34q.eu (Dan)
Date: Wed Jan 24 18:24:23 2007
Subject: [LARTC] Throughput
Message-ID: <006f01c73fdc$30f4c0d0$92de4270$@eu>

Hi,

I am after a feel for the throughput capabilities of TC and iptables in comparison to dedicated hardware. I have heard talk about 1Gb+ throughput with minimal performance impact using 50ish TC rules and 100+ iptables rules.

Is there anyone here running large throughput / large configurations, and if so, what sort of figures?

Regards
Dan

From s.cramatte at wanadoo.fr Wed Jan 24 20:04:22 2007
From: s.cramatte at wanadoo.fr (Sébastien CRAMATTE)
Date: Wed Jan 24 20:04:30 2007
Subject: [LARTC] Where can I get a patch to use ipt_time module on POSTROUTING chain
Message-ID: <45B7ADB6.3040205@wanadoo.fr>

Hello,

Does someone know where I can get a patch to use the ipt_time module on the POSTROUTING chain? The original patch won't work on POSTROUTING.

I've set up my server as a QoS bridge with Layer7, ipp2p, so all my rules are on the POSTROUTING chain ...

Regards

From alex at samad.com.au Wed Jan 24 22:34:19 2007
From: alex at samad.com.au (Alex Samad)
Date: Wed Jan 24 22:34:30 2007
Subject: [LARTC] ip alias + dsl modem
In-Reply-To: <000001c73fca$6a805f10$640a0a0a@eve24>
References: <000001c73fca$6a805f10$640a0a0a@eve24>
Message-ID: <20070124213419.GW3981@samad.com.au>

On Thu, Jan 25, 2007 at 12:14:56AM +0900, GodSharp wrote:
> Hi Guys,
>
> Just wondering, for some reason when I switched providers (DSL) IP aliasing
> stopped working. And I am not sure what kind of modem this is; the previous
> one had some Ethernet ports at the back (it has a built-in 4 port switch), the
> new one doesn't have one, only a single Ethernet port, and it is directly
> connected to my Linux box.
>
> My provider gave me a /24 subnet and 9 usable IPs.
>
> # ip a s eth2
> 6: eth2: mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:08:a1:72:c1:f5 brd ff:ff:ff:ff:ff:ff
>     inet xxx.xxx.xxx.50/24 brd xxx.xxx.xxx.255 scope global eth2
>     inet xxx.xxx.xxx.51/24 brd xxx.xxx.xxx.255 scope global secondary eth2
>     inet xxx.xxx.xxx.52/24 brd xxx.xxx.xxx.255 scope global secondary eth2
>     inet xxx.xxx.xxx.53/24 brd xxx.xxx.xxx.255 scope global secondary eth2
>     inet xxx.xxx.xxx.54/24 brd xxx.xxx.xxx.255 scope global secondary eth2
>     inet xxx.xxx.xxx.55/24 brd xxx.xxx.xxx.255 scope global secondary eth2
>     inet xxx.xxx.xxx.56/24 brd xxx.xxx.xxx.255 scope global secondary eth2
>     inet xxx.xxx.xxx.57/24 brd xxx.xxx.xxx.255 scope global secondary eth2
>     inet xxx.xxx.xxx.58/24 brd xxx.xxx.xxx.255 scope global secondary eth2
>
> -- settings --
> ip link set eth2 up
> ip addr flush dev eth2
> ip addr add xxx.xxx.xxx.50/24 brd xxx.xxx.xxx.255 dev eth2
> ip addr add xxx.xxx.xxx.51/24 brd xxx.xxx.xxx.255 dev eth2
> ip addr add xxx.xxx.xxx.52/24 brd xxx.xxx.xxx.255 dev eth2
> ip addr add xxx.xxx.xxx.53/24 brd xxx.xxx.xxx.255 dev eth2
> ip addr add xxx.xxx.xxx.54/24 brd xxx.xxx.xxx.255 dev eth2
> ip addr add xxx.xxx.xxx.55/24 brd xxx.xxx.xxx.255 dev eth2
> ip addr add xxx.xxx.xxx.56/24 brd xxx.xxx.xxx.255 dev eth2
> ip addr add xxx.xxx.xxx.57/24 brd xxx.xxx.xxx.255 dev eth2
> ip addr add xxx.xxx.xxx.58/24 brd xxx.xxx.xxx.255 dev eth2
> ip route add default via xxx.xxx.xxx.1
> --- end settings ---
>
> /proc/sys/net/ipv4/ip_forward is 1
> /proc/sys/net/ipv4/ip_dynaddr is 1
>
> works: ping google.com -I eth2
> works: ping google.com -I xxx.xxx.xxx.50
> not working: ping google.com -I xxx.xxx.xxx.58

Have you tried ip route get? It will tell you what the kernel is thinking on how it's going to route the packet.

You might also need to set up some ip rule lines for each of the secondary addresses.

But first try pinging the next hop with each of the addresses!
>
> From the outside I can ping xxx.xxx.xxx.50 but cannot ping any secondary
> IPs.
>
> I tried tcpdump but didn't receive any replies from the secondary IPs; I got
> replies from the primary IP though.
>
> If I remove the secondary IPs and use them on another computer the secondary
> IP works. It looks like I can
> only use 1 IP per computer (per MAC). What seems to be the problem? Is it the
> modem? I am not sure about ADSL modems and their type of settings (bridge/router)
> and I would like to contact my provider. But I am having trouble asking
> them about the problem. If there's a technical explanation regarding
> this or some trick it would help me clarify it to them or to me.
>
> There are no filters involved (iptables). On my previous provider aliasing
> worked; both are DSL.
>

From gypsy at iswest.com Thu Jan 25 08:04:20 2007
From: gypsy at iswest.com (gypsy)
Date: Thu Jan 25 08:04:47 2007
Subject: [LARTC] ip alias + dsl modem
References: <000001c73fca$6a805f10$640a0a0a@eve24>
Message-ID: <45B85674.9334950F@iswest.com>

GodSharp wrote:
>
> Hi Guys,
>
> Just wondering, for some reason when I switched providers (DSL) IP aliasing
> stopped working. And I am not sure what kind of modem this is; the previous
> one had some Ethernet ports at the back (it has a built-in 4 port switch), the
> new one doesn't have one, only a single Ethernet port, and it is directly
> connected to my Linux box.
>
> My provider gave me a /24 subnet and 9 usable IPs.
>
> # ip a s eth2
> 6: eth2: mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:08:a1:72:c1:f5 brd ff:ff:ff:ff:ff:ff
>     inet xxx.xxx.xxx.50/24 brd xxx.xxx.xxx.255 scope global eth2
>     inet xxx.xxx.xxx.51/24 brd xxx.xxx.xxx.255 scope global secondary eth2
>     inet xxx.xxx.xxx.52/24 brd xxx.xxx.xxx.255 scope global secondary eth2
>     inet xxx.xxx.xxx.53/24 brd xxx.xxx.xxx.255 scope global secondary eth2
>     inet xxx.xxx.xxx.54/24 brd xxx.xxx.xxx.255 scope global secondary eth2
>     inet xxx.xxx.xxx.55/24 brd xxx.xxx.xxx.255 scope global secondary eth2
>     inet xxx.xxx.xxx.56/24 brd xxx.xxx.xxx.255 scope global secondary eth2
>     inet xxx.xxx.xxx.57/24 brd xxx.xxx.xxx.255 scope global secondary eth2
>     inet xxx.xxx.xxx.58/24 brd xxx.xxx.xxx.255 scope global secondary eth2
>
> -- settings --
> ip link set eth2 up
> ip addr flush dev eth2
> ip addr add xxx.xxx.xxx.50/24 brd xxx.xxx.xxx.255 dev eth2
> ip addr add xxx.xxx.xxx.51/24 brd xxx.xxx.xxx.255 dev eth2
> ip addr add xxx.xxx.xxx.52/24 brd xxx.xxx.xxx.255 dev eth2
> ip addr add xxx.xxx.xxx.53/24 brd xxx.xxx.xxx.255 dev eth2
> ip addr add xxx.xxx.xxx.54/24 brd xxx.xxx.xxx.255 dev eth2
> ip addr add xxx.xxx.xxx.55/24 brd xxx.xxx.xxx.255 dev eth2
> ip addr add xxx.xxx.xxx.56/24 brd xxx.xxx.xxx.255 dev eth2
> ip addr add xxx.xxx.xxx.57/24 brd xxx.xxx.xxx.255 dev eth2
> ip addr add xxx.xxx.xxx.58/24 brd xxx.xxx.xxx.255 dev eth2
> ip route add default via xxx.xxx.xxx.1
> --- end settings ---
>
> /proc/sys/net/ipv4/ip_forward is 1
> /proc/sys/net/ipv4/ip_dynaddr is 1

My brain refuses to engage this evening, but I think you mean rp_filter, not ip_dynaddr.
--
buck

From marek at piasta.pl Thu Jan 25 15:40:16 2007
From: marek at piasta.pl (Marek Kierdelewicz)
Date: Thu Jan 25 15:16:14 2007
Subject: [LARTC] Throughput
In-Reply-To: <006f01c73fdc$30f4c0d0$92de4270$@eu>
References: <006f01c73fdc$30f4c0d0$92de4270$@eu>
Message-ID: <20070125154016.2a45cd30@localhost>

> Hi,

Hi

> I am after a feel for the throughput capabilities of TC and iptables
> in comparison to dedicated hardware. I have heard talk about 1Gb+
> throughput with minimal performance impact using 50ish TC rules and
> 100+ iptables rules.

More important than bandwidth is packets per second. Calculate your average packet size (measure bandwidth and packets in some time window and calculate per-second values).

It's not the number of rules (tc or firewall) that matters most but their composition. You should use hashing tc filters when possible and the "set" iptables module (instead of many iptables rules) to offload the CPU. If you don't need connection tracking (NAT and stuff), disable it.

> Is there anyone here running large throughput / large
> configurations, and if so, what sort of figures?

You can easily achieve 600k pps on an AMD 64 X2 5200 with mean 70% CPU utilization at peak hours. You must bind the IRQs of the NICs to different cores (look in /proc/irq/NUM/smp_affinity) to achieve a symmetric load on both cores (sometimes it's difficult). Similar speed can be achieved with a Xeon 3.2GHz with HT (the old one). I haven't tested new Xeons in the network field and I'm curious myself how they would manage.

One can put more cores and more NICs into the box and achieve even more throughput. The problem is balancing load between the cores. Your setup will be as effective as the most used core. I think that using Cisco EtherChannel (and any other bonding/trunking technique that allows round-robin traffic distribution between physical links) would allow the ideal distribution of load between cores. Has anyone tried this?
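The IRQ pinning Marek recommends, as an added example (not from his post): it reads the /proc/interrupts layout of 2.6-era kernels (one chip/type column after the per-CPU counters is an assumption), picks the IRQ line(s) that name each NIC, builds the hex CPU bitmask that /proc/irq/NUM/smp_affinity expects and refuses to pin a NIC that shares its IRQ with another device. SAMPLE_INTERRUPTS is a constructed two-core snapshot, so the dry run works offline.

```python
"""Pin each NIC's IRQ to its own core through /proc/irq/<n>/smp_affinity.

Added example, not code from the thread. Assumes the 2.6-era /proc/interrupts
layout: "<irq>:" followed by one counter per CPU, one chip/type column, then
the device name(s), comma-separated when the IRQ is shared.
"""
import os
import re

# Constructed snapshot of a dual-core box with three NICs; eth2 shares IRQ 18
# with a USB controller, which is exactly the case pinning cannot fix.
SAMPLE_INTERRUPTS = """\
           CPU0       CPU1
  0:    9876543          0   IO-APIC-edge      timer
 16:    5123456     120000   IO-APIC-fasteoi   eth0
 17:     200000    4987654   IO-APIC-fasteoi   eth1
 18:      40000      39000   IO-APIC-fasteoi   uhci_hcd:usb1, eth2
NMI:          0          0   Non-maskable interrupts
"""


def parse_interrupts(text):
    """Return {irq_number: [device names]} for the numeric IRQ lines only."""
    lines = text.splitlines()
    ncpu = len(lines[0].split())          # header row lists one CPUn per core
    result = {}
    for line in lines[1:]:
        fields = line.split()
        if not fields or not re.fullmatch(r"\d+:", fields[0]):
            continue                      # NMI:, LOC:, ERR: rows carry no device
        irq = int(fields[0][:-1])
        # fields[1:1+ncpu] are counters, fields[1+ncpu] is the chip/type column,
        # everything after that is the device list.
        devices = " ".join(fields[2 + ncpu:]).split(",")
        result[irq] = [d.strip() for d in devices if d.strip()]
    return result


def cpu_mask(cpu):
    """smp_affinity takes a hex bitmask with one bit per CPU, no 0x prefix."""
    return format(1 << cpu, "x")


def affinity_plan(text, nic_to_cpu):
    """Map each NIC's IRQ(s) to the mask of its chosen core.

    Raises LookupError if a NIC has no IRQ line and ValueError if its IRQ is
    shared: pinning a shared IRQ drags the other device's interrupts along
    and defeats the per-core split the post is after.
    """
    irqs = parse_interrupts(text)
    plan = {}
    for nic, cpu in nic_to_cpu.items():
        hits = [irq for irq, devs in irqs.items() if nic in devs]
        if not hits:
            raise LookupError("no IRQ line names %s" % nic)
        for irq in hits:
            if len(irqs[irq]) > 1:
                raise ValueError("IRQ %d is shared by %s; cannot pin %s alone"
                                 % (irq, irqs[irq], nic))
            plan[irq] = cpu_mask(cpu)
    return plan


def apply_plan(plan, root="/proc/irq", dry_run=True):
    """Write each mask (or just report it); returns the (path, mask) pairs.

    irqbalance rewrites these files periodically, so stop it before a real run.
    """
    writes = []
    for irq, mask in sorted(plan.items()):
        path = os.path.join(root, str(irq), "smp_affinity")
        writes.append((path, mask))
        if not dry_run:
            with open(path, "w") as fh:
                fh.write(mask + "\n")
    return writes


if __name__ == "__main__":
    plan = affinity_plan(SAMPLE_INTERRUPTS, {"eth0": 0, "eth1": 1})
    for path, mask in apply_plan(plan):          # dry run: nothing is written
        print("echo %s > %s" % (mask, path))
    try:
        affinity_plan(SAMPLE_INTERRUPTS, {"eth2": 1})
    except ValueError as err:
        print("refused:", err)
```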
cheers,
Marek Kierdelewicz

From andy at andybev.com Thu Jan 25 18:41:24 2007
From: andy at andybev.com (Andrew Beverley)
Date: Thu Jan 25 18:40:59 2007
Subject: [LARTC] Opinions about pom/patches [was: iptables 1.3.7, kernel 2.6.19, ROUTE and Layer7 issues]
In-Reply-To: <54696.195.55.244.106.1168435275.squirrel@www.arcoscom.com>
References: <54905.84.123.236.132.1165866276.squirrel@www.arcoscom.com> <57631.195.55.244.106.1165911878.squirrel@www.arcoscom.com> <457E6997.1050001@trash.net> <36479.195.55.244.106.1165998665.squirrel@www.arcoscom.com> <457FBBFD.6060009@trash.net> <45A48087.8090200@trash.net> <54696.195.55.244.106.1168435275.squirrel@www.arcoscom.com>
Message-ID: <1169746884.4253.51.camel@andybev.localdomain>

Sorry, a bit late replying to this but just wanted to add my thoughts.

> I think so, there are many old matches that are stable and I have to
> apply many times when I update the kernel. If they were in the kernel and
> iptables (because they are now not as experimental as many months/years
> ago) these problems when new kernel releases and/or iptables releases
> disappear very quickly.
>
> I have a great headache now, I had to patch my kernel, patch iptables,
> update iproute to allow "mark-and" operations for routing. Yes, I can
> adapt many things and forget many routing/filtering functionality, but
> then, my linux box will be useless for the purposes I deploy it.
>
> I have no problem in patching and upgrading things, my problem is that I have
> no time to do all these steps every time an important bug fix or improvement is
> released.

I would also like to see as many of the POM included in the stable kernel. It's a bit of a headache to patch in what I want each time I update the kernel, and on a fresh system I have to install CURL just to update POM just to add connlimit to the kernel...

It's also a bit of a problem because I am looking to hand my server over to professional support.
I've got to explain to them that if they ever update the kernel it will need patching. If they don't, or forget, then it will significantly affect the system's performance in the particular situation.

Finally, I can't help but think it puts off newcomers. Although fairly simple when you know what you're doing, when someone comes from a point-and-click windows background it is incredibly complicated!

The two I would like to see in the main kernel are connlimit (stable for a few years?) and ipset.

Regards,

Andy Beverley

From mkathuria at tuxtechnologies.co.in Sat Jan 27 15:40:49 2007
From: mkathuria at tuxtechnologies.co.in (Manish Kathuria)
Date: Sat Jan 27 15:41:09 2007
Subject: [LARTC] DGD patch not detecting dead gateway
In-Reply-To: <45B196D2.3040802@riverviewtech.net>
References: <7fe14e000701182100l5b1474eai853a0077c821a835@mail.gmail.com> <1df4abe60701191045q32c78d97h1ebee0846b5181f@mail.gmail.com> <45B196D2.3040802@riverviewtech.net>
Message-ID: <1df4abe60701270640x69bebb21ve51611d5039aa3a4@mail.gmail.com>

On 1/20/07, Grant Taylor wrote:
> On 01/19/07 12:45, Manish Kathuria wrote:
> > My experience has been mixed. The patch worked very well in many cases
> > but in some it worked only if the first hop gateway was down and not
> > any of the subsequent hops. So as you mentioned its happening since it
> > can ping the switch / modem, it thinks the link is good. You can make
> > a script which will keep on running in the background and check if the
> > links are up or not and if any of the links is down, it can change the
> > default route and provide a failover.
>
> I have been tasked with writing such a script. In my scenario, I'm
> taking it a bit further though. I am planning on having my script test
> the actual service that I'm trying to connect to. I.e. connect to port
> 80 and request a page. I'm having to go this route because I've had
> sporadic MTU issues in one of our (primary) paths.
> The provider is
> supposed to be repairing the problem, however I need a solution before
> that can happen.

The method I have adopted is to use a shell script which pings a popular remote site's IP (for example www.yahoo.com or www.google.com) through each of the interfaces every 10 seconds. The default multipath route is replaced by a single default gateway if a reply is not received for 4 consecutive tries from one of the links. This is to avoid very frequent failovers. However, the link is treated as live as soon as a ping reply is received and the multipath route is activated.

--
Manish Kathuria
Tux Technologies
http://www.tuxtechnologies.co.in/

From mkathuria at tuxtechnologies.co.in Sat Jan 27 16:11:14 2007
From: mkathuria at tuxtechnologies.co.in (Manish Kathuria)
Date: Sat Jan 27 16:11:18 2007
Subject: [LARTC] two internet providers
In-Reply-To: <45B51A5B.2030508@weednet.ro>
References: <45B51A5B.2030508@weednet.ro>
Message-ID: <1df4abe60701270711i442d29c2gcd32f5f40d3bf20c@mail.gmail.com>

On 1/23/07, Danut Chereches wrote:
> hello
>
> i have slackware installed and i have two internet connections,
> ADSL (2,5mbps) + CableModem (1mbps)
> i want to share the connections in a small network
> NAT for the ADSL connection, and a proxy server for the cablemodem
> connection
> i searched all over the internet (probably not where i was supposed to)
> but i couldn't find a solution
> if someone could give me a tip i would really appreciate it
>

The simplest solution would be to use two systems, one connected to the Cable Modem and running a proxy server on it and the other one connected to the ADSL connection with packet forwarding enabled and iptables rules for the NAT and forwarding the traffic. The first system can be specified in the proxy server settings and the IP of the second system can be specified as the gateway for the clients.
You can also configure the squid proxy server to act as a transparent proxy and redirect the outgoing port 80 traffic through it using iptables rules on the gateway.

If you want to use a single system as the gateway and proxy server, you can configure it to use multiple gateways and divide the outgoing traffic so that the web traffic (and ftp, if desired) is routed through the Cable Modem and the rest through the ADSL connection. You can also specify the outgoing tcp address in the squid proxy server configuration. Please also see the LARTC How To and the documentation for the ip tool.

--
Manish Kathuria
Tux Technologies
http://www.tuxtechnologies.co.in/

From mkathuria at tuxtechnologies.co.in Sat Jan 27 17:12:57 2007
From: mkathuria at tuxtechnologies.co.in (Manish Kathuria)
Date: Sat Jan 27 17:13:03 2007
Subject: [LARTC] DGD patch not detecting dead gateway
In-Reply-To:
References: <7fe14e000701182100l5b1474eai853a0077c821a835@mail.gmail.com> <1df4abe60701191045q32c78d97h1ebee0846b5181f@mail.gmail.com> <45B196D2.3040802@riverviewtech.net> <1df4abe60701270640x69bebb21ve51611d5039aa3a4@mail.gmail.com>
Message-ID: <1df4abe60701270812u2b29065dj5818566db19bf2a@mail.gmail.com>

On 1/27/07, Geoff Dornan wrote:
> Hi
>
> Can you post your script please?
>
> Cheers
> geoff
>
>
> On 1/20/07, Grant Taylor wrote:
> > On 01/19/07 12:45, Manish Kathuria wrote:
> > > My experience has been mixed. The patch worked very well in many cases but in some it worked only if the first hop gateway was down and not any of the subsequent hops. So as you mentioned it's happening since it can ping the switch / modem, it thinks the link is good. You can make a script which will keep on running in the background and check if the links are up or not and if any of the links is down, it can change the default route and provide a failover.
> >
> > I have been tasked with writing such a script. In my scenario, I'm taking it a bit further though.
> > I am planning on having my script test the actual service that I'm trying to connect to, i.e. connect to port 80 and request a page. I'm having to go this route because I've had sporadic MTU issues in one of our (primary) paths. The provider is supposed to be repairing the problem, however I need a solution before that can happen.
>
> The method I have adopted is to use a shell script which pings a popular remote site's IP (for example www.yahoo.com or www.google.com) through each of the interfaces every 10 seconds. The default multipath route is replaced by a single default gateway if a reply is not received for 4 consecutive tries from one of the links. This is to avoid very frequent failovers. However, the link is treated as live as soon as a ping reply is received and the multipath route is activated.
>

The script is appended. It assumes that you have followed the steps as described in nano.txt with or without applying the patches. Though it appears to be very simplistic, it's working great at a number of locations.

#!/bin/bash -x

TESTIP=www.yahoo.com
CHECK=0
ISPA=1
ISPB=1
LINKSTATUS=1
COUNTA=0
COUNTB=0
EXTIF1=eth1
EXTIF2=eth2
GW1=172.16.1.1
GW2=192.168.1.1
W1=1
W2=1

while : ; do
    # probe link A; COUNTA counts consecutive misses
    ping -I $EXTIF1 -c 1 $TESTIP > /dev/null 2>&1
    RETVAL=$?
    if [ $RETVAL -ne 0 ]; then
        COUNTA=`expr $COUNTA + 1`
    else
        COUNTA=0
    fi
    if [ $COUNTA -ge 4 ]; then
        ISPA=0
    else
        ISPA=1
    fi

    # probe link B the same way
    ping -I $EXTIF2 -c 1 $TESTIP > /dev/null 2>&1
    RETVAL=$?
    if [ $RETVAL -ne 0 ]; then
        COUNTB=`expr $COUNTB + 1`
    else
        COUNTB=0
    fi
    if [ $COUNTB -ge 4 ]; then
        ISPB=0
    else
        ISPB=1
    fi

    # 1 = both up (multipath), 2 = only A up, 3 = only B up.
    # When both are down keep the previous state; without this default
    # NEWSTATUS is unset on the first round and the tests below error out.
    NEWSTATUS=$LINKSTATUS
    if [ $ISPA -eq 1 ]; then
        if [ $ISPB -eq 1 ]; then
            NEWSTATUS=1
        elif [ $ISPB -eq 0 ]; then
            NEWSTATUS=2
        fi
    elif [ $ISPA -eq 0 ]; then
        if [ $ISPB -eq 1 ]; then
            NEWSTATUS=3
        fi
    fi

    # only touch the routing table when the state actually changes
    case $LINKSTATUS in
    1)
        if [ $NEWSTATUS -eq 2 ]; then
            ip route replace default via $GW1 dev $EXTIF1
        elif [ $NEWSTATUS -eq 3 ]; then
            ip route replace default via $GW2 dev $EXTIF2
        fi;;
    2)
        if [ $NEWSTATUS -eq 1 ]; then
            ip route del default
            ip route replace default table 222 proto static \
                nexthop via $GW1 dev $EXTIF1 weight $W1 \
                nexthop via $GW2 dev $EXTIF2 weight $W2
        elif [ $NEWSTATUS -eq 3 ]; then
            ip route replace default via $GW2 dev $EXTIF2
        fi;;
    3)
        if [ $NEWSTATUS -eq 1 ]; then
            ip route del default
            ip route replace default table 222 proto static \
                nexthop via $GW1 dev $EXTIF1 weight $W1 \
                nexthop via $GW2 dev $EXTIF2 weight $W2
        elif [ $NEWSTATUS -eq 2 ]; then
            ip route replace default via $GW1 dev $EXTIF1
        fi;;
    *)
        echo;;
    esac
    LINKSTATUS=$NEWSTATUS
    sleep 10
done

Let me know if you can think of any improvements or modifications.

--
Manish Kathuria
Tux Technologies
http://www.tuxtechnologies.co.in/

From cemeyer2 at uiuc.edu Sun Jan 28 03:57:28 2007
From: cemeyer2 at uiuc.edu (Charlie Meyer)
Date: Sun Jan 28 03:58:06 2007
Subject: [LARTC] two internet providers
In-Reply-To: <1df4abe60701270711i442d29c2gcd32f5f40d3bf20c@mail.gmail.com>
References: <45B51A5B.2030508@weednet.ro> <1df4abe60701270711i442d29c2gcd32f5f40d3bf20c@mail.gmail.com>
Message-ID: <5B8B3D66554D0246BF6D224D9E8169E001E6B23D@snshbea106.4smartphone.snx>

This would be really easy to do with one box. Have an interface for the cable modem, and an interface for the dsl. Have your default route go to the dsl modem (ip route add/change default table main dev eth via xxx.xxx.xxx.xxx). Then you can configure whatever proxy you are going to use to use the other interface.
I have done similar setups using squid as the proxy with transparent redirection as well as using the Dante SOCKS server; both have configuration options to use a specific interface for their traffic.

Let me know if you have any questions, I'd be happy to provide further detail.

--
Charlie Meyer
University of Illinois at Urbana-Champaign
College of Engineering - Department of Computer Science
Phi Kappa Psi - Property Manager
cemeyer2@uiuc.edu

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Manish Kathuria
Sent: Saturday, January 27, 2007 9:11 AM
To: Danut Chereches
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] two internet providers

On 1/23/07, Danut Chereches wrote:
> hello
>
> i have slackware installed and i have two internet connections,
> ADSL(2,5mbps) + CableModem(1mbps)
> i want to share the connections in a small network
> NAT for the ADSL connection, and a proxy server for the cablemodem
> connection
> i searched all over the internet (probably not where i was supposed to)
> but i couldn't find a solution
> if someone could give me a tip i would really appreciate it
>

The simplest solution would be to use two systems, one connected to the Cable Modem and running a proxy server on it and the other one connected to the ADSL connection, with packet forwarding enabled and iptables rules for the NAT and forwarding the traffic. The first system can be specified in the proxy server settings and the IP of the second system can be specified as the gateway for the clients.

You can also configure the squid proxy server to act as a transparent proxy and redirect the outgoing port 80 traffic through it using iptables rules on the gateway.

If you want to use a single system as the gateway and proxy server, you can configure it to use multiple gateways and divide the outgoing traffic so that the web traffic (and ftp, if desired) is routed through the Cable Modem and the rest through the ADSL connection.
You can also specify the outgoing tcp address in the squid proxy server configuration. Please also see the LARTC How To and the documentation for the ip tool.

--
Manish Kathuria
Tux Technologies
http://www.tuxtechnologies.co.in/
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From covici at ccs.covici.com Sun Jan 28 04:23:03 2007
From: covici at ccs.covici.com (John covici)
Date: Sun Jan 28 04:23:16 2007
Subject: [LARTC] possible packet forwarding or routing problem
Message-ID: <17852.5911.991893.721515@ccs.covici.com>

Hi. I have a system with two network cards -- eth0 is a public ip address and eth1 is on an internal network. Now I have all the packet forwards enabled, and there is a route from eth1 to the internal network, but if a computer on the internal network sets his gateway to the box, he can't traceroute past the box to the internet. There are no iptable rules yet.

Here is the routing table as produced by route.

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
64.183.125.208  *               255.255.255.248 U     0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
default         rrcs-64-183-125 0.0.0.0         UG    0      0        0 eth0

What am I doing wrong here?

Any assistance would be appreciated.

--
Your life is like a penny. You're going to lose it. The question is: How do you spend it?

John Covici
covici@ccs.covici.com

From lists at llondel.org Sun Jan 28 09:43:19 2007
From: lists at llondel.org (David Hough)
Date: Sun Jan 28 09:43:44 2007
Subject: [LARTC] possible packet forwarding or routing problem
In-Reply-To: <17852.5911.991893.721515@ccs.covici.com>
References: <17852.5911.991893.721515@ccs.covici.com>
Message-ID: <45BC6227.5060604@llondel.org>

John covici wrote:
> Hi. I have a system with two network cards -- eth0 is a public ip address and eth1 is on an internal network.
> Now I have all the packet forwards enabled, and there is a route from eth1 to the internal network, but if a computer on the internal network sets his gateway to the box, he can't traceroute past the box to the internet. There are no iptable rules yet.
>
> Here is the routing table as produced by route.
>
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 64.183.125.208  *               255.255.255.248 U     0      0        0 eth0
> 192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
> 169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
> default         rrcs-64-183-125 0.0.0.0         UG    0      0        0 eth0
>
>
> What am I doing wrong here?
>
> Any assistance would be appreciated.
>

Two things spring to mind.

1. What result do you get from "cat /proc/sys/net/ipv4/ip_forward"? If it's zero then you haven't got forwarding enabled.

2. Even if it is enabled, stuff on the LAN will head out to the big wide world with a 192.168.1.x address on it and get eaten by any properly-configured router outside.

To fix the first one, just "echo 1 > /proc/sys/net/ipv4/ip_forward" to enable forwarding.

To fix the second one, you'll need a bunch of iptables rules to set up NAT so all outbound traffic goes out using your public IP.

--
Dave
http://www.llondel.org
So many gadgets, so little time

From tomlobato at gmail.com Sun Jan 28 17:12:03 2007
From: tomlobato at gmail.com (Tom Lobato)
Date: Sun Jan 28 17:12:13 2007
Subject: [LARTC] DGD patch not detecting dead gateway
In-Reply-To: <45B55986.6020402@gmail.com>
References: <7fe14e000701182100l5b1474eai853a0077c821a835@mail.gmail.com> <1df4abe60701191045q32c78d97h1ebee0846b5181f@mail.gmail.com> <45B55986.6020402@gmail.com>
Message-ID: <7fe14e000701280812u55b87308p331ed368e2d6412a@mail.gmail.com>

Hi!

Manish Kathuria Wrote:
>
> The method I have adopted is to use a shell script which pings a popular remote site's IP (for example www.yahoo.com or www.google.com) through each of the interfaces every 10 seconds.
> The default multipath route is replaced by a single default gateway if a reply is not received for 4 consecutive tries from one of the links. This is to avoid very frequent failovers. However, the link is treated as live as soon as a ping reply is received and the multipath route is activated.

Now I'm using the ping options:

ping -n -w 10 -c 2 -I $lnk1_dev $lnk1_pingtarget

But so I'm getting some false negatives. Can you show what ping options you use?

Tom Lobato
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070128/8bd85059/attachment.html

From mkathuria at tuxtechnologies.co.in Sun Jan 28 17:35:26 2007
From: mkathuria at tuxtechnologies.co.in (Manish Kathuria)
Date: Sun Jan 28 17:35:35 2007
Subject: [LARTC] DGD patch not detecting dead gateway
In-Reply-To: <7fe14e000701280812u55b87308p331ed368e2d6412a@mail.gmail.com>
References: <7fe14e000701182100l5b1474eai853a0077c821a835@mail.gmail.com> <1df4abe60701191045q32c78d97h1ebee0846b5181f@mail.gmail.com> <45B55986.6020402@gmail.com> <7fe14e000701280812u55b87308p331ed368e2d6412a@mail.gmail.com>
Message-ID: <1df4abe60701280835w41d169e2h6c181ebbdd68d494@mail.gmail.com>

On 1/28/07, Tom Lobato wrote:
>
> Manish Kathuria Wrote:
> >
> > The method I have adopted is to use a shell script which pings a popular remote site's IP (for example www.yahoo.com or www.google.com) through each of the interfaces every 10 seconds. The default multipath route is replaced by a single default gateway if a reply is not received for 4 consecutive tries from one of the links. This is to avoid very frequent failovers. However, the link is treated as live as soon as a ping reply is received and the multipath route is activated.
>
> Now I'm using the ping options:
>
> ping -n -w 10 -c 2 -I $lnk1_dev $lnk1_pingtarget
>
> But so I'm getting some false negatives. Can you show what ping options you use?
> Tom Lobato
>

Please see the script posted earlier. The simple ping command with the following options is repeated every 10 seconds using an endless loop.

ping -I $EXTIF1 -c 1 $TESTIP > /dev/null 2>&1

--
Manish Kathuria
Tux Technologies
http://www.tuxtechnologies.co.in/

From covici at ccs.covici.com Sun Jan 28 19:53:43 2007
From: covici at ccs.covici.com (John covici)
Date: Sun Jan 28 19:54:01 2007
Subject: [LARTC] possible packet forwarding or routing problem
In-Reply-To: <45BC6227.5060604@llondel.org>
References: <17852.5911.991893.721515@ccs.covici.com> <45BC6227.5060604@llondel.org>
Message-ID: <17852.61751.964223.763968@ccs.covici.com>

on Sunday 01/28/2007 David Hough(lists@llondel.org) wrote
> John covici wrote:
> > Hi. I have a system with two network cards -- eth0 is a public ip address and eth1 is on an internal network. Now I have all the packet forwards enabled, and there is a route from eth1 to the internal network, but if a computer on the internal network sets his gateway to the box, he can't traceroute past the box to the internet. There are no iptable rules yet.
> >
> > Here is the routing table as produced by route.
> >
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 64.183.125.208  *               255.255.255.248 U     0      0        0 eth0
> > 192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
> > 169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
> > default         rrcs-64-183-125 0.0.0.0         UG    0      0        0 eth0
> >
> >
> > What am I doing wrong here?
> >
> > Any assistance would be appreciated.
> >
> Two things spring to mind.
>
> 1. What result do you get from "cat /proc/sys/net/ipv4/ip_forward"? If it's zero then you haven't got forwarding enabled.
>
> 2. Even if it is enabled, stuff on the LAN will head out to the big wide world with a 192.168.1.x address on it and get eaten by any properly-configured router outside.
>
> To fix the first one, just "echo 1 > /proc/sys/net/ipv4/ip_forward" to enable forwarding.
>
> To fix the second one, you'll need a bunch of iptables rules to set up NAT so all outbound traffic goes out using your public IP.
> --
> Dave
> http://www.llondel.org
> So many gadgets, so little time

--
Your life is like a penny. You're going to lose it. The question is: How do you spend it?

John Covici
covici@ccs.covici.com

From administrator at netwlan.net Mon Jan 29 11:04:11 2007
From: administrator at netwlan.net (Ivan Vladimirov)
Date: Mon Jan 29 11:05:16 2007
Subject: [LARTC] Bridging multiple vlans on linux router
Message-ID: <45BDC69B.8070008@netwlan.net>

An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070129/64d0901d/attachment.htm

From liste at kurgan.org Mon Jan 29 13:17:03 2007
From: liste at kurgan.org (Fabio Muzzi)
Date: Mon Jan 29 13:17:29 2007
Subject: [LARTC] Questions about mutiple providers
Message-ID: <615095102.20070129131703@kurgan.org>

Hi, this is my first post to the list.

I have googled a lot, and still cannot find a proper solution. I hope someone here will be able to shed some light on my doubts.

I have set up a firewall using kernel 2.6.15 (Debian) that does NAT for 100 clients, and uses two different ISPs, using the howto found at http://lartc.org/howto/lartc.rpdb.multiple-links.html. I have *not* patched my kernel.

The routing setup is taken from the howto, and it basically works, I see packets flowing out of both WAN interfaces, and everything seems to work properly for packets that are generated from the firewall itself.
I have set up NAT rules in the postrouting table, this way:

iptables -t nat -A POSTROUTING -o $WAN -j SNAT -s 10.0.0.0/16 --to-source 217.221.234.74
iptables -t nat -A POSTROUTING -o $WAN2 -j SNAT -s 10.0.0.0/16 --to-source 83.211.205.162

Local net is 10.0.0.0/16, the two WAN interfaces are $WAN and $WAN2, and their respective IP addresses are set as shown. WAN interfaces are physically different and have no aliases, only the IP shown above.

Now, I am experiencing two issues:

- First, I see packets with "from" address set to 83.211.205.162 that go out of $WAN, and also packets with from address set to 217.221.234.74 that flow out of $WAN2. This address mixup should not happen, I suppose. Looking at the packets, it seems that only NATed traffic shows this behaviour.

- Second, I see (rare) packets flowing out of WAN or WAN2 interfaces that still have the LAN from address, that is 10.0.x.x; these packets somehow were not NATed at all.

Now, the questions are:

How do I solve this?

Do I need to patch my kernel to solve the first issue, because I need to look at NAT "established connections" tables to make routing decisions? Is it impossible to have equal cost multipath and SNAT together without patching the kernel? If so, what patch do I need exactly?

Is there something wrong with my kernel version, that has a broken NAT support? (this could explain why I get some packets that do not get NATed at all)

Thanks a lot for the time you took reading this.

--

Fabio "Kurgan" Muzzi

From alex at samad.com.au Mon Jan 29 22:35:40 2007
From: alex at samad.com.au (Alex Samad)
Date: Mon Jan 29 22:35:59 2007
Subject: [LARTC] Questions about mutiple providers
In-Reply-To: <615095102.20070129131703@kurgan.org>
References: <615095102.20070129131703@kurgan.org>
Message-ID: <20070129213540.GJ25822@samad.com.au>

On Mon, Jan 29, 2007 at 01:17:03PM +0100, Fabio Muzzi wrote:
>
> Hi, this is my first post to the list.
>
> I have googled a lot, and still cannot find a proper solution.
> I hope someone here will be able to shed some light on my doubts.
>
> I have set up a firewall using kernel 2.6.15 (Debian) that does NAT for 100 clients, and uses two different ISPs, using the howto found at http://lartc.org/howto/lartc.rpdb.multiple-links.html. I have *not* patched my kernel.
>
> The routing setup is taken from the howto, and it basically works, I see packets flowing out of both WAN interfaces, and everything seems to work properly for packets that are generated from the firewall itself.
>
> I have set up NAT rules in the postrouting table, this way:
>
> iptables -t nat -A POSTROUTING -o $WAN -j SNAT -s 10.0.0.0/16 --to-source 217.221.234.74
> iptables -t nat -A POSTROUTING -o $WAN2 -j SNAT -s 10.0.0.0/16 --to-source 83.211.205.162
>
> Local net is 10.0.0.0/16, the two WAN interfaces are $WAN and $WAN2, and their respective IP addresses are set as shown. WAN interfaces are physically different and have no aliases, only the IP shown above.
>
> Now, I am experiencing two issues:
>
> - First, I see packets with "from" address set to 83.211.205.162 that go out of $WAN, and also packets with from address set to 217.221.234.74 that flow out of $WAN2. This address mixup should not happen, I suppose. Looking at the packets, it seems that only NATed traffic shows this behaviour.

you have to set up your ip rule rules, which will state that anything coming from 217.221.234.74 only goes out $WAN and anything coming from 83.211.205.162 only goes out $WAN2; it should be part of the wiki/faq doco

>
>
> - Second, I see (rare) packets flowing out of WAN or WAN2 interfaces that still have the LAN from address, that is 10.0.x.x; these packets somehow were not NATed at all.

never seen this

>
>
> Now, the questions are:
>
> How do I solve this?
>
> Do I need to patch my kernel to solve the first issue, because I need to look at NAT "established connections" tables to make routing decisions?
> Is it impossible to have equal cost multipath and SNAT together without patching the kernel? If so, what patch do I need exactly?
>
> Is there something wrong with my kernel version, that has a broken NAT support? (this could explain why I get some packets that do not get NATed at all)
>
>
> Thanks a lot for the time you took reading this.
>
> --
>
> Fabio "Kurgan" Muzzi
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20070130/60254412/attachment.pgp

From maxwell at digitalpath.net Mon Jan 29 23:14:25 2007
From: maxwell at digitalpath.net (Hampton Maxwell)
Date: Mon Jan 29 23:16:29 2007
Subject: [LARTC] Rewriting output interface
Message-ID: <45BE71C1.2090206@digitalpath.net>

I would like to setup some rules for a wireless bridge to do load balancing. I'd like to dedicate one radio for doing transmit and one for receive.

                    router
                      |
                      |
    ------------- eth0 ----------------
    |                                 |
  wlan0       upstream device       wlan1
    |                                 ^
    |                                 |
    V                                 |
    ==================================
    |                                 ^
    |                                 |
    V                                 |
  wlan2      downstream device      wlan3
    |                                 |
    ------------- eth0 ----------------
                      |
                      |
                   network

All traffic headed to the network will be sent out on wlan0, while all traffic headed to the router is to be sent on wlan3. Is tc capable of doing something like this, and if so, how would I configure it? I would prefer to bridge the traffic rather than routing it.
Thanks,
Hampton

From maxwell at digitalpath.net Mon Jan 29 23:41:48 2007
From: maxwell at digitalpath.net (Hampton Maxwell)
Date: Mon Jan 29 23:43:53 2007
Subject: [LARTC] Rewriting output interface
In-Reply-To: <20070129143454.5770e847@freekitty>
References: <45BE71C1.2090206@digitalpath.net> <20070129143454.5770e847@freekitty>
Message-ID: <45BE782C.7090405@digitalpath.net>

We are using a madwifi type driver that supports wds. I just don't know how to set up the dual-bonded part of it. If someone has experience doing this with an ethernet only setup, I can adapt that to our network.

Cheers,
Hampton

Stephen Hemminger wrote:
> On Mon, 29 Jan 2007 14:14:25 -0800
> Hampton Maxwell wrote:
>
>> I would like to setup some rules for a wireless bridge to do load balancing.
>> I'd like to dedicate one radio for doing transmit and one for receive.
>>
>
> For most cases wireless bridge with Linux won't work. Unless you (one of the following):
> * have special device firmware
> * bridge only one client (ie point-to-point)
> * use MAC layer NAT
> * use experimental WDS and have device that supports it.
>

From gtaylor at riverviewtech.net Tue Jan 30 04:42:37 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Tue Jan 30 04:52:18 2007
Subject: [LARTC] Bridging multiple vlans on linux router
In-Reply-To: <45BDC69B.8070008@netwlan.net>
References: <45BDC69B.8070008@netwlan.net>
Message-ID: <45BEBEAD.7080208@riverviewtech.net>

On 01/29/07 04:04, Ivan Vladimirov wrote:
> I need br0 to see all hosts in all vlans but hosts in different vlans not to see each other.
> Is there any way to do this with ebtables without making too many rules?

I think if you set a forward policy of DROP you will be able to do what you are wanting.

Grant. . . .
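Added example, not a script from the list: the two-link ping monitor Manish Kathuria posted in the "DGD patch not detecting dead gateway" thread above, generalised to any number of links with the same hysteresis (four consecutive misses mark a link dead, one reply marks it live), the default route rewritten only when the set of live links changes, and the all-links-down case handled instead of leaving NEWSTATUS unset. The interface names, gateways and the use of the main routing table are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the script from the list: Manish Kathuria's two-link
# ping monitor generalised to N links. Interface names, gateways and weights
# below are constructed placeholders; edit LINKS for a real router.
TESTIP=${TESTIP:-www.yahoo.com}   # probe target, as in the posted script
DEAD_AFTER=${DEAD_AFTER:-4}       # consecutive misses before a link is dead
INTERVAL=${INTERVAL:-10}          # seconds between probe rounds
DRYRUN=${DRYRUN:-1}               # 1 = print the ip command, 0 = run it
# One entry per link, "dev:gateway:weight" (constructed values).
LINKS="eth1:172.16.1.1:1 eth2:192.168.1.1:1"

# The hysteresis rule in one place: new miss count from the old count and
# the ping exit status. The count saturates at DEAD_AFTER, so after a long
# outage one successful reply brings the link back immediately.
next_count() {
    old=$1 rc=$2
    if [ "$rc" -eq 0 ]; then
        echo 0
    elif [ "$old" -ge "$DEAD_AFTER" ]; then
        echo "$DEAD_AFTER"
    else
        echo $((old + 1))
    fi
}

# Print the "ip route" command for the live links given as arguments
# (dev:gateway:weight). One link -> single gateway, several -> multipath.
# The posted script keeps its multipath route in table 222; this version
# uses the main table. Returns 1 when no link is live.
route_for() {
    [ $# -gt 0 ] || return 1
    if [ $# -eq 1 ]; then
        dev=${1%%:*}; rest=${1#*:}; gw=${rest%%:*}
        echo "ip route replace default via $gw dev $dev"
        return 0
    fi
    cmd="ip route replace default proto static"
    for link in "$@"; do
        dev=${link%%:*}; rest=${link#*:}; gw=${rest%%:*}; weight=${rest#*:}
        cmd="$cmd nexthop via $gw dev $dev weight $weight"
    done
    echo "$cmd"
}

# Probe every link once per round and reprogram the default route only when
# the set of live links changed since the last round.
monitor_loop() {
    state=""
    for link in $LINKS; do state="$state $link:0"; done   # append miss count
    last=""
    while :; do
        newstate=""; live=""
        for entry in $state; do
            link=${entry%:*}; count=${entry##*:}; dev=${link%%:*}
            ping -I "$dev" -c 1 "$TESTIP" >/dev/null 2>&1
            rc=$?
            count=$(next_count "$count" "$rc")
            newstate="$newstate $link:$count"
            if [ "$count" -lt "$DEAD_AFTER" ]; then live="$live $link"; fi
        done
        state=$newstate
        if cmd=$(route_for $live); then
            if [ "$cmd" != "$last" ]; then
                if [ "$DRYRUN" = 1 ]; then echo "$cmd"; else $cmd; fi
                last=$cmd
            fi
        else
            # every link failed: keep the current route, just report it
            echo "all links down, leaving the current default route" >&2
        fi
        sleep "$INTERVAL"
    done
}

# Start the loop only when invoked as "script monitor"; sourcing the file
# just defines the functions.
if [ "${1:-}" = monitor ]; then
    monitor_loop
fi
```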
From bruno at wolff.to Tue Jan 30 06:25:14 2007
From: bruno at wolff.to (Bruno Wolff III)
Date: Tue Jan 30 06:25:27 2007
Subject: [LARTC] lartc doc and Jamal's iproute2 notes
Message-ID: <20070130052514.GB7539@wolff.to>

There are some notes written by Jamal that come with the iproute2 source that describe some very significant features that are not even hinted at in the lartc document. They aren't real easy to run across if you don't know they exist and even when I did first see them, I wasn't sure if they represented the current state of things. I also ran across IMQ and it took me a while to realize that was a dead end.

It would be nice if at least the part on ingress filtering references them. The pipe action and ifb devices provide a way to overcome a lot of the ingress filtering limitations mentioned in the lartc document. The random action and packet mirroring action are probably of interest to people as well. It would have saved me a fair amount of time if these had been included as part of the lartc document.

From kcem at tlen.pl Tue Jan 30 13:39:57 2007
From: kcem at tlen.pl (Konrad Cempura)
Date: Tue Jan 30 13:40:24 2007
Subject: [LARTC] dev IFB, few questions
Message-ID: <45BF3C9D.3090709@tlen.pl>

I've made some tests... eth2 is my internal interface, LAN is connected here. Before I had an IMQ device in AB mode... PREROUTING [A]fter NAT, POSTROUTING [B]efore NAT. I want the same situation on ifb. I do this in this way:

---
# incoming traffic here from LAN is before NAT
tc qdisc add dev eth2 handle ffff: ingress

# outgoing traffic here from WAN is after NAT
tc qdisc add dev eth2 root handle 1:0 htb

tc filter add dev eth2 parent ffff: protocol ip prio 1 u32 match ip src 192.168.0.0/24 flowid 1:1 action mirred egress mirror dev ifb0
tc filter add dev eth2 parent 1:0 protocol ip prio 1 u32 match ip dst 192.168.0.0/24 flowid 1:2 action mirred egress mirror dev ifb0
---

Everything is working fine. I can catch packets from and to users by their IP address.
Of course in my script I'll use act_mirred redirect, but now I'm testing on mirror.

But my question is... Am I doing this in the right way? Does anybody know better rules?

And another question: is it possible to recognize if traffic is incoming or outgoing from a device using u32? I'm doing this - ip src 192.168.0.0/24 or ip dst - but to do this I need to know the IP addresses of my LAN. Is it possible to do this without this knowledge? Recognize incoming and outgoing traffic on a device by filters (u32)...

Thanks in advance :)

Konrad Cempura (a.k.a. Lenthir)

From huetmann at site38.ping.at Tue Jan 30 15:03:12 2007
From: huetmann at site38.ping.at (Peter Huetmannsberger)
Date: Tue Jan 30 15:03:26 2007
Subject: [LARTC] Multiple Internetconn. & DNAT
In-Reply-To: <45BF3C9D.3090709@tlen.pl>
References: <45BF3C9D.3090709@tlen.pl>
Message-ID:

Hello,

I came across a problem today, which after trying a number of approaches I could not solve, and I am hoping someone out there knows how to deal with this.

Situation:
2 different internet connections on eth2 and eth3

Traffic coming in on eth2 goes out on eth2 and traffic coming in on eth3 goes out on eth3 (because of rt_tables, and routes, which works fine) unless I do a DNAT to a different machine.

i.e.
default route is eth3
traffic comes in eth2 --> DNAT --> eth1
machine behind eth1 answers correctly, but the resulting packets choose the default route (eth3) to go out and not the way they came in.

or in ip address description:

default route is 81.223.13.xx1
eth3 = 81.223.13.xx2
eth2 = 91.112.38.xx8

Packets coming in via 91.112.38.xx8 for port 80 get DNATed to 192.168.10.199:80
on returning from 192.168.10.199 they choose the default route 81.223.13.xx2 on their way out.

Without the DNAT the setup works fine, with the DNAT they don't.

I am grateful for any suggestions.
Thanks
.peter

From bolivardg at ml.com.mx Wed Jan 31 00:21:52 2007
From: bolivardg at ml.com.mx (Bolivar Diaz Galarza)
Date: Wed Jan 31 00:17:54 2007
Subject: [LARTC] Problems matching tos on port 554
Message-ID: <002501c744c5$6cfca050$82f793c9@www>

Hi There,

I am trying to match mac address and tos at the same time. It mostly works for all ports, but recently I discovered that it doesn't, for example it does not work on port 554.

For each client I have two classes, one is the "good" traffic that I mark using iptables with the line, for example:

/sbin/iptables -t mangle -A PREROUTING -p tcp --sport 554 -j TOS --set-tos 0x10

Later on, I use tc filter to send the packets marked with tos 0x10 to the proper class which will be 1:1192 in this case, and the rest of the traffic matching that client's MAC address continues to 1:2192:

BAJADA="/sbin/tc filter add dev eth1 protocol ip parent 1:0 prio 1 u32 match u16 0x0800 0xffff at -2"
$BAJADA match u32 0x5bb517c8 0xffffffff at -12 match u16 0x0011 0xffff at -14 match ip tos 0x10 0xff flowid 1:1192
$BAJADA match u32 0x5bb517c8 0xffffffff at -12 match u16 0x0011 0xffff at -14 flowid 1:2192

I thought about marking the packets with iptables -j MARK --set-mark but I can't find a way of making this work and matching the MAC address at the same time.

Any help will be greatly appreciated.

Bolivar,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070130/63fd9f5c/attachment.htm

From lsharpe at pacificwireless.com.au Wed Jan 31 06:18:22 2007
From: lsharpe at pacificwireless.com.au (Leigh Sharpe)
Date: Wed Jan 31 06:19:15 2007
Subject: [LARTC] U32 VLAN Header match
Message-ID:

Hi all,

Is it possible to configure the u32 classifier to match on VLAN ID? Or any other bits in the 802.1 header for that matter? If so, can anybody tell me how? Or where to find out how?
Regards,
Leigh

Leigh Sharpe
Network Systems Engineer
Pacific Wireless
Ph +61 3 9584 8966
Mob 0408 009 502
email lsharpe@pacificwireless.com.au
web www.pacificwireless.com.au
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070131/a46827b8/attachment.html

From lsharpe at pacificwireless.com.au Wed Jan 31 07:35:36 2007
From: lsharpe at pacificwireless.com.au (Leigh Sharpe)
Date: Wed Jan 31 07:36:00 2007
Subject: [LARTC] tc act ipt errors
Message-ID:

Hi all,

I'm having a hell of a time getting tc and IFBs to co-operate. I've copied the following from http://linux-net.osdl.org/index.php/IFB:

--
export TC="/sbin/tc"

$TC qdisc add dev ifb0 root handle 1: prio
$TC qdisc add dev ifb0 parent 1:1 handle 10: sfq
$TC qdisc add dev ifb0 parent 1:2 handle 20: tbf rate 20kbit buffer 1600 limit 3000
$TC qdisc add dev ifb0 parent 1:3 handle 30: sfq
$TC filter add dev ifb0 protocol ip pref 1 parent 1: handle 1 fw classid 1:1
$TC filter add dev ifb0 protocol ip pref 2 parent 1: handle 2 fw classid 1:2

ifconfig ifb0 up

$TC qdisc add dev eth0 ingress

# redirect all IP packets arriving in eth0 to ifb0
# use mark 1 --> puts them onto class 1:1
$TC filter add dev eth0 parent ffff: protocol ip prio 10 u32 \
    match u32 0 0 flowid 1:1 \
    action ipt -j MARK --set-mark 1 \
    action mirred egress redirect dev ifb0
--

Gives me an error:

Tablename: mangle hook: NF_IP_PRE_ROUTING
        target: MARK set 0x1
        index 0
Action 4 device ifb0 ifindex 10
RTNETLINK answers: No such file or directory
We have an error talking to the kernel

Any ideas why? I have act_mirred loaded, and I have act_ipt loaded. What gives?
Regards,
Leigh

Leigh Sharpe
Network Systems Engineer
Pacific Wireless
Ph +61 3 9584 8966
Mob 0408 009 502
email lsharpe@pacificwireless.com.au
web www.pacificwireless.com.au

From pupilla at hotmail.com Wed Jan 31 09:37:23 2007
From: pupilla at hotmail.com (Marco Berizzi)
Date: Wed Jan 31 09:47:27 2007
Subject: [LARTC] tc act ipt errors
References:
Message-ID:

> Tablename: mangle hook: NF_IP_PRE_ROUTING
> target: MARK set 0x1 index 0
> Action 4 device ifb0 ifindex 10
> RTNETLINK answers: No such file or directory
> We have an error talking to the kernel

> I have act_mirred loaded, and I have
> act_ipt loaded. What gives?

Did you load the iptables mark module?

From radu at securesystems.ro Thu Feb 1 00:22:43 2007
From: radu at securesystems.ro (Radu Oprisan)
Date: Thu Feb 1 00:23:01 2007
Subject: [LARTC] Disable netfilter for bridged traffic
In-Reply-To: <200701091043.31823.luciano@lugmen.org.ar>
References: <4588D088.3050702@multitech.co.in> <459FEADF.5060609@securesystems.ro> <200701091043.31823.luciano@lugmen.org.ar>
Message-ID: <45C124C3.8070003@securesystems.ro>

Luciano Ruete wrote:
> On Saturday 06 January 2007 15:30, Radu Oprisan wrote:
>> senthil wrote:
>>> Hi All,
>>> Can anybody suggest how I can disable netfilter for bridged traffic in the linux-2.4.27 kernel?
>> If I understand the question, then you just need to ignore the interfaces for the bridge.
>
> this is not necessary cause bridged traffic is "layer 2" traffic, and there is not a chance that netfilter (layer 3) saw it.
>
> There is ebtables and iptables "physdev" in 2.6, to filter bridged traffic.

I'm sorry. I missed the part about 2.4.27 in the first message.
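Added helper, not from the list: a shell function that builds the negative-offset u32 matches Bolivar uses in the "Problems matching tos on port 554" thread above to select a client by MAC address, plus the two-filter pair from that post rebuilt from a MAC and a class suffix. The device name, MAC and class suffix in the demo call are the ones from that post; the src-MAC variant and the input validation are additions.

```shell
#!/bin/sh
# Added helper, not from the list post: builds the u32 "match ... at -N"
# clauses that select frames by MAC address, the negative-offset trick used
# in the BAJADA filters in Bolivar's message. Offsets are relative to the
# start of the IP header, so on a plain Ethernet device (no VLAN tag) the
# 14-byte Ethernet header sits at:
#     -14..-9  destination MAC    -8..-3  source MAC    -2..-1  ethertype
# tc folds a u16 key into the enclosing 4-byte word, so any even offset is
# fine for u16; u32 keys are kept on 4-byte boundaries (-12 below).

mac_match() {            # $1 = dst|src, $2 = MAC; prints the match clauses
    side=$1
    mac=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    H='[0-9a-f][0-9a-f]'
    case $mac in
        $H:$H:$H:$H:$H:$H) ;;
        *) return 1 ;;
    esac
    oldifs=$IFS; IFS=:; set -- $mac; IFS=$oldifs   # $1..$6 = the six bytes
    case $side in
        dst)   # bytes 2-5 as a u32 at -12, bytes 0-1 as a u16 at -14
            printf 'match u32 0x%s%s%s%s 0xffffffff at -12 match u16 0x%s%s 0xffff at -14\n' \
                "$3" "$4" "$5" "$6" "$1" "$2" ;;
        src)   # -6 is not 4-byte aligned, so use three u16 keys instead
            printf 'match u16 0x%s%s 0xffff at -8 match u16 0x%s%s 0xffff at -6 match u16 0x%s%s 0xffff at -4\n' \
                "$1" "$2" "$3" "$4" "$5" "$6" ;;
        *) return 1 ;;
    esac
}

# The per-client pair from the post, rebuilt from a MAC and class suffix:
# TOS 0x10 traffic to 1:1<suffix>, everything else for that MAC to 1:2<suffix>.
# Prints the two tc commands; pipe them through sh to apply them.
client_filters() {      # $1 = device, $2 = client MAC, $3 = class suffix
    m=$(mac_match dst "$2") || return 1
    base="tc filter add dev $1 protocol ip parent 1:0 prio 1 u32 match u16 0x0800 0xffff at -2"
    printf '%s %s match ip tos 0x10 0xff flowid 1:1%s\n' "$base" "$m" "$3"
    printf '%s %s flowid 1:2%s\n' "$base" "$m" "$3"
}

if [ "${1:-}" = demo ]; then
    client_filters eth1 00:11:5b:b5:17:c8 192   # the client from the post
fi
```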
From xenoterracide at gmail.com Thu Feb 1 04:41:30 2007
From: xenoterracide at gmail.com (Caleb Cushing)
Date: Thu Feb 1 04:42:25 2007
Subject: [LARTC] ipsec x.509 or kerberos
Message-ID: <81bfc67a0701311941kc95555fkb7787ec0a2064e3@mail.gmail.com>

I'm setting up an ipsec proxy (gentoo linux). I'm wondering whether I should use certificates or kerberos. I want it to be able to interact with windows. Opinions? Facts? Which is more secure?

From simonl at parknet.dk Thu Feb 1 06:18:48 2007
From: simonl at parknet.dk (Simon Lodal)
Date: Thu Feb 1 06:18:55 2007
Subject: [LARTC] [PATCH] HTB O(1) class lookup
Message-ID: <200702010618.48692.simonl@parknet.dk>

This patch changes HTB's class storage from hash+lists to a two-level linear array, so it can do constant time (O(1)) class lookup by classid. It improves scalability for a large number of classes.

Without the patch, ~14k htb classes can starve a Xeon-3.2 at only 15kpps, using most of its cycles traversing lists in htb_find(). The patch eliminates this problem, and has a measurable impact even with a few hundred classes.

Previously, scalability could be improved by increasing HTB_HSIZE, modifying the hash function, and recompiling, but this patch works for everyone without a recompile and scales better too.

The patch is for 2.6.20-rc6, I have older ones for 2.6.18 and 2.6.19 if anyone is interested.

Signed-off-by: Simon Lodal

A non-text attachment was scrubbed...
Name: htb_O(1)_class_lookup.diff
Type: text/x-diff
Size: 11212 bytes
Url: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070201/475f8a30/htb_O1_class_lookup.bin

From kaber at trash.net Thu Feb 1 07:08:47 2007
From: kaber at trash.net (Patrick McHardy)
Date: Sat Feb 3 15:43:48 2007
Subject: [LARTC] Re: [PATCH] HTB O(1) class lookup
In-Reply-To: <200702010618.48692.simonl@parknet.dk>
References: <200702010618.48692.simonl@parknet.dk>
Message-ID: <45C183EF.2040701@trash.net>

Simon Lodal wrote:
> This patch changes HTB's class storage from hash+lists to a two-level linear
> array, so it can do constant time (O(1)) class lookup by classid. It improves
> scalability for large number of classes.
>
> Without the patch, ~14k htb classes can starve a Xeon-3.2 at only 15kpps,
> using most of its cycles traversing lists in htb_find(). The patch
> eliminates this problem, and has a measurable impact even with a few hundred
> classes.
>
> Previously, scalability could be improved by increasing HTB_HSIZE, modify the
> hash function, and recompile, but this patch works for everyone without
> recompile and scales better too.

I agree that the current fixed sized hashes (additionally quite small by default) are a big problem with many classes, for all of HTB/HFSC/CBQ. But I think your approach is a bit wasteful: with unfortunately chosen classids, 128 classes are enough to reach the maximum memory usage of ~512kb (with 4k pages and 8 byte pointers).

I have a patch for HFSC which introduces dynamic resizing of the class hash. I have planned to generalize it (similar to tcf_hashinfo) and convert HTB and CBQ as well, which as a nice side effect will allow getting rid of some duplicated code, like hash walking. If you give me a few days I'll try to finish and post it.
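To put numbers on the patch description and on Patrick's memory objection, here is an added model (my own code, not the attached patch): a two-level page-sized array indexed by the 16-bit classid minor, with the pointer size modelled as a parameter so the 8-byte figure quoted above and the 4-byte case can both be computed on one machine. The lookup is two index computations and two loads; the worst case is one classid per leaf page.

```c
/* Added example, not the patch from this thread: a two-level, page-sized
 * array indexed by the 16-bit classid minor, so the O(1) lookup and the
 * worst-case memory figures discussed here can be checked. The pointer
 * size is modelled as a parameter (4 or 8) used only for accounting. */
#include <stdint.h>
#include <stdlib.h>

#define PAGE_SIZE   4096U
#define MINOR_SPACE 65536U      /* a classid minor is 16 bits */

struct htb_class { uint32_t classid; };

struct cls_table {
    unsigned slots_per_page;    /* PAGE_SIZE / modelled pointer size */
    unsigned npages;            /* MINOR_SPACE / slots_per_page */
    unsigned pages_allocated;   /* leaf pages actually in use */
    struct htb_class ***top;    /* npages entries, NULL until first use */
};

struct cls_table *cls_table_new(unsigned ptr_size)
{
    struct cls_table *t = calloc(1, sizeof *t);
    if (!t) return NULL;
    t->slots_per_page = PAGE_SIZE / ptr_size;
    t->npages = MINOR_SPACE / t->slots_per_page;
    t->top = calloc(t->npages, sizeof *t->top);
    if (t->top) return t;
    free(t);
    return NULL;
}

void cls_table_free(struct cls_table *t)
{
    if (!t) return;
    for (unsigned i = 0; i < t->npages; i++)
        free(t->top[i]);
    free(t->top);
    free(t);
}

/* Constant time: two index computations and two loads, no list walk. */
struct htb_class *cls_find(const struct cls_table *t, uint32_t classid)
{
    unsigned minor = classid & 0xffff;
    struct htb_class **leaf = t->top[minor / t->slots_per_page];
    return leaf ? leaf[minor % t->slots_per_page] : NULL;
}

/* A leaf page is allocated the first time any minor in its range is used.
 * Returns 0 on success, -1 on allocation failure or duplicate classid. */
int cls_insert(struct cls_table *t, struct htb_class *cl)
{
    unsigned minor = cl->classid & 0xffff;
    unsigned pi = minor / t->slots_per_page, si = minor % t->slots_per_page;
    if (!t->top[pi]) {
        t->top[pi] = calloc(t->slots_per_page, sizeof(struct htb_class *));
        if (!t->top[pi]) return -1;
        t->pages_allocated++;
    }
    if (t->top[pi][si]) return -1;
    t->top[pi][si] = cl;
    return 0;
}

/* Inserts the classids into a fresh table for the modelled pointer size and
 * returns how many leaf pages were allocated, or 0 if an inserted class is
 * not found again by cls_find. Duplicate ids are rejected and skipped. */
unsigned pages_for_classids(unsigned ptr_size, const uint32_t *ids, size_t n)
{
    struct cls_table *t = cls_table_new(ptr_size);
    struct htb_class *cls = calloc(n, sizeof *cls);
    unsigned pages = 0;
    int ok = t && cls;
    for (size_t i = 0; ok && i < n; i++) {
        cls[i].classid = ids[i];
        if (cls_insert(t, &cls[i]) == 0)
            ok = cls_find(t, ids[i]) == &cls[i];
    }
    if (ok) pages = t->pages_allocated;
    free(cls);
    cls_table_free(t);
    return pages;
}

/* Worst case: one classid per leaf page (minors 0, slots, 2*slots, ...).
 * Returns the leaf-page bytes that such a badly chosen id set costs. */
size_t worst_case_bytes(unsigned ptr_size)
{
    unsigned slots = PAGE_SIZE / ptr_size, npages = MINOR_SPACE / slots;
    uint32_t *ids = calloc(npages, sizeof *ids);
    size_t bytes = 0;
    if (ids) {
        for (unsigned i = 0; i < npages; i++)
            ids[i] = 0x00010000U | (i * slots);   /* 1:0, 1:slots, ... */
        bytes = (size_t)pages_for_classids(ptr_size, ids, npages) * PAGE_SIZE;
    }
    free(ids);
    return bytes;
}
```

With 8-byte pointers a page holds 512 slots, so 128 classids spaced 512 apart touch all 128 pages (512 KiB of leaves); with 4-byte pointers the hand-assigned ids 1:100, 1:101, 1:200 and so on (hex) all sit in the first page.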
From simonl at parknet.dk Thu Feb 1 08:08:20 2007
From: simonl at parknet.dk (Simon Lodal)
Date: Sat Feb 3 15:44:30 2007
Subject: [LARTC] Re: [PATCH] HTB O(1) class lookup
In-Reply-To: <45C183EF.2040701@trash.net>
References: <200702010618.48692.simonl@parknet.dk> <45C183EF.2040701@trash.net>
Message-ID: <200702010808.20416.simonl@parknet.dk>

On Thursday 01 February 2007 07:08, Patrick McHardy wrote:
> Simon Lodal wrote:
> > This patch changes HTB's class storage from hash+lists to a two-level
> > linear array, so it can do constant time (O(1)) class lookup by classid.
> > It improves scalability for large number of classes.
> >
> > Without the patch, ~14k htb classes can starve a Xeon-3.2 at only 15kpps,
> > using most of its cycles traversing lists in htb_find(). The patch
> > eliminates this problem, and has a measurable impact even with a few
> > hundred classes.
> >
> > Previously, scalability could be improved by increasing HTB_HSIZE, modify
> > the hash function, and recompile, but this patch works for everyone
> > without recompile and scales better too.
>
> I agree that the current fixed sized hashes (additionally quite
> small by default) are a big problem with many classes, for all of
> HTB/HFSC/CBQ. But I think your approach is a bit wasteful, with
> unfortunately chosen classids 128 classes are enough to reach the
> maximum memory usage of ~512kb (with 4k pages and 8 byte pointers).

I think it is a non-issue since it does not happen in practice. Generally there are two ways to assign classids:

1) Manually, used when you have few classes. People usually use 100, 101, 102, 200, 201 etc (probably unaware that they are hex). With 4k pages and 32bit pointers, everything below classid 400 is within the first page, which covers most "few classes" examples you can find lying around.

2) Script generated, in practice this is required if you have many classes.
The classids will then usually be consecutive, at least in large chunks, which means minimal memory waste, and an optimal case for plain linear lookup; hashing them can only be wasteful.

> I have a patch for HFSC which introduces dynamic resizing of the
> class hash. I have planned to generalize it (similar to tcf_hashinfo)
> and convert HTB and CBQ as well, which as a nice side effect will
> allow to get rid of some duplicated code, like hash walking.

I have not been looking into HFSC and CBQ, was not aware that they have similar issues.

> If you give me a few days I'll try to finish and post it.

Memory is generally not an issue, but CPU is, and you can not beat the CPU efficiency of plain array lookup (always faster, and constant time).

If anything, I would find it more relevant to use array lookup with dynamic adjustment of the array size (HTB_CLS_ARRAY_SIZE in my patch); start out small to waste less memory, increase up to PAGE_SIZE as needed. But then, it is probably too much effort for the gain (a few kb's in machines that should have plenty of RAM anyway), and requires more code => more complexity, bugs, maintenance.

Regards
Simon

From pekster-main at usa.net Thu Feb 1 23:20:02 2007
From: pekster-main at usa.net (Josh)
Date: Sat Feb 3 15:52:37 2007
Subject: [LARTC] tc filter Questions
Message-ID: <45C26792.2020601@usa.net>

An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070201/7fe32170/attachment-0001.html
A non-text attachment was scrubbed...
Name: tc_diagram.pdf
Type: application/pdf
Size: 18869 bytes
Url: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070201/7fe32170/tc_diagram-0001.pdf

From kcem at tlen.pl Thu Feb 1 23:44:52 2007
From: kcem at tlen.pl (Konrad Cempura)
Date: Sat Feb 3 15:52:46 2007
Subject: [LARTC] [PATCH] HTB O(1) class lookup
In-Reply-To: <200702010618.48692.simonl@parknet.dk>
References: <200702010618.48692.simonl@parknet.dk>
Message-ID: <45C26D64.9010700@tlen.pl>

Simon Lodal wrote:
> The patch is for 2.6.20-rc6, I have older ones for 2.6.18 and 2.6.19 if anyone
> is interested.

It's working also on 2.6.20-rc7. I'm testing it and I'm impressed. Good work :)

From administrator at netwlan.net Fri Feb 2 10:32:30 2007
From: administrator at netwlan.net (Ivan Vladimirov)
Date: Sat Feb 3 15:55:32 2007
Subject: [LARTC] Throughput
In-Reply-To: <20070125154016.2a45cd30@localhost>
References: <006f01c73fdc$30f4c0d0$92de4270$@eu> <20070125154016.2a45cd30@localhost>
Message-ID: <45C3052E.60105@netwlan.net>

An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070202/35105641/attachment.htm

From tom at debost.net Sat Feb 3 02:44:15 2007
From: tom at debost.net (tomdeb)
Date: Sat Feb 3 15:58:28 2007
Subject: [LARTC] Marks not working...
Message-ID: <20070203014415.GA15078@snoopy>

Hi,

I am experimenting a little bit with my firewall and I don't seem to get my head round marks... I try to mark p2p packets generated on the firewall in the OUTPUT chain and then try to match that mark either in NAT OUTPUT or POSTROUTING, but I don't get the expected result. Any help or clue would be more than welcome.
root@droopy:~/firewall > iptables-view -t mangle
Chain PREROUTING (policy ACCEPT 33890 packets, 16M bytes)
num   pkts bytes target  prot opt in  out  source      destination

Chain INPUT (policy ACCEPT 24751 packets, 12M bytes)
num   pkts bytes target  prot opt in  out  source      destination

Chain FORWARD (policy ACCEPT 9146 packets, 4557K bytes)
num   pkts bytes target  prot opt in  out  source      destination

Chain OUTPUT (policy ACCEPT 59M packets, 61G bytes)
num   pkts bytes target  prot opt in  out  source      destination
1        3   324 LOG     0    --  *   *    0.0.0.0/0   0.0.0.0/0   ipp2p v0.8.2 --ipp2p LOG flags 0 level 4 prefix ` OUT IPP2P '
2        3   324 MARK    0    --  *   *    0.0.0.0/0   0.0.0.0/0   ipp2p v0.8.2 --ipp2p MARK set 0x2

Chain POSTROUTING (policy ACCEPT 32911 packets, 7397K bytes)
num   pkts bytes target  prot opt in  out  source      destination

root@droopy:~/firewall > iptables-view -t nat
Chain PREROUTING (policy ACCEPT 973 packets, 62249 bytes)
num   pkts bytes target  prot opt in  out  source      destination

Chain POSTROUTING (policy ACCEPT 227 packets, 14178 bytes)
num   pkts bytes target  prot opt in  out  source      destination
1        0     0 LOG     0    --  *   *    0.0.0.0/0   0.0.0.0/0   MARK match 0x2 LOG flags 0 level 4 prefix ` MARK IPP2P '

Chain OUTPUT (policy ACCEPT 226 packets, 14172 bytes)
num   pkts bytes target  prot opt in  out  source      destination
1        0     0 LOG     0    --  *   *    0.0.0.0/0   0.0.0.0/0   MARK match 0x2 LOG flags 0 level 4 prefix ` MARK IPP2P '

ToM

From timo.benk at gmx.de Sat Feb 3 16:07:27 2007
From: timo.benk at gmx.de (Timo Benk)
Date: Sat Feb 3 16:07:41 2007
Subject: [LARTC] ingress qdisc problem
Message-ID: <45C4A52F.5070208@gmx.de>

Hello,

I try to limit the incoming traffic rate using the ingress qdisc, but it does not work for me.
Here is what I have done:

# sudo tc qdisc add dev eth1 ingress
# tc filter add dev eth1 parent ffff:0 protocol ip prio 1 u32 match ip dst 172.17.0.101/32 police rate 10kbit buffer 10k drop

The ingress qdisc is there:

# tc -s qdisc show dev eth1
qdisc pfifo_fast 0: bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 165366 bytes 2142 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc ingress ffff: ----------------
 Sent 5125378 bytes 3554 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

But I cannot see any filter:

# tc -s filter show dev eth1

The traffic is not limited. Anyone here who can point me in the right direction as to what I have done wrong?

Greetings,
-timo

--
Timo Benk - Jabber ID: fry@downtempo.de - ICQ ID: #414944731
PGP Public Key: http://m28s01.vlinux.de/timo_benk_gpg_key.asc

From erestor.elensar at gmail.com Sat Feb 3 16:08:17 2007
From: erestor.elensar at gmail.com (Erestor Elensar)
Date: Sat Feb 3 16:08:24 2007
Subject: [LARTC] Traffic goes not through filters.
Message-ID: <45C4A561.7040904@gmail.com>

Hi,

I think I have made an error with my filters but I can't find it. We have a site to site tunnel and want to separate the traffic in two queues, http and business. I'm now filtering on protocol 8080 prio 2 and ip range prio 1. As I read the manual I've seen that the filters are executed by prio, which means that all goes through the business queue because all traffic is for the same ip range. And indeed I see only traffic in 1:30 and not in 1:20. Can someone tell me how to set this up? Thanks.
My code:

#!/bin/ksh
# QOS schema ----------------------------------------
# QDISC-ID 1:
#      |
# MAINCLASS-ID 1:1
#      /      \
#   1:20:    1:30:
#     |        |
#    SQF      SQF
# FILTER 1: FILTER 1:
#
# 1:10 Always reserved for VOIP even if not used
# 1:20 HTTP
# 1:30 All other data (could be split up in 1:30)
#
# This script requires a parameter
#----------------------------------------------------
#set -o xtrace

# Variables
DEV="tun3"
MAXBAND="256Kbit"
QDISC_ID="1"
QDISC_DEFAULT_HTB="10"
MAINCLASS_HANDLE="1"
MAINCLASS_ID="${QDISC_ID}:${MAINCLASS_HANDLE}"
# HANDLE 10 is reserved for VOIP
HTTP_HANDLE="20"
HTTP_CLASS_ID="${QDISC_ID}:${HTTP_HANDLE}"
HTTP_RATE="64Kbit"
HTTP_PRIO="3"
DATA_HANDLE="30"
DATA_CLASS_ID="${QDISC_ID}:${DATA_HANDLE}"
DATA_RATE="192Kbit"
DATA_PRIO="2"

# Check the parameter
case "$1" in
start)
    # The root queue
    tc qdisc add dev ${DEV} root handle ${QDISC_ID}: htb default ${QDISC_DEFAULT_HTB}
    # The main class with the full bandwidth of 256Kbit
    tc class add dev ${DEV} parent ${QDISC_ID}: classid ${MAINCLASS_ID} htb rate ${MAXBAND}

    # Classes for each queue
    # HTTP 64Kbit burst MaxBand
    tc class add dev ${DEV} parent ${MAINCLASS_ID} classid ${HTTP_CLASS_ID} htb rate ${HTTP_RATE} ceil ${MAXBAND}
    tc qdisc add dev ${DEV} parent ${HTTP_CLASS_ID} handle ${HTTP_HANDLE}: sfq perturb ${HTTP_HANDLE}
    # All other traffic burst MaxBand
    tc class add dev ${DEV} parent ${MAINCLASS_ID} classid ${DATA_CLASS_ID} htb rate ${DATA_RATE} ceil ${MAXBAND}
    tc qdisc add dev ${DEV} parent ${DATA_CLASS_ID} handle ${DATA_HANDLE}: sfq perturb ${DATA_HANDLE}

    # The filters that send the traffic through the right class
    # HTTP
    tc filter add dev ${DEV} protocol ip parent ${QDISC_ID}: prio ${HTTP_PRIO} u32 match ip sport 8080 0xffff flowid ${HTTP_CLASS_ID}
    # Other data
    tc filter add dev ${DEV} protocol ip parent ${QDISC_ID}: prio ${DATA_PRIO} u32 match ip dst 10.32.0.0/22 flowid ${DATA_CLASS_ID}
    ;;
stop)
    tc qdisc del dev ${DEV} root
    ;;
status)
    tc -s class show dev ${DEV}
    ;;
esac

From xenoterracide at gmail.com Sat Feb 3 21:56:19 2007
From: xenoterracide at gmail.com (Caleb Cushing)
Date: Sat Feb 3 21:56:28 2007
Subject: [LARTC] ipsec and x509 certificate
Message-ID: <81bfc67a0702031256l3cd988c1m6bf13bb8aa2c53d@mail.gmail.com>

hi

I'm trying to get ipsec working with x509 certificates, however I just can't seem to. I've hit a road block and was wondering if someone could help me figure it out.

my racoon.conf (I have it mirrored on the connecting machine):

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/certs";

remote anonymous {
        exchange_mode aggressive,main;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        lifetime time 2 min;    # sec,min,hour
        initial_contact on;
        proposal_check obey;    # obey, strict or claim
        certificate_type x509 "slave1.public" "slave1.private";
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2 ;
        }
}

sainfo anonymous {
        pfs_group 1;
        lifetime time 2 min;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate ;
}

remote 192.168.0.29 {
        exchange_mode aggressive,main;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        certificate_type x509 "slave1.public" "slave1.private";
        peers_certfile "slave2.public";
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2 ;
        }
}

my racoon.log says this:

2007-02-01 15:12:54: INFO: @(#)ipsec-tools 0.6.3 (http://ipsec-tools.sourceforge.net)
2007-02-01 15:12:54: INFO: @(#)This product linked OpenSSL 0.9.8d 28 Sep 2006 (http://www.openssl.org/)
2007-02-01 15:12:54: ERROR: failed to bind to address 127.0.0.1[500] (Address already in use).
2007-02-01 15:12:54: ERROR: failed to bind to address 207.179.73.150[500] (Address already in use).
2007-02-01 15:12:54: ERROR: failed to bind to address 192.168.1.2[500] (Address already in use).
2007-02-01 15:12:54: ERROR: failed to bind to address 192.168.0.1[500] (Address already in use).
2007-02-01 15:12:54: ERROR: no address could be bound.
2007-02-01 15:34:02: INFO: @(#)ipsec-tools 0.6.3 (http://ipsec-tools.sourceforge.net)
2007-02-01 15:34:02: INFO: @(#)This product linked OpenSSL 0.9.8d 28 Sep 2006 (http://www.openssl.org/)
2007-02-01 15:34:02: WARNING: /etc/racoon/racoon.conf:42: ""slave2.public" This directive without certtype will be removed!
2007-02-01 15:34:02: WARNING: /etc/racoon/racoon.conf:42: ""slave2.public" Please use 'peers_certfile x509 "slave2.public";' instead
2007-02-01 15:34:02: ERROR: failed to bind to address 127.0.0.1[500] (Address already in use).
2007-02-01 15:34:02: ERROR: failed to bind to address [500] (Address already in use).
2007-02-01 15:34:02: ERROR: failed to bind to address 192.168.1.2[500] (Address already in use).
2007-02-01 15:34:02: ERROR: failed to bind to address 192.168.0.1[500] (Address already in use).
2007-02-01 15:34:02: ERROR: no address could be bound.

how do I get it to be bound? is it possible to have it not bound?

From mnhassan at usa.net Sun Feb 4 03:49:28 2007
From: mnhassan at usa.net (Nyamul Hassaan)
Date: Sun Feb 4 03:47:45 2007
Subject: [LARTC] VPN Solution
Message-ID: <00be01c74807$1d7b9dc0$58c170cb@isprossrv02>

Greeting List Members,

I'm not sure if what I want to do is possible at all. I have an office network (ONet) with 3 uplinks. Each of these ISPs gives me a block of /26 to /29 IP addresses, as my needs / demands are. Now, I have a remote server (RS) hosted in a data center, which communicates with several hosts in my office. What we want to do is encrypt the data being transferred between RS and ONet. We already established an IPSEC tunnel between RS and ONet through 1 of the uplinks. Is it possible to have 3 different IPSEC tunnels through the 3 uplinks, and then have load balancing between the 3?

We have also taken a /26 block from the data center provider, and have routed the /26 through the IPSEC to our ONet. Can we have the same /26 use the 3 uplinks configured as IPSEC tunnels and load balance between them?
If you need any more explanation, I would be happy to provide that.

Regards
HASSAAN

An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070204/8ab0adba/attachment.html

From salatiel.filho at gmail.com Sun Feb 4 14:29:09 2007
From: salatiel.filho at gmail.com (Salatiel Filho)
Date: Sun Feb 4 14:29:24 2007
Subject: [LARTC] tc ingress + iptables mark problem

Hi guys, I am starting to "play" with qos in linux. Well, I am trying to setup an ingress filter but I do not know why it is not working.

tc qdisc add dev eth0 ingress
tc filter add dev eth0 parent ffff: protocol ip prio 1 handle 1 fw police rate 160kbit burst 256kbit drop flowid :1

After that:

iptables -A PREROUTING -t mangle -p tcp --sport 80 -j MARK --set-mark 1

So, I think this should make all traffic from port 80 be filtered by tc, does it?

But it is not working, I keep downloading at full speed from port 80.

Any help?

--
[]'s
Salatiel

"The greatest pleasure of a clever person is to play the fool in front of a fool who plays clever."

From alex at zoomnet.ro Sun Feb 4 14:32:44 2007
From: alex at zoomnet.ro (Alexandru Dragoi)
Date: Sun Feb 4 14:32:18 2007
Subject: [LARTC] tc ingress + iptables mark problem
Message-ID: <45C5E07C.5030509@zoomnet.ro>

Salatiel Filho wrote:
> Hi guys, I am starting to "play" with qos in linux. Well, I am
> trying to setup an ingress filter but I do not know why it is not
> working.
>
> tc qdisc add dev eth0 ingress
> tc filter add dev eth0 parent ffff: protocol ip prio 1 handle 1 fw
> police rate 160kbit burst 256kbit drop flowid :1
>
> After that:
>
> iptables -A PREROUTING -t mangle -p tcp --sport 80 -j MARK --set-mark 1
>
> So, I think this should make all traffic from port 80 be filtered by
> tc, does it?
>
> But it is not working, I keep downloading at full speed from port 80.
>
> Any help?
>
I think because the MARK-ing is done after the ingress.
Better use u32 on ingress.

From salatiel.filho at gmail.com Sun Feb 4 14:40:48 2007
From: salatiel.filho at gmail.com (Salatiel Filho)
Date: Sun Feb 4 14:40:54 2007
Subject: [LARTC] tc ingress + iptables mark problem
In-Reply-To: <45C5E07C.5030509@zoomnet.ro>
References: <45C5E07C.5030509@zoomnet.ro>

On 2/4/07, Alexandru Dragoi wrote:
> Salatiel Filho wrote:
> > Hi guys, I am starting to "play" with qos in linux. Well, I am
> > trying to setup an ingress filter but I do not know why it is not
> > working.
> >
> > tc qdisc add dev eth0 ingress
> > tc filter add dev eth0 parent ffff: protocol ip prio 1 handle 1 fw
> > police rate 160kbit burst 256kbit drop flowid :1
> >
> > After that:
> >
> > iptables -A PREROUTING -t mangle -p tcp --sport 80 -j MARK --set-mark 1
> >
> > So, I think this should make all traffic from port 80 be filtered by
> > tc, does it?
> >
> > But it is not working, I keep downloading at full speed from port 80.
> >
> > Any help?
> >
> I think because the MARK-ing is done after the ingress. Better use u32
> on ingress.
>
I did not know that :D
Now I am gonna try to understand u32.

2 doubts:

1) Do tc filters work like iptables [first match stops the chain]?
2) What exactly does "rate 160kbit burst 256kbit" mean? Rate 160 and can go till 256? Rate 160 and can go till 160 + 256?

From zhukov at gawab.com Sun Feb 4 15:32:32 2007
From: zhukov at gawab.com (Georgy Zhukov)
Date: Sun Feb 4 15:32:44 2007
Subject: [LARTC] tc ingress + iptables mark problem
References: <45C5E07C.5030509@zoomnet.ro>
Message-ID: <30a2c22b0702040632g488cb96aq27c42f837699fdec@mail.gmail.com>

On 2/4/07, Salatiel Filho wrote:
>
> On 2/4/07, Alexandru Dragoi wrote:
> > Salatiel Filho wrote:
> > > Hi guys, I am starting to "play" with qos in linux.
> > > Well, I am trying to setup an ingress filter but I do not know why it is not
> > > working.
> > >
> > > tc qdisc add dev eth0 ingress
> > > tc filter add dev eth0 parent ffff: protocol ip prio 1 handle 1 fw
> > > police rate 160kbit burst 256kbit drop flowid :1
> > >
> > > After that:
> > >
> > > iptables -A PREROUTING -t mangle -p tcp --sport 80 -j MARK --set-mark 1
> > >
> > > So, I think this should make all traffic from port 80 be filtered by
> > > tc, does it?
> > >
> > > But it is not working, I keep downloading at full speed from port 80.
> > >
> > > Any help?
> > >
> > I think because the MARK-ing is done after the ingress. Better use u32
> > on ingress.
> >
> I did not know that :D
> Now I am gonna try to understand u32.

Once I wanted to do something similar and it worked ok with u32.

> 2 doubts:
>
> 1) Do tc filters work like iptables [first match stops the chain]?
> 2) What exactly does "rate 160kbit burst 256kbit" mean? Rate 160 and
> can go till 256? Rate 160 and can go till 160 + 256?

Rate 160 and can allow until 256.

An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070204/ec76d466/attachment.htm

From salatiel.filho at gmail.com Sun Feb 4 15:36:28 2007
From: salatiel.filho at gmail.com (Salatiel Filho)
Date: Sun Feb 4 15:36:32 2007
Subject: [LARTC] tc ingress + iptables mark problem
In-Reply-To: <30a2c22b0702040632g488cb96aq27c42f837699fdec@mail.gmail.com>
References: <45C5E07C.5030509@zoomnet.ro> <30a2c22b0702040632g488cb96aq27c42f837699fdec@mail.gmail.com>

On 2/4/07, Georgy Zhukov wrote:
>
> On 2/4/07, Salatiel Filho wrote:
> > On 2/4/07, Alexandru Dragoi wrote:
> > > Salatiel Filho wrote:
> > > > Hi guys, I am starting to "play" with qos in linux. Well, I am
> > > > trying to setup an ingress filter but I do not know why it is not
> > > > working.
> > > >
> > > > tc qdisc add dev eth0 ingress
> > > > tc filter add dev eth0 parent ffff: protocol ip prio 1 handle 1 fw
> > > > police rate 160kbit burst 256kbit drop flowid :1
> > > >
> > > > After that:
> > > >
> > > > iptables -A PREROUTING -t mangle -p tcp --sport 80 -j MARK --set-mark 1
> > > >
> > > > So, I think this should make all traffic from port 80 be filtered by
> > > > tc, does it?
> > > >
> > > > But it is not working, I keep downloading at full speed from port 80.
> > > >
> > > > Any help?
> > > >
> > > I think because the MARK-ing is done after the ingress. Better use u32
> > > on ingress.
> > >
> > I did not know that :D
> > Now I am gonna try to understand u32.
>
> Once I wanted to do something similar and it worked ok with u32.
Well, according to:
http://www.lartc.org/lartc.html#LARTC.ADV-QDISC.INGRESS
it should work, see this:

############################################################
$iptables -A PREROUTING -i $INDEV -t mangle -p tcp --syn \
   -j MARK --set-mark 1
############################################################
#
# install the ingress qdisc on the ingress interface
############################################################
$TC qdisc add dev $INDEV handle ffff: ingress
############################################################
#
#
# SYN packets are 40 bytes (320 bits) so three SYNs equals
# 960 bits (approximately 1kbit); so we rate limit below
# the incoming SYNs to 3/sec (not very useful really; but
# serves to show the point - JHS
############################################################
$TC filter add dev $INDEV parent ffff: protocol ip prio 50 handle 1 fw \
   police rate 1kbit burst 40 mtu 9k drop flowid :1
############################################################

> > 2 doubts:
> >
> > 1) Do tc filters work like iptables [first match stops the chain]?

What about this first question?

> > 2) What exactly does "rate 160kbit burst 256kbit" mean? Rate 160 and
> > can go till 256? Rate 160 and can go till 160 + 256?
>
> Rate 160 and can allow until 256.
From junior.listas at gmail.com Sun Feb 4 19:07:09 2007
From: junior.listas at gmail.com (JC Júnior)
Date: Sun Feb 4 19:06:55 2007
Subject: [LARTC] load balance problem
Message-ID: <1170612429.4901.15.camel@edgy.virtua.com.br>

Hi friends;

I'm having troubles with load balance. I followed the lartc howto; apparently everything works fine, the firewall selects the right link when the other is down, but when I try to use clients (windows) some pages open without pictures, some not; when I "ping" somewhere 50% of the packets are lost, sometimes it doesn't "ping"... This firewall only does nat, without any rule, without squid... The firewall shows some logs on the terminal: "MASQUERADE: Route Send us to somewhere else". Where is my mistake?? Any help?? Thanks a lot!!

JC Junior

From mingching.tiew at redtone.com Mon Feb 5 02:28:37 2007
From: mingching.tiew at redtone.com (Ming-Ching Tiew)
Date: Mon Feb 5 02:25:32 2007
Subject: [LARTC] tc filter matches ip fields inside pppoe frames
Message-ID: <006701c748c4$f6082fb0$0100a8c0@MingChing>

Skipped content of type multipart/alternative

From riomartin at bloomasia.com Mon Feb 5 04:43:49 2007
From: riomartin at bloomasia.com (Rio Martin)
Date: Mon Feb 5 04:44:07 2007
Subject: [LARTC] Shape incoming & outgoing multiple-backbone traffic

Dear all,

I have 3 backbones for my local network.

1st backbone: down 1024kbps, up 1024kbps through eth1
2nd backbone: down 2048kbps, up 2048kbps through eth2
3rd backbone: down 1024kbps, up 128kbps through eth3
Local network: 192.168.0.0/16 through eth0
Router: Linux Slackware 11 with iproute2

Please let me know how to shape both incoming and outgoing traffic for this case.
The LARTC doc only shows 1 backbone. Any idea how to use HTB?

Thanks before.

- Rio.Martin -

From mingching.tiew at redtone.com Mon Feb 5 11:11:41 2007
From: mingching.tiew at redtone.com (Ming-Ching Tiew)
Date: Mon Feb 5 11:09:18 2007
Subject: [LARTC] Re: tc filter matches ip fields inside pppoe frames
Message-ID: <027101c7490e$07d9c2f0$0100a8c0@MingChing>

Skipped content of type multipart/alternative

From jarkao2 at o2.pl Mon Feb 5 11:16:38 2007
From: jarkao2 at o2.pl (Jarek Poplawski)
Date: Mon Feb 5 11:13:50 2007
Subject: [LARTC] Re: [PATCH] HTB O(1) class lookup
Message-ID: <20070205101637.GB1863@ff.dom.local>

On 01-02-2007 12:30, Andi Kleen wrote:
> Simon Lodal writes:
>> Memory is generally not an issue, but CPU is, and you can not beat the CPU
>> efficiency of plain array lookup (always faster, and constant time).

Probably for some old (or embedded) lean boxes used for small network routers, with memory hungry iptables, memory could be an issue.

> Actually that's not true when the array doesn't fit in cache.
>
> The cost of going out to memory over caches is so large (factor 100 and more)
> that often algorithms with smaller cache footprint can easily beat
> algorithms that execute much less instructions if it has less cache misses.
> That is because not all instructions have the same cost; anything
> in core is very fast but going out to memory is very slow.
>
> That said I think I agree with your analysis that a two level
> array is probably the right data structure for this and likely
> not less cache efficient than the hash table.

Strange - it seems you gave only arguments against this analysis...
> And the worst memory consumption case considered by Patrick should
> be relatively unlikely.

Anyway, such an approach, that most users do something this (reasonable) way, doesn't look like good programming practice. I wonder, why not try, at least for a while, to make this a compile (menuconfig) option with a comment: recommended for a large number of classes. After hash optimization and some testing, final decisions could be made.

Regards,
Jarek P.

From anthony at anroet.com Mon Feb 5 11:38:46 2007
From: anthony at anroet.com (Anthony Kamau)
Date: Mon Feb 5 11:38:56 2007
Subject: [LARTC] Problems with HTB. Help!
Message-ID: <043001c74911$d06d1570$8cc8a8c0@anroet.com>

Hello list.

I've configured a very simple script to slow down packets coming from a particular IP address. I've used IPTABLES to mark traffic coming from this IP address, but it does not appear to be working as expected. Let me first describe my system, as maybe what I'm doing is beyond what NETFILTER can do. I have one machine that runs all my servers as VMs. The P2P WinXP box and the router are virtualized. So too is the Windows 2003 DNS server. Please have a look at the traffic control script below and let me know if I've done something wrong!

Cheers,
tkb.

Below is the script. You'll note that I've even tried using a filter (attached to eth0 - LAN) linking parent at eth0 going to a class on eth1 - is this even valid? tc did not seem to complain about it so I figured it must be okay.

#*******************************************************************
#!/bin/bash
# Whole purpose of this is to slow the P2P WinXP box down!
################################### # Reset everything to known state # ################################### tc qdisc del dev eth0 root tc qdisc del dev eth1 root #################### # Setup the qdiscs # #################### tc qdisc add dev eth0 parent root handle 1: htb default 10 tc qdisc add dev eth1 parent root handle 2: htb default 10 ########################## # Setup the root classes # ########################## tc class add dev eth0 parent 1: classid 1:1 htb rate 10mbit \ ceil 10mbit tc class add dev eth1 parent 2: classid 2:1 htb rate 384kbit \ ceil 384kbit burst 15k ########################### # Setup the child classes # ########################### tc class add dev eth0 parent 1:1 classid 1:10 htb rate 10mbit \ ceil 10mbit prio 0 tc class add dev eth1 parent 2:1 classid 2:10 htb rate 224kbit \ ceil 384kbit prio 0 tc class add dev eth1 parent 2:1 classid 2:11 htb rate 100kbit \ ceil 100kbit prio 1 tc class add dev eth1 parent 2:1 classid 2:12 htb rate 60kbit \ ceil 60kbit prio 2 ##################### # Setup the filters # ##################### # match acks the hard way, # IP protocol 6, # IP header length 0x5(32 bit words), # IP Total length 0x34 (ACK + 12 bytes of TCP options) # TCP ack set (bit 5, offset 33) ACK="tc filter add dev eth1 protocol ip parent 2:0 prio 0 u32" $ACK match ip protocol 6 0xff \ match u8 0x05 0x0f at 0 \ match u16 0x0000 0xffc0 at 2 \ match u8 0x10 0xff at 33 \ classid 2:11 #**U32_0="tc filter add dev eth0 protocol ip parent 1:0 u32" #**$U32_0 match ip src 192.168.200.163 classid 2:12 #U32_1="tc filter add dev eth1 protocol ip parent 2:0 u32" P2P="tc filter add dev eth1 protocol ip parent 2:0 prio 10" $P2P handle 1 fw classid 2:12 #################################################### # Setup the queue discipline for the child classes # #################################################### tc qdisc add dev eth1 parent 2:10 handle 10: sfq perturb 10 tc qdisc add dev eth1 parent 2:11 handle 11: sfq perturb 10 tc qdisc add dev eth1 
parent 2:12 handle 12: sfq perturb 10 #************************************************************************ From gustavo at angulosolido.pt Mon Feb 5 11:51:35 2007 From: gustavo at angulosolido.pt (Gustavo Homem) Date: Mon Feb 5 11:54:59 2007 Subject: [LARTC] Shape incoming & outgoing multiple-backbone traffic In-Reply-To: References: Message-ID: <200702051051.35245.gustavo@angulosolido.pt> Hi, On Monday 05 February 2007 03:43, Rio Martin wrote: > Dear all, > I have 3 backbones for my local network. > > 1st backbone: down 1024kbps, up 1024kbps through eth1 > 2nd backbone: down 2048kbps, up 2048kbps through eth2 > 3rd backbone: down 1024kbps, up 128kbps through eth3 > Local network: 192.168.0.0/16 through eth0 > Router: Linux Slackware 11 with iproute2 > > Please let me know how to shape both incoming and outgoing traffic for > this case. > LARTC doc only showing just 1 backbone. > Any idea to use HTB ? If shaping the outgoing traffic and policing the incoming traffic (rate limiting only) is enough, take a look at this: http://downloads.angulosolido.pt/QoS/HTB_shaper_basic.sh the HTB_shape and limit_incoming functions already do what you need. After you get familiar with it, you can adapt it as needed. Regards Gustavo > > Thanks before.
> > - Rio.Martin - > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc -- Angulo Sólido - Tecnologias de Informação http://angulosolido.pt From simonl at parknet.dk Mon Feb 5 18:14:13 2007 From: simonl at parknet.dk (Simon Lodal) Date: Mon Feb 5 18:14:41 2007 Subject: [LARTC] Re: [PATCH] HTB O(1) class lookup In-Reply-To: <20070205101637.GB1863@ff.dom.local> References: <20070205101637.GB1863@ff.dom.local> Message-ID: <200702051814.13899.simonl@parknet.dk> On Monday 05 February 2007 11:16, Jarek Poplawski wrote: > On 01-02-2007 12:30, Andi Kleen wrote: > > Simon Lodal writes: > >> Memory is generally not an issue, but CPU is, and you can not beat the > >> CPU efficiency of plain array lookup (always faster, and constant time). > > Probably for some old (or embedded) lean boxes used for > small network routers, with memory hungry iptables - > memory could be an issue. Sure, but if they are that constrained they probably do not run HTB in the first place. We are talking about 4k initially, up to 256k worst case (or 512k if your router is 64bit, unlikely if "small" is a priority). > > And the worst memory consumption case considered by Patrick should > > be relatively unlikely. > > Anyway, such approach, that most users do something > this (reasonable) way, doesn't look like good > programming practice. The current hash algorithm also assumes certain usage patterns, namely that you choose classids that generate different hash keys (= distribute uniformly across the buckets), or scalability will suffer very quickly. Even at 64 classes you would probably see htb_find() near the top of a profiling analysis. But I would say that it is just as unlikely as choosing 64 classids that cause my patch to allocate all 256k. In these unlikely cases, my patch only wastes passive memory, while the current htb wastes cpu to a point where it can severely limit routing performance.
> I wonder, why not try, at least for a while, to do this > a compile (menuconfig) option with a comment: > recommended for a large number of classes. After hash > optimization and some testing, final decisions could be > made. I decided not to do it because it would mean too many ifdefs (ugly+unmaintainable code). Regards Simon From simonl at parknet.dk Mon Feb 5 19:21:19 2007 From: simonl at parknet.dk (Simon Lodal) Date: Mon Feb 5 19:22:16 2007 Subject: [LARTC] Re: [PATCH] HTB O(1) class lookup In-Reply-To: References: <200702010618.48692.simonl@parknet.dk> <200702010808.20416.simonl@parknet.dk> Message-ID: <200702051921.20146.simonl@parknet.dk> On Thursday 01 February 2007 12:30, Andi Kleen wrote: > Simon Lodal writes: > > Memory is generally not an issue, but CPU is, and you can not beat the > > CPU efficiency of plain array lookup (always faster, and constant time). > > Actually that's not true when the array doesn't fit in cache. > > The cost of going out to memory over caches is so large (factor 100 and > more) that often algorithms with smaller cache footprint can easily beat > algorithms that execute much less instructions if it has less cache misses. > That is because not all instructions have the same cost; anything > in core is very fast but going out to memory is very slow. > > That said I think I agree with your analysis that a two level > array is probably the right data structure for this and likely > not less cache efficient than the hash table. Good point. The 2-level lookup generates 3 memory accesses (including getting at the htb_class struct). List traversal will generate many more memory accesses, unless the lists have 3 or fewer entries (currently that only holds true for up to 48 classes, uniformly distributed). It is difficult to judge if the tables will be in cache or not. The tables are clearly extra baggage for the cachelines, compared to only having the htb_class structs (they are going to be fetched anyway).
On the other hand, if you have 10k classes, they are usually (real world) allocated for individual users, of which at most half are active at any time. With hashing, all 10k classes are fetched into cachelines all the time, only in order to traverse lists. That is >150k wasted cache (5000 x 32 bytes); plenty for 10k pointers in lookup tables. Regards Simon From gregoriandres at yahoo.com.ar Mon Feb 5 22:33:08 2007 From: gregoriandres at yahoo.com.ar (gregori andres) Date: Mon Feb 5 22:33:40 2007 Subject: [LARTC] CryptNET Peer Cache Daemon Message-ID: <001201c7496d$4049a6a0$6402a8c0@luna> Hi Has anyone tested "CryptNET Peer Cache Daemon"? http://cryptnet.net/fsp/cpcd/ I've heard that by using a Peer Cache Daemon I can lower p2p traffic over my internet link, and provide better rates over p2p downloads to LAN users. I would like to know if somebody has tested it ... is a Peer Cache server really useful? Best regards, Andres. From mike at atomicmongoose.com Tue Feb 6 00:06:05 2007 From: mike at atomicmongoose.com (Mike) Date: Tue Feb 6 00:06:26 2007 Subject: [LARTC] route to a host behind an ipsec tunnel Message-ID: <45C7B85D.8070501@atomicmongoose.com> Hi there, I have a client who has several branch offices, they are adding a system that uses a PC in the main office to create a PPTP connection to the Applications host. So, locally I specify a route on my gateway to handle this. ip route add 1.2.3.4/20 via 192.168.24.4 (Firewall 192.168.24.1/24) 192.168.24.4 is the PC with the PPTP connection. This works wonderfully for the local lan, however, I'm not sure how to route, or what route to set on the remote firewalls to push this traffic to the host? ip route add 1.2.3.4/30 via 192.168.24.4 nexthop 10.10.10.1? (Assumes the remote location's lan is 10.10.10.1) Can this be done? Do I need to bring OSPF into the mix?
|Remote Workstations | REMOTE LAN 10.10.10.0/24 10.10.10.1 Firewall | Real IP | | Ipsec Tunnel (StrongSwan) | | Real IP Primary LAN 192.168.24.1 Firewall 192.168.24.0/24 | | (Application Provider's REAL ip) |192.168.24.4 --shared PPTP-- 1.2.3.4/30 | |Other Workstations From jarkao2 at o2.pl Tue Feb 6 09:08:54 2007 From: jarkao2 at o2.pl (Jarek Poplawski) Date: Thu Feb 8 11:32:24 2007 Subject: [LARTC] Re: [PATCH] HTB O(1) class lookup In-Reply-To: <200702051814.13899.simonl@parknet.dk> References: <20070205101637.GB1863@ff.dom.local> <200702051814.13899.simonl@parknet.dk> Message-ID: <20070206080854.GA1635@ff.dom.local> On Mon, Feb 05, 2007 at 06:14:13PM +0100, Simon Lodal wrote: > On Monday 05 February 2007 11:16, Jarek Poplawski wrote: > > On 01-02-2007 12:30, Andi Kleen wrote: > > > Simon Lodal writes: > > >> Memory is generally not an issue, but CPU is, and you can not beat the > > >> CPU efficiency of plain array lookup (always faster, and constant time). > > > > Probably for some old (or embedded) lean boxes used for > > small network routers, with memory hungry iptables - > > memory could be an issue. > > Sure, but if they are that constrained they probably do not run HTB in the > first place. > > We are talking about 4k initially, up to 256k worst case (or 512k if your > router is 64bit, unlikely if "small" is a priority). > > > > And the worst memory consumption case considered by Patrick should > > > be relatively unlikely. > > > > Anyway, such approach, that most users do something > > this (reasonable) way, doesn't look like good > > programming practice. > > The current hash algorithm also assumes certain usage patterns, namely that > you choose classids that generate different hash keys (= distribute uniformly > across the buckets), or scalability will suffer very quickly. Even at 64 > classes you would probably see htb_find() near the top of a profiling > analysis. 
> > But I would say that it is just as unlikely as choosing 64 classids that cause > my patch to allocate all 256k. > > In these unlikely cases, my patch only wastes passive memory, while the > current htb wastes cpu to a point where it can severely limit routing > performance. > > > > I wonder, why not try, at least for a while, to do this > > a compile (menuconfig) option with a comment: > > recommended for a large number of classes. After hash > > optimization and some testing, final decisions could be > > made. > > I decided not to do it because it would mean too many ifdefs > (ugly+unmaintainable code). As a matter of fact Andi's recommendation is enough for me. In his first message he wrote "probably the right data structure for this", so I thought: why not test and make sure. It should be easier without removing the current solution. But his second message convinced me. Generally I think 512k (or even 256k) should matter and don't agree HTB is not for constrained ones. It could be a dangerous attitude if every module in the kernel were so "generous". And it could be contagious: others don't care - why should I? Some time ago low memory requirements and the possibility to run on older boxes were strong arguments for linux. Did we give it up to BSDs? So I only wanted to make sure there would be a real gain, because, for consistency, probably the same model should be used with others (CBQ, HFSC). Cheers, Jarek P. From victor at ambra.ro Tue Feb 6 12:07:14 2007 From: victor at ambra.ro (Sterpu Victor) Date: Thu Feb 8 11:33:24 2007 Subject: [LARTC] tc class add syntax Message-ID: <45C86162.8030209@ambra.ro> What is wrong in this line? tc class add dev eth1 parent 1:1 classid 1:521df18 htb rate 2Kbit ceil 24000Kbit prio 3 quantum 2000 I know the classid is wrong, but what is the correct syntax? Thank you. From rodrigocc at gmail.com Tue Feb 6 15:19:43 2007 From: rodrigocc at gmail.com (Rodrigo Campos) Date: Thu Feb 8 11:34:41 2007 Subject: [LARTC] Multiple Internetconn.
& DNAT In-Reply-To: References: <45BF3C9D.3090709@tlen.pl> Message-ID: <33d560f70702060619q20c13e80mcee5cb5edc5a6d1f@mail.gmail.com> On 1/30/07, Peter Huetmannsberger wrote: > > Hello, > > I came across a problem today, which after trying a number of approaches I > could not solve, and I am hoping someone out there knows how to deal with > this. > > Situation: > > 2 different internet connections on eth2 and eth3 > > Traffic coming in on eth2 goes out on eth2 and traffic coming in on eth3 > goes out on eth3 (because of rt_tables, and routes, which works fine) > unless I do a DNAT to a different machine. > > i.e. > > default route is eth3 > > traffic comes in eth2 --> DNAT --> eth1 > machine behind eth1 answers correctly, but the resulting packets choose > the default route (eth3) to go out and not the way they came in. > > or in ipaddress description: > > default route is 81.223.13.xx1 > > eth3 = 81.223.13.xx2 > eth2 = 91.112.38.xx8 > > Packets coming in via 91.112.38.xx8 for port 80 get DNATed to > 192.168.10.199:80 > on returning from 192.168.10.199 they choose the default route > 81.223.13.xx2 on their way out. > > Without the DNAT the setup works fine, with the DNAT they don't. > > I am grateful for any suggestions. I am very new to this, but last week I had to deal with the same and I came to a "solution" (but I don't know if there are better ways to do this) Bah, actually two solutions: one is http://linux-ip.net/html/linux-ip.html#adv-multi-internet, which basically proposes adding another address to the server you want to dnat to, so for one public ip dnat to one internal ip of the server, and for the other public ip dnat to the other internal ip of the server.
So, using ip rule (and using "from") you can route answers to the correct route The other (I found) is using conntrack, the rule which does the trick is: iptables -t mangle -A PREROUTING -m conntrack --ctstate DNAT --ctorigdst $ISP2_NET -j MARK --set-mark 10 and then: ip rule add prio fwmark 10 table isp2.table (put it with lower prio than the main table, or less prio than the table where packets are routed by default) So, adding this for the isp that DNAT is not working should be enough (where $ISP_NET is the public ip you are dnatting or the net you are doing DNAT (both are ok) ), but adding this to both ISPs should work too And almost for "free" with this comes: iptables -t mangle -A PREROUTING -m conntrack --ctstate SNAT --ctrepldst $ISP2_NET -j MARK --set-mark 10 which makes SNAT behave as expected with 2 (or more) ISPs > > Thanks You are welcome, I hope it helps :-). And please tell me if you do this differently > > .peter Rodrigo From andy at andybev.com Tue Feb 6 21:01:02 2007 From: andy at andybev.com (Andrew Beverley) Date: Thu Feb 8 11:38:50 2007 Subject: [LARTC] Problems with HTB. Help! In-Reply-To: <043001c74911$d06d1570$8cc8a8c0@anroet.com> References: <043001c74911$d06d1570$8cc8a8c0@anroet.com> Message-ID: <1170792062.4255.6.camel@andybev.localdomain> I've never tried marking packets the way that you're doing it, so not sure if it should work. Have you tried marking with iptables instead? Something like: iptables -t mangle -A FORWARD --source 192.168.200.163 -j CLASSIFY --set-class 2:12 This will of course match all packets going both ways. Add "-i eth0" if you only want it one way. Andy Beverley On Mon, 2007-02-05 at 21:38 +1100, Anthony Kamau wrote: > Hello list. > > I've configured a very simple script to slow down packets coming from a > particular IP Address. I've used IPTABLES to mark traffic coming from this > IP Address, but it does not appear to be working as expected.
Let me first > describe my system as maybe what I'm doing is beyond what NETFILTER can do. > > I have one machine that runs all my servers as VM's. The P2P WinXP box and > the router are virtualized. So too is the Windows 2003 DNS server. > > Please have a look at the traffic control script below and let me know if > I've done something wrong! > > Cheers, > tkb. > > > Below is the script. You'll note that I've even tried using a filter > (attached to eth0 - LAN) linking parent at eth0 going to a class on eth1 - > is this even valid? tc did not seem to complain about it so I figured it > must be okay. > > #******************************************************************* > #!/bin/bash > > # Whole purpose of this is to slow the P2P WinXP box down! > > ################################### > # Reset everything to known state # > ################################### > tc qdisc del dev eth0 root > tc qdisc del dev eth1 root > > #################### > # Setup the qdiscs # > #################### > tc qdisc add dev eth0 parent root handle 1: htb default 10 > tc qdisc add dev eth1 parent root handle 2: htb default 10 > > ########################## > # Setup the root classes # > ########################## > tc class add dev eth0 parent 1: classid 1:1 htb rate 10mbit \ > ceil 10mbit > tc class add dev eth1 parent 2: classid 2:1 htb rate 384kbit \ > ceil 384kbit burst 15k > > ########################### > # Setup the child classes # > ########################### > tc class add dev eth0 parent 1:1 classid 1:10 htb rate 10mbit \ > ceil 10mbit prio 0 > tc class add dev eth1 parent 2:1 classid 2:10 htb rate 224kbit \ > ceil 384kbit prio 0 > tc class add dev eth1 parent 2:1 classid 2:11 htb rate 100kbit \ > ceil 100kbit prio 1 > tc class add dev eth1 parent 2:1 classid 2:12 htb rate 60kbit \ > ceil 60kbit prio 2 > > ##################### > # Setup the filters # > ##################### > # match acks the hard way, > # IP protocol 6, > # IP header length 0x5(32 bit words), > # IP 
Total length 0x34 (ACK + 12 bytes of TCP options) > # TCP ack set (bit 5, offset 33) > ACK="tc filter add dev eth1 protocol ip parent 2:0 prio 0 u32" > $ACK match ip protocol 6 0xff \ > match u8 0x05 0x0f at 0 \ > match u16 0x0000 0xffc0 at 2 \ > match u8 0x10 0xff at 33 \ > classid 2:11 > #**U32_0="tc filter add dev eth0 protocol ip parent 1:0 u32" > #**$U32_0 match ip src 192.168.200.163 classid 2:12 > #U32_1="tc filter add dev eth1 protocol ip parent 2:0 u32" > P2P="tc filter add dev eth1 protocol ip parent 2:0 prio 10" > $P2P handle 1 fw classid 2:12 > > #################################################### > # Setup the queue discipline for the child classes # > #################################################### > tc qdisc add dev eth1 parent 2:10 handle 10: sfq perturb 10 > tc qdisc add dev eth1 parent 2:11 handle 11: sfq perturb 10 > tc qdisc add dev eth1 parent 2:12 handle 12: sfq perturb 10 > #************************************************************************ > > > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc From andy at andybev.com Tue Feb 6 21:08:27 2007 From: andy at andybev.com (Andrew Beverley) Date: Thu Feb 8 11:38:58 2007 Subject: [LARTC] Marks not working... In-Reply-To: <20070203014415.GA15078@snoopy> References: <20070203014415.GA15078@snoopy> Message-ID: <1170792507.4255.11.camel@andybev.localdomain> Are you using your firewall as a router, ie is the p2p traffic coming from another PC through the firewall? If so, I think your rules need to go in the FORWARD chain not in the OUTPUT chain. Another thing to remember is that ipp2p is not 100% reliable at matching. Have you tried something simpler first such as matching on source address? Andy Beverley On Sat, 2007-02-03 at 01:44 +0000, tomdeb wrote: > Hi, > > I am experimenting a little bit with my firewall and I don't seem to get > my head round marks ... 
> > I try to mark p2p packets generated on the firewall in the output chain > and then try to match that mark either in NAT OUTPUT or POSTROUTING > > I don't seem to get the expected result. > > Any help or clue would be more than welcome. > > > root@droopy:~/firewall > iptables-view -t mangle > Chain PREROUTING (policy ACCEPT 33890 packets, 16M bytes) num pkts bytes target prot opt in out source destination > > Chain INPUT (policy ACCEPT 24751 packets, 12M bytes) num pkts bytes target prot opt in out source destination > > Chain FORWARD (policy ACCEPT 9146 packets, 4557K bytes) num pkts bytes target prot opt in out source destination > > Chain OUTPUT (policy ACCEPT 59M packets, 61G bytes) num pkts bytes target prot opt in out source destination > 1 3 324 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 ipp2p v0.8.2 --ipp2p LOG flags 0 level 4 prefix ` OUT IPP2P ' > 2 3 324 MARK 0 -- * * 0.0.0.0/0 0.0.0.0/0 ipp2p v0.8.2 --ipp2p MARK set 0x2 > > Chain POSTROUTING (policy ACCEPT 32911 packets, 7397K bytes) num pkts bytes target prot opt in out source destination > root@droopy:~/firewall > iptables-view -t nat > Chain PREROUTING (policy ACCEPT 973 packets, 62249 bytes) num pkts bytes target prot opt in out source destination > > Chain POSTROUTING (policy ACCEPT 227 packets, 14178 bytes) num pkts bytes target prot opt in out source destination > 1 0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0x2 LOG flags 0 level 4 prefix ` MARK IPP2P ' > > Chain OUTPUT (policy ACCEPT 226 packets, 14172 bytes) num pkts bytes target prot opt in out source destination` > 1 0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0x2 LOG flags 0 level 4 prefix ` MARK IPP2P ' > > T o M > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc From lastchancehotel at gmail.com Wed Feb 7 01:10:16 2007 From: lastchancehotel at gmail.com (Jan Mulders) Date: Thu Feb 8 11:39:36 2007 Subject: [LARTC] HTB Troubleshooting 
Message-ID: <2dae841b0702061610x7be1d8e8mca03ae060b0715ce@mail.gmail.com> Skipped content of type multipart/alternative-------------- next part -------------- [root@chi01-050-05 shorewall]# tc -s -d class show dev tun0 class htb 1:99 parent 1:1 prio 0 quantum 200000 rate 100Mbit ceil 100Mbit burst 14087b/8 mpu 0b overhead 0b cburst 14087b/8 mpu 0b overhead 0b level 0 Sent 3818 bytes 34 pkts (dropped 0, overlimits 0 requeues 0) lended: 34 borrowed: 0 giants: 0 tokens: 1152 ctokens: 1152 class htb 1:11 parent 1:1 prio 0 quantum 62500 rate 5Mbit ceil 5Mbit burst 2224b/8 mpu 0b overhead 0b cburst 2224b/8 mpu 0b overhead 0b level 0 Sent 1208 bytes 24 pkts (dropped 0, overlimits 0 requeues 0) lended: 24 borrowed: 0 giants: 0 tokens: 3568 ctokens: 3568 class htb 1:22 parent 1:1 prio 0 quantum 62500 rate 5Mbit ceil 5Mbit burst 2224b/8 mpu 0b overhead 0b cburst 2224b/8 mpu 0b overhead 0b level 0 Sent 872 bytes 17 pkts (dropped 0, overlimits 0 requeues 0) lended: 17 borrowed: 0 giants: 0 tokens: 3568 ctokens: 3568 class htb 1:1 root rate 100Mbit ceil 100Mbit burst 14087b/8 mpu 0b overhead 0b cburst 14087b/8 mpu 0b overhead 0b level 7 Sent 718046853 bytes 1137426 pkts (dropped 0, overlimits 0 requeues 0) rate 325616bit 464pps lended: 0 borrowed: 0 giants: 0 tokens: 1152 ctokens: 1152 class htb 1:10 parent 1:1 prio 0 quantum 62500 rate 5Mbit ceil 5Mbit burst 2224b/8 mpu 0b overhead 0b cburst 2224b/8 mpu 0b overhead 0b level 0 Sent 14230 bytes 179 pkts (dropped 0, overlimits 0 requeues 0) rate 5bit lended: 179 borrowed: 0 giants: 0 tokens: 3541 ctokens: 3541 class htb 1:23 parent 1:1 prio 0 quantum 62500 rate 5Mbit ceil 5Mbit burst 2224b/8 mpu 0b overhead 0b cburst 2224b/8 mpu 0b overhead 0b level 0 Sent 1084 bytes 14 pkts (dropped 0, overlimits 0 requeues 0) lended: 14 borrowed: 0 giants: 0 tokens: 3554 ctokens: 3554 class htb 1:2 parent 1:1 prio 0 quantum 62500 rate 5Mbit ceil 5Mbit burst 2224b/8 mpu 0b overhead 0b cburst 2224b/8 mpu 0b overhead 0b level 0 Sent 125836268 
bytes 253056 pkts (dropped 0, overlimits 0 requeues 0) rate 72441bit 131pps lended: 253061 borrowed: 0 giants: 0 tokens: 3580 ctokens: 3580 class htb 1:13 parent 1:1 prio 0 quantum 131072 rate 1310720bit ceil 1310720bit burst 2908b/8 mpu 0b overhead 0b cburst 2908b/8 mpu 0b overhead 0b level 0 Sent 1815 bytes 35 pkts (dropped 0, overlimits 0 requeues 0) lended: 35 borrowed: 0 giants: 0 tokens: 2237 ctokens: 2237 class htb 1:20 parent 1:1 prio 0 quantum 62500 rate 5Mbit ceil 5Mbit burst 2224b/8 mpu 0b overhead 0b cburst 2224b/8 mpu 0b overhead 0b level 0 Sent 1868 bytes 36 pkts (dropped 0, overlimits 0 requeues 0) lended: 36 borrowed: 0 giants: 0 tokens: 3568 ctokens: 3568 class htb 1:3 parent 1:1 prio 0 quantum 62500 rate 5Mbit ceil 5Mbit burst 2224b/8 mpu 0b overhead 0b cburst 2224b/8 mpu 0b overhead 0b level 0 Sent 22399137 bytes 38641 pkts (dropped 0, overlimits 0 requeues 0) rate 9593bit 17pps lended: 38641 borrowed: 0 giants: 0 tokens: 3580 ctokens: 3580 class htb 1:12 parent 1:1 prio 0 quantum 62500 rate 5Mbit ceil 5Mbit burst 2224b/8 mpu 0b overhead 0b cburst 2224b/8 mpu 0b overhead 0b level 0 Sent 1292 bytes 24 pkts (dropped 0, overlimits 0 requeues 0) rate 1bit lended: 24 borrowed: 0 giants: 0 tokens: 3568 ctokens: 3568 class htb 1:21 parent 1:1 prio 0 quantum 62500 rate 5Mbit ceil 5Mbit burst 2224b/8 mpu 0b overhead 0b cburst 2224b/8 mpu 0b overhead 0b level 0 Sent 820 bytes 16 pkts (dropped 0, overlimits 0 requeues 0) lended: 16 borrowed: 0 giants: 0 tokens: 3554 ctokens: 3554 class htb 1:30 parent 1:1 prio 0 quantum 62500 rate 5Mbit ceil 5Mbit burst 2224b/8 mpu 0b overhead 0b cburst 2224b/8 mpu 0b overhead 0b level 0 Sent 1252 bytes 25 pkts (dropped 0, overlimits 0 requeues 0) lended: 25 borrowed: 0 giants: 0 tokens: 3568 ctokens: 3568 class htb 1:4 parent 1:1 prio 0 quantum 62500 rate 5Mbit ceil 5Mbit burst 2224b/8 mpu 0b overhead 0b cburst 2224b/8 mpu 0b overhead 0b level 0 Sent 82765251 bytes 133445 pkts (dropped 0, overlimits 0 requeues 0) rate 
38659bit 66pps lended: 133445 borrowed: 0 giants: 0 tokens: 3213 ctokens: 3213 class htb 1:15 parent 1:1 prio 0 quantum 62500 rate 5Mbit ceil 5Mbit burst 2224b/8 mpu 0b overhead 0b cburst 2224b/8 mpu 0b overhead 0b level 0 Sent 2542 bytes 46 pkts (dropped 0, overlimits 0 requeues 0) lended: 46 borrowed: 0 giants: 0 tokens: 3502 ctokens: 3502 class htb 1:26 parent 1:1 prio 0 quantum 62500 rate 5Mbit ceil 5Mbit burst 2224b/8 mpu 0b overhead 0b cburst 2224b/8 mpu 0b overhead 0b level 0 Sent 1564 bytes 24 pkts (dropped 0, overlimits 0 requeues 0) rate 3bit lended: 24 borrowed: 0 giants: 0 tokens: 3568 ctokens: 3568 class htb 1:5 parent 1:1 prio 0 quantum 62500 rate 5Mbit ceil 5Mbit burst 2224b/8 mpu 0b overhead 0b cburst 2224b/8 mpu 0b overhead 0b level 0 Sent 300641036 bytes 327513 pkts (dropped 3, overlimits 0 requeues 0) rate 186291bit 176pps lended: 327513 borrowed: 0 giants: 0 tokens: 3437 ctokens: 3437 class htb 1:14 parent 1:1 prio 0 quantum 62500 rate 5Mbit ceil 5Mbit burst 2224b/8 mpu 0b overhead 0b cburst 2224b/8 mpu 0b overhead 0b level 0 Sent 1736 bytes 35 pkts (dropped 0, overlimits 0 requeues 0) lended: 35 borrowed: 0 giants: 0 tokens: 3568 ctokens: 3568 class htb 1:27 parent 1:1 prio 0 quantum 62500 rate 5Mbit ceil 5Mbit burst 2224b/8 mpu 0b overhead 0b cburst 2224b/8 mpu 0b overhead 0b level 0 Sent 776 bytes 15 pkts (dropped 0, overlimits 0 requeues 0) lended: 15 borrowed: 0 giants: 0 tokens: 3554 ctokens: 3554 class htb 1:6 parent 1:1 prio 0 quantum 131071 rate 1310712bit ceil 1310712bit burst 2908b/8 mpu 0b overhead 0b cburst 2908b/8 mpu 0b overhead 0b level 0 Sent 180823964 bytes 376299 pkts (dropped 1572, overlimits 0 requeues 0) rate 53331bit 106pps lended: 376299 borrowed: 0 giants: 0 tokens: 2243 ctokens: 2243 class htb 1:17 parent 1:1 prio 0 quantum 131072 rate 1310720bit ceil 1310720bit burst 2908b/8 mpu 0b overhead 0b cburst 2908b/8 mpu 0b overhead 0b level 0 Sent 968 bytes 19 pkts (dropped 0, overlimits 0 requeues 0) lended: 19 borrowed: 0 
giants: 0 tokens: 2237 ctokens: 2237 class htb 1:24 parent 1:1 prio 0 quantum 62500 rate 5Mbit ceil 5Mbit burst 2224b/8 mpu 0b overhead 0b cburst 2224b/8 mpu 0b overhead 0b level 0 Sent 3080 bytes 34 pkts (dropped 0, overlimits 0 requeues 0) lended: 34 borrowed: 0 giants: 0 tokens: 3568 ctokens: 3568 class htb 1:7 parent 1:1 prio 0 quantum 62500 rate 5Mbit ceil 5Mbit burst 2224b/8 mpu 0b overhead 0b cburst 2224b/8 mpu 0b overhead 0b level 0 Sent 5344805 bytes 5685 pkts (dropped 0, overlimits 0 requeues 0) rate 51bit lended: 5685 borrowed: 0 giants: 0 tokens: 3541 ctokens: 3541 class htb 1:16 parent 1:1 prio 0 quantum 13107 rate 131072bit ceil 131072bit burst 1730b/8 mpu 0b overhead 0b cburst 1730b/8 mpu 0b overhead 0b level 0 Sent 1766 bytes 33 pkts (dropped 0, overlimits 0 requeues 0) lended: 33 borrowed: 0 giants: 0 tokens: 13148 ctokens: 13148 class htb 1:25 parent 1:1 prio 0 quantum 62500 rate 5Mbit ceil 5Mbit burst 2224b/8 mpu 0b overhead 0b cburst 2224b/8 mpu 0b overhead 0b level 0 Sent 1448 bytes 29 pkts (dropped 0, overlimits 0 requeues 0) lended: 29 borrowed: 0 giants: 0 tokens: 3568 ctokens: 3568 class htb 1:8 parent 1:1 prio 0 quantum 62500 rate 5Mbit ceil 5Mbit burst 2224b/8 mpu 0b overhead 0b cburst 2224b/8 mpu 0b overhead 0b level 0 Sent 110471 bytes 1297 pkts (dropped 0, overlimits 0 requeues 0) rate 43bit lended: 1297 borrowed: 0 giants: 0 tokens: 3541 ctokens: 3541 class htb 1:19 parent 1:1 prio 0 quantum 62500 rate 5Mbit ceil 5Mbit burst 2224b/8 mpu 0b overhead 0b cburst 2224b/8 mpu 0b overhead 0b level 0 Sent 1400 bytes 28 pkts (dropped 0, overlimits 0 requeues 0) lended: 28 borrowed: 0 giants: 0 tokens: 3554 ctokens: 3554 class htb 1:9 parent 1:1 prio 0 quantum 62500 rate 5Mbit ceil 5Mbit burst 2224b/8 mpu 0b overhead 0b cburst 2224b/8 mpu 0b overhead 0b level 0 Sent 72466 bytes 769 pkts (dropped 0, overlimits 0 requeues 0) rate 40bit lended: 769 borrowed: 0 giants: 0 tokens: 3502 ctokens: 3502 class htb 1:18 parent 1:1 prio 0 quantum 62500 rate 
5Mbit ceil 5Mbit burst 2224b/8 mpu 0b overhead 0b cburst 2224b/8 mpu 0b overhead 0b level 0 Sent 844 bytes 9 pkts (dropped 0, overlimits 0 requeues 0) lended: 9 borrowed: 0 giants: 0 tokens: 3554 ctokens: 3554 class htb 1:28 parent 1:1 prio 0 quantum 62500 rate 5Mbit ceil 5Mbit burst 2224b/8 mpu 0b overhead 0b cburst 2224b/8 mpu 0b overhead 0b level 0 Sent 786 bytes 15 pkts (dropped 0, overlimits 0 requeues 0) lended: 15 borrowed: 0 giants: 0 tokens: 3568 ctokens: 3568 class htb 1:29 parent 1:1 prio 0 quantum 62500 rate 5Mbit ceil 5Mbit burst 2224b/8 mpu 0b overhead 0b cburst 2224b/8 mpu 0b overhead 0b level 0 Sent 1256 bytes 25 pkts (dropped 0, overlimits 0 requeues 0) lended: 25 borrowed: 0 giants: 0 tokens: 3568 ctokens: 3568 [root@chi01-050-05 shorewall]# tc -s -d filter show dev tun0 filter parent 1: protocol ip pref 1 u32 filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1 filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:2 (rule hit 1305271 success 282996) match d0641502/ffffffff at 16 (success 282996 ) filter parent 1: protocol ip pref 1 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 1:3 (rule hit 1022273 success 43811) match d0641503/ffffffff at 16 (success 43811 ) filter parent 1: protocol ip pref 1 u32 fh 800::802 order 2050 key ht 800 bkt 0 flowid 1:4 (rule hit 978461 success 150853) match d0641504/ffffffff at 16 (success 150853 ) filter parent 1: protocol ip pref 1 u32 fh 800::803 order 2051 key ht 800 bkt 0 flowid 1:5 (rule hit 827607 success 376824) match d0641505/ffffffff at 16 (success 376824 ) filter parent 1: protocol ip pref 1 u32 fh 800::804 order 2052 key ht 800 bkt 0 flowid 1:6 (rule hit 450782 success 437570) match d0641506/ffffffff at 16 (success 437570 ) filter parent 1: protocol ip pref 1 u32 fh 800::805 order 2053 key ht 800 bkt 0 flowid 1:7 (rule hit 13212 success 5865) match d0641507/ffffffff at 16 (success 5865 ) filter parent 1: protocol ip pref 1 u32 fh 800::806 order 2054 key ht 
800 bkt 0 flowid 1:8 (rule hit 7347 success 5664) match d0641508/ffffffff at 16 (success 5664 ) filter parent 1: protocol ip pref 1 u32 fh 800::807 order 2055 key ht 800 bkt 0 flowid 1:9 (rule hit 1683 success 866) match d0641509/ffffffff at 16 (success 866 ) filter parent 1: protocol ip pref 1 u32 fh 800::808 order 2056 key ht 800 bkt 0 flowid 1:10 (rule hit 817 success 207) match d064150a/ffffffff at 16 (success 207 ) filter parent 1: protocol ip pref 1 u32 fh 800::809 order 2057 key ht 800 bkt 0 flowid 1:11 (rule hit 610 success 30) match d064150b/ffffffff at 16 (success 30 ) filter parent 1: protocol ip pref 1 u32 fh 800::80a order 2058 key ht 800 bkt 0 flowid 1:12 (rule hit 580 success 28) match d064150c/ffffffff at 16 (success 28 ) filter parent 1: protocol ip pref 1 u32 fh 800::80b order 2059 key ht 800 bkt 0 flowid 1:13 (rule hit 552 success 39) match d064150d/ffffffff at 16 (success 39 ) filter parent 1: protocol ip pref 1 u32 fh 800::80c order 2060 key ht 800 bkt 0 flowid 1:14 (rule hit 513 success 35) match d064150e/ffffffff at 16 (success 35 ) filter parent 1: protocol ip pref 1 u32 fh 800::80d order 2061 key ht 800 bkt 0 flowid 1:15 (rule hit 478 success 48) match d064150f/ffffffff at 16 (success 48 ) filter parent 1: protocol ip pref 1 u32 fh 800::80e order 2062 key ht 800 bkt 0 flowid 1:16 (rule hit 430 success 40) match d0641510/ffffffff at 16 (success 40 ) filter parent 1: protocol ip pref 1 u32 fh 800::80f order 2063 key ht 800 bkt 0 flowid 1:17 (rule hit 390 success 27) match d0641511/ffffffff at 16 (success 27 ) filter parent 1: protocol ip pref 1 u32 fh 800::810 order 2064 key ht 800 bkt 0 flowid 1:18 (rule hit 363 success 17) match d0641512/ffffffff at 16 (success 17 ) filter parent 1: protocol ip pref 1 u32 fh 800::811 order 2065 key ht 800 bkt 0 flowid 1:19 (rule hit 346 success 33) match d0641513/ffffffff at 16 (success 33 ) filter parent 1: protocol ip pref 1 u32 fh 800::812 order 2066 key ht 800 bkt 0 flowid 1:20 (rule hit 313 success 36) 
   match d0641514/ffffffff at 16 (success 36 )
filter parent 1: protocol ip pref 1 u32 fh 800::813 order 2067 key ht 800 bkt 0 flowid 1:21  (rule hit 277 success 16)
   match d0641515/ffffffff at 16 (success 16 )
filter parent 1: protocol ip pref 1 u32 fh 800::814 order 2068 key ht 800 bkt 0 flowid 1:22  (rule hit 261 success 23)
   match d0641516/ffffffff at 16 (success 23 )
filter parent 1: protocol ip pref 1 u32 fh 800::815 order 2069 key ht 800 bkt 0 flowid 1:23  (rule hit 238 success 22)
   match d0641517/ffffffff at 16 (success 22 )
filter parent 1: protocol ip pref 1 u32 fh 800::816 order 2070 key ht 800 bkt 0 flowid 1:24  (rule hit 216 success 38)
   match d0641518/ffffffff at 16 (success 38 )
filter parent 1: protocol ip pref 1 u32 fh 800::817 order 2071 key ht 800 bkt 0 flowid 1:25  (rule hit 178 success 31)
   match d0641519/ffffffff at 16 (success 31 )
filter parent 1: protocol ip pref 1 u32 fh 800::818 order 2072 key ht 800 bkt 0 flowid 1:26  (rule hit 147 success 34)
   match d064151a/ffffffff at 16 (success 34 )
filter parent 1: protocol ip pref 1 u32 fh 800::819 order 2073 key ht 800 bkt 0 flowid 1:27  (rule hit 113 success 17)
   match d064151b/ffffffff at 16 (success 17 )
filter parent 1: protocol ip pref 1 u32 fh 800::81a order 2074 key ht 800 bkt 0 flowid 1:28  (rule hit 96 success 15)
   match d064151c/ffffffff at 16 (success 15 )
filter parent 1: protocol ip pref 1 u32 fh 800::81b order 2075 key ht 800 bkt 0 flowid 1:29  (rule hit 81 success 27)
   match d064151d/ffffffff at 16 (success 27 )
filter parent 1: protocol ip pref 1 u32 fh 800::81c order 2076 key ht 800 bkt 0 flowid 1:30  (rule hit 54 success 25)
   match d064151e/ffffffff at 16 (success 25 )
[root@chi01-050-05 shorewall]# tc class change dev eth0 parent 1:1 classid 1:6 htb rate $attributes[$j]{'value'}bit"

From indunil75 at gmail.com Wed Feb 7 07:05:07 2007
From: indunil75 at gmail.com (Indunil Jayasooriya)
Date: Thu Feb 8 11:41:10 2007
Subject: [LARTC] What is the diffrence between port filtering and packet filtering ?
Message-ID: <7ed6b0aa0702062205m2faa7207i64da5202f66ffbfb@mail.gmail.com>

Hi all,

I want to set up a firewall on CentOS 4.4. I want to know the difference between port filtering and packet filtering? Can iptables do both? Is there another pkg better than this? If so, pls let me know.

The purpose of this is to set up a firewall for production use.

--
Thank you
Indunil Jayasooriya

From mcdouglas at mmcomputer.hu Wed Feb 7 08:28:17 2007
From: mcdouglas at mmcomputer.hu (Gregorics Tamás)
Date: Thu Feb 8 11:41:13 2007
Subject: [LARTC] trouble with TC
Message-ID: <45C97F91.1010306@mmcomputer.hu>

Hi,

I'm having a little trouble adjusting the priorities and the use of free outgoing bandwidth between my classes:

http://mmcomp.adsl.datanet.hu/tc/tc.png

green - ACK packets (downloading an iso)
red - p2p traffic

As you can see, when I start p2p, it takes away bandwidth from the class holding the ACK packets. I don't know why, since that class has the highest priority. The problem is, if my ACK packets get delayed my download drops down also (good old ADSL...).

Here are my tc rules:

http://mmcomp.adsl.datanet.hu/tc/tc.txt
http://mmcomp.adsl.datanet.hu/tc/rc.fw.txt (the markers)

Any idea what could be the problem?

--
Regards:
Gregorics Tamás
Service technician
M&M Computer Kft.
7623 Pécs, Mártírok u. 42.
Tel.: +36-72/516-517
Fax: +36-72/516-522
Mobil: +36-30-747-6553
e-mail: tamas.gregorics@mmcomputer.hu
http://www.mmcomputer.hu

From andy at andybev.com Wed Feb 7 18:17:30 2007
From: andy at andybev.com (Andrew Beverley)
Date: Thu Feb 8 11:43:57 2007
Subject: [LARTC] Problems with HTB. Help!
In-Reply-To: <05d901c74ad9$162dfde0$8cc8a8c0@anroet.com>
References: <05d901c74ad9$162dfde0$8cc8a8c0@anroet.com>
Message-ID: <1170868650.13777.21.camel@andybev.localdomain>

> That's an interesting way to mark (or should I say classify) packets with
> IPTABLES. The one I'm using currently (and which I forgot to add to my
> initial query) was this:
> $IPTABLES -t mangle -A PREROUTING -s 192.168.200.163 -j MARK --set-mark 1

To be honest, I use the MARK target as well. I just thought the CLASSIFY option would be easier in your situation because (I think) it saves an extra tc rule to classify the packets. If you're using MARK you need a rule telling tc to classify the packets that are MARKed.

I'm not sure if what you are using is correct; I use the following (you'll need to edit appropriately):

tc filter add dev ifb0 parent 1:0 prio 0 protocol ip handle 10 fw \
    flowid 1:10

I'm getting out of my depth here so may be wrong, but as I understand it 'handle' is the MARK, flowid is what it should be classified as.

Andy

From andy at andybev.com Wed Feb 7 21:06:23 2007
From: andy at andybev.com (Andrew Beverley)
Date: Thu Feb 8 11:44:03 2007
Subject: [LARTC] Problems with HTB. Help!
In-Reply-To: <000a01c74af1$83e38bd0$8cc8a8c0@anroet.com>
References: <000a01c74af1$83e38bd0$8cc8a8c0@anroet.com>
Message-ID: <1170878783.7380.1.camel@andybev.localdomain>

On Thu, 2007-02-08 at 06:52 +1100, Anthony Kamau wrote:
> Thanks Andy.
>
> I changed 'classid' back to 'flowid' but whenever I run the script, it
> throttles both uploads and downloads to the set rate - can you see why this
> would happen by perusing my script?
>
> I'm thinking that the virtualization is what's causing the problem!

I don't think the virtualization would affect it. Can you resend the iptables command you use to mark plus your tc commands? Also, can you detail your setup (for example what is on eth0 and what is on eth1).
Andy

From tomlobato at gmail.com Thu Feb 8 00:52:03 2007
From: tomlobato at gmail.com (Tom Lobato)
Date: Thu Feb 8 11:44:07 2007
Subject: [LARTC] DGD patch not detecting dead gateway
Message-ID: <45CA6623.8000703@gmail.com>

Hi!

Thank you for the script. I'm trying it.

Well, I made a simple modification and would like to hear opinions. Until now, I just added one more TESTIP, so I'm pinging one IP for each link. Also I'm using the IP instead of the name address, and used the DNS IP of each provider for the ping. I made this because the ping to external sites (yahoo, google) is too slow here, mainly when the link is under heavy load. So I'm afraid it can try to ping without success and "think" the link is down.

Also, to avoid getting false 'link down', did you try to increase the number of 4 ping fails before replacing the route? What do you think about it?

I appreciate suggestions,

PS: although the alteration is so simple, if someone wants to see it, tell me and I'll send a mail.

Tom Lobato

Manish Kathuria wrote:
> The script is appended. It assumes that you have followed the steps as
> described in nano.txt with or without applying the patches. Though it
> appears to be very simplistic, it's working great at a number of
> locations.
>
> #!/bin/bash -x
>
> TESTIP=www.yahoo.com
> CHECK=0
> ISPA=1
> ISPB=1
> LINKSTATUS=1
> COUNTA=0
> COUNTB=0
> EXTIF1=eth1
> EXTIF2=eth2
> GW1=172.16.1.1
> GW2=192.168.1.1
> W1=1
> W2=1
>
> while : ; do
>
>     ping -I $EXTIF1 -c 1 $TESTIP > /dev/null 2>&1
>     RETVAL=$?
>     if [ $RETVAL -ne 0 ]; then
>         COUNTA=`expr $COUNTA + 1`
>     else
>         COUNTA=0
>     fi
>
>     if [ $COUNTA -ge 4 ]; then
>         ISPA=0
>     else
>         ISPA=1
>     fi
>
>     ping -I $EXTIF2 -c 1 $TESTIP > /dev/null 2>&1
>     RETVAL=$?
>     if [ $RETVAL -ne 0 ]; then
>         COUNTB=`expr $COUNTB + 1`
>     else
>         COUNTB=0
>     fi
>
>     if [ $COUNTB -ge 4 ]; then
>         ISPB=0
>     else
>         ISPB=1
>     fi
>
>     # both links down: keep the current status (and route) instead of
>     # leaving NEWSTATUS unset
>     NEWSTATUS=$LINKSTATUS
>
>     if [ $ISPA -eq 1 ]; then
>         if [ $ISPB -eq 1 ]; then
>             NEWSTATUS=1
>         elif [ $ISPB -eq 0 ]; then
>             NEWSTATUS=2
>         fi
>     elif [ $ISPA -eq 0 ]; then
>         if [ $ISPB -eq 1 ]; then
>             NEWSTATUS=3
>         fi
>     fi
>
>     case $LINKSTATUS in
>
>     1) if [ $NEWSTATUS -eq 2 ]; then
>            ip route replace default via $GW1 dev $EXTIF1
>        elif [ $NEWSTATUS -eq 3 ]; then
>            ip route replace default via $GW2 dev $EXTIF2
>        fi;;
>
>     2) if [ $NEWSTATUS -eq 1 ]; then
>            ip route del default
>            ip route replace default table 222 proto static \
>                nexthop via $GW1 dev $EXTIF1 weight $W1 \
>                nexthop via $GW2 dev $EXTIF2 weight $W2
>        elif [ $NEWSTATUS -eq 3 ]; then
>            ip route replace default via $GW2 dev $EXTIF2
>        fi;;
>
>     3) if [ $NEWSTATUS -eq 1 ]; then
>            ip route del default
>            ip route replace default table 222 proto static \
>                nexthop via $GW1 dev $EXTIF1 weight $W1 \
>                nexthop via $GW2 dev $EXTIF2 weight $W2
>        elif [ $NEWSTATUS -eq 2 ]; then
>            ip route replace default via $GW1 dev $EXTIF1
>        fi;;
>
>     *) echo;;
>
>     esac
>
>     LINKSTATUS=$NEWSTATUS
>     sleep 10
> done
>
> Let me know if you can think of any improvements or modifications.
>

From madhava.rayudu at gmail.com Thu Feb 8 04:26:17 2007
From: madhava.rayudu at gmail.com (Madhava Rayudu)
Date: Thu Feb 8 11:45:32 2007
Subject: [LARTC] GPL Software for Small ISP
Message-ID:

Sir,

I have one 2 MB link which I have to distribute to 200 people. Caching may enhance performance. Kindly suggest packages for this purpose under GPL.

Regards,
Rayudu.
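The failover loop quoted in Tom Lobato's message above (the DGD thread) derives a link state from two ping counters and then maps the old/new state pair onto `ip route` commands. What follows is an added example, not Manish Kathuria's script and not part of the thread, that factors that decision into shell functions so it can be checked before it touches a router: `link_status` turns a failure counter into up/down, `new_status` gives the both-links-down case its own state (0) instead of leaving the variable unset, and `route_cmds` returns the commands for a transition as text, so a dry run can be inspected and the state table tested without a second uplink. The gateway addresses, interface names, weights, the four-failure threshold and routing table 222 are the thread's values reused as placeholders; `DRYRUN`, `RUN_MONITOR`, state 0, the per-link test addresses and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the script from the thread: the dead-gateway decision
# of the quoted failover loop as small, testable functions.
# Assumed placeholders (override via the environment): gateways, interfaces,
# weights, the failure threshold and routing table 222 from the thread.
GW1=${GW1:-172.16.1.1}; EXTIF1=${EXTIF1:-eth1}; W1=${W1:-1}
GW2=${GW2:-192.168.1.1}; EXTIF2=${EXTIF2:-eth2}; W2=${W2:-1}
TESTIP1=${TESTIP1:-www.yahoo.com}; TESTIP2=${TESTIP2:-www.yahoo.com}
FAILS=${FAILS:-4}      # consecutive lost pings before a link counts as down
DRYRUN=${DRYRUN:-1}    # 1 = print the ip(8) commands, 0 = execute them

# link_status <consecutive failures> -> 1 (up) or 0 (down)
link_status() {
    if [ "$1" -ge "$FAILS" ]; then echo 0; else echo 1; fi
}

# new_status <ISPA up> <ISPB up> -> 1 both up, 2 only A, 3 only B, 0 none.
# State 0 is the case the original loop never assigns; the assumption here
# is to keep the last working route rather than flap between dead gateways.
new_status() {
    case "$1$2" in
        11) echo 1 ;;
        10) echo 2 ;;
        01) echo 3 ;;
        *)  echo 0 ;;
    esac
}

# route_cmds <old status> <new status> -> the ip(8) commands for the
# transition, one per line; empty when nothing should change.
route_cmds() {
    [ "$1" = "$2" ] && return 0
    case "$2" in
        1)  printf 'ip route del default\n'
            printf 'ip route replace default table 222 proto static nexthop via %s dev %s weight %s nexthop via %s dev %s weight %s\n' \
                "$GW1" "$EXTIF1" "$W1" "$GW2" "$EXTIF2" "$W2" ;;
        2)  printf 'ip route replace default via %s dev %s\n' "$GW1" "$EXTIF1" ;;
        3)  printf 'ip route replace default via %s dev %s\n' "$GW2" "$EXTIF2" ;;
        *)  ;;   # both links dead: there is nothing sensible to switch to
    esac
}

# apply_transition <old> <new>: print (DRYRUN=1) or execute the commands.
apply_transition() {
    cmds=$(route_cmds "$1" "$2")
    [ -n "$cmds" ] || return 0
    if [ "$DRYRUN" = 1 ]; then
        printf '%s\n' "$cmds"
    else
        printf '%s\n' "$cmds" | sh -e
    fi
}

# monitor: the polling loop of the quoted script with one probe address per
# link (Tom Lobato's change). The last known good state is kept while both
# links are down so recovery is a normal transition from that state.
monitor() {
    counta=0; countb=0; status=1
    while :; do
        if ping -I "$EXTIF1" -c 1 -W 2 "$TESTIP1" >/dev/null 2>&1; then counta=0; else counta=$((counta + 1)); fi
        if ping -I "$EXTIF2" -c 1 -W 2 "$TESTIP2" >/dev/null 2>&1; then countb=0; else countb=$((countb + 1)); fi
        new=$(new_status "$(link_status "$counta")" "$(link_status "$countb")")
        apply_transition "$status" "$new"
        [ "$new" = 0 ] || status=$new
        sleep 10
    done
}

# Only loop when asked to, so the functions can be sourced and tested.
if [ "${RUN_MONITOR:-0}" = 1 ]; then monitor; fi
```

Run with `RUN_MONITOR=1 DRYRUN=1` to watch which route changes the loop would issue; only set `DRYRUN=0` once the printed transitions look right. Because `route_cmds` is pure text, the state table (1 both, 2 only A, 3 only B, 0 none) can be exercised with fixed counters, which is where the quoted script's unset-variable case shows up as a testable branch rather than a surprise at 3 a.m.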
From jarkao2 at o2.pl Thu Feb 8 08:36:49 2007
From: jarkao2 at o2.pl (Jarek Poplawski)
Date: Thu Feb 8 11:45:36 2007
Subject: [LARTC] Re: [PATCH] HTB O(1) class lookup
In-Reply-To: <200702051814.13899.simonl@parknet.dk>
References: <20070205101637.GB1863@ff.dom.local> <200702051814.13899.simonl@parknet.dk>
Message-ID: <20070208073649.GA1751@ff.dom.local>

On Mon, Feb 05, 2007 at 06:14:13PM +0100, Simon Lodal wrote:
...
> Regards
...

It seems the decision makers need more time, so I'd add 2 cents more:

1c: the indentation could be improved (spaces around operators), like in these places:

>+#define HTB_MAX_CLS (TC_H_MIN(-1)+1)
...
>+ htb_cls_array* a;
...
>+ int cnt,done;

etc.

2c: it is a question of taste, but here:

> err = -ENOBUFS;
>+ if (q->classes[HTB_CLS_ARRAY(minorid)] == NULL) {
>+ if ((q->classes[HTB_CLS_ARRAY(minorid)] =
>+ kzalloc(sizeof(htb_cls_array), GFP_KERNEL))
>+ == NULL)
>+ goto failure;
>+ }
> if ((cl = kzalloc(sizeof(*cl), GFP_KERNEL)) == NULL)
> goto failure;

it would probably be more readable and a bit merciful to the stressed system to free this htb_cls_array after the last error (I know it's not a leak).

Regards,
Jarek P.

PS: 1c extra - it's easier to read a diff if you use the -p option.

From geoff at cmcnetworks.net Thu Feb 8 11:59:50 2007
From: geoff at cmcnetworks.net (Geoff Dornan)
Date: Thu Feb 8 11:59:59 2007
Subject: [LARTC] GPL Software for Small ISP
References:
Message-ID:

Squid does the trick

http://www.squid-cache.org/

G.

________________________________
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Madhava Rayudu
Sent: 08 February 2007 05:26 AM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] GPL Software for Small ISP

Sir,

I have one 2 MB link which I have to distribute to 200 people. Caching may enhance performance. Kindly suggest packages for this purpose under GPL.

Regards,
Rayudu.
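Review bot: in the kzalloc hunk quoted in Jarek Poplawski's message above, the `htb_cls_array` stored into `q->classes[HTB_CLS_ARRAY(minorid)]` is left in place when the following `kzalloc(sizeof(*cl), GFP_KERNEL)` fails and jumps to `failure`, so a class-add that fails with -ENOBUFS still leaves a newly allocated array behind; as Jarek says this is not a leak, because the pointer stays reachable from `q->classes`, but the error path is no longer side-effect free. Remembering whether this call allocated the array (a local flag set after the first kzalloc and checked under the `failure:` label) and freeing it there keeps the function's state unchanged on error. On the same lines, the assignment folded into the `if` condition spans three lines and repeats the `HTB_CLS_ARRAY(minorid)` indexing; assigning to a local first, testing it for NULL, and then storing it into `q->classes[...]` reads more easily and also addresses the operator-spacing point raised for the other quoted lines.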
From anthony at anroet.com Thu Feb 8 12:10:35 2007
From: anthony at anroet.com (Anthony Kamau)
Date: Thu Feb 8 12:10:56 2007
Subject: [LARTC] Problems with HTB. Help!
In-Reply-To: <1170868650.13777.21.camel@andybev.localdomain>
Message-ID: <003301c74b71$c1aa2750$8cc8a8c0@anroet.com>

Thanks Andy.

I changed 'classid' back to 'flowid' but whenever I run the script, it throttles both uploads and downloads to the set rate - can you see why this would happen by perusing my script?

I'm thinking that the virtualization is what's causing the problem!

Cheers,
Anthony.

PS: Andy, please respond to this email as opposed to the other one. I forgot to change my Outlook account before transmitting and thus ended up using the incorrect email address, and the message was rejected by LARTC.

-----Original Message-----
From: Andrew Beverley [mailto:andy@andybev.com]
Sent: Thursday, 8 February 2007 4:18
To: Anthony Kamau
Cc: 'LARTC'
Subject: RE: [LARTC] Problems with HTB. Help!

tc filter add dev ifb0 parent 1:0 prio 0 protocol ip handle 10 fw \
    flowid 1:10

I'm getting out of my depth here so may be wrong, but as I understand it 'handle' is the MARK, flowid is what it should be classified as.

Andy

From tkb at anroet.com Thu Feb 8 15:21:40 2007
From: tkb at anroet.com (tkb2766)
Date: Thu Feb 8 15:22:00 2007
Subject: [LARTC] Problems with HTB. Help!
Message-ID: <01d601c74b8c$73290040$8cc8a8c0@anroet.com>

> I just realized something important - I've been looking at
> the status bar on Azureus and it appears to be broken!
> Looking at the connected hosts and tallying up their
> bandwidth, it is actually capped at the limit set in my HTB
> script. The status bar seems to always show what the
> download is capped at. However, I have seen it go to zero
> when there are no connected hosts downloading from my system!
>
> So all this time it has been an Azureus problem!!!
>
> Thanks for all your help Andy.
>
> Cheers,
> Ak.
>

Oh never mind - I'm high on something that I'm not aware of - it is still misbehaving! Dang it - this should be simple to implement as I've done it before, albeit a long while back!!!

Cheers,
Ak.

From francis at aspl.es Thu Feb 8 15:47:35 2007
From: francis at aspl.es (Francis Brosnan Blazquez)
Date: Thu Feb 8 15:48:11 2007
Subject: [LARTC] Configuring several route tables for the same network interface
Message-ID: <1170946055.3995.25.camel@vulcan.aspl>

Hi,

I've been following the documentation provided at [1] in order to set up a firewall to use two internet connections with different providers. While the instructions found in [1] are pretty clear, I'm not able to install new route tables (apart from the main and local), always getting:

RTNETLINK answers: File exists

Here is the situation:

[INET] -- [Provider Router 1] -- [10.0.0.1] --                 Linux Box
                                  10.0.0.0/29   \    eth1 |- [10.0.0.4]
                                  10.0.1.0/29   /         |- [10.0.1.4]
[INET] -- [Provider Router 2] -- [10.0.1.1] --

What I'm trying to do is to have two routing tables, one for each gateway, and use "ip rule from" to instruct the linux box to use one table or the other according to the source address (either 10.0.0.4 or 10.0.1.4). The set of instructions I've used is exactly the same as in [1] but with one difference: our linux box only has one NIC adapter (with two IPs configured), as opposed to the example, which has two NIC adapters.

So, the question would be: is it possible to have several route tables, or is only one routing table allowed per NIC? Supposing this context, is there any way to make traffic coming through "Provider Router 2" be replied to by the linux box through the same router, avoiding always using "Provider Router 1", which is the default via installed in the "main" route table?

Thanks for your attention!
[1] http://lartc.org/howto/lartc.rpdb.multiple-links.html

--
Francis Brosnan Blazquez
Advanced Software Production Line, S.L.

From andy at andybev.com Thu Feb 8 18:24:20 2007
From: andy at andybev.com (Andrew Beverley)
Date: Thu Feb 8 18:24:25 2007
Subject: [LARTC] Problems with HTB. Help!
In-Reply-To: <000001c74b5c$af2dd780$8cc8a8c0@anroet.com>
References: <000001c74b5c$af2dd780$8cc8a8c0@anroet.com>
Message-ID: <1170955461.4260.9.camel@andybev.localdomain>

On Thu, 2007-02-08 at 19:39 +1100, Anthony Kamau wrote:
> > -----Original Message-----
> > From: Andrew Beverley [mailto:andy@andybev.com]
> > Sent: Thursday, 8 February 2007 7:06
> > To: Anthony Kamau
> > Cc: 'LARTC'
> > Subject: RE: [LARTC] Problems with HTB. Help!
> >
> >
> > I don't think the virtualization would affect it. Can you resend the
> > iptables command you use to mark plus your tc commands? Also, can you
> > detail your setup (for example what is on eth0 and what is on eth1).
> >
> > Andy
> >
>
> Thanks Andy.
>
> eth0 connects to my LAN network - 192.168.200.0/24
> eth1 connects to a 4 port switch then onto my ADSL modem
>
> I mark traffic going to my P2P server as follows:
>
> $IPTABLES -t mangle -A PREROUTING -i eth0 -s 192.168.200.163 \
>     -j MARK --set-mark 1
>
> I tried moving the rule to the FORWARD chain instead but that did not help
> either:
>
> $IPTABLES -t mangle -A FORWARD -i eth0 -s 192.168.200.163 \
>     -j MARK --set-mark 1

Can you send your updated tc rules as well please?

Andy

From bob at nleaudio.com Thu Feb 8 18:42:36 2007
From: bob at nleaudio.com (Bob Puff@NLE)
Date: Thu Feb 8 18:37:35 2007
Subject: [LARTC] Need big buffer!
Message-ID: <45CB610C.70905@nleaudio.com>

Hi gang,

I have an application that is sending streaming media to a server. The encoder computer sends an average 200kbit stream; but for short, 1 second bursts, it can hit 400-500kbits. After it does one of these bursts, it reduces its output for another second or two, so that it maintains its average of 200kbits.
The problem is that it is sending UDP packets into a DSL link that has a fixed upstream cap of 300kbit. All is fine until it decides to burst, then I get dropped packets.

Is there a way I can insert a linux box after the encoding machine that I can use some traffic shaping on to:

1. Make sure it never sends more than 300k up (I do know how to do this now)
2. Make a big buffer so that I can still get all the data through the pipe, albeit with some delay, when these bursts happen. I would need this buffer to handle at least 2 seconds worth, maybe more.

I need something like this:

Time     IN      OUT
(secs)   (kbit)  (kbit)
----------------------
0.0      200     200
0.5      200     200
1.0      350     300
1.5      400     300
2.0      25      175
2.5      50      50
3.0      175     175
3.5      200     200
...etc...

Ideas?

Bob

From larry.brigman at gmail.com Thu Feb 8 18:46:17 2007
From: larry.brigman at gmail.com (Larry Brigman)
Date: Thu Feb 8 18:46:25 2007
Subject: [LARTC] Need big buffer!
In-Reply-To: <45CB610C.70905@nleaudio.com>
References: <45CB610C.70905@nleaudio.com>
Message-ID:

On 2/8/07, Bob Puff@NLE wrote:
> Hi gang,
>
> I have an application that is sending streaming media to a server. The encoder computer sends an
> average of 200kbit stream; but for short, 1 second bursts, can hit 400-500kbits. After it does one
> of these bursts, it reduces its output for another second or two, so that it maintains its average
> of 200kbits.
>
> The problem is that it is sending UDP packets into a DSL link that has a fixed upstream cap of
> 300kbit. All is fine until it decides to burst, then I get dropped packets.
>
> Is there a way I can insert a linux box after the encoding machine that I can use some traffic
> shaping to:
>
> 1. Make sure it never sends more than 300k up (I do know how to do this now)
> 2. Make a big buffer so that I can still get all the data through the pipe, albeit with some delay,
> when these bursts happen. I would need this buffer to handle at least 2 seconds worth, maybe more.
>

If you know how to do the 300k limit then, using that same method, add a queue depth to handle the difference on that class.

From madhava.rayudu at gmail.com Thu Feb 8 19:02:04 2007
From: madhava.rayudu at gmail.com (Madhava Rayudu)
Date: Thu Feb 8 19:02:10 2007
Subject: [LARTC] Re: GPL Software for Small ISP
In-Reply-To:
References:
Message-ID:

Hi,

It is not just browsing ...or HTTP... it is everything... I want a GPL package for a small ISP

Regards,
Rayudu..

On 2/8/07, Madhava Rayudu wrote:
>
>
> Sir,
>
> I have one 2 MB link which I have to distribute to 200 people.
> Caching may enhance performance. Kindly suggest packages for this purpose
> under GPL.
>
>
> Regards,
>
> Rayudu.
>

From andy at andybev.com Thu Feb 8 19:12:26 2007
From: andy at andybev.com (Andrew Beverley)
Date: Thu Feb 8 19:12:34 2007
Subject: [LARTC] Re: GPL Software for Small ISP
In-Reply-To:
References:
Message-ID: <1170958346.4260.28.camel@andybev.localdomain>

> It is not just browsing ...or HTTP... it is everything... I want a
> GPL package for a small ISP

I think you're probably limited in what you could cache other than HTTP.

I suggest you have a look at some of the examples of fair traffic shaping using linux. I can send you my script if you like - I have used it to share a 1 Mbit link between about 70 people and it works fairly well.

Regards,
Andy Beverley

>
> On 2/8/07, Madhava Rayudu wrote:
>
>         Sir,
>
>         I have one 2 MB link which I have to distribute to 200
>         people. Caching may enhance performance. Kindly suggest
>         packages for this purpose under GPL.
>
>
>         Regards,
>
>         Rayudu.
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From mkathuria at tuxtechnologies.co.in Thu Feb 8 20:07:20 2007
From: mkathuria at tuxtechnologies.co.in (Manish Kathuria)
Date: Thu Feb 8 20:07:25 2007
Subject: [LARTC] DGD patch not detecting dead gateway
In-Reply-To: <45CA6623.8000703@gmail.com>
References: <45CA6623.8000703@gmail.com>
Message-ID: <1df4abe60702081107h1479cda3o7836ae3c13109f4e@mail.gmail.com>

On 2/8/07, Tom Lobato wrote:
> Thank you for the script. I'm trying it.
>
> Well, I made a simple modification and would like to hear opinions.
> Until now, I just added one more TESTIP, so I'm pinging one IP for each link.
> Also I'm using the IP instead of the name address, and used the DNS IP of each provider
> for the ping. I made this because the ping to external sites (yahoo, google) is too slow
> here, mainly when the link is under heavy load. So I'm afraid it can try to ping
> without success and "think" the link is down.

I just used a popular external site because it may happen that connectivity from your location to the provider's DNS is there but the provider's link with the rest of the internet is down, so even if you get a successful ping reply, the link isn't working in the real sense. Also, I preferred using a name instead of an IP address because there could be multiple IP addresses associated with the site name and they can change too. But I don't see anything wrong in your approach.

What do you mean by slow? I don't think ping reply time should be an issue. We are more concerned with the success. Obviously, it should not time out. The ping reply times I get here for sites like www.yahoo.com and www.google.com are to the tune of 300 ms. You can increase the pin

> Also, to avoid getting false 'link down', did you try to increase the number of 4
> ping fails before replacing the route? What do you think about it?
>

4 successive ping fails means that the link has been down for anywhere between 40-50 seconds, which I think was a sufficient time interval to carry out a failover. But you can increase it depending upon your requirements. For restoring the link, the script doesn't wait for that much time.

> PS: although the alteration is so simple, if someone wants to see it, tell me and I'll send a mail.
> Tom Lobato

It would be great to see your final script.

--
Manish Kathuria
Tux Technologies
http://www.tuxtechnologies.co.in/

From andy at andybev.com Thu Feb 8 21:45:28 2007
From: andy at andybev.com (Andrew Beverley)
Date: Thu Feb 8 21:45:36 2007
Subject: [LARTC] tc class add syntax
In-Reply-To: <45C86162.8030209@ambra.ro>
References: <45C86162.8030209@ambra.ro>
Message-ID: <1170967528.4243.17.camel@andybev.localdomain>

> What is wrong in this line?
> tc class add dev eth1 parent 1:1 classid 1:521df18 htb rate 2Kbit ceil
> 24000Kbit prio 3 quantum 2000
> I know the classid is wrong, but what is the correct syntax?

The syntax looks fine to me. What is the error you're getting?

From andy at andybev.com Thu Feb 8 22:40:34 2007
From: andy at andybev.com (Andrew Beverley)
Date: Thu Feb 8 22:40:50 2007
Subject: [LARTC] Re: GPL Software for Small ISP
In-Reply-To: <45CB8F9D.9020405@bistrita-net.ro>
References: <1170958346.4260.28.camel@andybev.localdomain> <45CB8F9D.9020405@bistrita-net.ro>
Message-ID: <1170970834.4243.25.camel@andybev.localdomain>

On Thu, 2007-02-08 at 23:01 +0200, Bogdan Hojda wrote:
> Andrew Beverley wrote:
> >> It is not just browsing ...or HTTP... it is everything... I want a
> >> GPL package for a small ISP
> >
> > I think you're probably limited in what you could cache other than HTTP.
> >
> > I suggest you have a look at some of the examples of fair traffic
> > shaping using linux. I can send you my script if you like - I have used
> > it to share a 1 Mbit link between about 70 people and it works fairly
> > well.
> >
>
> Could you send that script to me, please?
> I have about 150 people
> sharing a 2 Mbit link, I'm not satisfied with my old script, and I'm
> searching for some alternatives.
>

I've attached it. Let me know if you have any questions. A few notes:

- internet link is ppp0, local network is eth0
- local network is on a 10.0.0.0 subnet
- I use IFB to shape ingress traffic
- edit DOWNLINK and UPLINK variables as required
- You'll need to patch your kernel for connlimit and ipset (if you want p2p detection)
- I also use Squid as a transparent web cache. Take those rules out if you don't need them.

Regards,
Andy Beverley

-------------- next part --------------
A non-text attachment was scrubbed...
Name: traffic-shaper
Type: application/x-shellscript
Size: 12112 bytes
Desc: not available
Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20070208/f40739a0/traffic-shaper-0001.bin

From bob at nleaudio.com Fri Feb 9 02:05:20 2007
From: bob at nleaudio.com (Bob Puff)
Date: Fri Feb 9 02:05:42 2007
Subject: [LARTC] Need big buffer!
In-Reply-To:
References: <45CB610C.70905@nleaudio.com>
Message-ID: <20070209010402.M21760@nleaudio.com>

> If you know how to do the 300k limit then using that same method add
> a queue depth to handle the difference on that class.

How do I do that? (sorry, newbie to tc)

Bob

From bob at nleaudio.com Fri Feb 9 03:31:27 2007
From: bob at nleaudio.com (Bob Puff@NLE)
Date: Fri Feb 9 03:26:34 2007
Subject: [LARTC] Need big buffer!
In-Reply-To: <20070209010402.M21760@nleaudio.com>
References: <45CB610C.70905@nleaudio.com> <20070209010402.M21760@nleaudio.com>
Message-ID: <45CBDCFF.5080204@nleaudio.com>

Bob Puff wrote:
>
>> If you know how to do the 300k limit then using that same method add
>> a queue depth to handle the difference on that class.
>
>
> How do I do that? (sorry, newbie to tc)
>
> Bob

I've been trying to read up, and still not coming up with concrete info on queue sizes.
Right now, my code for limiting to 300k is:

tc qdisc add dev eth0 root handle 1: htb default 21
tc class add dev eth0 parent 1: classid 1:1 htb rate 300kbit
tc class add dev eth0 parent 1:1 classid 1:20 htb prio 0 rate 100kbit
tc class add dev eth0 parent 1:1 classid 1:21 htb prio 1 rate 100kbit ceil 300k

..with some matches for prioritizing other traffic into class 1:20.

I assume there is something I need to add to the first line, but everything I've read about never mentions htb.

Bob

From jim+lartc at jimlawson.org Fri Feb 9 03:53:00 2007
From: jim+lartc at jimlawson.org (Jim Lawson)
Date: Fri Feb 9 03:53:36 2007
Subject: [LARTC] need help with tc filters
Message-ID: <45CBE20C.4080106@jimlawson.org>

Hi,

I am attempting to set up some simple outbound shaping following the LARTC HOWTO.

The HTB qdisc seems to work as the documentation says, but my filters don't seem to be working. All of the packets go to the default queue regardless of what filters I set, it seems. (according to tc -s qdisc show)

I am trying to get this working on my openwrt box (whiterussian rc6), but when testing it on my Debian etch box for comparison, I see the same behavior.

I'm hoping someone can point out what I'm doing wrong with the filters...

FYI: "vlan1" is the outbound interface of my wrt54g.
Script follows:

IF=vlan1

insmod cls_u32
insmod sch_htb
insmod sch_prio
insmod sch_sfq

#
# qdisc/class tree
#
# 1:        root (HTB) qdisc
# |
# 1:10      class rate 384000bit
# |
# 10:       prio qdisc
# /   |   \
# 10:1 |  10:3
# |   10:2  |
# 101: |    | sfq
#    102:   | sfq
#         103: sfq

tc qdisc del dev $IF root

tc qdisc add dev $IF root handle 1: htb default 10

tc class add dev $IF parent 1: classid 1:10 htb rate 384kbit burst 3k

# This automatically creates 10:1, 10:2, 10:3
tc qdisc add dev $IF parent 1:10 handle 10: prio

# Add sfq qdisc to each of the priority classes
tc qdisc add dev $IF parent 10:1 handle 101: sfq
tc qdisc add dev $IF parent 10:2 handle 102: sfq
tc qdisc add dev $IF parent 10:3 handle 103: sfq

# "bulk" ssh on port 20022 goes to 103: (low priority)
tc filter add dev $IF parent 1:0 protocol ip prio 1 u32 \
    match ip sport 20022 0xffff flowid 103:
tc filter add dev $IF parent 1:0 protocol ip prio 1 u32 \
    match ip dport 20022 0xffff flowid 103:

# ICMP goes fast?
tc filter add dev $IF parent 1:0 protocol ip prio 2 u32 \
    match ip protocol 1 0xff flowid 101:

From mingching.tiew at redtone.com Fri Feb 9 04:03:19 2007
From: mingching.tiew at redtone.com (Ming-Ching Tiew)
Date: Fri Feb 9 04:00:04 2007
Subject: [LARTC] Re: tc filter matches ip fileds inside pppoe frames
Message-ID: <044901c74bf6$da398830$0100a8c0@MingChing>

From: Ming-Ching Tiew
To: lartc@mailman.ds9a.nl
Sent: Monday, February 05, 2007 9:28 AM
Subject: tc filter matches ip fileds inside pppoe frames

> I have a requirement which I guess is not too unusual, however I haven't
> quite figured out how to do it and couldn't find any examples which handle that.
>
> I have made myself a Linux-based bridge, eth0 bridged with
> eth1 to form br0.
>
> In this bridge, I run a 'tc' script to handle QoS.
>
> So far nothing unusual.
>
> However, what's different is that this bridge sits in between a pppoe client
> and pppoe server, i.e. pppoe frames are bridged through the Linux bridge, and
> I am interested in performing QoS on the pppoe frames, based on the ip tos setting
> of the ppp packets ( encapsulated inside the pppoe frames ).
>
> For example, a normal tc script :-
>
> tc filter add dev ppp0 parent 1:0 prio 10 u32 \
>     match ip tos 0x10 0xff \
>     flowid 1:4
>
> This will work on a ppp0 device because the ppp0 has ip packets flowing through
> it. Now in my bridge, there is no such device, I only have access to eth0 or eth1;
> how could I perform the same thing on devices such as eth0 or eth1, but matching
> the ip TOS setting inside the pppoe frame ?

Perhaps this will be one step closer to matching ip TOS inside the PPPOE frame :-

# tc filter add dev vlan0 parent 1:0 protocol 0x8864 prio 10 u32 \
    match u32 0x00100000 0x00ff0000 at .... \
    flowid 1:4

Protocol 0x8864 refers to PPP_SES. But the question is where is the location of the TOS field in the ip header encapsulated inside the PPP frame ? What if the IP header is compressed inside the ppp frame ?

Cheers

From madhava.rayudu at gmail.com Fri Feb 9 04:11:55 2007
From: madhava.rayudu at gmail.com (Madhava Rayudu)
Date: Fri Feb 9 04:12:02 2007
Subject: [LARTC] Re: GPL Software for Small ISP
In-Reply-To: <1170958346.4260.28.camel@andybev.localdomain>
References: <1170958346.4260.28.camel@andybev.localdomain>
Message-ID:

Sir,

On 2/8/07, Andrew Beverley wrote:
> I suggest you have a look at some of the examples of fair traffic
> shaping using linux. I can send you my script if you like - I have used
> it to share a 1 Mbit link between about 70 people and it works fairly
> well.

Please do send. I am very thankful to you.

Right now I am using rshaper by Alessandro Rubini for shaping incoming bandwidth (from my clients) and Squid delay pools for HTTP traffic. Kindly see there is provision for using squid cache.
Most of the QoS/TC packages do not consider Squid in between. Marking of Squid's hits/misses etc.. But Squid saves around 35% of bandwidth, which is a huge money saving.

Regards,
Rayudu.

>
>
> On 2/8/07, Madhava Rayudu wrote:
> >
> >         Sir,
> >
> >         I have one 2 MB link which I have to distribute to 200
> >         people. Caching may enhance performance. Kindly suggest
> >         packages for this purpose under GPL.
> >
> >
> >         Regards,
> >
> >         Rayudu.
> >

From bob at nleaudio.com Fri Feb 9 06:15:34 2007
From: bob at nleaudio.com (Bob Puff@NLE)
Date: Fri Feb 9 06:10:34 2007
Subject: [LARTC] need help with tc filters
In-Reply-To: <45CBE20C.4080106@jimlawson.org>
References: <45CBE20C.4080106@jimlawson.org>
Message-ID: <45CC0376.40109@nleaudio.com>

Hi Jim,

Try something a little more simple:

tc qdisc del dev $IF root
tc qdisc add dev $IF root handle 1: htb default 11
tc class add dev $IF parent 1: classid 1:1 htb rate 384kbit
tc class add dev $IF parent 1:1 classid 1:10 htb prio 0 rate 384kbit burst 3k
tc class add dev $IF parent 1:1 classid 1:11 htb prio 3 rate 384kbit

# "bulk" ssh on port 20022 goes to 1:11: (low priority)
tc filter add dev $IF parent 1:0 protocol ip prio 1 u32 \
    match ip sport 20022 0xffff flowid 1:11
tc filter add dev $IF parent 1:0 protocol ip prio 1 u32 \
    match ip dport 20022 0xffff flowid 1:11

# ICMP goes fast:
tc filter add dev $IF parent 1:0 protocol ip prio 0 u32 \
    match ip protocol 1 0xff flowid 1:10

Some minor changes in numbers there. Class 1:10 is fast, 1:11 is bulk.

Bob

Jim Lawson wrote:
> Hi,
>
> I am attempting to set up some simple outbound shaping following the
> LARTC HOWTO.
>
> The HTB qdisc seems to work as the documentation says, but my filters
> don't seem to be working. All of the packets go to the default queue
> regardless of what filters I set, it seems. (according to tc -s qdisc
> show)
>
> I am trying to get this working on my openwrt box (whiterussian rc6),
> but when testing it on my Debian etch box for comparison, I see the same
> behavior.
>
> I'm hoping someone can point out what I'm doing wrong with the filters...
>
> FYI: "vlan1" is the outbound interface of my wrt54g.
>
> Script follows:
>
> IF=vlan1
>
> insmod cls_u32
> insmod sch_htb
> insmod sch_prio
> insmod sch_sfq
>
> #
> # qdisc/class tree
>
>
> #    1:         root (HTB) qdisc
> #    |
> #    1:10       class rate 384000bit
> #    |
> #    10:        prio qdisc
> #   / | \
> # 10:1 | 10:3
> #  |  10:2 |
> # 101: |   |    sfq
> #     102: |    sfq
> #         103:  sfq
>
>
> tc qdisc del dev $IF root
>
> tc qdisc add dev $IF root handle 1: htb default 10
>
> tc class add dev $IF parent 1: classid 1:10 htb rate 384kbit burst 3k
>
> # This automatically creates 10:1, 10:2, 10:3
> tc qdisc add dev $IF parent 1:10 handle 10: prio
>
> # Add sfq qdisc to each of the priority classes
>
> tc qdisc add dev $IF parent 10:1 handle 101: sfq
>
> tc qdisc add dev $IF parent 10:2 handle 102: sfq
>
> tc qdisc add dev $IF parent 10:3 handle 103: sfq
>
> # "bulk" ssh on port 20022 goes to 103: (low priority)
> tc filter add dev $IF parent 1:0 protocol ip prio 1 u32 \
>     match ip sport 20022 0xffff flowid 103:
> tc filter add dev $IF parent 1:0 protocol ip prio 1 u32 \
>     match ip dport 20022 0xffff flowid 103:
>
> # ICMP goes fast?
>
> tc filter add dev $IF parent 1:0 protocol ip prio 2 u32 \
>     match ip protocol 1 0xff flowid 101:
>
>
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

From dennyzulfikar at gmail.com Fri Feb 9 08:15:05 2007
From: dennyzulfikar at gmail.com (Denny Zulfikar)
Date: Fri Feb 9 08:15:16 2007
Subject: [LARTC] trouble https multiple uplinks... how?
Message-ID:

hello,

my name is Denny. I am new in this list. I am trying to use multiple uplinks as described in the lartc documentation (http://lartc.org/howto/lartc.rpdb.multiple-links.html) with squid transparent proxy in my gateway server.

let me draw the configuration :

                /-----------------
 -----DSL1-----|                  \
               |Transparent proxy  |----Local network
 -----DSL2-----|                  /
                \-----------------

IP DSL1 : 172.17.1.2/30
IP DSL2 : 172.18.1.2/30
IP eth1(DSL1) : 172.17.1.1/30
IP eth2(DSL2) : 172.18.1.1/30
Local network : 10.14.1.0/24

each DSL link's rate is 384 kbps downlink and 128 kbps uplink.

my ip route setting :
------------
ip route add equalize scope global \
    nexthop via 172.17.1.2 dev eth1 weight 1 \
    nexthop via 172.18.1.2 dev eth2 weight 1
------------

my iptables setting :
------------
# proxy redirect
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128

# postrouting
iptables -t nat -A POSTROUTING -j SNAT -o eth1 --to-source 172.17.1.1
iptables -t nat -A POSTROUTING -j SNAT -o eth2 --to-source 172.18.1.1
------------

squid config :
------------
visible_hostname my_isp.net
icp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
cache_mem 512 MB
cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF
cache_dir ufs /cache 6000 14 256
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 10.14.1.0/255.255.255.0
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow localhost
http_access allow localnet
http_access allow manager localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
cache_mgr cache-me
cache_effective_user squid
cache_effective_group squid
logfile_rotate 0
log_icp_queries off
buffered_logs on
half_closed_clients off
maximum_object_size 2048 KB
------------

All configuration works. I can browse most websites. But, I have another problem when implementing this multiple uplinks method.

1. Messenger tools like YM will disconnect and try to reconnect every 3-5 minutes. It always happens.
2. HTTPS for hotmail/msn always gives an error. "The connection was reset" always appears in mozilla firefox. But, it never happens with yahoo-mail and gmail (https).
3. MSN messenger never connects successfully.

None of these problems happen when I use conventional routing with only one gateway.

After searching articles on the internet, I am trying to mark each connection for MSN messenger via only one gateway. This is my solution using iptables :
----------
iptables -t mangle -A PREROUTING -p tcp --dport 443 -j MARK --set-mark 0x10
iptables -t mangle -A PREROUTING -p tcp --dport 1863:1864 -j MARK --set-mark 0x10
iptables -t nat -A POSTROUTING -m mark --mark 0x10 -j SNAT -o eth1 --to-source 172.17.1.2
----------

It works!!
My MSN messenger is able to connect now, but it always disconnects every 3-5 minutes.

The same way I tried to fix my YM problem. I tried to mark the YM port and postroute the traffic to eth1, but it does not solve my problem. YM always connects/disconnects every 5 minutes. (problem number 1)

Another problem: why does MSN/Hotmail webmail always refuse my connection? (problem number 2)

Maybe somebody has an idea how to solve this problem? I feel I will give up soon... :(

thanks a lot for your information and help.. :)

best regards,
Denny Zulfikar

From andrew.lyon at josims.com Fri Feb 9 11:18:31 2007
From: andrew.lyon at josims.com (Andrew Lyon)
Date: Fri Feb 9 11:22:00 2007
Subject: [LARTC] Routing / NAT for Multi Subnet Router
Message-ID: <592F914D209FD942908826DFF2277A2D0329E51B@COMMSSERVER>

Hi,

I have a linux system which is a router between several subnets (each also a different segment), in total 3 different lans, 2 dmz, and 4 internet connections. My default FORWARD policy is DROP. Here is a simplified example of my config with only two lan segments and one internet connection:

Allow forwarding between lans

-A FORWARD -s lan1/mask -j ACCEPT
-A FORWARD -d lan1/mask -j ACCEPT
-A FORWARD -s lan2/mask -j ACCEPT
-A FORWARD -d lan2/mask -j ACCEPT

Are some of those redundant?

Then I want to nat anything that is not to one of the local subnets (i.e. is going to internet), but the only way I can find to do that is to setup rules to avoid natting between subnets:

-t nat -A POSTROUTING -s lan1/mask -d lan2/mask -j RETURN
-t nat -A POSTROUTING -s lan2/mask -d lan1/mask -j RETURN

And then a final rule to nat:

-t nat -A POSTROUTING -s lan1/mask -j SNAT --to-source

I used to have a rule like:

-t nat -A POSTROUTING -s lan1/mask -o internet-eth -j MASQUERADE

and that worked because it only natted packets that were going to the internet, but now I am using Equal Cost MultiPath, and that doesn't work well with MASQUERADE. It does work with SNAT, but with SNAT I cannot use a rule like that.
Is there a better way to achieve what I desire?

Thanks

Andy

JOSEDV001TAG

From andy at andybev.com Fri Feb 9 14:00:42 2007
From: andy at andybev.com (Andrew Beverley)
Date: Fri Feb 9 14:00:47 2007
Subject: [LARTC] Problems with HTB. Help!
In-Reply-To: <020b01c74c2f$f9f2c7c0$8cc8a8c0@anroet.com>
References: <020b01c74c2f$f9f2c7c0$8cc8a8c0@anroet.com>
Message-ID: <1171026042.4244.12.camel@andybev.localdomain>

On Fri, 2007-02-09 at 20:52 +1100, tkb2766 wrote:
> > -----Original Message-----
> > From: lartc-bounces@mailman.ds9a.nl
> > [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Andrew Beverley
> > Sent: Friday, 9 February 2007 4:24
> > To: Anthony Kamau
> > Cc: 'LARTC'
> > Subject: RE: [LARTC] Problems with HTB. Help!
> >
> > Can you send your updated tc rules as well please?
> >
> > Andy
> >
>
> Here's the htbinit script:
> ************************************************************************
> #!/bin/bash
>
> # Whole purpose of this is to slow the P2P server down!
>
> ###################################
> # Reset everything to known state #
> ###################################
> tc qdisc del dev eth1 root
>
> ####################
> # Setup the links  #
> ####################
> tc qdisc add dev eth1 parent root handle 2: htb default 13
>
> ###########################
> # Setup the root classes  #
> ###########################
> tc class add dev eth1 parent 2: classid 2:1 htb rate 384kbit \
>     ceil 384kbit
>
> ###########################
> # Setup the child classes #
> ###########################
> tc class add dev eth1 parent 2:1 classid 2:10 htb rate 224kbit \
>     ceil 384kbit prio 0
> tc class add dev eth1 parent 2:1 classid 2:11 htb rate 100kbit \
>     ceil 100kbit prio 1 burst 1024k
> tc class add dev eth1 parent 2:1 classid 2:12 htb rate 30kbit \
>     ceil 30kbit prio 2
> tc class add dev eth1 parent 2:1 classid 2:13 htb rate 30kbit \
>     ceil 30kbit prio 3 burst 1500
>
> #####################
> # Setup the filters #
> #####################
> # match acks the hard way,
> # IP protocol 6,
> # IP header length 0x5(32 bit words),
> # IP Total length 0x34 (ACK + 12 bytes of TCP options)
> # TCP ack set (bit 5, offset 33)
> ACK="tc filter add dev eth1 protocol ip parent 2:0 prio 0 u32"
> $ACK match ip protocol 6 0xff \
>     match u8 0x05 0x0f at 0 \
>     match u16 0x0000 0xffc0 at 2 \
>     match u8 0x10 0xff at 33 \
>     flowid 2:11
> U32="tc filter add dev eth1 protocol ip parent 2:0 u32"
> $U32 match ip src 192.168.200.130 flowid 2:10
> $U32 match ip src 192.168.200.140 flowid 2:10
> $U32 match ip src 192.168.200.147 flowid 2:10
> P2P="tc filter add dev eth1 parent 2:0 prio 2 protocol ip"
> #$P2P handle 1 fw flowid 2:12
>
> ####################################################
> # Setup the queue discipline for the child classes #
> ####################################################
> tc qdisc add dev eth1 parent 2:10 handle 10: sfq perturb 10
> tc qdisc add dev eth1 parent 2:11 handle 11: sfq perturb 10
> tc qdisc add dev eth1 parent 2:12 handle 12: sfq perturb 10
> **********************************************************************
>
> And here is the rule in the firewall that is marking the packets:
> ************************************************************************
> $IPTABLES -t mangle -I FORWARD -s $P2PSRVR -i $LAN_IFACE -j MARK \
>     --set-mark 1
> ************************************************************************
>
>
> Can you spot any issues with this?
>
> In the mean time, I'll try your classid method and if that works fine, then
> so be it from now on.

I see the problem. You're using a default of 13 so all unclassified traffic goes to classid 13. All traffic from and to 192.168.200.163 falls into this category, and is therefore limited to 30 kbit.

I suggest changing your default to 10, removing the U32 rules to match all the other hosts, and using -j CLASSIFY --set-class 2:13 on your iptables rule (the current one based on MARK isn't used at the minute anyway because there is no tc filter for it).
Hope this helps,

Andy Beverley

From andy at andybev.com Fri Feb 9 14:10:02 2007
From: andy at andybev.com (Andrew Beverley)
Date: Fri Feb 9 14:10:07 2007
Subject: [LARTC] need help with tc filters
In-Reply-To: <45CBE20C.4080106@jimlawson.org>
References: <45CBE20C.4080106@jimlawson.org>
Message-ID: <1171026603.4244.15.camel@andybev.localdomain>

On Thu, 2007-02-08 at 21:53 -0500, Jim Lawson wrote:
> Hi,
>
> I am attempting to set up some simple outbound shaping following the
> LARTC HOWTO.
>
> The HTB qdisc seems to work as the documentation says, but my filters
> don't seem to be working. All of the packets go to the default queue
> regardless of what filters I set, it seems. (according to tc -s qdisc show)
>
> I am trying to get this working on my openwrt box (whiterussian rc6),
> but when testing it on my Debian etch box for comparison, I see the same
> behavior.
>
> I'm hoping someone can point out what I'm doing wrong with the filters...
>
> FYI: "vlan1" is the outbound interface of my wrt54g.
>
> Script follows:
>
> IF=vlan1
>
> insmod cls_u32
> insmod sch_htb
> insmod sch_prio
> insmod sch_sfq
>
> #
> # qdisc/class tree
>
>
> #    1:         root (HTB) qdisc
> #    |
> #    1:10       class rate 384000bit
> #    |
> #    10:        prio qdisc
> #   / | \
> # 10:1 | 10:3
> #  |  10:2 |
> # 101: |   |    sfq
> #     102: |    sfq
> #         103:  sfq
>
>
> tc qdisc del dev $IF root
>
> tc qdisc add dev $IF root handle 1: htb default 10
>
> tc class add dev $IF parent 1: classid 1:10 htb rate 384kbit burst 3k
>
> # This automatically creates 10:1, 10:2, 10:3
> tc qdisc add dev $IF parent 1:10 handle 10: prio
>
> # Add sfq qdisc to each of the priority classes
>
> tc qdisc add dev $IF parent 10:1 handle 101: sfq
>
> tc qdisc add dev $IF parent 10:2 handle 102: sfq
>
> tc qdisc add dev $IF parent 10:3 handle 103: sfq
>
> # "bulk" ssh on port 20022 goes to 103: (low priority)
> tc filter add dev $IF parent 1:0 protocol ip prio 1 u32 \
>     match ip sport 20022 0xffff flowid 103:
>
> tc filter add dev $IF parent 1:0 protocol ip prio 1 u32 \
>     match ip dport 20022 0xffff flowid 103:
>
> # ICMP goes fast?
>
> tc filter add dev $IF parent 1:0 protocol ip prio 2 u32 \
>     match ip protocol 1 0xff flowid 101:
>

At a guess there's a problem with the filters. Because it's not always immediately apparent, what I tend to do is match using iptables, but send to target LOG to check that it's catching what I expect it to. Once you're happy this is working you can then change the LOG to CLASSIFY instead of using the last few tc filter rules that you have.

Regards,

Andy Beverley

From tkb at anroet.com Fri Feb 9 10:52:02 2007
From: tkb at anroet.com (tkb2766)
Date: Fri Feb 9 14:12:52 2007
Subject: [LARTC] Problems with HTB. Help!
In-Reply-To: <1170955461.4260.9.camel@andybev.localdomain>
Message-ID: <020b01c74c2f$f9f2c7c0$8cc8a8c0@anroet.com>

> -----Original Message-----
> From: lartc-bounces@mailman.ds9a.nl
> [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Andrew Beverley
> Sent: Friday, 9 February 2007 4:24
> To: Anthony Kamau
> Cc: 'LARTC'
> Subject: RE: [LARTC] Problems with HTB. Help!
>
> Can you send your updated tc rules as well please?
>
> Andy
>

Here's the htbinit script:
************************************************************************
#!/bin/bash

# Whole purpose of this is to slow the P2P server down!

###################################
# Reset everything to known state #
###################################
tc qdisc del dev eth1 root

####################
# Setup the links  #
####################
tc qdisc add dev eth1 parent root handle 2: htb default 13

###########################
# Setup the root classes  #
###########################
tc class add dev eth1 parent 2: classid 2:1 htb rate 384kbit \
    ceil 384kbit

###########################
# Setup the child classes #
###########################
tc class add dev eth1 parent 2:1 classid 2:10 htb rate 224kbit \
    ceil 384kbit prio 0
tc class add dev eth1 parent 2:1 classid 2:11 htb rate 100kbit \
    ceil 100kbit prio 1 burst 1024k
tc class add dev eth1 parent 2:1 classid 2:12 htb rate 30kbit \
    ceil 30kbit prio 2
tc class add dev eth1 parent 2:1 classid 2:13 htb rate 30kbit \
    ceil 30kbit prio 3 burst 1500

#####################
# Setup the filters #
#####################
# match acks the hard way,
# IP protocol 6,
# IP header length 0x5(32 bit words),
# IP Total length 0x34 (ACK + 12 bytes of TCP options)
# TCP ack set (bit 5, offset 33)
ACK="tc filter add dev eth1 protocol ip parent 2:0 prio 0 u32"
$ACK match ip protocol 6 0xff \
    match u8 0x05 0x0f at 0 \
    match u16 0x0000 0xffc0 at 2 \
    match u8 0x10 0xff at 33 \
    flowid 2:11
U32="tc filter add dev eth1 protocol ip parent 2:0 u32"
$U32 match ip src 192.168.200.130 flowid 2:10
$U32 match ip src 192.168.200.140 flowid 2:10
$U32 match ip src 192.168.200.147 flowid 2:10
P2P="tc filter add dev eth1 parent 2:0 prio 2 protocol ip"
#$P2P handle 1 fw flowid 2:12

####################################################
# Setup the queue discipline for the child classes #
####################################################
tc qdisc add dev eth1 parent 2:10 handle 10: sfq perturb 10
tc qdisc add dev eth1 parent 2:11 handle 11: sfq perturb 10
tc qdisc add dev eth1 parent 2:12 handle 12: sfq perturb 10
**********************************************************************

And here is the rule in the firewall that is marking the packets:
************************************************************************
$IPTABLES -t mangle -I FORWARD -s $P2PSRVR -i $LAN_IFACE -j MARK \
    --set-mark 1
************************************************************************

Can you spot any issues with this?

In the mean time, I'll try your classid method and if that works fine, then
so be it from now on.

Cheers,
tkb.

From thuleau at gmail.com Fri Feb 9 14:19:12 2007
From: thuleau at gmail.com (Edouard Thuleau)
Date: Fri Feb 9 14:19:17 2007
Subject: [LARTC] QoS Linux questions
Message-ID: <81c11a560702090519s647f7fe8q5ee29e6b2d7089e4@mail.gmail.com>

Hi,

I've two questions about QoS on a Linux system.

1) What unit does it use for the rate in the different configurations of the schedulers, IP rate or Ethernet rate?

2) Is it possible to attach to an interface a queue with a strict priority scheduler and two or more with an HTB scheduler? For example, a queue for VoIP with strict priority, and 2 queues for Video and Internet with an HTB scheduler. Priorities are: VoIP, Video and Internet. The Video and data can starve.

Thanks,
Edouard.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070209/3e381add/attachment.html

From andy at andybev.com Fri Feb 9 14:37:34 2007
From: andy at andybev.com (Andrew Beverley)
Date: Fri Feb 9 14:37:42 2007
Subject: [LARTC] Opinions about pom/patches [was: iptables 1.3.7, kernel 2.6.19, ROUTE and Layer7 issues]
In-Reply-To: <45C005EB.1040704@netfilter.org>
References: <54905.84.123.236.132.1165866276.squirrel@www.arcoscom.com> <57631.195.55.244.106.1165911878.squirrel@www.arcoscom.com> <457E6997.1050001@trash.net> <36479.195.55.244.106.1165998665.squirrel@www.arcoscom.com> <457FBBFD.6060009@trash.net> <45A48087.8090200@trash.net> <54696.195.55.244.106.1168435275.squirrel@www.arcoscom.com> <1169746884.4253.51.camel@andybev.localdomain> <45C005EB.1040704@netfilter.org>
Message-ID: <1171028254.4244.26.camel@andybev.localdomain>

On Wed, 2007-01-31 at 03:58 +0100, Pablo Neira Ayuso wrote:
> Andrew Beverley wrote:
> > I would also like to see as many of the POM included in the stable
> > kernel. It's a bit of a headache to patch in what I want each time I
> > update the kernel, and on a fresh system I have to install CURL just to
> > update POM just to add connlimit to the kernel...
>
> IMHO, patching kernels to add some certain shiny-feature(TM) is
> generally a bad idea if you don't know how the patch internally works or
> if you can't directly get support from the author of such patch.

Yes, agreed. I was more thinking of those that (look like) they have been stable for a few years.

> Anyway, if you think that some certain patch is stable enough to push it
> forward to mainline, encourage the author to push it forward. Probably
> there is a reason why he decided not to do that.

Okay, I've emailed the author (of connlimit) but not received a reply. I did ask him a while ago on the same subject but didn't really get a reason as to why it is not. Anybody have any ideas?

In this case can *I* push it forward to the stable kernel?
Regards,

Andy Beverley

From martin at linux-ip.net Fri Feb 9 17:00:26 2007
From: martin at linux-ip.net (Martin A. Brown)
Date: Fri Feb 9 17:00:54 2007
Subject: [LARTC] Need big buffer!
In-Reply-To: <45CBDCFF.5080204@nleaudio.com>
References: <45CB610C.70905@nleaudio.com> <20070209010402.M21760@nleaudio.com> <45CBDCFF.5080204@nleaudio.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings Bob,

 : I've been trying to read up, and still not coming up with
 : concrete info on queue sizes. Right now, my code for limiting to
 : 300k is:
 :
 : tc qdisc add dev eth0 root handle 1: htb default 21
 : tc class add dev eth0 parent 1: classid 1:1 htb rate 300kbit
 : tc class add dev eth0 parent 1:1 classid 1:20 htb prio 0 rate 100kbit
 : tc class add dev eth0 parent 1:1 classid 1:21 htb prio 1 rate 100kbit ceil 300k
 :
 : ..with some matches for prioritizing other traffic into class
 : 1:20.
 :
 : I assume there is something I need to add to the first line, but
 : everything I've read about never mentions htb.

Here are pointers to HTB documentation that I have written [0], and, of course, the author's own documentation [1]. Stef Coene, who used to be extraordinarily active on this list has some useful (if not currently maintained) documentation at [2]. See also Leonardo Balliache's thorough examination of traffic control under Linux [3].

As I see it, your problem is not that you haven't found the right HTB setting, but rather that you haven't embedded a (b)FIFO in the right place. Try adding a fifo of the appropriate size (in bytes) to the class which is handling your bursty traffic. This FIFO will hold your queued packets while HTB dequeues them at the ceil rate. Trial and error will probably help you determine the optimal depth of the FIFO for your purposes.

  tc qdisc add dev eth0 parent 1:21 bfifo limit 256000

Best of luck,

- -Martin

 [0]
 [1] http://luxik.cdi.cz/~devik/qos/htb/
 [2] http://www.docum.org/docum.org/
 [3] http://www.opalsoft.net/qos/DS-28.htm

- --
Martin A. Brown
http://linux-ip.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: pgf-0.72 (http://linux-ip.net/sw/pine-gpg-filter/)

iD8DBQFFzJqeHEoZD1iZ+YcRAvFyAJ9ARFRk02h1tY0COJnHvEvHs1HkwgCgpQwF
9AWk9kTyPSGmdxPtFYpFpGg=
=Y0gF
-----END PGP SIGNATURE-----

From kaber at trash.net Fri Feb 9 18:03:51 2007
From: kaber at trash.net (Patrick McHardy)
Date: Fri Feb 9 18:03:57 2007
Subject: [LARTC] Opinions about pom/patches [was: iptables 1.3.7, kernel 2.6.19, ROUTE and Layer7 issues]
In-Reply-To:
References: <54905.84.123.236.132.1165866276.squirrel@www.arcoscom.com> <57631.195.55.244.106.1165911878.squirrel@www.arcoscom.com> <457E6997.1050001@trash.net> <36479.195.55.244.106.1165998665.squirrel@www.arcoscom.com> <457FBBFD.6060009@trash.net> <45A48087.8090200@trash.net> <54696.195.55.244.106.1168435275.squirrel@www.arcoscom.com> <1169746884.4253.51.camel@andybev.localdomain> <45C005EB.1040704@netfilter.org> <1171028254.4244.26.camel@andybev.localdomain>
Message-ID: <45CCA977.9080704@trash.net>

Krzysztof Oledzki wrote:
> Getting back to the question: generally I have no objection for
> forwarding connlimit to the mainline but I believe we should first
> investigate a possibility to add support for other protocols than TCP.
> AFAIK at least UDP support could be very useful - p2p software
> generates not only a lot of tcp connections but also udp flows and main
> job for this extension is to prevent conntrack database overflows.

Feel free to post a version you consider suitable for merging (without all the version ifdefs, only nf_conntrack support, etc). I had a quick look at the current version and it seems to maintain some internal hash of connections, IIRC that has not always been the case. In case that change is from you please add a short description. And it should probably support all protocols.
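Stepping back to the tc filters posted earlier in this thread (the "match acks the hard way" u32 filter in the htbinit script, and the port 20022 / ICMP filters in Bob's script): the following is an added example, not code from anyone on this list, modelling cls_u32 fixed-offset matching in Python and running those filters over constructed packets so you can see exactly what each one selects (for instance, the 0xffc0 mask on total length matches anything shorter than 64 bytes, not just 0x34). Assumed: the 'ip sport/dport' shorthands use fixed offsets 20 and 22 like tc's own expansion, nexthdr-relative offsets are not modelled, and all packets and addresses are constructed sample data.

```python
import struct

# Model of cls_u32 fixed-offset matching (a simplification, not the kernel code):
# a selector is a list of keys (size_in_bytes, value, mask, offset); a packet
# matches when, for every key, the big-endian field read at `offset` from the
# start of the IP header, ANDed with `mask`, equals `value & mask`.
def u32_match(packet: bytes, keys) -> bool:
    for size, value, mask, offset in keys:
        if offset + size > len(packet):
            return False                    # a short packet cannot match the key
        field = int.from_bytes(packet[offset:offset + size], "big")
        if field & mask != value & mask:
            return False
    return True

# 'match ip ...' shorthands as fixed offsets into an IPv4 header. As with tc's
# own 'ip sport/dport', this silently assumes a 20-byte header (no IP options).
def ip_protocol(proto):   return (1, proto, 0xff, 9)
def ip_sport(port, mask): return (2, port, mask, 20)
def ip_dport(port, mask): return (2, port, mask, 22)

# Filters transcribed from the thread.
# htbinit "match acks the hard way": TCP, IHL == 5, total length < 64
# (0xffc0 keeps only the high bits, so this is "< 64", not "== 0x34"),
# and the TCP flags byte (offset 33 = 20 IP + 13 TCP) exactly ACK.
ACK_KEYS = [ip_protocol(6), (1, 0x05, 0x0f, 0),
            (2, 0x0000, 0xffc0, 2), (1, 0x10, 0xff, 33)]
SSH_SPORT = [ip_sport(20022, 0xffff)]
SSH_DPORT = [ip_dport(20022, 0xffff)]
ICMP_KEYS = [ip_protocol(1)]

# Bob's filter list for his 1: HTB tree as (prio, keys, flowid); lower prio wins.
BOB_FILTERS = [(0, ICMP_KEYS, "1:10"), (1, SSH_SPORT, "1:11"), (1, SSH_DPORT, "1:11")]

def classify(packet, filters, default):
    """First matching filter in priority order decides the class, else the qdisc default."""
    for _prio, keys, flowid in sorted(filters, key=lambda f: f[0]):
        if u32_match(packet, keys):
            return flowid
    return default

def build_ipv4(proto, payload, ihl=5, tos=0):
    """Constructed IPv4 header + payload; TEST-NET addresses, checksum left zero."""
    options = b"\x00" * (4 * (ihl - 5))      # padding stands in for real IP options
    total_len = 4 * ihl + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, tos, total_len, 0, 0, 64, proto, 0,
                      bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return hdr + options + payload

def build_tcp(sport, dport, flags, options=b"", payload=b""):
    """Constructed TCP header; data offset grows with options, checksum left zero."""
    doff = 5 + len(options) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, doff << 4, flags, 8192, 0, 0)
    return hdr + options + payload

ACK, PSH = 0x10, 0x08

def sample_packets():
    """Constructed packets exercising each filter; the name says what is being probed."""
    return {
        "ack_40":    build_ipv4(6, build_tcp(80, 40000, ACK)),                      # bare ACK, no options
        "ack_52":    build_ipv4(6, build_tcp(80, 40000, ACK, options=b"\x01" * 12)),  # the 0x34 case
        "ack_data":  build_ipv4(6, build_tcp(80, 40000, ACK, payload=b"x" * 30)),   # 70 bytes total
        "pshack_40": build_ipv4(6, build_tcp(80, 40000, ACK | PSH)),                # flags != pure ACK
        "ack_opts":  build_ipv4(6, build_tcp(80, 40000, ACK), ihl=6),               # IP options present
        "ssh_from":  build_ipv4(6, build_tcp(20022, 51000, ACK | PSH, payload=b"d" * 100)),
        "ssh_to":    build_ipv4(6, build_tcp(51000, 20022, ACK | PSH, payload=b"d" * 100)),
        "icmp":      build_ipv4(1, bytes([8, 0, 0, 0, 0, 1, 0, 1]) + b"p" * 56),    # echo request
    }

def ack_matches():
    """Which constructed packets the htbinit ACK filter would send to 2:11."""
    return {name: u32_match(p, ACK_KEYS) for name, p in sample_packets().items()}

def bob_classes():
    """Class each constructed packet lands in under Bob's filters (htb default 11)."""
    return {name: classify(p, BOB_FILTERS, "1:11") for name, p in sample_packets().items()}

if __name__ == "__main__":
    classes = bob_classes()
    for name, hit in ack_matches().items():
        print(f"{name:10s} ack-filter={str(hit):5s} bob-class={classes[name]}")
```

The `ack_opts` row shows why the IHL check matters: with IP options present, offset 33 no longer points at the TCP flags, so the filter correctly refuses rather than matching garbage.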
From andy at andybev.com Fri Feb 9 18:30:28 2007
From: andy at andybev.com (Andrew Beverley)
Date: Fri Feb 9 18:30:43 2007
Subject: [LARTC] Opinions about pom/patches [was: iptables 1.3.7, kernel 2.6.19, ROUTE and Layer7 issues]
In-Reply-To:
References: <54905.84.123.236.132.1165866276.squirrel@www.arcoscom.com> <57631.195.55.244.106.1165911878.squirrel@www.arcoscom.com> <457E6997.1050001@trash.net> <36479.195.55.244.106.1165998665.squirrel@www.arcoscom.com> <457FBBFD.6060009@trash.net> <45A48087.8090200@trash.net> <54696.195.55.244.106.1168435275.squirrel@www.arcoscom.com> <1169746884.4253.51.camel@andybev.localdomain> <45C005EB.1040704@netfilter.org> <1171028254.4244.26.camel@andybev.localdomain>
Message-ID: <1171042229.4244.50.camel@andybev.localdomain>

> >>> I would also like to see as many of the POM included in the stable
> >>> kernel. It's a bit of a headache to patch in what I want each time I
> >>> update the kernel, and on a fresh system I have to install CURL just to
> >>> update POM just to add connlimit to the kernel...
> >>
> >> IMHO, patching kernels to add some certain shiny-feature(TM) is
> >> generally a bad idea if you don't know how the patch internally works or
> >> if you can't directly get support from the author of such patch.
> >
> > Yes, agreed. I was more thinking of those that (look like) they have
> > been stable for a few years.
> >
> >> Anyway, if you think that some certain patch is stable enough to push it
> >> forward to mainline, encourage the author to push it forward. Probably
> >> there is a reason why he decided not to do that.
> >
> > Okay, I've emailed the author (of connlimit) but not received a reply. I
> > did ask him a while ago on the same subject but didn't really get a
> > reason as to why it is not. Anybody have any ideas?
> >
> > In this case can *I* push it forward to the stable kernel?
>
> Please excuse me - I have been _extremely_ busy for the last three weeks.
No please accept my apologies - I was a bit impatient.

> Getting back to the question: generally I have no objection for forwarding
> connlimit to the mainline but I believe we should first investigate a
> possibility to add support for other protocols than TCP. AFAIK at least UDP
> support could be very useful - p2p software generates not only a lot of
> tcp connections but also udp flows and main job for this extension is to
> prevent conntrack database overflows.

Very interesting. I had exactly the same thoughts myself, and have actually already created a patch for hashlimit which matches on the number of UDP 'connections'. Of course, the problem with UDP is that there are no connections as such to count, which is why I chose to patch hashlimit rather than connlimit. Hashlimit (as I am sure you are aware) keeps a table of recent data flows which die after a set time, making it easier to count UDP flows. I'm not sure how easy this would be to achieve with connlimit.

I was planning on sending the patch to hashlimit's author, if nothing else just to get feedback on it, as it is the first kernel hacking I have done. Maybe I should post it to the netfilter-devel list instead, or am I using the wrong tool for the wrong job?

Regards,

Andy Beverley

From jim+lartc at jimlawson.org Sat Feb 10 01:29:37 2007
From: jim+lartc at jimlawson.org (Jim Lawson)
Date: Sat Feb 10 01:29:58 2007
Subject: [LARTC] need help with tc filters
In-Reply-To: <45CC0376.40109@nleaudio.com>
References: <45CBE20C.4080106@jimlawson.org> <45CC0376.40109@nleaudio.com>
Message-ID: <45CD11F1.4030006@jimlawson.org>

Hi Bob,

Thanks, those filters that you sent do work. So, any tips? Is the "prio" qdisc superfluous if I am already using htb? What was it about my filters that didn't work?

I will fiddle with this a bit... this helps a lot.
Jim

Bob Puff@NLE wrote:
> Hi Jim,
>
> Try something a little more simple:
>
> tc qdisc del dev $IF root
> tc qdisc add dev $IF root handle 1: htb default 11
> tc class add dev $IF parent 1: classid 1:1 htb rate 384kbit
> tc class add dev $IF parent 1:1 classid 1:10 htb prio 0 rate 384kbit burst 3k
> tc class add dev $IF parent 1:1 classid 1:11 htb prio 3 rate 384kbit
>
> # "bulk" ssh on port 20022 goes to 1:11: (low priority)
> tc filter add dev $IF parent 1:0 protocol ip prio 1 u32 \
>     match ip sport 20022 0xffff flowid 1:11
> tc filter add dev $IF parent 1:0 protocol ip prio 1 u32 \
>     match ip dport 20022 0xffff flowid 1:11
>
> # ICMP goes fast:
> tc filter add dev $IF parent 1:0 protocol ip prio 0 u32 \
>     match ip protocol 1 0xff flowid 1:10
>
> Some minor changes in numbers there. Class 1:10 is fast, 1:11 is bulk.
>
> Bob
>
>
> Jim Lawson wrote:
>
>
>> Hi,
>>
>> I am attempting to set up some simple outbound shaping following the
>> LARTC HOWTO.
>>
>> The HTB qdisc seems to work as the documentation says, but my filters
>> don't seem to be working. All of the packets go to the default queue
>> regardless of what filters I set, it seems. (according to tc -s qdisc
>> show)
>>
>> I am trying to get this working on my openwrt box (whiterussian rc6),
>> but when testing it on my Debian etch box for comparison, I see the same
>> behavior.
>>
>> I'm hoping someone can point out what I'm doing wrong with the filters...
>>
>> FYI: "vlan1" is the outbound interface of my wrt54g.
>>
>> Script follows:
>>
>> IF=vlan1
>>
>> insmod cls_u32
>> insmod sch_htb
>> insmod sch_prio
>> insmod sch_sfq
>>
>> #
>> # qdisc/class tree
>>
>>
>> #    1:         root (HTB) qdisc
>> #    |
>> #    1:10       class rate 384000bit
>> #    |
>> #    10:        prio qdisc
>> #   / | \
>> # 10:1 | 10:3
>> #  |  10:2 |
>> # 101: |   |    sfq
>> #     102: |    sfq
>> #         103:  sfq
>>
>>
>> tc qdisc del dev $IF root
>>
>> tc qdisc add dev $IF root handle 1: htb default 10
>>
>> tc class add dev $IF parent 1: classid 1:10 htb rate 384kbit burst 3k
>>
>> # This automatically creates 10:1, 10:2, 10:3
>> tc qdisc add dev $IF parent 1:10 handle 10: prio
>>
>> # Add sfq qdisc to each of the priority classes
>>
>> tc qdisc add dev $IF parent 10:1 handle 101: sfq
>>
>> tc qdisc add dev $IF parent 10:2 handle 102: sfq
>>
>> tc qdisc add dev $IF parent 10:3 handle 103: sfq
>>
>> # "bulk" ssh on port 20022 goes to 103: (low priority)
>> tc filter add dev $IF parent 1:0 protocol ip prio 1 u32 \
>>     match ip sport 20022 0xffff flowid 103:
>> tc filter add dev $IF parent 1:0 protocol ip prio 1 u32 \
>>     match ip dport 20022 0xffff flowid 103:
>>
>> # ICMP goes fast?
>>
>> tc filter add dev $IF parent 1:0 protocol ip prio 2 u32 \
>>     match ip protocol 1 0xff flowid 101:
>>
>>
>>
>> _______________________________________________
>> LARTC mailing list
>> LARTC@mailman.ds9a.nl
>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>>
>>

From tkb at anroet.com Sat Feb 10 02:08:14 2007
From: tkb at anroet.com (tkb2766)
Date: Sat Feb 10 02:08:37 2007
Subject: [LARTC] Problems with HTB. Help!
In-Reply-To: <1171026042.4244.12.camel@andybev.localdomain>
Message-ID: <000801c74caf$f122dc90$8cc8a8c0@anroet.com>

> -----Original Message-----
> From: Andrew Beverley [mailto:andy@andybev.com]
> Sent: Saturday, 10 February 2007 0:01
> To: tkb2766
> Cc: 'LARTC'
> Subject: RE: [LARTC] Problems with HTB. Help!
>
>
> I see the problem. You're using a default of 13 so all unclassified
> traffic goes to classid 13. All traffic from and to 192.168.200.163
> falls into this category, and is therefore limited to 30 kbit.
>
> I suggest changing your default to 10, removing the U32 rules to match
> all the other hosts, and using -j CLASSIFY --set-class 2:13 on your
> iptables rule (the current one based on MARK isn't used at the minute
> anyway because there is no tc filter for it).
>
> Hope this helps,
>
> Andy Beverley
>

Could it be too that Kernel 2.6.19-2 I recently upgraded to might have a problem???

From cemeyer2 at uiuc.edu Sat Feb 10 03:01:07 2007
From: cemeyer2 at uiuc.edu (Charlie Meyer)
Date: Sat Feb 10 03:01:40 2007
Subject: [LARTC] trouble https multiple uplinks... how?
In-Reply-To:
References:
Message-ID: <5B8B3D66554D0246BF6D224D9E8169E0022AF385@snshbea106.4smartphone.snx>

I ran into this issue too. What I did for IM clients was run the dante socks server and had my lan clients configured to use the proxy server to connect. As for ssl, try marking every packet as it comes in and reroute it out over the same interface it came in on; that way the sessions will stay persistent over a single interface.

-charlie

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Denny Zulfikar
Sent: Friday, February 09, 2007 1:15 AM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] trouble https multiple uplinks... how?

hello,

my name is Denny. I am new in this list. I am trying to use multiple uplinks as described in the lartc documentation (http://lartc.org/howto/lartc.rpdb.multiple-links.html) with squid transparent proxy in my gateway server.

let me draw the configuration :

                /-----------------
 -----DSL1-----|                  \
               |Transparent proxy  |----Local network
 -----DSL2-----|                  /
                \-----------------

IP DSL1 : 172.17.1.2/30
IP DSL2 : 172.18.1.2/30
IP eth1(DSL1) : 172.17.1.1/30
IP eth2(DSL2) : 172.18.1.1/30
Local network : 10.14.1.0/24

each DSL link's rate is 384 kbps downlink and 128 kbps uplink.
my ip route setting :
------------
ip route add equalize scope global \
    nexthop via 172.17.1.2 dev eth1 weight 1 \
    nexthop via 172.18.1.2 dev eth2 weight 1
------------

my iptables setting :
------------
# proxy redirect
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128

# postrouting
iptables -t nat -A POSTROUTING -j SNAT -o eth1 --to-source 172.17.1.1
iptables -t nat -A POSTROUTING -j SNAT -o eth2 --to-source 172.18.1.1
------------

squid config :
------------
visible_hostname my_isp.net
icp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
cache_mem 512 MB
cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF
cache_dir ufs /cache 6000 14 256
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 10.14.1.0/255.255.255.0
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow localhost
http_access allow localnet
http_access allow manager localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
cache_mgr cache-me
cache_effective_user squid
cache_effective_group squid
logfile_rotate 0
log_icp_queries off
buffered_logs on
half_closed_clients off
maximum_object_size 2048 KB
------------

All configuration works. I can browse most websites. But I have another problem when implementing this multiple uplinks method.

1. Messenger tools like YM will disconnect and try to reconnect every 3-5 minutes. It always happens.
2. HTTPS for hotmail/msn always errors. "The connection was reset" always appears in mozilla firefox.
but, it never happens with yahoo-mail and gmail (https). 3. MSN messenger never connect successfully. All these problem never happens when I used conventional routing with only one gateway. After search articles in internet, I am trying to mark each connection for MSN messenger via only one gateway. this is my solve using iptables : ---------- iptables -t mangle -A PREROUTING -p tcp --dport 443 -j MARK --set-mark 0x10 iptables -t mangle -A PREROUTING -p tcp --dport 1863:1864 -j MARK --set-mark 0x10 iptables -t nat -A POSTROUTING -m mark --mark 0x10 -j SNAT -o eth1 --to-source 172.17.1.2 ---------- It works!! My MSN messenger is able to connect now. but always disconnect every 3-5 minutes. The same way I try to fix my YM problem. I trying to mark YM port and postrouting the traffic to eth1. but, it's not solve my problem. YM always connect/disconnect every 5 minutes. (problem number 1) Another problem, why MSN/Hotmail webmail always refuse my connection? (problem number 2) Maybe somebody have idea how to solve this problem? I feel will give up soon... :( thanks alot for your information and helps.. :) best regards, Denny Zulfikar _______________________________________________ LARTC mailing list LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc From andy at andybev.com Sat Feb 10 09:16:46 2007 From: andy at andybev.com (Andrew Beverley) Date: Sat Feb 10 09:17:06 2007 Subject: [LARTC] Problems with HTB. Help! In-Reply-To: <026001c74ca3$22135120$8cc8a8c0@anroet.com> References: <026001c74ca3$22135120$8cc8a8c0@anroet.com> Message-ID: <1171095406.4439.9.camel@andybev.localdomain> On Sat, 2007-02-10 at 10:36 +1100, tkb2766 wrote: > > -----Original Message----- > > From: Andrew Beverley [mailto:andy@andybev.com] > > Sent: Saturday, 10 February 2007 0:01 > > To: tkb2766 > > Cc: 'LARTC' > > Subject: RE: [LARTC] Problems with HTB. Help! > > > > I see the problem. You're using a default of 13 so all unclassified > > traffic goes to classid 13. 
All traffic from and to 192.168.200.163 > > falls into this category, and is therefore limited to 30 kbit. > > > > I suggest changing your default to 10, removing the U32 rules to match > > all the other hosts, and using -j CLASSIFY --set-class 2:13 on your > > iptables rule (the current one based on MARK isn't used at the minute > > anyway because there is no tc filter for it). > > > > Hope this helps, > > > > Andy Beverley > > > > I've already tried what you suggest and it did not work. Can you send your modified rules then that you say still 'did not work'? Your scripts as previously sent would definitely show the behaviour you describe, ie all unmatched traffic (including your p2p machine both ways) rate limited to 30kbit > I also do not have > the capability to use CLASSIFY in IPTABLES - what module provides this > functionalty? Not sure what the module's called, but it's "CLASSIFY target support" in the kernel menuconfig (CONFIG_NETFILTER_XT_TARGET_CLASSIFY in the kernel config file) If you haven't got it just use MARK, but you'll need the extra filter lines for tc. From andy at andybev.com Sat Feb 10 09:18:42 2007 From: andy at andybev.com (Andrew Beverley) Date: Sat Feb 10 09:18:59 2007 Subject: [LARTC] Problems with HTB. Help! In-Reply-To: <000801c74caf$f122dc90$8cc8a8c0@anroet.com> References: <000801c74caf$f122dc90$8cc8a8c0@anroet.com> Message-ID: <1171095522.4439.11.camel@andybev.localdomain> On Sat, 2007-02-10 at 12:08 +1100, tkb2766 wrote: > > -----Original Message----- > > From: Andrew Beverley [mailto:andy@andybev.com] > > Sent: Saturday, 10 February 2007 0:01 > > To: tkb2766 > > Cc: 'LARTC' > > Subject: RE: [LARTC] Problems with HTB. Help! > > > > > > I see the problem. You're using a default of 13 so all unclassified > > traffic goes to classid 13. All traffic from and to 192.168.200.163 > > falls into this category, and is therefore limited to 30 kbit. 
> >
> > I suggest changing your default to 10, removing the U32 rules to match
> > all the other hosts, and using -j CLASSIFY --set-class 2:13 on your
> > iptables rule (the current one based on MARK isn't used at the minute
> > anyway because there is no tc filter for it).
> >
> > Hope this helps,
> >
> > Andy Beverley
> >
>
> Could it be too that Kernel 2.6.19-2 I recently upgraded to might have a
> problem???

No I doubt it. Like I said in the previous post, the rules that you sent
would show the behaviour described, with a correctly functioning system

From andy at andybev.com Sat Feb 10 11:00:59 2007
From: andy at andybev.com (Andrew Beverley)
Date: Sat Feb 10 11:01:12 2007
Subject: [LARTC] need help with tc filters
In-Reply-To: <45CD11F1.4030006@jimlawson.org>
References: <45CBE20C.4080106@jimlawson.org> <45CC0376.40109@nleaudio.com> <45CD11F1.4030006@jimlawson.org>
Message-ID: <1171101659.4439.15.camel@andybev.localdomain>

> Thanks, those filters that you sent do work. So, any tips? Is the
> "prio" qdisc superfluous if I am already using htb?

No, prio is used by HTB to decide how it should divide up any spare
bandwidth. See the HTB documentation at:

http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm#prio

> What was it about
> my filters that didn't work?

Not sure. I think what Bob says is the best - start simple and gradually
work to what you want testing as you go...

From andy at andybev.com Sat Feb 10 13:03:38 2007
From: andy at andybev.com (Andrew Beverley)
Date: Sat Feb 10 13:03:52 2007
Subject: [LARTC] Problems with HTB. Help!
In-Reply-To: <008001c74d06$db0b4580$8cc8a8c0@anroet.com>
References: <008001c74d06$db0b4580$8cc8a8c0@anroet.com>
Message-ID: <1171109019.4439.23.camel@andybev.localdomain>

> >
> > Can you send your modified rules then that you say still 'did
> > not work'?
>
> Below is how I now have it:
> =====================================================================
> #!/bin/bash
>
> # Whole purpose of this is to slow the P2P server down!
>
> ###################################
> # Reset everything to known state #
> ###################################
> tc qdisc del dev eth0 root
> tc qdisc del dev eth1 root
>
> ####################
> # Setup the links  #
> ####################
> tc qdisc add dev eth0 parent root handle 1: htb default 10
> tc qdisc add dev eth1 parent root handle 2: htb default 10
>
> ###########################
> # Setup the root classes  #
> ###########################
> tc class add dev eth1 parent 2: classid 2:1 htb rate 384kbit ceil 384kbit
>
> ###########################
> # Setup the child classes #
> ###########################
> tc class add dev eth0 parent 1:1 classid 1:10 htb rate 10mbit ceil 10mbit prio 0
> tc class add dev eth1 parent 2:1 classid 2:10 htb rate 224kbit ceil 384kbit prio 0
> tc class add dev eth1 parent 2:1 classid 2:11 htb rate 100kbit ceil 100kbit prio 1
> tc class add dev eth1 parent 2:1 classid 2:12 htb rate 60kbit ceil 60kbit prio 2
>
> #####################
> # Setup the filters #
> #####################
> # match acks the hard way,
> # IP protocol 6,
> # IP header length 0x5(32 bit words),
> # IP Total length 0x34 (ACK + 12 bytes of TCP options)
> # TCP ack set (bit 5, offset 33)
> ACK="tc filter add dev eth1 protocol ip parent 2:0 prio 1 u32"
> $ACK match ip protocol 6 0xff \
>      match u8 0x05 0x0f at 0 \
>      match u16 0x0000 0xffc0 at 2 \
>      match u8 0x10 0xff at 33 \
>      flowid 2:11
> U32="tc filter add dev eth1 protocol ip parent 2:0 prio 1 u32"
> $U32 match ip src 192.168.200.163 match ip sport 6881 0xffff flowid 2:12

I couldn't get this line to work either - maybe someone else can help as
I've never used u32 myself. However, replacing it with:

iptables -t mangle -A FORWARD -o eth1 --source 10.0.14.250 -p tcp \
    --sport 6881 -j CLASSIFY --set-class 2:12

seems to do the trick.

You'll need to change tcp to udp if it's UDP that you want to match
rather than TCP.
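The u32 clauses in the quoted ACK filter are easier to reason about when run against real bytes. The following is an added example (not code from the thread or from tc): it reimplements the u32 comparison tc performs, encodes the quoted ACK filter and the `src`/`sport` filter as (size, value, mask, offset) clauses, and classifies constructed IPv4/TCP packets the way the script's prio-1 filters would. The packet builder, the sample addresses and the `classify` helper are constructed for the example; the offsets follow how tc compiles `match ip protocol`, `match ip src` and `match ip sport` (the last one to a fixed offset 20, so it assumes a 20-byte IP header, which is why the fourth case below falls through to the default class).

```python
import struct


def u32_match(pkt, size, value, mask, offset):
    """True if the `size`-byte big-endian field at `offset` equals `value` under `mask`."""
    if offset + size > len(pkt):
        return False
    field = int.from_bytes(pkt[offset:offset + size], "big")
    return (field & mask) == (value & mask)


def filter_matches(pkt, matches):
    """A u32 filter with several `match` clauses matches only if every clause does."""
    return all(u32_match(pkt, *m) for m in matches)


# The ACK filter from the quoted script, clause by clause.
ACK_FILTER = [
    (1, 6, 0xff, 9),         # match ip protocol 6 0xff      -> protocol byte is TCP
    (1, 0x05, 0x0f, 0),      # match u8 0x05 0x0f at 0       -> IHL == 5 (20-byte IP header)
    (2, 0x0000, 0xffc0, 2),  # match u16 0x0000 0xffc0 at 2  -> total length < 64 bytes
    (1, 0x10, 0xff, 33),     # match u8 0x10 0xff at 33      -> TCP flags byte is exactly ACK
]

# tc compiles `match ip src A.B.C.D` to a 32-bit match at offset 12 and
# `match ip sport N 0xffff` to a 16-bit match at offset 20 (assumes IHL == 5).
SRC_P2P = int.from_bytes(bytes([192, 168, 200, 163]), "big")
P2P_FILTER = [
    (4, SRC_P2P, 0xffffffff, 12),
    (2, 6881, 0xffff, 20),
]


def classify(pkt):
    """Walk the two prio-1 filters in insertion order, then fall back to HTB's default 10."""
    if filter_matches(pkt, ACK_FILTER):
        return "2:11"
    if filter_matches(pkt, P2P_FILTER):
        return "2:12"
    return "2:10"


def build_ipv4_tcp(payload_len=0, flags=0x10, sport=40000, dport=6881, proto=6,
                   src=(192, 168, 200, 163), tcp_opts=b"", ip_opts=b""):
    """Constructed sample packet: IPv4 header (+options) and TCP header (+options)."""
    ihl = 5 + len(ip_opts) // 4
    tcp_hdr_len = 20 + len(tcp_opts)
    total_len = ihl * 4 + tcp_hdr_len + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0x1234, 0x4000,
                     64, proto, 0, bytes(src), bytes([10, 0, 14, 1])) + ip_opts
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, (tcp_hdr_len // 4) << 4,
                      flags, 65535, 0, 0) + tcp_opts
    return ip + tcp + b"\x00" * payload_len


# NOP, NOP, timestamp option: the 12 option bytes the script's comment refers to.
TS_OPTS = b"\x01\x01\x08\x0a" + b"\x00" * 8

if __name__ == "__main__":
    print(classify(build_ipv4_tcp(tcp_opts=TS_OPTS)))                            # 2:11
    print(classify(build_ipv4_tcp(sport=6881, flags=0x18, payload_len=1400)))     # 2:12
    print(classify(build_ipv4_tcp(proto=17)))                                     # 2:10
    # same P2P segment, but with 4 bytes of IP options: sport is read from the wrong offset
    print(classify(build_ipv4_tcp(sport=6881, flags=0x18, payload_len=1400,
                                  ip_opts=b"\x01" * 4)))                          # 2:10
```

The third clause of the ACK filter deserves a look: the mask 0xffc0 on the total-length field does not pin the length to 0x34 as the comment says, it accepts any datagram shorter than 64 bytes, which is what makes the filter catch pure ACKs with or without TCP options.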
From tkb at anroet.com Sat Feb 10 13:19:30 2007 From: tkb at anroet.com (tkb2766) Date: Sat Feb 10 13:19:48 2007 Subject: [LARTC] Problems with HTB. Help! In-Reply-To: <1171109019.4439.23.camel@andybev.localdomain> Message-ID: <008201c74d0d$b6e7d9f0$8cc8a8c0@anroet.com> > -----Original Message----- > From: Andrew Beverley [mailto:andy@andybev.com] > Sent: Saturday, 10 February 2007 23:04 > To: tkb2766 > Cc: 'LARTC' > Subject: RE: [LARTC] Problems with HTB. Help! > > > iptables -t mangle -A FORWARD -o eth1 --source 10.0.14.250 -p tcp \ > --sport 6881 -j CLASSIFY --set-class 2:12 > > seems to do the trick. > > You'll need to change tcp to udp if it's UDP that you want to match > rather than TCP. > I tried using the CLASSIFY target in IPTABLES, but it errors out with the following: ************* iptables v1.2.8: Unknown arg `--set-class' Try `iptables -h' or 'iptables --help' for more information. ************* Do I need to installer a later version of IPTABLES? Cheers, tkb. From andy at andybev.com Sat Feb 10 13:27:16 2007 From: andy at andybev.com (Andrew Beverley) Date: Sat Feb 10 13:27:26 2007 Subject: [LARTC] Problems with HTB. Help! In-Reply-To: <008201c74d0d$b6e7d9f0$8cc8a8c0@anroet.com> References: <008201c74d0d$b6e7d9f0$8cc8a8c0@anroet.com> Message-ID: <1171110436.4439.27.camel@andybev.localdomain> > > > > > > iptables -t mangle -A FORWARD -o eth1 --source 10.0.14.250 -p tcp \ > > --sport 6881 -j CLASSIFY --set-class 2:12 > > > > seems to do the trick. > > > > You'll need to change tcp to udp if it's UDP that you want to match > > rather than TCP. > > > > I tried using the CLASSIFY target in IPTABLES, but it errors out with the > following: > ************* > iptables v1.2.8: Unknown arg `--set-class' > Try `iptables -h' or 'iptables --help' for more information. > ************* > > Do I need to installer a later version of IPTABLES? Hmmm not sure. 
No harm in upgrading I guess - I use 1.3.6 ftp://ftp.netfilter.org/pub/iptables/iptables-1.3.6.tar.bz2 From brian at interlinx.bc.ca Sat Feb 10 14:29:42 2007 From: brian at interlinx.bc.ca (Brian J. Murrell) Date: Sat Feb 10 14:29:49 2007 Subject: [LARTC] mutliple default routes, rp_filter and martians Message-ID: <1171114182.7941.135.camel@pc.ilinx> I have a theory on the cause of a problem but it is still only a theory. I wonder if anyone here can confirm. I have a multi-isp configuration with a multi-path default route to each ISP, equally weighted. I am seeing, periodically, traffic dropped due to martian detection and errors logged on inbound traffic, but at other times, that same exact traffic will be allowed, no errors. My supposition is this: If I use "ip route get " for the source address that rp_filter is dropping traffic from I can see that it's reporting that traffic to that address would use the alternate ISP interface from the one it's being received on (and logged as a martian and dropped). If I continue to use ip get route on that address eventually it will report the interface that the traffic is being received on -- that would be the balancing feature of the multiple paths. I believe that during these times when ip route get is reporting the alternate interface, the kernel would also log inbound packets from that address as martians. Is this the case? To further confirm my supposition, while my gateway is dropping packets and logging them as martians, I can install a route specifically for that source pointing to the interface that they are being received on and the dropping/martian logging stops and the traffic is received. So to summarize it seems that when doing the rp_filter tests, the kernel only uses the "current default" route and not all available default routes when determining the reverse path. Is this true? Thanx, b. -- My other computer is your Microsoft Windows server. Brian J. 
Murrell -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20070210/702d2bc7/attachment.pgp From andy at andybev.com Sat Feb 10 14:32:55 2007 From: andy at andybev.com (Andrew Beverley) Date: Sat Feb 10 14:33:03 2007 Subject: [LARTC] Problems with HTB. Help! In-Reply-To: <008801c74d16$5e1df7b0$8cc8a8c0@anroet.com> References: <008801c74d16$5e1df7b0$8cc8a8c0@anroet.com> Message-ID: <1171114375.4439.31.camel@andybev.localdomain> On Sun, 2007-02-11 at 00:21 +1100, tkb2766 wrote: > > -----Original Message----- > > From: Andrew Beverley [mailto:andy@andybev.com] > > Sent: Saturday, 10 February 2007 23:27 > > To: tkb2766 > > Cc: 'LARTC' > > Subject: RE: [LARTC] Problems with HTB. Help! > > > > > > Hmmm not sure. No harm in upgrading I guess - I use 1.3.6 > > > > ftp://ftp.netfilter.org/pub/iptables/iptables-1.3.6.tar.bz2 > > > > > > I went one version higher (1.3.7) and now all seems to be well with the > CLASSIFY target. > > However, why my HTB script isn't working still puzzles me and I'll keep at > it until I figure out why. I suggest you temporarily change the CLASSIFY to a LOG. This will confirm that you're matching packets as you expect. Look at the kernel log file to check you're capturing as expected once you've made the change. > It could still be a kernel issue as there is > mention of compilation issues with kernel 2.6.19 at: > http://www.netfilter.org/news.html#2006-12-04 - see comment on 2006-Dec-04. I still doubt it's a kernel issue to be honest. From alejandro_aero at yahoo.es Sun Feb 11 13:01:45 2007 From: alejandro_aero at yahoo.es (Alejandro Lorenzo Gallego) Date: Sun Feb 11 13:02:21 2007 Subject: [LARTC] Is ESFQ working? Message-ID: <200702111301.51685.alejandro_aero@yahoo.es> Hi there, i am trying to shape a network for a college dorms... 
INTERNET---- ETH0--------Nat Box-------ETH1--------LAN I have set up classes of traffic (HTTP, FTP, MAIL, IM, OTHER) and i have assigned a rate for everyone with a HTB qdisc. The limit based in traffic is working flawlessly. However, under every HTB class i have set up a ESFQ queue discipline with hash value set to 'dst' int eth1 to control the rate of download of every user, but it appears to do nothing. and in eth0 there is a prio handler According to documentation, every user should get a fair amount of bandwidth but currently, users with some kind of download accelerator gets a higher amount of bandwidth Is ESFQ working right for someone? ?Should i go for imq for this kind of shaping? -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20070211/f6e31e68/attachment.pgp From chilek at chilan.com Sun Feb 11 13:28:33 2007 From: chilek at chilan.com (Tomasz Chilinski) Date: Sun Feb 11 13:28:39 2007 Subject: [LARTC] Is ESFQ working? In-Reply-To: <200702111301.51685.alejandro_aero@yahoo.es> References: <200702111301.51685.alejandro_aero@yahoo.es> Message-ID: <20070211122440.M20772@chilan.com> On Sun, 11 Feb 2007 13:01:45 +0100, Alejandro Lorenzo Gallego wrote > Hi there, i am trying to shape a network for a college dorms... Hi Alejandro. > INTERNET---- ETH0--------Nat Box-------ETH1--------LAN > > I have set up classes of traffic (HTTP, FTP, MAIL, IM, OTHER) and i > have assigned a rate for everyone with a HTB qdisc. The limit based > in traffic is working flawlessly. > > However, under every HTB class i have set up a ESFQ queue discipline > with hash value set to 'dst' int eth1 to control the rate of > download of every user, but it appears to do nothing. 
> > and in eth0 there is a prio handler > > According to documentation, every user should get a fair amount of > bandwidth but currently, users with some kind of download > accelerator gets a higher amount of bandwidth > > Is ESFQ working right for someone? > > ?Should i go for imq for this kind of shaping? Can you show a snippet of your script here? Bests, Tomasz Chilinski. From alejandro_aero at yahoo.es Sun Feb 11 14:15:49 2007 From: alejandro_aero at yahoo.es (Alejandro Lorenzo Gallego) Date: Sun Feb 11 14:17:05 2007 Subject: [LARTC] Is ESFQ working? In-Reply-To: <20070211122440.M20772@chilan.com> References: <200702111301.51685.alejandro_aero@yahoo.es> <20070211122440.M20772@chilan.com> Message-ID: <200702111415.56822.alejandro_aero@yahoo.es> On Sunday 11 February 2007 13:28:33 Tomasz Chilinski wrote: > On Sun, 11 Feb 2007 13:01:45 +0100, Alejandro Lorenzo Gallego wrote > > > Hi there, i am trying to shape a network for a college dorms... > > Hi Alejandro. > > > INTERNET---- ETH0--------Nat Box-------ETH1--------LAN > > > > I have set up classes of traffic (HTTP, FTP, MAIL, IM, OTHER) and i > > have assigned a rate for everyone with a HTB qdisc. The limit based > > in traffic is working flawlessly. > > > > However, under every HTB class i have set up a ESFQ queue discipline > > with hash value set to 'dst' int eth1 to control the rate of > > download of every user, but it appears to do nothing. > > > > and in eth0 there is a prio handler > > > > According to documentation, every user should get a fair amount of > > bandwidth but currently, users with some kind of download > > accelerator gets a higher amount of bandwidth > > > > Is ESFQ working right for someone? > > > > ?Should i go for imq for this kind of shaping? > > Can you show a snippet of your script here? > > Bests, Tomasz Chilinski. 
There you go:

#!/bin/sh
echo "Borrando todo"
tc qdisc del dev eth1 root
tc qdisc add dev eth1 parent root handle 1: htb default 900
tc class add dev eth1 parent 1: classid 1:1 htb rate 100mbit
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 100mbit
tc class add dev eth1 parent 1:1 classid 1:20 htb rate 2500kbit ceil 4mbit
echo "Clases base creadas"
# To let the proxy class reach the card's full rate, if necessary
echo "clase pal proxy"
tc class add dev eth1 parent 1:20 classid 1:50 htb rate 800kbit ceil 4mbit
echo "Insertando reglas de clases"
tc class add dev eth1 parent 1:20 classid 1:100 htb rate 400kbit ceil 4mbit
tc class add dev eth1 parent 1:20 classid 1:200 htb rate 300kbit ceil 4mbit
tc class add dev eth1 parent 1:20 classid 1:300 htb rate 200kbit ceil 4mbit
tc class add dev eth1 parent 1:20 classid 1:900 htb rate 300kbit ceil 4mbit
tc class add dev eth1 parent 1:20 classid 1:700 htb rate 300kbit
echo "Clases insertadas"
echo "Esfq"
tc-esfq qdisc add dev eth1 parent 1:100 handle 100: esfq hash dst perturb 20
tc-esfq qdisc add dev eth1 parent 1:200 handle 200: esfq hash dst
tc-esfq qdisc add dev eth1 parent 1:300 handle 300: esfq hash dst
tc-esfq qdisc add dev eth1 parent 1:900 handle 900: esfq hash dst
tc-esfq qdisc add dev eth1 parent 1:50 handle 50: esfq hash dst perturb 20 limit 10 depth 20
tc-esfq qdisc add dev eth1 parent 1:10 handle 10: esfq hash dst

#!/bin/sh
IPTABLES="iptables -t mangle"
ANADIR="iptables -t mangle -A POSTROUTING -o eth1"
INSERTAR="iptables -t mangle -I POSTROUTING -o eth1"
echo "Borrando el postrouting de iptables"
$IPTABLES -F POSTROUTING

$ANADIR -p tcp --sport 443 -j CLASSIFY --set-class 1:100
$ANADIR -p tcp --sport 22 -j CLASSIFY --set-class 1:100
$ANADIR -p tcp --sport 53 -j CLASSIFY --set-class 1:100
$ANADIR -p tcp --sport 8080 -j CLASSIFY --set-class 1:100
$ANADIR -p tcp --sport 587 -j CLASSIFY --set-class 1:200
$ANADIR -p tcp --sport 6667 -j CLASSIFY --set-class 1:300
$ANADIR -p tcp --sport 1863 -j CLASSIFY --set-class 1:300
$ANADIR -p tcp --sport 123 -j CLASSIFY --set-class 1:200
$ANADIR -p udp --sport 123 -j CLASSIFY --set-class 1:200
$ANADIR -p tcp --sport 115 -j CLASSIFY --set-class 1:200
$ANADIR -p tcp --sport 69 -j CLASSIFY --set-class 1:200
$ANADIR -p tcp --sport 23 -j CLASSIFY --set-class 1:200
$ANADIR -p tcp --sport 5223 -j CLASSIFY --set-class 1:300
$ANADIR -p tcp --sport 10025 -j CLASSIFY --set-class 1:200
$ANADIR -p tcp --sport 3690 -j CLASSIFY --set-class 1:200
$ANADIR -p tcp --sport 3306 -j CLASSIFY --set-class 1:200
$ANADIR -p tcp --sport 143 -j CLASSIFY --set-class 1:200
$ANADIR -p tcp --sport 995 -j CLASSIFY --set-class 1:200
$ANADIR -p tcp --sport 990 -j CLASSIFY --set-class 1:200
$ANADIR -p tcp --sport 110 -j CLASSIFY --set-class 1:200
$ANADIR -p tcp --sport 993 -j CLASSIFY --set-class 1:200
$ANADIR -p tcp --sport 220 -j CLASSIFY --set-class 1:200
#$ANADIR -d 192.168.20.49 -j CLASSIFY --set-class 1:700

$INSERTAR -s 192.168.0.0/16 -p tcp --sport 3128 -j CLASSIFY --set-class 1:50
$INSERTAR -s 192.168.0.0/16 -d 192.168.0.0/16 -p tcp -j CLASSIFY --set-class 1:10

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20070211/c69e5c5b/attachment.pgp

From chilek at chilan.com Sun Feb 11 15:20:49 2007
From: chilek at chilan.com (Tomasz Chilinski)
Date: Sun Feb 11 15:20:56 2007
Subject: [LARTC] Is ESFQ working?
In-Reply-To: <200702111415.56822.alejandro_aero@yahoo.es>
References: <200702111301.51685.alejandro_aero@yahoo.es> <20070211122440.M20772@chilan.com> <200702111415.56822.alejandro_aero@yahoo.es>
Message-ID: <20070211141806.M34664@chilan.com>

On Sun, 11 Feb 2007 14:15:49 +0100, Alejandro Lorenzo Gallego wrote
> [cut]
>
> $IPTABLES -F POSTROUTING
>
> $ANADIR -p tcp --sport 443 -j CLASSIFY --set-class 1:100
> $ANADIR -p tcp --sport 22 -j CLASSIFY --set-class 1:100
> $ANADIR -p tcp --sport 53 -j CLASSIFY --set-class 1:100
> $ANADIR -p tcp --sport 8080 -j CLASSIFY --set-class 1:100
> $ANADIR -p tcp --sport 587 -j CLASSIFY --set-class 1:200
> $ANADIR -p tcp --sport 6667 -j CLASSIFY --set-class 1:300
> $ANADIR -p tcp --sport 1863 -j CLASSIFY --set-class 1:300
> $ANADIR -p tcp --sport 123 -j CLASSIFY --set-class 1:200
> $ANADIR -p udp --sport 123 -j CLASSIFY --set-class 1:200
> $ANADIR -p tcp --sport 115 -j CLASSIFY --set-class 1:200
> $ANADIR -p tcp --sport 69 -j CLASSIFY --set-class 1:200
> $ANADIR -p tcp --sport 23 -j CLASSIFY --set-class 1:200
> $ANADIR -p tcp --sport 5223 -j CLASSIFY --set-class 1:300
> $ANADIR -p tcp --sport 10025 -j CLASSIFY --set-class 1:200
> $ANADIR -p tcp --sport 3690 -j CLASSIFY --set-class 1:200
> $ANADIR -p tcp --sport 3306 -j CLASSIFY --set-class 1:200
> $ANADIR -p tcp --sport 143 -j CLASSIFY --set-class 1:200
> $ANADIR -p tcp --sport 995 -j CLASSIFY --set-class 1:200
> $ANADIR -p tcp --sport 990 -j CLASSIFY --set-class 1:200
> $ANADIR -p tcp --sport 110 -j CLASSIFY --set-class 1:200
> $ANADIR -p tcp --sport 993 -j CLASSIFY --set-class 1:200
> $ANADIR -p tcp --sport 220 -j CLASSIFY --set-class 1:200
> #$ANADIR -d 192.168.20.49 -j CLASSIFY --set-class 1:700
>
> [cut]

Have u tried to replace CLASSIFY target by MARK target and then using
fw filter? I have got bad experience with CLASSIFY target.

Bests, Tomasz Chilinski.
From alejandro_aero at yahoo.es Sun Feb 11 16:19:54 2007 From: alejandro_aero at yahoo.es (Alejandro Lorenzo Gallego) Date: Sun Feb 11 16:20:21 2007 Subject: [LARTC] Is ESFQ working? In-Reply-To: <20070211141806.M34664@chilan.com> References: <200702111301.51685.alejandro_aero@yahoo.es> <200702111415.56822.alejandro_aero@yahoo.es> <20070211141806.M34664@chilan.com> Message-ID: <200702111620.00689.alejandro_aero@yahoo.es> > > > > [cut] > > Have u tried to replace CLASSIFY target by MARK target and then using > fw filter? I have got bad experience with CLASSIFY target. > Behaviour is identical if i use classify or mark, however, i expected this, because the packets do go to the right classes, it's just it looks that ESFQ is not assuring fairness between users -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20070211/3a982a03/attachment.pgp From chilek at chilan.com Sun Feb 11 16:48:10 2007 From: chilek at chilan.com (Tomasz Chilinski) Date: Sun Feb 11 16:48:15 2007 Subject: [LARTC] Is ESFQ working? In-Reply-To: <200702111620.00689.alejandro_aero@yahoo.es> References: <200702111301.51685.alejandro_aero@yahoo.es> <200702111415.56822.alejandro_aero@yahoo.es> <20070211141806.M34664@chilan.com> <200702111620.00689.alejandro_aero@yahoo.es> Message-ID: <20070211154721.M41804@chilan.com> On Sun, 11 Feb 2007 16:19:54 +0100, Alejandro Lorenzo Gallego wrote > > > > > > [cut] > > > > Have u tried to replace CLASSIFY target by MARK target and then using > > fw filter? I have got bad experience with CLASSIFY target. > > > > Behaviour is identical if i use classify or mark, however, i > expected this, because the packets do go to the right classes, it's > just it looks that ESFQ is not assuring fairness between users Which version of ESFQ? Patch for 2.6.15.1 or 2.6.19.2? Bests, Tomasz Chilinski. 
From alejandro_aero at yahoo.es Sun Feb 11 16:59:55 2007 From: alejandro_aero at yahoo.es (Alejandro Lorenzo Gallego) Date: Sun Feb 11 17:00:29 2007 Subject: [LARTC] Is ESFQ working? In-Reply-To: <20070211154721.M41804@chilan.com> References: <200702111301.51685.alejandro_aero@yahoo.es> <200702111620.00689.alejandro_aero@yahoo.es> <20070211154721.M41804@chilan.com> Message-ID: <200702111700.01608.alejandro_aero@yahoo.es> On Sunday 11 February 2007 16:48:10 Tomasz Chilinski wrote: > On Sun, 11 Feb 2007 16:19:54 +0100, Alejandro Lorenzo Gallego wrote > > > > > [cut] > > > > > > Have u tried to replace CLASSIFY target by MARK target and then using > > > fw filter? I have got bad experience with CLASSIFY target. > > > > Behaviour is identical if i use classify or mark, however, i > > expected this, because the packets do go to the right classes, it's > > just it looks that ESFQ is not assuring fairness between users > > Which version of ESFQ? Patch for 2.6.15.1 or 2.6.19.2? > > Bests, Tomasz Chilinski. > Actually for 2.6.29.2 And i made some progress, using a depth parameter higher than default (800) it behaves better and closer to fairness.... ?Can some explain the exact meaning of limit and depth options? Thank you -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20070211/c19077ac/attachment.pgp From bugfood-ml at fatooh.org Sun Feb 11 20:10:34 2007 From: bugfood-ml at fatooh.org (Corey Hickey) Date: Sun Feb 11 20:10:43 2007 Subject: [LARTC] Is ESFQ working? 
In-Reply-To: <200702111700.01608.alejandro_aero@yahoo.es> References: <200702111301.51685.alejandro_aero@yahoo.es> <200702111620.00689.alejandro_aero@yahoo.es> <20070211154721.M41804@chilan.com> <200702111700.01608.alejandro_aero@yahoo.es> Message-ID: <45CF6A2A.3050009@fatooh.org> Alejandro Lorenzo Gallego wrote: > On Sunday 11 February 2007 16:48:10 Tomasz Chilinski wrote: >> On Sun, 11 Feb 2007 16:19:54 +0100, Alejandro Lorenzo Gallego wrote >> >>>>> [cut] >>>> Have u tried to replace CLASSIFY target by MARK target and then using >>>> fw filter? I have got bad experience with CLASSIFY target. >>> Behaviour is identical if i use classify or mark, however, i >>> expected this, because the packets do go to the right classes, it's >>> just it looks that ESFQ is not assuring fairness between users >> Which version of ESFQ? Patch for 2.6.15.1 or 2.6.19.2? >> >> Bests, Tomasz Chilinski. >> > > Actually for 2.6.29.2 I assume that's a typo and you mean '2.6.19.2'. > And i made some progress, using a depth parameter higher than default (800) it > behaves better and closer to fairness.... The default for depth is only 128. You're hashing by dst, right? On your network, how many destinations will be receiving packets concurrently? In other words, how many of your users will be downloading at the same time? > ?Can some explain the exact meaning of limit and depth options? I am 95% sure of the following, which isn't in the ESFQ documentation yet because I just recently read the relevant paperwork and tried to understand more of the code. 'Limit' is the total number of packets ESFQ will queue before it starts finding packets to drop. ESFQ divides traffic into a number of smaller queues ("slots"), one for each flow. Flows are distinguished based on whatever aspect of the packets is hashed, such as source or destination. 'Depth' is the maximum number of slots. If there are more flows than 'depth', some flows might actually start sharing slots. 
Obviously, this is not good, and fairness will suffer. If there are 'limit' number of packets, ESFQ will simply drop a packet from the slot that has the most packets. This doesn't hurt fairness, since the longest slot will generally correspond to whichever flow has tried to transfer the most packets recently. -Corey From alejandro_aero at yahoo.es Sun Feb 11 22:49:22 2007 From: alejandro_aero at yahoo.es (Alejandro Lorenzo Gallego) Date: Sun Feb 11 22:49:50 2007 Subject: [LARTC] Is ESFQ working? In-Reply-To: <45CF6A2A.3050009@fatooh.org> References: <200702111301.51685.alejandro_aero@yahoo.es> <200702111700.01608.alejandro_aero@yahoo.es> <45CF6A2A.3050009@fatooh.org> Message-ID: <200702112249.29091.alejandro_aero@yahoo.es> On Sunday 11 February 2007 20:10:34 Corey Hickey wrote: > Alejandro Lorenzo Gallego wrote: > > On Sunday 11 February 2007 16:48:10 Tomasz Chilinski wrote: > >> On Sun, 11 Feb 2007 16:19:54 +0100, Alejandro Lorenzo Gallego wrote > >> > >>>>> [cut] > >>>> > >>>> Have u tried to replace CLASSIFY target by MARK target and then using > >>>> fw filter? I have got bad experience with CLASSIFY target. > >>> > >>> Behaviour is identical if i use classify or mark, however, i > >>> expected this, because the packets do go to the right classes, it's > >>> just it looks that ESFQ is not assuring fairness between users > >> > >> Which version of ESFQ? Patch for 2.6.15.1 or 2.6.19.2? > >> > >> Bests, Tomasz Chilinski. > > > > Actually for 2.6.29.2 > > I assume that's a typo and you mean '2.6.19.2'. > Yep, these fat fingers >_< > > And i made some progress, using a depth parameter higher than default > > (800) it behaves better and closer to fairness.... > > The default for depth is only 128. You're hashing by dst, right? On your > network, how many destinations will be receiving packets concurrently? > In other words, how many of your users will be downloading at the same > time? > I know default is 128, i tried 800 to see if it improved fairness, and it did :? 
> > Can someone explain the exact meaning of limit and depth options?
>
> I am 95% sure of the following, which isn't in the ESFQ documentation
> yet because I just recently read the relevant paperwork and tried to
> understand more of the code.
>
> 'Limit' is the total number of packets ESFQ will queue before it starts
> finding packets to drop.
>
> ESFQ divides traffic into a number of smaller queues ("slots"), one for
> each flow. Flows are distinguished based on whatever aspect of the
> packets is hashed, such as source or destination. 'Depth' is the maximum
> number of slots.
>
> If there are more flows than 'depth', some flows might actually start
> sharing slots. Obviously, this is not good, and fairness will suffer.
>
So I only need as many flows as concurrent expected downloaders

> If there are 'limit' number of packets, ESFQ will simply drop a packet
> from the slot that has the most packets. This doesn't hurt fairness,
> since the longest slot will generally correspond to whichever flow has
> tried to transfer the most packets recently.
>
So limit is nearly a free value in what affects fairness

From riomartin at bloomasia.com Mon Feb 12 15:57:22 2007
From: riomartin at bloomasia.com (Rio Martin)
Date: Mon Feb 12 08:59:19 2007
Subject: [LARTC] Equalize traffic within 1 class.
Message-ID: <200702121457.22189.riomartin@bloomasia.com>

Folks,

I need to know how to equalize traffic within 1 class. I have so many bulk users within 1 class and I should equalize traffic to their nodes so they get fair traffic. Is SFQ able to handle this?
Thanks
- Rio.Martin -

From thuleau at gmail.com Mon Feb 12 09:32:49 2007
From: thuleau at gmail.com (Edouard Thuleau)
Date: Mon Feb 12 09:32:56 2007
Subject: [LARTC] IP rate or Ethernet rate ?
Message-ID: <81c11a560702120032w49e39e80vddd7c92fa348586f@mail.gmail.com>

Hi,

Just a question: the rate values used to configure a class, are they an IP rate or an Ethernet rate?

Thanks,
Edouard.

From tomlobato at gmail.com Mon Feb 12 12:34:26 2007
From: tomlobato at gmail.com (Tom Lobato)
Date: Mon Feb 12 12:34:38 2007
Subject: [LARTC] DGD patch not detecting dead gateway
In-Reply-To: <1df4abe60702081107h1479cda3o7836ae3c13109f4e@mail.gmail.com>
References: <45CA6623.8000703@gmail.com> <1df4abe60702081107h1479cda3o7836ae3c13109f4e@mail.gmail.com>
Message-ID: <45D050C2.80904@gmail.com>

Manish Kathuria wrote:
> On 2/8/07, Tom Lobato wrote:
>
>> Thank you for the script. I'm trying it.
>>
>> Well, I made a simple modification and would like to hear opinions.
>> Until now, I just added one more TESTIP, so I'm pinging one IP for
>> each link.
>> Also I'm using the IP instead of the name address, and used the DNS IP of
>> each provider for the ping. I made this because the ping to external
>> sites (yahoo, google) is too slow here, mainly when the link is under
>> heavy load. So I'm afraid it can try the ping without success and
>> "think" the link is down.
>
> I just used a popular external site because it may happen that
> connectivity from your location to the provider's DNS is there but the
> provider's link with the rest of the internet is down so even if you
> get a successful ping reply, the link isn't working in the real sense.

OK, I noted here my DNS server blocks pings (!) so I'm also using a site now.
> Also, I preferred using a name instead of IP address because there
> could be multiple IP addresses associated with the site name and they
> can change too. But I don't see anything wrong in your approach. What
> do you mean by slow ? I don't think ping reply time should be an
> issue. We are more concerned with the success. Obviously, it should
> not time out.

I agree, but here "slow == timeout" =)
I'm suspecting the adsl modem is the problem. I have two dynamic IP links, adsl/pppoe 400kbps and cable-modem/dhcp 4Mbps.
Anyway, I changed my mind and will connect the links directly to linux (no routers), with the drawback of not having fixed IP/GW/MASK/NETs, but with the advantages of needing no routers, needing no port forwarding in routers, a more self-sufficient solution.
So, I'm using your script as a base (although I had made another, I liked yours), making scripts for dhcp and pppoe create files with connection info, from where it reads the data to set up LB. If someone else wants it, tell me and I'll send a mail.
I know I could apply the patches and these scripts would be much simpler too, but the patch does not detect a failure if it is beyond the gateway.

> The ping reply times I get here for sites like www.yahoo.com and
> www.google.com are to the tune of 300 ms.

Here, without any internet use from the local net, I get ~150ms for both. So, really, it appears I have another problem, not ping delay. Maybe too much load on the adsl link, although I set weights 10 for the cable link and 1 for adsl.

Tom Lobato

From andy at andybev.com Mon Feb 12 13:51:39 2007
From: andy at andybev.com (Andrew Beverley)
Date: Mon Feb 12 13:52:02 2007
Subject: [LARTC] IP rate or Ethernet rate ?
In-Reply-To: <81c11a560702120032w49e39e80vddd7c92fa348586f@mail.gmail.com>
References: <81c11a560702120032w49e39e80vddd7c92fa348586f@mail.gmail.com>
Message-ID: <1171284699.4255.0.camel@andybev.localdomain>

> Just a question: the rate values used to configure a class, are they an
> IP rate or an Ethernet rate?
Do you mean is the rate per IP address or for the whole of the interface? If so, then the rate is the total for that interface.

From andy at andybev.com Mon Feb 12 13:52:52 2007
From: andy at andybev.com (Andrew Beverley)
Date: Mon Feb 12 13:53:10 2007
Subject: [LARTC] Equalize traffic within 1 class.
In-Reply-To: <200702121457.22189.riomartin@bloomasia.com>
References: <200702121457.22189.riomartin@bloomasia.com>
Message-ID: <1171284772.4255.2.camel@andybev.localdomain>

> I need to know how to equalize traffic within 1 class.
> I have so many bulk users within 1 class and I should equalize traffic to
> their nodes so they get fair traffic. Is SFQ able to handle this?

You need the ESFQ patch. Check the archives for more information as it's just been discussed in the past day or two.

From sandu.andrei at gmail.com Mon Feb 12 13:54:05 2007
From: sandu.andrei at gmail.com (Andrei Sandu)
Date: Mon Feb 12 13:54:20 2007
Subject: [LARTC] Page allocation failure
Message-ID:

Hi list,

I have a very strange problem with my network. I have 2 internet connections: A - 1 Gbit, B - 100Mbps.

Network layout:

        A,  B
        |   |
       [Brd1]
       /    \
    [L1]    [L2]
       \    /
       [GW1]
 ................... Clients .....................

Brd1 runs bgpd, and balances the traffic through L1 and L2. L1 and L2 do traffic shaping. GW1 does some packet filtering, and balances the traffic through L1 and L2. Every interface is gigabit. (Realtek NICs)

I'm using IMQ on L1 and L2, to separate the traffic into 2 zones, international and local, with HTB for shaping.

The system works fine for some time, but when the traffic hits 200Mbps, and occasionally bursts to 250-300Mbps, L1 and L2 behave strangely (packet loss > 30%, increased latency +20ms), sometimes they even hang, leaving me with the only solution: rebooting them. I've checked the CPU usage, it stays around 80% during the highest traffic.
I've examined the logs, and here is what I've found:

Feb 11 08:04:05 l1 kernel: cpu 0 cold: low 0, high 0, batch 1 used:0
Feb 11 08:04:05 l1 kernel: DMA32 per-cpu: empty
Feb 11 08:04:05 l1 kernel: Normal per-cpu:
Feb 11 08:04:05 l1 kernel: cpu 0 hot: low 0, high 186, batch 31 used:79
Feb 11 08:04:05 l1 kernel: cpu 0 cold: low 0, high 62, batch 15 used:52
Feb 11 08:04:05 l1 kernel: HighMem per-cpu: empty
Feb 11 08:04:05 l1 kernel: Free pages: 3032kB (0kB HighMem)
Feb 11 08:04:05 l1 kernel: Active:15050 inactive:8995 dirty:0 writeback:0 unstable:0 free:758 slab:102918 mapped:3203 pagetables:101
Feb 11 08:04:05 l1 kernel: DMA free:2016kB min:88kB low:108kB high:132kB active:28kB inactive:1092kB present:16384kB pages_scanned:0 all_unreclaimable? no
Feb 11 08:04:05 l1 kernel: lowmem_reserve[]: 0 0 495 495
Feb 11 08:04:05 l1 kernel: DMA32 free:0kB min:0kB low:0kB high:0kB active:0kB inactive:0kB present:0kB pages_scanned:0 all_unreclaimable? no
Feb 11 08:04:05 l1 kernel: lowmem_reserve[]: 0 0 495 495
Feb 11 08:04:05 l1 kernel: Normal free:1016kB min:2800kB low:3500kB high:4200kB active:60172kB inactive:34888kB present:507584kB pages_scanned:0 all_unreclaimable? no
Feb 11 08:04:05 l1 kernel: lowmem_reserve[]: 0 0 0 0
Feb 11 08:04:05 l1 kernel: HighMem free:0kB min:128kB low:128kB high:128kB active:0kB inactive:0kB present:0kB pages_scanned:0 all_unreclaimable? no
Feb 11 08:04:05 l1 kernel: lowmem_reserve[]: 0 0 0 0
...........
Feb 11 08:04:05 l1 kernel: Swap cache: add 0, delete 0, find 0/0, race 0+0
Feb 11 08:04:05 l1 kernel: Free swap = 987956kB
Feb 11 08:04:05 l1 kernel: Total swap = 987956kB
Feb 11 08:04:05 l1 kernel: Free swap: 987956kB
Feb 11 08:04:05 l1 kernel: 130992 pages of RAM
Feb 11 08:04:05 l1 kernel: 0 pages of HIGHMEM
Feb 11 08:04:05 l1 kernel: 2137 reserved pages
Feb 11 08:04:05 l1 kernel: 28840 pages shared
Feb 11 08:04:05 l1 kernel: 0 pages swap cached
Feb 11 08:04:05 l1 kernel: 0 pages dirty
Feb 11 08:04:05 l1 kernel: 0 pages writeback
Feb 11 08:04:05 l1 kernel: 3203 pages mapped
Feb 11 08:04:05 l1 kernel: 102918 pages slab
Feb 11 08:04:05 l1 kernel: 101 pages pagetables
Feb 11 08:04:05 l1 kernel: ksoftirqd/0: page allocation failure. order:0, mode:0x20
Feb 11 08:04:05 l1 kernel: [] __alloc_pages+0x1e6/0x2b0
Feb 11 08:04:05 l1 kernel: [] kmem_getpages+0x30/0x90
Feb 11 08:04:05 l1 kernel: [] cache_grow+0x8c/0x120
Feb 11 08:04:05 l1 kernel: [] cache_alloc_refill+0x11f/0x1d0
Feb 11 08:04:05 l1 kernel: [] __kmalloc+0x4f/0x60
Feb 11 08:04:05 l1 kernel: [] __alloc_skb+0x40/0x130
Feb 11 08:04:05 l1 kernel: [] e1000_alloc_rx_buffers+0x60/0x360
Feb 11 08:04:05 l1 kernel: [] e1000_clean_rx_irq+0x1d3/0x4a0
Feb 11 08:04:05 l1 kernel: [] rtl8169_rx_fill+0x5b/0x70
Feb 11 08:04:05 l1 kernel: [] e1000_clean+0x9a/0x150
Feb 11 08:04:05 l1 kernel: [] ksoftirqd+0x0/0x80
Feb 11 08:04:05 l1 kernel: [] net_rx_action+0x61/0xe0
Feb 11 08:04:05 l1 kernel: [] __do_softirq+0x79/0x90
Feb 11 08:04:05 l1 kernel: [] do_softirq+0x26/0x30
Feb 11 08:04:05 l1 kernel: [] ksoftirqd+0x4d/0x80
Feb 11 08:04:05 l1 kernel: [] kthread+0x9c/0xb0
Feb 11 08:04:05 l1 kernel: [] kthread+0x0/0xb0
Feb 11 08:04:05 l1 kernel: [] kernel_thread_helper+0x5/0x10

And it continues like this for a long, long time ....

Does anybody know what's wrong, or how can I fix this?

Thanks.
Andrei SANDU.
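Corey's description of ESFQ's 'depth' and 'limit' earlier in this digest (the same patch Andrew points Rio to for per-user fairness inside one class) is easy to check with a toy model. The block below is an added example, not code from the ESFQ patch: the slot hash is deliberately trivial (the last octet of the destination address) so that collisions are predictable, ESFQ's keyed hash and byte-quantum scheduling are replaced by one packet per slot per round, and the traffic mix is constructed.

```python
"""Toy model of ESFQ's 'depth' and 'limit' knobs as described in the thread.

Added example, not code from the ESFQ patch.  The slot hash is deliberately
trivial (last octet of the destination) so collisions are predictable; real
ESFQ uses a keyed hash reseeded every 'perturb' seconds and serves slots by a
byte quantum rather than one packet per round.
"""
from collections import deque


def slot_of(dst, depth):
    """Toy hash: map a destination address to one of `depth` slots."""
    return int(dst.rsplit(".", 1)[1]) % depth


class FairQueue:
    def __init__(self, depth, limit):
        self.depth = depth                  # slots = flows that are kept apart
        self.limit = limit                  # packets held before dropping starts
        self.slots = [deque() for _ in range(depth)]
        self.queued = 0
        self.dropped = {}                   # dst -> packets dropped

    def enqueue(self, dst):
        if self.queued >= self.limit:
            # At the limit: drop the newest packet of the longest slot, which
            # is normally the flow that has been sending the most.
            longest = max(self.slots, key=len)
            victim = longest.pop()
            self.dropped[victim] = self.dropped.get(victim, 0) + 1
            self.queued -= 1
        self.slots[slot_of(dst, self.depth)].append(dst)
        self.queued += 1

    def serve_round(self):
        """One round-robin pass: one packet from every non-empty slot."""
        served = []
        for slot in self.slots:
            if slot:
                served.append(slot.popleft())
                self.queued -= 1
        return served

    def slots_in_use(self):
        return sum(1 for slot in self.slots if slot)


def run(depth, limit, offered, rounds):
    """Enqueue `offered` = [(dst, packets), ...] in order, then serve `rounds`
    passes.  Returns (served per dst, dropped per dst, slots in use)."""
    q = FairQueue(depth, limit)
    for dst, count in offered:
        for _ in range(count):
            q.enqueue(dst)
    in_use = q.slots_in_use()
    served = {dst: 0 for dst, _ in offered}
    for _ in range(rounds):
        for dst in q.serve_round():
            served[dst] += 1
    dropped = {dst: q.dropped.get(dst, 0) for dst, _ in offered}
    return served, dropped, in_use


# Constructed load: one greedy downloader and three light ones.
OFFERED = [("10.0.0.1", 100), ("10.0.0.2", 10), ("10.0.0.3", 10), ("10.0.0.4", 10)]

if __name__ == "__main__":
    for depth, limit in ((1024, 1000), (2, 1000), (1024, 40)):
        served, dropped, in_use = run(depth, limit, OFFERED, rounds=10)
        print(f"depth={depth:<5} limit={limit:<5} slots={in_use} "
              f"served={served} dropped={dropped}")
```

With depth large enough, the greedy 10.0.0.1 and the three light flows each get one packet per round. With depth 2, 10.0.0.3 lands in the same slot as the greedy flow and gets nothing until that queue drains, which is the "more flows than depth" case Corey warns about. With limit 40, every drop lands on the longest slot, so the light flows still get their full share; limit only governs how much is buffered, not who wins.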
From alex at zoomnet.ro Mon Feb 12 13:53:41 2007
From: alex at zoomnet.ro (Alexandru Dragoi)
Date: Mon Feb 12 13:55:49 2007
Subject: [LARTC] IP rate or Ethernet rate ?
In-Reply-To: <1171284699.4255.0.camel@andybev.localdomain>
References: <81c11a560702120032w49e39e80vddd7c92fa348586f@mail.gmail.com> <1171284699.4255.0.camel@andybev.localdomain>
Message-ID: <45D06355.1070800@zoomnet.ro>

An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070212/8ce3db79/attachment.htm

From andy at andybev.com Mon Feb 12 13:57:37 2007
From: andy at andybev.com (Andrew Beverley)
Date: Mon Feb 12 13:58:01 2007
Subject: [LARTC] IP rate or Ethernet rate ?
In-Reply-To: <45D06355.1070800@zoomnet.ro>
References: <81c11a560702120032w49e39e80vddd7c92fa348586f@mail.gmail.com> <1171284699.4255.0.camel@andybev.localdomain> <45D06355.1070800@zoomnet.ro>
Message-ID: <1171285057.4255.6.camel@andybev.localdomain>

On Mon, 2007-02-12 at 14:53 +0200, Alexandru Dragoi wrote:
> Andrew Beverley wrote:
> > > Just a question: the rate values used to configure a class, are they an
> > > IP rate or an Ethernet rate?
> >
> > Do you mean is the rate per IP address or for the whole of the
> > interface? If so, then the rate is the total for that interface.
> >
> > _______________________________________________
> > LARTC mailing list
> > LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> >
> I think he meant if rates are applied counting the whole ethernet
> frame (ip packet + 14 bytes).

In which case I've got no idea, but it works for me :)

From thuleau at gmail.com Mon Feb 12 15:16:27 2007
From: thuleau at gmail.com (Edouard Thuleau)
Date: Mon Feb 12 15:16:37 2007
Subject: [LARTC] IP rate or Ethernet rate ?
In-Reply-To: <45D06355.1070800@zoomnet.ro>
References: <81c11a560702120032w49e39e80vddd7c92fa348586f@mail.gmail.com> <1171284699.4255.0.camel@andybev.localdomain> <45D06355.1070800@zoomnet.ro>
Message-ID: <81c11a560702120616l6c5983dbx9e7ecd3b3d6dd59@mail.gmail.com>

Yes, I want to know if the rate counter calculates with the ethernet frame or only the IP frame. When I put a ceil in Kbit/s on a HTB class, is it the ethernet rate or the IP rate?

2007/2/12, Alexandru Dragoi :
>
> Andrew Beverley wrote:
> > Just a question: the rate values used to configure a class, are they an
> > IP rate or an Ethernet rate?
>
> Do you mean is the rate per IP address or for the whole of the
> interface? If so, then the rate is the total for that interface.
>
> I think he meant if rates are applied counting the whole ethernet frame
> (ip packet + 14 bytes).
>
From bob at nleaudio.com Mon Feb 12 16:49:20 2007
From: bob at nleaudio.com (Bob Puff)
Date: Mon Feb 12 16:49:40 2007
Subject: [LARTC] tc statistics
Message-ID: <20070212154516.M3349@nleaudio.com>

Hi Gang,

I'm still experiencing some bandwidth starvation with my script (below), so I decided to look at the statistics by using:

tc -s qdisc show dev eth0

(where eth0 is the interface I'm trying to rate-limit outbound packets)

I get, for example:

qdisc sfq 21: quantum 1514b perturb 10sec
 Sent 133527926 bytes 413260 pkts (dropped 0, overlimits 0)
qdisc sfq 20: quantum 1514b perturb 10sec
 Sent 42622473 bytes 184396 pkts (dropped 0, overlimits 0)
qdisc htb 1: r2q 10 default 21 direct_packets_stat 0
 Sent 176150399 bytes 597656 pkts (dropped 0, overlimits 137379)

On first appearance, I would think this is telling me that the overall limiting is kicking in, and I'm not limiting specifically in the class 21 (which is where I want the limiting).
Here's my script:

tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 1: htb default 21
tc class add dev eth0 parent 1: classid 1:1 htb rate 370kbit
tc class add dev eth0 parent 1:1 classid 1:20 htb prio 0 rate 100kbit
tc class add dev eth0 parent 1:1 classid 1:21 htb prio 1 rate 200kbit ceil 370kbit
tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev eth0 parent 1:21 handle 21: sfq perturb 10

# Set high priority for a certain destination IP address:
tc filter add dev eth0 parent 1:0 protocol ip prio 0 u32 \
   match ip dst 147.135.2.0/24 flowid 1:20

# Set high priority for <64 byte packets:
tc filter add dev eth0 parent 1:0 protocol ip prio 0 u32 \
   match ip protocol 6 0xff \
   match u8 0x05 0x0f at 0 \
   match u16 0x0000 0xffc0 at 2 \
   match u8 0x10 0xff at 33 \
   flowid 1:20

# Set high priority for ICMP packets:
tc filter add dev eth0 parent 1:0 protocol ip prio 0 u32 \
   match ip protocol 1 0xff \
   flowid 1:20

# Set high priority for UDP packets (hopefully all VOIP!):
tc filter add dev eth0 parent 1:0 protocol ip prio 0 u32 \
   match ip protocol 17 0xff \
   flowid 1:20

Am I reading this incorrectly?

Bob

From kcem at tlen.pl Mon Feb 12 22:17:57 2007
From: kcem at tlen.pl (Konrad Cempura)
Date: Mon Feb 12 22:18:20 2007
Subject: [LARTC] Little problem with ifb. How to catch server traffic on IFB...
Message-ID: <45D0D985.2040006@tlen.pl>

I've a network with NATed hosts. I want to catch only all traffic going from my server, but I don't want to catch NATed traffic from the LAN. I need only traffic going from/to my server (traffic from the INPUT, OUTPUT chains in iptables) (like SSH, postfix, WWW or proxy).

This throws all traffic from my LAN to IFB:

$TC qdisc add dev $iface_lan handle ffff: ingress
$TC qdisc add dev $iface_lan root handle 1:0 htb
#Incoming traffic...
$TC filter add dev $iface_lan parent 1:0 protocol ip prio 1 u32 match ip dst 192.168.0.0/16 flowid 1:1 action mirred egress redirect dev ifb0
#Outgoing traffic...
$TC filter add dev $iface_lan parent ffff: protocol ip prio 1 u32 match ip src 192.168.0.0/16 flowid 1:1 action mirred egress redirect dev ifb1

I need some rules to throw all traffic from my server to ifb. These rules throw all traffic from my router, together with the NATed LAN traffic... And there is no way to filter this traffic :/

$TC qdisc add dev $iface_wan handle ffff: ingress
$TC qdisc add dev $iface_wan root handle 1:0 htb
#Incoming traffic...
$TC filter add dev $iface_wan parent ffff: protocol ip prio 1 u32 match ip dst $server_external_IP flowid 1:1 action mirred egress redirect dev ifb0
#Outgoing traffic...
$TC filter add dev $iface_wan parent 1:0 protocol ip prio 1 u32 match ip src $server_external_IP flowid 1:1 action mirred egress redirect dev ifb1

I need some help... Is there any possibility to do this? How to catch packets which are not from/to the LAN - on the WAN interface?

From lihalla at gmail.com Mon Feb 12 22:36:38 2007
From: lihalla at gmail.com (David Brodsky)
Date: Mon Feb 12 22:36:46 2007
Subject: [LARTC] htb: rate bigger then ceil
Message-ID:

Hi,

we have upgraded a gateway machine for our network and suddenly shaping doesn't work as it used to. Before the upgrade the traffic was shaped correctly - both OUTPUT and FORWARD packets shared the same class and it just worked. But now only FORWARD packets are shaped, OUTPUT uses the whole line bandwidth.

This is a piece of output from tc -s class show dev eth1:

class htb 1:894 parent 1:257 leaf 894: prio 1 rate 32000bit ceil 320000bit burst 16Kb cburst 1759b
 Sent 10360881 bytes 1470 pkt (dropped 0, overlimits 0 requeues 0)
 rate 1111Kbit 18pps backlog 0b 11p requeues 0
 lended: 181 borrowed: 1278 giants: 1039
 tokens: -1198082 ctokens: -32358

Class 1:894 is a leaf, 1:257 has two children, both leaves (the sum of the children's rates equals 1:257's rate). By FORWARD I mean packets that are forwarded by the machine and by OUTPUT packets that are generated by the machine.
The new configuration is Core 2 duo, kernel (2.6.17.13-smp) and utils from Slackware. The previous one was something like a Duron with a non-smp 2.4 kernel.

So the question is - what am I missing? How is it possible that rate is much bigger than ceil in a leaf class?

Thanks,
David Brodsky

From netsecuredata at gmail.com Mon Feb 12 23:36:26 2007
From: netsecuredata at gmail.com (Jorge Evangelista)
Date: Mon Feb 12 23:36:32 2007
Subject: [LARTC] Route-map Linux for ssh traffic
Message-ID:

Hi guys,

I have a question about route-maps with linux. I have two linux routers, one for Internet traffic and the other for VPN traffic; both routers have public IP addresses.

 Internet with nat              VPN with nat
 eth0 200.244.10.1              eth0 200.244.10.2
 ----                           ----
 -----                          ------
 eth1 10.10.1.1  gw1            eth1 10.10.1.254  gw2

I have created the following route-map:

echo 100 gw2 >> /etc/iproute2/rt_tables
ip route add default via 10.10.1.254 table gw2 proto static
ip rule add from 10.10.1.5 table gw2

Where 10.10.1.5 is my computer. Public IP addresses are fictitious.

With this configuration my PC goes out to the Internet via gw2, my PC is NATed with public IP 200.244.10.2, but I need to change it: I need my PC to go out via gw2 only for ssh traffic, so I changed my rules:

echo 100 gw2 >> /etc/iproute2/rt_tables
ip route add default via 10.10.1.254 table gw2 proto static
ip rule add from all fwmark 1 table gw2
iptables -I PREROUTING -t mangle -i eth1 -s 10.10.1.5 -p tcp --dport 22 -j MARK --set-mark 1

However, it does not work, because when I make a ssh connection to a remote host, I can see that I am NATed with IP 200.244.10.1.

Can anyone help me with this configuration? Excuse me for my english.

From paul at diasoft.nl Tue Feb 13 14:50:13 2007
From: paul at diasoft.nl (Paul Viney)
Date: Tue Feb 13 14:50:36 2007
Subject: [LARTC] Routing problem (RTNETLINK answers: Invalid argument) on multiple internet link.
Message-ID: <200702131450.13852.paul@diasoft.nl>

Hi all,

I'm trying to set up a computer with 2 routes to the internet, much as described at http://lartc.org/howto/lartc.rpdb.multiple-links.html . One of my interfaces (eth5, 192.168.2.2) is only used for traffic originating inside the network. The other (eth1, 192.168.1.2) is only used for a VPN, where all (udp) traffic originates from outside our network. I have created a second routing table for eth1, with its own default gateway, and selected it with

ip rule from 192.168.1.2 iif lo lookup 4

All this works fine.

My problem is that one of the udp ports is forwarded to another server using iptables:

/sbin/iptables -t nat -A PREROUTING -i eth1 -p udp -d 192.168.1.2 --dport 4902 -j DNAT --to 192.168.12.5:4902

Using tcpdump on eth1, I can see that the incoming packets receive an icmp rejection, and when I try something like

ip route get 192.168.12.5 from 64.233.183.103 iif eth1

I get "RTNETLINK answers: Invalid argument"

If I try

ip route get 192.168.12.5 from 64.233.183.103 iif eth5

I get

192.168.12.5 from 64.233.183.103 dev eth3 src 192.168.2.2
    cache mtu 1500 advmss 1460 metric 10 64 iif eth5

which leads me to conclude that the difference has something to do with the default route.

I've tried things like

ip rule add iif eth1 lookup 4 (4 being my custom routing table)
ip rule add from 192.168.1.2 lookup 4

and even

iptables -t nat -I PREROUTING -i eth1 -p udp -j MARK --set-mark 1
ip rule from all fwmark 0x1 lookup 4
ip route flush cache

I'm using linux 2.6.19.2 + grsecurity patches, every option I could find compiled in, on an up to date gentoo system.

Can anyone see what I'm missing?
Thanks,

Paul Viney

ip route show
192.168.2.0/24 dev eth5 proto kernel scope link src 192.168.2.2
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.2
192.168.12.0/24 dev eth3 proto kernel scope link src 192.168.12.1
127.0.0.0/8 dev lo scope link
default via 192.168.2.1 dev eth5

ip route show table 4
192.168.2.0/24 dev eth5 proto kernel scope link src 192.168.2.2
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.2
192.168.12.0/24 dev eth3 proto kernel scope link src 192.168.12.1
127.0.0.0/8 dev lo scope link
default via 192.168.1.1 dev eth1

ip rule show
0: from all lookup local
9999: from all fwmark 0x1 lookup 4
10000: from 192.168.1.2 iif lo lookup 4
30000: from all lookup main
30000: from all lookup default

From alex at samad.com.au Tue Feb 13 21:40:20 2007
From: alex at samad.com.au (Alex Samad)
Date: Tue Feb 13 21:40:43 2007
Subject: [LARTC] Routing problem (RTNETLINK answers: Invalid argument) on multiple internet link.
In-Reply-To: <200702131450.13852.paul@diasoft.nl>
References: <200702131450.13852.paul@diasoft.nl>
Message-ID: <20070213204020.GP4088@samad.com.au>

On Tue, Feb 13, 2007 at 02:50:13PM +0100, Paul Viney wrote:
> Hi all,
>
> I'm trying to set up a computer with 2 routes to the internet, much as
> described at http://lartc.org/howto/lartc.rpdb.multiple-links.html . One of my
> interfaces (eth5, 192.168.2.2) is only used for traffic originating inside
> the network. The other (eth1, 192.168.1.2) is only used for a VPN, where all
> (udp) traffic originates from outside our network. I have created a second
> routing table for eth1, with its own default gateway, and selected it with
> ip rule from 192.168.1.2 iif lo lookup 4. All this works fine.
> My problem is that one of the udp ports is forwarded to another server using
> iptables:
> /sbin/iptables -t nat -A PREROUTING -i eth1 -p udp -d 192.168.1.2 --dport
> 4902 -j DNAT --to 192.168.12.5:4902
>
> using tcpdump on eth1, I can see that the incoming packets receive an icmp
> rejection, and when I try something like
>
> ip route get 192.168.12.5 from 64.233.183.103 iif eth1
> I get "RTNETLINK answers: Invalid argument"
>
> If I try
> ip route get 192.168.12.5 from 64.233.183.103 iif eth5
> I get
> 192.168.12.5 from 64.233.183.103 dev eth3 src 192.168.2.2
> cache mtu 1500 advmss 1460 metric 10 64 iif eth5
>
> which leads me to conclude that the difference has something to do with the
> default route.
> I've tried things like
> ip rule add iif eth1 lookup 4 (4 being my custom routing table)
> ip rule add from 192.168.1.2 lookup 4
>
> and even
> iptables -t nat -I PREROUTING -i eth1 -p udp -j MARK --set-mark 1
> ip rule from all fwmark 0x1 lookup 4
> ip route flush cache
>
> I'm using linux 2.6.19.2 + grsecurity patches, every option I could find
> compiled in, on an up to date gentoo system.
>
> Can anyone see what I'm missing?
>
> Thanks,
>
> Paul Viney
>
>
> ip route show
> 192.168.2.0/24 dev eth5 proto kernel scope link src 192.168.2.2
> 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.2
> 192.168.12.0/24 dev eth3 proto kernel scope link src 192.168.12.1
> 127.0.0.0/8 dev lo scope link
> default via 192.168.2.1 dev eth5
>
> ip route show table 4
> 192.168.2.0/24 dev eth5 proto kernel scope link src 192.168.2.2
> 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.2
> 192.168.12.0/24 dev eth3 proto kernel scope link src 192.168.12.1
> 127.0.0.0/8 dev lo scope link
> default via 192.168.1.1 dev eth1
>
> ip rule show
> 0: from all lookup local
> 9999: from all fwmark 0x1 lookup 4
> 10000: from 192.168.1.2 iif lo lookup 4

if the ip address on eth1 is 64.233.183.103 then you need a rule
10001: from 64.233.183.103 lookup 4

I don't think the fwmark rule will work with ip route get.

Plus your routing information in table 4, you are saying that the default address is available via 192.168.1.1 ????
that doesn't match up with 64.233.183.103

this is my ip ru
0: from all lookup local
200: from 144.132.147.156 lookup cable
201: from 60.241.248.86 lookup adsl
32766: from all lookup main
32767: from all lookup default

144.132.147.156 is one isp, 60.241.248.86 is the other one

ip r sh tab cable
192.168.8.248/29 dev tap0 scope link src 192.168.8.249
192.168.11.0/24 dev vlan0 scope link src 192.168.11.1
192.168.10.0/24 dev eth1 scope link src 192.168.10.1
default via 144.132.144.1 dev vlan2 proto static src 144.132.147.156 metric 50
prohibit default proto static metric 100

ip r sh tab adsl
192.168.8.248/29 dev tap0 scope link src 192.168.8.249
192.168.11.0/24 dev vlan0 scope link src 192.168.11.1
192.168.10.0/24 dev eth1 scope link src 192.168.10.1
default via 10.20.20.168 dev ppp0 proto static src 60.241.248.86 metric 20
prohibit default proto static metric 100

ip r sh tab default
default proto static metric 5
    nexthop via 144.132.144.1 dev vlan2 weight 1
    nexthop via 10.20.20.168 dev ppp0 weight 20
default via 10.20.20.168 dev ppp0 src 60.241.248.86 metric 20
default via 144.132.144.1 dev vlan2 src 144.132.147.156 metric 30

The difference for you should be in the default table, you will not need
default proto static metric 5
    nexthop via 144.132.144.1 dev vlan2 weight 1
    nexthop via 10.20.20.168 dev ppp0 weight 20

cause you want all your traffic to go out 1 link.

alex

> 30000: from all lookup main
> 30000: from all lookup default
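To trace what Paul's two `ip route get` commands are actually answering, here is a toy model of the routing policy database, added as an example (it is not iproute2 or kernel code). It implements only the rule selectors and route types this thread uses (from, iif, fwmark; unicast and prohibit) and assumes rp_filter is enabled on the incoming interface, which is what turns an input-side lookup into "Invalid argument": the kernel first looks up the route back to the source and insists that it leaves through the interface the packet arrived on, and a source it cannot validate that way (or no source at all) is a martian, reported as EINVAL before the destination is even considered. Paul's tables and rules are reproduced from his post; the local table, the 198.51.100.7 test destination and the main table used for Alex's cable example are constructed stand-ins.

```python
"""Toy model of the Linux routing policy database (ip rule + route tables),
added to trace the 'ip route get' answers in Paul's thread.  Not iproute2 or
kernel code: it implements only the rule selectors (from, iif, fwmark) and
route types (unicast, prohibit) the thread uses, and it assumes rp_filter is
on, so an input-side lookup validates the reverse path of the source first.
"""
import ipaddress


def net(prefix):
    return ipaddress.ip_network("0.0.0.0/0" if prefix == "default" else prefix)


class Route:
    def __init__(self, prefix, dev=None, via=None, metric=0, prohibit=False):
        self.prefix, self.dev, self.via = net(prefix), dev, via
        self.metric, self.prohibit = metric, prohibit


class Rule:
    def __init__(self, prio, table, src=None, iif=None, fwmark=None):
        self.prio, self.table, self.iif, self.fwmark = prio, table, iif, fwmark
        self.src = net(src) if src else None

    def matches(self, src, iif, fwmark):
        if self.src is not None and (src is None or src not in self.src):
            return False
        if self.iif is not None and iif != self.iif:
            return False
        return self.fwmark is None or fwmark == self.fwmark


def table_lookup(table, dst):
    """Longest prefix wins, then the lowest metric; None if nothing matches."""
    hits = [r for r in table if dst in r.prefix]
    return max(hits, key=lambda r: (r.prefix.prefixlen, -r.metric)) if hits else None


def fib_lookup(rules, tables, dst, src, iif, fwmark):
    """Walk rules by priority: a table without a match falls through to the
    next rule, a 'prohibit' route ends the lookup with an error."""
    for rule in sorted(rules, key=lambda r: r.prio):
        if rule.matches(src, iif, fwmark):
            route = table_lookup(tables.get(rule.table, []), dst)
            if route is not None:
                return "EACCES (prohibited)" if route.prohibit else route
    return "ENETUNREACH (no route)"


def route_get(rules, tables, dst, src=None, iif=None, fwmark=None):
    """Mimic 'ip route get'.  Without iif it is an output lookup and the rules
    see lo as the input interface ('iif lo' = locally generated).  With iif it
    is an input lookup, rejected with EINVAL for a martian source."""
    dst = ipaddress.ip_address(dst)
    src = ipaddress.ip_address(src) if src else None
    if iif is not None:
        if src is None or src.is_unspecified:
            return "EINVAL (martian source: no source address)"
        # Reverse-path check: look the source up with the roles swapped and
        # require the answer to leave through the interface it arrived on.
        back = fib_lookup(rules, tables, src, dst, iif, fwmark)
        if not isinstance(back, Route) or back.dev != iif:
            return "EINVAL (martian source: %s is not reached via %s)" % (src, iif)
    res = fib_lookup(rules, tables, dst, src, iif or "lo", fwmark)
    if not isinstance(res, Route):
        return res
    return "%s dev %s" % (dst, res.dev) + (" via %s" % res.via if res.via else "")


# Paul's tables and rules as posted; the local table is a minimal reconstruction.
LINKS = [Route("192.168.2.0/24", dev="eth5"), Route("192.168.1.0/24", dev="eth1"),
         Route("192.168.12.0/24", dev="eth3"), Route("127.0.0.0/8", dev="lo")]
PAUL_TABLES = {
    "local": [Route(a, dev="lo") for a in
              ("192.168.2.2/32", "192.168.1.2/32", "192.168.12.1/32", "127.0.0.0/8")],
    "main": LINKS + [Route("default", dev="eth5", via="192.168.2.1")],
    "4": LINKS + [Route("default", dev="eth1", via="192.168.1.1")],
}
PAUL_RULES = [Rule(0, "local"), Rule(9999, "4", fwmark=1),
              Rule(10000, "4", src="192.168.1.2", iif="lo"),
              Rule(32766, "main"), Rule(32767, "default")]


def alex_cable_lookup(link_up, dst="198.51.100.7"):
    """Alex's 'cable' table: once the metric-50 default disappears with the
    link, the 'prohibit' route answers instead of falling through to main
    (main here is a constructed stand-in carrying his adsl default)."""
    cable = [Route("default", prohibit=True, metric=100)]
    if link_up:
        cable.append(Route("default", dev="vlan2", via="144.132.144.1", metric=50))
    tables = {"cable": cable, "main": [Route("default", dev="ppp0", via="10.20.20.168")]}
    rules = [Rule(200, "cable", src="144.132.147.156"), Rule(32766, "main")]
    return route_get(rules, tables, dst, src="144.132.147.156")


if __name__ == "__main__":
    q, s = "192.168.12.5", "64.233.183.103"
    print(route_get(PAUL_RULES, PAUL_TABLES, q, src=s, iif="eth1"))   # EINVAL
    print(route_get(PAUL_RULES, PAUL_TABLES, q, src=s, iif="eth5"))   # dev eth3
    print(route_get(PAUL_RULES + [Rule(10001, "4", iif="eth1")], PAUL_TABLES,
                    q, src=s, iif="eth1"))                            # dev eth3
    print(route_get(PAUL_RULES, PAUL_TABLES, q, iif="eth1"))          # EINVAL
    print(alex_cable_lookup(True), "|", alex_cable_lookup(False))
```

Run as a script it reproduces the two answers in Paul's post: for iif eth1 the route back to 64.233.183.103 is the main table's default via eth5, so the source is rejected, while for iif eth5 the check passes and the destination resolves to dev eth3. It also shows why a `from`-based rule cannot help for an arbitrary internet source but an `iif eth1` rule satisfies the check in this model (on a real box that still depends on rp_filter and the firewall), that an input lookup with no source at all is rejected the same way, and that Alex's prohibit route turns a dead cable link into an error instead of a silent fall-through to the main table.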
From paul at diasoft.nl Tue Feb 13 22:54:51 2007
From: paul at diasoft.nl (Paul Viney)
Date: Tue Feb 13 22:55:02 2007
Subject: [LARTC] Routing problem (RTNETLINK answers: Invalid argument) on multiple internet link.
In-Reply-To: <20070213204020.GP4088@samad.com.au>
References: <200702131450.13852.paul@diasoft.nl> <20070213204020.GP4088@samad.com.au>
Message-ID: <200702132254.51313.paul@diasoft.nl>

Thanks for the advice, Alex. I've been able to add both default routes - I hadn't considered using the metric to avoid using the VPN link.
I guess I wasn't very clear with my use of 64.233.183.103, which was meant to be a random internet address coming in over the VPN link, not the default internet link.
What exactly does the "prohibit default proto static metric 100" in your routing table do? Haven't you already had a default route which would trigger before reaching this rule?

I still seem to have much the same problem. I no longer get ICMP unreachable errors, but the packet just seems to disappear - I can't see it being forwarded on any interface, nor can I find any kind of reply - icmp or otherwise.

ip route get to 192.168.12.5 gives
192.168.12.5 dev eth3 src 192.168.12.1
    cache mtu 1500 advmss 1460 metric 10 64

ip route get to 192.168.12.5 iif eth1 gives
RTNETLINK answers: Invalid argument

Am I not understanding how "ip route get" works? The man pages are fairly succinct in their explanation.
Thanks for your help,

Paul Viney

On Tuesday 13 February 2007 21:40, Alex Samad wrote:
> On Tue, Feb 13, 2007 at 02:50:13PM +0100, Paul Viney wrote:
> > Hi all,
> >
> > I'm trying to set up a computer with 2 routes to the internet, much as
> > described at http://lartc.org/howto/lartc.rpdb.multiple-links.html . One
> > of my interfaces (eth5, 192.168.2.2) is only used for traffic originating
> > inside the network. The other (eth1, 192.168.1.2) is only used for a VPN,
> > where all (udp) traffic originates from outside our network. I have
> > created a second routing table for eth1, with its own default gateway,
> > and selected it with ip rule from 192.168.1.2 iif lo lookup 4. All this
> > works fine.
> > My problem is that one of the udp ports is forwarded to another server
> > using iptables:
> > /sbin/iptables -t nat -A PREROUTING -i eth1 -p udp -d 192.168.1.2 --dport
> > 4902 -j DNAT --to 192.168.12.5:4902
> >
> > using tcpdump on eth1, I can see that the incoming packets receive an
> > icmp rejection, and when I try something like
> >
> > ip route get 192.168.12.5 from 64.233.183.103 iif eth1
> > I get "RTNETLINK answers: Invalid argument"
> >
> > If I try
> > ip route get 192.168.12.5 from 64.233.183.103 iif eth5
> > I get
> > 192.168.12.5 from 64.233.183.103 dev eth3 src 192.168.2.2
> > cache mtu 1500 advmss 1460 metric 10 64 iif eth5
> >
> > which leads me to conclude that the difference has something to do with
> > the default route.
> > I've tried things like
> > ip rule add iif eth1 lookup 4 (4 being my custom routing table)
> > ip rule add from 192.168.1.2 lookup 4
> >
> > and even
> > iptables -t nat -I PREROUTING -i eth1 -p udp -j MARK --set-mark 1
> > ip rule from all fwmark 0x1 lookup 4
> > ip route flush cache
> >
> > I'm using linux 2.6.19.2 + grsecurity patches, every option I could find
> > compiled in, on an up to date gentoo system.
> >
> > Can anyone see what I'm missing?
> >
> > Thanks,
> >
> > Paul Viney
> >
> >
> > ip route show
> > 192.168.2.0/24 dev eth5 proto kernel scope link src 192.168.2.2
> > 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.2
> > 192.168.12.0/24 dev eth3 proto kernel scope link src 192.168.12.1
> > 127.0.0.0/8 dev lo scope link
> > default via 192.168.2.1 dev eth5
> >
> > ip route show table 4
> > 192.168.2.0/24 dev eth5 proto kernel scope link src 192.168.2.2
> > 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.2
> > 192.168.12.0/24 dev eth3 proto kernel scope link src 192.168.12.1
> > 127.0.0.0/8 dev lo scope link
> > default via 192.168.1.1 dev eth1
> >
> > ip rule show
> > 0: from all lookup local
> > 9999: from all fwmark 0x1 lookup 4
> > 10000: from 192.168.1.2 iif lo lookup 4
>
> if the ip address on eth1 is 64.233.183.103 then you need a rule
> 10001: from 64.233.183.103 lookup 4
>
> I don't think the fwmark rule will work with ip route get.
>
> Plus your routing information in table 4, you are saying that the default
> address is available via 192.168.1.1 ????
that doesn't match up with > 64.233.183.103 > > > > this is my ip ru > 0: from all lookup local > 200: from 144.132.147.156 lookup cable > 201: from 60.241.248.86 lookup adsl > 32766: from all lookup main > 32767: from all lookup default > > > 144.132.147.156 is one isp, 60.241.248.86 is the other one > > ip r sh tab cable > 192.168.8.248/29 dev tap0 scope link src 192.168.8.249 > 192.168.11.0/24 dev vlan0 scope link src 192.168.11.1 > 192.168.10.0/24 dev eth1 scope link src 192.168.10.1 > default via 144.132.144.1 dev vlan2 proto static src 144.132.147.156 > metric 50 > prohibit default proto static metric 100 > > > ip r sh tab adsl > 192.168.8.248/29 dev tap0 scope link src 192.168.8.249 > 192.168.11.0/24 dev vlan0 scope link src 192.168.11.1 > 192.168.10.0/24 dev eth1 scope link src 192.168.10.1 > default via 10.20.20.168 dev ppp0 proto static src 60.241.248.86 metric > 20 prohibit default proto static metric 100 > > ip r sh tab default > default proto static metric 5 > nexthop via 144.132.144.1 dev vlan2 weight 1 > nexthop via 10.20.20.168 dev ppp0 weight 20 > default via 10.20.20.168 dev ppp0 src 60.241.248.86 metric 20 > default via 144.132.144.1 dev vlan2 src 144.132.147.156 metric 30 > > > The difference for you should be in the default table, you will not need > default proto static metric 5 > nexthop via 144.132.144.1 dev vlan2 weight 1 > nexthop via 10.20.20.168 dev ppp0 weight 20 > > > cause you want all your traffic to go out 1 link. > > alex > > > 30000: from all lookup main > > 30000: from all lookup default > > _______________________________________________ > > LARTC mailing list > > LARTC@mailman.ds9a.nl > > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc From alex at samad.com.au Wed Feb 14 03:53:59 2007 From: alex at samad.com.au (Alex Samad) Date: Wed Feb 14 03:54:18 2007 Subject: [LARTC] Routing problem (RTNETLINK answers: Invalid argument) on multiple internet link. 
In-Reply-To: <200702132254.51313.paul@diasoft.nl>
References: <200702131450.13852.paul@diasoft.nl> <20070213204020.GP4088@samad.com.au> <200702132254.51313.paul@diasoft.nl>
Message-ID: <20070214025359.GS4088@samad.com.au>

On Tue, Feb 13, 2007 at 10:54:51PM +0100, Paul Viney wrote:
> Thanks for the advice, Alex. I've been able to add both default routes - I
> hadn't considered using the metric to avoid using the VPN link.
> I guess I wasn't very clear with my use of 64.233.183.103, which was meant to
> be a random internet address coming in over the VPN link, not the default
> internet link.
> what exactly does the " prohibit default proto static metric 100 " in your
> routing table do? Haven't you already had a default route which would trigger
> before reaching this rule?

it's been a while since I looked over this, but from memory, if the link goes
down, it stops the route table being used

> I still seem to have much the same problem. I no longer get ICMP unreachable
> errors, but the packet just seems to disappear - I can't see it being
> forwarded on any interface, nor can I find any kind of reply - icmp or
> otherwise.

sounds like a firewall issue!

> ip route get to 192.168.12.5 gives
> 192.168.12.5 dev eth3 src 192.168.12.1
> cache mtu 1500 advmss 1460 metric 10 64
>
> ip route get to 192.168.12.5 iif eth1 gives
> RTNETLINK answers: Invalid argument

try ip r g from 192.168.12.5, I seem to be getting the same error as you

> Am I not understanding how "ip route get" works? The man pages are fairly
> succinct in their explanation.
>
> Thanks for your help,
>
> Paul Viney
>
> On Tuesday 13 February 2007 21:40, Alex Samad wrote:
> > On Tue, Feb 13, 2007 at 02:50:13PM +0100, Paul Viney wrote:
> > > Hi all,
> > >
> > > I'm trying to set up a computer with 2 routes to the internet, much as
> > > described at http://lartc.org/howto/lartc.rpdb.multiple-links.html. One
> > > of my interfaces (eth5, 192.168.2.2) is only used for traffic originating
> > > inside the network. The other (eth1, 192.168.1.2) is only used for a VPN,
> > > where all (udp) traffic originates from outside our network. I have
> > > created a second routing table for eth1, with its own default gateway,
> > > and selected it with ip rule from 192.168.1.2 iif lo lookup 4. All this
> > > works fine.
> > > My problem is that one of the udp ports is forwarded to another server
> > > using iptables:
> > > /sbin/iptables -t nat -A PREROUTING -i eth1 -p udp -d 192.168.1.2 --dport
> > > 4902 -j DNAT --to 192.168.12.5:4902
> > >
> > > using tcpdump on eth1, I can see that the incoming packets receive an
> > > icmp rejection, and when I try something like
> > >
> > > ip route get 192.168.12.5 from 64.233.183.103 iif eth1
> > > I get "RTNETLINK answers: Invalid argument"
> > >
> > > If I try
> > > ip route get 192.168.12.5 from 64.233.183.103 iif eth5
> > > I get
> > > 192.168.12.5 from 64.233.183.103 dev eth3 src 192.168.2.2
> > > cache mtu 1500 advmss 1460 metric 10 64 iif eth5
> > >
> > > which leads me to conclude that the difference has something to do with
> > > the default route.
> > > I've tried things like
> > > ip rule add iif eth1 lookup 4 (4 being my custom routing table)
> > > ip rule add from 192.168.1.2 lookup 4
> > >
> > > and even
> > > iptables -t nat -I PREROUTING -i eth1 -p udp -j MARK --set-mark 1
> > > ip rule from all fwmark 0x1 lookup 4
> > > ip route flush cache
> > >
> > > I'm using linux 2.6.19.2 + grsecurity patches, every option I could find
> > > compiled in, on an up to date gentoo system.
> > >
> > > Can anyone see what I'm missing?
> > >
> > > Thanks,
> > >
> > > Paul Viney
> > >
> > >
> > > ip route show
> > > 192.168.2.0/24 dev eth5 proto kernel scope link src 192.168.2.2
> > > 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.2
> > > 192.168.12.0/24 dev eth3 proto kernel scope link src 192.168.12.1
> > > 127.0.0.0/8 dev lo scope link
> > > default via 192.168.2.1 dev eth5
> > >
> > > ip route show table 4
> > > 192.168.2.0/24 dev eth5 proto kernel scope link src 192.168.2.2
> > > 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.2
> > > 192.168.12.0/24 dev eth3 proto kernel scope link src 192.168.12.1
> > > 127.0.0.0/8 dev lo scope link
> > > default via 192.168.1.1 dev eth1
> > >
> > > ip rule show
> > > 0: from all lookup local
> > > 9999: from all fwmark 0x1 lookup 4
> > > 10000: from 192.168.1.2 iif lo lookup 4
> >
> > if the ip address on eth1 is 64.233.183.103 then you need a rule
> > 10001: from 64.233.183.103 lookup 4
> >
> > I don't think the fwmark rule will work with ip route get.
> >
> > Plus your routing information in table 4, you are saying that the default
> > address is available via 192.168.1.1 ???? that doesn't match up with
> > 64.233.183.103
> >
> >
> > this is my ip ru
> > 0: from all lookup local
> > 200: from 144.132.147.156 lookup cable
> > 201: from 60.241.248.86 lookup adsl
> > 32766: from all lookup main
> > 32767: from all lookup default
> >
> >
> > 144.132.147.156 is one isp, 60.241.248.86 is the other one
> >
> > ip r sh tab cable
> > 192.168.8.248/29 dev tap0 scope link src 192.168.8.249
> > 192.168.11.0/24 dev vlan0 scope link src 192.168.11.1
> > 192.168.10.0/24 dev eth1 scope link src 192.168.10.1
> > default via 144.132.144.1 dev vlan2 proto static src 144.132.147.156 metric 50
> > prohibit default proto static metric 100
> >
> >
> > ip r sh tab adsl
> > 192.168.8.248/29 dev tap0 scope link src 192.168.8.249
> > 192.168.11.0/24 dev vlan0 scope link src 192.168.11.1
> > 192.168.10.0/24 dev eth1 scope link src 192.168.10.1
> > default via 10.20.20.168 dev ppp0 proto static src 60.241.248.86 metric 20
> > prohibit default proto static metric 100
> >
> > ip r sh tab default
> > default proto static metric 5
> > nexthop via 144.132.144.1 dev vlan2 weight 1
> > nexthop via 10.20.20.168 dev ppp0 weight 20
> > default via 10.20.20.168 dev ppp0 src 60.241.248.86 metric 20
> > default via 144.132.144.1 dev vlan2 src 144.132.147.156 metric 30
> >
> >
> > The difference for you should be in the default table, you will not need
> > default proto static metric 5
> > nexthop via 144.132.144.1 dev vlan2 weight 1
> > nexthop via 10.20.20.168 dev ppp0 weight 20
> >
> >
> > cause you want all your traffic to go out 1 link.
> >
> > alex
> >
> > > 30000: from all lookup main
> > > 30000: from all lookup default

From paul at diasoft.nl Wed Feb 14 08:30:48 2007
From: paul at diasoft.nl (Paul Viney)
Date: Wed Feb 14 08:31:58 2007
Subject: [LARTC] Routing problem (RTNETLINK answers: Invalid argument) on multiple internet link.
In-Reply-To: <20070214025359.GS4088@samad.com.au>
References: <200702131450.13852.paul@diasoft.nl> <200702132254.51313.paul@diasoft.nl> <20070214025359.GS4088@samad.com.au>
Message-ID: <200702140830.48866.paul@diasoft.nl>

> > I still seem to have much the same problem. I no longer get ICMP
> > unreachable errors, but the packet just seems to disappear - I can't see
> > it being forwarded on any interface, nor can I find any kind of reply -
> > icmp or otherwise.
>
> sounds like a firewall issue!

It does sound like a firewall issue, but the only firewall rule I have at the
moment is the one doing the DNAT. If I do 'iptables -t nat -L -v', then I can
see the number of packets increasing. Once I remove the firewall rule, I get
my "icmp unreachable" errors again. Funnily enough, if I then reinstate the
firewall (dnat) rule, then I still get "icmp unreachable" errors and the
packet count doesn't go up for the rule. It's almost as though the rule
doesn't get consulted. 'ip route flush cache' doesn't make a difference.
After about 5 minutes the "icmp unreachable" errors stop and the packet count
starts going up, although I still can't find my packet on the next hop. (I do
have forwarding switched on). The packet count on an iptables log rule on the
forward table does not go up, giving me the impression that routing has
failed. I also tried ip r get from 192.168.12.5, which did indeed give me the
same "RTNETLINK answers: Invalid argument" error. I guess that means that my
understanding of the purpose of 'ip r get' is indeed faulty.

Thanks for all your help so far.

Paul Viney

From paul at diasoft.nl Wed Feb 14 08:35:02 2007
From: paul at diasoft.nl (Paul Viney)
Date: Wed Feb 14 08:35:18 2007
Subject: [LARTC] Routing problem (RTNETLINK answers: Invalid argument) on multiple internet link.
In-Reply-To: <20070214025359.GS4088@samad.com.au>
References: <200702131450.13852.paul@diasoft.nl> <200702132254.51313.paul@diasoft.nl> <20070214025359.GS4088@samad.com.au>
Message-ID: <200702140835.02304.paul@diasoft.nl>

If I type

route add default gw 192.168.1.1
ip route flush cache

then my forwarding suddenly starts working again, although the rest of my
routing obviously doesn't do what I want any more. Weird.

Paul Viney

From simone84bo at email.it Wed Feb 14 12:05:18 2007
From: simone84bo at email.it (Simone84bo)
Date: Wed Feb 14 12:05:29 2007
Subject: [LARTC] Marking packets with iptables (NEWBIE)
Message-ID: <32e8c9ad46447dda11a5806e3e2785fd@85.18.136.107>

Hi all,
I'm trying to mark packets with iptables and use tc filter to catch these packets.
I configure my device:

tc qdisc del root dev eth0
tc qdisc add dev eth0 root handle 1: htb default 10
tc class add dev eth0 parent 1: classid 1:1 htb rate 3000kbit ceil 6000kbit burst 15k
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 2000kbit ceil 4000kbit burst 15k
tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 1400kbit ceil 2000kbit burst 15k
tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10

Then I mark the packets with these commands:

iptables -F -t mangle
iptables -A PREROUTING -t mangle -p tcp --sport 80 -j MARK --set-mark 2

And I set up the filter:

tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 2 fw classid 1:20

To test this configuration I use my browser to create html traffic.
Packets are marked:

iptables -t mangle -vL PREROUTING output:
Chain PREROUTING (policy ACCEPT 4762 packets, 2102K bytes)
 pkts bytes target prot opt in out source destination
   13  4884 MARK tcp -- any any anywhere anywhere tcp spt:www MARK set 0x2

but nothing goes to class 1:20 and qdisc 20:

tc -s qdisc ls dev eth0 output:
qdisc htb 1: r2q 10 default 10 direct_packets_stat 0
 Sent 45353 bytes 197 pkts (dropped 0, overlimits 0)
qdisc sfq 10: parent 1:10 limit 128p quantum 1514b perturb 10sec
 Sent 45353 bytes 197 pkts (dropped 0, overlimits 0)
qdisc sfq 20: parent 1:20 limit 128p quantum 1514b perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

Why?

Thanks

From anthony at anroet.com Wed Feb 14 12:24:15 2007
From: anthony at anroet.com (Anthony Kamau)
Date: Wed Feb 14 12:24:28 2007
Subject: [LARTC] Problems with HTB. Help!
In-Reply-To: <1171114375.4439.31.camel@andybev.localdomain>
Message-ID: <037f01c7502a$a8a802a0$8cc8a8c0@anroet.com>

> -----Original Message-----
> From: Andrew Beverley [mailto:andy@andybev.com]
> Sent: Sunday, 11 February 2007 0:33
> To: tkb2766
> Cc: 'LARTC'
> Subject: RE: [LARTC] Problems with HTB. Help!
>
> I still doubt it's a kernel issue to be honest.
>

I updated to IPTABLES ver 1.3.7 and now I can --set-class. However, that has
not made any difference to my situation - traffic still affected in both
directions! I've now read several posts about HTB not working as expected -
me thinks someone has gone and broken something! I might resort to going back
to the previous Kernel version to get my HTB working again!

Cheers,
tkb.

From radu at securesystems.ro Wed Feb 14 12:39:54 2007
From: radu at securesystems.ro (Radu Oprisan)
Date: Wed Feb 14 12:40:00 2007
Subject: [LARTC] Page allocation failure
Message-ID: <45D2F50A.60600@securesystems.ro>

Andrei Sandu wrote:
> Hi list,
>
> I have a very strange problem with my network. I have 2 internet
> connections: A - 1 Gbit, B - 100Mbps.
> Network layout:
>
>      A,  B
>      |   |
>     [Brd1]
>     /    \
>   [L1]  [L2]
>     \    /
>     [ GW1]
> ...................
> Clients
> .....................
>
>
> Brd1 runs bgpd, and balances the traffic through L1 and L2.
> L1 and L2 do traffic shaping.
> GW1 does some packet filtering, and balances the traffic through L1 and L2.
> Every interface is gigabit. (Realtek NICs)
>
> I'm using IMQ on L1 and L2, to separate the traffic into 2 zones,
> international and local, with HTB for shaping.

Drop IMQ.. there are some other more standard solutions.

> The system works fine for some time, but when the traffic hits 200Mbps,
> and occasionally bursts to 250-300Mbps,
> L1 and L2 behave strangely (packet loss > 30%, increased latency +20ms),
> sometimes they even hang, leaving me with the only solution: rebooting them.

According to the logs, that's when your network cards go down.
Do you have TX polling enabled in the kernel for 8169? Try enabling it.
At 200 Mbps, how many kpps go through the machines?

> I've checked the CPU usage, it stays around 80% during the highest traffic.
>
> I've examined the logs, and here is what i've found:

From danas at ctn.sk Wed Feb 14 14:50:31 2007
From: danas at ctn.sk (Bc.Slavomir Danas)
Date: Wed Feb 14 14:54:08 2007
Subject: [LARTC] HTB policing affects shaping performance? Please, help.
Message-ID: <20070214135031.21a9765c@ns1.ctn.sk>

This is my simple situation: I want to police download and shape upload going
through my router. It has two interfaces: eth0 (10.4.10.222/24 connected to
LAN) and eth1 (172.16.0.1/24 connected to my laptop).

My setup:

[eth1]
tc qdisc add dev eth1 root handle 1: htb default 999
tc class add dev eth1 parent 1: classid 1:1 htb rate 1Mbit
tc filter add dev eth1 protocol ip parent 1:0 prio 1 u32 match ip dst 172.16.0.2 flowid 1:1

[eth0]
tc qdisc add dev eth0 root handle 1: htb default 999
tc class add dev eth0 parent 1: classid 1:1 htb rate 1Mbit
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src 172.16.0.2 flowid 1:1

I'm trying to access shared folders (samba) on ip 10.4.10.10 from my laptop
with ip 172.16.0.2. Everything works as expected when downloading or uploading
(correctly shaped and policed at 1Mbit). But when I try to download and upload
at the same time, my speed drops down rapidly on both download and upload
(approx. 350kbit and 550kbit). I tried to replace tc filter with iptables
CLASSIFY but with the same result.

What is the correct approach when configuring separate queues with guaranteed
rate without affecting each other?

Running 2.6.19-gentoo-r5, iptables-1.3.5, iproute2-ss061214

Thanx in advance.
Slavius.
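Simone's `tc -s qdisc ls dev eth0` output earlier in this digest ("nothing goes to class 1:20") and Slavius's question just above (what rate each class really carries) both come down to reading the per-qdisc counters over time. The parser below is an added example written for this page, not code from the list or from iproute2; the first sample is Simone's output as posted, the second sample (a reading 10 s later) is constructed.

```python
"""Parse `tc -s qdisc ls dev <if>` output and turn two readings into per-qdisc rates.

Added example for the LARTC thread; not code from the list. Each leaf sfq
sits under one HTB class, so the leaf qdisc counters double as class counters.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Header line, e.g. "qdisc sfq 20: parent 1:20 limit 128p quantum 1514b perturb 10sec"
HEADER_RE = re.compile(r"^qdisc\s+(?P<kind>\S+)\s+(?P<handle>[0-9a-fA-F]+:)\s*(?P<rest>.*)$")
# Stats line, e.g. " Sent 45353 bytes 197 pkts (dropped 0, overlimits 0)";
# newer tc prints "pkt" and appends "requeues N", which this regex tolerates.
STATS_RE = re.compile(
    r"Sent\s+(?P<bytes>\d+)\s+bytes\s+(?P<pkts>\d+)\s+pkts?\s*"
    r"\(dropped\s+(?P<dropped>\d+),\s*overlimits\s+(?P<overlimits>\d+)"
)


@dataclass
class QdiscStats:
    kind: str
    handle: str
    parent: str          # "root" for the root qdisc, else the parent classid
    sent_bytes: int = 0
    sent_pkts: int = 0
    dropped: int = 0
    overlimits: int = 0


def parse_tc_qdisc(output: str) -> Dict[str, QdiscStats]:
    """Return {handle: QdiscStats} for every qdisc block in the output."""
    result: Dict[str, QdiscStats] = {}
    current: Optional[QdiscStats] = None
    for raw in output.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            pm = re.search(r"\bparent\s+(\S+)", m.group("rest"))
            current = QdiscStats(m.group("kind"), m.group("handle"),
                                 pm.group(1) if pm else "root")
            result[current.handle] = current
            continue
        sm = STATS_RE.search(line)
        if sm and current is not None:
            current.sent_bytes = int(sm.group("bytes"))
            current.sent_pkts = int(sm.group("pkts"))
            current.dropped = int(sm.group("dropped"))
            current.overlimits = int(sm.group("overlimits"))
    return result


def rates_kbit(before: Dict[str, QdiscStats], after: Dict[str, QdiscStats],
               interval_s: float) -> Dict[str, float]:
    """Throughput in kbit/s per qdisc between two readings interval_s apart."""
    rates: Dict[str, float] = {}
    for handle, b in before.items():
        a = after.get(handle)
        if a is None:
            continue                      # qdisc deleted between readings
        delta = max(a.sent_bytes - b.sent_bytes, 0)   # counters reset => treat as 0
        rates[handle] = delta * 8 / 1000.0 / interval_s
    return rates


def idle_leaves(stats: Dict[str, QdiscStats]):
    """Leaf qdiscs (those under a class) that have never sent a packet.

    A leaf at zero while its siblings carry traffic means the filter that
    should steer traffic into that class never matched (Simone's 1:20).
    """
    return sorted(h for h, s in stats.items() if s.parent != "root" and s.sent_pkts == 0)


# Simone's reading, quoted from the thread above.
SAMPLE_T0 = """\
qdisc htb 1: r2q 10 default 10 direct_packets_stat 0
 Sent 45353 bytes 197 pkts (dropped 0, overlimits 0)
qdisc sfq 10: parent 1:10 limit 128p quantum 1514b perturb 10sec
 Sent 45353 bytes 197 pkts (dropped 0, overlimits 0)
qdisc sfq 20: parent 1:20 limit 128p quantum 1514b perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
"""

# Constructed second reading 10 s later: 250000 more bytes through 1:10, 1:20 still idle.
SAMPLE_T10 = """\
qdisc htb 1: r2q 10 default 10 direct_packets_stat 0
 Sent 295353 bytes 410 pkts (dropped 0, overlimits 3)
qdisc sfq 10: parent 1:10 limit 128p quantum 1514b perturb 10sec
 Sent 295353 bytes 410 pkts (dropped 0, overlimits 0)
qdisc sfq 20: parent 1:20 limit 128p quantum 1514b perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
"""

if __name__ == "__main__":
    t0, t10 = parse_tc_qdisc(SAMPLE_T0), parse_tc_qdisc(SAMPLE_T10)
    for handle, kbit in rates_kbit(t0, t10, 10).items():
        print(f"{handle:>5} {t0[handle].kind:<4} parent={t0[handle].parent:<5} {kbit:8.1f} kbit/s")
    print("leaves that never saw a packet:", idle_leaves(t10))
```

On a live box, feed it `subprocess.check_output(["tc", "-s", "qdisc", "ls", "dev", "eth0"], text=True)` twice with a sleep in between; a leaf that stays at zero while the PREROUTING MARK counter climbs points at the filter/mark side rather than the HTB tree.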
From t.luettgert at pressestimmen.de Wed Feb 14 21:17:58 2007
From: t.luettgert at pressestimmen.de (Torsten Luettgert)
Date: Wed Feb 14 21:15:11 2007
Subject: [LARTC] Routing problem (RTNETLINK answers: Invalid argument) on multiple internet link.
In-Reply-To: <200702132254.51313.paul@diasoft.nl>
References: <200702131450.13852.paul@diasoft.nl> <20070213204020.GP4088@samad.com.au> <200702132254.51313.paul@diasoft.nl>
Message-ID: <1171484278.3545.6.camel@murdegern.cbxnet.de>

On Tue, 2007-02-13 at 22:54 +0100, Paul Viney wrote:
> I still seem to have much the same problem. I no longer get ICMP unreachable
> errors, but the packet just seems to disappear - I can't see it being
> forwarded on any interface, nor can I find any kind of reply - icmp or
> otherwise.

This is one of my favourites :-)

Usually that problem is caused by the rp_filter feature, which silently
drops packets that arrive on an interface answers wouldn't be routed to.

Just try

for i in /proc/sys/net/ipv4/conf/eth*/rp_filter; do
    echo 0 > $i
done

and see if that helps.
(indeed, you don't really need to switch it off for all of them, just
the uplink interfaces would be enough)

Hth,
Torsten

From radu at securesystems.ro Wed Feb 14 22:01:02 2007
From: radu at securesystems.ro (Radu Oprisan)
Date: Wed Feb 14 22:01:13 2007
Subject: [LARTC] HTB policing affects shaping performance? Please, help.
In-Reply-To: <20070214135031.21a9765c@ns1.ctn.sk>
References: <20070214135031.21a9765c@ns1.ctn.sk>
Message-ID: <45D3788E.2050504@securesystems.ro>

Bc.Slavomir Danas wrote:
> I'm trying to access shared folders (samba) on ip 10.4.10.10 from my
> laptop with ip 172.16.0.2.
> Everything works as expected when downloading or uploading (correctly
> shaped and policed at 1Mbit). But when I try to download and upload at
> the same time, my speed drops down rapidly on both download and upload
> (approx. 350kbit and 550kbit). I tried to replace tc filter with
> iptables CLASSIFY but with the same result.
> What is the correct approach when configuring separate queues with
> guaranteed rate without affecting each other?

Your setup is ok. The only problem you are facing is that samba is a very
"chatty" program, it tends to communicate a lot outside of simply downloading
something. What I am trying to say is that you will have some upload when in
reality you are downloading something. This being true, when you begin
uploading something, your upload line becomes full and the upload chat for the
download slows down, this in turn slowing down your download. I'm sorry if
what I'm saying is hard to read.

Try using some other protocol to run your tests. I was using for this purpose
a Linux utility but I can't remember what it was called.

--
Radu Oprisan

From alex at samad.com.au Thu Feb 15 01:00:38 2007
From: alex at samad.com.au (Alex Samad)
Date: Thu Feb 15 01:00:52 2007
Subject: [LARTC] Routing problem (RTNETLINK answers: Invalid argument) on multiple internet link.
In-Reply-To: <200702140830.48866.paul@diasoft.nl>
References: <200702131450.13852.paul@diasoft.nl> <200702132254.51313.paul@diasoft.nl> <20070214025359.GS4088@samad.com.au> <200702140830.48866.paul@diasoft.nl>
Message-ID: <20070215000038.GU4088@samad.com.au>

On Wed, Feb 14, 2007 at 08:30:48AM +0100, Paul Viney wrote:
> > > I still seem to have much the same problem. I no longer get ICMP
> > > unreachable errors, but the packet just seems to disappear - I can't see
> > > it being forwarded on any interface, nor can I find any kind of reply -
> > > icmp or otherwise.
> >
> > sounds like a firewall issue!
>
> It does sound like a firewall issue, but the only firewall rule I have at the
> moment is the one doing the DNAT. If I do 'iptables -t nat -L -v', then I can
> see the number of packets increasing. Once I remove the firewall rule, I get
> my "icmp unreachable" errors again.
> Funnily enough, if I then reinstate the
> firewall (dnat) rule, then I still get "icmp unreachable" errors and the
> packet count doesn't go up for the rule. It's almost as though the rule
> doesn't get consulted. 'ip route flush cache' doesn't make a difference.
> After about 5 minutes the "icmp unreachable" errors stop and the packet count
> starts going up, although I still can't find my packet on the next hop. (I do
> have forwarding switched on). The packet count on an iptables log rule on the
> forward table does not go up, giving me the impression that routing has
> failed.

This could be connection tracking, once you start a ping, connection tracking
will keep it in its cache, so even though you have placed it (the rule) back
in it doesn't count for the established link...

> I also tried ip r get from 192.168.12.5, which did
> indeed give me the same "RTNETLINK answers: Invalid argument" error. I guess
> that means that my understanding of the purpose of 'ip r get' is indeed
> faulty.

does 192.168.12.5 exist on your box, can you do an ip a

also do you have forwarding on ?

> Thanks for all your help so far.
>
> Paul Viney

From sachinutd at gmail.com Thu Feb 15 05:51:54 2007
From: sachinutd at gmail.com (Sachin K)
Date: Thu Feb 15 05:52:23 2007
Subject: [LARTC] Multicast routing

How do the Multicast routers sniff IGMP/MLD messages from the network? I
checked XORP, pimd etc. Most of them just open a RAW socket with protocol
set to IPPROTO_IGMP. But using this the router gets the packets addressed to
224.0.0.1 only.
How does it receive IGMPv2 and IGMPv3 membership reports sent by other hosts?

Thanks,
Sachin

From darshak at elitecore.com Thu Feb 15 10:24:37 2007
From: darshak at elitecore.com (Darshak)
Date: Thu Feb 15 10:29:59 2007
Subject: [LARTC] Bridge + Firewall + Squid problem
Message-ID: <45D426D5.2040700@elitecore.com>

Hi, guys
I am new to linux and iptables/ebtables
===========================
My network is as follows

LAN
IP1 : 10.10.3.25 Web Server
BRIDGE : Bridge + Squid + Firewall, which is between IP1 and IP2; it is given an IP and its default gateway is 192.168.1.1
IP2 : 10.10.3.61 Normal machine acting as client

If I enable Squid, I am unable to access the web on IP1.
===========================
How is a packet passing?

Client[IP2] -> Bridge Layer2, Layer3 -> Squid
Squid -> Layer3 == Here it may be checking for the route to IP1, but it goes to the gateway; now the gateway doesn't have a route to 10.10.3.61, so it's not able to access the web.

I am not sure, but is this correct? [Packet Traversal]
What change do I need to make in the bridge so it sends traffic to IP2 and doesn't need any route?

Thanks
Darshak Modi

From paul at diasoft.nl Thu Feb 15 00:30:45 2007
From: paul at diasoft.nl (Paul Viney)
Date: Thu Feb 15 11:06:26 2007
Subject: [LARTC] Routing problem (RTNETLINK answers: Invalid argument) on multiple internet link.
In-Reply-To: <1171484278.3545.6.camel@murdegern.cbxnet.de>
References: <200702131450.13852.paul@diasoft.nl> <200702132254.51313.paul@diasoft.nl> <1171484278.3545.6.camel@murdegern.cbxnet.de>
Message-ID: <200702150030.45187.paul@diasoft.nl>

Wow! That made a difference. One

echo "0" > /proc/sys/net/ipv4/conf/eth1/rp_filter

and everything started working.

Thanks a lot Torsten and Alex - I wouldn't have solved it without your suggestions.
Paul Viney

On Wednesday 14 February 2007 21:17, Torsten Luettgert wrote:
> This is one of my favourites :-)
>
> Usually that problem is caused by the rp_filter feature, which silently
> drops packets that arrive on an interface answers wouldn't be routed to.
>
> Just try
>
> for i in /proc/sys/net/ipv4/conf/eth*/rp_filter; do
>     echo 0 > $i
> done
>
> and see if that helps.
> (indeed, you don't really need to switch it off for all of them, just
> the uplink interfaces would be enough)
>
> Hth,
> Torsten

From gregoriandres at yahoo.com.ar Thu Feb 15 15:19:22 2007
From: gregoriandres at yahoo.com.ar (gregori andres)
Date: Thu Feb 15 15:21:14 2007
Subject: [LARTC] monitoring hosts from my lan
Message-ID: <008a01c7510c$5a4d9600$6402a8c0@luna>

Hi,

is there a way to graph hosts' traffic from my lan?

I've a linux router (2.4.x kernel), and a lan:

linux router : 192.168.1.254
host 1: 192.168.1.1
host 2: 192.168.1.2
host 3: 192.168.1.3

I'm looking for a way to graph traffic (in / out) from each of the 3 hosts,
and store total traffic in a mysql table, in order to make statistics later.

I think I can do it with Mrtg, Cacti, or RRD, but I don't know how to get
total traffic data for each host.

I also think that I can put ACCEPT rules on the FORWARD iptables chain (for
each host), and later get total traffic data from iptables -L FORWARD -vn,
but I think that this way is a bit hard... :-(

is there an easier way?

best regards
andres.

From edesio at softaplic.com.br Thu Feb 15 16:44:59 2007
From: edesio at softaplic.com.br (Edesio Costa e Silva)
Date: Thu Feb 15 16:45:10 2007
Subject: [LARTC] ?OT? Linux 2.6: bridge + routing firewall
Message-ID: <20070215154459.GC6325@softaplic.com.br>

Hi All!

I need to deploy a bridge firewall using linux kernel 2.6. I had success
using kernel 2.4 plus br-nf patch. But the configuration does not work with
kernel 2.6.

If the default policy for the iptables FORWARD chain is ACCEPT I have a
bridge. If the iptables FORWARD chain is DROP I have an insulator (no packet
flows). Any hint?

I did some google search and in many places they say "kernel 2.6 is not
recommended", "no luck with kernel 2.6", etc.

Any link to a success story of a bridge firewall with kernel 2.6? Any
personal experience?

Thanks in advance,

Edésio

From thuleau at gmail.com Thu Feb 15 18:36:17 2007
From: thuleau at gmail.com (Edouard Thuleau)
Date: Thu Feb 15 18:36:29 2007
Subject: [LARTC] HTB and ATM patch
Message-ID: <81c11a560702150936k2e83bbedl189d440562e1cf6e@mail.gmail.com>

Hi all,

I patched my kernel (2.6.17) and my tc (iproute2-2.6.18-061002) utility for
accurate packet scheduling on an ATM link. I configured my HTB hierarchy on
the upload side of the link and tried it with different flows. It works
correctly but in some cases I lose about 50% of my bandwidth. I use the
overhead (42) configuration for my link (PPPoE, VC/LLC) indicated in the
documentation. My question is, how is this overhead value calculated? I
tried to separate the streams by packet length into different classes and
put a specific overhead on each one, but I don't know how to calculate it.
Do you think it's a good solution? Is it necessary to put the atm and nohyst
options and configure the overhead for the mother class?

Thanks,
Edouard.

From ceho at chilan.com Fri Feb 16 12:27:58 2007
From: ceho at chilan.com (Grzegorz Chwesewicz)
Date: Fri Feb 16 12:28:19 2007
Subject: [LARTC] HTB policing affects shaping performance? Please, help.
In-Reply-To: <45D3788E.2050504@securesystems.ro>
References: <20070214135031.21a9765c@ns1.ctn.sk> <45D3788E.2050504@securesystems.ro>
Message-ID: <20070216112630.M53247@chilan.com>

On Wed, 14 Feb 2007 23:01:02 +0200, Radu Oprisan wrote
> Bc.Slavomir Danas wrote:
> > I'm trying to access shared folders (samba) on ip 10.4.10.10 from my
> > laptop with ip 172.16.0.2.
> > Everything works as expected when downloading or uploading (correctly
> > shaped and policed at 1Mbit). But when I try to download and upload at
> > the same time, my speed drops down rapidly on both download and upload
> > (approx. 350kbit and 550kbit). I tried to replace tc filter with
> > iptables CLASSIFY but with the same result.
> > What is the correct approach when configuring separate queues with
> > guaranteed rate without affecting each other?
> Try using some other protocol to run your
> tests. I was using for this purpose a Linux utility but I can't
> remember what it was called.

You are probably talking about the ttcp tool.

--
Grzegorz Chwesewicz

From ceho at chilan.com Fri Feb 16 12:37:24 2007
From: ceho at chilan.com (Grzegorz Chwesewicz)
Date: Fri Feb 16 12:37:29 2007
Subject: [LARTC] monitoring hosts from my lan
In-Reply-To: <008a01c7510c$5a4d9600$6402a8c0@luna>
References: <008a01c7510c$5a4d9600$6402a8c0@luna>
Message-ID: <20070216113532.M62644@chilan.com>

On Thu, 15 Feb 2007 11:19:22 -0300, gregori andres wrote
> Hi,
>
> is there a way to graph hosts' traffic from my lan?
>
> I've a linux router (2.4.x kernel), and a lan:
>
> linux router : 192.168.1.254
> host 1: 192.168.1.1
> host 2: 192.168.1.2
> host 3: 192.168.1.3
>
> I'm looking for a way to graph traffic (in / out)
> from each of the 3 hosts, and store total traffic in a
> mysql table, in order to make statistics later.

For logging traffic to mysql you can use ulogd from
http://www.netfilter.org/projects/ulogd/index.html

--
Grzegorz Chwesewicz

From francesco.messineo at gmail.com Fri Feb 16 12:55:49 2007
From: francesco.messineo at gmail.com (francesco messineo)
Date: Fri Feb 16 12:55:57 2007
Subject: [LARTC] problem with two default routes

Hello,
I'm trying to set up a gateway for a local network to use two dsl lines.
Ok, I read the LARTC howto and set up two routing tables and the correct
balancing default gw. It works fine for connections originating locally on
the gw machine. Then I added two iptables rules on the nat table:

iptables -t nat -A POSTROUTING -s 192.168.4.0/24 -o $TI_IF -j SNAT --to-source $TI_IP
iptables -t nat -A POSTROUTING -s 192.168.4.0/24 -o $MC_IF -j SNAT --to-source $MC_IP

ok, now all local ips can go to the internet but all connections go to the
second route specified in the default, whatever it is. Here's the default
(as found in the howto):

ip route add default scope global \
    nexthop via $MC_GW dev $MC_IF weight 1 \
    nexthop via $TI_GW dev $TI_IF weight 1

If I reverse the position of the two nexthops then traffic from localnet
switches to the other dsl line. Order of the iptables rules doesn't affect
the behaviour.
Am I missing something?

TIA
Francesco

From Покотиленко Fri Feb 16 14:37:10 2007
From: Покотиленко (Покотиленко)
Date: Fri Feb 16 14:37:25 2007
Subject: [LARTC] ?OT? Linux 2.6: bridge + routing firewall
In-Reply-To: <20070215154459.GC6325@softaplic.com.br>
References: <20070215154459.GC6325@softaplic.com.br>
Message-ID: <1171633030.4769.10.camel@localhost.localdomain>

I have some experience.

It seems that you should explicitly allow bridging in iptables as well
as in ebtables.
So, in addition to my bridge rules in ebtables I also have this rule in
iptables:

iptables -A FORWARD -i br0 -o br0 -j ACCEPT

Otherwise, bridging could be blocked by later rules or the policy.

On Thu, 15/02/2007 at 13:44 -0200, Edesio Costa e Silva wrote:
> Hi All!
>
> I need to deploy a bridge firewall using linux kernel 2.6. I had success
> using kernel 2.4 plus br-nf patch. But the configuration does not work with
> kernel 2.6.
>
> If the default policy for the iptables FORWARD chain is ACCEPT I have a
> bridge. If iptables FORWARD chain is DROP I have an insulator (no packet
> flows). Any hint?
>
> I did some google search and in many places they say "kernel 2.6 is not
> recommended", "no luck with kernel 2.6", etc.
>
> Any link to a success story of a bridge firewall with kernel 2.6? Any
> personal experience?
>
> Thanks in advance,
>
> Edésio
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
--
Покотиленко ??????

From tom at debost.net Fri Feb 16 15:12:31 2007
From: tom at debost.net (tomdeb)
Date: Fri Feb 16 15:15:14 2007
Subject: [LARTC] ?OT? Linux 2.6: bridge + routing firewall
In-Reply-To: <1171633030.4769.10.camel@localhost.localdomain>
References: <20070215154459.GC6325@softaplic.com.br> <1171633030.4769.10.camel@localhost.localdomain>
Message-ID: <20070216141231.GA28186@snoopy>

What you might be interested in as well is the physdev match, which will
let you filter traffic on physical devices.

T o M |

On Fri, Feb 16, 2007 at 03:37:10PM +0200, Покотиленко ?????? wrote:
>I have some experience.
>
>It seems that you should explicitly allow bridging in iptables as well
>as in ebtables.
>
>So, in addition to my bridge rules in ebtables I also have this rule in
>iptables:
>
>iptables -A FORWARD -i br0 -o br0 -j ACCEPT
>
>Otherwise, it could block bridging by later rules or the policy.
>
>On Thu, 15/02/2007 at
>13:44 -0200, Edesio Costa e Silva wrote:
>> Hi All!
>>
>> I need to deploy a bridge firewall using linux kernel 2.6. I had success
>> using kernel 2.4 plus br-nf patch. But the configuration does not work with
>> kernel 2.6.
>>
>> If the default policy for the iptables FORWARD chain is ACCEPT I have a
>> bridge. If iptables FORWARD chain is DROP I have an insulator (no packet
>> flows). Any hint?
>>
>> I did some google search and in many places they say "kernel 2.6 is not
>> recommended", "no luck with kernel 2.6", etc.
>>
>> Any link to a success story of a bridge firewall with kernel 2.6? Any
>> personal experience?
>>
>> Thanks in advance,
>>
>> Edésio
>>
>--
>Покотиленко ??????
>

From vvitkov at gmail.com Fri Feb 16 16:49:05 2007
From: vvitkov at gmail.com (Vladimir Vitkov)
Date: Fri Feb 16 16:49:11 2007
Subject: [LARTC] monitoring hosts from my lan
In-Reply-To: <20070216113532.M62644@chilan.com>
References: <008a01c7510c$5a4d9600$6402a8c0@luna> <20070216113532.M62644@chilan.com>
Message-ID:

For traffic accounting you can look at pmacct or ipaudit

On 16/02/07, Grzegorz Chwesewicz wrote:
> On Thu, 15 Feb 2007 11:19:22 -0300, gregori andres wrote
> > Hi,
> >
> > Is there a way to graph hosts' traffic from my lan?
> >
> > I've a linux router (2.4.x kernel), and a lan:
> >
> > linux router : 192.168.1.254
> > host 1: 192.168.1.1
> > host 2: 192.168.1.2
> > host 3: 192.168.1.3
> >
> > I'm looking for a way to graph traffic (in / out)
> > from each of the 3 hosts, and store total traffic in a
> > mysql table, in order to make statistics later.
> >
>
> For logging traffic to mysql you can use ulogd from
> http://www.netfilter.org/projects/ulogd/index.html
>
> --
> Grzegorz Chwesewicz
>
--
Regards,
Vladimir Vitkov
http://www.netsecad.com
http://www.supportbg.com

From foxy202 at gmail.com Sat Feb 17 00:23:08 2007
From: foxy202 at gmail.com (foxy 202)
Date: Sat Feb 17 00:23:22 2007
Subject: [LARTC] traffic accounting again
Message-ID:

Hi,

Please advise. How can I get traffic from classes and write it into a
mysql database? Probably this question is often asked, but I cannot find
a good solution.

The main problem that I try to fix is that when I do traffic accounting
for a network with a huge number of IP addresses from Linux, most
accounting systems don't work very well and put a big load on the CPU.

Is there any tool that just reads traffic from classes per IP and writes
it into an SQL database?

Regards
Foxy202

From eriberto at eriberto.pro.br Sat Feb 17 05:36:24 2007
From: eriberto at eriberto.pro.br (Eriberto)
Date: Sat Feb 17 05:37:11 2007
Subject: [LARTC] Two ADSL links and one gateway only
Message-ID: <4784fdae0702162036o58e443c5vf21b052d10ab1ae3@mail.gmail.com>

Hello!

I read the Split access and Load balancing sections in LARTC (Chapter 4).
However I have one gateway only, and LARTC talks about 2 links. I need to
know how to make a load balance with my links.

Thanks in advance.
Eriberto - Brazil

From mkathuria at tuxtechnologies.co.in Sat Feb 17 05:49:52 2007
From: mkathuria at tuxtechnologies.co.in (Manish Kathuria)
Date: Sat Feb 17 05:50:01 2007
Subject: [LARTC] Two ADSL links and one gateway only
In-Reply-To: <4784fdae0702162036o58e443c5vf21b052d10ab1ae3@mail.gmail.com>
References: <4784fdae0702162036o58e443c5vf21b052d10ab1ae3@mail.gmail.com>
Message-ID: <1df4abe60702162049v7d0b87dck911e54cfba53c242@mail.gmail.com>

On 2/17/07, Eriberto wrote:
> Hello!
>
> I read the Split access and Load balancing sections in LARTC
> (Chapter 4). However I have one gateway only, and LARTC talks about
> 2 links. I need to know how to make a load balance with my links.
>
> Thanks in advance.
>
> Eriberto - Brazil

Don't you have different modems for each of the ADSL links? Or do you
mean to say that they assign you IPs from the subnet and have the same
IP as their gateway?

--
Manish Kathuria
Tux Technologies
http://www.tuxtechnologies.co.in/

From eriberto at eriberto.pro.br Sat Feb 17 12:42:54 2007
From: eriberto at eriberto.pro.br (Eriberto)
Date: Sat Feb 17 12:43:13 2007
Subject: [LARTC] Two ADSL links and one gateway only
In-Reply-To: <1df4abe60702162049v7d0b87dck911e54cfba53c242@mail.gmail.com>
References: <4784fdae0702162036o58e443c5vf21b052d10ab1ae3@mail.gmail.com> <1df4abe60702162049v7d0b87dck911e54cfba53c242@mail.gmail.com>
Message-ID: <4784fdae0702170342h4cfad2f9pf2e92239626c107f@mail.gmail.com>

Yes! I have two modems acting as bridges. Then my Linux box connects to
the ISP and receives the same gateway address. I need to balance these
links.

Thanks!

Eriberto - Brazil

2007/2/17, Manish Kathuria :
> Don't you have different modems for each of the ADSL links ? Or do you
> mean to say that they assign you IPs from the subnet and have the same
> IP as their gateway ?
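One way to put the setup just described into LARTC-style policy routing (two uplinks, one gateway address shared by both), as an added shell example that is not code from this thread or from the LARTC howto. The interface names, addresses, subnet and table ids are assumed placeholders, and the script only prints the commands unless DRY_RUN=0 is set:

```shell
#!/bin/sh
# Added example, not code from the thread or from the LARTC howto.
# Policy routing for two uplinks that are both reached through the SAME
# gateway address (two bridged modems on one ISP). Interface names,
# addresses, subnet and table ids below are assumed placeholders.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them (needs root).

UPLINK_A_IF="eth1"
UPLINK_A_IP="203.0.113.10"     # address the ISP assigned on link A (placeholder)
UPLINK_B_IF="eth2"
UPLINK_B_IP="203.0.113.20"     # address the ISP assigned on link B (placeholder)
UPLINK_NET="203.0.113.0/24"    # ISP subnet, identical on both links (placeholder)
UPLINK_GW="203.0.113.1"        # the one gateway address both links answer with
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One routing table per uplink. Because the gateway address is the same on
# both links, "dev" is what actually tells the two default routes apart.
#   $1 = table id   $2 = interface   $3 = our address on that link
uplink_table() {
    run ip route add "$UPLINK_NET" dev "$2" src "$3" table "$1"
    run ip route add default via "$UPLINK_GW" dev "$2" table "$1"
    # Packets carrying this link's address always leave through this link,
    # so the ISP's anti-spoofing filter sees a source that belongs to it.
    run ip rule add from "$3" table "$1"
    # The strict reverse-path check drops packets that arrive on an interface
    # the reply would not leave through; relax it on the uplinks only.
    run sysctl -w "net.ipv4.conf.$2.rp_filter=0"
}

setup_multipath() {
    uplink_table 1 "$UPLINK_A_IF" "$UPLINK_A_IP"
    uplink_table 2 "$UPLINK_B_IF" "$UPLINK_B_IP"
    # Locally originated connections that have no source address yet are
    # spread over both links by the multipath default route in the main table.
    run ip route add default scope global \
        nexthop via "$UPLINK_GW" dev "$UPLINK_A_IF" weight 1 \
        nexthop via "$UPLINK_GW" dev "$UPLINK_B_IF" weight 1
}

# Undo everything setup_multipath added, in reverse order.
teardown_multipath() {
    run ip route del default
    for t in 2 1; do
        run ip rule del table "$t"
        run ip route flush table "$t"
    done
}

setup_multipath
```

Run it as is to review the generated ip and sysctl commands, then with DRY_RUN=0 as root to apply them. The point of the per-table routes is the dev keyword: with one gateway address on both links, the interface is the only thing that separates the two default routes, and the from-address rules make replies leave through the link whose address they carry.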
From malinux at gmail.com Sat Feb 17 13:48:49 2007
From: malinux at gmail.com (Martin Schiøtz)
Date: Sat Feb 17 13:48:56 2007
Subject: [LARTC] Order of 'tc filer'
Message-ID:

Hi

How can I control which filter a packet will meet first?

I have tried changing the order of applying the tc filter scripts and
switching flowid number, but 'protocol ip u32 match ip src
match ip src 0.0.0.0/0' always kicks in first?

From my script
--------------------
# All traffic - Priority: Low
tc filter add dev eth0 parent 1:0 prio 2 protocol ip u32 match ip src
match ip src 0.0.0.0/0 flowid 1:21
# Traffic between offices (IPSEC) - Priority: High
tc filter add dev eth0 parent 1:0 prio 0 protocol ip u32 match ip src
match ip protocol 50 0xff flowid 1:22


# tc -s filter show dev eth0
----------------------------------
filter parent 1: protocol ip pref 2 u32
filter parent 1: protocol ip pref 2 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 2 u32 fh 800::802 order 2050 key ht 800 bkt 0 flowid 1:21 (rule hit 428 success 426)
  match c0000000/e0000000 at 16 (success 426 )
  match 00000000/00000000 at 12 (success 426 )
filter parent 1: protocol ip pref 49151 u32
filter parent 1: protocol ip pref 49151 u32 fh 803: ht divisor 1
filter parent 1: protocol ip pref 49151 u32 fh 803::800 order 2048 key ht 803 bkt 0 flowid 1:22 (rule hit 3 success 0)
  match c0000000/e0000000 at 16 (success 0 )
  match 00320000/00ff0000 at 8 (success 0 )

- Martin

From malinux at gmail.com Sat Feb 17 19:14:46 2007
From: malinux at gmail.com (Martin Schiøtz)
Date: Sat Feb 17 19:14:56 2007
Subject: [LARTC] Re: Order of 'tc filer'
In-Reply-To:
References:
Message-ID:

OK - I solved the thing. Using 'prio 0' actually gives the filter a low
priority.

I just used 'prio 1' instead and now I can control the order :-)

- Martin

On 2/17/07, Martin Schiøtz wrote:
> Hi
>
> How can I control which filter a packet will meet first?
>
> I have tried changing the order of applying the tc filter scripts and
> switching flowid number, but 'protocol ip u32 match ip src
> match ip src 0.0.0.0/0' always kicks in first?
>
> From my script
> --------------------
> # All traffic - Priority: Low
> tc filter add dev eth0 parent 1:0 prio 2 protocol ip u32 match ip src
> match ip src 0.0.0.0/0 flowid 1:21
> # Traffic between offices (IPSEC) - Priority: High
> tc filter add dev eth0 parent 1:0 prio 0 protocol ip u32 match ip src
> match ip protocol 50 0xff flowid 1:22
>
>
> # tc -s filter show dev eth0
> ----------------------------------
> filter parent 1: protocol ip pref 2 u32
> filter parent 1: protocol ip pref 2 u32 fh 800: ht divisor 1
> filter parent 1: protocol ip pref 2 u32 fh 800::802 order 2050 key ht
> 800 bkt 0 flowid 1:21 (rule hit 428 success 426)
> match c0000000/e0000000 at 16 (success 426 )
> match 00000000/00000000 at 12 (success 426 )
> filter parent 1: protocol ip pref 49151 u32
> filter parent 1: protocol ip pref 49151 u32 fh 803: ht divisor 1
> filter parent 1: protocol ip pref 49151 u32 fh 803::800 order 2048 key
> ht 803 bkt 0 flowid 1:22 (rule hit 3 success 0)
> match c0000000/e0000000 at 16 (success 0 )
> match 00320000/00ff0000 at 8 (success 0 )
>
> - Martin
>

From bob at nleaudio.com Sat Feb 17 19:33:23 2007
From: bob at nleaudio.com (Bob Puff)
Date: Sat Feb 17 19:33:45 2007
Subject: [LARTC] Re: Order of 'tc filer'
In-Reply-To:
References:
Message-ID: <20070217183246.M70798@nleaudio.com>

This is the reverse of what I believe I have read - you may want to
continue looking. Prio 0 is supposed to be the highest, I believe.

Bob

---------- Original Message -----------
From: "Martin Schiøtz"
To: lartc@mailman.ds9a.nl
Sent: Sat, 17 Feb 2007 19:14:46 +0100
Subject: [LARTC] Re: Order of 'tc filer'

> OK - I solved the thing. Using 'prio 0' actually gives the filter a
> low priority.
>
> I just used 'prio 1' instead and now I can control the order :-)
>
> - Martin
>
> On 2/17/07, Martin Schiøtz wrote:
> > Hi
> >
> > How can I control which filter a packet will meet first?
> >
> > I have tried changing the order of applying the tc filter scripts and
> > switching flowid number, but 'protocol ip u32 match ip src
> > match ip src 0.0.0.0/0' always kicks in first?
> >
> > From my script
> > --------------------
> > # All traffic - Priority: Low
> > tc filter add dev eth0 parent 1:0 prio 2 protocol ip u32 match ip src
> > match ip src 0.0.0.0/0 flowid 1:21
> > # Traffic between offices (IPSEC) - Priority: High
> > tc filter add dev eth0 parent 1:0 prio 0 protocol ip u32 match ip src
> > match ip protocol 50 0xff flowid 1:22
> >
> >
> > # tc -s filter show dev eth0
> > ----------------------------------
> > filter parent 1: protocol ip pref 2 u32
> > filter parent 1: protocol ip pref 2 u32 fh 800: ht divisor 1
> > filter parent 1: protocol ip pref 2 u32 fh 800::802 order 2050 key ht
> > 800 bkt 0 flowid 1:21 (rule hit 428 success 426)
> > match c0000000/e0000000 at 16 (success 426 )
> > match 00000000/00000000 at 12 (success 426 )
> > filter parent 1: protocol ip pref 49151 u32
> > filter parent 1: protocol ip pref 49151 u32 fh 803: ht divisor 1
> > filter parent 1: protocol ip pref 49151 u32 fh 803::800 order 2048 key
> > ht 803 bkt 0 flowid 1:22 (rule hit 3 success 0)
> > match c0000000/e0000000 at 16 (success 0 )
> > match 00320000/00ff0000 at 8 (success 0 )
> >
> > - Martin
> >
------- End of Original Message -------

From malinux at gmail.com Sat Feb 17 22:39:40 2007
From: malinux at gmail.com (Martin Schiøtz)
Date: Sat Feb 17 22:39:47 2007
Subject: [LARTC] Re: Order of 'tc filer'
In-Reply-To: <20070217183246.M70798@nleaudio.com>
References: <20070217183246.M70798@nleaudio.com>
Message-ID:

I thought so too - maybe I was too fast.

I want to be sure that a packet is always first checked/filtered against
src and protocol 50 and, if it matches, goes to flowid 1:21 (prio 0 -
high). Then if it does not match the above, it is checked/filtered
against src and dst and goes to flowid 1:22 (prio 2 - low).

But it seems that a filter with prio 0 is always the last filter to be
checked, and filters with prio 1,2,3.... are checked in that same order.
It seems that the order has something to do with the pref value the
filter gets.

prio 1 = pref 1
prio 2 = pref 2
prio 3 = pref 3
...
prio 0 = pref 49151

Anyway, I don't think that the prio should have anything to do with the
order of the filtering. If it had, I guess that a filter with prio 0
would be the first filter to be checked.

The question is: can I somehow, in some reasonable way, control the
order of the filtering?

- Martin

On 2/17/07, Bob Puff wrote:
> This is the reverse of what I believe I have read - you may want to continue
> looking. Prio 0 is supposed to be the highest, I believe.
>
> Bob
>
>
> ---------- Original Message -----------
> From: "Martin Schiøtz"
> To: lartc@mailman.ds9a.nl
> Sent: Sat, 17 Feb 2007 19:14:46 +0100
> Subject: [LARTC] Re: Order of 'tc filer'
>
> > OK - I solved the thing. Using 'prio 0' actually gives the filter a
> > low priority.
> >
> > I just used 'prio 1' instead and now I can control the order :-)
> >
> > - Martin
> >
> > On 2/17/07, Martin Schiøtz wrote:
> > > Hi
> > >
> > > How can I control which filter a packet will meet first?
> > >
> > > I have tried changing the order of applying the tc filter scripts and
> > > switching flowid number, but 'protocol ip u32 match ip src
> > > match ip src 0.0.0.0/0' always kicks in first?
> > >
> > > From my script
> > > --------------------
> > > # All traffic - Priority: Low
> > > tc filter add dev eth0 parent 1:0 prio 2 protocol ip u32 match ip src
> > > match ip src 0.0.0.0/0 flowid 1:21
> > > # Traffic between offices (IPSEC) - Priority: High
> > > tc filter add dev eth0 parent 1:0 prio 0 protocol ip u32 match ip src
> > > match ip protocol 50 0xff flowid 1:22
> > >
> > >
> > > # tc -s filter show dev eth0
> > > ----------------------------------
> > > filter parent 1: protocol ip pref 2 u32
> > > filter parent 1: protocol ip pref 2 u32 fh 800: ht divisor 1
> > > filter parent 1: protocol ip pref 2 u32 fh 800::802 order 2050 key ht
> > > 800 bkt 0 flowid 1:21 (rule hit 428 success 426)
> > > match c0000000/e0000000 at 16 (success 426 )
> > > match 00000000/00000000 at 12 (success 426 )
> > > filter parent 1: protocol ip pref 49151 u32
> > > filter parent 1: protocol ip pref 49151 u32 fh 803: ht divisor 1
> > > filter parent 1: protocol ip pref 49151 u32 fh 803::800 order 2048 key
> > > ht 803 bkt 0 flowid 1:22 (rule hit 3 success 0)
> > > match c0000000/e0000000 at 16 (success 0 )
> > > match 00320000/00ff0000 at 8 (success 0 )
> > >
> > > - Martin
> > >
> >
> ------- End of Original Message -------
>
>

From zhukov at gawab.com Sat Feb 17 23:45:03 2007
From: zhukov at gawab.com (Georgy Zhukov)
Date: Sat Feb 17 23:45:09 2007
Subject: [LARTC] Re: Order of 'tc filer'
In-Reply-To: <20070217183246.M70798@nleaudio.com>
References: <20070217183246.M70798@nleaudio.com>
Message-ID: <30a2c22b0702171445s10985f18nee00b65b3fd8d31d@mail.gmail.com>

Same here. In fact every article I've read recommends the use of prio 0
for administration purposes only.

On 2/17/07, Bob Puff wrote:
>
> This is the reverse of what I believe I have read - you may want to
> continue
> looking.
> Prio 0 is supposed to be the highest, I believe.
>
> Bob
>
>
> ---------- Original Message -----------
> From: "Martin Schiøtz"
> To: lartc@mailman.ds9a.nl
> Sent: Sat, 17 Feb 2007 19:14:46 +0100
> Subject: [LARTC] Re: Order of 'tc filer'
>
> > OK - I solved the thing. Using 'prio 0' actually gives the filter a
> > low priority.
> >
> > I just used 'prio 1' instead and now I can control the order :-)
> >
> > - Martin
> >
> > On 2/17/07, Martin Schiøtz wrote:
> > > Hi
> > >
> > > How can I control which filter a packet will meet first?
> > >
> > > I have tried changing the order of applying the tc filter scripts and
> > > switching flowid number, but 'protocol ip u32 match ip src
> > > match ip src 0.0.0.0/0' always kicks in first?
> > >
> > > From my script
> > > --------------------
> > > # All traffic - Priority: Low
> > > tc filter add dev eth0 parent 1:0 prio 2 protocol ip u32 match ip src
> > > match ip src 0.0.0.0/0 flowid 1:21
> > > # Traffic between offices (IPSEC) - Priority: High
> > > tc filter add dev eth0 parent 1:0 prio 0 protocol ip u32 match ip src
> > > match ip protocol 50 0xff flowid 1:22
> > >
> > >
> > > # tc -s filter show dev eth0
> > > ----------------------------------
> > > filter parent 1: protocol ip pref 2 u32
> > > filter parent 1: protocol ip pref 2 u32 fh 800: ht divisor 1
> > > filter parent 1: protocol ip pref 2 u32 fh 800::802 order 2050 key ht
> > > 800 bkt 0 flowid 1:21 (rule hit 428 success 426)
> > > match c0000000/e0000000 at 16 (success 426 )
> > > match 00000000/00000000 at 12 (success 426 )
> > > filter parent 1: protocol ip pref 49151 u32
> > > filter parent 1: protocol ip pref 49151 u32 fh 803: ht divisor 1
> > > filter parent 1: protocol ip pref 49151 u32 fh 803::800 order 2048 key
> > > ht 803 bkt 0 flowid 1:22 (rule hit 3 success 0)
> > > match c0000000/e0000000 at 16 (success 0 )
> > > match 00320000/00ff0000 at 8 (success 0 )
> > >
> > > - Martin
> > >
> > _______________________________________________
> > LARTC
> > mailing list
> > LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> ------- End of Original Message -------
>
>

From alin at matrixrom.ro Sun Feb 18 08:29:37 2007
From: alin at matrixrom.ro (Alin Ilie)
Date: Sun Feb 18 08:29:57 2007
Subject: [LARTC] client disconnecting
In-Reply-To: <45D7FE8B.5050508@matrixrom.ro>
References: <45D7FE8B.5050508@matrixrom.ro>
Message-ID: <45D80061.2090206@matrixrom.ro>

Hi,

I have two connections to the Internet.

I implemented the load balancing as described in chapter 4.2 "Routing
for multiple uplinks/providers".

The problem that occurred is that client applications like Yahoo
Messenger or even PuTTY (SSH client) are losing the connection very
often.

Has anyone experienced this problem? Does anyone know a workaround for
this problem?

Cheers,
Alin

From rune.kock at gmail.com Sun Feb 18 10:10:47 2007
From: rune.kock at gmail.com (Rune Kock)
Date: Sun Feb 18 10:11:01 2007
Subject: [LARTC] client disconnecting
In-Reply-To: <45D80061.2090206@matrixrom.ro>
References: <45D7FE8B.5050508@matrixrom.ro> <45D80061.2090206@matrixrom.ro>
Message-ID:

> I have two connections to the Internet.
>
> I implemented the load balancing as described in chapter 4.2 "Routing
> for multiple uplinks/providers"
> The problem that occurred is that the client applications like Yahoo
> Messenger or even PuTTY (SSH client) are losing the connection very often.

I had a similar problem with an internet game disconnecting exactly
every 10 minutes.

My theory is that the routing code may choose to switch the data to the
other provider, and that that breaks the connection.
I solved it by using connection marking, and then directing all marked
connections to the provider where they were originally marked. I don't
know the exact commands to use because I used Shorewall, which can set
up this hack by simply specifying "track" (see
http://www.shorewall.net/MultiISP.html).

Even after doing that, some connections would still break after some
hours, but it was a lot better than before.

If you find out other things about this problem, I would very much like
to hear about it.

Rune

From eshabtai at gmail.com Sun Feb 18 12:01:33 2007
From: eshabtai at gmail.com (Ehud Shabtai)
Date: Sun Feb 18 12:01:39 2007
Subject: [LARTC] Modifying traffic shaping rates according to the amount of active users
Message-ID:

Hi,

I'm trying to divide my bandwidth between different services, but I'd
like to take into account the number of active users.

For example, I want to divide my bandwidth between HTTP and SMTP and
guarantee HTTP 80% of the bandwidth.

However, I have many users on my system (tens of thousands) and if only
1% of my active users are using HTTP (and the other 99% SMTP), I'd like
somehow to change the HTTP rate to a lower limit.

Is there any way to do it automatically, assuming that each user has a
different IP?

Thanks,
--
Ehud Shabtai
http://www.freemap.co.il/map/

From alin at matrixrom.ro Sun Feb 18 12:23:25 2007
From: alin at matrixrom.ro (Alin Ilie)
Date: Sun Feb 18 12:23:56 2007
Subject: [LARTC] client disconnecting
In-Reply-To:
References: <45D7FE8B.5050508@matrixrom.ro> <45D80061.2090206@matrixrom.ro>
Message-ID: <45D8372D.4060608@matrixrom.ro>

I think that connection marking is limiting the idea behind the
balancing that we want to do with this "routing for multiple providers".

Rune Kock wrote:
>> I have two connections to the Internet.
>>
>> I implemented the load balancing as described in chapter 4.2 "Routing
>> for multiple uplinks/providers"
>> The problem that occurred is that the client applications like Yahoo
>> Messenger or even PuTTY (SSH client) are losing the connection very
>> often.
>
> I had a similar problem with an internet game disconnecting exactly
> every 10 minutes.
>
> My theory is that the routing code may choose to switch the data to
> the other provider, and that that breaks the connection.
>
> I solved it by using connection marking, and then directing all marked
> to the provider where they were originally marked. I don't know the
> exact commands to use because I used Shorewall, which can set up this
> hack by simply specifying "track" (see
> http://www.shorewall.net/MultiISP.html).
>
> Even after doing that, some connections would still break after some
> hours, but it was a lot better than before.
>
> If you find out other things about this problem, I would very much
> like to hear about it.
>
>
>
> Rune
>

From andy at andybev.com Sun Feb 18 12:58:34 2007
From: andy at andybev.com (Andrew Beverley)
Date: Sun Feb 18 12:59:11 2007
Subject: [LARTC] Modifying traffic shaping rates according to the amount of active users
In-Reply-To:
References:
Message-ID: <1171799915.4251.5.camel@andybev.localdomain>

> I'm trying to divide my bandwidth between different services, but I'd
> like to take into account the number of active users.
>
> For example, I want to divide my bandwidth between HTTP and SMTP and
> guarantee HTTP 80% of the bandwidth.
>
> However, I have many users on my system (tens of thousands) and if
> only 1% of my active users are using HTTP (and the other 99% SMTP),
> I'd like somehow to change the HTTP rate to a lower limit.
>
> Is there any way to do it automatically, assuming that each user has a
> different IP?

How about using HTB? Set the HTTP guaranteed rate to 80%, and the upper
(ceil) limit of the other classes to 100%.
This then means that if HTTP is not using 80% of your link, the spare
bandwidth will be shared between the other classes.

Andy Beverley

From eshabtai at gmail.com Sun Feb 18 13:25:21 2007
From: eshabtai at gmail.com (Ehud Shabtai)
Date: Sun Feb 18 13:25:27 2007
Subject: [LARTC] Modifying traffic shaping rates according to the amount of active users
In-Reply-To: <1171799915.4251.5.camel@andybev.localdomain>
References: <1171799915.4251.5.camel@andybev.localdomain>
Message-ID:

On 2/18/07, Andrew Beverley wrote:
> > I'm trying to divide my bandwidth between different services, but I'd
> > like to take into account the number of active users.
>
> How about using HTB? Set the HTTP guaranteed rate to 80%, and the upper
> (ceil) limit of other classes to 100%. This then means that if HTTP is
> not using 80% of your link, then the spare bandwidth not used will be
> shared between the other classes.

I'm trying to avoid a situation where a small group of users get most
of the bandwidth. If just 1% of my active users are using HTTP, then I'd
like to set its rate to 10%. If 10% of the active users are using HTTP,
then limit HTTP to 50%, etc., up to 80%.

I'm trying to set dynamic rate limits according to the distribution of
IP addresses.

--
Ehud Shabtai
http://www.freemap.co.il/map/

From brian at interlinx.bc.ca Sun Feb 18 21:30:33 2007
From: brian at interlinx.bc.ca (Brian J. Murrell)
Date: Sun Feb 18 21:30:51 2007
Subject: [LARTC] Routing problem (RTNETLINK answers: Invalid argument) on multiple internet link.
In-Reply-To: <200702150030.45187.paul@diasoft.nl>
References: <200702131450.13852.paul@diasoft.nl> <200702132254.51313.paul@diasoft.nl> <1171484278.3545.6.camel@murdegern.cbxnet.de> <200702150030.45187.paul@diasoft.nl>
Message-ID: <1171830634.7053.58.camel@pc.ilinx>

On Thu, 2007-02-15 at 00:30 +0100, Paul Viney wrote:
> Wow! That made a difference. One
> echo "0" > /proc/sys/net/ipv4/conf/eth1/rp_filter
> and everything started working.
> Thanks a lot Torsten and Alex - I wouldn't have solved it without your
> suggestions.

But the question I have had about this subject is: when one has two
default routes, load balanced, does this evaluation of which interface
would be used when the packet is reverse-path-tested test all of the
default routes, or just the route that is currently active given the
load balancing algorithm?

If only the one, current default route is used in the evaluation, it
seems to me that even in the most straightforward
dual-load-balanced-default-route configuration there is a race between
the time a packet is assigned an outgoing address & sent out the then
current default route and the routing code re-balancing and switching
the active default route (i.e. prior to the reply packet -- or even in
the middle of active tcp connections).

The situation gets even worse (not even just a race condition) when you
apply policy routing to force the use of a particular default route.

Thoughts?

b.

>
> Paul Viney
>
>
> On Wednesday 14 February 2007 21:17, Torsten Luettgert wrote:
> > This is one of my favourites :-)
> >
> > Usually that problem is caused by the rp_filter feature, which silently
> > drops packets that arrive on an interface answers wouldn't be routed to.
> >
> > Just try
> >
> > for i in /proc/sys/net/ipv4/conf/eth*/rp_filter; do
> >   echo 0 > $i
> > done
> >
> > and see if that helps.
> > (indeed, you don't really need to switch it off for all of them, just
> > the uplink interfaces would be enough)
> >
> > Hth,
> > Torsten
>
>
--
My other computer is your Microsoft Windows server.

Brian J. Murrell
From bob at nleaudio.com Mon Feb 19 00:32:09 2007
From: bob at nleaudio.com (Bob Puff)
Date: Mon Feb 19 00:32:33 2007
Subject: [LARTC] prio not seeming to work
Message-ID: <20070218232851.M8467@nleaudio.com>

Hello,

I am trying to mess with a prio type qdisc, and must be missing
something. Here's my sample code:

tc qdisc add dev eth0 root handle 1: prio
tc filter add dev eth0 parent 1:0 prio 1 protocol ip u32 \
    match ip dst 208.0.0.0/8 flowid 1:1
tc filter add dev eth0 parent 1:0 prio 3 protocol ip u32 \
    match ip dst 0.0.0.0/0 flowid 1:3

I would assume that any traffic going to 208.x.x.x should be getting
priority over all other traffic. But when I set up two simultaneous FTP
uploads, one to a server in the 208.x.x.x block and one to another not
in that block, both end up at the same transfer rate. This is going into
an ADSL line.

What am I missing?

Bob

From bob at nleaudio.com Mon Feb 19 00:57:01 2007
From: bob at nleaudio.com (Bob Puff)
Date: Mon Feb 19 00:57:20 2007
Subject: [LARTC] Routing problem on multiple internet link.
In-Reply-To: <1171830634.7053.58.camel@pc.ilinx>
References: <200702131450.13852.paul@diasoft.nl> <200702132254.51313.paul@diasoft.nl> <1171484278.3545.6.camel@murdegern.cbxnet.de> <200702150030.45187.paul@diasoft.nl> <1171830634.7053.58.camel@pc.ilinx>
Message-ID: <20070218235240.M60673@nleaudio.com>

This might be slightly off-topic, but...

I want to have two identical ADSL connections to the same ISP, in order
to get a better upload pipe.

DSL Connection A has a handful of IPs, as does connection B.

Requests come from the internet into connection A, and the server behind
the magical gateway box running this tc load balancing responds with a
blast of data.
Will my ISP drop packets going out on connection B, because they didn't
come in on that originally?

Bob

From dan at 34q.eu Mon Feb 19 01:35:32 2007
From: dan at 34q.eu (Dan)
Date: Mon Feb 19 01:40:46 2007
Subject: [LARTC] Absolute Maximal Bandwidth
Message-ID: <000001c753bd$dd448c90$97cda5b0$@eu>

Hey,

I currently have a box serving as a firewall (running iptables) and
packet shaper (using tc / tcng's tcc compiler) to shape a large amount
of inbound and outbound traffic to my data center.

Whilst I can perform shaping functions using HTB, I need to also provide
an absolute (to the nearest few 100kb/s) bandwidth usage maximum. As an
example I might have 200MBit/sec "agreed" bandwidth, and the ability to
go up to 500MBit/sec if I wish. Anything past 200MBit/sec invokes a huge
cost.

Example tcc script (might contain typos):

dev eth0 {
    ingress {
        $inpolicer = SLB ( cbs 100kB, cir 200Mbps );
        class (<$whatever>) if SLB_ok ($inpolicer);
        drop if 1; /* Drop the traffic exceeding the 200mbit rate */
    }
    egress {
        $egpolicer = SLB ( cbs 100kB, cir 200Mbps );
        class (<$ftp>) if (ip_dst == 10.1.1.1 && tcp_dport == 21 && SLB_ok ($egpolicer));
        class (<$web>) if (tcp_dport == 80 && SLB_ok ($egpolicer));
        class (<$oth>) if SLB_ok ($egpolicer); /* classify to oth if max bw not exceeded */
        drop if 1; /* I assume we reached max bw if we get here? */
        htb() {
            ...
        }
    }
}

The question is: can I rely on something like the SLB macro to
absolutely guarantee this maximum is enforced, or do I need to find some
other way to let me sleep at night?

Also, is there a better way of doing this, and does the script look ok?

Thanks in Advance!

Dan

From rune.kock at gmail.com Mon Feb 19 14:30:44 2007
From: rune.kock at gmail.com (Rune Kock)
Date: Mon Feb 19 14:31:19 2007
Subject: [LARTC] Routing problem on multiple internet link.
In-Reply-To: <20070218235240.M60673@nleaudio.com>
References: <200702131450.13852.paul@diasoft.nl> <200702132254.51313.paul@diasoft.nl> <1171484278.3545.6.camel@murdegern.cbxnet.de> <200702150030.45187.paul@diasoft.nl> <1171830634.7053.58.camel@pc.ilinx> <20070218235240.M60673@nleaudio.com>
Message-ID:

> DSL Connection A has a handful of IPs, as does connection B.
>
> Requests come from the internet into connection A, and server behind the
> magical gateway box running this tc load balancing responds with a blast of
> data. Will my ISP drop packets going out on connection B, because they didn't
> come in on that originally?

The best would be to get a special arrangement with your ISP that the same IPs
can be routed over both connections. But that is often not possible.

If your gateway sends a packet on line B, but specifies a sender IP that
belongs to line A, your ISP may or may not drop the packet, depending on
whether they have implemented anti-spoofing measures.

If your gateway sends a packet on line B with a sender IP that belongs to line
B, things should be okay, so that is how it is usually done. But note that the
receiver at the other end will not recognise the packet as being part of a
connection if the IP has changed. So if someone connects to a service on a
specific IP, the reply packets must specify that IP as sender address.

Well, your ISP won't drop the packets. But the receiver at the other end will.
If the packets

From frederic at juliana-multimedia.com Mon Feb 19 14:38:55 2007
From: frederic at juliana-multimedia.com (Frédéric Massot)
Date: Mon Feb 19 14:39:03 2007
Subject: [LARTC] "dst cache overflow" messages and crash
Message-ID: <45D9A86F.2020407@juliana-multimedia.com>

Hi,

I regularly have errors (kernel: dst cache overflow) and crashes of a firewall
under Linux 2.6.17 and the route patch from Julian Anastasov.

With rtstat I see that the route cache size increases regularly without ever
decreasing.
I have these parameters:

fw:/proc/sys/net/ipv4/route# grep . *
error_burst:1250
error_cost:250
gc_elasticity:15
gc_interval:60
gc_min_interval:0
gc_min_interval_ms:500
gc_thresh:4096
gc_timeout:300
max_delay:10
max_size:65536
min_adv_mss:256
min_delay:2
min_pmtu:552
mtu_expires:600
redirect_load:5
redirect_number:9
redirect_silence:5120
secret_interval:600

I can increase the maximum size of the cache, but that will do nothing but
delay the crash.

Can you help me?

Regards.
--
==============================================
| FRÉDÉRIC MASSOT                            |
| http://www.juliana-multimedia.com          |
| mailto:frederic@juliana-multimedia.com     |
===========================Debian=GNU/Linux===

From Jon.J.Flechsenhaar at boeing.com Mon Feb 19 17:36:30 2007
From: Jon.J.Flechsenhaar at boeing.com (Flechsenhaar, Jon J)
Date: Mon Feb 19 17:36:56 2007
Subject: [LARTC] prio not seeming to work
In-Reply-To: <20070218232851.M8467@nleaudio.com>
References: <20070218232851.M8467@nleaudio.com>
Message-ID: <0E24ED2A7F9AA349A8633E6A56A64BE0027A81D7@XCH-SW-2V1.sw.nos.boeing.com>

Two questions

1.) When you type tc class ls dev ethx
    - Do you see that both ftp streams are flowing into their proper class;
      1:1, 1:3?

2.) Are you sending enough traffic to reach the point of congestion on your
    link?
    - If you're not then it will service all the traffic at the same rate.

Jon Flechsenhaar
Boeing WNW Team
Network Services
(714)-762-1231
202-E7

-----Original Message-----
From: Bob Puff [mailto:bob@nleaudio.com]
Sent: Sunday, February 18, 2007 3:32 PM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] prio not seeming to work

Hello,

I am trying to mess with a prio type qdisc, and must be missing something.
Here's my sample code:

tc qdisc add dev eth0 root handle 1: prio
tc filter add dev eth0 parent 1:0 prio 1 protocol ip u32 \
   match ip dst 208.0.0.0/8 flowid 1:1
tc filter add dev eth0 parent 1:0 prio 3 protocol ip u32 \
   match ip dst 0.0.0.0/0 flowid 1:3

I would assume that any traffic going to 208.x.x.x should be getting priority
over all other traffic. But when I set up two simultaneous FTP uploads, one to
a server in the 208.x.x.x block and one to another not in that block, both end
up at the same transfer rate. This is going into an ADSL line.

What am I missing?

Bob
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From Jon.J.Flechsenhaar at boeing.com Mon Feb 19 18:02:23 2007
From: Jon.J.Flechsenhaar at boeing.com (Flechsenhaar, Jon J)
Date: Mon Feb 19 18:02:32 2007
Subject: [LARTC] Modifying traffic shaping rates according to the amount of active users
In-Reply-To:
References:
Message-ID: <0E24ED2A7F9AA349A8633E6A56A64BE0027A81D8@XCH-SW-2V1.sw.nos.boeing.com>

Based on your requirements I would use HTB. Ceil (the maximum borrowed rate)
HTTP traffic to 80% of your bandwidth in one class. In the other class ceil
rate to 20%. If HTTP needs more bandwidth or SMTP they can borrow between each
other.

Example: 40% SMTP 60% HTTP - HTTP class will loan its additional bandwidth to
the SMTP class based on the parent class rate.

initial parent 100 kbps
                     Borrowing
class 1 - 80 kbps  -  40
class 2 - 20 kbps  -  60

Hope this helps.

Jon Flechsenhaar
Boeing WNW Team
Network Services
(714)-762-1231
202-E7

________________________________
From: Ehud Shabtai [mailto:eshabtai@gmail.com]
Sent: Sunday, February 18, 2007 3:02 AM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] Modifying traffic shaping rates according to the amount of active users

Hi,

I'm trying to divide my bandwidth between different services, but I'd like to
take into account the number of active users.
For example, I want to divide my bandwidth between HTTP and SMTP and guarantee
HTTP 80% of the bandwidth. However, I have many users on my system (tens of
thousands) and if only 1% of my active users are using HTTP (and the other 99%
SMTP), I'd like somehow to change the HTTP rate to a lower limit.

Is there any way to do it automatically, assuming that each user has a
different IP?

Thanks,
--
Ehud Shabtai
http://www.freemap.co.il/map/

From mkathuria at tuxtechnologies.co.in Mon Feb 19 18:37:20 2007
From: mkathuria at tuxtechnologies.co.in (Manish Kathuria)
Date: Mon Feb 19 18:37:37 2007
Subject: [LARTC] Two ADSL links and one gateway only
In-Reply-To: <4784fdae0702170342h4cfad2f9pf2e92239626c107f@mail.gmail.com>
References: <4784fdae0702162036o58e443c5vf21b052d10ab1ae3@mail.gmail.com> <1df4abe60702162049v7d0b87dck911e54cfba53c242@mail.gmail.com> <4784fdae0702170342h4cfad2f9pf2e92239626c107f@mail.gmail.com>
Message-ID: <1df4abe60702190937g45c4fba3rb3d5a6d58a7b734@mail.gmail.com>

On 2/17/07, Eriberto wrote:
> Yes! I have two modems acting as bridge. Then my Linux box connects to
> the ISP and receives the same gateway address. I need to balance these
> links.
>

I haven't come across a similar scenario but TEQL might be the thing that
could work for you.

--
Manish Kathuria
Tux Technologies
http://www.tuxtechnologies.co.in/

From bob at nleaudio.com Mon Feb 19 18:58:19 2007
From: bob at nleaudio.com (Bob Puff@NLE)
Date: Mon Feb 19 18:53:12 2007
Subject: [LARTC] prio not seeming to work
In-Reply-To: <0E24ED2A7F9AA349A8633E6A56A64BE0027A81D7@XCH-SW-2V1.sw.nos.boeing.com>
References: <20070218232851.M8467@nleaudio.com> <0E24ED2A7F9AA349A8633E6A56A64BE0027A81D7@XCH-SW-2V1.sw.nos.boeing.com>
Message-ID: <45D9E53B.8030805@nleaudio.com>

Flechsenhaar, Jon J wrote:
> Two questions
>
> 1.)
> When you type tc class ls dev ethx
>     - Do you see that both ftp streams are flowing into their proper
>       class; 1:1, 1:3?
>
> 2.) Are you sending enough traffic to reach the point of congestion on
>     your link?
>     - If you're not then it will service all the traffic at the same
>       rate.

Hi John,

1. Hmm, I guess not:

[root@bob ~]# tc class ls dev eth0
class prio 1:1 parent 1:
class prio 1:2 parent 1:
class prio 1:3 parent 1:

Am I missing something in my short & sweet little script? Again, it is:

tc qdisc add dev eth0 root handle 1: prio
tc filter add dev eth0 parent 1:0 prio 1 protocol ip u32 \
   match ip dst 208.0.0.0/8 flowid 1:1
tc filter add dev eth0 parent 1:0 prio 3 protocol ip u32 \
   match ip dst 0.0.0.0/0 flowid 1:3

2. I'm definitely saturating my 384k upstream.

Bob

From frederic at juliana-multimedia.com Tue Feb 20 11:46:50 2007
From: frederic at juliana-multimedia.com (Frédéric Massot)
Date: Tue Feb 20 11:47:27 2007
Subject: [LARTC] "dst cache overflow" messages and crash
In-Reply-To: <6c9e84f70702190752u7552629br5788ba5d5934209b@mail.gmail.com>
References: <45D9A86F.2020407@juliana-multimedia.com> <6c9e84f70702190752u7552629br5788ba5d5934209b@mail.gmail.com>
Message-ID: <45DAD19A.5040703@juliana-multimedia.com>

Charlie Meyer wrote:
> I ran into this problem a while ago, and I did the following:
>
> echo 8192 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
> echo 8192 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
> echo 8192 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
>
> and all my problems were solved
>
> -Charlie
>
> On 2/19/07, *Frédéric Massot* wrote:
>>
>> Hi,
>>
>> I regularly have errors (kernel: dst cache overflow) and crashes of a
>> firewall under Linux 2.6.17 and the route patch from Julian Anastasov.
>>
>> With rtstat I see that the route cache size increases regularly without
>> ever decreasing.
>>
>> I have these parameters:
>> fw:/proc/sys/net/ipv4/route# grep .
>> *
>> error_burst:1250
>> error_cost:250
>> gc_elasticity:15
>> gc_interval:60
>> gc_min_interval:0
>> gc_min_interval_ms:500
>> gc_thresh:4096
>> gc_timeout:300
>> max_delay:10
>> max_size:65536
>> min_adv_mss:256
>> min_delay:2
>> min_pmtu:552
>> mtu_expires:600
>> redirect_load:5
>> redirect_number:9
>> redirect_silence:5120
>> secret_interval:600
>>
>> I can increase the maximum size of the cache, but that will do nothing
>> but delay the crash.

Hi,

I think that my problem comes from the route cache and not the ARP cache:
- http://mailman.ds9a.nl/pipermail/lartc/2007q1/020061.html
- http://mailman.ds9a.nl/pipermail/lartc/2007q1/020067.html

I read several threads of discussion on this problem, but I did not find a
solution.

Regards.
--
==============================================
| FRÉDÉRIC MASSOT                            |
| http://www.juliana-multimedia.com          |
| mailto:frederic@juliana-multimedia.com     |
===========================Debian=GNU/Linux===

From Jon.J.Flechsenhaar at boeing.com Tue Feb 20 18:06:17 2007
From: Jon.J.Flechsenhaar at boeing.com (Flechsenhaar, Jon J)
Date: Tue Feb 20 18:06:55 2007
Subject: [LARTC] prio not seeming to work
In-Reply-To: <45D9E53B.8030805@nleaudio.com>
References: <20070218232851.M8467@nleaudio.com> <0E24ED2A7F9AA349A8633E6A56A64BE0027A81D7@XCH-SW-2V1.sw.nos.boeing.com> <45D9E53B.8030805@nleaudio.com>
Message-ID: <0E24ED2A7F9AA349A8633E6A56A64BE0027A81E3@XCH-SW-2V1.sw.nos.boeing.com>

Bob,

Sorry, actually you need this command: tc -s -d class ls dev ethx. Just so you
know, you can sub "class" out with "qdisc" or "filter". This will show stats in
detail. Ex. Packets flowing through your queue.

Do you have a priority assigned to the class also? I see one filter has a
higher priority so it should get more packets than the other; which I know is
what you're trying to do.
Jon Flechsenhaar
Boeing WNW Team
Network Services
(714)-762-1231
202-E7

-----Original Message-----
From: Bob Puff@NLE [mailto:bob@nleaudio.com]
Sent: Monday, February 19, 2007 9:58 AM
To: Flechsenhaar, Jon J
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] prio not seeming to work

Flechsenhaar, Jon J wrote:
> Two questions
>
> 1.) When you type tc class ls dev ethx
>     - Do you see that both ftp streams are flowing into their proper
>       class; 1:1, 1:3?
>
> 2.) Are you sending enough traffic to reach the point of congestion
>     on your link?
>     - If you're not then it will service all the traffic at the same
>       rate.

Hi John,

1. Hmm, I guess not:

[root@bob ~]# tc class ls dev eth0
class prio 1:1 parent 1:
class prio 1:2 parent 1:
class prio 1:3 parent 1:

Am I missing something in my short & sweet little script? Again, it is:

tc qdisc add dev eth0 root handle 1: prio
tc filter add dev eth0 parent 1:0 prio 1 protocol ip u32 \
   match ip dst 208.0.0.0/8 flowid 1:1
tc filter add dev eth0 parent 1:0 prio 3 protocol ip u32 \
   match ip dst 0.0.0.0/0 flowid 1:3

2. I'm definitely saturating my 384k upstream.

Bob

From Jon.J.Flechsenhaar at boeing.com Tue Feb 20 22:05:39 2007
From: Jon.J.Flechsenhaar at boeing.com (Flechsenhaar, Jon J)
Date: Tue Feb 20 22:06:47 2007
Subject: [LARTC] CCNA training
Message-ID: <0E24ED2A7F9AA349A8633E6A56A64BE0027A81E6@XCH-SW-2V1.sw.nos.boeing.com>

You guys have expressed interest in CCNA training. What would be better for you
guys: on-site training after work hours or during the weekend? The other option
is after hours or weekend at a nearby college.

Jon Flechsenhaar
Boeing WNW Team
Network Services
(714)-762-1231
202-E7

From ichi.brown at gmail.com Tue Feb 20 22:16:46 2007
From: ichi.brown at gmail.com (Ichi Brown)
Date: Tue Feb 20 22:16:52 2007
Subject: [LARTC] table/rule problems definitely odd.
Message-ID:

Hello, for the past couple of days I've been banging my head against a wall
trying to get this iproute2 issue resolved. The basic scenario is as follows.
eth0 - external ip
eth1 - internal ip

I'm forwarding an external ip to the internal interface at a port that's
responding. I can connect to the internal ip just fine.

%telnet 10.x.x.x 25
Trying 10.x.x.x...
Connected to xxxx.
Escape character is '^]'.
220 xxxx ESMTP

I need a higher port forwarded to port 25 on that machine for a couple of
asinine reasons. This is what I see when I tcpdump the eth1 interface without
iproute2 rules in place.

%telnet 63.x.x.x smtps
Trying 63.x.x.x...

# tcpdump -i eth1 host 206.x.x.x
tcpdump: listening on eth1
13:00:32.048622 206.x.x.x.1325 > 10.x.x.x.smtp: S 3731510172:3731510172(0) win 57344 (DF)
13:00:35.227581 206.x.x.x.1325 > 10.x.x.x.smtp: S 3731510172:3731510172(0) win 57344 (DF)

10 packets received by filter
0 packets dropped by kernel

# tcpdump -i eth0 host 206.x.x.x
tcpdump: listening on eth0
13:00:44.621421 10.x.x.x.smtp > 206.x.x.x.1325: S 2172768788:2172768788(0) ack 3731510173 win 5792 (DF)
13:00:44.871241 10.x.x.x.smtp > 206.x.x.x.1325: S 2172768788:2172768788(0) ack 3731510173 win 5792 (DF)

2 packets received by filter
0 packets dropped by kernel

So as you can see, without the iproute2 rule the 10.x.x.x traffic leaves
through the 63.x.x.x interface. That's bad mojo. So I've set up some iproute2
tables and rules. Here's what I've set up thus far.

# cat /etc/iproute2/rt_tables
#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep
100     internal

ip route add default via 10.x.x.1 dev eth1 table internal

# ip ru show
0:      from all lookup local
32765:  from 10.x.x.x lookup internal
32766:  from all lookup main
32767:  from all lookup default

So when I add the "ip route add" command and I tcpdump -i eth1 host 206.x.x.x
I see zero packets. If I start the connection via telnet, then add the rule,
the connection works; traffic gets routed correctly... but initiating another
connection via telnet only causes the machine to see no traffic when I
tcpdump -i eth1.
If I remove the rule after that point, it goes back to routing through the
wrong interface. It's quite bizarre and probably something small and silly I'm
overlooking... but my eyes aren't fresh enough anymore. Can someone lend some
ideas?

http://lartc.org/howto/lartc.rpdb.html is the main URL I've been using as a
reference for iproute2.

fwiw, my main routing table is as follows.

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
63.x.x.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.x.x.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.x.x.0        0.0.0.0         255.255.0.0     U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         63.x.x.x        0.0.0.0         UG    0      0        0 eth0

--
---
ichi.brown@gmail.com

From radu at securesystems.ro Tue Feb 20 22:38:00 2007
From: radu at securesystems.ro (Radu Oprisan)
Date: Tue Feb 20 22:38:27 2007
Subject: [LARTC] client disconnecting
In-Reply-To: <45D80061.2090206@matrixrom.ro>
References: <45D7FE8B.5050508@matrixrom.ro> <45D80061.2090206@matrixrom.ro>
Message-ID: <45DB6A38.1010404@securesystems.ro>

Alin Ilie wrote:
> Hi,
>
> I have two connections to the Internet.
>
> I implemented the load balancing as described in chapter 4.2 "Routing
> for multiple uplinks/providers"
> The problem that occurred is that the client applications like Yahoo
> Messenger or even PuTTY (SSH client) are losing the connection very often.
> Has anyone experienced this problem? Does anyone know a workaround
> for this problem?
>
> Cheers,
> Alin

Your problem may have something to do with cleanup of connection tracking
tables or cache routing. Are you sure you have the correct rp_filter settings
for what you are trying to do?
From narezatel at gmail.com Wed Feb 21 08:06:13 2007
From: narezatel at gmail.com (Goga)
Date: Wed Feb 21 08:06:21 2007
Subject: [LARTC] (no subject)
Message-ID:

From thelastmohican54 at gmail.com Wed Feb 21 09:20:31 2007
From: thelastmohican54 at gmail.com (mohican 542003)
Date: Wed Feb 21 09:20:41 2007
Subject: [LARTC] Problem with HTB and outgoing traffic
Message-ID: <519f77360702210020s4408e2dw2d47ccee2f9ac04a@mail.gmail.com>

Hello,

I'm using a script with tc, to limit my outgoing traffic:

tc qdisc add dev eth0 root handle 1: htb
tc class add dev eth0 parent 1: classid 1:1 htb rate 500kbit burst 6k
tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip dst 172.28.54.9 flowid 1:1

I want to test bandwidth with iperf to see if the limitation is correct.
Sometimes I get a correct measure for certain rates, but I often get a measure
that does not correspond to the rate. For example, if the rate is 500kbit, the
measure is 2000kbit/s...

Can someone help me?

Thanks,
Olivier

From alin at matrixrom.ro Wed Feb 21 10:56:06 2007
From: alin at matrixrom.ro (Alin Ilie)
Date: Wed Feb 21 10:56:23 2007
Subject: [LARTC] client disconnecting
In-Reply-To: <45DB6A38.1010404@securesystems.ro>
References: <45D7FE8B.5050508@matrixrom.ro> <45D80061.2090206@matrixrom.ro> <45DB6A38.1010404@securesystems.ro>
Message-ID: <45DC1736.9020005@matrixrom.ro>

Radu Oprisan wrote:
> Alin Ilie wrote:
>
>> Hi,
>>
>> I have two connections to the Internet.
>>
>> I implemented the load balancing as described in chapter 4.2 "Routing
>> for multiple uplinks/providers"
>> The problem that occurred is that the client applications like Yahoo
>> Messenger or even PuTTY (SSH client) are losing the connection very often.
>> Has anyone experienced this problem? Does anyone know a workaround
>> for this problem?
>>
>> Cheers,
>> Alin
>>
>
>
> Your problem may have something to do with cleanup of connection
> tracking tables or cache routing. Are you sure you have the correct
> rp_filter settings for what you are trying to do?
>

I had the rp_filter set to 1.
I changed it to 0 for all the interfaces, and I will see if this works.

Thank you,
Alin Ilie :)

From lartc at ethen.de Wed Feb 21 13:42:04 2007
From: lartc at ethen.de (Markus)
Date: Wed Feb 21 13:42:59 2007
Subject: [LARTC] simple source policy routing not working
Message-ID: <200702211342.04797.lartc@ethen.de>

Hi,

my box is connected to 3 networks, eth0 eth1 wlan0. I want "my" traffic to go
via wlan0 and everything from eth1 NATed to eth0:

eth0  192.168.1.10/24
eth1  172.16.1.1/12
wlan0 192.168.10.190/24

I first tried this with two single hosts:

iptables -A POSTROUTING -j MASQUERADE -o eth0 -t nat
iptables -A POSTROUTING -j MASQUERADE -o wlan0 -t nat
echo 200 Forw >> /etc/iproute2/rt_tables
ip rule add from 172.30.230.230 table Forw
ip route add 192.168.1.99 via 192.168.10.1 dev wlan0 table main
ip route add 192.168.1.99 dev eth0 table Forw
ip -statistics route flush cache

ip route get 192.168.1.98 from 172.30.230.230 iif eth1
# 192.168.1.98 from 172.30.230.230 dev eth0 src 172.16.1.1
#     cache mtu 1492 advmss 1452 fragtimeout 64 iif eth1
ip route get 192.168.1.99 from 172.30.230.230 iif eth1
# 192.168.1.99 from 172.30.230.230 dev eth0 src 172.16.1.1
#     cache mtu 1492 advmss 1452 fragtimeout 64 iif eth1
ip route get 192.168.1.98
# 192.168.1.98 dev eth0 src 192.168.1.10
#     cache mtu 1492 advmss 1452 fragtimeout 64
ip route get 192.168.1.99
# 192.168.1.99 via 192.168.10.1 dev
wlan0 src 192.168.10.190
#     cache mtu 1500 advmss 1460 fragtimeout 64

Before, 172.30.230.230 was able to ping 192.168.1.99 and 192.168.1.98; after,
192.168.1.99 was unreachable.

What's wrong? Please help...

Markus

From administrator at netwlan.net Wed Feb 21 14:39:57 2007
From: administrator at netwlan.net (Ivan Vladimirov)
Date: Wed Feb 21 14:40:07 2007
Subject: [LARTC] "dst cache overflow" messages and crash
In-Reply-To: <45D9A86F.2020407@juliana-multimedia.com>
References: <45D9A86F.2020407@juliana-multimedia.com>
Message-ID: <45DC4BAD.3000903@netwlan.net>

Frédéric Massot wrote:
> Hi,
>
> I regularly have errors (kernel: dst cache overflow) and crashes of a
> firewall under Linux 2.6.17 and the route patch from Julian Anastasov.
>
> With rtstat I see that the route cache size increases regularly without
> ever decreasing.
>
> I have these parameters:
> fw:/proc/sys/net/ipv4/route# grep . *
> error_burst:1250
> error_cost:250
> gc_elasticity:15
> gc_interval:60
> gc_min_interval:0
> gc_min_interval_ms:500
> gc_thresh:4096
> gc_timeout:300
> max_delay:10
> max_size:65536
> min_adv_mss:256
> min_delay:2
> min_pmtu:552
> mtu_expires:600
> redirect_load:5
> redirect_number:9
> redirect_silence:5120
> secret_interval:600
>
> I can increase the maximum size of the cache, but that will do nothing
> but delay the crash.
>
> Can you help me?
>
> Regards.

max_size=65536 is too low; increase the size to 256k.

From frederic at juliana-multimedia.com Wed Feb 21 15:04:09 2007
From: frederic at juliana-multimedia.com (Frédéric Massot)
Date: Wed Feb 21 15:04:26 2007
Subject: [LARTC] Re: "dst cache overflow" messages and crash
In-Reply-To: <45DC4BAD.3000903@netwlan.net>
References: <45D9A86F.2020407@juliana-multimedia.com> <45DC4BAD.3000903@netwlan.net>
Message-ID: <45DC5159.1060603@juliana-multimedia.com>

Ivan Vladimirov wrote:
> Frédéric Massot wrote:
>> Hi,
[...]
>> gc_thresh:4096
>> gc_timeout:300
>> max_delay:10
>> max_size:65536
>> min_adv_mss:256
>> min_delay:2
>> min_pmtu:552
>> mtu_expires:600
>> redirect_load:5
>> redirect_number:9
>> redirect_silence:5120
>> secret_interval:600
>>
>> I can increase the maximum size of the cache, but that will do nothing
>> but delay the crash.
>>
>> Can you help me?
>>
>> Regards.
> max_size=65536
> is too low; increase the size to 256k

Hi,

Thank you for your answer.

Does this change prevent the server crash, or does it do nothing but delay it?

Regards.
--
==============================================
| FRÉDÉRIC MASSOT                            |
| http://www.juliana-multimedia.com          |
| mailto:frederic@juliana-multimedia.com     |
===========================Debian=GNU/Linux===

From andrewm at intoweb.co.za Wed Feb 21 15:10:52 2007
From: andrewm at intoweb.co.za (Andrew McGill)
Date: Wed Feb 21 15:11:03 2007
Subject: [LARTC] Split access, load balancing AND forwarding: HOW?
Message-ID:

The LARTC howto correctly describes load balancing and split access for
traffic from a machine with multiple ISP connections
(http://www.lartc.org/lartc.html#LARTC.RPDB.MULTIPLE-LINKS) -- *provided* the
traffic originates from the machine itself (i.e. traffic regularly handled by
the INPUT and OUTPUT chains of iptables).

When forwarding traffic from an attached local network, the following problems
occur with traffic from the local network to internet hosts:

1. The ip rule add from x.x.x.x refers to local IP addresses before NAT, such
   as 192.168.0.44, rather than the public IP address after NAT (and certainly
   not both). This is the fundamental problem that causes load balancing and
   split access to be unreliable.

2. Cached routes are dropped periodically from the route cache, even while in
   active use: this causes connection reset errors and strange timeouts.

3. To frustrate iptables based work-arounds, routing does not obey marks added
   with iptables -t mangle -A PREROUTING.
   It seems that ip fwmark rules are not obeyed if the route is cached, and
   the cache hash does not include the firewall mark (or maybe it does, but it
   doesn't work ?!?). (Interestingly, cached routing *does* obey the TOS bits,
   which makes creative work-arounds marginally possible. There just aren't
   too many TOS values to play with.)

Is there a solution to these problems which works with the official kernels?
If so, which versions? If not, which patches resolve these problems?

&:-)

--
Disclaimer: in the event of this disclaimer being incomplete

From Jon.J.Flechsenhaar at boeing.com Wed Feb 21 17:27:47 2007
From: Jon.J.Flechsenhaar at boeing.com (Flechsenhaar, Jon J)
Date: Wed Feb 21 17:27:55 2007
Subject: [LARTC] Problem with HTB and outgoing traffic
In-Reply-To: <519f77360702210020s4408e2dw2d47ccee2f9ac04a@mail.gmail.com>
References: <519f77360702210020s4408e2dw2d47ccee2f9ac04a@mail.gmail.com>
Message-ID: <0E24ED2A7F9AA349A8633E6A56A64BE0027A81E9@XCH-SW-2V1.sw.nos.boeing.com>

If you let "burst" get calculated with default settings (don't specify the 6k)
does it change anything?

Jon Flechsenhaar
Boeing WNW Team
Network Services
(714)-762-1231
202-E7

________________________________
From: mohican 542003 [mailto:thelastmohican54@gmail.com]
Sent: Wednesday, February 21, 2007 12:21 AM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] Problem with HTB and outgoing traffic

Hello,

I'm using a script with tc, to limit my outgoing traffic:

tc qdisc add dev eth0 root handle 1: htb
tc class add dev eth0 parent 1: classid 1:1 htb rate 500kbit burst 6k
tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip dst 172.28.54.9 flowid 1:1

I want to test bandwidth with iperf to see if the limitation is correct.
Sometimes I get a correct measure for certain rates, but I often get a measure
that does not correspond to the rate. For example, if the rate is 500kbit, the
measure is 2000kbit/s...

Can someone help me?

Thanks,
Olivier
From alin at matrixrom.ro Wed Feb 21 19:42:11 2007
From: alin at matrixrom.ro (Alin Ilie)
Date: Wed Feb 21 19:42:36 2007
Subject: [LARTC] client disconnecting
In-Reply-To: <45DBB019.3090608@hotmail.com>
References: <45D7FE8B.5050508@matrixrom.ro> <45D80061.2090206@matrixrom.ro> <45DBB019.3090608@hotmail.com>
Message-ID: <45DC9283.1040902@matrixrom.ro>

Hi Kevin,

I have kernel 2.6.18-1. I tried to set rp_filter=0. Still problem unsolved.

Alin

Kevin wrote:
> Alin,
> I get this problem all the time. Mainly with Yahoo and ssh
> connections. I had put it down to using an unpatched 2.4 kernel. I can
> get round the problem temporarily by supplying static routes for the
> connections affected. What kernel are you using?
> Kevin.
>
> on 18/02/2007 14:29 Alin Ilie wrote:
>> Hi,
>>
>> I have two connections to the Internet.
>>
>> I implemented the load balancing as described in chapter 4.2 "Routing
>> for multiple uplinks/providers"
>> The problem that occurred is that the client applications like Yahoo
>> Messenger or even PuTTY (SSH client) are losing the connection very
>> often.
>> Has anyone experienced this problem? Does anyone know a workaround
>> for this problem?
>>
>> Cheers,
>> Alin
>

From alin at matrixrom.ro Wed Feb 21 20:08:09 2007
From: alin at matrixrom.ro (Alin Ilie)
Date: Wed Feb 21 20:08:26 2007
Subject: [LARTC] client disconnecting
In-Reply-To: <45DC1736.9020005@matrixrom.ro>
References: <45D7FE8B.5050508@matrixrom.ro> <45D80061.2090206@matrixrom.ro> <45DB6A38.1010404@securesystems.ro> <45DC1736.9020005@matrixrom.ro>
Message-ID: <45DC9899.5070508@matrixrom.ro>

Alin Ilie wrote:
> Radu Oprisan wrote:
>> Alin Ilie wrote:
>>
>>> Hi,
>>>
>>> I have two connections to the Internet.
>>>
>>> I implemented the load balancing as described in chapter 4.2 "Routing
>>> for multiple uplinks/providers"
>>> The problem that occurred is that the client applications like Yahoo
>>> Messenger or even PuTTY (SSH client) are losing the connection very
>>> often.
>>> Has anyone experienced this problem? Does anyone know a workaround
>>> for this problem?
>>>
>>> Cheers,
>>> Alin
>>>
>>
>>
>> Your problem may have something to do with cleanup of connection
>> tracking tables or cache routing. Are you sure you have the correct
>> rp_filter settings for what you are trying to do?
>>
>>
>
> I had the rp_filter set to 1.
> I changed it to 0 for all the interfaces, and I will see if this works.
> Thank you,
> Alin Ilie :)
>

Still doesn't work. :(

Alin

From luciano at lugmen.org.ar Thu Feb 22 03:16:53 2007
From: luciano at lugmen.org.ar (Luciano Ruete)
Date: Thu Feb 22 03:16:59 2007
Subject: [LARTC] Split access, load balancing AND forwarding: HOW?
In-Reply-To:
References:
Message-ID: <200702212316.53813.luciano@lugmen.org.ar>

On Wednesday 21 February 2007 11:10, Andrew McGill wrote:
> The LARTC howto correctly describes load balancing and split
> access for traffic from a machine with multiple ISP connections
> (http://www.lartc.org/lartc.html#LARTC.RPDB.MULTIPLE-LINKS) --
> *provided* the traffic originates from the machine itself (i.e.
> traffic regularly handled by the INPUT and OUTPUT chains of
> iptables).
>
> When forwarding traffic from an attached local network, the
> following problems occur with traffic from the local network to
> internet hosts:
>
> 1. The ip rule add from x.x.x.x refers to local IP addresses
> before NAT, such as 192.168.0.44, rather than the public IP
> address after NAT (and certainly not both). This is the
> fundamental problem that causes load balancing and split
> access to be unreliable.
The 'ip rule' is evaluated before the routing decision, so this is before
FORWARD and before POSTROUTING (the place where NAT actually happens). Hence,
referring to the local IP is correct.

> 2. Cached routes are dropped periodically from the route cache,
> even while in active use: this causes connection reset errors
> and strange timeouts.

This is true, and increasing the route timeout does not help, because at the
end you have all internet routes cached, making your kernel/non-swappable RAM
kick out every single app on the host. The solution is to use CONNTRACK from
iptables; a full example is described in this[1] e-mail from the archive. No
patches needed.

> 3. To frustrate iptables based work-arounds, routing does not
> obey marks added with iptables -t mangle -A PREROUTING. It
> seems that ip fwmark rules are not obeyed if the route is
> cached,

This is not true; the rules are evaluated before the routing decision, so
fwmark rules work as expected. You really think that this BUG can have been in
the linux kernel since early 2.3/2.4 versions and be discovered today?

> and the cache hash does not include the firewall mark
> (or maybe it does, but it doesn't work ?!?). (Interestingly,
> cached routing *does* obey the TOS bits, which makes creative
> work-arounds marginally possible. There just aren't too many
> TOS values to play with.)

> Is there a solution to these problems which works with the official
> kernels? If so, which versions? If not, which patches resolve these
> problems?

Yes, as I pointed out, there is a solution and no patches are needed.

[1] http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html

--
Luciano

From mingching.tiew at redtone.com Thu Feb 22 03:58:24 2007
From: mingching.tiew at redtone.com (Ming-Ching Tiew)
Date: Thu Feb 22 03:58:58 2007
Subject: [LARTC] Split access, load balancing AND forwarding: HOW?
References: <200702212316.53813.luciano@lugmen.org.ar>
Message-ID: <000d01c7562d$51853570$02bca8c0@freelance>

From: "Luciano Ruete"
>
> The solution is to use CONNTRACK from iptables, full example described in
> this[1] e-mail from the archive. No patches needed.
>
> [1] http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html
>

I think you mean CONNMARK (not CONNTRACK) from iptables?

The ever popular routing command:

> #route commands
> ip ro add default nexthop via x.x.x.x dev eth1 weight 1 nexthop via y.y.y.y dev eth2

My personal view is to ***NEVER*** use such a routing statement, or never let the system have a chance to use such a routing statement, especially when you are doing NAT. The email example above included this routing statement, but it is not used because the 'ip rule' takes precedence. The multipath weighted cache-based routing is problematic.

I would say it would be better to re-order the iptables commands:

#restore mark before ROUTING decision
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
#by-pass rules if it is already MARKed
iptables -t mangle -A POSTROUTING -m mark --mark ! 0 -j ACCEPT
#1st packets (from a connection) will arrive here
iptables -t mangle -A POSTROUTING -o eth1 -j MARK --set-mark 0x1
iptables -t mangle -A POSTROUTING -o eth2 -j MARK --set-mark 0x2
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

i.e. restore-mark is moved to the top.

I strongly recommend that the LARTC documentation be updated, especially as it encourages people to use multipath weighted routing instead of an iptables based solution.

Cheers.

From mingching.tiew at redtone.com Thu Feb 22 05:57:10 2007
From: mingching.tiew at redtone.com (Ming-Ching Tiew)
Date: Thu Feb 22 05:59:17 2007
Subject: [LARTC] Split access, load balancing AND forwarding: HOW?
Message-ID: <001201c7563d$e96c2140$02bca8c0@freelance>

From: "Ming-Ching Tiew"
>
> I would say it would be better to re-order the iptables commands:
>
> #restore mark before ROUTING decision
> iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
> #by-pass rules if it is already MARKed
> iptables -t mangle -A POSTROUTING -m mark --mark ! 0 -j ACCEPT
> #1st packets (from a connection) will arrive here
> iptables -t mangle -A POSTROUTING -o eth1 -j MARK --set-mark 0x1
> iptables -t mangle -A POSTROUTING -o eth2 -j MARK --set-mark 0x2
> iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
>
> i.e. restore-mark is moved to the top.
>

On more careful reading, I am wondering why it is using POSTROUTING? Shouldn't it all be PREROUTING?

Cheers.

From administrator at netwlan.net Thu Feb 22 08:36:48 2007
From: administrator at netwlan.net (Ivan Vladimirov)
Date: Thu Feb 22 08:37:01 2007
Subject: [LARTC] Re: "dst cache overflow" messages and crash
In-Reply-To: <45DC5159.1060603@juliana-multimedia.com>
References: <45D9A86F.2020407@juliana-multimedia.com> <45DC4BAD.3000903@netwlan.net> <45DC5159.1060603@juliana-multimedia.com>
Message-ID: <45DD4810.2040305@netwlan.net>

Frédéric Massot wrote:
> Ivan Vladimirov wrote:
>> Frédéric Massot wrote:
>>> Hi,
> [...]
>>> gc_thresh:4096
>>> gc_timeout:300
>>> max_delay:10
>>> max_size:65536
>>> min_adv_mss:256
>>> min_delay:2
>>> min_pmtu:552
>>> mtu_expires:600
>>> redirect_load:5
>>> redirect_number:9
>>> redirect_silence:5120
>>> secret_interval:600
>>>
>>> I can increase the maximum size of the cache, but that will do nothing
>>> but delay the crash.
>>>
>>> Can you help me?
>>>
>>> Regards.
>> max_size=65536
>> is too low; increase the size to 256k
>
> Hi,
>
> Thank you for your answer.
>
> Does this change prevent the server crash, or does it do nothing but delay it?
>
> Regards.
This change prevents the server crash, but you need careful tweaking of this parameter. Use slabtop to see how many new objects in the dst cache you have over 5 min. Also, the value of this parameter depends on the type of traffic you have and the number of destination routes which the server has to cache.

From francesco.messineo at gmail.com Thu Feb 22 10:58:54 2007
From: francesco.messineo at gmail.com (francesco messineo)
Date: Thu Feb 22 10:59:16 2007
Subject: [LARTC] what's wrong?

# iptables -t mangle -A POSTROUTING -m mark --mark ! 0 -j ACCEPT

iptables v1.3.3: Bad MARK value `!'

I'm puzzled, what's wrong with this syntax?
kernel is 2.6.15.7-ubuntu1

Thanks
Francesco

From francesco.messineo at gmail.com Thu Feb 22 14:30:03 2007
From: francesco.messineo at gmail.com (francesco messineo)
Date: Thu Feb 22 14:30:20 2007
Subject: [LARTC] Re: what's wrong?

On 2/22/07, francesco messineo wrote:
> # iptables -t mangle -A POSTROUTING -m mark --mark ! 0 -j ACCEPT
>
> iptables v1.3.3: Bad MARK value `!'
>
>
> I'm puzzled, what's wrong with this syntax?
> kernel is 2.6.15.7-ubuntu1

Also tried with a 2.6.20.1 compiled from source, same result.
I also can't make these two rules work:

iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark

Both fail with:

iptables: Invalid argument

What's wrong?

Thanks
Francesco

From andy at andybev.com Thu Feb 22 16:38:22 2007
From: andy at andybev.com (Andrew Beverley)
Date: Thu Feb 22 16:39:10 2007
Subject: [LARTC] Re: what's wrong?
Message-ID: <1172158702.4446.7.camel@andybev.localdomain>

On Thu, 2007-02-22 at 14:30 +0100, francesco messineo wrote:
> On 2/22/07, francesco messineo wrote:
> > # iptables -t mangle -A POSTROUTING -m mark --mark ! 0 -j ACCEPT
> >
> > iptables v1.3.3: Bad MARK value `!'
> >
> >
> > I'm puzzled, what's wrong with this syntax?
> > kernel is 2.6.15.7-ubuntu1

Not all extensions support all types of matching. Looks like MARK doesn't support an inverse match.

If you want the same effect, redirect all traffic to another chain, and within that chain RETURN if you match a 0, and then with a subsequent rule ACCEPT any other packets. This way, if packets are MARKed 0 then they will carry on traversing the table, otherwise they will be ACCEPTed:

iptables -t mangle -A POSTROUTING -j new_chain

--

iptables -t mangle -N new_chain
iptables -t mangle -A new_chain -m mark --mark 0 -j RETURN
iptables -t mangle -A new_chain -j ACCEPT

> also tried with a 2.6.20.1 compiled from source and same result.
> I can't make also work these two rules:
>
>
> iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
>
> iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
>
> both fail with:
>
> iptables: Invalid argument

Looks like your iptables (or your kernel?) doesn't support CONNMARK. What version of iptables do you have?

Andy Beverley

From francesco.messineo at gmail.com Thu Feb 22 16:44:14 2007
From: francesco.messineo at gmail.com (francesco messineo)
Date: Thu Feb 22 16:44:23 2007
Subject: [LARTC] Re: what's wrong?
In-Reply-To: <1172158702.4446.7.camel@andybev.localdomain>
References: <1172158702.4446.7.camel@andybev.localdomain>

Hi Andrew,

On 2/22/07, Andrew Beverley wrote:
> On Thu, 2007-02-22 at 14:30 +0100, francesco messineo wrote:
> > On 2/22/07, francesco messineo wrote:
> > > # iptables -t mangle -A POSTROUTING -m mark --mark ! 0 -j ACCEPT
> > >
> > > iptables v1.3.3: Bad MARK value `!'
> > >
> > >
> > > I'm puzzled, what's wrong with this syntax?
> > > kernel is 2.6.15.7-ubuntu1
>
> Not all extensions support all types of matching. Looks like MARK
> doesn't support an inverse match.
>
> If you want the same effect redirect all traffic to another chain, and
> within that chain RETURN if you match a 0, and then with a subsequent
> rule ACCEPT any other packets.
> This way if packets are MARKed 0 then
> they will carry on traversing the table, otherwise they will be ACCEPTed
>
> iptables -t mangle -A POSTROUTING -j new_chain
>
> --
>
> iptables -t mangle -N new_chain
> iptables -t mangle -A new_chain -m mark --mark 0 -j RETURN
> iptables -t mangle -A new_chain -j ACCEPT
>

OK, that's easy enough; in fact this isn't the worst problem...

> > also tried with a 2.6.20.1 compiled from source and same result.
> > I can't make also work these two rules:
> >
> >
> > iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
> >
> > iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
> >
> > both fail with:
> >
> > iptables: Invalid argument
>
> Looks like your iptables (or your kernel?) doesn't support CONNMARK.
> What version of iptables do you have?

The kernel has CONNMARK support built as a module and loaded.
iptables is v1.3.3

Thanks
Francesco

From andy at andybev.com Thu Feb 22 16:47:02 2007
From: andy at andybev.com (Andrew Beverley)
Date: Thu Feb 22 16:47:49 2007
Subject: [LARTC] Re: what's wrong?
References: <1172158702.4446.7.camel@andybev.localdomain>
Message-ID: <1172159222.4446.10.camel@andybev.localdomain>

> > > I can't make also work these two rules:
> > >
> > >
> > > iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
> > >
> > > iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
> > >
> > > both fail with:
> > >
> > > iptables: Invalid argument
> >
> > Looks like your iptables (or your kernel?) doesn't support CONNMARK.
> > What version of iptables do you have?
>
> kernel has the CONNMARK support built as module and loaded.
> iptables is v1.3.3

At a guess 1.3.3 doesn't support CONNMARK. Try the latest version (1.3.7) - this is the version I'm using and it works fine.

Regards,

Andy

From francesco.messineo at gmail.com Thu Feb 22 17:02:49 2007
From: francesco.messineo at gmail.com (francesco messineo)
Date: Thu Feb 22 17:02:57 2007
Subject: [LARTC] Re: what's wrong?
In-Reply-To: <1172159222.4446.10.camel@andybev.localdomain>
References: <1172158702.4446.7.camel@andybev.localdomain> <1172159222.4446.10.camel@andybev.localdomain>

Hello again

On 2/22/07, Andrew Beverley wrote:
> > > > I can't make also work these two rules:
> > > >
> > > >
> > > > iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
> > > >
> > > > iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
> > > >
> > > > both fail with:
> > > >
> > > > iptables: Invalid argument
> > >
> > > Looks like your iptables (or your kernel?) doesn't support CONNMARK.
> > > What version of iptables do you have?
> >
> > kernel has the CONNMARK support built as module and loaded.
> > iptables is v1.3.3
>
> At a guess 1.3.3 doesn't support CONNMARK. Try the latest version
> (1.3.7) - this is the version I'm using and it works fine.
>

Yes indeed, upgrading to 1.3.7 solved the problem.

Many thanks
Francesco

From luciano at lugmen.org.ar Fri Feb 23 03:54:59 2007
From: luciano at lugmen.org.ar (Luciano Ruete)
Date: Fri Feb 23 03:55:12 2007
Subject: [LARTC] Split access, load balancing AND forwarding: HOW?
In-Reply-To: <000d01c7562d$51853570$02bca8c0@freelance>
References: <200702212316.53813.luciano@lugmen.org.ar> <000d01c7562d$51853570$02bca8c0@freelance>
Message-ID: <200702222354.59466.luciano@lugmen.org.ar>

On Wednesday 21 February 2007 23:58, Ming-Ching Tiew wrote:
> From: "Luciano Ruete"
> >
> > The solution is to use CONNTRACK from iptables, full example described in
> > this[1] e-mail from the archive. No patches needed.
> >
> > [1] http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html
>
> I think you mean CONNMARK (not CONNTRACK) from iptables?

Sorry, a brain-o, but in the email referred to it is well explained.
>
> The ever popular routing command:
>
> > #route commands
> > ip ro add default nexthop via x.x.x.x dev eth1 weight 1 nexthop via
> > y.y.y.y dev eth2
>
> My personal view is to ***NEVER*** use such a routing statement, or never
> let the system have a chance to use such a routing statement, especially
> when you are doing NAT.

You are ***WRONG*** here :-) The multipath statement works really great, but it is connection-stateless without the help of iptables CONNMARK.

> The email example above included this routing
> statement but it is not used because the 'ip rule' takes precedence.

WRONG, the first packet of a trackable connection does get routed by the multipath routing statement. Once routed to one of the weighted gateways, it is MARKed and --saved by CONNMARK. The second (and all the rest) of the packets from that connection will always use the same gateway.

So, 'ip ro nexthop' does the weighted gateway selection and balancing, then I use CONNMARK to ensure that packets from the same flow always keep the same gateway. I got this working on a production server with 3 ISPs, and believe me, it works like a Swiss clock.

> The
> multipath weighted cached based routing is problematic.

If you do not use something that can track the connection, yes; but hey, you have CONNMARK now, and before that you could do the same trick (and still can) with Julian Anastasov's patches.

> I would say it would be better to re-order the iptables commands:
>
> #restore mark before ROUTING decision
> iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
> #by-pass rules if it is already MARKed
> iptables -t mangle -A POSTROUTING -m mark --mark ! 0 -j ACCEPT
> #1st packets (from a connection) will arrive here
> iptables -t mangle -A POSTROUTING -o eth1 -j MARK --set-mark 0x1
> iptables -t mangle -A POSTROUTING -o eth2 -j MARK --set-mark 0x2
> iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
>
> i.e. restore-mark is moved to the top.
It produces the same result. I think it is easier to understand if the restore command goes at the end, because first you talk about the mark, and at the end you talk about restoring it. If you put the restore first, the newbie will ask "what the hell am I restoring???". But it is a matter of taste.

> I strongly recommend that the LARTC documentation be updated, especially it
> encourages people to use multipath weighted routing instead of iptables
> based solution.

The docs are outdated but technically OK; they were written by people who really know about these matters. It is more dangerous that you say things like the ones you wrote in this email (which are enormously wrong) and Google indexes them.

--
Luciano

From luciano at lugmen.org.ar Fri Feb 23 04:06:53 2007
From: luciano at lugmen.org.ar (Luciano Ruete)
Date: Fri Feb 23 04:07:06 2007
Subject: [LARTC] Split access, load balancing AND forwarding: HOW?
In-Reply-To: <001201c7563d$e96c2140$02bca8c0@freelance>
References: <001201c7563d$e96c2140$02bca8c0@freelance>
Message-ID: <200702230006.53744.luciano@lugmen.org.ar>

On Thursday 22 February 2007 01:57, Ming-Ching Tiew wrote:
> From: "Ming-Ching Tiew"
> >
> > I would say it would be better to re-order the iptables commands:
> >
> > #restore mark before ROUTING decision
> > iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
> > #by-pass rules if it is already MARKed
> > iptables -t mangle -A POSTROUTING -m mark --mark ! 0 -j ACCEPT
> > #1st packets (from a connection) will arrive here
> > iptables -t mangle -A POSTROUTING -o eth1 -j MARK --set-mark 0x1
> > iptables -t mangle -A POSTROUTING -o eth2 -j MARK --set-mark 0x2
> > iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
> >
> > i.e. restore-mark is moved to the top.
>
> On more careful reading, I am wondering why it is using POSTROUTING?
>
> Shouldn't it all be PREROUTING?

_NO_, because I need 'multipath routing' to make the 'weighted routing decision' on the first packet of each new connection.
Once it is routed, all the other packets from the same flow are hacked in PREROUTING: their mark is restored and ip rule guarantees that they will go via the same gateway as the first packet.

This solution works in theory and in practice, so please get your hands dirty before you post your next great idea.

--
Luciano

From raorpiano at gmail.com Fri Feb 23 04:48:58 2007
From: raorpiano at gmail.com (Roy Orpiano)
Date: Fri Feb 23 04:49:13 2007
Subject: [LARTC] Split access, load balancing AND forwarding: HOW?
In-Reply-To: <200702222354.59466.luciano@lugmen.org.ar>
References: <200702212316.53813.luciano@lugmen.org.ar> <000d01c7562d$51853570$02bca8c0@freelance> <200702222354.59466.luciano@lugmen.org.ar>
Message-ID: <681329680702221948v64e59021x73d3ba8449efc7c6@mail.gmail.com>

Hello,

Can anyone tell me what the effect is, in terms of latency, if I have:

1. 1 thousand defined HTB classes which represent 1 thousand users. I filter the traffic based on source IP address.
2. multiple class hierarchies inside a class. Is there a limit on the depth of hierarchy in HTB?

Thank you very much in advance.

From netsecuredata at gmail.com Fri Feb 23 06:11:17 2007
From: netsecuredata at gmail.com (Jorge Evangelista)
Date: Fri Feb 23 06:11:23 2007
Subject: [LARTC] simple source policy routing not working
In-Reply-To: <200702211342.04797.lartc@ethen.de>
References: <200702211342.04797.lartc@ethen.de>

Hi,

I think that these rules could work fine for what you want to do; you have to know the gateway for the eth0 and wlan0 networks.

eth0 192.168.1.10/24 ----> Example default Gateway 192.168.1.1
eth1 172.16.1.1/12 ----> LAN
wlan0 192.168.10.190/24 ----> Example default Gateway 192.168.10.1

Rules

echo 100 T1 >> /etc/iproute2/rt_tables
echo 200 T2 >> /etc/iproute2/rt_tables

ip route add 192.168.1.0/24 dev eth0 src 192.168.1.10 table T1
ip route add 192.168.10.0/24 dev wlan0 src 192.168.10.190 table T1
ip route add default via 192.168.1.1 table T1

ip route add 192.168.1.0/24 dev eth0 src 192.168.1.10 table T2
ip route add 192.168.10.0/24 dev wlan0 src 192.168.10.190 table T2
ip route add default via 192.168.10.1 table T2

ip rule add from 172.30.230.230/32 table T2
ip rule add from 172.16.1.1/12 table T1

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.1.10
iptables -t nat -A POSTROUTING -o wlan0 -j SNAT --to 192.168.10.190

Regards

On 2/21/07, Markus wrote:
> Hi,
>
> my box is connected to 3 networks, eth0 eth1 wlan0. I want "my" traffic to go
> via wlan0 and everything from eth1 NATed to eth0:
> eth0 192.168.1.10/24
> eth1 172.16.1.1/12
> wlan0 192.168.10.190/24
>
> I first tried this with two single hosts:
>
> iptables -A POSTROUTING -j MASQUERADE -o eth0 -t nat
> iptables -A POSTROUTING -j MASQUERADE -o wlan0 -t nat
>
> echo 200 Forw >> /etc/iproute2/rt_tables
>
> ip rule add from 172.30.230.230 table Forw
>
> ip route add 192.168.1.99 via 192.168.10.1 dev wlan0 table main
> ip route add 192.168.1.99 dev eth0 table Forw
>
> ip -statistics route flush cache
>
> ip route get 192.168.1.98 from 172.30.230.230 iif eth1
> # 192.168.1.98 from 172.30.230.230 dev eth0 src 172.16.1.1
> # cache mtu 1492 advmss 1452 fragtimeout 64 iif eth1
> ip route get 192.168.1.99 from 172.30.230.230 iif eth1
> # 192.168.1.99 from 172.30.230.230 dev eth0 src 172.16.1.1
> # cache mtu 1492 advmss 1452 fragtimeout 64 iif eth1
> ip route get 192.168.1.98
> # 192.168.1.98 dev eth0 src 192.168.1.10
> # cache mtu 1492 advmss 1452 fragtimeout 64
> ip route get 192.168.1.99
> # 192.168.1.99 via 192.168.10.1 dev wlan0 src 192.168.10.190
> # cache mtu 1500 advmss 1460 fragtimeout 64
>
> Before, 172.30.230.230 was able to ping 192.168.1.99 and 192.168.1.98; after,
> 192.168.1.99 was unreachable.
>
> What's wrong? Please help...
>
> Markus

--
"The network is the computer"

From mingching.tiew at redtone.com Fri Feb 23 08:23:42 2007
From: mingching.tiew at redtone.com (Ming-Ching Tiew)
Date: Fri Feb 23 08:27:48 2007
Subject: [LARTC] Split access, load balancing AND forwarding: HOW?
References: <001201c7563d$e96c2140$02bca8c0@freelance> <200702230006.53744.luciano@lugmen.org.ar>
Message-ID: <000101c7571b$ee2eda90$02bca8c0@freelance>

From: "Luciano Ruete"
>
> This solution works in theory and in practice, so please get your hands dirty
> before you post your next great idea.
>

I understand your explanation fully, but believe me, I also have hands-on experience with using the alternative, i.e.

1. I don't use multipath weighted routing.
2. I use PREROUTING all the way, i.e. I don't use POSTROUTING. Instead, I use the iptables 'recent' and 'statistics'/'random' matches to achieve load sharing.

I have used this for many years already; believe me, I am not theoretical. It's just a matter of different ways of doing things. If you search the web you will come upon many others using the same method I use.

Cheers

From s.cramatte at wanadoo.fr Fri Feb 23 17:04:12 2007
From: s.cramatte at wanadoo.fr (Sébastien CRAMATTE)
Date: Fri Feb 23 17:04:55 2007
Subject: [LARTC] Ethernet bridge overflow ?
Message-ID: <45DF107C.8080403@wanadoo.fr>

Hello,

I've set up an ethernet bridge on a Debian sarge 3.1 with l7-filter + ipp2 shaper rules.
The server is a Supermicro P4SCI + Celeron Pentium 4 based 3GHz + 512Mb + 2 ethernet e1000.

One interface is connected to a Cisco Catalyst switch.
The other interface is connected directly to a CMTS (a sort of router for cable modems) configured as a bridge too.

More than 20Mbps of bandwidth crosses this bridge. Most of this traffic is p2p (~80%).
When traffic goes over 14Mbps the bridge seems to saturate (overflow?) and starts to make collisions and lose packets.

I've taken a look at this paper:
http://facweb.cti.depaul.edu/jyu/Publications/Yu-Linux-TSM2004.pdf

And with a Duron 1,3GHz+512 mbps he obtains these values:

Input Rate        28,444,444 (bps)
Latency           29 (us)
Throughput        28,000,000 (bps)
Linux CPU         77% Occupancy

A Duron 1,3 is less powerful than a Celeron P4 3 ... So I don't understand why I've got this problem :(

When I run "top" or "uptime" all seems to work well ...
I've got rrdtool graphs that check CPU and load and they seem normal too ...

Does someone have some ideas?
Any clue or tips to isolate/resolve the problem are welcome.

Regards

From olexat at post.cz Fri Feb 23 17:10:53 2007
From: olexat at post.cz (olexat@post.cz)
Date: Fri Feb 23 17:11:03 2007
Subject: [LARTC] ttshaper 1.0 released!
Message-ID: <999.1845-22085-1613535551-1172247053@post.cz>

Hello there,

Traffic shaping tool ttshaper 1.0 released!
For more info, visit http://exef.xko.cz/others/others.htm

Regards,
Tom

ExEf - the Ultimate Effect Processor - GNU Linux
*** http://exef.xko.cz ***

From larry.brigman at gmail.com Fri Feb 23 18:31:07 2007
From: larry.brigman at gmail.com (Larry Brigman)
Date: Fri Feb 23 18:31:12 2007
Subject: [LARTC] Ethernet bridge overflow ?
In-Reply-To: <45DF107C.8080403@wanadoo.fr>
References: <45DF107C.8080403@wanadoo.fr>

On 2/23/07, Sébastien CRAMATTE wrote:
> Hello,
>
> I've set up an ethernet bridge on a Debian sarge 3.1 with l7-filter +
> ipp2 shaper rules
> The server is a Supermicro P4SCI + Celeron Pentium 4 based 3GHz + 512Mb
> + 2 ethernet e1000
>
> One interface is connected to a Cisco Catalyst switch
> The other interface is connected directly to a CMTS (a sort of router
> for cable modems) configured as a bridge too.
>
> More than 20Mbps of bandwidth crosses this bridge. Most of this traffic is
> p2p (~80%)
> When traffic goes over 14Mbps the bridge seems to saturate (overflow?)
> and starts to make collisions and lose packets
>
> I've taken a look at this paper
> http://facweb.cti.depaul.edu/jyu/Publications/Yu-Linux-TSM2004.pdf
>
> And with a Duron 1,3GHz+512 mbps he obtains these values
>
> Input Rate        28,444,444 (bps)
> Latency           29 (us)
> Throughput        28,000,000 (bps)
> Linux CPU         77% Occupancy
>
> A Duron 1,3 is less powerful than a Celeron P4 3 ... So I don't
> understand why I've got this problem :(
>
>
> When I run "top" or "uptime" all seems to work well ...
> I've got rrdtool graphs that check CPU and load and they seem normal too ...
>
> Does someone have some ideas?
> Any clue or tips to isolate/resolve the problem are welcome
>

One thing that is possible is that you are getting receive-starved. Look to see if your network drivers have NAPI configured.

Also look at the FAQ on the bridge site: http://linux-net.osdl.org/index.php/Bridge
They have a mailing list also, but it is not as active as LARTC.

From azez at ufomechanic.net Fri Feb 23 18:33:49 2007
From: azez at ufomechanic.net (Amin Azez)
Date: Fri Feb 23 18:34:11 2007
Subject: [LARTC] Here's the code: XML routing
Message-ID: <45DF257D.9020205@ufomechanic.net>

I've put together scripts to save the routing tables in text or xml form. This message explains
1. how they are used
2. the approach I have taken
3. what is needed next.

This is related to other work which converts iptables to xml and back (now in iptables 1.3.7), htb files into xml and xml to tc commands (complete but not yet released) and ebtables to xml and back (to be released any day now). I find that having iptables, ebtables, tc and ip route as xml permits some very useful manipulations.

This first draft is thorough, but maybe not correct, so I welcome feedback; please see STRATEGY further down.

I've made use of bash's <( ) to package some external resource files (large sed script and xslt) in the same bash script so there is only one file to distribute and try out. You will need xsltproc to restore xml routes.

Basic Usage
===========

iproute save [-x][-t][-s] [filename]

will save the rules and routes in text [-t] format (default) or xml [-x] format, and with [-s] or without the /proc/sys/net/ipv4/route routing parameters. The save is atomic.

iproute restore [-x][-t][-s] [filename]

behaves similarly. If iproute restore fails to restore the routes, it attempts to roll back to the previous set of routes. Conversion to xml is managed with sed; conversion from xml requires xsltproc, a command line C based xslt 1.0 processor.

iproute flush

will pretty much flush the rules and routes; this is also done before restore or rollback. See Strategy.

Formats - TEXT
--------------

The text format is roughly the same as:

( ip -o rule show ; ip -o route show table all )

but has a notation like:

> error_burst 1250

for the sysctl parameters; which are converted to

echo 1250 > /proc/sys/net/ipv4/route/error_burst

Formats - XML
-------------

The xml format is along these lines:

...
Strategy
========

Flushing
--------

Before applying routes and rules (or rolling back previous routes and rules on failure) some kind of routing table flush is needed. The difficulty I am under is knowing what should be flushed and what should not.

I guess if someone is using a routing daemon, they won't be using this - although I could be wrong; thus I only need to be careful where proto = kernel, or I can be liberal where proto = boot (or not specified). As the kernel only fiddles with routes in the main and default tables, I don't bother to check proto generally.

Also I don't want to fiddle with the local table. I've decided not to fiddle with the default table (is this right?). I empty every other table totally, except the main table where I preserve routes with scope=link, as to my dull mind messing with these would be silly. I delete all rules except 0, 32766 and 32767.

So, yes, I also delete the default gateway.

If someone also wanted to use this on a system with a routing daemon running, we should probably pay more attention to the proto parameter; I would need to talk with someone who knows more about mixing routing daemons with non-daemon routes.

I flush tables using the "ip route flush" command.

Parsing / Restoring
-------------------

I flush or restore rules by some sed which converts the initial priority and colon to the keyword priority; combined with the rest of the output this seems parsable as input.

Similarly for tables, prefixing route add or route delete to the results of a line from:

ip -o route show table all

seems a good way to delete or restore a route individually.

dev entry
---------

When restoring routes it seems prudent to remove the dev entry for any via unless it is an onlink route, for the reason that generally the dev entry was not specified initially but divined from the device tables and netmasks and such, and it would be a good idea to let ip route do this again in case the interface addressing has changed.
Currently the dev entry is removed during xml restore and not text restore. It should probably be removed during save, so that it may be specified strictly as part of a fresh xml routing profile without being ignored. This would have the disadvantage that when save were used for diagnostic or informational purposes the dev information would be missing.

Local Main Default
------------------

Likewise, for informational reasons, the default, local and main tables (and their rules) are saved, but skipped when a restore takes place. It is presumed that whatever set these tables up in the first place (and their rules) has done the same again.

The only exception is that routes for default are processed if they have no scope (text restore) or they are default routes (xml restore). This difference is historical and should be removed.

Converting to XML
-----------------

I've written a few scripts to convert from various text formats to xml. This one was the most fun yet.

I do rely on the fact that ip route spits out simple text that does not need any xml escaping (my other conversions do xml escaping properly).

Because the output of ip route is structured fluidly (the via information appears in the middle of the per-route information unless there is more than one hop) and because I'm not entirely sure of all the outputs of ip route, I've structured the xml conversion to detect when unrecognized parameters exist, and output xml comments to warn of this.

Those who have used sed heavily will know it only has 2 variables: the "current" line, and a "spare". I've made cunning use of these in ways that will be hard to grasp and easy to break if you don't know sed well. It's not as spaghetti as it looks; I have had to develop certain idioms for converting to xml, and once you spot these a new macro-level understanding will coalesce, making the whole thing easier to understand.

Why did I use sed, seeing how complicated it is?
I've learned that using bash to convert xml is a SLOW mistake, and I really don't want to introduce dependencies on anything even as big as awk - which probably would have done a better job (what with having more than two variables, and hashes and all!). So what about xsltproc? libxslt and xsltproc are smaller than gawk. Also, I was learning sed for fun and wanted to see how far I could push it.

However, generating XML is generally simple; if what I have done is worthwhile, it will be simple enough to get the ip command to output xml as an alternative format.

Converting from XML
-------------------

I've been generating bash-able output from XML for quite some time and developed a full xslt library of escape functions to prevent injection errors from crafted xml. For this project, and to keep the xslt dependencies simple, I've tried a new strategy, which is to not generate bash script lines and execute them, but instead to validate the output in bash and use it as parameters instead of commands, reducing the scope for naughtiness.

Because the xml saving was done before the text saving, the xslt generates ip route commands directly instead of generating the text format and then using the text format conversion. The asymmetry is interesting but I don't plan to do anything about it.

Next Steps
==========

This work suits me and my employer, but we don't see why we should be the only ones to benefit. Our benefit is not in having xml routes, but in how we process the xml.

Those who have an interest, please examine this and see how useful it is. I have a source-rpm as well which I will distribute once we've reviewed this once.

-------------- next part --------------
#!/bin/bash
# iproute - save and restore ip route's in text or xml format
# Copyright (C) UFO Mechanic
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the:
# Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

# Severe error means we left the system in an unknown state
# probably with partial routing. It means the new routes wouldn't
# go in and we couldn't restore the old ones
ERROR_SEVERE=4

# Mild errors means we didn't do what we were asked, but as far as
# we can tell it was a clean failure and nothing is damaged

# System error means basic things failed, like creating files in /tmp
# If the environment isn't useful, there's not much we can do.
# System errors are mild
ERROR_SYSTEM=3

# XML error means the xml processor failed, probably bad xml
ERROR_XML=2

# ROUTE error means that ip would not process the route commands,
# perhaps bad xslt or good xml specifying a bad configuration
ERROR_ROUTE=1

SYSCTL_ATTR="error_burst gc_elasticity gc_min_interval_ms max_delay min_delay redirect_load secret_interval error_cost gc_interval gc_thresh max_size min_pmtu redirect_number gc_min_interval gc_timeout min_adv_mss mtu_expires redirect_silence"
SYSCTL_PATH="/proc/sys/net/ipv4/route"

IPROUTE_TMP=/tmp/iproute-save.$$
SYSCTL=""
FORMAT="text"

# clean up temporary files
on_exit() {
    rm -f /tmp/rollback.$$ /tmp/route.$$ $IPROUTE_TMP
}
trap on_exit 0

# validate echo nnn > /proc/sys/net/ipv4/route/*
# and execute according to PERMIT_SYSCTL
ip_sysctl() {
    if [ "$1" = "echo" -a "$3" = ">" -a "$#" = 4 ]
    then
        case "$4" in
        *..*) ;;            # escape any dodgy paths
        /proc/sys/net/ipv4/route/*)
            # it's legal, is it permitted?
            if [ -n "$SYSCTL" ]
            then
                echo "$2" > "$4" || return $ERROR_ROUTE
            fi
            return
            ;;
        esac
    fi
    echo "Bad set route parameter: $*" >&2
    return $ERROR_ROUTE
}

# Rather than pipe xsltproc output directly to a shell,
# we avoid shell injection, and inspect each line (read from stdin)
ip_run_commands() {
    while read ip_line
    do
        set -- $ip_line
        case "$1" in
        ip) "$@" || return $?;;
        echo) ip_sysctl "$@" || return $?;;
        '#'*|'') ;;
        *) echo "Invalid IP command: $*" >&2
           # It's severe until we rollback
           return $ERROR_SEVERE;;
        esac
    done
}

# convert ip show/save format to shell commands.
# also handles sysctl's denoted by >
ip_save_to_commands() {
    sed -e '/^[0-9]*:/{
    # its a rule
    /^0:/d;/^32766:/d;/^32767:/d;
    s/ none *$/ 0/;s/^\([^: \t]*\)[:\t ]*/ip rule add pref \1 /;t;d
    }
    /^> /{
    # its a sysctl
    tSYSCTL
    :SYSCTL
    s/^> *\([^ ]*\) *\(.*[^ ]\) *$/echo \2 > \/proc\/sys\/net\/ipv4\/route\/\1/
    tSYSCTL_OK
    s/^/#/
    :SYSCTL_OK
    b
    }
    # must be a table
    / table local /d;
    / table default /d;
    # ignore non-global scope for main
    / table /!{ / scope /d };
    / table main /{ / scope /d };
    s/\\\t/ /g;
    # fix bad rtt suffixes
    s/\( rtt[^ ]* [0-9]*\)[^ ]*/\1/g;
    s/^/ip route add /'
}

# read rules in a way ready to do ip rule add, ip rule delete on
# "$1" is inserted to the beginning of the line
# Ignores rules 0, 32766 and 32767
ip_read_rules() {
    ip rule show | sed -e '/^0:/d;/^32766:/d;/^32767:/d;s/ none *$/ 0/;s/^\([^: \t]*\)[:\t ]*/'"$1"' pref \1 /;t;d'
}

# read routes in a way to do ip route add or ip route delete on
# "$1" is inserted at the beginning of the line
# Ignore default and local and scope links in main
ip_read_routes() {
    # here we are relying on the double space that occurs before the keyword table
    # and the single space that always follows the table name
    # We also remove the ms suffix from the rtt and rttvar parameters.
    # BUG: route show displays a smaller rtt than was set, so each rollback shrinks rtt.
    # rttvar does not have this problem
    ip -o route show table all | \
    sed -e '/ table local /d;/ table default /d;/ table /!{/ scope /d};s/\\\t/ /g;s/\( rtt[^ ]* [0-9]*\)[^ ]*/\1/g; s/^/'"$1"' /'
}

# output table names apart from main, local, default
ip_show_tables() {
    ip -o route show table all | \
    sed -ne '1{x;s/^.*/ main local default 255 254 253 /;x;tDone;:Done;};s/^.* table *\([^ ]*\).*/\1/;T;G;/^\([^\n]*\)\n.* \1 /!{P;s/\n/ /;s/^/ /;x;}'
}

# Flush existing rules
ip_flush_rules() {
    ip_read_rules "ip rule del" | ip_run_commands
}

# Flush existing tables entirely (except local, main, default)
# Of main, flush non local scope rules.
Local scope rules seem to # refer to per-local-ip routes ip_flush_routes() { ip_show_tables | \ while read table do ip -o route flush table $table done # Flush non link scope'd rules from main - call that scope global for now ip route del table main scope global &>/dev/null } # produce a set of ip commands which will restore a newly # flushed routing table to it's current state ip_prepare_rollback() { save_text } flush() { # perhaps we should only delete proto boot routes (and only scope globan for table main) ip_flush_routes # ..and perhaps we should only delete rules whose tables are now empty? ip_flush_rules } ip_rollback() { flush ip_save_to_commands < /tmp/rollback.$$ | ip_run_commands } restore_text() { ip_save_to_commands < "$FILE" > /tmp/route.$$ || return $ERROR_ROUTE ip_run_commands < /tmp/route.$$ || return $? } # generate ip commands, don't execute unless we do this successfully restore_xml() { xsltproc <( iproutexml_xslt ) "$FILE" > /tmp/route.$$ || return $ERROR_XML ip_run_commands < /tmp/route.$$ || return $? } save_text() { test -n "$SYSCTL" && for attr in $SYSCTL_ATTR do read f < "$SYSCTL_PATH/$attr" echo "> $attr $f" done ip -o rule show ip -o route show table all } save_xml() { save_text | iproute2xml } save() { test -n "$1" && IPROUTE_TMP="$1.$$" if save_$FORMAT > "$IPROUTE_TMP" then if [ -n "$1" ] then mv "$IPROUTE_TMP" "$1" || exit 1 else cat "$IPROUTE_TMP" fi else exit 1 fi } restore() { FILE="${1:-/dev/stdin}" if ! ip_prepare_rollback > /tmp/rollback.$$ then echo "Can't prepare rollback file" >&2 return $ERROR_SYSTEM fi flush # apply xml routes or rollback if restore_$FORMAT "$@" then # flush routing cache ip route flush cache else # need to roll-back previous route echo "Attempting to restore previous routing table" >&2 if ! ip_rollback then echo "Rollback failed!" 
>&2 return $ERROR_SEVERE fi return $ERROR_ROUTE fi } help() { case "$0" in *save) ;; *restore) ;; *) action=" [save|restore]";; esac cat<&2 ; help >&2; exit 1;; esac done shift $(($OPTIND - 1)) case "$0" in *save) save "$@";; *restore) restore "$@";; *) "$@";; esac } # This was a standalone sed script, but I built it into bash for fun and ease of initial distribution iproute2xml() { sed -n -f <( iproute2xml_sed ) } iproute2xml_sed() { cat<<'ENDOFSED' #! /bin/sed -nf # invoke like this: # ( ip -o rule show ; ip -o route show table all ) | ./iproute2xml # or # ( echo 'echo attr="value" attr2="value2"' ; ip -o rule show ; ip -o route show table all ) | ./iproute2xml # to have the attributes inserted into the outer node; e.g. # e.g. # ( echo "echo 2 > /proc/sys/net/ipv4/route/error_bust"; ip -o rule show ; ip -o route show table all ) | ./iproute2xml 1{ # if it's a "special" attributes line merge it with the open tag tOpenTag :OpenTag /^> /{ # looks like a sysctl routing param x s/^.*/ *\([^ \/]*\) *\(.*[^ ]\) *$/\1="\2"/ TSkipAttr H :SkipAttr n /^> /bMakeAttr # thats all attributes done x s/\n/ /g s/$/>/ p s/^.*// x bDoneOpenTag } :StaticOpenTag i :DoneOpenTag } ${# close dangling tags x /^:/a\ \ /^[^:\n]/{ a\ \ \ \ a\ \ } a x } # line 1 of h will contain the current table, or : if we are processing rules /^[0-9][0-9]*:/{# rules... x /^:/!{# open rules tag i\ \ } s/^.*// # keep copy of line for error reporting g x # now process input line itself. # leave un-recognized fragments on line 2 so we can warn about them s/^\([0-9][0-9]*\):[\t ]*/ \n/ # anything left on line 2 is unrecognized attributes of the rule /\n *[^ ]/{ # save line 2 on to the end of holding space as warning s/\n */\n Warning; Unknown ip rule arguments: / G h s/[^\n]*\n\([^\n]*\)\(.*\)/\2\n\1/ s/^\n* *// x } # strip line 2 s/\n.*// # print output, comments first, if any... 
    x
    ## ADJUST: Un-comment this line to stop input appearing as output comment unless there is an error
    /\n/!s/^.*//
    /^./{
        s/^/\n /
        p
    }
    x
    p
    # note that we have an open rule tag
    s/^.*/:/
    x
    d
}
# soo... it must be a table entry
{
    # holding space line 1 is used to hold currently open table name
    # holding space line 2 and onwards will be for xml comments and errors
    x
    s/\n.*//
    # keep copy of input for error reporting
    G
    x
    # normalize multi-hop lines into multiple lines
    s/\\\tnexthop /\n /g
    tStartRoute
    :StartRoute
    s/^ *\(via\|anycast\|unicast\|local\|broadcast\|multicast\|throw\|unreachable\|prohibit\|\blackhole\|\nat\) *\([^ ]*\)/
    # do we need to open a tables tag?
    /^:*\n/i\
\
    # do we need to close a table tag?
    /^[^:\n]/i\
\
\
\
    # get rid of table tag
    s/[^\n]*\n\([^\n]*\n[^\n]*\ntable *\([^ \n]*\)\)/ \n\2\n\1/
    P
    # strip tag
    s/^[^\n]*\n//
}
# and strip current line so we just have table name and original line again
s/\n\([^\n]*\).*/\n\1/
x
# combine the table tag from line 2 with line 1
s/^\([^\n]*\)\ntable *\([^\n ]*\) */\1\n/
# anything left in line 2 is unrecognized NODE-SPEC.
{
    H
    x
    tNodeSpecWarning
    :NodeSpecWarning
    # Copy unknown node-spec to line 3
    s/^\([^\n]*\)\n *\([^\n]*\n\)[^\n]*\n\([^\n][^\n]*\).*/\2 Warning; Unknown NODE-SPEC attributes: \3 \n\1/
    tDoneNodeSpecWarning
    # There was no warning needed, copy a second line instead of warning
    s/^\([^\n]*\)\n *\([^\n]*\n\).*/\2\n\1/
    :DoneNodeSpecWarning
    # And if there is no warning, remove the input line unless it is wanted anyway
    # ADJUST: Comment-out this line to show input lines even if no error
    s/^\([^\n]*\)\n\n\(.*\)/\n\n\2/
    s/ *\n *\n */\n/
    /^[^\n].*\n/{
        # is there anything to be said?
        s/^/\n \n/
        # Need to print everything except last line;
        :NodeSpecWarningPrint
        P
        s/^[^\n]*\n//
        /\n/bNodeSpecWarningPrint
    }
    s/.*\n//
    x
}
# ASSERT holding space has only 1 line again which is the table name
# close the tag on line 1
s/\n/>\n/
# if we dont have anything else to analyse then self-close the tag
# is there a none-space character after line 2?
tclosing
:closing
/^[^\n]*\n[^\n]*\n.*[^ \n]/!s/>\n/\/>\n/
P
tend
# we have to output the different hop tags, chop off first line
s/^[^\n]*\n//
tvia
# reset t command
:via
# and empty the second line
s/^[^\n]*//
# if there is nothing left we are done...
/^\n./!bdonevia
# chop off previous line
s/[^\n]*\n//
# remember current line for warnings
H
x
s/$/\n/
# Store line after line 1 table name
s/\([^\n]*\n[^\n]*\).*/\1/
x
# off we go...
s/^/ \n/
# if there is anything left in line 2 we need to raise a warning
{
    H
    x
    tHopSpecWarning
    :HopSpecWarning
    # Copy unknown node-spec to line 3
    s/^\([^\n]*\)\n *\([^\n]*\n\)[^\n]*\n *\([^\n ][^\n]*\).*/\2 Warning; Unknown NEXT-HOP attributes: \3\n\1/
    tDoneHopSpecWarning
    # There was no warning needed, copy a blank line
    s/^\([^\n]*\)\n *\([^\n]*\n\).*/\2\n\1/
    :DoneHopSpecWarning
    # And if there is no warning, remove the input line unless it is wanted anyway
    # ADJUST: Comment-out this line to show input lines even if no error
    s/^\([^\n]*\)\n\n\(.*\)/\n\n\2/
    s/ *\n *\n */\n/
    /^[^\n].*\n/{
        # is there anything to be said?
        s/^/\n \n/
        # Need to print everything except last line;
        :HopSpecWarningPrint
        P
        s/^[^\n]*\n//
        /\n/bHopSpecWarningPrint
    }
    s/.*\n//
    x
}
P
s/^[^\n]*\n//
bvia
:donevia
i\
\
\
\
\
\
:end
}
ENDOFSED
}

iproutexml_xslt() {
    cat<<'ENDOFXSLT'
Illegal characters in iproute attributes: echo > ip rule add from to tos fwmark dev pref table 0 realms ip route add dev tos table proto scope src metric mtu lock advmss rtt rttvar window cwn realms nexthop via dev weight
ENDOFXSLT
}

main "$@"

From s.cramatte at wanadoo.fr Fri Feb 23 19:30:39 2007
From: s.cramatte at wanadoo.fr (Sébastien CRAMATTE)
Date: Fri Feb 23 19:31:14 2007
Subject: [LARTC] Ethernet bridge overflow ?
In-Reply-To:
References: <45DF107C.8080403@wanadoo.fr>
Message-ID: <45DF32CF.3080609@wanadoo.fr>

I've just checked my kernel compilation and NAPI is enabled for both nics...
Normally the load should appear in the "top" or "uptime" command?

From alex at samad.com.au Fri Feb 23 19:40:44 2007
From: alex at samad.com.au (Alex Samad)
Date: Fri Feb 23 19:40:58 2007
Subject: [LARTC] Split access, load balancing AND forwarding: HOW?
In-Reply-To: <000101c7571b$ee2eda90$02bca8c0@freelance>
References: <001201c7563d$e96c2140$02bca8c0@freelance> <200702230006.53744.luciano@lugmen.org.ar> <000101c7571b$ee2eda90$02bca8c0@freelance>
Message-ID: <20070223184044.GM17130@samad.com.au>

On Fri, Feb 23, 2007 at 03:23:42PM +0800, Ming-Ching Tiew wrote:
> From: "Luciano Ruete"
> >
> > This solution works in theory and in practice, so plz, get your hands dirty
> > before you post your next great idea.
> >
>
> I understand your explanation fully but believe me I also have got
> hands-on experience with using the alternative, ie
>
> 1. I don't use multipath weight routing.
> 2. I use PREROUTING all the way, ie I don't use POSTROUTING.
>
> Instead, I use iptables 'recent' and 'statistics'/'random' match to achieve
> load sharing.

hi

sorry missed the previous bits of the thread, could you post the relevant info,
interested to see how this works and why you would pick it over the multipath
method

>
> I have used this for many years already, believe me I am not theoretical.
> It's just a matter of different ways of doing things. If you search the web
> it will come upon many others using the same method I used.
>
> Cheers
>
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

From s.cramatte at wanadoo.fr Fri Feb 23 20:28:19 2007
From: s.cramatte at wanadoo.fr (Sébastien CRAMATTE)
Date: Fri Feb 23 20:28:51 2007
Subject: [LARTC] Conntrack table full and Heavy p2p loaded traffic manager ...
Message-ID: <45DF4053.8090104@wanadoo.fr>

Hello

I've set up a bridge with l7-filter and ipp2p. We have every day + or - between 10Mbits and 30 Mbits P2P traffic from + or - 450 customers.
When traffic increases, I get this kind of error message:

Feb 23 14:26:19 gestor1 kernel: printk: 38 messages suppressed.
Feb 23 14:26:19 gestor1 kernel: ip_conntrack: table full, dropping packet.

The server is celeron pentium 4 based 3Ghz + 512Mb ram

Could anyone suggest the best values for

net.ipv4.netfilter.ip_conntrack_max
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established

Maybe I can tune other kernel values?

Thanks for your help

Regards

_______________________________________________
L7-filter-users mailing list
L7-filter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/l7-filter-users

From mingching.tiew at redtone.com Sat Feb 24 00:59:53 2007
From: mingching.tiew at redtone.com (Ming-Ching Tiew)
Date: Sat Feb 24 01:00:36 2007
Subject: [LARTC] Split access, load balancing AND forwarding: HOW?
References: <001201c7563d$e96c2140$02bca8c0@freelance> <200702230006.53744.luciano@lugmen.org.ar> <000101c7571b$ee2eda90$02bca8c0@freelance> <20070223184044.GM17130@samad.com.au>
Message-ID: <005001c757a6$b69934f0$02bca8c0@freelance>
From: "Alex Samad"
> hi
>
> sorry missed the previous bits of the thread, could you post the relevant info,
> interested to see how this works and why you would pick it over the multipath
> method

Please note my checking of marked traffic is not (according to the earlier posts)

> iptables -t mangle .... -m mark --mark ! 0 -j ACCEPT

However, it is :-

> iptables -t mangle .... -m mark ! --mark 0 -j ACCEPT

I leave it to you guys to decide which is the correct syntax.

The code below is taken from part of my bigger code :-

Cheers.

---------------------code-------------------------------------------
LINK1_MARK=5
LINK2_MARK=7
# probability that a new, not-yet-seen outbound flow is sent to link2
OUTSIDE_DEV2_WEIGHT=0.5
INSIDE_DEVICE=eth0
OUTSIDE_DEVICE=eth1
OUTSIDE_DEVICE2=eth2

SAVEMARK="-m mark ! --mark 0 -j CONNMARK --save-mark"
ACCEPTMARK="-m mark ! --mark 0 -j ACCEPT"
SETMARK1="-j MARK --set-mark ${LINK1_MARK}"
SETMARK2="-j MARK --set-mark ${LINK2_MARK}"

#
#first, restore and accept the mark if there is any
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING ${ACCEPTMARK}

#handle inbound for link1
iptables -t mangle -A PREROUTING -i ${OUTSIDE_DEVICE} ${SETMARK1}
iptables -t mangle -A PREROUTING -i ${OUTSIDE_DEVICE} ${SAVEMARK}
iptables -t mangle -A PREROUTING ${ACCEPTMARK}

#handle inbound for link2
iptables -t mangle -A PREROUTING -i ${OUTSIDE_DEVICE2} ${SETMARK2}
iptables -t mangle -A PREROUTING -i ${OUTSIDE_DEVICE2} ${SAVEMARK}
iptables -t mangle -A PREROUTING ${ACCEPTMARK}

# (other features implementation snipped )

#handle recent outbound
iptables -t mangle -A PREROUTING -i ${INSIDE_DEVICE} -m recent --name link1 \
    --update --seconds 300 ${SETMARK1}
iptables -t mangle -A PREROUTING -i ${INSIDE_DEVICE} -m recent --name link2 \
    --update --seconds 300 ${SETMARK2}
iptables -t mangle -A PREROUTING -i ${INSIDE_DEVICE} ${SAVEMARK}
iptables -t mangle -A PREROUTING ${ACCEPTMARK}

#
#non-recent outbound randomly allocated
#
iptables -t mangle -A PREROUTING -i ${INSIDE_DEVICE} \
    -m statistic --mode random --probability ${OUTSIDE_DEV2_WEIGHT} \
    -m recent --name link2 --set ${SETMARK2}
iptables -t mangle -A PREROUTING -i ${INSIDE_DEVICE} ${SAVEMARK}
iptables -t mangle -A PREROUTING ${ACCEPTMARK}

iptables -t mangle -A PREROUTING -i ${INSIDE_DEVICE} \
    -m recent --name link1 --set ${SETMARK1}
iptables -t mangle -A PREROUTING -i ${INSIDE_DEVICE} ${SAVEMARK}
iptables -t mangle -A PREROUTING ${ACCEPTMARK}

From lartc at ethen.de Sat Feb 24 03:05:59 2007
From: lartc at ethen.de (Markus)
Date: Sat Feb 24 03:05:53 2007
Subject: [LARTC] source policy routing and SNAT - wrong hardware adress
Message-ID: <200702240305.59696.lartc@ethen.de>

Hi,

when using different routing tables, outgoing packets after SNAT always have hw-addresses as if the packet was coming from my machine. So a forwarded packet to default gw x on eth0 gets hw-addresses as if the same packet with origin loopback was routed to default gw y on network wlan0, which is different.

I do "ip rule add iif lo table mine" and some "ip route add ... table mine" for locally generated traffic. My "main" rt is configured for forwarded traffic.
"iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.1.10" for NAT.
(eth1 <-> [NAT] <-> eth0, [local]<->[wlan0]).

Thanks for your help
Markus

From andy at andybev.com Sat Feb 24 11:37:45 2007
From: andy at andybev.com (Andrew Beverley)
Date: Sat Feb 24 11:38:53 2007
Subject: [LARTC] Conntrack table full and Heavy p2p loaded traffic manager ...
In-Reply-To: <45DF4053.8090104@wanadoo.fr>
References: <45DF4053.8090104@wanadoo.fr>
Message-ID: <1172313465.4248.6.camel@andybev.localdomain>

> I've set up a bridge with l7-filter and ipp2p. We have every day + or
> - between 10Mbits and 30 Mbits P2P traffic from + or - 450 customers.
> When traffic increases, I get this kind of error message:
>
> Feb 23 14:26:19 gestor1 kernel: printk: 38 messages suppressed.
> Feb 23 14:26:19 gestor1 kernel: ip_conntrack: table full, dropping packet.

Not necessarily the answer you were looking for, but this is what connlimit was written for. Connlimit will limit the number of parallel TCP connections per host. Do something like:

iptables -t mangle -A PREROUTING -p tcp -i eth0 --dport 1024: \
    -m connlimit --connlimit-above 30 -j DROP

connlimit is not in the vanilla kernel at the minute; you need to patch with pom. You can download pom from http://ipset.netfilter.org/install.html, but you may need to patch pom first! See http://lists.netfilter.org/pipermail/netfilter-devel/2006-July/025090.html

Andy Beverley

From luciano at lugmen.org.ar Sun Feb 25 02:37:33 2007
From: luciano at lugmen.org.ar (Luciano Ruete)
Date: Sun Feb 25 02:37:45 2007
Subject: [LARTC] Conntrack table full and Heavy p2p loaded traffic manager ...
In-Reply-To: <45DF4053.8090104@wanadoo.fr>
References: <45DF4053.8090104@wanadoo.fr>
Message-ID: <200702242237.33902.luciano@lugmen.org.ar>

On Friday 23 February 2007 16:28, Sébastien CRAMATTE wrote:
> Hello
>
> I've set up a bridge with l7-filter and ipp2p. We have every day + or
> - between 10Mbits and 30 Mbits P2P traffic from + or - 450 customers.
> When traffic increases, I get this kind of error message:
>
> Feb 23 14:26:19 gestor1 kernel: printk: 38 messages suppressed.
> Feb 23 14:26:19 gestor1 kernel: ip_conntrack: table full, dropping packet.
>
> The server is celeron pentium 4 based 3Ghz + 512Mb ram
> Could anyone suggest the best values for
>
> net.ipv4.netfilter.ip_conntrack_max
> net.ipv4.netfilter.ip_conntrack_tcp_timeout_established

leave the timeouts as is, and focus on the conntrack_max. The lnstat command is your friend, it will help to find the magic numbers:

lnstat -f ip_conntrack -i 1 -c 1

this will tell you the number of entries used in real time, so you can put a very large value in ip_conntrack_max and monitor with lnstat and crontab like this:

*/5 * * * * root date >> /var/log/conntrack_watchdog.log; lnstat -f ip_conntrack -i 1 -c 1 >> /var/log/conntrack_watchdog.log

After a couple of days you are ready to put the perfect number for your personal environment. Each conntrack entry is about 350 bytes of non-swappable kernel memory, so you can do your maths to know how much RAM is consumed.

> Maybe I can tune other kernel values?

yes, in large setups it is recommended to change the conntrack hash table size:

modprobe ip_conntrack hashsize=xxx

to avoid having a large amount of entries in the same bucket; this can have performance issues. You can check your actual hash table size by looking at dmesg.

--
Luciano

From administrator at netwlan.net Mon Feb 26 11:39:33 2007
From: administrator at netwlan.net (Ivan Vladimirov)
Date: Mon Feb 26 11:39:59 2007
Subject: [LARTC] Ethernet bridge overflow ?
In-Reply-To: <45DF107C.8080403@wanadoo.fr>
References: <45DF107C.8080403@wanadoo.fr>
Message-ID: <45E2B8E5.5070503@netwlan.net>

Sébastien CRAMATTE wrote:
> Hello,
>
> I've set up an ethernet bridge on a debian sarge 3.1 with l7-filter +
> ipp2p shaper rules
> The server is a supermicro p4sci + celeron pentium 4 base 3ghz + 512Mb
> + 2 ethernet e1000
>
> One interface is connected to a cisco catalyst switch
> The other interface is connected directly to a CMTS (a sort of router
> for cable modem) configured as bridge too.
>
> More than 20Mbps of bandwidth cross this bridge. Most of this traffic is
> p2p (~80%)
> When traffic goes over 14Mbps the bridge seems to saturate (overflow ?
> ) and starts to make collisions and lose packets
>
> I've taken a look at this paper
> http://facweb.cti.depaul.edu/jyu/Publications/Yu-Linux-TSM2004.pdf
>
> And with a duron 1,3Ghz+512 mbps he obtains these values
>
> Input Rate (bps)      28,444,444
> Latency (us)          29
> Throughput (bps)      28,000,000
> Linux CPU Occupancy   77%
>
> A duron 1,3 is less powerful than a celeron p4 3 ... So I don't
> understand why I've got this problem :(
>
>
> When I run "top" or "uptime" all seems to work well ...
> I've got rrdtool graphs that check cpu and load and they seem normal too ...
>
> Does someone have some ideas ?
> Any clue or tips to isolate/resolve the problem are welcome
>
>
> Regards
>

The problem you have is caused by L7-filter. There is a performance problem with this filter.

From korey at zaneray.com Mon Feb 26 22:43:29 2007
From: korey at zaneray.com (Korey O'Dell)
Date: Mon Feb 26 22:43:50 2007
Subject: [LARTC] Multiple uplinks, ssh connections hang
Message-ID: <45E35481.5020106@zaneray.com>

Folks,
I've got two ISP connections that I am using with:
---
ip route add 192.168.200.0/24 dev eth2 src 192.168.200.11 table connection1
ip route add default via 192.168.200.1 table connection1

ip route add x.175.244.0/24 dev eth1 src x.175.244.2 table connection2
ip route add default via x.175.244.1 table connection2

ip rule add from 192.168.200.11 table connection1
ip rule add from x.175.244.2 table connection2

echo "Enabling load balancing between ISP connections..."
ip route add default scope global nexthop via 192.168.200.1 dev eth2 weight 1 nexthop via x.175.244.1 dev eth1 weight 1

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to x.175.244.2
iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to 192.168.200.11
---

The 192.168.200.x (lan) network gets to the internet via another gateway (192.168.200.1). Client machines on the 200.x network work ok except for ssh connections to machines on the internet hanging. It asks for a password and hangs. Any ideas?

Thanks
Korey

From martin at linux-ip.net Mon Feb 26 23:52:55 2007
From: martin at linux-ip.net (Martin A. Brown)
Date: Mon Feb 26 23:53:32 2007
Subject: [LARTC] Multiple uplinks, ssh connections hang
In-Reply-To: <45E35481.5020106@zaneray.com>
References: <45E35481.5020106@zaneray.com>
Message-ID:

Hello there,

 : The 192.168.200.x (lan) network gets to the internet via another
 : gateway (192.168.200.1). Client machines on the 200.x network
 : work ok except for ssh connections to machines on the internet
 : hanging. It asks for a password and hangs. Any ideas? Thanks

Yes. Vincent Jaussaud had a very similar problem (though much larger than yours) several years ago [0]. If you run tcpdump on the client and watch for the ToS to change (just after authentication), it should become very clear what is happening. You must remember that the tuple on which a route is selected includes the ToS.

So, after you have tried to connect to the ssh server in the public Internet from the inside (watching with tcpdump, of course), run "ip route show cache $DEST_IP" and compare the set of results.

If that's at all unclear, maybe this will also help [1].

Good luck,

-Martin

 [0] http://mailman.ds9a.nl/pipermail/lartc/2002q4/005653.html
 [1] http://linux-ip.net/html/routing-selection.html#tb-routing-selection-adv

--
Martin A. Brown
http://linux-ip.net/

From mingching.tiew at redtone.com Tue Feb 27 00:42:38 2007
From: mingching.tiew at redtone.com (Ming-Ching Tiew)
Date: Tue Feb 27 00:43:28 2007
Subject: [LARTC] Multiple uplinks, ssh connections hang
References: <45E35481.5020106@zaneray.com>
Message-ID: <003201c759ff$ce44dae0$02bca8c0@freelance>
From: "Korey O'Dell"
>
> The 192.168.200.x (lan) network gets to the internet via another gateway
> (192.168.200.1).
> Client machines on the 200.x network work ok except for ssh connections
> to machines on the internet hanging. It asks for a password and hangs.
> Any ideas? Thanks Korey
>

SSH is a good test of whether you have set up your multiple uplinks correctly. You need CONNMARK, so that once a session is established with one uplink, it continues to stay with the same uplink. SSH does not like it if you change uplink in the middle of one session.

Cheers.

From dennyzulfikar at gmail.com Tue Feb 27 02:12:17 2007
From: dennyzulfikar at gmail.com (Denny Zulfikar)
Date: Tue Feb 27 02:12:22 2007
Subject: [LARTC] Multiple uplinks, ssh connections hang
In-Reply-To: <45E35481.5020106@zaneray.com>
References: <45E35481.5020106@zaneray.com>
Message-ID:

Hello korey,

I don't think your configuration will work well, because it is balancing connections using "weight". So, if you have connection-oriented applications that must be sure to pass their traffic over only one connection (such as ssh and https - please try to test opening and logging in to hotmail.com), it will fail when the default routing switches from one gateway to another (round robin).

Don't use this config for connection-oriented applications. It's a round robin rule, that will switch from one gateway to another without noticing/knowing about the traffic type.
"ip route add default scope global nexthop via 192.168.200.1 dev eth2 weight 1 nexthop via x.175.244.1 dev eth1 weight 1"

please refer to this documentation on how to develop a multiple internet connection gateway.
http://linux-ip.net/html/adv-multi-internet.html

Best Regards,
Denny Z

On 2/27/07, Korey O'Dell wrote:
> Folks,
> I've got two ISP connections that I am using with:
> ---
> ip route add 192.168.200.0/24 dev eth2 src 192.168.200.11 table connection1
> ip route add default via 192.168.200.1 table connection1
>
> ip route add x.175.244.0/24 dev eth1 src x.175.244.2 table connection2
> ip route add default via x.175.244.1 table connection2
>
> ip rule add from 192.168.200.11 table connection1
> ip rule add from x.175.244.2 table connection2
>
> echo "Enabling load balancing between ISP connections..."
> ip route add default scope global nexthop via 192.168.200.1 dev eth2
> weight 1 nexthop via x.175.244.1 dev eth1 weight 1
>
> iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to x.175.244.2
> iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to 192.168.200.11
>

From cpwp at w3z.co.uk Tue Feb 27 12:20:01 2007
From: cpwp at w3z.co.uk (Charles Price)
Date: Tue Feb 27 12:20:26 2007
Subject: [LARTC] Creating a contended section of bandwidth with HTB and IMQ
Message-ID: <200702271120.02584.cpwp@w3z.co.uk>

Hi All,

I'm trying to create a contended section of bandwidth using IMQ. I have the imq0 device up and running, with traffic passing through it.

Firstly, I need to throttle the entire device imq0 to 2mbit/s. I would then like to add throttle rules for individual IP addresses, allowing them to pass up to 512kbit/s each, as long as imq0 has not reached its 2mbit/s.

The configuration I currently have is as follows:

tc qdisc add dev imq0 root handle 1: htb default 1
tc class add dev imq0 parent 1: classid 1:1 htb rate 2mbit burst 15k

# IP 10.0.0.10
tc class add dev imq0 parent 1:1 classid 1:10 htb rate 512kbit
tc qdisc add dev imq0 parent 10 handle 10: sfq
tc filter add dev imq0 protocol ip parent 1: prio 10 u32 \
    match ip src 10.0.0.10/32 flowid 1:10

# IP 10.0.0.20
tc class add dev imq0 parent 1:1 classid 1:20 htb rate 512kbit
tc qdisc add dev imq0 parent 20 handle 20: sfq
tc filter add dev imq0 protocol ip parent 1: prio 20 u32 \
    match ip src 10.0.0.20/32 flowid 1:20

Both IP addresses (10.0.0.10 and 10.0.0.20) acquire their 512kbit/s without problem. However, when I add more classes like the ones above and pass plenty of traffic, each IP address still obtains its full 512kbit/s - regardless of the 2mbit/s limit in the root class.

Is there a way to achieve this?

Thanks in advance,

Charlie

From thelastmohican54 at gmail.com Tue Feb 27 17:31:09 2007
From: thelastmohican54 at gmail.com (mohican 542003)
Date: Tue Feb 27 17:31:25 2007
Subject: [LARTC] Incoming traffic
Message-ID: <519f77360702270831v2dd01e3bu6af6c75de50d96eb@mail.gmail.com>

Hello,

with the command:

tc filter add dev eth0 parent ffff: protocol ip u32 match ip src 192.168.2.6 police rate 10000kbit burst 10000kbit drop flowid :1

we can limit traffic coming from 192.168.2.6.

I would like:
for 192.168.1.2, 192.168.1.4 limit to 10mbit
for 192.168.1.3, 192.168.1.5 limit to 20mbit
other ip would have no limit.

Is it possible with tc?

Regards
Olivier.

From alex at samad.com.au Tue Feb 27 22:16:24 2007
From: alex at samad.com.au (Alex Samad) Date: Tue Feb 27 22:16:37 2007 Subject: [LARTC] Multiple uplinks, ssh connections hang In-Reply-To: References: <45E35481.5020106@zaneray.com> Message-ID: <20070227211624.GD17130@samad.com.au> On Tue, Feb 27, 2007 at 08:12:17AM +0700, Denny Zulfikar wrote: > Hello korey, > > I don't think your configuration will work well, because there're > balancing using "weight" connection. So, if you have > connection-oriented-application that must sure passing their traffic > only from one connection (such as ssh and https-please try to test > open and login to hotmail.com), it will fail when the default routing > switch from one gateway to another (round robin). > > Dont use this config for connection-oriented application. it's round > robin rule, that will switch from one gateway to another without > notice/know about traffic type. > "ip route add default scope global nexthop via 192.168.200.1 dev eth2 > weight 1 nexthop via x.175.244.1 dev eth1 weight 1" I have been using default proto static metric 5 nexthop via 138.130.8.1 dev vlan2 weight 1 nexthop via 10.20.20.243 dev ppp0 weight 20 for over 4 years and it has worked fine for me, for ssh and other connection oriented applications. the key thing is to have contrack (or its new incarnation) loaded. the default rule is only used when you don't have a source address or route cache entry. When you ssh through the machine, the syn packet uses the default route, but it also setups a entry in contrack, all other packets will have a source and dest address. These will match up the ip rul statements. if you followed your link onto julian pages http://www.ssi.bg/~ja/nano.txt, there is a howto on this ! > > please refer to this documentation howto develop multpile internet > connection gateway. 
> http://linux-ip.net/html/adv-multi-internet.html
>
> Best Regards,
> Denny Z
>
>
> On 2/27/07, Korey O'Dell wrote:
> >Folks,
> >Ive got two ISP connections that I am using with:
> >---
> >ip route add 192.168.200.0/24 dev eth2 src 192.168.200.11 table connection1
> >ip route add default via 192.168.200.1 table connection1
> >
> >ip route add x.175.244.0/24 dev eth1 src x.175.244.2 table connection2
> >ip route add default via x.175.244.1 table connection2
> >
> >ip rule add from 192.168.200.11 table connection1
> >ip rule add from x.175.244.2 table connection2
> >
> >echo "Enabling load balancing between ISP connections..."
> >ip route add default scope global nexthop via 192.168.200.1 dev eth2
> >weight 1 nexthop via x.175.244.1 dev eth1 weight 1
> >
> >iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to x.175.244.2
> >iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to 192.168.200.11
> >
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

From: luciano at lugmen.org.ar (Luciano Ruete)
Date: Wed Feb 28 02:28:15 2007
Subject: [LARTC] Conntrack table full and Heavy p2p loaded traffic manager ...
In-Reply-To: <45E2A347.6010801@wanadoo.fr>
References: <45DF4053.8090104@wanadoo.fr> <200702242237.33902.luciano@lugmen.org.ar> <45E2A347.6010801@wanadoo.fr>
Message-ID: <200702272228.03687.luciano@lugmen.org.ar>

On Monday 26 February 2007 06:07, you wrote:
> Hello, cc to the list, it may help others.
> Thanks for your answer
> Do you know a method to choose hashSize as you explain me for
> conntrack max ?

Yes, the hash table size (search Wikipedia if you do not know what a hash table is) is the number of buckets that you have. So if you have a table with 10 buckets and you put 160 conntrack entries (conntrack_max) in it, then each bucket will have 16 entries on average. In practice it can happen that one bucket has 0 and another has 30 or more; it depends on the efficiency of the hash algorithm, but you can assume an average of 16 to do your maths.

After the bucket is found by the hash function, the entry is searched linearly, so in our example with hash_size at 10 and conntrack_max at 160, the kernel will do at most a 16-item linear search; so, just to simplify, we can assume an average linear search of 8 items.

In a 1GB memory i386 PC, the Linux kernel defaults to 8180 buckets and 65440 entries. If you start receiving messages that the conntrack table is full, you can just raise the entries to a 1/16 ratio (as in the example above); this means set conntrack_max to 13088 and leave hash_size at 8180. At 5000 searches per second you will have an average of 5000*8=40000 additional operations to search an item, and 40000 operations/second surely cost some CPU cycles. But if you raise the buckets as well, to 65440 (1/2 ratio), you will reduce the number to just 5000 operations per second.

Choosing the right number just depends on how much RAM you have, how fast your CPU is, and how many searches are made in the conntrack table.

--
Luciano

From: luciano at lugmen.org.ar (Luciano Ruete)
Date: Wed Feb 28 03:00:21 2007
Subject: [LARTC] Multiple uplinks, ssh connections hang
In-Reply-To: <45E35481.5020106@zaneray.com>
References: <45E35481.5020106@zaneray.com>
Message-ID: <200702272300.17309.luciano@lugmen.org.ar>

On Monday 26 February 2007 18:43, Korey O'Dell wrote:
> Folks,
> Ive got two ISP connections that I am using with:
> ---
> ip route add 192.168.200.0/24 dev eth2 src 192.168.200.11 table connection1
> ip route add default via 192.168.200.1 table connection1
>
> ip route add x.175.244.0/24 dev eth1 src x.175.244.2 table connection2
> ip route add default via x.175.244.1 table connection2
>
> ip rule add from 192.168.200.11 table connection1
> ip rule add from x.175.244.2 table connection2
>
> echo "Enabling load balancing between ISP connections..."
> ip route add default scope global nexthop via 192.168.200.1 dev eth2
> weight 1 nexthop via x.175.244.1 dev eth1 weight 1
>
> iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to x.175.244.2
> iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to 192.168.200.11
>
> ---
>
>
> The 192.168.200.x (lan) network gets to the internet via another gateway
> (192.168.200.1).
> Client machines on the 200.x network work ok except for ssh connections
> to machines on the internet hanging. It asks for a password and hangs.
> Any ideas? Thanks Korey

Yes, you hit a big FAQ; read this thread [1][2] (from this same week). There are two alternative full solutions to that problem explained there; both use netfilter CONNMARK.

[1] http://mailman.ds9a.nl/pipermail/lartc/2007q1/020354.html
[2] http://mailman.ds9a.nl/pipermail/lartc/2007q1/020360.html

--
Luciano

From: tore at linpro.no (Tore Anderson)
Date: Wed Feb 28 11:53:33 2007
Subject: [LARTC] Problems getting multipath routes to balance
Message-ID: <45E55F18.1000906@linpro.no>

Hi.

I've been trying to balance outgoing traffic by using multipath routes, but I can't get it to work. Only one of the routes is used. I'm adding the route like this:

ip route add table 101 default \
    nexthop via X.X.X.X nexthop via Y.Y.Y.Y

It shows up in the routing table like this:

default
    nexthop via X.X.X.X dev vlan110 weight 1
    nexthop via Y.Y.Y.Y dev vlan120 weight 1

So it looks quite good. However, all traffic is routed via Y.Y.Y.Y, no matter what I do. I can increase the weight of X.X.X.X, load and unload the various multipath kernel modules (_rr, _random, _wrandom, and _drr), flush the cache routing table, delete and re-add the route, but still traffic is only sent to X.X.X.X.

If I reverse the order of the nexthops on the command line, that is:

ip route add table 101 default \
    nexthop via Y.Y.Y.Y nexthop via X.X.X.X

...the behaviour is exactly the same, only now the traffic is sent only to X.X.X.X. The ordering of the nexthops on the command line is the only thing that appears to make a difference to me.

I send traffic from a relatively busy network into table 101 (using "ip rule add from z.z.z.z/zz table 101 prio 20000"), so there's constantly traffic there, and many simultaneous flows. I tried using "equalize" too, though, but it had no effect either.

How is this actually supposed to work, and what am I missing? I'm grateful for any suggestions. I'm seeing this behaviour both on 2.6.12 and 2.6.15.

Thanks
--
Tore Anderson

From: pradeep.padala at hp.com (Padala, Pradeep)
Date: Wed Feb 28 15:32:59 2007
Subject: [LARTC] Xen and tc problems
Message-ID: <08CA2245AFCF444DB3AC415E47CC40AF8120E8@G3W0072.americas.hpqcorp.net>

Hi,

I am trying to shape traffic to two VMs hosted in Xen. There seems to be very little information regarding this. I found this web page

http://www.ioncannon.net/system-administration/57/limiting-bandwidth-usage-on-xen-linux-setup/

and followed the instructions. But the real bandwidth experienced from clients always seems to exceed the set rate. Part of the problem may be because of the way Xen bridging is set up. There are many interfaces that the packets go through. So, I switched to the Xen routed networking, in which dom0 simply sees two virtual interfaces for the VMs, which are kind of PPP connections to the eth0 interfaces in the VMs.

eth0 +---- vif1.0 -- eth0 in VM1
     |
     |
     +---- vif2.0 -- eth1 in VM2

Say I want to limit the bandwidth to VM1 to 100mbit and VM2 to 500mbit (eth0 is a 1gbit interface); I used the following commands.

iptables -t mangle -F POSTROUTING
tc qdisc add dev eth0 root handle 1: htb r2q 1000

iptables -t mangle -A POSTROUTING -s $vm1_ip -j CLASSIFY --set-class 1:1
iptables -t mangle -A POSTROUTING -d $vm1_ip -j CLASSIFY --set-class 1:1
tc class add dev eth0 parent 1: classid 1:1 htb rate 512mbit

iptables -t mangle -A POSTROUTING -s $vm2_ip -j CLASSIFY --set-class 1:2
iptables -t mangle -A POSTROUTING -d $vm2_ip -j CLASSIFY --set-class 1:2
tc class add dev eth0 parent 1: classid 1:2 htb rate 512mbit

I set up a web server in VM1 and download a 1GB file from another machine that is on the same network (actually in the same enclosure). I always see wire speeds on the client side. I have tried many configurations including adding an sfq, pfifo, or tbf class under the leaf classes, but either the rate becomes too low (because packets are dropped at the leaves) or too high.
Part of the problem lies in the fact that vif1.0 has already received the traffic, so it has to be over-limited at eth0 instead of dropping. So I tried a simple tbf within the VM. That doesn't work either, with very low speeds. Xen VMs don't have very precise clocks, so that might be one reason why the reliable tbf is also not performing well. I also set the burst sizes manually and the speed again becomes exceptionally low.

Please let me know if you have any ideas on why this is happening. I can paste the stats as well, if required.

TIA,
Pradeep

From: thelastmohican54 at gmail.com (mohican 542003)
Date: Wed Feb 28 15:40:07 2007
Subject: [LARTC] incoming traffic + iptable
Message-ID: <519f77360702280639r6a40361ejc2c57801da55d4eb@mail.gmail.com>

Hello,

I try to use iptables to mark packets and then to filter them with tc. Here is my script:

iptables -t mangle -A PREROUTING -s 172.28.54.41/32 -p tcp -j MARK --set-mark 1
tc qdisc add dev eth0 handle ffff: ingress
tc filter add dev eth0 parent ffff: protocol ip prio 1 handle 1 fw police rate 10000kbit burst 10000kbit mtu 1500k drop flowid :1

I can not use u32 because I have several filters with more than one IP address in each.

Packets seem to be well marked (command: iptables -t mangle -L -vnx) but packets are not filtered with tc.

Can someone help me?

Thanks,
Olivier.

From: Sandrine.MASSON at fr.thalesgroup.com (Sandrine.MASSON@fr.thalesgroup.com)
Date: Wed Feb 28 18:06:44 2007
Subject: [LARTC] Data rate with HTB
Message-ID: <2F8EE677D406514ABE53EF9C0934A6660406F7DB@anubis2.clb.tcfr.thales>

Dear all,

I'm making a script to implement DiffServ policies with HTB. Here it is:

if test $1 = "help" -o $1 = "h" -o $# != 5
then
    echo "usage: ds.sh "
    exit
fi

DEV=$1
DS_RATE=$2
EF_RATE=$3
AF_RATE=$4
BE_RATE=$5

sync
tc qdisc del root dev $DEV
tc qdisc add dev $DEV root handle 1: htb default 1
tc class add dev $DEV parent 1: classid 1:1 htb rate $DS_RATE ceil $DS_RATE
tc class add dev $DEV parent 1:1 classid 1:10 htb rate $EF_RATE ceil $DS_RATE
tc class add dev $DEV parent 1:1 classid 1:11 htb rate $AF_RATE ceil $DS_RATE
tc class add dev $DEV parent 1:1 classid 1:12 htb rate $BE_RATE ceil $DS_RATE

# --- EF 1:10
#tc filter add dev $DEV parent 1:0 protocol ip prio 1 handle 0x2e tcindex classid 1:10
# --- AF class 1:11
#tc filter add dev $DEV parent 1:0 protocol ip prio 1 handle 0xa tcindex classid 1:11

My problem is that the data rate I've measured with generated high-rate BE traffic is not reduced to DS_RATE as I expected. The rate is well limited when only the class 1:1 is defined. But when I change the script to include classes 1:10, 1:11 and 1:12, the rate is not controlled anymore.

If any idea, thanks in advance,
Sandrine

From: Jon.J.Flechsenhaar at boeing.com (Flechsenhaar, Jon J)
Date: Wed Feb 28 18:16:41 2007
Subject: [LARTC] Data rate with HTB
In-Reply-To: <2F8EE677D406514ABE53EF9C0934A6660406F7DB@anubis2.clb.tcfr.thales>
References: <2F8EE677D406514ABE53EF9C0934A6660406F7DB@anubis2.clb.tcfr.thales>
Message-ID: <0E24ED2A7F9AA349A8633E6A56A64BE0027A81F6@XCH-SW-2V1.sw.nos.boeing.com>

You probably want to change your default class to 12. This will send all your traffic not matched by the filter to your BE class. Right now you're sending it to 1:1 by default.

Also your filters don't look correct. I would just filter based on the TOS bits. Example EF:

tc filter add dev $DEV parent 1:0 protocol ip u32 match ip tos 0xb8 0xff flowid 1:10

Jon Flechsenhaar
Boeing WNW Team
Network Services
(714)-762-1231
202-E7

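As an added example (my code, not Sandrine's script or anything from Jon's reply), here is the same DiffServ tree with the two changes suggested above applied: `default 12` instead of `default 1`, and u32 filters on the TOS byte instead of the commented-out tcindex ones. The mechanism behind the symptom is worth knowing: HTB only ever enqueues into leaf classes, and when `default` names a class that has children, unclassified packets go to HTB's direct queue and leave the interface unshaped. That is exactly what happens the moment 1:10, 1:11 and 1:12 are hung under 1:1 while `default 1` stays, which is why shaping worked with 1:1 alone and stopped afterwards. The 0xfc mask (ignoring the two ECN bits), the class `prio` values, the `DRY_RUN` switch and the rate sanity check are my additions; the AF11 value 0x28 is DSCP 10 shifted into the TOS byte, matching the `0xa` in the original tcindex handle.

```shell
#!/bin/sh
# Added example, not the script from the thread: DiffServ HTB tree with
# best-effort as the HTB default class and DSCP selected by u32 on the
# TOS byte.  Usage: ds.sh <dev> <ds_rate> <ef_rate> <af_rate> <be_rate>
# (rates in kbit).  DRY_RUN=1 prints the tc commands instead of running them.

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# DSCP code points as TOS byte values (DSCP << 2).  Mask 0xfc ignores the
# two ECN bits so marked packets still match when ECN is negotiated.
TOS_EF=0xb8      # DSCP 46 (0x2e), Expedited Forwarding
TOS_AF11=0x28    # DSCP 10 (0x0a), Assured Forwarding class 1

ds_setup() {
    dev=$1; ds=$2; ef=$3; af=$4; be=$5
    run tc qdisc del dev "$dev" root 2>/dev/null
    # default 12: anything no filter claims goes to the best-effort LEAF.
    # With default 1 (an inner class once 1:10-1:12 exist) HTB would send
    # unclassified packets to its direct queue, bypassing shaping entirely.
    run tc qdisc add dev "$dev" root handle 1: htb default 12
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "$ds" ceil "$ds"
    run tc class add dev "$dev" parent 1:1 classid 1:10 htb rate "$ef" ceil "$ds" prio 0
    run tc class add dev "$dev" parent 1:1 classid 1:11 htb rate "$af" ceil "$ds" prio 1
    run tc class add dev "$dev" parent 1:1 classid 1:12 htb rate "$be" ceil "$ds" prio 2
    # Select EF and AF11 on the TOS byte; everything else falls to 1:12.
    run tc filter add dev "$dev" parent 1:0 protocol ip prio 1 u32 \
        match ip tos $TOS_EF 0xfc flowid 1:10
    run tc filter add dev "$dev" parent 1:0 protocol ip prio 1 u32 \
        match ip tos $TOS_AF11 0xfc flowid 1:11
}

# Sanity check HTB does not do for you: the children's guaranteed rates
# must not exceed the parent's, or the guarantees cannot all be honoured.
# Returns 0 when ef + af + be <= ds (all arguments in kbit).
rates_fit() {
    ds=${1%kbit}; ef=${2%kbit}; af=${3%kbit}; be=${4%kbit}
    [ $(( ef + af + be )) -le "$ds" ]
}

if [ $# -eq 5 ]; then
    rates_fit "$2" "$3" "$4" "$5" || { echo "child rates exceed $2" >&2; exit 1; }
    ds_setup "$@"
elif [ $# -ne 0 ]; then
    echo "usage: $0 <dev> <ds_rate> <ef_rate> <af_rate> <be_rate> (kbit)" >&2
    exit 1
fi
```

Run it as `DRY_RUN=1 sh ds.sh eth0 2000kbit 500kbit 700kbit 800kbit` first and read the generated commands; `tc -s class show dev eth0` afterwards should show the byte counters moving on 1:12 for unmarked traffic rather than on the root's direct queue.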
From: hijacker at oldum.net (Nikolay Kichukov)
Date: Thu Mar 1 08:23:04 2007
Subject: [LARTC] incoming traffic + iptable
References: <519f77360702280639r6a40361ejc2c57801da55d4eb@mail.gmail.com>
Message-ID: <005901c75bd2$3e99e000$0600a8c0@hpa>

Hello there,

Why would you want to mark the packets with iptables in the first place for ingress shaping? Why not use the tc functionality to specify source and destination addresses and protocol types?

I would suggest leaving iptables alone and getting your hands on tc for doing traffic control ;-)

So in your example:

tc qdisc add dev eth0 handle ffff: ingress
tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip src 172.28.54.41/32 police rate 10000kbit burst 10000kbit mtu 1500k drop flowid ffff:

That's an elegant way to achieve what you want.

HTH,
-nik

p.s. Mind the burst parameter, seems a huge value to me.

From: alecm at chatango.com (Alec Matusis)
Date: Thu Mar 1 09:07:58 2007
Subject: [LARTC] transparent proxy?
Message-ID: <20070301080738.6197D3F75@outpost.ds9a.nl>

My requirement is to have a transparent proxy in some sense: the TCP packets should be proxied by box A to a server on box B, and back from B to the client (via A, I guess). The server on box B should see the original IP address of the client. When I do SNAT on A, the original IP becomes invisible to box B, which is not acceptable for my application. Is there a way to do this without using squid, with iptables and iproute2 tools only?

I have the following (simplified) network topology:

WAN ----- BOX A ----- LAN ------ BOX B ------ WAN

Assuming that BOX A has WAN ip 1.2.3.4, LAN ip 10.0.0.1 and BOX B has LAN ip 10.0.0.2, and the clients connect to port 5224 on box A, this is what I have tried:

On box A:

# iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp -m tcp --dport 5224 -j DNAT --to-destination 10.0.0.2:5224

On box B, I can verify that the SYN packets containing the original client ip are received via the LAN interface. The server on B is listening on 10.0.0.2:5224. I tried to route the response from this server back to A:

On B:

# ip rule ls
0:      from all lookup local
32764:  from 10.0.0.2 lookup 3
32766:  from all lookup main
32767:  from all lookup default
# ip route ls table 3
default via 10.0.0.1 dev eth1

My problem is that I cannot see response (ACK) packets from the server on B anywhere: neither on A, nor even on B. I suspect the problem is incorrect routing on B, but I do not know how to capture the outbound packets before routing. What am I doing wrong?

From: fdelawarde at wirelessmundi.com (François Delawarde)
Date: Thu Mar 1 16:05:10 2007
Subject: [LARTC] incoming traffic + iptable
In-Reply-To: <005901c75bd2$3e99e000$0600a8c0@hpa>
References: <519f77360702280639r6a40361ejc2c57801da55d4eb@mail.gmail.com> <005901c75bd2$3e99e000$0600a8c0@hpa>
Message-ID: <45E6EB48.5060700@wirelessmundi.com>

Hello,

I would need to be able to do that, as I think that iptables is more powerful for classifying traffic you want to police/shape. I don't really know tc yet, so could you tell me if it has the possibility of detecting:

- mac addresses
- ip tos/ttl values
- icmp types
- tcp/udp flags/ports or port ranges
- layer 7 protocols

Thanks for help,
François.

Nikolay Kichukov wrote:
> Hello there,
> Why would you want to mark the packets with iptables in the first place for
> ingress shaping?
> Why don't use the tc functionality to specify source and destination
> addresses and protocol types?
>
> I would suggest to leave iptables alone and get your hand on TC for doing
> traffic control ;-)
>
> So in your example:
>
> tc qdisc add dev eth0 handle ffff: ingress
> tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip src
> 172.28.54.41/32 police rate 10000kbit burst 10000kbit mtu 1500k drop flowid
> ffff:
>
> Thats an elegant way to achieve what you want.
>
> HTH,
> -nik
>
> p.s. Mind the burst parameter, seems huge value to me.

From: tomlobato at gmail.com (Tom Lobato)
Date: Fri Mar 2 01:21:44 2007
Subject: [LARTC] DNAT and Load Balancing
Message-ID: <45E76E18.4080201@gmail.com>

Hi all!

After that good thread "DGD patch not detecting dead gateway" I was able to set up load balancing with ping-based DGD (without Julian Anastasov's patch). But now I'm facing a new problem and have tried some options, with only partial solutions.

I made a script based on http://www.mail-archive.com/lartc@mailman.ds9a.nl/msg16257.html (thank you Manish Kathuria), without Julian A.'s patch, and with routes/rules as described in nano.txt. It works fine, but...

The problem: I do DNAT for internet-located people to access my LAN machines (VNC, RDP, etc...). It sometimes works, sometimes doesn't. It appears that the connection from outside can enter, but when reply packets try to get back across the NAT machine, it falls into the round-robin default route selection to define its gateway. Well, of course, this reply must leave the router via the same interface the initial packets entered.

  vnc initial
  request packet              reply that got
         \                    wrong route
          \                        ^
           \                      /
            V                    /
          isp1       isp2      isp3
          _|__________|_________|__
         |                         |
         |          dnat           |
         |_________________________|
                      ^
                      |
                      |
                      V
              LAN station, the
                 vnc server

What I need is a way to force packets to leave the router via the same interface their request entered. I'd like to hear opinions about the problem (and also a solution =).

Remember, I can't apply the DGD patch from J.A. because it only checks the first hop for dead detection.

I will appreciate any help.

Thank you,

Tom Lobato

From: mkathuria at tuxtechnologies.co.in (Manish Kathuria)
Date: Fri Mar 2 02:52:51 2007
Subject: [LARTC] DNAT and Load Balancing
In-Reply-To: <45E76E18.4080201@gmail.com>
References: <45E76E18.4080201@gmail.com>
Message-ID: <1df4abe60703011752n55edb4b9o452e6c72527f0efb@mail.gmail.com>

On 3/2/07, Tom Lobato wrote:
> The problem: I do DNAT for internet located people to access my LAN
> machines (VNC, RDP, etc...). It sometimes works, sometimes don't work.
> It appears that the connection from outside can enter, but when reply
> packets try to get back across nat machine, it falls into the round
> robin default route selection to define its gateway. Well, of course,
> this reply must leave the router via the same interface whose initial
> packets entered.
>
> What I need is a way to force packets leave the router via the same
> interface whose its request entered this.
> I'd like to hear opinions about the problem (and also solution =).
> Remember, I can't apply the DGD patch from J.A. because it only checks
> the first hop for dead detection.
> I will apreciate any help.

I had overlooked this.
I had also faced a similar problem. There are two possible solutions: one is to apply Julian's patches, because even though you are not using the patches for DGD, they do help in making NAT processing with multiple gateways work properly. The other option is to mark the packets using CONNTRACK. There was a good discussion on this topic some days back. You can check the thread using the following links to the archives:

http://mailman.ds9a.nl/pipermail/lartc/2007q1/020354.html
http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html

--
Manish Kathuria
Tux Technologies
http://www.tuxtechnologies.co.in/

From: hijacker at oldum.net (Nikolay Kichukov)
Date: Fri Mar 2 08:39:57 2007
Subject: [LARTC] incoming traffic + iptable
References: <519f77360702280639r6a40361ejc2c57801da55d4eb@mail.gmail.com> <005901c75bd2$3e99e000$0600a8c0@hpa> <45E6EB48.5060700@wirelessmundi.com>
Message-ID: <009e01c75c9d$ce19d9d0$0600a8c0@hpa>

Hello there,

Sure tc can do those; I am not sure about layer 7 protocols. I am no tc expert myself ;-(

-nik

----- Original Message -----
From: "François Delawarde"
To:
Cc: "Nikolay Kichukov"
Sent: Thursday, March 01, 2007 5:03 PM
Subject: Re: [LARTC] incoming traffic + iptable

> Hello,
> I would need to be able to do that, as I think that iptables is more
> powerful for classifying traffic you want to police/shape. I don't
> really know tc yet, so could you tell if it has the possibility of
> detecting:
>
> - mac addresses
> - ip tos/ttl values
> - icmp types
> - tcp/udp flags/ports or port ranges
> - layer 7 protocols
>
> Thanks for help,
> François.
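The thread above holds two questions that the same tc session answers: the first post asks for per-host ingress limits in two groups, and the later post asks which header fields tc can select on. This is an added example, my own code rather than anything posted in the thread; the interface, the addresses, the MAC address and the rates are assumed. It uses Nikolay's approach of u32 selectors on the ingress qdisc instead of iptables marks. On kernels built with NET_CLS_ACT (the normal case on 2.6), the ingress qdisc runs in the device receive path before netfilter's PREROUTING hooks, so a MARK set in the mangle table is not yet on the packet when an `fw` filter on `ffff:` looks at it; that is why the marks looked fine in `iptables -L` yet the filter never fired. The selectors below cover MAC address, TOS, TTL, ICMP type, a UDP port range and TCP flags; u32 matches fixed header offsets only and has no application-layer knowledge, so layer-7 detection stays outside its reach. Transport-layer offsets assume a 20-byte IP header, which the leading IHL check enforces.

```shell
#!/bin/sh
# Added example (not code from the thread): ingress policing with plain
# tc u32 selectors, no iptables marks.  Interface, addresses and rates are
# assumed.  DRY_RUN=1 prints the tc commands instead of executing them.

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Burst in bytes for roughly 0.1 s at the policed rate (tc: 1 mbit = 10^6 bit/s).
burst_for() {
    case $1 in
        *mbit) echo $(( ${1%mbit} * 1000000 / 80 )) ;;
        *kbit) echo $(( ${1%kbit} * 1000 / 80 )) ;;
        *)     echo 15000 ;;            # fallback: about ten full-size frames
    esac
}

# Install one dropping policer on $1 for every u32 selector line in $3,
# all at rate $2.  $sel is expanded unquoted on purpose: each line holds a
# complete multi-word selector expression.
add_policers() {
    dev=$1; rate=$2; sel_list=$3
    printf '%s\n' "$sel_list" | while read -r sel; do
        if [ -n "$sel" ]; then
            run tc filter add dev "$dev" parent ffff: protocol ip prio 1 u32 $sel \
                police rate "$rate" burst "$(burst_for "$rate")" drop flowid ffff:
        fi
    done
}

ingress_policy() {
    dev=$1
    run tc qdisc del dev "$dev" ingress 2>/dev/null      # idempotent re-run
    run tc qdisc add dev "$dev" handle ffff: ingress

    # Host groups from the first post: two hosts at 10 Mbit, two at 20 Mbit.
    # Hosts not listed get no policer and stay unlimited.
    add_policers "$dev" 10mbit "match ip src 192.168.1.2/32
match ip src 192.168.1.4/32"
    add_policers "$dev" 20mbit "match ip src 192.168.1.3/32
match ip src 192.168.1.5/32"

    # Other fields u32 can select on (assumed values, 1 Mbit each):
    #   source MAC; TOS byte with ECN bits masked; TTL 1;
    #   ICMP echo request (type 8, first byte after the IP header);
    #   UDP ports 8000-8015 in one aligned mask; TCP SYN without ACK.
    # 'match u8 0x05 0x0f at 0' pins IHL to 5 so the fixed offsets hold.
    add_policers "$dev" 1mbit "match ether src 00:11:22:33:44:55
match ip tos 0xb8 0xfc
match ip ttl 1 0xff
match u8 0x05 0x0f at 0 match ip protocol 1 0xff match u8 8 0xff at 20
match u8 0x05 0x0f at 0 match ip protocol 17 0xff match ip dport 8000 0xfff0
match u8 0x05 0x0f at 0 match ip protocol 6 0xff match u8 0x02 0x12 at 33"
}

if [ $# -eq 1 ]; then
    ingress_policy "$1"
fi
```

`DRY_RUN=1 sh ingress.sh eth0` lists the twelve tc commands for review; without `DRY_RUN` it needs root. `tc -s filter show dev eth0 parent ffff:` afterwards shows per-policer counters, which is the quickest way to confirm a selector is actually matching before trusting the rate it enforces.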
From: linux at arcoscom.com (ArcosCom Linux User)
Date: Fri Mar 2 09:36:53 2007
Subject: [LARTC] DNAT and Load Balancing [attached compresed file]
In-Reply-To: <1df4abe60703011752n55edb4b9o452e6c72527f0efb@mail.gmail.com>
References: <45E76E18.4080201@gmail.com> <1df4abe60703011752n55edb4b9o452e6c72527f0efb@mail.gmail.com>
Message-ID: <44093.195.55.244.106.1172825021.squirrel@www.arcoscom.com>

In the file "comandos.log" you can see how I implement the "load balancing". The explanation is:

1) Add more filters to routing decisions that, depending on the fwmark value of packets, use one or another link to send the packet.
2) In PREROUTING mark the connection to know the "incoming" iface and keep that in the conntrack table.
3) In POSTROUTING the same, to allow outgoing packets to select the same interface.

In my configuration wan0 is a bridge (without STP) that links all the WAN interfaces and I make aliases for all; that is why you can see the "physdev" match used, but if you don't use a bridge, you can replace the wan0 and bridge selection by only your wan ifaces.

With this configuration, I expect these:

1) Allow UPnP to work fine (appears to be working for now).
2) Allow the correct incoming DNAT to work fine.
3) Allow the correct outgoing connections to be tracked fine.
4) Allow only 1 iptables rule if I need DNAT to one machine from any wan iface (very useful for p2p programs).

You can see, too, that I use masks with marks; that is because I use other marks to allow traffic control (with other marks).

I'm testing this configuration for two days now, and it appears to be working fine.

Last note: This file is not my real script; my real script parses one config file where I define all my wan ifaces, and it generates these files to allow me to debug the command execution results, order, output, etc...

Regards

On Fri, 2 March 2007, 2:52, Manish Kathuria wrote:
> On 3/2/07, Tom Lobato wrote:
>> [...]
>
> I had overlooked this. I had also faced a similar problem. There are
> two possible solutions, one is to apply Julian's patches because even
> though you are not using the patches for DGD, they do help in making
> NAT processing with multiple gateways work properly. The other option
> is to mark the packets using CONNTRACK. There was a good discussion on
> this topic some days back. You can check the thread using the
> following links to the archives:
>
> http://mailman.ds9a.nl/pipermail/lartc/2007q1/020354.html
> http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html
>
> --
> Manish Kathuria
> Tux Technologies
> http://www.tuxtechnologies.co.in/

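The three steps described above (fwmark-selected routing tables, marking the connection by incoming interface in PREROUTING, and the same by outgoing interface in POSTROUTING) are the CONNMARK approach that Luciano and Manish point to earlier in the thread. The script below is an added example, my own code and not the "comandos.log" attachment; it leaves out the bridge and `physdev` parts and uses plain WAN interfaces. Interface names, the gateway addresses (documentation ranges), the mark values and the table numbers are all assumed placeholders. Only the low byte of the mark is used, so the remaining bits stay free for traffic-control marks, as the post describes.

```shell
#!/bin/sh
# Added example, not the script from the thread: pin every packet of a
# connection to the WAN link its first packet used, via CONNMARK plus
# fwmark routing rules.  Interfaces, gateways, marks and table numbers are
# assumed placeholders.  DRY_RUN=1 prints the commands instead of running them.

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# One line per WAN link: "<iface> <gateway> <mark> <table>".
WAN_LINKS="wan1 203.0.113.1 1 101
wan2 198.51.100.1 2 102
wan3 192.0.2.1 3 103"
MARK_MASK=0xff        # link marks live in the low byte; other bits stay free

setup_link() {
    dev=$1; gw=$2; mark=$3; table=$4
    # Step 1: a table per link and a rule that selects it by fwmark.
    # (ip rule add is not idempotent; flush the rules before re-running.)
    run ip route replace default via "$gw" dev "$dev" table "$table"
    run ip rule add fwmark "$mark/$MARK_MASK" lookup "$table" prio 100
    # Step 2: a connection whose first packet ARRIVES on this link gets the
    # link's mark stored in its conntrack entry (DNATed services from outside).
    run iptables -t mangle -A PREROUTING -i "$dev" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$mark/$MARK_MASK"
    # Step 3: a connection whose first packet LEAVES on this link (chosen by
    # the multipath default route) is remembered the same way.
    run iptables -t mangle -A POSTROUTING -o "$dev" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$mark/$MARK_MASK"
}

setup_common() {
    # Copy the stored connection mark back onto every later packet before
    # routing, so the fwmark rules above pick the original link.  PREROUTING
    # covers forwarded traffic (LAN replies to DNATed sessions), OUTPUT covers
    # connections the router itself started.
    run iptables -t mangle -A PREROUTING -m conntrack ! --ctstate NEW \
        -j CONNMARK --restore-mark --mask "$MARK_MASK"
    run iptables -t mangle -A OUTPUT -m conntrack ! --ctstate NEW \
        -j CONNMARK --restore-mark --mask "$MARK_MASK"
}

setup_all() {
    printf '%s\n' "$WAN_LINKS" | while read -r dev gw mark table; do
        if [ -n "$dev" ]; then setup_link "$dev" "$gw" "$mark" "$table"; fi
    done
    setup_common
    # Cached routes chosen before the rules existed would keep bypassing them.
    run ip route flush cache
}

if [ "${1:-}" = apply ]; then
    setup_all
fi
```

Before trusting it, watch one DNATed session end to end: `conntrack -L` (or `/proc/net/ip_conntrack` on older kernels) should show `mark=1` on a connection that arrived via wan1, and `tcpdump -ni wan1` should show the LAN host's replies leaving on that same link. Note that SNAT/MASQUERADE for outgoing traffic still has to be done per interface, as in the earlier posts; this script only fixes the route selection.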
From: kamen at evrocom.net (Kamen TOMOV)
Date: Fri Mar 2 09:41:53 2007
Subject: [LARTC] help on routing
Message-ID: 

We have a router with two external and one internal interfaces and it doesn't work as we'd like to. We need it to route all the traffic through one of the external interfaces and to access a few networks through the other.

Currently it seems that all the packets with source address from the internal network are routed correctly. The problem is with the packets that originate from the router. For some reason they are routed through the default interface. Does anybody know why that happens?

# ip rule ls
0:	from all lookup local
200:	from 192.168.1.0/24 to a.b.c.0/24 lookup 202
201:	from e.f.g.0/24 lookup 201
201:	from 192.168.1.0/24 to 62.44.96.0/19 lookup 201
201:	from 127.0.0.0/8 to 62.44.96.0 lookup 201
202:	from a.b.c.0/24 lookup 202
32766:	from all lookup main
32767:	from all lookup default

# ip route ls
e.f.g.0/24 dev eth3 scope link metric 1
a.b.c.0/24 dev eth2 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
127.0.0.0/8 dev lo scope link
default via a.b.c.1 dev eth2

ip route ls table 201
default via e.f.g.1 dev eth3 proto static src e.f.g.52 realm 201
prohibit default proto static metric 1

ip route ls table 202
default via a.b.c.1 dev eth2 proto static src a.b.c.4 realm 202
prohibit default proto static metric 1

Your help is appreciated.

-- 
From tomlobato at gmail.com Fri Mar 2 12:13:26 2007
From: tomlobato at gmail.com (Tom Lobato)
Date: Fri Mar 2 12:13:29 2007
Subject: [LARTC] DNAT and Load Balancing [attached compresed file]
In-Reply-To: <44093.195.55.244.106.1172825021.squirrel@www.arcoscom.com>
References: <45E76E18.4080201@gmail.com> <1df4abe60703011752n55edb4b9o452e6c72527f0efb@mail.gmail.com> <44093.195.55.244.106.1172825021.squirrel@www.arcoscom.com>
Message-ID: <45E806D6.3020209@gmail.com>

Hi!
Thank you! The mail arrived to me without the attached file. Can you send it again, please?

Tom Lobato

ArcosCom Linux User wrote:
> Last note: This file is not my real script, my real script parses one
> config file where I define all my wan ifaces, my real script generates
> these files to allow me to debug the command execution results, order, output,
> etc...
>

Fine. I'm using something like this (a set of conf/script files), mainly to get dynamic IPs (dhcp, pppoe) and set all routes/rules. Soon I'll make my script set available, so we can learn from each other.

Tom Lobato
From linux at arcoscom.com Fri Mar 2 12:45:58 2007
From: linux at arcoscom.com (ArcosCom Linux User)
Date: Fri Mar 2 12:39:07 2007
Subject: [LARTC] DNAT and Load Balancing [attached compresed file]
In-Reply-To: <44093.195.55.244.106.1172825021.squirrel@www.arcoscom.com>
References: <45E76E18.4080201@gmail.com> <1df4abe60703011752n55edb4b9o452e6c72527f0efb@mail.gmail.com> <44093.195.55.244.106.1172825021.squirrel@www.arcoscom.com>
Message-ID: <46184.195.55.244.106.1172835958.squirrel@www.arcoscom.com>

Sorry, it appears that the list manager cut off the attached file. Here are the commands:

===BEGIN===
/sbin/ip rule del prio 50 table main
/sbin/ip rule del prio 100 fwmark 0x8000/0xf000 table 150
/sbin/ip rule del prio 150 from a1.b1.c1.d1/26 table 150
/sbin/ip rule del prio 101 fwmark 0x4000/0xf000 table 151
/sbin/ip rule del prio 151 from a2.b2.c2.d2/24 table 151
/sbin/ip rule del prio 200 table 200
/sbin/ip route flush table 150
/sbin/ip route flush table 151
/sbin/ip route flush table 200
/sbin/iptables -t mangle -D PREROUTING -j MARCAR_IFACE
/sbin/iptables -t mangle -F MARCAR_IFACE
/sbin/iptables -t mangle -X MARCAR_IFACE
/sbin/iptables -t mangle -F MARCAR_IFACE_TRAFICO
/sbin/iptables -t mangle -X MARCAR_IFACE_TRAFICO
/sbin/iptables -t mangle -D POSTROUTING -j MARCAR_IFACE_OUT
/sbin/iptables -t mangle -F MARCAR_IFACE_OUT
/sbin/iptables -t mangle -X MARCAR_IFACE_OUT
/sbin/iptables -t mangle -N MARCAR_IFACE
/sbin/iptables -t mangle -N MARCAR_IFACE_TRAFICO
/sbin/iptables -t mangle -A MARCAR_IFACE -j CONNMARK --restore-mark
/sbin/iptables -t mangle -A MARCAR_IFACE -m mark ! --mark 0x0000/0xf000 -j RETURN
/sbin/iptables -t mangle -A MARCAR_IFACE -m mark --mark 0x0000/0xf000 -j MARCAR_IFACE_TRAFICO
/sbin/iptables -t mangle -N MARCAR_IFACE_OUT
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -j CONNMARK --restore-mark
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark ! --mark 0x0000/0xf000 -j RETURN
/sbin/iptables -t mangle -A MARCAR_IFACE -m mark --mark 0x0000/0xf000 -i wan0 -m physdev --physdev-in eth1 -m state --state NEW -j MARK --or-mark 0x8000
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 -o wan0 -m physdev --physdev-out eth1 -m state --state NEW -j MARK --or-mark 0x8000
/sbin/iptables -t mangle -A MARCAR_IFACE -m mark --mark 0x0000/0xf000 -i wan0 -m physdev --physdev-in eth3 -m state --state NEW -j MARK --or-mark 0x4000
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 -o wan0 -m physdev --physdev-out eth3 -m state --state NEW -j MARK --or-mark 0x4000
/sbin/iptables -t mangle -A MARCAR_IFACE -j CONNMARK --save-mark
/sbin/iptables -t mangle -A MARCAR_IFACE -j RETURN
/sbin/iptables -t mangle -I PREROUTING -j MARCAR_IFACE
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -j CONNMARK --save-mark
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -j RETURN
/sbin/iptables -t mangle -I POSTROUTING -j MARCAR_IFACE_OUT
/sbin/ip rule add prio 50 table main
/sbin/ip rule add prio 100 fwmark 0x8000/0xf000 table 150
/sbin/ip rule add prio 150 from a1.b1.c1.d1/26 table 150
/sbin/ip route add default via ga1.gb1.gc1.gd1 dev wan0 src a1.b1.c1.d1 proto static table 150
/sbin/ip route append prohibit default table 150 metric 1 proto static
/sbin/ip rule add prio 101 fwmark 0x4000/0xf000 table 151
/sbin/ip rule add prio 151 from a2.b2.c2.d2/24 table 151
/sbin/ip route add default via ga2.gb2.gc2.gd2 dev wan0 src a2.b2.c2.d2 proto static table 151
/sbin/ip route append prohibit default table 151 metric 1 proto static
/sbin/ip rule add prio 200 table 200
/sbin/ip route add default table 200 proto static nexthop via ga1.gb1.gc1.gd1 dev wan0 weight 1 nexthop via ga2.gb2.gc2.gd2 dev wan0 weight 1
/sbin/ip route flush cache
===END===

Regards

On Fri, 2 March 2007, 9:43, ArcosCom Linux User wrote:
> In the file "comandos.log" you can see how I implement the "load
> balancing".
>
> The explanation is:
> 1) Add more filters to routing decisions that depending on fwmark value
> of packets use one or another link to send the packet.
> 2) In PREROUTING mark the connection to know the "incoming" iface and
> keep that in the conntrack table.
> 3) In POSTROUTING the same, to allow outgoing packets to select the same
> interface.
>
> In my configuration wan0 is a bridge (without STP) that links all the WAN
> interfaces and I make aliases for all, that is why you can see the
> "physdev" match used, but if you don't use a bridge, you can replace the
> wan0 and bridge selection by only your wan ifaces.
>
> With this configuration, I expect these:
> 1) Allow UPnP to work fine (appears to be working for now).
> 2) Allow the correct incoming DNAT to work fine.
> 3) Allow the correct outgoing connections to be tracked fine.
> 4) Allow only 1 iptables rule if I need DNAT to one machine from any
> wan iface (very useful for p2p programs).
>
> You can see, too, that I use masks with marks, that is because I use
> other marks to allow traffic control (with other marks).
>
> I'm testing this configuration for two days now, and it appears to be working
> fine.
>
> Last note: This file is not my real script, my real script parses one
> config file where I define all my wan ifaces, my real script generates
> these files to allow me to debug the command execution results, order, output,
> etc...
>
> Regards
>
> On Fri, 2 March 2007, 2:52, Manish Kathuria wrote:
>> On 3/2/07, Tom Lobato wrote:
>>>
>>> Hi all!
>>>
>>> After that good thread "DGD patch not detecting dead gateway" I was
>>> able to set up a Load Balancing with ping based DGD (without Julian
>>> Anastasov patch). But now I'm facing a new problem and tried some
>>> options, with only partial solutions.
>>>
>>> I made a script based on
>>> http://www.mail-archive.com/lartc@mailman.ds9a.nl/msg16257.html (Thank
>>> you Manish Kathuria), without Julian A.
patch, and with routes/rules as >>> described in nano.txt. It works fine, but... >>> >>> The problem: I do DNAT for internet located people to access my LAN >>> machines (VNC, RDP, etc...). It sometimes works, sometimes don't work. >>> It appears that the connection from outside can enter, but when reply >>> packets try to get back across nat machine, it falls into the round >>> robin default route selection to define its gateway. Well, of course, >>> this reply must leave the router via the same interface whose initial >>> packets entered. >>> >>> >>> vnc initial >>> request packet reply that got >>> \ wrong route >>> \ ^ >>> \ / >>> V / >>> isp1 isp2 isp3 >>> _|____|____|__ >>> | | >>> | dnat | >>> |_____________| >>> ^ >>> | >>> | >>> V >>> LAN estation, the >>> vnc server >>> >>> >>> >>> What I need is a way to force packets leave the router via the same >>> interface whose its request entered this. >>> I'd like to hear opinions about the problem (and also solution =). >>> Remember, I can't apply the DGD patch from J.A. because it only checks >>> the first hop for dead detection. >>> I will apreciate any help. >>> >>> Thank you, >>> >>> >>> >>> Tom Lobato >>> >>> >>> _______________________________________________ >>> LARTC mailing list >>> LARTC@mailman.ds9a.nl >>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc >>> >> >> I had overlooked this. I had also faced a similar problem. There are >> two possible solutions, one is to apply Julian's patches because even >> though you are not using the patches for DGD, they do help in making >> NAT processing with multiple gateways work properly. The other option >> is to mark the packets using CONNTRACK. There was a good discussion on >> this topic some days back. 
You can check the thread using the >> following links to the archives: >> >> http://mailman.ds9a.nl/pipermail/lartc/2007q1/020354.html >> http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html >> >> -- >> Manish Kathuria >> Tux Technologies >> http://www.tuxtechnologies.co.in/ >> _______________________________________________ >> LARTC mailing list >> LARTC@mailman.ds9a.nl >> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc >> > > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > From hijacker at oldum.net Fri Mar 2 17:44:19 2007 From: hijacker at oldum.net (Nikolay Kichukov) Date: Fri Mar 2 17:45:05 2007 Subject: [LARTC] incoming traffic + iptable References: <519f77360702280639r6a40361ejc2c57801da55d4eb@mail.gmail.com> <005901c75bd2$3e99e000$0600a8c0@hpa> <519f77360702282345r3520f4a6j55db4e1fca4ca6f3@mail.gmail.com> <009801c75c9d$74e4c8c0$0600a8c0@hpa> <519f77360703020647g58ef1db5n8e2bd1372c1f414@mail.gmail.com> Message-ID: <004a01c75cea$05fdf2e0$0600a8c0@hpa> Glad that helped. You may want to share the knowledge with the others so I am CCing the list. Just in case someone else is or will be having the same questions. -nik ----- Original Message ----- 
From: mohican 542003
To: Nikolay Kichukov
Sent: Friday, March 02, 2007 4:47 PM
Subject: Re: [LARTC] incoming traffic + iptable

Hello,

Thank you very much. I tried it and it works very well.
My script is:

tc qdisc del dev eth0 ingress
tc qdisc add dev eth0 handle ffff: ingress
tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip src 172.24.11.14 police index 1 rate 15000kbit burst 15000kbit drop flowid :5002
tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip src 172.24.16.11 police index 1 rate 15000kbit burst 15000kbit drop flowid :5002
tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip src 172.24.100.2 police index 2 rate 15000kbit burst 15000kbit drop flowid :5002

172.24.11.14 and 172.24.16.11 share 15000kbit for incoming traffic and 172.24.100.2 can receive at 15000kbit.

Regards.
Olivier.

2007/3/2, Nikolay Kichukov :
hello,

I used to be wondering the same thing some time ago and also asked the list for help; the answer was that I could use the index option to achieve that.

tc filter add ... police index 1 ...
tc filter add ... police index 1 ...
tc filter add ... police index 1 ...
tc filter add ... police index 1 ...

So all your rules should have the index parameter and thus the consumed bandwidth will be calculated for all the IPs.
However I could not verify that this is actually working. Currently I am not using it, I just tried it once, but did not have time to do measurements and calculations. So I cannot confirm if that actually solves the problem you have.
Maybe you can give it a try and let me and the list know if that works as expected?

-nik

----- Original Message -----
From: mohican 542003
To: Nikolay Kichukov
Sent: Thursday, March 01, 2007 9:45 AM
Subject: Re: [LARTC] incoming traffic + iptable

Hello,

I would like something like:

tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip src 172.28.54.41/32 match ip src 172.28.54.45/32 match ip src 172.28.54.54/32 match ip src 172.28.54.80/32 police rate 10000kbit burst 10000kbit mtu 1500k drop flowid ffff:

with several IP addresses (not consecutive). The only way to do this seems to be with iptables to mark packets?

Thanks,
Olivier.

2007/3/1, Nikolay Kichukov :
Hello there,

Why would you want to mark the packets with iptables in the first place for ingress shaping? Why don't you use the tc functionality to specify source and destination addresses and protocol types? I would suggest to leave iptables alone and get your hands on TC for doing traffic control ;-)

So in your example:

tc qdisc add dev eth0 handle ffff: ingress
tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip src 172.28.54.41/32 police rate 10000kbit burst 10000kbit mtu 1500k drop flowid ffff:

That's an elegant way to achieve what you want.

HTH,
-nik

p.s. Mind the burst parameter, it seems a huge value to me.

----- Original Message -----
From: mohican 542003
To: lartc@mailman.ds9a.nl
Sent: Wednesday, February 28, 2007 4:39 PM
Subject: [LARTC] incoming traffic + iptable

Hello,

I try to use iptables to mark packets and then to filter them with tc. Here is my script:

iptables -t mangle -A PREROUTING -s 172.28.54.41/32 -p tcp -j MARK --set-mark 1
tc qdisc add dev eth0 handle ffff: ingress
tc filter add dev eth0 parent ffff: protocol ip prio 1 handle 1 fw police rate 10000kbit burst 10000kbit mtu 1500k drop flowid :1

I can not use u32 because I have several filters with more than one IP address in each.
Packets seem to be well marked (command: iptables -t mangle -L -vnx) but packets are not filtered with tc.

Can someone help me?

Thanks,
Olivier.

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
From alex at samad.com.au Fri Mar 2 19:30:16 2007
From: alex at samad.com.au (Alex Samad) Date: Fri Mar 2 19:30:33 2007 Subject: [LARTC] DNAT and Load Balancing In-Reply-To: <1df4abe60703011752n55edb4b9o452e6c72527f0efb@mail.gmail.com> References: <45E76E18.4080201@gmail.com> <1df4abe60703011752n55edb4b9o452e6c72527f0efb@mail.gmail.com> Message-ID: <20070302183016.GK17130@samad.com.au> On Fri, Mar 02, 2007 at 07:22:13AM +0530, Manish Kathuria wrote: > On 3/2/07, Tom Lobato wrote: > > > > > > Hi all! > > > > > > After that good thread "DGD patch not detecting dead gateway" I was > >able to set up a Load Balancing with ping based DGD (without Julian > >Anastasov patch). But now I'm facing a new problem and tried some > >options, with only partial solutions. > > > > I made a script based on > >http://www.mail-archive.com/lartc@mailman.ds9a.nl/msg16257.html (Thank > >you Manish Kathuria), without Julian A. patch, and with routes/rules as > >described in nano.txt. It works fine, but... > > > > The problem: I do DNAT for internet located people to access my LAN > >machines (VNC, RDP, etc...). It sometimes works, sometimes don't work. > >It appears that the connection from outside can enter, but when reply > >packets try to get back across nat machine, it falls into the round > >robin default route selection to define its gateway. Well, of course, > >this reply must leave the router via the same interface whose initial > >packets entered. > > > > > > vnc initial > >request packet reply that got > > \ wrong route > > \ ^ > > \ / > > V / > > isp1 isp2 isp3 > > _|____|____|__ > > | | > > | dnat | > > |_____________| > > ^ > > | > > | > > V > > LAN estation, the > > vnc server > > > > > > > > What I need is a way to force packets leave the router via the same > >interface whose its request entered this. > > I'd like to hear opinions about the problem (and also solution =). > >Remember, I can't apply the DGD patch from J.A. because it only checks > >the first hop for dead detection. > > I will apreciate any help. 
> > > > Thank you, > > > > > > > > Tom Lobato > > > > > >_______________________________________________ > >LARTC mailing list > >LARTC@mailman.ds9a.nl > >http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > > > > I had overlooked this. I had also faced a similar problem. There are > two possible solutions, one is to apply Julian's patches because even This sounds exactly like my problem, until I appplied julian's patch, I would suggest giving it a try > though you are not using the patches for DGD, they do help in making > NAT processing with multiple gateways work properly. The other option > is to mark the packets using CONNTRACK. There was a good discussion on > this topic some days back. You can check the thread using the > following links to the archives: > > http://mailman.ds9a.nl/pipermail/lartc/2007q1/020354.html > http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html > > -- > Manish Kathuria > Tux Technologies > http://www.tuxtechnologies.co.in/ > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20070303/761740d3/attachment.pgp From francesco.messineo at gmail.com Fri Mar 2 19:34:34 2007 
From: francesco.messineo at gmail.com (francesco messineo)
Date: Fri Mar 2 19:34:41 2007
Subject: [LARTC] DNAT and Load Balancing
In-Reply-To: <20070302183016.GK17130@samad.com.au>
References: <45E76E18.4080201@gmail.com> <1df4abe60703011752n55edb4b9o452e6c72527f0efb@mail.gmail.com> <20070302183016.GK17130@samad.com.au>
Message-ID: 

I solved this exact problem (with incoming connections on three different adsl) marking packets in the PREROUTING chain. Obviously with three different routing tables.

# incoming connections for DNAT to DMZ need to be marked here in PREROUTING
iptables -t mangle -N mymark
iptables -t mangle -F mymark
# first of all RETURN for "local" interfaces
iptables -t mangle -A mymark -i $E0_IF -j RETURN
iptables -t mangle -A mymark -i $DMZ_IF -j RETURN
iptables -t mangle -A mymark -i $VPN_IF -j RETURN
# then mark and save incoming connections from the external universe
iptables -t mangle -A mymark -i $IN_IF -j MARK --set-mark $IN_M
iptables -t mangle -A mymark -i $MC_IF -j MARK --set-mark $MC_M
iptables -t mangle -A mymark -i $TI_IF -j MARK --set-mark $TI_M
iptables -t mangle -A mymark -j CONNMARK --save-mark

#restore mark before ROUTING decision
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark

# non marked incoming connections need to be marked (DNAT to DMZ only)
iptables -t mangle -A PREROUTING -m mark --mark 0 -j mymark

On 3/2/07, Alex Samad wrote:
> On Fri, Mar 02, 2007 at 07:22:13AM +0530, Manish Kathuria wrote:
> > On 3/2/07, Tom Lobato wrote:
> > >
> > > Hi all!
> > >
> > > After that good thread "DGD patch not detecting dead gateway" I was
> > >able to set up a Load Balancing with ping based DGD (without Julian
> > >Anastasov patch). But now I'm facing a new problem and tried some
> > >options, with only partial solutions.
> > >
> > > I made a script based on
> > >http://www.mail-archive.com/lartc@mailman.ds9a.nl/msg16257.html (Thank
> > >you Manish Kathuria), without Julian A.
patch, and with routes/rules as > > >described in nano.txt. It works fine, but... > > > > > > The problem: I do DNAT for internet located people to access my LAN > > >machines (VNC, RDP, etc...). It sometimes works, sometimes don't work. > > >It appears that the connection from outside can enter, but when reply > > >packets try to get back across nat machine, it falls into the round > > >robin default route selection to define its gateway. Well, of course, > > >this reply must leave the router via the same interface whose initial > > >packets entered. > > > > > > > > > vnc initial > > >request packet reply that got > > > \ wrong route > > > \ ^ > > > \ / > > > V / > > > isp1 isp2 isp3 > > > _|____|____|__ > > > | | > > > | dnat | > > > |_____________| > > > ^ > > > | > > > | > > > V > > > LAN estation, the > > > vnc server > > > > > > > > > > > > What I need is a way to force packets leave the router via the same > > >interface whose its request entered this. > > > I'd like to hear opinions about the problem (and also solution =). > > >Remember, I can't apply the DGD patch from J.A. because it only checks > > >the first hop for dead detection. > > > I will apreciate any help. > > > > > > Thank you, > > > > > > > > > > > > Tom Lobato > > > > > > > > >_______________________________________________ > > >LARTC mailing list > > >LARTC@mailman.ds9a.nl > > >http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > > > > > > > I had overlooked this. I had also faced a similar problem. There are > > two possible solutions, one is to apply Julian's patches because even > > This sounds exactly like my problem, until I appplied julian's patch, I would > suggest giving it a try > > > though you are not using the patches for DGD, they do help in making > > NAT processing with multiple gateways work properly. The other option > > is to mark the packets using CONNTRACK. There was a good discussion on > > this topic some days back. 
You can check the thread using the > > following links to the archives: > > > > http://mailman.ds9a.nl/pipermail/lartc/2007q1/020354.html > > http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html > > > > -- > > Manish Kathuria > > Tux Technologies > > http://www.tuxtechnologies.co.in/ > > _______________________________________________ > > LARTC mailing list > > LARTC@mailman.ds9a.nl > > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.6 (GNU/Linux) > > iD8DBQFF6G04kZz88chpJ2MRAplNAKDrYspoCJYOEe3+3xMllBDP0vAuLQCgvBsM > 3HkDStEOSQErTD2RarWObXs= > =/G6Y > -----END PGP SIGNATURE----- > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > > From alex at samad.com.au Fri Mar 2 19:39:13 2007 
From: alex at samad.com.au (Alex Samad)
Date: Fri Mar 2 19:39:24 2007
Subject: [LARTC] DNAT and Load Balancing
In-Reply-To: 
References: <45E76E18.4080201@gmail.com> <1df4abe60703011752n55edb4b9o452e6c72527f0efb@mail.gmail.com> <20070302183016.GK17130@samad.com.au>
Message-ID: <20070302183913.GL17130@samad.com.au>

On Fri, Mar 02, 2007 at 07:34:34PM +0100, francesco messineo wrote:
> I solved this exact problem (with incoming connections on three
> different adsl) marking packets in the PREROUTING chain. Obviously with
> three different routing tables.
>
> # incoming connections for DNAT to DMZ need to be marked here in PREROUTING
> iptables -t mangle -N mymark
> iptables -t mangle -F mymark
> # first of all RETURN for "local" interfaces
> iptables -t mangle -A mymark -i $E0_IF -j RETURN
> iptables -t mangle -A mymark -i $DMZ_IF -j RETURN
> iptables -t mangle -A mymark -i $VPN_IF -j RETURN
> # then mark and save incoming connections from the external universe
> iptables -t mangle -A mymark -i $IN_IF -j MARK --set-mark $IN_M
> iptables -t mangle -A mymark -i $MC_IF -j MARK --set-mark $MC_M
> iptables -t mangle -A mymark -i $TI_IF -j MARK --set-mark $TI_M
> iptables -t mangle -A mymark -j CONNMARK --save-mark
>
> #restore mark before ROUTING decision
> iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
>
> # non marked incoming connections need to be marked (DNAT to DMZ only)
> iptables -t mangle -A PREROUTING -m mark --mark 0 -j mymark
>

Hi

I know there was a thread on this method earlier, but has somebody put up a howto, or a wiki page on it?

alex

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20070303/da910c14/attachment.pgp
From tomlobato at gmail.com Fri Mar 2 20:10:04 2007
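The CONNMARK method ArcosCom and Francesco describe above, consolidated into one script as an added example (not any poster's own code): new connections are marked by the WAN interface they entered or left on, the mark is saved in conntrack and restored before the routing decision, and each mark is sent to its own routing table. Interface names, gateways, mark values, table numbers and the LAN prefix are constructed placeholders; the script prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not a script posted in this thread: pin every connection to
# the WAN interface its first packet used, so DNAT replies (and outbound flows)
# never fall back into the multipath default route.  Interface names, gateways,
# marks, table numbers and the LAN prefix are constructed placeholders.
#
# Per-WAN records: iface gateway fwmark table (one per line)
WANS='eth1 203.0.113.1 0x1 101
eth3 198.51.100.1 0x2 102'
LAN_NET=192.168.0.0/24   # where the DNAT targets (VNC/RDP hosts) live
MASK=0xf                 # low nibble = WAN mark; other bits stay free for tc

# Print each command unless DRY_RUN=0, so the rule set can be reviewed first.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Per-WAN rules: mark by input iface (incoming/DNAT connections), by output
# iface (outgoing connections), and route each mark through its own table.
wan_rules() {
    echo "$WANS" | while read -r ifc gw mark table; do
        [ -n "$ifc" ] || continue
        run iptables -t mangle -A WAN_IN -i "$ifc" -j MARK --set-mark "$mark/$MASK"
        run iptables -t mangle -A WAN_OUT -o "$ifc" -j MARK --set-mark "$mark/$MASK"
        run ip rule add fwmark "$mark/$MASK" table "$table" prio 100
        run ip route replace default via "$gw" dev "$ifc" table "$table"
    done
}

gen_rules() {
    run iptables -t mangle -N WAN_IN
    run iptables -t mangle -N WAN_OUT
    # 1. Restore the saved mark before the routing decision, for forwarded
    #    packets (PREROUTING) and for the router's own replies (OUTPUT).
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark --nfmask "$MASK" --ctmask "$MASK"
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark --nfmask "$MASK" --ctmask "$MASK"
    # 2. Classify only new, still-unmarked connections: incoming ones by the
    #    WAN they arrived on, outgoing ones by the WAN the multipath route chose.
    run iptables -t mangle -A PREROUTING -m conntrack --ctstate NEW -m mark --mark "0/$MASK" -j WAN_IN
    run iptables -t mangle -A POSTROUTING -m conntrack --ctstate NEW -m mark --mark "0/$MASK" -j WAN_OUT
    wan_rules
    # 3. Persist the decision in conntrack so every later packet inherits it.
    run iptables -t mangle -A WAN_IN -j CONNMARK --save-mark --nfmask "$MASK" --ctmask "$MASK"
    run iptables -t mangle -A WAN_OUT -j CONNMARK --save-mark --nfmask "$MASK" --ctmask "$MASK"
    # 4. Marked packets heading for the LAN (the inbound half of a DNAT
    #    connection) must still use the connected route, not the WAN table:
    #    consult main for LAN destinations ahead of the fwmark rules.
    run ip rule add to "$LAN_NET" table main prio 50
    run ip route flush cache
}

gen_rules
```

The prio 50 rule is the piece that is easy to forget: without it, a packet restored to a WAN mark but destined for a LAN host would be forced into the WAN table and sent back out to the ISP.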
From: tomlobato at gmail.com (Tom Lobato)
Date: Fri Mar 2 20:10:15 2007
Subject: [LARTC] DNAT and Load Balancing
In-Reply-To: <20070302183913.GL17130@samad.com.au>
References: <45E76E18.4080201@gmail.com> <1df4abe60703011752n55edb4b9o452e6c72527f0efb@mail.gmail.com> <20070302183016.GK17130@samad.com.au> <20070302183913.GL17130@samad.com.au>
Message-ID: <7fe14e000703021110j343b32a9mae7a36725d1c6288@mail.gmail.com>

Thank you all! Solved. I used the Julian A. patch. I had already applied/used it, but with the new scripts I changed the kernel. So I only rebooted with this patched kernel again and all works fine.

For now it's good, but I liked the CONNMARK way to do things that you told me. Likely in the future I'll abandon the patch and only use iptables and scripts for the job. Thank you for all suggestions. Even with things working, I will test all ideas/scripts.

I think it would be fine to publish a repository with such scripts, mini-howtos and solutions, or of course, add it all to the LARTC howto. If it already exists please tell me, else, let's begin!?

Tom Lobato
From donvodka at gmail.com Sat Mar 3 20:39:15 2007
From: donvodka at gmail.com (Edgar Merino)
Date: Sat Mar 3 20:39:48 2007
Subject: [LARTC] Help with HTB rules (experiencing latency)
Message-ID: <45E9CEE3.2070400@gmail.com>

Hello, I'm using these rules (attached) to control traffic going out from ip 192.168.0.100 which is acting as a p2p server, but when I have these rules on and mldonkey running I experience some latency in web pages, which I would like to eliminate. I've read that this is where the burst and cburst (even quantum) parameters are useful, but I still can't understand clearly how to set them (there are few examples using up rates of ~25kb/s). I hope you can check my rules and give me a hint on what to do.

Solutions in Spanish are also accepted.

Edgar Merino
-------------- next part --------------
A non-text attachment was scrubbed...
Name: layer7ru.sh
Type: application/x-shellscript
Size: 2140 bytes
Desc: not available
Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20070303/29b6a3d3/layer7ru.bin
From donvodka at gmail.com Sat Mar 3 20:48:18 2007
From: donvodka at gmail.com (Edgar Merino)
Date: Sat Mar 3 20:48:34 2007
Subject: [LARTC] Help with HTB rules (experiencing latency)
Message-ID: <45E9D102.9050804@gmail.com>

Hello, I'm using these rules (attached) to control traffic going out from ip 192.168.0.100 which is acting as a p2p server, but when I have these rules on and mldonkey running I experience some latency in web pages, which I would like to eliminate. I've read that this is where the burst and cburst (even quantum) parameters are useful, but I still can't understand clearly how to set them (there are few examples using up rates of ~25kb/s). I hope you can check my rules and give me a hint on what to do.

Solutions in Spanish are also accepted.

Edgar Merino
-------------- next part --------------
#!/bin/sh

### Upload device (external) ###
DEV=eth0

### Lower the queue length of $DEV and the MTU ###
ip link set dev $DEV qlen 30
ip link set dev $DEV mtu 1000

### DELETE RULES AND CHAINS of the mangle table ###
iptables -t mangle -F
iptables -t mangle -X

## DELETE ROOT QDISC ON $DEV
tc qdisc del dev $DEV root

### IPTABLES RULES ###
P2P_IP=192.168.0.100
SSH_PORT=9000

iptables -t mangle -A FORWARD -s $P2P_IP -o $DEV -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -o $DEV -p tcp --sport $SSH_PORT -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -o $DEV -s ! $P2P_IP -m length --length :64 -j MARK --set-mark 3

### CLASSES ###
SSH=1:10
P2P=1:20
ACK=1:40
DEF=1:30

## HERE I USE $PARENT_RATE TO LIMIT BORROWING FROM P2P CLASS FROM PARENT, AND I PUT $MAX_RATE FOR LOW PRIO CLASSES SO THEY ALWAYS GET THE RATE THEY NEED (THIS TRICK SEEMS TO HELP) ##
MAX_RATE=25kbps
PARENT_RATE=10kbps
P2P_UP=10kbps

tc qdisc add dev $DEV root handle 1: htb default 30
tc class add dev $DEV parent 1: classid 1:1 htb rate $PARENT_RATE burst 6k cburst 3k
tc class add dev $DEV parent 1:1 classid $P2P htb rate $P2P_UP ceil $P2P_UP burst 1k cburst 1k prio 2
tc class add dev $DEV parent 1:1 classid $SSH htb rate 5kbps ceil 10kbps burst 6k cburst 3k prio 0
## Is this really needed?
tc class add dev $DEV parent 1:1 classid $ACK htb rate $MAX_RATE ceil $MAX_RATE burst 6k cburst 3k prio 0
## DEFAULT CLASS
tc class add dev $DEV parent 1:1 classid $DEF htb rate $MAX_RATE ceil $MAX_RATE burst 6k cburst 3k prio 1

### Add sfq qdiscs to guarantee fair bandwidth handling ###
tc qdisc add dev $DEV parent $SSH handle 10: sfq perturb 10
tc qdisc add dev $DEV parent $DEF handle 30: sfq perturb 10
tc qdisc add dev $DEV parent $P2P handle 20: sfq perturb 10

### Filters to control the marked traffic (specifically, P2P and SSH)
iptables -t mangle -A FORWARD -o $DEV -s $P2P_IP -m mark --mark 1 -j CLASSIFY --set-class $P2P
iptables -t mangle -A OUTPUT -o $DEV -s ! $P2P_IP -m mark --mark 2 -j CLASSIFY --set-class $SSH
iptables -t mangle -A POSTROUTING -o $DEV -s ! $P2P_IP -m mark --mark 3 -j CLASSIFY --set-class $ACK
From administrator at netwlan.net Sun Mar 4 12:37:29 2007
From: administrator at netwlan.net (Ivan Vladimirov)
Date: Sun Mar 4 12:38:00 2007
Subject: [LARTC] help on routing
In-Reply-To: 
References: 
Message-ID: <45EAAF79.7030106@netwlan.net>

Kamen TOMOV wrote:
> We have a router with two external and one internal interfaces and it
> doesn't work as we'd like to. We need it to route all the traffic
> through one of the external interfaces and to access a few networks
> through the other.
>
> Currently it seems that all the packets with source address from the
> internal network are routed correctly. The problem is with the packets
> that originate from the router. For some reason they are routed
> through the default interface. Does anybody know why that happens?
>
> # ip rule ls
> 0:	from all lookup local
> 200:	from 192.168.1.0/24 to a.b.c.0/24 lookup 202
> 201:	from e.f.g.0/24 lookup 201
> 201:	from 192.168.1.0/24 to 62.44.96.0/19 lookup 201
> 201:	from 127.0.0.0/8 to 62.44.96.0 lookup 201
> 202:	from a.b.c.0/24 lookup 202
> 32766:	from all lookup main
> 32767:	from all lookup default
>
> # ip route ls
> e.f.g.0/24 dev eth3 scope link metric 1
> a.b.c.0/24 dev eth2 scope link
> 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
> 127.0.0.0/8 dev lo scope link
> default via a.b.c.1 dev eth2
>
> ip route ls table 201
> default via e.f.g.1 dev eth3 proto static src e.f.g.52 realm 201
> prohibit default proto static metric 1
>
> ip route ls table 202
> default via a.b.c.1 dev eth2 proto static src a.b.c.4 realm 202
> prohibit default proto static metric 1
>
> Your help is appreciated.
>
>
Because locally originated packets use the IP address of the external interface, looking only at the main table.
To resolve this you need to apply rules for the external interfaces of the router.
From administrator at netwlan.net Sun Mar 4 13:12:39 2007
From: administrator at netwlan.net (Ivan Vladimirov)
Date: Sun Mar 4 13:12:56 2007
Subject: [LARTC] help on routing
Message-ID: <45EAB7B7.20401@netwlan.net>

Kamen TOMOV wrote:
> We have a router with two external and one internal interfaces and it
> doesn't work as we'd like to. We need it to route all the traffic
> through one of the external interfaces and to access a few networks
> through the other.
>
> Currently it seems that all the packets with source address from the
> internal network are routed correctly. The problem is with the packets
> that originate from the router. For some reason they are routed
> through the default interface. Does anybody know why that happens?
>
> # ip rule ls
> 0:      from all lookup local
> 200:    from 192.168.1.0/24 to a.b.c.0/24 lookup 202
> 201:    from e.f.g.0/24 lookup 201
> 201:    from 192.168.1.0/24 to 62.44.96.0/19 lookup 201
> 201:    from 127.0.0.0/8 to 62.44.96.0 lookup 201
> 202:    from a.b.c.0/24 lookup 202
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> # ip route ls
> e.f.g.0/24 dev eth3 scope link metric 1
> a.b.c.0/24 dev eth2 scope link
> 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
> 127.0.0.0/8 dev lo scope link
> default via a.b.c.1 dev eth2
>
> # ip route ls table 201
> default via e.f.g.1 dev eth3 proto static src e.f.g.52 realm 201
> prohibit default proto static metric 1
>
> # ip route ls table 202
> default via a.b.c.1 dev eth2 proto static src a.b.c.4 realm 202
> prohibit default proto static metric 1
>
> Your help is appreciated.
>

A little correction for my previous post: local packets look in the
Local table, not main.

ip r ls table 0

From administrator at netwlan.net Sun Mar 4 13:29:43 2007
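To see why the router's own packets end up on eth2 while forwarded LAN packets are routed correctly, here is an added illustration that is not part of the thread: a small model of how the rule list quoted above is walked. It assumes 198.51.100.0/24 and 203.0.113.0/24 as constructed stand-ins for a.b.c.0/24 and e.f.g.0/24, and that a packet the router generates without a bound source address is looked up with source 0.0.0.0, so no `from` selector matches and the lookup falls through to main.

```python
"""Policy-routing lookup walk-through for the `ip rule ls` output in the thread.

Added illustration, not part of the thread. Models the priority-ordered walk
over the rules and shows why a router-originated packet whose application did
not bind a source address misses every `from` selector and falls through to
the main table (the kernel looks such packets up with source 0.0.0.0 and only
fills the source in from the route it finds). Constructed stand-ins:
198.51.100.0/24 for a.b.c.0/24 (eth2) and 203.0.113.0/24 for e.f.g.0/24 (eth3).
"""
import ipaddress

ABC = ipaddress.ip_network("198.51.100.0/24")   # stands in for a.b.c.0/24 (eth2)
EFG = ipaddress.ip_network("203.0.113.0/24")    # stands in for e.f.g.0/24 (eth3)
LAN = ipaddress.ip_network("192.168.1.0/24")    # eth0, the internal network
REMOTE = ipaddress.ip_network("62.44.96.0/19")  # networks meant to go out via eth3

# (priority, from-selector, to-selector, table), copied from the post's rule list.
# None means "from all" / "to all"; "to 62.44.96.0" without a prefix is a /32.
RULES = [
    (0, None, None, "local"),
    (200, LAN, ABC, 202),
    (201, EFG, None, 201),
    (201, LAN, REMOTE, 201),
    (201, ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("62.44.96.0/32"), 201),
    (202, ABC, None, 202),
    (32766, None, None, "main"),
    (32767, None, None, "default"),
]

# Default route of each table, from `ip route ls` and `ip route ls table 201|202`.
DEFAULT_ROUTE = {
    201: ("eth3", "e.f.g.1"),
    202: ("eth2", "a.b.c.1"),
    "main": ("eth2", "a.b.c.1"),
}


def lookup(src, dst):
    """Walk the rules in priority order; return (table, egress dev, gateway).

    'local' only answers for the router's own addresses and 'default' is
    empty, so for the sample destinations both are passed over.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for _prio, frm, to, table in sorted(RULES, key=lambda r: r[0]):
        if frm is not None and src not in frm:
            continue
        if to is not None and dst not in to:
            continue
        if table in DEFAULT_ROUTE:
            dev, gw = DEFAULT_ROUTE[table]
            return table, dev, gw
    raise LookupError("no route")


def main():
    # Forwarded packet from the LAN: rule 201 (from 192.168.1.0/24 to 62.44.96.0/19) fires.
    print("LAN host -> 62.44.100.1:", lookup("192.168.1.10", "62.44.100.1"))
    # Router-originated packet, source not yet chosen: no `from` selector matches
    # 0.0.0.0, so the walk reaches main and the packet leaves via eth2.
    print("router, unbound src -> 62.44.100.1:", lookup("0.0.0.0", "62.44.100.1"))
    # Same packet with the source bound to the eth3 address: rule 201 (from e.f.g.0/24) fires.
    print("router, src 203.0.113.52 -> 62.44.100.1:", lookup("203.0.113.52", "62.44.100.1"))


if __name__ == "__main__":
    main()
```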
From: administrator at netwlan.net (Ivan Vladimirov)
Date: Sun Mar 4 13:30:00 2007
Subject: [LARTC] Creating a contended section of bandwidth with HTB and IMQ
In-Reply-To: <200702271120.02584.cpwp@w3z.co.uk>
References: <200702271120.02584.cpwp@w3z.co.uk>
Message-ID: <45EABBB7.30504@netwlan.net>

Charles Price wrote:
> Hi All,
>
> I'm trying to create a contended section of bandwidth using IMQ. I have the
> imq0 device up and running, with traffic passing through it.
>
> Firstly, I need to throttle the entire device imq0 to 2mbit/s.
>
> I would then like to add throttle rules for individual IP addresses, allowing
> them to pass up to 512kbit/s each, as long as imq0 has not reached its
> 2mbit/s.
>
> The configuration I currently have is as follows:
>
> tc qdisc add dev imq0 root handle 1: htb default 1
> tc class add dev imq0 parent 1: classid 1:1 htb rate 2mbit burst 15k
>
> # IP 10.0.0.10
> tc class add dev imq0 parent 1:1 classid 1:10 htb rate 512kbit
> tc qdisc add dev imq0 parent 1:10 handle 10: sfq
> tc filter add dev imq0 protocol ip parent 1: prio 10 u32 \
>   match ip src 10.0.0.10/32 flowid 1:10
>
> # IP 10.0.0.20
> tc class add dev imq0 parent 1:1 classid 1:20 htb rate 512kbit
> tc qdisc add dev imq0 parent 1:20 handle 20: sfq
> tc filter add dev imq0 protocol ip parent 1: prio 20 u32 \
>   match ip src 10.0.0.20/32 flowid 1:20
>
>
> Both IP addresses (10.0.0.10 and 10.0.0.20) acquire their 512kbit/s without
> problem. However, when I add more classes like the ones above and pass
> plenty of traffic, each IP address still obtains its full 512kbit/s -
> regardless of the 2mbit/s limit in the root class.
>
> Is there a way to achieve this?
>
> Thanks in advance,
>
> Charlie
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

You can try using HFSC for such low speeds, here is an example:

tc qdisc add dev imq0 root handle 1: hfsc default 7
tc qdisc add dev imq1 root handle 1: hfsc default 7

###########################
# Defining root class U/D #
###########################
tc class add dev imq0 parent 1: classid 1:1 hfsc ul m1 2mbit d 500 m2 2mbit ls m1 2mbit d 500 m2 2mbit
tc class add dev imq1 parent 1: classid 1:1 hfsc ul m1 2mbit d 500 m2 2mbit ls m1 2mbit d 500 m2 2mbit

###########################
# Class 7: NOT FILTERED   #
###########################
tc class add dev imq0 parent 1:1 classid 1:7 hfsc ul m1 8kbit d 500 m2 8kbit ls m1 8kbit d 500 m2 8kbit
tc class add dev imq1 parent 1:1 classid 1:7 hfsc ul m1 8kbit d 500 m2 8kbit ls m1 8kbit d 500 m2 8kbit

######################################################################################
tc class add dev imq0 parent 1:1 classid 1:10 hfsc ul m1 2mbit d 500 m2 2mbit ls m1 2mbit d 500 m2 512kbit
tc class add dev imq1 parent 1:1 classid 1:10 hfsc ul m1 2mbit d 500 m2 2mbit ls m1 2mbit d 500 m2 512kbit

tc class add dev imq0 parent 1:1 classid 1:11 hfsc ul m1 2mbit d 500 m2 2mbit ls m1 2mbit d 500 m2 512kbit
tc class add dev imq1 parent 1:1 classid 1:11 hfsc ul m1 2mbit d 500 m2 2mbit ls m1 2mbit d 500 m2 512kbit

tc class add dev imq0 parent 1:1 classid 1:12 hfsc ul m1 2mbit d 500 m2 2mbit ls m1 2mbit d 500 m2 512kbit
tc class add dev imq1 parent 1:1 classid 1:12 hfsc ul m1 2mbit d 500 m2 2mbit ls m1 2mbit d 500 m2 512kbit

tc class add dev imq0 parent 1:1 classid 1:13 hfsc ul m1 2mbit d 500 m2 2mbit ls m1 2mbit d 500 m2 512kbit
tc class add dev imq1 parent 1:1 classid 1:13 hfsc ul m1 2mbit d 500 m2 2mbit ls m1 2mbit d 500 m2 512kbit

This is an example of fair sharing where every subscriber gets 2mbit if
alone, or 512kbit if there are other subscribers online; the speed of the
imq device never passes 2mbit, or whatever you put on class 1:1.

From lists at davey.net.au Sun Mar 4 15:58:14 2007
From: lists at davey.net.au (John Arthur)
Date: Sun Mar 4 15:59:51 2007
Subject: [LARTC] Creating a contended section of bandwidth with HTB and IMQ
In-Reply-To: <200702271120.02584.cpwp@w3z.co.uk>
Message-ID: <000301c75e6d$8adec550$0202fea9@tau>

Hi Charlie,

That's because for HTB, rate is the guaranteed minimum it will get when
requesting bandwidth, so the sum of all your rates should not exceed your
root (2mbit) or things will get ugly.

You want something like this (ceil):

htb rate 52kbit ceil 512kbit

This is guaranteeing a minimum of 52k and setting a max bandwidth of 512kbit.

Regards
John

From donvodka at gmail.com Sun Mar 4 20:15:42 2007
From: donvodka at gmail.com (Edgar Merino)
Date: Sun Mar 4 20:16:05 2007
Subject: [LARTC] Help with HTB rules (experiencing latency)
Message-ID: <45EB1ADE.3030403@gmail.com>

Hello,

I'm using these rules (attached) to control traffic going out from ip
192.168.0.100 which is acting as a p2p server, but when I have these
rules on and mldonkey running I experience some latency in web pages,
which I would like to eliminate. I've read that this is where the burst
and cburst (even quantum) parameters are useful, but I still can't
understand clearly how to set them (there are few examples using up
rates of ~25kb/s), I hope you can check my rules and give me a hint on
what to do.

Solutions in Spanish are also accepted.

Edgar Merino

-------------- next part --------------
#!/bin/sh

### Upload device (external) ###
DEV=eth0

### Lower the queue length of $DEV and the MTU ###
ip link set dev $DEV qlen 30
ip link set dev $DEV mtu 1000

### FLUSH RULES AND CHAINS of the mangle table ###
iptables -t mangle -F
iptables -t mangle -X

## DELETE ROOT QDISC ON $DEV
tc qdisc del dev $DEV root

### IPTABLES RULES ###
P2P_IP=192.168.0.100
SSH_PORT=9000
iptables -t mangle -A FORWARD -s $P2P_IP -o $DEV -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -o $DEV -p tcp --sport $SSH_PORT -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -o $DEV -s ! $P2P_IP -m length --length :64 -j MARK --set-mark 3

### CLASSES ###
SSH=1:10
P2P=1:20
ACK=1:40
DEF=1:30

## HERE I USE $PARENT_RATE TO LIMIT BORROWING FROM P2P CLASS FROM PARENT, AND I PUT $MAX_RATE
## FOR LOW PRIO CLASSES SO THEY ALWAYS GET THE RATE THEY NEED (THIS TRICK SEEMS TO HELP) ##
MAX_RATE=25kbps
PARENT_RATE=10kbps
P2P_UP=10kbps

tc qdisc add dev $DEV root handle 1: htb default 30
tc class add dev $DEV parent 1: classid 1:1 htb rate $PARENT_RATE burst 6k cburst 3k
tc class add dev $DEV parent 1:1 classid $P2P htb rate $P2P_UP ceil $P2P_UP burst 1k cburst 1k prio 2
tc class add dev $DEV parent 1:1 classid $SSH htb rate 5kbps ceil 10kbps burst 6k cburst 3k prio 0
## Is this really needed?
tc class add dev $DEV parent 1:1 classid $ACK htb rate $MAX_RATE ceil $MAX_RATE burst 6k cburst 3k prio 0
## DEFAULT CLASS
tc class add dev $DEV parent 1:1 classid $DEF htb rate $MAX_RATE ceil $MAX_RATE burst 6k cburst 3k prio 1

### Add sfq qdiscs to guarantee fair bandwidth handling ###
tc qdisc add dev $DEV parent $SSH handle 10: sfq perturb 10
tc qdisc add dev $DEV parent $DEF handle 30: sfq perturb 10
tc qdisc add dev $DEV parent $P2P handle 20: sfq perturb 10

### Filters to control the marked traffic (specifically, P2P and SSH)
iptables -t mangle -A FORWARD -o $DEV -s $P2P_IP -m mark --mark 1 -j CLASSIFY --set-class $P2P
iptables -t mangle -A OUTPUT -o $DEV -s ! $P2P_IP -m mark --mark 2 -j CLASSIFY --set-class $SSH
iptables -t mangle -A POSTROUTING -o $DEV -s ! $P2P_IP -m mark --mark 3 -j CLASSIFY --set-class $ACK

From kamen at evrocom.net Mon Mar 5 08:22:23 2007
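John's rule for HTB (rate is a guarantee, so child rates must not add up to more than the parent's rate) can be checked mechanically against both class trees in this thread. The checker below is an added example, not code from Charles, John or Edgar: it parses `tc class add ... htb` lines and flags child rates that exceed the parent's rate in total, and ceils above the parent's ceil. It is run on Charles's tree extended to four hosts (a constructed extension), on John's `rate 52kbit ceil 512kbit` variant, and on Edgar's tree with the shell variables replaced by their values.

```python
"""HTB rate/ceil invariant checker for the class trees posted in this thread.

Added example, not code from any poster. Assumptions: tc's 'kbit' is
kilobits/s and 'kbps' is kilobytes/s, and an htb class without 'ceil'
gets ceil = rate (both are how tc and HTB behave).
"""
import re

UNITS = {"bit": 1, "kbit": 1_000, "mbit": 1_000_000,
         "bps": 8, "kbps": 8_000, "mbps": 8_000_000}

# Charles's configuration extended to four hosts (constructed), each guaranteed 512kbit.
CHARLES = """\
tc qdisc add dev imq0 root handle 1: htb default 1
tc class add dev imq0 parent 1: classid 1:1 htb rate 2mbit burst 15k
tc class add dev imq0 parent 1:1 classid 1:10 htb rate 512kbit
tc class add dev imq0 parent 1:1 classid 1:20 htb rate 512kbit
tc class add dev imq0 parent 1:1 classid 1:30 htb rate 512kbit
tc class add dev imq0 parent 1:1 classid 1:40 htb rate 512kbit
"""

# John's variant: a small guarantee per host, borrowing up to 512kbit.
JOHN_FIX = CHARLES.replace("rate 512kbit", "rate 52kbit ceil 512kbit")

# Edgar's class tree with $PARENT_RATE, $P2P_UP and $MAX_RATE substituted.
EDGAR = """\
tc qdisc add dev eth0 root handle 1: htb default 30
tc class add dev eth0 parent 1: classid 1:1 htb rate 10kbps burst 6k cburst 3k
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 10kbps ceil 10kbps burst 1k cburst 1k prio 2
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 5kbps ceil 10kbps burst 6k cburst 3k prio 0
tc class add dev eth0 parent 1:1 classid 1:40 htb rate 25kbps ceil 25kbps burst 6k cburst 3k prio 0
tc class add dev eth0 parent 1:1 classid 1:30 htb rate 25kbps ceil 25kbps burst 6k cburst 3k prio 1
"""


def to_bits(value):
    """Convert a tc rate such as '512kbit' or '25kbps' to bits per second."""
    m = re.fullmatch(r"(\d+)([a-z]+)", value)
    return int(m.group(1)) * UNITS[m.group(2)]


def parse_htb(script):
    """Return {classid: {'parent', 'rate', 'ceil'}} from `tc class add ... htb` lines."""
    classes = {}
    for line in script.splitlines():
        m = re.search(r"tc class add dev \S+ parent (\S+) classid (\S+) htb (.*)", line)
        if not m:
            continue
        parent, classid, opts = m.groups()
        rate = to_bits(re.search(r"\brate (\S+)", opts).group(1))
        ceil = re.search(r"\bceil (\S+)", opts)
        classes[classid] = {
            "parent": parent,
            "rate": rate,
            "ceil": to_bits(ceil.group(1)) if ceil else rate,  # htb default: ceil = rate
        }
    return classes


def check_htb(classes):
    """List violations of the HTB invariants John's reply spells out."""
    problems = []
    for cid, c in classes.items():
        parent = classes.get(c["parent"])
        if c["rate"] > c["ceil"]:
            problems.append(f"{cid}: rate exceeds ceil")
        if parent and c["ceil"] > parent["ceil"]:
            problems.append(f"{cid}: ceil above parent {c['parent']} ceil")
    for pid, p in classes.items():
        total = sum(c["rate"] for c in classes.values() if c["parent"] == pid)
        if total > p["rate"]:
            problems.append(f"{pid}: children guarantee {total} bit/s but parent rate is {p['rate']} bit/s")
    return problems


def main():
    for name, script in (("Charles, 4 hosts", CHARLES), ("John's fix", JOHN_FIX), ("Edgar", EDGAR)):
        print(name, "->", check_htb(parse_htb(script)) or "ok")


if __name__ == "__main__":
    main()
```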
From: kamen at evrocom.net (Kamen TOMOV)
Date: Mon Mar 5 08:23:20 2007
Subject: [LARTC] Re: help on routing
In-Reply-To: <45EAB7B7.20401@netwlan.net> (Ivan Vladimirov's message of "Sun\, 04 Mar 2007 14\:12\:39 +0200")
References: <45EAB7B7.20401@netwlan.net>

On Sunday, March 04 2007, Ivan Vladimirov wrote:

> A little correction for my previous post
> local packets look in the Local table, not main
> ip r ls table 0

Interesting. Thanks a lot!

Regards,
--
Kamen

From simone84bo at email.it Mon Mar 5 20:42:11 2007
From: simone84bo at email.it (Simone84bo)
Date: Mon Mar 5 20:42:36 2007
Subject: [LARTC] Routing across some interfaces
Message-ID: <9b7529e928cd47905a233d0096fa676d@85.18.136.107>

Hi all,

I need help with one problem... I want to see and manage the traffic of
two interfaces. I've read that I can use IMQ but it doesn't direct
traffic on the interfaces. Is that true?!

Looking at the example in chapter 9.7.1 of the LARTC HOWTO I know how to
manage traffic from a net (in the example 10.0.0.230/32), but how can I
send this traffic to device eth0 and the default traffic to device eth1,
for example?

It's very important for me. Please help me!

Thanks
Simone

From Jon.J.Flechsenhaar at boeing.com Mon Mar 5 20:52:45 2007
From: Jon.J.Flechsenhaar at boeing.com (Flechsenhaar, Jon J)
Date: Mon Mar 5 20:53:04 2007
Subject: [LARTC] QoS IP precedence and Diffserv combination
Message-ID: <0E24ED2A7F9AA349A8633E6A56A64BE0027A8207@XCH-SW-2V1.sw.nos.boeing.com>

All:

I am tasked with creating an environment in which DiffServ and IP
precedence are handled as close to RFC specification as possible. I have
a few problems with implementing this based on the current queueing
structure. Here are a few of my questions.

1.) Is there any way to get DiffServ AF drop levels without using DSMARK
and GRED?

    Ex.
    AF11   GRED DP 1
    AF12   GRED DP 2
    AF13   GRED DP 3

2.) Can I get traffic into GRED DP levels without using DSMARK?

3.) It appears that DSMARK was designed to be the root queuing discipline
of an interface. Is this true?

4.) If you filter with DSMARK into a class, the TOS value is copied into
tcindex. If you further filter that traffic into other embedded classes
with a u32 filter on TOS, does it read the original value in the IP
header or the tcindex value?

    Ex.
    DSMARK as root
      |
    HTB class (tcindex filter gets traffic into HTB class)
      |
    Embedded prio classes under HTB (u32 TOS filter to put traffic into
    priority queue)

Look forward to any comments...

Thanks!

Jon Flechsenhaar
Boeing WNW Team
Network Services
(714)-762-1231
202-E7

From michael_soulier at mitel.com Mon Mar 5 21:45:53 2007
From: michael_soulier at mitel.com (Michael P. Soulier)
Date: Mon Mar 5 21:45:59 2007
Subject: [LARTC] File exists?
Message-ID: <20070305204553.GI17062@e-smith.com>

Hello,

I'm trying to put 3 nodes in a vpn in tunnel mode. When I run setkey on
the following file, I end up with

The result of line 33: File exists.

That error isn't overly helpful, so I was hoping that someone could
explain the issue. Here's the file, with line 33 highlighted.

Help appreciated.

Mike

# Flush the SAD and SPD
flush;
spdflush;

# Add SA for 10.33.15.145 to 10.31.8.96 in tunnel mode
add 10.33.15.145 10.31.8.96 esp 0x201 -m tunnel
    -E 3des-cbc 0xB1A03D22D78D6357084B13E930A27F72ECAFB61B5D398A22
    -A hmac-md5 0x2F9FCE98685ED329C2E9A5C6CC7C5E20;

# Add SA for 10.31.8.96 to 10.33.15.145 in tunnel mode
add 10.31.8.96 10.33.15.145 esp 0x301 -m tunnel
    -E 3des-cbc 0x80C16F148B2C11A0E65939D9D945C5630BE09B7F2EC75186
    -A hmac-md5 0xFC2B609F54DFFA62040AC8D9A4657387;

# Add SA for 10.33.15.145 to 10.33.15.151 in tunnel mode
add 10.33.15.145 10.33.15.151 esp 0x201 -m tunnel
    -E 3des-cbc 0xB1A03D22D78D6357084B13E930A27F72ECAFB61B5D398A22
    -A hmac-md5 0x2F9FCE98685ED329C2E9A5C6CC7C5E20;

# Add SA for 10.33.15.151 to 10.33.15.145 in tunnel mode
add 10.33.15.151 10.33.15.145 esp 0x301 -m tunnel
    -E 3des-cbc 0xE0C9C70351CD3B4E2D9024FC1CACBC8B0D288E6981417259
    -A hmac-md5 0x8FC64D13209EFC7732D4A9A1159BA758;        <======== line 33

# Add policy for 172.16.113.0/24 -> 192.168.19.0/24 over
# the 10.33.15.145-10.31.8.96 tunnel
spdadd 172.16.113.0/24 192.168.19.0/24 any -P out ipsec
    esp/tunnel/10.33.15.145-10.31.8.96/require;

# Add policy for 192.168.19.0/24 -> 172.16.113.0/24 over
# the 10.31.8.96-10.33.15.145 tunnel
spdadd 192.168.19.0/24 172.16.113.0/24 any -P in ipsec
    esp/tunnel/10.31.8.96-10.33.15.145/require;

# Add policy for 172.16.113.0/24 -> 172.16.129.0/24 over
# the 10.33.15.145-10.33.15.151 tunnel
spdadd 172.16.113.0/24 172.16.129.0/24 any -P out ipsec
    esp/tunnel/10.33.15.145-10.33.15.151/require;

# Add policy for 172.16.129.0/24 -> 172.16.113.0/24 over
# the 10.33.15.151-10.33.15.145 tunnel
spdadd 172.16.129.0/24 172.16.113.0/24 any -P in ipsec
    esp/tunnel/10.33.15.151-10.33.15.145/require;

--
Michael P. Soulier , 613-592-2122 x2522
"Any intelligent fool can make things bigger and more complex... It takes
a touch of genius - and a lot of courage to move in the opposite
direction." --Albert Einstein

From johnphilips42 at yahoo.com Tue Mar 6 00:05:28 2007
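The "File exists" in the post has a cause that can be checked mechanically: an IPsec SA is identified by the triple (destination address, protocol, SPI), and two `add` statements that share that triple collide in the SAD, so the second one fails with EEXIST. The script below is an added example, not from the thread: it parses setkey `add` statements and reports the first one whose identity is already taken. The addresses and SPIs are the ones from Mike's file; the key material is replaced by constructed placeholders, and the line numbers it reports are those of this constructed copy, not of the original file.

```python
"""Detect SA identity collisions in a setkey configuration.

Added example, not from the thread. Assumption (standard IPsec): the SAD keys
an SA by (destination, protocol, SPI); adding a second SA with the same triple
fails with EEXIST, which setkey reports as 'File exists'. Keys below are
constructed placeholders, not the ones posted.
"""
import re

SETKEY_CONF = """\
# Flush the SAD and SPD
flush;
spdflush;

# Add SA for 10.33.15.145 to 10.31.8.96 in tunnel mode
add 10.33.15.145 10.31.8.96 esp 0x201 -m tunnel
    -E 3des-cbc 0x000102030405060708090a0b0c0d0e0f1011121314151617
    -A hmac-md5 0x000102030405060708090a0b0c0d0e0f;

# Add SA for 10.31.8.96 to 10.33.15.145 in tunnel mode
add 10.31.8.96 10.33.15.145 esp 0x301 -m tunnel
    -E 3des-cbc 0x101112131415161718191a1b1c1d1e1f2021222324252627
    -A hmac-md5 0x101112131415161718191a1b1c1d1e1f;

# Add SA for 10.33.15.145 to 10.33.15.151 in tunnel mode
add 10.33.15.145 10.33.15.151 esp 0x201 -m tunnel
    -E 3des-cbc 0x202122232425262728292a2b2c2d2e2f3031323334353637
    -A hmac-md5 0x202122232425262728292a2b2c2d2e2f;

# Add SA for 10.33.15.151 to 10.33.15.145 in tunnel mode
add 10.33.15.151 10.33.15.145 esp 0x301 -m tunnel
    -E 3des-cbc 0x303132333435363738393a3b3c3d3e3f4041424344454647
    -A hmac-md5 0x303132333435363738393a3b3c3d3e3f;

# Policies are not SAs and are ignored by the check.
spdadd 172.16.113.0/24 192.168.19.0/24 any -P out ipsec
    esp/tunnel/10.33.15.145-10.31.8.96/require;
"""

ADD_RE = re.compile(r"add\s+(\S+)\s+(\S+)\s+(esp|ah)\s+(0x[0-9a-fA-F]+)")


def parse_sas(conf):
    """Return [(lineno, src, dst, proto, spi)] for every `add` statement.

    Statements end with ';' and may span several lines; lineno is the line on
    which the statement starts, which is the line setkey names in its error.
    """
    sas, buf, start = [], [], None
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if start is None:
            start = lineno
        buf.append(line)
        if line.endswith(";"):
            m = ADD_RE.match(" ".join(buf))
            if m:
                src, dst, proto, spi = m.groups()
                sas.append((start, src, dst, proto, int(spi, 16)))
            buf, start = [], None
    return sas


def find_collisions(sas):
    """Return (lineno, dst, proto, spi, first_lineno) for each SA whose identity is taken."""
    seen, dups = {}, []
    for lineno, _src, dst, proto, spi in sas:
        key = (dst, proto, spi)
        if key in seen:
            dups.append((lineno, dst, proto, spi, seen[key]))
        else:
            seen[key] = lineno
    return dups


def main():
    for lineno, dst, proto, spi, first in find_collisions(parse_sas(SETKEY_CONF)):
        print(f"line {lineno}: {proto} SPI {spi:#x} to {dst} already added at line {first}")


if __name__ == "__main__":
    main()
```

The source address does not take part in the identity, which is why the third `add` (SPI 0x201 again, but to a different destination) is fine while the fourth is not.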
From: johnphilips42 at yahoo.com (John Philips)
Date: Tue Mar 6 00:05:36 2007
Subject: [LARTC] Router dropping packets?
Message-ID: <969452.20613.qm@web57812.mail.re3.yahoo.com>

Hey guys,

I have several Linux routers in place at high-usage locations (student
apartment complexes). I'm having trouble with some of the routers which
use 6Mbit DSL lines as their Internet feed. The routers use PPPoE and
perform NAT.

During peak usage periods, the routers are dropping a lot of packets.
I'm led to believe this is because there are too many active
connections.

For example, when I ping the WAN IP address of one of the routers from a
remote location, I may start getting replies immediately. But during
peak periods, the first several pings usually time out and then they
just start responding. Sometimes they start responding on the 4th ping,
sometimes the 12th, etc., it's pretty random.

I searched the web and tried increasing my gc_cache settings, but it
didn't make a difference.

echo 512 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

The other notable difference is that the conntrack tables are much
larger than normal.

`wc -l /proc/net/ip_conntrack` returns >19000 on the routers
experiencing packet loss while virtually all of the other routers (not
having this issue) have less than 5000 entries in ip_conntrack. I tried
increasing ip_conntrack_max in /proc, setting it to 65536 - didn't make
a difference.

Are there any other /proc settings I should change to improve
performance? Any tips on analyzing the ip_conntrack data to find
oddities?

FYI I'm using kernel 2.4.25. I'd rather not upgrade to 2.6 since doing
so in the past has introduced more problems!

Thanks.

From netsecuredata at gmail.com Tue Mar 6 06:03:38 2007
From: netsecuredata at gmail.com (Jorge Evangelista)
Date: Tue Mar 6 06:03:57 2007
Subject: [LARTC] Router dropping packets?
In-Reply-To: <969452.20613.qm@web57812.mail.re3.yahoo.com>
References: <969452.20613.qm@web57812.mail.re3.yahoo.com>

Hi

Do you block P2P traffic in your routers? You might use the ipp2p
module. How much RAM do you have in your Linux routers? Make sure that
the MTU is configured lower than 1500 on your network cards, in many
cases 1492.

On 3/5/07, John Philips wrote:
> Hey guys,
>
> I have several Linux routers in place at high-usage locations (student
> apartment complexes). I'm having trouble with some of the routers which
> use 6Mbit DSL lines as their Internet feed. The routers use PPPoE and
> perform NAT.
>
> During peak usage periods, the routers are dropping a lot of packets.
> I'm led to believe this is because there are too many active
> connections.
>
> For example, when I ping the WAN IP address of one of the routers from
> a remote location, I may start getting replies immediately. But during
> peak periods, the first several pings usually time out and then they
> just start responding. Sometimes they start responding on the 4th ping,
> sometimes the 12th, etc., it's pretty random.
>
> I searched the web and tried increasing my gc_cache settings, but it
> didn't make a difference.
>
> echo 512 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
> echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
> echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
>
> The other notable difference is that the conntrack tables are much
> larger than normal.
>
> `wc -l /proc/net/ip_conntrack` returns >19000 on the routers
> experiencing packet loss while virtually all of the other routers (not
> having this issue) have less than 5000 entries in ip_conntrack. I tried
> increasing ip_conntrack_max in /proc, setting it to 65536 - didn't make
> a difference.
>
> Are there any other /proc settings I should change to improve
> performance? Any tips on analyzing the ip_conntrack data to find
> oddities?
>
> FYI I'm using kernel 2.4.25. I'd rather not upgrade to 2.6 since doing
> so in the past has introduced more problems!
>
> Thanks.

--
"The network is the computer"

From bugfood-ml at fatooh.org Tue Mar 6 07:04:43 2007
From: bugfood-ml at fatooh.org (Corey Hickey)
Date: Tue Mar 6 07:04:52 2007
Subject: [LARTC] Router dropping packets?
In-Reply-To: <969452.20613.qm@web57812.mail.re3.yahoo.com>
References: <969452.20613.qm@web57812.mail.re3.yahoo.com>
Message-ID: <45ED047B.2050901@fatooh.org>

John Philips wrote:
> Hey guys,
>
> I have several Linux routers in place at high-usage locations (student
> apartment complexes). I'm having trouble with some of the routers which
> use 6Mbit DSL lines as their Internet feed. The routers use PPPoE and
> perform NAT.
>
> During peak usage periods, the routers are dropping a lot of packets.
> I'm led to believe this is because there are too many active
> connections.

Besides what you wrote in the rest of your mail, do you have any other
reason to believe this? Based on the information you've given, I would
suspect you're just seeing the normal (albeit ugly) effects of
saturating a DSL line.

Are your Linux routers doing any traffic shaping? When you're having
these problems, what is the bandwidth going over the DSL? Don't forget
to look at both upstream and downstream rates.

-Corey

From Jon.J.Flechsenhaar at boeing.com Tue Mar 6 19:34:25 2007
From: Jon.J.Flechsenhaar at boeing.com (Flechsenhaar, Jon J)
Date: Tue Mar 6 19:34:58 2007
Subject: [LARTC] QoS prio queuing
Message-ID: <0E24ED2A7F9AA349A8633E6A56A64BE0027A8210@XCH-SW-2V1.sw.nos.boeing.com>

Is there any way to actually see packet stats, or that packets are for
sure going into a prio queue, with TC? I can see all the HTB stats but
the prio classes just list as being there... would like more
information.

Basically I have the following setup:

DSMARK
  |
HTB - (tcindex filter on TOS)
  |
Prio (u32 filter on TOS)

Thanks

Jon Flechsenhaar
Boeing WNW Team
Network Services
(714)-762-1231
202-E7

From galak at kernel.crashing.org Tue Mar 6 23:32:50 2007
From: galak at kernel.crashing.org (Kumar Gala)
Date: Tue Mar 6 23:33:05 2007
Subject: [LARTC] ip route config question, forcing src address

I'm trying to use ip route to setup a single interface with two ip
addresses. I currently have:

/ # /usr/sbin/ip address show
1: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:19:03:00:27:10 brd ff:ff:ff:ff:ff:ff
    inet 128.0.0.1/16 brd 128.0.255.255 scope global eth0:1
    inet 172.17.31.84/24 brd 172.17.31.255 scope global eth0
2: lo: mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo

/ # /usr/sbin/ip route
172.17.31.0/24 dev eth0 proto kernel scope link src 172.17.31.84
128.0.0.0/16 dev eth0 proto kernel scope link src 128.0.0.1
default via 172.17.31.1 dev eth0

/ # /usr/sbin/ip route show table local
broadcast 172.17.31.255 dev eth0 proto kernel scope link src 172.17.31.84
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 128.0.0.0 dev eth0 proto kernel scope link src 128.0.0.1
local 128.0.0.1 dev eth0 proto kernel scope host src 128.0.0.1
broadcast 172.17.31.0 dev eth0 proto kernel scope link src 172.17.31.84
broadcast 128.0.255.255 dev eth0 proto kernel scope link src 128.0.0.1
local 172.17.31.84 dev eth0 proto kernel scope host src 172.17.31.84
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1

What I'd like is to have it so that the src address is always
172.17.31.84 for both 172.17.31.0/24 & 128.0.0.0/16.

So I modify the routes to get:

/ # /usr/sbin/ip route show
172.17.31.0/24 dev eth0 proto kernel scope link src 172.17.31.84
128.0.0.0/16 dev eth0 proto kernel scope link src 172.17.31.84
default via 172.17.31.1 dev eth0

however if the dest is 128.0.0.1 the src is still 128.0.0.1:

/ # /usr/sbin/ip route get 128.0.0.1
local 128.0.0.1 dev lo src 128.0.0.1
    cache mtu 16436 advmss 16396 metric 10 64

Is there any way to modify the routes so this 'loopback' src becomes
172.17.31.84?

I'm running a 2.6.20 kernel.

thanks
- kumar

From donvodka at gmail.com Wed Mar 7 00:03:36 2007
From: donvodka at gmail.com (Edgar Merino)
Date: Wed Mar 7 00:04:00 2007
Subject: [LARTC] Help needed with HTB
Message-ID: <45EDF348.4040507@gmail.com>

Hello,

A few days ago I sent an email asking for help with my tc htb rules (a
script), but I'm not sure if that email got to you... anyway, I'm
sending it again along with my htb script and I'll tell you the problem
once again:

I have a computer with ip 192.168.0.100 which is acting as a p2p
server, so I want to shape traffic coming out from that ip. I have a
linux box acting as a router with two NICs; the server ip is
192.168.0.1. So I hope you can take a look at it and tell me why it is
that every time I have mldonkey or any other p2p software running on
that computer I experience a lot of latency in my whole network with
http traffic. Maybe someone can help me out specifying the burst and
cburst parameters... and maybe even the quantum parameter, with some
little explanation of it, since I haven't been able to understand what
the benefits of these parameters are.

Hope you can give me a hand on this,

Edgar Merino

From simone84bo at email.it Wed Mar 7 10:53:12 2007
From: simone84bo at email.it (Simone84bo)
Date: Wed Mar 7 10:53:36 2007
Subject: [LARTC] packet in the kernel

Hi all,

Can someone tell me the theoretical path of a packet in the kernel?
When is the packet sent to an IMQ device?
When does the packet arrive at post routing time?
When does the NAT operation occur? Before or after the packet is sent
to the net device?

Thanks
Bye
Simone

From rodob at datafull.com Wed Mar 7 12:43:39 2007
From: rodob at datafull.com (Rodolfo Brasnarof)
Date: Wed Mar 7 12:44:27 2007
Subject: [LARTC] packet in the kernel
Message-ID: <20070307084339.545405bd@localhost>

On Wed, 7 Mar 2007 10:53:12 +0100
Simone84bo wrote:

> Hi all,
> Can someone tell me the theoretical path of a packet in the kernel?

Perhaps this diagram can help you:
http://l7-filter.sourceforge.net/PacketFlow.png

I'll attach another one in asciiart I picked from somewhere (maybe this
list itself).

> When is the packet sent to an IMQ device?
> When does the packet arrive at post routing time?
> When does the NAT operation occur? Before or after the packet is sent
> to the net device?

When loading the imq module, my kernel says:

IMQ starting with 2 devices...
IMQ driver loaded successfully.
        Hooking IMQ before NAT on PREROUTING.
        Hooking IMQ after NAT on POSTROUTING.

This is the default option, but you can choose from all 4 options at
compile time:

CONFIG_IMQ=m
# CONFIG_IMQ_BEHAVIOR_AA is not set
# CONFIG_IMQ_BEHAVIOR_AB is not set
CONFIG_IMQ_BEHAVIOR_BA=y
# CONFIG_IMQ_BEHAVIOR_BB is not set

-------------- next part --------------
Kernel Packet Traveling Diagram

[ASCII-art diagram; its layout did not survive extraction. The stages it
shows, in order, are:]

Network
 -> IPCHAINS INPUT / IPTABLES PREROUTING: conntrack, mangle (<- MARK WRITE),
    IMQ, nat (<- DEST REWRITE: DNAT or REDIRECT or DE-MASQUERADE)
 -> QOS INGRESS
 -> ROUTING (+ PDBB)
      packet is for this machine:
        IPTABLES INPUT: mangle, filter
         -> Local Process
         -> IPTABLES OUTPUT: conntrack, mangle (<- MARK WRITE),
            nat (<- DEST REWRITE: DNAT or REDIRECT), filter
         -> OUTPUT ROUTING
      packet is for another address:
        IPCHAINS FORWARD / IPTABLES FORWARD: mangle (<- MARK WRITE), filter
 -> IPCHAINS OUTPUT / IPTABLES POSTROUTING: mangle (<- MARK WRITE),
    nat (<- SOURCE REWRITE: SNAT or MASQUERADE), IMQ
 -> QOS EGRESS
 -> Network

From cbergstrom at netsyncro.com Wed Mar 7 13:33:54 2007
From: cbergstrom at netsyncro.com (C. Bergström)
Date: Wed Mar 7 13:34:14 2007
Subject: [LARTC] Simple route 2nd look please
Message-ID: <45EEB132.5070302@netsyncro.com>

I want B to route (temporarily) to both the .65 gw and eventually move
to xxx.xxx.xxx.83 being the default gw, but I can't add that route.. I'm
missing something obvious, but if someone would take a 2nd look it would
be appreciated. I also have requested to get access to the switch, but
that's still waiting.

Server B

ip a s
1: eth0: mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0b:db:91:84:53 brd ff:ff:ff:ff:ff:ff
    inet xxx.xxx.xxx.87/26 brd xxx.xxx.xxx.127 scope global eth0
2: eth1: mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0b:db:91:84:54 brd ff:ff:ff:ff:ff:ff
    inet xxx.xxx.xxx.84/32 scope global eth1

arping -I eth1 xxx.xxx.xxx.83
ARPING xxx.xxx.xxx.83 from xxx.xxx.xxx.84 eth1
Unicast reply from xxx.xxx.xxx.83 [00:00:25:C1:CC:C0] 0.956ms  <-- Correct interface
Unicast reply from xxx.xxx.xxx.83 [00:00:25:C1:CC:C1] 1.210ms  <-- Incorrect
Unicast reply from xxx.xxx.xxx.83 [00:00:25:C1:CC:C1] 0.712ms
Unicast reply from xxx.xxx.xxx.83 [00:00:25:C1:CC:C1] 0.711ms

---------------
ip route add default via xxx.xxx.xxx.83 dev eth1 table T1
RTNETLINK answers: Network is unreachable

eris ~ # route add -net xxx.xxx.xxx.84/31 gw xxx.xxx.xxx.83
SIOCADDRT: Network is unreachable

ip r s
127.0.0.0/8 dev lo scope link
default via xxx.xxx.xxx.65 dev eth0

Server C

2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:00:25:c1:cc:c0 brd ff:ff:ff:ff:ff:ff
    inet xxx.xxx.xxx.83/31 scope global eth0
       valid_lft forever preferred_lft forever
3: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:00:25:c1:cc:c1 brd ff:ff:ff:ff:ff:ff
    inet xxx.xxx.xxx.82/26 scope global eth1

(Temporary)
ip r s
xxx.xxx.xxx.64/26 dev eth1 proto kernel scope link src 207.135.120.82
xxx.xxx.xxx.64/26 dev eth0 proto kernel scope link src 207.135.120.83
127.0.0.0/8 dev lo scope link
default via xxx.xxx.xxx.65 dev eth1

From johnphilips42 at yahoo.com Wed Mar 7 13:57:41 2007
From: johnphilips42 at yahoo.com (John Philips) Date: Wed Mar 7 13:57:47 2007 Subject: [LARTC] Router dropping packets? - SOLVED In-Reply-To: <969452.20613.qm@web57812.mail.re3.yahoo.com> Message-ID: <435613.1543.qm@web57807.mail.re3.yahoo.com>

Guys, I called my DSL provider and it turns out they limit the number of simultaneous "flows" you can have. I guess that means active TCP connections. Their limit is 1500 concurrent flows, and when the tech looked at it we had 1450 active. I presume all these flows are from P2P users, so I'm going to try using the connlimit iptables extension to prevent individual users from having more than 50 or so connections.

--- John Philips wrote:
> Hey guys,
>
> I have several Linux routers in place at high-usage locations (student apartment complexes). I'm having trouble with some of the routers which use 6Mbit DSL lines as their Internet feed. The routers use PPPoE and perform NAT.
>
> During peak usage periods, the routers are dropping a lot of packets. I'm led to believe this is because there are too many active connections.
>
> For example, when I ping the WAN IP address of one of the routers from a remote location, I may start getting replies immediately. But during peak periods, the first several pings usually time out and then they just start responding. Sometimes they start responding on the 4th ping, sometimes the 12th, etc., it's pretty random.
>
> I searched the web and tried increasing my gc_cache settings, but it didn't make a difference.
>
> echo 512 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
> echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
> echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
>
> The other notable difference is that the conntrack tables are much larger than normal.
>
> `wc -l /proc/net/ip_conntrack` returns >19000 on the routers experiencing packet loss while virtually all of the other routers (not having this issue) have less than 5000 entries in ip_conntrack. I tried increasing ip_conntrack_max in /proc, setting it to 65536 - didn't make a difference.
>
> Are there any other /proc settings I should change to improve performance? Any tips on analyzing the ip_conntrack data to find oddities?
>
> FYI I'm using kernel 2.4.25. I'd rather not upgrade to 2.6 since doing so in the past has introduced more problems!
>
> Thanks.
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From ternaryd at hotmail.com Wed Mar 7 14:49:25 2007
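As an added example for the flow-limit thread above (it is not code from John's posts or from the list): a small analyser for the /proc/net/ip_conntrack table that answers the "any tips on analyzing the ip_conntrack data" question by counting entries per inside host, so the connlimit threshold is set from what the table actually shows rather than guessed. The sample entries are constructed; the line format is the 2.4 ip_conntrack one, and the path, hosts and port numbers are assumptions.

```python
"""Per-host flow accounting from /proc/net/ip_conntrack.

Added example for the "Router dropping packets" thread; not code from the
original posts.  It parses the 2.4 ip_conntrack line format (2.6 nf_conntrack
carries the same key=value fields behind a few extra columns) and reports which
inside hosts hold the most conntrack entries.  SAMPLE is constructed, not
captured from a router; PROC_PATH is an assumption.
"""
from collections import Counter

PROC_PATH = "/proc/net/ip_conntrack"

# Constructed sample: 10.0.0.12 is a P2P client (three TCP flows to port 6881,
# one still half-open, plus one UDP flow); 10.0.0.25 is just browsing.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=10.0.0.12 dst=198.51.100.7 sport=3345 dport=6881 src=198.51.100.7 dst=203.0.113.9 sport=6881 dport=3345 [ASSURED] use=1
tcp      6 119 SYN_SENT src=10.0.0.12 dst=198.51.100.8 sport=3346 dport=6881 [UNREPLIED] src=198.51.100.8 dst=203.0.113.9 sport=6881 dport=3346 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.12 dst=198.51.100.9 sport=3347 dport=6881 src=198.51.100.9 dst=203.0.113.9 sport=6881 dport=3347 [ASSURED] use=1
udp      17 29 src=10.0.0.12 dst=198.51.100.10 sport=6881 dport=6881 src=198.51.100.10 dst=203.0.113.9 sport=6881 dport=6881 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.25 dst=192.0.2.80 sport=1025 dport=80 src=192.0.2.80 dst=203.0.113.9 sport=80 dport=1025 [ASSURED] use=1
udp      17 30 src=10.0.0.25 dst=192.0.2.53 sport=1026 dport=53 src=192.0.2.53 dst=203.0.113.9 sport=53 dport=1026 use=1
"""


def parse_entry(line):
    """One conntrack line -> dict with proto, state, unreplied flag and the
    ORIGINAL-direction tuple (the first src/dst/sport/dport set; the second
    set is the reply tuple, which after NAT shows the router's WAN address)."""
    fields = line.split()
    if len(fields) < 4:
        return None
    proto, rest = fields[0], fields[3:]
    state = None
    if "=" not in rest[0] and not rest[0].startswith("["):
        state = rest[0]  # only TCP entries carry a state column
    orig = {}
    for tok in rest:
        key, sep, value = tok.partition("=")
        if sep and key in ("src", "dst", "sport", "dport") and key not in orig:
            orig[key] = value
    if "src" not in orig:
        return None
    return {"proto": proto, "state": state, "unreplied": "[UNREPLIED]" in rest, **orig}


def flows_per_source(text):
    """Counter of conntrack entries keyed by original source address."""
    counts = Counter()
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry:
            counts[entry["src"]] += 1
    return counts


def over_limit(text, limit):
    """Hosts holding more than LIMIT entries: the ones a per-source connlimit
    rule would start dropping, sorted by address."""
    return sorted((host, n) for host, n in flows_per_source(text).items() if n > limit)


def summary(text):
    """Table-wide figures: total entries, half-open (UNREPLIED) entries that
    still occupy a slot, and the destination-port mix (P2P stands out here)."""
    entries = [e for e in map(parse_entry, text.splitlines()) if e]
    return {
        "total": len(entries),
        "unreplied": sum(1 for e in entries if e["unreplied"]),
        "by_dport": Counter(e["dport"] for e in entries),
    }


if __name__ == "__main__":
    import sys
    try:
        text = open(PROC_PATH).read()
    except OSError:
        text = SAMPLE  # not running on a router: use the constructed sample
    limit = int(sys.argv[1]) if len(sys.argv) > 1 else 50
    s = summary(text)
    print(f"{s['total']} entries, {s['unreplied']} unreplied")
    for host, n in over_limit(text, limit):
        print(f"{host} holds {n} flows (limit {limit})")
```

Run it on the router before choosing the threshold: the per-source counts tell you whether 50 cuts off a handful of P2P hosts or half the building. The rule John plans then has the shape `iptables -A FORWARD -p tcp --syn -m connlimit --connlimit-above 50 -j DROP` (chain and interface are assumptions); that match counts TCP connections, so the UDP entries the script also counts still consume table and provider flow slots.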
From: ternaryd at hotmail.com (Ternary Digit) Date: Wed Mar 7 14:49:34 2007 Subject: [LARTC] LARTC Howto Section 4.1 doesn't work (source policy routing) Message-ID:

Hi,

I've tried to reproduce the example from section 4.1 (simple source policy routing) but without success. The setup is the same as in the example, with only two differences: there is additionally a gre tunnel which doesn't seem to disturb here, and one interface does not masquerade at all, as it's meant to be used from the router only. Besides that, and the obviously different IP addresses, the output of ip route list is just the same as in the example. This is a debian box with linux stock kernel 2.6.8.

From the router everything seems to work fine, besides the insistent message "MASQUERADE: Route sent us somewhere else.". Even "ip route get" always gives the correct answer. But from the client computer (John's in the example) things only work from time to time. It seems that the first packet is correct, but that there is only a small chance that the following packets from John actually use his table. The fact that it works sometimes seems to indicate that the problem is not with iptables but with routing.

Was that example intended for an older version of the kernel? Is there something else I need to add to make it work?

Thanks,
Cris

From netsecuredata at gmail.com Wed Mar 7 15:01:40 2007
From: netsecuredata at gmail.com (Jorge Evangelista) Date: Wed Mar 7 15:01:46 2007 Subject: [LARTC] File exists? In-Reply-To: <20070305204553.GI17062@e-smith.com> References: <20070305204553.GI17062@e-smith.com> Message-ID:

Hi, I have had the same problem. I remember that I solved it by killing the process, because once you run setkey you cannot run setkey again until you kill the running process; try to find the ID (ps waux) and then kill -9.

On 3/5/07, Michael P. Soulier wrote:
> Hello,
>
> I'm trying to put 3 nodes in a vpn in tunnel mode.
>
> When I run setkey on the following file, I end up with
>
> The result of line 33: File exists.
>
> That error isn't overly helpful, so I was hoping that someone could explain the issue.
>
> Here's the file, with line 33 highlighted.
>
> Help appreciated.
>
> Mike
>
> # Flush the SAD and SPD
> flush;
> spdflush;
>
> # Add SA for 10.33.15.145 to 10.31.8.96 in tunnel mode
> add 10.33.15.145 10.31.8.96 esp 0x201 -m tunnel -E 3des-cbc
> 0xB1A03D22D78D6357084B13E930A27F72ECAFB61B5D398A22
> -A hmac-md5 0x2F9FCE98685ED329C2E9A5C6CC7C5E20;
> # Add SA for 10.31.8.96 to 10.33.15.145 in tunnel mode
> add 10.31.8.96 10.33.15.145 esp 0x301 -m tunnel -E 3des-cbc
> 0x80C16F148B2C11A0E65939D9D945C5630BE09B7F2EC75186
> -A hmac-md5 0xFC2B609F54DFFA62040AC8D9A4657387;
>
> # Add SA for 10.33.15.145 to 10.33.15.151 in tunnel mode
> add 10.33.15.145 10.33.15.151 esp 0x201 -m tunnel -E 3des-cbc
> 0xB1A03D22D78D6357084B13E930A27F72ECAFB61B5D398A22
> -A hmac-md5 0x2F9FCE98685ED329C2E9A5C6CC7C5E20;
> # Add SA for 10.33.15.151 to 10.33.15.145 in tunnel mode
> add 10.33.15.151 10.33.15.145 esp 0x301 -m tunnel -E 3des-cbc
> 0xE0C9C70351CD3B4E2D9024FC1CACBC8B0D288E6981417259
> -A hmac-md5 0x8FC64D13209EFC7732D4A9A1159BA758; <======== line 33
>
>
> # Add policy for 172.16.113.0/24 -> 192.168.19.0/24 over
> # the 10.33.15.145-10.31.8.96 tunnel
> spdadd 172.16.113.0/24 192.168.19.0/24 any -P out ipsec
> esp/tunnel/10.33.15.145-10.31.8.96/require;
>
> # Add policy for 192.168.19.0/24 -> 172.16.113.0/24 over
> # the 10.31.8.96-10.33.15.145 tunnel
> spdadd 192.168.19.0/24 172.16.113.0/24 any -P in ipsec
> esp/tunnel/10.31.8.96-10.33.15.145/require;
>
> # Add policy for 172.16.113.0/24 -> 172.16.129.0/24 over
> # the 10.33.15.145-10.33.15.151 tunnel
> spdadd 172.16.113.0/24 172.16.129.0/24 any -P out ipsec
> esp/tunnel/10.33.15.145-10.33.15.151/require;
>
> # Add policy for 172.16.129.0/24 -> 172.16.113.0/24 over
> # the 10.33.15.151-10.33.15.145 tunnel
> spdadd 172.16.129.0/24 172.16.113.0/24 any -P in ipsec
> esp/tunnel/10.33.15.151-10.33.15.145/require;
>
> --
> Michael P. Soulier , 613-592-2122 x2522
> "Any intelligent fool can make things bigger and more complex... It takes a touch of genius - and a lot of courage to move in the opposite direction."
> --Albert Einstein
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

--
"The network is the computer"

From bruno at wolff.to Wed Mar 7 17:50:00 2007
From: bruno at wolff.to (Bruno Wolff III) Date: Wed Mar 7 18:31:18 2007 Subject: [LARTC] ip route config question, forcing src address In-Reply-To: References: Message-ID: <20070307165000.GA17238@wolff.to>

On Tue, Mar 06, 2007 at 16:32:50 -0600, Kumar Gala wrote:
>
> What I'd like is to have it so that the src address is always 172.17.31.84 for both 172.17.31.0/24 & 128.0.0.0/16.

ip addr add dev eth0 172.17.31.84/24
ip addr add dev eth0 172.17.31.84 peer 128.0.0.0/16

From alexandre at ondainternet.com.br Wed Mar 7 21:12:02 2007
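An added example for the "File exists?" setkey thread above (Michael's configuration and Jorge's reply); it is not code from either post. "File exists" is setkey relaying EEXIST from the kernel, and the kernel's SAD is keyed by (destination address, protocol, SPI): Michael's file adds two SAs with destination 10.33.15.145, protocol esp and SPI 0x301 (the .96 -> .145 one and the .151 -> .145 one), and the second of them is the statement ending on line 33. The script below finds such collisions in a setkey.conf before it is loaded. The SA lines are Michael's with placeholder keys (the check never reads key material); the file path is an assumption.

```python
"""Find setkey 'add' statements that collide in the kernel's SAD.

Added example for the "File exists?" thread; not code from the original posts.
IPsec SAs are indexed by (destination, protocol, SPI).  A second 'add' with the
same triple fails with EEXIST, which setkey prints as "File exists" against the
line on which that statement ends.  SAMPLE_CONF keeps Michael's four SA
statements with placeholder keys (0xKEYn); the real keys are irrelevant here.
"""
import sys

SAMPLE_CONF = """\
# Flush the SAD and SPD
flush;
spdflush;

# 10.33.15.145 <-> 10.31.8.96
add 10.33.15.145 10.31.8.96 esp 0x201 -m tunnel -E 3des-cbc 0xKEY1
    -A hmac-md5 0xKEY2;
add 10.31.8.96 10.33.15.145 esp 0x301 -m tunnel -E 3des-cbc 0xKEY3
    -A hmac-md5 0xKEY4;

# 10.33.15.145 <-> 10.33.15.151
add 10.33.15.145 10.33.15.151 esp 0x201 -m tunnel -E 3des-cbc 0xKEY1
    -A hmac-md5 0xKEY2;
add 10.33.15.151 10.33.15.145 esp 0x301 -m tunnel -E 3des-cbc 0xKEY5
    -A hmac-md5 0xKEY6;
"""


def statements(text):
    """Yield (tokens, start_line, end_line) for every ';'-terminated statement,
    skipping '#' comments.  Line numbers are 1-based, as in setkey's messages,
    and end_line is the line setkey would name in its error."""
    buf, start = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]
        while line.strip():
            if start is None:
                start = lineno
            head, sep, line = line.partition(";")
            buf.append(head)
            if sep:
                yield " ".join(buf).split(), start, lineno
                buf, start = [], None


def sa_key(tokens):
    """SAD key (dst, proto, spi) of an 'add <src> <dst> <proto> <spi> ...'
    statement; None for anything else (flush, spdadd, ...).  The SPI is parsed
    with base 0 so 0x301 and 769 compare equal."""
    if len(tokens) >= 5 and tokens[0] == "add":
        return tokens[2], tokens[3].lower(), int(tokens[4], 0)
    return None


def find_duplicate_sas(text):
    """Return [(key, end_line_of_first_add, end_line_of_duplicate), ...]."""
    seen, dups = {}, []
    for tokens, _start, end in statements(text):
        key = sa_key(tokens)
        if key is None:
            continue
        if key in seen:
            dups.append((key, seen[key], end))
        else:
            seen[key] = end
    return dups


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for (dst, proto, spi), first, dup in find_duplicate_sas(text):
        print(f"line {dup}: SA to {dst} {proto} spi {spi:#x} already added on line {first}")
```

On the sample this reports the .151 -> .145 SA as a duplicate of the .96 -> .145 one; the fix is a distinct SPI for one of the two inbound SAs to 10.33.15.145 (say 0x302 on the .151 -> .145 statement, mirrored on that peer). SPI 0x201 is reused as well, but for two different destinations, so the kernel keeps those apart. Note that the `flush;` at the top of the file already empties the SAD, so leftover state from an earlier run is not what produces the error for a collision inside the same file.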
From: alexandre at ondainternet.com.br (Alexandre J. Correa - Onda Internet) Date: Wed Mar 7 21:11:37 2007 Subject: [LARTC] 2 links web going out by link1.. rest by link2 In-Reply-To: <20070307165000.GA17238@wolff.to> References: <20070307165000.GA17238@wolff.to> Message-ID: <45EF1C92.4040104@ondainternet.com.br>

Hello!!

On my linux gateway I have 2 adsl connections. How do I make traffic leaving to port 80 go out on link1 and the rest on link2, without marking packets with iptables... is it possible?!

Thanks!

--
Sds.
Alexandre J. Correa
Onda Internet
www.ondainternet.com.br
Linux User ID #142329

From luciano at lugmen.org.ar Thu Mar 8 02:06:07 2007
From: luciano at lugmen.org.ar (Luciano Ruete) Date: Thu Mar 8 02:06:24 2007 Subject: [LARTC] Problems getting multipath routes to balance In-Reply-To: <45E55F18.1000906@linpro.no> References: <45E55F18.1000906@linpro.no> Message-ID: <200703072206.07438.luciano@lugmen.org.ar>

On Wednesday 28 February 2007 07:53, Tore Anderson wrote:
> Hi. I've been trying to balance outgoing traffic by using multipath routes, but I can't get it to work. Only one of the routes is used.
>
> I'm adding the route like this:
>
> ip route add table 101 default \
>   nexthop via X.X.X.X nexthop via Y.Y.Y.Y
>
> It shows up in the routing table like this:
>
> default
>   nexthop via X.X.X.X dev vlan110 weight 1
>   nexthop via Y.Y.Y.Y dev vlan120 weight 1
>
> So it looks quite good. However, all traffic is routed via Y.Y.Y.Y, no matter what I do. I can increase the weight of X.X.X.X, load and unload the various multipath kernel modules (_rr, _random, _wrandom, and _drr), flush the cache routing table, delete and re-add the route, but still traffic is only sent to X.X.X.X
>
> If I reverse the order of the nexthops on the command line, that is:
>
> ip route add table 101 default \
>   nexthop via Y.Y.Y.Y nexthop via X.X.X.X
>
> ...the behaviour is exactly the same, only now the traffic is sent only to X.X.X.X. The ordering of the nexthops on the command line is the only thing that appears to make a difference to me.
>
> I send traffic from a relatively busy network into table 101 (using "ip rule add from z.z.z.z/zz table 101 prio 20000"), so there's constantly traffic there, and many simultaneous flows. I tried using "equalize" too, though, but it had no effect either.
>
> How is this actually supposed to work, and what am I missing? I'm grateful for any suggestions. I'm seeing this behaviour both on 2.6.12 and 2.6.15.

FAQ so far by now (this must be somewhere...)
(copy & paste of a previous e-mail of mine)

Try a kernel without CONFIG_IP_ROUTE_MULTIPATH_CACHED. There are several threads on this topic in the archive, one as reference:
http://archives.free.net.ph/message/20060618.150532.8a6cc07f.en.html

If it solves the problem, maybe it is time to contact the author of Multipath Cached and send some report.

--
Luciano

From alecm at chatango.com Thu Mar 8 05:07:13 2007
From: alecm at chatango.com (Alec Matusis) Date: Thu Mar 8 05:08:13 2007 Subject: [LARTC] routing TCP to another box preserving ORIGINAL client IPs Message-ID: <004301c76137$40fdaa10$c2f8fe30$@com>

My TCP clients connect to box A. I need to forward those connections to a server on box B, such that the original client IPs are visible to the server on B.

Each box has two Ethernet ports. One port on each box is connected to WAN, and they are cross-connected in a LAN via remaining ports:

       -------------------         -------------------
WAN -- |eth0  Box A  eth1|---LAN---|eth1  Box B  eth0| -- WAN
       -------------------         -------------------

Is there a way to do this with iproute2 and iptables tools ONLY? Can you provide an example? Nothing in Google after more than a week of searching. An additional requirement is to reduce the load on box A as much as possible (I guess the server on B would still have to reply to the client via A, not using B's own WAN interface however..)

From martin at linux-ip.net Thu Mar 8 05:23:31 2007
From: martin at linux-ip.net (Martin A. Brown) Date: Thu Mar 8 05:23:56 2007 Subject: [LARTC] routing TCP to another box preserving ORIGINAL client IPs In-Reply-To: <004301c76137$40fdaa10$c2f8fe30$@com> References: <004301c76137$40fdaa10$c2f8fe30$@com> Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings Alec,

 : My TCP clients connect to box A. I need to forward those
 : connections to a server on box B, such that the original client
 : IPs are visible to the server on B.
 :
 : Each box has two Ethernet ports. One port on each box is
 : connected to WAN, and they are cross-connected in a LAN via
 : remaining ports:
 :
 :        -------------------         -------------------
 : WAN -- |eth0  Box A  eth1|---LAN---|eth1  Box B  eth0| -- WAN
 :        -------------------         -------------------
 :
 :
 : Is there a way to do this with iproute2 and iptables tools ONLY?
 : Can you provide an example? Nothing in Google after more than a
 : week of searching. An additional requirement is to reduce the
 : load on box A as much as possible (I guess the server on B would
 : still have to reply to the client via A, not using B's own WAN
 : interface however..)

You need to provide us a bit more information to help you figure out the right way to solve this problem. Why is DNAT not sufficient? Given your description, you should simply be able to:

  iptables -t nat -i eth0 [...] -j DNAT --to-destination $BOX_B_ETH1

If it were that simple, though, you shouldn't have spent a week looking for the answer.

Do you have a TCP service on Box A which is providing services to the client across the WAN? If so, then you are looking for something called transparent proxying in the Linux networking world. You will want to examine the tproxy patches to iptables [0].

If you go with the transparent proxying method, it's helpful to remember:

  * the client thinks it's connected to Box A
  * Box A knows it's connected to the client
  * Box A uses client's source address to initiate traffic to Box B
  * Box B thinks it's connected to client

In either case, you are correct about routing. Box B must send its traffic back to Box A to forward back across the LAN.

Good luck,

- -Martin

[0] http://www.balabit.com/products/oss/tproxy/
    http://www.balabit.com/downloads/tproxy/linux-2.4/

- --
Martin A. Brown
http://linux-ip.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: pgf-0.72 (http://linux-ip.net/sw/pine-gpg-filter/)

iD8DBQFF74/JHEoZD1iZ+YcRAlRaAJ4wf2fIc3oBJnGstjUBdpKWn1wOsQCbB2Ee
5Q7zrssGkA02Pq+298i9tEA=
=O3sf
-----END PGP SIGNATURE-----

From alecm at chatango.com Thu Mar 8 05:46:07 2007
From: alecm at chatango.com (Alec Matusis) Date: Thu Mar 8 05:46:56 2007 Subject: [LARTC] routing TCP to another box preserving ORIGINAL client IPs In-Reply-To: References: <004301c76137$40fdaa10$c2f8fe30$@com> Message-ID: <004401c7613c$b036ec70$10a4c550$@com>

Hello Martin,

I tried implementing DNAT as you indicated:

iptables -t nat -i eth0 [...] -j DNAT --to-destination $BOX_B_ETH1

After that, I can see SYN packets arriving on BOX_B_ETH1, having the original client's IP. Only half of the connection gets established after this: I cannot see ACK packets from box B anywhere (neither on BOX_B_ETH0, nor on BOX_A_ETH0). I think the reason is that since box A never sends a SYN packet itself, it never classifies the connection as ESTABLISHED, so all further traffic gets rejected. It's still a mystery to me what happens to SYN packets from B in this scenario however.

It turns out that I have to supplement DNAT with SNAT for this to work correctly. On box A:

iptables -t nat -i eth0 -p tcp -m tcp --dport $SERVER_PORT -j DNAT --to-destination $BOX_B_ETH1
iptables -t nat -A POSTROUTING -d $BOX_B_ETH1 -p tcp -m tcp --dport $SERVER_PORT -j SNAT --to-source $BOX_A_ETH1

In this case, the clients can connect, however the server on B sees only the IP of BOX_A_ETH1, not the original client IPs.

Regarding tproxy:
I am currently running the TCP server on box A. I would like to move it to box B to reduce the load on A. Other services on A are bound to the same IP address as the server that I need to move, so simply moving that IP address to BOX_B_ETH0 is impossible.
Box A has 2.6.11 kernel. Does tproxy install over netfilter? I am sort of scared to tamper with the netfilter installation on A, since it is currently running live services.

Is it possible to implement this scenario:
 * the client thinks it's connected to Box A
 * Box A knows it's connected to the client
 * Box A uses client's source address to initiate traffic to Box B
 * Box B thinks it's connected to client
with advanced routing and iptables only?

Thanks

Alec.

-----Original Message-----
From: Martin A. Brown [mailto:martin@linux-ip.net]
Sent: Wednesday, March 07, 2007 8:24 PM
To: Alec Matusis
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] routing TCP to another box preserving ORIGINAL client IPs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings Alec,

 : My TCP clients connect to box A. I need to forward those
 : connections to a server on box B, such that the original client
 : IPs are visible to the server on B.
 :
 : Each box has two Ethernet ports. One port on each box is
 : connected to WAN, and they are cross-connected in a LAN via
 : remaining ports:
 :
 :        -------------------         -------------------
 : WAN -- |eth0  Box A  eth1|---LAN---|eth1  Box B  eth0| -- WAN
 :        -------------------         -------------------
 :
 :
 : Is there a way to do this with iproute2 and iptables tools ONLY?
 : Can you provide an example? Nothing in Google after more than a
 : week of searching. An additional requirement is to reduce the
 : load on box A as much as possible (I guess the server on B would
 : still have to reply to the client via A, not using B's own WAN
 : interface however..)

You need to provide us a bit more information to help you figure out the right way to solve this problem. Why is DNAT not sufficient? Given your description, you should simply be able to:

  iptables -t nat -i eth0 [...] -j DNAT --to-destination $BOX_B_ETH1

If it were that simple, though, you shouldn't have spent a week looking for the answer.

Do you have a TCP service on Box A which is providing services to the client across the WAN? If so, then you are looking for something called transparent proxying in the Linux networking world. You will want to examine the tproxy patches to iptables [0].

If you go with the transparent proxying method, it's helpful to remember:

  * the client thinks it's connected to Box A
  * Box A knows it's connected to the client
  * Box A uses client's source address to initiate traffic to Box B
  * Box B thinks it's connected to client

In either case, you are correct about routing.
Box B must send its traffic back to Box A to forward back across the LAN.

Good luck,

- -Martin

[0] http://www.balabit.com/products/oss/tproxy/
    http://www.balabit.com/downloads/tproxy/linux-2.4/

- --
Martin A. Brown
http://linux-ip.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: pgf-0.72 (http://linux-ip.net/sw/pine-gpg-filter/)

iD8DBQFF74/JHEoZD1iZ+YcRAlRaAJ4wf2fIc3oBJnGstjUBdpKWn1wOsQCbB2Ee
5Q7zrssGkA02Pq+298i9tEA=
=O3sf
-----END PGP SIGNATURE-----

From simone84bo at email.it Thu Mar 8 11:29:42 2007
From: simone84bo at email.it (Simone84bo) Date: Thu Mar 8 11:30:13 2007 Subject: [LARTC] Why i would have to use IMQ on postrouting? Message-ID:

Hi all,
I manage some interfaces in output. I know that I can send packets to a single interface using routing tables. I use IMQ to shape ingress traffic, but why would I have to use IMQ on postrouting? When does IMQ on egress give me advantages, and what are those advantages?

Thanks
Bye
Simone

From linux at arcoscom.com Thu Mar 8 12:17:09 2007
From: linux at arcoscom.com (ArcosCom Linux User) Date: Thu Mar 8 12:09:07 2007 Subject: [LARTC] Why i would have to use IMQ on postrouting? In-Reply-To: References: Message-ID: <48438.195.55.244.106.1173352629.squirrel@www.arcoscom.com>

IMQ has the advantage that you can filter the packets you need to control the traffic using iptables, and the packets pass through the conntrack layer too (if you use the "state" module).

For example, you need to classify traffic from/to clients and by type too; you can do it with a single interface with tc and complex filters/classes/qdiscs, but with IMQ you can do the traffic classification on the interface and the per-client traffic on an IMQ interface.

Another example: you have many interfaces that communicate with many LANs and you want to use the same classification for all of them; then use only one IMQ interface and redirect the outgoing/incoming traffic to/from those interfaces to it using the IMQ target.

Those are two examples; many users have more real applications of IMQ, perhaps they want to tell us.

Regards

On Thu, 8 March 2007, 11:29, Simone84bo wrote:
> Hi all,
> I manage some interfaces in output.
> I know that I can send packets to a single interface using routing tables.
> I use IMQ to shape ingress traffic but why would I have to use IMQ on postrouting?
> When does IMQ on egress give me advantages, and what are those advantages?
>
> Thanks
> Bye
> Simone
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

From chrisp at tangent.co.za Thu Mar 8 17:48:39 2007
From: chrisp at tangent.co.za (Chris Picton) Date: Thu Mar 8 17:51:08 2007 Subject: [LARTC] DGD of upstream routers Message-ID: <45F03E67.6040604@tangent.co.za>

Hi

I have read various info, and mailing list archives, but have not found an answer to the following.

I have a few servers with configurations similar to the following: They each have multiple uplinks to the Internet, and a sample config is as follows:

eth1 is 192.168.0.1, connected to 192.168.0.2
eth2 is 192.168.1.1, connected to 192.168.1.2

My default route looks like:

ip route add scope global equalize nexthop via 192.168.0.2 dev eth1 \
    weight 1 nexthop via 192.168.1.2 dev eth2 weight 1

If one line goes down, I would like the second to be used exclusively until the first comes back up. However, the IPs 192.168.0.2 and 192.168.1.2 are always available and reachable. It is the connection past those devices which may drop.

Do any of the available options or patches take this into account, or do I have to write custom ping scripts to try to reach remote hosts via each gateway, and modify the routes if a line appears to be down?

From alecm at chatango.com Fri Mar 9 01:05:14 2007
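An added example for the "DGD of upstream routers" question above; it is not code from the post or from any LARTC patch. It implements the fallback Chris describes: probe a host that lies beyond each ISP through that ISP's gateway, and rewrite the equalize/multipath default route so it contains only the uplinks whose probes succeed. The two gateways and interfaces are Chris's; the probe hosts, the hysteresis thresholds, the interval and the `--apply` flag are assumptions.

```python
"""Dead gateway detection for a multipath default route.

Added example for the "DGD of upstream routers" question; not code from the
original post.  Each uplink is probed through its own gateway (a /32 route
pins the probe to that line), a per-gateway streak counter keeps one lost ping
from flapping the route, and the default route is rebuilt from the uplinks
currently considered alive.  Probe hosts, thresholds and interval are
assumptions; commands are printed, and only executed with --apply.
"""
import subprocess
import sys
import time
from typing import Callable, Dict, List, Optional, Sequence, Tuple

Gateway = Tuple[str, str, str]          # (gateway, device, probe host beyond it)
Runner = Callable[[Sequence[str]], int]  # argv -> exit status (subprocess.call)

GATEWAYS: List[Gateway] = [
    ("192.168.0.2", "eth1", "192.0.2.1"),     # probe host is an assumption (e.g. ISP-1's DNS)
    ("192.168.1.2", "eth2", "198.51.100.1"),  # probe host is an assumption (e.g. ISP-2's DNS)
]
DOWN_AFTER = 3   # consecutive failed probes before an uplink is removed
UP_AFTER = 2     # consecutive good probes before it is put back
INTERVAL = 10    # seconds between probe rounds


def probe(gw: str, dev: str, host: str, run: Runner = subprocess.call) -> bool:
    """Pin a host route to HOST through GW, then ping it.  Without the pinned
    route the multipath default could send the probe out the other uplink and
    the result would say nothing about GW's line."""
    run(["ip", "route", "replace", host, "via", gw, "dev", dev])
    return run(["ping", "-c", "3", "-W", "2", "-q", host]) == 0


class GatewayState:
    """Hysteresis for one gateway: flip only after a streak of contrary probes."""

    def __init__(self) -> None:
        self.up = True
        self.streak = 0  # consecutive probe results disagreeing with self.up

    def update(self, ok: bool) -> bool:
        if ok == self.up:
            self.streak = 0
        else:
            self.streak += 1
            if self.streak >= (DOWN_AFTER if self.up else UP_AFTER):
                self.up, self.streak = ok, 0
        return self.up


def default_route_cmd(gateways: Sequence[Gateway], alive: Dict[str, bool],
                      equalize: bool = True) -> Optional[str]:
    """'ip route replace default ...' for the live uplinks, multipath when more
    than one is up; None when none is up (keep the last route rather than
    deleting it, so the box stays reachable for debugging)."""
    live = [(gw, dev) for gw, dev, _ in gateways if alive.get(gw)]
    if not live:
        return None
    if len(live) == 1:
        gw, dev = live[0]
        return f"ip route replace default via {gw} dev {dev}"
    hops = " ".join(f"nexthop via {gw} dev {dev} weight 1" for gw, dev in live)
    return f"ip route replace default scope global {'equalize ' if equalize else ''}{hops}"


def monitor_once(gateways: Sequence[Gateway], states: Dict[str, GatewayState],
                 run: Runner = subprocess.call) -> Optional[str]:
    """One probe round; returns the route command that should now be in effect."""
    alive = {}
    for gw, dev, host in gateways:
        state = states.setdefault(gw, GatewayState())
        alive[gw] = state.update(probe(gw, dev, host, run))
    return default_route_cmd(gateways, alive)


def scripted_run(dead_hosts: Sequence[str]) -> Runner:
    """Runner for dry runs: pings to DEAD_HOSTS fail, every other command succeeds."""
    def run(argv: Sequence[str]) -> int:
        return 1 if argv[0] == "ping" and argv[-1] in dead_hosts else 0
    return run


if __name__ == "__main__":
    apply_changes = "--apply" in sys.argv
    states: Dict[str, GatewayState] = {}
    current = None
    while True:
        cmd = monitor_once(GATEWAYS, states)
        if cmd and cmd != current:
            print(cmd)
            if apply_changes:
                subprocess.call(cmd.split())
            current = cmd
        time.sleep(INTERVAL)
```

Run without `--apply` first and watch what it would do across a few probe rounds. The pinned /32 routes stay in the table, which is intended: they are what keeps each probe on its own uplink. DOWN_AFTER and UP_AFTER are deliberately asymmetric so a flapping line is removed quickly and restored only after it has stayed up for a while.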
From: alecm at chatango.com (Alec Matusis) Date: Fri Mar 9 01:06:10 2007 Subject: [LARTC] routing TCP to another box preserving ORIGINAL client IPs In-Reply-To: <5c6851530703080912p2aace69p5cfbce9cdfde2740@mail.gmail.com> References: <004301c76137$40fdaa10$c2f8fe30$@com> <004401c7613c$b036ec70$10a4c550$@com> <5c6851530703080912p2aace69p5cfbce9cdfde2740@mail.gmail.com> Message-ID: <013b01c761de$9d8a9ed0$d89fdc70$@com> I have not considered bridge and ebtables yet. I assume I'd have to implement this in the "routing" box A. Is ebtables CPU-intensive? The goal of setting up this forwarding is to reduce the load on the router box A. Also, is it very surprising that there is no way to build a transparent proxy/router with standard iproute2 and iptables tools ONLY? It would seem that transparent forwarding of TCP connections to another machine is a very common task. 
From: Robb Bossley [mailto:robb.bossley@gmail.com]
Sent: Thursday, March 08, 2007 9:13 AM
To: Alec Matusis
Subject: Re: [LARTC] routing TCP to another box preserving ORIGINAL client IPs

Have you considered putting a bridge in and using ebtables? That might be what you are looking for.

On 3/7/07, Alec Matusis < alecm at chatango.com> wrote:
Hello Martin,

I tried implementing DNAT as you indicated:

iptables -t nat -i eth0 [...] -j DNAT --to-destination $BOX_B_ETH1

After that, I can see SYN packets arriving on BOX_B_ETH1, having the original client's IP. Only half of the connection gets established after this: I cannot see ACK packets from box B anywhere (neither on BOX_B_ETH0, nor on BOX_A_ETH0). I think the reason is that since box A never sends a SYN packet itself, it never classifies the connection as ESTABLISHED, so all further traffic gets rejected. It's still a mystery to me what happens to SYN packets from B in this scenario however.

It turns out that I have to supplement DNAT with SNAT for this to work correctly.
On box A:
iptables -t nat -i eth0 -p tcp -m tcp --dport $SERVER_PORT -j DNAT --to-destination $BOX_B_ETH1
iptables -t nat -A POSTROUTING -d $BOX_B_ETH1 -p tcp -m tcp --dport $SERVER_PORT -j SNAT --to-source $BOX_A_ETH1

In this case, the clients can connect, however the server on B sees only the IP of BOX_A_ETH1, not the original client IPs.

Regarding tproxy:
I am currently running the TCP server on box A. I would like to move it to box B to reduce the load on A. Other services on A are bound to the same IP address as the server that I need to move, so simply moving that IP address to BOX_B_ETH0 is impossible.
Box A has 2.6.11 kernel. Does tproxy install over netfilter? I am sort of scared to tamper with the netfilter installation on A, since it is currently running live services.

Is it possible to implement this scenario:
 * the client thinks it's connected to Box A
 * Box A knows it's connected to the client
 * Box A uses client's source address to initiate traffic to Box B
 * Box B thinks it's connected to client
with advanced routing and iptables only?

Thanks

Alec.

-----Original Message-----
From: Martin A. Brown [mailto:martin@linux-ip.net]
Sent: Wednesday, March 07, 2007 8:24 PM
To: Alec Matusis
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] routing TCP to another box preserving ORIGINAL client IPs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings Alec,

 : My TCP clients connect to box A. I need to forward those
 : connections to a server on box B, such that the original client
 : IPs are visible to the server on B.
 :
 : Each box has two Ethernet ports. One port on each box is
 : connected to WAN, and they are cross-connected in a LAN via
 : remaining ports:
 :
 :        -------------------         -------------------
 : WAN -- |eth0  Box A  eth1|---LAN---|eth1  Box B  eth0| -- WAN
 :        -------------------         -------------------
 :
 :
 : Is there a way to do this with iproute2 and iptables tools ONLY?
 : Can you provide an example? Nothing in Google after more than a
 : week of searching. An additional requirement is to reduce the
 : load on box A as much as possible (I guess the server on B would
 : still have to reply to the client via A, not using B's own WAN
 : interface however..)

You need to provide us a bit more information to help you figure out the right way to solve this problem. Why is DNAT not sufficient? Given your description, you should simply be able to:

  iptables -t nat -i eth0 [...] -j DNAT --to-destination $BOX_B_ETH1

If it were that simple, though, you shouldn't have spent a week looking for the answer.

Do you have a TCP service on Box A which is providing services to the client across the WAN? If so, then you are looking for something called transparent proxying in the Linux networking world. You will want to examine the tproxy patches to iptables [0].

If you go with the transparent proxying method, it's helpful to remember:

  * the client thinks it's connected to Box A
  * Box A knows it's connected to the client
  * Box A uses client's source address to initiate traffic to Box B
  * Box B thinks it's connected to client

In either case, you are correct about routing. Box B must send its traffic back to Box A to forward back across the LAN.

Good luck,

- -Martin

[0] http://www.balabit.com/products/oss/tproxy/
    http://www.balabit.com/downloads/tproxy/linux-2.4/

- --
Martin A. Brown
http://linux-ip.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: pgf-0.72 (http://linux-ip.net/sw/pine-gpg-filter/)

iD8DBQFF74/JHEoZD1iZ+YcRAlRaAJ4wf2fIc3oBJnGstjUBdpKWn1wOsQCbB2Ee
5Q7zrssGkA02Pq+298i9tEA=
=O3sf
-----END PGP SIGNATURE-----

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From linux at arcoscom.com Fri Mar 9 01:48:30 2007
From: linux at arcoscom.com (ArcosCom Linux User) Date: Fri Mar 9 01:40:21 2007 Subject: [LARTC] routing TCP to another box preserving ORIGINAL client IPs In-Reply-To: <013b01c761de$9d8a9ed0$d89fdc70$@com> References: <004301c76137$40fdaa10$c2f8fe30$@com> <004401c7613c$b036ec70$10a4c550$@com> <5c6851530703080912p2aace69p5cfbce9cdfde2740@mail.gmail.com> <013b01c761de$9d8a9ed0$d89fdc70$@com> Message-ID: <39498.84.123.233.184.1173401310.squirrel@www.arcoscom.com>

Are you sure? Take a look into:
http://tldp.org/HOWTO/TransparentProxy-6.html

Regards

On Fri, 9 March 2007, 1:05, Alec Matusis wrote:
> I have not considered bridge and ebtables yet. I assume I'd have to implement this in the "routing" box A. Is ebtables CPU-intensive? The goal of setting up this forwarding is to reduce the load on the router box A.
>
> Also, is it very surprising that there is no way to build a transparent proxy/router with standard iproute2 and iptables tools ONLY? It would seem that transparent forwarding of TCP connections to another machine is a very common task.
>
>
> From: Robb Bossley [mailto:robb.bossley@gmail.com]
> Sent: Thursday, March 08, 2007 9:13 AM
> To: Alec Matusis
> Subject: Re: [LARTC] routing TCP to another box preserving ORIGINAL client IPs
>
> Have you considered putting a bridge in and using ebtables? That might be what you are looking for.
>
>
> On 3/7/07, Alec Matusis < alecm at chatango.com> wrote:
> Hello Martin,
>
> I tried implementing DNAT as you indicated:
>
> iptables -t nat -i eth0 [...] -j DNAT --to-destination $BOX_B_ETH1
>
> After that, I can see SYN packets arriving on BOX_B_ETH1, having the original client's IP. Only half of the connection gets established after this: I cannot see ACK packets from box B anywhere (neither on BOX_B_ETH0, nor on BOX_A_ETH0). I think the reason is that since box A never sends a SYN packet itself, it never classifies the connection as ESTABLISHED, so all further traffic gets rejected. It's still a mystery to me what happens to SYN packets from B in this scenario however.
>
> It turns out that I have to supplement DNAT with SNAT for this to work correctly.
> On box A:
> iptables -t nat -i eth0 -p tcp -m tcp --dport $SERVER_PORT -j DNAT --to-destination $BOX_B_ETH1
> iptables -t nat -A POSTROUTING -d $BOX_B_ETH1 -p tcp -m tcp --dport $SERVER_PORT -j SNAT --to-source $BOX_A_ETH1
>
> In this case, the clients can connect, however the server on B sees only the IP of BOX_A_ETH1, not the original client IPs.
>
> Regarding tproxy:
> I am currently running the TCP server on box A. I would like to move it to box B to reduce the load on A. Other services on A are bound to the same IP address as the server that I need to move, so simply moving that IP address to BOX_B_ETH0 is impossible.
> Box A has 2.6.11 kernel. Does tproxy install over netfilter? I am sort of scared to tamper with the netfilter installation on A, since it is currently running live services.
>
> Is it possible to implement this scenario:
> * the client thinks it's connected to Box A
> * Box A knows it's connected to the client
> * Box A uses client's source address to initiate traffic to Box B
> * Box B thinks it's connected to client
> with advanced routing and iptables only?
>
> Thanks
>
> Alec.
>
>
>
> -----Original Message-----
> From: Martin A. Brown [mailto:martin@linux-ip.net] > Sent: Wednesday, March 07, 2007 8:24 PM > To: Alec Matusis > Cc: lartc@mailman.ds9a.nl > Subject: Re: [LARTC] routing TCP to another box preserving ORIGINAL client > IPs > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Greetings Alec, > > : My TCP clients connect to box A. I need to forward those > : connections to a server on box B, such that the original client > : IPs are visible to the server on B. > : > : Each box has two Ethernet ports. One port on each box is > : connected to WAN, and they are cross-connected in a LAN via > : remaining ports: > : > : ------------------- ------------------- > : WAN -- |eth0 Box A eth1|---LAN---|eth1 Box B eth0| -- WAN > : ------------------- ------------------- > : > : > : Is there a way to do this with iproute2 and iptables tools ONLY? > : Can you provide an example? Nothing in Google after more than a > : week of searching. An additional requirement is to reduce the > : load on box A as much as possible (I guess the server on B would > : still have to reply to the client via A, not using B's own WAN > : interface however..) > > You need to provide us a bit more information to help you figure out > the right way to solve this problem. Why is DNAT not sufficient? > Given your description, you should simply be able to: > > iptables -t nat -i eth0 [...] -j DNAT --to-destination $BOX_B_ETH1 > > If it were that simple, though, you shouldn't have spent a week > looking for the answer. > > Do you have a TCP service on Box A which is providing services to > the client across the WAN? If so, then you are looking for > something called transparent proxying in the Linux networking world. > You will want to examine the tproxy patches to iptables [0]. 
> > If you go with the transparent proxying method, it's helpful to > remember: > > * the client thinks it's connected to Box A > * Box A knows its connected to the client > * Box A uses client's source address to initiate traffic to Box B > * Box B thinks it's connected to client > > In either case, you are correct about routing. Box B must send its > traffic back to Box A to forward back across the LAN. > > Good luck, > > - -Martin > > [0] http://www.balabit.com/products/oss/tproxy/ > http://www.balabit.com/downloads/tproxy/linux-2.4/ > > - -- > Martin A. Brown > http://linux-ip.net/ > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.2 (GNU/Linux) > Comment: pgf-0.72 ( http://linux-ip.net/sw/pine-gpg-filter/) > > iD8DBQFF74/JHEoZD1iZ+YcRAlRaAJ4wf2fIc3oBJnGstjUBdpKWn1wOsQCbB2Ee > 5Q7zrssGkA02Pq+298i9tEA= > =O3sf > -----END PGP SIGNATURE----- > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > From alecm at chatango.com Fri Mar 9 04:13:12 2007 
From: alecm at chatango.com (Alec Matusis) Date: Fri Mar 9 04:13:58 2007 Subject: [LARTC] routing TCP to another box preserving ORIGINAL client IPs In-Reply-To: <39498.84.123.233.184.1173401310.squirrel@www.arcoscom.com> References: <004301c76137$40fdaa10$c2f8fe30$@com> <004401c7613c$b036ec70$10a4c550$@com> <5c6851530703080912p2aace69p5cfbce9cdfde2740@mail.gmail.com> <013b01c761de$9d8a9ed0$d89fdc70$@com> <39498.84.123.233.184.1173401310.squirrel@www.arcoscom.com> Message-ID: <017701c761f8$df6aa380$9e3fea80$@com>

I tried method 2 multiple times for 2 weeks, and it does not work. Perhaps someone can tell me what the problem is? Maybe I am missing some kernel option? How do I check that?

Router box A (WAN IP x.x.x.83 on eth0):

# iptables -t mangle -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       tcp  --  0.0.0.0/0            x.x.x.83             tcp dpt:5224 MARK set 0x3

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

# iptables -t filter -L -n
Chain INPUT (policy ACCEPT)
...

# ip ru l
0:      from all lookup local
32765:  from all fwmark 0x3 lookup 2
32766:  from all lookup main
32767:  from all lookup default

# ip ro l t 2
default via 10.18.1.1 dev eth1

# cat /proc/sys/net/ipv4/ip_forward
1

Checking a few things from A:

# telnet 10.18.1.1 5224
Trying 10.18.1.1...
Connected to 10.18.1.1 (10.18.1.1).
Escape character is '^]'.

--success. It means that box B is ready to accept connections on 5224 via LAN (its INPUT chain's policy in filter is ACCEPT for simplicity).

From an outside client:

Outside client /> telnet x.x.x.83 5224
Trying x.x.x.83 ...
telnet: connect to address x.x.x.83: Connection refused

This suggests that the problem lies within box A.

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of ArcosCom Linux User Sent: Thursday, March 08, 2007 4:49 PM To: lartc@mailman.ds9a.nl Subject: RE: [LARTC] routing TCP to another box preserving ORIGINAL client IPs

Are you sure? Take a look into: http://tldp.org/HOWTO/TransparentProxy-6.html

Regards

On Fri, 9 March 2007, 1:05, Alec Matusis wrote:
> I have not considered bridge and ebtables yet. I assume I'd have to
> implement this in the "routing" box A. Is ebtables CPU-intensive? The goal
> of setting up this forwarding is to reduce the load on the router box A.
>
> Also, is it very surprising that there is no way to build a transparent
> proxy/router with standard iproute2 and iptables tools ONLY? It would seem
> that transparent forwarding of TCP connections to another machine is a
> very common task.
[ earlier messages quoted in full, snipped ]
From rangi at ngen.net.nz Fri Mar 9 05:31:47 2007
From: rangi at ngen.net.nz (Rangi Biddle) Date: Fri Mar 9 05:32:14 2007 Subject: [LARTC] routing TCP to another box preserving ORIGINAL client IPs In-Reply-To: <017701c761f8$df6aa380$9e3fea80$@com> References: <004301c76137$40fdaa10$c2f8fe30$@com> <004401c7613c$b036ec70$10a4c550$@com> <5c6851530703080912p2aace69p5cfbce9cdfde2740@mail.gmail.com> <013b01c761de$9d8a9ed0$d89fdc70$@com> <39498.84.123.233.184.1173401310.squirrel@www.arcoscom.com> <017701c761f8$df6aa380$9e3fea80$@com> Message-ID: <004801c76203$dc1535f0$943fa1d0$@net.nz>

Hi Alec,

Perhaps another test to see if it is really working is to connect to the public address (x.x.x.83) from box A.

The other thing perhaps you might want to check is if there is a firewall running in between that is blocking 5224.

-----Original Message-----
[ earlier messages quoted in full, snipped ]
From alecm at chatango.com Fri Mar 9 05:38:43 2007
From: alecm at chatango.com (Alec Matusis) Date: Fri Mar 9 05:39:37 2007 Subject: [LARTC] routing TCP to another box preserving ORIGINAL client IPs In-Reply-To: <004801c76203$dc1535f0$943fa1d0$@net.nz> References: <004301c76137$40fdaa10$c2f8fe30$@com> <004401c7613c$b036ec70$10a4c550$@com> <5c6851530703080912p2aace69p5cfbce9cdfde2740@mail.gmail.com> <013b01c761de$9d8a9ed0$d89fdc70$@com> <39498.84.123.233.184.1173401310.squirrel@www.arcoscom.com> <017701c761f8$df6aa380$9e3fea80$@com> <004801c76203$dc1535f0$943fa1d0$@net.nz> Message-ID: <019c01c76204$d26e3e60$774abb20$@com>

Hi Rangi:

The connection to the public IP x.x.x.83 of box A from box A itself fails as well, just like from a remote client. On A, in table filter, both INPUT and FORWARD policies are ACCEPT.

I start suspecting that some options (e.g. IP advanced router) are not compiled into the kernel (2.6.11), but I do not know how to check that?

-----Original Message-----
[ Rangi Biddle's reply above, quoted in full, snipped ]
[ remainder of the quoted thread snipped ]
From martin at linux-ip.net Fri Mar 9 05:39:39 2007
From: martin at linux-ip.net (Martin A. Brown) Date: Fri Mar 9 05:40:02 2007 Subject: [LARTC] routing TCP to another box preserving ORIGINAL client IPs In-Reply-To: <004401c7613c$b036ec70$10a4c550$@com> References: <004301c76137$40fdaa10$c2f8fe30$@com> <004401c7613c$b036ec70$10a4c550$@com> Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alec,

: I tried implementing DNAT as you indicated:
:
: iptables -t nat -i eth0 [...] -j DNAT --to-destination $BOX_B_ETH1
:
: After that, I can see SYN packets arriving on BOX_B_ETH1, having
: the original client's IP.

OK, that means DNAT + routing on your BOX_A is working correctly.

: Only half of the connection gets established after this: I cannot
: see ACK packets from box B anywhere (neither on BOX_B_ETH0, nor
: on BOX_A_ETH0).

This is where your problem lies now. You need to find out why the SYN (which you said was transmitted to BOX_B_ETH1) is not getting accepted by this IP stack.

* reverse path filtering (net.ipv4.conf.*.rp_filter)
* packet filtering rules on BOX_B?

: I think the reason is that since box A never sends a SYN packet
: itself, it never classifies the connection as ESTABLISHED, so all
: further traffic gets rejected. It's still a mystery to me what
: happens to SYN packets from be in this scenario however.

BOX_A will never have a socket in ESTABLISHED state. BOX_A will have a state entry in the /proc/net/ip_conntrack table. Examine /proc/net/ip_conntrack after sending a SYN to BOX_B.

: It turns out that I have to supplement DNAT with SNAT for this to work
: correctly.
: On box A:
: iptables -t nat -i eth0 -p tcp -m tcp --dport $SERVER_PORT -j DNAT
: --to-destination $BOX_B_ETH1
: iptables -t nat -A POSTROUTING -d $BOX_B_ETH1 -p tcp -m tcp --dport
: $SERVER_PORT -j SNAT --to-source $BOX_A_ETH1

If this works, then I think your problem may be reverse path filtering.

: in this case, the clients can connect, however the server on B
: sees only IP of BOX_A_ETH1, not the original client IPs.
[ tproxy recommendation snipped ]

- -Martin

- --
Martin A. Brown
http://linux-ip.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: pgf-0.72 (http://linux-ip.net/sw/pine-gpg-filter/)

iD8DBQFF8OURHEoZD1iZ+YcRAoenAJ9XCZyMf4K7TVCTs28bzIGeu3EEewCg07Cw
Spk8a+T/th+ESyPN4hSTjYs=
=k+5E
-----END PGP SIGNATURE-----
From alecm at chatango.com Fri Mar 9 09:16:05 2007
From: alecm at chatango.com (Alec Matusis) Date: Fri Mar 9 09:17:09 2007 Subject: [LARTC] routing TCP to another box preserving ORIGINAL client IPs In-Reply-To: References: <004301c76137$40fdaa10$c2f8fe30$@com> <004401c7613c$b036ec70$10a4c550$@com> Message-ID: <01c401c76223$2f90e1b0$8eb2a510$@com>

Thanks Martin.

My rp_filter was disabled on server box B:

# cat /proc/sys/net/ipv4/conf/all/rp_filter
0

I got it to work however, along the lines you were suggesting, like this:

On Box A:

iptables -t nat -i eth0 [...] -j DNAT --to-destination $BOX_B_ETH1

On box B, I finally found ACK packets. I do not know why I could not see them before. It turns out that box B was trying to route ACKs via its WAN interface eth0 directly to the client, in some sort of asymmetric router fashion. This did not work. So on B, I routed ACKs back to A:

# ip rule add from $BOX_B_ETH1 lookup 3
# ip route add default via $BOX_A_ETH1 table 3

Now it works, with DNAT on A and without anything else.

I have 1 small follow-up question:

1) when I add custom rules like

# ip rule add from $BOX_B_ETH1 lookup 3

it does not take effect for at least 1 minute, perhaps 2-3. Why is that? This is confusing, since it makes one think that the rule does not work, while in reality it just has not taken effect.

Thanks a lot for your help,
Alec.
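Alec's two attempts in this thread, the fwmark/policy-routing setup from his 04:13 message and the DNAT + return-route setup he reports working here, pulled together into one script as an added example; it is not code from the thread or from any of its authors. The fwmark version cannot work for packets addressed to x.x.x.83: that address belongs to box A itself, so rule 0 (`from all lookup local`) claims the packet before the fwmark rule at priority 32765 is ever consulted, the packet is delivered to A's own stack, and with nothing listening on 5224 A answers with a RST, which is the `Connection refused` the outside client saw. The HOWTO's fwmark recipe works there because the marked traffic is bound for other hosts. DNAT in PREROUTING rewrites the destination before the routing decision, so the packet is forwarded instead, and Box B's source-based rule sends the replies back through A, where conntrack maps them to x.x.x.83 again. Assumptions not in the thread: Box A's LAN address 10.18.1.2, the interface names from the ASCII diagram, and the three /proc/net/ip_conntrack lines, which are constructed to exercise the classifier that Martin's "examine ip_conntrack" advice calls for. Run it with `a` on Box A, `b` on Box B and `check` on Box A while a client connects; DRY_RUN=1 prints the commands instead of executing them.

```sh
#!/bin/sh
# Added example for the LARTC thread above; not code from the thread itself.
# Box A (router, public x.x.x.83 on eth0, LAN on eth1) DNATs client SYNs for
# the service port to Box B's LAN address; Box B sends everything sourced from
# that address back through A so A's conntrack can undo the DNAT on replies.
# Assumptions (not in the thread): BOX_A_ETH1=10.18.1.2, interface names from
# the diagram, table 3 from Alec's last message.
set -eu

BOX_A_WAN=${BOX_A_WAN:-x.x.x.83}      # masked in the thread; set the real IP
BOX_A_ETH1=${BOX_A_ETH1:-10.18.1.2}   # assumed
BOX_B_ETH1=${BOX_B_ETH1:-10.18.1.1}   # from Alec's telnet test
SERVER_PORT=${SERVER_PORT:-5224}
RETURN_TABLE=${RETURN_TABLE:-3}

# DRY_RUN=1 prints each command instead of running it (no root needed).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Box A. DNAT sits in PREROUTING, i.e. before the routing decision, which is
# why this works where the fwmark rule did not: by the time the packet is
# routed its destination is 10.18.1.1, not one of A's own addresses, so the
# local table no longer claims it.
box_a_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -i eth0 -d "$BOX_A_WAN" -p tcp --dport "$SERVER_PORT" \
        -j DNAT --to-destination "$BOX_B_ETH1"
    # Only matters once FORWARD's policy is no longer ACCEPT.
    run iptables -A FORWARD -i eth0 -o eth1 -d "$BOX_B_ETH1" -p tcp --dport "$SERVER_PORT" -j ACCEPT
    run iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Box B. The server answers from 10.18.1.1; those SYN-ACKs carry a private
# source and must not leave via B's own WAN port. Source-based rule: anything
# from 10.18.1.1 goes back to A, whatever the main table says.
box_b_rules() {
    run ip rule add from "$BOX_B_ETH1" lookup "$RETURN_TABLE"
    run ip route add default via "$BOX_A_ETH1" dev eth1 table "$RETURN_TABLE"
    # Usual precaution on 2.6 kernels so no stale cached route is reused.
    run ip route flush cache
}

# Classify one tcp line of /proc/net/ip_conntrack (nf_conntrack on newer
# kernels) for the forwarded service, the check Martin suggested on A.
# Prints: no-dnat   (reply tuple still comes from A itself: DNAT rule not hit)
#         unreplied (SYN went to B, nothing came back through A: check B's
#                    return route, rp_filter and filter rules on B)
#         ok        (B's replies are flowing back through A)
classify_conntrack() {
    line=$1
    rest=${line#* dst=}; orig_dst=${rest%% *}     # dst of the original tuple
    rest=${rest#* src=};  reply_src=${rest%% *}   # src of the reply tuple
    if [ "$orig_dst" = "$reply_src" ]; then
        printf 'no-dnat\n'
    else
        case "$line" in
            *'[UNREPLIED]'*) printf 'unreplied\n' ;;
            *)               printf 'ok\n' ;;
        esac
    fi
}

# Constructed sample lines (198.51.100.7 is a documentation address).
SAMPLE_NO_DNAT="tcp 6 119 SYN_SENT src=198.51.100.7 dst=x.x.x.83 sport=40001 dport=5224 src=x.x.x.83 dst=198.51.100.7 sport=5224 dport=40001 [UNREPLIED] use=1"
SAMPLE_UNREPLIED="tcp 6 119 SYN_SENT src=198.51.100.7 dst=x.x.x.83 sport=40001 dport=5224 src=10.18.1.1 dst=198.51.100.7 sport=5224 dport=40001 [UNREPLIED] use=1"
SAMPLE_OK="tcp 6 431999 ESTABLISHED src=198.51.100.7 dst=x.x.x.83 sport=40001 dport=5224 src=10.18.1.1 dst=198.51.100.7 sport=5224 dport=40001 [ASSURED] use=1"

case "${1:-}" in
    a) box_a_rules ;;
    b) box_b_rules ;;
    check)  # run on Box A while a client is connecting
        grep "^tcp .* dport=$SERVER_PORT " /proc/net/ip_conntrack |
        while IFS= read -r l; do printf '%-9s %s\n' "$(classify_conntrack "$l")" "$l"; done ;;
    *) ;;
esac
```

When testing, use a fresh client source port for every attempt: an earlier half-open attempt leaves a conntrack entry on A that keeps its stale state until it times out, and a retried connection that reuses the same tuple will be judged by that old entry rather than by the rules you just added.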
From: tore at linpro.no (Tore Anderson)
Date: Fri Mar 9 10:28:57 2007
Subject: [LARTC] Problems getting multipath routes to balance
In-Reply-To: <200703072206.07438.luciano@lugmen.org.ar>
References: <45E55F18.1000906@linpro.no> <200703072206.07438.luciano@lugmen.org.ar>
Message-ID: <45F128D9.1060702@linpro.no>

* Luciano Ruete
> Try a kernel without CONFIG_IP_ROUTE_MULTIPATH_CACHED

I did and it worked. Thanks. I primarily wanted caching but oh well...

> there are several threads on this topic in the archive, one as
> reference:
> http://archives.free.net.ph/message/20060618.150532.8a6cc07f.en.html

Looked but didn't find it of course... :-/

> If it solves the problem, maybe is time to contact the author of
> Multipath Cached and send some report.

I ended up asking on the netdev list, and got a reply there that cached ECMP is simply broken for forwarded packets. I submitted a patch to document it in the configuration screen, no idea if it will get merged though.

--
Tore Anderson
From: frederic at juliana-multimedia.com (Frédéric Massot)
Date: Fri Mar 9 16:22:03 2007
Subject: [LARTC] Mark on FTP passive traffic

Hi,

I use for a customer a Linux router/firewall with 1 internal interface connected to the LAN and 3 external interfaces connected to 3 different ISPs. I use a kernel 2.6.17 with a routes patch from Julian Anastasov.

I mark outgoing FTP traffic for the routing.

With the rules below I do not have a problem with active/normal FTP connecting to an FTP server. But passive FTP does not pass, because I do not know how to mark the related packets whose ports are negotiated in the FTP session.

I quote only the rules for the internal interface and one of the external interfaces. The rules are the same for the three external interfaces.

  # global rule for all traffic
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # FTP rule
  iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE1 -p tcp -s $INTERNAL_LAN --sport $UNPRIVPORTS --dport 21 -m state --state NEW -j ACCEPT
  iptables -A OUTPUT -o $EXTERNAL_INTERFACE1 -p tcp -s $EXTERNAL_IP1 --sport $UNPRIVPORTS --dport 21 -m state --state NEW -j ACCEPT

  # FTP mark
  iptables -t mangle -A FORWARD -o $EXTERNAL_INTERFACE1 -p tcp --dport 21 -j MARK --set-mark 0x21
  iptables -t mangle -A OUTPUT -o $EXTERNAL_INTERFACE1 -p tcp --dport 21 -j MARK --set-mark 0x21
  iptables -t mangle -A PREROUTING -i $INTERNAL_INTERFACE -p tcp --dport 21 -j MARK --set-mark 0x21

  iptables -t mangle -A FORWARD -o $EXTERNAL_INTERFACE1 -p tcp --dport 20 -j MARK --set-mark 0x21
  iptables -t mangle -A OUTPUT -o $EXTERNAL_INTERFACE1 -p tcp --dport 20 -j MARK --set-mark 0x21
  iptables -t mangle -A PREROUTING -i $INTERNAL_INTERFACE -p tcp --dport 20 -j MARK --set-mark 0x21

Do you know how I can mark the related packets of passive FTP?

Regards.
--
==============================================
| FRÉDÉRIC MASSOT                            |
| http://www.juliana-multimedia.com          |
| mailto:frederic@juliana-multimedia.com     |
===========================Debian=GNU/Linux===

From: martin at linux-ip.net (Martin A. Brown)
Date: Fri Mar 9 16:44:09 2007
Subject: [LARTC] routing TCP to another box preserving ORIGINAL client IPs
In-Reply-To: <01c401c76223$2f90e1b0$8eb2a510$@com>
References: <004301c76137$40fdaa10$c2f8fe30$@com> <004401c7613c$b036ec70$10a4c550$@com> <01c401c76223$2f90e1b0$8eb2a510$@com>

Hello,

: 1) when I add custom rules like
: #ip rule add from $BOX_B_ETH1 lookup 3
: it does not take effect for at least 1 minute, perhaps 2-3.
:
: Why is that?

It's quite simple. There is a routing cache. Recently used routes are stored here for faster access. If you would like to empty the routing cache, then you must make your changes to the routing tables and then empty the routing cache:

  ip route flush cache

Be very careful not to omit the word "cache". You will have a nice little surprise if you forget the word "cache".

: This is confusing, since it makes one think that the rule does
: not work, while in reality it just has not taken effect.

If you'd like to view the route cache:

  ip route show cache

Do you want to see a particular entry?

  ip route show cache 72.14.203.104

-Martin

--
Martin A. Brown
http://linux-ip.net/
From: martin at linux-ip.net (Martin A. Brown)
Date: Sat Mar 10 03:26:22 2007
Subject: [LARTC] Simple route 2nd look please
In-Reply-To: <45EEB132.5070302@netsyncro.com>
References: <45EEB132.5070302@netsyncro.com>

Greetings,

: I want B to route (temporarily) to both the .65 gw and eventually
: move to xxx.xxx.xxx.83 being the default gw, but I can't add that
: route..
:
: I'm missing something obvious, but if someone would take a 2nd look it
: would be appreciated. I also have requested to get access to the
: switch, but that's still waiting.

This is an L3 problem. After reading your description, I'm guessing that each of your servers has two physical connections to the same L2 (broadcast domain) and you have made modifications to the routing table (at least on Server B) before you tried to solve this problem below.

: Server B
: ip a s
: 1: eth0: mtu 1500 qdisc pfifo_fast qlen 100
:     link/ether 00:0b:db:91:84:53 brd ff:ff:ff:ff:ff:ff
:     inet xxx.xxx.xxx.87/26 brd xxx.xxx.xxx.127 scope global eth0
: 2: eth1: mtu 1500 qdisc pfifo_fast qlen 100
:     link/ether 00:0b:db:91:84:54 brd ff:ff:ff:ff:ff:ff
:     inet xxx.xxx.xxx.84/32 scope global eth1
:
: arping -I eth1 xxx.xxx.xxx.83
: ARPING xxx.xxx.xxx.83 from xxx.xxx.xxx.84 eth1
: Unicast reply from xxx.xxx.xxx.83 [00:00:25:C1:CC:C0] 0.956ms <-- Correct interface
: Unicast reply from xxx.xxx.xxx.83 [00:00:25:C1:CC:C1] 1.210ms <-- Incorrect
: Unicast reply from xxx.xxx.xxx.83 [00:00:25:C1:CC:C1] 0.712ms
: Unicast reply from xxx.xxx.xxx.83 [00:00:25:C1:CC:C1] 0.711ms

I call the above problem ARP flux [0]. It's an extraordinarily common problem when you have multiple connections to the same Ethernet.

: ip r s
: 127.0.0.0/8 dev lo scope link
: default via xxx.xxx.xxx.65 dev eth0

Unless you are running some weirdo networking startup scripts, you have made changes to the routing table or lost routes on this box since you brought up the interface on eth0. Note! The "ip address" output for eth0 shows that you have an L3 address of 207.135.120.87/26. This means you should have had a network route that looked like this:

  207.135.120.64/26 dev eth0 proto kernel scope link src 207.135.120.87

Since this route is missing on Server B, something has removed it.

: ip route add default via xxx.xxx.xxx.83 dev eth1 table T1
: RTNETLINK answers: Network is unreachable
: eris ~ # route add -net xxx.xxx.xxx.84/31 gw xxx.xxx.xxx.83
: SIOCADDRT: Network is unreachable

RTNETLINK is telling you that it has no way to reach 207.135.120.83. You can do two things:

  * restore the network route, 207.135.120.64/26:
    "ip route add 207.135.120.64/26 dev eth0 src 207.135.120.87"
  * create a host route to the L3 address you want to use as a next hop:
    "ip route add 207.135.120.83 dev eth0"

Good luck!

-Martin

[0] http://linux-ip.net/html/ether-arp.html#ether-arp-flux

(Sorry for the character encoding mismatch.)

--
Martin A. Brown
http://linux-ip.net/
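An added example (not code from the thread or from Martin) that performs Martin's diagnosis mechanically: it parses "ip address show" and "ip route show" output, derives the connected network route the kernel should have installed for each configured address, and reports the missing ones together with the two repair commands Martin lists. The sample output is constructed to mirror Server B, using the 207.135.120.x addresses Martin gives for it.

```python
"""Check that every non-/32 interface address has its kernel-installed
connected route (scope link) in the routing table, and suggest Martin's two
fixes when it does not.  Sample output below is constructed, modelled on
Server B in the thread."""
import ipaddress
import re
import subprocess
import sys
from typing import Dict, List, Optional, Tuple

# Constructed "ip address show" output (multi-line form, as in the thread).
SAMPLE_IP_ADDR = """\
1: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0b:db:91:84:53 brd ff:ff:ff:ff:ff:ff
    inet 207.135.120.87/26 brd 207.135.120.127 scope global eth0
2: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0b:db:91:84:54 brd ff:ff:ff:ff:ff:ff
    inet 207.135.120.84/32 scope global eth1
"""
# Constructed "ip route show" output: the /26 connected route for eth0 is
# absent, exactly the situation Martin diagnosed.
SAMPLE_IP_ROUTE = """\
127.0.0.0/8 dev lo scope link
default via 207.135.120.65 dev eth0
"""

# "inet A.B.C.D/len ... <dev>": the device is the last token of the line.
INET_RE = re.compile(r"^\s*inet\s+(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\b.*\s(\S+)\s*$")


def parse_addrs(text: str) -> List[Tuple[str, ipaddress.IPv4Interface]]:
    """Return (device, address/prefix) pairs from 'ip address show' output."""
    found = []
    for line in text.splitlines():
        m = INET_RE.match(line)
        if m:
            found.append((m.group(2), ipaddress.IPv4Interface(m.group(1))))
    return found


def parse_routes(text: str) -> Dict[ipaddress.IPv4Network, str]:
    """Map each destination in 'ip route show' output to its output device."""
    routes: Dict[ipaddress.IPv4Network, str] = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dst = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        dev = tokens[tokens.index("dev") + 1] if "dev" in tokens else ""
        routes[ipaddress.ip_network(dst, strict=False)] = dev
    return routes


def missing_connected_routes(addr_text: str, route_text: str) -> List[str]:
    """For every address with a real network (prefix shorter than /32) make
    sure the connected route exists on that device; return the 'ip route add'
    commands that restore the missing ones (Martin's first fix)."""
    routes = parse_routes(route_text)
    fixes = []
    for dev, iface in parse_addrs(addr_text):
        if iface.network.prefixlen == 32:
            continue  # a /32 address has no connected network route at all
        if routes.get(iface.network) != dev:
            fixes.append(f"ip route add {iface.network} dev {dev} src {iface.ip}")
    return fixes


def host_route_cmd(next_hop: str, addr_text: str) -> Optional[str]:
    """Martin's second fix: a host route to the next hop over the interface
    whose network contains it (None if no interface address covers it)."""
    hop = ipaddress.ip_address(next_hop)
    for dev, iface in parse_addrs(addr_text):
        if hop in iface.network:
            return f"ip route add {hop} dev {dev}"
    return None


def report(addr_text: str, route_text: str, next_hop: Optional[str] = None) -> List[str]:
    lines = ["missing connected route, restore with: " + cmd
             for cmd in missing_connected_routes(addr_text, route_text)]
    if next_hop:
        cmd = host_route_cmd(next_hop, addr_text)
        lines.append("or add a host route: " + cmd if cmd
                     else f"no interface address covers {next_hop}")
    return lines


if __name__ == "__main__":
    if "--live" in sys.argv:  # run against the local box instead of the sample
        addr = subprocess.run(["ip", "address", "show"], capture_output=True, text=True).stdout
        rt = subprocess.run(["ip", "route", "show"], capture_output=True, text=True).stdout
    else:
        addr, rt = SAMPLE_IP_ADDR, SAMPLE_IP_ROUTE
    for line in report(addr, rt, "207.135.120.83"):
        print(line)
```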
From: rodob at datafull.com (Rodolfo Brasnarof)
Date: Sat Mar 10 06:00:55 2007
Subject: [LARTC] Mark on FTP passive traffic
Message-ID: <20070310020019.67ef107e@localhost>

On Fri, 09 Mar 2007 16:21:02 +0100 Frédéric Massot wrote:

> But the passive FTP does not pass because I do not know how to mark
> the related packets whose ports are negotiated in FTP session.
> [...]
> Do you know how I can mark the related packets to the passive FTP?

Here's what I'm using to mark ftp traffic for routing purposes, then I use the prerouting chain:

  # ftp
  iptables -t mangle -A PREROUTING -i eth0 -p tcp --sport 20 -j MARK --set-mark 1000
  iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 20 -j MARK --set-mark 1000
  iptables -t mangle -A PREROUTING -i eth0 -p tcp --sport 21 -j MARK --set-mark 1000
  iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 21 -j MARK --set-mark 1000
  iptables -t mangle -A PREROUTING -m helper --helper ftp -j MARK --set-mark 1000

With the use of the ftp_conntrack helper you can match all your ftp traffic, even passive ftp.

I hope this can help you.
From: fermat at rigel.deusto.es (Alvaro Uría)
Date: Sun Mar 11 23:48:18 2007
Subject: [LARTC] Where is the returning connection?
Message-ID: <20070311224733.GC6990@mogli>

Hi all! I'm new to the list :-)

I'm having a weird problem with which I'm a little bit lost right now. I've got a machine (Debian) connected to 2 different networks (A and B, with 2 different net cards), and a web server that is listening on the second one (B). I think I've configured the rules and routes correctly, but I'm not able to see the returning connection coming from the same machine, but using the A network to reach the service in the B network.

Being more precise,

* A network: 192.168.1.2 connected to a switch (default gw)
* B network: 192.168.2.2 connected to a router with 2 interfaces (192.168.2.1 and 192.168.1.30)
* Clients can only connect to the service through 192.168.1.30:80 (the router), where the dst IP is masked to 192.168.2.2:10080
* If I connect from any host but 192.168.1.2, everything runs ok (tcpdump shows me both ways of tcp packets)

Now, if I connect from that machine (that has the web server) through the router (192.168.1.30:80),

1. I see a SYN_SENT to 192.168.1.30 when I execute "netstat".
2. If I put tcpdump on eth0 (192.168.1.2), I see the tcp packets going to 192.168.1.30 (I don't see any packets coming back)
3. If I put tcpdump on eth1 (192.168.2.2), I see the tcp packets going to 192.168.2.2:10080 (from 192.168.1.2), but I don't see any packets coming back.
4. I've replaced the web server with a tiny tcp listener that shows the client IP, and I don't see the connection from 192.168.1.2 (I mean, any other clients connect correctly, but this one does not). Please remember that I can see tcpdump logs that say "192.168.1.2.32759 > 192.168.2.2.10080", etc.
5. I've also put tcpdump on "lo" but I can't see anything either :-S
6. I've tried "iptables --sport 10080 -j LOG" rules for the OUTPUT chain, and nothing is shown.

The routes and rules I've configured are,

  # A network
  ip route add 192.168.1.0/24 dev eth0 src 192.168.1.2 table main
  ip route add default via 192.168.1.1 table main
  ip rule add from 192.168.1.2 table main

  # B network
  ip route add 192.168.2.0/24 dev eth1 src 192.168.2.2 table router
  ip route add default via 192.168.2.1 dev eth1 onlink table router
  ip rule add from 192.168.2.2 table router

And last, I've also tried to "-j MARK" those packets going to "--dport 10080" and add a rule like:

  ip rule add fwmark table router

But it didn't work either.

Why is the connection not arriving at the application that is listening? (But it is arriving at the machine.) Why can't I see any kind of returning connection or ICMP packet telling that something is unreachable? (Maybe that will be solved after the first question.)

Thank you very much in advance for any light on this ;-)

Best regards,
Alvaro Uría

PS1: Direct connection from 192.168.1.2 to 192.168.2.2 (or using 127.0.0.1) is not a solution (I've kind of simplified the infrastructure).
PS2: BTW, LARTC-HOWTO is great :-))
From: michael.flower at elantisystems.com (Michael Flower)
Date: Tue Mar 13 02:26:45 2007
Subject: [LARTC] Problem
Message-ID: <45F5FDB4.4040207@elantisystems.com>

Hello.

I am trying to get multi paths running, i.e. I want to specify 2 paths from a particular node to another. To test this, I am setting up the following scenario:

I create 2 tap devices

  tap0 = 10.1.1.1/32 netmask 255.255.255.0
  tap1 = 10.2.2.2/32 netmask 255.255.255.0

I then issue the route command:

  ip route add 10.3.3.3/32 nexthop via 10.1.1.2 nexthop via 10.2.2.3

The route table then looks like:

  10.3.3.3
      nexthop via 10.1.1.2 dev tap0 weight 1
      nexthop via 10.2.2.3 dev tap1 weight 1

Pinging 10.3.3.3 causes arp requests on tap1 for 10.2.2.3 and never for 10.1.1.2. (There is nothing connected to tap0 or tap1 so I don't expect anything really, but I do expect the ARP requests, which would show that splitting would work.)

If the two routes were being used equally, I would have expected to see arp requests for 10.1.1.2 also (wouldn't I?)

...Michael Flower

--
Michael Flower
ES Labs
Elantis Systems Inc.
+61 3 9550 0866
From: doolph at syscount.net (Ying Xie)
Date: Tue Mar 13 07:42:23 2007
Subject: [LARTC] Standalone Shaping
Message-ID: <20070313024144.wwyo86dz9c4skgsg@webmail.syscount.net>

Hello guys,

I hope anyone can help me, I am kinda newb. I got my LAN shaping working pretty well with HTB + ESFQ (shaping on 192.168.10.0/24). The problem is: how can I shape the main router? My router is also an http proxy and pop3 proxy; if my LAN uses them it will get full download & upload speed. I need to restrict any incoming and outgoing traffic to the router on ports 80, 110 & 25.

PS. I am installing IMQ, maybe it's what I need; please give me examples.

Thanks in advance.

--
Ing. Ying Xie
Syscount Providers
CEO / President
USA: +1.419.301.6329
Panama: 202-9950/51
From: azez at ufomechanic.net (Amin Azez)
Date: Tue Mar 13 13:10:37 2007
Subject: [LARTC] Re: BUG? re-ordering of tos routes in table

* Amin Azez wrote, On 13/03/07 11:01:
> It strikes me that the re-ordering that seems to be based on netmask
> size should occur only in a larger ordering by tos, with tos of zero
> appearing last.
>
> i.e. when inserting routes, sort by descending order of tos and then by
> descending order of netmask size.

perhaps not... it would cause:

  # ip route add 1.1.0.1/32 table 3 nexthop via 192.168.0.24
  # ip route add 1.1.0.0/24 tos 0x15 table 3 nexthop via 192.168.0.23
  # ip route show table 3

to result in (with tos 0 (any) last)

  1.1.0.0/24 tos 0x15 via 192.168.0.23 dev eth3
  1.1.0.1 via 192.168.0.24 dev eth3

Which again is not what is wanted.

The conditions when route-creation order trumps subnet size seem to be:

1. that non-0-tos smaller subnetted routes can't be automatically moved before any 0-tos route whose subnet contains the smaller subnet.
2. that 0-tos smaller subnetted routes can't be automatically moved before any non-0-tos route whose subnet contains the smaller subnet.

because in both cases the tos mismatch would cause the smaller subnet to steal packets belonging to the other route, by virtue of route-creation order, which otherwise would result in sequences that could not easily be specified.

However this may result in islands of 0-tos, non-0-tos, 0-tos in the table that don't get merged in some cases because of the particular subnets in use but do in others.

There is a simpler solution... not to use tos in a table at all, but relegate it solely to rules; or not to use tos in tables in such cases (being where tos is intended to trump subnet size ordering).

Sam
From: azez at ufomechanic.net (Amin Azez)
Date: Tue Mar 13 13:22:12 2007
Subject: [LARTC] BUG? re-ordering of tos routes in table

It seems like tos should be considered when sorting routes on insertion.

Consider this out-of-order route creation:

  # ip route add 1.1.0.0/24 table 3 nexthop via 192.168.0.23
  # ip route add 1.1.0.1/32 table 3 nexthop via 192.168.0.24
  # ip route show table 3
  1.1.0.1 via 192.168.0.24 dev eth3
  1.1.0.0/24 via 192.168.0.23 dev eth3

ok... it's re-ordered the routes - it makes sense, the host route would have been masked by the net route, but what about this:

  # ip route add 1.1.0.0/24 tos 0x15 table 3 nexthop via 192.168.0.23
  # ip route add 1.1.0.1/32 table 3 nexthop via 192.168.0.24
  # ip route show table 3
  1.1.0.1 via 192.168.0.24 dev eth3
  1.1.0.0/24 tos 0x15 via 192.168.0.23 dev eth3

The routes as recorded will route all 1.1.0.1 traffic to 192.168.0.24 when it should only route non tos 0x15 traffic to 192.168.0.24.

It strikes me that the re-ordering that seems to be based on netmask size should occur only in a larger ordering by tos, with tos of zero appearing last.

i.e. when inserting routes, sort by descending order of tos and then by descending order of netmask size.

For the last case this would give:

  1.1.0.0/24 tos 0x15 via 192.168.0.23 dev eth3
  1.1.0.1 via 192.168.0.24 dev eth3

as tos 0x0 (any) appears last.

Sam
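An added example, not code from the thread or from Amin, that models route selection with tos so the two messages above can be replayed. The lookup rule is an assumption that matches the behaviour the thread describes (longest matching prefix wins, a tos-0 route matches any packet tos, a route with a non-zero tos matches only that tos); the second function applies Amin's proposed ordering, and the third the alternative he ends on, keeping tos out of the table and selecting the table with an "ip rule ... tos" style rule (the rule and table contents are constructed).

```python
"""Replay of Amin's table 3 under three selection policies.  The addresses
and nexthops are the ones from the thread; the lookup semantics and the
rule/table split are assumptions stated in the comments."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    tos: int        # 0 means "any tos", as it does in 'ip route' output
    via: str


def route(dst: str, via: str, tos: int = 0) -> Route:
    return Route(ipaddress.ip_network(dst, strict=False), tos, via)


def tos_compatible(r: Route, tos: int) -> bool:
    """Assumed matching rule: tos 0 is a wildcard, anything else is exact."""
    return r.tos == 0 or r.tos == tos


# Amin's second table 3: a tos 0x15 network route plus a tos-0 host route.
TABLE_3: List[Route] = [
    route("1.1.0.0/24", "192.168.0.23", tos=0x15),
    route("1.1.0.1/32", "192.168.0.24"),
]


def lookup_prefix_first(table: List[Route], dst: str, tos: int) -> Optional[str]:
    """What Amin observed: the longest prefix among tos-compatible routes
    wins; on equal prefix length an exact-tos route beats the wildcard."""
    ip = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for r in table:
        if ip not in r.dst or not tos_compatible(r, tos):
            continue
        if best is None or (r.dst.prefixlen, r.tos == tos) > (best.dst.prefixlen, best.tos == tos):
            best = r
    return best.via if best else None


def lookup_tos_first(table: List[Route], dst: str, tos: int) -> Optional[str]:
    """Amin's proposal: order by descending tos, then descending prefix
    length, and take the first compatible route."""
    ip = ipaddress.ip_address(dst)
    for r in sorted(table, key=lambda r: (r.tos, r.dst.prefixlen), reverse=True):
        if ip in r.dst and tos_compatible(r, tos):
            return r.via
    return None


# The thread's alternative: tos lives only in the rules.  Constructed
# equivalent of
#   ip rule add tos 0x15 lookup 4      (table 4: 1.1.0.0/24 via 192.168.0.23)
#   ip rule add lookup 3               (table 3: 1.1.0.1    via 192.168.0.24)
RULES: List[Tuple[Optional[int], int]] = [(0x15, 4), (None, 3)]
TABLES: Dict[int, List[Route]] = {
    4: [route("1.1.0.0/24", "192.168.0.23")],
    3: [route("1.1.0.1/32", "192.168.0.24")],
}


def lookup_with_rules(rules: List[Tuple[Optional[int], int]], tables: Dict[int, List[Route]],
                      dst: str, tos: int) -> Optional[str]:
    """Walk the rules in priority order.  A rule with a tos selector applies
    only to that tos; a table with no matching route falls through to the
    next rule, as 'ip rule' lookups do."""
    for selector, table_id in rules:
        if selector is not None and selector != tos:
            continue
        via = lookup_prefix_first(tables[table_id], dst, tos)
        if via is not None:
            return via
    return None


if __name__ == "__main__":
    for dst, tos in [("1.1.0.1", 0x15), ("1.1.0.1", 0), ("1.1.0.5", 0x15), ("1.1.0.5", 0)]:
        print(f"{dst} tos {tos:#04x}: prefix-first -> {lookup_prefix_first(TABLE_3, dst, tos)}, "
              f"tos-first -> {lookup_tos_first(TABLE_3, dst, tos)}, "
              f"rules -> {lookup_with_rules(RULES, TABLES, dst, tos)}")
```

The table alone cannot say whether the /32 or the tos 0x15 /24 was meant to win for 1.1.0.1 with tos 0x15 (the two orderings give different answers), whereas the rule-based layout states it explicitly.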
From: randywallacejr at gmail.com (Randy Wallace)
Date: Tue Mar 13 13:32:03 2007
Subject: [LARTC] Standalone Shaping
Message-ID: <861508be0703130531yb7a757sa99bc8cb5879a614@mail.gmail.com>

On a router, there is no need for an IMQ because there is always an egress path. For example:

  Internet -> eth1 -> iptables -> routing -> ... -> egress qdisc -> eth0 -> LAN
  LAN -> eth0 -> iptables -> routing -> .... -> egress qdisc -> eth1 -> Internet
  Local Process / Proxy -> routing -> iptables -> egress qdisc -> eth1/eth0 -> LAN/Internet

So, all 'Incoming' shaping would be done at eth0, and all 'Outgoing' shaping would be done at eth1.

The easiest solution, to prevent changing any of your local LAN-related traffic shaping rules, would be to use an iptables mark (-j MARK --set-mark) at PREROUTING, OUTPUT, or POSTROUTING to classify, by port, routed traffic from the Internet to the LAN, the LAN to the Internet, or the proxy to the Internet/LAN. Then, add to your qdisc a class with a filter based on the firewall mark. Very easy!
An example 'Outgoing' (LAN/Proxy to Internet):

  tc qdisc add dev eth1 root handle 1: htb default 2
  tc class add dev eth1 parent 1: classid 1:1 htb rate XXX ceil XXX
  tc class add dev eth1 parent 1:1 classid 1:2 htb rate XXX ceil XXX
  tc qdisc add dev eth1 parent 1:2 handle 2: sfq perturb 10
  tc class add dev eth1 parent 1:1 classid 1:3 htb rate XXX ceil XXX
  tc qdisc add dev eth1 parent 1:3 handle 3: sfq perturb 10
  tc class add dev eth1 parent 1:1 classid 1:4 htb rate XXX ceil XXX
  tc qdisc add dev eth1 parent 1:4 handle 4: sfq perturb 10
  tc class add dev eth1 parent 1:1 classid 1:5 htb rate XXX ceil XXX
  tc qdisc add dev eth1 parent 1:5 handle 5: sfq perturb 10

  tc filter add dev eth1 protocol ip parent 1: prio 1 handle 1 fw flowid 1:3
  tc filter add dev eth1 protocol ip parent 1: prio 1 handle 2 fw flowid 1:4
  tc filter add dev eth1 protocol ip parent 1: prio 1 handle 3 fw flowid 1:5

  # MARK is a mangle-table target, so the marking rules need -t mangle
  iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 25 -j MARK --set-mark 1
  iptables -A FORWARD -o eth1 -p tcp --dport 25 -j DROP
  iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 80 -j MARK --set-mark 2
  iptables -A FORWARD -o eth1 -p tcp --dport 80 -j DROP
  iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 110 -j MARK --set-mark 3
  iptables -A FORWARD -o eth1 -p tcp --dport 110 -j DROP

So what happens? You have 4 classes, each with their own bandwidth rates and ceilings, sharing when they can. 3 of the 4 classes receive their flows based on destination port; the fourth is the default for all other traffic. iptables marks traffic coming from the proxy destined for the Internet with a 1, 2, or 3 depending on port. iptables drops all related traffic on the FORWARD chain to prevent unproxied traffic from getting to the Internet.

The 'Incoming' rules shouldn't change much from the outgoing; there should just be another layer of classes to allow for normal, local Ethernet traffic to and from the local processes on the server/router, i.e. DHCP, FTP, etc...
Local traffic should receive what's left over when you subtract your Internet bandwidth from your interface speed. Again, firewall marking will alleviate the problems associated with classifying local/Internet traffic from tc.

Hope this helped a little!

From: karme at berlios.de (Jens Thiele)
Date: Tue Mar 13 14:55:13 2007
Subject: [LARTC] Standalone Shaping
In-Reply-To: <861508be0703130531yb7a757sa99bc8cb5879a614@mail.gmail.com> (Randy Wallace's message of "Tue, 13 Mar 2007 15:31:58 +0300")
References: <861508be0703130531yb7a757sa99bc8cb5879a614@mail.gmail.com>

Hi,

I have the same question.

"Randy Wallace" writes:
> On a router, there is no need for an IMQ because there is always an
> egress path.
> For example:
> Internet -> eth1 -> iptables -> routing -> ... -> egress qdisc -> eth0 -> LAN
> LAN -> eth0 -> iptables -> routing -> .... -> egress qdisc -> eth1 -> Internet
> Local Process / Proxy -> routing -> iptables -> egress qdisc ->

What about

  Internet -> eth1 -> iptables -> Local Process ?

First I thought it should be easy to put a virtual interface in between:

  Internet <-> eth1 <-> virtual dev (maybe tun/tap or modified dummy) <-> local process or routing <-> eth0 <-> LAN

Then I could use egress shaping on eth1 and the virtual device (and have a setup as simple as a "plain router setup").

But I did not manage to do this yet. Anybody using a setup like this one? (Maybe bridging or iptables -j ROUTE might help? It seems impossible to force a packet to pass through netfilter for a second time.)

Greetings
Jens

PS: Randy: sorry for replying to the wrong address first
From: orrie at seznam.cz (Ales Klok)
Date: Tue Mar 13 22:00:05 2007
Subject: [LARTC] Standalone Shaping
References: <861508be0703130531yb7a757sa99bc8cb5879a614@mail.gmail.com>
Message-ID: <45F710B1.3080404@seznam.cz>

Jens Thiele wrote:
> What about
> Internet -> eth1 -> iptables -> Local Process ?
>
> First I thought it should be easy to put a virtual interface in between:
>
> Internet <-> eth1 <-> virtual dev (maybe tun/tap or modified
> dummy) <-> local process or routing <-> eth0 <-> LAN
>
> Then I could use egress shaping on eth1 and the virtual device
> (and have a setup as simple as a "plain router setup")
>
> But I did not manage to do this yet. Anybody using a setup like this
> one?

You have to use IMQ for that. IMQ acts as a "dummy" device which hooks itself into iptables after NAT (or before, depending on config), so you can use egress shaping on it before the packet reaches the local process or forwarding. You can't use IFB in your case because the packet goes to IFB before NAT and thus you don't know if it is destined for the router itself or a client behind NAT.

/ak
From: kaber at trash.net (Patrick McHardy)
Date: Wed Mar 14 13:06:48 2007
Subject: [LARTC] Re: [ANNOUNCE] iproute2 2.6.20-070313
In-Reply-To: <200703141223.48927.arekm@maven.pl>
References: <20070313151549.332004c9@freekitty> <200703141223.48927.arekm@maven.pl>
Message-ID: <45F7E527.6030307@trash.net>

Arkadiusz Miskiewicz wrote:
> This patch
>
> http://www.mail-archive.com/netdev@vger.kernel.org/msg27506.html
>
> didn't make into upstream linux kernel it seems.

As mentioned in the changelog, it's in 2.6.19.

> The question is - are patches adding some functionality that's not in upstream
> kernel accepted?
>
> There is one wrr patch for iproute floating around that I'm thinking about.

Last time I looked at the WRR patch it was a huge mess and used architecture-dependent types in the netlink messages. Unless someone fixed this, adding support to iproute is a bad idea, since in case it got merged compatibility would break.
From: kaber at trash.net (Patrick McHardy)
Date: Wed Mar 14 13:32:55 2007
Subject: [LARTC] Re: [ANNOUNCE] iproute2 2.6.20-070313
In-Reply-To: <200703141316.05509.arekm@maven.pl>
References: <20070313151549.332004c9@freekitty> <200703141223.48927.arekm@maven.pl> <45F7E527.6030307@trash.net> <200703141316.05509.arekm@maven.pl>
Message-ID: <45F7EB5C.5010901@trash.net>

Arkadiusz Miskiewicz wrote:
> Hm, why no RTA_FWMASK in HEAD rtnetlink.h
>
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=include/linux/rtnetlink.h;h=4a629ea70cc4ca60a6f486f8653974af68dbe8cd;hb=HEAD
>
> and 2.6.19
>
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=include/linux/rtnetlink.h;h=3a18addaed4ccb7436bffc9cf5fd0666f145d35c;hb=0215ffb08ce99e2bb59eca114a99499a4d06e704
>
> ?

It's in include/linux/fib_rules.h:

  enum {
          ...
          FRA_FWMASK,     /* mask for netfilter mark */
          __FRA_MAX
  };

RTA_* attributes aren't used for routing rules anymore inside the kernel.
From: chrisp at tangent.co.za (Chris Picton)
Date: Wed Mar 14 14:06:33 2007
Subject: [LARTC] DGD of upstream routers
In-Reply-To: <45F03E67.6040604@tangent.co.za>
References: <45F03E67.6040604@tangent.co.za>
Message-ID: <1173876282.18504.13.camel@localhost>

Hi all

I have seen the below question asked a few times, but not seen any answers. Is this because

1) it is not possible

2) It is really simple and I shouldn't even be asking the question :)

Can somebody please enlighten me.

Thanks
Chris

On Thu, 2007-03-08 at 18:48 +0200, Chris Picton wrote:
> Hi
>
> I have read various info, and mailing list archives, but have not found
> an answer to the following.
>
> I have a few servers with configurations similar to the following:
>
> They each have multiple uplinks to the Internet, and a sample config is
> as follows:
>
> eth1 is 192.168.0.1, connected to 192.168.0.2
> eth2 is 192.168.1.1, connected to 192.168.1.2
>
> My default route looks like:
> ip route add scope global equalize nexthop via 192.168.0.2 dev eth1 \
> weight 1 nexthop via 192.168.1.2 dev eth2 weight 1
>
> If one line goes down, I would like the second to be used exclusively
> until the first comes back up
>
> However, the IPs 192.168.0.2 and 192.168.1.2 are always available and
> reachable. It is the connection past those devices which may drop.
>
> Do any of the available options or patches take this into account, or do
> I have to write custom ping scripts to try to reach remote hosts via each
> gateway, and modify the routes if a line appears to be down.

---------------------+----------------------------------------------------
Chris Picton         | PGP Key ID: 9D28A988 (wwwkeys.pgp.net)
Technical Director   | PGP Key Fingerprint:
Tangent Systems      | 2B46 29EA D530 79EC D9EA 3ED0 229D 6DD6 9D28 A988
011 447 8096         | "Quid quid latine dictum sit, altum viditar"
chrisp@tangent.co.za | http://www.tangent.co.za/keys/chrisp.asc
---------------------+----------------------------------------------------
From: alchemyx at uznam.net.pl (Michał Margula)
Date: Wed Mar 14 14:31:17 2007
Subject: [LARTC] DGD of upstream routers
In-Reply-To: <1173876282.18504.13.camel@localhost>
References: <45F03E67.6040604@tangent.co.za> <1173876282.18504.13.camel@localhost>
Message-ID: <45F7F8AF.7000908@uznam.net.pl>

Chris Picton wrote:
> Hi all
>
> I have seen the below question asked a few times, but not seen any answers. Is this because
>
> 1) it is not possible
>
> 2) it is really simple and I shouldn't even be asking the question :)
>

Usually you do such things using some dynamic routing protocol (OSPF, BGP, RIP). But it needs cooperation from the upstream provider.

A quite good solution is using some kind of monitoring tool (Nagios, for example) which checks the reachability of some hosts; using that information you can alter the routing table. Or you can use a shell script, combined with ping and cron :)

-- 
Michał Margula, alchemyx@uznam.net.pl, http://alchemyx.uznam.net.pl/
"W życiu piękne są tylko chwile" ("In life, only moments are beautiful") [Ryszard Riedel]

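Michał's last suggestion, the ping-and-cron script, worked through as an added example; this is not code from either post. It takes the two gateways from Chris's message, pins one probe host behind each line (the probe addresses 198.51.100.1 and 198.51.100.2, the state file and the `logger` tag are assumptions) and rewrites the multipath default route only when the liveness of a line changes. The rewritten route is the stock per-flow multipath route; Chris's `equalize` keyword belongs to the patched kernel and is left out here.

```sh
#!/bin/sh
# Dead gateway detection for a two-uplink host: probe a remote host through
# each gateway, rewrite the multipath default route when a line dies or
# recovers.  Run from cron every minute as "dgd.sh run".
# Added example, not from the original posts.  Gateway addresses come from
# Chris's message; probe hosts and the state file are assumptions.

GW1=192.168.0.2; DEV1=eth1; PROBE1=198.51.100.1   # assumed probe host
GW2=192.168.1.2; DEV2=eth2; PROBE2=198.51.100.2   # assumed probe host
STATE=${STATE:-/var/run/dgd.state}
IP=${IP:-ip}         # set IP=echo for a dry run
PING=${PING:-ping}

# Pin one probe host behind each gateway so the ping really leaves through
# that line; the multipath default route would otherwise pick either.
pin_probes() {
    $IP route replace "$PROBE1/32" via "$GW1" dev "$DEV1"
    $IP route replace "$PROBE2/32" via "$GW2" dev "$DEV2"
}

# 0 if the far side of the line answers, 1 otherwise.  Three probes with a
# 2 s wait each: one lost packet must not flap the route.
gw_alive() {   # $1 = probe host
    $PING -q -c 3 -W 2 "$1" >/dev/null 2>&1
}

# Print the argument list for "ip route replace" given the liveness flags
# (1 = up, 0 = down).  Returns 1 when both lines are down; the caller then
# leaves the current route alone rather than blackholing everything.
build_default_route() {   # $1 = gw1 up?  $2 = gw2 up?
    case "$1$2" in
        11) echo "default nexthop via $GW1 dev $DEV1 weight 1 nexthop via $GW2 dev $DEV2 weight 1" ;;
        10) echo "default via $GW1 dev $DEV1" ;;
        01) echo "default via $GW2 dev $DEV2" ;;
        *)  return 1 ;;
    esac
}

main() {
    pin_probes
    up1=0; up2=0
    gw_alive "$PROBE1" && up1=1
    gw_alive "$PROBE2" && up2=1
    route=$(build_default_route "$up1" "$up2") || {
        logger -t dgd "both uplinks down, leaving routes untouched"
        return 1
    }
    # Touch the kernel only when the state changed: on 2.6 kernels every
    # change to the routing table flushes the route cache, and a flush can
    # move established flows to the other uplink (compare Alin's "client
    # disconnecting" thread on this list).
    if [ "$(cat "$STATE" 2>/dev/null)" != "$up1$up2" ]; then
        $IP route replace $route && echo "$up1$up2" > "$STATE"   # word splitting intended
        logger -t dgd "uplink state now gw1=$up1 gw2=$up2"
    fi
}

case "${1:-}" in run) main ;; esac
```

Pick probe hosts that sit past the provider's first hop and that you are allowed to ping every minute; probing the gateway itself is exactly what Chris says does not work, since 192.168.0.2 stays reachable while the line behind it is dead.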
From: jecarb at menta.net (J.E.)
Date: Wed Mar 14 14:45:59 2007
Subject: [LARTC] ipp2p problems
Message-ID: <45F7FC91.8010503@menta.net>

Hello list,

I'm a newbie on this list. Well, I'm going crazy with ipp2p. Googling, I found a mini-howto, but I've got problems.

1) Download:
   * iptables-dev (apt-get)
   * kernel-headers-2.x.x (your kernel, "uname -r")
   * src of your iptables (iptables -V and apt-get source)
   * ipp2p-0.8.0.tar.gz (stable)
2) untar ipp2p and cd ipp2p
3) Edit Makefile, if necessary:
   * IPTABLES_SRC = /usr/src/iptables
   * In my case, the headers are detected automatically.
4) make (WITHOUT ERRORS!!! ;) )
5) cp libipt_ipp2p.so /lib/iptables
6) cp ipt_ipp2p.ko /lib/modules/`uname -r`/kernel/net/ipv4/netfilter
7) depmod -A
8) insmod ipt_ipp2p.ko (or modprobe)
9) lsmod | grep ipp2p
10) iptables -m ipp2p --help

root@servidor:/usr/src/ipp2p-0.8.0# make
make -C /lib/modules/2.6.15-28-386/build SUBDIRS=/usr/src/ipp2p-0.8.0 modules
make[1]: Entering directory `/usr/src/linux-headers-2.6.15-28-386'
  CC [M]  /usr/src/ipp2p-0.8.0/ipt_ipp2p.o
  Building modules, stage 2.
  MODPOST
  CC      /usr/src/ipp2p-0.8.0/ipt_ipp2p.mod.o
  LD [M]  /usr/src/ipp2p-0.8.0/ipt_ipp2p.ko
make[1]: Leaving directory `/usr/src/linux-headers-2.6.15-28-386'
gcc -O3 -Wall -DIPTABLES_VERSION=\"\" -I/usr/src/iptables-1.3.3/include -fPIC -c libipt_ipp2p.c
ld -shared -o libipt_ipp2p.so libipt_ipp2p.o

Seems that all is OK...
.
.
.
But...

root@servidor:/usr/src/ipp2p-0.8.0# iptables -m ipp2p --help
iptables: match `ipp2p' v (I'm v1.3.1).

I only get this line: iptables: match `ipp2p' v (I'm v1.3.1)

root@servidor:/usr/src/ipp2p-0.8.0# iptables -A FORWARD -m ipp2p --ipp2p -j DROP
iptables: match `ipp2p' v (I'm v1.3.1).

Only one line, again.
root@servidor:/usr/src/ipp2p-0.8.0# iptables -L FORWARD
Chain FORWARD (policy DROP)
target     prot  opt source     destination
DROP       !icmp --  anywhere   anywhere     state INVALID
eth0_fwd   all   --  anywhere   anywhere
eth1_fwd   all   --  anywhere   anywhere
Reject     all   --  anywhere   anywhere
LOG        all   --  anywhere   anywhere     limit: avg 5/min burst 2 LOG level info prefix `Shorewall:FORWARD:REJECT:'
reject     all   --  anywhere   anywhere

I don't see anything of ipp2p.
(In Spanish: "Nada por aquí, nada por allá", "nothing here, nothing there" :) )

I always get the same results with:

Ubuntu Dapper
Kernels: 2.6.15-27-386, 2.6.15-28-386
iptables: 1.3.3
ipp2p: 0.8.0

Ubuntu Breezy (I think)
Kernel: 2.6.12-10-386
iptables: 1.3.1
ipp2p: 0.8.0

I don't know what's going on. Any ideas?

Thank you all
Juanen

From: marco.casaroli at gmail.com (Marco Aurelio)
Date: Wed Mar 14 16:56:41 2007
Subject: [LARTC] ipp2p problems
In-Reply-To: <45F7FC91.8010503@menta.net>
References: <45F7FC91.8010503@menta.net>
Message-ID: <92ed523b0703140856s3e21d923x78ee17fe98a18913@mail.gmail.com>

On 3/14/07, J.E. wrote:
>
> root@servidor:/usr/src/ipp2p-0.8.0# iptables -m ipp2p --help
> iptables: match `ipp2p' v (I'm v1.3.1).
>
> I only get this line: iptables: match `ipp2p' v (I'm v1.3.1)

You are running iptables version 1.3.1, and this is not the version you compiled ipp2p for (1.3.3).

What is the output of the ipp2p make install?

-- 
Marco

> root@servidor:/usr/src/ipp2p-0.8.0# iptables -A FORWARD -m ipp2p --ipp2p -j DROP
> iptables: match `ipp2p' v (I'm v1.3.1).
>
> Only one line, again.
>
> root@servidor:/usr/src/ipp2p-0.8.0# iptables -L FORWARD
> Chain FORWARD (policy DROP)
> target     prot  opt source     destination
> DROP       !icmp --  anywhere   anywhere     state INVALID
> eth0_fwd   all   --  anywhere   anywhere
> eth1_fwd   all   --  anywhere   anywhere
> Reject     all   --  anywhere   anywhere
> LOG        all   --  anywhere   anywhere     limit: avg 5/min burst 2 LOG level info prefix `Shorewall:FORWARD:REJECT:'
> reject     all   --  anywhere   anywhere
>
> I don't see anything of ipp2p.
> (In Spanish: "Nada por aquí, nada por allá", "nothing here, nothing there" :) )
>
> I always get the same results with:
>
> Ubuntu Dapper
> Kernels: 2.6.15-27-386, 2.6.15-28-386
> iptables: 1.3.3
> ipp2p: 0.8.0
>
> Ubuntu Breezy (I think)
> Kernel: 2.6.12-10-386
> iptables: 1.3.1
> ipp2p: 0.8.0
>
> I don't know what's going on. Any ideas?
>
> Thank you all
> Juanen

-- 
Marco

From: doolph at syscount.net (Ying Xie)
Date: Wed Mar 14 17:03:26 2007
Subject: [LARTC] Re: Standalone Shaping
Message-ID: <20070314120259.r52ji5rssg8w80o0@webmail.syscount.net>

Hi Randy,

I think you didn't understand me. I have this situation:

Internet -- eth0 -- firewall/router/qos -- eth1 -- LAN

My LAN traffic is pretty cool, and it's shaped by the router inbound and outbound. Now all I want is to shape the same firewall/router/qos box itself, shaping its own ingress and egress traffic. For example: if I download anything onto the server (within an SSH session), it won't affect my LAN; or the box is running a Squid proxy, or a mail server, or an HTTP server.

Thanks in advance...

-- 
Ing. Ying Xie
Syscount Providers
CEO / President
USA: +1.419.301.6329
Panama: 202-9950/51

From: kaber at trash.net (Patrick McHardy)
Date: Wed Mar 14 21:42:54 2007
Subject: [LARTC] Re: [ANNOUNCE] iproute2 2.6.20-070313
In-Reply-To: <20070314101443.4347efdd@freekitty>
References: <20070313151549.332004c9@freekitty> <200703141223.48927.arekm@maven.pl> <45F7E527.6030307@trash.net> <200703141316.05509.arekm@maven.pl> <45F7EB5C.5010901@trash.net> <20070314101443.4347efdd@freekitty>
Message-ID: <45F85E40.6050409@trash.net>

Stephen Hemminger wrote:
> On Wed, 14 Mar 2007 13:32:28 +0100
> Patrick McHardy wrote:
>
>> RTA_* attributes aren't used for routing rules anymore inside
>> the kernel.
>
> But we need to keep them in iproute2 for back compatibility?

Not really for compatibility; it's the numerical values that matter. iproute hasn't been changed to use the FRA_* attributes for routing rules, but it might be a good idea to do this before adding the next RTA_* attribute, since RTA_FWMASK doesn't have any meaning for routes in the kernel, so the next RTA attribute we add could just use the same value instead of leaving a hole.

From: jecarb at menta.net (J.E.)
Date: Wed Mar 14 23:34:53 2007
Subject: [LARTC] ipp2p problems
References: <45F7FC91.8010503@menta.net>
Message-ID: <45F87887.3060906@menta.net>

Thank you Marco.

>> You are running iptables version 1.3.1, and this is not the version you compiled ipp2p for (1.3.3)

But I made a mistake in my explanation. I mixed up the results of Ubuntu Dapper with the results of Ubuntu Breezy, sorry. Instead of 1.3.1 it should have said 1.3.3. In any case I will verify it. But I'm 99% sure that I've used the correct source code.

>> What is the output of the ipp2p make install?

I didn't do "make install". Is it necessary? I simply did

5) cp libipt_ipp2p.so /lib/iptables
6) cp ipt_ipp2p.ko /lib/modules/`uname -r`/kernel/net/ipv4/netfilter

Maybe I need to recompile iptables? I'm using the same version as the iptables Debian package to compile ipp2p. Maybe it's a silly question, but now I doubt everything. ;)

First time:
-----------
Compiled in Ubuntu Dapper
Kernel: 2.6.15-28-386
iptables: 1.3.3
ipp2p: 0.8.0

Second time:
------------
Compiled in Ubuntu Dapper
Kernel: 2.6.15-27-386
iptables: 1.3.3
ipp2p: 0.8.0

Third time:
-----------
Compiled in Ubuntu Breezy
Kernel: 2.6.12-10-386
iptables: 1.3.1
ipp2p: 0.8.0

--------------------

This would be the correct explanation.

1) Download:
   * iptables-dev (apt-get)
   * kernel-headers-2.x.x (your kernel, "uname -r")
   * src of your iptables (iptables -V and apt-get source)
   * ipp2p-0.8.0.tar.gz (stable)
2) untar ipp2p and cd ipp2p
3) Edit Makefile, if necessary:
   * IPTABLES_SRC = /usr/src/iptables
   * In my case, the headers are detected automatically.
4) make (WITHOUT ERRORS!!! ;) )
5) cp libipt_ipp2p.so /lib/iptables
6) cp ipt_ipp2p.ko /lib/modules/`uname -r`/kernel/net/ipv4/netfilter
7) depmod -A
8) insmod ipt_ipp2p.ko (or modprobe)
9) lsmod | grep ipp2p
10) iptables -m ipp2p --help

root@servidor:/usr/src/ipp2p-0.8.0# make
make -C /lib/modules/2.6.15-28-386/build SUBDIRS=/usr/src/ipp2p-0.8.0 modules
make[1]: Entering directory `/usr/src/linux-headers-2.6.15-28-386'
  CC [M]  /usr/src/ipp2p-0.8.0/ipt_ipp2p.o
  Building modules, stage 2.
  MODPOST
  CC      /usr/src/ipp2p-0.8.0/ipt_ipp2p.mod.o
  LD [M]  /usr/src/ipp2p-0.8.0/ipt_ipp2p.ko
make[1]: Leaving directory `/usr/src/linux-headers-2.6.15-28-386'
gcc -O3 -Wall -DIPTABLES_VERSION=\"\" -I/usr/src/iptables-1.3.3/include -fPIC -c libipt_ipp2p.c
ld -shared -o libipt_ipp2p.so libipt_ipp2p.o

Seems that all is OK...
.
.
.
But...

root@servidor:/usr/src/ipp2p-0.8.0# iptables -m ipp2p --help
iptables: match `ipp2p' v (I'm v1.3.3).    <--- mistake

I only get this line: iptables: match `ipp2p' v (I'm v1.3.3)    <--- mistake

root@servidor:/usr/src/ipp2p-0.8.0# iptables -A FORWARD -m ipp2p --ipp2p -j DROP
iptables: match `ipp2p' v (I'm v1.3.3).    <--- mistake

Only one line, again.

root@servidor:/usr/src/ipp2p-0.8.0# iptables -L FORWARD
Chain FORWARD (policy DROP)
target     prot  opt source     destination
DROP       !icmp --  anywhere   anywhere     state INVALID
eth0_fwd   all   --  anywhere   anywhere
eth1_fwd   all   --  anywhere   anywhere
Reject     all   --  anywhere   anywhere
LOG        all   --  anywhere   anywhere     limit: avg 5/min burst 2 LOG level info prefix `Shorewall:FORWARD:REJECT:'
reject     all   --  anywhere   anywhere

I don't see anything of ipp2p.

Thank you.

From: jecarb at menta.net (J.E.)
Date: Wed Mar 14 23:53:45 2007
Subject: [LARTC] ipp2p problems
Message-ID: <45F87CFB.60907@menta.net>

>> What is the output of the ipp2p make install?

When I 'make install':

root@servidor:/usr/src/ipp2p-0.8.0# make install
make: *** No hay ninguna regla para construir el objetivo `install'. Alto.

This is the answer, in English:

make: *** No rule to make target `install'. Stop.

The logs don't give me any clue.

Any ideas?

From: netsecuredata at gmail.com (Jorge Evangelista)
Date: Thu Mar 15 04:52:09 2007
Subject: [LARTC] ipp2p problems
In-Reply-To: <45F87CFB.60907@menta.net>
References: <45F87CFB.60907@menta.net>
Message-ID:

Hi

This is my small guide (translated from Spanish) for compiling ipp2p with iptables. I think that you have these errors because the script is looking for files in other directories. I had had similar problems; I suggest that you install it on a Red Hat clone (CentOS, WhiteBox). I have installed it on these distributions and I do not have problems any more.

IPP2P guide

For this I use ipp2p; here is the procedure for installing it:

I have iptables installed from an RPM; get the version with
  # iptables -V

In a specific directory, which can be /opt or /tmp, unpack ipp2p and the sources of my iptables. I downloaded the version matching my iptables, iptables-myversion.tar.gz, from the NETFILTER site (ftp.netfilter.org).

Then go to the ipp2p directory.

In the ipp2p Makefile edit the following parameters:
  IPTABLES_BIN = /usr/sbin/iptables
  IPTABLES_SRC = /tmp/iptables-1.3.1

Then do a
  # make

The following files are created in the ipp2p directory:
  libipt_ipp2p.so
  libipt_ipp2p.o
  ipt_ipp2p.o

Move the file libipt_ipp2p.so to /lib/iptables
Copy the other two to /lib/modules/2.4.20-8/kernel/net/ipv4/netfilter
then do a
  # depmod -a

Ready to define a rule that blocks all the P2P traffic of Kazaa, Ares, etc.:
  # iptables -A FORWARD -m ipp2p --ipp2p -j DROP

On 3/14/07, J.E. wrote:
> >> What is the output of the ipp2p make install?
>
> When I 'make install':
>
> root@servidor:/usr/src/ipp2p-0.8.0# make install
> make: *** No hay ninguna regla para construir el objetivo `install'. Alto.
>
> This is the answer, in English:
>
> make: *** No rule to make target `install'. Stop.
>
> The logs don't give me any clue.
>
> Any ideas?

-- 
"The network is the computer"

From: indunil75 at gmail.com (Indunil Jayasooriya)
Date: Thu Mar 15 07:35:33 2007
Subject: [LARTC] Monitoring pkg to monitor router
Message-ID: <7ed6b0aa0703142335l63b63591l6f6a46556410afb7@mail.gmail.com>

Hi,

I have a router which is maintained by our ISP. They have allowed us to monitor it using MRTG. It is okay, but it only shows incoming and outgoing traffic. It does not say whether it is TCP or UDP or ICMP. It just shows in and out. That's it.

But I want to monitor this router. Can you tell me a good package for it? The router has an SNMP community password; I do not know it, and my ISP does not give it out either.

Can you help me according to my situation soon?

-- 
Thank you
Indunil Jayasooriya

From: ruben.porras at linworks.de (Ruben Porras)
Date: Thu Mar 15 09:47:35 2007
Subject: [LARTC] Problem attaching htb class to a htb qdisc
Message-ID: <1173948436.5168.3.camel@localhost>

I'm trying to build a QoS system that would divide the outgoing traffic into four categories, each one also subdivided into two more categories. For that I chose an htb root qdisc subdivided into four classes, each of which also contains an htb qdisc. Up to this point everything goes well, but when I try to attach a new class to the leaf htb qdisc a problem with the syntax arises. Code follows:

tc qdisc add dev $DEV root handle 1: htb default 30
tc class add dev $DEV parent 1: classid 1:1 htb rate ${UPLINK}kbit
tc class add dev $DEV parent 1:1 classid 1:10 htb rate ${UPLINK}kbit
tc class add dev $DEV parent 1:1 classid 1:20 htb rate ${UPLINK}kbit
tc class add dev $DEV parent 1:1 classid 1:30 htb rate ${UPLINK}kbit
tc class add dev $DEV parent 1:1 classid 1:40 htb rate ${UPLINK}kbit
tc qdisc add dev $DEV parent 1:10 handle 10: htb default 12
tc class add dev $DEV parent 10: classid 1:11 htb rate ${UPLINK}kbit prio 1
RTNETLINK answers: Invalid argument
tc class add dev $DEV parent 10: classid 1:12 htb rate ${UPLINK}kbit prio 2
RTNETLINK answers: Invalid argument
tc qdisc add dev $DEV parent 1:11 handle 11: sfq perturb 10
tc qdisc add dev $DEV parent 1:12 handle 12: sfq perturb 10
...

If I attach the classes to 1: instead of 10: everything goes well, but I do not understand why I can't attach a class to 10:

Any help would be appreciated.

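Ruben's tree rebuilt as an added example (not his script, and not a reply from the list) with the numbering the kernel accepts. The rule that his two failing lines break: a class attached to a qdisc carries that qdisc's major number, so the classes of qdisc 10: are 10:11 and 10:12, not 1:11 and 1:12. The kernel answers a mismatch with EINVAL, which tc reports as "RTNETLINK answers: Invalid argument". The device name and the 512 kbit uplink are assumed values; set TC=echo to print the commands instead of running them.

```sh
#!/bin/sh
# Two-level HTB tree from Ruben's post, with the class numbering that the
# kernel accepts.  Added example, not code from the original post.
# DEV and UPLINK are assumed values.
DEV=${DEV:-eth0}
UPLINK=${UPLINK:-512}
TC=${TC:-tc}          # TC=echo for a dry run

tc_() { $TC "$@"; }

# A class must carry the major number of the qdisc it hangs off: classes of
# qdisc 10: are 10:N, never 1:N (EINVAL otherwise).  Deriving the classid
# from the parent handle makes the mistake impossible to type.
classid_for() {   # $1 = parent ("10:" or "1:10"), $2 = minor
    echo "${1%%:*}:$2"
}

add_class() {   # $1 = parent, $2 = minor, rest = htb parameters
    parent=$1; minor=$2; shift 2
    tc_ class add dev "$DEV" parent "$parent" classid "$(classid_for "$parent" "$minor")" htb "$@"
}

build() {
    tc_ qdisc add dev "$DEV" root handle 1: htb default 30
    add_class 1:  1 rate "${UPLINK}kbit"
    for n in 10 20 30 40; do
        add_class 1:1 $n rate "${UPLINK}kbit"
    done

    # Second level: an inner HTB qdisc 10: under class 1:10.  Its classes
    # are 10:11 and 10:12, and the sfq leaves attach to those.
    tc_ qdisc add dev "$DEV" parent 1:10 handle 10: htb default 12
    add_class 10: 11 rate "${UPLINK}kbit" prio 1
    add_class 10: 12 rate "${UPLINK}kbit" prio 2
    tc_ qdisc add dev "$DEV" parent 10:11 handle 11: sfq perturb 10
    tc_ qdisc add dev "$DEV" parent 10:12 handle 12: sfq perturb 10
}

case "${1:-}" in run) build ;; esac
```

The inner HTB qdisc is rarely what you want: classes 1:11 and 1:12 attached directly under 1:10 in the same tree give the same two-way split and can also borrow from their parent, which classes inside a separate qdisc 10: cannot do; the default class for the inner qdisc (default 12) would then simply become a filter or the root's default.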
From: randywallacejr at gmail.com (Randy Wallace)
Date: Thu Mar 15 10:11:39 2007
Subject: [LARTC] Traffic Shaping over Satellite Internet
Message-ID: <861508be0703150211y3845b8aci213e9b29492f50fe@mail.gmail.com>

I've set up traffic shaping on a Linux router. Using HTB with SFQ, I'm trying to slow down heavy downloading for 20 subscribers over a 2048 kbit downlink. I'm classifying Internet-related traffic using iptables marking.

bri0 is my local LAN bridge, receiving egress traffic destined for subscribers.

tc qdisc add dev bri0 root handle 1: htb default 2
tc class add dev bri0 parent 1: classid 1:1 htb rate 92129kbit ceil 102400kbit
tc class add dev bri0 parent 1:1 classid 1:2 htb rate 90072kbit ceil 92129kbit
tc class add dev bri0 parent 1:1 classid 1:3 htb rate 2048kbit ceil 92129kbit
# Non-Internet Local Lan Traffic
tc qdisc add dev bri0 parent 1:2 handle 2: sfq perturb 10
# Internet Traffic
tc class add dev bri0 parent 1:3 classid 1:9 htb rate 50kbit ceil 100kbit
# Unknown Internet Traffic
tc qdisc add dev bri0 parent 1:9 handle 9: sfq perturb 10
# Known Subscribers, based on IP Address, ea. subscriber gets their own class,
# starting with 1:10 (a script populates the classes for me)
tc class add dev bri0 parent 1:3 classid 1:(10->X) htb rate 100kbit ceil 400kbit
tc qdisc add dev bri0 parent 1:(10->X) handle (10->X): sfq perturb 10

Then the classifier:

# Send Internet traffic, marked 3, to Class 1:3
tc filter add dev bri0 protocol ip parent 1: prio 1 handle 3 fw flowid 1:3
# Send traffic, based on dest. IP to their corresponding classes
tc filter add dev bri0 protocol ip parent 1: prio 1 u32 match ip dst 10.200.0.(2->X)/32 flowid 1:((2->X) + 10)

Does this look like a good solution? Can this really slow down heavy downloads, so all subscribers can at least get ..some.. traffic? Does traffic shaping, not policing, also drop packets when an HTB class exceeds its rate, or does it just wait until there are enough tokens?

Thank you for any guidance..
Randy

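An added example for Randy's setup, not his populating script: the per-subscriber leaves generated from a list, and a filter for `tc -s class show` that answers his last question. On the drop question: HTB itself never drops; a class over its rate waits for tokens, but the sfq behind each leaf holds a bounded queue (127 packets by default) and drops once it is full, and those drops show up in the per-class "dropped" counter. One change from his classifier: the fw filter at the root hands marked packets to the inner class 1:3, after which HTB continues with the filters attached to 1:3 itself, so the per-subscriber u32 filters are attached there (and a catch-all sends the rest to 1:9). The subscriber range and the sample statistics are constructed; set TC=echo for a dry run.

```sh
#!/bin/sh
# Per-subscriber HTB leaves for Randy's bri0 tree, plus a drop report.
# Added example, not the script from the post.  Subscriber range, class
# parameters and the sample statistics below are constructed.
DEV=${DEV:-bri0}
SUBNET=10.200.0
FIRST=2
COUNT=${COUNT:-20}
TC=${TC:-tc}          # TC=echo for a dry run

tc_() { $TC "$@"; }

# Host part N of the subscriber address maps to class 1:(N+10), as in the post.
leaf_minor() { echo $(( $1 + 10 )); }

add_subscriber() {   # $1 = last octet of the subscriber address
    minor=$(leaf_minor "$1")
    tc_ class add dev "$DEV" parent 1:3 classid "1:$minor" htb rate 100kbit ceil 400kbit
    tc_ qdisc add dev "$DEV" parent "1:$minor" handle "$minor:" sfq perturb 10
    # Attached to 1:3, not 1:: the fw filter at the root already delivered
    # the packet to inner class 1:3, and HTB now consults 1:3's own filters.
    # A u32 filter at parent 1: would never be reached for marked packets.
    tc_ filter add dev "$DEV" protocol ip parent 1:3 prio 1 u32 \
        match ip dst "$SUBNET.$1/32" flowid "1:$minor"
}

populate() {
    i=$FIRST
    last=$(( FIRST + COUNT - 1 ))
    while [ "$i" -le "$last" ]; do
        add_subscriber "$i"
        i=$(( i + 1 ))
    done
    # Whatever 1:3's filters do not match would fall back to the root's
    # default class 1:2 (the LAN class); send it to 1:9 explicitly.
    tc_ filter add dev "$DEV" protocol ip parent 1:3 prio 9 u32 match u32 0 0 flowid 1:9
}

# Feed `tc -s class show dev bri0` to this: prints "classid drops" for
# every class whose leaf queue has dropped packets.
report_drops() {
    awk '
        /^class htb/ { cls = $3 }
        /Sent/ && match($0, /dropped [0-9]+/) {
            n = substr($0, RSTART + 8, RLENGTH - 8)
            if (n + 0 > 0) printf "%s %s\n", cls, n
        }'
}

# Constructed sample of `tc -s class show` output, not captured from
# Randy's router, to exercise report_drops offline.
SAMPLE_STATS='class htb 1:3 parent 1:1 rate 2048Kbit ceil 92129Kbit burst 1600b cburst 1600b
 Sent 900 bytes 9 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
class htb 1:12 parent 1:3 leaf 12: prio 0 rate 100000bit ceil 400000bit burst 1600b cburst 1600b
 Sent 48210 bytes 61 pkt (dropped 7, overlimits 40 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0'
demo_drops() { printf '%s\n' "$SAMPLE_STATS" | report_drops; }

case "${1:-}" in
    populate) populate ;;
    drops)    tc_ -s class show dev "$DEV" | report_drops ;;
    demo)     demo_drops ;;
esac
```

Two things to check against the posted tree: class 1:3 has ceil 92129kbit, so Internet traffic may borrow from 1:1 far beyond the 2048 kbit satellite link and the leaves only contend with each other once the LAN side is saturated; a ceil of 2048kbit on 1:3 makes the leaves share the real bottleneck. And with shaping on the LAN side of a downlink the packets have already crossed the satellite when they are queued, so the only lever on the sender is the delay and the drops the leaf queues introduce, which is the point Oscar raises about SCPS below.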
From: oscar at ufomechanic.net (Oscar Mechanic)
Date: Thu Mar 15 10:30:01 2007
Subject: [LARTC] Traffic Shaping over Satellite Internet
In-Reply-To: <861508be0703150211y3845b8aci213e9b29492f50fe@mail.gmail.com>
References: <861508be0703150211y3845b8aci213e9b29492f50fe@mail.gmail.com>
Message-ID: <1173950995.4424.48.camel@OSCARLAPLIN>

Shaping on satellite can be a bad idea. It depends on who your provider is. Some satellite providers use SCPS (http://www.scps.org/) as a means to increase performance. Simply put, if you start shaping and drop ACKs you will end up with connection hangs.

I am really surprised we do not hear more about SCPS in this forum.

On Thu, 2007-03-15 at 12:11 +0300, Randy Wallace wrote:
> I've set up traffic shaping on a Linux router. Using HTB with SFQ, I'm trying to slow down heavy downloading for 20 subscribers over a 2048 kbit downlink. I'm classifying Internet-related traffic using iptables marking.
>
> bri0 is my local LAN bridge, receiving egress traffic destined for subscribers.
>
> tc qdisc add dev bri0 root handle 1: htb default 2
> tc class add dev bri0 parent 1: classid 1:1 htb rate 92129kbit ceil 102400kbit
> tc class add dev bri0 parent 1:1 classid 1:2 htb rate 90072kbit ceil 92129kbit
> tc class add dev bri0 parent 1:1 classid 1:3 htb rate 2048kbit ceil 92129kbit
> # Non-Internet Local Lan Traffic
> tc qdisc add dev bri0 parent 1:2 handle 2: sfq perturb 10
> # Internet Traffic
> tc class add dev bri0 parent 1:3 classid 1:9 htb rate 50kbit ceil 100kbit
> # Unknown Internet Traffic
> tc qdisc add dev bri0 parent 1:9 handle 9: sfq perturb 10
> # Known Subscribers, based on IP Address, ea. subscriber gets their own class,
> # starting with 1:10 (a script populates the classes for me)
> tc class add dev bri0 parent 1:3 classid 1:(10->X) htb rate 100kbit ceil 400kbit
> tc qdisc add dev bri0 parent 1:(10->X) handle (10->X): sfq perturb 10
>
> Then the classifier:
> # Send Internet traffic, marked 3, to Class 1:3
> tc filter add dev bri0 protocol ip parent 1: prio 1 handle 3 fw flowid 1:3
> # Send traffic, based on dest. IP to their corresponding classes
> tc filter add dev bri0 protocol ip parent 1: prio 1 u32 match ip dst 10.200.0.(2->X)/32 flowid 1:((2->X) + 10)
>
> Does this look like a good solution? Can this really slow down heavy downloads, so all subscribers can at least get ..some.. traffic? Does traffic shaping, not policing, also drop packets when an HTB class exceeds its rate, or does it just wait until there are enough tokens?
>
> Thank you for any guidance..
> Randy

From: rabbit at rabbit.us (Peter Rabbitson)
Date: Thu Mar 15 10:50:35 2007
Subject: [LARTC] Openvpn routing problem
Message-ID: <45F916E5.1070102@rabbit.us>

Hi,

I posted this question yesterday on the OpenVPN mailing list, with no response; I figured I would ask here too. I have been using OpenVPN for quite a while, no major problems encountered. Now I need to allow the server to access the LAN of the client, and I can not figure out the routing. This is what I have after the tunnel is brought up:

SERVER (A.A.A.A)

Arx:~# ip addr
...
3: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:04:e2:09:6c:ea brd ff:ff:ff:ff:ff:ff
    inet 192.168.13.1/24 brd 192.168.13.255 scope global eth1
...
5: tun0: mtu 1500 qdisc pfifo_fast qlen 100
    link/[65534]
    inet 10.0.13.1 peer 10.0.13.2/32 scope global tun0

Arx:~# ip route
A.A.A.B dev ppp0 proto kernel scope link src A.A.A.A
10.0.13.2 dev tun0 proto kernel scope link src 10.0.13.1
10.0.13.0/24 via 10.0.13.2 dev tun0
192.168.13.0/24 dev eth1 proto kernel scope link src 192.168.13.1
default dev ppp0 scope link

CLIENT (192.168.9.11, machine behind a router)

root@Thesaurus:~# ip addr
...
2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:11:09:8d:4f:c1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.9.11/24 brd 192.168.9.255 scope global eth0
...
5: tun_arx: mtu 1500 qdisc pfifo_fast qlen 100
    link/[65534]
    inet 10.0.13.14 peer 10.0.13.13/32 scope global tun_arx

root@Thesaurus:~# ip route
10.0.13.13 dev tun_arx proto kernel scope link src 10.0.13.14
10.0.13.1 via 10.0.13.13 dev tun_arx
192.168.13.0/24 via 10.0.13.13 dev tun_arx
192.168.9.0/24 dev eth0 proto kernel scope link src 192.168.9.11
default via 192.168.9.1 dev eth0

From the client, ping 192.168.13.1 works as expected. I want to be able to ping 192.168.9.20 from the server.

So on the server I did:
ip route add 192.168.9.0/24 via 10.0.13.14 dev tun0
and I got
RTNETLINK answers: Network is unreachable

Then I tried both
ip route add 192.168.9.0/24 via 10.0.13.1 dev tun0
ip route add 192.168.9.0/24 via 10.0.13.2 dev tun0
which seem to work, but the ICMP packets vanish in the tunnel. I checked all my firewall settings and the ip_forward settings on both systems. I looked at the tunnel with tcpdump: packets go in and never come out.

Any suggestions?

Thanks
Peter

From: alin at matrixrom.ro (Alin Ilie)
Date: Thu Mar 15 10:54:59 2007
Subject: [LARTC] client disconnecting
In-Reply-To: <45DC9899.5070508@matrixrom.ro>
References: <45D7FE8B.5050508@matrixrom.ro> <45D80061.2090206@matrixrom.ro> <45DB6A38.1010404@securesystems.ro> <45DC1736.9020005@matrixrom.ro> <45DC9899.5070508@matrixrom.ro>
Message-ID: <45F917ED.5060503@matrixrom.ro>

Alin Ilie wrote:
> Alin Ilie wrote:
>> Radu Oprisan wrote:
>>> Alin Ilie wrote:
>>>
>>>> Hi,
>>>>
>>>> I have two connections to the Internet.
>>>>
>>>> I implemented the load balancing as described in chapter 4.2 "Routing for multiple uplinks/providers".
>>>> The problem that occurred is that client applications like Yahoo Messenger or even PuTTY (SSH client) are losing the connection very often.
>>>> Has anyone experienced this problem? Does anyone know a workaround for this problem?
>>>>
>>>> Cheers,
>>>> Alin
>>>
>>> Your problem may have something to do with cleanup of the connection tracking tables or the route cache. Are you sure you have the correct rp_filter settings for what you are trying to do?
>>
>> I had rp_filter set to 1.
>> I changed it to 0 for all the interfaces, and I will see if this works.
>> Thank you,
>> Alin Ilie :)
>
> Still doesn't work. :(
> Alin

Does anyone have an idea how I can solve this? I think that the problem resides in the route cache refresh time and method.

Thank you,
Alin

From: karme at berlios.de (Jens Thiele)
Date: Thu Mar 15 13:25:23 2007
Subject: [LARTC] Standalone Shaping
In-Reply-To: <45F710B1.3080404@seznam.cz> (Ales Klok's message of "Tue, 13 Mar 2007 21:59:29 +0100")
References: <861508be0703130531yb7a757sa99bc8cb5879a614@mail.gmail.com> <45F710B1.3080404@seznam.cz>
Message-ID:

Ales Klok writes:
> Jens Thiele wrote:
>> Hi,
>>
>> I have the same question.
>>
>> What about
>> Internet -> eth1 -> iptables -> Local Process ?
>>
>> First I thought it should be easy to put a virtual interface in between:
>>
>> Internet <-> eth1 <-> virtual dev (maybe tun/tap or modified dummy) <-> local process or routing <-> eth0 <-> LAN
>>
>> Then I could use egress shaping on eth1 and the virtual device (and have a setup as simple as a "plain router setup").
>>
>> But I did not manage to do this yet. Anybody using a setup like this one? (Maybe bridging or iptables -j ROUTE might help? It seems impossible to force a packet to pass through netfilter a second time.)
>>
>> Greetings
>> Jens
>>
> You have to use IMQ for that. IMQ acts as a "dummy" device which hooks itself into iptables after NAT (or before, depending on config), so you can use egress shaping on it before the packet reaches the local process or forwarding. You can't use IFB in your case because the packet goes to IFB before NAT, and thus you don't know if it is destined for the router itself or for a client behind NAT.

So, if I understand it right, in a setup without NAT it would look like:

Internet<->eth1<->IFB<->local process or routing<->eth0<->LAN

and there would be no problem. I could do egress shaping on eth1 (for "upstream") and egress shaping on IFB (for "downstream").

In a setup with NAT (and maybe IPsec) the problem is that if I want to do the egress shaping at the IFB interface ("downstream"), I therefore want the NAT (and maybe IPsec) to happen before the packets cross the IFB interface.

A picture again:

Internet<->eth1<->NAT<->IFB<->local process or routing<->eth0<->LAN

Is this correct? Is there a solution to reach that goal (other than IMQ)? Or do I have to use 2 machines if I don't want to use IMQ?

          | Machine 1                          | Machine 2                          |
Internet<->eth1<->NAT (maybe IPsec)<->eth0<->eth1<->local process or routing<->eth0<->LAN

A last, more general question: is ingress shaping considered useless, or why does it seem that difficult to get it to work?

Greetings
Jens

From: talk2ram at gmail.com (ram)
Date: Thu Mar 15 13:39:17 2007
Subject: [LARTC] Monitoring pkg to monitor router
In-Reply-To: <7ed6b0aa0703142335l63b63591l6f6a46556410afb7@mail.gmail.com>
References: <7ed6b0aa0703142335l63b63591l6f6a46556410afb7@mail.gmail.com>
Message-ID:

On 3/15/07, Indunil Jayasooriya wrote:
>
> Hi,
>
> I have a router which is maintained by our ISP. They have allowed us to monitor it using MRTG. It is okay, but it only shows incoming and outgoing traffic. It does not say whether it is TCP or UDP or ICMP. It just shows in and out. That's it.
>
> But I want to monitor this router. Can you tell me a good package for it? The router has an SNMP community password; I do not know it, and my ISP does not give it out either.
>
> Can you help me according to my situation soon?

Hi

It all depends on what router you have installed. Is it Cisco or Linux, or what brand is it?

You can monitor using iptables + LOG with a Linux bridge or router, or, if you have a NetFlow-enabled router, you can use rrdtool to make graphs.

It all depends on your setup and on how you design what to monitor.

ram
-------------
Let me know if it helps you; your feedback helps others too.

From: jecarb at menta.net (J.E.)
Date: Thu Mar 15 13:47:05 2007
Subject: [LARTC] ipp2p problems solved
References: <45F87CFB.60907@menta.net>
Message-ID: <45F9404B.4030505@menta.net>

Hi,

Thank you Jorge. Gracias Jorge.

Until now, I had downloaded the source of the Ubuntu package with "apt-get source iptables". Well, downloading the code from http://www.netfilter.org, as you suggest, with the appropriate version (in my case 1.3.3), I've got it.

root@servidor:/usr/src/ipp2p-0.8.0# iptables -m ipp2p --help
iptables v1.3.3

Usage: iptables -[AD] chain rule-specification [options]
       iptables -[RI] chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LFZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
.
.
.

Thank you everybody.
Juanen

From: ramoni at databras.com.br (Andre Guimarães)
Date: Thu Mar 15 21:18:23 2007
Subject: [LARTC] Openvpn routing problem
In-Reply-To: <45F916E5.1070102@rabbit.us>
References: <45F916E5.1070102@rabbit.us>
Message-ID: <200703151718.17778.ramoni@databras.com.br>

As described here:

> 10.0.13.2 dev tun0 proto kernel scope link src 10.0.13.1
> 10.0.13.0/24 via 10.0.13.2 dev tun0

You are not on the entire 10.0.13.0/24 network. I presume you are 10.0.13.1 in the 10.0.13.0/30 network, and 10.0.13.2 is the next hop.

> ip route add 192.168.9.0/24 via 10.0.13.14 dev tun0
> and I got
> RTNETLINK answers: Network is unreachable

Yes, because you can only use gateways that are on the same net as you, and you are not on 10.0.13.0/24.

On Thursday 15 March 2007 06:50, Peter Rabbitson wrote:
> Arx:~# ip addr
> ...
> 3: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:04:e2:09:6c:ea brd ff:ff:ff:ff:ff:ff
>     inet 192.168.13.1/24 brd 192.168.13.255 scope global eth1
> ...
> 5: tun0: mtu 1500 qdisc pfifo_fast qlen 100
>     link/[65534]
>     inet 10.0.13.1 peer 10.0.13.2/32 scope global tun0
>
> Arx:~# ip route
> A.A.A.B dev ppp0 proto kernel scope link src A.A.A.A
> 10.0.13.2 dev tun0 proto kernel scope link src 10.0.13.1
> 10.0.13.0/24 via 10.0.13.2 dev tun0
> 192.168.13.0/24 dev eth1 proto kernel scope link src 192.168.13.1
> default dev ppp0 scope link
>
>
> CLIENT (192.168.9.11, machine behind a router)
>
> root@Thesaurus:~# ip addr
> ...
> 2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:11:09:8d:4f:c1 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.9.11/24 brd 192.168.9.255 scope global eth0
> ...
> 5: tun_arx: mtu 1500 qdisc pfifo_fast qlen 100
>     link/[65534]
>     inet 10.0.13.14 peer 10.0.13.13/32 scope global tun_arx
>
> root@Thesaurus:~# ip route
> 10.0.13.13 dev tun_arx proto kernel scope link src 10.0.13.14
> 10.0.13.1 via 10.0.13.13 dev tun_arx
> 192.168.13.0/24 via 10.0.13.13 dev tun_arx
> 192.168.9.0/24 dev eth0 proto kernel scope link src 192.168.9.11
> default via 192.168.9.1 dev eth0
>
>
> From the client, ping 192.168.13.1 works as expected. I want to be able
> to ping 192.168.9.20 from the server. So on the server I did:
> ip route add 192.168.9.0/24 via 10.0.13.14 dev tun0
> and I got
> RTNETLINK answers: Network is unreachable
>
> Then I tried both
> ip route add 192.168.9.0/24 via 10.0.13.1 dev tun0
> ip route add 192.168.9.0/24 via 10.0.13.2 dev tun0
> which seem to work, but the ICMP packets vanish in the tunnel. I checked
> all my firewall settings and the ip_forward settings on both systems. I
> looked at the tunnel with tcpdump: packets go in and never come out.
>
> Any suggestions?
>
> Thanks
> Peter

-- 
André Guimarães
Databras Informática
Matriz RJ - 55 (21) 2518-2363
Filial ES - 55 (27) 3233-0098
http://www.databras.com.br

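André's explanation, worked through as an added example (not code from either post): a longest-prefix lookup over the server routing table Peter posted (copied verbatim minus the anonymised ppp0 host route), which reproduces the kernel's check on a `via` gateway, and the OpenVPN-side piece the thread does not get to. `ip route add X via GW` requires GW to be covered by a route of scope link or host, that is a connected route; 10.0.13.14 is covered only by "10.0.13.0/24 via 10.0.13.2", a route of universe scope, hence "Network is unreachable", while 10.0.13.2 is the tun0 peer with a kernel host route. The client-config-dir path, the client's common name and the server.conf lines are assumptions.

```sh
#!/bin/sh
# Why "via 10.0.13.14" is rejected and "via 10.0.13.2" accepted on Peter's
# server, reproduced on the routing table from his post.  Added example,
# not code from the thread.  The ccd directory, the client common name and
# the server.conf lines are assumptions.

# Server main table as posted (the anonymised ppp0 host route is left out).
SERVER_ROUTES='10.0.13.2 dev tun0 proto kernel scope link src 10.0.13.1
10.0.13.0/24 via 10.0.13.2 dev tun0
192.168.13.0/24 dev eth1 proto kernel scope link src 192.168.13.1
default dev ppp0 scope link'

# Longest-prefix match over `ip route` text: prints the route covering $2.
route_lookup() {   # $1 = routing table text, $2 = IPv4 address
    printf '%s\n' "$1" | awk -v dst="$2" '
        function ip2n(a,  o) { split(a, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        function net(n, len) { return len == 0 ? 0 : int(n / 2^(32 - len)) }
        BEGIN { best = -1; d = ip2n(dst) }
        {
            pfx = $1; len = 32
            if (pfx == "default") { pfx = "0.0.0.0"; len = 0 }
            else if (split(pfx, p, "/") == 2) { pfx = p[1]; len = p[2] + 0 }
            if (net(ip2n(pfx), len) == net(d, len) && len > best) { best = len; hit = $0 }
        }
        END { if (best >= 0) print hit }'
}

# The kernel accepts a gateway only when the route covering it has scope
# link or host (a connected route).  A route that itself goes "via"
# something has universe scope and does not count: "Network is unreachable".
# Local addresses such as 10.0.13.1 live in the local table, which `ip route`
# does not show; that is why "via 10.0.13.1" was accepted as well.
nexthop_usable() {   # $1 = routing table text, $2 = candidate gateway
    r=$(route_lookup "$1" "$2")
    [ -n "$r" ] || return 1
    case " $r " in
        *" scope link "*|*" scope host "*) return 0 ;;
        *) return 1 ;;
    esac
}

# The kernel route only hands packets to the openvpn daemon.  Without a
# matching iroute the daemon has no client to deliver 192.168.9.0/24 to and
# drops them silently, which is the "go in and never come out" seen in
# tcpdump.  The ccd path and the name "thesaurus" are assumptions.
ccd_entry() {   # $1 = client common name, $2 = client LAN, $3 = netmask
    cat <<EOF
# /etc/openvpn/ccd/$1 -- server.conf needs "client-config-dir /etc/openvpn/ccd"
# and "route $2 $3" (which adds the kernel route via the peer for you)
iroute $2 $3
EOF
}

case "${1:-}" in
    demo)
        route_lookup "$SERVER_ROUTES" 10.0.13.14
        nexthop_usable "$SERVER_ROUTES" 10.0.13.14 || echo "10.0.13.14: Network is unreachable"
        nexthop_usable "$SERVER_ROUTES" 10.0.13.2 && echo "10.0.13.2: usable nexthop"
        ccd_entry thesaurus 192.168.9.0 255.255.255.0 ;;
esac
```

After the iroute is in place, the remaining check is the return path: 192.168.9.20 answers via its default gateway 192.168.9.1, which has no route for 10.0.13.0/24 or 192.168.13.0/24 unless one is added there pointing at 192.168.9.11 (or the client SNATs what it forwards out of the tunnel).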
From: luciano at lugmen.org.ar (Luciano Ruete)
Date: Fri Mar 16 04:07:13 2007
Subject: [LARTC] ipp2p problems
In-Reply-To: <45F7FC91.8010503@menta.net>
References: <45F7FC91.8010503@menta.net>
Message-ID: <200703160006.58516.luciano@lugmen.org.ar>

On Wednesday 14 March 2007 10:45, J.E. wrote:
> Hello list,
>
> I'm a newbie on this list. Well, I'm going crazy with ipp2p.
> Googling, I found a mini-howto but I've got problems.
>
> 1) Download:
>    * iptables-dev (apt-get)
>    * kernel-headers-2.x.x (your kernel, "uname -r")
>    * src of your iptables (iptables -V and apt-get source)
>    * ipp2p-0.8.0.tar.gz (stable)
> 2) untar ipp2p and cd ipp2p
> 3) Edit Makefile, if necessary:
>    * IPTABLES_SRC = /usr/src/iptables
>    * In my case, the headers are detected automatically.
> 4) make (WITHOUT ERRORS!!! ;) )
> 5) cp libipt_ipp2p.so /lib/iptables
> 6) cp ipt_ipp2p.ko /lib/modules/`uname -r`/kernel/net/ipv4/netfilter
> 7) depmod -A
> 8) insmod ipt_ipp2p.ko (or modprobe)
> 9) lsmod | grep ipp2p
> 10) iptables -m ipp2p --help
>
> root@servidor:/usr/src/ipp2p-0.8.0# make
> make -C /lib/modules/2.6.15-28-386/build SUBDIRS=/usr/src/ipp2p-0.8.0 modules
> make[1]: se ingresa al directorio `/usr/src/linux-headers-2.6.15-28-386'
>   CC [M]  /usr/src/ipp2p-0.8.0/ipt_ipp2p.o
>   Building modules, stage 2.
>   MODPOST
>   CC      /usr/src/ipp2p-0.8.0/ipt_ipp2p.mod.o
>   LD [M]  /usr/src/ipp2p-0.8.0/ipt_ipp2p.ko
> make[1]: se sale del directorio `/usr/src/linux-headers-2.6.15-28-386'
> gcc -O3 -Wall -DIPTABLES_VERSION=\"\" -I/usr/src/iptables-1.3.3/include -fPIC -c libipt_ipp2p.c
> ld -shared -o libipt_ipp2p.so libipt_ipp2p.o
>
> Seems that all is ok...
> .
> .
> .
> But ...
>
> root@servidor:/usr/src/ipp2p-0.8.0# iptables -m ipp2p --help
> iptables: match `ipp2p' v (I'm v1.3.1).
>
> I only get this line: iptables: match `ipp2p' v (I'm v1.3.1)
>
> root@servidor:/usr/src/ipp2p-0.8.0# iptables -A FORWARD -m ipp2p --ipp2p -j DROP
> iptables: match `ipp2p' v (I'm v1.3.1).
ipp2p wasn't able to detect your current iptables version number at compile time; that's why you see a 'v' character with nothing behind it. Edit the ipp2p Makefile and make sure that it finds your iptables version number. Do a make clean and rebuild.

-- 
Luciano

From randywallacejr at gmail.com Fri Mar 16 07:55:44 2007
From: randywallacejr at gmail.com (Randy Wallace)
Date: Fri Mar 16 07:55:58 2007
Subject: [LARTC] Traffic Shaping over Satellite Internet
In-Reply-To: <1173950995.4424.48.camel@OSCARLAPLIN>
References: <861508be0703150211y3845b8aci213e9b29492f50fe@mail.gmail.com> <1173950995.4424.48.camel@OSCARLAPLIN>
Message-ID: <861508be0703152355g72d9e161k29c95700e37be0bc@mail.gmail.com>

Well, so far as I can tell, there have not been any major problems with dropped ACKs. Our biggest gain, at least in the last 36 hours, is that during peak hours, subscribers have not been able to download at as high a rate as they could before. That, and when the subscribers who only wish to look at web pages and do Instant Messaging try to, they can, and at better, faster rates.

I have no way of knowing if our service provider uses SCPS; HughesNet is a maze of customer support personnel who don't know what a router is ;)

My question is this: Is it normal, or desired, for some of my classes to possess negative tokens (HTB)? Does this mean that those classes are grossly abusing their rates?

Thank you!

On 3/15/07, Oscar Mechanic wrote:
>
> Shaping on satellite can be a bad idea. Depends on who your provider is.
> Some satellite providers use SCPS http://www.scps.org/ as a means to
> increase performance. Simply put, if you start shaping and drop ACKs you
> will end up with connection hangs.
>
> I am really surprised we do not hear more about SCPS in this forum.
>
>
> On Thu, 2007-03-15 at 12:11 +0300, Randy Wallace wrote:
> > I've set up Traffic Shaping on a Linux Router.
> > Using HTB with SFQ, I'm trying to slow down
> > heavy downloading for 20 subscribers over
> > a 2048 kbit downlink. I'm classifying internet related
> > traffic using iptables marking.
> >
> > bri0 is my local lan bridge, receiving egress traffic destined for subscribers.
> >
> > tc qdisc add dev bri0 root handle 1: htb default 2
> > tc class add dev bri0 parent 1: classid 1:1 htb rate 92129kbit ceil 102400kbit
> > tc class add dev bri0 parent 1:1 classid 1:2 htb rate 90072kbit ceil 92129kbit
> > tc class add dev bri0 parent 1:1 classid 1:3 htb rate 2048kbit ceil 92129kbit
> > # Non-Internet Local Lan Traffic
> > tc qdisc add dev bri0 parent 1:2 handle 2: sfq perturb 10
> > # Internet Traffic
> > tc class add dev bri0 parent 1:3 classid 1:9 htb rate 50kbit ceil 100kbit
> > # Unknown Internet Traffic
> > tc qdisc add dev bri0 parent 1:9 handle 9: sfq perturb 10
> > # Known Subscribers, based on IP Address, ea. subscriber gets their own class,
> > # starting with 1:10 (a script populates the classes for me)
> > tc class add dev bri0 parent 1:3 classid 1:(10->X) htb rate 100kbit ceil 400kbit
> > tc qdisc add dev bri0 parent 1:(10->X) handle (10->X): sfq perturb 10
> >
> > Then the classifier:
> > # Send Internet traffic, marked 3, to Class 1:3
> > tc filter add dev bri0 protocol ip parent 1: prio 1 handle 3 fw flowid 1:3
> > # Send traffic, based on dest. IP to their corresponding classes
> > tc filter add dev bri0 protocol ip parent 1: prio 1 u32 match ip dst 10.200.0.(2->X)/32 flowid 1:((2->X) + 10)
> >
> > Does this look like a good solution? Can this really slow down heavy downloads,
> > so all subscribers can at least get ..some.. traffic? Does traffic shaping, not
> > policing, also drop packets when a HTB class exceeds its rate, or does it just
> > wait until there are enough tokens?
> >
> > Thank you for any guidance..
> > Randy
> > _______________________________________________
> > LARTC mailing list
> > LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

From lartc at manchotnetworks.net Fri Mar 16 08:24:53 2007
From: lartc at manchotnetworks.net (lartc)
Date: Fri Mar 16 08:25:28 2007
Subject: [LARTC] Traffic Shaping over Satellite Internet
In-Reply-To: <861508be0703152355g72d9e161k29c95700e37be0bc@mail.gmail.com>
References: <861508be0703150211y3845b8aci213e9b29492f50fe@mail.gmail.com> <1173950995.4424.48.camel@OSCARLAPLIN> <861508be0703152355g72d9e161k29c95700e37be0bc@mail.gmail.com>
Message-ID: <1174029893.5035.9.camel@sumatra.radius.fr>

hi randy,

On Fri, 2007-03-16 at 09:55 +0300, Randy Wallace wrote:
> I have no way of knowing if our service provider
> uses SCPS, HughesNet is a maze of customer support personnel
> who don't know what a router is ;)

this is really critical to try to do any shaping ... many indoor units have proprietary backbone protocols -- the indoor unit can potentially be spoofing ACKs and renegotiating tcp sessions and much more. if you've got one of these, about the most you can do is allocate the bandwidth to clients, but not "optimize" the satellite connection -- the modem can potentially be doing that.

this thesis is a bit old, but is still an excellent read:
http://www.tomh.org/thesis/thesis_front.pdf

cheers
charles

From luciano at lugmen.org.ar Sat Mar 17 22:21:23 2007
From: luciano at lugmen.org.ar (Luciano Ruete)
Date: Sat Mar 17 22:22:29 2007
Subject: [LARTC] Problem
In-Reply-To: <45F5FDB4.4040207@elantisystems.com>
References: <45F5FDB4.4040207@elantisystems.com>
Message-ID: <200703171821.23677.luciano@lugmen.org.ar>

On Monday 12 March 2007 22:26, Michael Flower wrote:
> Hello.
>
> I am trying to get multi paths running, i.e. I want to specify 2 paths
> from a particular node to another.
>
> To test this, I am setting up the following scenario:
>
> I create 2 tap devices
> tap0 = 10.1.1.1/32 netmask 255.255.255.0
> tap1 = 10.2.2.2/32 netmask 255.255.255.0
>
> I then issue the route command:
>
> ip route add 10.3.3.3/32 nexthop via 10.1.1.2 nexthop via 10.2.2.3
>
> The route table then looks like:
>
> 10.3.3.3
>         nexthop via 10.1.1.2 dev tap0 weight 1
>         nexthop via 10.2.2.3 dev tap1 weight 1
>
> Pinging 10.3.3.3 causes arp requests on tap1 for 10.2.2.3 and never for
> 10.1.1.2.
> (there is nothing connected to tap0 or tap1 so I don't expect anything
> really, but I do expect the ARP requests, which would show that
> splitting would work.)
>
> If the two routes were being used equally, I would have expected to see
> arp requests for 10.1.1.2 also (wouldn't I?)

no, route uses src_ip+dst_ip+TOS to build its cache, so it will use the same cached routing decision unless you change one of these 3 parameters. After the cache expires, probably the other hop takes its turn.

-- 
Luciano

From dhananjay.tembe at calsoftinc.com Sun Mar 18 22:12:27 2007
From: dhananjay.tembe at calsoftinc.com (dhananjay.tembe@calsoftinc.com)
Date: Sun Mar 18 22:12:59 2007
Subject: [LARTC] Doubt...
Message-ID: <1469.67.169.183.149.1174252347.squirrel@webmail.calsoftinc.com>

---------------------------- Original Message ----------------------------
Subject: Doubt...
From: dhananjay.tembe@calsoftinc.com
Date: Mon, March 19, 2007 2:33 am
To: lartc@mailman.ds9a.nl
--------------------------------------------------------------------------

Hi,

I am facing a problem when I run tc on the bonded nic cards. When I run tc on a single nic card, it worked perfectly fine. But when I run tc on a bond of two nics, tc gives poor performance. The two nics were bonded in round-robin (load balancing) mode. I created a qdisc, class and a filter as follows:

tc qdisc add dev bond0 root handle 1: htb
tc class add dev bond0 parent 1: classid 1:1 htb rate 240mbps
tc class add dev bond0 parent 1:1 classid 1:2 htb rate 50 ceil 50 quantum 1500

I started TCP traffic between this bond (2gbit bandwidth) and a remote nic (1gbit bandwidth). Without qos, the bond was transmitting at 960Mbps. After I executed the above mentioned commands, it was expected that the bond would transmit at 400Mbps, but it was transmitting only at 70Mbps. The same thing was observed with different qos rates for class 1:2; outbound traffic through the bond was much less than the rate specified in the tc command.

Is getting poor performance after running tc over a bond a known issue? Please help me with this issue.

Thanks and regards,
---Dhananjay.

From luciano at lugmen.org.ar Mon Mar 19 04:46:46 2007
From: luciano at lugmen.org.ar (Luciano Ruete)
Date: Mon Mar 19 04:47:10 2007
Subject: [LARTC] [BUG?] ip ru flush && RTNETLINK answers: Numerical result out of range
Message-ID: <200703190046.47021.luciano@lugmen.org.ar>

After an:

# ip ru flush

I lose all my ip rules but the priority 0 one.

root@sarasvati:~# ip ru
0:      from all lookup 255
root@sarasvati:~#

Ok with that, but now I'm not able to insert any new rule. This leads to a total loss of connectivity.

root@sarasvati:~# ip ru add from all table default
RTNETLINK answers: Numerical result out of range
root@sarasvati:~# ip ru add from all lookup main
RTNETLINK answers: Numerical result out of range

Even setting the priority value by hand, I got the same error:

root@sarasvati:~# ip ru add from all lookup main priority 32766
RTNETLINK answers: Numerical result out of range

To be able to send this e-mail without rebooting I had to insert my gw ip routes in table 255.

Is this a bug in iproute?

Some additional data:

# ip -V
ip utility, iproute2-ss060323
# uname -a
Linux sarasvati 2.6.20-5-386 #2 Sat Jan 6 14:44:57 UTC 2007 i686 GNU/Linux
# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=7.04
DISTRIB_CODENAME=feisty
DISTRIB_DESCRIPTION="Ubuntu feisty (development branch)"

-- 
Luciano

From kaber at trash.net Mon Mar 19 06:54:15 2007
From: kaber at trash.net (Patrick McHardy)
Date: Mon Mar 19 06:54:23 2007
Subject: [LARTC] [BUG?] ip ru flush && RTNETLINK answers: Numerical result out of range
In-Reply-To: <200703190046.47021.luciano@lugmen.org.ar>
References: <200703190046.47021.luciano@lugmen.org.ar>
Message-ID: <45FE2587.3050205@trash.net>

Luciano Ruete wrote:
> After an:
> # ip ru flush
> I lose all my ip rules but the priority 0 one.
> root@sarasvati:~# ip ru
> 0:      from all lookup 255
> root@sarasvati:~#
>
> Ok with that, but now I'm not able to insert any new rule.
> This leads to a total loss of connectivity.
>
> root@sarasvati:~# ip ru add from all table default
> RTNETLINK answers: Numerical result out of range
> root@sarasvati:~# ip ru add from all lookup main
> RTNETLINK answers: Numerical result out of range
>
> Even setting the priority value by hand, I got the same error:
>
> root@sarasvati:~# ip ru add from all lookup main priority 32766
> RTNETLINK answers: Numerical result out of range
>
> To be able to send this e-mail without rebooting I had to insert my gw ip
> routes in table 255.
>
> Is this a bug in iproute?
>
> Some additional data:
> ip utility, iproute2-ss060323
> Linux sarasvati 2.6.20-5-386 #2 Sat Jan 6 14:44:57 UTC 2007 i686 GNU/Linux

The problem seems to be the nla policy added in 2.6.19 or 2.6.20. When specifying a prefix as "all", iproute adds a zero byte long attribute (FRA_SRC in this case). The IPv4 fib_rules policy states that it has to be exactly 4 bytes long, which makes validation fail. This also affects IPv6 and DECnet.

I would argue that iproute is broken and shouldn't add a zero byte long attribute, but we still need to make sure the kernel accepts these attributes as valid.

Thomas, I can't see a clean way to fix this right now that doesn't either bloat struct nla_policy or remove FRA_SRC/FRA_DST from the policy, could you please look into this? Thanks.

From tgraf at suug.ch Mon Mar 19 16:25:32 2007
From: tgraf at suug.ch (Thomas Graf)
Date: Mon Mar 19 16:25:36 2007
Subject: [LARTC] [BUG?] ip ru flush && RTNETLINK answers: Numerical result out of range
In-Reply-To: <45FE2587.3050205@trash.net>
References: <200703190046.47021.luciano@lugmen.org.ar> <45FE2587.3050205@trash.net>
Message-ID: <20070319152532.GL521@postel.suug.ch>

* Patrick McHardy 2007-03-19 06:54
> Thomas, I can't see a clean way to fix this right now that
> doesn't either bloat struct nla_policy or removes FRA_SRC/FRA_DST
> from the policy, could you please look into this? Thanks.

I guess the only way is to remove FRA_SRC/FRA_DST from the policy and validate it in configure() based on src_len/dst_len.

From linux at arcoscom.com Mon Mar 19 23:57:51 2007
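To make the failure Patrick describes and the fix Thomas proposes concrete, here is an added C model of the attribute validation involved; it is not kernel code and nothing in this thread ships it. It builds the FRA_SRC attribute the way iproute does (always present, with a 0-byte payload for "from all"), runs it through a policy-checking parser in the style of nla_parse(), and then applies the src_len-guarded length check in configure(). The function names ending in _model, the 64-byte message buffer, the constructed 10.0.0.0 source and the reduced set of attribute and policy types are this example's own; the FRA_* and NLA_U32 numbering follows the order of the kernel's header enums.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NLA_HDRLEN   4                       /* 16-bit len + 16-bit type */
#define NLA_ALIGN(l) (((l) + 3u) & ~3u)      /* attributes are 4-byte aligned */

/* Attribute type numbers, in the order of the kernel's fib_rules enum. */
enum { FRA_UNSPEC = 0, FRA_DST = 1, FRA_SRC = 2, FRA_MAX = 16 };
/* Policy types, in the order of the kernel's nla_policy enum (subset). */
enum nla_type { NLA_UNSPEC = 0, NLA_U32 = 3 };

struct nla_policy { enum nla_type type; };

/* What the parser leaves in tb[]: pointer to the payload and its length. */
struct nla_view { const uint8_t *data; uint16_t len; };

/* Append one attribute (header, payload, padding); returns the new length. */
size_t nla_put(uint8_t *buf, size_t off, uint16_t type, const void *payload, uint16_t plen)
{
    uint16_t total = NLA_HDRLEN + plen;
    memcpy(buf + off, &total, 2);
    memcpy(buf + off + 2, &type, 2);
    memcpy(buf + off + NLA_HDRLEN, payload, plen);
    memset(buf + off + total, 0, NLA_ALIGN(total) - total);
    return off + NLA_ALIGN(total);
}

/* Walk the attribute stream into tb[], checking each against the policy
 * the way nla_parse() does: an NLA_U32 entry demands a 4-byte payload
 * and a mismatch is reported as -ERANGE. */
int nla_parse_model(struct nla_view *tb, const uint8_t *buf, size_t buflen,
                    const struct nla_policy *policy)
{
    memset(tb, 0, sizeof(*tb) * (FRA_MAX + 1));
    size_t off = 0;
    while (off + NLA_HDRLEN <= buflen) {
        uint16_t total, type;
        memcpy(&total, buf + off, 2);
        memcpy(&type, buf + off + 2, 2);
        if (total < NLA_HDRLEN || off + total > buflen)
            return -EINVAL;                       /* truncated attribute */
        uint16_t plen = total - NLA_HDRLEN;
        if (type <= FRA_MAX) {
            if (policy[type].type == NLA_U32 && plen != sizeof(uint32_t))
                return -ERANGE;                   /* the 2.6.19 policy failure */
            tb[type].data = buf + off + NLA_HDRLEN;
            tb[type].len = plen;
        }
        off += NLA_ALIGN(total);
    }
    return 0;
}

/* Before the fix: FRA_SRC/FRA_DST must be exactly a u32. */
static const struct nla_policy old_policy[FRA_MAX + 1] = {
    [FRA_DST] = { NLA_U32 }, [FRA_SRC] = { NLA_U32 },
};
/* After the fix: no entry, so the parser does not look at their length. */
static const struct nla_policy new_policy[FRA_MAX + 1] = { { NLA_UNSPEC } };

/* The check proposed for configure(): the attribute only matters when
 * the prefix length is non-zero, and then it must be a full u32. */
int configure_model(uint8_t src_len, const struct nla_view *tb)
{
    if (src_len && tb[FRA_SRC].data && tb[FRA_SRC].len != sizeof(uint32_t))
        return -EINVAL;
    return 0;
}

/* "ip rule add from <prefix>/<src_len>" as iproute sends it: FRA_SRC is
 * always present; attr_len is its payload length (0 for "from all"). */
int add_rule_model(uint8_t src_len, uint16_t attr_len, const struct nla_policy *policy)
{
    uint32_t src = 0x0a000000;                    /* 10.0.0.0, constructed value */
    uint8_t msg[64];
    struct nla_view tb[FRA_MAX + 1];
    if (attr_len > sizeof(src))
        return -EINVAL;
    size_t len = nla_put(msg, 0, FRA_SRC, &src, attr_len);
    int err = nla_parse_model(tb, msg, len, policy);
    return err ? err : configure_model(src_len, tb);
}

int main(void)
{
    printf("from all, old policy : %d\n", add_rule_model(0, 0, old_policy)); /* -ERANGE */
    printf("from all, new policy : %d\n", add_rule_model(0, 0, new_policy)); /* 0 */
    printf("from 10.0.0.0/8      : %d\n", add_rule_model(8, 4, new_policy)); /* 0 */
    printf("src_len 8, 0-byte src: %d\n", add_rule_model(8, 0, new_policy)); /* -EINVAL */
    return 0;
}
```

Only the first case fails, and it fails with -ERANGE, the errno that iproute reports as "Numerical result out of range". The last case is why the length check cannot simply be dropped along with the policy entry: a non-zero src_len with a short attribute would otherwise let the caller read a u32 past the end of the payload.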
From: linux at arcoscom.com (ArcosCom Linux User)
Date: Mon Mar 19 23:58:02 2007
Subject: [LARTC] Multilink + bridge + nat problem
Message-ID: <48254.84.123.233.184.1174345071.squirrel@www.arcoscom.com>

Hi,

I have a suspicious problem with a multiple uplinks configuration.

First of all, my configuration:
1) kernel 2.6.20.3
2) iptables 1.3.7
3) latest iproute (for masked marks)

All wan interfaces are bridged (stp disabled) in only one interface (wan0); all lan interfaces are bridged (stp enabled) in only one interface (zlan0). The wan0 bridge is there to allow UPnP to work.

To allow related incoming traffic from one physical interface I mark connections, and the same to allow outgoing related traffic. The routing rules are the same as in the lartc documentation, plus a rule per interface to allow routing using (masked) marks.

The commands I use are:

==BEGIN==
/sbin/ip rule del prio 50 table main
/sbin/ip rule del prio 100 fwmark 0x8000/0xf000 table 150
/sbin/ip rule del prio 150 from 217.125.139.204/26 table 150
/sbin/ip rule del prio 101 fwmark 0x4000/0xf000 table 151
/sbin/ip rule del prio 151 from 80.32.61.58/24 table 151
/sbin/ip rule del prio 200 table 200
/sbin/ip route flush table 150
/sbin/ip route flush table 151
/sbin/ip route flush table 200
/sbin/iptables -t mangle -D PREROUTING -j MARCAR_IFACE
/sbin/iptables -t mangle -F MARCAR_IFACE
/sbin/iptables -t mangle -X MARCAR_IFACE
/sbin/iptables -t mangle -F MARCAR_IFACE_TRAFICO
/sbin/iptables -t mangle -X MARCAR_IFACE_TRAFICO
/sbin/iptables -t mangle -D POSTROUTING -j MARCAR_IFACE_OUT
/sbin/iptables -t mangle -F MARCAR_IFACE_OUT
/sbin/iptables -t mangle -X MARCAR_IFACE_OUT
/sbin/iptables -t mangle -N MARCAR_IFACE
/sbin/iptables -t mangle -N MARCAR_IFACE_TRAFICO
/sbin/iptables -t mangle -A MARCAR_IFACE -j CONNMARK --restore-mark
/sbin/iptables -t mangle -A MARCAR_IFACE -m mark ! --mark 0x0000/0xf000 -j RETURN
/sbin/iptables -t mangle -A MARCAR_IFACE -m mark --mark 0x0000/0xf000 -j MARCAR_IFACE_TRAFICO
/sbin/iptables -t mangle -N MARCAR_IFACE_OUT
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -j CONNMARK --restore-mark
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark ! --mark 0x0000/0xf000 -j RETURN
/sbin/iptables -t mangle -A MARCAR_IFACE -m mark --mark 0x0000/0xf000 -i wan0 -m physdev --physdev-in eth1 -m state --state NEW -j MARK --or-mark 0x8000
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 -o wan0 -m conntrack --ctreplsrc 217.125.139.204 -j MARK --or-mark 0x8000
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 -o wan0 -m conntrack --ctrepldst 217.125.139.204 -j MARK --or-mark 0x8000
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 -o wan0 -s 217.125.139.204 -j MARK --or-mark 0x8000
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 -o wan0 -m conntrack --ctorigsrc 217.125.139.204 -j MARK --or-mark 0x8000
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 -o wan0 -m conntrack --ctorigdst 217.125.139.204 -j MARK --or-mark 0x8000
/sbin/iptables -t mangle -A MARCAR_IFACE -m mark --mark 0x0000/0xf000 -i wan0 -m physdev --physdev-in eth3 -m state --state NEW -j MARK --or-mark 0x4000
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 -o wan0 -m conntrack --ctreplsrc 80.32.61.58 -j MARK --or-mark 0x4000
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 -o wan0 -m conntrack --ctrepldst 80.32.61.58 -j MARK --or-mark 0x4000
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 -o wan0 -s 80.32.61.58 -j MARK --or-mark 0x4000
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 -o wan0 -m conntrack --ctorigsrc 80.32.61.58 -j MARK --or-mark 0x4000
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 -o wan0 -m conntrack --ctorigdst 80.32.61.58 -j MARK --or-mark 0x4000
/sbin/iptables -t mangle -A MARCAR_IFACE -j CONNMARK --save-mark
/sbin/iptables -t mangle -A MARCAR_IFACE -j RETURN
/sbin/iptables -t mangle -I PREROUTING -j MARCAR_IFACE
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -j CONNMARK --save-mark
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -j RETURN
/sbin/iptables -t mangle -I POSTROUTING -j MARCAR_IFACE_OUT
/sbin/ip rule add prio 50 table main
/sbin/ip rule add prio 100 fwmark 0x8000/0xf000 table 150
/sbin/ip rule add prio 150 from 217.125.139.204/26 table 150
/sbin/ip route add default via 217.125.139.193 dev wan0 src 217.125.139.204 proto static table 150
/sbin/ip route append prohibit default table 150 metric 1 proto static
/sbin/ip rule add prio 101 fwmark 0x4000/0xf000 table 151
/sbin/ip rule add prio 151 from 80.32.61.58/24 table 151
/sbin/ip route add default via 80.32.61.1 dev wan0 src 80.32.61.58 proto static table 151
/sbin/ip route append prohibit default table 151 metric 1 proto static
/sbin/ip rule add prio 200 table 200
/sbin/ip route add default table 200 proto static nexthop via 217.125.139.193 dev wan0 weight 1 nexthop via 80.32.61.1 dev wan0 weight 1
/sbin/ip route flush cache
==END==

I have this "output" for all chains and routes:

==BEGIN==
=== REGLAS IPTABLES PARA EL ENRUTADO ===
Chain PREROUTING (policy ACCEPT 8664K packets, 5097M bytes)
num   pkts bytes target               prot opt in    out   source      destination
1    3348K 1832M MARCAR_IFACE         0    --  *     *     0.0.0.0/0   0.0.0.0/0

Chain MARCAR_IFACE (1 references)
num   pkts bytes target               prot opt in    out   source      destination
1    3348K 1832M CONNMARK             0    --  *     *     0.0.0.0/0   0.0.0.0/0   CONNMARK restore
2    2841K 1653M RETURN               0    --  *     *     0.0.0.0/0   0.0.0.0/0   MARK match !0x0/0xf000
3     507K  179M MARCAR_IFACE_TRAFICO 0    --  *     *     0.0.0.0/0   0.0.0.0/0   MARK match 0x0/0xf000
4    40690 2721K MARK                 0    --  wan0  *     0.0.0.0/0   0.0.0.0/0   MARK match 0x0/0xf000 PHYSDEV match --physdev-in eth1 state NEW MARK or 0x8000
5    48680 3062K MARK                 0    --  wan0  *     0.0.0.0/0   0.0.0.0/0   MARK match 0x0/0xf000 PHYSDEV match --physdev-in eth3 state NEW MARK or 0x4000
6     507K  179M CONNMARK             0    --  *     *     0.0.0.0/0   0.0.0.0/0   CONNMARK save
7     507K  179M RETURN               0    --  *     *     0.0.0.0/0   0.0.0.0/0

Chain MARCAR_IFACE_TRAFICO (1 references)
num   pkts bytes target               prot opt in    out   source      destination

Chain POSTROUTING (policy ACCEPT 16M packets, 8665M bytes)
num   pkts bytes target               prot opt in    out   source      destination
1    6483K 3397M MARCAR_IFACE_OUT     0    --  *     *     0.0.0.0/0   0.0.0.0/0

Chain MARCAR_IFACE_OUT (1 references)
num   pkts bytes target               prot opt in    out   source           destination
1    6483K 3397M CONNMARK             0    --  *     *     0.0.0.0/0        0.0.0.0/0   CONNMARK restore
2    5781K 2966M RETURN               0    --  *     *     0.0.0.0/0        0.0.0.0/0   MARK match !0x0/0xf000
3        0     0 MARK                 0    --  *     wan0  0.0.0.0/0        0.0.0.0/0   MARK match 0x0/0xf000 ctreplsrc 217.125.139.204 MARK or 0x8000
4     104K 7470K MARK                 0    --  *     wan0  0.0.0.0/0        0.0.0.0/0   MARK match 0x0/0xf000 ctrepldst 217.125.139.204 MARK or 0x8000
5      135  7091 MARK                 0    --  *     wan0  217.125.139.204  0.0.0.0/0   MARK match 0x0/0xf000 MARK or 0x8000
6        0     0 MARK                 0    --  *     wan0  0.0.0.0/0        0.0.0.0/0   MARK match 0x0/0xf000 ctorigsrc 217.125.139.204 MARK or 0x8000
7        0     0 MARK                 0    --  *     wan0  0.0.0.0/0        0.0.0.0/0   MARK match 0x0/0xf000 ctorigdst 217.125.139.204 MARK or 0x8000
8        0     0 MARK                 0    --  *     wan0  0.0.0.0/0        0.0.0.0/0   MARK match 0x0/0xf000 ctreplsrc 80.32.61.58 MARK or 0x4000
9     101K 7298K MARK                 0    --  *     wan0  0.0.0.0/0        0.0.0.0/0   MARK match 0x0/0xf000 ctrepldst 80.32.61.58 MARK or 0x4000
10     175  7578 MARK                 0    --  *     wan0  80.32.61.58      0.0.0.0/0   MARK match 0x0/0xf000 MARK or 0x4000
11       0     0 MARK                 0    --  *     wan0  0.0.0.0/0        0.0.0.0/0   MARK match 0x0/0xf000 ctorigsrc 80.32.61.58 MARK or 0x4000
12       1    48 MARK                 0    --  *     wan0  0.0.0.0/0        0.0.0.0/0   MARK match 0x0/0xf000 ctorigdst 80.32.61.58 MARK or 0x4000
13    702K  431M CONNMARK             0    --  *     *     0.0.0.0/0        0.0.0.0/0   CONNMARK save
14    702K  431M RETURN               0    --  *     *     0.0.0.0/0        0.0.0.0/0

=== REGLAS DE ENRUTAMIENTO ===
0:      from all lookup local
50:     from all lookup main
100:    from all fwmark 0x8000/0xf000 lookup uno
101:    from all fwmark 0x4000/0xf000 lookup dos
150:    from 217.125.139.204/26 lookup uno
151:    from 80.32.61.58/24 lookup dos
200:    from all lookup defecto
32766:  from all lookup main
32767:  from all lookup default

=== TABLAS DE RUTAS ===
=== MAIN ===
217.125.139.192/26 dev wan0 proto kernel scope link src 217.125.139.204
80.32.61.0/24 dev wan0 proto kernel scope link src 80.32.61.58
192.168.3.0/24 dev zlan0 proto kernel scope link src 192.168.3.247
192.168.2.0/24 dev zlan0 proto kernel scope link src 192.168.2.247
192.168.1.0/24 dev zlan0 proto kernel scope link src 192.168.1.247
10.1.1.0/24 dev zlan0 proto kernel scope link src 10.1.1.6
169.254.0.0/16 dev zlan0 scope link
239.0.0.0/8 dev zlan0 scope link
=== wan0 TABLA 150 ===
default via 217.125.139.193 dev wan0 proto static src 217.125.139.204
prohibit default proto static metric 1
=== wan0 TABLA 151 ===
default via 80.32.61.1 dev wan0 proto static src 80.32.61.58
prohibit default proto static metric 1
=== TABLA 200 (defecto) ===
default proto static
        nexthop via 217.125.139.193 dev wan0 weight 1
        nexthop via 80.32.61.1 dev wan0 weight 1
==END==

The -t nat POSTROUTING rules:

==BEGIN==
Chain POSTROUTING (policy ACCEPT 58524 packets, 42M bytes)
 pkts bytes target      prot opt in    out     source       destination
    0     0 SNAT        0    --  *     eth3    10.1.1.0/24  0.0.0.0/0   to:80.32.61.58
    0     0 SNAT        0    --  *     eth1    10.1.1.0/24  0.0.0.0/0   to:217.125.139.204
    0     0 SNAT        0    --  *     wan0    10.1.1.0/24  0.0.0.0/0   PHYSDEV match --physdev-out eth3 to:80.32.61.58
    0     0 SNAT        0    --  *     wan0    10.1.1.0/24  0.0.0.0/0   PHYSDEV match --physdev-out eth1 to:217.125.139.204
    0     0 SNAT        0    --  *     eth3    10.1.1.0/24  0.0.0.0/0   to:80.32.61.58
    0     0 SNAT        0    --  *     eth1    10.1.1.0/24  0.0.0.0/0   to:217.125.139.204
 578K   39M MASQUERADE  0    --  *     wan0    10.1.1.0/24  0.0.0.0/0
    0     0 MASQUERADE  0    --  *     wan0:1  10.1.1.0/24  0.0.0.0/0
    0     0 SNAT        0    --  *     wan0    10.1.1.0/24  0.0.0.0/0   to:80.32.61.58
    0     0 SNAT        0    --  *     wan0    10.1.1.0/24  0.0.0.0/0   to:217.125.139.204
==END==

The problems I have are:

1) If I make ssh connections from the internet to the router (not to any pc in the lan zone), sometimes the ssh sessions disconnect.

2) If I run tcpdump like this:

tcpdump -n -i eth3 not host 80.32.61.58
tcpdump -n -i eth1 not host 217.125.139.204

I can see:
a) IP frames not nated, where the source address is from the lan zone.
b) Source IPs that are not the correct ones.

With the tcpdump command I expect to see nothing; instead I can see frames as described below.

Because the wan interface is only 1 (with 2 ip's), I can only use "-j MASQUERADE" for the nating; I can't use -m physdev --physdev-out, the netfilter layer appears not to know what the real outgoing interface in the bridge wan0 is, and "wan0:1" is not handled by the netfilter layer.

The questions:

1) Does anyone know if this is a known issue (the tcpdump output and physdev issue)?
2) Does anyone know how to use SNAT in this case (I can't use -j SNAT)?
3) With 2.6.19.7 I was using "-m physdev --physdev-out" in the chain "MARCAR_IFACE_OUT", but with the 2.6.20.3 updated kernel, -m physdev appears to be broken and I then must use -m conntrack. Is this a good solution?

Please, I need any help; with this configuration I discovered these problems but I don't know how to solve them:

1) The wan0 bridge doesn't appear to be working 100% of the time (it appears that packets from one IP in the bridge are sent to the other interface).
2) NAT appears to be a bit confused and doesn't nat all packets; MASQUERADE doesn't want to be working all the time.
3) -m physdev --physdev-out doesn't know what the real physical interface where the packets are sent is. (With the 2.6.19.7 kernel, this extension was working, or, at least, there were counters in the rules.)
4) Connections from the internet to the router machine are lost randomly.

I have no problem using the POSTROUTING chain in the nat table to DROP or REJECT incorrect packets, but ... do I really need to do that?

Thanks!! All help is appreciated!!

Regards.

P.D.: Sorry, my english is a bit poor.

From dhananjay.tembe at calsoftinc.com Tue Mar 20 00:21:53 2007
From: dhananjay.tembe at calsoftinc.com (dhananjay.tembe@calsoftinc.com)
Date: Tue Mar 20 00:22:02 2007
Subject: [LARTC] TC not working well with bonded nics please help
Message-ID: <3742.65.115.68.194.1174346513.squirrel@webmail.calsoftinc.com>

Hi,

I am facing a problem when I run tc on the bonded nic cards. When I run tc on a single nic card, it worked perfectly fine. But when I run tc on a bond of two nics, tc gives poor performance. The two nics were bonded in round-robin (load balancing) mode. I created a qdisc, class and a filter as follows:

tc qdisc add dev bond0 root handle 1: htb
tc class add dev bond0 parent 1: classid 1:1 htb rate 240mbps
tc class add dev bond0 parent 1:1 classid 1:2 htb rate 50 ceil 50 quantum 1500

I started TCP traffic between this bond (2gbit bandwidth) and a remote nic (1gbit bandwidth). Without qos, the bond was transmitting at 960Mbps. After I executed the above mentioned commands, it was expected that the bond would transmit at 400Mbps, but it was transmitting only at 70Mbps. The same thing was observed with different qos rates for class 1:2; outbound traffic through the bond was much less than the rate specified in the tc command.

Is getting poor performance after running tc over a bond a known issue? Please help me with this issue.

Thanks and regards,
---Dhananjay.

From rodob at datafull.com Tue Mar 20 04:41:23 2007
From: rodob at datafull.com (Rodolfo Brasnarof)
Date: Tue Mar 20 04:41:42 2007
Subject: [LARTC] TC not working well with bonded nics please help
In-Reply-To: <3742.65.115.68.194.1174346513.squirrel@webmail.calsoftinc.com>
References: <3742.65.115.68.194.1174346513.squirrel@webmail.calsoftinc.com>
Message-ID: <20070320004123.19b3a7d3@localhost>

On Tue, 20 Mar 2007 04:51:53 +0530 (IST)
dhananjay.tembe@calsoftinc.com wrote:

>
> Hi,
> I am facing a problem when I run tc on the bonded nic cards.
> When I run tc on a single nic card, it worked perfectly fine. But
> when I run tc on a bond of two nics, tc gives poor performance. The
> two nics were bonded in round-robin (load balancing) mode. I created
> a qdisc, class and a filter as follows:
>
> tc qdisc add dev bond0 root handle 1: htb
> tc class add dev bond0 parent 1: classid 1:1 htb rate 240mbps
> tc class add dev bond0 parent 1:1 classid 1:2 htb rate 50 ceil 50
> quantum 1500
>
> I started TCP traffic between this bond (2gbit bandwidth) and a
> remote nic (1gbit bandwidth).
> Without qos, the bond was transmitting at 960Mbps.
> After I executed the above mentioned commands, it was expected that the
> bond would transmit at 400Mbps but it was transmitting only at 70Mbps.
> The same thing was observed with different qos rates for class 1:2;
> outbound traffic through the bond was much less than the rate specified
> in the tc command.
>
> Is getting poor performance after running tc over a bond a known
> issue? Please help me with this issue.

Perhaps you can use an IMQ device for traffic control/shaping.

From kaber at trash.net Tue Mar 20 07:19:51 2007
From: kaber at trash.net (Patrick McHardy) Date: Tue Mar 20 07:20:11 2007 Subject: [LARTC] [BUG?] ip ru flush && RTNETLINK answers: Numerical result out of range In-Reply-To: <20070319152532.GL521@postel.suug.ch> References: <200703190046.47021.luciano@lugmen.org.ar> <45FE2587.3050205@trash.net> <20070319152532.GL521@postel.suug.ch> Message-ID: <45FF7D07.4040103@trash.net> Thomas Graf wrote: > * Patrick McHardy 2007-03-19 06:54 > >>Thomas, I can't see a clean way to fix this right now that >>doesn't either bloat struct nla_policy or removes FRA_SRC/FRA_DST >>from the policy, could you please look into this? Thanks. > > > I guess the only way is to remove FRA_SRC/FRA_DST from the policy > and validate it in configure() based on src_len/dst_len. Its not too pretty, but I agree. This patch fixes the problem. I'll also push it to -stable. -------------- next part -------------- [NET]: Fix fib_rules compatibility breakage The fib_rules netlink attribute policy introduced in 2.6.19 broke userspace compatibilty. When specifying a rule with "from all" or "to all", iproute adds a zero byte long netlink attribute, but the policy requires all addresses to have a size equal to sizeof(struct in_addr)/sizeof(struct in6_addr), resulting in a validation error. Fix by only looking at the FRA_SRC/FRA_DST attributes if src_len or dst_len is larger than zero. DECnet is unaffected since iproute doesn't support specifying addresses as "all". Signed-off-by: Patrick McHardy --- commit 39f42dd26f1f9c93b9700e1bace540ed9bb94e46 tree ecc71ef742d9d636bf129b34ae7a18173377ccc0 parent db98e0b434a6265c451ffe94ec0a29b8d0aaf587 author Patrick McHardy Tue, 20 Mar 2007 07:08:38 +0100 committer Patrick McHardy Tue, 20 Mar 2007 07:08:38 +0100 net/ipv4/fib_rules.c | 18 ++++++++++++------ net/ipv6/fib6_rules.c | 16 ++++++++++++---- 2 files changed, 24 insertions(+), 10 deletions(-) diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c index b837c33..9524b2e 100644 --- a/net/ipv4/fib_rules.c 
+++ b/net/ipv4/fib_rules.c @@ -171,8 +171,6 @@ static struct fib_table *fib_empty_table static struct nla_policy fib4_rule_policy[FRA_MAX+1] __read_mostly = { FRA_GENERIC_POLICY, - [FRA_SRC] = { .type = NLA_U32 }, - [FRA_DST] = { .type = NLA_U32 }, [FRA_FLOW] = { .type = NLA_U32 }, }; @@ -187,6 +185,12 @@ static int fib4_rule_configure(struct fi (frh->tos & ~IPTOS_TOS_MASK)) goto errout; + if (frh->src_len && tb[FRA_SRC] && nla_len(tb[FRA_SRC]) != sizeof(u32)) + goto errout; + + if (frh->dst_len && tb[FRA_DST] && nla_len(tb[FRA_DST]) != sizeof(u32)) + goto errout; + if (rule->table == RT_TABLE_UNSPEC) { if (rule->action == FR_ACT_TO_TBL) { struct fib_table *table; @@ -201,10 +205,10 @@ static int fib4_rule_configure(struct fi } } - if (tb[FRA_SRC]) + if (frh->src_len && tb[FRA_SRC]) rule4->src = nla_get_be32(tb[FRA_SRC]); - if (tb[FRA_DST]) + if (frh->dst_len && tb[FRA_DST]) rule4->dst = nla_get_be32(tb[FRA_DST]); #ifdef CONFIG_NET_CLS_ROUTE @@ -242,10 +246,12 @@ #ifdef CONFIG_NET_CLS_ROUTE return 0; #endif - if (tb[FRA_SRC] && (rule4->src != nla_get_be32(tb[FRA_SRC]))) + if (frh->src_len && tb[FRA_SRC] && + (rule4->src != nla_get_be32(tb[FRA_SRC]))) return 0; - if (tb[FRA_DST] && (rule4->dst != nla_get_be32(tb[FRA_DST]))) + if (frh->dst_len && tb[FRA_DST] && + (rule4->dst != nla_get_be32(tb[FRA_DST]))) return 0; return 1; diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c index 0862809..a15244e 100644 --- a/net/ipv6/fib6_rules.c +++ b/net/ipv6/fib6_rules.c @@ -145,6 +145,14 @@ static int fib6_rule_configure(struct fi if (frh->src_len > 128 || frh->dst_len > 128) goto errout; + if (frh->src_len && tb[FRA_SRC] && + nla_len(tb[FRA_SRC]) != sizeof(struct in6_addr)) + goto errout; + + if (frh->dst_len && tb[FRA_DST] && + nla_len(tb[FRA_DST]) != sizeof(struct in6_addr)) + goto errout; + if (rule->action == FR_ACT_TO_TBL) { if (rule->table == RT6_TABLE_UNSPEC) goto errout; 
@@ -155,11 +163,11 @@ static int fib6_rule_configure(struct fi } } - if (tb[FRA_SRC]) + if (frh->src_len && tb[FRA_SRC]) nla_memcpy(&rule6->src.addr, tb[FRA_SRC], sizeof(struct in6_addr)); - if (tb[FRA_DST]) + if (frh->dst_len && tb[FRA_DST]) nla_memcpy(&rule6->dst.addr, tb[FRA_DST], sizeof(struct in6_addr)); @@ -186,11 +194,11 @@ static int fib6_rule_compare(struct fib_ if (frh->tos && (rule6->tclass != frh->tos)) return 0; - if (tb[FRA_SRC] && + if (frh->src_len && tb[FRA_SRC] && nla_memcmp(tb[FRA_SRC], &rule6->src.addr, sizeof(struct in6_addr))) return 0; - if (tb[FRA_DST] && + if (frh->dst_len && tb[FRA_DST] && nla_memcmp(tb[FRA_DST], &rule6->dst.addr, sizeof(struct in6_addr))) return 0;

From kaber at trash.net Tue Mar 20 07:42:49 2007
From: kaber at trash.net (Patrick McHardy)
Date: Tue Mar 20 07:42:56 2007
Subject: [LARTC] [BUG?] ip ru flush && RTNETLINK answers: Numerical result out of range
In-Reply-To: <45FF7D07.4040103@trash.net>
References: <200703190046.47021.luciano@lugmen.org.ar> <45FE2587.3050205@trash.net> <20070319152532.GL521@postel.suug.ch> <45FF7D07.4040103@trash.net>
Message-ID: <45FF8269.3000606@trash.net>

Patrick McHardy wrote:
> [NET]: Fix fib_rules compatibility breakage

I forgot to remove FRA_SRC/FRA_DST from fib6_rule_policy.
Updated patch attached.

-------------- next part --------------
[NET]: Fix fib_rules compatibility breakage

The fib_rules netlink attribute policy introduced in 2.6.19 broke
userspace compatibility. When specifying a rule with "from all"
or "to all", iproute adds a zero byte long netlink attribute,
but the policy requires all addresses to have a size equal to
sizeof(struct in_addr)/sizeof(struct in6_addr), resulting in a
validation error.

Fix by only looking at the FRA_SRC/FRA_DST attributes if src_len
or dst_len is larger than zero. DECnet is unaffected since iproute
doesn't support specifying addresses as "all".
Signed-off-by: Patrick McHardy --- commit 676307508e675dcf434f4f18e619b195f2f503ad tree aa87342144b3b19ebddb5011380c3ac96c38dbbc parent db98e0b434a6265c451ffe94ec0a29b8d0aaf587 author Patrick McHardy Tue, 20 Mar 2007 07:08:38 +0100 committer Patrick McHardy Tue, 20 Mar 2007 07:42:19 +0100 net/ipv4/fib_rules.c | 18 ++++++++++++------ net/ipv6/fib6_rules.c | 18 ++++++++++++------ 2 files changed, 24 insertions(+), 12 deletions(-) diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c index b837c33..9524b2e 100644 --- a/net/ipv4/fib_rules.c +++ b/net/ipv4/fib_rules.c @@ -171,8 +171,6 @@ static struct fib_table *fib_empty_table static struct nla_policy fib4_rule_policy[FRA_MAX+1] __read_mostly = { FRA_GENERIC_POLICY, - [FRA_SRC] = { .type = NLA_U32 }, - [FRA_DST] = { .type = NLA_U32 }, [FRA_FLOW] = { .type = NLA_U32 }, }; @@ -187,6 +185,12 @@ static int fib4_rule_configure(struct fi (frh->tos & ~IPTOS_TOS_MASK)) goto errout; + if (frh->src_len && tb[FRA_SRC] && nla_len(tb[FRA_SRC]) != sizeof(u32)) + goto errout; + + if (frh->dst_len && tb[FRA_DST] && nla_len(tb[FRA_DST]) != sizeof(u32)) + goto errout; + if (rule->table == RT_TABLE_UNSPEC) { if (rule->action == FR_ACT_TO_TBL) { struct fib_table *table; @@ -201,10 +205,10 @@ static int fib4_rule_configure(struct fi } } - if (tb[FRA_SRC]) + if (frh->src_len && tb[FRA_SRC]) rule4->src = nla_get_be32(tb[FRA_SRC]); - if (tb[FRA_DST]) + if (frh->dst_len && tb[FRA_DST]) rule4->dst = nla_get_be32(tb[FRA_DST]); #ifdef CONFIG_NET_CLS_ROUTE @@ -242,10 +246,12 @@ #ifdef CONFIG_NET_CLS_ROUTE return 0; #endif - if (tb[FRA_SRC] && (rule4->src != nla_get_be32(tb[FRA_SRC]))) + if (frh->src_len && tb[FRA_SRC] && + (rule4->src != nla_get_be32(tb[FRA_SRC]))) return 0; - if (tb[FRA_DST] && (rule4->dst != nla_get_be32(tb[FRA_DST]))) + if (frh->dst_len && tb[FRA_DST] && + (rule4->dst != nla_get_be32(tb[FRA_DST]))) return 0; return 1; diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c index 0862809..6331306 100644 
--- a/net/ipv6/fib6_rules.c +++ b/net/ipv6/fib6_rules.c @@ -131,8 +131,6 @@ static int fib6_rule_match(struct fib_ru static struct nla_policy fib6_rule_policy[FRA_MAX+1] __read_mostly = { FRA_GENERIC_POLICY, - [FRA_SRC] = { .len = sizeof(struct in6_addr) }, - [FRA_DST] = { .len = sizeof(struct in6_addr) }, }; static int fib6_rule_configure(struct fib_rule *rule, struct sk_buff *skb, @@ -145,6 +143,14 @@ static int fib6_rule_configure(struct fi if (frh->src_len > 128 || frh->dst_len > 128) goto errout; + if (frh->src_len && tb[FRA_SRC] && + nla_len(tb[FRA_SRC]) != sizeof(struct in6_addr)) + goto errout; + + if (frh->dst_len && tb[FRA_DST] && + nla_len(tb[FRA_DST]) != sizeof(struct in6_addr)) + goto errout; + if (rule->action == FR_ACT_TO_TBL) { if (rule->table == RT6_TABLE_UNSPEC) goto errout; @@ -155,11 +161,11 @@ static int fib6_rule_configure(struct fi } } - if (tb[FRA_SRC]) + if (frh->src_len && tb[FRA_SRC]) nla_memcpy(&rule6->src.addr, tb[FRA_SRC], sizeof(struct in6_addr)); - if (tb[FRA_DST]) + if (frh->dst_len && tb[FRA_DST]) nla_memcpy(&rule6->dst.addr, tb[FRA_DST], sizeof(struct in6_addr)); @@ -186,11 +192,11 @@ static int fib6_rule_compare(struct fib_ if (frh->tos && (rule6->tclass != frh->tos)) return 0; - if (tb[FRA_SRC] && + if (frh->src_len && tb[FRA_SRC] && nla_memcmp(tb[FRA_SRC], &rule6->src.addr, sizeof(struct in6_addr))) return 0; - if (tb[FRA_DST] && + if (frh->dst_len && tb[FRA_DST] && nla_memcmp(tb[FRA_DST], &rule6->dst.addr, sizeof(struct in6_addr))) return 0; From alchemyx at uznam.net.pl Tue Mar 20 14:20:30 2007 
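Review bot: in the fib4_rule_configure and fib6_rule_configure hunks of this updated patch, a header with a non-zero src_len but no FRA_SRC attribute passes `if (frh->src_len && tb[FRA_SRC] && nla_len(tb[FRA_SRC]) != sizeof(u32))`, skips the `rule4->src = nla_get_be32(tb[FRA_SRC])` assignment, and yields a rule with a prefix length but an all-zero address; when src_len is non-zero a missing attribute should fail with -EINVAL rather than be silently ignored. The same src_len/dst_len gating is also copied into three families, which argues for doing the check once in net/core/fib_rules.c with each family supplying its address size, as Thomas's version later in this thread does.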
From: alchemyx at uznam.net.pl (Michał Margula)
Date: Tue Mar 20 14:21:09 2007
Subject: [LARTC] TC Filter matching all
Message-ID: <45FFDF9E.4090208@uznam.net.pl>

Hello!

I was always using "default" in HTB to choose the default class, but now I
need to do it with filters. I tried the following command:

# tc filter add dev eth0 protocol ip parent 10: prio 2 flowid 10:2
Unknown filter "flowid", hence option "10:2" is unparsable

It is from an example in the LARTC Howto.

My question is then - how to make a filter matching all without eating
too many CPU cycles?

Thanks

--
Michał Margula, alchemyx@uznam.net.pl, http://alchemyx.uznam.net.pl/
"In life, only moments are beautiful" [Ryszard Riedel]

From unki at netshadow.at Tue Mar 20 15:45:11 2007
From: unki at netshadow.at (Andreas Unterkircher)
Date: Tue Mar 20 15:45:18 2007
Subject: [LARTC] TC Filter matching all
In-Reply-To: <45FFDF9E.4090208@uznam.net.pl>
References: <45FFDF9E.4090208@uznam.net.pl>
Message-ID: <20070320154511.bhfcwins8oksow88@webmail.netshadow.at>

I use this one for "match anything"

http://mailman.ds9a.nl/pipermail/lartc/2005q3/016774.html

Andreas

Quoting Michał Margula:
> Hello!
>
> I was always using "default" in HTB to choose the default class, but now I
> need to do it with filters. I tried the following command:
>
> # tc filter add dev eth0 protocol ip parent 10: prio 2 flowid 10:2
> Unknown filter "flowid", hence option "10:2" is unparsable
>
> It is from an example in the LARTC Howto.
>
> My question is then - how to make a filter matching all without eating
> too many CPU cycles?
>
> Thanks
>
> --
> Michał Margula, alchemyx@uznam.net.pl, http://alchemyx.uznam.net.pl/
> "In life, only moments are beautiful" [Ryszard Riedel]
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From tgraf at suug.ch Tue Mar 20 17:40:04 2007
From: tgraf at suug.ch (Thomas Graf)
Date: Tue Mar 20 17:39:49 2007
Subject: [LARTC] [NET]: Fix fib_rules compatibility breakage
In-Reply-To: <45FF8269.3000606@trash.net>
References: <200703190046.47021.luciano@lugmen.org.ar> <45FE2587.3050205@trash.net> <20070319152532.GL521@postel.suug.ch> <45FF7D07.4040103@trash.net> <45FF8269.3000606@trash.net>
Message-ID: <20070320164004.GN521@postel.suug.ch>

Based on Patrick's patch:

The fib_rules netlink attribute policy introduced in 2.6.19 broke
userspace compatibility. When specifying a rule with "from all"
or "to all", iproute adds a zero byte long netlink attribute,
but the policy requires all addresses to have a size equal to
sizeof(struct in_addr)/sizeof(struct in6_addr), resulting in a
validation error.

Check attribute length of FRA_SRC/FRA_DST in the generic framework
by letting the family specific rules implementation provide the
length of an address. Report an error if address length is non
zero but no address attribute is provided. Fix actual bug by
checking address length for non-zero instead of relying on
availability of attribute.

Signed-off-by: Thomas Graf

Index: net-2.6/include/net/fib_rules.h =================================================================== --- net-2.6.orig/include/net/fib_rules.h 2007-03-20 15:38:19.000000000 +0100 +++ net-2.6/include/net/fib_rules.h 2007-03-20 16:01:31.000000000 +0100 @@ -34,6 +34,7 @@ struct fib_rules_ops int family; struct list_head list; int rule_size; + int addr_size; int (*action)(struct fib_rule *, struct flowi *, int, Index: net-2.6/net/core/fib_rules.c =================================================================== --- net-2.6.orig/net/core/fib_rules.c 2007-03-20 15:37:39.000000000 +0100 +++ net-2.6/net/core/fib_rules.c 2007-03-20 15:56:59.000000000 +0100
@@ -173,6 +173,19 @@ int fib_nl_newrule(struct sk_buff *skb, if (err < 0) goto errout; + err = -EINVAL; + if (frh->src_len) + if (tb[FRA_SRC] == NULL || + frh->src_len > (ops->addr_size * 8) || + nla_len(tb[FRA_SRC]) != ops->addr_size) + goto errout; + + if (frh->dst_len) + if (tb[FRA_DST] == NULL || + frh->dst_len > (ops->addr_size * 8) || + nla_len(tb[FRA_DST]) != ops->addr_size) + goto errout; + rule = kzalloc(ops->rule_size, GFP_KERNEL); if (rule == NULL) { err = -ENOMEM; Index: net-2.6/net/decnet/dn_rules.c =================================================================== --- net-2.6.orig/net/decnet/dn_rules.c 2007-03-20 15:35:26.000000000 +0100 +++ net-2.6/net/decnet/dn_rules.c 2007-03-20 15:58:29.000000000 +0100 @@ -109,8 +109,6 @@ errout: static struct nla_policy dn_fib_rule_policy[FRA_MAX+1] __read_mostly = { FRA_GENERIC_POLICY, - [FRA_SRC] = { .type = NLA_U16 }, - [FRA_DST] = { .type = NLA_U16 }, }; static int dn_fib_rule_match(struct fib_rule *rule, struct flowi *fl, int flags) @@ -133,7 +131,7 @@ static int dn_fib_rule_configure(struct int err = -EINVAL; struct dn_fib_rule *r = (struct dn_fib_rule *)rule; - if (frh->src_len > 16 || frh->dst_len > 16 || frh->tos) + if (frh->tos) goto errout; if (rule->table == RT_TABLE_UNSPEC) { @@ -150,10 +148,10 @@ static int dn_fib_rule_configure(struct } } - if (tb[FRA_SRC]) + if (frh->src_len) r->src = nla_get_le16(tb[FRA_SRC]); - if (tb[FRA_DST]) + if (frh->dst_len) r->dst = nla_get_le16(tb[FRA_DST]); r->src_len = frh->src_len; @@ -176,10 +174,10 @@ static int dn_fib_rule_compare(struct fi if (frh->dst_len && (r->dst_len != frh->dst_len)) return 0; - if (tb[FRA_SRC] && (r->src != nla_get_le16(tb[FRA_SRC]))) + if (frh->src_len && (r->src != nla_get_le16(tb[FRA_SRC]))) return 0; - if (tb[FRA_DST] && (r->dst != nla_get_le16(tb[FRA_DST]))) + if (frh->dst_len && (r->dst != nla_get_le16(tb[FRA_DST]))) return 0; return 1; 
@@ -249,6 +247,7 @@ int dn_fib_dump_rules(struct sk_buff *sk static struct fib_rules_ops dn_fib_rules_ops = { .family = AF_DECnet, .rule_size = sizeof(struct dn_fib_rule), + .addr_size = sizeof(u16), .action = dn_fib_rule_action, .match = dn_fib_rule_match, .configure = dn_fib_rule_configure, Index: net-2.6/net/ipv4/fib_rules.c =================================================================== --- net-2.6.orig/net/ipv4/fib_rules.c 2007-03-20 15:46:16.000000000 +0100 +++ net-2.6/net/ipv4/fib_rules.c 2007-03-20 15:55:08.000000000 +0100 @@ -171,8 +171,6 @@ static struct fib_table *fib_empty_table static struct nla_policy fib4_rule_policy[FRA_MAX+1] __read_mostly = { FRA_GENERIC_POLICY, - [FRA_SRC] = { .type = NLA_U32 }, - [FRA_DST] = { .type = NLA_U32 }, [FRA_FLOW] = { .type = NLA_U32 }, }; @@ -183,8 +181,7 @@ static int fib4_rule_configure(struct fi int err = -EINVAL; struct fib4_rule *rule4 = (struct fib4_rule *) rule; - if (frh->src_len > 32 || frh->dst_len > 32 || - (frh->tos & ~IPTOS_TOS_MASK)) + if (frh->tos & ~IPTOS_TOS_MASK) goto errout; if (rule->table == RT_TABLE_UNSPEC) { @@ -201,10 +198,10 @@ static int fib4_rule_configure(struct fi } } - if (tb[FRA_SRC]) + if (frh->src_len) rule4->src = nla_get_be32(tb[FRA_SRC]); - if (tb[FRA_DST]) + if (frh->dst_len) rule4->dst = nla_get_be32(tb[FRA_DST]); #ifdef CONFIG_NET_CLS_ROUTE @@ -242,10 +239,10 @@ static int fib4_rule_compare(struct fib_ return 0; #endif - if (tb[FRA_SRC] && (rule4->src != nla_get_be32(tb[FRA_SRC]))) + if (frh->src_len && (rule4->src != nla_get_be32(tb[FRA_SRC]))) return 0; - if (tb[FRA_DST] && (rule4->dst != nla_get_be32(tb[FRA_DST]))) + if (frh->dst_len && (rule4->dst != nla_get_be32(tb[FRA_DST]))) return 0; return 1; 
@@ -309,6 +306,7 @@ static size_t fib4_rule_nlmsg_payload(st static struct fib_rules_ops fib4_rules_ops = { .family = AF_INET, .rule_size = sizeof(struct fib4_rule), + .addr_size = sizeof(u32), .action = fib4_rule_action, .match = fib4_rule_match, .configure = fib4_rule_configure, Index: net-2.6/net/ipv6/fib6_rules.c =================================================================== --- net-2.6.orig/net/ipv6/fib6_rules.c 2007-03-20 15:48:50.000000000 +0100 +++ net-2.6/net/ipv6/fib6_rules.c 2007-03-20 15:57:44.000000000 +0100 @@ -131,8 +131,6 @@ static int fib6_rule_match(struct fib_ru static struct nla_policy fib6_rule_policy[FRA_MAX+1] __read_mostly = { FRA_GENERIC_POLICY, - [FRA_SRC] = { .len = sizeof(struct in6_addr) }, - [FRA_DST] = { .len = sizeof(struct in6_addr) }, }; static int fib6_rule_configure(struct fib_rule *rule, struct sk_buff *skb, @@ -142,9 +140,6 @@ static int fib6_rule_configure(struct fi int err = -EINVAL; struct fib6_rule *rule6 = (struct fib6_rule *) rule; - if (frh->src_len > 128 || frh->dst_len > 128) - goto errout; - if (rule->action == FR_ACT_TO_TBL) { if (rule->table == RT6_TABLE_UNSPEC) goto errout; @@ -155,11 +150,11 @@ static int fib6_rule_configure(struct fi } } - if (tb[FRA_SRC]) + if (frh->src_len) nla_memcpy(&rule6->src.addr, tb[FRA_SRC], sizeof(struct in6_addr)); - if (tb[FRA_DST]) + if (frh->dst_len) nla_memcpy(&rule6->dst.addr, tb[FRA_DST], sizeof(struct in6_addr)); @@ -186,11 +181,11 @@ static int fib6_rule_compare(struct fib_ if (frh->tos && (rule6->tclass != frh->tos)) return 0; - if (tb[FRA_SRC] && + if (frh->src_len && nla_memcmp(tb[FRA_SRC], &rule6->src.addr, sizeof(struct in6_addr))) return 0; - if (tb[FRA_DST] && + if (frh->dst_len && nla_memcmp(tb[FRA_DST], &rule6->dst.addr, sizeof(struct in6_addr))) return 0; 
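Review bot: the fib4_rule_compare and fib6_rule_compare hunks above (and dn_fib_rule_compare before them) drop the `tb[FRA_SRC] &&` presence test and now call `nla_get_be32(tb[FRA_SRC])` / `nla_memcmp(tb[FRA_SRC], ...)` whenever frh->src_len is non-zero, but the `tb[FRA_SRC] == NULL` check this patch adds sits only in fib_nl_newrule(); compare() is reached from the delete path, so an RTM_DELRULE carrying src_len without an FRA_SRC attribute dereferences a NULL attribute. The presence-and-length check should be factored into a helper that fib_nl_delrule() calls as well.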
@@ -240,6 +235,7 @@ static size_t fib6_rule_nlmsg_payload(st static struct fib_rules_ops fib6_rules_ops = { .family = AF_INET6, .rule_size = sizeof(struct fib6_rule), + .addr_size = sizeof(struct in6_addr), .action = fib6_rule_action, .match = fib6_rule_match, .configure = fib6_rule_configure, From kaber at trash.net Tue Mar 20 17:59:44 2007 From: kaber at trash.net (Patrick McHardy) Date: Tue Mar 20 18:00:50 2007 Subject: [LARTC] Re: [NET]: Fix fib_rules compatibility breakage In-Reply-To: <20070320164004.GN521@postel.suug.ch> References: <200703190046.47021.luciano@lugmen.org.ar> <45FE2587.3050205@trash.net> <20070319152532.GL521@postel.suug.ch> <45FF7D07.4040103@trash.net> <45FF8269.3000606@trash.net> <20070320164004.GN521@postel.suug.ch> Message-ID: <46001300.90804@trash.net> Thomas Graf wrote: > @@ -242,10 +239,10 @@ static int fib4_rule_compare(struct fib_ > return 0; > #endif > > - if (tb[FRA_SRC] && (rule4->src != nla_get_be32(tb[FRA_SRC]))) > + if (frh->src_len && (rule4->src != nla_get_be32(tb[FRA_SRC]))) > return 0; > > - if (tb[FRA_DST] && (rule4->dst != nla_get_be32(tb[FRA_DST]))) > + if (frh->dst_len && (rule4->dst != nla_get_be32(tb[FRA_DST]))) > return 0; > The presence of the attributes when src_len/dst_len is non-zero is only verified in fib_newrule, so this looks like it might crash when something broken sets src_len/dst_len to a non-zero value without actually adding the attributes. Other than that it looks fine. From derek at interdart.co.uk Tue Mar 20 19:13:48 2007 
From: derek at interdart.co.uk (Derek Sims)
Date: Tue Mar 20 19:13:55 2007
Subject: [LARTC] Fairness queuing across a range of IP addresses
Message-ID: <4600245C.9040906@interdart.co.uk>

I have a block of IP addresses (2048) used for ADSL connections to customers.

In order to provide a fair slice of available bandwidth on the contended services I would like to be able to set up some kind of SFQ filter, but using a hash of the destination IP address rather than the full source and destination IP and port. This would be done at the Internet side gateway for traffic being sent towards the customer's IP address.

Can anybody suggest how this could be done with qdiscs?

TIA

Derek

From tgraf at suug.ch Tue Mar 20 19:15:47 2007
From: tgraf at suug.ch (Thomas Graf)
Date: Tue Mar 20 19:15:28 2007
Subject: [LARTC] [NET]: Fix fib_rules compatibility breakage
In-Reply-To: <46001300.90804@trash.net>
References: <200703190046.47021.luciano@lugmen.org.ar> <45FE2587.3050205@trash.net> <20070319152532.GL521@postel.suug.ch> <45FF7D07.4040103@trash.net> <45FF8269.3000606@trash.net> <20070320164004.GN521@postel.suug.ch> <46001300.90804@trash.net>
Message-ID: <20070320181547.GO521@postel.suug.ch>

* Patrick McHardy 2007-03-20 17:59
> The presence of the attributes when src_len/dst_len is non-zero
> is only verified in fib_newrule, so this looks like it might crash
> when something broken sets src_len/dst_len to a non-zero value
> without actually adding the attributes.

You're right, we need to validate in fib_nl_delrule() as well.

Based on Patrick's patch:

The fib_rules netlink attribute policy introduced in 2.6.19 broke
userspace compatibility. When specifying a rule with "from all"
or "to all", iproute adds a zero byte long netlink attribute,
but the policy requires all addresses to have a size equal to
sizeof(struct in_addr)/sizeof(struct in6_addr), resulting in a
validation error.

Check attribute length of FRA_SRC/FRA_DST in the generic framework
by letting the family specific rules implementation provide the
length of an address. Report an error if address length is non
zero but no address attribute is provided. Fix actual bug by
checking address length for non-zero instead of relying on
availability of attribute.

Signed-off-by: Thomas Graf

Index: net-2.6/include/net/fib_rules.h =================================================================== --- net-2.6.orig/include/net/fib_rules.h 2007-03-20 16:49:06.000000000 +0100 +++ net-2.6/include/net/fib_rules.h 2007-03-20 17:22:35.000000000 +0100
@@ -34,6 +34,7 @@ struct fib_rules_ops int family; struct list_head list; int rule_size; + int addr_size; int (*action)(struct fib_rule *, struct flowi *, int, Index: net-2.6/net/core/fib_rules.c =================================================================== --- net-2.6.orig/net/core/fib_rules.c 2007-03-20 16:49:06.000000000 +0100 +++ net-2.6/net/core/fib_rules.c 2007-03-20 19:09:52.000000000 +0100 @@ -152,6 +152,28 @@ out: EXPORT_SYMBOL_GPL(fib_rules_lookup); +static int validate_rulemsg(struct fib_rule_hdr *frh, struct nlattr **tb, + struct fib_rules_ops *ops) +{ + int err = -EINVAL; + + if (frh->src_len) + if (tb[FRA_SRC] == NULL || + frh->src_len > (ops->addr_size * 8) || + nla_len(tb[FRA_SRC]) != ops->addr_size) + goto errout; + + if (frh->dst_len) + if (tb[FRA_DST] == NULL || + frh->dst_len > (ops->addr_size * 8) || + nla_len(tb[FRA_DST]) != ops->addr_size) + goto errout; + + err = 0; +errout: + return err; +} + int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) { struct fib_rule_hdr *frh = nlmsg_data(nlh); @@ -173,6 +195,10 @@ int fib_nl_newrule(struct sk_buff *skb, if (err < 0) goto errout; + err = validate_rulemsg(frh, tb, ops); + if (err < 0) + goto errout; + rule = kzalloc(ops->rule_size, GFP_KERNEL); if (rule == NULL) { err = -ENOMEM; @@ -260,6 +286,10 @@ int fib_nl_delrule(struct sk_buff *skb, if (err < 0) goto errout; + err = validate_rulemsg(frh, tb, ops); + if (err < 0) + goto errout; + list_for_each_entry(rule, ops->rules_list, list) { if (frh->action && (frh->action != rule->action)) continue; Index: net-2.6/net/decnet/dn_rules.c =================================================================== --- net-2.6.orig/net/decnet/dn_rules.c 2007-03-20 16:49:06.000000000 +0100 +++ net-2.6/net/decnet/dn_rules.c 2007-03-20 17:22:35.000000000 +0100 
@@ -109,8 +109,6 @@ errout: static struct nla_policy dn_fib_rule_policy[FRA_MAX+1] __read_mostly = { FRA_GENERIC_POLICY, - [FRA_SRC] = { .type = NLA_U16 }, - [FRA_DST] = { .type = NLA_U16 }, }; static int dn_fib_rule_match(struct fib_rule *rule, struct flowi *fl, int flags) @@ -133,7 +131,7 @@ static int dn_fib_rule_configure(struct int err = -EINVAL; struct dn_fib_rule *r = (struct dn_fib_rule *)rule; - if (frh->src_len > 16 || frh->dst_len > 16 || frh->tos) + if (frh->tos) goto errout; if (rule->table == RT_TABLE_UNSPEC) { @@ -150,10 +148,10 @@ static int dn_fib_rule_configure(struct } } - if (tb[FRA_SRC]) + if (frh->src_len) r->src = nla_get_le16(tb[FRA_SRC]); - if (tb[FRA_DST]) + if (frh->dst_len) r->dst = nla_get_le16(tb[FRA_DST]); r->src_len = frh->src_len; @@ -176,10 +174,10 @@ static int dn_fib_rule_compare(struct fi if (frh->dst_len && (r->dst_len != frh->dst_len)) return 0; - if (tb[FRA_SRC] && (r->src != nla_get_le16(tb[FRA_SRC]))) + if (frh->src_len && (r->src != nla_get_le16(tb[FRA_SRC]))) return 0; - if (tb[FRA_DST] && (r->dst != nla_get_le16(tb[FRA_DST]))) + if (frh->dst_len && (r->dst != nla_get_le16(tb[FRA_DST]))) return 0; return 1; @@ -249,6 +247,7 @@ int dn_fib_dump_rules(struct sk_buff *sk static struct fib_rules_ops dn_fib_rules_ops = { .family = AF_DECnet, .rule_size = sizeof(struct dn_fib_rule), + .addr_size = sizeof(u16), .action = dn_fib_rule_action, .match = dn_fib_rule_match, .configure = dn_fib_rule_configure, Index: net-2.6/net/ipv4/fib_rules.c =================================================================== --- net-2.6.orig/net/ipv4/fib_rules.c 2007-03-20 16:49:06.000000000 +0100 +++ net-2.6/net/ipv4/fib_rules.c 2007-03-20 17:22:35.000000000 +0100 @@ -171,8 +171,6 @@ static struct fib_table *fib_empty_table static struct nla_policy fib4_rule_policy[FRA_MAX+1] __read_mostly = { FRA_GENERIC_POLICY, - [FRA_SRC] = { .type = NLA_U32 }, - [FRA_DST] = { .type = NLA_U32 }, [FRA_FLOW] = { .type = NLA_U32 }, }; 
@@ -183,8 +181,7 @@ static int fib4_rule_configure(struct fi int err = -EINVAL; struct fib4_rule *rule4 = (struct fib4_rule *) rule; - if (frh->src_len > 32 || frh->dst_len > 32 || - (frh->tos & ~IPTOS_TOS_MASK)) + if (frh->tos & ~IPTOS_TOS_MASK) goto errout; if (rule->table == RT_TABLE_UNSPEC) { @@ -201,10 +198,10 @@ static int fib4_rule_configure(struct fi } } - if (tb[FRA_SRC]) + if (frh->src_len) rule4->src = nla_get_be32(tb[FRA_SRC]); - if (tb[FRA_DST]) + if (frh->dst_len) rule4->dst = nla_get_be32(tb[FRA_DST]); #ifdef CONFIG_NET_CLS_ROUTE @@ -242,10 +239,10 @@ static int fib4_rule_compare(struct fib_ return 0; #endif - if (tb[FRA_SRC] && (rule4->src != nla_get_be32(tb[FRA_SRC]))) + if (frh->src_len && (rule4->src != nla_get_be32(tb[FRA_SRC]))) return 0; - if (tb[FRA_DST] && (rule4->dst != nla_get_be32(tb[FRA_DST]))) + if (frh->dst_len && (rule4->dst != nla_get_be32(tb[FRA_DST]))) return 0; return 1; @@ -309,6 +306,7 @@ static size_t fib4_rule_nlmsg_payload(st static struct fib_rules_ops fib4_rules_ops = { .family = AF_INET, .rule_size = sizeof(struct fib4_rule), + .addr_size = sizeof(u32), .action = fib4_rule_action, .match = fib4_rule_match, .configure = fib4_rule_configure, Index: net-2.6/net/ipv6/fib6_rules.c =================================================================== --- net-2.6.orig/net/ipv6/fib6_rules.c 2007-03-20 16:49:06.000000000 +0100 +++ net-2.6/net/ipv6/fib6_rules.c 2007-03-20 17:22:35.000000000 +0100 @@ -131,8 +131,6 @@ static int fib6_rule_match(struct fib_ru static struct nla_policy fib6_rule_policy[FRA_MAX+1] __read_mostly = { FRA_GENERIC_POLICY, - [FRA_SRC] = { .len = sizeof(struct in6_addr) }, - [FRA_DST] = { .len = sizeof(struct in6_addr) }, }; static int fib6_rule_configure(struct fib_rule *rule, struct sk_buff *skb, 
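Review bot: validate_rulemsg() in the net/core/fib_rules.c hunk deliberately lets an FRA_SRC/FRA_DST attribute of any length through when src_len/dst_len is zero (that is exactly what makes iproute's zero-length "from all" attribute acceptable again), but nothing in the code says so; a one-line comment above the `if (frh->src_len)` block would stop a later cleanup from re-adding a policy length for these attributes. Minor style point for the same hunk: the nested `if (frh->src_len) if (tb[FRA_SRC] == NULL || ...)` with no braces on the outer if is hard to read for a three-line condition; braces on the outer if would help.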
@@ -142,9 +140,6 @@ static int fib6_rule_configure(struct fi int err = -EINVAL; struct fib6_rule *rule6 = (struct fib6_rule *) rule; - if (frh->src_len > 128 || frh->dst_len > 128) - goto errout; - if (rule->action == FR_ACT_TO_TBL) { if (rule->table == RT6_TABLE_UNSPEC) goto errout; @@ -155,11 +150,11 @@ static int fib6_rule_configure(struct fi } } - if (tb[FRA_SRC]) + if (frh->src_len) nla_memcpy(&rule6->src.addr, tb[FRA_SRC], sizeof(struct in6_addr)); - if (tb[FRA_DST]) + if (frh->dst_len) nla_memcpy(&rule6->dst.addr, tb[FRA_DST], sizeof(struct in6_addr)); @@ -186,11 +181,11 @@ static int fib6_rule_compare(struct fib_ if (frh->tos && (rule6->tclass != frh->tos)) return 0; - if (tb[FRA_SRC] && + if (frh->src_len && nla_memcmp(tb[FRA_SRC], &rule6->src.addr, sizeof(struct in6_addr))) return 0; - if (tb[FRA_DST] && + if (frh->dst_len && nla_memcmp(tb[FRA_DST], &rule6->dst.addr, sizeof(struct in6_addr))) return 0; @@ -240,6 +235,7 @@ static size_t fib6_rule_nlmsg_payload(st static struct fib_rules_ops fib6_rules_ops = { .family = AF_INET6, .rule_size = sizeof(struct fib6_rule), + .addr_size = sizeof(struct in6_addr), .action = fib6_rule_action, .match = fib6_rule_match, .configure = fib6_rule_configure, From s.cramatte at wanadoo.fr Tue Mar 20 19:24:31 2007 From: s.cramatte at wanadoo.fr (=?ISO-8859-1?Q?S=E9bastien_CRAMATTE?=) Date: Tue Mar 20 19:24:43 2007 Subject: [LARTC] SIP and RTP QoS rules Message-ID: <460026DF.9040008@wanadoo.fr> Hello, I've setuped a QoS bridge under debian. I would like to know If anyone have got some ressources about how setup perfectly VoIP (SIP/RTP) QoS with Asterisk Might be I should use TOS ? Regards From orrie at seznam.cz Tue Mar 20 20:09:01 2007 
From: orrie at seznam.cz (Ales Klok)
Date: Tue Mar 20 20:09:14 2007
Subject: [LARTC] Fairness queuing across a range of IP addresses
In-Reply-To: <4600245C.9040906@interdart.co.uk>
References: <4600245C.9040906@interdart.co.uk>
Message-ID: <4600314D.2010503@seznam.cz>

Derek Sims wrote:
> I have a block of IP addresses (2048) used for ADSL connections to
> customers.
>
> In order to provide a fair slice of available bandwidth on the
> contended services I would like to be able to set up some kind of SFQ
> filter, but using a hash of the destination IP address rather than
> the full source and destination IP and port. This would be done at the
> Internet side gateway for traffic being sent towards the customer's IP
> address.
>
> Can anybody suggest how this could be done with qdiscs?
>
> TIA
>
> Derek

Hi Derek, if I understand what you want to do then I think you are looking for ESFQ. With ESFQ you can choose the hash type from classic, dest IP or src IP.

/ak

From orrie at seznam.cz Tue Mar 20 20:21:06 2007
From: orrie at seznam.cz (Ales Klok)
Date: Tue Mar 20 20:21:24 2007
Subject: [LARTC] SIP and RTP QoS rules
In-Reply-To: <460026DF.9040008@wanadoo.fr>
References: <460026DF.9040008@wanadoo.fr>
Message-ID: <46003422.40803@seznam.cz>

Sébastien CRAMATTE wrote:
> Hello,
>
> I've set up a QoS bridge under Debian.
> I would like to know if anyone has got some resources about how to set up
> VoIP (SIP/RTP) QoS perfectly with Asterisk
>
> Maybe I should use TOS?
>
> Regards

Hi, I'm not using Asterisk but I do SIP/RTP shaping on a gateway and you should definitely use HFSC. I've spent a lot of time trying to set up PRIO and HTB, but I've got the best results with HFSC.

You should start here http://linux-ip.net/articles/hfsc.en and some theory http://trash.net/~kaber/hfsc/SIGCOM97.pdf

/ak

From oscar at ufomechanic.net Tue Mar 20 20:26:02 2007
From: oscar at ufomechanic.net (Oscar Mechanic)
Date: Tue Mar 20 20:26:35 2007
Subject: [LARTC] Fairness queuing across a range of IP addresses
In-Reply-To: <4600314D.2010503@seznam.cz>
References: <4600245C.9040906@interdart.co.uk> <4600314D.2010503@seznam.cz>
Message-ID: <1174418762.4496.39.camel@OSCARLAPLIN>

On Tue, 2007-03-20 at 20:09 +0100, Ales Klok wrote:
> Derek Sims wrote:
> > I have a block of IP addresses (2048) used for ADSL connections to
> > customers.
> >
> > In order to provide a fair slice of available bandwidth on the
> > contended services I would like to be able to set up some kind of SFQ
> > filter, but using a hash of the destination IP address rather than
> > the full source and destination IP and port. This would be done at the
> > Internet side gateway for traffic being sent towards the customer's IP
> > address.
> >
> > Can anybody suggest how this could be done with qdiscs?
> >
> > TIA
> >
> > Derek
> Hi Derek, if I understand what you want to do then I think you are looking
> for ESFQ. With ESFQ you can choose the hash type from classic, dest IP or
> src IP.
> /ak

As an ISP with 800 clients I found the hashes difficult to manage after time. Also, when dealing with clients who want a /29 subnet, mapping back to a billing entry was hard.

I wrote some PHP so others could use a web front end, and used ipset (both hash and net sets) combined with marks to do the traffic control for different levels of service. As the client requirements grew and changed, this ended in a lot of panic PHP. So I use a 3rd party vendor device.

My advice would be to use 2 devices: 1 to mark traffic and do access control, and use ds_shed to control traffic on the other device. I think I went wrong in trying to do it all on one device.

Hope this helps.

From kaber at trash.net Tue Mar 20 20:58:55 2007
From: kaber at trash.net (Patrick McHardy)
Date: Tue Mar 20 20:59:02 2007
Subject: [LARTC] Re: [NET]: Fix fib_rules compatibility breakage
In-Reply-To: <20070320181547.GO521@postel.suug.ch>
References: <200703190046.47021.luciano@lugmen.org.ar> <45FE2587.3050205@trash.net> <20070319152532.GL521@postel.suug.ch> <45FF7D07.4040103@trash.net> <45FF8269.3000606@trash.net> <20070320164004.GN521@postel.suug.ch> <46001300.90804@trash.net> <20070320181547.GO521@postel.suug.ch>
Message-ID: <46003CFF.8050109@trash.net>

Thomas Graf wrote:
> * Patrick McHardy 2007-03-20 17:59
>
>>The presence of the attributes when src_len/dst_len is non-zero
>>is only verified in fib_newrule, so this looks like it might crash
>>when something broken sets src_len/dst_len to a non-zero value
>>without actually adding the attributes.
>
>
> You're right, we need to validate in fib_nl_delrule() as well.
>
> Based on Patrick's patch:
> The fib_rules netlink attribute policy introduced in 2.6.19 broke
> userspace compatibility. When specifying a rule with "from all"
> or "to all", iproute adds a zero byte long netlink attribute,
> but the policy requires all addresses to have a size equal to
> sizeof(struct in_addr)/sizeof(struct in6_addr), resulting in a
> validation error.
>
> Check attribute length of FRA_SRC/FRA_DST in the generic framework
> by letting the family specific rules implementation provide the
> length of an address. Report an error if address length is non
> zero but no address attribute is provided. Fix actual bug by
> checking address length for non-zero instead of relying on
> availability of attribute.
>
> Signed-off-by: Thomas Graf

This looks good, thanks.

Signed-off-by: Patrick McHardy

From CVEREDA at telefonica.net Wed Mar 21 00:41:30 2007
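The checks this thread converges on, modelled in userspace as an added example (not kernel code and not part of the thread): a small netlink attribute parser runs constructed rule messages through the 2.6.19 policy behaviour and through validate_rulemsg() from the final patch. The FRA_* numbers, the 4-byte IPv4 address size and the use of -ERANGE (the "Numerical result out of range" from the thread's subject) for the old policy failure are assumptions.

```c
/* Added example, not kernel code: a userspace model of the FRA_SRC/FRA_DST
 * checks discussed in this thread, run over constructed netlink attribute
 * streams. FRA_* numbers are illustrative, not copied from <linux/fib_rules.h>. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define NLA_HDRLEN   4                     /* sizeof(struct nlattr) */
#define NLA_ALIGN(n) (((n) + 3u) & ~3u)    /* payloads are padded to 4 bytes */
#define FRA_DST      1                     /* illustrative attribute numbers */
#define FRA_SRC      2
#define FRA_MAX      2

struct nlattr_hdr { uint16_t nla_len; uint16_t nla_type; };
struct rule_hdr   { uint8_t src_len; uint8_t dst_len; };   /* subset of fib_rule_hdr */

/* Append one attribute (header, payload, padding) to buf; returns the new length. */
static size_t put_attr(unsigned char *buf, size_t off, uint16_t type,
                       const void *payload, uint16_t plen)
{
    struct nlattr_hdr h = { (uint16_t)(NLA_HDRLEN + plen), type };
    size_t total = NLA_ALIGN(NLA_HDRLEN + plen);
    memset(buf + off, 0, total);                /* zeroes the padding bytes */
    memcpy(buf + off, &h, sizeof h);
    if (plen)
        memcpy(buf + off + NLA_HDRLEN, payload, plen);
    return off + total;
}

/* nla_len(): payload length of an attribute, read without assuming alignment. */
static int payload_len(const unsigned char *attr)
{
    struct nlattr_hdr h;
    memcpy(&h, attr, sizeof h);
    return h.nla_len - NLA_HDRLEN;
}

/* nla_parse(): index attributes by type; -EINVAL on a truncated stream. */
static int parse_attrs(const unsigned char *buf, size_t len,
                       const unsigned char *tb[FRA_MAX + 1])
{
    size_t off = 0;
    memset(tb, 0, sizeof(*tb) * (FRA_MAX + 1));
    while (off + NLA_HDRLEN <= len) {
        struct nlattr_hdr h;
        memcpy(&h, buf + off, sizeof h);
        if (h.nla_len < NLA_HDRLEN || off + h.nla_len > len)
            return -EINVAL;
        if (h.nla_type <= FRA_MAX)
            tb[h.nla_type] = buf + off;
        off += NLA_ALIGN(h.nla_len);
    }
    return 0;
}

/* 2.6.19 behaviour: the per-family nla_policy demanded a full-size address for
 * every FRA_SRC/FRA_DST present, so the zero-length "from all" attribute failed. */
static int policy_check_2619(const unsigned char *tb[], int addr_size)
{
    if (tb[FRA_SRC] && payload_len(tb[FRA_SRC]) != addr_size) return -ERANGE;
    if (tb[FRA_DST] && payload_len(tb[FRA_DST]) != addr_size) return -ERANGE;
    return 0;
}

/* validate_rulemsg() from the final patch: the attribute is required, and its
 * length checked, only when the prefix length is non-zero and fits the address. */
static int validate_rulemsg(const struct rule_hdr *frh,
                            const unsigned char *tb[], int addr_size)
{
    if (frh->src_len)
        if (tb[FRA_SRC] == NULL || frh->src_len > addr_size * 8 ||
            payload_len(tb[FRA_SRC]) != addr_size)
            return -EINVAL;
    if (frh->dst_len)
        if (tb[FRA_DST] == NULL || frh->dst_len > addr_size * 8 ||
            payload_len(tb[FRA_DST]) != addr_size)
            return -EINVAL;
    return 0;
}

/* Build an IPv4 rule message with the given src_len and, if with_src is set, an
 * FRA_SRC attribute of attr_len payload bytes; run it through the 2.6.19 policy
 * (mode 0) or validate_rulemsg (mode 1) and return the resulting error code. */
int run_case(int mode, uint8_t src_len, int with_src, uint16_t attr_len)
{
    unsigned char buf[64];
    const unsigned char *tb[FRA_MAX + 1];
    const unsigned char addr[16] = { 10, 0, 0, 0 };   /* constructed 10.0.0.0 */
    struct rule_hdr frh = { src_len, 0 };
    size_t len = 0;
    if (with_src)
        len = put_attr(buf, len, FRA_SRC, addr, attr_len);
    if (parse_attrs(buf, len, tb) < 0)
        return -EINVAL;
    return mode == 0 ? policy_check_2619(tb, 4) : validate_rulemsg(&frh, tb, 4);
}
```

run_case(0, 0, 1, 0) reproduces the original failure (-ERANGE for a zero-length "from all" attribute), run_case(1, 0, 1, 0) shows the fixed path accepting it, and run_case(1, 8, 0, 0) shows the case Patrick raised (src_len set, attribute absent) now rejected with -EINVAL instead of reaching configure().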
From: CVEREDA at telefonica.net (CVEREDA@telefonica.net)
Date: Wed Mar 21 00:41:51 2007
Subject: [LARTC] Divide bandwidth between 4 groups of ip with the same rate
Message-ID: <27625364.1174434090073.JavaMail.root@ctps1>

Hello,

I began using tc scripts 2 weeks ago, so I am a beginner. I am trying to divide my bandwidth into 4 independent ones. Each of these sub-bandwidths is assigned to one of 4 different groups of IPs. Bandwidth sharing is allowed.

I put a Linux box with two Ethernet cards between the router and the LAN. Eth1 is the card connected to the router and eth0 is the one connected to the LAN. My ISP provides 3 mbit upload and 300 kbit download.

I define 4 classes for download with a rate of 300kbit and a ceil of 2700 kbit (1:10 to 1:40, parent 1:12). In the same way, I define 4 classes for upload with a rate of 72kbit and a ceil of 200kbit (2:10 to 2:40, parent 2:12).

Everything seems to work fine; nevertheless, when the traffic through one of these classes is near its ceil (200kbit), the http traffic through the rest of the classes becomes slow, and I do not understand why the free 56 kbit is not used by this traffic. Anyway, htb should decrease the rate of the abusive class, shouldn't it?

Thank you in advance for your teaching.
The script that I am using is:

# Shaping on eth0 for download traffic (eth0 faces the LAN, so this is
# traffic leaving the box towards the clients).
tc qdisc add dev eth0 root handle 1: htb default 50
tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit
tc class add dev eth0 parent 1:1 classid 1:11 htb rate 80mbit ceil 100mbit
tc class add dev eth0 parent 1:1 classid 1:12 htb rate 2700kbit ceil 2700kbit prio 7
# Four group classes under 1:12; each is guaranteed 300kbit and may borrow up to 2700kbit.
tc class add dev eth0 parent 1:12 classid 1:10 htb rate 300kbit ceil 2700kbit prio 7
tc class add dev eth0 parent 1:12 classid 1:20 htb rate 300kbit ceil 2700kbit prio 7
tc class add dev eth0 parent 1:12 classid 1:30 htb rate 300kbit ceil 2700kbit prio 7
tc class add dev eth0 parent 1:12 classid 1:40 htb rate 300kbit ceil 2700kbit prio 7
# Default class for anything no filter matches.
tc class add dev eth0 parent 1:12 classid 1:50 htb rate 30kbit ceil 270kbit prio 7
# Classify by destination /26.
tc filter add dev eth0 protocol ip parent 1:0 u32 match ip dst 192.168.0.0/26 flowid 1:10
tc filter add dev eth0 protocol ip parent 1:0 u32 match ip dst 192.168.0.64/26 flowid 1:20
tc filter add dev eth0 protocol ip parent 1:0 u32 match ip dst 192.168.0.128/26 flowid 1:30
tc filter add dev eth0 protocol ip parent 1:0 u32 match ip dst 192.168.0.192/26 flowid 1:40

# Shaping on eth1 for upload traffic, marking packets in the mangle table.
tc qdisc add dev eth1 root handle 2: htb default 50
tc class add dev eth1 parent 2: classid 2:1 htb rate 10mbit
tc class add dev eth1 parent 2:1 classid 2:11 htb rate 8mbit ceil 10mbit
# No ceil given, so HTB uses ceil = rate = 256kbit for 2:12.
tc class add dev eth1 parent 2:1 classid 2:12 htb rate 256kbit
# NB: the five children below ask for 4*72 + 10 = 298kbit of guaranteed rate,
# which is more than the 256kbit their parent 2:12 has; HTB cannot honour all
# of those guarantees at once.
tc class add dev eth1 parent 2:12 classid 2:10 htb rate 72kbit ceil 200kbit prio 7
tc class add dev eth1 parent 2:12 classid 2:20 htb rate 72kbit ceil 200kbit prio 7
tc class add dev eth1 parent 2:12 classid 2:30 htb rate 72kbit ceil 200kbit prio 7
tc class add dev eth1 parent 2:12 classid 2:40 htb rate 72kbit ceil 200kbit prio 7
tc class add dev eth1 parent 2:12 classid 2:50 htb rate 10kbit prio 7
# Per-class SFQ so flows within one group share fairly.
tc qdisc add dev eth1 parent 2:10 handle 210: sfq perturb 10
tc qdisc add dev eth1 parent 2:20 handle 220: sfq perturb 10
tc qdisc add dev eth1 parent 2:30 handle 230: sfq perturb 10
tc qdisc add dev eth1 parent 2:40 handle 240: sfq perturb 10
# Mark forwarded packets by source /26; the fw filters below map marks to classes.
iptables -A FORWARD -t mangle -i eth0 -s 192.168.0.0/26 -j MARK --set-mark 1
iptables -A FORWARD -t mangle -i eth0 -s 192.168.0.64/26 -j MARK --set-mark 2
iptables -A FORWARD -t mangle -i eth0 -s 192.168.0.128/26 -j MARK --set-mark 3
iptables -A FORWARD -t mangle -i eth0 -s 192.168.0.192/26 -j MARK --set-mark 4
tc filter add dev eth1 protocol ip parent 2:0 handle 1 prio 16 fw flowid 2:10
tc filter add dev eth1 protocol ip parent 2:0 handle 2 prio 16 fw flowid 2:20
tc filter add dev eth1 protocol ip parent 2:0 handle 3 prio 16 fw flowid 2:30
tc filter add dev eth1 protocol ip parent 2:0 handle 4 prio 16 fw flowid 2:40

TERRA -->

From vdautrem at ulb.ac.be Wed Mar 21 03:35:11 2007
From: vdautrem at ulb.ac.be (Vincent Dautremont)
Date: Wed Mar 21 03:35:25 2007
Subject: [LARTC] how can i compile tc
Message-ID: <797D2AC9-EDBA-452A-B443-C664CD5D837A@ulb.ac.be>

Hi, I'm just new here.

I'm searching for how to compile tc (if I've understood correctly, I must compile the whole iproute2 thing).

So I did as the README file said:
------
1. Look at start of Makefile and set correct values for:
KERNEL_INCLUDE
-----
I did that, and then I don't understand a damn thing about the rest of the first step, about ADDLIB and LDLIBS. So when I type the make command, the compile process fails and ends before compiling ip.

Could someone give me better indications than this README file, perhaps?

Thank you.
Vincent.

From janasamit at wlink.com.np Wed Mar 21 21:07:01 2007
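Going back to the HTB script in CVEREDA's bandwidth-division post above: the following is an added example, not code from that post or from the tc project. It reads the `tc class add ... htb` lines exactly as written there, rebuilds the class tree, and reports the two configuration mistakes that typically make one busy class starve its siblings: children whose guaranteed `rate` values add up to more than the parent's `rate`, and a child `ceil` higher than the parent's `ceil`. Unit values follow tc's conventions (kbit is 1000 bit/s, a bare number is bits per second); the only input embedded is the posted class set itself.

```python
"""Sanity-check an HTB class tree before handing it to tc.

Added example; this is not code from the list post, only a checker for the
`tc class add ... htb rate X ceil Y` lines it contains. It rebuilds the
parent/child tree from those lines and reports two mistakes that make one
busy class starve its siblings:
  * the children's `rate` values add up to more than the parent's `rate`,
    so HTB cannot honour every child's guarantee at the same time;
  * a child's `ceil` is above its parent's `ceil`, which the child can then
    never actually reach.
A class without `ceil` gets ceil = rate, as HTB itself does.
"""
import re

# tc rate units, expressed in bits per second (k/m are SI, as in tc)
_UNITS = {"bit": 1, "kbit": 1_000, "mbit": 1_000_000, "gbit": 1_000_000_000,
          "bps": 8, "kbps": 8_000, "mbps": 8_000_000, "gbps": 8_000_000_000}
_CLASS_RE = re.compile(
    r"tc\s+class\s+add\s+dev\s+(\S+)\s+parent\s+(\S+)\s+classid\s+(\S+)\s+htb\s+(.*)")


def to_bits(value: str) -> int:
    """Convert a tc rate such as '72kbit' or '2700kbit' to bits per second."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([A-Za-z]*)", value)
    if not m:
        raise ValueError(f"unparsable rate {value!r}")
    num, unit = m.groups()
    unit = unit.lower() or "bit"          # a bare number is bits/s for tc
    if unit not in _UNITS:
        raise ValueError(f"unknown rate unit in {value!r}")
    return int(float(num) * _UNITS[unit])


def parse_classes(script: str) -> dict:
    """Map (dev, classid) -> {'parent', 'rate', 'ceil'} for every HTB class line."""
    classes = {}
    for line in script.splitlines():
        m = _CLASS_RE.search(line)
        if not m:
            continue                       # qdisc/filter/iptables lines are not classes
        dev, parent, classid, opts = m.groups()
        toks = opts.split()
        rate = ceil = None
        for i, tok in enumerate(toks[:-1]):
            if tok == "rate":
                rate = to_bits(toks[i + 1])
            elif tok == "ceil":
                ceil = to_bits(toks[i + 1])
        if rate is None:
            raise ValueError(f"class {classid} on {dev} has no rate")
        classes[(dev, classid)] = {"parent": parent,
                                   "rate": rate,
                                   "ceil": ceil if ceil is not None else rate}
    return classes


def check_tree(classes: dict) -> list:
    """Return human-readable problems; an empty list means the tree is consistent."""
    problems = []
    for (dev, cid), parent in classes.items():
        kids = [(k[1], v) for k, v in classes.items()
                if k[0] == dev and v["parent"] == cid]
        if not kids:
            continue
        rate_sum = sum(v["rate"] for _, v in kids)
        if rate_sum > parent["rate"]:
            problems.append(f"{dev} {cid}: children rates sum to {rate_sum} bit/s, "
                            f"parent rate is {parent['rate']} bit/s")
        for kid, v in kids:
            if v["ceil"] > parent["ceil"]:
                problems.append(f"{dev} {kid}: ceil {v['ceil']} bit/s exceeds "
                                f"parent {cid} ceil {parent['ceil']} bit/s")
    return problems


# The class lines from the post above (download tree on eth0, upload tree on
# eth1), used here as the input to check.
POSTED_CLASSES = """
tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit
tc class add dev eth0 parent 1:1 classid 1:11 htb rate 80mbit ceil 100mbit
tc class add dev eth0 parent 1:1 classid 1:12 htb rate 2700kbit ceil 2700kbit prio 7
tc class add dev eth0 parent 1:12 classid 1:10 htb rate 300kbit ceil 2700kbit prio 7
tc class add dev eth0 parent 1:12 classid 1:20 htb rate 300kbit ceil 2700kbit prio 7
tc class add dev eth0 parent 1:12 classid 1:30 htb rate 300kbit ceil 2700kbit prio 7
tc class add dev eth0 parent 1:12 classid 1:40 htb rate 300kbit ceil 2700kbit prio 7
tc class add dev eth0 parent 1:12 classid 1:50 htb rate 30kbit ceil 270kbit prio 7
tc class add dev eth1 parent 2: classid 2:1 htb rate 10mbit
tc class add dev eth1 parent 2:1 classid 2:11 htb rate 8mbit ceil 10mbit
tc class add dev eth1 parent 2:1 classid 2:12 htb rate 256kbit
tc class add dev eth1 parent 2:12 classid 2:10 htb rate 72kbit ceil 200kbit prio 7
tc class add dev eth1 parent 2:12 classid 2:20 htb rate 72kbit ceil 200kbit prio 7
tc class add dev eth1 parent 2:12 classid 2:30 htb rate 72kbit ceil 200kbit prio 7
tc class add dev eth1 parent 2:12 classid 2:40 htb rate 72kbit ceil 200kbit prio 7
tc class add dev eth1 parent 2:12 classid 2:50 htb rate 10kbit prio 7
"""

if __name__ == "__main__":
    for problem in check_tree(parse_classes(POSTED_CLASSES)):
        print(problem)
```

Run against the posted script it reports exactly one problem, on eth1 class 2:12: the five children ask for 298kbit of guaranteed rate while the parent only has 256kbit (and, with no ceil given, a 256kbit ceil). The download tree on eth0 passes both checks.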
From: janasamit at wlink.com.np (Samit)
Date: Wed Mar 21 21:07:37 2007
Subject: [LARTC] Shaping based on Vlan tag
Message-ID: <46019065.4010901@wlink.com.np>

Hi all,

A new member and a new post.

Is it possible to manage bandwidth by marking the packets based on VLAN tags using ebtables?

Samit

From linux at arcoscom.com Thu Mar 22 09:28:59 2007
From: linux at arcoscom.com (ArcosCom Linux User)
Date: Thu Mar 22 09:28:55 2007
Subject: [LARTC] Re: Multilink + bridge + nat problem
In-Reply-To: <48254.84.123.233.184.1174345071.squirrel@www.arcoscom.com>
References: <48254.84.123.233.184.1174345071.squirrel@www.arcoscom.com>
Message-ID: <55003.195.55.244.106.1174552139.squirrel@www.arcoscom.com>

Any help please?

Thanks.

On Mon, 19 March 2007, 23:57, ArcosCom Linux User wrote:
> Hi, I have a suspicious problem with a multiple uplinks configuration.
> First of all, my configuration:
> 1) kernel 2.6.20.3
> 2) iptables 1.3.7
> 3) latest iproute (for masked marks)
>
> All WAN interfaces are bridged (STP disabled) into only one interface
> (wan0); all LAN interfaces are bridged (STP enabled) into only one interface
> (zlan0).
>
> The wan0 bridge is there to allow UPnP to work.
>
> To allow related incoming traffic from one physical interface I mark
> connections, and the same to allow outgoing related traffic.
>
> The routing rules are the same as in the LARTC documentation, plus a rule per
> interface to allow routing using (masked) marks.
>
> The commands I use are:
>
> ==BEGIN==
> /sbin/ip rule del prio 50 table main
> /sbin/ip rule del prio 100 fwmark 0x8000/0xf000 table 150
> /sbin/ip rule del prio 150 from 217.125.139.204/26 table 150
> /sbin/ip rule del prio 101 fwmark 0x4000/0xf000 table 151
> /sbin/ip rule del prio 151 from 80.32.61.58/24 table 151
> /sbin/ip rule del prio 200 table 200
> /sbin/ip route flush table 150
> /sbin/ip route flush table 151
> /sbin/ip route flush table 200
> /sbin/iptables -t mangle -D PREROUTING -j MARCAR_IFACE
> /sbin/iptables -t mangle -F MARCAR_IFACE
> /sbin/iptables -t mangle -X MARCAR_IFACE
> /sbin/iptables -t mangle -F MARCAR_IFACE_TRAFICO
> /sbin/iptables -t mangle -X MARCAR_IFACE_TRAFICO
> /sbin/iptables -t mangle -D POSTROUTING -j MARCAR_IFACE_OUT
> /sbin/iptables -t mangle -F MARCAR_IFACE_OUT
> /sbin/iptables -t mangle -X MARCAR_IFACE_OUT
> /sbin/iptables -t mangle -N MARCAR_IFACE
> /sbin/iptables -t mangle -N MARCAR_IFACE_TRAFICO
> /sbin/iptables -t mangle -A MARCAR_IFACE -j CONNMARK --restore-mark
> /sbin/iptables -t mangle -A MARCAR_IFACE -m mark ! --mark 0x0000/0xf000 -j RETURN
> /sbin/iptables -t mangle -A MARCAR_IFACE -m mark --mark 0x0000/0xf000 -j MARCAR_IFACE_TRAFICO
> /sbin/iptables -t mangle -N MARCAR_IFACE_OUT
> /sbin/iptables -t mangle -A MARCAR_IFACE_OUT -j CONNMARK --restore-mark
> /sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark ! --mark 0x0000/0xf000 -j RETURN
> /sbin/iptables -t mangle -A MARCAR_IFACE -m mark --mark 0x0000/0xf000 -i wan0 -m physdev --physdev-in eth1 -m state --state NEW -j MARK --or-mark 0x8000
> /sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 -o wan0 -m conntrack --ctreplsrc 217.125.139.204 -j MARK --or-mark 0x8000
> /sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 -o wan0 -m conntrack --ctrepldst 217.125.139.204 -j MARK --or-mark 0x8000
> /sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 -o wan0 -s 217.125.139.204 -j MARK --or-mark 0x8000
> /sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 -o wan0 -m conntrack --ctorigsrc 217.125.139.204 -j MARK --or-mark 0x8000
> /sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 -o wan0 -m conntrack --ctorigdst 217.125.139.204 -j MARK --or-mark 0x8000
> /sbin/iptables -t mangle -A MARCAR_IFACE -m mark --mark 0x0000/0xf000 -i wan0 -m physdev --physdev-in eth3 -m state --state NEW -j MARK --or-mark 0x4000
> /sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 -o wan0 -m conntrack --ctreplsrc 80.32.61.58 -j MARK --or-mark 0x4000
> /sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 -o wan0 -m conntrack --ctrepldst 80.32.61.58 -j MARK --or-mark 0x4000
> /sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 -o wan0 -s 80.32.61.58 -j MARK --or-mark 0x4000
> /sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 -o wan0 -m conntrack --ctorigsrc 80.32.61.58 -j MARK --or-mark 0x4000
> /sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 -o wan0 -m conntrack --ctorigdst 80.32.61.58 -j MARK --or-mark 0x4000
> /sbin/iptables -t mangle -A MARCAR_IFACE -j CONNMARK --save-mark
> /sbin/iptables -t mangle -A MARCAR_IFACE -j RETURN
> /sbin/iptables -t mangle -I PREROUTING -j MARCAR_IFACE
> /sbin/iptables -t mangle -A MARCAR_IFACE_OUT -j CONNMARK --save-mark
> /sbin/iptables -t mangle -A MARCAR_IFACE_OUT -j RETURN
> /sbin/iptables -t mangle -I POSTROUTING -j MARCAR_IFACE_OUT
> /sbin/ip rule add prio 50 table main
> /sbin/ip rule add prio 100 fwmark 0x8000/0xf000 table 150
> /sbin/ip rule add prio 150 from 217.125.139.204/26 table 150
> /sbin/ip route add default via 217.125.139.193 dev wan0 src 217.125.139.204 proto static table 150
> /sbin/ip route append prohibit default table 150 metric 1 proto static
> /sbin/ip rule add prio 101 fwmark 0x4000/0xf000 table 151
> /sbin/ip rule add prio 151 from 80.32.61.58/24 table 151
> /sbin/ip route add default via 80.32.61.1 dev wan0 src 80.32.61.58 proto static table 151
> /sbin/ip route append prohibit default table 151 metric 1 proto static
> /sbin/ip rule add prio 200 table 200
> /sbin/ip route add default table 200 proto static nexthop via 217.125.139.193 dev wan0 weight 1 nexthop via 80.32.61.1 dev wan0 weight 1
> /sbin/ip route flush cache
> ==END==
>
> I have this "output" for all chains and routes:
> ==BEGIN==
> === IPTABLES RULES FOR ROUTING ===
> Chain PREROUTING (policy ACCEPT 8664K packets, 5097M bytes)
> num  pkts  bytes  target   prot opt in   out  source     destination
> 1    3348K 1832M  MARCAR_IFACE  0  --  *    *    0.0.0.0/0  0.0.0.0/0
>
> Chain MARCAR_IFACE (1 references)
> num  pkts  bytes  target   prot opt in   out  source     destination
> 1    3348K 1832M  CONNMARK  0  --  *    *    0.0.0.0/0  0.0.0.0/0  CONNMARK restore
> 2    2841K 1653M  RETURN    0  --  *    *    0.0.0.0/0  0.0.0.0/0  MARK match !0x0/0xf000
> 3    507K  179M   MARCAR_IFACE_TRAFICO  0  --  *  *  0.0.0.0/0  0.0.0.0/0  MARK match 0x0/0xf000
> 4    40690 2721K  MARK      0  --  wan0 *    0.0.0.0/0  0.0.0.0/0  MARK match 0x0/0xf000 PHYSDEV match --physdev-in eth1 state NEW MARK or 0x8000
> 5    48680 3062K  MARK      0  --  wan0 *    0.0.0.0/0  0.0.0.0/0  MARK match 0x0/0xf000 PHYSDEV match --physdev-in eth3 state NEW MARK or 0x4000
> 6    507K  179M   CONNMARK  0  --  *    *    0.0.0.0/0  0.0.0.0/0  CONNMARK save
> 7    507K  179M   RETURN    0  --  *    *    0.0.0.0/0  0.0.0.0/0
>
> Chain MARCAR_IFACE_TRAFICO (1 references)
> num  pkts  bytes  target   prot opt in   out  source     destination
>
> Chain POSTROUTING (policy ACCEPT 16M packets, 8665M bytes)
> num  pkts  bytes  target   prot opt in   out  source     destination
> 1    6483K 3397M  MARCAR_IFACE_OUT  0  --  *  *  0.0.0.0/0  0.0.0.0/0
>
> Chain MARCAR_IFACE_OUT (1 references)
> num  pkts  bytes  target   prot opt in   out  source     destination
> 1    6483K 3397M  CONNMARK  0  --  *    *     0.0.0.0/0  0.0.0.0/0  CONNMARK restore
> 2    5781K 2966M  RETURN    0  --  *    *     0.0.0.0/0  0.0.0.0/0  MARK match !0x0/0xf000
> 3    0     0      MARK      0  --  *    wan0  0.0.0.0/0  0.0.0.0/0  MARK match 0x0/0xf000 ctreplsrc 217.125.139.204 MARK or 0x8000
> 4    104K  7470K  MARK      0  --  *    wan0  0.0.0.0/0  0.0.0.0/0  MARK match 0x0/0xf000 ctrepldst 217.125.139.204 MARK or 0x8000
> 5    135   7091   MARK      0  --  *    wan0  217.125.139.204  0.0.0.0/0  MARK match 0x0/0xf000 MARK or 0x8000
> 6    0     0      MARK      0  --  *    wan0  0.0.0.0/0  0.0.0.0/0  MARK match 0x0/0xf000 ctorigsrc 217.125.139.204 MARK or 0x8000
> 7    0     0      MARK      0  --  *    wan0  0.0.0.0/0  0.0.0.0/0  MARK match 0x0/0xf000 ctorigdst 217.125.139.204 MARK or 0x8000
> 8    0     0      MARK      0  --  *    wan0  0.0.0.0/0  0.0.0.0/0  MARK match 0x0/0xf000 ctreplsrc 80.32.61.58 MARK or 0x4000
> 9    101K  7298K  MARK      0  --  *    wan0  0.0.0.0/0  0.0.0.0/0  MARK match 0x0/0xf000 ctrepldst 80.32.61.58 MARK or 0x4000
> 10   175   7578   MARK      0  --  *    wan0  80.32.61.58  0.0.0.0/0  MARK match 0x0/0xf000 MARK or 0x4000
> 11   0     0      MARK      0  --  *    wan0  0.0.0.0/0  0.0.0.0/0  MARK match 0x0/0xf000 ctorigsrc 80.32.61.58 MARK or 0x4000
> 12   1     48     MARK      0  --  *    wan0  0.0.0.0/0  0.0.0.0/0  MARK match 0x0/0xf000 ctorigdst 80.32.61.58 MARK or 0x4000
> 13   702K  431M   CONNMARK  0  --  *    *     0.0.0.0/0  0.0.0.0/0  CONNMARK save
> 14   702K  431M   RETURN    0  --  *    *     0.0.0.0/0  0.0.0.0/0
>
> === ROUTING RULES ===
> 0:      from all lookup local
> 50:     from all lookup main
> 100:    from all fwmark 0x8000/0xf000 lookup uno
> 101:    from all fwmark 0x4000/0xf000 lookup dos
> 150:    from 217.125.139.204/26 lookup uno
> 151:    from 80.32.61.58/24 lookup dos
> 200:    from all lookup defecto
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> === ROUTE TABLES ===
> === MAIN ===
> 217.125.139.192/26 dev wan0 proto kernel scope link src 217.125.139.204
> 80.32.61.0/24 dev wan0 proto kernel scope link src 80.32.61.58
> 192.168.3.0/24 dev zlan0 proto kernel scope link src 192.168.3.247
> 192.168.2.0/24 dev zlan0 proto kernel scope link src 192.168.2.247
> 192.168.1.0/24 dev zlan0 proto kernel scope link src 192.168.1.247
> 10.1.1.0/24 dev zlan0 proto kernel scope link src 10.1.1.6
> 169.254.0.0/16 dev zlan0 scope link
> 239.0.0.0/8 dev zlan0 scope link
> === wan0 TABLE 150 ===
> default via 217.125.139.193 dev wan0 proto static src 217.125.139.204
> prohibit default proto static metric 1
> === wan0 TABLE 151 ===
> default via 80.32.61.1 dev wan0 proto static src 80.32.61.58
> prohibit default proto static metric 1
> === TABLE 200 (defecto) ===
> default proto static
>     nexthop via 217.125.139.193 dev wan0 weight 1
>     nexthop via 80.32.61.1 dev wan0 weight 1
>
> ==END==
>
> The -t nat POSTROUTING rules:
> ==BEGIN==
> Chain POSTROUTING (policy ACCEPT 58524 packets, 42M bytes)
> pkts  bytes  target      prot opt in  out     source       destination
> 0     0      SNAT        0  --  *   eth3    10.1.1.0/24  0.0.0.0/0  to:80.32.61.58
> 0     0      SNAT        0  --  *   eth1    10.1.1.0/24  0.0.0.0/0  to:217.125.139.204
> 0     0      SNAT        0  --  *   wan0    10.1.1.0/24  0.0.0.0/0  PHYSDEV match --physdev-out eth3 to:80.32.61.58
> 0     0      SNAT        0  --  *   wan0    10.1.1.0/24  0.0.0.0/0  PHYSDEV match --physdev-out eth1 to:217.125.139.204
> 0     0      SNAT        0  --  *   eth3    10.1.1.0/24  0.0.0.0/0  to:80.32.61.58
> 0     0      SNAT        0  --  *   eth1    10.1.1.0/24  0.0.0.0/0  to:217.125.139.204
> 578K  39M    MASQUERADE  0  --  *   wan0    10.1.1.0/24  0.0.0.0/0
> 0     0      MASQUERADE  0  --  *   wan0:1  10.1.1.0/24  0.0.0.0/0
> 0     0      SNAT        0  --  *   wan0    10.1.1.0/24  0.0.0.0/0  to:80.32.61.58
> 0     0      SNAT        0  --  *   wan0    10.1.1.0/24  0.0.0.0/0  to:217.125.139.204
>
> ==END==
>
> The problems I have are:
> 1) If I make ssh connections from the internet to the router (not to any PC
>    in the LAN zone), sometimes the ssh sessions disconnect.
> 2) If I run tcpdump like this:
>      tcpdump -n -i eth3 not host 80.32.61.58
>      tcpdump -n -i eth1 not host 217.125.139.204
>    I can see:
>    a) IP frames not NATed, where the source address is from the LAN zone.
>    b) Source IPs that are not correct.
>    With these tcpdump commands I expect to see nothing; instead I can see
>    frames as described below.
>
> Because there is only one WAN interface (with 2 IPs), I can only use "-j
> MASQUERADE" for the NATing; I can't use -m physdev --physdev-out, the
> netfilter layer appears not to know what the real outgoing interface in
> the bridge wan0 is, and "wan0:1" is not handled by the netfilter layer.
>
> The questions:
> 1) Does anyone know if this is a known issue (the tcpdump output and the
>    physdev issue)?
> 2) Does anyone know how to use SNAT in this case (I can't use -j SNAT)?
> 3) With 2.6.19.7 I was using "-m physdev --physdev-out" in the chain
>    "MARCAR_IFACE_OUT", but with the updated 2.6.20.3 kernel, -m physdev
>    appears to be broken and I then must use -m conntrack. Is this a good
>    solution?
>
> Please, I need any help; with this configuration I discovered these
> problems but I don't know how to solve them:
> 1) The wan0 bridge doesn't appear to be working 100% of the time (it appears
>    that packets from one IP in the bridge are sent out the other interface).
> 2) NAT appears to be a bit confused and doesn't NAT all packets;
>    MASQUERADE doesn't seem to work all the time.
> 3) -m physdev --physdev-out doesn't know what the real physical interface
>    is where the packets are sent. (With the 2.6.19.7 kernel this extension
>    was working, or, at least, there were counters in the rules.)
> 4) Connections from the internet to the router machine are lost randomly.
>
> I have no problem using the POSTROUTING chain in the nat table to DROP or
> REJECT incorrect packets, but ... do I really need to do that?
>
> Thanks!!
> All help is appreciated!!
>
> Regards.
>
> P.D.: Sorry, my English is a bit poor.
>

From azez at ufomechanic.net Thu Mar 22 10:24:30 2007
From: azez at ufomechanic.net (Amin Azez)
Date: Thu Mar 22 10:24:48 2007
Subject: [LARTC] Re: Shaping based on Vlan tag
In-Reply-To: <46019065.4010901@wlink.com.np>
References: <46019065.4010901@wlink.com.np>
Message-ID: <46024B4E.9000007@ufomechanic.net>

* Samit wrote, On 21/03/07 20:07:
> Hi all,
>
> A new member and new post.
>
> Is it possible to manage bandwidth marking the packets based on VLAN
> tags using ebtables?

If ebtables can match a vlan tag then you can set a mark in PREROUTING based on the vlan tag. You can use this mark in the tc classification to select packets to traffic classes for shaping.

Sam

From azez at ufomechanic.net Thu Mar 22 10:30:24 2007
From: azez at ufomechanic.net (Amin Azez)
Date: Thu Mar 22 10:30:26 2007
Subject: [LARTC] Re: TC not working well with bonded nics please help
In-Reply-To: <3742.65.115.68.194.1174346513.squirrel@webmail.calsoftinc.com>
References: <3742.65.115.68.194.1174346513.squirrel@webmail.calsoftinc.com>
Message-ID: <46024CB0.5000301@ufomechanic.net>

* dhananjay.tembe@calsoftinc.com wrote, On 19/03/07 23:21:
> Hi,
> I am facing a problem when I run tc on the bonded nic cards.
> When I run tc on a single nic card, it worked perfectly fine. But when I
> run tc on a bond of two nics, tc gives poor performance. The two nics
> were bonded in round-robin (load balancing) mode. I created a qdisc, class
> and a filter as follows:
>
> tc qdisc add dev bond0 root handle 1: htb
> tc class add dev bond0 parent 1: classid 1:1 htb rate 240mbps
> tc class add dev bond0 parent 1:1 classid 1:2 htb rate 50 ceil 50 quantum 1500

I may have missed something, but why did you expect a transmit rate of 400mbps? Has anything else changed besides the bond?

If your traffic is not sent evenly and burst or cburst aren't big enough to buffer the data until transmit, then it will be dropped, reducing your throughput.

How are you calculating the transmit rate; is the transmit rate actually 70mbps or is that the tcp send rate, maybe due to retransmission because of tc drops?

Sam

From frederic at juliana-multimedia.com Thu Mar 22 10:58:46 2007
From: frederic at juliana-multimedia.com (Frédéric Massot)
Date: Thu Mar 22 10:59:13 2007
Subject: [LARTC] Re: Mark on FTP passive traffic
In-Reply-To: <20070310020019.67ef107e@localhost>
References: <20070310020019.67ef107e@localhost>
Message-ID:

Rodolfo Brasnarof wrote:
> [...]
> Here's what I'm using to mark ftp traffic for routing purposes, then
> I use the prerouting chain:
>
> # ftp
> iptables -t mangle -A PREROUTING -i eth0 -p tcp --sport 20 -j MARK --set-mark 1000
> iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 20 -j MARK --set-mark 1000
> iptables -t mangle -A PREROUTING -i eth0 -p tcp --sport 21 -j MARK --set-mark 1000
> iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 21 -j MARK --set-mark 1000
> iptables -t mangle -A PREROUTING -m helper --helper ftp -j MARK --set-mark 1000
>
> With the use of the ftp_conntrack helper you can match all your ftp
> traffic, even passive ftp.
>
> I hope this can help you.

Hi,

Thank you, it is really what I needed. :o)

Regards.
--
==============================================
| FRÉDÉRIC MASSOT                            |
| http://www.juliana-multimedia.com          |
| mailto:frederic@juliana-multimedia.com     |
===========================Debian=GNU/Linux===

From frederic at juliana-multimedia.com Thu Mar 22 11:41:15 2007
From: frederic at juliana-multimedia.com (Frédéric Massot)
Date: Thu Mar 22 11:41:49 2007
Subject: [LARTC] Re: "dst cache overflow" messages and crash
In-Reply-To: <45DC4BAD.3000903@netwlan.net>
References: <45D9A86F.2020407@juliana-multimedia.com> <45DC4BAD.3000903@netwlan.net>
Message-ID:

Ivan Vladimirov wrote:
> Frédéric Massot wrote:
>> Hi,
>>
>> I regularly have errors (kernel: dst cache overflow) and crashes of a
>> firewall under Linux 2.6.17 and the route patch from Julian Anastasov.
>>
>> With rtstat I see that the route cache size increases regularly without
>> ever decreasing.
>>
>> I have these parameters:
>> fw:/proc/sys/net/ipv4/route# grep . *
>> error_burst:1250
>> error_cost:250
>> gc_elasticity:15
>> gc_interval:60
>> gc_min_interval:0
>> gc_min_interval_ms:500
>> gc_thresh:4096
>> gc_timeout:300
>> max_delay:10
>> max_size:65536
>> min_adv_mss:256
>> min_delay:2
>> min_pmtu:552
>> mtu_expires:600
>> redirect_load:5
>> redirect_number:9
>> redirect_silence:5120
>> secret_interval:600
>>
>> I can increase the maximum size of the cache, but that will do nothing
>> but delay the crash.
>>
>> Can you help me?
>>
>> Regards.
> max_size=65536
> is too low; increase size to 256k

Hi,

I monitored the system for a few weeks with slabtop and rtstat.

What I could see is that the ip_dst_cache cache grows without ever being cleaned by the garbage collector.

After a few days the traffic is slowed down and the customer restarts the firewall. When the cache reaches its maximum value there is the error message (kernel: dst cache overflow) and the traffic is really disturbed.

I use the Linux kernel 2.6.17 and the route patch from Julian Anastasov.

- Does the bug come from the kernel or from the patch?

- Do you know if this bug was corrected in newer versions of the kernel?

Regards.
--
==============================================
| FRÉDÉRIC MASSOT                            |
| http://www.juliana-multimedia.com          |
| mailto:frederic@juliana-multimedia.com     |
===========================Debian=GNU/Linux===

From kaber at trash.net Thu Mar 22 12:11:54 2007
From: kaber at trash.net (Patrick McHardy)
Date: Thu Mar 22 12:12:05 2007
Subject: [LARTC] Re: Multilink + bridge + nat problem
In-Reply-To: <55003.195.55.244.106.1174552139.squirrel@www.arcoscom.com>
References: <48254.84.123.233.184.1174345071.squirrel@www.arcoscom.com> <55003.195.55.244.106.1174552139.squirrel@www.arcoscom.com>
Message-ID: <4602647A.1030202@trash.net>

ArcosCom Linux User wrote:
> Any help please?

Please attach your scripts; your mailer wrapped the lines, which makes them pretty unreadable.

From administrator at netwlan.net Thu Mar 22 14:18:27 2007
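For the multilink thread above (ArcosCom's quoted `ip rule` / CONNMARK setup and Patrick's request for readable scripts), here is an added example, not code from the thread or from iproute2: a small Python model of the rule-and-table lookup those commands create, so the effect of the masked fwmark rules (`0x8000/0xf000` to table 150, `0x4000/0xf000` to table 151), the source-prefix rules and the `prohibit default` fallbacks can be traced for a given packet without a router. Rules are tried in priority order; a rule whose table holds no route for the destination is skipped, which is why `main` (connected networks only) falls through to the mark rules; a `prohibit` route ends the lookup with an error instead of falling through to table 200. The addresses and table numbers are the ones from the post; the multipath route in table 200 is simplified to its first nexthop, and the bridge/physdev behaviour the poster is really fighting is outside this model.

```python
"""Model of the `ip rule` / routing-table lookup that the quoted commands set up.

Added example, not code from the thread. Rules are tried in priority
order; a rule whose table has no route for the destination is skipped;
a `prohibit` route terminates the lookup. Table 200's multipath route is
reduced to its first nexthop. Bridge/physdev behaviour is not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    prio: int
    table: str
    fwmark: Optional[int] = None      # match (mark & mask) == fwmark
    mask: int = 0xFFFFFFFF
    src: Optional[str] = None         # match source inside this prefix


@dataclass
class Route:
    prefix: str                       # "default" or a CIDR prefix
    via: Optional[str] = None         # next hop; None for a connected route
    prohibit: bool = False
    metric: int = 0


# The `ip rule add` lines from the post, in priority order.
RULES = [
    Rule(50, "main"),
    Rule(100, "150", fwmark=0x8000, mask=0xF000),
    Rule(101, "151", fwmark=0x4000, mask=0xF000),
    Rule(150, "150", src="217.125.139.204/26"),
    Rule(151, "151", src="80.32.61.58/24"),
    Rule(200, "200"),
]

# The tables as shown in the post's "ROUTE TABLES" output (main abbreviated).
TABLES = {
    "main": [Route("217.125.139.192/26"), Route("80.32.61.0/24"),
             Route("10.1.1.0/24"), Route("192.168.1.0/24")],
    "150": [Route("default", via="217.125.139.193"),
            Route("default", prohibit=True, metric=1)],
    "151": [Route("default", via="80.32.61.1"),
            Route("default", prohibit=True, metric=1)],
    "200": [Route("default", via="217.125.139.193")],   # first nexthop only
}


def _rule_matches(rule: Rule, src: str, fwmark: int) -> bool:
    if rule.fwmark is not None and (fwmark & rule.mask) != rule.fwmark:
        return False
    if rule.src is not None:
        net = ipaddress.ip_network(rule.src, strict=False)
        if ipaddress.ip_address(src) not in net:
            return False
    return True


def _best_route(routes: list, dst: str) -> Optional[Route]:
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        net = ipaddress.ip_network(
            "0.0.0.0/0" if r.prefix == "default" else r.prefix, strict=False)
        if dst_ip in net:
            key = (net.prefixlen, -r.metric)
            if best is None or key > best[0]:
                best = (key, r)
    return best[1] if best else None


def route(src: str, dst: str, fwmark: int = 0, tables: dict = TABLES) -> tuple:
    """Return ('via', nexthop), ('connected', prefix), ('prohibit', table)
    or ('unreachable', None) for one packet."""
    for rule in sorted(RULES, key=lambda r: r.prio):
        if not _rule_matches(rule, src, fwmark):
            continue
        r = _best_route(tables[rule.table], dst)
        if r is None:
            continue                  # empty lookup: the kernel tries the next rule
        if r.prohibit:
            return ("prohibit", rule.table)
        if r.via is None:
            return ("connected", r.prefix)
        return ("via", r.via)
    return ("unreachable", None)


if __name__ == "__main__":
    print(route("10.1.1.5", "8.8.8.8", fwmark=0x8000))   # link 1 via mark
    print(route("10.1.1.5", "8.8.8.8"))                  # unmarked: table 200
    print(route("80.32.61.58", "8.8.8.8"))               # router's own address
```

Two things the model makes visible: only the top nibble of the mark matters (the `0xf000` mask), so a mark like `0x4123` still selects table 151 and `0x0800` selects nothing, and if the `default via` route in table 150 disappears (link down), the `prohibit` entry stops the packet rather than letting it leak to table 200's other uplink.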
From: administrator at netwlan.net (Ivan Vladimirov)
Date: Thu Mar 22 14:20:16 2007
Subject: [LARTC] Re: "dst cache overflow" messages and crash
In-Reply-To:
References: <45D9A86F.2020407@juliana-multimedia.com> <45DC4BAD.3000903@netwlan.net>
Message-ID: <46028223.4010104@netwlan.net>

Patches from Julian Anastasov work, as he mentioned, only for the 2.4 series of kernels. His patches are untested for 2.6 kernels.

The 2.6.17 kernel is not supposed to have this bug, because it was fixed earlier, in 2.6.16.

My advice is to switch from 2.6.17 to 2.6.16.29 or later and avoid the patches from Julian; there are other ways to perform the same task without patches.

Frédéric Massot wrote:
> Ivan Vladimirov wrote:
>> Frédéric Massot wrote:
>>> Hi,
>>>
>>> I regularly have errors (kernel: dst cache overflow) and crashes of a
>>> firewall under Linux 2.6.17 and the route patch from Julian Anastasov.
>>>
>>> With rtstat I see that the route cache size increases regularly without
>>> ever decreasing.
>>>
>>> I have these parameters:
>>> fw:/proc/sys/net/ipv4/route# grep . *
>>> error_burst:1250
>>> error_cost:250
>>> gc_elasticity:15
>>> gc_interval:60
>>> gc_min_interval:0
>>> gc_min_interval_ms:500
>>> gc_thresh:4096
>>> gc_timeout:300
>>> max_delay:10
>>> max_size:65536
>>> min_adv_mss:256
>>> min_delay:2
>>> min_pmtu:552
>>> mtu_expires:600
>>> redirect_load:5
>>> redirect_number:9
>>> redirect_silence:5120
>>> secret_interval:600
>>>
>>> I can increase the maximum size of the cache, but that will do nothing
>>> but delay the crash.
>>>
>>> Can you help me?
>>>
>>> Regards.
>> max_size=65536
>> is too low; increase size to 256k
>
> Hi,
>
> I monitored the system for a few weeks with slabtop and rtstat.
>
> What I could see is that the ip_dst_cache cache grows without ever
> being cleaned by the garbage collector.
>
> After a few days the traffic is slowed down and the customer
> restarts the firewall.
> When the cache reaches its maximum value there
> is the error message (kernel: dst cache overflow) and the traffic is
> really disturbed.
>
> I use the Linux kernel 2.6.17 and the route patch from Julian Anastasov.
>
> - Does the bug come from the kernel or from the patch?
>
> - Do you know if this bug was corrected in newer versions of the
> kernel?
>
> Regards.

From lists at andyfurniss.entadsl.com Thu Mar 22 15:49:20 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Thu Mar 22 15:49:17 2007
Subject: [LARTC] how can i compile tc
In-Reply-To: <797D2AC9-EDBA-452A-B443-C664CD5D837A@ulb.ac.be>
References: <797D2AC9-EDBA-452A-B443-C664CD5D837A@ulb.ac.be>
Message-ID: <46029770.8000408@andyfurniss.entadsl.com>

Vincent Dautremont wrote:
> Hi, i'm just new here,
> i'm searching for how to compile tc (if i've understood correctly, i
> must compile the whole iproute2 thing).
>
> So i did like the read me file said:
> ------
> 1. Look at start of Makefile and set correct values for:
> KERNEL_INCLUDE
> -----
> i did that, and then i doesn't understand a damn thing about the reste
> of the the 1st step about ADDLIB and LDLIBS.
> so when i type the make command, the compiling process fail and end
> before compiling ip.
>
> Could someone give me better indications than this read me file perhaps ?

I've never had to change anything other than KERNEL_INCLUDE and sometimes remove arpd from the build because I don't need it and it sometimes causes errors (for me because of no/wrong BerkeleyDB).

Just tried the 2.6.19 and 20 versions (I notice iproute-latest still points at 19). Neither build - Error on m_ipt.o. This was just a quick test against a vanilla 2.6.19-rc6.

Previously putting different iptables/netfilter headers into iproute include fixed this - was a long time ago. Maybe Stephen will know - added to cc.

Andy.

From johnnyb at marlboro.edu Thu Mar 22 20:05:18 2007
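For the "dst cache overflow" thread above (Frédéric watching `ip_dst_cache` grow with rtstat, Ivan suggesting a bigger `max_size`), here is an added example, not code from the thread or from the rtstat tool: a reader for `/proc/net/stat/rt_cache`, the same file rtstat samples, that turns two snapshots into a verdict. The file has one header line of counter names and then one row of hexadecimal values per CPU; `entries` is the current number of cached dst entries (repeated on every row), the other columns are per-CPU counters, and `gc_dst_overflow` is the counter the kernel increments each time garbage collection fails to get the cache back under `max_size`, i.e. each "dst cache overflow" message. The thresholds default to the `gc_thresh` and `max_size` values from the post (4096 and 65536); both snapshots below are constructed, not captured from the poster's firewall.

```python
"""Check the IPv4 route cache from /proc/net/stat/rt_cache, as rtstat does.

Added example, not code from the thread. parse_rt_cache() understands the
header + one-hex-row-per-CPU layout; assess() compares two snapshots
against gc_thresh / max_size and reports 'ok', 'above_gc_thresh',
'growing' (above gc_thresh and GC is not shrinking it) or 'overflow'
(entries reached max_size or gc_dst_overflow advanced). Samples below
are constructed, not real captures.
"""


def parse_rt_cache(text: str) -> tuple:
    """Return (entries, {counter: sum over CPUs}) for one rt_cache snapshot."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    names = lines[0].split()
    rows = [[int(v, 16) for v in ln.split()] for ln in lines[1:]]
    if not rows or any(len(r) != len(names) for r in rows):
        raise ValueError("rt_cache row does not match header")
    col = {n: i for i, n in enumerate(names)}
    entries = rows[0][col["entries"]]            # global value, repeated per CPU
    totals = {n: sum(r[col[n]] for r in rows) for n in names if n != "entries"}
    return entries, totals


def assess(before: str, after: str, gc_thresh: int = 4096, max_size: int = 65536) -> dict:
    """Compare two snapshots taken some time apart (sysctl defaults from the post)."""
    entries_b, tot_b = parse_rt_cache(before)
    entries_a, tot_a = parse_rt_cache(after)
    overflows = tot_a["gc_dst_overflow"] - tot_b["gc_dst_overflow"]
    if overflows > 0 or entries_a >= max_size:
        status = "overflow"          # this is when "dst cache overflow" is logged
    elif entries_a > gc_thresh and entries_a > entries_b:
        status = "growing"           # GC should be trimming but the cache keeps growing
    elif entries_a > gc_thresh:
        status = "above_gc_thresh"
    else:
        status = "ok"
    return {"entries": entries_a, "growth": entries_a - entries_b,
            "new_overflows": overflows, "status": status}


# Constructed two-CPU snapshots in the real file's layout (header is the
# kernel's column list; values are made up for the example).
HEADER = ("entries  in_hit in_slow_tot in_slow_mc in_no_route in_brd in_martian_dst "
          "in_martian_src  out_hit out_slow_tot out_slow_mc  gc_total gc_ignored "
          "gc_goal_miss gc_dst_overflow in_hlist_search out_hlist_search")
SAMPLE_HEALTHY = HEADER + """
00000a80  00a3f210 0001e240 00000000 00000003 00000120 00000000 00000000  00045a10 00002c00 00000000  00000310 00000180 00000000 00000000 00012000 00004000
00000a80  0098b0c4 0001c100 00000000 00000001 00000110 00000000 00000000  00041000 00002a00 00000000  00000300 00000170 00000000 00000000 00011000 00003800
"""
SAMPLE_LATER = HEADER + """
00010000  00c0f210 0005e240 00000000 00000003 00000140 00000000 00000000  00065a10 00009c00 00000000  00001310 00000180 00000900 0000002a 00112000 00014000
00010000  00b8b0c4 0005c100 00000000 00000001 00000130 00000000 00000000  00061000 00009a00 00000000  00001300 00000170 00000880 00000019 00111000 00013800
"""

if __name__ == "__main__":
    # On a live box: assess(open("/proc/net/stat/rt_cache").read(), <later read>)
    print(assess(SAMPLE_HEALTHY, SAMPLE_LATER))
```

On a live system, read the file twice some minutes apart and feed both texts to `assess()`; a `growing` verdict over several samples is the pattern Frédéric describes (cache never trimmed by GC), while `overflow` with `new_overflows > 0` matches the kernel message itself. Raising `max_size` only moves the point at which `overflow` is reached; it does not change a `growing` trend.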
From: johnnyb at marlboro.edu (John Baker)
Date: Thu Mar 22 20:05:48 2007
Subject: [LARTC] how can i compile tc
In-Reply-To: <46029770.8000408@andyfurniss.entadsl.com>
References: <797D2AC9-EDBA-452A-B443-C664CD5D837A@ulb.ac.be> <46029770.8000408@andyfurniss.entadsl.com>
Message-ID: <4602D36E.6000502@marlboro.edu>

I'm having a bunch of troubles with this as well. I'm using Ubuntu Dapper with vanilla kernel 2.6.20.3. The iproute2-2.6.20 compile dies right away after

/usr/include/linux/ip.h:93:2: error: #error "Endian problem - this didn't happen"
iptunnel.c: In function 'parse_args':
iptunnel.c:62: error: 'struct iphdr' has no member named 'version'
iptunnel.c:63: error: 'struct iphdr' has no member named 'ihl'
make[1]: *** [iptunnel.o] Error 1
make[1]: Leaving directory `/usr/src/iproute-2.6.20-070313/ip'
make: *** [all] Error 2

The iproute2-2.6.19 kicks out that same error (except the last line) and tries to run the whole thing, but nothing compiles correctly. The tc section looks like this:

make[1]: Entering directory `/usr/src/iproute2-2.6.19-061214/tc'
gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -DCONFIG_GACT -DCONFIG_GACT_PROB -c -o m_ipt.o m_ipt.c
In file included from ../include/libiptc/libiptc.h:6,
                 from ../include/iptables.h:5,
                 from m_ipt.c:20:
../include/linux/netfilter_ipv4/ip_tables.h:20:38: error: linux/netfilter/x_tables.h: No such file or directory
In file included from ../include/libiptc/libiptc.h:6,
                 from ../include/iptables.h:5,
                 from m_ipt.c:20:
../include/linux/netfilter_ipv4/ip_tables.h:87: error: field 'counters' has incomplete type
../include/linux/netfilter_ipv4/ip_tables.h:115:39: error: linux/netfilter/xt_tcpudp.h: No such file or directory
../include/linux/netfilter_ipv4/ip_tables.h:144: error: 'XT_FUNCTION_MAXNAMELEN' undeclared here (not in a function)
In file included from m_ipt.c:20:
../include/iptables.h:56: warning: 'struct xt_entry_match' declared inside parameter list
../include/iptables.h:56: warning: its scope is only this definition or declaration, which is probably not what you want
../include/iptables.h:63: warning: 'struct xt_entry_match' declared inside parameter list
../include/iptables.h:70: warning: 'struct xt_entry_match' declared inside parameter list
../include/iptables.h:74: warning: 'struct xt_entry_match' declared inside parameter list
m_ipt.c: In function 'build_st':
m_ipt.c:356: error: invalid application of 'sizeof' to incomplete type 'struct xt_entry_target'
m_ipt.c:360: error: dereferencing pointer to incomplete type
m_ipt.c:364: error: dereferencing pointer to incomplete type
m_ipt.c:368: error: dereferencing pointer to incomplete type
m_ipt.c: In function 'parse_ipt':
m_ipt.c:499: error: dereferencing pointer to incomplete type
m_ipt.c: In function 'print_ipt':
m_ipt.c:547: error: dereferencing pointer to incomplete type
m_ipt.c:559: error: dereferencing pointer to incomplete type
make[1]: *** [m_ipt.o] Error 1
make[1]: Leaving directory `/usr/src/iproute2-2.6.19-061214/tc'

I have very little experience compiling software, so I'm not entirely sure where to go from here. How can I try to compile iproute2-2.6.20 with only tc? As I have installed iptables-1.3.7 and various kernel patches, it seems likely that some variation on the fix suggested below would help. But I'm just not sure exactly what I need.

Any suggestions?

Thanks,
John

Andy Furniss wrote:
> Vincent Dautremont wrote:
>> Hi, i'm just new here,
>> i'm searching for how to compile tc (if i've understood correctly, i
>> must compile the whole iproute2 thing).
>>
>> So i did like the read me file said:
>> ------
>> 1. Look at start of Makefile and set correct values for:
>> KERNEL_INCLUDE
>> -----
>> i did that, and then i doesn't understand a damn thing about the
>> reste of the the 1st step about ADDLIB and LDLIBS.
>> so when i type the make command, the compiling process fail and end
>> before compiling ip.
>>
>> Could someone give me better indications than this read me file
>> perhaps ?
>
> I've never had to change anything other than KERNEL_INCLUDE and
> sometimes remove arpd from the build because I don't need it and it
> sometimes causes errors (for me because of no/wrong BerkeleyDB).
>
> Just tried the 2.6.19 and 20 versions (I notice iproute-latest still
> points at 19). Neither build - Error on m_ipt.o. This was just a quick
> test against a vanilla 2.6.19-rc6.
>
> Previously putting different iptables/netfilter headers into iproute
> include fixed this - was a long time ago. Maybe Stephen will know -
> added to cc.
>
> Andy.
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

--
John Baker
Network Systems Administrator
Marlboro College
Phone: 451-7551 off campus; 551 on campus

From salatiel.filho at gmail.com Thu Mar 22 22:59:41 2007
From: salatiel.filho at gmail.com (Salatiel Filho)
Date: Thu Mar 22 22:59:46 2007
Subject: [LARTC] Shape own router
Message-ID:

On 2/19/07, Salatiel Filho wrote:
> Well, thanks to imq all my client machines are now shaped and
> everything is great ...
> But now I have a doubt: is there a way to shape the traffic that goes
> to the router [doing a wget from the router, for example]?
>
>
> I have a PREROUTING IMQ0 and a POSTROUTING IMQ1; everything is
> working like I'd expect, but I'd like to be able to shape downloads from
> the router in the same htb qdisc provided by IMQ1. Is there a way?
>
> --
> []'s
> Salatiel
>