From mingching.tiew at redtone.com Mon Oct 1 03:00:15 2007
From: mingching.tiew at redtone.com (Ming-Ching Tiew)
Date: Mon Oct 1 03:15:26 2007
Subject: [LARTC] QoS for VoIP
References: <00c701c800ae$762e8990$0100a8c0@MingChing> <20070927160443.M42463@elportal.net.ec> <20070928140350.M405@elportal.net.ec>
Message-ID: <00bc01c803c6$6deb8a60$0100a8c0@MingChing>

From: "Santiago"
> If you have for example 1024 Kbps, you have to create a class (maybe htb)
> about 920 Kbps to create the queue. Then you have to attach the prio qdisc to
> this class, mark the voip packets and send to class :1 in the prio qdisc.
> That's what I am talking about.

You said it **VERY** easily that "If you have for example 1024 Kbps, you have to create a class about 920 Kbps ...". But what's the reality?

The reality is that you might not have a 1024 Kbps link, even though the ISP you signed up with might claim that. You don't know for sure. Even if for most of the day you have 1024 Kbps, during certain peak hours you might be clamped down to a lower figure due to congestion at the BRAS of the ISP. And how do you arrive at your magic figure of 920 kbps?

And bear in mind that most ADSL is asymmetric: your uplink is usually lower than your downlink. Even if you clamp down your downlink, if you don't police (or rate limit) your uplink, you still can't really control the link. So in practice you will actually police the rate of download to a figure slightly smaller than your uplink speed. There you can see, your overall throughput of the internet (download) is significantly slowed down.
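The layout Santiago describes above (an HTB class somewhat below the link rate, a prio qdisc under it, marked VoIP packets steered into the first band), written out as a script. This is an added example, not code from either poster: the function names, the run() dry-run wrapper, the fwmark value, the UDP 5060 marking rule and the 90% figure are this example's assumptions. The one thing it adds to the thread is that the HTB ceiling is computed from a rate you pass in (ideally one you measured) rather than typed in by hand.

```shell
#!/bin/sh
# Added example (not from the LARTC thread): HTB class + prio qdisc for VoIP.
# Assumptions: function names, run(), VOIP_MARK, SHAPE_PERCENT and the
# SIP marking rule are this example's own. Set DRY_RUN=1 to print commands.

VOIP_MARK=1        # fwmark the firewall puts on VoIP packets (assumption)
SHAPE_PERCENT=90   # share of the measured uplink handed to HTB (assumption)

# Execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# usage: voip_shaper DEV MEASURED_UPLINK_KBIT
# Shaping below the real link speed keeps the queue on this box instead of
# at the ISP's BRAS, which is the only place a prio qdisc can help.
voip_shaper() {
    dev=$1
    measured=$2
    ceil=$((measured * SHAPE_PERCENT / 100))   # 1024 -> 921, Santiago's "about 920"

    run tc qdisc del dev "$dev" root 2>/dev/null || true

    # Single HTB class at the chosen ceiling; all traffic on the device uses it.
    run tc qdisc add dev "$dev" root handle 1: htb default 10
    run tc class add dev "$dev" parent 1: classid 1:10 htb rate "${ceil}kbit" ceil "${ceil}kbit"

    # prio qdisc under that class: band 2:1 is dequeued before 2:2 and 2:3.
    run tc qdisc add dev "$dev" parent 1:10 handle 2: prio

    # Packets carrying VOIP_MARK go to band 2:1; everything else follows
    # prio's default priomap.
    run tc filter add dev "$dev" parent 2: protocol ip prio 1 handle "$VOIP_MARK" fw classid 2:1
}

# Marking rule for the outgoing interface (assumption: SIP signalling on
# UDP 5060; add the RTP port range your PBX/phones actually use).
mark_voip() {
    dev=$1
    run iptables -t mangle -A POSTROUTING -o "$dev" -p udp --dport 5060 -j MARK --set-mark "$VOIP_MARK"
}

case "${1:-}" in
    shape) voip_shaper "$2" "$3" ;;
    mark)  mark_voip "$2" ;;
esac
```

Run it as `DRY_RUN=1 sh voip-shaper.sh shape ppp0 1024` first to see the five tc commands it would issue, then without DRY_RUN on the uplink-facing device. The measured rate is the input that matters: if the line is clamped at peak hours, as the post above describes, re-running the script with the lower figure is the only way the queue stays local.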
From fdelawarde at wirelessmundi.com Mon Oct 1 12:45:01 2007
From: fdelawarde at wirelessmundi.com (François Delawarde)
Date: Mon Oct 1 12:47:34 2007
Subject: [LARTC] Problem with Julian Anastasov's routing patches
Message-ID: <4700CFAD.7070809@wirelessmundi.com>

Hello,

I wanted to try a multipath setup with Julian's patches, and when rebooting on the newly patched kernel, without any multipath routes (only one interface up and one default gateway), my SSH connections to the server freeze after a few seconds. I tried with and without bridges (I sometimes have a bridge between a tap device and my eth0) with the same results. When I close and try to reconnect, sometimes it works, sometimes it doesn't, but when it does the client (on my laptop) always stops receiving data from the server after a random time, between 1 and 60 seconds approximately.

Also HTTP connections to the server's apache daemon seem to suffer from this problem, and I usually have to "reload" the page from my browser several times in order to get a complete page (it usually stops in the middle of the page loading).

Tracing with tcpdump on the laptop, the connections seem to still be up (the server sends ACK packets, and when closing the console on the laptop, I can see the FIN stuff closing the TCP connection successfully), but the ssh console is frozen on the laptop (no real replies from the server apart from ACK).

I tested several times with and without the patches, and it strongly appears to be related to Julian's patches.

- Is it a known issue for these kernels (2.6.21)?
- Is there a way to repair that in order to be able to use these patches?

I'm using a vanilla kernel 2.6.21.7 with the following patches:
- IMQ
- Layer 7
- Julian's route patches (version for kernel 2.6.21)

Relevant parts of .config:

CONFIG_IP_ROUTE_MULTIPATH=y
# CONFIG_IP_ROUTE_MULTIPATH_CACHED is not set
...
# CONFIG_BRIDGE_NETFILTER is not set
# CONFIG_BRIDGE_NF_EBTABLES is not set
CONFIG_BRIDGE=m

Thanks for any help,
François.

From nic-lartc at studentergaarden.dk Mon Oct 1 13:52:05 2007
From: nic-lartc at studentergaarden.dk (nic-lartc@studentergaarden.dk)
Date: Mon Oct 1 13:48:59 2007
Subject: PHP script to get MySQL data and make TC speed limit Re: [LARTC] (no subject)
Message-ID: <4700DF65.8040904@studentergaarden.dk>

Dear Anirudh,

You will probably get better help if you write your setup, what you have tried, how it does not work, and write a subject.

Here is a PHP script which looks IP numbers and limits up in a database and generates a simple TC HTB limit rule per host. You may be able to modify it to be useful for you.

Notes:
- This script is run from the console, not a web server. You will need command line PHP installed. Or you can rewrite it in a language of your choice.
- We only have two limit options: limit everything to 255 Kbit/s, or limit only packets that have been marked as "6" by some firewall rules to 255 Kbit/s. You will want to rewrite this bit to get the speed value from the database, but you can simplify the "marked as 6" bit away.
- Warning: we only limit download speed. You will probably want to limit upload speed as well! You will probably want to do this by matching on IP number on the way OUT of your INTERNET interface.
#!/usr/bin/php
// [the beginning of the script is missing from the archive: the <?php opening,
//  the database connection, the $cmd1 / $cmd2dkstream / $cmd2all command
//  templates, check_internal_ip(), logfile(), $debug, and the start of
//  $sql_query up to "... WHERE limit >"]
0 AND expiry_date > NOW()";
$result = mysql_query($sql_query) or die(mysql_error());
$i = 1;
while ($current_row = mysql_fetch_assoc($result)) {
    $ip    = $current_row['last_seen_ip'];
    $limit = $current_row['limit'];
    $mac   = $current_row['mac'];
    // $ip and $mac are interpolated straight into shell commands below;
    // check_internal_ip() is the only gate on what reaches the shell
    if (check_internal_ip($ip)) {
        $out .= sprintf($cmd1, $i, $mac, $i);           // one HTB class per host
        if ($limit == 1)
            $out .= sprintf($cmd2dkstream, $ip, $i);    // filter on IP + fwmark 6
        elseif ($limit == 2)
            $out .= sprintf($cmd2all, $ip, $i);         // filter on IP only
        $i++;
    }
    unset($ip); unset($limit); unset($mac);
}
if ($debug)
    print $out;
else
    logfile($out);
`$out`; // run everything in 'out'
?>
-------------------
The output looks like this:

# delete all existing queue disciplines
tc qdisc del dev eth2 root
# attach queue discipline HTB to interface eth2 and give it handle 1:0
tc qdisc add dev eth2 root handle 1:0 htb
# host 1 mac xxxxxxxxxxxxx
tc class add dev eth2 parent 1:0 classid 1:1 htb rate 255kbit burst 255kbit
tc filter add dev eth2 protocol ip parent 1:0 prio 1 u32 \
    match ip dst 172.16.xxx.xxx \
    flowid 1:1
# host 2 mac xxxxxxxxxxxxxxxx
tc class add dev eth2 parent 1:0 classid 1:2 htb rate 255kbit burst 255kbit
tc filter add dev eth2 protocol ip parent 1:0 prio 1 u32 \
    match mark 0x0006 0xffff \
    match ip dst 172.16.xxx.xxx \
    flowid 1:2
--------------

Anirudh Gottumukkala wrote:
> Hello
>
> I am anirudh, I need help to write a script to fetch details like ips,
> speedlimit from mysql and add htb rules at the start of the
> server. It is for a small isp I am working for.
>
> Can anyone help me out! I had tried but failed to limit speed.
>
> --
> Anirudh Chowdary

From umesh at websurfer.com.np Mon Oct 1 16:01:53 2007
From: umesh at websurfer.com.np (Umesh Upreti)
Date: Mon Oct 1 16:02:49 2007
Subject: [LARTC] download/upload restriction.
Message-ID: <20071001140241.B4866402C@outpost.ds9a.nl>

Hi all

I have the following script in my server. Now I want to restrict ip 192.168.3.2 to 128kbps (downlink).
But in this case the client can download up to 500kbps and upload cannot exceed more than 20kbps. Now what should I do to restrict client 192.168.3.2 to within 128kbps downlink and 64kbps uplink?

tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 1:0 htb
tc class add dev eth0 parent 1:0 classid 1:1 htb rate 300kbit
tc class add dev eth0 parent 1:0 classid 1:11 htb rate 128kbit ceil 300kbit
tc class add dev eth0 parent 1:0 classid 1:12 htb rate 128kbit ceil 300kbit
tc class add dev eth0 parent 1:0 classid 1:13 htb rate 50kbit ceil 300kbit
tc qdisc add dev eth0 parent 1:11 handle 210: pfifo limit 10
tc qdisc add dev eth0 parent 1:12 handle 220: pfifo limit 10
tc qdisc add dev eth0 parent 1:13 handle 230: pfifo limit 10
# a port match needs the full 16-bit mask 0xffff; 0xfff compares only the low 12 bits
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dst 192.168.3.1 match ip sport 20 0xffff flowid 1:11
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dst 192.168.3.1 match ip sport 21 0xffff flowid 1:11
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dst 192.168.3.2 flowid 1:12
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dst 192.168.3.3 flowid 1:13

Regards,
Umesh

From gbrehmer at yahoo.de Mon Oct 1 16:30:13 2007
From: gbrehmer at yahoo.de (Gerrit Brehmer)
Date: Mon Oct 1 16:30:18 2007
Subject: [LARTC] htb statistics
Message-ID: <751006.66548.qm@web26603.mail.ukl.yahoo.com>

Hi,

How long is the period over which the htb rate of a class is estimated? On a site I read 10 sec, but the update rate is 10 sec. I think the average rate determination is nearly 120 seconds?

What is the exact meaning of requeues? If one packet must be requeued 5 times, is this statistics value 5? When will a packet be requeued, because in my case this value is always 0...
Is overlimits a summary of dropped, requeued and delayed packets, because all dropped or requeued packets were previously marked as overlimit?

I have an htb root qdisc, three htb classes, and two leaf sfq qdiscs. The root class shapes the traffic to 512kbit. So I thought that the overlimits value of this class would be increased if someone sent data faster, but overlimits are counted only in the root htb qdisc. Is there a reason for this behaviour?

Thanks in advance for your help!
Gerrit

From jwilke at baselogistics.nl Wed Oct 3 11:11:15 2007
From: jwilke at baselogistics.nl (Jeroen)
Date: Wed Oct 3 11:43:21 2007
Subject: [LARTC] unable to add routes to empty table

Hi all,

I am trying to add an alternative routing table to a machine running 2.6.21. If I do an "ip route show table x", it tells me the table is empty; then when I try to add a route I get "RTNETLINK answers: File exists".

Now I always understood this as meaning that I am trying to add a duplicate route to a table, but since the table in question doesn't have any entries I am a bit confused as to why this is occurring. Table x is listed in rt_tables in case you were wondering.

Regards
Jeroen

From ams at toroid.org Wed Oct 3 13:01:51 2007
From: ams at toroid.org (Abhijit Menon-Sen)
Date: Wed Oct 3 13:01:59 2007
Subject: [LARTC] using HTB with thousands of classes
Message-ID: <20071003110151.GA15546@toroid.org>

Does anyone have experience with using HTB to shape traffic for several thousands of users, each with a class of their own? The LARTC HOWTO has a section about setting up hashed filters to deal with "many" classes. Has anyone used that setup?
-- 
ams

From marek at piasta.pl Wed Oct 3 14:44:29 2007
From: marek at piasta.pl (Marek Kierdelewicz)
Date: Wed Oct 3 14:45:52 2007
Subject: [LARTC] using HTB with thousands of classes
In-Reply-To: <20071003110151.GA15546@toroid.org>
References: <20071003110151.GA15546@toroid.org>
Message-ID: <20071003144429.00067416@catlap>

Hi,

> Does anyone have experience with using HTB to shape traffic for several
> thousands of users, each with a class of their own? The LARTC HOWTO has
> a section about setting up hashed filters to deal with "many" classes.
> Has anyone used that setup?

I'm using HTB to shape traffic generated by ~3000 users using hashing filters. It works OK and is CPU conservative (thanks to hashing).

One thing is worth mentioning if you're going to update the shaping config more often. Load tc commands using the "batch" option (-b) of the tc binary instead of sequential executions of the tc binary. It'll load your config in ~30 seconds instead of a couple of minutes.

I'm curious about one thing. What kind of hardware are you planning to use for that router?

cheers,
Marek Kierdelewicz
KoBa ISP

From dagarwal at juniper.net Wed Oct 3 17:36:28 2007
From: dagarwal at juniper.net (Deepak Agarwal)
Date: Wed Oct 3 17:37:59 2007
Subject: [LARTC] tc qdisc for interface alias
Message-ID: <3CE2A12931824E42A6FECE9FF9EA5503102CD8@emailbng4.jnpr.net>

Hi,

Can we create TC rules for an interface alias? Here are the commands:

/sbin/ifconfig eth0 add ip.ad.dr.ss netmask m.a.s.k up
tc qdisc show dev eth0:0

The last command throws the error "can't find device". Is there any way to define tc rules on an alias or is it simply a limitation?

Thanks,
Deepak

From martin at linux-ip.net Wed Oct 3 17:44:30 2007
From: martin at linux-ip.net (Martin A. Brown)
Date: Wed Oct 3 17:44:42 2007
Subject: [LARTC] tc qdisc for interface alias
In-Reply-To: <3CE2A12931824E42A6FECE9FF9EA5503102CD8@emailbng4.jnpr.net>
References: <3CE2A12931824E42A6FECE9FF9EA5503102CD8@emailbng4.jnpr.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings Deepak,

 : Can we create TC rules for an interface alias?

Sadly, no, it is not possible.

 : /sbin/ifconfig eth0 add ip.ad.dr.ss netmask m.a.s.k up
 :
 : tc qdisc show dev eth0:0

The traffic control structures apply (more or less) to link layer devices, since you are changing the queueing mechanism(s) for packets/frames just before they get dequeued to the hardware, so the only devices available to you (for traffic control) are the devices which show up when you type:

  ip link show

It may be instructive for you to also try typing:

  ip address show

This will provide you a more accurate presentation of the separation of link layer (L2) devices and network layer (L3) interfaces and addresses. You will then see what a sham ifconfig's aliases are.

 : Last command throws error "can't find device". Is there any way
 : to define tc rules on alias or is it simply a limitation?

So, basically, if you wish to apply some sort of traffic control to a secondary (aliased) address, then you'll need to include the IP in your "tc filter" rules.

Best of luck!

- -Martin

- -- 
Martin A. Brown
http://linux-ip.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: pgf-0.72 (http://linux-ip.net/sw/pine-gpg-filter/)

iD8DBQFHA7jjHEoZD1iZ+YcRAotYAKCr0VObLEXOx947Gzm0UDNRl4QH3wCglaXu
ejgXnsPAPIfbichEHm9TjFQ=
=cKox
-----END PGP SIGNATURE-----

From ams at toroid.org Thu Oct 4 06:06:28 2007
From: ams at toroid.org (Abhijit Menon-Sen)
Date: Thu Oct 4 06:06:38 2007
Subject: [LARTC] Re: using HTB with thousands of classes
In-Reply-To: <20071003144429.00067416@catlap>
References: <20071003110151.GA15546@toroid.org> <20071003144429.00067416@catlap>
Message-ID: <20071004040628.GB21713@toroid.org>

Hi Marek.

At 2007-10-03 14:44:29 +0200, marek@piasta.pl wrote:
>
> I'm using HTB to shape traffic generated by ~3000 users using hashing
> filters. It works OK and is cpu conservative (thanks to hashing).

Thanks, that's useful to know.

> Load tc commands using "batch" option (-b) of tc binary

Yes, that's a very good point. (I already do this.)

> I'm curious about one thing. What kind of hardware are you planning to
> use for that router?

Right now we have one HP ProLiant DL380 G5 machine, with a 2GHz Xeon processor and 2GB of memory. Part of the reason I posted was because I wanted to get a better idea of how much CPU/memory I would need for a setup that needed to handle some 15k classes with bandwidth limits of ~64kbit each.

What hardware are you using for your 3k-user router?

-- 
ams

From shadur at systemec.nl Thu Oct 4 10:25:08 2007
From: shadur at systemec.nl (Rens Houben)
Date: Thu Oct 4 10:25:22 2007
Subject: [LARTC] Prioritizing filters in tcng?
Message-ID: <20071004082508.GA30576@systemec.nl>

Hello,

I've been using a TCNG-based traffic shaper for about a year and a half now to manage bandwidth usage of a number of our fiber and wireless customers, and it's always worked extremely well.
Right now though, I'm finding myself with a problem I'm not sure how to solve properly: we also provide colocation hosting for several of those clients, and we'd like to be able to offer them unrestricted bandwidth from their locations to their respective colo hosts.

We had a similar problem before, back when I was still using a shell script that called TC directly, and at the time I simply used two nested classes, one for their regular traffic and a second one for the client's VPN uplink which had a more specific filter (specifying both source and destination instead of just one), and assigned a higher priority to the filter.

However, I'm not sure how to translate that into TCNG syntax. Any suggestions would be welcome.

-- 
Rens Houben                        | opinions are mine
Resident linux guru and sysadmin   | if my employers have one
Systemec Internet Services.        | they'll tell you themselves
PGP key at http://marduk.systemec.nl/~shadur/shadur.key.asc

From radu at securesystems.ro Thu Oct 4 21:50:34 2007
From: radu at securesystems.ro (Radu Oprisan)
Date: Thu Oct 4 21:50:42 2007
Subject: [LARTC] 802.1q & bridge
Message-ID: <4705440A.5010009@securesystems.ro>

Hello,

I'm having some difficulties troubleshooting a rather strange setup. We have a Linux box that is supposed to act as a shaper. For this, there are several 802.1q vlans transported to one of the interfaces. So the setup is something like this:

                  -------------------
                  -  Cisco Router   -
                  -------------------
           /-------/               \-----------\
  upstream |                                   | client vlans
connection |                                   |
           \--- Gi1 -  Linux Box  - Gi2 -------/

Gi1 is an upstream connection, Gi2 holds several 802.1q vlans. This already works with one vlan transported to it. However, when I try to add another vlan and I try to send icmp packets from one side to the other, arp relationships are established, however only _some_ of the packets sent get a reply from the other side. Of course, testing was done with all qdiscs removed. STP is disabled on the bridge, so is rp_filter.
Does anybody have any idea what's going on? Just keep in mind that there already is a connection that works without problems on the same machine.

From gtaylor at riverviewtech.net Thu Oct 4 22:56:44 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Thu Oct 4 22:56:29 2007
Subject: [LARTC] Layer 3 switching...
Message-ID: <4705538C.7070403@riverviewtech.net>

Is it even possible or even worthwhile to do layer 3 switching (bridging) on a Linux system?

Or would this be considered routing even though everything is done on OSI Layer 2?

Which would be faster, Layer 3 switching (bridging) on OSI Layer 2 or routing on OSI Layer 3?

Grant. . . .

From indunil75 at gmail.com Fri Oct 5 07:51:38 2007
From: indunil75 at gmail.com (Indunil Jayasooriya)
Date: Fri Oct 5 07:51:46 2007
Subject: [LARTC] DNAT rule for vsftp (PASSIVE FTP)
Message-ID: <7ed6b0aa0710042251u6442fb85ma74e46aa9d3f81f9@mail.gmail.com>

Hi all,

I want to run vsftp behind a firewall (i.e. DMZ zone). It is running as passive ftp. The theory behind passive ftp is:

- FTP server's port 21 from anywhere (Client initiates connection)
- FTP server's port 21 to ports > 1024 (Server responds to client's control port)
- FTP server's ports > 1024 from anywhere (Client initiates data connection to random port specified by server)
- FTP server's ports > 1024 to remote ports > 1024 (Server sends ACKs (and data) to client's data port)

Then, how can I write DNAT rules? Please assume 1.2.3.4 is the ip of the internet interface.
#DNAT from Internet to the box running VSFTP @ 192.168.100.3
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 21 -j DNAT --to-destination 192.168.100.3:21
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 1024: -j DNAT --to-destination 192.168.100.3

And also

#connect to below ip (actual destination ip) with below ports, due to DNATing
iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 21 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 1024: -m state --state NEW -j ACCEPT

Are you okay with the above 4 rules? If WRONG, please write down your rules. I am going to put this vsftp server into PRODUCTION USE.

Please also note: my firewall has the below rules, such as DROP, ESTABLISHED, RELATED.

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

YOUR comments.

-- 
Thank you
Indunil Jayasooriya

From gtaylor at riverviewtech.net Fri Oct 5 08:55:22 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Fri Oct 5 08:55:37 2007
Subject: [LARTC] DNAT rule for vsftp (PASSIVE FTP)
In-Reply-To: <7ed6b0aa0710042251u6442fb85ma74e46aa9d3f81f9@mail.gmail.com>
References: <7ed6b0aa0710042251u6442fb85ma74e46aa9d3f81f9@mail.gmail.com>
Message-ID: <4705DFDA.5090803@riverviewtech.net>

On 10/5/2007 12:51 AM, Indunil Jayasooriya wrote:
> I want to run vsftp behind a firewall (i.e. DMZ zone). It is running as
> passive ftp.

Ok...

> Then, how can I write DNAT rules?

You don't want to write rules for each possible combination.

> YOUR comments.

Use the FTP helper module as it is meant to take care of this for you.

Grant. . . .
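The two rule sets side by side: the "DNAT and accept everything above 1024" rules from the question, and the conntrack-helper approach Grant recommends in his reply. This is an added example, not code from either poster; the function names, the run() dry-run wrapper and the interface name are this example's assumptions, while the addresses and module names are the ones given in the thread.

```shell
#!/bin/sh
# Added example (not from the LARTC thread): passive FTP server behind DNAT,
# broad port-range rules beside the conntrack-helper version.
# Assumptions: function names, run(), WAN_IF. Set DRY_RUN=1 to print commands.

WAN_IF=eth0
WAN_IP=1.2.3.4            # public address used in the question
FTP_HOST=192.168.100.3    # vsftpd host in the DMZ, from the question

# Execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Policies and state rules the poster already has; both variants rely on them.
base_rules() {
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT DROP
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Broad version: every inbound TCP port above 1024 is DNATed to the DMZ host
# and accepted as NEW, so any other service listening above 1024 on that host
# becomes reachable from the Internet too, not just the FTP data ports.
ftp_rules_broad() {
    run iptables -t nat -A PREROUTING -p tcp -i "$WAN_IF" -d "$WAN_IP" --dport 21 -j DNAT --to-destination "$FTP_HOST:21"
    run iptables -t nat -A PREROUTING -p tcp -i "$WAN_IF" -d "$WAN_IP" --dport 1024: -j DNAT --to-destination "$FTP_HOST"
    run iptables -A FORWARD -p tcp -d "$FTP_HOST" --dport 21 -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -p tcp -d "$FTP_HOST" --dport 1024: -m state --state NEW -j ACCEPT
}

# Helper version: only port 21 is opened explicitly. ip_conntrack_ftp parses the
# PASV reply on the control connection and registers an expectation for the
# single data port the server announced; ip_nat_ftp rewrites the private
# address in that reply. The client's data connection then arrives as RELATED,
# is DNATed through the expectation, and passes the existing RELATED rule.
ftp_rules_helper() {
    run modprobe -a ip_conntrack_ftp ip_nat_ftp   # module names as given in the thread
    run iptables -t nat -A PREROUTING -p tcp -i "$WAN_IF" -d "$WAN_IP" --dport 21 -j DNAT --to-destination "$FTP_HOST:21"
    run iptables -A FORWARD -p tcp -d "$FTP_HOST" --dport 21 -m state --state NEW -j ACCEPT
}

case "${1:-}" in
    base)   base_rules ;;
    broad)  ftp_rules_broad ;;
    helper) ftp_rules_helper ;;
esac
```

`DRY_RUN=1 sh ftp-nat.sh helper` shows the three commands the helper variant needs against the eight the broad one issues. Two caveats outside the thread's 2007 setting: on current kernels the modules are nf_conntrack_ftp and nf_nat_ftp, and since automatic helper assignment is off by default the helper has to be attached explicitly with `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`. If the helper cannot be used at all, confine the DNAT and FORWARD rules to vsftpd's pasv_min_port/pasv_max_port range rather than 1024: so only the ports FTP can actually hand out are exposed.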
From indunil75 at gmail.com Fri Oct 5 09:16:56 2007
From: indunil75 at gmail.com (Indunil Jayasooriya)
Date: Fri Oct 5 09:17:02 2007
Subject: [LARTC] DNAT rule for vsftp (PASSIVE FTP)
In-Reply-To: <4705DFDA.5090803@riverviewtech.net>
References: <7ed6b0aa0710042251u6442fb85ma74e46aa9d3f81f9@mail.gmail.com> <4705DFDA.5090803@riverviewtech.net>
Message-ID: <7ed6b0aa0710050016i736b0a7cx5d49847096eb00fb@mail.gmail.com>

On 10/5/07, Grant Taylor wrote:
>
> On 10/5/2007 12:51 AM, Indunil Jayasooriya wrote:
> > I want to run vsftp behind a firewall (i.e. DMZ zone). It is running as
> > passive ftp.
>
> Ok...
>
> > Then, how can I write DNAT rules?
>
> You don't want to write rules for each possible combination.
>
> > YOUR comments.
>
> Use the FTP helper module as it is meant to take care of this for you.
>
> Grant. . . .

What is the FTP helper module? Is it ip_nat_ftp?

ANYWAY, I have loaded the below 2 modules.

/sbin/modprobe -a ip_conntrack_ftp ip_nat_ftp

YOUR COMMENTS.

-- 
Thank you
Indunil Jayasooriya

From default at advaita.sytes.net Fri Oct 5 12:05:35 2007
From: default at advaita.sytes.net (John Default)
Date: Fri Oct 5 12:04:44 2007
Subject: [LARTC] Layer 3 switching...
In-Reply-To: <4705538C.7070403@riverviewtech.net>
References: <4705538C.7070403@riverviewtech.net>
Message-ID: <47060C6F.1040704@advaita.sytes.net>

Hi

I was told that layer 3 switches are faster because "routing" there is done by some ASIC hardware. Is there any advantage in having another routing code in bridging when everything is done in software, which is just as slow as normal routing?
The only speed gain would be in keeping the routing code very simple with limited functionality, but I think that the trend is to put more and more functionality there, which would end up in having two equally slow, same-function codes in two places.

(I was taught that packets are routed on L3, frames are switched (bridged) on L2. And an L3 switch does L2 switching + L3 routing, but in hardware. Routers are completely a software thing, switches a hardware thing, and a bridge is a switch in software.)

Please excuse me if I am missing your idea completely.

Grant Taylor wrote:
> Is it even possible or even worthwhile to do layer 3 switching
> (bridging) on a Linux system?
>
> Or would this be considered routing even though everything is done on
> OSI Layer 2?
>
> Which would be faster, Layer 3 switching (bridging) on OSI Layer 2 or
> routing on OSI Layer 3?
>
> Grant. . . .

-- 
___________________________________
With regards / Best regards
John Default

From fhartman at hsr.ch Fri Oct 5 15:25:31 2007
From: fhartman at hsr.ch (fhartman@hsr.ch)
Date: Fri Oct 5 15:25:48 2007
Subject: [LARTC] Limit Rates in more scalable and efficient way
Message-ID: <08100C47CD5D9740B09C5CDD944B2A7417108CD5@sid00102.hsr.ch>

Hello

I'm looking for a more efficient way to limit rates to different clients.

Right now, as I understand it, I have to make a class for every customer/ip-address I'd like to limit bandwidth for. This means lots of configuration if I had many customers to set up traffic shaping for.

I can filter for ip-ranges, but then all ip's of that range share the set bandwidth of the class. I'd like a fixed rate for every ip in a group without configuring classes for each address! It's a lot of work to configure thousands of ip addresses if I have to make a thousand classes for it. Adding, deleting and processing won't be very efficient that way.
Is there someone who had the same problems and got to a solution, or am I just asking too much?

regards
Fabian

From david_list at boreham.org Fri Oct 5 16:08:57 2007
From: david_list at boreham.org (David Boreham)
Date: Fri Oct 5 16:11:04 2007
Subject: [LARTC] shaping by packet count rather than bytes ?
Message-ID: <47064579.3020001@boreham.org>

In wireless networks it can be handy to shape by packet rate rather than bytes/s (because capacity is packet-rate-limited). Has anyone done any work on packet-rate shaping?

Thanks.

From gtaylor at riverviewtech.net Fri Oct 5 16:18:23 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Fri Oct 5 16:18:08 2007
Subject: [LARTC] DNAT rule for vsftp (PASSIVE FTP)
In-Reply-To: <7ed6b0aa0710050016i736b0a7cx5d49847096eb00fb@mail.gmail.com>
References: <7ed6b0aa0710042251u6442fb85ma74e46aa9d3f81f9@mail.gmail.com> <4705DFDA.5090803@riverviewtech.net> <7ed6b0aa0710050016i736b0a7cx5d49847096eb00fb@mail.gmail.com>
Message-ID: <470647AF.2090608@riverviewtech.net>

On 10/05/07 02:16, Indunil Jayasooriya wrote:
> What is FTP helper module?

As I understand it, the Connection Tracking FTP helper module is essentially a small module / algorithm that you load into the Connection Tracking structure (via the below modules) to watch what ftp commands you send out and / or receive, so that it can dynamically, on the fly, update the connection tracking table to allow the other negotiated ports that FTP uses through stateful packet inspection. In other words you should not need to write explicit rules for control and data connections, be it active or passive.

> is it ip_nat_ftp ?

Yes.

> ANYWAY, I have loaded below 2 modules.
>
> /sbin/modprobe -a ip_conntrack_ftp ip_nat_ftp
>
> YOUR COMMENTS.

That should work. I'll have to double check some things to make sure that you don't need to do anything special other than just allow the initial connection and rely on the FTP connection tracking helper to handle all other connections.
I've never run an FTP server behind a NAT, but I've never had a problem with an FTP client behind the NAT with the above modules loaded. Though it is my understanding that the module will take care of both.

Grant. . . .

From gtaylor at riverviewtech.net Fri Oct 5 16:48:53 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Fri Oct 5 16:48:36 2007
Subject: [LARTC] Layer 3 switching...
In-Reply-To: <47060C6F.1040704@advaita.sytes.net>
References: <4705538C.7070403@riverviewtech.net> <47060C6F.1040704@advaita.sytes.net>
Message-ID: <47064ED5.7030900@riverviewtech.net>

On 10/05/07 05:05, John Default wrote:
> I was told that layer 3 switches are faster because "routing" there is
> done by some ASIC hardware. Is there any advantage in having another
> routing code in bridging when everything is done in software which is
> same slow as normal routing? The only speed gain would be in keeping the
> routing code very simple with limited functionality, but i think that
> the trend is to put there more and more functionality which would end up
> in having two same slow, same function code in two places.

Ah, therein lies the difference in what you are saying, which as a norm is probably correct and something that I do not disagree with.

I guess I should say that my introduction to L3 switching is actually on Cisco Catalyst 5000 / 5500 L2 switches, where they depend on an external Cisco L3 router to assist in the L3 switching. Rather, that is to say that the L2 switch and the L3 router communicate with each other to do L3 switching combined. As I understand it, the L2 switch will send initial packets to the L3 router along with some metadata. The L3 router will route the packets and send them back to the L2 switch with updated metadata. Then the L2 switch will have learned, with the help of the L3 router, that the packets can be altered on L2 to emulate L3 routing, but this time in hardware.
Thus the L2 switch depends on the L3 router to do the initial routing, and then the L2 switch will subsequently step up and L2 switch across L3 boundaries based on what it learned from the L3 router.

So, I guess I should say that I'm not wanting to (re)implement the routing code in the kernel; it does quite fine for me, thank you very much. ;) I'm looking for a way to alter source / destination MAC addresses of packets on L2 to emulate what happens in routing. I believe that I could SNAT / DNAT the MAC addresses of the packet via EBTables on L2 to achieve the effect of an L3 route. I would do this by having the bridging code in the kernel learn from cached (?) results of a previous L3 route. In other words, if the packet is in a NEW connection state, send it on up to L3 routing. If the packet is in an ESTABLISHED state and we can pull information from the system's ARP cache to know the destination MAC address for the next subnet, as well as pull the correct source MAC address for the interface on the next subnet, then we could just SNAT / DNAT the MAC addresses on L2 and send the packet back out on the appropriate wire.

I'm wondering if this NATing of the source and destination MAC addresses on L2 would be faster than passing the packet up to L3 routing. It is my belief that L3 will do more sanity checks on packets than L2 will. These sanity checks will take time to perform, which could be avoided if we could just NAT the source and destination MAC addresses on L2. Or at least that's what I think. I could be very wrong about it.

> (i was taught that packets are routed on L3, frames are
> switched(bridged) on L2. And L3 switch does L2 switching + L3 routing
> but in hardware. routers are completely a software thing, switches
> hardware thing, and bridge is switch in software.)

I can agree with that statement. However I'll spin what you said a little bit, and then I think you can see how I'm logically progressing on down the line.
Switching is an L2 operation, no matter what that operation is. Routing is an L3 operation, no matter what that operation is. Thus if we perform some sort of L3-type operation on L2 then we are performing some sort of switching operation. If that operation happens to be routing, which is normally an L3 operation, then we are doing an L3-like operation on L2, thus L3 switching.

So now that I have circularly argued that, how about an example. Let's say that we have two end point hosts on separate subnets with an intermediary router.

      +---------+     +-------------------+     +---------+
IP:   | 4.0.0.9 +-----+ 4.0.0.1 : 5.0.0.1 +-----+ 5.0.0.9 |
MAC:  | ..00:0f |     | ..11:1e : ..22:2d |     | ..33:3c |
      +---------+     +-------------------+     +---------+

If I want to send an ICMP ping from 4.0.0.9 to 5.0.0.9, the ethernet frames will be sent from ..00:0f to ..11:1e and from ..22:2d to ..33:3c. Note that the routing code on the intermediary router will see that the packet needs to be routed from one subnet to the other and will do so just fine without any problems at all. However this is a layer 3 operation.

What I'm wanting to do is educate L2 enough so that it can use cached results from L3 to perform a similar operation on L2 in the future. Thus when the frame from 4.0.0.9 with a MAC address of ..00:0f comes in destined to 5.0.0.9 with the router's MAC address of ..11:1e, I'm wanting to alter the frame coming in to the switch such that the new destination MAC address will be ..33:3c with a new source MAC address of ..22:2d, based on the contents of the system's ARP cache with a little bit of help.

It is my belief that this L2 operation of SNATing and DNATing the MAC addresses without sending the data up to L3 will be faster than sending the data up to L3 and doing its full processing. At least that is what this entire discussion is based on. At the very least I believe I'm going to do some controlled tests to see if this will even work with manually entered static configurations.
If this does work, I think it would be possible to come up with a new EBTables target that could alter the destination MAC address based on the contents of the system's ARP cache (the system just spoke to the target, thus the target MAC should be in the ARP cache, if not the ARP code does a fine job at it's job and can get us the MAC address). The only hiccup that I don't have an answer for at the moment is picking the correct source MAC address. However looking at the contents of the ARP cache we see that the interface is listed as well. So we could do a simple translation from interface to source MAC address. Thus I believe we have the basis of a rough crude logistical algorithm to L3 switch (a n L3 operation on L2) traffic through a Linux system. > Please excuse me if i am missing your idea completely. Please read and chew on what I've brain farted to the mailing list. Poke holes in it and let's discuss this. If this truly will not work, I have only wasted some bandwidth and bytes on drives, nothing else. All the while we will have hopefully cleared a few cob webs from our collective brains. ;) At least for a few minutes while I try to make a fool of my self. :} Grant. . . . From salatiel.filho at gmail.com Fri Oct 5 16:57:45 2007 From: salatiel.filho at gmail.com (Salatiel Filho) Date: Fri Oct 5 16:57:52 2007 Subject: [LARTC] Limit Rates in more scalable and efficient way In-Reply-To: <08100C47CD5D9740B09C5CDD944B2A7417108CD5@sid00102.hsr.ch> References: <08100C47CD5D9740B09C5CDD944B2A7417108CD5@sid00102.hsr.ch> Message-ID: Sometime ago i had written a bash script that read from a file containing the list of ips and built all the needed classes. unfortunately i do not have it anymore [hd crash and no backup :/] , but at least you know it can be relatively easy to automate this task. On 10/5/07, fhartman@hsr.ch wrote: > Hello > > I'm looking for a more efficient way to limit rates to different clients. 
>
> Right now as I understand it, I have to make a class for every customer/ip-address I'd like to limit bandwidth.
> This means lots of configuration if I had many customers to setup traffic shaping for.
>
> I can filter for ip-ranges, but then all IPs of that range share the set bandwidth of the class.
> I'd like a fixed rate for every ip in a group without configuring classes for each address!
> It's a lot of work to configure thousands of ip addresses if I have to make a thousand classes for it.
> Adding, Deleting and Processing won't be very efficient that way.
>
> Is there someone who had the same problems and got to a solution or am I just asking too much?
>
> regards
> Fabian
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

--
[]'s
Salatiel

"The greatest pleasure of the intelligent one is to play the idiot in front of an idiot who plays the intelligent one".

From mohan.tux at gmail.com Fri Oct 5 17:27:03 2007
From: mohan.tux at gmail.com (Mohan Sundaram)
Date: Fri Oct 5 17:27:24 2007
Subject: [Fwd: Re: [LARTC] DNAT rule for vsftp (PASSIVE FTP)]
Message-ID: <470657C7.1000700@vsnl.com>

-------- Original Message --------
Subject: Re: [LARTC] DNAT rule for vsftp (PASSIVE FTP)
Date: Fri, 05 Oct 2007 12:17:42 +0530
From: Mohan Sundaram
Reply-To: smohan@vsnl.com
To: Indunil Jayasooriya
References: <7ed6b0aa0710042251u6442fb85ma74e46aa9d3f81f9@mail.gmail.com>

Indunil Jayasooriya wrote:
> Hi all,
>
> I want to run vsftp behind a firewall (i.e. DMZ zone). It is running as
> passive ftp.
>
> The theory behind passive ftp is,
>
> * FTP server's port 21 from anywhere (Client initiates connection)
> * FTP server's port 21 to ports > 1024 (Server responds to client's
>   control port)
> * FTP server's ports > 1024 from anywhere (Client initiates data
>   connection to random port specified by server)
> * FTP server's ports > 1024 to remote ports > 1024 (Server sends
>   ACKs (and data) to client's data port)
>
> Then, how can I write DNAT rules?
>
> Please assume 1.2.3.4 is the IP of the internet interface.
>
> #DNAT from Internet to the box running VSFTP @ 192.168.100.3
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 21 -j DNAT --to-destination 192.168.100.3:21
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 1024: -j DNAT --to-destination 192.168.100.3
>
> And also
> #connect to below ip (actual destination ip) with below ports, due to DNATing
> iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 21 -m state --state NEW -j ACCEPT
> iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 1024: -m state --state NEW -j ACCEPT
>
> Are you okay with the above 4 rules?
>
> If WRONG, please write down your rules. I am going to put this vsftp server
> into PRODUCTION USE.
>
> Please also make sure my firewall has below rules such as DROP,
> ESTABLISHED, RELATED.
>
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> YOUR comments.
>
> --
> Thank you
> Indunil Jayasooriya

If you want to run apps with different ports for control and data, you need to run an ALG or the connection tracking helper ip_conntrack_ftp.

Extracted from http://www.kalamazoolinux.org/presentations/20010417/conntrack.html

Connection tracking and ftp

Firstly, you need to load the ip_conntrack_ftp module.
Assuming you have a single-homed box, a simple ruleset to allow an ftp connection would be:

iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

(Please note, I am assuming here you have a separate ruleset to allow any icmp RELATED to the connection. Please see my example ruleset for this).

This is not the whole story. An ftp connection also needs a data-channel, which can be provided in one of two ways:

1) Active ftp

The ftp client sends a port number over the ftp channel via a PORT command to the ftp server. The ftp server then connects from port 20 to this port to send data, such as a file, or the output from an ls command. The ftp-data connection is in the opposite sense from the original ftp connection.

To allow active ftp without knowing the port number that has been passed we need a general rule which allows connections from port 20 on remote ftp servers to high ports (port numbers > 1023) on ftp clients. This is simply too general to ever be secure.

Enter the ip_conntrack_ftp module. This module is able to recognize the PORT command and pick out the port number. As such, the ftp-data connection can be classified as RELATED to the original outgoing connection to port 21 so we don't need NEW as a state match for the connection in the INPUT chain. The following rules will serve our purposes grandly:

iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

2) Passive ftp

A PORT command is again issued, but this time it is from the server to the client. The client connects to the server for data transfer. Since the connection is in the same sense as the original ftp connection, passive ftp is inherently more secure than active ftp, but note that this time we know even less about the port numbers. Now we have a connection between almost arbitrary port numbers.

Enter the ip_conntrack_ftp module once more. Again, this module is able to recognize the PORT command and pick out the port number. Instead of NEW in the state match for the OUTPUT chain, we can use RELATED. The following rules will suffice:

iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

Mohan

From mohan.tux at gmail.com Fri Oct 5 17:29:18 2007
From: mohan.tux at gmail.com (Mohan Sundaram)
Date: Fri Oct 5 17:29:32 2007
Subject: [LARTC] Reply to on list
Message-ID: <4706584E.6080101@vsnl.com>

I just realised that reply goes to the member instead of the list. Has this changed recently?

Mohan

From mohan.tux at gmail.com Fri Oct 5 17:29:51 2007
From: mohan.tux at gmail.com (Mohan Sundaram)
Date: Fri Oct 5 17:30:19 2007
Subject: [Fwd: Re: [LARTC] DNAT rule for vsftp (PASSIVE FTP)]
Message-ID: <4706586F.9010805@vsnl.com>

Grant Taylor wrote:
> I'll have to double check some things to make sure that you don't need
> to do anything special other than just allow the initial connection and
> rely on the FTP connection tracking helper to handle all other connections.
>
> I've never run an FTP server behind a NAT, but I've never had a problem
> with the FTP client behind the NAT with the above modules loaded. Though
> it is my understanding that the module will take care of both.

Yes, nothing extra except that the state to be used is RELATED in iptables. I had sent a mail but do not know if it reached the list.

Mohan

From gtaylor at riverviewtech.net Fri Oct 5 17:38:59 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Fri Oct 5 17:38:42 2007
Subject: [LARTC] Reply to on list
In-Reply-To: <4706584E.6080101@vsnl.com>
References: <4706584E.6080101@vsnl.com>
Message-ID: <47065A93.9020706@riverviewtech.net>

On 10/05/07 10:29, Mohan Sundaram wrote:
> I just realised that reply goes to the member instead of the list.
> Has this changed recently?

No, I don't think this has changed. I have gotten tired of trying to get list administrators to set the list up correctly for discussion mailing lists. As such, I set up a Procmail rule on my system to run formail to change the Reply-To: header for messages from the mailing list to direct messages back to the mailing list. So, all I have to do is hit reply, whereas most people will have to reply to all.

*SIGH* I'm going to stop before I get fully on my tainted high horse....

Grant. . . .

From michele.petrazzo at unipex.it Fri Oct 5 18:42:18 2007
From: michele.petrazzo at unipex.it (Michele Petrazzo - Unipex srl)
Date: Fri Oct 5 18:42:24 2007
Subject: [LARTC] Limit Rates in more scalable and efficient way
In-Reply-To: <08100C47CD5D9740B09C5CDD944B2A7417108CD5@sid00102.hsr.ch>
References: <08100C47CD5D9740B09C5CDD944B2A7417108CD5@sid00102.hsr.ch>
Message-ID: <4706696A.10004@unipex.it>

fhartman@hsr.ch wrote:
> Hello
>
> I'm looking for a more efficient way to limit rates to different
> clients.
>
> Right now as I understand it, I have to make a class for every
> customer/ip-address I'd like to limit bandwidth.

This is right.

> This means lots of configuration if i had many customers to setup
> traffic shaping for.
>

If you have a lot of customers and not an "automatic" process, yes.

> I can filter for ip-ranges, but then all ip's of that range share the
> set bandwidth of the class.

Right.

> I'd like a fixed rate for every ip in a group without configuring
> classes for each address! It's a lot of work to configure thousands
> of ip addresses if I have to make a thousand classes for it. Adding,
> Deleting and Processing won't be very efficient that way.
>

Add, ok, but why do you need to "delete" and "process" a lot of IPs/customers?

> Is there someone who had the same problems and got to a solution or
> am I just asking too much?
>

Here we haven't thousands of IPs, but I think it's the same, because we developed a simple but working solution internally that talks with a db and ip/mac/dhcp and does the work (create the class with its speed). Just done a:

cat firewall_* | wc -l

and there are not so many lines: about 1100, plus those for the little internal site (where the user inserts his credentials, plus the admin part for add, delete, etc..) that are 2600. I think that with 4/5 days of work you can do the same yourself.

I think, however, that if you need some advice for creating the right limiting policy and its implementation, this is the right place!

Michele

From karme at berlios.de Fri Oct 5 20:56:10 2007
From: karme at berlios.de (Jens Thiele)
Date: Fri Oct 5 20:56:28 2007
Subject: [LARTC] shaping by packet count rather than bytes ?
In-Reply-To: <47064579.3020001@boreham.org> (David Boreham's message of "Fri, 05 Oct 2007 08:08:57 -0600")
References: <47064579.3020001@boreham.org>
Message-ID: <87ejg9ie5x.fsf@thialfi.karme-net.hirschau>

On 5 Oct 2007, david_list@boreham.org wrote:
> In wireless networks it can be handy to shape by packet rate
> rather than bytes/s (because capacity is packet-rate-limited).
>
> Has anyone done any work on packet-rate shaping ?

Don't know any wireless details. But I guess in the end it is very similar to the ATM fixed cell size. Maybe the tcatm patch [1] might give some hints.

Greetings
Jens

[1] http://ace-host.stuart.id.au/russell/files/tc/tc-atm/

From peet at altlinux.org Sat Oct 6 01:43:34 2007
From: peet at altlinux.org (Peter V. Saveliev)
Date: Sat Oct 6 01:43:44 2007
Subject: [LARTC] shaping by packet count rather than bytes ?
In-Reply-To: <47064579.3020001@boreham.org>
References: <47064579.3020001@boreham.org>
Message-ID: <200710060343.35381.peet@altlinux.org>

> Has anyone done any work on packet-rate shaping ?
>

iptables: limit, hashlimit, dstlimit work on pps basis.

--
Peter V. Saveliev

From david_list at boreham.org Sat Oct 6 03:04:07 2007
From: david_list at boreham.org (David Boreham)
Date: Sat Oct 6 03:06:16 2007
Subject: [LARTC] shaping by packet count rather than bytes ?
In-Reply-To: <200710060343.35381.peet@altlinux.org>
References: <47064579.3020001@boreham.org> <200710060343.35381.peet@altlinux.org>
Message-ID: <4706DF07.8050706@boreham.org>

Peter V. Saveliev wrote:
>>> Has anyone done any work on packet-rate shaping ?
>>
> iptables: limit, hashlimit, dstlimit work on pps basis.
>

! yes, I'd thought about that stuff but somehow discounted it as 'not worthy' for traffic shaping. Thanks.

From david_list at boreham.org Sat Oct 6 03:16:38 2007
From: david_list at boreham.org (David Boreham)
Date: Sat Oct 6 03:18:44 2007
Subject: [LARTC] shaping by packet count rather than bytes ?
In-Reply-To: <4706DF07.8050706@boreham.org>
References: <47064579.3020001@boreham.org> <200710060343.35381.peet@altlinux.org> <4706DF07.8050706@boreham.org>
Message-ID: <4706E1F6.2070006@boreham.org>

David Boreham wrote:
>> iptables: limit, hashlimit, dstlimit work on pps basis.
>>
> ! yes, I'd thought about that stuff but somehow
> discounted it as 'not worthy' for traffic shaping.

Actually, I remember now why iptables doesn't work:

All it does is drop the excess packets over the limit. That's not what I need. Rather, I want something like a tbf that operates on packet count rather than byte count. Thus, packets will be sent at the configured rate, and queued up if they arrive at a rate in excess of the limit. iptables will simply drop the excess, which I'm sure will lead to poor throughput and of course means that there's no queue to manage to achieve a given QoS policy.

Rewriting tbf or htb to operate on packets not bytes _seems_ like it'd do the trick. I'm a bit surprised that nobody has made this their masters thesis ;)

From peet at altlinux.org Sat Oct 6 03:47:45 2007
From: peet at altlinux.org (Peter V. Saveliev)
Date: Sat Oct 6 03:48:01 2007
Subject: [LARTC] shaping by packet count rather than bytes ?
In-Reply-To: <4706E1F6.2070006@boreham.org>
References: <47064579.3020001@boreham.org> <4706DF07.8050706@boreham.org> <4706E1F6.2070006@boreham.org>
Message-ID: <200710060547.46008.peet@altlinux.org>

On Saturday 06 October 2007 05:16:38 David Boreham wrote:
> David Boreham wrote:
> >> iptables: limit, hashlimit, dstlimit work on pps basis.
> >
> > ! yes, I'd thought about that stuff but somehow
> > discounted it as 'not worthy' for traffic shaping.
>
> Actually, I remember now why iptables doesn't work :
>
> All it does is drop the excess packets over the limit.
>

Simple packet drop works for ordinary tcp congestion algorithms as a channel overload, and tcp decreases speed. So do RED, policing filters and so on. Besides this, iptables can _accept_ a packet :) You can try to mark and queue the excess packets.

--
Peter V. Saveliev

From david_list at boreham.org Sat Oct 6 03:52:29 2007
From: david_list at boreham.org (David Boreham)
Date: Sat Oct 6 03:54:34 2007
Subject: [LARTC] shaping by packet count rather than bytes ?
In-Reply-To: <200710060547.46008.peet@altlinux.org>
References: <47064579.3020001@boreham.org> <4706DF07.8050706@boreham.org> <4706E1F6.2070006@boreham.org> <200710060547.46008.peet@altlinux.org>
Message-ID: <4706EA5D.2030900@boreham.org>

Peter V. Saveliev wrote:
>
> Simple packet drop works for ordinary tcp congestion algorithms as a channel
> overload, and tcp decreases speed. So do RED, policing filters and so on.
>

Well... RED isn't exactly 'simple' packet drop :) In fact, if I could combine packet-rate-limit with RED or SFQ I'd be very happy.

> Besides this, iptables can _accept_ a packet :) You can try to mark and
> queue the excess packets.
>

Hmm... need more coffee...
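The distinction David draws above, a policer that drops the excess (what the iptables limit match does) versus a tbf that queues the excess and lets it out at a packet rate, as an added Python simulation; this is not code from the thread, and the class and function names are this example's own:

```python
"""Packet-count token bucket: a policer that drops the excess (what the
iptables 'limit' match does) beside a shaper that queues the excess and
releases it at the configured packet rate (a tbf that counts packets, not
bytes). Added example, not code from the thread; names are this example's own."""
from collections import deque


class PacketTokenBucket:
    """One token pays for one packet, whatever its size."""

    def __init__(self, rate_pps, burst_pkts):
        self.rate_pps = float(rate_pps)     # tokens (packets) added per second
        self.burst_pkts = burst_pkts        # bucket depth: packets allowed back to back
        self.tokens = float(burst_pkts)     # bucket starts full
        self.last = 0.0                     # bucket clock (seconds)

    def refill(self, now):
        if now > self.last:
            self.tokens = min(self.burst_pkts, self.tokens + (now - self.last) * self.rate_pps)
            self.last = now

    def consume(self):
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

    def time_of_next_token(self):
        """Absolute time at which the bucket holds a whole token again."""
        if self.tokens >= 1.0:
            return self.last
        return self.last + (1.0 - self.tokens) / self.rate_pps


class PacketPolicer:
    """'-m limit' style: a packet over the rate is dropped on the spot."""

    def __init__(self, rate_pps, burst_pkts):
        self.bucket = PacketTokenBucket(rate_pps, burst_pkts)
        self.accepted = self.dropped = 0

    def arrive(self, now):
        self.bucket.refill(now)
        if self.bucket.consume():
            self.accepted += 1
            return True
        self.dropped += 1
        return False


class PacketShaper:
    """tbf style on packet count: the excess waits in a bounded FIFO and leaves
    at rate_pps; only a full queue drops (tail drop), so a burst is smoothed
    rather than cut."""

    def __init__(self, rate_pps, burst_pkts, queue_limit):
        self.bucket = PacketTokenBucket(rate_pps, burst_pkts)
        self.queue_limit = queue_limit
        self.queue = deque()
        self.sent = []      # (send_time, pkt_id) in departure order
        self.dropped = 0

    def enqueue(self, now, pkt_id):
        self.bucket.refill(now)
        if len(self.queue) >= self.queue_limit:
            self.dropped += 1
            return False
        self.queue.append(pkt_id)
        return True

    def drain(self, until):
        """Dequeue with a discrete-event clock: send while whole tokens are
        available, otherwise jump to the next token instant (the watchdog a
        real qdisc would arm), stopping once that instant is past 'until'."""
        b, n = self.bucket, 0
        while self.queue:
            if b.tokens < 1.0:
                nxt = b.time_of_next_token()
                if nxt > until:
                    break
                b.refill(nxt)
                b.tokens = max(b.tokens, 1.0)   # nxt was chosen to yield exactly one token
            b.consume()
            self.sent.append((b.last, self.queue.popleft()))
            n += 1
        return n


def simulate_burst(n_pkts=20, rate_pps=10.0, burst_pkts=2, queue_limit=100, horizon=2.0):
    """Constructed scenario: n_pkts arrive all at once at t=0 (a wireless-style burst)."""
    policer = PacketPolicer(rate_pps, burst_pkts)
    for _ in range(n_pkts):
        policer.arrive(0.0)
    shaper = PacketShaper(rate_pps, burst_pkts, queue_limit)
    for i in range(n_pkts):
        shaper.enqueue(0.0, "pkt%d" % i)
    shaper.drain(horizon)
    return policer, shaper


if __name__ == "__main__":
    p, s = simulate_burst()
    print("policer: accepted %d, dropped %d" % (p.accepted, p.dropped))
    print("shaper : sent %d, dropped %d, last departure at %.1fs"
          % (len(s.sent), s.dropped, s.sent[-1][0]))
```

With 20 packets arriving at once against 10 pps and a burst of 2, the policer keeps 2 and drops 18, while the shaper delivers all 20, the last at 1.8 s.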
From jim.barber at ddihealth.com Sat Oct 6 07:52:45 2007
From: jim.barber at ddihealth.com (Jim Barber)
Date: Sat Oct 6 07:53:11 2007
Subject: [LARTC] ipp2p segmentation fault
Message-ID: <470722AD.2080303@ddihealth.com>

Hi all.

On Sep 26th I decided to try and get ipp2p working on my machine that acts as a gateway for my Internet connection. This machine is running Debian. I performed the install by doing the following steps:

- I installed the Debian package called linux-source-2.6.22 for my Linux kernel source and unpacked the resulting tar.bz2 file.
- From the netfilter.org site I downloaded the following snapshot packages and unpacked them into my build area:
    iptables-1.3.8-20070925.tar.bz2
    patch-o-matic-ng-20070925.tar.bz2
- I ran the patch-o-matic-ng runme script correctly defining the KERNEL_DIR and IPTABLES_DIR parameters. I also used the --download parameter so that it would fetch the ipp2p out-of-tree repository.
- When running the patch-o-matic-ng script I said 'No' to all the extensions except for the ipp2p one since that is all I was interested in. The patch seemed to successfully apply.
- I configured and built the Linux sources enabling all the netfilter modules that I needed (including the ipp2p one that is now patched in).
- I then built and installed the kernel.
- I also built and installed the iptables package (again specifying the KERNEL_DIR parameter). This new iptables is installed under my /usr/local/ tree which is earlier in my $PATH.
- I rebooted off the new kernel and all looks good and a 'uname -a' confirms I am on the new kernel.

I'm using shorewall to configure my firewall rules so it loads pretty much all the iptables/netfilter modules on start up.

The module has loaded okay as far as I can tell:

root@gecko:~# lsmod | grep p2p
ipt_ipp2p               8256  0
x_tables               15236  43 xt_comment,xt_policy,xt_multiport,ipt_ULOG,ipt_TTL,ipt_ttl,ipt_TOS,ipt_tos,ipt_SAME,ipt_REJECT,ipt_REDIRECT,ipt_recent,ipt_owner,ipt_NETMAP,ipt_MASQUERADE,ipt_LOG,ipt_iprange,ipt_ipp2p,ipt_ECN,ipt_ecn,ipt_ah,ipt_addrtype,xt_tcpmss,xt_pkttype,xt_physdev,xt_NFQUEUE,xt_NFLOG,xt_MARK,xt_mark,xt_mac,xt_limit,xt_length,xt_helper,xt_hashlimit,xt_dccp,xt_conntrack,xt_CONNMARK,xt_connmark,xt_CLASSIFY,xt_tcpudp,xt_state,iptable_nat,ip_tables

And the help for it works okay:

root@gecko:~# iptables -m ipp2p --help
iptables v1.3.8-20070925

IPP2P v0.8.1_rc1 options:
  --ipp2p   Grab all known p2p packets
  --edk     [TCP&UDP]  All known eDonkey/eMule/Overnet packets
  --dc      [TCP]      All known Direct Connect packets
  --kazaa   [TCP&UDP]  All known KaZaA packets
  --gnu     [TCP&UDP]  All known Gnutella packets
  --bit     [TCP&UDP]  All known BitTorrent packets
  --apple   [TCP]      All known AppleJuice packets
  --winmx   [TCP]      All known WinMX
  --soul    [TCP]      All known SoulSeek
  --ares    [TCP]      All known Ares

EXPERIMENTAL protocols (please send feedback to: ipp2p@ipp2p.org) :
  --mute    [TCP]      All known Mute packets
  --waste   [TCP]      All known Waste packets
  --xdcc    [TCP]      All known XDCC packets (only xdcc login)

DEBUG SUPPPORT, use only if you know why
  --debug   Generate kernel debug output, THIS WILL SLOW DOWN THE FILTER

Note that the follwing options will have the same meaning:
 '--ipp2p' is equal to '--edk --dc --kazaa --gnu --bit --apple --winmx --soul --ares'

IPP2P was intended for TCP only. Due to increasing usage of UDP we needed to change this.
You can now use -p udp to search UDP packets only or without -p switch to search UDP and TCP packets.

See README included with this package for more details or visit http://www.ipp2p.org

Examples:
 iptables -A FORWARD -m ipp2p --ipp2p -j MARK --set-mark 0x01
 iptables -A FORWARD -p udp -m ipp2p --kazaa --bit -j DROP
 iptables -A FORWARD -p tcp -m ipp2p --edk --soul -j DROP

When I created some shorewall tcrules for ipp2p a 'shorewall check' command shows a segmentation fault occurring and aborts reporting that I don't have IPP2P support.

Delving further I found shorewall's test for ipp2p support in /usr/share/shorewall/lib.base where it is running the following command:

$IPTABLES -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT

Note that I've correctly defined the $IPTABLES variable in the main config file to point to /usr/local/sbin/iptables instead of /sbin/iptables

If I run the command directly myself I also get the segmentation fault:

root@gecko:~# iptables -A fooX1234 -m ipp2p --ipp2p -j ACCEPT
Segmentation fault

This is despite the help for the module working as you can see above. Using /usr/local/sbin/iptables makes no difference, but a which command shows I'm running the correct version:

root@gecko:~# which iptables
/usr/local/sbin/iptables

Any idea how I can track down what is wrong?

Finally, just in case it helps anyone, here is the output from an strace:

root@gecko:~# strace iptables -A fooX1234 -m ipp2p --ipp2p -j ACCEPT
execve("/usr/local/sbin/iptables", ["iptables", "-A", "fooX1234", "-m", "ipp2p", "--ipp2p", "-j", "ACCEPT"], [/* 21 vars */]) = 0
brk(0) = 0x8055000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f58000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=19567, ...}) = 0
mmap2(NULL, 19567, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f53000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/i686/cmov/libdl.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0p\n\0\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=9684, ...}) = 0
mmap2(NULL, 12412, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7f4f000
mmap2(0xb7f51000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb7f51000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/i686/cmov/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\260a\1"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1335720, ...}) = 0
mmap2(NULL, 1340944, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7e07000
mmap2(0xb7f49000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x142) = 0xb7f49000
mmap2(0xb7f4c000, 9744, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7f4c000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7e06000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7e06ac0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
mprotect(0xb7f49000, 4096, PROT_READ) = 0
munmap(0xb7f53000, 19567) = 0
brk(0) = 0x8055000
brk(0x8076000) = 0x8076000
open("/usr/local/lib/iptables/libxt_ipp2p.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/local/lib/iptables/libipt_ipp2p.so", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\4\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=11602, ...}) = 0
mmap2(NULL, 11284, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7f55000
mmap2(0xb7f57000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb7f57000
close(3) = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
Process 23813 detached

I notice it is trying to open libxt_ipp2p.so in /usr/local/lib/iptables/ which failed... Is that something that should be on my system?

Regards,

--
----------
Jim Barber
DDI Health

From default at advaita.sytes.net Sat Oct 6 13:16:31 2007
From: default at advaita.sytes.net (John Default)
Date: Sat Oct 6 13:15:48 2007
Subject: [LARTC] Layer 3 switching...
In-Reply-To: <47064ED5.7030900@riverviewtech.net>
References: <4705538C.7070403@riverviewtech.net> <47060C6F.1040704@advaita.sytes.net> <47064ED5.7030900@riverviewtech.net>
Message-ID: <47076E8F.7060306@advaita.sytes.net>

Grant Taylor wrote:
> On 10/05/07 05:05, John Default wrote:
>> I was told that layer 3 switches are faster because "routing" there
>> is done by some ASIC hardware. Is there any advantage in having
>> another routing code in bridging when everything is done in software
>> which is same slow as normal routing? The only speed gain would be in
>> keeping the routing code very simple with limited functionality, but
>> i think that the trend is to put there more and more functionality
>> which would end up in having two same slow, same function code in two
>> places.
> > Ah, there in lies the difference in what you are saying, which as a > norm is probably correct and something that I do not disagree with. I > guess I should say that my introduction to L3 switching is actually on > Cisco Catalyst 5000 / 5500 L2 switches where they depend on an > external Cisco L3 router to assist in the L3 switching. Rater that is > to say that the L2 switch and the L3 router communicate with each > other to combined do L3 switching. As I understand it, the L2 switch > will send initial packets to the L3 router along with some meta data. > The L3 router will route the packets and send them back to the L2 > switch with updated meta data. Then the L2 switch will have learned > with the help of the L3 router that the packets can be altered on L2 > to emulate L3 routing but this time in hardware. Thus the L2 switch > depends on the L3 router to do the initial routing and then the L2 > switch will subsequently step up and L2 switch across L3 boundaries > based on what it learned from the L3 router. > > So, I guess I should say that I'm not wanting to (re)implement the > routing code in the kernel, it does quite fine for me thank you very > much. ;) I'm looking for a way to alter source / destination MAC > addresses of packets on L2 to emulate what happens in routing. I > believe that I could SNAT / DNAT the MAC addresses of the packet via > EBTables on L2 to achieve the effect of an L3 route. I would do this > by having the bridging code in the kernel learn from cached (?) > results of a previous L3 route. > > In other words if the packet is in a NEW connection state, send it on > up to L3 routing. If the packet is in an ESTABLISHED state and we can > pull information form the systems ARP cache to know the destination > MAC address for the next subnet as well as pull the correct source MAC > address for the interface on the next subnet, then we could just SNAT > / DNAT the MAC addresses on L2 and send the packet back out on the > appropriate wire. 
> > I'm wondering if this NATing of the source and destination MAC > addresses on L2 would be faster than passing the packet up to L3 > routing. It is my belief that L3 will do more sanity checks on > packets than L2 will. These sanity checks will take time to perform > which could be avoided if we could just NAT the source and destination > MAC addresses on L2. Or at least that's what I think. I could be > very wrong about it. > >> (i was taugth that packets are routed on L3, frames are >> switched(bridged) on L2. And L3 switch does L2 switching + L3 routing >> but in hardware. routers are completely a software thing, switches >> hardware thing, and bridge is switch in software.) > > I can agree with that statement. However I'll spin what you said a > little bit and then I think you can see how I'm logically progressing > on down the line. > > Switching is a L2 operation, no matter what that operation is. > Routing is a L3 operation, no matter what that operation is. Thus if > we perform some sort of L3 type operation on L2 then we are performing > some sort of switching operation. If that operation happens to be > routing which is normally a L3 operation, then we are doing a L3 like > operation on L2, thus L3 switching. So now that I have circularly > argues that, how about an example. > > Let's say that we have two end point hosts on separate subnets with an > intermediary router. > > +---------+ +-------------------+ +---------+ > IP: | 4.0.0.9 +-----+ 4.0.0.1 : 5.0.0.1 +-----+ 5.0.0.9 | > MAC: | ..00:0f | | ..11:1e : ..22:2d | | ..33:3c | > +---------+ +-------------------+ +---------+ > > If I want to send an ICMP ping from 4.0.0.9 to 5.0.0.9 the ethernet > frames will be sent from ..00:0f to ..11:1e and from ..22:2d to ..33:3c. > > Note that the routing code on the intermediary router will see that > the packet needs to be routed from one subnet to the other and will do > so just fine with out any problems at all. However this is a layer 3 > operation. 
> > What I'm wanting to do is educate L2 enough so that it can use cached > results from L3 to perform a similar operation on L2 in the future. > Thus when the frame from 4.0.0.9 with a MAC address of ..00:0f comes > in destined to 5.0.0.9 with the router's MAC address of ..11:1e I'm > wanting to alter the frame coming in to the switch such that the new > destination MAC address will be ..33:3c with a new source MAC address > of ..22:2d based on contents of the system's ARP cache with a little > bit of help. > > It is my belief that this L2 operation of SNATing and DNATing the MAC > addresses with out sending the data up to L3 will be faster than > sending the data up to L3 and doing its full processing. At least > that is what this entire discussion is based on. At the very least I > believe I'm going to do some controlled tests to see if this will even > work with manually entered static configurations. > > If this does work, I think it would be possible to come up with a new > EBTables target that could alter the destination MAC address based on > the contents of the system's ARP cache (the system just spoke to the > target, thus the target MAC should be in the ARP cache, if not the ARP > code does a fine job at it's job and can get us the MAC address). The > only hiccup that I don't have an answer for at the moment is picking > the correct source MAC address. However looking at the contents of > the ARP cache we see that the interface is listed as well. So we > could do a simple translation from interface to source MAC address. > Thus I believe we have the basis of a rough crude logistical algorithm > to L3 switch (a n L3 operation on L2) traffic through a Linux system. > So, now i get it (after your first mail, it wasn't possible :)). I think the idea is great, but. What everything would you we actually avoid ? 
For correct operation we will have to look at destination IP anyway, skipping only ip header check (iphdr checksum, version, maybe length check), which consists of functions that are implemented in very quick way (sum through 20B written in assembly..) (probably few tens of nanoseconds on 1GHz processor) With the probability of damaged packet header we probably can skip checking. But there are some security problems that can arise from that. Then we avoid lookup in routing table. But routing already does have cache (i don't know how effective) for routes to avoid doing the lookup for each packet. Will this be much faster than route cache ? Bringing it down to lower, dumber layer we risk that we will somehow mess up policy routing, multipath routing and probably some other advanced things. Another thing is that turning the l3 switching on, router will start to behave little bit different as usually, what could confuse the administrator ... What about NAT and other packet-changing things in iptables (and QoS marking and the like)? Stealing packet before layer3 processing we avoid these things as well i think. Hm this could really become a problem. There could be mechanism for detecting if packet is changed anyhow and then we would not touch it, but if box is meant for changing packets, then we would have to implement it too or process no packets at all ...(you are right, who would use l3 switch for NAT : ) ) ... and you should probably decrement and check the ttl too : ) >> Please excuse me if i am missing your idea completely. > > Please read and chew on what I've brain farted to the mailing list. > Poke holes in it and let's discuss this. If this truly will not work, > I have only wasted some bandwidth and bytes on drives, nothing else. > All the while we will have hopefully cleared a few cob webs from our > collective brains. ;) At least for a few minutes while I try to make > a fool of my self. 
:}

>

I just mentioned a few things that came to my mind that might need to be considered. But otherwise I think the idea is very nice. I will try to find out more, just need to find time to read the source ;)

(disclaimer: I am just a beginner, with my stupid questions I am just trying to help your thinking process)

>
>
> Grant. . . .
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

--
___________________________________
S pozdravom / Best regards
John Default

From aleksander at krediidiinfo.ee Sat Oct 6 14:25:10 2007
From: aleksander at krediidiinfo.ee (Aleksander Kamenik)
Date: Sat Oct 6 14:25:16 2007
Subject: [LARTC] ipp2p segmentation fault
In-Reply-To: <470722AD.2080303@ddihealth.com>
References: <470722AD.2080303@ddihealth.com>
Message-ID: <47077EA6.1040300@krediidiinfo.ee>

Hi,

IIRC you had to compile the module for the kernel and iptables, you're missing the latter.

Why are you using patch-o-matic if you only need ipp2p? What version of ipp2p is in pom?

Try downloading this one (latest):
http://ipp2p.org/downloads/ipp2p-0.8.2.tar.gz

And follow these instructions: http://ipp2p.org/docu_en.html#install

Regards,

--
Aleksander Kamenik
system administrator
+372 6659 649
aleksander@krediidiinfo.ee
Krediidiinfo AS
http://www.krediidiinfo.ee/

From mohan.tux at gmail.com Sat Oct 6 14:27:18 2007
From: mohan.tux at gmail.com (Mohan Sundaram)
Date: Sat Oct 6 14:27:40 2007
Subject: [LARTC] Layer 3 switching...
In-Reply-To: <47076E8F.7060306@advaita.sytes.net>
References: <4705538C.7070403@riverviewtech.net> <47060C6F.1040704@advaita.sytes.net> <47064ED5.7030900@riverviewtech.net> <47076E8F.7060306@advaita.sytes.net>
Message-ID: <47077F26.8030306@vsnl.com>

John Default wrote:
> Grant Taylor wrote:
>> On 10/05/07 05:05, John Default wrote:
>>> I was told that layer 3 switches are faster because "routing" there
>>> is done by some ASIC hardware.
>>> Is there any advantage in having
>>> another routing code in bridging when everything is done in software
>>> which is same slow as normal routing? The only speed gain would be in
>>> keeping the routing code very simple with limited functionality, but
>>> i think that the trend is to put there more and more functionality
>>> which would end up in having two same slow, same function code in two
>>> places.

CISCO CEF works somewhat in this fashion for routing only. I've been building network gear for a while now. I had this idea but no buyers.

Route cache is for destination IPs normally. If the router does stateful filtering, then it has connections/flows. Once a lookup is done for a flow based on destination or policy routing, the exit interface with new packet header values and frame header value is also made part of the route cache. Thus the resultant of all L3/L2 actions are attached to a flow and used. This would include NAT translations.

The above idea gives good speed but fails for encapsulations, packet based load balancing and effecting inline change in configurations for existing flows. Being a commercial product, unless it is fully baked, it does not fly. "User is responsible" is also an argument that is not accepted in such scenarios. Further this is IP specific and cannot do well in multi-protocol routers unless IP encapsulations like GRE are used as a standard. An extension was to tie flows to MPLS labels but this was getting into core routing/switching space while focus was on CPE side.
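The header checks John Default says an L2 shortcut would be tempted to skip (version, header length, total length, checksum), the TTL decrement he mentions, and the MAC rewrite Grant proposes, put together as an added Python example. This is not code from any poster in the thread and not the kernel's forwarding path; it is a plain model of what a shortcut owes every frame before it rewrites it. It assumes a directly connected destination so that the next-hop MAC comes straight from the ARP cache (in reality the next hop comes from the route lookup the thread wants to avoid); the topology, MAC addresses, ARP table and packets are constructed for the example.

```python
"""IPv4 header checks that a layer-2 forwarding shortcut must keep.

Added example for the LARTC "Layer 3 switching" thread; not code from any
poster and not the Linux kernel's own forwarding code. Everything below
(addresses, MACs, ARP table) is constructed for the example.
"""
import struct
from ipaddress import IPv4Address

ETH_P_IP = 0x0800

# Constructed topology, loosely following the thread's addresses. MACs are
# locally administered 02:... values, not real hardware.
HOST_MAC = bytes.fromhex("02000000000f")        # 4.0.0.9, the sender
ROUTER_IN_MAC = bytes.fromhex("02000000111e")   # router port facing the host
ROUTER_OUT_MAC = bytes.fromhex("02000000222d")  # router port facing the target
TARGET_MAC = bytes.fromhex("02000000333c")      # 5.0.0.9, the destination
# Stand-in for the kernel ARP cache: destination IP -> next-hop MAC. The
# thread assumes the box just spoke to the target, so the entry exists.
ARP_CACHE = {"5.0.0.9": TARGET_MAC}


class DropPacket(Exception):
    """The header failed a check on which a router discards the packet."""


class PuntToStack(Exception):
    """The shortcut cannot handle this frame; hand it to normal L3 code."""


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over the header bytes."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, ttl: int, payload: bytes, proto: int = 17) -> bytes:
    """Construct a minimal (IHL=5) IPv4 packet with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_frame(src_mac: bytes, dst_mac: bytes, packet: bytes) -> bytes:
    """Wrap an IPv4 packet in an Ethernet II frame."""
    return dst_mac + src_mac + struct.pack("!H", ETH_P_IP) + packet


def validate_ipv4_header(packet: bytes) -> dict:
    """Return the parsed header fields, or raise DropPacket.

    These are exactly the checks the thread proposes skipping: a shortcut
    that omits them forwards corrupt headers and, without the TTL test,
    keeps looping packets that a router would have discarded.
    """
    if len(packet) < 20:
        raise DropPacket("shorter than a minimal IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4:
        raise DropPacket("version %d is not IPv4" % version)
    if ihl < 20 or ihl > len(packet):
        raise DropPacket("header length %d is invalid" % ihl)
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len < ihl or total_len > len(packet):
        raise DropPacket("total length %d is inconsistent" % total_len)
    # Summing the header with its checksum field included must give zero.
    if ipv4_checksum(packet[:ihl]) != 0:
        raise DropPacket("header checksum mismatch")
    ttl = packet[8]
    if ttl <= 1:
        # RFC 1812: decrementing would reach 0, so the router discards it
        # (and normally answers with ICMP time exceeded).
        raise DropPacket("TTL would reach 0; not forwarded")
    return {"ihl": ihl, "total_len": total_len, "ttl": ttl, "proto": packet[9],
            "src": str(IPv4Address(packet[12:16])),
            "dst": str(IPv4Address(packet[16:20]))}


def is_forwardable(packet: bytes) -> bool:
    """True when validate_ipv4_header() accepts the packet."""
    try:
        validate_ipv4_header(packet)
        return True
    except DropPacket:
        return False


def decrement_ttl(packet: bytes) -> bytes:
    """Copy of the packet with TTL-1 and the header checksum recomputed."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def l2_forward(frame: bytes, arp_cache: dict, out_mac: bytes) -> bytes:
    """The proposed MAC rewrite, done only after the L3 checks pass.

    Assumes the destination is directly connected, so the ARP cache alone
    yields the next-hop MAC; anything else is punted to the normal stack.
    """
    if len(frame) < 14:
        raise DropPacket("runt frame")
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        raise PuntToStack("not IPv4; the shortcut does not understand it")
    fields = validate_ipv4_header(frame[14:])
    next_hop = arp_cache.get(fields["dst"])
    if next_hop is None:
        raise PuntToStack("no ARP entry; let L3 route and resolve it")
    return next_hop + out_mac + frame[12:14] + decrement_ttl(frame[14:])


def fast_path(frame: bytes, arp_cache: dict, out_mac: bytes):
    """Return ("forward", new_frame), ("drop", None) or ("punt", None)."""
    try:
        return "forward", l2_forward(frame, arp_cache, out_mac)
    except DropPacket:
        return "drop", None
    except PuntToStack:
        return "punt", None


if __name__ == "__main__":
    pkt = build_ipv4("4.0.0.9", "5.0.0.9", 64, b"constructed payload")
    print(fast_path(build_frame(HOST_MAC, ROUTER_IN_MAC, pkt), ARP_CACHE, ROUTER_OUT_MAC)[0])
    damaged = bytearray(pkt)
    damaged[16] ^= 0x01                     # one flipped bit in the destination
    print(fast_path(build_frame(HOST_MAC, ROUTER_IN_MAC, bytes(damaged)), ARP_CACHE, ROUTER_OUT_MAC)[0])
```

The three outcomes matter separately: "drop" is what the kernel would have done anyway, "punt" keeps policy routing, NAT and anything else the shortcut does not model in the normal path, and only "forward" is the fast case the thread is after. Whatever the shortcut cannot prove safe, it hands back rather than guessing.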
Mohan

From dino at webjogger.net Sat Oct 6 14:51:00 2007
From: dino at webjogger.net (Mario Antonio Garcia)
Date: Sat Oct 6 14:49:39 2007
Subject: [LARTC] ipp2p segmentation fault
In-Reply-To: <470722AD.2080303@ddihealth.com>
Message-ID: <15563792.55701191675060775.JavaMail.root@mailgate.webjogger.net>

Jim,

I am using Debian Etch with:
2.6.22.6 customized kernel
Iptables from the Stable (Etch) branch
I got Iptables sources also from the stable branch:
apt-get source iptables
ln -s /usr/src/iptables-1.3.6.0debian1/iptables /usr/src/iptables-1.3.6

I downloaded ipp2p-0.8.2.tar.gz from its site, and modified the Makefile to use CC instead of ld.

Working fine so far.

Mario Antonio

----- Original Message -----
From: "Jim Barber"
To: lartc@mailman.ds9a.nl
Sent: Saturday, October 6, 2007 1:52:45 AM (GMT-0500) America/New_York
Subject: [LARTC] ipp2p segmentation fault

Hi all.

On Sep 26th I decided to try and get ipp2p working on my machine that acts as a gateway for my Internet connection.
This machine is running Debian.

I performed the install by doing the following steps:

- I installed the Debian package called linux-source-2.6.22 for my Linux kernel source and unpacked the resulting tar.bz2 file.

- From the netfilter.org site I downloaded the following snapshot packages and unpacked them into my build area:

  iptables-1.3.8-20070925.tar.bz2
  patch-o-matic-ng-20070925.tar.bz2

- I ran the patch-o-matic-ng runme script correctly defining the KERNEL_DIR and IPTABLES_DIR parameters.
  I also used the --download parameter so that it would fetch the ipp2p out-of-tree repository.

- When running the patch-o-matic-ng script I said 'No' to all the extensions except for the ipp2p one since that is all I was interested in.
  The patch seemed to successfully apply.

- I configured and built the Linux sources enabling all the netfilter modules that I needed (including the ipp2p one that is now patched in).

- I then built and installed the kernel.
- I also built and installed the iptables package (again specifying the KERNEL_DIR parameter)
  This new iptables is installed under my /usr/local/ tree which is earlier in my $PATH.

- I rebooted off the new kernel and all looks good and a 'uname -a' confirms I am on the new kernel.

I'm using shorewall to configure my firewall rules so it loads pretty much all the iptables/netfilter modules on start up.

The module has loaded okay as far as I can tell:

root@gecko:~# lsmod | grep p2p
ipt_ipp2p               8256  0
x_tables               15236  43 xt_comment,xt_policy,xt_multiport,ipt_ULOG,ipt_TTL,ipt_ttl,ipt_TOS,ipt_tos,ipt_SAME,ipt_REJECT,ipt_REDIRECT,ipt_recent,ipt_owner,ipt_NETMAP,ipt_MASQUERADE,ipt_LOG,ipt_iprange,ipt_ipp2p,ipt_ECN,ipt_ecn,ipt_ah,ipt_addrtype,xt_tcpmss,xt_pkttype,xt_physdev,xt_NFQUEUE,xt_NFLOG,xt_MARK,xt_mark,xt_mac,xt_limit,xt_length,xt_helper,xt_hashlimit,xt_dccp,xt_conntrack,xt_CONNMARK,xt_connmark,xt_CLASSIFY,xt_tcpudp,xt_state,iptable_nat,ip_tables

And the help for it works okay:

root@gecko:~# iptables -m ipp2p --help
iptables v1.3.8-20070925

IPP2P v0.8.1_rc1 options:
  --ipp2p             Grab all known p2p packets
  --edk    [TCP&UDP]  All known eDonkey/eMule/Overnet packets
  --dc     [TCP]      All known Direct Connect packets
  --kazaa  [TCP&UDP]  All known KaZaA packets
  --gnu    [TCP&UDP]  All known Gnutella packets
  --bit    [TCP&UDP]  All known BitTorrent packets
  --apple  [TCP]      All known AppleJuice packets
  --winmx  [TCP]      All known WinMX
  --soul   [TCP]      All known SoulSeek
  --ares   [TCP]      All known Ares

EXPERIMENTAL protocols (please send feedback to: ipp2p@ipp2p.org) :
  --mute   [TCP]      All known Mute packets
  --waste  [TCP]      All known Waste packets
  --xdcc   [TCP]      All known XDCC packets (only xdcc login)

DEBUG SUPPPORT, use only if you know why
  --debug             Generate kernel debug output, THIS WILL SLOW DOWN THE FILTER

Note that the follwing options will have the same meaning:
 '--ipp2p' is equal to '--edk --dc --kazaa --gnu --bit --apple --winmx --soul --ares'

IPP2P was intended for TCP only.
Due to increasing usage of UDP we needed to change this.
You can now use -p udp to search UDP packets only or without -p switch to search UDP and TCP packets.

See README included with this package for more details or visit http://www.ipp2p.org

Examples:
 iptables -A FORWARD -m ipp2p --ipp2p -j MARK --set-mark 0x01
 iptables -A FORWARD -p udp -m ipp2p --kazaa --bit -j DROP
 iptables -A FORWARD -p tcp -m ipp2p --edk --soul -j DROP

When I created some shorewall tcrules for ipp2p a 'shorewall check' command shows a segmentation fault occurring and aborts reporting that I don't have IPP2P support.
Delving further I found shorewall's test for ipp2p support in /usr/share/shorewall/lib.base where it is running the following command:

$IPTABLES -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT

Note that I've correctly defined the $IPTABLES variable in the main config file to point to /usr/local/sbin/iptables instead of /sbin/iptables

If I run the command directly myself I also get the segmentation fault:

root@gecko:~# iptables -A fooX1234 -m ipp2p --ipp2p -j ACCEPT
Segmentation fault

This is despite the help for the module working as you can see above.
Using /usr/local/sbin/iptables makes no difference, but a which command shows I'm running the correct version:

root@gecko:~# which iptables
/usr/local/sbin/iptables

Any idea how I can track down what is wrong?
Finally, just in case it helps anyone, here is the output from an strace:

root@gecko:~# strace iptables -A fooX1234 -m ipp2p --ipp2p -j ACCEPT
execve("/usr/local/sbin/iptables", ["iptables", "-A", "fooX1234", "-m", "ipp2p", "--ipp2p", "-j", "ACCEPT"], [/* 21 vars */]) = 0
brk(0) = 0x8055000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f58000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=19567, ...}) = 0
mmap2(NULL, 19567, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f53000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/i686/cmov/libdl.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0p\n\0\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=9684, ...}) = 0
mmap2(NULL, 12412, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7f4f000
mmap2(0xb7f51000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb7f51000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/i686/cmov/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\260a\1"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1335720, ...}) = 0
mmap2(NULL, 1340944, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7e07000
mmap2(0xb7f49000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x142) = 0xb7f49000
mmap2(0xb7f4c000, 9744, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7f4c000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7e06000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7e06ac0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
mprotect(0xb7f49000, 4096, PROT_READ) = 0
munmap(0xb7f53000, 19567) = 0
brk(0) = 0x8055000
brk(0x8076000) = 0x8076000
open("/usr/local/lib/iptables/libxt_ipp2p.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/local/lib/iptables/libipt_ipp2p.so", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\4\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=11602, ...}) = 0
mmap2(NULL, 11284, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7f55000
mmap2(0xb7f57000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb7f57000
close(3) = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
Process 23813 detached

I notice it is trying to open libxt_ipp2p.so in /usr/local/lib/iptables/ which failed...
Is that something that should be on my system?

Regards,

--
----------
Jim Barber
DDI Health
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From jim.barber at ddihealth.com Sun Oct 7 01:42:20 2007
From: jim.barber at ddihealth.com (Jim Barber)
Date: Sun Oct 7 01:42:36 2007
Subject: [LARTC] ipp2p segmentation fault
In-Reply-To: <47077EA6.1040300@krediidiinfo.ee>
References: <470722AD.2080303@ddihealth.com> <47077EA6.1040300@krediidiinfo.ee>
Message-ID: <47081D5C.3090000@ddihealth.com>

Hi Aleksander.

When running the patch-o-matic part to apply the ipp2p patches it patches both the kernel and the iptables sources.
So the iptables that I have compiled and installed under the /usr/local/ tree already does have the ipp2p module.

Why am I using patch-o-matic-ng? Mainly because I am familiar with it.
If you refer to the ipp2p FAQ at http://www.ipp2p.org/faq_en.html under the question "How can I obtain IPP2P?", part of the answer is as follows:

"Another way to install IPP2P is through Patch-O-Matic-ng from http://www.netfilter.org which adds patches and updates to your kernel and iptables sources. You'll need to recompile both afterwards."

So that is the approach I took.

The patch-o-matic-ng script downloads the ipp2p patches, they aren't distributed with it.
So it'll get the latest at the time, which on Sep 26th was 0.8.1_rc1, if I had waited a day or two 0.8.2 would have been out.

I'll try again using the newer version.

Thanks.

----------
Jim Barber
DDI Health

Aleksander Kamenik wrote:
> Hi,
>
> IIRC you had to compile the module for the kernel and iptables, you're missing the latter.
>
> Why are you using patch-o-matic if you only need ipp2p? What version of ipp2p is in pom?
>
> Try downloading this one (latest):
> http://ipp2p.org/downloads/ipp2p-0.8.2.tar.gz
>
> And follow these instructions: http://ipp2p.org/docu_en.html#install
>
> Regards,
>

From jim.barber at ddihealth.com Sun Oct 7 02:47:08 2007
From: jim.barber at ddihealth.com (Jim Barber)
Date: Sun Oct 7 02:47:26 2007
Subject: [LARTC] ipp2p segmentation fault
In-Reply-To: <15563792.55701191675060775.JavaMail.root@mailgate.webjogger.net>
References: <15563792.55701191675060775.JavaMail.root@mailgate.webjogger.net>
Message-ID: <47082C8C.1010208@ddihealth.com>

Thanks Mario.

I might try again using the source code from Debian's version of iptables to see how it goes.
I thought they had disabled ipp2p support in it completely, but I guess the patch must add it back.
Also maybe 0.8.2 fixes something that was wrong with 0.8.1_rc1.
Or maybe the snapshot tar-ball of iptables I got had a problem.

But I'm glad to hear that it works on a 2.6.22 series kernel. I was wondering if perhaps it was a bit too new for the patches.

Thanks.
---------- Jim Barber DDI Health Mario Antonio Garcia wrote: > Jim, > > I am using Debian Etch with: > 2.6.22.6 customized kernel > Iptables from the Stable (Etch) branch > I got Iptables sources also from the stable branch: > apt-get source iptables > ln -s /usr/src/iptables-1.3.6.0debian1/iptables /usr/src/iptables-1.3.6 > > I downloaded ipp2p-0.8.2.tar.gz from its site, and Modified the Makefile to use CC instead of ld. > > Working fine so far. > > Mario Antonio > > ----- Original Message ----- > From: "Jim Barber" > To: lartc@mailman.ds9a.nl > Sent: Saturday, October 6, 2007 1:52:45 AM (GMT-0500) America/New_York > Subject: [LARTC] ipp2p segmentation fault > > Hi all. > > On Sep 26th I decided to try and get ipp2p working on my machine that acts as a gateway for my Internet connection. > This machine is running Debian. > > I performed the install by doing the following steps: > > - I installed the Debian package called linux-source-2.6.22 for my Linux kernel source and unpacked the resulting tar.bz2 file. > > - From the netfilter.org site I downloaded the following snapshot packages and unpacked them into my build area: > > iptables-1.3.8-20070925.tar.bz2 > patch-o-matic-ng-20070925.tar.bz2 > > - I ran the patch-o-matic-ng runme script correctly defining the KERNEL_DIR and IPTABLES_DIR parameters. > I also used the --download parameter so that it would fetch the ipp2p out-of-tree repository. > > - When running the patch-o-matic-ng script I said 'No' to all the extensions except for the ipp2p one since that is all I was interested in. > The patch seemed to successfully apply. > > - I configured and built the Linux sources enabling all the netfilter modules that I needed (including the ipp2p one that is now patched in). > > - I then built and installed the kernel. > > - I also built and installed the iptables package (again specifying the KERNEL_DIR parameter) > This new iptables is installed under my /usr/local/ tree which is earlier in my $PATH. 
> > - I rebooted off the new kernel and all looks good and a 'uname -a' confirms I am on the new kernel. > > > I'm using shorewall to configure my firewall rules so it loads pretty much all the iptables/netfilter modules on start up. > > The module has loaded okay as far as I can tell: > > root@gecko:~# lsmod | grep p2p > ipt_ipp2p 8256 0 > x_tables 15236 43 xt_comment,xt_policy,xt_multiport,ipt_ULOG,ipt_TTL,ipt_ttl,ipt_TOS,ipt_tos,ipt_SAME,ipt_REJECT,ipt_REDIRECT,ipt_recent,ipt_owner,ipt_NETMAP,ipt_MASQUERADE,ipt_LOG,ipt_iprange,ipt_ipp2p,ipt_ECN,ipt_ecn,ipt_ah,ipt_addrtype,xt_tcpmss,xt_pkttype,xt_physdev,xt_NFQUEUE,xt_NFLOG,xt_MARK,xt_mark,xt_mac,xt_limit,xt_length,xt_helper,xt_hashlimit,xt_dccp,xt_conntrack,xt_CONNMARK,xt_connmark,xt_CLASSIFY,xt_tcpudp,xt_state,iptable_nat,ip_tables > > And the help for it works okay: > > root@gecko:~# iptables -m ipp2p --help > iptables v1.3.8-20070925 > > > > IPP2P v0.8.1_rc1 options: > --ipp2p Grab all known p2p packets > --edk [TCP&UDP] All known eDonkey/eMule/Overnet packets > --dc [TCP] All known Direct Connect packets > --kazaa [TCP&UDP] All known KaZaA packets > --gnu [TCP&UDP] All known Gnutella packets > --bit [TCP&UDP] All known BitTorrent packets > --apple [TCP] All known AppleJuice packets > --winmx [TCP] All known WinMX > --soul [TCP] All known SoulSeek > --ares [TCP] All known Ares > > EXPERIMENTAL protocols (please send feedback to: ipp2p@ipp2p.org) : > --mute [TCP] All known Mute packets > --waste [TCP] All known Waste packets > --xdcc [TCP] All known XDCC packets (only xdcc login) > > DEBUG SUPPPORT, use only if you know why > --debug Generate kernel debug output, THIS WILL SLOW DOWN THE FILTER > > Note that the follwing options will have the same meaning: > '--ipp2p' is equal to '--edk --dc --kazaa --gnu --bit --apple --winmx --soul --ares' > > IPP2P was intended for TCP only. Due to increasing usage of UDP we needed to change this. 
> You can now use -p udp to search UDP packets only or without -p switch to search UDP and TCP packets. > > See README included with this package for more details or visit http://www.ipp2p.org > > Examples: > iptables -A FORWARD -m ipp2p --ipp2p -j MARK --set-mark 0x01 > iptables -A FORWARD -p udp -m ipp2p --kazaa --bit -j DROP > iptables -A FORWARD -p tcp -m ipp2p --edk --soul -j DROP > > > When I created some shorewall tcrules for ipp2p a 'shorewall check' command shows a segmentation fault occurring and aborts reporting that I don't have IPP2P support. > Delving further I found shorewall's test for ipp2p support in /usr/share/shorewall/lib.base where is it running the following command: > > $IPTABLES -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT > > Note that I've correctly defined the $IPTABLES variable in the main config file to point to /usr/local/sbin/iptables instead of /sbin/iptables > > If I run the command directly myself I also get the segmentation fault: > > root@gecko:~# iptables -A fooX1234 -m ipp2p --ipp2p -j ACCEPT > Segmentation fault > > This is despite the help for the module working as you can see above. > Using /usr/local/sbin/iptables makes no difference, but a which command shows I'm running the correct version: > > root@gecko:~# which iptables > /usr/local/sbin/iptables > > Any idea how I can track down what is wrong? 
> > Finally, just in case it helps anyone, here is the output from an strace: > > root@gecko:~# strace iptables -A fooX1234 -m ipp2p --ipp2p -j ACCEPT > execve("/usr/local/sbin/iptables", ["iptables", "-A", "fooX1234", "-m", "ipp2p", "--ipp2p", "-j", "ACCEPT"], [/* 21 vars */]) = 0 > brk(0) = 0x8055000 > access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) > mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f58000 > access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) > open("/etc/ld.so.cache", O_RDONLY) = 3 > fstat64(3, {st_mode=S_IFREG|0644, st_size=19567, ...}) = 0 > mmap2(NULL, 19567, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f53000 > close(3) = 0 > access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) > open("/lib/i686/cmov/libdl.so.2", O_RDONLY) = 3 > read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0p\n\0\000"..., 512) = 512 > fstat64(3, {st_mode=S_IFREG|0644, st_size=9684, ...}) = 0 > mmap2(NULL, 12412, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7f4f000 > mmap2(0xb7f51000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb7f51000 > close(3) = 0 > access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) > open("/lib/i686/cmov/libc.so.6", O_RDONLY) = 3 > read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\260a\1"..., 512) = 512 > fstat64(3, {st_mode=S_IFREG|0755, st_size=1335720, ...}) = 0 > mmap2(NULL, 1340944, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7e07000 > mmap2(0xb7f49000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x142) = 0xb7f49000 > mmap2(0xb7f4c000, 9744, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7f4c000 > close(3) = 0 > mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7e06000 > set_thread_area({entry_number:-1 -> 6, base_addr:0xb7e06ac0, limit:1048575, seg_32bit:1, contents:0, 
read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
> mprotect(0xb7f49000, 4096, PROT_READ) = 0
> munmap(0xb7f53000, 19567) = 0
> brk(0) = 0x8055000
> brk(0x8076000) = 0x8076000
> open("/usr/local/lib/iptables/libxt_ipp2p.so", O_RDONLY) = -1 ENOENT (No such file or directory)
> open("/usr/local/lib/iptables/libipt_ipp2p.so", O_RDONLY) = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\4\0"..., 512) = 512
> fstat64(3, {st_mode=S_IFREG|0755, st_size=11602, ...}) = 0
> mmap2(NULL, 11284, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7f55000
> mmap2(0xb7f57000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb7f57000
> close(3) = 0
> --- SIGSEGV (Segmentation fault) @ 0 (0) ---
> +++ killed by SIGSEGV +++
> Process 23813 detached
>
>
> I notice it is trying to open libxt_ipp2p.so in /usr/local/lib/iptables/ which failed...
> Is that something that should be on my system?
>
> Regards,
>
>

From aleksander at krediidiinfo.ee Sun Oct 7 13:08:19 2007
From: aleksander at krediidiinfo.ee (Aleksander Kamenik)
Date: Sun Oct 7 13:08:35 2007
Subject: [LARTC] ipp2p segmentation fault
In-Reply-To: <47081D5C.3090000@ddihealth.com>
References: <470722AD.2080303@ddihealth.com> <47077EA6.1040300@krediidiinfo.ee> <47081D5C.3090000@ddihealth.com>
Message-ID: <4708BE23.5010404@krediidiinfo.ee>

Jim Barber wrote:
> So it'll get the latest at the time, which on Sep 26th was 0.8.1_rc1, if
> I had waited a day or two 0.8.2 would have been out.

0.8.2 was released Sep 26 _2006_. More than a year ago.

>
> I'll try again using the newer version.

So how did that go?

The reason for not using pom is the simplicity of the manual install. After compiling you get two files, the kernel module and the iptables module. Copy them into the correct places, run depmod -a for the kernel module and you're ready to go. Easy to see where you've gone wrong if there's a problem.

Also, why did you install your own version of iptables?
Does pom require it?

The problem probably is that the ipp2p module for iptables was either compiled for the wrong version or you're trying to use it with the wrong version of iptables.

Regards,

--
Aleksander Kamenik
system administrator
+372 6659 649
aleksander@krediidiinfo.ee
Krediidiinfo AS
http://www.krediidiinfo.ee/

From jim.barber at ddihealth.com Sun Oct 7 15:36:30 2007
From: jim.barber at ddihealth.com (Jim Barber)
Date: Sun Oct 7 15:36:50 2007
Subject: [LARTC] ipp2p segmentation fault
In-Reply-To: <4708BE23.5010404@krediidiinfo.ee>
References: <470722AD.2080303@ddihealth.com> <47077EA6.1040300@krediidiinfo.ee> <47081D5C.3090000@ddihealth.com> <4708BE23.5010404@krediidiinfo.ee>
Message-ID: <4708E0DE.1090306@ddihealth.com>

Aleksander Kamenik wrote:
>
> 0.8.2 was released Sep 26 _2006_. More than a year ago.

Oh. :)

Shows how observant I am. I read the Sep 26th in the NEWS section on the ipp2p.org site and because the version I compiled reported itself as v0.8.1_rc1 it didn't click with me that I had an old version.
The version I had was what POM downloaded on the day I did it.

>> I'll try again using the newer version.
>
> So how did that go?
>

I haven't had a go at it yet. I'll probably look at it mid week.
I'll use your method of doing it without using POM.

> The reason for not using pom is the simplicity of the manual install.
> After compiling you get two files, the kernel module and the iptables
> module. Copy them into the correct places, run depmod -a for the kernel
> module and you're ready to go. Easy to see where you've gone wrong if
> there's a problem.
>
> Also, why did you install your own version of iptables? Does pom require
> it?
In the /usr/share/doc/iptables/changelog.Debian.gz file I read the following entry:

  * pomng kernel extensions removed upstream: IPMARK, NETLINK, TCPLAG, XOR, account, condition, dstlimit, fuzzy, geoip, ip6t_ULOG, ipp2p, mport, nth, osf, pool, psd, quota, random, time

And since ipp2p is listed above I figured Debian may have changed their version to not support ipp2p at all.
So I got the real iptables source code to be safe.

> The problem probably is that the ipp2p module for iptables was either
> compiled for the wrong version or you're trying to use it with the wrong
> version of iptables.

Thanks for your help.
I'll look at it a bit later this week using the latest ipp2p package from their web site.
Working or not, I'll post the result.

Jim.

From salatiel.filho at gmail.com Mon Oct 8 03:09:26 2007
From: salatiel.filho at gmail.com (Salatiel Filho)
Date: Mon Oct 8 03:09:44 2007
Subject: [LARTC] new doubts about bridge qdisc
Message-ID:

Ok, let's go again with shaping a bridge interface.
The environment is a dd-wrt firmware router. I have a vlan1 interface connected to the DSL modem, and a br0 interface connecting wired and wireless machines.
Let's begin with the doubts. I have [example]:

tc qdisc add dev br0 root handle 1: htb default 999
tc class add dev br0 parent 1: classid 1:999 htb rate 16kbit ceil 16kbit

Well, all traffic coming from vlan1 [dsl modem] to br0 [wired or wireless] is shaped to 16kbit as expected [default class], but why is traffic coming from the wireless to the wired, or the other way around, not shaped? I like the fact that it is not, but I do not understand why not, since I still think packets coming from br0 and leaving to br0 should still be shaped, since they are taking an outgoing path.

--
[]'s
Salatiel

"The greatest pleasure of an intelligent person is to play the idiot in front of an idiot who plays the intelligent one."

From dmiller at amfes.com Mon Oct 8 06:18:05 2007
From: dmiller at amfes.com (Daniel L. Miller)
Date: Mon Oct 8 06:17:47 2007
Subject: [LARTC] Multiple shaping on a single physical interface
Message-ID: <4709AF7D.7090703@amfes.com>

I have a Linux box connected to a simple DSL router (along with other machines on the home network). This box is intended as an off-site storage server for my office. Taking advantage of some rsync scripts, I have a very simple yet complete off-site backup solution. My question is in bandwidth management.

I want to use this box for other purposes. It has a single NIC, connected to the switch/router. Operating within my home LAN, I should be able to communicate with it at the typical full-duplex 100BaseT speeds. However, when it's involved in the archive process, the DSL connection (5M/512k) gets saturated. I wanted to set up some sort of shaping on this box to control how much of the DSL connection it consumes.

I initially went to wondershaper/ctshaper - but I realized that this is actually going to hurt me. With ctshaper enabled, with the DSL tuned settings of 5M/512k - I've absolutely crippled its ability to communicate with the LAN.

How can I achieve the clean communication with the DSL, reserving some available bandwidth for other purposes - yet leave communication with the local network at full? Do I need to define multiple virtual interfaces?

Daniel

From dmiller at amfes.com Mon Oct 8 08:34:13 2007
From: dmiller at amfes.com (Daniel L. Miller)
Date: Mon Oct 8 08:34:01 2007
Subject: [LARTC] Multiple shaping on a single physical interface
In-Reply-To: <4709AF7D.7090703@amfes.com>
References: <4709AF7D.7090703@amfes.com>
Message-ID: <4709CF65.5050704@amfes.com>

Daniel L. Miller wrote:
> I have a Linux box connected to a simple DSL router (along with other
> machines on the home network). This box is intended as an off-site
> storage server for my office. Taking advantage of some rsync scripts,
> I have a very simple yet complete off-site backup solution. My
> question is in bandwidth management.
>
> I want to use this box for other purposes. It has a single NIC,
> connected to the switch/router. Operating within my home LAN, I
> should be able to communicate with it at the typical full-duplex
> 100BaseT speeds. However, when it's involved in the archive process,
> the DSL connection (5M/512k) get saturated. I wanted to setup some
> sort of shaping on this box to control how much of the DSL connection
> it consumes.
>
> I initially went to wondershaper/ctshaper - but I realized that this
> is actually going to hurt me. With ctshaper enabled, with the DSL
> tuned settings of 5M/512k - I've absolutely crippled its ability to
> communicate with the LAN.
>
> How can I achieve the clean communication with the DSL, reserving some
> available bandwidth for other purposes - yet leave communication with
> the local network at full? Do I need to define multiple virtual
> interfaces?

It just hit me that this is probably incorrect in my particular case - since I'm using OpenVPN for the connection I can apply the throttling to the tap interface. But - my question still remains how I would go about doing this type of control if I were actually using just the one interface.

Daniel

From tuure.vartiainen at tut.fi Mon Oct 8 09:02:25 2007
From: tuure.vartiainen at tut.fi (Tuure Vartiainen)
Date: Mon Oct 8 09:02:34 2007
Subject: [LARTC] "htb: too many events !"?
Message-ID: <4709D601.5010406@tut.fi>

Hello.

I have a benchmark setup where I try to shape the traffic of 3000 concurrent tcp connections using HTB and hash tables. The machine doing the shaping is running Debian 4.0 with Linux kernel 2.6.18 and has two 1 Gbps ethernet interfaces (in and out).

During the testing everything is going fine for a couple of minutes but after that the kernel's ring buffer starts to fill with "htb: too many events !" messages and total throughput drops to 1/3 of the original speed.
The code of the htb_do_events(struct htb_sched *q, int level) function in net/sched/sch_htb.c doesn't really comment itself, at least not for me :).

So in what kind of situations does the for loop inside the htb_do_events(struct htb_sched *q, int level) function not return within 500 (magic number?) rounds, so that the kernel warning "htb: too many events !" gets printed?

Any ideas?

BR
--
Tuure Vartiainen

From linux at arcoscom.com Mon Oct 8 11:17:30 2007
From: linux at arcoscom.com (ArcosCom Linux User)
Date: Mon Oct 8 11:11:01 2007
Subject: [LARTC] ipp2p segmentation fault
In-Reply-To: <470722AD.2080303@ddihealth.com>
References: <470722AD.2080303@ddihealth.com>
Message-ID: <47749.89.107.243.1.1191835050.squirrel@www.arcoscom.com>

I remember some months ago a problem like the one you have. Perhaps this can help you:

1) Be sure your library directories are in the correct order, so that your /usr/local/lib/iptables is loaded before the distro iptables lib directory. Take a look into the /etc/ld.so.conf.d .conf files to modify them and add your lib directories before the system ones.

2) In the ipp2p Makefile, I remember somebody saying that you need to change the link command (LD) and put the C compiler in for the link step (CC).

I don't have Debian, so I can't say whether all this info applies to Debian too, but you can try this before going crazy compiling.

Regards

On Sat, 6 October 2007, 7:52, Jim Barber wrote:
> Hi all.
>
> On Sep 26th I decided to try and get ipp2p working on my machine that acts
> as a gateway for my Internet connection.
> This machine is running Debian.
>
> I performed the install by doing the following steps:
>
> - I installed the Debian package called linux-source-2.6.22 for my Linux
> kernel source and unpacked the resulting tar.bz2 file.
> > - From the netfilter.org site I downloaded the following snapshot packages > and unpacked them into my build area: > > iptables-1.3.8-20070925.tar.bz2 > patch-o-matic-ng-20070925.tar.bz2 > > - I ran the patch-o-matic-ng runme script correctly defining the > KERNEL_DIR and IPTABLES_DIR parameters. > I also used the --download parameter so that it would fetch the ipp2p > out-of-tree repository. > > - When running the patch-o-matic-ng script I said 'No' to all the > extensions except for the ipp2p one since that is all I was interested in. > The patch seemed to successfully apply. > > - I configured and built the Linux sources enabling all the netfilter > modules that I needed (including the ipp2p one that is now patched in). > > - I then built and installed the kernel. > > - I also built and installed the iptables package (again specifying the > KERNEL_DIR parameter) > This new iptables is installed under my /usr/local/ tree which is > earlier in my $PATH. > > - I rebooted off the new kernel and all looks good and a 'uname -a' > confirms I am on the new kernel. > > > I'm using shorewall to configure my firewall rules so it loads pretty much > all the iptables/netfilter modules on start up. 
> > The module has loaded okay as far as I can tell: > > root@gecko:~# lsmod | grep p2p > ipt_ipp2p 8256 0 > x_tables 15236 43 > xt_comment,xt_policy,xt_multiport,ipt_ULOG,ipt_TTL,ipt_ttl,ipt_TOS,ipt_tos,ipt_SAME,ipt_REJECT,ipt_REDIRECT,ipt_recent,ipt_owner,ipt_NETMAP,ipt_MASQUERADE,ipt_LOG,ipt_iprange,ipt_ipp2p,ipt_ECN,ipt_ecn,ipt_ah,ipt_addrtype,xt_tcpmss,xt_pkttype,xt_physdev,xt_NFQUEUE,xt_NFLOG,xt_MARK,xt_mark,xt_mac,xt_limit,xt_length,xt_helper,xt_hashlimit,xt_dccp,xt_conntrack,xt_CONNMARK,xt_connmark,xt_CLASSIFY,xt_tcpudp,xt_state,iptable_nat,ip_tables > > And the help for it works okay: > > root@gecko:~# iptables -m ipp2p --help > iptables v1.3.8-20070925 > > > > IPP2P v0.8.1_rc1 options: > --ipp2p Grab all known p2p packets > --edk [TCP&UDP] All known eDonkey/eMule/Overnet packets > --dc [TCP] All known Direct Connect packets > --kazaa [TCP&UDP] All known KaZaA packets > --gnu [TCP&UDP] All known Gnutella packets > --bit [TCP&UDP] All known BitTorrent packets > --apple [TCP] All known AppleJuice packets > --winmx [TCP] All known WinMX > --soul [TCP] All known SoulSeek > --ares [TCP] All known Ares > > EXPERIMENTAL protocols (please send feedback to: ipp2p@ipp2p.org) : > --mute [TCP] All known Mute packets > --waste [TCP] All known Waste packets > --xdcc [TCP] All known XDCC packets (only xdcc login) > > DEBUG SUPPPORT, use only if you know why > --debug Generate kernel debug output, THIS WILL SLOW DOWN > THE FILTER > > Note that the follwing options will have the same meaning: > '--ipp2p' is equal to '--edk --dc --kazaa --gnu --bit --apple --winmx > --soul --ares' > > IPP2P was intended for TCP only. Due to increasing usage of UDP we needed > to change this. > You can now use -p udp to search UDP packets only or without -p switch to > search UDP and TCP packets. 
> > See README included with this package for more details or visit > http://www.ipp2p.org > > Examples: > iptables -A FORWARD -m ipp2p --ipp2p -j MARK --set-mark 0x01 > iptables -A FORWARD -p udp -m ipp2p --kazaa --bit -j DROP > iptables -A FORWARD -p tcp -m ipp2p --edk --soul -j DROP > > > When I created some shorewall tcrules for ipp2p a 'shorewall check' > command shows a segmentation fault occurring and aborts reporting that I > don't have IPP2P support. > Delving further I found shorewall's test for ipp2p support in > /usr/share/shorewall/lib.base where is it running the following command: > > $IPTABLES -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT > > Note that I've correctly defined the $IPTABLES variable in the main config > file to point to /usr/local/sbin/iptables instead of /sbin/iptables > > If I run the command directly myself I also get the segmentation fault: > > root@gecko:~# iptables -A fooX1234 -m ipp2p --ipp2p -j ACCEPT > Segmentation fault > > This is despite the help for the module working as you can see above. > Using /usr/local/sbin/iptables makes no difference, but a which command > shows I'm running the correct version: > > root@gecko:~# which iptables > /usr/local/sbin/iptables > > Any idea how I can track down what is wrong? 
> > Finally, just in case it helps anyone, here is the output from an strace: > > root@gecko:~# strace iptables -A fooX1234 -m ipp2p --ipp2p -j ACCEPT > execve("/usr/local/sbin/iptables", ["iptables", "-A", "fooX1234", "-m", > "ipp2p", "--ipp2p", "-j", "ACCEPT"], [/* 21 vars */]) = 0 > brk(0) = 0x8055000 > access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or > directory) > mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) > = 0xb7f58000 > access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or > directory) > open("/etc/ld.so.cache", O_RDONLY) = 3 > fstat64(3, {st_mode=S_IFREG|0644, st_size=19567, ...}) = 0 > mmap2(NULL, 19567, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f53000 > close(3) = 0 > access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or > directory) > open("/lib/i686/cmov/libdl.so.2", O_RDONLY) = 3 > read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0p\n\0\000"..., > 512) = 512 > fstat64(3, {st_mode=S_IFREG|0644, st_size=9684, ...}) = 0 > mmap2(NULL, 12412, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) > = 0xb7f4f000 > mmap2(0xb7f51000, 8192, PROT_READ|PROT_WRITE, > MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb7f51000 > close(3) = 0 > access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or > directory) > open("/lib/i686/cmov/libc.so.6", O_RDONLY) = 3 > read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\260a\1"..., 512) > = 512 > fstat64(3, {st_mode=S_IFREG|0755, st_size=1335720, ...}) = 0 > mmap2(NULL, 1340944, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, > 0) = 0xb7e07000 > mmap2(0xb7f49000, 12288, PROT_READ|PROT_WRITE, > MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x142) = 0xb7f49000 > mmap2(0xb7f4c000, 9744, PROT_READ|PROT_WRITE, > MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7f4c000 > close(3) = 0 > mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) > = 0xb7e06000 > set_thread_area({entry_number:-1 -> 6, base_addr:0xb7e06ac0, > limit:1048575, 
seg_32bit:1, contents:0, read_exec_only:0, > limit_in_pages:1, seg_not_present:0, useable:1}) = 0 > mprotect(0xb7f49000, 4096, PROT_READ) = 0 > munmap(0xb7f53000, 19567) = 0 > brk(0) = 0x8055000 > brk(0x8076000) = 0x8076000 > open("/usr/local/lib/iptables/libxt_ipp2p.so", O_RDONLY) = -1 ENOENT (No > such file or directory) > open("/usr/local/lib/iptables/libipt_ipp2p.so", O_RDONLY) = 3 > read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\4\0"..., > 512) = 512 > fstat64(3, {st_mode=S_IFREG|0755, st_size=11602, ...}) = 0 > mmap2(NULL, 11284, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) > = 0xb7f55000 > mmap2(0xb7f57000, 4096, PROT_READ|PROT_WRITE, > MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb7f57000 > close(3) = 0 > --- SIGSEGV (Segmentation fault) @ 0 (0) --- > +++ killed by SIGSEGV +++ > Process 23813 detached > > > I notice it is trying to open libxt_ipp2p.so in /urs/local/lib/iptables/ > which failed... > Is that something that should be on my system? > > Regards, > > -- > ---------- > Jim Barber > DDI Health > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > From gtaylor at riverviewtech.net Mon Oct 8 16:48:46 2007 From: gtaylor at riverviewtech.net (Grant Taylor) Date: Mon Oct 8 16:48:31 2007 Subject: [LARTC] Layer 3 switching... In-Reply-To: <47076E8F.7060306@advaita.sytes.net> References: <4705538C.7070403@riverviewtech.net> <47060C6F.1040704@advaita.sytes.net> <47064ED5.7030900@riverviewtech.net> <47076E8F.7060306@advaita.sytes.net> Message-ID: <470A434E.9000103@riverviewtech.net> On 10/06/07 06:16, John Default wrote: > So, now i get it (after your first mail, it wasn't possible :)). I > think the idea is great, but. > > What everything would you we actually avoid ? 
For correct operation we > will have to look at destination IP anyway, skipping only ip header > check (iphdr checksum, version, maybe length check), which consists of > functions that are implemented in very quick way (sum through 20B > written in assembly..) (probably few tens of nanoseconds on 1GHz processor) True... > With the probability of damaged packet header we probably can skip > checking. But there are some security problems that can arise from that. Agreed. > Then we avoid lookup in routing table. But routing already does have > cache (i don't know how effective) for routes to avoid doing the lookup > for each packet. Will this be much faster than route cache ? > Bringing it down to lower, dumber layer we risk that we will somehow > mess up policy routing, multipath routing and probably some other > advanced things. > Another thing is that turning the l3 switching on, router will start to > behave little bit different as usually, what could confuse the > administrator ... I'm not thinking about making this an all or nothing type of application. I would rather turn on L3 switching as desired and use the existing kernel as is for any thing else. The intent is to not mess things up, but optimize when basic routing will be the predominant task. > What about NAT and other packet-changing things in iptables (and QoS > marking and the like)? Stealing packet before layer3 processing we > avoid these things as well i think. Hm this could really become a problem. > There could be mechanism for detecting if packet is changed anyhow and > then we would not touch it, but if box is meant for changing packets, > then we would have to implement it too or process no packets at all > ...(you are right, who would use l3 switch for NAT : ) ) This, again, is not a scenario for L3 switching, at least not in its first incarnation. However basic NATing would not be difficult to implement, just alter the source IP like the source MAC is altered. > ... 
and you should probably decrement and check the ttl too : ) Agreed. > I just mentioned few things that came to my mind that might need to be > considered. But otherwise i think the idea is very nice. I will try to > find out more, just need to find time to read the source ; ) These are all very good points and deserve to be addressed. Thank you for discussing things, that's exactly what I was wanting. > (disclaimer: I am just beginner, with my stupid questions i am just > trying to help your thinking process) (See my last statement.) Grant. . . . From gtaylor at riverviewtech.net Mon Oct 8 17:00:17 2007 From: gtaylor at riverviewtech.net (Grant Taylor) Date: Mon Oct 8 16:59:59 2007 Subject: [LARTC] Layer 3 switching... In-Reply-To: <47077F26.8030306@vsnl.com> References: <4705538C.7070403@riverviewtech.net> <47060C6F.1040704@advaita.sytes.net> <47064ED5.7030900@riverviewtech.net> <47076E8F.7060306@advaita.sytes.net> <47077F26.8030306@vsnl.com> Message-ID: <470A4601.4000106@riverviewtech.net> On 10/06/07 07:27, Mohan Sundaram wrote: > CISCO CEF works somewhat in this fashion for routing only. I've been > building network gear for a while now. *nod* > I had this idea but no buyers. Route cache is for destination IPs > normally. If the router does stateful filtering, then it has > connections / flows. Once a look up is done for a flow based on > destination or policy routing, the exit interface with new packet header > values and frame header value is also made part of the route cache. Thus > the resultant of all L3/L2 actions are attached to a flow and used. This > would include NAT translations. Sounds like the route cache has been well thought out in the Cisco gear. > The above idea gives good speed but fails for encapsulations, packet > based load balancing and effecting inline change in configurations for > existing flows. Being a commercial product, unless it is fully baked, it > does not fly. 
User is responsible is also an arguement that is not > accepted in such scenarios. Further this is IP specific and cannot do > well in multi-protocol routers unless IP encapsulations like GRE are > used as a standard. I don't think that L3 switching that I'm referring to is meant to be used in all locations, especially some of the ones that you reference. However L3 switching would be good in a core network between edge and core networks (presuming that there is no firewalling / filtering going on between the two). I would never use a L3 switch as the interface to WANs and / or the ISPs, at least not today in this day and age. > An extension was to tie flows to MPLS labels but this was getting into > core routing / switching space while focus was on CPE side. I think MPLS in and of its own right is a very promising technology, all be it somewhat isolated to larger networks with their own complex core. Rather it is my understanding that MPLS is primarily intra company, not inter company which is where I think it could have more benefit. However I could be wrong about this. (If a discussion is going to ensue, let's start a new thread.) Grant. . . . From ams at toroid.org Wed Oct 10 12:35:41 2007 From: ams at toroid.org (Abhijit Menon-Sen) Date: Wed Oct 10 12:36:06 2007 Subject: [LARTC] failover with conntrackd Message-ID: <20071010103540.GA11105@toroid.org> Hi. Is anyone using conntrack-tools to implement gateway failover on a network with windows clients? I set it up with ucarp and keepalived, and found that gratuitous ARP doesn't always seem to update the cache on Windows machines. It works the first time, but if a second failover happens, the client continues to send stuff to the wrong MAC address. Linux machines work fine. I've noticed similar reports from other people, but nothing that seemed like a solution. Has anyone experimented with doing MAC address takeover too? 
That seems like it ought to work, but I haven't tried it out because neither ucarp nor keepalived seem to implement it; and I wondered if I was missing something. What do other people do?

-- ams

From jayeshleo at gmail.com Wed Oct 10 15:56:43 2007
From: jayeshleo at gmail.com (Jayesh Agrawal)
Date: Wed Oct 10 15:56:52 2007
Subject: [LARTC] Packet capturing
Message-ID:

Hello Everybody!

I am an Engineering student and doing a project on a WAN Emulator. Can anyone please tell me the way to capture a packet at the Network Layer. I want to capture the original packet and not the copy (I think libpcap provides a copy of the original packet). Let's suppose we get a copy at the Network layer; then how can we destroy the original packet....

Please suggest.... Thanks in advance

From gtaylor at riverviewtech.net Wed Oct 10 16:55:57 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Wed Oct 10 16:55:40 2007
Subject: [LARTC] failover with conntrackd
In-Reply-To: <20071010103540.GA11105@toroid.org>
References: <20071010103540.GA11105@toroid.org>
Message-ID: <470CE7FD.3080402@riverviewtech.net>

On 10/10/07 05:35, Abhijit Menon-Sen wrote:
> Is anyone using conntrack-tools to implement gateway failover on a
> network with windows clients?

No, not as of yet. Sorry.

> I set it up with ucarp and keepalived, and found that gratuitous ARP
> doesn't always seem to update the cache on Windows machines. It works
> the first time, but if a second failover happens, the client
> continues to send stuff to the wrong MAC address. Linux machines work
> fine.

Um, why are you not using the same MAC address for the gateway and having the systems decide who is actively using the MAC at any given time?

> I've noticed similar reports from other people, but nothing that
> seemed like a solution.
*nod*

> Has anyone experimented with doing MAC address takeover too? That
> seems like it ought to work, but I haven't tried it out because
> neither ucarp nor keepalived seem to implement it; and I wondered if
> I was missing something. What do other people do?

Virtual Router Redundancy Protocol (VRRP) comes to mind. There is a very simple VRRP daemon (vrrpd) for Linux / Unix that will achieve this. To my knowledge it works by creating a new MAC address that is used for the VRRP router. The VRRP router is a virtual router that is traded back and forth between two or more possible real routers.

Technically VRRP creates a new virtual MAC address 00:00:5E:00:01:XX that the IP is associated with. The "XX" is the virtual redundant router ID, usually 1 unless you have multiple virtual redundant routers in your network. The active virtual router will claim the 00:00:5E:00:01:XX MAC address and send out GARPs to update switch / bridge tables for the new location of the same MAC address. The two or more VRRP routers will heartbeat each other (I think by multicast (?)) and if the active does not heartbeat within a timeout the next router in the chain takes over, GARPs to update switch / bridge tables, and clients continue using the same MAC address.

I've set up VRRP on a couple of test systems just long enough to say "Yep, that works." but did not do anything further. I used vrrpd which was ridiculously easy to set up.

Be aware that VRRP is only meant for routers and not for hosts that have things bound to the virtual interface / IP; you want some sort of load balancing / failover scenario in that case.

Grant. . . .
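The difference Grant describes (ucarp/keepalived announcing the gateway IP from each router's own MAC versus VRRP keeping one virtual MAC 00:00:5E:00:01:XX) as an added example, not code from this thread or from vrrpd, ucarp or keepalived: a small Python monitor that decodes gratuitous ARP frames announcing the gateway IP and counts how often the gateway's MAC changes, which is exactly what every client ARP cache has to follow after a failover. The gateway IP 192.168.1.1, the router MACs and the VRID are constructed sample values.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Virtual MAC prefix quoted above: 00:00:5E:00:01:XX, where XX is the VRID.
VRRP_MAC_PREFIX = "00:00:5e:00:01"
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def vrrp_virtual_mac(vrid: int) -> str:
    """Return the VRRP virtual MAC for virtual router ID vrid (1..255)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in 1..255")
    return f"{VRRP_MAC_PREFIX}:{vrid:02x}"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{x:02x}" for x in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(x) for x in raw)


@dataclass
class ArpFrame:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    @property
    def gratuitous(self) -> bool:
        # A gratuitous ARP announces the sender's own address: sender IP == target IP.
        return self.sender_ip == self.target_ip


def build_garp(mac: str, ip: str) -> bytes:
    """Constructed sample frame: a broadcast gratuitous ARP reply for (mac, ip)."""
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=Ethernet(1), ptype=IPv4(0x0800), hlen=6, plen=4, op=reply
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(mac) + ip_bytes(ip) + mac_bytes(mac) + ip_bytes(ip)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[ArpFrame]:
    """Decode an Ethernet/ARP frame; None for anything that is not well-formed ARP over IPv4."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return ArpFrame(op, mac_str(body[0:6]), ip_str(body[6:10]),
                    mac_str(body[10:16]), ip_str(body[16:20]))


class GatewayMonitor:
    """Track which MAC currently claims the gateway IP, as a client's ARP cache would."""

    def __init__(self, gateway_ip: str, vrid: Optional[int] = None):
        self.gateway_ip = gateway_ip
        self.expected_mac = vrrp_virtual_mac(vrid) if vrid else None
        self.current_mac: Optional[str] = None
        self.mac_changes = 0             # failovers that force every client cache to update
        self.unexpected: List[str] = []  # MACs claiming the gateway that are not the virtual MAC

    def observe(self, frame: bytes) -> None:
        arp = parse_arp(frame)
        if arp is None or not arp.gratuitous or arp.sender_ip != self.gateway_ip:
            return
        if self.expected_mac is not None and arp.sender_mac != self.expected_mac:
            self.unexpected.append(arp.sender_mac)
        if arp.sender_mac != self.current_mac:
            if self.current_mac is not None:
                self.mac_changes += 1
            self.current_mac = arp.sender_mac


def simulate(frames: List[bytes], gateway_ip: str, vrid: Optional[int] = None) -> GatewayMonitor:
    mon = GatewayMonitor(gateway_ip, vrid)
    for frame in frames:
        mon.observe(frame)
    return mon


if __name__ == "__main__":
    GW = "192.168.1.1"                                             # constructed gateway IP
    ROUTER_A, ROUTER_B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"  # constructed router MACs
    # Own-MAC takeover (ucarp/keepalived style): two failovers A -> B -> A mean
    # two cache updates on every client, which is where the Windows boxes got stuck.
    ucarp = [build_garp(ROUTER_A, GW), build_garp(ROUTER_B, GW), build_garp(ROUTER_A, GW)]
    print("own-MAC takeover: cache updates needed =", simulate(ucarp, GW).mac_changes)
    # VRRP style: both routers announce the same virtual MAC; only switch tables move.
    vrrp = [build_garp(vrrp_virtual_mac(1), GW) for _ in range(3)]
    print("VRRP VRID 1: cache updates needed =", simulate(vrrp, GW, vrid=1).mac_changes)
```

With a VRID configured, `unexpected` also lists any GARP that claims the gateway IP from a non-VRRP MAC, which is a cheap way to spot a misconfigured second daemon on the segment.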
From marco.casaroli at gmail.com Wed Oct 10 23:05:02 2007 From: marco.casaroli at gmail.com (Marco Aurelio) Date: Wed Oct 10 23:05:09 2007 Subject: [LARTC] htb on Gigabit Interfaces In-Reply-To: References: Message-ID: <92ed523b0710101405o5f87ab8bj3edafe0c116aa7c4@mail.gmail.com> On 9/18/07, hhoxha wrote: > > > Hi every body > > I have a linux server with Intel(R) Xeon(TM) CPU 3.20GHz , and 2 Gigabit > of RAM , kernel version 2.6.22.6 , and 2 Intel 82541PI Gigabit Ethernet > controllers > > > In simple situation i would like to limit bandwidth for 2 customers 1) ( > to 34 Mb/s ) and 2) 68 Mb/s . > > My conf is as below > ///////////////////////////////////////////////////// > #IFACE FACONG THE CUSTOMERS > > /sbin/tc qdisc add dev eth0 root handle 1:0 htb > > #IFACE FACING THE INTERNET > > /sbin/tc qdisc add dev eth1 root handle 1:0 htb > > > /sbin/tc class add dev eth0 parent 1:0 classid 1:1 htb rate 150mbit quantum 30000 > /sbin/tc class add dev eth1 parent 1:0 classid 1:1 htb rate 150mbit quantum 30000 > > #second customer download > > /sbin/tc class add dev eth0 parent 1:0 classid 1:2 htb rate 68mbit ceil 68mbit quantum 30000 try parent 1:1 > > #seconf customer upload > > /sbin/tc class add dev eth1 parent 1:0 classid 1:2 htb rate 68000kbit ceil 68000kbit quantum 30000 and here > > # first customer download > > /sbin/tc class add dev eth0 parent 1:0 classid 1:3 htb rate 34mbit ceil 34mbit quantum 30000 and here > > # first customer upload > > /sbin/tc class add dev eth1 parent 1:0 classid 1:3 htb rate 34mbit ceil 34mbit quantum 30000 aand here > > > #then iptable classify rules > > #TO_FIRST CUSTOMER > > /opt/sbin/iptables -t mangle -I POSTROUTING -o eth0 -d $DESTINATIONIP -j CLASSIFY --set-class 1:2 > > > #FROM_FIRST CUSTOMER > > /opt/sbin/iptables -t mangle -I POSTROUTING -o eth1 -s $SOURCEIP -j CLASSIFY --set-class 1:2 > > > #TO_SECOND CUSTOMER > > /opt/sbin/iptables -t mangle -I POSTROUTING -o eth0 -d $DESTINATIONIP -j CLASSIFY --set-class 1:3 > > > 
> #FROM_SECOND CUSTOMER
>
> /opt/sbin/iptables -t mangle -I POSTROUTING -o eth1 -s $SOURCEIP -j CLASSIFY --set-class 1:3
>
>
> /////////////////////////////////
>
> For the customer with 34 Mb/s of bandwidth I can hardly reach 8 Mb/s and
> at this point I can notice an increased number of packets in the htb
> scheduler queue.
>
> With tc (htb disabled) the line rate of nearly 100 Mb/s of the
> customer can be reached easily.
>
> Is there any special tuning or conf that should be done considering the
> gig interfaces in place?
>
> Thank you
>
> Hysen Hoxha
> AlbTelecom
> Albania

-- 
Marco Casaroli
SapucaiNet Telecom
+55 35 34712377 ext. 5

From mbe_ml at swiss-wireless.com.ar Wed Oct 10 23:05:36 2007
From: mbe_ml at swiss-wireless.com.ar (Beat Meier)
Date: Wed Oct 10 23:05:53 2007
Subject: [LARTC] How to use rate limit with marks set on packets with own queue???
Message-ID: <470D3EA0.7080506@swiss-wireless.com.ar>

Hi

After several days testing and studying howtos and docu again ...

I want to limit all TCP traffic with the limit module to, say, one connection per second except some known traffic. (This is because using p2p progs gets me crazy, which takes my ADSL modem down, and I share my net with some users, and because of encryption of the stream l7 does not work ...)

As I understand it the limit module does work only on queues i.e. INPUT, FORWARD, OUTPUT or user defined.

My idea now: create a user defined queue and limit this queue to 2 connections per minute (only to test).

Now my question: how can I select that traffic with a mark set does not go to this queue?

What I do now is the following: (I have some queues to prioritize traffic with the marks ...)

So I mark some traffic.
...
tc filter add dev $DEV parent 1:0 protocol ip prio 1 handle 1 fw classid 1:10

iptables -t mangle -A PREROUTING -p icmp -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j RETURN

I create a new queue test to which all traffic should go EXCEPT the marked ones:

iptables -N test

### WHAT DO I HAVE TO PUT THAT ALL MARKED or say MARK 0x1 go on not to test ...

iptables -A FORWARD -p TCP -j test

iptables -A test -p tcp -m state --state NEW -m recent --set
iptables -A test -p tcp -m state --state NEW -m recent --update --seconds 60 --hitcount 2 -j LOG
iptables -A test -p tcp -m state --state NEW -m recent --update --seconds 60 --hitcount 2 -j DROP

Or is there a much better way to do this???

Thanks a lot for any hints!!!

Beat

From default at advaita.sytes.net Thu Oct 11 01:17:36 2007
From: default at advaita.sytes.net (John Default)
Date: Thu Oct 11 01:16:36 2007
Subject: [LARTC] Packet capturing
In-Reply-To:
References:
Message-ID: <470D5D90.6020500@advaita.sytes.net>

Hi, and why do you need to destroy the other packet copy?

The packet you receive with pcap is

a/ for your host and can be used normally (for normal networking of the host)

b/ not for your host - the operating system drops packets not intended for it anyway

If you didn't switch your network card into promiscuous mode, your NIC has already dropped that packet, so neither you (pcap) nor your operating system will see it.

With libpcap you are actually capturing on Layer 2; the ethernet header is included and can be injected. Your operating system therefore doesn't even have to have an IP address. During testing I usually used "ifconfig ethX 0.0.0.0 up" just to be sure the OS will not mess with IP packets :) .
I am not sure the interface has to be even in "up" state for pcap to work. In our school we have to implement "bridge" and "router" using libpcap and i had no problems with that. Using raw socket is another option to pcap Jayesh Agrawal wrote: > Hello Everybody! > > I am an Engineering student and doing a project on WAN Emulator. Can > anyone please tell me the way to capture a packet on Network Layer. I > want to capture original packet and not the copy(i think libpcap > provides a copy of the original packet). Let suppose we get a copy on > Netwok layer then how we can destroy the original packet.... > > Plz suggest me....Thanks in advance > ------------------------------------------------------------------------ > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > -- ___________________________________ S pozdravom / Best regards John Default From etg at setcom.bg Thu Oct 11 02:45:08 2007 From: etg at setcom.bg (Evgeni Gechev) Date: Thu Oct 11 02:45:18 2007 Subject: [LARTC] SK-9E21D + vlan + ifb Message-ID: <470D7214.5040606@setcom.bg> Hello! Scenario: kernel 2.6.22.9, SysKonnect SK-9E21D, vlan, redirecting for packets arriving on than vlan to ifb. Using tcpdump on ifb iinterface I see the following: 03:30:17.322484 5a:71:6f:15:00:17 > 00:00:5a:71:00:00, ethertype Unknown (0xcb69), length 1522: 0x0000: 2000 0800 4500 05dc 3a2f 4000 3c06 d868 ....E...:/@.<..h 0x0010: c299 9143 c3e6 0ec1 0050 0f2a e2c1 ce38 ...C.....P.*...8 0x0020: 792b a65c 5010 1a6d 6d13 0000 9b44 5dd1 y+.\P..mm....D]. 0x0030: e3b3 771e def5 bd61 19fb 393f 7d58 fde3 ..w....a..9?}X.. 0x0040: 8e7d 2b86 5251 6772 48d0 b083 e467 f2c0 .}+.RQgrH....g.. 0x0050: 2bca +. 03:30:17.322622 5a:71:6f:15:00:17 > 00:00:5a:71:00:00, ethertype Unknown (0xcb69), length 1522: 0x0000: 2000 0800 4500 05dc 3a31 4000 3c06 d866 ....E...:1@.<..f 0x0010: c299 9143 c3e6 0ec1 0050 0f2a e2c1 d3ec ...C.....P.*.... 
0x0020: 792b a65c 5010 1a6d a79d 0000 f6a1 b2d8 y+.\P..m........ 0x0030: e47d 3d29 dcad 8685 3b73 d0fa 63ad 046d .}=)....;s..c..m 0x0040: 2064 1c8a 40ee 8490 60f0 7eb5 2458 690f .d..@...`.~.$Xi. 0x0050: 19c0 .. Doing redirect on another vlan on the same adapter shows this: 03:32:01.943833 5a:71:6f:15:00:04 > 00:00:5a:71:00:00, ethertype Unknown (0x23b1), length 1514: 0x0000: ccec 0800 4500 05d4 f3d5 4000 3d06 c329 ....E.....@.=..) 0x0010: c395 f88a c3e6 011e 0050 3c1d 7527 ebcf .........P<.u'.. 0x0020: b69c 46d7 5010 1ae5 24d4 0000 8f45 14cf ..F.P...$....E.. 0x0030: fd3a 20d7 47e9 d3a7 ffd1 d3a7 474c 8a3a .:..G.......GL.: 0x0040: 3d3d 3f4c cd35 a747 fd31 da7d 1e8e 8e8f ==?L.5.G.1.}.... 0x0050: a74f .O 03:32:01.943835 5a:71:6f:15:00:04 > 00:00:5a:71:00:00, ethertype Unknown (0x23b1), length 74: 0x0000: ccec 0800 4500 0034 d884 4000 7b06 7023 ....E..4..@.{.p# 0x0010: 4dec a079 c3e6 04d0 0db0 272a 4ff8 4103 M..y......'*O.A. 0x0020: 2012 ea72 8010 ffff d6f4 0000 0101 050a ...r............ 0x0030: 2012 ec8a 2012 eea2 b2d2 2187 ..........!. 03:32:01.944488 5a:71:6f:15:00:04 > 00:00:5a:71:00:00, ethertype Unknown (0x23b1), length 68: 0x0000: ccec 0800 4500 002e 3ba9 4000 7e06 99ac ....E...;.@.~... 0x0010: 59d7 010b c3e6 08ac da5d 0a9e cfbd 8a73 Y........].....s 0x0020: 8cd3 a15e 5018 fc31 109e 0000 c106 4402 ...^P..1......D. 0x0030: 091a 4f53 b574 ..OS.t Doing redirect on other vlans (on other adapters, same PC) I see normal IP traffic. Everyting works fine on eth interfaces. Everything works fine on vlans on other adapters (intel, broadcom), only vlans on SysKonnect has this behavior. Seeing such packets on ifb makes impossible to do any further processing. From tony.hagans at coairnet.com Thu Oct 11 05:44:09 2007 From: tony.hagans at coairnet.com (Tony Hagans) Date: Thu Oct 11 05:44:27 2007 Subject: [LARTC] Multipath Multirouter - Can it be done? 
Message-ID: Currently I have a setup that involves connections from several different providers ranging from 6 mbit DSL's to 10 mbit fractional DS3 connections tied together to provide multipath high availability internet in our area for schools and businesses. We recently extended our coverage to another area which has several other ISP's. The box that is doing multiwan right now is the only gateway for the entire network and for some sites it is several hops back to that gateway. My goal is for us to purchase bandwidth in other locations, install a linux box and have multiple gateways available, but I think this is easier said than done. I will diagram this as best I can for you in current and future setup modes. Currently: ISP 1 ISP 2 ISP 3 etc... | | | | Multiwan box | Area 1 / | \ Area 2 Area 3 Area 4 Goal: Currently: ISP 1 ISP 2 ISP 3 etc... | | | | Multiwan box | Area 1 / | \ Area 2 Area 3 Area 4 | | Linux Box Linux Box | | ISP x ISP y My goal is for people in area 1-4 to all be able to use any of the connections to ISP 1-z and if one fails it passes the traffic through the network to an available route. Area 1-4 don't current have any linux hardware but it has been a long standing plan to put some in place in those areas as well so if that is required it could be done. These areas are all serviced by different small ISP's and would make acceptable alternate routes say if a backhual failed for some reason so that is the goal. Thanks for any input. From alex at samad.com.au Thu Oct 11 05:53:42 2007 From: alex at samad.com.au (Alex Samad) Date: Thu Oct 11 05:53:56 2007 Subject: [LARTC] Multipath Multirouter - Can it be done? 
In-Reply-To: References: Message-ID: <20071011035342.GL18816@samad.com.au> sound like you need a routing protocol, if you have access to manage all the routers On Wed, Oct 10, 2007 at 09:44:09PM -0600, Tony Hagans wrote: > Currently I have a setup that involves connections from several different providers ranging from 6 mbit DSL's to 10 mbit fractional DS3 connections tied together to provide multipath high availability internet in our area for schools and businesses. We recently extended our coverage to another area which has several other ISP's. The box that is doing multiwan right now is the only gateway for the entire network and for some sites it is several hops back to that gateway. My goal is for us to purchase bandwidth in other locations, install a linux box and have multiple gateways available, but I think this is easier said than done. I will diagram this as best I can for you in current and future setup modes. > > Currently: > > ISP 1 ISP 2 ISP 3 etc... > | | | | > > Multiwan box > > | > > Area 1 > > / | \ > > Area 2 Area 3 Area 4 > > Goal: > > Currently: > > ISP 1 ISP 2 ISP 3 etc... > | | | | > > Multiwan box > > | > > Area 1 > > / | \ > > Area 2 Area 3 Area 4 > > | | > Linux Box Linux Box > | | > ISP x ISP y > > My goal is for people in area 1-4 to all be able to use any of the connections to ISP 1-z and if one fails it passes the traffic through the network to an available route. Area 1-4 don't current have any linux hardware but it has been a long standing plan to put some in place in those areas as well so if that is required it could be done. These areas are all serviced by different small ISP's and would make acceptable alternate routes say if a backhual failed for some reason so that is the goal. > > Thanks for any input. 
From thelastmohican54 at gmail.com Thu Oct 11 10:05:51 2007
From: thelastmohican54 at gmail.com (mohican 542003)
Date: Thu Oct 11 10:06:12 2007
Subject: [LARTC] How to set MTU
Message-ID: <519f77360710110105p20bbe9f6j93edbb37d3478fc1@mail.gmail.com>

Hello,

I made some tests with HTB, and I usually set MTU to the default value of TCP_WMEM (that is 65536 for me).

I have this case:

               50 Mbits/s                              10 Mbits/s
A----------------------------------B---------------------------------------C

If A sends to B, bandwidth is about 50 Mbits/s.
If B sends to C, bandwidth is about 10 Mbits/s.

But if A sends to C, bandwidth is about 14 Mbits/s, instead of 10 Mbits/s.

I think perhaps the MTU should be different according to bandwidth? Does someone have an idea about this?

Here is my configuration:

On A:
tc class add dev eth0 parent 1: classid 1:2 htb rate 50000kbit ceil 50000kbit mtu 65536
tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip dst B flowid 1:2

On B:
tc class add dev eth0 parent 1: classid 1:2 htb rate 10000kbit ceil 10000kbit mtu 65536
tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip dst C flowid 1:2

On B, /proc/sys/net/ipv4/ip_forward = 1, and there is no link between A and C.

Thanks,

Olivier.

From gtaylor at riverviewtech.net Thu Oct 11 16:19:23 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Thu Oct 11 16:19:05 2007
Subject: [LARTC] Multipath Multirouter - Can it be done?
Message-ID: <470E30EB.80900@riverviewtech.net>

On 10/10/07 22:44, Tony Hagans wrote:
> Currently I have a setup that involves connections from several
> different providers ranging from 6 Mbit DSLs to 10 Mbit fractional
> DS3 connections tied together to provide multipath high availability
> internet in our area for schools and businesses. We recently
> extended our coverage to another area which has several other ISPs.
> The box that is doing multiwan right now is the only gateway for the
> entire network and for some sites it is several hops back to that
> gateway. My goal is for us to purchase bandwidth in other locations,
> install a linux box and have multiple gateways available, but I think
> this is easier said than done. I will diagram this as best I can for
> you in current and future setup modes.

...

> My goal is for people in area 1-4 to all be able to use any of the
> connections to ISP 1-z and if one fails it passes the traffic through
> the network to an available route. Area 1-4 don't currently have any
> linux hardware but it has been a long standing plan to put some in
> place in those areas as well so if that is required it could be done.
> These areas are all serviced by different small ISPs and would make
> acceptable alternate routes say if a backhaul failed for some reason
> so that is the goal.

Like Alex said, I think you need at least an interior routing protocol. I'd also recommend that you look into getting your own address space from your regional provider. Ideally you would get multiple if not all of the ISPs to BGP advertise your address space out to the world. In addition to the world knowing the better / best routes into you depending on where the traffic is originating from, your network would know the better / best routes to take out to destinations with relation to your ingress / egress points.
Additionally as long as you are doing NATing much closer to the customer, or the customer is doing it themselves, you could have multiple routes to / from the customer without worrying about changing NAT IPs.

> Thanks for any input.

You are welcome.

Grant. . . .

From sewlist at gmail.com Thu Oct 11 17:17:02 2007
From: sewlist at gmail.com (the sew)
Date: Thu Oct 11 17:17:10 2007
Subject: [LARTC] ADSL channel bonding or Load balancing

Hi There,

We are currently using iproute2 for load balancing. However we need more upload speed as we load balance over 3 DSL lines. I've been looking for a way to combine the upload speed to make it faster. Found a site called www.upstreaminter.net where these guys bond the ADSL channels to improve uploads. Since downloading is a problem as it needs to know the IP address of the downloader, they use VPN to their existing infrastructure to improve download speeds to a single IP. I'm not interested in doing that though. Our company uses a lot of mail to our smarthost and the upload is only 256k on the 4Mbit line.

These guys are talking about using USB modems; some researching says your ISP must support MLPPP. Anyone with any experience bonding ADSL modems with a standard kernel and distro? Most *nix's come with RP-PPPoE, will this work?

Thanks
Sew

From gtaylor at riverviewtech.net Thu Oct 11 18:18:24 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Thu Oct 11 18:18:06 2007
Subject: [LARTC] ADSL channel bonding or Load balancing
Message-ID: <470E4CD0.7020505@riverviewtech.net>

On 10/11/07 10:17, the sew wrote:
> We are currently using iproute2 for load balancing. However we need more
> upload speed as we load balance over 3 DSL lines.

*nod*

> I've been looking for a way to combine the upload speed to make it
> faster.
> Found a site called www.upstreaminter.net where these guys
> bond the ADSL channels to improve uploads. Since downloading is a
> problem as it needs to know the IP address of the downloader, they use
> VPN to their existing infrastructure to improve download speeds to a
> single IP. I'm not interested in doing that though. Our company uses
> a lot of mail to our smarthost and the upload is only 256k on the
> 4Mbit line.

Now you are entering some more complex and interesting territory.

The problem you have with traditional load balancing that the LARTC suggests for SOHO users is that you have multiple external IP addresses. Thus any single stream is limited to the speed of the link that it is using.

If you are using multiple links from a single provider who is willing to work with you, you could do something like I did with the two 1.1 Mbps SDSL links that I have aggregated into one 2.2 Mbps link. I can easily, and routinely do, push and / or pull 1.9+ Mbps on a single ftp stream.

I have a small globally routable DMZ behind the two globally routable IPs for my SDSL links. My ISP has a router here on my premise and is using OSPF to load balance across the SDSL links. (A little ASCII drawing comes to mind.)

                                          :                        :
                           +--------+     :      +--------+        :
+-----+     +-----+        | SDSL 1 +------------+ SDSL 1 |        :   +------+
| LAN +-----| NAT +--------+ CPERTR |     :      | ISPRTR +------------+ INet |
+-----+     +-----+        | SDSL 2 +------------+ SDSL 2 |        :   +------+
                           +--------+     :      +--------+        :
             Your domain                  :      ISP domain        :

To recap, the following interfaces all have globally routable IP addresses:
- NAT outside
- CPE Router inside
- CPE Router SDSL 1 outside
- CPE Router SDSL 2 outside
- ISP Router SDSL 1 inside
- ISP Router SDSL 2 inside
- ISP Router INET outside

The only interfaces that have private IPs are the LAN and the NAT inside. As such the CPE Router and ISP Router load balance across the two SDSL links. The world sees my office as being from the NAT outside and does not give a darn about anything in between.
We even have OSPF set up to realize if one of the SDSL links goes down to re-route across the remaining link.

> These guys are talking about using USB modems; some researching says
> your ISP must support MLPPP.

I don't think the technology of the modem really matters all that much. However you will require support from your provider, be it PPP Multi-Link, or load balancing like I'm doing, or something similar.

> Anyone with any experience bonding ADSL modems with a standard
> kernel and distro?

Not specifically. Though, given a scenario like mine, I don't see why it would matter as long as you can get Equal Cost Multi-Path to work correctly.

My provider required that their own equipment be used on customer premise because they were using OSPF, an interior routing protocol, to my premise. So my ISP extended their premise to be located at my office so that the IRP stays within their control. Heh, it works and I get aggregated speeds and redundancy, so I'm not going to complain.

Seeing as how the CPE Router above is a Cisco 3640 I can't say anything for sure about Linux, but it should be able to do the job just fine.

> Most *nix's come with RP-PPPoE, will this work?

I don't know if RP-PPPoE will do PPP Multi-Linking or not. Though I don't think that it is an aspect of RP-PPPoE, but rather the underlying PPP implementation on your system. It is my understanding that RP-PPPoE just passes traffic from "over Ethernet" to your PPP daemon. So it is probably really up to your PPP daemon. Granted you will have to have your provider's support to be able to do this too.

Another option you could look into if you have access to a system with high speed (read OC-1 or better) internet access somewhere is tunnels. That is create an IP in IP or GRE tunnel from your external IP to a co-located system and then load balance across the tunnels and NAT at the co-located system.
Your router and the co-located system would need to know how to spread the bandwidth across the tunnels into you.

                                  :                   :
                 +--------+       :     +--------+    :
+-----+          | ADSL 1 +-------------+ ADSL 1 |    :    +------+    +------+
| LAN +----------+ CPENAT |       :     | ISPRTR +---------+ COLO +----+ INet |
+-----+          | ADSL 2 +-------------+ ADSL 2 |    :    +------+    +------+
                 +--------+       :     +--------+    :
           Your Domain            :   Shared Domain   :      Public Domain

In this scenario, you would set up a tunnel from the CPE NAT Router ADSL 1 outside to the COLO inside and from the CPE NAT Router ADSL 2 outside to the COLO inside. You would add a route to the COLO box via the ISP's upstream gateway to each ADSL connection and use the COLO box as your default gateways. I.e. the CPE NAT Router would have a routing table similar to this:

0.0.0.0/0  via the far end of tunnel 1
0.0.0.0/0  via the far end of tunnel 2

This way computers on your LAN will use the CPE NAT Router as their default gateway. The CPE NAT Router will really have two default gateways, the far end of the tunnels. The Co-Located box is what will really be doing the NATing for the LAN.

As far as subnets are concerned, this is what the network will look like.

+--------+     +--------+     +--------+
|        |     | ...1.2 +-----+ ...1.1 |     +------+
| ...0.x +-----+ ...0.1 |     | Global +-----+ INet |
|        |     | ...2.2 +-----+ ...2.1 |     +------+
+--------+     +--------+     +--------+

The CPE Router (that is not NATing) will use the Co-Located box tunnels as its two default gateways and know about the LAN and tunnel subnets. The CPE Router will have routes to the globally routable IP of the Co-Located box via the ISPs' upstream gateways but not use the ISPs' upstream gateways as default routes. The Co-Located box will use the tunnels as multiple routes to get to the LAN subnet and know about the tunnels and LAN subnet.

I know that this type of set up is extremely convoluted but will work and it will work without the support of the ISP(s). Heck, you could even use multiple different ISPs each with different layer 1 technology.
Thus you would really have redundancy in case one of the links goes down. You could even expand this model to include a second different co-located box to allow for even more redundancy.

(I'm going to shut up now.)

Grant. . . .

From gtaylor at riverviewtech.net Thu Oct 11 18:21:53 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Thu Oct 11 18:21:37 2007
Subject: [LARTC] ADSL channel bonding or Load balancing
In-Reply-To: <470E4CD0.7020505@riverviewtech.net>
References: <470E4CD0.7020505@riverviewtech.net>
Message-ID: <470E4DA1.6040601@riverviewtech.net>

On 10/11/07 11:18, Grant Taylor wrote:
> Another option you could look into if you have access to a system
> with high speed (read OC-1 or better) internet access somewhere is
> tunnels. That is create an IP in IP or GRE tunnel from your external
> IP to a co-located system and then load balance across the tunnels
> and NAT at the co-located system.

I would recommend that you not use an encrypting tunnel to reach the Co-Located box as you are dealing with traffic that is going to go across the internet at large anyway, just let it go out. However if you want to take this idea to connect multiple sites together, you obviously would want to consider encrypting VPNs.

Grant. . . .

From sewlist at gmail.com Thu Oct 11 20:12:58 2007
From: sewlist at gmail.com (the sew)
Date: Thu Oct 11 20:13:03 2007
Subject: [LARTC] ADSL channel bonding or Load balancing
In-Reply-To: <470E4DA1.6040601@riverviewtech.net>
References: <470E4CD0.7020505@riverviewtech.net> <470E4DA1.6040601@riverviewtech.net>

Hi Grant,

Thanks for all the info, I like your SDSL option with the OSPF, exactly what I would like.

Our situation is quite simple. Our ISP is Telkom, one main provider for our country; they will not touch anything other than the standard services they provide. No SDSL, only ADSL, with standard PPPoE. I guess I'm a bit stuck there.
I could do it to our co-location like you suggest, but that will add more costs to line rental where lines here are quite pricey. That would be a last resort for me.

I've seen the bonding in action, but haven't seen the configs as they kept it quite secret as it's a "new" thing. Looks like I'm gonna have to try this route on my own. I could not find much info on this. I will give it a try with 2 x USB modems and tell pppd to use multilinking and see if I can attach the device as one. I'm sure downloads will be the speed of a single DSL only, but upload should be double. I think I might get a bit stuck as they might do the bonding to a co-location like you said and just resell it, will give it a #!/bin/bash anyway.

Thanks again for your info
Sew.
From gtaylor at riverviewtech.net Thu Oct 11 20:42:33 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Thu Oct 11 20:42:19 2007
Subject: [LARTC] ADSL channel bonding or Load balancing
References: <470E4CD0.7020505@riverviewtech.net> <470E4DA1.6040601@riverviewtech.net>
Message-ID: <470E6E99.8070908@riverviewtech.net>

On 10/11/07 13:12, the sew wrote:
> Thanks for all the info, I like your SDSL option with the OSPF,
> exactly what I would like.

*nod* I like it too. :)

> Our situation is quite simple. Our ISP is Telkom, one main provider
> for our country; they will not touch anything other than the standard
> services they provide. No SDSL, only ADSL, with standard PPPoE. I
> guess I'm a bit stuck there. I could do it to our co-location like you
> suggest, but that will add more costs to line rental where lines here
> are quite pricey. That would be a last resort for me.

You can do the tunneling like I was referring to across anything that will carry IP, it does not have to be SDSL or any other form of connection in particular.

What do you mean by "... that will add more costs to line rental ..."? Are you trying to say that you pay for bandwidth, so you would be doubling what passes through your co-located box?

> I've seen the bonding in action, but haven't seen the configs as they
> kept it quite secret as it's a "new" thing. Looks like I'm gonna have
> to try this route on my own. I could not find much info on this. I
> will give it a try with 2 x USB modems and tell pppd to use
> multilinking and see if I can attach the device as one. I'm sure
> downloads will be the speed of a single DSL only, but upload should be
> double.
> I think I might get a bit stuck as they might do the bonding
> to a co-location like you said and just resell it, will give it a
> #!/bin/bash anyway.

I don't think you need to worry about using a USB modem per se, if the provider is using standard RFC 1483 (2684) (Multiprotocol Encapsulation over ATM Adaptation Layer 5) encapsulation to carry the ethernet frames back to the router. You could easily use an external ADSL ATM to Ethernet bridging modem without a problem.

Now if the provider is wanting to do something more special such that there are two different ATM connections with the ATM stack on the Linux system using the USB ADSL ATM modems, then yes you would need to use the USB modems. However I think it would be much more complex to try to multiplex across two different ATM connections without an intermediary IP layer.

With regards to PPP Multi-Linking, things have been standardized for a long time. Well as standardized as things can be when there is little call for it. Basically what is done is two separate PPP connections are made between the PPP daemons on each end where the PPP daemon knows that some traffic for a given logical interface will pass down both connections. The PPP daemon splits the traffic that it sends and combines the traffic that it receives. In short this is much like striping data (RAID 0) across two drives except that it is used for networking.

I think you will need to find out some more information to know what direction to go to get this to work. Ideally if your provider does support PPP Multi-Linking there is no reason (that I know of) why you could not use this across PPPoE. If more providers supported this, this would be a very good thing. Heck I think you can even get the PPP daemon to realize that one of the links is down and to fall back to the single link, thus you have some redundancy.

> Thanks again for your info

You are welcome.

Grant. . . .
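The tunnel-to-colo layout Grant described earlier in this thread (a GRE tunnel from each ADSL line to a co-located box, the two tunnel far ends as the CPE's default gateways, the LAN NATed at the colo), written out as an added example; this is not code from any of the original posts. Every address, interface name, routing-table number and subnet below is an assumption chosen for illustration. One detail the prose leaves implicit is handled explicitly: a single host route to the colo would push the outer packets of both tunnels down whichever ADSL line that route points at, so the CPE side routes on the outer source address with `ip rule` to keep each tunnel on its own line. The script prints the commands it would run and executes them only when APPLY=1 is set, so the output can be reviewed before it is run as root on either box.

```shell
#!/bin/sh
# Added example (not from the original posts): both ends of the
# GRE-tunnel layout discussed in this thread. LAN traffic is routed over
# two tunnels, one per ADSL line, to a co-located box that does the NAT.
# Every address, interface name, table number and subnet is an assumption.
#
#   LAN 192.168.0.0/24 -- CPE --[ADSL 1: 203.0.113.10, gw 203.0.113.1]--\
#                          \---[ADSL 2: 198.51.100.10, gw 198.51.100.1]--+-- COLO 192.0.2.1 -- INet
#   gre1 carries 10.0.1.0/30 over ADSL 1, gre2 carries 10.0.2.0/30 over ADSL 2

LAN_NET=192.168.0.0/24
COLO_IP=192.0.2.1        COLO_DEV=eth0            # colo's globally routable uplink
ADSL1_IP=203.0.113.10    ADSL1_GW=203.0.113.1     ADSL1_DEV=ppp0
ADSL2_IP=198.51.100.10   ADSL2_GW=198.51.100.1    ADSL2_DEV=ppp1

# Print each command; execute it too only when APPLY=1 (needs root).
run() {
    printf '%s\n' "$*"
    [ "${APPLY:-0}" = 1 ] && "$@"
    return 0
}

# CPE side: tunnels, per-line policy routing for the outer GRE packets,
# and a multipath default route whose next hops are the tunnel far ends.
cpe_config() {
    run ip tunnel add gre1 mode gre local "$ADSL1_IP" remote "$COLO_IP" ttl 64
    run ip tunnel add gre2 mode gre local "$ADSL2_IP" remote "$COLO_IP" ttl 64
    run ip addr add 10.0.1.2/30 dev gre1
    run ip addr add 10.0.2.2/30 dev gre2
    run ip link set gre1 up
    run ip link set gre2 up
    # A single host route to the colo would carry BOTH tunnels' outer
    # packets over whichever line it points at. Route on the outer source
    # address instead so each tunnel stays on its own ADSL line.
    run ip route add "$COLO_IP" via "$ADSL1_GW" dev "$ADSL1_DEV" table 101
    run ip route add "$COLO_IP" via "$ADSL2_GW" dev "$ADSL2_DEV" table 102
    run ip rule add from "$ADSL1_IP" table 101
    run ip rule add from "$ADSL2_IP" table 102
    # No default route via the ISP gateways: everything else goes through
    # the tunnels, balanced per destination/flow, not per packet.
    run ip route add default scope global \
        nexthop via 10.0.1.1 dev gre1 weight 1 \
        nexthop via 10.0.2.1 dev gre2 weight 1
    run sysctl -w net.ipv4.ip_forward=1
}

# Colo side: mirror tunnels, a multipath route back to the LAN, SNAT to
# the colo's public address, and GRE accepted only from the two known
# line addresses. GRE carries no authentication of its own, so without
# that filter anything that can reach COLO_IP could hand the colo packets
# that it would happily forward into the LAN.
colo_config() {
    run ip tunnel add gre1 mode gre local "$COLO_IP" remote "$ADSL1_IP" ttl 64
    run ip tunnel add gre2 mode gre local "$COLO_IP" remote "$ADSL2_IP" ttl 64
    run ip addr add 10.0.1.1/30 dev gre1
    run ip addr add 10.0.2.1/30 dev gre2
    run ip link set gre1 up
    run ip link set gre2 up
    run ip route add "$LAN_NET" \
        nexthop via 10.0.1.2 dev gre1 weight 1 \
        nexthop via 10.0.2.2 dev gre2 weight 1
    run iptables -A INPUT -p gre -s "$ADSL1_IP" -d "$COLO_IP" -j ACCEPT
    run iptables -A INPUT -p gre -s "$ADSL2_IP" -d "$COLO_IP" -j ACCEPT
    run iptables -A INPUT -p gre -j DROP
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$COLO_DEV" \
        -j SNAT --to-source "$COLO_IP"
    run sysctl -w net.ipv4.ip_forward=1
}

# Usage: sh tunnels.sh cpe   (on the CPE box)
#        sh tunnels.sh colo  (on the co-located box)
case "${1:-}" in
    cpe)  cpe_config ;;
    colo) colo_config ;;
esac
```

Two caveats a practitioner would want on top of this. Balancing is per destination (the kernel picks one next hop per route lookup), so a single stream still sees one line's worth of bandwidth, which matches Grant's point about traditional load balancing; the gain is across many concurrent streams. And the kernel will not notice a dead ADSL line on its own, because the gre devices stay "up" regardless of what happens underneath them, so the redundancy Grant mentions needs something outside this script to pull a next hop when a line fails. The GRE input filter only matches on source address, which keeps strangers from injecting into the LAN through the tunnel endpoint but does nothing against someone spoofing those two addresses; if that matters, Grant's remark about encrypting VPNs applies.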
From tony.hagans at coairnet.com Thu Oct 11 21:07:11 2007
From: tony.hagans at coairnet.com (Tony Hagans)
Date: Thu Oct 11 21:07:18 2007
Subject: [LARTC] Multipath Multirouter - Can it be done?
Message-ID: <8452edc7a7a4b7fc5d7227ce080e354e@coairnet.com>

Thanks for the input Grant, we have kicked around the idea of BGP or a similar method for the routing but the issue is that NAT takes place at the box doing the multiwan. We only have a few external IP addresses and all of our connections are from different vendors so they are spread across several different IP ranges. My first thought was to create tunnels between the machines at each location and put the tunnel adapters in a routing table with a prio > the local routing table. This would allow data to:

client --> main gateway --> routing table mpath to any gateway on the network --> internet as available

I have a feeling this would cause some very very bad problems with return paths and I don't know what would happen if a tunnel were to fail or something of that nature. The system is basically many many wireless repeaters, access points, and clients spread across about 60 square miles. It crosses 3 LATAs and is within range of at least 10 different ISPs who all use different providers. The idea was if we could, instead of bringing the traffic all back to where it goes now, be able to go wherever was closest/least busy/etc and hop on a DSL/Cable/Wireless/whatever we can pick up for cheap bandwidth, it would take some of the traffic from individuals doing whatever they do off the DS3 during the day for businesses and schools to make use of.

Tony

From gtaylor at riverviewtech.net Thu Oct 11 22:02:56 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Thu Oct 11 22:02:41 2007
Subject: [LARTC] Multipath Multirouter - Can it be done?
In-Reply-To: <8452edc7a7a4b7fc5d7227ce080e354e@coairnet.com>
References: <8452edc7a7a4b7fc5d7227ce080e354e@coairnet.com>
Message-ID: <470E8170.3020801@riverviewtech.net>

On 10/11/07 14:07, Tony Hagans wrote:
> Thanks for the input Grant, we have kicked around the idea of BGP or
> a similar method for the routing but the issue is that NAT takes
> place at the box doing the multiwan. We only have a few external IP
> addresses and all of our connections are from different vendors so
> they are spread across several different IP ranges. My first thought
> was to create tunnels between the machines at each location and put
> the tunnel adapters in a routing table with a prio > the local
> routing table. This would allow data to:

You are welcome.

Just because you are doing NATing at the core egress points instead of the edge ingress points does not mean that you cannot still use some sort of routing protocol. Do NATing where you are but use some sort of routing protocol that will keep all your routers in sync with each other. If you use some sort of routing protocol that includes connection state and possibly load, you could easily shift where traffic is routed out of your network based on load and / or availability. Your customers would talk to the upstream router that you direct them to use, which will then send the traffic out the appropriate way.

> client --> main gateway --> routing table mpath to any gateway on the
> network --> internet as available

Using some sort of routing protocol that includes load / cost of a particular connection, you could easily just let routers pick the best route to go out based on the routing protocol. Your routers that have a single connection would just do standard NATing. Your routers that have multiple connections would use the basic multipath routing described in the LARTC How-To. Use your routing protocols to pick which route to go out.

I would also make sure to educate each router to be aware of the subnets that the provider has.
There is no reason to ever go out provider B to get to a server on provider A's network unless the link with provider A is down.

It sounds like you don't have a bunch of IPs, say one for each client, but could you get extra IPs from each provider, say one IP for each router in your network from each provider? So if you had 5 providers, get 5 IPs from each, for a total of 25 IPs. If you could do this, you could have each router be able to connect directly to the links from each provider and load balance out with multipath routing if you so chose. Granted this would be dependent on your network structure and its capabilities. One advantage of this is that you would have more IPs to hide services behind. If one IP became black listed for some reason, you could shift traffic off of it and use another one without much hassle at all.

> I have a feeling this would cause some very very bad problems with
> return paths and I don't know what would happen if a tunnel were to
> fail or something of that nature. The system is basically many many
> wireless repeaters, access points, and clients spread across about 60
> square miles. It crosses 3 LATAs and is within range of at least 10
> different ISPs who all use different providers. The idea was if we
> could, instead of bringing the traffic all back to where it goes now,
> be able to go wherever was closest/least busy/etc and hop on a
> DSL/Cable/Wireless/whatever we can pick up for cheap bandwidth, it
> would take some of the traffic from individuals doing whatever they
> do off the DS3 during the day for businesses and schools to make use
> of.

I think this is possible to do. I think you will have better luck if you have traffic predominantly use the closest router and not try to load balance a given client across multiple providers but rather load balance by picking which provider a given client uses.
You could even use something as devious as VRRP and virtual routers to on the fly change which router was a given IP without requiring clients to re-configure anything. Granted you run a chance of in-progress sessions being messed up, but that is a problem you will have with just about any multipath setup where you are NATing at the core.

If you will provide more information on what your actual network topology is including if things are a layer 2 or layer 3 link and what subnets are where, I'll be glad to help.

Grant. . . .

From kflokos at gmail.com Thu Oct 11 22:54:47 2007
From: kflokos at gmail.com (Kostas Flokos)
Date: Thu Oct 11 22:54:52 2007
Subject: [LARTC] Problem with multiple ADSL lines
Message-ID: <1196d7620710111354p5301336cue87ae26926a587ac@mail.gmail.com>

Hi all,

I have managed to setup a Fedora 7 box with 3 ethernet cards and two ADSL modem/routers from different suppliers as LARTC recommends. I am able to direct traffic for specific internal IPs either to one or the other ADSL line. However, I am faced with two problems I am struggling for the solution:

1. I have opened a few ports on the ADSL router/firewalls to talk to internal hosts; say when someone hits http://myADSL1_IP I would redirect him to 192.168.0.10; while if someone hits http://myADSL2_IP I would redirect him to 192.168.0.20. If I have rules such as the following all works well:

ip rule add from 192.168.0.10 table ADSL1_rules
ip rule add from 192.168.0.20 table ADSL2_rules

Unfortunately, if I want to do the reverse it does not work. I can't have a host prefer one ADSL line, but still receive traffic from the other ADSL line. It may sound weird, but I only want to have one host reply to any of the two IPs, either from ISP1 or ISP2. With the current configuration I can't. It works ok for the default ISP of the host, but I can't make it work for the other.

2.
I tried using

ip route add equalize default scope global nexthop via myADSL1_IP dev eth2 weight 1 nexthop via myADSL2_IP dev eth1 weight 1

It doesn't seem to perform round robin for every request, more like it caches the route to use per host. Is it possible to force a real round robin or (better) weighted routing without resorting to a new kernel - as suggested in the article? I think I've seen recent threads saying that it is no longer necessary to create a new kernel.

Thank you in advance for your help
Kostas

From mbe_ml at swiss-wireless.com.ar Fri Oct 12 01:48:04 2007
From: mbe_ml at swiss-wireless.com.ar (Beat Meier)
Date: Fri Oct 12 01:48:25 2007
Subject: [LARTC] Filtering RTP/SIP protocol (Voip)?
Message-ID: <470EB634.2050108@swiss-wireless.com.ar>

Hello

How can I filter (i.e. prioritize) RTP protocol and SIP? Has anybody written a filter for that in the meantime (in 2006 there was no answer from the list ...)

Thanks
Beat

From salim.si at cipherium.com.tw Fri Oct 12 03:52:06 2007
From: salim.si at cipherium.com.tw (Salim S I)
Date: Fri Oct 12 03:52:42 2007
Subject: [LARTC] Filtering RTP/SIP protocol (Voip)?
In-Reply-To: <470EB634.2050108@swiss-wireless.com.ar>
Message-ID: <000501c80c72$821f17e0$5964a8c0@SalimSi>

SIP is pretty easy. Normally it uses port 5060. But prioritizing this port's traffic won't enhance the overall voice quality. RTP ports are decided dynamically during the SIP handshake. To filter the RTP protocol from packet patterns will delay the traffic. So using port numbers is the easier way, BUT, you need to find out these ports from the SIP handshake messages. How to prioritize depends on your setup's capabilities.
From mohan.tux at gmail.com Fri Oct 12 05:21:32 2007
From: mohan.tux at gmail.com (Mohan Sundaram)
Date: Fri Oct 12 05:21:56 2007
Subject: [LARTC] Problem with multiple ADSL lines
In-Reply-To: <1196d7620710111354p5301336cue87ae26926a587ac@mail.gmail.com>
References: <1196d7620710111354p5301336cue87ae26926a587ac@mail.gmail.com>
Message-ID: <470EE83C.40602@vsnl.com>

Kostas Flokos wrote:
> Hi all,
> I have managed to setup a Fedora 7 box with 3 ethernet cards and two
> ADSL modem/routers from different suppliers as LARTC recommends. I am
> able to direct traffic for specific internal IPs either to one or the
> other ADSL line. However, I am faced with two problems I am struggling
> for the solution:
>
> 1. I have opened a few ports on the ADSL router/firewalls to talk to
> internal hosts; say when someone hits http://myADSL1_IP I would redirect
> him to 192.168.0.10; while if someone hits
> http://myADSL2_IP I would redirect him to 192.168.0.20.

This is your ADSL router(s) config.

> If I have rules such as the following all works well:
> ip rule add from 192.168.0.10 table ADSL1_rules
> ip rule add from 192.168.0.20 table ADSL2_rules

These are rules on your linux machine to send traffic back on the same link they came from.

> Unfortunately, if I want to do the reverse it does not work. I can't
> have a host prefer one ADSL line, but still receive traffic from the
> other ADSL line.
This can be done by switching the rule table above. Obviously NAT is being used. However, this will break. You cannot initiate a connection to one IP and match the reply or ack for that connection from another IP. TCP/IP basics. Asymmetric routing works when no address translations take place.

> It may sound weird, but I only want to have one host
> reply to any of the two IPs, either from ISP1 or ISP2. With the current
> configuration I can't. It works ok for the default ISP of the host, but
> I can't make it work for the other.

One way of doing this would be:
1. Set the routers to bridge mode.
2. Assign the ISP IPs to the NICs.
3. Source NAT rules use ISP1_IP and routing rule redirects it to link connected to ISP2. Flip similarly for ISP1.

Let us hope your ISP2 does not filter out traffic having source outside his subnet when it arrives from within.

Mohan

From mohan.tux at gmail.com Fri Oct 12 05:25:52 2007
From: mohan.tux at gmail.com (Mohan Sundaram)
Date: Fri Oct 12 05:26:10 2007
Subject: [LARTC] Filtering RTP/SIP protocol (Voip)?
In-Reply-To: <000501c80c72$821f17e0$5964a8c0@SalimSi>
References: <000501c80c72$821f17e0$5964a8c0@SalimSi>
Message-ID: <470EE940.7060103@vsnl.com>

Salim S I wrote:
> SIP is pretty easy. Normally it uses port 5060. But prioritizing this
> port's traffic won't enhance the overall voice quality.
> RTP ports are decided dynamically during the SIP handshake. To filter the RTP
> protocol from packet patterns will delay the traffic. So using port
> numbers is the easier way, BUT, you need to find out these ports from the SIP
> handshake messages.
> How to prioritize depends on your setup's capabilities.
>

Correct. However, some conntrack modules are available for such dual port (negotiated data port) protocols like ftp. Need to see if one exists for SIP. If so, iptables can be used to mark SIP data connections and the mark can be used for traffic classification. Search netfilter.org mailing lists please.
Mohan

From kflokos at gmail.com Fri Oct 12 08:13:48 2007
From: kflokos at gmail.com (Kostas Flokos)
Date: Fri Oct 12 08:14:28 2007
Subject: [LARTC] Problem with multiple ADSL lines
In-Reply-To: <470EE83C.40602@vsnl.com>
References: <1196d7620710111354p5301336cue87ae26926a587ac@mail.gmail.com> <470EE83C.40602@vsnl.com>
Message-ID: <1196d7620710112313h7eae9595p748d14387249c86e@mail.gmail.com>

Hi Mohan,

Thanks a lot for your reply. I haven't tried it yet, but I have no doubts it will work.

However, if you have time, could you please explain to me why a request received from IP1 by host H1, having as default route IP2, cannot be routed through IP1; I have a routing table saying that the route to IP1 is through the proper eth card. I have used tcpdump to check the packets coming in/out from the systems and it seems that there is a packet going from ADSL1 to H1, but nothing on the other way... it seems like H1 doesn't know what to do with it.

Could you please explain (or point me to URLs explaining that) why it will change if I set the modems to bridge mode? I still want to do NAT, will it change if I do it from the Linux router now?

I also do not understand what you imply with "3. Source NAT rules use ISP1_IP and routing rule redirects it to link connected to ISP2. Flip similarly for ISP1." Could you be a bit more descriptive?

Forgive me for being a bit ignorant of all that; possibly I'm trying to understand too much without basic technical background on routing, etc.

One more time, thanks a lot for your help.

Regards,
Kostas

--
bus-email: kflokos@upcom.eu
priv-email: kflokos@gmail.com
web: http://www.upcom.eu
GSM: +30-693-8415038

From jayeshleo at gmail.com Fri Oct 12 08:17:58 2007
From: jayeshleo at gmail.com (Jayesh Agrawal)
Date: Fri Oct 12 08:18:04 2007
Subject: [LARTC] Packet Interception

Hello!

In the earlier mail I think I was not clear... Actually the following are my requirements:

1) Our requirement is to capture all packets originating from/destined to a particular machine. This also includes ping packets to the same machine/localhost, i.e. at machine A we want to also capture packets originating from say machine A and destined to machine A (these probably do not go to the data link layer).

2) We want to experiment with the behavior by adding delays to those packets, and that is why we want the actual packet; a copy of the packet won't serve the purpose.

3) We are open to listening at whatever layer (data link/network), so how can we achieve this functionality?
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20071012/76f672ee/attachment.html From mohan.tux at gmail.com Fri Oct 12 09:00:31 2007 From: mohan.tux at gmail.com (Mohan Sundaram) Date: Fri Oct 12 09:00:50 2007 Subject: [LARTC] Problem with multiple ADSL lines In-Reply-To: <1196d7620710112313h7eae9595p748d14387249c86e@mail.gmail.com> References: <1196d7620710111354p5301336cue87ae26926a587ac@mail.gmail.com> <470EE83C.40602@vsnl.com> <1196d7620710112313h7eae9595p748d14387249c86e@mail.gmail.com> Message-ID: <470F1B8F.9010406@vsnl.com> Kostas Flokos wrote: > Hi Mohan, > > Thanks a lot for your reply. I haven't tried it yet, but I have no > doubts it will work. > > However, if you have time, could you please explain to me why a request > received from IP1 by host H1, having as default route IP2, can not be > routed through IP1; I have a routing table saying that the route to IP1 > is through the proper eth card. > I have used tcpdump to check the packets coming/in/out from the systems > and it seems that there is a packet going from ADSL1 to H1, but nothing > on the other way... it seems like H1 doesn't know what to do with it. > Does the packet from H1 reach the Linux box? Coming to think of it, you must have a route on each of the ADSL routers that shows 192.168.0.0/24 as reachable thro' the Linux box. Think this is ok else packet will not reach H1. Similarly, the host H1 must've the Linux box as default gateway. > Could you please explain (or point me to URLs explaining that) why it > will change if I set the modems to bridge mode? Not all ADSL modems support bridging. Please check that out first. > I still want to do NAT, > will it change if I do it from the Linux router now? > Most routers NAT with their external IP and user normally has no control. Thus if you receive a request on ADSL1_IP which goes to H1 and the reply goes out thro' ISP2, the src of the reply will be ADSL2_IP due to natting. The initiator will only accept a reply with src ADSL1_IP. 
If you set the modems to bridge mode, you can do the NATting on the Linux box, where you can NAT with ADSL1_IP and still send the packet out thro' ISP2. Linux has a great deal of flexibility here.

> I also do not understand what you imply with
> "3. Source NAT rules use ISP1_IP and routing rule redirects it to link connected to ISP2. Flip similarly for ISP1."
> Could you be a bit more descriptive?

Linux Router config:

Dst NAT http on ADSL1_IP goes to H1
Dst NAT http on ADSL2_IP goes to H2
Source NAT src H1 to ADSL1_IP
Source NAT src H2 to ADSL2_IP
ip rule add from ADSL1_IP table ADSL2_rules
ip rule add from ADSL2_IP table ADSL1_rules
ADSL1_rules default gw is ISP1.
ADSL2_rules default gw is ISP2.

H1 receives all requests that come in on ADSL1_IP. The reply from H1 for a request arriving on ADSL1 goes out thro' ISP2 as desired, but with the right source IP, i.e. ADSL1_IP. From your mail, it seemed like you were wanting to do this. Your original config was sending replies out thro' the same i/f they arrived on.

> Forgive me for being a bit ignorant of all that; possibly I'm trying to understand too much without basic technical background on routing, etc.

We were all there at a point of time. No need to apologize. It may also not be true that you do not know. We may be failing in communication too.

> One more time, thanks a lot for your help.

You are welcome.

> Regards,
> Kostas

From agi at fs3.ph Fri Oct 12 04:49:47 2007
From: agi at fs3.ph (Alec Joseph Rivera)
Date: Fri Oct 12 13:26:58 2007
Subject: [LARTC] load balance switching latency
Message-ID: <1192157387.5678.18.camel@gravitas.fs3.ph>

Hello there.

I am setting up a router using openwrt. Part of the project is load balancing among 2 broadband lines. I made use of the line:

ip route add default scope global \
    nexthop via {GW1} dev {IF1} weight 1 \
    nexthop via {GW2} dev {IF2} weight 1

somewhere in the configs. In the test phase, automatically switching (routing) to line GW2 when line GW1 is suddenly disconnected takes a long time. I'm thinking that the routing still tries to send to GW1 even though it's dead.

a. Is there a way around this?
b. Does routing react differently to carrier loss (unplugging the cable) than to a fully loaded line?

Any thoughts? Thanks...

--
Alec Joseph Rivera
F S 3 Consulting Inc.
http://www.fs3.ph
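The following is an added example written for this archive page; it is not a script posted by Mohan, Kostas or anyone else in the thread. It writes out the Linux-router side of the recipe Mohan gives above (both modems in bridge mode, both public addresses on the Linux box, port 80 on each public address forwarded to its own host, and the "swap" that makes H1 answer via ISP2 while keeping ADSL1_IP as its source). Interface names, the RFC 5737 addresses, the /24 prefixes and the table numbers 101/102 are assumptions for illustration. Two practitioner caveats are built in: the policy rules select on the internal addresses, because the routing decision is taken before SNAT in POSTROUTING rewrites the source, so a rule "from ADSL1_IP" would never match forwarded packets from H1; and strict reverse-path filtering is switched off on the uplinks, since replies leave by a different link than the request arrived on. Mohan's warning still stands: if ISP2 drops packets whose source lies outside its own range, the cross configuration cannot work.

```shell
#!/bin/sh
# Added example, not code posted in this thread. It writes out the Linux
# router side of Mohan's recipe: both ADSL modems bridged, both public
# addresses on the Linux box, H1 reachable on ADSL1_IP but answering via
# ISP2 and H2 the other way round. Interface names, addresses, networks and
# table numbers are assumptions for illustration.
set -u

WAN1_IF=eth1; WAN1_IP=203.0.113.10;  WAN1_NET=203.0.113.0/24;  WAN1_GW=203.0.113.1   # ISP1, "ADSL1_IP"
WAN2_IF=eth2; WAN2_IP=198.51.100.10; WAN2_NET=198.51.100.0/24; WAN2_GW=198.51.100.1  # ISP2, "ADSL2_IP"
H1=192.168.0.10
H2=192.168.0.20
T1=101   # "ADSL1_rules": default via ISP1
T2=102   # "ADSL2_rules": default via ISP2

# DRY_RUN=1 (default) prints every command for review; DRY_RUN=0 runs them (as root).
DRY_RUN=${DRY_RUN:-1}
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

sysctls() {
    run sysctl -w net.ipv4.ip_forward=1
    # Requests arrive on one uplink and the replies leave by the other, so a
    # strict reverse-path check on the uplinks would discard the traffic.
    for dev in "$WAN1_IF" "$WAN2_IF"; do
        run sysctl -w "net.ipv4.conf.$dev.rp_filter=0"
    done
}

routing_tables() {
    # One table per uplink: its connected network plus its own default route.
    run ip route flush table "$T1"
    run ip route add "$WAN1_NET" dev "$WAN1_IF" src "$WAN1_IP" table "$T1"
    run ip route add default via "$WAN1_GW" dev "$WAN1_IF" table "$T1"
    run ip route flush table "$T2"
    run ip route add "$WAN2_NET" dev "$WAN2_IF" src "$WAN2_IP" table "$T2"
    run ip route add default via "$WAN2_GW" dev "$WAN2_IF" table "$T2"
}

# "same": answer on the link the request came in on (Kostas's working rules).
# "cross": H1 answers via ISP2 and H2 via ISP1 (the swap Mohan describes).
# The selectors are the internal addresses, not the public ones: the
# routing decision is made before SNAT in POSTROUTING rewrites the source,
# so a rule "from ADSL1_IP" never matches forwarded packets from H1.
policy_rules() {
    case "$1" in
        same)  run ip rule add from "$H1" table "$T1"
               run ip rule add from "$H2" table "$T2" ;;
        cross) run ip rule add from "$H1" table "$T2"
               run ip rule add from "$H2" table "$T1" ;;
        *)     echo "usage: policy_rules same|cross" >&2; return 1 ;;
    esac
    run ip route flush cache
}

nat_rules() {
    # Port 80 on each public address is forwarded to its own host. conntrack
    # undoes the DNAT on the replies, so they carry the public address they
    # were sent to whichever uplink they leave by.
    run iptables -t nat -A PREROUTING -i "$WAN1_IF" -d "$WAN1_IP" -p tcp --dport 80 -j DNAT --to-destination "$H1"
    run iptables -t nat -A PREROUTING -i "$WAN2_IF" -d "$WAN2_IP" -p tcp --dport 80 -j DNAT --to-destination "$H2"
    # Connections the hosts open themselves keep "their" public address even
    # when the policy rules send them out the other uplink.
    run iptables -t nat -A POSTROUTING -s "$H1" -j SNAT --to-source "$WAN1_IP"
    run iptables -t nat -A POSTROUTING -s "$H2" -j SNAT --to-source "$WAN2_IP"
}

configure() {
    sysctls
    routing_tables
    policy_rules "$1"
    nat_rules
}

# Usage: sh dualwan.sh            -> print the "cross" configuration
#        sh dualwan.sh apply same -> execute the "same" configuration
if [ "${1:-}" = apply ]; then DRY_RUN=0; fi
configure "${2:-cross}"
```

Run it without arguments first and read the printed commands; only then run it with `apply`. To confirm the swap is in effect, fetch http://ADSL1_IP/ from outside while running `tcpdump -ni eth2 host 203.0.113.10` on the router: the SYN/ACK from H1 should appear on the ISP2 interface with ADSL1_IP as its source. If it does not show up at the remote end, ISP2 is filtering foreign sources, which is exactly the failure Mohan anticipates.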
From default at advaita.sytes.net Fri Oct 12 14:10:29 2007
From: default at advaita.sytes.net (John Default)
Date: Fri Oct 12 14:11:35 2007
Subject: [LARTC] Packet Interception
In-Reply-To:
References:
Message-ID: <470F6435.3080605@advaita.sytes.net>

Hi.

Jayesh Agrawal wrote:
> Hello!
>
> In the earlier mail I think I was not clear... Actually the following are my requirements:
>
> 1) Our requirement is to capture all packets originating from/destined to a particular machine. This also includes ping packets to the same machine/localhost, i.e. at machine A we want to also capture packets originating from, say, machine A and destined to machine A (these probably do not go to the data link layer).

Did you consider using iptables -j QUEUE? Maybe it would be possible with that (even if you want to delay loopback packets).
http://www.crhc.uiuc.edu/~grier/projects/libipq.html

> 2) We want to experiment with the behavior by adding delays to those packets, and that is why we want the actual packet; a copy of the packet won't serve the purpose.

But I saw a warning that when you delay for too long, the queue may fill up and you start to lose packets.

> 3) We are open to listening at whatever layer (datalink/network), so how can we achieve this functionality?

You were right, loopback packets aren't seen in pcap, only things going through some interface.

--
___________________________________
S pozdravom / Best regards
John Default

From mnhassan at usa.net Fri Oct 12 23:05:45 2007
From: mnhassan at usa.net (Nyamul Hassan)
Date: Fri Oct 12 23:05:49 2007
Subject: [LARTC] IPSec & Null Encryption
Message-ID: <114e01c80d13$abb5feb0$625a983b@isprossrv02>

Hi,

Is it possible to use "null encryption" in the IPSec protocol?

Regards
HASSAN

From alex at samad.com.au Fri Oct 12 23:32:09 2007
From: alex at samad.com.au (Alex Samad)
Date: Fri Oct 12 23:32:19 2007
Subject: [LARTC] scraping data from tc rules
Message-ID: <20071012213209.GL6456@samad.com.au>

Hi

Currently I use snmp to scrape information from my router about its interfaces. Does anyone have an easy way of scraping information from tc rules to place into an rrd db? Do I need to put together a perl script to extract it from the output?

Alex

From mbe_ml at swiss-wireless.com.ar Fri Oct 12 23:43:59 2007
From: mbe_ml at swiss-wireless.com.ar (Beat Meier)
Date: Fri Oct 12 23:44:16 2007
Subject: [LARTC] Why not qos for downloading stream??
Message-ID: <470FEA9F.6020707@swiss-wireless.com.ar>

Hi there

Simple question :-)
Why are there always only qos examples for the upload and not the download stream of adsl?

I have a linux router which shares one adsl link, 512kbps download 128kbps upload, among 5 wireless "customers", my neighbours and me... Now does it make sense to do qos on the linux router for download for us? Say if someone is using ssh from outside... So I tried to apply example 15.10 of the Cookbook of the lartc howto on the linux router... I have for every neighbour a class which limits its traffic to 128kbps and below that I added the whole tree of example 15.10 on the router... Or does it make more sense to do this on the ap with ingress? I have a full linux ap router for each neighbour.

Now comes the filtering and I was wondering
1. if it makes sense, i.e. if it helps us when the download speed is at the limit to prioritize ssh, voip etc.
2. what the cpu load will be if you have not only 5 connected clients but say 30, and a lot of filter rules, i.e. each customer needs his full filter set...

Has anybody such a thing in production or is it "useless"?

Greetings
Beat

From sawar at interia.pl Sat Oct 13 00:10:02 2007
From: sawar at interia.pl (sAwAr)
Date: Sat Oct 13 00:10:10 2007
Subject: [LARTC] Weird problem with maximum upload speed on Windows
Message-ID: <20071012221003.05A0712390B@f44.poczta.interia.pl>

Hello,

I have had a very big problem since last Friday. I noticed that clients with Windows can't upload faster than ~140kB/s on one connection (ftp, http). It's quite weird because when I do exactly the same test (the same server, time, computer, client ip address, even switch and port) but on Linux the upload speed is much bigger. Very interesting is that this is always something about 140KB/s. Does somebody have any suggestions or possible solutions for this?

Thanks in advance

Regards
Szymon Turkieiwcz

From andreas at stapelspeicher.org Sat Oct 13 03:13:28 2007
From: andreas at stapelspeicher.org (Andreas Mueller)
Date: Sat Oct 13 03:13:43 2007
Subject: [LARTC] Why not qos for downloading stream??
In-Reply-To: <470FEA9F.6020707@swiss-wireless.com.ar>
References: <470FEA9F.6020707@swiss-wireless.com.ar>
Message-ID: <20071013011328.GA29844@lintera>

Hi,

Beat Meier wrote:
> Hi there
>
> Simple question :-)
> Why are there always only qos examples for the upload and not the download stream of adsl?

The packets are already on your router, so why slow down the routing? You cannot hinder anyone from sending you data, but you can control the asking for more incoming traffic. (The case here is a "slow" internet connection.)

[...]
> Now comes the filtering and I was wondering
> 1. if it makes sense, i.e.
> if it helps us when the download speed is at the limit to prioritize ssh, voip etc.
> 2. what the cpu load will be if you have not only 5 connected clients but say 30, and a lot of filter rules, i.e. each customer needs his full filter set...
[...]

That's how I would argue on the other questions with a "no". (Btw., afaik the traffic of 5 or 30 people would not fully load a 200MHz mipsel router on this line, but effectively shaping for low latency (voip) could be hard to deal with on that line.)

Bye,
Andreas.

From mohan.tux at gmail.com Sat Oct 13 04:46:55 2007
From: mohan.tux at gmail.com (Mohan Sundaram)
Date: Sat Oct 13 04:47:15 2007
Subject: [LARTC] Why not qos for downloading stream??
In-Reply-To: <470FEA9F.6020707@swiss-wireless.com.ar>
References: <470FEA9F.6020707@swiss-wireless.com.ar>
Message-ID: <4710319F.2070201@vsnl.com>

Beat Meier wrote:
> Hi there
>
> Simple question :-)
> Why are there always only qos examples for the upload and not the download stream of adsl?

QoS works on packet queuing at the interface level. We can only queue what we send out, or police/rate limit what we receive. On edge devices, normally, an incoming stream on one interface translates to one or more outgoing streams on other interfaces. Thus applying QoS on an egress interface is equivalent to doing QoS on the ingress interface. TCP/IP slows down automatically when some congestion occurs. The above does not hold true for UDP/ICMP and that is why these are commonly rate limited at ingress.

> I have a linux router which shares one adsl link, 512kbps download 128kbps upload, among 5 wireless "customers", my neighbours and me...
> Now does it make sense to do qos on the linux router for download for us?
> Say if someone is using ssh from outside...
> So I tried to apply example 15.10 of the Cookbook of the lartc howto on the linux router...
> I have for every neighbour a class which limits its traffic to 128kbps and below that I added the whole tree of example 15.10 on the router...
> Or does it make more sense to do this on the ap with ingress? I have a full linux ap router for each neighbour.

Shape outgoing traffic on the interface that faces each customer.

Mohan

From tim at timg.ws Sun Oct 14 15:07:10 2007
From: tim at timg.ws (Tim Groeneveld)
Date: Sun Oct 14 15:07:47 2007
Subject: [LARTC] Routing public IP's through a gateway
Message-ID: <200710142307.12127.tim@timg.ws>

Greetings all,

I have a bit of a complicated question.

I have two ethernet devices, eth1 and eth2.

eth1 is where my internet comes from. It is in the form of 202.172.122.208/29. It has another IP range, 202.172.122.72/29. What I want to be able to do is route 202.172.122.72/29 to eth2, so that other machines can use those IPs. Any ideas on how to do this? I cannot work out how to do this.

eth2 has a DHCP server, which only gives out IPs 202.172.122.74 to 202.172.122.76.

eth1 is basically just hooked into my internet router, while eth2 is hooked into a switch, and will be used for other computers.

If anyone could help me with this setup, I would more than appreciate it.

Thank you very much,

- Tim Groeneveld

--
Need hosting for your next Open Source project? Why not try ShareSource?
www.sharesource.org

From alex at samad.com.au Sun Oct 14 22:47:37 2007
From: alex at samad.com.au (Alex Samad)
Date: Sun Oct 14 22:47:59 2007
Subject: [LARTC] Routing public IP's through a gateway
In-Reply-To: <200710142307.12127.tim@timg.ws>
References: <200710142307.12127.tim@timg.ws>
Message-ID: <20071014204737.GR6456@samad.com.au>

On Sun, Oct 14, 2007 at 11:07:10PM +1000, Tim Groeneveld wrote:
> Greetings all,
>
> I have a bit of a complicated question.
>
> I have two ethernet devices, eth1 and eth2.
> eth1 is where my internet comes from. It is in the form of 202.172.122.208/29. It has another IP range, 202.172.122.72/29. What I want to be able to do is route 202.172.122.72/29 to eth2, so that other machines can use those IPs. Any ideas on how to do this? I cannot work out how to do this.

You haven't made it too clear what exactly you are trying to do; from what I gather this should work on your linux box:

ip route add 202.172.122.72/29 dev eth2

Does your isp route 202.172.122.72/29 to you?

> eth2 has a DHCP server, which only gives out IPs 202.172.122.74 to 202.172.122.76.
>
> eth1 is basically just hooked into my internet router, while eth2 is hooked into a switch, and will be used for other computers.
>
> If anyone could help me with this setup, I would more than appreciate it.
>
> Thank you very much,
>
> - Tim Groeneveld

From mbe_ml at swiss-wireless.com.ar Sun Oct 14 23:44:04 2007
From: mbe_ml at swiss-wireless.com.ar (Beat Meier)
Date: Sun Oct 14 23:44:28 2007
Subject: [LARTC] QOS ip filter does not work with 2 queues below top level queue ...
Message-ID: <47128DA4.7070805@swiss-wireless.com.ar>

Hello

First, thanks for the answers I have received from the list!!

I now have a working qos configuration which is based on the lartc howto chapter 15.10. One problem I have is that I have limited the upload stream to 100kbps because my upstream is only 128kbps. Everything works fine EXCEPT VoIP.

I have a VoIP phone which is connected on the same net as the adsl modem BUT does not use the upstream; it goes to the public phone line, not the internet, i.e. VoIP is only in my internal network. Now what I try is to have 2 queues below the top level:
- one for internet connections (1:1)
- one for the voip phone (1:2)

I don't have 2 interfaces in my embedded linux platform so I cannot route separately :-(

What I've tried is:

### Normal stuff
tc qdisc add dev eth0 root handle 1: htb default 15
tc class add dev eth0 parent 1: classid 1:1 htb rate 100kbit ceil 100kbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 33kbit ceil 33kbit prio 0
...
### Additional second queue at "toplevel"
tc class add dev eth0 parent 1: classid 1:2 htb rate 10mbps ceil 10mbps
tc class add dev eth0 parent 1:2 classid 1:99 htb rate 100kbit ceil 100kbit prio 0
### Add filter for the VoIP phone by its ip address
tc filter add dev eth0 parent 1:0 protocol ip prio 7 u32 match ip dst 192.168.99.240/32 flowid 1:99
tc filter add dev eth0 parent 1:0 protocol ip prio 7 u32 match ip src 192.168.99.240/32 flowid 1:99

What does not work are the filters... The packets don't go to class 1:99; they still go to the default one, which is 1:15...

BTW: The packets are udp, but this should be matched with ip, or not?

What do I do wrong?

Thanks for any help

Beat

From mohan.tux at gmail.com Mon Oct 15 04:47:53 2007
From: mohan.tux at gmail.com (Mohan Sundaram)
Date: Mon Oct 15 04:48:11 2007
Subject: [LARTC] Routing public IP's through a gateway
In-Reply-To: <20071014204737.GR6456@samad.com.au>
References: <200710142307.12127.tim@timg.ws> <20071014204737.GR6456@samad.com.au>
Message-ID: <4712D4D9.6090409@vsnl.com>

Alex Samad wrote:
> On Sun, Oct 14, 2007 at 11:07:10PM +1000, Tim Groeneveld wrote:
>> eth1 is where my internet comes from. It is in the form of 202.172.122.208/29. It has another IP range, 202.172.122.72/29. What I want to be able to do is route 202.172.122.72/29 to eth2, so that other machines can use those IPs. Any ideas on how to do this? I cannot work out how to do this.
> You haven't made it too clear what exactly you are trying to do; from what I gather this should work on your linux box

*cannot agree more*. Topology and a better expression of the scenario requiring this always helps. This may be a convoluted solution to a simple problem. I must add we are operating in a relative vacuum here.

> ip route add 202.172.122.72/29 dev eth2
>
> Does your isp route 202.172.122.72/29 to you?
>
>> eth2 has a DHCP server, which only gives out IPs 202.172.122.74 to 202.172.122.76.

Seems to be outside the subnet cited. *.72/29 is .72-.75.* Only 2 addresses can be served on DHCP from a subnet of 4.

>> eth1 is basically just hooked into my internet router, while eth2 is hooked into a switch, and will be used for other computers.
>>
>> If anyone could help me with this setup, I would more than appreciate it.

You seem to want to use public IP addresses as against mapping public to private addresses. If so, why not just connect the router to the switch and connect all computers to the switch? It will also be better to get a combined /28 subnet. No private addresses? No need for a firewall? I would use the Linux machine to map the public addresses to private addresses for specific services to a DMZ.
Mohan

From mohan.tux at gmail.com Mon Oct 15 04:50:33 2007
From: mohan.tux at gmail.com (Mohan Sundaram)
Date: Mon Oct 15 04:51:02 2007
Subject: [LARTC] Routing public IP's through a gateway
In-Reply-To: <4712D4D9.6090409@vsnl.com>
References: <200710142307.12127.tim@timg.ws> <20071014204737.GR6456@samad.com.au> <4712D4D9.6090409@vsnl.com>
Message-ID: <4712D579.9000109@vsnl.com>

Mohan Sundaram wrote:
> Alex Samad wrote:
>> ip route add 202.172.122.72/29 dev eth2
>>
>> Does your isp route 202.172.122.72/29 to you?
>>
>>> eth2 has a DHCP server, which only gives out IPs 202.172.122.74 to 202.172.122.76.
> Seems to be outside the subnet cited. *.72/29 is .72-.75.* Only 2 addresses can be served on DHCP from a subnet of 4.

Please ignore. I'm wrong. Early morning fogginess.

Mohan

From tim at timg.ws Mon Oct 15 14:14:44 2007
From: tim at timg.ws (Tim Groeneveld)
Date: Mon Oct 15 14:15:03 2007
Subject: [LARTC] Routing public IP's through a gateway
In-Reply-To: <200710142307.12127.tim@timg.ws>
References: <200710142307.12127.tim@timg.ws>
Message-ID: <200710152214.46148.tim@timg.ws>

On Sunday 14 October 2007 11:07:10 pm Tim Groeneveld wrote:
> [...]

To extend what I have tried to say further:

My ISP has given me two IP ranges, 202.172.122.208/29 and 202.172.122.72/29. They are unable to give me any larger IP ranges for some lame excuse, which I am sure was written by the BOfH.

Does your isp route 202.172.122.72/29 to me? Why yes it does. It routes this IP through the gateway 202.172.122.209. If I want to give a machine an IP in 202.172.122.72/29, this is what I need:

> A machine already in the 202.172.122.208/29 IP range.
> ip route add 202.172.122.72/29 via 202.172.122.209 dev eth1
> ifconfig eth1 202.172.122.73 netmask 255.255.255.248

(where on this machine, eth1 is hooked into my router).

What I would like is a gateway machine, which will use eth2 to provide a gateway for other machines to assign themselves .72/29 IPs, *without* the need for 202.172.122.209 to be in the route table. So, there would be *one* gateway machine. This gateway machine has (already) an IP on both ranges:

> 202.172.122.211 (eth1)
> 202.172.122.74 (eth2)

eth2 would then be connected into a switch, and eth1 into the internet router.

I am not sure if this helps at all, sorry if it does not.

Thanks again,

- Tim G
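Returning to the QoS thread earlier on this page, the following is an added example written for this archive; it is not code posted by Beat, Mohan, Alex or anyone else on the list. Part one builds the per-customer HTB tree Mohan's reply points at ("shape outgoing traffic on the interface that faces each customer"): each customer gets a capped class in the spirit of Beat's 128 kbit/s classes, and under it an interactive leaf (UDP, and ssh coming from outside, i.e. source port 22 toward the customer) that is served before a bulk leaf. Because the router only queues what it sends, this shapes the download direction on the customer-facing interface; the upstream tree from chapter 15.10 stays where it is. Part two answers Alex Samad's question by reducing `tc -s class show` output to one line per class and turning it into an `rrdtool update` command, so no perl is needed. The interface name eth1, the 192.168.99.x addresses, the rates and the sample statistics dump are all constructed assumptions.

```shell
#!/bin/sh
# Added example, not code posted in this thread. Part one builds a per-
# customer HTB tree on the interface that faces the customers (what Mohan
# suggests), with an interactive leaf for VoIP/ssh ahead of bulk traffic
# inside each customer's cap, in the spirit of Beat's setup. Part two turns
# "tc -s class show" output into rrdtool updates (Alex's question).
# Interface, addresses and rates are assumptions for illustration.
set -u

DEV=eth1        # customer-facing interface: we queue what we send toward them
LINK_KBIT=512   # downstream the customers share
CUST_KBIT=128   # per-customer cap
CUSTOMERS="1 192.168.99.11
2 192.168.99.12
3 192.168.99.13"   # "index address" pairs, constructed

DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

tc_root() {
    run tc qdisc del dev "$DEV" root 2>/dev/null || true
    run tc qdisc add dev "$DEV" root handle 1: htb default 2
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate "${LINK_KBIT}kbit" ceil "${LINK_KBIT}kbit"
    # traffic for nobody in particular lands here
    run tc class add dev "$DEV" parent 1:1 classid 1:2 htb rate 8kbit ceil "${LINK_KBIT}kbit" prio 2
    run tc qdisc add dev "$DEV" parent 1:2 handle 2: sfq perturb 10
}

# Customer i gets 1:i0 (the cap) with leaves 1:i1 (interactive, prio 0) and
# 1:i2 (bulk, prio 1); the leaves borrow from each other up to the cap.
tc_customer() {
    i=$1; ip=$2
    run tc class add dev "$DEV" parent 1:1 classid "1:${i}0" htb rate "${CUST_KBIT}kbit" ceil "${CUST_KBIT}kbit"
    run tc class add dev "$DEV" parent "1:${i}0" classid "1:${i}1" htb rate "$((CUST_KBIT / 4))kbit" ceil "${CUST_KBIT}kbit" prio 0
    run tc class add dev "$DEV" parent "1:${i}0" classid "1:${i}2" htb rate "$((CUST_KBIT * 3 / 4))kbit" ceil "${CUST_KBIT}kbit" prio 1
    run tc qdisc add dev "$DEV" parent "1:${i}1" handle "${i}1:" sfq perturb 10
    run tc qdisc add dev "$DEV" parent "1:${i}2" handle "${i}2:" sfq perturb 10
    # u32 tries filters in ascending prio: the specific matches (UDP, and
    # T from the outside, i.e. source port 22 toward the customer) come
    # first, the plain per-address match last. Several "match" clauses in
    # one filter are ANDed. "match ip sport" assumes a 20-byte IP header.
    run tc filter add dev "$DEV" parent 1:0 protocol ip prio 1 u32 \
        match ip dst "$ip/32" match ip protocol 17 0xff flowid "1:${i}1"
    run tc filter add dev "$DEV" parent 1:0 protocol ip prio 1 u32 \
        match ip dst "$ip/32" match ip protocol 6 0xff match ip sport 22 0xffff flowid "1:${i}1"
    run tc filter add dev "$DEV" parent 1:0 protocol ip prio 2 u32 \
        match ip dst "$ip/32" flowid "1:${i}2"
}

shape_all() {
    tc_root
    printf '%s\n' "$CUSTOMERS" | while read -r idx addr; do
        if [ -n "$idx" ]; then tc_customer "$idx" "$addr"; fi
    done
}

# Part two: "tc -s class show dev $DEV" prints, per class, a header line and
# a "Sent N bytes M pkt (dropped D, ...)" line. Reduce that to one line per
# class: classid bytes packets dropped.
class_stats() {
    awk '
        /^class / { cls = $3 }
        /^ *Sent / { d = $7; sub(/,$/, "", d); printf "%s %s %s %s\n", cls, $2, $4, d }
    '
}

# rrdtool update for one class; the RRD is assumed to have two COUNTER data
# sources, bytes and drops, so rrdtool derives the rates itself.
rrd_update_cmd() {
    cls=$1; rrd=$2
    class_stats | awk -v cls="$cls" -v rrd="$rrd" \
        '$1 == cls { printf "rrdtool update %s N:%s:%s\n", rrd, $2, $4 }'
}

# Constructed sample of tc's statistics output, so the parser runs offline.
SAMPLE_STATS='class htb 1:11 parent 1:10 leaf 11: prio 0 rate 32000bit ceil 128000bit burst 1600b cburst 1600b
 Sent 48213 bytes 402 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 402 borrowed: 0 giants: 0
class htb 1:12 parent 1:10 leaf 12: prio 1 rate 96000bit ceil 128000bit burst 1600b cburst 1600b
 Sent 9837120 bytes 6721 pkt (dropped 17, overlimits 1203 requeues 0)
 rate 120288bit 11pps backlog 0b 0p requeues 0
 lended: 6721 borrowed: 0 giants: 0'

# Usage: sh shape.sh        -> print the tc commands and a sample rrdtool update
#        sh shape.sh apply  -> install the tree (as root)
#        sh shape.sh stats  -> dump live counters, one line per class
case "${1:-}" in
    apply) DRY_RUN=0; shape_all ;;
    stats) tc -s class show dev "$DEV" | class_stats ;;
    *)     shape_all
           printf '%s\n' "$SAMPLE_STATS" | rrd_update_cmd 1:12 /var/lib/rrd/cust1_bulk.rrd ;;
esac
```

The check that tells you whether the filters are doing anything is the same one the parser reads: run `tc -s class show dev eth1` while a customer has a VoIP call or an ssh session open, and the Sent counter of that customer's 1:x1 leaf must move; if only 1:x2 or the catch-all 1:2 grows, the packets are not matching the u32 rules. Each customer costs three filters and five class/qdisc objects, so thirty customers means ninety u32 rules evaluated linearly at the root; that is still cheap on a small router, but it is the number to watch, and `tc -s filter show dev eth1 parent 1:0` lists them for review.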
Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20071015/c0faff34/attachment.pgp From dan at 34q.eu Mon Oct 15 14:31:25 2007 From: dan at 34q.eu (Dan) Date: Mon Oct 15 14:31:17 2007 Subject: [LARTC] Routing public IP's through a gateway In-Reply-To: <200710152214.46148.tim@timg.ws> References: <200710142307.12127.tim@timg.ws> <200710152214.46148.tim@timg.ws> Message-ID: <000f01c80f27$4d636580$e82a3080$@eu> Hi, Sounds to me like you don't actually need to do anything - just enable IP forwarding on the linux machine (the gateway - usually something like echo 1 > /proc/sys/net/ipv4/ip_forward), and point your 202.172.122.7x machines at 202.172.122.74 for their default gateway (which your DHCP server should be passing out as a dhcp option anyway). Unless I have missed something in the question? Dan -----Original Message----- From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Tim Groeneveld Sent: 15 October 2007 13:15 To: lartc@mailman.ds9a.nl Subject: Re: [LARTC] Routing public IP's through a gateway On Sunday 14 October 2007 11:07:10 pm Tim Groeneveld wrote: > Greeting all, > > I have a bit of a complicated question. > > I have two ethernet devices, eth1 and eth2. > > eth1 is where my internet comes from. It is in the form of > 202.172.122.208/29. It has another IP range, 202.172.122.72/29. What I > want to be able to do is route 202.172.122.72/29 to eth2, so that > other machines can use those IPs, any ideas on how to do this, I > cannot work out how to do this. > > eth2 has a DHCP server, which only gives out IPs 202.172.122.74 to > 202.172.122.76. > > eth1 is basically just hooked into my internet router, while eth2 is > hooked into a switch, and will be used for other computers. > > If anyone could help me with this setup, I would more then appreciate it. > > Thank you very much, > > - Tim Groeneveld > To extend what I have tried to say further: My ISP has given me two IP ranges. 
202.172.122.208/29 and 202.172.122.72/29. They are unable to give me any larger IP ranges for some lame excuse, which I am sure was written by the BOfH. Does your isp route 202.172.122.72/29 to me? Why yes it does. It routes this IP through the gateway 202.172.122.209. If I want to give a machine an IP in 202.172.122.72/29, this is what I need > A machine already in the 202.172.122.208/29 IP range. > ip route add 202.172.122.72/29 via 202.172.122.209 dev eth1 > ifconfig eth1 202.172.122.73 netmask 255.255.255.248 (where on this machine, eth1 is hooked into my router). What I would like, is a gateway machine, which will use eth2 to provide a gateway for other machines to assign themselves .72/29 IP's, *without* the need of 202.172.122.209 being in the route table. So, there would be *one* gateway machine. This gateway machine has (already) an IP on both ranges. > 202.172.122.211 (eth1) > 202.172.122.74 (eth2) eth2 would then be connected into a switch, and eth1 into the internet router. I am not sure if this helps at all, sorry if it does not. Thanks again, - Tim G From dan at 34q.eu Mon Oct 15 15:07:39 2007 From: dan at 34q.eu (Dan) Date: Mon Oct 15 15:07:31 2007 Subject: FW: [LARTC] Routing public IP's through a gateway Message-ID: <002701c80f2c$5d5c5910$18150b30$@eu> If understand the setup correctly based on previous emails, it looks like this: [Internet] <-> [202.172.122.211 (eth1) {Gateway Machine} 202.172.122.74 (eth2)] <-> [202.172.122.75 (eth1) {Other Machine}] So, according to your emails, your external (eth1) interface on the Gateway machine ** needs to be .209 not .211 or .210 ** (as this is where the ISP's 'router' is pointing the .72 subnet according to what you said), and you need to type echo 1 > /proc/sys/net/ipv4/ip_forward on the gateway machine. No route commands needed: the Gateway machine knows where the .72 subnet is, because it has an interface on it. The Gateway Machine's default gateway is set to your normal ISP's gateway. 
Does that sound like your setup? If so, a few things come to mind - either your ISP is not routing .72/29 via .209, or maybe you have a firewall or routing rules in place, or you are using the wrong IP on the eth1 gateway interface. Hope this helps! Dan -----Original Message----- From: Tim Groeneveld [mailto:tim@timg.ws] Sent: 15 October 2007 13:45 To: Dan Subject: Re: [LARTC] Routing public IP's through a gateway On Monday 15 October 2007 10:31:25 pm you wrote: > Unless I have missed something in the question? Well, these are the commands I issue on my gateway machine: > ifconfig eth1 202.172.122.210 netmask 255.255.255.248 > ifconfig eth2 202.172.122.73 netmask 255.255.255.248 > route add -net 202.172.122.72 netmask 255.255.255.248 eth1 > route add default gw 202.172.122.209 > echo 1 > /proc/sys/net/ipv4/ip_forward They all succeed and everything, but no outside Internet locations are accessable on .72/29 machines. What is worse, running > tcpdump -i eth1 Shows that the data from eth2 is being sent to the Internet, but there is no replies coming on eth2. From tim at timg.ws Mon Oct 15 15:12:40 2007 From: tim at timg.ws (Tim Groeneveld) Date: Mon Oct 15 15:12:56 2007 Subject: FW: [LARTC] Routing public IP's through a gateway In-Reply-To: <002701c80f2c$5d5c5910$18150b30$@eu> References: <002701c80f2c$5d5c5910$18150b30$@eu> Message-ID: <200710152312.43342.tim@timg.ws> On Monday 15 October 2007 11:07:39 pm Dan wrote: > So, according to your emails, your external (eth1) interface on the Gateway > machine ** needs to be .209 not .211 or .210 ** (as this is where the ISP's > 'router' is pointing the .72 subnet according to what you said), and you > need to type echo 1 > /proc/sys/net/ipv4/ip_forward on the gateway machine. > No route commands needed: the Gateway machine knows where the .72 subnet > is, because it has an interface on it. The Gateway Machine's default > gateway is set to your normal ISP's gateway. 
.209 is taken by the routers gateway, so, it needs to be 210. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part. Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20071015/de8faf51/attachment.pgp From tim at timg.ws Mon Oct 15 16:10:55 2007 From: tim at timg.ws (Tim Groeneveld) Date: Mon Oct 15 16:11:06 2007 Subject: FW: [LARTC] Routing public IP's through a gateway In-Reply-To: <200710152312.43342.tim@timg.ws> References: <002701c80f2c$5d5c5910$18150b30$@eu> <200710152312.43342.tim@timg.ws> Message-ID: <200710160010.57669.tim@timg.ws> On Monday 15 October 2007 11:12:40 pm Tim Groeneveld wrote: > On Monday 15 October 2007 11:07:39 pm Dan wrote: > > So, according to your emails, your external (eth1) interface on the > > Gateway machine ** needs to be .209 not .211 or .210 ** (as this is where > > the ISP's 'router' is pointing the .72 subnet according to what you > > said), and you need to type echo 1 > /proc/sys/net/ipv4/ip_forward on the > > gateway machine. No route commands needed: the Gateway machine knows > > where the .72 subnet is, because it has an interface on it. The Gateway > > Machine's default gateway is set to your normal ISP's gateway. > > .209 is taken by the routers gateway, so, it needs to be 210. 
root@videl:/home/tim# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
202.172.122.208 *               255.255.255.248 U     0      0        0 eth1
202.172.122.72  *               255.255.255.248 U     0      0        0 eth2
link-local      *               255.255.0.0     U     1000   0        0 eth1
default         home.gateway    0.0.0.0         UG    100    0        0 eth1

root@videl:/home/tim# ip route list
202.172.122.208/29 dev eth1  proto kernel  scope link  src 202.172.122.210
202.172.122.72/29 dev eth2  proto kernel  scope link  src 202.172.122.73
169.254.0.0/16 dev eth1  scope link  metric 1000
default via 202.172.122.209 dev eth1  metric 100

Is this the correct way to have the route, or is there something here that could be stopping the route from working?

root@videl:/home/tim# tcpdump -i eth2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
00:08:23.863360 IP 202-172-122-76.static.nsw-6.comcen.com.au.1175 > jc-in-f99.google.com.www: S 3109124259:3109124259(0) win 65535
00:08:26.786727 IP 202-172-122-76.static.nsw-6.comcen.com.au.1175 > jc-in-f99.google.com.www: S 3109124259:3109124259(0) win 65535
00:08:31.280752 arp who-has home.gateway tell 202-172-122-74.static.nsw-6.comcen.com.au
00:08:32.795422 IP 202-172-122-76.static.nsw-6.comcen.com.au.1175 > jc-in-f99.google.com.www: S 3109124259:3109124259(0) win 65535

That is a tcpdump of eth2 ... when typing 72.14.253.147 into a browser.

Thanks again,
- Tim G
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20071016/3d4e275a/attachment.pgp

From ceeboyo at ipnxmediahosting.com Tue Oct 16 21:50:24 2007
From: ceeboyo at ipnxmediahosting.com (CeeBoyo)
Date: Tue Oct 16 21:51:05 2007
Subject: [LARTC] Determining burst/cburst HTB values
Message-ID: <004a01c8102d$d44eb5c0$d223ad3e@ltseuneng>

Hello.
I am wondering if the default (auto-computed) burst and cburst parameters are appropriate values for my application.

I have a 100 mbit interface which is connected to a 16 mbit uplink. I am sharing this bandwidth into a set of partitions (tc classes) defined as follows:

                          root class [1:1]
                                 |
     -------------------------------------------------------------
     |                |                 |                 |
default [1:10]   part-1 [1:20]    part-2 [1:30]    part-3 [1:40]

My script (without filter statements) follows:

[root@mercury ~]# cat tc.sh
#!/bin/bash

# reset
tc qdisc del dev eth0 root

# root qdisc
tc qdisc add dev eth0 root handle 1: htb default 10

# root class
tc class add dev eth0 parent 1: classid 1:1 htb rate 16mbit

# default partition
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 1mbit ceil 16mbit
tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10

# partition-1
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 1mbit ceil 1mbit
tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10

# partition-2
tc class add dev eth0 parent 1:1 classid 1:30 htb rate 256kbit ceil 256kbit
tc qdisc add dev eth0 parent 1:30 handle 30: sfq perturb 10

# partition-3
tc class add dev eth0 parent 1:1 classid 1:40 htb rate 128kbit ceil 128kbit
tc qdisc add dev eth0 parent 1:40 handle 40: sfq perturb 10

A sample from tc -s show class dev eth0 is:

[root@mercury ~]# tc -s class show dev eth0
class htb 1:1 root rate 16Mbit ceil 16Mbit burst 3598b cburst 3598b
 Sent 238 bytes 3 pkts (dropped 0, overlimits 0 requeues 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 1794 ctokens: 1794

class htb 1:10 parent 1:1 leaf 10: prio 0 rate 1Mbit ceil 16Mbit burst 1724b cburst 3598b
 Sent 238 bytes 3 pkts (dropped 0, overlimits 0 requeues 0)
 lended: 3 borrowed: 0 giants: 0
 tokens: 13345 ctokens: 1794

class htb 1:20 parent 1:1 leaf 20: prio 0 rate 1Mbit ceil 1Mbit burst 1724b cburst 1724b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0 requeues 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 14131 ctokens: 14131
class htb 1:30 parent 1:1 leaf 30: prio 0 rate 256Kbit ceil 256Kbit burst 1631b cburst 1631b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0 requeues 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 52224 ctokens: 52224

class htb 1:40 parent 1:1 leaf 40: prio 0 rate 128Kbit ceil 128Kbit burst 1615b cburst 1615b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0 requeues 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 103424 ctokens: 103424

I am also graphing the 'Sent' bytes value as reported above and I noticed that the classes usually exceed the configured rates slightly. Can this be improved by tuning the burst and/or cburst values?

Note that MTU is set to 1500 bytes.

Regards,
Charles
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20071016/2dc45f10/attachment.htm

From rabbit+list at rabbit.us Wed Oct 17 17:20:53 2007
From: rabbit+list at rabbit.us (Peter Rabbitson)
Date: Wed Oct 17 17:21:09 2007
Subject: [LARTC] TC basic match problems
Message-ID: <47162855.3000908@rabbit.us>

Hello,

I am attempting to match on a single bit of the NF mark value, and after hours of reading and googling I can not get the syntax right. It has got to be something very simple, yet I can't find it. Any help will be greatly appreciated.

Thanks!
root@Arzamas:/etc/init.d# tc filter add dev wan_b protocol ip prio 2 parent 1:0 basic match meta\(nf_mark mask 0x80 eq 0x80\) flowid 1:0x80
RTNETLINK answers: No such file or directory
We have an error talking to the kernel
root@Arzamas:/etc/init.d#
root@Arzamas:/etc/init.d# tc qdisc show dev wan_b
qdisc htb 1: r2q 10 default 2 direct_packets_stat 0
root@Arzamas:/etc/init.d#
root@Arzamas:/etc/init.d# tc class show dev wan_b
class htb 1:10 parent 1:1 prio 2 rate 40000bit ceil 8000Mbit burst 1604b cburst 1000999b
class htb 1:1 root rate 8000Mbit ceil 8000Mbit burst 1000999b cburst 1000999b
class htb 1:20 parent 1:1 prio 4 rate 40000bit ceil 8000Mbit burst 1604b cburst 1000999b
class htb 1:2 root prio 0 rate 8000Mbit ceil 8000Mbit burst 1000999b cburst 1000999b
class htb 1:30 parent 1:1 prio 5 rate 40000bit ceil 8000Mbit burst 1604b cburst 1000999b
class htb 1:40 parent 1:1 prio 6 rate 40000bit ceil 8000Mbit burst 1604b cburst 1000999b
class htb 1:50 parent 1:1 prio 7 rate 40000bit ceil 8000Mbit burst 1604b cburst 1000999b
class htb 1:8 parent 1:1 prio 1 rate 40000bit ceil 8000Mbit burst 1604b cburst 1000999b
class htb 1:80 parent 1:1 prio 1 rate 40000bit ceil 8000Mbit burst 1604b cburst 1000999b
class htb 1:18 parent 1:1 prio 3 rate 40000bit ceil 8000Mbit burst 1604b cburst 1000999b
class htb 1:28 parent 1:1 prio 5 rate 80000bit ceil 8000Mbit burst 1609b cburst 1000999b
class htb 1:38 parent 1:1 prio 5 rate 40000bit ceil 8000Mbit burst 1604b cburst 1000999b
class htb 1:48 parent 1:1 prio 6 rate 40000bit ceil 1200Kbit burst 1604b cburst 1749b
class htb 1:58 parent 1:1 prio 7 rate 40000bit ceil 1200Kbit burst 1604b cburst 1749b
root@Arzamas:/etc/init.d#

From jrfuller at redhat.com Thu Oct 18 15:58:20 2007
From: jrfuller at redhat.com (Johnray Fuller)
Date: Thu Oct 18 15:58:37 2007
Subject: [LARTC] Quality of Service with VLAN using Traffic Control (tc)
Message-ID: <4717667C.2040607@redhat.com>

We are using VLAN tagging to put several networks on one machine.
To ensure quality of service on one of the VLANs, we would like to prioritize (outgoing/egress traffic) one VLAN interface over the other (or others), but without capping bandwidth on any of the interfaces. We want to do this while being careful to minimize increases in latency on the prioritized interface.

Since these are two or more separate VLAN interfaces on the same physical NIC, we want to know if specific policies assigned to each interface through the tc command would be best suited for this task. At the moment we are using the classless prio_fifo qdisc parameter in tc. Are there other qdisciplines we should consider (such as the classful HTB)? In other words, what tc policies have the best low latency principles for the prioritized VLAN?

Also under consideration are IMQ meta-interfaces for system wide traffic shaping across multiple interfaces. But does the use of IMQ and the requisite iptables packet tagging have a significant impact on increases in latency in your experience?

Finally, is a weighted round-robin queuing algorithm supported? I was unable to figure this out.

Thanks for any assistance you can provide.

Johnray

From fabio.marcone at duet.it Thu Oct 18 16:27:37 2007
From: fabio.marcone at duet.it (Fabio Marcone)
Date: Thu Oct 18 16:27:50 2007
Subject: [LARTC] exporting service on multiple wan
Message-ID: <47176D59.20909@duet.it>

Hi all,
I've a routing problem. I'm setting up a router based on debian (kernel 2.4).

I need to setup routing to export an ftp service (ftp server is in dmz) to 2 wan (both).

I setup prerouting and forward rule with no problem.

The problem is that reply packet use default gateway (default wan) even though they are enter using the other wan.

I solved it marking packets in input from the dmz iface and force to use another gateway (iproute2), but in this way I don't export ftp service on default wan.

how can I setup routing to export ftp service on both iface?

Thanks in advance,
Fabio

-- 
Dott.
Fabio Marcone
2T srl
Telefono +39 - 0871- 540154
Fax +39 - 0871- 571594
Email fabio.marcone(AT)duet.it
Indirizzo Viale B. Croce 573 66013 Chieti Scalo (CH)
GNU/Linux registered user #400424

From aragonx at dcsnow.com Thu Oct 18 21:05:33 2007
From: aragonx at dcsnow.com (aragonx@dcsnow.com)
Date: Thu Oct 18 20:59:05 2007
Subject: [LARTC] rx_csum_offload_errors
Message-ID: <28175.192.35.79.70.1192734333.squirrel@www.dcsnow.com>

This might not be the right place to ask this question. If someone could point me to a better place, that would be greatly appreciated.

My question is this, what is this rx_csum_offload_errors and what causes them. I see them on a few machines that are on my network. I only get maybe 10 or so a day on a couple of my machines. The thing is, it's not always the same machines that get them every day. It can vary.

Could this be a sender that is configured to use TSO while no one else is? Is there an easy way for me to setup a rule to capture these packets and find out what the IP address of the sender is?

Thanks in advance.

---
Will Y.

-- 
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From nozo at ziu.info Thu Oct 18 22:17:31 2007
From: nozo at ziu.info (Michal Soltys)
Date: Thu Oct 18 22:17:46 2007
Subject: [LARTC] TC basic match problems
In-Reply-To: <47162855.3000908@rabbit.us>
References: <47162855.3000908@rabbit.us>
Message-ID: <4717BF5B.8000301@ziu.info>

Peter Rabbitson wrote:
> Hello,
>
> I am attempting to match on a single bit of the NF mark value, and after
> hours of reading and googling I can not get the syntax right. It got to
> be something very simple, yet I can't find it. Any help will be greatly
> appreciated.
>

Hmm

wouldn't something like:

tc filter add dev eth0 proto ip prio 1 parent 1:0 u32 match mark 0x80 0x80 flowid 1:1

suffice ?
> > root@Arzamas:/etc/init.d# tc filter add dev wan_b protocol ip prio 2 > parent 1:0 basic match meta\(nf_mark mask 0x80 eq 0x80\) flowid 1:0x80 > RTNETLINK answers: No such file or directory > We have an error talking to the kernel Are required modules loaded and/or options compiled ? The syntax seems fine. From rabbit+list at rabbit.us Thu Oct 18 23:50:46 2007 From: rabbit+list at rabbit.us (Peter Rabbitson) Date: Thu Oct 18 23:50:54 2007 Subject: [LARTC] TC basic match problems In-Reply-To: <4717BF5B.8000301@ziu.info> References: <47162855.3000908@rabbit.us> <4717BF5B.8000301@ziu.info> Message-ID: <4717D536.4030607@rabbit.us> Michal Soltys wrote: > Peter Rabbitson wrote: >> Hello, >> >> I am attempting to match on a single bit of the NF mark value, and >> after hours of reading and googling I can not get the syntax right. It >> got to be something very simple, yet I can't find it. Any help will be >> greatly appreciated. >> > > Hmm > > wouldn't something like: > > tc filter add dev eth0 proto ip prio 1 parent 1:0 u32 match mark 0x80 > 0x80 flowid 1:1 > > suffice ? > It certainly will, granted you have to know that u32 actually supports it (for more than 3 years now). Thanks a ton for the pointer! P.S. Sigh... tc is such a mess... From mohan.tux at gmail.com Fri Oct 19 04:19:01 2007 From: mohan.tux at gmail.com (Mohan Sundaram) Date: Fri Oct 19 04:19:19 2007 Subject: [LARTC] exporting service on multiple wan In-Reply-To: <47176D59.20909@duet.it> References: <47176D59.20909@duet.it> Message-ID: <47181415.8000309@vsnl.com> Fabio Marcone wrote: > Hi all, > I've a routing problem. I'm setting up a router based on debian (kernel > 2.4). > > I need to setup routing to export an ftp service (ftp server is in dmz) > to 2 wan (both). > > I setup prerouting ad forward rule with no problem. > > The problem is that reply packet use default gateway (default wan) even > though they are enter using the other wan. 
>
> I solved it marking packets in input from the dmz iface and force to use
> another gateway (iproute2), but in this way I don't export ftp service
> on default wan.
>
> how I can setup routing to export ftp service on both iface?
>
> Thanks in advance,
> Fabio

One way to do this:

1. Assign 2 private domain IP addresses to the ftp server and listen to both for ftp. IP1 and IP2
2. Map one IP each for WAN address. WAN1>>IP1 and WAN2>>IP2
3. On the Linux machine, set policy routing based on src IP of reply packet i.e. src IP1 goes thro' WAN1 and src IP2 goes thro' WAN2.

Mohan

From salim.si at cipherium.com.tw Fri Oct 19 04:32:36 2007
From: salim.si at cipherium.com.tw (Salim S I)
Date: Fri Oct 19 04:32:53 2007
Subject: [LARTC] exporting service on multiple wan
In-Reply-To: <47181415.8000309@vsnl.com>
Message-ID: <000301c811f8$530b9a10$5964a8c0@SalimSi>

How about conn-marking the (NEW state)packets in POSTROUTING?

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Mohan Sundaram
Sent: Friday, October 19, 2007 10:19 AM
To: LARTC
Subject: Re: [LARTC] exporting service on multiple wan

Fabio Marcone wrote:
> Hi all,
> I've a routing problem. I'm setting up a router based on debian (kernel
> 2.4).
>
> I need to setup routing to export an ftp service (ftp server is in dmz)
> to 2 wan (both).
>
> I setup prerouting ad forward rule with no problem.
>
> The problem is that reply packet use default gateway (default wan) even
> though they are enter using the other wan.
>
> I solved it marking packets in input from the dmz iface and force to use
> another gateway (iproute2), but in this way I don't export ftp service
> on default wan.
>
> how I can setup routing to export ftp service on both iface?
>
> Thanks in advance,
> Fabio

One way to do this:

1. Assign 2 private domain IP addresses to the ftp server and listen to both for ftp. IP1 and IP2
2. Map one IP each for WAN address. WAN1>>IP1 and WAN2>>IP2
3.
On the Linux machine, set policy routing based on src IP of reply packet i.e. src IP1 goes thro' WAN1 and src IP2 goes thro' WAN2.

Mohan
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From mohan.tux at gmail.com Fri Oct 19 06:09:02 2007
From: mohan.tux at gmail.com (Mohan Sundaram)
Date: Fri Oct 19 06:09:26 2007
Subject: [LARTC] exporting service on multiple wan
In-Reply-To: <000301c811f8$530b9a10$5964a8c0@SalimSi>
References: <000301c811f8$530b9a10$5964a8c0@SalimSi>
Message-ID: <47182DDE.5030205@vsnl.com>

Salim S I wrote:
> How about conn-marking the (NEW state)packets in POSTROUTING?
>

Would probably need to use conntrack ESTABLISHED,DNAT and ROUTE directive for packets coming from LAN to make sure packet goes out from the same interface it came on.

Mohan

From salim.si at cipherium.com.tw Fri Oct 19 07:36:13 2007
From: salim.si at cipherium.com.tw (Salim S I)
Date: Fri Oct 19 07:36:30 2007
Subject: [LARTC] exporting service on multiple wan
In-Reply-To: <47182DDE.5030205@vsnl.com>
Message-ID: <000d01c81211$f95fac80$5964a8c0@SalimSi>

Sorry, I forgot for a moment it was DMZ.

In mangle PREROUTING:

-j CONNMARK --restore-mark
-m mark --mark 0x0 -i WAN1 -j CONNMARK --set-mark 0x1
-m mark --mark 0x0 -i WAN2 -j CONNMARK --set-mark 0x2

Two routing tables, one for each mark.

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Mohan Sundaram
Sent: Friday, October 19, 2007 12:09 PM
To: 'LARTC'
Subject: Re: [LARTC] exporting service on multiple wan

Salim S I wrote:
> How about conn-marking the (NEW state)packets in POSTROUTING?
>

Would probably need to use conntrack ESTABLISHED,DNAT and ROUTE directive for packets coming from LAN to make sure packet goes out from the same interface it came on.
Mohan
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From anshulmakkar at gmail.com Fri Oct 19 14:14:17 2007
From: anshulmakkar at gmail.com (anshul makkar)
Date: Fri Oct 19 14:14:35 2007
Subject: [LARTC] Tc Filter - Port Ranges Calculate Mask Value
Message-ID:

Hi,

I need to support port ranges in tc filter rules. I know how to formulate the rule but, I am not able to understand how to calculate the mask value for a particular range so as to segregate the port values that lie within this range.

I got the following sample

"tc filter add dev eth1 parent 1:1 protocol ip prio 10 u32 match ip sport 0x1ae0 0x1ff0 flowid 1:10

This rule will match all ports from 6880 to 6895."

This rule correctly matches port range from 6880 to 6895. But I am unable to figure out, how the mask value has been calculated.

I am picking up port ranges from GUI. So the range can be any and I need to calculate mask value so as to find out which ports lie within the entered range.

Please if you have any link, clue or reference material, do share it.

Thanking You
Anshul Makkar

From r.penco at scasinet.com Fri Oct 19 16:39:07 2007
From: r.penco at scasinet.com (Riccardo (SCASI))
Date: Fri Oct 19 16:39:37 2007
Subject: [LARTC] Distro ready out of the box
Message-ID: <4718C18B.7070106@scasinet.com>

hi all,

I'm writing not for technical problems but for a simple question.
Do You know if there is a distro which is ready for traffic shaping etc. 'out of the box'?
I mean a distro which does not require patching the kernel and/or iptables and/or installing from source etc. and gives the user most of the tools needed (imq, ipp2p, l7filter and so on).
many thanks
riki

From nic-lartc at studentergaarden.dk Sat Oct 20 04:24:49 2007
From: nic-lartc at studentergaarden.dk (nic-lartc@studentergaarden.dk)
Date: Sat Oct 20 04:20:57 2007
Subject: [LARTC] Distro ready out of the box
In-Reply-To: <4718C18B.7070106@scasinet.com>
References: <4718C18B.7070106@scasinet.com>
Message-ID: <471966F1.6050508@studentergaarden.dk>

Debian 4.0 has all I need including iptables and tc, but _not_ L7 filter or ipp2p :-(

You should look into Zeroshell, which has L7 (haven't tried it)
http://linuxdevices.com/news/NS9446520379.html
http://www.zeroshell.net/eng

Shorewall appears to have ipp2p (but apparently not L7?)

and it looks like there are add ons to IPCop.

It is sad it is not easier... I looked into L7 etc. and ended up deciding that it is such an imperfect way of classifying data that it is better (for me at least) to instead choose a different policy - prioritize ssh, VOIP and web by port and then prevent each host from hogging more than their fair share of the total bandwidth.

But e.g. DD-WRT (embedded distro for wireless routers like the WRT54GL) seems to do a quite good job of it (with L7).

sincerely,
Nicolas

Riccardo (SCASI) wrote:
> hi all,
>
> I'm writing not for technical problems but for a simple question.
> Do You know if there is a distro which is ready for traffic shaping
> etc. 'out of the box'?
> I mean a distro which does not require patching the kernel and/or
> iptables and/or installing from source etc. and gives the user most of
> the tools needed (imq, ipp2p, l7filter and so on).
>
> many thanks
> riki

From nic-lartc at studentergaarden.dk Sat Oct 20 04:50:08 2007
From: nic-lartc at studentergaarden.dk (Nicolas Padfield)
Date: Sat Oct 20 04:46:14 2007
Subject: [LARTC] Filtering RTP/SIP protocol (Voip)?
In-Reply-To: <470EB634.2050108@swiss-wireless.com.ar>
References: <470EB634.2050108@swiss-wireless.com.ar>
Message-ID: <47196CE0.4080905@studentergaarden.dk>

Depends a lot on your setup. If you are running e.g.
an Asterisk server, you can

- prioritize all traffic to/from the Asterisk server IP number

or

- Asterisk (and most SIP clients) allows you to specify which UDP port numbers to use for the RTP data. Prioritize traffic to/from this port range. I know of some sites that run an Asterisk SIP proxy mainly/only to make it easier to prioritize the VOIP traffic.

or

If you are using hardware VOIP phones, put them in a specific IP range and prioritize this range.

or

Many hardware phones and some software VOIP clients support setting QoS flags in the data packets which both switches and routers can use to prioritize the traffic. This can be at layer 2 (e.g. 802.1Q / 802.1p) or layer 3 (DiffServ, IP ToS)

As mentioned before, SIP is easy (almost always on port 5060), it is the RTP data stream that can be tricky.

My experience: if you control the infrastructure, the easiest and cheapest way to ensure good VOIP quality is often to make sure there is _plenty_ of bandwidth. This is seldom a problem on the LAN, but may be a problem on your internet connection if you do not own the infrastructure.

**

sincerely
Nicolas Padfield

Beat Meier wrote:
> Hello
>
> How can I filter (i.e. priorize) RTP protocol and SIP?
> Has anybody wrote a filter for that in the meantime
> (In 2006 there was none answer from the list ...)
>
> Thanks
>
> Beat
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From mlistz at gmail.com Sat Oct 20 05:14:22 2007
From: mlistz at gmail.com (Zhuang Yuyao)
Date: Sat Oct 20 05:14:29 2007
Subject: [LARTC] [HELP] Proxy ARP & OSPF
Message-ID:

Hi,

The network topo looks like this:

the original network:

router1                           router2
   |                                 |
   |----------------OSPF-------------|

the target network: (we need to insert a transparent firewall between these 2 routers, so a proxy arp is set up on firewall to bridge router1 and router2)

router1           firewall           router2
   |             |        |             |
   |------OSPF---|        |---OSPF------|
10.0.0.1      10.0.0.2               10.0.0.4

my question is: is an ospfd required on firewall to allow ospf traffic to pass through? or proxy arp has done this job already?

thanks very much!

From andreas at stapelspeicher.org Sat Oct 20 06:06:31 2007
From: andreas at stapelspeicher.org (Andreas Mueller)
Date: Sat Oct 20 06:07:01 2007
Subject: [LARTC] Distro ready out of the box
In-Reply-To: <471966F1.6050508@studentergaarden.dk>
References: <4718C18B.7070106@scasinet.com> <471966F1.6050508@studentergaarden.dk>
Message-ID: <20071020040631.GA2981@lintera>

Hi,

nic-lartc@studentergaarden.dk wrote:
> Debian 4.0 has all I need including iptables and tc, but _not_ L7 filter or
> ipp2p :-(
>
> You should look into Zeroshell, which has L7 (haven't tried it)
> http://linuxdevices.com/news/NS9446520379.html
> http://www.zeroshell.net/eng
>
> Shorewall appears to have ipp2p (but apparently not L7?)
>
> and it looks like there are add ons to IPCop.
>
> It is sad it is not easier... I looked into L7 etc. and ended up deciding
> that is is such an imperfect way of classifying data that it is better (for
> me at least) to instead choose a different policy - prioritize ssh, VOIP
> and web by port and then prevent each host from hogging more than their
> fair share of the total bandwidth.
>
> But e.g.
DD-WRT (embedded distro for wireless routers like the WRT54GL)
> seems to do a quite good job of it (with L7).

By the way, OpenWRT also offers an x86 version (Kamikaze) which might suit you.

>
> sincerely,
> Nicolas

Sincerely,
Andreas

From rabbit+list at rabbit.us Sat Oct 20 12:51:04 2007
From: rabbit+list at rabbit.us (Peter Rabbitson)
Date: Sat Oct 20 12:51:17 2007
Subject: HTB Ceil (was: [LARTC] Yet another shaping question)
In-Reply-To: <46ECFD33.1030302@rabbit.us>
References: <46ECFD33.1030302@rabbit.us>
Message-ID: <4719DD98.2010406@rabbit.us>

Lately I had time to make some progress on the problem stated at the start of this thread. Now however I am facing a problem with HTB not working correctly. Since I use the same rules on multiple interfaces, I use the same impossibly high ceil for all of them (1Gbyte), and rely on priorities in order to distribute traffic. However it does not seem to work, although the docs state it should. Here is a minimized example:

root@Arzamas:/etc/init.d# tc -d class show dev wan_a
class htb 1:1 root rate 8000Mbit ceil 8000Mbit burst 1Kb/8 mpu 0b overhead 0b cburst 1Kb/8 mpu 0b overhead 0b level 7
class htb 1:80 parent 1:1 prio 0 quantum 1000 rate 40000bit ceil 8000Mbit burst 1600b/8 mpu 0b overhead 0b cburst 1Kb/8 mpu 0b overhead 0b level 0
class htb 1:48 parent 1:1 prio 4 quantum 1000 rate 40000bit ceil 960000bit burst 1600b/8 mpu 0b overhead 0b cburst 1599b/8 mpu 0b overhead 0b level 0
class htb 1:58 parent 1:1 prio 6 quantum 1000 rate 40000bit ceil 1200Kbit burst 1600b/8 mpu 0b overhead 0b cburst 1599b/8 mpu 0b overhead 0b level 0
root@Arzamas:/etc/init.d#

Traffic flowing into 1:58 is correctly shaped at 150kbytes/s. However when traffic starts coming down 1:48 it only gets up to the actual link speed less 1:58, which is about 40kbytes/s in my case.
If however I cap the ceil of the master class to 190kbytes/s - everything works as expected:

root@Arzamas:/etc/init.d# tc -d class show dev wan_a
class htb 1:1 root rate 1520Kbit ceil 1520Kbit burst 1599b/8 mpu 0b overhead 0b cburst 1599b/8 mpu 0b overhead 0b level 7
class htb 1:80 parent 1:1 prio 0 quantum 1000 rate 40000bit ceil 1520Kbit burst 1600b/8 mpu 0b overhead 0b cburst 1599b/8 mpu 0b overhead 0b level 0
class htb 1:48 parent 1:1 prio 4 quantum 1000 rate 40000bit ceil 960000bit burst 1600b/8 mpu 0b overhead 0b cburst 1599b/8 mpu 0b overhead 0b level 0
class htb 1:58 parent 1:1 prio 6 quantum 1000 rate 40000bit ceil 1200Kbit burst 1600b/8 mpu 0b overhead 0b cburst 1599b/8 mpu 0b overhead 0b level 0
root@Arzamas:/etc/init.d#

My question is - how can I shape traffic by priority (deliberately allowing starvation), without knowing beforehand the speed of the underlying link?

Thank you
Peter

From admin at vdx.lt Sat Oct 20 13:23:12 2007
From: admin at vdx.lt (Vaidas M)
Date: Sat Oct 20 13:24:08 2007
Subject: [LARTC] bridge or vlan
Message-ID: <001001c8130b$99babfe0$cd303fa0$@lt>

Hello to everyone,

Here is the situation:

[LAN1]---[eth3]/----------\
               | LinuxBR  |[eth2]---[LAN0]---[linuxGW]---[internet]
[LAN2]---[eth4]\----------/

Whole LAN is in subnet 10.0.0.0/24.

So I need:

LAN0, LAN1, LAN2 could not see each other.
LAN0, LAN1, LAN2 is in same subnet (10.0.0.0/24).
All LANs have to get only internet.

How can I configure LinuxBR to do so?
Do I have to do only bridge? Or only vlan? Or both?

Thanks.

_ _ _ _ _ _ _ __ ___ ____ _____
Vaidas M. [Noxius]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20071020/36e79cf9/attachment.html

From pankoAA at yandex.ru Sat Oct 20 13:58:38 2007
From: pankoAA at yandex.ru (Pan'ko Alexander)
Date: Sat Oct 20 13:58:50 2007
Subject: [LARTC] bridge or vlan
In-Reply-To: <001001c8130b$99babfe0$cd303fa0$@lt>
References: <001001c8130b$99babfe0$cd303fa0$@lt>
Message-ID:

On Sat, 20 Oct 2007 14:23:12 +0300
"Vaidas M" wrote:

> Hello to everyone,
>
> Here is the situation:
>
> [LAN1]---[eth3]/----------\
>                | LinuxBR  |[eth2]---[LAN0]---[linuxGW]---[internet]
> [LAN2]---[eth4]\----------/
>
> Whole LAN is in subnet 10.0.0.0/24.
>
> So I need:
>
> LAN0, LAN1, LAN2 could not see each other.
> LAN0, LAN1, LAN2 is in same subnet (10.0.0.0/24).
> All LANs have to get only internet.
>
> How can I configure LinuxBR to do so?
> Do I have to do only bridge? Or only vlan? Or both?
>

On LinuxBR:

iptables -A FORWARD -s 10.0.0.0/24 -d linuxGW_IP/32 -j ACCEPT
iptables -A FORWARD -s 10.0.0.0/24 -d 10.0.0.0/24 -j DROP
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d linuxGW_IP/32 -j MASQUERADE

On linuxGW:

iptables -t nat -A POSTROUTING -s LinuxBR_IP/32 -j MASQUERADE

-- 
With best regards,
Pan'ko Alexander.

From peet at altlinux.org Sat Oct 20 20:23:26 2007
From: peet at altlinux.org (Peter V. Saveliev)
Date: Sat Oct 20 20:23:38 2007
Subject: [LARTC] ncsh: alpha release
Message-ID: <200710202223.26770.peet@altlinux.org>

...

Hello!

An alpha-mature code of the Connexion project is available:

http://www.radlinux.org/
http://www.radlinux.org/download/connexion-0.4.4.tar.bz2 [171Kb]

docs:
* en: http://www.radlinux.org/docs/static/en/
* ru: http://www.radlinux.org/docs/static/ru/

See docs/INSTALL for quick start-up howto (strictly speaking, installation isn't required, it can work out-of-box -- if all dependencies are provided).

config samples:
* in the tarball, interfaces/console/testing/*
* event handling: http://www.radlinux.org/connexion/wiki/Connexion/Samples

...
In general, Connexion is a framework that provides an easy way to create and combine system configuration modules. The 0.4.4 is shipped with modules:

* ncsh: basic network setup (ethernet, vlan, bridging, pptp, pppoe controls), shaping (tbf,htb) (including class-factory for massive shaping)
* events: snmp traps and netlink events handling
* base dictionary

...

System requirements: GNU/Linux (2.6.13 and above tested; older kernels are not tested but should work, except, maybe, netlink events), glibc (uclibc is not tested, may not work in events handling), python2.4, iproute2, vlan-utils and other ip stuff.

Possible problems: netlink module uses ctypes and operates on very low level. It may have arch-related bugs, 'cause it is tested only on PC ia32 and amd x86_64

Additional python modules (may be installed, but are not necessary):
* egenix-mx-experimental -- for UID(); if absent, uuidgen will be used
* pysnmp 4.x
* pyasn1
* pysnmp-mibs -- for SNMP traps
* ctypes -- for netlink events

So, without event handling, the Connexion project may work with python2.4 only, w/o any additional packages (ip related utils are still needed, but if one works with network setup, he already has these utils)

...

I hope that the project will be useful. Any comments are appreciated. If anyone wants to help the project with coding/testing/docs -- you are welcome.

-- 
Peter V. Saveliev

From anshulmakkar at gmail.com Sat Oct 20 20:30:27 2007
From: anshulmakkar at gmail.com (anshul makkar)
Date: Sat Oct 20 20:30:32 2007
Subject: [LARTC] Tc Filter - Port Ranges Calculate Mask Value
Message-ID:

Hi,

I need to support port ranges in tc filter rules. I know how to formulate the rule but, I am not able to understand how to calculate the mask value for a particular range so as to segregate the port values that lie within this range.
I got the following sample:

"tc filter add dev eth1 parent 1:1 protocol ip prio 10 u32 match ip sport 0x1ae0 0x1ff0 flowid 1:10
This rule will match all ports from 6880 to 6895."

This rule correctly matches port range from 6880 to 6895. But I am unable to figure out how the mask value has been calculated.

I am picking up port ranges from GUI. So the range can be any and I need to calculate mask value so as to find out which ports lie within the entered range.

Please if you have any link, clue or reference material, do share it.

Thanking You
Anshul Makkar

From david_list at boreham.org Sat Oct 20 23:59:15 2007
From: david_list at boreham.org (David Boreham)
Date: Sat Oct 20 23:59:13 2007
Subject: [LARTC] Distro ready out of the box
In-Reply-To: <4718C18B.7070106@scasinet.com>
References: <4718C18B.7070106@scasinet.com>
Message-ID: <471A7A33.5010207@boreham.org>

Riccardo (SCASI) wrote:
> I'm writing not for technical problems but for a simple question.
> Do You know if there is a distro which is ready for traffic shaping
> etc. 'out of the box'?
> I mean a distro which does not require patching the kernel and/or
> iptables and/or installing from source etc. and gives the user most of
> the tools needed (imq, ipp2p, l7filter and so on).

I think the short answer is 'no'. I use OpenWrt on embedded systems for part of our network and it's quite good in this respect, but I wasn't willing to put in the effort to make it run on regular x86 PC hardware (I think it does run but there were too many unknowns for my tastes). So where we use PCs I install Fedora and build the extra modules I need myself.

It is a bit strange that nobody seems to be able to succeed with a router distribution -- there have been many attempts over the years but they've all failed (wikipedia has a good page listing them all).
From laisve at gmail.com Sun Oct 21 05:04:50 2007
From: laisve at gmail.com (Dovydas Sankauskas)
Date: Sun Oct 21 05:04:57 2007
Subject: [LARTC] [HELP] Proxy ARP & OSPF
In-Reply-To:
References:
Message-ID: <1d3e8bf0710202004m1354c341s5af58dc0d6cf536a@mail.gmail.com>

2007/10/20, Zhuang Yuyao :
> Hi,
>
> The network topo looks like this:
>
> the original network:
>
>   router1                          router2
>      |                                |
>      |----------------OSPF------------|
>
> the target network: (we need to insert a transparent firewall between
> these 2 routers, so a proxy arp is set up on firewall to bridge
> router1 and router2)
>
>  router1          firewall          router2
>    |               |   |               |
>    |------OSPF-----|   |---OSPF--------|
> 10.0.0.1         10.0.0.2           10.0.0.4
>
> my question is: is an ospfd required on firewall to allow ospf traffic
> to pass through? or proxy arp has done this job already?

Well, subnet is the only thing that is important for OSPF, so I am not sure if proxy arp will work. But I think hopefully it should do the trick, because IP 10.0.0.2 is only for management; proxy arp is transparent to both router1 and router2. It should work as is. However I have not tested it myself, it is just an assumption.

--
Dovydas Sankauskas

From gtaylor at riverviewtech.net Mon Oct 22 21:05:59 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Mon Oct 22 21:05:53 2007
Subject: [LARTC] bridge or vlan
In-Reply-To: <001001c8130b$99babfe0$cd303fa0$@lt>
References: <001001c8130b$99babfe0$cd303fa0$@lt>
Message-ID: <471CF497.8020808@riverviewtech.net>

On 10/20/07 06:23, Vaidas M wrote:
> Hello to everyone,
>
> Here is the situation:
>
> [LAN1]---[eth3]/----------\
>                | LinuxBR  |[eth2]---[LAN0]---[linuxGW]---[internet]
> [LAN2]---[eth4]\----------/
>
> Whole LAN is in subnet 10.0.0.0/24.
>
> So I need:
>
> LAN0, LAN1, LAN2 could not see each other.
> LAN0, LAN1, LAN2 is in same subnet (10.0.0.0/24).
>
> All LANs have to get only internet.
>
> How can I configure LinuxBR to do so?
>
> Do I have to do only bridge? Or only vlan? Or both?
This is very simple to do. Bridge all your LANs together (whatever interface you choose to use, physical and / or VLAN) and use EBTables to block forwarding of any traffic that has a source and destination on your 10.0.0.0/24 network. This will allow traffic from the LAN to the world and from the world to the LAN to be bridged, but not allow LAN to LAN traffic to be bridged.

ebtables -t filter -A FORWARD --ip-src 10/24 --ip-dst 10/24 -j DROP

This will block all IP traffic. Broadcasts and ARPs will get through, but can be stopped if you do want. If you do want broadcasts and ARPs to be stopped let me know and I'll propose some follow up rules to add to the above to stop them.

Grant. . . .

From maillist1 at argontech.net Mon Oct 22 23:46:44 2007
From: maillist1 at argontech.net (Marco C. Coelho)
Date: Mon Oct 22 23:37:01 2007
Subject: [LARTC] neighbor table overflow
Message-ID: <471D1A44.40503@argontech.net>

I've got a linux router pushing 600-1000 pppoe connections through it. I'm getting a screen error "Neighbor Table Overflow" after this box has been up for between 1 week and 1 month. When this is happening, routing slows to a crawl if at all. Then dies.

I've added:

# Added to stop "neighbor table overflow" messages in the kernel
net.ipv4.neigh.default.gc_thresh1=512
net.ipv4.neigh.default.gc_thresh2=2048
net.ipv4.neigh.default.gc_thresh3=4096
# Added to increase IP contrack number (was getting to max)
net.ipv4.ip_conntrack_max=99999

to sysctl.conf to increase the size, but this only seems to delay the problem.

Any thoughts?

Marco

From peet at altlinux.org Mon Oct 22 23:46:26 2007
From: peet at altlinux.org (Peter V.
Saveliev)
Date: Mon Oct 22 23:46:42 2007
Subject: [LARTC] neighbor table overflow
In-Reply-To: <471D1A44.40503@argontech.net>
References: <471D1A44.40503@argontech.net>
Message-ID: <200710230146.27081.peet@altlinux.org>

>
> # Added to stop "neighbor table overflow" messages in the kernel
> net.ipv4.neigh.default.gc_thresh1=512
> net.ipv4.neigh.default.gc_thresh2=2048
> net.ipv4.neigh.default.gc_thresh3=4096
> # Added to increase IP contrack number (was getting to max)
> net.ipv4.ip_conntrack_max=99999
>
> to sysctl.conf to increase the size, but this only seems to delay the
> problem.
>
> Any thoughts?

try arpd?

--
Peter V. Saveliev

From gtaylor at riverviewtech.net Tue Oct 23 00:34:21 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Tue Oct 23 00:33:54 2007
Subject: [LARTC] bridge or vlan
In-Reply-To: <000e01c814ed$3cf06010$b6d12030$@lt>
References: <001001c8130b$99babfe0$cd303fa0$@lt> <471CF497.8020808@riverviewtech.net> <000e01c814ed$3cf06010$b6d12030$@lt>
Message-ID: <471D256D.1080904@riverviewtech.net>

On 10/22/07 15:50, Vaidas M wrote:
> Thanks for your answer, this would help.

You are welcome.

> I think I know how to block arp: -p ARP -j DROP something like that,
> and the broadcasts: --pkttype-type ...

Be careful blocking all ARP / broadcasts. Remember that equipment will need to ARP to find the router, at least from the two LANs that are not common with the router. You will probably want to allow ARPs to the router's IP address (and any other common equipment) and block all others.

Grant. . . .

From gtaylor at riverviewtech.net Tue Oct 23 00:35:19 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Tue Oct 23 00:34:55 2007
Subject: [LARTC] neighbor table overflow
In-Reply-To: <200710230146.27081.peet@altlinux.org>
References: <471D1A44.40503@argontech.net> <200710230146.27081.peet@altlinux.org>
Message-ID: <471D25A7.4020700@riverviewtech.net>

On 10/22/07 16:46, Peter V. Saveliev wrote:
> try arpd?
You took the statement right out from under my finger tips.

Grant. . . .

From ohu at silver-peak.com Tue Oct 23 01:35:10 2007
From: ohu at silver-peak.com (Oliver Hu)
Date: Tue Oct 23 01:35:15 2007
Subject: [LARTC] is Prio-map really used in a CBQ without filter or filter mismatch?
Message-ID: <8F1355BE69A4F943B34CCA447F73E605206F80@SPDCMX04.speak.local>

Hi, all,

according to the following HTML, http://lartc.org/howto/lartc.qdisc.classful.html section 9.5.3.1. PRIO parameters & usage: it says:

"If you do not provide tc filters to classify traffic, the PRIO qdisc looks at the TC_PRIO priority to decide how to enqueue traffic."

So my understanding is that the Priomap will be consulted to classify the packet. However, I see the packet always goes into the "best-effort" queue, i.e. band1, the medium priority queue, no matter how I change the TOS byte of the packet.

Can someone point out whether I have a misunderstanding of this or there is a discrepancy between the behavior and the code?

Thanks very much.

ohu

From ams at toroid.org Tue Oct 23 08:08:00 2007
From: ams at toroid.org (Abhijit Menon-Sen)
Date: Tue Oct 23 08:08:17 2007
Subject: [LARTC] Re: failover with conntrackd
In-Reply-To: <470CE7FD.3080402@riverviewtech.net>
References: <20071010103540.GA11105@toroid.org> <470CE7FD.3080402@riverviewtech.net>
Message-ID: <20071023060800.GA16481@toroid.org>

(Sorry for the delayed response. I've been on vacation. I'm quoting extensively to provide context.)

At 2007-10-10 09:55:57 -0500, gtaylor@riverviewtech.net wrote:
>
> > Is anyone using conntrack-tools to implement gateway failover on a
> > network with windows clients? [...]

To recap: I have two gateway machines that share two virtual addresses (one on eth0, connected to the internal network and the other on eth1, connected to the outside world).
> Um, why are you not using the same MAC address for the gateway and > having the systems decide who is actively using the MAC at any given > time? Mostly because neither ucarp nor keepalived seem to support changing the MAC address... and besides, everything I read seems to suggest that just gratuitous ARP should be sufficient. > There is a very simple VRRP daemon (vrrpd) for Linux / Unix that will > achieve this. To my knowledge it works by creating a new MAC address > that is used for the VRRP router. I did not realise that vrrpd supports it. My problem with ucarp (which, like vrrpd, also uses a single daemon per interface/shared IP) is that the pair of daemons on eth0 were not always perfectly synchronised with the pair on eth1. As a result, failover time was unpredictable. That's why I switched to keepalived, so as to manage both interfaces with a single process. But I'll try vrrpd anyway, thanks. > The two or more VRRP routers will heart beat each other (I think by > multicast (?)) Yes, through multicast; and if the primary goes down, the remaining nodes elect a new primary. I'll try it and report. -- ams From alex at zoomnet.ro Tue Oct 23 13:56:48 2007 From: alex at zoomnet.ro (Alexandru Dragoi) Date: Tue Oct 23 13:57:26 2007 Subject: [LARTC] neighbor table overflow In-Reply-To: <471D1A44.40503@argontech.net> References: <471D1A44.40503@argontech.net> Message-ID: <471DE180.5040708@zoomnet.ro> Marco C. Coelho wrote: > I've got a linux router pushing 600-1000 pppoe connections through > it. I'm getting a screen error "Neighbor Table Overflow" after this > box has been up for between 1 week and 1 month. When this is > happening, routing slows to a crawl if at all. Then dies. 
> I've added:
>
> # Added to stop "neighbor table overflow" messages in the kernel
> net.ipv4.neigh.default.gc_thresh1=512
> net.ipv4.neigh.default.gc_thresh2=2048
> net.ipv4.neigh.default.gc_thresh3=4096
> # Added to increase IP contrack number (was getting to max)
> net.ipv4.ip_conntrack_max=99999
>
> to sysctl.conf to increase the size, but this only seems to delay the
> problem.
>
> Any thoughts?
>
> Marco
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

What about checking your routing table? You may have link routes for massive subnets (like 85.0.0.0/8 or 140.20.0.0/16). Some programs prefer to use "standard" netmask of classes A and B.

# ip rou |grep link

From hijacker at oldum.net Tue Oct 23 14:27:37 2007
From: hijacker at oldum.net (Nikolay Kichukov)
Date: Tue Oct 23 14:30:13 2007
Subject: [LARTC] Tc Filter - Port Ranges Calculate Mask Value
In-Reply-To:
References:
Message-ID: <471DE8B9.2040602@oldum.net>

Hello Anshul and list,

That is a really interesting matter. I am also awaiting someone who knows how the hex mask is calculated and applied to reply to this post. I am sure it was discussed on the list before, but anyways I might have missed that part.

Cheers,
-Nikolay

anshul makkar wrote:
> Hi,
>
> I need to support port ranges in tc filter rules.
>
> I know how to formulate the rule, but I am not able to understand how
> to calculate the mask value for a particular range so as to segregate
> the port values that lie within this range.
>
> I got the following sample
>
> "tc filter add dev eth1 parent 1:1 protocol ip prio 10 u32 match ip
> sport 0x1ae0 0x1ff0 flowid 1:10 This rule will match all ports from
> 6880 to 6895."
>
> This rule correctly matches port range from 6880 to 6895. But I am
> unable to figure out how the mask value has been calculated.
>
> I am picking up port ranges from GUI.
> So the range can be any and I
> need to calculate mask value so as to find out which ports lie within
> the entered range.
>
> Please if you have any link, clue or reference material, do share it.
>
> Thanking You
> Anshul Makkar

From rabbit+list at rabbit.us Tue Oct 23 16:38:12 2007
From: rabbit+list at rabbit.us (Peter Rabbitson)
Date: Tue Oct 23 16:38:24 2007
Subject: [LARTC] Tc Filter - Port Ranges Calculate Mask Value
In-Reply-To:
References:
Message-ID: <471E0754.3050408@rabbit.us>

anshul makkar wrote:
> Hi,
>
> I need to support port ranges in tc filter rules.
>
> I know how to formulate the rule, but I am not able to understand how
> to calculate the mask value for a particular range so as to segregate
> the port values that lie within this range.
>
> I got the following sample
>
> "tc filter add dev eth1 parent 1:1 protocol ip prio 10 u32 match ip
> sport 0x1ae0 0x1ff0 flowid 1:10 This rule will match all ports from
> 6880 to 6895."
>
> This rule correctly matches port range from 6880 to 6895. But I am
> unable to figure out how the mask value has been calculated.

First you need to have a good understanding of logical operations (and specifically AND). If you do not - do some reading until you at least can give the answer to something like 0b101 & 0b100.
Once you understand this, it is very easy if you convert all the numbers to binary (we use 16 bits, since the port numbers are 16bit). You have:

result 0x1AE0 == 0b0001101011100000
mask   0x1FF0 == 0b0001111111110000

So what happens is:

1) u32 extracts the sport
2) ANDs the extracted value with 0b0001111111110000
3) compares the result to 0b0001101011100000

This means that anything from 0b0001101011100000 to 0b0001101011101111 inclusive will result in a match (since the mask essentially strips the last 4 bits). If you convert this range back to decimal you get:

0b0001101011100000 == 6880
0b0001101011101111 == 6895

> I am picking up port ranges from GUI. So the range can be any and I
> need to calculate mask value so as to find out which ports lie within
> the entered range.

Unfortunately this is impossible. As you probably noticed the range you are matching causes variation of only the last 4 bits in the entire number. The first bits always stay the same (0b000110101110xxxx). If your range is _continuous_ (i.e. without "holes" in it), and this is exactly your case - such a range _must_ be aligned so that the start has N least significant 0's and the end has N least significant 1's. What does this mean in practice:

The size of the range R must be of the form 2^N (to guarantee trailing 0's). In your case 6895 - 6880 + 1 = 16[*] which is 2^4.

The start of the range S must be larger than R and also divisible by it. In your case 6880 / 16 = 430.

Based on the above you can easily calculate the end of the range E: E = S + R - 1[*]. In your case: 6880 + 16 - 1 = 6895.

You might wonder why for a continuous range the last N bits of the mask must be 0. Think of it in decimal terms: Assume we want the range of all numbers between 130 and 139. We can say - we change the last digit to 0, and we check if the number equals 130. If we want a range between 100 and 199 - no problem again. Now what if we want the range between 130 and 149?
We can say - we change the last digit to 0 and check if the number equals 130 or 140. Well there - a single mask does not work :)

HTH
Peter

[*] You might be wondering where the +1/-1 comes from. Well take the numbers from 3 to 6 inclusive, and count how many there actually are. 6 - 3?

From gtaylor at riverviewtech.net Tue Oct 23 22:32:19 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Tue Oct 23 22:31:53 2007
Subject: [LARTC] neighbor table overflow
In-Reply-To: <471DE180.5040708@zoomnet.ro>
References: <471D1A44.40503@argontech.net> <471DE180.5040708@zoomnet.ro>
Message-ID: <471E5A53.3000405@riverviewtech.net>

On 10/23/07 06:56, Alexandru Dragoi wrote:
> What about checking your routing table? you may have link routes for
> massive subnets (like 85.0.0.0/8 or 140.20.0.0/16). Some programs
> prefer to use "standard" netmask of classes A and B.

I'm betting that the OP has other things going on seeing as how s/he mentioned PPPoE, which to my knowledge is a layer 2 protocol, and thus not subject to typical routing scenarios. In essence the OP could have thousands of PPPoE connections terminating on one system with the ARP cache having to deal with where to send traffic to which MAC address. There is not a lot of room for routing in such a scenario.

Grant. . . .

From jeff.welling at crystalstudio.ca Tue Oct 23 22:43:06 2007
From: jeff.welling at crystalstudio.ca (Jeff Welling)
Date: Tue Oct 23 22:43:22 2007
Subject: [LARTC] neighbor table overflow
In-Reply-To: <471E5A53.3000405@riverviewtech.net>
References: <471D1A44.40503@argontech.net> <471DE180.5040708@zoomnet.ro> <471E5A53.3000405@riverviewtech.net>
Message-ID: <9295C708-B499-4D57-8AD4-D97EFDCC9405@crystalstudio.ca>

> On 10/23/07 06:56, Alexandru Dragoi wrote:
>> What about checking your routing table? you may have link routes
>> for massive subnets (like 85.0.0.0/8 or 140.20.0.0/16). Some
>> programs prefer to use "standard" netmask of classes A and B.
> > I'm betting that the OP has other things going on seeing has how s/ > he mentioned PPPoE, which to my knowledge is a layer 2 protocol, > and thus not subject to typical routing scenarios. In essence the > OP could have thousands of PPPoE connections terminating on one > system with the ARP cache having to deal with where to send traffic > to which MAC address. There is not a lot of room for routing in > such a scenario. > I agree with Peter's suggestion, arpd. I ran into the neighbor table overflow problem recently, at the hands of our ISP. I was in the process of recompiling the kernel and mucking with arpd (I couldn't get it to run/start properly) when the problem disappeared as quickly as it showed up. Lucky for me, this was some kind of ISP problem, I was able to determine that much through `tcpdump -i X -n arpd`. My 'two cents' is that you try arpd, I did a bit of looking when I came across that problem and it seemed to be the last ditch effort when changing the gc threshold had no effect. Wasn't able to confirm that it worked for sure though. Cheers. From maillist1 at argontech.net Tue Oct 23 23:10:32 2007 From: maillist1 at argontech.net (Marco C. Coelho) Date: Tue Oct 23 23:00:48 2007 Subject: [LARTC] neighbor table overflow In-Reply-To: <9295C708-B499-4D57-8AD4-D97EFDCC9405@crystalstudio.ca> References: <471D1A44.40503@argontech.net> <471DE180.5040708@zoomnet.ro> <471E5A53.3000405@riverviewtech.net> <9295C708-B499-4D57-8AD4-D97EFDCC9405@crystalstudio.ca> Message-ID: <471E6348.5040404@argontech.net> This box is doing a lot. It terminates 1000 PPPoE connections, provides traffic shaping using TC/HTB, authenticates all users via Radius. It also runs OSPF routing for the internal network. Looking at a simple route output I see all the PPP connections coming through the box, and due to the OSPF I also see the rest of my network announcements. The only strange things are: 1. 
The last man working on this box had mistakenly edited the hosts file and added the machine name and complete domain name to the local host 127.0.0.1 name. It should only be pointed to the eth0 interface. I have changed this. 2. The route output is making an announcement 64.0.0.0 argontech.net 255.0.0.0 UG 20 0 0 eth0 My public IP space is a /20 within that space, not the whole Class A. I have not found which box is announcing this within my network yet. Jeff Welling wrote: > >> On 10/23/07 06:56, Alexandru Dragoi wrote: >>> What about checking your routing table? you may have link routes for >>> massive subnets (like 85.0.0.0/8 or 140.20.0.0/16). Some programs >>> prefer to use "standard" netmask of classes A and B. >> >> I'm betting that the OP has other things going on seeing has how s/he >> mentioned PPPoE, which to my knowledge is a layer 2 protocol, and >> thus not subject to typical routing scenarios. In essence the OP >> could have thousands of PPPoE connections terminating on one system >> with the ARP cache having to deal with where to send traffic to which >> MAC address. There is not a lot of room for routing in such a scenario. >> > I agree with Peter's suggestion, arpd. I ran into the neighbor table > overflow problem recently, at the hands of our ISP. I was in the > process of recompiling the kernel and mucking with arpd (I couldn't > get it to run/start properly) when the problem disappeared as quickly > as it showed up. Lucky for me, this was some kind of ISP problem, I > was able to determine that much through `tcpdump -i X -n arpd`. > > My 'two cents' is that you try arpd, I did a bit of looking when I > came across that problem and it seemed to be the last ditch effort > when changing the gc threshold had no effect. Wasn't able to confirm > that it worked for sure though. > > Cheers. 
> _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > From gtaylor at riverviewtech.net Tue Oct 23 23:04:43 2007 From: gtaylor at riverviewtech.net (Grant Taylor) Date: Tue Oct 23 23:04:17 2007 Subject: [LARTC] neighbor table overflow In-Reply-To: <471E6348.5040404@argontech.net> References: <471D1A44.40503@argontech.net> <471DE180.5040708@zoomnet.ro> <471E5A53.3000405@riverviewtech.net> <9295C708-B499-4D57-8AD4-D97EFDCC9405@crystalstudio.ca> <471E6348.5040404@argontech.net> Message-ID: <471E61EB.4080602@riverviewtech.net> On 10/23/07 16:10, Marco C. Coelho wrote: > This box is doing a lot. It terminates 1000 PPPoE connections, provides > traffic shaping using TC/HTB, authenticates all users via Radius. It > also runs OSPF routing for the internal network. Looking at a simple > route output I see all the PPP connections coming through the box, and > due to the OSPF I also see the rest of my network announcements. The > only strange things are: That's just a few things to do on one box. How well is it handling it if I can ask (aside from the problem that you are working on)? > 1. The last man working on this box had mistakenly edited the hosts > file and added the machine name and complete domain name to the local > host 127.0.0.1 name. It should only be pointed to the eth0 interface. > I have changed this. Dough! > 2. The route output is making an announcement > > 64.0.0.0 argontech.net 255.0.0.0 UG 20 0 > 0 eth0 > > My public IP space is a /20 within that space, not the whole Class A. I > have not found which box is announcing this within my network yet. I would think that you could extract that information from OSPF, or at least the system that is advertising and work backwards until you find the ultimate culprit. Grant. . . . From maillist1 at argontech.net Tue Oct 23 23:27:47 2007 From: maillist1 at argontech.net (Marco C. 
Coelho) Date: Tue Oct 23 23:18:04 2007 Subject: [LARTC] neighbor table overflow In-Reply-To: <471E61EB.4080602@riverviewtech.net> References: <471D1A44.40503@argontech.net> <471DE180.5040708@zoomnet.ro> <471E5A53.3000405@riverviewtech.net> <9295C708-B499-4D57-8AD4-D97EFDCC9405@crystalstudio.ca> <471E6348.5040404@argontech.net> <471E61EB.4080602@riverviewtech.net> Message-ID: <471E6753.6000508@argontech.net> Is there a way to probe the kernel to find out how big the neighbor table is on a regular basis? Without making a smoking hole of course. BTW, Traffic shaping is also controlled via Radius. Grant Taylor wrote: > On 10/23/07 16:10, Marco C. Coelho wrote: >> This box is doing a lot. It terminates 1000 PPPoE connections, >> provides traffic shaping using TC/HTB, authenticates all users via >> Radius. It also runs OSPF routing for the internal network. Looking >> at a simple route output I see all the PPP connections coming through >> the box, and due to the OSPF I also see the rest of my network >> announcements. The only strange things are: > > That's just a few things to do on one box. How well is it handling it > if I can ask (aside from the problem that you are working on)? It's actually pretty happy on a single processor, single core AMD 3000 with 1.5 G of RAM (it was not happy with 512K!!!). I've actually got a new Dual Core, Dual Processor box loaded and ready to place in production, but would like to fix this problem first. Unfortunately it takes between a week and a month for the problem to surface. 
model name      : AMD Athlon(tm) 64 Processor 3000+
stepping        : 0
cpu MHz         : 2000.000
cache size      : 512 KB

             total       used       free     shared    buffers     cached
Mem:       1554796    1044324     510472          0     221180     430860
-/+ buffers/cache:     392284    1162512
Swap:      4096496        148    4096348

ping times through this box:

64 bytes from f1.www.vip.mud.yahoo.com (209.191.93.52): icmp_seq=1 ttl=58 time=7.74 ms
64 bytes from f1.www.vip.mud.yahoo.com (209.191.93.52): icmp_seq=2 ttl=58 time=8.25 ms
64 bytes from f1.www.vip.mud.yahoo.com (209.191.93.52): icmp_seq=3 ttl=58 time=8.36 ms
64 bytes from f1.www.vip.mud.yahoo.com (209.191.93.52): icmp_seq=4 ttl=58 time=11.9 ms
64 bytes from f1.www.vip.mud.yahoo.com (209.191.93.52): icmp_seq=5 ttl=58 time=8.39 ms

>
>> 1. The last man working on this box had mistakenly edited the hosts
>> file and added the machine name and complete domain name to the local
>> host 127.0.0.1 name. It should only be pointed to the eth0
>> interface. I have changed this.
>
> Dough!
>
>> 2. The route output is making an announcement
>>
>> 64.0.0.0 argontech.net 255.0.0.0 UG 20 0 0 eth0
>>
>> My public IP space is a /20 within that space, not the whole Class
>> A. I have not found which box is announcing this within my network yet.
>
> I would think that you could extract that information from OSPF, or at
> least the system that is advertising and work backwards until you find
> the ultimate culprit.

I'm working on it, but time is slim today (but not me)!

>
>
>
> Grant. . . .
> _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > From gtaylor at riverviewtech.net Tue Oct 23 23:23:41 2007 From: gtaylor at riverviewtech.net (Grant Taylor) Date: Tue Oct 23 23:23:12 2007 Subject: [LARTC] neighbor table overflow In-Reply-To: <471E6753.6000508@argontech.net> References: <471D1A44.40503@argontech.net> <471DE180.5040708@zoomnet.ro> <471E5A53.3000405@riverviewtech.net> <9295C708-B499-4D57-8AD4-D97EFDCC9405@crystalstudio.ca> <471E6348.5040404@argontech.net> <471E61EB.4080602@riverviewtech.net> <471E6753.6000508@argontech.net> Message-ID: <471E665D.10307@riverviewtech.net> On 10/23/07 16:27, Marco C. Coelho wrote: > Is there a way to probe the kernel to find out how big the neighbor > table is on a regular basis? Without making a smoking hole of course. Other than querying the ARP cache, I'm not aware of any thing. I'm sure there is a way with in the kernel to see how many entries are in the ARP cache, but I am the wrong person to ask. > BTW, Traffic shaping is also controlled via Radius. *nod* > It's actually pretty happy on a single processor, single core AMD 3000 > with 1.5 G of RAM (it was not happy with 512K!!!). I've actually got a > new Dual Core, Dual Processor box loaded and ready to place in > production, but would like to fix this problem first. Unfortunately it > takes between a week and a month for the problem to surface. Good. It is nice to see Linux doing some things that Cisco and others tried to dominate for so long. > I'm working on it, but time is slim today (but not me)! I wonder if you can turn up debugging on your OSPF daemon to see who / what is being advertised. Grant. . . . 
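Marco asked above how to read the size of the neighbour table on a regular basis, and Grant's answer is to query the ARP cache. The script below is an added example for this page (not code from the thread): it counts the entries in /proc/net/arp, reads the three gc_thresh sysctls from /proc/sys/net/ipv4/neigh/default, and prints one log line classifying how close the table is to the hard limit. The function names are mine, the embedded /proc/net/arp excerpt is constructed for offline testing (addresses and MACs are placeholders), and the file and directory arguments exist only so that the logic can be exercised without root; `ip -4 neigh show` gives the same view as /proc/net/arp.

```shell
#!/bin/sh
# Added example (not from the thread): report how full the IPv4 neighbour
# table is relative to the gc_thresh sysctls Marco tuned.
#   gc_thresh1  entries below this count are never garbage-collected
#   gc_thresh2  soft limit: above it the collector runs aggressively
#   gc_thresh3  hard limit: above it new entries cannot be allocated, which
#               is when the kernel logs the "neighbour table overflow" message

# sample_arp_table: a constructed /proc/net/arp excerpt (placeholder
# addresses, documentation-range MACs) used to test the counting offline.
sample_arp_table() {
    cat <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
10.20.1.5        0x1         0x2         00:00:5e:00:53:01     *        eth0
10.20.1.9        0x1         0x2         00:00:5e:00:53:02     *        eth0
10.20.1.12       0x1         0x0         00:00:00:00:00:00     *        eth0
EOF
}

# neigh_count FILE: number of entries in a /proc/net/arp-style table.
# Incomplete entries (flags 0x0) still occupy a slot, so they are counted.
neigh_count() {
    awk 'NR > 1 && NF >= 6 { n++ } END { print n + 0 }' "$1"
}

# neigh_status COUNT T1 T2 T3: classify COUNT against the three thresholds.
neigh_status() {
    if   [ "$1" -ge "$4" ]; then echo overflow
    elif [ "$1" -ge "$3" ]; then echo aggressive-gc
    elif [ "$1" -ge "$2" ]; then echo gc-active
    else echo ok
    fi
}

# neigh_check [ARPFILE] [SYSCTLDIR]: print one timestamped status line.
# With no arguments it reads the live kernel tables, so a cron entry such as
#   */5 * * * * /usr/local/sbin/neigh_check.sh >> /var/log/neigh.log
# gives the regular reading Marco asked for (path is an assumption).
neigh_check() {
    arp=${1:-/proc/net/arp}
    dir=${2:-/proc/sys/net/ipv4/neigh/default}
    n=$(neigh_count "$arp")
    t1=$(cat "$dir/gc_thresh1")
    t2=$(cat "$dir/gc_thresh2")
    t3=$(cat "$dir/gc_thresh3")
    printf '%s neigh=%s gc_thresh=%s/%s/%s status=%s\n' \
        "$(date '+%Y-%m-%d %H:%M:%S')" "$n" "$t1" "$t2" "$t3" \
        "$(neigh_status "$n" "$t1" "$t2" "$t3")"
}

# Usage on the router itself (needs no root, /proc is world-readable):
#   neigh_check
```

A status of aggressive-gc on a box that is still healthy means the table is living between gc_thresh2 and gc_thresh3 most of the time; that is the regime in which raising the thresholds only delays the overflow, as Marco observed, and the number of entries itself (one per PPPoE peer plus whatever is being ARPed for on eth0) is what has to be explained.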
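Going back to Peter Rabbitson's reply in the "Tc Filter - Port Ranges Calculate Mask Value" thread above: a single u32 match can only express an aligned block whose size is a power of two, but any contiguous range can be covered exactly by splitting it into such blocks and emitting one match per block, which is what a GUI-driven rule generator like Anshul's needs. The script below is an added example written for this page, not code from the thread or from iproute2; it generalises the one-block case Peter worked through to arbitrary ranges. The function names, the prio value 10 and the flowid are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): split a contiguous port range into the
# aligned power-of-two blocks a u32 "value mask" pair can express, and print
# one tc filter per block.
# Rule (Peter's explanation): a block [S, S+R-1] with R = 2^N and S divisible
# by R is matched by value = S and mask = 0xffff with the low N bits cleared,
# because u32 compares (port AND mask) with value.

# u32_port_blocks LO HI
# Prints one "0xVALUE 0xMASK" pair per line (16-bit), covering LO..HI exactly.
u32_port_blocks() {
    lo=$1
    hi=$2
    [ "$lo" -ge 0 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ] || return 1
    while [ "$lo" -le "$hi" ]; do
        size=1
        # Double the block while its start stays aligned to the doubled size
        # and the doubled block still fits inside the remaining range.
        while [ $(( lo & (size * 2 - 1) )) -eq 0 ] \
              && [ $(( lo + size * 2 - 1 )) -le "$hi" ]; do
            size=$(( size * 2 ))
        done
        mask=$(( 0xffff & ~(size - 1) ))
        printf '0x%04x 0x%04x\n' "$lo" "$mask"
        lo=$(( lo + size ))
    done
}

# u32_port_filters DEV PARENT FLOWID sport|dport LO HI
# Emits the tc commands (one per block); pipe the output into sh to apply.
u32_port_filters() {
    dev=$1; parent=$2; flowid=$3; field=$4
    u32_port_blocks "$5" "$6" | while read -r value mask; do
        printf 'tc filter add dev %s parent %s protocol ip prio 10 u32 match ip %s %s %s flowid %s\n' \
            "$dev" "$parent" "$field" "$value" "$mask" "$flowid"
    done
}

# Demo on a range that is not a single aligned block:
u32_port_filters eth1 1:1 1:10 sport 6880 6899
```

With the thread's own range, `u32_port_blocks 6880 6895` yields `0x1ae0 0xfff0`. The sample rule quoted in the thread used the mask 0x1ff0 instead, which leaves bits 13 to 15 unmasked as well as the low four; since u32 compares (sport AND mask) with the value, that rule also matches every port whose low 13 bits fall in 6880..6895, for example 15072..15087 (0x3ae0..0x3aef). The full mask 0xfff0 matches only the sixteen intended ports. For 6880..6899 the demo emits two filters, a block of 16 at 0x1ae0 with 0xfff0 and a block of 4 at 0x1af0 with 0xfffc; a range starting on an odd port degenerates to a one-port first block, so very ragged ranges cost several filters, which is the practical meaning of Peter's "130 to 149" analogy.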
From steve at escortguide.tv Wed Oct 24 10:33:28 2007
From: steve at escortguide.tv (steve finch)
Date: Wed Oct 24 10:33:38 2007
Subject: [LARTC] tc u32 match drop packets
Message-ID:

Hello,

I am trying to use tc to drop packets based on the ip identification field in the ip header. I am trying to drop incoming packets with the ip identification field equal to 15:

tc qdisc del dev eth0 ingress
tc qdisc add dev eth0 handle ffff: ingress
tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip protocol 6 0xff flowid 1:1 match u16 0x000f 0xffff at 4 action drop

tc doesn't show any error, but no packets are being dropped.

Please help.

Thank you.

From alex at zoomnet.ro Wed Oct 24 12:19:49 2007
From: alex at zoomnet.ro (Alexandru Dragoi)
Date: Wed Oct 24 12:20:12 2007
Subject: [LARTC] neighbor table overflow
In-Reply-To: <471E6348.5040404@argontech.net>
References: <471D1A44.40503@argontech.net> <471DE180.5040708@zoomnet.ro> <471E5A53.3000405@riverviewtech.net> <9295C708-B499-4D57-8AD4-D97EFDCC9405@crystalstudio.ca> <471E6348.5040404@argontech.net>
Message-ID: <471F1C45.2010109@zoomnet.ro>

Marco C. Coelho wrote:
>
> This box is doing a lot. It terminates 1000 PPPoE connections,
> provides traffic shaping using TC/HTB, authenticates all users via
> Radius. It also runs OSPF routing for the internal network. Looking
> at a simple route output I see all the PPP connections coming through
> the box, and due to the OSPF I also see the rest of my network
> announcements. The only strange things are:
>
> 1. The last man working on this box had mistakenly edited the hosts
> file and added the machine name and complete domain name to the local
> host 127.0.0.1 name. It should only be pointed to the eth0
> interface. I have changed this.
>
> 2.
The route output is making an announcement > > 64.0.0.0 argontech.net 255.0.0.0 UG 20 > 0 0 eth0 This doesn't look dangerous for your problem, I was only talking about directly connected networks: # ip route |grep link > > My public IP space is a /20 within that space, not the whole Class A. > I have not found which box is announcing this within my network yet. > > > > > > Jeff Welling wrote: >> >>> On 10/23/07 06:56, Alexandru Dragoi wrote: >>>> What about checking your routing table? you may have link routes >>>> for massive subnets (like 85.0.0.0/8 or 140.20.0.0/16). Some >>>> programs prefer to use "standard" netmask of classes A and B. >>> >>> I'm betting that the OP has other things going on seeing has how >>> s/he mentioned PPPoE, which to my knowledge is a layer 2 protocol, >>> and thus not subject to typical routing scenarios. In essence the >>> OP could have thousands of PPPoE connections terminating on one >>> system with the ARP cache having to deal with where to send traffic >>> to which MAC address. There is not a lot of room for routing in such >>> a scenario. >>> >> I agree with Peter's suggestion, arpd. I ran into the neighbor table >> overflow problem recently, at the hands of our ISP. I was in the >> process of recompiling the kernel and mucking with arpd (I couldn't >> get it to run/start properly) when the problem disappeared as quickly >> as it showed up. Lucky for me, this was some kind of ISP problem, I >> was able to determine that much through `tcpdump -i X -n arpd`. >> >> My 'two cents' is that you try arpd, I did a bit of looking when I >> came across that problem and it seemed to be the last ditch effort >> when changing the gc threshold had no effect. Wasn't able to confirm >> that it worked for sure though. >> >> Cheers. 
>> _______________________________________________ >> LARTC mailing list >> LARTC@mailman.ds9a.nl >> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc >> > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc From maillist1 at argontech.net Wed Oct 24 17:19:19 2007 From: maillist1 at argontech.net (Marco C. Coelho) Date: Wed Oct 24 17:09:34 2007 Subject: [LARTC] neighbor table overflow In-Reply-To: <471F1C45.2010109@zoomnet.ro> References: <471D1A44.40503@argontech.net> <471DE180.5040708@zoomnet.ro> <471E5A53.3000405@riverviewtech.net> <9295C708-B499-4D57-8AD4-D97EFDCC9405@crystalstudio.ca> <471E6348.5040404@argontech.net> <471F1C45.2010109@zoomnet.ro> Message-ID: <471F6277.2050300@argontech.net> the ip route with a grep for link returns: snip** too long 64.202.227.198 dev ppp436 proto kernel scope link src 10.20.1.1 64.202.227.196 dev ppp421 proto kernel scope link src 10.20.1.1 64.202.227.197 dev ppp211 proto kernel scope link src 10.20.0.1 64.202.227.194 dev ppp13 proto kernel scope link src 10.20.1.1 64.202.227.192 dev ppp404 proto kernel scope link src 10.20.1.1 64.202.227.254 dev ppp194 proto kernel scope link src 10.20.1.1 64.202.227.253 dev ppp130 proto kernel scope link src 10.20.1.1 64.202.227.252 dev ppp243 proto kernel scope link src 10.20.1.1 64.202.227.249 dev ppp195 proto kernel scope link src 10.20.1.1 64.202.227.248 dev ppp254 proto kernel scope link src 10.20.1.1 64.202.227.247 dev ppp235 proto kernel scope link src 10.20.1.1 64.202.227.242 dev ppp78 proto kernel scope link src 10.20.1.1 64.202.227.240 dev ppp328 proto kernel scope link src 10.20.1.1 64.202.227.237 dev ppp44 proto kernel scope link src 10.20.1.1 64.202.227.236 dev ppp122 proto kernel scope link src 10.20.1.1 64.202.227.234 dev ppp316 proto kernel scope link src 10.20.1.1 64.202.227.232 dev ppp132 proto kernel scope link src 10.20.1.1 64.202.227.231 dev ppp104 proto kernel scope link 
src 10.20.0.1 64.202.227.226 dev ppp179 proto kernel scope link src 10.20.0.1 64.202.224.0/24 dev eth0 proto kernel scope link src 64.202.224.8 192.168.1.0/24 dev eth3 proto kernel scope link src 192.168.1.8 169.254.0.0/16 dev eth3 scope link All the pppoe terminations (pppd) are shown, as well as the last three subnets. I'll have to see where the 169.254.0.0/16 is coming from? mc Alexandru Dragoi wrote: > Marco C. Coelho wrote: > >> This box is doing a lot. It terminates 1000 PPPoE connections, >> provides traffic shaping using TC/HTB, authenticates all users via >> Radius. It also runs OSPF routing for the internal network. Looking >> at a simple route output I see all the PPP connections coming through >> the box, and due to the OSPF I also see the rest of my network >> announcements. The only strange things are: >> >> 1. The last man working on this box had mistakenly edited the hosts >> file and added the machine name and complete domain name to the local >> host 127.0.0.1 name. It should only be pointed to the eth0 >> interface. I have changed this. >> >> 2. The route output is making an announcement >> >> 64.0.0.0 argontech.net 255.0.0.0 UG 20 >> 0 0 eth0 >> > > This doesn't look dangerous for your problem, I was only talking about > directly connected networks: > > # ip route |grep link > > >> My public IP space is a /20 within that space, not the whole Class A. >> I have not found which box is announcing this within my network yet. >> >> >> >> >> >> Jeff Welling wrote: >> >>>> On 10/23/07 06:56, Alexandru Dragoi wrote: >>>> >>>>> What about checking your routing table? you may have link routes >>>>> for massive subnets (like 85.0.0.0/8 or 140.20.0.0/16). Some >>>>> programs prefer to use "standard" netmask of classes A and B. >>>>> >>>> I'm betting that the OP has other things going on seeing has how >>>> s/he mentioned PPPoE, which to my knowledge is a layer 2 protocol, >>>> and thus not subject to typical routing scenarios. 
In essence the >>>> OP could have thousands of PPPoE connections terminating on one >>>> system with the ARP cache having to deal with where to send traffic >>>> to which MAC address. There is not a lot of room for routing in such >>>> a scenario. >>>> >>>> >>> I agree with Peter's suggestion, arpd. I ran into the neighbor table >>> overflow problem recently, at the hands of our ISP. I was in the >>> process of recompiling the kernel and mucking with arpd (I couldn't >>> get it to run/start properly) when the problem disappeared as quickly >>> as it showed up. Lucky for me, this was some kind of ISP problem, I >>> was able to determine that much through `tcpdump -i X -n arpd`. >>> >>> My 'two cents' is that you try arpd, I did a bit of looking when I >>> came across that problem and it seemed to be the last ditch effort >>> when changing the gc threshold had no effect. Wasn't able to confirm >>> that it worked for sure though. >>> >>> Cheers. >>> _______________________________________________ >>> LARTC mailing list >>> LARTC@mailman.ds9a.nl >>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc >>> >>> >> _______________________________________________ >> LARTC mailing list >> LARTC@mailman.ds9a.nl >> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc >> > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20071024/7dec5de9/attachment.htm From alex at zoomnet.ro Wed Oct 24 18:06:12 2007 From: alex at zoomnet.ro (Alexandru Dragoi) Date: Wed Oct 24 18:06:39 2007 Subject: [LARTC] neighbor table overflow In-Reply-To: <471F6277.2050300@argontech.net> References: <471D1A44.40503@argontech.net> <471DE180.5040708@zoomnet.ro> <471E5A53.3000405@riverviewtech.net> <9295C708-B499-4D57-8AD4-D97EFDCC9405@crystalstudio.ca> <471E6348.5040404@argontech.net> <471F1C45.2010109@zoomnet.ro> <471F6277.2050300@argontech.net> Message-ID: <471F6D74.7000607@zoomnet.ro> Marco C. 
Coelho wrote: > > the ip route with a grep for link returns: > > snip** too long > 64.202.227.198 dev ppp436 proto kernel scope link src 10.20.1.1 > 64.202.227.196 dev ppp421 proto kernel scope link src 10.20.1.1 > 64.202.227.197 dev ppp211 proto kernel scope link src 10.20.0.1 > 64.202.227.194 dev ppp13 proto kernel scope link src 10.20.1.1 > 64.202.227.192 dev ppp404 proto kernel scope link src 10.20.1.1 > 64.202.227.254 dev ppp194 proto kernel scope link src 10.20.1.1 > 64.202.227.253 dev ppp130 proto kernel scope link src 10.20.1.1 > 64.202.227.252 dev ppp243 proto kernel scope link src 10.20.1.1 > 64.202.227.249 dev ppp195 proto kernel scope link src 10.20.1.1 > 64.202.227.248 dev ppp254 proto kernel scope link src 10.20.1.1 > 64.202.227.247 dev ppp235 proto kernel scope link src 10.20.1.1 > 64.202.227.242 dev ppp78 proto kernel scope link src 10.20.1.1 > 64.202.227.240 dev ppp328 proto kernel scope link src 10.20.1.1 > 64.202.227.237 dev ppp44 proto kernel scope link src 10.20.1.1 > 64.202.227.236 dev ppp122 proto kernel scope link src 10.20.1.1 > 64.202.227.234 dev ppp316 proto kernel scope link src 10.20.1.1 > 64.202.227.232 dev ppp132 proto kernel scope link src 10.20.1.1 > 64.202.227.231 dev ppp104 proto kernel scope link src 10.20.0.1 > 64.202.227.226 dev ppp179 proto kernel scope link src 10.20.0.1 > 64.202.224.0/24 dev eth0 proto kernel scope link src 64.202.224.8 > 192.168.1.0/24 dev eth3 proto kernel scope link src 192.168.1.8 > 169.254.0.0/16 dev eth3 scope link The one above must be deleted, many redhat-like distros attach 169.254.0.0/16. > > All the pppoe terminations (pppd) are shown, as well as the last three > subnets. I'll have to see where the 169.254.0.0/16 is coming from? > > mc > > > > > Alexandru Dragoi wrote: >> Marco C. Coelho wrote: >> >>> This box is doing a lot. It terminates 1000 PPPoE connections, >>> provides traffic shaping using TC/HTB, authenticates all users via >>> Radius. It also runs OSPF routing for the internal network. 
Looking >>> at a simple route output I see all the PPP connections coming through >>> the box, and due to the OSPF I also see the rest of my network >>> announcements. The only strange things are: >>> >>> 1. The last man working on this box had mistakenly edited the hosts >>> file and added the machine name and complete domain name to the local >>> host 127.0.0.1 name. It should only be pointed to the eth0 >>> interface. I have changed this. >>> >>> 2. The route output is making an announcement >>> >>> 64.0.0.0 argontech.net 255.0.0.0 UG 20 >>> 0 0 eth0 >>> >> >> This doesn't look dangerous for your problem, I was only talking about >> directly connected networks: >> >> # ip route |grep link >> >> >>> My public IP space is a /20 within that space, not the whole Class A. >>> I have not found which box is announcing this within my network yet. >>> >>> >>> >>> >>> >>> Jeff Welling wrote: >>> >>>>> On 10/23/07 06:56, Alexandru Dragoi wrote: >>>>> >>>>>> What about checking your routing table? you may have link routes >>>>>> for massive subnets (like 85.0.0.0/8 or 140.20.0.0/16). Some >>>>>> programs prefer to use "standard" netmask of classes A and B. >>>>>> >>>>> I'm betting that the OP has other things going on seeing has how >>>>> s/he mentioned PPPoE, which to my knowledge is a layer 2 protocol, >>>>> and thus not subject to typical routing scenarios. In essence the >>>>> OP could have thousands of PPPoE connections terminating on one >>>>> system with the ARP cache having to deal with where to send traffic >>>>> to which MAC address. There is not a lot of room for routing in such >>>>> a scenario. >>>>> >>>>> >>>> I agree with Peter's suggestion, arpd. I ran into the neighbor table >>>> overflow problem recently, at the hands of our ISP. I was in the >>>> process of recompiling the kernel and mucking with arpd (I couldn't >>>> get it to run/start properly) when the problem disappeared as quickly >>>> as it showed up. 
Lucky for me, this was some kind of ISP problem, I >>>> was able to determine that much through `tcpdump -i X -n arpd`. >>>> >>>> My 'two cents' is that you try arpd, I did a bit of looking when I >>>> came across that problem and it seemed to be the last ditch effort >>>> when changing the gc threshold had no effect. Wasn't able to confirm >>>> that it worked for sure though. >>>> >>>> Cheers. >>>> _______________________________________________ >>>> LARTC mailing list >>>> LARTC@mailman.ds9a.nl >>>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc >>>> >>>> >>> _______________________________________________ >>> LARTC mailing list >>> LARTC@mailman.ds9a.nl >>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc >>> >> >> >> > ------------------------------------------------------------------------ > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > From rasky at develer.com Wed Oct 24 19:47:45 2007 From: rasky at develer.com (Giovanni Bajo) Date: Wed Oct 24 19:47:48 2007 Subject: [LARTC] Low-priority traffic Message-ID: <471F8541.4010606@develer.com> Hello, I'm a total tc newbie, and I'm trying to tweak the wondershaper script (http://lartc.org/wondershaper/) to get a slightly different result. Excuse me if I will not use the correct technical terms, it's a whole new world to me :) wondershaper.htb creates 3 HTB classes; 1:10 is high prio, 1:20 is bulk (default), and 1:30 is low priority. 
The classes are created as follows:

==========================================================
tc class add dev $DEV parent 1:1 classid 1:10 htb \
      rate ${UPLINK}kbit \
      burst 6k prio 1

tc class add dev $DEV parent 1:1 classid 1:20 htb \
      rate $[9*$UPLINK/10]kbit ceil ${UPLINK}kbit \
      burst 6k prio 2

tc class add dev $DEV parent 1:1 classid 1:30 htb \
      rate $[1*$UPLINK/10]kbit ceil ${UPLINK}kbit \
      burst 6k prio 2
==========================================================

What I would like to do is to always give priority to traffic in class 1:20 with respect to class 1:30: basically, if there is a lot of traffic in class 1:20, class 1:30 shouldn't have any bandwidth allocated besides its minimum rate.

I'll try to clarify the above paragraph with an example; let's assume that if I download file A from this server, the generated traffic goes to class 1:20; if I download file B, the traffic goes to class 1:30. Let's also say that UPLINK is 1Mbit/s.

0) Server does nothing.
1) I start downloading B. I begin downloading it at 1Mbit/s.
2) I then start download A while B is going. A's download totally steals traffic from B's download, up to its minimum rate. So, after a little while, I should see download B going to 10% = 100Kbit and download A going to 90% = 900Kbit.
3) I stop download B. A goes up to 1Mbit.
4) I apply a client-side limit to A's download. Now A goes to 600Kbit.
5) I start downloading B again. B cannot steal any bandwidth from A, but it will get all the available bandwidth. So A will stay at 600Kbit, and B will go at 400Kbit.

I hope my explanation is clear.

Wondershaper does not seem to do this. In fact, when I start downloading A and B, they seem to equally distribute the available bandwidth (I verified that packets really go to the respective classes, so it's not a filter problem). It's not clear to me how HTB decides to allocate the bandwidth, and what the "rate" parameter really means.

I even tried the CBQ version of wondershaper, but I got the same results.

Do you have any suggestion about how I can achieve my expected behaviour? How should I modify wondershaper?

Thanks!
-- 
Giovanni Bajo

From ams at toroid.org Wed Oct 24 20:04:32 2007
From: ams at toroid.org (Abhijit Menon-Sen)
Date: Wed Oct 24 20:04:46 2007
Subject: [LARTC] Re: failover with conntrackd
In-Reply-To: <20071023060800.GA16481@toroid.org>
References: <20071010103540.GA11105@toroid.org> <470CE7FD.3080402@riverviewtech.net> <20071023060800.GA16481@toroid.org>
Message-ID: <20071024180432.GA4586@toroid.org>

At 2007-10-23 11:38:00 +0530, ams@toroid.org wrote:
>
> But I'll try vrrpd anyway, thanks.

Ah, no. vrrpd is a non-starter, because it provides no notification when a machine switches between primary and secondary mode.

Unfortunately, I can't use any of the three failover programs I've tried so far.

1. keepalived
   - Provides notifications.
   - Uses a single process for multiple interfaces, so no synchronisation problems.
   - Doesn't support MAC address takeover.

2. vrrpd
   - Supports MAC address takeover.
   - Uses one process per interface, but supports synchronisation through signalling the other process when the state changes.
   - Doesn't provide notifications (although Jerome Etienne's OLS presentation suggests that he meant to implement this).
   - Not very nice code; authentication partly implemented, but with bugs and without sufficient testing.

3. ucarp
   - Provides notifications.
   - Reasonably nice code.
   - Uses one process per interface, and provides no synchronisation support at all.
   - Does not support MAC address takeover.

I'm going to modify ucarp to change the MAC address with the state, and to switch state on signal, so that two processes can be synchronised. This is a lot more painful than I thought it would be.
-- 
ams

From shakirgil at yahoo.com Wed Oct 24 20:37:44 2007
From: shakirgil at yahoo.com (Mohammad Shakir)
Date: Wed Oct 24 20:37:49 2007
Subject: [LARTC] Traffic shaping
Message-ID: <401359.58277.qm@web62412.mail.re1.yahoo.com>

I am using HTB for traffic shaping. My scenario is: eth1 is my local interface and I want to shape bandwidth for IP 172.16.173.245. Now I want that if any request from the above IP comes it gets 1mb speed and all others get 96kb speed. For this setup I made the following script but it does not work. Can anyone help me?

htb script
--------------
tc qdisc del dev eth1 root 2> /dev/null > /dev/null
tc qdisc add dev eth1 root handle 11: htb
tc class add dev eth1 parent 11: classid 11:1 htb rate 10mbit

tc class add dev eth1 parent 11:1 classid 11:21 htb rate 1024kbit ceil 1024kbit prio 5
tc qdisc add dev eth1 parent 11:21 handle 21: sfq perturb 10
tc filter add dev eth1 parent 11: protocol ip prio 100 handle 5000 fw flowid 11:21

tc class add dev eth1 parent 11:1 classid 11:22 htb rate 96kbit ceil 96kbit prio 5
tc qdisc add dev eth1 parent 11:22 handle 22: sfq perturb 10
tc filter add dev eth1 protocol ip parent 11: prio 2 u32 match ip dst 172.16.173.254 flowid 11:22

iptables -t mangle -A PREROUTING -s 172.16.173.245 -p tcp --dport 80 -j MARK --set-mark 5000

htb result
--------------
[root@test ~]# tc -s class show dev eth1
class htb 11:22 parent 11:1 leaf 22: prio 5 rate 96000bit ceil 96000bit burst 1647b cburst 1647b
 Sent 179720 bytes 247 pkt (dropped 0, overlimits 0 requeues 0)
 rate 29728bit 5pps backlog 0b 42p requeues 0
 lended: 205 borrowed: 0 giants: 0
 tokens: -141972 ctokens: -141972

class htb 11:1 root rate 10000Kbit ceil 10000Kbit burst 6600b cburst 6600b
 Sent 129540 bytes 205 pkt (dropped 0, overlimits 0 requeues 0)
 rate 56bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 3953 ctokens: 3953

class htb 11:21 parent 11:1 leaf 21: prio 5 rate 1024Kbit ceil 1024Kbit burst 2112b cburst 2112b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 16500 ctokens: 16500

From karme at berlios.de Wed Oct 24 23:53:15 2007
From: karme at berlios.de (Jens Thiele)
Date: Wed Oct 24 23:53:26 2007
Subject: [LARTC] Low-priority traffic
In-Reply-To: <471F8541.4010606@develer.com> (Giovanni Bajo's message of "Wed, 24 Oct 2007 19:47:45 +0200")
References: <471F8541.4010606@develer.com>
Message-ID: <87640wji2c.fsf@thialfi.karme-net.hirschau>

On 24 Okt 2007, rasky@develer.com wrote:
> Hello,

Hi,

[...]

> wondershaper.htb creates 3 HTB classes; 1:10 is high prio, 1:20 is
> bulk (default), and 1:30 is low priority. The classes are created as
> follows:
>
> ==========================================================
> tc class add dev $DEV parent 1:1 classid 1:10 htb \
>       rate ${UPLINK}kbit \
>       burst 6k prio 1
>
> tc class add dev $DEV parent 1:1 classid 1:20 htb \
>       rate $[9*$UPLINK/10]kbit ceil ${UPLINK}kbit \
>       burst 6k prio 2
>
> tc class add dev $DEV parent 1:1 classid 1:30 htb \
>       rate $[1*$UPLINK/10]kbit ceil ${UPLINK}kbit \
>       burst 6k prio 2
                      ^
I guess you want to have prio 3 here.

"The rule is that classes with higher priority are offered excess
bandwidth first. But rules about guaranteed rate and ceil are still
met." [1]

where lower numerical prio value means higher priority (and prio is in [0,7])

> What I would like to do is to always give priority to traffic in class
> 1:20 with respect to class 1:30: basically, if there is a lot of traffic in
> class 1:20, class 1:30 shouldn't have any bandwidth allocated besides
> its minimum rate.
>
> [...]
>
> Wondershaper does not seem to do this. In fact, when I start
> downloading A and B, they seem to equally distribute the available
> bandwidth

bandwidth of classes with the same priority is AFAIR distributed
proportionally to (minimum) rate

> (I verified that packets really go to the respective
> classes, so it's not a filter problem). It's not clear to me how HTB
> decides to allocate the bandwidth, and what the "rate" parameter
> really means.
>
> [...]
>
> Do you have any suggestion about how I can achieve my expected
> behaviour? How should I modify wondershaper?

good documentation for htb:
[1] http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm

Greetings
Jens

From mailvortex at gmail.com Thu Oct 25 02:25:08 2007
From: mailvortex at gmail.com (Ben Scott)
Date: Thu Oct 25 02:25:13 2007
Subject: [LARTC] One machine, two net feeds, outbound route selection
Message-ID: <59f980d60710241725p5ca9cca2ueb5edc12675f62e3@mail.gmail.com>

Hello, world!

Sorry to subscribe to the list only to immediately ask a question, but this one's got me scratching my head and I can't find the answer in the archives, the HOWTO, or on the web. Maybe I'm just asking the wrong question.
Anyway, our Internet gateway is a Linux box. We've got two Internet feeds, a fast one from a crummy provider, and a slower one from a good provider. The goal is to control which feed gets used on a per-service basis. For the most part, I've been pretty successful at this, and it's worked well. Score one for the good guys.

However, I'm having trouble trying to get Sendmail -- which is running on the gateway box itself -- to use the good provider when it tries to deliver mail. (If we use the crummy provider, too many others reject us as a likely spammer.)

I found plenty of docs that tell me what to do if Sendmail is running on a different box -- just select packets using iptables as they come in, fwmark them, and then use a routing rule to put them into the appropriate routing table. This is conceptually easy, because the packets would already have well-defined characteristics.

The problem is that Sendmail is running on the gateway itself. I don't know how to tell the system what to select. The packets won't have IP address or interface info yet, because they haven't gone through the kernel router yet. Right? And once they've gone through the kernel router, it's too late to try and pick the route they'll use. Right? Catch-22?

I can't bind Sendmail's outgoing SMTP client mailer to a specific interface, because it has to be able to forward mail on to inside systems, too.

I can think of all sorts of possible combinations of iptables options I might try (table, chain, interface, TCP port, etc.), but there are literally hundreds of permutations. Trial-and-error doesn't seem like a good way to do this. Especially since it's a production box. I tried a few ideas and got nowhere useful.

Does someone here already know the answer?

Environment:
- CentOS 5
- kernel 2.6.18-8.1.10.el5
- iptables 1.3.5-1.2.1
- iproute 2.6.18-4.el5
- Both feeds connect to the gateway with plain old IP-over-Ethernet
- Static IP addresses for both feeds
- LAN is NAT'ed and using a 10/8 private subnet
- Successfully using multiple routing tables, iptables, and/or interface-bindings to select route/feed for most services

advTHANKSance!
-- 
Ben

From sewlist at gmail.com Thu Oct 25 07:49:29 2007
From: sewlist at gmail.com (the sew)
Date: Thu Oct 25 07:49:36 2007
Subject: [LARTC] ADSL channel boding or Load balancing
In-Reply-To: <470E4CD0.7020505@riverviewtech.net>
References: <470E4CD0.7020505@riverviewtech.net>
Message-ID:

Hi Grant,

You were right, the usb modem method was just a way for me to see how usb modems work in linux, you basically add new firmware and load the driver and it sees your usb modem also as an ethernet device and you use pppd with that :-)

I'm trying your option below to get increased upload, but no luck yet.

From your ascii, mine looks similar:

[ASCII diagram, not recoverable from the archive: LAN ...0.x -- ...0.1 on the gateway, whose ...245.18 and ...245.19 links go to ...77.1 and ...78.1, then on to COLO and 101.x]

The background of how I got this setup is that 245.18 and 19 have pppoe into my ISP, then I made a pptp tunnel to COLO on 2 different ips and got my new ips which are 245.18 Ptp 77.1 and 245.19 Ptp 78.1.

All this works fine, I've even added multiple routes to 101.x via dev ppp0 nexthop dev ppp1, but this just load balances the links, not increase uploads.

Is it possible at all to route all upload via both links at the same time, maybe disable the cached routes, let it just change routes the whole time?
Thanks agian for your help Sew From rabbit+list at rabbit.us Thu Oct 25 11:09:11 2007 From: rabbit+list at rabbit.us (Peter Rabbitson) Date: Thu Oct 25 11:09:28 2007 Subject: [LARTC] One machine, two net feeds, outbound route selection In-Reply-To: <59f980d60710241725p5ca9cca2ueb5edc12675f62e3@mail.gmail.com> References: <59f980d60710241725p5ca9cca2ueb5edc12675f62e3@mail.gmail.com> Message-ID: <47205D37.8050806@rabbit.us> Ben Scott wrote: > > > I can't bind Sendmail's outgoing SMTP client mailer to a specific > interface, because it has to be able to forward mail on to inside > systems, too. > Of course you can. Remember that the kernel knows about both networks - the internal and external ones. Once you bind to the external IP, a packet destined to the inside would still be routed correctly, without regard to the source IP. From gtaylor at riverviewtech.net Thu Oct 25 16:38:48 2007 From: gtaylor at riverviewtech.net (Grant Taylor) Date: Thu Oct 25 16:38:19 2007 Subject: [LARTC] ADSL channel boding or Load balancing In-Reply-To: References: <470E4CD0.7020505@riverviewtech.net> Message-ID: <4720AA78.3010005@riverviewtech.net> On 10/25/07 00:49, the sew wrote: > You were right, the usb modem mehtod was just a way for me to see how > usb modems works in linux, u basicly add new firmware and load the > driver and it sees your usb modem also as a ethernet device and u use > pppd with that :-) *nod* That's the experience that I had too. I will say that I perceived performance to be a bit better with the USB ADSL modem than I did with external bridging modems. I attributed this perceived performance improvement to be related to more intelligent caching of data on the system with the IP stack with comparison to external modems that did not know if there would be any more packets coming or not thus the external would have to wait longer before transmitting packets. 
I have no numbers to back this up, but I did perceive a performance improvement both under Linux and Windows with my USB ADSL modem and under Windows with my PCI ADSL modem. > Im trying your option below to get increased upload, but no luck yet > > from your ascii , mine looks similar +-----------+ +---------+ +--------+ | ...245.18 +-----+ ...77.1 | +-------+ | ...0.x +-----+ ...0.1 | | COLO +-----+ 101.x | +--------+ | ...245.19 +-----+ ...78.1 | +-------+ +-----------+ +---------+ (Slight clean up.) > the background how I got this setup is that 245.18 and 19 has pppoe > into my ISP, then I made a pptp tunnel to COLO on 2 diffrent ips and > got my new ips which is 245.18 Ptp 77.1 and 245.19 Ptp 78.1. > > All this works fine, I've even add multiple routes to 101.x via dev > ppp0 nexthop dev ppp1, but this just load balances the links, not > increase uploads Where are you doing your NATing to the world? Are you NATing on your PPtP tunnels or on the COLO system? > Is it possible at all to route all upload via both links at the same > time, maybe disable the cached routes, let it just change routes the > whole time? If you are doing your NATing on the COLO system and you add two routes to your internal network via the two PPtP tunnels, you should be able to equal cost multipath route across both PPtP tunnels to achieve increased bandwidth. The key part is that both tunnels have to appear to the world as a single external IP. > Thanks agian for your help You are welcome. Grant. . . . From maillist1 at argontech.net Thu Oct 25 17:08:16 2007 From: maillist1 at argontech.net (Marco C. 
Coelho) Date: Thu Oct 25 16:58:30 2007 Subject: [LARTC] neighbor table overflow In-Reply-To: <471F6D74.7000607@zoomnet.ro> References: <471D1A44.40503@argontech.net> <471DE180.5040708@zoomnet.ro> <471E5A53.3000405@riverviewtech.net> <9295C708-B499-4D57-8AD4-D97EFDCC9405@crystalstudio.ca> <471E6348.5040404@argontech.net> <471F1C45.2010109@zoomnet.ro> <471F6277.2050300@argontech.net> <471F6D74.7000607@zoomnet.ro> Message-ID: <4720B160.6060602@argontech.net> Looking into it further an ip route shows: 64.0.0.0/8 via 64.202.224.1 dev eth0 proto zebra metric 20 equalize So the 64.0.0.0 announce is coming into this box through OSPF (zebra) The 169.254.0.0/16 is being automajically added through the sysconfig network scripts. I'm looking into why. In either case I still don't see why these entries would make the neighbor table overflow. Could it have been the previous fix to the hosts file? mc Alexandru Dragoi wrote: > Marco C. Coelho wrote: > >> the ip route with a grep for link returns: >> >> snip** too long >> 64.202.227.198 dev ppp436 proto kernel scope link src 10.20.1.1 >> 64.202.227.196 dev ppp421 proto kernel scope link src 10.20.1.1 >> 64.202.227.197 dev ppp211 proto kernel scope link src 10.20.0.1 >> 64.202.227.194 dev ppp13 proto kernel scope link src 10.20.1.1 >> 64.202.227.192 dev ppp404 proto kernel scope link src 10.20.1.1 >> 64.202.227.254 dev ppp194 proto kernel scope link src 10.20.1.1 >> 64.202.227.253 dev ppp130 proto kernel scope link src 10.20.1.1 >> 64.202.227.252 dev ppp243 proto kernel scope link src 10.20.1.1 >> 64.202.227.249 dev ppp195 proto kernel scope link src 10.20.1.1 >> 64.202.227.248 dev ppp254 proto kernel scope link src 10.20.1.1 >> 64.202.227.247 dev ppp235 proto kernel scope link src 10.20.1.1 >> 64.202.227.242 dev ppp78 proto kernel scope link src 10.20.1.1 >> 64.202.227.240 dev ppp328 proto kernel scope link src 10.20.1.1 >> 64.202.227.237 dev ppp44 proto kernel scope link src 10.20.1.1 >> 64.202.227.236 dev ppp122 proto kernel 
scope link src 10.20.1.1 >> 64.202.227.234 dev ppp316 proto kernel scope link src 10.20.1.1 >> 64.202.227.232 dev ppp132 proto kernel scope link src 10.20.1.1 >> 64.202.227.231 dev ppp104 proto kernel scope link src 10.20.0.1 >> 64.202.227.226 dev ppp179 proto kernel scope link src 10.20.0.1 >> 64.202.224.0/24 dev eth0 proto kernel scope link src 64.202.224.8 >> 192.168.1.0/24 dev eth3 proto kernel scope link src 192.168.1.8 >> 169.254.0.0/16 dev eth3 scope link >> > > The one above must be deleted, many redhat-like distros attach > 169.254.0.0/16. > >> All the pppoe terminations (pppd) are shown, as well as the last three >> subnets. I'll have to see where the 169.254.0.0/16 is coming from? >> >> mc >> >> >> >> >> Alexandru Dragoi wrote: >> >>> Marco C. Coelho wrote: >>> >>> >>>> This box is doing a lot. It terminates 1000 PPPoE connections, >>>> provides traffic shaping using TC/HTB, authenticates all users via >>>> Radius. It also runs OSPF routing for the internal network. Looking >>>> at a simple route output I see all the PPP connections coming through >>>> the box, and due to the OSPF I also see the rest of my network >>>> announcements. The only strange things are: >>>> >>>> 1. The last man working on this box had mistakenly edited the hosts >>>> file and added the machine name and complete domain name to the local >>>> host 127.0.0.1 name. It should only be pointed to the eth0 >>>> interface. I have changed this. >>>> >>>> 2. The route output is making an announcement >>>> >>>> 64.0.0.0 argontech.net 255.0.0.0 UG 20 >>>> 0 0 eth0 >>>> >>>> >>> This doesn't look dangerous for your problem, I was only talking about >>> directly connected networks: >>> >>> # ip route |grep link >>> >>> >>> >>>> My public IP space is a /20 within that space, not the whole Class A. >>>> I have not found which box is announcing this within my network yet. 
>>>> >>>> >>>> >>>> >>>> >>>> Jeff Welling wrote: >>>> >>>> >>>>>> On 10/23/07 06:56, Alexandru Dragoi wrote: >>>>>> >>>>>> >>>>>>> What about checking your routing table? you may have link routes >>>>>>> for massive subnets (like 85.0.0.0/8 or 140.20.0.0/16). Some >>>>>>> programs prefer to use "standard" netmask of classes A and B. >>>>>>> >>>>>>> >>>>>> I'm betting that the OP has other things going on seeing has how >>>>>> s/he mentioned PPPoE, which to my knowledge is a layer 2 protocol, >>>>>> and thus not subject to typical routing scenarios. In essence the >>>>>> OP could have thousands of PPPoE connections terminating on one >>>>>> system with the ARP cache having to deal with where to send traffic >>>>>> to which MAC address. There is not a lot of room for routing in such >>>>>> a scenario. >>>>>> >>>>>> >>>>>> >>>>> I agree with Peter's suggestion, arpd. I ran into the neighbor table >>>>> overflow problem recently, at the hands of our ISP. I was in the >>>>> process of recompiling the kernel and mucking with arpd (I couldn't >>>>> get it to run/start properly) when the problem disappeared as quickly >>>>> as it showed up. Lucky for me, this was some kind of ISP problem, I >>>>> was able to determine that much through `tcpdump -i X -n arpd`. >>>>> >>>>> My 'two cents' is that you try arpd, I did a bit of looking when I >>>>> came across that problem and it seemed to be the last ditch effort >>>>> when changing the gc threshold had no effect. Wasn't able to confirm >>>>> that it worked for sure though. >>>>> >>>>> Cheers. 
>>>>> _______________________________________________ >>>>> LARTC mailing list >>>>> LARTC@mailman.ds9a.nl >>>>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc >>>>> >>>> >>> >> > From mailvortex at gmail.com Thu Oct 25 17:39:28 2007 From: mailvortex at gmail.com (Ben Scott) Date: Thu Oct 25 17:39:34 2007 Subject: [LARTC] One machine, two net feeds, outbound route selection In-Reply-To: <47205D37.8050806@rabbit.us> References: <59f980d60710241725p5ca9cca2ueb5edc12675f62e3@mail.gmail.com> <47205D37.8050806@rabbit.us> Message-ID: <59f980d60710250839j117bddbhd521a264f7604fc4@mail.gmail.com> On 10/25/07, Peter Rabbitson wrote: >> I can't bind Sendmail's outgoing SMTP client mailer to a specific >> interface, because it has to be able to forward mail on to inside >> systems, too. > > Of course you can. Remember that the kernel knows about both networks ... Hmmm. You're right, of course. And even better, it worked when I tried it. ;) Thanks! Now, for the sake of knowledge, let us say that a piece of needed software didn't have an option to bind to a specific interface. Would it be possible to control the outgoing route/interface anyway, by using iptables or some other mechanism external to the software? For example, what if Sendmail didn't have a ClientPortOptions directive (heh, I know, use Postfix, but work with me here)?
And remember: This is for something running on the gateway, not forwarding packets received from another machine. :) (No, I don't presently have such a piece of software, but I'd like to know.) Thanks again, either way! -- Ben From alex at zoomnet.ro Thu Oct 25 18:30:52 2007 From: alex at zoomnet.ro (Alexandru Dragoi) Date: Thu Oct 25 18:31:19 2007 Subject: [LARTC] neighbor table overflow In-Reply-To: <4720B160.6060602@argontech.net> References: <471D1A44.40503@argontech.net> <471DE180.5040708@zoomnet.ro> <471E5A53.3000405@riverviewtech.net> <9295C708-B499-4D57-8AD4-D97EFDCC9405@crystalstudio.ca> <471E6348.5040404@argontech.net> <471F1C45.2010109@zoomnet.ro> <471F6277.2050300@argontech.net> <471F6D74.7000607@zoomnet.ro> <4720B160.6060602@argontech.net> Message-ID: <4720C4BC.4000606@zoomnet.ro> Marco C. Coelho wrote: > Looking into it further an ip route shows: > > 64.0.0.0/8 via 64.202.224.1 dev eth0 proto zebra metric 20 equalize This /8 doesn't affect the neighbor table. There must be a problem on the site that announces it. > > So the 64.0.0.0 announce is coming into this box through OSPF (zebra) > > The 169.254.0.0/16 is being automajically added through the sysconfig > network scripts. I'm looking into why. > > In either case I still don't see why these entries would make the > neighbor table overflow. Could it have been the previous fix to the > hosts file? Well, when somebody tries to make traffic with somebody from 169.254.0.0/16 through you, your server will ask for ARP on eth3, and most probably will record an entry in the ARP table. Viruses and others can make this worse. Another quick fix is to drop ARPs from/to 169.254.0.0/16 with arptables. > > mc > > Alexandru Dragoi wrote: >> Marco C.
Coelho wrote: >> >>> the ip route with a grep for link returns: >>> >>> snip** too long >>> 64.202.227.198 dev ppp436 proto kernel scope link src 10.20.1.1 >>> 64.202.227.196 dev ppp421 proto kernel scope link src 10.20.1.1 >>> 64.202.227.197 dev ppp211 proto kernel scope link src 10.20.0.1 >>> 64.202.227.194 dev ppp13 proto kernel scope link src 10.20.1.1 >>> 64.202.227.192 dev ppp404 proto kernel scope link src 10.20.1.1 >>> 64.202.227.254 dev ppp194 proto kernel scope link src 10.20.1.1 >>> 64.202.227.253 dev ppp130 proto kernel scope link src 10.20.1.1 >>> 64.202.227.252 dev ppp243 proto kernel scope link src 10.20.1.1 >>> 64.202.227.249 dev ppp195 proto kernel scope link src 10.20.1.1 >>> 64.202.227.248 dev ppp254 proto kernel scope link src 10.20.1.1 >>> 64.202.227.247 dev ppp235 proto kernel scope link src 10.20.1.1 >>> 64.202.227.242 dev ppp78 proto kernel scope link src 10.20.1.1 >>> 64.202.227.240 dev ppp328 proto kernel scope link src 10.20.1.1 >>> 64.202.227.237 dev ppp44 proto kernel scope link src 10.20.1.1 >>> 64.202.227.236 dev ppp122 proto kernel scope link src 10.20.1.1 >>> 64.202.227.234 dev ppp316 proto kernel scope link src 10.20.1.1 >>> 64.202.227.232 dev ppp132 proto kernel scope link src 10.20.1.1 >>> 64.202.227.231 dev ppp104 proto kernel scope link src 10.20.0.1 >>> 64.202.227.226 dev ppp179 proto kernel scope link src 10.20.0.1 >>> 64.202.224.0/24 dev eth0 proto kernel scope link src 64.202.224.8 >>> 192.168.1.0/24 dev eth3 proto kernel scope link src 192.168.1.8 >>> 169.254.0.0/16 dev eth3 scope link >>> >> >> The one above must be deleted, many redhat-like distros attach >> 169.254.0.0/16. >> >>> All the pppoe terminations (pppd) are shown, as well as the last three >>> subnets. I'll have to see where the 169.254.0.0/16 is coming from? >>> >>> mc >>> >>> >>> >>> >>> Alexandru Dragoi wrote: >>> >>>> Marco C. Coelho wrote: >>>> >>>> >>>>> This box is doing a lot. 
It terminates 1000 PPPoE connections, >>>>> provides traffic shaping using TC/HTB, authenticates all users via >>>>> Radius. It also runs OSPF routing for the internal network. Looking >>>>> at a simple route output I see all the PPP connections coming through >>>>> the box, and due to the OSPF I also see the rest of my network >>>>> announcements. The only strange things are: >>>>> >>>>> 1. The last man working on this box had mistakenly edited the hosts >>>>> file and added the machine name and complete domain name to the local >>>>> host 127.0.0.1 name. It should only be pointed to the eth0 >>>>> interface. I have changed this. >>>>> >>>>> 2. The route output is making an announcement >>>>> >>>>> 64.0.0.0 argontech.net 255.0.0.0 UG 20 >>>>> 0 0 eth0 >>>>> >>>>> >>>> This doesn't look dangerous for your problem, I was only talking about >>>> directly connected networks: >>>> >>>> # ip route |grep link >>>> >>>> >>>> >>>>> My public IP space is a /20 within that space, not the whole Class A. >>>>> I have not found which box is announcing this within my network yet. >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> Jeff Welling wrote: >>>>> >>>>> >>>>>>> On 10/23/07 06:56, Alexandru Dragoi wrote: >>>>>>> >>>>>>> >>>>>>>> What about checking your routing table? you may have link routes >>>>>>>> for massive subnets (like 85.0.0.0/8 or 140.20.0.0/16). Some >>>>>>>> programs prefer to use "standard" netmask of classes A and B. >>>>>>>> >>>>>>>> >>>>>>> I'm betting that the OP has other things going on seeing has how >>>>>>> s/he mentioned PPPoE, which to my knowledge is a layer 2 protocol, >>>>>>> and thus not subject to typical routing scenarios. In essence the >>>>>>> OP could have thousands of PPPoE connections terminating on one >>>>>>> system with the ARP cache having to deal with where to send traffic >>>>>>> to which MAC address. There is not a lot of room for routing in such >>>>>>> a scenario. >>>>>>> >>>>>>> >>>>>>> >>>>>> I agree with Peter's suggestion, arpd. 
I ran into the neighbor table >>>>>> overflow problem recently, at the hands of our ISP. I was in the >>>>>> process of recompiling the kernel and mucking with arpd (I couldn't >>>>>> get it to run/start properly) when the problem disappeared as quickly >>>>>> as it showed up. Lucky for me, this was some kind of ISP problem, I >>>>>> was able to determine that much through `tcpdump -i X -n arpd`. >>>>>> >>>>>> My 'two cents' is that you try arpd, I did a bit of looking when I >>>>>> came across that problem and it seemed to be the last ditch effort >>>>>> when changing the gc threshold had no effect. Wasn't able to confirm >>>>>> that it worked for sure though. >>>>>> >>>>>> Cheers. >>>>>> >>>>> >>>> >>> >> From wxu at max-t.com Thu Oct 25 18:38:11 2007 From: wxu at max-t.com (William Xu) Date: Thu Oct 25 18:41:34 2007 Subject: [LARTC] TC (HTB) doesn't work well when network is congested? Message-ID: <4720C673.7040900@max-t.com> Hi, I have a server and ten clients in a Gigabit network. The server has 125mbps network bandwidth. I want that the server has 40Mbps bandwidth reserved for client 1 (IP 192.168.5.141), and the rest bandwidth is for all other clients.
My script looks like this (I use IFB for incoming traffic):

#!/bin/bash
export TC="/sbin/tc"
# ifb0 must already exist and be up (modprobe ifb; ip link set dev ifb0 up)
# before the lines below run. Note that in tc "mbps" means megaBYTES per
# second (125mbps = 1000 Mbit); "mbit" is megabits.

# Ingress (traffic from the clients), shaped on ifb0
$TC qdisc add dev ifb0 root handle 1: htb default 30 r2q 100
$TC class add dev ifb0 parent 1:0 classid 1:1 htb rate 125mbps mtu 9000
$TC class add dev ifb0 parent 1:1 classid 1:10 htb rate 40mbps ceil 125mbps mtu 9000 prio 0
$TC class add dev ifb0 parent 1:1 classid 1:30 htb rate 85mbps ceil 125mbps mtu 9000 prio 1
$TC filter add dev ifb0 parent 1: protocol ip prio 1 u32 match ip src 192.168.5.141/32 flowid 1:10

# Redirect everything arriving on eth2 to ifb0
$TC qdisc add dev eth2 ingress
$TC filter add dev eth2 parent ffff: protocol ip prio 1 u32 \
    match u32 0 0 flowid 1:1 \
    action mirred egress redirect dev ifb0

# Egress (traffic to the clients), shaped on eth2
$TC qdisc add dev eth2 root handle 1: htb default 30 r2q 100
$TC class add dev eth2 parent 1: classid 1:1 htb rate 125mbps mtu 9000
$TC class add dev eth2 parent 1:1 classid 1:10 htb rate 40mbps ceil 125mbps mtu 9000 prio 0
$TC class add dev eth2 parent 1:1 classid 1:30 htb rate 85mbps ceil 125mbps mtu 9000 prio 1
$TC filter add dev eth2 parent 1: protocol ip prio 1 u32 match ip dst 192.168.5.141/32 classid 1:10

I ran a test in which all 10 clients send/receive packets to/from the server simultaneously. But Client 1 only got 20mbps bandwidth for sending, and 38mbps for receiving. If I limit the rate of both classes 1:1 to 60mbps instead of 125mbps, Client 1 got 39mbps for sending, and 40mbps for receiving. I am not sure what might cause this. Is it because TC doesn't work well when the network is congested? Or is my script not right?
Thanks a lot, william From rabbit+list at rabbit.us Thu Oct 25 19:03:48 2007 From: rabbit+list at rabbit.us (Peter Rabbitson) Date: Thu Oct 25 19:03:59 2007 Subject: [LARTC] One machine, two net feeds, outbound route selection In-Reply-To: <59f980d60710250839j117bddbhd521a264f7604fc4@mail.gmail.com> References: <59f980d60710241725p5ca9cca2ueb5edc12675f62e3@mail.gmail.com> <47205D37.8050806@rabbit.us> <59f980d60710250839j117bddbhd521a264f7604fc4@mail.gmail.com> Message-ID: <4720CC74.2090102@rabbit.us> Ben Scott wrote: > Now, for the sake of knowledge, let us say that a piece of needed > software didn't have an option to bind to a specific interface. Would > it be possible to control the outgoing route/interface anyway, by > using iptables or some other mechanism external to the software? For > example, what if Sendmail didn't have a ClientPortOptions directive > (heh, I know, use Postfix, but work with me here)? > Unfortunately not easy without doing local NAT (from the local interface to another local interface). The problem lies in how the kernel sends packets without a specified source. I wrote an explanation some time ago: http://mailman.ds9a.nl/pipermail/lartc/2007q2/020941.html From rabbit+list at rabbit.us Thu Oct 25 19:22:09 2007 From: rabbit+list at rabbit.us (Peter Rabbitson) Date: Thu Oct 25 19:22:22 2007 Subject: [LARTC] TC (HTB) doesn't work well when network is congested? In-Reply-To: <4720C673.7040900@max-t.com> References: <4720C673.7040900@max-t.com> Message-ID: <4720D0C1.3040309@rabbit.us> William Xu wrote: > Hi, > > I have a server and ten clients in a Gigabit network. The server has > 125mbps network bandwidth. > I want that the server has 40Mbps bandwidth reserved for client 1 (IP > 192.168.5.141), and the > rest bandwidth is for all other clients. > > > > I ran a test in which all 10 clients send/receive packets to/from the > server simultaneously. But > Client 1 only got 20mbps bandwidth for sending, and 38mpbs for > receiving. 
If I limit the rate of > both classes 1:1 to 60mbps instead of 125mbps, Client 1 got 39mbps for > sending, and 40mbps for > receiving. > > I am not sure what might cause this. Is it because TC doesn't work well > when network is congested? > Or my script is not right? > No network will be able to operate at its theoretical maximum. In the case of a gigabit network you will be lucky to get consistent 120mbps, and it heavily depends on the hardware quality, and the number of switches in between. So what you are doing is oversaturating the link, the ACK packets can not get through, your speed drops due to delays/retransmissions. Perform a test with only two systems sending stuff to each other to see what is the actual bandwidth you can hope for, and use that number instead of 125mbps. From chloekcy2000 at yahoo.ca Thu Oct 25 19:59:16 2007 From: chloekcy2000 at yahoo.ca (chloe K) Date: Thu Oct 25 19:59:23 2007 Subject: [LARTC] network question Message-ID: <319402.61791.qm@web57411.mail.re1.yahoo.com> Hi all, I have the following network questions and want you to help. 1/ I got "RX FCSErrors 6" from the switch (router ---link--switch----host). How can I determine whether it is a host issue or a router issue? 2/ When I use my Linux as a router with iptables, do I need to set net.ipv4.tcp_timestamps=0? What parameters in the kernel do I need to set in a Linux router to have good performance? 3/ What is the best way to capture data for audit later, as I sometimes get a bandwidth drop in the MRTG graph? Now I only capture load from top and netstat -i every minute in a cronjob. Thank you for your help
From mailvortex at gmail.com Thu Oct 25 20:00:14 2007 From: mailvortex at gmail.com (Ben Scott) Date: Thu Oct 25 20:00:21 2007 Subject: [LARTC] One machine, two net feeds, outbound route selection In-Reply-To: <4720CC74.2090102@rabbit.us> References: <59f980d60710241725p5ca9cca2ueb5edc12675f62e3@mail.gmail.com> <47205D37.8050806@rabbit.us> <59f980d60710250839j117bddbhd521a264f7604fc4@mail.gmail.com> <4720CC74.2090102@rabbit.us> Message-ID: <59f980d60710251100j630039b5k9f9cfc7421298733@mail.gmail.com> On 10/25/07, Peter Rabbitson wrote: > Unfortunately not easy without doing local NAT (from the local interface > to another local interface). I thought that might be the case. I even started to write a rule about how the NAT might work... but then I ran into brain pain trying to figure out how, because I didn't know when the packets get what address/interface info assigned to them, and I didn't know how SNAT would interact with the routing tables. Normally, I do SNAT in the POSTROUTING chain, but by then the routing rules have already run, right? So the packet would still be bound for the wrong interface, even if the source address is translated. No? In other words, let's say $DEF_ADDR is the IP address of the interface that is going to be picked by the default routing table, but I really want the packets to go out the $ALT_ADDR interface. So I try this:

iptables -t nat -A POSTROUTING -s $DEF_ADDR -p tcp --dport smtp -j SNAT --to $ALT_ADDR

But the whole point of changing the source address/interface is to influence which routing rules match, and those have already been applied by the time the packet traverses the POSTROUTING chain, right? In any event, that didn't work. So then I thought, well, maybe I can do SNAT in the PREROUTING chain for this? But in that case, the kernel won't have assigned it an address yet, right? So there's nothing to SNAT.
And I can't do "-s 0/0" because that actually means "match all packets", right? So then I thought, well, maybe I can mark the packet in the OUTPUT chain of the mangle table, and match that in the routing rules, and *also* match that in the POSTROUTING chain:

iptables -t mangle -A OUTPUT -s $DEF_ADDR -p tcp --dport smtp -j MARK --set-mark 42
ip rule add fwmark 42 table 42
iptables -t nat -A POSTROUTING -m mark --mark 42 -j SNAT --to-source $ALT_ADDR

I think I tried that and it didn't work either. It was getting late and my maintenance window was closing and my brain hurt. If this is just one of those "you can't do that" situations, I'm willing to accept that answer. But if there is a way, I'd like to know what it is. :) -- Ben From sewlist at gmail.com Thu Oct 25 20:06:00 2007 From: sewlist at gmail.com (the sew) Date: Thu Oct 25 20:06:05 2007 Subject: [LARTC] ADSL channel boding or Load balancing In-Reply-To: <4720AA78.3010005@riverviewtech.net> References: <470E4CD0.7020505@riverviewtech.net> <4720AA78.3010005@riverviewtech.net> Message-ID:

               +-----------+     +---------+
+--------+     | ...245.18 +-----+ ...77.1 |     +-------+
| ...0.x +-----+ ...0.1    |     | COLO    +-----+ 101.x |
+--------+     | ...245.19 +-----+ ...78.1 |     +-------+
               +-----------+     +---------+

> > (Slight clean up.) > > > Where are you doing your NATing to the world? Are you NATing on your > PPtP tunnels or on the COLO system? Currently I'm natting on 0.1 ( -o ppp+ -j MASQUERADE ) , This was setup by default as I did not want 0.x to be routed.
I've however taken off the NATing, and added a route for 0.20/32 dev ppp62 nexthop dev ppp32 (the 2 VPN interfaces) at COLO, and obviously the same nexthop routes at 0.1 for 101.x. Testing from 0.20, I scp a tar file over to 101.20; it still goes via one line at a time. The route cache, which I disabled, just reroutes it the whole time (about every 5 sec) via the different uplink, but not to the result we want. I use sysstat to check the speeds and tcpdump verified it's from 0.20 -> 101.20 ssh. > > If you are doing your NATing on the COLO system and you add two routes > to your internal network via the two PPtP tunnels, you should be able to > equal cost multipath route across both PPtP tunnels to achieve increased > bandwidth. The key part is that both tunnels have to appear to the > world as a single external IP. I understand now very clearly the key part. My problem must be the tunnel; I'm sure I'm messing up the equal cost multipath routing. Am I using the right utility? Still iproute2, right, or is iptables gonna play a big part here as well? S From wxu at max-t.com Thu Oct 25 20:20:43 2007 From: wxu at max-t.com (William Xu) Date: Thu Oct 25 20:23:55 2007 Subject: [LARTC] TC (HTB) doesn't work well when network is congested? In-Reply-To: <4720D0C1.3040309@rabbit.us> References: <4720C673.7040900@max-t.com> <4720D0C1.3040309@rabbit.us> Message-ID: <4720DE7B.10404@max-t.com> Thanks, Peter. So what you mean is that network congestion caused my problem. I tested the bandwidth between client1 and server using iperf; SEND and RECV are both 122MB/s.
I tried different values for the total bandwidth, and I got the following numbers:

total bandwidth   client1 SEND   client1 RECV
120MB/s           10MB/s         39MB/s
110MB/s           16MB/s         40MB/s
100MB/s           30MB/s         38MB/s
 90MB/s           39MB/s         40MB/s
 80MB/s           39MB/s         40MB/s
 70MB/s           40MB/s         40MB/s
 60MB/s           40MB/s         40MB/s

So TC works well as long as the total bandwidth is below 90MB/s, which is about 70% of the wire speed. Is it possible that I can use the full bandwidth (122MB/s) in my script? william Peter Rabbitson wrote: > William Xu wrote: > >> Hi, >> >> I have a server and ten clients in a Gigabit network. The server has >> 125mbps network bandwidth. >> I want that the server has 40Mbps bandwidth reserved for client 1 (IP >> 192.168.5.141), and the >> rest bandwidth is for all other clients. >> >> >> >> I ran a test in which all 10 clients send/receive packets to/from the >> server simultaneously. But >> Client 1 only got 20mbps bandwidth for sending, and 38mpbs for >> receiving. If I limit the rate of >> both classes 1:1 to 60mbps instead of 125mbps, Client 1 got 39mbps >> for sending, and 40mbps for >> receiving. >> >> I am not sure what might cause this. Is it because TC doesn't work >> well when network is congested? >> Or my script is not right? >> > > No network will be able to operate at its theoretical maximum. In the > case of a gigabit network you will be lucky to get consistent 120mbps, > and it heavily depends on the hardware quality, and the number of > switches in between. So what you are doing is oversaturating the link, > the ACK packets can not get through, your speed drops due to > delays/retransmissions. Perform a test with only two systems sending > stuff to each other to see what is the actual bandwidth you can hope > for, and use that number instead of 125mbps.
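Added example, not code from William's or Peter's messages: a POSIX shell script that builds the same two-class HTB tree as the script in the thread, but derives the rates from the capacity actually measured with iperf (the 122MB/s above) minus a safety margin, instead of from the nominal 125mbps, so that the shaper on this box, not the NIC or the switch, is where packets queue. It also keeps the tc unit conversion explicit: tc's "mbps" is megabytes per second in decimal units (1 mbps = 8000 kbit), which is why "rate 40mbps" is printed back as "rate 320000Kbit" later in the thread. The interface names, the client address, the 90% margin and the DRY_RUN switch are assumptions for the example; with DRY_RUN unset it executes the tc commands, which needs root and an ifb0 that has already been created and brought up.

```shell
#!/bin/sh
# Added example (not the thread's script): plan an HTB tree from a MEASURED
# capacity minus a margin, then emit or execute the tc commands.
# Unit note: tc's "mbps" is megaBYTES/s and tc counts in decimal units,
# so 1 mbps = 8000 kbit ("rate 40mbps" is shown back as "rate 320000Kbit").
# Interface names, client address, margin and DRY_RUN are assumptions.
set -eu

# MB/s -> kbit/s in tc's decimal units.
mb_to_kbit() { echo $(( $1 * 8000 )); }

# plan_htb MEASURED_MB RESERVED_MB MARGIN_PCT -> "root reserved rest" (kbit)
# The root rate is MARGIN_PCT of what iperf measured between two hosts;
# the reserved class must fit under it; the rest is what everyone else gets.
plan_htb() {
    measured=$(mb_to_kbit "$1")
    reserved=$(mb_to_kbit "$2")
    root=$(( measured * $3 / 100 ))
    if [ "$reserved" -gt "$root" ]; then
        echo "plan_htb: reserved ${reserved}kbit exceeds shaped root ${root}kbit" >&2
        return 1
    fi
    echo "$root $reserved $(( root - reserved ))"
}

# Execute the command, or only print it when DRY_RUN is set.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# build_htb DEV IFB CLIENT_IP MEASURED_MB RESERVED_MB MARGIN_PCT
# Egress tree on DEV (match on dst) and ingress tree on IFB (match on src),
# the latter fed by a mirred redirect, the same shape as in the thread.
build_htb() {
    dev=$1 ifb=$2 client=$3
    set -- $(plan_htb "$4" "$5" "$6")
    [ $# -eq 3 ] || return 1
    root=$1 reserved=$2 rest=$3
    for d in "$dev" "$ifb"; do
        case $d in "$dev") key=dst ;; *) key=src ;; esac
        run tc qdisc add dev "$d" root handle 1: htb default 30 r2q 100
        run tc class add dev "$d" parent 1: classid 1:1 htb rate "${root}kbit"
        run tc class add dev "$d" parent 1:1 classid 1:10 htb rate "${reserved}kbit" ceil "${root}kbit" prio 0
        run tc class add dev "$d" parent 1:1 classid 1:30 htb rate "${rest}kbit" ceil "${root}kbit" prio 1
        run tc filter add dev "$d" parent 1: protocol ip prio 1 u32 match ip "$key" "$client/32" flowid 1:10
    done
    # Everything arriving on DEV is handed to IFB's egress path for shaping.
    run tc qdisc add dev "$dev" ingress
    run tc filter add dev "$dev" parent ffff: protocol ip prio 1 u32 match u32 0 0 \
        action mirred egress redirect dev "$ifb"
}

# Stand-alone dry run with the thread's numbers: 122 MB/s measured,
# 40 MB/s reserved for 192.168.5.141, 10% headroom.  Usage: sh this.sh dry
if [ "${1:-}" = "dry" ]; then
    DRY_RUN=1 build_htb eth2 ifb0 192.168.5.141 122 40 90
fi
```

Once the tree is loaded, `tc -s -d class show dev eth2` (and `dev ifb0`) is the check: as long as the root class is below what the path can carry, the `dropped`/`overlimits` counters on the child classes are where contention shows up; if the link itself is the bottleneck, the counters stay flat while throughput still collapses, which is the symptom reported above.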
From mail2shashank at gmail.com Thu Oct 25 20:44:19 2007 From: mail2shashank at gmail.com (Shashank Sharma) Date: Thu Oct 25 20:44:29 2007 Subject: [LARTC] unregister me from this site Message-ID: -- Shashank Sharma, M.Tech (Microelectronics System & Embedded Technology) Contact no. : 9899912081 From rabbit+list at rabbit.us Thu Oct 25 23:13:28 2007 From: rabbit+list at rabbit.us (Peter Rabbitson) Date: Thu Oct 25 23:13:38 2007 Subject: [LARTC] TC (HTB) doesn't work well when network is congested? In-Reply-To: <4720DE7B.10404@max-t.com> References: <4720C673.7040900@max-t.com> <4720D0C1.3040309@rabbit.us> <4720DE7B.10404@max-t.com> Message-ID: <472106F8.1080808@rabbit.us> William Xu wrote: > So TC works well as long as total bandwidth is below 90MB/s, which is > about 70% of the > wire speed. Is it possible that I can use the full bandwidth (122MB/s) > in my script?
>
In order to troubleshoot further, more info is needed:

1) execute your script with 120MB/s as limit
2) perform a test transfer for several minutes
3) post back the output of the following commands:
   ip link show
   tc qdisc show
   tc -s -d class show dev ifb0
   tc -s -d class show dev eth2

Peter From alex at samad.com.au Thu Oct 25 23:16:13 2007 From: alex at samad.com.au (Alex Samad) Date: Thu Oct 25 23:16:26 2007 Subject: [LARTC] One machine, two net feeds, outbound route selection In-Reply-To: <59f980d60710251100j630039b5k9f9cfc7421298733@mail.gmail.com> References: <59f980d60710241725p5ca9cca2ueb5edc12675f62e3@mail.gmail.com> <47205D37.8050806@rabbit.us> <59f980d60710250839j117bddbhd521a264f7604fc4@mail.gmail.com> <4720CC74.2090102@rabbit.us> <59f980d60710251100j630039b5k9f9cfc7421298733@mail.gmail.com> Message-ID: <20071025211613.GP26246@samad.com.au> On Thu, Oct 25, 2007 at 02:00:14PM -0400, Ben Scott wrote: > On 10/25/07, Peter Rabbitson wrote: > > Unfortunately not easy without doing local NAT (from the local interface > > to another local interface). Can you use marking: mark the packet in the mangle table, use iptables to select which packets, and then use ip rules (fwmark -> routing table)? (Sorry about the syntax.) > > I thought that might be the case. I even started to write a rule > about how the NAT might work... but then I ran into brain pain trying > to figure out how, because I didn't know when the packets get what > address/interface info assigned to them, and I didn't know how SNAT > would interact with the routing tables. Normally, I do SNAT in the > POSTROUTING chain, but by then the routing rules have already run, > right? So the packet would still be bound for the wrong interface, > even if the source address is translated. No? > > In other words, let's say $DEF_ADDR is the IP address of the > interface that is going to be picked by the default routing table, but > I really want the packets to go out the $ALT_ADDR interface.
So I try > this: > > iptables -t nat -A POSTROUTING -s $DEF_ADDR -p tcp --dport smtp -j > SNAT --to $ALT_ADDR > > But the whole point of changing the source address/interface is to > influence which routing rules match, and those have already been > applied by the time the packet traverses the POSTROUTING chain, > right? In any event, that didn't work. > > So then I thought, well, maybe I can do SNAT in the PREROUTING chain > for this? But in that case, the kernel won't have assigned it an > address yet, right? So there's nothing to SNAT. And I can't do "-s > 0/0" because that actually means "match all packets", right? > > So then I thought, well, maybe I can mark the packet in the OUTPUT > chain of the mangle table, and match that in the routing rules, and > *also* match that in the POSTROUTING chain: > > iptables -t mangle -A OUTPUT -s $DEF_ADDR -p tcp --dport smtp -j MARK > --set-mark 42 > ip rule add fwmark 42 table 42 > iptables -t nat -A POSTROUTING -m mark --mark 42 -j SNAT --to-source $ALT_ADDR > > I think I tried that and it didn't work either. It was getting late > and my maintenance window was closing and my brain hurt. > > If this is just one of those "you can't do that" situations, I'm > willing to accept that answer. But if there is a way, I'd like to > know what it is. :) > > -- Ben
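Added example, not code from Ben's, Alex's or Peter's messages: a POSIX shell function that implements the mark-and-rule approach Alex describes for locally generated traffic, together with the SNAT Peter says is needed, using only mainline iproute2 and iptables (the ROUTE target Peter points to later in the thread was a patch-o-matic netfilter extension and was never merged into mainline). Ben's posted rules do not show what is in table 42 or how reverse-path filtering is set; this version populates the table with a default route via the alternate uplink and loosens rp_filter on that interface, because the replies come back on an interface the main table would not pick for that peer. All addresses, interface names, the table/mark numbers and the DRY_RUN switch are assumptions for the example.

```shell
#!/bin/sh
# Added example (not code from the thread): send locally generated SMTP out
# of the non-default uplink with a firewall mark, a second routing table and
# a conntrack SNAT. Addresses, interface names, table/mark numbers and the
# DRY_RUN switch are assumptions.
#
# Why each piece is needed (Linux behaviour, independent of this script):
#  - a locally generated packet is routed, and gets its source address,
#    BEFORE the mangle OUTPUT chain runs;
#  - if mangle OUTPUT changes the mark, the kernel re-routes the packet, so
#    an "ip rule ... fwmark" can move it to a table whose default route
#    leaves via the alternate interface;
#  - the re-route does not change the source address, hence the SNAT in
#    nat POSTROUTING; conntrack reverses it for the replies.
set -eu

# Execute the command, or only print it when DRY_RUN is set.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# policy_route DEF_ADDR ALT_ADDR ALT_GW ALT_IF TABLE MARK DPORT
policy_route() {
    def_addr=$1 alt_addr=$2 alt_gw=$3 alt_if=$4 table=$5 mark=$6 dport=$7

    # The alternate table: its default route is the second uplink.
    run ip route replace default via "$alt_gw" dev "$alt_if" table "$table"
    # Marked packets, and anything already sourced from ALT_ADDR, use it.
    run ip rule add fwmark "$mark" table "$table" pref 100
    run ip rule add from "$alt_addr" table "$table" pref 101

    # Restore a per-connection mark first so every packet of a flow is
    # treated alike; mark NEW flows from DEF_ADDR to DPORT; save the mark.
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -s "$def_addr" -p tcp --dport "$dport" \
        -m conntrack --ctstate NEW -j MARK --set-mark "$mark"
    run iptables -t mangle -A OUTPUT -m mark --mark "$mark" -j CONNMARK --save-mark

    # Rewrite the source so the peer replies to the alternate uplink.
    run iptables -t nat -A POSTROUTING -o "$alt_if" -m mark --mark "$mark" \
        -j SNAT --to-source "$alt_addr"

    # Replies arrive on ALT_IF from peers the main table reaches elsewhere;
    # strict reverse-path filtering (1) drops them, loose (2) accepts them
    # (the kernel applies the higher of conf/all and conf/ALT_IF).
    run sysctl -w "net.ipv4.conf.$alt_if.rp_filter=2"
}

# Stand-alone dry run with sample (assumed) values: default address
# 192.0.2.10, alternate uplink 198.51.100.10 on eth1 via 198.51.100.1,
# table and mark 42, port 25.  Usage: sh this.sh dry
if [ "${1:-}" = "dry" ]; then
    DRY_RUN=1 policy_route 192.0.2.10 198.51.100.10 198.51.100.1 eth1 42 42 25
fi
```

To confirm the routing half without sending mail, `ip route get <peer> mark 42` (iproute2's `route get` accepts a mark) should name ALT_IF; the NAT half shows up as a translated entry in `conntrack -L` once a connection to port 25 is opened. Running the function with DRY_RUN=1 first and diffing the printed commands against the intended design is the cheap check before touching a production gateway.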
From rabbit+list at rabbit.us Thu Oct 25 23:25:00 2007 From: rabbit+list at rabbit.us (Peter Rabbitson) Date: Thu Oct 25 23:25:06 2007 Subject: [LARTC] One machine, two net feeds, outbound route selection In-Reply-To: <59f980d60710251100j630039b5k9f9cfc7421298733@mail.gmail.com> References: <59f980d60710241725p5ca9cca2ueb5edc12675f62e3@mail.gmail.com> <47205D37.8050806@rabbit.us> <59f980d60710250839j117bddbhd521a264f7604fc4@mail.gmail.com> <4720CC74.2090102@rabbit.us> <59f980d60710251100j630039b5k9f9cfc7421298733@mail.gmail.com> Message-ID: <472109AC.8040803@rabbit.us> Ben Scott wrote: > On 10/25/07, Peter Rabbitson wrote: >> Unfortunately not easy without doing local NAT (from the local interface >> to another local interface). > > I thought that might be the case. I even started to write a rule > about how the NAT might work... but then I ran into brain pain trying > to figure out how, because I didn't know when the packets get what > address/interface info assigned to them, and I didn't know how SNAT > would interact with the routing tables. Normally, I do SNAT in the > POSTROUTING chain, but by then the routing rules have already run, > right? So the packet would still be bound for the wrong interface, > even if the source address is translated. No? > I was not thorough enough. The NAT is necessary in order to make the packet come back through the link/interface you want (because as I noted previously you do not have control over the choice of a source address). Once this is out of the way the only problem is how to make an already routed packet leave via a different interface.
One way to do this is the ROUTE target: http://netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-4.html#ss4.5 There might also be other ways to do this, but I never investigated, as this is a mostly theoretical exercise. Peter From peet at altlinux.org Fri Oct 26 00:36:19 2007 From: peet at altlinux.org (Peter V. Saveliev) Date: Fri Oct 26 00:36:27 2007 Subject: [LARTC] ncsh: docs + news Message-ID: <200710260236.19341.peet@altlinux.org> ... Not so long ago there was a mail about distros. I made packages of ipp2p and l7-filter for the ALT Linux Sisyphus repository -- so, now there is one more PC-oriented distro with both these tools. ... About ncsh: * new docs: http://www.radlinux.org/docs/static/en/ncsh_usecases.html (not proofread yet, I'll send it to Mohan with the next mail) * new capability: l7-filter frontend An l7-filter usage example:

! configure network interfaces ethernet 0
! address 10.0.0.1/24
! egress htb
! class 1 rate 100Mbit
! class 2 match l7 edonkey match l7 ftp match l7 socks rate 16Kbit
! default 1 rate 100Mbit

l7 support in connexion requires a trivial patch on l7-filter, which can be found in the download area along with connexion snapshots: http://www.radlinux.org/download/ ... Any comments/wishes -- welcome. -- Peter V. Saveliev From gtaylor at riverviewtech.net Fri Oct 26 04:11:50 2007 From: gtaylor at riverviewtech.net (Grant Taylor) Date: Fri Oct 26 04:12:02 2007 Subject: [LARTC] ADSL channel boding or Load balancing In-Reply-To: References: <470E4CD0.7020505@riverviewtech.net> <4720AA78.3010005@riverviewtech.net> Message-ID: <47214CE6.60005@riverviewtech.net> On 10/25/2007 1:06 PM, the sew wrote

>                +-----------+     +---------+
> +--------+     | ...245.18 +-----+ ...77.1 |     +-------+
> | ...0.x +-----+ ...0.1    |     | COLO    +-----+ 101.x |
> +--------+     | ...245.19 +-----+ ...78.1 |     +-------+
>                +-----------+     +---------+
>
> Currently I'm natting on 0.1 ( -o ppp+ -j MASQUERADE ) , This was > setup by default as I did not want 0.x to be routed.
I've however > taken off the NATing, and added a route for 0.20/32 dev ppp62 > nexthop dev ppp32 (the 2 VPN interfaces) at COLO and obviously the same > nexthop routes at 0.1 for 101.x Ok, good. The NATing at 0.1 was part of the problem. > Testing from 0.20, I scp a tar file over to 101.20; it still goes via > one line at a time. The route cache, which I disabled, just reroutes it > the whole time (about every 5 sec) via the different uplink, but not > to the result we want. Hum. I would question the routes then. > I use sysstat to check the speeds and tcpdump verified it's from > 0.20 -> 101.20 ssh Ok. > I understand now very clearly the key part. > > My problem must be the tunnel; I'm sure I'm messing up the equal cost > multipath routing. Am I using the right utility? Still iproute2, > right, or is iptables gonna play a big part here as well? To the best of my knowledge you will still be using the "ip" command from iproute2. Will you please show us your routing table and / or the ip route command you are using to set up your ecmp route? Grant. . . . From wxu at max-t.com Fri Oct 26 15:44:11 2007 From: wxu at max-t.com (William Xu) Date: Fri Oct 26 15:47:24 2007 Subject: [LARTC] TC (HTB) doesn't work well when network is congested? In-Reply-To: <472106F8.1080808@rabbit.us> References: <4720C673.7040900@max-t.com> <4720D0C1.3040309@rabbit.us> <4720DE7B.10404@max-t.com> <472106F8.1080808@rabbit.us> Message-ID: <4721EF2B.7020708@max-t.com> Hi Peter, thanks for looking at this. Here is the information I got after running the tests. Client1 got 7MB/s instead of 40MB/s for SEND, and 40MB/s for RECV during the test. Thanks, william # ip link show ... 5: eth2: mtu 9000 qdisc htb qlen 1000 link/ether 00:e0:ed:04:9f:a2 brd ff:ff:ff:ff:ff:ff ...
12: ifb0: mtu 9000 qdisc htb qlen 32
    link/ether f2:f2:77:f9:cf:30 brd ff:ff:ff:ff:ff:ff

#tc qdisc show
qdisc pfifo_fast 0: dev eth0 root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
qdisc ingress ffff: dev eth2 ----------------
qdisc htb 1: dev eth2 r2q 100 default 30 direct_packets_stat 0
qdisc pfifo_fast 0: dev eth3 root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
qdisc pfifo_fast 0: dev eth4 root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
qdisc pfifo_fast 0: dev eth5 root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
qdisc pfifo_fast 0: dev eth6 root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
qdisc pfifo_fast 0: dev eth7 root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
qdisc pfifo_fast 0: dev eth8 root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
qdisc htb 1: dev ifb0 r2q 100 default 30 direct_packets_stat 0

#tc -s -d class show dev ifb0
class htb 1:10 parent 1:1 prio 0 quantum 200000 rate 320000Kbit ceil 960000Kbit burst 169000b/64 mpu 0b overhead 0b cburst 489000b/64 mpu 0b overhead 0b level 0
 Sent 2366125838 bytes 928639 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 925807 borrowed: 2832 giants: 0
 tokens: 4224 ctokens: 4075

class htb 1:1 root rate 960000Kbit ceil 960000Kbit burst 489000b/64 mpu 0b overhead 0b cburst 489000b/64 mpu 0b overhead 0b level 7
 Sent 36927678674 bytes 6132723 pkt (dropped 0, overlimits 0 requeues 0)
 rate 2672bit 1pps backlog 0b 0p requeues 0
 lended: 1131873 borrowed: 0 giants: 0
 tokens: 4074 ctokens: 4074

class htb 1:30 parent 1:1 prio 1 quantum 200000 rate 640000Kbit ceil 960000Kbit burst 328960b/64 mpu 0b overhead 0b cburst 489000b/64 mpu 0b overhead 0b level 0
 Sent 34561552836 bytes 5204084 pkt (dropped 44, overlimits 0 requeues 0)
 rate 528bit 0pps backlog 0b 0p requeues 0
 lended: 4075043 borrowed: 1129041 giants: 0
 tokens: 4108 ctokens: 4074

#tc -s -d class show dev eth2
class htb 1:10 parent 1:1 prio 0 quantum 200000 rate 320000Kbit ceil 960000Kbit burst 169000b/64 mpu 0b overhead 0b cburst 489000b/64 mpu 0b overhead 0b level 0
 Sent 12092794712 bytes 1544210 pkt (dropped 0, overlimits 0 requeues 0)
 rate 56bit 0pps backlog 0b 0p requeues 0
 lended: 1543687 borrowed: 523 giants: 0
 tokens: 4224 ctokens: 4075

class htb 1:1 root rate 960000Kbit ceil 960000Kbit burst 489000b/64 mpu 0b overhead 0b cburst 489000b/64 mpu 0b overhead 0b level 7
 Sent 36872760531 bytes 7346321 pkt (dropped 0, overlimits 0 requeues 0)
 rate 288bit 0pps backlog 0b 0p requeues 0
 lended: 40477 borrowed: 0 giants: 0
 tokens: 4073 ctokens: 4073

class htb 1:30 parent 1:1 prio 1 quantum 200000 rate 640000Kbit ceil 960000Kbit burst 328960b/64 mpu 0b overhead 0b cburst 489000b/64 mpu 0b overhead 0b level 0
 Sent 24779965819 bytes 5802111 pkt (dropped 0, overlimits 0 requeues 0)
 rate 176bit 0pps backlog 0b 0p requeues 0
 lended: 5762157 borrowed: 39954 giants: 0
 tokens: 4109 ctokens: 4073

Peter Rabbitson wrote: > William Xu wrote: > >> So TC works well as long as total bandwidth is below 90MB/s, which is >> about 70% of the >> wire speed. Is it possible that I can use the full bandwidth >> (122MB/s) in my script? >> > > In order to troubleshoot further more info is needed: > > 1) execute your script with 120MB/s as limit > 2) perform a test transfer for several minutes > 3) post back the output of the following commands: > ip link show > tc qdisc show > tc -s -d class show dev ifb0 > tc -s -d class show dev eth2 > > > Peter From rabbit+list at rabbit.us Sat Oct 27 00:39:58 2007 From: rabbit+list at rabbit.us (Peter Rabbitson) Date: Sat Oct 27 00:40:12 2007 Subject: [LARTC] TC (HTB) doesn't work well when network is congested? In-Reply-To: <4721EF2B.7020708@max-t.com> References: <4720C673.7040900@max-t.com> <4720D0C1.3040309@rabbit.us> <4720DE7B.10404@max-t.com> <472106F8.1080808@rabbit.us> <4721EF2B.7020708@max-t.com> Message-ID: <47226CBE.5070503@rabbit.us> William Xu wrote: > Hi Peter, thanks for looking at this.
> > Here are the information I got after running tests. The client1 got > 7MB/s instead of 40MB/s for SEND, > and 40MB/s for RECV during the test. > > Thanks, > william > > # ip link show > > ... > 5: eth2: mtu 9000 qdisc htb qlen 1000 > link/ether 00:e0:ed:04:9f:a2 brd ff:ff:ff:ff:ff:ff > ... > 12: ifb0: mtu 9000 qdisc htb qlen 32 > link/ether f2:f2:77:f9:cf:30 brd ff:ff:ff:ff:ff:ff > > #tc qdisc show > qdisc pfifo_fast 0: dev eth0 root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 > 1 1 1 1 1 > qdisc ingress ffff: dev eth2 ---------------- > qdisc htb 1: dev eth2 r2q 100 default 30 direct_packets_stat 0 > qdisc pfifo_fast 0: dev eth3 root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 > 1 1 1 1 1 > qdisc pfifo_fast 0: dev eth4 root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 > 1 1 1 1 1 > qdisc pfifo_fast 0: dev eth5 root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 > 1 1 1 1 1 > qdisc pfifo_fast 0: dev eth6 root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 > 1 1 1 1 1 > qdisc pfifo_fast 0: dev eth7 root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 > 1 1 1 1 1 > qdisc pfifo_fast 0: dev eth8 root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 > 1 1 1 1 1 > qdisc htb 1: dev ifb0 r2q 100 default 30 direct_packets_stat 0 > > #tc -s -d class show dev ifb0 > class htb 1:10 parent 1:1 prio 0 quantum 200000 rate 320000Kbit ceil > 960000Kbit burst 169000b/64 mpu 0b overhead 0b cburst 489000b/64 mpu 0b > overhead 0b level 0 > Sent 2366125838 bytes 928639 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > lended: 925807 borrowed: 2832 giants: 0 > tokens: 4224 ctokens: 4075 > > class htb 1:1 root rate 960000Kbit ceil 960000Kbit burst 489000b/64 mpu > 0b overhead 0b cburst 489000b/64 mpu 0b overhead 0b level 7 > Sent 36927678674 bytes 6132723 pkt (dropped 0, overlimits 0 requeues 0) > rate 2672bit 1pps backlog 0b 0p requeues 0 > lended: 1131873 borrowed: 0 giants: 0 > tokens: 4074 ctokens: 4074 > > class htb 1:30 parent 1:1 prio 1 quantum 200000 rate 640000Kbit ceil > 960000Kbit burst 
328960b/64 mpu 0b overhead 0b cburst 489000b/64 mpu 0b > overhead 0b level 0 > Sent 34561552836 bytes 5204084 pkt (dropped 44, overlimits 0 requeues 0) > rate 528bit 0pps backlog 0b 0p requeues 0 > lended: 4075043 borrowed: 1129041 giants: 0 > tokens: 4108 ctokens: 4074 > > #tc -s -d class show dev eth2 > class htb 1:10 parent 1:1 prio 0 quantum 200000 rate 320000Kbit ceil > 960000Kbit burst 169000b/64 mpu 0b overhead 0b cburst 489000b/64 mpu 0b > overhead 0b level 0 > Sent 12092794712 bytes 1544210 pkt (dropped 0, overlimits 0 requeues 0) > rate 56bit 0pps backlog 0b 0p requeues 0 > lended: 1543687 borrowed: 523 giants: 0 > tokens: 4224 ctokens: 4075 > > class htb 1:1 root rate 960000Kbit ceil 960000Kbit burst 489000b/64 mpu > 0b overhead 0b cburst 489000b/64 mpu 0b overhead 0b level 7 > Sent 36872760531 bytes 7346321 pkt (dropped 0, overlimits 0 requeues 0) > rate 288bit 0pps backlog 0b 0p requeues 0 > lended: 40477 borrowed: 0 giants: 0 > tokens: 4073 ctokens: 4073 > > class htb 1:30 parent 1:1 prio 1 quantum 200000 rate 640000Kbit ceil > 960000Kbit burst 328960b/64 mpu 0b overhead 0b cburst 489000b/64 mpu 0b > overhead 0b level 0 > Sent 24779965819 bytes 5802111 pkt (dropped 0, overlimits 0 requeues 0) > rate 176bit 0pps backlog 0b 0p requeues 0 > lended: 5762157 borrowed: 39954 giants: 0 > tokens: 4109 ctokens: 4073 > > The setup looks good. There are only two things that come to mind - you have problems with TSO, or your clock is too slow. For the first use ethtool -K to disable all 6 offloading parameters. For the second check what is the value of CONFIG_HZ in the current kernel config (/boot/config-), and if it is less than 1000 this might be your problem as well. If none of those help - I am out of ideas, hopefully someone else can help you. 
Peter

From sanni.abdul at gmail.com Sat Oct 27 21:07:02 2007
From: sanni.abdul at gmail.com (Abdul Sanni)
Date: Sat Oct 27 21:07:18 2007
Subject: [LARTC] MAN
Message-ID: <9ceb41580710271207j40ecbbe7j1d3d57b993e7183c@mail.gmail.com>

Hello All,

My name is Abdul from Nigeria. Please, I need information on MAN: what are the factors to be considered when planning for a Metropolitan Area Network?

From c.mihaitza at gmail.com Sun Oct 28 09:00:24 2007
From: c.mihaitza at gmail.com (mihai cezar)
Date: Sun Oct 28 09:00:41 2007
Subject: [LARTC] IFB replacement for IMQ
Message-ID: <85400f430710280100q2bda452ag9092ed64b8449372@mail.gmail.com>

Hello,

I want to use IFB instead of IMQ, but I don't know how to redirect traffic from eth2.101 to ifb0 and traffic from eth1.301 to ifb1 so I can apply QoS. With IMQ I use iptables -j IMQ --to-dev 0.

Is it possible to apply tc rules on ifb1 for both download/upload?

thx

From gustavo at angulosolido.pt Sun Oct 28 12:47:42 2007
From: gustavo at angulosolido.pt (Gustavo Homem)
Date: Sun Oct 28 12:47:50 2007
Subject: [LARTC] MAN
In-Reply-To: <9ceb41580710271207j40ecbbe7j1d3d57b993e7183c@mail.gmail.com>
References: <9ceb41580710271207j40ecbbe7j1d3d57b993e7183c@mail.gmail.com>
Message-ID: <200710281147.42774.gustavo@angulosolido.pt>

Hi,

This is a very broad question as you have to plan not only the IP layer but also the underlying transport layer (SDH, ATM, Ethernet, ...).

Maybe if you can narrow your question to more specific topics, someone will be able to help you.

Cheers
Gustavo

On Saturday 27 October 2007 20:07, Abdul Sanni wrote:
> Hello All,
>
> My name is Abdul from Nigeria. Please, I need information on MAN: what are
> the factors to be considered when planning for a Metropolitan Area Network?

--
Angulo Sólido - Tecnologias de Informação
http://angulosolido.pt

From daniel at mks.padinet.com Sun Oct 28 18:48:13 2007
From: daniel at mks.padinet.com (Daniel)
Date: Sun Oct 28 19:00:30 2007
Subject: [LARTC] tc filter question
Message-ID: <200710290148.13471.daniel@mks.padinet.com>

Dear all,

I have a big question in my mind about "tc filter" syntax. If I give the "tc -s -d filter sh dev eth0" command, then the output is like below:

filter parent 1: protocol ip pref 1 u32
filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:2  (rule hit 21553629 success 37907)
  match 00160000/ffff0000 at 20 (success 37907 )

...

My question is:
1. What do "fh 800:" and "fh 800::800" mean?
2. How do I change the value "800" in "fh 800::800"? I'm guessing this is a default value and I need to change that because my filter rules can be more than 0xfff lines.

Thanks for all,

Daniel
PadiNet Makassar

From peet at altlinux.org Sun Oct 28 19:55:30 2007
From: peet at altlinux.org (Peter V. Saveliev)
Date: Sun Oct 28 19:55:39 2007
Subject: [LARTC] tc filter question
In-Reply-To: <200710290148.13471.daniel@mks.padinet.com>
References: <200710290148.13471.daniel@mks.padinet.com>
Message-ID: <200710282155.30328.peet@altlinux.org>

In the message of Sunday 28 October 2007 20:48:13, Daniel wrote:
> Dear all,
>
> I have a big question in my mind about "tc filter" syntax. If I give the
> "tc -s -d filter sh dev eth0" command, then the output is like below:
>
> filter parent 1: protocol ip pref 1 u32
> filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1
> filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800
> bkt 0 flowid 1:2  (rule hit 21553629 success 37907)
>   match 00160000/ffff0000 at 20 (success 37907 )
>
> ...
>
> My question is:
> 1. What do "fh 800:" and "fh 800::800" mean?
> 2. How do I change the value "800" in "fh 800::800"? I'm guessing this is a
> default value and I need to change that because my filter rules can be more
> than 0xfff lines.

There is a rather unclear howto chapter:

http://lartc.org/howto/lartc.adv-filter.hashing.html

But it is very correct. Try it (actually, I understood it not from the first attempt ;))

--
Peter V. Saveliev

From andreas at stapelspeicher.org Sun Oct 28 19:56:28 2007
From: andreas at stapelspeicher.org (Andreas Mueller)
Date: Sun Oct 28 19:56:40 2007
Subject: [LARTC] tc filter question
In-Reply-To: <200710290148.13471.daniel@mks.padinet.com>
References: <200710290148.13471.daniel@mks.padinet.com>
Message-ID: <20071028185628.GA18512@lintera>

Hi Daniel.

Daniel wrote:
> Dear all,
>
> I have a big question in my mind about "tc filter" syntax. If I give the
> "tc -s -d filter sh dev eth0" command, then the output is like below:
>
> filter parent 1: protocol ip pref 1 u32
> filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1
> filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800
> bkt 0 flowid 1:2  (rule hit 21553629 success 37907)
>   match 00160000/ffff0000 at 20 (success 37907 )
>
> ...
>
> My question is:
> 1. What do "fh 800:" and "fh 800::800" mean?
> 2. How do I change the value "800" in "fh 800::800"? I'm guessing this is a
> default value and I need to change that because my filter rules can be more
> than 0xfff lines.

Hi,

those values are for the hash tables of u32, see:

http://lartc.org/howto/lartc.adv-filter.hashing.html

>
> Thanks for all,
>
> Daniel
> PadiNet Makassar

Bye,
Andreas.

From nozo at ziu.info Mon Oct 29 06:32:30 2007
From: nozo at ziu.info (Michal Soltys)
Date: Mon Oct 29 06:32:57 2007
Subject: [LARTC] tc filter question
In-Reply-To: <200710290148.13471.daniel@mks.padinet.com>
References: <200710290148.13471.daniel@mks.padinet.com>
Message-ID: <4725706E.80107@ziu.info>

Daniel wrote:
>
> My question is:
> 1. What do "fh 800:" and "fh 800::800" mean?
> 2. How do I change the value "800" in "fh 800::800"? I'm guessing this is a
> default value and I need to change that because my filter rules can be more
> than 0xfff lines.
>

Also check

http://ace-host.stuart.id.au/russell/files/tc/doc/cls_u32.txt

The old howto misses a few important things.

From hi100nu at yahoo.com Mon Oct 29 13:44:48 2007
From: hi100nu at yahoo.com (sonu chouhan)
Date: Mon Oct 29 13:45:10 2007
Subject: [LARTC] multigateway routing with adsl and dynamic ip
Message-ID: <658869.14038.qm@web32513.mail.mud.yahoo.com>

hi,

currently i am using Red Hat Enterprise Linux 5 for multi gateway routing with 5 internet connections on static ip and all is working fine. now i want to use 5 adsl lines with dynamic ip, but there is no doc. in lartc and in nano's howto for dynamic ip, so can u plz help me out

thanks in advance
nilesh chouhan
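The replies above point Daniel at the hashing chapter without showing what it buys. In his output every rule sits in u32's default table 800: (divisor 1), so each packet walks a single bucket and node ids (the 800 after the second colon) are 12-bit, which is the 0xfff ceiling he is worried about. The generator below, an added example that is not code from any poster on this list, emits the hash-table layout from that chapter for one HTB leaf class per host of a /24, keyed on the last octet of the source address, which is also the "one class per user" design the later "Fair que" thread debates. The interface name, qdisc handle, table number, class ids and rates are assumed values; `parse_u32_handle` decodes the `fh` field the way tc prints it.

```python
"""Added example (not from the thread): u32 hash tables for per-host classes.

Table 800: is u32's default root table (divisor 1).  Creating a second table
with 256 buckets, one rule per bucket, and a single "link" rule in 800:: that
hashes the last byte of the source address lets the kernel jump straight to
the right bucket instead of walking every rule.
"""
import ipaddress


def parse_u32_handle(text):
    """Split a u32 handle 'htid:bucket:node' (hex; an empty field means 0).

    '800:'     -> (0x800, 0, 0)      the table itself (the default root table)
    '800::800' -> (0x800, 0, 0x800)  node 0x800 in bucket 0 of table 800
    Node ids are 12 bits, hence the 0xfff ceiling per bucket.
    """
    parts = text.split(":")
    parts += [""] * (3 - len(parts))
    htid, bucket, node = (int(p, 16) if p else 0 for p in parts[:3])
    return htid, bucket, node


def per_host_commands(dev, subnet, link_kbit, root=1, table=2, prio=5):
    """Return tc command lines giving each host of `subnet` its own HTB class.

    Every host is guaranteed link_kbit/hosts and may borrow up to the link
    rate.  Host .123 lands in class <root>:17b and in bucket 0x7b of `table`;
    anything not matched falls into the default class <root>:fff.
    All names and numbers here are assumptions for illustration.
    """
    net = ipaddress.ip_network(subnet, strict=False)
    if net.prefixlen != 24:
        raise ValueError("hashing on the last octet assumes a /24")
    hosts = list(net.hosts())
    share_kbit = max(link_kbit // len(hosts), 1)
    r = f"{root:x}"
    cmds = [
        f"tc qdisc add dev {dev} root handle {r}: htb default fff",
        f"tc class add dev {dev} parent {r}: classid {r}:1 htb rate {link_kbit}kbit",
        f"tc class add dev {dev} parent {r}:1 classid {r}:fff "
        f"htb rate {share_kbit}kbit ceil {link_kbit}kbit",
        # Create the u32 classifier; its root table is the 800: seen in the output
        f"tc filter add dev {dev} parent {r}: prio {prio} protocol ip u32",
        # A second table with 256 buckets, addressed below as 'ht <table>:<bucket>:'
        f"tc filter add dev {dev} parent {r}: prio {prio} handle {table:x}: "
        f"protocol ip u32 divisor 256",
    ]
    for host in hosts:
        octet = int(host) & 0xFF
        minor = f"{0x100 + octet:x}"
        cmds.append(f"tc class add dev {dev} parent {r}:1 classid {r}:{minor} "
                    f"htb rate {share_kbit}kbit ceil {link_kbit}kbit")
        # SFQ under each host class keeps that host's own flows fair among themselves
        cmds.append(f"tc qdisc add dev {dev} parent {r}:{minor} sfq perturb 10")
        cmds.append(f"tc filter add dev {dev} protocol ip parent {r}: prio {prio} u32 "
                    f"ht {table:x}:{octet:x}: match ip src {host} flowid {r}:{minor}")
    # The link rule in the root table: hash the last byte of the source address
    # (offset 12 in the IP header) and continue the lookup in `table`.
    cmds.append(f"tc filter add dev {dev} protocol ip parent {r}: prio {prio} u32 ht 800:: "
                f"match ip src {net.with_prefixlen} hashkey mask 0x000000ff at 12 "
                f"link {table:x}:")
    return cmds


if __name__ == "__main__":
    print("\n".join(per_host_commands("eth0", "192.168.1.0/24", 10000)))
```

Run it with the subnet and uplink rate of the box in question and pipe the output through `sh` on the router; since every host rule lives in its own bucket, the filter count no longer accumulates in one 12-bit node space, and a packet's source octet selects its rule in one step.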
From mailvortex at gmail.com Mon Oct 29 14:15:47 2007
From: mailvortex at gmail.com (Ben Scott)
Date: Mon Oct 29 14:15:54 2007
Subject: [LARTC] multigateway routing with adsl and dynamic ip
In-Reply-To: <658869.14038.qm@web32513.mail.mud.yahoo.com>
References: <658869.14038.qm@web32513.mail.mud.yahoo.com>
Message-ID: <59f980d60710290615i94f3213k309f91515fa6e80f@mail.gmail.com>

On 10/29/07, sonu chouhan wrote:
> now i want to use 5 adsl lines with dynamic ip ...

You'll probably have to use a script with variables for all the IP addresses, and have that script be called by whatever software manages the dynamic IP address configuration. Most distributions have a mechanism for doing "custom" things after an interface comes up. For example, Red Hat and its derivatives will call /sbin/ifup-local and /sbin/ifdown-local if they exist.

> can u plz help me out

Can you please use real words? :)

--
Ben

From joel.bertrand at systella.fr Mon Oct 29 19:48:45 2007
From: joel.bertrand at systella.fr (BERTRAND Joël)
Date: Mon Oct 29 19:49:01 2007
Subject: [LARTC] Some questions about HTB
Message-ID: <47262B0D.10106@systella.fr>

Hello,

I have installed a server with three physical ethernet links and some virtual interfaces:

eth0   - 213.215.42.70
eth0:1 - 213.215.42.71
eth0:2 - 213.215.42.72
eth0:3 - 213.215.42.73
eth0:4 - 213.215.42.74
eth0:5 - 213.215.42.75
eth0:6 - 213.215.42.76
eth0:7 - 213.215.42.77
eth0:8 - 213.215.42.78
eth2   - 192.168.1.128
eth3   - 213.215.42.69

All traffic is routed by iproute2 and iptables rules without any trouble, but I don't understand how to install a traffic limitation on each IP address. I have to limit forwarded traffic on eth0:x, and input and output traffic on eth3. Thus, I have written:

MAX_LOCAL_RATE=2mbit
MAX_PUBLIC_RATE=100mbit
LOCAL_INTERFACE=eth3
LOCAL_ADDRESS=213.215.42.69
PUBLIC_INTERFACE=eth0

# eth3

tc qdisc add dev $LOCAL_INTERFACE root handle 1: htb default 100
tc class add dev $LOCAL_INTERFACE parent 1: classid 1:1 \
    htb rate $MAX_LOCAL_RATE
tc filter add dev $LOCAL_INTERFACE protocol ip parent 1: \
    prio 1 u32 match ip src $LOCAL_ADDRESS/32 flowid 1:1

tc class add dev $LOCAL_INTERFACE parent 1: classid 1:100 \
    htb rate 16kbit
tc qdisc add dev $LOCAL_INTERFACE parent 1:100 sfq perturb 10

tc qdisc add dev $LOCAL_INTERFACE handle ffff: ingress
tc filter add dev $LOCAL_INTERFACE protocol ip parent ffff: \
    prio 1 u32 match ip dst $LOCAL_ADDRESS/32 \
    police rate $MAX_LOCAL_RATE burst 20k drop flowid :1

# eth0

tc qdisc add dev $PUBLIC_INTERFACE root handle 2: htb default 200
tc class add dev $PUBLIC_INTERFACE parent 2: classid 2:1 \
    htb rate $MAX_PUBLIC_RATE burst 20k

tc class add dev $PUBLIC_INTERFACE parent 2: classid 2:200 \
    htb rate 16kbit
tc qdisc add dev $PUBLIC_INTERFACE parent 2:200 sfq perturb 10

# 213.215.42.71

tc class add dev $PUBLIC_INTERFACE parent 2:1 classid 2:71 \
    htb rate 1024kbps ceil 1024kbps burst 20k
tc qdisc add dev $PUBLIC_INTERFACE parent 2:71 handle 71: sfq perturb 10
tc filter add dev $PUBLIC_INTERFACE protocol ip parent 2:71 \
    prio 1 handle 71 fw flowid 2:71

# 213.215.42.72

tc class add dev $PUBLIC_INTERFACE parent 2:1 classid 2:72 \
    htb rate 512kbit
tc qdisc add dev $PUBLIC_INTERFACE parent 2:72 handle 72: sfq perturb 10
tc filter add dev $PUBLIC_INTERFACE protocol ip parent 2:72 \
    prio 1 handle 72 fw flowid 2:72

When I start for example an ftp connection (and only one) on 213.215.42.71, traffic shaping works fine (fw marks are set by iptables rules). When more than one connection is made, packet transfer is very slow (~20 kbps even though I specify 1024kbps). I suspect a mistake in my code but I don't know how to fix it. I have tried to use quantum, r2q, burst, cburst without any success. Any idea?

Thanks in advance,

JKB

From thomas.elsgaard at gmail.com Mon Oct 29 20:46:39 2007
From: thomas.elsgaard at gmail.com (Thomas Elsgaard)
Date: Mon Oct 29 20:46:48 2007
Subject: [LARTC] Fair que between 255 users
Message-ID:

Hello guys

I have a subnet with 255 users, which need to share 1 single slow internet connection, so I would like to implement a kind of *fair queuing* on the UPLOAD between them, which means that they all share the connection equally..

The tools that I have available are: A Linux box with IPROUTE2, HTB and TC..

I have looked at some examples, and my first idea was to make 255 entries in iproute2, marking each source IP from 1-255, and then adding one class in HTB, with 255 children... but isn't there a smarter way?

Does anyone have an example? or a good idea

Best regards

///Thomas

From peet at altlinux.org Mon Oct 29 21:00:02 2007
From: peet at altlinux.org (Peter V. Saveliev)
Date: Mon Oct 29 21:01:45 2007
Subject: [LARTC] Fair que between 255 users
In-Reply-To:
References:
Message-ID: <200710292300.03353.peet@altlinux.org>

In the message of Monday 29 October 2007 22:46:39, Thomas Elsgaard wrote:
> Hello guys
>
> I have a subnet with 255 users, which need to share 1 single slow internet
> connection, so I would like to implement a kind of *fair queuing* on the
> UPLOAD between them, which means that they all share the connection
> equally..
>
> The tools that I have available are: A Linux box with IPROUTE2, HTB and TC..
>
> I have looked at some examples, and my first idea was to make 255 entries
> in iproute2, marking each source IP from 1-255, and then adding one class
> in HTB, with 255 children... but isn't there a smarter way?
>
> Does anyone have an example? or a good idea

simply sfq -- is enough, isn't it?

--
Peter V.
Saveliev

From gtaylor at riverviewtech.net Mon Oct 29 23:17:08 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Mon Oct 29 23:16:35 2007
Subject: [LARTC] multigateway routing with adsl and dynamic ip
In-Reply-To: <658869.14038.qm@web32513.mail.mud.yahoo.com>
References: <658869.14038.qm@web32513.mail.mud.yahoo.com>
Message-ID: <47265BE4.1030209@riverviewtech.net>

On 10/29/07 07:44, sonu chouhan wrote:
> currently i am using Red Hat Enterprise Linux 5 for multi gateway routing
> with 5 internet connections on static ip and all is working fine. now i
> want to use 5 adsl lines with dynamic ip, but there is no doc. in lartc
> and in nano's howto for dynamic ip, so can u plz help me out
> thanks in advance

Like Ben said, you will need to run a script to manage your dynamic IPs. One thing to keep in mind is that you will need to run a script that is aware of each interface's IP address so that it can manage the multipath nexthop route(s). Thus you can not have a generic script that is called for each interface in such a way that it is unaware of the state of the other interfaces.

Grant. . . .

From WBohannan at spidersat.com.gh Tue Oct 30 10:16:29 2007
From: WBohannan at spidersat.com.gh (William Bohannan)
Date: Tue Oct 30 10:16:56 2007
Subject: [LARTC] 2 NICS - local services not shaping correctly
Message-ID: <4D411FB02758FE45915E9724339093F6443E23@intranet.scpl.local>

Hi

Having a problem trying to figure out how to shape local services running on the Debian box (asterisk, squid etc) as currently the voice only seems to be getting shaped one way when making external calls.

For example I have the rules below (these are the matching rules only, not the actual policy rules):

#Create Chain for local traffic (outbound)
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth0 -s 193.xxx.xxx.66 -d 193.xxx.xxx.69 -j MARK --set-mark 0x44444445
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth0 -s 193.xxx.xxx.66 -d 193.xxx.xxx.69 -j RETURN
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth0 -s 193.xxx.xxx.69 -d 193.xxx.xxx.66 -j MARK --set-mark 0x44444445
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth0 -s 193.xxx.xxx.69 -d 193.xxx.xxx.66 -j RETURN

#Create Chain for all remaining traffic (outbound)
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth0 -j MARK --set-mark 0x44444446
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth0 -j RETURN

#Phones match (outbound)
/sbin/iptables -t mangle -A match-chain-eth1-1:11 -p tcp -m multiport --port 4569 -j CLASSIFY --set-class 1:1006
/sbin/iptables -t mangle -A match-chain-eth1-1:11 -p tcp -m multiport --port 4569 -j RETURN
/sbin/iptables -t mangle -A match-chain-eth1-1:11 -p udp -m multiport --port 4569 -j CLASSIFY --set-class 1:1006
/sbin/iptables -t mangle -A match-chain-eth1-1:11 -p udp -m multiport --port 4569 -j RETURN

#Create Chain for local traffic (inbound)
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth1 -s 193.xxx.xxx.66 -d 193.xxx.xxx.69 -j MARK --set-mark 0x44444447
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth1 -s 193.xxx.xxx.66 -d 193.xxx.xxx.69 -j RETURN
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth1 -s 193.xxx.xxx.69 -d 193.xxx.xxx.66 -j MARK --set-mark 0x44444447
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth1 -s 193.xxx.xxx.69 -d 193.xxx.xxx.66 -j RETURN

#Create Chain for all remaining traffic (inbound)
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth1 -j MARK --set-mark 0x44444448
/sbin/iptables -t mangle -A match-all -m physdev --physdev-in eth1 -j RETURN

#Phones match (inbound)
/sbin/iptables -t mangle -A match-chain-eth0-1:12 -p tcp -m multiport --port 4569 -j CLASSIFY --set-class 1:2008
/sbin/iptables -t mangle -A match-chain-eth0-1:12 -p tcp -m multiport --port 4569 -j RETURN
/sbin/iptables -t mangle -A match-chain-eth0-1:12 -p udp -m multiport --port 4569 -j CLASSIFY --set-class 1:2008
/sbin/iptables -t mangle -A match-chain-eth0-1:12 -p udp -m multiport --port 4569 -j RETURN

Kind Regards

William Bohannan

From joel.bertrand at systella.fr Tue Oct 30 10:21:46 2007
From: joel.bertrand at systella.fr (BERTRAND Joël)
Date: Tue Oct 30 10:22:03 2007
Subject: [LARTC] Some questions about HTB
In-Reply-To: <47262B0D.10106@systella.fr>
References: <47262B0D.10106@systella.fr>
Message-ID: <4726F7AA.5060308@systella.fr>

BERTRAND Joël wrote:
> Hello,

I think I have found my mistake...

...

> # eth0
>
> tc qdisc add dev $PUBLIC_INTERFACE root handle 2: htb default 200
> tc class add dev $PUBLIC_INTERFACE parent 2: classid 2:1 \
>     htb rate $MAX_PUBLIC_RATE burst 20k
>
> tc class add dev $PUBLIC_INTERFACE parent 2: classid 2:200 \
>     htb rate 16kbit
> tc qdisc add dev $PUBLIC_INTERFACE parent 2:200 sfq perturb 10
>
> # 213.215.42.71
>
> tc class add dev $PUBLIC_INTERFACE parent 2:1 classid 2:71 \
>     htb rate 1024kbps ceil 1024kbps burst 20k
> tc qdisc add dev $PUBLIC_INTERFACE parent 2:71 handle 71: sfq perturb 10
> tc filter add dev $PUBLIC_INTERFACE protocol ip parent 2:71 \

should be

tc filter add dev $PUBLIC_INTERFACE protocol ip parent 2:

>     prio 1 handle 71 fw flowid 2:71
>
> # 213.215.42.72
>
> tc class add dev $PUBLIC_INTERFACE parent 2:1 classid 2:72 \
>     htb rate 512kbit
> tc qdisc add dev $PUBLIC_INTERFACE parent 2:72 handle 72: sfq perturb 10
> tc filter add dev $PUBLIC_INTERFACE protocol ip parent 2:72 \
>     prio 1 handle 72 fw flowid 2:72
>
> When I start for example an ftp connection (and only one) on
> 213.215.42.71, traffic shaping works fine (fw marks are set by iptables
> rules). When more than one connection is made, packet transfer is very
> slow (~20 kbps even though I specify 1024kbps). I suspect a mistake in my
> code but I don't know how to fix it. I have tried to use quantum, r2q,
> burst, cburst without any success. Any idea?

Regards,

JKB

From aleksander at krediidiinfo.ee Tue Oct 30 15:18:06 2007
From: aleksander at krediidiinfo.ee (Aleksander Kamenik)
Date: Tue Oct 30 15:18:10 2007
Subject: [LARTC] Fair que between 255 users
In-Reply-To: <200710292300.03353.peet@altlinux.org>
References: <200710292300.03353.peet@altlinux.org>
Message-ID: <47273D1E.3000902@krediidiinfo.ee>

Peter V. Saveliev wrote:
> simply sfq -- is enough, isn't it?

sfq is great actually, but it works for connections. If you have say 10 users and 9 of them each have 1 active ftp RETR connection but the 10th user has 100 active ftp RETR connections, then he gets 99,9% of traffic, doesn't he? (just an example)

I think what the GP is looking for, as am I, is a simple way of giving each user an equal share of the bandwidth. This can be achieved for example by hundreds of HTB classes. But that's the rub. I have 20 /24 internal networks which amounts to a maximum of 5000+ unique IPs which DHCP gives out. There are only about 500 active users though and the total number of users (active at least once a month) is probably around 1000.

I don't think it makes sense to create 5000 htb leaf classes and let them all borrow from each other. 90% of them would be _only_ lending and 10% would be fighting over who gets the small bit of it.

What I'm looking for is something like the ISPs use. Like sfq which creates fair queues per connection pools where each pool is a bunch of connections from/to the same IP addr. Is there something like this for linux?

--
Aleksander Kamenik
system administrator
+372 6659 649
aleksander@krediidiinfo.ee
Krediidiinfo AS
http://www.krediidiinfo.ee/

From daniel at mks.padinet.com Tue Oct 30 14:50:09 2007
From: daniel at mks.padinet.com (Daniel)
Date: Tue Oct 30 15:24:49 2007
Subject: [LARTC] Fair que between 255 users
In-Reply-To: <47273D1E.3000902@krediidiinfo.ee>
References: <200710292300.03353.peet@altlinux.org> <47273D1E.3000902@krediidiinfo.ee>
Message-ID: <200710302150.10140.daniel@mks.padinet.com>

On Tuesday 30 October 2007 22:18, Aleksander Kamenik wrote:
> Peter V. Saveliev wrote:
> > simply sfq -- is enough, isn't it?
>
> sfq is great actually, but it works for connections. If you have say 10
> users and 9 of them each have 1 active ftp RETR connection but the 10th
> user has 100 active ftp RETR connections, then he gets 99,9% of traffic,
> doesn't he? (just an example)

you can try esfq.
Daniel PadiNet Makassar From aleksander at krediidiinfo.ee Tue Oct 30 15:38:12 2007 From: aleksander at krediidiinfo.ee (Aleksander Kamenik) Date: Tue Oct 30 15:38:16 2007 Subject: [LARTC] custom route for forwarded traffic Message-ID: <472741D4.4050409@krediidiinfo.ee> Hi, I have two networks, users and servers connected via vpn (ipsec). Both internal networks. The routing is fine and connections work both ways. Accordingly both networks have a firewall each which faces the internet and they create the vpn link between each other. Both firewalls have only one external IP (if they had more, I wouldn't be asking). The servers network's firewall however does DNAT too. This is for external clients who connect to the external IP of the firewall and so can connect to the internal mail and webserver. I want the computers in the users network to connect to the external IP of the servers firewall AND have the connection go through the VPN. If I add a rule to the main routing table in the users network's firewall for servers network's external IP to go through the VPN, I will break the VPN connection (kind of like the chicken and egg problem). So I need to create a route, which will apply only for forwarded connections. How do I do that? Thanks, -- Aleksander Kamenik system administrator +372 6659 649 aleksander@krediidiinfo.ee Krediidiinfo AS http://www.krediidiinfo.ee/ From gtaylor at riverviewtech.net Tue Oct 30 17:14:39 2007 From: gtaylor at riverviewtech.net (Grant Taylor) Date: Tue Oct 30 17:14:05 2007 Subject: [LARTC] custom route for forwarded traffic In-Reply-To: <472741D4.4050409@krediidiinfo.ee> References: <472741D4.4050409@krediidiinfo.ee> Message-ID: <4727586F.3030808@riverviewtech.net> On 10/30/07 09:38, Aleksander Kamenik wrote: > I have two networks, users and servers connected via vpn (ipsec). Both > internal networks. The routing is fine and connections work both ways. 
> > Accordingly both networks have a firewall each which faces the internet > and they create the vpn link between each other. Both firewalls have > only one external IP (if they had more, I wouldn't be asking). > > The servers network's firewall however does DNAT too. This is for > external clients who connect to the external IP of the firewall and so > can connect to the internal mail and webserver. > > I want the computers in the users network to connect to the external IP > of the servers firewall AND have the connection go through the VPN. > > If I add a rule to the main routing table in the users network's > firewall for servers network's external IP to go through the VPN, I will > break the VPN connection (kind of like the chicken and egg problem). > > So I need to create a route, which will apply only for forwarded > connections. How do I do that? It has been a long time sense I messed with IPSec under Linux so I can not say any thing for sure. But what I can say is the direction that I would start looking. +----------+ +----------+ (LAN 1)---+ Router 1 +---(INet)---+ Router 2 +---(LAN 2) +----------+ +----------+ I would only encrypt traffic that is from / to LAN 1 and to / from LAN 2 through the IPSec VPN. Any other traffic from / to LAN 1 that is not going to / from LAN 2 would be unencrypted and vice versa for LAN 2. This way when LAN 1 tried to access the external IP of Router 2 it would not match your routing rules for encryption and thus not be encrypted. If the traffic is not encrypted it should be subject to the normal DNAT rule(s) on Route 2. Likewise for reverse traffic and the corresponding traffic from LAN 2. I'm not sure how to set up such routes with current IPSec implementations so I can't help specifically with that. What I do see is the various types of traffic that will be seen from each end. 
LAN 1 <-> LAN 2 (encrypted via IPSec VPN) (LAN 1 subnet to LAN 2 subnet) LAN 1 <-> INet (unencrypted) (Router 1 external to INet) LAN 1 <-> Router 2 (unencrypted) (Router 1 external to Router 2 external) INet <-> Router 1 (unencrypted) (INet to Router 1 external & DNATed in) The same above is true in reverse for LAN 2. So in short, I see four classes of traffic at each connection. I hope this helps clear things up and make the water a little less muddy. If you need any thing else, I'll be glad to try. Grant. . . . From karme at berlios.de Tue Oct 30 17:50:19 2007 From: karme at berlios.de (Jens Thiele) Date: Tue Oct 30 17:50:22 2007 Subject: [LARTC] Fair que between 255 users In-Reply-To: <200710292300.03353.peet@altlinux.org> (Peter V. Saveliev's message of "Mon\, 29 Oct 2007 23\:00\:02 +0300") References: <200710292300.03353.peet@altlinux.org> Message-ID: <87bqagczsk.fsf@thialfi.karme-net.hirschau> On 29 Okt 2007, peet@altlinux.org wrote: > ? ????????? ?? Monday 29 October 2007 22:46:39 Thomas Elsgaard > ???????(?): >> Hello guys >> >> I have a subnet with 255 users, which need to share 1 single slow >> internet connection, so i would like to implement a kind of *fair >> queuing *on the UPLOAD between them, which means that they all share >> the connection equally.. >> >> The tools that i have available is: A linux box with IPROUTE2,HTB and >> TC.. >> >> I have looked at some examples, and my first idea was to make 255 >> entries in iproute2, marking each source IP from 1-255 , and then >> adding one class in HTB, with 255 childs... but isn't there a smarter >> way? >> >> Does anyone have an example? or a good idea > > > simply sfq -- is enough, isn't it? No (at least not yet?) Quoting the man page (man sfq): "SFQ does not shape traffic but only schedules the transmission of packets, based on ?flows?. The goal is to ensure fairness so that each flow is able to send data in turn, thus preventing any single flow from drowning out the rest." 
And:
"SFQ is work-conserving and therefore always delivers a packet if it
has one available."

ESFQ might help. Using google:
http://fatooh.org/esfq-2.6/

Note:
Corey Hickey is working on getting some ESFQ features into kernel
mainline SFQ:
Search for "SFQ: backport some features from ESFQ (try 5)" on netdev ml.

Greetings
Jens

From marco.casaroli at gmail.com Tue Oct 30 18:01:50 2007 From: marco.casaroli at gmail.com (Marco Aurelio) Date: Tue Oct 30 18:01:57 2007 Subject: [LARTC] Fair que between 255 users In-Reply-To: <87bqagczsk.fsf@thialfi.karme-net.hirschau> References: <200710292300.03353.peet@altlinux.org> <87bqagczsk.fsf@thialfi.karme-net.hirschau> Message-ID: <92ed523b0710301001w5ab728bfsbd6ccb31406b756b@mail.gmail.com>

WRR worked for me in the past but it is not maintained anymore.

On 10/30/07, Jens Thiele wrote:
> On 29 Oct 2007, peet@altlinux.org wrote:
>
> > In the message of Monday 29 October 2007 22:46:39, Thomas Elsgaard wrote:
> >> Hello guys
> >>
> >> I have a subnet with 255 users, which need to share 1 single slow
> >> internet connection, so I would like to implement a kind of *fair
> >> queuing* on the UPLOAD between them, which means that they all share
> >> the connection equally..
> >>
> >> The tools that I have available are: a Linux box with IPROUTE2, HTB and
> >> TC..
> >>
> >> I have looked at some examples, and my first idea was to make 255
> >> entries in iproute2, marking each source IP from 1-255, and then
> >> adding one class in HTB, with 255 children... but isn't there a smarter
> >> way?
> >>
> >> Does anyone have an example? or a good idea
> >
> >
> > simply sfq -- is enough, isn't it?
>
> No (at least not yet?)
>
> Quoting the man page (man sfq):
> "SFQ does not shape traffic but only schedules the transmission of
> packets, based on 'flows'. The goal is to ensure fairness so that each
> flow is able to send data in turn, thus preventing any single flow from
> drowning out the rest."
>
> And:
> "SFQ is work-conserving and therefore always delivers a packet if it
> has one available."
>
> ESFQ might help. Using google:
> http://fatooh.org/esfq-2.6/
>
> Note:
> Corey Hickey is working on getting some ESFQ features into kernel
> mainline SFQ:
> Search for "SFQ: backport some features from ESFQ (try 5)" on netdev ml.
>
> Greetings
> Jens

--
Marco Casaroli
SapucaiNet Telecom
+55 35 34712377 ext. 5

From mohan.tux at gmail.com Wed Oct 31 03:47:54 2007 From: mohan.tux at gmail.com (Mohan Sundaram) Date: Wed Oct 31 03:48:08 2007 Subject: [Fwd: Re: [LARTC] custom route for forwarded traffic] Message-ID: <4727ECDA.3090009@vsnl.com>

Aleksander Kamenik wrote:
> Hi,
> If I add a rule to the main routing table in the users network's
> firewall for servers network's external IP to go through the VPN, I will
> break the VPN connection (kind of like the chicken and egg problem).
>
This is true only for cases like L3 IPSec where the traffic to be encrypted is based on the src/dst IP combo. If you had a VPN virtual interface, this should not be a problem. You can choose to route traffic of your choice. Good examples are OpenVPN and L2 IPSec.

Mohan

From bugfood-ml at fatooh.org Wed Oct 31 05:45:54 2007 From: bugfood-ml at fatooh.org (Corey Hickey) Date: Wed Oct 31 05:46:09 2007 Subject: [LARTC] Fair que between 255 users In-Reply-To: <87bqagczsk.fsf@thialfi.karme-net.hirschau> References: <200710292300.03353.peet@altlinux.org> <87bqagczsk.fsf@thialfi.karme-net.hirschau> Message-ID: <47280882.1020600@fatooh.org>

Jens Thiele wrote:
> ESFQ might help. Using google:
> http://fatooh.org/esfq-2.6/
>
> Note:
> Corey Hickey is working on getting some ESFQ features into kernel
> mainline SFQ:
> Search for "SFQ: backport some features from ESFQ (try 5)" on netdev ml.

Yep.
:)

Unfortunately, the only missing feature from those patches is the alternate hash types, which I will end up handling later, one way or another.

My most recent ESFQ (tarball + incremental patch) still applies to 2.6.23.1 and builds fine. I haven't actually tested it, but I expect it won't have any problems. That will suffice for now.

-Corey

From hi100nu at yahoo.com Wed Oct 31 12:18:05 2007 From: hi100nu at yahoo.com (sonu chouhan) Date: Wed Oct 31 12:18:18 2007 Subject: [LARTC] multigateway routing with adsl and dynamic ip Message-ID: <33723.46916.qm@web32504.mail.mud.yahoo.com>

Thanks Ben & Grant,

I am not much of an expert in Linux and don't have proper knowledge of script writing, so I am showing my problem again in detail below.

I am using 4 ADSL lines from the same ISP. My ADSL modems are working as NAT routers, so I can get static private IPs on my Linux multi-gateway router. All is working fine, but an ADSL router's WAN port hangs sometimes, every 4 to 5 days, and my Linux router doesn't detect that one line is down because the gateway is still up (i.e. the ADSL modem's LAN port is working).
I have tried many different modems of different makes but the problem is the same, and when I use the ADSL modem as a bridge there is no problem with the modem, so I have decided to change my ADSL modems to bridge mode. But my ISP only provides dynamic IPs, and I am also getting many problems, which I am showing you below with my rules, which are working fine:

IFI=eth1            # local lan card
IPI=172.16.1.1      # local network's ip
NMI=16              # local network's subnet
IFE1=eth0           # adsl internet lan card
IFE2=eth2           # adsl internet lan card
IFE3=eth3           # adsl internet lan card
IFE4=eth4           # adsl internet lan card
IPE1=192.168.1.2    # adsl internet ip
IPE2=10.10.10.2     # adsl internet ip
IPE3=10.10.16.2     # adsl internet ip
IPE4=10.10.1.2      # adsl internet ip
NWE1=192.168.1.0
NWE2=10.10.10.0
NWE3=10.10.16.0
NWE4=10.10.1.0
NME1=24
NME2=24
NME3=24
NME4=24
BRD1=192.168.1.255
BRD2=10.10.10.255
BRD3=10.10.16.255
BRD4=10.10.1.255
GWE1=192.168.1.1
GWE2=10.10.10.1
GWE3=10.10.16.1
GWE4=10.10.1.1

/sbin/ip addr flush dev lo
/sbin/ip addr flush dev $IFI
/sbin/ip addr flush dev $IFE1
/sbin/ip addr flush dev $IFE2
/sbin/ip addr flush dev $IFE3
/sbin/ip addr flush dev $IFE4

/sbin/ip link set lo up
/sbin/ip addr add 127.0.0.1/8 brd + dev lo
/sbin/ip link set $IFI up
/sbin/ip addr add $IPI/$NMI brd + dev $IFI

/sbin/ip rule add prio 50 table main
/sbin/ip route del default table main

/sbin/ip link set $IFE1 up
/sbin/ip addr flush dev $IFE1
/sbin/ip addr add $IPE1/$NME1 brd $BRD1 dev $IFE1
/sbin/ip link set $IFE2 up
/sbin/ip addr flush dev $IFE2
/sbin/ip addr add $IPE2/$NME2 brd $BRD2 dev $IFE2
/sbin/ip link set $IFE3 up
/sbin/ip addr flush dev $IFE3
/sbin/ip addr add $IPE3/$NME3 brd $BRD3 dev $IFE3
/sbin/ip link set $IFE4 up
/sbin/ip addr flush dev $IFE4
/sbin/ip addr add $IPE4/$NME4 brd $BRD4 dev $IFE4

/sbin/ip rule add prio 201 from $NWE1/$NME1 table T1
# problem 1 : how to know the subnet each time ip change
/sbin/ip route add default via $GWE1 dev $IFE1 src $IPE1 proto static table T1
# problem 2 : how to add gw, it's already added.
# problem 3 : how to know IPE, it's dynamic
/sbin/ip route append prohibit default table T1 metric 1 proto static

/sbin/ip rule add prio 202 from $NWE2/$NME2 table T2
/sbin/ip route add default via $GWE2 dev $IFE2 src $IPE2 proto static table T2
/sbin/ip route append prohibit default table T2 metric 1 proto static

/sbin/ip rule add prio 203 from $NWE3/$NME3 table T3
/sbin/ip route add default via $GWE3 dev $IFE3 src $IPE3 proto static table T3
/sbin/ip route append prohibit default table T3

/sbin/ip rule add prio 204 from $NWE4/$NME4 table T4
/sbin/ip route add default via $GWE4 dev $IFE4 src $IPE4 proto static table T4
/sbin/ip route append prohibit default table T4

/sbin/ip rule add prio 222 table T6
/sbin/ip route add default table T6 proto static \
    nexthop via $GWE4 dev $IFE4 weight 1 \
    nexthop via $GWE3 dev $IFE3 weight 1 \
    nexthop via $GWE2 dev $IFE2 weight 1 \
    nexthop via $GWE1 dev $IFE1 weight 1

/sbin/ip rule add fwmark 0x11 table T1
/sbin/ip rule add fwmark 0x12 table T2
/sbin/ip rule add fwmark 0x13 table T3
/sbin/ip rule add fwmark 0x14 table T4

/sbin/ip route flush cache

So please help me out with how I can make a script; I don't want to run any script manually because the IP changes every few hours. Sorry for my poor English. Thanks in advance.

Nilesh..........
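The three problems marked in the script above (knowing the link's subnet and address once they are dynamic, and adding a gateway that the DHCP client or pppd has already installed) are all solved by reading the interface's current state at hook time instead of hard-coding it, and by tearing a link's rule and table down before rebuilding them so the same script can run again on every address change. The script below is an added example written for this thread; it is not the poster's script or anything posted on the list. It assumes iproute2 on the router, tables T1..T4 already named in /etc/iproute2/rt_tables, that the default route the DHCP client (or pppd) installed for a device is visible in the main table, and that it is called from a dhclient exit hook or an /etc/ppp/ip-up.d script with the interface, table and rule priority as arguments. The `ip -o -4 addr` lines used to exercise it are constructed, not captured.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild one per-WAN policy-routing
# table from the interface's *current* address and gateway, so it can be
# re-run from a DHCP client or pppd hook every time the dynamic IP changes.
# Assumed: tables T1..T4 exist in /etc/iproute2/rt_tables; iproute2 in PATH;
# run as root with APPLY=1 to make changes, otherwise the commands are printed.

# network_of 10.10.16.2/24 -> 10.10.16.0/24   (per-octet masking, so no
# 32-bit overflow in shells whose arithmetic is only 32 bits wide)
network_of() {
    addr=${1%/*} plen=${1#*/} net="" i=0
    for oct in $(printf '%s' "$addr" | tr . ' '); do
        bits=$((plen - 8 * i))
        [ "$bits" -gt 8 ] && bits=8
        [ "$bits" -lt 0 ] && bits=0
        mask=$(( (255 << (8 - bits)) & 255 ))
        net="$net${net:+.}$((oct & mask))"
        i=$((i + 1))
    done
    printf '%s/%s\n' "$net" "$plen"
}

# parse_addr "<one line of: ip -o -4 addr show dev IFACE>" -> addr/plen
# The token after "inet" is the address; on ppp links it is printed as
# "inet A peer B/32" without a prefix, which is a host route, hence /32.
parse_addr() {
    set -- $1
    cidr=""
    while [ $# -gt 0 ]; do
        [ "$1" = inet ] && cidr=$2
        shift
    done
    [ -n "$cidr" ] || return 1
    case $cidr in */*) ;; *) cidr="$cidr/32" ;; esac
    printf '%s\n' "$cidr"
}

# gateway_of IFACE -> next hop of the default route already installed for
# that device in table main (empty on a point-to-point link without "via").
gateway_of() {
    ip -4 route show default dev "$1" 2>/dev/null |
        awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# table_cmds IFACE TABLE PRIO ADDR/PLEN GW -> the ip(8) commands for one link.
# Deleting the rule and flushing the table first is what makes a re-run
# idempotent: no "RTNETLINK answers: File exists" on the second pass.
table_cmds() {
    ifc=$1 tbl=$2 prio=$3 cidr=$4 gw=$5
    net=$(network_of "$cidr")
    src=${cidr%/*}
    echo "ip rule del prio $prio 2>/dev/null || true"
    echo "ip route flush table $tbl"
    echo "ip rule add prio $prio from $net table $tbl"
    if [ -n "$gw" ]; then
        echo "ip route add default via $gw dev $ifc src $src proto static table $tbl"
        # The link's own default route must not also compete in table main.
        echo "ip route del default via $gw dev $ifc table main 2>/dev/null || true"
    else
        echo "ip route add default dev $ifc src $src proto static table $tbl"
    fi
    echo "ip route append prohibit default table $tbl metric 1 proto static"
}

# rebuild_link IFACE TABLE PRIO: read the live state, then print or apply.
rebuild_link() {
    line=$(ip -o -4 addr show dev "$1" scope global | head -n 1)
    [ -n "$line" ] || { echo "$1: no IPv4 address yet, skipping" >&2; return 1; }
    cmds=$(table_cmds "$1" "$2" "$3" "$(parse_addr "$line")" "$(gateway_of "$1")")
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$cmds" | sh -e && ip route flush cache
    else
        printf '%s\n' "$cmds"
    fi
}

# Hook usage:  APPLY=1 multiwan.sh eth0 T1 201   (dhclient passes $interface,
# pppd ip-up passes $IFNAME). Without arguments only the functions are defined.
if [ $# -ge 3 ]; then rebuild_link "$@"; fi
```

Run it once per link from the hook (eth0 T1 201, eth2 T2 202, and so on); the equal-cost T6 table and the fwmark rules from the original script can then be rebuilt the same way from the gateways the hook discovered. The check that the modem's WAN side is really up is a separate problem, as Grant explains below: a reachable modem LAN port says nothing about the line behind it.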
From gtaylor at riverviewtech.net Wed Oct 31 17:34:37 2007 From: gtaylor at riverviewtech.net (Grant Taylor) Date: Wed Oct 31 17:34:06 2007 Subject: [LARTC] multigateway routing with adsl and dynamic ip In-Reply-To: <33723.46916.qm@web32504.mail.mud.yahoo.com> References: <33723.46916.qm@web32504.mail.mud.yahoo.com> Message-ID: <4728AE9D.2090904@riverviewtech.net>

On 10/31/07 06:18, sonu chouhan wrote:
> I am not much of an expert in Linux and don't have proper knowledge of
> script writing, so I am showing my problem again in detail below.

Eh, sounds like a good time to learn something with the help of others. ;)

> I am using 4 ADSL lines from the same ISP. My ADSL modems are working as
> NAT routers, so I can get static private IPs on my Linux multi-gateway
> router. All is working fine, but an ADSL router's WAN port hangs
> sometimes, every 4 to 5 days, and my Linux router doesn't detect that
> one line is down because the gateway is still up (i.e. the ADSL modem's
> LAN port is working). I have tried many different modems of different
> makes but the problem is the same, and when I use the ADSL modem as a
> bridge there is no problem with the modem, so I have decided to change
> my ADSL modems to bridge mode. But my ISP only provides dynamic IPs,
> and I am also getting many problems, which I am showing you below with
> my rules, which are working fine.

> So please help me out with how I can make a script; I don't want to run
> any script manually because the IP changes every few hours.

I will say that based on what I know and have experienced, you are biting off more than you realize.

First there is the fact that with your modems in bridging mode you will have multiple IPs from the same provider, probably all on the same subnet and thus all having the same upstream gateway, which Linux cannot (directly) use like you are wanting to.
If your modems are not bridging but rather routing, Linux will indeed not detect that the modem acting as a router has a defunct outbound connection, because it can communicate with the router itself.

Based on my experience, I think you will be better off having some system handle the routing for each modem. I don't care if you have the modems act as a router, or bridge them and put a router behind them, or bridge them and do some VERY fancy stuff with Linux. However you do it, I'd suggest that you use a router that is capable of informing the other router(s), say your Linux box, when its ADSL connection is down and as such to not use said router. Usually this is done with routing protocols.

With these multiple (physical or virtual) routers Linux will see different IP addresses for them and as such be able to use them as 'nexthop' gateways, thus be able to use them for load balancing / equal cost multi-path routing. Even if all the modems and your Linux box share one common small subnet, the fact that the routers have different IPs makes them something that Linux can work with. (Granted you could do some dastardly things with bridging and the like so that Linux thinks that it really does have multiple routers on one subnet when it really does not, but I think that is more than a bit beyond what you are asking. For now avoid doing this.)

The reason that Linux is trying to use the modems (acting as routers) is because it is not aware that the modem (acting as a router) has a bad connection. Linux's "Dead Gateway Detection" algorithms detect when they cannot reach the immediate upstream gateway on the MAC layer (2). Thus if Linux can talk to the modem (acting as a router) at all, say ping it, ARP it, whatever to it, Linux believes the router (a.k.a. gateway) is very much alive and thus available for use.
(Granted you may be able to do something with ICMP redirects to encourage the Linux box to use a different router, but this is so far out of the norm I will not even speculate on the viability. For now avoid doing this.)

> thanks in advance.

Does this at least help you know what you are up against?

Grant. . . .

From darko at veze.net Wed Oct 31 21:06:14 2007 From: darko at veze.net (Darko) Date: Wed Oct 31 20:07:06 2007 Subject: [LARTC] tc filter AP device Message-ID: <200710312106.14518.darko@veze.net>

Hi,

I am trying to set up packet classifying on a wireless AP device for transfers between two wireless clients, without success. It seems that packets are always going through the default class. Marking packets succeeds only with ebtables plus the madwifi patch, but the appropriate filter doesn't react to it (examined by the counter stats of ebtables and tc). A u32 match with an ip dst match of one client, and even 0.0.0.0/0, didn't get any luck.

My questions are: how can I debug the process of deciding which class a packet is going to, could "protocol ip" be responsible for the packet not being classified, and is there some filter rule which can always pick a packet?

p.s. When the source of the packet is another interface it works OK, and with tcpdump I can normally see the communication between the clients (Ethereal shows Ethernet II packet Type IP).

Thanks,
Darko

From wxu at max-t.com Wed Oct 31 20:39:13 2007 From: wxu at max-t.com (William Xu) Date: Wed Oct 31 20:42:36 2007 Subject: [LARTC] TC (HTB) doesn't work well when network is congested? In-Reply-To: <47226CBE.5070503@rabbit.us> References: <4720C673.7040900@max-t.com> <4720D0C1.3040309@rabbit.us> <4720DE7B.10404@max-t.com> <472106F8.1080808@rabbit.us> <4721EF2B.7020708@max-t.com> <47226CBE.5070503@rabbit.us> Message-ID: <4728D9E1.9040902@max-t.com>

Thank you, Peter,

After changing CONFIG_HZ to 1000, TC works much better. I still need to limit the total bandwidth to 110MB/s (about 90% of 125MB/s), but that's normal I guess.
Thanks again, william Peter Rabbitson wrote: > William Xu wrote: > >> Hi Peter, thanks for looking at this. >> >> Here are the information I got after running tests. The client1 got >> 7MB/s instead of 40MB/s for SEND, >> and 40MB/s for RECV during the test. >> >> Thanks, >> william >> >> # ip link show >> >> ... >> 5: eth2: mtu 9000 qdisc htb qlen 1000 >> link/ether 00:e0:ed:04:9f:a2 brd ff:ff:ff:ff:ff:ff >> ... >> 12: ifb0: mtu 9000 qdisc htb qlen 32 >> link/ether f2:f2:77:f9:cf:30 brd ff:ff:ff:ff:ff:ff >> >> #tc qdisc show >> qdisc pfifo_fast 0: dev eth0 root bands 3 priomap 1 2 2 2 1 2 0 0 1 >> 1 1 1 1 1 1 1 >> qdisc ingress ffff: dev eth2 ---------------- >> qdisc htb 1: dev eth2 r2q 100 default 30 direct_packets_stat 0 >> qdisc pfifo_fast 0: dev eth3 root bands 3 priomap 1 2 2 2 1 2 0 0 1 >> 1 1 1 1 1 1 1 >> qdisc pfifo_fast 0: dev eth4 root bands 3 priomap 1 2 2 2 1 2 0 0 1 >> 1 1 1 1 1 1 1 >> qdisc pfifo_fast 0: dev eth5 root bands 3 priomap 1 2 2 2 1 2 0 0 1 >> 1 1 1 1 1 1 1 >> qdisc pfifo_fast 0: dev eth6 root bands 3 priomap 1 2 2 2 1 2 0 0 1 >> 1 1 1 1 1 1 1 >> qdisc pfifo_fast 0: dev eth7 root bands 3 priomap 1 2 2 2 1 2 0 0 1 >> 1 1 1 1 1 1 1 >> qdisc pfifo_fast 0: dev eth8 root bands 3 priomap 1 2 2 2 1 2 0 0 1 >> 1 1 1 1 1 1 1 >> qdisc htb 1: dev ifb0 r2q 100 default 30 direct_packets_stat 0 >> >> #tc -s -d class show dev ifb0 >> class htb 1:10 parent 1:1 prio 0 quantum 200000 rate 320000Kbit ceil >> 960000Kbit burst 169000b/64 mpu 0b overhead 0b cburst 489000b/64 mpu >> 0b overhead 0b level 0 >> Sent 2366125838 bytes 928639 pkt (dropped 0, overlimits 0 requeues 0) >> rate 0bit 0pps backlog 0b 0p requeues 0 >> lended: 925807 borrowed: 2832 giants: 0 >> tokens: 4224 ctokens: 4075 >> >> class htb 1:1 root rate 960000Kbit ceil 960000Kbit burst 489000b/64 >> mpu 0b overhead 0b cburst 489000b/64 mpu 0b overhead 0b level 7 >> Sent 36927678674 bytes 6132723 pkt (dropped 0, overlimits 0 requeues 0) >> rate 2672bit 1pps backlog 0b 0p requeues 0 >> lended: 
1131873 borrowed: 0 giants: 0 >> tokens: 4074 ctokens: 4074 >> >> class htb 1:30 parent 1:1 prio 1 quantum 200000 rate 640000Kbit ceil >> 960000Kbit burst 328960b/64 mpu 0b overhead 0b cburst 489000b/64 mpu >> 0b overhead 0b level 0 >> Sent 34561552836 bytes 5204084 pkt (dropped 44, overlimits 0 requeues 0) >> rate 528bit 0pps backlog 0b 0p requeues 0 >> lended: 4075043 borrowed: 1129041 giants: 0 >> tokens: 4108 ctokens: 4074 >> >> #tc -s -d class show dev eth2 >> class htb 1:10 parent 1:1 prio 0 quantum 200000 rate 320000Kbit ceil >> 960000Kbit burst 169000b/64 mpu 0b overhead 0b cburst 489000b/64 mpu >> 0b overhead 0b level 0 >> Sent 12092794712 bytes 1544210 pkt (dropped 0, overlimits 0 requeues 0) >> rate 56bit 0pps backlog 0b 0p requeues 0 >> lended: 1543687 borrowed: 523 giants: 0 >> tokens: 4224 ctokens: 4075 >> >> class htb 1:1 root rate 960000Kbit ceil 960000Kbit burst 489000b/64 >> mpu 0b overhead 0b cburst 489000b/64 mpu 0b overhead 0b level 7 >> Sent 36872760531 bytes 7346321 pkt (dropped 0, overlimits 0 requeues 0) >> rate 288bit 0pps backlog 0b 0p requeues 0 >> lended: 40477 borrowed: 0 giants: 0 >> tokens: 4073 ctokens: 4073 >> >> class htb 1:30 parent 1:1 prio 1 quantum 200000 rate 640000Kbit ceil >> 960000Kbit burst 328960b/64 mpu 0b overhead 0b cburst 489000b/64 mpu >> 0b overhead 0b level 0 >> Sent 24779965819 bytes 5802111 pkt (dropped 0, overlimits 0 requeues 0) >> rate 176bit 0pps backlog 0b 0p requeues 0 >> lended: 5762157 borrowed: 39954 giants: 0 >> tokens: 4109 ctokens: 4073 >> >> > > The setup looks good. There are only two things that come to mind - > you have problems with TSO, or your clock is too slow. For the first > use ethtool -K to disable all 6 offloading parameters. For the second > check what is the value of CONFIG_HZ in the current kernel config > (/boot/config-), and if it is less than 1000 this > might be your problem as well. If none of those help - I am out of > ideas, hopefully someone else can help you. 
> > Peter

From andykras at hotmail.com Thu Nov 1 00:45:05 2007 From: andykras at hotmail.com (Andrew Kraslavsky) Date: Thu Nov 1 00:45:12 2007 Subject: [LARTC] Sluggish throughput with htb Message-ID:

All,

I have been using the following as a means of rate limiting access to the Internet via eth0 (which connects to my cable modem) and it was working great with my 2.4.20 kernel:

tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 1: htb default 1
tc class add dev eth0 parent 1: classid 1:1 htb rate 486kbit ceil 486kbit
tc qdisc add dev eth0 parent 1:1 handle 10: sfq perturb 10

However, after recently updating to kernel version 2.6.15, throughput on eth0 has become sluggish and it is only by disabling the above that performance is restored. Also, I see a whole slew of the following messages in my log:

qdisc_restart: Empty queue has non zero length 1

Any advice on how to approach this problem would be greatly appreciated.

Thanks,
- Andrew Kraslavsky

P.S. If I go back to my 2.4.20 kernel, throughput is restored.

From joshk at triplehelix.org Thu Nov 1 01:50:39 2007 From: joshk at triplehelix.org (Joshua Kwan) Date: Thu Nov 1 01:51:01 2007 Subject: [LARTC] Bridging two subnets selectively using routing Message-ID: <20071101005039.GA4906@triplehelix.org>

Hi LARTC,

I have two networks that I manage, A and B. They both have their own primary gateways for hosts on the network, let's call them AR and BR. There is another box, A1, which lives on network A but also has a wire connecting it to a switch on network B. My goal is to let hosts on B access three particular hosts on A's subnet (192.168.4.0/24) and let hosts on A access one particular host on B's subnet (10.3.0.0/24).
Suppose the IP addresses of the machines I wish to address on either network are A2, A3, A4 and B1.

A1 has IP 10.3.0.13 on network B and 192.168.4.10 on network A. Is it possible to just tell the gateways for each network:

on BR: ip route add {A2, A3, A4} via 10.3.0.13
on AR: ip route add B1 via 192.168.4.10

But when I do that, ping does something like:

PING A2 56(84) bytes of data.
From BR: Redirect Host (new nexthop: 10.3.0.13)

and doesn't actually report success on the ping.

What am I doing wrong? Is this a job for iptables? I feel like I can do this with just routing table magic.

Thanks,
-- Joshua Kwan

From georgi.alexandrov at gmail.com Thu Nov 1 13:08:28 2007 From: georgi.alexandrov at gmail.com (Georgi Alexandrov) Date: Thu Nov 1 13:08:54 2007 Subject: [LARTC] TC (HTB) doesn't work well when network is congested? In-Reply-To: <4728D9E1.9040902@max-t.com> References: <4720C673.7040900@max-t.com> <4720D0C1.3040309@rabbit.us> <4720DE7B.10404@max-t.com> <472106F8.1080808@rabbit.us> <4721EF2B.7020708@max-t.com> <47226CBE.5070503@rabbit.us> <4728D9E1.9040902@max-t.com> Message-ID: <4729C1BC.5010403@gmail.com>

William Xu wrote:
> Thank you, Peter,
>
> After changing CONFIG_HZ to 1000, TC works much better. I still need to
> limit the total bandwidth
> to 110MB/s (about 90% of 125MB/s), but that's normal I guess.

Yes, it's normal. Depending on the situation and tests you'll be allocating about 90% - 99% of the actual link capacity to tc. 100% will generally never work well, as link queues start filling up and you don't want this. You (tc) should be the bottleneck of the link, thus you can say what and how much goes where.

--
regards,
Georgi Alexandrov

key server - pgp.mit.edu :: key id - 0x37B4B3EE
Key fingerprint = E429 BF93 FA67 44E9 B7D4 F89E F990 01C1 37B4 B3EE
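What Peter's CONFIG_HZ advice comes down to is timer resolution: on a kernel whose qdisc timers still run off jiffies, a class is only serviced every 1/HZ seconds, so it can never move more than burst*HZ bytes per second, and a burst smaller than rate/HZ makes the configured rate unreachable (tc itself defaults burst to rate/HZ plus the MTU when none is given, using the HZ it reads from /proc/net/psched). The shell function below is an added check written for this thread, not code from William, Peter or Georgi: it parses saved `tc -s -d class show` output and flags every HTB class whose burst is below rate/HZ for the HZ you pass in. The sample input is the three class lines from William's ifb0 output quoted above with the statistics lines dropped; nothing on the system is changed. The check is necessary, not sufficient: a class that passes can still fall short for other reasons (TSO, a slow clock source), which is why the 90% headroom Georgi describes is still wanted.

```shell
#!/bin/sh
# Added example (not from the thread): check HTB burst sizes against the
# kernel timer resolution. With jiffy-driven qdisc timers a class is only
# serviced every 1/HZ s, so it can never exceed burst*HZ bytes/s; a burst
# below rate/HZ makes the configured rate unreachable. Reads saved
# "tc -s -d class show dev ..." text; nothing on the system is touched.

# htb_burst_check HZ  (tc output on stdin) -> one line per htb class:
#   <classid> rate=<B/s> burst=<B> need>=<B> ok|LOW
htb_burst_check() {
    awk -v hz="$1" '
        # "320000Kbit" -> bytes per second; tc prints bit/Kbit/Mbit/Gbit (K = 1000)
        function bytes_per_sec(r,   m) {
            m = 1
            if (r ~ /Gbit$/) m = 1000000000
            else if (r ~ /Mbit$/) m = 1000000
            else if (r ~ /Kbit$/) m = 1000
            sub(/[GMK]?bit$/, "", r)
            return (r * m) / 8
        }
        $1 == "class" && $2 == "htb" {
            rate = ""; burst = ""
            for (i = 3; i < NF; i++) {
                if ($i == "rate")  rate = bytes_per_sec($(i + 1))
                if ($i == "burst") { burst = $(i + 1); sub(/b.*$/, "", burst) }
            }
            if (rate == "" || burst == "") next
            need = rate / hz              # bytes one jiffy must be able to send
            printf "%s rate=%dB/s burst=%d need>=%d %s\n",
                   $3, rate, burst, need, ((burst + 0) < need ? "LOW" : "ok")
        }'
}

# Sample input: the three class lines from the ifb0 output quoted above
# (statistics lines dropped). Not a live capture.
SAMPLE='class htb 1:10 parent 1:1 prio 0 quantum 200000 rate 320000Kbit ceil 960000Kbit burst 169000b/64 mpu 0b overhead 0b cburst 489000b/64 mpu 0b overhead 0b level 0
class htb 1:1 root rate 960000Kbit ceil 960000Kbit burst 489000b/64 mpu 0b overhead 0b cburst 489000b/64 mpu 0b overhead 0b level 7
class htb 1:30 parent 1:1 prio 1 quantum 200000 rate 640000Kbit ceil 960000Kbit burst 328960b/64 mpu 0b overhead 0b cburst 489000b/64 mpu 0b overhead 0b level 0'

# Live use:   tc -s -d class show dev ifb0 | htb_burst_check 250
# Offline:    printf '%s\n' "$SAMPLE" | htb_burst_check 100
```

With the posted numbers every class passes at HZ=250 and HZ=1000 but all three come out LOW at HZ=100 (the root class alone would need a 1.2 MB burst there), which is the kind of mismatch that a CONFIG_HZ change or an explicit larger burst removes.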
From peet at altlinux.org Fri Nov 2 12:33:49 2007 From: peet at altlinux.org (Peter V. Saveliev) Date: Fri Nov 2 12:36:22 2007 Subject: [LARTC] HiPAC Message-ID: <200711021433.49761.peet@altlinux.org>

...

Is there anyone who has worked with HiPAC? (http://www.hipac.org/)

The project seems interesting, but orphaned.

--
Peter V. Saveliev

From bugfood-ml at fatooh.org Fri Nov 2 21:24:29 2007 From: bugfood-ml at fatooh.org (Corey Hickey) Date: Fri Nov 2 21:24:38 2007 Subject: [LARTC] Bridging two subnets selectively using routing In-Reply-To: <20071101005039.GA4906@triplehelix.org> References: <20071101005039.GA4906@triplehelix.org> Message-ID: <472B877D.10501@fatooh.org>

Joshua Kwan wrote:
> Hi LARTC,
>
> I have two networks that I manage, A and B. They both have their own
> primary gateways for hosts on the network, let's call them AR and BR.
> There is another box, A1, which lives on network A but also has a wire
> connecting it to a switch on network B. My goal is to let hosts on B
> access three particular hosts on A's subnet (192.168.4.0/24) and let
> hosts on A access one particular host on B's subnet (10.3.0.0/24).
>
> Suppose the IP addresses of the machines I wish to address on either
> network are A2, A3, A4 and B1.
>
> A1 has IP 10.3.0.13 on network B and 192.168.4.10 on network A. Is it
> possible to just tell the gateways for each network:
>
> on BR: ip route add {A2, A3, A4} via 10.3.0.13
> on AR: ip route add B1 via 192.168.4.10
>
> But when I do that, ping does something like:
>
> PING A2 56(84) bytes of data.
> From BR: Redirect Host (new nexthop: 10.3.0.13)

That's to be expected, as far as I understand.

> and doesn't actually report success on the ping.
> What am I doing wrong? Is this a job for iptables? I feel like I can do
> this with just routing table magic.
Well, nobody has given you a better answer yet, so I'll take a shot.

1. Check /proc/sys/net/ipv4/ip_forward on box A1 to see if it's configured to route at all.

2. The hosts on network A will receive packets from miscellaneous IP addresses in B's subnet, and not have any idea what to do with them. You'll need to either configure routes on the hosts in network A...

# ip route add 10.3.0.0/16 via 192.168.4.10 dev eth0

...or set up box A1 to SNAT packets

# iptables -t nat -A POSTROUTING -s 10.3.0.0/16 -d 192.168.4.0/24 \
    -j SNAT --to-source 192.168.4.10

You'll have to do something similar for the reverse direction, too.

I haven't tested what I wrote above; if it doesn't work, run tcpdump in various places to see what icmp packets are going where.

Honestly, though, I think you're setting yourself up for a decent headache trying to do it this way. In my opinion, the easy solution is in the first word of your subject line: just make host A1 a bridge. That's what I did when I originally set up that box, and it worked fine the whole time I managed it (actually, I didn't manage it at all, since the bridging never had any problems). Put both physical networks on the same IP subnet and enforce any desired firewalling/segmentation with a few simple iptables rules running on the bridge. If you're still using the same machine that used to do that job, you might be able to find the relevant configuration files lying around. If not, I'm sure I can recall at least most of the details.

Either way, if you need assistance, let me know and I'll be happy to stop by sometime and lend a hand.
-Corey

From gtaylor at riverviewtech.net Sat Nov 3 01:39:24 2007 From: gtaylor at riverviewtech.net (Grant Taylor) Date: Sat Nov 3 01:38:49 2007 Subject: [LARTC] Bridging two subnets selectively using routing In-Reply-To: <20071101005039.GA4906@triplehelix.org> References: <20071101005039.GA4906@triplehelix.org> Message-ID: <472BC33C.6010107@riverviewtech.net>

On 10/31/07 19:50, Joshua Kwan wrote:
> What am I doing wrong? Is this a job for iptables? I feel like I can
> do this with just routing table magic.

As Corey said, make sure that IP Forwarding is enabled on A1.

You are setting yourself up for a very weird scenario. Probably what would be the easiest for the long term would be to put a third network between your two routers, AR and BR. This way you end up with the following type of scenario:

                 +----+                      +----+
                 | AI |                      | BI |
                 +-+--+                      +--+-+
                   |                            |
                 +-+--+                      +--+-+
  ---( Net A )---+ AR +-----( Net C )--------+ BR +---( Net B )---
    |            +----+                      +----+            |
    |                                                          |
    |       +----+                                             |
    +-------+ A1 +---------------------------------------------+
            +----+

With this type of set up, you can configure both AR and BR so that each can reach the other's network via the other router on network C. I.e. AR can reach Net B via BR's IP on Net C. Likewise BR can reach Net A via AR's IP on Net C. This way, each and every computer on both networks A and B can reach any host they want to via their default gateway, AR or BR respectively. This may be a little more work to set up initially, but it is very simple routing that will be very easy to maintain for a long time. In this scenario Net C can very simply be a crossover cable between routers AR and BR.

Another option is to enable routing on A1 and tell A2, A3, and A4 that they can reach B1 via A1, and likewise tell B1 that it can reach A2, A3, and A4 via A1. Thus you have a bi-directional routing set up between just the four additional hosts.
The main disadvantage of this set up is that each and every host that wants to communicate across networks will have to have its own routing entries set up to pick the correct direction to route traffic to. So if you only have two or three hosts on each network and you cannot do the additional network (C) between the two routers, this will work.

There are some other things that you can do to allow the hosts to communicate across the networks, like bridging and / or proxy ARP. However, seeing as how you have different subnets on Net A and Net B, you will very likely be doing routing or multi-homing on all hosts to support bridging and / or proxy ARP.

I think your best bet is to do the additional network (C) between the two routers AR and BR.

Grant. . . .

From gtaylor at riverviewtech.net Sat Nov 3 01:51:15 2007 From: gtaylor at riverviewtech.net (Grant Taylor) Date: Sat Nov 3 01:50:37 2007 Subject: [LARTC] Bridging two subnets selectively using routing In-Reply-To: <472B877D.10501@fatooh.org> References: <20071101005039.GA4906@triplehelix.org> <472B877D.10501@fatooh.org> Message-ID: <472BC603.9090309@riverviewtech.net>

On 11/02/07 15:24, Corey Hickey wrote:
> 1. Check /proc/sys/net/ipv4/ip_forward on box A1 to see if it's
> configured to route at all.
>
> 2. The hosts on network A will receive packets from miscellaneous IP
> addresses in B's subnet, and not have any idea what to do with them.
> You'll need to either configure routes on the hosts in network A...
>
> # ip route add 10.3.0.0/16 via 192.168.4.10 dev eth0
>
> ...or set up box A1 to SNAT packets
>
> # iptables -t nat -A POSTROUTING -s 10.3.0.0/16 -d 192.168.4.0/24 -j
> SNAT --to-source 192.168.4.10
>
> You'll have to do something similar for the reverse direction, too.

You could do either of the above. However there should be a route from any box on either network to specific boxes on the other network.
Remember that the OP configured routes on AR and BR to reach host(s) on Net B and Net A (respectively) via A1. Thus when a host on Net B receives a packet from a host on Net A, it will reply via its default gateway, BR. BR will then redirect or route the packet back to A1, which will then send the packet directly on to the original host on Net A. This is all of course presuming that A1 is forwarding packets like it needs to be and that there are no firewalls in place blocking anything, especially reverse path filters.

> I haven't tested what I wrote above; if it doesn't work, run tcpdump
> in various places to see what icmp packets are going where.

TCPDump / Ethereal is your *FRIEND*!!!

> Honestly, though, I think you're setting yourself up for a decent
> headache trying to do it this way. In my opinion, the easy solution
> is in the first word of your subject line: just make host A1 a
> bridge. That's what I did when I originally set up that box, and it
> worked fine the whole time I managed it (actually, I didn't manage it
> at all, since the bridging never had any problems).

Bridging and / or proxy ARP by themselves will not solve this problem. Net A and Net B have different IP address ranges, thus even with a bridge in place the hosts will never communicate. In fact a bridge without anything else will just worsen the situation by passing broadcasts where they are not needed.

> Put both physical networks on the same IP subnet and enforce any
> desired firewalling/segmentation with a few simple iptables rules
> running on the bridge. If you're still using the same machine that
> used to do that job, you might be able to find the relevant
> configuration files lying around. If not, I'm sure I can recall at
> least most of the details.

Ugh. I'm going to presume that the networks have different IP address ranges and are not presently joined for a reason.
Thus combining the IP address ranges and bridging them together will actually be a regression in network config / technology / evolution.

Now if you want to bridge the networks together while still using the separate IP address ranges AND multi-home select boxen so that they are on both Net A and Net B, then bridging and / or proxy ARP will work just fine.

> Either way, if you need assistance, let me know and I'll be happy to
> stop by sometime and lend a hand.

You can drop a line in here too.

Grant. . . .

From bugfood-ml at fatooh.org Sat Nov 3 05:35:31 2007 From: bugfood-ml at fatooh.org (Corey Hickey) Date: Sat Nov 3 05:35:43 2007 Subject: [LARTC] Bridging two subnets selectively using routing In-Reply-To: <472BC603.9090309@riverviewtech.net> References: <20071101005039.GA4906@triplehelix.org> <472B877D.10501@fatooh.org> <472BC603.9090309@riverviewtech.net> Message-ID: <472BFA93.70601@fatooh.org>

Grant Taylor wrote:
> On 11/02/07 15:24, Corey Hickey wrote:
>> 1. Check /proc/sys/net/ipv4/ip_forward on box A1 to see if it's
>> configured to route at all.
>>
>> 2. The hosts on network A will receive packets from miscellaneous IP
>> addresses in B's subnet, and not have any idea what to do with them.
>> You'll need to either configure routes on the hosts in network A...
>>
>> # ip route add 10.3.0.0/16 via 192.168.4.10 dev eth0
>>
>> ...or set up box A1 to SNAT packets
>>
>> # iptables -t nat -A POSTROUTING -s 10.3.0.0/16 -d 192.168.4.0/24 -j
>> SNAT --to-source 192.168.4.10
>>
>> You'll have to do something similar for the reverse direction, too.
>
> You could do either of the above.

I meant to do both, which I think is necessary in order to make the OP's proposed scheme work without modification. I'll defer if I'm wrong, though--I haven't tested it, and, as you said in your other email, it's "a very weird scenario."

> However there should be a route from any box on either network to
> specific boxes on the other network.
> Remember that the OP configured
> routes on AR and BR to reach host(s) on Net B and Net A (respectively)
> via A1. Thus when a host on Net B receives a packet from a host on Net
> A, it will reply via its default gateway, BR. BR will then redirect or
> route the packet back to A1 which will then send the packet directly on
> to the original host on Net A. This is all of course presuming that A1
> is forwarding packets like it needs to be and that there are no
> firewalls in place blocking any thing, especially reverse path filters.

I don't think this will work unless BR has a route like:

# ip route add 192.168.4.0/24 via 10.3.0.13 dev eth0

...whereas the OP only specified wanting routes to a few specific machines rather than the whole networks.

In any case, debating that is probably academic, since I agree with you in principle. It should be cleaner to set up routes for the whole networks and use iptables rules on A1 to only allow traffic to/from specified hosts.

There are certainly different ways to do it, and I furthermore agree with you that using a separate link between AR and BR (as you suggested in your earlier message) is cleaner still.

I prefer bridging in this situation mostly because it distributes traffic and reduces the load on the routers.

>> I haven't tested what I wrote above; if it doesn't work, run tcpdump
>> in various places to see what icmp packets are going where.
>
> TCPDump / Etherial is your *FRIEND*!!!

:)

>> Honestly, though, I think you're setting yourself up for a decent
>> headache trying to do it this way. In my opinion, the easy solution
>> is in the first word of your subject line: just make host A1 a
>> bridge. That's what I did when I originally set up that box, and it
>> worked fine the whole time I managed it (actually, I didn't manage it
>> at all, since the bridging never had any problems).
>
> Bridging and / or proxy ARP by them selves will not solve this problem.
> Net A and Net B have different IP address ranges, thus even with a
> bridge in place the hosts will never communicate. In fact a bridge with
> out any thing else will just worsen the situation by passing broadcasts
> where they are not needed.

Absolutely.

>> Put both physical networks on the same IP subnet and enforce any
>> desired firewalling/segmentation with a few simple iptables rules
>> running on the bridge. If you're still using the same machine that
>> used to do that job, you might be able to find the relevant
>> configuration files lying around. If not, I'm sure I can recall at
>> least most of the details.
>
> Ugh. I'm going to presume that the networks have different IP address
> ranges and are not presently joined for a reason. Thus combining the IP
> address ranges and bridging them together will actually be a regression
> in network config / technology / evolution.

The two networks in question are rather small and occupy adjoining buildings. Network A had to be rebuilt after getting torn out while the corresponding building underwent a very intrusive retrofit and remodeling. Prior to that, the two networks were bridged and shared the same subnet. I don't know if the OP has a reason to isolate them from each other now.

I guess I'll go ahead and describe the former setup in a little detail.

Every host in the entire bridged network was given an IP address within the subnet 10.0.0.0/8. The bridge was configured to drop all DHCP packets, so there was a DHCP server on network A and another on network B.

Hosts on network A were given addresses in the following ranges[1]:

10.0.0.0/16
10.1.0.0/16
10.2.0.0/16

Hosts on network B were given addresses in the following range:

10.3.0.0/16

...but, regardless of which network a host was on, it still was given the /8 subnet, so hosts could communicate over the bridge without any further configuration. Since each network had its own router to the Internet, the DHCP servers also specified separate gateways.
The bridge was configured to drop packets with sources or destinations that didn't match the IP ranges corresponding to the source/destination networks[2]. That's all.

My philosophy was to allow unrestricted communication over the bridge and gently LART users that caused trouble (always inadvertently; Windows worms and such). If the OP wants to allow communication only to a few hosts, that's no more difficult--just write a few rules to accept desired traffic and then drop/reject the rest.

[1] Given the chance to do it over, I would have allocated addresses to network A from 10.0.0.0/18 and network B from 10.4.0.0/18 in order to simplify a little bit. Also, I should mention that the use of several /16 ranges doesn't mean we had anywhere near that many hosts; the separation was just for management.

[2] Just in case some users on network B tried to manually set their IP address and gateway in order to use the better Internet access of network A. Of course, they could still have tunneled through the bridge to an accomplice on network A, but they could have also used an accomplice's wireless router, or CAT-5 strung between rooftops, or RFC 1149, etc. I dealt with such things on a case-by-case basis. :)

-Corey

From db5 at exemail.com.au Sun Nov 4 13:04:19 2007
From: db5 at exemail.com.au (Fog_Watch)
Date: Sun Nov 4 13:04:45 2007
Subject: [LARTC] HFSC and that ATM overhead problem (Another VOIP QoS post. Ahhhh)
Message-ID: <20071104230419.6987d1d1@ns.fogwatch.com.au>

G'Day

I would like to be able to use my VOIP telephone over a saturated ADSL link whilst enjoying optimum audio quality and utilising all of the bandwidth I pay for. It is about this situation that I write.

HFSC appears to be the queueing discipline of choice for VOIP. In order for this to work, though, do I have to account for the ATM overhead in the small VOIP packets by defining my maximum root class bit rate as (measured max bit rate)*50% (or some other awful percentage)?
If the answer is yes to the above, does that mean that the next best solution would be HTB coupled with the newly updated http://www.adsl-optimizer.dk/? Would Shorewall with patched kernel and patched iproute2 be the most Luddite way of using adsl-optimizer?

Ah, so many questions, sorry.

Have a nice day.

Regards

Fog_Watch.

--
Lose wait. Get Gentoo.

From gustavo at angulosolido.pt Sun Nov 4 13:46:37 2007
From: gustavo at angulosolido.pt (Gustavo Homem)
Date: Sun Nov 4 13:46:45 2007
Subject: [LARTC] HFSC and that ATM overhead problem (Another VOIP QoS post. Ahhhh)
In-Reply-To: <20071104230419.6987d1d1@ns.fogwatch.com.au>
References: <20071104230419.6987d1d1@ns.fogwatch.com.au>
Message-ID: <200711041246.37295.gustavo@angulosolido.pt>

On Sunday 04 November 2007 12:04, Fog_Watch wrote:
> G'Day
>
> I would like to be able to use my VOIP telephone over a saturated
> ADSL link whilst enjoying optimum audio quality and utilising all of the
> bandwidth I pay for. It is about this situation that I write.
>
> HFSC appears to be the queueing discipline of choice for VOIP. In order
> for this to work, though, do I have to account for the ATM overhead in
> the small VOIP packets by defining my maximum root class bit rate as
> (measured max bit rate)*50% (or some other awful percentage)?
>
> If the answer is yes to the above, does that mean that the next best
> solution would be HTB coupled with the newly updated
> http://www.adsl-optimizer.dk/?

Ah! Thanks for pointing out to us that the kernel devs finally accepted the patches. Does someone know if the patched TC will work for kernel versions >= 2.6.24?

> Would Shorewall with patched kernel and
> patched iproute2 be the most Luddite way of using adsl-optimizer?
I don't use Shorewall, but rather an iptables script which works for most scenarios:

http://downloads.angulosolido.pt/iptables/

If you don't use a patched kernel and if your system has only two network interfaces, you can use a script like this one:

http://downloads.angulosolido.pt/QoS/HTB_shaper_basic.sh

and take the overhead into account empirically (this one is HTB based). That is, start with the value the modem is synchronized for, fill the line with the average traffic you expect and lower the values until it is OK. As you lower the upstream value you will find increasingly better latency values (try with ping + voip app).

The best way is indeed patching the kernel and tc so that the overhead is automatically taken into account. I haven't done it yet, since that process doesn't scale for using across multiple systems of different versions. Now that the kernel patches were accepted things may change :-)

Best regards

Gustavo

--
Angulo Sólido - Tecnologias de Informação
http://angulosolido.pt

From rasky at develer.com Sun Nov 4 15:34:07 2007
From: rasky at develer.com (Giovanni Bajo)
Date: Sun Nov 4 15:34:13 2007
Subject: [LARTC] HFSC and that ATM overhead problem (Another VOIP QoS post. Ahhhh)
In-Reply-To: <20071104230419.6987d1d1@ns.fogwatch.com.au>
References: <20071104230419.6987d1d1@ns.fogwatch.com.au>
Message-ID: <1194186847.7856.18.camel@DevelBook>

On dom, 2007-11-04 at 23:04 +1100, Fog_Watch wrote:
> HFSC appears to be the queueing discipline of choice for VOIP.

Is it? Any pointers?
--
Giovanni Bajo

From gtaylor at riverviewtech.net Sun Nov 4 21:14:14 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Sun Nov 4 21:14:20 2007
Subject: [LARTC] Bridging two subnets selectively using routing
In-Reply-To: <472BFA93.70601@fatooh.org>
References: <20071101005039.GA4906@triplehelix.org> <472B877D.10501@fatooh.org> <472BC603.9090309@riverviewtech.net> <472BFA93.70601@fatooh.org>
Message-ID: <472E2816.5070301@riverviewtech.net>

On 11/2/2007 11:35 PM, Corey Hickey wrote:
> I meant to do both, which I think is necessary in order to make the
> OPs proposed scheme work without modification. I'll defer if I'm
> wrong, though--I haven't tested it, and, as you said in your other
> email, it's "a very weird scenario."

As long as there are routes in both directions there should be no need for SNATing.

> I don't think this will work unless BR has a route like:
>
> # ip route add 192.168.4.0/24 via 10.3.0.13 dev eth0
>
> ...whereas the OP only specified wanting routes to a few specific
> machines rather than the whole networks.
>
> In any case, debating that is probably academic, since I agree with
> you in principle. It should be cleaner to set up routes for the whole
> networks and use iptables rules on A1 to only allow traffic to/from
> specified hosts.

Agreed. I misread the routes on the two routers AR and BR to be for the entire networks. Though again presuming there are routes, things should work. This is more just a semantic misinterpretation of the scope of what the routes are for.

> There are certainly different ways to do it, and I furthermore agree
> with you that using a separate link between AR and BR (as you
> suggested in your earlier message) is cleaner still.
>
> I prefer bridging in this situation mostly because it distributes
> traffic and reduces the load on the routers.

I can see how this would reduce load on the routers, but I don't believe that load on routers will be much of a concern.
(At least the routers that I use (pick any box (less than 10 years old) and install Linux) would do just fine.) However I would be concerned about broadcast storms being propagated across the bridge unnecessarily. But if steps are taken to mitigate that then it is probably not that big of an issue.

> The two networks in question are rather small and occupy adjoining
> buildings. Network A had to be rebuilt after getting torn out while
> the corresponding building underwent a very intrusive retrofit and
> remodeling. Prior to that, the two networks were bridged and shared
> the same subnet. I don't know if the OP has a reason to isolate them
> from each other now.

Ok... Obviously you are probably in a very unique position knowing the history of the network.

> I guess I'll go ahead and describe the former setup in a little
> detail.
>
> Every host in the entire bridged network was given an IP address
> within the subnet 10.0.0.0/8. The bridge was configured to drop all
> DHCP packets, so there was a DHCP server on network A and another on
> network B.

Ok...

> Hosts on network A were given addresses in the following ranges[1]:
>
> 10.0.0.0/16
> 10.1.0.0/16
> 10.2.0.0/16
>
> Hosts on network B were given addresses in the following range:
>
> 10.3.0.0/16
>
> ...but, regardless of which network a host was on, it still was given
> the /8 subnet, so hosts could communicate over the bridge without any
> further configuration.

Ok, you chose to do in bridging what most people do in routing. Seeing as how things were bridged you had to put things in place to stop things that would naturally leave the subnet. Your preference to have and work with.

> Since each network had its own router to the Internet, the DHCP
> servers also specified separate gateways. The bridge was configured
> to drop packets with sources or destinations that didn't match the IP
> ranges corresponding to the source/destination networks[2].

Ok...

> That's all.
So let me get this right, you did bridging rather than routing to avoid load on the router(s)? Yet you had to put more load on the bridging host to segregate the networks like they would be if they were routed while still allowing host to host communications between the two buildings? Strange

> My philosophy was to allow unrestricted communication over the bridge
> and gently LART users that caused trouble (always inadvertently;
> Windows worms and such). If the OP wants to allow communication only
> to a few hosts, that's no more difficult--just write a few rules to
> accept desired traffic and then drop/reject the rest.

Ok.

> [1] Given the chance to do it over, I would have allocated addresses
> to network A from 10.0.0.0/18 and network B from 10.4.0.0/18 in order
> to simplify a little bit. Also, I should mention that the use of
> several /16 ranges doesn't mean we had anywhere near that many hosts;
> the separation was just for management.

*nod*

> [2] Just in case some users on network B tried to manually set their
> IP address and gateway in order to use the better Internet access of
> network A. Of course, they could still have tunneled through the
> bridge to an accomplice on network A, but they could have also used
> an accomplice's wireless router, or CAT-5 strung between rooftops, or
> RFC 1149, etc. I dealt with such things on a case-by-case basis. :)

That's what a "Clue-by-4" is used for. ;)

All in all you chose to implement a solution in one way that very likely did exactly what you needed even if it was a bit different than what the industry norm would have been. Either way, bridging or routing, they both would have / do / will work.

Grant. . . .

From nozo at ziu.info Sun Nov 4 23:01:52 2007
From: nozo at ziu.info (Michal Soltys)
Date: Sun Nov 4 23:02:05 2007
Subject: [LARTC] HFSC and that ATM overhead problem (Another VOIP QoS post.
Ahhhh)
In-Reply-To: <1194186847.7856.18.camel@DevelBook>
References: <20071104230419.6987d1d1@ns.fogwatch.com.au> <1194186847.7856.18.camel@DevelBook>
Message-ID: <472E4150.9060702@ziu.info>

Giovanni Bajo wrote:
> On dom, 2007-11-04 at 23:04 +1100, Fog_Watch wrote:
>
>> HFSC appears to be the queueing discipline of choice for VOIP.
>
> Is it? Any pointers?

Well, it can decouple bandwidth and delay. And both are important here.

Some documentation pointers:

http://linux-ip.net/articles/hfsc.en/
http://www.cs.cmu.edu/~istoica/hfsc-tr.ps.gz (deep, but good read)
http://www.sonycsl.co.jp/~kjc/software/TIPS.txt (regarding implementation in *BSD)
http://marc.info/?t=107799591400001&r=1&w=2

From db5 at exemail.com.au Sun Nov 4 23:54:45 2007
From: db5 at exemail.com.au (Ian)
Date: Sun Nov 4 23:54:56 2007
Subject: [LARTC] HFSC and that ATM overhead problem (Another VOIP QoS post. Ahhhh)
In-Reply-To: <1194186847.7856.18.camel@DevelBook>
References: <20071104230419.6987d1d1@ns.fogwatch.com.au> <1194186847.7856.18.camel@DevelBook>
Message-ID: <20071105095445.3aa4557e@ns.fogwatch.com.au>

On Sun, 04 Nov 2007 15:34:07 +0100 Giovanni Bajo wrote:
> On dom, 2007-11-04 at 23:04 +1100, Fog_Watch wrote:
>
> > HFSC appears to be the queueing discipline of choice for VOIP.
>
> Is it? Any pointers?

I was going on gut instinct from vague information I read cruising around. Michal Soltys has given the hard references.

--
Lose wait. Get Gentoo.

From db5 at exemail.com.au Mon Nov 5 00:16:28 2007
From: db5 at exemail.com.au (Fog_Watch)
Date: Mon Nov 5 00:16:35 2007
Subject: [LARTC] HFSC and that ATM overhead problem (Another VOIP QoS post.
Ahhhh)
In-Reply-To: <200711041246.37295.gustavo@angulosolido.pt>
References: <20071104230419.6987d1d1@ns.fogwatch.com.au> <200711041246.37295.gustavo@angulosolido.pt>
Message-ID: <20071105101628.4954e478@ns.fogwatch.com.au>

On Sun, 4 Nov 2007 12:46:37 +0000 Gustavo Homem wrote:
> I don't use Shorewall, but rather an iptables script which works for
> most scenarios:

No disrespect, but that sounds too scary for me. I feel more comfortable if something like Shorewall is holding my hand.

> That is, start with the value the modem is synchronized for, fill the
> line with the average traffic you expect and lower the values until
> is OK. As you lower the upstream value you will find increasingly
> better latency values (try with ping + voip app).

Thanks for the explanation.

> doesn't scale for using across multiple systems of
> different versions.

I didn't understand that bit. What are the "systems" and "versions"?

Regards

Fog_Watch.

--
Lose wait. Get Gentoo.

From gustavo at angulosolido.pt Mon Nov 5 00:21:43 2007
From: gustavo at angulosolido.pt (Gustavo Homem)
Date: Mon Nov 5 00:21:57 2007
Subject: [LARTC] HFSC and that ATM overhead problem (Another VOIP QoS post. Ahhhh)
In-Reply-To: <20071105101628.4954e478@ns.fogwatch.com.au>
References: <20071104230419.6987d1d1@ns.fogwatch.com.au> <200711041246.37295.gustavo@angulosolido.pt> <20071105101628.4954e478@ns.fogwatch.com.au>
Message-ID: <200711042321.44017.gustavo@angulosolido.pt>

On Sunday 04 November 2007 23:16, Fog_Watch wrote:
> On Sun, 4 Nov 2007 12:46:37 +0000
>
> Gustavo Homem wrote:
> > I don't use Shorewall, but rather an iptables script which works for
> > most scenarios:
>
> No disrespect, but that sounds too scary for me. I feel more
> comfortable if something like Shorewall is holding my hand.

Takes more time the first time and less time from then on.

> > That is, start with the value the modem is synchronized for, fill the
> > line with the average traffic you expect and lower the values until
> > is OK.
> > As you lower the upstream value you will find increasingly
> > better latency values (try with ping + voip app).
>
> Thanks for the explanation.
>
> > doesn't scale for using across multiple systems of
> > different versions.
>
> I didn't understand that bit. What are the "systems" and "versions"?

If you manage multiple Linux systems with different versions you realize that patching the kernels for all, and retesting afterwards, takes quite some time. Then if you need a kernel upgrade, there you go again praying that the patches work.

The point was: the gain obtained from using those patches might not compensate the time investment, on the scenarios I work with. For a single setup, or multiple identical ones, it will pay off for sure.

Cheers

Gustavo

> Regards
>
> Fog_Watch.

--
Angulo Sólido - Tecnologias de Informação
http://angulosolido.pt

From db5 at exemail.com.au Tue Nov 6 11:14:39 2007
From: db5 at exemail.com.au (Fog_Watch)
Date: Tue Nov 6 11:15:02 2007
Subject: [LARTC] Re: HFSC and that ATM overhead problem (Another VOIP QoS post. Ahhhh)
In-Reply-To: <20071104230419.6987d1d1@ns.fogwatch.com.au>
References: <20071104230419.6987d1d1@ns.fogwatch.com.au>
Message-ID: <20071106211439.0bd5a50a@ns.fogwatch.com.au>

On Sun, 4 Nov 2007 23:04:19 +1100 Fog_Watch wrote:
> HFSC appears to be the queueing discipline of choice for VOIP.

In http://www.lartc.org/lartc.html it is stated that users of CBQ might suffer from the 'sendmail effect' - "which teaches us that any complex technology which doesn't come with documentation must be the best available." Perhaps I was suffering from the 'sendmail effect' when considering HFSC.

At http://forum.openwrt.org/viewtopic.php?pid=27049#p27049 there is an interesting passage that compares HTB and HFSC, and states how the priority setting of HTB in effect decouples latency and bandwidth. Based on this and the standard documentation (http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm) I think I'll have a crack at HTB first.
> does that mean that the next best
> solution would be HTB coupled with the newly updated
> http://www.adsl-optimizer.dk/?

In addition to the above I've looked at:

http://www.adsl-optimizer.dk/
http://ace-host.stuart.id.au/russell/files/tc/tc-atm/
http://edseek.com/archives/2006/03/13/linux-qos-tc-and-accounting-for-atm-overhead/

I am none the wiser about what I do to make adsl-optimizer go. What I'm going to do is establish sub-optimal shaping (probably Shorewall) and then maybe optimise later.

Interestingly, adsl-optimizer is now established under sourceforge (https://sourceforge.net/projects/adsl-optimizer/)

Regards

Fog_Watch.

--
Lose wait. Get Gentoo.

From guillermo.gomez at gmail.com Tue Nov 6 13:39:21 2007
From: guillermo.gomez at gmail.com ("Guillermo Gómez (Gomix)")
Date: Tue Nov 6 13:44:06 2007
Subject: [LARTC] dead router detection
Message-ID: <47306079.9050907@gmail.com>

Hi all

I would like to know what happens with a dead router in a multipath configuration like the one presented at http://lartc.org/howto/lartc.rpdb.multiple-links.html

Do I need to monitor dead routers and reconfigure?

Guillermo

From gtaylor at riverviewtech.net Tue Nov 6 19:00:52 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Tue Nov 6 19:00:17 2007
Subject: [LARTC] dead router detection
In-Reply-To: <47306079.9050907@gmail.com>
References: <47306079.9050907@gmail.com>
Message-ID: <4730ABD4.3070608@riverviewtech.net>

On 11/06/07 06:39, Guillermo Gómez (Gomix) wrote:
> I would like to know what happens with a dead router in a multipath
> configuration like the one presented
> http://lartc.org/howto/lartc.rpdb.multiple-links.html
>
> Do i need to monitor dead routers and reconfigure ?

Dead Gateway Detection (a.k.a. DGD) built in to stock Linux kernels will detect the death of immediately connected gateways. DGD will only work with gateways on the same subnet, not beyond other gateways.
DGD running on 'Client' below will detect the death of 'Router A' or 'Router B' but not 'Router C' nor 'Router D'. For 'Client' to be aware of the death of 'Router C' or 'Router D' a routing protocol will need to be used.

                +----------+       +----------+
            +---+ Router A +---+---+ Router C +---
+--------+  |   +----------+   |   +----------+
| Client +--+                  |
+--------+  |   +----------+   |   +----------+
            +---+ Router B +---+---+ Router D +---
                +----------+       +----------+

DGD is used for the Linux kernel to detect when a given router is unreachable and to fail over to the next available route. For this to work 'Client' would have to have the following two routes in place.

route add default gw metric
route add default gw metric

DGD will detect the failure of one gateway (route) and fall back to the next available gateway (route). One point of interest is that DGD purportedly only works with default routes, not routes to specific destinations. I have not personally used this so I can not say for sure.

I have tested the following scenario with stock Linux kernels and had success.

+-------------+                          +------------+
| 'A'    eth0 +---[Switch]---[Switch]---+ eth0   'B' |
|      dummy0 |                          | dummy0     |
|        eth1 +---[Switch]---[Switch]---+ eth1       |
+-------------+                          +------------+

I had two routes set up on each system so that the network bound to the opposing system's dummy0 was available via the opposing system's eth0 and eth1 interfaces. So each system had two routes to the opposing dummy0 network. I ran pings from one system's dummy0 interface to the other system's dummy0 interface. I then disconnected the ethernet cable from one of the system's eth interfaces. Within 60 seconds the system that I did not disconnect the cable on would realize that the gateway was dead and drop back to the one remaining gateway.
If I plugged the ethernet cable back in and manually restored the config on the system that I unplugged the cable from (when the interface went down the kernel removed its configuration) the system would send traffic back to the other system using both interfaces.

So, say I unplugged the cable from eth0 on B, A would realize that the route that used B:eth0 as the gateway was dead and so A would stop using that route. B would know immediately that replies needed to go back to A over eth1 because it already knew that it could not reach eth0 on A because its interface was down. Once I plugged the cable back in to eth0 on B and re-configured the IP address and routes back to A (again the kernel removed the interface config and routes when it saw the physical link was dead) B immediately started using both routes again. A allowed the traffic to come back in eth0 while still sending the traffic out eth1. After about 45 - 60 seconds of live traffic on eth0 the kernel on A decided that the gateway was back alive and started using the route again.

When I ran this test I was trying to make sure that A would work without any regard to B. B was under someone else's control and as such not my worry how it behaved. I found that A would detect the lack of the ability to reach B via one route or the other and start using the remaining route(s) as it should. I did not need to run any sort of monitoring of traffic on either eth0 or eth1 on A because I was able to rely on incoming traffic from both routes to increment the kernel's packet counters that were used by the DGD algorithm.

However if I was implementing both sides of this situation I would have needed to periodically do something like an ARPing to both eth0 and eth1 on B to make sure that they were both alive. More specifically, I would need to ARPing to see if the routes were resurrected. The kernel would watch packet counters to see when a route died.
However when the route died, there would be no normal traffic to start incrementing the counters when the route came back to life. Thus I would need to create the traffic via ARPing.

There is another issue that you need to be aware of with "Routing for multiple uplinks/providers". Namely when you use "Routing for multiple uplinks/providers" you have multiple external IP addresses that systems see you coming from. When you are coming from multiple external IP addresses, you can not shift traffic from one route to the other(s) without breaking where the connection appears to be from.

Grant. . . .

From andykras at hotmail.com Thu Nov 8 01:55:49 2007
From: andykras at hotmail.com (Andrew Kraslavsky)
Date: Thu Nov 8 01:56:04 2007
Subject: [LARTC] RE: Sluggish throughput with htb
Message-ID:

All,

Follow up to the problem I reported earlier:

> I have been using the following as a means of rate limiting
> access to the Internet via eth0 (which connects to my cable
> modem) and it was working great with my 2.4.20 kernel:
>
> tc qdisc del dev eth0 root
> tc qdisc add dev eth0 root handle 1: htb default 1
> tc class add dev eth0 parent 1: classid 1:1 htb rate 486kbit ceil 486kbit
> tc qdisc add dev eth0 parent 1:1 handle 10: sfq perturb 10
>
> However, after recently updating to kernel version 2.6.15,
> throughput on eth0 has become sluggish and it is only by
> disabling the above that performance is restored.
>
> Also, I see a whole slew of the following messages in my log:
>
> qdisc_restart: Empty queue has non zero length 1

I see negative "tokens" and "ctokens" values listed when I do a "show" on the class of eth0:

$ tc -s -d class show dev eth0
class htb 1:1 root leaf 10: prio 0 quantum 6075 rate 486000bit ceil 486000bit burst 2206b/8 mpu 0b overhead 0b cburst 2206b/8 mpu 0b overhead 0b level 0
 Sent 614100 bytes 578 pkts (dropped 0, overlimits 0)
 rate 31312bit 3pps backlog 106p
 lended: 472 borrowed: 0 giants: 0
 tokens: -33271 ctokens: -33271

Are the "tokens" and "ctokens" values ever supposed to be negative? If so, what does the negative value mean (e.g. borrowed or lent tokens?). If not, is this indicative of a problem that is at all familiar to anyone?

Thanks,

- Andrew Kraslavsky

From imthiyaz at peopletech.co.in Thu Nov 8 18:12:18 2007
From: imthiyaz at peopletech.co.in (Imthiyaz Ahmed)
Date: Thu Nov 8 18:12:43 2007
Subject: [LARTC] wan card routing
Message-ID: <8595daf70711080912m680da61x2f38da0ab0facbbf@mail.gmail.com>

Hi,

I am using a sangoma S5141 wan card. I have connected my modem to the card in a linux machine. The linux distribution I am using is Redhat AS 4. I am trying to replace the cisco router in my office with the sangoma S5141 wan card. I have configured the card in CHDLC where I am able to ping the serial IP, but with 80% packet loss. And if I browse any http or ftp or any sites I can't browse. When I put tcpdump on I am seeing an error like the one below, which means the far end is blocking some traffic.

IP > yahoo.com: port host unreachable - admin prohibited

The protocol status Lip Dev Prot State goes UP and DOWN.

Any ideas would be appreciated.

Thanks
Imthiyaz.
From gtaylor at riverviewtech.net Thu Nov 8 19:40:49 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Thu Nov 8 19:40:14 2007
Subject: [LARTC] wan card routing
In-Reply-To: <8595daf70711080912m680da61x2f38da0ab0facbbf@mail.gmail.com>
References: <8595daf70711080912m680da61x2f38da0ab0facbbf@mail.gmail.com>
Message-ID: <47335831.8070203@riverviewtech.net>

On 11/08/07 11:12, Imthiyaz Ahmed wrote:
> I am using sangoma S5141 wan card. I have connected my modem to the
> card in linux machine. The linux distribution I am using is Redhat AS
> 4, I am trying to replace the cisco router in my office with the
> sangoma S5141 wan card. I have configured the card in CHDLC where I
> can able to ping the serial IP, but with 80% of packet loss. And If I
> browse any http or ftp or any sites I cant able to browse. When I
> put tcpdump I am seeing the error like one as below, which means the
> far end is blocking some traffic.

I've not yet had the pleasure (I do want to work with it) of working with any WAN equipment under Linux, as such I can't say much for sure.

> IP > yahoo.com:port host
> unreachable - admin prohibited

This makes me believe that someone on the remote end is rejecting your traffic. Can you tell what host sent the 'host ... unreachable' message? If the host that sent the message is not on the other end of your WAN link, chances are good that the WAN link has nothing to do with the problem. Rather, someone further out in the net is blocking the traffic.

> The protocol status Lip Dev Prot State goes UP and DOWN.

From some quick Googling it looks like you are dealing with a PPP connection across your WAN, correct? If this is the case, is there a chance that the other end of the PPP connection is unhappy with something about your configuration and thus taking your connection down?

> Any ideas would be appreciated.

Speculation is all I really have.

Grant. . . .
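To apply Grant's test above (was the "admin prohibited" error sent by the far end of the serial link, or by a router further out?) to a tcpdump capture, here is an added Python helper. It is not code from this thread; the tcpdump lines, the WAN_PEER address and the LOCAL_NETS list are constructed stand-ins for the real link.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed values standing in for the real link: the far end of the
# CHDLC/serial link, and the networks that belong to us.
WAN_PEER = "203.0.113.1"
LOCAL_NETS = ["192.0.2.0/24", "203.0.113.2/32"]

# tcpdump renders ICMP type 3 / code 10 as
#   "IP <reporter> > <our host>: ICMP host <original dst> unreachable - admin prohibited"
# The reporter is the router that applied the filter, which is what we want.
ICMP_ADMIN_PROHIBITED = re.compile(
    r"IP (?P<reporter>[\d.]+) > (?P<victim>[\d.]+): "
    r"ICMP (?:host|net) (?P<dest>[\d.]+) unreachable - admin prohibited"
)

# Constructed tcpdump output: one rejection from the WAN peer, one from a
# router two hops out, an unrelated SYN, and one from our own LAN router.
SAMPLE_CAPTURE = """\
09:12:01.100 IP 203.0.113.1 > 192.0.2.10: ICMP host 198.51.100.80 unreachable - admin prohibited, length 36
09:12:01.300 IP 198.51.100.7 > 192.0.2.10: ICMP host 198.51.100.80 unreachable - admin prohibited, length 36
09:12:02.000 IP 192.0.2.10.50123 > 198.51.100.80.80: Flags [S], seq 1, win 5840, length 0
09:12:02.400 IP 192.0.2.1 > 192.0.2.10: ICMP host 198.51.100.81 unreachable - admin prohibited, length 36
"""


def classify_unreachables(lines, wan_peer=WAN_PEER, local_nets=LOCAL_NETS):
    """Return (reporter, original_dest, verdict) for each admin-prohibited error.

    The verdict is decided by who sent the ICMP error:
      'wan-peer'  the far end of the serial link itself rejected the packet
      'local'     one of our own hosts rejected it (check local ACLs first)
      'upstream'  a router beyond the WAN link; the link is not the culprit
    """
    peer = ip_address(wan_peer)
    nets = [ip_network(n, strict=False) for n in local_nets]
    results = []
    for line in lines:
        m = ICMP_ADMIN_PROHIBITED.search(line)
        if not m:
            continue  # not an admin-prohibited error; ignore the line
        reporter = ip_address(m["reporter"])
        if reporter == peer:
            verdict = "wan-peer"
        elif any(reporter in net for net in nets):
            verdict = "local"
        else:
            verdict = "upstream"
        results.append((str(reporter), m["dest"], verdict))
    return results


def summarize(results):
    """Count verdicts so the dominant source of rejections stands out."""
    counts = {}
    for _, _, verdict in results:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    # Feed the output of e.g. "tcpdump -n -i <wan interface> icmp" here.
    found = classify_unreachables(SAMPLE_CAPTURE.splitlines())
    for reporter, dest, verdict in found:
        print(f"{reporter:>15} rejected traffic to {dest:<15} -> {verdict}")
    print(summarize(found))
```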
From default at advaita.sytes.net Thu Nov 8 22:10:25 2007
From: default at advaita.sytes.net (John Default)
Date: Thu Nov 8 22:10:42 2007
Subject: [LARTC] wan card routing
In-Reply-To: <8595daf70711080912m680da61x2f38da0ab0facbbf@mail.gmail.com>
References: <8595daf70711080912m680da61x2f38da0ab0facbbf@mail.gmail.com>
Message-ID: <47337B41.9070308@advaita.sytes.net>

Hi

From your description it looks like there are more problems combined or connected. I would recommend to first check just your serial connection to the next hop with whatever tools are available and only then to try resolving that "destination unreachable - admin prohibited" problem.

Imthiyaz Ahmed wrote:
> Hi,
> I am using sangoma S5141 wan card. I have connected my modem to the
> card in linux machine. The linux distribution I am using is Redhat AS
> 4, I am trying to replace the cisco router in my office with the
> sangoma S5141 wan card. I have configured the card in CHDLC where I
> can able to ping the serial IP, but with 80% of packet loss

Can you show some longer ping output? 80% loss can be 4 of 5 packets missing but that shows nothing; a longer ping run may show some non-randomness (like the line protocol going up and down you describe) maybe pointing to encapsulation problems... You could also try to ping with packets of small and larger sizes and look for CRC errors... If the packet loss is completely random, it could be a hardware/cable/noise/whatever problem.

> . And If I browse any http or ftp or any sites I cant able to browse.
> When I put tcpdump I am seeing the error like one as below, which
> means the far end is blocking some traffic.
>
> IP > yahoo.com : port host
> unreachable - admin prohibited
> The protocol status Lip Dev Prot State goes UP and DOWN.
>

If you see the interface going up down up down, it can be anything from hardware to encapsulation.
maybe if you reconnected the old cisco router and tried "sh interfaces serial", "show controllers serial" and similar debugging commands, and then tried checking against output of debugging tools for your new card, it would show some differences in setup. hardware or encapsulation problems could confuse upper layers to the point that other side of the link now refuses to forward packets for you... > Any ideas would be appreciated. And if you've got lots of time, and proper cables and experience, you could try to connect your card directly to your old router and test your card and setup locally, but that would require you to really know what you are doing. > Thanks > Imthiyaz. > Good luck john default -- ___________________________________ S pozdravom / Best regards John Default tel: + 421 907 294 849 icq: 277 131 242 mail: default@advaita.sytes.net jab: defaultadvaita@jabber.org __________________________________ From gypsy at iswest.com Fri Nov 9 03:49:08 2007 From: gypsy at iswest.com (gypsy) Date: Fri Nov 9 03:49:17 2007 Subject: [LARTC] RE: Sluggish throughput with htb References: Message-ID: <4733CAA4.15DA81F5@iswest.com> Andrew Kraslavsky wrote: > > All, > > Follow up to the problem I reported earlier: > > > I have been using the following as a means of rate limiting > > access to the Internet via eth0 (which connects to my cable > > modem) and it was working great with my 2.4.20 kernel: > > > > tc qdisc del dev eth0 root > > tc qdisc add dev eth0 root handle 1: htb default 1 > > tc class add dev eth0 parent 1: classid 1:1 htb rate 486kbit ceil 486kbit > > tc qdisc add dev eth0 parent 1:1 handle 10: sfq perturb 10 > > > > However, after recently updating to kernel version 2.6.15, > > throughput on eth0 has become sluggish and it is only by > > disabling the above that performance is restored.
> > > > Also, I see a whole slew of the following messages in my log: > > > > qdisc_restart: Empty queue has non zero length 1 > > I see negative "tokens" and "ctokens" values listed when I do a "show" on the class of eth0: > > $ tc -s -d class show dev eth0 > > class htb 1:1 root leaf 10: prio 0 quantum 6075 rate 486000bit ceil 486000bit burst 2206b/8 mpu 0b overhead 0b cburst 2206b/8 mpu 0b overhead 0b level 0 Why is the quantum so large? Is this a gigabit NIC? > Sent 614100 bytes 578 pkts (dropped 0, overlimits 0) > rate 31312bit 3pps backlog 106p This backlog and the 472 borrowed below are what are causing your negatives. > lended: 472 borrowed: 0 giants: 0 > tokens: -33271 ctokens: -33271 > > Are the "tokens" and "ctokens" values ever supposed to be negative? Yes. > If so, what does the negative value mean (e.g. borrowed or lent tokens?). I don't know. Read the HTB docs. If not, is this indicative of a problem that is at all familiar to anyone? > > Thanks, > > - Andrew Kraslavsky My guesses are: 1) The clock used by HTB is too slow. 2) This is a gigabit NIC not correctly set up. -- gypsy From kokdennis at yahoo.com Sat Nov 10 20:13:53 2007 From: kokdennis at yahoo.com (dennis kok) Date: Sat Nov 10 20:14:20 2007 Subject: [LARTC] The issue with IIS Server Message-ID: <396452.90486.qm@web44802.mail.sp1.yahoo.com> Hi All, I used MasterShaper (The frontend of tc), after setting the high priority on ack packets, our university website just can't be accessed while all the other website got no problems. 
The website is hosted on IIS 6.0, Windows 2003. The tc code below just makes our university website inaccessible:

tc qdisc add dev eth1 handle 1: root htb default 1
tc class add dev eth1 parent 1: classid 1:1 htb rate 1024Kbit
tc filter add dev eth1 parent 1:0 protocol all u32 match u32 0 0 classid 1:1
######### boost ACK packets
tc class add dev eth1 parent 1:1 classid 1:2 htb rate 64Kbit prio 1 quantum 1532
tc qdisc add dev eth1 handle 2: parent 1:2 sfq
tc filter add dev eth1 parent 1:1 protocol ip prio 1 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:2
######### Incoming Rules
tc qdisc add dev eth0 handle 1: root htb default 1
tc class add dev eth0 parent 1: classid 1:1 htb rate 512Kbit
tc filter add dev eth0 parent 1:0 protocol all u32 match u32 0 0 classid 1:1

However, the script below is OK for our university website:

tc qdisc add dev eth1 handle 1: root htb default 1
tc class add dev eth1 parent 1: classid 1:1 htb rate 1024Kbit
tc filter add dev eth1 parent 1:0 protocol all u32 match u32 0 0 classid 1:1
######### Incoming Rules
tc qdisc add dev eth0 handle 1: root htb default 1
tc class add dev eth0 parent 1: classid 1:1 htb rate 512Kbit
tc filter add dev eth0 parent 1:0 protocol all u32 match u32 0 0 classid 1:1

The difference is

######### boost ACK packets
tc class add dev eth1 parent 1:1 classid 1:2 htb rate 64Kbit prio 1 quantum 1532
tc qdisc add dev eth1 handle 2: parent 1:2 sfq
tc filter add dev eth1 parent 1:1 protocol ip prio 1 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:2

Is it possible that MTU(1532) caused issue for IIS on windows? Thanks Dennis __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
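The u32 filter in the "boost ACK packets" block above encodes its selection criteria as raw byte matches at fixed offsets, which makes it easy to misread. The following Python is an added example, not code from the thread or from MasterShaper: it re-implements those three matches (plus the `match ip protocol 6 0xff` check) over constructed IPv4/TCP packets so one can see exactly which segments the filter steers to class 1:2. Packet contents, addresses and port numbers are constructed sample data.

```python
import struct

# Offsets below are counted from the start of the IPv4 header, which is how
# tc's u32 classifier counts them for a "protocol ip" filter.

def u32_match_u8(pkt: bytes, value: int, mask: int, at: int) -> bool:
    """Equivalent of 'match u8 VALUE MASK at AT' on a packet buffer."""
    return len(pkt) > at and (pkt[at] & mask) == value

def u32_match_u16(pkt: bytes, value: int, mask: int, at: int) -> bool:
    """Equivalent of 'match u16 VALUE MASK at AT' (network byte order)."""
    return len(pkt) >= at + 2 and (struct.unpack_from("!H", pkt, at)[0] & mask) == value

def matches_ack_boost_filter(pkt: bytes) -> bool:
    """True if the filter from the post would send this packet to flowid 1:2."""
    # match ip protocol 6 0xff      -> protocol byte (offset 9) is TCP
    if not u32_match_u8(pkt, 6, 0xff, 9):
        return False
    # match u8 0x05 0x0f at 0       -> IHL == 5: 20-byte IP header, no options
    if not u32_match_u8(pkt, 0x05, 0x0f, 0):
        return False
    # match u16 0x0000 0xffc0 at 2  -> total length has bits 6..15 clear: < 64 bytes
    if not u32_match_u16(pkt, 0x0000, 0xffc0, 2):
        return False
    # match u8 0x10 0xff at 33      -> TCP flags byte (20 + 13) is exactly ACK
    return u32_match_u8(pkt, 0x10, 0xff, 33)

def build_tcp_packet(payload_len: int, flags: int, ihl: int = 5) -> bytes:
    """Constructed IPv4/TCP packet. Checksums stay zero; the filter never reads them."""
    ip_hlen = ihl * 4
    total_len = ip_hlen + 20 + payload_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_len, 0, 0, 64, 6, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    ip_hdr += b"\x00" * (ip_hlen - 20)          # zero-filled IP options when ihl > 5
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + b"\x00" * payload_len

def classify_samples() -> dict:
    """Run the filter over a handful of constructed segments."""
    samples = {
        "pure_ack": build_tcp_packet(0, 0x10),
        "ack_with_10_byte_payload": build_tcp_packet(10, 0x10),
        "ack_with_1460_byte_payload": build_tcp_packet(1460, 0x10),
        "psh_ack_no_payload": build_tcp_packet(0, 0x18),
        "syn": build_tcp_packet(0, 0x02),
        "pure_ack_with_ip_options": build_tcp_packet(0, 0x10, ihl=6),
    }
    return {name: matches_ack_boost_filter(pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:28s} -> {'1:2 (boost)' if hit else 'default 1:1'}")
```

Run against the samples, the filter matches not only zero-payload ACKs but any TCP segment shorter than 64 bytes whose flags byte is exactly ACK (a 10-byte data segment sent without PSH qualifies), and it never matches segments carrying IP options or with PSH/ACK set, because the flags byte then sits at a different offset or has a different value. Note also that `quantum 1532` is HTB's deficit round-robin quantum (the number of bytes a class may dequeue per turn), not an interface MTU, so it does not change packet sizes on the wire.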
From sawar at interia.pl Mon Nov 12 02:51:07 2007 From: sawar at interia.pl (sAwAr) Date: Mon Nov 12 02:51:18 2007 Subject: [LARTC] How to fight with encrypted p2p Message-ID: <20071112015107.4ECBBEB2BB@f05.poczta.interia.pl> Hi I believe that whole question is in topic. Is there any way to recognize ( and then shape ) p2p traffic which is encrypted? Modern p2p clients have this ability moreover some of them have this enabled by default. Now I'm using ipp2p for iptables but as I know this doesn't recognize encrypted traffic. Thanks in advance. Regards Szymon Turkiewicz From mohan.tux at gmail.com Mon Nov 12 04:48:11 2007 From: mohan.tux at gmail.com (Mohan Sundaram) Date: Mon Nov 12 04:54:53 2007 Subject: [LARTC] How to fight with encrypted p2p In-Reply-To: <20071112015107.4ECBBEB2BB@f05.poczta.interia.pl> References: <20071112015107.4ECBBEB2BB@f05.poczta.interia.pl> Message-ID: <4737CCFB.30607@vsnl.com> sAwAr wrote: > > Hi > > I believe that whole question is in topic. > Is there any way to recognize ( and then shape ) p2p traffic which is encrypted? > Modern p2p clients have this ability moreover some of them have this enabled by default. > Now I'm using ipp2p for iptables but as I know this doesn't recognize encrypted traffic. > > Thanks in advance. > > Regards > Szymon Turkiewicz Have not tried this. An idea. P2P initiations are not encrypted AFAIK. Thus connections can be marked and related traffic shaped. If initiation is also encrypted, then I think we have a serious problem.
Mohan From operations at cynicbytrade.com Mon Nov 12 08:02:41 2007 From: operations at cynicbytrade.com (David Bierce) Date: Mon Nov 12 08:03:33 2007 Subject: [LARTC] How to fight with encrypted p2p In-Reply-To: <4737CCFB.30607@vsnl.com> References: <20071112015107.4ECBBEB2BB@f05.poczta.interia.pl> <4737CCFB.30607@vsnl.com> Message-ID: <1027755C-A59F-4B36-AEA6-890EFB5B4364@cynicbytrade.com> Some P2P clients are nice about their encryption and negotiate encryption ahead of time using plain communication. I.E. Limewire, Azureus. However, some just start TLS and that is all you can see. Looking at ipp2p's signatures, I don't see anything that leads me to believe they track that kind of info. David Bierce On Nov 11, 2007, at 9:48 PM, Mohan Sundaram wrote: > sAwAr wrote: >> Hi >> I believe that whole question is in topic. Is there any way to >> recognize ( and then shape ) p2p traffic which is encrypted? >> Modern p2p clients have this ability moreover some of them have >> this enabled by default. Now I'm using ipp2p for iptables but as I >> know this doesn't recognize encrypted traffic. >> Thanks in advance. >> Regards >> Szymon Turkiewicz > Have not tried this. An idea. P2P initiations are not encrypted > AFAIK. Thus connections can be marked and related traffic shaped. If > initiation is also encrypted, then I think we have a serious problem.
> > Mohan > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc From sawar at interia.pl Mon Nov 12 12:17:13 2007 From: sawar at interia.pl (sawar) Date: Mon Nov 12 12:18:05 2007 Subject: [LARTC] How to fight with encrypted p2p In-Reply-To: <1027755C-A59F-4B36-AEA6-890EFB5B4364@cynicbytrade.com> References: <20071112015107.4ECBBEB2BB@f05.poczta.interia.pl> <4737CCFB.30607@vsnl.com> <1027755C-A59F-4B36-AEA6-890EFB5B4364@cynicbytrade.com> Message-ID: <200711121217.13406.sawar@interia.pl> Rtorrent which I use sometimes have ability to completely disable plain text communication : man rtorrent allow_incoming (allow incoming encrypted connections), try_outgoing (use encryption for outgoing connections), require (disable unencrypted handshakes), require_RC4 (also disable plaintext transmission after the initial encrypted handshake), enable_retry (if the initial outgoing connection fails, retry with encryption turned on if it was off or off if it was on), prefer_plain text (choose plaintext when peer offers a choice between plaintext transmission and RC4 encryption, otherwise RC4 will be used). and many other clients have similar abilities. I'm afraid that full encrypted and enabled by default communication is only a matter of time and we will lose this "fight" very soon. > Some clients P2P clients are nice about there encryption and negotiate > encryption ahead of time using plain communication. I.E. Limewire, > Azureus. However, some just start TLS and that is all you can see. > > Looking at ipp2ps signatures, I don't see anything that leads me to > believe they track that kind of info. > > > > David Bierce > > On Nov 11, 2007, at 9:48 PM, Mohan Sundaram wrote: > > sAwAr wrote: > >> Hi > >> I believe that whole question is in topic. Is there any way to > >> recognize ( and then shape ) p2p traffic which is encrypted? 
> >> Modern p2p clients have this ability moreover some of them have > >> this enabled by default. Now I'm using ipp2p for iptables but as I > >> know this doesn't recognize encrypted traffic. > >> Thanks in advance. > >> Pozdrawiam > >> Szymon Turkiewicz > > > > Have not tried this. An idea. P2P initiations are not encrypted > > AFAIK. Thus connections can be marked and related traffic shaped. If > > initiation is also encrypted, then I think we have a serious problem. > > > > Mohan > > _______________________________________________ > > LARTC mailing list > > LARTC@mailman.ds9a.nl > > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc From ams at toroid.org Tue Nov 13 06:52:45 2007 From: ams at toroid.org (Abhijit Menon-Sen) Date: Tue Nov 13 07:25:07 2007 Subject: [LARTC] using libnetfilter_queue Message-ID: <20071113055245.GA14889@toroid.org> Hi. Has anyone written or used, or does anyone know of, applications that use libnetfilter_queue to mangle packets in userspace before letting them proceed on their way? I'm wondering if it's possible to write a transparent proxy that way, and looking for examples and/or inspiration. Thanks. -- ams From stanczyk.marcin at gmail.com Tue Nov 13 12:58:53 2007 From: stanczyk.marcin at gmail.com (Marcin Stanczyk) Date: Tue Nov 13 12:59:29 2007 Subject: [LARTC] How to fight with encrypted p2p In-Reply-To: <20071112110007.97E3D44DC@outpost.ds9a.nl> References: <20071112110007.97E3D44DC@outpost.ds9a.nl> Message-ID: <4739917D.6000301@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > Hi > > I believe that whole question is in topic. > Is there any way to recognize ( and then shape ) p2p traffic which is encrypted? > Modern p2p clients have this ability moreover some of them have this enabled by default. 
> Now I'm using ipp2p for iptables but as I know this doesn't recognize encrypted traffic. > > Thanks in advance. > As far as I am concerned there is no way to recognize encrypted p2p. I've tested ipp2p, and layer7, and also Mikrotik's 3.0 p2p mark systems [ which in fact uses modified layer7 ], and none of them can recognize this traffic simply because it is encrypted. - -- [ ... and the Slackware for All... ] gpg_key: http://szuwar.mayhem.net.pl/keys/szuwar_mayhem-public.gpg -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) iD8DBQFHOZF96pLYJHrOtfoRAhxNAKCoOEqujQ8ibpeKKLcy4ODHXQmgAgCgh8Ur k+pLmHu2JzhZmM1mtxD9pL4= =DKs2 -----END PGP SIGNATURE----- From gtaylor at riverviewtech.net Tue Nov 13 16:09:32 2007 From: gtaylor at riverviewtech.net (Grant Taylor) Date: Tue Nov 13 16:08:57 2007 Subject: [LARTC] How to fight with encrypted p2p In-Reply-To: <20071112015107.4ECBBEB2BB@f05.poczta.interia.pl> References: <20071112015107.4ECBBEB2BB@f05.poczta.interia.pl> Message-ID: <4739BE2C.1020708@riverviewtech.net> On 11/11/07 19:51, sAwAr wrote: > Is there any way to recognize ( and then shape ) p2p traffic which is > encrypted? Modern p2p clients have this ability moreover some of > them have this enabled by default. Now I'm using ipp2p for iptables > but as I know this doesn't recognize encrypted traffic. Does this mean that we are down to handling traffic based on the sustained stream(s)? I.e. how long the streams have been active, how many packets per second, how many streams a given end point has, speed of traffic, average size of packets? Encrypted or not, I believe all traffic can be somewhat recognized by its usage pattern(s). However there may be more false positives. We may end up recognizing what we know as good and putting the rest at a lower class of service. Thoughts / comments / objections / flame wars? Grant. . . .
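One way to put Grant's suggestion into practice (classify by usage pattern, positively recognise what is known good, demote the rest) is an offline pass over flow records. This Python is an added example and not something from the thread, from ipp2p or from l7-filter: it builds per-host features from constructed flow records (duration, packets per second, average packet size, number of distinct remote peers on non-service ports) and maps each flow to an HTB class id. The thresholds, the port list and the class ids are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Ports we are willing to call "known good" without inspecting payload.
# Assumption for illustration; a real deployment derives this from its own policy.
KNOWN_GOOD_PORTS = {22, 25, 53, 80, 110, 143, 443, 993, 995}


@dataclass(frozen=True)
class Flow:
    """One conntrack-style flow record as a shaper might export it (constructed data)."""
    local: str          # host behind the shaper
    remote: str         # far end
    dport: int          # destination port at the far end
    duration_s: float   # how long the flow has been active
    packets: int
    bytes: int

    @property
    def avg_pkt_size(self) -> float:
        return self.bytes / self.packets if self.packets else 0.0

    @property
    def pps(self) -> float:
        return self.packets / self.duration_s if self.duration_s else 0.0


def endpoint_features(flows, sustained_s=30.0):
    """Aggregate the per-stream measures Grant lists into per-host features."""
    by_host = defaultdict(list)
    for f in flows:
        by_host[f.local].append(f)
    feats = {}
    for host, fl in by_host.items():
        sustained = [f for f in fl if f.duration_s >= sustained_s]
        feats[host] = {
            "peers": len({f.remote for f in fl}),
            "sustained_peers": len({f.remote for f in sustained}),
            "high_port_peers": len({f.remote for f in fl if f.dport not in KNOWN_GOOD_PORTS}),
            "median_pkt_size": median(f.avg_pkt_size for f in fl),
            "median_pps": median(f.pps for f in fl),
        }
    return feats


def classify_endpoints(flows, peer_threshold=8):
    """Tag each local host: 'known_good', 'swarm_like', or 'other' (not positively recognised)."""
    tags = {}
    for host, ft in endpoint_features(flows).items():
        if ft["high_port_peers"] >= peer_threshold and ft["sustained_peers"] >= peer_threshold:
            tags[host] = "swarm_like"      # many sustained flows to many peers on random ports
        elif ft["high_port_peers"] == 0:
            tags[host] = "known_good"      # only talks to recognised service ports
        else:
            tags[host] = "other"
    return tags


def tc_class_for(flow, endpoint_tags):
    """Map a flow to an HTB class id (class ids are assumed for illustration)."""
    tag = endpoint_tags.get(flow.local, "other")
    if tag == "swarm_like":
        return "1:30"                      # bulk: lowest priority, gets what is left over
    if flow.dport in KNOWN_GOOD_PORTS:
        return "1:10"                      # recognised services: top priority
    return "1:20"                          # unrecognised but not swarm-like: middle class


# Constructed sample flows: a web browser, an admin with SSH plus a game session,
# and a host with ten long-lived flows to ten different peers on high ports.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.10", 443, 12.0, 180, 150_000),
    Flow("10.0.0.5", "198.51.100.11", 80, 4.0, 40, 30_000),
    Flow("10.0.0.5", "198.51.100.1", 53, 0.1, 2, 200),
    Flow("10.0.0.7", "203.0.113.20", 22, 900.0, 3000, 300_000),
    Flow("10.0.0.7", "203.0.113.21", 27015, 600.0, 12000, 1_200_000),
] + [
    Flow("10.0.0.9", f"203.0.113.{100 + i}", 40000 + 37 * i, 180.0 + 10 * i, 2500, 2_500_000)
    for i in range(10)
]


def shaping_plan(flows=SAMPLE_FLOWS):
    """Return {(local, remote, dport): class_id} for every flow."""
    tags = classify_endpoints(flows)
    return {(f.local, f.remote, f.dport): tc_class_for(f, tags) for f in flows}


if __name__ == "__main__":
    for host, ft in endpoint_features(SAMPLE_FLOWS).items():
        print(host, ft)
    for key, cls in shaping_plan().items():
        print(key, "->", cls)
```

The per-host rule is deliberately conservative: a host is only demoted when it has many sustained flows to many distinct peers on non-service ports at the same time, which is the pattern a single encrypted flow cannot hide on its own. The false positives Grant anticipates also show up in the sample: 10.0.0.7's long game-server session lands in the middle class because nothing positively identified it, and every flow from the swarm-like host, including anything it sends to port 443, is demoted along with the rest.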
From c-d.hailfinger.devel.2006 at gmx.net Tue Nov 13 16:37:17 2007 From: c-d.hailfinger.devel.2006 at gmx.net (Carl-Daniel Hailfinger) Date: Tue Nov 13 16:36:24 2007 Subject: [LARTC] How to fight with encrypted p2p In-Reply-To: <4739BE2C.1020708@riverviewtech.net> References: <20071112015107.4ECBBEB2BB@f05.poczta.interia.pl> <4739BE2C.1020708@riverviewtech.net> Message-ID: <4739C4AD.8050503@gmx.net> On 13.11.2007 16:09, Grant Taylor wrote: > On 11/11/07 19:51, sAwAr wrote: >> Is there any way to recognize ( and then shape ) p2p traffic which is >> encrypted? Modern p2p clients have this ability moreover some of >> them have this enabled by default. Now I'm using ipp2p for iptables >> but as I know this doesn't recognize encrypted traffic. > > Does this mean that we are down to handling traffic based on the > sustained stream(s)? I.e. how long the streams have been active, how > many packets per second, how many streams a given end point has, speed > of traffic, average size of packets? > > Encrypted or not, I believe all traffic can be somewhat recognized by > its usage pattern(s). However there may be more false positives. We > may end up recognizing what we know as good and putting the rest at a > lower class of service. Well, you can surely try. But then again, I have been doing research (publication pending) in traffic-pattern-based detection of VoIP flows and peer-to-peer connections. While it usually is easy to find a pattern matching your particular traffic class very well, part of this research has been dedicated to automatically circumvent these systems. Why that? Simple. Application evolve to circumvent detection. If you can simulate that evolution in the lab, you can find out where your detection algorithms will fail. Of course, that enumeration of possible failure modes is non-exhaustive. Bottom line: This is an arms race. Unless you do lots of research and testing, detection will always be trying to catch up. 
If detection manages to catch up, circumvention will advance, but you may have a small time window where you can enjoy the "win". However, winning becomes more and more expensive. Clients can expend considerable amount of CPU power to avoid detection. You don't have that luxury in filter systems unless you have one filter per client. Regards, Carl-Daniel From gtaylor at riverviewtech.net Tue Nov 13 16:53:26 2007 From: gtaylor at riverviewtech.net (Grant Taylor) Date: Tue Nov 13 16:52:44 2007 Subject: [LARTC] How to fight with encrypted p2p In-Reply-To: <4739C4AD.8050503@gmx.net> References: <20071112015107.4ECBBEB2BB@f05.poczta.interia.pl> <4739BE2C.1020708@riverviewtech.net> <4739C4AD.8050503@gmx.net> Message-ID: <4739C876.4020602@riverviewtech.net> On 11/13/07 09:37, Carl-Daniel Hailfinger wrote: > Well, you can surely try. But then again, I have been doing research > (publication pending) in traffic-pattern-based detection of VoIP > flows and peer-to-peer connections. While it usually is easy to find > a pattern matching your particular traffic class very well, part of > this research has been dedicated to automatically circumvent these > systems. Why that? Simple. Application evolve to circumvent > detection. If you can simulate that evolution in the lab, you can > find out where your detection algorithms will fail. Of course, that > enumeration of possible failure modes is non-exhaustive. > > Bottom line: This is an arms race. Unless you do lots of research and > testing, detection will always be trying to catch up. If detection > manages to catch up, circumvention will advance, but you may have a > small time window where you can enjoy the "win". However, winning > becomes more and more expensive. Clients can expend considerable > amount of CPU power to avoid detection. You don't have that luxury in > filter systems unless you have one filter per client. All very good points with regard to pattern based detecting P2P (and the likes) traffic. 
What do you think about recognizing the traffic you do want and treating all else as a second or third class citizen. Or is this just a form of net neutrality? Or really is this entire discussion such. Further does the net neutrality issue apply to companies (read: non ISPs) wanting to filter their own internal traffic. Additionally as an aside will you please provide more information on your pending publication? I'd likely be curious to read (what ever) when ever it is published. Thanks in advance. Grant. . . . From konstantin at astafjev.com Tue Nov 13 17:08:03 2007 From: konstantin at astafjev.com (Konstantin Astafjev) Date: Tue Nov 13 17:20:15 2007 Subject: [LARTC] How to fight with encrypted p2p In-Reply-To: <4739BE2C.1020708@riverviewtech.net> References: <20071112015107.4ECBBEB2BB@f05.poczta.interia.pl> <4739BE2C.1020708@riverviewtech.net> Message-ID: <1806746580.20071113180803@astafjev.com> Hello , Tuesday, November 13, 2007, 5:09:32 PM, you wrote: > Encrypted or not, I believe all traffic can be somewhat recognized by > its usage pattern(s). However there may be more false positives. We > may end up recognizing what we know as good and putting the rest at a > lower class of service. > Thought's / comments / objections / flame wars? It's true that encrypted/unencrypted ratio of p2p traffic increased about 10 times for past 2 years. There were a lot of predictions before about such situation will happen. I guess that we have revise shaping policing by some usage patterns as Grant said before. I guess I'll start to reread about all netfilter features and it helps me to figure out how to solve this problem. 
-- Konstantin From marco.casaroli at gmail.com Tue Nov 13 17:32:03 2007 From: marco.casaroli at gmail.com (Marco Aurelio) Date: Tue Nov 13 17:32:09 2007 Subject: [LARTC] How to fight with encrypted p2p In-Reply-To: <200711121217.13406.sawar@interia.pl> References: <20071112015107.4ECBBEB2BB@f05.poczta.interia.pl> <4737CCFB.30607@vsnl.com> <1027755C-A59F-4B36-AEA6-890EFB5B4364@cynicbytrade.com> <200711121217.13406.sawar@interia.pl> Message-ID: <92ed523b0711130832j407aebebreff69c268aa23022@mail.gmail.com> As you might have seen, these are words from ipp2p author: """ I have seen some pieces of code from ipoque which can detect encrypted bittorrent and edonkey traffic. Unfortunately, this code will not work with iptables, because it needs more information about the flow history and the history of an ip address. Right now, I do not have the time and the money to develop a filter like this, but if you are interested in a development in this direction, please contact me. """ I *think* that we need something like a "bittorrent helper" in the kernel to keep this extra information about the flow history and then an iptables plugin to match. What do you think? Maybe we could contact him to know what kind of information is it? On Nov 12, 2007 9:17 AM, sawar wrote: > Rtorrent which I use sometimes have ability to completely disable plain text > communication : > > man rtorrent > allow_incoming (allow incoming encrypted connections), > try_outgoing (use encryption for outgoing connections), require (disable > unencrypted handshakes), require_RC4 (also disable plaintext > transmission after the initial encrypted handshake), enable_retry (if the > initial outgoing connection fails, retry with encryption turned on if it was > off or off if it was on), prefer_plain text (choose plaintext when peer > offers a choice between plaintext transmission and RC4 encryption, otherwise > RC4 will be used). > > and many other clients have similar abilities.
> I'm afraid that full encrypted and enabled by default communication is only a > matter of time and we will lose this "fight" very soon. > > > > Some clients P2P clients are nice about there encryption and negotiate > > encryption ahead of time using plain communication. I.E. Limewire, > > Azureus. However, some just start TLS and that is all you can see. > > > > Looking at ipp2ps signatures, I don't see anything that leads me to > > believe they track that kind of info. > > > > > > > > David Bierce > > > > On Nov 11, 2007, at 9:48 PM, Mohan Sundaram wrote: > > > sAwAr wrote: > > >> Hi > > >> I believe that whole question is in topic. Is there any way to > > >> recognize ( and then shape ) p2p traffic which is encrypted? > > >> Modern p2p clients have this ability moreover some of them have > > >> this enabled by default. Now I'm using ipp2p for iptables but as I > > >> know this doesn't recognize encrypted traffic. > > >> Thanks in advance. > > >> Pozdrawiam > > >> Szymon Turkiewicz > > > > > > Have not tried this. An idea. P2P initiations are not encrypted > > > AFAIK. Thus connections can be marked and related traffic shaped. If > > > initiation is also encrypted, then I think we have a serious problem. > > > > > > Mohan > > > _______________________________________________ > > > LARTC mailing list > > > LARTC@mailman.ds9a.nl > > > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > > > > _______________________________________________ > > LARTC mailing list > > LARTC@mailman.ds9a.nl > > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > -- Marco Casaroli SapucaiNet Telecom +55 35 34712377 ext. 
5 From klaus at ipp2p.org Wed Nov 14 10:42:23 2007 From: klaus at ipp2p.org (Klaus) Date: Wed Nov 14 10:42:53 2007 Subject: [LARTC] How to fight with encrypted p2p In-Reply-To: <92ed523b0711130832j407aebebreff69c268aa23022@mail.gmail.com> References: <20071112015107.4ECBBEB2BB@f05.poczta.interia.pl> <4737CCFB.30607@vsnl.com> <1027755C-A59F-4B36-AEA6-890EFB5B4364@cynicbytrade.com> <200711121217.13406.sawar@interia.pl> <92ed523b0711130832j407aebebreff69c268aa23022@mail.gmail.com> Message-ID: <473AC2FF.3000403@ipp2p.org> About ipp2p, Right now, the battle against p2p is lost with l7 detection from ipp2p, l7 filter and others. Why ?? It is a known fact that pattern matching does not work with full encrypted P2P handshakes based on DHT key exchange algorithms with byte padding. You have absolutely no byte pattern and no fixed packet lengths in the stream. So something like a flow history will fail or might have a very high false +ve rate. The thing is that there are proprietary solutions which can detect fully encrypted p2p streams based on a heuristic approach. (AFAIK ipoque is selling a proprietary library for this which is integrated in some firewall vendors). I have not seen any open source development into this direction. Klaus, (former) maintainer of ipp2p Marco Aurelio wrote: > As you might have seen, these are words from ipp2p author: > > """ > > I have seen some pieces of code from ipoque which can detect encypted bittorrent > and edonkey traffic. Unforunately, this code will not work with > iptables, because it needs > more information about the flow history and the history of an ip address. > > Right now, I do not have the time and the money to develop a filter > like this, but > if you are interested in a developement in this direction, please contact me. > > """ > > I *think* that we need something like a "bittorrent helper" in the > kernel to keep this extra information about the flow history and then > an iptables plugin to match. What do you think? 
Maybe we could contact > him to know what kind of information is it? > > > On Nov 12, 2007 9:17 AM, sawar wrote: >> Rtorrent which I use sometimes have ability to completely disable plain text >> communication : >> >> man rtorrent >> allow_incoming (allow incoming encrypted connections), >> try_outgoing (use encryption for outgoing connections), require (disable >> unencrypted handshakes), require_RC4 (also disable plaintext >> transmission after the initial encrypted handshake), enable_retry (if the >> initial outgoing connection fails, retry with encryption turned on if it was >> off or off if it was on), prefer_plain text (choose plaintext when peer >> offers a choice between plaintext transmission and RC4 encryption, otherwise >> RC4 will be used). >> >> and many other clients have similar abilities. >> I'm afraid that full encrypted and enabled by default communication is only a >> matter of time and we will lose this "fight" very soon. >> >> >>> Some clients P2P clients are nice about there encryption and negotiate >>> encryption ahead of time using plain communication. I.E. Limewire, >>> Azureus. However, some just start TLS and that is all you can see. >>> >>> Looking at ipp2ps signatures, I don't see anything that leads me to >>> believe they track that kind of info. >>> >>> >>> >>> David Bierce >>> >>> On Nov 11, 2007, at 9:48 PM, Mohan Sundaram wrote: >>>> sAwAr wrote: >>>>> Hi >>>>> I believe that whole question is in topic. Is there any way to >>>>> recognize ( and then shape ) p2p traffic which is encrypted? >>>>> Modern p2p clients have this ability moreover some of them have >>>>> this enabled by default. Now I'm using ipp2p for iptables but as I >>>>> know this doesn't recognize encrypted traffic. >>>>> Thanks in advance. >>>>> Pozdrawiam >>>>> Szymon Turkiewicz >>>> Have not tried this. An idea. P2P initiations are not encrypted >>>> AFAIK. Thus connections can be marked and related traffic shaped. 
If >>>> initiation is also encrypted, then I think we have a serious problem. >>>> >>>> Mohan >>>> _______________________________________________ >>>> LARTC mailing list >>>> LARTC@mailman.ds9a.nl >>>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc >>> _______________________________________________ >>> LARTC mailing list >>> LARTC@mailman.ds9a.nl >>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc >> _______________________________________________ >> LARTC mailing list >> LARTC@mailman.ds9a.nl >> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc >> > > > From s.cramatte at wanadoo.fr Wed Nov 14 15:32:23 2007 From: s.cramatte at wanadoo.fr (=?ISO-8859-1?Q?S=E9bastien_CRAMATTE?=) Date: Wed Nov 14 15:32:04 2007 Subject: [LARTC] How to fight with encrypted p2p In-Reply-To: <473AC2FF.3000403@ipp2p.org> References: <20071112015107.4ECBBEB2BB@f05.poczta.interia.pl> <4737CCFB.30607@vsnl.com> <1027755C-A59F-4B36-AEA6-890EFB5B4364@cynicbytrade.com> <200711121217.13406.sawar@interia.pl> <92ed523b0711130832j407aebebreff69c268aa23022@mail.gmail.com> <473AC2FF.3000403@ipp2p.org> Message-ID: <473B06F7.4070502@wanadoo.fr> Klauss, Could you Might be you can sponsor the development ... Regards Sébastien Klaus wrote: > About ipp2p, > > Right now, the battle against p2p is lost with l7 detection from ipp2p, > l7 filter and others. > > Why ?? It is a known fact that pattern matching does not work with full > encrypted P2P handshakes based on DHT key exchange algorithms with byte > padding. You have absolutely no byte pattern and no fixed packet lengths > in the stream. So something like a flow history will fail or might have > a very high false +ve rate. > > The thing is that there are proprietary solutions which can detect fully > encrypted p2p streams based on a heuristic approach. (AFAIK ipoque is > selling a proprietary library for this which is integrated in some > firewall vendors). I have not seen any open source development into this > direction.
> > Klaus, (former) maintainer of ipp2p > > > Marco Aurelio wrote: > >> As you might have seen, these are words from ipp2p author: >> >> """ >> >> I have seen some pieces of code from ipoque which can detect encypted bittorrent >> and edonkey traffic. Unforunately, this code will not work with >> iptables, because it needs >> more information about the flow history and the history of an ip address. >> >> Right now, I do not have the time and the money to develop a filter >> like this, but >> if you are interested in a developement in this direction, please contact me. >> >> """ >> >> I *think* that we need something like a "bittorrent helper" in the >> kernel to keep this extra information about the flow history and then >> an iptables plugin to match. What do you think? Maybe we could contact >> him to know what kind of information is it? >> >> >> On Nov 12, 2007 9:17 AM, sawar wrote: >> >>> Rtorrent which I use sometimes have ability to completely disable plain text >>> communication : >>> >>> man rtorrent >>> allow_incoming (allow incoming encrypted connections), >>> try_outgoing (use encryption for outgoing connections), require (disable >>> unencrypted handshakes), require_RC4 (also disable plaintext >>> transmission after the initial encrypted handshake), enable_retry (if the >>> initial outgoing connection fails, retry with encryption turned on if it was >>> off or off if it was on), prefer_plain text (choose plaintext when peer >>> offers a choice between plaintext transmission and RC4 encryption, otherwise >>> RC4 will be used). >>> >>> and many other clients have similar abilities. >>> I'm afraid that full encrypted and enabled by default communication is only a >>> matter of time and we will lose this "fight" very soon. >>> >>> >>> >>>> Some clients P2P clients are nice about there encryption and negotiate >>>> encryption ahead of time using plain communication. I.E. Limewire, >>>> Azureus. However, some just start TLS and that is all you can see. 
>>>> >>>> Looking at ipp2ps signatures, I don't see anything that leads me to >>>> believe they track that kind of info. >>>> >>>> >>>> >>>> David Bierce >>>> >>>> On Nov 11, 2007, at 9:48 PM, Mohan Sundaram wrote: >>>> >>>>> sAwAr wrote: >>>>> >>>>>> Hi >>>>>> I believe that whole question is in topic. Is there any way to >>>>>> recognize ( and then shape ) p2p traffic which is encrypted? >>>>>> Modern p2p clients have this ability moreover some of them have >>>>>> this enabled by default. Now I'm using ipp2p for iptables but as I >>>>>> know this doesn't recognize encrypted traffic. >>>>>> Thanks in advance. >>>>>> Pozdrawiam >>>>>> Szymon Turkiewicz >>>>>> >>>>> Have not tried this. An idea. P2P initiations are not encrypted >>>>> AFAIK. Thus connections can be marked and related traffic shaped. If >>>>> initiation is also encrypted, then I think we have a serious problem. >>>>> >>>>> Mohan >>>>> _______________________________________________ >>>>> LARTC mailing list >>>>> LARTC@mailman.ds9a.nl >>>>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc >>>>> >>>> _______________________________________________ >>>> LARTC mailing list >>>> LARTC@mailman.ds9a.nl >>>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc >>>> >>> _______________________________________________ >>> LARTC mailing list >>> LARTC@mailman.ds9a.nl >>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc >>> >>> >> >> > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > > > From s.cramatte at wanadoo.fr Wed Nov 14 15:44:56 2007 From: s.cramatte at wanadoo.fr (=?ISO-8859-1?Q?S=E9bastien_CRAMATTE?=) Date: Wed Nov 14 15:44:30 2007 Subject: [LARTC] How to fight with encrypted p2p In-Reply-To: <473B06F7.4070502@wanadoo.fr> References: <20071112015107.4ECBBEB2BB@f05.poczta.interia.pl> <4737CCFB.30607@vsnl.com> <1027755C-A59F-4B36-AEA6-890EFB5B4364@cynicbytrade.com> 
<200711121217.13406.sawar@interia.pl> <92ed523b0711130832j407aebebreff69c268aa23022@mail.gmail.com> <473AC2FF.3000403@ipp2p.org> <473B06F7.4070502@wanadoo.fr>
Message-ID: <473B09E8.5010001@wanadoo.fr>

Sorry ... I'm a little bit tired ... I mean that we might sponsor Klaus and the L7 team to develop this ...

Regards

Sébastien CRAMATTE wrote:
> Klaus,
>
> Could you
> Might be you can sponsor the development ...
>
> Regards
>
> Sébastien
>
>
> Klaus wrote:
>
>> About ipp2p,
>>
>> Right now, the battle against p2p is lost with l7 detection from ipp2p,
>> l7 filter and others.
>>
>> Why ?? It is a known fact that pattern matching does not work with full
>> encrypted P2P handshakes based on DHT key exchange algorithms with byte
>> padding. You have absolutely no byte pattern and no fixed packet lengths
>> in the stream. So something like a flow history will fail or might have
>> a very high false +ve rate.
>>
>> The thing is that there are proprietary solutions which can detect fully
>> encrypted p2p streams based on a heuristic approach. (AFAIK ipoque is
>> selling a proprietary library for this which is integrated in some
>> firewall vendors). I have not seen any open source development into this
>> direction.
>>
>> Klaus, (former) maintainer of ipp2p
>>
>>
>> Marco Aurelio wrote:
>>
>>
>>> As you might have seen, these are words from ipp2p author:
>>>
>>> """
>>>
>>> I have seen some pieces of code from ipoque which can detect encrypted bittorrent
>>> and edonkey traffic. Unfortunately, this code will not work with
>>> iptables, because it needs
>>> more information about the flow history and the history of an ip address.
>>>
>>> Right now, I do not have the time and the money to develop a filter
>>> like this, but
>>> if you are interested in a development in this direction, please contact me.
>>> >>> """ >>> >>> I *think* that we need something like a "bittorrent helper" in the >>> kernel to keep this extra information about the flow history and then >>> an iptables plugin to match. What do you think? Maybe we could contact >>> him to know what kind of information is it? >>> >>> >>> On Nov 12, 2007 9:17 AM, sawar wrote: >>> >>> >>>> Rtorrent which I use sometimes have ability to completely disable plain text >>>> communication : >>>> >>>> man rtorrent >>>> allow_incoming (allow incoming encrypted connections), >>>> try_outgoing (use encryption for outgoing connections), require (disable >>>> unencrypted handshakes), require_RC4 (also disable plaintext >>>> transmission after the initial encrypted handshake), enable_retry (if the >>>> initial outgoing connection fails, retry with encryption turned on if it was >>>> off or off if it was on), prefer_plain text (choose plaintext when peer >>>> offers a choice between plaintext transmission and RC4 encryption, otherwise >>>> RC4 will be used). >>>> >>>> and many other clients have similar abilities. >>>> I'm afraid that full encrypted and enabled by default communication is only a >>>> matter of time and we will lose this "fight" very soon. >>>> >>>> >>>> >>>> >>>>> Some clients P2P clients are nice about there encryption and negotiate >>>>> encryption ahead of time using plain communication. I.E. Limewire, >>>>> Azureus. However, some just start TLS and that is all you can see. >>>>> >>>>> Looking at ipp2ps signatures, I don't see anything that leads me to >>>>> believe they track that kind of info. >>>>> >>>>> >>>>> >>>>> David Bierce >>>>> >>>>> On Nov 11, 2007, at 9:48 PM, Mohan Sundaram wrote: >>>>> >>>>> >>>>>> sAwAr wrote: >>>>>> >>>>>> >>>>>>> Hi >>>>>>> I believe that whole question is in topic. Is there any way to >>>>>>> recognize ( and then shape ) p2p traffic which is encrypted? >>>>>>> Modern p2p clients have this ability moreover some of them have >>>>>>> this enabled by default. 
Now I'm using ipp2p for iptables but as I
>>>>>>> know this doesn't recognize encrypted traffic.
>>>>>>> Thanks in advance.
>>>>>>> Regards
>>>>>>> Szymon Turkiewicz
>>>>>>>
>>>>>>>
>>>>>> Have not tried this. An idea. P2P initiations are not encrypted
>>>>>> AFAIK. Thus connections can be marked and related traffic shaped. If
>>>>>> initiation is also encrypted, then I think we have a serious problem.
>>>>>>
>>>>>> Mohan
>>>>>> _______________________________________________
>>>>>> LARTC mailing list
>>>>>> LARTC@mailman.ds9a.nl
>>>>>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>>
>>
>
>
>
>

From s.cramatte at wanadoo.fr Wed Nov 14 15:55:14 2007
From: s.cramatte at wanadoo.fr (Sébastien CRAMATTE)
Date: Wed Nov 14 15:54:50 2007
Subject: [LARTC] ip_conntrack: falling back to vmalloc.
Message-ID: <473B0C52.80402@wanadoo.fr>

Hello

I've got a server with 3Gb of ram and I want to keep 256 for the system and allocate the rest to conntrack ...
I've tried to change the HASHSIZE of the ip_conntrack but dmesg returns me this error !

ip_conntrack version 2.4 (2097152 buckets, 16777216 max) - 236 bytes per conntrack
ip_conntrack: falling back to vmalloc.

....
I've used this "math" to calculate it :

(3072 - 256) x 1024^2 / 236 = 12511822,1027

The nearest "power of 2" seems to be 2^23 = 8388608

With this result I've changed my "sysctl.conf" file

net.ipv4.netfilter.ip_conntrack_max = 8388608
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 28800

and I've to change the HASHSIZE to ip_conntrack_max / 4 ...

What is wrong ! How can I solve the problem ...
I'm waiting for a server with 8Gb (8192) of ram, most of it available to use with conntrack !

Regards

From shane at hemc.coop Wed Nov 14 21:44:06 2007
From: shane at hemc.coop (Shane McKinley)
Date: Wed Nov 14 21:43:46 2007
Subject: [LARTC] Hardware Requirements for qdisc htb/sfq
Message-ID: <7C454E01C5FAE748BEFE65F4C6B7FD8BF42B1F@s-marcell.hemc.coop>

I am planning to replace our cisco 7200 core router with Linux. We currently serve around 1500 (3/4 DSL - different router) customers with probably half of them being concurrent at any given time. We have a fiber network and customers currently aren't managed as far as how much bandwidth they can use at any time. Therefore I have constructed a working tc qdisc Linux router as a test. It is working beautifully.

My question is what are the general hardware requirements for routing to about 20 subnets (class c), traffic shaping for about 50 fiber customers (TC QDISC), 2 T1s (straight into the Linux router) and about 35MB of traffic out to the next ISP? We are planning to implement BGP sometime in the near future.

I have been searching everywhere for some kind of guidelines, but I see none. If anyone could give me a roundabout answer that would point me in the right direction I would be obliged.

This is what I have been looking at:

2.0GHz Dual-Core Xeon, 4GB 667MHz RAM, 2x1Gbit Network Interfaces.

Is this overkill?
Thanks,
Shane McKinley

From marek at piasta.pl Wed Nov 14 22:36:29 2007
From: marek at piasta.pl (Marek Kierdelewicz)
Date: Wed Nov 14 22:42:49 2007
Subject: [LARTC] Hardware Requirements for qdisc htb/sfq
In-Reply-To: <7C454E01C5FAE748BEFE65F4C6B7FD8BF42B1F@s-marcell.hemc.coop>
References: <7C454E01C5FAE748BEFE65F4C6B7FD8BF42B1F@s-marcell.hemc.coop>
Message-ID: <20071114223629.3f00537b@catlap>

>My question is what are the general hardware requirements for routing
>to about 20 subnets (class c), traffic shaping for about 50 fiber
>customers (TC QDISC), 2 T1s (straight into the Linux router) and about
>35MB of traffic out to the next ISP? We are planning to implement BGP
>sometime in the near future.

From my experience router load is mostly dependent on pps (packets per second).

I was doing stateful 550k pps on an Athlon64 X2 5200; cpu usage was ~50% per core.

I'm doing stateless > 1m pps on a Quad-core Xeon(R) CPU E5345 @ 2.33GHz; peak cpu usage is less than 25% per core.

Both configs used e1000 nics, 1GB Ram. Both boxes were running BGP.

>I have been searching everywhere for some kind of guidelines, but I see
>none. If anyone could give me a round about answer that would point me
>in the right direction I would be obliged.

Use irqbalance or smp affinity to distribute irqs between cores.
Make your router stateless or optimize netfilter settings related to conntrack (more memory, bigger hashtables etc.)

>2.0GHz Dual-Core Xeon, 4GB 667MGz RAM, 2x1Gbit Network Interfaces.

Quite a lot of ram for a stateful firewall + BGP (1GB would probably suffice).
Cheers,
Marek Kierdelewicz
KoBa ISP

From shane at hemc.coop Wed Nov 14 22:51:20 2007
From: shane at hemc.coop (Shane McKinley)
Date: Wed Nov 14 22:51:16 2007
Subject: [LARTC] Hardware Requirements for qdisc htb/sfq
In-Reply-To: <20071114223629.3f00537b@catlap>
Message-ID: <7C454E01C5FAE748BEFE65F4C6B7FD8BF42B48@s-marcell.hemc.coop>

This is what I am getting atm:

5 minute input rate 21323000 bits/sec, 3544 packets/sec
5 minute output rate 7870000 bits/sec, 3084 packets/sec

So I should prolly be good with the hardware listed, huh? I am mostly concerned about the qdisc stuff, is it more CPU intensive or RAM?

-----Original Message-----
From: Marek Kierdelewicz [mailto:marek@piasta.pl]
Sent: Wednesday, November 14, 2007 4:36 PM
To: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Hardware Requirements for qdisc htb/sfq

>My question is what are the general hardware requirements for routing
>to about 20 subnets (class c), traffic shaping for about 50 fiber
>customers (TC QDISC), 2 T1s (straight into the Linux router) and about
>35MB of traffic out to the next ISP? We are planning to implement BGP
>sometime in the near future.

From my experience router load is mostly dependent on pps (packets per second).

I was doing stateful 550k pps on an Athlon64 X2 5200; cpu usage was ~50% per core.

I'm doing stateless > 1m pps on a Quad-core Xeon(R) CPU E5345 @ 2.33GHz; peak cpu usage is less than 25% per core.

Both configs used e1000 nics, 1GB Ram. Both boxes were running BGP.

>I have been searching everywhere for some kind of guidelines, but I see
>none. If anyone could give me a round about answer that would point me
>in the right direction I would be obliged.

Use irqbalance or smp affinity to distribute irqs between cores.
Make your router stateless or optimize netfilter settings related to conntrack (more memory, bigger hashtables etc.)

>2.0GHz Dual-Core Xeon, 4GB 667MGz RAM, 2x1Gbit Network Interfaces.

Quite a lot of ram for a stateful firewall + BGP (1GB would probably suffice).
As for CPU, diagnose your network and compare your pps with the numbers and platforms I specified.

Cheers,
Marek Kierdelewicz
KoBa ISP
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From marek at piasta.pl Wed Nov 14 23:04:29 2007
From: marek at piasta.pl (Marek Kierdelewicz)
Date: Wed Nov 14 23:10:49 2007
Subject: [LARTC] Hardware Requirements for qdisc htb/sfq
In-Reply-To: <7C454E01C5FAE748BEFE65F4C6B7FD8BF42B48@s-marcell.hemc.coop>
References: <20071114223629.3f00537b@catlap> <7C454E01C5FAE748BEFE65F4C6B7FD8BF42B48@s-marcell.hemc.coop>
Message-ID: <20071114230429.187dbd5d@catlap>

>So I should prolly be good with the hardware listed, huh? I am mostly
>concerned about the qdisc stuff, is it more CPU intensive or RAM?

Shaping is not RAM hogging at all. With simpler setups it should not be too CPU intensive either. If you plan to do per-user shaping then consider using hashing u32 filters.

Cheers,
Marek Kierdelewicz
KoBa ISP

From mohan.tux at gmail.com Thu Nov 15 02:58:39 2007
From: mohan.tux at gmail.com (Mohan Sundaram)
Date: Thu Nov 15 02:58:54 2007
Subject: [LARTC] Hardware Requirements for qdisc htb/sfq
In-Reply-To: <7C454E01C5FAE748BEFE65F4C6B7FD8BF42B1F@s-marcell.hemc.coop>
References: <7C454E01C5FAE748BEFE65F4C6B7FD8BF42B1F@s-marcell.hemc.coop>
Message-ID: <473BA7CF.3010201@vsnl.com>

Shane McKinley wrote:
> I have been searching everywhere for some kind of guidelines, but I see
> none. If anyone could give me a round about answer that would point me
> in the right direction I would be obliged.
>
> This is what I have been looking at:
>
> 2.0GHz Dual-Core Xeon, 4GB 667MGz RAM, 2x1Gbit Network Interfaces.
>
> Is this overkill?
>

Speed is normally seen in PPS. The 7200 routes approx 1M PPS. I ran our own routing and classification s/w on an AMD Opteron 2Ghz, 1GB RAM and got 1.1M PPS. The Linux kernel gave approx 700K PPS. IMHO your h/w is way oversized but why not?
H/w is cheap nowadays.

Mohan

From juanquimis at hotmail.com Thu Nov 15 14:27:28 2007
From: juanquimis at hotmail.com (Juan Carlos Quimis Alvarez)
Date: Thu Nov 15 14:27:51 2007
Subject: [LARTC] help samba 3.0.10 configuration
Message-ID:

Hello people, please help me with the configuration of my samba.

The problem is that the permissions don't apply correctly. The group "user" is not permitted to write in the share and the other people are in a read group, but both write in my share folder; this is not what I need.

Please help

Juan Carlos Quimis

From hhding.gnu at gmail.com Mon Nov 19 04:06:26 2007
From: hhding.gnu at gmail.com (H.H. Ding)
Date: Mon Nov 19 04:07:05 2007
Subject: [LARTC] problem in udp route for NIC with 2 ip and gateway
Message-ID: <4740FDB2.1050706@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

hi,

I have a server with 2 ip addresses

2: eth0: mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:20:ed:32:81:76 brd ff:ff:ff:ff:ff:ff
    inet 61.164.49.39/26 brd 61.164.49.63 scope global eth0
    inet 60.12.230.167/26 brd 60.12.230.191 scope global eth0:0

and the default gateway is

default via 61.164.49.1 dev eth0

It works for tcp. The problem is, when a client connects to 60.12.230.167 by udp, the server will respond to the packet with source ip 61.164.49.39 and the client drops the packet.

How should I configure it to make the udp response use the correct source ip address?
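What the question above describes is ordinary kernel source-address selection, not a routing fault: a UDP daemon bound to 0.0.0.0 that answers with a plain sendto() lets the kernel pick the source by route lookup, and the route to the client prefers the primary address of eth0, so the reply to a client that spoke to the eth0:0 alias comes back from the other address and the client (or any stateful firewall in front of it) drops it as an unrelated flow. TCP is unaffected because the accepted socket is already bound to the address the SYN arrived on. The fix belongs in the server: either bind one socket per address, or enable IP_PKTINFO so every datagram arrives with the address it was sent to and the reply is sent from exactly that address. The script below is an added example written for this page, not code from the original post or from any project. It stands in for the poster's two addresses with the loopback aliases 127.0.0.1 and 127.0.0.2 (Linux treats all of 127/8 as local), assumes a Linux host, and assumes the Linux value 8 for IP_PKTINFO if the running Python does not export the constant.

```python
import socket
import struct

# Linux value of IP_PKTINFO (see ip(7)); some Python builds do not export it.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)
# struct in_pktinfo: int ipi_ifindex; struct in_addr ipi_spec_dst; struct in_addr ipi_addr;
PKTINFO_FMT = "i4s4s"
PKTINFO_LEN = struct.calcsize(PKTINFO_FMT)  # 12 bytes


def make_server(port=0, with_pktinfo=True):
    """UDP socket bound to INADDR_ANY, like a daemon serving both addresses.

    With IP_PKTINFO enabled the kernel attaches an in_pktinfo control message
    to each received datagram naming the local address it was sent to.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    if with_pktinfo:
        s.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
    s.bind(("0.0.0.0", port))
    s.settimeout(2.0)
    return s


def recv_with_dst(sock, bufsize=65535):
    """Return (payload, peer, dst_ip); dst_ip is None if no pktinfo arrived."""
    data, ancdata, _flags, peer = sock.recvmsg(bufsize, socket.CMSG_SPACE(PKTINFO_LEN))
    dst_ip = None
    for level, ctype, cdata in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            _ifindex, _spec_dst, ipi_addr = struct.unpack(PKTINFO_FMT, cdata[:PKTINFO_LEN])
            dst_ip = socket.inet_ntoa(ipi_addr)  # destination address of the datagram
    return data, peer, dst_ip


def send_from(sock, payload, peer, src_ip):
    """Send payload to peer with src_ip forced as the IP source address.

    ipi_spec_dst in an outgoing IP_PKTINFO control message overrides the
    kernel's route-based source selection for this single datagram.
    """
    pktinfo = struct.pack(PKTINFO_FMT, 0, socket.inet_aton(src_ip), b"\0" * 4)
    sock.sendmsg([payload], [(socket.IPPROTO_IP, IP_PKTINFO, pktinfo)], 0, peer)


def serve_one(server, fixed=True):
    """Answer one datagram. fixed=False reproduces the naive plain sendto() reply."""
    data, peer, dst_ip = recv_with_dst(server)
    if fixed and dst_ip is not None:
        send_from(server, b"echo:" + data, peer, dst_ip)
    else:
        server.sendto(b"echo:" + data, peer)  # kernel picks the source by route lookup
    return dst_ip


def roundtrip(fixed=True, service_ip="127.0.0.2", client_ip="127.0.0.1"):
    """Constructed loopback demo: the client talks to service_ip (the stand-in
    for the poster's second address) and we return (reply_source_ip, payload).
    A correct server answers from service_ip, not from another local address."""
    server = make_server()
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(2.0)
    try:
        client.bind((client_ip, 0))
        port = server.getsockname()[1]
        client.sendto(b"ping", (service_ip, port))
        serve_one(server, fixed=fixed)
        reply, (src_ip, _src_port) = client.recvfrom(65535)
        return src_ip, reply
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    print("naive reply came from", roundtrip(fixed=False)[0])
    print("fixed reply came from", roundtrip(fixed=True)[0])
```

Running it shows the naive reply arriving from the route-selected address (127.0.0.1 here, the primary eth0 address in the poster's setup) and the fixed reply arriving from the address the request was sent to. The same in_pktinfo handling applies to any UDP daemon on a multi-address host; binding a separate socket per address is the alternative when the daemon cannot be changed to use ancillary data.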
From uncystu at hotmail.com Mon Nov 19 08:26:54 2007
From: uncystu at hotmail.com (Stuart Clouston)
Date: Mon Nov 19 08:27:27 2007
Subject: [LARTC] Unexpected results using HTB qdisc
Message-ID:

Hi All,

I am using the script below to limit download rates and manage traffic for a certain IP address and testing the results using iperf. The rate that iperf reports is much higher than the rate I have configured for the HTB qdisc. It's probably just some newbie trap that's messing things up but I'm buggered if I can see it.

The following script is run on the server (192.168.10.30): (I have simplified it and removed all of the ceil parameters during my troubleshooting process)

# Remove any existing qdisc
tc qdisc del dev eth0 root handle 1:

# Root queueing discipline
tc qdisc add dev eth0 root handle 1: htb default 10

# Root class
tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit burst 1500 ceil 100mbit

# Default class
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 30mbit ceil 100mbit burst 1500

# Rate limited classes
tc class add dev eth0 parent 1:1 classid 1:4 htb rate 300kbit

tc class add dev eth0 parent 1:4 classid 1:40 htb rate 50kbit
tc class add dev eth0 parent 1:4 classid 1:41 htb rate 50kbit
tc class add dev eth0 parent 1:4 classid 1:42 htb rate 200kbit

tc qdisc add dev eth0 parent 1:40 handle 40: sfq perturb 10
tc qdisc add dev eth0 parent 1:41 handle 41: sfq perturb 10
tc qdisc add dev eth0 parent 1:42 handle 42: sfq perturb 10

# Filters to direct traffic to the right classes:

U32="tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32"
$U32 match ip dst 192.168.10.85 match ip sport 3389 0xffff flowid 1:42
$U32 match ip dst 192.168.10.85 match ip sport 1352 0xffff flowid 1:41
$U32 match ip dst 192.168.10.85 flowid 1:40

The client (192.168.10.85) then runs
iperf to test the results:

iperf -c 192.168.10.30 -p 1352 -P 5 -f k
[SUM]  0.0-11.4 sec   3016 KBytes   2163 Kbits/sec

iperf -c 192.168.10.30 -p 23 -P 5 -f k
[SUM]  0.0-11.4 sec   2856 KBytes   2053 Kbits/sec

iperf -c 192.168.10.30 -p 3389 -P 5 -f k
[SUM]  0.0-10.3 sec  11264 KBytes   8956 Kbits/sec

The traffic is being shaped proportionally as I'd hoped but each class is well in excess of its configured limit.

I am getting similar results on two separate units:
1: Debian (testing), Kernel v2.6.16.19, iproute2 ss070313
2: Ubuntu (dapper), Kernel v2.6.23.1, iproute2 ss041019

I'd be very grateful for any information that could help me out.

Thanks,
Stu (newbie to HTB)

From derek at interdart.co.uk Mon Nov 19 10:42:11 2007
From: derek at interdart.co.uk (Derek Sims)
Date: Mon Nov 19 10:42:25 2007
Subject: [LARTC] Which CPU for heavy traffic with much filtering/shaping?
In-Reply-To:
References:
Message-ID: <47415A73.9020107@interdart.co.uk>

Hi

I have a router with a large number of iptables rules and some extensive traffic shaping (HTB + RED + ... ) + conntrack.

The router is running Centos5 on a P4 Celeron 2.4 with 512Mb ram

30% soft interrupt cpu utilisation
7000 packets/second on each of eth1 and eth0 (forwarded packets)
20Mbit/second on both eth1 and eth0
e1000 ethernet on both eth0 and eth1 (eth1 running at 100Mbit)

I am trying to optimise the firewall rules and have already managed to reduce cpu si by about 40%, however I need to get this router to handle a throughput rate of 100Mbit or more.

I have seen hints that using SMP (or multicore) processors will not help for soft interrupt.

My question is this:

1.
What processors should I be looking for in order to achieve the best routing throughput on a linux router?

2. Is it true that multicore processors will not help much in this situation?

Best regards,
Derek

From marek at piasta.pl Mon Nov 19 17:40:34 2007
From: marek at piasta.pl (Marek Kierdelewicz)
Date: Mon Nov 19 17:47:38 2007
Subject: [LARTC] Which CPU for heavy traffic with much filtering/shaping?
In-Reply-To: <47415A73.9020107@interdart.co.uk>
References: <47415A73.9020107@interdart.co.uk>
Message-ID: <20071119174034.1b7e9bb7@catlap>

>Hi

Hi

>I have a router with a large number of iptables rules and some
>extensive traffic shaping (HTB + RED + ... ) + conntrack.

Performance boost tips:

- Use the "set" module instead of sequential iptables rules. It can lower cpu usage.
- Use hashing filters for shaping if you're using many u32 filters.
- Configure conntrack to use a bigger hashsize for better performance; I'm passing the following parameter to the kernel in grub to achieve this: ip_conntrack.hashsize=1048575
- Configure the route cache to use more memory for better performance; I'm passing the following parameter to the kernel in grub to achieve this: rhash_entries=2400000

>1. What processors should I be looking for in order to achieve the
>best routing throughput on a linux router?

I've had good experiences with P4 (with and without HT), Athlon64, Xeon [dempsey], Xeon [woodcrest]. The last one is the best choice because of the large cache and architecture. I think you can use Core 2 Duo too if you want to save some money.

>2. Is it true that multicore processors will not help much in this
>situation?

Not true. In your setup with two nics with the same load you can easily use two cores. You can assign each nic to a different core by means of the smp_affinity setting in /proc/irq/... or by using the irqbalance daemon.
>Best regards,
>Derek

Regards,
Marek Kierdelewicz
KoBa ISP

From derek at interdart.co.uk Mon Nov 19 18:55:20 2007
From: derek at interdart.co.uk (Derek Sims)
Date: Mon Nov 19 18:55:30 2007
Subject: [LARTC] Which CPU for heavy traffic with much filtering/shaping?
In-Reply-To: <20071119174034.1b7e9bb7@catlap>
References: <47415A73.9020107@interdart.co.uk> <20071119174034.1b7e9bb7@catlap>
Message-ID: <4741CE08.8020506@interdart.co.uk>

Marek Kierdelewicz wrote:
>> Hi
>>
>
> Hi
>
>
>> I have a router with a large number of iptables rules and some
>> extensive traffic shaping (HTB + RED + ... ) + conntrack.
>>
>
> Performance boost tips:
>
> - Use the "set" module instead of sequential iptables rules. It can lower
> cpu usage.
>
Hmm - I don't know what the "set" module is - can you point me to some documentation please?

> - Use hashing filters for shaping if you're using many u32 filters.
>
Only 3

> - Configure conntrack to use a bigger hashsize for better performance;
> I'm passing the following parameter to the kernel in grub to achieve this:
> ip_conntrack.hashsize=1048575
>
>
I have 64k in conntrack_max and a hashsize of 16000
Currently running with about 20000 conntrack connections
I will try increasing this

> - Configure the route cache to use more memory for better
> performance; I'm passing the following parameter to the kernel in grub to
> achieve this: rhash_entries=2400000
>
>
>> 1. What processors should I be looking for in order to achieve the
>> best routing throughput on a linux router?
>>
>
> I've had good experiences with P4 (with and without HT), Athlon64, Xeon
> [dempsey], Xeon [woodcrest]. The last one is the best choice because of
> the large cache and architecture. I think you can use Core 2 Duo too
> if you want to save some money.
>
>
Thanks - I will see what I can get

>> 2. Is it true that multicore processors will not help much in this
>> situation?
>>
>
> Not true. In your setup with two nics with the same load you can easily use
> two cores.
You can assign each nic to a different core by means of the
> smp_affinity setting in /proc/irq/... or by using the irqbalance daemon.
>
>
That is good news :) - however I guess 4 cores with dual ethernet would not help very much!

>> Best regards,
>> Derek
>>
>
> Regards,
> Marek Kierdelewicz
> KoBa ISP
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

Best regards,
Derek

From default at advaita.sytes.net Mon Nov 19 22:49:03 2007
From: default at advaita.sytes.net (John Default)
Date: Mon Nov 19 22:49:12 2007
Subject: [LARTC] Unexpected results using HTB qdisc
In-Reply-To:
References:
Message-ID: <474204CF.60205@advaita.sytes.net>

Hi

Stuart Clouston wrote:
> Hi All,
>
> I am using the script below to limit download rates and manage traffic for a certain IP address and testing the results using iperf. The rate that iperf reports is much higher than the rate I have configured for the HTB qdisc. It's probably just some newbie trap that's messing things up but I'm buggered if I can see it.
>
> The following script is run on the server (192.168.10.30): (I have simplified it and removed all of the ceil parameters during my troubleshooting process)
>
I think you should not have removed the ceiling parameters : )

> # Remove any existing qdisc
> tc qdisc del dev eth0 root handle 1:
>
> # Root queueing discipline
> tc qdisc add dev eth0 root handle 1: htb default 10
>
> # Root class
> tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit burst 1500 ceil 100mbit
>
> # Default class
> tc class add dev eth0 parent 1:1 classid 1:10 htb rate 30mbit ceil 100mbit burst 1500
>
> # Rate limited classes
> tc class add dev eth0 parent 1:1 classid 1:4 htb rate 300kbit
>
> tc class add dev eth0 parent 1:4 classid 1:40 htb rate 50kbit
>
You should use ceil here right after rate, otherwise the class can borrow from its parent class and therefore your overall traffic will be shaped in the correct proportion but not absolutely (i.e. to the proper bandwidth). Once you set a ceil value, the class will not get any more throughput even if the link is free...
> tc class add dev eth0 parent 1:4 classid 1:41 htb rate 50kbit
> tc class add dev eth0 parent 1:4 classid 1:42 htb rate 200kbit
>
> tc qdisc add dev eth0 parent 1:40 handle 40: sfq perturb 10
> tc qdisc add dev eth0 parent 1:41 handle 41: sfq perturb 10
> tc qdisc add dev eth0 parent 1:42 handle 42: sfq perturb 10
>
> # Filters to direct traffic to the right classes:
>
> U32="tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32"
> $U32 match ip dst 192.168.10.85 match ip sport 3389 0xffff flowid 1:42
> $U32 match ip dst 192.168.10.85 match ip sport 1352 0xffff flowid 1:41
> $U32 match ip dst 192.168.10.85 flowid 1:40
>
>
>
> The client (192.168.10.85) then runs iperf to test the results:
>
> iperf -c 192.168.10.30 -p 1352 -P 5 -f k
> [SUM]  0.0-11.4 sec   3016 KBytes   2163 Kbits/sec
>
> iperf -c 192.168.10.30 -p 23 -P 5 -f k
> [SUM]  0.0-11.4 sec   2856 KBytes   2053 Kbits/sec
>
> iperf -c 192.168.10.30 -p 3389 -P 5 -f k
> [SUM]  0.0-10.3 sec  11264 KBytes   8956 Kbits/sec
>
>
> The traffic is being shaped proportionally as I'd hoped but each class is well in excess of its configured limit.
>
> I am getting similar results on two separate units:
> 1: Debian (testing), Kernel v2.6.16.19, iproute2 ss070313
> 2: Ubuntu (dapper), Kernel v2.6.23.1, iproute2 ss041019
>
> I'd be very grateful for any information that could help me out.
> Thanks,
> Stu (newbie to HTB)
> _________________________________________________________________
>
>
I am a newbie too, so if I am wrong please someone correct me.

--
___________________________________
S pozdravom / Best regards
John Default

From zampognaro at ing.uniroma2.it Mon Nov 19 23:23:45 2007
From: zampognaro at ing.uniroma2.it (Francesco Zampognaro)
Date: Mon Nov 19 23:23:53 2007
Subject: [LARTC] Changing TBF rate on the fly results in drops?
Message-ID: <20071119232345.yn77o512ook84koc@webmail.uniroma2.it>

Hi everybody,

it is my first message here. I tried to browse through older posts but I found no immediate answer.
I need to change the rate of a tbf queue while ip packets are already enqueued by it. If I go:

tc qdisc replace|change|link dev eth0 root tbf rate 180kbit burst 1540 limit 15400

as a result all enqueued packets seem to disappear. I can see that from a:

tc -s qdisc ls dev eth0

where backlog suddenly goes down to zero packets. Iperf performances also confirm that.

Using custom kernel 2.6.20.1 on Ubuntu 6.06.

Where can I look to understand what is going on? Can I do something else to get the same result (shaping outgoing traffic dynamically and very often without losses)?

Thanks in advance!

____________________________________
Francesco
____________________________________

From maillist1 at argontech.net Mon Nov 19 23:36:31 2007
From: maillist1 at argontech.net (Marco C. Coelho)
Date: Mon Nov 19 23:36:39 2007
Subject: [LARTC] neighbor table overflow
In-Reply-To: <10a268fb0710270406m622492aawa561f72a369cacee@mail.gmail.com>
References: <471D1A44.40503@argontech.net> <471DE180.5040708@zoomnet.ro> <471E5A53.3000405@riverviewtech.net> <9295C708-B499-4D57-8AD4-D97EFDCC9405@crystalstudio.ca> <471E6348.5040404@argontech.net> <471F1C45.2010109@zoomnet.ro> <471F6277.2050300@argontech.net> <471F6D74.7000607@zoomnet.ro> <4720B160.6060602@argontech.net> <10a268fb0710270406m622492aawa561f72a369cacee@mail.gmail.com>
Message-ID: <47420FEF.9070303@argontech.net>

Still beating the same bush!

I've done all the possible suggestions so far. I still was getting a neighbor table overflow.

Looking at the MAN 7 ARP pages, I see:

gc_thresh1
    The minimum number of entries to keep in the ARP cache. The garbage collector will not run if there are fewer than this number of entries in the cache. Defaults to 128.

gc_thresh2
    The soft maximum number of entries to keep in the ARP cache. The garbage collector will allow the number of entries to exceed this for 5 seconds before collection will be performed. Defaults to 512.

gc_thresh3
    The hard maximum number of entries to keep in the ARP cache.
    The garbage collector will always run if there are more than this number of entries in the cache. Defaults to 1024.

Since this box never gets less than 500 pppoe connections, this Sat I changed

             WAS    NOW
gc_thresh1   512    1024
gc_thresh2   2048   2048
gc_thresh3   4096   4096

What's strange is when I do an 'arp -an' I only get three entries back. (ips changed to protect the guilty). Shouldn't this show the arp entries?

? (x.202.x.3) at 00:03:47:2D:8B:F9 [ether] on eth0
? (x.202.x.1) at 00:03:E3:88:EC:C2 [ether] on eth0
? (x.202.x.2) at 00:18:8B:76:EC:D8 [ether] on eth0
? (x.202.x.9) at 00:90:27:43:C2:CF [ether] on eth0

ip route | grep link provides:

snip (lots of pppoe connects)
x.202.x.237 dev ppp53 proto kernel scope link src 10.20.1.1
x.202.x.235 dev ppp339 proto kernel scope link src 10.20.1.1
x.202.x.232 dev ppp185 proto kernel scope link src 10.20.1.1
x.202.x.231 dev ppp313 proto kernel scope link src 10.20.1.1
x.202.x.230 dev ppp67 proto kernel scope link src 10.20.1.1
x.202.x.226 dev ppp74 proto kernel scope link src 10.20.1.1
x.202.x.224 dev ppp150 proto kernel scope link src 10.20.1.1
x.202.x.0/24 dev eth0 proto kernel scope link src x.202.224.8
192.168.1.0/24 dev eth3 proto kernel scope link src 192.168.1.8

I don't think we are doing anything too special with this box that we would see a kernel issue no one else is seeing.

Can arp poisoning cause this?
a dmesg after a clean reboot only gives:

Shorewall:all2all:REJECT:IN=ppp413 OUT= MAC= SRC=x.202.x.165 DST=10.20.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=254 ID=39752 PROTO=ICMP TYPE=8 CODE=0 ID=25040 SEQ=0
Shorewall:all2all:REJECT:IN=ppp160 OUT=eth3 SRC=x.202.x.110 DST=192.168.1.7 LEN=72 TOS=0x00 PREC=0x00 TTL=126 ID=48363 PROTO=UDP SPT=427 DPT=427 LEN=52
Shorewall:all2all:REJECT:IN=ppp160 OUT=eth3 SRC=x.202.x.110 DST=192.168.1.7 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=48492 DF PROTO=TCP SPT=36005 DPT=9220 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:all2all:REJECT:IN=ppp160 OUT=eth3 SRC=x.202.x.110 DST=192.168.1.7 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=48493 DF PROTO=TCP SPT=36005 DPT=9220 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:all2all:REJECT:IN=ppp160 OUT=eth3 SRC=x.202.x.110 DST=192.168.1.7 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=48517 DF PROTO=TCP SPT=36005 DPT=9220 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:all2all:REJECT:IN=ppp160 OUT=eth3 SRC=x.202.x.110 DST=192.168.1.7 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=48518 DF PROTO=TCP SPT=33969 DPT=16398 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:all2all:REJECT:IN=ppp160 OUT=eth3 SRC=x.202.x.110 DST=192.168.1.7 LEN=72 TOS=0x00 PREC=0x00 TTL=126 ID=48519 PROTO=UDP SPT=427 DPT=427 LEN=52
Shorewall:all2all:REJECT:IN=ppp160 OUT=eth3 SRC=x.202.x.110 DST=192.168.1.7 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=48522 DF PROTO=TCP SPT=33969 DPT=16398 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:all2all:REJECT:IN=ppp160 OUT=eth3 SRC=x.202.x.110 DST=192.168.1.7 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=48526 DF PROTO=TCP SPT=33969 DPT=16398 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:all2all:REJECT:IN=ppp160 OUT=eth3 SRC=x.202.x.110 DST=192.168.1.7 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=48614 DF PROTO=TCP SPT=35790 DPT=9220 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:all2all:REJECT:IN=ppp160 OUT=eth3 SRC=x.202.x.110 DST=192.168.1.7 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=48630 DF PROTO=TCP SPT=35790 DPT=9220 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:all2all:REJECT:IN=ppp160 OUT=eth3 SRC=x.202.x.110 DST=192.168.1.7 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=48x6 DF PROTO=TCP SPT=35790 DPT=9220 WINDOW=16384 RES=0x00 SYN URGP=0 Shorewall:all2all:REJECT:IN=ppp160 OUT=eth3 SRC=x.202.x.110 DST=192.168.1.7 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=48x8 DF PROTO=TCP SPT=34718 DPT=16398 WINDOW=16384 RES=0x00 SYN URGP=0 Shorewall:all2all:REJECT:IN=ppp160 OUT=eth3 SRC=x.202.x.110 DST=192.168.1.7 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=48663 DF PROTO=TCP SPT=34718 DPT=16398 WINDOW=16384 RES=0x00 SYN URGP=0 Shorewall:all2all:REJECT:IN=ppp160 OUT=eth3 SRC=x.202.x.110 DST=192.168.1.7 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=48679 DF PROTO=TCP SPT=34718 DPT=16398 WINDOW=16384 RES=0x00 SYN URGP=0 Shorewall:all2all:REJECT:IN=ppp160 OUT=eth3 SRC=x.y.x.110 DST=192.168.1.7 LEN=72 TOS=0x00 PREC=0x00 TTL=126 ID=48724 PROTO=UDP SPT=427 DPT=427 LEN=52 Kernel Version 2.6.18-8.1.6 Looking for any suggestions. Marco Andrei Kovacs wrote: > On 10/25/07, Marco C. Coelho wrote: > >> Looking into it further an ip route shows: >> >> x.0.0.0/8 via x.y.224.1 dev eth0 proto zebra metric 20 equalize >> >> So the x.0.0.0 announce is coming into this box through OSPF (zebra) >> >> The 169.254.0.0/16 is being automajically added through the sysconfig >> network scripts. I'm looking into why. >> >> > > Add "NOZEROCONF=yes" in /etc/sysconfig/network and the 169.254.0.0/16 > network won't be created anymore. > > >> In either case I still don't see why these entries would make the neighbor >> table overflow. Could it have been the previous fix to the hosts file? >> >> mc >> >> Alexandru Dragoi wrote: >> Marco C. 
Coelho wrote:
>>
>> the ip route with a grep for link returns:
>>
>> snip** too long
>> x.y.x.198 dev ppp436 proto kernel scope link src 10.20.1.1
>> x.y.x.196 dev ppp421 proto kernel scope link src 10.20.1.1
>> x.y.x.197 dev ppp211 proto kernel scope link src 10.20.0.1
>> x.y.x.194 dev ppp13 proto kernel scope link src 10.20.1.1
>> x.y.x.192 dev ppp404 proto kernel scope link src 10.20.1.1
>> x.y.x.254 dev ppp194 proto kernel scope link src 10.20.1.1
>> x.y.x.253 dev ppp130 proto kernel scope link src 10.20.1.1
>> x.y.x.252 dev ppp243 proto kernel scope link src 10.20.1.1
>> x.y.x.249 dev ppp195 proto kernel scope link src 10.20.1.1
>> x.y.x.248 dev ppp254 proto kernel scope link src 10.20.1.1
>> x.y.x.247 dev ppp235 proto kernel scope link src 10.20.1.1
>> x.y.x.242 dev ppp78 proto kernel scope link src 10.20.1.1
>> x.y.x.240 dev ppp328 proto kernel scope link src 10.20.1.1
>> x.y.x.237 dev ppp44 proto kernel scope link src 10.20.1.1
>> x.y.x.236 dev ppp122 proto kernel scope link src 10.20.1.1
>> x.y.x.234 dev ppp316 proto kernel scope link src 10.20.1.1
>> x.y.x.232 dev ppp132 proto kernel scope link src 10.20.1.1
>> x.y.x.231 dev ppp104 proto kernel scope link src 10.20.0.1
>> x.y.x.226 dev ppp179 proto kernel scope link src 10.20.0.1
>> x.y.224.0/24 dev eth0 proto kernel scope link src x.y.224.8
>> 192.168.1.0/24 dev eth3 proto kernel scope link src 192.168.1.8
>> 169.254.0.0/16 dev eth3 scope link
>>
>> The one above must be deleted, many redhat-like distros attach
>> 169.254.0.0/16.
>>
>> All the pppoe terminations (pppd) are shown, as well as the last three
>> subnets. I'll have to see where the 169.254.0.0/16 is coming from?
>>
>> mc
>>
>> Alexandru Dragoi wrote:
>>
>> Marco C. Coelho wrote:
>>
>> This box is doing a lot. It terminates 1000 PPPoE connections,
>> provides traffic shaping using TC/HTB, authenticates all users via
>> Radius. It also runs OSPF routing for the internal network. Looking
>> at a simple route output I see all the PPP connections coming through
>> the box, and due to the OSPF I also see the rest of my network
>> announcements. The only strange things are:
>>
>> 1. The last man working on this box had mistakenly edited the hosts
>> file and added the machine name and complete domain name to the local
>> host 127.0.0.1 name. It should only be pointed to the eth0
>> interface. I have changed this.
>>
>> 2. The route output is making an announcement
>>
>> x.0.0.0 argontech.net 255.0.0.0 UG 20 0 0 eth0
>>
>> This doesn't look dangerous for your problem, I was only talking about
>> directly connected networks:
>>
>> # ip route |grep link
>>
>> My public IP space is a /20 within that space, not the whole Class A.
>> I have not found which box is announcing this within my network yet.
>>
>> Jeff Welling wrote:
>>
>> On 10/23/07 06:56, Alexandru Dragoi wrote:
>>
>> What about checking your routing table? you may have link routes
>> for massive subnets (like 85.0.0.0/8 or 140.20.0.0/16). Some
>> programs prefer to use "standard" netmask of classes A and B.
>>
>> I'm betting that the OP has other things going on seeing as how
>> s/he mentioned PPPoE, which to my knowledge is a layer 2 protocol,
>> and thus not subject to typical routing scenarios. In essence the
>> OP could have thousands of PPPoE connections terminating on one
>> system with the ARP cache having to deal with where to send traffic
>> to which MAC address. There is not a lot of room for routing in such
>> a scenario.
>>
>> I agree with Peter's suggestion, arpd. I ran into the neighbor table
>> overflow problem recently, at the hands of our ISP. I was in the
>> process of recompiling the kernel and mucking with arpd (I couldn't
>> get it to run/start properly) when the problem disappeared as quickly
>> as it showed up. Lucky for me, this was some kind of ISP problem, I
>> was able to determine that much through `tcpdump -i X -n arpd`.
>>
>> My 'two cents' is that you try arpd, I did a bit of looking when I
>> came across that problem and it seemed to be the last ditch effort
>> when changing the gc threshold had no effect. Wasn't able to confirm
>> that it worked for sure though.
>>
>> Cheers.
>> _______________________________________________
>> LARTC mailing list
>> LARTC@mailman.ds9a.nl
>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20071119/96a6a385/attachment-0001.html

From sawar at interia.pl Tue Nov 20 00:08:40 2007
From: sawar at interia.pl (sawar)
Date: Tue Nov 20 00:09:37 2007
Subject: [LARTC] Which CPU for heavy traffic with much filtering/shaping?
In-Reply-To: <20071119174034.1b7e9bb7@catlap>
References: <47415A73.9020107@interdart.co.uk> <20071119174034.1b7e9bb7@catlap>
Message-ID: <200711200008.40900.sawar@interia.pl>

Hi

is there any how-to which can guide me through all available tuning options in /proc/ filesystem

Regards,
Szymon Turkiewicz

> >Hi
>
> Hi
>
> >I have a router with a large number of iptables rules and some
> >extensive traffic shaping (HTB + RED + ... ) + conntrack.
>
> Performance boost tips:
>
> - Use "set" module instead of sequential iptables rules. It can lower
> cpu usage.
>
> - Use hashing filters for shaping if you're using many u32 filters.
>
> - configure conntrack to use bigger hashsize for better performance;
> i'm passing following parameter to kernel in grub to achieve this:
> ip_conntrack.hashsize=1048575
>
> - configure routecache to use bigger to use more memory for better
> performance; i'm passing following parameter to kernel in grub to
> achieve this: rhash_entries=2400000
>
> >1. What processors should I be looking for in order to achieve the
> >best routing throughput on a linux router?
>
> I've had good experiences with P4 (with and without HT), Athlon64, Xeon
> [dempsey], Xeon [woodcrest]. The last one is the best choice because of
> the large cache and architecture. I think you can use Core 2 Duo too
> if you want to save some money.
>
> >2. Is it true that multicore processors will not help much in this
> >situation?
>
> Not true. In your setup with two nics with same load you can easily use
> two cores. You can assign each nic to different core by the means of
> smp_affinity setting in /proc/irq/... or by using irqbalance daemon.
>
> >Best regards,
> >Derek
>
> Regards,
> Marek Kierdelewicz
> KoBa ISP

From darko at veze.net Tue Nov 20 00:15:04 2007
From: darko at veze.net (darko)
Date: Tue Nov 20 00:18:10 2007
Subject: [LARTC] neighbor table overflow
In-Reply-To: <20071119223651.7BE7C44F6@outpost.ds9a.nl>
References: <20071119223651.7BE7C44F6@outpost.ds9a.nl>
Message-ID: <20071119225501.M90713@veze.net>

> Still beating the same bush!
>
> I've done all the possible suggestions so far. I still was getting
> a neighbor table overflow. ...

If this can help.
I had the same problem when testing a new server in the network (kernel is 2.6.21.5) - everything seems OK in the system except neighbor table overflow, and as a consequence buffer overflow. The situation was as follows: the server's Internet port was connected to the network where the local port of the server logically belongs. There are mostly 10.x.0.0/16 addresses. Also on that network was one client with some viruses which produced excessive ARP scanning of 10.x.0.0/16 clients. When the local port of the server is connected where it belongs, there are no overflow messages, nor any problems. Also there is no problem when the problematic client is offline.

Darko

From uncystu at hotmail.com Tue Nov 20 00:31:52 2007
From: uncystu at hotmail.com (Stuart Clouston)
Date: Tue Nov 20 00:32:04 2007
Subject: [LARTC] Unexpected results using HTB qdisc
In-Reply-To: <474204CF.60205@advaita.sytes.net>
References: <474204CF.60205@advaita.sytes.net>
Message-ID:

Hi John,

Thanks for the reply. I removed the ceil parameters as a troubleshooting process to ensure that they weren't what was causing the excess of the configured rate. From what I can see if the ceil parameter is not specified it defaults to the same figure as the rate parameter. I have verified this by running "tc -s -d class list dev eth0". The output from this command also shows that the rate limited classes have not borrowed at all (see below). I have tried what you suggested anyway and it is still exceeding the configured rate. The output below was generated on the server immediately after the completion of the iperf tests.

Another thing that doesn't make sense to me is that all but one of the classes are reported to have been lending but which class are they lending to? None of the classes have been recorded as borrowing.
# tc -s -d class list dev eth0
class htb 1:10 parent 1:1 prio 0 quantum 200000 rate 30000Kbit ceil 100000Kbit burst 39093b/8 mpu 0b overhead 0b cburst 126587b/8 mpu 0b overhead 0b level 0
 Sent 574506 bytes 1223 pkts (dropped 0, overlimits 0)
 rate 63888bit 18pps
 lended: 1223 borrowed: 0 giants: 0
 tokens: 10155 ctokens: 9883

class htb 1:1 root rate 100000Kbit ceil 100000Kbit burst 1487b/8 mpu 0b overhead 0b cburst 126587b/8 mpu 0b overhead 0b level 7
 Sent 1006166 bytes 7723 pkts (dropped 0, overlimits 0)
 rate 181840bit 240pps
 lended: 0 borrowed: 0 giants: 0
 tokens: 110 ctokens: 9883

class htb 1:40 parent 1:4 leaf 40: prio 0 quantum 1000 rate 50000bit ceil 50000bit burst 1661b/8 mpu 0b overhead 0b cburst 1661b/8 mpu 0b overhead 0b level 0
 Sent 81010 bytes 1225 pkts (dropped 341, overlimits 0)
 rate 21272bit 40pps
 lended: 1225 borrowed: 0 giants: 0
 tokens: -239487 ctokens: -239487

class htb 1:4 parent 1:1 rate 300000bit ceil 300000bit burst 1974b/8 mpu 0b overhead 0b cburst 1974b/8 mpu 0b overhead 0b level 6
 Sent 431660 bytes 6500 pkts (dropped 0, overlimits 0)
 rate 117952bit 222pps
 lended: 0 borrowed: 0 giants: 0
 tokens: 39055 ctokens: 39055

class htb 1:41 parent 1:4 leaf 41: prio 0 quantum 1000 rate 50000bit ceil 50000bit burst 1661b/8 mpu 0b overhead 0b cburst 1661b/8 mpu 0b overhead 0b level 0
 Sent 78502 bytes 1189 pkts (dropped 294, overlimits 0)
 rate 20376bit 39pps
 lended: 1189 borrowed: 0 giants: 0
 tokens: -176795 ctokens: -176795

class htb 1:42 parent 1:4 leaf 42: prio 0 quantum 2500 rate 200000bit ceil 200000bit burst 1849b/8 mpu 0b overhead 0b cburst 1849b/8 mpu 0b overhead 0b level 0
 Sent 272120 bytes 4086 pkts (dropped 809, overlimits 0)
 rate 71768bit 135pps
 lended: 4086 borrowed: 0 giants: 0
 tokens: 4616 ctokens: 4616

> Date: Mon, 19 Nov 2007 22:49:03 +0100
> From: default@advaita.sytes.net
> Subject: Re: [LARTC] Unexpected results using HTB qdisc
> To: lartc@mailman.ds9a.nl
>
> Hi
>
> Stuart Clouston wrote:
> > Hi All,
> >
> > I am using the script below to limit download rates and manage traffic for a certain IP address and testing the results using iperf. The rate that iperf reports is much higher than the rate I have configured for the HTB qdisc. It's probably just some newbie trap that's messing things up but I'm buggered if I can see it.
> >
> > The following script is run on the server (192.168.10.30): (I have simplified it and removed all of the ceil parameters during my troubleshooting process)
>
> I think you should have not removed ceiling parameters : )
>
> > # Remove any existing qdisc
> > tc qdisc del dev eth0 root handle 1:
> >
> > # Root queueing discipline
> > tc qdisc add dev eth0 root handle 1: htb default 10
> >
> > # Root class
> > tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit burst 1500 ceil 100mbit
> >
> > # Default class
> > tc class add dev eth0 parent 1:1 classid 1:10 htb rate 30mbit ceil 100mbit burst 1500
> >
> > # Rate limited classes
> > tc class add dev eth0 parent 1:1 classid 1:4 htb rate 300kbit
> >
> > tc class add dev eth0 parent 1:4 classid 1:40 htb rate 50kbit
>
> You should use ceil here right after rate, otherwise the class can
> borrow from its parent class and therefore your overall traffic will be
> shaped in correct proportion but not absolutely (i.e to proper bandwidth)
> Once you set ceil value, the class will not get any more throughput even
> if the link is free...
>
> > tc class add dev eth0 parent 1:4 classid 1:41 htb rate 50kbit
> > tc class add dev eth0 parent 1:4 classid 1:42 htb rate 200kbit
> >
> > tc qdisc add dev eth0 parent 1:40 handle 40: sfq perturb 10
> > tc qdisc add dev eth0 parent 1:41 handle 41: sfq perturb 10
> > tc qdisc add dev eth0 parent 1:42 handle 42: sfq perturb 10
> >
> > # Filters to direct traffic to the right classes:
> >
> > U32="tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32"
> > $U32 match ip dst 192.168.10.85 match ip sport 3389 0xffff flowid 1:42
> > $U32 match ip dst 192.168.10.85 match ip sport 1352 0xffff flowid 1:41
> > $U32 match ip dst 192.168.10.85 flowid 1:40
> >
> > The client (192.168.10.85) then runs iperf to test the results:
> >
> > iperf -c 192.168.10.30 -p 1352 -P 5 -f k
> > [SUM] 0.0-11.4 sec 3016 KBytes 2163 Kbits/sec
> >
> > iperf -c 192.168.10.30 -p 23 -P 5 -f k
> > [SUM] 0.0-11.4 sec 2856 KBytes 2053 Kbits/sec
> >
> > iperf -c 192.168.10.30 -p 3389 -P 5 -f k
> > [SUM] 0.0-10.3 sec 11264 KBytes 8956 Kbits/sec
> >
> > The traffic is being shaped proportionally as I'd hoped but each class is well in excess of its configured limit.
> >
> > I am getting similar results on two separate units:
> > 1: Debian (testing), Kernel v2.6.16.19, iproute2 ss070313
> > 2: Ubuntu (dapper), Kernel v2.6.23.1, iproute2 ss041019
> >
> > I'd be very grateful for any information that could help me out.
> > Thanks,
> > Stu (newbie to HTB)
>
> I am newbie too, so if i am wrong please someone correct me.
>
> --
> ___________________________________
> S pozdravom / Best regards
>
> John Default

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20071120/d1bf6e3e/attachment.htm

From marek at piasta.pl Tue Nov 20 02:03:17 2007
From: marek at piasta.pl (Marek Kierdelewicz)
Date: Tue Nov 20 02:10:22 2007
Subject: [LARTC] Which CPU for heavy traffic with much filtering/shaping?
In-Reply-To: <200711200008.40900.sawar@interia.pl>
References: <47415A73.9020107@interdart.co.uk> <20071119174034.1b7e9bb7@catlap> <200711200008.40900.sawar@interia.pl>
Message-ID: <20071120020317.2e716938@catlap>

>Hi

Hi

>is there any how-to which can guide me through all available tuning
>options in /proc/ filesystem

Proc filesystem is described in file Documentation/filesystems/proc.txt in the linux kernel sources. You can find there something about smp_affinity and linux network stack parameters (and about many more things). No info about netfilter-related setting is supplied in that document.

As for guide... Lartc howto: lartc.org/howto/lartc.kernel.html and many more available through the google search.

Regards,
Marek Kierdelewicz
KoBa ISP

From mohan.tux at gmail.com Tue Nov 20 04:03:11 2007
From: mohan.tux at gmail.com (Mohan Sundaram)
Date: Tue Nov 20 04:03:24 2007
Subject: [LARTC] Which CPU for heavy traffic with much filtering/shaping?
In-Reply-To: <4741CE08.8020506@interdart.co.uk>
References: <47415A73.9020107@interdart.co.uk> <20071119174034.1b7e9bb7@catlap> <4741CE08.8020506@interdart.co.uk>
Message-ID: <47424E6F.5030101@vsnl.com>

Derek Sims wrote:
> Marek Kierdelewicz wrote:
>
> Hmm - I don't know what the "set" module is - can you point me to some
> documentation please?

Search for ipset extensions for iptables or look up extension projects in netfilter.org. ipset gives the facility to create sets of IPs and use the sets in iptables rules. Makes the rules more orderly, easy to read, easy to manage and is easier on the CPU.

Mohan

From mohan.tux at gmail.com Tue Nov 20 04:18:48 2007
From: mohan.tux at gmail.com (Mohan Sundaram)
Date: Tue Nov 20 04:19:02 2007
Subject: [LARTC] Which CPU for heavy traffic with much filtering/shaping?
In-Reply-To: <4741CE08.8020506@interdart.co.uk>
References: <47415A73.9020107@interdart.co.uk> <20071119174034.1b7e9bb7@catlap> <4741CE08.8020506@interdart.co.uk>
Message-ID: <47425218.9090700@vsnl.com>

Derek Sims wrote:
> Marek Kierdelewicz wrote
>>> 1. What processors should I be looking for in order to achieve the
>>> best routing throughput on a linux router?
>>>
>> I've had good experiences with P4 (with and without HT), Athlon64, Xeon
>> [dempsey], Xeon [woodcrest]. The last one is the best choice because of
>> the large cache and architecture. I think you can use Core 2 Duo too
>> if you want to save some money.
>>
> Thanks - I will see what I can get

I used AMD Opteron 2GHz and it blazes. In my packet switching benchmarks, onchip cache gave no benefit. On price-performance basis, you'd be better off going for greater CPU speed than for cache.

Mohan

From maillist1 at argontech.net Tue Nov 20 17:03:47 2007
From: maillist1 at argontech.net (Marco C. Coelho)
Date: Tue Nov 20 17:04:07 2007
Subject: [LARTC] Which CPU for heavy traffic with much filtering/shaping?
In-Reply-To: <47425218.9090700@vsnl.com>
References: <47415A73.9020107@interdart.co.uk> <20071119174034.1b7e9bb7@catlap> <4741CE08.8020506@interdart.co.uk> <47425218.9090700@vsnl.com>
Message-ID: <47430563.6050803@argontech.net>

I like multicore / multicpu amd opteron boards from Tyan. With a dual core (later you can double to 4 core) dual cpu motherboard, you can route and shape to your heart's content. To really improve throughput, you should use a higher end network controller with pci-express with some smarts and multiple ports if you need it.

Hope that helps.

Mohan Sundaram wrote:
> Derek Sims wrote:
>> Marek Kierdelewicz wrote
>>>> 1. What processors should I be looking for in order to achieve the
>>>> best routing throughput on a linux router?
>>>>
>>> I've had good experiences with P4 (with and without HT), Athlon64, Xeon
>>> [dempsey], Xeon [woodcrest]. The last one is the best choice because of
>>> the large cache and architecture. I think you can use Core 2 Duo too
>>> if you want to save some money.
>>>
>> Thanks - I will see what I can get
> I used AMD Opteron 2GHz and it blazes. In my packet switching
> benchmarks, onchip cache gave no benefit. On price-performance basis,
> you'd be better off going for greater CPU speed than for cache.
>
> Mohan

From cbergstrom at netsyncro.com Tue Nov 20 18:38:21 2007
From: cbergstrom at netsyncro.com (C. Bergström)
Date: Tue Nov 20 18:39:03 2007
Subject: [LARTC] OT: vendor hw recommendations
In-Reply-To: <47430563.6050803@argontech.net>
References: <47415A73.9020107@interdart.co.uk> <20071119174034.1b7e9bb7@catlap> <4741CE08.8020506@interdart.co.uk> <47425218.9090700@vsnl.com> <47430563.6050803@argontech.net>
Message-ID: <1195580301.18148.26.camel@chaos>

I'm mostly just a lurker here, but with recent discussion just wanted to toss this question out to the community/vendors.

My preferences are..

a) low thermals (maybe sbc)
b) routes 100-200Mbps with shaping
c) 1U-4U rack mountable factor
d) not sparc, alpha or mips based
e) pci-x /pcie slot so I can put some quad port nic (open to suggestions)
f) priced between 300-1000 USD
g) serial port preferably with bios level access

Looking at the vyatta project, which was recommended by a senior person on this list, they are currently supporting Dell 860's. Which fits some of the requirements, but I'm open to different vendors such as Tyan. Routerboard and soekris 4801 with my limited testing couldn't push enough bandwidth otherwise they'd be a nice fit.

Feel free to email me off list if you think this is too OT.

Thanks in advance!
Christopher

From pragma at omnikron.net Tue Nov 20 18:43:13 2007
From: pragma at omnikron.net (Szymon Stefanek)
Date: Tue Nov 20 18:56:09 2007
Subject: [LARTC] Problem deleting tc rules
Message-ID: <200711201843.13299.pragma@omnikron.net>

Hi all! :)

I see that this is partially covered in the mailing list archive but at the moment I can't find a straight & working answer.

I have an imq device with dynamically attached classes/qdiscs/filters. There is a hashing filter that maps the last octet of a user's IP address to a class (and associated qdisc). The "empty" filter looks like this:

filter parent 1: protocol ip pref 5 u32
filter parent 1: protocol ip pref 5 u32 fh 2: ht divisor 256
filter parent 1: protocol ip pref 5 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 5 u32 fh 800::800 order 2048 key ht 800 bkt 0 link 2: (rule hit 0 success 0)
  match 00000000/00000000 at 12 (success 0 )
    hash mask 000000ff at 16

I'm adding the hash entries dynamically, as users get attached to the system (this is a dynamic PPPoE access concentrator).

tc filter add dev imq0 protocol ip parent 1:0 prio 5 u32 ht 2:: match ip dst flowid 1:

is the address of the newly attached user, is a dynamically assigned unique identifier and is the last octet of the user's IP address.

This works and I get a tc tree like this:

filter parent 1: protocol ip pref 5 u32
filter parent 1: protocol ip pref 5 u32 fh 2: ht divisor 256
filter parent 1: protocol ip pref 5 u32 fh 2:1:800 order 2048 key ht 2 bkt 1 flowid 1:4098 (rule hit 0 success 0)
  match 0a050001/ffffffff at 16 (success 0 )
filter parent 1: protocol ip pref 5 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 5 u32 fh 800::800 order 2048 key ht 800 bkt 0 link 2: (rule hit 0 success 0)
  match 00000000/00000000 at 12 (success 0 )
    hash mask 000000ff at 16

Nice.
If another user gets added to the same hash bucket I get something like:

filter parent 1: protocol ip pref 5 u32
filter parent 1: protocol ip pref 5 u32 fh 2: ht divisor 256
filter parent 1: protocol ip pref 5 u32 fh 2:1:800 order 2048 key ht 2 bkt 1 flowid 1:4098 (rule hit 0 success 0)
  match 0a050001/ffffffff at 16 (success 0 )
filter parent 1: protocol ip pref 5 u32 fh 2:1:801 order 2048 key ht 2 bkt 1 flowid 1:4099 (rule hit 0 success 0)
  match 0a060001/ffffffff at 16 (success 0 )
filter parent 1: protocol ip pref 5 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 5 u32 fh 800::800 order 2048 key ht 800 bkt 0 link 2: (rule hit 0 success 0)
  match 00000000/00000000 at 12 (success 0 )
    hash mask 000000ff at 16

Now when the users go away I want to _programmatically_ remove the associated filter entries. This doesn't work unless I manually specify the filter handle (handle 2:1:801). The problem is that I actually don't know the filter handle since its last part is assigned automatically by tc. I would need to relaunch tc with the show option, capture its output and parse it... this is overkill.

If I try to delete handle 2:1: (just like in the add command) then ALL the rules with handle 2:1:* get deleted (and this is obviously not what I want).

Trying to add filters with completely specified handle (like fh 2:1:4098) doesn't work unless the last part is EXACTLY what tc would set automatically (this is 800, 801 etc...). But since I have multiple unsynchronized processes that do the adding job then I don't know which handles have been already used and thus can't guess which handle to add next. Synchronizing the processes and sharing a database would be again a very huge overkill.

Trying to assign a unique filter id by using pref creates a mess since it adds three filters at once for every preference value. And removing doesn't work either with tc complaining about "No such file or directory".
I have read somewhere that deleting a qdisc will also delete the filters attached to it but this doesn't seem to work: the qdisc is deleted but the filter in the hash bucket is not.

So finally, can I programmatically remove a filter without knowing exactly its handle? How? Is there another way to match filters? Maybe on flowid...? Add/remove by using direct syscalls?

--
Szymon Stefanek
------------------------------------------------------------------------------
Somewhere, something incredible is waiting to be known.
------------------------------------------------------------------------------

From emmett at webengineer.com Wed Nov 21 00:47:07 2007
From: emmett at webengineer.com (Emmett Culley)
Date: Wed Nov 21 00:47:13 2007
Subject: [LARTC] Problem deleting tc rules
In-Reply-To: <200711201843.13299.pragma@omnikron.net>
References: <200711201843.13299.pragma@omnikron.net>
Message-ID: <474371FB.60404@webengineer.com>

Szymon Stefanek wrote:
> Hi all! :)
>
> I see that this is partially covered in the mailing list archive
> but at the moment I can't find a straight & working answer.
>
> I have an imq device with dynamically attached classes/qdiscs/filters.
> There is a hashing filter that maps the last octet of a user's IP address
> to a class (and associated qdisc). The "empty" filter looks like this:
>
> filter parent 1: protocol ip pref 5 u32
> filter parent 1: protocol ip pref 5 u32 fh 2: ht divisor 256
> filter parent 1: protocol ip pref 5 u32 fh 800: ht divisor 1
> filter parent 1: protocol ip pref 5 u32 fh 800::800 order 2048 key ht 800 bkt 0 link 2: (rule hit 0 success 0)
>   match 00000000/00000000 at 12 (success 0 )
>     hash mask 000000ff at 16
>
> I'm adding the hash entries dynamically, as users get attached to the system
> (this is a dynamic PPPoE access concentrator).
>
> tc filter add dev imq0 protocol ip parent 1:0 prio 5 u32 ht
> 2:: match ip dst flowid 1:
>
> is the address of the newly attached user, is
> a dynamically assigned unique identifier and is the
> last octet of the user's IP address.
>
> This works and I get a tc tree like this:
>
> filter parent 1: protocol ip pref 5 u32
> filter parent 1: protocol ip pref 5 u32 fh 2: ht divisor 256
> filter parent 1: protocol ip pref 5 u32 fh 2:1:800 order 2048 key ht 2 bkt 1 flowid 1:4098 (rule hit 0 success 0)
>   match 0a050001/ffffffff at 16 (success 0 )
> filter parent 1: protocol ip pref 5 u32 fh 800: ht divisor 1
> filter parent 1: protocol ip pref 5 u32 fh 800::800 order 2048 key ht 800 bkt 0 link 2: (rule hit 0 success 0)
>   match 00000000/00000000 at 12 (success 0 )
>     hash mask 000000ff at 16
>
> Nice.
>
> If another user gets added to the same hash bucket I get something like:
>
> filter parent 1: protocol ip pref 5 u32
> filter parent 1: protocol ip pref 5 u32 fh 2: ht divisor 256
> filter parent 1: protocol ip pref 5 u32 fh 2:1:800 order 2048 key ht 2 bkt 1 flowid 1:4098 (rule hit 0 success 0)
>   match 0a050001/ffffffff at 16 (success 0 )
> filter parent 1: protocol ip pref 5 u32 fh 2:1:801 order 2048 key ht 2 bkt 1 flowid 1:4099 (rule hit 0 success 0)
>   match 0a060001/ffffffff at 16 (success 0 )
> filter parent 1: protocol ip pref 5 u32 fh 800: ht divisor 1
> filter parent 1: protocol ip pref 5 u32 fh 800::800 order 2048 key ht 800 bkt 0 link 2: (rule hit 0 success 0)
>   match 00000000/00000000 at 12 (success 0 )
>     hash mask 000000ff at 16
>
> Now when the users go away I want to _programmatically_ remove the associated
> filter entries. This doesn't work unless I manually specify the filter handle
> (handle 2:1:801). The problem is that I actually don't know the filter
> handle since its last part is assigned automatically by tc. I would need
> to relaunch tc with the show option, capture its output and parse it...
> this is overkill.
> If I try to delete handle 2:1: (just like in the add
> command) then ALL the rules with handle 2:1:* get deleted (and this is
> obviously not what I want).
>
> Trying to add filters with completely specified handle (like fh 2:1:4098)
> doesn't work unless the last part is EXACTLY what tc would set automatically
> (this is 800, 801 etc...). But since I have multiple unsynchronized processes
> that do the adding job then I don't know which handles have been already
> used and thus can't guess which handle to add next. Synchronizing
> the processes and sharing a database would be again a very huge overkill.
>
> Trying to assign a unique filter id by using pref creates a mess since it
> adds three filters at once for every preference value. And removing doesn't
> work either with tc complaining about "No such file or directory".
>
> I have read somewhere that deleting a qdisc will also delete the filters
> attached to it but this doesn't seem to work: the qdisc is deleted
> but the filter in the hash bucket is not.
>
> So finally, can I programmatically remove a filter without knowing exactly its
> handle? How? Is there another way to match filters? Maybe on flowid...?
> Add/remove by using direct syscalls?
>

I resolved this by adding "pref " to the filter rule:

tc filter add dev parent 1:0 protocol ip pref u32 match ip dst flowid 1:

replacing "add" with "del" to remove filter.

In my case I used the last two octets to create a user_id value as I am serving DHCP to subnet 172.16.128.0/17

Note that the pref value has to be in base 10.
Regards,

Emmett

From mohan.tux at gmail.com Wed Nov 21 02:17:16 2007
From: mohan.tux at gmail.com (Mohan Sundaram)
Date: Wed Nov 21 02:17:28 2007
Subject: [LARTC] OT: vendor hw recommendations
In-Reply-To: <1195580301.18148.26.camel@chaos>
References: <20071119174034.1b7e9bb7@catlap> <4741CE08.8020506@interdart.co.uk> <47425218.9090700@vsnl.com> <47430563.6050803@argontech.net> <1195580301.18148.26.camel@chaos>
Message-ID: <4743871C.9060707@vsnl.com>

C. Bergström wrote:
> I'm mostly just a lurker here, but with recent discussion just wanted to
> toss this question out to the community/vendors.
>
> My preferences are..
>
> a) low thermals (maybe sbc)
> b) routes 100-200Mbps with shaping

Most low thermal SBCs come with low end network controllers like 100Mbps RTL8139. Getting 100Mbps thro' most of these is impossible.

> c) 1U-4U rack mountable factor

I'd recommend a 1U server m/c. I used a Sunfire x2100 in March 2006 costing $750 on the Net. Added a dual port PCIe GigE Intel board for $175 and was home booting from a USB stick with a memory based Linux for routing (persistent storage on USB stick for config).

> d) not sparc, alpha or mips based
> e) pci-x /pcie slot so I can put some quad port nic (open to
> suggestions)

Go Intel

> f) priced between 300-1000 USD
> g) serial port preferably with bios level access
>

The Sunfire had a management processor independent of the Opteron which is a nice thing. Did not try to access it though. Helps if the system hangs for some reason. Need to see if you can login to the processor thro' the onboard ethernet so that you can reboot the system remotely without a KVM/power control.

The Opteron generates a lot of heat. 1U chassis is well provisioned to cool it. These machines being servers are rated to run non-stop for pretty long. You may want to look at water cooling rigs to be safer.
Since these are not just routers, I know guys like IEI have OEM network boxes made for networking with multiple high end nics and switches on board. Helpful if you want to run large stateful firewalls or IDS etc on the edge. I'd be satisfied with a 1U server for your requirements though.

Mohan

From pragma at omnikron.net Wed Nov 21 02:27:22 2007
From: pragma at omnikron.net (Szymon Stefanek)
Date: Wed Nov 21 02:27:12 2007
Subject: [LARTC] Problem deleting tc rules
In-Reply-To: <474371FB.60404@webengineer.com>
References: <200711201843.13299.pragma@omnikron.net> <474371FB.60404@webengineer.com>
Message-ID: <200711210227.23107.pragma@omnikron.net>

On Wednesday 21 November 2007 00:47, Emmett Culley wrote:
> Szymon Stefanek wrote:
> > I have an imq device with dynamically attached classes/qdiscs/filters.
> > There is a hashing filter that
> > [...]
> > So finally, can I programmatically remove a filter without knowing exactly its handle ? How ? Is there another way to match filters ? Maybe on flowid... ? Add/remove by using direct syscalls ?
>
> I resolved this by adding "pref " to the filter rule:
>
> tc filter add dev parent 1:0 protocol ip pref u32 match ip dst flowid 1:
>
> replacing "add" with "del" to remove filter.
>
> In my case I used the last two octets to create a user_id value as I am serving DHCP to subnet 172.16.128.0/17
>
> Note that the pref value has to be in base 10.

Hum. I have tried this.

Or better, my problem manifests when there are collisions of filters inside a single hashtable bucket. Since the ht is hashing by last octet then a single bucket can contain 2^24 ip addresses (the remaining octets). I have then tried using (ipaddress >> 8) as preference value.

Here comes the first problem: priority values seem to be limited to 16 bits. That is, if you add something with priority 0xaffff you'll end up with real priority 0xffff which will collide with 0xbffff, for example.
The second problem is that if I use priority then I get a very different filter layout. For each different priority used two additional filter lines are printed by "tc filter show"... The difference is between:

filter parent 1: protocol ip pref 5 u32
filter parent 1: protocol ip pref 5 u32 fh 2: ht divisor 256
filter parent 1: protocol ip pref 5 u32 fh 2:1:800 order 2048 key ht 2 bkt 1 flowid 1:4098 (rule hit 0 success 0)
  match 0a050001/ffffffff at 16 (success 0 )
filter parent 1: protocol ip pref 5 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 5 u32 fh 800::800 order 2048 key ht 800 bkt 0 link 2: (rule hit 0 success 0)
  match 00000000/00000000 at 12 (success 0 )
    hash mask 000000ff at 16

where priority wasn't used (and it's working) and

filter parent 1: protocol ip pref 5 u32
filter parent 1: protocol ip pref 5 u32 fh 2: ht divisor 256
filter parent 1: protocol ip pref 5 u32 fh 2:1:800 order 2048 key ht 2 bkt 1 flowid 1:4098 (rule hit 0 success 0)
  match 0a050001/ffffffff at 16 (success 0 )
filter parent 1: protocol ip pref 5 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 5 u32 fh 800::800 order 2048 key ht 800 bkt 0 link 2: (rule hit 0 success 0)
  match 00000000/00000000 at 12 (success 0 )
    hash mask 000000ff at 16
filter parent 1: protocol ip pref 7 u32
filter parent 1: protocol ip pref 7 u32 fh 801: ht divisor 1

where a different priority was used.

Hm? Looks ugly.

Now, I'm not a tc expert but the output suggests that a more complex filter hierarchy is created in this case and an additional "fh 801:" jumps out from nowhere. In both cases the filter I've just added is the third line of the listing: in the second listing it STILL has pref of 5! (????)

Since I tend to not trust stuff that I don't understand at the moment I've chosen the very-dirty-but-at-least-understandable solution of using some grep & sed to get back the filter handle.
To add:

tc filter add dev @IMQDEV@ protocol ip parent 1:0 prio 5 u32 ht 2:@LASTIPOCTETHEX@: match ip src @IPADDRESS@ flowid 1:@TCCLASSID@

To remove:

tc filter del dev @IMQDEV@ parent 1:0 handle \
  $( tc -s filter show dev @IMQDEV@ | grep 'flowid 1:@TCCLASSID@' |
     sed -e 's/filter[A-Za-z0-9: ]*fh//' | sed -e 's/order.*//' ) \
  prio 5 u32

This forces me to spawn several children through a shell, is strongly dependent on tc output (that might change in a future version) and makes batch processing impossible...but at least it works and *maybe* I'll understand it in one year from now :D

...but if somebody comes out with a nicer solution I'd happily use it...

-- 
Szymon Stefanek

From vandebo-lartc at NerdBox.Net Wed Nov 21 04:03:07 2007
From: vandebo-lartc at NerdBox.Net (Steve VanDeBogart)
Date: Wed Nov 21 04:03:17 2007
Subject: [LARTC] Problem with ingress policing on bridged device
Message-ID:

I'm having trouble getting ingress policing to work on a bridged device. The bridge contains several interfaces: peth0, vif0.0, vif[1-7]0.1, vif[25].1 . (This is under xen, in case the vif's didn't give that away, so peth0 is renamed eth0.)

The tc rules I have are:

tc qdisc del dev peth0 root
tc qdisc del dev peth0 ingress handle ffff:
tc qdisc add dev peth0 root handle 1: htb default 1
tc class add dev peth0 parent 1: classid 1:1 htb rate 1mbit ceil 1mbit mtu 100000 burst 3000 cburst 3000
tc qdisc add dev peth0 ingress handle ffff:
tc filter add dev peth0 parent ffff: protocol ip prio 10 u32 match ip protocol 6 0xff police rate 1mbit buffer 3k drop flowid ffff:

The egress filter has such a large mtu to deal with "giants." Otherwise it seems like these rules should work without a problem.
However, when I do

tc -s qdisc show dev peth0

I get 0 bytes on the ingress qdisc:

qdisc htb 1: r2q 10 default 1 direct_packets_stat 0
 Sent 33055549 bytes 232260 pkt (dropped 0, overlimits 3661 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc ingress ffff: ----------------
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

Furthermore, when I run

tc filter ls dev peth0 root

the ref value on the police rule changes each time I run the command:

filter parent ffff: protocol ip pref 10 u32
filter parent ffff: protocol ip pref 10 u32 fh 800: ht divisor 1
filter parent ffff: protocol ip pref 10 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid ffff:
  match 00060000/00ff0000 at 8
 police 0xf rate 1000Kbit burst 3Kb mtu 2Kb action drop
 ref -561105860 bind 4
...
 ref -952640528 bind 4
...
 ref -540461920 bind 4

Any help would be appreciated.

-- 
Steve

From cjjoy1980 at yahoo.com Wed Nov 21 03:55:35 2007
From: cjjoy1980 at yahoo.com (joy charles)
Date: Wed Nov 21 05:04:03 2007
Subject: [LARTC] Some doubts regarding load balancing!!!
Message-ID: <983830.95662.qm@web44813.mail.sp1.yahoo.com>

Hi all,

I have implemented load balancing using the tutorial http://www.ssi.bg/~ja/nano.txt . The traffic is going through both my external network interfaces. I have some questions regarding this:

ip route add default table 222 proto static \
    nexthop via GWE1 dev IFE1 \
    nexthop via GWE2 dev IFE2

The author explains the kernel chooses both the interfaces alternately (weight being 1 for both). Can anyone please elaborate this, like how the kernel will decide this??? Will it decide using any hash functions??? Is this kind of loadbalancing similar to ECMP (Equal cost multi path). Please let me know..

Thanks,
Joy
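Joy's question above (how the kernel picks one of the two nexthops, and whether a hash is involved) can be illustrated with a small model. This is an added example, not code from the thread or from the kernel: it models the weighted pseudo-random pick that the 2.6-era kernel (without CONFIG_IP_ROUTE_MULTIPATH_CACHED) made at route-lookup time and then kept in the route cache per destination, beside an ECMP-style per-flow hash; GWE1/IFE1/GWE2/IFE2 are the placeholders from the quoted command and the other addresses are constructed.

```python
"""Model of Linux multipath nexthop selection (added example, not kernel code).

It illustrates the two strategies asked about in the thread for a route like

    ip route add default table 222 proto static \
        nexthop via GWE1 dev IFE1 \
        nexthop via GWE2 dev IFE2

- weighted pseudo-random choice, cached per destination: one destination keeps
  its gateway while the route-cache entry lives, so a TCP session does not
  alternate between links even though destinations overall are spread out;
- ECMP-style per-flow hashing: the gateway is a deterministic function of the
  flow tuple, so one flow never switches gateway.
Both honour the `weight` attribute of each nexthop.
"""
import hashlib
import random
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Nexthop:
    via: str          # gateway address (placeholder names as in the thread)
    dev: str          # outgoing interface
    weight: int = 1   # `weight N` on the nexthop; tc/ip default is 1


# Joy's two equal-weight gateways; the names are the placeholders used in the
# quoted command, not real addresses.
JOY_ROUTE: Tuple[Nexthop, ...] = (Nexthop("GWE1", "IFE1"), Nexthop("GWE2", "IFE2"))


def total_weight(nexthops: Sequence[Nexthop]) -> int:
    return sum(nh.weight for nh in nexthops)


def _pick_by_slot(nexthops: Sequence[Nexthop], slot: int) -> Nexthop:
    """Map an integer in [0, total_weight) onto a nexthop, proportional to weight."""
    for nh in nexthops:
        if slot < nh.weight:
            return nh
        slot -= nh.weight
    raise ValueError("slot outside the weight range")


def select_weighted_random(nexthops: Sequence[Nexthop], rng: random.Random) -> Nexthop:
    """Weighted pseudo-random choice: each pick is independent of the previous one."""
    return _pick_by_slot(nexthops, rng.randrange(total_weight(nexthops)))


def select_flow_hash(nexthops: Sequence[Nexthop], src: str, dst: str,
                     proto: int, sport: int, dport: int) -> Nexthop:
    """ECMP-style choice: hash the 5-tuple, then map it onto the weighted list."""
    key = f"{src}|{dst}|{proto}|{sport}|{dport}".encode()
    h = int.from_bytes(hashlib.sha256(key).digest()[:4], "big")
    return _pick_by_slot(nexthops, h % total_weight(nexthops))


class RouteCache:
    """Per-destination cache in front of the weighted random choice.

    The first lookup for a destination picks a gateway at random; later lookups
    for the same destination return the cached gateway until flush() is called.
    """

    def __init__(self, nexthops: Sequence[Nexthop], seed: Optional[int] = None) -> None:
        self.nexthops = nexthops
        self.rng = random.Random(seed)
        self.entries: Dict[str, Nexthop] = {}

    def lookup(self, dst: str) -> Nexthop:
        if dst not in self.entries:
            self.entries[dst] = select_weighted_random(self.nexthops, self.rng)
        return self.entries[dst]

    def flush(self) -> None:
        self.entries.clear()


def distribution(nexthops: Sequence[Nexthop], picks: int, seed: int = 1) -> Counter:
    """Count how often each gateway is chosen over `picks` independent picks."""
    rng = random.Random(seed)
    counts: Counter = Counter()
    for _ in range(picks):
        counts[select_weighted_random(nexthops, rng).via] += 1
    return counts


if __name__ == "__main__":
    print(distribution(JOY_ROUTE, 1000))            # roughly 500 / 500
    cache = RouteCache(JOY_ROUTE, seed=7)
    print([cache.lookup("203.0.113.10").via for _ in range(3)])  # same gateway 3 times
    print(select_flow_hash(JOY_ROUTE, "192.0.2.1", "203.0.113.10", 6, 40000, 443).via)
```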
From mike at psand.net Wed Nov 21 15:08:01 2007
From: mike at psand.net (Mike Harris)
Date: Wed Nov 21 15:14:04 2007
Subject: [LARTC] Split access multi-route problem - need help.
Message-ID: <47443BC1.4060001@psand.net>

Hello,

Am writing to the list in the hope that someone out there might be able to shed some light on a weird problem I have with a multiple route configuration.

Some time ago I configured a web server to have two different IP addresses from two different ranges on each of its two ethernet cards.
I followed the excellent instructions at http://lartc.org/lartc.html#AEN268 and came up with the following configuration:

#!/bin/bash
/sbin/ip route add 194.164.97.0 dev eth0 src 194.164.97.252 table T1
/sbin/ip route add default via 194.164.97.1 table T1
/sbin/ip route add 86.54.82.144 dev eth1 src 86.54.82.146 table T2
/sbin/ip route add default via 86.54.82.145 table T2
/sbin/ip route add 194.164.97.0 dev eth0 src 194.164.97.252
/sbin/ip route add 86.54.82.144 dev eth1 src 86.54.82.146
/sbin/ip route add default via 194.164.97.1
/sbin/ip rule add from 194.164.97.252 table T1
/sbin/ip rule add from 86.54.82.146 table T2
/sbin/iptables-save

I'm uncertain if the last line is actually needed there.

Anyway, this worked perfectly, or seemed to. The two web sites could be accessed properly and I could use ping to access the internet via either interface, so 'ping -I eth0 lartc.org' and 'ping -I eth1 lartc.org' both worked absolutely fine.

Now what's gone wrong. My lovely web server's RAID controller started failing and I have to move to another server in somewhat of a hurry. I copied over the configuration but on the new server it just doesn't work.

What happens is that whichever interface is defined in the '/sbin/ip route add default via 194.164.97.1' line of the configuration above becomes the only route out that works. So for example 'ping -I eth1 lartc.org' no longer returns a result.

Would appreciate any help, especially if someone can confirm that my configuration is correct and perhaps shed some light on other things that I may have overlooked, such as the correct kernel modules etc. For reference the install is Debian Etch, kernel 2.6.18-5-amd64.

Any help much appreciated,

Thanks in advance,

Mike.
-- 
Mike Harris
Psand.net
Web: http://psand.net

From deepc2005 at hotmail.com Wed Nov 21 15:12:37 2007
From: deepc2005 at hotmail.com (Maximilian Freisinger)
Date: Wed Nov 21 15:20:55 2007
Subject: [LARTC] Traffic generation and measurement
Message-ID:

Hello,

i am searching for a method to generate traffic and measure it, to compare several versions of tc configurations. For my thesis i am researching the best way to use tc for medium sized companies. For this purpose i analyzed the company network and created a tc schema. Now i have to test this definition in a kind of simulation outside the network. Also i have to do a comparison of the different qdiscs for my prof. So i need a way to define traffic and send it into tc and need to have a way to plot the results.

I tried with virtual machines and wireshark but that didn't seem to be the right solution. The problem is i have problems with generating usable traffic. Can anybody help me there?

I just found a tool called ethloop but couldn't find a useful documentation. It seems there are some people out there who use this tool. Perhaps somebody could give me a hint where to look.

thx
DC
From paa.listas at gmail.com Wed Nov 21 15:29:05 2007
From: paa.listas at gmail.com (Paa.listas)
Date: Wed Nov 21 15:29:27 2007
Subject: [LARTC] Load Balancing with secondary tables (not main as in the howto)
Message-ID: <474440b8.0c86460a.71b8.0bd4@mx.google.com>

Hello,

We have 3 DSL connections connected to eth3 and another interface with a dedicated link in eth0 (main table)

We want to balance selected traffic (using fwmark and iptables) through our 3 DSL connections in a secondary table named DSL (without using the dedicated link in eth0), but the next command is not accepted, and gives us the following error:

# ip route add default scope global nexthop via 10.0.1.1 dev eth3 weight 1 nexthop via 10.0.2.1 dev eth3 weight 3 nexthop via 10.0.3.1 dev eth3 weight 2 table DSL
Error: "nexthop" or end of line is expected instead of "table"

That's because of the syntax rules of ip:

# ip route add help
Usage: ip route { add | del | change | append | replace | monitor } ROUTE
SELECTOR := [ root PREFIX ] [ match PREFIX ] [ exact PREFIX ]
            [ table TABLE_ID ] [ proto RTPROTO ]
            [ type TYPE ] [ scope SCOPE ]
ROUTE := NODE_SPEC [ INFO_SPEC ]
NODE_SPEC := [ TYPE ] PREFIX [ tos TOS ]
             [ table TABLE_ID ] [ proto RTPROTO ]
             [ scope SCOPE ] [ metric METRIC ]
INFO_SPEC := NH OPTIONS FLAGS [ nexthop NH ]...
NH := [ via ADDRESS ] [ dev STRING ] [ weight NUMBER ] NHFLAGS

The question is, can I add load balancing over a secondary table in any other way? Why doesn't ip route add allow this?

Thanks in advance.
Note:

- Architecture:

Linux box ---- eth3 --------------- | ----- ADSL1 (IP: 10.0.1.1)
                |                   | ----- ADSL2 (IP: 10.0.2.1)
                |                   | ----- ADSL3 (IP: 10.0.3.1)
               eth0

# ip addr show dev eth3
5: eth3: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:16:17:9d:3d:b2 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.2/24 brd 10.255.255.255 scope global eth3
    inet 10.0.2.2/24 brd 10.255.255.255 scope global eth3:1
    inet 10.0.3.2/24 brd 10.255.255.255 scope global eth3:2

From paa.listas at gmail.com Wed Nov 21 16:12:31 2007
From: paa.listas at gmail.com (Paa.listas)
Date: Wed Nov 21 16:12:51 2007
Subject: [LARTC] Load Balancing with secondary tables (not main as in the howto)
In-Reply-To: <677967882.20071121155931@invers.com>
Message-ID: <47444ae7.0a86460a.7e1d.2c42@mx.google.com>

Thanks! It works.

# -----Original Message-----
# From: Arnd Steinbrecher [mailto:]
# Sent: Wednesday, 21 November 2007 12:00 p.m.
# To: Paa.listas
# Subject: Re: [LARTC] Load Balancing with secondary tables (not main as in the howto)
#
# Hi,
# you have to write NODE_SPEC in front of INFO_SPEC.
# In your case:
#
# # ip route add default scope global table DSL nexthop via 10.0.1.1 dev eth3 weight 1 nexthop via 10.0.2.1 dev eth3 weight 3 nexthop via 10.0.3.1 dev eth3 weight 2
#
# > [...]
#
# -- 
# Kind regards
# Arnd Steinbrecher
# INVERS GmbH

From derek at interdart.co.uk Wed Nov 21 18:31:21 2007
From: derek at interdart.co.uk (Derek Sims)
Date: Wed Nov 21 18:31:33 2007
Subject: [LARTC] iptables and BUG: soft lockup detected
Message-ID: <47446B69.7090403@interdart.co.uk>

Apologies if this is not relevant to this list.

I am seeing errors when loading a large iptables file. Using iptables-restore with a file containing more than about 1000 rules reports the errors shown below in the system log.

I am using Centos5 and have tried various processors and memory from Celeron 2.4 to Core2Duo and 500Mb to 2Gb.

The problem appears to be related to the size of the ruleset being loaded - loading the full ruleset of 3000 rules takes about 30 seconds.

My questions are:

1. Should I be worried by these messages
2. Is it likely the rules are not being loaded properly
3. Is there anything I can do to get rid of the errors

Best regards,

Derek

BUG: soft lockup detected on CPU#0!
 [] softlockup_tick+0x98/0xa6
 [] update_process_times+0x39/0x5c
 [] smp_apic_timer_interrupt+0x5c/0x64
 [] apic_timer_interrupt+0x1f/0x24
 [] translate_table+0x22d/0x717 [ip_tables]
 [] do_IRQ+0xa5/0xae
 [] do_ipt_set_ctl+0xee/0x607 [ip_tables]
 [] get_page_from_freelist+0x2a6/0x310
 [] nf_sockopt+0xac/0xda
 [] nf_setsockopt+0x11/0x16
 [] ip_setsockopt+0x9fe/0xa1d
 [] __d_lookup+0x98/0xdb
 [] do_lookup+0x53/0x157
 [] _atomic_dec_and_lock+0x2a/0x44
 [] mntput_no_expire+0x11/0x6a
 [] __link_path_walk+0xd11/0xd33
 [] touch_atime+0x60/0x8f
 [] apic_timer_interrupt+0x1f/0x24
 [] get_page_from_freelist+0x2a6/0x310
 [] __alloc_pages+0x57/0x27e
 [] anon_vma_prepare+0x11/0xa5
 [] __handle_mm_fault+0x85e/0x87b
 [] sock_common_setsockopt+0x12/0x16
 [] sys_setsockopt+0x76/0x95
 [] sys_socketcall+0x15c/0x19e
 [] syscall_call+0x7/0xb
 =======================

From emmett at webengineer.com Wed Nov 21 22:57:06 2007
From: emmett at webengineer.com (Emmett Culley)
Date: Wed Nov 21 22:57:14 2007
Subject: [LARTC] Problem deleting tc rules
In-Reply-To: <200711210227.23107.pragma@omnikron.net>
References: <200711201843.13299.pragma@omnikron.net> <474371FB.60404@webengineer.com> <200711210227.23107.pragma@omnikron.net>
Message-ID: <4744A9B2.8070603@webengineer.com>

Szymon Stefanek wrote:
> On Wednesday 21 November 2007 00:47, Emmett Culley wrote:
> [...]
>
> ...but if somebody comes out with a nicer solution I'd happily use it...
>

Here's what I show (for one connection):

[root@lab1 ~]# tc filter show dev eth0
filter parent 1: protocol ip pref 65004 u32
filter parent 1: protocol ip pref 65004 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 65004 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:fdec
  match ac13fef6/ffffffff at 16

This is with the last two octets (254.246 in this case). I understand from the docs and much googling that the pref parameter is only to give priority within a class, but in this case each user has its own qdisc and class rule. And it seems to be working.
I'd be happy to send you the entire configuration...

Regards,
Emmett

From uncystu at hotmail.com Thu Nov 22 01:06:37 2007
From: uncystu at hotmail.com (Stuart Clouston)
Date: Thu Nov 22 01:06:57 2007
Subject: [LARTC] Traffic generation and measurement
In-Reply-To:
References:
Message-ID:

Hi DC,

I have used "iperf" for my testing. It is available on a number of platforms such as Linux and Windows.

http://dast.nlanr.net/Projects/Iperf/

> From: deepc2005@hotmail.com
> To: lartc@mailman.ds9a.nl
> Date: Wed, 21 Nov 2007 09:12:37 -0500
> Subject: [LARTC] Traffic generation and measurement
>
> [...]
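The handle lookup that Szymon's grep/sed pipeline and Emmett's listing (earlier in this thread) both revolve around can be done by parsing the `tc filter show` output structurally rather than with regular expressions on one line. This is an added example, not code from the thread: the two sample listings are reconstructed from the messages above with the indentation tc uses, `imq0` is an assumed device name, and `del_command` builds the `tc filter del ... handle ... prio ... u32` form Szymon uses.

```python
"""Parse `tc filter show` u32 output and recover filter handles (added example).

tc prints each u32 rule as a `filter ... fh HT:BKT:NODE order ...` line followed
by indented `match VALUE/MASK at OFFSET` lines; `fh 2:` / `fh 800:` lines with
`ht divisor` only describe hash tables and carry no match.  Offset 12 is the
IPv4 source address and 16 the destination (u32 compares 32-bit words of the
IP header at those offsets), which is what `match ip src/dst` compiles to.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

RULE_RE = re.compile(
    r"^filter parent (?P<parent>\S+) protocol \S+ pref (?P<pref>\d+) u32 "
    r"fh (?P<fh>[0-9a-f:]+) order \d+ key ht [0-9a-f]+ bkt [0-9a-f]+"
    r"(?: flowid (?P<flowid>\S+)| link (?P<link>\S+))?"
)
MATCH_RE = re.compile(r"^\s+match (?P<val>[0-9a-f]{8})/(?P<mask>[0-9a-f]{8}) at (?P<off>\d+)")

# Listing reconstructed from Szymon's "pref 5, working" case (constructed sample).
SZYMON_LISTING = """\
filter parent 1: protocol ip pref 5 u32
filter parent 1: protocol ip pref 5 u32 fh 2: ht divisor 256
filter parent 1: protocol ip pref 5 u32 fh 2:1:800 order 2048 key ht 2 bkt 1 flowid 1:4098 (rule hit 0 success 0)
  match 0a050001/ffffffff at 16 (success 0 )
filter parent 1: protocol ip pref 5 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 5 u32 fh 800::800 order 2048 key ht 800 bkt 0 link 2: (rule hit 0 success 0)
  match 00000000/00000000 at 12 (success 0 )
    hash mask 000000ff at 16
"""

# Listing reconstructed from Emmett's message (pref = per-user id, no hash table).
EMMETT_LISTING = """\
filter parent 1: protocol ip pref 65004 u32
filter parent 1: protocol ip pref 65004 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 65004 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:fdec
  match ac13fef6/ffffffff at 16
"""


@dataclass
class U32Rule:
    parent: str
    pref: int
    fh: str                        # HT:BKT:NODE handle, e.g. 2:1:800
    flowid: Optional[str]          # target class, or None for a `link` rule
    link: Optional[str]            # hash table this rule jumps to, if any
    matches: List[Tuple[int, int, int]] = field(default_factory=list)  # (value, mask, offset)


def parse_u32_filters(text: str) -> List[U32Rule]:
    """Return the u32 rules in `tc filter show` output with their match keys."""
    rules: List[U32Rule] = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(U32Rule(m["parent"], int(m["pref"]), m["fh"], m["flowid"], m["link"]))
            continue
        m = MATCH_RE.match(line)
        if m and rules:  # match lines belong to the most recently printed rule
            rules[-1].matches.append((int(m["val"], 16), int(m["mask"], 16), int(m["off"])))
    return rules


def handles_for_flowid(rules: List[U32Rule], flowid: str) -> List[str]:
    """All handles steering traffic to `flowid` (what the grep on 'flowid' did)."""
    return [r.fh for r in rules if r.flowid == flowid]


def handles_matching_ip(rules: List[U32Rule], ip: str, offset: int) -> List[str]:
    """Handles whose full-word match at `offset` (12 = src, 16 = dst) equals `ip`."""
    want = int(ipaddress.IPv4Address(ip))
    return [r.fh for r in rules
            if any(off == offset and mask == 0xFFFFFFFF and val == want
                   for val, mask, off in r.matches)]


def del_command(dev: str, rule: U32Rule) -> str:
    """The `tc filter del` line for one rule; parent and prio come from the listing."""
    return f"tc filter del dev {dev} parent {rule.parent} handle {rule.fh} prio {rule.pref} u32"


if __name__ == "__main__":
    for fh in handles_for_flowid(parse_u32_filters(SZYMON_LISTING), "1:4098"):
        print(fh)  # 2:1:800
    for r in parse_u32_filters(EMMETT_LISTING):
        print(del_command("imq0", r))  # imq0 is an assumed device name
```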
From scoleman at cfbtrenton.com Thu Nov 22 22:15:01 2007
From: scoleman at cfbtrenton.com (Sean Coleman)
Date: Thu Nov 22 22:13:52 2007
Subject: [LARTC] TC filter error
Message-ID: <000701c82d4c$be99bd10$3bcd3730$@com>

When I enter the following,

tc filter add dev eth0 parent 1:0 protocol ip prio 0 u32 match ip src 192.168.0.61 flowid 1:10

I get this response:

RTNETLINK answers: Invalid argument
We have an error talking to the kernel

The qdiscs add fine, and show as expected, but I can't for the life of me get the filter to apply.

Using Gentoo w/kernel 2.6.21.3. IPTABLES running as a basic NAT gateway.

My whole goal hinges on getting the filter to work, then I might understand what the heck is going on with this stuff. I've added every marking/netfilter kernel option I can find, both as a module and native. No matter what I add or take away, I get the same error when I try to add the filter.

It's probably one of those "simple" things, but I'm stumped. Please help, an additional 200 connections is crippling us at the moment!

Regards,

Sean

From uncystu at hotmail.com Fri Nov 23 04:01:42 2007
From: uncystu at hotmail.com (Stuart Clouston)
Date: Fri Nov 23 04:01:51 2007
Subject: [LARTC] Unexpected results using HTB qdisc
In-Reply-To:
References: <474204CF.60205@advaita.sytes.net>
Message-ID:

Dear All,

I have compiled the latest iproute2 (ss071016) with the latest kernel (2.6.23.8) and my test client is still getting rates of approximately 40 times what I have configured it to. I observed from the output of the "tc -s -d class list dev eth0" command that the bit rate reported appears to be correct.
This in conjunction with other documentation I have read leads me to think it may be the timer setting in the kernel (tried both 100Hz and 250Hz).

Just for fun I tried a simple tbf qdisc rate limited to 50mbit on the server, the client achieved almost 90mbit.

Also, since compiling the new iproute2, if I type "tc qdisc show" with only the default pfifo-fast qdisc enabled, linux responds with "Segmentation fault". I'm not too worried about this because I would prefer to get htb working as opposed to using pfifo-fast.

Has anyone out there actually got this working properly on a Debian or Ubuntu distro? If so, can you let me know what versions of iproute, kernel, etc you used?

Thanks,
Stuart Clouston

From: uncystu@hotmail.com
To: lartc@mailman.ds9a.nl
Subject: RE: [LARTC] Unexpected results using HTB qdisc
Date: Tue, 20 Nov 2007 10:31:52 +1100

Hi John,

Thanks for the reply. I removed the ceil parameters as a troubleshooting process to ensure that they weren't what was causing the excess of the configured rate. From what I can see if the ceil parameter is not specified it defaults to the same figure as the rate parameter. I have verified this by running "tc -s -d class list dev eth0". The output from this command also shows that the rate limited classes have not borrowed at all (see below). I have tried what you suggested anyway and it is still exceeding the configured rate.

The output below was generated on the server immediately after the completion of the iperf tests. Another thing that doesn't make sense to me is that all but one of the classes are reported to have been lending but which class are they lending to?
None of the classes have been recorded as borrowing.

# tc -s -d class list dev eth0
class htb 1:10 parent 1:1 prio 0 quantum 200000 rate 30000Kbit ceil 100000Kbit burst 39093b/8 mpu 0b overhead 0b cburst 126587b/8 mpu 0b overhead 0b level 0
 Sent 574506 bytes 1223 pkts (dropped 0, overlimits 0)
 rate 63888bit 18pps
 lended: 1223 borrowed: 0 giants: 0
 tokens: 10155 ctokens: 9883

class htb 1:1 root rate 100000Kbit ceil 100000Kbit burst 1487b/8 mpu 0b overhead 0b cburst 126587b/8 mpu 0b overhead 0b level 7
 Sent 1006166 bytes 7723 pkts (dropped 0, overlimits 0)
 rate 181840bit 240pps
 lended: 0 borrowed: 0 giants: 0
 tokens: 110 ctokens: 9883

class htb 1:40 parent 1:4 leaf 40: prio 0 quantum 1000 rate 50000bit ceil 50000bit burst 1661b/8 mpu 0b overhead 0b cburst 1661b/8 mpu 0b overhead 0b level 0
 Sent 81010 bytes 1225 pkts (dropped 341, overlimits 0)
 rate 21272bit 40pps
 lended: 1225 borrowed: 0 giants: 0
 tokens: -239487 ctokens: -239487

class htb 1:4 parent 1:1 rate 300000bit ceil 300000bit burst 1974b/8 mpu 0b overhead 0b cburst 1974b/8 mpu 0b overhead 0b level 6
 Sent 431660 bytes 6500 pkts (dropped 0, overlimits 0)
 rate 117952bit 222pps
 lended: 0 borrowed: 0 giants: 0
 tokens: 39055 ctokens: 39055

class htb 1:41 parent 1:4 leaf 41: prio 0 quantum 1000 rate 50000bit ceil 50000bit burst 1661b/8 mpu 0b overhead 0b cburst 1661b/8 mpu 0b overhead 0b level 0
 Sent 78502 bytes 1189 pkts (dropped 294, overlimits 0)
 rate 20376bit 39pps
 lended: 1189 borrowed: 0 giants: 0
 tokens: -176795 ctokens: -176795

class htb 1:42 parent 1:4 leaf 42: prio 0 quantum 2500 rate 200000bit ceil 200000bit burst 1849b/8 mpu 0b overhead 0b cburst 1849b/8 mpu 0b overhead 0b level 0
 Sent 272120 bytes 4086 pkts (dropped 809, overlimits 0)
 rate 71768bit 135pps
 lended: 4086 borrowed: 0 giants: 0
 tokens: 4616 ctokens: 4616

> Date: Mon, 19 Nov 2007 22:49:03 +0100
> From: default@advaita.sytes.net
> Subject: Re: [LARTC] Unexpected results using HTB qdisc
> To: lartc@mailman.ds9a.nl
>
> Hi
>
> Stuart Clouston wrote:
> > Hi
All,> >> > I am using the script below to limit download rates and manage traffic for a certain IP address and testing the results using iperf. The rate that iperf reports is much higher than the rate I have configured for the HTB qdisc. It's probably just some newbie trap that's messing things up but I'm buggered if I can see it.> >> > The following script is run on the server (192.168.10.30): (I have simplified it and removed all of the ceil parameters during my troubleshooting process)> > > it think you should have not removed ceiling parameters : )> > # Remove any existing qdisc> > tc qdisc del dev eth0 root handle 1:> >> > # Root queueing discipline> > tc qdisc add dev eth0 root handle 1: htb default 10> >> > # Root class> > tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit burst 1500 ceil 100mbit> >> > # Default class> > tc class add dev eth0 parent 1:1 classid 1:10 htb rate 30mbit ceil 100mbit burst 1500> >> > # Rate limited classes> > tc class add dev eth0 parent 1:1 classid 1:4 htb rate 300kbit> > > > tc class add dev eth0 parent 1:4 classid 1:40 htb rate 50kbit> > > You should use ceil here right after rate, otherwise the class can > borrow from its parent class and therefore your overall traffic will be > shaped in correct proportion but not absolutely (i.e to proper bandwidth)> Once you set ceil value, the class will not get any more throughput even > if the link is free...> > > tc class add dev eth0 parent 1:4 classid 1:41 htb rate 50kbit> > tc class add dev eth0 parent 1:4 classid 1:42 htb rate 200kbit> >> > tc qdisc add dev eth0 parent 1:40 handle 40: sfq perturb 10> > tc qdisc add dev eth0 parent 1:41 handle 41: sfq perturb 10> > tc qdisc add dev eth0 parent 1:42 handle 42: sfq perturb 10> >> > # Filters to direct traffic to the right classes:> >> > U32="tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32"> > $U32 match ip dst 192.168.10.85 match ip sport 3389 0xffff flowid 1:42> > $U32 match ip dst 192.168.10.85 match ip sport 1352 
0xffff flowid 1:41> > $U32 match ip dst 192.168.10.85 flowid 1:40> >> >> >> > The client (192.168.10.85) then runs iperf to test the results:> >> > iperf -c 192.168.10.30 -p 1352 -P 5 -f k> > [SUM] 0.0-11.4 sec 3016 KBytes 2163 Kbits/sec> >> > iperf -c 192.168.10.30 -p 23 -P 5 -f k> > [SUM] 0.0-11.4 sec 2856 KBytes 2053 Kbits/sec> >> > iperf -c 192.168.10.30 -p 3389 -P 5 -f k> > [SUM] 0.0-10.3 sec 11264 KBytes 8956 Kbits/sec> >> >> > The traffic is being shaped proportionally as I'd hoped but each class is well in excess of its configured limit. > >> > I am getting similar results on two separate units:> > 1: Debian (testing), Kernel v2.6.16.19, iproute2 ss070313> > 2: Ubuntu (dapper), Kernel v2.6.23.1, iproute2 ss041019> >> > I'd be very grateful for any information that could help me out.> > Thanks,> > Stu (newbie to HTB)> > _________________________________________________________________> >> > > I am newbie too, so if i am wrong please someone correct me.> > -- > ___________________________________> S pozdravom / Best regards> > John Default> > > _______________________________________________> LARTC mailing list> LARTC@mailman.ds9a.nl> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc Listen now! New music from the Rogue Traders. _________________________________________________________________ New music from the Rogue Traders - listen now! http://ninemsn.com.au/share/redir/adTrack.asp?mode=click&clientID=832&referral=hotmailtaglineOct07&URL=http://music.ninemsn.com.au/roguetraders -------------- next part -------------- An HTML attachment was scrubbed... 
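When a shaper seems to be exceeding its limits, the qdisc's own counters are the place to check, and they are easier to check by program than by eye. The following is an added example, not code from this thread, from iproute2 or from Cacti: it parses the `tc -s -d class` output format shown above for HTB, flags leaf classes whose estimated rate is above their ceil, and emits the `name:value` pairs a Cacti script data input expects; the sample input is three of the stanzas quoted from Stuart's mail, re-wrapped the way tc prints them.

```python
"""Parse `tc -s -d class show dev IFACE` output for HTB classes.

Added example, not code from the LARTC thread, iproute2 or Cacti: the
qdisc's own counters become numbers a shaping check or a grapher can use.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: three of the six stanzas quoted from Stuart's mail,
# re-wrapped the way tc prints them (header line, then indented stats).
SAMPLE = """\
class htb 1:1 root rate 100000Kbit ceil 100000Kbit burst 1487b/8 mpu 0b overhead 0b cburst 126587b/8 mpu 0b overhead 0b level 7
 Sent 1006166 bytes 7723 pkts (dropped 0, overlimits 0)
 rate 181840bit 240pps
 lended: 0 borrowed: 0 giants: 0
 tokens: 110 ctokens: 9883

class htb 1:40 parent 1:4 leaf 40: prio 0 quantum 1000 rate 50000bit ceil 50000bit burst 1661b/8 mpu 0b overhead 0b cburst 1661b/8 mpu 0b overhead 0b level 0
 Sent 81010 bytes 1225 pkts (dropped 341, overlimits 0)
 rate 21272bit 40pps
 lended: 1225 borrowed: 0 giants: 0
 tokens: -239487 ctokens: -239487

class htb 1:4 parent 1:1 rate 300000bit ceil 300000bit burst 1974b/8 mpu 0b overhead 0b cburst 1974b/8 mpu 0b overhead 0b level 6
 Sent 431660 bytes 6500 pkts (dropped 0, overlimits 0)
 rate 117952bit 222pps
 lended: 0 borrowed: 0 giants: 0
 tokens: 39055 ctokens: 39055
"""

# tc prints rates in decimal units: 1Kbit = 1000 bit/s.
_UNIT = {"": 1, "k": 1_000, "m": 1_000_000, "g": 1_000_000_000}


def rate_to_bps(text: str) -> int:
    """'30000Kbit' -> 30000000, '50000bit' -> 50000."""
    m = re.fullmatch(r"(\d+)([KkMmGg]?)bit", text)
    if not m:
        raise ValueError(f"unrecognised rate {text!r}")
    return int(m.group(1)) * _UNIT[m.group(2).lower()]


@dataclass
class HtbClass:
    classid: str
    parent: Optional[str]   # None for the root class
    leaf: bool              # level 0, i.e. no child classes
    rate_bps: int           # configured rate
    ceil_bps: int           # configured ceil (tc shows ceil == rate when none was given)
    sent_bytes: int
    sent_pkts: int
    dropped: int
    observed_bps: int       # tc's own rate estimate for the class
    lended: int             # packets sent on this class's own rate tokens
    borrowed: int           # packets that needed an ancestor's tokens


_HEAD = re.compile(r"^class htb (\S+) (?:parent (\S+)|root)")
_CFG = re.compile(r"rate (\S+) ceil (\S+) .* level (\d+)")
_SENT = re.compile(r"Sent (\d+) bytes (\d+) pkts \(dropped (\d+), overlimits \d+\)")
_EST = re.compile(r"rate (\d+)bit \d+pps")
_LEND = re.compile(r"lended: (\d+) borrowed: (\d+)")


def parse_htb_classes(output: str) -> Dict[str, HtbClass]:
    classes: Dict[str, HtbClass] = {}
    # One stanza per class: the header line plus its indented stats lines.
    for stanza in re.split(r"(?m)^(?=class htb )", output):
        text = " ".join(stanza.split())        # fold the stanza onto one line
        head = _HEAD.match(text)
        if head is None:
            continue                           # leading empty piece or a non-HTB class
        cfg, sent, est, lend = (p.search(text) for p in (_CFG, _SENT, _EST, _LEND))
        if None in (cfg, sent, est, lend):
            raise ValueError(f"incomplete stats for class {head.group(1)}")
        classes[head.group(1)] = HtbClass(
            classid=head.group(1), parent=head.group(2), leaf=cfg.group(3) == "0",
            rate_bps=rate_to_bps(cfg.group(1)), ceil_bps=rate_to_bps(cfg.group(2)),
            sent_bytes=int(sent.group(1)), sent_pkts=int(sent.group(2)),
            dropped=int(sent.group(3)), observed_bps=int(est.group(1)),
            lended=int(lend.group(1)), borrowed=int(lend.group(2)))
    return classes


def leaves_over_ceil(classes: Dict[str, HtbClass]) -> List[str]:
    """Leaf classes whose estimated rate exceeds their ceil: either the
    shaper is misconfigured or the traffic measured never passed through it."""
    return sorted(c.classid for c in classes.values()
                  if c.leaf and c.observed_bps > c.ceil_bps)


def cacti_fields(classes: Dict[str, HtbClass]) -> str:
    """Space-separated name:value pairs, the form a Cacti script data
    input expects; the ':' in a class id becomes '_' in the field name."""
    parts = []
    for cid in sorted(classes):
        c, tag = classes[cid], cid.replace(":", "_")
        parts += [f"sent_{tag}:{c.sent_bytes}", f"drop_{tag}:{c.dropped}",
                  f"rate_{tag}:{c.observed_bps}"]
    return " ".join(parts)
```

Over the full output quoted above the over-ceil check comes back empty and every leaf is lended-only, so the server's egress qdisc is staying within its limits; the iperf figures measure the client-to-server direction, which this egress qdisc sees only as the returning ACKs.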
From dino at webjogger.net Fri Nov 23 14:50:42 2007
From: dino at webjogger.net (Mario Antonio Garcia)
Date: Fri Nov 23 14:51:05 2007
Subject: [LARTC] Unexpected results using HTB qdisc
Message-ID: <10526825.25111195825842051.JavaMail.root@mailgate.webjogger.net>

Stuart,

I am using Debian Etch with:

Customized Kernel: Linux Deb-Bridge 2.6.22.6-qos2 #1 SMP
I configured the Kernel with
CONFIG_HZ_1000=y
CONFIG_HZ=1000

But I think (perhaps I am wrong) these configs do not apply any more to htb since:
http://lists.openwall.net/netdev/2007/03/16/22
"These patches convert the packet schedulers to use ktime as only clock source and kill off the manual clock source selection. Additionally all packet schedulers are converted to use hrtimer-based watchdogs, greatly increasing scheduling precision."

Package from Stable branch (Etch): iptables v1.3.6
Package from Stable branch (Etch): ip utility, iproute2-ss060323

I am in testing phase (not in production yet) shaping just a Class C subnet.
So far it has been working fine (I am just playing a bit with it).

Regards,

Mario Antonio

----- Original Message -----
From: "Stuart Clouston"
To: lartc@mailman.ds9a.nl
Sent: Thursday, November 22, 2007 10:01:42 PM (GMT-0500) America/New_York
Subject: RE: [LARTC] Unexpected results using HTB qdisc


From kamen at evrocom.net Fri Nov 23 15:24:29 2007
From: kamen at evrocom.net (kamen)
Date: Fri Nov 23 15:24:52 2007
Subject: [LARTC] optimizing traffic to a web server

Hi,

I have a Linux server and provide Internet access in the neighborhood, and I also run a web server on the same machine.

Although our external connection is not bad, the access to the web server from outside is awful - the web pages always require "Try again" when accessed.

Do you think I can prioritize the traffic to the web server? How? I have a traffic shaper on the internal and the external interface. I use "tc" with HTB and "iptables" for that purpose. I mark the packets and then filter them. I just don't seem to have written the right filters.

Thanks in advance!

--
Kamen


From goblin at pentex.pl Fri Nov 23 21:31:15 2007
From: goblin at pentex.pl (Radek 'Goblin' Pieczonka)
Date: Fri Nov 23 21:32:48 2007
Subject: [LARTC] optimizing traffic to a web server
Message-ID: <47473893.6050703@pentex.pl>

kamen writes:
> Hi,
>
> I have a Linux server and provide Internet access in the neighborhood
> and I also run a web server on the same machine.
>
> Although our external connection is not bad, the access to the web
> server from outside is awful - the web pages always require "Try
> again" when accessed.
>
> Do you think I can prioritize the traffic to the web server? How? I
> have a traffic shaper on the internal and the external interface. I
> use "tc" with HTB and "iptables" for that purpose. I mark the packets
> and then filter them. I just don't seem to have written the right
> filters.
>
> Thanks in advance!
>

This task should be an easy objective to accomplish. Do you have some kind of shaping in place at this moment? Anyway, please supply more info in private and I may be able to help you.

--
Radek 'Goblin' Pieczonka
goblin@pentex.pl


From kamen at evrocom.net Sat Nov 24 02:45:49 2007
From: kamen at evrocom.net (kamen)
Date: Sat Nov 24 02:46:04 2007
Subject: [LARTC] Re: optimizing traffic to a web server
In-Reply-To: <47473893.6050703@pentex.pl> (Radek Pieczonka's message of "Fri, 23 Nov 2007 21:31:15 +0100")
References: <47473893.6050703@pentex.pl>

On Fri, Nov 23 2007, Radek 'Goblin' Pieczonka wrote:
> This task should be an easy objective to accomplish. Do you have some
> kind of shaping in place at this moment? Anyway, please supply more
> info in private and I may be able to help you.
>

Cool... here is how I tried to optimize the traffic:

helper () {
    ...
    iptables -t mangle -A $CHAIN -p tcp -m tcp --sport 80 --source my-domain.com -j MARK --set-mark 0x2
    iptables -t mangle -A $CHAIN -p tcp -m tcp --sport 80 -j RETURN
    ...
}

OPR=start CHAIN=OUTPUT helper
OPR=start CHAIN=PREROUTING helper

tc_helper () {
    ...
    tc qdisc add dev ${WAN_IF} root handle 1: htb default 15 r2q 1
    tc class add dev ${WAN_IF} parent 1: classid 1:1 htb rate ${UPLINK} ceil ${UPLINK} burst 6k
    tc class add dev ${WAN_IF} parent 1:1 classid 1:10 htb rate 64kbit ceil 64kbit prio 0
    tc class add dev ${WAN_IF} parent 1:1 classid 1:11 htb rate 64kbit ceil ${UPLINK} prio 1
    tc filter add dev ${WAN_IF} parent 1:0 protocol ip prio 1 handle 1 fw classid 1:10
    tc filter add dev ${WAN_IF} parent 1:0 protocol ip prio 2 handle 2 fw classid 1:11
    ...
}

WAN_IF=eth2 tc_helper

Please tell me if you need more information.

Thanks,
--
Kamen


From hawk at diku.dk Sat Nov 24 23:52:16 2007
From: hawk at diku.dk (Jesper Dangaard Brouer)
Date: Sat Nov 24 23:52:40 2007
Subject: [LARTC] Project proposal/idea: Categorize traffic by behavior

Back in 2003/2004, when finding the topic for my master's thesis, I had a secondary project idea; perhaps it's about time to do something about the idea, and hear if anyone else thinks it's a good idea?

The basic idea is to: "Categorize traffic by behavior"

The categorization should be based upon things like packet timing characteristics and packet size, rather than standard port numbers.

The categories would be groups like Interactive, (RTP-)Stream, Bulk.

- Interactive; would have a high degree of packet inter-timing variance and consist of mainly small packets.
- Stream; Real Time Protocols (RTP) (used by e.g. VoIP) can be categorized based upon the very precise inter-packet gap (packets are not sent back-to-back). Imagine that it might actually be possible to "catch" Skype voice traffic.
- Bulk; could be categorized by large packets being sent back-to-back.

I propose this could be implemented with Netfilter target modules for categorizing traffic, and using conntrack flows for saving the group/type, that other rules can match upon.

What can it be used for?
------------------------

Security/NIDS: Detecting backdoors, by identifying interactive traffic on non-standard ports.

QoS: Prioritize traffic based on type (e.g. interactive or RTP-streams) without needing to write static iptables rules to match each new protocol's port number. For some protocols, like Skype, it's not possible to do categorizing based upon standard port numbers.

Is it possible?
---------------

I actually got the idea from two scientific papers by Vern Paxson and Yin Zhang, where they actually detect interactive traffic by timing characteristics on real-life data. They use it for detecting backdoors and stepping stones.

http://www.icir.org/vern/papers/backdoor/
http://www.icir.org/vern/papers/stepping/
http://citeseer.ist.psu.edu/zhang00detecting.html

Cheers,
Jesper Brouer
http://www.adsl-optimizer.dk

--
-------------------------------------------------------------------
MSc. Master of Computer Science
Dept. of Computer Science, University of Copenhagen
Author of http://www.adsl-optimizer.dk
-------------------------------------------------------------------


From tuxstef at tuxstef.org Sun Nov 25 08:46:59 2007
From: tuxstef at tuxstef.org (Stefan Breitegger)
Date: Sun Nov 25 08:47:20 2007
Subject: [LARTC] tc stats and cacti
Message-ID: <47492873.5010209@tuxstef.org>

Hi!

Does anybody have a ready solution for graphing the tc stats, e.g. from htb, to cacti?

Yours,
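Jesper's "categorize traffic by behavior" proposal (two messages up), worked through as an added example that is not code from this thread or from ADSL-optimizer: a per-flow classifier that looks only at packet sizes and inter-packet gaps, with the NIDS use from the proposal (interactive behaviour on a non-standard port) on top. The thresholds, the expected-port set and the three sample flows are constructed for the illustration, not values from the Paxson/Zhang papers; in a Netfilter implementation the verdict would be stored on the conntrack entry, here it is a plain function.

```python
"""Categorize a flow as interactive, stream or bulk from packet sizes and
inter-packet gaps alone, the idea in Jesper's proposal above.

Added example, not code from the thread or from ADSL-optimizer. The
thresholds and sample flows are constructed for the illustration; they are
not values from the Paxson/Zhang papers.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Tuple

Packet = Tuple[float, int]     # (timestamp in seconds, size in bytes)

# Assumed thresholds (not from the thread).
MIN_PACKETS = 6                # fewer than this: not enough evidence
SMALL_PACKET = 128             # bytes; keystroke echo, RTP audio frames
LARGE_PACKET = 1000            # bytes; near-MTU, typical of bulk transfer
BACK_TO_BACK = 0.002           # seconds; a gap below this is back-to-back
STREAM_MAX_CV = 0.15           # stddev/mean of gaps; RTP pacing is very regular
INTERACTIVE_MIN_CV = 0.8       # human-driven gaps are highly irregular


@dataclass
class Features:
    mean_size: float
    small_frac: float          # share of packets <= SMALL_PACKET
    large_frac: float          # share of packets >= LARGE_PACKET
    mean_gap: float
    gap_cv: float              # coefficient of variation of the gaps
    b2b_frac: float            # share of gaps below BACK_TO_BACK


def features(flow: List[Packet]) -> Features:
    pkts = sorted(flow)                     # order by timestamp
    sizes = [s for _, s in pkts]
    gaps = [b[0] - a[0] for a, b in zip(pkts, pkts[1:])]
    mg = mean(gaps)
    return Features(
        mean_size=mean(sizes),
        small_frac=sum(s <= SMALL_PACKET for s in sizes) / len(sizes),
        large_frac=sum(s >= LARGE_PACKET for s in sizes) / len(sizes),
        mean_gap=mg,
        gap_cv=pstdev(gaps) / mg if mg > 0 else 0.0,
        b2b_frac=sum(g < BACK_TO_BACK for g in gaps) / len(gaps))


def categorize(flow: List[Packet]) -> str:
    """Decision order matters: bulk is tested first because back-to-back
    packets also have a tiny gap variance, which would look like a stream."""
    if len(flow) < MIN_PACKETS:
        return "unknown"
    f = features(flow)
    if f.large_frac >= 0.8 and f.b2b_frac >= 0.8:
        return "bulk"                       # large packets, sent back-to-back
    if f.gap_cv <= STREAM_MAX_CV and f.b2b_frac == 0.0:
        return "stream"                     # precisely paced, never back-to-back
    if f.gap_cv >= INTERACTIVE_MIN_CV and f.small_frac >= 0.8:
        return "interactive"                # irregular gaps, small packets
    return "unknown"


# Assumption: ports where interactive sessions are expected on this network.
EXPECTED_INTERACTIVE_PORTS = {22, 23}


def backdoor_suspect(dst_port: int, flow: List[Packet]) -> bool:
    """The NIDS use in the proposal: interactive behaviour on a port where
    no interactive service is expected is worth an alert."""
    return categorize(flow) == "interactive" and dst_port not in EXPECTED_INTERACTIVE_PORTS


# Constructed sample flows (not captures), as (timestamp, size).
SSH_LIKE = [(0.00, 52), (0.05, 52), (0.85, 60), (0.87, 52), (2.97, 68),
            (3.12, 52), (3.52, 52), (4.82, 60), (4.85, 52)]
RTP_LIKE = [(0.020 * i + (0.0002 if i % 2 else 0.0), 214) for i in range(10)]  # 20 ms pacing
BULK_LIKE = [(0.0001 * i, 1500) for i in range(10)]                             # wire-speed burst
```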
From hawk at diku.dk Sun Nov 25 12:26:20 2007
From: hawk at diku.dk (Jesper Dangaard Brouer)
Date: Sun Nov 25 12:26:29 2007
Subject: [LARTC] tc stats and cacti
In-Reply-To: <47492873.5010209@tuxstef.org>
References: <47492873.5010209@tuxstef.org>

On Sun, 25 Nov 2007, Stefan Breitegger wrote:
> Does anybody have a ready solution for graphing the tc stats, e.g. from htb, to
> cacti?

The ADSL-optimizer software package contains a "graph" module that can collect TC stats from HTB and store them in RRDtool files, which you should be able to use with Cacti or another RRD display tool.

http://www.adsl-optimizer.dk/ADSL-optimizer/graph/

Regards,
Jesper Brouer


From pommnitz at yahoo.com Mon Nov 26 15:22:52 2007
From: pommnitz at yahoo.com (Joerg Pommnitz)
Date: Mon Nov 26 15:23:14 2007
Subject: [LARTC] prio qdisc broken?
Message-ID: <420757.32093.qm@web51407.mail.re2.yahoo.com>

Hello all,

I might make a fool of myself, but I think the prio qdisc doesn't work as advertised in any document I could lay my hands on.

The following tests and observations were made with Linux kernel 2.6.20.21. This makes it up-to-date in the 2.6.20.x kernel family.

My problem was that the link quality reported by the olsr.org olsrd degraded depending on the amount of payload traffic that was transferred through an adhoc/mesh interface. The LQ is calculated from the packet loss of LQ Hello packets sent through this interface. To make sure normal traffic does not interfere with this value, olsrd sets the TOS field to 0x10 (Minimize-Delay) by default. In theory this should give olsr traffic the highest priority on the link.

Investigating this issue I replaced the default pfifo_fast with a prio qdisc and attached a pfifo on each of the bands:

INTERFACE=wifi0
tc qdisc add dev $INTERFACE root handle 1: prio
tc qdisc add dev $INTERFACE parent 1:1 handle 10: pfifo
tc qdisc add dev $INTERFACE parent 1:2 handle 20: pfifo
tc qdisc add dev $INTERFACE parent 1:3 handle 30: pfifo

Then I used "ping -Q TOSVALUE target" to send packets with different TOS values through the interface. "tcpdump -vvv" confirmed the correct TOS values in the outgoing packets. With "tc -s qdisc ls dev wifi0" I could observe the effects of the different TOS values.

The result: no effect at all! Every single packet used the band indicated by the first value in the priomap (e.g. band 1 by default, in my case the pfifo with handle 20:).

I can't square this observation with the available documentation. Looking at the source code, it seems that sched_prio uses the skb->priority value to select the outgoing band. According to some documentation I found, an application can set this value.

The following is more speculation than an educated guess: Could it be that skb->priority used to be set according to the TOS field by default and that this changed after the implementation of prio?

So, can somebody confirm or deny that the problem I see is real? Is there a fix?

Thanks in advance
Joerg


From kamen at evrocom.net Mon Nov 26 16:20:24 2007
From: kamen at evrocom.net (kamen)
Date: Mon Nov 26 16:20:43 2007
Subject: [LARTC] Re: optimizing traffic to a web server
In-Reply-To: (kamen@evrocom.net's message of "Sat, 24 Nov 2007 03:45:49 +0200")
References: <47473893.6050703@pentex.pl>

I still don't have a solution for how to optimize the access to my web server. By the way, I'd like to do this with other ports as well (ssh for example).

Any help would be appreciated.

--
Kamen


From peet at altlinux.org Tue Nov 27 14:05:23 2007
From: peet at altlinux.org (Peter V. Saveliev)
Date: Tue Nov 27 14:05:40 2007
Subject: [LARTC] userspace tarpit
Message-ID: <200711271605.24310.peet@altlinux.org>

...

Hello!

I completed a simple userspace tarpit script:
http://www.radlinux.org/connexion/browser/branches/0.4.4/lib/cxnet

It is not a production solution, but an example of cxnet usage. Whilst not as fast as libnfnetlink and kernel netfilter, cxnet is extremely simple and can be used for rapid net-apps development or in GNU/Linux network studies (e.g., for educational purposes).

Cxnet isn't a complete implementation of netlink and tcp/ip :) Only some features are implemented: full rtnetlink and netfilter support, as well as udp and icmp primitives, are in the todo.

--
Peter V. Saveliev


From lists at andyfurniss.entadsl.com Tue Nov 27 15:12:43 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Tue Nov 27 15:12:43 2007
Subject: [LARTC] prio qdisc broken?
In-Reply-To: <420757.32093.qm@web51407.mail.re2.yahoo.com>
References: <420757.32093.qm@web51407.mail.re2.yahoo.com>
Message-ID: <474C25DB.4060302@andyfurniss.entadsl.com>

Joerg Pommnitz wrote:
> Hello all,
> I might make a fool of myself, but I think the prio qdisc doesn't work as
> advertised in any document I could lay my hands on.
>
> The following tests and observations were made with Linux kernel 2.6.20.21.
> This makes it up-to-date in the 2.6.20.x kernel family.

If it's the kernel version, you are unlucky - I just tested with a 2.6.19-rc6 and a 2.6.21.1 and it seems OK.

Echo replies don't work, and they haven't on other versions as well, but this could be deliberate anti-DoS, plus I am not testing forwarded traffic.

>
> My problem was that the link quality reported by the olsr.org olsrd degraded
> depending on the amount of payload traffic that was transferred through an
> adhoc/mesh interface. The LQ is calculated from the packet loss of LQ Hello
> packets sent through this interface. To make sure normal traffic does not
> interfere with this value, olsrd sets the TOS field to 0x10 (Minimize-Delay)
> by default. In theory this should give olsr traffic the highest priority on the link.
>

Even if you fix it I don't think it will help wireless using just prio. There are/will be extensions to prio AIUI - multiqueue - where, if the wireless driver supports it, prio bands will map to hardware/link layer prio bands on the device.

Andy.


From lists at andyfurniss.entadsl.com Tue Nov 27 21:26:14 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Tue Nov 27 21:26:10 2007
Subject: [LARTC] TC filter error
In-Reply-To: <000701c82d4c$be99bd10$3bcd3730$@com>
References: <000701c82d4c$be99bd10$3bcd3730$@com>
Message-ID: <474C7D66.5020005@andyfurniss.entadsl.com>

Sean Coleman wrote:
> When I enter the following,
>
> tc filter add dev eth0 parent 1:0 protocol ip prio 0 u32 match ip src
> 192.168.0.61 flowid 1:10

I can't see anything wrong with that that should throw an error. prio 1 is the top prio for filters, but it shouldn't matter.

Does it work on something simple like -

tc qdisc del dev eth0 root &>/dev/null
tc qdisc add dev eth0 handle 1:0 root prio
tc filter add dev eth0 parent 1:0 protocol ip prio 0 u32 match ip src 192.168.0.61 flowid 1:3

Andy.


From johan.huysmans at inuits.be Wed Nov 28 11:42:59 2007
From: johan.huysmans at inuits.be (Johan Huysmans)
Date: Wed Nov 28 11:43:33 2007
Subject: [LARTC] tc doesn't shape correct
Message-ID: <474D4633.2070704@inuits.be>

Hi All,

I'm configuring my NATting firewall to do some tc shaping. Some traffic has to be shaped at 30mbit, some at 10mbit; all the others are unlimited.

The configuring and filtering works correctly. The traffic that is shaped at 30mbit is correct, but the traffic that is shaped at 10mbit only gets to 100KB/sec.

It is on a device configured with bonding (both in and out interface).

Any clue why traffic shaped at 10mbit only gets to 100KB/sec and not faster?

Thx for any response,
Johan Huysmans


From dino at webjogger.net Wed Nov 28 14:40:27 2007
From: dino at webjogger.net (Mario Antonio Garcia)
Date: Wed Nov 28 14:40:35 2007
Subject: [LARTC] Unexpected results using HTB qdisc
Message-ID: <31248300.48611196257227101.JavaMail.root@mailgate.webjogger.net>

Stuart,

FTP transfer (which includes application overhead) has been my tool to test bandwidth shaping. I also used a bit: btest (bandwidth utility from Mikrotik), netio, and iperf.

Regards,

Mario Antonio

----- Original Message -----
From: "Stuart Clouston"
To: "Mario Antonio Garcia"
Sent: Wednesday, November 28, 2007 3:20:09 AM (GMT-0500) America/New_York
Subject: RE: [LARTC] Unexpected results using HTB qdisc

Hi Mario,

Thanks for your reply. What utility have you used to test your deployment?

> Date: Fri, 23 Nov 2007 08:50:42 -0500
> From: dino@webjogger.net
> To: uncystu@hotmail.com
> CC: lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] Unexpected results using HTB qdisc
>
> Stuart,
>
> I am using Debian Etch with:
>
> Customized Kernel: Linux Deb-Bridge 2.6.22.6-qos2 #1 SMP
> I configured the Kernel with
> CONFIG_HZ_1000=y
> CONFIG_HZ=1000
> But I think (perhaps I am wrong) these configs do not apply any more to htb since:
> http://lists.openwall.net/netdev/2007/03/16/22
> "These patches convert the packet schedulers to use ktime as only clock source and kill off the manual clock source selection. Additionally all packet schedulers are converted to use hrtimer-based watchdogs, greatly increasing scheduling precision."
>
> Package from Stable branch (Etch): iptables v1.3.6
> Package from Stable branch (Etch): ip utility, iproute2-ss060323
>
> I am in testing phase (not in production yet) shaping just a Class C subnet.
>
> So far it has been working fine (I am just playing a bit with it).
>
> Regards,
>
> Mario Antonio
>
>
> ----- Original Message -----
> From: "Stuart Clouston" < uncystu@hotmail.com >
> To: lartc@mailman.ds9a.nl
> Sent: Thursday, November 22, 2007 10:01:42 PM (GMT-0500) America/New_York
> Subject: RE: [LARTC] Unexpected results using HTB qdisc


From BJulin at clarku.edu Wed Nov 28 18:27:51 2007
From: BJulin at clarku.edu (Brian S Julin)
Date: Wed Nov 28 18:27:56 2007
Subject: [LARTC] dynamic PBR, actions, docs and getting it all straight
Message-ID: <5A630F46702DD1498FFD48394B4A664C27DCBDEC@john.ad.clarku.edu>

Hi,

Fair warning: this may be a bit rambling, and is definitely a bit long.

I am trying to prototype a system for doing dynamic policy-based routing (source address dependent, based on reverse routes from BGP or other dynamic routing protocols). We need to do this due to a cacophony of factors I won't get into. To do so the general plan is to store dynamic routes in their own table, classify based on source realm, and use the tc "mirred" action to redirect packets that source from addresses routed back to by that table onto a different egress interface.

It seems obvious this can be done, that the old "iptables -j ROUTE" method is falling into disfavor and lack of maintenance, and that the tc "mirred" action is stepping up to take its place. However this has raised numerous questions, most of which just because this is my first wade into the LARTC pool. Also, though, I am having trouble finding any docs that factor in actions, since they are relatively new -- but not so new that this should really be the case.

(And speaking of docs, one wonders whether the "Traffic Control HOWTO" posted at linux-ip.net bearing version 1.0.2 is intended to split/supersede the LARTC HOWTO or is completely rogue. It appears to be a very well done doc, but also does not factor in actions.)

Anyway, the questions:

1) When a packet is "mirred egress redirect"ed, how does the system determine the destination MAC address to place on the outgoing interface, assuming it is ethernet? If I have things straight, this packet will never see the routing stack again and so a gateway cannot be designated? (The older iptables -j ROUTE allowed designation of a gateway.) If this:

http://www.shorewall.net/NetfilterOverview.html

...is right, there is no swat at mangling/rewriting post-qdisc? I'm guessing "that's a job for IMQ"?

2) If I have things straight again, it is not necessary to involve iptables to do this. The method cited in the few examples on the net about doing this uses fwmark. However, with the tc "route" filter it should not be necessary to do that anymore. Am I right there?

3) Per 2), which is the better method to use?

4) Is there an authoritative list of which actions are supported at which points in the syntax tree? The "route" filter seems to only support classifying and gact, for example, and if I am interpreting the not-so-lucid error messages from yesterday's wrestle with tc correctly, the inability to execute certain actions extends into any policer appended to the filter. What's supported where, and what will eventually be supported where?

5) Is there any way to turn on more error messages from the kernel so I can tell what the heck tc doesn't like about commands? Even if I have to read it from syslog and the userspace handles aren't meaningful, it still might be nice to have.

6) If I have this right, it's possible to define a class using the "rule" filter, then a subclass using a do-nothing filter (u32 match u32 0 0) which then in turn invokes the "mirred" action. I am not quite clear, however, precisely when a packet is counted against a qdisc and when precisely actions "happen." I am worried about the activation of the "route" rule counting as link use even though the packet is redirected (stolen). Mainly because in order to use a filter just to execute an action, it's mandatory to have a class to attach it to, and then a second class for packets that did not match (the normal traffic) -- each class having bandwidth limits or whatnot depending on the qdisc. If I have it right a stolen or dropped packet, though, will not show up because it won't actually be there in the qdisc when the kernel comes collecting (?).

7) Will classless qdiscs eventually regain support for attaching filters, given that filters do not necessarily have to assign a class; they can instead execute an action or a police with nothing but actions? Or will it always be necessary to create classes to contain the filters, and thus use a classy qdisc? I say regain because I seem to recall seeing a doc that showed attaching a filter to a classless qdisc, though I can't find it now and perhaps that was an error.

8) As a curiosity, why "handle XX fw" rather than "fw handle XX"?

9) Is there any motion to bring the distributed manpage up to sync?

10) I haven't even looked into it yet -- how does (or does?) one integrate L2+L3 criteria/actions with qdiscs... any docs on other-than "protocol ip"? I am assuming it is not possible to trick things into performing a direct route table comparison against a packet that is not routed, but bridged, other than to build a netfilter ipset from the route table with bubblegum and spit and just use ebtables on it. But I'd be bummed if I assumed so wrongly and passed up an elegant solution.

Thanks for any help wrapping my head around this.
From andy at andybev.com Sun Dec 2 12:42:36 2007 From: andy at andybev.com (Andrew Beverley) Date: Sun Dec 2 12:43:02 2007 Subject: [LARTC] How to fight with encrypted p2p In-Reply-To: <20071112015107.4ECBBEB2BB@f05.poczta.interia.pl> References: <20071112015107.4ECBBEB2BB@f05.poczta.interia.pl> Message-ID: <1196595757.6539.9.camel@andybev> > I believe that whole question is in topic. > Is there any way to recognize ( and then shape ) p2p traffic which is encrypted? > Modern p2p clients have this ability moreover some of them have this enabled by default. > Now I'm using ipp2p for iptables but as I know this doesn't recognize encrypted traffic. One way to do this is to look for the style of traffic. For example, I look for lots of connections from one PC to port numbers above 1024. This will also incorrectly recognise some other traffic, but on the whole it works well for me. The following are some examples using connlimit (now included in vanilla kernel) and ipset (see http://ipset.netfilter.org/) # first look for style of traffic and log that client to an ipset iptables -t mangle -A FORWARD -o ppp0 -p tcp --dport 1024: \ -m connlimit --connlimit-above 10 -j SET --add-set p2p src iptables -t mangle -A FORWARD -o ppp0 -p udp --dport 1024: \ -m connlimit --connlimit-above 10 -j SET --add-set p2p src iptables -t mangle -A FORWARD -i ppp0 -p tcp --sport 1024: \ -m connlimit --connlimit-above 10 -j SET --add-set p2p dst iptables -t mangle -A FORWARD -i ppp0 -p udp --sport 1024: \ -m connlimit --connlimit-above 10 -j SET --add-set p2p dst # then shape traffic above port 1024 for those detected clients iptables -t mangle -A FORWARD -o ppp0 -p tcp --dport 1024: \ -m set --set p2p dst -j MARK --set-mark 60 iptables -t mangle -A FORWARD -i ppp0 -p tcp --sport 1024: \ -m set --set p2p dst -j MARK --set-mark 60 iptables -t mangle -A FORWARD -o ppp0 -p udp --dport 1024: \ -m set --set p2p dst -j MARK --set-mark 60 iptables -t mangle -A FORWARD -i ppp0 -p udp --sport 1024: \ -m 
set --set p2p dst -j MARK --set-mark 60 Regards, Andy Beverley From jaime.f at netcabo.pt Sun Dec 2 18:37:18 2007 From: jaime.f at netcabo.pt (Jaime Fordham) Date: Sun Dec 2 18:37:29 2007 Subject: [LARTC] ipp2p: Unaligned access in search_all_ed2k on sparc64 Message-ID: <4752ED4E.1030005@netcabo.pt> Hey guys, I've just built a sparc64 (Ultra/5) based firewall with ipp2p compiled as a module and I'm constantly getting the following message in my logs: Kernel unaligned access at TPC[100f8490] search_all_edk+0x20/0x4c [ipt_ipp2p] I'm running the following versions: - Kernel 2.6.22 - ipp2p 0.8.2-r4 - iptables 1.3.8-r1 Any thoughts? From johan.huysmans at inuits.be Mon Dec 3 09:57:06 2007 From: johan.huysmans at inuits.be (Johan Huysmans) Date: Mon Dec 3 09:57:44 2007 Subject: [LARTC] tc doesn't shape correct In-Reply-To: <474D4633.2070704@inuits.be> References: <474D4633.2070704@inuits.be> Message-ID: <4753C4E2.4020701@inuits.be> Here is my tc config, maybe something is wrong with that config: /sbin/tc qdisc del dev bond1 root /sbin/tc qdisc add dev bond1 root handle 1: htb default 1 /sbin/tc class add dev bond1 parent 1: classid 1:1 htb rate 1000mbit burst 1310720 /sbin/tc class add dev bond1 parent 1: classid 1:2 htb rate 30mbit burst 39321 /sbin/tc class add dev bond1 parent 1: classid 1:3 htb rate 10mbit burst 13107 /sbin/tc filter add dev bond1 parent 1: protocol ip prio 0 handle 1 fw flowid 1:2 /sbin/tc filter add dev bond1 parent 1: protocol ip prio 0 handle 2 fw flowid 1:3 Any help appreciated! Johan Huysmans wrote: > Hi All, > > I'm configuring my natting-firewall to do some tc shaping. Some > traffic has to be shaped on 30mbit, some on 10mbit all the others are > unlimited. > The configuring and filtering works correctly. The traffic that is > shaped at 30mbit is correct, but the traffic that is shapped at 10mbit > only gets to 100KB/sec. > > It is on a device configured with bonding (both in and out interface). 
> > Any clue why shaped traffic at 10mbit only gets to 100KB/sec and not > faster? > > Thx for any response, > Johan Huysmans > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc From jaime.f at netcabo.pt Mon Dec 3 10:40:17 2007 From: jaime.f at netcabo.pt (Jaime Fordham) Date: Mon Dec 3 10:40:26 2007 Subject: [LARTC] ipp2p: Unaligned access in search_all_ed2k on sparc64 In-Reply-To: <000001c83585$ed2952d0$c77bf870$@lt> References: <4752ED4E.1030005@netcabo.pt> <000001c83585$ed2952d0$c77bf870$@lt> Message-ID: <4753CF01.8060604@netcabo.pt> Hi, ipp2p 0.8.2.-r4 is a Gentoo Linux "ebuild" which downloads "http://www.ipp2p.org/downloads/ipp2p-0.8.2.tar.gz" and then compiles the kernel+iptables module from source so I would assume that it is the version you mention. Any thoughts on the unaligned access? Jaime. Vaidas M wrote: > Where did you get ipp2p 0.8.2-r4? What's the difference from release for > version 0.8.2 27.09.2006 ? > > > -----Original Message----- > From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] > On Behalf Of Jaime Fordham > Sent: Sunday, December 02, 2007 7:37 PM > To: lartc@mailman.ds9a.nl > Subject: [LARTC] ipp2p: Unaligned access in search_all_ed2k on sparc64 > > Hey guys, > > I've just built a sparc64 (Ultra/5) based firewall with ipp2p compiled > as a module and I'm constantly getting the following message in my logs: > > Kernel unaligned access at TPC[100f8490] search_all_edk+0x20/0x4c > [ipt_ipp2p] > > I'm running the following versions: > > - Kernel 2.6.22 > - ipp2p 0.8.2-r4 > - iptables 1.3.8-r1 > > > Any thoughts? 
From stanislav.kruchinin at gmail.com Mon Dec 3 11:05:08 2007
From: stanislav.kruchinin at gmail.com (Stanislav Kruchinin)
Date: Mon Dec 3 11:04:37 2007
Subject: [LARTC] tc doesn't shape correct
In-Reply-To: <4753C4E2.4020701@inuits.be>
References: <474D4633.2070704@inuits.be> <4753C4E2.4020701@inuits.be>
Message-ID: <4753D4D4.9000207@gmail.com>

Johan Huysmans wrote:
> Here is my tc config, maybe something is wrong with that config:
>
> /sbin/tc qdisc del dev bond1 root
> /sbin/tc qdisc add dev bond1 root handle 1: htb default 1
> /sbin/tc class add dev bond1 parent 1: classid 1:1 htb rate 1000mbit burst 1310720
> /sbin/tc class add dev bond1 parent 1: classid 1:2 htb rate 30mbit burst 39321
> /sbin/tc class add dev bond1 parent 1: classid 1:3 htb rate 10mbit burst 13107

I think you should try to set the "quantum" parameter of all leaf classes to a
value at least as high as the MTU, e.g. 1500 for Ethernet, and to increase the
burst of the 1:3 class.

From jaime.f at netcabo.pt Mon Dec 3 11:21:49 2007
From: jaime.f at netcabo.pt (Jaime Fordham)
Date: Mon Dec 3 11:21:56 2007
Subject: [LARTC] ipp2p: Unaligned access in search_all_ed2k on sparc64
In-Reply-To: <000201c83594$51cadb60$f5609220$@lt>
References: <4752ED4E.1030005@netcabo.pt> <000001c83585$ed2952d0$c77bf870$@lt> <4753CF01.8060604@netcabo.pt> <000201c83594$51cadb60$f5609220$@lt>
Message-ID: <4753D8BD.2090504@netcabo.pt>

An HTML attachment was scrubbed...
From gustin at echostar.ca Mon Dec 3 11:49:12 2007
From: gustin at echostar.ca (Gustin Johnson)
Date: Mon Dec 3 11:49:30 2007
Subject: [LARTC] How to fight with encrypted p2p
In-Reply-To: <1196595757.6539.9.camel@andybev>
References: <20071112015107.4ECBBEB2BB@f05.poczta.interia.pl> <1196595757.6539.9.camel@andybev>
Message-ID: <4753DF28.8080209@echostar.ca>

I believe "fighting" is the wrong approach. Badly shaping the wrong traffic is
just as bad, if not worse IMO. An ISP in my neck of the woods plays havoc with
encrypted mail (SMTP + TLS as well as IMAPS) as a result of their P2P fight.
Needless to say we no longer use them, and we encourage clients, friends, and
colleagues not to either. I don't use P2P but I do use ssh, imaps, sftp, and
https daily. Screwing with these services is not useful.

Limiting your rules to specific ports is pretty useless. This has been done
before, and it failed miserably.

For me, if P2P does not belong at all, for instance on a corporate network,
then a default deny on the outbound works much better. We then only allow
specific connections on a case by case basis. For instances where I am not
able to block p2p, I define specific rules for high and low priority, and
leave everything else in the default. If the end user wants to use the bulk
of his or her bandwidth for P2P, so be it. Of course in this case bandwidth
accounting is far more useful.

I would also encourage your users to use software that is or can be well
behaved. Software that allows you to set a proper TOS, for instance. If
possible, work with the end users.

I have personally found that the best solutions are not tech solutions. Having
a well defined Acceptable Use Policy, plus a constructive dialogue with my
users, has been far more effective than any shaping routine I/we could come up
with.
Ask yourself: what is the problem you are really trying to solve?

Andrew Beverley wrote:
>> I believe that whole question is on topic.
>> Is there any way to recognize (and then shape) p2p traffic which is encrypted?
>> Modern p2p clients have this ability; moreover some of them have this enabled by default.
>> Now I'm using ipp2p for iptables but as far as I know this doesn't recognize encrypted traffic.
>
> One way to do this is to look for the style of traffic. For example, I
> look for lots of connections from one PC to port numbers above 1024.
> This will also incorrectly recognise some other traffic, but on the
> whole it works well for me.
>
> The following are some examples using connlimit (now included in the vanilla
> kernel) and ipset (see http://ipset.netfilter.org/)
>
> # first look for style of traffic and log that client to an ipset
> iptables -t mangle -A FORWARD -o ppp0 -p tcp --dport 1024: \
>     -m connlimit --connlimit-above 10 -j SET --add-set p2p src
> iptables -t mangle -A FORWARD -o ppp0 -p udp --dport 1024: \
>     -m connlimit --connlimit-above 10 -j SET --add-set p2p src
> iptables -t mangle -A FORWARD -i ppp0 -p tcp --sport 1024: \
>     -m connlimit --connlimit-above 10 -j SET --add-set p2p dst
> iptables -t mangle -A FORWARD -i ppp0 -p udp --sport 1024: \
>     -m connlimit --connlimit-above 10 -j SET --add-set p2p dst
>
> # then shape traffic above port 1024 for those detected clients
> iptables -t mangle -A FORWARD -o ppp0 -p tcp --dport 1024: \
>     -m set --set p2p dst -j MARK --set-mark 60
> iptables -t mangle -A FORWARD -i ppp0 -p tcp --sport 1024: \
>     -m set --set p2p dst -j MARK --set-mark 60
> iptables -t mangle -A FORWARD -o ppp0 -p udp --dport 1024: \
>     -m set --set p2p dst -j MARK --set-mark 60
> iptables -t mangle -A FORWARD -i ppp0 -p udp --sport 1024: \
>     -m set --set p2p dst -j MARK --set-mark 60
>
> Regards,
>
> Andy Beverley
From johan.huysmans at inuits.be Mon Dec 3 13:05:13 2007
From: johan.huysmans at inuits.be (Johan Huysmans)
Date: Mon Dec 3 13:05:22 2007
Subject: [LARTC] tc doesn't shape correct
In-Reply-To: <4753D4D4.9000207@gmail.com>
References: <474D4633.2070704@inuits.be> <4753C4E2.4020701@inuits.be> <4753D4D4.9000207@gmail.com>
Message-ID: <4753F0F9.7070703@inuits.be>

None of these changes corrected my problem.

Stanislav Kruchinin wrote:
> I think you should try to set the "quantum" parameter of all leaf classes to
> a value at least as high as the MTU, e.g. 1500 for Ethernet, and to
> increase the burst of the 1:3 class.
From michele.petrazzo at unipex.it Mon Dec 3 14:39:19 2007
From: michele.petrazzo at unipex.it (Michele Petrazzo - Unipex srl)
Date: Mon Dec 3 14:39:27 2007
Subject: [LARTC] ipp2p: Unaligned access in search_all_ed2k on sparc64
In-Reply-To: <4753D8BD.2090504@netcabo.pt>
References: <4752ED4E.1030005@netcabo.pt> <000001c83585$ed2952d0$c77bf870$@lt> <4753CF01.8060604@netcabo.pt> <000201c83594$51cadb60$f5609220$@lt> <4753D8BD.2090504@netcabo.pt>
Message-ID: <47540707.3080500@unipex.it>

Jaime Fordham wrote:
> But ipp2p does compile with Kernel 2.6.22, only it produces these "unaligned
> access" errors for the "search_all_ed2k" class.
>

Google tells me that it needs a patch (which works here):
http://kambing.ui.edu/gentoo-portage/net-firewall/ipp2p/files/ipp2p-0.8.2-kernel-2.6.22.patch

Michele

From stonie.cooper at planetarydata.com Mon Dec 3 15:11:39 2007
From: stonie.cooper at planetarydata.com (Stonie Cooper)
Date: Mon Dec 3 15:11:49 2007
Subject: [LARTC] Route optimization.
Message-ID: <7C7B7998-E904-4A2C-BBBD-F1F704ED734A@planetarydata.com>

Is there any prior work, or are there examples, on setting up a router to
perform route optimization for customers (such as using traceroute, etc.)? I
recently came across a vendor that has implemented a Cisco appliance that does
this . . . it watches customer traffic and then sets about trying to optimize
the route the customer's traffic takes.
Stonie Cooper
Planetary Data, Incorporated
402-663-6599

From andy at andybev.com Mon Dec 3 20:33:12 2007
From: andy at andybev.com (Andrew Beverley)
Date: Mon Dec 3 20:33:16 2007
Subject: [LARTC] How to fight with encrypted p2p
In-Reply-To: <4753DF28.8080209@echostar.ca>
References: <20071112015107.4ECBBEB2BB@f05.poczta.interia.pl> <1196595757.6539.9.camel@andybev> <4753DF28.8080209@echostar.ca>
Message-ID: <20071203193312.rg91ytgfeog0w4ss@www.simplelists.com>

> I believe "fighting" is the wrong approach. Badly shaping the wrong
> traffic is just as bad, if not worse IMO. An ISP in my neck of the
> woods plays havoc with encrypted mail (SMTP + TLS as well as IMAPS) as a
> result of their P2P fight. Needless to say we no longer use them, and
> we encourage clients, friends, and colleagues not to as well. I don't
> use P2P but I do use ssh, imaps, sftp, and https daily. Screwing with
> these services is not useful.

Using the rules in the example previously given specifically steers well clear
of these services.

> Limiting your rules to specific ports is
> pretty useless. This has been done before, and it failed miserably.

Agreed.

> For me, if P2P does not belong at all, for instance on a corporate
> network, then a default deny on the outbound works much better. We then
> only allow specific connections on a case by case basis.

I have seen this work very well on corporate networks, and would recommend
this approach where possible. Unfortunately though, on a normal home user
network, there are so many different possibilities that this isn't very
practical.

> For instances
> where I am not able to block p2p, I define specific rules for high and
> low priority, and leave everything else in the default. If the end user
> wants to use the bulk of his or her bandwidth for P2P, so be it. Of
> course in this case bandwidth accounting is far more useful.

Again, this depends on the circumstances.
If you only have 2Mbit/s to share between 100 users then each user cannot have
their own 'share' of the connection. Equally, people downloading in a
responsible way are lumped into the same category as p2p users, which is not
fair. Bandwidth accounting is a possibility, and something I haven't
investigated.

For those who want to fairly share bandwidth between users, I would recommend
the ESFQ patches. These allow bandwidth sharing to be done on an IP address
basis, rather than per connection. This prevents the hundreds of p2p
connections from drowning out single downloads.

> I would also encourage your users to use software that is or can be well
> behaved. Software that allows you set a proper TOS for instance. If
> possible work with the end users.

> I have personally found that the best solutions are not tech solutions.
> Having a well defined Acceptable Use Policy, plus a constructive
> dialogue with my users has been far more effective than any shaping
> routine I/we could come up with.

Agreed. However, in a situation where you have a lot of users coming and
going, it is not easy to educate the many hundreds of users.

I guess it all boils down to your own situation. Traffic shaping on a
corporate network or on a network where your users are static can be done
using the above techniques. However, sharing a small connection between
hundreds of regularly changing users is difficult, and I have found the
'blunt' rules previously described to work very well with no complaints.

Regards,

Andy Beverley

From commercials at gmx.net Tue Dec 4 12:32:52 2007
From: commercials at gmx.net (Julius)
Date: Tue Dec 4 12:38:39 2007
Subject: [LARTC] Simple Example isnt working (ssh/bulk traffic)
Message-ID: <200712041232.52329.commercials@gmx.net>

Hi,

the script below should allow ssh connections to keep running well while
downloading, but even the 100kbps (100kbyte/s?) limit doesn't work - I can
still download at 500+kb/s. What's wrong?
INTERFACE=eth0

# clear all on $INTERFACE
tc qdisc del dev $INTERFACE root

tc qdisc add dev $INTERFACE root handle 1:0 htb default 15

# root class, allows borrowing for its children
tc class add dev $INTERFACE parent 1:0 classid 1:1 htb rate 100kbps ceil 100kbps

# ssh class
tc class add dev $INTERFACE parent 1:1 classid 1:5 htb rate 20kbps ceil 100kbps prio 2

# other traffic
tc class add dev $INTERFACE parent 1:1 classid 1:15 htb rate 80kbps ceil 100kbps prio 10

# filter ssh
tc filter add dev $INTERFACE protocol ip parent 1:0 prio 1 u32 match ip dport 22 0xffff flowid 1:5
tc filter add dev $INTERFACE protocol ip parent 1:0 prio 1 u32 match ip sport 22 0xffff flowid 1:5

greets
Julius

From mike at psand.net Tue Dec 4 19:11:25 2007
From: mike at psand.net (Mike Harris)
Date: Tue Dec 4 19:17:45 2007
Subject: [LARTC] Multiple routing query
Message-ID: <4755984D.3020508@psand.net>

Hello,

I am writing to the list in the hope that someone out there might be able to
help me make sure I have the right configuration here. I'm not all that au
fait with routing using multiple interfaces.

Some time ago I configured a web server to have two different IP addresses
from two different network ranges on each of its two ethernet cards. I
followed the excellent instructions at http://lartc.org/lartc.html#AEN268 and
came up with the following configuration:

#!/bin/bash
/sbin/ip route add 194.164.97.0 dev eth0 src 194.164.97.252 table T1
/sbin/ip route add default via 194.164.97.1 table T1
/sbin/ip route add 86.54.82.144 dev eth1 src 86.54.82.146 table T2
/sbin/ip route add default via 86.54.82.145 table T2
/sbin/ip route add 194.164.97.0 dev eth0 src 194.164.97.252
/sbin/ip route add 86.54.82.144 dev eth1 src 86.54.82.146
/sbin/ip route add default via 194.164.97.1
/sbin/ip rule add from 194.164.97.252 table T1
/sbin/ip rule add from 86.54.82.146 table T2
/sbin/iptables-save

I'm uncertain if the last line is actually needed there.
My understanding is that what is supposed to happen is that incoming traffic to
86.54.82.146 is correctly routed back through the same interface to the
gateway at 86.54.82.145, and similarly traffic to 194.164.97.252 is routed
back through 194.164.97.1.

I test this using ping but it doesn't seem to work properly: whichever
interface is set as the default route becomes just that. So 'ping -I eth0
lartc.org' works but 'ping -I eth1 lartc.org' doesn't.

I've checked to make sure the kernel has the compile parameter
IP_MULTIPLE_TABLES in it and it does. So I cannot work out where I've gone
wrong. I've trawled back over the LARTC HOWTO and can't spot anything else.

Can anyone help with this, or at least give me some pointers on things to try?

Thanks in advance,

Mike.

--
----------
Mike Harris
Psand.net
Tlf: +44 7811 671 893 / +34 69 676 3122 / +44 870 162 4927 ext 2
Fax: +44 870 162 4925
Web: http://psand.net
PGP: http://www.psand.net/mike/mike.gpg.pub
IRC: irc://irc.psand.net:6667/#psand
----------
Psand Limited is registered in England and Wales, company number 03291616.
Registered office: 54 Goodwin Road, Ramsgate, Kent, CT11 0JJ, UK.

From rabbit+list at rabbit.us Tue Dec 4 19:27:54 2007
From: rabbit+list at rabbit.us (Peter Rabbitson)
Date: Tue Dec 4 19:28:02 2007
Subject: [LARTC] Multiple routing query
In-Reply-To: <4755984D.3020508@psand.net>
References: <4755984D.3020508@psand.net>
Message-ID: <47559C2A.3070203@rabbit.us>

Mike Harris wrote:
> I test this using ping but it doesn't seem to work properly, whichever
> interface is set as the default route becomes just that. So 'ping -I
> eth0 lartc.org' works but 'ping -I eth1 lartc.org' doesn't.
>

The source selection code of the ping binary is broken. Try

-I 86.54.82.146

as the source argument and watch your pings fly away.
HTH

Peter

From andreas at stapelspeicher.org Tue Dec 4 20:45:54 2007
From: andreas at stapelspeicher.org (Andreas Mueller)
Date: Tue Dec 4 20:46:24 2007
Subject: [LARTC] Simple Example isnt working (ssh/bulk traffic)
In-Reply-To: <200712041232.52329.commercials@gmx.net>
References: <200712041232.52329.commercials@gmx.net>
Message-ID: <20071204194553.GA2805@lintera>

Hello,

Julius wrote:
> Hi,
>
> the script below should allow to get ssh connections running well while
> downloading, but even the 100kbps (100kbyte/s?) doesn't work - can still
> download with 500+kb/s. What's wrong?
>
> INTERFACE=eth0

Are you mixing egress with ingress? (IMQ in that case.)
What's your network configuration (is it a router? which eths)?

And yes, kbps actually is kbyte/s; kbit is for kbit/s.

If everything should be set up right, what does

# tc -s -d class show dev eth0

say?

Bye,
Andreas

From mike at psand.net Wed Dec 5 01:30:56 2007
From: mike at psand.net (Mike Harris)
Date: Wed Dec 5 01:28:38 2007
Subject: [LARTC] Multiple routing query
In-Reply-To: <47559C2A.3070203@rabbit.us>
References: <4755984D.3020508@psand.net> <47559C2A.3070203@rabbit.us>
Message-ID: <1196814656.4755f1409b3eb@www.slackmail.co.uk>

No way!!! Thanks Peter, I have a feeling this means that I was stumped by what
I thought was the simplest and most failsafe program to test network
connexions around. I never ever even thought of checking that ping might not
be behaving itself. Doh!

This means (I think) that it was working all along.

Many thanks for that again Peter,

Mike.

Message quoted from Peter Rabbitson:
> Mike Harris wrote:
> > I test this using ping but it doesn't seem to work properly, whichever
> > interface is set as the default route becomes just that. So 'ping -I
> > eth0 lartc.org' works but 'ping -I eth1 lartc.org' doesn't.
> >
>
> The source selection code of the ping binary is broken. Try
> -I 86.54.82.146
> as the source argument and watch your pings fly away.
>
> HTH
>
> Peter
>

------
Mike Harris, Psand
Tlf: +44 870 162 4927 x 2 / +34 696 763 122
Fax: +44 870 162 4925
Web: http://psand.net
IRC: irc.psand.net channel #psand
PGP: http://psand.net/mike/mike.gpg.pub
---------------------------------------------
This email message was delivered by Psand.net

From lsharpe at pacificwireless.com.au Wed Dec 5 05:36:48 2007
From: lsharpe at pacificwireless.com.au (Leigh Sharpe)
Date: Wed Dec 5 05:31:20 2007
Subject: [LARTC] Adding qdiscs crashes kernel??
Message-ID: <96CF49BD8B56384395D698BA99007FA32DB8@exchange.pacwire.local>

Hi all,

I'm having some problems setting up qdiscs on a bridge. The config looks a
little like this:

ifconfig ifb0 up   # Bring up the IFB for this bridge.
tc qdisc add dev eth2 ingress
tc qdisc add dev eth3 ingress
tc qdisc add dev ifb0 root handle 1:0 cbq bandwidth 100Mbit avpkt 1000 cell 8

# Raw qdiscs on each bridge port
tc qdisc add dev eth2 root handle 1:0 cbq bandwidth 100Mbit avpkt 1000 cell 8
tc qdisc add dev eth3 root handle 1:0 cbq bandwidth 100Mbit avpkt 1000 cell 8

tc filter add dev eth2 parent 1: protocol 0x8100 prio 5 u32 match u16 3000 0x0fff at 0 flowid 1:1 action ipt -j MARK --or-mark 0x01000000   # mark packets for VLAN 3000.
tc filter add dev eth3 parent 1: protocol 0x8100 prio 5 u32 match u16 3000 0x0fff at 0 flowid 1:1 action ipt -j MARK --or-mark 0x01000000   # mark packets for VLAN 3000.

tc class add dev eth2 parent 1:0 classid 1:1 cbq bandwidth 100Mbit rate 2000Kbit weight 200Kbit prio 1 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded isolated   # 2000 Kbit rate limit on entry point.
tc class add dev eth3 parent 1:0 classid 1:1 cbq bandwidth 100Mbit rate 2000Kbit weight 200Kbit prio 1 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded isolated   # 2000 Kbit rate limit on entry point.
tc qdisc add dev eth2 parent 1:1 handle 2: cbq bandwidth 100Mbit avpkt 1000 cell 8
tc qdisc add dev eth3 parent 1:1 handle 2: cbq bandwidth 100Mbit avpkt 1000 cell 8
tc class add dev eth2 parent 2:0 classid 2:1 cbq bandwidth 100Mbit rate 2000Kbit weight 200Kbit prio 2 allot 1514 cell 8 maxburst 20 avpkt 1000 sharing
tc filter add dev eth2 parent 2:0 protocol 0x8100 prio 2 u32 match u16 3000 0x0fff at 0 flowid 2:1 action ipt -j MARK --or-mark 0x00100000
tc qdisc add dev eth2 parent 2:1 handle 3: cbq bandwidth 100Mbit avpkt 1000 cell 8
tc filter add dev eth2 parent 3:0 protocol 0x8100 prio 4 u32 match u32 0 0 flowid 3:3   # Traffic class 3 - catchall. Don't MARK further.

(There's lots more, mostly a repeat of the above with different criteria.)

When I first boot the box, and apply the traffic shaping before any traffic
flows, all is fine. However, if I apply this same config whilst the bridge is
passing lots of traffic, it completely crashes the box. Everything freezes; I
don't even get a kernel panic message on the console. Nothing responds and the
only way to recover is by a power-cycle.

If I take the link down on the ethernet port (with ip link set ethx down),
apply the configs, and then bring it back up again, all is OK. Obviously,
though, this isn't really acceptable.

It always crashes immediately after a 'tc qdisc add...' line, but not always
in the same place. Are there any known issues with adding qdiscs whilst
traffic is being queued on it?

I've also tried it using HTB instead of CBQ, and I get the same results.

Anybody got any other ideas as to what might be going on?

Regards,
Leigh

Leigh Sharpe
Network Systems Engineer
Pacific Wireless
Ph +61 3 9584 8966
Mob 0408 009 502
Helpdesk 1300 300 616
email lsharpe@pacificwireless.com.au
web www.pacificwireless.com.au
From lsharpe at pacificwireless.com.au Wed Dec 5 05:40:47 2007
From: lsharpe at pacificwireless.com.au (Leigh Sharpe)
Date: Wed Dec 5 05:35:16 2007
Subject: [LARTC] Adding qdiscs crashes kernel??
Message-ID: <96CF49BD8B56384395D698BA99007FA32DB9@exchange.pacwire.local>

Oh, kernel version 2.6.23, since I forgot to mention it.

Leigh.

________________________________

From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Leigh Sharpe
Sent: Wednesday, 5 December 2007 3:37 PM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] Adding qdiscs crashes kernel??

[...]
From kaber at trash.net Wed Dec 5 09:07:55 2007
From: kaber at trash.net (Patrick McHardy)
Date: Wed Dec 5 09:08:22 2007
Subject: [LARTC] Adding qdiscs crashes kernel??
In-Reply-To: <96CF49BD8B56384395D698BA99007FA32DB9@exchange.pacwire.local>
References: <96CF49BD8B56384395D698BA99007FA32DB9@exchange.pacwire.local>
Message-ID: <47565C5B.2030302@trash.net>

Please always report bugs to netdev@vger.kernel.org.

Leigh Sharpe wrote:
> Oh,
> kernel version 2.6.23, since I forgot to mention it.
>
> Leigh.
>
[...]
> It always crashes immediately after a 'tc qdisc add...' line, but not
> always in the same place. Are there any known issues with adding qdiscs
> whilst traffic is being queued on it?
> I've also tried it using HTB instead of CBQ, and I get the same results.
>
> Anybody got any other ideas as to what might be going on?

Which qdisc add crashes it? Please post the full oops.
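Leigh's filters select VLAN 3000 by masking the 802.1Q TCI (`match u16 3000 0x0fff at 0`, so the priority bits are ignored) and compose the nfmark with `--or-mark` at each level of the hierarchy. The following is an added example, not code from this thread: it emulates the eth2 filter chain from the posted config on constructed frames, assuming that u32 offset 0 under `protocol 0x8100` is the first byte after the 14-byte Ethernet header (the TCI) and that a frame which matches nothing at a level simply stops there.

```python
"""Emulate the VLAN-selecting u32 filters and --or-mark actions from the
'Adding qdiscs crashes kernel??' config on constructed 802.1Q frames.
Added example; not code from the original posts."""
import struct

ETH_P_8021Q = 0x8100   # 802.1Q tagged frame
ETH_P_IP = 0x0800      # plain IPv4 frame (used for the untagged control case)

# Filter table transcribed from the eth2 part of the posted config:
# (parent qdisc, protocol, (kind, value, mask, offset), flowid, --or-mark value)
FILTERS = [
    ("1:", ETH_P_8021Q, ("u16", 3000, 0x0fff, 0), "1:1", 0x01000000),
    ("2:", ETH_P_8021Q, ("u16", 3000, 0x0fff, 0), "2:1", 0x00100000),
    ("3:", ETH_P_8021Q, ("u32", 0, 0, 0), "3:3", 0),  # catch-all, no further MARK
]
# Child qdisc attached to each class (qdisc 2: under class 1:1, qdisc 3: under 2:1).
CHILD_QDISC = {"1:1": "2:", "2:1": "3:"}


def build_frame(vlan_id=None, pcp=0):
    """Constructed sample frame (not a capture): 802.1Q-tagged when vlan_id is
    given, otherwise a plain IPv4 frame. Payload is a dummy 20-byte IPv4 header."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")
    payload = b"\x45" + b"\x00" * 19
    if vlan_id is None:
        return dst + src + struct.pack("!H", ETH_P_IP) + payload
    # TCI layout: 3-bit PCP, 1-bit DEI, 12-bit VLAN ID.
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0fff)
    return dst + src + struct.pack("!HHH", ETH_P_8021Q, tci, ETH_P_IP) + payload


def protocol_payload(frame):
    """Split a frame into (EtherType, data after the 14-byte Ethernet header).
    Assumption for this example: u32 offsets count from that point, so for a
    tagged frame 'at 0' is the TCI, which is what 'match u16 3000 0x0fff at 0'
    relies on."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    return ethertype, frame[14:]


def u32_match(data, match):
    """Evaluate one u32 'match u16|u32 VALUE MASK at OFFSET' selector."""
    kind, value, mask, at = match
    fmt, size = ("!H", 2) if kind == "u16" else ("!I", 4)
    if at + size > len(data):
        return False
    (word,) = struct.unpack_from(fmt, data, at)
    return (word & mask) == (value & mask)


def classify(frame, mark=0):
    """Walk the filter chain from the root qdisc downwards, returning the list
    of classes the frame is steered into and the accumulated nfmark."""
    ethertype, data = protocol_payload(frame)
    qdisc, path = "1:", []
    while qdisc is not None:
        hit = next(((flowid, or_mark)
                    for parent, proto, match, flowid, or_mark in FILTERS
                    if parent == qdisc and proto == ethertype
                    and u32_match(data, match)), None)
        if hit is None:
            break  # nothing matched at this level; the excerpt steers it no further
        flowid, or_mark = hit
        mark |= or_mark  # 'action ipt -j MARK --or-mark' ORs bits in, never clears them
        path.append(flowid)
        qdisc = CHILD_QDISC.get(flowid)
    return path, mark


if __name__ == "__main__":
    for label, frame in [("VLAN 3000", build_frame(3000)),
                         ("VLAN 3000, PCP 7", build_frame(3000, pcp=7)),
                         ("VLAN 100", build_frame(100)),
                         ("untagged IPv4", build_frame())]:
        path, mark = classify(frame)
        print(f"{label:18s} -> classes {path or ['(unclassified)']}, mark 0x{mark:08x}")
```

A VLAN 3000 frame ends up in 3:3 carrying mark 0x01100000 (both levels' bits ORed together), while a frame on another VLAN or an untagged frame matches nothing in this excerpt.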
From lsharpe at pacificwireless.com.au Wed Dec 5 11:06:16 2007
From: lsharpe at pacificwireless.com.au (Leigh Sharpe)
Date: Wed Dec 5 11:00:35 2007
Subject: [LARTC] Adding qdiscs crashes kernel??
References: <96CF49BD8B56384395D698BA99007FA32DB9@exchange.pacwire.local> <47565C5B.2030302@trash.net>
Message-ID: <96CF49BD8B56384395D698BA99007FA3386A@exchange.pacwire.local>

> Please always report bugs to netdev@vger.kernel.org.

Not entirely sure it's a bug yet.

> Which qdisc add crashes it? Please post the full oops.

I don't get an oops. Just a completely unresponsive system. It's not terribly
consistent. It's always one of these:

tc qdisc add dev eth2 parent 1:1 handle 2: cbq bandwidth 100Mbit avpkt 1000 cell 8
tc qdisc add dev eth3 parent 1:1 handle 2: cbq bandwidth 100Mbit avpkt 1000 cell 8

But there's no telling which.

Leigh.

________________________________

From: Patrick McHardy [mailto:kaber@trash.net]
Sent: Wed 5/12/2007 7:07 PM
To: Leigh Sharpe
Cc: lartc@mailman.ds9a.nl; Linux Netdev List
Subject: Re: [LARTC] Adding qdiscs crashes kernel??

Please always report bugs to netdev@vger.kernel.org.

Leigh Sharpe wrote:
> Oh,
> kernel version 2.6.23, since I forgot to mention it.
[...]

Which qdisc add crashes it? Please post the full oops.

From commercials at gmx.net Wed Dec 5 22:54:08 2007
From: commercials at gmx.net (Julius)
Date: Wed Dec 5 22:59:36 2007
Subject: [LARTC] Simple Example isnt working (ssh/bulk traffic)
In-Reply-To: <20071204194553.GA2805@lintera>
References: <200712041232.52329.commercials@gmx.net> <20071204194553.GA2805@lintera>
Message-ID: <200712052254.08827.commercials@gmx.net>

On Tuesday 04 December 2007 20:45:54 Andreas Mueller wrote:
> Hello,
>
> Julius wrote:
> > Hi,
> >
> > the script below should allow to get ssh connections running well while
> > downloading, but even the 100kbps (100kbyte/s?) doesn't work - can still
> > download with 500+kb/s. What's wrong?
> >
> > INTERFACE=eth0
>
> are you mixing egress with ingress? (IMQ in that case)
> What's your network configuration (is it a router? which eths)?

Ah, yes, I did.
INTERFACE=ppp0

# delete everything
tc qdisc del dev $INTERFACE root

tc qdisc add dev $INTERFACE root handle 1:0 htb default 15
tc class add dev $INTERFACE parent 1:0 classid 1:1 htb rate 11kbps
tc class add dev $INTERFACE parent 1:1 classid 1:5 htb rate 6kbps ceil 11kbps prio 2
tc class add dev $INTERFACE parent 1:1 classid 1:15 htb rate 5kbps ceil 11kbps prio 10

# filter ssh
tc filter add dev $INTERFACE protocol ip parent 1:0 prio 1 u32 match ip dport 22 0xffff flowid 1:5
tc filter add dev $INTERFACE protocol ip parent 1:0 prio 1 u32 match ip sport 22 0xffff flowid 1:5

Network setup:

my pc ---- internet ---- router@home

I want to connect to router@home; traffic shaping is done on the router. The router can do 120kb/s down and 14kb/s up. This works so far, have to test these settings for some time.

greets Julius

From lartc at meta-dynamic.com Thu Dec 6 05:02:31 2007 From: lartc at meta-dynamic.com (David) Date: Thu Dec 6 05:02:33 2007 Subject: [LARTC] Incorrect source address, per-process routing Message-ID: <47577457.7020905@meta-dynamic.com>

Hello, please excuse the length of my question, and I hope that this is an appropriate place to ask.

I have a workstation that has two interfaces connected to two private networks, 192.168.0.0/24 and 192.168.1.0/24, each of which has a separate masquerading gateway to the internet, something like as follows:

                          +-----------> to internet
                          |
                 router0 192.168.0.1
                          |
                          |
          192.168.0.100 +-------------+
                        |             |
                        | Workstation |
                        |             |
                        +-------------+ 192.168.1.100
                          |
                          |
                 router1 192.168.1.1
                          |
                          +-----------> to internet

I want to control which traffic to/from processes running on the workstation uses which interface (i.e. outbound path to internet) on a process-by-process basis, without the cooperation of the program (i.e. rather than having the program bind to a particular local interface, when I start a program I want to be able to choose one or the other interface, and have all of that process's traffic get routed through that interface).
My idea of how to accomplish this (I'm open to alternate suggestions) is to set up a default route via one gateway, e.g. router0, then a designated group-ID via the iptables 'owner' match module to mark packets from processes owned by a user in that group, and use the iproute2 tables to route those packets via the other gateway (router1). (It seems that ipt_ROUTE is frowned upon and I've never been able to get it to work anyhow.)

So, after each interface is up on its sub-net and the default route is set, my commands are like this:

iptables --table mangle --append OUTPUT --match owner --gid-owner alt-route-group -j MARK --set-mark 1
ip rule add fwmark 1 pref 10001 table 100
ip route add default via router1 table 100

It's not a very elegant solution, but it seems like it should work; yet I have a problem: when I run a program sudo'd to the designated user/group, its traffic does indeed get matched, marked, and exits via the "alternate" interface (eth1), bound for the alternate gateway (router1), but when I examine by sniffing the interface, I find that the packets' source IP address is that of the default interface (eth0, 192.168.0.100). Of course this prevents proper routing of any return packets.

I tried forcing the source-address in the routing table entry with 'src':

ip route add default via router1 dev eth1 src 192.168.1.100 table 100

But it still showed the source as 192.168.0.100 (eth0's address), even though the packet exited via eth1, and I verified that their destination ethernet address is bound for router1.

So I wonder if anyone knows what's wrong? I would also be interested in other suggestions for how to do per-process routing (but I'd like to get this approach working even if I abandon it). Any help is greatly appreciated.
My tables:

~ # iptables --table mangle --list OUTPUT
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere            OWNER GID match alt-route-group MARK set 0x1

~ # ip rule show
0:      from all lookup local
10001:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default

~ # ip route show table main
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.100
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.100
169.254.0.0/16 dev eth0  scope link
default via 192.168.0.1 dev eth0

~ # ip route show table 100
default via 192.168.1.1 dev eth1  src 192.168.1.100

The command:

~ # sudo -u alt-route-user ping google.com
PING google.com (64.233.187.99) 56(84) bytes of data.

--- google.com ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3010ms
/tmp #

Produces the trace:

~ # tshark -n -i eth1 icmp
Capturing on eth1
  0.000000 192.168.0.100 -> 64.233.187.99 ICMP Echo (ping) request
  1.009611 192.168.0.100 -> 64.233.187.99 ICMP Echo (ping) request
  2.009777 192.168.0.100 -> 64.233.187.99 ICMP Echo (ping) request
  3.013895 192.168.0.100 -> 64.233.187.99 ICMP Echo (ping) request
4 packets captured
~ #

Thanks in advance,
David

From Mingyur.Koblensky at elsagdatamat.com Thu Dec 6 10:17:28 2007 From: Mingyur.Koblensky at elsagdatamat.com (Koblensky Mingyur) Date: Thu Dec 6 10:18:05 2007 Subject: [LARTC] HTB performance improvement Message-ID: <685F1926C37B1846BE64D0033B46AF97E34D1D@els00wmx04.elsag.it>

An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20071206/6509776e/attachment.html

From shane at hemc.coop Thu Dec 6 17:43:24 2007 From: shane at hemc.coop (Shane McKinley) Date: Thu Dec 6 17:42:41 2007 Subject: [LARTC] Best setup for redundant routers. Message-ID: <7C454E01C5FAE748BEFE65F4C6B7FD8BFD2128@s-marcell.hemc.coop>

I am setting up 2 Vyatta routers that will serve as redundant failover core routers out to the backbone of our ISP.
They will be serving for routing between other branches and the ISP and bandwidth management. I am trying to differentiate between the plethora of information about having redundant, automatic failover routers and pretty much decided on VRRP for the IP address failover mechanism.

I am having a bit of a problem sorting out what will work best for automatic routing propagation between the two units and have been looking at the possibility of using OSPF to accomplish this to avoid having to enter routes into two different routers.

Would OSPF work well for this? Are there better options?

Thanks for any info,

Shane McKinley

From gtaylor at riverviewtech.net Thu Dec 6 18:15:54 2007 From: gtaylor at riverviewtech.net (Grant Taylor) Date: Thu Dec 6 18:14:50 2007 Subject: [LARTC] Best setup for redundant routers. In-Reply-To: <7C454E01C5FAE748BEFE65F4C6B7FD8BFD2128@s-marcell.hemc.coop> References: <7C454E01C5FAE748BEFE65F4C6B7FD8BFD2128@s-marcell.hemc.coop> Message-ID: <47582E4A.1060102@riverviewtech.net>

This looks to be a general routing related question rather than a "Linux Advanced Routing and Traffic Control" (a.k.a. LARTC) question and thus may be better answered elsewhere.

On 12/06/07 10:43, Shane McKinley wrote:
> I am setting up 2 Vyatta routers that will serve as redundant
> failover core routers out to the backbone of our ISP. They will be
> serving for routing between other branches and the ISP and bandwidth
> management.

Ok...

> I am trying to differentiate between the plethora of information
> about having redundant, automatic failover routers and pretty much
> decided on VRRP for the IP address failover mechanism.

VRRP is a good idea. I don't think I'd rely on one virtual redundant router though. I would make router B be redundant for router A AND router A be redundant for router B. This way, your branch offices can see two different routers that have the same capabilities.
This way you could route some load through one router and the rest through the other while having both be redundant for each other.

> I am having a bit of a problem sorting out what will work best for
> automatic routing propagation between the two units and have been
> looking at the possibility of using OSPF to accomplish this to avoid
> having to enter routes into two different routers.

Yes, an interior routing protocol would be good. Based on my limited experience I would recommend that you use either (preferably) OSPF or possibly Interior BGP (a.k.a. IBGP).

> Would OSPF work well for this? Are there better options?

You could look at things like RIP or ISIS, but neither of them will be as good or bandwidth friendly as either OSPF or IBGP.

> Thanks for any info,

You are welcome.

Grant. . . .

From mfdutra at gmail.com Thu Dec 6 19:52:28 2007 From: mfdutra at gmail.com (Marlon Dutra) Date: Thu Dec 6 19:52:32 2007 Subject: [LARTC] GRE tunnel stops traffic when idle Message-ID: <30dd942a0712061052q179c11aex865633102564efbf@mail.gmail.com>

Hello,

I've set up a GRE tunnel between two Linux boxes and it's working well, with or without IPSEC (under GRE). The problem is that when I have no traffic for some minutes, side A cannot communicate to side B any more, unless side B tries to communicate to side A. The same thing happens in the other direction.

For example, side A pings side B. No reply. Keep pinging. Side B pings side A. Reply ok. Side A starts getting reply from side B too.

It's like the kernel suspends the tunnel for inactivity. That happens even in a non NAT environment. NAT isn't a problem because I'm using NAT-T in those environments, and NAT-T itself has a keep alive method that prevents the NAT routers from dropping the mapping.

Is there a "keep alive method" for GRE tunnels? I know that if I keep a ping once a minute, that would fix the problem, but I'm looking for something that isn't a band aid.

Thanks.
--
MARLON DUTRA
Propus
GnuPG ID: 0x3E2060AC pgp.mit.edu
http://www.propus.com.br/
http://hackers.propus.com.br/~marlon/

From archana.gopal at gmail.com Thu Dec 6 19:55:54 2007 From: archana.gopal at gmail.com (Archana Rajagopal) Date: Thu Dec 6 19:55:59 2007 Subject: [LARTC] prio qdisc not wokring Message-ID: <5dd628b40712061055l137caa6ah636cb68c378497c4@mail.gmail.com>

Hi,

I am working on linux 2.6.16. I tried to prioritize traffic using the prio module but it's not working well. It always maps to the same class irrespective of ToS. Is it possible to fix it using filters? Anybody fixed this problem?

--
Regards
Archana Rajagopal

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20071206/8bfc20e7/attachment.htm

From gypsy at iswest.com Thu Dec 6 20:10:39 2007 From: gypsy at iswest.com (gypsy) Date: Thu Dec 6 20:10:54 2007 Subject: [LARTC] HTB performance improvement References: <685F1926C37B1846BE64D0033B46AF97E34D1D@els00wmx04.elsag.it> Message-ID: <4758492F.3E3F252F@iswest.com>

> Koblensky Mingyur wrote:
>
> Hi all !
> i'm looking at the performance of the HTB algorithm/implementation
> because i would like more packets/sec !!
> this is the scenario of the performance test:
>
> i'm using an embedded system with:
> SPEED CPU: 399,999 MHz
> RAM: 128 MByte
> FLASH: 16 MByte
> EEPROM: 8Kbyte
> PROCESSOR MPC8272
>
> 1) with no QoS configuration (system conf) i've obtained: TX 29940 packets/sec RX 29948.98 packets/sec with 2 packets lost
> 2) with only system conf + iptables marking support TX/RX 24950 packets/sec, 8 packets lost
> 3) with only system conf + u32 support TX/RX 29950 packets/sec, 5 packets lost
> 4) with only system conf + HTB with iptables mark classifier TX/RX 13000 packets/sec, 0 packets lost
> 5) with only system conf + HTB with u32 classifier TX/RX 19290 packets/sec, 0 packets lost
>
> tc qdisc add dev eth0.2 root handle 1: htb
> tc class add dev eth0.2 parent 1: classid 1:1 htb rate 100000000 ceil 100000000 burst 1000000 quantum 1600
> tc class add dev eth0.2 parent 1:1 classid 1:10 htb prio 1 rate 70000000 ceil 70000000 burst 1000000 quantum 1600
> tc class add dev eth0.2 parent 1:1 classid 1:11 htb prio 2 rate 10000000 ceil 10000000 burst 1000000 quantum 1600
> tc class add dev eth0.2 parent 1:1 classid 1:12 htb prio 3 rate 10000000 ceil 10000000 burst 1000000 quantum 1600

First, your quantum is wrong. Think of HTB as a NIC. You are sending packets out via that "NIC", and those packets must be 1600 bytes big before being sent. Since a "normal" packet is up to 1500 bytes, you're making HTB take part of the next packet before it can send. Your burst is also huge enough to swamp the interrupt controller. Consider 16K or 32K instead.

Unless you get complaints during the load of the above, do not specify any quantum, or specify the quantum HTB sets for rates that do not complain.

The next likely reason for you to be at "half speed" is that HTB is using the wrong clock. Which clock and what speed are kernel version dependent.

Part of what I snipped referred to 10/100 ethernet.
Normally that will not trigger any, but be sure that when you run a 'tc -s class ls dev $IFE' (where IFE is the correct interface) that "giants" are always zero.

--
gypsy

From gypsy at iswest.com Thu Dec 6 22:36:21 2007 From: gypsy at iswest.com (gypsy) Date: Thu Dec 6 22:36:32 2007 Subject: [LARTC] How does one increase the output buffer size? Message-ID: <47586B55.C3D11ED6@iswest.com>

In 2.4 kernels, there was a [bp]fifo that could be implemented with 'tc add', but in 2.6 kernels, I find no way to create either of these fifos. I am able to increase txqueuelen. What I desire is a larger number of backlogged packets before drops occur.

How can the output buffer size be increased for HTB?

--
gypsy

From a.segura at kernellinux.com Thu Dec 6 23:15:09 2007 From: a.segura at kernellinux.com (Alex Segura N.) Date: Thu Dec 6 23:15:19 2007 Subject: [LARTC] Bandwith vsatl - not static Message-ID: <20071206221514.0EA58458B@outpost.ds9a.nl>

I have an existential problem. There are some providers that offer the service of asymmetric bandwidth as download/upload link, as for example 512/256, but most of them do not offer this amount of transmission or reception capacity exclusively. They usually offer the service to more users at a ratio of 1/10.

How can I design an appropriate diagram with htb where the amount of bandwidth could vary? I have an idea where I can create a pattern as:

Main Link
  Parent
    Child A
    Child B
    Child C
    Child X

Where X is the amount of bandwidth that could vary? And it changes in periods of time, as from 8:00am - 12:00pm bandwidth 200kbps and from 12:00pm-16:00pm 100 kbps. And so on. Depending on the statistics, I assume. And reload the script several times with cron.

Does anyone know a better way?

Regards.

--
Alex Segura N.
Head of Network Projects - VoIP
a.segura@kernellinux.com
http://www.kernellinux.com
Peru
T: Peru-Lima : 51-1-4529526 Nextel : 400*5698
T: Personal : 51-1-9412*3550 Nextel : 412*3550
T: Personal Movil : 51-1-98415454

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20071206/d32d8a9c/attachment.html

From lsharpe at pacificwireless.com.au Fri Dec 7 00:27:51 2007 From: lsharpe at pacificwireless.com.au (Leigh Sharpe) Date: Fri Dec 7 00:21:32 2007 Subject: [LARTC] Setting max latency on classful qdiscs Message-ID: <96CF49BD8B56384395D698BA99007FA32DC3@exchange.pacwire.local>

Hi All,

I'm using HTB to shape traffic, a little like this:

tc qdisc add dev eth2 root handle 1:0 htb
tc qdisc add dev eth3 root handle 1:0 htb

tc filter add dev eth2 parent 1: protocol 0x8100 prio 5 u32 match u16 3000 0x0fff at 0 flowid 1:1 action ipt -j MARK --or-mark 0x01000000
tc filter add dev eth3 parent 1: protocol 0x8100 prio 5 u32 match u16 3000 0x0fff at 0 flowid 1:1 action ipt -j MARK --or-mark 0x01000000

tc class add dev eth2 parent 1:0 classid 1:1 htb rate 2000Kbit ceil 2000Kbit
tc class add dev eth3 parent 1:0 classid 1:1 htb rate 2000Kbit ceil 2000Kbit

tc qdisc add dev eth2 parent 1:1 handle 2: htb
tc qdisc add dev eth3 parent 1:1 handle 2: htb

tc class add dev eth2 parent 2:0 classid 2:1 htb rate 2000Kbit
tc class add dev eth3 parent 2:0 classid 2:1 htb rate 2000Kbit

tc filter add dev eth2 parent 2:0 protocol 0x8100 prio 2 u32 match u16 3000 0x0fff at 0 flowid 2:1 action ipt -j MARK --or-mark 0x00100000
tc filter add dev eth3 parent 2:0 protocol 0x8100 prio 2 u32 match u16 3000 0x0fff at 0 flowid 2:1 action ipt -j MARK --or-mark 0x00100000

This essentially provides a 2mbit/s rate limit on each of eth2 and eth3. However, when I attempt to put more than 2mbps through it, it gets quite latent (I end up with >1 second latency at times). Is there any way of specifying the maximum latency on a HTB class or qdisc? Or CBQ, for that matter? I need to use a classful qdisc, so tbf is out of the question. Ideally, I want to be able to specify that packets get dropped if they are in the queue for any longer than a specified period of time.

Any ideas?

Regards,
Leigh

Leigh Sharpe
Network Systems Engineer
Pacific Wireless
Ph +61 3 9584 8966
Mob 0408 009 502
Helpdesk 1300 300 616
email lsharpe@pacificwireless.com.au
web www.pacificwireless.com.au

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20071207/6a103372/attachment.htm

From salim.si at cipherium.com.tw Fri Dec 7 02:40:44 2007 From: salim.si at cipherium.com.tw (Salim S I) Date: Fri Dec 7 02:41:06 2007 Subject: [LARTC] prio qdisc not wokring In-Reply-To: <5dd628b40712061055l137caa6ah636cb68c378497c4@mail.gmail.com> Message-ID: <000f01c83872$33191c50$5964a8c0@SalimSi>

I do not know about TOS, but it can be mapped well with filters.
-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Archana Rajagopal
Sent: Friday, December 07, 2007 2:56 AM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] prio qdisc not wokring

Hi,

I am working on linux 2.6.16. I tried to prioritize traffic using the prio module but it's not working well. It always maps to the same class irrespective of ToS. Is it possible to fix it using filters? Anybody fixed this problem?

--
Regards
Archana Rajagopal

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20071207/8ae8b691/attachment.html

From salatiel.filho at gmail.com Fri Dec 7 02:54:52 2007 From: salatiel.filho at gmail.com (Salatiel Filho) Date: Fri Dec 7 02:54:58 2007 Subject: [LARTC] how RED should work ? Message-ID:

Hi, I am trying to understand how the RED queue discipline works but I am having a few troubles.

The parameters are MIN, MAX, LIMIT, BURST.

I put LIMIT = 64Kb, so if I am not wrong it should PDROP anything over this value, right?
I put MIN = 8Kb, so no drops at all below this value, right?
I put MAX = 16Kb, starts to early drop anything above this using probability P.
I put probability at 0.5 [very high, just for test]
I put burst at 20 [actually, no idea what to really put in here]

But after a while downloading at full speed I still get no drops at all. Using 50% probability I should get at least 1 early drop, shouldn't I?

qdisc red 3: limit 64Kb min 8Kb max 16Kb
 Sent 5023410 bytes 3817 pkts (dropped 0, overlimits 0)
  marked 0 early 0 pdrop 0 other 0

--
[]'s
Salatiel

"The greatest pleasure of the intelligent man is to play the idiot in front of an idiot who plays the intelligent man."

From mohan.tux at gmail.com Fri Dec 7 03:18:56 2007 From: mohan.tux at gmail.com (Mohan Sundaram) Date: Fri Dec 7 03:19:09 2007 Subject: [LARTC] Best setup for redundant routers.
In-Reply-To: <47582E4A.1060102@riverviewtech.net> References: <7C454E01C5FAE748BEFE65F4C6B7FD8BFD2128@s-marcell.hemc.coop> <47582E4A.1060102@riverviewtech.net> Message-ID: <4758AD90.1060505@vsnl.com>

Grant Taylor wrote:
> This looks to be a general routing related question rather than a "Linux
> Advanced Routing and Traffic Control" (a.k.a. LARTC) question and thus
> may be better answered elsewhere.

*nod*

>
> On 12/06/07 10:43, Shane McKinley wrote:
>> I am setting up 2 Vyatta routers that will serve as redundant
>> failover core routers out to the backbone of our ISP. They will be
>> serving for routing between other branches and the ISP and bandwidth
>> management.

Would be interesting to know how they perform.

> Yes, an interior routing protocol would be good. Based on my limited
> experience I would recommend that you use either (preferably) OSPF or
> possibly Interior BGP (a.k.a. IBGP).

Either is good. For just 2 routers, most dynamic protocols work well. Older protocols failed in scaling to larger networks. AFAIR, OSPF supports discovered route cost propagation, which is useful in route selection/load balancing/ECMP etc. Do not remember if IBGP does it. Has been a while and so a little rusty on finer details.

> You could look at things like RIP or ISIS, but neither of them will be
> as good or bandwidth friendly as either OSPF or IBGP.

For just 2 routers, the decision is pretty simple - any. I'd go with OSPF or IBGP depending on comfort, skillset and support at locations needed.

Mohan

From gtaylor at riverviewtech.net Fri Dec 7 03:19:39 2007 From: gtaylor at riverviewtech.net (Grant Taylor) Date: Fri Dec 7 03:19:42 2007 Subject: [LARTC] Best setup for redundant routers.
In-Reply-To: <7C454E01C5FAE748BEFE65F4C6B7FD8BFD2144@s-marcell.hemc.coop> References: <7C454E01C5FAE748BEFE65F4C6B7FD8BFD2144@s-marcell.hemc.coop> Message-ID: <4758ADBB.6030905@riverviewtech.net>

On 12/6/2007 11:40 AM, Shane McKinley wrote:
> Wouldn't the redundant VRRP cause an IP address conflict?

No. Let me try to explain using pseudo IP addresses. For the sake of discussion we will use the RFC test network of 192.0.2.0/24. (All IPs below will be just the last octet in said subnet.)

Real routers A and B (RA and RB respectively) and virtual routers A and B (VA and VB respectively) will make up the routers of the network.

Have RA be primary for VA's IP and backup for VB's IP. Then have RB be backup for VA's IP and primary for VB's IP. So you would have four IPs in use (RA, RB, VA, and VB). You would only have clients use VA and / or VB as their default gateway(s).

So, if you have the following IPs used:

VA = .254
VB = .253
RA = .252
RB = .251

Real router A would have its "management" IP of .252 and participate (as the primary) in the VRRP virtual router A IP / MAC address of .254 and (as the secondary) in the VRRP virtual router B IP / MAC address of .253.

Real router B would have its "management" IP of .251 and participate (as the secondary) in the VRRP virtual router A IP / MAC address of .254 and (as the primary) in the VRRP virtual router B IP / MAC address of .253.

As you can see there are four IP addresses used, two are what clients would use as potential default gateways and two are for management of the real routers. With the two different IPs that you can hand out to clients, you could do some load balancing by having some clients use one virtual router and others use the other virtual router.

Heck, if you wanted to you could even add a third real router (RC) to be a tertiary router for virtual routers.

> If not, that would be sweet. I would have redundancy for my redundancy.

Start thinking about how sweet things can be....

Grant. . . .
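Grant's layout above (RA primary for VA and backup for VB, RB the mirror image) is easy to get subtly wrong when the two configs are typed by hand, so here is the same design as a small generator script. This is an added example, not code from the thread or from Vyatta; it assumes keepalived is the VRRP daemon, that eth0 is the shared LAN interface, and that virtual router IDs 54 and 53 are free on that segment. The addresses are the ones Grant used from the 192.0.2.0/24 test network.

```shell
#!/bin/sh
# Added example: emit a keepalived VRRP configuration for the
# two-virtual-router layout. Real router A is MASTER for VA (.254) and
# BACKUP for VB (.253); real router B is the mirror image, so each real
# router normally carries one gateway address and takes over the other
# only when its peer stops advertising.
# Assumptions (not from the thread): keepalived as the VRRP daemon,
# eth0 as the LAN interface, VRIDs 54/53 and the RFC 5737 test network.

LAN_IF=eth0
VA_IP=192.0.2.254
VB_IP=192.0.2.253

# vrrp_instance NAME VRID IP ROLE -> one keepalived vrrp_instance block.
# The intended master gets the higher priority so it wins the election
# and reclaims the address after recovering from an outage.
vrrp_instance() {
    name=$1; vrid=$2; vip=$3; role=$4
    if [ "$role" = MASTER ]; then prio=150; else prio=100; fi
    cat <<EOF
vrrp_instance $name {
    state $role
    interface $LAN_IF
    virtual_router_id $vrid
    priority $prio
    advert_int 1
    virtual_ipaddress {
        $vip/24
    }
}
EOF
}

# keepalived_conf A|B -> the complete config for real router A or B.
keepalived_conf() {
    case $1 in
        A) vrrp_instance VA 54 "$VA_IP" MASTER
           vrrp_instance VB 53 "$VB_IP" BACKUP ;;
        B) vrrp_instance VA 54 "$VA_IP" BACKUP
           vrrp_instance VB 53 "$VB_IP" MASTER ;;
        *) echo "usage: keepalived_conf A|B" >&2; return 1 ;;
    esac
}

# role_of CONF INSTANCE -> the state (MASTER or BACKUP) that an emitted
# config assigns to INSTANCE; handy for checking both routers' configs
# disagree on every instance before deploying them.
role_of() {
    printf '%s\n' "$1" | awk -v inst="$2" '
        $1 == "vrrp_instance" { cur = $2 }
        $1 == "state" && cur == inst { print $2 }'
}

# Stand-alone use: ./vrrp-pair.sh A > /etc/keepalived/keepalived.conf on RA,
# and the same with B on RB.
if [ -n "${1:-}" ]; then
    keepalived_conf "$1"
fi
```

The check worth keeping from this is `role_of`: before the two files go live, confirm that for every instance one router says MASTER and the other BACKUP, because two masters for the same VRID is exactly the address conflict Shane was worried about.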
From archana.gopal at gmail.com Fri Dec 7 03:35:55 2007 From: archana.gopal at gmail.com (Archana Rajagopal) Date: Fri Dec 7 03:36:07 2007 Subject: [LARTC] prio qdisc not wokring In-Reply-To: <000f01c83872$33191c50$5964a8c0@SalimSi> References: <5dd628b40712061055l137caa6ah636cb68c378497c4@mail.gmail.com> <000f01c83872$33191c50$5964a8c0@SalimSi> Message-ID: <5dd628b40712061835m25069968w402e2d9f08f8f963@mail.gmail.com>

Thank you for the reply!

Is prio per flow based or per connection based? I mean, if I have two clients (two different systems) each sending different flows of traffic, it seems to classify flows from one system but it does not aggregate the flows of the same priority of all clients. Is this observation correct? How do I aggregate the flows?

Thank you
Archana.

On Dec 6, 2007 8:40 PM, Salim S I wrote:
> I do not know about TOS, but it can be mapped well with filters.
>
>
>
> -----Original Message-----
> *From:* lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] *On Behalf Of *Archana Rajagopal
> *Sent:* Friday, December 07, 2007 2:56 AM
> *To:* lartc@mailman.ds9a.nl
> *Subject:* [LARTC] prio qdisc not wokring
>
>
>
> Hi,
> I am working on linux 2.6.16. I tried to prioritize traffic using the prio
> module but it's not working well. It always maps to the same class irrespective
> of ToS. Is it possible to fix it using filters? Anybody fixed this problem?
>
> --
> Regards
> Archana Rajagopal
>

--
Regards
Archana Rajagopal

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20071206/3c2edd6e/attachment.htm

From salim.si at cipherium.com.tw Fri Dec 7 04:30:15 2007 From: salim.si at cipherium.com.tw (Salim S I) Date: Fri Dec 7 04:30:38 2007 Subject: [LARTC] prio qdisc not wokring In-Reply-To: <5dd628b40712061835m25069968w402e2d9f08f8f963@mail.gmail.com> Message-ID: <001d01c83881$7f4cdee0$5964a8c0@SalimSi>

If you use filters, you can use src IP or TOS to send traffic from different clients to different bands. There is no connection tracking in qdisc; the priority mapping is done according to the TC_PRIO.

I think this will help
http://www.opalsoft.net/qos/DS-23.htm

-----Original Message-----
From: Archana Rajagopal [mailto:archana.gopal@gmail.com]
Sent: Friday, December 07, 2007 10:36 AM
To: Salim S I
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] prio qdisc not wokring

Thank you for the reply!

Is prio per flow based or per connection based? I mean, if I have two clients (two different systems) each sending different flows of traffic, it seems to classify flows from one system but it does not aggregate the flows of the same priority of all clients. Is this observation correct? How do I aggregate the flows?

Thank you
Archana.

On Dec 6, 2007 8:40 PM, Salim S I > wrote:

I do not know about TOS, but it can be mapped well with filters.

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Archana Rajagopal
Sent: Friday, December 07, 2007 2:56 AM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] prio qdisc not wokring

Hi,

I am working on linux 2.6.16. I tried to prioritize traffic using the prio module but it's not working well. It always maps to the same class irrespective of ToS. Is it possible to fix it using filters? Anybody fixed this problem?

--
Regards
Archana Rajagopal

--
Regards
Archana Rajagopal

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20071207/7f2f072a/attachment.html

From gypsy at iswest.com Fri Dec 7 07:10:25 2007 From: gypsy at iswest.com (gypsy) Date: Fri Dec 7 07:10:42 2007 Subject: [LARTC] HTB performance improvement References: <685F1926C37B1846BE64D0033B46AF97E34D1D@els00wmx04.elsag.it> <4758492F.3E3F252F@iswest.com> Message-ID: <4758E3D1.CF107954@iswest.com>

gypsy wrote:
>
> > tc qdisc add dev eth0.2 root handle 1: htb
> > tc class add dev eth0.2 parent 1: classid 1:1 htb rate 100000000 ceil 100000000 burst 1000000 quantum 1600
> > tc class add dev eth0.2 parent 1:1 classid 1:10 htb prio 1 rate 70000000 ceil 70000000 burst 1000000 quantum 1600
> > tc class add dev eth0.2 parent 1:1 classid 1:11 htb prio 2 rate 10000000 ceil 10000000 burst 1000000 quantum 1600
> > tc class add dev eth0.2 parent 1:1 classid 1:12 htb prio 3 rate 10000000 ceil 10000000 burst 1000000 quantum 1600

I just noticed that you're trying to shape "aliases". You can't. You must shape eth0 because you can't shape eth0.2. I'm just repeating what I've heard/read, so do your own research. But I bet you a quarter I'm right :)

--
gypsy

From indunil75 at gmail.com Fri Dec 7 12:41:38 2007 From: indunil75 at gmail.com (Indunil Jayasooriya) Date: Fri Dec 7 12:41:56 2007 Subject: [LARTC] mark bag packets - iptables Message-ID: <7ed6b0aa0712070341x69fc9e39wc9614dacb8855c91@mail.gmail.com>

Hi All,

I want to create chains to mark bad packets.

my firewall has 3 network cards.

eth0 - connected to internet.
eth1 - connected to DMZ
eth2 - connected to LAN

eth0 only accepts SSH (tcp port 22) and ICMP for pinging. If it gets anything other than that, I want to create a new chain and log and DROP.

what are the suitable rules for it?

what about the below rule?

iptables -A INPUT -i eth0 -j bad_packets

I think I need some more rules as well. Could you please help me to go ahead.

Similarly, I need it for FORWARD AND OUTPUT.
But, if I write it for INPUT, I will be able to write it for the FORWARD AND OUTPUT chains.

ANY IDEA?

--
Thank you
Indunil Jayasooriya

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20071207/57a3ab8b/attachment.htm

From lists at andyfurniss.entadsl.com Fri Dec 7 13:48:48 2007 From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Fri Dec 7 13:48:32 2007 Subject: [LARTC] HTB performance improvement In-Reply-To: <4758E3D1.CF107954@iswest.com> References: <685F1926C37B1846BE64D0033B46AF97E34D1D@els00wmx04.elsag.it> <4758492F.3E3F252F@iswest.com> <4758E3D1.CF107954@iswest.com> Message-ID: <47594130.7080200@andyfurniss.entadsl.com>

gypsy wrote:
> gypsy wrote:
>>> tc qdisc add dev eth0.2 root handle 1: htb
>>> tc class add dev eth0.2 parent 1: classid 1:1 htb rate 100000000 ceil 100000000 burst 1000000 quantum 1600
>>> tc class add dev eth0.2 parent 1:1 classid 1:10 htb prio 1 rate 70000000 ceil 70000000 burst 1000000 quantum 1600
>>> tc class add dev eth0.2 parent 1:1 classid 1:11 htb prio 2 rate 10000000 ceil 10000000 burst 1000000 quantum 1600
>>> tc class add dev eth0.2 parent 1:1 classid 1:12 htb prio 3 rate 10000000 ceil 10000000 burst 1000000 quantum 1600
>
> I just noticed that you're trying to shape "aliases". You can't. You
> must shape eth0 because you can't shape eth0.2. I'm just repeating what
> I've heard/read, so do your own research. But I bet you a quarter I'm
> right :)
> --

Could be vlans - in which case OP could try adding child b/pfifos to the leafs and use the limit parameter to specify buffer length.

HTB and HFSC both pick up default queuelengths from the device, but it's 0 on vlans (they use 2 or 3 packet pfifos IIRC in this case).

I do notice there are no drops in the stats though, but it's still worth specifying queue length and type in the script.

Andy.
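Two of the checks suggested in this thread can be done without touching a live interface: gypsy's advice to leave quantum to HTB (and to watch the "giants" counter in `tc -s class ls`), and Andy's advice to give each leaf an explicit pfifo limit because VLAN devices report a txqueuelen of 0. The script below is an added example, not code from the thread. The only kernel facts it relies on are that sch_htb derives a default quantum as the class rate in bytes per second divided by r2q (default 10), and that it warns and clamps when that value is below 1000 or above 200000 bytes; the sample statistics block is constructed for the example, and the handle numbering is my convention.

```shell
#!/bin/sh
# Added example (not from the thread): HTB sanity checks that run offline.
# Kernel facts used: default quantum = rate_bytes_per_sec / r2q (r2q
# defaults to 10); sch_htb warns "quantum ... is small" below 1000 bytes
# and "... is big" above 200000 bytes and clamps to those values.
# Everything else (handles, sample stats) is an assumption for illustration.

# htb_quantum RATE_BPS [R2Q] -> "<quantum> small|ok|big", the quantum HTB
# would pick itself for a class of RATE_BPS when none is given, and
# whether that value triggers the kernel's r2q warning.
htb_quantum() {
    rate=$1; r2q=${2:-10}
    q=$(( rate / 8 / r2q ))
    if [ "$q" -lt 1000 ]; then
        echo "$q small"
    elif [ "$q" -gt 200000 ]; then
        echo "$q big"
    else
        echo "$q ok"
    fi
}

# htb_leaf DEV CLASSID RATE_BPS PKTS -> tc commands for a leaf class plus a
# pfifo child with an explicit limit, so queue length does not depend on
# the device's txqueuelen (0 on VLAN devices). Child handle = minor id of
# the class followed by ':' (my convention; classid 1:10 gets handle 10:).
htb_leaf() {
    dev=$1; cid=$2; rate=$3; pkts=$4
    printf 'tc class add dev %s parent 1:1 classid %s htb rate %s\n' "$dev" "$cid" "$rate"
    printf 'tc qdisc add dev %s parent %s handle %s: pfifo limit %s\n' "$dev" "$cid" "${cid#*:}" "$pkts"
}

# Constructed sample of 'tc -s class ls dev eth0' output for two HTB
# classes (not a real capture); class 1:11 has counted giants.
SAMPLE_STATS='class htb 1:10 parent 1:1 prio 1 rate 70000Kbit ceil 70000Kbit burst 1000000b cburst 1000000b
 Sent 123456 bytes 1000 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 178 ctokens: 178

class htb 1:11 parent 1:1 prio 2 rate 10000Kbit ceil 10000Kbit burst 1000000b cburst 1000000b
 Sent 65432 bytes 500 pkt (dropped 3, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 12 giants: 7
 tokens: 1250 ctokens: 1250
'

# htb_giants STATS -> "<classid> <giants>" for every class whose giants
# counter is non-zero; gypsy's rule is that this list should be empty.
htb_giants() {
    printf '%s\n' "$1" | awk '
        $1 == "class" && $2 == "htb" { cls = $3 }
        $1 == "lended:" {
            for (i = 1; i <= NF; i++)
                if ($i == "giants:" && $(i + 1) != 0) print cls, $(i + 1)
        }'
}

# Stand-alone use: show what HTB would pick for the rates in the thread,
# then the leaf commands Andy suggests and the giants check on the sample.
if [ -n "${1:-}" ]; then
    for r in 100000000 70000000 10000000; do
        printf 'rate %s: quantum %s\n' "$r" "$(htb_quantum "$r" "$1")"
    done
    htb_leaf eth0 1:10 70000000 100
    htb_giants "$SAMPLE_STATS"
fi
```

Running `htb_quantum 70000000` shows why the 70 Mbit class in the thread gets a warning with the default r2q (the derived quantum is far above 200000 bytes); passing a larger r2q as the second argument brings it back into range without hand-picking a quantum. Run the script with an r2q argument to see all three rates at once.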
From lists at andyfurniss.entadsl.com Fri Dec 7 13:50:32 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Fri Dec 7 13:50:10 2007
Subject: [LARTC] how RED should work ?
In-Reply-To:
References:
Message-ID: <47594198.7060809@andyfurniss.entadsl.com>

Salatiel Filho wrote:
> Hi, I am trying to understand how RED queue discipline works but I am having a few troubles.
>
> The parameters are MIN, MAX, LIMIT, BURST
>
> I put LIMIT = 64Kb, so if I am not wrong it should PDROP anything over this value, right?
> I put MIN = 8Kb, so no drops at all below this value, right?
> I put MAX = 16Kb, starts to early drop anything above this using probability P.
> I put probability at 0.5 [very high, just for test]
> I put burst at 20 [actually, no idea what to really put in here]
>
> But after a while downloading at full speed I still get no drops at all. Using 50% probability I should get at least 1 early drop, shouldn't I?
>
> qdisc red 3: limit 64Kb min 8Kb max 16Kb
> Sent 5023410 bytes 3817 pkts (dropped 0, overlimits 0)
> marked 0 early 0 pdrop 0 other 0

RED doesn't rate limit by itself so you need to make it a child of htb/tbf/hfsc.

Andy.
From lists at andyfurniss.entadsl.com Fri Dec 7 14:34:05 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Fri Dec 7 14:33:45 2007
Subject: [LARTC] Setting max latency on classful qdiscs
In-Reply-To: <96CF49BD8B56384395D698BA99007FA32DC3@exchange.pacwire.local>
References: <96CF49BD8B56384395D698BA99007FA32DC3@exchange.pacwire.local>
Message-ID: <47594BCD.5000504@andyfurniss.entadsl.com>

Leigh Sharpe wrote:
> Hi All,
> I'm using HTB to shape traffic, a little like this:
>
> tc qdisc add dev eth2 root handle 1:0 htb
> tc qdisc add dev eth3 root handle 1:0 htb
>
> tc filter add dev eth2 parent 1: protocol 0x8100 prio 5 u32 match u16 3000 0x0fff at 0 flowid 1:1 action ipt -j MARK --or-mark 0x01000000
> tc filter add dev eth3 parent 1: protocol 0x8100 prio 5 u32 match u16 3000 0x0fff at 0 flowid 1:1 action ipt -j MARK --or-mark 0x01000000
>
> tc class add dev eth2 parent 1:0 classid 1:1 htb rate 2000Kbit ceil 2000Kbit
> tc class add dev eth3 parent 1:0 classid 1:1 htb rate 2000Kbit ceil 2000Kbit
>
> tc qdisc add dev eth2 parent 1:1 handle 2: htb
> tc qdisc add dev eth3 parent 1:1 handle 2: htb

Do you really need nested htb - I know it's allowed, but thought it was not really meant for normal use.

> tc class add dev eth2 parent 2:0 classid 2:1 htb rate 2000Kbit
> tc class add dev eth3 parent 2:0 classid 2:1 htb rate 2000Kbit
>
> tc filter add dev eth2 parent 2:0 protocol 0x8100 prio 2 u32 match u16 3000 0x0fff at 0 flowid 2:1 action ipt -j MARK --or-mark 0x00100000
> tc filter add dev eth3 parent 2:0 protocol 0x8100 prio 2 u32 match u16 3000 0x0fff at 0 flowid 2:1 action ipt -j MARK --or-mark 0x00100000
>
> This essentially provides a 2mbit/s rate limit on each of eth2 and eth3. However, when I attempt to put more than 2mbps through it, it gets quite latent (I end up with >1 second latency at times). Is there any way of specifying the maximum latency on a HTB class or qdisc? Or CBQ, for that matter?
> I need to use a classful qdisc, so tbf is out of the question.
> Ideally, I want to be able to specify that packets get dropped if they are in the queue for any longer than a specified period of time.
> Any ideas?

The default pfifo length is picked up from the txqueuelen on the device. If you want to control queue lengths per class just add sfq/[p|b]fifo and use the limit parameter.

As for latency - if you are shaping then you could consider trying to separate bulk from interactive and give interactive priority. You could just use qlen or sfq, but that's really meant for bulk.

Policing down will give the best latency. I am glad my ISP polices rather than buffers when it's peak time. The policers need to be per customer though.

Andy.

From lists at andyfurniss.entadsl.com Fri Dec 7 14:36:26 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Fri Dec 7 14:36:09 2007
Subject: [LARTC] How does one increase the output buffer size?
In-Reply-To: <47586B55.C3D11ED6@iswest.com>
References: <47586B55.C3D11ED6@iswest.com>
Message-ID: <47594C5A.7050601@andyfurniss.entadsl.com>

gypsy wrote:
> In 2.4 kernels, there was a [bp]fifo that could be implemented with 'tc add', but in 2.6 kernels, I find no way to create either of these fifos. I am able to increase txqueuelen.
>
> What I desire is a larger number of backlogged packets before drops occur.
>
> How can the output buffer size be increased for HTB?

[b|p]fifo and sfq and limit parameter work OK for me as children of htb leaf classes on all the 2.6s I've used.

Andy.
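The advice in the threads above (explicit child queues on HTB leaves so the queue length no longer comes from txqueuelen, and bounding per-class queueing delay via the limit parameter) as one script, added here as an example and not code from any of the posts; the device name, the rates and the 100 ms budget are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. HTB leaves with explicit child queues
# (so the queue length is set per class and does not depend on txqueuelen,
# which is 0 on VLAN devices) plus a helper that sizes a pfifo from a
# latency budget. Dry-run by default; set TC_DRY_RUN=0 to run tc for real.
# Device, rates and latency budgets are constructed for illustration.
DEV="${DEV:-eth0.2}"
TC_DRY_RUN="${TC_DRY_RUN:-1}"

# tc_cmd: print the tc command in dry-run mode, otherwise execute it.
tc_cmd() {
    if [ "$TC_DRY_RUN" = "1" ]; then
        printf 'tc %s\n' "$*"
    else
        tc "$@"
    fi
}

# pfifo_limit_for_latency RATE_KBIT LATENCY_MS [PKT_BYTES]
# Packets a fifo may hold so that a packet waits at most LATENCY_MS when the
# class drains at its guaranteed RATE_KBIT (worst case: full-size packets and
# no borrowing). Bits queued = limit * pkt * 8; drain = rate_kbit * 1000 bit/s,
# so limit = rate_kbit * latency_ms / (pkt * 8).
pfifo_limit_for_latency() {
    rate_kbit=$1
    latency_ms=$2
    pkt=${3:-1500}
    limit=$(( rate_kbit * latency_ms / (pkt * 8) ))
    if [ "$limit" -lt 1 ]; then
        limit=1
    fi
    echo "$limit"
}

# build_htb_tree: root without a default class (unclassified traffic, arp
# included, is left unshaped), one parent, three leaves whose rates sum to
# the parent's rate.
build_htb_tree() {
    tc_cmd qdisc add dev "$DEV" root handle 1: htb
    tc_cmd class add dev "$DEV" parent 1: classid 1:1 htb rate 2000kbit ceil 2000kbit
    tc_cmd class add dev "$DEV" parent 1:1 classid 1:10 htb prio 1 rate 1000kbit ceil 2000kbit
    tc_cmd class add dev "$DEV" parent 1:1 classid 1:11 htb prio 2 rate 600kbit ceil 2000kbit
    tc_cmd class add dev "$DEV" parent 1:1 classid 1:12 htb prio 3 rate 400kbit ceil 2000kbit
}

# add_leaf_queues: the interactive leaf gets a pfifo sized for a 100 ms
# budget at its guaranteed rate, the normal leaf an sfq with a small limit,
# the bulk leaf a byte-limited bfifo (more backlog before drops, which is
# what bulk transfers want).
add_leaf_queues() {
    interactive_limit=$(pfifo_limit_for_latency 1000 100)   # 8 packets
    tc_cmd qdisc add dev "$DEV" parent 1:10 handle 10: pfifo limit "$interactive_limit"
    tc_cmd qdisc add dev "$DEV" parent 1:11 handle 11: sfq perturb 10 limit 64
    tc_cmd qdisc add dev "$DEV" parent 1:12 handle 12: bfifo limit 96kb
}

build_htb_tree
add_leaf_queues
```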
From lists at andyfurniss.entadsl.com Fri Dec 7 15:42:23 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Fri Dec 7 15:42:00 2007
Subject: [LARTC] prio qdisc not working
In-Reply-To: <5dd628b40712061055l137caa6ah636cb68c378497c4@mail.gmail.com>
References: <5dd628b40712061055l137caa6ah636cb68c378497c4@mail.gmail.com>
Message-ID: <47595BCF.60903@andyfurniss.entadsl.com>

Archana Rajagopal wrote:
> Hi,
> I am working on linux 2.6.16. I tried to prioritize traffic using the prio module but it's not working well. It always maps to the same class irrespective of ToS. Is it possible to fix it using filters? Anybody fixed this problem?

There was a recent post that prio wasn't working on 2.6.20.x.

For me on 2.6.19 and 21 it works OK for locally generated ping requests, but not replies. SSH works so I assume other tcp is OK.

Andy.

From lists at andyfurniss.entadsl.com Fri Dec 7 16:00:39 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Fri Dec 7 16:00:21 2007
Subject: [LARTC] tc doesn't shape correctly
In-Reply-To: <4753C4E2.4020701@inuits.be>
References: <474D4633.2070704@inuits.be> <4753C4E2.4020701@inuits.be>
Message-ID: <47596017.2020902@andyfurniss.entadsl.com>

Johan Huysmans wrote:
> Here is my tc config, maybe something is wrong with that config:
>
> /sbin/tc qdisc del dev bond1 root

I would see if it's the same on normal eth and/or try using child queues on the classes - htb may be using a very small queuelen because there is no default queue on the bond.

> /sbin/tc qdisc add dev bond1 root handle 1: htb default 1
> /sbin/tc class add dev bond1 parent 1: classid 1:1 htb rate 1000mbit burst 1310720

This isn't really shaping anyway (rate 1000 is too high because of overheads) so I would use default 0 (or don't specify) which means unclassified traffic goes unshaped. HTB default also catches arp which is worth considering.

There could be other reasons - timers maybe, or if your nic uses tcp segmentation offload then locally generated tcp may go through as super sized packets - this makes htb underlimit them and shows as giants in the output of

tc -s class ls dev ..

You can turn TSO off with ethtool -k

On the filters prio 0 is not the highest, 1 is, though it won't matter here.

Andy.

From maillist1 at argontech.net Fri Dec 7 18:17:09 2007
From: maillist1 at argontech.net (Marco C. Coelho)
Date: Fri Dec 7 18:17:03 2007
Subject: [LARTC] neighbor table overflow
In-Reply-To: <47420FEF.9070303@argontech.net>
References: <471D1A44.40503@argontech.net> <471DE180.5040708@zoomnet.ro> <471E5A53.3000405@riverviewtech.net> <9295C708-B499-4D57-8AD4-D97EFDCC9405@crystalstudio.ca> <471E6348.5040404@argontech.net> <471F1C45.2010109@zoomnet.ro> <471F6277.2050300@argontech.net> <471F6D74.7000607@zoomnet.ro> <4720B160.6060602@argontech.net> <10a268fb0710270406m622492aawa561f72a369cacee@mail.gmail.com> <47420FEF.9070303@argontech.net>
Message-ID: <47598015.2030904@argontech.net>

Ok, I hope this helps someone else out there when they google "neighbor table overflow solution linux kernel":

This is just an update to state that since gc_thresh1 was increased to a number greater than the number of simultaneously connected PPPoE clients on this box, it has not given me the neighbor table problem.

So set gc_thresh1 greater than the number of local connections you get with:

ip route | grep link | wc -l

So in /etc/sysctl.conf add something like:

# Added to stop "neighbor table overflow" messages in the kernel
net.ipv4.neigh.default.gc_thresh1=1024
net.ipv4.neigh.default.gc_thresh2=2048
net.ipv4.neigh.default.gc_thresh3=4096
# Added to increase IP conntrack number (was getting to max)
net.ipv4.ip_conntrack_max=99999

Have a Merry Christmas!

Marco Coelho
Argon Technologies Inc.
www.argontech.net

Marco C. Coelho wrote:
> Still beating the same bush!
>
> I've done all the possible suggestions so far.
> I still was getting a neighbor table overflow.
> Looking at the MAN 7 ARP pages, I see:
>
> gc_thresh1
>     The minimum number of entries to keep in the ARP cache. The garbage collector will not run if there are fewer than this number of entries in the cache. Defaults to 128.
>
> gc_thresh2
>     The soft maximum number of entries to keep in the ARP cache. The garbage collector will allow the number of entries to exceed this for 5 seconds before collection will be performed. Defaults to 512.
>
> gc_thresh3
>     The hard maximum number of entries to keep in the ARP cache. The garbage collector will always run if there are more than this number of entries in the cache. Defaults to 1024.
>
> Since this box never gets less than 500 pppoe connections, this Sat I changed
>
>              WAS    NOW
> gc_thresh1   512    1024
> gc_thresh2   2048   2048
> gc_thresh3   4096   4096
>
> What's strange is when I do an 'arp -an' I only get three entries back (ips changed to protect the guilty). Shouldn't this show the arp entries?
>
> ? (x.202.x.3) at 00:03:47:2D:8B:F9 [ether] on eth0
> ? (x.202.x.1) at 00:03:E3:88:EC:C2 [ether] on eth0
> ? (x.202.x.2) at 00:18:8B:76:EC:D8 [ether] on eth0
> ? (x.202.x.9) at 00:90:27:43:C2:CF [ether] on eth0
>
> ip route | grep link provides:
>
> snip (lots of pppoe connects)
> x.202.x.237 dev ppp53 proto kernel scope link src 10.20.1.1
> x.202.x.235 dev ppp339 proto kernel scope link src 10.20.1.1
> x.202.x.232 dev ppp185 proto kernel scope link src 10.20.1.1
> x.202.x.231 dev ppp313 proto kernel scope link src 10.20.1.1
> x.202.x.230 dev ppp67 proto kernel scope link src 10.20.1.1
> x.202.x.226 dev ppp74 proto kernel scope link src 10.20.1.1
> x.202.x.224 dev ppp150 proto kernel scope link src 10.20.1.1
> x.202.x.0/24 dev eth0 proto kernel scope link src x.202.224.8
> 192.168.1.0/24 dev eth3 proto kernel scope link src 192.168.1.8
>
> I don't think we are doing anything too special with this box that we would see a kernel issue no one else is seeing.
> Can arp poisoning cause this?
>
> a dmesg after a clean reboot only gives:
>
> Kernel Version 2.6.18-8.1.6
>
> Looking for any suggestions.
>
> Marco
>
> Andrei Kovacs wrote:
>> On 10/25/07, Marco C. Coelho wrote:
>>
>>> Looking into it further an ip route shows:
>>>
>>> x.0.0.0/8 via x.y.224.1 dev eth0 proto zebra metric 20 equalize
>>>
>>> So the x.0.0.0 announce is coming into this box through OSPF (zebra)
>>>
>>> The 169.254.0.0/16 is being automagically added through the sysconfig network scripts. I'm looking into why.
>>
>> Add "NOZEROCONF=yes" in /etc/sysconfig/network and the 169.254.0.0/16 network won't be created anymore.
>>
>>> In either case I still don't see why these entries would make the neighbor table overflow. Could it have been the previous fix to the hosts file?
>>>
>>> mc
>>>
>>> Alexandru Dragoi wrote:
>>> Marco C. Coelho wrote:
>>>
>>> the ip route with a grep for link returns:
>>>
>>> snip** too long
>>> x.y.x.198 dev ppp436 proto kernel scope link src 10.20.1.1
>>> x.y.x.196 dev ppp421 proto kernel scope link src 10.20.1.1
>>> x.y.x.197 dev ppp211 proto kernel scope link src 10.20.0.1
>>> x.y.x.194 dev ppp13 proto kernel scope link src 10.20.1.1
>>> x.y.x.192 dev ppp404 proto kernel scope link src 10.20.1.1
>>> x.y.x.254 dev ppp194 proto kernel scope link src 10.20.1.1
>>> x.y.x.253 dev ppp130 proto kernel scope link src 10.20.1.1
>>> x.y.x.252 dev ppp243 proto kernel scope link src 10.20.1.1
>>> x.y.x.249 dev ppp195 proto kernel scope link src 10.20.1.1
>>> x.y.x.248 dev ppp254 proto kernel scope link src 10.20.1.1
>>> x.y.x.247 dev ppp235 proto kernel scope link src 10.20.1.1
>>> x.y.x.242 dev ppp78 proto kernel scope link src 10.20.1.1
>>> x.y.x.240 dev ppp328 proto kernel scope link src 10.20.1.1
>>> x.y.x.237 dev ppp44 proto kernel scope link src 10.20.1.1
>>> x.y.x.236 dev ppp122 proto kernel scope link src 10.20.1.1
>>> x.y.x.234 dev ppp316 proto kernel scope link src 10.20.1.1
>>> x.y.x.232 dev ppp132 proto kernel scope link src 10.20.1.1
>>> x.y.x.231 dev ppp104 proto kernel scope link src 10.20.0.1
>>> x.y.x.226 dev ppp179 proto kernel scope link src 10.20.0.1
>>> x.y.224.0/24 dev eth0 proto kernel scope link src x.y.224.8
>>> 192.168.1.0/24 dev eth3 proto kernel scope link src 192.168.1.8
>>> 169.254.0.0/16 dev eth3 scope link
>>>
>>> The one above must be deleted, many redhat-like distros attach 169.254.0.0/16.
>>>
>>> All the pppoe terminations (pppd) are shown, as well as the last three subnets. I'll have to see where the 169.254.0.0/16 is coming from?
>>>
>>> mc
>>>
>>> Alexandru Dragoi wrote:
>>> Marco C. Coelho wrote:
>>>
>>> This box is doing a lot. It terminates 1000 PPPoE connections, provides traffic shaping using TC/HTB, authenticates all users via Radius. It also runs OSPF routing for the internal network. Looking at a simple route output I see all the PPP connections coming through the box, and due to the OSPF I also see the rest of my network announcements. The only strange things are:
>>>
>>> 1. The last man working on this box had mistakenly edited the hosts file and added the machine name and complete domain name to the local host 127.0.0.1 name. It should only be pointed to the eth0 interface. I have changed this.
>>>
>>> 2. The route output is making an announcement
>>>
>>> x.0.0.0   argontech.net   255.0.0.0   UG   20   0   0   eth0
>>>
>>> This doesn't look dangerous for your problem, I was only talking about directly connected networks:
>>>
>>> # ip route |grep link
>>>
>>> My public IP space is a /20 within that space, not the whole Class A. I have not found which box is announcing this within my network yet.
>>>
>>> Jeff Welling wrote:
>>>
>>> On 10/23/07 06:56, Alexandru Dragoi wrote:
>>>
>>> What about checking your routing table? You may have link routes for massive subnets (like 85.0.0.0/8 or 140.20.0.0/16). Some programs prefer to use "standard" netmask of classes A and B.
>>>
>>> I'm betting that the OP has other things going on seeing as how s/he mentioned PPPoE, which to my knowledge is a layer 2 protocol, and thus not subject to typical routing scenarios. In essence the OP could have thousands of PPPoE connections terminating on one system with the ARP cache having to deal with where to send traffic to which MAC address. There is not a lot of room for routing in such a scenario.
>>>
>>> I agree with Peter's suggestion, arpd. I ran into the neighbor table overflow problem recently, at the hands of our ISP. I was in the process of recompiling the kernel and mucking with arpd (I couldn't get it to run/start properly) when the problem disappeared as quickly as it showed up. Lucky for me, this was some kind of ISP problem, I was able to determine that much through `tcpdump -i X -n arpd`.
>>>
>>> My 'two cents' is that you try arpd, I did a bit of looking when I came across that problem and it seemed to be the last ditch effort when changing the gc threshold had no effect. Wasn't able to confirm that it worked for sure though.
>>>
>>> Cheers.
>>> _______________________________________________
>>> LARTC mailing list
>>> LARTC@mailman.ds9a.nl
>>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20071207/83eacf61/attachment-0001.html

From asaph1986 at yahoo.fr Fri Dec 7 18:41:19 2007
From: asaph1986 at yahoo.fr (bobo asaph)
Date: Fri Dec 7 18:41:26 2007
Subject: [LARTC] Need HELP
Message-ID: <772859.59416.qm@web51504.mail.re2.yahoo.com>

hello Mister.
I am happy to make your acquaintance by this mail. I found your name and address in the Linux HOWTO documents. I am a student, at the end of my Bachelor in networks. I ask for your assistance to configure QoS in an e-learning system running over an IP network, using a Linux system because I want to use an open source licence. I work with RedHat 5.0 Enterprise. In my network I want to give voice traffic and video traffic priority. I have documents on that but I really do not understand how it works. Please accept my sincere thanks.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20071207/2fe054d5/attachment.htm

From gypsy at iswest.com Fri Dec 7 20:49:48 2007
From: gypsy at iswest.com (gypsy@iswest.com)
Date: Fri Dec 7 21:12:00 2007
Subject: [LARTC] How does one increase the output buffer size?
In-Reply-To: <47594C5A.7050601@andyfurniss.entadsl.com>
References: <47586B55.C3D11ED6@iswest.com> <47594C5A.7050601@andyfurniss.entadsl.com>
Message-ID: <1197056988.4759a3dc0f84a@qmail.iswest.net>

Quoting Andy Furniss :
> gypsy wrote:
> > In 2.4 kernels, there was a [bp]fifo that could be implemented with 'tc add', but in 2.6 kernels, I find no way to create either of these fifos. I am able to increase txqueuelen.
> >
> > What I desire is a larger number of backlogged packets before drops occur.
> >
> > How can the output buffer size be increased for HTB?
>
> [b|p]fifo and sfq and limit parameter work OK for me as children of htb leaf classes on all the 2.6s I've used.
>
> Andy.

Could you please check your .config file and tell me the name of the line that creates the b|pfifo module? "It just ain't there" for me...
--
gypsy

From lists at andyfurniss.entadsl.com Fri Dec 7 22:46:24 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Fri Dec 7 22:46:02 2007
Subject: [LARTC] How does one increase the output buffer size?
In-Reply-To: <1197056988.4759a3dc0f84a@qmail.iswest.net>
References: <47586B55.C3D11ED6@iswest.com> <47594C5A.7050601@andyfurniss.entadsl.com> <1197056988.4759a3dc0f84a@qmail.iswest.net>
Message-ID: <4759BF30.4000408@andyfurniss.entadsl.com>

gypsy@iswest.com wrote:
> Quoting Andy Furniss :
>
>> gypsy wrote:
>>> In 2.4 kernels, there was a [bp]fifo that could be implemented with 'tc add', but in 2.6 kernels, I find no way to create either of these fifos. I am able to increase txqueuelen.
>>>
>>> What I desire is a larger number of backlogged packets before drops occur.
>>>
>>> How can the output buffer size be increased for HTB?
>> [b|p]fifo and sfq and limit parameter work OK for me as children of htb leaf classes on all the 2.6s I've used.
>>
>> Andy.
>
> Could you please check your .config file and tell me the name of the line that creates the b|pfifo module? "It just ain't there" for me...
> --
> gypsy

Hmm maybe I haven't hit that one yet - I am a bit behind with my kernels.

andy@noki:~$ grep -i fifo /boot/config-2.6.21.1
CONFIG_NET_SCH_FIFO=y
# CONFIG_PARPORT_PC_FIFO is not set

I am using bfifo on this box.

Andy.

From BJulin at clarku.edu Sat Dec 8 15:29:50 2007
From: BJulin at clarku.edu (Brian S Julin)
Date: Sat Dec 8 15:30:09 2007
Subject: [LARTC] Patch for easier dynamic SAD PBR
Message-ID: <5A630F46702DD1498FFD48394B4A664C3472BAC3@john.ad.clarku.edu>

Yesterday I posted a patch on the netdev list but it occurred to me that folks here might have more to say about the proposed feature (and a stake in it since it would add syntax to iproute)

http://www.spinics.net/lists/netdev/msg49450.html

Comments very welcome.
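Going back to the neighbor table overflow thread above: an added example (not code from the thread) that turns Marco's rule of thumb into a check, counting the link-scope routes and verifying that gc_thresh1 is above that number, and printing sysctl lines with his 1:2:4 spacing when it is not. The route listing is constructed and the addresses are made up.

```shell
#!/bin/sh
# Added example, not from the thread: size the neighbour-table GC thresholds
# from the number of link-scope routes, the rule of thumb the follow-up
# settled on, and check a running box against it.
# SAMPLE_ROUTES is constructed (RFC 5737 documentation addresses);
# check_live reads the real `ip route` and sysctl values, neither needs root.

# count_link_routes: number of directly connected (scope link) routes on
# stdin. Same count as `ip route | grep link | wc -l` in the thread, but
# anchored on the scope field rather than any word containing "link".
count_link_routes() {
    grep -c ' scope link' || true
}

# recommend_thresholds N: sysctl lines with gc_thresh1 strictly above N
# (the collector then never trims entries the box actually needs), rounded
# up to a power of two from the kernel default of 128, with thresh2 and
# thresh3 at 2x and 4x, the spacing used in the thread (1024/2048/4096).
recommend_thresholds() {
    n=$1
    t1=128
    while [ "$t1" -le "$n" ]; do
        t1=$(( t1 * 2 ))
    done
    printf 'net.ipv4.neigh.default.gc_thresh1=%d\n' "$t1"
    printf 'net.ipv4.neigh.default.gc_thresh2=%d\n' "$(( t1 * 2 ))"
    printf 'net.ipv4.neigh.default.gc_thresh3=%d\n' "$(( t1 * 4 ))"
}

# thresholds_ok THRESH1 N: succeeds when gc_thresh1 leaves the collector
# idle for N entries, i.e. THRESH1 > N.
thresholds_ok() {
    [ "$1" -gt "$2" ]
}

# check_live: run the check against this machine and print advice.
check_live() {
    n=$(ip route | count_link_routes)
    t1=$(sysctl -n net.ipv4.neigh.default.gc_thresh1)
    if thresholds_ok "$t1" "$n"; then
        printf 'ok: gc_thresh1=%s > %s link routes\n' "$t1" "$n"
    else
        printf 'gc_thresh1=%s is not above %s link routes; suggested /etc/sysctl.conf lines:\n' "$t1" "$n"
        recommend_thresholds "$n"
    fi
}

# Constructed sample: a default route (not link scope), five PPP peers and
# two directly connected subnets, so seven link-scope routes in total.
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0
198.51.100.37 dev ppp53 proto kernel scope link src 10.20.1.1
198.51.100.35 dev ppp339 proto kernel scope link src 10.20.1.1
198.51.100.32 dev ppp185 proto kernel scope link src 10.20.1.1
198.51.100.31 dev ppp313 proto kernel scope link src 10.20.1.1
198.51.100.30 dev ppp67 proto kernel scope link src 10.20.1.1
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.8
192.168.1.0/24 dev eth3 proto kernel scope link src 192.168.1.8'

# sample_link_count: the count for the constructed listing (7).
sample_link_count() {
    printf '%s\n' "$SAMPLE_ROUTES" | count_link_routes
}

sample_link_count
recommend_thresholds "$(sample_link_count)"
```

On a live PPPoE concentrator, `check_live` is the function to call; the sample run at the bottom only exercises the constructed listing.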
From drumlesson at gmail.com Sun Dec 9 16:24:27 2007
From: drumlesson at gmail.com (m.a.t.e.o)
Date: Sun Dec 9 16:24:59 2007
Subject: [LARTC] MAC filter
Message-ID: <823158cf0712090724o1f0e9100x8c3432a1e1eaf650@mail.gmail.com>

I did search a lot of posts in this list and others, but never found a solution that works... I want to filter the INGRESS by MAC address... please, any help?

There is a "solution" that supposedly works, but did not work for me:

####### for the MAC address: M0M1M2M3M4M5
tc filter add dev eth1 parent 1: protocol ip prio 5 u32 match u16 0x0800 0xffff at -2 match u16 0x4455 0xffff at -4 match u32 0x00112233 0xffffffff at -8 flowid 1:40
#######

Thx, a lot.-
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20071209/acbe85f3/attachment.html

From marek at piasta.pl Sun Dec 9 16:47:57 2007
From: marek at piasta.pl (Marek Kierdelewicz)
Date: Sun Dec 9 16:48:04 2007
Subject: [LARTC] MAC filter
In-Reply-To: <823158cf0712090724o1f0e9100x8c3432a1e1eaf650@mail.gmail.com>
References: <823158cf0712090724o1f0e9100x8c3432a1e1eaf650@mail.gmail.com>
Message-ID: <20071209164757.0fd8c33d@catlap>

Hi,

>There is a "solution" that supposedly works, but did not work for me:

What you sent works for egress not ingress. Look here:

http://www.linux-foundation.org/en/Net:IFB

There's an example of how to shape traffic on ingress.

cheers,
Marek Kierdelewicz

From geraldwalden at frontiernet.net Sun Dec 9 20:57:59 2007
From: geraldwalden at frontiernet.net (jerry)
Date: Sun Dec 9 20:59:45 2007
Subject: [LARTC] ixp400
Message-ID: <1197230279.3410.4.camel@localhost.localdomain>

Hello

I am encountering what I believe is a deadlock state when I am transferring traffic via an embedded linux device that only kills traffic with a combination of the Intel ixp400_eth.ko driver and the sch_htb.ko queuing discipline. If I use any other qdisc - including the complex cbq module - I encounter smooth sailing.

Any suggestions?

Thanks
Jerry

From indunil75 at gmail.com Mon Dec 10 11:20:31 2007
From: indunil75 at gmail.com (Indunil Jayasooriya)
Date: Mon Dec 10 11:21:03 2007
Subject: [LARTC] PAT HOW to - IPTABLES
Message-ID: <7ed6b0aa0712100220n57ea0e54x628d539621cb6b35@mail.gmail.com>

Hi,

I have a box running with iptables and iproute2. It has 3 ethernet cards. One for the internet, another for LAN and yet another for DMZ.

@ DMZ ZONE I have 3 web servers. But I have only one real ip on my firewall. Now, I want to forward port 80 to these 3 web servers.

How can I do it?

I searched a lot from google. But, still no luck.

--
Thank you
Indunil Jayasooriya
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20071210/7146d379/attachment.htm

From alexandre at ondainternet.com.br Mon Dec 10 12:32:18 2007
From: alexandre at ondainternet.com.br (Alexandre J. Correa - Onda Internet)
Date: Mon Dec 10 11:32:32 2007
Subject: [LARTC] PAT HOW to - IPTABLES
In-Reply-To: <7ed6b0aa0712100220n57ea0e54x628d539621cb6b35@mail.gmail.com>
References: <7ed6b0aa0712100220n57ea0e54x628d539621cb6b35@mail.gmail.com>
Message-ID: <475D23C2.2090300@ondainternet.com.br>

you can use squid as reverse proxy .. see cache_peer !!

squid can load balance between 3 servers and cache it !!

run squid on your box with real ip..

here you can see examples http://under-linux.org/7964-squid-atuando-como-proxy-reverso.html (pt-br)

Indunil Jayasooriya wrote:
> Hi,
>
> I have a box running with iptables and iproute2. It has 3 ethernet cards. One for the internet, another for LAN and yet another for DMZ.
>
> @ DMZ ZONE I have 3 web servers. But I have only one real ip on my firewall. Now, I want to forward port 80 to these 3 web servers.
>
> How can I do it?
>
> I searched a lot from google. But, still no luck.
>
> --
> Thank you
> Indunil Jayasooriya
> ------------------------------------------------------------------------
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

--
Sds.
Alexandre Jeronimo Correa
Onda Internet - http://www.ondainternet.com.br
OPinguim Hosting - http://www.opinguim.net
Linux User ID #142329
UNOTEL S/A - http://www.unotel.com.br

From indunil75 at gmail.com Mon Dec 10 11:39:52 2007
From: indunil75 at gmail.com (Indunil Jayasooriya)
Date: Mon Dec 10 11:40:00 2007
Subject: [LARTC] PAT HOW to - IPTABLES
In-Reply-To: <475D23C2.2090300@ondainternet.com.br>
References: <7ed6b0aa0712100220n57ea0e54x628d539621cb6b35@mail.gmail.com> <475D23C2.2090300@ondainternet.com.br>
Message-ID: <7ed6b0aa0712100239j7591a4e3pd484c70baeb2d668@mail.gmail.com>

> see cache_peer !!
>
> squid can load balance between 3 servers and cache it !!
>
> run squid on your box with real ip..

Thanks for your quick answer. I know about reverse proxy. I wanted to know whether, without squid, iptables itself can handle this situation.

Suppose I have 3 mail servers @ DMZ zone with one real ip, the situation as before? In that case, what can I do?

Hope to hear from you.

--
Thank you
Indunil Jayasooriya
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20071210/4fc3208e/attachment.html

From sewlist at gmail.com Mon Dec 10 14:37:07 2007
From: sewlist at gmail.com (the sew)
Date: Mon Dec 10 14:37:15 2007
Subject: [LARTC] How to fight with encrypted p2p
In-Reply-To: <20071203193312.rg91ytgfeog0w4ss@www.simplelists.com>
References: <20071112015107.4ECBBEB2BB@f05.poczta.interia.pl> <1196595757.6539.9.camel@andybev> <4753DF28.8080209@echostar.ca> <20071203193312.rg91ytgfeog0w4ss@www.simplelists.com>
Message-ID:

Hi,

We had a similar problem with p2p, used ipp2p and L7filter together before and it worked well until clients (mostly clever ones) started getting around it with encryption. We have about 700 wireless clients hitting our network and our network was taking big knocks with guys using a couple of gigs a day on entry level packages. Was going to use Ipoque, but it was quite pricey for us. The only solution for us was to use a daily limit of eg 500MB, then they get slowed down to slower speeds. This worked like a charm.

Out of interest we used freeradius / pptpd|pppd with some custom perl scripts and tc rules

Sew

On Dec 3, 2007 9:33 PM, Andrew Beverley wrote:
> > I believe "fighting" is the wrong approach. Badly shaping the wrong traffic is just as bad, if not worse IMO. An ISP in my neck of the woods plays havoc with encrypted mail (SMTP + TLS as well as IMAPS) as a result of their P2P fight. Needless to say we no longer use them, and we encourage clients, friends, and colleagues not to as well. I don't use P2P but I do use ssh, imaps, sftp, and https daily. Screwing with these services is not useful.
>
> Using the rules in the example previously given specifically steers well clear of these services.
>
> > Limiting your rules to specific ports is pretty useless. This has been done before, and it failed miserably.
>
> Agreed.
>
> > For me, if P2P does not belong at all, for instance on a corporate network, then a default deny on the outbound works much better. We then only allow specific connections on a case by case basis.
>
> I have seen this work very well on corporate networks, and would recommend this approach where possible. Unfortunately though, on a normal home user network, there are so many different possibilities that this isn't very practical.
>
> > For instances where I am not able to block p2p, I define specific rules for high and low priority, and leave everything else in the default. If the end user wants to use the bulk of his or her bandwidth for P2P, so be it. Of course in this case bandwidth accounting is far more useful.
>
> Again, this depends on the circumstances. If you only have 2Mbit/s to share between 100 users then each user cannot have their own 'share' of the connection. Equally, people downloading in a responsible way are lumped into the same category as p2p users, which is not fair. Bandwidth accounting is a possibility, and something I haven't investigated.
>
> For those who want to fairly share bandwidth between users, I would recommend the ESFQ patches. These allow bandwidth sharing to be done on an IP address basis, rather than per connection. This prevents the hundreds of p2p connections from drowning out single downloads.
>
> > I would also encourage your users to use software that is or can be well behaved. Software that allows you to set a proper TOS for instance. If possible work with the end users.
> > I have personally found that the best solutions are not tech solutions. Having a well defined Acceptable Use Policy, plus a constructive dialogue with my users has been far more effective than any shaping routine I/we could come up with.
>
> Agreed. However, in a situation where you have a lot of users coming and going, it is not easy to educate the many hundreds of users.
> I guess it all boils down to your own situation. Traffic shaping on a corporate
> network or on a network where your users are static can be done using the above
> techniques. However, sharing a small connection between hundreds of regularly
> changing users is difficult, and I have found the 'blunt' rules previously
> described to work very well with no complaints.
>
> Regards,
>
> Andy Beverley
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From dino at webjogger.net Mon Dec 10 15:09:19 2007
From: dino at webjogger.net (Mario Antonio Garcia)
Date: Mon Dec 10 15:09:27 2007
Subject: [LARTC] How to fight with encrypted p2p
Message-ID: <29489517.102461197295759096.JavaMail.root@mailgate.webjogger.net>

Thanks for sharing.

Just one question: how are you implementing the daily limit?

Regards,

Mario Antonio
From sewlist at gmail.com Mon Dec 10 15:28:30 2007
From: sewlist at gmail.com (the sew)
Date: Mon Dec 10 15:28:40 2007
Subject: [LARTC] How to fight with encrypted p2p
In-Reply-To: <29489517.102461197295759096.JavaMail.root@mailgate.webjogger.net>
References: <29489517.102461197295759096.JavaMail.root@mailgate.webjogger.net>

On Dec 10, 2007 4:09 PM, Mario Antonio Garcia wrote:
> Thanks for sharing.

No problem.

> Just one question: how are you implementing the daily limit?
Two ways of detecting them:

1st is /etc/ppp/ip-up.local, which executes the script to check usage against the radius db and shape them on authentication.

Once they are logged in, I don't want to kick everyone off every few hours to check usage, so I have a "nice" cron job running every 3 hours to check every single user against the db, and if they have reached their quota they get shaped while being online. Radius stores all info about the NAS in the db, so it makes it quite straightforward.

Also nicely added: our reselling guys who maintain the clients get a report every time of users who exceeded the limit, and can be aware of which clients are the problem if they phone to complain. Also nice is that usually the infected PCs get knocked off first, which saves a lot of bandwidth.

Sew
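The quota-then-shape logic described in this reply, written out as an added example (this is not the poster's perl script, and nothing below comes from the list). The accounting rows are constructed and named after FreeRADIUS's radacct columns; the interface names (eth1 towards the PPP clients, eth0 towards the ISP), the root HTB handle 1: and the penalty class 1:99 are assumptions. The framed IP is validated before it is placed into a tc argv, so a hostile username or database row cannot smuggle extra tokens into the command.

```python
"""Daily-quota shaping: sum a user's RADIUS accounting and, once the quota is
exceeded, steer the session's framed IP into a slow HTB class.  Added
example; the rows, interfaces and class ids are constructed/assumed."""
from collections import defaultdict
from ipaddress import IPv4Address

DAILY_QUOTA = 500 * 1024 * 1024       # 500 MB/day, the figure in the post
IFACE_DOWN = "eth1"                   # assumed: egress towards the PPP clients
IFACE_UP = "eth0"                     # assumed: egress towards the ISP
PENALTY_CLASS = "1:99"                # assumed: pre-created slow class under 1:
PENALTY_PRIO = 10                     # assumed: filter prio reserved for quotas

# Constructed stand-in for today's radacct rows.  Users who re-dial get one
# row per session, so usage has to be summed per user, not per row.
SAMPLE_RADACCT = [
    {"username": "alice", "framedipaddress": "10.8.0.12",
     "acctinputoctets": 120_000_000, "acctoutputoctets": 30_000_000},
    {"username": "alice", "framedipaddress": "10.8.0.12",
     "acctinputoctets": 450_000_000, "acctoutputoctets": 10_000_000},
    {"username": "bob", "framedipaddress": "10.8.0.40",
     "acctinputoctets": 80_000_000, "acctoutputoctets": 5_000_000},
    {"username": "eve", "framedipaddress": "10.8.0.77",
     "acctinputoctets": 2_000_000_000, "acctoutputoctets": 900_000_000},
]


def usage_by_user(rows):
    """Bytes in both directions, summed over all of a user's sessions."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["username"]] += int(r["acctinputoctets"]) + int(r["acctoutputoctets"])
    return dict(totals)


def over_quota(rows, quota=DAILY_QUOTA):
    """Map user -> current framed IP for everyone above the quota."""
    totals = usage_by_user(rows)
    last_ip = {r["username"]: r["framedipaddress"] for r in rows}
    return {u: last_ip[u] for u, used in totals.items() if used > quota}


def shape_commands(ip, classid=PENALTY_CLASS, prio=PENALTY_PRIO):
    """tc argv lists (run with subprocess, never shell=True) that push the
    download and upload of one framed IP into the slow class."""
    ip = str(IPv4Address(ip))         # raises ValueError on anything but an address
    def flt(dev, key):
        return ["tc", "filter", "add", "dev", dev, "parent", "1:", "protocol", "ip",
                "prio", str(prio), "u32", "match", "ip", key, f"{ip}/32",
                "flowid", classid]
    return [flt(IFACE_DOWN, "dst"), flt(IFACE_UP, "src")]


def flush_commands(prio=PENALTY_PRIO):
    """Delete every quota filter (all filters at this prio) on both devices;
    the next tick re-adds the current set, and that is also how a user gets
    un-shaped once the day rolls over."""
    return [["tc", "filter", "del", "dev", dev, "parent", "1:", "prio", str(prio)]
            for dev in (IFACE_DOWN, IFACE_UP)]


def cron_tick(rows):
    """Every few hours: rebuild the penalty filters for everyone over quota."""
    cmds = flush_commands()
    for _user, ip in sorted(over_quota(rows).items()):
        cmds += shape_commands(ip)
    return cmds


def on_ip_up(username, ip, rows):
    """ip-up.local hook: shape at once if the caller is already over quota."""
    return shape_commands(ip) if username in over_quota(rows) else []
```

Keeping the quota filters at a prio of their own is what makes the flush-and-rebuild tick safe: `tc filter del ... prio 10` removes only those, not the rest of the shaping setup.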
From alex at samad.com.au Mon Dec 10 22:29:32 2007
From: alex at samad.com.au (Alex Samad)
Date: Mon Dec 10 22:29:43 2007
Subject: [LARTC] PAT HOW to - IPTABLES
In-Reply-To: <7ed6b0aa0712100239j7591a4e3pd484c70baeb2d668@mail.gmail.com>
References: <7ed6b0aa0712100220n57ea0e54x628d539621cb6b35@mail.gmail.com> <475D23C2.2090300@ondainternet.com.br> <7ed6b0aa0712100239j7591a4e3pd484c70baeb2d668@mail.gmail.com>
Message-ID: <20071210212931.GA8267@samad.com.au>

On Mon, Dec 10, 2007 at 04:09:52PM +0530, Indunil Jayasooriya wrote:
> > see cache_peer !!
> > squid can load balance between 3 servers and cache it !!
> > run squid on your box with real ip..
>
> Thanks for your quick answer. I know about reverse proxy. I wanted to know
> whether, without squid, iptables itself can handle this situation.
>
> Suppose I have 3 mail servers @ DMZ zone with one real ip. The situation
> as before?
>
> In that case, what can I do?

You could use exim/postfix and route the mail to the right server, but I guess
you are trying to find out how to have port 25 on the real ip NAT'ed to one of
the 3 DMZ'ed IPs based upon the destination mail address.

Short answer: you can't, as far as I know. iptables only looks at src ip / src
port & dest ip / dest port. You could write your own plugin module to look into
the tcp stream.

> Hope to hear from you.
>
> --
> Thank you
> Indunil Jayasooriya

From mythathchr at yahoo.com Mon Dec 10 23:02:40 2007
From: mythathchr at yahoo.com (rajesh reddy)
Date: Mon Dec 10 23:02:52 2007
Subject: [LARTC] regarding implementation of queue in linux
Message-ID: <216940.33275.qm@web38007.mail.mud.yahoo.com>

Can somebody tell me where the source code implementation of the queue at the network layer is in the Linux OS? I mean the .c and .h files regarding the implementation of the queue.
From goblin at pentex.pl Tue Dec 11 00:19:22 2007
From: goblin at pentex.pl (Radek 'Goblin' Pieczonka)
Date: Tue Dec 11 00:20:07 2007
Subject: [LARTC] PAT HOW to - IPTABLES
In-Reply-To: <20071210212931.GA8267@samad.com.au>
References: <7ed6b0aa0712100220n57ea0e54x628d539621cb6b35@mail.gmail.com> <475D23C2.2090300@ondainternet.com.br> <7ed6b0aa0712100239j7591a4e3pd484c70baeb2d668@mail.gmail.com> <20071210212931.GA8267@samad.com.au>
Message-ID: <475DC97A.50102@pentex.pl>

>> Suppose I have 3 mail servers @ DMZ zone with one real ip. The situation
>> as before?
>>
>> In that case, what can I do?
>>
> You could use exim/postfix and route the mail to the right server, but I guess
> you are trying to find out how to have port 25 on the real ip NAT'ed to one of
> the 3 DMZ'ed IPs based upon the destination mail address.
>
> Short answer: you can't, as far as I know. iptables only looks at src ip / src
> port & dest ip / dest port. You could write your own plugin module to look into
> the tcp stream.
>

Routing based upon destination email address/domain could be done by postfix, with transports sending selected mail/domains to the selected server. But there is also the possibility of load balancing and failover for a set of domains, with all servers working with all the domains, for HA and flexibility of computing power; then I'd say take a look at keepalived for both those features. For http traffic it's actually the same, and you can also consider the apache reverse proxy feature.

--
Radek aka Goblin
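What the thread above is circling around is an application-layer decision that iptables cannot make: pick the back end from the HTTP Host header, or from the recipient domain the way a Postfix transport map does. The dispatch functions below are an added example, not any poster's configuration; the back-end addresses, the sample request and the RCPT line are all constructed. Two caveats a practitioner should carry over from it: an unknown or duplicated Host header is rejected rather than sent to a "default" back end, because a default is exactly how a spoofed Host reaches a server that was never meant to be public; and for SMTP the decision is per recipient, which is why Radek points at Postfix transports rather than a connection splitter (one SMTP session can carry RCPT TOs for several domains, so a TCP-level switch cannot split it).

```python
"""Host-header and recipient-domain dispatch for the single-real-IP setup in
this thread.  Added example: back ends, request and RCPT line are constructed."""
import re

# Assumed DMZ back ends on private addresses behind the one public IP.
HTTP_BACKENDS = {"www.example.com": ("192.168.10.11", 80),
                 "shop.example.com": ("192.168.10.12", 80),
                 "wiki.example.com": ("192.168.10.13", 80)}
SMTP_BACKENDS = {"example.com": ("192.168.10.21", 25),
                 "example.net": ("192.168.10.22", 25),
                 "example.org": ("192.168.10.23", 25)}

REQUEST_LINE = re.compile(r"[A-Z]+ \S+ HTTP/1\.[01]")
RCPT_LINE = re.compile(r"RCPT TO:\s*<([^<>@\s]+)@([A-Za-z0-9.-]+)>.*", re.I)


def http_backend(request_head: bytes):
    """Return (ip, port) for the request's Host, or None to refuse it.
    Only the head (request line + headers) is needed; the body is never read."""
    try:
        text = request_head.decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = text.split("\r\n")
    if not REQUEST_LINE.fullmatch(lines[0]):
        return None
    hosts = [l.split(":", 1)[1].strip()
             for l in lines[1:] if l.lower().startswith("host:")]
    if len(hosts) != 1:               # missing or duplicated Host is ambiguous
        return None
    host = hosts[0].split(":")[0].lower()   # strip :port, normalise case
    return HTTP_BACKENDS.get(host)    # unknown name -> None, never a default


def smtp_backend(rcpt_line: str):
    """Return the back end for one 'RCPT TO:<user@domain>' by domain.
    This models the per-recipient choice an MTA makes after accepting the
    message (Postfix transport_maps), not a decision per TCP connection."""
    m = RCPT_LINE.fullmatch(rcpt_line.strip())
    if not m:
        return None
    return SMTP_BACKENDS.get(m.group(2).lower().rstrip("."))
```

The reverse proxy in front of HTTP_BACKENDS would forward the request to whatever `http_backend()` returns and answer 421 or 400 itself when it returns None; in the SMTP case `smtp_backend()` is the lookup a transport map performs for each recipient once the message has been queued.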
From alex at samad.com.au Tue Dec 11 09:16:35 2007
From: alex at samad.com.au (Alex Samad)
Date: Tue Dec 11 09:17:01 2007
Subject: [LARTC] PAT HOW to - IPTABLES
In-Reply-To: <475DC97A.50102@pentex.pl>
References: <7ed6b0aa0712100220n57ea0e54x628d539621cb6b35@mail.gmail.com> <475D23C2.2090300@ondainternet.com.br> <7ed6b0aa0712100239j7591a4e3pd484c70baeb2d668@mail.gmail.com> <20071210212931.GA8267@samad.com.au> <475DC97A.50102@pentex.pl>
Message-ID: <20071211081635.GC8267@samad.com.au>

On Tue, Dec 11, 2007 at 12:19:22AM +0100, Radek 'Goblin' Pieczonka wrote:
> Routing based upon destination email address/domain could be done by postfix,
> with transports sending selected mail/domains to the selected server. But there
> is also the possibility of load balancing and failover for a set of domains,
> with all servers working with all the domains, for HA and flexibility of
> computing power; then I'd say take a look at keepalived for both those
> features. For http traffic it's actually the same, and you can also consider
> the apache reverse proxy feature.
He only has 1 real ip.

[silly idea] Of course, you could be really tricky and use an ipv6-to-ipv4 address and name all the dmz servers with ipv6 (in dns as well), really relying upon clients to be ipv6 enabled. [/silly idea]

From gtaylor at riverviewtech.net Tue Dec 11 16:31:26 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Tue Dec 11 16:30:20 2007
Subject: [LARTC] PAT HOW to - IPTABLES
In-Reply-To: <7ed6b0aa0712100220n57ea0e54x628d539621cb6b35@mail.gmail.com>
References: <7ed6b0aa0712100220n57ea0e54x628d539621cb6b35@mail.gmail.com>
Message-ID: <475EAD4E.3000500@riverviewtech.net>

On 12/10/07 04:20, Indunil Jayasooriya wrote:
> @ DMZ ZONE I have 3 web servers. But I have only one real ip on my
> firewall. Now, I want to forward port 80 to these 3 web servers.
>
> How can I do it?

Like someone else suggested, run a reverse proxy on one system. You could either run it on the firewall or on a fourth system in the DMZ, so that you are not running it on the firewall. Use this reverse proxy to intelligently redirect queries that come in to it to the correct back end server. In short, you are forwarding HTTP traffic to an application layer gateway that is intelligent enough to pick the proper back end system to handle the requests. For SMTP, you would use something like Sendmail with Mailertable.
With regards to others' comments about the single IP and not being able to communicate with the internal servers: you can use private IP addresses in your DMZ without a problem, so long as they are all hidden from the world by your NATing router, such that everyone would think that all your services are coming off of your one single external IP. You will need to pay attention to SMTP HELO names as well.

Also be aware that you are having a lot depend on connection tracking on the NATing router, and thus have a finite number of resources that are being shared by multiple systems. If it is still in place, you may want to consider running stateless NAT (iproute2) for the traffic coming in to said systems, so that that traffic will not exceed conntrack.

Grant. . . .

From hi100nu at yahoo.com Wed Dec 12 13:03:51 2007
From: hi100nu at yahoo.com (sonu chouhan)
Date: Wed Dec 12 13:04:19 2007
Subject: [LARTC] bgp require in multigateway routing
Message-ID: <368077.76072.qm@web32515.mail.mud.yahoo.com>

Hi all,

First I want to explain my network and its problem. I am using a Red Hat EL5 box for multigateway routing. I have 3 ADSL lines, which are connected to eth0, eth2 and eth3; eth1 is my local network. Those 3 lines come with ADSL modems from the same ISP, with equal bandwidth (512 Kbps). These ADSL modems have one LAN and one WAN port, and the modem's LAN IP is the gateway for my Linux box. Sometimes the WAN port of the modem hangs, and at that time the LAN IP of the modem is still up and accessible, so for my Linux box the gateway is up but the internet behind this gateway is down. The Linux box sees this as a running gateway and continuously sends requests to it, so at that time failover routing does not work. I need a solution for this.

Somebody suggested that I use Border Gateway Protocol for this, but I don't have any knowledge about this protocol, whether it will be useful for me or not. Please also guide me on how to configure this protocol.
Sorry for my poor English. Thanks in advance.

sonu

From goblin at pentex.pl Wed Dec 12 15:18:45 2007
From: goblin at pentex.pl (Radek 'Goblin' Pieczonka)
Date: Wed Dec 12 15:21:20 2007
Subject: [LARTC] bgp require in multigateway routing
In-Reply-To: <368077.76072.qm@web32515.mail.mud.yahoo.com>
References: <368077.76072.qm@web32515.mail.mud.yahoo.com>
Message-ID: <475FEDC5.3040503@pentex.pl>

> Somebody suggested that I use Border Gateway Protocol for this, but I
> don't have any knowledge about this protocol, whether it will be useful for
> me or not. Please also guide me on how to configure this protocol.

Considering the bandwidth, I don't think your ISP would even start to think about BGP, not to mention the fact that as long as you use the same ISP I'd rather think of OSPF or even RIPv2. Also, there is a question of support on the modem, as from what you say it's actually a router with an ADSL modem integrated, so it should take part in dynamic routing. All in all, the first question to ask is what your ISP is willing to do in this case.

As an alternative, you can always run some checks on the links and switch routing information (especially the default route, or the selection of routing table in policy routing) in a static table from some cron script / daemon accordingly.
--
Radek aka Goblin
goblin@pentex.pl

From drumlesson at gmail.com Wed Dec 12 17:30:35 2007
From: drumlesson at gmail.com (m.a.t.e.o)
Date: Wed Dec 12 17:30:45 2007
Subject: [LARTC] Re: LARTC Digest, Vol 34, Issue 12
In-Reply-To: <20071210110007.1EABE44F1@outpost.ds9a.nl>
References: <20071210110007.1EABE44F1@outpost.ds9a.nl>
Message-ID: <823158cf0712120830i63861d5fyc7c4836bd6fe2bf0@mail.gmail.com>

Hey Marek,

I know that I must work with the INGRESS (instead of EGRESS); I've built my kernel properly. My other TC rules for source IP address (not for MAC address) do work fine! The problem is with the MAC, because it is not "IP PROTOCOL", and for that I must use the "u32/u16 match" to solve it; and if I make an analogy from my other INGRESS rules applied to src IP address, to src MAC address using the scripts below, it did not work either. I'm not sure what I am doing. Please "give a hand"!!!

Regards,
mateo.-

2007/12/10, lartc-request@mailman.ds9a.nl :
> Today's Topics:
>
> 1. MAC filter (m.a.t.e.o)
> 2. Re: MAC filter (Marek Kierdelewicz)
> 3. ixp400 (jerry)
> 4. PAT HOW to - IPTABLES (Indunil Jayasooriya)
> 5. Re: PAT HOW to - IPTABLES (Alexandre J. Correa - Onda Internet)
> 6.
> Re: PAT HOW to - IPTABLES (Indunil Jayasooriya)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 9 Dec 2007 12:24:27 -0300
> From: m.a.t.e.o
> Subject: [LARTC] MAC filter
> To: lartc@mailman.ds9a.nl
> Message-ID: <823158cf0712090724o1f0e9100x8c3432a1e1eaf650@mail.gmail.com>
>
> I did search a lot of posts in this list and others, but never found a
> solution that works...
> I want to filter the INGRESS by MAC address... please, any help?
>
> There is a "solution" that supposedly works, but did not work for me:
>
> #######
> for the MAC address: M0M1M2M3M4M5
>
> tc filter add dev eth1 parent 1: protocol ip prio 5 u32 \
>   match u16 0x0800 0xffff at -2 \
>   match u16 0x4455 0xffff at -4 \
>   match u32 0x00112233 0xffffffff at -8 \
>   flowid 1:40
> #######
>
> Thx, a lot.-
>
> ------------------------------
>
> Message: 2
> Date: Sun, 9 Dec 2007 16:47:57 +0100
> From: Marek Kierdelewicz
> Subject: Re: [LARTC] MAC filter
> To: lartc@mailman.ds9a.nl
> Message-ID: <20071209164757.0fd8c33d@catlap>
>
> Hi,
>
> >There is a "solution" that supposedly works, but did not work for me:
>
> What you sent works for egress, not ingress.
>
> Look here:
> http://www.linux-foundation.org/en/Net:IFB
>
> There's an example of how to shape traffic in ingress.
>
> cheers,
> Marek Kierdelewicz
>
> ------------------------------
>
> Message: 3
> Date: Sun, 09 Dec 2007 11:57:59 -0800
> From: jerry
> Subject: [LARTC] ixp400
> To: lartc@mailman.ds9a.nl
> Message-ID: <1197230279.3410.4.camel@localhost.localdomain>
>
> Hello
>
> I am encountering what I believe is a deadlock state when I am
> transferring traffic via an embedded linux device. It only kills
> traffic with the combination of the Intel ixp400_eth.ko driver and the
> sch_htb.ko queuing discipline. If I use any other qdisc, including the
> complex cbq module, I encounter smooth sailing. Any suggestions?
>
> Thanks
>
> Jerry
>
> ------------------------------
>
> Message: 4
> Date: Mon, 10 Dec 2007 15:50:31 +0530
> From: "Indunil Jayasooriya"
> Subject: [LARTC] PAT HOW to - IPTABLES
> To: "Mail List - Linux Advanced Routing and Traffic Control"
> Message-ID: <7ed6b0aa0712100220n57ea0e54x628d539621cb6b35@mail.gmail.com>
>
> Hi,
>
> I have a box running with iptables and iproute2. It has 3 ethernet cards:
> one for the internet, another for the LAN and yet another for the DMZ.
>
> @ DMZ ZONE I have 3 web servers. But I have only one real ip on my
> firewall. Now, I want to forward port 80 to these 3 web servers.
>
> How can I do it?
>
> I searched a lot on google. But still no luck.
>
> --
> Thank you
> Indunil Jayasooriya
>
> ------------------------------
>
> Message: 5
> Date: Mon, 10 Dec 2007 08:32:18 -0300
> From: "Alexandre J. Correa - Onda Internet"
> Subject: Re: [LARTC] PAT HOW to - IPTABLES
> To: lartc@mailman.ds9a.nl
> Message-ID: <475D23C2.2090300@ondainternet.com.br>
>
> you can use squid as reverse proxy ..
>
> see cache_peer !!
>
> squid can load balance between 3 servers and cache it !!
>
> run squid on your box with real ip..
>
> here you can see examples
> http://under-linux.org/7964-squid-atuando-como-proxy-reverso.html
>
> (pt-br)
>
> --
> Sds.
>
> Alexandre Jeronimo Correa
>
> Onda Internet - http://www.ondainternet.com.br
> OPinguim Hosting - http://www.opinguim.net
>
> Linux User ID #142329
>
> UNOTEL S/A - http://www.unotel.com.br
>
> ------------------------------
>
> Message: 6
> Date: Mon, 10 Dec 2007 16:09:52 +0530
> From: "Indunil Jayasooriya"
> Subject: Re: [LARTC] PAT HOW to - IPTABLES
> To: "Alexandre J. Correa - Onda Internet", "Mail List - Linux Advanced Routing and Traffic Control"
> Message-ID: <7ed6b0aa0712100239j7591a4e3pd484c70baeb2d668@mail.gmail.com>
>
> > see cache_peer !!
> >
> > squid can load balance between 3 servers and cache it !!
> >
> > run squid on your box with real ip..
>
> Thanks for your quick answer. I know about reverse proxy. I wanted to know
> whether, without squid, iptables itself can handle this situation.
>
> Suppose I have 3 mail servers @ DMZ zone with one real ip. The situation
> as before?
>
> In that case, what can I do?
>
> Hope to hear from you.
>
> --
> Thank you
> Indunil Jayasooriya
>
> End of LARTC Digest, Vol 34, Issue 12
> *************************************

From gypsy at iswest.com Thu Dec 13 03:42:35 2007
From: gypsy at iswest.com (gypsy)
Date: Thu Dec 13 03:42:52 2007
Subject: [LARTC] Re: LARTC Digest, Vol 34, Issue 12
References: <20071210110007.1EABE44F1@outpost.ds9a.nl> <823158cf0712120830i63861d5fyc7c4836bd6fe2bf0@mail.gmail.com>
Message-ID: <47609C1B.AEBF7EEA@iswest.com>

"m.a.t.e.o" wrote:
> #######
> for the MAC address: M0M1M2M3M4M5
>
> tc filter add dev eth1 parent 1: protocol ip prio 5 u32 \
>   match u16 0x0800 0xffff at -2 \
>   match u16 0x4455 0xffff at -4 \
>   match u32 0x00112233 0xffffffff at -8 \
>   flowid 1:40
> #######

Have you tried "protocol all" rather than "protocol ip"?

I tested M0M1M2M3M4M5 (a long time ago) and it did work for eth1 and imq0. I guess that when the interface it was used on "saw" the MAC specified by it, then I got a match. It did not work when the machine was too far away (in # hops), probably because then the MAC is no longer "visible". In short, M0M1M2M3M4M5 matched any computer on my internal LAN and the gateway of my ISP, but nothing else.

--
gypsy
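The filter quoted in mateo's digest post and gypsy's reply relies on one fact: with the u32 classifier the `at` offsets are taken from the start of the network (IP) header, so the 14-byte Ethernet header in front of it sits at offsets -14..-1: destination MAC at -14..-9, source MAC at -8..-3, EtherType at -2..-1. That is why 0x0800 is checked at -2 and the source MAC 00:11:22:33:44:55 is split into a u32 at -8 and a u16 at -4. The generator below is an added example (not gypsy's or mateo's script) that produces those clauses for any MAC and, for the destination-MAC case, uses three 2-byte-aligned u16 selectors so no selector straddles a 4-byte word; the device, parent handle and flowid are assumptions. gypsy's point about "hops" holds for any of these: the MAC you match is the one on the last Ethernet segment, so past the first router you see the router's MAC, not the original sender's.

```python
"""u32 MAC selectors at negative offsets relative to the IP header.
Added example; device, parent and flowid are assumptions."""
import re


def parse_mac(mac):
    """'00:11:22:33:44:55', '00-11-22-33-44-55', '0011.2233.4455' or
    '001122334455' -> 6 raw bytes.  Anything else is rejected, so a MAC
    coming from a DHCP lease file or a DB cannot inject tc tokens."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12 or re.search(r"[^0-9A-Fa-f:.\-]", mac):
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes.fromhex(digits)


def mac_matches(mac, direction="src"):
    """u32 'match' clauses selecting IPv4 frames by src or dst MAC.
    src: one u32 (bytes -8..-5) plus one u16 (bytes -4..-3), as in the post.
    dst: three u16s at -14, -12, -10; each one is 2-byte aligned, so none
         straddles a 4-byte word the way a u32 at -14 would."""
    m = parse_mac(mac)
    clauses = ["match u16 0x0800 0xffff at -2"]          # EtherType: IPv4
    if direction == "src":
        clauses += [f"match u32 0x{m[:4].hex()} 0xffffffff at -8",
                    f"match u16 0x{m[4:].hex()} 0xffff at -4"]
    elif direction == "dst":
        clauses += [f"match u16 0x{m[i:i + 2].hex()} 0xffff at {-14 + i}"
                    for i in (0, 2, 4)]
    else:
        raise ValueError(f"direction must be 'src' or 'dst', not {direction!r}")
    return clauses


def tc_filter(mac, dev="eth1", parent="1:", flowid="1:40",
              direction="src", protocol="ip", prio=5):
    """Full tc command line.  protocol="all" (gypsy's suggestion) only
    changes which skb->protocol values reach the classifier; the offsets
    stay relative to the network header, and the EtherType clause at -2
    still restricts the match to IPv4 frames."""
    return (f"tc filter add dev {dev} parent {parent} protocol {protocol} "
            f"prio {prio} u32 " + " ".join(mac_matches(mac, direction))
            + f" flowid {flowid}")
```

For ingress the command is the same; only `dev` changes to the ifb device that Marek's IFB link describes, since a filter on the ingress qdisc itself can only police or redirect, not put the frame into an HTB class.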
From hi100nu at yahoo.com Thu Dec 13 15:12:36 2007
From: hi100nu at yahoo.com (sonu chouhan)
Date: Thu Dec 13 16:59:21 2007
Subject: [LARTC] bgp require in multigateway routing
Message-ID: <211997.64923.qm@web32513.mail.mud.yahoo.com>

Thanks a lot for your reply. My ISP doesn't support BGP, so I have a second chance: to write a script for this. But my question is: if I run a script which will detect a dead route and then delete that route, all is fine, but after deleting the route how can I know that this route is working again and needs to be added again? Please help me, and if you have any script like this please provide it.

Thanks again,
sonu....
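The cron-script alternative Radek suggested, carried through to the question asked in this post (how to notice that a deleted route works again), as an added example rather than anyone's production script. The idea: every uplink keeps a private routing table whose only route is that modem's default, selected by a firewall mark, so a probe can be forced out through a link whether or not the link is still in the main table. The probe result goes through a small hysteresis so a modem that flaps does not rewrite the main route every tick, and the main default route is simply rebuilt from the links currently considered alive, which re-adds a recovered link with the same command that removed it. Interface names, modem addresses, table numbers and the probe target are assumptions; `ping -m` is iputils' option for setting SO_MARK on the probe packets (needs root). The probe is injected as a function so the decision logic runs offline against constructed results.

```python
"""Dead-gateway detection with automatic re-add for several ADSL uplinks.
Added example; interfaces, gateways, tables and probe target are assumed."""
import subprocess
from dataclasses import dataclass

PROBE_TARGET = "198.51.100.1"        # assumed: a host past the ISP that answers ping
FAIL_AFTER = 3                       # consecutive failures before a link is down
RECOVER_AFTER = 2                    # consecutive successes before it is back


@dataclass
class Uplink:
    name: str
    dev: str
    gw: str
    table: int                       # test table number, doubles as fwmark
    up: bool = True
    fails: int = 0
    oks: int = 0


UPLINKS = [Uplink("isp_a", "eth0", "192.168.1.1", 101),
           Uplink("isp_b", "eth2", "192.168.2.1", 102),
           Uplink("isp_c", "eth3", "192.168.3.1", 103)]


def setup_commands(links):
    """One-off: per link, a table holding only that modem's default route and
    a rule sending fwmark'ed packets through it."""
    cmds = []
    for l in links:
        cmds.append(f"ip route replace default via {l.gw} dev {l.dev} table {l.table}")
        cmds.append(f"ip rule add fwmark {l.table} lookup {l.table}")
    return cmds


def probe_command(link, target=PROBE_TARGET):
    """One echo request, marked so the rule above pins it to this uplink."""
    return ["ping", "-c", "1", "-W", "2", "-m", str(link.table),
            "-I", link.dev, target]


def ping_probe(link):
    """Real probe: True when a reply came back through this link."""
    return subprocess.run(probe_command(link), stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def update(link, ok):
    """Feed one probe result through the hysteresis; True if up/down flipped."""
    if ok:
        link.oks, link.fails = link.oks + 1, 0
    else:
        link.fails, link.oks = link.fails + 1, 0
    before = link.up
    if link.up and link.fails >= FAIL_AFTER:
        link.up = False
    elif not link.up and link.oks >= RECOVER_AFTER:
        link.up = True
    return link.up != before


def main_route_command(links):
    """Rebuild the main default route from the live links only.  A recovered
    link is re-added by the very same command, so nothing has to remember
    what was deleted."""
    alive = [l for l in links if l.up]
    if not alive:
        return "ip route del default"            # nothing usable: fail closed
    hops = " ".join(f"nexthop via {l.gw} dev {l.dev} weight 1" for l in alive)
    return f"ip route replace default scope global {hops}"


def run_once(links, probe):
    """One cron tick.  probe(link) -> bool.  Returns the command to apply
    when some link changed state, otherwise None (leave the table alone)."""
    changed = [update(l, probe(l)) for l in links]   # list: probe every link
    return main_route_command(links) if any(changed) else None
```

Run from cron as `run_once(UPLINKS, ping_probe)` and execute the returned command only when it is not None; keeping the probe tables out of the main table is what makes the "is it working again?" question answerable without ever putting a dead modem back into production first.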
From gtaylor at riverviewtech.net Thu Dec 13 18:09:40 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Thu Dec 13 18:08:35 2007
Subject: [LARTC] bgp require in multigateway routing
In-Reply-To: <211997.64923.qm@web32513.mail.mud.yahoo.com>
References: <211997.64923.qm@web32513.mail.mud.yahoo.com>
Message-ID: <47616754.2090105@riverviewtech.net>

On 12/13/07 08:12, sonu chouhan wrote:
> my isp doesn't support bgp, so i have a second chance to write a
> script for this, but my question is, if i run a script which will
> detect a dead route and then delete that route, all is fine but after
> deleting the route how can i know that this route is working again and
> needs to be added again. please help me and if you have any script like
> this please provide me.

I think you will want to delete the route (or mark it dead) in your (main?) routing table that gets used by most of your traffic and leave the additional administrative / test routing tables alone. With the additional administrative / test routing tables you can have your test traffic go out the routes that would otherwise not be used by your normal traffic. Thus you can have test scripts see if the routes are good or not. If the routes are good, you can re-add the routes to your main (?) routing table.

Another idea is to use different routing tables based on the connection status. I.e. have main_both, main_isp_a, and main_isp_b routing tables that are used for your normal traffic. If something happens, just change the routing table that is used from main_both to main_isp_. Changing which routing table is used is probably going to be easier than altering a routing table.

Just to be clear, you will still want to have test_isp_a and test_isp_b routing tables so you can direct your test traffic to use either connection.
So all in all, with this route you will have five routing tables: main_both, main_isp_a, main_isp_b, test_isp_a, and test_isp_b.

Grant. . . .

From zampognaro at ing.uniroma2.it Fri Dec 14 00:22:04 2007
From: zampognaro at ing.uniroma2.it (Francesco Zampognaro)
Date: Fri Dec 14 00:22:15 2007
Subject: [LARTC] Changing TBF rate on the fly results in drops?
In-Reply-To: <20071119232345.yn77o512ook84koc@webmail.uniroma2.it>
References: <20071119232345.yn77o512ook84koc@webmail.uniroma2.it>
Message-ID: <20071214002204.3ig5cb39cws4s4o4@webmail.uniroma2.it>

Quoting Francesco Zampognaro :
> Hi everybody, it is my first message here. I tried to browse through
> older posts but I found no immediate answer.
>
> I need to change the rate of a tbf queue while ip packets are already
> enqueued by it. If I go:
>
> tc qdisc replace|change|link dev eth0 root tbf rate 180kbit burst 1540 limit 15400
>
> as a result all enqueued packets seem to disappear. I can see that from a:
>
> tc -s qdisc ls dev eth0
>
> where backlog suddenly goes down to zero packets. Iperf performance
> also confirms that. Using custom kernel 2.6.20.1 on Ubuntu 6.06.
>
> Where can I look to understand what is going on? Can I do something
> else to get the same result (shaping outgoing traffic dynamically and
> very often without losses)?
>
>
> Thanks in advance!
>
> ____________________________________
> Francesco
> ____________________________________

Hi,

I solved it for now by passing packets to userspace using ip_queue (iptables ... -j QUEUE) and processing them so that they go out respecting the rate, which varies over time, without losses.

Still open to find a better solution in the kernel.

Regards!
____________________________________
Francesco
____________________________________

From nikky at mnet.bg Fri Dec 14 09:49:33 2007
From: nikky at mnet.bg (Nickola Kolev)
Date: Fri Dec 14 09:49:31 2007
Subject: [LARTC] bgp require in multigateway routing
In-Reply-To: <211997.64923.qm@web32513.mail.mud.yahoo.com>
References: <211997.64923.qm@web32513.mail.mud.yahoo.com>
Message-ID: <20071214104933.78c30555.nikky@mnet.bg>

On Thu, 13 Dec 2007 06:12:36 -0800 (PST) sonu chouhan wrote:
> Thanks a lot for your reply,
> my isp doesn't support bgp, so i have a second chance to write a
> script for this, but my question is, if i run a script which will
> detect a dead route and then delete that route, all is fine but after
> deleting the route how can i know that this route is working again and
> needs to be added again. please help me and if you have any script like
> this please provide me. thanks again sonu....

You can take a look at this document:

http://blog.taragana.com/index.php/archive/how-to-load-balancing-failover-with-dual-multi-wan-adsl-cable-connections-on-linux/

The script mentioned is working like a charm.

[ cut ]

--
Regards,
Nickola Kolev
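Sonu's question (how to notice that a route you deleted is usable again) and Grant Taylor's five-table layout, as an added example that is not part of any message in this thread: a cron-driven monitor that probes both ISPs on every run through the test tables, so a link that comes back is re-selected automatically. The table and variable names, the addresses and the rule preference are assumptions, not anything the posters described.

```shell
#!/bin/sh
# Added example, not from any message in this thread: a cron-driven link
# monitor in the spirit of Grant Taylor's five-table layout (main_both,
# main_isp_a, main_isp_b, test_isp_a, test_isp_b).
#
# Assumptions (hypothetical names; adapt them to the real setup):
#   - the five tables exist in /etc/iproute2/rt_tables and are populated;
#   - an "ip rule add from <ISP address> table test_isp_x" exists per ISP,
#     so a probe bound to that source address leaves through that link
#     no matter which main table is currently selected;
#   - the active main table is picked by one rule at preference MAIN_PREF.
#
# Addresses below are constructed (RFC 5737 documentation ranges).

ISP_A_SRC="${ISP_A_SRC:-192.0.2.10}"
ISP_B_SRC="${ISP_B_SRC:-198.51.100.10}"
PROBE_TARGET="${PROBE_TARGET:-203.0.113.1}"
MAIN_PREF="${MAIN_PREF:-100}"
STATE_FILE="${STATE_FILE:-/var/run/linkmon.table}"
IP="${IP:-ip}"   # overridable so the switching logic can be dry-run

# Decision logic only (no side effects): link states are 1 = up, 0 = down.
# Two links give the three usable cases Grant named, plus "none".
choose_table() {
    if [ "$1" = 1 ] && [ "$2" = 1 ]; then
        echo main_both
    elif [ "$1" = 1 ]; then
        echo main_isp_a
    elif [ "$2" = 1 ]; then
        echo main_isp_b
    else
        echo none
    fi
}

# Probe an ISP by binding the probe to that ISP's address. Because the probe
# is steered out via test_isp_x, it keeps testing a link that main_* has
# already abandoned, which is exactly what tells us the link is back.
probe_link() {
    ping -q -c 3 -W 2 -I "$1" "$PROBE_TARGET" >/dev/null 2>&1
}

# Swap the main lookup rule only when the chosen table changed, so a single
# lost probe does not rewrite the policy database on every run.
activate_table() {
    table=$1
    current=$(cat "$STATE_FILE" 2>/dev/null || true)
    if [ "$table" = "$current" ]; then
        return 0
    fi
    $IP rule del pref "$MAIN_PREF" 2>/dev/null || true
    if [ "$table" != none ]; then
        $IP rule add pref "$MAIN_PREF" table "$table"
    fi
    $IP route flush cache
    printf '%s\n' "$table" >"$STATE_FILE"
    command -v logger >/dev/null 2>&1 && logger -t linkmon "main lookup -> $table"
    return 0
}

monitor_once() {
    a=0; b=0
    probe_link "$ISP_A_SRC" && a=1
    probe_link "$ISP_B_SRC" && b=1
    activate_table "$(choose_table "$a" "$b")"
}

# Intended to run from cron every minute as "linkmon.sh run". Sourcing the
# file without the argument only defines the functions.
if [ "${1:-}" = run ]; then
    monitor_once
fi
```

For three links, as Manish notes further down the thread, choose_table grows to the seven up/down combinations; the probing and switching parts stay the same.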
From mkathuria at tuxtechnologies.co.in Fri Dec 14 14:40:27 2007
From: mkathuria at tuxtechnologies.co.in (Manish Kathuria)
Date: Fri Dec 14 14:40:33 2007
Subject: [LARTC] bgp require in multigateway routing
In-Reply-To: <211997.64923.qm@web32513.mail.mud.yahoo.com>
References: <211997.64923.qm@web32513.mail.mud.yahoo.com>
Message-ID: <1df4abe60712140540y723f54flf8b22fdf5bcb06d2@mail.gmail.com>

On 12/13/07, sonu chouhan wrote:
> Thanks a lot for your reply,
> my isp doesn't support bgp, so i have a second chance to write a script for
> this,
> but my question is, if i run a script which will detect a dead route and then
> delete that route, all is fine but after deleting the route how can i know that
> this route is working again and needs to be added again. please help me and if you
> have any script like this please provide me.
> thanks again
>
> sonu....
>

I had posted a script on this list early this year. You can check out the link and use the script.

http://mailman.ds9a.nl/pipermail/lartc/2007q1/020170.html

You will have to modify it, since this one is for two internet links whereas you have three links. But I think it should be easy to do; just the number of cases would increase. You will have to take care of all possible scenarios (all 3 links active, any two links active and any one link active) and set the default route for these 7 cases.

--
Manish Kathuria
Tux Technologies
http://www.tuxtechnologies.co.in/

From tuxstef at tuxstef.org Sat Dec 15 08:22:26 2007
From: tuxstef at tuxstef.org (Stefan Breitegger)
Date: Sat Dec 15 08:22:34 2007
Subject: [LARTC] hfsc and bps
Message-ID: <476380B2.8040101@tuxstef.org>

Hi!

Do you know something about hfsc and bps?

There's no output for speed, only for packets. Doesn't hfsc support such a field?
tc -s class show dev eth0
class hfsc 1: root
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 0 level 2

class hfsc 1:11 parent 1:1 sc m1 0bit d 18.0ms m2 1000Kbit ul m1 0bit d 0us m2 100000Kbit
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 0 level 0

class hfsc 1:1 parent 1: sc m1 0bit d 0us m2 100000Kbit ul m1 0bit d 0us m2 100000Kbit
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 294075 work 614619581 bytes level 1

class hfsc 1:10 parent 1:1 sc m1 0bit d 52.9ms m2 99000Kbit ul m1 0bit d 0us m2 100000Kbit
 Sent 614619581 bytes 429677 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 period 294075 work 614619581 bytes rtwork 614464173 bytes level 0

From nuclearcat at nuclearcat.com Sat Dec 15 18:32:08 2007
From: nuclearcat at nuclearcat.com (Denys)
Date: Sat Dec 15 18:32:30 2007
Subject: [LARTC] hfsc and bps
In-Reply-To: <476380B2.8040101@tuxstef.org>
References: <476380B2.8040101@tuxstef.org>
Message-ID: <20071215173208.M4463@nuclearcat.com>

Someone already answered me about that before... good idea to check the archive first :-)

Tip:

tc class add dev ${DEV} parent 1:922 classid 1:925 est 1sec 8sec hfsc sc dmax 1ms rate 1000kbit ul rate ${ROOTRATE}kbit

On Sat, 15 Dec 2007 08:22:26 +0100, Stefan Breitegger wrote
> Hi!
>
> Do you know something about hfsc and bps?
>
> There's no output for speed, only for packets. Doesn't hfsc support
> such a field?
>
> tc -s class show dev eth0
> class hfsc 1: root
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
>  period 0 level 2
>
> class hfsc 1:11 parent 1:1 sc m1 0bit d 18.0ms m2 1000Kbit ul m1 0bit d 0us m2 100000Kbit
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
>  period 0 level 0
>
> class hfsc 1:1 parent 1: sc m1 0bit d 0us m2 100000Kbit ul m1 0bit d 0us m2 100000Kbit
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
>  period 294075 work 614619581 bytes level 1
>
> class hfsc 1:10 parent 1:1 sc m1 0bit d 52.9ms m2 99000Kbit ul m1 0bit d 0us m2 100000Kbit
>  Sent 614619581 bytes 429677 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
>  period 294075 work 614619581 bytes rtwork 614464173 bytes level 0

--
Denys Fedoryshchenko
Technical Manager
Virtual ISP S.A.L.

From mailinglists at lucassen.org Mon Dec 17 12:09:52 2007
From: mailinglists at lucassen.org (richard lucassen)
Date: Tue Dec 18 12:26:17 2007
Subject: [LARTC] traffic not getting into class
Message-ID: <20071217120952.1d06da9d.mailinglists@lucassen.org>

Hello list,

I have these sorts of filters, putting traffic into the appropriate classid (1:15 is the default class):

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 1 protocol ip u32 \
    match ip protocol 0x6 0xff \
    match ip sport 22 0xffff \
    classid 1:11 # ssh

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 1 protocol ip u32 \
    match ip protocol 0x6 0xff \
    match ip dport 22 0xffff \
    classid 1:11 # ssh

[and a few more 1:11 filters]

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 1 protocol ip u32 \
    match ip protocol 0x11 0xff \
    match ip sport 123 0xffff \
    classid 1:11 # return packets NTP

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 1 protocol ip u32 \
    match ip protocol 0x06 0xff \
    match u8 0x05 0x0f at 0 \
    match u8 0x10 0xff at 33 \
    match u16 0x0000 0xffc0 at 2 \
    classid 1:11 # ACK's

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 2 protocol ip u32 \
    match ip protocol 0x6 0xff \
    match ip dport 80 0xffff \
    classid 1:12 # Webserver

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 3 protocol ip u32 \
    match ip protocol 0x6 0xff \
    match ip sport 443 0xffff \
    classid 1:13 # webmail server

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 4 protocol ip u32 \
    match ip protocol 0x6 0xff \
    match ip dport 21 0xffff \
    classid 1:14 # ftp-server

This works fine, but traffic for 1:14 (ftp) never gets into 1:14.

Is there a certain rule order in which filters must be written? As far as I can see I haven't made any mistakes in these filters...

Anyone a hint?

R.

--
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
| Public key and email address:                                    |
| http://www.lucassen.org/mail-pubkey.html                         |
+------------------------------------------------------------------+

From salatiel.filho at gmail.com Mon Dec 17 14:02:07 2007
From: salatiel.filho at gmail.com (Salatiel Filho)
Date: Tue Dec 18 12:27:23 2007
Subject: [LARTC] doubt about esfq
Message-ID:

In the esfq README I have:

  Depth sets the number of slots. If the number of active flows is greater
  than the number of slots, flows will end up sharing slots and ESFQ will no
  longer be fair. If you anticipate more than 128 concurrently active flows,
  you should use a larger depth and probably a larger divisor (see below).

  If you expect there to be far fewer than 128 concurrent flows, you may
  want to use a lower depth in order to benefit from slightly better latency
  (because limit can then be lower as well).

I am just curious: would 128 active flows mean [in ESFQ] 128 different IPs if I hash for ip dst? Or would it be 128 connections?
For example, let's say I download from my machine using some download accelerator and put up 128 parallel connections [theoretically, of course :)]; would I be using all slots or just one?

--
[]'s
Salatiel

"The greatest pleasure of the intelligent man is to play the idiot in front of an idiot who plays the intelligent man."

From shane at hemc.coop Tue Dec 18 16:41:11 2007
From: shane at hemc.coop (Shane McKinley)
Date: Thu Jan 31 12:23:36 2008
Subject: [LARTC] traffic not getting into class
In-Reply-To: <20071217120952.1d06da9d.mailinglists@lucassen.org>
Message-ID: <7C454E01C5FAE748BEFE65F4C6B7FD8BFD28C7@s-marcell.hemc.coop>

Wouldn't it depend on whether you are using passive FTP or not?

http://www.slacksite.com/other/ftp.html

Shane McKinley
Habersham EMC

-----Original Message-----
From: richard lucassen [mailto:mailinglists@lucassen.org]
Sent: Monday, December 17, 2007 6:10 AM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] traffic not getting into class

Hello list,

I have these sorts of filters, putting traffic into the appropriate classid (1:15 is the default class):

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 1 protocol ip u32 \
    match ip protocol 0x6 0xff \
    match ip sport 22 0xffff \
    classid 1:11 # ssh

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 1 protocol ip u32 \
    match ip protocol 0x6 0xff \
    match ip dport 22 0xffff \
    classid 1:11 # ssh

[and a few more 1:11 filters]

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 1 protocol ip u32 \
    match ip protocol 0x11 0xff \
    match ip sport 123 0xffff \
    classid 1:11 # return packets NTP

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 1 protocol ip u32 \
    match ip protocol 0x06 0xff \
    match u8 0x05 0x0f at 0 \
    match u8 0x10 0xff at 33 \
    match u16 0x0000 0xffc0 at 2 \
    classid 1:11 # ACK's

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 2 protocol ip u32 \
    match ip protocol 0x6 0xff \
    match ip dport 80 0xffff \
    classid 1:12 # Webserver

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 3 protocol ip u32 \
    match ip protocol 0x6 0xff \
    match ip sport 443 0xffff \
    classid 1:13 # webmail server

${TC} filter add dev ${DEV_IFB} parent 1:0 prio 4 protocol ip u32 \
    match ip protocol 0x6 0xff \
    match ip dport 21 0xffff \
    classid 1:14 # ftp-server

This works fine, but traffic for 1:14 (ftp) never gets into 1:14.

Is there a certain rule order in which filters must be written? As far as I can see I haven't made any mistakes in these filters...

Anyone a hint?

R.

--
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
| Public key and email address:                                    |
| http://www.lucassen.org/mail-pubkey.html                         |
+------------------------------------------------------------------+

From bugfood-ml at fatooh.org Tue Dec 18 21:17:59 2007
From: bugfood-ml at fatooh.org (Corey Hickey)
Date: Thu Jan 31 12:26:31 2008
Subject: [LARTC] doubt about esfq
In-Reply-To:
References:
Message-ID: <47682AF2.7080305@fatooh.org>

Salatiel Filho wrote:
> In the esfq README I have:
>
>   Depth sets the number of slots. If the number of active flows is greater
>   than the number of slots, flows will end up sharing slots and ESFQ will no
>   longer be fair. If you anticipate more than 128 concurrently active flows,
>   you should use a larger depth and probably a larger divisor (see below).
>
>   If you expect there to be far fewer than 128 concurrent flows, you may
>   want to use a lower depth in order to benefit from slightly better latency
>   (because limit can then be lower as well).
>
>
> I am just curious: would 128 active flows mean [in ESFQ] 128 different
> IPs if I hash for ip dst? Or would it be 128 connections?
> For example, let's say I download from my machine using some download
> accelerator and put up 128 parallel connections [theoretically, of course :)];
> would I be using all slots or just one?

Maybe. I had to re-read your message a couple of times, and I'm not sure I completely understand your question. In any case, you didn't specify whether you are using ESFQ on the LAN interface or the WAN interface of your router.

Scenario 1: downloading from 128 different IPs

hash dst on LAN interface: puts all packets in a single slot--after all, the destination IP is that of your workstation. This approach would only be useful if other workstations on your LAN were downloading as well, since their packets would go in other slots.

hash dst on WAN interface: divides packets into 128 different slots[1], since the destination IPs are those of the servers from which you are downloading. Note, however, that if you're only downloading, these packets would be "empty ACKs", which are quite small. Unless your upstream bandwidth is severely limited (or in heavy use for other reasons), the ACK packets would not need any special consideration. This approach is more useful if you are actually uploading data and you want the outbound traffic to be allocated fairly among the remote hosts.

Scenario 2: downloading from one IP, with 128 connections

hash dst on LAN interface: puts all packets in a single slot (same as in scenario 1).

hash dst on WAN interface: puts all packets in a single slot, since there is only one remote host to which the packets are going.

From what I've written, you may gather that using "hash dst" is not of much use for distributing inbound traffic to a single workstation. If that is really what you need to do, then you can look into "hash src".

[1] This is subject to the limitations of the hash function, and there may be collisions that result in slots being shared. See the "divisor" and "perturb" parameters.
-Corey

From kandrei at gmail.com Thu Dec 20 14:00:06 2007
From: kandrei at gmail.com (Andrei Kovacs)
Date: Thu Jan 31 12:51:20 2008
Subject: [LARTC] traffic not getting into class
In-Reply-To: <20071217120952.1d06da9d.mailinglists@lucassen.org>
References: <20071217120952.1d06da9d.mailinglists@lucassen.org>
Message-ID: <10a268fb0712200500x79fb0231yb794a1019601b9b6@mail.gmail.com>

> ${TC} filter add dev ${DEV_IFB} parent 1:0 prio 4 protocol ip u32 \
>     match ip protocol 0x6 0xff \
>     match ip dport 21 0xffff \
>     classid 1:14 # ftp-server
>
> This works fine, but traffic for 1:14 (ftp) never gets into 1:14.
>
> Is there a certain rule order in which filters must be written? As far
> as I can see I haven't made any mistakes in these filters...
>
> Anyone a hint?
>

Port 21 is used only by the control connection of FTP. Active mode FTP uses port 20 to do the actual downloading, and passive mode uses random ports. I think you need to mark packets in iptables using the ip_conntrack_ftp helper to identify ftp packets.

From gustin at echostar.ca Sun Dec 23 23:52:11 2007
From: gustin at echostar.ca (Gustin Johnson)
Date: Thu Jan 31 13:04:45 2008
Subject: [LARTC] traffic not getting into class
In-Reply-To: <20071217120952.1d06da9d.mailinglists@lucassen.org>
References: <20071217120952.1d06da9d.mailinglists@lucassen.org>
Message-ID: <476EE684.7020108@echostar.ca>

>
> ${TC} filter add dev ${DEV_IFB} parent 1:0 prio 4 protocol ip u32 \
>     match ip protocol 0x6 0xff \
>     match ip dport 21 0xffff \
>     classid 1:14 # ftp-server
>
> This works fine, but traffic for 1:14 (ftp) never gets into 1:14.
>
> Is there a certain rule order in which filters must be written? As
> far as I can see I haven't made any mistakes in these filters...

FTP is more complicated to filter than ssh. There is a control connection and a data connection.

> Anyone a hint?
The following sites give some info on the ftp protocol, though there is a ton more info if you use google.

http://www.slacksite.com/other/ftp.html
http://www.troubleshootingnetworks.com/ftpinfo.html

As an aside, ftp services really should be replaced with one of the better alternatives.

From marek at piasta.pl Sun Dec 30 13:19:20 2007
From: marek at piasta.pl (Marek Kierdelewicz)
Date: Thu Jan 31 13:29:42 2008
Subject: [LARTC] HTB deadlock
In-Reply-To: <1181752830.9399.66.camel@ranko-fc2.spidernet.net>
References: <1181752830.9399.66.camel@ranko-fc2.spidernet.net>
Message-ID: <20071230131939.7b84fa88@catlap>

> Greetings,

Hi,

> I've been experiencing problems with HTB where the whole machine locks
> up. This usually happens when the whole qdisc is being removed and
> occasionally when a leaf is being removed.

You may be interested in reading these two:

http://bugzilla.kernel.org/show_bug.cgi?id=9318
http://bugzilla.kernel.org/show_bug.cgi?id=9632

cheers,
Marek Kierdelewicz
KoBa ISP

From ianbrn at gmail.com Mon Dec 31 09:09:50 2007
From: ianbrn at gmail.com (Ian Brown)
Date: Thu Jan 31 13:32:12 2008
Subject: [LARTC] ip neigh show and NUD_NOARP state - is it possible ?
Message-ID:

Hello,

I know that there are devices which do not work with arp, for example the loopback device. I was wondering whether it is possible to create neighbours in a NUD_NOARP state, so that "ip neigh show" will show such neighbours with their state as NUD_NOARP.

I made some tests with the loopback device, but could not find a way to make it appear as NUD_NOARP.

Also, if I ping a (nonexistent) multicast address (like 224.0.0.0) I don't see it in "ip neigh show" (but I see it in the routing cache).

Could it be done?
(maybe with multicast/broadcast)?

BTW, I see an example in the documentation which demonstrates NUD_NOARP on the loopback device, but this documentation is from quite some time ago. See:

http://www.policyrouting.org/iproute2.doc.html#ss9.4.5

...
...
ip neigh ls
:: dev lo lladdr 00:00:00:00:00:00 nud noarp
fe80::200:cff:fe76:3f85 dev eth0 lladdr 00:00:0c:76:3f:85 router nud stale
0.0.0.0 dev lo lladdr 00:00:00:00:00:00 nud noarp
193.233.7.254 dev eth0 lladdr 00:00:0c:76:3f:85 nud reachable

Regards,
Ian

From johan.huysmans at inuits.be Wed Dec 19 12:47:46 2007
From: johan.huysmans at inuits.be (Johan Huysmans)
Date: Tue Feb 5 10:00:19 2008
Subject: [LARTC] tc doesn't shape correct {SOLVED}
In-Reply-To: <474D4633.2070704@inuits.be>
References: <474D4633.2070704@inuits.be>
Message-ID: <476904BE.60306@inuits.be>

My issue is solved.

Andy Furniss has mailed me a new set of rules which are doing exactly what you expect. For the record, here are the rules:

/sbin/tc qdisc del dev bond1 root
/sbin/tc qdisc add dev bond1 root handle 1: htb
/sbin/tc class add dev bond1 parent 1: classid 1:1 htb rate 30mbit
/sbin/tc qdisc add dev bond1 parent 1:1 handle 10: pfifo limit 300
/sbin/tc class add dev bond1 parent 1: classid 1:2 htb rate 10mbit
/sbin/tc qdisc add dev bond1 parent 1:2 handle 20: pfifo limit 100
/sbin/tc filter add dev bond1 parent 1: protocol ip prio 0 handle 1 fw flowid 1:1
/sbin/tc filter add dev bond1 parent 1: protocol ip prio 0 handle 2 fw flowid 1:2

Thanks for helping to fix this!

Johan

Johan Huysmans wrote:
> Hi All,
>
> I'm configuring my natting firewall to do some tc shaping. Some
> traffic has to be shaped at 30mbit, some at 10mbit; all the others are
> unlimited.
> The configuring and filtering works correctly. The traffic that is
> shaped at 30mbit is correct, but the traffic that is shaped at 10mbit
> only gets to 100KB/sec.
>
> It is on a device configured with bonding (both in and out interface).
>
> Any clue why shaped traffic at 10mbit only gets to 100KB/sec and not
> faster?
>
> Thanks for any response,
> Johan Huysmans