From indunil75 at gmail.com Thu Jan 3 12:26:14 2008
From: indunil75 at gmail.com (Indunil Jayasooriya)
Date: Thu Jan 31 13:39:28 2008
Subject: [LARTC] Fwd: iptables
In-Reply-To: <7ed6b0aa0801030324r24794429odfeb4571768c91e5@mail.gmail.com>
References: <7ed6b0aa0801030324r24794429odfeb4571768c91e5@mail.gmail.com>
Message-ID: <7ed6b0aa0801030326x45350222w5bfdaf7fbe5145a7@mail.gmail.com>

Hi All,

I am running iptables on CentOS 4.5 and 5 boxes. Now, I have requirements to enable the features below: gateway-level antivirus, anti-spyware and intrusion prevention, content filtering, etc.

I googled a bit, but still no luck finding proper docs to enable these. Can iptables meet these features? If possible, please let me know some documentation that says how to set these up.

Hope to hear from you.

--
Thank you
Indunil Jayasooriya


From salatiel.filho at gmail.com Sat Jan 5 19:05:03 2008
From: salatiel.filho at gmail.com (Salatiel Filho)
Date: Thu Jan 31 13:46:26 2008
Subject: [LARTC] Help With WRR
Message-ID:

Could anyone explain what the WRR param2 [wmode2, incr2, decr2, min2] is for? Can I set just param1 [wmode1, incr1, decr1, min1]?

--
[]'s
Salatiel
"The greatest pleasure of the intelligent man is to play the idiot in front of an idiot who plays the intelligent man."


From shemminger at linux-foundation.org Tue Jan 8 18:14:35 2008
From: shemminger at linux-foundation.org (Stephen Hemminger)
Date: Tue Feb 5 10:21:33 2008
Subject: [LARTC] [ANNOUNCE] iproute2-2.6.24-rc7
Message-ID: <20080108091222.514e976e@deepthought>

This is a preliminary release that includes all the changes for new features in 2.6.24. It should be backward compatible with older kernels.

http://devresources.linux-foundation.org/dev/iproute2/download/iproute2-2.6.24-rc7.tar.bz2

Note: This release is for validation (don't put it in your distros), therefore I didn't bother signing it.

Changelog since v2.6.23 release (edited).

Alexander Wirt (2):
      Fix various typos and nitpicks
      Add parameters to usage help text.

Andreas Barth (1):
      Remove bogus reference to tc-filters(8) from tc(8) manpage.

Andreas Henriksson (4):
      Fix corruption when using batch files with comments and broken lines.
      iproute2: support dotted-quad netmask notation.
      iproute2: revert syntax help text mistake.
      iproute2: add synonyms for ip rule options to ip(8) manpage.

Denys Fedoryshchenko (1):
      iptables compatibility

François Delawarde (1):
      tc mask patch

Herbert Xu:
      Fix typo in tunnel code (o_key vs. i_key).
      Add NAT action

Jesper Dangaard Brouer (3):
      Overhead calculation is now done in the kernel.
      Cleanup: tc_calc_rtable().
      Change the rate table calc of transmit cost to use upper bound value.

Patrick McHardy (1):
      iproute 2.6.23 incompatibility

Pavel Emelyanov (1):
      iplink_parse() routine

Stephen Hemminger:
      2.6.24-rc3 headers
      Fix off by one in nested attribute management.
      Fix dotted quad for bit order
      veth: use kernel header file
      snapshot target for makefile
      veth.h move to linux/
      Manual page fixes
      add decode of match rules
      Use netinet/tcp.h (with correction) rather than kernel headers
      add include/netinet/tcp.h
      Revert "TC action parsing bug fix"

Tomas Janousek (1):
      Correct documentation regarding PROMISC and ALLMULTI.

Vitaliy Gusev (2):
      Fix lost export-dynamic
      veth device link management

YOSHIFUJI Hideaki / ???? (1):
      rto_min value display overflow


From mehta.salil at gmail.com Wed Jan 9 12:45:10 2008
From: mehta.salil at gmail.com (Salil Mehta)
Date: Tue Feb 5 10:25:52 2008
Subject: [LARTC] Can we filter VLAN related fields using U32 filter at Ingress?
Message-ID:

Hi,

Is there any way I can filter L2 related fields at ingress using the TC U32 filter? I want to filter VLAN, DSAP, SSAP related fields... and further take some packet actions (basically marking the incoming packets) on the basis of it. I do not want to use iptables/ebtables for the same.

Your immediate help would be highly appreciated.

Thanks
--
Maverick
From pupilla at hotmail.com Thu Jan 10 17:35:22 2008
From: pupilla at hotmail.com (Marco Berizzi)
Date: Tue Aug 5 13:35:16 2008
Subject: [LARTC] ip rule and ipsec policy
Message-ID:

Hello everybody.

AFAIK ipsec policies aren't related to routing tables: if there is an ipsec policy to deliver traffic, for example, from 192.168.0.0/16 to 10.0.0.0/8, xfrm will eat the packets ignoring the routing table. Take a look:

# ip ru sh
0:      from all lookup local
601:    from 172.23.0.0/23 iif eth2 lookup isa
32766:  from all lookup main
32767:  from all lookup default

# ip r sh table isa
default via 172.23.1.254 dev eth2  metric 1

When I insert rule number #601, packets from 172.23.0.0/23 to 172.21.1.0/24 are rerouted to 172.23.1.254: xfrm isn't eating them anymore. Is this the expected behaviour? Inserting rule number #501 is a workaround.

# ip ru sh
0:      from all lookup local
501:    from 172.23.0.0/23 to 172.16.0.0/12 iif eth2 lookup main
601:    from 172.23.0.0/23 iif eth2 lookup isa
32766:  from all lookup main
32767:  from all lookup default

# ip x p
src 172.21.1.0/24 dst 172.23.0.0/23
        dir in priority 2376 ptype main
        tmpl src osw-napoli dst osw-genova
                proto comp reqid 16390 mode tunnel
                level use
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16389 mode transport
src 172.23.0.0/23 dst 172.21.1.0/24
        dir out priority 2376 ptype main
        tmpl src osw-genova dst osw-napoli
                proto comp reqid 16390 mode tunnel
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16389 mode transport
src 172.21.1.0/24 dst 172.23.0.0/23
        dir fwd priority 2376 ptype main
        tmpl src osw-napoli dst osw-genova
                proto comp reqid 16390 mode tunnel
                level use
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16389 mode transport

Here are the other routing tables:

# ip r sh table main
cisco-genova dev eth0  scope link
dmz-genova/28 dev eth1  proto kernel  scope link  src osw-genova
172.21.1.0/24 via cisco-genova dev eth0
172.23.0.0/23 dev eth2  proto kernel  scope link  src 172.23.1.8
127.0.0.0/8 dev lo  scope link
default via cisco-genova dev eth0  metric 1

# ip r sh table local
broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1
local 172.23.2.254 dev eth0  proto kernel  scope host  src 172.23.2.254
broadcast dmz-genova dev eth0  proto kernel  scope link  src osw-genova
broadcast dmz-genova dev eth1  proto kernel  scope link  src osw-genova
broadcast broadcast-genova dev eth0  proto kernel  scope link  src osw-genova
broadcast broadcast-genova dev eth1  proto kernel  scope link  src osw-genova
local osw-genova dev eth0  proto kernel  scope host  src osw-genova
local osw-genova dev eth1  proto kernel  scope host  src osw-genova
broadcast 172.23.0.0 dev eth2  proto kernel  scope link  src 172.23.1.8
broadcast 172.23.1.255 dev eth2  proto kernel  scope link  src 172.23.1.8
local 172.23.1.8 dev eth2  proto kernel  scope host  src 172.23.1.8
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1


From salatiel.filho at gmail.com Fri Jan 11 20:11:52 2008
From: salatiel.filho at gmail.com (Salatiel Filho)
Date: Tue Aug 5 13:42:53 2008
Subject: [LARTC] why can't i attach wrr to a htb or hfsc class ?
Message-ID:

Attaching WRR to an HFSC or HTB class, after a while I get all packets dropped and syslog full of "HFSC or HTB: Non-work-conserving qdisc". Any ideas?

--
[]'s
Salatiel
"The greatest pleasure of the intelligent man is to play the idiot in front of an idiot who plays the intelligent man."


From dennyzulfikar at gmail.com Mon Jan 14 03:30:04 2008
From: dennyzulfikar at gmail.com (Denny Zulfikar)
Date: Mon Jun 8 15:09:01 2009
Subject: [LARTC] iptables + tc + squid in one box..
Message-ID:

hello all,

I got a little stuck with my configuration. I have a network like this:

ADSL <---(ppp0 in eth0 : pppoe)---> [Linux BOX : squid+LAN portal+samba] <---> LAN

ADSL link down/up = 256kbps/64kbps
ADSL ppp0/eth0 = public IP
eth1 = 172.16.1.1/24
LAN = 172.16.1.0/24

In the linux box I run squid transparent proxy on port 8080, a web server, and samba file sharing.

I already masquerade all traffic in ppp0 using:

# NAT everything leaving on any ppp interface
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE

Proxy redirection succeeds with this command:

# no -i eth1 here, so port-80 connections arriving on ppp0 are also sent to 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

I limit bandwidth for all clients (one-by-one) with this script:

#!/bin/sh
# flush the old tree, then one HTB root; unmatched traffic goes to 1:9999
tc qdisc del dev eth1 root
tc qdisc add dev eth1 root handle 1: htb default 9999
tc class add dev eth1 parent 1:0 classid 1:10 htb rate 100Mbit

RATE=92kbit

# one HTB leaf plus SFQ per client, selected by destination IP
# (no ceil is given, so each leaf is capped at $RATE)
tc class add dev eth1 parent 1:10 classid 1:100 htb rate $RATE
tc qdisc add dev eth1 parent 1:100 sfq quantum 1514b perturb 15
tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32 match ip dst 172.16.1.2/32 flowid 1:100

tc class add dev eth1 parent 1:10 classid 1:200 htb rate $RATE
tc qdisc add dev eth1 parent 1:200 sfq quantum 1514b perturb 15
tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32 match ip dst 172.16.1.3/32 flowid 1:200

tc class add dev eth1 parent 1:10 classid 1:300 htb rate $RATE
tc qdisc add dev eth1 parent 1:300 sfq quantum 1514b perturb 15
tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32 match ip dst 172.16.1.4/32 flowid 1:300

tc class add dev eth1 parent 1:10 classid 1:400 htb rate $RATE
tc qdisc add dev eth1 parent 1:400 sfq quantum 1514b perturb 15
tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32 match ip dst 172.16.1.5/32 flowid 1:400

# catch-all class for traffic that matched no filter
tc class add dev eth1 parent 1:10 classid 1:9999 htb rate 8Kbit

This is my problem:

1. How to make the total bandwidth down/up for clients only 48kbps/240kbps with these classes:
   - DNS, ssh and telnet, messenger (YM, MSN) -> 1st priority -> 30% of 48kbps/240kbps
   - http/https -> 2nd priority -> 50% of 48kbps/240kbps
   - others (online game, etc) -> 20%.
2. How to make each class above shared fairly among all clients, and all classes able to share with each other if there is any unused bandwidth. So nobody is able to use the full bandwidth when other clients are online, but is able to use all 48kbps/240kbps if only he is online at that time.
3. How to make all clients able to access the router 172.16.1.1 services without queuing in the classes above, so all clients can access router services (internal portal, samba file sharing) without any traffic limit (use full speed ~ 100Mbps).
4. How to make all clients able to access the cache that already exists in the proxy without limit.

I would be very grateful if you could give me any suggestions to solve this problem...

regards,
denny


From pranavadesai at gmail.com Fri Jan 18 18:56:55 2008
From: pranavadesai at gmail.com (Pranav Desai)
Date: Mon Jun 8 15:25:09 2009
Subject: [LARTC] Need to setup large number of qdisc and filter to shape traffic based on src ip
Message-ID:

Hello All,

I want to set up a linux router for load testing which can shape traffic for a large number of users (2000+) based on the src IP, so that each user can have a different bandwidth and delay.
What is the best approach to do this, and what is the performance impact of doing it on one machine (the machine is a quad-core, 8GB RAM and can be beefed up more)?

I am thinking of the following setup:

 ---------------------------       ---------------------       --------------------
| 2 x client machine        |     |                     |     |                    |
| with 1000 ip alias        |--e0-|    Linux Router     |-e1--|     Web Server     |
|                           |     |                     |     |                    |
 ---------------------------       ---------------------       --------------------

The linux router will have qdiscs and filters (for each IP) applied to both interfaces for outbound traffic.

Please let me know if you have any comments or suggestions.

Thanks for your time.
--
Pranav


From shane at hemc.coop Mon Jan 21 17:04:53 2008
From: shane at hemc.coop (Shane McKinley)
Date: Fri Jul 24 10:46:54 2009
Subject: [LARTC] Question: Rate Limiting Per Subnet
Message-ID: <7C454E01C5FAE748BEFE65F4C6B7FD8B010F1D30@s-marcell.hemc.coop>

If I do something like this:

==========================================================================
tc qdisc add dev eth1 root handle 1: htb default 12
tc class add dev eth1 parent 1: classid 1:1 htb rate 25mbit ceil 27mbit
tc class add dev eth1 parent 1:1 classid 1:11 htb rate 5mbit ceil 7mbit
tc class add dev eth1 parent 1:1 classid 1:12 htb rate 25mbit ceil 27mbit
# without a /0 prefix this matches only the exact address 0.0.0.0;
# unmatched traffic lands in 1:12 anyway because of "default 12"
tc filter add dev eth1 protocol ip parent 1:0 prio 1 u32 \
    match ip dst 0.0.0.0 flowid 1:12
tc filter add dev eth1 protocol ip parent 1:0 prio 1 u32 \
    match ip dst 1.1.1.0/24 flowid 1:11
tc qdisc add dev eth1 parent 1:11 handle 3: sfq
tc qdisc add dev eth1 parent 1:12 handle 4: sfq
==========================================================================

NOTICE: match ip dst 1.1.1.0/24 flowid 1:11

Question: Will this share the rate between everyone on the subnet or give each host a guaranteed 5mbit?

Shane


From simon at imaginator.com Tue Jan 22 10:50:30 2008
From: simon at imaginator.com (Simon Tennant)
Date: Fri Jul 24 10:51:18 2009
Subject: [LARTC] Choosing a qlen?
Message-ID: <4795BC5E.8080304@imaginator.com>

qlen must be the worst term to search for on the internet: the results show endless ifconfig output.

I am trying to work out the optimal qlen for:
* ADSL outbound
* wireless outbound.

My current understanding is that it is the buffer in the kernel before the packets hit the buffer on the ethernet card. So a nice fat qlen should allow better traffic prioritisation? Or am I misguided?

If it helps, I'm trying to prioritise traffic and reduce jitter between my asterisk box on the internet and my wifi voip phone hanging off an internal subnet.

S.

--
Simon Tennant
_____________________________________________
fixed: .uk +44 20 7043 6756  .de +49 89 420 955 854
mob:   .uk +44 79 6096 6249  .de +49 17 8545 0880


From s.cramatte at wanadoo.fr Tue Jan 22 16:34:38 2008
From: s.cramatte at wanadoo.fr (Sébastien CRAMATTE)
Date: Mon Jan 18 13:41:01 2010
Subject: [LARTC] Qos performance datas
Message-ID: <47960CF3.1040702@wanadoo.fr>

Hello,

We have tested L7-filter + IPP2P on a P4 3.0GHz HyperThreading with 3GB of RAM. The system is running Debian etch with a 2.6.22 vanilla kernel and is set up as a transparent bridge. Filters are applied in the POSTROUTING chain of the "mangle" table using the iptables physical ethernet module.

With this config we can filter up to:
30Mbits download
25Mbits upload
500-600 users

CPU system usage was around 70% with 0.1 - 0.3 load.
Open conntrack entries were about 76000.

This system filters P2P, VoIP (sip+skype), Web, Ftp, Icmp, Ssh, Ack/Syn, Dns, Smtp.
P2P connections are limited to 4096 per source IP using the "connlimit" iptables module.

Could someone give me his opinion about these performances... Is it quite good? Does the CPU consume too much?
It's difficult to find data to compare.

Regards


From newbie81 at abv.bg Wed Jan 23 04:40:59 2008
From: newbie81 at abv.bg (Az Toq)
Date: Mon Jan 18 13:44:42 2010
Subject: [LARTC] Not another common DiffServ problem
Message-ID: <1231374693.29405.1201059645560.JavaMail.nobody@mail61.abv.bg>

Hi all, you are my last hope :))

I have asked in almost all forums I know but no one helps me deal with my problem. So, the problem: I want to implement DiffServ in my network. For the last two months I have read almost everything on the Internet about DSCP, RFCs and all kinds of forums and did not find a case like mine.

I have a well tested shaper based on CBQ, and want to add DiffServ before CBQ. The idea is to have DiffServ differentiation plus speed shaping, but not on different classes like almost all info on the Internet points to, but shaping on different users (IPs) after the Linux box. All that I see on the Internet about DSCP is based on fair sharing of the Inet link among X PCs, but none with shaping on max speed per user after the DiffServ implementation. I have tried to implement a Cisco based scheme for it but can't find an appropriate queue to use - in case something like WFQ/WF2Q algorithms for Linux.

So, can someone help me with a clue or hint?

I use Debian 3.1 Linux with kernel 2.6.11. I have a very good understanding of iptables, CBQ, TC, most of the qdiscs in Linux.

Thanks in advance.

P.S. I do not have any problems with recognizing and marking packets into different classes in DSCP; I only have problems with how to schedule them before the speed shaping.


From rcugut at gmail.com Wed Jan 23 10:18:11 2008
From: rcugut at gmail.com (Radu CUGUT)
Date: Mon Jan 18 13:45:27 2010
Subject: [LARTC] How to calculate HTB quantum
Message-ID: <18ebe9d30801230118x412e696ap945d578695daa100@mail.gmail.com>

Hello all,

I have a question about the quantum parameter of an HTB class: Is there a formula to calculate the quantum parameter of a class, having the rate and ceil as parameters?
Sometimes, if I omit the quantum parameter for a class, I get a message like "HTB: quantum of class ..... is big/small. Consider r2q change" and shaping sometimes doesn't work very smoothly. This is a common warning and I saw on the lartc mailing list that there are multiple ways to fix it.

But I found a shaper script on a linux box that had a formula for calculating the quantum. I have no idea where the guy that wrote that formula came up with it, but when I use it, it seems to work. What I ask is if someone can explain to me why. The formula I found is this:

quantum = rate*8/5
if quantum > 24000 then quantum = 24000
if quantum < 1500 then quantum = 1500

On the root class there is no r2q parameter set, so I guess HTB puts the default value for it. This works for me. But I don't like that I don't know why.

Thanks very much for any answer.

--
Radu Cugut
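An added worked example in Python (not from the post or from the shaper script Radu quotes) that puts the two formulas side by side: the quantum HTB derives on its own when a class has none, which is where the "Consider r2q change" warning comes from, the value the posted formula yields for the same rate, and the smallest r2q that keeps a class inside the kernel's accepted range. The kernel rule (rate in bytes/s divided by r2q, default r2q 10, warning below 1000 or above 200000 bytes) is taken from sch_htb.c of the 2.6 kernels, and the script's "rate" is assumed to be in bytes/s; both are assumptions stated in the comments.

```python
# Added example (not from the post or the quoted shaper script).
# Assumptions, taken from sch_htb.c of the 2.6 kernels: with no quantum
# given HTB uses rate_bytes_per_sec / r2q (default r2q 10) and logs the
# "Consider r2q change" warning below 1000 or above 200000 bytes; the
# script's "rate" is assumed to be in bytes/s.
from typing import Optional, Tuple

DEFAULT_R2Q = 10
QUANTUM_MIN = 1000      # below this the kernel clamps and logs "is small"
QUANTUM_MAX = 200000    # above this the kernel clamps and logs "is big"
MTU = 1500


def rate_to_bytes_per_sec(rate: str) -> int:
    """Parse a tc-style bit rate ('92kbit', '5mbit', '100Mbit') into bytes/s.
    tc's byte units (kbps, mbps) are left out to keep the parser small."""
    units = {"gbit": 10**9, "mbit": 10**6, "kbit": 10**3, "bit": 1}
    text = rate.strip().lower()
    for suffix, mult in units.items():          # longest suffixes first
        if text.endswith(suffix):
            return int(float(text[:-len(suffix)]) * mult / 8)
    raise ValueError(f"unsupported rate syntax: {rate!r}")


def kernel_quantum(rate: str, r2q: int = DEFAULT_R2Q) -> Tuple[int, Optional[str]]:
    """Quantum HTB picks for a class without one, plus the warning it logs."""
    quantum = rate_to_bytes_per_sec(rate) // r2q
    if quantum < QUANTUM_MIN:
        return QUANTUM_MIN, "small"
    if quantum > QUANTUM_MAX:
        return QUANTUM_MAX, "big"
    return quantum, None


def script_quantum(rate: str) -> int:
    """The posted formula: rate*8/5 clamped to [1500, 24000]. With rate in
    bytes/s this is 1.6 seconds' worth of traffic before the clamps apply."""
    quantum = rate_to_bytes_per_sec(rate) * 8 // 5
    return max(1500, min(24000, quantum))


def r2q_for_range(rate: str, lo: int = MTU, hi: int = QUANTUM_MAX) -> Optional[int]:
    """Smallest r2q keeping rate/r2q inside [lo, hi], or None if none does.
    r2q is set once on the root qdisc, so choose it for the slowest class."""
    bps = rate_to_bytes_per_sec(rate)
    return next((r for r in range(1, 1 << 16) if lo <= bps // r <= hi), None)


if __name__ == "__main__":
    for rate in ("8Kbit", "92kbit", "5mbit", "100Mbit"):
        print(rate, kernel_quantum(rate), script_quantum(rate), r2q_for_range(rate))
```

The 8Kbit catch-all class from the earlier thread is the kind that triggers the "small" warning at the default r2q, while a 100Mbit parent triggers "big"; since r2q is qdisc-wide, one value has to suit both.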