hi!

I'd like to prioritize ssh traffic, but of course I don't like scp to get prioritized, too. In the "actual script" of the howto prioritization is done with this:

| # TOS Minimum Delay (ssh, NOT scp) in 1:10:
| tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
|       match ip tos 0x10 0xff flowid 1:10

I'm not sure if I got all of it, but it seems to me that there is no port match - it seems to me that this rule matches all packets with a Minimize-Delay 16 (0x10) TOS value.

I watched some packets with tcpdump and it also seems that scp packets all have the Maximize-Throughput 8 (0x08) TOS value, but all "pure ssh" packets have Normal-Service 0 (0x00). It's no problem to match these packets with iptables (just drop me a note if you want to have the iptables syntax). But the question I have is:

Are these TOS values standard for ssh and scp, or do all ssh/scp clients use the values they like? I searched the net, but haven't found anything useful yet.

best regards

Sebastian

--
Sebastian 'spax' Pape          | A diplomat is someone who can tell you to go
mailto: sebastian@p-a-p-e.de   | to hell in such a way that you will look
gpg: http://p-a-p-e.de/gpg.asc | forward to the trip.
--- Do you want to know more? http://www.p-a-p-e.de/ ---
Hi,

You are out of luck here. There is no distinction between ssh and scp at IP, TCP or the application layer for that matter. Basically scp is a wrapper which uses ssh as the transfer method...

Ramin

On Mon, Nov 25, 2002 at 08:12:07PM +0100, Sebastian 'spax' Pape wrote:
> hi!
>
> I'd like to prioritize ssh traffic, but of course I don't like scp to
> get prioritized, too. In the "actual script" of the howto prioritization
> is done with this:
>
> | # TOS Minimum Delay (ssh, NOT scp) in 1:10:
> | tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
> |       match ip tos 0x10 0xff flowid 1:10
>
> I'm not sure if I got all of it, but it seems to me that there is no
> port match - it seems to me that this rule matches all packets with a
> Minimize-Delay 16 (0x10) TOS value.
>
> I watched some packets with tcpdump and it also seems that scp packets
> all have the Maximize-Throughput 8 (0x08) TOS value, but all "pure
> ssh" packets have Normal-Service 0 (0x00). It's no problem to match
> these packets with iptables (just drop me a note if you want to have
> the iptables syntax). But the question I have is:
>
> Are these TOS values standard for ssh and scp, or do all
> ssh/scp clients use the values they like? I searched the net, but
> haven't found anything useful yet.
>
> best regards
>
> Sebastian
>
> --
> Sebastian 'spax' Pape          | A diplomat is someone who can tell you to go
> mailto: sebastian@p-a-p-e.de   | to hell in such a way that you will look
> gpg: http://p-a-p-e.de/gpg.asc | forward to the trip.
> --- Do you want to know more? http://www.p-a-p-e.de/ ---
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
On Monday 25 November 2002 20:12, Sebastian 'spax' Pape wrote:
> I watched some packets with tcpdump and it also seems that scp packets
> all have the Maximize-Throughput 8 (0x08) TOS value, but all "pure
> ssh" packets have Normal-Service 0 (0x00). It's no problem to match
> these packets with iptables (just drop me a note if you want to have
> the iptables syntax). But the question I have is:

could you please tell me how you match ssh and not scp with iptables?

--
Regards,
Robert
----------------
Robert Penz robert.penz AT outertech.com
For posterity:

Data gathered with the following tcpdump command:

  # tcpdump -nnqti eth0 port 22 and host y.y.y.y

ssh session:
  <session setup snipped, no special ToS value; normal>

  x.x.x.x.48101 > y.y.y.y.22: tcp 48 (DF) [tos 0x10]
  y.y.y.y.22 > x.x.x.x.48101: tcp 0 (DF)
  y.y.y.y.22 > x.x.x.x.48101: tcp 48 (DF) [tos 0x10]
  y.y.y.y.22 > x.x.x.x.48101: tcp 80 (DF) [tos 0x10]
  x.x.x.x.48101 > y.y.y.y.22: tcp 0 (DF) [tos 0x10]

scp session:
  <session setup snipped, no special ToS value; normal>

  y.y.y.y.22 > x.x.x.x.48103: tcp 48 (DF)
  x.x.x.x.48103 > y.y.y.y.22: tcp 64 (DF) [tos 0x8]
  y.y.y.y.22 > x.x.x.x.48103: tcp 48 (DF) [tos 0x8]
  x.x.x.x.48103 > y.y.y.y.22: tcp 0 (DF) [tos 0x8]
  y.y.y.y.22 > x.x.x.x.48103: tcp 48 (DF) [tos 0x8]

So, one *should* be able to do something like this:

  # iptables -t filter -A FORWARD -m tos --tos 0x08 -j scpchain
  # iptables -t filter -A FORWARD -m tos --tos 0x10 -j sshchain

http://iptables-tutorial.frozentux.net/iptables-tutorial.html

I haven't done it..... Good luck,

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
Hello,

It's nice but ...

When I make an ssh connection, it has tos 0x10. It's OK.
When I use ssh with any command, then the tos is 0x8 (i.e. ssh user@host su).

And a little trick to end... When I make an ssh tunnel, it has tos 0x10 and so I can push data with the minimum-delay tos.

I think the only possibility is to use the bytecount patch.

On Mon, 25 Nov 2002, Martin A. Brown wrote:
> For posterity:
>
> Data gathered with the following tcpdump command:
>
>   # tcpdump -nnqti eth0 port 22 and host y.y.y.y
>
> ssh session:
>   <session setup snipped, no special ToS value; normal>
>
>   x.x.x.x.48101 > y.y.y.y.22: tcp 48 (DF) [tos 0x10]
>   y.y.y.y.22 > x.x.x.x.48101: tcp 0 (DF)
>   y.y.y.y.22 > x.x.x.x.48101: tcp 48 (DF) [tos 0x10]
>   y.y.y.y.22 > x.x.x.x.48101: tcp 80 (DF) [tos 0x10]
>   x.x.x.x.48101 > y.y.y.y.22: tcp 0 (DF) [tos 0x10]
>
> scp session:
>   <session setup snipped, no special ToS value; normal>
>
>   y.y.y.y.22 > x.x.x.x.48103: tcp 48 (DF)
>   x.x.x.x.48103 > y.y.y.y.22: tcp 64 (DF) [tos 0x8]
>   y.y.y.y.22 > x.x.x.x.48103: tcp 48 (DF) [tos 0x8]
>   x.x.x.x.48103 > y.y.y.y.22: tcp 0 (DF) [tos 0x8]
>   y.y.y.y.22 > x.x.x.x.48103: tcp 48 (DF) [tos 0x8]
>
> So, one *should* be able to do something like this:
>
>   # iptables -t filter -A FORWARD -m tos --tos 0x08 -j scpchain
>   # iptables -t filter -A FORWARD -m tos --tos 0x10 -j sshchain
>
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
>
> I haven't done it..... Good luck,
>
> -Martin

--
`)_|_(' PSIkappa I k psi _at_ talker.sk
hi Martin,

I found almost the same, except that my ssh packets didn't have their TOS value set.

> So, one *should* be able to do something like this:
>
>   # iptables -t filter -A FORWARD -m tos --tos 0x08 -j scpchain
>   # iptables -t filter -A FORWARD -m tos --tos 0x10 -j sshchain

That's almost the same idea as in the "actual script" from the HOWTO. So it seems my ssh client doesn't like to set tos values :o

> http://iptables-tutorial.frozentux.net/iptables-tutorial.html

*bookmarked* ;)

greetings

Sebastian

--
Sebastian 'spax' Pape          | "Things should be as simple as possible, but
mailto: sebastian@p-a-p-e.de   | not simpler." -- Albert Einstein
gpg: http://p-a-p-e.de/gpg.asc |
--- Do you want to know more? http://www.p-a-p-e.de/ ---
On Mon, 25 Nov 2002, Robert Penz wrote:
> could you please tell me how you match ssh and not scp with iptables?

I did almost the same as Martin suggested:

| So, one *should* be able to do something like this:
|
|   # iptables -t filter -A FORWARD -m tos --tos 0x08 -j scpchain
|   # iptables -t filter -A FORWARD -m tos --tos 0x10 -j sshchain

# (ssh)
# $IPTABLES -A PREROUTING -t mangle -p tcp --dport 22 \
#           -m tos ! --tos Maximize-Throughput \
#           -j MARK --set-mark 2
# (scp)
# $IPTABLES -A PREROUTING -t mangle -p tcp --dport 22 \
#           -m tos --tos Maximize-Throughput \
#           -j MARK --set-mark 8

It works for me, but I'm not sure if it is in general correct.

greetings

Sebastian

--
Sebastian 'spax' Pape          | "Things should be as simple as possible, but
mailto: sebastian@p-a-p-e.de   | not simpler." -- Albert Einstein
gpg: http://p-a-p-e.de/gpg.asc |
--- Do you want to know more? http://www.p-a-p-e.de/ ---
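Editor's added example (not code from the thread or from the LARTC HOWTO), tying together Martin's tcpdump data, PSIkappa's observation that the TOS byte reflects only what the remote ssh chose to set, and Sebastian's mangle rules. The explanation behind the captures is that OpenSSH of that era set IPTOS_LOWDELAY (0x10) once it knew a tty was requested and IPTOS_THROUGHPUT (0x08) otherwise, which is why the handshake packets carry no TOS, why scp gets 0x08, and why a command run without a tty gets 0x08 while a tunnel opened from an interactive session gets 0x10. Newer OpenSSH replaces these constants with the IPQoS option (DSCP af21 for interactive, cs1 for bulk by default), so the 0x10/0x08 values are era-specific. The script below parses lines in the format of the `tcpdump -nnqti` output above, aggregates them per connection, classifies each flow the way the tos matches in the thread would, and additionally demotes a flow that claims Minimize-Delay but keeps pushing data, which is the bytecount idea from the thread done in user space. `BULK_THRESHOLD`, `MARK_FOR_CLASS` and the sample capture (documentation addresses) are assumptions made for this example.

```python
"""Classify port-22 flows from a tcpdump capture by the TOS value the peer set.

Added example, not code from the thread. Parses lines in the format of
Martin's ``tcpdump -nnqti`` output, aggregates them per connection and derives
the class the iptables tos matches in the thread would assign. Because the TOS
byte is chosen by the sending host, a flow that claims Minimize-Delay but keeps
pushing data is demoted once it exceeds BULK_THRESHOLD payload bytes.
BULK_THRESHOLD, MARK_FOR_CLASS and SAMPLE_CAPTURE are assumptions for the example.
"""
import re
from collections import Counter, defaultdict

IPTOS_LOWDELAY = 0x10       # RFC 1349 Minimize-Delay: interactive ssh
IPTOS_THROUGHPUT = 0x08     # RFC 1349 Maximize-Throughput: scp / non-tty sessions
SSH_PORT = 22
BULK_THRESHOLD = 64 * 1024  # payload bytes after which "low delay" is no longer believed (assumption)

# fwmark values following Sebastian's mangle rules (2 = ssh, 8 = scp); demoted flows get scp's mark
MARK_FOR_CLASS = {"ssh": 2, "scp": 8, "ssh-bulk": 8}

# matches e.g.  x.x.x.x.48101 > y.y.y.y.22: tcp 48 (DF) [tos 0x10]
LINE_RE = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): tcp (?P<len>\d+)"
    r"(?: \(DF\))?(?: \[tos 0x(?P<tos>[0-9a-fA-F]+)\])?$"
)


def parse_line(line):
    """Return the fields of one tcpdump TCP line, or None if the line is something else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
            "dport": int(m["dport"]), "len": int(m["len"]),
            "tos": int(m["tos"], 16) if m["tos"] else 0}


def flow_key(pkt):
    """Identify the connection by its client side, whichever direction the packet travels."""
    if pkt["dport"] == SSH_PORT:
        return (pkt["src"], pkt["sport"], pkt["dst"])
    if pkt["sport"] == SSH_PORT:
        return (pkt["dst"], pkt["dport"], pkt["src"])
    return None


def summarize(capture):
    """Per flow: total TCP payload bytes and a histogram of the non-zero TOS values seen."""
    flows = defaultdict(lambda: {"bytes": 0, "tos": Counter()})
    for line in capture.splitlines():
        pkt = parse_line(line)
        key = flow_key(pkt) if pkt else None
        if key is None:
            continue
        flows[key]["bytes"] += pkt["len"]
        if pkt["tos"]:
            flows[key]["tos"][pkt["tos"]] += 1
    return flows


def classify(flow):
    if not flow["tos"]:
        return "normal"          # the client never set a TOS (Sebastian's client)
    tos, _ = flow["tos"].most_common(1)[0]
    if tos == IPTOS_THROUGHPUT:
        return "scp"
    if tos == IPTOS_LOWDELAY:
        return "ssh-bulk" if flow["bytes"] > BULK_THRESHOLD else "ssh"
    return "other"


def classify_capture(capture):
    """Map each (client_ip, client_port, server_ip) to its class name."""
    return {key: classify(flow) for key, flow in summarize(capture).items()}


# Constructed capture: an interactive session, an scp transfer, a tunnel that
# moves bulk data under TOS 0x10, and a client that never sets a TOS at all.
SAMPLE_CAPTURE = "\n".join(
    [
        "192.0.2.10.48101 > 198.51.100.7.22: tcp 48 (DF)",
        "198.51.100.7.22 > 192.0.2.10.48101: tcp 0 (DF)",
        "192.0.2.10.48101 > 198.51.100.7.22: tcp 48 (DF) [tos 0x10]",
        "198.51.100.7.22 > 192.0.2.10.48101: tcp 80 (DF) [tos 0x10]",
        "192.0.2.10.48101 > 198.51.100.7.22: tcp 0 (DF) [tos 0x10]",
        "192.0.2.10.48103 > 198.51.100.7.22: tcp 64 (DF) [tos 0x8]",
        "198.51.100.7.22 > 192.0.2.10.48103: tcp 1448 (DF) [tos 0x8]",
        "192.0.2.10.48103 > 198.51.100.7.22: tcp 0 (DF) [tos 0x8]",
        "192.0.2.11.41000 > 198.51.100.7.22: tcp 48 (DF)",
        "198.51.100.7.22 > 192.0.2.11.41000: tcp 80 (DF)",
    ]
    + ["192.0.2.10.48105 > 198.51.100.7.22: tcp 1448 (DF) [tos 0x10]"] * 60
)

if __name__ == "__main__":
    for key, cls in sorted(classify_capture(SAMPLE_CAPTURE).items()):
        print(f"{key[0]}:{key[1]} -> {key[2]}  class={cls}  fwmark={MARK_FOR_CLASS.get(cls)}")
```

The point of the byte counter is the one PSIkappa makes: a tos match alone hands the priority decision to the remote host, so anything it sends with 0x10 set (a tunnel, or a client patched to always set it) lands in the fast class. Demoting a flow after it has moved more than a few tens of kilobytes keeps keystrokes fast and takes the decision away from the sender; in the kernel the same effect needs connection tracking plus a byte-count match, which is what the bytecount patch provides.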
--On Monday, November 25, 2002 8:12 PM +0100 Sebastian 'spax' Pape <pape@rbg.informatik.tu-darmstadt.de> wrote:

> Are these TOS values standard for ssh and scp, or do all
> ssh/scp clients use the values they like? I searched the net, but
> haven't found anything useful yet.

Good question. In general, is there a Linux API for setting TOS on a connection? Or for UDP? For example, what would be the "right" values for UDP game packets, which suffer if dropped or delayed?
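Editor's added example (not code from the thread) for the API question asked above. The Linux API is the IP_TOS socket option, set with setsockopt(2) at level IPPROTO_IP; it applies to TCP and UDP sockets alike, and the kernel writes the value into the TOS byte of every IPv4 datagram the socket sends (IPv6 uses IPV6_TCLASS). The sockets below are never connected, so the script runs without network access. The DSCP codepoints in `DSCP_EXAMPLES` are the common modern choices (RFC 2474 and RFC 4594), not values the thread prescribes.

```python
"""Set the IP TOS byte on a Linux socket and read it back.

Added example, not code from the thread. Uses the IP_TOS socket option
(setsockopt(2), level IPPROTO_IP), which works for TCP and UDP sockets; the
kernel copies the value into the TOS byte of each outgoing IPv4 datagram.
The DSCP values in DSCP_EXAMPLES are assumptions about what an application
would want today, not something the thread states.
"""
import socket

# RFC 1349 TOS bits, the values seen in the thread's tcpdump output
IPTOS_LOWDELAY = 0x10
IPTOS_THROUGHPUT = 0x08
IPTOS_RELIABILITY = 0x04
IPTOS_MINCOST = 0x02

# DSCP occupies the top six bits of the byte; the low two bits are ECN and
# are left to the transport. EF is the usual choice for latency-sensitive
# UDP such as voice or game state; AF21 interactive, CS1 bulk/background.
DSCP_EXAMPLES = {"EF": 46, "AF21": 18, "CS1": 8}

SOCK_TYPES = {"tcp": socket.SOCK_STREAM, "udp": socket.SOCK_DGRAM}


def dscp_to_tos(dscp):
    """Convert a six-bit DSCP codepoint to the byte value handed to IP_TOS."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a six-bit value")
    return dscp << 2


def set_tos(sock, tos):
    """Set IP_TOS on an open IPv4 socket and return what the kernel reports back."""
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, tos)
    return sock.getsockopt(socket.IPPROTO_IP, socket.IP_TOS)


def tos_roundtrip(proto, tos):
    """Create a throwaway "tcp" or "udp" socket and round-trip a TOS value through it."""
    with socket.socket(socket.AF_INET, SOCK_TYPES[proto]) as s:
        return set_tos(s, tos)


if __name__ == "__main__":
    print("udp Minimize-Delay     ->", hex(tos_roundtrip("udp", IPTOS_LOWDELAY)))
    print("tcp Maximize-Throughput->", hex(tos_roundtrip("tcp", IPTOS_THROUGHPUT)))
    for name, dscp in DSCP_EXAMPLES.items():
        print(f"udp DSCP {name:<4}           -> {hex(tos_roundtrip('udp', dscp_to_tos(dscp)))}")
```

No special privilege is needed to set the byte, which is the other half of the answer to the original question: the values are whatever the sending application (or anyone on the path) chooses, so a shaper that trusts them is trusting the sender. For ssh specifically, newer OpenSSH exposes this option as IPQoS, with defaults of af21 for interactive and cs1 for bulk sessions, so on a current system the bytes to match are 0x48 and 0x20 rather than 0x10 and 0x08.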