Hello!

I've read a lot of mail archives, but can't find a solution to my problem. I have a router with about 700 users. I'm using HTB with SFQ leaf qdiscs for every user (client IP), so each IP can have its own rate limit. This scheme has been working fine for a long time. But how can I limit the number of connections (sessions) from one host? I see from ip_conntrack that some users have more than 1000 active connections (mostly P2P UDP). As far as I know there is a connlimit patch for iptables, but it is only capable of limiting TCP sessions. And there is the ESFQ qdisc, which allows bandwidth to be divided more fairly, but only inside one class. In my case every user has their own class, and I'm not able to control how many simultaneous connections they make by implementing ESFQ! Also I don't understand how to deal with it from the iptables side: connlimit will not help with UDP.

What can be done in my case?

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Well, only TCP has connections; UDP has none, it is only a stream of packets.

So for each user (IP) you could make a class for TCP and one for UDP:

      IP
     /  \
   TCP  UDP

The TCP class you already know how to limit; the UDP class I would limit with pfifo with a suitable packet limit setting (in practice this would lead to the same effect as the TCP connection limiting), although not a hard limit.

Extra:
I would make a separate high-priority class for ICMP to communicate errors and connection failures back and forth.

NB! P2P normally uses TCP (I know BitTorrent does).

BR
Rasmus Melgaard

On Thursday 02 February 2006 21:58, Jan Tomak wrote:
> But how can I limit the number of connections (sessions) from one host? I see from ip_conntrack that some users have more than 1000 active connections (mostly P2P UDP).
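As an added example (not posted by anyone in this thread), the following script builds the per-user class tree Rasmus describes: the user's existing HTB class gets three leaves, TCP with SFQ, UDP with a short pfifo, and a small highest-priority ICMP leaf, and u32 filters steer traffic to the client by IP protocol. It also emits the connlimit rule Jan mentions, which the thread describes as limiting TCP only. Everything not in the thread is an assumption of mine: interface eth0, an HTB root qdisc 1: with inner class 1:1, filter prio 10, user classes numbered 1:(4*user_index) so each user has room for three children, a 60/30/10 rate split between the leaves, the 10.0.0.5 client address, and the queue/connection limits used in the demo. By default the script only prints the tc and iptables commands; set TC=tc and IPT=iptables as root to apply them.

```shell
#!/usr/bin/env bash
# Added example, not from the LARTC thread. Per-user HTB subtree with
# separate TCP (SFQ), UDP (pfifo) and ICMP (high prio) leaves, plus the
# TCP-only connlimit rule the thread mentions.
# Assumptions (mine): client-facing interface eth0, root qdisc 1: is HTB
# with inner class 1:1, u32 filters at prio 10, user classes numbered
# 1:(4*user_index) so each user has room for three child classes.
# Dry run by default: TC/IPT expand to "echo ..." and only print commands.

TC="${TC:-echo tc}"
IPT="${IPT:-echo iptables}"
DEV="${DEV:-eth0}"

hex() { printf '%x' "$1"; }

# user_classes <user_index> <client_ip> <rate_kbit> <udp_pfifo_limit>
# Splits the user's rate 60/30/10 between TCP/UDP/ICMP (my choice); every
# leaf may borrow up to the full user rate (ceil), so the split only
# matters when the user saturates the class. rate_kbit should be >= 10
# so no leaf ends up with a zero rate.
user_classes() {
    local idx=$1 ip=$2 rate=$3 udp_limit=$4
    local p=$((idx * 4)) tcp=$((idx * 4 + 1)) udp=$((idx * 4 + 2)) icmp=$((idx * 4 + 3))
    local r_tcp=$((rate * 6 / 10)) r_udp=$((rate * 3 / 10))
    local r_icmp=$((rate - r_tcp - r_udp))

    # inner per-user class (the per-IP class the original setup already had)
    $TC class add dev "$DEV" parent 1:1 classid 1:$(hex $p) htb rate ${rate}kbit ceil ${rate}kbit

    # TCP leaf: SFQ as before
    $TC class add dev "$DEV" parent 1:$(hex $p) classid 1:$(hex $tcp) htb rate ${r_tcp}kbit ceil ${rate}kbit prio 1
    $TC qdisc add dev "$DEV" parent 1:$(hex $tcp) handle $(hex $tcp): sfq perturb 10

    # UDP leaf: pfifo with a short queue; excess packets are dropped rather
    # than buffered, which is the soft limit Rasmus describes
    $TC class add dev "$DEV" parent 1:$(hex $p) classid 1:$(hex $udp) htb rate ${r_udp}kbit ceil ${rate}kbit prio 2
    $TC qdisc add dev "$DEV" parent 1:$(hex $udp) handle $(hex $udp): pfifo limit "$udp_limit"

    # ICMP leaf: small, highest priority (HTB prio 0) so error messages
    # still get through when the user's other leaves are saturated
    $TC class add dev "$DEV" parent 1:$(hex $p) classid 1:$(hex $icmp) htb rate ${r_icmp}kbit ceil ${rate}kbit prio 0
    $TC qdisc add dev "$DEV" parent 1:$(hex $icmp) handle $(hex $icmp): pfifo limit 16

    # classify by destination IP (traffic towards the client) and IP protocol:
    # 6 = TCP, 17 = UDP, 1 = ICMP
    local proto
    for proto in 6:$tcp 17:$udp 1:$icmp; do
        $TC filter add dev "$DEV" parent 1: protocol ip prio 10 u32 \
            match ip dst "$ip"/32 match ip protocol ${proto%%:*} 0xff \
            flowid 1:$(hex ${proto#*:})
    done
}

# tcp_connlimit <client_ip> <max_connections>
# Hard cap on concurrent TCP connections from one source using the
# connlimit match the thread refers to; it does not count UDP flows.
tcp_connlimit() {
    local ip=$1 max=$2
    $IPT -A FORWARD -s "$ip" -p tcp --syn -m connlimit --connlimit-above "$max" \
        -j REJECT --reject-with tcp-reset
}

# demo: user 1 at 10.0.0.5 (constructed address), 512 kbit, 50-packet UDP queue,
# at most 200 concurrent TCP connections
user_classes 1 10.0.0.5 512 50
tcp_connlimit 10.0.0.5 200
```

Run it once per user from whatever loop already creates the per-IP classes; with the numbering above, 700 users use class minors up to 0xaf3, well inside HTB's 16-bit range. The pfifo limit caps how many UDP packets can wait in the user's queue at once, so it bounds burstiness rather than the number of UDP "sessions", which is the caveat Rasmus gives.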
So Rasmus, if I put a limit on TCP connections, will it reflect on UDP connections over the same source IP? How can I set a limit on TCP connections?

Regards,
Nataniel Klug

----- Original Message -----
From: "Rasmus Melgaard" <rme@image.dk>
To: <lartc@mailman.ds9a.nl>
Sent: Thursday, February 02, 2006 7:17 PM
Subject: Re: [LARTC] limit number of connections per ip

> Well, only TCP has connections; UDP has none, it is only a stream of packets.
>
> The TCP class you already know how to limit; the UDP class I would limit with pfifo with a suitable packet limit setting (in practice this would lead to the same effect as the TCP connection limiting), although not a hard limit.