In the out chain you're marking them as mark 5, but only saving it as mark
7. That would cause you to possibly miss some TCP streams, but depending on
the protocol a lot might be marked just from the incoming data. As for how
much data was marked, look at the incoming counters: of the 100,854
packets, 78,910 had a mark restored, and 2904 were newly marked. That means
81814 out of 100,854 incoming packets were marked as p2p; that's 80% and a
lot more than 625k. Beyond the mark 5/7 mixup in the outgoing marking, you
also didn't mention the IMQ rule in the previous email. Normally the
iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j ACCEPT
rule is good, as it makes sure the mark doesn't get changed again after it's been
saved once and later restored. However, in this case it means it was
leaving your chain before reaching the IMQ target. So for your case it
should be safe to remove that rule. This will likely fix the problem you
were really having, of the incoming data not all going to the IMQ.
- Jody
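What Jody describes above (one mark value per direction, a save rule that matches the value the MARK rule actually sets, and an early ACCEPT that must not sit ahead of the IMQ target) is easy to get wrong in a long script, so here is an added example: an editor's shell script, not code from this thread or from the ipp2p/IMQ projects. It generates a consistent chain for one direction, lints a ruleset for exactly the two problems pointed out in this reply, and computes the marked share that Jody worked out by hand from an iptables -t mangle -L CHAIN -v -n -x listing. The chain names and mark values are parameters, the thread_rules function holds the rules as posted in the thread, and the counter listing is constructed to mirror the DSL-IN numbers posted there; the script only emits and inspects text, so it runs without root and without the ipp2p or IMQ patches.

```shell
#!/bin/sh
# Added example (editor's, not code from the thread). It emits one direction
# of the CONNMARK/ipp2p chain with a single mark value, lints a ruleset for
# the two things Jody points out (a MARK --set-mark value that the chain's
# CONNMARK --save-mark rule never matches, and an "-m mark ! --mark 0 -j
# ACCEPT" that leaves the chain before its IMQ target), and reads the marked
# share out of iptables counters. Nothing here touches the kernel: it only
# generates and inspects text, so it runs unprivileged. Chain names, mark
# values and the sample counter listing are constructed for the example.

# gen_mark_rules CHAIN MARK [IMQDEV]: restore, (skip), match, save, (IMQ).
# The early ACCEPT is only emitted when no IMQ target follows it.
gen_mark_rules() {
    chain=$1; mark=$2; imq=$3
    printf 'iptables -t mangle -A %s -p tcp -j CONNMARK --restore-mark\n' "$chain"
    [ -z "$imq" ] && printf 'iptables -t mangle -A %s -p tcp -m mark ! --mark 0 -j ACCEPT\n' "$chain"
    printf 'iptables -t mangle -A %s -m ipp2p --edk --kazaa --gnu --dc --bit -j MARK --set-mark %s\n' "$chain" "$mark"
    printf 'iptables -t mangle -A %s -p tcp -m mark --mark %s -j CONNMARK --save-mark\n' "$chain" "$mark"
    [ -n "$imq" ] && printf 'iptables -t mangle -A %s -j IMQ --todev %s\n' "$chain" "$imq"
    return 0
}

# lint_marks: reads "iptables ..." lines on stdin, prints one finding per
# problem and exits 1 if there were any. Marks are tracked per chain, so a
# --set-mark 7 in DSL-IN does not excuse a --save-mark waiting for 7 in DSL-OUT.
lint_marks() {
    awk '
    function chain(  i) { for (i = 1; i <= NF; i++) if ($i == "-A" || $i == "-I") return $(i+1); return "?" }
    /-j MARK --set-mark/ { for (i = 1; i <= NF; i++) if ($i == "--set-mark") setmark[chain(), $(i+1)] = 1 }
    /-j CONNMARK --save-mark/ {
        for (i = 2; i <= NF; i++) if ($i == "--mark" && $(i-1) != "!") { want[NR] = $(i+1); wchain[NR] = chain() }
    }
    /-m mark ! --mark 0 -j ACCEPT/ { skip[chain()] = NR }
    /-j IMQ/ { imq[chain()] = NR }
    END {
        bad = 0
        for (n in want) if (!((wchain[n], want[n]) in setmark)) {
            printf "line %d: %s saves mark %s but nothing in that chain sets it\n", n, wchain[n], want[n]; bad = 1
        }
        for (c in imq) if ((c in skip) && skip[c] < imq[c]) {
            printf "chain %s: ACCEPT at line %d bypasses the IMQ target at line %d\n", c, skip[c], imq[c]; bad = 1
        }
        exit bad
    }'
}

# marked_share: reads an "iptables -t mangle -L CHAIN -v -n -x" listing on stdin
# (-x keeps counters exact instead of "78K") and prints the integer percentage of
# packets seen by the restore rule that were either restored (the ACCEPT rule) or
# freshly marked (the ipp2p MARK rule). The MARK rule has no -p, so UDP marks are
# counted against the TCP total the restore rule saw; treat it as a rough share.
marked_share() {
    awk '
    $1 !~ /^[0-9]+$/ { next }
    $3 == "CONNMARK" && /restore/ { total = $1 }
    $3 == "ACCEPT" && /match !0x0/ { restored = $1 }
    $3 == "MARK" && /ipp2p/ { fresh += $1 }
    END { if (total == 0) { print "no restore rule found"; exit 1 }
          printf "%d\n", (restored + fresh) * 100 / total }'
}

# The DSL-OUT/DSL-IN rules as posted in the thread (set-mark 5 vs save-mark 7,
# and the early ACCEPT ahead of the IMQ target), for the lint to chew on.
thread_rules() {
    cat <<'EOF'
iptables -t mangle -A DSL-OUT -p tcp -j CONNMARK --restore-mark
iptables -t mangle -A DSL-OUT -p tcp -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A DSL-OUT -m ipp2p --edk --dc --bit --soul -j MARK --set-mark 5
iptables -t mangle -A DSL-OUT -p tcp -m mark --mark 7 -j CONNMARK --save-mark
iptables -t mangle -A DSL-IN -p tcp -j CONNMARK --restore-mark
iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A DSL-IN -m ipp2p --edk --dc --bit --soul -j MARK --set-mark 7
iptables -t mangle -A DSL-IN -p tcp -m mark --mark 7 -j CONNMARK --save-mark
iptables -t mangle -A DSL-IN -j IMQ --todev 0
EOF
}

# Constructed counter listing mirroring the thread's DSL-IN numbers, one rule per line.
sample_dsl_in() {
    cat <<'EOF'
Chain DSL-IN (1 references)
    pkts      bytes target     prot opt in     out     source               destination
  100854   97487345 CONNMARK   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore
   78190   92347437 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK match !0x0
    2904     625681 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ipp2p v0.8.0 --edk --dc --bit --soul MARK set 0x7
     274      39048 CONNMARK   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK match 0x7 CONNMARK save
   30759    6358180 IMQ        all  --  *      *       0.0.0.0/0            0.0.0.0/0            IMQ: todev 0
EOF
}

gen_mark_rules DSL-OUT 5 | lint_marks && echo "generated DSL-OUT: consistent"
gen_mark_rules DSL-IN 7 0 | lint_marks && echo "generated DSL-IN: consistent"
thread_rules | lint_marks || echo "thread ruleset: see findings above"
printf 'DSL-IN marked share: %s%%\n' "$(sample_dsl_in | marked_share)"
```

Run as-is it reports the two findings for the posted rules and prints 80 for the DSL-IN share (78190 restored plus 2904 freshly marked, over the 100854 packets the restore rule saw); to check your own script, pipe its iptables lines into lint_marks and a -v -n -x listing of the chain into marked_share.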
On 2/7/06, Vaidas <admin@vdx.lt> wrote:
> All right...
>
> tc qdisc add dev $DEV root handle 2:0 htb default 20 r2q 2
> tc class add dev $DEV parent 2:0 classid 2:10 htb rate ${RATETOTAL}kbit
> tc class add dev $DEV parent 2:10 classid 2:20 htb rate ${RATETOTAL}kbit ceil ${RATETOTAL}kbit prio 0
> tc class add dev $DEV parent 2:10 classid 2:21 htb rate 1kbit ceil ${RATEUP}kbit prio 1
> tc qdisc add dev $DEV parent 2:20 handle 20:0 sfq perturb 10
> tc qdisc add dev $DEV parent 2:21 handle 21:0 sfq perturb 10
> tc filter add dev $DEV parent 2:0 prio 1 protocol ip handle 5 fw flowid 2:21
> iptables -t mangle -N DSL-OUT
> iptables -t mangle -I POSTROUTING -o $DEV -j DSL-OUT
> iptables -t mangle -A DSL-OUT -p tcp -j CONNMARK --restore-mark
> iptables -t mangle -A DSL-OUT -p tcp -m mark ! --mark 0 -j ACCEPT
> iptables -t mangle -A DSL-OUT -m ipp2p --edk --dc --bit --soul -j MARK --set-mark 5
> iptables -t mangle -A DSL-OUT -p tcp -m mark --mark 7 -j CONNMARK --save-mark
>
> ip link set imq0 up
> tc qdisc add dev imq0 root handle 2:0 htb default 20 r2q 2
> tc class add dev imq0 parent 2:0 classid 2:10 htb rate ${RATETOTAL}kbit
> tc class add dev imq0 parent 2:10 classid 2:20 htb rate ${RATETOTAL}kbit ceil ${RATETOTAL}kbit prio 0
> tc class add dev imq0 parent 2:10 classid 2:21 htb rate 2kbit ceil ${RATEDN}kbit prio 1
> tc qdisc add dev imq0 parent 2:20 handle 20:0 sfq perturb 10
> tc qdisc add dev imq0 parent 2:21 handle 21:0 sfq perturb 10
> tc filter add dev imq0 parent 2:0 prio 1 protocol ip handle 7 fw flowid 2:21
> iptables -t mangle -N DSL-IN
> iptables -t mangle -I PREROUTING -i $DEV -j DSL-IN
> iptables -t mangle -A DSL-IN -p tcp -j CONNMARK --restore-mark
> iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j ACCEPT
> iptables -t mangle -A DSL-IN -m ipp2p --edk --dc --bit --soul -j MARK --set-mark 7
> iptables -t mangle -A DSL-IN -p tcp -m mark --mark 7 -j CONNMARK --save-mark
> iptables -t mangle -A DSL-IN -j IMQ --todev 0
>
> Still not working :))))))))
> I don't know what else to do, tried everything :/
>
> The uTorrent have downloading for half an hour, but the counters are...
>
> Chain DSL-OUT (1 references)
>   pkts   bytes target    prot opt in  out source   destination
>  80515 5464493 CONNMARK  tcp  --  any any anywhere anywhere  CONNMARK restore
>  52501 3402390 ACCEPT    tcp  --  any any anywhere anywhere  MARK match !0x0
>   3593  464055 MARK      all  --  any any anywhere anywhere  ipp2p v0.8.0 --edk --dc --bit --soul MARK set 0x5
>      0       0 CONNMARK  tcp  --  any any anywhere anywhere  MARK match 0x7 CONNMARK save
>
> Chain DSL-IN (1 references)
>   pkts    bytes target    prot opt in  out source   destination
> 100854 97487345 CONNMARK  tcp  --  any any anywhere anywhere  CONNMARK restore
>  78190 92347437 ACCEPT    tcp  --  any any anywhere anywhere  MARK match !0x0
>   2904   625681 MARK      all  --  any any anywhere anywhere  ipp2p v0.8.0 --edk --dc --bit --soul MARK set 0x7
>    274    39048 CONNMARK  tcp  --  any any anywhere anywhere  MARK match 0x7 CONNMARK save
>  30759  6358180 IMQ       all  --  any any anywhere anywhere  IMQ: todev 0
>
> Only 625681 bytes marked as p2p :(
>
> -----Original Message-----
> From: Jody Shumaker [mailto:jody.shumaker@gmail.com]
> Sent: 6 February 2006 21:23
> To: Vaidas
> Cc: lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] p2p marking, again
>
> Bah, I don't know why I didn't notice this before in your previous
> email. It's obvious now that you gave the stats output:
> iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --restore-mark
> that line is horribly wrong, it should be:
> iptables -t mangle -A DSL-IN -p tcp -j CONNMARK --restore-mark
> The whole point is that ipp2p can't match on every packet! So you save
> the mark and then restore it. However, you were conditionally
> restoring the mark only when ipp2p matched, which completely defeats
> the purpose. There's also no reason to have the "-m ipp2p --ipp2p"
> when saving the mark, as this adds more work than is necessary.
> Instead of:
> iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --save-mark
> I'd suggest:
> iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j CONNMARK --save-mark
> As this match would be much faster, and would mean no redundant work
> on matching ipp2p. I'd also suggest combining your tcp and udp
> matches for ipp2p into 1.
>
> I'd also suggest not using the -m ipp2p --ipp2p, instead listing out the
> protocols to match, even if it's all of them. For some reason, --ipp2p
> doesn't match all of the safe to identify protocols. I used it at one
> point but then after updating it stopped including bittorrent. As
> listed on the ipp2p docs right now:
> -m ipp2p --ipp2p
> -m ipp2p --edk --kazaa --gnu --dc
> are identical, meaning --ipp2p only matches edonkey, kazaa, gnutella,
> and directconnect. Leaving out the very easy to match and common
> Bittorrent. I'd suggest using:
> -m ipp2p --edk --kazaa --gnu --dc --bit
>
> In the end this would result in this for your script:
> #restore mark
> iptables -t mangle -A DSL-IN -p tcp -j CONNMARK --restore-mark
> #skip rest of chain if packet already marked
> iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j ACCEPT
> #match p2p traffic.
> iptables -t mangle -A DSL-IN -m ipp2p --bit --edk --kazaa --gnu --dc -j MARK --set-mark 7
> #save mark
> iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j CONNMARK --save-mark
>
> - Jody
>
> On 2/6/06, Vaidas <admin@vdx.lt> wrote:
> >
> > Hey, one more question for ipp2p
> >
> > iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --restore-mark
> > iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j ACCEPT
> > iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j MARK --set-mark 7
> > iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --save-mark
> > iptables -t mangle -A DSL-IN -p udp -m ipp2p --ipp2p -j MARK --set-mark 7
> >
> > By this set of commands, should all p2p packets get marked properly? Because very few of them are marked on my server...
> >
> > Chain DSL-IN (1 references)
> >   pkts    bytes target    prot opt in  out source   destination
> >  13708  2260152 CONNMARK  tcp  --  any any anywhere anywhere  ipp2p v0.8.1_rc1 --ipp2p CONNMARK restore
> >  11456  2016247 ACCEPT    tcp  --  any any anywhere anywhere  MARK match !0x0
> >   2252   243905 MARK      tcp  --  any any anywhere anywhere  ipp2p v0.8.1_rc1 --ipp2p MARK set 0x7
> >   2252   243905 CONNMARK  tcp  --  any any anywhere anywhere  ipp2p v0.8.1_rc1 --ipp2p CONNMARK save
> > 183300 33333958 MARK      udp  --  any any anywhere anywhere  ipp2p v0.8.1_rc1 --ipp2p MARK set 0x7
> >
> > Only a few Kbytes of TCP, and a few Mbytes of UDP... but downloading was at 320kbps all night
> >
> > ______________________________________
> > Vaidas
> > VDXnet systems administrator
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc