John B Dunning/NS/WSC
2004-Jun-03 11:30 UTC
iptables mangle table PREROUTING rule with -o flag
Greetings all, I realize from the subject line this makes little sense but here's the scenario: I'm trying to shape (via priority - not bandwidth) peer to peer traffic from a number of clients. Currently I use an IMQ device to bring all their outbound (inbound to me - outbound to Inet) traffic together to work with policies all at the same time. I'm testing the IP-P2P modules for iptables and so far they seem to grab the traffic pretty well but here's the problem.

I'd like to set the priority for all P2P traffic in one shot - thus I have to do it at my IMQ device via a -j CLASSIFY target in iptables. Problem is that the classify target requires that the device with the classes be the "-o device" parameter so it knows which device to query for the classes - but you can't use -o with the PREROUTING list in the mangle table because normally it would make no sense. Would it be possible to modify iptables to allow -o device in the PREROUTING list if the device type is IMQ?? Does this make any sense??

John Dunning
Asst Dir Net & Tech Svcs
Wayne State College
On Thursday 03 June 2004 07:30, John B Dunning/NS/WSC wrote:
> Greetings all,
<snip>
> the mangle table because normally it would make no sense. Would it be
> possible to modify iptables to allow -o device in the PREROUTING list if
> the device type is IMQ??

If it is, you'd have to ask the Netfilter people. You might have to switch to using -j MARK or, if possible, mark in the POSTROUTING chain. I have been using CLASSIFY in POSTROUTING with success, but I don't use IMQ. I have HTB on my Internet-facing interface and shape all outbound traffic through it.

> Does this make any sense??
>
> John Dunning
> Asst Dir Net & Tech Svcs
> Wayne State College

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
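The -j MARK route suggested above, written out as an added example (not code from either poster): the P2P packets are marked in mangle PREROUTING, pushed through the IMQ device, and a tc "fw" filter on imq0 maps the mark to a low-priority HTB class, so CLASSIFY and its -o requirement are not needed. It assumes the ipp2p match accepts --ipp2p and the IMQ target accepts --todev; the interface name, rates and classids are placeholders.

```shell
#!/bin/sh
# Added example, not code from either post: instead of CLASSIFY (which needs
# -o and so cannot run in PREROUTING), tag P2P packets with -j MARK in the
# mangle PREROUTING chain, divert them through the IMQ device, and let a tc
# "fw" filter on imq0 map the mark to an HTB class.
# Assumptions: the ipp2p match is loaded and accepts --ipp2p; the IMQ target
# accepts --todev; LAN_IF, imq0, the rates and the classids are placeholders.
DRY_RUN="${DRY_RUN:-1}"      # 1 = print the commands, 0 = apply them (root)
LAN_IF="${LAN_IF:-eth1}"     # client-facing interface (hypothetical)
IMQ_DEV="${IMQ_DEV:-imq0}"
P2P_MARK=1

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

shape_p2p() {
    # MARK is legal in PREROUTING, so P2P flows get tagged before any routing.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m ipp2p --ipp2p \
        -j MARK --set-mark "$P2P_MARK"
    # Send all client traffic through the IMQ device so one qdisc sees it all.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j IMQ --todev 0
    # HTB on imq0: everything defaults to 1:10, P2P goes to low-prio 1:30.
    run tc qdisc add dev "$IMQ_DEV" root handle 1: htb default 10
    run tc class add dev "$IMQ_DEV" parent 1: classid 1:1 htb rate 10mbit
    run tc class add dev "$IMQ_DEV" parent 1:1 classid 1:10 htb rate 8mbit ceil 10mbit prio 0
    run tc class add dev "$IMQ_DEV" parent 1:1 classid 1:30 htb rate 2mbit ceil 10mbit prio 7
    # The fw classifier does on imq0 what CLASSIFY could not do in PREROUTING.
    run tc filter add dev "$IMQ_DEV" parent 1: protocol ip prio 1 \
        handle "$P2P_MARK" fw classid 1:30
}

# Number of commands a dry run prints; a quick sanity check of the plan.
count_rules() {
    shape_p2p | wc -l | tr -d ' '
}

shape_p2p   # stand-alone: prints the plan unless DRY_RUN=0
```

Run it once with the default DRY_RUN=1 to review the generated rules, then with DRY_RUN=0 as root to apply them.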
What in the WORLD is using so much CPU.. we are getting a denial of service attack of about 100,000 packets per second and the router is at 100% CPU, then when I do iptables -t mangle -I PREROUTING ..etc.. -j DROP to match the packets and drop them the CPU drops to like 15% ... so my question is

#1. What in the world uses all that CPU simply routing packets in one interface and out the other?
#2. What in the world uses 15% CPU simply blocking packets in the prerouting chain? I'm using NAPI and e1000 so I don't see how it could even possibly use 15%

Any ideas on how to debug or find out what's causing this?

Thanks
Suppose I forgot to say, this is with a 2.6.6 kernel and a dual Xeon 2.8.. I also noticed another major problem is that NOTHING is set up for SMP.. NO matter how many packets I'm routing or filtering it ALWAYS USES ONE CPU and it's ALWAYS SOFTIRQ that uses all the CPU usage.. It's driving me crazy.. there has to be a bug somewhere that's causing CPU usage, either that or the software is SO poorly written that 100,000 packets per second bring the whole box to its knees.. it would be sad, and god no I'd never use conntrack.. even 10000 pps and conntrack dies a horrible death.. what a nasty piece of code :)

On Fri, 2004-06-04 at 19:46, Kresimir Sparavec wrote:
> do you use connection tracking? if yes, then you could be in trouble,
> conntrack hashing doesn't perform well under load (with kernel 2.4)
>
>
> On Fri, Jun 04, 2004 at 07:07:09PM -0400, Paul wrote:
> > What in the WORLD is using so much CPU.. we are getting a denial of
> > service attack about 100,000 packets per second and the router is 100%
> > cpu, then when I do iptables -t mangle -I PREROUTING ..etc.. -j DROP to
> > match the packets and drop them the CPU drops to like 15% ... so my
> > question is
> > #1. What in the world uses all that cpu simple routing packets in one
> > interface and out the other?
> > #2. What in the world uses 15% cpu simply blocking packets in the
> > prerouting chain? I'm using NAPI and e1000 so i don't see how it could
> > even possibly use 15%
> >
> > Any ideas on how to debug or find out what's causing this?
> >
> > Thanks
Hi list

In chapter 9.2.3.1 of the LARTC HOWTO the parameters of the SFQ (stochastic fairness queuing) are listed and one parameter is 'limit'. I tried to use this parameter like this:

tc qdisc add dev $DEV parent 1:30 handle 30: sfq perturb 10 limit 16

And I got:

What is "limit"?
Usage: ... sfq [ perturb SECS ] [ quantum BYTES ]

It seems that this parameter doesn't exist. Is this known?

bye,
Matthias Lendholt [Berlin, Germany]
On Saturday 05 June 2004 11:40, Matthias Lendholt wrote:
> What is "limit"?
> Usage: ... sfq [ perturb SECS ] [ quantum BYTES ]
>
> It seems that this parameter doesn't exist. Is this known?

Ah, well, it kind of does exist, but it is not dynamic, it is instead hardcoded into the kernel. Compile SFQ as a module and change the queue length there. It's a define at the top of the file, default value is 128.

HTH
Andreas