hi!

I'd like to prioritize ssh traffic, but of course I don't want scp to get prioritized, too. In the "actual script" of the howto prioritization is done with this:

| # TOS Minimum Delay (ssh, NOT scp) in 1:10:
| tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
|       match ip tos 0x10 0xff flowid 1:10

I'm not sure if I got all of it, but it seems to me that there is no port match - it seems to me that this rule matches all packets with a Minimize-Delay 16 (0x10) TOS value.

I watched some packets with tcpdump and it also seems that scp packets all have the Maximize-Throughput 8 (0x08) TOS value, but all "pure ssh" packets have Normal-Service 0 (0x00). It's no problem to match these packets with iptables (just drop me a note if you want to have the iptables syntax). But the question I have is:

Are these TOS values standard for ssh and scp, or do all ssh/scp clients use the values they like? I searched the net, but haven't found anything useful yet.

best regards

Sebastian

-- 
Sebastian 'spax' Pape          | A diplomat is someone who can tell you to go
mailto: sebastian@p-a-p-e.de   | to hell in such a way that you will look
gpg: http://p-a-p-e.de/gpg.asc | forward to the trip.
--- Do you want to know more? http://www.p-a-p-e.de/ ---

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Hi,

You are out of luck here. There is no distinction between ssh and scp at IP, TCP or the application layer for that matter. Basically scp is a wrapper which uses ssh as the transfer method...

Ramin

On Mon, Nov 25, 2002 at 08:12:07PM +0100, Sebastian 'spax' Pape wrote:
> hi!
>
> I'd like to prioritize ssh traffic, but of course I don't want scp to
> get prioritized, too. In the "actual script" of the howto prioritization
> is done with this:
>
> | # TOS Minimum Delay (ssh, NOT scp) in 1:10:
> | tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
> |       match ip tos 0x10 0xff flowid 1:10
>
> I'm not sure if I got all of it, but it seems to me that there is no
> port match - it seems to me that this rule matches all packets with a
> Minimize-Delay 16 (0x10) TOS value.
>
> I watched some packets with tcpdump and it also seems that scp packets
> all have the Maximize-Throughput 8 (0x08) TOS value, but all "pure
> ssh" packets have Normal-Service 0 (0x00). It's no problem to match
> these packets with iptables (just drop me a note if you want to have
> the iptables syntax). But the question I have is:
>
> Are these TOS values standard for ssh and scp, or do all
> ssh/scp clients use the values they like? I searched the net, but
> haven't found anything useful yet.
>
> best regards
>
> Sebastian
On Monday 25 November 2002 20:12, Sebastian 'spax' Pape wrote:
> I watched some packets with tcpdump and it also seems that scp packets
> all have the Maximize-Throughput 8 (0x08) TOS value, but all "pure
> ssh" packets have Normal-Service 0 (0x00). It's no problem to match
> these packets with iptables (just drop me a note if you want to have
> the iptables syntax). But the question I have is:

could you please tell me how you match ssh and not scp with iptables?

-- 
Regards,
Robert
----------------
Robert Penz
robert.penz AT outertech.com
For posterity:

Data gathered with the following tcpdump command:

  # tcpdump -nnqti eth0 port 22 and host y.y.y.y

ssh session:
  <session setup snipped, no special ToS value; normal>

  x.x.x.x.48101 > y.y.y.y.22: tcp 48 (DF) [tos 0x10]
  y.y.y.y.22 > x.x.x.x.48101: tcp 0 (DF)
  y.y.y.y.22 > x.x.x.x.48101: tcp 48 (DF) [tos 0x10]
  y.y.y.y.22 > x.x.x.x.48101: tcp 80 (DF) [tos 0x10]
  x.x.x.x.48101 > y.y.y.y.22: tcp 0 (DF) [tos 0x10]

scp session:
  <session setup snipped, no special ToS value; normal>

  y.y.y.y.22 > x.x.x.x.48103: tcp 48 (DF)
  x.x.x.x.48103 > y.y.y.y.22: tcp 64 (DF) [tos 0x8]
  y.y.y.y.22 > x.x.x.x.48103: tcp 48 (DF) [tos 0x8]
  x.x.x.x.48103 > y.y.y.y.22: tcp 0 (DF) [tos 0x8]
  y.y.y.y.22 > x.x.x.x.48103: tcp 48 (DF) [tos 0x8]

So, one *should* be able to do something like this:

  # iptables -t filter -A FORWARD -m tos --tos 0x08 -j scpchain
  # iptables -t filter -A FORWARD -m tos --tos 0x10 -j sshchain

http://iptables-tutorial.frozentux.net/iptables-tutorial.html

I haven't done it.....Good luck,

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
Hello,

It's nice but ...

When I make an ssh connection, it has tos 0x10. It's OK.
When I use ssh with any commands, then tos is 0x8. (e.g. ssh user@host su)

And a little trick to end...
When I make an ssh tunnel, it has tos 0x10 and so I can push data with minimum-delay tos.

I think that the only possibility is to use the bytecount patch.

On Mon, 25 Nov 2002, Martin A. Brown wrote:
> For posterity:
>
> Data gathered with the following tcpdump command:
>
> # tcpdump -nnqti eth0 port 22 and host y.y.y.y
> [...]
> So, one *should* be able to do something like this:
>
> # iptables -t filter -A FORWARD -m tos --tos 0x08 -j scpchain
> # iptables -t filter -A FORWARD -m tos --tos 0x10 -j sshchain
>
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
>
> I haven't done it.....Good luck,
>
> -Martin

-- 
`)_|_(' PSIkappa
I k psi _at_ talker.sk
On Mon, 25 Nov 2002, Robert Penz wrote:
> could you please tell me how you match ssh and not scp with iptables?

I did almost the same as Martin suggested:

| So, one *should* be able to do something like this:
|
| # iptables -t filter -A FORWARD -m tos --tos 0x08 -j scpchain
| # iptables -t filter -A FORWARD -m tos --tos 0x10 -j sshchain

  # (ssh)
  # $IPTABLES -A PREROUTING -t mangle -p tcp --dport 22 \
  #     -m tos ! --tos Maximize-Throughput \
  #     -j MARK --set-mark 2
  # (scp)
  # $IPTABLES -A PREROUTING -t mangle -p tcp --dport 22 \
  #     -m tos --tos Maximize-Throughput \
  #     -j MARK --set-mark 8

it works for me but I'm not sure if it is in general correct.

greetings

Sebastian

-- 
Sebastian 'spax' Pape          | "Things should be as simple as possible, but
mailto: sebastian@p-a-p-e.de   | not simpler." -- Albert Einstein
gpg: http://p-a-p-e.de/gpg.asc |
--- Do you want to know more? http://www.p-a-p-e.de/ ---
hi Martin,

I found almost the same except that my ssh packets didn't have their TOS value set.

> So, one *should* be able to do something like this:
>
> # iptables -t filter -A FORWARD -m tos --tos 0x08 -j scpchain
> # iptables -t filter -A FORWARD -m tos --tos 0x10 -j sshchain

That's almost the same idea as in the "actual script" from the HOWTO. So it seems my ssh client doesn't like to set TOS values :o

> http://iptables-tutorial.frozentux.net/iptables-tutorial.html

*bookmarked* ;)

greetings

Sebastian

-- 
Sebastian 'spax' Pape          | "Things should be as simple as possible, but
mailto: sebastian@p-a-p-e.de   | not simpler." -- Albert Einstein
gpg: http://p-a-p-e.de/gpg.asc |
--- Do you want to know more? http://www.p-a-p-e.de/ ---
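The thread's two approaches side by side, as an added example (not code from the thread or from the LARTC HOWTO): the tc u32 and iptables rules above trust whatever TOS byte the packet arrives with, while the "bytecount" idea PSIkappa mentions judges a flow by what it carries. The script parses tcpdump lines in the format Martin posted and flags sessions where the two disagree. The point a practitioner should keep in mind is that the TOS byte is written by the sending host, so a client, whether an ssh tunnel or anything else, can mark bulk data Minimize-Delay and take the fast lane; a byte count is the check that catches that. The packet lines below are constructed (sessions 48101 and 48103 copy the shapes in Martin's capture, 48105 is a tunnel pushing bulk data marked 0x10), and the 1000-byte bulk threshold is an assumption for the example.

```python
"""Tell interactive ssh from bulk scp using the IP TOS byte, then check
that verdict against what the flow actually carries.

Added example (not code from the LARTC thread). It parses tcpdump lines
in the format Martin posted; the packet lines, the 1000-byte bulk
threshold and the third "tunnel" session are constructed for the example.
"""
import re
from collections import defaultdict

# Names used by the iptables 'tos' match (RFC 1349 TOS field values).
TOS_NAMES = {
    0x00: "Normal-Service",
    0x02: "Minimize-Cost",
    0x04: "Maximize-Reliability",
    0x08: "Maximize-Throughput",
    0x10: "Minimize-Delay",
}

# Constructed tcpdump -nnqt output. 48101: interactive ssh, 48103: scp,
# 48105: an ssh tunnel moving bulk data while still marked Minimize-Delay.
SAMPLE = """\
x.x.x.x.48101 > y.y.y.y.22: tcp 48 (DF) [tos 0x10]
y.y.y.y.22 > x.x.x.x.48101: tcp 0 (DF)
y.y.y.y.22 > x.x.x.x.48101: tcp 48 (DF) [tos 0x10]
y.y.y.y.22 > x.x.x.x.48101: tcp 80 (DF) [tos 0x10]
x.x.x.x.48101 > y.y.y.y.22: tcp 0 (DF) [tos 0x10]
y.y.y.y.22 > x.x.x.x.48103: tcp 48 (DF)
x.x.x.x.48103 > y.y.y.y.22: tcp 64 (DF) [tos 0x8]
y.y.y.y.22 > x.x.x.x.48103: tcp 48 (DF) [tos 0x8]
x.x.x.x.48103 > y.y.y.y.22: tcp 0 (DF) [tos 0x8]
y.y.y.y.22 > x.x.x.x.48103: tcp 48 (DF) [tos 0x8]
y.y.y.y.22 > x.x.x.x.48103: tcp 1448 (DF) [tos 0x8]
y.y.y.y.22 > x.x.x.x.48103: tcp 1448 (DF) [tos 0x8]
x.x.x.x.48105 > y.y.y.y.22: tcp 1448 (DF) [tos 0x10]
x.x.x.x.48105 > y.y.y.y.22: tcp 1448 (DF) [tos 0x10]
x.x.x.x.48105 > y.y.y.y.22: tcp 1448 (DF) [tos 0x10]
y.y.y.y.22 > x.x.x.x.48105: tcp 0 (DF) [tos 0x10]
"""

# Matches:  x.x.x.x.48101 > y.y.y.y.22: tcp 48 (DF) [tos 0x10]
LINE_RE = re.compile(
    r"^(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"tcp (?P<len>\d+)(?: \(DF\))?(?: \[tos (?P<tos>0x[0-9a-fA-F]+)\])?$"
)


def parse_line(line):
    """Return (client, payload_len, tos) or None for a line that doesn't match.
    tcpdump omits [tos ...] when the byte is zero, so absent means 0x00."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport, dst, dport = m.group("src", "sport", "dst", "dport")
    # The capture filter was 'port 22'; the other endpoint is the client.
    client = f"{src}:{sport}" if dport == "22" else f"{dst}:{dport}"
    tos = int(m.group("tos"), 16) if m.group("tos") else 0x00
    return client, int(m.group("len")), tos


def summarise(text):
    """Per-session payload byte total and the set of TOS values seen."""
    flows = defaultdict(lambda: {"bytes": 0, "tos": set()})
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, length, tos = parsed
        flows[client]["bytes"] += length
        flows[client]["tos"].add(tos)
    return flows


def classify_by_tos(tos_values):
    """What the tc u32 / iptables rules in the thread do: trust the byte."""
    if 0x08 in tos_values:
        return "bulk"           # Maximize-Throughput, as seen from scp
    if 0x10 in tos_values:
        return "interactive"    # Minimize-Delay, as seen from interactive ssh
    return "unmarked"


def classify_by_bytes(total, threshold):
    """The 'bytecount' idea: judge the flow by what it carries."""
    return "bulk" if total >= threshold else "interactive"


def analyse(text, bulk_threshold=1000):
    """Map client -> (verdict from TOS, verdict from bytes, mismatch flag)."""
    result = {}
    for client, f in summarise(text).items():
        by_tos = classify_by_tos(f["tos"])
        by_bytes = classify_by_bytes(f["bytes"], bulk_threshold)
        # The peer chooses its own TOS byte, so Minimize-Delay on a bulk flow
        # is either the tunnel case from the thread or a deliberate grab.
        mismatch = by_tos == "interactive" and by_bytes == "bulk"
        result[client] = (by_tos, by_bytes, mismatch)
    return result


if __name__ == "__main__":
    flows = summarise(SAMPLE)
    for client, (by_tos, by_bytes, mismatch) in analyse(SAMPLE).items():
        seen = ", ".join(TOS_NAMES.get(t, hex(t)) for t in sorted(flows[client]["tos"]))
        flag = "   <- TOS byte not trustworthy here" if mismatch else ""
        print(f"{client:16} [{seen}] tos={by_tos:11} bytes={by_bytes:11}{flag}")
```

On a real link the byte count would be taken per time window (that is what the bytecount patch does inside the kernel) rather than over a whole capture, but the decision is the same: a mark the peer set is an input, not a verdict.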
--On Monday, November 25, 2002 8:12 PM +0100 Sebastian 'spax' Pape <pape@rbg.informatik.tu-darmstadt.de> wrote:
> Are these TOS values standard for ssh and scp, or do all
> ssh/scp clients use the values they like? I searched the net, but
> haven't found anything useful yet.

Good question. In general, is there a Linux API for setting TOS on a connection? Or for UDP? For example, what would be the "right" values for UDP game packets, which suffer if dropped or delayed?
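The API asked about here is the IP_TOS socket option: setsockopt(IPPROTO_IP, IP_TOS, value) on any IPv4 socket, TCP or UDP, marks every packet the kernel sends on it, which is exactly how an ssh client ends up producing the 0x10 and 0x08 seen in Martin's capture. The following is an added example, not code from the thread; it uses only the standard socket module, the sockets are never connected so it runs offline, and the choice of Minimize-Delay for "game traffic" is an assumption made for the example.

```python
"""Set and read back the IP TOS byte on a socket with setsockopt(IP_TOS).

Added example, not from the LARTC thread. Uses only the standard socket
module; nothing is connected, so it runs offline.
"""
import socket

# RFC 1349 TOS values, named as the iptables 'tos' match names them.
MINIMIZE_DELAY = 0x10
MAXIMIZE_THROUGHPUT = 0x08
MAXIMIZE_RELIABILITY = 0x04
MINIMIZE_COST = 0x02
NORMAL_SERVICE = 0x00


def tos_to_dscp(tos):
    """Routers that speak DiffServ read the same byte as DSCP (upper six
    bits) plus ECN (lower two); 0x10 is DSCP 4, 0x08 is DSCP 2."""
    return tos >> 2


def set_tos(sock, tos):
    """Mark every packet sent on `sock` with `tos` and return what the
    kernel reports back, so the caller can see the value actually applied."""
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, tos)
    return sock.getsockopt(socket.IPPROTO_IP, socket.IP_TOS)


def marked_socket(kind, tos):
    """Create an IPv4 socket of `kind` (SOCK_STREAM or SOCK_DGRAM) that
    already carries the TOS mark; returns (socket, applied value)."""
    sock = socket.socket(socket.AF_INET, kind)
    applied = set_tos(sock, tos)
    return sock, applied


def demo():
    """Mark three sockets the way the thread describes ssh, scp and, as an
    assumption for this example, latency-sensitive UDP game traffic."""
    plan = [
        ("ssh-like tcp", socket.SOCK_STREAM, MINIMIZE_DELAY),
        ("scp-like tcp", socket.SOCK_STREAM, MAXIMIZE_THROUGHPUT),
        ("game udp", socket.SOCK_DGRAM, MINIMIZE_DELAY),
    ]
    results = {}
    for name, kind, tos in plan:
        sock, applied = marked_socket(kind, tos)
        sock.close()
        results[name] = applied
    return results


if __name__ == "__main__":
    for name, applied in demo().items():
        print(f"{name:13} tos=0x{applied:02x} dscp={tos_to_dscp(applied)}")
```

Two consequences follow for anyone writing tc or iptables rules against these values. The mark is chosen by the application on the sending host, so it answers Sebastian's question as "the clients use the values they like" (OpenSSH exposes the choice to users as the IPQoS option), and a router that prioritises on it is prioritising on the peer's say-so.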
Anyone know how to control the queue length with HTB?

I'm seeing large numbers of packets queued (>50), which causes high latency.

Reading the code it isn't immediately clear to me how the HTB queues are bounded. In fact, it isn't clear to me that there is queueing in sch_htb.c. Is there a default leaf qdisc associated with every HTB class? Perhaps I need to define a non-default leaf qdisc and set its queue length?

Thanks in advance for your help.
Ok, now I see the code where htb creates a default pfifo queue for its leaves. And I can't see what limits the pfifo queue size... Got to read more code...
> Ok, now I see the code where htb creates a default pfifo queue
> for its leaves. And I can't see what limits the pfifo queue size...
> Got to read more code...

And finally I understand. pfifo_fast has a queue length, but it is taken from the device's queue length, which in the case of ethernet devices is 100 packets.

I bet there is a way to either change that, or use a different qdisc so the length can be configured.

I guess I answered my own question.
> And finally I understand. pfifo_fast has a queue length, but it
> is taken from the device's queue length, which in the case of
> ethernet devices is 100 packets.
>
> I bet there is a way to either change that, or use a different
> qdisc so the length can be configured.

:) you got it. The correct way is to attach fifo with your own limit to a class.

devik
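What devik's advice looks like in practice, as an added example (not code from the thread or from HTB's author): a leaf that inherits the device's 100-packet queue adds up to limit * packet size / rate of delay when full, so at a slow shaped rate the default queue alone explains the latency reported above. The script derives a pfifo limit from a target worst-case delay and emits the tc commands that attach that pfifo to the leaf class; the device name, the 512 kbit rate, the 1500-byte packet size and the 100 ms target are assumptions chosen for the example.

```python
"""Bound HTB leaf latency by giving the leaf a pfifo with an explicit limit.

Added example, not from the LARTC thread. It derives the pfifo limit from
a target worst-case queueing delay and emits the matching tc commands.
Device, rate, packet size and target delay are assumptions; the commands
are only executed when run with --apply (needs root and tc).
"""
import math
import shlex
import subprocess
import sys

# Assumptions for the example.
DEV = "eth0"
RATE_KBIT = 512
PKT_BYTES = 1500
TARGET_DELAY_S = 0.100
DEFAULT_TXQUEUELEN = 100   # what an ethernet device's default pfifo inherits


def worst_case_delay(limit_pkts, pkt_bytes, rate_bps):
    """Seconds the last packet in a full FIFO of `limit_pkts` waits when
    the queue drains at `rate_bps`: limit * bytes * 8 / rate."""
    return limit_pkts * pkt_bytes * 8 / rate_bps


def fifo_limit_for(target_delay_s, pkt_bytes, rate_bps, minimum=2):
    """Largest packet limit whose full-queue delay stays within the target.
    `minimum` keeps the queue from being so short that it cannot hold a
    single in-flight burst at all."""
    fit = math.floor(target_delay_s * rate_bps / (pkt_bytes * 8))
    return max(minimum, fit)


def tc_commands(dev, rate_kbit, limit):
    """tc invocations: an HTB root, one leaf class 1:10, and a pfifo of our
    own size attached to that leaf (handle 10:) instead of the default."""
    return [
        f"tc qdisc add dev {dev} root handle 1: htb default 10",
        f"tc class add dev {dev} parent 1: classid 1:10 htb rate {rate_kbit}kbit",
        f"tc qdisc add dev {dev} parent 1:10 handle 10: pfifo limit {limit}",
    ]


def plan(dev=DEV, rate_kbit=RATE_KBIT, pkt_bytes=PKT_BYTES, target=TARGET_DELAY_S):
    """Compare the inherited queue with a sized one and return the commands."""
    rate_bps = rate_kbit * 1000
    inherited = worst_case_delay(DEFAULT_TXQUEUELEN, pkt_bytes, rate_bps)
    limit = fifo_limit_for(target, pkt_bytes, rate_bps)
    bounded = worst_case_delay(limit, pkt_bytes, rate_bps)
    return {
        "inherited_delay_s": inherited,
        "limit": limit,
        "bounded_delay_s": bounded,
        "commands": tc_commands(dev, rate_kbit, limit),
    }


if __name__ == "__main__":
    p = plan()
    print(f"default pfifo ({DEFAULT_TXQUEUELEN} pkts) can add "
          f"{p['inherited_delay_s']:.2f} s at {RATE_KBIT} kbit")
    print(f"pfifo limit {p['limit']} keeps it at "
          f"{p['bounded_delay_s'] * 1000:.0f} ms")
    for cmd in p["commands"]:
        print(cmd)
        if "--apply" in sys.argv:
            subprocess.run(shlex.split(cmd), check=True)
```

After applying, `tc -s qdisc show dev eth0` lists the pfifo under 1:10 with its limit and its drop counter; a short queue trades drops for latency, which is the correct trade for interactive traffic and the wrong one for a bulk class, so size each leaf for what it carries.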