Hello, a simple question; on a router, if I want network A to be routed to network C that goes through network B, using policy routing, do I need to specify a route to network B also, or could I just have routes to A and C in the routing table?

The reason that I'm asking is because I don't know how the ip utility uses the main table together with another table. If I didn't use policy routing, just "regular", this would not work, but perhaps if not finding a route to network B, it checks the main table?

Please enlighten me.

Regards,

Tomas Bonnedahl

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
(Forwarded to the list because I can't properly operate a MUA--maybe they'll take away my license to read email someday.)

Tomas,

Perhaps you want a summary of how the kernel makes a routing decision? See my description of the route selection process:

  http://plorf.net/linux-ip/html/routing-selection.htm

I'm not sure you need policy routing though... If network B is reachable from network A, and the router for network B is directly connected to network A but is not the default gateway, you'll have something sort of like this:

  network-C via router-B
  network-B via router-B
  network-A dev ethX
  default via default-gw

Is this your configuration? If so, then you need no policy routing.

-Martin

On Thu, 28 Nov 2002, Tomas Bonnedahl wrote:

: Hello, a simple question; on a router, if I want network A to be routed
: to network C that goes through network B, using policy routing, do I
: need to specify a route to network B also, or could I just have routes
: to A and C in the routing table?
:
: The reason that I'm asking is because I don't know how the ip utility
: uses the main table together with another table. If I didn't use policy
: routing, just "regular", this would not work, but perhaps if not
: finding a route to network B, it checks the main table?
:
: Please enlighten me.
:
: Regards,
:
: Tomas Bonnedahl

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
Thanks for your reply Martin, I am yet to read your paper.

The reason for using policy routing is that I manage several networks and I do want some kind of control on who can access whose network. This I thought is best accomplished with policy routing using ip route and ip rule.

If I want to allow hosts from network A to reach and talk to hosts on network C, but _not_ hosts on network B, is this best controlled by iptables? Since I now probably need to specify the route to network B in that very table, I cannot deny network A hosts to talk to network B with ip, or can I?

Regards,

Tomas Bonnedahl

On Thu, Nov 28, 2002 at 04:30:47PM -0600, Martin A. Brown wrote:
> Tomas,
>
> Perhaps you want a summary of how the kernel makes a routing decision?
>
> See my description of the route selection process:
>
> http://plorf.net/linux-ip/html/routing-selection.htm
>
> I'm not sure you need policy routing though... If network B is reachable
> from network A, and the router for network B is directly connected to
> network A but is not the default gateway, you'll have something sort of
> like this:
>
> network-C via router-B
> network-B via router-B
> network-A dev ethX
> default via default-gw
>
> Is this your configuration? If so, then you need no policy routing.
>
> -Martin
>
> --
> Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
nitin panjwani
2002-Nov-29 00:21 UTC
measuring performance time in a node using ethereal/tcpdump
Hi All,

We are doing some experiment, where we are trying to measure the processing time taken by a node when a packet passes through it.

  --------eth0[Linux-PC Router]eth1-------

We run tethereal within this PC at eth0 (incoming interface) and eth1 (outgoing interface). Then we find out our packet in both the captures and the difference of the two captures gives the processing time of the node.

Now, the question: Is doing so a right way to measure the processing time, as we are not sure where exactly libpcap captures the packets. Is it right before the network driver or after it or anywhere else?

I just came to know that on Linux, libpcap captures packets using PF_PACKET sockets (or, on 2.0 kernels or with libpcap built on a 2.0-kernel system, PF_INET/SOCK_PACKET sockets).

Any help on this issue will be highly appreciated.

Thanks,
Nitin
Tomas,

I'm glad to be of help.

: If I want to allow hosts from network A to reach and talk to hosts on
: network C, but _not_ hosts on network B, is this best controlled by
: iptables? Since I now probably need to specify the route to network B
: in that very table, I cannot deny network A hosts to talk to network B
: with ip, or can I?

I'd suggest you use iptables and a prohibit route:

  http://plorf.net/linux-ip/html/tools-ip-route.htm#EX-TOOLS-IP-ROUTE-ADD-FROM

Here's an example:

  # ip route add prohibit x.x.x.x/24 from y.y.y.y/24

I would be inclined to block packets at the packet filter as well.

  # iptables -t filter -A FORWARD -d x.x.x.x/24 -s y.y.y.y/24 -j REJECT

Good luck,

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
Hello again and thanks for replying.

The prohibit rule is supposed to be in that particular table that I'm creating for hosts whose src address is network A? I was also thinking of blackholing as default. Would this work?

  ip route add networkB dev eth1 table X
  ip route add networkA via networkB-router dev eth1 table X
  ip route add 0/0 blackhole table X
  <rule for making networkA hosts use table X>

since I don't want to use iptables too much either.

Thanks
-Tomas

On Thu, Nov 28, 2002 at 11:48:01PM -0600, Martin A. Brown wrote:
> Tomas,
>
> I'm glad to be of help.
>
> I'd suggest you use iptables and a prohibit route:
>
> http://plorf.net/linux-ip/html/tools-ip-route.htm#EX-TOOLS-IP-ROUTE-ADD-FROM
>
> Here's an example:
>
> # ip route add prohibit x.x.x.x/24 from y.y.y.y/24
>
> I would be inclined to block packets at the packet filter as well.
>
> # iptables -t filter -A FORWARD -d x.x.x.x/24 -s y.y.y.y/24 -j REJECT
>
> Good luck,
>
> -Martin
>
> --
> Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
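Tomas's table X above, together with Martin's prohibit route, can be checked against how the kernel actually walks the rules and tables, which also answers the original question about falling back to the main table. The following is an added simulation of that lookup, not code from the thread or from iproute2; the networks, the router-B address 10.2.0.1, the default gateway 192.0.2.1 and the rule priority 100 are assumed, and source selection is done with an ip rule rather than a route's from clause.

```python
import ipaddress

# Added example (not from the thread): a small model of how the Linux routing
# policy database (RPDB) picks a route. Rules are tried in priority order, each
# pointing at a table searched by longest prefix match; a table with no matching
# route falls through to the next rule, a prohibit/blackhole route ends the lookup.
ANY = ipaddress.ip_network("0.0.0.0/0")
NET_A = ipaddress.ip_network("10.1.0.0/24")   # constructed sample networks
NET_B = ipaddress.ip_network("10.2.0.0/24")
NET_C = ipaddress.ip_network("10.3.0.0/24")
ROUTER_B = "10.2.0.1"                         # assumed address of router-B
# A table is a list of (prefix, verdict); verdict is ("via", gateway), ("dev", iface)
# or one of ("prohibit" | "blackhole" | "unreachable", None).
TABLES = {
    "X": [                              # table for traffic sourced from network A
        (NET_B, ("prohibit", None)),    # A must not talk to B (Martin's prohibit route)
        (NET_C, ("via", ROUTER_B)),     # A reaches C through router-B
        (ANY, ("blackhole", None)),     # Tomas's blackhole default
    ],
    "main": [                           # Martin's "regular" layout
        (NET_C, ("via", ROUTER_B)),
        (NET_B, ("via", ROUTER_B)),
        (NET_A, ("dev", "eth0")),
        (ANY, ("via", "192.0.2.1")),    # default gateway (constructed)
    ],
}
# Rules are (priority, source selector or None for "from all", table), i.e.
#   ip rule add from 10.1.0.0/24 table X prio 100   (main sits at prio 32766)
RULES = [(100, NET_A, "X"), (32766, None, "main")]
def lookup_table(table, dst):
    """Longest prefix match within one table; None when nothing matches."""
    hits = [entry for entry in table if dst in entry[0]]
    return max(hits, key=lambda e: e[0].prefixlen) if hits else None

def route(src, dst, rules=RULES, tables=TABLES):
    """Return (verdict, table) the way the RPDB would decide for src -> dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, selector, name in sorted(rules, key=lambda r: r[0]):
        if selector is not None and src not in selector:
            continue                    # rule selector does not match this source
        hit = lookup_table(tables[name], dst)
        if hit is None:
            continue                    # no route in this table: try the next rule
        kind, arg = hit[1]
        return (kind if arg is None else f"{kind} {arg}", name)
    return ("unreachable", None)        # no rule produced a route

if __name__ == "__main__":
    for s, d in [("10.1.0.9", "10.3.0.5"), ("10.1.0.9", "10.2.0.5"), ("10.2.0.5", "10.1.0.9")]:
        print(s, "->", d, route(s, d))
```

Without the blackhole default, a destination that table X does not cover falls through to main and is forwarded normally, which is exactly the behaviour the blackhole entry is there to prevent.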
Stef Coene
2002-Nov-29 18:09 UTC
Re: measuring performance time in a node using ethereal/tcpdump
On Friday 29 November 2002 01:21, nitin panjwani wrote:
> Hi All,
>
> We are doing some experiment, where we are trying to
> measure the processing time taken by a node when a
> packet passes through it.
>
> --------eth0[Linux-PC Router]eth1-------
>
> We run tethereal within this PC at eth0 (incoming
> interface) and eth1 (outgoing interface). Then we find
> out our packet in both the captures and the
> difference of the two captures gives the processing time of
> the node.
>
> Now, the question: Is doing so a right way to measure
> the processing time, as we are not sure where exactly
> libpcap captures the packets. Is it right before the
> network driver or after it or anywhere else?
>
> I just came to know that on Linux, libpcap captures
> packets using PF_PACKET sockets (or, on 2.0
> kernels or with libpcap built on a 2.0-kernel system,
> PF_INET/SOCK_PACKET sockets).
>
> Any help on this issue will be highly appreciated.

Why not use 2 extra boxes? If you send a packet from left to right and the right host responds immediately (ping or so), so the packet returns, you know the processing time. I think there are also traffic generator tools that can monitor delays and jitter.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
Martin A. Brown
2002-Nov-30 01:40 UTC
Re: measuring performance time in a node using ethereal/tcpdump
The mailing list that refers to itself:

  http://mailman.ds9a.nl/pipermail/lartc/2001q1/000671.html

: I think there are also traffic generator tools that can monitor delays and
: jitter.

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com