Hi!

I'm developing some API functions using cbq / tc (for GUI based BW Management).

I can do this in two ways:

1. By executing the cbq.init script (which is executable) using some system calls like execv etc.
   Are there any problems with doing so?

OR

2. By directly using the iproute2/tc source code with slight modifications.

So, which option is better?

Any other solutions are welcome.

thanks & regards,
Srikanth.

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
On Thursday 06 February 2003 14:08, Srikanth wrote:
> I'm developing some API functions using cbq / tc (for GUI based BW
> Management)
>
> 1. By executing cbq.init script (which is executable) using some system
> calls like execv etc.
> Are there any problems by doing so?
>
> OR
>
> 2. Directly using iproute2/tc source code with slight modifications.
>
> So, which option is better?
>
> Are there any other solutions, please welcome.

tcng ?
http://tcng.sourceforge.net/

Stef
-- 
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
The first is better, as it will not involve changing your package if tc changes or some changes are made to tc.

Is your GUI X based or web based?

Mohan

-----Original Message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On Behalf Of Srikanth
Sent: Thursday, February 06, 2003 6:38 PM
To: lartc@mailman.ds9a.nl
Cc: stef.coene@docum.org
Subject: [LARTC] API using cbq / tc ?
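The wrapper that Srikanth's option 1 implies, as an added example that is not code from the thread, from cbq.init or from iproute2: it assumes an HTB tree, a fixed /sbin/tc path, and its own validation rules for interface names, class ids and rates. The point a GUI backend has to get right is that whatever the user typed is handed to tc as a separate argv entry (execv-style, never through a shell) and is checked first, because the wrapper runs as root.

```shell
#!/bin/sh
# Added example, not code from the thread or from cbq.init: a small privileged
# wrapper that a GUI backend can exec with an argument vector (Srikanth's
# option 1). Each argument is validated before it reaches tc, so nothing the
# GUI user typed is ever interpreted by a shell. The HTB class layout and the
# accepted rate units are this example's own assumptions.

TC=${TC:-/sbin/tc}      # fixed path: a setuid/sudo wrapper should not trust PATH
DRY_RUN=${DRY_RUN:-}    # set to print the command instead of running it

# run: execute the command, or only print it when DRY_RUN is set
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# valid_ifname: Linux interface names are at most 15 characters; only
# letters, digits, '_', '.' and '-' are accepted here
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ ${#1} -le 15 ]
}

# valid_classid: MAJOR:MINOR in hexadecimal (e.g. 1:10); the minor part may
# be empty, as in the root handle 1:
valid_classid() {
    case "$1" in
        *:*) ;;
        *) return 1 ;;
    esac
    major=${1%%:*}
    minor=${1#*:}
    case "$major$minor" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ -n "$major" ]
}

# valid_rate: an integer followed by one of the rate units tc understands;
# a unit is required so that a bare number is never sent by accident
valid_rate() {
    n=$1
    case "$n" in
        *kbit) n=${n%kbit} ;;
        *mbit) n=${n%mbit} ;;
        *kbps) n=${n%kbps} ;;
        *mbps) n=${n%mbps} ;;
        *bit)  n=${n%bit} ;;
        *bps)  n=${n%bps} ;;
        *)     return 1 ;;
    esac
    case "$n" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# set_class_rate DEV PARENT CLASSID RATE: change the rate (and ceil) of an
# existing HTB class; the request is refused if any argument fails validation
set_class_rate() {
    dev=$1; parent=$2; cls=$3; rate=$4
    valid_ifname "$dev"     || { echo "bad interface: $dev" >&2; return 2; }
    valid_classid "$parent" || { echo "bad parent id: $parent" >&2; return 2; }
    valid_classid "$cls"    || { echo "bad class id: $cls" >&2; return 2; }
    valid_rate "$rate"      || { echo "bad rate: $rate" >&2; return 2; }
    run "$TC" class change dev "$dev" parent "$parent" classid "$cls" \
        htb rate "$rate" ceil "$rate"
}

# command-line use: ./tcwrap.sh DEV PARENT CLASSID RATE
if [ $# -eq 4 ]; then
    set_class_rate "$@"
fi
```

`DRY_RUN=1 ./tcwrap.sh eth0 1:1 1:10 512kbit` prints the tc command line that would run; without DRY_RUN it executes it. Keeping the validators as separate functions is what makes the wrapper reviewable: the GUI can call the same checks before it even tries, and the root-side script never builds a command from an unchecked string.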
Our GUI developers are using X based (Qt) only, not web based.

thanks & reg,
Srikanth.

On Friday 07 February 2003 07:46 am, you wrote:
> First is better as it will not involve changing package if tc changes or
> some changes are made to tc. Is your GUI X based or web based?
>
> Mohan
On Friday 07 February 2003 05:25, Srikanth wrote:
> Our GUI developers are using X based (Qt) only, not web based.

I prefer web based. Most of the time, the qos is installed on a router with no display and a limited connection (for instance behind a firewall). So if you have an https server, you can configure it without problems. For a qt based application, you need a monitor or you have to log in and use a remote display. This is more complicated (and less secure) than a web based gui.

But if you have good GUI developers, they can create a set of libraries so you can use different front ends to access these libraries. So people can choose how to configure the box.

Just wondering, will the software be released under the GPL?

Stef
I have just written (I won't say completed!) a program which performs traffic read operations. It is a VB client program talking to a C TCP socket server. Everything is based on scripting, so it could be flaky right now, so you might have to be patient :-) The server has been tested running on my Linux 2.4.20 machine.

The VB GUI program charts the traffic data on a per-interface and per-class/qdisc basis. It also displays the class/qdisc relationship in a hierarchical (GUI) tree diagram. The intention is for you to determine how effective your class/qdisc is.

The server is pure C (without any other fancy libraries) to reduce the footprint, because my intention is to let it run on a floppy-based NAT firewall/router, which I have tested against floppyfw (http://www.zelow.no/floppyfw/).

I will be enhancing it in the future to allow service-by-service traffic charting, based on iptables' traffic counters.

Any interested parties could mail me and we shall see how things go.

Regards.

--- Stef Coene <stef.coene@docum.org> wrote:
> On Friday 07 February 2003 05:25, Srikanth wrote:
> > Our GUI developers are using X based (Qt) only, not web based.
> I prefer web based.
On Saturday 08 February 2003 08:02, Ming-Ching Tiew wrote:
> I have just written (I won't say completed!) a program which performs
> traffic read operations. It is a VB client program talking to a C TCP
> socket server.
> [...]
> The server is pure C (without any other fancy libraries) to reduce the
> footprint because my intention is to let it run on a floppy-based
> NAT firewall/router, which I have tested against floppyfw
> (http://www.zelow.no/floppyfw/).
> [...]
> Any interested parties could mail me and we shall see how things go.

I found this:
http://www.hav.com/java/scroll/
It's in java. I tested it with some browsers and platforms and it works great. The java class is not so difficult. I contacted the original author for permission to use his java class, but I didn't receive an answer. I used his java class and made my own version so I could display class and qdisc stats. It works great. But I can't publish it as long as I don't know if I may use it.

The data is delivered with a cgi-bin prog so you don't need an extra daemon. And the java class is cross-platform so you can see it in almost any web-browser that supports java.

Stef
Good to know that there are other options available! :-)

Anyway, I have uploaded my files to the following web site, at these locations:

http://geocities.com/mctiew/ffw/ffwgrapher0.88.zip
http://geocities.com/mctiew/ffw/fwstat-0.88.tar.gz

The first is the VB program and the latter is the server program.

The server program should be fairly plug-and-play. The client program too. However, because I am not using an installer (the installer package is 12MB, so I refused to use it!), you may find missing files which cause it to be unable to run.

Regards.

--- Stef Coene <stef.coene@docum.org> wrote:
> I found this :
> http://www.hav.com/java/scroll/
> It's in java.
> And the java class is cross-platform so you can see it in almost any
> web-browser that supports java.
On Saturday 08 February 2003 14:04, Ming-Ching Tiew wrote:
> Good to know that there are other options available !
> :-)

To be honest, I prefer the java approach. I have no windows installed, so I can't run your VB prog. But java is available on almost all platforms. So you don't have to install extra software to see the graphs. And you can get the data from a http server so you don't need an extra daemon on your router/shaper.

> Anyway, I have uploaded my files to the following web site, at these
> locations:
>
> http://geocities.com/mctiew/ffw/ffwgrapher0.88.zip
> http://geocities.com/mctiew/ffw/fwstat-0.88.tar.gz
>
> The first is the VB program and the latter is the server program.
>
> The server program should be fairly plug-and-play. The client program too.
> However, because I am not using an installer (the installer package is 12MB,
> so I refused to use it!), you may find missing files which cause it to be
> unable to run.

Stef
Haha, life is a trade off between what you actually want and what you actually get. I like the java approach too but it will take me donkey's years to complete the same functionality, and you might say it is due to my incompetence. LOL

There are other considerations which I have considered too. Small footprint is the No 1 item here. The floppy-based firewall/nat router can't house a http server anyway, so a small footprint daemon is needed. Eventually you are talking about something like a MRTG approach where the daemon collects raw data and hands it over to MRTG on another computer for html data processing/presentation.

If anyone likes this approach, he could enhance fwstat.pl (already in the package) to provide qdisc/class traffic to MRTG. Feel free and do it!

Rgds.

--- Stef Coene <stef.coene@docum.org> wrote:
> To be honest, I prefer the java approach. I have no windows installed, so I
> can't run your VB prog. But java is available on almost all platforms. So
> you don't have to install extra software to see the graphs.
> And you can get the data from a http server so you don't need an extra
> daemon on your router/shaper.
On Sat, Feb 08, 2003 at 07:45:35AM -0800, Ming-Ching Tiew wrote:
> There are other considerations which I have considered
> too. Small footprint is the No 1 item here. The
> floppy-based firewall/nat router can't house a
> http server anyway, so a small footprint daemon

off on a tangent here, but there are several small/mini/micro/tiny webservers. i built mini-httpd, static, gzipped at under 250k. moreover, (unfortunately) there are minimally functional webservers written in awk and shellscript, both of which are on several single-floppy distro's.

also, nowadays, the single-floppy distro's can often be substituted with cd-rom boot systems (demolinux, knoppix, roll-your-own), due to the more general availability and affordability of cd-rom writers. there are probably few, if any, space issues with a cd-rom boot system.

-- 
Henry Yen                                       Aegis Information Systems, Inc.
Senior Systems Programmer                       Hicksville, New York
On Sunday 09 February 2003 04:45, Ming-Ching Tiew wrote:
> Haha, life is a trade off between what you actually
> want and what you actually get. I like the java
> approach too but it will take me donkey's years
> to complete the same functionality, and you might
> say it is due to my incompetence. LOL

:) But I like the freedom. You can do something, I can do something, and we are all happy. But I hope my solution will be better :) (without competition there is no innovation)

> There are other considerations which I have considered
> too. Small footprint is the No 1 item here. The
> floppy-based firewall/nat router can't house a
> http server anyway, so a small footprint daemon
> is needed. Eventually you are talking about something
> like a MRTG approach where the daemon collects raw
> data and hands it over to MRTG on another computer
> for html data processing/presentation.
>
> If anyone likes this approach, he could enhance
> fwstat.pl (already in the package) to provide
> qdisc/class traffic to MRTG. Feel free and do it!

I already did. But that gives only long-term statistics. For real time statistics, you need the data directly from the router.

I prefer a cross-platform solution. Even if it means that you lose some functionality. It's possible that VB is better/handier than java, but I go for java.

Stef
Cool. As an MRTG idiot, I am going to ask this question: why can't it provide realtime stats? You mean MRTG does not chart real time graphs?

----- Original Message -----
From: "Stef Coene" <stef.coene@docum.org>
To: "Ming-Ching Tiew" <mctiew@yahoo.com>; <lartc@mailman.ds9a.nl>
Sent: Sunday, February 09, 2003 9:39 PM
Subject: Re: [LARTC] API using cbq / tc ?

> > If anyone likes this approach, he could enhance
> > fwstat.pl (already in the package) to provide
> > qdisc/class traffic to MRTG. Feel free and do it!
> I already did. But that gives only long-term statistics. For real time
> statistics, you need the data directly from the router.
On Monday 10 February 2003 02:58, mingching.tiew@redtone.com wrote:
> Cool. As an MRTG idiot, I am going to ask this question:
> why can't it provide realtime stats? You mean MRTG
> does not chart real time graphs?

Mrtg is not designed for that. Mrtg uses rrdtool to generate the graphs. You give rrdtool a number every 5 minutes. This number is stored in a rrd file. And you can generate a graph with the data in the rrd file.

So it's for long-term graphing. If you want to do real time graphing, you need new data each second. And you need to generate the graph on the client side so you don't need to load a new graph from the server each second.

Stef
Hi,
this is probably silly, but I can't find how to define a tc filter for my needs.

Situation:
iptables marks all packets with destination 192.168.1.0/24 with mark 6
tc uses HTB.

My problem is how can I say:
packets with mark 6 and with destination (or source) A.B.C.D to follow xx:xx

Thanks in advance
Emo
On Monday 10 February 2003 11:34, Emo Terziev wrote:
> Situation:
> iptables marks all packets with destination 192.168.1.0/24 with mark 6
> tc uses HTB.
>
> My problem is how can I say:
> packets with mark 6 and with destination (or source) A.B.C.D to follow xx:xx

If you use the fw filter, you can match the mark. If you use the u32 filter, you can match the destination. But you can't combine both.

Stef
> On Monday 10 February 2003 11:34, Emo Terziev wrote:
>> My problem is how can I say:
>> packets with mark 6 and with destination (or source) A.B.C.D to follow xx:xx
>
> If you use the fw filter, you can match the mark. If you use the u32 filter,
> you can match the destination. But you can't combine both.
>
> Stef

Then, what about using cascaded operations? Can't you direct the traffic matching the first pattern to a class which will constitute a parent for a second class which will contain the traffic matching the second pattern?
On Monday 10 February 2003 15:16, Emmanuel Guiton wrote:
> > If you use the fw filter, you can match the mark. If you use the u32
> > filter, you can match the destination. But you can't combine both.
>
> Then, what about using cascaded operations?
> Can't you direct the traffic matching the first pattern to a class
> which will constitute a parent for a second class which will contain
> the traffic matching the second pattern?

Yes. But you will need an extra level of classes. But why not use more marks so you only need a fw filter?

Stef
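Stef's "more marks" approach, as an added example that is not from the thread: it assumes eth0, a two-class HTB tree with constructed rates, and 192.168.1.10 standing in for Emo's A.B.C.D. The second iptables rule deliberately comes after the /24 rule, since MARK does not stop rule traversal.

```shell
#!/bin/sh
# Added example, not from the thread: steer "mark 6 AND one particular
# destination" with fw filters only, by giving that sub-case a mark of its
# own, as Stef suggests. eth0, the class ids, the 10 mbit rates and the
# host 192.168.1.10 (standing in for Emo's A.B.C.D) are constructed values.

DEV=${DEV:-eth0}
NET=192.168.1.0/24          # the /24 that Emo already marks with 6
HOST=192.168.1.10           # constructed stand-in for A.B.C.D
DRY_RUN=${DRY_RUN:-}        # set to print commands instead of running them

run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# setup_classes: HTB root with a bulk class 1:10 and a separate class 1:20
setup_classes() {
    run tc qdisc add dev "$DEV" root handle 1: htb default 10
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate 10mbit
    run tc class add dev "$DEV" parent 1:1 classid 1:10 htb rate 8mbit ceil 10mbit
    run tc class add dev "$DEV" parent 1:1 classid 1:20 htb rate 2mbit ceil 10mbit
}

# mark_rules: marks are set in mangle/POSTROUTING, the last hook before the
# egress qdisc sees the packet
mark_rules() {
    # general rule first: everything to the /24 gets mark 6 ...
    run iptables -t mangle -A POSTROUTING -o "$DEV" -d "$NET" -j MARK --set-mark 6
    # ... then the more specific rule overwrites it with mark 7. MARK does
    # not stop rule traversal, so order matters: the other way round, the
    # /24 rule would reset mark 7 back to 6.
    run iptables -t mangle -A POSTROUTING -o "$DEV" -d "$HOST" -j MARK --set-mark 7
}

# fw_filters: one fw filter per mark; the mark value is the filter handle
fw_filters() {
    run tc filter add dev "$DEV" parent 1:0 protocol ip prio 1 handle 7 fw flowid 1:20
    run tc filter add dev "$DEV" parent 1:0 protocol ip prio 2 handle 6 fw flowid 1:10
}

# "./marks.sh show" prints the commands, "./marks.sh apply" runs them (as root)
case "${1:-}" in
    show)  DRY_RUN=1; setup_classes; mark_rules; fw_filters ;;
    apply) setup_classes && mark_rules && fw_filters ;;
esac
```

For the "or source" variant in Emo's question, `-s "$HOST"` in place of `-d "$HOST"` does the same job. With one mark per case the class tree stays flat, which is what Stef means by only needing the fw filter; `iptables -t mangle -L POSTROUTING -v -n` shows whether the two rules are hit in the order expected.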
Hi all,

Has anyone configured a Linux Router in a secure / redundant configuration? By this I mean a dual (or more) boxen router, using multiple connections on both sides of the router, so that if hardware failures strike the impact on the users is minimised.

In particular, I'm interested in how load sharing can be configured for when all the hardware is working, ie normal state.

Also, has anyone used LARTC to set up a 'mesh' type configuration for sharing Internet connections with a wireless based network? I am interested in how several internet connections can be connected to a wireless mesh using LARTC.

We are looking to implement this in our local 'remote' community. The Internet feeds will be from 10MB wireless bridges located in several locations (local schools) several miles apart. Wireless bridges and access points will then be used to distribute the Internet connectivity over a radius of several miles. LARTC may then be used to provide a level of QoS to all users (approx 2000 houses in total) of the network using bandwidth sharing/allocation and queuing based on IP address and traffic.

Anyone done anything similar and willing to share experiences? Any pointers/suggestions please?

Many thanks.
John Cushnie
On Mon, 2003-02-10 at 10:12, John Cushnie wrote:
> Hi all,
>
> Has anyone configured a Linux Router in a secure / redundant
> configuration ?
> By this I mean a dual (or more) boxen router, using multiple
> connections on both sides of the router, so that if hardware failures
> strike the impact on the users is minimised.

I use keepalived (keepalived.sourceforge.net) to handle the fail over of my two Linux NAT routers. keepalived supports VRRP and will fail over a virtual address to the other machines. My working machines use the virtual address as their default gateway.

Another solution is to install OSPF on everything and let the working machines decide which route to take based on dynamic routing (OSPF).

Here is how we do it:

Two Cisco routers handle our upstream bandwidth with BGP4 to multiple providers. The Cisco routers use HSRP to fail over their Ethernet ports. The Cisco routers also speak OSPF with my two Linux firewall/LVS/routers (using zebra) which handle inbound load balancing and outbound NAT of my working machines. Working machines are set up with a virtual IP address for default gateway which is only active on one Linux firewall at a time (using keepalived).

-Matt

> In particular, I'm interested in how load sharing can be configured for
> when all the hardware is working, ie normal state.
>
> Also, has anyone used LARTC to set up a 'mesh' type configuration for
> sharing Internet connections with a wireless based network?
> I am interested in how several internet connections can be connected
> to a wireless mesh using LARTC.
> [...]
> Anyone done anything similar and willing to share experiences?
>
> Any pointers/suggestions please?
>
> Many thanks.
> John Cushnie

-- 
Matthew S. Crocker
Crocker Communications, Inc. / Vice President
PO BOX 710 Greenfield, MA 01302-0710
Voice: 413-746-2760 Fax: 413-746-3704
Web: http://www.crocker.com E-mail: matthew@crocker.com
GPG Public Key: www.keyserver.net
That isn't completely accurate. rrdtool can take data at any interval, you just need to specify it when you create the rrd file. Personally, I get snmp data on 2 interfaces every 10 seconds and store them in two rrd files, and I have a php page that generates new graphs every time I view them (I migrated away from mrtg completely and just use rrd to store and graph). This way, the only consistent load on the box is from the snmp gathering (which is a local connection). The graph script runs only once every time the page is viewed, so the load is quite low there. However, I do agree that doing it all on the client would be better, but for distributed viewing, a webpage makes a nice interface.

jay

----- Original Message -----
From: "Stef Coene" <stef.coene@docum.org>
To: <mingching.tiew@redtone.com>; <lartc@mailman.ds9a.nl>
Sent: Monday, February 10, 2003 3:59 AM
Subject: Re: [LARTC] API using cbq / tc ?

> On Monday 10 February 2003 02:58, mingching.tiew@redtone.com wrote:
> > Cool. As an MRTG idiot, I am going to ask this question:
> > why can't it provide realtime stats? You mean MRTG
> > does not chart real time graphs?
> Mrtg is not designed for that. Mrtg uses rrdtool to generate the graphs.
> You give rrdtool a number every 5 minutes. This number is stored in a
> rrd file. And you can generate a graph with the data in the rrd file.
>
> So it's for long-term graphing. If you want to do real time graphing, you
> need new data each second. And you need to generate the graph on the
> client side so you don't need to load a new graph from the server each
> second.
On Monday 10 February 2003 19:01, Jay Wineinger wrote:
> That isn't completely accurate. rrdtool can take data at any interval, you
> just need to specify it when you create the rrd file. Personally, I get
> snmp data on 2 interfaces every 10 seconds and store them in two rrd files,
> and I have a php page that generates new graphs every time I view them (I
> migrated away from mrtg completely and just use rrd to store and graph).
> This way, the only consistent load on the box is from the snmp gathering
> (which is a local connection). The graph script runs only once every time
> the page is viewed, so the load is quite low there. However, I do agree
> that doing it all on the client would be better, but for distributed
> viewing, a webpage makes a nice interface.

Still, rrdtool is not made for real time graphing. A 10 sec interval is not real-time. For me, real-time is now. And for that you need something that can graph the files locally like java or vb.

Stef
> > that doing it all on the client would be better, but for distributed
> > viewing, a webpage makes a nice interface.
> Still, rrdtool is not made for real time graphing. A 10 sec interval is not
> real-time. For me, real-time is now. And for that you need something that
> can graph the files locally like java or vb.

Hmm, typically I agree with Stef but here I'm not sure. Speed is the derivative of the transferred byte count and as such it is dependent on time. Because we can't compute a perfect derivative we have to use a difference - and it is always computed as an average over some time interval (30sec in HTB). So if you use a 5s interval in rrd it seems ok to me (it is what I plan to do here).

just my opinion :)
devik
On Tuesday 11 February 2003 17:59, Martin Devera wrote:
> Hmm, typically I agree with Stef but here I'm not sure.
> Speed is the derivative of the transferred byte count and as such
> it is dependent on time. Because we can't compute a perfect
> derivative we have to use a difference - and it is always
> computed as an average over some time interval (30sec in HTB).
> So if you use a 5s interval in rrd it seems ok to me (it
> is what I plan to do here).

If you receive an update each second, you have the feeling it's realtime. It's slow enough to understand the data and it's fast enough to feel it as real-time. It's also fast enough that you get new data before you are tired of looking at the old data.

For other people, real time can be 5 seconds. It depends on how much beer they had :)

Stef
> > So if you use a 5s interval in rrd it seems ok to me (it
> > is what I plan to do here).
> If you receive an update each second, you have the feeling it's realtime.
> It's slow enough to understand the data and it's fast enough to feel it as
> real-time. It's also fast enough that you get new data before you are tired
> of looking at the old data.

hmm :) really depends on angle of view .. From my experience ("btw" tool) 1sec is too fast because I see results like: 30kbit, 28, 10, 33, 15, 35 .... I can see every packet burst and thus my brain is not good enough to compute the average from it on the fly. So I use a 10sec moving average to have something sensible.

On the other side, there are two time variables:
- show rate
- EWMA time constant

I agree that you can have a time constant of 30sec and a sampling/show rate of 1sec. Then you get smooth and fast updates :)

Still you can use rrd because it is hierarchical - you can have the last minute in seconds resolution, then the last hour in minutes resolution etc...

devik
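The two time variables devik names, applied in code: an added example (not devik's "btw" tool and not from the thread) that reads a cumulative byte counter, such as the "Sent" line of `tc -s class show`, takes the per-interval difference as the instantaneous rate, and smooths it with an EWMA whose time constant is separate from the 1 s show rate. The counters it runs on are constructed; the class_bytes helper assumes the `tc -s class show` output layout.

```shell
#!/bin/sh
# Added example, not from the thread: devik's two time variables, a 1 s
# show rate and a 30 s EWMA time constant, applied to a cumulative byte
# counter such as the "Sent N bytes" line of "tc -s class show". The
# sample counters at the bottom are constructed.

# ewma_rates TAU: read "timestamp bytes" lines (cumulative counter, 1 s or
# any other spacing) and print "timestamp inst_bps ewma_bps" per sample.
ewma_rates() {
    tau=${1:-30}
    awk -v tau="$tau" '
        NR == 1 { pt = $1; pb = $2; next }      # first sample only seeds the counter
        {
            dt = $1 - pt
            if (dt <= 0) next                     # skip duplicate or out-of-order samples
            inst = ($2 - pb) * 8 / dt             # bit/s over this interval: the "difference"
            if (!have) {                          # seed the average with the first rate
                ewma = inst; have = 1
            } else {
                a = dt / tau                      # first-order EWMA weight; dt is normally << tau
                if (a > 1) a = 1                  # a gap longer than tau just restarts the average
                ewma += a * (inst - ewma)
            }
            printf "%d %.0f %.0f\n", $1, inst, ewma
            pt = $1; pb = $2
        }'
}

# class_bytes DEV CLASSID: current "Sent" byte counter of one class, taken
# from the class header line followed by its statistics line
class_bytes() {
    tc -s class show dev "$1" | awk -v id="$2" '
        $1 == "class" { cur = $3 }
        $1 == "Sent" && cur == id { print $2; exit }'
}

# sample_counters: constructed samples 1 s apart: a steady 4000 B/s,
# one 100 kB burst in second 4, then steady again
sample_counters() {
    printf '%s\n' "0 0" "1 4000" "2 8000" "3 12000" "4 112000" "5 116000"
}

# demo: pipe the constructed counters through a 30 s time constant
sample_counters | ewma_rates 30

# live use, one sample per second (run as a user allowed to read tc stats):
# while :; do echo "$(date +%s) $(class_bytes eth0 1:10)"; sleep 1; done | ewma_rates 30
```

On the constructed input the burst second shows an instantaneous 800000 bit/s while the smoothed value only climbs to 57600 bit/s, and the next steady second pulls it back slightly: that is the "smooth and fast updates" devik describes, with the display refreshing every second while the average still reflects the last 30 s. Lowering TAU makes the average track bursts more closely; raising it reproduces the 10 s moving-average feel devik prefers.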
Hi folks,

Can I use in the same parent but for different classes u32 filter rules:
1) filtering by ip address (very low speed only for the Internet)
2) filtering by port (smb, smtp and pop3) for the local connection

Thanks in advance
Remus
On Wednesday 12 February 2003 17:24, Remus wrote:
> Can I use in the same parent but for different classes u32 filter rules:
> 1) filtering by ip address (very low speed only for the Internet)
> 2) filtering by port (smb, smtp and pop3) for the local connection

Yes.

Stef
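Both kinds of u32 rule under one parent, as an added example that is not from the thread: the address rule at prio 1 and the port rules at prio 2 hang off the same parent 1: and send traffic to different classes. eth0, 198.51.100.7 and the class ids are constructed. One caveat worth knowing: `match ip dport` tests a fixed offset that assumes a 20-byte IP header, so packets carrying IP options are not matched by the port rules and fall through to the default class.

```shell
#!/bin/sh
# Added example, not from the thread: two kinds of u32 rules under the same
# HTB parent, one matching a destination address and one matching TCP ports,
# each steering traffic to its own class. Interface, addresses and class ids
# are constructed for illustration.

DEV=${DEV:-eth0}
DRY_RUN=${DRY_RUN:-}        # set to print commands instead of running them

run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

u32_filters() {
    # 1) by address: traffic to the Internet host 198.51.100.7 (constructed)
    #    goes to the slow class 1:30; prio 1 so it is tested first
    run tc filter add dev "$DEV" parent 1: protocol ip prio 1 u32 \
        match ip dst 198.51.100.7/32 flowid 1:30
    # 2) by port: local SMB (139, 445), SMTP (25) and POP3 (110) go to class
    #    1:20. "ip dport" reads the 16-bit word at offset 22, i.e. it assumes a
    #    20-byte IP header, so packets with IP options do not match these rules
    #    and end up in the parent's default class instead.
    for port in 139 445 25 110; do
        run tc filter add dev "$DEV" parent 1: protocol ip prio 2 u32 \
            match ip protocol 6 0xff match ip dport "$port" 0xffff flowid 1:20
    done
}

# "./u32.sh show" prints the commands, "./u32.sh apply" runs them (as root)
case "${1:-}" in
    show)  DRY_RUN=1; u32_filters ;;
    apply) u32_filters ;;
esac
```

Because filters are evaluated in prio order, a packet that matches both the address and a port rule is classified by the address rule; swap the prio values if the port rules should win. `tc -s filter show dev eth0` lists the rules with hit counters, which is the quickest way to confirm which one a flow actually landed in.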
On Wednesday 12 February 2003 09:29, devik wrote:
> hmm :) really depends on angle of view .. From my experience
> ("btw" tool) 1sec is too fast because I see results like:
> 30kbit, 28, 10, 33, 15, 35 .... I can see every packet burst
> and thus my brain is not good enough to compute the average from it
> on the fly. So I use a 10sec moving average to have something sensible.
>
> On the other side, there are two time variables:
> - show rate
> - EWMA time constant
>
> I agree that you can have a time constant of 30sec and a
> sampling/show rate of 1sec. Then you get smooth and fast
> updates :)
> Still you can use rrd because it is hierarchical - you
> can have the last minute in seconds resolution, then the last hour
> in minutes resolution etc...

Storing the value is no problem, but showing it is. I don't think it's such a good idea to refresh a webpage and reload (and draw) the graphs on it each second. So rrd for long term overview, java (or VB) for real time overview.

Stef
I have a requirement to be connected to a T1/E1 leased line WAN. Because of QoS issues, I am considering these options:

1. Purchase a router which has some form of bandwidth management - this would be expensive, right?

2. Purchase a low end router with 1 lan 1 wan, and connect a dual LAN linux before it. Will this additional hop slow down anything?

3. Purchase a supported T1/E1 interface card and plug it into the Linux box. This could be a problem for me because of support issues. What if it does not work properly? What if there are problems with the card or the drivers?

Any recommendation?
Hello all,

: 1. Purchase a router which has some form of bandwidth management - this
: would be expensive, right?

You have to decide what is expensive for you. Time, money, expertise, control, or not having a software/networking vendor to vilify.

: 2. Purchase a low end router with 1 lan 1 wan, and connect a dual LAN
: linux before it. Will this additional hop slow down anything?

Yes. But maybe not significantly enough to be a problem...depends on your pipe and usage on that pipe. Remember, it's ideal to perform traffic control on the bottleneck itself. Regardless, I'd suggest option 3 or option 1, depending on your answer to your own question in 1.

: 3. Purchase a supported T1/E1 interface card and plug it into the
: Linux box.

I recommend the Sangoma WAN cards. I've been using them for at least 3 years under linux, and they are well supported by Sangoma and the linux community (you'll see the driver in the distribution).

http://www.sangoma.com/

I've had exactly one problem with the wanpipe/wanrouter software, and it had already been identified and fixed by the time I had filed the bug report with Sangoma.

: This could be a problem for me because of support issues. What if it
: does not work properly? What if there are problems with the card or the
: drivers?

You won't have problems with support for Sangoma's cards in the kernel nor technical support from Sangoma.

-Martin
--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
<mingching.tiew@redtone.com>
2003-Feb-13 01:40 UTC
Re: Bandwidth control using Linux or other router
I am surprised because I am quite inclined towards option 2. Haha.

Regarding the Sangoma solution, what Linux kernel version are they supported on? I would need 2.4.20 or thereabouts.

Rgds.

----- Original Message -----
From: "Martin A. Brown" <mabrown-lartc@securepipe.com>
To: "Ming-Ching Tiew" <mctiew@yahoo.com>
Cc: <lartc@mailman.ds9a.nl>
Sent: Thursday, February 13, 2003 7:59 AM
Subject: Re: [LARTC] Bandwidth control using Linux or other router

> Hello all,
>
> : 1. Purchase a router which has some form of bandwidth management - this
> : would be expensive, right?
>
> You have to decide what is expensive for you. Time, money, expertise,
> control, or not having a software/networking vendor to vilify.
>
> : 2. Purchase a low end router with 1 lan 1 wan, and connect a dual LAN
> : linux before it. Will this additional hop slow down anything?
>
> Yes. But maybe not significantly enough to be a problem...depends on your
> pipe and usage on that pipe. Remember, it's ideal to perform traffic
> control on the bottleneck itself. Regardless, I'd suggest option 3 or
> option 1, depending on your answer to your own question in 1.
>
> : 3. Purchase a supported T1/E1 interface card and plug it into the
> : Linux box.
>
> I recommend the Sangoma WAN cards. I've been using them for at least 3
> years under linux, and they are well supported by Sangoma and the linux
> community (you'll see the driver in the distribution).
>
> http://www.sangoma.com/
>
> I've had exactly one problem with the wanpipe/wanrouter software, and it
> had already been identified and fixed by the time I had filed the bug
> report with Sangoma.
>
> : This could be a problem for me because of support issues. What if it
> : does not work properly? What if there are problems with the card or the
> : drivers?
>
> You won't have problems with support for Sangoma's cards in the kernel nor
> technical support from Sangoma.
Hello there again,

: > I recommend the Sangoma WAN cards. I've been using them for at least 3
: > years under linux, and they are well supported by Sangoma and the linux
: > community (you'll see the driver in the distribution).
:
: Regarding the Sangoma solution, what Linux kernel version are they
: supported on? I would need 2.4.20 or thereabouts.

Perhaps I wasn't as clear as I could have been. Support for their cards has been a part of the linux kernel distribution for quite some time.

$ find linux-2.4.20/ -type f -name wan\* -print
linux-2.4.20/include/linux/wanrouter.h
linux-2.4.20/include/linux/wanpipe.h
linux-2.4.20/include/linux/modules/wanmain.stamp
linux-2.4.20/include/linux/modules/wanmain.ver
linux-2.4.20/include/config/wan.h
linux-2.4.20/net/wanrouter/wanmain.c
linux-2.4.20/net/wanrouter/wanproc.c
linux-2.4.20/net/wanrouter/wanproc.o
linux-2.4.20/net/wanrouter/wanmain.o
linux-2.4.20/net/wanrouter/wanrouter.o
linux-2.4.20/drivers/net/wan/wanpipe_multppp.c
linux-2.4.20/drivers/net/wan/wan.o
linux-2.4.20/drivers/net/wan/wanpipe_multppp.o
linux-2.4.20/drivers/net/wan/wanpipe.o
linux-2.4.20/Documentation/networking/wan-router.txt
linux-2.4.20/Documentation/networking/wanpipe.txt
linux-2.4.20/Documentation/DocBook/wanbook.tmpl

Tschüs,

-Martin
--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
Hi,

Maybe I gave no examples of what I want, sorry.

I have the outgoing traffic rules for the 3 local IPs (some rate, ceil and etc) and I can browse or do whatever from the Internet side at that speed. But for the local net of these 3 IPs (ports smb, smtp and pop3) I would like to have 99Mbit speed. I use the htb_0_8_3 script on eth1. I can limit by IP for example 156k downlink but if I want to have for the same IP 99Mbit for local connections it does not work. The same situation I have for my imq on eth1 to limit incoming traffic as well.

      ADSL 512k/256k
            | eth0
    --------------------
    | Linux box aka fw |
    --------------------
            | eth1
      Local net of the 3 PC

Any ideas/examples?

Thanks
Remus

> On Wednesday 12 February 2003 17:24, Remus wrote:
> > Hi folks,
> >
> > Can I use in the same parent but for the different classes u32 filter rules:
> > 1) filtering by ip address (very low speed only for the Internet)
> > 2) filtering by port (smb, smtp and pop3) for the local connection
>
> Yes.
>
> Stef
> > in minutes resolution etc...
>
> Storing the value is no problem, but showing. I don't think it's such a good
> idea to refresh a webpage and reload (and draw) the graphs on it each second.
> So rrd for long term overview, java (or VB) for real time overview.

ah now I finally see your reason :) You want stats to move in realtime in your www page.
So yes then ok :-)

devik
I know MRTG runs perl scripts to keep things working for all platforms. My question is, does MRTG run C programs? I last worked on perl scripts some 5 years ago, and have almost forgotten everything about perl scripts.

----- Original Message -----
From: "Stef Coene" <stef.coene@docum.org>
To: <mingching.tiew@redtone.com>; <lartc@mailman.ds9a.nl>
Sent: Monday, February 10, 2003 4:59 PM
Subject: Re: [LARTC] API using cbq / tc ?

> On Monday 10 February 2003 02:58, mingching.tiew@redtone.com wrote:
> > Cool. As an MRTG idiot, I am going to ask this question,
> > why can't it provide realtime stats? You mean MRTG
> > does not chart real time graphs?
>
> Mrtg is not designed for that. Mrtg uses rrdtool to generate the graphs.
> You give the rrdtool each 5 minutes a number. This number is stored in a rrd
> file. And you can generate a graph with the data in the rrd file.
Hello,

This is my ADSL connection:

      ADSL 512k/256k
            | eth0
    --------------------
    | Linux box aka fw |
    --------------------
            | eth1

The firewall has smtp and pop3 servers running (I have no spare PC for an email server, but just for home use it is OK).

Could somebody check my script please, I'm a bit confused about ports 25 and 110 on eth0 and imq0.

tc qdisc del dev imq0 root
tc qdisc add dev imq0 root handle 1 htb default 10 r2q 100

tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 1 htb default 10 r2q 100

tc class add dev imq0 parent 1: classid 1:2 htb rate 500kbit burst 15k

tc class add dev imq0 parent 1:2 classid 1:10 htb rate 468kbit ceil 500Kbit burst 30k prio 0
tc qdisc add dev imq0 parent 1:10 handle 10 sfq perturb 10

tc class add dev imq0 parent 1:2 classid 1:20 htb rate 32Kbit ceil 400Kbit burst 15k prio 1
tc qdisc add dev imq0 parent 1:20 handle 20 sfq perturb 10

##############
tc filter add dev imq0 parent 1:0 protocol ip prio 100 u32 match ip sport 25 0xffff classid 1:20

Is it enough to have only sport 25 on the download link or do I need the dport as well?

##############
tc class add dev eth0 parent 1: classid 1:2 htb rate 250kbit burst 15k

tc class add dev eth0 parent 1:2 classid 1:10 htb rate 218kbit ceil 250Kbit burst 30k prio 0
tc qdisc add dev eth0 parent 1:10 handle 10 sfq perturb 10

tc class add dev eth0 parent 1:2 classid 1:20 htb rate 32Kbit ceil 250Kbit burst 15k prio 1
tc qdisc add dev eth0 parent 1:20 handle 20 sfq perturb 10

##############
tc filter add dev eth0 parent 1:0 protocol ip prio 100 u32 match ip sport 25 0xffff classid 1:20
tc filter add dev eth0 parent 1:0 protocol ip prio 100 u32 match ip sport 110 0xffff classid 1:20

The same question on eth0 (upload link): is it enough to have only sport 25 and 110 on the upload link or do I need the dport as well?
##############

Thank you very much in advance
Remus
On Thursday 13 February 2003 11:36, mingching.tiew@redtone.com wrote:
> I know MRTG runs perl scripts to keep things working for all
> platforms. My question is, does MRTG run C programs?
> I last worked on perl scripts some 5 years ago, and have almost forgotten
> everything about perl scripts.

Perl is easy. Download some scripts (like mine from docum.org, or larrd, or mrtg). The rrdtool tool is simple if you adapt an existing script so you don't have to bother with the options. Or run rrdtool from the command line.

Stef

> ----- Original Message -----
> From: "Stef Coene" <stef.coene@docum.org>
> To: <mingching.tiew@redtone.com>; <lartc@mailman.ds9a.nl>
> Sent: Monday, February 10, 2003 4:59 PM
> Subject: Re: [LARTC] API using cbq / tc ?
>
> > On Monday 10 February 2003 02:58, mingching.tiew@redtone.com wrote:
> > > Cool. As an MRTG idiot, I am going to ask this question,
> > > why can't it provide realtime stats? You mean MRTG
> > > does not chart real time graphs?
> >
> > Mrtg is not designed for that. Mrtg uses rrdtool to generate the graphs.
> > You give the rrdtool each 5 minutes a number. This number is stored in a
> > rrd file. And you can generate a graph with the data in the rrd file.

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
On Thursday 13 February 2003 09:30, devik wrote:
> > > in minutes resolution etc...
> >
> > Storing the value is no problem, but showing. I don't think it's such a
> > good idea to refresh a webpage and reload (and draw) the graphs on it
> > each second. So rrd for long term overview, java (or VB) for real time
> > overview.
>
> ah now I finally see your reason :) You want stats to
> move in realtime in your www page.
> So yes then ok :-)

Pff, it took a long thread to explain that to you. I think we can close this thread now, or do you have another suggestion?

Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
On Thursday 13 February 2003 14:24, Remus wrote:
> Hello,
>
> This is my ADSL connection:
>
>       ADSL 512k/256k
>             | eth0
>     --------------------
>     | Linux box aka fw |
>     --------------------
>             | eth1
>
> The firewall has smtp and pop3 servers running (I have no spare PC for
> an email server, but just for home use it is OK).
>
> Could somebody check my script please, I'm a bit confused about ports 25 and
> 110 on eth0 and imq0.
>
> tc qdisc del dev imq0 root
> tc qdisc add dev imq0 root handle 1 htb default 10 r2q 100
>
> tc qdisc del dev eth0 root
> tc qdisc add dev eth0 root handle 1 htb default 10 r2q 100
>
> tc class add dev imq0 parent 1: classid 1:2 htb rate 500kbit burst 15k
>
> tc class add dev imq0 parent 1:2 classid 1:10 htb rate 468kbit ceil 500Kbit
> burst 30k prio 0
> tc qdisc add dev imq0 parent 1:10 handle 10 sfq perturb 10
>
> tc class add dev imq0 parent 1:2 classid 1:20 htb rate 32Kbit ceil 400Kbit
> burst 15k prio 1
> tc qdisc add dev imq0 parent 1:20 handle 20 sfq perturb 10
>
> ##############
> tc filter add dev imq0 parent 1:0 protocol ip prio 100 u32 match ip sport
> 25 0xffff classid 1:20
> Is it enough to have only sport 25 on the download link or do I need the dport as
> well?

You never told us what's redirected to the imq device. But I suppose it's incoming traffic from the internet. If you want to match mail coming from the internet to your smtp server, you need dport 25. All traffic is sent to your smtp and that server is running on port 25.

> ##############
>
> tc class add dev eth0 parent 1: classid 1:2 htb rate 250kbit burst 15k
>
> tc class add dev eth0 parent 1:2 classid 1:10 htb rate 218kbit ceil 250Kbit
> burst 30k prio 0
> tc qdisc add dev eth0 parent 1:10 handle 10 sfq perturb 10
>
> tc class add dev eth0 parent 1:2 classid 1:20 htb rate 32Kbit ceil 250Kbit
> burst 15k prio 1
> tc qdisc add dev eth0 parent 1:20 handle 20 sfq perturb 10
>
> ##############
> tc filter add dev eth0 parent 1:0 protocol ip prio 100 u32 match ip sport
> 25 0xffff classid 1:20
> tc filter add dev eth0 parent 1:0 protocol ip prio 100 u32 match ip sport
> 110 0xffff classid 1:20
> The same question on eth0 (upload link):
> is it enough to have only sport 25 and 110 on the upload link or do I need the
> dport as well?

You connect to port 25 and it's for traffic leaving the server, so you need sport 25.

Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
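The rule Stef gives above (traffic heading to the local mail daemon is matched on dport, traffic the daemon sends back is matched on sport) as an added example; this is neither Remus's posted script nor code from Stef. It is a POSIX sh script that rebuilds the class tree from the thread with Remus's rates and generates the filters from a direction argument, so the same function cannot be told the wrong port field for a given side. Because tc needs root and the imq0 device, every command is only echoed unless RUN_TC=1 is set; TC, RUN_TC and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not the script from the LARTC thread): HTB classes for a
# small mail server with u32 filters chosen by traffic direction.
# Commands are echoed for review; set RUN_TC=1 to execute them (as root).
TC=${TC:-tc}

tc_cmd() {
    if [ "${RUN_TC:-0}" = 1 ]; then
        "$TC" "$@"
    else
        echo "tc $*"
    fi
}

# mail_filter DEV DIRECTION PORT CLASSID
#   to-server   packets arriving at the local daemon (imq0 here, which
#               carries what comes in from the ADSL line): the service
#               port is the packet's *destination* port -> dport
#   from-server packets the daemon sends out (eth0, the upload side):
#               the service port is the packet's *source* port -> sport
mail_filter() {
    _dev=$1; _dir=$2; _port=$3; _cls=$4
    case "$_dir" in
        to-server)   _key=dport ;;
        from-server) _key=sport ;;
        *) echo "mail_filter: unknown direction '$_dir'" >&2; return 1 ;;
    esac
    tc_cmd filter add dev "$_dev" parent 1:0 protocol ip prio 100 u32 \
        match ip "$_key" "$_port" 0xffff classid "$_cls"
}

# Class tree with the rates Remus posted; 1:10 is the default class,
# 1:20 the low-rate mail class, both with sfq underneath.
shape_dev() {
    _dev=$1; _link=$2; _bulk=$3; _mailceil=$4
    tc_cmd qdisc del dev "$_dev" root 2>/dev/null || true
    tc_cmd qdisc add dev "$_dev" root handle 1 htb default 10 r2q 100
    tc_cmd class add dev "$_dev" parent 1: classid 1:2 htb rate "$_link" burst 15k
    tc_cmd class add dev "$_dev" parent 1:2 classid 1:10 htb rate "$_bulk" \
        ceil "$_link" burst 30k prio 0
    tc_cmd qdisc add dev "$_dev" parent 1:10 handle 10 sfq perturb 10
    tc_cmd class add dev "$_dev" parent 1:2 classid 1:20 htb rate 32kbit \
        ceil "$_mailceil" burst 15k prio 1
    tc_cmd qdisc add dev "$_dev" parent 1:20 handle 20 sfq perturb 10
}

setup() {
    # download side: mail coming in from the internet to the smtp daemon
    shape_dev imq0 500kbit 468kbit 400kbit
    mail_filter imq0 to-server 25 1:20
    # upload side: what the smtp and pop3 daemons send back to the clients
    shape_dev eth0 250kbit 218kbit 250kbit
    mail_filter eth0 from-server 25 1:20
    mail_filter eth0 from-server 110 1:20
}

setup
```

Run it once without RUN_TC to read the generated commands, then with `RUN_TC=1` as root; the `u32 match ip dport`/`sport` lines are the only ones that differ from the posted script.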
I have just uploaded fwstat-0.89 to http://www.geocities.com/mctiew/ffw/fwstat-0.89.tgz

This version of fwstat supports collection and charting of tc class/qdisc and iptables firewall rules.

A) For 'floppyfw', it is plug and play. Absolutely no configuration needed. Just copy 'fwstatp.bz2' and 'post-fwstatp.ini' into /packages.

B) For other Linux Firewall/QoS systems, you could set up similar things by editing post-fwstatp.ini.

C) For the Linux MRTG station, you set up MRTG, fwstat.cfg and mrtg.cfg.

D) For Windows, use FFWGrapher.exe, downloadable from http://www.geocities.com/mctiew/ffw/ffwgrapher0.88.zip

-------------------------------fwstat-cfg example-------------------
# this sample configuration collects 8 different traffic data from fwstat
server 192.168.0.19 port 50000
interfaces lo0 eth0 eth1 ppp0
eth1 rx
eth1 tx
eth0 tx
ppp0 tx
eth1 class cbq 1:
eth0 qdisc htb 1:
iptables FORWARD tcp dpt:80
iptables PREROUTING tcp dpt:80 to:192.168.0.3:80
Thanks very much Stef. It works.

Best Regards
Remus

----- Original Message -----
From: "Stef Coene" <stef.coene@docum.org>
To: "Remus" <rmocius@auste.elnet.lt>; <lartc@mailman.ds9a.nl>
Sent: Thursday, February 13, 2003 8:49 PM
Subject: Re: [LARTC] I need some help with u32 filter

> > ##############
> > tc filter add dev imq0 parent 1:0 protocol ip prio 100 u32 match ip sport
> > 25 0xffff classid 1:20
> > Is it enough to have only sport 25 on the download link or do I need the dport as
> > well?
>
> You never told us what's redirected to the imq device. But I suppose it's
> incoming traffic from the internet. If you want to match mail coming from
> the internet to your smtp server, you need dport 25. All traffic is sent to
> your smtp and that server is running on port 25.
>
> > ##############
> > tc filter add dev eth0 parent 1:0 protocol ip prio 100 u32 match ip sport
> > 25 0xffff classid 1:20
> > tc filter add dev eth0 parent 1:0 protocol ip prio 100 u32 match ip sport
> > 110 0xffff classid 1:20
> > The same question on eth0 (upload link):
> > is it enough to have only sport 25 and 110 on the upload link or do I need the
> > dport as well?
>
> You connect to port 25 and it's for traffic leaving the server, so you need
> sport 25.
>
> Stef
It seems that the state monitoring ( -m state --state .... ) is valid in various tables and chains. My question is, does it make any difference? Say I need to monitor all the traffic that is started from an application, even if it is using dynamic ports; where do I put the state monitoring, PREROUTING, FORWARD or others?

For example, assuming a ftp packet is entering eth1 and gets DNAT-ed to an internal server 192.168.0.99 at PREROUTING and then gets forwarded at the FORWARD chain, is there any difference with one of these:

iptables -t nat -I PREROUTING -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED

iptables -I FORWARD -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED
> is there any difference with one
> of these:
>
> iptables -t nat -I PREROUTING -p tcp --dport 21
> -m state --state NEW,ESTABLISHED,RELATED
>
> iptables -I FORWARD -p tcp --dport 21
> -m state --state NEW,ESTABLISHED,RELATED

I could be wacky, but at this early hour of the morning my foggy brain is noticing a few things.

- Neither of these rules jumps to anything.
- The second rule is not attached to any table, which I don't think is possible...

For the first rule, I believe that rules in the nat table only apply to getting things mangled. Specifying the state in there would mean that only things in that state get mangled (dnat, snat, etc), based on the rules following it. Other packets would just have done with them whatever happens to packets that aren't associated with a session (aren't claimed by NAT, or any listening socket).

The second rule would catch packets that are to be forwarded (for nat, or for normal routing) that meet the specified requirements. What happens once it's caught depends on what you jump to....

Remember, I'm just an amateur, haven't had my coffee yet, (insert other pithy excuse for my being wrong here).
Below:

----- Original Message -----
From: "Brad Davidson" <kiloman@oatmail.org>
To: <lartc@mailman.ds9a.nl>
Sent: Wednesday, February 26, 2003 12:15 AM
Subject: Re: [LARTC] traffic state monitoring

> > is there any difference with one
> > of these:
> >
> > iptables -t nat -I PREROUTING -p tcp --dport 21
> > -m state --state NEW,ESTABLISHED,RELATED
> >
> > iptables -I FORWARD -p tcp --dport 21
> > -m state --state NEW,ESTABLISHED,RELATED
>
> I could be wacky, but at this early hour of the morning my foggy brain is
> noticing a few things.
>
> - Neither of these rules jumps to anything.

There is no need to jump to anything. The rules are added for traffic analysis. All that I am interested in is the iptables counters for each rule. A rule without a jump can be safely inserted (even on top of the ruleset!) into a chain without disrupting anything and yet is able to provide the traffic statistics of interest to me.

> - The second rule is not attached to any table, which I don't think is
> possible...

Aha, no table mentioned means the 'filter' table. That's the standard behavior of iptables.

> For the first rule, I believe that rules in the nat table only apply to
> getting things mangled. Specifying the state in there would mean that only
> things in that state get mangled (dnat, snat, etc), based on the rules
> following it. Other packets would just have done with them whatever
> happens to packets that aren't associated with a session (aren't claimed by NAT,
> or any listening socket).

Aha, I thought I understood 30% of what you say here but after reading it again and again, I must say I don't know what you are talking about.

> The second rule would catch packets that are to be forwarded (for nat, or
> for normal routing) that meet the specified requirements. What happens
> once it's caught depends on what you jump to....

There is no need to jump to anything, as I mentioned earlier.

But perhaps I would like to rephrase my question now, considering that I am getting a cold response: how do I find out the traffic stats going through a ftp or h323 session (considering that these applications create new connections which might not be using the same port etc)? Should it be:

iptables -I FORWARD -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED

or is this already sufficient:

iptables -I FORWARD -p tcp --dport 21

Actually I am thinking of a new problem now, how do I do traffic control on a ftp session directly? Is 'tc filter' sufficient? Is it able to do connection tracking?
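The accounting approach described in the message above (target-less rules at the top of FORWARD, read back through the rule counters) as an added example; this is not code from the thread. It is a POSIX sh script that emits the two candidate rules and parses the byte counters out of an `iptables -L FORWARD -v -n -x` listing. The listing here is constructed, not captured from a real firewall, and the helper names are this example's own. Two points the message does not spell out: the `--dport 21` rule alone only ever counts packets to the control port, and the `RELATED` part of the state rule only picks up the separate data connection when the kernel's FTP connection-tracking helper (`ip_conntrack_ftp` on 2.4 kernels) is loaded, so the difference between the two counters is the volume carried on the data channel.

```shell
#!/bin/sh
# Added example (not from the LARTC thread): per-rule byte accounting for an
# FTP session via target-less iptables rules and their counters.

# The two accounting rules; inserted at position 1 so nothing above them
# can ACCEPT or DROP first. They have no -j, so they never change policy.
accounting_rules() {
    echo "modprobe ip_conntrack_ftp   # helper needed for RELATED to see the data channel"
    echo "iptables -I FORWARD 1 -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED"
    echo "iptables -I FORWARD 2 -p tcp --dport 21"
}

# rule_bytes PATTERN [EXCLUDE] < listing
#   Sum the bytes column of every rule line in an 'iptables -L -v -n -x'
#   listing whose text contains PATTERN (and not EXCLUDE).  The pkts and
#   bytes columns are always the first two fields, even when the target
#   column is empty, which is why we do not address the target by index.
rule_bytes() {
    awk -v pat="$1" -v excl="${2:-}" '
        /^Chain/ || /^ *pkts/ { next }                 # skip headers
        index($0, pat) && (excl == "" || !index($0, excl)) { sum += $2 }
        END { printf "%d\n", sum + 0 }'
}

# ftp_related_bytes LISTING
#   bytes matched by the state rule but not by the plain dport-21 rule,
#   i.e. traffic the helper classified as RELATED/ESTABLISHED on ports
#   other than 21 (the data connection).
ftp_related_bytes() {
    _all=$(printf '%s\n' "$1" | rule_bytes 'dpt:21 state')
    _ctl=$(printf '%s\n' "$1" | rule_bytes 'dpt:21' 'state')
    echo $(( _all - _ctl ))
}

# Constructed listing in the layout of 'iptables -L FORWARD -v -n -x'
# (counters and addresses are invented for the example).
SAMPLE_LISTING=$(cat <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1532    1843210            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 state NEW,RELATED,ESTABLISHED
      77      12345            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
   90210   88123456 ACCEPT     all  --  *      *       192.168.0.0/24       0.0.0.0/0
EOF
)

echo "state rule:   $(printf '%s\n' "$SAMPLE_LISTING" | rule_bytes 'dpt:21 state') bytes"
echo "control only: $(printf '%s\n' "$SAMPLE_LISTING" | rule_bytes 'dpt:21' 'state') bytes"
echo "data channel: $(ftp_related_bytes "$SAMPLE_LISTING") bytes"
```

On a live box, replace the constructed listing with `iptables -L FORWARD -v -n -x`; the `-x` is what keeps the counters as exact byte counts instead of the rounded "K"/"M" values the default listing prints.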
Hello,

I have a linux box with 2 internet links where I am dividing the traffic among both links. I have one link for VPN and the other one for internet access in general. The main routing table has its default gateway and it's used for VPN access and the other routing table is used to divert all the other traffic.

If I set up a transparent proxy, all the traffic goes out through the main routing table, but I'd like it to go out via the second default gateway. I've tried to mark packets but it didn't work for the transparent proxy. Any suggestions here?

I have in the second routing table routes for the VPN LANs pointing to the default route of the main routing table and the rest gets out on the second link.

Thanks a lot.
you should try marking squid packets (output chain for example) and then add a rule (ip rule ls).. in lartc.org, http://www.lartc.org/lartc.pdf, there are plenty of examples.

tips: when marking packets in iptables, use hexadecimal, not decimal, notation. try patching the kernel if it does not work (http://www.ssi.bg/~ja/) because the kernel default source may not work...

and it's probable that squid uses as source address of the ip header the ip on the default route, so you might have to nat that src to the other interface (so packets leave the interface you want and come back in that interface and not the other -if they come..- )

greets and good speed.

On Wed, 2003-03-05 at 10:27, Alessandro Ren wrote:
> Hello,
>
> I have a linux box with 2 internet links where I am dividing the
> traffic among both links. I have one link for VPN and the other one for
> internet access in general.
> The main routing table has its default gateway and it's used for VPN
> access and the other routing table is used to divert all the other traffic.
> If I set up a transparent proxy, all the traffic goes out through the main
> routing table, but I'd like it to go out via the second default gateway.
> I've tried to mark packets but it didn't work for the transparent proxy.
> Any suggestions here?
> I have in the second routing table routes for the VPN LANs pointing
> to the default route of the main routing table and the rest gets out on the
> second link.
>
> Thanks a lot.
Esteban Ribicic wrote:
> you should try marking squid packets (output chain for example) and then
> add a rule (ip rule ls)..
> in lartc.org, http://www.lartc.org/lartc.pdf, there are plenty of examples.

Unfortunately, this will not work. It is not possible to route a locally-generated packet using a firewall mark because the routing decision is taken before the packet is sent to the MANGLE OUTPUT chain. Routing a packet using a firewall mark works only in the PREROUTING Netfilter hook.

Stephane Ouellette

> tips: when marking packets in iptables, use hexadecimal, not decimal, notation.
> try patching the kernel if it does not work (http://www.ssi.bg/~ja/) because
> the kernel default source may not work...
>
> and it's probable that squid uses as source address of the ip header the ip on
> the default route, so you might have to nat that src to the other
> interface (so packets leave the interface you want and come back in that
> interface and not the other -if they come..- )
>
> greets and good speed.
>
> On Wed, 2003-03-05 at 10:27, Alessandro Ren wrote:
after marking the packet, it is possible to route over ip (marking in output)...the packet goes to the gw you choose..routing after that is another issue, as you can't know or predict what your isp router will do.

the packet will go where you told it to go (through fwmarks) with the src address as the kernel algorithm says (probably, if bind() is not called, the ip address of the interface on which the default gw is set)..

if the src address of the packet does not match the interface you choose, it is probable that the packet leaves the interface and never comes back -my special case is that my two links are from the same isp and they route the packet through a default route in their router- ..so packets leave from one interface and come in on the other... but, you can (i haven't tried this, but i think it should work) nat the src address and the packet will go and come....maybe you should nat the packet again when it comes...
example: ip rule add from all fwmark 0x1 nat [your ip] table pppx..for example..

i have what i said working on my linux box for squid packets..they go out from one interface and come in on the other.

steve

On Wed, 2003-03-05 at 12:40, Stephane Ouellette wrote:
> Esteban Ribicic wrote:
>
> > you should try marking squid packets (output chain for example) and then
> > add a rule (ip rule ls)..
> > in lartc.org, http://www.lartc.org/lartc.pdf, there are plenty of examples.
>
> Unfortunately, this will not work. It is not possible to route a
> locally-generated packet using a firewall mark because the routing
> decision is taken before the packet is sent to the MANGLE OUTPUT chain.
> Routing a packet using a firewall mark works only in the PREROUTING
> Netfilter hook.
>
> Stephane Ouellette
>
> > tips: when marking packets in iptables, use hexadecimal, not decimal, notation.
> > try patching the kernel if it does not work (http://www.ssi.bg/~ja/) because
> > the kernel default source may not work...
> >
> > and it's probable that squid uses as source address of the ip header the ip on
> > the default route, so you might have to nat that src to the other
> > interface (so packets leave the interface you want and come back in that
> > interface and not the other -if they come..- )
> >
> > greets and good speed.
> >
> > On Wed, 2003-03-05 at 10:27, Alessandro Ren wrote:
It didn't work because the packet is trying to go out on the secondary interface using the address of the primary interface, so the packet gets dropped by the ISP.

Well, the MARK on the OUTPUT mangle worked well actually, diverting the traffic, just creating the source address problem.

Am I forgetting something?

Thanks.

-----Original Message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On Behalf Of Esteban Ribicic
Sent: Wednesday, March 05, 2003 1:00 PM
To: Stephane Ouellette
Cc: Esteban Ribicic; Alessandro Ren; LARTC
Subject: Re: [LARTC] ip rule and transparent proxy.

after marking the packet, it is possible to route over ip (marking in output)...the packet goes to the gw you choose..routing after that is another issue, as you can't know or predict what your isp router will do.

the packet will go where you told it to go (through fwmarks) with the src address as the kernel algorithm says (probably, if bind() is not called, the ip address of the interface on which the default gw is set)..

if the src address of the packet does not match the interface you choose, it is probable that the packet leaves the interface and never comes back -my special case is that my two links are from the same isp and they route the packet through a default route in their router- ..so packets leave from one interface and come in on the other... but, you can (i haven't tried this, but i think it should work) nat the src address and the packet will go and come....maybe you should nat the packet again when it comes...
example: ip rule add from all fwmark 0x1 nat [your ip] table pppx..for example..

i have what i said working on my linux box for squid packets..they go out from one interface and come in on the other.

steve

On Wed, 2003-03-05 at 12:40, Stephane Ouellette wrote:
> Esteban Ribicic wrote:
>
> > you should try marking squid packets (output chain for example) and
> > then add a rule (ip rule ls).. in lartc.org
> > http://www.lartc.org/lartc.pdf there are plenty of examples.
>
> Unfortunately, this will not work. It is not possible to route a
> locally-generated packet using a firewall mark because the routing
> decision is taken before the packet is sent to the MANGLE OUTPUT chain.
> Routing a packet using a firewall mark works only in the PREROUTING
> Netfilter hook.
>
> Stephane Ouellette
>
> > tips: when marking packets in iptables, use hexadecimal, not decimal, notation.
> > try patching the kernel if it does not work (http://www.ssi.bg/~ja/)
> > because the kernel default source may not work...
> >
> > and it's probable that squid uses as source address of the ip header the ip
> > on the default route, so you might have to nat that src to the other
> > interface (so packets leave the interface you want and come back in
> > that interface and not the other -if they come..- )
> >
> > greets and good speed.
> >
> > On Wed, 2003-03-05 at 10:27, Alessandro Ren wrote:
yeah, try NATting the packet on the rule so the src address will change. That might work. Or try looking in squid's patches or docs to see if you can specify anything in it.

greets

On Thu, 2003-03-06 at 11:18, Alessandro Ren wrote:
> It didn't work because the packet is trying to go out on the secondary interface using the address of the primary interface, so the packet gets dropped by the ISP.
> Well, the MARK on the OUTPUT mangle worked well actually, deviating the traffic, just creating the source address problem.
>
> Am I forgetting something?
>
> Thanks.

--
Esteban Ribicic
Network Operation Center
UOL-Sinectis S.A.
Florida 537 Piso 6, Buenos Aires, Argentina
+54-11-4321-9110 Ext 2503
+54-11-4321-9107 Directo
eribicic@uolsinectis.com
www.uolsinectis.com
I found a way to do that. You have to mark the packet on the OUTPUT, make a rule for that mark to go where you want, and you must set tcp_outgoing_address in the squid.conf file to match the IP address of the interface you want squid to start the connections from. It's working flawlessly for me.

The only thing is, if the link on this interface goes down, squid will not be able to access the internet anymore. I just wrote a script that checks this interface and, if it's down, changes the squid configuration file, disabling the tcp_outgoing_address.

[]s.

-----Original Message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On Behalf Of Esteban Ribicic
Sent: Thursday, March 06, 2003 12:11 PM
To: Alessandro Ren
Cc: 'LARTC'
Subject: RE: [LARTC] ip rule and transparent proxy.

yeah, try NATting the packet on the rule so the src address will change. That might work. Or try looking in squid's patches or docs to see if you can specify anything in it.

greets

On Thu, 2003-03-06 at 11:18, Alessandro Ren wrote:
> It didn't work because the packet is trying to go out on the secondary interface using the address of the primary interface, so the packet gets dropped by the ISP.
> Well, the MARK on the OUTPUT mangle worked well actually, deviating the traffic, just creating the source address problem.
>
> Am I forgetting something?
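The three-step setup Alessandro describes (mark in mangle OUTPUT, a rule sending that mark to its own routing table, tcp_outgoing_address pinned to the secondary interface) plus the link watchdog, as an added example that is not from the thread. It assumes constructed values: a secondary interface eth1 with address 192.0.2.10 and gateway 192.0.2.1, Squid running as user proxy, routing table 100, and matching Squid's packets by owner uid, which is one way to select them that the thread leaves unspecified.

```sh
#!/bin/sh
# Added example, not from the thread. All values below are constructed.
IFACE="${IFACE:-eth1}"                 # secondary interface Squid should use
IFACE_ADDR="${IFACE_ADDR:-192.0.2.10}" # its address (what the ISP expects as src)
IFACE_GW="${IFACE_GW:-192.0.2.1}"      # gateway reachable on that interface
MARK="${MARK:-0x1}"                    # hex, as the thread recommends
TABLE="${TABLE:-100}"                  # dedicated routing table
SQUID_USER="${SQUID_USER:-proxy}"      # uid Squid runs as (assumption)
SQUID_CONF="${SQUID_CONF:-/etc/squid/squid.conf}"
DRY_RUN="${DRY_RUN:-1}"                # 1 = print commands, 0 = run them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Steps 1 and 2: mark Squid's locally generated packets in mangle OUTPUT
# and route that mark through the secondary gateway via its own table.
setup_policy_routing() {
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$SQUID_USER" \
        -j MARK --set-mark "$MARK"
    run ip route add default via "$IFACE_GW" dev "$IFACE" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE"
}

# Step 3: the squid.conf line that pins the source address so the ISP
# behind IFACE does not drop the packets. Argument: interface operstate
# ("up" or anything else); prints the line to use.
squid_outgoing_line() {
    case "$1" in
        up) printf 'tcp_outgoing_address %s\n' "$IFACE_ADDR" ;;
        *)  printf '# tcp_outgoing_address disabled: %s is down\n' "$IFACE" ;;
    esac
}

# Watchdog (the script the thread mentions): read the link state, replace
# any existing tcp_outgoing_address line and tell Squid to reload.
watchdog() {
    state=$(cat "/sys/class/net/$IFACE/operstate" 2>/dev/null || echo down)
    line=$(squid_outgoing_line "$state")
    if [ "$DRY_RUN" = 1 ]; then
        echo "would write to $SQUID_CONF: $line"
    else
        sed -i '/^#* *tcp_outgoing_address/d' "$SQUID_CONF"
        printf '%s\n' "$line" >> "$SQUID_CONF"
        squid -k reconfigure
    fi
}
```

Run it with DRY_RUN=1 first to review the commands; afterwards `ip rule` and `ip route show table 100` show what was installed.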