I'm trying to debug how CPU consuming the string match could be. Is it a linear function? I mean..

1 Mbit -> 1024/8 Kbytes

Supposing the MTU payload is 1500 bytes, I have in 1 megabit
[(1024/8)*1000]*1500 = 1920000000 packets

Another thing.. this rule just filters the initial download request. That would be okay if you want to filter completely, but if you want to slow down (I mean using tc/htb/fwmarks) you wouldn't be matching the whole download, only the request...

iptables -t mangle -A PREROUTING -p tcp -m string --string "Kazaa" -j DROP

Any comment, any idea?

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
On Wednesday 11 June 2003 02:35, Esteban Ribicic wrote:
> I'm trying to debug how CPU consuming the string match could be.
> Is it a linear function? I mean..

Did you look at this project?
http://l7-filter.sourceforge.net/

--
Regards, Robert
----------------
Robert Penz robert.penz AT outertech.com
Maybe I didn't understand you, but I think you are wrong. In 1 Mbit you have:

((1/8)*1024*1024)/1500 ~= 88 packets

Isn't it??

On Wednesday 11 June 2003 02:35, Esteban Ribicic wrote:
> I'm trying to debug how CPU consuming the string match could be.
> Is it a linear function? I mean..
>
> 1 Mbit -> 1024/8 Kbytes
>
> Supposing the MTU payload is 1500 bytes, I have in 1 megabit
> [(1024/8)*1000]*1500 = 1920000000 packets
>
> Another thing.. this rule just filters the initial download request. That
> would be okay if you want to filter completely, but if you want to slow
> down (I mean using tc/htb/fwmarks) you wouldn't be matching the whole
> download, only the request...
>
> iptables -t mangle -A PREROUTING -p tcp -m string --string "Kazaa" -j DROP
>
> Any comment, any idea?

--
---------------------------------------------------------------
René Serral
Universitat Politècnica de Catalunya
rserral@ac.upc.es
UPC Campus Nord, Ed. D4
Tel: +34 934 017 432
Barcelona 08034
---------------------------------------------------------------
On Wednesday 11 June 2003 02:51, Robert Penz wrote:
> On Wednesday 11 June 2003 02:35, Esteban Ribicic wrote:
> > I'm trying to debug how CPU consuming the string match could be.
> > Is it a linear function? I mean..
>
> Did you look at this project?
>
> http://l7-filter.sourceforge.net/

The provided patches will only examine the first 8 bytes of a connection to determine the type of traffic. So if you have 1 big download, only 8 packets are checked. This can be done because the l7 patches use netfilter code to do connection tracking.

Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager" http://www.docum.org/
#lartc @ irc.oftc.net
> Another thing.. this rule just filters the initial download request. That
> would be okay if you want to filter completely, but if you want to slow
> down (I mean using tc/htb/fwmarks) you wouldn't be matching the whole
> download, only the request...
>
> iptables -t mangle -A PREROUTING -p tcp -m string --string "Kazaa" -j DROP
>
> Any comment, any idea?

You can use the iptables connmark extension (from patch-o-matic) to mark all packets from a connection, i.e.:

iptables -t mangle -N detect-abusers
# if the string kazaa is detected then the connection will be marked
iptables -t mangle -A detect-abusers -m string --string 'KaZaA' -j CONNMARK --set-mark 0x1

# check if the connection is marked; if not, inspect the packet
iptables -t mangle -A PREROUTING -m connmark --mark 0x0 -j detect-abusers
# set the packet mark from the connmark
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark

and now you can use:

tc filter add dev eth0 parent 1:0 protocol ip handle 1 fw classid your_kazaa_class

I don't use string match so I'm not sure if that would work - personally I detect "abusers" by destination port (well known ports http/smtp/pop3 are allowed at full speed).

HTH
On Wednesday, 11 June 2003 20:43, mikee wrote:
> > Another thing.. this rule just filters the initial download request. That
> > would be okay if you want to filter completely, but if you want to slow
> > down (I mean using tc/htb/fwmarks) you wouldn't be matching the whole
> > download, only the request...
> >
> > iptables -t mangle -A PREROUTING -p tcp -m string --string "Kazaa" -j DROP
> >
> > Any comment, any idea?
>
> You can use the iptables connmark extension (from patch-o-matic) to mark all
> packets from a connection, i.e.:
>
> iptables -t mangle -N detect-abusers
> # if the string kazaa is detected then the connection will be marked
> iptables -t mangle -A detect-abusers -m string --string 'KaZaA' -j CONNMARK --set-mark 0x1
>
> # check if the connection is marked; if not, inspect the packet
> iptables -t mangle -A PREROUTING -m connmark --mark 0x0 -j detect-abusers
> # set the packet mark from the connmark
> iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark

Hello,

I'm filtering Kazaa with these strings and it works fine with:

$IPTABLES -A FORWARD -p tcp -m string --string X-Kazaa-Username: -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp -m string --string X-Kazaa-Network: -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp -m string --string X-Kazaa-IP: -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp -m string --string X-Kazaa-SupernodeIP: -j REJECT --reject-with tcp-reset

With friendly regards,
Andre
On Wed 11/06/2003 at 02:35, Esteban Ribicic wrote:
> I'm trying to debug how CPU consuming the string match could be.
> Is it a linear function? I mean..
>
> 1 Mbit -> 1024/8 Kbytes
>
> Supposing the MTU payload is 1500 bytes, I have in 1 megabit
> [(1024/8)*1000]*1500 = 1920000000 packets
>
> Any comment, any idea?

Use CONNMARK as suggested by GoMi on the list in the recent thread "Questions regarding CONNMARK". With that you just have to match the first packet...

BR,
--
Eric Leblond <eric@regit.org>
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Esteban Ribicic
> Sent: Wednesday, June 11, 2003 2:36 AM
> To: netfilter@lists.netfilter.org; LARTC
> Cc: winfield@freegates.be
> Subject: kazaaa is making me crazy!
>
> I'm trying to debug how CPU consuming the string match could be.
> Is it a linear function? I mean..
>
> 1 Mbit -> 1024/8 Kbytes
>
> Supposing the MTU payload is 1500 bytes, I have in 1 megabit
> [(1024/8)*1000]*1500 = 1920000000 packets
>
> Another thing.. this rule just filters the initial download request. That
> would be okay if you want to filter completely, but if you want to slow
> down (I mean using tc/htb/fwmarks) you wouldn't be matching the whole
> download, only the request...
>
> iptables -t mangle -A PREROUTING -p tcp -m string --string "Kazaa" -j DROP
>
> Any comment, any idea?

Wouldn't it be better if you put -m state --state established on top of the rules, and also in the INPUT or FORWARD chain? That way not every packet needs to be checked for -m string --string "Kazaa".

iptables -t mangle -D PREROUTING -p tcp -m string --string "Kazaa" -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW -m string --string "Kazaa" -j DROP

Regards
Klintan
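The three cost-reduction ideas in this thread (mikee's CONNMARK rules, Stef's note that l7-filter only looks at the start of a connection, and Klintan's --state NEW rule) all amount to the same thing: decide per connection, not per packet. The Python model below is an added example written for this thread, not code from the list or from any of the projects mentioned. It replays a constructed packet stream through a plain per-packet string rule and through a connmark-style filter, counting how many packets actually get scanned. The flow keys, payloads and the `give_up_after` knob are all assumptions of the model, not netfilter options.

```python
"""Per-packet string scanning versus per-connection marking (added example).

Constructed model of the CONNMARK rule set from this thread: a packet is
scanned only while its connection carries mark 0; once the string is seen
the connection is marked and later packets inherit the mark (the
CONNMARK --restore-mark step) without being scanned. The optional
give_up_after limit models scanning only the first N packets of a
connection (l7-filter style, or a --state NEW rule when N == 1).
Flow keys and payloads are made up for the example.
"""
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

# A packet is reduced to its connection key (stand-in for the conntrack
# 5-tuple) and its TCP payload.
Packet = namedtuple("Packet", "conn payload")


def per_packet_filter(packets: List[Packet], pattern: bytes) -> Tuple[int, int]:
    """Every packet is searched, as a plain -m string rule does.
    Returns (packets_scanned, packets_matched)."""
    scanned = matched = 0
    for p in packets:
        scanned += 1
        if pattern in p.payload:
            matched += 1
    return scanned, matched


def connmark_filter(packets: List[Packet], pattern: bytes,
                    mark: int = 0x1,
                    give_up_after: Optional[int] = None) -> Tuple[int, int]:
    """Scan only while the connection is unmarked (and, if give_up_after is
    set, only its first give_up_after packets).
    Returns (packets_scanned, packets_carrying_mark)."""
    conn_mark: Dict[str, int] = {}   # conntrack mark per connection
    seen: Dict[str, int] = {}        # packets seen per connection
    scanned = marked_packets = 0
    for p in packets:
        seen[p.conn] = seen.get(p.conn, 0) + 1
        undecided = conn_mark.get(p.conn, 0) == 0 and (
            give_up_after is None or seen[p.conn] <= give_up_after)
        if undecided:                          # -m connmark --mark 0x0 -j detect-abusers
            scanned += 1
            if pattern in p.payload:           # -m string --string ... -j CONNMARK --set-mark 0x1
                conn_mark[p.conn] = mark
        if conn_mark.get(p.conn, 0) == mark:   # -j CONNMARK --restore-mark, then the tc fw filter
            marked_packets += 1
    return scanned, marked_packets


def build_stream() -> List[Packet]:
    """Constructed traffic: a Kazaa download (one request plus 1000 data
    packets) followed by a plain HTTP download of the same shape."""
    pkts = [Packet("kazaa-flow", b"GET /file HTTP/1.1\r\nX-Kazaa-Username: bob\r\n\r\n")]
    pkts += [Packet("kazaa-flow", b"\x00" * 1460)] * 1000
    pkts += [Packet("http-flow", b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n")]
    pkts += [Packet("http-flow", b"<html>" + b"x" * 1454)] * 1000
    return pkts


if __name__ == "__main__":
    stream = build_stream()
    print("per-packet rule:", per_packet_filter(stream, b"Kazaa"))
    print("connmark:", connmark_filter(stream, b"Kazaa"))
    print("connmark, first 8 packets only:", connmark_filter(stream, b"Kazaa", give_up_after=8))
    print("connmark, first packet only:", connmark_filter(stream, b"Kazaa", give_up_after=1))
```

With the 2002-packet stream the plain rule scans all 2002 packets; the connmark version scans the Kazaa request once and then skips its 1000 data packets, but still scans every packet of the innocent HTTP flow (1002 scans in total), because a connection that never matches stays at mark 0 forever. That residual cost is exactly what the first-N-packets limit or a --state NEW rule removes (9 and 2 scans respectively), at the price of missing a string that only shows up later in the connection.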
In general the string match is not reliable, as the string you're scanning for could be fragmented amongst several packets...

Ramin

On Tue, Jun 10, 2003 at 09:35:39PM -0300, Esteban Ribicic wrote:
> I'm trying to debug how CPU consuming the string match could be.
> Is it a linear function? I mean..
>
> 1 Mbit -> 1024/8 Kbytes
>
> Supposing the MTU payload is 1500 bytes, I have in 1 megabit
> [(1024/8)*1000]*1500 = 1920000000 packets
>
> Another thing.. this rule just filters the initial download request. That
> would be okay if you want to filter completely, but if you want to slow
> down (I mean using tc/htb/fwmarks) you wouldn't be matching the whole
> download, only the request...
>
> iptables -t mangle -A PREROUTING -p tcp -m string --string "Kazaa" -j DROP
>
> Any comment, any idea?
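Ramin's caveat is easy to demonstrate. The following is an added example, not code from the thread or from netfilter: it takes a constructed Kazaa-style request, cuts it into TCP segments of a chosen size, and compares the per-packet semantics of `-m string` (each payload searched on its own) with a minimal in-order reassembly that carries the last `len(pattern) - 1` bytes of the previous segment forward. The header text, the `X-Kazaa-Username:` pattern (taken from Andre's rules above) and the segment sizes are assumptions of the example.

```python
"""Per-packet string matching versus stream reassembly (added example).

Shows why a per-packet string rule can miss a pattern that straddles a
segment boundary, and the minimal in-order reassembly that fixes it.
The request below is constructed for the example.
"""
from typing import List, Tuple

# Constructed request; the pattern is one of the header names used in the thread.
REQUEST = (b"GET /download HTTP/1.1\r\n"
           b"Host: example.invalid\r\n"
           b"X-Kazaa-Username: bob\r\n\r\n")
PATTERN = b"X-Kazaa-Username:"


def segment(stream: bytes, mss: int) -> List[bytes]:
    """Cut a byte stream into in-order TCP payloads of at most mss bytes."""
    if mss <= 0:
        raise ValueError("mss must be positive")
    return [stream[i:i + mss] for i in range(0, len(stream), mss)]


def per_packet_match(segments: List[bytes], pattern: bytes) -> bool:
    """-m string semantics: every payload is searched independently, so a
    pattern split across two segments is never seen."""
    return any(pattern in seg for seg in segments)


def stream_match(segments: List[bytes], pattern: bytes) -> bool:
    """Search a sliding window of (tail of previous data) + (current segment).
    Carrying len(pattern) - 1 bytes is enough: any occurrence ends inside
    some segment, and the window for that segment reaches back far enough
    to include the occurrence's first byte. Assumes in-order delivery."""
    carry = b""
    tail = max(len(pattern) - 1, 0)
    for seg in segments:
        window = carry + seg
        if pattern in window:
            return True
        carry = window[-tail:] if tail else b""
    return False


def compare(mss: int) -> Tuple[bool, bool]:
    """Return (per_packet_result, reassembled_result) for a given segment size."""
    segs = segment(REQUEST, mss)
    return per_packet_match(segs, PATTERN), stream_match(segs, PATTERN)


if __name__ == "__main__":
    for mss in (1460, 56, 8):
        print(f"mss={mss:5d}: per-packet={compare(mss)[0]!s:5}  reassembled={compare(mss)[1]}")
```

With a full-size segment both approaches match. With a boundary falling inside the header name (mss=56 here) the per-packet rule returns nothing while the reassembled search still finds it, and with tiny segments (mss=8) the pattern never fits in a single payload at all. This is the reason connection-aware tools reassemble before matching, and why a per-packet string rule should be treated as best-effort classification rather than a reliable block.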