Hi All,

Does anyone know of a way to limit the speed of *individual* TCP sessions, but without placing any overall bandwidth limits, and without requiring an explicit QoS entry for every IP address the machine is communicating with?

The scenario is a mailserver - say you want to limit individual TCP sessions (pop3, smtp etc) to no more than 512Kbit so that an individual session can't hog your bandwidth, but you don't want to place a maximum limit on the TOTAL traffic. Also it's impossible to set up normal per-IP-address QoS classes, because there are potentially an almost infinite number of possible IP addresses that might try to connect to the server.

Any ideas?

Regards,
Simon

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
On Friday 10 September 2004 01:57, Simon Byrnand wrote:
> The scenario is a mailserver - say you want to limit individual TCP
> sessions (pop3, smtp etc) to no more than 512Kbit so that an individual
> session can't hog your bandwidth, but you don't want to place a maximum
> limit on the TOTAL traffic.

It's not quite clear to me what you want to do. Either you don't want to limit bandwidth and just make sure that one connection cannot choke the other - I'd use SFQ or similar for that, some kind of scheduler that makes sure that every connection gets its turn. Or you want to limit traffic one way or another, then you have to put it into a traffic limiting QoS class. All connections together, of course.

How to impose a bandwidth limit on a PER CONNECTION basis is quite a frequently asked question on this list, and I don't remember seeing any good answer for that one yet. But I don't even think that it's a good approach to shaping at all. You'd have to add another class for each connection, and no one can guarantee that summed together, these connections don't exceed the total bandwidth of your line. As long as you can open as many connections as you like, you can torpedo such a shaping setup easily. Especially if you don't know your users... users are intelligent and evil. As soon as they notice that some types of connections get better bandwidth than others, they'll start tunneling their data transfers...

Andreas
Dear Simon,

I believe that in the first place we may need to understand the implementation of the TCP session. The TCP framework is built in such a way that the various applications developed on it (SMTP, POP, and HTTP) can use the features you are talking about, essentially session and connection. They are very much controlled by the low-level system programs (kernel/modules) and eventually highly complicated to bring to a command level interface like tc. All in all, I believe that it may not be easy to control those parameters from a command line interpreter like tc unless we all share a big design, but it would be great! Isn't it?

Thanks & Regards
Krishna Guda
On Friday 10 September 2004 01:57, Simon Byrnand wrote:
> Does anyone know of a way to limit the speed of *individual* TCP sessions,
> but without placing any overall bandwidth limits, and without requiring an
> explicit QoS entry for every ip address the machine is communicating with ?
> [...]
> Any ideas ?

Seems to me like it should be configurable per MTA.. I don't know if yours/any implement this.. mhm.

-- 
.: Jakub Głazik (zytek)
.: email:zytek@ostrow-wlkp.net
.: JID:zytek@azazel.ostrow-wlkp.net
.: http://www.misiaj.sie.pl [obsolete]
Hi,

I can't imagine a "clean" tc-only solution, but look at the extra-patch-o-matic matches in iptables:

from http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-connrate
-----------------
Author: Nuutti Kotivuori <naked@iki.fi>
Status: Working, but received only minimal testing

The connrate match is used to match against the current transfer speed of a connection. The algorithm averages transferred bytes over a time sliding window of constant size. The maximum and minimum rates measurable are explained in the code, along with the algorithm used in the measurements.

This match can easily be used to reclassify connections based on their current transfer rate, but is not meant for directly dropping packets, because packet drops affect the rate being estimated.

The transfer rate per connection can also be viewed through /proc/net/ip_conntrack.

Usage:
--connrate [!] [FROM]:[TO]

will match packets from a connection which is currently transferring more than FROM bytes per second and less than TO bytes per second. 'inf' can be used to signify the largest measurable transfer rate. If FROM is omitted, it defaults to zero. If TO is omitted, it defaults to infinity. "!" is used to match packets not falling in the range.

Example:

iptables .. -m connrate --connrate 10000:100000 ...

=> match packets in connections transferring faster than 10kbps, but slower than 100kbps.

iptables .. -m tos --tos Minimize-Delay \
    -m connrate --connrate 20000:inf \
    -j TOS --set-tos Maximize-Throughput

=> match packets in minimize-delay TOS connections that are transferring faster than 20kbps and change their tos to maximize-throughput instead.
-------------------------

you could re-classify every *single* connection exceeding your maximum to a "you get less than normal sessions"-htb/hfsc class....

perhaps this is what you want?
(although it means you'll have to patch your kernel ;)

Greetings

Tobias

On Friday, 10 September 2004 01:57, Simon Byrnand wrote:
> Does anyone know of a way to limit the speed of *individual* TCP sessions,
> but without placing any overall bandwidth limits, and without requiring an
> explicit QoS entry for every ip address the machine is communicating with ?
> [...]
> Any ideas ?
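The reclassification Tobias describes, written out as an added example that is not part of this thread or of the netfilter project's code: it assumes a kernel carrying the patch-o-matic connrate match plus CONNMARK, eth0 as the outbound interface and a 100 Mbit link (all assumptions), and it prints the iptables/tc commands instead of executing them unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example, not from the thread. Marks connections whose measured
# rate exceeds 64000 B/s (512 kbit/s) with the patch-o-matic connrate
# match, then steers marked packets into a slow HTB class.
# Assumptions: outbound interface eth0, a 100 Mbit link, a kernel with
# the connrate patch, and CONNMARK support. Commands are printed unless
# DRY_RUN=0 is set, so the script is safe to read and run as-is.
DEV="${DEV:-eth0}"
LIMIT_BPS=64000   # 512 kbit/s in bytes per second, the unit connrate uses

run() {
    if [ "${DRY_RUN:-1}" = 0 ]; then "$@"; else echo "$*"; fi
}

mark_fast_connections() {
    # Store the mark in the conntrack entry (CONNMARK) rather than the packet:
    # once a connection is shaped down to 512 kbit its measured rate drops
    # below LIMIT_BPS, and a plain MARK rule would flip it back and forth.
    run iptables -t mangle -A POSTROUTING -o "$DEV" -p tcp \
        -m connrate --connrate "${LIMIT_BPS}:inf" \
        -j CONNMARK --set-mark 1
    # Copy the (now sticky) connection mark onto every outgoing packet for tc.
    run iptables -t mangle -A POSTROUTING -o "$DEV" -p tcp \
        -j CONNMARK --restore-mark
}

shape_marked_connections() {
    # 1:10 is the default class and may use the whole link (no total cap);
    # 1:20 holds the marked connections and is limited to 512 kbit.
    run tc qdisc add dev "$DEV" root handle 1: htb default 10
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate 100mbit
    run tc class add dev "$DEV" parent 1:1 classid 1:10 htb rate 99mbit ceil 100mbit
    run tc class add dev "$DEV" parent 1:1 classid 1:20 htb rate 512kbit ceil 512kbit
    # sfq shares the penalty class fairly among all offending connections.
    run tc qdisc add dev "$DEV" parent 1:20 handle 20: sfq perturb 10
    # fw filter: packets carrying mark 1 go to the penalty class.
    run tc filter add dev "$DEV" parent 1: protocol ip prio 1 handle 1 fw flowid 1:20
}

apply_all() {
    mark_fast_connections
    shape_marked_connections
}

apply_all
```

Class 1:20 caps all offending connections together at 512 kbit, so a lone offender gets the full 512 kbit while several share it through sfq; giving each connection its own 512 kbit would need a class per connection, which is the scaling problem Andreas raised.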
Great Tobias, sounds good for limiting per session tcp.. Thanks, I also want to test it. Will post to list if I succeed..

Regards,
Rio Martin.

On 11 September 2004 at 10:14, Tobias Geiger wrote:
> Hi,
>
> I can't imagine a "clean" tc-only solution,
> but look at the extra-patch-o-matic matches in iptables:
> [...]
> you could re-classify every *single* connection exceeding your maximum to a
> "you get less than normal sessions"-htb/hfsc class....
>
> perhaps this is what you want?
> (although it means you'll have to patch your kernel ;)