In the out chain you're marking them as mark 5, but only saving it as mark
7. That would cause you to possibly miss some tcp streams, but depending on
the protocol a lot might be marked just from the incoming data. As for how
much data was marked, look at the incoming counters: of the 100,854
packets, 78,910 had a mark restored, and 2904 were newly marked. That means
81814 out of 100,854 incoming packets were marked as p2p; that's 80% and a
lot more than 625k.

Beyond the mark 5/7 mixup in the outgoing marking, you also didn't mention
the IMQ rule in the previous email. Normally the
iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j ACCEPT
rule is good, as it makes sure the mark doesn't get changed again after it's
been saved once and later restored. However, in this case it means it was
leaving your chain before reaching the IMQ target. So for your case it
should be safe to remove that rule. This will likely fix the problem you
were really having of the incoming data not all going to the IMQ.
- Jody
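
A small lint over the rule script, added here as an example and not code from either email: it reads iptables and tc command lines from stdin and reports, per chain, a MARK --set-mark value that no CONNMARK --save-mark rule in the same chain persists (the 5/7 mixup above), an ACCEPT short-cut placed ahead of a -j IMQ rule (the reason the IMQ counter stays low), and a tc fw filter handle that no MARK rule ever sets. The rule text is a constructed copy of the quoted script with one command per line (tc class/qdisc lines left out); the "corrected" variant applies the advice in this thread, namely the "! --mark 0" save rule from the earlier mail and dropping the DSL-IN ACCEPT before IMQ. It only parses commands written in the form posted here, not iptables-save output.

```shell
#!/bin/sh
# Added example, not code from the thread: lint a marking script for the
# problems discussed in the reply above. Assumes one command per line.

# Constructed copy of the quoted script (tc class/qdisc lines omitted):
# DSL-OUT sets mark 5 but saves mark 7, and DSL-IN's ACCEPT short-cut
# sits in front of the IMQ rule.
rules_broken() {
cat <<'EOF'
tc filter add dev $DEV parent 2:0 prio 1 protocol ip handle 5 fw flowid 2:21
iptables -t mangle -N DSL-OUT
iptables -t mangle -I POSTROUTING -o $DEV -j DSL-OUT
iptables -t mangle -A DSL-OUT -p tcp -j CONNMARK --restore-mark
iptables -t mangle -A DSL-OUT -p tcp -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A DSL-OUT -m ipp2p --edk --dc --bit --soul -j MARK --set-mark 5
iptables -t mangle -A DSL-OUT -p tcp -m mark --mark 7 -j CONNMARK --save-mark
tc filter add dev imq0 parent 2:0 prio 1 protocol ip handle 7 fw flowid 2:21
iptables -t mangle -N DSL-IN
iptables -t mangle -I PREROUTING -i $DEV -j DSL-IN
iptables -t mangle -A DSL-IN -p tcp -j CONNMARK --restore-mark
iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A DSL-IN -m ipp2p --edk --dc --bit --soul -j MARK --set-mark 7
iptables -t mangle -A DSL-IN -p tcp -m mark --mark 7 -j CONNMARK --save-mark
iptables -t mangle -A DSL-IN -j IMQ --todev 0
EOF
}

# Same rules with the advice applied: save whatever mark was set
# ("! --mark 0" save rule from the earlier mail) and drop the DSL-IN
# ACCEPT so every incoming packet reaches IMQ.
rules_fixed() {
cat <<'EOF'
tc filter add dev $DEV parent 2:0 prio 1 protocol ip handle 5 fw flowid 2:21
iptables -t mangle -N DSL-OUT
iptables -t mangle -I POSTROUTING -o $DEV -j DSL-OUT
iptables -t mangle -A DSL-OUT -p tcp -j CONNMARK --restore-mark
iptables -t mangle -A DSL-OUT -p tcp -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A DSL-OUT -m ipp2p --edk --dc --bit --soul -j MARK --set-mark 5
iptables -t mangle -A DSL-OUT -p tcp -m mark ! --mark 0 -j CONNMARK --save-mark
tc filter add dev imq0 parent 2:0 prio 1 protocol ip handle 7 fw flowid 2:21
iptables -t mangle -N DSL-IN
iptables -t mangle -I PREROUTING -i $DEV -j DSL-IN
iptables -t mangle -A DSL-IN -p tcp -j CONNMARK --restore-mark
iptables -t mangle -A DSL-IN -m ipp2p --edk --dc --bit --soul -j MARK --set-mark 7
iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j CONNMARK --save-mark
iptables -t mangle -A DSL-IN -j IMQ --todev 0
EOF
}

# Read commands on stdin, print one finding per line (nothing when clean).
lint_rules() {
    awk '
    /iptables .* -A [A-Za-z0-9_-]+/ {
        chain = $0; sub(/.*-A /, "", chain); sub(/ .*/, "", chain)
        # mark values this chain sets
        if (match($0, /--set-mark [0-9]+/)) {
            n = substr($0, RSTART + 11, RLENGTH - 11)
            setmark[chain, n] = 1; anyset[n] = 1
        }
        # mark values this chain persists into the conntrack entry
        if ($0 ~ /-j CONNMARK --save-mark/) {
            if ($0 ~ /! --mark 0/ || $0 !~ /-m mark/) saveall[chain] = 1
            else if (match($0, /--mark [0-9]+/))
                saved[chain, substr($0, RSTART + 7, RLENGTH - 7)] = 1
        }
        # ACCEPT ends traversal of the chain, so a later IMQ rule is never hit
        if ($0 ~ /-j ACCEPT/) accept[chain] = 1
        if ($0 ~ /-j IMQ/ && accept[chain]) imq_after_accept[chain] = 1
    }
    /tc filter add dev / && /handle [0-9]+ fw/ {
        dev = $0; sub(/.*add dev /, "", dev); sub(/ .*/, "", dev)
        match($0, /handle [0-9]+/)
        fwhandle[dev] = substr($0, RSTART + 7, RLENGTH - 7)
    }
    END {
        for (k in setmark) {
            split(k, p, SUBSEP)
            if (!saveall[p[1]] && !saved[p[1], p[2]])
                printf "%s: mark %s is set but never saved to the connection\n", p[1], p[2]
        }
        for (c in imq_after_accept)
            printf "%s: ACCEPT rule precedes -j IMQ, so restored-mark packets never reach IMQ\n", c
        for (d in fwhandle)
            if (!anyset[fwhandle[d]])
                printf "%s: fw filter handle %s matches a mark no rule sets\n", d, fwhandle[d]
    }'
}

echo "== quoted script"
rules_broken | lint_rules
echo "== corrected script"
rules_fixed | lint_rules
```

On the quoted script the lint reports two findings (DSL-OUT sets mark 5 but only saves 7; DSL-IN's ACCEPT precedes IMQ) and nothing on the corrected one. The awk keys on "-A CHAIN", so chains referenced only by -I/-N jump rules are ignored, and a save rule with "! --mark 0" or no -m mark at all is treated as saving every mark, which is what the suggested rule does.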
On 2/7/06, Vaidas <admin@vdx.lt> wrote:
> Allright...
>
> tc qdisc add dev $DEV root handle 2:0 htb default 20 r2q 2
> tc class add dev $DEV parent 2:0 classid 2:10 htb rate ${RATETOTAL}kbit
> tc class add dev $DEV parent 2:10 classid 2:20 htb rate ${RATETOTAL}kbit ceil ${RATETOTAL}kbit prio 0
> tc class add dev $DEV parent 2:10 classid 2:21 htb rate 1kbit ceil ${RATEUP}kbit prio 1
> tc qdisc add dev $DEV parent 2:20 handle 20:0 sfq perturb 10
> tc qdisc add dev $DEV parent 2:21 handle 21:0 sfq perturb 10
> tc filter add dev $DEV parent 2:0 prio 1 protocol ip handle 5 fw flowid 2:21
> iptables -t mangle -N DSL-OUT
> iptables -t mangle -I POSTROUTING -o $DEV -j DSL-OUT
> iptables -t mangle -A DSL-OUT -p tcp -j CONNMARK --restore-mark
> iptables -t mangle -A DSL-OUT -p tcp -m mark ! --mark 0 -j ACCEPT
> iptables -t mangle -A DSL-OUT -m ipp2p --edk --dc --bit --soul -j MARK --set-mark 5
> iptables -t mangle -A DSL-OUT -p tcp -m mark --mark 7 -j CONNMARK --save-mark
>
> ip link set imq0 up
> tc qdisc add dev imq0 root handle 2:0 htb default 20 r2q 2
> tc class add dev imq0 parent 2:0 classid 2:10 htb rate ${RATETOTAL}kbit
> tc class add dev imq0 parent 2:10 classid 2:20 htb rate ${RATETOTAL}kbit ceil ${RATETOTAL}kbit prio 0
> tc class add dev imq0 parent 2:10 classid 2:21 htb rate 2kbit ceil ${RATEDN}kbit prio 1
> tc qdisc add dev imq0 parent 2:20 handle 20:0 sfq perturb 10
> tc qdisc add dev imq0 parent 2:21 handle 21:0 sfq perturb 10
> tc filter add dev imq0 parent 2:0 prio 1 protocol ip handle 7 fw flowid 2:21
> iptables -t mangle -N DSL-IN
> iptables -t mangle -I PREROUTING -i $DEV -j DSL-IN
> iptables -t mangle -A DSL-IN -p tcp -j CONNMARK --restore-mark
> iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j ACCEPT
> iptables -t mangle -A DSL-IN -m ipp2p --edk --dc --bit --soul -j MARK --set-mark 7
> iptables -t mangle -A DSL-IN -p tcp -m mark --mark 7 -j CONNMARK --save-mark
> iptables -t mangle -A DSL-IN -j IMQ --todev 0
>
> still not working :))))))))
> I don't know what else to do, tried everything :/
>
> uTorrent has been downloading for half an hour, but the counters are...
>
> Chain DSL-OUT (1 references)
>     pkts      bytes target     prot opt in     out     source               destination
>    80515  5464493 CONNMARK   tcp  --  any    any     anywhere             anywhere            CONNMARK restore
>    52501  3402390 ACCEPT     tcp  --  any    any     anywhere             anywhere            MARK match !0x0
>     3593   464055 MARK       all  --  any    any     anywhere             anywhere            ipp2p v0.8.0 --edk --dc --bit --soul MARK set 0x5
>        0        0 CONNMARK   tcp  --  any    any     anywhere             anywhere            MARK match 0x7 CONNMARK save
> Chain DSL-IN (1 references)
>     pkts      bytes target     prot opt in     out     source               destination
>   100854 97487345 CONNMARK   tcp  --  any    any     anywhere             anywhere            CONNMARK restore
>    78190 92347437 ACCEPT     tcp  --  any    any     anywhere             anywhere            MARK match !0x0
>     2904   625681 MARK       all  --  any    any     anywhere             anywhere            ipp2p v0.8.0 --edk --dc --bit --soul MARK set 0x7
>      274    39048 CONNMARK   tcp  --  any    any     anywhere             anywhere            MARK match 0x7 CONNMARK save
>    30759  6358180 IMQ        all  --  any    any     anywhere             anywhere            IMQ: todev 0
>
> Only 625681 bytes marked as p2p :(
>
> -----Original Message-----
> From: Jody Shumaker [mailto:jody.shumaker@gmail.com]
> Sent: 6 February 2006 21:23
> To: Vaidas
> Cc: lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] p2p marking, again
>
> Bah, I don't know why I didn't notice this before in your previous
> email. It's obvious now that you gave the states output:
> iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --restore-mark
> that line is horribly wrong, it should be:
> iptables -t mangle -A DSL-IN -p tcp -j CONNMARK --restore-mark
> The whole point is that ipp2p can't match on every packet! So you save
> the mark and then restore it.  However, you were conditionally
> restoring the mark only when ipp2p matched, which completely defeats
> the purpose. There's also no reason to have the "-m ipp2p --ipp2p"
> when saving the mark, as this adds more work than is necessary.
> Instead of:
> iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --save-mark
> I'd suggest:
> iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j CONNMARK --save-mark
> As this match would be much faster, and would mean no redundant work
> on matching ipp2p.  I'd also suggest combining your tcp and udp
> matches for ipp2p into 1.
>
> I'd also suggest not using the -m ipp2p --ipp2p, instead listing out the
> protocols to match, even if it's all of them.  For some reason, --ipp2p
> doesn't match all of the safe-to-identify protocols. I used it at one
> point but then after updating it stopped including bittorrent. As
> listed on the ipp2p docs right now:
> -m ipp2p --ipp2p
> -m ipp2p --edk --kazaa --gnu --dc
> are identical, meaning --ipp2p only matches edonkey, kazaa, gnutella,
> and directconnect, leaving out the very easy to match and common
> Bittorrent. I'd suggest using:
> -m ipp2p --edk --kazaa --gnu --dc --bit
>
> In the end this would result in this for your script:
> #restore mark
> iptables -t mangle -A DSL-IN -p tcp -j CONNMARK --restore-mark
> #skip rest of chain if packet already marked
> iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j ACCEPT
> #match p2p traffic.
> iptables -t mangle -A DSL-IN -m ipp2p --bit --edk --kazaa --gnu --dc -j MARK --set-mark 7
> #save mark
> iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j CONNMARK --save-mark
>
> - Jody
>
> On 2/6/06, Vaidas <admin@vdx.lt> wrote:
> >
> > Hey, one more question for ipp2p
> >
> > iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --restore-mark
> > iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j ACCEPT
> > iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j MARK --set-mark 7
> > iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --save-mark
> > iptables -t mangle -A DSL-IN -p udp -m ipp2p --ipp2p -j MARK --set-mark 7
> >
> > By this set of commands, should all p2p packets be marked well? Because very
> > few of them are marked on my server…
> >
> > Chain DSL-IN (1 references)
> >     pkts      bytes target     prot opt in     out     source               destination
> >    13708  2260152 CONNMARK   tcp  --  any    any     anywhere             anywhere            ipp2p v0.8.1_rc1 --ipp2p CONNMARK restore
> >    11456  2016247 ACCEPT     tcp  --  any    any     anywhere             anywhere            MARK match !0x0
> >     2252   243905 MARK       tcp  --  any    any     anywhere             anywhere            ipp2p v0.8.1_rc1 --ipp2p MARK set 0x7
> >     2252   243905 CONNMARK   tcp  --  any    any     anywhere             anywhere            ipp2p v0.8.1_rc1 --ipp2p CONNMARK save
> >   183300 33333958 MARK       udp  --  any    any     anywhere             anywhere            ipp2p v0.8.1_rc1 --ipp2p MARK set 0x7
> >
> > Only a few Kbytes of tcp, and a few Mbytes of udp... but downloading was up
> > at 320kbps all night
> >
> > ______________________________________
> >
> > Vaidas
> >
> > VDXnet systems administrator
> > _______________________________________________
> > LARTC mailing list
> > LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc