Hello! I need assistance to solve my problem related to traffic shaping based on the user ids.

The problem: each unix user (of the linux host) has to be limited with incoming channel (internet) bandwidth. I need this to implement an internet access solution based on ltsp (http://www.ltsp.org).

As far as I know the best way to shape traffic in linux is CBQ. But there is no filter based on unix user id (the reason is clear for everybody -- an ip packet doesn't contain this information).

I've found the very interesting netfilter patches at the patch-o-matic:
http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-owner-socketlookup
http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-owner-supgids
http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-ip_queue_vwmark

Am I on the right way? How can I combine the power of netfilter and traffic control systems to solve my problem?

I am new in this topic, so excuse me if my questions are too simple or "dummy" :-)

Thank you beforehand!

--
Sincerely yours,
Vitaly Repin
Ice Brains Software, ltd
vit@icebrains-soft.com
2006-Sep-08 19:13 UTC
UIDs, virtual network inside localhost, etc. Pls help me.
Hello! I need assistance to solve my problem related to traffic shaping based on the user ids.

The problem: each unix user (of the linux host) has to be limited with incoming channel (internet) bandwidth.

Solution I want to implement:

                                  ____________
  unix user1 <-> IP1 \           |            |
  ....                <--------> | gw IP, NAT |<-----> eth interface
  unix userN <-> IPN /      ^    |____________|
                            |
                            |_____ traffic shaper is here

Each unix user sends and receives network data through a dedicated IP address (which belongs to one of the aliases of the localhost interface - lo:1, lo:2 etc). All IP addresses are in the same network (for example, 192.168.5.0). One of the localhost aliases acts as a gateway (192.168.5.1, for example). And to send and receive data to the actual network, (S)NAT is required. To shape the traffic, the linux traffic shaper (CBQ) is used.

It seems to me this scheme looks good and real (in my case, the quantity of simultaneously connected users is less than 50). Am I right? But can anybody give me some advice how to implement it? :-)

Problems appeared at my first step. As a first step, I've tried to construct the "virtual network" IP1..IPN and gw IP:

# ifconfig lo:1 inet 192.168.5.1 up

And immediately after executing this command it is possible to ping any 192.168.5.x IP address, not only 192.168.5.1 (as I've expected). Why??? What is the problem?

Thank you beforehand!

--
Sincerely yours,
Vitaly Repin
Ice Brains Software, ltd
Hi,

vit@icebrains-soft.com wrote:
...
> But there is no filter based on unix user id (the reason is clear for
> everybody -- ip packet doesn't contain this information).
>
> I've found the very interesting netfilter patches at the patch-o-matic:
...
There is no need for POM patches, you may use the "owner" match from iptables. (see: man iptables)

> Am I on the right way? How can I combine the power of netfilter and
> traffic control systems to solve my problem?
...
You might match for each user and then set a mark or even classify directly by iptables. (see man, too)

Howto mark: http://lartc.org/howto/lartc.qdisc.filters.html (9.6.2, fwmark)

Btw.. there is no best (classful) qdisc, this varies on your needs. Nevertheless, I'd take htb because it's relatively simple to set up (personally I like hfsc though). You may just try them out. :)

Bye,
Andreas.
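Andreas's suggestion (owner match, fwmark, classful qdisc) written out as a script. This is an added example, not code from the thread; it assumes the upstream interface is eth0, uses HTB as he recommends, and shapes only locally generated (outgoing) traffic, since that is the only direction the owner match sees. With RUN=echo (the default) it just prints the tc/iptables commands.

```shell
#!/bin/sh
# Added example (not from the thread): per-user limits on locally generated
# traffic via iptables "owner" match -> fwmark -> HTB class.
# Assumptions: upstream interface $IFACE, link speed $LINK_KBIT.
# RUN=echo only prints the commands; set RUN="" to apply them as root.
IFACE=${IFACE:-eth0}
LINK_KBIT=${LINK_KBIT:-10000}
RUN=${RUN:-echo}

# fwmark for a uid. Marks double as HTB minor ids, which are 16 bit, so
# fold the uid into 1000..64999 and keep 1:1 (root) and 1:2 (default) free.
uid_mark() {
    echo $(( 1000 + $1 % 64000 ))
}

# Root HTB qdisc, a parent class for the whole link and a leaf class for
# traffic that carries no mark (htb's "default" minor id is parsed as hex).
setup_root() {
    $RUN tc qdisc replace dev "$IFACE" root handle 1: htb default 2
    $RUN tc class add dev "$IFACE" parent 1: classid 1:1 htb rate "${LINK_KBIT}kbit"
    $RUN tc class add dev "$IFACE" parent 1:1 classid 1:2 htb rate "${LINK_KBIT}kbit"
}

# shape_user UID RATE_KBIT CEIL_KBIT: one leaf class per user, a fw filter
# that maps the mark to it, and a mangle rule that sets the mark on every
# packet the user's processes send (owner match works in OUTPUT only).
shape_user() {
    mark=$(uid_mark "$1")
    cls=$(printf '1:%x' "$mark")   # tc class minor ids are hex, marks decimal
    $RUN tc class add dev "$IFACE" parent 1:1 classid "$cls" htb rate "${2}kbit" ceil "${3}kbit"
    $RUN tc filter add dev "$IFACE" parent 1: protocol ip prio 1 handle "$mark" fw flowid "$cls"
    $RUN iptables -t mangle -A OUTPUT -m owner --uid-owner "$1" -j MARK --set-mark "$mark"
}

# shape_all reads "uid rate ceil" lines from stdin and sets everything up.
shape_all() {
    setup_root
    while read -r uid rate ceil; do
        shape_user "$uid" "$rate" "$ceil"
    done
}

# Two constructed users: uid 1001 gets 256 kbit/s, uid 1002 gets 512 kbit/s,
# both may borrow up to 1024 kbit/s when the link is idle.
shape_all <<EOF
1001 256 1024
1002 512 1024
EOF
```

Incoming traffic is not covered here: replies arrive before any user-space socket owns them, which is exactly the gap the thread goes on to discuss.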
Hello, Andreas!

Yes, the owner match is great. But I can mark only outgoing packets this way. And as far as I know, the traffic shaper needs to know who is the owner of the incoming packets to do the shaper job. And that's why it is required to patch the kernel, it seems to me. Have I misunderstood something?

But I've recently sent to this mailing list another letter related to this problem. It seems to me, if each unix user would use a different IP address, it is not a problem to do the shaping.

Thank you for your response.

> Hi,
>
> vit@icebrains-soft.com wrote:
> ...
> > But there is no filter based on unix user id (the reason is clear for
> > everybody -- ip packet doesn't contain this information).
> >
> > I've found the very interesting netfilter patches at the patch-o-matic:
> ...
> There is no need for POM patches, you may use the "owner" match from
> iptables. (see: man iptables)
> > Am I on the right way? How can I combine the power of netfilter and
> > traffic control systems to solve my problem?
> ...
> You might match for each user and then set a mark or even classify directly
> by iptables. (see man, too)
>
> Howto mark: http://lartc.org/howto/lartc.qdisc.filters.html (9.6.2, fwmark)
>
> Btw.. there is no best (classful) qdisc, this varies on your needs.
> Nevertheless, I'd take htb because it's relatively simple to set up
> (personally I like hfsc though).
> You may just try them out. :)
>
> Bye,
> Andreas.

--
Sincerely yours,
Vitaly Repin
Ice Brains Software, ltd