Hi!

I'm wondering whether anyone has successfully set up a bandwidth control system using ipp2p and shorewall. I have been able to drop connections altogether, but I don't seem to be able to get CONNMARK working with ipp2p. Any pointers would be greatly appreciated :)

______________________________
Mario R. Pizzolanti
Mario R. Pizzolanti wrote:

> Hi!
> I'm wondering whether anyone has successfully set up a bandwidth control
> system using ipp2p and shorewall. I have been able to drop connections
> altogether, but I don't seem to be able to get CONNMARK working with ipp2p.
> Any pointers would be greatly appreciated :)

I've gone out on a limb and added ipp2p/CONNMARK support to the Shorewall development thread (CVS Shorewall2). This is in stark violation of my usual policy of not providing explicit Shorewall support for Patch-O-Matic[-NG] features and we will see how this experiment goes. Just remember that the Shorewall lists are not appropriate forums for asking questions about building kernels or about building iptables or for whining about how Patch-O-Matic-ng doesn't work with your kernel source tree.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
> -----Original Message-----
> From: shorewall-users-bounces@lists.shorewall.net
> Behalf Of Tom Eastep
> Sent: Sunday, October 17, 2004 10:51 PM
>
> I've gone out on a limb and added ipp2p/CONNMARK support to the
> Shorewall development thread (CVS Shorewall2).

Great news! Thanks!

I just downloaded latest cvs and installed it. I already have ipp2p and CONNMARK compiled into the kernel and iptables. I'm currently using htb for port/destination based traffic shaping. I have been able to completely turn off p2p/bt traffic using DROP, but that's not really what I want to do. What's needed is load control, not complete lockout.

I just need some pointers on how to set up CONNMARK. I don't seem to understand how to set that up correctly :( The main point I don't seem to understand, I guess, is the difference between the marks set by CONNMARK and MARK...

What I'd like to do is:

1) Mark all ipp2p/bit traffic from net (eth2) to 192.168.0.0/23 with mark 10 (0xa)
2) Mark all ipp2p traffic from masq (eth1) to net with mark 11 (0xb)
3) Mark all bit traffic from masq (eth1) to net with mark 12 (0xc)

The actual traffic shaping should be handled by HTB, configured via the htb.init script I already have installed (and is currently working).

Any help would be greatly appreciated.

Sincerely,
Mario

PS: Btw, Tom, I'd be more than happy to help you test this "experiment" :)
Mario R. Pizzolanti wrote:

> I just need some pointers on how to set up CONNMARK. I don't seem to
> understand how to set that up correctly :( The main point I don't seem to
> understand, I guess, is the difference between the marks set by CONNMARK and
> MARK...

I'm sorry but I just don't have time today to teach you how to use MARK and CONNMARK. I'll try to write something up in the next day or two.

-Tom
Tom Eastep wrote:

> I'm sorry but I just don't have time today to teach you how to use MARK
> and CONNMARK. I'll try to write something up in the next day or two.

In the meantime, there are additional changes in the CVS Shorewall2/ tree. This rule from the ipp2p documentation:

    iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT

may be duplicated for outbound traffic in Shorewall with this entry in tcrules:

    CONTINUE:P <internal if> 0.0.0.0/0 - - - - !0

25-word documentation:

    CONNMARK marks the connection
    MARK marks the packet
    SAVE copies the packet mark to the connection mark
    RESTORE copies the connection mark to the packet mark
    Traffic shaping's 'fwmark' classifier uses the packet mark

Good luck:

-Tom
Tom Eastep wrote:

> 25-word documentation:
>
> CONNMARK marks the connection
> MARK marks the packet
> SAVE copies the packet mark to the connection mark
> RESTORE copies the connection mark to the packet mark
> Traffic shaping's 'fwmark' classifier uses the packet mark

And of course, connection mark values persist for the life of the connection while packet marks live only while the packet is being processed. IPP2P marks need to be saved in the connection because only a small subset of the packets involved in a P2P connection can be identified by 'ipp2p' as such.

-Tom
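As an added illustration of the RESTORE / CONTINUE / MARK / SAVE sequence Tom describes (not code from the thread, and not Shorewall's own generated rules), the script below prints the raw iptables mangle rules and tc fwmark filters for the three marks Mario asked for. The interfaces (eth1 masq side, eth2 net side), the 192.168.0.0/23 network and the marks 0xa/0xb/0xc are taken from Mario's message; the chain name p2pmark, the choice of the FORWARD chain, and the htb parent/class ids 1:0 and 1:10-1:12 are assumptions of mine. By default it only echoes the commands; set IPT=iptables and TC=tc in the environment to apply them on a gateway.

```shell
#!/bin/sh
# Added example: iptables mangle rules plus tc filters implementing
# connection-persistent P2P marking. Not from the thread or from Shorewall.
# Assumed: chain name "p2pmark", FORWARD chain, htb classes 1:10/1:11/1:12.
# IPT and TC default to a dry run that prints each command instead of running it.
IPT="${IPT:-echo iptables}"
TC="${TC:-echo tc}"

p2p_mark_rules() {
    $IPT -t mangle -N p2pmark
    # FORWARD (rather than PREROUTING) sees post-DNAT addresses, so the
    # 192.168.0.0/23 destination test below also works for masqueraded replies.
    $IPT -t mangle -A FORWARD -j p2pmark
    # RESTORE: copy the connection mark (if any) onto this packet.
    $IPT -t mangle -A p2pmark -j CONNMARK --restore-mark
    # CONTINUE: a non-zero packet mark means this connection was classified
    # earlier; stop here and skip payload matching for every later packet.
    $IPT -t mangle -A p2pmark -m mark ! --mark 0 -j RETURN
    # MARK: classify by payload. ipp2p only matches a few packets per flow,
    # which is why the result is handed to the connection below.
    $IPT -t mangle -A p2pmark -i eth2 -o eth1 -d 192.168.0.0/23 -p tcp -m ipp2p --ipp2p -j MARK --set-mark 0xa
    $IPT -t mangle -A p2pmark -i eth2 -o eth1 -d 192.168.0.0/23 -p tcp -m ipp2p --bit -j MARK --set-mark 0xa
    $IPT -t mangle -A p2pmark -i eth1 -o eth2 -p tcp -m ipp2p --ipp2p -j MARK --set-mark 0xb
    $IPT -t mangle -A p2pmark -i eth1 -o eth2 -p tcp -m ipp2p --bit -j MARK --set-mark 0xc
    # SAVE: a packet that just received a mark stores it on the connection, so
    # all remaining packets of the flow inherit it through RESTORE above.
    $IPT -t mangle -A p2pmark -m mark ! --mark 0 -j CONNMARK --save-mark
}

# The fwmark classifier: the packet mark (restored on every packet) selects an
# htb class on the egress interface. Inbound P2P (0xa) leaves on eth1 toward
# the LAN; outbound (0xb, 0xc) leaves on eth2. Class ids are assumed; match
# them to what htb.init actually created.
p2p_tc_filters() {
    $TC filter add dev eth1 parent 1:0 protocol ip prio 1 handle 0xa fw flowid 1:10
    $TC filter add dev eth2 parent 1:0 protocol ip prio 1 handle 0xb fw flowid 1:11
    $TC filter add dev eth2 parent 1:0 protocol ip prio 1 handle 0xc fw flowid 1:12
}

p2p_mark_rules
p2p_tc_filters
```

The order inside p2pmark is the whole point: RESTORE must come first so the CONTINUE test sees the saved mark, the ipp2p matches run only for still-unmarked packets, and SAVE runs last so a mark set on this packet outlives it. Because tc's fw classifier reads the packet mark, the RESTORE step is also what makes shaping apply to the packets ipp2p itself never recognised.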
Thanks for your help so far. Attached is my tcrules file with what I've done so far. Am I in the right direction?

Again, thank you for your time!

______________________________
Mario R. Pizzolanti

> -----Original Message-----
> From: shorewall-users-bounces@lists.shorewall.net
> [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
> Sent: Monday, October 18, 2004 10:15 PM
> To: Mailing List for Shorewall Users
> Subject: Re: [Shorewall-users] Shorewall and IPP2P
Mario R. Pizzolanti wrote:

> Thanks for your help so far. Attached is my tcrules file with what I've
> done so far
> Am I in the right direction?

Looks like it. The only suggestion I would make is to add more CONTINUE rules -- remember that EVERY packet goes through these rules so if you can stop early, you save CPU cycles.

-Tom
It's working :) Thanks for your help!

Btw, anyone who wants to get this to work should take into consideration that CONNMARK support in iptables 1.2.9 is broken... (at least in Mandrake) It took me 2 days to figure it out :( iptables 1.2.11 is ok though. If anyone needs iptables 1.2.11 RPMS for Mandrake I'd be more than willing to provide them (you'll still have to patch your own kernel).

Sincerely,
Mario R. Pizzolanti

> -----Original Message-----
> From: shorewall-users-bounces@lists.shorewall.net
> [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
> Sent: 20 October 2004 17:26
> To: Mailing List for Shorewall Users
> Subject: Re: [Shorewall-users] Shorewall and IPP2P