similar to: Debian sarge 2.6.18 Traffic Manager freeze under load ...

Hello, I''ve tried to change ipt_conntrack hashsize and con under my debian charge but doesn''t work ! Ive got 2876Mb available for conntrack so I''ve done (according to some previous mail and this http://www.wallfire.org/misc/netfilter_conntrack_perf.txt) CONNTRACK_MAX = 2876 * 64 = 184064 HASHSIZE = 2876 * 8 = 23002 But the near power of 2 is 2^16 = 131072

Hello I''ve setuped a bridge with l7-filter and ipp2p. We have every day + or - between 10Mbits and 30 Mbits P2P traffic from + or - 450 customers. When traffic increase. I''ve got this kind of error message : Feb 23 14:26:19 gestor1 kernel: printk: 38 messages suppressed. Feb 23 14:26:19 gestor1 kernel: ip_conntrack: table full, dropping packet. The server is celeron

Hello I''ve got a server with 3Gb of ram and I want to keep 256 for the system and allocate the rest to conntrack ... I''ve tried to change the HASHSIZE of the ip_conntrack but dmesg return me this error ! ip_conntrack version 2.4 (2097152 buckets, 16777216 max) - 236 bytes per conntrack ip_conntrack: falling back to vmalloc. .... I''ve use this "math"

Hello, loading conntrack resolve my problem ... layer 7 have got a dependency with conntrack but doesn''t load it automaticaly... so module is loaded but no packets match with l7-protocols ... reported as a bug http://sourceforge.net/tracker/index.php?func=detail&aid=1596065&group_id=80085&atid=558668 regards ArcosCom Linux User a écrit : > With: >

--- Mike Mestnik <cheako911@yahoo.com> wrote: > Date: Fri, 25 Jun 2004 09:51:21 -0700 (PDT) > From: Mike Mestnik <cheako911@yahoo.com> > Subject: Re: IPP2P: Simular project l7-filter. > To: Eicke Friedrich <tady@gmx.net> > > --- Eicke Friedrich <tady@gmx.net> wrote: > > Mike Mestnik wrote: > > > http://sourceforge.net/projects/l7-filter/

Hi all. i'm trying to modify some parameters but when system reboots it doesn't load. For the sysctl if I run sysctl -p then it changes /etc/sysctl.conf net.ipv4.netfilter.ip_conntrack_max = 1048576 /etc/modprobe.conf options ip_conntrack hashsize=131072 after reboot results cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max 65536 cat

... Not so long time ago there was a mail about distros. I made packages of ipp2p and l7-filter for ALT Linux Sisyphus repository -- so, now there is one more PC-oriented distro with both these tools. ... About ncsh: * new docs: http://www.radlinux.org/docs/static/en/ncsh_usecases.html (not proofreaded yet, I''ll send it to Mohan with next mail) * new capability: l7-filter frontend

I am trying to get IPP2P working on my router. Thus far I can see connections being marked (see below), but they don''t seem to get saved or something. When looking at /proc/net/ip_conntrack, nothing has anything other than 0 for mark. The iptables commands for this are: iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j

Hello all, I am having some difficults to make a routing rule work. I want that every P2P packages go to one interface (eth2 - cheaper link) nad the rest of the traffic go to another interface (eth0 - frame relay very expensive). I am using this script to make the mark and balance: ------- #!/bin/bash IPT="/usr/local/sbin/iptables" IP="/sbin/ip" #---- # Declara redes #----

Subject almost says it all, I wonder if there is a way for me to use iptables matches like l7 and/or ipp2p match in a bridge ( one ethernet in and one ethernet out ) ? Regards.

Hello there, I''m having lots of problems with my setup here. Let me explain: I am network administrator for my university dorm. We are about 300 users, and we have 2 ADSL connections doing load balancing with 300kbits upstream and 2Mbit downstream. The load balancing is working great, we are doing connection tracking so I can mark and hence prioritize interactive traffic and ACKS

Hello I''ve setuped a bridge with iptables + layer + ipp2p + tc I don''t know how to shape passive ftp ? If I put rules on port 20, 21 or using layer 7 iptables accounting still empty ... When I done a tcpdump I can see that othe port than 20 or 21 are used ... Any Ideas of how I can achieve this ? Regards

I *think* we are finally making some progress in tracking our elusive performance problems. After employing a second 10Mb link from our ISP, along with another firewall box and proxy, we were able to determine the problem *is* our firewall. We don''t know exactly why yet, but our sporadic slow web access seems to have gone away since swapping a new firewall in this morning. The

http://sourceforge.net/projects/l7-filter/ Providse and posibly replaces your project. Thay use regex(in kernel space) to filter packets in much the same way you do. How ever regex is not going into the kernel! Here is a mail that describes the situation. http://lists.debian.org/debian-firewall/2004/02/msg00051.html Hopefully the l7 ppl will FINALY get a copy, now that I know thay

I had been using L7-Filter[1] successfully for edonkey/eMule traffic until recently. I upgraded to the latest release of mldonkey, 2.5.28a, which implements eMule compatibility, and with support for Kademlia[2] enabled, network latency increases greatly. [1] http://l7-filter.sourceforge.net/ [2] http://www.infoanarchy.org/wiki/wiki.pl?Kademlia Has anyone created a new pattern match for

Hi! How I can use L7-Filter (http://l7-filter.sourceforge.net/) with Shorewall? Thank you very much! Bye. ------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2005. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

--mYCpIKhGyMATD0i+ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Netfilter Core Team Security Advisory =20 CVE: CAN-2003-0187 Subject: Netfilter / Connection Tracking Remote DoS Released: 01 Aug 2003 Effects: Any remote user may be able to DoS a machine

Hi, can anybody comment on the cost of matching with IPP2P vs. Layer7. Also, does a iptables rule with more complicated matching mechanism also slow down processing if all the packets are matched before they reach the rule. I.e. is the mere existence of a potentially costly rule already slowing down processing or only if packets are actually processed by it? Thanks very much in advance.

HI I have a bridge running ipp2p blocking Ares traffic and others protocols. This bridge works fine buts since two weeks can''t block Ares traffic. All protocols block fine but Ares not (upload and download). Somebody are using ipp2p blocking the latest Ares version ? My system settings are: kernel : 2.6.13 iptables: 1.3.3 ipp2p: 0.81 rc1 iptables -L -v output: Chain FORWARD

hi all, I''m writing not for technical problems but for a simple question. Do You know if there is a distro which is ready for traffic shaping etc. ''out of the box''? I mean a distro which does not require patching the kernel and/or iptables and/or installing from source etc. and gives the user most of the tools needed (imq, ipp2p, l7filter and so on). many thanks