LeTene (Guru)
Joined: 02 Mar 2004 Posts: 348 Location: Ah'll glass ye!
Posted: Thu Jan 20, 2005 9:11 pm
It's worth a quick mention that the L7 filtering is now working for the 2.6.10 series kernels - a much more elegant solution to protocol filtering...just emerge l7-filter.
_________________ Docs, Tips & Tricks at the Gentoo Wiki page.

ranmakun (Guru)
Joined: 06 Nov 2002 Posts: 372 Location: Buenos Aires - Argentina
Posted: Sat Feb 05, 2005 8:48 pm
I'm having problems with HTB, I've created very simple rules to test this and it doesn't work, here's what I'm using:
Code: |
#!/bin/bash
INTERFACE='eth0'
TC='/sbin/tc'
#reset everything
iptables --flush --table mangle
$TC qdisc del dev $INTERFACE root 2> /dev/null > /dev/null
#rules
$TC qdisc add dev $INTERFACE root handle 1: htb default 20
$TC class add dev $INTERFACE parent 1: classid 1:1 htb rate 100kbit
$TC class add dev $INTERFACE parent 1:1 classid 1:10 htb rate 92kbit ceil 100kbit prio 0
$TC class add dev $INTERFACE parent 1:1 classid 1:20 htb rate 32kbit ceil 100kbit prio 1
$TC qdisc add dev $INTERFACE parent 1:10 handle 10: sfq perturb 10
$TC qdisc add dev $INTERFACE parent 1:20 handle 20: sfq perturb 10
iptables -t mangle -A POSTROUTING -o eth0 -p tcp --dport 80 -j CLASSIFY --set-class 1:10
#I've also tried with the following line instead of iptables
#tc filter add dev eth0 parent 1: protocol ip u32 match ip dport 80 0xffff flowid 1:10
|
That is, everything goes to 1:20 except web traffic that goes to 1:10
But it doesn't work, I get the following output from "tc -s class show dev eth0":
Quote: |
class htb 1:1 root rate 100000bit ceil 100000bit burst 1611b cburst 1611b
Sent 1996470 bytes 5057 pkts (dropped 0, overlimits 0)
rate 86312bit 25pps
lended: 3167 borrowed: 0 giants: 0
tokens: 24496 ctokens: 24496
class htb 1:10 parent 1:1 leaf 10: prio 0 rate 92000bit ceil 100000bit burst 1610b cburst 1611b
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
lended: 0 borrowed: 0 giants: 0
tokens: 143448 ctokens: 132055
class htb 1:20 parent 1:1 leaf 20: prio 1 rate 32000bit ceil 00000bit burst 1603b cburst 1611b
Sent 1996470 bytes 5057 pkts (dropped 0, overlimits 0)
rate 87024bit 26pps
lended: 1890 borrowed: 3167 giants: 0
tokens: -171904 ctokens: 24496
|
No matter how much I surf the web, 1:10 doesn't fill with anything.
I also didn't understand why, to classify web traffic, the author of this thread used source port 80; if traffic is outgoing it should be destination port, I think. Anyway, in case you ask, I've tried both source and destination in my tests, but neither of them works. Any ideas? I don't know what else to try; I've also tried other ways of doing it and can't find a solution. Thank you.
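The class dump above can be read mechanically rather than by eye. What follows is an added example, not code from the thread: a small POSIX sh/awk parser for `tc -s class show` output that lists bytes per class, each leaf's share of the root class total, and any leaf that has never sent a byte (the symptom in this post, where everything lands in the default class). The sample input is the dump posted above, embedded as a constructed string; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise "tc -s class show dev IFACE"
# so that a leaf class carrying nothing stands out at a glance instead of being
# read off the raw counters. POSIX sh + awk only.

# Constructed sample: the class dump posted above, captured into a variable
# the way "$(tc -s class show dev eth0)" would capture it on a live box.
SAMPLE_TC_OUTPUT='class htb 1:1 root rate 100000bit ceil 100000bit burst 1611b cburst 1611b
 Sent 1996470 bytes 5057 pkts (dropped 0, overlimits 0)
 rate 86312bit 25pps
 lended: 3167 borrowed: 0 giants: 0
 tokens: 24496 ctokens: 24496
class htb 1:10 parent 1:1 leaf 10: prio 0 rate 92000bit ceil 100000bit burst 1610b cburst 1611b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 143448 ctokens: 132055
class htb 1:20 parent 1:1 leaf 20: prio 1 rate 32000bit ceil 00000bit burst 1603b cburst 1611b
 Sent 1996470 bytes 5057 pkts (dropped 0, overlimits 0)
 rate 87024bit 26pps
 lended: 1890 borrowed: 3167 giants: 0
 tokens: -171904 ctokens: 24496'

# htb_class_stats DUMP -> one line per class: "classid kind bytes pkts dropped".
# kind is root, inner or leaf, taken from the "class htb ..." header line.
htb_class_stats() {
    printf '%s\n' "$1" | awk '
        $1 == "class" && $2 == "htb" {
            id = $3
            kind = ($4 == "root") ? "root" : (($6 == "leaf") ? "leaf" : "inner")
        }
        $1 == "Sent" {
            dropped = $7; sub(/,$/, "", dropped)
            print id, kind, $2, $4, dropped
        }'
}

# htb_idle_leaves DUMP -> classids of leaf classes that never sent a byte
htb_idle_leaves() {
    htb_class_stats "$1" | awk '$2 == "leaf" && $3 == 0 { print $1 }'
}

# htb_leaf_share DUMP -> "classid percent" of the root class total for each
# leaf; a single leaf at 100% means every packet fell through to the default.
htb_leaf_share() {
    htb_class_stats "$1" | awk '
        $2 == "root" { total = $3 }
        $2 == "leaf" { bytes[$1] = $3; order[++n] = $1 }
        END {
            for (i = 1; i <= n; i++) {
                pct = (total > 0) ? int(bytes[order[i]] * 100 / total) : 0
                print order[i], pct
            }
        }'
}

# Stand-alone run: report on the sample (swap in "$(tc -s class show dev eth0)").
echo "per-class stats:";         htb_class_stats "$SAMPLE_TC_OUTPUT"
echo "leaf share of root bytes:"; htb_leaf_share "$SAMPLE_TC_OUTPUT"
echo "idle leaves:";             htb_idle_leaves "$SAMPLE_TC_OUTPUT"
```

On the sample the report shows 1:20 carrying 100% of the root's bytes and 1:10 idle, which says the filter or the iptables rule is never matching; the tc tree itself is fine. Running the same parser in a loop (or under `watch`) while generating traffic shows whether a rule change moves bytes between leaves.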

j-kidd (Apprentice)
Joined: 20 Feb 2003 Posts: 213
Posted: Sat Feb 05, 2005 10:33 pm
Try to use prio 1 and prio 2 instead of prio 0 and prio 1. I have tried prio 0 with tc filter as suggested by some websites, but it didn't work. I suspect prio 0 won't work with tc class too.

DeathAndTaxes (Tux's lil' helper)
Joined: 27 Mar 2003 Posts: 124
Posted: Sun Feb 06, 2005 5:46 am
ranmakun wrote: | I'm having problems with HTB, I've created very simple rules to test this and it doesn't work, here's what I'm using:
[code]
#!/bin/bash
INTERFACE='eth0'
TC='/sbin/tc'
#reset everything
iptables --flush --table mangle
$TC qdisc del dev $INTERFACE root 2> /dev/null > /dev/null
#rules
$TC qdisc add dev $INTERFACE root handle 1: htb default 20
$TC class add dev $INTERFACE parent 1: classid 1:1 htb rate 100kbit
$TC class add dev $INTERFACE parent 1:1 classid 1:10 htb rate 92kbit ceil 100kbit prio 0
$TC class add dev $INTERFACE parent 1:1 classid 1:20 htb rate 32kbit ceil 100kbit prio 1
$TC qdisc add dev $INTERFACE parent 1:10 handle 10: sfq perturb 10
$TC qdisc add dev $INTERFACE parent 1:20 handle 20: sfq perturb 10
iptables -t mangle -A POSTROUTING -o eth0 -p tcp --dport 80 -j CLASSIFY --set-class 1:10 |
Instead of using the iptables -j CLASSIFY --set-class option, have you tried the -j MARK --set-mark option? Also, I'm thinking you don't need to --set-class 1:10, but rather just --set-class 10. Perhaps the CLASSIFY target isn't working for you, while I've never seen the MARK target not work (I'm assuming that both the kernels are configured correctly...If you didn't have CLASSIFY target support, iptables would let you know).
The more I think about it, the more I think you need to just set --set-class 10.

DeathAndTaxes (Tux's lil' helper)
Joined: 27 Mar 2003 Posts: 124
Posted: Sun Feb 06, 2005 5:50 am
j-kidd wrote: | Try to use prio 1 and prio 2 instead of prio 0 and prio 1. I have tried prio 0 with tc filter as suggested by some websites, but it didn't work. I suspect prio 0 won't work with tc class too. |
Sorry to double-post like this...I think prio 0 should work just fine...I've always started counting from 0 with tc and it's always worked (been doing this for about 2 years). However, I don't *think* there's any adverse effect of starting from 1 or any other number.

ranmakun (Guru)
Joined: 06 Nov 2002 Posts: 372 Location: Buenos Aires - Argentina
Posted: Sun Feb 06, 2005 3:55 pm
Thanks for your help guys, but I still couldn't solve it.
I've tried different prios, but it's the same. I've also tried marking the packets instead of classifying, but no luck. Also using "10" in the classifier instead of "1:10"; nothing worked.
I've started to investigate things a little closer: "iptables -t mangle -L -v" shows a packet and byte count of zero with both methods of classifying by iptables, so I think the problem is there. But I cannot find why it doesn't do it. I'm doing NAT on this machine, so I thought maybe it wasn't doing anything for the NATed machines, so I tried to generate web traffic on the machine itself using wget and nothing happened. I've also tried deleting all iptables rules and setting all policies to ACCEPT and then using mangle, and it didn't work either. I'm really out of ideas; maybe it's the kernel? The modules?
Kernel version is 2.6.10-gentoo-r4
Code: |
kaori htb # lsmod
Module Size Used by
ip_conntrack_ftp 70928 -
cls_u32 5552 -
ipt_limit 1644 -
ipt_multiport 1516 -
ipt_CLASSIFY 1612 -
ipt_mark 1196 -
ipt_length 1228 -
ipt_MARK 1484 -
cls_fw 2860 -
sch_sfq 4556 -
sch_htb 21356 -
iptable_mangle 1868 -
ipt_state 1324 -
ipt_LOG 5836 -
iptable_nat 20776 -
ip_conntrack 37812 -
iptable_filter 2636 -
ip_tables 14144 -
|

DeathAndTaxes (Tux's lil' helper)
Joined: 27 Mar 2003 Posts: 124
Posted: Sun Feb 06, 2005 5:35 pm
Have you re-emerged both iproute2 and iptables since compiling this kernel? Are your error messages getting suppressed somehow? If it doesn't work, and you're redirecting all the exit messages to /dev/null, you'd not know it.
It could be that the packets are getting marked, but tc isn't configured correctly, or that tc is OK, but the packets are getting marked incorrectly. I think the usual practice is to create a new target in the mangle table and point all traffic that's destined out $INTERNET_INTERFACE to that new table, then mark the packets there. You *should* be able to mark them wherever (including the POSTROUTING section), but it is a bit easier to maintain if you build another TARGET.
There are a few utilities you can use to look at the packets as they pass to your interface(s). I think ethereal can do this, but I've never used it.
You can also try changing the default class in your $TC ... root handle ... line. Change that on the fly in one window and `watch -n1 /sbin/tc -s qdisc show dev eth0` in another window and see if the traffic starts changing to different filters.
I also try to avoid using tc with the u32 match whenever I can. I try to handle just marking in iptables and only use tc to do its thing based on marks. I've found that tc and ip both can be really, uhm, crashy when something weird happens (try setting up two routes and have a packet match positively in the ruleset for both routes...Your box will probably stop responding to traffic).
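One way to build the layout this post describes (a separate mangle chain that only marks, a tc `fw` filter that classifies by mark) without hiding tc or iptables errors behind /dev/null. This is an added example, not code from the thread or from any project: the chain name SHAPE, the mark value 1, the class numbers and the default rates are assumptions made for the example. The commands are generated as text first, so the plan can be inspected or tested, and are then fed through `sh -e -x`, which prints each call and stops at the first failure instead of swallowing it; the teardown checks whether a qdisc or chain exists before deleting it rather than running `del` blindly.

```shell
#!/bin/sh
# Added example, not code from the thread. Mark-based HTB setup: a dedicated
# mangle chain (SHAPE is an arbitrary name) marks outbound web flows, a tc "fw"
# filter maps the mark onto a leaf class, and nothing is sent to /dev/null, so
# a failing tc or iptables call is seen. Mark 1 and the class ids are choices
# for this example. Applying it needs root; planning does not.

# shaper_commands IFACE LINK_KBIT WEB_KBIT -> prints the commands, one per line.
# Matching happens where the packet leaves (-o IFACE): on the upstream
# interface web flows have dport 80/443; on a LAN-facing interface the same
# flows carry sport 80 instead.
shaper_commands() {
    iface=$1
    link=$2
    web=$3
    [ "$web" -gt 0 ] && [ "$web" -lt "$link" ] || {
        echo "shaper_commands: WEB_KBIT must be between 1 and LINK_KBIT-1" >&2
        return 1
    }
    bulk=$((link - web))
    cat <<EOF
tc qdisc add dev $iface root handle 1: htb default 20
tc class add dev $iface parent 1: classid 1:1 htb rate ${link}kbit
tc class add dev $iface parent 1:1 classid 1:10 htb rate ${web}kbit ceil ${link}kbit prio 1
tc class add dev $iface parent 1:1 classid 1:20 htb rate ${bulk}kbit ceil ${link}kbit prio 2
tc qdisc add dev $iface parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $iface parent 1:20 handle 20: sfq perturb 10
tc filter add dev $iface parent 1: protocol ip handle 1 fw flowid 1:10
iptables -t mangle -N SHAPE
iptables -t mangle -A SHAPE -p tcp --dport 80 -j MARK --set-mark 1
iptables -t mangle -A SHAPE -p tcp --dport 443 -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -o $iface -j SHAPE
EOF
}

# shaper_teardown IFACE: remove only what is there. The redirect on "-nL SHAPE"
# is an existence test for the chain, not error suppression of the deletes.
shaper_teardown() {
    iface=$1
    if tc qdisc show dev "$iface" | grep -q '^qdisc htb 1:'; then
        tc qdisc del dev "$iface" root
    fi
    if iptables -t mangle -nL SHAPE >/dev/null 2>&1; then
        iptables -t mangle -D POSTROUTING -o "$iface" -j SHAPE
        iptables -t mangle -F SHAPE
        iptables -t mangle -X SHAPE
    fi
}

# apply_shaper IFACE LINK_KBIT WEB_KBIT: run the plan under "sh -e -x" so every
# command is echoed and the first failing one aborts the run visibly.
apply_shaper() {
    shaper_teardown "$1"
    shaper_commands "$@" | sh -e -x
}

# Stand-alone: "plan" prints the commands; "apply" installs them (as root).
case "${1:-plan}" in
    plan)  shaper_commands "${2:-eth0}" "${3:-100}" "${4:-64}" ;;
    apply) apply_shaper "${2:-eth0}" "${3:-100}" "${4:-64}" ;;
    *)     echo "usage: $0 [plan|apply] [iface] [link_kbit] [web_kbit]" >&2; exit 2 ;;
esac
```

With the plan printed and checked, `apply eth0 100 64` installs it; `iptables -t mangle -L SHAPE -v -n` then shows per-rule packet counters, and `tc -s class show dev eth0` shows whether 1:10 is receiving the marked flows, which separates "not marked" from "marked but not classified" as the post suggests.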

BeFalou (n00b)
Joined: 26 May 2003 Posts: 45 Location: Madrid
Posted: Tue Feb 22, 2005 12:12 am
Hi,
I've been trying to get this all day but I'm starting to think that what I want is not possible. I want to do traffic shaping to get something like Upload Speed Sense, which is a feature present in some emule mods but not in amule, and it consists of giving two values (Min and Max) for the upload rate; the program itself moves between those values so that you can surf and do internet stuff pretty fast. Since I'm on 512/128 I need to set an upload rate of at least 10kb/s, but if I do that my downloads are slowed down too. That's why I need traffic shaping.
I first tried the script that LeTene posted (modified for my purposes):
Code: |
#!/bin/bash
# Zap the iptables mangle queue
iptables -t mangle -F
# Egress device
OUT=eth0
# Flow rates
MAX=100mbit
BT_MAX=90kbit
# Application names (for "marking")
BT_APP=qtorrent
# Delete existing shaping
tc qdisc del dev $OUT root
# ===========
# Our classes
# ===========
# Top
tc qdisc add dev $OUT root handle 1: htb default 30
tc class add dev $OUT parent 1: classid 1:1 htb rate $MAX
tc class add dev $OUT parent 1:1 classid 1:10 htb rate $MAX
tc class add dev $OUT parent 1:1 classid 1:20 htb rate $BT_MAX ceil $BT_MAX
tc class add dev $OUT parent 1:1 classid 1:30 htb rate $MAX ceil $MAX
# Rehashing
tc qdisc add dev $OUT parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $OUT parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev $OUT parent 1:30 handle 30: sfq perturb 10
# ===================
# the magic begins...
# ===================
# Bittorrent
iptables -t mangle -A OUTPUT -m owner --cmd-owner $BT_APP -j MARK --set-mark 2
tc filter add dev $OUT protocol ip parent 1:0 handle 2 fw flowid 1:20
|
It worked great, but then I realized that my downloads in aMule were slower. That could be because for amule my connection is 90kbits/s and its upload limit (inside the program) is almost that, so it's like it was using all the available upload bandwidth for uploading (with the negative effect on downloads). I'm not sure if that's correct.
What I've been trying since then is to only limit the traffic from the upload amule port (let's call it $APP_PORT). I basically tried two different ways, changing from the comment "the magic begins":
1.- Removing the last 2 lines and using: Code: | tc filter add dev $OUT parent 1:0 protocol ip u32 match ip sport $APP_PORT 0xffff flowid 1:20 |
2.- Removing the last 2 lines and using: Code: | iptables -t mangle -A POSTROUTING -p tcp --sport $APP_PORT -j CLASSIFY --set-class 1:20 |
Neither of them worked as expected; my inet connection was almost dead all the time.
I need help with this; I don't know if what I'm trying to do is the best way or even possible. Any suggestion will be greatly appreciated.

kaksi (Tux's lil' helper)
Joined: 21 May 2004 Posts: 125
Posted: Sun May 15, 2005 9:24 am
I can't seem to get the incoming bandwidth (download) caught by my script. I do not want to shape the download speed, but I want to use it for statistics.
Here is a part of my script:
Code: |
#Classes
# eth0
tc qdisc add dev eth0 root handle 1: htb default 30
tc class add dev eth0 parent 1: classid 1:1 htb rate 9Mbit burst 6k
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 9Mbit burst 6k prio 1
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 8Mbit burst 6k prio 2
tc class add dev eth0 parent 1:1 classid 1:30 htb rate 8Mbit burst 6k prio 3
tc class add dev eth0 parent 1:1 classid 1:40 htb rate 8Mbit burst 6k prio 4
tc class add dev eth0 parent 1:1 classid 1:50 htb rate 8Mbit burst 6k prio 5
tc class add dev eth0 parent 1:1 classid 1:60 htb rate 8Mbit burst 6k prio 6
tc class add dev eth0 parent 1:1 classid 1:70 htb rate 8Mbit burst 6k prio 7
tc class add dev eth0 parent 1:1 classid 1:80 htb rate 8Mbit burst 6k prio 8
tc class add dev eth0 parent 1:1 classid 1:90 htb rate 8Mbit burst 6k prio 9
tc class add dev eth0 parent 1:1 classid 1:100 htb rate 8Mbit burst 6k prio 10
tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev eth0 parent 1:30 handle 30: sfq perturb 10
tc qdisc add dev eth0 parent 1:40 handle 40: sfq perturb 10
tc qdisc add dev eth0 parent 1:50 handle 50: sfq perturb 10
tc qdisc add dev eth0 parent 1:60 handle 60: sfq perturb 10
tc qdisc add dev eth0 parent 1:70 handle 70: sfq perturb 10
tc qdisc add dev eth0 parent 1:80 handle 80: sfq perturb 10
tc qdisc add dev eth0 parent 1:90 handle 90: sfq perturb 10
tc qdisc add dev eth0 parent 1:100 handle 100: sfq perturb 10
#eth1
tc qdisc add dev eth1 root handle 2: htb default 30
tc class add dev eth1 parent 2: classid 2:1 htb rate 99Mbit burst 6k
tc class add dev eth1 parent 2:1 classid 2:10 htb rate 99Mbit burst 6k prio 1
tc class add dev eth1 parent 2:1 classid 2:20 htb rate 99Mbit burst 6k prio 2
tc class add dev eth1 parent 2:1 classid 2:30 htb rate 99Mbit burst 6k prio 3
tc class add dev eth1 parent 2:1 classid 2:40 htb rate 99Mbit burst 6k prio 4
tc class add dev eth1 parent 2:1 classid 2:50 htb rate 99Mbit burst 6k prio 5
tc class add dev eth1 parent 2:1 classid 2:60 htb rate 99Mbit burst 6k prio 6
tc class add dev eth1 parent 2:1 classid 2:70 htb rate 99Mbit burst 6k prio 7
tc class add dev eth1 parent 2:1 classid 2:80 htb rate 99Mbit burst 6k prio 8
tc class add dev eth1 parent 2:1 classid 2:90 htb rate 99Mbit burst 6k prio 9
tc class add dev eth1 parent 2:1 classid 2:100 htb rate 99Mbit burst 6k prio 10
tc qdisc add dev eth1 parent 2:10 handle 10: sfq perturb 10
tc qdisc add dev eth1 parent 2:20 handle 20: sfq perturb 10
tc qdisc add dev eth1 parent 2:30 handle 30: sfq perturb 10
tc qdisc add dev eth1 parent 2:40 handle 40: sfq perturb 10
tc qdisc add dev eth1 parent 2:50 handle 50: sfq perturb 10
tc qdisc add dev eth1 parent 2:60 handle 60: sfq perturb 10
tc qdisc add dev eth1 parent 2:70 handle 70: sfq perturb 10
tc qdisc add dev eth1 parent 2:80 handle 80: sfq perturb 10
tc qdisc add dev eth1 parent 2:90 handle 90: sfq perturb 10
tc qdisc add dev eth1 parent 2:100 handle 100: sfq perturb 10
|
This script is located at my server that acts as a bridge between my network and my internet connection. Here is a sample output of what happens when I download a 100MB file from a server on the net:
Code: |
13:22:29 up 1:11, 3 users, load average: 2.38, 1.34, 0.59
Interval Cumulated Total
Dev Classid Tokens Ctokens Rate Speed Send Send
-------------------------------------------------------------------------
eth0 1:1 5535 2423 83.78KB 23.76KB/s 240.18KB 1.22MB2KB
eth0 1:10 5535 2423 18.92KB 2.10KB/s 29.19KB 183.08KB
eth0 1:100 6291 2662 0B 0B/s 0B 0B
eth0 1:20 6291 2662 0B 0B/s 0B 0B
eth0 1:30 6226 2597 71.11KB 21.66KB/s 210.99KB 1.04MB4KB
eth0 1:40 6291 2662 0B 0B/s 0B 0B
eth0 1:50 6291 2662 0B 0B/s 0B 0B
eth0 1:60 6291 2662 0B 0B/s 0B 0B
eth0 1:70 6291 2662 0B 0B/s 0B 0B
eth0 1:80 6291 2662 0B 0B/s 0B 0B
eth0 1:90 6291 2662 0B 0B/s 0B 0B
eth1 2:1 383 1032 3.11KB 1.00MB/s 9.71MB 49.45MB
eth1 2:10 502 1151 9.62KB 1.80KB/s 27.20KB 74.46KB
eth1 2:100 507 1156 0B 0B/s 0B 0B
eth1 2:20 494 1143 488B 0B/s 469B 3.07KB
eth1 2:30 503 1152 6.72KB 40B/s 1.73KB 334.38KB
eth1 2:40 507 1156 0B 0B/s 0B 0B
eth1 2:50 383 1032 3.67KB 1.00MB/s 9.67MB 49.01MB
eth1 2:60 507 1156 0B 0B/s 0B 0B
eth1 2:70 360 1009 4.83KB 1.15KB/s 11.93KB 46.71KB
eth1 2:80 507 1156 0B 0B/s 0B 0B
eth1 2:90 507 1156 0B 0B/s 0B 0B
|
As can be seen, the traffic from the net to eth0 (NIC connected to the internet) cannot be seen. But the traffic from the server (eth1) to my internal computer that downloads the file can be seen.
Is there any way I can make this traffic be seen at eth0? Or is that not possible? Is it only outgoing traffic that can be monitored?

opentaka (l33t)
Joined: 18 Feb 2005 Posts: 840 Location: Japan
Posted: Sun May 15, 2005 2:42 pm
Interesting.
But I guess this thing will limit the whole interface instead of by application only.
It will be more than nice if someone can write how to limit the bandwidth by application, though.
_________________ "Being defeated is often a temporary condition. Giving up is what makes it permanent" - Marilyn vos Savant

DeathAndTaxes (Tux's lil' helper)
Joined: 27 Mar 2003 Posts: 124
Posted: Sun May 15, 2005 4:50 pm
kaksi wrote: | Is there anyway I can make this traffic be seen at eth0? Or is that not possible? Is it only outgoing traffic that can be montored? |
If I understand it correctly, tc only works on traffic being sent, not on received traffic. If you set up a couple of IMQ devices, you could bend your traffic coming from the internet (on eth0, right?) to one of your IMQ devices, classifying it as it goes, and get nice stats if you need them.
Alternatively, you could mark the packets with iptables as they come in, and then count the packets with iptables and get your stats off of that with an iptables -t mangle -L WHATEVERYOURTABLEISCALLED -v -n.

bookstack (Apprentice)
Joined: 27 Feb 2004 Posts: 245
Posted: Sun May 15, 2005 9:48 pm
Is there any way to shape the traffic more delicately?
For example, limit the dl/ul bandwidth according to the user, time, application ...

DeathAndTaxes (Tux's lil' helper)
Joined: 27 Mar 2003 Posts: 124
Posted: Sun May 15, 2005 10:40 pm
bookstack wrote: | Is there anyway to shape the traffic more dedicately ?
For example, limit the dl/ul bandwidth according the user, time, application ... |
Yes, the trick is getting the right patch(es) for iptables. I know there are patches for time of day, and I know there's some patches for p2p traffic. The term 'application' is a bit esoteric...Your router is only interested in ips and ports for the most part...It won't know if you're browsing with konqueror or firefox, just it sees port 80 traffic.
I think there's some per-user stuff that's relatively new, but I'm not familiar with it myself.
I'd look at www.lartc.org and google around its mailing lists and such. I'm sure there are other people out there who have done/are interested in doing what you want. I'd suggest joining the lartc.org mailing list and posting your questions to it, since those are the guys who do this sort of stuff.

ranmakun (Guru)
Joined: 06 Nov 2002 Posts: 372 Location: Buenos Aires - Argentina
Posted: Sun May 15, 2005 11:09 pm
There is traffic analyzer software that uses iptables to mark the traffic, then you can classify it easily.
I read about it the other day at work and I think I bookmarked it there, tomorrow I'll see if I have the site.

ranmakun (Guru)
Joined: 06 Nov 2002 Posts: 372 Location: Buenos Aires - Argentina
Posted: Mon May 16, 2005 1:22 pm
ranmakun wrote: | There is traffic analyzer software that uses iptables to mark the traffic, then you can classify it easily.
I read about it the other day at work and I think I bookmarked it there, tomorrow I'll see if I have the site. |
Ok, here I found it: http://l7-filter.sourceforge.net/
Quote: |
L7-filter is a classifier for the Linux kernel's Netfilter subsystem that identifies packets based on application layer data. This means that it can classify packets as HTTP, FTP, Gnucleus, eDonkey2000, etc., regardless of port. It complements existing classifiers that match on address, port numbers and so on.
Our intent is for l7-filter to be used in conjunction with Linux QoS to do bandwidth arbitration ("packet shaping").
|
Looks promising, I didn't have time to test it yet.

ranmakun (Guru)
Joined: 06 Nov 2002 Posts: 372 Location: Buenos Aires - Argentina
Posted: Mon May 16, 2005 2:21 pm
Another one: http://rnvs.informatik.uni-leipzig.de/ipp2p/index_en.html
Quote: |
The goal of the IPP2P project is to identify peer-to-peer (P2P) data in IP traffic. For this purpose we extended the iptables/netfilter architecture by a new matching module. Thereby IPP2P integrates itself easily into existing Linux firewalls and its functionality can be used by adding appropriate filter rules.
IPP2P uses suitable search patterns to identify P2P traffic, thus allowing the reliable identification of traffic belonging to many P2P networks. Once identified, one may handle P2P traffic in different ways - dropping such traffic, putting it into low priority classes or shaping to a given bandwidth limit is possible. Reducing costs, freeing network resources and therefore improving network performance is often the result of using IPP2P.
|

tnt (Veteran)
Joined: 27 Feb 2004 Posts: 1221
Posted: Fri Jun 10, 2005 2:43 pm
barberio wrote: | Updated my bandwidth RC script to try to calculate working quantum sizes from the MTU of the device being used. This should get rid of messages like 'HTB: quantum of class 10001 is big. Consider r2q change.' |
It seems that your scripts are missing.
Could you paste them here?
_________________ gentoo user
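The warning quoted from barberio's post comes from arithmetic that can be checked before the classes are loaded. The following is an added example, not barberio's (missing) script: POSIX sh functions that compute the quantum HTB derives from a class rate and the qdisc's r2q, classify it the way the kernel's "small"/"big" checks do, and suggest either an r2q for a given MTU or an explicit per-class `quantum` clause. The thresholds (1000 and 200000 bytes) and the default r2q of 10 are the kernel's; tc's `kbit` means 1000 bit/s; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not barberio's script: the arithmetic behind
# "HTB: quantum of class X is big. Consider r2q change."
# Unless a class is given an explicit "quantum", HTB derives one as
# rate_bytes_per_second / r2q (r2q is a per-qdisc setting, default 10) and
# logs a warning, then clamps, when the result is below 1000 or above 200000
# bytes. tc reads "kbit" as 1000 bit/s. Integer arithmetic only (rounds down).

# htb_quantum RATE_KBIT R2Q -> quantum (bytes) HTB would derive
htb_quantum() {
    [ "$2" -gt 0 ] || { echo "r2q must be positive" >&2; return 1; }
    echo $(( $1 * 1000 / 8 / $2 ))
}

# htb_quantum_warning RATE_KBIT R2Q -> ok | small | big (what the kernel logs)
htb_quantum_warning() {
    q=$(htb_quantum "$1" "$2") || return 1
    if   [ "$q" -gt 200000 ]; then echo big
    elif [ "$q" -lt 1000 ];   then echo small
    else echo ok; fi
}

# htb_r2q_for_mtu RATE_KBIT MTU -> r2q that makes the derived quantum land at
# about one MTU for a class of that rate (never below 1).
htb_r2q_for_mtu() {
    r2q=$(( $1 * 1000 / 8 / $2 ))
    [ "$r2q" -ge 1 ] || r2q=1
    echo "$r2q"
}

# htb_quantum_clause RATE_KBIT R2Q MTU -> "quantum MTU" to append to the
# "tc class add ... htb" line when the derived quantum would warn, else "".
# r2q is shared by every class under one qdisc, so a single r2q cannot suit a
# 100mbit class and a 32kbit class at once; an explicit quantum per class can.
htb_quantum_clause() {
    case "$(htb_quantum_warning "$1" "$2")" in
        ok) echo "" ;;
        *)  echo "quantum $3" ;;
    esac
}

# Stand-alone: the rates used in the scripts above, with the default r2q.
for rate_kbit in 100000 92 32; do
    printf 'rate %skbit r2q 10 -> quantum %s (%s)\n' "$rate_kbit" \
        "$(htb_quantum "$rate_kbit" 10)" "$(htb_quantum_warning "$rate_kbit" 10)"
done
printf 'r2q for 100000kbit and MTU 1500: %s\n' "$(htb_r2q_for_mtu 100000 1500)"
```

With r2q left at 10, a 100mbit class derives a 1250000-byte quantum (the "is big" message), while a 32kbit class derives 400 bytes and gets the matching "is small" warning; an r2q of 8333 fixes the first and makes the second worse, which is why mixed-rate trees are better served by a `quantum` clause on the classes that would warn.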

ranmakun (Guru)
Joined: 06 Nov 2002 Posts: 372 Location: Buenos Aires - Argentina
Posted: Sun Jun 12, 2005 4:06 pm
Two questions:
1. There is an l7-filter ebuild, but I don't see any iptables USE flag to use with it for l7-filter support. Did you patch iptables manually?
2. What did you use to make those graphs?

tnt (Veteran)
Joined: 27 Feb 2004 Posts: 1221
Posted: Sun Jun 12, 2005 5:42 pm
1. You should emerge iptables with the 'extensions' USE flag:
Code: |
titan ~ # emerge -pv iptables
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild R ] net-firewall/iptables-1.2.11-r3 -debug +extensions -ipv6 -static 0 kB
Total size of downloads: 0 kB
titan ~ #
|
But in my case (amd64 system) I had to patch the source manually to solve a bug about a 64-bit integer.
Details here:
https://bugs.gentoo.org/show_bug.cgi?id=88218
2. I use rrdtool (which rulz ) to monitor all of my server activities and later to draw graphs.
_________________ gentoo user

ranmakun (Guru)
Joined: 06 Nov 2002 Posts: 372 Location: Buenos Aires - Argentina
Posted: Sun Jun 12, 2005 7:31 pm
tnt wrote: | 1. you should emerge iptables with 'extensions' use flag
2. I use rrdtool (which rulz ) to monitor all of my server activities and later to draw graphs
|
I see, well, I have a problem with the extensions use flag:
Code: |
[snip]
* WARNING: 3rd party extensions has been enabled.
* This means that iptables will use your currently installed
* kernel in /usr/src/linux as headers for iptables.
*
* You may have to patch your kernel to allow iptables to build.
* Please check http://cvs.iptables.org/patch-o-matic-ng/updates/ for patches
* for your kernel.
>>> Unpacking source...
>>> Unpacking iptables-1.2.11.tar.bz2 to /var/tmp/portage/iptables-1.2.11-r3/work
* Applying grsecurity-1.2.8-iptables.patch.bz2 ... [ ok ]
* Applying install_ipv6_apps.patch.bz2 ... [ ok ]
* Applying install_all_dev_files.patch.bz2 ... [ ok ]
* Applying round-robin.patch ... [ ok ]
* Applying CAN-2004-0986.patch ... [ ok ]
* Applying iptables-1.2.9-imq1.diff.bz2 ... [ ok ]
* Applying iptables-layer7-0.9.0.patch.bz2 ... [ ok ]
>>> Source unpacked.
Making dependencies: please wait...
Something wrong... deleting dependencies.
make: *** [../ipset/libipt_set.h] Error 1
!!! ERROR: net-firewall/iptables-1.2.11-r3 failed.
!!! Function src_compile, Line 91, Exitcode 2
!!! Please check http://cvs.iptables.org/patch-o-matic-ng/updates/ if your kernel needs to be patched for iptables
!!! If you need support, post the topmost build error, NOT this status message.
|
2. I imagined it was rrdtool, but do you use any special tool or do you do it manually? In that case, how do you get the value of each sample for the rrd?

tnt (Veteran)
Joined: 27 Feb 2004 Posts: 1221
Posted: Sun Jun 12, 2005 10:33 pm
Well, I don't know anything about the error you've got, but I'll paste my message to you here for others to see the examples of my scripts.
Quote: |
Hello.
I don't use serverstats (couldn't even open that demo, but never mind).
I don't have a mail server so I didn't have a chance to try to monitor it. I've heard that 'mailgraph' is using rrdtool as a background for mail-server statistics.
I've made rrds with perl scripts like this one:
Code: |
#!/usr/bin/perl -w
#
use RRDs;
# define location of rrdtool databases
my $rrd = '/var/lib/rrd';
if (! -e "$rrd/dns.rrd")
{
print "creating rrd database for dns...\n";
RRDs::create "$rrd/dns.rrd",
"-s 300",
"DS:success:DERIVE:600:0:U",
"DS:referral:DERIVE:600:0:U",
"DS:nxrrset:DERIVE:600:0:U",
"DS:nxdomain:DERIVE:600:0:U",
"DS:recursion:DERIVE:600:0:U",
"DS:failure:DERIVE:600:0:U",
"RRA:AVERAGE:0.5:1:576",
"RRA:AVERAGE:0.9:6:672",
"RRA:AVERAGE:0.9:24:744",
"RRA:AVERAGE:0.9:288:730",
"RRA:AVERAGE:0.9:2016:522";
if ($ERROR = RRDs::error) { print "unable to generate database: $ERROR\n"; }
}
|
After that I've put a line in my crontab to execute the rrd-update script for everything I want to monitor. Just an example for my system-5m.rrd database:
Code: |
#!/usr/bin/perl -w
#
use RRDs;
# define location of rrdtool databases
my $rrd = '/var/lib/rrd';
my $temp_cpu = `cat /sys/devices/platform/i2c-0/0-0290/temp1_input` / 1000;
my $temp_sys = `cat /sys/devices/platform/i2c-0/0-0290/temp2_input` / 1000;
my $fan1 = `cat /sys/devices/platform/i2c-0/0-0290/fan1_input` *1;
my $fan2 = `cat /sys/devices/platform/i2c-0/0-0290/fan2_input` *1;
my $fan3 = `cat /sys/devices/platform/i2c-0/0-0290/fan3_input` *1;
my $voltage_cpu = `cat /sys/devices/platform/i2c-0/0-0290/in0_input` / 1000;
my $voltage_ram = `cat /sys/devices/platform/i2c-0/0-0290/in1_input` / 1000;
my $voltage_33v = `cat /sys/devices/platform/i2c-0/0-0290/in2_input` / 1000;
my $voltage_5v = `cat /sys/devices/platform/i2c-0/0-0290/in3_input` / 1000;
$voltage_5v = 1.68 * $voltage_5v;
my $voltage_12v = `cat /sys/devices/platform/i2c-0/0-0290/in4_input` / 1000;
$voltage_12v = 4 * $voltage_12v;
my $voltage_bat = `cat /sys/devices/platform/i2c-0/0-0290/in8_input` / 1000;
my $cpu0_user = `grep cpu0 /proc/stat > /tmp/proc.stat.moment; cut -d" " -f2 /tmp/proc.stat.moment` *1;
my $cpu0_nice = `cut -d" " -f3 /tmp/proc.stat.moment` *1;
my $cpu0_system = `cut -d" " -f4 /tmp/proc.stat.moment` *1;
my $cpu0_iowait = `cut -d" " -f6 /tmp/proc.stat.moment` *1;
my $cpu0_irq = `cut -d" " -f7 /tmp/proc.stat.moment` *1;
my $cpu0_softirq = `cut -d" " -f8 /tmp/proc.stat.moment` *1;
my $cpu1_user = "U"; my $cpu1_nice = "U"; my $cpu1_system = "U";
my $cpu1_iowait = "U"; my $cpu1_irq = "U"; my $cpu1_softirq = "U";
my $time_1000 = `gawk '/1000000 /{print \$2}'</sys/devices/system/cpu/cpu0/cpufreq/stats/time_in_state` *1;
my $time_1800 = `gawk '/1800000 /{print \$2}'</sys/devices/system/cpu/cpu0/cpufreq/stats/time_in_state` *1;
my $load = `cut -d" " -f2 /proc/loadavg` *1;
my $uptime = `cut -d" " -f1 /proc/uptime` *1;
my $mem_buffers = `/bin/gawk '{if (\$1=="Buffers:") {print(\$2);exit}}'</proc/meminfo` *1;
my $mem_cache = `/bin/gawk '{if (\$1=="Cached:") {print(\$2); exit;}}'</proc/meminfo` *1;
my $mem_app = `/bin/gawk '{if (\$1=="MemTotal:") t=\$2;if (\$1=="MemFree:") f=\$2;if (\$1=="Buffers:") b=\$2;if (\$1=="Cached:") c=\$2;if(\$1=="SwapCached:") exit;}END{print (t-f-b-c)}'</proc/meminfo` *1;
my $swap_total = `/bin/gawk '{if (\$1=="SwapTotal:") t=\$2;if (\$1=="SwapFree:") f=\$2;if (\$1=="Dirty:") exit;}END{print (t-f)}'</proc/meminfo` *1;
my $swap_cached = `/bin/gawk '/SwapCached: /{print \$2}'</proc/meminfo` *1;
my $swaped_in = `grep pswpin /proc/vmstat|cut -d" " -f2` *1;
my $swaped_out = `grep pswpout /proc/vmstat|cut -d" " -f2` *1;
if ($uptime < 601) {
$swaped_in = "U"; $swaped_out = "U"; }
my $dirty_pages = `grep nr_dirty /proc/vmstat|cut -d" " -f2` *1;
my $eth0_in = `ifconfig eth0 |grep bytes|cut -d":" -f2|cut -d" " -f1` *1;
my $eth0_out = `ifconfig eth0 |grep bytes|cut -d":" -f3|cut -d" " -f1` *1;
my $eth1_in = `ifconfig eth1 |grep bytes|cut -d":" -f2|cut -d" " -f1` *1;
my $eth1_out = `ifconfig eth1 |grep bytes|cut -d":" -f3|cut -d" " -f1` *1;
my $eth2_in = `ifconfig eth2 |grep bytes|cut -d":" -f2|cut -d" " -f1` *1;
my $eth2_out = `ifconfig eth2 |grep bytes|cut -d":" -f3|cut -d" " -f1` *1;
my $eth3_in = "U"; my $eth3_out = "U";
if ($uptime < 601) {
$eth0_in = "U"; $eth0_out = "U";
$eth1_in = "U"; $eth1_out = "U";
$eth2_in = "U"; $eth2_out = "U";
$eth3_in = "U"; $eth3_out = "U"; }
my $sda_read = `/bin/gawk '{print \$3}'</sys/block/sda/stat` *1;
my $sda_write = `/bin/gawk '{print \$7}'</sys/block/sda/stat` *1;
my $sdb_read = `/bin/gawk '{print \$3}'</sys/block/sdb/stat` *1;
my $sdb_write = `/bin/gawk '{print \$7}'</sys/block/sdb/stat` *1;
my $sdc_read = `/bin/gawk '{print \$3}'</sys/block/sdc/stat` *1;
my $sdc_write = `/bin/gawk '{print \$7}'</sys/block/sdc/stat` *1;
my $sdd_read = `/bin/gawk '{print \$3}'</sys/block/sdd/stat` *1;
my $sdd_write = `/bin/gawk '{print \$7}'</sys/block/sdd/stat` *1;
if ($uptime < 601) {
$sda_read = "U"; $sda_write = "U";
$sdb_read = "U"; $sdb_write = "U";
$sdc_read = "U"; $sdc_write = "U";
$sdd_read = "U"; $sdd_write = "U";
}
my $temp_sda = `smartctl -A --device=ata /dev/sda|gawk '/194 /{print(\$10)}'` *1;
my $temp_sdb = `smartctl -A --device=ata /dev/sdb|gawk '/194 /{print(\$10)}'` *1;
my $temp_sdc = `smartctl -A --device=ata /dev/sdc|gawk '/194 /{print(\$10)}'` *1;
my $temp_sdd = `smartctl -A --device=ata /dev/sdd|gawk '/194 /{print(\$10)}'` *1;
# insert values into rrd
RRDs::update "$rrd/system-5min.rrd",
"-t", "temp_cpu:temp_sys:temp_sda:temp_sdb:temp_sdc:temp_sdd:fan1:fan2:fan3:voltage_cpu:voltage_ram:voltage_33v:voltage_5v:voltage_12v:voltage_bat:cpu0_user:cpu0_nice:cpu0_system:cpu0_iowait:cpu0_irq:cpu0_softirq:cpu1_user:cpu1_nice:cpu1_system:cpu1_iowait:cpu1_irq:cpu1_softirq:time_1000:time_1800:load:uptime:mem_app:mem_buffers:mem_cache:swap_total:swap_cached:swaped_in:swaped_out:dirty_pages:eth0_in:eth0_out:eth1_in:eth1_out:eth2_in:eth2_out:eth3_in:eth3_out:sda_read:sda_write:sdb_read:sdb_write:sdc_read:sdc_write:sdd_read:sdd_write",
"N:$temp_cpu:$temp_sys:$temp_sda:$temp_sdb:$temp_sdc:$temp_sdd:$fan1:$fan2:$fan3:$voltage_cpu:$voltage_ram:$voltage_33v:$voltage_5v:$voltage_12v:$voltage_bat:$cpu0_user:$cpu0_nice:$cpu0_system:$cpu0_iowait:$cpu0_irq:$cpu0_softirq:$cpu1_user:$cpu1_nice:$cpu1_system:$cpu1_iowait:$cpu1_irq:$cpu1_softirq:$time_1000:$time_1800:$load:$uptime:$mem_app:$mem_buffers:$mem_cache:$swap_total:$swap_cached:$swaped_in:$swaped_out:$dirty_pages:$eth0_in:$eth0_out:$eth1_in:$eth1_out:$eth2_in:$eth2_out:$eth3_in:$eth3_out:$sda_read:$sda_write:$sdb_read:$sdb_write:$sdc_read:$sdc_write:$sdd_read:$sdd_write";
if ($ERROR = RRDs::error) { print "unable to update: $ERROR\n"; }
|
Of course, you can see that I use many different ways to collect the data I'm interested in. Your needs may be different, but I hope you'll get at least some idea of how I do that.
After all that I draw graphs with a .cgi script in my /var/www/localhost/htdocs/monitor, but you have to enable cgi execution in that dir.
That way graphs are made on demand only, and not every 5 minutes, so a lot of CPU power is saved.
Any suggestions/questions are welcome
|
_________________ gentoo user

ranmakun (Guru)
Joined: 06 Nov 2002 Posts: 372 Location: Buenos Aires - Argentina
Posted: Tue Jun 14, 2005 1:20 am
tnt wrote:
Well, I don't know anything about the error you've got, but I'll paste my message to you here so others can see my examples of my scripts.
Well, thank you, this certainly gave me some ideas I could use. Although I don't see where you calculate the kb/s used by p2p, maybe I'm missing something.
The iptables problem was solved by downgrading to a previous version, since upgrading to ~x86 also had problems, a different one but still a problem.
tnt Veteran
Joined: 27 Feb 2004 Posts: 1221
Posted: Tue Jun 14, 2005 1:41 am Post subject:
Well, the situation for p2p is a little bit complicated... I have 3 NICs in the server: LAN, wifi community and internet (eth0, eth1, eth2).
P2P is shaped only for internet, but recorded for wifi too. I don't use IMQ, so I have to limit incoming p2p traffic not at eth2 (the internet iface) but on eth0, the LAN iface. I mark packets coming from the internet (eth2) that are p2p, and when they are queued on eth0 for sending to the client I put them in a slow dequeuing class (by tc). P2P for wifi is something different; there are some allowed and not allowed ports for DC.
Part of the firewall script I use for marking:
Code:
# 4.3 MANGLE table
# FORWARD chain
# PREROUTING chain
$IPTABLES -t mangle -A PREROUTING -i $LAN_IFACE -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m layer7 --l7proto directconnect -j MARK --set-mark 0x102
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -p TCP --sport ! 5444:5453 --dport ! 5444:5453 \
-m mark --mark 0x102 -j MARK --set-mark 0x109
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -p TCP -m multiport --source-port 411,412,4012 \
-m mark --mark 0x109 -j MARK --set-mark 0x102
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -p TCP -m multiport --destination-port 411,412,4012 \
-m mark --mark 0x109 -j MARK --set-mark 0x102
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m mark --mark 0x109 -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "directconnect (input): "
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m mark --mark 0x102 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m mark --mark 0x109 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m layer7 --l7proto fasttrack -j MARK --set-mark 0x101
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m mark --mark 0x101 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m layer7 --l7proto gnutella -j MARK --set-mark 0x103
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m mark --mark 0x103 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m layer7 --l7proto bittorrent -j MARK --set-mark 0x104
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m mark --mark 0x104 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m layer7 --l7proto openft -j MARK --set-mark 0x105
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m mark --mark 0x105 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -p TCP --sport 4200:4700 -m layer7 --l7proto edonkey -j MARK --set-mark 0x106
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m mark --mark 0x106 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m layer7 --l7proto tesla -j MARK --set-mark 0x100
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m mark --mark 0x100 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m layer7 --l7proto mute -j MARK --set-mark 0x100
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m mark --mark 0x100 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m layer7 --l7proto applejuice -j MARK --set-mark 0x100
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m mark --mark 0x100 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m layer7 --l7proto 100bao -j MARK --set-mark 0x100
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m mark --mark 0x100 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m layer7 --l7proto fasttrack -j MARK --set-mark 0x201
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x201 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m layer7 --l7proto directconnect -j MARK --set-mark 0x202
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x202 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m layer7 --l7proto gnutella -j MARK --set-mark 0x203
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x203 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m layer7 --l7proto bittorrent -j MARK --set-mark 0x204
#$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x204 -m limit --limit 3/minute --limit-burst 3 -j LOG \
#--log-level DEBUG --log-prefix "bittorrent: "
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x204 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m layer7 --l7proto openft -j MARK --set-mark 0x205
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x205 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -p TCP --sport 4200:4700 -m layer7 --l7proto edonkey -j MARK --set-mark 0x206
#$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x206 -m limit --limit 3/minute --limit-burst 3 -j LOG \
#--log-level DEBUG --log-prefix "edonkey: "
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x206 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m layer7 --l7proto tesla -j MARK --set-mark 0x200
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x200 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m layer7 --l7proto mute -j MARK --set-mark 0x200
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x200 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m layer7 --l7proto applejuice -j MARK --set-mark 0x200
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x200 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m layer7 --l7proto 100bao -j MARK --set-mark 0x200
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x200 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m layer7 --l7proto poco -j MARK --set-mark 0x200
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x200 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m layer7 --l7proto soribada -j MARK --set-mark 0x200
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x200 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m layer7 --l7proto msn-filetransfer -j MARK --set-mark 0x200
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x200 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -p TCP --sport 1080 -j MARK --set-mark 0x200
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m layer7 --l7proto smtp -j MARK --set-mark 0x207
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x207 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m layer7 --l7proto pop3 -j MARK --set-mark 0x207
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x207 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m layer7 --l7proto imap -j MARK --set-mark 0x207
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x207 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m layer7 --l7proto ftp -j MARK --set-mark 0x207
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x207 -j RETURN
# POSTROUTING chain
$IPTABLES -t mangle -A POSTROUTING -o $LAN_IFACE -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -d 10.0.0.114 -j MARK --set-mark 0x119
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m mark --mark 0x119 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m layer7 --l7proto directconnect -j MARK --set-mark 0x112
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -p TCP --sport ! 5444:5453 --dport ! 5444:5453 \
-m mark --mark 0x112 -j MARK --set-mark 0x119
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -p TCP -m multiport --source-port 411,412,4012 \
-m mark --mark 0x119 -j MARK --set-mark 0x112
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -p TCP -m multiport --destination-port 411,412,4012 \
-m mark --mark 0x119 -j MARK --set-mark 0x112
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m mark --mark 0x119 -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "directconnect (output): "
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m mark --mark 0x112 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m mark --mark 0x119 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m layer7 --l7proto fasttrack -j MARK --set-mark 0x111
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m mark --mark 0x111 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m layer7 --l7proto gnutella -j MARK --set-mark 0x113
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m mark --mark 0x113 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m layer7 --l7proto bittorrent -j MARK --set-mark 0x114
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m mark --mark 0x114 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m layer7 --l7proto openft -j MARK --set-mark 0x115
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m mark --mark 0x115 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -p TCP --dport 4200:4700 -m layer7 --l7proto edonkey -j MARK --set-mark 0x116
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m mark --mark 0x116 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m layer7 --l7proto tesla -j MARK --set-mark 0x110
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m mark --mark 0x110 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m layer7 --l7proto mute -j MARK --set-mark 0x110
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m mark --mark 0x110 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m layer7 --l7proto applejuice -j MARK --set-mark 0x110
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m mark --mark 0x110 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m layer7 --l7proto 100bao -j MARK --set-mark 0x110
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m mark --mark 0x110 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -p TCP --sport 80 -j MARK --set-mark 0x217
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x217 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m layer7 --l7proto fasttrack -j MARK --set-mark 0x211
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x211 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m layer7 --l7proto directconnect -j MARK --set-mark 0x212
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x212 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m layer7 --l7proto gnutella -j MARK --set-mark 0x213
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x213 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m layer7 --l7proto bittorrent -j MARK --set-mark 0x214
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x214 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m layer7 --l7proto openft -j MARK --set-mark 0x215
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x215 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -p TCP --dport 4200:4700 -m layer7 --l7proto edonkey -j MARK --set-mark 0x216
#$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x216 -m limit --limit 3/minute --limit-burst 3 -j LOG \
#--log-level DEBUG --log-prefix "edonkey: "
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x216 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m layer7 --l7proto tesla -j MARK --set-mark 0x210
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x210 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m layer7 --l7proto mute -j MARK --set-mark 0x210
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x210 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m layer7 --l7proto applejuice -j MARK --set-mark 0x210
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x210 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m layer7 --l7proto 100bao -j MARK --set-mark 0x210
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x210 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m layer7 --l7proto poco -j MARK --set-mark 0x210
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x210 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m layer7 --l7proto soribada -j MARK --set-mark 0x210
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x210 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m layer7 --l7proto msn-filetransfer -j MARK --set-mark 0x210
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x210 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -p TCP --dport 1080 -j MARK --set-mark 0x210
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m layer7 --l7proto smtp -j MARK --set-mark 0x217
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x217 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m layer7 --l7proto pop3 -j MARK --set-mark 0x217
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x217 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m layer7 --l7proto imap -j MARK --set-mark 0x217
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x217 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m layer7 --l7proto ftp -j MARK --set-mark 0x217
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x217 -j RETURN
tc scripts used for eth0, eth1 and eth2 are:
Code:
#!/bin/bash
UPLINK=100
P2P=24
PUNISH=80
DEV=eth0
# clear everything that was on the device so far
tc qdisc del dev $DEV root 2> /dev/null > /dev/null
tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null
# create the classes:
tc qdisc add dev $DEV root handle 1: htb default 10 r2q 63
tc class add dev $DEV parent 1: classid 1:1 htb rate ${UPLINK}mbit
tc class add dev $DEV parent 1:1 classid 1:10 htb rate ${UPLINK}mbit prio 1
tc class add dev $DEV parent 1:1 classid 1:20 htb rate ${P2P}kbit prio 2 quantum 1514
tc class add dev $DEV parent 1:1 classid 1:30 htb rate ${PUNISH}kbit prio 3 quantum 1514
tc qdisc add dev $DEV parent 1:10 handle 100: sfq perturb 11
tc qdisc add dev $DEV parent 1:20 handle 200: sfq perturb 13
tc qdisc add dev $DEV parent 1:30 handle 300: sfq perturb 15
# sort packets into classes based on their marks:
tc filter add dev $DEV parent 1:0 protocol ip prio 10 handle 0x201 fw classid 1:20
tc filter add dev $DEV parent 1:0 protocol ip prio 15 handle 0x202 fw classid 1:20
tc filter add dev $DEV parent 1:0 protocol ip prio 20 handle 0x203 fw classid 1:20
tc filter add dev $DEV parent 1:0 protocol ip prio 25 handle 0x204 fw classid 1:20
tc filter add dev $DEV parent 1:0 protocol ip prio 30 handle 0x205 fw classid 1:20
tc filter add dev $DEV parent 1:0 protocol ip prio 35 handle 0x206 fw classid 1:20
tc filter add dev $DEV parent 1:0 protocol ip prio 40 handle 0x200 fw classid 1:20
tc filter add dev $DEV parent 1:0 protocol ip prio 45 handle 0x109 fw classid 1:30
#!/bin/bash
UPLINK=100
P2P=100
PUNISH=80
DEV=eth1
# clear everything that was on the device so far
tc qdisc del dev $DEV root 2> /dev/null > /dev/null
tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null
# create the classes:
tc qdisc add dev $DEV root handle 1: htb default 10 r2q 63
tc class add dev $DEV parent 1: classid 1:1 htb rate ${UPLINK}mbit
tc class add dev $DEV parent 1:1 classid 1:10 htb rate ${UPLINK}mbit prio 1
tc class add dev $DEV parent 1:1 classid 1:20 htb rate ${P2P}mbit prio 2
tc class add dev $DEV parent 1:1 classid 1:30 htb rate ${PUNISH}kbit prio 3 quantum 1514
tc qdisc add dev $DEV parent 1:10 handle 100: sfq perturb 11
tc qdisc add dev $DEV parent 1:20 handle 200: sfq perturb 13
tc qdisc add dev $DEV parent 1:30 handle 300: sfq perturb 15
# sort packets into classes based on their marks:
tc filter add dev $DEV parent 1:0 protocol ip prio 10 handle 0x111 fw classid 1:20
tc filter add dev $DEV parent 1:0 protocol ip prio 15 handle 0x112 fw classid 1:20
tc filter add dev $DEV parent 1:0 protocol ip prio 20 handle 0x113 fw classid 1:20
tc filter add dev $DEV parent 1:0 protocol ip prio 25 handle 0x114 fw classid 1:20
tc filter add dev $DEV parent 1:0 protocol ip prio 30 handle 0x115 fw classid 1:20
tc filter add dev $DEV parent 1:0 protocol ip prio 35 handle 0x116 fw classid 1:20
tc filter add dev $DEV parent 1:0 protocol ip prio 40 handle 0x110 fw classid 1:20
tc filter add dev $DEV parent 1:0 protocol ip prio 45 handle 0x119 fw classid 1:30
#!/bin/bash
UPLINK=100
LOW_PRIO=48
P2P=16
DEV=eth2
# clear everything that was on the device so far
tc qdisc del dev $DEV root 2> /dev/null > /dev/null
tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null
# create the classes:
tc qdisc add dev $DEV root handle 1: htb default 10 r2q 63
tc class add dev $DEV parent 1: classid 1:1 htb rate ${UPLINK}mbit
tc class add dev $DEV parent 1:1 classid 1:10 htb rate ${UPLINK}mbit prio 1
tc class add dev $DEV parent 1:1 classid 1:20 htb rate ${LOW_PRIO}kbit prio 2 quantum 1514
tc class add dev $DEV parent 1:20 classid 1:100 htb rate ${LOW_PRIO}kbit prio 2 quantum 1514
tc class add dev $DEV parent 1:20 classid 1:200 htb rate ${P2P}kbit prio 3 quantum 1514
tc qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 11
tc qdisc add dev $DEV parent 1:100 handle 100: sfq perturb 15
tc qdisc add dev $DEV parent 1:200 handle 200: sfq perturb 13
# sort packets into classes based on their marks:
tc filter add dev $DEV parent 1:0 protocol ip prio 5 handle 0x217 fw classid 1:100
tc filter add dev $DEV parent 1:0 protocol ip prio 10 handle 0x211 fw classid 1:200
tc filter add dev $DEV parent 1:0 protocol ip prio 15 handle 0x212 fw classid 1:200
tc filter add dev $DEV parent 1:0 protocol ip prio 20 handle 0x213 fw classid 1:200
tc filter add dev $DEV parent 1:0 protocol ip prio 25 handle 0x214 fw classid 1:200
tc filter add dev $DEV parent 1:0 protocol ip prio 30 handle 0x215 fw classid 1:200
tc filter add dev $DEV parent 1:0 protocol ip prio 35 handle 0x216 fw classid 1:200
tc filter add dev $DEV parent 1:0 protocol ip prio 40 handle 0x210 fw classid 1:200
and the p2p.rrd update script looks like this:
Code:
#!/usr/bin/perl -w
#
use RRDs;
sleep 2;
# define location of rrdtool databases
my $rrd = '/var/lib/rrd';
my $eth1_in_ft = `iptables -t mangle -L -n -v -x|grep 0x101|grep LAYER7|gawk '{print \$2}'` *1;
my $eth1_out_ft = `iptables -t mangle -L -n -v -x|grep 0x111|grep LAYER7|gawk '{print \$2}'` *1;
my $eth1_in_dc = `iptables -t mangle -L -n -v -x|grep 0x102|grep LAYER7|gawk '{print \$2; exit}'` *1;
my $eth1_out_dc = `iptables -t mangle -L -n -v -x|grep 0x112|grep LAYER7|gawk '{print \$2; exit}'` *1;
my $eth1_in_gnu = `iptables -t mangle -L -n -v -x|grep 0x103|grep LAYER7|gawk '{print \$2}'` *1;
my $eth1_out_gnu = `iptables -t mangle -L -n -v -x|grep 0x113|grep LAYER7|gawk '{print \$2}'` *1;
my $eth1_in_bittor = `iptables -t mangle -L -n -v -x|grep 0x104|grep LAYER7|gawk '{print \$2}'` *1;
my $eth1_out_bittor = `iptables -t mangle -L -n -v -x|grep 0x114|grep LAYER7|gawk '{print \$2}'` *1;
my $eth1_in_oft = `iptables -t mangle -L -n -v -x|grep 0x105|grep LAYER7|gawk '{print \$2}'` *1;
my $eth1_out_oft = `iptables -t mangle -L -n -v -x|grep 0x115|grep LAYER7|gawk '{print \$2}'` *1;
my $eth1_in_edonk = `iptables -t mangle -L -n -v -x|grep 0x106|grep LAYER7|gawk '{print \$2}'` *1;
my $eth1_out_edonk = `iptables -t mangle -L -n -v -x|grep 0x116|grep LAYER7|gawk '{print \$2}'` *1;
my $eth1_in_rest = `iptables -t mangle -L -n -v -x|grep 0x100|grep LAYER7|gawk 'BEGIN{sum=0}{sum+=\$2}END{print sum}'` *1;
my $eth1_out_rest = `iptables -t mangle -L -n -v -x|grep 0x110|grep LAYER7|gawk 'BEGIN{sum=0}{sum+=\$2}END{print sum}'` *1;
my $eth2_in_ft = `iptables -t mangle -L -n -v -x|grep 0x201|grep LAYER7|gawk '{print \$2}'` *1;
my $eth2_out_ft = `iptables -t mangle -L -n -v -x|grep 0x211|grep LAYER7|gawk '{print \$2}'` *1;
my $eth2_in_dc = `iptables -t mangle -L -n -v -x|grep 0x202|grep LAYER7|gawk '{print \$2}'` *1;
my $eth2_out_dc = `iptables -t mangle -L -n -v -x|grep 0x212|grep LAYER7|gawk '{print \$2}'` *1;
my $eth2_in_gnu = `iptables -t mangle -L -n -v -x|grep 0x203|grep LAYER7|gawk '{print \$2}'` *1;
my $eth2_out_gnu = `iptables -t mangle -L -n -v -x|grep 0x213|grep LAYER7|gawk '{print \$2}'` *1;
my $eth2_in_bittor = `iptables -t mangle -L -n -v -x|grep 0x204|grep LAYER7|gawk '{print \$2}'` *1;
my $eth2_out_bittor = `iptables -t mangle -L -n -v -x|grep 0x214|grep LAYER7|gawk '{print \$2}'` *1;
my $eth2_in_oft = `iptables -t mangle -L -n -v -x|grep 0x205|grep LAYER7|gawk '{print \$2}'` *1;
my $eth2_out_oft = `iptables -t mangle -L -n -v -x|grep 0x215|grep LAYER7|gawk '{print \$2}'` *1;
my $eth2_in_edonk = `iptables -t mangle -L -n -v -x|grep 0x206|grep LAYER7|gawk '{print \$2}'` *1;
my $eth2_out_edonk = `iptables -t mangle -L -n -v -x|grep 0x216|grep LAYER7|gawk '{print \$2}'` *1;
my $eth2_in_rest = `iptables -t mangle -L -n -v -x|grep 0x200|grep LAYER7|gawk 'BEGIN{sum=0}{sum+=\$2}END{print sum}'` *1;
my $eth2_out_rest = `iptables -t mangle -L -n -v -x|grep 0x210|grep LAYER7|gawk 'BEGIN{sum=0}{sum+=\$2}END{print sum}'` *1;
my $uptime = `cut -d" " -f1 /proc/uptime` *1;
if ($uptime > 600) {
# insert values into rrd
RRDs::update "$rrd/p2p.rrd",
"-t", "eth1_in_ft:eth1_out_ft:eth1_in_dc:eth1_out_dc:eth1_in_gnu:eth1_out_gnu:eth1_in_bittor:eth1_out_bittor:eth1_in_oft:eth1_out_oft:eth1_in_edonk:eth1_out_edonk:eth1_in_rest:eth1_out_rest:eth2_in_ft:eth2_out_ft:eth2_in_dc:eth2_out_dc:eth2_in_gnu:eth2_out_gnu:eth2_in_bittor:eth2_out_bittor:eth2_in_oft:eth2_out_oft:eth2_in_edonk:eth2_out_edonk:eth2_in_rest:eth2_out_rest",
"N:$eth1_in_ft:$eth1_out_ft:$eth1_in_dc:$eth1_out_dc:$eth1_in_gnu:$eth1_out_gnu:$eth1_in_bittor:$eth1_out_bittor:$eth1_in_oft:$eth1_out_oft:$eth1_in_edonk:$eth1_out_edonk:$eth1_in_rest:$eth1_out_rest:$eth2_in_ft:$eth2_out_ft:$eth2_in_dc:$eth2_out_dc:$eth2_in_gnu:$eth2_out_gnu:$eth2_in_bittor:$eth2_out_bittor:$eth2_in_oft:$eth2_out_oft:$eth2_in_edonk:$eth2_out_edonk:$eth2_in_rest:$eth2_out_rest";
if ($ERROR = RRDs::error) { print "unable to update: $ERROR\n"; }
}
I hope you'll find your way through all this mess.
If you get stuck, do not hesitate to ask!
_________________ gentoo user
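The p2p.rrd script above only stores raw byte totals scraped from `iptables -t mangle -L -n -v -x` with per-mark grep/gawk chains; the kb/s figure ranmakun asked about is the difference between two such samples divided by the interval. The following is an added example, not code from this thread or its poster: a line-by-line parser for that listing that sums the byte counters of every layer7 marking rule per mark (so a shared mark such as 0x200 automatically collects all the "rest" protocols, and a `mark match` rule or a longer mark value can no longer be picked up by a bare `grep 0x101`), plus a rate function that refuses to produce a bogus spike when a counter went backwards because the firewall script re-ran. The two listings are constructed in the column layout iptables prints with `-v -x`; they were not captured from the poster's box, and the function names are my own.

```python
"""Per-mark byte counters from `iptables -t mangle -L -n -v -x`, and kbit/s
between two samples.  Added example; sample listings are constructed."""
import re

# One rule line that both matched on layer7 and set a mark.  Selecting only
# these lines is what the poster's `grep LAYER7` does, but per line, so a mark
# such as 0x101 cannot match a 'mark match 0x101' RETURN rule or a longer mark.
_L7_MARK_RULE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+MARK\s+.*?"
    r"LAYER7 l7proto (?P<proto>\S+).*?MARK set (?P<mark>0x[0-9a-fA-F]+)"
)

# Constructed sample listing: first sample (columns as printed with -v -x).
SAMPLE_T0 = """\
Chain PREROUTING (policy ACCEPT 1000 packets, 500000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    9000    4000000 RETURN     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
     300     900000 MARK       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto fasttrack MARK set 0x101
     120     600000 MARK       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto directconnect MARK set 0x102
      30      15000 MARK       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp spt:!5444:5453 dpt:!5444:5453 mark match 0x102 MARK set 0x109
     120     600000 RETURN     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           mark match 0x102
     200    1000000 MARK       all  --  eth2   *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto tesla MARK set 0x200
      50     250000 MARK       all  --  eth2   *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto mute MARK set 0x200
     250    1250000 RETURN     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0           mark match 0x200
"""

# Constructed sample listing: the same chain 300 seconds later.  The fasttrack
# counter has dropped to almost zero, as it would after the firewall script
# re-ran and re-created the rule.
SAMPLE_T1 = """\
Chain PREROUTING (policy ACCEPT 1200 packets, 600000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    9900    4400000 RETURN     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
       1        100 MARK       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto fasttrack MARK set 0x101
     420    2100000 MARK       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto directconnect MARK set 0x102
      45      22500 MARK       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp spt:!5444:5453 dpt:!5444:5453 mark match 0x102 MARK set 0x109
     420    2100000 RETURN     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           mark match 0x102
     350    1750000 MARK       all  --  eth2   *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto tesla MARK set 0x200
      50     250000 MARK       all  --  eth2   *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto mute MARK set 0x200
     400    2000000 RETURN     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0           mark match 0x200
"""


def parse_l7_counters(listing):
    """Return {mark: {l7proto: bytes}} for every layer7 marking rule in the listing."""
    counters = {}
    for line in listing.splitlines():
        m = _L7_MARK_RULE.search(line)
        if not m:
            continue  # chain headers, RETURN rules, plain mark-to-mark rules
        mark = int(m.group("mark"), 16)
        per_proto = counters.setdefault(mark, {})
        per_proto[m.group("proto")] = per_proto.get(m.group("proto"), 0) + int(m.group("bytes"))
    return counters


def bytes_per_mark(counters):
    """Collapse {mark: {proto: bytes}} to {mark: bytes}; a mark shared by
    several protocols (0x100/0x200 'rest' in the poster's rules) is summed."""
    return {mark: sum(protos.values()) for mark, protos in counters.items()}


def kbit_per_second(prev, cur, seconds):
    """Rate per mark from two byte-total samples taken `seconds` apart.
    Uses tc's unit (1 kbit = 1000 bit).  A counter that went backwards (rule
    re-created, table flushed) yields None instead of a negative or huge rate."""
    rates = {}
    for mark, now in cur.items():
        before = prev.get(mark)
        if before is None or now < before:
            rates[mark] = None
        else:
            rates[mark] = (now - before) * 8 / 1000 / seconds
    return rates


def sample_rates(interval=300):
    """Rates between the two constructed samples, keyed by mark."""
    return kbit_per_second(bytes_per_mark(parse_l7_counters(SAMPLE_T0)),
                           bytes_per_mark(parse_l7_counters(SAMPLE_T1)),
                           interval)


if __name__ == "__main__":
    for mark, rate in sorted(sample_rates().items()):
        print("mark 0x%x: %s" % (mark, "reset, skipped" if rate is None else "%.1f kbit/s" % rate))
```

On a live box the listings would come from `subprocess.run(["iptables", "-t", "mangle", "-L", "-n", "-v", "-x"], capture_output=True, text=True).stdout` five minutes apart; the `-x` flag matters because without it iptables abbreviates large counters to K/M and the numbers stop being exact.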
kaksi Tux's lil' helper
Joined: 21 May 2004 Posts: 125
|
Posted: Tue Jun 14, 2005 8:01 am Post subject:
tnt: Please post the script that creates the rrd database.