Gentoo Forums
HOWTO: Bandwidth limiting
Forum: Documentation, Tips & Tricks
LeTene
Guru
Joined: 02 Mar 2004
Posts: 348
Location: Ah'll glass ye!

Posted: Thu Jan 20, 2005 9:11 pm

It's worth a quick mention that the L7 filtering is now working for the 2.6.10 series kernels - a much more elegant solution to protocol filtering... just emerge l7-filter.
ranmakun
Guru
Joined: 06 Nov 2002
Posts: 372
Location: Buenos Aires - Argentina

Posted: Sat Feb 05, 2005 8:48 pm

I'm having problems with HTB, I've created very simple rules to test this and it doesn't work, here's what I'm using:
Code:

#!/bin/bash

INTERFACE='eth0'
TC='/sbin/tc'

# Reset everything: flush the mangle table and drop any existing root qdisc
# (the "del" is silenced on purpose; it fails when no qdisc is attached yet)
iptables --flush --table mangle
$TC qdisc del dev $INTERFACE root 2> /dev/null > /dev/null

# Rules: HTB root with a 100kbit parent class and two SFQ leaves.
# Anything not classified explicitly ends up in 1:20 ("default 20").
$TC qdisc add dev $INTERFACE root handle 1: htb default 20
$TC class add dev $INTERFACE parent 1: classid 1:1 htb rate 100kbit
$TC class add dev $INTERFACE parent 1:1 classid 1:10 htb rate 92kbit ceil 100kbit prio 0
$TC class add dev $INTERFACE parent 1:1 classid 1:20 htb rate 32kbit ceil 100kbit prio 1
$TC qdisc add dev $INTERFACE parent 1:10 handle 10: sfq perturb 10
$TC qdisc add dev $INTERFACE parent 1:20 handle 20: sfq perturb 10

# Outgoing web traffic (TCP to port 80) is meant to land in class 1:10
iptables -t mangle -A POSTROUTING -o $INTERFACE -p tcp --dport 80 -j CLASSIFY --set-class 1:10

#I've also tried with the following line instead of iptables
#$TC filter add dev $INTERFACE parent 1: protocol ip u32 match ip dport 80 0xffff flowid 1:10


That is, everything goes to 1:20 except web traffic, which goes to 1:10.
But it doesn't work, I get the following output from "tc -s class show dev eth0":
Quote:

class htb 1:1 root rate 100000bit ceil 100000bit burst 1611b cburst 1611b
Sent 1996470 bytes 5057 pkts (dropped 0, overlimits 0)
rate 86312bit 25pps
lended: 3167 borrowed: 0 giants: 0
tokens: 24496 ctokens: 24496

class htb 1:10 parent 1:1 leaf 10: prio 0 rate 92000bit ceil 100000bit burst 1610b cburst 1611b
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
lended: 0 borrowed: 0 giants: 0
tokens: 143448 ctokens: 132055

class htb 1:20 parent 1:1 leaf 20: prio 1 rate 32000bit ceil 100000bit burst 1603b cburst 1611b
Sent 1996470 bytes 5057 pkts (dropped 0, overlimits 0)
rate 87024bit 26pps
lended: 1890 borrowed: 3167 giants: 0
tokens: -171904 ctokens: 24496

No matter how much I surf the web 1:10 doesn't fill with anything.
I also didn't understand why, to classify web traffic, the author of this thread used source port 80; if the traffic is outgoing it should be the destination port, I think. Anyway, in case you ask, I've tried both source and destination in my tests, but neither of them works. Any ideas? I don't know what else to try; I've also tried other ways of doing it and can't find a solution. Thank you.
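The symptom in the post above can be read straight off the counters: the target class 1:10 has sent nothing, while the default class 1:20 carries exactly the root's byte count, so no packet ever matched the classifier. The following is an added example, not code from the thread, that turns that eyeball check into a small POSIX shell filter over the output of `tc -s class show dev <if>`. The sample output embedded in the script is constructed from the figures in the post; nothing here needs root, and on a live box the same functions are fed from the real `tc` command shown in the comments.

```sh
#!/bin/sh
# Added example (not from the thread): parse "tc -s class show dev <if>" and
# report what each HTB class actually carried, so a misclassification such as
# "everything lands in the default class" shows up immediately.

# Constructed sample, modelled on the output posted in the thread.
SAMPLE_TC_OUTPUT='class htb 1:1 root rate 100000bit ceil 100000bit burst 1611b cburst 1611b
 Sent 1996470 bytes 5057 pkts (dropped 0, overlimits 0)
 rate 86312bit 25pps
 lended: 3167 borrowed: 0 giants: 0
 tokens: 24496 ctokens: 24496

class htb 1:10 parent 1:1 leaf 10: prio 0 rate 92000bit ceil 100000bit burst 1610b cburst 1611b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 143448 ctokens: 132055

class htb 1:20 parent 1:1 leaf 20: prio 1 rate 32000bit ceil 100000bit burst 1603b cburst 1611b
 Sent 1996470 bytes 5057 pkts (dropped 0, overlimits 0)
 rate 87024bit 26pps
 lended: 1890 borrowed: 3167 giants: 0
 tokens: -171904 ctokens: 24496'

# One line per class: "<classid> <bytes> <packets>".
# The "Sent" line follows each "class htb" header; field 4 is the packet
# count whether iproute2 prints "pkts" (old) or "pkt" (newer).
htb_class_usage() {
    awk '
        $1 == "class" && $2 == "htb" { cls = $3; next }
        $1 == "Sent" && cls != ""    { print cls, $2, $4; cls = "" }
    '
}

# Classes that carried nothing at all: candidates for a filter or mangle
# rule that never matches.
htb_idle_classes() {
    htb_class_usage | awk '$2 == 0 { print $1 }'
}

# Percentage of the root class's bytes that ended up in one class.
# Usage: ... | htb_class_share <root-classid> <classid>
htb_class_share() {
    htb_class_usage | awk -v root="$1" -v cls="$2" '
        $1 == root { total = $2 }
        $1 == cls  { sent = $2 }
        END { if (total > 0) printf "%d\n", sent * 100 / total; else print 0 }
    '
}

# Live use (not run here): tc -s class show dev eth0 | htb_class_usage
if [ "${1:-}" = "--demo" ]; then
    echo "$SAMPLE_TC_OUTPUT" | htb_class_usage
    echo "idle classes:"; echo "$SAMPLE_TC_OUTPUT" | htb_idle_classes
    echo "share of 1:20: $(echo "$SAMPLE_TC_OUTPUT" | htb_class_share 1:1 1:20)%"
fi
```

When the default class shows 100% like this, the next counters to read are `iptables -t mangle -L -v -n -x` (did the rule match at all?) and `tc -s filter show dev eth0` (did a tc filter match?); the class counters alone only tell you where the packets ended up, not which stage failed to steer them.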
j-kidd
Apprentice
Joined: 20 Feb 2003
Posts: 213

Posted: Sat Feb 05, 2005 10:33 pm

Try to use prio 1 and prio 2 instead of prio 0 and prio 1. I have tried prio 0 with tc filter as suggested by some websites, but it didn't work. I suspect prio 0 won't work with tc class too.
DeathAndTaxes
Tux's lil' helper
Joined: 27 Mar 2003
Posts: 124

Posted: Sun Feb 06, 2005 5:46 am

ranmakun wrote:
I'm having problems with HTB, I've created very simple rules to test this and it doesn't work, here's what I'm using:
Code:
#!/bin/bash

INTERFACE='eth0'
TC='/sbin/tc'

#reset everything
iptables --flush --table mangle
$TC qdisc del dev $INTERFACE root 2> /dev/null > /dev/null

#rules
$TC qdisc add dev $INTERFACE root handle 1: htb default 20
$TC class add dev $INTERFACE parent 1: classid 1:1 htb rate 100kbit
$TC class add dev $INTERFACE parent 1:1 classid 1:10 htb rate 92kbit ceil 100kbit prio 0
$TC class add dev $INTERFACE parent 1:1 classid 1:20 htb rate 32kbit ceil 100kbit prio 1
$TC qdisc add dev $INTERFACE parent 1:10 handle 10: sfq perturb 10
$TC qdisc add dev $INTERFACE parent 1:20 handle 20: sfq perturb 10

iptables -t mangle -A POSTROUTING -o eth0 -p tcp --dport 80 -j CLASSIFY --set-class 1:10


Instead of using the iptables -j CLASSIFY --set-class option, have you tried the -j MARK --set-mark option? Also, I'm thinking you don't need --set-class 1:10, but rather just --set-class 10. Perhaps the CLASSIFY target isn't working for you, while I've never seen the MARK target not work (I'm assuming that both kernels are configured correctly... if you didn't have CLASSIFY target support, iptables would let you know).

The more I think about it, the more I think you need to just set --set-class 10.
DeathAndTaxes
Tux's lil' helper
Joined: 27 Mar 2003
Posts: 124

Posted: Sun Feb 06, 2005 5:50 am

j-kidd wrote:
Try to use prio 1 and prio 2 instead of prio 0 and prio 1. I have tried prio 0 with tc filter as suggested by some websites, but it didn't work. I suspect prio 0 won't work with tc class too.


Sorry to double-post like this... I think prio 0 should work just fine... I've always started counting from 0 with tc and it's always worked (been doing this for about 2 years). However, I don't *think* there's any adverse effect of starting from 1 or any other number. :-)
ranmakun
Guru
Joined: 06 Nov 2002
Posts: 372
Location: Buenos Aires - Argentina

Posted: Sun Feb 06, 2005 3:55 pm

Thanks for your help guys, but still I couldn't solve it.
I've tried different prios, but it's the same. I've also tried marking the packets instead of classifying, but no luck. Also using "10" in the classifier instead of "1:10"; nothing worked.
I've started to investigate things a little closer: "iptables -t mangle -L -v" shows a packet and byte count of zero with both methods of classifying by iptables, so I think that's where the problem is. But I cannot find why it doesn't do it. I'm doing NAT on this machine, so I thought maybe it wasn't doing anything for the NATed machines, so I tried to generate web traffic on the machine itself using wget and nothing happened. I've also tried deleting all iptables rules and setting all policies to ACCEPT and then using mangle, and it didn't work either. I'm really out of ideas; maybe it's the kernel? The modules?
kernel version is 2.6.10-gentoo-r4
Code:

kaori htb # lsmod
Module                  Size  Used by
ip_conntrack_ftp       70928  -
cls_u32                 5552  -
ipt_limit               1644  -
ipt_multiport           1516  -
ipt_CLASSIFY            1612  -
ipt_mark                1196  -
ipt_length              1228  -
ipt_MARK                1484  -
cls_fw                  2860  -
sch_sfq                 4556  -
sch_htb                21356  -
iptable_mangle          1868  -
ipt_state               1324  -
ipt_LOG                 5836  -
iptable_nat            20776  -
ip_conntrack           37812  -
iptable_filter          2636  -
ip_tables              14144  -
DeathAndTaxes
Tux's lil' helper
Joined: 27 Mar 2003
Posts: 124

Posted: Sun Feb 06, 2005 5:35 pm

Have you re-emerged both iproute2 and iptables since compiling this kernel? Are your error messages getting suppressed somehow? If it doesn't work, and you're redirecting all the exit messages to /dev/null, you'd not know it.

It could be that the packets are getting marked, but tc isn't configured correctly, or that tc is ok, but the packets are getting marked incorrectly. I think the usual practice is to create a new target in the mangle table and point all traffic that's destined out $INTERNET_INTERFACE to that new table, then mark the packets there. You *should* be able to mark them wherever (including the POSTROUTING section), but it is a bit easier to maintain if you build another TARGET.

There are a few utilities you can use to look at the packets as they pass to your interface(s). I think ethereal can do this, but I've never used it.

You can also try changing the default class in your $TC ... root handle ... line. Change that on the fly in one window and `watch -n1 /sbin/tc -s qdisc show dev eth0` in another window and see if the traffic starts changing to different filters.

I also try to avoid using tc with the u32 match whenever I can. I try to handle just marking in iptables and only use tc to do its thing based on marks. I've found that tc and ip both can be really, uhm, crashy when something weird happens (try setting up two routes and have a packet match positively in the ruleset for both routes... your box will probably stop responding to traffic). ;-)
BeFalou
n00b
Joined: 26 May 2003
Posts: 45
Location: Madrid

Posted: Tue Feb 22, 2005 12:12 am

Hi,

I've been trying to get this all day, but I'm starting to think that what I want is not possible. I want to do traffic shaping to get something like Upload Speed Sense, which is a feature present in some eMule mods but not in aMule, and it consists of giving two values (Min and Max) for the upload rate; the program itself moves between those values so that you can surf and do internet stuff pretty fast. Since I'm on 512/128 I need to set an upload rate of at least 10kb/s, but if I do that my downloads are slowed down too. That's why I need traffic shaping.

I first tried the script that LeTene posted(modified for my purposes):
Code:
#!/bin/bash

# Zap the iptables mangle queue
iptables -t mangle -F

# Egress device
OUT=eth0

# Flow rates
MAX=100mbit
BT_MAX=90kbit

# Application names (for "marking"); --cmd-owner matches the process name of
# locally generated packets, so it only makes sense in the OUTPUT chain
BT_APP=qtorrent

# Delete existing shaping (quiet when no qdisc is attached yet)
tc qdisc del dev $OUT root 2> /dev/null

# ===========
# Our classes
# ===========
# Top: HTB root, unmarked traffic falls into 1:30
tc qdisc add dev $OUT root handle 1: htb default 30
tc class add dev $OUT parent 1: classid 1:1 htb rate $MAX

# 1:10 unrestricted, 1:20 bittorrent capped at $BT_MAX, 1:30 everything else
tc class add dev $OUT parent 1:1 classid 1:10 htb rate $MAX
tc class add dev $OUT parent 1:1 classid 1:20 htb rate $BT_MAX ceil $BT_MAX
tc class add dev $OUT parent 1:1 classid 1:30 htb rate $MAX ceil $MAX

# Rehashing: fair queueing between flows inside each leaf
tc qdisc add dev $OUT parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $OUT parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev $OUT parent 1:30 handle 30: sfq perturb 10

# ===================
# the magic begins...
# ===================

# Bittorrent: mark the process's packets with 2, let tc map mark 2 to class 1:20
iptables -t mangle -A OUTPUT -m owner --cmd-owner $BT_APP -j MARK --set-mark 2
tc filter add dev $OUT protocol ip parent 1:0 handle 2 fw flowid 1:20

It worked great, but then I realized that my downloads in aMule were slower. That could be because for aMule my connection is 90kbit/s and its upload limit (inside the program) is almost that, so it's as if it was using all the available upload bandwidth for uploading (with the negative effect on downloads). I'm not sure if that's correct.

What I've been trying since then is to only limit the traffic from the aMule upload port (let's call it $APP_PORT). I basically tried two different ways, changing from the comment "the magic begins":
1.- Removing the last 2 lines and using:
Code:
tc filter add dev $OUT parent 1:0 protocol ip u32 match ip sport $APP_PORT 0xffff flowid 1:20

2.- Removing the last 2 lines and using:
Code:
iptables -t mangle -A POSTROUTING -p tcp --sport $APP_PORT -j CLASSIFY --set-class 1:20

Neither of them worked as expected; my internet connection was almost dead all the time.

I need help with this, I don't know if what I'm trying to do is the best way or even possible. Any suggestion will be greatly appreciated.
kaksi
Tux's lil' helper
Joined: 21 May 2004
Posts: 125

Posted: Sun May 15, 2005 9:24 am

I can't seem to get the incoming bandwidth (download) to be caught by my script. I do not want to shape the download speed, but I want to use it for statistics.

Here is a part of my script:
Code:

#Classes
# eth0
tc qdisc add dev eth0 root handle 1: htb default 30
tc class add dev eth0 parent 1: classid 1:1 htb rate 9Mbit burst 6k
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 9Mbit burst 6k prio 1
tc class add dev eth0 parent 1:1 classid 1:20 htb rate  8Mbit burst 6k prio 2
tc class add dev eth0 parent 1:1 classid 1:30 htb rate  8Mbit burst 6k prio 3
tc class add dev eth0 parent 1:1 classid 1:40 htb rate  8Mbit burst 6k prio 4
tc class add dev eth0 parent 1:1 classid 1:50 htb rate  8Mbit burst 6k prio 5
tc class add dev eth0 parent 1:1 classid 1:60 htb rate  8Mbit burst 6k prio 6
tc class add dev eth0 parent 1:1 classid 1:70 htb rate  8Mbit burst 6k prio 7
tc class add dev eth0 parent 1:1 classid 1:80 htb rate  8Mbit burst 6k prio 8
tc class add dev eth0 parent 1:1 classid 1:90 htb rate  8Mbit burst 6k prio 9
tc class add dev eth0 parent 1:1 classid 1:100 htb rate  8Mbit burst 6k prio 10

tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev eth0 parent 1:30 handle 30: sfq perturb 10
tc qdisc add dev eth0 parent 1:40 handle 40: sfq perturb 10
tc qdisc add dev eth0 parent 1:50 handle 50: sfq perturb 10
tc qdisc add dev eth0 parent 1:60 handle 60: sfq perturb 10
tc qdisc add dev eth0 parent 1:70 handle 70: sfq perturb 10
tc qdisc add dev eth0 parent 1:80 handle 80: sfq perturb 10
tc qdisc add dev eth0 parent 1:90 handle 90: sfq perturb 10
tc qdisc add dev eth0 parent 1:100 handle 100: sfq perturb 10

#eth1
tc qdisc add dev eth1 root handle 2: htb default 30
tc class add dev eth1 parent 2: classid 2:1 htb rate 99Mbit burst 6k
tc class add dev eth1 parent 2:1 classid 2:10 htb rate 99Mbit burst 6k prio 1
tc class add dev eth1 parent 2:1 classid 2:20 htb rate  99Mbit burst 6k prio 2
tc class add dev eth1 parent 2:1 classid 2:30 htb rate  99Mbit burst 6k prio 3
tc class add dev eth1 parent 2:1 classid 2:40 htb rate  99Mbit burst 6k prio 4
tc class add dev eth1 parent 2:1 classid 2:50 htb rate  99Mbit burst 6k prio 5
tc class add dev eth1 parent 2:1 classid 2:60 htb rate  99Mbit burst 6k prio 6
tc class add dev eth1 parent 2:1 classid 2:70 htb rate  99Mbit burst 6k prio 7
tc class add dev eth1 parent 2:1 classid 2:80 htb rate  99Mbit burst 6k prio 8
tc class add dev eth1 parent 2:1 classid 2:90 htb rate  99Mbit burst 6k prio 9
tc class add dev eth1 parent 2:1 classid 2:100 htb rate  99Mbit burst 6k prio 10

tc qdisc add dev eth1 parent 2:10 handle 10: sfq perturb 10
tc qdisc add dev eth1 parent 2:20 handle 20: sfq perturb 10
tc qdisc add dev eth1 parent 2:30 handle 30: sfq perturb 10
tc qdisc add dev eth1 parent 2:40 handle 40: sfq perturb 10
tc qdisc add dev eth1 parent 2:50 handle 50: sfq perturb 10
tc qdisc add dev eth1 parent 2:60 handle 60: sfq perturb 10
tc qdisc add dev eth1 parent 2:70 handle 70: sfq perturb 10
tc qdisc add dev eth1 parent 2:80 handle 80: sfq perturb 10
tc qdisc add dev eth1 parent 2:90 handle 90: sfq perturb 10
tc qdisc add dev eth1 parent 2:100 handle 100: sfq perturb 10


This script is located at my server that acts as a bridge between my network and my internet connection. Here is a sample output of what happens when I download a 100MB file from a server on the net:
Code:

 13:22:29 up  1:11,  3 users,  load average: 2.38, 1.34, 0.59
                                          Interval    Cumulated Total
Dev  Classid   Tokens   Ctokens Rate      Speed       Send      Send
-------------------------------------------------------------------------
eth0 1:1       5535     2423    83.78KB   23.76KB/s   240.18KB  1.22MB2KB
eth0 1:10      5535     2423    18.92KB   2.10KB/s    29.19KB   183.08KB
eth0 1:100     6291     2662    0B        0B/s        0B        0B
eth0 1:20      6291     2662    0B        0B/s        0B        0B
eth0 1:30      6226     2597    71.11KB   21.66KB/s   210.99KB  1.04MB4KB
eth0 1:40      6291     2662    0B        0B/s        0B        0B
eth0 1:50      6291     2662    0B        0B/s        0B        0B
eth0 1:60      6291     2662    0B        0B/s        0B        0B
eth0 1:70      6291     2662    0B        0B/s        0B        0B
eth0 1:80      6291     2662    0B        0B/s        0B        0B
eth0 1:90      6291     2662    0B        0B/s        0B        0B
eth1 2:1       383      1032    3.11KB    1.00MB/s    9.71MB    49.45MB
eth1 2:10      502      1151    9.62KB    1.80KB/s    27.20KB   74.46KB
eth1 2:100     507      1156    0B        0B/s        0B        0B
eth1 2:20      494      1143    488B      0B/s        469B      3.07KB
eth1 2:30      503      1152    6.72KB    40B/s       1.73KB    334.38KB
eth1 2:40      507      1156    0B        0B/s        0B        0B
eth1 2:50      383      1032    3.67KB    1.00MB/s    9.67MB    49.01MB
eth1 2:60      507      1156    0B        0B/s        0B        0B
eth1 2:70      360      1009    4.83KB    1.15KB/s    11.93KB   46.71KB
eth1 2:80      507      1156    0B        0B/s        0B        0B
eth1 2:90      507      1156    0B        0B/s        0B        0B


As can be seen, the traffic from the net to eth0 (the NIC connected to the internet) cannot be seen, but the traffic from the server (eth1) to my internal computer that downloads the file can be seen.

Is there any way I can make this traffic be seen at eth0? Or is that not possible? Is it only outgoing traffic that can be monitored?
opentaka
l33t
Joined: 18 Feb 2005
Posts: 840
Location: Japan

Posted: Sun May 15, 2005 2:42 pm

Interesting.
But I guess this thing will limit the whole interface instead of by application only.

It would be more than nice if someone could write how to limit the bandwidth by application though..
DeathAndTaxes
Tux's lil' helper
Joined: 27 Mar 2003
Posts: 124

Posted: Sun May 15, 2005 4:50 pm

kaksi wrote:
Is there anyway I can make this traffic be seen at eth0? Or is that not possible? Is it only outgoing traffic that can be montored?


If I understand it correctly, tc only works on traffic being sent, not on received traffic. If you set up a couple of IMQ devices, you could bend your traffic coming from the internet (on eth0, right?) to one of your IMQ devices, classifying it as it goes, and get nice stats if you need them.

Alternatively, you could mark the packets with iptables as they come in, and then count the packets with iptables and get your stats off of that with an iptables -t mangle -L WHATEVERYOURTABLEISCALLED -v -n. ;-)
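One way to do the iptables-counter accounting suggested in the reply above, as an added example that is not part of the thread: list the accounting chain with `iptables -t mangle -L <chain> -v -n -x` (the `-x` prints exact byte counts instead of K/M-rounded ones), take two snapshots, and the per-rule difference over the interval is the rate, which is exactly the kind of value an rrdtool update wants. The chain name `ACCT_IN` (assumed to be jumped to from mangle PREROUTING `-i eth0`, the internet-facing NIC), the marks and the two snapshots below are all constructed for the example.

```sh
#!/bin/sh
# Added example (not from the thread): turn two snapshots of an iptables
# accounting chain into per-rule byte rates. Counters in PREROUTING see
# inbound traffic, which an egress qdisc on the same NIC never does.

# Constructed snapshots of an assumed chain ACCT_IN, taken 5 seconds apart,
# as printed by: iptables -t mangle -L ACCT_IN -v -n -x
SNAP_T0='Chain ACCT_IN (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    1200    1620000 MARK       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:80 MARK set 0x1
      40       4800 MARK       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp spt:53 MARK set 0x2
    9000   13500000 MARK       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            MARK set 0x3'
SNAP_T1='Chain ACCT_IN (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    1700    2370000 MARK       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:80 MARK set 0x1
      45       5400 MARK       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp spt:53 MARK set 0x2
   13000   18750000 MARK       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            MARK set 0x3'

# "<rule-number> <bytes>" for every rule in the listing on stdin; the
# "Chain" and column-header lines have non-numeric first fields and drop out.
ipt_rule_bytes() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ { n++; print n, $2 }'
}

# Bytes per second per rule between two snapshots.
# Usage: ipt_rule_rate "<snapshot0>" "<snapshot1>" <seconds>
ipt_rule_rate() {
    secs=$3
    {
        echo "$1" | ipt_rule_bytes | sed 's/^/0 /'
        echo "$2" | ipt_rule_bytes | sed 's/^/1 /'
    } | awk -v secs="$secs" '
        $1 == 0 { before[$2] = $3 }
        $1 == 1 { after[$2]  = $3 }
        END {
            for (r in after) {
                delta = after[r] - before[r]
                # A counter that went backwards means the chain was flushed or
                # rules were re-inserted in between; report U (unknown) like rrdtool.
                if (delta < 0) print r, "U"; else print r, int(delta / secs)
            }
        }' | sort -n
}

# Live use (not run here): snap the real chain twice with sleep in between.
if [ "${1:-}" = "--demo" ]; then
    ipt_rule_rate "$SNAP_T0" "$SNAP_T1" 5
fi
```

Rule order is the only identity a plain `-L` listing gives you, so insert accounting rules only at the end of the chain (or use `--line-numbers` and a comment match) if you want the numbering to stay stable across edits.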
bookstack
Apprentice
Joined: 27 Feb 2004
Posts: 245

Posted: Sun May 15, 2005 9:48 pm

Is there anyway to shape the traffic more dedicately ?

For example, limit the dl/ul bandwidth according the user, time, application ...
DeathAndTaxes
Tux's lil' helper
Joined: 27 Mar 2003
Posts: 124

Posted: Sun May 15, 2005 10:40 pm

bookstack wrote:
Is there anyway to shape the traffic more dedicately ?

For example, limit the dl/ul bandwidth according the user, time, application ...


Yes, the trick is getting the right patch(es) for iptables. I know there are patches for time of day, and I know there are some patches for p2p traffic. The term 'application' is a bit esoteric... your router is only interested in IPs and ports for the most part... it won't know if you're browsing with Konqueror or Firefox, it just sees port 80 traffic.

I think there's some per-user stuff that's relatively new, but I'm not familiar with it myself.

I'd look at www.lartc.org and google around its mailing lists and such. I'm sure there are other people out there who have done/are interested in doing what you want. I'd suggest joining the lartc.org mailing list and posting your questions to it, since those are the guys who do this sort of stuff. ;-)
ranmakun
Guru
Joined: 06 Nov 2002
Posts: 372
Location: Buenos Aires - Argentina

Posted: Sun May 15, 2005 11:09 pm

There is traffic analyzer software that uses iptables to mark the traffic, then you can classify it easily.
I read about it the other day at work and I think I bookmarked it there, tomorrow I'll see if I have the site.
ranmakun
Guru
Joined: 06 Nov 2002
Posts: 372
Location: Buenos Aires - Argentina

Posted: Mon May 16, 2005 1:22 pm

ranmakun wrote:
There is traffic analyzer software that uses iptables to mark the traffic, then you can classify it easily.
I read about it the other day at work and I think I bookmarked it there, tomorrow I'll see if I have the site.


Ok, here I found it: http://l7-filter.sourceforge.net/

Quote:

L7-filter is a classifier for the Linux kernel's Netfilter subsystem that identifies packets based on application layer data. This means that it can classify packets as HTTP, FTP, Gnucleus, eDonkey2000, etc., regardless of port. It complements existing classifiers that match on address, port numbers and so on.

Our intent is for l7-filter to be used in conjunction with Linux QoS to do bandwidth arbitration ("packet shaping").


Looks promising, I didn't have time to test it yet.
ranmakun
Guru
Joined: 06 Nov 2002
Posts: 372
Location: Buenos Aires - Argentina

Posted: Mon May 16, 2005 2:21 pm

Another one: http://rnvs.informatik.uni-leipzig.de/ipp2p/index_en.html

Quote:

The goal of the IPP2P project is to identify peer-to-peer (P2P) data in IP traffic. For this purpose we extended the iptables/netfilter architecture by a new matching module. Thereby IPP2P integrates itself easily into existing Linux firewalls and its functionality can be used by adding appropriate filter rules.
IPP2P uses suitable search patterns to identify P2P traffic, thus allowing the reliable identification of traffic belonging to many P2P networks. Once identified, one may handle P2P traffic in different ways - dropping such traffic, putting it into low priority classes or shaping it to a given bandwidth limit is possible. Reducing costs, freeing network resources and therefore improving network performance is often the result of using IPP2P.
tnt
Veteran
Joined: 27 Feb 2004
Posts: 1221

Posted: Fri Jun 10, 2005 2:38 pm

l7-filter (with little hacking of iptables source) works fine on amd64.

here is an example:
http://www.aaen.edu.yu/~tnt/forums/titan.eth2-week.png


:wink:
tnt
Veteran
Joined: 27 Feb 2004
Posts: 1221

Posted: Fri Jun 10, 2005 2:43 pm

barberio wrote:
Updated my bandwidth RC script to try to calculate working quantum sizes from the MTU of the device being used. This should get rid of messages like 'HTB: quantum of class 10001 is big. Consider r2q change.'


Seems that your scripts are missing.
Could you paste them here?

:?:
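The quantum warning barberio refers to in the quote above, and the layout DeathAndTaxes recommended earlier in the thread (mark in a dedicated mangle chain, let tc pick the class by mark), together in one added example that is not a script from this thread. HTB computes a leaf's quantum as rate in bytes divided by r2q (default 10) and warns with "quantum of class ... is small/big. Consider r2q change." when the result is below 1000 or above 200000 bytes; giving each leaf an explicit `quantum` makes it skip that computation, so the script derives one from the MTU instead of tuning a single global r2q. Assumptions: interface eth0, a 128 kbit uplink, bulk traffic identified by TCP source ports 6881-6889 and mark 2, and the chain name SHAPE_OUT. `DRY_RUN=1` prints the tc/iptables commands instead of running them, so it can be reviewed without root.

```sh
#!/bin/sh
# Added example, not a script from this thread: HTB egress shaper that marks in
# its own mangle chain, maps marks to classes with tc "fw" filters, and sets an
# explicit quantum on every leaf so the kernel never prints
# "HTB: quantum of class ... is small/big. Consider r2q change."
# Assumed: eth0, rates in kbit, bulk = TCP source ports 6881-6889, mark 2.

# HTB's own choice would be rate_bytes / r2q (r2q defaults to 10), warning below
# 1000 or above 200000 bytes. We want at least one MTU-sized packet per round
# and never more than the 200000-byte ceiling the kernel itself enforces.
# Usage: htb_quantum <rate-kbit> <mtu-bytes>   (prints bytes)
htb_quantum() {
    rate_kbit=$1; mtu=$2
    bytes_per_sec=$((rate_kbit * 125))   # 1 kbit/s = 125 bytes/s
    q=$((bytes_per_sec / 10))            # what HTB would pick with r2q=10
    [ "$q" -lt "$mtu" ] && q=$mtu
    [ "$q" -gt 200000 ] && q=200000
    echo "$q"
}

# Execute a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Usage: build_shaper <iface> <link-kbit> <bulk-kbit> <mtu>
#   1:10  everything else (default): guaranteed link-bulk, may borrow up to link
#   1:20  bulk (mark 2): rate and ceil both <bulk-kbit>, so it cannot starve 1:10
build_shaper() {
    dev=$1; link=$2; bulk=$3; mtu=$4
    inter=$((link - bulk))
    [ "$inter" -gt 0 ] || { echo "bulk rate must be below the link rate" >&2; return 1; }
    q_inter=$(htb_quantum "$inter" "$mtu")
    q_bulk=$(htb_quantum "$bulk" "$mtu")

    run tc qdisc del dev "$dev" root 2>/dev/null
    run tc qdisc add dev "$dev" root handle 1: htb default 10
    # quantum is only used on leaves; the inner class 1:1 does not get one
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "${link}kbit"
    run tc class add dev "$dev" parent 1:1 classid 1:10 htb rate "${inter}kbit" ceil "${link}kbit" prio 1 quantum "$q_inter"
    run tc class add dev "$dev" parent 1:1 classid 1:20 htb rate "${bulk}kbit" ceil "${bulk}kbit" prio 2 quantum "$q_bulk"
    run tc qdisc add dev "$dev" parent 1:10 handle 10: sfq perturb 10
    run tc qdisc add dev "$dev" parent 1:20 handle 20: sfq perturb 10

    # tc selects the class from the firewall mark ...
    run tc filter add dev "$dev" parent 1: protocol ip prio 1 handle 2 fw flowid 1:20

    # ... and all marking lives in one chain hung off POSTROUTING for this
    # interface, so it can be listed, counted and flushed on its own.
    run iptables -t mangle -N SHAPE_OUT 2>/dev/null
    run iptables -t mangle -F SHAPE_OUT
    run iptables -t mangle -D POSTROUTING -o "$dev" -j SHAPE_OUT 2>/dev/null
    run iptables -t mangle -A POSTROUTING -o "$dev" -j SHAPE_OUT
    run iptables -t mangle -A SHAPE_OUT -p tcp --sport 6881:6889 -j MARK --set-mark 2
}

# Demo: 128 kbit uplink, 90 kbit for bulk, 1500-byte MTU. Drop DRY_RUN to apply.
if [ "${1:-}" = "--demo" ]; then
    DRY_RUN=1 build_shaper eth0 128 90 1500
fi
```

With these numbers both leaves get quantum 1500: 38 kbit and 90 kbit work out to 475 and 1125 bytes under the default r2q, which is less than one packet per round and is what triggers the "is small" warning; a 100 mbit class would land at 1250000 and trigger "is big", which the clamp to 200000 avoids.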
ranmakun
Guru
Joined: 06 Nov 2002
Posts: 372
Location: Buenos Aires - Argentina

Posted: Sun Jun 12, 2005 4:06 pm

tnt wrote:
l7-filter (with little hacking of iptables source) works fine on amd64.

here is an example:
http://www.aaen.edu.yu/~tnt/forums/titan.eth2-week.png


:wink:


Two questions:
1. There is an l7-filter ebuild, but I don't see any iptables USE flag to use with it for l7-filter support. Did you patch iptables manually?
2. What did you use to make those graphs?
tnt
Veteran
Joined: 27 Feb 2004
Posts: 1221

Posted: Sun Jun 12, 2005 5:42 pm

1. you should emerge iptables with 'extensions' use flag
Code:
titan ~ # emerge -pv iptables

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild   R   ] net-firewall/iptables-1.2.11-r3  -debug +extensions -ipv6 -static 0 kB

Total size of downloads: 0 kB
titan ~ #

but in my case (amd64 system) I had to patch the source manually to solve a bug about a 64-bit integer.
details here:
https://bugs.gentoo.org/show_bug.cgi?id=88218

2. I use rrdtool (which rulz :D ) to monitor all of my server activities and later to draw graphs

:wink:
ranmakun
Guru
Joined: 06 Nov 2002
Posts: 372
Location: Buenos Aires - Argentina

Posted: Sun Jun 12, 2005 7:31 pm

tnt wrote:
1. you should emerge iptables with 'extensions' use flag

2. I use rrdtool (which rulz :D ) to monitor all of my server activities and later to draw graphs

:wink:


I see, well, I have a problem with the extensions use flag:
Code:

[snip]
 * WARNING: 3rd party extensions has been enabled.
 * This means that iptables will use your currently installed
 * kernel in /usr/src/linux as headers for iptables.
 *
 * You may have to patch your kernel to allow iptables to build.
 * Please check http://cvs.iptables.org/patch-o-matic-ng/updates/ for patches
 * for your kernel.
>>> Unpacking source...
>>> Unpacking iptables-1.2.11.tar.bz2 to /var/tmp/portage/iptables-1.2.11-r3/work
 * Applying grsecurity-1.2.8-iptables.patch.bz2 ...                                                                                [ ok ]
 * Applying install_ipv6_apps.patch.bz2 ...                                                                                        [ ok ]
 * Applying install_all_dev_files.patch.bz2 ...                                                                                    [ ok ]
 * Applying round-robin.patch ...                                                                                                  [ ok ]
 * Applying CAN-2004-0986.patch ...                                                                                                [ ok ]
 * Applying iptables-1.2.9-imq1.diff.bz2 ...                                                                                       [ ok ]
 * Applying iptables-layer7-0.9.0.patch.bz2 ...                                                                                    [ ok ]
>>> Source unpacked.
Making dependencies: please wait...
Something wrong... deleting dependencies.
make: *** [../ipset/libipt_set.h] Error 1

!!! ERROR: net-firewall/iptables-1.2.11-r3 failed.
!!! Function src_compile, Line 91, Exitcode 2
!!! Please check http://cvs.iptables.org/patch-o-matic-ng/updates/ if your kernel needs to be patched for iptables
!!! If you need support, post the topmost build error, NOT this status message.


2. I imagined it was rrdtool, but do you use any special tool or do you do it manually? In that case, how do you get the value of each sample for the rrd?
tnt
Veteran
Joined: 27 Feb 2004
Posts: 1221

Posted: Sun Jun 12, 2005 10:33 pm

Well, I don't know anything about the error you've got, but I'll paste my message to you here for others to see examples of my scripts

Quote:
Hello.

I don't use serverstats (couldn't even open that demo, but never mind).
I don't have a mail server so I didn't have a chance to try to monitor it. I've heard that 'mailgraph' is using rrdtool as a backend for mail-server statistics.

I've made rrds with perl scripts like this one:
Code:
#!/usr/bin/perl -w
#
# Create the rrd database once; skipped if it already exists.

use strict;
use RRDs;

# define location of rrdtool databases
my $rrd = '/var/lib/rrd';

if (! -e "$rrd/dns.rrd")
{
        print "creating rrd database for dns...\n";
        # one sample every 300 s; DERIVE data sources turn the ever-growing
        # counters into per-second rates (600 s heartbeat, negatives rejected),
        # then averages are kept at 5 min, 30 min, 2 h, 1 day and 1 week steps
        RRDs::create "$rrd/dns.rrd",
                "-s 300",
                "DS:success:DERIVE:600:0:U",
                "DS:referral:DERIVE:600:0:U",
                "DS:nxrrset:DERIVE:600:0:U",
                "DS:nxdomain:DERIVE:600:0:U",
                "DS:recursion:DERIVE:600:0:U",
                "DS:failure:DERIVE:600:0:U",
                "RRA:AVERAGE:0.5:1:576",
                "RRA:AVERAGE:0.9:6:672",
                "RRA:AVERAGE:0.9:24:744",
                "RRA:AVERAGE:0.9:288:730",
                "RRA:AVERAGE:0.9:2016:522";
        my $ERROR = RRDs::error;
        if ($ERROR) { print "unable to generate database: $ERROR\n"; }
}

After that I've put line in my crontab to execute rrd-update script for everything I want to monitor. Just an example for my system-5m.rrd database:
Code:
#!/usr/bin/perl -w
#

use RRDs;

# define location of rrdtool databases
my $rrd = '/var/lib/rrd';

my $temp_cpu = `cat /sys/devices/platform/i2c-0/0-0290/temp1_input` / 1000;
my $temp_sys = `cat /sys/devices/platform/i2c-0/0-0290/temp2_input` / 1000;

my $fan1 = `cat /sys/devices/platform/i2c-0/0-0290/fan1_input` *1;
my $fan2 = `cat /sys/devices/platform/i2c-0/0-0290/fan2_input` *1;
my $fan3 = `cat /sys/devices/platform/i2c-0/0-0290/fan3_input` *1;
my $voltage_cpu = `cat /sys/devices/platform/i2c-0/0-0290/in0_input` / 1000;
my $voltage_ram = `cat /sys/devices/platform/i2c-0/0-0290/in1_input` / 1000;
my $voltage_33v = `cat /sys/devices/platform/i2c-0/0-0290/in2_input` / 1000;
my $voltage_5v = `cat /sys/devices/platform/i2c-0/0-0290/in3_input` / 1000;
$voltage_5v = 1.68 * $voltage_5v;
my $voltage_12v = `cat /sys/devices/platform/i2c-0/0-0290/in4_input` / 1000;
$voltage_12v = 4 * $voltage_12v;
my $voltage_bat = `cat /sys/devices/platform/i2c-0/0-0290/in8_input` / 1000;

# read the cpu0 line once and split it in perl instead of bouncing it through a
# predictable file in /tmp (a cron job running as root should not trust /tmp paths);
# fields: cpu0 user nice system idle iowait irq softirq
my @cpu0 = split ' ', `grep cpu0 /proc/stat`;
my $cpu0_user = $cpu0[1] *1;
my $cpu0_nice = $cpu0[2] *1;
my $cpu0_system = $cpu0[3] *1;
my $cpu0_iowait = $cpu0[5] *1;
my $cpu0_irq = $cpu0[6] *1;
my $cpu0_softirq = $cpu0[7] *1;
my $cpu1_user = "U"; my $cpu1_nice = "U"; my $cpu1_system = "U";
my $cpu1_iowait = "U"; my $cpu1_irq = "U"; my $cpu1_softirq = "U";

my $time_1000 = `gawk '/1000000 /{print \$2}'</sys/devices/system/cpu/cpu0/cpufreq/stats/time_in_state` *1;
my $time_1800 = `gawk '/1800000 /{print \$2}'</sys/devices/system/cpu/cpu0/cpufreq/stats/time_in_state` *1;
my $load = `cut -d" " -f2 /proc/loadavg` *1;
my $uptime = `cut -d" " -f1 /proc/uptime` *1;

my $mem_buffers = `/bin/gawk '{if (\$1=="Buffers:") {print(\$2);exit}}'</proc/meminfo` *1;
my $mem_cache = `/bin/gawk '{if (\$1=="Cached:") {print(\$2); exit;}}'</proc/meminfo` *1;
my $mem_app = `/bin/gawk '{if (\$1=="MemTotal:") t=\$2;if (\$1=="MemFree:") f=\$2;if (\$1=="Buffers:") b=\$2;if (\$1=="Cached:") c=\$2;if(\$1=="SwapCached:") exit;}END{print (t-f-b-c)}'</proc/meminfo` *1;
my $swap_total = `/bin/gawk '{if (\$1=="SwapTotal:") t=\$2;if (\$1=="SwapFree:") f=\$2;if (\$1=="Dirty:") exit;}END{print (t-f)}'</proc/meminfo` *1;
my $swap_cached = `/bin/gawk '/SwapCached: /{print \$2}'</proc/meminfo` *1;
my $swaped_in = `grep pswpin /proc/vmstat|cut -d" " -f2` *1;
my $swaped_out = `grep pswpout /proc/vmstat|cut -d" " -f2` *1;
if ($uptime < 601) {
    $swaped_in = "U"; $swaped_out = "U"; }
my $dirty_pages = `grep nr_dirty /proc/vmstat|cut -d" " -f2` *1;

my $eth0_in = `ifconfig eth0 |grep bytes|cut -d":" -f2|cut -d" " -f1` *1;
my $eth0_out = `ifconfig eth0 |grep bytes|cut -d":" -f3|cut -d" " -f1` *1;
my $eth1_in = `ifconfig eth1 |grep bytes|cut -d":" -f2|cut -d" " -f1` *1;
my $eth1_out = `ifconfig eth1 |grep bytes|cut -d":" -f3|cut -d" " -f1` *1;
my $eth2_in = `ifconfig eth2 |grep bytes|cut -d":" -f2|cut -d" " -f1` *1;
my $eth2_out = `ifconfig eth2 |grep bytes|cut -d":" -f3|cut -d" " -f1` *1;
my $eth3_in = "U"; my $eth3_out = "U";
if ($uptime < 601) {
    $eth0_in = "U"; $eth0_out = "U";
    $eth1_in = "U"; $eth1_out = "U";
    $eth2_in = "U"; $eth2_out = "U";
    $eth3_in = "U"; $eth3_out = "U"; }

my $sda_read = `/bin/gawk '{print \$3}'</sys/block/sda/stat` *1;
my $sda_write = `/bin/gawk '{print \$7}'</sys/block/sda/stat` *1;
my $sdb_read = `/bin/gawk '{print \$3}'</sys/block/sdb/stat` *1;
my $sdb_write = `/bin/gawk '{print \$7}'</sys/block/sdb/stat` *1;
my $sdc_read = `/bin/gawk '{print \$3}'</sys/block/sdc/stat` *1;
my $sdc_write = `/bin/gawk '{print \$7}'</sys/block/sdc/stat` *1;
my $sdd_read = `/bin/gawk '{print \$3}'</sys/block/sdd/stat` *1;
my $sdd_write = `/bin/gawk '{print \$7}'</sys/block/sdd/stat` *1;
if ($uptime < 601) {
    $sda_read = "U"; $sda_write = "U";
    $sdb_read = "U"; $sdb_write = "U";
    $sdc_read = "U"; $sdc_write = "U";
    $sdd_read = "U"; $sdd_write = "U";
}

my $temp_sda = `smartctl -A --device=ata /dev/sda|gawk '/194 /{print(\$10)}'` *1;
my $temp_sdb = `smartctl -A --device=ata /dev/sdb|gawk '/194 /{print(\$10)}'` *1;
my $temp_sdc = `smartctl -A --device=ata /dev/sdc|gawk '/194 /{print(\$10)}'` *1;
my $temp_sdd = `smartctl -A --device=ata /dev/sdd|gawk '/194 /{print(\$10)}'` *1;

# insert values into rrd
RRDs::update "$rrd/system-5min.rrd",
        "-t", "temp_cpu:temp_sys:temp_sda:temp_sdb:temp_sdc:temp_sdd:fan1:fan2:fan3:voltage_cpu:voltage_ram:voltage_33v:voltage_5v:voltage_12v:voltage_bat:cpu0_user:cpu0_nice:cpu0_system:cpu0_iowait:cpu0_irq:cpu0_softirq:cpu1_user:cpu1_nice:cpu1_system:cpu1_iowait:cpu1_irq:cpu1_softirq:time_1000:time_1800:load:uptime:mem_app:mem_buffers:mem_cache:swap_total:swap_cached:swaped_in:swaped_out:dirty_pages:eth0_in:eth0_out:eth1_in:eth1_out:eth2_in:eth2_out:eth3_in:eth3_out:sda_read:sda_write:sdb_read:sdb_write:sdc_read:sdc_write:sdd_read:sdd_write",
        "N:$temp_cpu:$temp_sys:$temp_sda:$temp_sdb:$temp_sdc:$temp_sdd:$fan1:$fan2:$fan3:$voltage_cpu:$voltage_ram:$voltage_33v:$voltage_5v:$voltage_12v:$voltage_bat:$cpu0_user:$cpu0_nice:$cpu0_system:$cpu0_iowait:$cpu0_irq:$cpu0_softirq:$cpu1_user:$cpu1_nice:$cpu1_system:$cpu1_iowait:$cpu1_irq:$cpu1_softirq:$time_1000:$time_1800:$load:$uptime:$mem_app:$mem_buffers:$mem_cache:$swap_total:$swap_cached:$swaped_in:$swaped_out:$dirty_pages:$eth0_in:$eth0_out:$eth1_in:$eth1_out:$eth2_in:$eth2_out:$eth3_in:$eth3_out:$sda_read:$sda_write:$sdb_read:$sdb_write:$sdc_read:$sdc_write:$sdd_read:$sdd_write";

my $ERROR = RRDs::error;
if ($ERROR) { print "unable to update: $ERROR\n"; }


Of course, you can see that I use many different ways to collect the data I'm interested in. Your needs may be different, but I hope you'll get at least some idea of how I do that.

After all that I draw the graphs with a .cgi script in my /var/www/localhost/htdocs/monitor, but you have to enable cgi execution in that dir.
That way graphs are made on demand only, not every 5 minutes, so a lot of CPU power is saved.

Any suggestions/questions are welcome ;)


_________________
gentoo user
ranmakun
Guru


Joined: 06 Nov 2002
Posts: 372
Location: Buenos Aires - Argentina

PostPosted: Tue Jun 14, 2005 1:20 am    Post subject:

tnt wrote:
Well, don't know anything about error you've got, but I'll paste my message to you here for others to see my examples of my scripts


Well, thank you, this certainly gave me some ideas I could use. Although I don't see where you calculate the kb/s used by p2p, maybe I'm missing something.

The iptables problem was solved by downgrading to a previous version, since upgrading to the ~x86 one also had problems: a different one, but still a problem.
tnt
Veteran


Joined: 27 Feb 2004
Posts: 1221

PostPosted: Tue Jun 14, 2005 1:41 am    Post subject:

Well, the situation for p2p is a little bit complicated... I have 3 NICs in the server: LAN, wifi community and internet (eth0, eth1, eth2).
P2P is shaped only for internet, but recorded for wifi too. I don't use IMQ, so I have to limit incoming p2p traffic not at eth2 (the internet iface) but on eth0, the LAN iface. I mark packets coming from the internet (eth2) that are p2p, and when they are queued on eth0 for sending to the client I put them in a slow-dequeuing class (by tc). P2P for wifi is something different: there are some allowed and not allowed ports for DC.

Part of the firewall script I use for marking:
Code:
# 4.3 MANGLE table
#
# Mark scheme used below:
#   0x1xx = packets seen on $WIFI_IFACE, 0x2xx = packets seen on $INET_IFACE
#   0xN0x = marked on ingress (PREROUTING), 0xN1x = marked on egress (POSTROUTING)
#   0x109 / 0x119 = DirectConnect outside the allowed port ranges -> "punish" class
#   0x207 / 0x217 = mail and ftp (and, on egress, http) -> low-priority class
# Packets from the LAN are never marked (first rule of each chain).
# The "-m mark --mark X -j RETURN" right after each MARK stops the later layer7
# rules from re-classifying a packet that already has a mark, so each packet is
# counted by exactly one LAYER7 rule; those rule counters are what p2p.rrd reads.

# FORWARD chain

# PREROUTING chain
$IPTABLES -t mangle -A PREROUTING -i $LAN_IFACE -j RETURN

$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m layer7 --l7proto directconnect -j MARK --set-mark 0x102
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -p TCP --sport ! 5444:5453 --dport ! 5444:5453 \
-m mark --mark 0x102 -j MARK --set-mark 0x109
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -p TCP -m multiport --source-port 411,412,4012 \
-m mark --mark 0x109 -j MARK --set-mark 0x102
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -p TCP -m multiport --destination-port 411,412,4012 \
-m mark --mark 0x109 -j MARK --set-mark 0x102
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m mark --mark 0x109 -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "directconnect (input): "
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m mark --mark 0x102 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m mark --mark 0x109 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m layer7 --l7proto fasttrack -j MARK --set-mark 0x101
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m mark --mark 0x101 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m layer7 --l7proto gnutella -j MARK --set-mark 0x103
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m mark --mark 0x103 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m layer7 --l7proto bittorrent -j MARK --set-mark 0x104
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m mark --mark 0x104 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m layer7 --l7proto openft -j MARK --set-mark 0x105
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m mark --mark 0x105 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -p TCP --sport 4200:4700 -m layer7 --l7proto edonkey -j MARK --set-mark 0x106
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m mark --mark 0x106 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m layer7 --l7proto tesla -j MARK --set-mark 0x100
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m mark --mark 0x100 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m layer7 --l7proto mute -j MARK --set-mark 0x100
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m mark --mark 0x100 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m layer7 --l7proto applejuice -j MARK --set-mark 0x100
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m mark --mark 0x100 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m layer7 --l7proto 100bao -j MARK --set-mark 0x100
$IPTABLES -t mangle -A PREROUTING -i $WIFI_IFACE -m mark --mark 0x100 -j RETURN

$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m layer7 --l7proto fasttrack -j MARK --set-mark 0x201
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x201 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m layer7 --l7proto directconnect -j MARK --set-mark 0x202
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x202 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m layer7 --l7proto gnutella -j MARK --set-mark 0x203
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x203 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m layer7 --l7proto bittorrent -j MARK --set-mark 0x204
#$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x204 -m limit --limit 3/minute --limit-burst 3 -j LOG \
#--log-level DEBUG --log-prefix "bittorrent: "
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x204 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m layer7 --l7proto openft -j MARK --set-mark 0x205
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x205 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -p TCP --sport 4200:4700 -m layer7 --l7proto edonkey -j MARK --set-mark 0x206
#$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x206 -m limit --limit 3/minute --limit-burst 3 -j LOG \
#--log-level DEBUG --log-prefix "edonkey: "
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x206 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m layer7 --l7proto tesla -j MARK --set-mark 0x200
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x200 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m layer7 --l7proto mute -j MARK --set-mark 0x200
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x200 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m layer7 --l7proto applejuice -j MARK --set-mark 0x200
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x200 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m layer7 --l7proto 100bao -j MARK --set-mark 0x200
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x200 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m layer7 --l7proto poco -j MARK --set-mark 0x200
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x200 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m layer7 --l7proto soribada -j MARK --set-mark 0x200
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x200 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m layer7 --l7proto msn-filetransfer -j MARK --set-mark 0x200
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x200 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -p TCP --sport 1080 -j MARK --set-mark 0x200

$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m layer7 --l7proto smtp -j MARK --set-mark 0x207
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x207 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m layer7 --l7proto pop3 -j MARK --set-mark 0x207
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x207 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m layer7 --l7proto imap -j MARK --set-mark 0x207
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x207 -j RETURN
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m layer7 --l7proto ftp -j MARK --set-mark 0x207
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -m mark --mark 0x207 -j RETURN

# POSTROUTING chain
$IPTABLES -t mangle -A POSTROUTING -o $LAN_IFACE -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -d 10.0.0.114 -j MARK --set-mark 0x119
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m mark --mark 0x119 -j RETURN

$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m layer7 --l7proto directconnect -j MARK --set-mark 0x112
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -p TCP --sport ! 5444:5453 --dport ! 5444:5453 \
-m mark --mark 0x112 -j MARK --set-mark 0x119
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -p TCP -m multiport --source-port 411,412,4012 \
-m mark --mark 0x119 -j MARK --set-mark 0x112
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -p TCP -m multiport --destination-port 411,412,4012 \
-m mark --mark 0x119 -j MARK --set-mark 0x112
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m mark --mark 0x119 -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "directconnect (output): "
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m mark --mark 0x112 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m mark --mark 0x119 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m layer7 --l7proto fasttrack -j MARK --set-mark 0x111
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m mark --mark 0x111 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m layer7 --l7proto gnutella -j MARK --set-mark 0x113
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m mark --mark 0x113 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m layer7 --l7proto bittorrent -j MARK --set-mark 0x114
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m mark --mark 0x114 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m layer7 --l7proto openft -j MARK --set-mark 0x115
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m mark --mark 0x115 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -p TCP --dport 4200:4700 -m layer7 --l7proto edonkey -j MARK --set-mark 0x116
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m mark --mark 0x116 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m layer7 --l7proto tesla -j MARK --set-mark 0x110
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m mark --mark 0x110 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m layer7 --l7proto mute -j MARK --set-mark 0x110
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m mark --mark 0x110 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m layer7 --l7proto applejuice -j MARK --set-mark 0x110
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m mark --mark 0x110 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m layer7 --l7proto 100bao -j MARK --set-mark 0x110
$IPTABLES -t mangle -A POSTROUTING -o $WIFI_IFACE -m mark --mark 0x110 -j RETURN

$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -p TCP --sport 80 -j MARK --set-mark 0x217
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x217 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m layer7 --l7proto fasttrack -j MARK --set-mark 0x211
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x211 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m layer7 --l7proto directconnect -j MARK --set-mark 0x212
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x212 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m layer7 --l7proto gnutella -j MARK --set-mark 0x213
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x213 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m layer7 --l7proto bittorrent -j MARK --set-mark 0x214
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x214 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m layer7 --l7proto openft -j MARK --set-mark 0x215
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x215 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -p TCP --dport 4200:4700 -m layer7 --l7proto edonkey -j MARK --set-mark 0x216
#$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x216 -m limit --limit 3/minute --limit-burst 3 -j LOG \
#--log-level DEBUG --log-prefix "edonkey: "
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x216 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m layer7 --l7proto tesla -j MARK --set-mark 0x210
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x210 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m layer7 --l7proto mute -j MARK --set-mark 0x210
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x210 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m layer7 --l7proto applejuice -j MARK --set-mark 0x210
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x210 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m layer7 --l7proto 100bao -j MARK --set-mark 0x210
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x210 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m layer7 --l7proto poco -j MARK --set-mark 0x210
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x210 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m layer7 --l7proto soribada -j MARK --set-mark 0x210
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x210 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m layer7 --l7proto msn-filetransfer -j MARK --set-mark 0x210
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x210 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -p TCP --dport 1080 -j MARK --set-mark 0x210

$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m layer7 --l7proto smtp -j MARK --set-mark 0x217
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x217 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m layer7 --l7proto pop3 -j MARK --set-mark 0x217
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x217 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m layer7 --l7proto imap -j MARK --set-mark 0x217
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x217 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m layer7 --l7proto ftp -j MARK --set-mark 0x217
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -m mark --mark 0x217 -j RETURN


tc scripts used for eth0, eth1 and eth2 are:
Code:
#!/bin/bash

UPLINK=100
P2P=24
PUNISH=80
DEV=eth0

# clear whatever is currently on the device
tc qdisc del dev $DEV root    2> /dev/null > /dev/null
tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null

# create the classes (no ceil given, so ceil = rate: each class is hard-capped at its rate and never borrows from 1:1):
tc qdisc add dev $DEV root handle 1: htb default 10 r2q 63
tc class add dev $DEV parent 1: classid 1:1 htb rate ${UPLINK}mbit
tc class add dev $DEV parent 1:1 classid 1:10 htb rate ${UPLINK}mbit prio 1
tc class add dev $DEV parent 1:1 classid 1:20 htb rate ${P2P}kbit prio 2 quantum 1514
tc class add dev $DEV parent 1:1 classid 1:30 htb rate ${PUNISH}kbit prio 3 quantum 1514
tc qdisc add dev $DEV parent 1:10 handle 100: sfq perturb 11
tc qdisc add dev $DEV parent 1:20 handle 200: sfq perturb 13
tc qdisc add dev $DEV parent 1:30 handle 300: sfq perturb 15

# sort packets into classes by the fw mark set in the mangle table:
tc filter add dev $DEV parent 1:0 protocol ip prio 10 handle 0x201 fw classid 1:20
tc filter add dev $DEV parent 1:0 protocol ip prio 15 handle 0x202 fw classid 1:20
tc filter add dev $DEV parent 1:0 protocol ip prio 20 handle 0x203 fw classid 1:20
tc filter add dev $DEV parent 1:0 protocol ip prio 25 handle 0x204 fw classid 1:20
tc filter add dev $DEV parent 1:0 protocol ip prio 30 handle 0x205 fw classid 1:20
tc filter add dev $DEV parent 1:0 protocol ip prio 35 handle 0x206 fw classid 1:20
tc filter add dev $DEV parent 1:0 protocol ip prio 40 handle 0x200 fw classid 1:20
tc filter add dev $DEV parent 1:0 protocol ip prio 45 handle 0x109 fw classid 1:30


#!/bin/bash

UPLINK=100
P2P=100
PUNISH=80
DEV=eth1

# clear whatever is currently on the device
tc qdisc del dev $DEV root    2> /dev/null > /dev/null
tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null

# create the classes (no ceil given, so ceil = rate: each class is hard-capped at its rate and never borrows from 1:1):
tc qdisc add dev $DEV root handle 1: htb default 10 r2q 63
tc class add dev $DEV parent 1: classid 1:1 htb rate ${UPLINK}mbit
tc class add dev $DEV parent 1:1 classid 1:10 htb rate ${UPLINK}mbit prio 1
tc class add dev $DEV parent 1:1 classid 1:20 htb rate ${P2P}mbit prio 2
tc class add dev $DEV parent 1:1 classid 1:30 htb rate ${PUNISH}kbit prio 3 quantum 1514
tc qdisc add dev $DEV parent 1:10 handle 100: sfq perturb 11
tc qdisc add dev $DEV parent 1:20 handle 200: sfq perturb 13
tc qdisc add dev $DEV parent 1:30 handle 300: sfq perturb 15

# sort packets into classes by the fw mark set in the mangle table:
tc filter add dev $DEV parent 1:0 protocol ip prio 10 handle 0x111 fw classid 1:20
tc filter add dev $DEV parent 1:0 protocol ip prio 15 handle 0x112 fw classid 1:20
tc filter add dev $DEV parent 1:0 protocol ip prio 20 handle 0x113 fw classid 1:20
tc filter add dev $DEV parent 1:0 protocol ip prio 25 handle 0x114 fw classid 1:20
tc filter add dev $DEV parent 1:0 protocol ip prio 30 handle 0x115 fw classid 1:20
tc filter add dev $DEV parent 1:0 protocol ip prio 35 handle 0x116 fw classid 1:20
tc filter add dev $DEV parent 1:0 protocol ip prio 40 handle 0x110 fw classid 1:20
tc filter add dev $DEV parent 1:0 protocol ip prio 45 handle 0x119 fw classid 1:30


#!/bin/bash

UPLINK=100
LOW_PRIO=48
P2P=16
DEV=eth2

# clear whatever is currently on the device
tc qdisc del dev $DEV root    2> /dev/null > /dev/null
tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null

# create the classes (no ceil given, so ceil = rate: each class is hard-capped at its rate and never borrows from its parent):
tc qdisc add dev $DEV root handle 1: htb default 10 r2q 63
tc class add dev $DEV parent 1: classid 1:1 htb rate ${UPLINK}mbit
tc class add dev $DEV parent 1:1 classid 1:10 htb rate ${UPLINK}mbit prio 1
tc class add dev $DEV parent 1:1 classid 1:20 htb rate ${LOW_PRIO}kbit prio 2 quantum 1514
tc class add dev $DEV parent 1:20 classid 1:100 htb rate ${LOW_PRIO}kbit prio 2 quantum 1514
tc class add dev $DEV parent 1:20 classid 1:200 htb rate ${P2P}kbit prio 3 quantum 1514

tc qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 11
tc qdisc add dev $DEV parent 1:100 handle 100: sfq perturb 15
tc qdisc add dev $DEV parent 1:200 handle 200: sfq perturb 13

# sort packets into classes by the fw mark set in the mangle table:
tc filter add dev $DEV parent 1:0 protocol ip prio 5 handle 0x217 fw classid 1:100
tc filter add dev $DEV parent 1:0 protocol ip prio 10 handle 0x211 fw classid 1:200
tc filter add dev $DEV parent 1:0 protocol ip prio 15 handle 0x212 fw classid 1:200
tc filter add dev $DEV parent 1:0 protocol ip prio 20 handle 0x213 fw classid 1:200
tc filter add dev $DEV parent 1:0 protocol ip prio 25 handle 0x214 fw classid 1:200
tc filter add dev $DEV parent 1:0 protocol ip prio 30 handle 0x215 fw classid 1:200
tc filter add dev $DEV parent 1:0 protocol ip prio 35 handle 0x216 fw classid 1:200
tc filter add dev $DEV parent 1:0 protocol ip prio 40 handle 0x210 fw classid 1:200


and the p2p.rrd update script looks like this:
Code:
#!/usr/bin/perl -w
#
use strict;
use RRDs;

sleep 2;

# define location of rrdtool databases
my $rrd = '/var/lib/rrd';

# Read the mangle table once (the original forked iptables 28 times, once per
# counter).  -n: no DNS lookups; -v -x: exact byte counters in column 2.
my @mangle = `iptables -t mangle -L -n -v -x`;

# Sum the byte counters of all layer7 rules that set the given mark.  The word
# boundary stops 0x10 from also matching 0x100, 0x101, ...; summing gives one
# total for marks that several rules set (0x100, 0x110, 0x200, 0x210).
sub l7_bytes {
    my ($mark) = @_;
    my $sum = 0;
    for my $line (@mangle) {
        next unless $line =~ /LAYER7/ && $line =~ /\b\Q$mark\E\b/;
        my @f = split ' ', $line;
        $sum += $f[1];
    }
    return $sum;
}

# wifi (eth1): 0x10x marked on ingress, 0x11x on egress
my $eth1_in_ft      = l7_bytes('0x101');
my $eth1_out_ft     = l7_bytes('0x111');
my $eth1_in_dc      = l7_bytes('0x102');
my $eth1_out_dc     = l7_bytes('0x112');
my $eth1_in_gnu     = l7_bytes('0x103');
my $eth1_out_gnu    = l7_bytes('0x113');
my $eth1_in_bittor  = l7_bytes('0x104');
my $eth1_out_bittor = l7_bytes('0x114');
my $eth1_in_oft     = l7_bytes('0x105');
my $eth1_out_oft    = l7_bytes('0x115');
my $eth1_in_edonk   = l7_bytes('0x106');
my $eth1_out_edonk  = l7_bytes('0x116');
my $eth1_in_rest    = l7_bytes('0x100');
my $eth1_out_rest   = l7_bytes('0x110');

# internet (eth2): 0x20x marked on ingress, 0x21x on egress
my $eth2_in_ft      = l7_bytes('0x201');
my $eth2_out_ft     = l7_bytes('0x211');
my $eth2_in_dc      = l7_bytes('0x202');
my $eth2_out_dc     = l7_bytes('0x212');
my $eth2_in_gnu     = l7_bytes('0x203');
my $eth2_out_gnu    = l7_bytes('0x213');
my $eth2_in_bittor  = l7_bytes('0x204');
my $eth2_out_bittor = l7_bytes('0x214');
my $eth2_in_oft     = l7_bytes('0x205');
my $eth2_out_oft    = l7_bytes('0x215');
my $eth2_in_edonk   = l7_bytes('0x206');
my $eth2_out_edonk  = l7_bytes('0x216');
my $eth2_in_rest    = l7_bytes('0x200');
my $eth2_out_rest   = l7_bytes('0x210');

# Counters start from zero at boot, so skip the first 10 minutes of uptime.
# (Re-running the firewall script also zeroes them; this check does not see that.)
my $uptime = `cut -d" " -f1 /proc/uptime` *1;
if ($uptime > 600) {
    # insert values into rrd
    RRDs::update "$rrd/p2p.rrd",
        "-t", "eth1_in_ft:eth1_out_ft:eth1_in_dc:eth1_out_dc:eth1_in_gnu:eth1_out_gnu:eth1_in_bittor:eth1_out_bittor:eth1_in_oft:eth1_out_oft:eth1_in_edonk:eth1_out_edonk:eth1_in_rest:eth1_out_rest:eth2_in_ft:eth2_out_ft:eth2_in_dc:eth2_out_dc:eth2_in_gnu:eth2_out_gnu:eth2_in_bittor:eth2_out_bittor:eth2_in_oft:eth2_out_oft:eth2_in_edonk:eth2_out_edonk:eth2_in_rest:eth2_out_rest",
        "N:$eth1_in_ft:$eth1_out_ft:$eth1_in_dc:$eth1_out_dc:$eth1_in_gnu:$eth1_out_gnu:$eth1_in_bittor:$eth1_out_bittor:$eth1_in_oft:$eth1_out_oft:$eth1_in_edonk:$eth1_out_edonk:$eth1_in_rest:$eth1_out_rest:$eth2_in_ft:$eth2_out_ft:$eth2_in_dc:$eth2_out_dc:$eth2_in_gnu:$eth2_out_gnu:$eth2_in_bittor:$eth2_out_bittor:$eth2_in_oft:$eth2_out_oft:$eth2_in_edonk:$eth2_out_edonk:$eth2_in_rest:$eth2_out_rest";

    my $ERROR = RRDs::error;
    if ($ERROR) { print "unable to update: $ERROR\n"; }
}


I hope you'll find your way through all this mess. :D
If you get stuck, do not hesitate to ask!
_________________
gentoo user
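The p2p.rrd script above reads each counter with a `grep mark | grep LAYER7 | gawk` pipeline, one iptables fork per value, and relies on `uptime > 600` to keep freshly zeroed counters out of the RRD. The following is an added example, not part of tnt's scripts, that does the same reading in one pass: it parses an `iptables -t mangle -L -n -v -x` listing, sums bytes per mark, and turns two samples into bytes per second, reporting a rate as unknown ("U" in RRD terms) whenever a counter went backwards. That also catches the case the uptime guard misses: re-running the firewall script zeroes the counters without a reboot. The sample listing is constructed to look like iptables 1.3 output and mirrors a few of the rules above with made-up counters; the column layout and the "MARK set 0x..." / "MARK xset 0x.../0x..." spellings are assumptions about the iptables version in use. As with the original, only traffic l7-filter recognised is counted; obfuscated or encrypted P2P streams never hit these rules.

```python
import re

# Constructed sample of `iptables -t mangle -L -n -v -x` output (not captured
# from the poster's router): a few of the PREROUTING/POSTROUTING rules from
# the firewall script above, with made-up packet and byte counters.
SAMPLE_LISTING = """\
Chain PREROUTING (policy ACCEPT 123456 packets, 98765432 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   90000   80000000 RETURN     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    1200     960000 MARK       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto directconnect MARK set 0x102
     300     200000 MARK       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp spts:!5444:5453 dpts:!5444:5453 MARK match 0x102 MARK set 0x109
    1200     960000 RETURN     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           MARK match 0x102
    5000    4000000 MARK       all  --  eth2   *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto bittorrent MARK set 0x204
     700     500000 MARK       all  --  eth2   *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto tesla MARK set 0x200
     400     300000 MARK       all  --  eth2   *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto mute MARK set 0x200

Chain POSTROUTING (policy ACCEPT 123456 packets, 98765432 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    2000    1500000 MARK       all  --  *      eth2    0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto bittorrent MARK set 0x214
"""

# One layer7 MARK rule: the two counters, the l7proto name and the mark it sets.
# Old iptables prints "MARK set 0x102", newer ones "MARK xset 0x102/0xffffffff";
# both spellings are accepted (assumption about the installed version).
_L7_RULE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+MARK\s.*?"
    r"LAYER7 l7proto (?P<proto>\S+).*?MARK x?set (?P<mark>0x[0-9a-fA-F]+)"
)


def l7_bytes_by_mark(listing):
    """Sum the byte counter of every layer7 MARK rule, keyed by the mark it sets.

    Matching the whole mark token (instead of `grep 0x10`) means 0x10 never
    picks up 0x100..0x109, and summing gives one total for marks several rules
    set (0x200 = tesla, mute, applejuice, ...), as the update script intends.
    Rules that only re-mark ("MARK match 0x102 MARK set 0x109") carry no
    LAYER7 match and are left out, exactly like the original grep chain.
    """
    totals = {}
    for line in listing.splitlines():
        m = _L7_RULE.match(line)
        if m:
            mark = m.group("mark").lower()
            totals[mark] = totals.get(mark, 0) + int(m.group("bytes"))
    return totals


def rates(prev, cur, interval_s):
    """Bytes/second per mark between two samples taken interval_s apart.

    Returns None (RRD's "U") where no rate can be trusted: the mark was not in
    the previous sample, or the counter went backwards.  A counter goes
    backwards when the box rebooted *or* the firewall script was re-run
    (iptables -F zeroes the counters); an uptime check only covers the
    first case.
    """
    out = {}
    for mark, now in cur.items():
        before = prev.get(mark)
        if before is None or now < before:
            out[mark] = None
        else:
            out[mark] = (now - before) / interval_s
    return out


if __name__ == "__main__":
    t0 = l7_bytes_by_mark(SAMPLE_LISTING)
    # Constructed second sample 300 s later; 0x200 was reset in between.
    t1 = {"0x102": 960000 + 300000, "0x204": 4000000 + 1200000,
          "0x200": 100, "0x214": 1500000 + 150000}
    for mark, r in sorted(rates(t0, t1, 300).items()):
        print(mark, "U" if r is None else "%.1f B/s" % r)
```

Run as-is it prints the rates for the constructed second sample. To use it on the router, replace SAMPLE_LISTING with the output of `subprocess.run(["iptables", "-t", "mangle", "-L", "-n", "-v", "-x"], capture_output=True, text=True).stdout` and feed the totals from l7_bytes_by_mark to rrdtool; with COUNTER or DERIVE data sources rrdtool computes the delta itself, so rates() is only needed if the data sources are GAUGE.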
kaksi
Tux's lil' helper


Joined: 21 May 2004
Posts: 125

PostPosted: Tue Jun 14, 2005 8:01 am    Post subject:

tnt: Please post the script that creates the rrd database.