From: diab <lartc@diab.org>
To: lartc@vger.kernel.org
Subject: Re[2]: [LARTC] Re: Bandwidth Metering
Date: Wed, 29 Sep 2004 23:29:45 +0000
Message-ID: <1126594523.20040930012945@diab.org>

Hi Patrick,

Iptables is capable of matching/marking packets based on the uid or
guid of the owner of the process that generates traffic.
It's also possible to run apache as a different user for every virtual
host (apache suexec wrapper needed), so owner matching would also
work there.

For example you could match/mark outgoing packets created by a particular
user (uid diab here) using

    iptables -A OUTPUT -t mangle -j MARK -m owner --uid-owner diab \
        --set-mark 9999

The problem is that it only works in the OUTPUT chain for outgoing
packets.
Here is a patch that makes it possible for the INPUT chain:
http://netfilter.org/patch-o-matic/pom-extra.html#pom-extra-owner-socketlookup

Anyways here is what I would try (200kbit limit on outgoing traffic
marked with 9999)

    tc qdisc add dev eth0 root handle 100: htb
    tc class add dev eth0 parent 100: classid 100:9999 htb rate \
        200kbit prio 0
    tc filter add dev eth0 protocol ip parent 100: prio 0 handle 9999 \
        fw flowid 100:9999

Anyways I've tried it with scp and it copied files at around 25k/sec, which is
exactly 200kbit :)

hth,
-
diab

blinken@gmail.com wrote:
PC> Sure - what I want to do is set up a colocated webhost/shell server,
PC> and sell people accounts. However, I only have 2000mb upstream/2000mb
PC> downstream free bandwidth, after which I start getting charged extra.
PC> Therefore, I want to give *each user* a bandwidth quota, which if they
PC> go over they can choose to either pay extra or have their account
PC> disabled. Normal webhosts would do this in Apache (I would imagine),
PC> with mod_quota or similar.
PC> However, as I'm offering shell accounts as well, an Apache-only quota
PC> system doesn't do what I want. I'm looking to find a way to meter the
PC> outgoing and incoming bandwidth used by any program, on any socket,
PC> and link that back to a particular user so I can make sure they don't
PC> go over their limit. So mapping to a user account is essential. The
PC> accounts are actual users. If you could give me an example of how you
PC> would implement it in perl, it would be brilliant.
PC> Thanks,
PC> Patrick
PC> On Wed, 29 Sep 2004 19:09:58 +0200, Daniel Frederiksen
PC> <cyberdoc@cyberdoc.dk> wrote:
>> Hey Patrick
>>
>> I seem to have forgotten the point that you want to relate the bandwidth
>> usages to a user. In the perl script you posted a link for, the author
>> uses lsof. This solution is ok, if the connection is still in the list,
>> however if you accumulate in a log from netfilter, the probability of
>> the connection still being active is reduced and not reliable. Is there
>> a specific reason why you want to map the user accounts, and are these
>> accounts system or actual users? If they are just system accounts
>> running daemons, there is no point in mapping them.
>>
>> If you still need the mapping, I will help you with the perl script, if
>> not we can use some of the previously suggested ideas.
>>
>> Perhaps a more detailed description of the usage/problem would help
>> a lot.
>>
>> Daniel Frederiksen, Cyberdoc.dk
>>
>>
>>
>> On Wed, 2004-09-29 at 13:14, Patrick Coleman wrote:
>> > I ran across one called culprit
>> > (http://freshmeat.net/projects/culprit.pl/), which does kinda what I
>> > want. However, by the looks of things it doesn't look like it's going to
>> > be easy to maintain a database of user bandwidth usage using it. I
>> > might see what I can do about modifying it, but I'm shocking at perl :)
>> >
>> > Netfilter sounds like a much saner idea - how would you grab the user
>> > a packet belongs to when you parse the logfiles?
>> > Thanks,
>> > Patrick
>>
>> _______________________________________________
>> LARTC mailing list / LARTC@mailman.ds9a.nl
>> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>>
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
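
Added example, not part of diab's message or of the thread: the owner match shown above can also meter per-user outgoing bytes for a quota, by reading the rule counters instead of shaping. The listing text, the UIDs 1001 and 1002, the function names and the quota value are constructed for illustration.

```shell
#!/bin/sh
# Per-UID outgoing byte accounting from owner-match rule counters.
# Live use (as root): one counting rule per account, no target needed:
#   iptables -t mangle -A OUTPUT -m owner --uid-owner 1001
#   iptables -t mangle -L OUTPUT -v -x -n | owner_usage | over_quota 2097152000
# SAMPLE_LISTING is constructed, not captured from a real host.

SAMPLE_LISTING='Chain OUTPUT (policy ACCEPT 5120 packets, 734003200 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   81920 2147483648            all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1001
    2048   52428800            all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1002
    2048   52428800 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1002 MARK set 0x270f
      10       1200 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22'

# owner_usage: read "iptables -L -v -x -n" output on stdin and print
# "uid bytes" for each UID that has an owner-match rule.
# Only the first rule per UID is used: a packet that traverses both a
# counting rule and a MARK rule would otherwise be counted twice.
# The target column may be empty, so the UID is located by its tokens
# rather than by a fixed field number; bytes is always field 2.
owner_usage() {
    awk '
        {
            for (i = 1; i <= NF - 3; i++)
                if ($i == "owner" && $(i+1) == "UID" && $(i+2) == "match") {
                    uid = $(i+3)
                    if (!(uid in seen)) {
                        seen[uid] = 1
                        print uid, $2
                    }
                    break
                }
        }
    '
}

# over_quota QUOTA_BYTES: read "uid bytes" lines on stdin and print the
# UIDs whose counter exceeds the quota (an assumed per-user limit).
over_quota() {
    awk -v q="$1" '($2 + 0) > (q + 0) { print $1 }'
}
```

The counters reset when the rules are flushed or the host reboots, so totals have to be saved elsewhere between readings. As the message notes, the owner match only sees the OUTPUT chain, so this meters outgoing traffic only.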