From: Luciano Coelho <luciano.coelho@nokia.com>
To: ext Patrick McHardy <kaber@trash.net>
Cc: "netfilter-devel@vger.kernel.org" <netfilter-devel@vger.kernel.org>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Samuel Ortiz <sameo@linux.intel.com>,
Changli Gao <xiaosuo@gmail.com>
Subject: Re: [RFC] setting up throughput threshold indications to userspace
Date: Fri, 16 Jul 2010 16:10:29 +0300
Message-ID: <1279285829.1603.77.camel@powerslave>
In-Reply-To: <4C40583F.40200@trash.net>
On Fri, 2010-07-16 at 15:01 +0200, ext Patrick McHardy wrote:
> On 16.07.2010 10:20, Luciano Coelho wrote:
> > I'm thinking about having this kind of ruleset:
> >
> > -A INPUT -j throughput
> > -A above -m connmark --mark 0x1 -j RETURN
> > -A above -m rateest --rateest throughput --rateest-bps1 0bit --rateest-bps2 1000bit --rateest-gt -j LOG --log-prefix "ABOVE"
> > -A above -m rateest --rateest throughput --rateest-bps1 0bit --rateest-bps2 1000bit --rateest-gt -j CONNMARK --set-xmark 0x1/0xffffffff
> > -A below -m connmark --mark 0x2 -j RETURN
> > -A below -m rateest --rateest throughput --rateest-bps1 0bit --rateest-bps2 1000bit --rateest-lt -j LOG --log-prefix "BELOW"
> > -A below -m rateest --rateest throughput --rateest-bps1 0bit --rateest-bps2 1000bit --rateest-lt -j CONNMARK --set-xmark 0x2/0xffffffff
> > -A throughput -j RATEEST --rateest-name throughput --rateest-interval 250.0ms --rateest-ewmalog 500.0ms
> > -A throughput -j above
> > -A throughput -j below
> >
> > I'm using a normal LOG just for simplicity reasons; in real life I'd use
> > NFLOG instead.
> >
> > The idea here is that all packets would be collected by RATEEST for rate
> > estimation and then I'd check whether the throughput is above the
> > threshold. If it is, I mark it as such and print the log. Same thing
> > for below the threshold. The RETURN rules are there to prevent more LOG
> > messages from being printed (what I need is to know only when the
> > throughput "crosses" the threshold).
> >
> > Do you think this works?
>
> Looks reasonable, but you could probably simplify it a bit by adding
> RETURN rules to the above/below chains when the threshold is below/
> above the specified value. That way you only need a single rateest
> match.
Right, that would certainly make it simpler.
> > There is one problem with this solution, which is that it works on a
> > per-connection basis (due to CONNMARK). This is not exactly what I
> > want. I need to have this on a per-ruleset basis. For that, I need to
> > have a MARK (variable?) which can be set independently of connections or
> > packets. This is similar to the proposed condition match, but what is
> > missing there is a way to set the condition with iptables itself,
> > without requiring the userspace to change the procfs file. This could
> > probably be achieved with a "CONDITION" target or something similar.
> > Any ideas?
>
> Sounds useful.
Okay, this was the kind of confirmation I wanted before jumping into the
implementation. ;) I'll implement this target soon.
Thanks for your comments!
--
Cheers,
Luca.
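To make the per-connection problem raised in the quoted message concrete, here is an added Python model; it is not code from this thread or from netfilter. It feeds constructed sample traffic through a simplified EWMA stand-in for RATEEST and replays the quoted ruleset's RETURN/LOG/mark logic twice: once with CONNMARK-style per-connection state and once with a single per-ruleset flag, as the proposed CONDITION target would keep. The estimator arithmetic, the packet data and all names are assumptions made for illustration.

```python
from collections import namedtuple
# Constructed sample traffic (not from the thread): two connections A and B,
# a quiet start, a burst around t=0.5..0.9s, then silence until t=3.0s.
Packet = namedtuple("Packet", "t conn nbytes")
SAMPLE = [Packet(0.0, "A", 10), Packet(0.1, "B", 10),
          Packet(0.5, "A", 1000), Packet(0.6, "B", 1000),
          Packet(0.8, "A", 1000), Packet(0.9, "B", 1000),
          Packet(3.0, "A", 10), Packet(3.1, "B", 10)]
THRESHOLD_BPS = 1000  # --rateest-bps2 1000bit in the quoted ruleset


class RateEstimator:
    """Simplified EWMA model of RATEEST (--rateest-interval 250ms,
    --rateest-ewmalog 500ms): each interval's bit rate is folded into the
    average with weight interval/ewmalog.  Assumed for illustration only;
    it is not the kernel's gen_estimator arithmetic."""

    def __init__(self, interval=0.250, ewmalog=0.500):
        self.interval, self.alpha = interval, interval / ewmalog
        self.bps, self.win_start, self.win_bytes = 0.0, 0.0, 0

    def observe(self, pkt):
        # Close every interval that ended before this packet, then count it.
        while pkt.t >= self.win_start + self.interval:
            rate = self.win_bytes * 8 / self.interval
            self.bps += self.alpha * (rate - self.bps)
            self.win_bytes, self.win_start = 0, self.win_start + self.interval
        self.win_bytes += pkt.nbytes
        return self.bps


def crossing_events(packets, per_connection):
    """Return the (time, conn, "ABOVE"/"BELOW") LOG lines the ruleset emits.
    per_connection=True keeps state per connection like CONNMARK; False keeps
    one per-ruleset flag, as the proposed CONDITION target would."""
    est, conn_mark, condition, events = RateEstimator(), {}, None, []
    for pkt in packets:
        bps = est.observe(pkt)
        if bps == THRESHOLD_BPS:  # matches neither --rateest-gt nor -lt
            continue
        state = "ABOVE" if bps > THRESHOLD_BPS else "BELOW"
        prev = conn_mark.get(pkt.conn) if per_connection else condition
        if prev == state:  # the leading RETURN rule: already marked
            continue
        events.append((pkt.t, pkt.conn, state))
        if per_connection:
            conn_mark[pkt.conn] = state
        else:
            condition = state
    return events
```

With per-connection state each connection logs its own ABOVE and BELOW transition, so one threshold crossing produces as many log lines as there are active connections; with the per-ruleset flag each crossing is logged exactly once.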