* [LARTC] limit number of connections per ip
From: Jan Tomak @ 2006-02-02 20:58 UTC (permalink / raw)
To: lartc
Hello!
I've read a lot of mail archives, but can't find a solution for my problem.
I have a router with about 700 users. I'm using HTB with SFQ leaf qdiscs for every user (client IP). So, each IP can have its own rate limit.
This scheme has been working fine for a long time. But how can I limit the number of connections (sessions) from one host? I see from ip_conntrack that some of the users have more than 1000 active connections (mostly P2P UDP).
As I know, there is a connlimit patch for iptables, but it is capable of limiting only TCP sessions. And there is the ESFQ qdisc, allowing bandwidth to be divided more fairly, but inside one class.
In my case every user has its own class and I'm not able to control how many connections they make simultaneously by implementing ESFQ! Also I don't understand how to deal with it from the iptables side - connlimit will not help with UDP.
What can be done in my case?
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
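The "more than 1000 active connections, mostly P2P UDP" observation above comes from reading ip_conntrack by hand. The script below is an added example, not something posted in the thread: it does that count per client IP and splits it by protocol, so a per-user limit can be chosen from measured numbers. It assumes clients sit in 10.0.0.0/8 (the prefix is a parameter), accepts both the 2.6-era /proc/net/ip_conntrack text format and the later /proc/net/nf_conntrack layout with its leading address-family columns, and the table it parses is a constructed sample, not data from the poster's router.

```shell
#!/bin/sh
# Added example (not from the thread): count conntrack entries per client IP,
# split by protocol. Assumptions: clients live under USER_NET_PREFIX, and the
# table is in /proc/net/ip_conntrack or /proc/net/nf_conntrack text format.

USER_NET_PREFIX="${USER_NET_PREFIX:-10.}"

# Constructed sample table. The 203.0.113.50 -> 10.0.0.7 line is an inbound
# flow opened by an outside host; the last line is in nf_conntrack layout.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=203.0.113.10 sport=51234 dport=80 src=203.0.113.10 dst=10.0.0.5 sport=80 dport=51234 [ASSURED] use=1
udp      17 29 src=10.0.0.5 dst=198.51.100.7 sport=6881 dport=6881 src=198.51.100.7 dst=10.0.0.5 sport=6881 dport=6881 use=1
udp      17 170 src=10.0.0.5 dst=198.51.100.8 sport=6881 dport=40001 src=198.51.100.8 dst=10.0.0.5 sport=40001 dport=6881 [ASSURED] use=1
udp      17 12 src=10.0.0.5 dst=198.51.100.9 sport=6881 dport=40002 src=198.51.100.9 dst=10.0.0.5 sport=40002 dport=6881 use=1
tcp      6 117 TIME_WAIT src=10.0.0.7 dst=203.0.113.11 sport=40000 dport=443 src=203.0.113.11 dst=10.0.0.7 sport=443 dport=40000 [ASSURED] use=1
udp      17 30 src=203.0.113.50 dst=10.0.0.7 sport=53 dport=1025 src=10.0.0.7 dst=203.0.113.50 sport=1025 dport=53 use=1
icmp     1 29 src=10.0.0.7 dst=203.0.113.12 type=8 code=0 id=1 src=203.0.113.12 dst=10.0.0.7 type=0 code=0 id=1 use=1
ipv4     2 udp      17 25 src=10.0.0.5 dst=198.51.100.10 sport=6881 dport=40003 src=198.51.100.10 dst=10.0.0.5 sport=40003 dport=6881 use=1'

# conntrack_summary THRESHOLD < table
# Prints "ip tcp udp other total" for each client whose total exceeds
# THRESHOLD, busiest client first.
conntrack_summary() {
    threshold="$1"
    awk -v prefix="$USER_NET_PREFIX" -v thr="$threshold" '
    {
        # nf_conntrack lines start with "ipv4 2"/"ipv6 10"; the protocol
        # name is then the third field instead of the first.
        proto = ($1 == "ipv4" || $1 == "ipv6") ? $3 : $1
        src = ""
        # The first src= on a line is the original direction, i.e. the
        # host that opened the flow. The reply tuple is deliberately ignored.
        for (i = 2; i <= NF; i++) {
            if (substr($i, 1, 4) == "src=") { src = substr($i, 5); break }
        }
        if (index(src, prefix) != 1) next   # not one of our clients
        total[src]++
        if (proto == "tcp") tcp[src]++
        else if (proto == "udp") udp[src]++
        else other[src]++
    }
    END {
        for (ip in total)
            if (total[ip] > thr)
                printf "%s %d %d %d %d\n", ip, tcp[ip]+0, udp[ip]+0, other[ip]+0, total[ip]
    }' | sort -k5,5nr
}

# Stand-alone run: every client in the sample with more than one entry.
printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_summary 1
```

On the router itself, `conntrack_summary 1000 < /proc/net/ip_conntrack` lists the users the first message is talking about. Only the original-direction src= is charged, so a flow an outside host opened towards a client (the DNS reply line in the sample) is not counted against that client, and counting the reply tuple as well would double every flow.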
* Re: [LARTC] limit number of connections per ip
From: Rasmus Melgaard @ 2006-02-02 21:17 UTC (permalink / raw)
To: lartc
Well, only TCP has connections; UDP has none, it is only a stream of packets.
So for each user (IP) you could make a class for TCP and one for UDP.

        IP
       /  \
    TCP    UDP

The TCP class you already know how to limit; the UDP class I would limit with
pfifo with a suitable packet limit setting (in practice this would lead to the
same effect as the TCP conn. limiting). Although not a hard limit.
Extra:
I would make a separate high prio class for ICMP to communicate errors and
connection failures back and forth.
NB! P2P normally uses TCP (I know that BitTorrent does).
BR
Rasmus Melgaard
* Re: [LARTC] limit number of connections per ip
From: Nataniel Klug @ 2006-02-03 9:54 UTC (permalink / raw)
To: lartc
So Rasmus,
If I put a limit on TCP connections, will it be reflected in UDP connections
from the same source IP?
How can I put a limit on TCP connections?
Regards,
Nataniel Klug
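Rasmus's per-user TCP/UDP/ICMP split and Nataniel's question about limiting TCP connections can be written up as one script. This is an added example and not the original poster's configuration: each client gets an HTB class with three leaves (ICMP at the highest priority behind a tiny pfifo, TCP under SFQ, UDP under a short pfifo whose depth is the soft limit), u32 filters steer each protocol to its leaf, and the iptables connlimit match supplies the hard cap on concurrent TCP connections per source address. Assumptions not in the thread: shaping is done on the LAN-facing interface, so the client address is the IP destination; client n (n >= 1) owns minor class ids 4n..4n+3; rates are given in kbit; the interface name, rates, queue depth and connection cap are placeholders. With DRY_RUN=1 (the default) the script prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not the poster's setup): per-client HTB class with separate
# ICMP/TCP/UDP leaves plus a connlimit hard cap on TCP. Assumptions: $DEV is
# the LAN-facing interface (client IP = destination), client n uses minor ids
# 4n..4n+3, rates are in kbit. DRY_RUN=1 prints the commands instead of
# executing them; set DRY_RUN=0 and run as root to apply.

DEV="${DEV:-eth1}"
DRY_RUN="${DRY_RUN:-1}"
UDP_PFIFO_LIMIT=50      # packets queued per client for UDP (the soft limit)
TCP_CONN_LIMIT=100      # concurrent TCP connections per client (the hard limit)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# minor_id N OFFSET -> hex minor class id for client N, leaf OFFSET (0..3).
# 700 clients * 4 = 2800 ids, well inside the 16-bit minor space.
minor_id() {
    printf '%x' $(( $1 * 4 + $2 ))
}

# root_tree TOTAL_KBIT: HTB root, one aggregate class (1:1) the clients hang
# from, and a small default class (1:2) for anything no filter matches.
root_tree() {
    run tc qdisc add dev "$DEV" root handle 1: htb default 2
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate "${1}kbit"
    run tc class add dev "$DEV" parent 1:1 classid 1:2 htb rate 64kbit ceil "${1}kbit"
}

# client_tree N IP RATE_KBIT: the per-client class, its three leaves, and the
# filters that send each protocol to its leaf.
client_tree() {
    n="$1"; ip="$2"; rate="$3"
    u=$(minor_id "$n" 0); t=$(minor_id "$n" 1); d=$(minor_id "$n" 2); i=$(minor_id "$n" 3)
    # Guaranteed shares add up to the client rate; every leaf may borrow up to it.
    tcp_rate=$(( rate * 6 / 10 )); udp_rate=$(( rate * 3 / 10 )); icmp_rate=$(( rate / 10 ))

    run tc class add dev "$DEV" parent 1:1 classid "1:$u" htb rate "${rate}kbit" ceil "${rate}kbit"
    # ICMP at prio 0 so errors and path probes get through when the client is saturated.
    run tc class add dev "$DEV" parent "1:$u" classid "1:$i" htb rate "${icmp_rate}kbit" ceil "${rate}kbit" prio 0
    run tc class add dev "$DEV" parent "1:$u" classid "1:$t" htb rate "${tcp_rate}kbit" ceil "${rate}kbit" prio 1
    run tc class add dev "$DEV" parent "1:$u" classid "1:$d" htb rate "${udp_rate}kbit" ceil "${rate}kbit" prio 2

    run tc qdisc add dev "$DEV" parent "1:$i" handle "$i:" pfifo limit 10
    run tc qdisc add dev "$DEV" parent "1:$t" handle "$t:" sfq perturb 10
    # Short pfifo for UDP: beyond this many queued packets the excess is dropped.
    run tc qdisc add dev "$DEV" parent "1:$d" handle "$d:" pfifo limit "$UDP_PFIFO_LIMIT"

    # "IP protocol number, leaf minor id" pairs: ICMP=1, TCP=6, UDP=17.
    for proto_leaf in "1 $i" "6 $t" "17 $d"; do
        set -- $proto_leaf
        run tc filter add dev "$DEV" parent 1: protocol ip prio 1 u32 \
            match ip dst "$ip/32" match ip protocol "$1" 0xff flowid "1:$2"
    done
}

# tcp_hard_limit CLIENT_NET: reject new TCP connections from any single source
# address in CLIENT_NET once it already holds TCP_CONN_LIMIT conntrack entries.
# --connlimit-mask 32 groups the count per source address, so one rule covers
# every client.
tcp_hard_limit() {
    run iptables -A FORWARD -s "$1" -p tcp --syn -m connlimit \
        --connlimit-above "$TCP_CONN_LIMIT" --connlimit-mask 32 \
        -j REJECT --reject-with tcp-reset
}

# Stand-alone run: a 100 Mbit root, two clients, and the TCP cap for the subnet.
root_tree 100000
client_tree 1 10.0.0.5 512
client_tree 2 10.0.0.7 1024
tcp_hard_limit 10.0.0.0/8
```

The pfifo depth bounds queued UDP packets, not UDP flows, so a client can still hold a large number of idle UDP conntrack entries; that is exactly the gap the first message describes, and the connlimit rule only closes it for TCP. Because the connlimit count is keyed on the source address by the mask, the rule is added once for the whole client network rather than once per client. With 700 clients the three u32 filters per client form a long linear list; that is a lookup-cost concern rather than a correctness one, and u32 hash tables are the usual fix.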