* [LARTC] control p2p upload bandwidth rate
From: ro0ot @ 2005-12-22 17:55 UTC
  To: lartc

Hi all,

I am running Slackware 10.1 with kernel 2.6.14.3, which includes iptables 1.3.4 
with layer7.

My network diagram is below:
INTERNET --- LINUX_ROUTER_FW --- PCs

Below is my simple iptables script:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t mangle -A POSTROUTING -m layer7 --l7proto applejuice -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -m layer7 --l7proto ares -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -m layer7 --l7proto bittorrent -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -m layer7 --l7proto directconnect -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -m layer7 --l7proto edonkey -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -m layer7 --l7proto fasttrack -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -m layer7 --l7proto gnucleuslan -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -m layer7 --l7proto gnutella -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -m layer7 --l7proto napster -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -m layer7 --l7proto openft -j MARK --set-mark 1

Below is my simple tc script:

tc qdisc del dev eth1 root
tc qdisc add dev eth1 root handle 1: htb default 20
tc class add dev eth1 parent 1: classid 1:1 htb rate 10240kbit ceil 10240kbit
tc class add dev eth1 parent 1:1 classid 1:11 htb rate 32kbit ceil 512kbit
tc filter add dev eth1 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:11
tc qdisc add dev eth1 parent 1:11 sfq perturb 10

I have no problem shaping the "PCs" p2p download bandwidth rate.  How 
can I control the "PCs" p2p upload bandwidth rate?  Please help...thanks, :)

Regards,
ro0ot

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


* Re: [LARTC] control p2p upload bandwidth rate
From: Jody Shumaker @ 2005-12-22 19:48 UTC
  To: lartc

Seems like eth0 is your IF connected to the internet; you need to do shaping
on that for the upload.  Modifying the rates and using the same tc commands
but on eth0 would likely do it.

Also your script is flawed: the layer7 matching for most if not all of those
protocols will only match on the first packet or two. After that the data
for those connections won't match. I suggest you look into using the CONNMARK
target/match so you can match all of the data, not just the first few
packets.

With your setup it'd be used something along these lines:
#before setting mark:
#restores any saved mark
iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
#accepts the packet if it has a mark besides the default 0 and prevents the saved mark from being changed
iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT

#use "-j MARK --set-mark #" here

#after all the --set-mark's
iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j CONNMARK --save-mark
iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT

Without this, I'm not really sure how you were matching all packets for your
download shaping.  Normally, only the first packet or two will have matching
data in the TCP connection, and if you don't somehow mark the whole
connection using the above, the majority of the bandwidth won't be shaped
correctly.

- Jody


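Added example (not code from the thread or from either poster): ro0ot's layer7 marks wrapped in the CONNMARK restore / accept / set / save sequence Jody describes, plus the same HTB tree applied to eth0 so the PCs' p2p upload is shaped on the internet-facing interface as well. It assumes eth0 is the internet side and eth1 the LAN side as in ro0ot's diagram; the uplink rate of 1024kbit and the p2p ceilings are illustrative values. Marking is done in mangle PREROUTING without `-p tcp` so UDP flows of the same protocols are covered too. IPT and TC can be pointed at `echo` for a dry run that prints the rules instead of loading them.

```shell
#!/bin/bash
# Added example: CONNMARK-wrapped layer7 marking plus HTB shaping on both
# interfaces. Run with the argument "apply" to load it; without an argument
# the functions are only defined (useful with IPT=echo TC=echo for a dry run).
IPT="${IPT:-iptables}"
TC="${TC:-tc}"
WAN=eth0    # assumed: internet-facing interface (upload leaves here)
LAN=eth1    # assumed: interface towards the PCs (download leaves here)
P2P_MARK=1
P2P_PROTOS="applejuice ares bittorrent directconnect edonkey fasttrack gnucleuslan gnutella napster openft"

mangle_rules() {
    # Starts from an empty PREROUTING chain in the mangle table; PREROUTING
    # sees traffic in both directions (PC -> internet and internet -> PC).
    $IPT -t mangle -F PREROUTING
    # 1. Bring back the mark saved on the conntrack entry, if there is one.
    $IPT -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # 2. Connection already classified: leave the chain, no layer7 work,
    #    and the saved mark cannot be overwritten by a later rule.
    $IPT -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    # 3. Only still-unmarked connections reach the pattern matches, which
    #    can only succeed on the first packet or two of a flow.
    for proto in $P2P_PROTOS; do
        $IPT -t mangle -A PREROUTING -m layer7 --l7proto "$proto" -j MARK --set-mark $P2P_MARK
    done
    # 4. Persist a freshly set mark on the connection so every later packet
    #    of that flow gets it back in step 1.
    $IPT -t mangle -A PREROUTING -m mark ! --mark 0 -j CONNMARK --save-mark
}

shape_iface() {
    # $1 = device, $2 = link rate, $3 = p2p guaranteed rate, $4 = p2p ceiling
    dev=$1; link=$2; rate=$3; ceil=$4
    $TC qdisc del dev "$dev" root 2>/dev/null
    $TC qdisc add dev "$dev" root handle 1: htb default 20
    $TC class add dev "$dev" parent 1: classid 1:1 htb rate "$link" ceil "$link"
    # 1:20 is the HTB default class; ro0ot's script names it but never creates
    # it, so unmarked traffic bypassed the tree. Creating it keeps all traffic
    # inside the shaper.
    $TC class add dev "$dev" parent 1:1 classid 1:20 htb rate "$link" ceil "$link"
    $TC class add dev "$dev" parent 1:1 classid 1:11 htb rate "$rate" ceil "$ceil"
    $TC filter add dev "$dev" protocol ip parent 1:0 prio 1 handle $P2P_MARK fw classid 1:11
    $TC qdisc add dev "$dev" parent 1:11 sfq perturb 10
    $TC qdisc add dev "$dev" parent 1:20 sfq perturb 10
}

apply_all() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    $IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE
    mangle_rules
    shape_iface $LAN 10240kbit 32kbit 512kbit   # download towards the PCs (ro0ot's values)
    shape_iface $WAN 1024kbit 32kbit 128kbit    # upload towards the internet (assumed uplink)
}

if [ "${1:-}" = "apply" ]; then
    apply_all
fi
```

The ACCEPT in step 2 only ends traversal of the mangle PREROUTING chain; the packet still goes through nat and filter as usual. Because the fwmark is restored on every packet of a marked connection, the `fw` filter on eth0 classifies the whole upload of a p2p session into class 1:11, not just the packets that happened to carry the protocol signature.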

* Re: [LARTC] control p2p upload bandwidth rate
From: Nataniel Klug @ 2006-01-11  1:20 UTC
  To: lartc

Jody,

I have a script that makes connections for every user with his auth. So, in this script, I have two mark tags. Can I use this tip you gave to ro0ot? My doubt is: if I use this, every time some user logs in it will all be executed again; will it not cause me trouble?

Now I mark all packets from a client and forward them to some cbq/htb bandwidth control rules. It is working fine, but I have never made a test for a longer time...

Thanks for your cooperation.

Att,

Nataniel Klug

* Re: [LARTC] control p2p upload bandwidth rate
From: Jody Shumaker @ 2006-01-11  5:11 UTC
  To: lartc

#accepts the packet if it has a mark besides the default 0 and prevents the saved mark from being changed
iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT

That section after the restore-mark rule will cause any saved marks to skip
the rest of the chain.  This results in only the first packets of a tcp
connection having to hit their individual --set-mark rule.  If you do have
concerns about cpu usage or some such, I'd suggest trying out the
ipp2p match module instead of the more generic l7match module.  It's more
specific to p2p and tends to be much faster than doing regular expressions.

On 1/10/06, Nataniel Klug <nata@cnett.com.br> wrote:
>
> I have a script that makes connections for every user with his auth. So,
> in this script, I have two mark tags. Can I use this tip you give to ro0ot?
> My doubt is if I use this every time some user log it will be all executed
> again, it will not make me trouble?
>

I'm not sure exactly what you mean by this. If my above explanation doesn't
apply, could you possibly explain or give an example?

- Jody


* Re: [LARTC] control p2p upload bandwidth rate
From: Nataniel Klug @ 2006-01-11 10:06 UTC
  To: lartc

Jody,

My question is not about P2P filters. This is working fine at my gateway box. My question concerns my authentication gateway, where I use PPPoE to authenticate my LAN clients against a Radius server in my DMZ.

This PPPoE server, when I have a new connection, makes some rules using IPTABLES and CBQ/HTB to control my clients' internet speed. The script I use when a client connects is this:

=== /etc/ppp/ip-up ===
#! /bin/bash
# pppd calls this hook with: $1 interface, $2 tty, $3 speed, $4 local IP, $5 remote IP
IPT="/usr/local/sbin/iptables"

interface=$1
remoteIP=$5
# Per-user attributes written by pppd's radattr plugin after Radius auth
download=`grep Download /var/run/radattr.$interface | awk '{ print $2; }'`
upload=`grep Upload  /var/run/radattr.$interface | awk '{ print $2; }'`
cliente=`grep Cliente /var/run/radattr.$interface | awk '{ print $2; }'`
# "ppp3" -> 3 -> mark 503: each session gets its own fwmark and class id
contamark=`echo $interface | cut -c 4-99`
mark=`expr $contamark + 500`

echo "$download" > /tmp/$interface.download
echo "$upload" > /tmp/$interface.upload
echo "$cliente" > /tmp/$interface.cliente


#if [ $cliente == "cliente" ]
#then
#$IPT -I FORWARD -d $remoteIP -p tcp --dport 1:1024 -j DROP
#$IPT -I FORWARD -d $remoteIP -p tcp --dport 6000:9000 -j DROP
#fi


# Download direction: shaped on the client's own ppp interface, which is new
# for every session, so the root qdisc can be created unconditionally
/sbin/tc qdisc add dev $interface root handle 1 cbq bandwidth 10Mbit avpkt 1000 cell 8
/sbin/tc class add dev $interface parent 1: classid 1:$mark cbq bandwidth 10Mbit rate "$download"Kbit weight `expr $download / 10`Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
/sbin/tc qdisc add dev $interface parent 1:$mark handle $mark sfq perturb 10
/sbin/tc filter add dev $interface parent 1:0 protocol ip prio 200 handle $mark fw classid 1:$mark
$IPT -t mangle -A POSTROUTING -d $remoteIP -j MARK --set-mark $mark


# Upload direction: shaped on eth0, which is shared by all sessions, so the
# root qdisc is created only once (re-adding it fails with "File exists");
# the per-session class, qdisc, filter and mark rule are added every time
/sbin/tc qdisc show dev eth0 | grep -q 'cbq 1:' || \
/sbin/tc qdisc add dev eth0 root handle 1 cbq bandwidth 10Mbit avpkt 1000 cell 8
/sbin/tc class add dev eth0 parent 1: classid 1:$mark cbq bandwidth 10Mbit rate "$upload"Kbit weight `expr $upload / 10`Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
/sbin/tc qdisc add dev eth0 parent 1:$mark handle $mark sfq perturb 10
/sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 200 handle $mark fw classid 1:$mark
$IPT -t mangle -A FORWARD -s $remoteIP -j MARK --set-mark $mark


echo "PPP started at $(date):
interface = $interface
Remote IP = $remoteIP
download = $download
upload = $upload
mark = $mark
" >/tmp/$interface
=== END ===

My doubt is, what you said is that only one packet in a mark will be matched without those other commands, so, are the lines I have put in red correct? Today it is working fine, but I have never made a test longer than 20 or 30 minutes...

Att,

Nataniel Klug
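Added example (not part of the thread and not Nataniel's code): the /etc/ppp/ip-down counterpart to the ip-up script above. pppd calls ip-down with the same positional arguments (interface, tty, speed, local IP, remote IP). Without a teardown, every disconnect leaves the old "-s $remoteIP" and "-d $remoteIP" MARK rules and the eth0 class 1:$mark behind, so the next client that is assigned the same ppp unit gets the same mark, its "tc class add" on eth0 fails because the class already exists, and it inherits the previous client's upload rate. The mark derivation is copied from the ip-up script; IPT and TC can be set to `echo` for a dry run, and STATEDIR (default /tmp) is where ip-up wrote its per-session files. The interface name and IP used in the dry run are constructed values.

```shell
#!/bin/sh
# Added example: /etc/ppp/ip-down hook that removes what ip-up created.
# pppd passes: $1 interface, $2 tty, $3 speed, $4 local IP, $5 remote IP.
IPT="${IPT:-/usr/local/sbin/iptables}"
TC="${TC:-/sbin/tc}"
WAN=eth0                      # shared upload interface, as in ip-up
STATEDIR="${STATEDIR:-/tmp}"  # where ip-up wrote $interface.download etc.

mark_for() {
    # Same derivation as ip-up: "ppp3" -> 3 -> 503
    expr "$(echo "$1" | cut -c 4-99)" + 500
}

teardown_client() {
    iface=$1; remoteIP=$2
    mark=$(mark_for "$iface")
    # Download side: the qdisc on $iface disappears together with the ppp
    # device, so only the POSTROUTING mark rule has to be removed.
    $IPT -t mangle -D POSTROUTING -d "$remoteIP" -j MARK --set-mark "$mark"
    # Upload side: the FORWARD mark rule, then filter, leaf qdisc and class
    # on eth0, which would otherwise survive for the next session.
    $IPT -t mangle -D FORWARD -s "$remoteIP" -j MARK --set-mark "$mark"
    $TC filter del dev $WAN parent 1:0 protocol ip prio 200 handle "$mark" fw
    $TC qdisc del dev $WAN parent 1:"$mark"
    $TC class del dev $WAN classid 1:"$mark"
    # Per-session state files written by ip-up
    rm -f "$STATEDIR/$iface" "$STATEDIR/$iface.download" \
          "$STATEDIR/$iface.upload" "$STATEDIR/$iface.cliente"
}

# When invoked by pppd the interface is $1 and the remote IP is $5.
if [ -n "${1:-}" ]; then
    teardown_client "$1" "$5"
fi
```

The iptables `-D` rules must repeat the exact match and target of the `-A` rules in ip-up, otherwise the delete fails and the stale rule stays; keeping both hooks next to each other, as here, makes that easy to check.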

* Re: [LARTC] control p2p upload bandwidth rate
From: Jody Shumaker @ 2006-01-11 15:08 UTC
  To: lartc

> My doubt is, what you said is that only one packet in a mark will be
> matched without those other commands, so, are the lines I have put in red
> correct? Today it is working fine, but I have never made a test longer than
> 20 or 30 minutes...
>
> Att,
>
> Nataniel Klug
>
>

It should work perfectly fine.  Since you're just marking based on an IP match,
there is no need for CONNMARK.  CONNMARK is only needed when you want to
mark a whole connection based on something you'll only see once, like the
p2p protocol's headers.  Destination/source addresses will be present in
every packet you want to mark.

- Jody
