* [LARTC] limit ftp bandwidth
@ 2002-04-15 20:05 Omar Armas
2002-04-16 8:14 ` Stef Coene
2002-04-16 11:42 ` Patrick McHardy
0 siblings, 2 replies; 3+ messages in thread
From: Omar Armas @ 2002-04-15 20:05 UTC
To: lartc
I want to limit ftp bandwidth to 128Kb. In a RH 7.2 box I have:
eth0: 200.39.186.1
eth1: 192.168.1.1
I use these rules:
tc qdisc add dev eth0 root handle 10: cbq bandwidth 10Mbit avpkt 1000
tc class add dev eth0 parent 10:0 classid 10:1282 cbq bandwidth 10Mbit \
    rate 128Kbit allot 1514 weight 12Kbit prio 5 maxburst 20 avpkt 1000 \
    bounded
tc qdisc add dev eth0 parent 10:1282 sfq quantum 1514b perturb 15
tc filter add dev eth0 parent 10:0 protocol ip prio 100 u32 match ip \
    dport 21 0xffff flowid 10:1282
But users accessing ftp from 192.168.1.0/24 are allowed more than 128K,
any idea about how to solve it?
Or do you have any other solution for this?
Thanks,
Omar
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
* Re: [LARTC] limit ftp bandwidth
From: Stef Coene @ 2002-04-16 8:14 UTC
To: lartc
On Monday 15 April 2002 23:15, Omar Armas wrote:
> I want to limit ftp bandwidth to 128Kb. In a RH 7.2 box I have:
>
> eth0: 200.39.186.1
> eth1: 192.168.1.1
>
> I use these rules:
>
> tc qdisc add dev eth0 root handle 10: cbq bandwidth 10Mbit avpkt 1000
> tc class add dev eth0 parent 10:0 classid 10:1282 cbq bandwidth 10Mbit \
>     rate 128Kbit allot 1514 weight 12Kbit prio 5 maxburst 20 avpkt 1000 \
>     bounded
> tc qdisc add dev eth0 parent 10:1282 sfq quantum 1514b perturb 15
> tc filter add dev eth0 parent 10:0 protocol ip prio 100 u32 match ip \
>     dport 21 0xffff flowid 10:1282
>
> But users accessing ftp from 192.168.1.0/24 are allowed more than 128K,
> any idea about how to solve it?
Yes. You match destination 21, but this is only the command path. The data
path uses another variable destination port (passive ftp uses port 20,
active ftp uses a variable port). So you can't match the data path.
There is a solution. There is an iptables match-patch so you can mark all
packets that belong to an ftp-data stream. That mark can be used to put the
data in the class you want. I don't have more info, but maybe someone else
on the list can help you.
Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net
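
One way to wire up the mark-based classification Stef describes, as an added example (not code from the thread or from the LARTC project): the conntrack FTP helper identifies data connections, iptables marks them, and a tc fw filter places marked packets in class 10:1282. The mark value 21, the filter priority 90, the nf_conntrack_ftp module name (current kernels) and the function names are assumptions.

```shell
#!/bin/sh
# Added example: steer FTP control and data packets into the existing CBQ
# class by firewall mark instead of by port number.
# Assumptions (not from the thread): mark value 21, filter prio 90, the
# nf_conntrack_ftp helper module, and the print-then-apply split used here.

# Print the rule set for one egress device; nothing is executed here.
# Arguments are validated because the output may later be piped into sh.
ftp_shaper_rules() {
    dev=$1 mark=$2 flowid=$3
    case $dev in ''|*[!A-Za-z0-9._-]*) echo "bad device: $dev" >&2; return 2;; esac
    case $mark in ''|*[!0-9]*) echo "bad mark: $mark" >&2; return 2;; esac
    case $flowid in
        *[!0-9A-Fa-f:]*|*:*:*|:*|*:) echo "bad classid: $flowid" >&2; return 2;;
        *:*) ;;
        *) echo "bad classid: $flowid" >&2; return 2;;
    esac
    parent=${flowid%%:*}:0      # 10:1282 -> 10:0, the qdisc holding the filter
    # 1: load the FTP helper; 2: attach it to control connections so the
    # kernel parses PORT/PASV and expects the data connection; 3: mark the
    # control channel; 4: mark the related data connections; 5: classify
    # marked packets with tc's fw filter (prio 90 keeps it separate from
    # the u32 filter already installed at prio 100).
    cat <<EOF
modprobe nf_conntrack_ftp
iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
iptables -t mangle -A POSTROUTING -o $dev -p tcp --dport 21 -j MARK --set-mark $mark
iptables -t mangle -A POSTROUTING -o $dev -m helper --helper ftp -j MARK --set-mark $mark
tc filter add dev $dev parent $parent protocol ip prio 90 handle $mark fw flowid $flowid
EOF
}

# Dry run by default; APPLY=1 executes the rules (needs root) and stops at
# the first command that fails.
apply_ftp_shaper() {
    rules=$(ftp_shaper_rules "$@") || return
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$rules" | sh -e
    else
        printf '%s\n' "$rules"
    fi
}

apply_ftp_shaper eth0 21 10:1282
```

tc shapes only packets leaving the named device, so these rules limit FTP traffic going out through eth0; the same function can generate rules for another interface that has its own qdisc and class.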
* Re: [LARTC] limit ftp bandwidth
From: Patrick McHardy @ 2002-04-16 11:42 UTC
To: lartc
Stef Coene wrote:
> On Monday 15 April 2002 23:15, Omar Armas wrote:
>
>>I want to limit ftp bandwidth to 128Kb. In a RH 7.2 box I have:
>>
>>eth0: 200.39.186.1
>>eth1: 192.168.1.1
>>
>>I use these rules:
>>
>>tc qdisc add dev eth0 root handle 10: cbq bandwidth 10Mbit avpkt 1000
>>tc class add dev eth0 parent 10:0 classid 10:1282 cbq bandwidth 10Mbit \
>>    rate 128Kbit allot 1514 weight 12Kbit prio 5 maxburst 20 avpkt 1000 \
>>    bounded
>>tc qdisc add dev eth0 parent 10:1282 sfq quantum 1514b perturb 15
>>tc filter add dev eth0 parent 10:0 protocol ip prio 100 u32 match ip \
>>    dport 21 0xffff flowid 10:1282
>>
>>But users accessing ftp from 192.168.1.0/24 are allowed more than 128K,
>>any idea about how to solve it?
>
> Yes. You match destination 21, but this is only the command path. The data
> path uses another variable destination port (passive ftp uses port 20,
> active ftp uses a variable port). So you can't match the data path.
>
> There is a solution. There is an iptables match-patch so you can mark all
> packets that belong to an ftp-data stream. That mark can be used to put the
> data in the class you want. I don't have more info, but maybe someone else
> on the list can help you.
Just put all ftpusers in a special group and use the owner match, maybe
in combination with -d ! 192.168.1.0/24 ..
Bye,
Patrick