* [LARTC] kazaaa is making me crazy!
From: Esteban Ribicic @ 2003-06-11 0:35 UTC (permalink / raw)
To: lartc
I'm trying to debug how CPU-consuming the string match could be.
Is it a linear function? I mean...
1 Mbit -> 1024/8 Kbytes
Supposing the MTU payload is 1500 bytes, I have in 1 megabit
[(1024/8)*1000]*1500 = 1920000000 packets
Another thing... this rule just filters the initial download request. That
would be okay if you want to filter completely, but if you want to slow
down (I mean using tc/htb/fwmarks) you wouldn't be matching the whole
download, only the request...
iptables -t mangle -A PREROUTING -p tcp -m string --string "Kazaa" -j DROP
Any comment, any idea?
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
* Re: [LARTC] kazaaa is making me crazy!
From: Robert Penz @ 2003-06-11 0:51 UTC (permalink / raw)
To: lartc
On Wednesday 11 June 2003 02:35, Esteban Ribicic wrote:
> I'm trying to debug how CPU-consuming the string match could be.
> Is it a linear function? I mean...
Did you look at this project?
http://l7-filter.sourceforge.net/
--
Regards,
Robert
----------------
Robert Penz
robert.penz AT outertech.com
* Re: [LARTC] kazaaa is making me crazy!
From: René Serral @ 2003-06-11 7:02 UTC (permalink / raw)
To: lartc
Maybe I didn't understand you, but I think you are wrong; in 1 Mbit you have:
((1/8)*1024*1024)/1500~ˆ packets isn't it??
On Wednesday 11 June 2003 02:35, Esteban Ribicic wrote:
> I'm trying to debug how CPU-consuming the string match could be.
> Is it a linear function? I mean...
>
> 1 Mbit -> 1024/8 Kbytes
>
> Supposing the MTU payload is 1500 bytes, I have in 1 megabit
> [(1024/8)*1000]*1500 = 1920000000 packets
>
> Another thing... this rule just filters the initial download request. That
> would be okay if you want to filter completely, but if you want to slow
> down (I mean using tc/htb/fwmarks) you wouldn't be matching the whole
> download, only the request...
>
> iptables -t mangle -A PREROUTING -p tcp -m string --string "Kazaa" -j DROP
>
> Any comment, any idea?
--
---------------------------------------------------------------
René Serral Universitat Politècnica de Catalunya
rserral@ac.upc.es
UPC Campus Nord, Ed. D4 Tel: +34 934 017 432
Barcelona 08034
---------------------------------------------------------------
* Re: [LARTC] kazaaa is making me crazy!
From: Stef Coene @ 2003-06-11 16:34 UTC (permalink / raw)
To: lartc
On Wednesday 11 June 2003 02:51, Robert Penz wrote:
> On Wednesday 11 June 2003 02:35, Esteban Ribicic wrote:
> > I'm trying to debug how CPU-consuming the string match could be.
> > Is it a linear function? I mean...
>
> did you look at this project
>
> http://l7-filter.sourceforge.net/
The provided patches will only examine the first 8 bytes of a connection to
determine the type of traffic. So if you have 1 big download, only 8 packets
are checked. This can be done because the l7 patches use netfilter code to
do connection tracking.
Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
* [LARTC] kazaaa is making me crazy!
From: mikee @ 2003-06-11 18:43 UTC (permalink / raw)
To: lartc
> Another thing... this rule just filters the initial download request. That
> would be okay if you want to filter completely, but if you want to slow
> down (I mean using tc/htb/fwmarks) you wouldn't be matching the whole
> download, only the request...
>
> iptables -t mangle -A PREROUTING -p tcp -m string --string "Kazaa" -j DROP
>
> Any comment, any idea?
You can use the iptables connmark extension (from patch-o-matic) to mark all packets of a connection, i.e.:
iptables -t mangle -N detect-abusers
# if the string kazaa is detected, the connection will be marked
iptables -t mangle -A detect-abusers -m string --string 'KaZaA' -j CONNMARK --set-mark 0x1
# check if the connection is marked; if not, inspect the packet
iptables -t mangle -A PREROUTING -m connmark --mark 0x0 -j detect-abusers
# set the packet mark from the connection mark
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
And now you can use:
tc filter add dev eth0 parent 1:0 protocol ip handle 1 fw classid your_kazaa_class
I don't use string match so I'm not sure if that would work - personally I detect "abusers" by destination port (well-known ports http/smtp/pop3 are allowed at full speed).
HTH
* Re: [LARTC] kazaaa is making me crazy!
From: Andre Lorenz @ 2003-06-11 19:25 UTC (permalink / raw)
To: lartc
On Wednesday, 11 June 2003 20:43, mikee wrote:
> > Another thing... this rule just filters the initial download request. That
> > would be okay if you want to filter completely, but if you want to slow
> > down (I mean using tc/htb/fwmarks) you wouldn't be matching the whole
> > download, only the request...
> >
> > iptables -t mangle -A PREROUTING -p tcp -m string --string "Kazaa" -j DROP
> >
> > Any comment, any idea?
>
> You can use the iptables connmark extension (from patch-o-matic) to mark all
> packets of a connection, i.e.:
>
> iptables -t mangle -N detect-abusers
> # if the string kazaa is detected, the connection will be marked
> iptables -t mangle -A detect-abusers -m string --string 'KaZaA' -j CONNMARK --set-mark 0x1
>
> # check if the connection is marked; if not, inspect the packet
> iptables -t mangle -A PREROUTING -m connmark --mark 0x0 -j detect-abusers
> # set the packet mark from the connection mark
> iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
>
>
Hello,
I'm filtering Kazaa with these strings and it works fine:
$IPTABLES -A FORWARD -p tcp -m string --string X-Kazaa-Username: -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp -m string --string X-Kazaa-Network: -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp -m string --string X-Kazaa-IP: -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp -m string --string X-Kazaa-SupernodeIP: -j REJECT --reject-with tcp-reset
With friendly regards
Andre
* Re: [LARTC] kazaaa is making me crazy!
From: Eric Leblond @ 2003-06-17 18:56 UTC (permalink / raw)
To: lartc
On Wed 11/06/2003 at 02:35, Esteban Ribicic wrote:
> I'm trying to debug how CPU-consuming the string match could be.
> Is it a linear function? I mean...
>
> 1 Mbit -> 1024/8 Kbytes
>
> Supposing the MTU payload is 1500 bytes, I have in 1 megabit
> [(1024/8)*1000]*1500 = 1920000000 packets
> Any comment, any idea?
Use CONNMARK as suggested by GoMi on the list in the recent thread
"Questions regarding CONNMARK".
With that you just have to match the first packet...
BR,
--
Eric Leblond <eric@regit.org>
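The connection-marking approach in mikee's rule set and in Eric Leblond's pointer to CONNMARK can be made concrete with a small model of what those three mangle rules do to a packet stream. The following is an added example, not code from the list or from netfilter: it imitates "scan only flows whose connection mark is 0x0", "set the connection mark on a string hit" and "copy the connection mark to every later packet of the flow, in both directions", and counts how many payload bytes the string matcher has to scan compared with the original rule that scans every packet. The patterns are the X-Kazaa-* header strings from Andre Lorenz's post; the traffic, addresses and ports are constructed, and conntrack details such as entry timeouts and case-insensitive matching are left out.

```python
"""Model of the CONNMARK technique discussed in the thread.

Constructed example: not netfilter code and not a list member's script.
It imitates three mangle rules:
  -m connmark --mark 0x0 -j detect-abusers   (scan only unmarked flows)
  -m string --string ... -j CONNMARK --set-mark 0x1
  -j CONNMARK --restore-mark                 (packet mark := connection mark)
"""
from dataclasses import dataclass, field

# Header strings from Andre Lorenz's rules; iptables -m string is byte-exact.
KAZAA_PATTERNS = (
    b"X-Kazaa-Username:",
    b"X-Kazaa-Network:",
    b"X-Kazaa-IP:",
    b"X-Kazaa-SupernodeIP:",
)
KAZAA_MARK = 0x1


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Stats:
    total_bytes: int = 0
    inspected_bytes: int = 0          # payload bytes the string matcher scanned
    marked_packets: int = 0
    packet_marks: list = field(default_factory=list)  # mark given to each packet


def flow_key(pkt):
    """Direction-independent key: a reply shares the entry of its request,
    which is what lets the connection mark reach the download data."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)


def string_match(payload, patterns):
    """Naive substring scan over one packet's payload. Cost grows with the
    payload length: the linear CPU behaviour the original poster asked about."""
    return any(p in payload for p in patterns)


def run_connmark(packets, patterns=KAZAA_PATTERNS):
    """mikee's rule set: scan until the flow is marked, then only copy the mark."""
    conntrack = {}  # flow_key -> connection mark (0 = unmarked)
    st = Stats()
    for pkt in packets:
        key = flow_key(pkt)
        st.total_bytes += len(pkt.payload)
        if conntrack.get(key, 0) == 0:          # -m connmark --mark 0x0
            st.inspected_bytes += len(pkt.payload)
            if string_match(pkt.payload, patterns):
                conntrack[key] = KAZAA_MARK     # -j CONNMARK --set-mark 0x1
        mark = conntrack.get(key, 0)            # -j CONNMARK --restore-mark
        st.packet_marks.append(mark)
        if mark:
            st.marked_packets += 1
    return st


def run_string_only(packets, patterns=KAZAA_PATTERNS):
    """The original poster's rule: every packet is scanned, and only the
    packet carrying the header is hit; the download data is never matched."""
    st = Stats()
    for pkt in packets:
        st.total_bytes += len(pkt.payload)
        st.inspected_bytes += len(pkt.payload)
        mark = KAZAA_MARK if string_match(pkt.payload, patterns) else 0
        st.packet_marks.append(mark)
        if mark:
            st.marked_packets += 1
    return st


def sample_packets():
    """Constructed traffic (documentation addresses): a Kazaa download whose
    request carries the headers, a plain web fetch, and a Kazaa request whose
    header is split across two TCP segments."""
    client, peer, web, peer2 = "10.0.0.5", "192.0.2.10", "198.51.100.7", "192.0.2.20"
    request = (b"GET /file HTTP/1.1\r\n"
               b"X-Kazaa-Username: example-user\r\n"
               b"X-Kazaa-Network: KaZaA\r\n\r\n")
    pkts = [Packet(client, 40001, peer, 1214, request)]
    pkts += [Packet(peer, 1214, client, 40001, b"\x00" * 1400) for _ in range(20)]
    pkts += [Packet(client, 40001, peer, 1214, b"") for _ in range(5)]  # bare ACKs
    pkts.append(Packet(client, 40002, web, 80,
                       b"GET / HTTP/1.1\r\nHost: example.net\r\n\r\n"))
    pkts += [Packet(web, 80, client, 40002, b"<html>...</html>" * 50) for _ in range(4)]
    pkts.append(Packet(client, 40003, peer2, 1214, b"GET /other HTTP/1.1\r\nX-Kaz"))
    pkts.append(Packet(client, 40003, peer2, 1214, b"aa-Username: other\r\n\r\n"))
    pkts += [Packet(peer2, 1214, client, 40003, b"\x00" * 1400) for _ in range(3)]
    return pkts


if __name__ == "__main__":
    pk = sample_packets()
    for name, st in (("string only", run_string_only(pk)), ("connmark", run_connmark(pk))):
        print(f"{name:12s} scanned {st.inspected_bytes}/{st.total_bytes} bytes, "
              f"marked {st.marked_packets}/{len(pk)} packets")
```

Run as a script, it prints both counts: with the plain string rule every byte of the download is scanned and only the one request packet is hit, while with CONNMARK the 20 data segments and the ACKs of the marked flow are never scanned but all carry the mark that the `tc ... fw` filter keys on. The third flow shows the limit of per-packet matching that both approaches share: the header is split across two segments, `-m string` only sees one packet's payload at a time, so that flow is never marked and stays in the default class.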