Hello Alex, Perhaps I missed something below which ties eth0 and eth1 to the PPP pipe, or its just my unfamiliarity with PPP. Regardless, an interesting methodology. Do you think you could do the following: <eth0>----<ppp0>----<standard linux bridging / routing>---<ppp1>---<eth1> The reason I ask is that I would like to, at the PPP level, apply CBQ or HTB rate shaping to my each end user (ie, limit traffic to 256K or something like that). And then, after each customer has their rate shaping, at the ETH level I would like to priorize traffic (ie, all www prio 3, ssh - telnet, prio 1, ftp prio 4, everything else prio 7) Thoughts? -----Original Message----- From: lartc-admin@xxxxxxxxxxxxxxx [mailto:lartc-admin@xxxxxxxxxxxxxxx] On Behalf Of Alexander Clouter Sent: Saturday, January 24, 2004 7:05 PM To: lartc@xxxxxxxxxxxxxxx Subject: Re: IMQ Stability On Jan 24, mkazmier@xxxxxxxxxx wrote: > Thank you for the detailed discussion. There is no doubt that there is a > need for an IMQ type device/funtionality. What would work really great, > IMHO, is a "fake" or psuedo ethernet driver that simply sits as a shim > between one or more real drivers. This fake device could allow us to > "Stack" qdiscs in a way to allow one to shape traffic in multiple > "policies" - ie, prioritize traffic AND allocate / rate shape end users. > I have actually thought of utilizing the kernel bonding driver for this - > attaching only a single slave to it - but haven't had time as yet. Not > sure that this would do anything for ingress shaping though. > I have been working on this with using what I call a ppp-pipe. The result is Internet (eth0) <-> ppp0 ----- ppp1 <-> LAN (eth1) 10.0.0.0/8 where ppp0----ppp1 is on the local machine (and simulates two NICs with a crossover cable between them in the same machine). What you throw in at ppp0 appears at ppp1 and vice versa. This works fine, it also means you can shape on the ppp0/ppp1 interfaces and leave all the NAT stuff on the real interfaces. The command to create this ppp-pipe is (as root), so far I am not completely sure if you need to add to the first pppd command "<real ip>:<real ip>" for its parameters (you might also need 'xonxoff' too in both): # mkfifo /tmp/ppp-pipe # pppd noauth nodefaultroute notty < /tmp/ppp-pipe | pppd noauth \ notty > /tmp/ppp-pipe However there is a major problem......connection tracking. In the above setup you do iptables -t nat -I POSTROUTING -s 10.0.0.0/8 \ -d ! 10.0.0.0/8 -o eth0 -j MASQUERADE the '-o eth0' is very important, you also create some advance routing bits to make all traffic crossing the router to pass through the ppp-pipe; easy enough, but depends on your needs. Conntrack unfortunately notices that you did not want to NAT the packet straight away when it arrives on eth1 (if you do then you will be unable to shape fairly per IP, for example with ESFQ), but then later on when the packet resurfaces at ppp0 the 'nat' table is skipped. The only way about this is to use the patch-o-matic RAW patch and instruct it to skip connection tracking for packets on eth1 destined for the Internet. As I am now pure 2.6.x goodness I am in the middle of porting the patch myself (the patch-o-matic-ng does not work for me, could be me being lame though). Sure this is replacing one patch dependency with another, however IMQ really seems that it has been left out to rot; whilst the RAW patch probably is going to stay better maintained, hell its in the patch-o-matic for starters. Besides there are lots of advantages with the ppp-pipe, as now all you folks who want to shape over with IP-Aliasing can just use cunning ppp-pipes instead; whilst still keeping things very simple. So far the above should work in non-NAT (or rather connection tracking) setups but where you want the equilivent of IP-Aliased style shaping. Anyway thoughts would be apprieated, however when I was on #lartc it was its normal dead self so I was left dead in the water myself :( have fun Alex -- ___________________________ < Fortune favors the lucky. > --------------------------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || _______________________________________________ LARTC mailing list / LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
