Hi Patrick,

Iptables is capable of matching/marking packets based on the uid or gid of the owner of the process that generates traffic. It's also possible to run apache as a different user for every virtual host (apache suexec wrapper needed), so owner matching would also work there. For example you could match/mark outgoing packets created by a particular user (uid diab here) using

    iptables -A OUTPUT -t mangle -j MARK -m owner --uid-owner diab \
        --set-mark 9999

The problem is that it only works in the OUTPUT chain for outgoing packets. Here is a patch that makes it possible for the INPUT chain:

http://netfilter.org/patch-o-matic/pom-extra.html#pom-extra-owner-socketlookup

Anyways here is what I would try (200kbit limit on outgoing traffic marked with 9999):

    tc qdisc add dev eth0 root handle 100: htb
    tc class add dev eth0 parent 100: classid 100:9999 htb rate \
        200kbit prio 0
    tc filter add dev eth0 protocol ip parent 100: prio 0 handle 9999 \
        fw flowid 100:9999

Anyways I've tried it with scp and it copied files at around 25k/sec, which is exactly 200kbit :)

hth,
- diab

blinken@xxxxxxxxx wrote:

PC> Sure - what I want to do is set up a colocated webhost/shell server,
PC> and sell people accounts. However, I only have 2000mb upstream/2000mb
PC> downstream free bandwidth, after which I start getting charged extra.
PC> Therefore, I want to give *each user* a bandwidth quota, which if they
PC> go over they can choose to either pay extra or have their account
PC> disabled. Normal webhosts would do this in Apache (I would imagine),
PC> with mod_quota or similar.
PC> However, as I'm offering shell accounts as well, an Apache-only quota
PC> system doesn't do what I want. I'm looking to find a way to meter the
PC> outgoing and incoming bandwidth used by any program, on any socket,
PC> and link that back to a particular user so I can make sure they don't
PC> go over their limit. So mapping to a user account is essential. The
PC> accounts are actual users.
PC> If you could give me an example of how you
PC> would implement it in perl, it would be brilliant.
PC> Thanks,
PC> Patrick
PC>
PC> On Wed, 29 Sep 2004 19:09:58 +0200, Daniel Frederiksen
PC> <cyberdoc@xxxxxxxxxxx> wrote:
>> Hey Patrick
>>
>> I seem to have forgotten the point that you want to relate the bandwidth
>> usages to a user. In the perl script you posted a link for, the author
>> uses lsof. This solution is ok, if the connection is still in the list,
>> however if you accumulate in a log from netfilter, the probability of
>> the connection still being active is reduced and not reliable. Is there
>> a specific reason why you want to map the user accounts, and are these
>> accounts system or actual users? If they are just system accounts
>> running daemons, there is no point in mapping them.
>>
>> If you still need the mapping, I will help you with the perl script, if
>> not we can use some of the previously suggested ideas.
>>
>> Perhaps a more detailed description of the usage/problem would help
>> a lot.
>>
>> Daniel Frederiksen, Cyberdoc.dk
>>
>>
>>
>> On Wed, 2004-09-29 at 13:14, Patrick Coleman wrote:
>> > I ran across one called culprit
>> > (http://freshmeat.net/projects/culprit.pl/), which does kinda what I
>> > want. However, by the looks of things it doesn't look like it's going to
>> > be easy to maintain a database of user bandwidth usage using it. I
>> > might see what I can do about modifying it, but I'm shocking at perl :)
>> >
>> > Netfilter sounds like a much saner idea - how would you grab the user
>> > a packet belongs to when you parse the logfiles?
>> > Thanks,
>> > Patrick
>>
>> _______________________________________________
>> LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
>> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
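As an added example that is not part of the thread, the following POSIX shell script builds on diab's suggestion: it generates the per-user mark/class/filter commands, and then reads the byte counters of the MARK rules in the mangle table (the same rules that do the marking) to check a user's quota, which is the accounting Patrick asked for. The interface, the handle 100:, the uids and the sample counter output are all constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): one HTB class per user, selected by the
# packet mark that iptables sets from the process owner, plus byte accounting
# from the counters of those MARK rules. Assumes eth0 and an HTB root "100:".
DEV=eth0

# Print (not run) the iptables + tc commands for one user. The mark doubles as
# the HTB class minor id and the fw filter handle, so one number ties all three.
user_shaping_cmds() {
    uid=$1; mark=$2; rate=$3
    printf '%s\n' \
      "iptables -t mangle -A OUTPUT -m owner --uid-owner $uid -j MARK --set-mark $mark" \
      "tc class add dev $DEV parent 100: classid 100:$mark htb rate $rate" \
      "tc filter add dev $DEV protocol ip parent 100: prio 0 handle $mark fw flowid 100:$mark"
}

# Constructed sample of 'iptables -t mangle -L OUTPUT -v -x -n' output: with -x
# the byte counters are exact, and the owner match names the uid of each rule.
SAMPLE_COUNTERS='Chain OUTPUT (policy ACCEPT 99 packets, 12345 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1234   5678901 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1001 MARK set 0x270f
      10      2048 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1002 MARK set 0x2710'

# bytes_for_uid <uid>: sum the byte counters (field 2) of MARK rules whose
# owner match is that uid; 0 when the uid has no rule.
bytes_for_uid() {
    printf '%s\n' "$SAMPLE_COUNTERS" | awk -v uid="$1" '
        $3 == "MARK" {
            for (i = 1; i <= NF; i++)
                if ($i == "UID" && $(i+1) == "match" && $(i+2) == uid) total += $2
        }
        END { printf "%d\n", total + 0 }'
}

# over_quota <uid> <quota_bytes>: succeed (exit 0) if the user exceeded the quota.
over_quota() {
    used=$(bytes_for_uid "$1")
    [ "$used" -gt "$2" ]
}

# Stand-alone run: show the commands for one user and check a 1 MB quota.
user_shaping_cmds 1001 9999 200kbit
if over_quota 1001 1000000; then echo "uid 1001 is over quota"; fi
```

The counters are reset whenever the rules are flushed or the box reboots, so a cron job would have to add the current values to a per-user total before that happens; incoming traffic needs the socket-lookup patch diab linked, since the owner match alone only works in OUTPUT.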