Re: control p2p upload bandwidth rate

Linux Advanced Routing and Traffic Control

Jody,
 
My question is not about P2P filters. That is working fine on my gateway box. My question concerns my authentication gateway, where I use PPPoE to authenticate my LAN clients against a Radius server in my DMZ.
 
This PPPoE server, when I have a new connection, makes some rules using IPTABLES and CBQ/HTB to control my clients' internet speed. The script I use when a client connects is this:
 
=== /etc/ppp/ip-up ===
#! /bin/bash
# pppd calls ip-up as: ip-up <interface> <tty> <speed> <local-IP> <remote-IP>
IPT="/usr/local/sbin/iptables"
TC="/sbin/tc"

interface="$1"
remoteIP="$5"
# Per-session limits and client class, as written by the RADIUS attributes plugin
download=$(grep Download "/var/run/radattr.$interface" | awk '{ print $2; }')
upload=$(grep Upload "/var/run/radattr.$interface" | awk '{ print $2; }')
cliente=$(grep Cliente "/var/run/radattr.$interface" | awk '{ print $2; }')
# ppp unit number (pppN -> N) + 500 is used both as the fw mark and in the class id
contamark=$(echo "$interface" | cut -c 4-99)
mark=$(expr "$contamark" + 500)

echo "$download" > "/tmp/$interface.download"
echo "$upload" > "/tmp/$interface.upload"
echo "$cliente" > "/tmp/$interface.cliente"

#if [ "$cliente" == "cliente" ]
#then
#$IPT -I FORWARD -d $remoteIP -p tcp --dport 1:1024 -j DROP
#$IPT -I FORWARD -d $remoteIP -p tcp --dport 6000:9000 -j DROP
#fi

# Download: shaped on the client's own ppp interface, which is new for every session,
# so its root qdisc is created here. tc reads the minor part of a class id as hex, so
# "1:$mark" has to be spelt the same way in the class, qdisc and filter lines.
$TC qdisc add dev "$interface" root handle 1: cbq bandwidth 10Mbit avpkt 1000 cell 8
$TC class add dev "$interface" parent 1: classid "1:$mark" cbq bandwidth 10Mbit rate "${download}Kbit" weight "$(expr "$download" / 10)Kbit" prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
$TC qdisc add dev "$interface" parent "1:$mark" handle "$mark:" sfq perturb 10
$TC filter add dev "$interface" parent 1:0 protocol ip prio 200 handle "$mark" fw classid "1:$mark"
$IPT -t mangle -A POSTROUTING -d "$remoteIP" -j MARK --set-mark "$mark"

# Upload: shaped on eth0, which all clients share, so the root qdisc is created only
# once (an unconditional "qdisc add" fails with "File exists" from the second client
# on; the class lines still worked only because the root was already there).
if ! $TC qdisc show dev eth0 | grep -q '^qdisc cbq 1:'; then
    $TC qdisc add dev eth0 root handle 1: cbq bandwidth 10Mbit avpkt 1000 cell 8
fi
$TC class add dev eth0 parent 1: classid "1:$mark" cbq bandwidth 10Mbit rate "${upload}Kbit" weight "$(expr "$upload" / 10)Kbit" prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
$TC qdisc add dev eth0 parent "1:$mark" handle "$mark:" sfq perturb 10
$TC filter add dev eth0 parent 1:0 protocol ip prio 200 handle "$mark" fw classid "1:$mark"
$IPT -t mangle -A FORWARD -s "$remoteIP" -j MARK --set-mark "$mark"

echo "PPP started at $(date):
interface = $interface
Remote IP = $remoteIP
download = $download
upload = $upload
mark = $mark
" > "/tmp/$interface"

=== END ===
 
My doubt is this: what you said is that only one packet in a mark will be matched without those other commands, so are the lines I have put in red correct? Today it is working fine, but I have never run a test longer than 20 or 30 minutes...
 
Regards,
 
Nataniel Klug
----- Original Message -----
Sent: Wednesday, January 11, 2006 3:11 AM
Subject: Re: control p2p upload bandwidth rate

#accepts the packet if it has a mark besides the default 0 and prevents the saved mark from being changed
iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT

That section after the restore-mark rule will cause any saved marks to skip the rest of the chain.  This results in only the first packets of a tcp connection having to hit their individual --set-mark rule.  If you do have concerns about cpu usage or some such, I'd suggest trying out the ipp2p match module instead of the more generic l7match module.  It's more specific to p2p and tends to be much faster than doing regular expressions.

On 1/10/06, Nataniel Klug <nata@xxxxxxxxxxxx> wrote:
I have a script that makes connections for every user with his auth. So, in this script, I have two mark tags. Can I use this tip you gave to ro0ot? My doubt is, if I use this every time some user logs in, it will all be executed again; will that not cause me trouble?

I'm not sure exactly what you mean by this. If my above explanation doesn't apply, could you possibly explain or give an example?

- Jody
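Jody's restore-mark / save-mark scheme applied to the per-client ip-up setup above, as an added example written for this page (not Nataniel's script and not from the LARTC list). It assumes eth0 is the upstream interface and keeps the 10Mbit CBQ figures from the script; the PPPCLIENTS chain name and the DRY_RUN switch, which prints the iptables/tc commands instead of executing them so the result can be inspected without root or a PPPoE box, are the example's own choices.

```shell
#!/bin/bash
# Added example: mark a client's traffic once per connection (CONNMARK) and create
# the shared eth0 root qdisc only once. DRY_RUN=1 (default) prints the commands.
DRY_RUN="${DRY_RUN:-1}"
IPT="${IPT:-/usr/local/sbin/iptables}"
TC="${TC:-/sbin/tc}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# pppN -> N + 500, the same offset as the original script; fails on non-ppp names
mark_from_interface() {
    local unit="${1#ppp}"
    case "$unit" in ''|*[!0-9]*) return 1 ;; esac
    expr "$unit" + 500
}

# Run once at boot, not per client: restore the saved mark, let already-marked packets
# skip the per-client rules (only a connection's first packet hits --set-mark), then
# save what the per-client chain set. PPPCLIENTS is a chain name chosen here.
mangle_scaffold() {
    run "$IPT" -t mangle -N PPPCLIENTS
    run "$IPT" -t mangle -A FORWARD -j CONNMARK --restore-mark
    run "$IPT" -t mangle -A FORWARD -m mark ! --mark 0 -j ACCEPT
    run "$IPT" -t mangle -A FORWARD -j PPPCLIENTS
    run "$IPT" -t mangle -A FORWARD -j CONNMARK --save-mark
}

# One bounded CBQ class + sfq + fw filter on <dev>. tc reads the "1:$mark" class id as
# hex, so the same string is used for the class, the child qdisc and the filter.
shape_class() {   # shape_class <dev> <mark> <rateKbit>
    local dev="$1" mark="$2" rate="$3"
    run "$TC" class add dev "$dev" parent 1: classid "1:$mark" cbq bandwidth 10Mbit \
        rate "${rate}Kbit" weight "$((rate / 10))Kbit" prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
    run "$TC" qdisc add dev "$dev" parent "1:$mark" handle "$mark:" sfq perturb 10
    run "$TC" filter add dev "$dev" parent 1: protocol ip prio 200 handle "$mark" fw classid "1:$mark"
}

# Per session (called from ip-up with $1 and $5): one mark per client for both
# directions; each interface only sees one direction, so one mark serves both classes.
client_rules() {   # client_rules <pppN> <clientIP> <downloadKbit> <uploadKbit>
    local ifc="$1" ip="$2" mark
    mark="$(mark_from_interface "$ifc")" || return 1
    run "$IPT" -t mangle -A PPPCLIENTS -s "$ip" -j MARK --set-mark "$mark"
    run "$IPT" -t mangle -A PPPCLIENTS -d "$ip" -j MARK --set-mark "$mark"
    run "$TC" qdisc add dev "$ifc" root handle 1: cbq bandwidth 10Mbit avpkt 1000 cell 8
    shape_class "$ifc" "$mark" "$3"                      # download, on the ppp interface
    if [ "$DRY_RUN" = 1 ] || ! "$TC" qdisc show dev eth0 | grep -q '^qdisc cbq 1:'; then
        run "$TC" qdisc add dev eth0 root handle 1: cbq bandwidth 10Mbit avpkt 1000 cell 8
    fi
    shape_class eth0 "$mark" "$4"                        # upload, on the shared eth0
}
```

mangle_scaffold belongs in the boot scripts and ip-up calls client_rules "$1" "$5" with the two radattr values; an ip-down counterpart that deletes the client's PPPCLIENTS rules and eth0 class is still needed, or marks and classes accumulate across sessions.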

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
