Re: p2p marking, again

Linux Advanced Routing and Traffic Control

In the OUT chain you're marking them as mark 5 but only saving it as mark 7. That would cause you to possibly miss some TCP streams, but depending on the protocol a lot might be marked just from the incoming data. As for how much data was marked, look at the incoming counters: of the 100,854 packets, 78,910 had a mark restored and 2,904 were newly marked. That means 81,814 out of 100,854 incoming packets were marked as p2p; that's 80%, and a lot more than 625k.

Beyond the mark 5/7 mix-up in the outgoing marking, you also didn't mention the IMQ rule in the previous email. Normally the

iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j ACCEPT

rule is good, as it makes sure the mark doesn't get changed again after it's been saved once and later restored. However, in this case it means the packet was leaving your chain before reaching the IMQ target, so for your case it should be safe to remove that rule. This will likely fix the problem you were really having of the incoming data not all going to the IMQ.

- Jody

On 2/7/06, Vaidas <admin@xxxxxx> wrote:
Allright...

# upload: shape on $DEV, p2p (fw mark 5) goes to class 2:21
tc qdisc add dev $DEV root handle 2:0 htb default 20 r2q 2
tc class add dev $DEV parent 2:0 classid 2:10 htb rate ${RATETOTAL}kbit
tc class add dev $DEV parent 2:10 classid 2:20 htb rate ${RATETOTAL}kbit ceil ${RATETOTAL}kbit prio 0
tc class add dev $DEV parent 2:10 classid 2:21 htb rate 1kbit ceil ${RATEUP}kbit prio 1
tc qdisc add dev $DEV parent 2:20 handle 20:0 sfq perturb 10
tc qdisc add dev $DEV parent 2:21 handle 21:0 sfq perturb 10
tc filter add dev $DEV parent 2:0 prio 1 protocol ip handle 5 fw flowid 2:21
iptables -t mangle -N DSL-OUT
iptables -t mangle -I POSTROUTING -o $DEV -j DSL-OUT
iptables -t mangle -A DSL-OUT -p tcp -j CONNMARK --restore-mark
iptables -t mangle -A DSL-OUT -p tcp -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A DSL-OUT -m ipp2p --edk --dc --bit --soul -j MARK --set-mark 5
iptables -t mangle -A DSL-OUT -p tcp -m mark --mark 7 -j CONNMARK --save-mark

# download: redirect incoming traffic to imq0 and shape there, p2p (fw mark 7) goes to class 2:21
ip link set imq0 up
tc qdisc add dev imq0 root handle 2:0 htb default 20 r2q 2
tc class add dev imq0 parent 2:0 classid 2:10 htb rate ${RATETOTAL}kbit
tc class add dev imq0 parent 2:10 classid 2:20 htb rate ${RATETOTAL}kbit ceil ${RATETOTAL}kbit prio 0
tc class add dev imq0 parent 2:10 classid 2:21 htb rate 2kbit ceil ${RATEDN}kbit prio 1
tc qdisc add dev imq0 parent 2:20 handle 20:0 sfq perturb 10
tc qdisc add dev imq0 parent 2:21 handle 21:0 sfq perturb 10
tc filter add dev imq0 parent 2:0 prio 1 protocol ip handle 7 fw flowid 2:21
iptables -t mangle -N DSL-IN
iptables -t mangle -I PREROUTING -i $DEV -j DSL-IN
iptables -t mangle -A DSL-IN -p tcp -j CONNMARK --restore-mark
iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A DSL-IN -m ipp2p --edk --dc --bit --soul -j MARK --set-mark 7
iptables -t mangle -A DSL-IN -p tcp -m mark --mark 7 -j CONNMARK --save-mark
iptables -t mangle -A DSL-IN -j IMQ --todev 0

still not working :))))))))
I don't know what else to do, tried everything :/

uTorrent has been downloading for half an hour, but the counters are...

Chain DSL-OUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
   80515  5464493 CONNMARK   tcp  --  any    any     anywhere             anywhere            CONNMARK restore
   52501  3402390 ACCEPT     tcp  --  any    any     anywhere             anywhere            MARK match !0x0
    3593   464055 MARK       all  --  any    any     anywhere             anywhere            ipp2p v0.8.0 --edk --dc --bit --soul MARK set 0x5
       0        0 CONNMARK   tcp  --  any    any     anywhere             anywhere            MARK match 0x7 CONNMARK save
Chain DSL-IN (1 references)
    pkts      bytes target     prot opt in     out     source               destination
  100854 97487345 CONNMARK   tcp  --  any    any     anywhere             anywhere            CONNMARK restore
   78190 92347437 ACCEPT     tcp  --  any    any     anywhere             anywhere            MARK match !0x0
    2904   625681 MARK       all  --  any    any     anywhere             anywhere            ipp2p v0.8.0 --edk --dc --bit --soul MARK set 0x7
     274    39048 CONNMARK   tcp  --  any    any     anywhere             anywhere            MARK match 0x7 CONNMARK save
   30759  6358180 IMQ        all  --  any    any     anywhere             anywhere            IMQ: todev 0

Only 625681 bytes marked as p2p :(

-----Original Message-----
From: Jody Shumaker [mailto:jody.shumaker@xxxxxxxxx]
Sent: February 6, 2006 21:23
To: Vaidas
Cc: lartc@xxxxxxxxxxxxxxx
Subject: Re: [LARTC] p2p marking, again

Bah, I don't know why I didn't notice this before in your previous
email. It's obvious now that you gave the stats output:
iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --restore-mark
that line is horribly wrong, it should be:
iptables -t mangle -A DSL-IN -p tcp -j CONNMARK --restore-mark
The whole point is that ipp2p can't match on every packet! So you save
the mark and then restore it. However, you were conditionally
restoring the mark only when ipp2p matched, which completely defeats
the purpose. There's also no reason to have the "-m ipp2p --ipp2p"
when saving the mark, as this adds more work than is necessary.
Instead of:
iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --save-mark
I'd suggest:
iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j CONNMARK --save-mark
as this match would be much faster, and would mean no redundant work
on matching ipp2p. I'd also suggest combining your tcp and udp
matches for ipp2p into one.

I'd also suggest not using "-m ipp2p --ipp2p" and instead listing out the
protocols to match, even if it's all of them. For some reason, --ipp2p
doesn't match all of the safe-to-identify protocols. I used it at one
point but then after updating it stopped including BitTorrent. As
listed in the ipp2p docs right now:
-m ipp2p --ipp2p
-m ipp2p --edk --kazaa --gnu --dc
are identical, meaning --ipp2p only matches eDonkey, Kazaa, Gnutella
and Direct Connect, leaving out the very easy to match and common
BitTorrent. I'd suggest using:
-m ipp2p --edk --kazaa --gnu --dc --bit

In the end this would result in this for your script:
#restore mark
iptables -t mangle -A DSL-IN -p tcp -j CONNMARK --restore-mark
#skip rest of chain if packet already marked
iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j ACCEPT
#match p2p traffic.
iptables -t mangle -A DSL-IN -m ipp2p --bit --edk --kazaa --gnu --dc -j MARK --set-mark 7
#save mark
iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j CONNMARK --save-mark

- Jody
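Jody's two replies come down to three ordering problems in the mangle chains: restoring the connmark only when ipp2p happens to match, setting mark 5 while the save rule only matches mark 7, and ACCEPTing already-marked packets before they reach the IMQ target. The Python below is an added example, not code from this thread or from the ipp2p/IMQ projects. It models just enough of netfilter to count out each variant of the chain over constructed traffic: a per-packet mark, a per-connection mark that CONNMARK save/restore copies to and from, a payload match standing in for ipp2p that only fires on the first two packets of a flow (an assumption of the model), MARK, the terminating ACCEPT verdict, and a non-terminating IMQ target. Rule-list names and flow layout are mine; nothing here touches a kernel.

```python
"""Model of the CONNMARK save/restore ordering discussed in this thread.

Added example, not from the LARTC post. Each ruleset is a list of
(match, target) pairs transcribed from the e-mails above.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    conn: str        # stand-in for the conntrack entry (5-tuple)
    p2p_sig: bool    # would ipp2p's payload signature match this packet?
    mark: int = 0    # skb mark; every packet enters mangle with 0


# --- matches: (packet, conntrack table) -> bool ---------------------------
def any_pkt(p, ct):
    return True


def ipp2p(p, ct):
    return p.p2p_sig


def mark_is(v):
    return lambda p, ct: p.mark == v


def mark_not(v):
    return lambda p, ct: p.mark != v


# --- targets: (packet, conntrack table, stats) -> verdict or None ---------
def connmark_restore(p, ct, stats):
    p.mark = ct.get(p.conn, 0)


def connmark_save(p, ct, stats):
    ct[p.conn] = p.mark


def set_mark(v):
    def target(p, ct, stats):
        p.mark = v
    return target


def accept(p, ct, stats):
    return "ACCEPT"        # terminating: the rest of the chain is skipped


def imq(p, ct, stats):
    stats["imq"] += 1      # IMQ does not terminate; traversal continues


def run_chain(rules, packets):
    """Walk every packet through the rule list and return the counters."""
    ct = {}
    stats = {"marked": 0, "imq": 0}
    for p in packets:
        p.mark = 0
        for match, target in rules:
            if match(p, ct) and target(p, ct, stats) == "ACCEPT":
                break
        if p.mark:
            stats["marked"] += 1
    stats["connmarks"] = dict(ct)
    return stats


def flows():
    """Constructed traffic (assumption): one p2p flow whose signature is
    visible only in its first two packets, and one plain flow."""
    p2p = [Packet("A", p2p_sig=(i < 2)) for i in range(20)]
    web = [Packet("B", p2p_sig=False) for _ in range(10)]
    return p2p + web


ORIGINAL_DSL_IN = [            # restore only when ipp2p matches
    (ipp2p, connmark_restore), (mark_not(0), accept),
    (ipp2p, set_mark(7)), (ipp2p, connmark_save)]
FIXED_DSL_IN = [               # unconditional restore, save any mark
    (any_pkt, connmark_restore), (mark_not(0), accept),
    (ipp2p, set_mark(7)), (mark_not(0), connmark_save)]
DSL_OUT_5_VS_7 = [             # sets 5 but only saves when the mark is 7
    (any_pkt, connmark_restore), (mark_not(0), accept),
    (ipp2p, set_mark(5)), (mark_is(7), connmark_save)]
DSL_IN_ACCEPT_BEFORE_IMQ = [   # restored packets leave before IMQ
    (any_pkt, connmark_restore), (mark_not(0), accept),
    (ipp2p, set_mark(7)), (mark_is(7), connmark_save), (any_pkt, imq)]
DSL_IN_NO_ACCEPT = [r for r in DSL_IN_ACCEPT_BEFORE_IMQ if r[1] is not accept]

if __name__ == "__main__":
    for name in ("ORIGINAL_DSL_IN", "FIXED_DSL_IN", "DSL_OUT_5_VS_7",
                 "DSL_IN_ACCEPT_BEFORE_IMQ", "DSL_IN_NO_ACCEPT"):
        print(f"{name:26s} {run_chain(globals()[name], flows())}")
```

Running it reproduces the thread's symptoms in miniature: the conditional-restore chain marks only the 2 signature-bearing packets of the 20-packet p2p flow, the corrected chain marks all 20, the 5-vs-7 OUT chain never stores a connmark at all (its save counter stays at 0, as in the posted output), and with ACCEPT ahead of IMQ only 11 of 30 packets reach imq0 whereas dropping the ACCEPT sends all 30.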

On 2/6/06, Vaidas <admin@xxxxxx> wrote:
> Hey, one more question for ipp2p
>
> iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --restore-mark
> iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j ACCEPT
> iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j MARK --set-mark 7
> iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --save-mark
> iptables -t mangle -A DSL-IN -p udp -m ipp2p --ipp2p -j MARK --set-mark 7
>
> By this set of commands, should all p2p packets be marked well? Because very
> few of them are marked on my server...
>
> Chain DSL-IN (1 references)
>     pkts      bytes target     prot opt in     out     source               destination
>    13708  2260152 CONNMARK   tcp  --  any    any     anywhere             anywhere            ipp2p v0.8.1_rc1 --ipp2p CONNMARK restore
>    11456  2016247 ACCEPT     tcp  --  any    any     anywhere             anywhere            MARK match !0x0
>     2252   243905 MARK       tcp  --  any    any     anywhere             anywhere            ipp2p v0.8.1_rc1 --ipp2p MARK set 0x7
>     2252   243905 CONNMARK   tcp  --  any    any     anywhere             anywhere            ipp2p v0.8.1_rc1 --ipp2p CONNMARK save
>   183300 33333958 MARK       udp  --  any    any     anywhere             anywhere            ipp2p v0.8.1_rc1 --ipp2p MARK set 0x7
>
> Only a few Kbytes of TCP and a few Mbytes of UDP... but downloading was up at
> 320kbps all night
>
> ______________________________________
>
> Vaidas
>
> VDXnet systems administrator
> _______________________________________________
> LARTC mailing list
> LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
