Re: LARTC Digest, Vol 26, Issue 25

Linux Advanced Routing and Traffic Control


 



Hey Andreas, how do I catch this traffic using the L7 filter? I've installed l7-filter now, but I don't know how to use that kind of filter...!!!
Can you help me?
Thx.-

Terraja-based

2007/4/29, lartc-request@xxxxxxxxxxxxxxx <lartc-request@xxxxxxxxxxxxxxx>:

Today's Topics:

  1. Re: LARTC Digest, Vol 26, Issue 24 (terraja-based)
  2. Re: Re: LARTC Digest, Vol 26, Issue 24 (Alejandro Ramos Encinosa)
  3. Re: Re: LARTC Digest, Vol 26, Issue 24 (Andreas Mueller)
  4. Re: HFSC with tcng (Andreas Mueller)


----------------------------------------------------------------------

Message: 1
Date: Sat, 28 Apr 2007 16:33:16 -0300
From: terraja-based <drumlesson@xxxxxxxxx>
Subject: Re: LARTC Digest, Vol 26, Issue 24
To: lartc@xxxxxxxxxxxxxxx
Message-ID:
       <823158cf0704281233v1f4bd80dg719a78eb779021e1@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Alejandro,

So, I tried the script that you gave me, and the problems continue.
Maybe the problem is in the IPTABLES rules; I attach the complete script
below:

#####################
# bring up the IMQ device and build the HTB tree; unclassified traffic goes to 1:30
ifconfig imq0 up

tc qdisc add dev imq0 handle 1: root htb default 30
tc class add dev imq0 parent 1: classid 1:1 htb rate 500kbit ceil 2000kbit

tc class add dev imq0 parent 1:1 classid 1:10 htb rate 100kbit ceil 2000kbit
tc class add dev imq0 parent 1:1 classid 1:20 htb rate 100kbit ceil 2000kbit
tc class add dev imq0 parent 1:1 classid 1:30 htb rate 100kbit ceil 2000kbit

tc qdisc add dev imq0 parent 1:10 handle 2 sfq
tc qdisc add dev imq0 parent 1:20 handle 3 sfq

# redirect everything arriving on eth1 into imq0
iptables -t mangle -A PREROUTING -i eth1 -j IMQ --todev 0

# fw classifier: mark 2 -> class 1:10, mark 3 -> class 1:20
tc filter add dev imq0 parent 1: prio 0 protocol ip handle 2 fw flowid 1:10
tc filter add dev imq0 parent 1: prio 1 protocol ip handle 3 fw flowid 1:20
# mark http (80) and ftp (20, 21) traffic
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 80 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 20 -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 21 -j MARK --set-mark 3
#####################


The traffic still goes out through the "default" qdisc (1:30), and it is
not classified into the correct qdisc.
I tried an FTP transfer using TCP ports 20 and 21; this should
use the 1:20 qdisc associated with "handle 3"...BUT IT DID NOT WORK...!!!
Please, help me...!!!


--
terraja-based

------------------------------

Message: 2
Date: Sat, 28 Apr 2007 22:12:45 +0000
From: Alejandro Ramos Encinosa <alex@xxxxx>
Subject: Re: Re: LARTC Digest, Vol 26, Issue 24
To: lartc@xxxxxxxxxxxxxxx
Message-ID: <200704282212.46731.alex@xxxxx>
Content-Type: text/plain;  charset="iso-8859-15"

On Saturday 28 April 2007 19:33, terraja-based wrote:
> [...]
> iptables -t mangle -A PREROUTING -i eth1 -j IMQ --todev 0
>
> tc filter add dev imq0 parent 1: prio 0 protocol ip handle 2 fw flowid 1:10
> tc filter add dev imq0 parent 1: prio 1 protocol ip handle 3 fw flowid 1:20
> iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 80 -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 20 -j MARK --set-mark 3
> iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 21 -j MARK --set-mark 3
> [...]
> The traffic it continues goes out by the "default" qdisc (1:30), and it was
> not clasified by the correct qdisc.
Hmm, you are trying to "redirect" all packets from eth1 to imq0, and then you
are trying to mark packets for http and ftp connections. Well, I think you
need to change your configuration again: if you put '-j IMQ --todev 0' as the
first rule, then all packets will match it and will not pass through the rest
of the chain, so no rule after that one will ever match a packet. You need to
mark packets first, and send them to the imq device afterwards. Maybe something like this:

--------------------------------8<-------------------------8<-----------------------------------
[...]
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 80 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 20 -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 21 -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -i eth1 -j IMQ --todev 0

tc filter add dev imq0 parent 1: prio 0 protocol ip handle 2 fw flowid 1:10
tc filter add dev imq0 parent 1: prio 1 protocol ip handle 3 fw flowid 1:20
[...]
--------------------------------8<-------------------------8<-----------------------------------

PS: as far as I know, marks 0, 1, and 2 are iptables marks (reserved marks),
so if I were you, I would start marking with number 3 or greater.

--
Alejandro Ramos Encinosa <alex@xxxxx>
Fac. Matemática Computación
Universidad de La Habana


------------------------------

Message: 3
Date: Sun, 29 Apr 2007 10:48:25 +0200
From: Andreas Mueller <andreas@xxxxxxxxxxxxxxxxxx>
Subject: Re: Re: LARTC Digest, Vol 26, Issue 24
To: lartc@xxxxxxxxxxxxxxx
Message-ID: <20070429084825.GA3557@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii

Hello terraja-based,



terraja-based wrote:
[snip]
> iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 80 -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 20 -j MARK --set-mark 3
> iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 21 -j MARK --set-mark 3
[snip]
> The traffic it continues goes out by the "default" qdisc (1:30), and it was
> not clasified by the correct qdisc.
[snip]

the marks you set here will be gone as soon as the packet leaves;
connmark could do the trick here.
Still, matching --sport on the imq device should do the job as well,
at least for http on port 80.
For ftp, passive-mode (data) connections will go to the default class, as
the server's port is chosen at runtime; to catch them, better use a
level-7 filter (e.g. http://sourceforge.net/projects/l7-filter/).

Bye, Andreas.
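
As an added example that is not code posted in this thread: the shaping
script reworked along the lines of both replies above. Every MARK rule is
appended before the IMQ redirect (Alejandro's point), and CONNMARK saves the
mark on the connection so that later packets get it back with --restore-mark
(Andreas's point). Interface eth1, device imq0, the rates and the classes come
from the original post; the mark values 3 and 4, the variable names and the
helpers run, check_mangle_order and show_stats are assumptions made here.
Commands are printed rather than executed unless APPLY=1 is set, so the rule
order can be reviewed before the script touches a router.

```shell
#!/bin/sh
# Added example (not from the thread): IMQ shaping script with the mark rules
# ordered before the IMQ redirect and CONNMARK carrying the mark per connection.
# Interface, device, rates and mark values are assumptions lifted from the post.

IFACE="${IFACE:-eth1}"
IMQDEV="${IMQDEV:-imq0}"
MARK_HTTP=3   # start at 3, following the advice in the thread (assumption)
MARK_FTP=4
APPLY="${APPLY:-0}"   # APPLY=1 runs the commands; anything else prints them

run() {
    if [ "$APPLY" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# HTB tree on the IMQ device; anything without a matching mark lands in 1:30.
setup_qdisc() {
    run ip link set dev "$IMQDEV" up
    run tc qdisc add dev "$IMQDEV" root handle 1: htb default 30
    run tc class add dev "$IMQDEV" parent 1: classid 1:1 htb rate 500kbit ceil 2000kbit
    run tc class add dev "$IMQDEV" parent 1:1 classid 1:10 htb rate 100kbit ceil 2000kbit
    run tc class add dev "$IMQDEV" parent 1:1 classid 1:20 htb rate 100kbit ceil 2000kbit
    run tc class add dev "$IMQDEV" parent 1:1 classid 1:30 htb rate 100kbit ceil 2000kbit
    run tc qdisc add dev "$IMQDEV" parent 1:10 handle 10: sfq
    run tc qdisc add dev "$IMQDEV" parent 1:20 handle 20: sfq
    run tc qdisc add dev "$IMQDEV" parent 1:30 handle 30: sfq
}

# fw classifier: the firewall mark on the packet selects the HTB class.
setup_filters() {
    run tc filter add dev "$IMQDEV" parent 1: protocol ip prio 1 handle "$MARK_HTTP" fw flowid 1:10
    run tc filter add dev "$IMQDEV" parent 1: protocol ip prio 2 handle "$MARK_FTP" fw flowid 1:20
}

# Mangle rules in the order that matters: restore a saved mark, classify
# still-unmarked packets, save the mark, and only then hand off to IMQ.
setup_mangle() {
    run iptables -t mangle -A PREROUTING -i "$IFACE" -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -i "$IFACE" -m mark --mark 0 -p tcp --dport 80 \
        -j MARK --set-mark "$MARK_HTTP"
    run iptables -t mangle -A PREROUTING -i "$IFACE" -m mark --mark 0 -p tcp -m multiport --dports 20,21 \
        -j MARK --set-mark "$MARK_FTP"
    run iptables -t mangle -A PREROUTING -i "$IFACE" -m mark ! --mark 0 -j CONNMARK --save-mark
    run iptables -t mangle -A PREROUTING -i "$IFACE" -j IMQ --todev 0
}

# Guard against the ordering mistake discussed in the thread: reads iptables
# commands on stdin and succeeds only if the IMQ redirect is the last rule
# appended to mangle PREROUTING and at least one MARK rule comes before it.
check_mangle_order() {
    awk '
        /-t mangle -A PREROUTING/ {
            n++
            if ($0 ~ /-j MARK/) marks++
            if ($0 ~ /-j IMQ/)  imq = n
        }
        END { exit (imq > 0 && imq == n && marks > 0) ? 0 : 1 }
    '
}

# Counters to confirm that marked packets actually reach 1:10 and 1:20.
show_stats() {
    run tc -s class show dev "$IMQDEV"
    run iptables -t mangle -L PREROUTING -v -n
}

setup_qdisc
setup_filters
setup_mangle
```

Run it once without APPLY to read the generated rules, then with APPLY=1 as
root on a kernel with the imq module and an iptables build that has the IMQ
and CONNMARK targets. After an FTP or HTTP transfer, show_stats should show the
byte counters of 1:10 and 1:20 moving rather than only 1:30. Whether passive
FTP data connections are caught depends on the ftp conntrack helper being
loaded, which lets the expected data connection inherit the control
connection's mark; verify that with the counters rather than assuming it.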


------------------------------

Message: 4
Date: Sun, 29 Apr 2007 11:00:30 +0200
From: Andreas Mueller <andreas@xxxxxxxxxxxxxxxxxx>
Subject: Re: HFSC with tcng
To: lartc@xxxxxxxxxxxxxxx
Message-ID: <20070429090030.GB3557@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii

Hi Simo,



Simo wrote:
> [...]
> I don't know how to use the HFSC queuing discipline with the tcng configuration
> language.  I always get this error: syntax error near "hfsc"
> [...]
> Is it possible that tcng provides no support for this classful hfsc queuing
> discipline?
> [...]

no, there is no such support, and there might never be, because this project is
no longer under active development.

Andreas


------------------------------

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


End of LARTC Digest, Vol 26, Issue 25
*************************************



--
terraja-based