On 02/11/2012 12:38, Lutfi ODUNCUOGLU wrote:
Hello,
I compiled nDPI-nefilter patch and it works fine. What I want is to
shape the p2p traffic in my network. For this purpose i just
implemented the nDPI-netfilter patch as two different ways for testing
iptables -t mangle -A POSTROUTING -o XXX -m ndpi --bittorrent -j
CONNMARK --set-mark 1
iptables -t mangle -A POSTROUTING -m connmark --mark 1 -j CLASSIFY
--set-class 0001:0010
or
iptables -t mangle -A POSTROUTING -m ndpi --bittorrent -j CLASSIFY
--set-class 0001:0010
So which one is more suitable for use? I don't know if this patch
inspects connections (marks connection) or every single packet (marks
every single) for a match.
I would be interested in your feedback on CPU usage for both actually?
Internally nDPI implements a "connection cache", which means that it
asks conntrack to maintain the connection, but internally it maintains a
cache of what protocol is matched to a given connection. This should be
quite similar to asking conntrack to --set-mark *if* you also have some
iptables to subsequently skip the test once the connection is marked?
So, either way, the connection gets marked at some point and thereafter
no CPU is expended checking the connection further. Of course theory
and practice aren't the same...
Just beware that the connection may only get marked several packets in,
ie the first few packets might not match anything, then the protocol
will be detected, thereafter the protocol is wedged as being detected as
that protocol. This can obviously mean several packets potentially
going out unmarked even if the connection is subsequently marked (not
normally a problem)
Grateful for your benchmarks!
Ed W
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
