Re: [LARTC] Sip Traffic
Hi,

Why not just use the "--helper sip" extension in iptables with ip_conntrack_sip loaded? That would see and track RTP traffic on the machine.

Please, if you do, send me feedback about the module.
Thanks.
CH.

Quoting Marius Corici [EMAIL PROTECTED]:

> Why not just prioritize everything that comes to/from that SIP phone? So forget about ports, just prioritize the IP address? Use the IP address to identify traffic you want to move with elevated priority. Just a thought...
>
> If we got to this, what if the end user is a laptop and wants to do eMule too? I am just asking, maybe there is an idea here...
>
> Marius

__
Register at http://servicios.arnet.com.ar/registracion/registracion.asp?origenid=9 and enjoy all the benefits of the Portal Arnet.
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Re: [LARTC] EBTables, iproute, etc.
Ron,

: Today: To get traffic for our IDS sensors and a billing system,
: we collect everything at our core switches (2) by connecting a
: SPAN port from each switch to a server (so, 2 interfaces
: collecting traffic). That server changes the destination MAC
: address on all traffic to that of another server running iproute
: and sends it out a third interface. The server running iproute
: collects the traffic on one interface, and sends traffic to
: different sub interfaces depending on the network; a switch
: connected to the outgoing traffic allows connection of the IDS
: sensors, billing system, etc.

This, right?

              --- two SPAN ports
             /
  +--------+/        +----------+     +----------+
  | switch |---------|          |     |          |
  +========+         | eth_rewr |-----| p_router |----- other systems
  | switch |---------|          |     |          |
  +--------+         +----------+     +----------+

So, you essentially want to conflate the eth_rewr box and the p_router box, correct?

: 1. Just run iproute, having it take the traffic from the SPAN
:    ports and policy route without having to have the first server
:    change destination MAC addresses.
:
:    a. Can iproute do policy routing on traffic not destined for it in
:       the first place (i.e. by having the interfaces in
:       promiscuous mode)?
:
:    b. If not, then does iproute contain functionality that would allow
:       it to sense all traffic and change the destination MAC
:       address or IP address?

Strictly speaking, the problem here doesn't have anything at all to do with iproute. The switch is transmitting frames with Ethernet headers bound for their real destinations. The eth_rewr box simply rewrites the Ethernet frame headers so that they have the MAC address of the p_router interface. I can't see how this proposed solution will be viable for you.

: 2. Have EBTables and iproute running on the same box if #1 above isn't
:    possible.
:
:    a. Can we do this without having to have more interfaces in the
:       box, connected to each other with crossover cables?

I think this approach is much more likely to yield fruit, although I have not yet done anything like this.
Consider using the ebtables broute/BROUTING table/chain. You may find this documentation [0] helpful in looking at the problem again. In particular, Joshua Snyder's diagram [1] should be able to illustrate to you a possible solution where ebtables and iproute are running on the same box. To quote from the ebtables manpage:

  The targets DROP and ACCEPT have special meaning in the broute table.
  DROP actually means the frame has to be routed, while ACCEPT means
  the frame has to be bridged.

Thus, you should be able to do something like the following on the policy router (assume your MAC on eth1/br0 is 00:80:c8:e8:1e:fc):

  ebtables --table broute \
      --append BROUTING \
      --in-if eth1 \
      --dst ! 00:80:c8:e8:1e:fc \
      --jump redirect --redirect-target DROP

So, now you have frames leaping happily up to the IP stack and your policy router. I don't know what the performance implications are of running both ebtables and policy routing on the same machine.

Good luck,

-Martin

[0] http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html
[1] http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png

--
Martin A. Brown
http://linux-ip.net/
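The BROUTING rule Martin gives, modelled in Python as an added example (not from the post, nor ebtables' own code): it parses a raw Ethernet header and applies the rule's decision, including the destination-MAC rewrite the redirect target performs before returning DROP (= route). The peer MACs and frames are constructed; the remark about broadcast frames is this example's own observation about the negated --dst test.

```python
import struct

# Constructed values: the bridge MAC from the post and two made-up peers.
OWN_MAC = bytes.fromhex("0080c8e81efc")      # 00:80:c8:e8:1e:fc, eth1/br0
PEER_A = bytes.fromhex("001122334455")       # constructed example host
PEER_B = bytes.fromhex("66778899aabb")       # constructed example host
BROADCAST = b"\xff" * 6

def parse_ethernet(frame):
    """Return (dst, src, ethertype, payload) from a raw frame; reject runts."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return frame[:6], frame[6:12], ethertype, frame[14:]

def build_frame(dst, src, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19):
    """Assemble a frame; the default payload is a constructed IPv4 header stub."""
    return dst + src + struct.pack("!H", ethertype) + payload

def broute(frame, in_if, own_mac=OWN_MAC, watched_if="eth1"):
    """Model the single BROUTING rule from the post:
         --in-if eth1 --dst ! <own_mac> --jump redirect --redirect-target DROP
    In the broute table DROP means 'route' (hand the frame to the IP stack) and
    ACCEPT means 'bridge', so a match returns ("route", frame) with the
    destination MAC rewritten to our own, which is what the redirect target does;
    anything else falls through to the chain's default ACCEPT and is bridged."""
    dst, src, ethertype, payload = parse_ethernet(frame)
    if in_if == watched_if and dst != own_mac:
        return "route", build_frame(own_mac, src, ethertype, payload)
    return "bridge", frame

def mac_str(raw):
    """Render six raw bytes as colon-separated hex, as ebtables prints them."""
    return ":".join("%02x" % b for b in raw)

# Observation of this example (not from the post): the negated --dst test also
# matches broadcast and multicast, so an ARP request arriving on eth1 is
# diverted to the IP stack rather than bridged, unless an earlier rule ACCEPTs it.
if __name__ == "__main__":
    for label, frame, iface in [
        ("unicast to peer, eth1", build_frame(PEER_A, PEER_B), "eth1"),
        ("unicast to us, eth1", build_frame(OWN_MAC, PEER_B), "eth1"),
        ("broadcast ARP, eth1", build_frame(BROADCAST, PEER_B, 0x0806), "eth1"),
        ("unicast to peer, eth0", build_frame(PEER_A, PEER_B), "eth0"),
    ]:
        action, out = broute(frame, iface)
        print("%-24s -> %-6s dst now %s" % (label, action, mac_str(out[:6])))
```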
[LARTC] Backlog with less rate than defined
Hi all,

I set up a Linux machine to act as a LAN authentication server. So, the same script that redirects the HTTP connection to a login web page creates some queues to limit traffic, login by login. The PC uses only one Ethernet interface, which receives the packets source-routed to it and forwards/NATs them to the external gateway using the same interface. For each login I create a queue like this:

  tc class add dev $if_externa parent 1:1 classid 1:$filaDown htb rate ${banda_down}kbit ceil ${banda_down}kbit prio 1
  tc filter add dev $if_externa protocol ip parent 1:0 prio 1 handle ::$filaDown u32 match ip dst $ipcliente/32 flowid 1:$filaDown

My problem is that most of the queues created do NOT get the full rate as defined. I can see the packets entering the backlog at a much lower rate than defined, e.g.:

  class htb 1:b1 parent 1:1 prio 1 rate 256Kbit ceil 256Kbit burst 1926b cburst 1926b
   Sent 6644151 bytes 5435 pkts (dropped 0, overlimits 0) rate 669bps backlog 107p

Some help?

Thanks in advance,
Luciano Lima
RE: [LARTC] Sip Traffic
This post is from Samuel Garcia. (Thank you.)

> I tried it with kernel 2.6.15.x and many pom-ng patches and those modules
> (conntrack and nat) hang up the system.
>
> I don't recommend it, at least for now over the 2.6.x kernel series.
>
> Regards
>
>> Hi,
>> Why not just use the "--helper sip" extension in
>> iptables with ip_conntrack_sip loaded? That would see and track
>> RTP traffic on the machine.
>>
>> Please, if you do, send me feedback about the module.
>> Thanks.
>> CH.
>>
>> Quoting Marius Corici [EMAIL PROTECTED]:
>>
>>> Why not just prioritize everything that comes to/from that
>>> SIP phone? So forget about ports, just prioritize the IP address? Use the
>>> IP address to identify traffic you want to move with elevated priority. Just a
>>> thought...
>>>
>>> If we got to this, what if the end user is a laptop and wants
>>> to do eMule too? I am just asking, maybe there is an idea here...
>>>
>>> Marius
RE: [LARTC] Sip Traffic
Hi,

Well, there's a line to change in ip_conntrack_sip.c. The 'hangup' is because of the ip_ct_refresh() function. That's documented BTW on the netfilter list. I'm sorry, I don't have the time to submit a patch to the netfilter svn. I'll try to do it.

Cheers.

Christian Hentschel

Quoting LinuXKiD [EMAIL PROTECTED]:

> This post is from Samuel Garcia. (Thank you.)
>
>> I tried it with kernel 2.6.15.x and many pom-ng patches and those modules
>> (conntrack and nat) hang up the system.
>>
>> I don't recommend it, at least for now over the 2.6.x kernel series.
>>
>> Regards
>>
>>> Hi,
>>> Why not just use the "--helper sip" extension in
>>> iptables with ip_conntrack_sip loaded? That would see and track
>>> RTP traffic on the machine.
>>>
>>> Please, if you do, send me feedback about the module.
>>> Thanks.
>>> CH.
>>>
>>> Quoting Marius Corici [EMAIL PROTECTED]:
>>>
>>>> Why not just prioritize everything that comes to/from that
>>>> SIP phone? So forget about ports, just prioritize the IP address? Use the
>>>> IP address to identify traffic you want to move with elevated priority. Just a
>>>> thought...
>>>>
>>>> If we got to this, what if the end user is a laptop and wants
>>>> to do eMule too? I am just asking, maybe there is an idea here...
>>>>
>>>> Marius
Re: [LARTC] Backlog with less rate than defined
Luciano wrote:

> Hi all,
>
> I set up a Linux machine to act as a LAN authentication server. So, the same script that redirects the HTTP connection to a login web page creates some queues to limit traffic, login by login. The PC uses only one Ethernet interface, which receives the packets source-routed to it and forwards/NATs them to the external gateway using the same interface. For each login I create a queue like this:
>
>   tc class add dev $if_externa parent 1:1 classid 1:$filaDown htb rate ${banda_down}kbit ceil ${banda_down}kbit prio 1
>   tc filter add dev $if_externa protocol ip parent 1:0 prio 1 handle ::$filaDown u32 match ip dst $ipcliente/32 flowid 1:$filaDown
>
> My problem is that most of the queues created do NOT get the full rate as defined. I can see the packets entering the backlog at a much lower rate than defined, e.g.:
>
>   class htb 1:b1 parent 1:1 prio 1 rate 256Kbit ceil 256Kbit burst 1926b cburst 1926b
>    Sent 6644151 bytes 5435 pkts (dropped 0, overlimits 0) rate 669bps backlog 107p

Htb's rate average can be quite long and misleading. I would tcpdump and see whether the rate looks OK with that. If not, see what the dequeue behaviour is. You don't show all your rules; if you are using an htb default class on root and shaping eth, remember ARP will get delayed there unless you filter it elsewhere.

Andy.
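As an added example (not from the thread) of reading the figures Luciano pasted before acting on them as Andy suggests: a small Python parser for `tc -s class show` output that normalises tc's units (tc prints "bit" for bits per second and "bps" for bytes per second, so 669bps is 5352 bit/s against a 256Kbit class) and flags classes holding a backlog while reporting a small fraction of their configured rate. The sample output is constructed from the two lines in the thread plus an invented root class.

```python
import re

# Constructed sample: the two lines quoted in the thread, as `tc -s class show
# dev $if_externa` printed them on iproute2 of that era, plus an invented root.
TC_OUTPUT = """\
class htb 1:1 root rate 2048Kbit ceil 2048Kbit burst 3000b cburst 3000b
 Sent 9000000 bytes 8000 pkts (dropped 0, overlimits 0) rate 20000bps backlog 0p
class htb 1:b1 parent 1:1 prio 1 rate 256Kbit ceil 256Kbit burst 1926b cburst 1926b
 Sent 6644151 bytes 5435 pkts (dropped 0, overlimits 0) rate 669bps backlog 107p
"""

# tc's unit conventions: "bit" is bits/s, "bps" is BYTES/s; k/K = 1000, m/M = 1e6.
_MULT = {"": 1, "k": 1_000, "m": 1_000_000, "g": 1_000_000_000}

def rate_to_bits(token):
    """Normalise a tc rate token such as '256Kbit' or '669bps' to bits/s."""
    m = re.fullmatch(r"(\d+)([kKmMgG]?)(bit|bps)", token)
    if not m:
        raise ValueError("unrecognised tc rate token: %r" % token)
    value = int(m.group(1)) * _MULT[m.group(2).lower()]
    return value * 8 if m.group(3) == "bps" else value

_HEAD = re.compile(r"class htb (\S+) (?:parent (\S+)|root) .*?rate (\S+) ceil (\S+)")
_STATS = re.compile(r"\s*Sent (\d+) bytes (\d+) pkts? \(dropped (\d+), overlimits (\d+)\)"
                    r" rate (\S+) backlog (\d+)p")

def parse_htb_classes(output):
    """Pair each 'class htb' header with the 'Sent ...' statistics line under it."""
    classes = []
    for line in output.splitlines():
        head = _HEAD.match(line)
        if head:
            classes.append({"classid": head.group(1), "parent": head.group(2),
                            "rate_bits": rate_to_bits(head.group(3)),
                            "ceil_bits": rate_to_bits(head.group(4))})
            continue
        stats = _STATS.match(line)
        if stats and classes:
            c = classes[-1]
            c.update(sent_bytes=int(stats.group(1)), pkts=int(stats.group(2)),
                     dropped=int(stats.group(3)), overlimits=int(stats.group(4)),
                     observed_bits=rate_to_bits(stats.group(5)),
                     backlog_pkts=int(stats.group(6)))
            c["utilisation"] = c["observed_bits"] / c["rate_bits"]
    return classes

def starved_classes(classes, threshold=0.25):
    """Classes that hold a backlog yet report well under their configured rate,
    the symptom in the thread; confirm with tcpdump before trusting htb's estimate."""
    return [c["classid"] for c in classes
            if c.get("backlog_pkts", 0) > 0 and c.get("utilisation", 1.0) < threshold]
```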