[LARTC] Detect and mark 'bulk' http traffic

2006-03-15 Thread Andrew Beverley
To give fast web browsing on my network, I prioritise http traffic by marking it all into a high priority band ('30'). This generally works quite well, as unidentified traffic such as p2p falls by default into a lower priority band ('40'). However, I would like to de-prioritise anyone doing large

[LARTC] Delay when changing DNAT rules

2006-03-19 Thread Andrew Beverley
Whenever I add or remove a DNAT rule such as: iptables -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.1 there is sometimes a delay before the correct nat'ing is done. Can anyone tell me why this is? Is it something to do with caching of routing tables? If so, is there a way

Re: [LARTC] icmp latency question

2006-05-02 Thread Andrew Beverley
Our company's main line is quite busy the whole day and my shaping is working perfect, however even if I give icmp priority the pings still jump around quite a bit. Sorry, I don't want to offend you, but your mail has been the cause for the first good laugh of the day. It may have been a

Re: [LARTC] icmp latency question

2006-05-07 Thread Andrew Beverley
Many thanks for the reply. sfq's default queue of 128 may cause you some pain. You could try a pfifo 10 or recompile after modifying sch_sfq.c in your kernel tree. I tried the above (modifying to 10) but didn't notice much difference. Also, using the prio parameter with htb may not do what

Re: [LARTC] linux transparent bridge running squid

2006-07-21 Thread Andrew Beverley
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128 This is the same line I use and it works fine. What exactly is the problem? Is it clients don't use squid, clients can't access the web, or what? Andy ___ LARTC

Re: [LARTC] patching iptables for connlimit

2006-07-26 Thread Andrew Beverley
the patch described at http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-3.html#ss3.5 works for the FORWARD chain as well ? Yes I've just tried it and it works fine. If you want to use connlimit and you're using a recent kernel you'll need to take a look at the

[LARTC] Traffic monitor with view of MARK

2006-07-30 Thread Andrew Beverley
Hi, Does anyone know of a traffic monitoring program that will display a connection's MARK value as well as the normal information such as current rate? I use iptraf and ntop at the moment but neither seem capable of displaying a connection's MARK value. Thanks, Andy

Re: [LARTC] Strategy for penalising IPs with too many simultaneous sessions

2006-11-05 Thread Andrew Beverley
What I would like to do instead is allow the user to use any protocol they like, with the caveat that attempting to open many connections simultaneously will result in a steadily decreasing share of the pipe, rather than a steadily increasing one. I solved this in a similar but slightly

Re: [LARTC] need bandwidth manager

2006-11-15 Thread Andrew Beverley
I want to install and configure bandwidth manager using Redhat Linux server, I saw the codes to use from website but the problem is how to apply the code, will I be entering the code one after the other at shell prompt or put it in a notepad or how can I use the codes? You can do either,

Re: [LARTC] LARTC Wiki

2007-01-23 Thread Andrew Beverley
I'm not aware of one, and I think it's an excellent idea. There's some great software available for LARTC, and some of the documentation is very good, but unfortunately it's all a bit disparate. A wiki would be a great start. I'd be happy to host one and transfer stuff into it unless someone

Re: [LARTC] Problems with HTB. Help!

2007-02-08 Thread Andrew Beverley
I've never tried marking packets the way that you're doing it, so not sure if it should work. Have you tried marking with iptables instead? Something like: iptables -t mangle -A FORWARD --source 192.168.200.163 -j CLASSIFY --set-class 2:12 This will of course match all packets going both ways.

Re: [LARTC] Marks not working...

2007-02-08 Thread Andrew Beverley
Are you using your firewall as a router, ie is the p2p traffic coming from another PC through the firewall? If so, I think your rules need to go in the FORWARD chain not in the OUTPUT chain. Another thing to remember is that ipp2p is not 100% reliable at matching. Have you tried something

RE: [LARTC] Problems with HTB. Help!

2007-02-08 Thread Andrew Beverley
That's an interesting way to mark (or should I say classify) packets with IPTABLES. The one I'm using currently (and which I forgot to add to my initial query) was this: $IPTABLES -t mangle -A PREROUTING -s 192.168.200.163 -j MARK --set-mark 1 To be honest, I use the MARK target as well. I

RE: [LARTC] Problems with HTB. Help!

2007-02-08 Thread Andrew Beverley
On Thu, 2007-02-08 at 06:52 +1100, Anthony Kamau wrote: Thanks Andy. I changed 'classid' back to 'flowid' but whenever I run the script, it throttles both uploads and downloads to the set rate - can you see why this would happen by perusing my script? I'm thinking that the virtualization

RE: [LARTC] Problems with HTB. Help!

2007-02-08 Thread Andrew Beverley
On Thu, 2007-02-08 at 19:39 +1100, Anthony Kamau wrote: -Original Message- From: Andrew Beverley [mailto:[EMAIL PROTECTED] Sent: Thursday, 8 February 2007 7:06 To: Anthony Kamau Cc: 'LARTC' Subject: RE: [LARTC] Problems with HTB. Help! I don't think the virtualization

Re: [LARTC] Re: GPL Software for Small ISP

2007-02-08 Thread Andrew Beverley
It is not just browsing ...or HTTP... it is every thing... I want a GPL package for a small ISP I think you're probably limited in what you could cache other than HTTP. I suggest you have a look at some of the examples of fair traffic shaping using linux. I can send you my script if you

Re: [LARTC] tc class add syntax

2007-02-08 Thread Andrew Beverley
What is wrong in this line? tc class add dev eth1 parent 1:1 classid 1:521df18 htb rate 2Kbit ceil 24000Kbit prio 3 quantum 2000 I know the classid is wrong, but what is the correct syntax? The syntax looks fine to me. What is the error you're getting?

Re: [LARTC] Re: GPL Software for Small ISP

2007-02-08 Thread Andrew Beverley
On Thu, 2007-02-08 at 23:01 +0200, Bogdan Hojda wrote: Andrew Beverley wrote: It is not just browsing ...or HTTP... it is every thing... I want a GPL package for a small ISP I think you're probably limited in what you could cache other than HTTP. I suggest you have a look at some

RE: [LARTC] Problems with HTB. Help!

2007-02-09 Thread Andrew Beverley
On Fri, 2007-02-09 at 20:52 +1100, tkb2766 wrote: -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Beverley Sent: Friday, 9 February 2007 4:24 To: Anthony Kamau Cc: 'LARTC' Subject: RE: [LARTC] Problems with HTB. Help! Can you

Re: [LARTC] need help with tc filters

2007-02-09 Thread Andrew Beverley
On Thu, 2007-02-08 at 21:53 -0500, Jim Lawson wrote: Hi, I am attempting to set up some simple outbound shaping following the LARTC HOWTO. The HTB qdisc seems to work as the documentation says, but my filters don't seem to be working. All of the packets go to the default queue

Re: [LARTC] Opinions about pom/patches [was: iptables 1.3.7, kernel 2.6.19, ROUTE and Layer7 issues]

2007-02-09 Thread Andrew Beverley
On Wed, 2007-01-31 at 03:58 +0100, Pablo Neira Ayuso wrote: Andrew Beverley wrote: I would also like to see as many of the POM included in the stable kernel. It's a bit of a headache to patch in what I want each time I update the kernel, and on a fresh system I have to install CURL just

Re: [LARTC] Opinions about pom/patches [was: iptables 1.3.7, kernel 2.6.19, ROUTE and Layer7 issues]

2007-02-09 Thread Andrew Beverley
I would also like to see as many of the POM included in the stable kernel. It's a bit of a headache to patch in what I want each time I update the kernel, and on a fresh system I have to install CURL just to update POM just to add connlimit to the kernel... IMHO, patching kernels to

RE: [LARTC] Problems with HTB. Help!

2007-02-10 Thread Andrew Beverley
On Sat, 2007-02-10 at 10:36 +1100, tkb2766 wrote: -Original Message- From: Andrew Beverley [mailto:[EMAIL PROTECTED] Sent: Saturday, 10 February 2007 0:01 To: tkb2766 Cc: 'LARTC' Subject: RE: [LARTC] Problems with HTB. Help! I see the problem. You're using a default of 13

RE: [LARTC] Problems with HTB. Help!

2007-02-10 Thread Andrew Beverley
On Sat, 2007-02-10 at 12:08 +1100, tkb2766 wrote: -Original Message- From: Andrew Beverley [mailto:[EMAIL PROTECTED] Sent: Saturday, 10 February 2007 0:01 To: tkb2766 Cc: 'LARTC' Subject: RE: [LARTC] Problems with HTB. Help! I see the problem. You're using a default

Re: [LARTC] need help with tc filters

2007-02-10 Thread Andrew Beverley
Thanks, those filters that you sent do work. So, any tips? Is the prio qdisc superfluous if I am already using htb? No, prio is used by HTB to decide how it should divide up any spare bandwidth. See the HTB documentation at: http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm#prio What

RE: [LARTC] Problems with HTB. Help!

2007-02-10 Thread Andrew Beverley
Can you send your modified rules then that you say still 'did not work'? Below is how I now have it: = #!/bin/bash # Whole purpose of this is to slow the P2P server down! ### #

RE: [LARTC] Problems with HTB. Help!

2007-02-10 Thread Andrew Beverley
iptables -t mangle -A FORWARD -o eth1 --source 10.0.14.250 -p tcp \ --sport 6881 -j CLASSIFY --set-class 2:12 seems to do the trick. You'll need to change tcp to udp if it's UDP that you want to match rather than TCP. I tried using the CLASSIFY target in IPTABLES,

RE: [LARTC] Problems with HTB. Help!

2007-02-10 Thread Andrew Beverley
On Sun, 2007-02-11 at 00:21 +1100, tkb2766 wrote: -Original Message- From: Andrew Beverley [mailto:[EMAIL PROTECTED] Sent: Saturday, 10 February 2007 23:27 To: tkb2766 Cc: 'LARTC' Subject: RE: [LARTC] Problems with HTB. Help! Hmmm not sure. No harm in upgrading I guess

Re: [LARTC] IP rate or Ethernet rate ?

2007-02-12 Thread Andrew Beverley
Just a question, the rate values used to configure a class, are they an IP rate or an Ethernet rate? Do you mean is the rate per IP address or for the whole of the interface? If so, then the rate is the total for that interface.

Re: [LARTC] Equalize traffic within 1 class.

2007-02-12 Thread Andrew Beverley
I need to know how to equalize traffic within 1 class. I have so many bulk users within 1 class and I should equalize traffic to their nodes so they get fair traffic. Is SFQ able to handle this? You need the ESFQ patch. Check the archives for more information as it's just been discussed in

Re: [LARTC] IP rate or Ethernet rate ?

2007-02-12 Thread Andrew Beverley
On Mon, 2007-02-12 at 14:53 +0200, Alexandru Dragoi wrote: Andrew Beverley wrote: Just a question, the rate values used to configure a class, are they an IP rate or an Ethernet rate? Do you mean is the rate per IP address or for the whole of the interface? If so

Re: [LARTC] Modifying traffic shaping rates according to the amount of active users

2007-02-18 Thread Andrew Beverley
I'm trying to divide my bandwidth between different services, but I'd like to take into account the number of active users. For example, I want to divide my bandwidth between HTTP and SMTP and guarantee HTTP 80% of the bandwidth. However, I have many users on my system (tens of thousands)

Re: [LARTC] Re: what's wrong?

2007-02-22 Thread Andrew Beverley
On Thu, 2007-02-22 at 14:30 +0100, francesco messineo wrote: On 2/22/07, francesco messineo [EMAIL PROTECTED] wrote: # iptables -t mangle -A POSTROUTING -m mark --mark ! 0 -j ACCEPT iptables v1.3.3: Bad MARK value `!' I'm puzzled, what's wrong with this syntax? kernel is

Re: [LARTC] Conntrack table full and Heavy p2p loaded traffic manager ...

2007-02-24 Thread Andrew Beverley
I've set up a bridge with l7-filter and ipp2p. We have every day + or - between 10Mbits and 30 Mbits P2P traffic from + or - 450 customers. When traffic increases, I've got this kind of error message: Feb 23 14:26:19 gestor1 kernel: printk: 38 messages suppressed. Feb 23 14:26:19

Re: [LARTC] Re: IMQ KERNEL PANIC 2.6.17.14 AND 2.6.21.1 No chain/target/match by that name

2007-05-08 Thread Andrew Beverley
2.6.20.11 iptables command works, but I still get kernel panic :/ What is the problem in redirecting local traffic to IMQ? I redirect squid traffic to the IMQ device. [I need this behaviour] You could try IFB, which is already in the vanilla kernel. However, it is slightly more limited as

Re: [LARTC] How to fight with encrypted p2p

2007-12-02 Thread Andrew Beverley
I believe that whole question is in topic. Is there any way to recognize ( and then shape ) p2p traffic which is encrypted? Modern p2p clients have this ability moreover some of them have this enabled by default. Now I'm using ipp2p for iptables but as I know this doesn't recognize

Re: [LARTC] How to fight with encrypted p2p

2007-12-03 Thread Andrew Beverley
I believe fighting is the wrong approach. Badly shaping the wrong traffic is just as bad, if not worse IMO. An ISP in my neck of the woods plays havoc with encrypted mail (SMTP + TLS as well as IMAPS) as a result of their P2P fight. Needless to say we no longer use them, and we encourage

Re: [LARTC] List fault?

2011-05-04 Thread Andrew Beverley
On Wed, 2011-05-04 at 09:52 +1200, Don Gould wrote: I'm getting a small stream of old posts and spam off this list. Are others seeing same? I've just had a load. Maybe they were a pile of messages that were held for moderation and have just all been approved? Would be nice to see some

Re: [LARTC] WHY DO I GET MESSAGES from the list now, if I am unsubscribed since years?

2011-05-04 Thread Andrew Beverley
On Wed, 2011-05-04 at 00:11 +0200, Michelle Konzack wrote: WHY DO I GET MESSAGES from the list if I am unsubscribed since years? Are you sure you were unsubscribed? The list has been very quiet for a long time... Andy

Re: [LARTC] List fault?

2011-05-04 Thread Andrew Beverley
On Wed, 2011-05-04 at 13:06 -0500, Grant Taylor wrote: On 05/04/11 12:03, Radu Oprisan wrote: I can set-up another mailing list in the morning (8 PM now, EEST). Think we can get somebody else to join? I'm not opposed to a new mailing list in and of its self. However I think that this

Re: [LARTC] List fault?

2011-05-04 Thread Andrew Beverley
On Wed, 2011-05-04 at 14:56 -0700, Joe Perches wrote: On Wed, 2011-05-04 at 14:11 -0500, Grant Taylor wrote: On 05/04/11 13:37, Radu Oprisan wrote: True. We shall wait then for more information. On the other hand, I will try to contact LARTC in order to ask them for permission to take

Re: [LARTC] List fault?

2011-05-05 Thread Andrew Beverley
On Thu, 2011-05-05 at 12:10 +1000, Russell Stuart wrote: A list on vger.kernel.org does seem like a workable solution. So who is in favour of doing this ASAP - like within the next few weeks or so? +1 ___ LARTC mailing list LARTC@mailman.ds9a.nl