Hey Andreas, how do I catch this traffic using the L7 filter? I've installed the l7
filter now, but I don't know how to use this kind of filter...!!!
Can you help me?
Thx.-

Terraja-based

2007/4/29, [EMAIL PROTECTED] <[EMAIL PROTECTED]>:

Send LARTC mailing list submissions to
       [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
       http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
or, via email, send a message with subject or body 'help' to
       [EMAIL PROTECTED]

You can reach the person managing the list at
       [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of LARTC digest..."


Today's Topics:

  1. Re: LARTC Digest, Vol 26, Issue 24 (terraja-based)
  2. Re: Re: LARTC Digest, Vol 26, Issue 24 (Alejandro Ramos Encinosa)
  3. Re: Re: LARTC Digest, Vol 26, Issue 24 (Andreas Mueller)
  4. Re: HFSC with tcng (Andreas Mueller)


----------------------------------------------------------------------

Message: 1
Date: Sat, 28 Apr 2007 16:33:16 -0300
From: terraja-based <[EMAIL PROTECTED]>
Subject: [LARTC] Re: LARTC Digest, Vol 26, Issue 24
To: [email protected]
Message-ID:
       <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"

Alejandro,




So, I tried the script that you gave me, and the problems continue.-
Maybe the problem is in the IPTABLES rules; I attach the complete script
below:

#####################
ifconfig imq0 up

tc qdisc add dev imq0 handle 1: root htb default 30
tc class add dev imq0 parent 1: classid 1:1 htb rate 500kbit ceil 2000kbit

tc class add dev imq0 parent 1:1 classid 1:10 htb rate 100kbit ceil 2000kbit
tc class add dev imq0 parent 1:1 classid 1:20 htb rate 100kbit ceil 2000kbit
tc class add dev imq0 parent 1:1 classid 1:30 htb rate 100kbit ceil 2000kbit

tc qdisc add dev imq0 parent 1:10 handle 2 sfq
tc qdisc add dev imq0 parent 1:20 handle 3 sfq

iptables -t mangle -A PREROUTING -i eth1 -j IMQ --todev 0

tc filter add dev imq0 parent 1: prio 0 protocol ip handle 2 fw flowid 1:10
tc filter add dev imq0 parent 1: prio 1 protocol ip handle 3 fw flowid 1:20
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 80 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 20 -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 21 -j MARK --set-mark 3
#####################


The traffic continues to go out via the "default" qdisc (1:30), and it was
not classified by the correct qdisc.
I tried an FTP transfer using TCP ports 20 and 21; this should
use the 1:20 qdisc associated with "handle 3"...BUT IT DID NOT WORK...!!!
Please, help me...!!!


--
terraja-based

------------------------------

Message: 2
Date: Sat, 28 Apr 2007 22:12:45 +0000
From: Alejandro Ramos Encinosa <[EMAIL PROTECTED]>
Subject: Re: [LARTC] Re: LARTC Digest, Vol 26, Issue 24
To: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain;  charset="iso-8859-15"

On Saturday 28 April 2007 19:33, terraja-based wrote:
> [...]
> iptables -t mangle -A PREROUTING -i eth1 -j IMQ --todev 0
>
> tc filter add dev imq0 parent 1: prio 0 protocol ip handle 2 fw flowid 1:10
> tc filter add dev imq0 parent 1: prio 1 protocol ip handle 3 fw flowid 1:20
> iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 80 -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 20 -j MARK --set-mark 3
> iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 21 -j MARK --set-mark 3
> [...]
> The traffic continues to go out via the "default" qdisc (1:30), and it was
> not classified by the correct qdisc.
Hmm, you are trying to "redirect" all packets from eth1 to imq0, and then you
are trying to mark packets for http and ftp connections. Well, I think you
need to change your configuration again: if you put '-j IMQ --todev 0' as the
first rule, then all packets will match and will not pass through the chain,
so any rule after that one will never match against a packet. You need to
mark packets first, and send them to the imq device later. Maybe something like
this:


--------------------------------8<-------------------------8<-----------------------------------
[...]
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 80 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 20 -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 21 -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -i eth1 -j IMQ --todev 0

tc filter add dev imq0 parent 1: prio 0 protocol ip handle 2 fw flowid 1:10
tc filter add dev imq0 parent 1: prio 1 protocol ip handle 3 fw flowid 1:20
[...]

--------------------------------8<-------------------------8<-----------------------------------

PS: as far as I know, marks 0, 1, and 2 are iptables marks (reserved marks),
so if I were you, I'd start marking with number 3 or greater.

--
Alejandro Ramos Encinosa <[EMAIL PROTECTED]>
Fac. Matemática Computación
Universidad de La Habana


------------------------------

Message: 3
Date: Sun, 29 Apr 2007 10:48:25 +0200
From: Andreas Mueller <[EMAIL PROTECTED]>
Subject: Re: [LARTC] Re: LARTC Digest, Vol 26, Issue 24
To: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii

Hallo terraja-based,



terraja-based wrote:
[snip]
> iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 80 -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 20 -j MARK --set-mark 3
> iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 21 -j MARK --set-mark 3
[snip]
> The traffic continues to go out via the "default" qdisc (1:30), and it was
> not classified by the correct qdisc.
[snip]

the marks you set here will be gone as soon as the packet leaves;
connmark could do the trick here.
Still, matching --sport on the imq device should do the job as well,
at least for http at port 80.
For ftp, passive mode (data) connections will go to the default class as
the server's port is chosen at runtime; to catch them better, use a
level-7 filter (e.g. http://sourceforge.net/projects/l7-filter/).

Bye, Andreas.
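
Alejandro's reordering (marks first, IMQ last) and Andreas's two suggestions (connmark, level-7 match) combined into one script, as an added example that is not from the thread and not the l7-filter project's own code. It assumes eth1/imq0 from the original script, marks starting at 3, the ftp conntrack helper loaded (so the related data connection picks up the control connection's connmark, which I assume here), and the layer7 iptables match (`-m layer7 --l7proto ftp`) shipped with l7-filter. The rules are printed for review rather than applied:

```sh
#!/bin/sh
# Added example, not from the thread.  Assumptions: ingress on eth1, IMQ device
# imq0, marks from 3 up (Alejandro's PS), the ftp conntrack helper loaded so the
# data connection inherits the control connection's connmark (assumed), and the
# l7-filter "layer7" iptables match available for FTP on non-standard ports.
IN_IF=${IN_IF:-eth1}
IMQ_DEV=${IMQ_DEV:-imq0}
MARK_HTTP=3   # fw filter -> class 1:10
MARK_FTP=4    # fw filter -> class 1:20

mangle_rules() {
    # Copy a mark already stored on the connection back onto the packet, so
    # later packets (and the related FTP data connection) skip classification.
    echo "iptables -t mangle -A PREROUTING -i $IN_IF -j CONNMARK --restore-mark"
    # Classify only still-unmarked packets (ACCEPT is avoided on purpose: it
    # would end the chain before the IMQ rule below is reached).
    echo "iptables -t mangle -A PREROUTING -i $IN_IF -m mark --mark 0 -p tcp --dport 80 -j MARK --set-mark $MARK_HTTP"
    echo "iptables -t mangle -A PREROUTING -i $IN_IF -m mark --mark 0 -p tcp --dport 21 -j MARK --set-mark $MARK_FTP"
    echo "iptables -t mangle -A PREROUTING -i $IN_IF -m mark --mark 0 -m layer7 --l7proto ftp -j MARK --set-mark $MARK_FTP"
    # Persist the packet mark on the connection for everything that follows.
    echo "iptables -t mangle -A PREROUTING -i $IN_IF -j CONNMARK --save-mark"
    # The IMQ redirect goes LAST: in the original script it came first, so the
    # MARK rules after it were never reached and everything fell into 1:30.
    echo "iptables -t mangle -A PREROUTING -i $IN_IF -j IMQ --todev ${IMQ_DEV#imq}"
}

tc_filters() {
    echo "tc filter add dev $IMQ_DEV parent 1: prio 1 protocol ip handle $MARK_HTTP fw flowid 1:10"
    echo "tc filter add dev $IMQ_DEV parent 1: prio 2 protocol ip handle $MARK_FTP fw flowid 1:20"
}

# Review check: the IMQ redirect must come after every (CONN)MARK rule.
check_order() {
    rules=$(mangle_rules)
    imq_line=$(printf '%s\n' "$rules" | grep -n -- '-j IMQ' | cut -d: -f1)
    last_mark=$(printf '%s\n' "$rules" | grep -n -- 'MARK' | cut -d: -f1 | tail -n 1)
    [ -n "$imq_line" ] && [ "$imq_line" -gt "$last_mark" ]
}

case "${1:-}" in
    print) mangle_rules; tc_filters ;;   # e.g.: sh thisfile print | sudo sh
    check) check_order && echo "rule order ok" ;;
esac
```

The layer7 match only fires once it has seen enough payload, so the first packets of an FTP session on a non-standard port still land in 1:30 until the connmark has been saved.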


------------------------------

Message: 4
Date: Sun, 29 Apr 2007 11:00:30 +0200
From: Andreas Mueller <[EMAIL PROTECTED]>
Subject: Re: [LARTC] HFSC with tcng
To: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii

Hi Simo,



Simo wrote:
> [...]
> I don't know how to use the HFSC queuing discipline with the tcng configuration
> language.  I always get this error: syntax error near "hfsc"
> [...]
> Is it possible that tcng provides no support for this classful hfsc queuing
> discipline?
> [...]

no, there is no such support and there might never be, because this project is
no longer under active development.

Andreas


------------------------------

_______________________________________________
LARTC mailing list
[email protected]
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


End of LARTC Digest, Vol 26, Issue 25
*************************************




--
terraja-based