l7-filter

iwik
Post subject: l7-filter  Posted: 02.10.2005 - 12:47 #23519
Basic
Joined: Feb 05, 2003
Posts: 118
Location: Bratislava
Hi all. Does anyone have any experience with l7-filter? I'm interested in what hardware you run it on and how many rules it can handle. Thanks.
mgx
Post subject: RE: l7-filter  Posted: 02.10.2005 - 19:16 #23529
Guru
Joined: Dec 27, 2002
Posts: 1505

I use filters of my own design. They manage to shape networks with >1000 users (well, so far nobody has complained to me that it doesn't work). Of course, it needs a decent machine (2 GHz?).
iwik
Post subject: RE: l7-filter  Posted: 02.10.2005 - 19:43 #23531
Basic
Joined: Feb 05, 2003
Posts: 118
Location: Bratislava
Situation: users have various links, say download 64 to 256 kbit, upload 64 kbit. I wanted to set it up so that P2P runs at a maximum of those 64 kbit for everyone, and the rest of the traffic normally up to 256 kbit. So I created an HTB subclass for P2P for each user. (That's all OK, no problem.) The problem came when I wanted to load the iptables rules:
Code:
iptables -t mangle -A POSTROUTING -d 192.168.x.y -m layer7 --l7proto directconnect -j MARK --set-mark xy
iptables -t mangle -A POSTROUTING -d 192.168.x.y -m layer7 --l7proto fasttrack -j MARK --set-mark xy
iptables -t mangle -A POSTROUTING -d 192.168.x.y -m layer7 --l7proto edonkey -j MARK --set-mark xy
iptables -t mangle -A POSTROUTING -d 192.168.x.y -m layer7 --l7proto bittorrent -j MARK --set-mark xy
iptables -t mangle -A POSTROUTING -d 192.168.x.y -m layer7 --l7proto gnutella -j MARK --set-mark xy
iptables -t mangle -A POSTROUTING -d 192.168.x.y -m layer7 --l7proto soulseek -j MARK --set-mark xy
iptables -t mangle -A POSTROUTING -d 192.168.x.y -m layer7 --l7proto napster -j MARK --set-mark xy

and the same for upload, i.e. only -d changes to -s. So that's 14 rules for one user (IP address). For a few people it works OK, but when this is repeated for, say, about 200 IPs (>3000 rules in .... loading gets slower and slower, until towards the end a single rule takes about 5 seconds to load!!!

My next attempt was therefore to load the rules all at once, via iptables-restore.
Loading worked OK, all the rules loaded in about 5 sec. I was happy too soon. The load started to rise (it was around 10), pings were getting lost.
After iptables -t mangle -F (which ran for about 30 sec) everything returned to normal. :(

This was a P4 3 GHz, 1 GB RAM, Linux 2.6.11.7..
So now I'm thinking about what to do with it...
mgx
Post subject: QoS  Posted: 03.10.2005 - 08:59 #23538
Guru
Joined: Dec 27, 2002
Posts: 1505

I'm not even surprised :)

You must either use HASHING TABLES, see the inspiration at

http://www.arachne.cz/index.php?indexid=2

Or optimize the number of rules per user :), which will probably be quite hard without rebuilding the whole QoS strategy :)

The link above will, however, give you inspiration on how to do it.

Mgx
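
Added example, not part of any post in this thread: one way to cut down how many rules a packet walks through while keeping the 14 layer7 rules per user, using iptables user-defined chains as a lookup tree (this is not the hashing-table setup behind the link above). Assumptions: all users sit in the constructed network 192.168.1.0/24, each user's mark is 100 plus the last octet, and the chain names are hypothetical.

```bash
#!/bin/bash
# Added example (constructed): users in 192.168.1.0/24, mark = 100 + last octet.
PROTOS="directconnect fasttrack edonkey bittorrent gnutella soulseek napster"
NET="192.168.1"

# gen_ruleset HOST...  prints an iptables-restore ruleset; HOST is a last octet.
gen_ruleset() {
    local h b p dir seen=" "
    echo "*mangle"
    echo ":POSTROUTING ACCEPT [0:0]"
    # Declare one chain per /28 block in use and one per user, per direction.
    for h in "$@"; do
        b=$(( h / 16 * 16 ))
        case "$seen" in
            *" $b "*) ;;
            *) seen="$seen$b "
               echo ":blk_d_$b - [0:0]"; echo ":blk_s_$b - [0:0]" ;;
        esac
        echo ":usr_d_$h - [0:0]"; echo ":usr_s_$h - [0:0]"
    done
    # Level 1: POSTROUTING only picks the /28 block (d = download, s = upload).
    for b in $seen; do
        echo "-A POSTROUTING -d $NET.$b/28 -j blk_d_$b"
        echo "-A POSTROUTING -s $NET.$b/28 -j blk_s_$b"
    done
    for h in "$@"; do
        b=$(( h / 16 * 16 ))
        for dir in d s; do
            # Level 2: at most 16 host rules in each block chain.
            echo "-A blk_${dir}_$b -$dir $NET.$h -j usr_${dir}_$h"
            # Level 3: the seven layer7 rules, seen only by this user's packets.
            for p in $PROTOS; do
                echo "-A usr_${dir}_$h -m layer7 --l7proto $p -j MARK --set-mark $(( 100 + h ))"
            done
        done
    done
    echo "COMMIT"
}

# Upper bound on rules one packet traverses: every block rule, then for each
# direction at most 16 host rules and 7 layer7 rules.
worst_case() {
    echo $(( $(gen_ruleset "$@" | grep -c '^-A POSTROUTING') + 2 * (16 + 7) ))
}
```

The output is meant to be loaded in one go with iptables-restore. For hosts 1 to 200 it still contains 2800 layer7 rules, but worst_case reports 72 rules on the path of any single packet.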
stab_
Post subject: RE: l7-filter  Posted: 03.10.2005 - 17:35 #23560
Guru
Joined: Dec 22, 2003
Posts: 1101
Location: Košice
Or mark it the other way round. E.g. ssh, http, ftp, pop and imap, assign them a speed, and throw the rest of the junk into one class.
iwik
Post subject: RE: l7-filter  Posted: 03.10.2005 - 19:54 #23566
Basic
Joined: Feb 05, 2003
Posts: 118
Location: Bratislava
Thanks for the tip. I'll experiment and let you know the result.
mgx
Post subject: P2P  Posted: 04.10.2005 - 08:17 #23572
Guru
Joined: Dec 27, 2002
Posts: 1505

Personally I think that guaranteeing P2P speed for individual users is, in my opinion, a rather unfortunate solution.
It should go into one queue (if you're not using hashes, that is) and P2P will spread that load out by itself :)...

mgx

PS: set the appropriate bandwidth according to how loudly the users shout.
PS2: whatever you set, it will be too little
kubiik
Post subject: RE: l7-filter  Posted: 04.10.2005 - 17:39 #23597
Guru
Joined: Jan 24, 2004
Posts: 1685

Yeah, exactly as MGX writes, that's how I do it.

Everything that l7-filter identifies for me as P2P I throw into one class and I'm happy :)
and so are 95% of the users.

...although on the other hand some people started complaining to me that DC++ downloads at around 1 KB for them...

...I answered them that it doesn't bother me who has how good a downloader, or whether he connects to a fast hub and how fast it goes for him, and I pasted them proof that there really are people who download constantly and that I'm not blocking it...

Since then my net has been running great, latencies stay at an excellent level all the time and only the P2P link is fully utilized.

I don't do per-user QoS - if someone wants to play something over the net, let him turn off downloading and that's that.
iwik
Post subject: RE: l7-filter  Posted: 04.10.2005 - 22:09 #23599
Basic
Joined: Feb 05, 2003
Posts: 118
Location: Bratislava
Yes, what you mention here is also a solution. But our situation is different: we have plans for users as mentioned above, i.e. there are some speed guarantees. I reworked the shaper and the result: CPU load absolutely fine, pings improved. P2P runs at that guaranteed lower speed.

The only problem is that the iptables rules take up about 40 MB in memory. iptables then says memory allocation error :) and in syslog: kernel: allocation failed: out of vmalloc space - use vmalloc=<size> to increase size

When I do cat /proc/meminfo I have VmallocTotal: 122800 kB on the router, which currently has 1 GB RAM. On the machine I have as a sort-of server, with 256 MB RAM, it's VmallocTotal: 778164 kB
Does anyone know why?
mgx
Post subject: RE: l7-filter  Posted: 05.10.2005 - 10:01 #23618
Guru
Joined: Dec 27, 2002
Posts: 1505

And have you asked Granny Google yet? :)
iwik
Post subject: RE: l7-filter  Posted: 05.10.2005 - 10:15 #23619
Basic
Joined: Feb 05, 2003
Posts: 118
Location: Bratislava
I asked, I asked, but I didn't understand it. I'm not a kernel programmer :). Thanks for the help anyway, my main problem is solved.
alwarez
Post subject: RE: l7-filter  Posted: 12.10.2005 - 23:41 #23921
Basic
Joined: May 22, 2005
Posts: 477
Location: Michalovce
root@pikacu:/usr/src/iptables/extensions# iptables -m layer7
Segmentation fault

So, nothing :)

I'll probably compile it again on a different version :)
mgx
Post subject: RE: l7-filter  Posted: 13.10.2005 - 12:43 #23938
Guru
Joined: Dec 27, 2002
Posts: 1505

My advice:

strace iptables -m layer7

and have a look at the log.
I assume something is missing in the kernel or in the modules. Or something is clashing.
alwarez
Post subject: RE: l7-filter  Posted: 13.10.2005 - 12:52 #23939
Basic
Joined: May 22, 2005
Posts: 477
Location: Michalovce
strace didn't throw up anything interesting, something is probably clashing there, because I have some things from patch-o-matic in there.
mgx
Post subject: RE: l7-filter  Posted: 13.10.2005 - 19:02 #23954
Guru
Joined: Dec 27, 2002
Posts: 1505

Aha.... well, patch-o-matic is a highly beta tool :) so highly that I almost stopped using it.

mgx