[LARTC] Re: tc filter protocol arp question

[LARTC] Re: tc filter protocol arp question

[lartc]

Alexander Clouter writes: 

> On Jan 31, lartc@pro-technica.com wrote:
>> Hello,  
>> 
>> I try to shape dhcp requests, but filter rule don't work. My script is:  
>> 
>> [snipped] 
>> 
> I really think you have other problems if you need to shape DHCP requests and
> their responses.  If we overlook the logistical part (QoS under linux only
> see's IP packets iirc, and so ARP packets are invisible) and look at what you 
> are trying to achieve. 
> 
> QoS you should seen as a way of saying "this group of packets can arrive
> 'later' without really any effect" or "these packets should arrive as soon as
> possible".  DHCP does not have realtime requirements, hell I could not care
> if it takes 2 seconds to renew my DHCP lease or 10 seconds.  If you do worry
> about things then consider a large lease time or better still look at what
> traffic is on your network and reduce it; Windoze NetBIOS is a common thing
> that can affect large networks. 
> 
> I am unsure why _anyone_ would want to prioritise DHCP traffic, it operates
> over an unreliable protocol and is built to try to obtain an IP address over
> a period of 30 seconds; if you cannot get a DHCP lease in that time (even on
> a congested network) then you have other problems which should probably be
> addressed in manner other than QoS. 
> 
> Obviously we would like to help, but we are unsure why you would want to do 
> such a thing, "Its damn right crazy man!" :) 
> 
> Regards 
> 
> Alex 
> 
> -- 
>  _______________________ 
> < All's well that ends. >
>  ----------------------- 
>         \   ^__^
>          \  (oo)\_______
>             (__)\       )\/\
>                 ||----w |
>                 ||     ||
 

I manage lan network with more that 1000 home users. Every user have 
iptables/tc pairs for marking packets/traffic limiting. Entire network 
operate via dhcp. If I miss only one user from shaper then his traffic going 
to default class. This class must have very low rate ( abount 1Kbit ). There 
going dhcp conversation. If missed user start to download, entire network 
lose dhcp server becouse of dropped packets. 

So I really need to give dhcp server priority. I thing that 512Kbit is over 
that enough to satisfy about 500 winbozes, powered on in ten minutes period. 
( This is not a joke, I see that nightmare every evening... ) 

Such a rule 'tc filter add dev eth0 protocol arp flowid ... ' i see in 
lartc.org and somewhere in mailing list. But this don't work on my linux ( 
RedHat Advanced Server 3 ). 

 --
Svetozar 


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

[LARTC] Re: tc filter protocol arp question

[Alexander Clouter]

[-- Attachment #1: Type: text/plain, Size: 1914 bytes --]

On Jan 31, lartc@pro-technica.com wrote:
> 
> I manage lan network with more that 1000 home users. Every user have 
> iptables/tc pairs for marking packets/traffic limiting. Entire network 
> operate via dhcp. If I miss only one user from shaper then his traffic 
> going to default class. This class must have very low rate ( abount 1Kbit 
> ). There going dhcp conversation. If missed user start to download, entire 
> network lose dhcp server becouse of dropped packets. 
> 
I know see your needs, however could I offer an alternative solution.  DHCP 
relays, put them on certain IP addresses and then mark their IP's for high 
priority traffic, this can be put in the same band along with ssh traffic and 
classed as 'core network traffic' or something fancy.

This probably would help you no end and give you the flexiblilty to do other 
things later down the road.

> So I really need to give dhcp server priority. I thing that 512Kbit is over
> that enough to satisfy about 500 winbozes, powered on in ten minutes
> period. ( This is not a joke, I see that nightmare every evening... )
> 
hmmmmm tasty :)

> Such a rule 'tc filter add dev eth0 protocol arp flowid ... ' i see in 
> lartc.org and somewhere in mailing list. But this don't work on my linux ( 
> RedHat Advanced Server 3 ). 
> 
well after my comment about shaping ARP packets, I was looking for things on 
a completed unrelated note and stumbled across something in the FAQ[1].

[1] http://www.docum.org/stef.coene/qos/faq/cache/63.html

have fun

Alex

-- 
 ________________________________________ 
/ You may be marching to the beat of a   \
| different drummer, but you're still in |
\ the parade.                            /
 ---------------------------------------- 
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

RE: [LARTC] Re: tc filter protocol arp question

[arek]

> > ). There going dhcp conversation. If missed user start to
> download, entire
> > network lose dhcp server becouse of dropped packets.

Moment, DHCP is not arp packet.
and ARP is not DHCP.

DHCP is always IP addressed /check via tcpdump/
so you can mark these addresses with tc without any problems.

ARP packets are low level packets of ethernet interconnectivity.
They will work always, unless your LAN is overloaded or somebody will do
nasty things like /arp poisoning/.
The only way you can increase your network performance for arp packets is
enabling broadcast storm control in layer-2 devices.
Some limmitations of arp-settings in linux /proc filesystem (gc_thresh_...
etc)
You can neither set static arp from Server side /and client side too (more
complex)/


Arkadiusz Binder

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Re: tc filter protocol arp question

[Alexander Clouter]

[-- Attachment #1: Type: text/plain, Size: 2062 bytes --]

On Feb 02, arek@chelmnet.pl wrote:
> 
> Moment, DHCP is not arp packet.
> and ARP is not DHCP.
> 
however every dhcp request fires off a bunch of ARP requests.  I am 
suggesting using DHCP-relay so you put the 'long distance' DHCP requests into 
a kind of IP tunnel (?).  If this is not true then you could accomplish the 
same with IPSec/ssh tunnels.  The idea of this is to shunt the DHCP (and 
related traffic) into something that is managable.

> DHCP is always IP addressed /check via tcpdump/
> so you can mark these addresses with tc without any problems.
>
good point :)
 
> ARP packets are low level packets of ethernet interconnectivity.
> They will work always, unless your LAN is overloaded or somebody will do
> nasty things like /arp poisoning/.
> The only way you can increase your network performance for arp packets is
> enabling broadcast storm control in layer-2 devices.
> Some limmitations of arp-settings in linux /proc filesystem (gc_thresh_...
> etc)
> You can neither set static arp from Server side /and client side too (more
> complex)/
> 
I would still be keen on shunting things into a managable IP(Sec)/ssh tunnel, 
although it sounds overboard, if you are dealing with thousands of PC's (even 
hundreds) thats likely to cross several subnets.

As I mentioned before it would give you the infrastructure to have 
'maintainence' tunnel, you could put all the insecure telnet traffic in this 
tunnel to prevent it crossing the whole distance un-encrypted :)  More so you 
can give it a high priority which would help you get access to machines when 
you need to during a crisis.

Regards

Alex

-- 
 __________________________________ 
/ A likely impossibility is always \
| preferable to an unconvincing    |
| possibility.                     |
|                                  |
\ -- Aristotle                     /
 ---------------------------------- 
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]