====== Playing with netfiltering-l7 and ipp2p under Debian (Sarge) ======

Problem: Debian + patched kernel as a Debian package + patched iptables with the latest netfilter-l7 and ipp2p patches.

**need some more restyling**

====== Get the source! ======

  * ''apt-get source iptables'' (take it from debian-backports, 1.3.3x)
  * get the ipp2p source
  * get the netfilter-l7 source
  * untar the iptables source from upstream and patch it with the netfilter-l7 iptables patch. Create a .tgz and put it back at the same location.
  * untar the patch-o-matic stuff and put the ipp2p stuff there
  * .. more to come

====== Another way to do it ======

FIXME Need some styling

I downloaded the source package for ''iptables v1.3.5'' and copied the source into ''/usr/src/iptables-1.3.5.0debian1''. Install the iptables-dev package (although I think it's not necessary if you install the iptables source package). You'll need the kernel-headers package too. I sent you my ''**Makefile**''. With this setup you just need to run ''make'' in the directory where the sources are. If you succeed, you will find a dynamic library ''libipt_ipp2p.so'', which you'll have to copy to ''/lib/iptables/'', and a kernel module called ''ipt_ipp2p.ko'' (supposing you have a 2.6.x kernel on your system). Copy ''ipt_ipp2p.ko'' to ''/lib/modules//kernel/net/ipv4/netfilter/ipt_ipp2p.ko'' and type ''depmod -a''. Try loading the module with ''modprobe ipt_ipp2p''. If everything is OK, try the following command:

<code>
iptables -m ipp2p --help
</code>

You should see some info about the usage of this module.

Thanks to //Abel Martín// at the debian-firewall mailing list.

==== ipp2p best practices ====

I suggest the following tcp and udp rules for connection tracking (see the docs section):

<code>
iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp -m mark --mark 1 -j CONNMARK --save-mark
iptables -t mangle -A PREROUTING -p udp -m ipp2p --ipp2p -j MARK --set-mark 1
</code>

Detect **TCP FIRST, SAVE THE MARK**, and detect udp only after you have saved the mark! The first two rules restore the mark stored on the connection and accept any packet that already carries one, so the ipp2p match only has to run on packets of connections that have not been classified yet. You will now have every p2p packet marked, but with a dramatic reduction of udp mismatches.

===== Yet another way to do it .. =====

  - Download:
    * iptables-dev (''apt-get'')
    * kernel-headers-2.x.x (for your kernel, see ''uname -r'')
    * the source of your iptables (''iptables -V'' and ''apt-get source'')
    * ipp2p-0.8.0.tar.gz (stable)
  - untar ipp2p and ''cd ipp2p''
  - Edit the Makefile if necessary:
    * ''IPTABLES_SRC = /usr/src/iptables''
    * In my case, the headers are detected automatically.
  - ''make'' (WITHOUT ERRORS!!! ;) )
  - ''cp libipt_ipp2p.so /lib/iptables''
  - ''cp ipt_ipp2p.ko /lib/modules/`uname -r`/kernel/net/ipv4/netfilter''
  - ''depmod -A''
  - ''insmod ipt_ipp2p.ko'' (or ''modprobe'')
  - ''lsmod | grep ipp2p''
  - ''iptables -m ipp2p --help''

A successful build looks like this:

<code>
root@servidor:/usr/src/ipp2p-0.8.0# make
make -C /lib/modules/2.6.15-28-386/build SUBDIRS=/usr/src/ipp2p-0.8.0 modules
make[1]: se ingresa al directorio `/usr/src/linux-headers-2.6.15-28-386'
  CC [M]  /usr/src/ipp2p-0.8.0/ipt_ipp2p.o
  Building modules, stage 2.
  MODPOST
  CC      /usr/src/ipp2p-0.8.0/ipt_ipp2p.mod.o
  LD [M]  /usr/src/ipp2p-0.8.0/ipt_ipp2p.ko
make[1]: se sale del directorio `/usr/src/linux-headers-2.6.15-28-386'
gcc -O3 -Wall -DIPTABLES_VERSION=\"\" -I/usr/src/iptables-1.3.3/include -fPIC -c libipt_ipp2p.c
ld -shared -o libipt_ipp2p.so libipt_ipp2p.o
</code>

==== Which CPU for heavy traffic with much filtering/shaping ====

> Subject: Re: [LARTC] Which CPU for heavy traffic with much
> filtering/shaping?
> Date: Mon, 19 Nov 2007 17:40:34 +0100
>
> >Hi
>
> Hi
>
> >I have a router with a large number of iptables rules and some
> >extensive traffic shaping (HTB + RED + ... ) + conntrack.
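The ten steps of the "Yet another way" recipe, wrapped in a small POSIX sh script with the checks a practitioner would want before and after the copy (added example, not the page's or the ipp2p project's own code). The variables ''IPP2P_SRC'', ''IPTABLES_SRC'', ''KVER'' and ''DESTROOT'' are assumptions of this script; their defaults are the paths the page uses, and a non-empty ''DESTROOT'' stages the files under a prefix instead of touching the live system.

```shell
#!/bin/sh
# Added example (not from the page): steps 2-10 of the ipp2p build and
# install procedure with explicit checks. IPP2P_SRC, IPTABLES_SRC, KVER and
# DESTROOT are assumptions of this script; defaults are the page's paths.
set -eu

IPP2P_SRC=${IPP2P_SRC:-/usr/src/ipp2p-0.8.0}
IPTABLES_SRC=${IPTABLES_SRC:-/usr/src/iptables}
KVER=${KVER:-$(uname -r)}
DESTROOT=${DESTROOT:-}      # staging prefix; empty means the real filesystem

# Destination of the userspace library and of the kernel module, derived
# from the kernel version exactly as in steps 5 and 6 of the recipe.
ipp2p_lib_dest() { printf '%s/lib/iptables/libipt_ipp2p.so\n' "$DESTROOT"; }
ipp2p_mod_dest() {
  printf '%s/lib/modules/%s/kernel/net/ipv4/netfilter/ipt_ipp2p.ko\n' "$DESTROOT" "$KVER"
}

# Step 1: refuse to build if the headers or sources are not where the
# Makefile will look for them. Returns 1 and lists everything missing.
ipp2p_check_prereqs() {
  rc=0
  for d in "/lib/modules/$KVER/build" "$IPTABLES_SRC/include" "$IPP2P_SRC"; do
    [ -d "$d" ] || { echo "missing: $d" >&2; rc=1; }
  done
  return $rc
}

# Steps 2-4: build in the ipp2p source directory. IPTABLES_SRC is passed on
# the make command line so the Makefile itself does not need editing.
ipp2p_build() {
  ipp2p_check_prereqs
  make -C "$IPP2P_SRC" IPTABLES_SRC="$IPTABLES_SRC"
}

# Steps 5-7: copy the two build artifacts into place and refresh the
# module dependency list (skipped for a staging install).
ipp2p_install() {
  install -D -m 644 "$IPP2P_SRC/libipt_ipp2p.so" "$(ipp2p_lib_dest)"
  install -D -m 644 "$IPP2P_SRC/ipt_ipp2p.ko" "$(ipp2p_mod_dest)"
  [ -n "$DESTROOT" ] || depmod -a "$KVER"
}

# Steps 8-10 as one check: both files present, module loadable, and the
# match registered with iptables. Returns non-zero on the first failure.
ipp2p_verify_install() {
  [ -f "$(ipp2p_lib_dest)" ] || { echo "library not installed" >&2; return 1; }
  [ -f "$(ipp2p_mod_dest)" ] || { echo "module not installed" >&2; return 1; }
  [ -n "$DESTROOT" ] && return 0   # staging install: nothing to load
  modprobe ipt_ipp2p && lsmod | grep -q '^ipt_ipp2p' && iptables -m ipp2p --help >/dev/null
}

# Usage: "sh ipp2p-install.sh run" as root on the router; set
# DESTROOT=/tmp/stage first to rehearse the copy without touching /lib.
if [ "${1:-}" = run ]; then
  ipp2p_build && ipp2p_install && ipp2p_verify_install
fi
```

Note that the build output on this page shows ''-DIPTABLES_VERSION=\"\"'', i.e. the Makefile did not pick up an iptables version from the source tree it was pointed at; the prerequisite check above only confirms that ''$IPTABLES_SRC/include'' exists, so keep the "iptables -V and apt-get source" pairing from step 1 in mind when choosing that directory.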
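The rule set from the "ipp2p best practices" section above, as an added example (not the page's own code) that generates the rules in the order the page insists on, checks that order before applying, and adds each rule only if it is not already present so the script can be re-run safely. ''IPTABLES'', ''MARK'' and ''DRY_RUN'' are knobs assumed by this script, not from the page; the rules themselves are the page's.

```shell
#!/bin/sh
# Added example (not from the page): the ipp2p conntrack-mark rules from
# the "best practices" section, generated in the required order (tcp
# detect + CONNMARK --save-mark before any udp detect) and applied
# idempotently. IPTABLES, MARK and DRY_RUN are assumptions of this script.
set -eu

IPTABLES=${IPTABLES:-iptables}
MARK=${MARK:-1}

# One rule spec per line for table mangle, chain PREROUTING, in the order
# the page gives: restore, short-circuit already-marked packets, detect
# tcp, save to the connection, and only then detect udp.
ipp2p_mark_rules() {
  cat <<EOF
-p tcp -j CONNMARK --restore-mark
-p tcp -m mark ! --mark 0 -j ACCEPT
-p tcp -m ipp2p --ipp2p -j MARK --set-mark $MARK
-p tcp -m mark --mark $MARK -j CONNMARK --save-mark
-p udp -m ipp2p --ipp2p -j MARK --set-mark $MARK
EOF
}

# Guard for the page's warning: every udp rule must come after the last
# CONNMARK --save-mark rule. Returns 0 when the order is right.
ipp2p_order_ok() {
  ipp2p_mark_rules | awk '
    /CONNMARK --save-mark/ { saved = NR }
    /^-p udp/ && !saved    { bad = 1 }
    END { exit bad ? 1 : 0 }'
}

# Append each rule unless it already exists (-C), so re-running the script
# does not duplicate rules. DRY_RUN=1 prints the commands instead.
# $spec is deliberately unquoted: it must split into separate arguments.
ipp2p_apply() {
  ipp2p_order_ok || { echo "rule order wrong: udp detect before save-mark" >&2; return 1; }
  ipp2p_mark_rules | while IFS= read -r spec; do
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "$IPTABLES -t mangle -A PREROUTING $spec"
    elif ! $IPTABLES -t mangle -C PREROUTING $spec 2>/dev/null; then
      $IPTABLES -t mangle -A PREROUTING $spec
    fi
  done
}

# Usage: "DRY_RUN=1 sh ipp2p-mark.sh" to review, then run it as root.
if [ "${1:-}" = apply ] || [ "${DRY_RUN:-0}" = 1 ]; then
  ipp2p_apply
fi
```

The ''-C'' check requires an iptables that supports it; on the 1.3.x series this page targets it does not exist, so there either flush the chain first or drop the ''elif'' branch and accept that a second run appends duplicates.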
>
> Performance boost tips:
>
> - Use the "set" module instead of sequential iptables rules. It can lower
> CPU usage.
>
> - Use hashing filters for shaping if you're using many u32 filters.
>
> - Configure conntrack to use a bigger hashsize for better performance;
> I'm passing the following parameter to the kernel in grub to achieve this:
> ip_conntrack.hashsize=1048575
>
> - Configure the route cache to use more memory for better
> performance; I'm passing the following parameter to the kernel in grub to
> achieve this: rhash_entries=2400000
>
> >1. What processors should I be looking for in order to achieve the
> >best routing throughput on a linux router?
>
> I've had good experiences with P4 (with and without HT), Athlon64, Xeon
> [dempsey], Xeon [woodcrest]. The last one is the best choice because of
> the large cache and architecture. I think you can use Core 2 Duo too
> if you want to save some money.
>
> >2. Is it true that multicore processors will not help much in this
> >situation?
>
> Not true. In your setup with two nics with the same load you can easily use
> two cores. You can assign each nic to a different core by means of the
> smp_affinity setting in /proc/irq/... or by using the irqbalance daemon.

==== L7filtering + CentOS ====

  * [[http://www.howtoforge.com/how-to-set-up-a-linux-layer-7-packet-classifier-on-centos5.1]]