Playing with netfiltering-l7 and ipp2p under Debian (Sarge)

Problem: Debian + patched kernel as debian package + patched iptables with latest netfilter-l7 and ipp2p patches.

need some more restyling

Get the source!

apt-get source iptables (take it from debian-backports, 1.3.3x)

get the ipp2p source and the netfilter-l7 source

untar the iptables source from upstream and patch it with the netfilter-l7 iptables patch. Create a .tgz and put it back at the same location.

untar the patch-o-matic stuff .. put the ipp2p stuff there ..

.. more to come

Another way to do it

FIXME Need some styling

I downloaded the source package for iptables v1.3.5 and copied the source in '/usr/src/iptables-1.3.5.0debian1'. Install the iptables-dev package (although I think it's not necessary if you install the iptables source package). You'll need the kernel-headers package too. I sent you my Makefile. With this setup you just need to do make in the directory where the sources are. If you succeed, you will find a dynamic library libipt_ipp2p.so, which you'll have to copy to /lib/iptables/, and a kernel module called ipt_ipp2p.ko (supposing you have a 2.6.x kernel in your system). Copy ipt_ipp2p.ko to '/lib/modules/<your_kernel_version>/kernel/net/ipv4/netfilter/ipt_ipp2p.ko' and type depmod -a.

Try loading the module with modprobe ipt_ipp2p. If everything is OK try the following command:

 iptables -m ipp2p --help

You should see some info about the usage of this module.

Thanks to Abel Martín at debian-firewall mailinglist.

ipp2p best practices

I suggest the following rules for tcp and udp with connection tracking (see the documentation section):

 # iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
 # iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
 # iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 1
 # iptables -t mangle -A PREROUTING -p tcp -m mark --mark 1 -j CONNMARK --save-mark
 # iptables -t mangle -A PREROUTING -p udp -m ipp2p --ipp2p -j MARK --set-mark 1

Detect TCP FIRST, SAVE the MARK, and only then detect udp, after the mark has been saved!! Every p2p packet will now be marked, with a dramatic reduction in udp mismatches, because a tcp connection that was already identified is accepted via its restored connmark instead of being classified again.
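To make the effect of the rule order visible, here is a small added model of the five PREROUTING rules above (example code written for this page, not part of ipp2p or the original text). Packets and their conntrack keys are constructed, and a boolean `p2p` stands in for the `-m ipp2p` match; the model counts how often the ipp2p classifier actually has to run, with and without the CONNMARK rules.

```python
from dataclasses import dataclass, field


@dataclass
class Packet:
    proto: str   # "tcp" or "udp"
    conn: str    # constructed conntrack key for the flow this packet belongs to
    p2p: bool    # stands in for "-m ipp2p --ipp2p" matching this packet's payload


@dataclass
class MangleChain:
    use_connmark: bool = True                       # False = rules 01, 02 and 04 omitted
    connmark: dict = field(default_factory=dict)    # conntrack entry -> saved mark
    ipp2p_checks: int = 0                           # how often the costly ipp2p match ran

    def prerouting(self, pkt: Packet) -> int:
        """Return the packet mark after the chain, following the page's rule order."""
        mark = 0
        if pkt.proto == "tcp":
            if self.use_connmark:
                mark = self.connmark.get(pkt.conn, 0)   # 01: CONNMARK --restore-mark
                if mark != 0:
                    return mark                          # 02: -m mark ! --mark 0 -j ACCEPT
            self.ipp2p_checks += 1                       # 03: -m ipp2p --ipp2p ...
            if pkt.p2p:
                mark = 1                                 #     -j MARK --set-mark 1
            if self.use_connmark and mark == 1:
                self.connmark[pkt.conn] = 1              # 04: CONNMARK --save-mark
        elif pkt.proto == "udp":
            self.ipp2p_checks += 1                       # 05: udp is classified per packet
            if pkt.p2p:
                mark = 1
        return mark


def run_trace(packets, use_connmark=True):
    """Push a packet trace through the chain; return (marks, number of ipp2p checks)."""
    chain = MangleChain(use_connmark=use_connmark)
    marks = [chain.prerouting(p) for p in packets]
    return marks, chain.ipp2p_checks


# Constructed trace: flow A is a p2p connection whose first packet carries the
# signature and whose later packets do not; flow B is ordinary tcp; U is a udp packet.
TRACE = [Packet("tcp", "A", True), Packet("tcp", "A", False), Packet("tcp", "A", False),
         Packet("tcp", "B", False), Packet("tcp", "B", False), Packet("udp", "U", True)]

if __name__ == "__main__":
    for flag in (True, False):
        marks, checks = run_trace(TRACE, use_connmark=flag)
        print(f"connmark={flag}: marks={marks} ipp2p checks={checks}")
```

With the CONNMARK rules the later packets of flow A keep mark 1 without being classified again; without them they lose the mark and every packet pays for the ipp2p match.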

Yet another way to do it ..

1) Download:
 * iptables-dev (apt-get)
 * kernel-headers-2.x.x (your kernel, "uname -r")
 * src of your iptables (iptables -V and apt-get source)
 * ipp2p-0.8.0.tar.gz (stable)
2) untar ipp2p and cd ipp2p
3) Edit the Makefile, if necessary:
 * IPTABLES_SRC = /usr/src/iptables
 * In my case, the headers are detected automatically.
4) make (WITHOUT ERRORS!!! ;) )
5) cp libipt_ipp2p.so /lib/iptables
6) cp ipt_ipp2p.ko /lib/modules/`uname -r`/kernel/net/ipv4/netfilter
7) depmod -A
8) insmod ipt_ipp2p.ko (or modprobe)
9) lsmod | grep ipp2p
10) iptables -m ipp2p --help

 root@servidor:/usr/src/ipp2p-0.8.0# make
 make -C /lib/modules/2.6.15-28-386/build SUBDIRS=/usr/src/ipp2p-0.8.0 modules
 make[1]: se ingresa al directorio `/usr/src/linux-headers-2.6.15-28-386'
   CC [M]  /usr/src/ipp2p-0.8.0/ipt_ipp2p.o
   Building modules, stage 2.
   MODPOST
   CC      /usr/src/ipp2p-0.8.0/ipt_ipp2p.mod.o
   LD [M]  /usr/src/ipp2p-0.8.0/ipt_ipp2p.ko
 make[1]: se sale del directorio `/usr/src/linux-headers-2.6.15-28-386'
 gcc -O3 -Wall -DIPTABLES_VERSION=\"\" -I/usr/src/iptables-1.3.3/include -fPIC -c  libipt_ipp2p.c
 ld -shared -o libipt_ipp2p.so libipt_ipp2p.o

Which CPU for heavy traffic with much filtering/shaping

> Subject: Re: [LARTC] Which CPU for heavy traffic with much
> filtering/shaping?
> Date: Mon, 19 Nov 2007 17:40:34 +0100
> 
> >Hi
> 
> Hi
> 
> >I have a router with a large number of iptables rules and some
> >extensive traffic shaping (HTB + RED + ... ) + conntrack.
> 
> Performance boost tips:
> 
> - Use "set" module instead of sequential iptables rules. It can lower
> cpu usage.
> 
> - Use hashing filters for shaping if you're using many u32 filters.
> 
> - configure conntrack to use bigger hashsize for better performance;
> I'm passing following parameter to kernel in grub to achieve this:
> ip_conntrack.hashsize=1048575
> 
> - configure routecache to use bigger to use more memory for better
> performance; I'm passing following parameter to kernel in grub to
> achieve this: rhash_entries=2400000
> 
> >1. What processors should I be looking for in order to achieve the
> >best routing throughput on a linux router?
> 
> I've had good experiences with P4 (with and without HT), Athlon64, Xeon
> [dempsey], Xeon [woodcrest]. The last one is the best choice because of
> the large cache and architecture. I think you can use Core 2 Duo too
> if you want to save some money.
> 
> >2. Is it true that multicore processors will not help much in this 
> >situation?
> 
> Not true. In your setup with two nics with same load you can easily use
> two cores. You can assign each nic to different core by the means of
> smp_affinity setting in /proc/irq/... or by using irqbalance daemon.

L7filtering + CentOS