====== linux:iptables:l7patch ======
Page history: created 2006/03/28 02:03 by a; current revision 2009/05/25 00:35.
+ | |||
+ | |||
====== Another way to do it ======
FIXME Need some styling

I downloaded the source package for ''

Try loading the module with ''modprobe ipt_ipp2p''. If that succeeds, run the following command:



You should see the usage information for this match module.

Thanks to //Abel Martín// on the debian-firewall mailing list.

==== ipp2p best practices ====

For connection tracking I suggest the following tcp and udp rules (see the documentation section):

<code>
# iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
# iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
# iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 1
# iptables -t mangle -A PREROUTING -p tcp -m mark --mark 1 -j CONNMARK --save-mark
# iptables -t mangle -A PREROUTING -p udp -m ipp2p --ipp2p -j MARK --set-mark 1
</code>

Detect **TCP first and save the mark**, and only then detect UDP. The first rule restores a previously saved connection mark onto the packet, the second accepts already-marked TCP packets without running the ipp2p match again, and the fourth saves the mark into the connection so the rest of that connection is handled by the first two rules alone. You will now have every p2p packet marked, with a dramatic reduction in UDP mismatches.
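To make the restore/accept/match/save order above concrete, here is a small Python model of how those five rules treat a TCP flow versus a UDP flow. It is an added illustration written for this page, not code from the page or from the ipp2p project: the "ipp2p" matcher is a stand-in that looks for an assumed marker string in the payload (real ipp2p matches protocol-specific byte patterns), and the addresses, ports and payloads are constructed for the example.

```python
"""Toy model of the ipp2p + CONNMARK mangle PREROUTING chain.

Added example, not ipp2p's or the page's code.  It models just enough of
netfilter traversal to show why the connection mark is restored first,
saved after the first TCP hit, and why UDP is matched on every packet.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst payload")

# Assumed P2P signature for the toy matcher (not a real ipp2p pattern).
P2P_SIGNATURE = b"P2P-HANDSHAKE"


class Conntrack:
    """Per-connection state: the saved connmark keyed by proto + endpoints."""

    def __init__(self):
        self.connmark = {}

    def key(self, pkt):
        # Direction-agnostic key so reply packets map to the same connection.
        ends = tuple(sorted([pkt.src, pkt.dst]))
        return (pkt.proto,) + ends


class MangleChain:
    """Walks packets through the five PREROUTING rules from the page.

    rule 1: -p tcp -j CONNMARK --restore-mark
    rule 2: -p tcp -m mark ! --mark 0 -j ACCEPT
    rule 3: -p tcp -m ipp2p --ipp2p -j MARK --set-mark 1
    rule 4: -p tcp -m mark --mark 1 -j CONNMARK --save-mark
    rule 5: -p udp -m ipp2p --ipp2p -j MARK --set-mark 1
    """

    def __init__(self):
        self.ct = Conntrack()
        self.dpi_evaluations = 0   # how often the (toy) ipp2p matcher ran

    def ipp2p_match(self, pkt):
        self.dpi_evaluations += 1
        return P2P_SIGNATURE in pkt.payload

    def traverse(self, pkt):
        """Return the packet mark after the chain, as the kernel would."""
        mark = 0
        key = self.ct.key(pkt)
        if pkt.proto == "tcp":
            mark = self.ct.connmark.get(key, 0)      # rule 1: restore-mark
            if mark != 0:                            # rule 2: already marked
                return mark                          # ACCEPT ends traversal
            if self.ipp2p_match(pkt):                # rule 3: DPI on TCP
                mark = 1
            if mark == 1:                            # rule 4: save-mark
                self.ct.connmark[key] = 1
        elif pkt.proto == "udp":
            if self.ipp2p_match(pkt):                # rule 5: DPI per packet
                mark = 1
        return mark


def run_flows():
    """Feed a constructed TCP flow and a constructed UDP flow; report results."""
    chain = MangleChain()
    a, b = ("10.0.0.2", 51000), ("203.0.113.7", 6881)
    # Constructed packets: only the first TCP segment carries the signature,
    # later segments in both directions are plain data.
    tcp_flow = [
        Packet("tcp", a, b, b"P2P-HANDSHAKE extra"),
        Packet("tcp", b, a, b"data"),
        Packet("tcp", a, b, b"more data"),
        Packet("tcp", b, a, b"still data"),
    ]
    udp_flow = [
        Packet("udp", a, b, b"P2P-HANDSHAKE"),
        Packet("udp", b, a, b"payload"),       # no signature: stays unmarked
        Packet("udp", a, b, b"P2P-HANDSHAKE"),
    ]
    tcp_marks = [chain.traverse(p) for p in tcp_flow]
    tcp_dpi = chain.dpi_evaluations
    udp_marks = [chain.traverse(p) for p in udp_flow]
    udp_dpi = chain.dpi_evaluations - tcp_dpi
    return {"tcp_marks": tcp_marks, "tcp_dpi": tcp_dpi,
            "udp_marks": udp_marks, "udp_dpi": udp_dpi}


if __name__ == "__main__":
    print(run_flows())
```

The TCP flow is inspected once and every later segment, in either direction, is marked by the restored connmark without touching the matcher; the UDP flow has no saved mark, so each datagram is inspected on its own and a datagram without the pattern stays unmarked.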
+ | |||
+ | |||
===== Yet another way to do it ... =====

1) Download:
  * iptables-dev (apt-get)
  * kernel-headers-2.x.x (for your running kernel, see ''uname -r'')
  * the source of your iptables version (''iptables -V'' and ''apt-get source'')
  * ipp2p-0.8.0.tar.gz (stable)
2) untar ipp2p and cd into the ipp2p directory
3) Edit the Makefile if necessary:
  * IPTABLES_SRC = /
  * In my case the headers were detected automatically.
4) make (WITHOUT ERRORS!!! ;) )
5) cp libipt_ipp2p.so /
6) cp ipt_ipp2p.ko /
7) depmod -A
8) insmod ipt_ipp2p.ko (or modprobe ipt_ipp2p)
9) lsmod | grep ipp2p
10) iptables -m ipp2p --help

<code>
make -C /
CC [M] /
LD [M] /
gcc -O3 -Wall -DIPTABLES_VERSION=\"
-fPIC -c libipt_ipp2p.c
ld -shared -o libipt_ipp2p.so libipt_ipp2p.o
</code>

==== Which CPU for heavy traffic with much filtering/ ====
<code>
> Subject: Re: [LARTC] Which CPU for heavy traffic with much
> filtering/
> Date: Mon, 19 Nov 2007 17:40:34 +0100
>
> >Hi
>
> Hi
>
> >I have a router with a large number of iptables rules and some
> >
>
> Performance boost tips:
>
> - Use "
>   cpu usage.
>
> - Use hashing filters for shaping if you're using many u32 filters.
>
> - Configure conntrack to use a bigger hashsize for better performance;
>   I'm passing the following parameter to the kernel in grub to achieve this:
>   ip_conntrack.hashsize=1048575
>
> - Configure the route cache to be bigger and use more memory for better
>   performance;
>   achieve this: rhash_entries=2400000
>
> >1. What processors should I be looking for in order to achieve the
> >best routing throughput on a linux router?
>
> I've had good experiences with P4 (with and without HT), Athlon64, Xeon
> [dempsey], Xeon [woodcrest]. The last one is the best choice because of
> the large cache and architecture. I think you can use Core 2 Duo too
> if you want to save some money.
>
> >2. Is it true that multicore processors will not help much in this
> >
>
> Not true. In your setup with two nics with the same load you can easily use
> two cores. You can assign each nic to a different core by means of the
> smp_affinity setting in /
</code>
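The last tip in the quoted reply, pinning each NIC's interrupt to its own core through smp_affinity, is easy to get wrong by hand (the IRQ numbers change from box to box and the mask is a hex CPU bitmask). The following Python script is an added example for this page, not code from the list posting or the page: it parses a constructed /proc/interrupts sample (two CPUs, two NICs, made-up IRQ numbers), assigns NIC i to CPU i, and writes the resulting masks to /proc/irq/<n>/smp_affinity, with a dry-run hook so it can be tried without root.

```python
"""Compute one-core-per-NIC smp_affinity masks from /proc/interrupts.

Added example; not code from the page or the LARTC posting.  Interface
names and IRQ numbers in SAMPLE_INTERRUPTS are constructed for the
illustration.  /proc/irq/<n>/smp_affinity takes a hexadecimal CPU bitmask,
so CPU0 is "1", CPU1 is "2", CPU0+CPU1 is "3".
"""
import re

# Constructed sample of /proc/interrupts (two CPUs, two NICs, 2.6-era layout).
SAMPLE_INTERRUPTS = """\
           CPU0       CPU1
  0:   12345678          0   IO-APIC-edge      timer
  1:          2          0   IO-APIC-edge      i8042
 16:   98765432    1234567   IO-APIC-fasteoi   eth0
 17:   87654321    7654321   IO-APIC-fasteoi   eth1
 19:       4321          0   IO-APIC-fasteoi   ehci_hcd:usb1
NMI:          0          0   Non-maskable interrupts
LOC:   11111111   22222222   Local timer interrupts
"""

# numeric IRQ, one count per CPU, controller/type column, device name(s)
_IRQ_LINE = re.compile(r"\s*(\d+):\s+((?:\d+\s+)+)(\S+)\s+(.*)$")


def cpu_count(text):
    """Number of CPU columns in the header line."""
    return len(text.splitlines()[0].split())


def parse_interrupts(text):
    """Map device name -> IRQ number for the numeric IRQ lines only."""
    irqs = {}
    for line in text.splitlines()[1:]:
        m = _IRQ_LINE.match(line)
        if not m:
            continue            # NMI:, LOC:, ERR: and similar summary rows
        irq = int(m.group(1))
        for dev in m.group(4).split(","):   # shared IRQs list several devices
            irqs[dev.strip()] = irq
    return irqs


def affinity_plan(text, nics):
    """Assign NIC i to CPU i (mod CPU count); return {nic: (irq, hexmask)}."""
    irqs = parse_interrupts(text)
    ncpu = cpu_count(text)
    plan = {}
    for i, nic in enumerate(nics):
        if nic not in irqs:
            raise KeyError("no IRQ line for %s in /proc/interrupts" % nic)
        cpu = i % ncpu
        plan[nic] = (irqs[nic], "%x" % (1 << cpu))
    return plan


def apply_plan(plan, write=None):
    """Write each mask to /proc/irq/<n>/smp_affinity (needs root).

    Pass a callable as `write` to dry-run; the default writes the sysfs file.
    Returns the sorted list of (path, mask) pairs that were (or would be) written.
    """
    def default_write(path, value):
        with open(path, "w") as fh:
            fh.write(value + "\n")

    write = write or default_write
    done = []
    for nic, (irq, mask) in plan.items():
        path = "/proc/irq/%d/smp_affinity" % irq
        write(path, mask)
        done.append((path, mask))
    return sorted(done)


if __name__ == "__main__":
    plan = affinity_plan(SAMPLE_INTERRUPTS, ["eth0", "eth1"])
    apply_plan(plan, write=lambda p, v: print("would write", v, "to", p))
```

Two caveats when running this for real: read the live file with `open("/proc/interrupts").read()` instead of the sample, and stop irqbalance first, since it rewrites smp_affinity on its own and will undo manual pinning.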
+ | |||
==== L7filtering + CentOS ====
  * [[http://