A hash-table based shaper can also act as an effective firewall; take a look.
Suppose our shaper configurator generates, say, this script for a client's connection (excerpt):
#
# Contract I-1082,
# connection 606 (0x25e).
#
# input:
/sbin/tc class add dev clients0 classid 1:25e parent 1:fe10 htb rate 96kbit ceil 128kbit quantum 1500 burst 7500 cburst 12500 prio 50
/sbin/tc filter add dev clients0 protocol 802.1q parent 1:0 prio 100 u32 ht 133:5c match ip dst X.X.133.92 flowid 1:25e
/sbin/tc filter add dev clients0 protocol 802.1q parent 1:0 prio 100 u32 ht 133:5d match ip dst X.X.133.93 flowid 1:25e
/sbin/tc filter add dev clients0 protocol 802.1q parent 1:0 prio 100 u32 ht 133:5e match ip dst X.X.133.94 flowid 1:25e
/sbin/tc filter add dev clients0 protocol 802.1q parent 1:0 prio 100 u32 ht 133:5f match ip dst X.X.133.95 flowid 1:25e
Now assume a lot of DoS traffic arrives from IP 173.204.53.138 to IP X.X.133.94: so many packets that the client's bandwidth is exhausted. (Yes, that is a real IP; it was a real DoS attack.)
All we need is to write one filter into the proper hash-table cell:
# input:
/sbin/tc class add dev clients0 classid 1:25e parent 1:fe10 htb rate 96kbit ceil 128kbit quantum 1500 burst 7500 cburst 12500 prio 50
# FIXME:
/sbin/tc filter add dev clients0 protocol 802.1q parent 1:0 prio 100 u32 ht 133:5e match ip src 173.204.53.138 police mtu 1 drop flowid 1:fe49
#
/sbin/tc filter add dev clients0 protocol 802.1q parent 1:0 prio 100 u32 ht 133:5c match ip dst X.X.133.92 flowid 1:25e
/sbin/tc filter add dev clients0 protocol 802.1q parent 1:0 prio 100 u32 ht 133:5d match ip dst X.X.133.93 flowid 1:25e
/sbin/tc filter add dev clients0 protocol 802.1q parent 1:0 prio 100 u32 ht 133:5e match ip dst X.X.133.94 flowid 1:25e
/sbin/tc filter add dev clients0 protocol 802.1q parent 1:0 prio 100 u32 ht 133:5f match ip dst X.X.133.95 flowid 1:25e
«FIXME» because it is still manual work; I have to add this feature to my configurator :-)
We added this filter to the cell that holds all filters for packets to X.X.133.94 (normally there is only one), and we placed it before the «normal» filter that «routes» packets to the client's class. The filters in a bucket are tried in order, so the policing filter sees every packet for that address first.
It works like this: police mtu 1 treats any packet larger than 1 byte as exceeding the policer, and the drop action discards it right there in the classifier. Only a packet of at most 1 byte (a physically impossible case) would conform and be «routed» to the default class (yes, 1:fe49 is the default class in my shaper now).
So the queueing discipline (HTB in my case, but it could be any qdisc) never has to cope with these packets: they are dropped before enqueue and never reach the client's class. The policer's drop counters are visible in the output of tc -s filter show dev clients0 parent 1:0.
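As an added example (this is not the blog's own configurator, it is written here to show the idea), a small generator for the per-connection script that can insert such "block this source towards this client" filters ahead of the normal class filter in the same u32 bucket. It assumes the layout visible in the excerpt above: one u32 hash table per /24 whose id is the third octet written literally (so .133. becomes ht 133:, which tc reads as hex), a bucket equal to the last octet in hex (.94 becomes 5e), 802.1q on dev clients0 and 1:fe49 as the default class. The client addresses used in the demo (10.0.133.0/24) are constructed; the attacker address is the one from the post.

```python
"""Added example, not the blog's own configurator: generate a connection's tc
script with optional "block this source towards this client" filters placed
ahead of the class filter in the same u32 bucket.

Assumed layout, taken from the excerpt in the post: one u32 hash table per /24
whose id is the third octet written literally (.133. -> "ht 133:"), bucket =
last octet in hex (.94 -> 5e), 802.1q on dev clients0, default class 1:fe49.
The client addresses used in the demo are constructed (10.0.133.0/24)."""
import ipaddress

TC = "/sbin/tc"
DEV = "clients0"            # assumption: interface name as in the post
DEFAULT_CLASS = "1:fe49"    # assumption: the shaper's default class, as in the post


def bucket(ip):
    """'10.0.133.94' -> '133:5e' (table id = 3rd octet as written, bucket = 4th octet in hex)."""
    o = ipaddress.IPv4Address(ip).packed   # raises ValueError on garbage input
    return "%d:%x" % (o[2], o[3])


def class_line(conn, parent, rate, ceil):
    """HTB leaf class for connection number conn (classid is conn in hex, e.g. 606 -> 1:25e)."""
    return ("%s class add dev %s classid 1:%x parent %s htb rate %s ceil %s "
            "quantum 1500 burst 7500 cburst 12500 prio 50" % (TC, DEV, conn, parent, rate, ceil))


def block_line(dst, src):
    """Policing filter for one attacker -> one client address. 'police mtu 1 drop':
    every real packet exceeds the 1-byte MTU and is dropped in the classifier;
    only a conforming (impossible, <= 1 byte) packet would go to DEFAULT_CLASS."""
    return ("%s filter add dev %s protocol 802.1q parent 1:0 prio 100 u32 ht %s "
            "match ip src %s police mtu 1 drop flowid %s"
            % (TC, DEV, bucket(dst), src, DEFAULT_CLASS))


def route_line(dst, conn):
    """The normal filter that sends packets for dst into the client's class."""
    return ("%s filter add dev %s protocol 802.1q parent 1:0 prio 100 u32 ht %s "
            "match ip dst %s flowid 1:%x" % (TC, DEV, bucket(dst), dst, conn))


def connection_script(conn, parent, rate, ceil, addrs, blocks=()):
    """Lines of the per-connection script. blocks is a list of (dst, src) pairs.
    Block filters are emitted before the routing filters: when filters are added
    to an empty bucket without explicit handles, as this regenerated script does,
    u32 keeps them in the order they were added, so the policer is consulted first."""
    lines = [class_line(conn, parent, rate, ceil)]
    lines += [block_line(dst, src) for dst, src in blocks]
    lines += [route_line(a, conn) for a in addrs]
    return lines


if __name__ == "__main__":
    clients = ["10.0.133.%d" % i for i in (92, 93, 94, 95)]
    for line in connection_script(606, "1:fe10", "96kbit", "128kbit", clients,
                                  blocks=[("10.0.133.94", "173.204.53.138")]):
        print(line)
```

Running the script prints the same five lines as the FIXME excerpt above (with the constructed client addresses), the policing filter placed second, directly after the class definition.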
Tags: adm, HTB, Programming, Shaper
Posted 9 March 2010 in Administration, Programming, Shaper
Please see some info here. I will translate this post into English, I hope.
;; fradlog_extract.scm: print every blank-line-separated record of a
;; FreeRADIUS detail file that contains a line matching a regexp.
;; Usage: guile -s fradlog_extract.scm PATTERN FILE
(use-modules (ice-9 rdelim) (ice-9 regex) (ice-9 format))

(define argv (program-arguments))
(define pattern-string (cadr argv))
(define filename (caddr argv))
(define inputfile (open-input-file filename))
(define pattern (make-regexp pattern-string))

(define records 0)   ; records seen
(define lines 0)     ; lines read, blank separators included
(define selected 0)  ; records printed

;; Finish one record: print it (oldest line first) if any of its lines matched.
(define (flush-record stack good)
  (if good
      (begin
        (for-each (lambda (l) (display l) (newline)) (reverse stack))
        (set! selected (+ 1 selected))))
  (set! records (+ 1 records)))

(define (read-all-lines)
  ;; stack holds the current record's lines newest-first: consing is O(1),
  ;; whereas appending to the tail re-copies the record for every line.
  ;; good becomes #t as soon as one line of the record matches the pattern.
  (let loop ((stack '()) (good #f))
    (let ((line (read-line inputfile)))
      (cond
       ((eof-object? line)
        ;; a last record without a trailing blank line is still flushed
        (if (not (null? stack)) (flush-record stack good)))
       ((string=? line "")
        (set! lines (+ 1 lines))
        (flush-record (cons line stack) good)  ; keep the separator in the output
        (loop '() #f))
       (else
        (set! lines (+ 1 lines))
        (loop (cons line stack)
              (or good (if (regexp-exec pattern line) #t #f))))))))

(read-all-lines)
(format (current-error-port)
        "~d records (~d lines) processed~%~d records matched~%Pattern was: '~a'~%"
        records lines selected pattern-string)
;; vim: ts=2:
Scheme:
$ time guile -s fradlog_extract.scm 'Station-Id = \"4494.....\"' detail-20090519 > part-scheme
183764 records (4563405 lines) processed
447 records matched
Pattern was: 'Station-Id = "4494....."'
real 0m27.653s
user 0m27.550s
sys 0m0.110s
awk:
$ time awk -f fradlog_extract.awk pattern='Station-Id = \"4494.....\"' detail-20090519 > part-awk
183764 records (4563405 lines) processed
447 records matched
Pattern was: 'Station-Id = "4494....."'
real 0m21.680s
user 0m21.490s
sys 0m0.090s
python:
$ time python fradlog_extract.py 'Station-Id = "4494....."' detail-20090519 > part-python
183764 records (4563405 lines) processed
447 records matched
Pattern was: 'Station-Id = "4494....."'
real 0m9.766s
user 0m9.670s
sys 0m0.060s
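The Python variant is timed above but not listed. As an added example (not the author's fradlog_extract.py), here is one with the same record semantics as the Scheme script: a FreeRADIUS detail file is a sequence of records separated by blank lines, a record is selected when any of its lines matches the pattern, and the statistics go to stderr in the same format. The detail records embedded below are constructed for the example; only the pattern is the one from the timings.

```python
"""Added example: a Python counterpart of the record extractor in the post (not
the author's fradlog_extract.py). Records are blank-line-terminated; a record is
selected when any line matches the regexp. SAMPLE_LINES is constructed data."""
import re
import sys

PATTERN = 'Station-Id = "4494.....'   # the pattern used in the timings above

# Constructed FreeRADIUS-detail-like records (three records, two of them
# with a Calling-Station-Id starting with 4494).
SAMPLE_LINES = [
    "Tue May 19 00:00:01 2009",
    "\tAcct-Status-Type = Start",
    '\tCalling-Station-Id = "449412345"',
    '\tUser-Name = "alice"',
    "",
    "Tue May 19 00:00:02 2009",
    "\tAcct-Status-Type = Start",
    '\tCalling-Station-Id = "380501234"',
    '\tUser-Name = "bob"',
    "",
    "Tue May 19 00:00:03 2009",
    "\tAcct-Status-Type = Stop",
    '\tCalling-Station-Id = "449499999"',
    '\tUser-Name = "carol"',
    "",
]


def records_of(lines):
    """Yield each record as a list of lines, including its terminating blank
    line (so printing a record reproduces the separator, as the Scheme version
    does). A final record with no trailing blank line is still yielded."""
    stack = []
    for line in lines:
        stack.append(line)
        if line == "":
            yield stack
            stack = []
    if stack:
        yield stack


def extract(lines, pattern_string):
    """Return (selected_records, records_seen, lines_seen) for an iterable of
    lines without their newline characters."""
    pattern = re.compile(pattern_string)
    n_lines = n_records = 0
    selected = []
    for rec in records_of(lines):
        n_lines += len(rec)
        n_records += 1
        if any(pattern.search(line) for line in rec):
            selected.append(rec)
    return selected, n_records, n_lines


def demo():
    """Run the extractor over the constructed sample with the post's pattern."""
    return extract(SAMPLE_LINES, PATTERN)


def main(argv):
    pattern_string, filename = argv[1], argv[2]
    with open(filename) as f:
        selected, records, lines = extract((l.rstrip("\n") for l in f), pattern_string)
    for rec in selected:
        sys.stdout.write("\n".join(rec) + "\n")
    sys.stderr.write("%d records (%d lines) processed\n%d records matched\nPattern was: '%s'\n"
                     % (records, lines, len(selected), pattern_string))


if __name__ == "__main__":
    main(sys.argv)
```

Usage mirrors the other two: python fradlog_extract.py 'Station-Id = "4494....."' detail-20090519 > part-python. The file is streamed line by line; only the matched records are kept in memory.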
Tags: awk, FreeRadius, Python, scheme, Programming
Posted 4 February 2010 in Misc
>>> (with-error-to-file (current-error-port) (display "foo"))
File "<stdin>", line 1
(with-error-to-file (current-error-port) (display "foo"))
^
SyntaxError: invalid syntax
>>>
Trying to learn Scheme, trying to work with Python…
Yes, right, Guile throws a different error message; I've already learned that :O)
Tags: Python, scheme, Programming
Posted 4 February 2010 in Misc
If you use VLAN sub-interfaces in Linux, and sub-sub-interfaces, and sub-sub-sub-… interfaces, and you only switch traffic on them, nothing special is needed; but if you want to ping something through them, do not forget to reset the REORDER_HDR flag:
ip link set up dev eth2
vconfig add eth2 100
ip link set up dev vlan100
vconfig set_flag vlan100 1 0
vconfig add vlan100 200
ip link set up dev vlan200
vconfig set_flag vlan200 1 0
# ....etc-etc
vconfig add vlan800 900
ip link set up dev vlan900
vconfig set_flag vlan900 1 0
ip addr add 192.168.1.100/24 brd 192.168.1.255 dev vlan900
ping 192.168.1.3
Note the command vconfig set_flag DEV 1 0; I mean exactly this :-)
Now (since 2.6.x?.. I can't remember, and it doesn't matter) the Linux kernel creates VLAN interfaces with REORDER_HDR=1.
You can check the current value of the REORDER_HDR flag with a command like this:
# cat /proc/net/vlan/vlan900
vlan900 VID: 900 REORDER_HDR: 0 dev->priv_flags: 1
total frames received 172
total bytes received 222546
Broadcast/Multicast Rcvd 0
total frames transmitted 405
total bytes transmitted 283743
total headroom inc 0
total encap on xmit 26
Device: vlan900
INGRESS priority mappings: 0:0 1:0 2:0 3:0 4:0 5:0 6:0 7:0
EGRESS priority mappings:
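As an added example (not from the post), a small check that parses /proc/net/vlan/<dev> files for a whole chain of nested VLAN devices and reports which ones still have REORDER_HDR=1, that is, which ones the vconfig set_flag DEV 1 0 step was forgotten for. The parser needs only the first three fields of the first line (device, VID, REORDER_HDR), so it does not care whether dev->priv_flags follows on the same line, as shown above, or on the next one. The device names follow the post; the /proc text embedded below is constructed, and the reader function is injectable so the check can run on captured text as well as on a live box.

```python
"""Added example (not from the post): verify REORDER_HDR on a chain of nested
VLAN devices by parsing /proc/net/vlan/<dev>, whose first line looks like
'vlan900 VID: 900 REORDER_HDR: 0 dev->priv_flags: 1'. SAMPLE is constructed
text; the device names vlan100/vlan200/vlan900 follow the post."""
import re
import sys

FIRST_LINE = re.compile(r"^(?P<dev>\S+)\s+VID:\s*(?P<vid>\d+)\s+REORDER_HDR:\s*(?P<reorder>[01])")
COUNTER = re.compile(r"^\s*(?P<name>total (?:frames|bytes) (?:received|transmitted))\s+(?P<val>\d+)")


def parse_vlan_proc(text):
    """Return {'dev', 'vid', 'reorder_hdr', 'counters'} from one /proc/net/vlan/<dev> file."""
    lines = text.splitlines()
    m = FIRST_LINE.match(lines[0]) if lines else None
    if not m:
        raise ValueError("not a /proc/net/vlan device file")
    counters = {}
    for line in lines[1:]:
        c = COUNTER.match(line)
        if c:
            counters[c.group("name")] = int(c.group("val"))
    return {"dev": m.group("dev"), "vid": int(m.group("vid")),
            "reorder_hdr": int(m.group("reorder")), "counters": counters}


def read_proc(dev):
    """Live reader: the kernel's per-device file."""
    with open("/proc/net/vlan/" + dev) as f:
        return f.read()


def devices_with_reorder_hdr(devs, reader=read_proc):
    """Names of the given VLAN devices that still have REORDER_HDR=1, i.e. where
    'vconfig set_flag DEV 1 0' has not been applied. reader is injectable so the
    check can run on captured text."""
    return [d for d in devs if parse_vlan_proc(reader(d))["reorder_hdr"] == 1]


# Constructed sample: vlan200 was created but its flag was not reset.
SAMPLE = {
    "vlan100": "vlan100 VID: 100 REORDER_HDR: 0 dev->priv_flags: 1\n"
               "          total frames received 10\n",
    "vlan200": "vlan200 VID: 200 REORDER_HDR: 1 dev->priv_flags: 1\n"
               "          total frames received 0\n",
    "vlan900": "vlan900 VID: 900 REORDER_HDR: 0 dev->priv_flags: 1\n"
               "          total frames received 172\n"
               "          total bytes received 222546\n",
}


if __name__ == "__main__":
    # With device names on the command line the live /proc files are read;
    # without arguments the constructed sample is checked.
    devs = sys.argv[1:] or list(SAMPLE)
    reader = read_proc if sys.argv[1:] else SAMPLE.__getitem__
    bad = devices_with_reorder_hdr(devs, reader)
    print("REORDER_HDR still set on:", ", ".join(bad) or "none")
```

On a real system run it as python vlan_check.py vlan100 vlan200 … vlan900 (the file name is an assumption); any device it lists is one more vconfig set_flag DEV 1 0 away from being pingable through.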
Tags: Administration, Shaper
Posted 23 November 2009 in Misc
All of this is about a good guy and his wife, whom I, sadly, never once met. Didn't have time?.. Couldn't manage it, probably.
— Go on, if you want…
A beautiful sunset…
And how is it at work?
— Fine so far…
And really, the clouds stand there like mountains?..
— Indeed, mountains… Like a fairytale dream…
— And how far did he fall?..
— …There, about six hundred metres…
Yuri Vizbor
…and when you are suddenly left without skin
because they killed him, not you…
Vladimir Vysotsky
…and it is not about that either,
that I could have, but failed to, keep them safe;
it is not about that,
and yet, and yet, and yet…
Alexander Tvardovsky
No, guys! It is all wrong!
It is all wrong, guys…
Vladimir Vysotsky
…And there, where the clay road ends,
I will see rains, but will not get soaked and will not grow cold.
I have understood the law
and have seen God flying,
and the Son.
I have died. Do not weep. Pray.
I am higher and higher.
And a dove streams down to the earth to the sound of trumpets.
I seem to have gone out.
I see: above the house there is not a roof
but HANDS.
Hanna Kuzemska
Tags: Private
Posted 19 November 2009 in Misc