Opened 12 years ago

Closed 11 years ago

Last modified 11 years ago

#660 closed enhancement (fixed)

connbytes patch

Reported by: netprince
Owned by: florian
Priority: normal
Milestone: 0.9/rc6
Component: kernel
Version:
Keywords: netfilter connbytes
Cc:

Description

This is a patch for the connbytes feature for whiterussian. It is a port from the previous version for kernel 2.4.24 found here:

http://luxik.cdi.cz/~devik/connbytes/

and

http://svn.netfilter.org/cgi-bin/viewcvs.cgi/trunk/patch-o-matic-ng/patchlets/connbytes/?rev=4258

I believe it should not have the same problem as the last patch because it does not deal with the ip_ct_refresh function, but I am no expert:

/ticket/267.html

I have built it and tested with the following iptables rule and it seems to be working:

iptables -A OUTPUT -m connbytes --connbytes 9000:11000 --connbytes-dir both  --connbytes-mode bytes

One can see how much throughput is associated with each connection by checking /proc/net/ip_conntrack.

This patch should be useful for marking long running uploads with low priority.

Attachments (2)

118-netfilter_connbytes.patch (5.8 KB) - added by netprince 12 years ago.
118-netfilter_connbytes.patch
118-netfilter_connbytes.2.patch (6.2 KB) - added by netprince 11 years ago.
Updated ipt_connbytes patch, works when compiled as a module.
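
How a range such as the `--connbytes 9000:11000 --connbytes-dir both --connbytes-mode bytes` rule in the description selects connections, shown as an added example that is not part of the ticket or the patch. The conntrack line layout (two `bytes=` counters per entry, original direction first) and all sample lines are assumptions constructed for illustration; the patched kernel's actual /proc output may differ.

```python
import re

# Constructed sample; the packets=/bytes= layout is an assumption modelled on
# mainline conntrack accounting output, not captured from this patch.
SAMPLE = """\
tcp 6 431990 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=40000 dport=22 packets=40 bytes=6000 src=203.0.113.5 dst=192.168.1.10 sport=22 dport=40000 packets=35 bytes=4000 [ASSURED] use=1
tcp 6 431800 ESTABLISHED src=192.168.1.11 dst=203.0.113.9 sport=40001 dport=80 packets=900 bytes=1200000 src=203.0.113.9 dst=192.168.1.11 sport=80 dport=40001 packets=600 bytes=32000 [ASSURED] use=1
udp 17 25 src=192.168.1.10 dst=192.0.2.53 sport=5353 dport=53 packets=1 bytes=70 src=192.0.2.53 dst=192.168.1.10 sport=53 dport=5353 packets=1 bytes=130 use=1
tcp 6 110 SYN_SENT src=192.168.1.12 dst=198.51.100.7 sport=40002 dport=443 [UNREPLIED] src=198.51.100.7 dst=192.168.1.12 sport=443 dport=40002 use=1
"""


def parse_entry(line):
    """Return (original-direction tuple, orig_bytes, reply_bytes), or None."""
    counters = [int(n) for n in re.findall(r"\bbytes=(\d+)", line)]
    if len(counters) != 2:
        return None  # no per-direction counters on this line
    tuple_fields = re.findall(r"\b(src|dst|sport|dport)=(\S+)", line)
    return dict(tuple_fields[:4]), counters[0], counters[1]


def counted_bytes(orig, reply, direction):
    """Bytes the match looks at for a given --connbytes-dir value."""
    return {"original": orig, "reply": reply, "both": orig + reply}[direction]


def in_range(value, spec):
    """Evaluate a FROM:[TO] range; an empty TO means no upper bound."""
    lo, colon, hi = spec.partition(":")
    if not colon or not lo.isdigit() or (hi and not hi.isdigit()):
        raise ValueError(f"bad range {spec!r}")
    return int(lo) <= value and (hi == "" or value <= int(hi))


def matching_connections(text, spec, direction="both"):
    """List (src, dst, dport, counted_bytes) for entries inside the range."""
    hits = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        tup, orig, reply = entry
        value = counted_bytes(orig, reply, direction)
        if in_range(value, spec):
            hits.append((tup["src"], tup["dst"], int(tup.get("dport", 0)), value))
    return hits


if __name__ == "__main__":
    print(matching_connections(SAMPLE, "9000:11000"))
    print(matching_connections(SAMPLE, "1000000:", "original"))
```

An open-ended range on the original direction, as in the second call, is the shape that fits the stated use case of picking out long-running uploads.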


Change History (8)

Changed 12 years ago by netprince

118-netfilter_connbytes.patch

comment:1 Changed 12 years ago by florian

  • Owner changed from developers to florian
  • Status changed from new to assigned

comment:2 Changed 11 years ago by florian

  • Resolution set to fixed
  • Status changed from assigned to closed

Added in [4596]

comment:3 Changed 11 years ago by netprince

  • Resolution fixed deleted
  • Status changed from closed to reopened

Unfortunately the patch doesn't work as a module. If I change the following line in branches/whiterussian/openwrt/target/linux/linux-2.4/config/brcm from

CONFIG_IP_NF_MATCH_CONNBYTES=m

to

CONFIG_IP_NF_MATCH_CONNBYTES=Y

then the patch works great. I must admit, I don't know why the patch doesn't work as a module. I can insmod the 'ipt_connbytes' module, but the 'bytes' column does not appear in /proc/net/ip_conntrack and packet matching does not work in iptables. I hope to throw more time at the problem as it becomes available...

comment:4 Changed 11 years ago by netprince

Updated patch, now works as a module. You can see the bytes per connection in /proc/net/ip_connbytes. You can also test by adding this line to the 'OUTPUT' section of /etc/init.d/S35firewall:

iptables -A OUTPUT -m connbytes --connbytes 1000:11000 --connbytes-dir both  --connbytes-mode bytes

Then check for matched packets with the command 'iptables -L OUTPUT -v'. Also don't forget to 'insmod ipt_connbytes' if you compiled as a module.

Changed 11 years ago by netprince

Updated ipt_connbytes patch, works when compiled as a module.

comment:5 Changed 11 years ago by florian

  • Resolution set to fixed
  • Status changed from reopened to closed

Updated in [4739]

comment:6 Changed 11 years ago by netprince

Just tested the latest WR, seems to be working.
