Ratelimit rules order? #12

Closed
dashkevichdmitry opened this issue May 26, 2017 · 13 comments

@dashkevichdmitry

I need to ratelimit the whole network, except for some IPs.
For a test I run:

root@ubuntu:~# iptables -A FORWARD -m ratelimit --ratelimit-set fullspeedsrc --ratelimit-mode src -j DROP
root@ubuntu:~# iptables -A FORWARD -m ratelimit --ratelimit-set fullspeeddst --ratelimit-mode dst -j DROP
root@ubuntu:~# iptables -A FORWARD -m ratelimit --ratelimit-set limitdst --ratelimit-mode dst -j DROP
root@ubuntu:~# iptables -A FORWARD -m ratelimit --ratelimit-set limitsrc --ratelimit-mode src -j DROP
root@ubuntu:~# echo +10.8.0.100 100000000 > /proc/net/ipt_ratelimit/fullspeedsrc
root@ubuntu:~# echo +10.8.0.100 100000000 > /proc/net/ipt_ratelimit/fullspeeddst
root@ubuntu:~# echo +10.8.0.101 1000000 > /proc/net/ipt_ratelimit/limitdst
root@ubuntu:~# echo +10.8.0.101 1000000 > /proc/net/ipt_ratelimit/limitsrc

All works fine: IP .100 has a 100mbit limit and IP .101 has a 1mbit limit.
After that I remove the .101 rules and add rules for the .100/24 IP range:

root@ubuntu:~# echo -10.8.0.101 1000000 > /proc/net/ipt_ratelimit/limitsrc
root@ubuntu:~# echo -10.8.0.101 1000000 > /proc/net/ipt_ratelimit/limitdst
root@ubuntu:~# echo +10.8.0.100/24 1000000 > /proc/net/ipt_ratelimit/limitsrc
root@ubuntu:~# echo +10.8.0.100/24 1000000 > /proc/net/ipt_ratelimit/limitdst

But IP .100 also has a 1mbit limit; the first rules for IP .101 don't work.

How can I implement this logic?

@aabc
Owner

aabc commented May 26, 2017

This should already work. If it supposedly isn't, test and prove it's not working.

@dashkevichdmitry
Author

dashkevichdmitry commented May 26, 2017

I tested the speed and created the issue based on it.

These IPs are OpenVPN users. OpenVPN runs on an Android tablet. I test the speed with a speedtest app.
I add the first rules with the limit per single IP, connect to OpenVPN as the user with IP .101, run the test and get 1mbit, then disconnect and connect as the user with IP .100 and get 10mbit speed (the server, the tablet or the channel can't reach the full 100mbit, but it isn't 1mbit); all fine.
Then I change the rules, repeat the test and get 1mbit for both users.

What can I provide for debugging?

@aabc
Owner

aabc commented May 26, 2017

  1. Reload the ratelimit rules, so that the counters are clean.
  2. When you are testing IP .100 and getting 20mbit speed, in the middle of the test cat the /proc/net/ipt_ratelimit/ files and copy-paste their content here. That should show which rules are triggering.

@dashkevichdmitry
Author

By "reload" I understand that I need to clear the set files?

root@ubuntu:~# echo / > /proc/net/ipt_ratelimit/fullspeeddst
root@ubuntu:~# echo / > /proc/net/ipt_ratelimit/fullspeedsrc
root@ubuntu:~# echo / > /proc/net/ipt_ratelimit/limitdst
root@ubuntu:~# echo / > /proc/net/ipt_ratelimit/limitsrc
root@ubuntu:~# echo +10.8.0.100 100000000 > /proc/net/ipt_ratelimit/fullspeedsrc
root@ubuntu:~# echo +10.8.0.100 100000000 > /proc/net/ipt_ratelimit/fullspeeddst
root@ubuntu:~# echo +10.8.0.101 1000000 > /proc/net/ipt_ratelimit/limitdst
root@ubuntu:~# echo +10.8.0.101 1000000 > /proc/net/ipt_ratelimit/limitsrc

Run the test:

root@ubuntu:~# cat /proc/net/ipt_ratelimit/fullspeeddst
10.8.0.100 cir 100000000 cbs 18750000 ebs 37500000; tc 0 te 0 last 2736; conf 15177/12664727 0 bps, rej 0/0
root@ubuntu:~# cat /proc/net/ipt_ratelimit/fullspeedsrc
10.8.0.100 cir 100000000 cbs 18750000 ebs 37500000; tc 324 te 0 last 19; conf 18691/17732314 7074 bps, rej 0/0
root@ubuntu:~# cat /proc/net/ipt_ratelimit/limitdst
10.8.0.101 cir 1000000 cbs 187500 ebs 375000; tc 0 te 0 last 2117; conf 464/374141 0 bps, rej 0/0
root@ubuntu:~# cat /proc/net/ipt_ratelimit/limitsrc
10.8.0.101 cir 1000000 cbs 187500 ebs 375000; tc 0 te 0 last 4009; conf 526/62639 0 bps, rej 0/0

Change the rules:

root@ubuntu:~# echo / > /proc/net/ipt_ratelimit/fullspeeddst
root@ubuntu:~# echo / > /proc/net/ipt_ratelimit/fullspeedsrc
root@ubuntu:~# echo / > /proc/net/ipt_ratelimit/limitdst
root@ubuntu:~# echo / > /proc/net/ipt_ratelimit/limitsrc
root@ubuntu:~# echo +10.8.0.100 100000000 > /proc/net/ipt_ratelimit/fullspeedsrc
root@ubuntu:~# echo +10.8.0.100 100000000 > /proc/net/ipt_ratelimit/fullspeeddst
root@ubuntu:~# echo +10.8.0.100/24 1000000 > /proc/net/ipt_ratelimit/limitsrc
root@ubuntu:~# echo +10.8.0.100/24 1000000 > /proc/net/ipt_ratelimit/limitdst

Run the test:

root@ubuntu:~# cat /proc/net/ipt_ratelimit/fullspeeddst
10.8.0.100 cir 100000000 cbs 18750000 ebs 37500000; tc 80 te 0 last 64; conf 6690/2655256 88550 bps, rej 0/0
root@ubuntu:~# cat /proc/net/ipt_ratelimit/fullspeedsrc
10.8.0.100 cir 100000000 cbs 18750000 ebs 37500000; tc 0 te 0 last 138; conf 7988/8762750 474412 bps, rej 0/0
root@ubuntu:~# cat /proc/net/ipt_ratelimit/limitdst
10.8.0.0/24 cir 1000000 cbs 187500 ebs 375000; tc 0 te 163890 last 7; conf 6373/2060542 1656 bps, rej 440/607401
root@ubuntu:~# cat /proc/net/ipt_ratelimit/limitsrc
10.8.0.0/24 cir 1000000 cbs 187500 ebs 375000; tc 0 te 354443 last 3; conf 7028/7409030 2954 bps, rej 1011/1357078

Speedtest screenshot

@aabc
Owner

aabc commented May 26, 2017

It's hard to comprehend these stats because the test was not performed as I requested and the stats are dirty with noise data.

  1. I don't need two tests, I only need a single test with incorrect ratelimiting.
  2. Clean the set rules just before the test, so that the counters are zero.
  3. Run the test from IP 10.8.0.100. Make sure your test IP is 10.8.0.100. I don't see proof of that in your data. The screenshot does not show your IP.
  4. In the middle of the test, cat the /proc/net/ipt_ratelimit/ files. Just an upload or download test is enough. For example, in the middle of a download. I just want to see for certain where the counters are increasing.

@dashkevichdmitry
Author

10.8.0.100 proof
While running the test, the other user is not connected to the VPN.

root@ubuntu:~# echo / > /proc/net/ipt_ratelimit/fullspeeddst
root@ubuntu:~# echo / > /proc/net/ipt_ratelimit/fullspeedsrc
root@ubuntu:~# echo / > /proc/net/ipt_ratelimit/limitdst
root@ubuntu:~# echo / > /proc/net/ipt_ratelimit/limitsrc
root@ubuntu:~# echo +10.8.0.100 100000000 > /proc/net/ipt_ratelimit/fullspeedsrc
root@ubuntu:~# echo +10.8.0.100 100000000 > /proc/net/ipt_ratelimit/fullspeeddst
root@ubuntu:~# echo +10.8.0.100/24 1000000 > /proc/net/ipt_ratelimit/limitsrc
root@ubuntu:~# echo +10.8.0.100/24 1000000 > /proc/net/ipt_ratelimit/limitdst
root@ubuntu:~# cat /proc/net/ipt_ratelimit/fullspeeddst
10.8.0.100 cir 100000000 cbs 18750000 ebs 37500000; tc 0 te 0 last never; conf 0/0 0 bps, rej 0/0
root@ubuntu:~# cat /proc/net/ipt_ratelimit/fullspeedsrc
10.8.0.100 cir 100000000 cbs 18750000 ebs 37500000; tc 0 te 0 last never; conf 0/0 0 bps, rej 0/0
root@ubuntu:~# cat /proc/net/ipt_ratelimit/limitdst
10.8.0.0/24 cir 1000000 cbs 187500 ebs 375000; tc 0 te 0 last never; conf 0/0 0 bps, rej 0/0
root@ubuntu:~# cat /proc/net/ipt_ratelimit/limitsrc
10.8.0.0/24 cir 1000000 cbs 187500 ebs 375000; tc 0 te 0 last never; conf 0/0 0 bps, rej 0/0

Run the test and in the middle of the download run cat:

root@ubuntu:~# cat /proc/net/ipt_ratelimit/fullspeeddst
10.8.0.100 cir 100000000 cbs 18750000 ebs 37500000; tc 0 te 0 last 3; conf 1089/1419961 715600 bps, rej 0/0
root@ubuntu:~# cat /proc/net/ipt_ratelimit/fullspeedsrc
10.8.0.100 cir 100000000 cbs 18750000 ebs 37500000; tc 104 te 0 last 2; conf 884/61227 33452 bps, rej 0/0
root@ubuntu:~# cat /proc/net/ipt_ratelimit/limitdst
10.8.0.0/24 cir 1000000 cbs 187500 ebs 375000; tc 280804 te 93304 last 0; conf 770/975966 515292 bps, rej 321/445496
root@ubuntu:~# cat /proc/net/ipt_ratelimit/limitsrc
10.8.0.0/24 cir 1000000 cbs 187500 ebs 375000; tc 104 te 0 last 4; conf 884/61227 33452 bps, rej 0/0
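
The mid-download snapshot above is the evidence aabc asked for: the only entry with a growing rej counter is the 10.8.0.0/24 entry in limitdst, while the 10.8.0.100 entry in fullspeeddst only conforms. Each iptables rule with its own set is evaluated independently, so a DROP from the limitdst rule is not prevented by a match in fullspeeddst. The following parser for the /proc/net/ipt_ratelimit stat format is an added example, not part of this thread or of the xt_ratelimit project; it reads the four snapshot lines above (embedded as constructed sample input) and reports which entries are rejecting and which are untouched. My reading of the fields (cir = committed rate in bit/s, cbs/ebs = committed/excess burst in bytes, conf and rej = packets/bytes conformed and rejected, last = time since the last packet or "never") is an assumption based on this thread's output; expected_burst() encodes only the cbs = cir*3/16 and ebs = cir*3/8 relationship visible in these lines, not anything verified against the module's source.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the four set files as captured mid-download in this
# thread, keyed by set name, so the example runs offline.
SAMPLE_SETS = {
    "fullspeeddst": "10.8.0.100 cir 100000000 cbs 18750000 ebs 37500000; tc 0 te 0 last 3; conf 1089/1419961 715600 bps, rej 0/0\n",
    "fullspeedsrc": "10.8.0.100 cir 100000000 cbs 18750000 ebs 37500000; tc 104 te 0 last 2; conf 884/61227 33452 bps, rej 0/0\n",
    "limitdst": "10.8.0.0/24 cir 1000000 cbs 187500 ebs 375000; tc 280804 te 93304 last 0; conf 770/975966 515292 bps, rej 321/445496\n",
    "limitsrc": "10.8.0.0/24 cir 1000000 cbs 187500 ebs 375000; tc 104 te 0 last 4; conf 884/61227 33452 bps, rej 0/0\n",
}

# One stat line per set entry; field names follow the labels printed by the module.
LINE_RE = re.compile(
    r"^(?P<prefix>\S+) cir (?P<cir>\d+) cbs (?P<cbs>\d+) ebs (?P<ebs>\d+); "
    r"tc (?P<tc>\d+) te (?P<te>\d+) last (?P<last>\d+|never); "
    r"conf (?P<conf_pkts>\d+)/(?P<conf_bytes>\d+) (?P<bps>\d+) bps, "
    r"rej (?P<rej_pkts>\d+)/(?P<rej_bytes>\d+)$"
)


@dataclass
class Entry:
    prefix: str          # address or CIDR prefix this entry applies to
    cir: int             # committed rate, bit/s (assumed meaning)
    cbs: int             # committed burst, bytes (assumed meaning)
    ebs: int             # excess burst, bytes (assumed meaning)
    tc: int
    te: int
    last: Optional[int]  # None when the module prints "never"
    conf_pkts: int
    conf_bytes: int
    bps: int             # current conforming rate reported by the module
    rej_pkts: int
    rej_bytes: int


def parse_set(text: str) -> List[Entry]:
    """Parse the content of one /proc/net/ipt_ratelimit/<set> file."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ipt_ratelimit line: {line!r}")
        g = m.groupdict()
        entries.append(Entry(
            prefix=g["prefix"],
            cir=int(g["cir"]), cbs=int(g["cbs"]), ebs=int(g["ebs"]),
            tc=int(g["tc"]), te=int(g["te"]),
            last=None if g["last"] == "never" else int(g["last"]),
            conf_pkts=int(g["conf_pkts"]), conf_bytes=int(g["conf_bytes"]),
            bps=int(g["bps"]),
            rej_pkts=int(g["rej_pkts"]), rej_bytes=int(g["rej_bytes"]),
        ))
    return entries


def parse_all(files: Dict[str, str]) -> Dict[str, List[Entry]]:
    return {name: parse_set(text) for name, text in files.items()}


def read_proc(directory: str = "/proc/net/ipt_ratelimit") -> Dict[str, str]:
    """Read every set file from the live module directory (needs the module loaded)."""
    out = {}
    for name in sorted(os.listdir(directory)):
        with open(os.path.join(directory, name)) as fh:
            out[name] = fh.read()
    return out


def untouched(sets: Dict[str, List[Entry]]) -> List[Tuple[str, str]]:
    """Entries whose counters are still zero, i.e. what a clean reload should show."""
    return [(n, e.prefix) for n, es in sets.items() for e in es
            if e.last is None and e.conf_pkts == 0 and e.rej_pkts == 0]


def rejecting(sets: Dict[str, List[Entry]]) -> List[Tuple[str, str, int, int]]:
    """Entries with a non-zero reject counter: the rules actually doing the dropping."""
    return [(n, e.prefix, e.rej_pkts, e.rej_bytes)
            for n, es in sets.items() for e in es if e.rej_pkts > 0]


def busiest(sets: Dict[str, List[Entry]]) -> Optional[Tuple[str, str, int]]:
    """Entry currently passing the most conforming traffic, by reported bps."""
    best = None
    for n, es in sets.items():
        for e in es:
            if best is None or e.bps > best[2]:
                best = (n, e.prefix, e.bps)
    return best


def expected_burst(cir: int) -> Tuple[int, int]:
    """(cbs, ebs) as they relate to cir in this thread's output; an observed ratio, not a spec."""
    return (cir * 3 // 16, cir * 3 // 8)


if __name__ == "__main__":
    snapshot = parse_all(SAMPLE_SETS)
    print("rejecting:", rejecting(snapshot))
    print("busiest:", busiest(snapshot))
    print("untouched:", untouched(snapshot))
```

Run it against the live module by replacing SAMPLE_SETS with read_proc(); a reload that really zeroed the counters should make untouched() list every entry before the test starts, and rejecting() after a few seconds of download names the set and prefix that is dropping.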

@aabc aabc added the invalid label May 26, 2017
@aabc
Owner

aabc commented May 26, 2017

I misinterpreted your setup at first, so the test wasn't really necessary, and everything seems to be working correctly.

@dashkevichdmitry
Author

So, for correct ratelimiting I need to create separate rules for IP .100 and for the other IPs, but if one rule overlaps other rules, does the module use the last one?

@aabc
Owner

aabc commented May 26, 2017

Answer two questions:

  • Why did you create four sets and not just two?
  • Why did you put just one rule per set?

@dashkevichdmitry
Author

I'm a guest in Linux.

Why did you put just one rule per set?

I understood my mistake; I can add both rules in one set file.

Why did you create four sets and not just two?

I looked at the readme and thought I needed to create a separate set for src and dst. If I don't add the ratelimit-mode param, will the set be used for both src and dst?

@aabc
Owner

aabc commented May 26, 2017

Why did you create 4 sets and not just 2?

@dashkevichdmitry
Author

After understanding my mistake, I did this; all works fine:

iptables -A FORWARD -m ratelimit --ratelimit-set myset --ratelimit-mode src -j DROP
iptables -A FORWARD -m ratelimit --ratelimit-set myset --ratelimit-mode dst -j DROP
echo / > /proc/net/ipt_ratelimit/myset
echo +10.8.0.100 100000000 > /proc/net/ipt_ratelimit/myset
echo +10.8.0.101 100000000 > /proc/net/ipt_ratelimit/myset
echo +10.8.0.100/24 1000000 > /proc/net/ipt_ratelimit/myset

@aabc
Owner

aabc commented May 27, 2017

Grats!
