Stuart Sheldon | 13 May 2011 19:44

Quick Question...


Hi all,

Are there plans to implement the anycast feature set in ip for IPv6
anycast addresses?

Thanks in advance,

Stuart Sheldon
ACT USA

-- 
Spider Pig, Spider Pig, Does whatever a Spider Pig does.
Can he swing, from a web, no he can't, he's a pig.
Look Oouuuut! He is a Spider Pig....
		-- Matt Groening - "Spider Pig Lyrics"
Grant Taylor | 5 May 2011 18:00

Moving the LARTC list to a new domain.

/If/ this mailing list is to move to a new domain, I'd suggest that we 
move it to something at lartc.org if at all possible, rather than 
moving it to a different domain that is not directly associated with 
LARTC or portable.

Doing that would keep the mailing list address (hopefully 
lartc <at> lartc.org) dis-associated with any other entity and would allow it 
to move from location to location as the need arises over the coming years.

Grant. . . .

Rsvp with tc

Dear mailing list,

I'm experiencing some trouble with the tc command, especially with the rsvp filter. I tried to use it
as described in the help section:

tc filter add dev eth0 parent 1:0 protocol ip priority 100 rsvp ipproto udp session 10.74.92.174/6000

after having created all the qdiscs described in cbqinit.eth0 (in the examples of tc/iproute2):

$TC qdisc add dev $DEVICE root handle 1: cbq $BANDWIDTH allot 1514 $AVPKT mpu 64
$TC class add dev $DEVICE parent 1:0 classid :1 est 1sec 8sec cbq $BANDWIDTH rate 10Mbit allot 1514 maxburst 50 $AVPKT
$TC class add dev $DEVICE parent 1:1 classid :2 est 1sec 8sec cbq $BANDWIDTH rate 4Mbit allot 1514 cell 8 weight 500Kbit prio 6 maxburst 50 $AVPKT split 1:0 defmap ff3d
$TC qdisc add dev $DEVICE parent 1:2 sfq quantum 1514b perturb 15
$TC class add dev $DEVICE parent 1:1 classid :3 est 2sec 16sec cbq $BANDWIDTH rate 1Mbit allot 1514 weight 100Kbit prio 2 maxburst 100 $AVPKT split 1:0 defmap c0
$TC qdisc add dev $DEVICE parent 1:3 sfq quantum 1514b perturb 15
$TC class add dev $DEVICE parent 1:1 classid :4 est 1sec 8sec cbq $BANDWIDTH rate 100Kbit allot 1514 weight 10Mbit prio 7 maxburst 10 $AVPKT split 1:0 defmap 2
$TC qdisc add dev $DEVICE parent 1:4 sfq quantum 1514b perturb 15
$TC class add dev $DEVICE parent 1:1 classid 1:7FFE cbq rate 5Mbit $BANDWIDTH allot 1514b $AVPKT maxburst 20 cell 8
$TC class add dev $DEVICE parent 1:7FFE classid 1:7FFF est 4sec 32sec cbq rate 1Mbit $BANDWIDTH allot 1514b $AVPKT weight 10Kbit prio 6 maxburst 10 split 1:7FFE defmap ffff

I've also tried a lot of variations (for example, I've tried to use the flowid option), but none succeeded:
the error is always the same:

RTNETLINK answers: Invalid argument

Don Gould | 4 May 2011 23:30

SMB traffic routing/blocking...

Dear Spammers,

Thanks for waking everyone on the list up last night. ;)

Dear List,

Now that you're all awake, and following the number of requests for some technical discussion, here's my current challenge on my little research project...

Yes, I'm wanting to figure out the following for a Mikrotik RB750G router, but AIUI the mkt runs a Linux core, so my request is on topic ;)

I've got a number of networks on my router....

192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
192.168.4.0/24

192.168.1.2 can ping 192.168.2.2, 192.168.3.2, 192.168.4.2

That's cool.

However I don't want people on 2.0 to be able to see computers in 3.0 or 4.0, etc.

I also don't want them to be able to establish windows networking connections – so basically samba/smb connections.

However I do want 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24 to be able to use a NAS in 192.168.1.0/24.

So I need to drop some traffic unless it's heading to my NAS IP (192.168.1.2 for sake of argument).

I do want users in 192.168.x.0/24 to be able to see each other though.

I'm using a Mikrotik 750G with router OS5 on it, lic 4.

TIA


D

-- Don Gould 31 Acheson Ave Mairehau Christchurch, New Zealand Ph: + 64 3 348 7235 Mobile: + 64 21 114 0699
_______________________________________________
LARTC mailing list
LARTC <at> mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
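A first-match model of the forward policy Don describes, added here as an example (it is neither his configuration nor Mikrotik code): the NAS address, the four subnets and the SMB ports are the post's, while the ESTABLISHED,RELATED rule and the iptables rendering are my assumptions about how a Linux box would carry the same policy. Traffic within one subnet never reaches the router's FORWARD path, so only inter-subnet flows are evaluated.

```python
from ipaddress import ip_address, ip_network

# Values from the post: four LAN subnets behind the router and the NAS at 192.168.1.2.
NAS = ip_address("192.168.1.2")
LANS = [ip_network(f"192.168.{i}.0/24") for i in range(1, 5)]
SMB_PORTS = {137, 138, 139, 445}      # NetBIOS name/datagram/session and direct-hosted SMB

def lan_of(ip):
    """Return the LAN subnet an address belongs to, or None if it is outside all four."""
    return next((n for n in LANS if ip in n), None)

# Ordered first-match FORWARD policy for *new* connections; replies are assumed to be
# accepted by a stateful ESTABLISHED,RELATED rule placed ahead of these (an assumption).
def allow_to_nas(src, dst, proto, dport):
    return lan_of(src) is not None and dst == NAS

def drop_smb(src, dst, proto, dport):
    return proto in ("tcp", "udp") and dport in SMB_PORTS

def drop_inter_lan(src, dst, proto, dport):
    s, d = lan_of(src), lan_of(dst)
    return s is not None and d is not None and s != d

POLICY = [("allow-to-nas", allow_to_nas, "accept"),
          ("drop-smb", drop_smb, "drop"),
          ("drop-inter-lan", drop_inter_lan, "drop")]
DEFAULT = "accept"   # anything else, e.g. LAN -> internet, is forwarded

def forward_verdict(src, dst, proto="tcp", dport=0):
    """Evaluate the policy for one new connection; returns (verdict, matching rule name)."""
    src, dst = ip_address(src), ip_address(dst)
    for name, predicate, verdict in POLICY:
        if predicate(src, dst, proto, dport):
            return verdict, name
    return DEFAULT, "default"

def iptables_lines():
    """The same policy written as Linux iptables FORWARD rules (RouterOS uses its own syntax)."""
    lines = ["iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    lines += [f"iptables -A FORWARD -s {n} -d {NAS} -j ACCEPT" for n in LANS]
    lines += [f"iptables -A FORWARD -p {p} --dport {port} -j DROP"
              for p in ("tcp", "udp") for port in sorted(SMB_PORTS)]
    lines += [f"iptables -A FORWARD -s {a} -d {b} -j DROP" for a in LANS for b in LANS if a != b]
    return lines

if __name__ == "__main__":
    print(forward_verdict("192.168.2.10", "192.168.1.2", "tcp", 445))   # ('accept', 'allow-to-nas')
    print(forward_verdict("192.168.2.10", "192.168.3.10", "tcp", 445))  # ('drop', 'drop-smb')
    print("\n".join(iptables_lines()))
```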
Eddy | 4 May 2011 21:02

(no subject)

Constantinescu Daniel Eduard

Michelle Konzack | 4 May 2011 00:11

WHY DO I GET MESSAGES from the list now, if I am unsubscribed since years?

WHY DO I GET MESSAGES from the list if I am unsubscribed since years?
Don Gould | 3 May 2011 23:52

List fault?

I'm getting a small stream of old posts and spam off this list.

Are others seeing same?

D

-- 
Don Gould
31 Acheson Ave
Mairehau
Christchurch, New Zealand
Ph: + 64 3 348 7235
Mobile: + 64 21 114 0699
Stephen Hemminger | 22 Feb 2011 18:05

Re: iproute 2010-2011 - tree problem (udp, quid, action police + action mirred)

On Tue, 22 Feb 2011 11:15:39 +0100
"PIOTREK H." <komarekmz <at> tlen.pl> wrote:

> Welcome
> 
> I have a problem with the new iproute "iproute2-2.6.37.tar.bz2 07-Jan-2011 9:18" (the problem from version 2010 to 2011).
> Three problems:
> a) with filters for UDP traffic
> problem affects only the queuing traffic to the machine on which you work qos
> In the case of UDP traffic filter does not detect movement.
> The filter works for udp traffic through the router.
> Example:
> qos router has the IP 20.0.0.1
> $TC filter add dev $dev parent 1:0 protocol ip prio 5 u32 \
> match ip protocol 0x11 0xff \
> match u32 0 0 flowid 1:a4f
> or
> $TC filter add dev $dev parent 1:0 protocol ip prio 5 u32 \
> match ip sport 67 0xffff \
> match u32 0 0 flowid 1:a1 \
> action mirred egress redirect dev ifb4
> 
> $TC filter add dev $dev parent 1:0 protocol ip prio 5 u32 \
> match ip dport 68 0xffff \
> match u32 0 0 flowid 1:a1 \
> action mirred egress redirect dev ifb4
> 
> or
> $TC filter add dev $dev parent 1:0 protocol ip prio 5 u32 \
> match ip protocol 0x11 0xff \
> match ip src 20.0.0.1/32 flowid 1:a4f
> 
> These filters do not work for traffic to or from the router.
> In the old versions of iproute these filters work.
> 
> 
> b) squid (only egress)
> In the case of traffic from squid filter captures traffic diversion, but the interface is killed ifb movement (2-6kbit)
> 
> Traffic is routed to squid with iptables. After downloading the redirect to squid qos works well.
> I noticed that this problem occurs on the cards gigabyte (for Intel 100Pro is ok)
> 
> c) the police action + action mirror
> This problem was resolved for the 2010 version of the patch.
> 
> action police rate 1024kbit burst 90kB conform-exceed drop/pipe \
> action mirred egress redirect dev $qdev2
> 
> such action is working ok in iproute iproute2-ss100224 with the patch. Does not work in the new iproute (without the patch, the patch does not have).
> How should this action? I need to trim one filter and redirect traffic to the interface.
> At the ingress use police action + action mirred, I use the egress flowid + action mirred
> 
> My router:
> tc utility, iproute2-ss110107
> Linux shaper 2.6.26-2
> problem on several routers (in different versions kernel and iproute)
> 
> Work ok:
> tc -V
> tc utility, iproute2-ss070710
> Linux traktor 2.6.23.17-imq #1 SMP Fri Oct 10 00:12:20 CEST 2008 i686 GNU/Linux
> 
> Linux rtr-58.core 2.6.17.13 #1 Mon Mar 10 09:48:28 CET 2008 i686 GNU/Linux
> tc utility, iproute2-ss061214
> 
> with the new iproute have a problem. 
> I will be grateful for any hint or help.
> Thank you for your time.
> 
> If the message sent in breach of procedures sorry.
> 
> 
> Piotr Homa (Poland) 

Could you post these to netdev <at> vger.kernel.org
Serguei G. Poltorak | 2 Dec 2010 12:37

default route with two nexthops and MASQUERADE problem

Dear all,

I've the following problem with routing + NAT:
If I've two ISPs and I'm using two nexthops in the default route with MASQUERADE on both ISP links, I see the routing cache regenerated, but sometimes packets sent to a new link (after cache regeneration) use the wrong source address for masquerading.

Here is the config.

I've two links to outside via two different providers: eth1 and eth2
eth0 is the LAN

# ip a (part of output, since we have 3 more interfaces disabled)
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:1a:92:9e:66:e8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
       valid_lft forever preferred_lft forever
3: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether d8:5d:4c:80:6b:2b brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.254/24 brd 192.168.2.255 scope global eth2
       valid_lft forever preferred_lft forever
6: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:1a:92:9e:76:82 brd ff:ff:ff:ff:ff:ff
    inet 192.168.5.1/24 brd 192.168.5.255 scope global eth0
       valid_lft forever preferred_lft forever

# ip r (main table)
192.168.5.0/24 dev eth0  proto kernel  scope link  src 192.168.5.1
192.168.2.0/24 dev eth2  proto kernel  scope link  src 192.168.2.254
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254
default
    nexthop via 192.168.1.1  dev eth1 weight 1
    nexthop via 192.168.2.1  dev eth2 weight 1

# ip r s t eth1
default via 192.168.1.1 dev eth1

# ip r s t eth2
default via 192.168.2.1 dev eth2

# ip ru
0:    from all lookup local
32450:    from 192.168.2.254 lookup eth2
32717:    from 192.168.5.124 lookup eth1
32766:    from all lookup main
32767:    from all lookup default

Q1: if I do pings from two PC in LAN: 5.137 and 5.147, to the same IP how can they go via different links (ping 195.60.x.x is run on both computers)?

# ip r g 195.60.x.x from 192.168.5.137 iif eth0
195.60.169.6 from 192.168.5.137 via 192.168.1.1 dev eth1  src 192.168.5.1
    cache <src-direct>  mtu 1500 advmss 1460 hoplimit 128 iif eth0

# ip r g 195.60.x.x from 192.168.5.147 iif eth0
195.60.169.6 from 192.168.5.147 via 192.168.2.1 dev eth2  src 192.168.5.1
    cache <src-direct>  mtu 1500 advmss 1460 hoplimit 128 iif eth0

The routing in my case should be the same for all users. It should send packets to the same destination via the same link always (even if the source IP is different), shouldn't it?

Q2: Sometimes I see in tcpdump on external ifaces that the routing cache was regenerated. This can be forced by "ip r f t cache". This sometimes results in a change of the link for my pings. But one of the two machines suddenly loses connection. After the tcpdump it is because the routing has decided to use another link, but the MASQUERADE was not updated at that time:
 
# tcpdump -i eth1
IP 192.168.2.254 > 195.60.x.x: ICMP echo request, id 10677, seq 242, length 64 (request from .5.147 with wrong source address due to MASQUERADE not updated according to the routing cache purge - hence, no reply, since the source address of the MASQUERADEd packet is wrong)
IP 192.168.1.254 > 195.60.x.x: ICMP echo request, id 37387, seq 244, length 64 (request from .5.137)
IP 195.60.x.x > 192.168.1.254: ICMP echo reply, id 37387, seq 244, length 64

Here is my MASQUERADE setting
# iptables -L -t nat
Chain POSTROUTING (policy ACCEPT 752K packets, 48M bytes)
 pkts bytes target     prot opt in     out     source               destination        
2840K  256M MASQUERADE  all  --  any    eth1    192.168.5.0/24       anywhere           
2491K  229M MASQUERADE  all  --  any    eth2    192.168.5.0/24       anywhere


I understand that I can use conntrack to mark packets, but it is a little bit more complicated. I would prefer to use the destination IP as the key for routing. What is wrong in this scenario? Why do routing cache purges not notify the NAT engine about changes in routing?

PoltoS
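The Q2 failure as a runnable model, added here as an example (not the poster's configuration and not kernel code): the MASQUERADE binding is made once, at a flow's first packet, while the route can be re-selected after a cache flush; the "sticky" mode ties the route to the connection's remembered link, which is what the conntrack-marking approach the post mentions achieves. The link-selection function and the two LAN hosts are my simplified stand-ins; the uplink addresses and the ping target are from the post.

```python
from zlib import crc32

# External addresses of the two uplinks, from the post's 'ip a' output.
LINKS = {"eth1": "192.168.1.254", "eth2": "192.168.2.254"}
LINK_ORDER = ["eth1", "eth2"]

class Router:
    """Toy model (added here, not kernel code) of a two-nexthop default route with MASQUERADE."""
    def __init__(self, sticky):
        self.sticky = sticky      # True: route each flow by the link its NAT binding was made on
        self.generation = 0       # bumped by flush_cache(), like 'ip r f t cache'
        self.conntrack = {}       # (src, dst) -> link in use when the flow's first packet was NATed

    def flush_cache(self):
        self.generation += 1

    def pick_link(self, src, dst):
        # Stand-in for the per-cache-entry multipath choice: stable for a flow while the cache
        # entry lives, but a flush may re-select; folding the generation in models that re-selection.
        return LINK_ORDER[(crc32(f"{src}>{dst}".encode()) + self.generation) % 2]

    def forward(self, src, dst):
        """One packet of flow src->dst; returns (egress link, source address after MASQUERADE)."""
        flow = (src, dst)
        if flow not in self.conntrack:                 # NAT binding is fixed at the first packet
            self.conntrack[flow] = self.pick_link(src, dst)
        nat_link = self.conntrack[flow]
        route_link = nat_link if self.sticky else self.pick_link(src, dst)
        return route_link, LINKS[nat_link]

def mismatched_flows(router, flows):
    """Flows whose packet leaves one link carrying the other link's address: no reply can return."""
    bad = []
    for src, dst in flows:
        link, saddr = router.forward(src, dst)
        if LINKS[link] != saddr:
            bad.append((src, dst))
    return bad

def scenario(sticky):
    """Mismatch counts (before flush, after flush) for the two LAN hosts pinging 195.60.169.6."""
    router = Router(sticky)
    flows = [("192.168.5.137", "195.60.169.6"), ("192.168.5.147", "195.60.169.6")]
    before = len(mismatched_flows(router, flows))
    router.flush_cache()
    after = len(mismatched_flows(router, flows))
    return before, after

if __name__ == "__main__":
    print(scenario(sticky=False))   # (0, 2): both flows break after the cache flush
    print(scenario(sticky=True))    # (0, 0): routing follows the NAT binding
```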
Christian Parpart | 2 Dec 2010 02:32

public root server with /64 IPv6 & my local home inet

Hey all,

I am having a public reachable root server with its own /64 IPv6 block ready 
and at home still IPv4 but a WRT54GL with a fresh OpenWRT (IPv6-capable) 
installed.

Now I want to bridge the IPv6 network from my root server to use this 64-bit 
block *locally*, leaving the primary address at the public root server, and 
distribute the remaining addresses to my home computers.

I hope I described my goal just right, but currently I'm a little 
unsure of what the right way to go would be.

AFAIK, I am in no need of a tunnel broker because I already have an IPv6 
block, but I need to set up a virtual network that connects my root server with 
my wrt54gl router, which then forwards all IPv6 traffic between the hosts behind it and the root 
server.

From my point of view, radvd should *ideally* be installed on the root server, 
but this is where it ends for me - I just hope I do not need too many layering 
tools like OpenVPN to achieve this goal.

What can I do?

Regards,
Christian Parpart.
Flechsenhaar, Jon J | 10 Sep 2010 00:56

Racoon/ipsec/setkey questions/bugs

I have two x86 laptops, one with ipsec-utils 0.7 and one with 0.7.1.  It seems that the filtering rules in
setkey don't work as the man page describes.  Below I have listed some combinations of what has worked and
what has failed as a bi-directional pair, A to B and then B to A, for example.

For each pair combination I did a fresh ping from node A; logged the result.  I then restarted the racoon
daemon and flushed setkey and did a ping from node B; logged the result.  3 examples of the actual setkey
configuration are below in no significant order.  I actually summarized the rules in the results table
below as well.  Fail means the IPSEC session never established, usually a failed proposal section for phase
2.  Pass means that the IPSEC session established and the ping went through.

Test 1:
spdadd 2.2.2.2/32 0.0.0.0/0 icmp -P out ipsec esp/transport//require ah/transport//require;
spdadd 0.0.0.0/0 2.2.2.2/32 icmp -P out ipsec esp/transport//require ah/transport//require;

Test 5:
spdadd 2.2.2.2/32 1.1.1.1/32 icmp -P out ipsec esp/transport//require ah/transport//require;
spdadd 1.1.1.1/32 2.2.2.2/32 icmp -P out ipsec esp/transport//require ah/transport//require;

Test 11:
spdadd 2.2.0.0/28 0.0.0.0/0 any -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 2.2.0.0/28 any -P in ipsec esp/transport//require;

Complete Results table:
Test #  PC Rule A       PC Rule B       Ping from PC A  Ping from PC B
1       ip 0/0 out ICMP ip 0/0 out ICMP fail    fail
        0/0 ip in ICMP  0/0 ip in ICMP
2       ip 0/0 out ICMP ip 0/0 out any  fail    pass
        0/0 ip in ICMP  0/0 ip in any
3       ip 0/0 out any  ip 0/0 out any  pass    pass
        0/0 ip in any   0/0 ip in any
4       ip/32 ip/32 out ICMP    ip 0/0 out any  pass    pass
        ip/32 ip/32 ip in ICMP  0/0 ip in any
5       ip/32 ip/32 out ICMP    ip 0/0 out ICMP pass    fail
        ip/32 ip/32 ip in ICMP  0/0 ip in ICMP
6       ip/32 ip/32 out ICMP    ip/32 ip/32 out ICMP    pass    pass
        ip/32 ip/32 ip in ICMP  ip/32 ip/32 ip in ICMP
7       ip/32 ip/24 out ICMP    ip/32 ip/32 out ICMP    pass    pass
        ip/32 ip/24 ip in ICMP  ip/32 ip/32 ip in ICMP
8       ip/32 ip/24 out ICMP    ip/32 ip/24 out ICMP    pass    pass
        ip/32 ip/24 ip in ICMP  ip/32 ip/24 ip in ICMP
9       ip/28 ip/28 out ICMP    ip/28 ip/28 out ICMP    pass    pass
        ip/28 ip/28 ip in ICMP  ip/28 ip/28 ip in ICMP
10      ip/28 0/0 out ICMP      ip/28 0/0 out ICMP      fail    fail
        0/0 ip/28 ip in ICMP    0/0 ip/28 ip in ICMP
11      ip/28 0/0 out any       ip/28 0/0 out any       pass    pass
        0/0 ip/28 ip in any     0/0 ip/28 ip in any

Summary:
Basically I have noticed that when I change the mask or the protocol that I'm filtering on, an IPSEC session can
fail to establish or pass.  This seems like a definite bug in setkey.  I am surprised that I don't see any posts
regarding this anywhere though.  In my search most setkey configurations are very basic though, and maybe
there isn't a demand for a more complex setkey policy configuration?

If there is a better list to post this on, please advise as well.

Any thoughts/ideas/help on this would be appreciated.  Thanks!

Jon Flechsenhaar
Boeing WNW Team
Network Services Layer
(714)-372-5172
B11-F2-2B60
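Two consistency checks over spdadd policies, added here as an example (not the poster's or ipsec-tools code; TEST1 and TEST11 copy the post's lines, PEER_B is a constructed mirror-image peer for Test 11): on one host every out policy needs the reply-direction in policy, and across peers A's out selector must meet a B in selector carrying the same ipsec policies, or phase 2 has nothing to agree on. As listed on the page, Test 1 and Test 5 carry -P out on both lines, which the first check reports.

```python
from ipaddress import ip_network

# Copies of the Test 1 and Test 11 spdadd lines from the post (constructed input for this example).
TEST1 = """
spdadd 2.2.2.2/32 0.0.0.0/0 icmp -P out ipsec esp/transport//require ah/transport//require;
spdadd 0.0.0.0/0 2.2.2.2/32 icmp -P out ipsec esp/transport//require ah/transport//require;
"""
TEST11 = """
spdadd 2.2.0.0/28 0.0.0.0/0 any -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 2.2.0.0/28 any -P in ipsec esp/transport//require;
"""
# Hypothetical peer for Test 11 (constructed): the mirror image of that host's policy.
PEER_B = """
spdadd 0.0.0.0/0 2.2.0.0/28 any -P out ipsec esp/transport//require;
spdadd 2.2.0.0/28 0.0.0.0/0 any -P in ipsec esp/transport//require;
"""

def parse_spd(text):
    """Parse 'spdadd SRC DST PROTO -P DIR ipsec POLICY...;' lines into rule dicts."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.strip().rstrip(";").split()
        if len(parts) < 8 or parts[0] != "spdadd" or parts[4] != "-P" or parts[6] != "ipsec":
            raise ValueError(f"unparsed spdadd line: {line!r}")
        rules.append({"src": ip_network(parts[1]), "dst": ip_network(parts[2]), "proto": parts[3],
                      "dir": parts[5], "policies": tuple(parts[7:])})
    return rules

def missing_mirrors(rules):
    """Report out policies with no reply-direction in policy (and vice versa) on the same host."""
    present = {(r["src"], r["dst"], r["proto"], r["dir"]) for r in rules}
    findings = []
    for r in rules:
        mirror = (r["dst"], r["src"], r["proto"], "in" if r["dir"] == "out" else "out")
        if mirror not in present:
            findings.append(f"no -P {mirror[3]} policy for {mirror[0]} -> {mirror[1]} {mirror[2]}")
    return findings

def peer_mismatches(host_a, host_b):
    """Each out policy on A needs an in policy on B with the same selector and ipsec policies."""
    b_in = {(r["src"], r["dst"], r["proto"]): r["policies"] for r in host_b if r["dir"] == "in"}
    findings = []
    for r in (x for x in host_a if x["dir"] == "out"):
        sel = (r["src"], r["dst"], r["proto"])
        if sel not in b_in:
            findings.append(f"B has no -P in policy for A's {sel[0]} -> {sel[1]} {sel[2]}")
        elif b_in[sel] != r["policies"]:
            findings.append(f"policy mismatch for {sel[0]} -> {sel[1]}: {r['policies']} vs {b_in[sel]}")
    return findings
```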
