Reply To: Slow ssh and httpd connections with weighted routing…


#50309

arfon

For ssh on port 10, couldn’t I just change it to:

Index: kerbynet.cgi/scripts/fw_initrules
===================================================================
RCS file: /home/atheling/cvsroot/Zeroshell/Zeroshell/kerbynet.cgi/scripts/fw_initrules,v
retrieving revision 1.1.1.1
diff -w -u -6 -r1.1.1.1 fw_initrules
--- kerbynet.cgi/scripts/fw_initrules 26 Nov 2009 22:13:35 -0000 1.1.1.1
+++ kerbynet.cgi/scripts/fw_initrules 1 Dec 2009 03:51:40 -0000
@@ -2,13 +2,13 @@
. /etc/kerbynet.conf
CHAIN="$1"
[ -z "$CHAIN" ] && exit 1
CONFIG="$REGISTER/system/net/FW/"
if [ "$CHAIN" == QoS ] ; then
TABLE="-t mangle"
- CH=FORWARD
+ CH=QoS
else
if [ "$CHAIN" == NetBalancer ] ; then
TABLE="-t mangle"
CH=NetBalancer
else
TABLE=""
@@ -23,12 +23,16 @@
iptables -A INPUT -j SYS_INPUT
iptables -A INPUT -p tcp --dport 80 -j SYS_HTTPS
iptables -A INPUT -p tcp --dport 443 -j SYS_HTTPS
iptables -A INPUT -p tcp --dport 10 -j SYS_SSH
fi
[ "$CHAIN" == OUTPUT ] && iptables -A OUTPUT -j SYS_OUTPUT
+ # If we are doing the QoS chain, thenlear any marks left over from
+ # Netbalancing/failover routing. The QoS chain is applied after
+ # routing so there is no conflict.
+ [ "$CHAIN" == "QoS" ] && iptables $TABLE -A $CH -j MARK --set-mark 0x0
if [ -d $CONFIG/Chains/$CHAIN/Rules ] ; then
cd $CONFIG/Chains/$CHAIN/Rules
RULES=`ls`
for RULE in $RULES ; do
ENABLED="`cat $RULE/Enabled 2>/dev/null`"
if [ "$ENABLED" == yes ] ; then
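Review bot: The comment added above the mark-reset line has a typo, `thenlear`; it should read `# If we are doing the QoS chain, then clear any marks left over from`. The reset itself (`--set-mark 0x0` as the first rule of the QoS chain) is only safe because nb_fw ends up with NB_CT_POST and NB_STAT ahead of the QoS jump in mangle POSTROUTING, so the CONNMARK --save-mark and the per-gateway counters see the routing mark before it is zeroed; that cross-script ordering is worth stating here, e.g. `# Relies on nb_fw keeping NB_CT_POST/NB_STAT before the QoS jump in POSTROUTING.` The if/else on CHAIN that this code sits in begins before the hunk.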
Index: kerbynet.cgi/scripts/fw_makerule
===================================================================
RCS file: /home/atheling/cvsroot/Zeroshell/Zeroshell/kerbynet.cgi/scripts/fw_makerule,v
retrieving revision 1.1.1.1
diff -w -u -6 -r1.1.1.1 fw_makerule
--- kerbynet.cgi/scripts/fw_makerule 26 Nov 2009 22:13:35 -0000 1.1.1.1
+++ kerbynet.cgi/scripts/fw_makerule 1 Dec 2009 03:32:42 -0000
@@ -4,13 +4,13 @@
RULE="$2"
OPT="$3"
[ -z "$CHAIN" -a -z "$RULE" ] && exit 1
CONFIG="$REGISTER/system/net/FW"
if [ "$CHAIN" = QoS ] ; then
TABLE="-t mangle"
- CH=FORWARD
+ CH=QoS
else
if [ "$CHAIN" = NetBalancer ] ; then
TABLE="-t mangle"
CH=NetBalancer
else
TABLE=""
@@ -411,13 +411,13 @@
iptables $TABLE $IPT $TGT
if [ "$CHAIN" == QoS ] ; then
TGTDSCP=`cat $REGISTER/system/net/QoS/Class/$TARGET/DSCP 2>/dev/null`
if [ -n "$TGTDSCP" ] ; then
iptables $TABLE $IPT -j DSCP --set-dscp $TGTDSCP
fi
- iptables -t mangle -A FORWARD -m mark ! --mark 0 -j ACCEPT
+ iptables -t mangle -A QoS -m mark ! --mark 0 -j ACCEPT
fi
if [ "$CHAIN" == NetBalancer ] ; then
[ "$TARGET" != Auto ] && iptables -t mangle -A NetBalancer -m mark ! --mark 0 -j ACCEPT
fi
fi
fi
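Review bot: The new ACCEPT rule hard-codes `-t mangle -A QoS` although this script already computes `TABLE` and `CH` for the QoS case at its top (the earlier hunk sets `CH=QoS`), so the chain name now lives in two places in the same file; `iptables $TABLE -A $CH -m mark ! --mark 0 -j ACCEPT` keeps it in one. A one-line comment such as `# leave the chain as soon as a class mark has been set` would also help a reader see why an ACCEPT follows every rule, since the NetBalancer branch just below does the same thing without explanation. The conditional that encloses these lines begins before the hunk.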
Index: kerbynet.cgi/scripts/fw_start
===================================================================
RCS file: /home/atheling/cvsroot/Zeroshell/Zeroshell/kerbynet.cgi/scripts/fw_start,v
retrieving revision 1.1.1.1
diff -w -u -6 -r1.1.1.1 fw_start
--- kerbynet.cgi/scripts/fw_start 26 Nov 2009 22:13:35 -0000 1.1.1.1
+++ kerbynet.cgi/scripts/fw_start 30 Nov 2009 22:10:47 -0000
@@ -10,12 +10,18 @@
iptables -t mangle -F NetBalancer 2>/dev/null
iptables -t mangle -X NetBalancer 2>/dev/null
iptables -t mangle -N NetBalancer 2>/dev/null
iptables -t mangle -F OpenVPN 2>/dev/null
iptables -t mangle -X OpenVPN 2>/dev/null
iptables -t mangle -N OpenVPN 2>/dev/null
+iptables -t mangle -F QoS 2>/dev/null
+iptables -t mangle -X QoS 2>/dev/null
+iptables -t mangle -N QoS 2>/dev/null
+iptables -t mangle -F NB_CT_PRE 2>/dev/null
+iptables -t mangle -X NB_CT_PRE 2>/dev/null
+iptables -t mangle -N NB_CT_PRE 2>/dev/null
[ "$CPGW" == yes ] && iptables -N CapPort
$SCRIPTS/fw_https_chain
$SCRIPTS/fw_ssh_chain
$SCRIPTS/fw_sys_chain
CHAINS=`ls`
for C in $CHAINS ; do
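Review bot: The six new chain-creation lines say nothing about what the QoS and NB_CT_PRE chains are for or which scripts fill them, and since those users live in other files a short note per chain would help: `# QoS: filled by fw_initrules/fw_makerule, reached from mangle POSTROUTING via nb_fw` and `# NB_CT_PRE: per-gateway ingress marks for NEW connections, maintained by nb_setautomarking`. Note also that `-X` refuses to delete a chain that is still referenced (for example a POSTROUTING -j QoS left from an earlier run) and that error is hidden by `2>/dev/null`; the preceding `-F` keeps this harmless because the reused chain is at least empty, which is worth a comment so nobody drops the flush. The surrounding script starts before this hunk.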
Index: kerbynet.cgi/scripts/fw_viewchain
===================================================================
RCS file: /home/atheling/cvsroot/Zeroshell/Zeroshell/kerbynet.cgi/scripts/fw_viewchain,v
retrieving revision 1.1.1.1
diff -w -u -6 -r1.1.1.1 fw_viewchain
--- kerbynet.cgi/scripts/fw_viewchain 26 Nov 2009 22:13:35 -0000 1.1.1.1
+++ kerbynet.cgi/scripts/fw_viewchain 30 Nov 2009 19:30:43 -0000
@@ -1,7 +1,7 @@
#!/bin/sh
. /etc/kerbynet.conf
CHAIN="$1"
[ -z "$CHAIN" ] && exit 1
-[ "$CHAIN" == QoS ] && CHAIN="FORWARD -t mangle"
+[ "$CHAIN" == QoS ] && CHAIN="QoS -t mangle"
[ "$CHAIN" == NetBalancer ] && CHAIN="NetBalancer -t mangle"
iptables -n -v -L $CHAIN
Index: kerbynet.cgi/scripts/nb_fw
===================================================================
RCS file: /home/atheling/cvsroot/Zeroshell/Zeroshell/kerbynet.cgi/scripts/nb_fw,v
retrieving revision 1.1.1.1
diff -w -u -6 -r1.1.1.1 nb_fw
--- kerbynet.cgi/scripts/nb_fw 26 Nov 2009 22:13:35 -0000 1.1.1.1
+++ kerbynet.cgi/scripts/nb_fw 10 Apr 2010 13:44:21 -0000
@@ -1,23 +1,35 @@
#!/bin/sh
. /etc/kerbynet.conf
iptables -t mangle -D PREROUTING -j CONNMARK --restore-mark 2>/dev/null
+iptables -t mangle -D PREROUTING -m state --state NEW -j NB_CT_PRE 2>/dev/null
iptables -t mangle -D PREROUTING -j NetBalancer 2>/dev/null
+iptables -t mangle -D INPUT -m state --state NEW -j NB_CT_POST 2>/dev/null
iptables -t mangle -D INPUT -j NetBalancer 2>/dev/null
+iptables -t mangle -D OUTPUT -j CONNMARK --restore-mark 2>/dev/null
iptables -t mangle -D OUTPUT -j NetBalancer 2>/dev/null
iptables -t mangle -D OUTPUT -j OpenVPN 2>/dev/null
iptables -t mangle -D POSTROUTING -m state --state NEW -j NB_CT_POST 2>/dev/null
iptables -t mangle -D POSTROUTING -j NB_STAT 2>/dev/null
+# Need QoS to be done in mangle POSTROUTING. Note that if NetBalance
+# is enabled then we will insert those rules/chains first. So any
+# routing marks will be handled before we blow them away with QoS
+# marks.
+iptables -t mangle -D POSTROUTING -j QoS 2>/dev/null
+iptables -t mangle -I POSTROUTING 1 -j QoS 2>/dev/null
if [ "`cat $REGISTER/system/net/nb/Enabled 2>/dev/null`" = yes ] ; then
iptables -t mangle -I PREROUTING 1 -j CONNMARK --restore-mark
- iptables -t mangle -I PREROUTING 2 -j NetBalancer
+ iptables -t mangle -I PREROUTING 2 -m state --state NEW -j NB_CT_PRE 2>/dev/null
+ iptables -t mangle -I PREROUTING 3 -j NetBalancer
+ iptables -t mangle -I INPUT 1 -m state --state NEW -j NB_CT_POST 2>/dev/null
+ iptables -t mangle -I INPUT 2 -j NetBalancer
+ iptables -t mangle -I OUTPUT 1 -j CONNMARK --restore-mark
+ iptables -t mangle -I OUTPUT 2 -j NetBalancer
+ iptables -t mangle -I OUTPUT 3 -j OpenVPN
iptables -t mangle -I POSTROUTING 1 -m state --state NEW -j NB_CT_POST 2>/dev/null
iptables -t mangle -I POSTROUTING 2 -j NB_STAT 2>/dev/null
- iptables -t mangle -I INPUT 1 -j NetBalancer
- iptables -t mangle -I OUTPUT 1 -j NetBalancer
- iptables -t mangle -I OUTPUT 2 -j OpenVPN
fi
$SCRIPTS/nb_vpn 2> /dev/null
$SCRIPTS/nb_setautomarking 2>/dev/null



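Review bot: The jump `iptables -t mangle -I POSTROUTING 1 -j QoS 2>/dev/null` runs unconditionally and hides its failure, so if the QoS chain does not exist yet (fw_start creates it) QoS marking is silently absent; consider `iptables -t mangle -I POSTROUTING 1 -j QoS || echo "nb_fw: cannot jump to QoS chain, run fw_start first" >&2`. The comment above it describes the intended order, but that order is produced only by insertion sequence — QoS goes in at position 1 first and the later NB_CT_POST/NB_STAT inserts at 1 and 2 push it to 3 — so `# inserted before the NB_CT_POST/NB_STAT inserts below so they end up ahead of it` would make the dependency explicit. The same silent-failure pattern applies to the new NB_CT_PRE insert in PREROUTING and the NB_CT_POST insert in INPUT.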
Index: kerbynet.cgi/scripts/nb_setautomarking
===================================================================
RCS file: /home/atheling/cvsroot/Zeroshell/Zeroshell/kerbynet.cgi/scripts/nb_setautomarking,v
retrieving revision 1.1.1.1
diff -w -u -6 -r1.1.1.1 nb_setautomarking
--- kerbynet.cgi/scripts/nb_setautomarking 26 Nov 2009 22:13:35 -0000 1.1.1.1
+++ kerbynet.cgi/scripts/nb_setautomarking 4 Dec 2009 03:41:47 -0000
@@ -3,27 +3,56 @@
CONFIG=$REGISTER/system/net/nb/Gateways
cd $CONFIG
function set_gwmark {
xGW="$1"
INTERFACE=`cat $xGW/Interface 2>/dev/null`
IP=`cat $xGW/IP 2>/dev/null`
+ # Set up the pre-routing chain for new connections from this Gateway. We want
+ # to mark all traffic originating from this gateway to be routed back out to the
+ #same gateway.
+
+ # If this Gateway has no interface device defined for it, see if we can get
+ # one based on the next hop IP address
+ if [ "$INTERFACE" == "" ] ; then
+ if [ "$IP" != "" ] ; then
+ INTERFACE=`ip route get $IP | grep -o "dev w*" | awk 'BEGIN {FS=" "}{print $2}'`
+ fi
+ fi
+ # If we have found the interface, then mark all traffic coming in on it to use
+ # it for outbound responses
+ if [ "$INTERFACE" != "" ] ; then
+ if ! iptables -t mangle -L NB_CT_PRE -n | grep -q -w `echo 1$xGW |awk '{printf ("0x%x",$0)}'` ; then
+ [ "`cat $xGW/Enabled 2>/dev/null`" = yes ] && iptables -t mangle -I NB_CT_PRE 1 -i $INTERFACE -j MARK --set-mark 1$xGW
+ else
+ [ "`cat $xGW/Enabled 2>/dev/null`" != yes ] && iptables -t mangle -D NB_CT_PRE -i $INTERFACE -j MARK --set-mark 1$xGW
+ fi
+ fi
+
+ # In the post routing phase, we want to get the the routing realm used for new
+ # connections and save it in the connection. First setp here is to get the mark
+ # and put it on the packet. Our caller will emit the code to save the marks to
+ # the connection.
if ! iptables -t mangle -L NB_CT_POST -n | grep -q -w `echo 1$xGW |awk '{printf ("0x%x",$0)}'` ; then
[ "`cat $xGW/Enabled 2>/dev/null`" = yes ] && iptables -t mangle -I NB_CT_POST 1 -m realm --realm 1$xGW -j MARK --set-mark 1$xGW
else
[ "`cat $xGW/Enabled 2>/dev/null`" != yes ] && iptables -t mangle -D NB_CT_POST -m realm --realm 1$xGW -j MARK --set-mark 1$xGW
fi
+
+ # Make the entry in the statistics chain so we can track how much traffic went
+ # over each gateway
if ! iptables -t mangle -L NB_STAT -n | grep -q -w `echo 1$xGW |awk '{printf ("0x%x",$0)}'` ; then
[ "`cat $xGW/Enabled 2>/dev/null`" = yes ] && iptables -t mangle -I NB_STAT 1 -m mark --mark 1$xGW
else
[ "`cat $xGW/Enabled 2>/dev/null`" != yes ] && iptables -t mangle -D NB_STAT -m mark --mark 1$xGW
fi
}
GW="$1"
if [ -z "$GW" ] ; then
GW=`ls -d ?? 2>/dev/null`
iptables -t mangle -F NB_CT_POST
+ iptables -t mangle -F NB_CT_PRE
iptables -t mangle -F NB_STAT
for G in $GW ; do
set_gwmark $G
done
iptables -t mangle -D NB_CT_POST -j CONNMARK --save-mark 2> /dev/null
iptables -t mangle -A NB_CT_POST -j CONNMARK --save-mark
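Review bot: The interface lookup `grep -o "dev w*"` cannot work as written: `w*` matches zero or more literal `w` characters, so the extracted field is empty for most device names (the rule is then silently skipped) and just `w` for names such as wlan0, which would then be passed to `-i $INTERFACE`. If a backslash was lost when posting, the intent was presumably `\w*`; a form that does not depend on that is `INTERFACE=$(ip route get "$IP" | awk '{for (i = 1; i < NF; i++) if ($i == "dev") print $(i + 1)}')`. The added comments also need small fixes: `#same gateway` is missing a space, `the the` is doubled, and `First setp` should be `First step`. set_gwmark is complete within the hunk, but the `if [ -z "$GW" ]` block at the end continues past it.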