
#1 2006-12-03 10:46:26

FUBAR
Member
From: Belgium
Registered: 2004-12-08
Posts: 1,029
Website

[iptables] ipp2p - Dealing with P2P upload congestion

I have to share an ADSL (4MBit/256kbit) line with 4 other people. They like to download stuff, who doesn't. I don't mind. I do mind the behaviour of their P2P-clients: most clients have a fixed ratio between upload and download speeds. You can't cap the upload speed and get decent download speeds.

This is very annoying because I usually log into my box using SSH. The connection lags so much because of all the P2P upstream, that I can't even use my shell comfortably anymore.

It just so happens that I'm also the "admin" of the network and the router (running Arch! ^_^) and I've been looking for a way to deal with this annoying traffic.

I'm currently using iptables with Shorewall as a frontend. I've set up some QoS rules, but they only work for traffic that uses standard ports. P2P clients open random ports, so it's impossible to track (and manage).
I've come across ipp2p, a module for iptables that can recognize most of the P2P traffic (it checks connections, rather than individual packets).

Using the following rules I've tried to cap the combined upstream of P2P traffic to 20kbit/s (yeah, you can call me a leecher, I don't care since we have strict quotas in Belgium :P):

/etc/shorewall/tcdevices

eth1        4000kbit    256kbit

/etc/shorewall/tcclasses

# P2P outgoing
eth1        10    20kbit    20kbit    255    

/etc/shorewall/tcrules

10    10.0.0.0/0        0.0.0.0/0    ipp2p:all

eth1 being my "red" (WAN) interface, connected to the Ethernet ADSL modem. I've also tried replacing it with ppp0, but to no avail.

It doesn't seem to work: if I set an unlimited upload rate in a P2P client, the router doesn't limit it.

How do I check if the ipp2p is working correctly? I'm sure it's loaded: I can use the --help option.


A bus station is where a bus stops.
A train station is where a train stops.
On my desk I have a workstation.

Offline

#2 2006-12-04 10:16:30

cin
Member
Registered: 2006-10-23
Posts: 2

Re: [iptables] ipp2p - Dealing with P2P upload congestion

Hi, not going to be very helpful here, but having a setup similar to yours (arch router, me + 3 others; everyone does some p2p'ing), thought I might put my 2 cents...

From the ipp2p page:

In version 0.7 --debug was introduced that prints a statement about every single match into the kernel logfile. An entry would look like this:
Dec 20 14:23:10 box kernel: IPP2P.debug:UDP-match: 201 from: 192.168.0.1:4693 to: 192.168.0.2:2004 Length: 26

That would be about checking if it's working at all, and if correctly :?:  :?:

Second thingy - holy war between evil ISPs and file sharers. On ed2k, a recent emule client introduced protocol obfuscation, amule devs are working to implement it ASAP too. Don't know about other networks, but that's the way to go, methinks. Then, depending on what p2p apps yr lan-mates are running and how good the last version of IPP2P is at recognizing their traffic...

me for now sticking to customized wondershaper, latency for SSH/games ok at a cost of almost half up bandwidth wasted :(

P.S. ~1/2 year ago I needed to quickly find out how to connect our place to internet - found your wiki router page and then the rest of Arch :D :D

Offline
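To answer "is ipp2p matching anything, and for which hosts?" from the `--debug` output described above, the log entries can be tallied per source host. This is an added example, not part of the original posts; it assumes TCP entries use the same field layout as the quoted UDP entry, and apart from that first line the sample log is constructed.

```sh
#!/bin/sh
# Summarise IPP2P.debug kernel log entries per source host and protocol.
# Output columns: source-ip protocol matches total-length

ipp2p_summary() {
    awk '
    {
        # The token position depends on the syslog prefix, so search for it.
        for (i = 1; i <= NF; i++) if ($i ~ /^IPP2P\.debug:/) break
        if (i > NF || $(i+2) != "from:" || $(i+6) != "Length:") next
        proto = $i
        sub(/^IPP2P\.debug:/, "", proto)   # leaves e.g. "UDP-match:"
        sub(/-match:$/, "", proto)         # leaves e.g. "UDP"
        src = $(i+3)
        sub(/:[0-9]+$/, "", src)           # drop the source port
        key = src " " proto
        count[key]++
        bytes[key] += $(i+7)
    }
    END { for (k in count) print k, count[k], bytes[k] }
    ' | sort
}

# Sample input: the first line is the entry quoted above; the rest are
# constructed, and the TCP line assumes the same layout as the UDP one.
sample_log() {
    cat <<'EOF'
Dec 20 14:23:10 box kernel: IPP2P.debug:UDP-match: 201 from: 192.168.0.1:4693 to: 192.168.0.2:2004 Length: 26
Dec 20 14:23:11 box kernel: IPP2P.debug:UDP-match: 201 from: 192.168.0.1:4693 to: 192.168.0.2:2004 Length: 30
Dec 20 14:23:12 box kernel: IPP2P.debug:TCP-match: 2 from: 192.168.0.3:51000 to: 192.168.0.2:6881 Length: 108
Dec 20 14:23:13 box kernel: eth1: link up
EOF
}

sample_log | ipp2p_summary
```

On a live router, pipe the kernel log (for example the output of `dmesg`) into `ipp2p_summary` while a P2P client is running; an empty result means the match never fired.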

#3 2006-12-04 12:45:45

FUBAR
Member
From: Belgium
Registered: 2004-12-08
Posts: 1,029
Website

Re: [iptables] ipp2p - Dealing with P2P upload congestion

cin wrote:

From the ipp2p page:

In version 0.7 --debug was introduced that prints a statement about every single match into the kernel logfile. An entry would look like this:
Dec 20 14:23:10 box kernel: IPP2P.debug:UDP-match: 201 from: 192.168.0.1:4693 to: 192.168.0.2:2004 Length: 26

That would be about checking if it's working at all, and if correctly :?:  :?:

Thanks, I'll give that a try.

cin wrote:

Second thingy - holy war between evil ISPs and file sharers. On ed2k, a recent emule client introduced protocol obfuscation, amule devs are working to implement it ASAP too. Don't know about other networks, but that's the way to go, methinks. Then, depending on what p2p apps yr lan-mates are running and how good the last version of IPP2P is at recognizing their traffic...

Maybe l7-filter is "smart" enough?

cin wrote:

me for now sticking to customized wondershaper, latency for SSH/games ok at a cost of almost half up bandwidth wasted :(

Care to show me your rules? :)

cin wrote:

P.S. ~1/2 year ago I needed to quickly find out how to connect our place to internet - found your wiki router page and then the rest of Arch :D :D

Hehe, good to hear. :)



Offline

#4 2006-12-04 16:31:57

sh__
Member
Registered: 2005-07-19
Posts: 272

Re: [iptables] ipp2p - Dealing with P2P upload congestion

How about not trying to identify the P2P traffic at all? Use port-based QoS for known services only. Example:

SSH traffic: high priority
HTTP traffic: medium priority
everything else: low priority

Another idea (stolen from the Gentoo wiki) would be to look at the packet size. Bulk data for P2P transfers tends to be fairly big compared to SSH.

Offline

#5 2006-12-06 19:52:39

FUBAR
Member
From: Belgium
Registered: 2004-12-08
Posts: 1,029
Website

Re: [iptables] ipp2p - Dealing with P2P upload congestion

I don't just want to give it a low priority, I want to cap its upload rate. But only of P2P traffic. I think I'm nearly there. I just found out I didn't even have CONNMARK support in my kernel.



Offline
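The CONNMARK dependency mentioned in the last post matters because ipp2p recognises only some packets of a P2P connection, so the verdict has to be stored on the connection for every later packet to be capped. The script below is an added example, not from the thread and not Shorewall's generated rules: it writes the same 20kbit cap as plain iptables/tc commands, reusing mark 10, eth1 and the 256kbit uplink from the first post. The choice of ipp2p protocol options and the HTB class numbers are assumptions.

```sh
#!/bin/sh
# Print (default) or apply (APPLY=1, as root) rules that cap P2P upstream.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# p2p_cap_rules WAN_IF UPLINK_KBIT P2P_KBIT
p2p_cap_rules() {
    wan=$1; uplink=$2; p2p=$3
    mark=10                       # mark value used in the first post
    rest=$((uplink - p2p))

    # 1. Copy the mark saved on the connection onto every packet of it.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # 2. Let ipp2p look only at packets of connections not yet classified.
    run iptables -t mangle -A PREROUTING -m mark --mark 0 \
        -m ipp2p --edk --bit --kazaa --gnu --dc -j MARK --set-mark "$mark"
    # 3. Store the verdict on the connection so later packets inherit it.
    run iptables -t mangle -A PREROUTING -m mark --mark "$mark" \
        -j CONNMARK --save-mark

    # HTB on the WAN interface: P2P gets a hard ceiling, the rest may borrow.
    run tc qdisc add dev "$wan" root handle 1: htb default 20
    run tc class add dev "$wan" parent 1: classid 1:1 htb rate "${uplink}kbit"
    run tc class add dev "$wan" parent 1:1 classid 1:10 htb \
        rate "${p2p}kbit" ceil "${p2p}kbit" prio 7
    run tc class add dev "$wan" parent 1:1 classid 1:20 htb \
        rate "${rest}kbit" ceil "${uplink}kbit" prio 0
    # Packets carrying the firewall mark go to the capped class.
    run tc filter add dev "$wan" parent 1: protocol ip handle "$mark" fw flowid 1:10
}

# Values from the first post: eth1 as WAN, 256kbit uplink, 20kbit for P2P.
p2p_cap_rules eth1 256 20
```

The interface passed as WAN_IF must be the one packets actually leave on, and shaping only holds if the root rate is at or slightly below the real uplink speed so the queue stays on the router rather than in the modem.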
