dj_farid
Posted: Sat Nov 25, 2006 11:30 pm
Post subject: iptables Couldn't load match `ipp2p'
I can't get iptables to load ipp2p.
I have the same problem as in this other thread, where I participated: https://forums.gentoo.org/viewtopic-t-514362-highlight-.html. The other thread got marked "SOLVED" by the original poster. I still have the problem though. No one seems to read the thread since it is solved, so I am starting my own...
I am running gentoo-sources 2.6.18-r3.
According to the install instructions on the ipp2p homepage, this is the first thing to do in order to check that the files are installed where they are supposed to be:
Code:
# iptables -m ipp2p --help
iptables v1.3.6: Couldn't load match `ipp2p'
Try `iptables -h' or 'iptables --help' for more information.
It should not give this error message.
Here you can see that the files are installed where they should be, but iptables still does not seem to find the extension:
Code:
# ls /lib/iptables
libipt_CLASSIFY.so libipt_REDIRECT.so libipt_connbytes.so libipt_layer7.so libipt_sctp.so
libipt_CLUSTERIP.so libipt_REJECT.so libipt_connlimit.so libipt_length.so libipt_standard.so
libipt_CONNMARK.so libipt_SAME.so libipt_connmark.so libipt_limit.so libipt_state.so
libipt_DNAT.so libipt_SNAT.so libipt_conntrack.so libipt_mac.so libipt_stealth.so
libipt_DSCP.so libipt_TARPIT.so libipt_dccp.so libipt_mark.so libipt_string.so
libipt_ECN.so libipt_TCPMSS.so libipt_dscp.so libipt_multiport.so libipt_tcp.so
libipt_LOG.so libipt_TOS.so libipt_ecn.so libipt_owner.so libipt_tcpmss.so
libipt_MARK.so libipt_TRACE.so libipt_esp.so libipt_physdev.so libipt_tos.so
libipt_MASQUERADE.so libipt_TTL.so libipt_hashlimit.so libipt_pkttype.so libipt_ttl.so
libipt_MIRROR.so libipt_ULOG.so libipt_helper.so libipt_policy.so libipt_udp.so
libipt_NETMAP.so libipt_addrtype.so libipt_icmp.so libipt_realm.so libipt_unclean.so
libipt_NFQUEUE.so libipt_ah.so libipt_ipp2p.so libipt_recent.so
libipt_NOTRACK.so libipt_comment.so libipt_iprange.so libipt_rpc.so
Code:
# ls /lib/modules/2.6.18-gentoo-r3/ipp2p/
ipt_ipp2p.ko
The latest iptables, with the extensions and l7filter USE flags, is what I have now:
Code:
# emerge -vp iptables
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] net-firewall/iptables-1.3.6-r1 USE="extensions l7filter -imq -ipv6 -static" 0 kB
Total size of downloads: 0 kB
Latest ipp2p:
Code:
# emerge -pv ipp2p
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] net-firewall/ipp2p-0.8.2 0 kB [1]
Total size of downloads: 0 kB
Portage overlays:
[1] /usr/local/portage
Code:
# modprobe ipt_ipp2p
dmesg shows this: "IPP2P v0.8.2 loading". But it does not work.
Any ideas?

dj_farid
Posted: Tue Nov 28, 2006 10:39 am
Tried to re-emerge iptables without the "l7filter" and "extensions" flags. Re-emerged the ipp2p package after that. No change.
I have got the ipp2p source code from their homepage and installed it manually. No change.
I am running amd64. Since I don't get any errors during the compile, I guess that is not the cause of the problem.

frostschutz
Posted: Tue Nov 28, 2006 3:57 pm
I don't have iptables here right now, but if I remember correctly, iptables --help (or one of the subpages, if there are any) should show the ipp2p syntax help if iptables is using the iptables-ipp2p extension properly. This is independent of the kernel module (if the kernel module is missing you'll probably get an error while talking to the kernel). So it sounds like in your case the iptables side of things is at fault, not the kernel module.

dj_farid
Posted: Tue Nov 28, 2006 6:45 pm
Yes, this is what I think too.
I suspect iptables more and more.
Which version of iptables do you use together with ipp2p?

gregf
Posted: Wed Nov 29, 2006 2:01 am
I have not been able to get this going either. If anyone gets a working script going, I would be very grateful to see it. Been playing with it for a few days now myself.

dj_farid
Posted: Wed Nov 29, 2006 10:30 am
gregf wrote:
> I have not been able to get this going either. If anyone gets a working script going, I would be very grateful to see it. Been playing with it for a few days now myself.

What happens if you run this:
Code:
iptables -m ipp2p --help
It should not give you an error. If it gives you an error, there is no need to try writing long scripts...

gregf
Posted: Wed Nov 29, 2006 2:51 pm
Yeah, it does not load up properly.
Code:
betsy ~ # iptables -m ipp2p --help
iptables v1.3.6: Couldn't load match `ipp2p'
I did get l7filter to load up but never got it working right, so I was going to try ipp2p. I have no real big reason to use either one; I just would like to get one working correctly. I had tried the following.
Code:
#!/bin/bash
# Zap the iptables mangle queue
iptables -t mangle -F
# Egress device
OUT=eth0
# Flow rates
MAX=700kbit
BIT_MAX=40kbit
# Delete existing shaping
tc qdisc del dev $OUT root
# ===========
# Top
tc qdisc add dev $OUT root handle 1: htb default 30
tc class add dev $OUT parent 1: classid 1:1 htb rate $MAX
tc class add dev $OUT parent 1:1 classid 1:10 htb rate $MAX
# (the posted script used the undefined variable $BT_MAX here)
tc class add dev $OUT parent 1:1 classid 1:20 htb rate $BIT_MAX ceil $BIT_MAX
tc class add dev $OUT parent 1:1 classid 1:30 htb rate $MAX ceil $MAX
# Rehashing
tc qdisc add dev $OUT parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $OUT parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev $OUT parent 1:30 handle 30: sfq perturb 10
# ===================
# the magic begins...
# ===================
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A OUTPUT -m layer7 --l7proto bittorrent -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
I stole this from another post and was attempting to make it work for me, but have had no luck in it actually limiting my connection. After messing with this for a while I decided to try ipp2p, but the module does not load, as shown above. I would be happy with either working. When I tried this, my bittorrent traffic went above the max limit I set, so my bandwidth was still totally saturated, stopping me from doing anything including browsing the internet. My max upload bandwidth is 768kbit; I set my CEIL as 700kbit because I read that it should be set below what your max truly is, for performance reasons. Anyway, if someone can help get this working I would greatly appreciate it.

boerKrelis
Posted: Wed Nov 29, 2006 6:11 pm
Say, have you guys made sure the ipt_ipp2p module is loaded? `lsmod`

gregf
Posted: Wed Nov 29, 2006 7:02 pm
boerKrelis wrote:
> Say, have you guys made sure the ipt_ipp2p module is loaded? `lsmod`

Yes, it is loaded.
dj_farid: Yeah, we talked in another post a few days back; you recommended I look at l7filter or ipp2p because -m owner was no longer being used. Now I'm in the same situation with ipp2p as I was with -m owner. I did get l7filter to load at least, but it was not limiting.

gregf
Posted: Wed Nov 29, 2006 8:31 pm
Someone here mentioned they thought it was iptables, so I downgraded to the latest stable version and then re-emerged ipp2p, and it loads up fine now. I have not got around to playing with it, but if you downgrade iptables to
Code:
Installed versions: 1.3.5-r4(15:30:12 11/29/06)(extensions -imq ipv6 -l7filter -static)
then iptables -m ipp2p --help should go fine. Don't forget to reinstall ipp2p after you install iptables, and modprobe again. If you get a working script going before me, please post.

gregf
Posted: Wed Nov 29, 2006 8:44 pm
I still do not think it works, because as a quick test I did the following
Code:
iptables -A FORWARD -m ipp2p --edk --kazaa --gnu --bit --apple --dc --soul --winmx --ares -j DROP
and all the downloads/uploads were still going in bittorrent (which I did my test with), so I am still looking for ideas I guess.

dj_farid
Posted: Wed Nov 29, 2006 9:12 pm
gregf wrote:
> I still do not think it works, because as a quick test I did the following
> Code:
> iptables -A FORWARD -m ipp2p --edk --kazaa --gnu --bit --apple --dc --soul --winmx --ares -j DROP
> and all the downloads/uploads were still going in bittorrent (which I did my test with), so I am still looking for ideas I guess.

I did this exact same thing yesterday with l7-protocol. It worked really well. Stopped all my bittorrent traffic.
I think that it is time for a bug report for iptables...

gregf
Posted: Wed Nov 29, 2006 9:36 pm
Do you have a working method using l7filter to limit your upload speed for bittorrent in that case? Painful to use right now because it's eating all my bandwidth. I'm not real picky on which one I use, as long as it works.

dj_farid
Posted: Wed Nov 29, 2006 10:21 pm
I only run rtorrent on my router, which is the same machine that does the shaping.
The limiting works for maybe 10 minutes. Then all of a sudden rtorrent eats all my upload. See the other thread for details.

gregf
Posted: Wed Nov 29, 2006 10:37 pm
Well, I am going to continue looking into this, and I'll let you know if I figure anything out myself.

frostschutz
Posted: Thu Nov 30, 2006 12:00 am
gregf wrote:
> I still do not think it works, because as a quick test I did the following
> Code:
> iptables -A FORWARD -m ipp2p --edk --kazaa --gnu --bit --apple --dc --soul --winmx --ares -j DROP
> and all the downloads/uploads were still going in bittorrent (which I did my test with), so I am still looking for ideas I guess.

This is normal for P2P connections that already exist (are established) at the time the rule is added, as ipp2p only detects the opening of a connection (and dropping those packets prevents the communication from working in the first place). In other words, after adding an ipp2p rule, only connections that are created afterwards will be affected, not already established ones.

gregf
Posted: Thu Nov 30, 2006 12:55 am
I understand that part; I just worded it badly. Bittorrent was not opened before the rules were set in place.
I have made some progress though. layer7 seems to be working well, on the other hand. I still have not got bittorrent to work with it, but I have been able to limit other things like http/aim/dc++ just for tests. Any time I try to do bittorrent I have no luck though. I did read in the bittorrent.pat file that it could not limit encrypted streams, which makes sense, so I made sure I had encryption off. Still no luck, but it seems to be only the bittorrent protocol that I can't make work at this point.

gregf
Posted: Thu Nov 30, 2006 3:49 am
Sorry to keep this going so long, but I'm assuming others will be interested. I have l7filter working in full using the directconnect protocol. I still have had no luck with bittorrent, but I'm assuming that's due to the pat file. I plan on looking into ipp2p again though, since my only plans for this are to limit p2p networks. So hopes are still high.

dj_farid
Posted: Thu Nov 30, 2006 8:43 am
I was also able to limit dc++ without problems. I stopped using dc++ and went with bittorrent. That's why I want this working so badly.
Can't you see any effect of stopping bittorrent with l7? For me it works for a while.
Have you tried different bittorrent clients? I have only tried rtorrent and transmission. I think that transmission could be stopped with l7 when I tested it before, but I never tested it very hard. Rtorrent can't be stopped, it seems.
If you test ipp2p and file a bug, let me know. I suspect that the devs have changed something in iptables that broke ipp2p. I know that they changed a lot in the latest version that had to do with l7-protocol.

NTPT
Posted: Fri Dec 01, 2006 2:50 pm
gregf wrote:
> Yeah, it does not load up properly.
> Code:
> betsy ~ # iptables -m ipp2p --help
> iptables v1.3.6: Couldn't load match `ipp2p'
> I did get l7filter to load up but never got it working right, so I was going to try ipp2p. I have no real big reason to use either one; I just would like to get one working correctly. I had tried the following.
> Code:
> #!/bin/bash
> # Zap the iptables mangle queue
> iptables -t mangle -F
> # Egress device
> OUT=eth0
> # Flow rates
> MAX=700kbit
> BIT_MAX=40kbit
> # Delete existing shaping
> tc qdisc del dev $OUT root
> # ===========
> # Top
> tc qdisc add dev $OUT root handle 1: htb default 30
> tc class add dev $OUT parent 1: classid 1:1 htb rate $MAX
> tc class add dev $OUT parent 1:1 classid 1:10 htb rate $MAX
> # (the posted script used the undefined variable $BT_MAX here)
> tc class add dev $OUT parent 1:1 classid 1:20 htb rate $BIT_MAX ceil $BIT_MAX
> tc class add dev $OUT parent 1:1 classid 1:30 htb rate $MAX ceil $MAX
> # Rehashing
> tc qdisc add dev $OUT parent 1:10 handle 10: sfq perturb 10
> tc qdisc add dev $OUT parent 1:20 handle 20: sfq perturb 10
> tc qdisc add dev $OUT parent 1:30 handle 30: sfq perturb 10
> # ===================
> # the magic begins...
> # ===================
> iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
> iptables -t mangle -A OUTPUT -m mark ! --mark 0 -j ACCEPT
> iptables -t mangle -A OUTPUT -m layer7 --l7proto bittorrent -j MARK --set-mark 1
> iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
> I stole this from another post and was attempting to make it work for me, but have had no luck in it actually limiting my connection. After messing with this for a while I decided to try ipp2p, but the module does not load, as shown above. I would be happy with either working. When I tried this, my bittorrent traffic went above the max limit I set, so my bandwidth was still totally saturated, stopping me from doing anything including browsing the internet. My max upload bandwidth is 768kbit; I set my CEIL as 700kbit because I read that it should be set below what your max truly is, for performance reasons. Anyway, if someone can help get this working I would greatly appreciate it.

From my point of view the script you cite is nonsense and CAN NOT WORK, and maybe it is a source of your problems.
1: It is a mess, a misuse and misunderstanding of the rate and ceil parameters on HTB. Read something about HTB and so on.
I do not see a "tc filter" clause anywhere in your script. Please note that just marking packets is not enough to get shaping to work correctly. You MUST assign or "filter" packets with mark 1 to the correct class! (which is NOT DONE in this script)
However, this script is partially working, because all traffic is sent to class 1:30 by the "tc qdisc add dev $OUT root handle 1: htb default 30" command, and that means limited to $MAX. But NONE of the traffic is sent to class 1:20, which is intended to shape bittorrent.
And last but not least, the OUTPUT chain in iptables sees only packets that are OUTGOING FROM LOCAL PROCESSES (i.e. programs that are running on the router itself) and no packets that are routed or masqueraded (!). You MUST mark packets in the POSTROUTING chain instead to see ALL traffic going THROUGH your router.
This should be done THIS WAY:
Code:
#!/bin/bash
# Zap the iptables mangle queue
iptables -t mangle -F
# Egress device
OUT=eth0
# Flow rates
MAX_RATE=700kbit
BIT_MIN=40kbit
BIT_MAX=256kbit
# Delete existing shaping
tc qdisc del dev $OUT root
# ===========
# Top
# htb root eth0, all traffic that is not filtered is sent to class 10
tc qdisc add dev $OUT root handle 1: htb default 10
tc class add dev $OUT parent 1: classid 1:1 htb rate $MAX_RATE burst 3kb cburst 6kb
# burst improves network latency
## please note that the sum of the rates of all children MUST NOT EXCEED the rate of the parent
# and rate is what is guaranteed,
# ceil is what a class can get if it is available
# ie if some other class does not use its rate.
# class for ALL traffic
# rate is 700kbit MINUS 40kbit minimally guaranteed for bittorrent = rate 660kbit
# But when bittorrent does not run and does not occupy any bandwidth
# use the full maximal rate = ceil $MAX_RATE
tc class add dev $OUT parent 1:1 classid 1:10 htb rate 660kbit ceil $MAX_RATE burst 3kb cburst 6kb
# bittorrent has a guarantee of BIT_MIN and can use the line at most at BIT_MAX rate
tc class add dev $OUT parent 1:1 classid 1:20 htb rate $BIT_MIN ceil $BIT_MAX
# Rehashing
tc qdisc add dev $OUT parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $OUT parent 1:20 handle 20: sfq perturb 10
# ===================
# the magic begins...
# ===================
# do not filter an already marked connection - so restore the connmark and accept all packets that are marked
iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
# ipp2p filters
iptables -t mangle -A POSTROUTING -m ipp2p --ipp2p -j MARK --set-mark 1 # mark all p2p networks
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
# l7 filters are cpu intensive, fire them last in the chain so they do not need to work on all already marked data.
iptables -t mangle -A POSTROUTING -m layer7 --l7proto bittorrent -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
# ===================
# And even more magic ...
# ===================
# now it is mandatory to send the marked packets to a proper HTB class !!
# this is done by the tc filter command
tc filter add dev $OUT parent 1:0 protocol ip handle 1 fw flowid 1:20
# this filters all outgoing traffic on $OUT from qdisc node 1:0 (root class of the interface)
# which is marked with mark 1 to qdisc class 1:20
# ie all p2p ends up in htb class 1:20
# and done.
PS: iptables -L -v (i.e. verbose listing) is your friend, because netfilter holds a counter for each rule.
With iptables -t mangle -L POSTROUTING -v you can see how many packets and bytes are matched by each iptables rule, and thus determine if l7filter and ipp2p work, i.e. are matching some traffic.
PPS: tc -s class show dev somedevice shows what traffic is in what qdisc class, so you can check if the traffic really got to the right point in the qdisc.
Please sorry for my horrible English, and correct misspellings in the script .o]
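Two checks a practitioner would want before trusting a setup like the one above, written as an added example (not NTPT's or gregf's code): the HTB rule that the children's guaranteed rates must fit inside the parent rate, and reading the per-rule packet counters from an `iptables -t mangle -L POSTROUTING -v -n -x` listing to see whether the ipp2p and layer7 rules match anything. The listing embedded in the script is a constructed sample; its counters and match text are approximations, not captured output.

```shell
#!/bin/sh
# Added example, not code from the thread. Two sanity checks for the shaping
# setup described above: (1) the HTB invariant that child "rate" values must not
# add up to more than the parent's rate, (2) per-rule netfilter counters read
# from a saved verbose mangle/POSTROUTING listing.

# to_kbit: turn a tc rate such as 700kbit or 1mbit into an integer number of kbit
to_kbit() {
    case "$1" in
        *mbit) echo $(( ${1%mbit} * 1000 )) ;;
        *kbit) echo "${1%kbit}" ;;
        *)     echo "to_kbit: unsupported unit in '$1'" >&2; return 1 ;;
    esac
}

# htb_rates_ok PARENT_RATE CHILD_RATE...: succeeds only if the children's
# guaranteed rates fit inside the parent rate (the invariant NTPT points out)
htb_rates_ok() {
    parent=$(to_kbit "$1") || return 1
    shift
    sum=0
    for rate in "$@"; do
        kbit=$(to_kbit "$rate") || return 1
        sum=$(( sum + kbit ))
    done
    [ "$sum" -le "$parent" ]
}

# Constructed sample of `iptables -t mangle -L POSTROUTING -v -n -x` output for
# NTPT's rule order; counters and match text are made up for this example.
SAMPLE_LISTING='Chain POSTROUTING (policy ACCEPT 8123 packets, 4231000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    8123    4231000 CONNMARK   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            CONNMARK restore
    2010    1900000 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            mark match !0x0
      14       1200 MARK       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            ipp2p v0.8.2 --ipp2p MARK set 0x1
    6113    2331000 CONNMARK   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            CONNMARK save
      14       1200 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            mark match !0x0
       0          0 MARK       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto bittorrent MARK set 0x1
    6099    2329800 CONNMARK   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            CONNMARK save'

# rule_pkts PATTERN [LISTING]: packet counter of the first rule line matching
# PATTERN; a counter that stays at 0 means that match never fired
rule_pkts() {
    printf '%s\n' "${2:-$SAMPLE_LISTING}" |
        awk -v pat="$1" 'NR > 2 && $0 ~ pat { print $1; exit }'
}

# Usage: NTPT's rates (660 + 40 <= 700) pass, gregf's original ones do not
htb_rates_ok 700kbit 660kbit 40kbit && echo "NTPT rates: ok"
htb_rates_ok 700kbit 700kbit 40kbit 700kbit || echo "gregf rates: children exceed parent"
echo "ipp2p rule matched $(rule_pkts ipp2p) packets, layer7 rule matched $(rule_pkts 'l7proto bittorrent')"
```

On a real router replace the constructed listing with the live output of `iptables -t mangle -L POSTROUTING -v -n -x`; a layer7 counter that stays at 0 while ipp2p climbs is the symptom NTPT's PS describes.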

gregf
Posted: Fri Dec 01, 2006 5:18 pm
NTPT: thanks a lot for clearing some stuff up. I have not tried this out yet, but I have plans to later; I am just getting home from out of town. I have reworked my script since reading some more of the l7filter manual and had already added a tc filter line, so I did have that much right, but I see some stuff I may have done wrong still. I'll get back to you later today.

dj_farid
Posted: Fri Dec 01, 2006 5:21 pm
Sorry gregf for not reading your whole script before.
I only read the first part about "betsy ~ # iptables -m ipp2p --help". If that does not work, ipp2p does not work.

gregf
Posted: Sat Dec 02, 2006 12:31 am
dj_farid wrote:
> iptables -m ipp2p --help". If that does not work, ipp2p does not work.

You lost me a bit on that one. Care to clear that part up?

gregf
Posted: Sat Dec 02, 2006 12:36 am
Sorry, I think I understand you now; going to play with this a bit more now. I'll get back to you soonish.