Welcome to !

     Main Menu

· Main How-To

· Arbitrator9.61 on linux-2.4.30 miniHOWTO


· Main FAQ

· Tips & Tricks

· Change Log

· Buy Online

· Application shaping for Kazaa and numerous others

· CREDITS

· About Us

· Contact Us


     Downloads

Warning, before you untar the Arbitrator releases please read the How-To. Also any items in the Changelog relating to the version.

. arbitrator9.62.tar.gz this is the GPL version. It does not come with a GUI, nor is reporting included in this version. Those items are licensed with our commercial products only. This version runs on the Linux 2.6.5 kernel. No other patches are required since iptables and ebtables are already in this kernel. READ THE CHANGE LOG FOR INFO ON THIS VERSION.


. arbitrator8.63.tar.gz this is the GPL version. This is currently the most stable version based on the 2.4.19 kernel. It does not come with a GUI, nor is reporting included in this version. Those items are licensed with our commercial products only. This version runs on the Linux 2.4.19 kernel. READ THE CHANGE LOG FOR INFO ON THIS VERSION.


. callnetplot version 1.0 for plotting MULTIPLE VLANs This is a user donated perl script which should be used with 8.25. Other versions may be able to be tweaked to use this as well with a little work.
. sanity.tar.gz
Version 1.21 is a watchdog utility type program for the Arbi. You can read the README by clicking here.

. userlimit1.0.tar.gz
This is a beta release and we welcome beta customers. Enforce Bandwidth Caps on monthly/daily or hourly usage, take actions when caps are exceeded. You can read the README by clicking here.

. arbiqos1.1.tar.gz
This is a beta release and we welcome beta customers. You can find the docs for ArbiQos by clicking here.

. apccrond - Perl cron like helper app

. asciiplot2.0 - Perl plot routine that creates ASCII graphs in the form of horizontal bar charts. You could modify the code to output graphics instead of ASCII *'s for use with web apps. Here is the README.


. bridge-utils-0.9.5.tar
. bridge-nf-0.0.7-against-2.4.19.diff for the 2.4.19 kernels.
Off site links

. 2.6.5 Kernel Source


     Partners

Interested in simulating traffic? Please visit our partner Candela Technologies.


     Linux help links
New to Linux?
Here are a few links
to get you over the
that learning curve.

The Linux Cookbook

Linux Useful Commands

A Bridging Firewall


 NotOnFrontPage: Linux Bandwidth Arbitration How-to

PHP-NukeArbitrator How-To

Updated Sept 23, 2003

If you'd rather purchase a ready to run appliance then please contact us directly.

Linux Bandwidth Arbitration How-To


If you are looking for the ArbiQos How-To then Click here

Prerequisites:

Loading your system ( I wish this part was turn key)

To start the Bandwidth arbitrator in default mode.

To view IP addresses that are being penalized for hogging too much bandwidth.

Brief description of how it works.

Here are the basic user space commands for advanced use.

To set up bandwidth shaping.

Open Source Admin Utilities that come with the tool

The secret!

Known Issues 5/1/2003.

Network Cards and BA

Common Problems and Solutions

An Actual Configuration File With all the Startup Configuration Parameters.

Detailed Notes on Loading the Arbitrator3.2 and Suse 8.1 distribution.

Mini How-to Compile on Debian

Full How-to on Redhat 9 BA install (user provided offsite link)

Another Full How-to on Redhat 9 BA install using 8.63(user provided offsite link)

How-to discover other apps to shape

CREDITS


Prerequisites:


- Intel Based Machines with two Lan Cards

- 500 megahertz for T1 size networks 100 – 300 users

-1.0 gigahertz 10mbs Network 300-2000 users

-2.0 gigahertz 50mbs Network 2000-8000 users (this is the largest configuration that the author knows of in production)



Loading your system ( I wish this part was turn key)


Source for help


Note: Although the arbitrator is turn key (when you plug it into your network) loading the software does require some experience with configuring LINUX and the LINUX operating system. If you are uncomfortable with loading LINUX systems, you can first try

- asking questions to the Arbitrator forums.

- contact a certified LINUX consultant

- your local LINUX users group

- APconnections www.apconnections.net can preload a system and send it to you , e-mail your request for help.

Loading a standard configuration should take not longer than 2 or 3 hours.


You will need to get the right version of the LINUX kernel source , on your machine, arbitrator versions 3.0 or later require the 2.4.19 Linux kernel, the arbitrator 2.0 or earlier work with the LINUX 2.4.10 kernel.


The arbitrator 3.0 versions and later are compatible with Linux Netfilter and firewall features (you can run these co-resident on the same box) Arbitrator 3.0 and later also has the latest bug fixes.


The old version such as arbitrator 2.0 is not compatible with Netfilter, although this version is stable it does not have the latest bug fixes.


Complete instructions for loading Linux Kernels can be found at http://www.tldp.org/HOWTO/Kernel-HOWTO.html


You can download kernel source from ftp://ftp.kernel.org


If you are using arbitrator 8.x or earlier then do steps A and B

A) Follow the http://tldp.org/HOWTO/BRIDGE-STP-HOWTO/index.html make sure the bridging software is up and operational, before doing the rest of the steps.

B) Install the kernel patch bridge-nf-0.0.7-against-2.4.19.diff

If you are usning arbitrator 9.x or later then do steps C

C) Download and build a linux 2.6.5 kernel, the bridging is built into the kernel make sure to select Ethernet Bridging as a module and test your bridge. There is no need to load separate bridging software or patches when using the 2.6.5 kernel

• Create a base directory /bridge for the user space utilities that come with the LINUX bridge. Use the bridge-utils-0.9.5.tar version of the user utilities

· Make sure you can get the standard linux bridge up and running before installing the arbitrator software. If you are having trouble getting the standard Linux bridge as delivered in the base up DO NOT PROCEED, the arbitrator is dependent on this standard bridging software and will not work without it.


So far all the previous steps have walked you through getting the right version of the Linux Kernel,and bridging software on your system, the arbitrator software runs on top of the bridging configuration. The rest of the setup instructions are specific for the arbitrator software.

· Download arbitratorX.X.tar.gz to any directory ( from the link on the bandwidtharbitrator.com website), X.X is the version.

Create a directory /art

After you have the bridging utilities installed and tested and the 2.4.19 kernel source installed with a symbolic link of /usr/src/linux pointing to that 2.4.19 source directory.

The next step overwrites the standard bridging source files, it should only overwrite files specific to the arbitrator but to be safe we suggest that you do not do this on a machine with important data or one you can’t afford to have crash. If you wish to see what files will be overwritten then just look at the contents of this tar.gz

tar zxfv arbitratorX.X.tar.gz
cd arbitratorX.X
Run the following command as root
./install.sh

(if you are running a version of arbitrator that is older than 4.21 then the instructions for the install of that are here)

Rebuild your kernel.


cd /usr/src/linux
make clean
make
make bzImage
copy bzImage to your boot sector

run lilo

make modules

make modules_install


Rebuild the bridge user space utilities


cd /bridge/bridge-utils
make


If you are newer to Linux and want a more detailed set of notes see the detailed notes for the Suse 8.1 distribution

To start the Bandwidth arbitrator in default mode


The file /etc/arbdefault.conf contains the start up configuration and is self documenting, you may edit this file as appropriate.


/etc/init.d/arbitrate is executed to start everything. You can start it manually or have it start up at boot time by executing this file from an rc script.


/etc/init.d/arbitrate [start /stop]


To view IP addresses that are being penalized for hogging too much bandwidth.


tail –f /var/log/arblog


Brief description of how it works


The bandwidth arbitrator has kernel portion and user space portion. At its core are some modifications to the kernel which have two basic parts


1) A table of active internet connections (see brctl getbrain command below for a description of the fields in this table)

I refer to this table as the “brain table” because all the decisions the arbitrator makes are a result of analysis on the content of this table. The table is kept in the kernel for efficiency. The table size can be manipulated with the “brctl setbrain” command.

2) Also in the kernel are a set of queues that can be used to slow packets down. When a penalty is in effect, all packets going to and from a specific source and destination of IP address are put into a queue and delayed from 10-1000 milliseconds


In user space there exists a perl program called “new2” located in the directory /art (yes I know you purist don’t like hard coded installation directories but that is another debate) New2 starts up when “/etc/arbitrate start” is run. New2 reads the content of the brain table every second and does analysis. It then makes a decision on if there is any bandwidth abuse going on. If it decides there is bandwidth abuse going on, it levies a penalty on a specific set of IP addresses (source and destination) The penalty will only be levied against subsequent packets with the specific IP source and destination. After a short time (configuration parameter in /etc/arbdefault.conf), the penalty will expire.

Here are the basic user space commands for advanced use.
With these commands you have the power to and create new arbitrator behavior. Don’t let these intimidate you, all tuning for standard features is done from a configuration file (example below). I include this section so other programmers can create their own custom bandwidth effects!


./brctl getbrain my


The output from this command is a human readable dump of active internet connections (brain table),Only active connections are tracked the arbitrator ages out the oldest ones. The aging timer and the table are updated in the kernel are configured at start-up by parameters in /etc/arbdefault.conf.

The output from the” brctl getbrain my “ command dumps as ascii text (brain table) with the following fields (column labels)

Index = The index into the table
SRCP = The source port

DSTP = The destination port for this connection, (what service is being requested http,ftp)

Wavg = A weighted average of the in bytes per second of last three packets

Avg = the average in bytes per second since this IP pair came into the table

IP1 = source IP address

IP2 = Destination IP address

Prot = The protocol ICMP,TCP/IP,UDP


To penalize an IP source address.


./brctl dump my [IP src address] [buffer] [penalty] [IP destination address]


Where IP ADDRESS is the source address to be slowed down, in other words any IP packet coming from this address will be delayed by the “penalty” . Penalty is in 10ths of seconds. Buffer can range from 0 to 49. You’ll have to change a define in the kernel to make if bigger (until we create a nice dynamic way to change it.

The default of 80 is tuned to work with networks of up to 2000 users. The destination ip address is the last parameter, only IP packets going from the specified source to this destination will be delayed.


To clear a penalty manually


brctl dump my [0.0.0.0] [buffer] [0] [0]


This will clear the IP address being penalized associated with “buffer”


To forcibly age out an entry in the “brain table”


/bridge/bridge-utils//brctl/brctl rembrain my [index]


Note: This does not keep the IP source and destination pair out of the brain table , it will pop right back in if it is active. The arbitrator automatically ages out entries.


To ask the arbitrator how many queues are supported (how many IP address can be simultaneously penalized)


/bridge/bridge-utils//brctl /brctl getbuffs my


To control the number of packets stored in a queue


/bridge/bridge-utils//brctl/brctl dropcount my [ value]


Re-call the when packets are being delayed they are stored in a queue, if the number of packets in exceeds dropcount, the arbitrator will drop them.


To find out the bandwidth of the trunk (bi –directional total) as measured by the arbitrator


/bridge/bridge-utils//brctl /brctl getpeak my


The get peak command returns two numbers, the first is the the maximum number of bytes per second measured since the arbitrator has been running, the second number is the bytes per second for the last second. Note: The arbitrator does not assume that trunk speeds are constant , it continually measures and adjusts every 5 minutes .

To mask off a subnet from the arbitrator


brctl setmask my [x.x.x.x/y] [1 or 2]


This command was added for whole subnets where the arbitrator sees traffic which should not be penalized or analyzed in any way. This would happen in cases where the arbitrator sits near the edge of network but still gets WAN traffic from other locations in the enterprise. Setting up this mask and IP causes the arbitrator to pass all traffic as if it did not see it. This will also prevent peak bursts of bandwidth from these subnets from being calculated into the peak trunk measurements.


The last parameter is used to indicate the type of mask, 1=pair 2= absolute

A “paired” mask will only be honored if it occurs with another paired mask in a source/desitination pair,this is useful if you do not want to penalize traffic between two local subnets.

An “absolute” mask will allow traffic to pass un-molested if this address appears in the source or desitination of an internet packet.


Note: The limit is currently 30 masks.

Note: Adding a mask automatically resets the internal peak value (this is the bytes per second value the arbitrator measures to be the trunk capacity)


To remove a mask

brctl removemask my x.x.x.x ( removes a specific mask)

brctl removemask 0 ( will remove all masks)


To view current masks


brctl getmask my


To dynamically change the size of the “brain table”


./brctl setbrain my [size] [moving_avg] [inactive tics]


size= the number of internet connections to monitor, typical for T1 size networks a value of 100 is adequate.


To count the current number of connections for an IP address on your network

/art/conncount x.x.x.x

Where x.x.x.x is the IP address of interest.

moving_avg= how to weight the bytes of an internet packet. If your familiar with moving averages you know what this means.. If not well the best I can do is say that this number prevents the arbitrator from penalizing short bursts of traffic.

Inactive_tics= the time in 100ths of seconds that an “inactive”entry will the brain table will live before being tossed.


To set up bandwidth shaping
There are four basic options to set up bandwidth shaping they are controlled from the /etc/arbdefault.con, this file is well documented (sample at the end of this how-to)


1) Generic (Don’t touch that dial this is the default)
Looks at any internet connection regardless of port
and scales back bandwidth based on the default rules.

The default rules do the following:

1) Look at the trunk size
2) Look at the number of active users (ip to ip
connections)
3) The persistence of a user, is this just
a burst , (like a web page) or a big stream

It takes all these into account and then starts slowing bandwidth down for those users who are consistently using more than there fair share.

2) PRIORITY Percent

When a priority host is active the arbitrator throws out all the generic rules (above) and basically says “if I have a PRIORITY host active then slow down everybody else” , kind of radical so use it sparingly. But if you have a user that must take priority on busy trunk (your boss, paying customer, angry person with a gun) you can insure they will get through at the expense of all other users.


3) LIMIT PERCENT

This mode says only allow this host/subnet up to PERCENT bandwidth on the trunk, and hold them below this amount, the generic rules stay in effect simultaneously so a host could get slowed by a "generic" rule before reaching its limit. This is used extensively by ultimate systems a company with a very large trunk and users who are apt to grab too much.

3.1) LIMIT PERCENT UPLINK
This mode works just like LIMIT PERCENT but it is only applied to the traffic coming from host/subnet. To see the syntaxt of how to use the UPLINK LIMIT, runn the ADD_CONFIG command from the console without any parameters, and it will display the usage syntax for setting up this type of LIMIT.

3.2) LIMIT PERCENT DOWNLINK

Same as UPLINK but the opposite direction, limits traffic going to the specified host/subnet.

4) LIMIT by Service (ftp,http etc)

In this mode the arbitrator limits the bandwidth on your trunk to a percent of the trunk, if the combined traffic of all the hosts using this service exceeds the set percent they are collectively scaled back.


5) As of the 3.2 release you now have the option to set a time period for the shaping command to be in effect. For example if you want to limit ftp downloads to 10 percent of your bandwidth between 1:00 and 2:00 pm you can now do this! Details for setting this configuration are documented in the config follow (see next paragraph)

This is done by setting parameters in /etc/arbdefault.conf , an example of this file and a more complete description on how to configure these features are documented below.


6) As of the 3.3 release you can now set a limit for an entire subnet example below in the /etc/arbdefault.conf file


7) APPLICATION SHAPING

Arbitrator 4.x now comes with application shaping for KAZAA,POP3 and IMAP and others, details on how to use these features are explained in the /etc/arbdefault.conf.


To increase the number penalty queues (the number of hosts that can be penalized simultaneously.

/bridge/bridge-utils//brctl/brctl setbuffs my <#>


The default is for T1 sized networks and is set to 40 , note you must run “/etc/init.d/arbitrate stop” (and then start) for this parameter to take effect.


To turn off the dynamic trunk size feature (it is automatically on) .


Normally the arbitrator automatically determines the trunk size and there is no need to statically set it. The arbitrator makes all of its decisions on who to penalize based on how much bandwidth they use relative to the trunk size. So artificially setting this value higher or lower than the actual trunk size can make the arbitrator do some weird things.


/bridge/bridge-utils//brctl/brctl settrunk my < bi-direction total of bytes per second of the trunk>


Setting the trunk size to 0 will turn on dynamic trunk size calculation.


Open Source Admin Utilities that come with the tool


/art/penalties mm/dd/yy


It will give you the top ten offenders by IP for the
given date.


/art/utilization [minutes]


Reports the average utilization (the sum of
downloading and uplink) for the "minutes"

Warning if your arblog file gets really really big
this may have problems, I did not test it at the upper
limits of what an arblog file could grow to.


/bridge/bridge-utils/breakdown


Utility to remove the default bridge, normally eth0 and eth1 make up the bridge, this is used by advanced programmers when making a new bridge kernel module to remove the bridge in conjunction with the setup command.


/bridge/bridge-utils/setup Starts up the bridge.


Starting with version 4.4 you also have the following commands:

MODIFY_CONFIG Dynamically change your shaping parameters on the fly.

The modify config command is a full featured command designed to allow the arbitrator user to experiment or fine tune their system without the need to start and stop the main processes.

All parameter changes sent by this command take effect immediately and have no effect on your other parameters or your running system.

It supports Persistence of Data:

When changing a command with this interface the "static" file /etc/arbdefault.conf will also automatically be changed to reflect the parameter setting should the system need to be restarted it will remain with the "comitted" change.

It provides a history of previous configurations:


Should the need arise to revert to a previous configuration this command automatically time stamps and archives your previous configuration as /etc/arbdfault.TIMESTAMP.


When parameters are changed, the specific changed parameters are also noted in the standard log file.

/var/log/arblog

This will allow the user to correlate parameter changes to network behavior.


/art/MODIFY_CONFIG

For Example usages for this command type :

/art/MODIFY_CONFIG


Starting with Version 4.5

ADD_CONFIG (stable Beta , maybe a few quirks)

/art/ADD_CONFIG


The offiical arbitrator approved method for safely changing configuration parameters. With this routine you can now dynamically add new shaping rules on the fly without restarting the arbitrator. It also archives your previous configuration (Copies /etc/arbdefault.conf to a date stamped version in the same directory.

For Example usages for this command type :

/art/ADD_CONFIG


/art/BROWSE_CONFIG

The official way to look at your parameters .
For Example usages for this command type :

/art/BROWSE_CONFIG


/art/test_config4.5.sh


The official configuration test utility, provides a nice sanity test to make sure the arbitrator is installed and responding correctly. Comments in the beginning of the file explain how to use this utility.

THERE ARE SOME MINOR RESTRICTIONS so please read first!

We will continue to expand this utility into a more comprehensive self test with future releases.


/art/REMOVE_CONFIG

The official way to remove shaping/limiting
For Example usages for this command type :

/art/REMOVE_CONFIG


Starting with Version 4.63
We have created three configuration parameters to make it easy to set up an external IP address to remotely contact the arbitrator in a "two ethernet" card configuration.

BRIDGEIP
BRIDGENETMASK
BRIDGEROUTE

They allow you to set an IP address for the bridge, which is essentially just like setting up the normal IP address on a host, except that with a bridge you have to do it a bit differently. So the arbitrator start up routine will do the IP set up for you if you set these parameters up.

Use the standard MODIFY_CONFIG utility to set values for these parameters.


Starting with Version 5.0
CONTENT_FILTER is used for creating content filters, activating and deactivating them is done with ADD_CONFIG REMOVE_CONFIG

Starting with Version 5.3
Features

In this release the major enhancement is the ability to limit a single user to a fixed amount of traffic per an application .

For example:

To keep the user at 10.33.22.1 from using more than 50kbs for BEARSHARE you would do the following.

1) Assuming you have a 5mbs Trunk , you would do the following.

First Turn on APP SHAPING for BEARSHARE in general by

ADD_CONFIG APP BEARSHARE 100

Notice I set the BEARSHARE limit for the whole trunk to 100 percent because I had no desire to limit BEARSHARE trunk wide.

Now ADD in the specific host(s) you want to limit for BEARSHARE

ADD_CONFIG HOST 10.33.22.1/32 COMPOUND BEARSHARE 1
And you are done.

To REMOVE this rule

REMOVE_CONFIG COMPOUND 10.33.22.1 BEARSHARE.

Caveats to this utility.

The 5.3 release does not support persistence, if you reboot you must re-enter the rules (most users just write a start-up script)

The 5.3 release does not support modify for these "Compound" limits, you must remove and then add to change.


Starting with version 5.5

You can now specify a SHAPE amount by kbs in addtion to setting your limits as a percentage of the trunk size. Simply add kbs after the number you want like 60000kbs. Without the KBS in the suffix, the value reverts to percent.

You can turn off the default shaping mode using a new parameter DEFAULT_RULES. The default rules are background rules for determining bandwidth hogs; which up until now were a pain to disable (when customers just wanted fixed limits only)


Starting with version 6.0

6.0 introduces connection limits here are some examples

brctl setconnection my x.x.x.x/32 20 80

The command above will prevent any new connections to port 80 on host x.x.x.x once there are already 20 connections.

Note: All connections are counted (not just port 80). This is because many connections are transient, they start on port 80 and change ports.

brctl setconnection my x.x.x.x/32 20 0

The command above will prevent any new connections to any port on host x.x.x.x beyond 20 connections.

brctl setconnection my x.x.x.x/32 0 80

The command above will remove the connection limit for port 80.


Starting with version 6.2
New Persistent commands

ADD_CONFIG MAC x:x:x:x:x:x LIMIT

Where x:x:x:x:x:x is any mac address visible to the arbitrator. (must be on the same LAN segment).

To see current MAC addresses visible to the arbitrator you can type

brctl showmacs my

port no mac addr is local? ageing timer
2 00:02:3f:37:29:11 no 172.96
1 00:04:9a:87:28:f0 no 0.56
1 00:30:1b:ae:a5:20 yes 0.00
2 00:30:1b:ae:a5:21 yes 0.00

Note when entering MAC addresses for shaping to the arbitrator you must leave off the leading 0's, for example

this is valid..

ADD_CONFIG MAC 0:4:9a:87:28:f0 LIMIT 10kbs

This is wrong

ADD_CONFIG 00:04:9a:87:28:f0

You can also see the current IP MAC associations for active connections with the command

/brctl getmacip my

You can remove a MAC shaping rule by

REMOVE_CONFIG MAC x:x:x:x:x:x

For limiting the total connections to a server you can now use the standard command line utilities that support persistence.

ADD_CONFIG CONNECTION x.x.x.x/y val port

Note /y must be 32 (all bits no subnet support for now)

val is the number of connections to allow

port is the port to deny service to once this server has more than "val" connections already.

Setting the port to 0 will refuse connections to all ports once the connection limit is reached

REMOVE_CONFIG CONNECTION x.x.x.x/y


Other caveats:

1) You should only set connections limits when the system is lightly loaded. It is not retroactive to existing connections.

2) Connection Limits are not available for subnets in the first release

3) Persistence not supported inthe first release of connection limits

Starting with version 6.3
ADD_CONFIG MAC

REMOVE_CONFIG MAC

Starting with version 7.3

You can now start the arbitrator and tell it run in double time, essentially what this means is that it will do analysis on bandwdith usage twice a second instead of once a second.

This version is meant for use in doing QOS type activities where it is important to scale back hogs more quickly. If you choose to use double time on the standard arbitrator it is advised that you also scale back the PENALTY_UNIT parameter as the combination of a smaller PENALTY_UNIT and double time should give you smoother shaping.

The trade-off with using double time, is that it will use quite a bit more resources. Keep an eye on system cpu usage.

The following low level command can be used to speed up the average of data analysis in the kernel.

/bridge/bridge-utils/brctl/brclt timefactor my

Where should be either 1 or 2, a value of 1 causes the kernel to average data once a second (this is the default)

Note: you can set double time in the standard start command without calling brctl command see below.

A value of 2 causes it compute average data rates twice second, a value of 3 would cause it to average data 3 times a second.

This feature has been integrated into the system start-up utility so you can select double time in one step.

/etc/init.d/arbitrate start 2 (for double time)
/etc/init.d/arbitrate start 1 (for normal time or just leave the last parameter off)

Starting with version 7.32
There is a new utility called /art/getbrain2

This new utility will allow you to look at usage by application. It will only show you the current active usage for selected applications (BEARSHARE GNUTELLA WINMX and so forth) You must turn on application shaping for each individual application you wish to track. Be careful not to turn on too many at one time unless needed, shaping applications will tax your CPU utilization.

Also if you are just interested in tracking application usage with this utility and not shaping then set the percent value to 100 and nothing will get penalized.


Usage:

/art/getbrain2


The output format is


App Wavg Avg IP1 IP2
BEARSHARE 57 459 68.59.200.207 10.0.0.85
BEARSHARE 94 320 67.86.247.254 10.0.0.85
BEARSHARE 56 196 24.203.23.18 10.0.0.85


Where

APP is the common name of the active application
Wavg is the weighted average over the last 8 seconds in bytes per second
Avg is the average bytes per second for this connections since it became active
IP1 is the destination IP address
IP2 is the source IP adress.


Starting with Version 7.51

ADD_CONFIG CONNECTION x.x.x.x/y val port direction

The direction parameter is new to the 7.51 release. A value of 0 indicates limit incoming connections to host, a value of 1 indicates limit the total number of outgoing connections from the host. For backward compatibility you can leave the "direction" parameter off and the connection limit will default to incoming.

"x.x.x.x" = is the host and y must be 32.

"val" = connections allowed before droping new connections.

Setting the port to 0 will limit all connections coming into this host.

Setting the port value will do the following, please READ carefully. When the port value is set the number of connections coming to/from the host on all ports will be counted. When the number of connections on ALL ports exceeds "val" new connections to the specified "port" will be denied.

Connections are defined as any two IP addresses talking to each other.

A new parameter RATIO has been added. This parameter will allow the adminstrator to tell the arbitrator (default rules) not to create any Penalties unti the utilization on the trunk exceeds "RATIO". Ratio should be set from 1 to 100. For example setting Ratio to 90 on 100kbs trunk will disable any arbitration of data until the trunk utilization hits 90kbs. Ratio applies to both TRUNK_UP and TRUNK_DOWN directions.

The Sanity Utility
It checks:
Cpu utilization (warns at 90 percent)
To make sure the bridge is up and running
Brain table capacity
Arbitrator is running
Process for do mac shaping is running
Disk space
Penalty buffer capacity.

If any of these checks fails it prints a warning a message and will return 1

If all the checks report ok it will return 0.

To put it in a loop to constantly monitor you could do the following in a shell script and take action only when there is a problem

while true
do
./sanity > /dev/null
if [ "$?" = "1" ]
then
# call sendmail or something here
fi
sleep 100
done


Here are the basic user space commands for advanced use.
With this command you have the power to create new arbitrator behavior. Don’t let this intimidate you, all tuning for standard features is done from a configuration file (example below). I include this section so other programmers can create their own custom bandwidth effects!


./brctl getbrain my

-----------------------------------------

Use ./brctl getbrain my x.x.x.x/y or ./brctl getbrain my 0 (after version 8.x)


The secret!


Almost all internet communications have a client server model where the client is sending requests and the server is sending data. This is true for ftp transfers, streaming video and streaming audio. Even if the client and server are sending UDP packets there is always a client server relationship. It so happens that the slowing or delaying the client requests is a much better way to throttle the data back than slowing the data coming from the server.


This is radically different than the methods employed by WFQ and other packet shaping tools. (as far as I can tell other tools do not do this)


The biggest advantage to slowing down client requests is that you get at the source of traffic problems without employing expensive and complex queing algorithms. Oh and it so far in all the testing and trials it seems to work pretty well!




An Actual Configuration File With all the Startup Configuration Parameters with comments. Do not use this as your actual file though because we no longer allow comments such as these.


       
# LINUX arbitrator Edit as appropriate  
# MAY 2003 by Art Reisman Apconnections www.apconnections.net
       
# NOTE: As of release 4.5 you should use the config tools
# MODIFY_CONFIG ADD_CONFIG and BROWSE_CONFIG   
# (REMOVE_CONFIG coming in 4.6)   
# to make configuration changes   
#       
# Failure to use these routines may result in problems in maintaining
# this startup file correctly so please only edit as a last resort.
# the reading in this file is a good place to learn information about
# various parameters ..    
#       
# this is the configuration file for the Linux Bandwidth arbitrator it
# comes set up in a default configuration which is tuned for DSL up to
# about 5 mega bit trunks, and 500 users it will work for higher and
# lower speeds     
       
# Arbitrator masks allow traffic to pass through the arbitrator
# un-molested The masking capabilities should only be used in networks
# where local traffic goes through the arbitrator or in cases where
# special IP users must not be penalized
       
       
# The arbitrator supports two types of IP masks
# 1) Paired masking    
# 2) Absolute masking    
#       
# format is MASK [x.x.x.x/y] [1 or 2]
#       
# When the second parameter is 1 all traffic from this IP address
# will be ignored whenever this address appears as a source or
# a destination of an IP address (absolute masking)
#       
       
# When the second parameter is set to 2, this address will only be
# ignored if is paired with another masked IP address (paired masking)
# for example given the MASK set up of:
       
# MASK 10.1.1.3/32 2    
#       
       
# and an IP packet with source address 12.12.15.2 and destination
# address of 10.1.1.3 would not get ignored because only one address is
# of mask type 2 (10.1.1.0 subnet) and the other address does not appear
# as a masked subnet.   
       
#       
#       
#       
# set up your masks here be careful to use the correct second parameter
# choice      
       
# MASK=66.218.65.72/24 1     
       
# the state is used for default on startup ON/OFF
# ON to have arbitrator start up on boot

       
STATE=ON       
       
# you must provide the ethernet interfaces to use
# in the ETHA and ETHB fields 
       
ETHA=eth0       
ETHB=eth1       
       
# the name field by default must always be "my" for now
       
NAME=my       
       
#shaping can be done by LIMIT or PRIORITY for a host
       
# shaping by limit will make sure that this host only gets the specified
# percent of bandwidth    
# setting percent to 0 effectively shuts down the desired connection
# almost completely (very close to zero) however it does let tiny
# bits of traffic slip through so it cannot be used in place of
# a firewall     
       
#Shaping by PRIORITY will insure that this host has priority up to the
#specified percent      
       
# When a priority shaped host is active, the rest of the system traffic
# is (everybody except the priority host) reduced significantly. This
# must be done to insure that the priority host can get through It is
# not a good idea to set priority hosts unless you are willing to have
# the rest of the system slowed in order to accommodate the priority
# host.      
       
       
# If a priority host is set up , but not active, then the system behaves
# as a standard arbitrator.   
       
#       
# Tips for tuning with PRIORITY shaping if you decide to use it
#       
# 1 Increase the number of buffers see the setbuffs command in the howto
# http://bandwidtharbitrator.com/modules.php?name=News&file=article&sid=4      
# make sure you have a gigahertz class machine for networks larger the T1
# 2 If the rest of your system is being degraded too much when using the
# priority host try    
# - Reducing the MAX PENALTY  
# - Reducing the Penalty Unit  
# 3 If your Priority host is not getting priority
# - increase the number of buffers (see the setbuffs command in the howto)
# - Increase the MAX PENALTY, PENALTY UNIT , and the Value of ANCIENT
       
       
# Note you can have more than priority host or limit host ,but they MUST be
# listed separately     
       
# Note you can put an optional start and stop time for a shaping
# directive to take place if you do not put a time the Arbitrator will
# assume it is always on if you specify a start time with no stop time
# it will not work the format is start HH:MM:SS followed by end time
# HH:MM:SS see the examples   
       
# Below are examples of setting priority and limit hosts: NOTE the
# PRIORITY feature is for single IP only cannot do PRIORITY subnet yet
       
# SHAPE 10.0.0.2/32 LIMIT 41   
# SHAPE 10.x.x.x PRIORITY 20   
# SHAPE 10.0.1.7/24 LIMIT 11 10:11:11 12:11:22 
       
# so the last example above LIMITS subnet 10.0.1.* to 20 percent of the
# trunks bandwidth between the hours of 21:50:22 and 21:55:22 , the rest
# of the time it is inactive 
       
# The following table is for port shaping, by port or service, uncomment
# the port you want to shape and put a percent value (less then 100) The
# percent is the number in the fourth column.  The percent is percent of
# total trunk you want this service to stay below You can add the port
# for a particular service if not shown using the same format for the
# first 4 columns the 5th 6th column will get interpreted as a time
# fields (start end) if the correct format is used HH:MM:SS or else they
# will be ignored The port shaping is limit only so a percent set to
# 100 means no shaping will take place Do not turn these on unless you
# plan to shape because it uses CPU resource You do not have to add up
# to 100 and the sum of limits can exceed 100
       
# SHAPE PORT 20 5 TCP FTP (default data)
# SHAPE PORT 21 5 TCP FTP (control)
# SHAPE PORT 23 20 TCP Telnet 
# SHAPE PORT 25 100 TCP Simple Mail Transfer Protocol (SMTP) (email)
# SHAPE PORT 43 100 TCP whois Internet directory service
# SHAPE PORT 53 100 UDP Domain Name System (DNS)
# SHAPE PORT 69 100 UDP Trivial File Transfer Protocol (TFTP)
# SHAPE PORT 70 100 TCP Gopher 
# SHAPE PORT 70 100 UDP Gopher 
# SHAPE PORT 79 100 TCP Finger Protocol
# SHAPE PORT 80 50 TCP World Wide Web Hypertext Transfer Protocol(HTTP)
# SHAPE PORT 88 100 TCP Kerberos authentication
# SHAPE PORT 110 100 TCP Post Office Protocol (POP) version 3
# SHAPE PORT 119 100 TCP Network News Transfer Protocol (NNTP)

# SHAPE PORT 161 100 TCP Simple Network Management Protocol (SNMP)
# SHAPE PORT 162 100 TCP SNMP system management messages
# SHAPE PORT 220 10 TCP TCP Protocol (IMAP)version 3
       
# For application shaping DO NOT add any comments to the end of the app
# shaping lines below after the app name is a regular expression these
# patterns were taken from the sourceforge project
# http://l7-filter.sourceforge.net/ this site is the official keeper of
# these patterns to turn on shaping for your favorite application
# uncomment the appropriate "shape app" line 
# line and set the percent to something less than 100
# (this is percent of total trunk for this app time of day parameters
# are not supported for APP shaping 
       
# SHAPE APP 3003 10 KAZAA kazaa 
# SHAPE APP 3004 100 POP3 +ok pop3 .* server ready
# SHAPE APP 3005 100 IMAP * ok
       
       
# SHAPE APP 3006 100 BEARSHARE bear 
       
# this GNUTELLA shape line below covers Bearshare
# Gnucleus      
# Morpheus      
# Swapper      
# XoloX      
# LimeWire      

# Phex      
# SHAPE APP 3008 100 GNUTELLA connect/.*x-ultrapeer|user-agent: bearshare|x-gnutella-content-urn
       
# matches GnucleusLAN (the lan only version) 
       
# SHAPE APP 3009 100 gnucleuslan gnuclear connect/.*user-agent: gnucleus .*lan:
# SHAPE APP 3010 100 counterstrike cs .*dl.www.counter-strike.net
# note shaping ftp application to 0 percent is somewhat unreliable as of 4.3
# release      
# SHAPE APP 3011 100 FTP 220 .*ftp.*([.*]|(.*))
# SHAPE APP 3012 100 SMTP 220 .* (esmtp|smtp)
# shapes pressplay subscription service music match jukebox and probably others
# SHAPE APP 3013 100 pressplay user-agent: nsplayer
       
# this is not good enough yet to get all realplayer data experimental
# SHAPE APP 3014 100 realplayer realplayer 
       

# gets the live 365 radio stations this is a web site
# SHAPE APP 3015 100 live365 membername.*session.*player 
       
# bittorrent experimental not tested by APconnections 
# SHAPE APP 3016 100 bittorrent protocols 
       
# http experimental not tested by APconnections 
# SHAPE APP 3017 100 HTTP (http.*(200 ok|302).*(connection:|content-type:|content-length:))|(post .* http/)
       
       
# Novell Core Protocol experimental not tested by APconnections
# SHAPE APP 3018 100 NCP uu)|tncp.*33 
       
       
# AOL instant messenger content dowloads  
# experimental not tested by apconnections  
# SHAPE APP 3019 0 AIMCONTENT user-agent:aim/ 
# SHAPE APP 3020 10 WINMX +.*p.*get 
# SHAPE APP 3021 100 RSTP rtsp/1.0 200 ok
# SHAPE APP 3502 0 GAMBLING casino.*gambling|large.*breasts 
# the drop count configures how many packets to queue before dropping
# range is from 1 to 40 
       
DROP_COUNT=10       
       
       
       
# penalty unit is the minimum penalty that will be inflicted on a packet

# when a penalty is set up on an IP address if the IP address continues
# to offend, the penalty is raised by this amount, the default unit is
# 100ths of seconds so a penalty unit of 10 would delay all packets by
# 1/10 of a second the max value for this variable is 50 the min is 1
       
PENALTY_UNIT=20       
       
# if an IP connection does not respond to the original penalty, the
# penalty size is raised after several seconds max penalty limits the
# upper limit of what a penalty can be so the penalty will not increment
# beyond this amount this should be greater than PENALTY UNIT and less
# than 200     
       
MAX_PENALTY=90       
       
# queue limit tells the arbitrator how many packets to queue when a
# penalty is being enforced if the the number of packets in a queue gets
# bigger than this, the oldest packets are tossed.
       
# for example: If you have a queue_limit of 16 and a penalty unit of 10
# the newest packet on the queue may wait 1.6 seconds before transmittal
       
       
QUEUE_LIMIT=15       


# buffers are how many penalties we can have at one time
# the kernel caps out at 300
BUFFERS=123
       
       
# ancient: is how long to keep a penalty in effect
       
       
ANCIENT=45       
       
# brain size this is the size of the data table kept in the Linux kernel
# that keeps track of traffic going through active IP connections (how
# many do keep track of at one time) the trade off here is performance ,
# although I have not seen any problems there is really not need to keep
# track of everything because they age out pretty quickly anyway This
# variable must be between 10 and 100 (for now)
       
       
BRAIN_SIZE=20       
       
# inactive tics: this is how long an entry in the BRAIN_TABLE
# (BRAIN_SIZE from above) will live before being tossed if no activity

# is detected, generally we are not interested in things that don't do
# any thing for a while this is in 100ths of seconds. So a value of 800
# is 8 seconds the max is 2000 or 20 seconds the min is 100 or 1 second
       
INACTIVE_TICS=750       
       
# moving avg: this is a very important parameter, it is what keeps the
# arbitrator from penalizing short bursts of activity, For example if
# this variable is set to 8 and you get a burst of 8000 bytes over a
# second from an Ip address the moving average for the second would be
# just 8000/8 or 1000 bytes, if the burst persisted for 4 seconds the
# average would be 32000/8 or 4000 bytes, So the larger this number the
# longer a burst can be before it gets penalized.  Of course if you make
# it too large nothing will ever get penalized.
       
# the min for this is 3 and the max is 40
       
MOVING_AVG=8       
       
# NOTE: there are other factors that determine penalties such as the
# active number of users, the more users with active entries in the
# brain table the lower the penalty threshold, on a mostly idle a system
# a single user can grab up to 70 percent of bandwidth, on a very active
# system the user may get penalized at 10 percent .
       
       
       
# The trunk size parameter can be set when a system administrator wishes
# to not to use the "self calibrating feature for trunk size, A value of
# 0 causes the arbitrator to auto-calculate the trunk size.  If you have
# a network where the trunk size fluctuates then setting this value to 0
# is the way to go. If you know your trunk size to the INTERNET and it
# is stable you should enter a value for this variable,
       
       
# Setting this parameter DOES NOT cause the arbitrator to limit the
# bandwidth down to this size this entire trunk, but it does cause the
# arbitrator to think that this is the upper limit of the trunk size and
# will cause it to decide a "HOG" relative to this number.  If you do
# set this parameter it should reflect the bidirectional total, the sum
# of uplink and downlink. The units are bytes per second.
       
# Setting a specific Trunk size to a very large value (10 times the
# actual trunk size) is often used in conjunction with a LIMIT shaping
# feature. This can be used to override the arbitrator default
# rules. For example if you wanted to set a couple of hosts on your
# network to 100kbs, and you did not want the arbitrator to limit
# anybody else you can set the TRUNK_XX to something very large
# 1000000 kbs, and set the LIMIT value to 10 percent for those hosts
# (see the SHAPE parameter for setting limits)
       
       
TRUNK_UP=100000      
TRUNK_DOWN=100000      
       
       
# Hogmin keeps the arbitrator from penalizing connections once they
# reach this level of traffic. In other words a connection using less
# bandwidth in bytes per second than this number will never get
# penalized. The dynamic equation for determining who is a hog has no
# lower bound unless this variable is set.
       
HOGMIN=7000       
       
# These parameters are used to set up your networking
# configuration on the bridge   
# They allow you to set an IP address for the bridge, which
# is essentially just like setting up the normal IP address
# on a host, except that with a bridge you have to do it a bit
# differently. So the arbitrator start up routine will do
# the IP set up for you if you set these parameters up
       
# the IP is the IP of the host
BRIDGEIP=0.0.0.0       
# your netmask     
BRIDGENETMASK=255.255.255.0       
# your default router    
BRIDGEROUTE=10.0.0.1       
       



Note: 5



 




Web site powered by PHP-Nuke

All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest © 2002 by me
Web site engine's code is Copyright © 2003 by PHP-Nuke. All Rights Reserved. PHP-Nuke is Free Software released under the GNU/GPL license.
Page Generation: 0.314 Seconds