Layer 7 Traffic Control (set up)

How to set up Layer 7 Traffic Control


Some resources that greatly helped in figuring this stuff out:
HTB Linux queue manual
HTB How To


To get l7-filter to work, you will need to install the package ‘iproute’ and patch both your kernel and iptables. Some distros already do that and have pre-built packages, but for the sake of completeness I cover these topics here too. First we need to get 2 packages:

Patching the kernel

After downloading and untar’ing, we need to patch the running kernel with the patch provided by the l7-filter package. I assume the running kernel source is to be found at ‘/usr/src/linux’. At the time of writing the latest available patch was ‘kernel-2.6.25-2.6.28-layer7-2.22.patch’, which applied fine against 2.6.31.

In the kernel configuration menu you have to select the following options (directly copied from the L7-filter How-to page):

  • “Prompt for development and/or incomplete code/drivers” (under “Code maturity level options”)
  • “Network packet filtering framework” (Networking → Networking support → Networking Options)
  • “Netfilter Xtables support” (on the same screen)
  • “Netfilter connection tracking support” (… → Network packet filtering framework → Core Netfilter Configuration), select “Layer 3 Independent Connection tracking”
  • “Connection tracking flow accounting” (on the same screen)
  • And finally, “Layer 7 match support”
  • Optional but highly recommended: Lots of other Netfilter options, notably “FTP support” and other matches. If you don’t know what you’re doing, go ahead and enable all of them.

After you’re done configuring, save and exit the configuration and install the kernel:

Now reboot the computer with the new kernel.

Patching iptables

The l7-filter package also comes with extensions for iptables. The files ‘libxt_layer7.c’ and ‘’ have to be copied to the iptables ‘extensions’ folder before compiling the new iptables binary:

Be careful not to install your distributor’s and your private version of iptables in parallel, to avoid conflicts.

Testing the setup

At the shell prompt type:

The first command will produce lots of information about iptables; the second one will show a brief description of how to operate ‘tc’.

In no case should you receive an error message like:

Should any of these errors occur, review the previous steps.

Traffic Control Script

After getting the above steps to work you can now happily copy’n’paste the code block into a shell script, make it executable and off you go. Just change the variables at the top that define how much bandwidth is available, how it should be distributed and which protocols are to be prioritized. The variable ‘NETDEVICE’ has to be set to the WAN interface.
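The script itself did not survive on this page, so here is an added example (not the original post’s code) of what such a script looks like: HTB classes on the WAN device, l7-filter marks set in a dedicated mangle chain, and a tc ‘fw’ filter mapping marks to classes. The chain name L7SHAPE, the three-class split and the protocol lists are assumptions; by default it only prints the plan and applies it only with L7_APPLY=1.

```shell
#!/bin/sh
# Added example: a minimal HTB + l7-filter shaping script in the spirit of the
# post's code block, not the original author's script. The class layout,
# chain name L7SHAPE and protocol lists below are assumptions; adjust to taste.
NETDEVICE="${NETDEVICE:-eth0}"      # WAN interface, as the post requires
RATE_TOTAL="${RATE_TOTAL:-1000}"    # uplink bandwidth in kbit
RATE_HIGH=400; RATE_MED=400; RATE_LOW=200   # per-class guaranteed rates (kbit)
HIGH_PROTOS="ssh dns"               # l7 protocols that get class 1:10
LOW_PROTOS="bittorrent edonkey"     # l7 protocols pushed down to class 1:30
# Sanity check: guaranteed rates must not exceed the uplink, or HTB over-promises.
check_rates() {
    [ $((RATE_HIGH + RATE_MED + RATE_LOW)) -le "$RATE_TOTAL" ]
}
# Print the tc/iptables plan instead of executing it, so it can be reviewed
# (or diffed against the running config) before touching the WAN interface.
build_shaping_cmds() {
    dev=$NETDEVICE
    echo "tc qdisc del dev $dev root 2>/dev/null || true"
    echo "tc qdisc add dev $dev root handle 1: htb default 20"
    echo "tc class add dev $dev parent 1: classid 1:1 htb rate ${RATE_TOTAL}kbit ceil ${RATE_TOTAL}kbit"
    echo "tc class add dev $dev parent 1:1 classid 1:10 htb rate ${RATE_HIGH}kbit ceil ${RATE_TOTAL}kbit prio 0"
    echo "tc class add dev $dev parent 1:1 classid 1:20 htb rate ${RATE_MED}kbit ceil ${RATE_TOTAL}kbit prio 1"
    echo "tc class add dev $dev parent 1:1 classid 1:30 htb rate ${RATE_LOW}kbit ceil ${RATE_TOTAL}kbit prio 2"
    for cls in 10 20 30; do   # fair queuing between flows inside each leaf class
        echo "tc qdisc add dev $dev parent 1:$cls handle $cls: sfq perturb 10"
    done
    # fw classifier: firewall mark N lands in class 1:N (unmarked -> default 1:20)
    echo "tc filter add dev $dev parent 1: protocol ip prio 1 handle 10 fw flowid 1:10"
    echo "tc filter add dev $dev parent 1: protocol ip prio 1 handle 30 fw flowid 1:30"
    # l7-filter marks packets in a dedicated mangle chain hooked into POSTROUTING
    echo "iptables -t mangle -N L7SHAPE 2>/dev/null || true"
    echo "iptables -t mangle -F L7SHAPE"
    for p in $HIGH_PROTOS; do
        echo "iptables -t mangle -A L7SHAPE -m layer7 --l7proto $p -j MARK --set-mark 10"
    done
    for p in $LOW_PROTOS; do
        echo "iptables -t mangle -A L7SHAPE -m layer7 --l7proto $p -j MARK --set-mark 30"
    done
    echo "iptables -t mangle -D POSTROUTING -o $dev -j L7SHAPE 2>/dev/null || true"
    echo "iptables -t mangle -A POSTROUTING -o $dev -j L7SHAPE"
}
# Default is a dry run; L7_APPLY=1 executes the plan (needs root and the patched tools).
if [ "${L7_APPLY:-0}" = 1 ]; then
    check_rates || { echo "class rates exceed RATE_TOTAL" >&2; exit 1; }
    build_shaping_cmds | sh -e
else
    build_shaping_cmds
fi
```

Run it once without L7_APPLY to read the plan, then ‘tc -s class show dev $NETDEVICE’ after applying it shows whether bytes are actually landing in the intended classes.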

IP Accounting

Now that we have laid rampaging protocols in chains, we might be interested in the usage of our precious bandwidth and its (hopefully) fair distribution amongst users. This can be accomplished through IP accounting, which keeps track of exactly that. I’ll be using the two programs ‘pmacct’ and ‘pmgraph’ in this tutorial. Both are free as in speech; grab them from:

Note to Debian/Ubuntu users: you are in luck as packages for both programs are already available through a PPA. Check the installation details here.


The rest of you, follow me over here and I’ll walk you through the manual installation process. First we will need to fulfill the dependencies of both pmacct and pmgraph. These can normally be obtained through your distributor’s package management system. If you’re not familiar with some or any of them, I suggest you search for documentation on the interwebs, as there is plenty out there and describing a basic LAMP/Tomcat setup is just out of the scope of this how-to.
In short, you will need:

  • MySQL-5
  • JDK 1.6
  • Tomcat-6
  • jdbc-mysql
  • pmacct (compiled with MySQL support!)
  • pmgraph itself, which can be obtained through the PPA. Choose the latest .tar.gz and download it to a temporary location; we will just need some parts of it.

Install and configure all the packages described above. Done? Good, let’s look into the pmacct/pmgraph setup.

Setting up pmacct and pmgraph


Unzip the ‘pmgraph’ package first, as it also contains the MySQL database schema. At the time of writing the latest available package was pmgraph_1.3-2.tar.gz, so this is the version number I’ll be using throughout the how-to.

Edit the file pmacct-create-db_v6.mysql with your favourite editor. You only have to change the password string, which is set to ‘secret’ by default.

Now import the schema into MySQL:

Edit the file pmacctd.conf. The setting ‘pcap_filter’ has to match your local subnet, otherwise it won’t work. A subnet config would look like this:

Also change the DB settings (check which IP and port your database binds to; it may not be localhost as in the example!):

Now replace the default pmacct configuration with the new one and start the service:


Still in the ‘dist’ folder, unzip the file pmgraph.war into Tomcat’s ‘webapps’ folder (usually ‘/var/lib/tomcat-6/webapps’, but it might also be found at ‘/usr/share/tomcat-6/webapps’ depending on the distribution):

Now we only have to edit the pmgraph configuration. As before, we only need to change the database settings and fill in the correct subnet. The notation is a bit different here: to declare a subnet you only need the first two octets, e.g. ‘10.1.’. Again, if your database does not bind to localhost, change the setting accordingly:

Restart the Tomcat server to apply the new configuration (this can also be done through Tomcat’s management panel if the Tomcat instance also holds other apps which you don’t want to interrupt).

Thank you for bearing with me that long; I hope this how-to was helpful. Questions, suggestions or the bad stuff? Hit me at:
<b2c> at <dest-unreachable> dot <net>
