Linux - Networking forum (LinuxQuestions.org)
#1 | 07-31-2010, 12:43 PM | mrmnemo, Member (Registered: Aug 2009; Distribution: linux; Posts: 527)
Iptables & Kernel Config To Do Conntrack of Bittorrent Traffic
Hi,
I was just wondering if using a non-SMP kernel would be OK on an older P4 system with no X. I am wondering due to some functionality in iptables that is broken in the SMP kernels (-m owner --sid-owner, --pid-owner, --cmd-owner).
Could someone that is running a non-SMP kernel advise as to whether the support for -m owner --cmd-owner is working in iptables with those kernels? Also, could someone advise me if running a non-SMP kernel is even advisable? The machine will not have X.
#2 | 07-31-2010, 12:48 PM | LQ Guru (Registered: Jan 2004; Location: NJ, USA; Distribution: Slackware, Debian; Posts: 5,852)
SMP is for multi-processor systems, which you don't have anyway. There is no problem running an SMP kernel on a single-processor system, but no advantage either.
1 member found this post helpful.
#3 | 07-31-2010, 01:20 PM | mrmnemo, Member, Original Poster (Registered: Aug 2009; Distribution: linux; Posts: 527)
Is there a way to find out if the iptables functionality would be available in a non-SMP kernel? Or is that covered in the "no advantage either" comment?
#4 | 07-31-2010, 10:10 PM | lumak, Member (Registered: Aug 2008; Location: Phoenix; Distribution: Arch; Posts: 799)
If it's 'broken' then it's a bug, perhaps in the version of the kernel you are using? Try a different kernel version or find out why it's not working the way you expect it to.
0 members found this post helpful.
#5 | 07-31-2010, 10:15 PM | mrmnemo, Member, Original Poster (Registered: Aug 2009; Distribution: linux; Posts: 527)
Quote (Originally Posted by lumak): If it's 'broken' then it's a bug, perhaps in the version of the kernel you are using? Try a different kernel version or find out why it's not working the way you expect it to.
It's not a bug. However, in the SMP kernel the function I want is broken. It's caused by the way the kernel manages PIDs. In non-SMP kernels the -m owner --cmd-owner (and --sid-owner, --pid-owner) should still work. I just wanted to know if anyone is using a non-SMP kernel AND if that filter is still available in it. Based on my research so far, since the release of the SMP kernels the owner module for iptables has had only partial functionality. In short, conntracking via PID, SID, and/or command name does not function due to the way the kernel tracks processes. However, if you run a non-SMP kernel, this will work. Thanks though.
Last edited by mrmnemo; 07-31-2010 at 10:18 PM. Reason: more info
#6 | 07-31-2010, 10:20 PM | LQ Veteran (Registered: Aug 2003; Location: Australia; Distribution: Lots ...; Posts: 21,316)
Just run your SMP kernel with "maxcpus=0" (on the kernel line on your bootloader). This is a special case that instructs the kernel to run as if it was a non-SMP kernel.
Easy to test.
1 member found this post helpful.
#7 | 07-31-2010, 10:35 PM | mrmnemo, Member, Original Poster (Registered: Aug 2009; Distribution: linux; Posts: 527)
OK!! Thanks!! My other question is regarding iptables itself. The online man pages reference the -m owner --cmd-owner flag; however, the Ubuntu man page does not even mention it. Also, if it was indeed broken, iptables would not kick it back as unknown, right? I guess it would be better to know before installing a system just to get that functionality. Are there switches that would disable this when iptables is compiled? Has that flag been dropped from iptables altogether? Google is just showing me the same reference to the command; the most recent man page was from last year.
Last edited by mrmnemo; 07-31-2010 at 10:37 PM.
#8 | 08-01-2010, 07:02 AM | Senior Member (Registered: Jul 2007; Location: Directly above centre of the earth, UK; Distribution: SuSE, plus some hopping; Posts: 4,070)
Quote (Originally Posted by mrmnemo): I was just wondering if using a non-smp kernel would be ok on a older p4 system...
For a more complete answer to that you'll have to be more explicit about what you mean by "older P4 system" and "OK", for that matter.
If you mean "out of the P4 systems, it is one of the earlier of those", there probably isn't an issue with that part. If, on the other hand, you just meant "those P4 systems, they are pretty old by now and I have one of those systems, but it is one of the more recent ones of that collection of old systems", then there may be an issue worth considering.
The more recent P4s have the possibility of hyperthreading, and while this isn't two cores, from a software point of view it runs like two cores. Thus, I believe you need an SMP kernel to utilise hyperthreading. Hyperthreading may not be a requirement for you as the performance impact is variable, but you ought to consider it before you decide.
Of course, it may well be "OK" in this application even if the performance is significantly lower.
1 member found this post helpful.
#9 | 08-01-2010, 12:16 PM | LQ Guru (Registered: Jan 2004; Location: NJ, USA; Distribution: Slackware, Debian; Posts: 5,852)
Well, that is true. A HT processor would need an SMP kernel, but it is also true that performance gains would likely be negligible anyway on a simple install with no X. But it is something the original poster would need to consider.
1 member found this post helpful.
#10 | 08-01-2010, 12:32 PM | mrmnemo, Member, Original Poster (Registered: Aug 2009; Distribution: linux; Posts: 527)
The CPU does not support hyperthreading. I had considered that before looking at this option. I am just trying to find out if the functionality is indeed available in iptables once I do switch to a non-SMP kernel. It would help loads just to know where to see if iptables can be compiled with / without the options I am looking for. Maybe a maintainer has a non-SMP and SMP kernel (like Slackware) that has iptables compiled to be compatible with both SMP and non-SMP kernels. I just need to be able to filter traffic based on PID on the local machine.
Thanks for all the input though.
#11 | 08-01-2010, 10:44 PM | mrmnemo, Member, Original Poster (Registered: Aug 2009; Distribution: linux; Posts: 527)
Oh yeah, I just noticed how stuck up my last post may have looked... didn't mean it that way. I have just been searching a lot trying to find out if iptables gets compiled with a few extra options when it's run on a non-SMP kernel. I do really appreciate the input!!
#12 | 08-02-2010, 05:15 AM | Senior Member (Registered: Jul 2007; Location: Directly above centre of the earth, UK; Distribution: SuSE, plus some hopping; Posts: 4,070)
Quote (Originally Posted by mrmnemo): o yeah, i just noticed how stuck up my last post may have looked....
Can't comment for anyone else, of course, but, for me, the stuck-up-o-meter didn't even flicker. Maybe I've been hanging out in the wrong places recently.
On the more serious front, 'how PID numbering occurs on multi-processor and mono-processor systems and the knock-on effects on iptables modules', I can confidently say that you are beyond anything that I have direct knowledge of. I'm guessing that many other people will be in the same boat. As this is a bit of a drift from what seemed to be the original focus of the thread, you might try:
- changing the thread title to represent this changed focus
- starting a new thread explicitly about this issue somewhere outside 'Linux General'
This is everything other than a guarantee of success with that route, as it is something of a specialist question and you'd probably be better off finding something like a specialist iptables mailing list, but it might just work.
Another line of attack might be to question why you need to use that particular module (part of conntrack?). Maybe there is some other way of achieving the desired goal.
1 member found this post helpful.
#13 | 08-02-2010, 11:05 AM | mrmnemo, Member, Original Poster (Registered: Aug 2009; Distribution: linux; Posts: 527)
Cool, very helpful. I am just trying to monitor traffic on a machine by the actual command vs. the port number. conntrack_ftp will track and allow traffic for FTP; however (and I have a thread about this part), torrents are proving to be a pain. I don't like a policy of ACCEPT on any chain/table. So, since I can't seem to track connections with conntrack_ftp, I must find another way. I have yet to see anything that does this (I am sure it exists though). I may be wrong. Filtering traffic in this way may be a really bad idea. I honestly don't know. Anyway, I have looked at automated scripts to do this and none of them address issues with unprivileged port requests from localhost by process. I am getting ready to join a netfilter list (thanks for that... never thought of it).
#14 | 08-02-2010, 05:02 PM | Senior Member (Registered: Jul 2007; Location: Directly above centre of the earth, UK; Distribution: SuSE, plus some hopping; Posts: 4,070)
Quote (Originally Posted by mrmnemo): cool. very helpful. I am just trying to monitor traffic on a machine by the actual command vs. the port number.
You can get something vaguely related to what you want from iotop. Maybe iostat gets close too (or iftop...that looks promising, but I haven't much used it), but either should give you 'nearly' but not 'exactly'. Can you work round only getting roughly what you want, but getting that easily, or do you have to have exactly what you want?
1 member found this post helpful.
#15 | 08-02-2010, 07:23 PM | mrmnemo, Member, Original Poster (Registered: Aug 2009; Distribution: linux; Posts: 527)
No such thing as getting exactly what I want, I guess. I will have to take a look at those commands you listed and see if I can get it to work. Thanks for the input!! At risk of getting flagged for posting the same topic from another post: what I really want is to filter requests TO REMOTE peers using BitTorrent. However, I would rather keep all my tables defaulted at DROP. Unfortunately, the BitTorrent "protocol" may share OUT and retrieve tracker info on a dedicated port, but there is no dedicated port for the actual traffic. Since peers can set any number of ports to serve up shares, I can't see how to filter it for ACCEPT.
Back on topic though. The -m owner --cmd-owner flag looks useful to me. However, due to my lack of experience, I am not sure if it is a good idea to filter that way (assuming running a non-SMP kernel will even allow that). I just don't have the experience right now.
Last edited by mrmnemo; 08-02-2010 at 07:30 PM.
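For two of the questions in this thread, post #7 (how to see which options the owner match in a given iptables build actually accepts) and post #15 (keeping every chain at DROP while still letting a torrent client reach peers on arbitrary remote ports), here is an added example script. It is not code from the thread or from any poster. Rather than the --cmd-owner/--pid-owner/--sid-owner matching the thread is after, it keys the OUTPUT rules on the uid the client runs as (-m owner --uid-owner), which is the part of the owner match that does not depend on how the kernel tracks processes, so the same ruleset works on SMP and non-SMP kernels. The user name torrent, the listening port 6881, the interface eth0 and the sample help text are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Two pieces:
#   1. owner_supports_option: scan the option list that `iptables -m owner --help`
#      prints to see whether a given option (e.g. --cmd-owner) was built in.
#   2. torrent_rules: print a default-DROP ruleset that admits a BitTorrent
#      client by the uid it runs as, not by pid/sid/command name.
# Assumptions (hypothetical): the client runs as the dedicated user "torrent",
# listens on TCP/UDP 6881, and the uplink interface is eth0.

# Constructed sample of what `iptables -m owner --help` prints on a build whose
# owner match only offers uid/gid/socket matching (no --cmd-owner).
SAMPLE_OWNER_HELP='owner match options:
[!] --uid-owner userid[-userid]      Match local UID
[!] --gid-owner groupid[-groupid]    Match local GID
[!] --socket-exists                  Match if socket exists'

# owner_supports_option HELPTEXT OPTION
# Returns 0 if OPTION is listed in HELPTEXT. On a live box pass the real output:
#   owner_supports_option "$(iptables -m owner --help 2>&1)" --cmd-owner
owner_supports_option() {
    printf '%s\n' "$1" | grep -q -- "$2"
}

# torrent_rules USER PORT IFACE
# Prints (does not apply) the iptables commands. Review them, then as root:
#   torrent_rules torrent 6881 eth0 | sh
torrent_rules() {
    user=$1
    port=$2
    iface=$3
    cat <<EOF
# Default deny on every chain of the filter table
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Loopback and already-tracked connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Inbound peers: only the single port the client listens on
iptables -A INPUT -i $iface -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $iface -p udp --dport $port -j ACCEPT
# Outbound to peers/trackers on any remote port, but only from the client's uid
# (the owner match is only valid in OUTPUT/POSTROUTING)
iptables -A OUTPUT -o $iface -p tcp -m owner --uid-owner $user -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -o $iface -p udp -m owner --uid-owner $user -j ACCEPT
EOF
}

# Decide which style of rule this build can use, then print the ruleset.
if owner_supports_option "$SAMPLE_OWNER_HELP" --cmd-owner; then
    echo "# owner match supports --cmd-owner on this build" >&2
else
    echo "# owner match lacks --cmd-owner; matching on uid instead" >&2
fi
torrent_rules torrent 6881 eth0
```

Everything not covered by an ACCEPT rule (other users' new outbound connections, inbound to any other port) falls to the DROP policies, which is the default-deny posture post #15 asks for; replies to the client's own outbound connections come back through the ESTABLISHED,RELATED rule regardless of which port the remote peer chose.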