netfilter condition2 module

This netfilter module allows setting, unsetting and matching of "condition variables" stored in the /proc filesystem.

It is based on code by Stephane Ouellette.

It is used via an iptables condition2 match and an iptables CONDITION2SET target.

Manual page

 CONDITION2SET
       This target sets the value of a /proc/net/ipt_condition2/ variable to '1'.

       --set-condition2 filename
              Filename of condition variable

       --timeout [ timeout ]
              The condition variable resets (to '0') when no packets have been received for the timeout period.


 condition2
       This matches if a specific /proc filename is '0' or '1'.

       --condition2 [!] filename
              Match on boolean value stored in /proc/net/ipt_condition2/filename file

Uses

I use it for QoS on VOIP. When RTP data is matched the condition variable is set.
This then classifies all other traffic into a low bandwidth pool.
This gives me a lower audio delay (negligible) than pure traffic prioritizing alone. I found that without this module I get significant jitter delay on a 128kbit uplink using the htb qdisc. Perhaps a different qdisc might be better.
At the very least I am assured that VOIP packets cannot be throttled by non-work-conserving qdiscs (because now I don't have to use such a qdisc for VOIP packets).

Project page

http://sourceforge.net/projects/condition2

Installation

1. Download patch-o-matic.
2. Change directory to patch-o-matic-[version]/patchlets.
3. Checkout the CVS version of condition2 module.

	cvs -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/condition2 login 
	cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/condition2 co -P condition2 

4. Change back to the patch-o-matic dir and execute: ./runme condition2
5. Rebuild and install iptables and the linux kernel.

My setup for VOIP


iptables (-t mangle)

	Chain OUTPUT (policy ACCEPT)
	target         prot opt source     destination
	DSCP           udp  --  anywhere   anywhere     udp dpt:5060 DSCP set 0x28
	DSCP           udp  --  anywhere   anywhere     udp spts:10000:20000 DSCP set 0x28

	Chain POSTROUTING (policy ACCEPT)
	target         prot opt source     destination
	CONDITION2SET  udp  --  anywhere   anywhere     udp spts:10000:20000 CONDITION2SET voip timeout (5000)
	CLASSIFY       tcp  --  anywhere   anywhere     condition2 voip CLASSIFY set 1:3
	CLASSIFY       udp  --  anywhere   anywhere     multiport sports ! 10000:20000,5060 condition2 voip CLASSIFY set 1:3
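The listing above is iptables -L output, not the commands that created it. The script below is an added example (not part of this page or of the condition2 project) that reconstructs those commands from the listing, using the option names given in the manual page section (--set-condition2, --timeout, --condition2) together with the standard DSCP, CLASSIFY and multiport extensions; it also adds a small helper that reads the /proc/net/ipt_condition2/ file the manual page describes. The timeout value 5000 is carried over as printed (the page does not state its unit), and the variable name, ports and class id are the page's own. Note that DSCP 0x28 occupies the top six bits of the TOS byte, so on the wire it appears as 0xA0, which is exactly what the u32 filter in the tc section matches with the mask 0xfc.

```shell
#!/bin/sh
# Added example, not the condition2 project's code: the iptables commands
# behind the mangle-table listing on the page. Option names follow the
# manual page section; values are the page's. The timeout unit is not
# stated on the page, so 5000 is carried over verbatim.

COND=voip            # condition variable: /proc/net/ipt_condition2/voip
RTP_PORTS=10000:20000
SIP_PORT=5060
VOIP_CLASS=1:3       # the 24kbit tbf class from the tc section

# Print the rules one per line so they can be reviewed before applying.
# Order matters: CONDITION2SET must see the RTP packets before the
# CLASSIFY rules consult the variable.
voip_mangle_rules() {
    cat <<EOF
iptables -t mangle -A OUTPUT -p udp --dport $SIP_PORT -j DSCP --set-dscp 0x28
iptables -t mangle -A OUTPUT -p udp --sport $RTP_PORTS -j DSCP --set-dscp 0x28
iptables -t mangle -A POSTROUTING -p udp --sport $RTP_PORTS -j CONDITION2SET --set-condition2 $COND --timeout 5000
iptables -t mangle -A POSTROUTING -p tcp -m condition2 --condition2 $COND -j CLASSIFY --set-class $VOIP_CLASS
iptables -t mangle -A POSTROUTING -p udp -m multiport ! --sports $RTP_PORTS,$SIP_PORT -m condition2 --condition2 $COND -j CLASSIFY --set-class $VOIP_CLASS
EOF
}

# Report the current state of a condition variable: "0", "1", or "absent"
# when the condition2 module is not loaded on this machine.
condition2_state() {
    f=/proc/net/ipt_condition2/$1
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo absent
    fi
}

# Apply for real only when asked (needs root and the condition2 patch);
# otherwise just print the rules for review.
if [ "${1:-}" = apply ]; then
    voip_mangle_rules | sh -e
else
    voip_mangle_rules
    echo "condition2 variable '$COND' is: $(condition2_state "$COND")"
fi
```

Run without arguments to see the rules; run with `apply` as root once the patched iptables and kernel are installed. The two CLASSIFY rules only fire while the variable is '1', so once the RTP stream stops and the timeout expires, other traffic leaves the 24kbit class on its own.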

tc

	MTU=576
	BUCKETlo=$(( 5 * MTU ))
	BUCKEThigh=$(( 5 * MTU ))
	tc qdisc del root dev eth0
	tc qdisc add dev eth0 root handle 1: prio bands 3 priomap 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
	tc qdisc add dev eth0 parent 1:1 pfifo
	tc qdisc add dev eth0 parent 1:2 tbf rate 100kbit burst 600 limit $BUCKEThigh
	tc qdisc add dev eth0 parent 1:3 tbf rate 24kbit burst 600 limit $BUCKETlo peakrate 30kbit mtu 600
	tc filter add dev eth0 parent 1: \
		protocol ip u32 match ip tos 0xA0 0xfc flowid 1:1

misc

ifconfig eth0 mtu 576

I have yet to add an ingress policer (I'm not sure how necessary it is); your ISP may do QoS anyhow.

Email me: thepigs@gmail.com