# problem with ipp2p

## TheCat

first:

```
# iptables -A FORWARD -m ipp2p --ipp2p -j DROP
iptables: No chain/target/match by that name
```

second:

```
# insmod ipt_ipp2p.ko
insmod: can't read 'ipt_ipp2p.ko': No such file or directory
```

after copying ipt_ipp2p.ko to /lib/modules/2.6.11-gentoo-r5/kernel/net/ or just symlinking:

```
# insmod ipt_ipp2p.ko
insmod: error inserting 'ipt_ipp2p.ko': -1 Invalid module format
```

----------

## TheCat

no help?

----------

## scottfk

Did you change kernel versions since merging ipp2p?

If so (it sounds like you did), re-merge ipp2p.

----------

## Magicmat

I'm having these same exact problems. I know for a fact that I didn't upgrade the kernel since merging ipp2p, but I un/re-merged anyway with the same effect. I merged it, ran the command given in the first post and got the error. I tried manually insmod'ing the .ko and got the error in the first post. I also tried installing ipp2p 0.7.4 manually and had the same problem. It seems that iptlib_ipp2p.so will load up correctly, but the kernel module flakes out with the "Invalid module format" error. What gives?

----------

## mekong

Did you check the support for ipp2p from the userland program "iptables" itself? Check for the existence of this file: "/lib/iptables/libipt_ipp2p.so". Without it, you will see this kind of message: "iptables: No chain/target/match by that name". About the message "Invalid module format": probably you can't use that module; you need to download the source, patch the kernel source and recompile it. The kernel modules you download are compiled using a different kernel version than yours.

----------
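Added example, not part of the thread: a small shell check for the kernel-version mismatch described above. It compares the release in a module's vermagic string (as printed by `modinfo -F vermagic`) with the running kernel, and unpacks the line the kernel logs when it rejects a module for a vermagic mismatch; the sample strings are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample values (not taken from the systems in this thread).
SAMPLE_VERMAGIC='2.6.10-gentoo-r6 preempt PENTIUM4 gcc-3.3'
SAMPLE_DMESG="ipt_ipp2p: version magic '2.6.10-gentoo-r6 preempt PENTIUM4 gcc-3.3' should be '2.6.11-gentoo-r5 preempt PENTIUM4 gcc-3.3'"

# The kernel release is the first word of a vermagic string.
vermagic_release() {
    printf '%s\n' "$1" | awk '{ print $1 }'
}

# check_vermagic <vermagic string> <kernel release>
# Returns 0 when the module was built for that release, 1 otherwise.
# The remaining vermagic words (preempt, CPU type, gcc version) must match
# too; the kernel log line shows the full strings for that comparison.
check_vermagic() {
    built_for=$(vermagic_release "$1")
    if [ "$built_for" = "$2" ]; then
        echo "OK: module built for $built_for"
        return 0
    fi
    echo "MISMATCH: module built for $built_for, running kernel is $2"
    return 1
}

# explain_dmesg_line <line>
# Splits "name: version magic 'X' should be 'Y'" into its three parts.
explain_dmesg_line() {
    printf '%s\n' "$1" | sed -n \
        "s/^\(.*\): version magic '\(.*\)' should be '\(.*\)'\$/module=\1 has=[\2] wants=[\3]/p"
}

# With a module path as argument, check that file against the running kernel.
if [ -n "${1:-}" ]; then
    check_vermagic "$(modinfo -F vermagic "$1")" "$(uname -r)"
fi
```

Run it with the path to `ipt_ipp2p.ko` as its argument, and pass a line from `dmesg` to `explain_dmesg_line` to see both vermagic strings side by side.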

## Magicmat

*mekong wrote:*

> Did you check the support for ipp2p from the userland program "iptables" itself? Check for the existence of this file: "/lib/iptables/libipt_ipp2p.so". Without it, you will see this kind of message: "iptables: No chain/target/match by that name". About the message "Invalid module format": probably you can't use that module; you need to download the source, patch the kernel source and recompile it. The kernel modules you download are compiled using a different kernel version than yours.

As I said above, I've tried both these things. libipt_ipp2p.so is in the right directory and, so far as I can tell, working since "iptables -m ipp2p --help" produces output with help for ipp2p. As for the kernel module, I'm using emerge to merge ipp2p which should compile it for me, should it not? Also, as stated above, I've tried manually downloading and compiling the latest snapshot of ipp2p. It'll compile without errors but trying to load the kernel module produces the "Invalid..." error.

This is really perplexing me.

----------

## mekong

From the README of the latest ipp2p patch:

*Quote:*

> Currently IPP2P is tested to be working together with:
>
>  -Linux-Kernels 2.6: 2.6.3, 2.6.4, 2.6.6
> ...

I bet you've a newer kernel version.

Just a suggestion: try l7-filter. I use it now and it offers the same functionality; the iptables patch is already included in the iptables ebuild and the kernel patch is in portage too.

----------

## Magicmat

*mekong wrote:*

> From the README of the latest ipp2p patch:
>
> *Quote:*
>
> Currently IPP2P is tested to be working together with:
> ...

I was about to say that l7-filter was hard masked due to a memory leak but it looks like emerge bumped the build just a few days ago so it's no longer hard masked. I'll check out l7 filter, thanks for the information.

Edit: Quick question: The patch applied to iptables is for l7-filter 0.9.1 and the version that I have is 1.2. I haven't yet tried to recompile my kernel with l7 support, but I assume that these two facts would cause a problem. Am I correct in this assessment? If so, how can I go about patching iptables for the l7-filter 1.2 patch and not the 0.9 patch? Would it be as simple as bzipping the new patch and pointing the ebuild file to it instead of the 0.9 patch?

----------

## mekong

Yeah, both should have the same version. I used 0.9 on iptables and 1.0 on the kernel for some time (laziness) and I didn't notice anything, but now I've upgraded both to 1.2.

You can do either:

- unmask and use iptables-1.3.1-r2, it includes the 1.2 patch

- or download the 1.2 iptables patch and copy over the 0.9 patch files in the portage "/usr/portage/net-firewall/iptables/files/1.2.11-files/iptables-layer7-0.9.0.patch.bz2", run "ebuild iptables-1.2.11-r3.ebuild digest", then emerge...

----------

## NoDamage

*mekong wrote:*

> From the README of the latest ipp2p patch:
>
> *Quote:*
>
> Currently IPP2P is tested to be working together with:
> ...

After doing some testing I can confirm that ipp2p works fine on 2.6.11-gentoo-r6.

Anyway, I think the likely problem is you're missing some kernel option under Netfilter Configuration and/or QoS support. While playing around with it I was having the same issue with insmod not working properly until I recompiled the kernel with everything under Netfilter and QoS enabled as modules. After that, insmod ipt_ipp2p.ko worked fine.

----------

## Magicmat

OK, l7-filter seems to have gotten the job done. I allowed the testing branch of l7-filter and l7-protocols and emerged them, then re-compiled my kernel with support for them enabled. I then unmasked iptables 1.3.1 and emerged that (taking care to make sure the 'extensions' flag was set). Testing showed that it was all working so I just finagled my rules into what I wanted them to be and everything seems peachy keen.

Below are my rules for doing all of this. I post them for reference and in case anybody sees anything that I'm doing wrong or something that can be improved upon.

```
# BT from privileged computers (first because we mark it in previous chains and need to honor those marks)
iptables -t mangle -A POSTROUTING -m mark --mark 1 -j CLASSIFY --set-class 1:50

# Background TCP traffic (1:10)
iptables -t mangle -A POSTROUTING -o eth0 -p tcp --syn -m length --length 40:68 -j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -o eth0 -p tcp --tcp-flags ALL SYN,ACK -m length --length 40:68 -j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -o eth0 -p tcp --tcp-flags ALL ACK -m length --length 40:100 -j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -o eth0 -p tcp --tcp-flags ALL RST -j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -o eth0 -p tcp --tcp-flags ALL ACK,RST -j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -o eth0 -p tcp --tcp-flags ALL ACK,FIN -j CLASSIFY --set-class 1:10

# BT from 192.168.1.99 & router (1:50)
iptables -t mangle -A PREROUTING -s 192.168.1.99 -m layer7 --l7proto bittorrent -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -m layer7 --l7proto bittorrent -j MARK --set-mark 1

# BT from * (1:60)
iptables -t mangle -A POSTROUTING -o eth0 -m layer7 --l7proto bittorrent -j CLASSIFY --set-class 1:60

# ICMP, DNS & non-TCP traffic
iptables -t mangle -A POSTROUTING -o eth0 -p icmp -j CLASSIFY --set-class 1:20
iptables -t mangle -A POSTROUTING -o eth0 -p ! tcp -j CLASSIFY --set-class 1:20

# Traffic from 192.168.1.99 (1:30)
iptables -t mangle -A POSTROUTING -o eth0 -s 192.168.1.99 -j CLASSIFY --set-class 1:30

# (Implicit) All other traffic (1:40)

###############################################################################
# Constants

# Interface you want to do shaping on
# eth2, eth1 for direct connection; ppp0 or so for dsl
# and other dialup connections (check ifconfig)
IFACE=eth0

# Ceilings
UPRATE="384kbit"
P2PRATE="300kbit"

# Specify queue discipline
tc qdisc add dev $IFACE root handle 1: htb default 40 r2q 1

# Set root class
#tc class add dev $IFACE parent 1:0 classid 1:1 htb rate $UPRATE burst 6k cburst 3k
tc class add dev $IFACE parent 1:0 classid 1:1 htb rate $UPRATE burst 20k cburst 10k

# Specify sub classes
tc class add dev $IFACE parent 1:1 classid 1:10 htb rate 100kbit ceil $UPRATE quantum 12187 burst 20k cburst 10k prio 0
tc class add dev $IFACE parent 1:1 classid 1:20 htb rate 40kbit ceil $UPRATE quantum 10000 burst 20k cburst 10k prio 1
tc class add dev $IFACE parent 1:1 classid 1:25 htb rate 206kbit ceil $UPRATE quantum 13124 burst 6k cburst 3k prio 2
tc class add dev $IFACE parent 1:25 classid 1:30 htb rate 116kbit ceil $UPRATE quantum 8062 burst 6k cburst 3k prio 1
tc class add dev $IFACE parent 1:25 classid 1:40 htb rate 90kbit ceil $UPRATE quantum 5062 burst 6k cburst 3k prio 2
tc class add dev $IFACE parent 1:1 classid 1:45 htb rate 38kbit ceil $P2PRATE quantum 4500 burst 3k cburst 1k prio 3
tc class add dev $IFACE parent 1:45 classid 1:50 htb rate 30kbit ceil $P2PRATE quantum 3000 burst 3k cburst 1k prio 1
tc class add dev $IFACE parent 1:45 classid 1:60 htb rate 8kbit ceil $P2PRATE quantum 1500 burst 0k cburst 0k prio 2

# Add queuing disciplines
tc qdisc add dev $IFACE parent 1:10 sfq perturb 10 quantum 12187
tc qdisc add dev $IFACE parent 1:20 sfq perturb 10 quantum 10000
tc qdisc add dev $IFACE parent 1:30 sfq perturb 10 quantum 8062
tc qdisc add dev $IFACE parent 1:40 sfq perturb 10 quantum 5062
tc qdisc add dev $IFACE parent 1:50 sfq perturb 10 quantum 3000
tc qdisc add dev $IFACE parent 1:60 sfq perturb 10 quantum 1500
```

----------
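Added example, not part of the thread: a way to confirm from the HTB counters that each leaf class in a ruleset like the one above actually receives packets. CLASSIFY does not stop rule traversal, so a packet ends up in the class set by the last rule it matches, and an idle class is the visible symptom; the `tc -s class show` sample is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `tc -s class show dev eth0` output
# (not captured from the poster's router).
SAMPLE_TC='class htb 1:30 parent 1:25 leaf 8003: prio 1 rate 116000bit ceil 384000bit burst 6Kb cburst 3Kb
 Sent 913220 bytes 702 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:45 parent 1:1 rate 38000bit ceil 300000bit burst 3Kb cburst 1Kb
 Sent 48213 bytes 41 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:50 parent 1:45 leaf 8005: prio 1 rate 30000bit ceil 300000bit burst 3Kb cburst 1Kb
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:60 parent 1:45 leaf 8006: prio 2 rate 8000bit ceil 300000bit burst 1599b cburst 1599b
 Sent 48213 bytes 41 pkt (dropped 3, overlimits 0 requeues 0)'

# class_packets: read tc output on stdin, print "<classid> <packets>"
# for every leaf HTB class (inner classes such as 1:45 are skipped).
class_packets() {
    awk '$1 == "class" && $2 == "htb" { id = $3; leaf = ($0 ~ / leaf /) }
         $1 == "Sent" && leaf         { print id, $4; leaf = 0 }'
}

# report_classes <classid>...: read tc output on stdin and print one status
# line per expected class: "ok <packets>", "idle" or "missing".
report_classes() {
    class_packets | awk -v want="$*" '
        { pkts[$1] = $2 }
        END {
            n = split(want, w, " ")
            for (i = 1; i <= n; i++) {
                if (!(w[i] in pkts))          print w[i], "missing"
                else if (pkts[w[i]] + 0 == 0) print w[i], "idle"
                else                          print w[i], "ok", pkts[w[i]]
            }
        }'
}
```

On a live system, generate some traffic of each kind and then run `tc -s class show dev eth0 | report_classes 1:10 1:20 1:30 1:40 1:50 1:60`.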

## TheCat

ipp2p works fine on 2.6.11-gentoo-r9

----------

