The Intermediate Functional Block (IFB) device is the successor to the IMQ iptables module, which was never merged into the mainline kernel. Its advantages over IMQ: it is cleaner, in particular on SMP, with a lot less code. The old dummy-device functionality is preserved; the new behaviour only kicks in if you use tc actions.
To use an IFB, you must have IFB support in your kernel (configuration option CONFIG_IFB). Assuming that you have a modular kernel, the module is named 'ifb' and can be loaded with modprobe ifb (if you have modprobe installed) or insmod /path/to/module/ifb.ko.

By default, two IFB devices (ifb0 and ifb1) are created (the module parameter numifbs changes that number). Bring them up before redirecting traffic to them; a redirect to an IFB that is down silently drops the packets:

ip link set ifb0 up
ip link set ifb1 up

IFB Usage
As far as I know, the reasons listed below are why people use IMQ. It would be nice to know of anything else that I missed.

- qdiscs/policies that are per device as opposed to system wide. IMQ allows for sharing.
- Allows for queueing incoming traffic for shaping instead of dropping. I am not aware of any study that shows policing is worse than shaping in achieving the end goal of rate control. I would be interested if anyone is experimenting. (Re shaping vs policing: the desire for shaping comes more from the need to have complex rules like with HTB.)
- Very interesting use: if you are serving p2p you may want to give preference to your own locally originated traffic (when responses come back) vs someone using your system to do BitTorrent. So QoSing based on state comes in as the solution. What people did to achieve this was stick the IMQ somewhere at a pre-local hook. I think this is a pretty neat feature to have in Linux in general (i.e. not just for IMQ).

But I won't go back to putting netfilter hooks in the device to satisfy this. I also don't think it's worth it hacking ifb some more to be aware of, say, L3 info and play ip rule tricks to achieve this.

Instead the plan is to have a conntrack-related action. This action will selectively either query or create conntrack state on incoming packets. Packets could then be redirected to ifb based on what happens (e.g. on incoming packets): if we find they are of known state we could send them to a different queue than those which didn't have existing state. This all, however, is dependent on whatever rules the admin enters.

At the moment this function does not exist yet. I have decided, instead of sitting on the patch, to release it and then if there's pressure I will add this feature.

What you can do with ifb currently with actions

Let's say you are policing packets from alias 192.168.200.200/32 and you don't want those to exceed 100kbit/s going out:

tc filter add dev eth0 parent 1: protocol ip prio 10 u32 match ip src 192.168.200.200/32 flowid 1:2 action police rate 100kbit burst 90k drop

If you run tcpdump on eth0 you will see all packets going out with src 192.168.200.200/32, dropped or not.

Extend the rule a little to see only the ones that made it out (delete the first filter before adding this one, since both use the same parent and priority):

tc filter del dev eth0 parent 1: protocol ip prio 10
tc filter add dev eth0 parent 1: protocol ip prio 10 u32 match ip src 192.168.200.200/32 flowid 1:2 action police rate 100kbit burst 90k drop action mirred egress mirror dev ifb0

Now fire up tcpdump on ifb0 to see only those packets:

tcpdump -n -i ifb0 -x -e -t

Essentially a good debugging/logging interface. Actions run in order, and the policer drops an out-of-profile packet before the mirror action is reached, so ifb0 carries a copy of exactly the conforming packets.

If you replace mirror with redirect, those packets will be blackholed and will never make it out. This redirect behaviour changes with the new patch (but not the mirror).

IFB Example

Many readers have found this page unhelpful in expressing how IFB is useful and how it should be used in practice.

These examples are taken from a posting of Jamal at http://www.mail-archive.com/netdev@vger.kernel.org/msg04900.html
What this script will demonstrate is the following sequence:

1) any packet going out on eth0 to 10.0.0.229 is classified as class 1:10 and redirected to ifb0.
2) a) on reaching ifb0 the packet is classified as class 1:2
   b) subjected to token bucket shaping at a rate of 20kbit/s
   c) sent back to eth0
3) on coming back to eth0, the classification 1:10 is still valid (the u32 filter matches again, but the mirred action is skipped for packets returning from an IFB, which is what prevents a redirect loop) and the packet is put through HTB class 1:10, which limits the rate to 256kbit/s with a ceiling of 384kbit/s.

export TC="/sbin/tc"

# ifb0: three-band prio qdisc; band 1:2 gets the 20kbit TBF, the others SFQ
$TC qdisc del dev ifb0 root handle 1: prio
$TC qdisc add dev ifb0 root handle 1: prio
$TC qdisc add dev ifb0 parent 1:1 handle 10: sfq
$TC qdisc add dev ifb0 parent 1:2 handle 20: tbf \
    rate 20kbit buffer 1600 limit 3000
$TC qdisc add dev ifb0 parent 1:3 handle 30: sfq
$TC filter add dev ifb0 parent 1: protocol ip prio 1 u32 \
    match ip dst 11.0.0.0/24 flowid 1:1
$TC filter add dev ifb0 parent 1: protocol ip prio 2 u32 \
    match ip dst 10.0.0.0/24 flowid 1:2

ifconfig ifb0 up

# eth0: HTB tree; traffic to 10.0.0.229 lands in 1:10 and is redirected to ifb0
$TC qdisc del dev eth0 root handle 1: htb default 20
$TC qdisc add dev eth0 root handle 1: htb default 2
$TC class add dev eth0 parent 1: classid 1:1 htb rate 800Kbit
$TC class add dev eth0 parent 1: classid 1:2 htb rate 800Kbit
$TC class add dev eth0 parent 1:1 classid 1:10 htb rate 256kbit ceil 384kbit
$TC class add dev eth0 parent 1:1 classid 1:20 htb rate 512kbit ceil 648kbit
$TC filter add dev eth0 parent 1: protocol ip prio 1 u32 \
    match ip dst 10.0.0.229/32 flowid 1:10 \
    action mirred egress redirect dev ifb0
A little test (be careful if you are sshed in and are classifying on
that IP; the counters may not be easy to follow).
------

A ping ...

mambo:~# ping -c2 10.0.0.229

// first at ifb0
// observe that the second filter succeeded twice
mambo:~# $TC -s filter show dev ifb0 parent 1:
filter protocol ip pref 1 u32
filter protocol ip pref 1 u32 fh 800: ht divisor 1
filter protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1  (rule hit 2 success 0)
  match 0b000000/ffffff00 at 16 (success 0 )
filter protocol ip pref 2 u32
filter protocol ip pref 2 u32 fh 801: ht divisor 1
filter protocol ip pref 2 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid 1:2  (rule hit 2 success 2)
  match 0a000000/ffffff00 at 16 (success 2 )

// next the qdisc numbers ..
// observe that 1:2 has 2 packets

mambo:~# $TC -s qdisc show dev ifb0
qdisc prio 1: bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 196 bytes 2 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 10: parent 1:1 limit 128p quantum 1514b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc tbf 20: parent 1:2 rate 20000bit burst 1599b lat 546.9ms
 Sent 196 bytes 2 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 30: parent 1:3 limit 128p quantum 1514b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

// Next look at eth0
// observe class 1:10 which is where the pings went through after
// they came back from the ifb0 device.

mambo:~# $TC -s class show dev eth0
class htb 1:1 root rate 800000bit ceil 800000bit burst 1699b cburst 1699b
 Sent 196 bytes 2 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 16425 ctokens: 16425

class htb 1:10 parent 1:1 prio 0 rate 256000bit ceil 384000bit burst 1631b cburst 1647b
 Sent 196 bytes 2 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 2 borrowed: 0 giants: 0
 tokens: 49152 ctokens: 33110

class htb 1:2 root prio 0 rate 800000bit ceil 800000bit burst 1699b cburst 1699b
 Sent 47714 bytes 321 pkt (dropped 0, overlimits 0 requeues 0)
 rate 3920bit 3pps backlog 0b 0p requeues 0
 lended: 321 borrowed: 0 giants: 0
 tokens: 16262 ctokens: 16262

class htb 1:20 parent 1:1 prio 0 rate 512000bit ceil 648000bit burst 1663b cburst 1680b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 26624 ctokens: 21251

-----
// the filter on eth0: 4 successes for 2 pings, because each packet matched
// once before the redirect and once on its way back from ifb0, while the
// action statistics show it was redirected only twice
mambo:~# $TC -s filter show dev eth0 parent 1:
filter protocol ip pref 1 u32
filter protocol ip pref 1 u32 fh 800: ht divisor 1
filter protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:10  (rule hit 235 success 4)
  match 0a0000e5/ffffffff at 16 (success 4 )
        action order 1: mirred (Egress Redirect to device ifb0) stolen
        index 2 ref 1 bind 1 installed 114 sec used 100 sec
        Action statistics:
        Sent 196 bytes 2 pkt (dropped 0, overlimits 0 requeues 0)
        rate 0bit 0pps backlog 0b 0p requeues 0

IFB requirements

In order to use ifb you need:

- Support for ifb in the kernel (2.6.20 works OK)
  Menu option: Device drivers -> Network device support -> Intermediate Functional Block support
  Module name: ifb
- A tc from an iproute2 build with support for "actions" (iproute2 2.6.20-20070313 works OK; the package from Debian etch is outdated). You can download it from http://developer.osdl.org/dev/iproute2/download/

Ingress qdisc

All qdiscs discussed so far are egress qdiscs. Each interface, however, can also have an ingress qdisc, which is not used to send packets out to the network adaptor. Instead, it allows you to apply tc filters to packets coming in over the interface, regardless of whether they have a local destination or are to be forwarded.

As the tc filters contain a full Token Bucket Filter implementation, and are also able to match on the kernel flow estimator, there is a lot of functionality available. This effectively allows you to police incoming traffic before it even enters the IP stack (the ingress hook runs before netfilter's PREROUTING, so on a NAT box you see the addresses as they arrive on the wire, not the translated ones).

Parameters & usage

The ingress qdisc itself does not require any parameters. It differs from other qdiscs in that it does not occupy the root of a device. Attach it like this:

# delete original
tc qdisc del dev eth0 ingress
tc qdisc del dev eth0 root

# add new qdisc and filter
tc qdisc add dev eth0 ingress
tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 2048kbps burst 1m drop flowid :1
tc qdisc add dev eth0 root tbf rate 2048kbps latency 50ms burst 1m

Two things to keep straight here. The ingress qdisc always gets handle ffff:, which is why the filter's parent is ffff:. And tc's units are easy to misread: kbps is kilobytes per second and kbit is kilobits per second, so the policer above admits about 16 Mbit/s; write 2048kbit if 2 Mbit/s was intended.

I played a bit with the ingress qdisc after seeing Patrick and Stef
talking about it and came up with a few notes and a few questions.

: The ingress qdisc itself has no parameters. The only thing you can do
: is using the policers. I have a link with a patch to extend this :
: http://www.cyberus.ca/~hadi/patches/action/ Maybe this can help.
:
: I have some more info about ingress in my mail files, but I have to
: sort it out and put it somewhere on docum.org. But I still didn't
: find the time to do so.

Regarding policers and the ingress qdisc. I have never used them before
today, but have the following understanding.

About the ingress qdisc:
 - ingress qdisc (known as "ffff:") can't have any children classes (hence the existence of IMQ)
 - the only thing you can do with the ingress qdisc is attach filters

About filtering on the ingress qdisc:
 - since there are no classes to which to direct the packets, the only reasonable option (reasonable, indeed!) is to drop the packets
 - with clever use of filtering, you can limit particular traffic signatures to particular uses of your bandwidth

QoS using ifb and ingress qdisc

Add some qdisc/class/filter to eth0, ifb0 and ifb1, then redirect both directions of eth0 into the IFBs. The ingress filter hangs off the ingress qdisc (parent ffff:). The egress filter assumes a classful root qdisc with handle 1: already exists on eth0; once the redirect fires the packet is stolen and handed to the IFB, so the flowid on these two filters has no effect.

tc qdisc add dev eth0 ingress 2>/dev/null

# ingress filter
tc filter add dev eth0 parent ffff: protocol ip prio 10 u32 match u32 0 0 flowid 1:1 action mirred egress redirect dev ifb0
# egress filter
tc filter add dev eth0 parent 1: protocol ip prio 10 u32 match u32 0 0 flowid 1:1 action mirred egress redirect dev ifb1
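The snippet above shows the two redirect filters but leaves "add some qdisc/class/filter" to the reader. The script below is an added example, not code from the original page, that fills in the inbound half: everything arriving on a WAN interface is redirected to an IFB, where an HTB tree shapes it instead of the drop-only policing that a bare ingress qdisc allows. The interface names eth0/ifb0, the rates and the 10.0.0.0/24 "guaranteed bandwidth" subnet are placeholders I chose, not values from the page. With TC_DRYRUN=1 it prints the tc/ip commands it would run, so the plan can be reviewed or diffed before touching a live router.

```shell
#!/bin/sh
# Added example (not from the original page): shape inbound traffic by
# redirecting the WAN ingress to an IFB and running HTB there.
# Assumptions: interface names, rates (integer kbit) and the priority
# subnet are placeholders supplied on the command line.
# TC_DRYRUN=1 prints the commands instead of executing them.

run() {
    if [ "${TC_DRYRUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ifb_ingress_shape <wan_if> <ifb_if> <total_kbit> <priority_kbit> <priority_net>
ifb_ingress_shape() {
    [ $# -eq 5 ] || { echo "usage: ifb_ingress_shape wan ifb total_kbit prio_kbit prio_net" >&2; return 1; }
    wan=$1 ifb=$2 total=$3 prio=$4 prio_net=$5
    case "$total$prio" in *[!0-9]*|'') echo "rates must be integer kbit" >&2; return 1 ;; esac
    [ "$prio" -lt "$total" ] || { echo "priority rate must be below the total rate" >&2; return 1; }
    bulk=$((total - prio))

    run modprobe ifb
    # An IFB that is down silently drops everything redirected to it, so bring it up first.
    run ip link set dev "$ifb" up

    # Start from a clean slate; "del" fails harmlessly when nothing is there yet.
    run tc qdisc del dev "$wan" ingress 2>/dev/null || true
    run tc qdisc del dev "$ifb" root 2>/dev/null || true

    # 1. Ingress side of the WAN interface: match every IP packet, hand it to the IFB.
    #    The ingress qdisc always has handle ffff:, so the filter's parent is ffff:.
    run tc qdisc add dev "$wan" handle ffff: ingress
    run tc filter add dev "$wan" parent ffff: protocol ip prio 10 u32 \
        match u32 0 0 flowid 1:1 action mirred egress redirect dev "$ifb"

    # 2. On the IFB the packet is egress traffic, so a full classful tree applies:
    #    1:10 for the priority subnet, 1:20 (the default) for everything else,
    #    both allowed to borrow up to the total when the other is idle.
    run tc qdisc add dev "$ifb" root handle 1: htb default 20
    run tc class add dev "$ifb" parent 1: classid 1:1 htb rate "${total}kbit" ceil "${total}kbit"
    run tc class add dev "$ifb" parent 1:1 classid 1:10 htb rate "${prio}kbit" ceil "${total}kbit"
    run tc class add dev "$ifb" parent 1:1 classid 1:20 htb rate "${bulk}kbit" ceil "${total}kbit"
    run tc qdisc add dev "$ifb" parent 1:10 handle 10: sfq perturb 10
    run tc qdisc add dev "$ifb" parent 1:20 handle 20: sfq perturb 10

    # 3. Inbound packets are addressed to the inside hosts, so classify on ip dst.
    run tc filter add dev "$ifb" parent 1: protocol ip prio 1 u32 \
        match ip dst "$prio_net" flowid 1:10
}

# Direct use:  TC_DRYRUN=1 ./ifb-shape.sh eth0 ifb0 8000 2000 10.0.0.0/24
if [ $# -eq 5 ]; then
    ifb_ingress_shape "$@"
fi
```

Two caveats for a real deployment. The ingress hook runs before netfilter, so on a NAT router the WAN-side filter sees packets before DNAT and the inside addresses are not yet visible there; classify on the IFB (as above) only where the destination really is the inside address, or do the redirect on the LAN-facing interface's egress instead. And shaping inbound traffic only influences the sender indirectly, through TCP's reaction to delay and loss; the HTB rates must sit below the real link rate for the queue to form on this box at all.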