Iproute
From Whats notepad
INTRODUCTION
At the moment this is just a paste of commands and things I have used.
NOTE
Remember that only OUTGOING traffic can be shaped (queued). Incoming traffic cannot be queued on the interface it arrives on; the most you can do is police it, i.e. drop what arrives above a given rate with an ingress qdisc, as the HTB script further down this page does.
IP COMMAND
List the contents of a routing table (here the table named ADSL):
ip route list table ADSL
Limit an interface as if it were a 56k line (TBF: no classes, one bucket for everything leaving eth0):
tc qdisc add dev eth0 root tbf rate 56kbit latency 150ms burst 2500
EXAMPLES
Show the qdiscs on eth0 together with their counters (packets sent, dropped, overlimits):
tc -s qdisc ls dev eth0
FIRST THE STRUCTURE IS CREATED:
- add (add) to the connection (ppp0), as the root queueing discipline (root qdisc), a discipline named 10 (handle 10:) of type CBQ (cbq) with a bandwidth of 256 kbit (bandwidth 256Kbit) and an average packet size of about 1000 bytes (avpkt 1000)
tc qdisc add dev ppp0 root handle 10: cbq bandwidth 256Kbit avpkt 1000
- add a class to ppp0 whose parent is 10:0 (the root qdisc we created above) and call it 10:1. The class handles 256 kbit per second and may use all of it, so rate is set to 256Kbit. weight is rate/10 (25Kbit); the rest is the packet sizes (allot, avpkt) and the priority
tc class add dev ppp0 parent 10:0 classid 10:1 cbq bandwidth 256Kbit rate 256Kbit allot 1514 weight 25Kbit prio 8 maxburst 20 avpkt 1000
- add subclasses. 10:100 is not bounded, so when its sibling is idle it may borrow bandwidth above its 128k
tc class add dev ppp0 parent 10:1 classid 10:100 cbq bandwidth 256kbit rate 128kbit allot 1514 weight 12kbit prio 5 maxburst 20 avpkt 1000
- this subclass will not be able to use more than the 128k it has been assigned (bounded)
tc class add dev ppp0 parent 10:1 classid 10:200 cbq bandwidth 256Kbit rate 128Kbit allot 1514 weight 12Kbit prio 5 maxburst 20 avpkt 1000 bounded
- split 10:100 into 2 subclasses: 10:101 is bounded at 64k, 10:102 may borrow
tc class add dev ppp0 parent 10:100 classid 10:101 cbq bandwidth 256Kbit rate 64Kbit allot 1514 weight 1600 prio 5 maxburst 20 avpkt 1000 bounded
tc class add dev ppp0 parent 10:100 classid 10:102 cbq bandwidth 256Kbit rate 64Kbit allot 1514 weight 1600 prio 5 maxburst 20 avpkt 1000
- in all of them bandwidth is the physical bandwidth of the device, not the share you want for the class: CBQ uses it to estimate how idle the link is, so it has to be the real link speed
- if isolated is set, the class will not lend bandwidth to its sibling classes (bounded is the other direction: the class will not borrow from them)
THEN
So we now have three classes we want to use to queue traffic: 10:200 for FTP/HTTP, 10:101 for SMTP/NNTP and 10:102 for SSH and telnet. We attach another queueing discipline to each of them, just as we did to ppp0 above, but this time SFQ rather than CBQ, so that the flows inside one class share it fairly instead of one bulk transfer starving the rest:
tc qdisc add dev ppp0 parent 10:200 sfq quantum 1514b perturb 15
tc qdisc add dev ppp0 parent 10:101 sfq quantum 1514b perturb 15
tc qdisc add dev ppp0 parent 10:102 sfq quantum 1514b perturb 15
THEN (2)
- If we want to send to 10:101 all the traffic from 192.168.1.5 (only packets leaving through ppp0 pass this qdisc, so matching on the source address is enough; a "match ip dst" rule here would never see the packets going back to that host):
tc filter add dev ppp0 parent 10:0 protocol ip prio 100 u32 match ip src 192.168.1.5 flowid 10:101
The filter gets a priority of 100. tc tries filters in ascending prio order (lower number first), so if we later add a broader rule for 192.168.1.0/24 and want the rule for 192.168.1.5 to keep winning, the /24 rule needs a higher number than 100, for example 200. As 10:101 is for all SMTP/NNTP traffic, we also want to send there anything heading to or from port 25 or 119. For that we mark the packets with iptables and select on the mark with the fw classifier (multiport needs -p tcp; POSTROUTING takes -o, not -i). Note that only the POSTROUTING rule matters for the ppp0 egress qdisc; the PREROUTING rule marks replies arriving on ppp0, which is only useful if you shape the LAN interface too:
iptables -t mangle -A PREROUTING -i ppp0 -p tcp -m multiport --sports 25,119 -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -o ppp0 -p tcp -m multiport --dports 25,119 -j MARK --set-mark 1
tc filter add dev ppp0 parent 10:0 protocol ip prio 90 handle 1 fw flowid 10:101
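The whole procedure above (CBQ tree, SFQ on each leaf, u32 filter for one host, iptables mark plus fw classifier) as one script. This is an added example, not code from the original page or from LARTC: the device ppp0, the 256 kbit link, the host 192.168.1.5 and the class layout are taken from the commands above; the DRY_RUN switch, the weight = rate/10 derivation and the prio numbers 10/20 are this example's own choices. By default it only prints the commands it would run; DRY_RUN=0 applies them (root needed).

```bash
#!/bin/bash
# Added example: the CBQ tree, SFQ leaves and filters described above as one
# script. Not from the original page; DRY_RUN, the weight = rate/10 rule and
# the prio numbers 10/20 are this example's assumptions.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 applies them (needs root).
set -eu

DEV="${DEV:-ppp0}"
LINK="${LINK:-256}"           # link speed in kbit, used as CBQ 'bandwidth'
HOST="${HOST:-192.168.1.5}"   # host whose outgoing traffic is forced into 10:101

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# cbq_class DEV LINK_KBIT PARENT CLASSID RATE_KBIT [bounded] [isolated]
# 'bandwidth' is always the physical link speed; 'weight' is rate/10.
cbq_class() {
    local dev=$1 link=$2 parent=$3 id=$4 rate=$5
    shift 5
    run tc class add dev "$dev" parent "$parent" classid "$id" cbq \
        bandwidth "${link}kbit" rate "${rate}kbit" allot 1514 \
        weight "$((rate / 10))kbit" prio 5 maxburst 20 avpkt 1000 "$@"
}

# cbq_tree DEV LINK_KBIT: root qdisc 10:, class 10:1 at the full rate, two
# halves 10:100 (may borrow) and 10:200 (bounded), and 10:100 split again
# into 10:101 (bounded) and 10:102.
cbq_tree() {
    local dev=$1 link=$2 leaf
    run tc qdisc del dev "$dev" root 2>/dev/null || true     # start clean
    run tc qdisc add dev "$dev" root handle 10: cbq bandwidth "${link}kbit" avpkt 1000
    cbq_class "$dev" "$link" 10:0   10:1   "$link"
    cbq_class "$dev" "$link" 10:1   10:100 "$((link / 2))"
    cbq_class "$dev" "$link" 10:1   10:200 "$((link / 2))" bounded
    cbq_class "$dev" "$link" 10:100 10:101 "$((link / 4))" bounded
    cbq_class "$dev" "$link" 10:100 10:102 "$((link / 4))"
    # an SFQ on every leaf so the flows inside one class share it fairly
    for leaf in 10:200 10:101 10:102; do
        run tc qdisc add dev "$dev" parent "$leaf" sfq quantum 1514b perturb 15
    done
}

# cbq_filters DEV HOST: classify into 10:101 by source address and by
# netfilter mark. Lower prio numbers are tried first, so the host rule
# (prio 10) wins over any broader rule added later with a higher number.
cbq_filters() {
    local dev=$1 host=$2
    run tc filter add dev "$dev" parent 10:0 protocol ip prio 10 u32 \
        match ip src "$host" flowid 10:101
    # SMTP/NNTP leaving through $dev: set mark 1 in the mangle table ...
    run iptables -t mangle -A POSTROUTING -o "$dev" -p tcp -m multiport \
        --dports 25,119 -j MARK --set-mark 1
    # ... and select on that mark with the fw classifier ("handle MARK fw")
    run tc filter add dev "$dev" parent 10:0 protocol ip prio 20 handle 1 fw flowid 10:101
}

cbq_tree "$DEV" "$LINK"
cbq_filters "$DEV" "$HOST"
# per-class counters: confirm traffic really lands in the class you expect
run tc -s class show dev "$DEV"
```

Run it once in dry-run mode and read the output before applying it; the weights it derives (25kbit, 12kbit, 6kbit) follow the rate/10 rule stated above rather than the hand-typed values in the commands, which is the point of generating them.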
EXAMPLE TO LOOK AT (source: http://www.assl-site.net/docs/docs/rc.shaper):

#!/bin/bash
####### ShaperMussol (OvO) v 1.0 ################################
# Traffic Shaper using HTB.
# Written by Ivan Belmonte, licensed under the GPL version 2.
# Copyright (c) 2001 Ivan Belmonte <ivan@ivanhq.net>.
# For full license see: http://www.gnu.org/licenses/gpl.txt
#
# Redistribution and use of this script, with or without modification, is
# permitted provided that the following conditions are met:
# 1. Redistributions of this script must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

# Variable definitions
TC="/sbin/tc"
IP="/sbin/ip"
EXTIFACE="eth0"
LOCALIFACE="eth1"
IPTABLES="/usr/sbin/iptables"

# The speed of your link.
# You may want to declare a little less than the real capacity
# to make sure the ACKs of the established connections go out
# with no problems.
# If you don't understand, simply declare a few kbit less than
# the real link speed and everything will work okay :-)
UPRATE="110"
DOWNRATE="240"

# p2p ports to shape
P2P_TCP_PORTS="4661 4662 4663 4664 4665"
P2P_UDP_PORTS="4661 4662 4663 4664 4665 4672"

# services we offer to the outside, which must have a high priority
OUTGOING_SERVICE_PORTS="80 20:21 22 53"

# IP addresses of the user workstations
WORKSTATIONS="\
 192.168.1.1 \
 192.168.1.2 \
 192.168.1.100 \
 192.168.1.110"

# IP addresses of the servers
SERVERS="\
 192.168.1.10 \
 192.168.1.15 \
 192.168.1.20 \
 192.168.1.254"

# * ISOLATED addresses *
# Fill in the IP addresses you want to marginalize, usually P2P users
# whose applications are difficult to shape in the normal way.
# If there are no bandwidth-abusing IP addresses you can disable this
# by commenting out the next two lines.
# If used, DON'T CHANGE THE ISOLATED_MARK VALUE!!
ISOLATED="192.168.1.100"
ISOLATED_MARK="30"

# DON'T CHANGE THESE MARKS!!!
WORKSTATIONS_MARK="1"
SERVERS_MARK="2"
SERVICE_MARK="10"
P2P_MARK="20"

# --------------------------------------------------------------- #
# You shouldn't edit any more lines unless you know
# exactly what you're doing
# --------------------------------------------------------------- #

# Flush any existing queues
$TC qdisc del dev $EXTIFACE root    2> /dev/null > /dev/null
$TC qdisc del dev $EXTIFACE ingress 2> /dev/null > /dev/null

# HTB (Hierarchy Token Bucket) for separating services
# from client workstations

# root qdisc for $EXTIFACE; anything no filter claims goes to 1:30 (the p2p
# class), which includes traffic generated by this box itself, since only
# FORWARDed packets get marked below
$TC qdisc add dev $EXTIFACE root handle 1: htb default 30

# root class for bandwidth borrowing (the parent is the qdisc "1:", not "1")
$TC class add dev $EXTIFACE parent 1: classid 1:1 htb rate \
    ${UPRATE}kbit ceil ${UPRATE}kbit

# service class on $EXTIFACE
$TC class add dev $EXTIFACE parent 1:1 classid 1:10 htb rate \
    $((9*UPRATE/10))kbit ceil ${UPRATE}kbit

# general traffic on $EXTIFACE
$TC class add dev $EXTIFACE parent 1:1 classid 1:20 htb rate \
    $((5*UPRATE/10))kbit ceil ${UPRATE}kbit prio 1

# p2p class on $EXTIFACE
$TC class add dev $EXTIFACE parent 1:1 classid 1:30 htb rate \
    $((UPRATE/20))kbit ceil $((UPRATE/10))kbit prio 2

# SFQ qdiscs for the HTB leaf classes
$TC qdisc add dev $EXTIFACE parent 1:10 handle 10: sfq perturb 10
$TC qdisc add dev $EXTIFACE parent 1:20 handle 20: sfq perturb 10
$TC qdisc add dev $EXTIFACE parent 1:30 handle 30: sfq perturb 10

# Class assignment for MARKed packets
$TC filter add dev $EXTIFACE parent 1:0 protocol ip handle 1  fw flowid 1:20
$TC filter add dev $EXTIFACE parent 1:0 protocol ip handle 2  fw flowid 1:20
$TC filter add dev $EXTIFACE parent 1:0 protocol ip handle 10 fw flowid 1:10
$TC filter add dev $EXTIFACE parent 1:0 protocol ip handle 20 fw flowid 1:30
$TC filter add dev $EXTIFACE parent 1:0 protocol ip handle 30 fw flowid 1:30

# IPTABLES packet MARKing
# First make a separate chain for marking and filtering shaped packets
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
$IPTABLES -t mangle -N SHAPER
$IPTABLES -t mangle -I FORWARD -o $EXTIFACE -j SHAPER

################ OUTGOING traffic ################

# iptables port based marks

# p2p filter for DESTINATION ports
for TCP_PORT in $P2P_TCP_PORTS; do
    $IPTABLES -t mangle -A SHAPER -p tcp --dport $TCP_PORT \
        -j MARK --set-mark $P2P_MARK    # p2p TCP connections
done
for UDP_PORT in $P2P_UDP_PORTS; do
    $IPTABLES -t mangle -A SHAPER -p udp --dport $UDP_PORT \
        -j MARK --set-mark $P2P_MARK    # p2p UDP connections
done

# p2p filter for SOURCE ports
for TCP_PORT in $P2P_TCP_PORTS; do
    $IPTABLES -t mangle -A SHAPER -p tcp --sport $TCP_PORT \
        -j MARK --set-mark $P2P_MARK    # p2p TCP connections
done
for UDP_PORT in $P2P_UDP_PORTS; do
    $IPTABLES -t mangle -A SHAPER -p udp --sport $UDP_PORT \
        -j MARK --set-mark $P2P_MARK    # p2p UDP connections
done

# marks for ports of OUTGOING service queries
for TCP_OUT_SRV in $OUTGOING_SERVICE_PORTS; do
    $IPTABLES -t mangle -A SHAPER -p tcp --dport $TCP_OUT_SRV \
        -j MARK --set-mark $SERVICE_MARK    # one mark for each service
done
for UDP_OUT_SRV in $OUTGOING_SERVICE_PORTS; do
    $IPTABLES -t mangle -A SHAPER -p udp --dport $UDP_OUT_SRV \
        -j MARK --set-mark $SERVICE_MARK    # one mark for each service
done

# marks for ports of INCOMING service queries (replies from our services)
for TCP_OUT_SRV in $OUTGOING_SERVICE_PORTS; do
    $IPTABLES -t mangle -A SHAPER -p tcp --sport $TCP_OUT_SRV \
        -j MARK --set-mark $SERVICE_MARK    # one mark for each service
done
for UDP_OUT_SRV in $OUTGOING_SERVICE_PORTS; do
    $IPTABLES -t mangle -A SHAPER -p udp --sport $UDP_OUT_SRV \
        -j MARK --set-mark $SERVICE_MARK    # one mark for each service
done

# iptables IP based marks
# MARK --set-mark overwrites, so these only touch packets that are still
# unmarked (-m mark --mark 0); otherwise a listed workstation's p2p or
# service packets would be re-marked as general traffic here.

# client workstations IP based marks
for IP_WORK in $WORKSTATIONS; do
    $IPTABLES -t mangle -A SHAPER -s $IP_WORK -m mark --mark 0 \
        -j MARK --set-mark $WORKSTATIONS_MARK    # workstation connections
done

# servers IP based marks
for IP_SERV in $SERVERS; do
    $IPTABLES -t mangle -A SHAPER -s $IP_SERV -m mark --mark 0 \
        -j MARK --set-mark $SERVERS_MARK    # server connections
done

# ISOLATED users: this one deliberately overrides any earlier mark
for IP_ISOLATED in $ISOLATED; do
    $IPTABLES -t mangle -A SHAPER -s $IP_ISOLATED \
        -j MARK --set-mark $ISOLATED_MARK    # isolated connections
done

# any packet still unmarked is marked as general traffic
$IPTABLES -t mangle -A SHAPER -m mark --mark 0 \
    -j MARK --set-mark $WORKSTATIONS_MARK    # default

################ INCOMING traffic ################
# Drop every packet that comes in too fast, so the other side of the
# connection adapts to our receiving rate.
$TC qdisc add dev $EXTIFACE handle ffff: ingress
$TC filter add dev $EXTIFACE parent ffff: protocol ip prio 50 u32 match ip src \
    0.0.0.0/0 police rate ${DOWNRATE}kbit burst 10k drop flowid :1
SCRIPT LINUX-TNB (first version):
tc qdisc add dev eth0 root handle 10: cbq bandwidth 100mbit avpkt 1000
tc class add dev eth0 parent 10:0 classid 10:1 cbq bandwidth 100mbit rate 240kbit weight 24kbit allot 1514 maxburst 20 avpkt 1000 prio 5 bounded
tc class add dev eth0 parent 10:1 classid 10:200 cbq bandwidth 100mbit rate 20kbit weight 2kbit allot 1514 maxburst 20 avpkt 1000 prio 5
tc class add dev eth0 parent 10:1 classid 10:300 cbq bandwidth 100mbit rate 19.8mbit weight 1.98mbit allot 1514 maxburst 20 avpkt 1000 prio 5
LINUX-TNB:
- eth0 handles up to 100 mbit
tc qdisc add dev eth0 root handle 10: cbq bandwidth 100mbit avpkt 1000
- we limit the total bandwidth (bounded, 500k) so the ACKs still get through
tc class add dev eth0 parent 10:0 classid 10:1 cbq bandwidth 100mbit rate 500kbit weight 50kbit allot 1514 maxburst 20 avpkt 1000 prio 5 bounded
- we split it in 3 pieces: catux's, format's and tecnoba's
tc class add dev eth0 parent 10:1 classid 10:100 cbq bandwidth 100mbit rate 20kbit weight 2kbit allot 1514 maxburst 20 avpkt 1000 prio 5
tc class add dev eth0 parent 10:1 classid 10:200 cbq bandwidth 100mbit rate 380kbit weight 38kbit allot 1514 maxburst 20 avpkt 1000 prio 5
tc class add dev eth0 parent 10:1 classid 10:300 cbq bandwidth 100mbit rate 100kbit weight 10kbit allot 1514 maxburst 20 avpkt 1000 prio 5
- we split format's, 10:200 (380k)
tc class add dev eth0 parent 10:200 classid 10:210 cbq bandwidth 100mbit rate 50kbit weight 5kbit allot 1514 maxburst 20 avpkt 1000 prio 5
tc class add dev eth0 parent 10:200 classid 10:220 cbq bandwidth 100mbit rate 330kbit weight 33kbit allot 1514 maxburst 20 avpkt 1000 prio 5
- we split tecnoba's, 10:300 (100k); the parent of 10:310 and 10:320 is 10:300, not 10:200
tc class add dev eth0 parent 10:300 classid 10:310 cbq bandwidth 100mbit rate 10kbit weight 1kbit allot 1514 maxburst 20 avpkt 1000 prio 5
tc class add dev eth0 parent 10:300 classid 10:320 cbq bandwidth 100mbit rate 90kbit weight 9kbit allot 1514 maxburst 20 avpkt 1000 prio 5
- apply the filters. They all share prio 5, so they are tried in the order they were added, which is why the general LAN rule goes first:
- the network in general: traffic between internal hosts goes to the root class 10:0 and is not limited
tc filter add dev eth0 parent 10:0 protocol ip prio 5 u32 match ip dst 192.168.0.0/16 match ip src 192.168.0.0/16 flowid 10:0
- catux
tc filter add dev eth0 parent 10:0 protocol ip prio 5 u32 match ip dst 192.168.0.181 flowid 10:100
tc filter add dev eth0 parent 10:0 protocol ip prio 5 u32 match ip src 192.168.0.181 flowid 10:100
- format
- connections to port 80
tc filter add dev eth0 parent 10:0 protocol ip prio 5 u32 match ip dst 192.168.0.0/24 match ip sport 80 0xffff flowid 10:220
tc filter add dev eth0 parent 10:0 protocol ip prio 5 u32 match ip src 192.168.0.0/24 match ip dport 80 0xffff flowid 10:220
- other connections
tc filter add dev eth0 parent 10:0 protocol ip prio 5 u32 match ip dst 192.168.0.0/24 flowid 10:210
tc filter add dev eth0 parent 10:0 protocol ip prio 5 u32 match ip src 192.168.0.0/24 flowid 10:210
- tecnoba
- connections to port 80
tc filter add dev eth0 parent 10:0 protocol ip prio 5 u32 match ip dst 192.168.1.0/24 match ip sport 80 0xffff flowid 10:320
tc filter add dev eth0 parent 10:0 protocol ip prio 5 u32 match ip src 192.168.1.0/24 match ip dport 80 0xffff flowid 10:320
- other connections
tc filter add dev eth0 parent 10:0 protocol ip prio 5 u32 match ip dst 192.168.1.0/24 flowid 10:310
tc filter add dev eth0 parent 10:0 protocol ip prio 5 u32 match ip src 192.168.1.0/24 flowid 10:310
TESTS TO DO:
- iperf between tecnoba and format
- iperf from the catux server
NOTES:
- Reference: http://www.linuxforum.com/linux-advanced-routing/lartc.qdisc.classful.html
- Filters work like ACLs: as soon as a packet matches one, it jumps to the corresponding class and no further filters are checked
- Perhaps an SFQ should be added to each leaf class, e.g. "tc qdisc add dev eth0 parent 10:210 handle 210: sfq" for 10:210, and the same for 10:100, 10:220, 10:310 and 10:320
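A check to run after either script above (the HTB shaper or the LINUX-TNB CBQ tree) to confirm the tree does what you think, which is the cheap half of the iperf tests listed under TESTS TO DO. This is an added example and not part of the original page: it parses the per-class counters from `tc -s class show` and flags classes that drop packets (fed faster than they may send) and classes that never receive a packet (a filter or mark that does not match, the usual symptom of a wrong fw/u32 filter). The SAMPLE output embedded in it is constructed to look like the HTB script's tree (1:1 and leaves 1:10, 1:20, 1:30); it is not output from any real system.

```bash
#!/bin/bash
# Added example (not from the original page): sanity-check a shaping tree from
# the counters that `tc -s class show dev DEV` prints. Both HTB and CBQ print
# the same "Sent B bytes P pkt (dropped D, overlimits O requeues R)" line.
set -eu

# class_stats: stdin = `tc -s class show` output; stdout = one line per class:
#   classid sent_bytes sent_pkts dropped overlimits
class_stats() {
    awk '
        $1 == "class" { id = $3 }
        $1 == "Sent"  {
            dropped = $7; sub(/,/, "", dropped)
            printf "%s %s %s %s %s\n", id, $2, $4, dropped, $9
        }'
}

# classes that have dropped packets: their queue filled up, so the class is
# being fed faster than its rate/ceil lets it send
dropping_classes() { class_stats | awk '$4 > 0 { print $1 }'; }

# classes that never sent a packet: nothing is classified into them, which
# usually means a filter or an iptables mark that does not match
idle_classes() { class_stats | awk '$3 == 0 { print $1 }'; }

# report: human-readable summary. Overlimits alone are fine; they only mean
# the class had to wait for tokens, i.e. the shaper is doing its job.
report() {
    local stats c
    stats=$(cat)
    for c in $(printf '%s\n' "$stats" | dropping_classes); do
        echo "DROPS $c: raise its rate/ceil or burst, or move that traffic to another class"
    done
    for c in $(printf '%s\n' "$stats" | idle_classes); do
        echo "IDLE  $c: no packet was classified here; check the filter or the mark"
    done
    printf '%s\n' "$stats" | awk '$1 == "Sent" { o += $9 } END { print "total overlimits:", o+0 }'
}

# Constructed sample in the format `tc -s class show` uses, shaped like the
# HTB tree of the script above (1:1 root, leaves 1:10, 1:20, 1:30).
SAMPLE='class htb 1:1 root rate 110Kbit ceil 110Kbit burst 1599b cburst 1599b
 Sent 8731245 bytes 15233 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 18545 ctokens: 18545

class htb 1:10 parent 1:1 leaf 10: prio 0 rate 99Kbit ceil 110Kbit burst 1599b cburst 1599b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 20202 ctokens: 18181

class htb 1:20 parent 1:1 leaf 20: prio 1 rate 55Kbit ceil 110Kbit burst 1599b cburst 1599b
 Sent 6011720 bytes 9960 pkt (dropped 0, overlimits 1432 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 9960 borrowed: 0 giants: 0
 tokens: 36363 ctokens: 18181

class htb 1:30 parent 1:1 leaf 30: prio 2 rate 5Kbit ceil 11Kbit burst 1599b cburst 1599b
 Sent 2719525 bytes 5273 pkt (dropped 312, overlimits 4201 requeues 0)
 rate 0bit 0pps backlog 1514b 1p requeues 0
 lended: 4990 borrowed: 283 giants: 0
 tokens: -1234 ctokens: 1818'

printf '%s\n' "$SAMPLE" | report
# on a live box:  tc -s class show dev eth0 | report
```

On the sample this reports drops in 1:30 (the p2p class, which is what you want to see) and 1:10 idle: with the HTB script that means no packet ever carried SERVICE_MARK on its way out of eth0, so the service filter or the mangle rules deserve a look before blaming the tree.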
