mirror of
https://git.proxmox.com/git/mirror_iproute2
synced 2026-01-06 05:30:46 +00:00
ifb needed to be added to repo.
This commit is contained in:
shemminger
parent
29fdf987c5
commit
adeb6bf25e
155
doc/actions/ifb-README
Normal file
155
doc/actions/ifb-README
Normal file
@ -0,0 +1,155 @@
|
||||
|
||||
Advantage over current IMQ; cleaner in particular in in SMP;
|
||||
with a _lot_ less code.
|
||||
Old Dummy device functionality is preserved while new one only
|
||||
kicks in if you use actions.
|
||||
|
||||
IMQ USES
|
||||
--------
|
||||
As far as i know the reasons listed below is why people use IMQ.
|
||||
It would be nice to know of anything else that i missed.
|
||||
|
||||
1) qdiscs/policies that are per device as opposed to system wide.
|
||||
IMQ allows for sharing.
|
||||
|
||||
2) Allows for queueing incoming traffic for shaping instead of
|
||||
dropping. I am not aware of any study that shows policing is
|
||||
worse than shaping in achieving the end goal of rate control.
|
||||
I would be interested if anyone is experimenting.
|
||||
|
||||
3) Very interesting use: if you are serving p2p you may wanna give
|
||||
preference to your own localy originated traffic (when responses come back)
|
||||
vs someone using your system to do bittorent. So QoSing based on state
|
||||
comes in as the solution. What people did to achive this was stick
|
||||
the IMQ somewhere prelocal hook.
|
||||
I think this is a pretty neat feature to have in Linux in general.
|
||||
(i.e not just for IMQ).
|
||||
But i wont go back to putting netfilter hooks in the device to satisfy
|
||||
this. I also dont think its worth it hacking ifb some more to be
|
||||
aware of say L3 info and play ip rule tricks to achieve this.
|
||||
--> Instead the plan is to have a contrack related action. This action will
|
||||
selectively either query/create contrack state on incoming packets.
|
||||
Packets could then be redirected to ifb based on what happens -> eg
|
||||
on incoming packets; if we find they are of known state we could send to
|
||||
a different queue than one which didnt have existing state. This
|
||||
all however is dependent on whatever rules the admin enters.
|
||||
|
||||
At the moment this function does not exist yet. I have decided instead
|
||||
of sitting on the patch to release it and then if theres pressure i will
|
||||
add this feature.
|
||||
|
||||
What you can do with ifb currently with actions
|
||||
--------------------------------------------------
|
||||
|
||||
Lets say you are policing packets from alias 192.168.200.200/32
|
||||
you dont want those to exceed 100kbps going out.
|
||||
|
||||
tc filter add dev eth0 parent 1: protocol ip prio 10 u32 \
|
||||
match ip src 192.168.200.200/32 flowid 1:2 \
|
||||
action police rate 100kbit burst 90k drop
|
||||
|
||||
If you run tcpdump on eth0 you will see all packets going out
|
||||
with src 192.168.200.200/32 dropped or not
|
||||
Extend the rule a little to see only the ones that made it out:
|
||||
|
||||
tc filter add dev eth0 parent 1: protocol ip prio 10 u32 \
|
||||
match ip src 192.168.200.200/32 flowid 1:2 \
|
||||
action police rate 10kbit burst 90k drop \
|
||||
action mirred egress mirror dev ifb0
|
||||
|
||||
Now fire tcpdump on ifb0 to see only those packets ..
|
||||
tcpdump -n -i ifb0 -x -e -t
|
||||
|
||||
Essentially a good debugging/logging interface.
|
||||
|
||||
If you replace mirror with redirect, those packets will be
|
||||
blackholed and will never make it out. This redirect behavior
|
||||
changes with new patch (but not the mirror).
|
||||
|
||||
What you can do with the patch to provide functionality
|
||||
that most people use IMQ for below:
|
||||
|
||||
--------
|
||||
export TC="/sbin/tc"
|
||||
|
||||
$TC qdisc add dev ifb0 root handle 1: prio
|
||||
$TC qdisc add dev ifb0 parent 1:1 handle 10: sfq
|
||||
$TC qdisc add dev ifb0 parent 1:2 handle 20: tbf rate 20kbit buffer 1600 limit 3000
|
||||
$TC qdisc add dev ifb0 parent 1:3 handle 30: sfq
|
||||
$TC filter add dev ifb0 protocol ip pref 1 parent 1: handle 1 fw classid 1:1
|
||||
$TC filter add dev ifb0 protocol ip pref 2 parent 1: handle 2 fw classid 1:2
|
||||
|
||||
ifconfig ifb0 up
|
||||
|
||||
$TC qdisc add dev eth0 ingress
|
||||
|
||||
# redirect all IP packets arriving in eth0 to ifb0
|
||||
# use mark 1 --> puts them onto class 1:1
|
||||
$TC filter add dev eth0 parent ffff: protocol ip prio 10 u32 \
|
||||
match u32 0 0 flowid 1:1 \
|
||||
action ipt -j MARK --set-mark 1 \
|
||||
action mirred egress redirect dev ifb0
|
||||
|
||||
--------
|
||||
|
||||
|
||||
Run A Little test:
|
||||
|
||||
from another machine ping so that you have packets going into the box:
|
||||
-----
|
||||
[root@jzny action-tests]# ping 10.22
|
||||
PING 10.22 (10.0.0.22): 56 data bytes
|
||||
64 bytes from 10.0.0.22: icmp_seq=0 ttl=64 time=2.8 ms
|
||||
64 bytes from 10.0.0.22: icmp_seq=1 ttl=64 time=0.6 ms
|
||||
64 bytes from 10.0.0.22: icmp_seq=2 ttl=64 time=0.6 ms
|
||||
|
||||
--- 10.22 ping statistics ---
|
||||
3 packets transmitted, 3 packets received, 0% packet loss
|
||||
round-trip min/avg/max = 0.6/1.3/2.8 ms
|
||||
[root@jzny action-tests]#
|
||||
-----
|
||||
Now look at some stats:
|
||||
|
||||
---
|
||||
[root@jmandrake]:~# $TC -s filter show parent ffff: dev eth0
|
||||
filter protocol ip pref 10 u32
|
||||
filter protocol ip pref 10 u32 fh 800: ht divisor 1
|
||||
filter protocol ip pref 10 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1
|
||||
match 00000000/00000000 at 0
|
||||
action order 1: tablename: mangle hook: NF_IP_PRE_ROUTING
|
||||
target MARK set 0x1
|
||||
index 1 ref 1 bind 1 installed 4195sec used 27sec
|
||||
Sent 252 bytes 3 pkts (dropped 0, overlimits 0)
|
||||
|
||||
action order 2: mirred (Egress Redirect to device ifb0) stolen
|
||||
index 1 ref 1 bind 1 installed 165 sec used 27 sec
|
||||
Sent 252 bytes 3 pkts (dropped 0, overlimits 0)
|
||||
|
||||
[root@jmandrake]:~# $TC -s qdisc
|
||||
qdisc sfq 30: dev ifb0 limit 128p quantum 1514b
|
||||
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
|
||||
qdisc tbf 20: dev ifb0 rate 20Kbit burst 1575b lat 2147.5s
|
||||
Sent 210 bytes 3 pkts (dropped 0, overlimits 0)
|
||||
qdisc sfq 10: dev ifb0 limit 128p quantum 1514b
|
||||
Sent 294 bytes 3 pkts (dropped 0, overlimits 0)
|
||||
qdisc prio 1: dev ifb0 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
|
||||
Sent 504 bytes 6 pkts (dropped 0, overlimits 0)
|
||||
qdisc ingress ffff: dev eth0 ----------------
|
||||
Sent 308 bytes 5 pkts (dropped 0, overlimits 0)
|
||||
|
||||
[root@jmandrake]:~# ifconfig ifb0
|
||||
ifb0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
|
||||
inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
|
||||
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
|
||||
RX packets:6 errors:0 dropped:3 overruns:0 frame:0
|
||||
TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
|
||||
collisions:0 txqueuelen:32
|
||||
RX bytes:504 (504.0 b) TX bytes:252 (252.0 b)
|
||||
-----
|
||||
|
||||
Dummy continues to behave like it always did.
|
||||
You send it any packet not originating from the actions it will drop them.
|
||||
[In this case the three dropped packets were ipv6 ndisc].
|
||||
|
||||
cheers,
|
||||
jamal
|
||||
Loading…
Reference in New Issue
Block a user