Linux TC Limit Traffic

Source: Internet
Author: User

I. Introduction: the TC principle

The traffic controller tc (traffic control) in Linux is used for the traffic control performed by the Linux kernel. It works mainly by establishing queues at the output interface and controlling how packets leave them.

The fundamentals of Linux traffic control are as shown in the figure.

When a packet arrives on an input interface, ingress policing discards packets that do not conform to the configured limits. The input demultiplexer then decides where the packet goes: if it is destined for this host, it is passed up to the upper layers; otherwise it must be forwarded and is handed to the forwarding block. The forwarding block also receives packets generated by the host's own upper layers (TCP, UDP and so on). It determines the next hop of each packet by looking up the routing table, and the packets are then queued for delivery to the output interface. In general, we can only restrict packets sent by a network card, not packets it receives, so the transmission rate is controlled by changing the order in which packets are sent. Linux traffic control is therefore mainly implemented at the point where packets are queued on the output interface.

II. TC rules

1. Traffic control methods

Traffic control includes the following methods:

Shaping (limiting): when traffic is shaped, its transfer rate is held below a certain value. The limit can be much lower than the available bandwidth, which smooths bursty traffic and makes the network more stable. Shaping applies only to outbound traffic.

Scheduling (dispatching): by scheduling the transmission of packets, bandwidth within the available range can be allocated according to priority. Scheduling also applies only to outbound traffic.

Policing: whereas shaping handles outbound traffic, policing is used to handle received (inbound) traffic.

Dropping (discarding): if traffic exceeds the configured bandwidth, packets are discarded. This applies to both inbound and outbound traffic.

2. Traffic control objects

Traffic control is implemented through three kinds of objects: qdisc (queueing discipline), class, and filter.

Qdisc (queueing discipline): qdisc is short for queueing discipline and is the basis for understanding traffic control. Whenever the kernel needs to send a packet over a network interface, it must follow the qdisc configured on that interface: the qdisc enqueues the packet, and the kernel then dequeues packets from the qdisc as fast as it can and hands them to the network adapter driver. The simplest qdisc is pfifo: it does no processing of incoming packets and queues them in first-in, first-out order, but it does hold packets that the network interface cannot handle for the moment.

The categories of qdisc are as follows:

(1) Classless qdisc

1> Classless qdiscs include:

[p|b]fifo

The simplest qdisc, a pure FIFO. It has only one parameter, limit, which sets the length of the queue: for pfifo it is a number of packets, for bfifo a number of bytes.

pfifo_fast

pfifo_fast is the system's standard qdisc when the kernel is compiled with the Advanced Router option turned on. Its queue consists of three bands; within each band the FIFO rule applies. The three bands have different priorities: band 0 is the highest and band 2 the lowest. As long as band 0 holds a packet, band 1 is not serviced, and band 2 likewise waits for band 1. Packets are assigned to the three bands according to their Type of Service (TOS) field.

red

RED is short for Random Early Detection. With this qdisc, the system randomly discards some packets when bandwidth usage approaches the specified bandwidth. It is well suited to high-bandwidth applications.

sfq

SFQ is short for Stochastic Fairness Queueing. It sorts traffic by session (a session corresponds to a TCP connection or a UDP stream) and then sends packets from each session in round-robin order.

tbf

TBF is short for Token Bucket Filter and is suitable for slowing traffic down to a set rate.

2> Configuring classless qdiscs

A classless qdisc can only be attached to the root of a device that has no qdisc yet. The syntax is:

tc qdisc add dev DEV root QDISC QDISC-PARAMETERS

To delete a classless qdisc, use the following command:

tc qdisc del dev DEV root

If no qdisc is configured on a network interface, pfifo_fast is used as its default qdisc.

(2) Classful qdisc

Classful qdiscs include:

CBQ

CBQ is short for Class Based Queueing. It implements a rich link-sharing class structure that can both shape bandwidth and manage bandwidth priorities. Bandwidth limiting is done by computing the idle time of the link; that computation is based on the frequency of packet departure events and the bandwidth of the underlying link (the data link layer).

HTB

HTB is short for Hierarchical Token Bucket. Refined on the basis of practical experience, it implements a rich link-sharing class system. With HTB it is easy to guarantee the bandwidth of each class, while also allowing specific classes to exceed their own limit and use bandwidth belonging to other classes. HTB limits bandwidth using TBF (Token Bucket Filter) and can also prioritize classes.

PRIO

The PRIO qdisc cannot limit bandwidth, because packets belonging to different classes are dequeued in sequence. With PRIO it is easy to prioritize traffic: packets in the high-priority class are sent first, and packets in a lower-priority class are sent only when the higher-priority classes are empty. For ease of administration, the Type of Service (TOS) field of packets is usually handled with iptables or ipchains.

Class: some qdiscs can contain classes, which in turn can contain further qdiscs, and these inner qdiscs can also queue incoming packets. By setting the order in which packets of different classes are dequeued, a qdisc can prioritize network traffic.

Filter: a filter classifies packets and determines which qdisc they are queued into. Whenever a packet enters a class that has subclasses, it must be classified. There are several ways to classify, and using filters is one of them. When filters are used, the kernel invokes all filters attached to the class in turn until one returns a verdict. If no verdict is returned, further handling depends on the qdisc. Note that filters live inside a qdisc and cannot be used on their own.

3. Operating principle

Classes form a tree: each class has exactly one parent class, and a class can have several child classes. Some qdiscs (for example CBQ and HTB) allow classes to be added dynamically at run time, while others (for example PRIO) do not. A qdisc that allows dynamic classes can have zero or more subclasses that queue packets. In addition, each class has a leaf qdisc; by default this leaf qdisc is a pfifo, but another type of qdisc can be used instead. This leaf qdisc can itself be classful, but each subclass can have only one leaf qdisc. When a packet enters a classful qdisc, it is assigned to a subclass. There are three ways to classify packets, but not every qdisc supports all three.

tc filters

If filters are attached to a class, the relevant instructions query them. Filters can match any field in the packet header, or they can match marks set by ipchains or iptables.

Type of Service

Some qdiscs have built-in rules that classify packets by their Type of Service (TOS) field.

skb->priority

A user-space application can use the SO_PRIORITY socket option to set a class ID in the skb->priority field.

Each node of the tree can have its own filters, but a filter at a higher level can also be used directly for its subclasses.

If a packet is not classified successfully, it is queued into the class's leaf qdisc. The details are in each qdisc's manual page.

4. Naming rules

All qdiscs, classes and filters have IDs. An ID can be set manually or assigned automatically by the kernel. It consists of a major number and a minor number, written as two numbers separated by a colon.

Qdisc

A qdisc is assigned a major number, called a handle, and the minor numbers under it form the namespace of its classes. A handle is written with a trailing colon, for example 10:. In practice, a qdisc with subclasses must be given a handle explicitly.

Class

Classes within the same qdisc share that qdisc's major number, but each class has its own minor number, called the class identifier (classid). The class identifier is related only to the parent qdisc, not to the parent class. Class naming conventions are the same as for qdiscs.

Filter

A filter's ID has three parts, which are only used when the filter is hashed. See the tc-filters manual page for details.

5. Units

All parameters of the tc command may be given as floating-point numbers, with the following units.

1) Bandwidth or rate units:

kbps   kilobytes per second

mbps   megabytes per second

kbit   kilobits per second

mbit   megabits per second

bps or a bare number   bytes per second

2) Data size units:

kb or k   kilobytes

mb or m   megabytes

mbit   megabits

kbit   kilobits

b or a bare number   bytes

3) Time units:

s, sec or secs   seconds

ms, msec or msecs   milliseconds

us, usec, usecs or a bare number   microseconds
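An added example (not from the original page) for checking these unit meanings in practice: a POSIX shell function that converts a tc rate argument into bits per second, including the floating-point form tc accepts. The unit table is the one listed above, extended with gbit/gbps and a bare bit unit, which tc also accepts; the function name tc_rate_to_bits is my own.

```shell
#!/bin/sh
# Added example: convert a tc rate argument such as 10Mbit, 800Kbit, 1.5Mbit
# or a bare number into bits per second, using the unit meanings listed
# above (kbps/mbps are BYTES per second, kbit/mbit are bits per second,
# a bare number is bytes per second). Units are matched case-insensitively,
# as tc itself does.

tc_rate_to_bits() {
    rate=$1
    # Split the argument into its numeric part and its unit suffix.
    num=$(printf '%s' "$rate" | sed 's/[A-Za-z]*$//')
    unit=$(printf '%s' "$rate" | sed 's/^[0-9.]*//' | tr 'A-Z' 'a-z')
    case "$num" in
        ''|*[!0-9.]*|*.*.*) echo "bad rate: $rate" >&2; return 1 ;;
    esac
    case "$unit" in
        ''|bps) mult=8 ;;          # bytes per second
        kbps)   mult=8000 ;;       # kilobytes per second
        mbps)   mult=8000000 ;;    # megabytes per second
        gbps)   mult=8000000000 ;; # gigabytes per second
        bit)    mult=1 ;;          # bits per second
        kbit)   mult=1000 ;;       # kilobits per second
        mbit)   mult=1000000 ;;    # megabits per second
        gbit)   mult=1000000000 ;; # gigabits per second
        *)      echo "unknown unit: $unit" >&2; return 1 ;;
    esac
    # awk handles the floating-point value tc allows (e.g. 1.5Mbit) and
    # prints the result as a whole number of bits per second.
    awk -v n="$num" -v m="$mult" 'BEGIN { printf "%d\n", n * m }'
}
```

The byte-based units are the usual source of mistakes: 10kbps is eight times 10kbit, so a class written with kbps where kbit was meant gets a far larger share than intended. Run the function over a rule set before applying it to catch that.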

III. TC commands

tc operates on qdiscs, classes and filters with the following commands:

add

Adds a qdisc, class or filter to a node. You must pass the parent as a parameter, either as an ID or as the root of the device. When creating a qdisc or filter, you can name it with a handle; when creating a class, you name it with a class identifier (classid).

del (remove)

Deletes the qdisc specified by a handle; the root qdisc can also be deleted. All subclasses of the deleted qdisc and the filters attached to each class are deleted automatically.

change

Modifies some entries in place. The syntax of change is the same as that of add, except that the handle and the parent cannot be modified; in other words, change cannot move a node.

replace

A near-atomic delete-and-add on an existing node. If the node does not exist, the command creates it.

link

Applies only to qdiscs and replaces an existing node.

Syntax:

tc qdisc [add | change | replace | link] dev DEV [parent qdisc-id | root] [handle qdisc-id] QDISC [qdisc-specific parameters]

tc class [add | change | replace] dev DEV parent qdisc-id [classid class-id] QDISC [qdisc-specific parameters]

tc filter [add | change | replace] dev DEV [parent qdisc-id | root] protocol PROTOCOL prio PRIORITY FILTERTYPE [filtertype-specific parameters] flowid FLOW-ID

tc [-s | -d] qdisc show [dev DEV]

tc [-s | -d] class show dev DEV

tc filter show dev DEV

IV. Specific operations

Linux traffic control consists of three aspects: establishing the queue, establishing the classes, and establishing the filters.

1. The basic implementation steps are:

(1) Bind a queue (qdisc) to the physical network device (for example the Ethernet card eth0);

(2) Create classes on the queue;

(3) Create a route-based filter for each class;

(4) Finally, create the routing table entries that the filters match on.

2. Example environment:

The Ethernet card (eth0) of the flow controller has IP address 192.168.1.66, and a CBQ queue is created on it. Assume an average packet size of 1000 bytes, a cell (packet interval sending unit) of 8 bytes, and a maximum burst (maxburst) of 20 packets.

Three kinds of traffic need to be controlled: 1) traffic to host 1, IP address 192.168.1.24, limited to 8Mbit with priority 2; 2) traffic to host 2, IP address 192.168.1.30, limited to 1Mbit with priority 1; 3) traffic to subnet 1, network 192.168.1.0 with subnet mask 255.255.255.0, limited to 1Mbit with priority 6.

1. Create the queue

In general, only one queue needs to be created per network card.

Bind a CBQ queue numbered 1:0 to the physical device eth0. The actual bandwidth of eth0 is 10Mbit, the average packet size is 1000 bytes, the cell size is 8 bytes, and the minimum packet size (mpu) is 64 bytes.

tc qdisc add dev eth0 root handle 1: cbq bandwidth 10Mbit avpkt 1000 cell 8 mpu 64

2. Create the classes

Classes are built on top of the queue.

In general, a root class is created on the queue, and subclasses are created under it. The priority number of a class determines the order in which classes are serviced: the smaller the number, the higher the priority. Once a packet matches a class's rule, it is sent through that class and no further classes are consulted.

1) Create root class 1:1 with 10Mbit of bandwidth and priority 8.

tc class add dev eth0 parent 1:0 classid 1:1 cbq bandwidth 10Mbit rate 10Mbit maxburst 20 allot 1514 prio 8 avpkt 1000 cell 8 weight 1Mbit

The maximum bandwidth available to this queue is 10Mbit, the actual allocated rate is 10Mbit, the maximum burst is 20 packets, the MTU plus MAC header is 1514 bytes, the priority is 8, the average packet size is 1000 bytes, the cell size is 8 bytes, and the weight corresponding to the actual bandwidth is 1Mbit.

2) Create class 1:2 with parent class 1:1, 8Mbit of bandwidth and priority 2.

tc class add dev eth0 parent 1:1 classid 1:2 cbq bandwidth 10Mbit rate 8Mbit maxburst 20 allot 1514 prio 2 avpkt 1000 cell 8 weight 800Kbit split 1:0 bounded

The maximum bandwidth available to this queue is 10Mbit, the actual allocated rate is 8Mbit, the maximum burst is 20 packets, the MTU plus MAC header is 1514 bytes, the priority is 2, the average packet size is 1000 bytes, the cell size is 8 bytes, the weight corresponding to the actual bandwidth is 800Kbit, the split point of the class is 1:0, and the class may not borrow unused bandwidth (bounded).

3) Create class 1:3 with parent class 1:1, 1Mbit of bandwidth and priority 1.

tc class add dev eth0 parent 1:1 classid 1:3 cbq bandwidth 10Mbit rate 1Mbit maxburst 20 allot 1514 prio 1 avpkt 1000 cell 8 weight 100Kbit split 1:0

The maximum bandwidth available to this queue is 10Mbit, the actual allocated rate is 1Mbit, the maximum burst is 20 packets, the MTU plus MAC header is 1514 bytes, the priority is 1, the average packet size is 1000 bytes, the cell size is 8 bytes, the weight corresponding to the actual bandwidth is 100Kbit, and the split point of the class is 1:0.

4) Create class 1:4 with parent class 1:1, 1Mbit of bandwidth and priority 6.

tc class add dev eth0 parent 1:1 classid 1:4 cbq bandwidth 10Mbit rate 1Mbit maxburst 20 allot 1514 prio 6 avpkt 1000 cell 8 weight 100Kbit split 1:0

The maximum bandwidth available to this queue is 10Mbit, the actual allocated rate is 1Mbit, the maximum burst is 20 packets, the MTU plus MAC header is 1514 bytes, the priority is 6, the average packet size is 1000 bytes, the cell size is 8 bytes, the weight corresponding to the actual bandwidth is 100Kbit, and the split point of the class is 1:0.

3. Create the filters

Filters serve the classes.

Typically you only need to attach one filter to the root class, and then provide a route map for each subclass.

1) Attach the route classifier to the root of the CBQ queue: the parent is 1:0, the protocol is ip, the priority is 100, and classification is based on the routing table (realms).

tc filter add dev eth0 parent 1:0 protocol ip prio 100 route

2) Create the route maps for classes 1:2, 1:3 and 1:4

tc filter add dev eth0 parent 1:0 protocol ip prio 100 route to 2 flowid 1:2

tc filter add dev eth0 parent 1:0 protocol ip prio 100 route to 3 flowid 1:3

tc filter add dev eth0 parent 1:0 protocol ip prio 100 route to 4 flowid 1:4

4. Create the routes

These routes correspond one-to-one with the route maps created above.

1) Packets destined for host 192.168.1.24 are forwarded through class 2 (class 2 rate: 8Mbit)

ip route add 192.168.1.24 dev eth0 via 192.168.1.66 realm 2

2) Packets destined for host 192.168.1.30 are forwarded through class 3 (class 3 rate: 1Mbit)

ip route add 192.168.1.30 dev eth0 via 192.168.1.66 realm 3

3) Packets destined for subnet 192.168.1.0/24 are forwarded through class 4 (class 4 rate: 1Mbit)

ip route add 192.168.1.0/24 dev eth0 via 192.168.1.66 realm 4

Note: for the network segment directly connected to the flow controller, it is recommended to limit traffic per host IP address rather than per subnet. If a subnet limit must be used for a directly attached subnet, the route that the system created automatically for that subnet must be deleted before the subnet's route map is established; only then can the corresponding steps be completed.
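The four steps above as one script, added here as an example and not part of the original page. It uses the page's values (eth0 at 192.168.1.66, the 10Mbit CBQ root, leaf classes 1:2 to 1:4 and realms 2 to 4); the function names tc_setup, tc_teardown, add_class and run, and the DRY_RUN, DEV and GW variables are my own. With DRY_RUN=1 it prints the commands instead of running them, so the generated configuration can be reviewed before it is applied as root; the down action shows the teardown order, where deleting the root qdisc removes the classes and filters but the realm routes must be removed separately.

```shell
#!/bin/sh
# Added example: queue, classes, route filters and realm routes from the
# page's CBQ example as one script. DRY_RUN=1 prints the commands instead
# of executing them (no root needed); otherwise they run as written.

DEV=${DEV:-eth0}
GW=${GW:-192.168.1.66}
BW=10Mbit
# Options shared by every class (values from the page).
CBQ_COMMON="maxburst 20 allot 1514 avpkt 1000 cell 8"

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Leaf class 1:N with its rate, priority and weight (the page uses
# weight = rate / 10), plus the route map "to N -> flowid 1:N" so that
# routes tagged with realm N land in this class.
add_class() {
    n=$1; rate=$2; prio=$3; weight=$4; extra=$5
    run tc class add dev "$DEV" parent 1:1 classid 1:$n cbq bandwidth $BW \
        rate "$rate" $CBQ_COMMON prio "$prio" weight "$weight" split 1:0 $extra
    run tc filter add dev "$DEV" parent 1:0 protocol ip prio 100 route to "$n" flowid 1:$n
}

tc_setup() {
    # Step 1: root CBQ queue 1:0 on the device.
    run tc qdisc add dev "$DEV" root handle 1: cbq bandwidth $BW avpkt 1000 cell 8 mpu 64
    # Step 2: root class 1:1 gets the whole link; the leaves hang under it.
    run tc class add dev "$DEV" parent 1:0 classid 1:1 cbq bandwidth $BW \
        rate $BW $CBQ_COMMON prio 8 weight 1Mbit
    # Step 3: one route classifier on the root, then one map per leaf class.
    run tc filter add dev "$DEV" parent 1:0 protocol ip prio 100 route
    add_class 2 8Mbit 2 800Kbit bounded   # host 1: may not borrow bandwidth
    add_class 3 1Mbit 1 100Kbit ""        # host 2
    add_class 4 1Mbit 6 100Kbit ""        # subnet 1
    # Step 4: routes carrying the realm that the filters map to each class.
    run ip route add 192.168.1.24 dev "$DEV" via "$GW" realm 2
    run ip route add 192.168.1.30 dev "$DEV" via "$GW" realm 3
    run ip route add 192.168.1.0/24 dev "$DEV" via "$GW" realm 4
}

# Deleting the root qdisc removes every class and filter under it; the
# realm routes are separate objects and must be removed on their own.
tc_teardown() {
    run tc qdisc del dev "$DEV" root
    run ip route del 192.168.1.24 dev "$DEV" via "$GW" realm 2
    run ip route del 192.168.1.30 dev "$DEV" via "$GW" realm 3
    run ip route del 192.168.1.0/24 dev "$DEV" via "$GW" realm 4
}

case "$1" in
    up)   tc_setup ;;
    down) tc_teardown ;;
esac
```

Review the output of `DRY_RUN=1 sh tc-cbq.sh up` first; then run `sh tc-cbq.sh up` as root, and `sh tc-cbq.sh down` to remove the whole configuration in the right order.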

5. Monitoring

This mainly covers monitoring the status of the existing queue, classes, filters and routes.

1) Show the status of the queue

Brief display of the queue status of the specified device (here eth0)

tc qdisc ls dev eth0

qdisc cbq 1: rate 10Mbit (bounded,isolated) prio no-transmit

Detailed display of the queue status of the specified device (here eth0)

tc -s qdisc ls dev eth0

qdisc cbq 1: rate 10Mbit (bounded,isolated) prio no-transmit
 Sent 7646731 bytes 13232 pkts (dropped 0, overlimits 0)
 borrowed 0 overactions 0 avgidle undertime 0

This shows mainly that 13,232 packets were sent through the queue, the traffic volume was 7,646,731 bytes, 0 packets were dropped, and 0 packets exceeded the rate limit.

2) Show the status of the classes

Brief display of the class status of the specified device (here eth0)

tc class ls dev eth0

class cbq 1: root rate 10Mbit (bounded,isolated) prio no-transmit
class cbq 1:1 parent 1: rate 10Mbit prio no-transmit      # no-transmit represents a priority of 8
class cbq 1:2 parent 1:1 rate 8Mbit prio 2
class cbq 1:3 parent 1:1 rate 1Mbit prio 1
class cbq 1:4 parent 1:1 rate 1Mbit prio 6

Detailed display of the class status of the specified device (here eth0)

tc -s class ls dev eth0

class cbq 1: root rate 10Mbit (bounded,isolated) prio no-transmit
 Sent 17725304 bytes 32088 pkts (dropped 0, overlimits 0)
 borrowed 0 overactions 0 avgidle undertime 0
class cbq 1:1 parent 1: rate 10Mbit prio no-transmit
 Sent 16627774 bytes 28884 pkts (dropped 0, overlimits 0)
 borrowed 16163 overactions 0 avgidle 587 undertime 0
class cbq 1:2 parent 1:1 rate 8Mbit prio 2
 Sent 628829 bytes 3130 pkts (dropped 0, overlimits 0)
 borrowed 0 overactions 0 avgidle 4137 undertime 0
class cbq 1:3 parent 1:1 rate 1Mbit prio 1
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 borrowed 0 overactions 0 avgidle 159654 undertime 0
class cbq 1:4 parent 1:1 rate 1Mbit prio 6
 Sent 5552879 bytes 8076 pkts (dropped 0, overlimits 0)
 borrowed 3797 overactions 0 avgidle 159557 undertime 0

This shows, for each class, the packets sent, the traffic volume, the number of dropped packets, the number of packets exceeding the rate limit, and so on. The state of the root class (class cbq 1:0) should be similar to that of the queue.

For example, class cbq 1:4 sent 8,076 packets, its traffic volume was 5,552,879 bytes, 0 packets were dropped, and 0 packets exceeded the rate limit.
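An added example (not from the original page) for this monitoring step: shell functions that turn the three-lines-per-class output of tc -s class ls into one line per class, and a second function that flags any class with dropped packets or packets over its rate limit, which is the check an operator wants on a schedule rather than by eye. The sample output embedded below is constructed for the example (the page's layout, with class 1:2 given non-zero drop and overlimit counters so the check has something to report); tc_class_summary and tc_class_alerts are my names.

```shell
#!/bin/sh
# Added example: summarise and check `tc -s class ls dev DEV` output.
# Both functions read the tc output on stdin.

# One line per class: classid, bytes, packets, dropped, overlimits, borrowed.
tc_class_summary() {
    awk '
        /^class / { cls = $3 }
        /Sent [0-9]+ bytes/ {
            bytes = $2; pkts = $4
            match($0, /dropped [0-9]+/)
            dropped = substr($0, RSTART + 8, RLENGTH - 8)
            match($0, /overlimits [0-9]+/)
            over = substr($0, RSTART + 11, RLENGTH - 11)
        }
        /^ *borrowed / {
            printf "%s bytes=%s pkts=%s dropped=%s overlimits=%s borrowed=%s\n",
                   cls, bytes, pkts, dropped, over, $2
        }
    '
}

# Print an ALERT line for every class that dropped packets or ran over its
# limit; prints nothing (and exits 0) when all counters are zero.
tc_class_alerts() {
    tc_class_summary | awk '
        {
            for (i = 2; i <= NF; i++) { split($i, kv, "="); v[kv[1]] = kv[2] }
            if (v["dropped"] + 0 > 0 || v["overlimits"] + 0 > 0)
                printf "ALERT %s dropped=%s overlimits=%s\n", $1, v["dropped"], v["overlimits"]
        }
    '
}

# Constructed sample in the layout of the page's `tc -s class ls dev eth0`
# output; class 1:2 is given drops and overlimits on purpose.
SAMPLE_TC_CLASS_OUTPUT=$(cat <<'EOF'
class cbq 1: root rate 10Mbit (bounded,isolated) prio no-transmit
 Sent 17725304 bytes 32088 pkts (dropped 0, overlimits 0)
 borrowed 0 overactions 0 avgidle 0 undertime 0
class cbq 1:1 parent 1: rate 10Mbit prio no-transmit
 Sent 16627774 bytes 28884 pkts (dropped 0, overlimits 0)
 borrowed 16163 overactions 0 avgidle 587 undertime 0
class cbq 1:2 parent 1:1 rate 8Mbit prio 2
 Sent 628829 bytes 3130 pkts (dropped 12, overlimits 340)
 borrowed 0 overactions 0 avgidle 4137 undertime 0
class cbq 1:3 parent 1:1 rate 1Mbit prio 1
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 borrowed 0 overactions 0 avgidle 159654 undertime 0
class cbq 1:4 parent 1:1 rate 1Mbit prio 6
 Sent 5552879 bytes 8076 pkts (dropped 0, overlimits 0)
 borrowed 3797 overactions 0 avgidle 159557 undertime 0
EOF
)

# Demonstration on the constructed sample; on a real system pipe
# `tc -s class ls dev eth0` into the functions instead.
printf '%s\n' "$SAMPLE_TC_CLASS_OUTPUT" | tc_class_summary
printf '%s\n' "$SAMPLE_TC_CLASS_OUTPUT" | tc_class_alerts
```

The dropped and overlimits counters are cumulative since the qdisc was created, so for a periodic check store the previous summary and compare the deltas rather than alerting on the absolute values.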

3) Show the status of the filters

tc -s filter ls dev eth0

filter parent 1: protocol ip pref 100 route
filter parent 1: protocol ip pref 100 route fh 0xffff0002 flowid 1:2 to 2
filter parent 1: protocol ip pref 100 route fh 0xffff0003 flowid 1:3 to 3
filter parent 1: protocol ip pref 100 route fh 0xffff0004 flowid 1:4 to 4

Here flowid 1:2 denotes class cbq 1:2, and to 2 means that traffic matched by route realm 2 is sent through it.

4) Show the status of the existing routes

ip route

192.168.1.66 dev eth0 scope link
192.168.1.24 via 192.168.1.66 dev eth0 realm 2
202.102.24.216 dev ppp0 proto kernel scope link src 202.102.76.5
192.168.1.30 via 192.168.1.66 dev eth0 realm 3
192.168.1.0/24 via 192.168.1.66 dev eth0 realm 4
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.66
172.16.1.0/24 via 192.168.1.66 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 202.102.24.216 dev ppp0
default via 192.168.1.254 dev eth0

As shown above, the lines ending in realm N are the routes that the route filters act on.

6. Maintenance

This includes adding, modifying and deleting queues, classes, filters and routes.

Additions are normally done in the order queue, class, filter, route; modifications have no required order.

1) Maintenance of the queue

On a flow controller, one queue is usually configured for each Ethernet card at the factory, so queues normally do not need to be added, modified or deleted.

2) Maintenance of the classes

Add

Adding is done with the tc class add command, as shown earlier.

Modify

Modifying is done with the tc class change command, for example:

tc class change dev eth0 parent 1:1 classid 1:2 cbq bandwidth 10Mbit rate 7Mbit maxburst 20 allot 1514 prio 2 avpkt 1000 cell 8 weight 700Kbit split 1:0 bounded

The bounded option should be used with caution: once it has been set, it cannot be changed with tc class change; the class must be deleted and then added again.

Delete

A class can only be deleted while it is not yet in use; once data has been sent through it, it cannot be deleted directly. In that case, edit the shell script that sets up the configuration and apply the deletion by restarting it.

3) Maintenance of the filters

Add

Adding is done with the tc filter add command, as shown earlier.

Modify

Modifying is done with the tc filter change command, for example:

tc filter change dev eth0 parent 1:0 protocol ip prio 100 route to 8 flowid 1:8

Delete

Deleting is done with the tc filter del command, for example:

tc filter del dev eth0 parent 1:0 protocol ip prio 100 route to 10

4) Maintenance of the routes mapped one-to-one to the filters

Add

Adding is done with the ip route add command, as shown earlier.

Modify

Modifying is done with the ip route change command, for example:

ip route change 192.168.1.30 dev eth0 via 192.168.1.66 realm 8

Delete

Deleting is done with the ip route del command, for example:

ip route del 192.168.1.30 dev eth0 via 192.168.1.66 realm 8

ip route del 192.168.1.0/24 dev eth0 via 192.168.1.66 realm 4
