TC+HTB flow control under Linux

Source: Internet
Author: User

A TC rule set is built from three parts: the queue discipline (qdisc), the class, and the filter. The filter sorts packets by a mark, which can be set either with a u32 match or with the iptables set-mark target. The usual setup is a Linux box with two network cards: eth1 faces the external network and eth0 faces the intranet. HTB is applied on eth0. (Note: if iptables is used for marking, the rate limits are still enforced on eth0, but the mark must be set before the packet reaches eth0's queue, so the marking rule matches on the incoming interface, "-i eth1".) Example:
The main setup consists of the following three commands:
1. Create the HTB root qdisc:
tc qdisc add dev eth0 root handle 1: htb default 20
2. Create an HTB class; this is where the traffic limit (rate/ceil) and a burst are set:
tc class add dev eth0 parent 1: classid 1:1 htb rate 200kbit ceil 200kbit burst 20k
3. Create a filter rule that picks out the traffic to be limited and sends it to the class above (the source port number is missing from the source; <port> is a placeholder):
tc filter add dev eth0 parent 1: prio 1 protocol ip u32 match ip sport <port> 0xffff flowid 1:1
Description: keep interactive packets at low latency and give them first claim on free bandwidth. For example:
SSH, telnet, DNS, quake3, IRC, FTP control, SMTP commands and packets carrying the SYN flag should all belong to this class. To make sure upstream traffic does not hurt the downstream, ACK packets are queued ahead of the bulk upload, because the ACKs for downloaded data would otherwise have to compete with the upstream stream.
TC + iptables + HTB + SFQ
1 TCP/IP requires that every packet be acknowledged: the sender needs a reply confirming receipt in order to decide the subsequent transmission speed and whether lost data must be retransmitted. Part of the upstream bandwidth is therefore used to carry these ACKs. When the upstream is heavily loaded, the ACKs are delayed, and the download speed drops with them.
2 Tests show that when the upload is saturated, download speed falls to 40% of its original value or even lower. A large upload (an FTP upload, an e-mail sent through SMTP) fills the link, and every packet then waits in a first-in, first-out queue behind it. This explains why the whole network becomes very slow when someone uploads files with FTP or sends large messages.
How to solve the speed problem:
1 To solve these speed problems, we sort the data passing through the line into separate flows. Moving the bottleneck from the provider's link onto our Linux router, by limiting bandwidth to slightly less than what we buy, lets us use TC to classify and control the traffic ourselves.
Think of it as lanes on a road: fast lanes, narrow lanes, wide lanes. Traffic that needs speed (SYN, ACK, ICMP, SSH) takes the fast lane; traffic that moves bulk data (FTP-DATA, SMTP) takes the wide lane and must not be allowed to block the whole road; every flow keeps to its own lane.
TC (traffic control) under Linux does exactly this; as long as it is set up correctly the effect is obvious. TC combined with iptables is the simplest combination to use.
We use iptables to set up the filters that classify packets, because iptables is more flexible and keeps a counter for every rule. iptables marks the packet in the mangle chain; the mark (fwmark) tells the kernel which class the packet belongs to: "handle x fw" selects mark x and "classid x:x" names the class. prio is a priority value: important data is served first. The queuing discipline selected is HTB.
The system default is a FIFO queue: packets are handled in arrival order, so if a large packet is ahead, everything behind it waits until that packet has been sent. Even a small ACK has to wait, which is how uploads slow down downloads, no matter how much download bandwidth you have.
HTB (Hierarchical Token Bucket) works like CBQ but does not rely on computing idle time for shaping; it is a classful token bucket filter with very few parameters.
Structure diagram:
                        1:
                        |
            -----------------------
            |                     |
           1:1                   1:2
          /   \           /     |     |     \
       1:11  1:12      1:21   1:22  1:23  1:24
Priority order: 1:11 1:12 1:21 1:22 1:23 1:24
The script below follows the structure above.
Parameter description:
rate: the bandwidth a class is guaranteed to get. With several classes, the sum of all child classes' rates should be less than or equal to the parent class's rate.
ceil: the maximum bandwidth a class may borrow up to.
prio: the priority; the larger the value, the lower the priority. When leftover bandwidth is handed out, the class with the smallest prio value gets first claim on it.
For bulk data, keep rate at about 50%-80% and ceil at no more than 85%, so that one session cannot consume too much bandwidth.
rate can be assigned according to each type's needs:
1:11 carries very small but very important packets. It gets a generous share and, when necessary, may take everything, though in practice it rarely does, so give it full speed.
1:12 carries very important data; give it a large share, at least half, and let it borrow more when needed.
rate planning: 1:2 = 1:21 + 1:22 + 1:23 + 1:24, generally around 50%-80%.
1:21 HTTP and POP are the most commonly used. Because so many people use them they cause congestion, so give them neither too much nor too little.
1:22 SMTP gets a priority lower than 1:21, to stop large attachments from taking a lot of bandwidth.
1:23 FTP-DATA, like 1:22, is likely to be used for uploading many large files, so its rate cannot be high; when others leave bandwidth free it may borrow more, so its ceil is set higher.
1:24 is the catch-all channel for traffic our normal work does not need; give it a small share so that it cannot interfere with people who need to work.
The uplink is 320K; set the limit slightly below the theoretical value.
DEV="ppp0"
uplink=300
The downlink is about 3200K; set the limit to roughly half so that more concurrent connections can be served.
downlink=1500
1 Add the root qdisc. Packets that are not classified go to the default class; 1:24 is the default class:
tc qdisc add dev $DEV root handle 1: htb default 24
1.1 Under the root add the trunk class 1:1 with a rate of $uplink kbit:
tc class add dev $DEV parent 1: classid 1:1 htb rate ${uplink}kbit ceil ${uplink}kbit prio 0
1.1.1 The first leaf class under trunk class 1:1, the highest-priority class, for packets that need high priority and high speed, such as SYN, ACK, ICMP:
tc class add dev $DEV parent 1:1 classid 1:11 htb rate ${uplink}kbit ceil ${uplink}kbit prio 1
1.1.2 The second leaf class under trunk class 1:1, a sub-high priority class, for example our important CRM data:
tc class add dev $DEV parent 1:1 classid 1:12 htb rate $((uplink - 150))kbit ceil $((uplink - 50))kbit prio 2
1.2 Under the root create the sub-trunk class 1:2. Everything below it has a lower priority than the trunk class, so that important data is not blocked during congestion:
tc class add dev $DEV parent 1: classid 1:2 htb rate $((uplink - 150))kbit prio 3

1.2.1 The first leaf class under the sub-trunk, for example HTTP and POP:
tc class add dev $DEV parent 1:2 classid 1:21 htb rate 100kbit ceil $((uplink - 150))kbit prio 4
1.2.2 The second leaf class under the sub-trunk; not too fast, in case large attachments take a lot of bandwidth, for example SMTP:
tc class add dev $DEV parent 1:2 classid 1:22 htb rate 30kbit ceil $((uplink - 160))kbit prio 5
1.2.3 The third leaf class under the sub-trunk; not too much bandwidth, in case a large volume of data blocks the network, for example FTP-DATA:
tc class add dev $DEV parent 1:2 classid 1:23 htb rate 15kbit ceil $((uplink - 170))kbit prio 6
1.2.4 The fourth leaf class under the sub-trunk, for traffic we do not care about; it needs little bandwidth, so that it cannot block the services people do care about:
tc class add dev $DEV parent 1:2 classid 1:24 htb rate 5kbit ceil $((uplink - 250))kbit prio 7
Attach an SFQ qdisc to each leaf class so that no single connection can monopolise the class's bandwidth and every session gets a fair share.
# SFQ (Stochastic Fairness Queueing). The key concept of SFQ is the "session" (or "flow"), mainly a TCP session or a UDP stream. Traffic is split into many FIFO queues, each corresponding to one session.
# Data is sent round-robin, each session in turn. This is fairly fair and ensures that no session is drowned out by the others. SFQ is called "stochastic" because it does not really create one queue per session; it uses a hash to map all sessions onto a limited number of queues.
# The perturb parameter is the number of seconds after which the hash is reconfigured; the default is 10 seconds.
tc qdisc add dev $DEV parent 1:11 handle 111: sfq perturb 5
tc qdisc add dev $DEV parent 1:12 handle 112: sfq perturb 5
tc qdisc add dev $DEV parent 1:21 handle 121: sfq perturb 10
tc qdisc add dev $DEV parent 1:22 handle 122: sfq perturb 10
tc qdisc add dev $DEV parent 1:23 handle 123: sfq perturb 10
tc qdisc add dev $DEV parent 1:24 handle 124: sfq perturb 10
Set the filters. handle is the value iptables sets as the mark; iptables marks packets with different values in the mangle chain to select different channels (classid), and prio is the priority of the filter:
tc filter add dev $DEV parent 1:0 protocol ip prio 1 handle 1 fw classid 1:11
tc filter add dev $DEV parent 1:0 protocol ip prio 2 handle 2 fw classid 1:12
tc filter add dev $DEV parent 1:0 protocol ip prio 3 handle 3 fw classid 1:21
tc filter add dev $DEV parent 1:0 protocol ip prio 4 handle 4 fw classid 1:22
tc filter add dev $DEV parent 1:0 protocol ip prio 5 handle 5 fw classid 1:23
tc filter add dev $DEV parent 1:0 protocol ip prio 6 handle 6 fw classid 1:24
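The whole uplink tree above, as an added example that is not part of the original article: it builds the same root qdisc, trunk and leaf classes, one SFQ per leaf and the six fw filters from a single table, using the article's own values (ppp0, uplink=300), and audits the rule stated under "rate" that the children's guaranteed rates must not exceed the parent's. The table layout, the audit functions and the SFQ handle naming rule (1:11 -> 111:) are this example's own choices. TC defaults to "echo tc", so the script only prints the commands; run it with TC=tc to apply them.

```shell
#!/bin/sh
# Added example, not the article's own script: build the uplink HTB tree from
# one table and audit the rate budget before any command reaches the kernel.
# TC defaults to a dry run that prints the commands; use TC=tc to apply them.
TC="${TC:-echo tc}"
DEV=ppp0     # as in the article
uplink=300   # kbit, just under the real 320k uplink, as in the article

# Leaf table (the article's values): classid parent rate ceil prio sfq-perturb
leaves() {
    cat <<EOF
1:11 1:1 $uplink $uplink 1 5
1:12 1:1 $((uplink - 150)) $((uplink - 50)) 2 5
1:21 1:2 100 $((uplink - 150)) 4 10
1:22 1:2 30 $((uplink - 160)) 5 10
1:23 1:2 15 $((uplink - 170)) 6 10
1:24 1:2 5 $((uplink - 250)) 7 10
EOF
}

# check_budget PARENT_RATE CHILD_RATE... -> 0 when the children fit in the parent
check_budget() {
    parent=$1; shift
    sum=0
    for r in "$@"; do sum=$((sum + r)); done
    [ "$sum" -le "$parent" ]
}

# branch_rate_sum PARENT_CLASSID -> sum of the guaranteed rates of its leaves
branch_rate_sum() {
    leaves | awk -v p="$1" '$2 == p { s += $3 } END { print s + 0 }'
}

# audit_budget -> non-zero, with one warning per branch, if a branch is oversubscribed
audit_budget() {
    status=0
    for branch in "1:1 $uplink" "1:2 $((uplink - 150))"; do
        set -- $branch
        sum=$(branch_rate_sum "$1")
        if ! check_budget "$2" "$sum"; then
            echo "WARN: class $1 guarantees ${2}kbit but its leaves need ${sum}kbit" >&2
            status=1
        fi
    done
    return $status
}

# build_tree -> root qdisc, trunk classes, leaves, one SFQ per leaf, fw filters
build_tree() {
    $TC qdisc add dev "$DEV" root handle 1: htb default 24
    $TC class add dev "$DEV" parent 1: classid 1:1 htb rate "${uplink}kbit" ceil "${uplink}kbit" prio 0
    $TC class add dev "$DEV" parent 1: classid 1:2 htb rate "$((uplink - 150))kbit" prio 3
    leaves | while read -r cid parent rate ceil prio perturb; do
        $TC class add dev "$DEV" parent "$parent" classid "$cid" htb rate "${rate}kbit" ceil "${ceil}kbit" prio "$prio"
        # SFQ handle derived from the classid: 1:11 -> 111:, 1:24 -> 124:
        $TC qdisc add dev "$DEV" parent "$cid" handle "1${cid#1:}:" sfq perturb "$perturb"
    done
    # fwmark N selects the N-th leaf in priority order, as the article's filters do
    n=1
    for cid in 1:11 1:12 1:21 1:22 1:23 1:24; do
        $TC filter add dev "$DEV" parent 1:0 protocol ip prio "$n" handle "$n" fw classid "$cid"
        n=$((n + 1))
    done
}

audit_budget || echo "NOTE: HTB accepts this, but those guarantees cannot all be met at once" >&2
build_tree
```

With the article's values the 1:2 branch is exactly budgeted (100 + 30 + 15 + 5 = 150kbit against a rate of 150kbit), while 1:11 and 1:12 together guarantee 450kbit under a 1:1 rate of 300kbit. HTB does not reject that, but it means the two guarantees cannot both be honoured at the same time, which is what the audit reports before the commands are printed.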
##################################################
Downlink restrictions:
# Set up the ingress policer. Some ports often cause large downloads; do not let them come in so fast that they cause congestion. Whatever arrives faster than the limit is dropped directly, so it does not waste CPU time and power.
1 The downlink rate is limited to about 1000-1500k (roughly 50% of the bandwidth), which is enough and leaves room for more concurrent download connections.
tc qdisc add dev $DEV handle ffff: ingress
tc filter add dev $DEV parent ffff: protocol ip handle 8 fw police rate ${downlink}kbit burst 10k drop flowid :8
If internal traffic is not very heavy, the downlink restriction is not needed; comment the two lines above out with #.
If you want to limit the speed of all incoming data instead, use the following:
tc filter add dev $DEV parent ffff: protocol ip u32 match ip src 0.0.0.0/0 police rate ${downlink}kbit burst 10k drop flowid :1
################################
Start marking packets
Mark outgoing packets (matched by destination port) with 1 to 6 so that they take the different channels.
Mark incoming packets (matched by source port) with 8 so that they are subject to the downlink limit and cannot come in so fast that they affect everything else.
Each rule is followed by a RETURN, so a packet that has been marked does not traverse the remaining rules; this speeds up processing.
Set up handling by TOS:
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Delay -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Delay -j RETURN
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Cost -j MARK --set-mark 4
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Cost -j RETURN
iptables -t mangle -A PREROUTING -m tos --tos Maximize-Throughput -j MARK --set-mark 5
iptables -t mangle -A PREROUTING -m tos --tos Maximize-Throughput -j RETURN
# Raising the priority of TCP initial connections (packets with SYN set) is very sensible.
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
# ICMP: we want ping to respond well, so put it in class 1.
iptables -t mangle -A PREROUTING -p icmp -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p icmp -j RETURN
# Small packets (probably just ACKs): TCP packets under 64 bytes usually need to be fast, since they mostly acknowledge data, so let them take the faster channel.
iptables -t mangle -A PREROUTING -p tcp -m length --length :64 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp -m length --length :64 -j RETURN
# FTP control goes in class 2, because its packets are generally small; FTP-DATA goes in class 5, because it generally carries long bulk transfers.
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport ftp -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport ftp -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport ftp-data -j MARK --set-mark 5
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport ftp-data -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport ftp -j MARK --set-mark 8
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport ftp -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport ftp-data -j MARK --set-mark 8
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport ftp-data -j RETURN
# Raise the priority of SSH packets: class 1. SSH is interactive and important and must not be slowed down:
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 22 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 22 -j RETURN
# SMTP mail goes in class 4: sometimes someone sends a lot of mail, and to keep it from clogging the link we let it run on channel 4.
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 25 -j MARK --set-mark 4
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 25 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 25 -j MARK --set-mark 8
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 25 -j RETURN

# Name (domain) server: class 1, so that connecting by host name resolves the address quickly and speeds things up.
iptables -t mangle -A PREROUTING -p udp -m udp --dport 53 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p udp -m udp --dport 53 -j RETURN
# HTTP: class 3; it is the most commonly used service, most people use it.
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j MARK --set-mark 8
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j RETURN
# POP mail goes in class 3:
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 110 -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 110 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 110 -j MARK --set-mark 8
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 110 -j RETURN
# Microsoft SQL Server: put in the 2nd class; I consider it more important here, so its speed and priority must be guaranteed.
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 1433 -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 1433 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 1433 -j MARK --set-mark 8
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 1433 -j RETURN
# HTTPS: class 3.
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 443 -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 443 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 443 -j MARK --set-mark 8
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 443 -j RETURN
# VoIP: raise its priority so that voice keeps its speed and is not interrupted.
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 1720 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 1720 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 1720 -j MARK --set-mark 8
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 1720 -j RETURN
# The VPN used for VoIP also takes the highway, so it is not interrupted.
iptables -t mangle -A PREROUTING -p udp -m udp --dport 7707 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p udp -m udp --dport 7707 -j RETURN
# Put in class 1, because I consider this one very important to me; the best line:
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 7070 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 7070 -j RETURN
# Raise the priority of locally generated packets: class 1.
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 22 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 22 -j RETURN
iptables -t mangle -A OUTPUT -p icmp -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -p icmp -j RETURN
# Local small packets (probably just ACKs):
iptables -t mangle -A OUTPUT -p tcp -m length --length :64 -j MARK --set-mark 2
iptables -t mangle -A OUTPUT -p tcp -m length --length :64 -j RETURN
#################################################
# After adding the mangle rules to PREROUTING, end the PREROUTING chain with this rule. Packets not tagged above do not strictly need handling, since 1:24 is the default class, but marking them anyway keeps the setup complete and lets you see the packet count for the rule:
iptables -t mangle -A PREROUTING -i $DEV -j MARK --set-mark 6
# To restrict a particular host: iptables -t mangle -I PREROUTING 1 -s 192.168.xx.xx -j MARK --set-mark 6
# iptables -t mangle -I PREROUTING 2 -s 192.168.xx.xx -j RETURN
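The port-based MARK/RETURN pairs above, generated from one service table, as an added example that is not the article's own script. It uses the article's port-to-mark assignments and its convention that TCP services also get a --sport rule with mark 8 for the ingress policer; the table layout, the mark_to_class lookup (taken from the six fw filters) and the check that every mark actually has a class are this example's own additions. IPT defaults to "echo iptables", so the script only prints the rules; run it with IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not the article's own script: generate the MARK/RETURN pairs
# from one service table, so that mark numbers, ports and the reply-side
# (--sport, mark 8) rules stay consistent. IPT defaults to a dry run that
# prints the commands; use IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"
DEV=ppp0   # as in the article

# Service table (the article's assignments): proto port mark reply
# reply=yes adds the --sport rule with mark 8 for the ingress policer.
services() {
    cat <<'EOF'
tcp ftp 2 yes
tcp ftp-data 5 yes
tcp 22 1 no
tcp 25 4 yes
udp 53 1 no
tcp 80 3 yes
tcp 110 3 yes
tcp 1433 3 yes
tcp 443 3 yes
tcp 1720 1 yes
udp 7707 1 no
tcp 7070 1 no
EOF
}

# mark_to_class MARK -> the leaf class the article's fw filters map it to
mark_to_class() {
    case $1 in
        1) echo 1:11 ;; 2) echo 1:12 ;; 3) echo 1:21 ;;
        4) echo 1:22 ;; 5) echo 1:23 ;; 6) echo 1:24 ;;
        *) return 1 ;;
    esac
}

# check_marks -> non-zero if a mark in the table has no fw filter, which would
# send that service silently to the default class 1:24
check_marks() {
    services | while read -r proto port mark reply; do
        mark_to_class "$mark" >/dev/null || {
            echo "mark $mark for $proto/$port has no class" >&2
            exit 1
        }
    done
}

# mark_rules -> the PREROUTING mangle rules, one MARK + RETURN pair per entry
mark_rules() {
    services | while read -r proto port mark reply; do
        $IPT -t mangle -A PREROUTING -p "$proto" -m "$proto" --dport "$port" -j MARK --set-mark "$mark"
        $IPT -t mangle -A PREROUTING -p "$proto" -m "$proto" --dport "$port" -j RETURN
        if [ "$reply" = yes ]; then
            $IPT -t mangle -A PREROUTING -p "$proto" -m "$proto" --sport "$port" -j MARK --set-mark 8
            $IPT -t mangle -A PREROUTING -p "$proto" -m "$proto" --sport "$port" -j RETURN
        fi
    done
    # whatever is still unmarked gets 6 (the default class 1:24) so its counter is visible
    $IPT -t mangle -A PREROUTING -i "$DEV" -j MARK --set-mark 6
}

check_marks && mark_rules
```

Because every rule comes from the same table, a mark with no matching fw filter is caught before any rule is loaded, and the --dport and --sport rules for a service can no longer drift apart the way hand-typed pairs do.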
###################################################
Using u32:
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 ...   This is called a u32 match, and it can match any part of the packet.
By source/destination address: match ip src 0.0.0.0/0
match ip dst 1.2.3.0/24
A single IP address is written with /32.
By source/destination port (the port number is followed by the mask 0xffff; <port> is a placeholder for the number, which the source omits): match ip sport <port> 0xffff
match ip dport <port> 0xffff
By IP protocol (UDP, TCP, ICMP, GRE, IPSec): match ip protocol <number> 0xff
For example, ICMP is protocol 1: match ip protocol 1 0xff
Example:
tc filter add dev $DEV parent 1:0 protocol ip prio 1 u32 match ip dst 4.3.2.1/32 flowid 10:1
tc filter add dev $DEV parent 1:0 protocol ip prio 1 \
    u32 match ip src 4.3.2.1/32 match ip sport <port> 0xffff flowid 10:1
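What "can match any part of the packet" means in practice, as an added example that is not part of the original article: the "match ip src/dst/sport/dport/protocol" forms are shorthands for a raw "match u32|u16|u8 VALUE MASK at OFFSET", and the functions below expand them. They assume an IPv4 header without options, so the protocol byte sits at offset 9, the source address at 12, the destination at 16, and the L4 source and destination ports at 20 and 22 (the fixed offsets iproute2 uses for these shorthands). The port 80 used in the final printed filter is an assumed value, since the article omits the port number.

```shell
#!/bin/sh
# Added example, not from the article: expand the "match ip ..." shorthands
# into the raw "match u32/u16/u8 VALUE MASK at OFFSET" form that u32 works
# with, which is what lets it match any byte of the packet.
# Assumption: IPv4 header without options, so the protocol byte is at offset 9,
# src at 12, dst at 16, and the L4 source/destination ports at 20 and 22.

hex32() { printf '0x%08x' "$1"; }

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# prefix_mask LEN -> netmask for a /LEN prefix as an integer (0 for /0)
prefix_mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# u32_addr_match src|dst CIDR -> "match u32 VALUE MASK at 12|16"
u32_addr_match() {
    case $1 in src) off=12 ;; dst) off=16 ;; *) return 1 ;; esac
    addr=${2%/*}
    len=${2#*/}
    [ "$len" = "$2" ] && len=32        # a bare address means /32
    mask=$(prefix_mask "$len")
    val=$(( $(ip_to_int "$addr") & mask ))   # host bits cleared, as tc does
    echo "match u32 $(hex32 "$val") $(hex32 "$mask") at $off"
}

# u32_port_match sport|dport PORT -> "match u16 PORT 0xffff at 20|22"
u32_port_match() {
    case $1 in sport) off=20 ;; dport) off=22 ;; *) return 1 ;; esac
    echo "match u16 $(printf '0x%04x' "$2") 0xffff at $off"
}

# u32_proto_match NUMBER -> "match u8 NUMBER 0xff at 9" (1 = ICMP)
u32_proto_match() {
    echo "match u8 $(printf '0x%02x' "$1") 0xff at 9"
}

# The article's last filter ("match ip src 4.3.2.1/32 match ip sport <port> 0xffff")
# in raw form; port 80 is an assumed value because the article omits it.
echo "tc filter add dev ppp0 parent 1:0 protocol ip prio 1 u32 \\"
echo "    $(u32_addr_match src 4.3.2.1/32) \\"
echo "    $(u32_port_match sport 80) flowid 10:1"
```

The raw form is also what you need when the field of interest has no shorthand at all, for example a byte inside the TCP header or the payload; the offset is then counted from the start of the IP header exactly as here, and a mask of all ones selects the whole field.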
