Using TC to implement traffic management based on Linux system

Source: Internet
Author: User
Tags iptables

Red Hat Linux 7.3, kernel 2.4.18. The server's eth0 is bound to the external address 192.168.1.3; eth1 is bound to the internal addresses eth1:1 172.17.1.1, eth1:2 172.18.1.1 and eth1:3 172.19.1.1.

The goal is to limit the whole export (upload traffic) to 512kbit, and to limit download traffic for the 172.17 segment to 512kbit, the 172.18 segment to 128kbit and the 172.19 segment to 3Mbit.

The method is as follows:

First, bind the corresponding addresses and set up forwarding and NAT; this part is done with iptables.

# iptables -F INPUT
# iptables -F OUTPUT
# iptables -F FORWARD
# echo 1 > /proc/sys/net/ipv4/ip_forward   # allow forwarding
# iptables -A INPUT -j ACCEPT
# iptables -A OUTPUT -j ACCEPT
# iptables -A FORWARD -j ACCEPT
# iptables -t nat -A POSTROUTING -s 172.17.0.0/16 -j MASQUERADE
# iptables -t nat -A POSTROUTING -s 172.18.0.0/16 -j MASQUERADE
# iptables -t nat -A POSTROUTING -s 172.19.0.0/16 -j MASQUERADE

This masquerades the internal IP addresses so that packets from the internal hosts can reach the outside world through the server. Now for the traffic management:

# tc qdisc add dev eth0 root tbf rate 512kbit latency 50ms burst 1540

A TBF (token bucket filter) queue is attached to the NIC eth0: the export is limited to 512kbit, with a latency of 50ms and a burst of 1540 bytes; the rate value is the bandwidth limit. Next come the restrictions on eth1:

# tc qdisc add dev eth1 root handle 1:0 cbq bandwidth 100Mbit avpkt 1000 cell 8

Create the root queue, declaring the card to be a 100Mbit NIC; this value is independent of the traffic limits and is used only for CBQ's calculations.

# tc class add dev eth1 parent 1:0 classid 1:1 cbq bandwidth 100Mbit rate 5Mbit weight 6Mbit prio 8 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded

Create the root class, with bandwidth limited to 5Mbit and bounded so that no further bandwidth may be borrowed. The value after prio is the priority, which sets the order in which packets are processed.

# tc class add dev eth1 parent 1:1 classid 1:3 cbq bandwidth 100Mbit rate 512kbit weight 5Mbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded

Under the root class, create class 1:3 with its bandwidth limited to 512kbit (bounded, so it may not borrow bandwidth), for the 172.17 segment.

# tc class add dev eth1 parent 1:1 classid 1:4 cbq bandwidth 100Mbit rate 128kbit weight 5Mbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded

Under the root class, create class 1:4 with its bandwidth limited to 128kbit (bounded, so it may not borrow bandwidth), for the 172.18 segment.

# tc class add dev eth1 parent 1:1 classid 1:5 cbq bandwidth 100Mbit rate 3Mbit weight 10Mbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded

Under the root class, create class 1:5 with its bandwidth limited to 3Mbit (bounded, so it may not borrow bandwidth), for the 172.19 segment.

# tc qdisc add dev eth1 parent 1:3 handle 30: sfq
# tc qdisc add dev eth1 parent 1:4 handle 40: sfq
# tc qdisc add dev eth1 parent 1:5 handle 50: sfq

Under each class, create a leaf queue using SFQ (stochastic fairness queueing), so that the flows inside a class share its bandwidth fairly.

# tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32 match ip dst 172.17.0.0/16 flowid 1:3
# tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32 match ip dst 172.18.0.0/16 flowid 1:4
# tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32 match ip dst 172.19.0.0/16 flowid 1:5

Use the u32 filter to classify packets by destination address into the classes created above. In this way a simple flow control is achieved: the export's upload traffic and the internal interface's download traffic are both limited. For 172.18.1.2 the download limit is 128kbit and the measured download rate was 13-16.3kb; for 172.19.1.2 the download limit is 3Mbit and the measured download rate reached 180-500kb.

Note: packets that match none of the filter rules are handled according to the settings of the root class. The limiting error for the 3M bandwidth was found to be relatively large.

The above tests were done on a single machine; the fully loaded case was not tested. This article was written in a hurry. tc filters involve a great deal, and there are many ways to implement this, whether based on IP address or on port.
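The whole procedure above, repackaged as an added example that is not the article's own code: a POSIX shell script that drives the tc commands from one table of segments, removes any old root qdisc first so it can safely be re-run, and has a dry-run mode that prints the commands instead of executing them. The interface names and rates are the article's; the function names and the TC_DRY_RUN variable are my own.

```shell
#!/bin/sh
# Added example, not from the original article: build the article's shaping
# setup from one table so the three near-identical class/qdisc/filter groups
# cannot drift apart. Set TC_DRY_RUN=1 to print the commands instead of
# running them (no root or real interfaces needed for that).

DEV_OUT=eth0   # external NIC, upload limit (from the article)
DEV_IN=eth1    # internal NIC, per-segment download limits (from the article)

# classid  destination segment  rate     weight   (values from the article)
SEGMENTS='
1:3 172.17.0.0/16 512kbit 5Mbit
1:4 172.18.0.0/16 128kbit 5Mbit
1:5 172.19.0.0/16 3Mbit   10Mbit
'

run() {
    if [ "${TC_DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

shape_all() {
    # Remove any existing root qdiscs first so re-running is idempotent;
    # deleting a qdisc that is not there is not an error worth stopping for.
    run tc qdisc del dev "$DEV_OUT" root 2>/dev/null || true
    run tc qdisc del dev "$DEV_IN" root 2>/dev/null || true
    # Upload: TBF on the external interface (512kbit, 50ms latency, 1540 burst).
    run tc qdisc add dev "$DEV_OUT" root tbf rate 512kbit latency 50ms burst 1540
    # Download: CBQ tree on the internal interface with a bounded 5Mbit root class.
    run tc qdisc add dev "$DEV_IN" root handle 1:0 cbq bandwidth 100Mbit avpkt 1000 cell 8
    run tc class add dev "$DEV_IN" parent 1:0 classid 1:1 cbq bandwidth 100Mbit \
        rate 5Mbit weight 6Mbit prio 8 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
    echo "$SEGMENTS" | while read -r cid seg rate weight; do
        [ -n "$cid" ] || continue
        run tc class add dev "$DEV_IN" parent 1:1 classid "$cid" cbq bandwidth 100Mbit \
            rate "$rate" weight "$weight" prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
        # Leaf SFQ handle derived from the class minor id (1:3 -> 30:), as in the article.
        run tc qdisc add dev "$DEV_IN" parent "$cid" handle "${cid#1:}0:" sfq
        run tc filter add dev "$DEV_IN" parent 1:0 protocol ip prio 1 u32 \
            match ip dst "$seg" flowid "$cid"
    done
}

# Check what is installed and how much each class has sent, dropped or overlimited.
show_shaping() {
    tc -s qdisc show dev "$DEV_OUT"
    tc -s class show dev "$DEV_IN"
}
```

Source the file and call shape_all as root to apply it, or call it with TC_DRY_RUN=1 set to review the exact command sequence first; show_shaping afterwards confirms the tree and its counters.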
