Using TC to control network traffic in Linux

Source: Internet
Author: User

 

As is well known, in the early days of the Internet, colleges and research institutions communicated with each other and no thought was given to designing network traffic control. The principle of the IP protocol is best-effort service for all data streams, with every stream treated equally. Many years of practice have shown, however, that this principle is not ideal, and some data streams deserve special treatment. For example, interactive streams such as remote login should have higher priority than bulk downloads.

This becomes possible when different policies are applied to different data streams. As research progressed, different management models were proposed, and the IETF released several standards, such as Integrated Services and Differentiated Services. The Linux kernel has long implemented traffic control. This document introduces the concept of traffic control in Linux, describes how to use the tc tool to control traffic, and gives several representative examples.

1. Related Concepts

As can be seen from Figure 1, a packet is received from the input NIC (ingress) and a route lookup determines whether the packet is destined for the local machine or needs to be forwarded. If it is for the local machine, it is handed directly to the upper-layer protocol, such as TCP. If it is to be forwarded, it leaves through the output NIC (egress). Network traffic is usually controlled at the output NIC. Traffic control can also be performed at the ingress of a router, and Linux has related functions, but because we cannot control the devices outside our own network, controlling traffic at the ingress is relatively difficult. This article therefore focuses on traffic control at the egress. A basic concept of traffic control is the queueing discipline (qdisc). Each NIC is associated with a qdisc; whenever the kernel needs to send a packet from the NIC, it first adds the packet to the qdisc configured for that NIC. The qdisc determines the order in which packets are sent, so all traffic control happens in the qdisc. The detailed flow is shown in Figure 1.

Figure 1 flowchart of packets in Linux

Some qdiscs are very simple and implement a first-come-first-served policy for packets. Others are more complex: incoming packets are classified into different queues, and packets in those queues are sent in different orders according to different rules. To achieve this, these complex qdiscs use filters to divide packets into different classes. Such qdiscs are called classful qdiscs. Generally, powerful traffic control requires a classful qdisc, so class and filter are two important basic concepts of traffic control. Figure 2 shows an example of a classful qdisc.

Figure 2 classful qdisc with multiple classes

As shown in Figure 2, class and filter are both internal structures of the qdisc, and a classful qdisc can contain multiple classes. A class can in turn contain sub-qdiscs or sub-classes. Incoming packets can be placed into different sub-qdiscs or sub-classes according to different rules, and so on recursively. A filter is the tool a qdisc uses to classify packets: it determines which class a packet is assigned to.


2. Using TC

In Linux, traffic control is configured with the tc tool. Generally, configuring traffic control for a NIC involves the following steps:

◆ Configure a qdisc for the NIC;

◆ Create classes on the qdisc;

◆ Create sub-qdiscs and sub-classes as needed;

◆ Create filters for each class.

In Linux, many types of qdisc can be configured, such as CBQ and HTB. CBQ is complex and hard to understand. HTB (Hierarchical Token Bucket) is a classful qdisc; compared with other complex qdisc types, HTB provides powerful functions, simple configuration and ease of use. In tc, a handle of the form "major:minor" identifies qdiscs and classes; both major and minor are numbers.

For a qdisc, minor is always 0, that is, the handle has the form "major:0", which can be abbreviated as "major:"; for example, qdisc 1:0 can be abbreviated as 1:. Note that major must be unique among all qdiscs of a NIC. For a class, its major must be the same as that of its parent class or parent qdisc, and its minor must be unique within the qdisc (because the class is contained in the qdisc). For example, if qdisc 2: contains two classes, their handles must be of the form 2:X and their X values must differ.

Next, we describe the use of tc based on an HTB requirement. Assume the eth0 egress has 100 Mbit/s of bandwidth, allocated among WWW, e-mail and telnet: 40 Mbit/s to WWW, 40 Mbit/s to e-mail, and 20 Mbit/s to telnet, as shown in Figure 3.

Note that tc uses the following abbreviations for bandwidth:

◆ kbps: kilobytes per second;

◆ mbps: megabytes per second;

◆ kbit: kilobits per second;

◆ mbit: megabits per second.


3. Create an HTB qdisc

The tc commands for qdiscs generally have the form:

# tc qdisc [add | change | replace | link] dev DEV [parent qdisc-id | root] [handle qdisc-id] qdisc [qdisc-specific parameters]

First, configure an HTB qdisc for eth0 with the following command:

# tc qdisc add dev eth0 root handle 1: htb default 11

Here, "add" indicates that a qdisc is being added, "dev eth0" that the NIC to operate on is eth0, "root" that the qdisc is added as the root qdisc of the NIC, "handle 1:" that the qdisc handle is 1:, and "htb" that the qdisc to add is an HTB qdisc. At the end of the command, "default 11" is an HTB-specific parameter meaning that all unclassified traffic is assigned to class 1:11.

4. Create classes on the root qdisc

The tc command for classes generally has the form:

# tc class [add | change | replace] dev DEV parent qdisc-id [classid class-id] qdisc [qdisc-specific parameters]

The following three commands create three classes on root qdisc 1:, namely 1:11, 1:12 and 1:13, which are given 40, 40 and 20 Mbit of bandwidth respectively:

# tc class add dev eth0 parent 1: classid 1:11 htb rate 40mbit ceil 40mbit

# tc class add dev eth0 parent 1: classid 1:12 htb rate 40mbit ceil 40mbit

# tc class add dev eth0 parent 1: classid 1:13 htb rate 20mbit ceil 20mbit

In the command, "parent 1:" indicates that the parent of the class is root qdisc 1:, "classid 1:11" that a class with handle 1:11 is being created, "rate 40mbit" that the system guarantees this class 40 Mbit of bandwidth, and "ceil 40mbit" that the maximum bandwidth available to this class is 40 Mbit.


5. Set filters for the classes

The tc command for filters generally has the form:

# tc filter [add | change | replace] dev DEV [parent qdisc-id | root] protocol PROTOCOL prio PRIORITY FILTERTYPE [filtertype-specific parameters] flowid FLOW-ID

To distribute the WWW, e-mail and telnet traffic to the three classes 1:11, 1:12 and 1:13, three filters are needed:

# tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip dport 80 0xffff flowid 1:11

# tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip dport 25 0xffff flowid 1:12

# tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip dport 23 0xffff flowid 1:13

Here, "protocol ip" indicates that the filter examines the protocol field of the packet, and "prio 1" indicates that the three filters have the same priority for packet processing. Filters with different priorities are tried in order of priority from smallest to largest; filters with the same priority are tried in the order in which they were added. These filters use the u32 classifier (the part after u32 in the command) to match different data streams. Taking the first command as an example, it examines the dport (destination port) field: if the result of ANDing this field with 0xffff is 80, the packet is assigned to class 1:11, as indicated by "flowid 1:11". For more details about tc usage, refer to the tc manual page.


6. A more complex example

In the preceding example, the three data streams (WWW, e-mail and telnet) are mutually exclusive: when a stream does not use up its quota, the remaining bandwidth cannot be borrowed by the other two. Here we discuss how different data streams can share a certain amount of bandwidth.

First, we use a feature of HTB: all sub-classes of a class share the bandwidth of the parent class, while at the same time the bandwidth requested by each sub-class is guaranteed. That is, when the bandwidth actually used by a stream does not reach its quota, the remaining bandwidth can be lent to other streams; if the lending stream's traffic later increases, the lent bandwidth is reclaimed to guarantee that stream's own quota.

Consider the following requirement: three data streams, WWW, e-mail and telnet. Telnet is allocated 20 Mbit/s exclusively. WWW and e-mail are allocated 40 Mbit/s each, but they also share, that is, they can borrow bandwidth from each other, as shown in Figure 3.

The required tc commands are as follows:

# tc qdisc add dev eth0 root handle 1: htb default 21

# tc class add dev eth0 parent 1: classid 1:1 htb rate 20mbit ceil 20mbit

# tc class add dev eth0 parent 1: classid 1:2 htb rate 80mbit ceil 80mbit

# tc class add dev eth0 parent 1:2 classid 1:21 htb rate 40mbit ceil 80mbit

# tc class add dev eth0 parent 1:2 classid 1:22 htb rate 40mbit ceil 80mbit

# tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip dport 80 0xffff flowid 1:21

# tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip dport 25 0xffff flowid 1:22

# tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip dport 23 0xffff flowid 1:1

Here, two top-level classes are created on root qdisc 1:, namely 1:1 and 1:2. Class 1:1 corresponds to the telnet stream and class 1:2 to the 80 Mbit shared stream. Then, within 1:2, two sub-classes 1:21 and 1:22 are created, corresponding to the WWW and e-mail streams respectively. Because 1:21 and 1:22 are sub-classes of 1:2, they can share the 80 Mbit allocated to 1:2 (their ceil is 80 Mbit), while each is still guaranteed at least 40 Mbit (its rate) when it needs it.

This example shows that by using the class-to-sub-class containment of HTB, a more complex multi-level class tree can be built to achieve more flexible combinations of shared and exclusive bandwidth, and thus enterprise-level bandwidth management.
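As an added example (not code from the original article), the following POSIX shell script builds the class tree of section 6 with the same helpers one would use for the flat tree of sections 3 to 5, and checks each class before emitting it for the two constraints an HTB tree needs to be meaningful: rate must not exceed ceil, and a child's ceil must not exceed its parent's ceil. The function names (run, htb_check, add_class, add_filter, build_tree) and the DRY_RUN convention are my own assumptions; by default the script only prints the tc commands, so it runs without root and without touching any interface.

```shell
#!/bin/sh
# Hypothetical helper (not from the article): emit or run the tc commands
# for the HTB tree of section 6, validating every class first.
DRY_RUN=${DRY_RUN:-1}   # 1 = print commands only (default); 0 = really run tc
DEV=${DEV:-eth0}

# run ARGS...: print "tc ARGS" in dry-run mode, otherwise execute tc.
run() { if [ "$DRY_RUN" = 1 ]; then echo "tc $*"; else tc "$@"; fi; }

# mbit 40mbit -> 40 (strip the unit so the numbers can be compared)
mbit() { echo "${1%mbit}"; }

# htb_check RATE CEIL PARENT_CEIL: returns 0 only if rate <= ceil and
# ceil <= the parent's ceil; a class violating either is misconfigured
# (the guarantee or the borrowing limit could never be honoured).
htb_check() {
  r=$(mbit "$1"); c=$(mbit "$2"); p=$(mbit "$3")
  [ "$r" -le "$c" ] && [ "$c" -le "$p" ]
}

# add_class PARENT CLASSID RATE CEIL PARENT_CEIL
add_class() {
  htb_check "$3" "$4" "$5" || {
    echo "invalid class $2: rate $3 ceil $4 parent ceil $5" >&2; return 1; }
  run class add dev "$DEV" parent "$1" classid "$2" htb rate "$3" ceil "$4"
}

# add_filter DPORT CLASSID: u32 match on the destination port, as in section 5
add_filter() {
  run filter add dev "$DEV" protocol ip parent 1:0 prio 1 u32 \
      match ip dport "$1" 0xffff flowid "$2"
}

# build_tree: the section 6 tree on a 100 Mbit link.
build_tree() {
  run qdisc add dev "$DEV" root handle 1: htb default 21
  add_class 1:  1:1  20mbit 20mbit 100mbit || return 1  # telnet, exclusive
  add_class 1:  1:2  80mbit 80mbit 100mbit || return 1  # shared www + e-mail
  add_class 1:2 1:21 40mbit 80mbit 80mbit  || return 1  # www, may borrow to 80
  add_class 1:2 1:22 40mbit 80mbit 80mbit  || return 1  # e-mail, may borrow to 80
  add_filter 80 1:21
  add_filter 25 1:22
  add_filter 23 1:1
}
```

Run with DRY_RUN=0 as root to apply the tree; `tc -s class show dev eth0` then shows per-class byte counters, which is the quickest way to confirm the filters actually steer each service into the intended class.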
