@@ -6,8 +6,8 @@ What is it?
66-----------
77
88An extension to the filtering/classification architecture of Linux Traffic
9- Control.
10- Up to 2.6.8 the only action that could be "attached" to a filter was policing.
9+ Control.
10+ Up to 2.6.8 the only action that could be "attached" to a filter was policing.
1111i.e you could say something like:
1212
1313-----
@@ -17,7 +17,7 @@ tc filter add dev lo parent ffff: protocol ip prio 10 u32 match ip src \
1717
1818which implies "if a packet is seen on the ingress of the lo device with
1919a source IP address of 127.0.0.1/32 we give it a classification id of 1:1 and
20- we execute a policing action which rate limits its bandwidth utilization
20+ we execute a policing action which rate limits its bandwidth utilization
2121to 1.5Mbps".
2222
2323The new extensions allow for more than just policing actions to be added.
@@ -29,9 +29,9 @@ syntax which will work fine. Of course to get the required effect you need
2929both newer tc and kernel. If you are reading this you have the
3030right tc ;->
3131
32- A side effect is that we can now get stateless firewalling to work with tc.
32+ A side effect is that we can now get stateless firewalling to work with tc.
3333Essentially this is now an alternative to iptables.
34- I won't go into details of my dislike for iptables at times, but
34+ I won't go into details of my dislike for iptables at times, but
3535scalability is one of the main issues; however, if you need stateful
3636classification - use netfilter (for now).
3737
@@ -61,7 +61,7 @@ tc filter add dev lo parent 1:0 protocol ip prio 10 u32 \
6161match ip src 127.0.0.1/32 flowid 1:1 \
6262action police mtu 4000 rate 1500kbit burst 90k
6363
64- " generic Actions" (gact) at the moment are:
64+ " generic Actions" (gact) at the moment are:
6565{ drop, pass, reclassify, continue}
6666(If you have others, no listed here give me a reason and we will add them)
6767+drop says to drop the packet
@@ -93,43 +93,43 @@ decimal 12, then use flowid 1:c.
9393
94943) A feature i call pipe
9595The motivation is derived from Unix pipe mechanism but applied to packets.
96- Essentially take a matching packet and pass it through
96+ Essentially take a matching packet and pass it through
9797action1 | action2 | action3 etc.
9898You could do something similar to this with the tc policer and the "continue"
99- operator but this rather restricts it to just the policer and requires
100- multiple rules (and lookups, hence quiet inefficient);
99+ operator but this rather restricts it to just the policer and requires
100+ multiple rules (and lookups, hence quiet inefficient);
101101
102- as an example -- and please note that this is just an example _not_ The
102+ as an example -- and please note that this is just an example _not_ The
103103Word Youve Been Waiting For (yes i have had problems giving examples
104104which ended becoming dogma in documents and people modifying them a little
105- to look clever);
105+ to look clever);
106106
107- i selected the metering rates to be small so that i can show better how
107+ i selected the metering rates to be small so that i can show better how
108108things work.
109-
110- The script below does the following:
111- - an incoming packet from 10.0.0.21 is first given a firewall mark of 1.
112109
113- - It is then metered to make sure it does not exceed its allocated rate of
110+ The script below does the following:
111+ - an incoming packet from 10.0.0.21 is first given a firewall mark of 1.
112+
113+ - It is then metered to make sure it does not exceed its allocated rate of
1141141Kbps. If it doesn't exceed rate, this is where we terminate action execution.
115115
116- - If it does exceed its rate, its "color" changes to a mark of 2 and it is
116+ - If it does exceed its rate, its "color" changes to a mark of 2 and it is
117117then passed through a second meter.
118118
119- -The second meter is shared across all flows on that device [i am surpised
120- that this seems to be not a well know feature of the policer; Bert was telling
119+ -The second meter is shared across all flows on that device [i am surpised
120+ that this seems to be not a well know feature of the policer; Bert was telling
121121me that someone was writing a qdisc just to do sharing across multiple devices;
122122it must be the summer heat again; weve had someone doing that every year around
123- summer -- the key to sharing is to use a operator "index" in your policer
124- rules (example "index 20"). All your rules have to use the same index to
123+ summer -- the key to sharing is to use a operator "index" in your policer
124+ rules (example "index 20"). All your rules have to use the same index to
125125share.]
126-
126+
127127-If the second meter is exceeded the color of the flow changes further to 3.
128128
129129-We then pass the packet to another meter which is shared across all devices
130130in the system. If this meter is exceeded we drop the packet.
131131
132- Note the mark can be used further up the system to do things like policy
132+ Note the mark can be used further up the system to do things like policy
133133or more interesting things on the egress.
134134
135135------------------ cut here -------------------------------
@@ -161,31 +161,31 @@ action ipt -j mark --set-mark 3 \
161161# and then attempt to borrow from a meter used by all devices in the
162162# system. Should this be exceeded, drop the packet on the floor.
163163action police index 20 mtu 5000 rate 1kbit burst 90k drop
164- ---------------------------------
164+ ---------------------------------
165165
166- Now lets see the actions installed with
166+ Now lets see the actions installed with
167167"tc filter show parent ffff: dev eth0"
168168
169169-------- output -----------
170170jroot# tc filter show parent ffff: dev eth0
171- filter protocol ip pref 1 u32
172- filter protocol ip pref 1 u32 fh 800: ht divisor 1
173- filter protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:15
171+ filter protocol ip pref 1 u32
172+ filter protocol ip pref 1 u32 fh 800: ht divisor 1
173+ filter protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:15
174174
175- action order 1: tablename: mangle hook: NF_IP_PRE_ROUTING
175+ action order 1: tablename: mangle hook: NF_IP_PRE_ROUTING
176176 target MARK set 0x1 index 2
177177
178- action order 2: police 1 action pipe rate 1Kbit burst 9Kb mtu 2Kb
178+ action order 2: police 1 action pipe rate 1Kbit burst 9Kb mtu 2Kb
179179
180- action order 3: tablename: mangle hook: NF_IP_PRE_ROUTING
180+ action order 3: tablename: mangle hook: NF_IP_PRE_ROUTING
181181 target MARK set 0x2 index 1
182182
183- action order 4: police 30 action pipe rate 1Kbit burst 10Kb mtu 5000b
183+ action order 4: police 30 action pipe rate 1Kbit burst 10Kb mtu 5000b
184184
185- action order 5: tablename: mangle hook: NF_IP_PRE_ROUTING
185+ action order 5: tablename: mangle hook: NF_IP_PRE_ROUTING
186186 target MARK set 0x3 index 3
187187
188- action order 6: police 20 action drop rate 1Kbit burst 90Kb mtu 5000b
188+ action order 6: police 20 action drop rate 1Kbit burst 90Kb mtu 5000b
189189
190190 match 0a000015/ffffffff at 12
191191-------------------------------
@@ -209,31 +209,31 @@ Now lets take a look at the stats with "tc -s filter show parent ffff: dev eth0"
209209
210210--------------
211211jroot# tc -s filter show parent ffff: dev eth0
212- filter protocol ip pref 1 u32
213- filter protocol ip pref 1 u32 fh 800: ht divisor 1
212+ filter protocol ip pref 1 u32
213+ filter protocol ip pref 1 u32 fh 800: ht divisor 1
214214filter protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1
215- 5
215+ 5
216216
217- action order 1: tablename: mangle hook: NF_IP_PRE_ROUTING
217+ action order 1: tablename: mangle hook: NF_IP_PRE_ROUTING
218218 target MARK set 0x1 index 2
219- Sent 188832 bytes 2248 pkts (dropped 0, overlimits 0)
219+ Sent 188832 bytes 2248 pkts (dropped 0, overlimits 0)
220220
221- action order 2: police 1 action pipe rate 1Kbit burst 9Kb mtu 2Kb
222- Sent 188832 bytes 2248 pkts (dropped 0, overlimits 2122)
221+ action order 2: police 1 action pipe rate 1Kbit burst 9Kb mtu 2Kb
222+ Sent 188832 bytes 2248 pkts (dropped 0, overlimits 2122)
223223
224- action order 3: tablename: mangle hook: NF_IP_PRE_ROUTING
224+ action order 3: tablename: mangle hook: NF_IP_PRE_ROUTING
225225 target MARK set 0x2 index 1
226- Sent 178248 bytes 2122 pkts (dropped 0, overlimits 0)
226+ Sent 178248 bytes 2122 pkts (dropped 0, overlimits 0)
227227
228- action order 4: police 30 action pipe rate 1Kbit burst 10Kb mtu 5000b
229- Sent 178248 bytes 2122 pkts (dropped 0, overlimits 1945)
228+ action order 4: police 30 action pipe rate 1Kbit burst 10Kb mtu 5000b
229+ Sent 178248 bytes 2122 pkts (dropped 0, overlimits 1945)
230230
231- action order 5: tablename: mangle hook: NF_IP_PRE_ROUTING
231+ action order 5: tablename: mangle hook: NF_IP_PRE_ROUTING
232232 target MARK set 0x3 index 3
233- Sent 163380 bytes 1945 pkts (dropped 0, overlimits 0)
233+ Sent 163380 bytes 1945 pkts (dropped 0, overlimits 0)
234234
235- action order 6: police 20 action drop rate 1Kbit burst 90Kb mtu 5000b
236- Sent 163380 bytes 1945 pkts (dropped 0, overlimits 437)
235+ action order 6: police 20 action drop rate 1Kbit burst 90Kb mtu 5000b
236+ Sent 163380 bytes 1945 pkts (dropped 0, overlimits 437)
237237
238238 match 0a000015/ffffffff at 12
239239-------------------------------
@@ -254,4 +254,3 @@ At the moment the focus has been on getting the architecture in place.
254254Expect new things in the spurious time i have to work on this
255255(particularly around end of year when i have typically get time off
256256from work).
257-
0 commit comments