14.4. Ingress qdisc

All qdiscs discussed so far are egress qdiscs. Each interface however can also have an ingress qdisc which is not used to send packets out to the network adaptor. Instead, it allows you to apply tc filters to packets coming in over the interface, regardless of whether they have a local destination or are to be forwarded.

As the tc filters contain a full Token Bucket Filter implementation, and are also able to match on the kernel flow estimator, there is a lot of functionality available. This effectively allows you to police incoming traffic, before it even enters the IP stack.
14.4.1. Parameters & usage

The ingress qdisc itself does not require any parameters. It differs from other qdiscs in that it does not occupy the root of a device. Attach it like this:
# delete original
tc qdisc del dev eth0 ingress
tc qdisc del dev eth0 root

# add new qdisc and filter
tc qdisc add dev eth0 ingress
tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 2048kbps burst 1m drop flowid :1
tc qdisc add dev eth0 root tbf rate 2048kbps latency 50ms burst 1m
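The same attach-and-police sequence wrapped in a function, added here as an example and not part of the HOWTO. It lets the exact tc commands be reviewed with TC=echo before they are run as root against a real interface, and it tolerates a missing qdisc on delete so it can be re-run. The TC variable, the function names and the count helper are this example's own assumptions; the tc arguments are those of the section above.

```sh
#!/bin/sh
# Added example (not from the LARTC HOWTO): build the ingress-policing command
# sequence from section 14.4.1 as a function, so it can be printed with TC=echo
# and reviewed before it is executed with the real tc binary (which needs root).
# Assumed names: TC, ingress_police, count_cmds and show_ingress are this
# example's own, not part of tc or of the HOWTO.
set -eu

# TC defaults to the real binary; set TC=echo to print the commands instead.
TC="${TC:-tc}"

# ingress_police DEV RATE BURST
# Replaces any existing ingress and root qdisc on DEV, then installs an
# ingress policer for all IPv4 traffic and a root tbf at the same rate.
ingress_police() {
    dev="$1"; rate="$2"; burst="$3"
    # 'del' fails when nothing is attached yet; ignore that so the script is
    # safe to re-run. Under TC=echo these lines simply print.
    $TC qdisc del dev "$dev" ingress 2>/dev/null || true
    $TC qdisc del dev "$dev" root 2>/dev/null || true
    $TC qdisc add dev "$dev" ingress
    # Single u32 rule matching every IPv4 source; the policer drops whatever
    # exceeds RATE once the BURST bucket is empty.
    $TC filter add dev "$dev" parent ffff: protocol ip prio 50 \
        u32 match ip src 0.0.0.0/0 \
        police rate "$rate" burst "$burst" drop flowid :1
    $TC qdisc add dev "$dev" root tbf rate "$rate" latency 50ms burst "$burst"
}

# show_ingress DEV: print the installed ingress filters with their counters.
show_ingress() {
    $TC -s filter show dev "$1" ingress
}

# count_cmds DEV RATE BURST: number of tc invocations ingress_police would
# make, computed from a TC=echo dry run (a sanity check on the sequence).
count_cmds() {
    (TC=echo; ingress_police "$@") | grep -c -e '^qdisc' -e '^filter'
}
```

Run with TC=echo ingress_police eth0 2048kbps 1m to see the five commands, then without TC to apply them. Note that tc's rate units are easy to misread: the kbps suffix means kilobytes per second, while kbit means kilobits per second, so the 2048kbps above is not 2 Mbit/s.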

I played a bit with the ingress qdisc after seeing Patrick and Stef
talking about it and came up with a few notes and a few questions.

: The ingress qdisc itself has no parameters. The only thing you can do
: is to use the policers. I have a link with a patch to extend this:
: http://www.cyberus.ca/~hadi/patches/action/ Maybe this can help.
:
: I have some more info about ingress in my mail files, but I have to
: sort it out and put it somewhere on docum.org. But I still didn't
: find the time to do so.

Regarding policers and the ingress qdisc. I have never used them before
today, but have the following understanding.

About the ingress qdisc:

- ingress qdisc (known as "ffff:") can't have any child classes (hence the existence of IMQ)
- the only thing you can do with the ingress qdisc is attach filters

About filtering on the ingress qdisc:

- since there are no classes to which to direct the packets, the only reasonable option (reasonable, indeed!) is to drop the packets
- with clever use of filtering, you can limit particular traffic signatures to particular uses of your bandwidth

Here's an example of using an ingress policer to limit inbound traffic
from a particular set of IPs on a per IP basis. In this case, traffic
from each of these source IPs is limited to a T1's worth of bandwidth.
Note that this means that this host can receive up to 1536kbit (768kbit +
768kbit) worth of bandwidth from these two source IPs alone.

# -- start of script
#! /bin/ash
#
# -- simulate a much smaller amount of bandwidth than the 100MBit interface
#
RATE=1536kbit
DEV=eth0
SOURCES="10.168.53.2/32 10.168.73.10/32 10.168.28.20/32"

# -- attach our ingress qdisc
#
tc qdisc add dev $DEV ingress

# -- cap bandwidth from particular source IPs
#
for SOURCE in $SOURCES ; do

    tc filter add dev $DEV parent ffff: protocol ip \
        u32 match ip src $SOURCE flowid :1 \
        police rate $RATE mtu 12k burst 10k drop

done
# -- end of script
" @& b- i- W: H) V g+ p, I& i: T$ hNow, if you are using multiple public IPs on your masquerading/SNAT host,
0 A; U3 z# |# R2 Q0 L: Syou can use "u32 match ip dst $PER_IP" with a drop action to force a0 J+ x9 q9 A1 Z7 f7 ^4 x$ f
particular rate on inbound traffic to that IP.) s( u3 m( W* F3 X0 ^5 s3 }" @
& K* K# V. w6 r! a
My entirely unquantified impression is that latency suffers as a result,7 Y5 N! u* C) C" O
but traffic is indeed bandwidth limited.: h( [4 e" i2 L; j0 l. J

Just a few notes of dissection:

tc filter add dev $DEV      # -- the usual beginnings
    parent ffff:            # -- the ingress qdisc itself
    protocol ip             # -- more preamble        | make sure to visit
    u32 match ip            # -- u32 classifier       | http://lartc.org/howto/
    src $SOURCE             # -- could also be "dst $SOME_LOCAL_IP"
    flowid :1               # -- ??? (but it doesn't work without this)
    police rate $RATE       # -- put a policer here
    mtu 12k burst 10k       # -- ???
    drop                    # -- drop packets exceeding our police params

Maybe a guru or two out there (Stef?, Bert?, Jamal?, Werner?) can explain
why mtu needs to be larger than 1k (didn't work for me anyway) and also
how these other parameters should be used.
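Once per-address policers like the ones in the script above are installed, the check a practitioner wants is whether they are actually dropping anything. The following is an added example, not code from the post or from Stef's reply: it reads the statistics that tc -s filter show dev $DEV ingress prints for each u32 rule and reports, per matched source or destination address, how many packets the policer dropped. It goes slightly beyond the script by also decoding "match ip dst" rules (the SNAT-host variant mentioned above). The sample output is constructed, modelled on the iproute2 layout, so the parser runs offline without root or a real interface; the function names and the reliance on u32's "match <hex>/<mask> at <offset>" line are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the post or from Stef's reply): report, per matched
# IPv4 address, how many packets each ingress policer dropped, by parsing the
# output of `tc -s filter show dev DEV ingress`.
# Assumed names: parse_police_stats, total_dropped, sample_tc_output and
# ingress_drop_report are this example's own. The sample below is constructed.
set -eu

# parse_police_stats: stdin = output of `tc -s filter show dev DEV ingress`.
# Emits one line per u32 rule that carries a policer:
#   <src|dst> <dotted-quad> sent=<packets> dropped=<packets>
parse_police_stats() {
    awk '
    # POSIX awk has no strtonum, so convert the hex address by hand.
    function hex2dec(h,   i, v) {
        v = 0; h = tolower(h)
        for (i = 1; i <= length(h); i++)
            v = v * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
        return v
    }
    function dotted(h) {
        return hex2dec(substr(h, 1, 2)) "." hex2dec(substr(h, 3, 2)) "." hex2dec(substr(h, 5, 2)) "." hex2dec(substr(h, 7, 2))
    }
    # u32 prints an IPv4 match as "match 0aa83502/ffffffff at 12":
    # offset 12 is the source address, offset 16 the destination.
    $1 == "match" && $3 == "at" {
        split($2, kv, "/")
        if ($4 == 12) side = "src"; else if ($4 == 16) side = "dst"; else side = "off" $4
        cur = side " " dotted(kv[1])
    }
    # "Sent 471204 bytes 532 pkt (dropped 17, overlimits 17 requeues 0)"
    $1 == "Sent" && cur != "" {
        dropped = $7; sub(/,/, "", dropped)
        printf "%s sent=%s dropped=%s\n", cur, $4, dropped
        cur = ""
    }'
}

# total_dropped: stdin as above; prints the sum of dropped packets.
total_dropped() {
    parse_police_stats | awk -F'dropped=' '{ s += $2 } END { print s + 0 }'
}

# ingress_drop_report DEV: the same report from a live interface (needs root).
ingress_drop_report() {
    tc -s filter show dev "$1" ingress | parse_police_stats
}

# Constructed sample, modelled on the iproute2 layout: two "src" policers from
# the script above plus one "dst" policer, so the parser can be run offline.
sample_tc_output() {
    cat <<'EOF'
filter parent ffff: protocol ip pref 49152 u32 chain 0
filter parent ffff: protocol ip pref 49152 u32 chain 0 fh 800: ht divisor 1
filter parent ffff: protocol ip pref 49152 u32 chain 0 fh 800::800 order 2048 key ht 800 bkt 0 flowid :1 not_in_hw  (rule hit 532 success 532)
  match 0aa83502/ffffffff at 12
    action order 1:  police 0x1 rate 1536Kbit burst 10Kb mtu 12Kb action drop overhead 0b
    ref 1 bind 1 installed 120 sec used 1 sec
    Action statistics:
    Sent 471204 bytes 532 pkt (dropped 17, overlimits 17 requeues 0)
    backlog 0b 0p requeues 0
filter parent ffff: protocol ip pref 49152 u32 chain 0 fh 800::801 order 2049 key ht 800 bkt 0 flowid :1 not_in_hw  (rule hit 88 success 88)
  match 0aa8490a/ffffffff at 12
    action order 1:  police 0x2 rate 1536Kbit burst 10Kb mtu 12Kb action drop overhead 0b
    ref 1 bind 1 installed 120 sec used 3 sec
    Action statistics:
    Sent 60012 bytes 88 pkt (dropped 0, overlimits 0 requeues 0)
    backlog 0b 0p requeues 0
filter parent ffff: protocol ip pref 49152 u32 chain 0 fh 800::802 order 2050 key ht 800 bkt 0 flowid :1 not_in_hw  (rule hit 1200 success 1200)
  match c0a80105/ffffffff at 16
    action order 1:  police 0x3 rate 1536Kbit burst 10Kb mtu 12Kb action drop overhead 0b
    ref 1 bind 1 installed 120 sec used 0 sec
    Action statistics:
    Sent 1380000 bytes 1200 pkt (dropped 40, overlimits 40 requeues 0)
    backlog 0b 0p requeues 0
EOF
}
```

Run sample_tc_output | parse_police_stats to see the three report lines, or ingress_drop_report eth0 on a live box. On the mtu question raised above: in tc-police, burst is the bucket size in bytes and mtu is the largest packet the policer will pass at all; a packet larger than mtu is treated as exceeding the rate regardless of the bucket, so with the drop action a full-size Ethernet frame is discarded when mtu is set below its length, and those discards show up in the dropped counter this report reads.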