cbq and IP aliases

Michal Novak m.novak at prodiliste.cz
Friday, January 13, 14:19:28 CET 2006


Petr Bartel wrote:
> Good day,
Likewise.
> First I'll outline the situation and then the problem. I have a router with three interfaces,
> one facing out, one into the DMZ and one into the local network; on the local one I have
> several IP addresses and I need to limit their data throughput. Which, for some
> mysterious reason, doesn't work for me.
> 
> public_ip and dmz_ip are substitutes for the real addresses
> 
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc cbq qlen 1000
>     link/ether 00:50:04:32:22:57 brd ff:ff:ff:ff:ff:ff
>     inet public_ip/30 brd public_ip_broadcast scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc cbq qlen 1000
>     link/ether 00:50:8b:51:54:67 brd ff:ff:ff:ff:ff:ff
>     inet dmz_ip/28 brd dmz_ip_broadcast scope global eth1
> 4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc cbq qlen 1000
>     link/ether 00:0e:2e:72:52:9a brd ff:ff:ff:ff:ff:ff
>     inet 10.0.0.254/24 brd 10.0.0.255 scope global eth2
>     inet 192.168.1.254/28 brd 192.168.1.255 scope global eth2
>     inet 192.168.2.254/28 brd 192.168.2.255 scope global eth2
>     inet 192.168.3.254/28 brd 192.168.3.255 scope global eth2
> 
> I need to limit the 192.168.[1-3].240/28 networks differently.
> 
> I'm using cbq.init v0.7.3 on Debian 3.1 Sarge
> 
> in /etc/cbq I have
> 
> cbq-1002.internet_eth0.all
> --------------------------
> DEVICE=eth0,100Mbit,10Mbit
> RATE=2Mbit
> WEIGHT=200kbit
> PRIO=8
> LEAF=none
> 
> cbq-1003.internet_eth2.all
> --------------------------
> DEVICE=eth2,100Mbit,10Mbit
> RATE=2Mbit
> WEIGHT=200Kbit
> PRIO=8
> LEAF=none
> 
> cbq-4025.internet_eth2.allcomputers
> --------------------------
> DEVICE=eth2,100Mbit,10Mbit
> RATE=128Kbit
> WEIGHT=12Kbit
> PRIO=6
> PARENT=1003
> LEAF=sfq
> QUANTUM=1514
> PERTURB=15
> BOUNDED=yes
> RULE=192.168.1.240/255.255.255.240
this looks OK - everything with a destination address in the given range lands here
> 
> cbq-5025.internet_eth0.allcomputers
> --------------------------
> DEVICE=eth0,100Mbit,10Mbit
> MARK=5024
> RATE=128Kbit
> WEIGHT=12Kbit
> PRIO=6
> PARENT=1002
> LEAF=sfq
> QUANTUM=1514
> PERTURB=15
> BOUNDED=yes
> RULE=192.168.1.240/255.255.255.240
this won't work, because nothing with a destination in this network is ever sent
out on eth0; moreover, at this point the sender's address is no longer known
either, because there is NAT = the sender is already public_ip. MARK has to go
here instead of RULE, or, if there were no NAT, something like
a.b.c.d/e, (the comma at the end = it is a source address)
> 
> in iptables
> iptables -t mangle -A PREROUTING -s 192.168.3.240/28 -j MARK --set-mark=5024
the mark can be put in FORWARD; it is then clearer what it is for
> 
> cbq.init stats looks like this
> ### eth0: queueing disciplines
> 
> qdisc cbq 1: rate 100000Kbit (bounded,isolated) prio no-transmit
>  Sent 13681057 bytes 86821 pkts (dropped 0, overlimits 0)
>   borrowed 0 overactions 0 avgidle 79 undertime 0
> qdisc sfq 5024: parent 1:5024 limit 128p quantum 1514b perturb 15sec
>  Sent 13537 bytes 225 pkts (dropped 0, overlimits 0)
> qdisc sfq 5025: parent 1:5025 limit 128p quantum 1514b perturb 15sec
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
> 
> ### eth0: traffic classes
> 
> class cbq 1: root rate 100000Kbit (bounded,isolated) prio no-transmit
>  Sent 13682045 bytes 86827 pkts (dropped 0, overlimits 0)
>   borrowed 0 overactions 0 avgidle 79 undertime 0
> class cbq 1:5025 parent 1:1002 leaf 5025: rate 128000bit (bounded) prio 6
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>   borrowed 0 overactions 0 avgidle 1.8142e+06 undertime 0
> class cbq 1:5024 parent 1:1002 leaf 5024: rate 128000bit (bounded) prio 6
>  Sent 13537 bytes 225 pkts (dropped 0, overlimits 0)
>   borrowed 0 overactions 0 avgidle 1.8142e+06 undertime 0
> class cbq 1:1002 parent 1: rate 2000Kbit (bounded) prio no-transmit
>  Sent 13537 bytes 225 pkts (dropped 0, overlimits 0)
>   borrowed 0 overactions 0 avgidle 113931 undertime 0
> 
> ### eth0: filtering rules
> 
> filter parent 1: protocol ip pref 200 fw
> filter parent 1: protocol ip pref 200 fw handle 0x13a0 classid 1:5024
> 
> ### eth2: queueing disciplines
> 
> qdisc cbq 1: rate 100000Kbit (bounded,isolated) prio no-transmit
>  Sent 61531689 bytes 92902 pkts (dropped 0, overlimits 0)
>   borrowed 0 overactions 0 avgidle 77 undertime 0
> qdisc sfq 4024: parent 1:4024 limit 128p quantum 1514b perturb 15sec
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
> qdisc sfq 4025: parent 1:4025 limit 128p quantum 1514b perturb 15sec
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
> 
> ### eth2: traffic classes
> 
> class cbq 1: root rate 100000Kbit (bounded,isolated) prio no-transmit
>  Sent 61531689 bytes 92902 pkts (dropped 0, overlimits 0)
>   borrowed 0 overactions 0 avgidle 77 undertime 0
> class cbq 1:4024 parent 1:1003 leaf 4024: rate 128000bit (bounded) prio 6
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>   borrowed 0 overactions 0 avgidle 1.8142e+06 undertime 0
> class cbq 1:1003 parent 1: rate 2000Kbit (bounded) prio no-transmit
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>   borrowed 0 overactions 0 avgidle 113931 undertime 0
> class cbq 1:4025 parent 1:1003 leaf 4025: rate 128000bit (bounded) prio 6
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>   borrowed 0 overactions 0 avgidle 1.8142e+06 undertime 0
> 
> I left out eth1 on purpose.
> 
> And on those stations it is possible to use the internet up to the full capacity
> of the line. And one more question: whether the transparent squid proxy, which
> also runs on that router and to which all traffic on port 80 is redirected, has
> any effect on this. The rest of the traffic goes out via NAT.
The proxy affects the traffic, of course, mainly in that the incoming traffic is
destined for the proxy itself, and if it runs on the same machine, limiting it with
CBQ will be possible only with great difficulty (perhaps via some virtual interface).
Outgoing traffic can be limited by limiting the router's own outgoing traffic.

If eth1 and eth2 need to be able to borrow bandwidth from each other, it will
probably be necessary to get IMQ working.
> 
> Thanks a lot for any advice or for spotting the errors
> 
>    Petr Bartel

MN
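The distinction the reply draws (a RULE on a private address can never match on the NATed interface, so the upload side needs a firewall mark set before SNAT, while the download side can keep classifying by destination) as an added example that is not part of the thread and not cbq.init's own code. It uses HTB rather than CBQ (CBQ has since been dropped from the kernel), keeps the thread's interface names, subnets, class numbers and mark 5024, and the rates are assumptions. With DRY_RUN=1 (the default) it only prints the iptables/tc commands; DRY_RUN=0 executes them and needs root.

```shell
#!/bin/sh
# Added example (not from the thread): per-subnet shaping split by direction.
#   - uploads leave on eth0 after SNAT, so the LAN subnet is only recoverable
#     from a firewall mark set in the mangle FORWARD chain;
#   - downloads leave on eth2 toward the private address, so a plain
#     destination-address (u32) filter is enough there.
# Interface names, subnets, class numbers and mark 5024 mirror the thread;
# the rates are assumptions. DRY_RUN=1 prints commands, DRY_RUN=0 runs them.

DRY_RUN="${DRY_RUN:-1}"
WAN=eth0          # public interface; SNAT happens here in POSTROUTING
LAN=eth2          # interface carrying the 192.168.x.240/28 aliases

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# tc prints fw handles in hex: mark 5024 appears as "handle 0x13a0".
to_hex() { printf '0x%x\n' "$1"; }

# Root qdisc plus one bounded parent class per interface (the 2Mbit
# "internet" classes 1:1002 on eth0 and 1:1003 on eth2 from the thread).
setup_root() {
    dev="$1"; parent="$2"; rate="$3"
    run tc qdisc add dev "$dev" root handle 1: htb
    run tc class add dev "$dev" parent 1: classid "1:$parent" htb rate "$rate" ceil "$rate"
}

# Mark forwarded packets by LAN source subnet *before* SNAT rewrites the
# source address; the mark stays on the skb up to the egress qdisc on eth0.
mark_subnet() {
    subnet="$1"; mark="$2"
    run iptables -t mangle -A FORWARD -i "$LAN" -o "$WAN" -s "$subnet" -j MARK --set-mark "$mark"
}

# Upload leaf on eth0 selected by the mark (fw classifier). A rule on the
# private source or destination address could never match here.
wan_class() {
    mark="$1"; rate="$2"
    run tc class add dev "$WAN" parent 1:1002 classid "1:$mark" htb rate "$rate" ceil "$rate" prio 6
    run tc qdisc add dev "$WAN" parent "1:$mark" handle "$mark:" sfq perturb 15
    run tc filter add dev "$WAN" parent 1: protocol ip prio 200 handle "$mark" fw classid "1:$mark"
}

# Download leaf on eth2 selected by destination address (u32); the reply
# packet has already been de-NATed, so the private address is visible again.
lan_class() {
    subnet="$1"; cls="$2"; rate="$3"
    run tc class add dev "$LAN" parent 1:1003 classid "1:$cls" htb rate "$rate" ceil "$rate" prio 6
    run tc qdisc add dev "$LAN" parent "1:$cls" handle "$cls:" sfq perturb 15
    run tc filter add dev "$LAN" parent 1: protocol ip prio 100 u32 match ip dst "$subnet" flowid "1:$cls"
}

# One upload and one download class for the first /28; repeat with other
# marks and class numbers for 192.168.2.240/28 and 192.168.3.240/28.
setup_all() {
    setup_root "$WAN" 1002 2mbit
    setup_root "$LAN" 1003 2mbit
    mark_subnet 192.168.1.240/28 5024
    wan_class 5024 128kbit
    lan_class 192.168.1.240/28 4025 128kbit
}

setup_all
```

Note that tc reads class minor numbers as hex, so `classid 1:5024` is 0x5024 and only has to be unique, whereas `--set-mark 5024` and the fw `handle 5024` are the same decimal value, which tc then displays as 0x13a0; that is exactly the `handle 0x13a0 classid 1:5024` line in the stats above.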

