tc, QoS, priority
Robert
emil.konev na atlas.cz
Pátek Červenec 7 10:24:51 CEST 2006
ja vychazel z techto dvou scriptu
1.
### Configuration START
# Link speed in kbit/s: qos_base passes it to tc as "${SPEED}kbit" and
# derives class ceilings from it as SPEED/2 and SPEED/4 (integer division).
SPEED="2048"
### Configuration STOP
presne tohle na vas ceka. SPEED je rychlost (v kbit/s), jakou muzou pres vas router
tect data. Zpravidla se uvadi rychlost vaseho pripojeni do site CZF.
Co ktery script dela:
qosclear - vycisti aktualni nastaveni QoS
qos-stat - vypise aktualni konfiguraci QoS
qos_base - nastavuje QoS. Takze tenhle skript spoustejte treba pri startu
pocitace
Nezapomente si skript pro nastaveni QoS pridat do runlevelu. Pozor: qos_base i qosclear mazou celou tabulku mangle (iptables -t mangle -F), takze je spoustejte pred firewallovym skriptem (ne po nem), jinak vam smazou i jeho pravidla v mangle (napr. clamp MSS nebo znacky pro policy routing).
A tady jsou otisky verze z 28.3.02 23:37:
qos-stat
-------------------------------------------------------------
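#!/bin/sh
# qos-stat: print the current tc (QoS) configuration of every shaped interface.
#
# Read-only -- it only runs "tc ... show", so it can be used at any time to
# inspect what qos_base installed. Interfaces are discovered the same way
# qos_base discovers them: the "N: name:" lines of "ip link", minus the
# loopback and tunnel/virtual devices that are never shaped.
#
# Absolute paths: this is run as root, often from an init script with a
# minimal $PATH; do not let a $PATH lookup choose the binaries.
TC="/sbin/tc"
IP="/sbin/ip"
### Configuration START
### Configuration STOP
# Interface names: keep only the name field of the "N: name: <flags> ..."
# lines (dropping any "@peer" suffix of veth/vlan devices), then filter by
# name PREFIX. The previous version filtered whole "ip link" lines (and was
# broken by e-mail line wrapping), so unrelated words in the flags/qdisc
# fields of a real interface could also exclude it.
FACES="$($IP link show \
    | sed -n 's/^[0-9][0-9]*: \([^:@]*\).*/\1/p' \
    | grep -vE '^(sit|gre|ipip|tun|dummy|lo|teql)')"
echo "Existing configuration:"
# ${FACES} is word-split on purpose: one interface name per word.
for FACE in ${FACES} ; do
    echo "Configuration for:"
    echo "${FACE}"
    $TC -s -d qdisc show dev "${FACE}"
    $TC -s -d class show dev "${FACE}"
done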
------------------------------------------------------------
qosclear
-----------------------------------------------------------
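#!/bin/sh
# qosclear: tear down the QoS setup installed by qos_base.
#
# For every shaped interface the root qdisc is deleted, which removes the
# whole HTB tree (classes, sfq children and filters) in one go. Then the
# mangle table is flushed so that no packet is marked any more.
#
# CAUTION: "iptables -t mangle -F" is not limited to the MARK rules that
# qos_base added -- every other mangle rule on this router (MSS clamping,
# TOS/DSCP rewriting, marks used by a firewall script or by policy routing)
# is flushed with it. Order this script accordingly (run the firewall script
# after it), or replace the flush with deletion of the specific qos_base rules.
#
# Absolute paths: this runs as root, usually from an init script with a
# minimal $PATH; do not let a $PATH lookup choose the binaries (the old
# version used a bare "iptables").
IPTABLES="/sbin/iptables"
TC="/sbin/tc"
IP="/sbin/ip"
### Configuration START
### Configuration STOP
# Same interface discovery as qos_base: name field of the "N: name:" lines
# of "ip link" (without any "@peer" suffix), minus loopback/tunnel/virtual
# devices, matched by name prefix rather than anywhere on the line.
FACES="$($IP link show \
    | sed -n 's/^[0-9][0-9]*: \([^:@]*\).*/\1/p' \
    | grep -vE '^(sit|gre|ipip|tun|dummy|lo|teql)')"
echo "Removing QOS rules"
echo "Remove Qdisc root classes"
# ${FACES} is word-split on purpose: one interface name per word.
for FACE in ${FACES} ; do
    # "no such qdisc" is expected when nothing is installed, hence the
    # redirect. Written the POSIX way: "&>/dev/null" is a bash extension and
    # under a plain /bin/sh (dash) it parses as "tc ... &", i.e. it
    # backgrounds the delete and suppresses nothing.
    $TC qdisc del dev "${FACE}" root >/dev/null 2>&1
done
echo "Remove IPTables packed mangling, set defaults"
for CHAIN in INPUT OUTPUT PREROUTING POSTROUTING FORWARD ; do
    $IPTABLES -t mangle -F "${CHAIN}"
    $IPTABLES -t mangle -P "${CHAIN}" ACCEPT
done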
--------------------------------------------------------------------------------
qos_base
---------------------------------------------------------------------------------
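#!/bin/sh
# qos_base: install HTB/sfq traffic shaping on a CZFree router.
#
# What it does, per physical interface:
#   1. removes any previous root qdisc and flushes the mangle table
#      (see CAUTION below);
#   2. marks packets in the mangle table (OUTPUT = generated by this router,
#      FORWARD = routed through it) according to the service port;
#   3. builds an HTB tree under root 1: with one leaf class per mark, an sfq
#      qdisc under every leaf for fairness between flows, and "fw" filters
#      that steer each mark into its class. Unmarked traffic lands in the
#      default class 1:30.
#
# Run it once at boot (add it to the runlevel), after the interfaces are up.
#
# CAUTION: "iptables -t mangle -F" wipes every mangle rule on the box, not
# only ours (MSS clamping, TOS rewriting, marks used by a firewall script or
# by policy routing). Run it before the firewall script, or replace the flush
# with deletion of the rules this script adds.
#
# SECURITY NOTE: classification is by port number only -- there is no
# connection tracking and no check of who is really talking. Anybody behind
# the router can put arbitrary traffic into the high-priority SSH class by
# using port 22 (and, conversely, bulk scp/sftp is squeezed into that same
# 256 kbit class). Treat the classes as a fairness tool, not as a guarantee
# for trusted traffic.
#
# Absolute paths: this runs as root from an init script with a minimal
# $PATH; do not let a $PATH lookup choose the binaries.
echo "Applying QOS rules"
echo "-Set global variables"
IPTABLES="/sbin/iptables"
TC="/sbin/tc"
IP="/sbin/ip"
### Configuration START
# Link speed in kbit/s (usually the speed of your CZF uplink). It is also used
# as SPEED/2 and SPEED/4 with integer division, so choose a multiple of 4.
# The guaranteed "rate" values of the leaf classes below add up to 384 kbit;
# with a smaller SPEED those guarantees cannot all be honoured.
SPEED="2048"
### Configuration STOP
# Interface discovery: name field of the "N: name:" lines of "ip link"
# (without any "@peer" suffix), minus loopback/tunnel/virtual devices, matched
# by name prefix rather than anywhere on the line as before (the old pipeline
# was also broken by e-mail line wrapping).
FACES="$($IP link show \
    | sed -n 's/^[0-9][0-9]*: \([^:@]*\).*/\1/p' \
    | grep -vE '^(sit|gre|ipip|tun|dummy|lo|teql)')"
# Leaf qdisc: stochastic fairness queueing, hash re-seeded every 10 s.
STOCHASIS="sfq perturb 10"

# mark_port IFACE PROTO CHAIN PORT MARK
# Append two mangle rules to CHAIN that MARK packets of PROTO leaving IFACE
# whose source OR destination port is PORT. MARK is non-terminating, so a
# packet matching several rules keeps the mark of the LAST one; the order of
# the calls below therefore matters and is kept exactly as in the original.
mark_port() {
    $IPTABLES -t mangle -A "$3" -p "$2" --sport "$4" -o "$1" -j MARK --set-mark "$5"
    $IPTABLES -t mangle -A "$3" -p "$2" --dport "$4" -o "$1" -j MARK --set-mark "$5"
}

echo "-Remove Qdisc root classes"
# ${FACES} is word-split on purpose: one interface name per word.
for FACE in ${FACES} ; do
    # "no such qdisc" is expected on a fresh boot. POSIX redirect on purpose:
    # "&>/dev/null" is bash-only; under dash it would background tc and race
    # the "qdisc add" below.
    $TC qdisc del dev "${FACE}" root >/dev/null 2>&1
done

echo "-Remove IPTables packed mangling, set defaults"
for CHAIN in INPUT OUTPUT PREROUTING POSTROUTING FORWARD ; do
    $IPTABLES -t mangle -F "${CHAIN}"
    $IPTABLES -t mangle -P "${CHAIN}" ACCEPT
done

echo "-Trafic Marking"
for FACE in ${FACES} ; do
    # SSH (mark 1): locally generated and forwarded.
    for CHAIN in OUTPUT FORWARD ; do
        mark_port "${FACE}" tcp "${CHAIN}" 22 1
    done
    # Interactive UDP applications (mark 10), supported: Half-Life.
    mark_port "${FACE}" udp FORWARD 27015 10
    # Ping (mark 20). This catches ALL forwarded ICMP, not only echo; the
    # 128 kbit ceiling of class 1:120 therefore also rate-limits forwarded
    # ICMP floods.
    $IPTABLES -t mangle -A FORWARD -p icmp -o "${FACE}" -j MARK --set-mark 20
    # Routing (mark 30), supported: OSPF and BGP -- forwarded traffic only.
    # NOTE(review): routing protocol traffic originated by this router itself
    # passes through OUTPUT and is NOT marked here; if this box runs OSPF/BGP,
    # consider adding OUTPUT rules (class 1:130 is capped at 64 kbit, so check
    # that this is enough for your LSA/update bursts first).
    $IPTABLES -t mangle -A FORWARD -p ospf -o "${FACE}" -j MARK --set-mark 30
    mark_port "${FACE}" tcp FORWARD 179 30
    # Bulk data (mark 40), supported: FTP (20, 21), HTTP (80), HTTPS (443),
    # alternative HTTP (8080). HTTPS is forwarded only, as in the original.
    for PORT in 20 21 80 ; do
        for CHAIN in OUTPUT FORWARD ; do
            mark_port "${FACE}" tcp "${CHAIN}" "${PORT}" 40
        done
    done
    mark_port "${FACE}" tcp FORWARD 443 40
    for CHAIN in OUTPUT FORWARD ; do
        mark_port "${FACE}" tcp "${CHAIN}" 8080 40
    done
    # E-mail (mark 50): POP3, IMAP, SMTP, IMAPS, POP3S -- forwarded only.
    for PORT in 110 143 25 993 995 ; do
        mark_port "${FACE}" tcp FORWARD "${PORT}" 50
    done
done

echo "-Create HTB classes"
for FACE in ${FACES} ; do
    # Root qdisc: HTB; anything without a matching filter ends in class 1:30.
    $TC qdisc add dev "${FACE}" root handle 1: htb default 30
    # Parent class capped at the link speed, so that queueing (and therefore
    # the prioritisation) happens here and not in the radio/modem behind us.
    $TC class add dev "${FACE}" parent 1: classid 1:1 htb \
        rate "${SPEED}kbit" ceil "${SPEED}kbit" burst 10k
    # Leaf classes: "rate" is the guaranteed share, "ceil" the maximum a class
    # may borrow up to when the link has spare capacity, "prio" the order in
    # which spare bandwidth is offered (lower number first).
    $TC class add dev "${FACE}" parent 1:1 classid 1:11 htb \
        rate 64kbit ceil 256kbit burst 2k prio 1                # SSH
    $TC class add dev "${FACE}" parent 1:1 classid 1:110 htb \
        rate 64kbit ceil "$((SPEED/4))kbit" burst 2k prio 2     # interactive
    $TC class add dev "${FACE}" parent 1:1 classid 1:120 htb \
        rate 32kbit ceil 128kbit burst 1k prio 4                # ping
    $TC class add dev "${FACE}" parent 1:1 classid 1:130 htb \
        rate 32kbit ceil 64kbit burst 1k prio 1                 # routing
    $TC class add dev "${FACE}" parent 1:1 classid 1:140 htb \
        rate 32kbit ceil "$((SPEED/2))kbit" burst 5k prio 3     # data transfer
    $TC class add dev "${FACE}" parent 1:1 classid 1:150 htb \
        rate 128kbit ceil "$((SPEED/2))kbit" burst 5k prio 2    # email
    $TC class add dev "${FACE}" parent 1:1 classid 1:30 htb \
        rate 32kbit ceil "$((SPEED/2))kbit" burst 2k prio 5     # unsupported traffic (default)
done

echo "-Add stochasic fairness to HTB classes"
for FACE in ${FACES} ; do
    # One sfq under every leaf so that flows inside a class share it fairly.
    # Handle = class id followed by "1" (1:11 -> 111:, 1:110 -> 1101:, ...),
    # the same numbering the original used. $STOCHASIS is split on purpose.
    for CLASS in 11 110 120 130 140 150 30 ; do
        $TC qdisc add dev "${FACE}" parent "1:${CLASS}" handle "${CLASS}1:" $STOCHASIS
    done
done

echo "-Redirect marked services to HTB classes"
for FACE in ${FACES} ; do
    # fwmark -> leaf class: 1 SSH, 10 interactive, 20 ping, 30 routing,
    # 40 data transfer, 50 email.
    for PAIR in 1=11 10=110 20=120 30=130 40=140 50=150 ; do
        MARK="${PAIR%%=*}"
        CLASS="${PAIR#*=}"
        $TC filter add dev "${FACE}" parent 1:0 protocol ip \
            handle "${MARK}" fw flowid "1:${CLASS}"
    done
done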
2.
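#!/bin/sh
#
# GameScript   This script establishes policy routing and traffic
#              control rules to minimize latency for game packets
#              in the presence of other traffic.
#
# Usage: GameScript {start|stop|restart}
#
# Besides this script, there is one other thing that must be done.
# Assuming that iproute2 is already installed, edit the file
# /etc/iproute2/rt_tables and add the following line at the bottom:
#   "100 Small_MTU"
# "start" checks for it and refuses to run otherwise, because every
# "ip route ... table Small_MTU" command below would fail.
#
# How it works:
#  * mangle/PREROUTING marks HOST1's game packets (by address and port)
#    with fwmark GAME_PACKET. The rules live in a private chain so that
#    start/stop can add and remove them without touching any other mangle
#    rule and without accumulating duplicates on every restart;
#  * policy routing sends every NON-game packet through an alternate
#    routing table whose default route has a small MTU, so a big bulk
#    packet never occupies the slow uplink for long, while game packets
#    keep the normal MTU;
#  * HTB on the uplink gives game packets their own high-priority class;
#    the rest gets a prio qdisc with sfq leaves plus a filter that puts
#    empty ACKs into the minimize-delay band;
#  * an ingress policer drops download traffic above ~85 % of the real
#    downlink speed so the ISP side never builds a queue. Incoming game
#    packets are exempt from the policer.
#
# SECURITY NOTE: game traffic is recognised purely by HOST1's address and
# port. HOST1 (or anybody who can use its address on the LAN) can put any
# traffic into the prioritised, unpoliced class simply by using that port.
#
# ***********************************************************************
# DEFINES                                                               *
# ***********************************************************************
# Change these values as required to reflect your setup. LAN_IP_RANGE,
# LAN_IP and HOST1 must be in the SAME subnet: the alternate routing table
# copies the LAN route from these values, and a mismatch (the original
# example had 192.168.1.0/24 next to 192.168.0.x addresses) sends LAN
# traffic out through the internet gateway with a 256-byte MTU.
# Addresses and Interfaces
LAN_IP_RANGE="192.168.0.0/24"
LAN_IP="192.168.0.1"
LAN_INTERFACE="eth0"
LOCALHOST_IP="127.0.0.1/32"
INTERNET_IP_RANGE="123.123.123.0/24"
INTERNET_IP="123.123.123.123"
INTERNET_GATEWAY="123.123.123.1"
INTERNET_INTERFACE="eth1"
# Executables (absolute paths: this runs as root, do not trust $PATH)
IPTABLES="/sbin/iptables"
TC="/sbin/tc"
IP="/sbin/ip"
# Information used to identify game traffic.
# add more as required
HOST1="192.168.0.2"
HOST1_GAME_PORT="3724"
# Packet marks (arbitrary)
GAME_PACKET="1"
# Private mangle chain that holds our MARK rules
GAME_CHAIN="GAME_MARK"
# Name of the alternate routing table (must exist in /etc/iproute2/rt_tables)
SMALL_MTU_TABLE="Small_MTU"
# For traffic shaping:
#
# The numbers below were arrived at by test on a DSL
# line with nominal line speeds of 128 kbit up and
# 1400 kbit down. Actual measured throughput was
# about 90 kbit up and 1150 kbit down.
#
# A note regarding MTU: Standard ethernet MTU is 1500
# bytes, which resulted in unacceptable single
# packet xmit waits of 1500 x 8 / 90,000 = 133 msec.
# Lowering the interface MTU changes the MTU in both
# directions, which helped uplink latency but hurt
# downlink throughput. Lowering the interface MTU to
# 256 bytes resulted in a downlink throughput of less
# than 500kbit. An interface MTU in the 400 - 500 byte
# range provided an acceptable compromise, with single
# packet xmit times of about 40 msec and downlink speeds
# of about 700kbit. However, leaving the interface MTU
# at 1500 bytes and setting a lower per-route MTU that
# only affected non-game uplink traffic was the best
# solution. An uplink MTU smaller than 256 bytes would
# help latency even more, but tc and/or htb don't seem
# to like mtu's below 256 and, besides, 256 results in a max
# single packet xmit wait of around 25 msec, with
# even better average behavior.
STD_MTU="1500"
TC_MTU="256"
TC_MSS=$(( STD_MTU - 40 ))
TC_UPLINK_RATE="90"
TC_DOWNLINK_RATE="1000"
TC_GAME_RATE="30"
TC_GAME_CEIL=$TC_UPLINK_RATE
TC_OTHER_RATE=$(( TC_UPLINK_RATE - TC_GAME_RATE ))
TC_OTHER_CEIL=$(( TC_UPLINK_RATE - TC_GAME_RATE ))

# *********************************************************************
# HELPERS                                                             *
# *********************************************************************

# Refuse to run unless the alternate routing table is known to iproute2
# (rt_tables, or a drop-in under rt_tables.d on newer versions).
check_rt_table() {
    if ! grep -qs "[[:space:]]${SMALL_MTU_TABLE}\$" \
            /etc/iproute2/rt_tables /etc/iproute2/rt_tables.d/*.conf; then
        echo "Error: add \"100 ${SMALL_MTU_TABLE}\" to /etc/iproute2/rt_tables first" >&2
        exit 1
    fi
}

# Remove every copy of our jump from PREROUTING and drop the private chain.
# Errors are expected (and ignored) when nothing is installed yet.
remove_game_marking() {
    while $IPTABLES -t mangle -D PREROUTING -j "$GAME_CHAIN" 2>/dev/null; do :; done
    $IPTABLES -t mangle -F "$GAME_CHAIN" 2>/dev/null
    $IPTABLES -t mangle -X "$GAME_CHAIN" 2>/dev/null
}

# Mark HOST1's game packets (both directions, TCP and UDP) with GAME_PACKET.
# Uses a private chain: the original appended four more rules straight to
# PREROUTING on every "start" and "stop" never removed them.
install_game_marking() {
    remove_game_marking
    $IPTABLES -t mangle -N "$GAME_CHAIN"
    $IPTABLES -t mangle -A PREROUTING -j "$GAME_CHAIN"
    for PROTO in tcp udp ; do
        # game traffic from Host1
        $IPTABLES --table mangle --append "$GAME_CHAIN" \
            --protocol "$PROTO" --in-interface "$LAN_INTERFACE" \
            --source "$HOST1" --source-port "$HOST1_GAME_PORT" \
            --jump MARK --set-mark "$GAME_PACKET"
        # game traffic to Host1
        $IPTABLES --table mangle --append "$GAME_CHAIN" \
            --protocol "$PROTO" --in-interface "$INTERNET_INTERFACE" \
            --destination "$HOST1" --destination-port "$HOST1_GAME_PORT" \
            --jump MARK --set-mark "$GAME_PACKET"
    done
}

# Build the Small_MTU table and the two policy rules.
install_policy_routing() {
    # Delete any existing / old rules, flush the alternate table and the cache.
    $IP rule del priority 4000 2>/dev/null
    $IP rule del priority 5000 2>/dev/null
    $IP route flush table "$SMALL_MTU_TABLE" 2>/dev/null
    $IP route flush cache
    # Duplicate the normal routing table except lower the MTU of the
    # default route.
    $IP route add "$LOCALHOST_IP" dev lo table "$SMALL_MTU_TABLE"
    $IP route add "$LAN_IP_RANGE" dev "$LAN_INTERFACE" src "$LAN_IP" \
        table "$SMALL_MTU_TABLE" proto static
    $IP route add "$INTERNET_IP_RANGE" dev "$INTERNET_INTERFACE" \
        src "$INTERNET_IP" table "$SMALL_MTU_TABLE" proto static
    $IP route add default via "$INTERNET_GATEWAY" mtu "$TC_MTU" \
        advmss "$TC_MSS" table "$SMALL_MTU_TABLE" proto static
    # Game traffic continues to use the main routing table so that it keeps
    # the large uplink MTU.
    $IP rule add fwmark "$GAME_PACKET" priority 4000 table main
    # Everything else (including packets generated by this router) goes
    # through the small-MTU table.
    $IP rule add from 0/0 priority 5000 table "$SMALL_MTU_TABLE"
    $IP route flush cache
}

# Egress shaping: queue here (never in the ADSL modem) and let game packets
# go first.
install_uplink_shaping() {
    # Remove old rules first. The original referred to $INET_IFACE here -- a
    # variable that does not exist -- so these deletes silently did nothing
    # and a second "start" failed with "RTNETLINK answers: File exists".
    $TC qdisc del dev "$INTERNET_INTERFACE" root 2>/dev/null
    $TC qdisc del dev "$INTERNET_INTERFACE" ingress 2>/dev/null
    # HTB root; unclassified traffic -> 1:11
    $TC qdisc add dev "$INTERNET_INTERFACE" root handle 1:0 \
        htb default 11 r2q 1
    # Root class capped at the measured uplink rate.
    $TC class add dev "$INTERNET_INTERFACE" parent 1:0 classid 1:1 \
        htb rate "${TC_UPLINK_RATE}kbit" ceil "${TC_UPLINK_RATE}kbit" \
        burst 6k cburst 6k
    # Leaf class for game traffic: guaranteed TC_GAME_RATE, may use the
    # whole link.
    $TC class add dev "$INTERNET_INTERFACE" parent 1:1 classid 1:10 \
        htb rate "${TC_GAME_RATE}kbit" ceil "${TC_GAME_CEIL}kbit" \
        prio 1 burst 6k cburst 6k
    # Leaf class for non-game traffic, capped (rate AND ceil) at about 67%
    # of the uplink so that tokens are always left for game packets when
    # they arrive.
    $TC class add dev "$INTERNET_INTERFACE" parent 1:1 classid 1:11 \
        htb rate "${TC_OTHER_RATE}kbit" ceil "${TC_OTHER_CEIL}kbit" \
        prio 2 mtu "$TC_MTU"
    # fifo for game traffic
    $TC qdisc add dev "$INTERNET_INTERFACE" parent 1:10 handle 10: \
        pfifo limit 25
    # prio qdisc (standard TOS priority bands) for non-game traffic, with
    # one sfq per band: minimize-delay, best-effort, maximize-throughput.
    $TC qdisc add dev "$INTERNET_INTERFACE" parent 1:11 handle 11: prio
    $TC qdisc add dev "$INTERNET_INTERFACE" parent 11:1 handle 111: sfq perturb 5
    $TC qdisc add dev "$INTERNET_INTERFACE" parent 11:2 handle 112: sfq perturb 5
    $TC qdisc add dev "$INTERNET_INTERFACE" parent 11:3 handle 113: sfq perturb 5
    # Game packets -> leaf 1:10. The fwmark set in PREROUTING is visible
    # here because egress classification runs after netfilter.
    $TC filter add dev "$INTERNET_INTERFACE" parent 1:0 \
        protocol ip prio 1 handle "$GAME_PACKET" fw flowid 1:10
    # Empty TCP ACKs -> minimize-delay band. Matches: IPv4 header length of
    # 5 words (no options), total length < 64 bytes, and only the ACK flag
    # set in the TCP flags byte (offset 20 + 13 = 33).
    $TC filter add dev "$INTERNET_INTERFACE" parent 11:0 protocol ip \
        prio 3 u32 match ip protocol 6 0xff \
        match u8 0x05 0x0f at 0 \
        match u16 0x0000 0xffc0 at 2 \
        match u8 0x10 0xff at 33 \
        flowid 11:1
    # The remaining traffic defaults to htb leaf 1:11
}

# Ingress policing: downlink limited to about 85% of the real capability to
# prevent queueing on the ISP side.
install_ingress_policing() {
    $TC qdisc add dev "$INTERNET_INTERFACE" handle ffff: ingress
    # Exempt incoming game traffic from the policer. The original matched on
    # fwmark here, but the ingress qdisc runs BEFORE netfilter PREROUTING --
    # where the mark is set -- so that filter never matched and game packets
    # were policed like everything else. Match the packet itself instead.
    # ("match ip dport" assumes an IPv4 header without options, the normal
    # case; it covers both TCP and UDP.)
    $TC filter add dev "$INTERNET_INTERFACE" parent ffff: protocol ip prio 1 \
        u32 match ip dst "${HOST1}/32" match ip dport "$HOST1_GAME_PORT" 0xffff \
        flowid :1
    # Filter everything else to that qdisc and drop packets that exceed the
    # bandwidth limit.
    $TC filter add dev "$INTERNET_INTERFACE" parent ffff: \
        protocol ip prio 3 u32 match ip src 0.0.0.0/0 \
        police rate "${TC_DOWNLINK_RATE}kbit" burst 3k drop \
        flowid :1
}

# Undo everything "start" installed.
teardown() {
    # Remove any uplink throttling and the ingress policer
    $TC qdisc del dev "$INTERNET_INTERFACE" root 2>/dev/null
    $TC qdisc del dev "$INTERNET_INTERFACE" ingress 2>/dev/null
    # Remove policy routing
    $IP rule del priority 5000 2>/dev/null
    $IP rule del priority 4000 2>/dev/null
    $IP route flush table "$SMALL_MTU_TABLE" 2>/dev/null
    $IP route flush cache
    # Remove our mangle marking rules (the original left them behind)
    remove_game_marking
}

# *********************************************************************
# RULES                                                               *
# *********************************************************************
case "$1" in
    start)
        check_rt_table
        install_game_marking
        install_policy_routing
        install_uplink_shaping
        install_ingress_policing
        ;;
    stop)
        teardown
        ;;
    restart)
        "$0" stop
        sleep 3
        "$0" start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}" >&2
        exit 1
        ;;
esac
exit 0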
Robert