HTB na VLAN

Peter Gaal peto at markizatext.sk
Saturday May 26 11:09:46 CEST 2007


Hello.

I tried to rewrite my HTB scripts to use VLANs, but it doesn't behave well; it doesn't limit at all the way it should. When I had it on several interfaces, eth0 to eth5, it worked fine, but on a single eth with several VLANs it doesn't work. Where am I making a mistake?


The original script looks like this:
(eth0 is the external link, the others are internal)

# remove any existing root qdiscs and flush old marks
tc qdisc del dev eth0 root
tc qdisc del dev eth1 root
tc qdisc del dev eth2 root
tc qdisc del dev eth3 root
tc qdisc del dev eth4 root
tc qdisc del dev eth5 root
iptables -t mangle -F

# one root HTB qdisc per interface; unclassified traffic goes to class 9999
tc qdisc add dev eth0 root handle 1:0 htb default 9999
tc qdisc add dev eth1 root handle 2:0 htb default 9999
tc qdisc add dev eth2 root handle 3:0 htb default 9999
tc qdisc add dev eth3 root handle 4:0 htb default 9999
tc qdisc add dev eth4 root handle 5:0 htb default 9999
tc qdisc add dev eth5 root handle 6:0 htb default 9999

tc class add dev eth0 parent 1:0 classid 1:1 htb rate 10Mbit ceil 10Mbit
tc class add dev eth1 parent 2:0 classid 2:1 htb rate 10Mbit ceil 10Mbit
tc class add dev eth2 parent 3:0 classid 3:1 htb rate 10Mbit ceil 10Mbit
tc class add dev eth3 parent 4:0 classid 4:1 htb rate 10Mbit ceil 10Mbit
tc class add dev eth4 parent 5:0 classid 5:1 htb rate 10Mbit ceil 10Mbit
tc class add dev eth5 parent 6:0 classid 6:1 htb rate 10Mbit ceil 10Mbit


# per-host classes: each host gets a download class on its LAN interface
# and an upload class on eth0, selected by consecutive fw marks
mark=1
# 192.168.0.2, eth1
mark=$((mark+1))
tc class add dev eth1 parent 2:1 classid 2:$mark htb rate 1024kbit \
 ceil 1024kbit prio 3
tc filter add dev eth1 parent 2:0 protocol ip prio 3 \
 handle $mark fw classid 2:$mark
iptables -t mangle -A FORWARD -d 192.168.0.2 -i eth0 -j MARK --set-mark $mark

mark=$((mark+1))
tc class add dev eth0 parent 1:1 classid 1:$mark htb rate 256kbit \
 ceil 256kbit prio 3
tc filter add dev eth0 parent 1:0 protocol ip prio 3 \
 handle $mark fw classid 1:$mark
iptables -t mangle -A FORWARD -s 192.168.0.2 -o eth0 -j MARK --set-mark $mark

# 192.168.0.18, eth1
mark=$((mark+1))
tc class add dev eth1 parent 2:1 classid 2:$mark htb rate 512kbit \
 ceil 512kbit prio 3
tc filter add dev eth1 parent 2:0 protocol ip prio 3 \
 handle $mark fw classid 2:$mark
iptables -t mangle -A FORWARD -d 192.168.0.18 -i eth0 -j MARK --set-mark $mark

mark=$((mark+1))
tc class add dev eth0 parent 1:1 classid 1:$mark htb rate 128kbit \
 ceil 128kbit prio 3
tc filter add dev eth0 parent 1:0 protocol ip prio 3 \
 handle $mark fw classid 1:$mark
iptables -t mangle -A FORWARD -s 192.168.0.18 -o eth0 -j MARK --set-mark $mark

......
# this is for the eth2 segment
# 192.168.2.49, eth2
mark=$((mark+1))
tc class add dev eth2 parent 3:1 classid 3:$mark htb rate 1024kbit \
 ceil 1024kbit prio 3
tc filter add dev eth2 parent 3:0 protocol ip prio 3 \
 handle $mark fw classid 3:$mark
iptables -t mangle -A FORWARD -d 192.168.2.49 -i eth0 -j MARK --set-mark $mark

mark=$((mark+1))
tc class add dev eth0 parent 1:1 classid 1:$mark htb rate 256kbit \
 ceil 256kbit prio 3
tc filter add dev eth0 parent 1:0 protocol ip prio 3 \
 handle $mark fw classid 1:$mark
iptables -t mangle -A FORWARD -s 192.168.2.49 -o eth0 -j MARK --set-mark $mark

# 192.168.3.63, eth3
mark=$((mark+1))
tc class add dev eth3 parent 4:1 classid 4:$mark htb rate 512kbit \
 ceil 512kbit prio 3
tc filter add dev eth3 parent 4:0 protocol ip prio 3 \
 handle $mark fw classid 4:$mark
iptables -t mangle -A FORWARD -d 192.168.3.63 -i eth0 -j MARK --set-mark $mark

mark=$((mark+1))
tc class add dev eth0 parent 1:1 classid 1:$mark htb rate 128kbit \
 ceil 128kbit prio 3
tc filter add dev eth0 parent 1:0 protocol ip prio 3 \
 handle $mark fw classid 1:$mark
iptables -t mangle -A FORWARD -s 192.168.3.63 -o eth0 -j MARK --set-mark $mark

# 192.168.4.66, eth4
mark=$((mark+1))
tc class add dev eth4 parent 5:1 classid 5:$mark htb rate 128kbit \
 ceil 1024kbit prio 3
tc filter add dev eth4 parent 5:0 protocol ip prio 3 \
 handle $mark fw classid 5:$mark
iptables -t mangle -A FORWARD -d 192.168.4.66 -i eth0 -j MARK --set-mark $mark

mark=$((mark+1))
tc class add dev eth0 parent 1:1 classid 1:$mark htb rate 128kbit \
 ceil 256kbit prio 3
tc filter add dev eth0 parent 1:0 protocol ip prio 3 \
 handle $mark fw classid 1:$mark
iptables -t mangle -A FORWARD -s 192.168.4.66 -o eth0 -j MARK --set-mark $mark

# 192.168.5.80, eth5
mark=$((mark+1))
tc class add dev eth5 parent 6:1 classid 6:$mark htb rate 512kbit \
 ceil 1024kbit prio 3
tc filter add dev eth5 parent 6:0 protocol ip prio 3 \
 handle $mark fw classid 6:$mark
iptables -t mangle -A FORWARD -d 192.168.5.80 -i eth0 -j MARK --set-mark $mark

mark=$((mark+1))
tc class add dev eth0 parent 1:1 classid 1:$mark htb rate 128kbit \
 ceil 256kbit prio 3
tc filter add dev eth0 parent 1:0 protocol ip prio 3 \
 handle $mark fw classid 1:$mark
iptables -t mangle -A FORWARD -s 192.168.5.80 -o eth0 -j MARK --set-mark $mark

............


After switching to VLANs this didn't work at all, but adding these lines helped slightly (during testing):
tc qdisc add dev eth0.11 parent 2:21 sfq perturb 10
or
tc qdisc add dev eth0.11 parent 2:21 pfifo limit 100


# remove any existing root qdiscs on the VLAN sub-interfaces and flush old marks
tc qdisc del dev eth0.10 root
tc qdisc del dev eth0.11 root
tc qdisc del dev eth0.12 root
tc qdisc del dev eth0.13 root
tc qdisc del dev eth0.14 root
tc qdisc del dev eth0.15 root
iptables -t mangle -F

tc qdisc add dev eth0.10 root handle 1:0 htb default 9999
tc qdisc add dev eth0.11 root handle 2:0 htb default 9999
tc qdisc add dev eth0.12 root handle 3:0 htb default 9999
tc qdisc add dev eth0.13 root handle 4:0 htb default 9999
tc qdisc add dev eth0.14 root handle 5:0 htb default 9999
tc qdisc add dev eth0.15 root handle 6:0 htb default 9999

tc class add dev eth0.10 parent 1:0 classid 1:1 htb rate 10Mbit ceil 10Mbit
tc class add dev eth0.11 parent 2:0 classid 2:1 htb rate 8Mbit ceil 8Mbit
tc class add dev eth0.12 parent 3:0 classid 3:1 htb rate 8Mbit ceil 8Mbit
tc class add dev eth0.13 parent 4:0 classid 4:1 htb rate 8Mbit ceil 8Mbit
tc class add dev eth0.14 parent 5:0 classid 5:1 htb rate 8Mbit ceil 8Mbit
tc class add dev eth0.15 parent 6:0 classid 6:1 htb rate 8Mbit ceil 8Mbit


# next segment
tc class add dev eth0.11 parent 2:1 classid 2:68 htb rate 128kbit ceil 512kbit prio 10
tc filter add dev eth0.11 parent 2:0 protocol ip prio 10 handle 68 fw classid 2:68
tc qdisc add dev eth0.11 parent 2:68 sfq perturb 10
iptables -t mangle -A FORWARD -d 192.168.0.77 -i eth0.10 -j MARK --set-mark 68

tc class add dev eth0.10 parent 1:1 classid 1:69 htb rate 128kbit ceil 128kbit prio 10
tc filter add dev eth0.10 parent 1:0 protocol ip prio 10 handle 69 fw classid 1:69
tc qdisc add dev eth0.10 parent 1:69 sfq perturb 10
iptables -t mangle -A FORWARD -s 192.168.0.77 -o eth0.10 -j MARK --set-mark 69

.....

# another segment
tc class add dev eth0.12 parent 3:1 classid 3:86 htb rate 128kbit ceil 512kbit prio 10
tc filter add dev eth0.12 parent 3:0 protocol ip prio 10 handle 86 fw classid 3:86
tc qdisc add dev eth0.12 parent 3:86 sfq perturb 10
iptables -t mangle -A FORWARD -d 192.168.2.52 -i eth0.10 -j MARK --set-mark 86

tc class add dev eth0.10 parent 1:1 classid 1:87 htb rate 128kbit ceil 128kbit prio 10
tc filter add dev eth0.10 parent 1:0 protocol ip prio 10 handle 87 fw classid 1:87
tc qdisc add dev eth0.10 parent 1:87 sfq perturb 10
iptables -t mangle -A FORWARD -s 192.168.2.52 -o eth0.10 -j MARK --set-mark 87

......

# next segment
tc class add dev eth0.13 parent 4:1 classid 4:143 htb rate 128kbit ceil 256kbit prio 10
tc filter add dev eth0.13 parent 4:0 protocol ip prio 10 handle 143 fw classid 4:143
tc qdisc add dev eth0.13 parent 4:143 sfq perturb 10
iptables -t mangle -A FORWARD -d 192.168.3.53 -i eth0.10 -j MARK --set-mark 143

tc class add dev eth0.10 parent 1:1 classid 1:144 htb rate 128kbit ceil 128kbit prio 10
tc filter add dev eth0.10 parent 1:0 protocol ip prio 10 handle 144 fw classid 1:144
tc qdisc add dev eth0.10 parent 1:144 sfq perturb 10
iptables -t mangle -A FORWARD -s 192.168.3.53 -o eth0.10 -j MARK --set-mark 144

...............

# next segment
tc class add dev eth0.14 parent 5:1 classid 5:274 htb rate 128kbit ceil 1024kbit prio 10
tc filter add dev eth0.14 parent 5:0 protocol ip prio 10 handle 274 fw classid 5:274
tc qdisc add dev eth0.14 parent 5:274 sfq perturb 10
iptables -t mangle -A FORWARD -d 192.168.4.92 -i eth0.10 -j MARK --set-mark 274

tc class add dev eth0.10 parent 1:1 classid 1:275 htb rate 128kbit ceil 256kbit prio 10
tc filter add dev eth0.10 parent 1:0 protocol ip prio 10 handle 275 fw classid 1:275
tc qdisc add dev eth0.10 parent 1:275 sfq perturb 10
iptables -t mangle -A FORWARD -s 192.168.4.92 -o eth0.10 -j MARK --set-mark 275

..............

# next segment
tc class add dev eth0.15 parent 6:1 classid 6:345 htb rate 128kbit ceil 512kbit prio 10
tc filter add dev eth0.15 parent 6:0 protocol ip prio 10 handle 345 fw classid 6:345
tc qdisc add dev eth0.15 parent 6:345 sfq perturb 10
iptables -t mangle -A FORWARD -d 192.168.5.65 -i eth0.10 -j MARK --set-mark 345

tc class add dev eth0.10 parent 1:1 classid 1:346 htb rate 128kbit ceil 128kbit prio 10
tc filter add dev eth0.10 parent 1:0 protocol ip prio 10 handle 346 fw classid 1:346
tc qdisc add dev eth0.10 parent 1:346 sfq perturb 10
iptables -t mangle -A FORWARD -s 192.168.5.65 -o eth0.10 -j MARK --set-mark 346

............

eth0.10 is the interface to the internet, the others are internal.
After putting it on the network it didn't work at all: some IPs went much faster than they should have, others almost not at all. I have no idea where I made the mistake; on normal network cards it works without problems, on VLANs it doesn't.

Thanks for any advice.

Peter Gaal
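The per-host pattern of the VLAN script above, rewritten as a generator with a duplicate-mark check, as an added example that is not the poster's own script. It assumes eth0.10 is the internet-side VLAN with HTB handle 1: (as in the post) and that a VLAN sub-interface may report txqueuelen 0, which HTB's default pfifo leaf inherits as its limit (an assumed cause, consistent with the explicit sfq/pfifo leaves the poster found helpful); an explicit sfq is therefore emitted for every leaf class.

```shell
#!/bin/sh
# Added example (not the original poster's script). Emits the tc and
# iptables commands for one shaped host in the poster's VLAN layout:
# download class on the LAN VLAN, upload class on the internet VLAN,
# fw marks as the selector. An explicit sfq is attached to every leaf
# class because a VLAN sub-interface can report txqueuelen 0 and HTB's
# default pfifo leaf takes its limit from that value (assumed cause;
# check with `ip link show dev eth0.11`). Commands are printed, not
# executed, so no root is needed; pipe the output into sh to apply.

WAN=eth0.10   # internet-side VLAN, as in the post
WAN_MAJOR=1   # major handle of the root HTB qdisc on $WAN

# shape_host LAN_DEV LAN_MAJOR IP DOWN_RATE DOWN_CEIL UP_RATE UP_CEIL MARK
# Download to IP uses fw mark MARK on LAN_DEV; upload from IP uses MARK+1
# on $WAN, following the poster's pairing of consecutive marks.
shape_host() {
  dev=$1 major=$2 ip=$3 drate=$4 dceil=$5 urate=$6 uceil=$7 mark=$8
  umark=$((mark + 1))
  cat <<EOF
tc class add dev $dev parent $major:1 classid $major:$mark htb rate $drate ceil $dceil prio 10
tc filter add dev $dev parent $major:0 protocol ip prio 10 handle $mark fw classid $major:$mark
tc qdisc add dev $dev parent $major:$mark sfq perturb 10
iptables -t mangle -A FORWARD -d $ip -i $WAN -j MARK --set-mark $mark
tc class add dev $WAN parent $WAN_MAJOR:1 classid $WAN_MAJOR:$umark htb rate $urate ceil $uceil prio 10
tc filter add dev $WAN parent $WAN_MAJOR:0 protocol ip prio 10 handle $umark fw classid $WAN_MAJOR:$umark
tc qdisc add dev $WAN parent $WAN_MAJOR:$umark sfq perturb 10
iptables -t mangle -A FORWARD -s $ip -o $WAN -j MARK --set-mark $umark
EOF
}

# duplicate_marks: read generated commands on stdin and report any fw mark
# set more than once. Hand-numbered marks (68, 69, 86, 87, ...) are easy
# to reuse by mistake, and a reused mark puts two hosts into one class.
# Returns 1 when a duplicate exists, 0 otherwise.
duplicate_marks() {
  dups=$(sed -n 's/.*--set-mark \([0-9][0-9]*\).*/\1/p' | sort | uniq -d)
  [ -z "$dups" ] || { echo "duplicate fw marks: $dups" >&2; return 1; }
}

# Two hosts taken from the post; the commands are printed only if the
# marks check out.
demo() {
  shape_host eth0.11 2 192.168.0.77 128kbit 512kbit 128kbit 128kbit 68
  shape_host eth0.12 3 192.168.2.52 128kbit 512kbit 128kbit 128kbit 86
}
demo | duplicate_marks && demo
```

After applying, `tc -s class show dev eth0.11` should show bytes accumulating in the per-host class rather than only in the root; if everything lands in the root or the default, the mark is not being set or does not match the filter handle.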