The principle of TC Speed limit and the realization of TC Speed limit

2025-01-17 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

This article walks through the implementation steps of TC speed limiting. It also introduces the principle of TC speed limiting and its queue rules and classifiers. I hope you find it useful.

I. Introduction to TC speed limit

1. Introduction to the principle of TC speed limit

The traffic controller TC (Traffic Control) in the Linux operating system performs traffic control in the Linux kernel, mainly by establishing a queue at the output port.

After a packet comes in from the input interface, traffic restriction discards packets that do not conform to the specification, and the input demultiplexer then decides where the packet goes. If the destination of the received packet is the local host, the packet is sent to the upper layer for processing; otherwise it needs to be forwarded and is handed over to the forwarding block (Forwarding Block). The forwarding block also receives the packets generated by the upper layers of the local host (TCP, UDP, etc.) and determines the next hop of each packet by looking it up in the routing table. The packets are then queued and sent to the output interface.

As can be seen from the above, TC can only classify and restrict packets sent by the network card, not packets received by the network card, but it can apply an overall restriction to the traffic the network card receives. Because our project only needs to limit the received traffic as a whole, TC meets our requirement for restricting network card traffic in both directions.

2. Introduction to the basic concepts of TC speed limit

The handling of traffic by TC is controlled by three objects, which are:

Queue rule qdisc (queueing discipline)

Class (class)

Classifier (Classifiers).

Qdisc queue rules (queueing discipline)

Qdisc (queue rule) is the abbreviation of queueing discipline, and it is the basis for understanding traffic control. Whenever the kernel needs to send a packet over a network interface, it queues the packet according to the qdisc configured for that interface. The kernel then takes as many packets as possible from the qdisc and hands them over to the network adapter driver module. The simplest qdisc is pfifo, which does no processing on incoming packets; packets pass through the queue on a first-in-first-out basis. It does, however, hold packets that the network interface cannot handle for the time being.

Classful (classifiable) qdiscs include:

(1) CBQ

CBQ is an abbreviation for Class Based Queueing. It implements a rich link-sharing class structure that can both shape bandwidth and manage bandwidth priority. The bandwidth limit is achieved by calculating the idle time of the link. Idle time is calculated from the frequency of packet dequeue events and the bandwidth of the underlying link (data link layer).

(2) HTB

HTB is the abbreviation of Hierarchical Token Bucket. Improved on the basis of practical experience, it implements a rich link-sharing class system. HTB makes it easy to guarantee bandwidth for each class, while also allowing specific classes to exceed their bandwidth limit and take up the bandwidth of other classes. HTB can enforce bandwidth restrictions through TBF (Token Bucket Filter), and can also prioritize classes.

(3) PRIO

The PRIO qdisc cannot limit bandwidth, because packets belonging to different classes are simply dequeued in order. It is easy to use the PRIO qdisc to manage traffic priority: packets belonging to low-priority classes are sent only after all packets belonging to high-priority classes have been sent. For ease of management, you need to use iptables or ipchains to process the type of service (Type Of Service, ToS) of the packet.

Class (class)

Some qdiscs can contain classes, classes can in turn contain further qdiscs, and these nested qdiscs can also queue the packets entering them. By setting the dequeuing order of the various classes of packets, a qdisc can set the priority of network traffic.

Filter rule

A filter is used to classify packets and determine the qdisc on which they are queued. Whenever a packet enters a class that has subclasses, it needs to be classified. There are many ways to classify, and using a filter is one of them. When classifying with filters, the kernel invokes all filters attached to the class until one returns a decision. If no decision is returned, further processing takes place, and how it is handled depends on the qdisc. Note that filters are internal to a qdisc and cannot be used on their own.

II. TC speed limit operation

1. Virtual machine inflow traffic limit

(1) Clear all existing inflow rules (the root qdisc) on the tap01 NIC device to prevent conflicts with the newly added rules.

# tc qdisc del dev tap01 root

(2) Bind an htb-type qdisc root queue to the network device tap01.

# tc qdisc add dev tap01 root handle 1: htb default 9999

(3) Create a subclass 1:5 under the qdisc root queue 1: and set the traffic rate of the subclass to 50Mb/s.

# tc class add dev tap01 parent 1: classid 1:5 htb rate 50Mbit burst 1Mbit

(4) Add a stochastic fair queue (sfq) to subclass 1:5 to prevent the class from being monopolized by a single session.

# tc qdisc add dev tap01 parent 1:5 handle 5: sfq perturb 10

(5) Add a filter that sends packets with destination address 0.0.0.0/0 (meaning all networks) to class 1:5, so that they are queued according to its rules.

# tc filter add dev tap01 parent 1: protocol ip prio 1 u32 match ip dst 0.0.0.0/0 flowid 1:5

Note: tap01 is the network card that connects the virtual machine to the bridge, in one-to-one correspondence with the network card inside the virtual machine. Because traffic in the egress direction of the tap01 port is the traffic entering the virtual machine's internal network card, limiting egress traffic on tap01 limits the network traffic flowing into the virtual machine.

2. Virtual machine outflow traffic limit
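HTB passes packets that land in a non-existent default class straight through without shaping, and the filter in step (5) matches only `protocol ip`, so with `default 9999` and no class 1:9999 any non-IPv4 traffic (ARP, IPv6) escapes the 50Mbit limit. The check below is an added example, not part of the original article: it parses `tc -s qdisc show` and `tc class show` text and flags that condition. The sample output is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit an HTB setup for traffic that bypasses the rate limit.

# Constructed sample of `tc -s qdisc show dev tap01` (tc parses the htb
# default minor as hex; older iproute2 prints it without the 0x prefix).
SAMPLE_QDISC='qdisc htb 1: root refcnt 2 r2q 10 default 0x9999 direct_packets_stat 37 direct_qlen 1000
 Sent 5120 bytes 64 pkt (dropped 0, overlimits 3 requeues 0)
qdisc sfq 5: parent 1:5 limit 127p quantum 1514b depth 127 divisor 1024 perturb 10sec'

# Constructed sample of `tc class show dev tap01`
SAMPLE_CLASS='class htb 1:5 root leaf 5: prio 0 rate 50Mbit ceil 50Mbit burst 128Kb cburst 1600b'

# htb_field QDISC_TEXT NAME -> value that follows NAME on the htb qdisc line
htb_field() {
    printf '%s\n' "$1" | awk -v name="$2" '$1 == "qdisc" && $2 == "htb" {
        for (i = 3; i < NF; i++) if ($i == name) { print $(i + 1); exit }
    }'
}

# audit_htb QDISC_TEXT CLASS_TEXT
# returns 0 if the default class exists, 1 if unclassified traffic is
# sent unshaped, 2 if no htb qdisc is present in QDISC_TEXT
audit_htb() {
    handle=$(printf '%s\n' "$1" | awk '$1 == "qdisc" && $2 == "htb" { print $3; exit }')
    if [ -z "$handle" ]; then
        echo "no htb qdisc found"
        return 2
    fi
    minor=$(htb_field "$1" default | sed 's/^0x//')
    direct=$(htb_field "$1" direct_packets_stat)
    classid="${handle}${minor}"
    if printf '%s\n' "$2" | awk -v id="$classid" \
        '$1 == "class" && $2 == "htb" && $3 == id { found = 1 } END { exit !found }'; then
        echo "OK: default class $classid exists"
        return 0
    fi
    echo "BYPASS: default class $classid missing, ${direct:-0} packets sent unshaped"
    return 1
}

# On a live host, feed it real output instead of the samples:
#   audit_htb "$(tc -s qdisc show dev tap01)" "$(tc class show dev tap01)"
audit_htb "$SAMPLE_QDISC" "$SAMPLE_CLASS" || true
```

A non-zero and growing `direct_packets_stat` is the sign that traffic is skipping the class tree; creating the default class, or pointing `default` at an existing one such as 1:5, closes the gap.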

(1) Clear all existing ingress rules on the tap01 NIC device to prevent conflicts with the newly added rules.

# tc qdisc del dev tap01 ingress

(2) Bind a qdisc queue that handles ingress traffic to the network device tap01.

# tc qdisc add dev tap01 ingress handle ffff:

(3) Add a filter under ffff: and limit the traffic to 50Mb/s.

# tc filter add dev tap01 parent ffff: protocol all prio 1 basic police rate 50Mbit burst 10Mbit mtu 65535 drop

Note: tap01 is the network card that connects the virtual machine to the bridge, in one-to-one correspondence with the network card inside the virtual machine. Because traffic in the ingress direction of the tap01 port is the traffic sent out by the network card inside the virtual machine, limiting ingress traffic on tap01 limits the network traffic flowing out of the virtual machine.

The numbers 10 and 65535 in the command are related and must be modified together; otherwise the speed limit will be inaccurate.
