
What are the policy routing and flow control notes of iproute2?

2025-03-01 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article collects notes on policy routing and flow control with iproute2 (ip rule, ip route) and tc, together with worked configuration cases, for readers who want a simple and workable approach to these tasks.

Notes on iproute2 Policy routing and flow Control

-- Prerequisite knowledge --

To use policy routing, make sure the kernel is built with IP: advanced router and IP: policy routing enabled in its configuration.

ip rule matching conditions (selectors): from (source address), to (destination address), tos (TOS field), dev (incoming interface), fwmark (firewall mark).

ip rule actions: table (look up the named routing table), nat (network address translation), prohibit (discard and send an ICMP message), reject (simply discard), unreachable (discard and send an ICMP message).

ip rule scans the rules from highest priority to lowest; when a rule matches, its action is carried out. For normal route lookup or nat translation, the routing table named by the rule is selected first and the lookup is then performed in that table. The complete set of rules and tables is the RPDB (routing policy database).

Kernel options needed for iproute2 policy routing: CONFIG_IP_ADVANCED_ROUTER=y, CONFIG_IP_MULTIPLE_TABLES=y, CONFIG_IP_ROUTE_FWMARK=y

/etc/iproute2/rt_tables maps routing table names to their numbers.

iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu adjusts the MSS option in TCP SYN packets to control the maximum segment size of a connection. Some firewalls or hosts wrongly filter ICMP type 3 code 4 (fragmentation needed) packets, which breaks path MTU discovery; MSS clamping works around that. Released Linux kernels have included this patch since 2.4.7.

IMQ intermediate queueing device

Specially marked packets are intercepted at netfilter's NF_IP_PRE_ROUTING and NF_IP_POST_ROUTING hooks and handed to a queueing discipline attached to an IMQ device. This makes shaping of ingress traffic possible, and lets a network card be treated as a class and shaped globally.

-- Application case 1 --

Application-based policy routing through cooperation between iptables and iproute2

Key points: iptables marks the packets of a service class by port: iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 100 (with these marks we can also do bandwidth restriction and request-based classification).

Add NAT as the situation requires: iptables -t nat -A POSTROUTING -o eth3 -j MASQUERADE

Then set the routing policy: ip rule add fwmark 100 table 100
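The three commands of this case assembled into a reviewable script, added here as an example (it is not part of the original notes). Assumed values: eth3 is the uplink the marked traffic should take, 192.0.2.1 is a constructed placeholder for its gateway, and mark and table are both 100. With DRY_RUN=1 the script prints the commands instead of executing them; has_fwmark_rule checks the output of ip rule show for the installed rule.

```shell
#!/bin/sh
# Added example (not from the original notes): application-based policy routing
# for HTTP traffic, assembled from the three commands of application case 1.
# Assumed/constructed values: eth3 is the uplink that marked traffic should use,
# 192.0.2.1 (a TEST-NET-1 address) is its gateway, mark and table are both 100.
# DRY_RUN=1 prints the commands instead of running them, so the rule set can be
# reviewed before it is applied as root.

MARK=100
TABLE=100
WAN_IF=eth3
WAN_GW=192.0.2.1   # constructed placeholder, replace with the real ISP gateway

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# "ip rule show" prints fwmark values in hex, so mark 100 appears as 0x64.
mark_hex() {
    printf '0x%x\n' "$MARK"
}

apply_policy() {
    # 1. Mark forwarded HTTP packets in the mangle table (the notes' command).
    #    Traffic originated by this host passes OUTPUT, not PREROUTING, so it
    #    is not marked here; add the same rule to OUTPUT if that is wanted.
    run iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark "$MARK"
    # 2. Masquerade what leaves through the chosen uplink (the notes' command).
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    # 3. Marked packets are looked up in table 100 (the notes' command).
    run ip rule add fwmark "$MARK" table "$TABLE"
    # 4. Table 100 is empty until it gets a route; without a default route the
    #    lookup fails, falls through to the main table, and the mark does nothing.
    run ip route add default via "$WAN_GW" dev "$WAN_IF" table "$TABLE"
}

# Verification: read "ip rule show" output on stdin and succeed only if the
# fwmark rule pointing at our table is present.
has_fwmark_rule() {
    grep -q "fwmark $(mark_hex) lookup $TABLE"
}

if [ "${1:-}" = "apply" ]; then
    apply_policy
    ip rule show | has_fwmark_rule && echo "fwmark rule installed"
fi
```

Run it once with DRY_RUN=1 to see the four commands, then as root with the argument apply; the final check is the same grep a practitioner would run by hand after the change.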

-- Application case 2 --

Ordinary dual-ISP setup. Variables used below: $IF1 = public interface to ISP1, $IP1 = address of IF1, $P1 = ISP1 gateway address, $P1_NET = ISP1 network; $IF2, $IP2, $P2 and $P2_NET likewise for ISP2.

# specify two default gateways for separate upstreams

ip route add $P1_NET dev $IF1 src $IP1 table T1 (in table T1, reach the ISP1 network segment from interface IF1 with source address IP1; necessary, because it lets us find the hosts in that subnet and the gateway itself)

ip route add default via $P1 table T1

ip route add $P2_NET dev $IF2 src $IP2 table T2 (in table T2, reach the ISP2 network segment from interface IF2 with source address IP2; necessary for the same reason)

ip route add default via $P2 table T2

# also add both connected networks to the main routing table

ip route add $P1_NET dev $IF1 src $IP1

ip route add $P2_NET dev $IF2 src $IP2

# the main table defaults to ISP1

ip route add default via $P1

# set the routing rules: replies leave through the ISP whose address they carry

ip rule add from $IP1 table T1

ip rule add from $IP2 table T2

# set up load balancing (this multipath default replaces the single default route above; use one or the other)

ip route add default scope global nexthop via $P1 dev $IF1 weight 1 \
nexthop via $P2 dev $IF2 weight 1

Balancing is per route, and routes are cached, so the split is not exactly even.
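The whole of case 2 as a script, added here as an example rather than taken from the original notes. All addresses are constructed placeholders from the TEST-NET ranges; the interface names, table names T1 and T2, and the command sequence follow the notes. Two things the notes leave implicit are made explicit: rt_tables_defines checks that /etc/iproute2/rt_tables maps the names T1 and T2 to numbers (the kernel only knows numbers), and the default route is installed with ip route replace so that the single and the multipath variants do not collide. DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original notes): the dual-ISP configuration of
# application case 2 as a reviewable script. All addresses are constructed
# placeholders from the TEST-NET ranges; replace them with real values.
# Tables are referenced by name (T1, T2), which only works when
# /etc/iproute2/rt_tables maps those names to numbers (e.g. "1 T1", "2 T2").
# DRY_RUN=1 prints the commands instead of executing them.

IF1=eth0; IP1=198.51.100.10; P1=198.51.100.1; P1_NET=198.51.100.0/24   # ISP1
IF2=eth1; IP2=203.0.113.10;  P2=203.0.113.1;  P2_NET=203.0.113.0/24    # ISP2

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Prerequisite check: does the rt_tables content given on stdin define both
# table names ("<number> <name>" lines)? Returns 0 when it does.
rt_tables_defines() {
    content=$(grep -v '^#' || true)
    printf '%s\n' "$content" | grep -q "^[0-9][0-9]*[[:space:]][[:space:]]*$1\$" &&
    printf '%s\n' "$content" | grep -q "^[0-9][0-9]*[[:space:]][[:space:]]*$2\$"
}

dual_isp_routes() {
    # Per-ISP tables: the directly connected network, then that ISP's gateway.
    run ip route add "$P1_NET" dev "$IF1" src "$IP1" table T1
    run ip route add default via "$P1" table T1
    run ip route add "$P2_NET" dev "$IF2" src "$IP2" table T2
    run ip route add default via "$P2" table T2
    # The main table also needs both connected networks.
    run ip route add "$P1_NET" dev "$IF1" src "$IP1"
    run ip route add "$P2_NET" dev "$IF2" src "$IP2"
    # Replies leave through the ISP whose address they carry.
    run ip rule add from "$IP1" table T1
    run ip rule add from "$IP2" table T2
}

# Default route for new outbound connections: either a single default via ISP1
# or a multipath default over both links. "replace" keeps the function
# idempotent and avoids "RTNETLINK answers: File exists" on a second run.
default_route() {
    if [ "${1:-single}" = "balanced" ]; then
        run ip route replace default scope global \
            nexthop via "$P1" dev "$IF1" weight 1 \
            nexthop via "$P2" dev "$IF2" weight 1
    else
        run ip route replace default via "$P1"
    fi
}

if [ "${1:-}" = "apply" ]; then
    rt_tables_defines T1 T2 < /etc/iproute2/rt_tables ||
        { echo "T1/T2 missing from /etc/iproute2/rt_tables" >&2; exit 1; }
    dual_isp_routes
    default_route "${2:-single}"
fi
```

Invoke as ./dual-isp.sh apply for the single default or ./dual-isp.sh apply balanced for the multipath one; the rt_tables check fails fast instead of letting every table T1 command fail with an unknown-table error.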

-- Application case 3 --

The main step of tc bandwidth management is to set up a queue on the output interface and shape there. In this case classification is route-based, i.e. flow control by destination IP address or by the network number of the destination subnet.

1 Matters needing attention when compiling the kernel

The following example: 8M of bandwidth to host A, 1M to host B, 1M to host C

2 Configuration steps

1) Bind a CBQ queue to the physical network device (such as Ethernet card eth0)

tc qdisc add dev eth0 root handle 1: cbq bandwidth 10Mbit avpkt 1000 cell 8 mpu 64

2) Create the classes on the queue

tc class add dev eth0 parent 1:0 classid 1:1 cbq bandwidth 10Mbit rate 10Mbit maxburst 20 allot 1514 prio 8 avpkt 1000 cell 8 weight 1Mbit

tc class add dev eth0 parent 1:1 classid 1:2 cbq bandwidth 10Mbit rate 8Mbit maxburst 20 allot 1514 prio 2 avpkt 1000 cell 8 weight 800Kbit split 1:0 bounded

tc class add dev eth0 parent 1:1 classid 1:3 cbq bandwidth 10Mbit rate 1Mbit maxburst 20 allot 1514 prio 1 avpkt 1000 cell 8 weight 100Kbit split 1:0

tc class add dev eth0 parent 1:1 classid 1:4 cbq bandwidth 10Mbit rate 1Mbit maxburst 20 allot 1514 prio 6 avpkt 1000 cell 8 weight 100Kbit split 1:0

3) Create a route-based filter for each class

tc filter add dev eth0 parent 1:0 protocol ip prio 100 route

tc filter add dev eth0 parent 1:0 protocol ip prio 100 route to 2 flowid 1:2

tc filter add dev eth0 parent 1:0 protocol ip prio 100 route to 3 flowid 1:3

tc filter add dev eth0 parent 1:0 protocol ip prio 100 route to 4 flowid 1:4

4) Finally, create the routes whose realms the filters match on

ip route add 192.168.1.24 dev eth0 via 192.168.1.66 realm 2

ip route add 192.168.1.30 dev eth0 via 192.168.1.66 realm 3

ip route add 192.168.1.0/24 dev eth0 via 192.168.1.66 realm 4

3 Application and monitoring

-- About load balancing --

With the CONFIG_IP_ROUTE_MULTIPATH kernel option all of these paths (default routes) are treated as equal, and the specific selection method is described in /usr/src/linux/Documentation/Configure.help. The equalize option of the ip route command lets the Linux kernel balance outbound connections by IP address: for a given IP address the kernel picks an interface for the outgoing packets and creates a routing-cache entry for that address, so later packets for the same address use the same interface until the entry is removed from the routing cache. The ip route list cache command shows the routing cache.

Load balancing of services through DNS round-robin

Various services (DNS, SMTP, HTTP, LDAP, SSH, etc.) can be balanced through DNS round-robin.

DNS round-robin has too many limitations (DNS caching, clients ignoring the TTL, modified refresh times, no awareness of server availability) and can only be regarded as a barely acceptable load-balancing scheme.

-- Related commands --

ip link list: show the links

ip address show: show the IP addresses; for a ppp0 interface it also tells us the address at the other end of the link

ip route show: one line of its output looks like default via x.x.x.x dev x

ip neigh show: view the cached ARP table

ip neigh delete x.x.x.x dev x: remove an entry from it

-- TC flow control --

We can only shape the data we send.

The default qdisc is pfifo_fast: first in, first out. Only the TOS byte of the packet decides which channel (priority band) it is placed in, so the result depends on how a given application sets its TOS value.

HTB hierarchical token bucket

HTB guarantees each class at least the bandwidth allocated to it. When a class needs less than its allocation, the remainder is distributed to other classes that need it.

SFQ stochastic fairness queueing

Simple round-robin. A hashing algorithm maps all sessions onto a limited number of queues. (SFQ only has an effect when the outgoing network card is really saturated.)

If you do not want traffic shaping but only want to see whether the network card is heavily loaded and needs queueing, use a pfifo qdisc: it has no internal channels but does count the backlog.

-- HTB application case 4 --

1) Attach an HTB root qdisc

tc qdisc add dev eth0 root handle 1: htb default 12

2) Create the classes (note that in tc, kbps means kilobytes per second; kbit is kilobits per second)

tc class add dev eth0 parent 1: classid 1:1 htb rate 100kbps ceil 100kbps

tc class add dev eth0 parent 1:1 classid 1:10 htb rate 30kbps ceil 100kbps

tc class add dev eth0 parent 1:1 classid 1:11 htb rate 10kbps ceil 100kbps

tc class add dev eth0 parent 1:1 classid 1:12 htb rate 60kbps ceil 100kbps

3) Attach a qdisc to each leaf class. If none is specified, the default is pfifo

tc qdisc add dev eth0 parent 1:10 handle 20: pfifo limit 5

tc qdisc add dev eth0 parent 1:11 handle 30: pfifo limit 5

tc qdisc add dev eth0 parent 1:12 handle 40: sfq perturb 10

Class 1:12 is the default class (htb default 12): it receives all packets that do not match the filters of any other class.
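Case 4 as a script, added here as an example that is not part of the original notes. It builds the HTB tree exactly as above and adds one thing the notes only hint at in case 1 ("with these marks we can do bandwidth restrictions"): a fw classifier that places packets carrying firewall mark 100 into class 1:10, so the iptables MARK rule and the shaper work together. The mark value and eth0 are assumptions. Two checks are included because they catch the most common HTB mistakes: rate_to_bits makes the kbps/kbit unit difference explicit (tc reads kbps as kilobytes per second), and rates_fit refuses a tree whose child rates add up to more than the parent's, since HTB cannot honour guarantees it has oversubscribed. DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original notes): the HTB tree of application
# case 4 plus a firewall-mark filter that steers the packets marked 100 in
# application case 1 into class 1:10, with two sanity checks run beforehand.
# Interface, rates and class ids follow the notes; MARK=100 is the assumption
# that ties the two cases together. DRY_RUN=1 prints instead of executing.

DEV=eth0
MARK=100

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# tc rate units: "kbit"/"mbit" are bits per second, "kbps"/"mbps" are BYTES
# per second (k = 1000). "100kbps" is therefore 800 kbit/s, not 100 kbit/s.
# Prints the rate in bits per second.
rate_to_bits() {
    r=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    n=${r%%[a-z]*}          # numeric part
    case "$r" in
        *kbit)  echo $((n * 1000)) ;;
        *mbit)  echo $((n * 1000000)) ;;
        *kbps)  echo $((n * 8000)) ;;
        *mbps)  echo $((n * 8000000)) ;;
        *bps)   echo $((n * 8)) ;;
        *bit|*[0-9]) echo "$n" ;;
        *) echo "unknown rate unit: $1" >&2; return 1 ;;
    esac
}

# HTB can only guarantee each child its "rate" if the children's rates do not
# add up to more than the parent's. Arguments: parent rate, then child rates.
rates_fit() {
    parent=$(rate_to_bits "$1"); shift
    total=0
    for c in "$@"; do
        total=$((total + $(rate_to_bits "$c")))
    done
    [ "$total" -le "$parent" ]
}

htb_tree() {
    # Root qdisc; unclassified traffic goes to 1:12 ("default 12").
    run tc qdisc add dev "$DEV" root handle 1: htb default 12
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate 100kbps ceil 100kbps
    run tc class add dev "$DEV" parent 1:1 classid 1:10 htb rate 30kbps ceil 100kbps
    run tc class add dev "$DEV" parent 1:1 classid 1:11 htb rate 10kbps ceil 100kbps
    run tc class add dev "$DEV" parent 1:1 classid 1:12 htb rate 60kbps ceil 100kbps
    # Leaf qdiscs, as in the notes.
    run tc qdisc add dev "$DEV" parent 1:10 handle 20: pfifo limit 5
    run tc qdisc add dev "$DEV" parent 1:11 handle 30: pfifo limit 5
    run tc qdisc add dev "$DEV" parent 1:12 handle 40: sfq perturb 10
    # fw classifier: packets carrying firewall mark 100 (set by the iptables
    # MARK rule of case 1) are placed in class 1:10. The handle is the mark.
    run tc filter add dev "$DEV" parent 1: protocol ip prio 1 handle "$MARK" fw flowid 1:10
}

if [ "${1:-}" = "apply" ]; then
    rates_fit 100kbps 30kbps 10kbps 60kbps ||
        { echo "child rates exceed the parent rate" >&2; exit 1; }
    htb_tree
fi
```

The fw classifier is what makes the mark from case 1 useful for shaping as well as for routing; the same mark can drive both an ip rule and a tc class.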

-- Traffic analysis and fault diagnosis --

tc -s -d qdisc show dev eth0: queue status

tc -s class show dev eth0: class status

tc filter show dev eth0: filter status
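Reading the per-class counters is where shaping problems show up, so here is an added example (not from the original notes) that turns tc -s class show output into a quick health check: a class reporting drops has overflowed its leaf queue (the pfifo limit 5 of case 4 is very small), and a large overlimits count means the class is constantly being held to its rate or ceil. SAMPLE is constructed in the layout tc prints for an HTB tree; it was not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the original notes): flag HTB classes whose
# "tc -s class show" counters indicate trouble. SAMPLE below is constructed
# in the layout of "tc -s class show dev eth0" for an HTB tree; it is not
# output captured from a real system.

SAMPLE='class htb 1:1 root rate 800Kbit ceil 800Kbit burst 1600b cburst 1600b
 Sent 10038888 bytes 8544 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 250000 ctokens: 250000
class htb 1:10 parent 1:1 leaf 20: prio 0 rate 240Kbit ceil 800Kbit burst 1600b cburst 1600b
 Sent 51234 bytes 421 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 421 borrowed: 0 giants: 0
 tokens: 833333 ctokens: 250000
class htb 1:12 parent 1:1 leaf 40: prio 0 rate 480Kbit ceil 800Kbit burst 1600b cburst 1600b
 Sent 9987654 bytes 8123 pkt (dropped 57, overlimits 1204 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 6900 borrowed: 1223 giants: 0
 tokens: -12000 ctokens: 4000'

# Reads "tc -s class show" output on stdin and prints
# "<classid> dropped=<n> overlimits=<m>" for every class whose counters exceed
# the thresholds. Arguments: max tolerated drops (default 0) and max tolerated
# overlimits (default 1000).
flag_classes() {
    drop_max=${1:-0}
    over_max=${2:-1000}
    awk -v dmax="$drop_max" -v omax="$over_max" '
        /^class / { id = $3 }                      # remember the current class id
        /dropped/ {
            match($0, /dropped [0-9]+/);    d = substr($0, RSTART + 8, RLENGTH - 8)
            match($0, /overlimits [0-9]+/); o = substr($0, RSTART + 11, RLENGTH - 11)
            if (d + 0 > dmax || o + 0 > omax)
                printf "%s dropped=%s overlimits=%s\n", id, d, o
        }'
}

# Live use: ./tc-check.sh live eth0
if [ "${1:-}" = "live" ]; then
    tc -s class show dev "${2:-eth0}" | flag_classes
fi
```

Counters are cumulative since the qdisc was created, so run the check twice a few seconds apart and compare, or reset by recreating the tree, before concluding that a class is currently starved.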

These are the notes on iproute2 policy routing and flow control; I hope they are of some help.
