= Syn-3 traffic control behind the scenes =

== Basic traffic-control diagram ==

[[Image(syn3_traffic_control_schema.png)]]

'''Remarks:'''

 * Network card IN and network card OUT can physically be the same network card, but also two or more different ones.
 * Traffic-control rules of the types TO (NAAR, red) and THROUGH (DOOR, blue) can get in each other's way, because all traffic that goes THROUGH the machine also goes TO the machine.
 * TO the machine uses a different traffic-control method (Ingress) than THROUGH and FROM (VAN), which use Egress.
 * Every network card or VPN interface has its own TC-Egress and TC-Ingress.

== Tunnel traffic-control diagram ==

[[Image(syn3_traffic_control_schema_tun.png)]]

'''Remarks:'''

 * For incoming tunnel traffic, the data passes twice through the red block 'Everything to the machine' (Alles naar de machine) and possibly once through the blue block 'Everything through the machine' (Alles door de machine), or goes to the local processes.
 * For outgoing tunnel traffic, the data passes at least once through the blue block 'Everything from the machine' (Alles van de machine).

== Debugging ==

You can log in to the Syn-3 server over SSH (if this does not work, check the firewall) and use the '''syn3-tcdump''' command.
{{{
[Syn-3] root@testbak2.example.net ~# syn3-tcdump
***********************************TC INFO eth0*************************************
***********************************Classes eth0*************************************
class htb 1:10 parent 1:1 leaf 10: prio 3 quantum 1500 rate 1000bit ceil 100000Kbit burst 10000b/8 mpu 0b overhead 0b cburst 51787b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 78125000 ctokens: 4046

class htb 1:1 root rate 100000Kbit ceil 100000Kbit burst 9987b/8 mpu 0b overhead 0b cburst 51787b/8 mpu 0b overhead 0b level 7
 Sent 22563 bytes 19 pkt (dropped 0, overlimits 0 requeues 0)
 rate 5512bit 0pps backlog 0b 0p requeues 0
 lended: 4 borrowed: 0 giants: 0
 tokens: 761 ctokens: 4026

class htb 1:20 parent 1:1 leaf 20: prio 2 quantum 1250 rate 100000bit ceil 100000Kbit burst 10000b/8 mpu 0b overhead 0b cburst 51787b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 781250 ctokens: 4046

class htb 1:21 parent 1:1 leaf 21: prio 3 quantum 1250 rate 100000bit ceil 100000Kbit burst 10000b/8 mpu 0b overhead 0b cburst 51787b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 781250 ctokens: 4046

class htb 1:17 parent 1:1 leaf 17: prio 2 quantum 2500 rate 200000bit ceil 100000Kbit burst 10000b/8 mpu 0b overhead 0b cburst 51787b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 390625 ctokens: 4046

class htb 1:16 parent 1:1 leaf 16: prio 2 quantum 1250 rate 100000bit ceil 100000bit burst 10000b/8 mpu 0b overhead 0b cburst 1649b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 781250 ctokens: 128906

class htb 1:19 parent 1:1 leaf 19: prio 3 quantum 1000 rate 5000bit ceil 100000Kbit burst 10000b/8 mpu 0b overhead 0b cburst 51787b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 15625000 ctokens: 4046

class htb 1:18 parent 1:1 leaf 18: prio 2 quantum 1000 rate 5000bit ceil 100000Kbit burst 10000b/8 mpu 0b overhead 0b cburst 51787b/8 mpu 0b overhead 0b level 0
 Sent 22563 bytes 19 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 15 borrowed: 4 giants: 0
 tokens: -14792027 ctokens: 4026

***********************************Qdiscs eth0**************************************
qdisc htb 1: r2q 10 default 10 direct_packets_stat 0 ver 3.17
 Sent 30759 bytes 69 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 10: parent 1:10 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 16: parent 1:16 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 17: parent 1:17 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 18: parent 1:18 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 30759 bytes 69 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 19: parent 1:19 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 20: parent 1:20 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 21: parent 1:21 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
***********************************Egress Filters eth0******************************
filter parent 1: protocol ip pref 2 fw
filter parent 1: protocol ip pref 2 fw handle 0x10 classid 1:16
filter parent 1: protocol ip pref 2 fw handle 0x11 classid 1:17
filter parent 1: protocol ip pref 2 fw handle 0x12 classid 1:18
filter parent 1: protocol ip pref 2 fw handle 0x14 classid 1:20
filter parent 1: protocol ip pref 3 fw
filter parent 1: protocol ip pref 3 fw handle 0x13 classid 1:19
filter parent 1: protocol ip pref 3 fw handle 0x15 classid 1:21
***********************************Ingress Filters eth0*****************************
***********************************TC INFO eth1*************************************
***********************************Classes eth1*************************************
Cannot find device "eth1"
***********************************Qdiscs eth1**************************************
Cannot find device "eth1"
***********************************Egress Filters eth1******************************
Cannot find device "eth1"
***********************************Ingress Filters eth1*****************************
Cannot find device "eth1"
***********************************TC INFO ipsec0*************************************
***********************************Classes ipsec0*************************************
***********************************Qdiscs ipsec0**************************************
qdisc pfifo_fast 0: root bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
***********************************Egress Filters ipsec0******************************
***********************************Ingress Filters ipsec0*****************************
***********************************IPTABLES MANGLE INFO***************************
Chain PREROUTING (policy ACCEPT 266K packets, 38M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 262K packets, 37M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK match !0x0
    0     0 MARK       udp  --  *      eth0    10.73.57.10          0.0.0.0/0           MARK match 0x0 udp dpts:10000:20000 MARK set 0x14
    0     0 MARK       udp  --  *      eth0    10.73.57.10          0.0.0.0/0           MARK match 0x0 udp dpt:5060 MARK set 0x14
    0     0 MARK       udp  --  eth0   *       0.0.0.0/0            10.73.57.10         MARK match 0x0 udp dpts:10000:20000 MARK set 0x14
    0     0 MARK       udp  --  eth0   *       0.0.0.0/0            10.73.57.10         MARK match 0x0 udp dpt:5060 MARK set 0x14
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK save

Chain OUTPUT (policy ACCEPT 205K packets, 24M bytes)
 pkts bytes target     prot opt in     out     source               destination
  134 39285 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore
  134 39285 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK match !0x0
    0     0 MARK       udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 udp dpts:10000:20000 MARK set 0x10
    0     0 MARK       udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 udp spts:10000:20000 MARK set 0x10
    0     0 MARK       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 tcp dpt:6881 MARK set 0x11
    0     0 MARK       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 tcp spt:6881 MARK set 0x11
    0     0 MARK       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 tcp dpt:22 MARK set 0x12
    0     0 MARK       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 tcp spt:22 MARK set 0x12
    0     0 MARK       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 tcp dpt:10000 MARK set 0x12
    0     0 MARK       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 tcp spt:10000 MARK set 0x12
    0     0 MARK       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 MARK set 0x13
    0     0 MARK       udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 udp spts:10000:20000 MARK set 0x15
    0     0 MARK       udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 udp spt:5060 MARK set 0x15
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK save

Chain POSTROUTING (policy ACCEPT 260K packets, 62M bytes)
 pkts bytes target     prot opt in     out     source               destination
}}}

'''Note:''' the '''MARK''' values that have to correspond are hexadecimal in IPTABLES and decimal in TC. For example, the following TC rule ends with the decimal value 17:

{{{
filter parent 1: protocol ip pref 2 fw handle 0x11 classid 1:17
}}}

while the IPTABLES classification rule that belongs to it ends with the hexadecimal value 0x11:

{{{
    0     0 MARK       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 tcp dpt:6881 MARK set 0x11
}}}

== See also ==

 * [../listtrafficcontrol Syn-3 traffic control]
 * [../settings Traffic control settings]
 * [../edittrafficcontrol Adding/changing traffic control rules]
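== Checking MARK values against the TC classes ==

The hex/decimal correspondence described in the note in the Debugging section can be checked mechanically instead of by eye. The script below is an added example written for this page; it is not part of Syn-3 and not part of syn3-tcdump. It parses the `class htb`, `fw handle ... classid` and `MARK set` lines in the format the dump above prints, and reports three things: marks that iptables sets but no tc fw filter picks up, filters whose target class is not in the class list, and filters that break the Syn-3 naming rule (hex mark 0x11 belongs to class 1:17). The two excerpts inside the script are constructed from the dump above; the iptables line for mark 0x16 and the filter for mark 0x17 are deliberately added inconsistencies so that the check has something to report.

```python
"""Cross-check iptables MARK values against tc fw filters and HTB classes.

Added example for the Syn-3 traffic-control wiki page; it is not part of
Syn-3 or of syn3-tcdump. The excerpts below are constructed from the dump
on the page. Two lines are deliberately wrong so the check reports them:
the iptables rule setting mark 0x16 (no tc filter for it) and the tc
filter for mark 0x17 (class 1:22 does not exist, and 0x17 is 23, not 22).
"""
import re

# Constructed excerpt of "Classes eth0" and "Egress Filters eth0"; last line is the planted error.
TC_DUMP = """\
class htb 1:10 parent 1:1 leaf 10: prio 3 quantum 1500 rate 1000bit ceil 100000Kbit
class htb 1:1 root rate 100000Kbit ceil 100000Kbit
class htb 1:20 parent 1:1 leaf 20: prio 2 quantum 1250 rate 100000bit ceil 100000Kbit
class htb 1:21 parent 1:1 leaf 21: prio 3 quantum 1250 rate 100000bit ceil 100000Kbit
class htb 1:17 parent 1:1 leaf 17: prio 2 quantum 2500 rate 200000bit ceil 100000Kbit
class htb 1:16 parent 1:1 leaf 16: prio 2 quantum 1250 rate 100000bit ceil 100000bit
class htb 1:19 parent 1:1 leaf 19: prio 3 quantum 1000 rate 5000bit ceil 100000Kbit
class htb 1:18 parent 1:1 leaf 18: prio 2 quantum 1000 rate 5000bit ceil 100000Kbit
filter parent 1: protocol ip pref 2 fw
filter parent 1: protocol ip pref 2 fw handle 0x10 classid 1:16
filter parent 1: protocol ip pref 2 fw handle 0x11 classid 1:17
filter parent 1: protocol ip pref 2 fw handle 0x12 classid 1:18
filter parent 1: protocol ip pref 2 fw handle 0x14 classid 1:20
filter parent 1: protocol ip pref 3 fw
filter parent 1: protocol ip pref 3 fw handle 0x13 classid 1:19
filter parent 1: protocol ip pref 3 fw handle 0x15 classid 1:21
filter parent 1: protocol ip pref 3 fw handle 0x17 classid 1:22
"""

# Constructed excerpt of the mangle OUTPUT/FORWARD MARK rules; last line is the planted error.
IPTABLES_DUMP = """\
    0     0 MARK       udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 udp dpts:10000:20000 MARK set 0x10
    0     0 MARK       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 tcp dpt:6881 MARK set 0x11
    0     0 MARK       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 tcp dpt:22 MARK set 0x12
    0     0 MARK       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 MARK set 0x13
    0     0 MARK       udp  --  *      eth0    10.73.57.10          0.0.0.0/0           MARK match 0x0 udp dpt:5060 MARK set 0x14
    0     0 MARK       udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 udp spt:5060 MARK set 0x15
    0     0 MARK       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 tcp dpt:443 MARK set 0x16
"""

CLASS_RE = re.compile(r"^class htb (\d+:\d+)\b")
FILTER_RE = re.compile(r"\bfw handle (0x[0-9a-fA-F]+) classid (\d+:\d+)\b")
MARK_SET_RE = re.compile(r"\bMARK set (0x[0-9a-fA-F]+)\b")


def parse_classes(tc_text):
    """Return the HTB class ids exactly as tc prints them, e.g. {'1:1', '1:17', ...}."""
    return {m.group(1) for m in map(CLASS_RE.match, tc_text.splitlines()) if m}


def parse_fw_filters(tc_text):
    """Map each fw filter's hex mark to the class it sends traffic to, e.g. '0x11' -> '1:17'."""
    return {m.group(1).lower(): m.group(2)
            for m in map(FILTER_RE.search, tc_text.splitlines()) if m}


def parse_marks(ipt_text):
    """Return every hex mark that an iptables MARK rule sets, e.g. {'0x10', '0x11', ...}."""
    return {m.group(1).lower() for m in map(MARK_SET_RE.search, ipt_text.splitlines()) if m}


def follows_syn3_convention(mark, classid):
    """Syn-3 names the class after the mark: the minor number as printed in the
    dump is the decimal value of the hex mark (0x11 -> 1:17)."""
    return int(classid.split(":")[1]) == int(mark, 16)


def cross_check(tc_text, ipt_text):
    """Return a list of findings (strings); an empty list means the two sides agree."""
    classes = parse_classes(tc_text)
    filters = parse_fw_filters(tc_text)
    marks = parse_marks(ipt_text)
    findings = []
    for mark in sorted(marks - set(filters)):
        findings.append(f"iptables sets mark {mark} but no tc fw filter matches it; "
                        "that traffic falls into the qdisc's default class")
    for mark, classid in sorted(filters.items()):
        if classid not in classes:
            findings.append(f"tc filter for mark {mark} sends traffic to {classid}, "
                            "which is not in the class list")
        if not follows_syn3_convention(mark, classid):
            findings.append(f"tc filter for mark {mark} targets {classid}; Syn-3 naming "
                            f"expects minor {int(mark, 16)}")
        if mark not in marks:
            findings.append(f"tc filter for mark {mark} exists but no iptables rule sets it")
    return findings


if __name__ == "__main__":
    for line in cross_check(TC_DUMP, IPTABLES_DUMP) or ["no inconsistencies found"]:
        print(line)
```

On a real server, save the output of syn3-tcdump to a file and pass its text to `cross_check` for both arguments; the regular expressions ignore everything except the three line types. Of the findings, a mark without a filter is the one that matters operationally: the fw filter matches a packet on its handle (the mark) alone, so such traffic is shaped by the default class (class 10 in the dump above) without any error being logged. The 1:17 naming is a Syn-3 convention that keeps the dump readable, so a mismatch there does not change what the kernel does, but it makes the dump misleading.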