wiki:help/scc/trafficcontrol/technisch

Version 17 (modified by rick, 15 years ago)


Syn-3 traffic control behind the scenes

Basic traffic-control diagram

Notes:

Network card IN and network card OUT can physically be the same network card, but they can also be two or more different ones.

Traffic-control rules of the TO type (red) and the THROUGH type (blue) can get in each other's way, because all traffic that goes THROUGH the machine also goes TO the machine.

TO the machine uses a different traffic-control method (Ingress) than THROUGH and FROM (Egress).

Every network card or VPN interface has its own TC-Egress and TC-Ingress.

Tunnel traffic-control diagram

Notes:

For incoming tunnel traffic, the data passes twice through the red block 'Everything to the machine' and possibly once through the blue block 'Everything through the machine', or it goes to the local processes.

For outgoing tunnel traffic, the data passes at least once through the blue block 'Everything from the machine'.

Debugging

You can log in to the Syn-3 server over SSH (if this does not work, check the firewall) and run the syn3-tcdump command.

[Syn-3] root@testbak2.example.net ~# syn3-tcdump
***********************************TC INFO eth0*************************************

***********************************Classes eth0*************************************
class htb 1:10 parent 1:1 leaf 10: prio 3 quantum 1500 rate 1000bit ceil 100000Kbit burst 10000b/8 mpu 0b overhead 0b cburst 51787b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 78125000 ctokens: 4046

class htb 1:1 root rate 100000Kbit ceil 100000Kbit burst 9987b/8 mpu 0b overhead 0b cburst 51787b/8 mpu 0b overhead 0b level 7
 Sent 22563 bytes 19 pkt (dropped 0, overlimits 0 requeues 0)
 rate 5512bit 0pps backlog 0b 0p requeues 0
 lended: 4 borrowed: 0 giants: 0
 tokens: 761 ctokens: 4026

class htb 1:20 parent 1:1 leaf 20: prio 2 quantum 1250 rate 100000bit ceil 100000Kbit burst 10000b/8 mpu 0b overhead 0b cburst 51787b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 781250 ctokens: 4046

class htb 1:21 parent 1:1 leaf 21: prio 3 quantum 1250 rate 100000bit ceil 100000Kbit burst 10000b/8 mpu 0b overhead 0b cburst 51787b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 781250 ctokens: 4046

class htb 1:17 parent 1:1 leaf 17: prio 2 quantum 2500 rate 200000bit ceil 100000Kbit burst 10000b/8 mpu 0b overhead 0b cburst 51787b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 390625 ctokens: 4046

class htb 1:16 parent 1:1 leaf 16: prio 2 quantum 1250 rate 100000bit ceil 100000bit burst 10000b/8 mpu 0b overhead 0b cburst 1649b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 781250 ctokens: 128906

class htb 1:19 parent 1:1 leaf 19: prio 3 quantum 1000 rate 5000bit ceil 100000Kbit burst 10000b/8 mpu 0b overhead 0b cburst 51787b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 15625000 ctokens: 4046

class htb 1:18 parent 1:1 leaf 18: prio 2 quantum 1000 rate 5000bit ceil 100000Kbit burst 10000b/8 mpu 0b overhead 0b cburst 51787b/8 mpu 0b overhead 0b level 0
 Sent 22563 bytes 19 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 15 borrowed: 4 giants: 0
 tokens: -14792027 ctokens: 4026


***********************************Qdiscs eth0**************************************
qdisc htb 1: r2q 10 default 10 direct_packets_stat 0 ver 3.17
 Sent 30759 bytes 69 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 10: parent 1:10 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 16: parent 1:16 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 17: parent 1:17 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 18: parent 1:18 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 30759 bytes 69 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 19: parent 1:19 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 20: parent 1:20 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 21: parent 1:21 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

***********************************Egress Filters eth0******************************
filter parent 1: protocol ip pref 2 fw
filter parent 1: protocol ip pref 2 fw handle 0x10 classid 1:16
filter parent 1: protocol ip pref 2 fw handle 0x11 classid 1:17
filter parent 1: protocol ip pref 2 fw handle 0x12 classid 1:18
filter parent 1: protocol ip pref 2 fw handle 0x14 classid 1:20
filter parent 1: protocol ip pref 3 fw
filter parent 1: protocol ip pref 3 fw handle 0x13 classid 1:19
filter parent 1: protocol ip pref 3 fw handle 0x15 classid 1:21

***********************************Ingress Filters eth0*****************************

***********************************TC INFO eth1*************************************

***********************************Classes eth1*************************************
Cannot find device "eth1"

***********************************Qdiscs eth1**************************************
Cannot find device "eth1"

***********************************Egress Filters eth1******************************
Cannot find device "eth1"

***********************************Ingress Filters eth1*****************************
Cannot find device "eth1"

***********************************TC INFO ipsec0*************************************

***********************************Classes ipsec0*************************************

***********************************Qdiscs ipsec0**************************************
qdisc pfifo_fast 0: root bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

***********************************Egress Filters ipsec0******************************

***********************************Ingress Filters ipsec0*****************************

***********************************IPTABLES MANGLE INFO***************************
Chain PREROUTING (policy ACCEPT 266K packets, 38M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 262K packets, 37M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK match !0x0
    0     0 MARK       udp  --  *      eth0    10.73.57.10          0.0.0.0/0           MARK match 0x0 udp dpts:10000:20000 MARK set 0x14
    0     0 MARK       udp  --  *      eth0    10.73.57.10          0.0.0.0/0           MARK match 0x0 udp dpt:5060 MARK set 0x14
    0     0 MARK       udp  --  eth0   *       0.0.0.0/0            10.73.57.10         MARK match 0x0 udp dpts:10000:20000 MARK set 0x14
    0     0 MARK       udp  --  eth0   *       0.0.0.0/0            10.73.57.10         MARK match 0x0 udp dpt:5060 MARK set 0x14
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK save

Chain OUTPUT (policy ACCEPT 205K packets, 24M bytes)
 pkts bytes target     prot opt in     out     source               destination
  134 39285 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore
  134 39285 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK match !0x0
    0     0 MARK       udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 udp dpts:10000:20000 MARK set 0x10
    0     0 MARK       udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 udp spts:10000:20000 MARK set 0x10
    0     0 MARK       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 tcp dpt:6881 MARK set 0x11
    0     0 MARK       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 tcp spt:6881 MARK set 0x11
    0     0 MARK       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 tcp dpt:22 MARK set 0x12
    0     0 MARK       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 tcp spt:22 MARK set 0x12
    0     0 MARK       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 tcp dpt:10000 MARK set 0x12
    0     0 MARK       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 tcp spt:10000 MARK set 0x12
    0     0 MARK       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 MARK set 0x13
    0     0 MARK       udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 udp spts:10000:20000 MARK set 0x15
    0     0 MARK       udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 udp spt:5060 MARK set 0x15
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK save

Chain POSTROUTING (policy ACCEPT 260K packets, 62M bytes)
 pkts bytes target     prot opt in     out     source               destination

Note: the MARK values that have to match each other are hexadecimal in IPTABLES and decimal in TC.

For example, the following TC rule ends with the decimal value 17:

filter parent 1: protocol ip pref 2 fw handle 0x11 classid 1:17

while the IPTABLES classification rule that belongs to it ends with the hexadecimal value 0x11.

    0     0 MARK       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 tcp dpt:6881 MARK set 0x11
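The check a practitioner usually wants after reading a syn3-tcdump is whether every mark that iptables sets actually has a tc fw filter (otherwise that traffic silently lands in the default class) and whether the hex handle and the decimal class number still line up. The script below is an added example, not part of Syn-3; it assumes the dump layout shown on this page and parses a constructed sample built from the lines above plus one extra MARK rule (0x16) that has no filter.

```python
# Added example (not Syn-3 code): cross-check the iptables MARK values and the
# tc 'fw' filters in a syn3-tcdump, assuming the dump layout shown on this page.
import re

BANNER_RE = re.compile(r"\*+Egress Filters (\S+?)\*+")
FILTER_RE = re.compile(r"fw handle (0x[0-9a-fA-F]+) classid (\d+:\d+)")
MARK_RE = re.compile(r"MARK set (0x[0-9a-fA-F]+)")

# Constructed sample: page lines plus one extra MARK rule (0x16) that has no tc filter.
SAMPLE_DUMP = """\
***********************************Egress Filters eth0******************************
filter parent 1: protocol ip pref 2 fw
filter parent 1: protocol ip pref 2 fw handle 0x10 classid 1:16
filter parent 1: protocol ip pref 2 fw handle 0x11 classid 1:17
filter parent 1: protocol ip pref 2 fw handle 0x14 classid 1:20
filter parent 1: protocol ip pref 3 fw handle 0x13 classid 1:19
***********************************Ingress Filters eth0*****************************
***********************************IPTABLES MANGLE INFO***************************
    0     0 MARK       udp  --  *      eth0    10.73.57.10          0.0.0.0/0           MARK match 0x0 udp dpt:5060 MARK set 0x14
    0     0 MARK       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 tcp dpt:6881 MARK set 0x11
    0     0 MARK       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 MARK set 0x13
    0     0 MARK       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x0 tcp dpt:9999 MARK set 0x16
"""

def parse_filters(dump):
    """Return {iface: {mark (int): classid}} from the 'Egress Filters' sections."""
    filters, iface = {}, None
    for line in dump.splitlines():
        m = BANNER_RE.search(line)
        if m:                              # start of an Egress Filters section
            iface = m.group(1)
            filters.setdefault(iface, {})
        elif line.startswith("*"):         # any other banner ends the section
            iface = None
        elif iface and (m := FILTER_RE.search(line)):
            filters[iface][int(m.group(1), 16)] = m.group(2)  # handle is hex

    return filters

def parse_marks(dump):
    """Return the set of mark values (as ints) that the iptables MARK rules set."""
    return {int(m.group(1), 16) for m in MARK_RE.finditer(dump)}

def check(dump, iface="eth0"):
    """Marks with no tc filter on iface, and filters breaking 'class = decimal mark'."""
    filters = parse_filters(dump).get(iface, {})
    unmatched = sorted(parse_marks(dump) - filters.keys())
    odd = {m: c for m, c in filters.items() if c != f"1:{m}"}
    return unmatched, odd
```

Running check(SAMPLE_DUMP) returns ([22], {}): mark 0x16 (decimal 22) has no fw filter on eth0, and all existing filters follow the hex-handle/decimal-class convention described above.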

See also
