Re: lug-bg: CBQ problem
- Subject: Re: lug-bg: CBQ problem
- From: stoev@xxxxxxxxxxxxxxxxx (Julian Stoev)
- Date: Thu, 4 May 2000 05:56:00 +0900
On Wed, May 03, 2000 at 10:34:32PM +0300, Luben Karavelov wrote:
|> At the moment I am trying the following on the machine here:
|> #! /bin/sh -x
|> #
|> TC=/root/iproute2/tc/tc
|> IPCHAINS=/sbin/ipchains
|> INDEV=eth0
|> NETWORK=147.46.115.0
|> NETMASK=255.255.255.0
|> #
|> ############################################################
|> $IPCHAINS -A input -i $INDEV -s ! $NETWORK/$NETMASK -m 1
|> ############################################################
|>
|> $TC qdisc add dev $INDEV handle ffff: ingress
|>
|> ############################################################
|> $TC filter add dev $INDEV parent ffff: protocol ip prio 50 handle 1 fw \
|> police rate 5kbps burst 40 mtu 9k drop flowid :1
|> ############################################################
|>
|>
|> However, nothing happens - I keep downloading with ftp at 850 kbps :((((
|> ipchains marks the packets successfully, but the result is nil.
|>
|> I am using the following versions
|> ftp://lrcftp.epfl.ch/pub/linux/diffserv/dist/ds-8.tar.gz
|> This is a patch for the kernel and for iproute 2, which in turn is the following version:
|> ftp://ftp.inr.ac.ru/ip-routing/iproute2-2.2.4-now-ss991023.tar.gz
|>
|>
|> --JS
|>
|
|Well, I don't know why you chose ingress exactly; I haven't worked with
|this queue discipline, but to limit the incoming traffic (which I think
|you can't do directly) you need to limit the rate at which the TCP
|acknowledgements are returned. So if you want 5kbps of traffic, you need
|to set a limit of about 500bps on sending to the respective network.
|
|I think so because qdiscs are attached to, and are in effect only on,
|the outgoing device. If I'm wrong, somebody please correct me.
|
|Luben
The theory claims that ingress is precisely for limiting INCOMING
traffic. I know that with the other methods such traffic cannot be limited.
I cannot count on cooperation from the administrator of the gateway in
Bg, and the truth is that HE could very easily fix things with the
normal CBQ that you are writing about.
Here is where I'm reading about ingress
http://www.ds9a.nl/2.4Routing/HOWTO//cvs/2.4routing/output/2.4routing-8.html#ss8.5
In iproute2 there is an example for limiting SYN packets by marking them
with ipchains. I am using the same trick (more precisely, I'm trying to).
Here is the example from iproute2, verbatim.
#! /bin/sh -x
#
# sample script on using the ingress capabilities
# this script shows how one can rate limit incoming SYNs
# Useful for TCP-SYN attack protection. You can use
# IPchains to have more powerful additions to the SYN (eg
# in addition the subnet)
#
#path to various utilities;
#change to reflect yours.
#
IPROUTE=/root/DS-6-beta/iproute2-990530-dsing
TC=$IPROUTE/tc/tc
IP=$IPROUTE/ip/ip
IPCHAINS=/root/DS-6-beta/ipchains-1.3.9/ipchains
INDEV=eth2
#
# tag all incoming SYN packets through $INDEV as mark value 1
############################################################
$IPCHAINS -A input -i $INDEV -y -m 1
############################################################
#
# install the ingress qdisc on the ingress interface
############################################################
$TC qdisc add dev $INDEV handle ffff: ingress
############################################################
#
#
# SYN packets are 40 bytes (320 bits) so three SYNs equals
# 960 bits (approximately 1kbit); so we rate limit below
# the incoming SYNs to 3/sec (not very useful really; but
#serves to show the point - JHS
############################################################
$TC filter add dev $INDEV parent ffff: protocol ip prio 50 handle 1 fw \
police rate 1kbit burst 40 mtu 9k drop flowid :1
############################################################
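
The arithmetic in the script comment above (40-byte SYNs against "police rate 1kbit burst 40"), worked through as an added example that is not part of the original post or of iproute2: a simplified single token-bucket model in Python. It assumes 1kbit = 1000 bit/s and ignores the mtu parameter; the function names and the constructed arrival times are illustrative.

```python
# Added illustration, not iproute2 code: single token-bucket model of
# "police rate 1kbit burst 40 ... drop" fed with 40-byte SYNs.
# Assumptions: 1kbit = 1000 bit/s; the mtu parameter is ignored.

SYN_BYTES = 40          # SYN size stated in the quoted script comment
RATE_BIT_S = 1000       # "rate 1kbit" (assumed 1000 bit/s)
BURST_BYTES = 40        # "burst 40"
SCALE = 1_000_000       # credit unit: 1 bit == SCALE (time is in microseconds)


def constant_rate(pps, seconds):
    """Constructed sample input: arrival times (us) of pps packets/second."""
    return [i * 1_000_000 // pps for i in range(pps * seconds)]


def police(arrivals_us, pkt_bytes=SYN_BYTES,
           rate_bit_s=RATE_BIT_S, burst_bytes=BURST_BYTES):
    """Return one verdict per packet: True = passed, False = dropped."""
    cap = burst_bytes * 8 * SCALE      # bucket depth
    cost = pkt_bytes * 8 * SCALE       # credit one packet consumes
    tokens = cap                       # bucket starts full
    last = arrivals_us[0] if arrivals_us else 0
    verdicts = []
    for t in arrivals_us:
        # Refill for the elapsed time, never beyond the bucket depth.
        tokens = min(cap, tokens + (t - last) * rate_bit_s)
        last = t
        if tokens >= cost:
            tokens -= cost
            verdicts.append(True)
        else:
            verdicts.append(False)     # "drop" action of the policer
    return verdicts


if __name__ == "__main__":
    flood = police(constant_rate(100, 10))   # 100 SYN/s for 10 s
    quiet = police(constant_rate(2, 10))     # 2 SYN/s for 10 s
    print("flood: passed %d of %d" % (sum(flood), len(flood)))
    print("quiet: passed %d of %d" % (sum(quiet), len(quiet)))
```

Under the constructed 100 SYN/s flood the model passes 32 of 1000 packets in 10 seconds, about the 3 per second the script comment states. Since the fw filter matches every marked SYN, legitimate connection attempts draw on that same budget during a flood.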