On Thu, 2005-28-07 at 08:19 +0200, Lucas Nussbaum wrote:
> On Wed, Jul 27, 2005 at 08:59:56AM -0400, jamal <[EMAIL PROTECTED]> wrote:
> > On Wed, 2005-27-07 at 10:06 +0200, Lucas Nussbaum wrote:
> > > Hi,
> > >
> > > I'm interested in doing more complex stuff on inbound packets than what
> > > is currently possible with ing_filter (I understand ingress doesn't
> > > allow child classes , and can only drop/pass packets, not store one to
> > > send it later).
> > >
> >
> > No, thats not true. You can write a tc action that will steal packets
> > from that path and later reinject them.
>
> Any example/mail thread I could read about this ?
>
Attaching README from a posting on netdev few months back.
For background:
-> You need to be familiar with how traffic control works on linux.
-> must take a look at netem if what you want to do is emulation since
you maybe reinventing the wheel.
> > I am not sure why you say it's unclean. If you can give the packets to
> > dummy and run any qdisc on it such as netem - why would that be a
> > problem?
>
> I'm concerned about the overhead of redirecting the packets to a
> dummy/imq device and then re-inject them, compared to doing all the
> processing inside ing_filter. However, I don't know enough linux
> internals to really evaluate it. Any idea ?
I dont think there will be any difference with you hard-coding at
ing_filter() and using existing infrastructure. In both cases you will
need to redirect packets to some queue and then later let them continue
on their way up the stack.
Infact i have strong feeling you will not need to write a single line of
code.
cheers,
jamal
This is in relation to providing functionality that IMQ was intending
to using the dummy device and tc actions.
Please forward this to any other list which may have interest
in the subject.
Advantage over current IMQ; cleaner in particular in in SMP;
with a _lot_ less code.
Old Dummy device functionality is preserved while new one only
kicks in if you use actions.
IMQ USES
--------
As far as i know the reasons listed below is why people use IMQ.
It would be nice to know of anything else that i missed.
1) qdiscs/policies that are per device as opposed to system wide.
IMQ allows for sharing.
2) Allows for queueing incoming traffic for shaping instead of
dropping. I am not aware of any study that shows policing is
worse than shaping in achieving the end goal of rate control.
I would be interested if anyone is experimenting.
3) Very interesting use: if you are serving p2p you may wanna give
preference to your own localy originated traffic (when responses come back)
vs someone using your system to do bittorent. So QoSing based on state
comes in as the solution. What people did to achive this was stick
the IMQ somewhere prelocal hook.
I think this is a pretty neat feature to have in Linux in general.
(i.e not just for IMQ).
But i wont go back to putting netfilter hooks in the device to satisfy
this. I also dont think its worth it hacking dummy some more to be
aware of say L3 info and play ip rule tricks to achieve this.
--> Instead the plan is to have a contrack related action. This action will
selectively either query/create contrack state on incoming packets.
Packets could then be redirected to dummy based on what happens -> eg
on incoming packets; if we find they are of known state we could send to
a different queue than one which didnt have existing state. This
all however is dependent on whatever rules the admin enters.
What you can do with dummy currently with actions
--------------------------------------------------
Lets say you are policing packets from alias 192.168.200.200/32
you dont want those to exceed 100kbps going out.
tc filter add dev eth0 parent 1: protocol ip prio 10 u32 \
match ip src 192.168.200.200/32 flowid 1:2 \
action police rate 100kbit burst 90k drop
If you run tcpdump on eth0 you will see all packets going out
with src 192.168.200.200/32 dropped or not
Extend the rule a little to see only the ones that made it out:
tc filter add dev eth0 parent 1: protocol ip prio 10 u32 \
match ip src 192.168.200.200/32 flowid 1:2 \
action police rate 10kbit burst 90k drop \
action mirred egress mirror dev dummy0
Now fire tcpdump on dummy0 to see only those packets ..
tcpdump -n -i dummy0 -x -e -t
Essentially a good debugging/logging interface.
If you replace mirror with redirect, those packets will be
blackholed and will never make it out. This redirect behavior
changes with new patch (but not the mirror).
What you can do with the patch to provide functionality
that most people use IMQ for below:
--------
export TC="/sbin/tc"
$TC qdisc add dev dummy0 root handle 1: prio
$TC qdisc add dev dummy0 parent 1:1 handle 10: sfq
$TC qdisc add dev dummy0 parent 1:2 handle 20: tbf rate 20kbit buffer 1600
limit 3000
$TC qdisc add dev dummy0 parent 1:3 handle 30: sfq
$TC filter add dev dummy0 protocol ip pref 1 parent 1: handle 1 fw classid 1:1
$TC filter add dev dummy0 protocol ip pref 2 parent 1: handle 2 fw classid 1:2
ifconfig dummy0 up
$TC qdisc add dev eth0 ingress
# redirect all IP packets arriving in eth0 to dummy0
# use mark 1 --> puts them onto class 1:1
$TC filter add dev eth0 parent ffff: protocol ip prio 10 u32 \
match u32 0 0 flowid 1:1 \
action ipt -j MARK --set-mark 1 \
action mirred egress redirect dev dummy0
--------
Run A Little test:
from another machine ping so that you have packets going into the box:
-----
[EMAIL PROTECTED] action-tests]# ping 10.22
PING 10.22 (10.0.0.22): 56 data bytes
64 bytes from 10.0.0.22: icmp_seq=0 ttl=64 time=2.8 ms
64 bytes from 10.0.0.22: icmp_seq=1 ttl=64 time=0.6 ms
64 bytes from 10.0.0.22: icmp_seq=2 ttl=64 time=0.6 ms
--- 10.22 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.6/1.3/2.8 ms
[EMAIL PROTECTED] action-tests]#
-----
Now look at some stats:
---
[EMAIL PROTECTED]:~# $TC -s filter show parent ffff: dev eth0
filter protocol ip pref 10 u32
filter protocol ip pref 10 u32 fh 800: ht divisor 1
filter protocol ip pref 10 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid
1:1
match 00000000/00000000 at 0
action order 1: tablename: mangle hook: NF_IP_PRE_ROUTING
target MARK set 0x1
index 1 ref 1 bind 1 installed 4195sec used 27sec
Sent 252 bytes 3 pkts (dropped 0, overlimits 0)
action order 2: mirred (Egress Redirect to device dummy0) stolen
index 1 ref 1 bind 1 installed 165 sec used 27 sec
Sent 252 bytes 3 pkts (dropped 0, overlimits 0)
[EMAIL PROTECTED]:~# $TC -s qdisc
qdisc sfq 30: dev dummy0 limit 128p quantum 1514b
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc tbf 20: dev dummy0 rate 20Kbit burst 1575b lat 2147.5s
Sent 210 bytes 3 pkts (dropped 0, overlimits 0)
qdisc sfq 10: dev dummy0 limit 128p quantum 1514b
Sent 294 bytes 3 pkts (dropped 0, overlimits 0)
qdisc prio 1: dev dummy0 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 504 bytes 6 pkts (dropped 0, overlimits 0)
qdisc ingress ffff: dev eth0 ----------------
Sent 308 bytes 5 pkts (dropped 0, overlimits 0)
[EMAIL PROTECTED]:~# ifconfig dummy0
dummy0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:6 errors:0 dropped:3 overruns:0 frame:0
TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:504 (504.0 b) TX bytes:252 (252.0 b)
-----
Dummy continues to behave like it always did.
You send it any packet not originating from the actions it will drop them.
[In this case the three dropped packets were ipv6 ndisc].
My goal here is to start a discussion to see if people agree this is
a good replacement for IMQ or whether to go another path.
Clearly i would prefer to have this change in, but I am not religious
and would listen to reason about how it should be done as long as no
uneccessary clutter happens.
Patch attached.
