1 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
6 <Title>Linux Advanced Routing & Traffic Control HOWTO</Title>
9 <FirstName>Bert</FirstName><Surname>Hubert</Surname>
11 <orgname>Netherlabs BV</orgname>
12 <address><email>bert.hubert@netherlabs.nl</email></address>
17 <collabname>Gregory Maxwell</collabname>
19 <address><email>greg@linuxpower.cx</email></address>
24 <collabname>Remco van Mook</collabname>
26 <address><email>remco@virtu.nl</email></address>
31 <collabname>Martijn van Oosterhout</collabname>
33 <address><email>kleptog@cupid.suninternet.com</email></address>
38 <collabname>Paul B Schroeder</collabname>
40 <address><email>paulsch@us.ibm.com</email></address>
45 <collabname>Jasper Spaans</collabname>
47 <address><email>jasper@spaans.ds9a.nl</email></address>
54 <revnumber role="rcs">$Revision$</revnumber>
55 <date role="rcs">$Date$</date>
56 <revremark>DocBook Edition</revremark>
61 <Para>A very hands-on approach to <application>iproute2</application>,
62 traffic shaping and a bit of <application>netfilter</application>.
68 <chapter id="lartc.dedication">
69 <Title>Dedication</Title>
72 This document is dedicated to lots of people, and is my attempt to do
73 something back. To list but a few:
93 The good folks from Google
99 The staff of Casema Internet
109 <chapter id="lartc.intro">
110 <Title>Introduction</Title>
113 Welcome, gentle reader.
117 This document hopes to enlighten you on how to do more with Linux 2.2/2.4
118 routing. Unbeknownst to most users, you already run tools which allow you to
119 do spectacular things. Commands like <command>route</command> and
120 <command>ifconfig</command> are actually
121 very thin wrappers for the very powerful iproute2 infrastructure.
125 I hope that this HOWTO will become as readable as the ones by Rusty Russell
126 of (amongst other things) netfilter fame.
130 You can always reach us by writing to the <ULink
131 URL="mailto:HOWTO@ds9a.nl"
133 >. However, please consider posting to the mailing
134 list (see the relevant section) if you have questions which are not directly
135 related to this HOWTO. We are no free helpdesk, but we often will answer questions
140 Before losing your way in this HOWTO, if all you want to do is simple
141 traffic shaping, skip everything and head to the <citetitle><xref linkend="lartc.other"></citetitle> chapter, and read about CBQ.init.
144 <Sect1 id="lartc.intro.disclaimer">
145 <Title>Disclaimer & License</Title>
148 This document is distributed in the hope that it will be useful,
149 but WITHOUT ANY WARRANTY; without even the implied warranty of
150 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
154 In short, if your STM-64 backbone breaks down and distributes pornography to
155 your most esteemed customers - it's never our fault. Sorry.
159 Copyright (c) 2002 by bert hubert, Gregory Maxwell, Martijn van
160 Oosterhout, Remco van Mook, Paul B. Schroeder and others. This material may
161 be distributed only subject to the terms and conditions set forth in the
162 Open Publication License, v1.0 or later (the latest version is presently
163 available at http://www.opencontent.org/openpub/).
167 Please freely copy and distribute (sell or give away) this document in any
168 format. It's requested that corrections and/or comments be fowarded to the
173 It is also requested that if you publish this HOWTO in hardcopy that you
174 send the authors some samples for <quote>review purposes</quote> :-)
179 <Sect1 id="lartc.intro.prior">
180 <Title>Prior knowledge</Title>
183 As the title implies, this is the <quote>Advanced</quote> HOWTO.
184 While by no means rocket science, some prior knowledge is assumed.
188 Here are some other references which might help teach you more:
192 <ULink URL="http://netfilter.samba.org/unreliable-guides/networking-concepts-HOWTO/index.html">
193 Rusty Russell's networking-concepts-HOWTO</ULink>
196 <Para>Very nice introduction, explaining what a network is, and how it is
197 connected to other networks.
202 <Term>Linux Networking-HOWTO (Previously the Net-3 HOWTO)</Term>
204 <Para>Great stuff, although very verbose. It teaches you a lot of stuff
205 that's already configured if you are able to connect to the Internet.
206 Should be located in <filename>/usr/doc/HOWTO/NET3-4-HOWTO.txt</filename>
207 but can be also be found
208 <ULink URL="http://www.linuxports.com/howto/networking">online</ULink>.
217 <Sect1 id="lartc.intro.linux">
218 <Title>What Linux can do for you</Title>
221 A small list of things that are possible:
226 <Para>Throttle bandwidth for certain computers
230 <Para>Throttle bandwidth TO certain computers
234 <Para>Help you to fairly share your bandwidth
238 <Para>Protect your network from DoS attacks
242 <Para>Protect the Internet from your customers
246 <Para>Multiplex several servers as one, for load balancing or
247 enhanced availability
251 <Para>Restrict access to your computers
255 <Para>Limit access of your users to other hosts
259 <Para>Do routing based on user id (yes!), MAC address, source IP
260 address, port, type of service, time of day or content
266 Currently, not many people are using these advanced features. This is for
267 several reasons. While the provided documentation is verbose, it is not very
268 hands-on. Traffic control is almost undocumented.
273 <Sect1 id="lartc.intro.houskeeping">
274 <Title>Housekeeping notes</Title>
277 There are several things which should be noted about this document. While I
278 wrote most of it, I really don't want it to stay that way. I am a strong
279 believer in Open Source, so I encourage you to send feedback, updates,
280 patches etcetera. Do not hesitate to inform me of typos or plain old errors.
281 If my English sounds somewhat wooden, please realise that I'm not a native
282 speaker. Feel free to send suggestions.
286 If you feel to you are better qualified to maintain a section, or think that
287 you can author and maintain new sections, you are welcome to do so. The SGML
288 of this HOWTO is available via CVS, I very much envision more people
293 In aid of this, you will find lots of FIXME notices. Patches are always
294 welcome! Wherever you find a FIXME, you should know that you are treading in
295 unknown territory. This is not to say that there are no errors elsewhere,
296 but be extra careful. If you have validated something, please let us know so
297 we can remove the FIXME notice.
301 About this HOWTO, I will take some liberties along the road. For example, I
302 postulate a 10Mbit Internet connection, while I know full well that those
308 <Sect1 id="lartc.intro.cvs">
309 <Title>Access, CVS & submitting updates</Title>
312 The canonical location for the HOWTO is
313 <ULink URL="http://www.ds9a.nl/lartc">here</ULink>.
317 We now have anonymous CVS access available to the world at large. This is
318 good in a number of ways. You can easily upgrade to newer versions of this
319 HOWTO and submitting patches is no work at all.
323 Furthermore, it allows the authors to work on the source independently,
328 $ export CVSROOT=:pserver:anon@outpost.ds9a.nl:/var/cvsroot
330 CVS password: [enter 'cvs' (without 's)]
332 cvs server: Updating 2.4routing
333 U 2.4routing/2.4routing.sgml
337 If you spot an error, or want to add something, just fix it locally, and run
338 <userinput>cvs diff -u</userinput>, and send the result off to us.
342 A Makefile is supplied which should help you create postscript, dvi, pdf,
343 html and plain text. You may need to install
344 <application>docbook</application>, <application>docbook-utils</application>,
345 <application>ghostscript</application> and <application>tetex</application>
351 <Sect1 id="lartc.intro.mlist">
352 <Title>Mailing list</Title>
355 The authors receive an increasing amount of mail about this HOWTO. Because
356 of the clear interest of the community, it has been decided to start a
357 mailinglist where people can talk to each other about Advanced Routing and
358 Traffic Control. You can subscribe to the list
359 <ULink URL="http://mailman.ds9a.nl/mailman/listinfo/lartc">here</ULink>.
363 It should be pointed out that the authors are very hesitant of answering
364 questions not asked on the list. We would like the archive of the list to
365 become some kind of knowledge base. If you have a question, please search
366 the archive, and then post to the mailinglist.
371 <Sect1 id="lartc.intro.layout">
372 <Title>Layout of this document</Title>
375 We will be doing interesting stuff almost immediately, which also means that
376 there will initially be parts that are explained incompletely or are not
377 perfect. Please gloss over these parts and assume that all will become clear.
381 Routing and filtering are two distinct things. Filtering is documented very
382 well by Rusty's HOWTOs, available here:
387 <Para><ULink URL="http://netfilter.samba.org/unreliable-guides/">
388 Rusty's Remarkably Unreliable Guides</ULink>
393 <Para>We will be focusing mostly on what is possible by combining netfilter
401 <chapter id="lartc.iproute2">
402 <Title>Introduction to iproute2</Title>
404 <Sect1 id="lartc.iproute2.why">
405 <Title>Why iproute2?</Title>
408 Most Linux distributions, and most UNIX's, currently use the
409 venerable <command>arp</command>, <command>ifconfig</command> and
410 <command>route</command> commands.
411 While these tools work, they show some unexpected behaviour under Linux 2.2
413 For example, GRE tunnels are an integral part of routing these days, but
414 require completely different tools.
418 With <application>iproute2</application>, tunnels are an integral part of
423 The 2.2 and above Linux kernels include a completely redesigned network
424 subsystem. This new networking code brings Linux performance and a feature
425 set with little competition in the general OS arena. In fact, the new
426 routing, filtering, and classifying code is more featureful than the one
427 provided by many dedicated routers and firewalls and traffic shaping
432 As new networking concepts have been invented, people have found ways to
433 plaster them on top of the existing framework in existing OSes. This
434 constant layering of cruft has lead to networking code that is filled with
435 strange behaviour, much like most human languages. In the past, Linux
436 emulated SunOS's handling of many of these things, which was not ideal.
440 This new framework makes it possible to clearly express features
441 previously beyond Linux's reach.
446 <Sect1 id="lartc.iproute2.tour">
447 <Title>iproute2 tour</Title>
450 Linux has a sophisticated system for bandwidth provisioning called Traffic
451 Control. This system supports various method for classifying, prioritizing,
452 sharing, and limiting both inbound and outbound traffic.
456 We'll start off with a tiny tour of iproute2 possibilities.
461 <Sect1 id="lartc.iproute2.package">
462 <Title>Prerequisites</Title>
465 You should make sure that you have the userland tools installed. This
466 package is called 'iproute' on both RedHat and Debian, and may otherwise be
467 found at <filename>ftp://ftp.inr.ac.ru/ip-routing/iproute2-2.2.4-now-ss??????.tar.gz"</filename>.
472 <ULink URL="ftp://ftp.inr.ac.ru/ip-routing/iproute2-current.tar.gz">here</ULink>
473 for the latest version.
477 Some parts of iproute require you to have certain kernel options enabled. It
478 should also be noted that all releases of RedHat up to and including 6.2
479 come without most of the traffic control features in the default kernel.
483 RedHat 7.2 has everything in by default.
487 Also make sure that you have netlink support, should you choose to roll your
488 own kernel. Iproute2 needs it.
493 <Sect1 id="lartc.iproute2.explore">
494 <Title>Exploring your current configuration</Title>
497 This may come as a surprise, but iproute2 is already configured! The current
498 commands <command>ifconfig</command> and <command>route</command> are already using the advanced
499 syscalls, but mostly with very default (ie. boring) settings.
503 The <command>ip</command> tool is central, and we'll ask it to display our interfaces
508 <Title><command>ip</command> shows us our links</Title>
511 [ahu@home ahu]$ ip link list
512 1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue
513 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
514 2: dummy: <BROADCAST,NOARP> mtu 1500 qdisc noop
515 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
516 3: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1400 qdisc pfifo_fast qlen 100
517 link/ether 48:54:e8:2a:47:16 brd ff:ff:ff:ff:ff:ff
518 4: eth1: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
519 link/ether 00:e0:4c:39:24:78 brd ff:ff:ff:ff:ff:ff
520 3764: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 10
526 Your mileage may vary, but this is what it shows on my NAT router at
527 home. I'll only explain part of the output as not everything is directly
532 We first see the loopback interface. While your computer may function
533 somewhat without one, I'd advise against it. The MTU size (Maximum Transfer
534 Unit) is 3924 octets, and it is not supposed to queue. Which makes sense
535 because the loopback interface is a figment of your kernel's imagination.
539 I'll skip the dummy interface for now, and it may not be present on your
540 computer. Then there are my two physical network interfaces, one at the side
541 of my cable modem, the other one serves my home ethernet segment.
542 Furthermore, we see a ppp0 interface.
546 Note the absence of IP addresses. iproute disconnects the concept of 'links'
547 and 'IP addresses'. With IP aliasing, the concept of 'the' IP address had
548 become quite irrelevant anyhow.
552 It does show us the MAC addresses though, the hardware identifier of our
559 <Title><command>ip</command> shows us our IP addresses</Title>
562 [ahu@home ahu]$ ip address show
563 1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue
564 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
565 inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
566 2: dummy: <BROADCAST,NOARP> mtu 1500 qdisc noop
567 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
568 3: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1400 qdisc pfifo_fast qlen 100
569 link/ether 48:54:e8:2a:47:16 brd ff:ff:ff:ff:ff:ff
570 inet 10.0.0.1/8 brd 10.255.255.255 scope global eth0
571 4: eth1: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
572 link/ether 00:e0:4c:39:24:78 brd ff:ff:ff:ff:ff:ff
573 3764: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 10
575 inet 212.64.94.251 peer 212.64.94.1/32 scope global ppp0
579 This contains more information. It shows all our addresses, and to which
580 cards they belong. 'inet' stands for Internet (IPv4). There are lots of other
581 address families, but these don't concern us right now.
585 Let's examine eth0 somewhat closer. It says that it is related to the inet
586 address '10.0.0.1/8'. What does this mean? The /8 stands for the number of
587 bits that are in the Network Address. There are 32 bits, so we have 24 bits
588 left that are part of our network. The first 8 bits of 10.0.0.1 correspond
589 to 10.0.0.0, our Network Address, and our netmask is 255.0.0.0.
593 The other bits are connected to this interface, so 10.250.3.13 is directly
594 available on eth0, as is 10.0.0.1 for example.
598 With ppp0, the same concept goes, though the numbers are different. Its
599 address is 212.64.94.251, without a subnet mask. This means that we have a
600 point-to-point connection and that every address, with the exception of
601 212.64.94.251, is remote. There is more information, however. It tells us
602 that on the other side of the link there is, yet again, only one address,
603 212.64.94.1. The /32 tells us that there are no 'network bits'.
607 It is absolutely vital that you grasp these concepts. Refer to the
608 documentation mentioned at the beginning of this HOWTO if you have trouble.
612 You may also note 'qdisc', which stands for Queueing Discipline. This will
613 become vital later on.
619 <Title><command>ip</command> shows us our routes</Title>
622 Well, we now know how to find 10.x.y.z addresses, and we are able to reach
623 212.64.94.1. This is not enough however, so we need instructions on how to
624 reach the world. The Internet is available via our ppp connection, and it
625 appears that 212.64.94.1 is willing to spread our packets around the
626 world, and deliver results back to us.
630 [ahu@home ahu]$ ip route show
631 212.64.94.1 dev ppp0 proto kernel scope link src 212.64.94.251
632 10.0.0.0/8 dev eth0 proto kernel scope link src 10.0.0.1
633 127.0.0.0/8 dev lo scope link
634 default via 212.64.94.1 dev ppp0
638 This is pretty much self explanatory. The first 4 lines of output explicitly
639 state what was already implied by <command>ip address show</command>, the last line
640 tells us that the rest of the world can be found via 212.64.94.1, our
641 default gateway. We can see that it is a gateway because of the word
642 via, which tells us that we need to send packets to 212.64.94.1, and that it
643 will take care of things.
647 For reference, this is what the old <command>route</command> utility shows us:
651 [ahu@home ahu]$ route -n
652 Kernel IP routing table
653 Destination Gateway Genmask Flags Metric Ref Use
655 212.64.94.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
656 10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth0
657 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
658 0.0.0.0 212.64.94.1 0.0.0.0 UG 0 0 0 ppp0
665 <Sect1 id="lartc.iproute2.arp">
669 ARP is the Address Resolution Protocol as described in
670 <ULink URL="http://www.faqs.org/rfcs/rfc826.html">RFC 826</ULink>.
671 ARP is used by a networked machine to resolve the hardware location/address of
672 another machine on the same
673 local network. Machines on the Internet are generally known by their names
675 addresses. This is how a machine on the foo.com network is able to communicate
676 with another machine which is on the bar.net network. An IP address, though,
677 cannot tell you the physical location of a machine. This is where ARP comes
682 Let's take a very simple example. Suppose I have a network composed of several
683 machines. Two of the machines which are currently on my network are foo
684 with an IP address of 10.0.0.1 and bar with an IP address of 10.0.0.2.
685 Now foo wants to ping bar to see that he is alive, but alas, foo has no idea
686 where bar is. So when foo decides to ping bar he will need to send
688 This ARP request is akin to foo shouting out on the network "Bar (10.0.0.2)!
689 Where are you?" As a result of this every machine on the network will hear
690 foo shouting, but only bar (10.0.0.2) will respond. Bar will then send an
691 ARP reply directly back to foo which is akin
693 "Foo (10.0.0.1) I am here at 00:60:94:E9:08:12." After this simple transaction
694 that's used to locate his friend on the network, foo is able to communicate
695 with bar until he (his arp cache) forgets where bar is (typically after
700 Now let's see how this works.
701 You can view your machines current arp/neighbor cache/table like so:
705 [root@espa041 /home/src/iputils]# ip neigh show
706 9.3.76.42 dev eth0 lladdr 00:60:08:3f:e9:f9 nud reachable
707 9.3.76.1 dev eth0 lladdr 00:06:29:21:73:c8 nud reachable
711 As you can see my machine espa041 (9.3.76.41) knows where to find espa042
713 espagate (9.3.76.1). Now let's add another machine to the arp cache.
717 [root@espa041 /home/paulsch/.gnome-desktop]# ping -c 1 espa043
718 PING espa043.austin.ibm.com (9.3.76.43) from 9.3.76.41 : 56(84) bytes of data.
719 64 bytes from 9.3.76.43: icmp_seq=0 ttl=255 time=0.9 ms
721 --- espa043.austin.ibm.com ping statistics ---
722 1 packets transmitted, 1 packets received, 0% packet loss
723 round-trip min/avg/max = 0.9/0.9/0.9 ms
725 [root@espa041 /home/src/iputils]# ip neigh show
726 9.3.76.43 dev eth0 lladdr 00:06:29:21:80:20 nud reachable
727 9.3.76.42 dev eth0 lladdr 00:60:08:3f:e9:f9 nud reachable
728 9.3.76.1 dev eth0 lladdr 00:06:29:21:73:c8 nud reachable
732 As a result of espa041 trying to contact espa043, espa043's hardware
733 address/location has now been added to the arp/neighbor cache.
734 So until the entry for
735 espa043 times out (as a result of no communication between the two) espa041
736 knows where to find espa043 and has no need to send an ARP request.
740 Now let's delete espa043 from our arp cache:
744 [root@espa041 /home/src/iputils]# ip neigh delete 9.3.76.43 dev eth0
745 [root@espa041 /home/src/iputils]# ip neigh show
746 9.3.76.43 dev eth0 nud failed
747 9.3.76.42 dev eth0 lladdr 00:60:08:3f:e9:f9 nud reachable
748 9.3.76.1 dev eth0 lladdr 00:06:29:21:73:c8 nud stale
752 Now espa041 has again forgotten where to find espa043 and will need to send
753 another ARP request the next time he needs to communicate with espa043.
754 You can also see from the above output that espagate (9.3.76.1) has been
755 changed to the "stale" state. This means that the location shown is still
756 valid, but it will have to be confirmed at the first transaction to that
764 <chapter id="lartc.rpdb">
765 <Title>Rules - routing policy database</Title>
768 If you have a large router, you may well cater for the needs of different
769 people, who should be served differently. The routing policy database allows
770 you to do this by having multiple sets of routing tables.
774 If you want to use this feature, make sure that your kernel is compiled with
775 the "IP: advanced router" and "IP: policy routing" features.
779 When the kernel needs to make a routing decision, it finds out which table
780 needs to be consulted. By default, there are three tables. The old 'route'
781 tool modifies the main and local tables, as does the ip tool (by default).
784 <Para>The default rules:
788 [ahu@home ahu]$ ip rule list
789 0: from all lookup local
790 32766: from all lookup main
791 32767: from all lookup default
795 This lists the priority of all rules. We see that all rules apply to all
796 packets ('from all'). We've seen the 'main' table before, it is output by
797 <userinput>ip route ls</userinput>, but the 'local' and 'default' table are new.
801 If we want to do fancy things, we generate rules which point to different
802 tables which allow us to override system wide routing rules.
806 For the exact semantics on what the kernel does when there are more matching
807 rules, see Alexey's ip-cref documentation.
810 <Sect1 id="lartc.rpdb.simple">
811 <Title>Simple source policy routing</Title>
814 Let's take a real example once again, I have 2 (actually 3, about time I
815 returned them) cable modems, connected to a Linux NAT ('masquerading')
816 router. People living here pay me to use the Internet. Suppose one of my
817 house mates only visits hotmail and wants to pay less. This is fine with me,
818 but they'll end up using the low-end cable modem.
822 The 'fast' cable modem is known as 212.64.94.251 and is a PPP link to
823 212.64.94.1. The 'slow' cable modem is known by various ip addresses,
824 212.64.78.148 in this example and is a link to 195.96.98.253.
827 <Para>The local table:
831 [ahu@home ahu]$ ip route list table local
832 broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
833 local 10.0.0.1 dev eth0 proto kernel scope host src 10.0.0.1
834 broadcast 10.0.0.0 dev eth0 proto kernel scope link src 10.0.0.1
835 local 212.64.94.251 dev ppp0 proto kernel scope host src 212.64.94.251
836 broadcast 10.255.255.255 dev eth0 proto kernel scope link src 10.0.0.1
837 broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
838 local 212.64.78.148 dev ppp2 proto kernel scope host src 212.64.78.148
839 local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
840 local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
844 Lots of obvious things, but things that need to be specified somewhere.
845 Well, here they are. The default table is empty.
848 <Para>Let's view the 'main' table:
852 [ahu@home ahu]$ ip route list table main
853 195.96.98.253 dev ppp2 proto kernel scope link src 212.64.78.148
854 212.64.94.1 dev ppp0 proto kernel scope link src 212.64.94.251
855 10.0.0.0/8 dev eth0 proto kernel scope link src 10.0.0.1
856 127.0.0.0/8 dev lo scope link
857 default via 212.64.94.1 dev ppp0
861 We now generate a new rule which we call 'John', for our hypothetical
862 house mate. Although we can work with pure numbers, it's far easier if we add
863 our tables to /etc/iproute2/rt_tables.
867 # echo 200 John >> /etc/iproute2/rt_tables
868 # ip rule add from 10.0.0.10 table John
870 0: from all lookup local
871 32765: from 10.0.0.10 lookup John
872 32766: from all lookup main
873 32767: from all lookup default
877 Now all that is left is to generate John's table, and flush the route cache:
881 # ip route add default via 195.96.98.253 dev ppp2 table John
882 # ip route flush cache
886 And we are done. It is left as an exercise for the reader to implement this
892 <sect1 id="lartc.rpdb.multiple-links">
893 <title>Routing for multiple uplinks/providers</title>
895 A common configuration is the following, in which there are two providers
896 that connect a local network (or even a single machine) to the big Internet.
902 +-------------+ Provider 1 +-------
904 ___/ \_ +------+-------+ +------------+ |
907 | Local network -----+ Linux router | | Internet
910 \___/ +------+-------+ +------------+ |
912 +-------------+ Provider 2 +-------
914 +------------+ \________
917 There are usually two questions given this setup.
919 <sect2><title>Split access</title>
921 The first is how to route answers to packets coming in over a
922 particular provider, say Provider 1, back out again over that same provider.
925 Let us first set some symbolical names. Let <command>$IF1</command> be the name of the
926 first interface (if1 in the picture above) and <command>$IF2</command> the name of the
927 second interface. Then let <command>$IP1</command> be the IP address associated with
928 <command>$IF1</command> and <command>$IP2</command> the IP address associated with
929 <command>$IF2</command>. Next, let <command>$P1</command> be the IP address of the gateway at
930 Provider 1, and <command>$P2</command> the IP address of the gateway at provider 2.
931 Finally, let <command>$P1_NET</command> be the IP network <command>$P1</command> is in,
932 and <command>$P2_NET</command> the IP network <command>$P2</command> is in.
935 One creates two additional routing tables, say <command>T1</command> and <command>T2</command>.
936 These are added in /etc/iproute2/rt_tables. Then you set up routing in
937 these tables as follows:
941 ip route add $P1_NET dev $IF1 src $IP1 table T1
942 ip route add default via $P1 table T1
943 ip route add $P2_NET dev $IF2 src $IP2 table T2
944 ip route add default via $P2 table T2
947 Nothing spectacular, just build a route to the gateway and build a
948 default route via that gateway, as you would do in the case of a single
949 upstream provider, but put the routes in a seperate table per provider.
950 Note that the network route suffices, as it tells you how to find any host
951 in that network, which includes the gateway, as specified above.
954 Next you set up the main routing table. It is a good idea to route
955 things to the direct neighbour through the interface connected to that
956 neighbour. Note the `src' arguments, they make sure the right outgoing IP
960 ip route add $P1_NET dev $IF1 src $IP1
961 ip route add $P2_NET dev $IF2 src $IP2
964 Then, your preference for default route:
967 ip route add default via $P1
970 Next, you set up the routing rules. These actually choose what routing table
971 to route with. You want to make sure that you route out a given
972 interface if you already have the corresponding source address:
975 ip rule add from $IP1 table T1
976 ip rule add from $IP2 table T2
979 This set of commands makes sure all answers to traffic coming in on a
980 particular interface get answered from that interface.
983 Now, this is just the very basic setup. It will work for all processes
984 running on the router itself, and for the local network, if it is
985 masqueraded. If it is not, then you either have IP space from both providers
986 or you are going to want to masquerade to one of the two providers. In both
987 cases you will want to add rules selecting which provider to route out from
988 based on the IP address of the machine in the local network.
990 <sect2><title>Load balancing</title>
992 The second question is how to balance traffic going out over the two providers.
993 This is actually not hard if you already have set up split access as above.
996 Instead of choosing one of the two providers as your default route,
997 you now set up the default route to be a multipath route. In the default
998 kernel this will balance routes over the two providers. It is done
999 as follows (once more building on the example in the section on
1003 ip route add default scope global nexthop via $P1 dev $IF1 weight 1 \
1004 nexthop via $P2 dev $IF2 weight 1
1007 This will balance the routes over both providers. The <command>weight</command>
1008 parameters can be tweaked to favor one provider over the other.
1011 Note that balancing will not be perfect, as it is route based, and routes
1012 are cached. This means that routes to often-used sites will always
1013 be over the same provider.
1016 Furthermore, if you really want to do this, you probably also want to look
1017 at Julian Anastasov's patches at <ulink
1018 url="http://www.linuxvirtualserver.org/~julian/#routes">http://www.linuxvirtualserver.org/~julian/#routes
1019 </ulink>, Julian's route patch page. They will make things nicer to work with.
1025 <chapter id="lartc.tunnel">
1026 <Title>GRE and other tunnels</Title>
1029 There are 3 kinds of tunnels in Linux. There's IP in IP tunneling, GRE tunneling and tunnels that live outside the kernel (like, for example PPTP).
1032 <Sect1 id="lartc.tunnel.remarks">
1033 <Title>A few general remarks about tunnels:</Title>
1036 Tunnels can be used to do some very unusual and very cool stuff. They can
1037 also make things go horribly wrong when you don't configure them right.
1038 Don't point your default route to a tunnel device unless you know
1039 <Emphasis>EXACTLY</Emphasis> what you are doing :-). Furthermore, tunneling increases
1040 overhead, because it needs an extra set of IP headers. Typically this is 20
1041 bytes per packet, so if the normal packet size (MTU) on a network is 1500
1042 bytes, a packet that is sent through a tunnel can only be 1480 bytes big.
1043 This is not necessarily a problem, but be sure to read up on IP packet
1044 fragmentation/reassembly when you plan to connect large networks with
1045 tunnels. Oh, and of course, the fastest way to dig a tunnel is to dig at
1051 <Sect1 id="lartc.tunnel.ip-ip">
1052 <Title>IP in IP tunneling</Title>
1055 This kind of tunneling has been available in Linux for a long time. It requires 2 kernel modules,
1056 ipip.o and new_tunnel.o.
1060 Let's say you have 3 networks: Internal networks A and B, and intermediate network C (or let's say, Internet).
1061 So we have network A:
1066 netmask 255.255.255.0
1070 <Para>The router has address 172.16.17.18 on network C.
1073 <Para>and network B:
1078 netmask 255.255.255.0
1082 <Para>The router has address 172.19.20.21 on network C.
1086 As far as network C is concerned, we assume that it will pass any packet sent
1087 from A to B and vice versa. You might even use the Internet for this.
1090 <Para>Here's what you do:
1093 <Para>First, make sure the modules are installed:
1101 <Para>Then, on the router of network A, you do the following:
1105 ifconfig tunl0 10.0.1.1 pointopoint 172.19.20.21
1106 route add -net 10.0.2.0 netmask 255.255.255.0 dev tunl0
1109 <Para>And on the router of network B:
1113 ifconfig tunl0 10.0.2.1 pointopoint 172.16.17.18
1114 route add -net 10.0.1.0 netmask 255.255.255.0 dev tunl0
1117 <Para>And if you're finished with your tunnel:
1124 <Para>Presto, you're done. You can't forward broadcast or IPv6 traffic through
1125 an IP-in-IP tunnel, though. You just connect 2 IPv4 networks that normally wouldn't be able to talk to each other, that's all. As far as compatibility goes, this code has been around a long time, so it's compatible all the way back to 1.3 kernels. Linux IP-in-IP tunneling doesn't work with other Operating Systems or routers, as far as I know. It's simple, it works. Use it if you have to, otherwise use GRE.
1130 <Sect1 id="lartc.tunnel.gre">
1131 <Title>GRE tunneling</Title>
1134 GRE is a tunneling protocol that was originally developed by Cisco, and it
1135 can do a few more things than IP-in-IP tunneling. For example, you can also
1136 transport multicast traffic and IPv6 through a GRE tunnel.
1140 In Linux, you'll need the ip_gre.o module.
1144 <Title>IPv4 Tunneling</Title>
1147 Let's do IPv4 tunneling first:
1151 Let's say you have 3 networks: Internal networks A and B, and intermediate network C (or let's say, Internet).
1155 So we have network A:
1159 netmask 255.255.255.0
1163 The router has address 172.16.17.18 on network C.
1164 Let's call this network neta (ok, hardly original)
1172 netmask 255.255.255.0
1176 The router has address 172.19.20.21 on network C.
1177 Let's call this network netb (still not original)
1181 As far as network C is concerned, we assume that it will pass any packet sent
1182 from A to B and vice versa. How and why, we do not care.
1185 <Para>On the router of network A, you do the following:
1189 ip tunnel add netb mode gre remote 172.19.20.21 local 172.16.17.18 ttl 255
1191 ip addr add 10.0.1.1 dev netb
1192 ip route add 10.0.2.0/24 dev netb
1196 Let's discuss this for a bit. In line 1, we added a tunnel device, and
1197 called it netb (which is kind of obvious because that's where we want it to
1198 go). Furthermore we told it to use the GRE protocol (mode gre), that the
1199 remote address is 172.19.20.21 (the router at the other end), that our
1200 tunneling packets should originate from 172.16.17.18 (which allows your
1201 router to have several IP addresses on network C and let you decide which
1202 one to use for tunneling) and that the TTL field of the packet should be set
1207 The second line enables the device.
1211 In the third line we gave the newly born interface netb the address
1212 10.0.1.1. This is OK for smaller networks, but when you're starting up a
1213 mining expedition (LOTS of tunnels), you might want to consider using
1214 another IP range for tunneling interfaces (in this example, you could use
1219 In the fourth line we set the route for network B. Note the different notation for the netmask. If you're not familiar with this notation, here's how it works: you write out the netmask in binary form, and you count all the ones. If you don't know how to do that, just remember that 255.0.0.0 is /8, 255.255.0.0 is /16 and 255.255.255.0 is /24. Oh, and 255.255.254.0 is /23, in case you were wondering.
1223 But enough about this, let's go on with the router of network B.
1226 ip tunnel add neta mode gre remote 172.16.17.18 local 172.19.20.21 ttl 255
1228 ip addr add 10.0.2.1 dev neta
1229 ip route add 10.0.1.0/24 dev neta
1232 And when you want to remove the tunnel on router A:
1235 ip link set netb down
1239 Of course, you can replace netb with neta for router B.
1245 <Title>IPv6 Tunneling</Title>
1248 See Section 6 for a short bit about IPv6 Addresses.
1252 On with the tunnels.
1256 Let's assume that you have the following IPv6 network, and you want to connect it to 6bone, or a friend.
1262 Network 3ffe:406:5:1:5:a:2:1/96
1265 Your IPv4 address is 172.16.17.18, and the 6bone router has IPv4 address 172.22.23.24.
1271 ip tunnel add sixbone mode sit remote 172.22.23.24 local 172.16.17.18 ttl 255
1272 ip link set sixbone up
1273 ip addr add 3ffe:406:5:1:5:a:2:1/96 dev sixbone
1274 ip route add 3ffe::/15 dev sixbone
1280 Let's discuss this. In the first line, we created a tunnel device called sixbone. We gave it mode sit (which is IPv6 in IPv4 tunneling) and told it where to go to (remote) and where to come from (local). TTL is set to maximum, 255. Next, we made the device active (up). After that, we added our own network address, and set a route for 3ffe::/15 (which is currently all of 6bone) through the tunnel.
1284 GRE tunnels are currently the preferred type of tunneling. It's a standard that is also widely adopted outside the Linux community and therefore a Good Thing.
1291 <Sect1 id="lartc.tunnel.userland">
1292 <Title>Userland tunnels</Title>
1295 There are literally dozens of implementations of tunneling outside the kernel. Best known are of course PPP and PPTP, but there are lots more (some proprietary, some secure, some that don't even use IP) and that is really beyond the scope of this HOWTO.
1302 <chapter id="lartc.ipv6-tunnel">
1303 <Title>IPv6 tunneling with Cisco and/or 6bone</Title>
1306 By Marco Davids <marco@sara.nl>
1314 As far as I am concerned, this IPv6-IPv4 tunneling is not per definition
1315 GRE tunneling. You could tunnel IPv6 over IPv4 by means of GRE tunnel devices
1316 (GRE tunnels ANY to IPv4), but the device used here ("sit") only tunnels
1317 IPv6 over IPv4 and is therefore something different.
1320 <Sect1 id="lartc.tunnel-ipv6.addressing">
1321 <Title>IPv6 Tunneling</Title>
1324 This is another application of the tunneling capabilities of Linux. It is
1325 popular among the IPv6 early adopters, or pioneers if you like.
1326 The 'hands-on' example described below is certainly not the only way
1327 to do IPv6 tunneling. However, it is the method that is often used to tunnel
1328 between Linux and a Cisco IPv6 capable router and experience tells us that
1329 this is just the thing many people are after. Ten to one this applies to
1334 A short bit about IPv6 addresses:
1338 IPv6 addresses are, compared to IPv4 addresses, really big: 128 bits
1339 against 32 bits. And this provides us just with the thing we need: many, many
1340 IP-addresses: 340,282,266,920,938,463,463,374,607,431,768,211,465 to be
1341 precise. Apart from this, IPv6 (or IPng, for IP Next Generation) is supposed
1342 to provide for smaller routing tables on the Internet's backbone routers,
1343 simpler configuration of equipment, better security at the IP level and
1344 better support for QoS.
1348 An example: 2002:836b:9820:0000:0000:0000:836b:9886
1352 Writing down IPv6 addresses can be quite a burden. Therefore, to make
1353 life easier there are some rules:
1362 Don't use leading zeroes. Same as in IPv4.
1369 Use colons to separate every 16 bits or two bytes.
1376 When you have lots of consecutive zeroes,
1377 you can write this down as ::. You can only do this once in an
1378 address and only for quantities of 16 bits, though.
1387 The address 2002:836b:9820:0000:0000:0000:836b:9886 can be written down
1388 as 2002:836b:9820::836b:9886, which is somewhat friendlier.
1392 Another example, the address 3ffe:0000:0000:0000:0000:0020:34A1:F32C can be
1393 written down as 3ffe::20:34A1:F32C, which is a lot shorter.
1397 IPv6 is intended to be the successor of the current IPv4. Because it
1398 is relatively new technology, there is no worldwide native IPv6 network
1399 yet. To be able to move forward swiftly, the 6bone was introduced.
1403 Native IPv6 networks are connected to each other by encapsulating the IPv6
1404 protocol in IPv4 packets and sending them over the existing IPv4 infrastructure
1405 from one IPv6 site to another.
1409 That is precisely where the tunnel steps in.
1413 To be able to use IPv6, we should have a kernel that supports it. There
1414 are many good documents on how to achieve this. But it all comes down to
1421 Get yourself a recent Linux distribution, with suitable glibc.
1427 Then get yourself an up-to-date kernel source.
1433 If you are all set, then you can go ahead and compile an IPv6 capable
1440 Go to /usr/src/linux and type:
1452 Choose "Networking Options"
1458 Select "The IPv6 protocol", "IPv6: enable EUI-64 token format", "IPv6:
1459 disable provider based addresses"
1465 HINT: Don't go for the 'module' option. Often this won't work well.
1469 In other words, compile IPv6 as 'built-in' in your kernel.
1470 You can then save your config like usual and go ahead with compiling
1475 HINT: Before doing so, consider editing the Makefile:
1476 EXTRAVERSION = -x ; --> ; EXTRAVERSION = -x-IPv6
1480 There is a lot of good documentation about compiling and installing
1481 a kernel, however this document is about something else. If you run into
1482 problems at this stage, go and look for documentation about compiling a
1483 Linux kernel according to your own specifications.
1487 The file /usr/src/linux/README might be a good start.
1488 After you acomplished all this, and rebooted with your brand new kernel,
1489 you might want to issue an '/sbin/ifconfig -a' and notice the brand
1490 new 'sit0-device'. SIT stands for Simple Internet Transition. You may give
1491 yourself a compliment; you are now one major step closer to IP, the Next
1496 Now on to the next step. You want to connect your host, or maybe even
1497 your entire LAN to another IPv6 capable network. This might be the "6bone"
1498 that is setup especially for this particular purpose.
1502 Let's assume that you have the following IPv6 network: 3ffe:604:6:8::/64 and
1503 you want to connect it to 6bone, or a friend. Please note that the /64
1504 subnet notation works just like with regular IP adresses.
1508 Your IPv4 address is 145.100.24.181 and the 6bone router has IPv4 address
1513 # ip tunnel add sixbone mode sit remote 145.100.1.5 [local 145.100.24.181 ttl 255]
1514 # ip link set sixbone up
1515 # ip addr add 3FFE:604:6:7::2/126 dev sixbone
1516 # ip route add 3ffe::0/16 dev sixbone
1520 Let's discuss this. In the first line, we created a tunnel device called
1521 sixbone. We gave it mode sit (which is IPv6 in IPv4 tunneling) and told it
1522 where to go to (remote) and where to come from (local). TTL is set to
1527 Next, we made the device active (up). After that, we added our own network
1528 address, and set a route for 3ffe::/15 (which is currently all of 6bone)
1529 through the tunnel. If the particular machine you run this on is your IPv6
1530 gateway, then consider adding the following lines:
1534 # echo 1 >/proc/sys/net/ipv6/conf/all/forwarding
1535 # /usr/local/sbin/radvd
1539 The latter, radvd is -like zebra- a router advertisement daemon, to
1540 support IPv6's autoconfiguration features. Search for it with your favourite
1541 search-engine if you like.
1542 You can check things like this:
1546 # /sbin/ip -f inet6 addr
1550 If you happen to have radvd running on your IPv6 gateway and boot your
1551 IPv6 capable Linux on a machine on your local LAN, you would be able to
1552 enjoy the benefits of IPv6 autoconfiguration:
1556 # /sbin/ip -f inet6 addr
1557 1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue inet6 ::1/128 scope host
1559 3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
1560 inet6 3ffe:604:6:8:5054:4cff:fe01:e3d6/64 scope global dynamic
1561 valid_lft forever preferred_lft 604646sec inet6 fe80::5054:4cff:fe01:e3d6/10
1566 You could go ahead and configure your bind for IPv6 addresses. The A
1567 type has an equivalent for IPv6: AAAA. The in-addr.arpa's equivalent is:
1568 ip6.int. There's a lot of information available on this topic.
1572 There is an increasing number of IPv6-aware applications available,
1573 including secure shell, telnet, inetd, Mozilla the browser, Apache the
1574 websever and a lot of others. But this is all outside the scope of this
1575 Routing document ;-)
1579 On the Cisco side the configuration would be something like this:
1584 description IPv6 tunnel
1586 no ip directed-broadcast
1588 ipv6 address 3FFE:604:6:7::1/126
1589 tunnel source Serial0
1590 tunnel destination 145.100.24.181
1593 ipv6 route 3FFE:604:6:8::/64 Tunnel1
1596 But if you don't have a Cisco at your disposal, try one of the many
1597 IPv6 tunnel brokers available on the Internet. They are willing to configure
1598 their Cisco with an extra tunnel for you. Mostly by means of a friendly
1599 web interface. Search for "ipv6 tunnel broker" on your favourite search engine.
1606 <chapter id="lartc.ipsec">
1607 <Title>IPsec: secure IP over the Internet</Title>
1610 FIXME: editor vacancy.
1611 In the meantime, see: <ULink URL="http://www.freeswan.org/">
1612 The FreeS/WAN project</ULink>.
1613 Another IPSec implementation for Linux is Cerberus,
1614 by NIST. However, their web pages have not been updated in over a year,
1615 and their version tended to trail well behind the current Linux kernel.
1616 USAGI, an alternative IPv6 implementation for Linux, also includes an
1617 IPSec implementation, but that might only be for IPv6.
1622 <chapter id="lartc.multicast">
1623 <Title>Multicast routing</Title>
1626 FIXME: Editor Vacancy!
1630 The Multicast-HOWTO is ancient (relatively-speaking) and may be inaccurate
1631 or misleading in places, for that reason.
1635 Before you can do any multicast routing, you need to configure the Linux
1636 kernel to support the type of multicast routing you want to do. This, in
1637 turn, requires you to decide what type of multicast routing you expect to
1638 be using. There are essentially four "common" types - DVMRP (the Multicast
1639 version of the RIP unicast protocol), MOSPF (the same, but for OSPF), PIM-SM
1640 ("Protocol Independent Multicasting - Sparse Mode", which assumes that users
1641 of any multicast group are spread out, rather than clumped) and PIM-DM (the
1642 same, but "Dense Mode", which assumes that there will be significant clumps
1643 of users of the same multicast group).
1647 In the Linux kernel, you will notice that these options don't appear. This is
1648 because the protocol itself is handled by a routing application, such as
1649 Zebra, mrouted, or pimd. However, you still have to have a good idea of which
1650 you're going to use, to select the right options in the kernel.
1654 For all multicast routing, you will definitely need to enable "multicasting"
1655 and "multicast routing". For DVMRP and MOSPF, this is sufficient. If you are
1656 going to use PIM, you must also enable PIMv1 or PIMv2, depending on whether
1657 the network you are connecting to uses version 1 or 2 of the PIM protocol.
1661 Once you have all that sorted out, and your new Linux kernel compiled, you
1662 will see that the IP protocols listed, at boot time, now include IGMP. This
1663 is a protocol for managing multicast groups. At the time of writing, Linux
1664 supports IGMP versions 1 and 2 only, although version 3 does exist and has
1665 been documented. This doesn't really affect us that much, as IGMPv3 is still
1666 new enough that the extra capabilities of IGMPv3 aren't going to be that
1667 much use. Because IGMP deals with groups, only the features present in the
1668 simplest version of IGMP over the entire group are going to be used. For the
1669 most part, that will be IGMPv2, although IGMPv1 is sill going to be
1674 So far, so good. We've enabled multicasting. Now, we have to tell the Linux
1675 kernel to actually do something with it, so we can start routing. This means
1676 adding the Multicast virtual network to the router table:
1680 ip route add 224.0.0.0/4 dev eth0
1684 (Assuming, of course, that you're multicasting over eth0! Substitute the
1685 device of your choice, for this.)
1689 Now, tell Linux to forward packets...
1693 echo 1 > /proc/sys/net/ipv4/ip_forward
1697 At this point, you may be wondering if this is ever going to do anything. So,
1698 to test our connection, we ping the default group, 224.0.0.1, to see if anyone
1699 is alive. All machines on your LAN with multicasting enabled <Emphasis>should</Emphasis>
1700 respond, but nothing else. You'll notice that none of the machines that
1701 respond have an IP address of 224.0.0.1. What a surprise! :) This is a group
1702 address (a "broadcast" to subscribers), and all members of the group will
1703 respond with their own address, not the group address.
1711 At this point, you're ready to do actual multicast routing. Well, assuming
1712 that you have two networks to route between.
1721 <chapter id="lartc.qdisc">
1722 <Title>Queueing Disciplines for Bandwidth Management</Title>
1725 Now, when I discovered this, it <Emphasis>really</Emphasis> blew me away. Linux 2.2/2.4
1726 comes with everything to manage bandwidth in ways comparable to high-end
1727 dedicated bandwidth management systems.
1731 Linux even goes far beyond what Frame and ATM provide.
1734 <Para>Just to prevent confusion, <command>tc</command> uses the following
1735 rules for bandwith specification:
1737 <literallayout class='monospaced'>
1738 mbps = 1024 kbps = 1024 * 1024 bps => byte/s
1739 mbit = 1024 kbit => kilo bit/s.
1740 mb = 1024 kb = 1024 * 1024 b => byte
1741 mbit = 1024 kbit => kilo bit.
1744 Internally, the number is stored in bps and b.
1747 <Para>But when <command>tc</command> prints the rate, it uses following :
1750 <literallayout class='monospaced'>
1751 1Mbit = 1024 Kbit = 1024 * 1024 bps => bit/s
1754 <Sect1 id="lartc.qdisc.explain">
1755 <Title>Queues and Queueing Disciplines explained</Title>
1758 With queueing we determine the way in which data is <Emphasis>SENT</Emphasis>.
1759 It is important to realise that we can only shape data that we transmit.
1763 With the way the Internet works, we have no direct control of what people
1764 send us. It's a bit like your (physical!) mailbox at home. There is no way
1765 you can influence the world to modify the amount of mail they send you,
1766 short of contacting everybody.
1770 However, the Internet is mostly based on TCP/IP which has a few features
1771 that help us. TCP/IP has no way of knowing the capacity of the network
1772 between two hosts, so it just starts sending data faster and faster ('slow
1773 start') and when packets start getting lost, because there is no room to
1774 send them, it will slow down. In fact it is a bit smarter than this, but
1775 more about that later.
1779 This is the equivalent of not reading half of your mail, and hoping that
1780 people will stop sending it to you. With the difference that it works for
1785 If you have a router and wish to prevent certain hosts within your network
1786 from downloading too fast, you need to do your shaping on the *inner* interface
1787 of your router, the one that sends data to your own computers.
1791 You also have to be sure you are controlling the bottleneck of the link.
1792 If you have a 100Mbit NIC and you have a router that has a 256kbit link,
1793 you have to make sure you are not sending more data than your router can
1794 handle. Othewise, it will be the router who is controlling the link and
1795 shaping the available bandwith. We need to 'own the queue' so to speak, and
1796 be the slowest link in the chain. Luckily this is easily possible.
1801 <Sect1 id="lartc.qdisc.classless">
1802 <Title>Simple, classless Queueing Disciplines</Title>
1805 As said, with queueing disciplines, we change the way data is sent.
1806 Classless queueing disciplines are those that, by and large accept data and
1807 only reschedule, delay or drop it.
1811 These can be used to shape traffic for an entire interface, without any
1812 subdivisions. It is vital that you understand this part of queueing before
1813 we go on the the classful qdisc-containing-qdiscs!
1817 By far the most widely used discipline is the pfifo_fast qdisc - this is the
1818 default. This also explains why these advanced features are so robust. They
1819 are nothing more than 'just another queue'.
1823 Each of these queues has specific strengths and weaknesses. Not all of them
1824 may be as well tested.
1828 <Title>pfifo_fast</Title>
1831 This queue is, as the name says, First In, First Out, which means that no
1832 packet receives special treatment. At least, not quite. This queue has 3 so
1833 called 'bands'. Within each band, FIFO rules apply. However, as long as
1834 there are packets waiting in band 0, band 1 won't be processed. Same goes
1835 for band 1 and band 2.
1839 The kernel honors the so called Type of Service flag of packets, and takes
1840 care to insert 'minimum delay' packets in band 0.
1844 Do not confuse this classless simple qdisc with the classful PRIO one!
1845 Although they behave similarly, pfifo_fast is classless and you cannot add
1846 other qdiscs to it with the tc command.
1850 <Title>Parameters & usage</Title>
1853 You can't configure the pfifo_fast qdisc as it is the hardwired default.
1854 This is how it is configured by default:
1858 <Term>priomap</Term>
1861 Determines how packet priorities, as assigned by the kernel, map to bands.
1862 Mapping occurs based on the TOS octet of the packet, which looks like this:
1869 +-----+-----+-----+-----+-----+-----+-----+-----+
1871 | PRECEDENCE | TOS | MBZ |
1873 +-----+-----+-----+-----+-----+-----+-----+-----+
1879 The four TOS bits (the 'TOS field') are defined as:
1882 Binary Decimcal Meaning
1883 -----------------------------------------
1884 1000 8 Minimize delay (md)
1885 0100 4 Maximize throughput (mt)
1886 0010 2 Maximize reliability (mr)
1887 0001 1 Minimize monetary cost (mmc)
1888 0000 0 Normal Service
1894 As there is 1 bit to the right of these four bits, the actual value of the
1895 TOS field is double the value of the TOS bits. Tcpdump -v -v shows you the
1896 value of the entire TOS field, not just the four bits. It is the value you
1897 see in the first column of this table:
1903 TOS Bits Means Linux Priority Band
1904 ------------------------------------------------------------
1905 0x0 0 Normal Service 0 Best Effort 1
1906 0x2 1 Minimize Monetary Cost 1 Filler 2
1907 0x4 2 Maximize Reliability 0 Best Effort 1
1908 0x6 3 mmc+mr 0 Best Effort 1
1909 0x8 4 Maximize Throughput 2 Bulk 2
1910 0xa 5 mmc+mt 2 Bulk 2
1911 0xc 6 mr+mt 2 Bulk 2
1912 0xe 7 mmc+mr+mt 2 Bulk 2
1913 0x10 8 Minimize Delay 6 Interactive 0
1914 0x12 9 mmc+md 6 Interactive 0
1915 0x14 10 mr+md 6 Interactive 0
1916 0x16 11 mmc+mr+md 6 Interactive 0
1917 0x18 12 mt+md 4 Int. Bulk 1
1918 0x1a 13 mmc+mt+md 4 Int. Bulk 1
1919 0x1c 14 mr+mt+md 4 Int. Bulk 1
1920 0x1e 15 mmc+mr+mt+md 4 Int. Bulk 1
1926 Lots of numbers. The second column contains the value of the relevant four
1927 TOS bits, followed by their translated meaning. For example, 15 stands for a
1928 packet wanting Minimal Montetary Cost, Maximum Reliability, Maximum
1929 Throughput AND Minimum Delay. I would call this a 'Dutch Packet'.
1933 The fourth column lists the way the Linux kernel interprets the TOS bits, by
1934 showing to which Priority they are mapped.
1938 The last column shows the result of the default priomap. On the commandline,
1939 the default priomap looks like this:
1942 1, 2, 2, 2, 1, 2, 0, 0 , 1, 1, 1, 1, 1, 1, 1, 1
1948 This means that priority 4, for example, gets mapped to band number 1. The
1949 priomap also allows you to list higher priorities (> 7) which do not
1950 correspond to TOS mappings, but which are set by other means.
1954 This table from RFC 1349 (read it for more details) tells you how
1955 applications might very well set their TOS bits:
1958 TELNET 1000 (minimize delay)
1960 Control 1000 (minimize delay)
1961 Data 0100 (maximize throughput)
1963 TFTP 1000 (minimize delay)
1966 Command phase 1000 (minimize delay)
1967 DATA phase 0100 (maximize throughput)
1970 UDP Query 1000 (minimize delay)
1972 Zone Transfer 0100 (maximize throughput)
1974 NNTP 0001 (minimize monetary cost)
1978 Requests 0000 (mostly)
1979 Responses <same as request> (mostly)
1985 <Term>txqueuelen</Term>
1988 The length of this queue is gleaned from the interface configuration, which
1989 you can see and set with ifconfig and ip. To set the queue length to 10,
1990 execute: ifconfig eth0 txqueuelen 10
1994 You can't set this parameter with tc!
2005 <Title>Token Bucket Filter</Title>
2008 The Token Bucket Filter (TBF) is a simple qdisc that only passes packets
2009 arriving at a rate which is not exceeding some administratively set rate, but
2010 with the possibility to allow short bursts in excess of this rate.
2014 TBF is very precise, network- and processor friendly. It should be your
2015 first choice if you simply want to slow an interface down!
2019 The TBF implementation consists of a buffer (bucket), constantly filled by
2020 some virtual pieces of information called tokens, at a specific rate (token
2021 rate). The most important parameter of the bucket is its size, that is the
2022 number of tokens it can store.
2026 Each arriving token collects one incoming data packet from the data queue
2027 and is then deleted from the bucket. Associating this algorithm
2028 with the two flows -- token and data, gives us three possible scenarios:
2037 The data arrives in TBF at a rate that's <Emphasis>equal</Emphasis> to the rate
2038 of incoming tokens. In this case each incoming packet has its matching token
2039 and passes the queue without delay.
2046 The data arrives in TBF at a rate that's <Emphasis>smaller</Emphasis> than the
2047 token rate. Only a part of the tokens are deleted at output of each data packet
2048 that's sent out the queue, so the tokens accumulate, up to the bucket size.
2049 The unused tokens can then be used to send data a a speed that's exceeding the
2050 standard token rate, in case short data bursts occur.
2057 The data arrives in TBF at a rate <Emphasis>bigger</Emphasis> than the token rate.
2058 This means that the bucket will soon be devoid of tokens, which causes the
2059 TBF to throttle itself for a while. This is called an 'overlimit situation'.
2060 If packets keep coming in, packets will start to get dropped.
2069 The last scenario is very important, because it allows to
2070 administratively shape the bandwidth available to data that's passing
2075 The accumulation of tokens allows a short burst of overlimit data to be
2076 still passed without loss, but any lasting overload will cause packets to be
2077 constantly delayed, and then dropped.
2081 Please note that in the actual implementation, tokens correspond to bytes,
2086 <Title>Parameters & usage</Title>
2089 Even though you will probably not need to change them, tbf has some knobs
2090 available. First the parameters that are always available:
2094 <Term>limit or latency</Term>
2097 Limit is the number of bytes that can be queued waiting for tokens to become
2098 available. You can also specify this the other way around by setting the
2099 latency parameter, which specifies the maximum amount of time a packet can
2100 sit in the TBF. The latter calculation takes into account the size of the
2101 bucket, the rate and possibly the peakrate (if set).
2105 <Term>burst/buffer/maxburst</Term>
2108 Size of the bucket, in bytes. This is the maximum amount of bytes that
2109 tokens can be available for instantaneously. In general, larger shaping
2110 rates require a larger buffer. For 10mbit/s on Intel, you need at least
2111 10kbyte buffer if you want to reach your configured rate!
2115 If your buffer is too small, packets may be dropped because more tokens
2116 arrive per timer tick than fit in your bucket.
2123 A zero-sized packet does not use zero bandwidth. For ethernet, no packet
2124 uses less than 64 bytes. The Minimum Packet Unit determines the minimal
2125 token usage for a packet.
2132 The speedknob. See remarks above about limits!
2139 If the bucket contains tokens and is allowed to empty, by default it does so
2140 at infinite speed. If this is unacceptable, use the following parameters:
2147 <Term>peakrate</Term>
2150 If tokens are available, and packets arrive, they are sent out immediately
2151 by default, at 'lightspeed' so to speak. That may not be what you want,
2152 especially if you have a large bucket.
2156 The peakrate can be used to specify how quickly the bucket is allowed to be
2157 depleted. If doing everything by the book, this is achieved by releasing a
2158 packet, and then wait just long enough, and release the next. We calculated
2159 our waits so we send just at peakrate.
2163 However, due to de default 10ms timer resolution of Unix, with 10.000 bits
2164 average packets, we are limited to 1mbit/s of peakrate!
2168 <Term>mtu/minburst</Term>
2171 The 1mbit/s peakrate is not very useful if your regular rate is more than
2172 that. A higher peakrate is possible by sending out more packets per
2173 timertick, which effectively means that we create a second bucket!
2177 This second bucket defaults to a single packet, which is not a bucket at
2182 To calculate the maximum possible peakrate, multiply the configured mtu by
2183 100 (or more correctly, HZ, which is 100 on intel, 1024 on Alpha).
2192 <Title>Sample configuration</Title>
2195 A simple but *very* useful configuration is this:
2198 # tc qdisc add dev ppp0 root tbf rate 220kbit latency 50ms burst 1540
2204 Ok, why is this useful? If you have a networking device with a large queue,
2205 like a DSL modem or a cablemodem, and you talk to it over a fast device,
2206 like over an ethernet interface, you will find that uploading absolutely
2207 destroys interactivity.
2211 This is because uploading will fill the queue in the modem, which is
2212 probably *huge* because this helps actually achieving good data throughput
2213 uploading. But this is not what you want, you want to have the queue not too
2214 big so interactivity remains and you can still do other stuff while sending
2219 The line above slows down sending to a rate that does not lead to a queue in
2220 the modem - the queue will be in Linux, where we can control it to a limited
2225 Change 220kbit to your uplink's *actual* speed, minus a few percent. If you
2226 have a really fast modem, raise 'burst' a bit.
2234 <Title>Stochastic Fairness Queueing</Title>
2237 Stochastic Fairness Queueing (SFQ) is a simple implementation of the fair
2238 queueing algorithms family. It's less accurate than others, but it also
2239 requires less calculations while being almost perfectly fair.
2243 The key word in SFQ is conversation (or flow), which mostly corresponds to a
2244 TCP session or a UDP stream. Traffic is divided into a pretty large number
2245 of FIFO queues, one for each conversation. Traffic is then sent in a round
2246 robin fashion, giving each session the chance to send data in turn.
2250 This leads to very fair behaviour and disallows any single conversation from
2251 drowning out the rest. SFQ is called 'Stochastic' because it doesn't really
2252 allocate a queue for each session, it has an algorithm which divides traffic
2253 over a limited number of queues using a hashing algorithm.
2257 Because of the hash, multiple sessions might end up in the same bucket, which
2258 would halve each session's chance of sending a packet, thus halving the
2259 effective speed available. To prevent this situation from becoming
2260 noticeable, SFQ changes its hashing algorithm quite often so that any two
2261 colliding sessions will only do so for a small number of seconds.
2265 It is important to note that SFQ is only useful in case your actual outgoing
2266 interface is really full! If it isn't then there will be no queue on your
2267 linux machine and hence no effect. Later on we will describe how to combine
2268 SFQ with other qdiscs to get a best-of-both worlds situation.
2272 Specifically, setting SFQ on the ethernet interface heading to your
2273 cablemodem or DSL router is pointless without further shaping!
2277 <Title>Parameters & usage</Title>
2280 The SFQ is pretty much selftuning:
2284 <Term>perturb</Term>
2287 Reconfigure hashing once this many seconds. If unset, hash will never be
2288 reconfigured. Not recommended. 10 seconds is probably a good value.
2292 <Term>quantum</Term>
2295 Amount of bytes a stream is allowed to dequeue before the next queue gets a
2296 turn. Defaults to 1 maximum sized packet (MTU-sized). Do not set below the
2306 <Title>Sample configuration</Title>
2309 If you have a device which has identical link speed and actual available
2310 rate, like a phone modem, this configuration will help promote fairness:
2313 # tc qdisc add dev ppp0 root sfq perturb 10
2315 qdisc sfq 800c: dev ppp0 quantum 1514b limit 128p flows 128/1024 perturb 10sec
2316 Sent 4812 bytes 62 pkts (dropped 0, overlimits 0)
2322 The number 800c: is the automatically assigned handle number, limit means
2323 that 128 packets can wait in this queue. There are 1024 hashbuckets
2324 available for accounting, of which 128 can be active at a time (no more
2325 packets fit in the queue!) Once every 10 seconds, the hashes are
2335 <Sect1 id="lartc.qdisc.advice">
2336 <Title>Advice for when to use which queue</Title>
2339 Summarizing, these are the simple queues that actually manage traffic by
2340 reordering, slowing or dropping packets.
2344 The following tips may help in chosing which queue to use. It mentions some
2345 qdiscs described in the
2346 <citetitle><xref linkend="lartc.adv-qdisc"></citetitle> chapter.
2352 To purely slow down outgoing traffic, use the Token Bucket Filter. Works up
2353 to huge bandwidths, if you scale the bucket.
2359 If your link is truly full and you want to make sure that no single session
2360 can dominate your outgoing bandwidth, use Stochastical Fairness Queueing.
2366 If you have a big backbone and know what you are doing, consider Random
2367 Early Drop (see Advanced chapter).
2373 To 'shape' incoming traffic which you are not forwarding, use the Ingress
2374 Policer. Incoming shaping is called 'policing', by the way, not 'shaping'.
2380 If you *are* forwarding it, use a TBF on the interface you are forwarding
2381 the data to. Unless you want to shape traffic that may go out over several
2382 interfaces, in which case the only common factor is the incoming interface.
2383 In that case use the Ingress Policer.
2389 If you don't want to shape, but only want to see if your interface is so
2390 loaded that it has to queue, use the pfifo queue (not pfifo_fast). It lacks
2391 internal bands but does account the size of its backlog.
2396 Finally - you can also do <quote>social shaping</quote>.
2397 You may not always be able to use technology to achieve what you want.
2398 Users experience technical constraints as hostile.
2399 A kind word may also help with getting your bandwidth to be divided right!
2406 <Sect1 id="lartc.qdisc.terminology">
2407 <Title>Terminology</Title>
2410 To properly understand more complicated configurations it is necessary to
2411 explain a few concepts first. Because of the complexity and he relative
2412 youth of the subject, a lot of different words are used when people in fact
2413 mean the same thing.
2417 The following is loosely based on
2418 <filename>draft-ietf-diffserv-model-06.txt</filename>,
2419 <citetitle>An Informal Management Model for Diffserv Routers</citetitle>.
2420 It can currently be found at
2421 <ulink url="http://www.ietf.org/internet-drafts/draft-ietf-diffserv-model-06.txt">
2422 http://www.ietf.org/internet-drafts/draft-ietf-diffserv-model-06.txt
2427 Read it for the strict definitions of the terms used.
2431 <Term>Queueing Discipline</Term>
2434 An algorithm that manages the queue of a device, either incoming (ingress)
2435 or outgoing (egress).
2439 <Term>Classless qdisc</Term>
2442 A qdisc with no configurable internal subdivisions.
2446 <Term>Classful qdisc</Term>
2449 A classful qdisc contains multiple classes. Each of these classes contains a
2450 further qdisc, which may again be classful, but need not be. According to
2451 the strict definition, pfifo_fast *is* classful, because it contains three
2452 bands which are, in fact, classes. However, from the user's configuration
2453 perspective, it is classless as the classes can't be touched with the tc
2458 <Term>Classes</Term>
2461 A classful qdisc may have many classes, which each are internal to the
2462 qdisc. Each of these classes may contain a real qdisc.
2466 <Term>Classifier</Term>
2469 Each classful qdisc needs to determine to which class it needs to send a
2470 packet. This is done using the classifier.
2477 Classification can be performed using filters. A filter contains a number of
2478 conditions which if matched, make the filter match.
2482 <Term>Scheduling</Term>
2485 A qdisc may, with the help of a classifier, decide that some packets need to
2486 go out earlier than others. This process is called Scheduling, and is
2487 performed for example by the pfifo_fast qdisc mentioned earlier. Scheduling
2488 is also called 'reordering', but this is confusing.
2492 <Term>Shaping</Term>
2495 The process of delaying packets before they go out to make traffic confirm
2496 to a configured maximum rate. Shaping is performed on egress. Colloquially,
2497 dropping packets to slow traffic down is also often called Shaping.
2501 <Term>Policing</Term>
2504 Delaying or dropping packets in order to make traffic stay below a
2505 configured bandwidth. In Linux, policing can only drop a packet and not
2506 delay it - there is no 'ingress queue'.
2510 <Term>Work-Conserving</Term>
2513 A work-conserving qdisc always delivers a packet if one is available. In
2514 other words, it never delays a packet if the network adaptor is ready to
2515 send one (in the case of an egress qdisc).
2519 <Term>non-Work-Conserving</Term>
2522 Some queues, like for example the Token Bucket Filter, may need to hold on
2523 to a packet for a certain time in order to limit the bandwidth. This means
2524 that they sometimes refuse to give up a packet, even though they have one
2532 Now that we have our terminology straight, let's see where all these things
2542 +---------------+-----------------------------------------+
2544 | -------> IP Stack |
2549 | | / ----------> Forwarding -> |
2554 | | Egress /--qdisc2--\ |
2555 --->->Ingress Classifier ---qdisc3---- | ->
2556 | Qdisc \__qdisc4__/ |
2559 +----------------------------------------------------------+
2562 Thanks to Jamal Hadi Salim for this ascii representation.
2566 The big block represents the kernel. The leftmost arrow represents traffic
2567 entering your machine from the network. It is then fed to the Ingress
2568 Qdisc which may apply Filters to a packet, and decide to drop it. This
2569 is called 'Policing'.
2573 This happens at a very early stage, before it has seen a lot of the kernel.
2574 It is therefore a very good place to drop traffic very early, without
2575 consuming a lot of CPU power.
2579 If the packet is allowed to continue, it may be destined for a local
2580 application, in which case it enters the IP stack in order to be processed,
2581 and handed over to a userspace program. The packet may also be forwarded
2582 without entering an application, in which case it is destined for egress.
2583 Userspace programs may also deliver data, which is then examined and
2584 forwarded to the Egress Classifier.
2588 There it is investigated and enqueued to any of a number of qdiscs. In the
2589 unconfigured default case, there is only one egress qdisc installed, the
2590 pfifo_fast, which always receives the packet. This is called 'enqueueing'.
2594 The packet now sits in the qdisc, waiting for the kernel to ask for
2595 it for transmission over the network interface. This is called 'dequeueing'.
2599 This picture also holds in case there is only one network adaptor - the
2600 arrows entering and leaving the kernel should not be taken too literally.
2601 Each network adaptor has both ingress and egress hooks.
2606 <Sect1 id="lartc.qdisc.classful">
2607 <Title>Classful Queueing Disciplines</Title>
2610 Classful qdiscs are very useful if you have different kinds of traffic which
2611 should have differing treatment. One of the classful qdiscs is called 'CBQ'
2612 , 'Class Based Queueing' and it is so widely mentioned that people identify
2613 queueing with classes solely with CBQ, but this is not the case.
2617 CBQ is merely the oldest kid on the block - and also the most complex one.
2618 It may not always do what you want. This may come as something of a shock
2619 to many who fell for the 'sendmail effect', which teaches us that any
2620 complex technology which doesn't come with documentation must be the best
2625 More about CBQ and its alternatives shortly.
2629 <Title>Flow within classful qdiscs & classes</Title>
2632 When traffic enters a classful qdisc, it needs to be sent to any of the
2633 classes within - it needs to be 'classified'. To determine what to do with a
2634 packet, the so called 'filters' are consulted. It is important to know that
2635 the filters are called from within a qdisc, and not the other way around!
2639 The filters attached to that qdisc then return with a decision, and the
2640 qdisc uses this to enqueue the packet into one of the classes. Each subclass
2641 may try other filters to see if further instructions apply. If not, the
2642 class enqueues the packet to the qdisc it contains.
2646 Besides containing other qdiscs, most classful qdiscs also perform shaping.
2647 This is useful to perform both packet scheduling (with SFQ, for example) and
2648 rate control. You need this in cases where you have a high speed
2649 interface (for example, ethernet) to a slower device (a cable modem).
2653 If you were only to run SFQ, nothing would happen, as packets enter &
2654 leave your router without delay: the output interface is far faster than
2655 your actual link speed. There is no queue to schedule then.
2661 <Title>The qdisc family: roots, handles, siblings and parents</Title>
2664 Each interface has one egress 'root qdisc', by default the earlier mentioned
2665 classless pfifo_fast queueing discipline. Each qdisc can be assigned a
2666 handle, which can be used by later configuration statements to refer to that
2667 qdisc. Besides an egress qdisc, an interface may also have an ingress, which
2668 polices traffic coming in.
2672 The handles of these qdiscs consist of two parts, a major number and a minor
2673 number. It is habitual to name the root qdisc '1:', which is equal to '1:0'.
2674 The minor number of a qdisc is always 0.
2678 Classes need to have the same major number as their parent.
2682 <Title>How filters are used to classify traffic </Title>
2685 Recapping, a typical hierarchy might look like this:
2702 But don't let this tree fool you! You should *not* imagine the kernel to be
2703 at the apex of the tree and the network below, that is just not the case.
2704 Packets get enqueued and dequeued at the root qdisc, which is the only thing
2705 the kernel talks to.
2709 A packet might get classified in a chain like this:
2713 1: -> 1:1 -> 12: -> 12:2
2717 The packet now resides in a queue in a qdisc attached to class 12:2. In this
2718 example, a filter was attached to each 'node' in the tree, each chosing a
2719 branch to take next. This can make sense. However, this is also possible:
2727 In this case, a filter attached to the root decided to send the packet
2734 <Title>How packets are dequeued to the hardware</Title>
2737 When the kernel decides that it needs to extract packets to send to the
2738 interface, the root qdisc 1: gets a dequeue request, which is passed to
2739 1:1, which is in turn passed to 10:, 11: and 12:, which each query their
2740 siblings, and try to dequeue() from them. In this case, the kernel needs to
2741 walk the entire tree, because only 12:2 contains a packet.
2745 In short, nested classes ONLY talk to their parent qdiscs, never to an
2746 interface. Only the root qdisc gets dequeued by the kernel!
2750 The upshot of this is that classes never get dequeued faster than their
2751 parents allow. And this is exactly what we want: this way we can have SFQ in
2752 an inner class, which doesn't do any shaping, only scheduling, and have a
2753 shaping outer qdisc, which does the shaping.
2761 <Title>The PRIO qdisc</Title>
2764 The PRIO qdisc doesn't actually shape, it only subdivides traffic based on
2765 how you configured your filters. You can consider the PRIO qdisc a kind
2766 of pfifo_fast on stereoids, whereby each band is a separate class instead of
2771 When a packet is enqueued to the PRIO qdisc, a class is chosen based on the
2772 filter commands you gave. By default, three classes are created. These
2773 classes by default contain pure FIFO qdiscs with no internal
2774 structure, but you can replace these by any qdisc you have available.
2778 Whenever a packet needs to be dequeued, class :1 is tried first. Higher
2779 classes are only used if lower bands all did not give up a packet.
2783 This qdisc is very useful in case you want to prioritize certain kinds of
2784 traffic without using only TOS-flags but using all the power of the tc
2785 filters. It can also contain more all qdiscs, whereas pfifo_fast is limited
2786 to simple fifo qdiscs.
2790 Because it doesn't actually shape, the same warning as for SFQ holds: either
2791 use it only if your physical link is really full or wrap it inside a
2792 classful qdisc that does shape. The last holds for almost all cablemodems
2797 In formal words, the PRIO qdisc is a Work-Conserving scheduler.
2801 <Title>PRIO parameters & usage</Title>
2804 The following parameters are recognized by tc:
2811 Number of bands to create. Each band is in fact a class. If you change this
2812 number, you must also change:
2816 <Term>priomap</Term>
2819 If you do not provide tc filters to classify traffic, the PRIO qdisc looks
2820 at the TC_PRIO priority to decide how to enqueue traffic.
2824 This works just like with the pfifo_fast qdisc mentioned earlier, see there
2829 The bands are classes, and are called major:1 to major:3 by default, so if
2830 your PRIO qdisc is called 12:, tc filter traffic to 12:1 to grant it more
2835 Reiterating, band 0 goes to minor number 1! Band 1 to minor number 2, etc.
2841 <Title>Sample configuration</Title>
2844 We will create this tree:
2859 Bulk traffic will go to 30:, interactive traffic to 20: or 10:.
2866 # tc qdisc add dev eth0 root handle 1: prio
2867 ## This *instantly* creates classes 1:1, 1:2, 1:3
2869 # tc qdisc add dev eth0 parent 1:1 handle 10: sfq
2870 # tc qdisc add dev eth0 parent 1:2 handle 20: tbf rate 20kbit buffer 1600 limit 3000
2871 # tc qdisc add dev eth0 parent 1:3 handle 30: sfq
2877 Now lets's see what we created:
2880 # tc -s qdisc ls dev eth0
2881 qdisc sfq 30: quantum 1514b
2882 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
2884 qdisc tbf 20: rate 20Kbit burst 1599b lat 667.6ms
2885 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
2887 qdisc sfq 10: quantum 1514b
2888 Sent 132 bytes 2 pkts (dropped 0, overlimits 0)
2890 qdisc prio 1: bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
2891 Sent 174 bytes 3 pkts (dropped 0, overlimits 0)
2894 As you can see, band 0 has already had some traffic, and one packet was sent
2895 while running this command!
2899 We now do some bulk data transfer with a tool that properly sets TOS flags,
2900 and take another look:
2903 # scp tc ahu@10.0.0.11:./
2904 ahu@10.0.0.11's password:
2905 tc 100% |*****************************| 353 KB 00:00
2906 # tc -s qdisc ls dev eth0
2907 qdisc sfq 30: quantum 1514b
2908 Sent 384228 bytes 274 pkts (dropped 0, overlimits 0)
2910 qdisc tbf 20: rate 20Kbit burst 1599b lat 667.6ms
2911 Sent 2640 bytes 20 pkts (dropped 0, overlimits 0)
2913 qdisc sfq 10: quantum 1514b
2914 Sent 2230 bytes 31 pkts (dropped 0, overlimits 0)
2916 qdisc prio 1: bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
2917 Sent 389140 bytes 326 pkts (dropped 0, overlimits 0)
2920 As you can see, all traffic went to handle 30:, which is the lowest priority
2921 band, just as intended. Now to verify that interactive traffic goes to
2922 higher bands, we create some interactive traffic:
2928 # tc -s qdisc ls dev eth0
2929 qdisc sfq 30: quantum 1514b
2930 Sent 384228 bytes 274 pkts (dropped 0, overlimits 0)
2932 qdisc tbf 20: rate 20Kbit burst 1599b lat 667.6ms
2933 Sent 2640 bytes 20 pkts (dropped 0, overlimits 0)
2935 qdisc sfq 10: quantum 1514b
2936 Sent 14926 bytes 193 pkts (dropped 0, overlimits 0)
2938 qdisc prio 1: bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
2939 Sent 401836 bytes 488 pkts (dropped 0, overlimits 0)
2945 It worked - all additional traffic has gone to 10:, which is our highest
2946 priority qdisc. No traffic was sent to the lowest priority, which previously
2947 received our entire scp.
2955 <Title>The famous CBQ qdisc</Title>
2958 As said before, CBQ is the most complex qdisc available, the most hyped, the
2959 least understood, and probably the trickiest one to get right. This is not
2960 because the authors are evil or incompetent, far from it, it's just that the
2961 CBQ algorithm isn't all that precise and doesn't really match the way Linux
2966 Besides being classful, CBQ is also a shaper and it is in that aspect that
2967 it really doesn't work very well. It should work like this. If you try to
2968 shape a 10mbit/s connection to 1mbit/s, the link should be idle 90% of the
2969 time. If it isn't, we need to throttle so that it IS idle 90% of the time.
2973 This is pretty hard to measure, so CBQ instead derives the idle time from
2974 the number of microseconds that elapse between requests from the hardware
2975 layer for more data. Combined, this can be used to approximate how full or
2980 This is rather circumspect and doesn't always arrive at proper results. For
2981 example, what if the actual link speed of an interface that is not really
2982 able to transmit the full 100mbit/s of data, perhaps because of a badly
2983 implemented driver? A PCMCIA network card will also never achieve 100mbit/s
2984 because of the way the bus is designed - again, how do we calculate the idle
2989 It gets even worse if we consider not-quite-real network devices like PPP
2990 over Ethernet or PPTP over TCP/IP. The effective bandwidth in that case is
2991 probably determined by the efficiency of pipes to userspace - which is huge.
2995 People who have done measurements discover that CBQ is not always very
2996 accurate and sometimes completely misses the mark.
3000 In many circumstances however it works well. With the documentation provided
3001 here, you should be able to configure it to work well in most cases.
3005 <Title>CBQ shaping in detail</Title>
3008 As said before, CBQ works by making sure that the link is idle just long
3009 enough to bring down the real bandwidth to the configured rate. To do so, it
3010 calculates the time that should pass between average packets.
3014 During operations, the effective idletime is measured using an exponential
3015 weighted moving average (EWMA), which considers recent packets to be
3016 exponentially more important than past ones. The unix loadaverage is
3017 calculated in the same way.
3021 The calculated idle time is substracted from the EWMA measured one, the
3022 resulting number is called 'avgidle'. A perfectly loaded link has an avgidle
3023 of zero: packets arrive exactly once every calculated interval.
3027 An overloaded link has a negative avgidle and if it gets too negative, CBQ
3028 shuts down for a while and is then 'overlimit'.
3032 Conversely, an idle link might amass a huge avgidle, which would then allow
3033 infinite bandwidths after a few hours of silence. To prevent this, avgidle is
3038 If overlimit, in theory, the CBQ could throttle itself for exactly the
3039 amount of time that was calculated to pass between packets, and then pass
3040 one packet, and throttle again. But see the 'minburst' parameter below.
3044 These are parameters you can specify in order to configure shaping:
3051 Average size of a packet, measured in bytes. Needed for calculating maxidle,
3052 which is derived from maxburst, which is specified in packets.
3056 <Term>bandwidth</Term>
3059 The physical bandwidth of your device, needed for idle time
3067 The time a packet takes to be transmitted over a device may grow in steps,
3068 based on the packet size. An 800 and an 806 size packet may take just as long
3069 to send, for example - this sets the granularity. Most often set to '8'.
3070 Must be an integral power of two.
3074 <Term>maxburst</Term>
3077 This number of packets is used to calculate maxidle so that when avgidle is
3078 at maxidle, this number of average packets can be burst before avgidle drops
3079 to 0. Set it higher to be more tolerant of bursts. You can't set maxidle
3080 directly, only via this parameter.
3084 <Term>minburst</Term>
3087 As mentioned before, CBQ needs to throttle in case of overlimit. The ideal
3088 solution is to do so for exactly the calculated idle time, and pass 1
3089 packet. However, Unix kernels generally have a hard time scheduling events
3090 shorter than 10ms, so it is better to throttle for a longer period, and then
3091 pass minburst packets in one go, and then sleep minburst times longer.
3095 The time to wait is called the offtime. Higher values of minburst lead to
3096 more accurate shaping in the long term, but to bigger bursts at millisecond
3101 <Term>minidle</Term>
3104 If avgidle is below 0, we are overlimits and need to wait until avgidle will
3105 be big enough to send one packet. To prevent a sudden burst from shutting
3106 down the link for a prolonged period of time, avgidle is reset to minidle if
3111 Minidle is specified in negative microseconds, so 10 means that avgidle is
3119 Mininum packet size - needed because even a zero size packet is padded
3120 to 64 bytes on ethernet, and so takes a certain time to transmit. CBQ needs
3121 to know this to accurately calculate the idle time.
3128 Desired rate of traffic leaving this qdisc - this is the 'speed knob'!
3135 Internally, CBQ has a lot of finetuning. For example, classes which are
3136 known not to have data enqueued to them aren't queried. Overlimit classes
3137 are penalized by lowering their effective priority. All very smart &
3144 <Title>CBQ classful behaviour</Title>
3147 Besides shaping, using the aforementioned idletime approximations, CBQ also
3148 acts like the PRIO queue in the sense that classes can have differing
3149 priorities and that lower priority numbers will be polled before the higher
3154 Each time a packet is requested by the hardware layer to be sent out to the
3155 network, a weighted round robin process ('WRR') starts, beginning with the
3156 lower priority classes.
3160 These are then grouped and queried if they have data available. If so, it is
3161 returned. After a class has been allowed to dequeue a number of bytes, the
3162 next class within that priority is tried.
3166 The following parameters control the WRR process:
3173 When the outer cbq is asked for a packet to send out on the interface, it
3174 will try all inner qdiscs (in the classes) in turn, in order of
3175 the 'priority' parameter. Each time a class gets its turn, it can only send out
3176 a limited amount of data. 'Allot' is the base unit of this amount. See
3177 the 'weight' parameter for more information.
3184 The CBQ can also act like the PRIO device. Inner classes with lower priority
3185 are tried first and as long as they have traffic, other classes are not
3193 Weight helps in the Weighted Round Robin process. Each class gets a chance
3194 to send in turn. If you have classes with significantly more bandwidth than
3195 other classes, it makes sense to allow them to send more data in one round
3200 A CBQ adds up all weights under a class, and normalizes them, so you can use
3201 arbitrary numbers: only the ratios are important. People have been
3202 using 'rate/10' as a rule of thumb and it appears to work well. The renormalized
3203 weight is multiplied by the 'allot' parameter to determine how much data can
3204 be sent in one round.
3211 Please note that all classes within an CBQ hierarchy need to share the same
3218 <Title>CBQ parameters that determine link sharing & borrowing</Title>
3221 Besides purely limiting certain kinds of traffic, it is also possible to
3222 specify which classes can borrow capacity from other classes or, conversely,
3230 <Term>Isolated/sharing</Term>
3233 A class that is configured with 'isolated' will not lend out bandwidth to
3234 sibling classes. Use this if you have competing or mutually-unfriendly
3235 agencies on your link who do want to give eachother freebies.
3239 The control program tc also knows about 'sharing', which is the reverse
3244 <Term>bounded/borrow</Term>
3247 A class can also be 'bounded', which means that it will not try to borrow
3248 bandwidth from sibling classes. tc also knows about 'borrow', which is the
3249 reverse of 'bounded'.
3253 A typical situation might be where you have two agencies on your link which
3254 are both 'isolated' and 'bounded', which means that they are really limited
3255 to their assigned rate, and also won't allow each other to borrow.
3259 Within such an agency class, there might be other classes which are allowed
3266 <Title>Sample configuration</Title>
3269 This configuration limits webserver traffic to 5mbit and smtp traffic to 3
3270 mbit. Together, they may not get more than 6mbit. We have a 100mbit NIC and
3271 the classes may borrow bandwidth from each other.
3274 # tc qdisc add dev eth0 root handle 1:0 cbq bandwidth 100Mbit \
3276 # tc class add dev eth0 parent 1:0 classid 1:1 cbq bandwidth 100Mbit \
3277 rate 6Mbit weight 0.6Mbit prio 8 allot 1514 cell 8 maxburst 20 \
3281 This part installs the root and the customary 1:0 class. The 1:1 class is
3282 bounded, so the total bandwidth can't exceed 6mbit.
3286 As said before, CBQ requires a *lot* of knobs. All parameters are explained
3287 above, however. The corresponding HTB configuration is lots simpler.
3293 # tc class add dev eth0 parent 1:1 classid 1:3 cbq bandwidth 100Mbit \
3294 rate 5Mbit weight 0.5Mbit prio 5 allot 1514 cell 8 maxburst 20 \
3296 # tc class add dev eth0 parent 1:1 classid 1:4 cbq bandwidth 100Mbit \
3297 rate 3Mbit weight 0.3Mbit prio 5 allot 1514 cell 8 maxburst 20 \
3304 These are our two classes. Note how we scale the weight with the configured
3305 rate. Both classes are not bounded, but they are connected to class 1:1
3306 which is bounded. So the sum of bandwith of the 2 classes will never be
3307 more than 6mbit. The classid's need to be within the same major number as
3308 the parent CBQ, by the way!
3314 # tc qdisc add dev eth0 parent 1:3 handle 30: sfq
3315 # tc qdisc add dev eth0 parent 1:4 handle 40: sfq
3321 Both classes have a FIFO qdisc by default. But we replaced these with an SFQ
3322 queue so each flow of data is treated equally.
3325 # tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip \
3326 sport 80 0xffff flowid 1:3
3327 # tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip \
3328 sport 25 0xffff flowid 1:4
3334 These commands, attached directly to the root, send traffic to the right
3339 Note that we use 'tc class add' to CREATE classes within a qdisc, but that
3340 we use 'tc qdisc add' to actually add qdiscs to these classes.
3344 You may wonder what happens to traffic that is not classified by any of the
3345 two rules. It appears that in this case, data will then be processed within
3346 1:0, and be unlimited.
3350 If smtp+web together try to exceed the set limit of 6mbit/s, bandwidth will
3351 be divided according to the weight parameter, giving 5/8 of traffic to the
3352 webserver and 3/8 to the mailserver.
3356 With this configuratien you can also say that webserver traffic will always
3357 get at minimum 5/8 * 6 mbit = 3.75 mbit.
3363 <Title>Other CBQ parameters: split & defmap</Title>
3366 As said before, a classful qdisc needs to call filters to determine
3367 which class a packet will be enqueued to.
3371 Besides calling the filter, CBQ offers other options, defmap & split.
3372 This is pretty complicated to understand, and it is not vital. But as this
3373 is the only known place where defmap & split are properly explained, I'm
3378 As you will often want to filter on the Type of Service field only, a special
3379 syntax is provided. Whenever the CBQ needs to figure out where a packet
3380 needs to be enqueued, it checks if this node is a 'split node'. If so, one
3381 of the sub-qdiscs has indicated that it wishes to receive all packets with
3382 a certain configured priority, as might be derived from the TOS field, or
3383 socket options set by applications.
3387 The packets' priority bits are or-ed with the defmap field to see if a match
3388 exists. In other words, this is a short-hand way of creating a very fast
3389 filter, which only matches certain priorities. A defmap of ff (hex) will
3390 match everything, a map of 0 nothing. A sample configuration may help make
3397 # tc qdisc add dev eth1 root handle 1: cbq bandwidth 10Mbit allot 1514 \
3398 cell 8 avpkt 1000 mpu 64
3400 # tc class add dev eth1 parent 1:0 classid 1:1 cbq bandwidth 10Mbit \
3401 rate 10Mbit allot 1514 cell 8 weight 1Mbit prio 8 maxburst 20 \
3405 Standard CBQ preamble. I never get used to the sheer amount of numbers
3410 Defmap refers to TC_PRIO bits, which are defined as follows:
3416 TC_PRIO.. Num Corresponds to TOS
3417 -------------------------------------------------
3418 BESTEFFORT 0 Maximize Reliablity
3419 FILLER 1 Minimize Cost
3420 BULK 2 Maximize Throughput (0x8)
3422 INTERACTIVE 6 Minimize Delay (0x10)
3429 The TC_PRIO.. number corresponds to bits, counted from the right. See the
3430 pfifo_fast section for more details how TOS bits are converted to
3435 Now the interactive and the bulk classes:
3441 # tc class add dev eth1 parent 1:1 classid 1:2 cbq bandwidth 10Mbit \
3442 rate 1Mbit allot 1514 cell 8 weight 100Kbit prio 3 maxburst 20 \
3443 avpkt 1000 split 1:0 defmap c0
3445 # tc class add dev eth1 parent 1:1 classid 1:3 cbq bandwidth 10Mbit \
3446 rate 8Mbit allot 1514 cell 8 weight 800Kbit prio 7 maxburst 20 \
3447 avpkt 1000 split 1:0 defmap 3f
3453 The 'split qdisc' is 1:0, which is where the choice will be made. C0 is
3454 binary for 11000000, 3F for 00111111, so these two together will match
3455 everything. The first class matches bits 7 & 6, and thus corresponds
3456 to 'interactive' and 'control' traffic. The second class matches the rest.
3460 Node 1:0 now has a table like this:
3477 For additional fun, you can also pass a 'change mask', which indicates
3478 exactly which priorities you wish to change. You only need to use this if you
3479 are running 'tc class change'. For example, to add best effort traffic to
3480 1:2, we could run this:
3486 # tc class change dev eth1 classid 1:2 cbq defmap 01/01
3492 The priority map over at 1:0 now looks like this:
3512 FIXME: did not test 'tc class change', only looked at the source.
3520 <Title>Hierarchical Token Bucket </Title>
3523 Martin Devera (<devik>) rightly realised that CBQ is complex and does
3524 not seem optimized for many typical situations. His Hierarchial approach is
3525 well suited for setups where you have a fixed amount of bandwidth which you
3526 want to divide for different purposes, giving each purpose a guaranteed
3527 bandwidth, with the possibility of specifying how much bandwidth can be
3532 HTB works just like CBQ but does not resort to idle time calculations to
3533 shape. Instead, it is a classful Token Bucket Filter - hence the name. It
3534 has only a few parameters, which are well documented on his
3536 URL="http://luxik.cdi.cz/~devik/qos/htb/"
3542 As your HTB configuration gets more complex, your configuration scales
3543 well. With CBQ it is already complex even in simple cases! HTB is not yet a
3544 part of the standard kernel, but it should soon be!
3548 If you are in a position to patch your kernel, by all means consider HTB.
3552 <Title>Sample configuration</Title>
3555 Functionally almost identical to the CBQ sample configuration above:
3561 # tc qdisc add dev eth0 root handle 1: htb default 30
3563 # tc class add dev eth0 parent 1: classid 1:1 htb rate 6mbit burst 15k
3565 # tc class add dev eth0 parent 1:1 classid 1:10 htb rate 5mbit burst 15k
3566 # tc class add dev eth0 parent 1:1 classid 1:20 htb rate 3mbit ceil 6mbit burst 15k
3567 # tc class add dev eth0 parent 1:1 classid 1:30 htb rate 1kbit ceil 6mbit burst 15k
3573 The author then recommends SFQ for beneath these classes:
3576 # tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
3577 # tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
3578 # tc qdisc add dev eth0 parent 1:30 handle 30: sfq perturb 10
3584 Add the filters which direct traffic to the right classes:
3587 # U32="tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32"
3588 # $U32 match ip dport 80 0xffff flowid 1:10
3589 # $U32 match ip sport 25 0xffff flowid 1:20
3592 And that's it - no unsightly unexplained numbers, no undocumented
3597 HTB certainly looks wonderful - if 10: and 20: both have their guaranteed
3598 bandwidth, and more is left to divide, they borrow in a 5:3 ratio, just as
3603 Unclassified traffic gets routed to 30:, which has little bandwidth of its
3604 own but can borrow everything that is left over. Because we chose SFQ
3605 internally, we get fairness thrown in for free!
3614 <Sect1 id="lartc.qdisc.filters">
3615 <Title>Classifying packets with filters</Title>
3618 To determine which class shall process a packet, the so-called 'classifier
3619 chain' is called each time a choice needs to be made. This chain consists of
3620 all filters attached to the classful qdisc that needs to decide.
3623 <Para>To reiterate the tree, which is not a tree:
3639 When enqueueing a packet, at each branch the filter chain is consulted for a
3640 relevant instruction. A typical setup might be to have a filter in 1:1 that
3641 directs a packet to 12: and a filter on 12: that sends the packet to 12:2.
3645 You might also attach this latter rule to 1:1, but you can make efficiency
3646 gains by having more specific tests lower in the chain.
3650 You can't filter a packet 'upwards', by the way. Also, with HTB, you should
3651 attach all filters to the root!
3655 And again - packets are only enqueued downwards! When they are dequeued,
3656 they go up again, where the interface lives. They do NOT fall off the end of
3657 the tree to the network adaptor!
3661 <Title>Some simple filtering examples</Title>
3664 As explained in the Classifier chapter, you can match on literally anything,
3665 using a very complicated syntax. To start, we will show how to do the
3666 obvious things, which luckily are quite easy.
3670 Let's say we have a PRIO qdisc called '10:' which contains three classes, and
3671 we want to assign all traffic from and to port 22 to the highest priority
3672 band, the filters would be:
3678 # tc filter add dev eth0 protocol ip parent 10: prio 1 u32 match \
3679 ip dport 22 0xffff flowid 10:1
3680 # tc filter add dev eth0 protocol ip parent 10: prio 1 u32 match \
3681 ip sport 80 0xffff flowid 10:1
3682 # tc filter add dev eth0 protocol ip parent 10: prio 2 flowid 10:2
3688 What does this say? It says: attach to eth0, node 10: a priority 1 u32
3689 filter that matches on IP destination port 22 *exactly* and send it to band
3690 10:1. And it then repeats the same for source port 80. The last command says
3691 that anything unmatched so far should go to band 10:2, the next-highest
3696 You need to add 'eth0', or whatever your interface is called, because each
3697 interface has a unique namespace of handles.
3701 To select on an IP address, use this:
3704 # tc filter add dev eth0 parent 10:0 protocol ip prio 1 u32 \
3705 match ip dst 4.3.2.1/32 flowid 10:1
3706 # tc filter add dev eth0 parent 10:0 protocol ip prio 1 u32 \
3707 match ip src 1.2.3.4/32 flowid 10:1
3708 # tc filter add dev eth0 protocol ip parent 10: prio 2 \
3715 This assigns traffic to 4.3.2.1 and traffic from 1.2.3.4 to the highest
3716 priority queue, and the rest to the next-highest one.
3720 You can concatenate matches, to match on traffic from 1.2.3.4 and from port
3724 # tc filter add dev eth0 parent 10:0 protocol ip prio 1 u32 match ip src 4.3.2.1/32
3725 match ip sport 80 0xffff flowid 10:1
3733 <Title>All the filtering commands you will normally need</Title>
3736 Most shaping commands presented here start with this preamble:
3739 # tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 ..
3742 These are the so called 'u32' matches, which can match on ANY part of a
3747 <Term>On source/destination address</Term>
3750 Source mask 'match ip src 1.2.3.0/24', destination mask 'match ip dst
3751 4.3.2.0/24'. To match a single host, use /32, or omit the mask.
3755 <Term>On source/destination port, all IP protocols</Term>
3758 Source: 'match ip sport 80 0xffff', 'match ip dport 0xffff'
3762 <Term>On ip protocol (tcp, udp, icmp, gre, ipsec)</Term>
3765 Use the numbers from /etc/protocols, for example, icmp is 1: 'match ip
3770 <Term>On fwmark</Term>
3773 You can mark packets with either ipchains and have that mark survive routing
3774 across interfaces. This is really useful to for example only shape traffic on
3775 eth1 that came in on eth0. Syntax:
3776 # tc filter add dev eth1 protocol ip parent 1:0 prio 1 handle 6 fw flowid 1:1
3777 Note that this is not a u32 match!
3781 You can place a mark like this:
3784 # iptables -A PREROUTING -t mangle -i eth0 -j MARK --set-mark 6
3787 The number 6 is arbitrary.
3791 If you don't want to understand the full tc filter syntax, just use
3792 iptables, and only learn to select on fwmark.
3796 <Term>On the TOS field</Term>
3799 To select interactive, minimum delay traffic:
3802 # tc filter add dev ppp0 parent 1:0 protocol ip prio 10 u32 \
3803 match ip tos 0x10 0xff \
3807 Use 0x08 0xff for bulk traffic.
3814 For more filtering commands, see the Advanced Filters chapter.
3820 <Sect1 id="lartc.imq">
3821 <Title>The Intermediate queueing device (IMQ)</Title>
3824 The Intermediate queueing device is not a qdisc but its usage is tightly bound
3825 to qdiscs. Within linux, qdiscs are attached to network devices and everything
3826 that is queued to the device is first queued to the qdisc. From this concept,
3827 two limitations arise:
3831 1. Only egress shaping is possible (an ingress qdisc exists, but its
3832 possibilities are very limited compared to classful qdiscs).
3836 2. A qdisc can only see traffic of one interface, global limitations can't be
3841 IMQ is there to help solve those two limitations. In short, you can put
3842 everything you choose in a qdisc. Specially marked packets get intercepted
3843 in netfilter NF_IP_PRE_ROUTING and NF_IP_POST_ROUTING hooks and pass through
3844 the qdisc attached to an imq device. An iptables target is used for marking
3849 This enables you to do ingress shaping as you can just mark packets coming in from somewhere and/or treat interfaces as classes to set global limits.
3850 You can also do lots of other stuff like just putting your http traffic in a
3851 qdisc, put new connection requests in a qdisc, ...
3855 <Title>Sample configuration</Title>
3858 The first thing that might come to mind is use ingress shaping to give yourself
3859 a high guaranteed bandwidth. ;)
3860 Configuration is just like with any other interface:
3863 tc qdisc add dev imq0 root handle 1: htb default 20
3865 tc class add dev imq0 parent 1: classid 1:1 htb rate 2mbit burst 15k
3867 tc class add dev imq0 parent 1:1 classid 1:10 htb rate 1mbit
3868 tc class add dev imq0 parent 1:1 classid 1:20 htb rate 1mbit
3870 tc qdisc add dev imq0 parent 1:10 handle 10: pfifo
3871 tc qdisc add dev imq0 parent 1:20 handle 20: sfq
3873 tc filter add dev imq0 parent 10:0 protocol ip prio 1 u32 match \
3874 ip dst 10.0.0.230/32 flowid 1:10
3877 In this example u32 is used for classification. Other classifiers should work as
3879 Next traffic has to be selected and marked to be enqueued to imq0.
3882 iptables -t mangle -A PREROUTING -i eth0 -j IMQ --todev 0
3890 The IMQ iptables targets is valid in the PREROUTING and POSTROUTING chains of
3891 the mangle table. It's syntax is
3894 IMQ [ --todev n ] n : number of imq device
3897 An ip6tables target is also provided.
3901 Please note traffic is not enqueued when the target is hit but afterwards.
3902 The exact location where traffic enters the imq device depends on the
3903 direction of the traffic (in/out).
3904 These are the predefined netfilter hooks used by iptables:
3907 enum nf_ip_hook_priorities {
3908 NF_IP_PRI_FIRST = INT_MIN,
3909 NF_IP_PRI_CONNTRACK = -200,
3910 NF_IP_PRI_MANGLE = -150,
3911 NF_IP_PRI_NAT_DST = -100,
3912 NF_IP_PRI_FILTER = 0,
3913 NF_IP_PRI_NAT_SRC = 100,
3914 NF_IP_PRI_LAST = INT_MAX,
3921 For ingress traffic, imq registers itself with NF_IP_PRI_MANGLE + 1 priority
3922 which means packets enter the imq device directly after the mangle PREROUTING
3923 chain has been passed.
3927 For egress imq uses NF_IP_PRI_LAST which honours the fact that packets dropped
3928 by the filter table won't occupy bandwidth.
3932 The patches and some more information can be found at the
3934 URL="http://luxik.cdi.cz/~patrick/imq/"
3944 <chapter id="lartc.loadshare">
3945 <Title>Loadsharing over multiple interfaces</Title>
3948 There are several ways of doing this. One of the easiest and straightforward
3949 ways is 'TEQL' - "True" (or "trivial") link equalizer. Like most things
3950 having to do with queueing, loadsharing goes both ways. Both ends of a link
3951 may need to participate for full effect.
3955 Imagine this situation:
3961 +-------+ eth1 +-------+
3963 'network 1' ----| A | | B |---- 'network 2'
3965 +-------+ eth2 +-------+
3971 A and B are routers, and for the moment we'll assume both run Linux. If
3972 traffic is going from network 1 to network 2, router A needs to distribute
3973 the packets over both links to B. Router B needs to be configured to accept
3974 this. Same goes the other way around, when packets go from network 2 to
3975 network 1, router B needs to send the packets over both eth1 and eth2.
3979 The distributing part is done by a 'TEQL' device, like this (it couldn't be
3986 # tc qdisc add dev eth1 root teql0
3987 # tc qdisc add dev eth2 root teql0
3988 # ip link set dev teql0 up
3994 Don't forget the 'ip link set up' command!
3998 This needs to be done on both hosts. The device teql0 is basically a
3999 roundrobbin distributor over eth1 and eth2, for sending packets. No data
4000 ever comes in over an teql device, that just appears on the 'raw' eth1 and
4005 But now we just have devices, we also need proper routing. One way to do
4006 this is to assign a /31 network to both links, and a /31 to the teql0 device
4011 FIXME: does this need something like 'nobroadcast'? A /31 is too small to
4012 house a network address and a broadcast address - if this doesn't work as
4013 planned, try a /30, and adjust the ip adresses accordingly. You might even
4014 try to make eth1 and eth2 do without an IP address!
4021 # ip addr add dev eth1 10.0.0.0/31
4022 # ip addr add dev eth2 10.0.0.2/31
4023 # ip addr add dev teql0 10.0.0.4/31
4032 # ip addr add dev eth1 10.0.0.1/31
4033 # ip addr add dev eth2 10.0.0.3/31
4034 # ip addr add dev teql0 10.0.0.5/31
4040 Router A should now be able to ping 10.0.0.1, 10.0.0.3 and 10.0.0.5 over the
4041 2 real links and the 1 equalized device. Router B should be able to ping
4042 10.0.0.0, 10.0.0.2 and 10.0.0.4 over the links.
4046 If this works, Router A should make 10.0.0.5 its route for reaching network
4047 2, and Router B should make 10.0.0.4 its route for reaching network 1. For
4048 the special case where network 1 is your network at home, and network 2 is
4049 the Internet, Router A should make 10.0.0.5 its default gateway.
4052 <Sect1 id="lartc.loadshare.caveats">
4053 <Title>Caveats</Title>
4056 Nothing is as easy as it seems. eth1 and eth2 on both router A and B need to
4057 have return path filtering turned off, because they will otherwise drop
4058 packets destined for ip addresses other than their own:
4064 # echo 0 > /proc/net/ipv4/conf/eth1/rp_filter
4065 # echo 0 > /proc/net/ipv4/conf/eth2/rp_filter
4071 Then there is the nasty problem of packet reordering. Let's say 6 packets
4072 need to be sent from A to B - eth1 might get 1, 3 and 5. eth2 would then do
4073 2, 4 and 6. In an ideal world, router B would receive this in order, 1, 2,
4074 3, 4, 5, 6. But the possibility is very real that the kernel gets it like
4075 this: 2, 1, 4, 3, 6, 5. The problem is that this confuses TCP/IP. While not
4076 a problem for links carrying many different TCP/IP sessions, you won't be
4077 able to to a bundle multiple links and get to ftp a single file lots faster,
4078 except when your receiving or sending OS is Linux, which is not easily
4079 shaken by some simple reordering.
4083 However, for lots of applications, link loadbalancing is a great idea.
4087 <Sect1 id="lartc.loadshare.other">
4088 <Title>Other possibilities</Title>
4090 William Stearns has used an advanced tunneling setup to achieve good use of
4091 multiple, unrelated, internet connections together. It can be found on
4093 URL="http://www.stearns.org/tunnel/">his tunneling page</ULink>.
4096 The HOWTO may feature more about this in the future.
4101 <chapter id="lartc.netfilter">
4102 <Title>Netfilter & iproute - marking packets</Title>
4105 So far we've seen how iproute works, and netfilter was mentioned a few
4106 times. This would be a good time to browse through <ULink
4107 URL="http://netfilter.samba.org/unreliable-guides/"
4108 >Rusty's Remarkably Unreliable Guides</ULink
4111 URL="http://netfilter.filewatcher.org/"
4117 Netfilter allows us to filter packets, or mangle their headers. One special
4118 feature is that we can mark a packet with a number. This is done with the
4119 --set-mark facility.
4123 As an example, this command marks all packets destined for port 25, outgoing
4130 # iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport 25 \
4131 -j MARK --set-mark 1
4137 Let's say that we have multiple connections, one that is fast (and
4138 expensive, per megabyte) and one that is slower, but flat fee. We would most
4139 certainly like outgoing mail to go via the cheap route.
4143 We've already marked the packets with a '1', we now instruct the routing
4144 policy database to act on this:
4150 # echo 201 mail.out >> /etc/iproute2/rt_tables
4151 # ip rule add fwmark 1 table mail.out
4153 0: from all lookup local
4154 32764: from all fwmark 1 lookup mail.out
4155 32766: from all lookup main
4156 32767: from all lookup default
4162 Now we generate the mail.out table with a route to the slow but cheap link:
4165 # /sbin/ip route add default via 195.96.98.253 dev ppp0 table mail.out
4171 And we are done. Should we want to make exceptions, there are lots of ways
4172 to achieve this. We can modify the netfilter statement to exclude certain
4173 hosts, or we can insert a rule with a lower priority that points to the main
4174 table for our excepted hosts.
4178 We can also use this feature to honour TOS bits by marking packets with a
4179 different type of service with different numbers, and creating rules to act
4180 on that. This way you can even dedicate, say, an ISDN line to interactive
4185 Needless to say, this also works fine on a host that's doing NAT
4190 IMPORTANT: We received a report that MASQ and SNAT at least collide
4191 with marking packets. Rusty Russell explains it in
4193 URL="http://lists.samba.org/pipermail/netfilter/2000-November/006089.html"
4194 >this posting</ULink
4195 >. Turn off the reverse path filter to make it work
4200 Note: to mark packets, you need to have some options enabled in your
4207 IP: advanced router (CONFIG_IP_ADVANCED_ROUTER) [Y/n/?]
4208 IP: policy routing (CONFIG_IP_MULTIPLE_TABLES) [Y/n/?]
4209 IP: use netfilter MARK value as routing key (CONFIG_IP_ROUTE_FWMARK) [Y/n/?]
4215 See also the <xref linkend="lartc.cookbook.squid"> in the
4216 <citetitle><xref linkend="lartc.cookbook"></citetitle>.
4221 <chapter id="lartc.adv-filter"
4222 xreflabel="Advanced filters for (re-)classifying packets">
4223 <Title>Advanced filters for (re-)classifying packets</Title>
4226 As explained in the section on classful queueing disciplines, filters are
4227 needed to classify packets into any of the sub-queues. These filters are
4228 called from within the classful qdisc.
4232 Here is an incomplete list of classifiers available:
4239 Bases the decision on how the firewall has marked the packet. This can be
4240 the easy way out if you don't want to learn tc filter syntax. See the
4241 Queueing chapter for details.
4248 Bases the decision on fields within the packet (i.e. source IP address, etc)
4255 Bases the decision on which route the packet will be routed by
4259 <Term>rsvp, rsvp6</Term>
4262 Routes packets based on <ULink
4263 URL="http://www.isi.edu/div7/rsvp/overview.html"
4266 on networks you control - the Internet does not respect RSVP.
4270 <Term>tcindex</Term>
4273 Used in the DSMARK qdisc, see the relevant section.
4280 Note that in general there are many ways in which you can classify packet
4281 and that it generally comes down to preference as to which system you wish
4286 Classifiers in general accept a few arguments in common. They are listed
4287 here for convenience:
4294 <Term>protocol</Term>
4297 The protocol this classifier will accept. Generally you will only be
4298 accepting only IP traffic. Required.
4305 The handle this classifier is to be attached to. This handle must be
4306 an already existing class. Required.
4313 The priority of this classifier. Lower numbers get tested first.
4320 This handle means different things to different filters.
4327 All the following sections will assume you are trying to shape the traffic
4328 going to <Literal remap="tt">HostA</Literal>. They will assume that the root class has been
4329 configured on 1: and that the class you want to send the selected traffic to
4333 <Sect1 id="lartc.adv-filter.u32">
4334 <Title>The <option>u32</option> classifier</Title>
4337 The U32 filter is the most advanced filter available in the current
4338 implementation. It entirely based on hashing tables, which make it
4339 robust when there are many filter rules.
4343 In its simplest form the U32 filter is a list of records, each
4344 consisting of two fields: a selector and an action. The selectors,
4345 described below, are compared with the currently processed IP packet
4346 until the first match occurs, and then the associated action is performed.
4347 The simplest type of action would be directing the packet into defined
4352 The commandline of <Literal remap="tt">tc filter</Literal> program, used to configure the filter,
4353 consists of three parts: filter specification, a selector and an action.
4354 The filter specification can be defined as:
4360 tc filter add dev IF [ protocol PROTO ]
4361 [ (preference|priority) PRIO ]
4368 The <Literal remap="tt">protocol</Literal> field describes protocol that the filter will be
4369 applied to. We will only discuss case of <Literal remap="tt">ip</Literal> protocol. The
4370 <Literal remap="tt">preference</Literal> field (<Literal remap="tt">priority</Literal> can be used alternatively)
4371 sets the priority of currently defined filter. This is important, since
4372 you can have several filters (lists of rules) with different priorities.
4373 Each list will be passed in the order the rules were added, then list with
4374 lower priority (higher preference number) will be processed. The <Literal remap="tt">parent</Literal>
4375 field defines the CBQ tree top (e.g. 1:0), the filter should be attached
4380 The options decribed above apply to all filters, not only U32.
4384 <Title>U32 selector </Title>
4387 The U32 selector contains definition of the pattern, that will be matched
4388 to the currently processed packet. Precisely, it defines which bits are
4389 to be matched in the packet header and nothing more, but this simple
4390 method is very powerful. Let's take a look at the following examples,
4391 taken directly from a pretty complex, real-world filter:
4397 # tc filter add dev eth0 protocol ip parent 1:0 pref 10 u32 \
4398 match u32 00100000 00ff0000 at 0 flowid 1:10
4404 For now, leave the first line alone - all these parameters describe
4405 the filter's hash tables. Focus on the selector line, containing
4406 <Literal remap="tt">match</Literal> keyword. This selector will match to IP headers, whose
4407 second byte will be 0x10 (0010). As you can guess, the 00ff number is
4408 the match mask, telling the filter exactly which bits to match. Here
4409 it's 0xff, so the byte will match if it's exactly 0x10. The <Literal remap="tt">at</Literal>
4410 keyword means that the match is to be started at specified offset (in
4411 bytes) -- in this case it's beginning of the packet. Translating all
4412 that to human language, the packet will match if its Type of Service
4413 field will have `low delay' bits set. Let's analyze another rule:
4419 # tc filter add dev eth0 protocol ip parent 1:0 pref 10 u32 \
4420 match u32 00000016 0000ffff at nexthdr+0 flowid 1:10
4426 The <Literal remap="tt">nexthdr</Literal> option means next header encapsulated in the IP packet,
4427 i.e. header of upper-layer protocol. The match will also start here
4428 at the beginning of the next header. The match should occur in the
4429 second, 32-bit word of the header. In TCP and UDP protocols this field
4430 contains packet's destination port. The number is given in big-endian
4431 format, i.e. older bits first, so we simply read 0x0016 as 22 decimal,
4432 which stands for SSH service if this was TCP. As you guess, this match
4433 is ambigous without a context, and we will discuss this later.
4437 Having understood all the above, we will find the following selector
4438 quite easy to read: <Literal remap="tt">match c0a80100 ffffff00 at 16</Literal>. What we
4439 got here is a three byte match at 17-th byte, counting from the IP
4440 header start. This will match for packets with destination address
4441 anywhere in 192.168.1/24 network. After analyzing the examples, we
4442 can summarize what we have learnt.
4448 <Title>General selectors</Title>
4451 General selectors define the pattern, mask and offset the pattern
4452 will be matched to the packet contents. Using the general selectors
4453 you can match virtually any single bit in the IP (or upper layer)
4454 header. They are more difficult to write and read, though, than
4455 specific selectors that described below. The general selector syntax
4462 match [ u32 | u16 | u8 ] PATTERN MASK [ at OFFSET | nexthdr+OFFSET]
4468 One of the keywords <Literal remap="tt">u32</Literal>, <Literal remap="tt">u16</Literal> or <Literal remap="tt">u8</Literal> specifies
4469 length of the pattern in bits. PATTERN and MASK should follow, of length
4470 defined by the previous keyword. The OFFSET parameter is the offset,
4471 in bytes, to start matching. If <Literal remap="tt">nexthdr+</Literal> keyword is given,
4472 the offset is relative to start of the upper layer header.
4482 # tc filter add dev ppp14 parent 1:0 prio 10 u32 \
4483 match u8 64 0xff at 8 \
4490 Packet will match to this rule, if its time to live (TTL) is 64.
4491 TTL is the field starting just after 8-th byte of the IP header.
4497 # tc filter add dev ppp14 parent 1:0 prio 10 u32 \
4498 match u8 0x10 0xff at nexthdr+13 \
4506 FIXME: it has been pointed out that this syntax does not work currently.
4510 Use this to match ACKs on packets smaller than 64 bytes:
4516 ## match acks the hard way,
4518 ## IP header length 0x5(32 bit words),
4519 ## IP Total length 0x34 (ACK + 12 bytes of TCP options)
4520 ## TCP ack set (bit 5, offset 33)
4521 # tc filter add dev ppp14 parent 1:0 protocol ip prio 10 u32 \
4522 match ip protocol 6 0xff \
4523 match u8 0x05 0x0f at 0 \
4524 match u16 0x0000 0xffc0 at 2 \
4525 match u8 0x10 0xff at 33 \
4532 This rule will only match TCP packets with ACK bit set, and no further
4533 payload. Here we can see an example of using two selectors, the final result
4534 will be logical AND of their results. If we take a look at TCP header
4535 diagram, we can see that the ACK bit is second older bit (0x10) in the 14-th
4536 byte of the TCP header (<Literal remap="tt">at nexthdr+13</Literal>). As for the second
4537 selector, if we'd like to make our life harder, we could write <Literal remap="tt">match u8
4538 0x06 0xff at 9</Literal> instead of using the specific selector <Literal remap="tt">protocol
4539 tcp</Literal>, because 6 is the number of TCP protocol, present in 10-th byte of
4540 the IP header. On the other hand, in this example we couldn't use any
4541 specific selector for the first match - simply because there's no specific
4542 selector to match TCP ACK bits.
4548 <Title>Specific selectors</Title>
4551 The following table contains a list of all specific selectors
4552 the author of this section has found in the <Literal remap="tt">tc</Literal> program
4553 source code. They simply make your life easier and increase readability
4554 of your filter's configuration.
4558 FIXME: table placeholder - the table is in separate file ,,selector.html''
4562 FIXME: it's also still in Polish :-(
4566 FIXME: must be sgml'ized
4576 # tc filter add dev ppp0 parent 1:0 prio 10 u32 \
4577 match ip tos 0x10 0xff \
4584 FIXME: tcp dst match does not work as described below:
4588 The above rule will match packets which have the TOS field set to 0x10.
4589 The TOS field starts at second byte of the packet and is one byte big,
4590 so we could write an equivalent general selector: <Literal remap="tt">match u8 0x10 0xff
4591 at 1</Literal>. This gives us hint to the internals of U32 filter -- the
4592 specific rules are always translated to general ones, and in this
4593 form they are stored in the kernel memory. This leads to another conclusion
4594 -- the <Literal remap="tt">tcp</Literal> and <Literal remap="tt">udp</Literal> selectors are exactly the same
4595 and this is why you can't use single <Literal remap="tt">match tcp dst 53 0xffff</Literal>
4596 selector to match TCP packets sent to given port -- they will also
4597 match UDP packets sent to this port. You must remember to also specify
4598 the protocol and end up with the following rule:
4604 # tc filter add dev ppp0 parent 1:0 prio 10 u32 \
4605 match tcp dst 53 0xffff \
4606 match ip protocol 0x6 0xff \
4616 <Sect1 id="lartc.adv-filter.route">
4617 <Title>The <option>route</option> classifier</Title>
4620 This classifier filters based on the results of the routing tables. When a
4621 packet that is traversing through the classes reaches one that is marked
4622 with the "route" filter, it splits the packets up based on information in
4629 # tc filter add dev eth1 parent 1:0 protocol ip prio 100 route
4635 Here we add a route classifier onto the parent node 1:0 with priority 100.
4636 When a packet reaches this node (which, since it is the root, will happen
4637 immediately) it will consult the routing table and if one matches will
4638 send it to the given class and give it a priority of 100. Then, to finally
4639 kick it into action, you add the appropriate routing entry:
4643 The trick here is to define 'realm' based on either destination or source.
4644 The way to do it is like this:
4650 # ip route add Host/Network via Gateway dev Device realm RealmNumber
4656 For instance, we can define our destination network 192.168.10.0 with a realm
4663 # ip route add 192.168.10.0/24 via 192.168.10.1 dev eth1 realm 10
4669 When adding route filters, we can use realm numbers to represent the
4670 networks or hosts and specify how the routes match the filters.
4676 # tc filter add dev eth1 parent 1:0 protocol ip prio 100 \
4677 route to 10 classid 1:10
4683 The above rule says packets going to the network 192.168.10.0 match class id
4688 Route filter can also be used to match source routes. For example, there is
4689 a subnetwork attached to the Linux router on eth2.
4695 # ip route add 192.168.2.0/24 dev eth2 realm 2
4696 # tc filter add dev eth1 parent 1:0 protocol ip prio 100 \
4697 route from 2 classid 1:2
4703 Here the filter specifies that packets from the subnetwork 192.168.2.0
4704 (realm 2) will match class id 1:2.
4709 <Sect1 id="lartc.adv-filter.policing">
4710 <Title>Policing filters</Title>
4713 To make even more complicated setups possible, you can have filters that
4714 only match up to a certain bandwidth. You can declare a filter to entirely
4715 cease matching above a certain rate, or only to not match only the bandwidth
4716 exceeding a certain rate.
4720 So if you decided to police at 4mbit/s, but 5mbit/s of traffic is present,
4721 you can stop matching either the entire 5mbit/s, or only not match 1mbit/s,
4722 and do send 4mbit/s to the configured class.
4726 If bandwidth exceeds the configured rate, you can drop a packet, reclassify
4727 it, or see if another filter will match it.
4731 <Title>Ways to police</Title>
4734 There are basically two ways to police. If you compiled the kernel
4735 with 'Estimators', the kernel can measure for each filter how much traffic
4736 it is passing, more or less. These estimators are very easy on the CPU, as
4737 they simply count 25 times per second how many data has been passed, and
4738 calculate the bitrate from that.
4742 The other way works again via a Token Bucket Filter, this time living within
4743 your filter. The TBF only matches traffic UP TO your configured bandwidth,
4744 if more is offered, only the excess is subject to the configured overlimit
4749 <Title>With the kernel estimator</Title>
4752 This is very simple and has only one parameter: avrate. Either the flow
4753 remains below avrate, and the filter classifies the traffic to the classid
4754 configured, or your rate exceeds it in which case the specified action is
4755 taken, which is 'reclassify' by default.
4759 The kernel uses an Exponential Weighted Moving Average for your bandwidth
4760 which makes it less sensitive to short bursts.
4766 <Title>With Token Bucket Filter</Title>
4769 Uses the following parameters:
4802 Which behave mostly identical to those described in the Token Bucket Filter
4803 section. Please note however that if you set the mtu of a TBF policer too
4804 low, *no* packets will pass, whereas the egress TBF qdisc will just pass
4809 Another difference is that a policer can only let a packet pass, or drop it.
4810 It cannot delay hold on to it in order to delay it.
4818 <Title>Overlimit actions</Title>
4821 If your filter decides that it is overlimit, it can take 'actions'.
4822 Currently, three actions are available:
4826 <Term>continue</Term>
4829 Causes this filter not to match, but perhaps other filters will.
4836 This is a very fierce option which simply discards traffic exceeding a
4837 certain rate. It is often used in the ingress policer and has limited uses.
4838 For example, you may have a nameserver that falls over if offered more than
4839 5mbit/s of packets, in which case an ingress filter could be used to make
4840 sure no more is ever offered.
4844 <Term>Pass/OK</Term>
4847 Pass on traffic ok. Might be used to disable a complicated filter, but leave
4852 <Term>reclassify</Term>
4855 Most often comes down to reclassification to Best Effort. This is the
4865 <Title>Examples</Title>
4868 The only real example known is mentioned in the 'Protecting your host
4869 from SYN floods' section.
4873 FIXME: if you have used this, please share your experience with us
4880 <Sect1 id="lartc.adv-filter.hashing">
4881 <Title>Hashing filters for very fast massive filtering</Title>
4884 If you have a need for thousands of rules, for example if you have a lot of
4885 clients or computers, all with different QoS specifications, you may find
4886 that the kernel spends a lot of time matching all those rules.
4890 By default, all filters reside in one big chain which is matched in
4891 descending order of priority. If you have 1000 rules, 1000 checks may be
4892 needed to determine what to do with a packet.
4896 Matching would go much quicker if you would have 256 chains with each four
4897 rules - if you could divide packets over those 256 chains, so that the right
4902 Hashing makes this possible. Let's say you have 1024 cablemodem customers in
4903 your network, with IP addresses ranging from 1.2.0.0 to 1.2.3.255, and each
4904 has to go in another bin, for example 'lite', 'regular' and 'premium'. You
4905 would then have 1024 rules like this:
4911 # tc filter add dev eth1 parent 1:0 protocol ip prio 100 match ip src \
4913 # tc filter add dev eth1 parent 1:0 protocol ip prio 100 match ip src \
4916 # tc filter add dev eth1 parent 1:0 protocol ip prio 100 match ip src \
4917 1.2.3.254 classid 1:3
4918 # tc filter add dev eth1 parent 1:0 protocol ip prio 100 match ip src \
4919 1.2.3.255 classid 1:2
4925 To speed this up, we can use the last part of the IP address as a 'hash
4926 key'. We then get 256 tables, the first of which looks like this:
4929 # tc filter add dev eth1 parent 1:0 protocol ip prio 100 match ip src \
4931 # tc filter add dev eth1 parent 1:0 protocol ip prio 100 match ip src \
4933 # tc filter add dev eth1 parent 1:0 protocol ip prio 100 match ip src \
4935 # tc filter add dev eth1 parent 1:0 protocol ip prio 100 match ip src \
4942 The next one starts like this:
4945 # tc filter add dev eth1 parent 1:0 protocol ip prio 100 match ip src \
4953 This way, only four checks are needed at most, two on average.
4957 Configuration is pretty complicated, but very worth it by the time you have
4958 this many rules. First we make a filter root, then we create a table with
4962 # tc filter add dev eth1 parent 1:0 prio 5 protocol ip u32
4963 # tc filter add dev eth1 parent 1:0 prio 5 handle 2: protocol ip u32 divisor 256
4969 Now we add some rules to entries in the created table:
4975 # tc filter add dev eth1 protocol ip parent 1:0 prio 5 u32 ht 2:7b: \
4976 match ip src 1.2.0.123 flowid 1:1
4977 # tc filter add dev eth1 protocol ip parent 1:0 prio 5 u32 ht 2:7b: \
4978 match ip src 1.2.1.123 flowid 1:2
4979 # tc filter add dev eth1 protocol ip parent 1:0 prio 5 u32 ht 2:7b: \
4980 match ip src 1.2.3.123 flowid 1:3
4981 # tc filter add dev eth1 protocol ip parent 1:0 prio 5 u32 ht 2:7b: \
4982 match ip src 1.2.4.123 flowid 1:2
4985 This is entry 123, which contains matches for 1.2.0.123, 1.2.1.123,
4986 1.2.2.123, 1.2.3.123, and sends them to 1:1, 1:2, 1:3 and 1:2 respectively.
4987 Note that we need to specify our hash bucket in hex, 0x7b is 123.
4991 Next create a 'hashing filter' that directs traffic to the right entry in
4995 # tc filter add dev eth1 protocol ip parent 1:0 prio 5 u32 ht 800:: \
4996 match ip src 1.2.0.0/16 \
4997 hashkey mask 0x000000ff at 12 \
5001 Ok, some numbers need explaining. The default hash table is called 800:: and
5002 all filtering starts there. Then we select the source address, which lives
5003 as position 12, 13, 14 and 15 in the IP header, and indicate that we are
5004 only interested in the last part. This we send to hash table 2:, which we
5009 It is quite complicated, but it does work in practice and performance will
5010 be staggering. Note that this example could be improved to the ideal case
5011 where each chain contains 1 filter!
5018 <chapter id="lartc.kernel">
5019 <Title>Kernel network parameters </Title>
5023 The kernel has lots of parameters which
5024 can be tuned for different circumstances. While, as usual, the default
5025 parameters serve 99% of installations very well, we don't call this the
5026 Advanced HOWTO for the fun of it!
5030 The interesting bits are in /proc/sys/net, take a look there. Not everything
5031 will be documented here initially, but we're working on it.
5035 In the meantime you may want to have a look at the Linux-Kernel sources;
5036 read the file Documentation/filesystems/proc.txt. Most of the
5037 features are explained there.
5044 <Sect1 id="lartc.kernel.rpf"
5045 xreflabel="Reverse Path Filtering">
5046 <Title>Reverse Path Filtering</Title>
5049 By default, routers route everything, even packets which 'obviously' don't
5050 belong on your network. A common example is private IP space escaping onto
5051 the Internet. If you have an interface with a route of 195.96.96.0/24 to it,
5052 you do not expect packets from 212.64.94.1 to arrive there.
5056 Lots of people will want to turn this feature off, so the kernel hackers
5057 have made it easy. There are files in /proc where you can tell
5058 the kernel to do this for you. The method is called "Reverse Path
5059 Filtering". Basically, if the reply to this packet wouldn't go out the
5060 interface this packet came in, then this is a bogus packet and should be
5065 The following fragment will turn this on for all current and future
5072 # for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
5073 > echo 2 > $i
5080 Going by the example above, if a packet arrived on the Linux router on eth1
5081 claiming to come from the Office+ISP subnet, it would be dropped. Similarly,
5082 if a packet came from the Office subnet, claiming to be from somewhere
5083 outside your firewall, it would be dropped also.
5087 The above is full reverse path filtering. The default is to only filter
5088 based on IPs that are on directly connected networks. This is because the
5089 full filtering breaks in the case of asymmetric routing (where packets come
5090 in one way and go out another, like satellite traffic, or if you have
5091 dynamic (bgp, ospf, rip) routes in your network. The data comes down
5092 through the satellite dish and replies go back through normal land-lines).
5096 If this exception applies to you (and you'll probably know if it does) you
5097 can simply turn off the rp_filter on the interface where the
5098 satellite data comes in. If you want to see if any packets are being
5099 dropped, the log_martians file in the same directory will tell
5100 the kernel to log them to your syslog.
5106 # echo 1 >/proc/sys/net/ipv4/conf/<interfacename>/log_martians
5112 FIXME: is setting the conf/{default,all}/* files enough? - martijn
5117 <Sect1 id="lartc.kernel.obscure">
5118 <Title>Obscure settings</Title>
5121 Ok, there are a lot of parameters which can be modified. We try to list them
5122 all. Also documented (partly) in Documentation/ip-sysctl.txt.
5126 Some of these settings have different defaults based on whether you
5127 answered 'Yes' to 'Configure as router and not host' while compiling your
5132 <Title>Generic ipv4</Title>
5135 As a generic note, most rate limiting features don't work on loopback, so
5136 don't test them locally. The limits are supplied in 'jiffies', and are
5137 enforced using the earlier mentioned token bucket filter.
5141 The kernel has an internal clock which runs at 'HZ' ticks (or 'jiffies') per
5142 second. On intel, 'HZ' is mostly 100. So setting a *_rate file to, say 50,
5143 would allow for 2 packets per second. The token bucket filter is also
5144 configured to allow for a burst of at most 6 packets, if enough tokens have
5149 Several entries in the following list have been copied from
5150 /usr/src/linux/Documentation/networking/ip-sysctl.txt, written by Alexey
5151 Kuznetsov <kuznet@ms2.inr.ac.ru> and Andi Kleen <ak@muc.de>
5155 <Term>/proc/sys/net/ipv4/icmp_destunreach_rate</Term>
5158 If the kernel decides that it can't deliver a packet, it will drop it, and
5159 send the source of the packet an ICMP notice to this effect.
5163 <Term>/proc/sys/net/ipv4/icmp_echo_ignore_all</Term>
5166 Don't act on echo packets at all. Please don't set this by default, but if
5167 you are used as a relay in a DoS attack, it may be useful.
5171 <Term>/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts [Useful]</Term>
5174 If you ping the broadcast address of a network, all hosts are supposed to
5175 respond. This makes for a dandy denial-of-service tool. Set this to 1 to
5176 ignore these broadcast messages.
5180 <Term>/proc/sys/net/ipv4/icmp_echoreply_rate</Term>
5183 The rate at which echo replies are sent to any one destination.
5187 <Term>/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses</Term>
5190 Set this to ignore ICMP errors caused by hosts in the network reacting badly
5191 to frames sent to what they perceive to be the broadcast address.
5195 <Term>/proc/sys/net/ipv4/icmp_paramprob_rate</Term>
5198 A relatively unknown ICMP message, which is sent in response to incorrect
5199 packets with broken IP or TCP headers. With this file you can control the
5200 rate at which it is sent.
5204 <Term>/proc/sys/net/ipv4/icmp_timeexceed_rate</Term>
5207 This the famous cause of the 'Solaris middle star' in traceroutes. Limits
5208 number of ICMP Time Exceeded messages sent.
5212 <Term>/proc/sys/net/ipv4/igmp_max_memberships</Term>
5215 Maximum number of listening igmp (multicast) sockets on the host.
5216 FIXME: Is this true?
5220 <Term>/proc/sys/net/ipv4/inet_peer_gc_maxtime</Term>
5223 FIXME: Add a little explanation about the inet peer storage?
5225 Minimum interval between garbage collection passes. This interval is in
5226 effect under low (or absent) memory pressure on the pool. Measured in
5231 <Term>/proc/sys/net/ipv4/inet_peer_gc_mintime</Term>
5234 Minimum interval between garbage collection passes. This interval is in
5235 effect under high memory pressure on the pool. Measured in jiffies.
5239 <Term>/proc/sys/net/ipv4/inet_peer_maxttl</Term>
5242 Maximum time-to-live of entries. Unused entries will expire after this
5243 period of time if there is no memory pressure on the pool (i.e. when the
5244 number of entries in the pool is very small). Measured in jiffies.
5248 <Term>/proc/sys/net/ipv4/inet_peer_minttl</Term>
5251 Minimum time-to-live of entries. Should be enough to cover fragment
5252 time-to-live on the reassembling side. This minimum time-to-live
5253 is guaranteed if the pool size is less than inet_peer_threshold.
5254 Measured in jiffies.
5258 <Term>/proc/sys/net/ipv4/inet_peer_threshold</Term>
5261 The approximate size of the INET peer storage. Starting from this threshold
5262 entries will be thrown aggressively. This threshold also determines
5263 entries' time-to-live and time intervals between garbage collection passes.
5264 More entries, less time-to-live, less GC interval.
5268 <Term>/proc/sys/net/ipv4/ip_autoconfig</Term>
5271 This file contains the number one if the host received its IP configuration by
5272 RARP, BOOTP, DHCP or a similar mechanism. Otherwise it is zero.
5276 <Term>/proc/sys/net/ipv4/ip_default_ttl</Term>
5279 Time To Live of packets. Set to a safe 64. Raise it if you have a huge
5280 network. Don't do so for fun - routing loops cause much more damage that
5281 way. You might even consider lowering it in some circumstances.
5285 <Term>/proc/sys/net/ipv4/ip_dynaddr</Term>
5288 You need to set this if you use dial-on-demand with a dynamic interface
5289 address. Once your demand interface comes up, any local TCP sockets which haven't seen replies will be rebound to have the right address. This solves the problem that the
5290 connection that brings up your interface itself does not work, but the
5295 <Term>/proc/sys/net/ipv4/ip_forward</Term>
5298 If the kernel should attempt to forward packets. Off by default.
5302 <Term>/proc/sys/net/ipv4/ip_local_port_range</Term>
5305 Range of local ports for outgoing connections. Actually quite small by
5306 default, 1024 to 4999.
5310 <Term>/proc/sys/net/ipv4/ip_no_pmtu_disc</Term>
5313 Set this if you want to disable Path MTU discovery - a technique to
5314 determine the largest Maximum Transfer Unit possible on your path. See also
5315 the section on Path MTU discovery in the
5316 <citetitle><xref linkend="lartc.cookbook"></citetitle> chapter.
5320 <Term>/proc/sys/net/ipv4/ipfrag_high_thresh</Term>
5323 Maximum memory used to reassemble IP fragments. When
5324 ipfrag_high_thresh bytes of memory is allocated for this purpose,
5325 the fragment handler will toss packets until ipfrag_low_thresh
5330 <Term>/proc/sys/net/ipv4/ip_nonlocal_bind</Term>
5333 Set this if you want your applications to be able to bind to an address
5334 which doesn't belong to a device on your system. This can be useful when
5335 your machine is on a non-permanent (or even dynamic) link, so your services
5336 are able to start up and bind to a specific address when your link is down.
5340 <Term>/proc/sys/net/ipv4/ipfrag_low_thresh</Term>
5343 Minimum memory used to reassemble IP fragments.
5347 <Term>/proc/sys/net/ipv4/ipfrag_time</Term>
5350 Time in seconds to keep an IP fragment in memory.
5354 <Term>/proc/sys/net/ipv4/tcp_abort_on_overflow</Term>
5357 A boolean flag controlling the behaviour under lots of incoming connections.
5358 When enabled, this causes the kernel to actively send RST packets when a
5359 service is overloaded.
5363 <Term>/proc/sys/net/ipv4/tcp_fin_timeout</Term>
5366 Time to hold socket in state FIN-WAIT-2, if it was closed by our side. Peer
5367 can be broken and never close its side, or even died unexpectedly. Default
5368 value is 60sec. Usual value used in 2.2 was 180 seconds, you may restore it,
5369 but remember that if your machine is even underloaded WEB server, you risk
5370 to overflow memory with kilotons of dead sockets, FIN-WAIT-2 sockets are
5371 less dangerous than FIN-WAIT-1, because they eat maximum 1.5K of memory, but
5372 they tend to live longer. Cf. tcp_max_orphans.
5376 <Term>/proc/sys/net/ipv4/tcp_keepalive_time</Term>
5379 How often TCP sends out keepalive messages when keepalive is enabled.
5385 <Term>/proc/sys/net/ipv4/tcp_keepalive_intvl</Term>
5388 How frequent probes are retransmitted, when a probe isn't acknowledged.
5390 Default: 75 seconds.
5394 <Term>/proc/sys/net/ipv4/tcp_keepalive_probes</Term>
5397 How many keepalive probes TCP will send, until it decides that the
5398 connection is broken.
5402 Multiplied with tcp_keepalive_intvl, this gives the time a link can be
5403 nonresponsive after a keepalive has been sent.
5407 <Term>/proc/sys/net/ipv4/tcp_max_orphans</Term>
5410 Maximal number of TCP sockets not attached to any user file handle, held by
5411 system. If this number is exceeded orphaned connections are reset
5412 immediately and warning is printed. This limit exists only to prevent simple
5413 DoS attacks, you _must_ not rely on this or lower the limit artificially,
5414 but rather increase it (probably, after increasing installed memory), if
5415 network conditions require more than default value, and tune network
5416 services to linger and kill such states more aggressively. Let me remind you
5417 again: each orphan eats up to 64K of unswappable memory.
5421 <Term>/proc/sys/net/ipv4/tcp_orphan_retries</Term>
5424 How may times to retry before killing TCP connection, closed by our side.
5425 Default value 7 corresponds to 50sec-16min depending on RTO. If your machine
5426 is a loaded WEB server, you should think about lowering this value, such
5427 sockets may consume significant resources. Cf. tcp_max_orphans.
5431 <Term>/proc/sys/net/ipv4/tcp_max_syn_backlog</Term>
5434 Maximal number of remembered connection requests, which still did not
5435 receive an acknowledgement from connecting client. Default value is 1024 for
5436 systems with more than 128Mb of memory, and 128 for low memory machines. If
5437 server suffers of overload, try to increase this number. Warning! If you
5438 make it greater than 1024, it would be better to change TCP_SYNQ_HSIZE in
5439 include/net/tcp.h to keep TCP_SYNQ_HSIZE*16<=tcp_max_syn_backlog and to
5444 <Term>/proc/sys/net/ipv4/tcp_max_tw_buckets</Term>
5447 Maximal number of timewait sockets held by system simultaneously. If this
5448 number is exceeded time-wait socket is immediately destroyed and warning is
5449 printed. This limit exists only to prevent simple DoS attacks, you _must_
5450 not lower the limit artificially, but rather increase it (probably, after
5451 increasing installed memory), if network conditions require more than
5456 <Term>/proc/sys/net/ipv4/tcp_retrans_collapse</Term>
5459 Bug-to-bug compatibility with some broken printers.
5460 On retransmit try to send bigger packets to work around bugs in
5465 <Term>/proc/sys/net/ipv4/tcp_retries1</Term>
5468 How many times to retry before deciding that something is wrong
5469 and it is necessary to report this suspection to network layer.
5470 Minimal RFC value is 3, it is default, which corresponds
5471 to 3sec-8min depending on RTO.
5475 <Term>/proc/sys/net/ipv4/tcp_retries2</Term>
5478 How may times to retry before killing alive TCP connection.
5480 URL="http://www.ietf.org/rfc/rfc1122.txt"
5483 says that the limit should be longer than 100 sec.
5484 It is too small number. Default value 15 corresponds to 13-30min
5489 <Term>/proc/sys/net/ipv4/tcp_rfc1337</Term>
5492 This boolean enables a fix for 'time-wait assassination hazards in tcp', described
5493 in RFC 1337. If enabled, this causes the kernel to drop RST packets for
5494 sockets in the time-wait state.
5500 <Term>/proc/sys/net/ipv4/tcp_sack</Term>
5503 Use Selective ACK which can be used to signify that specific packets are
5504 missing - therefore helping fast recovery.
5508 <Term>/proc/sys/net/ipv4/tcp_stdurg</Term>
5511 Use the Host requirements interpretation of the TCP urg pointer
5514 Most hosts use the older BSD interpretation, so if you turn this on
5515 Linux might not communicate correctly with them.
5521 <Term>/proc/sys/net/ipv4/tcp_syn_retries</Term>
5524 Number of SYN packets the kernel will send before giving up on the new
5529 <Term>/proc/sys/net/ipv4/tcp_synack_retries</Term>
5532 To open the other side of the connection, the kernel sends a SYN with a
5533 piggybacked ACK on it, to acknowledge the earlier received SYN. This is part
5534 2 of the threeway handshake. This setting determines the number of SYN+ACK
5535 packets sent before the kernel gives up on the connection.
5539 <Term>/proc/sys/net/ipv4/tcp_timestamps</Term>
5542 Timestamps are used, amongst other things, to protect against wrapping
5543 sequence numbers. A 1 gigabit link might conceivably re-encounter a previous
5544 sequence number with an out-of-line value, because it was of a previous
5545 generation. The timestamp will let it recognise this 'ancient packet'.
5549 <Term>/proc/sys/net/ipv4/tcp_tw_recycle</Term>
5552 Enable fast recycling TIME-WAIT sockets. Default value is 1.
5553 It should not be changed without advice/request of technical experts.
5557 <Term>/proc/sys/net/ipv4/tcp_window_scaling</Term>
5560 TCP/IP normally allows windows up to 65535 bytes big. For really fast
5561 networks, this may not be enough. The window scaling options allows for
5562 almost gigabyte windows, which is good for high bandwidth*delay products.
5571 <Title>Per device settings</Title>
5574 DEV can either stand for a real interface, or for 'all' or 'default'.
5575 Default also changes settings for interfaces yet to be created.
5579 <Term>/proc/sys/net/ipv4/conf/DEV/accept_redirects</Term>
5582 If a router decides that you are using it for a wrong purpose (ie, it needs
5583 to resend your packet on the same interface), it will send us a ICMP
5584 Redirect. This is a slight security risk however, so you may want to turn it
5585 off, or use secure redirects.
5589 <Term>/proc/sys/net/ipv4/conf/DEV/accept_source_route</Term>
5592 Not used very much anymore. You used to be able to give a packet a list of
5593 IP addresses it should visit on its way. Linux can be made to honor this IP
5598 <Term>/proc/sys/net/ipv4/conf/DEV/bootp_relay</Term>
5601 Accept packets with source address 0.b.c.d with destinations not to this host
5602 as local ones. It is supposed that a BOOTP relay daemon will catch and forward
5607 The default is 0, since this feature is not implemented yet (kernel version
5612 <Term>/proc/sys/net/ipv4/conf/DEV/forwarding</Term>
5615 Enable or disable IP forwarding on this interface.
5619 <Term>/proc/sys/net/ipv4/conf/DEV/log_martians</Term>
5623 <citetitle><xref linkend="lartc.kernel.rpf"></citetitle>.
5627 <Term>/proc/sys/net/ipv4/conf/DEV/mc_forwarding</Term>
5630 If we do multicast forwarding on this interface
5634 <Term>/proc/sys/net/ipv4/conf/DEV/proxy_arp</Term>
5637 If you set this to 1, this interface will respond to ARP requests for
5638 addresses the kernel has routes to. Can be very useful when building 'ip
5639 pseudo bridges'. Do take care that your netmasks are very correct before
5640 enabling this! Also be aware that the rp_filter, mentioned elsewhere, also
5641 operates on ARP queries!
5645 <Term>/proc/sys/net/ipv4/conf/DEV/rp_filter</Term>
5649 <citetitle><xref linkend="lartc.kernel.rpf"></citetitle>.
5653 <Term>/proc/sys/net/ipv4/conf/DEV/secure_redirects</Term>
5656 Accept ICMP redirect messages only for gateways, listed in default gateway
5657 list. Enabled by default.
5661 <Term>/proc/sys/net/ipv4/conf/DEV/send_redirects</Term>
5664 If we send the above mentioned redirects.
5668 <Term>/proc/sys/net/ipv4/conf/DEV/shared_media</Term>
5671 If it is not set the kernel does not assume that different subnets on this
5672 device can communicate directly. Default setting is 'yes'.
5676 <Term>/proc/sys/net/ipv4/conf/DEV/tag</Term>
5688 <Title>Neighbor policy</Title>
5691 Dev can either stand for a real interface, or for 'all' or 'default'.
5692 Default also changes settings for interfaces yet to be created.
5696 <Term>/proc/sys/net/ipv4/neigh/DEV/anycast_delay</Term>
5699 Maximum for random delay of answers to neighbor solicitation messages in
5700 jiffies (1/100 sec). Not yet implemented (Linux does not have anycast support
5705 <Term>/proc/sys/net/ipv4/neigh/DEV/app_solicit</Term>
5708 Determines the number of requests to send to the user level ARP daemon. Use 0
5713 <Term>/proc/sys/net/ipv4/neigh/DEV/base_reachable_time</Term>
5716 A base value used for computing the random reachable time value as specified
5721 <Term>/proc/sys/net/ipv4/neigh/DEV/delay_first_probe_time</Term>
5724 Delay for the first time probe if the neighbor is reachable. (see
5729 <Term>/proc/sys/net/ipv4/neigh/DEV/gc_stale_time</Term>
5732 Determines how often to check for stale ARP entries. After an ARP entry is
5733 stale it will be resolved again (which is useful when an IP address migrates
5734 to another machine). When ucast_solicit is greater than 0 it first tries to
5735 send an ARP packet directly to the known host When that fails and
5736 mcast_solicit is greater than 0, an ARP request is broadcasted.
5740 <Term>/proc/sys/net/ipv4/neigh/DEV/locktime</Term>
5743 An ARP/neighbor entry is only replaced with a new one if the old is at least
5744 locktime old. This prevents ARP cache thrashing.
5748 <Term>/proc/sys/net/ipv4/neigh/DEV/mcast_solicit</Term>
5751 Maximum number of retries for multicast solicitation.
5755 <Term>/proc/sys/net/ipv4/neigh/DEV/proxy_delay</Term>
5758 Maximum time (real time is random [0..proxytime]) before answering to an ARP
5759 request for which we have an proxy ARP entry. In some cases, this is used to
5760 prevent network flooding.
5764 <Term>/proc/sys/net/ipv4/neigh/DEV/proxy_qlen</Term>
5767 Maximum queue length of the delayed proxy arp timer. (see proxy_delay).
5771 <Term>/proc/sys/net/ipv4/neigh/DEV/retrans_time</Term>
5774 The time, expressed in jiffies (1/100 sec), between retransmitted Neighbor
5775 Solicitation messages. Used for address resolution and to determine if a
5776 neighbor is unreachable.
5780 <Term>/proc/sys/net/ipv4/neigh/DEV/ucast_solicit</Term>
5783 Maximum number of retries for unicast solicitation.
5787 <Term>/proc/sys/net/ipv4/neigh/DEV/unres_qlen</Term>
5790 Maximum queue length for a pending arp request - the number of packets which
5791 are accepted from other layers while the ARP address is still resolved.
5795 <Term>Internet QoS: Architectures and Mechanisms for Quality of Service,
5796 Zheng Wang, ISBN 1-55860-608-4</Term>
5799 Hardcover textbook covering topics
5800 related to Quality of Service. Good for understanding basic concepts.
5809 <Title>Routing settings</Title>
5815 <Term>/proc/sys/net/ipv4/route/error_burst</Term>
5818 These parameters are used to limit the warning messages written to the kernel
5819 log from the routing code. The higher the error_cost factor is, the fewer
5820 messages will be written. Error_burst controls when messages will be dropped.
5821 The default settings limit warning messages to one every five seconds.
5825 <Term>/proc/sys/net/ipv4/route/error_cost</Term>
5828 These parameters are used to limit the warning messages written to the kernel
5829 log from the routing code. The higher the error_cost factor is, the fewer
5830 messages will be written. Error_burst controls when messages will be dropped.
5831 The default settings limit warning messages to one every five seconds.
5835 <Term>/proc/sys/net/ipv4/route/flush</Term>
5838 Writing to this file results in a flush of the routing cache.
5842 <Term>/proc/sys/net/ipv4/route/gc_elasticity</Term>
5845 Values to control the frequency and behavior of the garbage collection
5846 algorithm for the routing cache. This can be important for when doing
5847 failover. At least gc_timeout seconds will elapse before Linux will skip
5848 to another route because the previous one has died. By default set to 300,
5849 you may want to lower it if you want to have a speedy failover.
5854 URL="http://mailman.ds9a.nl/pipermail/lartc/2002q1/002667.html"
5856 > by Ard van Breemen.
5860 <Term>/proc/sys/net/ipv4/route/gc_interval</Term>
5863 See /proc/sys/net/ipv4/route/gc_elasticity.
5867 <Term>/proc/sys/net/ipv4/route/gc_min_interval</Term>
5870 See /proc/sys/net/ipv4/route/gc_elasticity.
5874 <Term>/proc/sys/net/ipv4/route/gc_thresh</Term>
5877 See /proc/sys/net/ipv4/route/gc_elasticity.
5881 <Term>/proc/sys/net/ipv4/route/gc_timeout</Term>
5884 See /proc/sys/net/ipv4/route/gc_elasticity.
5888 <Term>/proc/sys/net/ipv4/route/max_delay</Term>
5891 Delays for flushing the routing cache.
5895 <Term>/proc/sys/net/ipv4/route/max_size</Term>
5898 Maximum size of the routing cache. Old entries will be purged once the cache
5899 reached has this size.
5903 <Term>/proc/sys/net/ipv4/route/min_adv_mss</Term>
5910 <Term>/proc/sys/net/ipv4/route/min_delay</Term>
5913 Delays for flushing the routing cache.
5917 <Term>/proc/sys/net/ipv4/route/min_pmtu</Term>
5924 <Term>/proc/sys/net/ipv4/route/mtu_expires</Term>
5931 <Term>/proc/sys/net/ipv4/route/redirect_load</Term>
5934 Factors which determine if more ICPM redirects should be sent to a specific
5935 host. No redirects will be sent once the load limit or the maximum number of
5936 redirects has been reached.
5940 <Term>/proc/sys/net/ipv4/route/redirect_number</Term>
5943 See /proc/sys/net/ipv4/route/redirect_load.
5947 <Term>/proc/sys/net/ipv4/route/redirect_silence</Term>
5950 Timeout for redirects. After this period redirects will be sent again, even if
5951 this has been stopped, because the load or number limit has been reached.
5963 <chapter id="lartc.adv-qdisc">
5964 <Title>Advanced & less common queueing disciplines</Title>
5967 Should you find that you have needs not addressed by the queues mentioned
5968 earlier, the kernel contains some other more specialized queues mentioned here.
5971 <Sect1 id="lartc.adv-qdisc.bfifo-pfifo">
5972 <Title><literal>bfifo</literal>/<literal>pfifo</literal></Title>
5975 These classless queues are even simpler than pfifo_fast in that they lack
5976 the internal bands - all traffic is really equal. They have one important
5977 benefit though, they have some statistics. So even if you don't need shaping
5978 or prioritizing, you can use this qdisc to determine the backlog on your
5983 pfifo has a length measured in packets, bfifo in bytes.
5987 <Title>Parameters & usage</Title>
5996 Specifies the length of the queue. Measured in bytes for bfifo, in packets
5997 for pfifo. Defaults to the interface txqueuelen (see pfifo_fast chapter)
5998 packets long or txqueuelen*mtu bytes for bfifo.
6008 <Sect1 id="lartc.adv-qdisc.csz">
6009 <Title>Clark-Shenker-Zhang algorithm (CSZ)</Title>
6012 This is so theoretical that not even Alexey (the main CBQ author) claims to
6013 understand it. From his source:
6018 David D. Clark, Scott Shenker and Lixia Zhang
6019 <citetitle>Supporting Real-Time Applications in an Integrated Services Packet
6020 Network: Architecture and Mechanism</citetitle>.
6024 As I understand it, the main idea is to create WFQ flows for each guaranteed
6025 service and to allocate the rest of bandwith to dummy flow-0. Flow-0
6026 comprises the predictive services and the best effort traffic; it is handled
6027 by a priority scheduler with the highest priority band allocated for
6028 predictive services, and the rest --- to the best effort packets.
6032 Note that in CSZ flows are NOT limited to their bandwidth. It is supposed
6033 that the flow passed admission control at the edge of the QoS network and it
6034 doesn't need further shaping. Any attempt to improve the flow or to shape it
6035 to a token bucket at intermediate hops will introduce undesired delays and
6040 At the moment CSZ is the only scheduler that provides true guaranteed
6041 service. Another schemes (including CBQ) do not provide guaranteed delay and
6046 Does not currently seem like a good canidate to use, unless you've read and
6047 understand the article mentioned.
6053 <Sect1 id="lartc.adv-qdisc.dsmark"
6055 <Title>DSMARK</Title>
6059 <author><firstname>Esteve</firstname><surname>Camps</surname></author>
6060 <address><email>marvin@grn.es</email></address>
6061 This text is an extract from my thesis on
6062 <citetitle>QoS Support in Linux</citetitle>, September 2000.
6066 <Para>Source documents:
6072 <ULink URL="ftp://icaftp.epfl.ch/pub/linux/diffserv/misc/dsid-01.txt.gz">
6073 Draft-almesberger-wajhak-diffserv-linux-01.txt</ULink>.
6077 <Para>Examples in iproute2 distribution.
6082 <ULink URL="http://www.qosforum.com/white-papers/qosprot_v3.pdf">
6083 White Paper-QoS protocols and architectures</ULink> and
6084 <ULink URL="http://www.qosforum.com/docs/faq">
6085 IP QoS Frequently Asked Questions</ULink> both by
6086 <citetitle>Quality of Service Forum</citetitle>.
6092 This chapter was written by Esteve Camps <esteve@hades.udg.es>.
6096 <Title>Introduction</Title>
6099 First of all, first of all, it would be a great idea for you to read RFCs
6100 written about this (RFC2474, RFC2475, RFC2597 and RFC2598) at
6101 <ULink URL="http://www.ietf.org/html.charters/diffserv-charter.html">
6102 IETF DiffServ working Group web site</ULink> and
6103 <ULink URL="http://diffserv.sf.net/">
6104 Werner Almesberger web site</ULink>
6105 (he wrote the code to support Differentiated Services on Linux).
6111 <Title>What is Dsmark related to?</Title>
6114 Dsmark is a queueing discipline that offers the capabilities needed in
6115 Differentiated Services (also called DiffServ or, simply, DS). DiffServ is
6116 one of two actual QoS architectures (the other one is called Integrated
6117 Services) that is based on a value carried by packets in the DS field of the
6122 One of the first solutions in IP designed to offer some QoS level was
6123 the Type of Service field (TOS byte) in IP header. By changing that value,
6124 we could choose a high/low level of throughput, delay or reliability.
6125 But this didn't provide sufficient flexibility to the needs of new
6126 services (such as real-time applications, interactive applications and
6127 others). After this, new architectures appeared. One of these was DiffServ
6128 which kept TOS bits and renamed DS field.
6134 <Title>Differentiated Services guidelines</Title>
6137 Differentiated Services is group-oriented. I mean, we don't know anything
6138 about flows (this will be the Integrated Services purpose); we know about
6139 flow aggregations and we will apply different behaviours depending on which
6140 aggregation a packet belongs to.
6144 When a packet arrives to an edge node (entry node to a DiffServ domain)
6145 entering to a DiffServ Domain we'll have to policy, shape and/or mark those
6146 packets (marking refers to assigning a value to the DS field. It's just like the
6147 cows :-) ). This will be the mark/value that the internal/core nodes on our
6148 DiffServ Domain will look at to determine which behaviour or QoS level
6153 As you can deduce, Differentiated Services involves a domain on which
6154 all DS rules will have to be applied. In fact you can think I
6155 will classify all the packets entering my domain. Once they enter my
6156 domain they will be subjected to the rules that my classification dictates
6157 and every traversed node will apply that QoS level.
6161 In fact, you can apply your own policies into your local domains, but some
6162 <Emphasis>Service Level Agreements</Emphasis> should be considered when connecting to
6167 At this point, you maybe have a lot of questions. DiffServ is more than I've
6168 explained. In fact, you can understand that I can not resume more than 3
6169 RFC's in just 50 lines :-).
6175 <Title>Working with Dsmark</Title>
6178 As the DiffServ bibliography specifies, we differentiate boundary nodes and
6179 interior nodes. These are two important points in the traffic path. Both
6180 types perform a classification when the packets arrive. Its result may be
6181 used in different places along the DS process before the packet is released
6182 to the network. It's just because of this that the diffserv code supplies an
6183 structure called sk_buff, including a new field called skb->tc_index
6184 where we'll store the result of initial classification that may be used in
6185 several points in DS treatment.
6189 The skb->tc_index value will be initially set by the DSMARK qdisc,
6190 retrieving it from the DS field in IP header of every received packet.
6191 Besides, cls_tcindex classifier will read all or part of skb->tcindex
6192 value and use it to select classes.
6196 But, first of all, take a look at DSMARK qdisc command and its parameters:
6199 ... dsmark indices INDICES [ default_index DEFAULT_INDEX ] [ set_tc_index ]
6202 What do these parameters mean?
6208 <Emphasis remap="bf">indices</Emphasis>: size of table of (mask,value) pairs. Maximum value is 2ˆn, where n>=0.
6214 <Emphasis remap="bf">Default_index</Emphasis>: the default table entry index if classifier finds no match.
6220 <Emphasis remap="bf">Set_tc_index</Emphasis>: instructs dsmark discipline to retrieve the DS field and store it onto skb->tc_index.
6226 Let's see the DSMARK process.
6232 <Title>How SCH_DSMARK works.</Title>
6235 This qdisc will apply the next steps:
6241 If we have declared set_tc_index option in qdisc command, DS field is retrieved and stored onto
6242 skb->tc_index variable.
6248 Classifier is invoked. The classifier will be executed and it will return a class ID that will be stored in
6249 skb->tc_index variable.If no filter matches are found, we consider the default_index option to be the
6250 classId to store. If neither set_tc_index nor default_index has been declared results may be
6257 After been sent to internal qdisc's where you can reuse the result of the filter, the classid returned by
6258 the internal qdisc is stored into skb->tc_index. We will use this value in the future to index a mask-
6259 value table. The final result to assign to the packet will be that resulting from next operation:
6262 New_Ds_field = ( Old_DS_field & mask ) | value
6271 Thus, new value will result from "anding" ds_field and mask values and next, this result "ORed" with
6272 value parameter. See next diagram to understand all this process:
6281 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >
6283 | -- If you declare set_tc_index, we set DS | | <-----May change
6284 | value into skb->tc_index variable | |O DS field
6286 +-|-+ +------+ +---+-+ Internal +-+ +---N|-----|----+
6287 | | | | tc |--->| | |--> . . . -->| | | D| | |
6288 | | |----->|index |--->| | | Qdisc | |---->| v | |
6289 | | | |filter|--->| | | +---------------+ | ---->(mask,value) |
6290 -->| O | +------+ +-|-+--------------^----+ / | (. , .) |
6291 | | | ^ | | | | (. , .) |
6292 | | +----------|---------|----------------|-------|--+ (. , .) |
6293 | | sch_dsmark | | | | |
6294 +-|------------|---------|----------------|-------|------------------+
6295 | | | <- tc_index -> | |
6296 | |(read) | may change | | <--------------Index to the
6297 | | | | | (mask,value)
6298 v | v v | pairs table
6299 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->
6306 How to do marking? Just change the mask and value of the class you want to remark. See next line of code:
6309 tc class change dev eth0 classid 1:1 dsmark mask 0x3 value 0xb8
6312 This changes the (mask,value) pair in hash table, to remark packets belonging to class 1:1.You have to "change" this values
6313 because of default values that (mask,value) gets initially (see table below).
6317 Now, we'll explain how TC_INDEX filter works and how fits into this. Besides, TCINDEX filter can be
6318 used in other configurations rather than those including DS services.
6324 <Title>TC_INDEX Filter</Title>
6327 This is the basic command to declare a TC_INDEX filter:
6330 ... tcindex [ hash SIZE ] [ mask MASK ] [ shift SHIFT ]
6331 [ pass_on | fall_through ]
6332 [ classid CLASSID ] [ police POLICE_SPEC ]
6335 Next, we show the example used to explain TC_INDEX operation mode. Pay attention to bolded words:
6338 tc qdisc add dev eth0 handle 1:0 root dsmark indices 64 <Emphasis remap="bf">set_tc_index</Emphasis>
6340 tc filter add dev eth0 parent 1:0 protocol ip prio 1 tcindex <Emphasis remap="bf">mask 0xfc shift 2</Emphasis>
6342 tc qdisc add dev eth0 parent 1:0 handle 2:0 cbq bandwidth 10Mbit cell 8 avpkt 1000 mpu 64
6344 # EF traffic class
6346 tc class add dev eth0 parent 2:0 classid 2:1 cbq bandwidth 10Mbit rate 1500Kbit avpkt 1000 prio 1 bounded isolated allot 1514 weight 1 maxburst 10
6348 # Packet fifo qdisc for EF traffic
6350 tc qdisc add dev eth0 parent 2:1 pfifo limit 5
6352 tc filter add dev eth0 parent 2:0 protocol ip prio 1 <Emphasis remap="bf">handle 0x2e</Emphasis> tcindex <Emphasis remap="bf">classid 2:1 pass_on</Emphasis>
6356 (This code is not complete. It's just an extract from EFCBQ example included in iproute2 distribution).
6360 First of all, suppose we receive a packet marked as EF . If you read RFC2598, you'll see that DSCP
6361 recommended value for EF traffic is 101110. This means that DS field will be 10111000 (remember that
6362 less signifiant bits in TOS byte are not used in DS) or 0xb8 in hexadecimal codification.
6370 +---+ +-------+ +---+-+ +------+ +-+ +-------+
6371 | | | | | | | |FILTER| +-+ +-+ | | | |
6372 | |----->| MASK | -> | | | -> |HANDLE|->| | | | -> | | -> | |
6373 | | . | =0xfc | | | | |0x2E | | +----+ | | | | |
6374 | | . | | | | | +------+ +--------+ | | | |
6375 | | . | | | | | | | | |
6376 -->| | . | SHIFT | | | | | | | |-->
6377 | | . | =2 | | | +----------------------------+ | | |
6378 | | | | | | CBQ 2:0 | | |
6379 | | +-------+ +---+--------------------------------+ | |
6381 | +-------------------------------------------------------------+ |
6383 +-------------------------------------------------------------------------+
6390 The packet arrives, then, set with 0xb8 value at DS field. As we explained before, dsmark qdisc identified
6391 by 1:0 id in the example, retrieves DS field and store it in skb->tc_index variable.
6392 Next step in the example will correspond to the filter associated to this qdisc (second line in the example).
6393 This will perform next operations:
6396 Value1 = skb->tc_index & MASK
6397 Key = Value1 >> SHIFT
6403 In the example, MASK=0xFC i SHIFT=2.
6406 Value1 = 10111000 & 11111100 = 10111000
6407 Key = 10111000 >> 2 = 00101110 -> 0x2E in hexadecimal
6413 The returned value will correspond to a qdisc interal filter handle (in the example, identifier 2:0). If a
6414 filter with this id exists, policing and metering conditions will be verified (in case that filter includes this)
6415 and the classid will be returned (in our example, classid 2:1) and stored in skb->tc_index variable.
6419 But if any filter with that identifier is found, the result will depend on fall_through flag declaration. If so,
6420 value key is returned as classid. If not, an error is returned and process continues with the rest filters. Be
6421 careful if you use fall_through flag; this can be done if a simple relation exists between values
6423 of skb->tc_index variable and class id's.
6427 The latest parameters to comment on are hash and pass_on. The first one
6428 relates to hash table size. Pass_on will be used to indicate that if no classid
6429 equal to the result of this filter is found, try next filter.
6430 The default action is fall_through (look at next table).
6434 Finally, let's see which possible values can be set to all this TCINDEX parameters:
6437 TC Name Value Default
6438 -----------------------------------------------------------------
6439 Hash 1...0x10000 Implementation dependent
6440 Mask 0...0xffff 0xffff
6442 Fall through / Pass_on Flag Fall_through
6443 Classid Major:minor None
6450 This kind of filter is very powerful. It's necessary to explore all possibilities. Besides, this filter is not only used in DiffServ configurations.
6451 You can use it as any other kind of filter.
6455 I recommend you to look at all DiffServ examples included in iproute2 distribution. I promise I will try to
6456 complement this text as soon as I can. Besides, all I have explained is the result of a lot of tests.
6457 I would thank you tell me if I'm wrong in any point.
6464 <Sect1 id="lartc.adv-qdisc.ingress">
6465 <Title>Ingress qdisc</Title>
6468 All qdiscs discussed so far are egress qdiscs. Each interface however can
6469 also have an ingress qdisc which is not used to send packets
6470 out to the network adaptor. Instead, it allows you to apply tc filters to
6471 packets coming in over the interface, regardless of whether they have a local
6472 destination or are to be forwarded.
6476 As the tc filters contain a full Token Bucket Filter implementation, and are
6477 also able to match on the kernel flow estimator, there is a lot of
6478 functionality available. This effectively allows you to police incoming
6479 traffic, before it even enters the IP stack.
6483 <Title>Parameters & usage</Title>
6486 The ingress qdisc itself does not require any parameters. It differs from
6487 other qdiscs in that it does not occupy the root of a device. Attach it like
6491 # tc qdisc add dev eth0 ingress
6494 This allows you to have other, sending, qdiscs on your device besides the
6499 For a contrived example how the ingress qdisc could be used, see the
6507 <Sect1 id="lartc.adv-qdisc.red">
6508 <Title>Random Early Detection (RED)</Title>
6511 This section is meant as an introduction to backbone routing, which often
6512 involves <100 megabit bandwidths, which requires a different approach than
6513 your ADSL modem at home.
6517 The normal behaviour of router queues on the Internet is called tail-drop.
6518 Tail-drop works by queueing up to a certain amount, then dropping all traffic
6519 that 'spills over'. This is very unfair, and also leads to retransmit
6520 synchronisation. When retransmit synchronisation occurs, the sudden burst
6521 of drops from a router that has reached its fill will cause a delayed burst
6522 of retransmits, which will over fill the congested router again.
6526 In order to cope with transient congestion on links, backbone routers will
6527 often implement large queues. Unfortunately, while these queues are good for
6528 throughput, they can substantially increase latency and cause TCP
6529 connections to behave very bursty during congestion.
6533 These issues with tail-drop are becoming increasingly troublesome on the
6534 Internet because the use of network unfriendly applications is increasing.
6535 The Linux kernel offers us RED, short for Random Early Detect, also called
6536 Random Early Drop, as that is how it works.
6540 RED isn't a cure-all for this, applications which inappropriately fail to
6541 implement exponential backoff still get an unfair share of the bandwidth,
6542 however, with RED they do not cause as much harm to the throughput and
6543 latency of other connections.
6547 RED statistically drops packets from flows before it reaches its hard
6548 limit. This causes a congested backbone link to slow more gracefully, and
6549 prevents retransmit synchronisation. This also helps TCP find its 'fair'
6550 speed faster by allowing some packets to get dropped sooner keeping queue
6551 sizes low and latency under control. The probability of a packet being
6552 dropped from a particular connection is proportional to its bandwidth usage
6553 rather than the number of packets it transmits.
6557 RED is a good queue for backbones, where you can't afford the
6558 complexity of per-session state tracking needed by fairness queueing.
6562 In order to use RED, you must decide on three parameters: Min, Max, and
6563 burst. Min sets the minimum queue size in bytes before dropping will begin,
6564 Max is a soft maximum that the algorithm will attempt to stay under, and
6565 burst sets the maximum number of packets that can 'burst through'.
6569 You should set the min by calculating that highest acceptable base queueing
6570 latency you wish, and multiply it by your bandwidth. For instance, on my
6571 64kbit/s ISDN link, I might want a base queueing latency of 200ms so I set
6572 min to 1600 bytes. Setting min too small will degrade throughput and too
6573 large will degrade latency. Setting a small min is not a replacement for
6574 reducing the MTU on a slow link to improve interactive response.
6578 You should make max at least twice min to prevent synchronisation. On slow
6579 links with small min's it might be wise to make max perhaps four or
6580 more times large then min.
6584 Burst controls how the RED algorithm responds to bursts. Burst must be set
6585 larger then min/avpkt. Experimentally, I've found (min+min+max)/(3*avpkt) to
6590 Additionally, you need to set limit and avpkt. Limit is a safety value, after
6591 there are limit bytes in the queue, RED 'turns into' tail-drop. I typical set
6592 limit to eight times max. Avpkt should be your average packet size. 1000
6593 works okay on high speed Internet links with a 1500byte MTU.
6598 URL="http://www.aciri.org/floyd/papers/red/red.html"
6599 >the paper on RED queueing</ULink
6600 > by Sally Floyd and Van Jacobson for technical
6606 <Sect1 id="lartc.adv-qdisc.gred">
6607 <Title>Generic Random Early Detection</Title>
6610 Not a lot is known about GRED. It looks like GRED with several internal
6611 queues, whereby the internal queue is chosen based on the Diffserv tcindex
6612 field. According to a slide found
6613 <ULink URL="http://www.davin.ottawa.on.ca/ols/img22.htm">here</ULink>,
6614 it contains the capabilities of Cisco's 'Distributed Weighted RED', as well
6615 as Dave Clark's RIO.
6619 Each virtual queue can have its own Drop Parameters specified.
6623 FIXME: get Jamal or Werner to tell us more
6628 <Sect1 id="lartc.adv-qdisc.vc-atm">
6629 <Title>VC/ATM emulation</Title>
6632 This is quite a major effort by Werner Almesberger to allow you to build
6633 Virtual Circuits over TCP/IP sockets. A Virtual Circuit is a concept from
6638 For more information, see the <ULink
6639 URL="http://linux-atm.sourceforge.net/"
6640 >ATM on Linux homepage</ULink
6646 <Sect1 id="lartc.adv-qdisc.wrr">
6647 <Title>Weighted Round Robin (WRR)</Title>
6650 This qdisc is not included in the standard kernels but can be downloaded from
6652 URL="http://wipl-wrr.dkik.dk/wrr/"
6655 Currently the qdisc is only tested with Linux 2.2 kernels but it will
6656 probably work with 2.4/2.5 kernels too.
6660 The WRR qdisc distributes bandwidth between its classes using the weighted
6661 round robin scheme. That is, like the CBQ qdisc it contains classes
6662 into which arbitrary qdiscs can be plugged. All classes which have sufficient
6663 demand will get bandwidth proportional to the weights associated with the classes.
6664 The weights can be set manually using the <Literal remap="tt">tc</Literal> program. But they
6665 can also be made automatically decreasing for classes transferring much data.
6669 The qdisc has a built-in classifier which assigns packets coming from or
6670 sent to different machines to different classes. Either the MAC or IP and
6671 either source or destination addresses can be used. The MAC address can only
6672 be used when the Linux box is acting as an ethernet bridge, however. The
6673 classes are automatically assigned to machines based on the packets seen.
6677 The qdisc can be very useful at sites such as dorms where a lot of unrelated
6678 individuals share an Internet connection. A set of scripts setting up a
6679 relevant behavior for such a site is a central part of the WRR distribution.
6686 <chapter id="lartc.cookbook"
6687 xreflabel="Cookbook">
6688 <Title>Cookbook</Title>
6691 This section contains 'cookbook' entries which may help you solve problems.
6692 A cookbook is no replacement for understanding however, so try and comprehend
6696 <Sect1 id="lartc.cookbook.sla">
6697 <Title>Running multiple sites with different SLAs</Title>
6700 You can do this in several ways. Apache has some support for this with a
6701 module, but we'll show how Linux can do this for you, and do so for other
6702 services as well. These commands are stolen from a presentation by Jamal
6703 Hadi that's referenced below.
6707 Let's say we have two customers, with http, ftp and streaming audio, and we
6708 want to sell them a limited amount of bandwidth. We do so on the server itself.
6712 Customer A should have at most 2 megabits, customer B has paid for 5
6713 megabits. We separate our customers by creating virtual IP addresses on our
6720 # ip address add 188.177.166.1 dev eth0
6721 # ip address add 188.177.166.2 dev eth0
6727 It is up to you to attach the different servers to the right IP address. All
6728 popular daemons have support for this.
6732 We first attach a CBQ qdisc to eth0:
6735 # tc qdisc add dev eth0 root handle 1: cbq bandwidth 10Mbit cell 8 avpkt 1000 \
6742 We then create classes for our customers:
6748 # tc class add dev eth0 parent 1:0 classid 1:1 cbq bandwidth 10Mbit rate \
6749 2MBit avpkt 1000 prio 5 bounded isolated allot 1514 weight 1 maxburst 21
6750 # tc class add dev eth0 parent 1:0 classid 1:2 cbq bandwidth 10Mbit rate \
6751 5Mbit avpkt 1000 prio 5 bounded isolated allot 1514 weight 1 maxburst 21
6757 Then we add filters for our two classes:
6760 ##FIXME: Why this line, what does it do?, what is a divisor?:
6761 ##FIXME: A divisor has something to do with a hash table, and the number of
6763 # tc filter add dev eth0 parent 1:0 protocol ip prio 5 handle 1: u32 divisor 1
6764 # tc filter add dev eth0 parent 1:0 prio 5 u32 match ip src 188.177.166.1
6766 # tc filter add dev eth0 parent 1:0 prio 5 u32 match ip src 188.177.166.2
6777 FIXME: why no token bucket filter? is there a default pfifo_fast fallback
6783 <Sect1 id="lartc.cookbook.synflood-protect"
6784 xreflabel="Protecting your host from SYN floods">
6785 <Title>Protecting your host from SYN floods</Title>
6788 From Alexey's iproute documentation, adapted to netfilter and with more
6789 plausible paths. If you use this, take care to adjust the numbers to
6790 reasonable values for your system.
6794 If you want to protect an entire network, skip this script, which is best
6795 suited for a single host.
6799 It appears that you need the very latest version of the iproute2 tools to
6800 get this to work with 2.4.0.
6808 # sample script on using the ingress capabilities
6809 # this script shows how one can rate limit incoming SYNs
6810 # Useful for TCP-SYN attack protection. You can use
6811 # IPchains to have more powerful additions to the SYN (eg
6812 # in addition the subnet)
6814 #path to various utilities;
6815 #change to reflect yours.
6819 IPTABLES=/sbin/iptables
6822 # tag all incoming SYN packets through $INDEV as mark value 1
6823 ############################################################
6824 $iptables -A PREROUTING -i $INDEV -t mangle -p tcp --syn \
6825 -j MARK --set-mark 1
6826 ############################################################
6828 # install the ingress qdisc on the ingress interface
6829 ############################################################
6830 $TC qdisc add dev $INDEV handle ffff: ingress
6831 ############################################################
6835 # SYN packets are 40 bytes (320 bits) so three SYNs equals
6836 # 960 bits (approximately 1kbit); so we rate limit below
6837 # the incoming SYNs to 3/sec (not very useful really; but
6838 #serves to show the point - JHS
6839 ############################################################
6840 $TC filter add dev $INDEV parent ffff: protocol ip prio 50 handle 1 fw \
6841 police rate 1kbit burst 40 mtu 9k drop flowid :1
6842 ############################################################
6846 echo "---- qdisc parameters Ingress ----------"
6847 $TC qdisc ls dev $INDEV
6848 echo "---- Class parameters Ingress ----------"
6849 $TC class ls dev $INDEV
6850 echo "---- filter parameters Ingress ----------"
6851 $TC filter ls dev $INDEV parent ffff:
6853 #deleting the ingress qdisc
6854 #$TC qdisc del $INDEV ingress
6861 <Sect1 id="lartc.cookbook.icmp-ratelimit">
6862 <Title>Ratelimit ICMP to prevent dDoS</Title>
6865 Recently, distributed denial of service attacks have become a major nuisance
6866 on the Internet. By properly filtering and ratelimiting your network, you can
6867 both prevent becoming a casualty or the cause of these attacks.
6871 You should filter your networks so that you do not allow non-local IP source
6872 addressed packets to leave your network. This stops people from anonymously
6873 sending junk to the Internet.
6877 Rate limiting goes much as shown earlier. To refresh your memory, our
6884 [The Internet] ---<E3, T3, whatever>--- [Linux router] --- [Office+ISP]
6891 We first set up the prerequisite parts:
6897 # tc qdisc add dev eth0 root handle 10: cbq bandwidth 10Mbit avpkt 1000
6898 # tc class add dev eth0 parent 10:0 classid 10:1 cbq bandwidth 10Mbit rate \
6899 10Mbit allot 1514 prio 5 maxburst 20 avpkt 1000
6905 If you have 100Mbit, or more, interfaces, adjust these numbers. Now you need
6906 to determine how much ICMP traffic you want to allow. You can perform
6907 measurements with tcpdump, by having it write to a file for a while, and
6908 seeing how much ICMP passes your network. Do not forget to raise the
6913 If measurement is impractical, you might want to choose 5% of your available
6914 bandwidth. Let's set up our class:
6917 # tc class add dev eth0 parent 10:1 classid 10:100 cbq bandwidth 10Mbit rate \
6918 100Kbit allot 1514 weight 800Kbit prio 5 maxburst 20 avpkt 250 \
6925 This limits at 100Kbit. Now we need a filter to assign ICMP traffic to this
6929 # tc filter add dev eth0 parent 10:0 protocol ip prio 100 u32 match ip
6930 protocol 1 0xFF flowid 10:100
6938 <Sect1 id="lartc.cookbook.interactive-prio">
6939 <Title>Prioritizing interactive traffic</Title>
6942 If lots of data is coming down your link, or going up for that matter, and
6943 you are trying to do some maintenance via telnet or ssh, this may not go too
6944 well. Other packets are blocking your keystrokes. Wouldn't it be great if
6945 there were a way for your interactive packets to sneak past the bulk
6946 traffic? Linux can do this for you!
6950 As before, we need to handle traffic going both ways. Evidently, this works
6951 best if there are Linux boxes on both ends of your link, although other
6952 UNIX's are able to do this. Consult your local Solaris/BSD guru for this.
6956 The standard pfifo_fast scheduler has 3 different 'bands'. Traffic in band 0
6957 is transmitted first, after which traffic in band 1 and 2 gets considered.
6958 It is vital that our interactive traffic be in band 0!
6962 We blatantly adapt from the (soon to be obsolete) ipchains HOWTO:
6966 There are four seldom-used bits in the IP header, called the Type of Service
6967 (TOS) bits. They effect the way packets are treated; the four bits are
6968 "Minimum Delay", "Maximum Throughput", "Maximum Reliability" and "Minimum
6969 Cost". Only one of these bits is allowed to be set. Rob van Nieuwkerk, the
6970 author of the ipchains TOS-mangling code, puts it as follows:
6976 Especially the "Minimum Delay" is important for me. I switch it on for
6977 "interactive" packets in my upstream (Linux) router. I'm
6978 behind a 33k6 modem link. Linux prioritizes packets in 3 queues. This
6979 way I get acceptable interactive performance while doing bulk
6980 downloads at the same time.
6986 The most common use is to set telnet & ftp control connections to "Minimum
6987 Delay" and FTP data to "Maximum Throughput". This would be
6988 done as follows, on your upstream router:
6994 # iptables -A PREROUTING -t mangle -p tcp --sport telnet \
6995 -j TOS --set-tos Minimize-Delay
6996 # iptables -A PREROUTING -t mangle -p tcp --sport ftp \
6997 -j TOS --set-tos Minimize-Delay
6998 # iptables -A PREROUTING -t mangle -p tcp --sport ftp-data \
6999 -j TOS --set-tos Maximize-Throughput
7005 Now, this only works for data going from your telnet foreign host to your
7006 local computer. The other way around appears to be done for you, ie, telnet,
7007 ssh & friends all set the TOS field on outgoing packets automatically.
7011 Should you have an application that does not do this, you can always do it
7012 with netfilter. On your local box:
7018 # iptables -A OUTPUT -t mangle -p tcp --dport telnet \
7019 -j TOS --set-tos Minimize-Delay
7020 # iptables -A OUTPUT -t mangle -p tcp --dport ftp \
7021 -j TOS --set-tos Minimize-Delay
7022 # iptables -A OUTPUT -t mangle -p tcp --dport ftp-data \
7023 -j TOS --set-tos Maximize-Throughput
7030 <Sect1 id="lartc.cookbook.squid">
7031 <Title>Transparent web-caching using <application>netfilter</application>,
7032 <application>iproute2</application>, <application>ipchains</application> and
7033 <application>squid</application></Title>
7036 This section was sent in by reader Ram Narula from Internet for Education
7041 The regular technique in accomplishing this in Linux
7042 is probably with use of ipchains AFTER making sure
7043 that the "outgoing" port 80(web) traffic gets routed through
7044 the server running squid.
7048 There are 3 common methods to make sure "outgoing"
7049 port 80 traffic gets routed to the server running squid
7050 and 4th one is being introduced here.
7057 <Term>Making the gateway router do it.</Term>
7060 If you can tell your gateway router to
7061 match packets that has outgoing destination port
7062 of 80 to be sent to the IP address of squid server.
7070 This would put additional load on the router and
7071 some commercial routers might not even support this.
7075 <Term>Using a Layer 4 switch.</Term>
7078 Layer 4 switches can handle this without any problem.
7086 The cost for this equipment is usually very high. Typical
7087 layer 4 switch would normally cost more than
7088 a typical router+good linux server.
7092 <Term>Using cache server as network's gateway.</Term>
7095 You can force ALL traffic through cache server.
7103 This is quite risky because Squid does
7104 utilize lots of cpu power which might
7105 result in slower over-all network performance
7106 or the server itself might crash and no one on the
7107 network will be able to access the Internet if
7112 <Term>Linux+NetFilter router.</Term>
7115 By using NetFilter another technique can be implemented
7116 which is using NetFilter for "mark"ing the packets
7117 with destination port 80 and using iproute2 to
7118 route the "mark"ed packets to the Squid server.
7129 10.0.0.1 naret (NetFilter server)
7130 10.0.0.2 silom (Squid server)
7131 10.0.0.3 donmuang (Router connected to the Internet)
7132 10.0.0.4 kaosarn (other server on network)
7134 10.0.0.0/24 main network
7135 10.0.0.0/19 total network
7145 ------------hub/switch----------
7147 naret silom kaosarn RAS etc.
7150 First, make all traffic pass through naret by making
7151 sure it is the default gateway except for silom.
7152 Silom's default gateway has to be donmuang (10.0.0.3) or
7153 this would create web traffic loop.
7157 (all servers on my network had 10.0.0.1 as the default gateway
7158 which was the former IP address of donmuang router so what I did
7159 was changed the IP address of donmuang to 10.0.0.3 and gave
7160 naret ip address of 10.0.0.1)
7168 -setup squid and ipchains
7174 Setup Squid server on silom, make sure it does support
7175 transparent caching/proxying, the default port is usually
7176 3128, so all traffic for port 80 has to be redirected to port
7177 3128 locally. This can be done by using ipchains with the following:
7183 silom# ipchains -N allow1
7184 silom# ipchains -A allow1 -p TCP -s 10.0.0.0/19 -d 0/0 80 -j REDIRECT 3128
7185 silom# ipchains -I input -j allow1
7195 Or, in netfilter lingo:
7198 silom# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
7204 (note: you might have other entries as well)
7208 For more information on setting Squid server please refer
7209 to Squid faq page on <ULink
7210 URL="http://squid.nlanr.net"
7211 >http://squid.nlanr.net</ULink
7216 Make sure ip forwarding is enabled on this server and the default
7217 gateway for this server is donmuang router (NOT naret).
7225 -setup iptables and iproute2
7226 -disable icmp REDIRECT messages (if needed)
7237 "Mark" packets of destination port 80 with value 2
7241 naret# iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport 80 \
7242 -j MARK --set-mark 2
7249 Setup iproute2 so it will route packets with "mark" 2 to silom
7252 naret# echo 202 www.out >> /etc/iproute2/rt_tables
7253 naret# ip rule add fwmark 2 table www.out
7254 naret# ip route add default via 10.0.0.2 dev eth0 table www.out
7255 naret# ip route flush cache
7261 If donmuang and naret is on the same subnet then
7262 naret should not send out icmp REDIRECT messages.
7263 In this case it is, so icmp REDIRECTs has to be
7267 naret# echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
7268 naret# echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
7269 naret# echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
7281 The setup is complete, check the configuration
7289 naret# iptables -t mangle -L
7290 Chain PREROUTING (policy ACCEPT)
7291 target prot opt source destination
7292 MARK tcp -- anywhere anywhere tcp dpt:www MARK set 0x2
7294 Chain OUTPUT (policy ACCEPT)
7295 target prot opt source destination
7298 0: from all lookup local
7299 32765: from all fwmark 2 lookup www.out
7300 32766: from all lookup main
7301 32767: from all lookup default
7303 naret# ip route list table www.out
7304 default via 203.114.224.8 dev eth0
7307 10.0.0.1 dev eth0 scope link
7308 10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.1
7309 127.0.0.0/8 dev lo scope link
7310 default via 10.0.0.3 dev eth0
7312 (make sure silom belongs to one of the above lines, in this case
7313 it's the line with 10.0.0.0/24)
7325 <Title>Traffic flow diagram after implementation</Title>
7329 |-----------------------------------------|
7330 |Traffic flow diagram after implementation|
7331 |-----------------------------------------|
7337 -----------------donmuang router---------------------
7342 *destination port 80 traffic=========>(cache) ||
7345 \\===================================kaosarn, RAS, etc.
7350 Note that the network is asymmetric as there is one extra hop on
7351 general outgoing path.
7357 Here is run down for packet traversing the network from kaosarn
7358 to and from the Internet.
7360 For web/http traffic:
7361 kaosarn http request->naret->silom->donmuang->internet
7362 http replies from Internet->donmuang->silom->kaosarn
7364 For non-web/http requests(eg. telnet):
7365 kaosarn outgoing data->naret->donmuang->internet
7366 incoming data from Internet->donmuang->kaosarn
7375 <Sect1 id="lartc.cookbook.mtu-discovery">
7376 <Title>Circumventing Path MTU Discovery issues with per route MTU settings</Title>
7379 For sending bulk data, the Internet generally works better when using larger
7380 packets. Each packet implies a routing decision, when sending a 1 megabyte
7381 file, this can either mean around 700 packets when using packets that are as
7382 large as possible, or 4000 if using the smallest default.
7386 However, not all parts of the Internet support full 1460 bytes of payload
7387 per packet. It is therefore necessary to try and find the largest packet
7388 that will 'fit', in order to optimize a connection.
7392 This process is called 'Path MTU Discovery', where MTU stands for 'Maximum
7397 When a router encounters a packet that's too big too send in one piece, AND
7398 it has been flagged with the "Don't Fragment" bit, it returns an ICMP
7399 message stating that it was forced to drop a packet because of this. The
7400 sending host acts on this hint by sending smaller packets, and by iterating
7401 it can find the optimum packet size for a connection over a certain path.
7405 This used to work well until the Internet was discovered by hooligans who do
7406 their best to disrupt communications. This in turn lead administrators to
7407 either block or shape ICMP traffic in a misguided attempt to improve
7408 security or robustness of their Internet service.
7412 What has happened now is that Path MTU Discovery is working less and less
7413 well and fails for certain routes, which leads to strange TCP/IP sessions
7414 which die after a while.
7418 Although I have no proof for this, two sites who I used to have this problem
7419 with both run Alteon Acedirectors before the affected systems - perhaps
7420 somebody more knowledgeable can provide clues as to why this happens.
7424 <Title>Solution</Title>
7427 When you encounter sites that suffer from this problem, you can disable Path
7428 MTU discovery by setting it manually. Koos van den Hout, slightly edited,
7434 The following problem: I set the mtu/mru of my leased line running ppp to
7435 296 because it's only 33k6 and I cannot influence the queueing on the
7436 other side. At 296, the response to a keypress is within a reasonable
7441 And, on my side I have a masqrouter running (of course) Linux.
7445 Recently I split 'server' and 'router' so most applications are run on a
7446 different machine than the routing happens on.
7450 I then had trouble logging into irc. Big panic! Some digging did find
7451 out that I got connected to irc, even showed up as 'connected' on irc
7452 but I did not receive the motd from irc. I checked what could be wrong
7453 and noted that I already had some previous trouble reaching certain
7454 websites related to the MTU, since I had no trouble reaching them when
7455 the MTU was 1500, the problem just showed when the MTU was set to 296.
7456 Since irc servers block about every kind of traffic not needed for their
7457 immediate operation, they also block icmp.
7461 I managed to convince the operators of a webserver that this was the cause
7462 of a problem, but the irc server operators were not going to fix this.
7466 So, I had to make sure outgoing masqueraded traffic started with the lower
7467 mtu of the outside link. But I want local ethernet traffic to have the
7468 normal mtu (for things like nfs traffic).
7475 ip route add default via 10.0.0.1 mtu 296
7479 (10.0.0.1 being the default gateway, the inside address of the
7480 masquerading router)
7485 In general, it is possible to override PMTU Discovery by setting specific
7486 routes. For example, if only a certain subnet is giving problems, this
7491 ip route add 195.96.96.0/24 via 10.0.0.1 mtu 1000
7498 <Sect1 id="lartc.cookbook.mtu-mss">
7499 <Title>Circumventing Path MTU Discovery issues with MSS Clamping
7500 (for ADSL, cable, PPPoE & PPtP users)</Title>
7503 As explained above, Path MTU Discovery doesn't work as well as it should
7504 anymore. If you know for a fact that a hop somewhere in your network has a
7505 limited (<1500) MTU, you cannot rely on PMTU Discovery finding this out.
7509 Besides MTU, there is yet another way to set the maximum packet size, the so
7510 called Maximum Segment Size. This is a field in the TCP Options part of a
7515 Recent Linux kernels, and a few pppoe drivers (notably, the excellent
7516 Roaring Penguin one), feature the possibility to 'clamp the MSS'.
7520 The good thing about this is that by setting the MSS value, you are telling
7521 the remote side unequivocally 'do not ever try to send me packets bigger
7522 than this value'. No ICMP traffic is needed to get this to work.
7526 The bad thing is that it's an obvious hack - it breaks 'end to end' by
7527 modifying packets. Having said that, we use this trick in many places and it
7532 In order for this to work you need at least iptables-1.2.1a and Linux 2.4.3
7533 or higher. The basic commandline is:
7536 # iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
7542 This calculates the proper MSS for your link. If you are feeling brave, or
7543 think that you know best, you can also do something like this:
7549 # iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 128
7555 This sets the MSS of passing SYN packets to 128. Use this if you have VoIP
7556 with tiny packets, and huge http packets which are causing chopping in your
7562 <Sect1 id="lartc.cookbook.ultimate-tc">
7563 <Title>The Ultimate Traffic Conditioner: Low Latency, Fast Up & Downloads</Title>
7566 Note: This script has recently been upgraded and previously only worked for
7567 Linux clients in your network! So you might want to update if you have
7568 Windows machines or Macs in your network and noticed that they were not able
7569 to download faster while others were uploading.
7573 I attempted to create the holy grail:
7577 <Term>Maintain low latency for interfactive traffic at all times</Term>
7580 This means that downloading or uploading files should not disturb SSH or
7581 even telnet. These are the most important things, even 200ms latency is
7582 sluggish to work over.
7586 <Term>Allow 'surfing' at reasonable speeds while up or downloading</Term>
7589 Even though http is 'bulk' traffic, other traffic should not drown it out
7594 <Term>Make sure uploads don't harm downloads, and the other way around</Term>
7597 This is a much observed phenomenon where upstream traffic simply destroys
7602 It turns out that all this is possible, at the cost of a tiny bit of
7603 bandwidth. The reason that uploads, downloads and ssh hurt eachother is the
7604 presence of large queues in many domestic access devices like cable or DSL
7609 The next section explains in depth what causes the delays, and how we can
7610 fix them. You can safely skip it and head straight for the script if you
7611 don't care how the magic is performed.
7615 <Title>Why it doesn't work well by default</Title>
7618 ISPs know that they are benchmarked solely on how fast people can download.
7619 Besides available bandwidth, download speed is influenced heavily by packet
7620 loss, which seriously hampers TCP/IP performance. Large queues can help
7621 prevent packetloss, and speed up downloads. So ISPs configure large queues.
7625 These large queues however damage interactivity. A keystroke must first
7626 travel the upstream queue, which may be seconds (!) long and go to your
7627 remote host. It is then displayed, which leads to a packet coming back, which
7628 must then traverse the downstream queue, located at your ISP, before it
7629 appears on your screen.
7633 This HOWTO teaches you how to mangle and process the queue in many ways, but
7634 sadly, not all queues are accessible to us. The queue over at the ISP is
7635 completely off-limits, whereas the upstream queue probably lives inside your
7636 cable modem or DSL device. You may or may not be able to configure it. Most
7641 So, what next? As we can't control either of those queues, they must be
7642 eliminated, and moved to your Linux router. Luckily this is possible.
7649 <Term>Limit upload speed</Term>
7652 By limiting our upload speed to slightly less than the truly available rate,
7653 no queues are built up in our modem. The queue is now moved to Linux.
7657 <Term>Limit download speed</Term>
7660 This is slightly trickier as we can't really influence how fast the internet
7661 ships us data. We can however drop packets that are coming in too fast,
7662 which causes TCP/IP to slow down to just the rate we want. Because we don't
7663 want to drop traffic unnecessarily, we configure a 'burst' size we allow at
7671 Now, once we have done this, we have eliminated the downstream queue totally
7672 (except for short bursts), and gain the ability to manage the upstream queue
7673 with all the power Linux offers.
7677 What remains to be done is to make sure interactive traffic jumps to the
7678 front of the upstream queue. To make sure that uploads don't hurt downloads,
7679 we also move ACK packets to the front of the queue. This is what normally
7680 causes the huge slowdown observed when generating bulk traffic both ways.
7681 The ACKnowledgements for downstream traffic must compete with upstream
7682 traffic, and get delayed in the process.
7686 If we do all this we get the following measurements using an excellent ADSL
7687 connection from xs4all in the Netherlands:
7694 round-trip min/avg/max = 14.4/17.1/21.7 ms
7696 Without traffic conditioner, while downloading:
7697 round-trip min/avg/max = 560.9/573.6/586.4 ms
7699 Without traffic conditioner, while uploading:
7700 round-trip min/avg/max = 2041.4/2332.1/2427.6 ms
7702 With conditioner, during 220kbit/s upload:
7703 round-trip min/avg/max = 15.7/51.8/79.9 ms
7705 With conditioner, during 850kbit/s download:
7706 round-trip min/avg/max = 20.4/46.9/74.0 ms
7708 When uploading, downloads proceed at ~80% of the available speed. Uploads
7709 at around 90%. Latency then jumps to 850 ms, still figuring out why.
7715 What you can expect from this script depends a lot on your actual uplink
7716 speed. When uploading at full speed, there will always be a single packet
7717 ahead of your keystroke. That is the lower limit to the latency you can
7718 achieve - divide your MTU by your upstream speed to calculate. Typical
7719 values will be somewhat higher than that. Lower your MTU for better effects!
7723 Next, two versions of this script, one with Devik's excellent HTB, the other
7724 with CBQ which is in each Linux kernel, unlike HTB. Both are tested and work
7731 <Title>The actual script (CBQ)</Title>
7734 Works on all kernels. Within the CBQ
7735 qdisc we place two Stochastic Fairness Queues that make sure that multiple
7736 bulk streams don't drown each other out.
7740 Downstream traffic is policed using a tc filter containing a Token Bucket
7745 You might improve on this script by adding 'bounded' to the line that starts
7746 with 'tc class add .. classid 1:20'. If you lowered your MTU, also lower the
7747 allot & avpkt numbers!
7755 # The Ultimate Setup For Your Internet Connection At Home
7758 # Set the following values to somewhat less than your actual download
7759 # and uplink speed. In kilobits
7764 # clean existing down- and uplink qdiscs, hide errors
7765 tc qdisc del dev $DEV root 2> /dev/null > /dev/null
7766 tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null
7772 tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 10mbit
7774 # shape everything at $UPLINK speed - this prevents huge queues in your
7775 # DSL modem which destroy latency:
7778 tc class add dev $DEV parent 1: classid 1:1 cbq rate ${UPLINK}kbit \
7779 allot 1500 prio 5 bounded isolated
7781 # high prio class 1:10:
7783 tc class add dev $DEV parent 1:1 classid 1:10 cbq rate ${UPLINK}kbit \
7784 allot 1600 prio 1 avpkt 1000
7786 # bulk and default class 1:20 - gets slightly less traffic,
7787 # and a lower priority:
7789 tc class add dev $DEV parent 1:1 classid 1:20 cbq rate $[9*$UPLINK/10]kbit \
7790 allot 1600 prio 2 avpkt 1000
7792 # both get Stochastic Fairness:
7793 tc qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 10
7794 tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10
7797 # TOS Minimum Delay (ssh, NOT scp) in 1:10:
7798 tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
7799 match ip tos 0x10 0xff flowid 1:10
7801 # ICMP (ip protocol 1) in the interactive class 1:10 so we
7802 # can do measurements & impress our friends:
7803 tc filter add dev $DEV parent 1:0 protocol ip prio 11 u32 \
7804 match ip protocol 1 0xff flowid 1:10
7806 # To speed up downloads while an upload is going on, put ACK packets in
7807 # the interactive class:
7809 tc filter add dev $DEV parent 1: protocol ip prio 12 u32 \
7810 match ip protocol 6 0xff \
7811 match u8 0x05 0x0f at 0 \
7812 match u16 0x0000 0xffc0 at 2 \
7813 match u8 0x10 0xff at 33 \
7816 # rest is 'non-interactive' ie 'bulk' and ends up in 1:20
7818 tc filter add dev $DEV parent 1: protocol ip prio 13 u32 \
7819 match ip dst 0.0.0.0/0 flowid 1:20
7821 ########## downlink #############
7822 # slow downloads down to somewhat less than the real speed to prevent
7823 # queuing at our ISP. Tune to see how high you can set it.
7824 # ISPs tend to have *huge* queues to make sure big downloads are fast
7826 # attach ingress policer:
7828 tc qdisc add dev $DEV handle ffff: ingress
7830 # filter *everything* to it (0.0.0.0/0), drop everything that's
7831 # coming in too fast:
7833 tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
7834 0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1
7837 If you want this script to be run by ppp on connect, copy it to
7842 If the last two lines give an error, update your tc tool to a newer version!
7848 <Title>The actual script (HTB)</Title>
7851 The following script achieves all goals using the wonderful HTB queue, see
7852 the relevant chapter. Well worth patching your kernel for!
7857 # The Ultimate Setup For Your Internet Connection At Home
7860 # Set the following values to somewhat less than your actual download
7861 # and uplink speed. In kilobits
7866 # clean existing down- and uplink qdiscs, hide errors
7867 tc qdisc del dev $DEV root 2> /dev/null > /dev/null
7868 tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null
7872 # install root HTB, point default traffic to 1:20:
7874 tc qdisc add dev $DEV root handle 1: htb default 20
7876 # shape everything at $UPLINK speed - this prevents huge queues in your
7877 # DSL modem which destroy latency:
7879 tc class add dev $DEV parent 1: classid 1:1 htb rate ${UPLINK}kbit burst 6k
7881 # high prio class 1:10:
7883 tc class add dev $DEV parent 1:1 classid 1:10 htb rate ${UPLINK}kbit \
7886 # bulk & default class 1:20 - gets slightly less traffic,
7887 # and a lower priority:
7889 tc class add dev $DEV parent 1:1 classid 1:20 htb rate $[9*$UPLINK/10]kbit \
7892 # both get Stochastic Fairness:
7893 tc qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 10
7894 tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10
7896 # TOS Minimum Delay (ssh, NOT scp) in 1:10:
7897 tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
7898 match ip tos 0x10 0xff flowid 1:10
7900 # ICMP (ip protocol 1) in the interactive class 1:10 so we
7901 # can do measurements & impress our friends:
7902 tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
7903 match ip protocol 1 0xff flowid 1:10
7905 # To speed up downloads while an upload is going on, put ACK packets in
7906 # the interactive class:
7908 tc filter add dev $DEV parent 1: protocol ip prio 10 u32 \
7909 match ip protocol 6 0xff \
7910 match u8 0x05 0x0f at 0 \
7911 match u16 0x0000 0xffc0 at 2 \
7912 match u8 0x10 0xff at 33 \
7915 # rest is 'non-interactive' ie 'bulk' and ends up in 1:20
7918 ########## downlink #############
7919 # slow downloads down to somewhat less than the real speed to prevent
7920 # queuing at our ISP. Tune to see how high you can set it.
7921 # ISPs tend to have *huge* queues to make sure big downloads are fast
7923 # attach ingress policer:
7925 tc qdisc add dev $DEV handle ffff: ingress
7927 # filter *everything* to it (0.0.0.0/0), drop everything that's
7928 # coming in too fast:
7930 tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
7931 0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1
7937 If you want this script to be run by ppp on connect, copy it to
7942 If the last two lines give an error, update your tc tool to a newer version!
7951 <chapter id="lartc.bridging">
7952 <Title>Building bridges, and pseudo-bridges with Proxy ARP</Title>
7955 Bridges are devices which can be installed in a network without any
7956 reconfiguration. A network switch is basically a many-port bridge. A bridge
7957 is often a 2-port switch. Linux does however support multiple interfaces in
7958 a bridge, making it a true switch.
7962 Bridges are often deployed when confronted with a broken network that needs
7963 to be fixed without any alterations. Because the bridge is a layer-2 device,
7964 one layer below IP, routers and servers are not aware of its existence.
7965 This means that you can transparently block or modify certain packets, or do
7970 Another good thing is that a bridge can often be replaced by a cross cable
7971 or a hub, should it break down.
7975 The bad news is that a bridge can cause great confusion unless it is very
7976 well documented. It does not appear in traceroutes, but somehow packets
7977 disappear or get changed from point A to point B ('this network is
7978 HAUNTED!'). You should also wonder if an organization that 'does not want to
7979 change anything' is doing the right thing.
7983 The Linux 2.4/2.5 bridge is documented on
7984 <ULink URL=" http://bridge.sourceforge.net/">this page</ULink>.
7987 <Sect1 id="lartc.bridging.iptables">
7988 <Title>State of bridging and iptables</Title>
7991 As of Linux 2.4.14, bridging and iptables do not 'see' each other without
7992 help. If you bridge packets from eth0 to eth1, they do not 'pass' by
7993 iptables. This means that you cannot do filtering, or NAT or mangling or
7998 There are several projects going on to fix this, the truly right one is by
7999 the author of the Linux 2.4 bridging code, Lennert Buytenhek. He recently
8000 informed us that as of bridge-nf 0.0.2 (see the url above), the code is
8001 stable and usable in production environments. He is now asking the kernel
8002 people if and how the patch can be merged, stay tuned!
8007 <Sect1 id="lartc.bridging.shaping">
8008 <Title>Bridging and shaping</Title>
8011 This does work as advertised. Be sure to figure out which side each
8012 interface is on, otherwise you might be shaping outbound traffic in your
8013 internal interface, which won't work. Use tcpdump if needed.
8018 <Sect1 id="lartc.bridging.proxy-arp">
8019 <Title>Pseudo-bridges with Proxy-ARP</Title>
8022 If you just want to implement a Pseudo-bridge, skip down a few sections
8023 to 'Implementing it', but it is wise to read a bit about how it works in
8028 A Pseudo-bridge works a bit differently. By default, a bridge passes packets
8029 unaltered from one interface to the other. It only looks at the hardware
8030 address of packets to determine what goes where. This in turn means that you
8031 can bridge traffic that Linux does not understand, as long as it has an
8032 hardware address it does.
8036 A 'Pseudo-bridge' works differently and looks more like a hidden router than
8037 a bridge, but like a bridge, it has little impact on network design.
8041 An advantage of the fact that it is not a brige lies in the fact that
8042 packets really pass through the kernel, and can be filtered, changed,
8043 redirected or rerouted.
8047 A real bridge can also be made to perform these feats, but it needs special
8048 code, like the Ethernet Frame Diverter, or the above mentioned patch.
8052 Another advantage of a pseudo-bridge is that it does not pass packets it
8053 does not understand - thus cleaning your network of a lot of cruft. In cases
8054 where you need this cruft (like SAP packets, or Netbeui), use a real bridge.
8058 <Title>ARP & Proxy-ARP</Title>
8061 When a host wants to talk to another host on the same physical network
8062 segment, it sends out an Address Resolution Protocol packet, which, somewhat
8063 simplified, reads like this 'who has 10.0.0.1, tell 10.0.0.7'. In response
8064 to this, 10.0.0.1 replies with a short 'here' packet.
8068 10.0.0.7 then sends packets to the hardware address mentioned in the 'here'
8069 packet. It caches this hardware address for a relatively long time, and
8070 after the cache expires, it reasks the question.
8074 When building a Pseudo-bridge, we instruct the bridge to reply to these ARP
8075 packets, which causes the hosts in the network to send its packets to the
8076 bridge. The brige then processes these packets, and sends them to the
8081 So, in short, whenever a host on one side of the bridge asks for the
8082 hardware address of a host on the other, the bridge replies with a packet
8083 that says 'hand it to me'.
8087 This way, all data traffic gets transmitted to the right place, and always
8088 passes through the bridge.
8094 <Title>Implementing it</Title>
8097 In the bad old days, it used to be possible to instruct the Linux Kernel to
8098 perform 'proxy-ARP' for just any subnet. So, to configure a pseudo-bridge,
8099 you would have to specify both the proper routes to both sides of the bridge
8100 AND create matching proxy-ARP rules. This is bad in that it requires a lot
8101 of typing, but also because it easily allows you to make mistakes which make
8102 your bridge respond to ARP queries for networks it does not know how to
8107 With Linux 2.4/2.5 (and possibly 2.2), this possibility has been withdrawn and
8108 has been replaced by a flag in the /proc directory, called 'proxy_arp'. The
8109 procedure for building a pseudo-bridge is then:
8118 Assign an IP address to both interfaces, the 'left' and the 'right'
8125 Create routes so your machine knows which hosts reside on the left,
8126 and which on the right
8132 Turn on proxy-ARP on both interfaces, echo 1 >
8133 /proc/sys/net/ipv4/conf/ethL/proxy_arp, echo 1 >
8134 /proc/sys/net/ipv4/conf/ethR/proxy_arp, where L and R stand for the numbers
8135 of your interfaces on the left and on the right side
8144 Also, do not forget to turn on the ip_forwarding flag! When converting from
8145 a true bridge, you may find that this flag was turned off as it is not
8146 needed when bridging.
8150 Another thing you might note when converting is that you need to clear the
8151 arp cache of computers in the network - the arp cache might contain old
8152 pre-bridge hardware addresses which are no longer correct.
8156 On a Cisco, this is done using the command 'clear arp-cache', under
8157 Linux, use 'arp -d ip.address'. You can also wait for the cache to expire
8158 manually, which can take rather long.
8161 You can speed this up using the wonderful 'arping' tool, which on many
8162 distributions is part of the 'iputils' package. Using 'arping' you can send
8163 out unsollicited ARP messages so as to update remote arp caches.
8166 This is a very powerful technique that is also used by 'black hats' to
8167 subvert your routing!
8171 On Linux 2.4, you may need to execute
8172 'echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind' before being able to send
8173 out unsollicited ARP messages!
8177 You may also discover that your network was misconfigured if you are/were of
8178 the habit of specifying routes without netmasks. To explain, some versions
8179 of route may have guessed your netmask right in the past, or guessed wrong
8180 without you noticing. When doing surgical routing like described above, it
8181 is *vital* that you check your netmasks!
8190 <chapter id="lartc.dynamic-routing">
8191 <Title>Dynamic routing - OSPF and BGP</Title>
8194 Once your network starts to get really big, or you start to consider 'the
8195 internet' as your network, you need tools which dynamically route your data.
8196 Sites are often connected to each other with multiple links, and more are
8197 popping up all the time.
8201 The Internet has mostly standardised on OSPF and BGP4 (rfc1771).
8202 Linux supports both, by way of <application>gated</application> and
8203 <application>zebra</application>
8207 While currently not within the scope of this document, we would like to
8208 point you to the definitive works:
8218 URL="http://www.cisco.com/univercd/cc/td/doc/cisintwk/idg4/nd2003.htm"
8219 >Designing large-scale IP Internetworks</ULink
8229 "OSPF. The anatomy of an Internet routing protocol"
8230 Addison Wesley. Reading, MA. 1998.
8234 Halabi has also written a good guide to OSPF routing design, but this
8235 appears to have been dropped from the Cisco web site.
8244 "Internet routing architectures"
8245 Cisco Press (New Riders Publishing). Indianapolis, IN. 1997.
8258 URL="http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/icsbgp4.htm"
8259 >Using the Border Gateway Protocol for interdomain routing</ULink
8264 Although the examples are Cisco-specific, they are remarkably similar
8265 to the configuration language in Zebra :-)
8270 <chapter id="lartc.other"
8271 xreflabel="Other possibilities">
8272 <Title>Other possibilities</Title>
8275 This chapter is a list of projects having to do with advanced Linux routing
8276 & traffic shaping. Some of these links may deserve chapters of their
8277 own, some are documented very well of themselves, and don't need more HOWTO.
8284 <Term>802.1Q VLAN Implementation for Linux <ULink
8285 URL="http://scry.wanfear.com/~greear/vlan.html"
8290 VLANs are a very cool way to segregate your
8291 networks in a more virtual than physical way. Good information on VLANs can
8293 URL="ftp://ftp.netlab.ohio-state.edu/pub/jain/courses/cis788-97/virtual_lans/index.htm"
8295 >. With this implementation, you can have your Linux box talk
8296 VLANs with machines like Cisco Catalyst, 3Com: {Corebuilder, Netbuilder II,
8297 SuperStack II switch 630}, Extreme Ntwks Summit 48, Foundry: {ServerIronXL,
8302 A great HOWTO about VLANs can be found <ULink
8303 URL="http://scry.wanfear.com/~greear/vlan/cisco_howto.html"
8309 Update: has been included in the kernel as of 2.4.14 (perhaps 13).
8313 <Term>Alternate 802.1Q VLAN Implementation for Linux <ULink
8314 URL="http://vlan.sourceforge.net "
8319 Alternative VLAN implementation for linux. This project was started out of
8320 disagreement with the 'established' VLAN project's architecture and coding
8321 style, resulting in a cleaner overall design.
8325 <Term>Linux Virtual Server <ULink
8326 URL="http://www.LinuxVirtualServer.org/"
8331 These people are brilliant. The Linux Virtual Server is a highly scalable and
8332 highly available server built on a cluster of real servers, with the load
8333 balancer running on the Linux operating system. The architecture of the
8334 cluster is transparent to end users. End users only see a single virtual
8339 In short whatever you need to loadbalance, at whatever level of traffic, LVS
8340 will have a way of doing it. Some of their techniques are positively evil!
8341 For example, they let several machines have the same IP address on a
8342 segment, but turn off ARP on them. Only the LVS machine does ARP - it then
8343 decides which of the backend hosts should handle an incoming packet, and
8344 sends it directly to the right MAC address of the backend server. Outgoing
8345 traffic will flow directly to the router, and not via the LVS machine, which
8346 does therefor not need to see your 5Gbit/s of content flowing to the world,
8347 and cannot be a bottleneck.
8351 The LVS is implemented as a kernel patch in Linux 2.0 and 2.2, but as a
8352 Netfilter module in 2.4/2.5, so it does not need kernel patches! Their 2.4
8353 support is still in early development, so beat on it and give feedback or
8358 <Term>CBQ.init <ULink
8359 URL="ftp://ftp.equinox.gu.net/pub/linux/cbq/"
8364 Configuring CBQ can be a bit daunting, especially if all you want to do is
8365 shape some computers behind a router. CBQ.init can help you configure Linux
8366 with a simplified syntax.
8370 For example, if you want all computers in your 192.168.1.0/24 subnet
8371 (on 10mbit eth1) to be limited to 28kbit/s download speed, put
8372 this in the CBQ.init configuration file:
8378 DEVICE=eth1,10Mbit,1Mbit
8388 By all means use this program if the 'how and why' don't interest you.
8389 We're using CBQ.init in production and it works very well. It can even do
8390 some more advanced things, like time dependent shaping. The documentation is
8391 embedded in the script, which explains why you can't find a README.
8395 <Term>Chronox easy shaping scripts <ULink
8396 URL="http://www.chronox.de"
8401 Stephan Mueller (smueller@chronox.de) wrote two useful scripts, 'limit.conn'
8402 and 'shaper'. The first one allows you to easily throttle a single download
8409 # limit.conn -s SERVERIP -p SERVERPORT -l LIMIT
8415 It works on Linux 2.2 and 2.4/2.5.
8419 The second script is more complicated, and can be used to make lots of
8420 different queues based on iptables rules, which are used to mark packets
8421 which are then shaped.
8425 <Term>Virtual Router
8426 Redundancy Protocol implementation <ULink
8427 URL="http://w3.arobas.net/~jetienne/vrrpd/index.html"
8432 This is purely for redundancy. Two machines with their own IP address and
8433 MAC Address together create a third IP Address and MAC Address, which is
8434 virtual. Originally intended purely for routers, which need constant MAC
8435 addresses, it also works for other servers.
8439 The beauty of this approach is the incredibly easy configuration. No kernel
8440 compiling or patching required, all userspace.
8444 Just run this on all machines participating in a service:
8447 # vrrpd -i eth0 -v 50 10.0.0.22
8453 And you are in business! 10.0.0.22 is now carried by one of your servers,
8454 probably the first one to run the vrrp daemon. Now disconnect that computer
8455 from the network and very rapidly one of the other computers will assume the
8456 10.0.0.22 address, as well as the MAC address.
8460 I tried this over here and had it up and running in 1 minute. For some
8461 strange reason it decided to drop my default gateway, but the -n flag
8466 This is a 'live' failover:
8472 64 bytes from 10.0.0.22: icmp_seq=3 ttl=255 time=0.2 ms
8473 64 bytes from 10.0.0.22: icmp_seq=4 ttl=255 time=0.2 ms
8474 64 bytes from 10.0.0.22: icmp_seq=5 ttl=255 time=16.8 ms
8475 64 bytes from 10.0.0.22: icmp_seq=6 ttl=255 time=1.8 ms
8476 64 bytes from 10.0.0.22: icmp_seq=7 ttl=255 time=1.7 ms
8482 Not *one* ping packet was lost! Just after packet 4, I disconnected my P200
8483 from the network, and my 486 took over, which you can see from the higher
8492 <chapter id="lartc.further">
8493 <Title>Further reading</Title>
8500 URL="http://snafu.freedom.org/linux2.2/iproute-notes.html"
8501 >http://snafu.freedom.org/linux2.2/iproute-notes.html</ULink
8505 Contains lots of technical information, comments from the kernel
8510 URL="http://www.davin.ottawa.on.ca/ols/"
8511 >http://www.davin.ottawa.on.ca/ols/</ULink
8515 Slides by Jamal Hadi Salim, one of the authors of Linux traffic control
8520 URL="http://defiant.coinet.com/iproute2/ip-cref/"
8521 >http://defiant.coinet.com/iproute2/ip-cref/</ULink
8525 HTML version of Alexeys LaTeX documentation - explains part of iproute2 in
8531 URL="http://www.aciri.org/floyd/cbq.html"
8532 >http://www.aciri.org/floyd/cbq.html</ULink
8536 Sally Floyd has a good page on CBQ, including her original papers. None of
8537 it is Linux specific, but it does a fair job discussing the theory and uses
8539 Very technical stuff, but good reading for those so inclined.
8543 <Term>Differentiated Services on Linux</Term>
8547 URL="ftp://icaftp.epfl.ch/pub/linux/diffserv/misc/dsid-01.txt.gz"
8549 > by Werner Almesberger, Jamal Hadi Salim and Alexey
8550 Kuznetsov describes DiffServ facilities in the Linux kernel, amongst which
8551 are TBF, GRED, the DSMARK qdisc and the tcindex classifyer.
8556 URL="http://ceti.pl/~kravietz/cbq/NET4_tc.html"
8557 >http://ceti.pl/~kravietz/cbq/NET4_tc.html</ULink
8561 Yet another HOWTO, this time in Polish! You can copy/paste command lines
8562 however, they work just the same in every language. The author is
8563 cooperating with us and may soon author sections of this HOWTO.
8568 URL="http://www.cisco.com/univercd/cc/td/doc/product/software/ios111/cc111/car.htm"
8569 >IOS Committed Access Rate</ULink
8574 From the helpful folks of Cisco who have the laudable habit of putting
8575 their documentation online. Cisco syntax is different but the concepts are
8576 the same, except that we can do more and do it without routers the price of
8581 <Term>Docum experimental site<ULink
8582 URL="http://www.docum.org"
8587 Stef Coene is busy convincing his boss to sell Linux support, and so he is
8588 experimenting a lot, especially with managing bandwidth. His site has a lot
8589 of practical information, examples, tests and also points out some CBQ/tc bugs.
8593 <Term>TCP/IP Illustrated, volume 1, W. Richard Stevens, ISBN 0-201-63346-9</Term>
8596 Required reading if you truly want to understand TCP/IP. Entertaining as
8605 <chapter id="lartc.ack">
8606 <Title>Acknowledgements </Title>
8610 It is our goal to list everybody who has contributed to this HOWTO, or
8611 helped us demystify how things work. While there are currently no plans
8612 for a Netfilter type scoreboard, we do like to recognise the people who are
8618 <ItemizedList spacing="compact">
8622 <author><firstname>Juanjo</firstname><surname>Alins</surname></author>
8623 <address><email>juanjo@mat.upc.es</email></address>
8628 <author><firstname>Joe</firstname><surname>Van Andel</surname></author>
8634 <author><firstname>Michael</firstname><othername>T.</othername>
8635 <surname>Babcock</surname></author>
8636 <address><email>mbabcock@fibrespeed.net</email></address>
8643 <author><firstname>Christopher</firstname>
8644 <surname>Barton</surname></author>
8645 <address><email>cpbarton%uiuc.edu</email></address>
8652 <author><firstname>Ard</firstname><surname>van Breemen</surname></author>
8653 <address><email>ard%kwaak.net</email></address>
8658 <author><firstname>Ron</firstname><surname>Brinker</surname></author>
8659 <address><email>service%emcis.com</email></address>
8664 <author><firstname>?ukasz</firstname><surname>Bromirski</surname></author>
8665 <address><email>L.Bromirski@prosys.com.pl</email></address>
8670 <author><firstname>Lennert</firstname><surname>Buytenhek</surname></author>
8671 <address><email>buytenh@gnu.org</email></address>
8676 <author><firstname>Esteve</firstname><surname>Camps</surname></author>
8677 <address><email>esteve@hades.udg.es</email></address>
8682 <author><firstname>Stef</firstname><surname>Coene</surname></author>
8683 <address><email>stef.coene@docum.org</email></address>
8688 <author><firstname>Don</firstname><surname>Cohen</surname></author>
8689 <address><email>don-lartc%isis.cs3-inc.com</email></address>
8694 <author><firstname>Jonathan</firstname><surname>Corbet</surname></author>
8695 <address><email>lwn%lwn.net</email></address>
8700 <author><firstname>Gerry</firstname><surname>Creager</surname>
8701 <othername>N5JXS</othername></author>
8702 <address><email>gerry%cs.tamu.edu</email></address>
8707 <author><firstname>Marco</firstname><surname>Davids</surname></author>
8708 <address><email>marco@sara.nl</email></address>
8713 <author><firstname>Jonathan</firstname><surname>Day</surname></author>
8714 <address><email>jd9812@my-deja.com</email></address>
8719 <author><firstname>Martin</firstname><surname>Devera</surname>
8720 <othername>aka devik</othername></author>
8721 <address><email>devik@cdi.cz</email></address>
8726 <author><firstname>Stephan</firstname><othername>"Kobold"</othername>
8727 <surname>Gehring</surname></author>
8728 <address><email>Stephan.Gehring@bechtle.de</email></address>
8733 <author><firstname>Jacek</firstname><surname>Glinkowski</surname></author>
8734 <address><email>jglinkow%hns.com</email></address>
8739 <author><firstname>Andrea</firstname><surname>Glorioso</surname></author>
8740 <address><email>sama%perchetopi.org</email></address>
8745 <author><firstname>Nadeem</firstname><surname>Hasan</surname></author>
8746 <address><email>nhasan@usa.net</email></address>
8751 <author><firstname>Erik</firstname><surname>Hensema</surname></author>
8752 <address><email>erik%hensema.xs4all.nl</email></address>
8757 <author><firstname>Vik</firstname><surname>Heyndrickx</surname></author>
8758 <address><email>vik.heyndrickx@edchq.com</email></address>
8763 <author><firstname>Spauldo</firstname><surname>Da Hippie</surname></author>
8764 <address><email>spauldo%usa.net</email></address>
8769 <author><firstname>Koos</firstname><surname>van den Hout</surname></author>
8770 <address><email>koos@kzdoos.xs4all.nl</email></address>
8776 Stefan Huelbrock <shuelbrock%datasystems.de>
8782 Alexander W. Janssen <yalla%ynfonatic.de>
8788 Gareth John <gdjohn%zepler.org>
8794 Martin Josefsson <gandalf%wlug.westbo.se>
8800 Andi Kleen <ak%suse.de>
8806 Andreas J. Koenig <andreas.koenig%anima.de>
8812 Pawel Krawczyk <kravietz%alfa.ceti.pl>
8818 Amit Kucheria <amitk@ittc.ku.edu>
8824 Edmund Lau <edlau%ucf.ics.uci.edu>
8830 Philippe Latu <philippe.latu%linux-france.org>
8836 Arthur van Leeuwen <arthurvl%sci.kun.nl>
8842 Jason Lunz <j@cc.gatech.edu>
8848 Stuart Lynne <sl@fireplug.net>
8854 Alexey Mahotkin <alexm@formulabez.ru>
8860 Predrag Malicevic <pmalic@ieee.org>
8865 Patrick McHardy <kaber@trash.net>
8873 Andreas Mohr <andi%lisas.de>
8879 Andrew Morton <akpm@zip.com.au>
8891 Stephan Mueller <smueller@chronox.de>
8897 Togan Muftuoglu <toganm%yahoo.com>
8903 Chris Murray <cmurray@stargate.ca>
8909 Patrick Nagelschmidt <dto%gmx.net>
8915 Ram Narula <ram@princess1.net>
8921 Jorge Novo <jnovo@educanet.net>
8927 Patrik <ph@kurd.nu>
8931 <listitem><para>P?l Osgy?ny <oplab%westel900.net></para></listitem>
8936 Lutz Preßler <Lutz.Pressler%SerNet.DE>
8942 Jason Pyeron <jason%pyeron.com>
8948 Rusty Russell <rusty%rustcorp.com.au>
8954 Mihai RUSU <dizzy%roedu.net>
8960 Jamal Hadi Salim <hadi%cyberus.ca>
8966 David Sauer <davids%penguin.cz>
8972 Sheharyar Suleman Shaikh <sss23@drexel.edu>
8978 Stewart Shields <MourningBlade%bigfoot.com>
8984 Nick Silberstein <nhsilber%yahoo.com>
8990 Konrads Smelkov <konrads@interbaltika.com>
8996 <author><firstname>William</firstname><surname>Stearns</surname></author>
8997 <address><email>wstearns@pobox.com</email></address>
9003 Andreas Steinmetz <ast%domdv.de>
9009 Jason Tackaberry <tack@linux.com>
9015 Charles Tassell <ctassell%isn.net>
9021 Glen Turner <glen.turner%aarnet.edu.au>
9027 Tea Sponsor: Eric Veldhuyzen <eric%terra.nu>
9033 Song Wang <wsong@ece.uci.edu>