From c51a9af89fb4ae18414a5da490d89f1e0a4648d2 Mon Sep 17 00:00:00 2001 From: Bert Hubert Date: Sun, 23 Jun 2002 11:28:18 +0000 Subject: [PATCH] latu is a hero! --- Makefile | 4 +- lartc.db | 1399 +++++++++++++++++++++++++++----------------------------------- 2 files changed, 619 insertions(+), 784 deletions(-) diff --git a/Makefile b/Makefile index 63dd89c..089c4b2 100755 --- a/Makefile +++ b/Makefile @@ -16,7 +16,7 @@ clean: html/index.html: lartc.db - db2html -o html lartc.db + db2html -V %use-id-as-filename% -o html lartc.db html.tar.gz: html/index.html tar czf html.tar.gz html/ @@ -25,7 +25,7 @@ html.tar.gz: html/index.html docbook2txt $< %.pdf: %.db - docbook2pdf $< + docbook2pdf -p /usr/bin/openjade $< %.ps: %.db docbook2ps $< diff --git a/lartc.db b/lartc.db index e64e13e..ecfef43 100644 --- a/lartc.db +++ b/lartc.db @@ -1,152 +1,147 @@ - + + + - - - -Linux Advanced Routing & Traffic Control HOWTO + + Linux Advanced Routing & Traffic Control HOWTO - - berthubert - - - Netherlabs BV - -
bert.hubert@netherlabs.nl
-
-
- - Gregory - Maxwell - -
greg@linuxpower.cx
-
-
- - - Remco - van Mook - -
remco@virtu.nl
-
-
- - - Martijn - van Oosterhout - -
kleptog@cupid.suninternet.com
-
-
- - Paul - B - Schroeder - -
paulsch@us.ibm.com
-
-
- - - Jasper - Spaans - -
jasper@spaans.ds9a.nl
-
-
-
- - - - -A very hands-on approach to iproute2, traffic shaping and a bit of -netfilter. - - - Verison v1.0.0 $Date$ - - - - + BertHubert + + Netherlabs BV +
bert.hubert@netherlabs.nl
+
+ + + + Gregory Maxwell + +
greg@linuxpower.cx
+
+
+ + + Remco van Mook + +
remco@virtu.nl
+
+
+ + + Martijn van Oosterhout + +
kleptog@cupid.suninternet.com
+
+
+ + + Paul B Schroeder + +
paulsch@us.ibm.com
+
+
+ + + Jasper Spaans + +
jasper@spaans.ds9a.nl
+
+
+ + + + + $Revision$ + $Date$ + DocBook Edition + + + + + A very hands-on approach to iproute2, + traffic shaping and a bit of netfilter. + + +
- -Dedication - - -This document is dedicated to lots of people, and is my attempt to do -something back. To list but a few: - - - - - - - - -Rusty Russell - - - - - -Alexey N. Kuznetsov - - - - - -The good folks from Google - - - - - -The staff of Casema Internet - - + + Dedication + + + This document is dedicated to lots of people, and is my attempt to do + something back. To list but a few: + + + + + + + + Rusty Russell + + + + + + Alexey N. Kuznetsov + + + + + + The good folks from Google + + + + + + The staff of Casema Internet + + - + - + - + - -Introduction + + Introduction Welcome, gentle reader. -This document hopes to enlighten you on how to do more with Linux 2.2/2.4 -routing. Unbeknownst to most users, you already run tools which allow you to -do spectacular things. Commands like 'route' and 'ifconfig' are actually -very thin wrappers for the very powerful iproute2 infrastructure. + This document hopes to enlighten you on how to do more with Linux 2.2/2.4 + routing. Unbeknownst to most users, you already run tools which allow you to + do spectacular things. Commands like route and + ifconfig are actually + very thin wrappers for the very powerful iproute2 infrastructure. - -I hope that this HOWTO will become as readable as the ones by Rusty Russell -of (amongst other things) netfilter fame. - + + I hope that this HOWTO will become as readable as the ones by Rusty Russell + of (amongst other things) netfilter fame. + - -You can always reach us by writing to the HOWTO team. However, please consider posting to the mailing -list (see the relevant section) if you have questions which are not directly -related to this HOWTO. + + You can always reach us by writing to the HOWTO team. However, please consider posting to the mailing + list (see the relevant section) if you have questions which are not directly + related to this HOWTO. We are no free helpdesk, but we often will answer questions + asked on the list. 
Before losing your way in this HOWTO, if all you want to do is simple -traffic shaping, skip everything and head to the 'Other possibilties' -chapter, and read about CBQ.init. +traffic shaping, skip everything and head to the chapter, and read about CBQ.init. - + Disclaimer & License @@ -161,7 +156,7 @@ your most esteemed customers - it's never our fault. Sorry. -Copyright (c) 2001 by bert hubert, Gregory Maxwell, Martijn van +Copyright (c) 2002 by bert hubert, Gregory Maxwell, Martijn van Oosterhout, Remco van Mook, Paul B. Schroeder and others. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently 
@@ -176,124 +171,97 @@ document maintainer. It is also requested that if you publish this HOWTO in hardcopy that you -send the authors some samples for 'review purposes' :-) +send the authors some samples for review purposes :-) - -Prior knowledge + + Prior knowledge -As the title implies, this is the 'Advanced' HOWTO. While by no means rocket -science, some prior knowledge is assumed. +As the title implies, this is the Advanced HOWTO. +While by no means rocket science, some prior knowledge is assumed. Here are some other references which might help teach you more: - -Rusty Russell's networking-concepts-HOWTO - - -Very nice introduction, explaining what a network is, and how it is -connected to other networks - - - -Linux Networking-HOWTO (Previously the Net-3 HOWTO) - - -Great stuff, although very verbose. It teaches you a lot of stuff that's -already configured if you are able to connect to the Internet. -Should be located in /usr/doc/HOWTO/NET3-4-HOWTO.txt + + + Rusty Russell's networking-concepts-HOWTO + + + Very nice introduction, explaining what a network is, and how it is + connected to other networks. + + + + + Linux Networking-HOWTO (Previously the Net-3 HOWTO) + + Great stuff, although very verbose. It teaches you a lot of stuff + that's already configured if you are able to connect to the Internet. + Should be located in /usr/doc/HOWTO/NET3-4-HOWTO.txt but can be also be found -online - + online. 
+ + - -What Linux can do for you + + What Linux can do for you A small list of things that are possible: - - - - -Throttle bandwidth for certain computers - + Throttle bandwidth for certain computers + - - -Throttle bandwidth TO certain computers - + Throttle bandwidth TO certain computers + - - -Help you to fairly share your bandwidth - + Help you to fairly share your bandwidth + - - -Protect your network from DoS attacks - + Protect your network from DoS attacks + - - -Protect the Internet from your customers - + Protect the Internet from your customers + - - -Multiplex several servers as one, for load balancing or -enhanced availability - + Multiplex several servers as one, for load balancing or + enhanced availability + - - -Restrict access to your computers - + Restrict access to your computers + - - -Limit access of your users to other hosts - + Limit access of your users to other hosts + - - -Do routing based on user id (yes!), MAC address, source IP -address, port, type of service, time of day or content - + Do routing based on user id (yes!), MAC address, source IP + address, port, type of service, time of day or content + - - - Currently, not many people are using these advanced features. This is for several reasons. While the provided documentation is verbose, it is not very @@ -302,8 +270,8 @@ hands-on. Traffic control is almost undocumented. - -Housekeeping notes + + Housekeeping notes There are several things which should be noted about this document. While I @@ -337,14 +305,12 @@ are not very common. - -Access, CVS & submitting updates + + Access, CVS & submitting updates -The canonical location for the HOWTO is here. +The canonical location for the HOWTO is +here. @@ -358,9 +324,7 @@ Furthermore, it allows the authors to work on the source independently, which is good too. - - - + $ export CVSROOT=:pserver:anon@outpost.ds9a.nl:/var/cvsroot $ cvs login CVS password: [enter 'cvs' (without 's)] 
@@ -369,34 +333,30 @@ cvs server: Updating 2.4routing U 2.4routing/2.4routing.sgml - - If you spot an error, or want to add something, just fix it locally, and run -cvs diff -u, and send the result off to us. +cvs diff -u, and send the result off to us. A Makefile is supplied which should help you create postscript, dvi, pdf, -html and plain text. You may need to install sgml-tools, ghostscript and -tetex to get all formats. +html and plain text. You may need to install +docbook, docbook-utils, +ghostscript and tetex +to get all formats. - -Mailing list + + Mailing list - The authors receive an increasing amount of mail about this HOWTO. Because of the clear interest of the community, it has been decided to start a mailinglist where people can talk to each other about Advanced Routing and Traffic Control. You can subscribe to the list -here. +here. @@ -408,8 +368,8 @@ the archive, and then post to the mailinglist. - -Layout of this document + + Layout of this document We will be doing interesting stuff almost immediately, which also means that 
@@ -422,48 +382,41 @@ Routing and filtering are two distinct things. Filtering is documented very well by Rusty's HOWTOs, available here: - - - - -Rusty's Remarkably Unreliable Guides - + + Rusty's Remarkably Unreliable Guides + - - - - -We will be focusing mostly on what is possible by combining netfilter and -iproute2. +We will be focusing mostly on what is possible by combining netfilter +and iproute2. - -Introduction to iproute2 + + Introduction to iproute2 - -Why iproute2? + + Why iproute2? Most Linux distributions, and most UNIX's, currently use the -venerable 'arp', 'ifconfig' and 'route' commands. While these tools work, -they show some unexpected behaviour under Linux 2.2 and up. For example, GRE -tunnels are an integral part of routing these days, but require completely -different tools. +venerable arp, ifconfig and +route commands. +While these tools work, they show some unexpected behaviour under Linux 2.2 +and up. +For example, GRE tunnels are an integral part of routing these days, but +require completely different tools. -With iproute2, tunnels are an integral part of the tool set. +With iproute2, tunnels are an integral part of +the tool set. @@ -490,8 +443,8 @@ previously beyond Linux's reach. - -iproute2 tour + + iproute2 tour Linux has a sophisticated system for bandwidth provisioning called Traffic @@ -505,20 +458,18 @@ We'll start off with a tiny tour of iproute2 possibilities. - -Prerequisites + + Prerequisites You should make sure that you have the userland tools installed. This package is called 'iproute' on both RedHat and Debian, and may otherwise be -found at ftp://ftp.inr.ac.ru/ip-routing/iproute2-2.2.4-now-ss??????.tar.gz". +found at ftp://ftp.inr.ac.ru/ip-routing/iproute2-2.2.4-now-ss??????.tar.gz". -You can also try here +You can also try +here for the latest version. 
@@ -539,26 +490,24 @@ own kernel. Iproute2 needs it. - -Exploring your current configuration + + Exploring your current configuration This may come as a surprise, but iproute2 is already configured! The current -commands ifconfig and route are already using the advanced +commands ifconfig and route are already using the advanced syscalls, but mostly with very default (ie. boring) settings. -The ip tool is central, and we'll ask it to display our interfaces +The ip tool is central, and we'll ask it to display our interfaces for us. -<Literal remap="tt">ip</Literal> shows us our links +<command>ip</command> shows us our links - - - + [ahu@home ahu]$ ip link list 1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 @@ -573,8 +522,6 @@ for us. - - Your mileage may vary, but this is what it shows on my NAT router at home. I'll only explain part of the output as not everything is directly @@ -609,11 +556,9 @@ ethernet interfaces. -<Literal remap="tt">ip</Literal> shows us our IP addresses + <command>ip</command> shows us our IP addresses - - - + [ahu@home ahu]$ ip address show 1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 @@ -630,8 +575,6 @@ ethernet interfaces. inet 212.64.94.251 peer 212.64.94.1/32 scope global ppp0 - - This contains more information. It shows all our addresses, and to which cards they belong. 'inet' stands for Internet (IPv4). There are lots of other @@ -673,7 +616,7 @@ become vital later on. -<Literal remap="tt">ip</Literal> shows us our routes + <command>ip</command> shows us our routes Well, we now know how to find 10.x.y.z addresses, and we are able to reach @@ -683,9 +626,7 @@ appears that 212.64.94.1 is willing to spread our packets around the world, and deliver results back to us. - - - + [ahu@home ahu]$ ip route show 212.64.94.1 dev ppp0 proto kernel scope link src 212.64.94.251 10.0.0.0/8 dev eth0 proto kernel scope link src 10.0.0.1 
@@ -693,11 +634,9 @@ world, and deliver results back to us. default via 212.64.94.1 dev ppp0 - - This is pretty much self explanatory. The first 4 lines of output explicitly -state what was already implied by ip address show, the last line +state what was already implied by ip address show, the last line tells us that the rest of the world can be found via 212.64.94.1, our default gateway. We can see that it is a gateway because of the word via, which tells us that we need to send packets to 212.64.94.1, and that it @@ -705,9 +644,10 @@ will take care of things. -For reference, this is what the old 'route' utility shows us: +For reference, this is what the old route utility shows us: + - + [ahu@home ahu]$ route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use @@ -718,21 +658,16 @@ Iface 0.0.0.0 212.64.94.1 0.0.0.0 UG 0 0 0 ppp0 - - - -ARP + + ARP ARP is the Address Resolution Protocol as described in -RFC 826. +RFC 826. ARP is used by a networked machine to resolve the hardware location/address of another machine on the same local network. Machines on the Internet are generally known by their names @@ -764,24 +699,21 @@ with bar until he (his arp cache) forgets where bar is (typically after Now let's see how this works. You can view your machines current arp/neighbor cache/table like so: + - + [root@espa041 /home/src/iputils]# ip neigh show 9.3.76.42 dev eth0 lladdr 00:60:08:3f:e9:f9 nud reachable 9.3.76.1 dev eth0 lladdr 00:06:29:21:73:c8 nud reachable - - As you can see my machine espa041 (9.3.76.41) knows where to find espa042 (9.3.76.42) and espagate (9.3.76.1). Now let's add another machine to the arp cache. - - - + [root@espa041 /home/paulsch/.gnome-desktop]# ping -c 1 espa043 PING espa043.austin.ibm.com (9.3.76.43) from 9.3.76.41 : 56(84) bytes of data. 64 bytes from 9.3.76.43: icmp_seq=0 ttl=255 time=0.9 ms 
@@ -796,8 +728,6 @@ round-trip min/avg/max = 0.9/0.9/0.9 ms 9.3.76.1 dev eth0 lladdr 00:06:29:21:73:c8 nud reachable - - As a result of espa041 trying to contact espa043, espa043's hardware address/location has now been added to the arp/neighbor cache. @@ -810,9 +740,7 @@ knows where to find espa043 and has no need to send an ARP request. Now let's delete espa043 from our arp cache: - - - + [root@espa041 /home/src/iputils]# ip neigh delete 9.3.76.43 dev eth0 [root@espa041 /home/src/iputils]# ip neigh show 9.3.76.43 dev eth0 nud failed @@ -820,8 +748,6 @@ Now let's delete espa043 from our arp cache: 9.3.76.1 dev eth0 lladdr 00:06:29:21:73:c8 nud stale - - Now espa041 has again forgotten where to find espa043 and will need to send another ARP request the next time he needs to communicate with espa043. @@ -835,8 +761,8 @@ machine. - -Rules - routing policy database + + Rules - routing policy database If you have a large router, you may well cater for the needs of different @@ -855,22 +781,20 @@ needs to be consulted. By default, there are three tables. The old 'route' tool modifies the main and local tables, as does the ip tool (by default). - -The default rules: +The default rules: + - + [ahu@home ahu]$ ip rule list 0: from all lookup local 32766: from all lookup main 32767: from all lookup default - - This lists the priority of all rules. We see that all rules apply to all packets ('from all'). We've seen the 'main' table before, it is output by -ip route ls, but the 'local' and 'default' table are new. +ip route ls, but the 'local' and 'default' table are new. @@ -883,8 +807,8 @@ For the exact semantics on what the kernel does when there are more matching rules, see Alexey's ip-cref documentation. - -Simple source policy routing + + Simple source policy routing Let's take a real example once again, I have 2 (actually 3, about time I 
@@ -900,10 +824,10 @@ The 'fast' cable modem is known as 212.64.94.251 and is a PPP link to 212.64.78.148 in this example and is a link to 195.96.98.253. - -The local table: +The local table: + - + [ahu@home ahu]$ ip route list table local broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1 local 10.0.0.1 dev eth0 proto kernel scope host src 10.0.0.1 @@ -916,17 +840,15 @@ local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1 local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1 - - Lots of obvious things, but things that need to be specified somewhere. Well, here they are. The default table is empty. - -Let's view the 'main' table: +Let's view the 'main' table: + - + [ahu@home ahu]$ ip route list table main 195.96.98.253 dev ppp2 proto kernel scope link src 212.64.78.148 212.64.94.1 dev ppp0 proto kernel scope link src 212.64.94.251 @@ -935,17 +857,13 @@ Let's view the 'main' table: default via 212.64.94.1 dev ppp0 - - We now generate a new rule which we call 'John', for our hypothetical house mate. Although we can work with pure numbers, it's far easier if we add our tables to /etc/iproute2/rt_tables. - - - + # echo 200 John >> /etc/iproute2/rt_tables # ip rule add from 10.0.0.10 table John # ip rule ls @@ -955,25 +873,24 @@ our tables to /etc/iproute2/rt_tables. 32767: from all lookup default - - Now all that is left is to generate John's table, and flush the route cache: + - + # ip route add default via 195.96.98.253 dev ppp2 table John # ip route flush cache - - And we are done. It is left as an exercise for the reader to implement this in ip-up. -Routing for multiple uplinks/providers + + + Routing for multiple uplinks/providers A common configuration is the following, in which there are two providers that connect a local network (or even a single machine) to the big Internet. 
@@ -1105,21 +1022,21 @@ There are usually two questions given this setup. - -GRE and other tunnels + + GRE and other tunnels There are 3 kinds of tunnels in Linux. There's IP in IP tunneling, GRE tunneling and tunnels that live outside the kernel (like, for example PPTP). - -A few general remarks about tunnels: + + A few general remarks about tunnels: Tunnels can be used to do some very unusual and very cool stuff. They can also make things go horribly wrong when you don't configure them right. Don't point your default route to a tunnel device unless you know -exactly what you are doing :-). Furthermore, tunneling increases +EXACTLY what you are doing :-). Furthermore, tunneling increases overhead, because it needs an extra set of IP headers. Typically this is 20 bytes per packet, so if the normal packet size (MTU) on a network is 1500 bytes, a packet that is sent through a tunnel can only be 1480 bytes big. @@ -1131,8 +1048,8 @@ both sides. - -IP in IP tunneling + + IP in IP tunneling This kind of tunneling has been available in Linux for a long time. It requires 2 kernel modules, @@ -1144,27 +1061,25 @@ Let's say you have 3 networks: Internal networks A and B, and intermediate netwo So we have network A: - - - + network 10.0.1.0 netmask 255.255.255.0 router 10.0.1.1 -The router has address 172.16.17.18 on network C. +The router has address 172.16.17.18 on network C. - -and network B: +and network B: + - + network 10.0.2.0 netmask 255.255.255.0 router 10.0.2.1 -The router has address 172.19.20.21 on network C. +The router has address 172.19.20.21 on network C. 
@@ -1172,49 +1087,48 @@ As far as network C is concerned, we assume that it will pass any packet sent from A to B and vice versa. You might even use the Internet for this. - -Here's what you do: +Here's what you do: - -First, make sure the modules are installed: +First, make sure the modules are installed: - - - + insmod ipip.o insmod new_tunnel.o -Then, on the router of network A, you do the following: +Then, on the router of network A, you do the following: + - + ifconfig tunl0 10.0.1.1 pointopoint 172.19.20.21 route add -net 10.0.2.0 netmask 255.255.255.0 dev tunl0 -And on the router of network B: +And on the router of network B: + - + ifconfig tunl0 10.0.2.1 pointopoint 172.16.17.18 route add -net 10.0.1.0 netmask 255.255.255.0 dev tunl0 -And if you're finished with your tunnel: +And if you're finished with your tunnel: + - + ifconfig tunl0 down -Presto, you're done. You can't forward broadcast or IPv6 traffic through +Presto, you're done. You can't forward broadcast or IPv6 traffic through an IP-in-IP tunnel, though. You just connect 2 IPv4 networks that normally wouldn't be able to talk to each other, that's all. As far as compatibility goes, this code has been around a long time, so it's compatible all the way back to 1.3 kernels. Linux IP-in-IP tunneling doesn't work with other Operating Systems or routers, as far as I know. It's simple, it works. Use it if you have to, otherwise use GRE. - -GRE tunneling + + GRE tunneling GRE is a tunneling protocol that was originally developed by Cisco, and it @@ -1240,7 +1154,7 @@ Let's say you have 3 networks: Internal networks A and B, and intermediate netwo So we have network A: - + network 10.0.1.0 netmask 255.255.255.0 router 10.0.1.1 @@ -1253,7 +1167,7 @@ Let's call this network neta (ok, hardly original) and network B: - + network 10.0.2.0 netmask 255.255.255.0 router 10.0.2.1 
@@ -1268,18 +1182,16 @@ As far as network C is concerned, we assume that it will pass any packet sent from A to B and vice versa. How and why, we do not care. - -On the router of network A, you do the following: +On the router of network A, you do the following: + - + ip tunnel add netb mode gre remote 172.19.20.21 local 172.16.17.18 ttl 255 ip link set netb up ip addr add 10.0.1.1 dev netb ip route add 10.0.2.0/24 dev netb - - Let's discuss this for a bit. In line 1, we added a tunnel device, and called it netb (which is kind of obvious because that's where we want it to @@ -1376,8 +1288,8 @@ GRE tunnels are currently the preferred type of tunneling. It's a standard that - -Userland tunnels + + Userland tunnels There are literally dozens of implementations of tunneling outside the kernel. Best known are of course PPP and PPTP, but there are lots more (some proprietary, some secure, some that don't even use IP) and that is really beyond the scope of this HOWTO. @@ -1387,7 +1299,7 @@ There are literally dozens of implementations of tunneling outside the kernel. B - + IPv6 tunneling with Cisco and/or 6bone @@ -1405,8 +1317,8 @@ GRE tunneling. You could tunnel IPv6 over IPv4 by means of GRE tunnel devices IPv6 over IPv4 and is therefore something different. - -IPv6 Tunneling + + IPv6 Tunneling This is another application of the tunneling capabilities of Linux. It is @@ -1595,16 +1507,15 @@ subnet notation works just like with regular IP adresses. Your IPv4 address is 145.100.24.181 and the 6bone router has IPv4 address 145.100.1.5 + - + # ip tunnel add sixbone mode sit remote 145.100.1.5 [local 145.100.24.181 ttl 255] # ip link set sixbone up # ip addr add 3FFE:604:6:7::2/126 dev sixbone # ip route add 3ffe::0/16 dev sixbone - - Let's discuss this. In the first line, we created a tunnel device called sixbone. We gave it mode sit (which is IPv6 in IPv4 tunneling) and told it 
@@ -1619,33 +1530,29 @@ through the tunnel. If the particular machine you run this on is your IPv6 gateway, then consider adding the following lines: - - - + # echo 1 >/proc/sys/net/ipv6/conf/all/forwarding # /usr/local/sbin/radvd + The latter, radvd is -like zebra- a router advertisement daemon, to support IPv6's autoconfiguration features. Search for it with your favourite search-engine if you like. You can check things like this: - - - + # /sbin/ip -f inet6 addr - - If you happen to have radvd running on your IPv6 gateway and boot your IPv6 capable Linux on a machine on your local LAN, you would be able to enjoy the benefits of IPv6 autoconfiguration: + - + # /sbin/ip -f inet6 addr 1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue inet6 ::1/128 scope host @@ -1655,8 +1562,6 @@ valid_lft forever preferred_lft 604646sec inet6 fe80::5054:4cff:fe01:e3d6/10 scope link - - You could go ahead and configure your bind for IPv6 addresses. The A type has an equivalent for IPv6: AAAA. The in-addr.arpa's equivalent is: @@ -1698,15 +1603,14 @@ web interface. Search for "ipv6 tunnel broker" on your favourite search engine. - + IPsec: secure IP over the Internet FIXME: editor vacancy. -In the meantime, see: The FreeS/WAN project. Another IPSec implementation for Linux is Cerberus, +In the meantime, see: + The FreeS/WAN project. +Another IPSec implementation for Linux is Cerberus, by NIST. However, their web pages have not been updated in over a year, and their version tended to trail well behind the current Linux kernel. USAGI, an alternative IPv6 implementation for Linux, also includes an @@ -1715,7 +1619,7 @@ IPSec implementation, but that might only be for IPv6. - + Multicast routing @@ -1814,7 +1718,7 @@ that you have two networks to route between. - + Queueing Disciplines for Bandwidth Management 
@@ -1827,36 +1731,32 @@ dedicated bandwidth management systems. Linux even goes far beyond what Frame and ATM provide. - -Just to prevent confusion, tc uses the following rules for bandwith -specification: - - +Just to prevent confusion, tc uses the following +rules for bandwith specification: + mbps = 1024 kbps = 1024 * 1024 bps => byte/s mbit = 1024 kbit => kilo bit/s. mb = 1024 kb = 1024 * 1024 b => byte mbit = 1024 kbit => kilo bit. - + Internally, the number is stored in bps and b. - -But when tc prints the rate, it uses following : +But when tc prints the rate, it uses following : + - + 1Mbit = 1024 Kbit = 1024 * 1024 bps => bit/s - + - - - -Queues and Queueing Disciplines explained + + Queues and Queueing Disciplines explained -With queueing we determine the way in which data is sent. It is -important to realise that we can only shape data that we transmit. +With queueing we determine the way in which data is SENT. +It is important to realise that we can only shape data that we transmit. @@ -1898,8 +1798,8 @@ be the slowest link in the chain. Luckily this is easily possible. - -Simple, classless Queueing Disciplines + + Simple, classless Queueing Disciplines As said, with queueing disciplines, we change the way data is sent. @@ -2128,14 +2028,6 @@ and is then deleted from the bucket. Associating this algorithm with the two flows -- token and data, gives us three possible scenarios: - - -To use the TBF, make sure that you have compiled TBF support (under -networking options -> QoS & fair queueing -> TBF queue) in the linux -kernel, to make the token bucket filter work. - - - @@ -2440,8 +2332,8 @@ reconfigured. - -Advice for when to use which queue + + Advice for when to use which queue Summarizing, these are the simple queues that actually manage traffic by 
@@ -2450,14 +2342,12 @@ reordering, slowing or dropping packets. The following tips may help in chosing which queue to use. It mentions some -qdiscs described in the 'Advanced & less common queueing disciplines'. +qdiscs described in the + chapter. - - - To purely slow down outgoing traffic, use the Token Bucket Filter. Works up to huge bandwidths, if you scale the bucket. @@ -2502,23 +2392,19 @@ internal bands but does account the size of its backlog. - -Finally - you can also do 'social shaping'. You may not always be able to -use technology to achieve what you want. Users experience technical -constraints as hostile. A kind word may also help with getting your -bandwidth to be divided right! +Finally - you can also do social shaping. +You may not always be able to use technology to achieve what you want. +Users experience technical constraints as hostile. +A kind word may also help with getting your bandwidth to be divided right! - - - - -Terminology + + Terminology To properly understand more complicated configurations it is necessary to @@ -2528,9 +2414,13 @@ mean the same thing. -The following is loosely based on draft-ietf-diffserv-model-06.txt, 'An -Informal Management Model for Diffserv Routers'. It can currently be found -at http://www.ietf.org/internet-drafts/draft-ietf-diffserv-model-06.txt. +The following is loosely based on +draft-ietf-diffserv-model-06.txt, +An Informal Management Model for Diffserv Routers. +It can currently be found at + + http://www.ietf.org/internet-drafts/draft-ietf-diffserv-model-06.txt +. @@ -2645,7 +2535,7 @@ are. - + Userspace programs ^ | @@ -2713,8 +2603,8 @@ Each network adaptor has both ingress and egress hooks. - -Classful Queueing Disciplines + + Classful Queueing Disciplines Classful qdiscs are very useful if you have different kinds of traffic which 
@@ -3721,8 +3611,8 @@ internally, we get fairness thrown in for free! - -Classifying packets with filters + + Classifying packets with filters To determine which class shall process a packet, the so-called 'classifier @@ -3730,10 +3620,10 @@ chain' is called each time a choice needs to be made. This chain consists of all filters attached to the classful qdisc that needs to decide. - -To reiterate the tree, which is not a tree: +To reiterate the tree, which is not a tree: + - + root 1: | _1:1_ @@ -3745,8 +3635,6 @@ To reiterate the tree, which is not a tree: 10:1 10:2 12:1 12:2 - - When enqueueing a packet, at each branch the filter chain is consulted for a relevant instruction. A typical setup might be to have a filter in 1:1 that @@ -3929,7 +3817,7 @@ For more filtering commands, see the Advanced Filters chapter. - + The Intermediate queueing device (IMQ) @@ -4053,7 +3941,7 @@ URL="http://luxik.cdi.cz/~patrick/imq/" - + Loadsharing over multiple interfaces @@ -4161,8 +4049,8 @@ the special case where network 1 is your network at home, and network 2 is the Internet, Router A should make 10.0.0.5 its default gateway. - -Caveats + + Caveats Nothing is as easy as it seems. eth1 and eth2 on both router A and B need to @@ -4199,7 +4087,7 @@ However, for lots of applications, link loadbalancing is a great idea. - + Netfilter & iproute - marking packets @@ -4306,20 +4194,22 @@ kernel: IP: advanced router (CONFIG_IP_ADVANCED_ROUTER) [Y/n/?] - IP: policy routing (CONFIG_IP_MULTIPLE_TABLES) [Y/n/?] - IP: use netfilter MARK value as routing key (CONFIG_IP_ROUTE_FWMARK) [Y/n/?] +IP: policy routing (CONFIG_IP_MULTIPLE_TABLES) [Y/n/?] +IP: use netfilter MARK value as routing key (CONFIG_IP_ROUTE_FWMARK) [Y/n/?] -See also the Squid bit in the Cookbook. +See also the in the +. - -Advanced filters for (re-)classifying packets + + Advanced filters for (re-)classifying packets As explained in the section on classful queueing disciplines, filters are 
@@ -4429,8 +4319,8 @@ configured on 1: and that the class you want to send the selected traffic to is 1:1. - -The "u32" classifier + + The <option>u32</option> classifier The U32 filter is the most advanced filter available in the current @@ -4712,8 +4602,8 @@ the protocol and end up with the following rule: - -The "route" classifier + + The <option>route</option> classifier This classifier filters based on the results of the routing tables. When a @@ -4805,8 +4695,8 @@ Here the filter specifies that packets from the subnetwork 192.168.2.0 - -Policing filters + + Policing filters To make even more complicated setups possible, you can have filters that @@ -4976,7 +4866,7 @@ FIXME: if you have used this, please share your experience with us - + Hashing filters for very fast massive filtering @@ -5114,7 +5004,7 @@ where each chain contains 1 filter! - + Kernel network parameters @@ -5140,8 +5030,9 @@ features are explained there. (FIXME) - -Reverse Path Filtering + + Reverse Path Filtering By default, routers route everything, even packets which 'obviously' don't @@ -5168,7 +5059,7 @@ interfaces. # for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do -> echo 1 > $i +> echo 2 > $i > done @@ -5212,8 +5103,8 @@ FIXME: is setting the conf/{default,all}/* files enough? - martijn - -Obscure settings + + Obscure settings Ok, there are a lot of parameters which can be modified. We try to list them @@ -5410,7 +5301,8 @@ default, 1024 to 4999. Set this if you want to disable Path MTU discovery - a technique to determine the largest Maximum Transfer Unit possible on your path. See also -the section on Path MTU discovery in the cookbook chapter. +the section on Path MTU discovery in the + chapter. @@ -5716,7 +5608,8 @@ Enable or disable IP forwarding on this interface. /proc/sys/net/ipv4/conf/DEV/log_martians -See the section on reverse path filters. +See the section on +. 
@@ -5741,7 +5634,8 @@ operates on ARP queries! /proc/sys/net/ipv4/conf/DEV/rp_filter -See the section on reverse path filters. +See the section on +. @@ -6055,16 +5949,16 @@ this has been stopped, because the load or number limit has been reached. - -Advanced & less common queueing disciplines + + Advanced & less common queueing disciplines Should you find that you have needs not addressed by the queues mentioned earlier, the kernel contains some other more specialized queues mentioned here. - -bfifo/pfifo + + <literal>bfifo</literal>/<literal>pfifo</literal> These classless queues are even simpler than pfifo_fast in that they lack @@ -6100,18 +5994,19 @@ packets long or txqueuelen*mtu bytes for bfifo. - -Clark-Shenker-Zhang algorithm (CSZ) + + Clark-Shenker-Zhang algorithm (CSZ) This is so theoretical that not even Alexey (the main CBQ author) claims to understand it. From his source: +
-"David D. Clark, Scott Shenker and Lixia Zhang -Supporting Real-Time Applications in an Integrated Services Packet -Network: Architecture and Mechanism. +David D. Clark, Scott Shenker and Lixia Zhang +Supporting Real-Time Applications in an Integrated Services Packet +Network: Architecture and Mechanism. @@ -6140,57 +6035,48 @@ randomize jitter." Does not currently seem like a good canidate to use, unless you've read and understand the article mentioned. +
- -DSMARK - - -Esteve Camps Chust <marvin@grn.es> - -This text is an extract from my thesis on "QoS Support in Linux", September 2000. + + DSMARK - - - -Source documents: + + + EsteveCamps +
marvin@grn.es
+ This text is an extract from my thesis on + QoS Support in Linux, September 2000. +
+
+Source documents: + - - -Draft-almesberger-wajhak-diffserv-linux-01.txt. - + + + Draft-almesberger-wajhak-diffserv-linux-01.txt. + - - -Examples in iproute2 distribution. - + Examples in iproute2 distribution. + - - -White Paper-QoS protocols and architectures and -IP QoS Frequently Asked Questions both by Quality of Service Forum. - + + + White Paper-QoS protocols and architectures and + + IP QoS Frequently Asked Questions both by + Quality of Service Forum. + - -
- This chapter was written by Esteve Camps <esteve@hades.udg.es>. @@ -6200,13 +6086,11 @@ This chapter was written by Esteve Camps <esteve@hades.udg.es>. First of all, first of all, it would be a great idea for you to read RFCs -written about this (RFC2474, RFC2475, RFC2597 and RFC2598) at IETF DiffServ working Group web site and Werner Almesberger web site +written about this (RFC2474, RFC2475, RFC2597 and RFC2598) at + + IETF DiffServ working Group web site and + + Werner Almesberger web site (he wrote the code to support Differentiated Services on Linux). @@ -6566,11 +6450,10 @@ I would thank you tell me if I'm wrong in any point.
- -Ingress qdisc + + Ingress qdisc - All qdiscs discussed so far are egress qdiscs. Each interface however can also have an ingress qdisc which is not used to send packets out to the network adaptor. Instead, it allows you to apply tc filters to @@ -6610,8 +6493,8 @@ Cookbook. - -Random Early Detection (RED) + + Random Early Detection (RED) This section is meant as an introduction to backbone routing, which often @@ -6709,18 +6592,16 @@ information. - + Generic Random Early Detection Not a lot is known about GRED. It looks like GRED with several internal queues, whereby the internal queue is chosen based on the Diffserv tcindex -field. According to a slide found here, it contains -the capabilities of Cisco's 'Distributed Weighted RED', as well as Dave -Clark's RIO. +field. According to a slide found +here, +it contains the capabilities of Cisco's 'Distributed Weighted RED', as well +as Dave Clark's RIO. @@ -6733,8 +6614,8 @@ FIXME: get Jamal or Werner to tell us more - -VC/ATM emulation + + VC/ATM emulation This is quite a major effort by Werner Almesberger to allow you to build @@ -6751,8 +6632,8 @@ URL="http://linux-atm.sourceforge.net/" - -Weighted Round Robin (WRR) + + Weighted Round Robin (WRR) This qdisc is not included in the standard kernels but can be downloaded from @@ -6791,8 +6672,9 @@ relevant behavior for such a site is a central part of the WRR distribution.
- -Cookbook + + Cookbook This section contains 'cookbook' entries which may help you solve problems. @@ -6800,7 +6682,7 @@ A cookbook is no replacement for understanding however, so try and comprehend what is going on. - + Running multiple sites with different SLAs @@ -6887,8 +6769,9 @@ somewhere? - -Protecting your host from SYN floods + + Protecting your host from SYN floods From Alexey's iproute documentation, adapted to netfilter and with more @@ -6964,8 +6847,8 @@ $TC filter ls dev $INDEV parent ffff: - -Ratelimit ICMP to prevent dDoS + + Ratelimit ICMP to prevent dDoS Recently, distributed denial of service attacks have become a major nuisance @@ -7041,7 +6924,7 @@ class: - + Prioritizing interactive traffic @@ -7133,11 +7016,12 @@ with netfilter. On your local box: - -Transparent web-caching using netfilter, iproute2, ipchains and squid + + Transparent web-caching using <application>netfilter</application>, + <application>iproute2</application>, <application>ipchains</application> and + <application>squid</application> - This section was sent in by reader Ram Narula from Internet for Education (Thailand). @@ -7429,9 +7313,7 @@ it's the line with 10.0.0.0/24) Traffic flow diagram after implementation - - - + |-----------------------------------------| |Traffic flow diagram after implementation| @@ -7453,8 +7335,6 @@ naret silom || - - Note that the network is asymmetric as there is one extra hop on general outgoing path. @@ -7481,7 +7361,7 @@ incoming data from Internet->donmuang->kaosarn - + Circumventing Path MTU Discovery issues with per route MTU settings @@ -7538,10 +7418,7 @@ MTU discovery by setting it manually. Koos van den Hout, slightly edited, writes: - - - - +
The following problem: I set the mtu/mru of my leased line running ppp to 296 because it's only 33k6 and I cannot influence the queueing on the @@ -7580,23 +7457,18 @@ mtu of the outside link. But I want local ethernet traffic to have the normal mtu (for things like nfs traffic). - -Solution: +Solution: + - + ip route add default via 10.0.0.1 mtu 296 - - (10.0.0.1 being the default gateway, the inside address of the masquerading router) - - - - +
In general, it is possible to override PMTU Discovery by setting specific @@ -7604,21 +7476,17 @@ routes. For example, if only a certain subnet is giving problems, this should help: - - - + ip route add 195.96.96.0/24 via 10.0.0.1 mtu 1000 - -
- -Circumventing Path MTU Discovery issues with MSS Clamping (for ADSL, -cable, PPPoE & PPtP users) + + Circumventing Path MTU Discovery issues with MSS Clamping + (for ADSL, cable, PPPoE & PPtP users) As explained above, Path MTU Discovery doesn't work as well as it should @@ -7680,7 +7548,7 @@ voice calls. - + The Ultimate Traffic Conditioner: Low Latency, Fast Up & Downloads @@ -8069,8 +7937,8 @@ If the last two lines give an error, update your tc tool to a newer version!
- -Building bridges, and pseudo-bridges with Proxy ARP + + Building bridges, and pseudo-bridges with Proxy ARP Bridges are devices which can be installed in a network without any @@ -8102,17 +7970,11 @@ change anything' is doing the right thing. The Linux 2.4/2.5 bridge is documented on +this page. - -this page. - - - -State of bridging and iptables + + State of bridging and iptables As of Linux 2.4.14, bridging and iptables do not 'see' each other without @@ -8131,8 +7993,8 @@ people if and how the patch can be merged, stay tuned! - -Bridging and shaping + + Bridging and shaping This does work as advertised. Be sure to figure out which side each @@ -8142,8 +8004,8 @@ internal interface, which won't work. Use tcpdump if needed. - -Pseudo-bridges with Proxy-ARP + + Pseudo-bridges with Proxy-ARP If you just want to implement a Pseudo-bridge, skip down a few sections @@ -8299,8 +8161,8 @@ is *vital* that you check your netmasks! - -Dynamic routing - OSPF and BGP + + Dynamic routing - OSPF and BGP Once your network starts to get really big, or you start to consider 'the @@ -8310,8 +8172,9 @@ popping up all the time. -The Internet has mostly standardised on OSPF and BGP4 (rfc1771). Linux -supports both, by way of gated and zebra +The Internet has mostly standardised on OSPF and BGP4 (rfc1771). +Linux supports both, by way of gated and +zebra @@ -8378,8 +8241,9 @@ to the configuration language in Zebra :-) - -Other possibilities + + Other possibilities This chapter is a list of projects having to do with advanced Linux routing @@ -8599,8 +8463,8 @@ latency. - -Further reading + + Further reading @@ -8712,7 +8576,7 @@ well. - + Acknowledgements 
@@ -8725,155 +8589,150 @@ helping. - - - -Dave Aaldering <dave%puddingonline.com> - - - - - - - -Juanjo Alins <juanjo%mat.upc.es> - - - - - - -Joe Van Andel - - - - - - -Michael T. Babcock <mbabcock@fibrespeed.net> - - - - - -Ard van Breemen <ard%kwaak.net> - - - - - -Ron Brinker <service%emcis.com> - - - - - -?ukasz Bromirski <L.Bromirski@prosys.com.pl> - - - - - -Lennert Buytenhek <buytenh@gnu.org> - - - - - -Esteve Camps <esteve@hades.udg.es> - - - - - -Stef Coene <stef.coene@docum.org> - - - - - -Don Cohen <don-lartc%isis.cs3-inc.com> - - - - - -Jonathan Corbet <lwn%lwn.net> - - - - - -Gerry Creager N5JXS <gerry%cs.tamu.edu> - - - - - -Marco Davids <marco@sara.nl> - - - - - -Jonathan Day <jd9812@my-deja.com> - - - - - -Martin Devera aka devik <devik@cdi.cz> - - - - - -Stephan "Kobold" Gehring <Stephan.Gehring@bechtle.de> - - - - - -Jacek Glinkowski <jglinkow%hns.com> - - - - - -Andrea Glorioso <sama%perchetopi.org> - - - - - -Nadeem Hasan <nhasan@usa.net> - - - - - -Erik Hensema <erik%hensema.xs4all.nl> - - - - - -Vik Heyndrickx <vik.heyndrickx@edchq.com> - - - - - -Spauldo Da Hippie <spauldo%usa.net> - - - - - -Koos van den Hout <koos@kzdoos.xs4all.nl> - - - + + + + + JuanjoAlins +
juanjo@mat.upc.es
+
+
+ + + JoeVan Andel + + + + + MichaelT. + Babcock +
mbabcock@fibrespeed.net
+
+
+ + + Ardvan Breemen +
ard%kwaak.net
+
+
+ + + RonBrinker +
service%emcis.com
+
+
+ + + ?ukaszBromirski +
L.Bromirski@prosys.com.pl
+
+
+ + + LennertBuytenhek +
buytenh@gnu.org
+
+
+ + + EsteveCamps +
esteve@hades.udg.es
+
+
+ + + StefCoene +
stef.coene@docum.org
+
+
+ + + DonCohen +
don-lartc%isis.cs3-inc.com
+
+
+ + + JonathanCorbet +
lwn%lwn.net
+
+
+ + + GerryCreager + N5JXS +
gerry%cs.tamu.edu
+
+
+ + + MarcoDavids +
marco@sara.nl
+
+
+ + + JonathanDay +
jd9812@my-deja.com
+
+
+ + + MartinDevera + aka devik +
devik@cdi.cz
+
+
+ + + Stephan"Kobold" + Gehring +
Stephan.Gehring@bechtle.de
+
+
+ + + JacekGlinkowski +
jglinkow%hns.com
+
+
+ + + AndreaGlorioso +
sama%perchetopi.org
+
+
+ + + NadeemHasan +
nhasan@usa.net
+
+
+ + + ErikHensema +
erik%hensema.xs4all.nl
+
+
+ + + VikHeyndrickx +
vik.heyndrickx@edchq.com
+
+
+ + + SpauldoDa Hippie +
spauldo%usa.net
+
+
+ + + Koosvan den Hout +
koos@kzdoos.xs4all.nl
+
+
+ Stefan Huelbrock <shuelbrock%datasystems.de> @@ -9090,13 +8949,6 @@ Nick Silberstein <nhsilber%yahoo.com> -Dragan Simic <dsimic%oracle.urc.bl.ac.yu> - - - - - - Konrads Smelkov <konrads@interbaltika.com> @@ -9106,15 +8958,8 @@ Konrads Smelkov <konrads@interbaltika.com> Andreas Steinmetz <ast%domdv.de> - - - - -Olli Suihkonen <olli.suihkonen%micsom.com> - - - + Jason Tackaberry <tack@linux.com> @@ -9142,18 +8987,8 @@ Tea Sponsor: Eric Veldhuyzen <eric%terra.nu> Song Wang <wsong@ece.uci.edu> - - - - -Tijs Zwinkels <tijszwinkels%home.nl> - - - - -
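Review bot: In hunk @@ -5168,7 +5059,7 @@ the value written to every /proc/sys/net/ipv4/conf/*/rp_filter changes from 1 to 2, but no sentence in the hunk or in the surrounding Reverse Path Filtering text changes with it, so a reader copying the loop cannot tell what 2 selects or why it differs from 1. Either add a sentence stating what the value 2 means on the kernels this document covers, or keep `echo 1 > $i`; the unchanged `FIXME: is setting the conf/{default,all}/* files enough?` in the next hunk is also still open and should be resolved if these values are being revisited.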
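Review bot: In hunk @@ -4306,20 +4194,22 @@ the sentence `See also the Squid bit in the Cookbook.` is replaced by `See also the in the .`, so all of its content is now generated from cross-references and the words `Squid` and `Cookbook` disappear from the text. That only renders correctly if every referenced id exists and its target carries a title, so verify the ids; the same check applies to the `See the section on .` replacements in @@ -5716,7 +5608,8 @@ and @@ -5741,7 +5634,8 @@ and to the Path MTU reference in @@ -5410,7 +5301,8 @@. Consider keeping a word such as `Squid` in the sentence so it still reads sensibly if the target's title changes.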
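Review bot: In hunk @@ -4429,8 +4319,8 @@ the title becomes `The <option>u32</option> classifier` and @@ -4712,8 +4602,8 @@ does the same for `route`, while @@ -6055,16 +5949,16 @@ marks `bfifo`/`pfifo` with `<literal>`. Use one element for qdisc and classifier names throughout; `<literal>` is the better fit, since `<option>` denotes a command-line option rather than the name of a classifier or queue.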
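Review bot: In hunk @@ -6100,18 +5994,19 @@ the opening double quote before `David D. Clark, Scott Shenker and Lixia Zhang` is removed as the citation is turned into a block quote, but the matching closing quote after `randomize jitter.` (visible as the unchanged context in the header of the following hunk) is left in place; remove it as well so the quotation is not half-marked.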
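Review bot: In hunk @@ -6140,57 +6035,48 @@ the new DSMARK author block gives Esteve Camps the address marvin@grn.es, while the retained context line below, `This chapter was written by Esteve Camps <esteve@hades.udg.es>.`, gives a different address for the same person. Decide which address is current and drop or align the other so the chapter does not list two; while touching this hunk, the context line `Does not currently seem like a good canidate` has a typo (candidate).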
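Review bot: In hunk @@ -6200,13 +6086,11 @@ the context line `First of all, first of all, it would be a great idea for you to read RFCs` repeats its opening phrase; since this paragraph is being rewrapped for the new link markup anyway, drop the duplicate.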
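Review bot: In hunk @@ -8725,155 +8589,150 @@ the removed block begins with `Dave Aaldering <dave%puddingonline.com>` but the new structured list begins with Juanjo Alins, so Dave Aaldering's entry is dropped rather than converted; restore it. Two smaller points in the same hunk: the first name `?ukasz` (Bromirski) still carries the `?` that replaced a lost non-ASCII letter, and the converted entry should use the proper character entity for it; and the addresses mix plain `@` with spam-obfuscated `%` (`ard%kwaak.net` and `service%emcis.com` next to `buytenh@gnu.org`), which should be made consistent now that each address sits in its own field.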
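Review bot: Hunks @@ -9090,13 +8949,6 @@, @@ -9106,15 +8958,8 @@ and @@ -9142,18 +8987,8 @@ delete the entries for Dragan Simic, Olli Suihkonen and Tijs Zwinkels without any replacement visible in the diff, and the converted list in the earlier hunk stops at Koos van den Hout, so these three contributors appear to be lost; if they were moved elsewhere that move should appear in the patch, otherwise restore them.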
-- 2.11.4.GIT