tc traffic limiting/shaping/throttling/policing issue with IPv6 on Linux

I have found an interesting issue: I am not getting proper limiting of IPv4 traffic, but IPv6 traffic is limited perfectly.

This doesn't make much sense to me, since I have read this: http://lartc.org/howto/lartc.adv-filter.ipv6.html

I have reduced it to the following bash script to do the limiting:

#!/bin/bash
set -x

DOWNLINK=375
UPLINK=375
DEV=eth0

# clean existing down- and uplink qdiscs
tc qdisc del dev $DEV root
tc qdisc del dev $DEV ingress

###### uplink
tc qdisc add dev $DEV root handle 1: htb default 20

# Add the classes
tc class add dev $DEV parent 1: classid 1:1 htb rate ${UPLINK}kbps ceil ${UPLINK}kbps
tc class add dev $DEV parent 1:1 classid 1:10 htb rate ${UPLINK}kbps ceil ${UPLINK}kbps prio 1
tc class add dev $DEV parent 1:1 classid 1:20 htb rate $[9*$UPLINK/10]kbps ceil ${UPLINK}kbps prio 2

# both get Stochastic Fairness:
tc qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10

# TOS Minimum Delay gets higher prio (interactive traffic, ie ssh)
tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
      match ip tos 0x10 0xff  flowid 1:10

# ICMP (ip protocol 1) in the interactive class 1:10 so we 
# can do measurements & impress our friends:
tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
    match ip protocol 1 0xff flowid 1:10

# Add ack packets to the prio queue
tc filter add dev $DEV parent 1: protocol ip prio 10 u32 \
   match ip protocol 6 0xff \
   match u8 0x05 0x0f at 0 \
   match u16 0x0000 0xffc0 at 2 \
   match u8 0x10 0xff at 33 \
   flowid 1:10

########## downlink #############
# attach ingress policer:
tc qdisc add dev $DEV handle ffff: ingress

# filter *everything* to it (0.0.0.0/0), drop everything that's
# coming in too fast:
tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
   0.0.0.0/0 police rate ${DOWNLINK}kbps burst 10k drop flowid :1

This is the original script I was using, but I could not get it to work properly:

#!/bin/bash
set -x

#start over
tc qdisc del dev eth0 handle ffff: ingress
tc qdisc del dev eth0 root

tc qdisc add dev eth0 root handle 1: htb default 30

tc class add dev eth0 parent 1: classid 1:1 htb rate 375kbps ceil 375kbps

#This is for ports 22, 80, 873 and 3400
tc class add dev eth0 parent 1:1 classid 1:22 htb rate 50kbps
tc class add dev eth0 parent 1:1 classid 1:80 htb rate 1kbps ceil 50kbps
tc class add dev eth0 parent 1:1 classid 1:873 htb rate 1kbps ceil 50kbps
tc class add dev eth0 parent 1:1 classid 1:3400 htb rate 25kbps ceil 50kbps

# My default
tc class add dev eth0 parent 1:1 classid 1:30 htb rate 25kbps ceil 25kbps

tc qdisc add dev eth0 parent 1:22 handle 22: sfq perturb 10
tc qdisc add dev eth0 parent 1:80 handle 80: sfq perturb 10
tc qdisc add dev eth0 parent 1:873 handle 873: sfq perturb 10
tc qdisc add dev eth0 parent 1:3400 handle 3400: sfq perturb 10
tc qdisc add dev eth0 parent 1:30 handle 40: sfq perturb 10


# Port 80, 873, 3400 and 22 traffic
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip sport 80 0xffff flowid 1:80
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip sport 873 0xffff flowid 1:873
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip sport 3400 0xffff flowid 1:3400
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip sport 22 0xffff flowid 1:22

tc qdisc add dev eth0 handle ffff: ingress
tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 375kbps burst 10k drop flowid :1

Funnily enough, I find that both of them work, but ONLY for IPv6 connections. IPv4 continues to be unrestricted.

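Interestingly, the IPv4 traffic does show up in tc -s -d qdisc show dev eth0; it just is not shaped or rate limited. (Except for ingress traffic, which is rate limited perfectly.)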

I just wanted to make this clear, because most people have the opposite problem.

Linux myserver.com 2.6.18-194.32.1.el5 #1 SMP Wed Jan 5 17:52:25 EST 2011 x86_64 x86_64 x86_64 GNU/Linux

I am running a dual stack of IPv4 and IPv6, and I need both to be active.

Any suggestions or help on how to get this working at least for IPv4 (preferably for both)?

Answer 1

tc -s -d -r filter show dev eth0 may shed more light on which filters are matching.
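One way to read the counters that the command in the answer prints, as an added example that is not part of the original question or answer. It assumes a kernel built with u32 performance counters, so that -s prints "(rule hit N success M)" for each filter; the function names summarize_filters and sample_output are hypothetical and the sample output is constructed, not taken from the asker's machine.

```shell
#!/bin/bash
# Summarise u32 filter counters from `tc -s filter show` output on stdin.
# Output columns: <protocol> <flowid> <hit> <success> <verdict>
#   never-evaluated    : no packet ever reached this filter
#   evaluated-no-match : packets reached it but no key matched
#   matching           : at least one packet was classified by it
summarize_filters() {
  awk '
    /^filter / && /rule hit/ {
      proto = ""; flow = ""; hit = 0; succ = 0
      for (i = 1; i < NF; i++) {
        if ($i == "protocol") proto = $(i + 1)
        if ($i == "flowid")   flow  = $(i + 1)
        if ($i == "hit")      hit   = $(i + 1) + 0
        if ($i == "success")  succ  = $(i + 1) + 0   # "310)" coerces to 310
      }
      if (hit == 0)       verdict = "never-evaluated"
      else if (succ == 0) verdict = "evaluated-no-match"
      else                verdict = "matching"
      print proto, flow, hit, succ, verdict
    }'
}

# Constructed sample in the layout iproute2 prints for u32 filters.
# The keys are source ports 80, 873 and 22 (0x0050, 0x0369, 0x0016).
sample_output() {
  cat <<'EOF'
filter parent 1: protocol ip pref 1 u32
filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:80  (rule hit 5120 success 0)
  match 00500000/ffff0000 at 20 (success 0 )
filter parent 1: protocol ip pref 1 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 1:873  (rule hit 5120 success 0)
  match 03690000/ffff0000 at 20 (success 0 )
filter parent 1: protocol ip pref 1 u32 fh 800::802 order 2050 key ht 800 bkt 0 flowid 1:22  (rule hit 5120 success 310)
  match 00160000/ffff0000 at 20 (success 310 )
EOF
}

# On a live system: tc -s -d -r filter show dev eth0 | summarize_filters
sample_output | summarize_filters
```

A filter reported as evaluated-no-match is seeing packets of its protocol but its keys never match them; one reported as never-evaluated is not being reached at all.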
