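This is my simple tc script. It limits bandwidth by source IP address and uses hash filters based on the /24 subnet. This example filter works, but only when the example subnet 10.118.0.0/24 is attached to the physical interface eth1. When I move this subnet to a VLAN interface (for example eth1.100), traffic limiting stops working properly.
So this scenario works:
(PC 10.118.0.35 eth0)--- (SW)--- (eth1 ip 10.118.0.1 - NAT - eth0)--- Internet
But this one does not:
(PC 10.118.0.35 eth0)---(vlan 100 access - SW - vlan 100 trunk)---(eth1.100 ip 10.118.0.1 - NAT - eth0)--- Internet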
#!/bin/bash
#UPLOAD
tc qdisc del root dev ifb1
tc qdisc add dev eth1 handle ffff: ingress
tc filter add dev eth1 parent ffff: u32 match u32 0 0 action mirred egress redirect dev ifb1
tc qdisc add dev ifb1 root handle 1: prio bands 2 priomap 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
tc qdisc add dev ifb1 parent 1:1 handle 10: sfq
tc filter add dev ifb1 parent 1:0 protocol ip prio 1 u32 match ip dst 10.90.0.0/16 flowid 1:1
tc qdisc add dev ifb1 parent 1:2 handle 20:0 htb
tc class add dev ifb1 parent 20:0 classid 20:1 htb rate 1024000kbit ceil 1024000kbit
tc class add dev ifb1 parent 20:1 classid 20:100 htb rate 51200kbit ceil 204800kbit
tc qdisc add dev ifb1 parent 20:100 sfq
tc class add dev ifb1 parent 20:1 classid 20:110 htb rate 972800kbit ceil 1013760kbit
tc filter add dev ifb1 parent 20:0 prio 1 handle 11: protocol ip u32 divisor 256
tc filter add dev ifb1 protocol ip parent 20:0 prio 5 u32 ht 800:: match ip src 10.118.0.0/24 hashkey mask 0x000000ff at 12 link 11:
tc class add dev ifb1 parent 20:110 classid 20:03E8 htb rate 1024kbit ceil 1024kbit
tc qdisc add dev ifb1 parent 20:03E8 handle 03E8 cake diffserv4
tc filter add dev ifb1 protocol ip parent 20:0 prio 200 u32 ht 11:23: match ip src 10.118.0.35 flowid 20:03E8
#DOWNLOAD
tc qdisc del root dev eth1
tc qdisc add dev eth1 root handle 1: prio bands 2 priomap 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
tc qdisc add dev eth1 parent 1:1 handle 10: sfq
tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32 match ip src 10.90.0.0/16 flowid 1:1
#qdisc add dev eth1 parent 1:2 handle 20:0 hfsc default 100
tc qdisc add dev eth1 parent 1:2 handle 20:0 htb
tc class add dev eth1 parent 20:0 classid 20:1 htb rate 1024000kbit ceil 1024000kbit
tc class add dev eth1 parent 20:1 classid 20:100 htb rate 51200kbit ceil 204800kbit
tc qdisc add dev eth1 parent 20:100 sfq
tc class add dev eth1 parent 20:1 classid 20:110 htb rate 972800kbit ceil 1013760kbit
tc filter add dev eth1 parent 20:0 prio 1 handle 11: protocol ip u32 divisor 256
tc filter add dev eth1 protocol ip parent 20:0 prio 5 u32 ht 800:: match ip dst 10.118.0.0/24 hashkey mask 0x000000ff at 16 link 11:
tc class add dev eth1 parent 20:110 classid 20:03E8 htb rate 1024kbit ceil 1024kbit
tc qdisc add dev eth1 parent 20:03E8 handle 03E8 cake diffserv4
tc filter add dev eth1 protocol ip parent 20:0 prio 200 u32 ht 11:23: match ip dst 10.118.0.35 flowid 20:03E8
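Does anyone know how this should look for a VLAN interface, or whether tc can run on a VLAN at all? When I searched for tc + vlan, I only found tc filters based on the VLAN number, but that is not the case here.
Answer 1
If anyone else needs this solution: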
#!/bin/bash
tc qdisc del root dev eth1.118
tc qdisc add dev eth1.118 root handle 1: prio bands 2 priomap 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
tc qdisc add dev eth1.118 parent 1:1 handle 10: cake diffserv4 #esfq hash src perturb 10
tc filter add dev eth1.118 parent 1:0 protocol ip prio 1 u32 match ip dst 10.90.0.0/16 flowid 1:1
tc qdisc add dev eth1.118 parent 1:2 handle 20:0 hfsc default 100
tc class add dev eth1.118 parent 20:0 classid 20:1 hfsc ls m2 1024000kbit ul m2 1024000kbit
tc class add dev eth1.118 parent 20:1 classid 20:100 hfsc ls m2 51200kbit ul m2 204800kbit
tc qdisc add dev eth1.118 parent 20:100 cake diffserv4 #esfq hash src perturb 5
tc class add dev eth1.118 parent 20:1 classid 20:110 hfsc ls m2 972800kbit ul m2 1013760kbit
tc filter add dev eth1.118 parent 20:0 prio 1 handle 11: protocol ip u32 divisor 256
tc filter add dev eth1.118 protocol ip parent 20:0 prio 5 u32 ht 800:: match ip dst 10.118.0.0/24 hashkey mask 0x000000ff at 16 link 11:
# ip=10.118.0.35 qdiscNo=1000 createQdisc=1 multiESFQ=0
tc class add dev eth1.118 parent 20:110 classid 20:03E8 hfsc ls m1 1024kbit d 2000ms m2 512kbit ul m1 2048kbit d 2000ms m2 1024kbit
tc qdisc add dev eth1.118 parent 20:03E8 handle 03E8 cake diffserv4 #sfq perturb 15
tc filter add dev eth1.118 protocol ip parent 20:0 prio 200 u32 ht 11:23: match ip dst 10.118.0.35 flowid 20:03E8
tc qdisc del dev eth1.118 handle ffff: ingress
tc qdisc del root dev ifb0
tc qdisc add dev eth1.118 handle ffff: ingress
tc filter add dev eth1.118 parent ffff: protocol ip u32 match u32 0 0 action mirred egress redirect dev ifb0
tc qdisc add dev ifb0 root handle 1: prio bands 2 priomap 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
tc qdisc add dev ifb0 parent 1:1 handle 10: cake diffserv4 #esfq hash src perturb 10
tc filter add dev ifb0 parent 1:0 protocol ip prio 1 u32 match ip dst 10.90.0.0/16 flowid 1:1
tc qdisc add dev ifb0 parent 1:2 handle 20:0 hfsc default 100
tc class add dev ifb0 parent 20:0 classid 20:1 hfsc ls m2 1024000kbit ul m2 1024000kbit
tc class add dev ifb0 parent 20:1 classid 20:100 hfsc ls m2 51200kbit ul m2 204800kbit
tc qdisc add dev ifb0 parent 20:100 cake diffserv4 #esfq hash src perturb 5
tc class add dev ifb0 parent 20:1 classid 20:110 hfsc ls m2 972800kbit ul m2 1013760kbit
tc filter add dev ifb0 parent 20:0 prio 1 handle 11: protocol ip u32 divisor 256
tc filter add dev ifb0 protocol ip parent 20:0 prio 5 u32 ht 800:: match ip src 10.118.0.0/24 hashkey mask 0x000000ff at 12 link 11:
# ip=10.118.0.35 qdiscNo=1000 createQdisc=1 multiESFQ=0
tc class add dev ifb0 parent 20:110 classid 20:03E8 hfsc ls m1 1024kbit d 2000ms m2 512kbit ul m1 2048kbit d 2000ms m2 1024kbit
tc qdisc add dev ifb0 parent 20:03E8 handle 03E8 cake diffserv4 #sfq perturb 15
tc filter add dev ifb0 protocol ip parent 20:0 prio 200 u32 ht 11:23: match ip src 10.118.0.35 flowid 20:03E8
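The key is "hashkey mask 0x000000ff at 16" on one interface and "hashkey mask 0x000000ff at 12" on the second interface. I don't know why it works this way, but it works. Can someone explain why this option must be set to 12 and 16?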
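On the 12 and 16 asked about above: they are byte offsets into the IPv4 header, where the source address occupies bytes 12-15 and the destination address bytes 16-19. With "mask 0x000000ff" the last octet of that address becomes the bucket in the 256-slot table (35 = 0x23, hence "ht 11:23:"). The script below is an added example, not part of the original posts; its function names are made up for illustration and it only prints the tc filter commands for one host instead of running them.

```shell
#!/bin/bash
# Added example: prints tc filter commands, never executes tc.
# Function names are hypothetical; devices, subnet and class ids are the page's.

# Byte offset of the address field inside the IPv4 header that u32 hashes on.
u32_addr_offset() {
    case "$1" in
        src) echo 12 ;;   # source address: header bytes 12-15
        dst) echo 16 ;;   # destination address: header bytes 16-19
        *)   echo "direction must be src or dst" >&2; return 1 ;;
    esac
}

# Bucket selected by "hashkey mask 0x000000ff" in a divisor-256 table:
# the last octet of the address, written in hex as tc expects in "ht 11:XX:".
u32_bucket() {
    local last=${1##*.}
    case "$last" in
        ''|*[!0-9]*|0?*) echo "bad address: $1" >&2; return 1 ;;
    esac
    [ "$last" -le 255 ] || { echo "bad address: $1" >&2; return 1; }
    printf '%x\n' "$last"
}

# Emit the link rule into table 11: and the per-host rule in the right bucket.
# Usage: emit_host_filter DEV src|dst SUBNET HOST_IP CLASSID
emit_host_filter() {
    local dev=$1 dir=$2 subnet=$3 ip=$4 classid=$5 off bucket
    off=$(u32_addr_offset "$dir") || return 1
    bucket=$(u32_bucket "$ip") || return 1
    echo "tc filter add dev $dev protocol ip parent 20:0 prio 5 u32 ht 800:: match ip $dir $subnet hashkey mask 0x000000ff at $off link 11:"
    echo "tc filter add dev $dev protocol ip parent 20:0 prio 200 u32 ht 11:$bucket: match ip $dir $ip flowid $classid"
}

# Download side: packets leaving eth1.118 towards the client, hash on dst.
emit_host_filter eth1.118 dst 10.118.0.0/24 10.118.0.35 20:03E8
# Upload side: packets from the client redirected to ifb0, hash on src.
emit_host_filter ifb0 src 10.118.0.0/24 10.118.0.35 20:03E8
```

If the offset does not match the matched field (for example "at 12" on a rule that matches "ip dst"), the packet is hashed on the other address and lands in a bucket that holds no rule for that host.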