Open Source Bandwidth
Management:
Introduction to Linux Traffic Control
Christian Benvenuti
International Centre for Theoretical Physics (ICTP), Trieste
[http://benve.info]
Agenda
● Optimization of the use of the external link/s
● Factors that can contribute to a better use of the
bandwidth (distributed optimizations)
● Translation of policies into network configurations
(Traffic Control + Netfilter)
● Do you have bandwidth problems in your network?
● Do you have policies in place in your campus?
● Do you monitor the traffic?
● Are you using any kind of Shaping/Firewalling?
The focus of this presentation is on
the external link/s
● Under the assumption that the campus network is significantly faster than
the external link/s (to the ISP or to a peer institution), the bottleneck
that requires optimization is/are the external link/s.
– In this presentation I will therefore touch only briefly
Distributed Optimizations
● Some applications/servers can be configured
(and optimized) separately. For example:
– Email (attachments (size, URLs), delayed/batched TX of digests, ...)
– Proxies
● Traffic can be filtered by the firewall/s according to
the policy
● Traffic can be rate-limited by a device that
implements some form of Traffic Control (i.e., shaper).
– This can be done by the same device that acts as
Where would you do shaping/policing?
[Figure: Border Router and firewall between your campus network and the Internet]
Ingress vs Egress Queuing/Shaping
[Figure: two interfaces, each with an RX queue and a TX queue]
● Where do you think it is better to drop/delay packets?
Security Vs Bandwidth
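Packets can only be delayed in a transmit queue, so on Linux shaping is an egress operation; what the ingress side offers is policing, which drops packets that arrive faster than a configured rate. The script below is an added example, not part of the slides: on a border box with eth1 as the external link and eth0 facing the campus, it installs a policer on the RX side of eth1 and a TBF shaper on the TX queue of eth0, so that inbound Internet traffic is delayed (rather than dropped) on its way into the campus. Interface names, the 8 Mbit/s allowance and the DRY_RUN switch are assumptions; with DRY_RUN=1 (the default) the script prints the tc commands instead of executing them, which also lets it run without root.

```shell
#!/bin/sh
# Added example (not from the slides): ingress policing vs egress shaping
# on a Linux border box. Assumed: eth1 = external link, eth0 = campus side,
# 8 Mbit/s inbound allowance. DRY_RUN=1 prints the commands instead of
# running them (the real commands need root and the named interfaces).
set -e

DRY_RUN="${DRY_RUN:-1}"

# run: print the command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# police_ingress DEV RATE: attach the ingress qdisc to DEV and a catch-all
# u32 filter whose police action DROPS packets arriving faster than RATE.
# Nothing is queued here: the RX path has no queue to delay packets in.
police_ingress() {
    dev=$1; rate=$2
    run tc qdisc add dev "$dev" handle ffff: ingress
    run tc filter add dev "$dev" parent ffff: protocol ip prio 1 u32 \
        match u32 0 0 police rate "$rate" burst 100k drop flowid :1
}

# shape_egress DEV RATE: replace the root qdisc of DEV with a token bucket
# filter. Packets above RATE are DELAYED in the TX queue (up to 50 ms of
# backlog) instead of dropped, so TCP senders back off more gently.
shape_egress() {
    dev=$1; rate=$2
    run tc qdisc replace dev "$dev" root tbf rate "$rate" burst 32kbit latency 50ms
}

# limit_inbound RATE: inbound Internet traffic enters on eth1 (RX queue,
# police only) and leaves toward the campus on eth0 (TX queue, shapeable).
# Shaping on eth0's egress is the preferred place; the policer on eth1 also
# covers traffic addressed to the box itself, which never crosses eth0.
limit_inbound() {
    rate=$1
    shape_egress eth0 "$rate"
    police_ingress eth1 "$rate"
}

# Stand-alone run prints the three commands (DRY_RUN defaults to 1).
limit_inbound 8mbit
```

Run it with DRY_RUN=0 as root on a box that really has eth0 and eth1 to apply the configuration; the dry run is handy for reviewing the generated commands before they touch a production link.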
Common applications
● Easy to cache
– HTTP/FTP
– DNS
– ...
● Not cachable
– Terminal (SSH/Telnet)
– Email TX (SMTP)
– Email RX (POP, IMAP)
– ...
● Malware
– Viruses
– Spyware
– (email spam)
– ...
● Not cachable (unless ...)
– Audio/Video streaming
– P2P
– ...
How about policies, priorities and shaping?
Open Source Bandwidth Management
with Linux
● QoS
– iproute2 / Traffic Control
– http://linux-net.osdl.org/index.php/Iproute2
● Firewall
– iptables / Netfilter
– http://www.netfilter.org
A Linux box can be a firewall and a
shaper at the same time
[Figure: Border Router / Firewall / Shaper/Policer connected to the Local Internet exchange switch on one side and, through Core Routers and a Core Switch, to fiber links to the building switches on the other]
Open Source VS Commercial
The big (scary) picture
[Figure: Netfilter hooks PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING on the path between eth0 and eth1; user-space applications (e.g., SSHD, squid) above the kernel; the Filter (F), Mangle (M) and NAT (N) tables attached to the hooks; the Raw table is not shown in the figure]
Example of iptables command
– I would like to block ingress ICMP echo request messages
Table: -t filter
Operation: -A
Hook: INPUT
Match/es: -p icmp --icmp-type echo-request
Target: -j DROP
# iptables -t filter -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -t <TAB> <OP> <HOOK> <MATCH> ... <MATCH> -j <TARGET>
[Figure: the packet path through PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING between eth0 and eth1, with SSHD and Squid in user space]
Traffic Control Elements
● Queueing disciplines
– Classless: FIFO, RED, GRED, TBF, SFQ, NETEM, TEQL
– Classful: CBQ, HTB, HFSC, PRIO, DS, ...
● Classifiers
– FW, ROUTE, RSVP, TCINDEX, U32, BASIC
● Classifier extensions
– Policers, Actions
Example of Hierarchical Queuing
Discipline
[Figure: tree with Campus at the root; Faculty 1, Faculty 2 and Faculty 3 below it; Laboratory 1 and Laboratory 2 below a faculty; HTTP and Anything else below a laboratory. Shares shown: 50%, 25%, 25%, 70%, 30%, 50%, 50%; HTTP is Prio 1, Anything else is Prio 2; annotated Sharing/Borrowing, Priorities, Default class]
Example of simple HTB configuration
[Figure: HTB qdisc 1:0 with class 1:1 and its child classes 1:10 and 1:20]
# QUEUE (the default class is given by its minor number)
tc qdisc add dev eth1 handle 1:0 root htb default 20
# CLASSES
tc class add dev eth1 parent 1:0 classid 1:1 htb rate 10Mbit ceil 10Mbit
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 7Mbit ceil 10Mbit
tc class add dev eth1 parent 1:1 classid 1:20 htb rate 3Mbit ceil 10Mbit
# FILTERS
## 1st solution: classify in tc with the u32 classifier
tc filter add dev eth1 protocol ip parent 1:0 u32 match ip dport 80 0xffff flowid 1:10
## 2nd solution: mark in Netfilter, map the mark to a class with the fw classifier
iptables -t mangle -A FORWARD -p tcp --dport 80 -j MARK --set-mark 1
tc filter add dev eth1 protocol ip parent 1:0 handle 1 fw classid 1:10
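The two-class configuration above generalizes to the campus/faculty/laboratory tree of the "Example of Hierarchical Queuing Discipline" slide. The script below is an added example, not part of the slides: it derives every class rate from a percentage of its parent, gives each class a ceil equal to the link so idle shares can be borrowed, uses HTB prio for the HTTP / anything-else split, and classifies with both methods shown on the slide (u32 filters in tc, and an iptables mark mapped by the fw classifier). Assumptions not found in the slides: eth1 is the external link at 10 Mbit/s; the percentages map as Faculty 1/2/3 = 50/25/25% of the link, Laboratory 1/2 = 70/30% of Faculty 1, HTTP / anything else = 50/50% of Laboratory 1; the subnets are constructed. With DRY_RUN=1 (the default) it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the slides): campus/faculty/laboratory HTB tree,
# generated from percentages so the rates stay consistent if the link speed
# changes. Assumed: eth1 = external link, 10 Mbit/s, percentage mapping and
# subnets as described in the lead-in. DRY_RUN=1 prints the commands.
set -e

DEV="${DEV:-eth1}"
LINK_KBIT="${LINK_KBIT:-10000}"
DRY_RUN="${DRY_RUN:-1}"

# run: print the command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# pct WHOLE PERCENT: integer percentage of a kbit rate
pct() {
    echo $(( $1 * $2 / 100 ))
}

# htb_class PARENT CLASSID RATE_KBIT PRIO: guaranteed RATE; ceil is the whole
# link, so a class may borrow what its siblings leave idle, up the tree.
# A lower prio value is served first when borrowing.
htb_class() {
    run tc class add dev "$DEV" parent "$1" classid "$2" htb \
        rate "${3}kbit" ceil "${LINK_KBIT}kbit" prio "$4"
}

# u32_to CLASSID PRIO MATCH...: classify by header fields; lower filter prio
# is evaluated first, so the most specific rules get the lowest numbers.
u32_to() {
    classid=$1; fprio=$2; shift 2
    run tc filter add dev "$DEV" protocol ip parent 1: prio "$fprio" u32 "$@" flowid "$classid"
}

build_hierarchy() {
    fac1=$(pct "$LINK_KBIT" 50); fac2=$(pct "$LINK_KBIT" 25); fac3=$(pct "$LINK_KBIT" 25)
    lab1=$(pct "$fac1" 70);      lab2=$(pct "$fac1" 30)
    http=$(pct "$lab1" 50);      rest=$(pct "$lab1" 50)

    # root qdisc; unclassified traffic lands in the "anything else" leaf 1:112
    run tc qdisc replace dev "$DEV" root handle 1: htb default 112
    htb_class 1:    1:1   "$LINK_KBIT" 0   # Campus
    htb_class 1:1   1:10  "$fac1" 0        # Faculty 1   (50% of link)
    htb_class 1:1   1:20  "$fac2" 0        # Faculty 2   (25% of link)
    htb_class 1:1   1:30  "$fac3" 0        # Faculty 3   (25% of link)
    htb_class 1:10  1:101 "$lab1" 0        # Laboratory 1 (70% of Faculty 1)
    htb_class 1:10  1:102 "$lab2" 0        # Laboratory 2 (30% of Faculty 1)
    htb_class 1:101 1:111 "$http" 1        # HTTP          (prio 1)
    htb_class 1:101 1:112 "$rest" 2        # Anything else (prio 2, default)

    # Constructed subnets: Faculty 1 = 10.1.0.0/16 (Laboratory 1 = 10.1.1.0/24,
    # Laboratory 2 = 10.1.2.0/24), Faculty 2 = 10.2.0.0/16, Faculty 3 = 10.3.0.0/16.
    u32_to 1:111 1 match ip src 10.1.1.0/24 match ip dport 80 0xffff
    u32_to 1:112 2 match ip src 10.1.1.0/24
    u32_to 1:20  3 match ip src 10.2.0.0/16
    u32_to 1:30  3 match ip src 10.3.0.0/16
    # Laboratory 2 via the "2nd solution": mark in Netfilter, map the mark in tc
    run iptables -t mangle -A FORWARD -s 10.1.2.0/24 -j MARK --set-mark 2
    run tc filter add dev "$DEV" protocol ip parent 1: prio 4 handle 2 fw classid 1:102
}

# Stand-alone run prints the generated commands (DRY_RUN defaults to 1).
build_hierarchy
```

Because every rate is computed from LINK_KBIT, upgrading the link means changing one variable and re-running the script; checking the result with `tc -s class show dev eth1` afterwards shows per-class sent/dropped counters and whether borrowing happens as intended.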
Useful links
● Book: “How To Accelerate Your Internet”
– A Practical Guide to Bandwidth Management and Optimization Using
Open Source Software
– http://bwmo.net (you can download it here)
● Mailing List: LARTC