
Contents Traffic-Shaping Initial Situation – Wishes ............. 4 with fwbuilder under Linux Network Diagram .................. 5 Acknowledgements ................ 6 Dr. Ralf Schlatterbeck Example Traffic Shaping Configuration ...... 9 Open Source Consulting Re-Classification .................. 10 Traffic Control .................... 11 Traffic Control: fwbuilder Configuration ...... 16 Email: offi[email protected] Limits of Traffic Shaping .............. 19 Web: http://www.runtux.com Linux and Inbound Shaping ............ 21 Tel. +43/650/621 40 17 Linux-Kernel Packet Travel ............ 22 © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 1 © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 2 Contents Initial Situation – Wishes Help ......................... 28 • Firewall with Intranet and ≥ 1 DMZ segment Availability ...................... 29 • Homegrown iptables scripts to be replaced with Bibliography ..................... 30 fwbuilder configuration • Wanted to include traffic shaping in the fwbuilder configuration • fwbuilder supports multiple firewalls in a single configuration • these firewall can share network objects • nice for several company firewalls at several locations interconnected by (Open-) VPN © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 3 © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 4 Network Diagram Acknowledgements These are some things I found on the net – besides the usual tutorials that helped me a lot Internet • Traffic Shaping with fwbuilder [Sch09] on classifi- cation of packets with fwbuilder and shaping with Globally routable address DeMilitarized Zone (DMZ) tc – as it turned out this doesn’t work for inbound shaping Global Address • OpenWRT’s qos-scripts by Felix Fietkau aka or RFC 1918 nbd also use HFSC, RED and SFQ for shaping Intranet Server RFC 1918 Addresses • it already contains reclassify targets and inbound (10.0.0.0/8, 172.16.0.0/20, 192.168.0.0/16) and outbound shaping – but uses the imq device which is not in the kernel © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 5 © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 6 Acknowledgements Policy Rules: Traffic Shaping • The /usr/lib/qos/tcrules.awk script from OpenWRT • traffic classes: Express, Interactive, VPN, Normal, generates tc commands and contains a reference Bulk with corresponding “Mark” actions to [CJOS01] • Mark actions defined as TagServices • A patch to better document tc hfsc – apparently • Express for time-critical services, (NTP,VoIP,?Ping) never merged • Interactive for e.g. SSH • Shorewall has special tc rules to configure ifb • VPN for site-to-site VPN traffic • A blog entry on getting more documentation out of • Normal: Web surfing tc by issuing clever help commands • Bulk: Downloads • lkml thread that started out modifying the dummy • we can mark packets with such a mark and it will device for imq functionality and turned into ifb be put into the given traffic class • everything not marked is Bulk © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 7 © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 8 Example Traffic Shaping Configuration Re-Classification • Sometimes we want to re-classify some packets depending on their traffic-shaping class • TCP ACK for non-bulk packet should be faster • Don’t want too large Express packets • Don’t want too large Interactive packets, e.g. we want SSH in Interactive but we don't want SCP in Interactive → reclassify large SSH packets • Promote small VPN packets to Interactive • Many of these need a match on the size of the packet • we need to define a custom rule in fwbuilder © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 9 © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 10 Traffic Control Traffic Control Mechanisms to Achieve Traffic Control • Shaping: delay and/or drop packets to meet the • Traffic Shaping is often used desired rate synonymous to Traffic Control • Policing: limit traffic in a particular queue • decide which packets to accept at which rate • Classification: put packets in different classes which • determine at which rate to send packets are treated differently • determine in which order to send packets • We use the Hierarchical Fair Service Curve (HFSC) • tremendous power to re-arrange traffic flows Algorithm [SZN00] for classification, shaping and • . is no substitute for adequate bandwidth [Bro06] policing + more predictable usage and bandwidth allocation • At the leaf-nodes of the hierarchy we use Random − complexity Early Detection (RED) for bulk and Stochastic Fair Queuing (SFQ) for non-bulk traffic © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 11 © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 12 Traffic Control: HFSC Traffic Control: RED • with HFSC we can form a hierarchy of classes and • Random Early Detection (or “Drop”) [FJ93] specify bandwith and realtime requirements • Even if not yet congested do early notification • realtime allocate a slightly higher priority to new • can either (randomly) drop packets early flows to minimize delay • . or use explicit congestion notification (ECN) • . even if allocation for other classes is slightly TCP option violated (not their realtime guarantees) • observation: with full queues packets of all flows • for each class in the hierarchy specify bandwidth are dropped • leaf-nodes specify packet or frame size and delay • . which leads to lots of retransmissions • borrow from siblings if these need less bandwidth • with RED we get better utilisation • “Fair”: even after borrowing the guaranteed band- • but it’s hard to configure right [CJOS01, Flo97] width isn’t violated © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 13 © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 14 Traffic Control: SFQ Traffic Control: fwbuilder Configuration • Stochastic Fair Queuing based on Fair Queuing by • to generate traffic control configuration we use a John Nagle [Nag85, Nag87] hook in fwbuilder called an epilog script • large number of queues served round robin (e.g. • set up special devices for traffic shaping 128 queues) • generate HFSC, RED, SFQ queueing disciplines • flows are allocated to queues by a hash function (qdiscs) • hash function changes periodically • work special magic for inbound shaping • end result is a stochastically fair allocation • restore OpenVPN-generated routes • . which can break with misbehaved nodes (e.g. • use advanced routing mechanisms where fwbuilder file-sharing with lots of connections) isn’t expressive enough ⇒ use RED for file-sharing traffic • in fwbuilder click on the firewall (e.g. “vienna”) • . then on “Firewall Settings . ” © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 15 © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 16 Traffic Control: fwbuilder Configuration Traffic Control: fwbuilder Configuration import sys from rsclib.trafficshape import Traffic_Class as TC root from rsclib.trafficshape import Shaper root = TC (100) fast = TC (90, parent = root) fast slow HFSC slow = TC (10, parent = root) express = TC (1, 128, delay_ms = 10, parent = fast, is_bulk = False, fwmark = '0x10/0x1f0') express interact VPN normal bulk ... shaper = Shaper ("$TC", root) for interface, bandwidth in \ (('eth2', 16000 * 0.98), ('ifb0=eth2', 16000 * 0.98)) : SFQ SFQ SFQ RED RED print shaper.generate (bandwidth, interface) © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 17 © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 18 Limits of Traffic Shaping Limits of Traffic Shaping • we can’t really control our incoming traffic • outbound shaping also needs to reduce the band- • no chance against malicious traffic, e.g., Distributed width Denial of Service (DDoS) • otherwise we would send at Ethernet speed • but TCP has flow control and congestion control • . and have a long queue in the router mechanisms • because the upstream bandwidth is below Ether- • when it doesn’t receive an ACK for a packet it will net speed reduce the sending rate → use same mechanism for inbound and outbound • so we can shape traffic by dropping packets shaping • we need to limit bandwidth to slightly below the • works quite well if inbound traffic is mainly TCP maximum so the queue is in our firewall not in the upstream router © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 19 © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 20 Linux and Inbound Shaping Linux-Kernel Packet Travel Netfilter Packet Traversal http://linux−ip.net/nf/nfk−traversal.png applications • Linux can’t do inbound shaping Martin A. Brown, martin@linux−ip.net packets inbound locally generated from network routing/ (ip_rcv) other sockets and packets enter the • trick: redirect traffic to Intermediate Functional Block forwarding kernel output routing OUTPUT chains IP services (ifb) device kernel netfilter conntrack hooks ❁ ❁ • . and there we do outbound shaping local packets locally destined forwarded packets packets must • after shaped traffic
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages9 Page
-
File Size-