Traffic-Shaping with Fwbuilder Under Linux

Traffic-Shaping with Fwbuilder Under Linux

Contents Traffic-Shaping Initial Situation – Wishes ............. 4 with fwbuilder under Linux Network Diagram .................. 5 Acknowledgements ................ 6 Dr. Ralf Schlatterbeck Example Traffic Shaping Configuration ...... 9 Open Source Consulting Re-Classification .................. 10 Traffic Control .................... 11 Traffic Control: fwbuilder Configuration ...... 16 Email: offi[email protected] Limits of Traffic Shaping .............. 19 Web: http://www.runtux.com Linux and Inbound Shaping ............ 21 Tel. +43/650/621 40 17 Linux-Kernel Packet Travel ............ 22 © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 1 © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 2 Contents Initial Situation – Wishes Help ......................... 28 • Firewall with Intranet and ≥ 1 DMZ segment Availability ...................... 29 • Homegrown iptables scripts to be replaced with Bibliography ..................... 30 fwbuilder configuration • Wanted to include traffic shaping in the fwbuilder configuration • fwbuilder supports multiple firewalls in a single configuration • these firewall can share network objects • nice for several company firewalls at several locations interconnected by (Open-) VPN © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 3 © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 4 Network Diagram Acknowledgements These are some things I found on the net – besides the usual tutorials that helped me a lot Internet • Traffic Shaping with fwbuilder [Sch09] on classifi- cation of packets with fwbuilder and shaping with Globally routable address DeMilitarized Zone (DMZ) tc – as it turned out this doesn’t work for inbound shaping Global Address • OpenWRT’s qos-scripts by Felix Fietkau aka or RFC 1918 nbd also use HFSC, RED and SFQ for shaping Intranet Server RFC 1918 Addresses • it already contains reclassify targets and inbound (10.0.0.0/8, 172.16.0.0/20, 192.168.0.0/16) and outbound shaping – but uses the imq device which is not in the kernel © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 5 © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 6 Acknowledgements Policy Rules: Traffic Shaping • The /usr/lib/qos/tcrules.awk script from OpenWRT • traffic classes: Express, Interactive, VPN, Normal, generates tc commands and contains a reference Bulk with corresponding “Mark” actions to [CJOS01] • Mark actions defined as TagServices • A patch to better document tc hfsc – apparently • Express for time-critical services, (NTP,VoIP,?Ping) never merged • Interactive for e.g. SSH • Shorewall has special tc rules to configure ifb • VPN for site-to-site VPN traffic • A blog entry on getting more documentation out of • Normal: Web surfing tc by issuing clever help commands • Bulk: Downloads • lkml thread that started out modifying the dummy • we can mark packets with such a mark and it will device for imq functionality and turned into ifb be put into the given traffic class • everything not marked is Bulk © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 7 © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 8 Example Traffic Shaping Configuration Re-Classification • Sometimes we want to re-classify some packets depending on their traffic-shaping class • TCP ACK for non-bulk packet should be faster • Don’t want too large Express packets • Don’t want too large Interactive packets, e.g. we want SSH in Interactive but we don't want SCP in Interactive → reclassify large SSH packets • Promote small VPN packets to Interactive • Many of these need a match on the size of the packet • we need to define a custom rule in fwbuilder © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 9 © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 10 Traffic Control Traffic Control Mechanisms to Achieve Traffic Control • Shaping: delay and/or drop packets to meet the • Traffic Shaping is often used desired rate synonymous to Traffic Control • Policing: limit traffic in a particular queue • decide which packets to accept at which rate • Classification: put packets in different classes which • determine at which rate to send packets are treated differently • determine in which order to send packets • We use the Hierarchical Fair Service Curve (HFSC) • tremendous power to re-arrange traffic flows Algorithm [SZN00] for classification, shaping and • . is no substitute for adequate bandwidth [Bro06] policing + more predictable usage and bandwidth allocation • At the leaf-nodes of the hierarchy we use Random − complexity Early Detection (RED) for bulk and Stochastic Fair Queuing (SFQ) for non-bulk traffic © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 11 © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 12 Traffic Control: HFSC Traffic Control: RED • with HFSC we can form a hierarchy of classes and • Random Early Detection (or “Drop”) [FJ93] specify bandwith and realtime requirements • Even if not yet congested do early notification • realtime allocate a slightly higher priority to new • can either (randomly) drop packets early flows to minimize delay • . or use explicit congestion notification (ECN) • . even if allocation for other classes is slightly TCP option violated (not their realtime guarantees) • observation: with full queues packets of all flows • for each class in the hierarchy specify bandwidth are dropped • leaf-nodes specify packet or frame size and delay • . which leads to lots of retransmissions • borrow from siblings if these need less bandwidth • with RED we get better utilisation • “Fair”: even after borrowing the guaranteed band- • but it’s hard to configure right [CJOS01, Flo97] width isn’t violated © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 13 © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 14 Traffic Control: SFQ Traffic Control: fwbuilder Configuration • Stochastic Fair Queuing based on Fair Queuing by • to generate traffic control configuration we use a John Nagle [Nag85, Nag87] hook in fwbuilder called an epilog script • large number of queues served round robin (e.g. • set up special devices for traffic shaping 128 queues) • generate HFSC, RED, SFQ queueing disciplines • flows are allocated to queues by a hash function (qdiscs) • hash function changes periodically • work special magic for inbound shaping • end result is a stochastically fair allocation • restore OpenVPN-generated routes • . which can break with misbehaved nodes (e.g. • use advanced routing mechanisms where fwbuilder file-sharing with lots of connections) isn’t expressive enough ⇒ use RED for file-sharing traffic • in fwbuilder click on the firewall (e.g. “vienna”) • . then on “Firewall Settings . ” © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 15 © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 16 Traffic Control: fwbuilder Configuration Traffic Control: fwbuilder Configuration import sys from rsclib.trafficshape import Traffic_Class as TC root from rsclib.trafficshape import Shaper root = TC (100) fast = TC (90, parent = root) fast slow HFSC slow = TC (10, parent = root) express = TC (1, 128, delay_ms = 10, parent = fast, is_bulk = False, fwmark = '0x10/0x1f0') express interact VPN normal bulk ... shaper = Shaper ("$TC", root) for interface, bandwidth in \ (('eth2', 16000 * 0.98), ('ifb0=eth2', 16000 * 0.98)) : SFQ SFQ SFQ RED RED print shaper.generate (bandwidth, interface) © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 17 © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 18 Limits of Traffic Shaping Limits of Traffic Shaping • we can’t really control our incoming traffic • outbound shaping also needs to reduce the band- • no chance against malicious traffic, e.g., Distributed width Denial of Service (DDoS) • otherwise we would send at Ethernet speed • but TCP has flow control and congestion control • . and have a long queue in the router mechanisms • because the upstream bandwidth is below Ether- • when it doesn’t receive an ACK for a packet it will net speed reduce the sending rate → use same mechanism for inbound and outbound • so we can shape traffic by dropping packets shaping • we need to limit bandwidth to slightly below the • works quite well if inbound traffic is mainly TCP maximum so the queue is in our firewall not in the upstream router © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 19 © 2010 Dr. Ralf Schlatterbeck Open Source Consulting · www.runtux.com · offi[email protected] 20 Linux and Inbound Shaping Linux-Kernel Packet Travel Netfilter Packet Traversal http://linux−ip.net/nf/nfk−traversal.png applications • Linux can’t do inbound shaping Martin A. Brown, martin@linux−ip.net packets inbound locally generated from network routing/ (ip_rcv) other sockets and packets enter the • trick: redirect traffic to Intermediate Functional Block forwarding kernel output routing OUTPUT chains IP services (ifb) device kernel netfilter conntrack hooks ❁ ❁ • . and there we do outbound shaping local packets locally destined forwarded packets packets must • after shaped traffic

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    9 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us