Ingress qdisc

All qdiscs discussed so far are egress qdiscs. Each interface however can also have an ingress qdisc which is not used to send packets out to the network adaptor. Instead, it allows you to apply tc filters to packets coming in over the interface, regardless of whether they have a local destination or are to be forwarded.

As the tc filters contain a full Token Bucket Filter implementation, and are also able to match on the kernel flow estimator, there is a lot of functionality available. This effectively allows you to police incoming traffic, before it even enters the IP stack.

14.4.1. Parameters & usage

The ingress qdisc itself does not require any parameters. It differs from other qdiscs in that it does not occupy the root of a device. Attach it like this:

# delete original
tc qdisc del dev eth0 ingress
tc qdisc del dev eth0 root

# add new qdisc and filter
tc qdisc add dev eth0 ingress
tc filter add dev eth0 parent ffff: protocol ip prio 50  u32 match ip src 0.0.0.0/0 police rate 2048kbps burst 1m drop flowid :1
tc qdisc add dev eth0 root tbf rate 2048kbps latency 50ms burst 1m

 
I played a bit with the ingress qdisc after seeing Patrick and Stef
talking about it and came up with a few notes and a few questions.

: The ingress qdisc itself has no parameters.  The only thing you can do
: is using the policers.  I have a link with a patch to extend this :
: http://www.cyberus.ca/~hadi/patches/action/ Maybe this can help.
:
: I have some more info about ingress in my mail files, but I have to
: sort it out and put it somewhere on docum.org.  But I still didn't
: find the time to do so.

Regarding policers and the ingress qdisc.  I have never used them before
today, but have the following understanding.

About the ingress qdisc:

  - ingress qdisc (known as "ffff:") can't have any children classes (hence the existence of IMQ)
  - the only thing you can do with the ingress qdisc is attach filters

About filtering on the ingress qdisc:

  - since there are no classes to which to direct the packets, the only reasonable option (reasonable, indeed!) is to drop the packets
  - with clever use of filtering, you can limit particular traffic signatures to particular uses of your bandwidth

Here's an example of using an ingress policer to limit inbound traffic
from a particular set of IPs on a per IP basis.  In this case, traffic
from each of these source IPs is limited to a T1's worth of bandwidth.
Note that this means that this host can receive up to 1536kbit (768kbit +
768kbit) worth of bandwidth from these two source IPs alone.

# -- start of script
#! /bin/ash
#
# -- simulate a much smaller amount of bandwidth than the 100MBit interface
#
RATE=1536kbit
DEV=eth0
SOURCES="10.168.53.2/32 10.168.73.10/32 10.168.28.20/32"

# -- attach our ingress qdisc
#
tc qdisc add dev $DEV ingress

# -- cap bandwidth from particular source IPs
#

for SOURCE in $SOURCES ; do

tc filter add dev $DEV parent ffff: protocol ip   \
    u32 match ip src $SOURCE flowid :1              \
    police rate $RATE mtu 12k burst 10k drop

done

# -- end of script

Now, if you are using multiple public IPs on your masquerading/SNAT host,
you can use "u32 match ip dst $PER_IP" with a drop action to force a
particular rate on inbound traffic to that IP.

My entirely unquantified impression is that latency suffers as a result,
but traffic is indeed bandwidth limited.

Just a few notes of dissection:

tc filter add dev $DEV   # -- the usual beginnings
    parent ffff:           # -- the ingress qdisc itself
    protocol ip            # -- more preamble  | make sure to visit
    u32 match ip           # -- u32 classifier | http://lartc.org/howto/
    src $SOURCE            # -- could also be "dst $SOME_LOCAL_IP"
    flowid :1              # -- ??? (but it doesn't work without this)
    police rate $RATE      # -- put a policer here
    mtu 12k burst 10k      # -- ???
    drop                   # -- drop packets exceeding our police params

Maybe a guru or two out there (Stef?, Bert?, Jamal?, Werner?) can explain
why mtu needs to be larger than 1k (didn't work for me anyway) and also
how these other parameters should be used.
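The following is an added example, not code from the LARTC HOWTO, from the mail above, or from the tc or kernel sources. It models the token bucket behind the "police" action that the HOWTO section refers to and that the mail's "police rate $RATE mtu 12k burst 10k drop" line configures. The check it reproduces is the one the Linux policer (net/sched/act_police.c) makes per packet: a packet conforms only if it is no longer than the policer's mtu AND the bucket holds enough tokens for its length; every other packet gets the exceed action, here drop. That is why an mtu below the packet size drops every full-size packet whatever the rate is set to. Tokens are counted in bytes (the kernel counts in time units), the per-source dictionary stands in for the per-$SOURCE filters of the mail's script, and the traffic fed to it is constructed; the tc_size and tc_rate helpers, the class and function names, and the decimal interpretation of kbit are this example's own assumptions.

```python
"""Token-bucket model of the tc ingress policer (added example, not kernel code)."""


def tc_size(text):
    """Parse a tc size argument into bytes: '10k' -> 10240, '12k' -> 12288, '1500' -> 1500.
    tc's k/m size suffixes are 1024-based."""
    text = text.strip().lower()
    for suffix, mult in (("kb", 1024), ("k", 1024), ("mb", 1024 ** 2), ("m", 1024 ** 2)):
        if text.endswith(suffix):
            return int(float(text[: -len(suffix)]) * mult)
    return int(text)


def tc_rate(text):
    """Parse a tc rate argument into bits per second: '1536kbit' -> 1536000.
    Assumes the decimal kbit/mbit of current iproute2 (kbit = 1000 bit/s)."""
    text = text.strip().lower()
    for suffix, mult in (("kbit", 1000), ("mbit", 1000 ** 2), ("bit", 1)):
        if text.endswith(suffix):
            return int(float(text[: -len(suffix)]) * mult)
    raise ValueError("unsupported rate: " + text)


class Policer:
    """One 'police rate R burst B mtu M drop' action, modelled in bytes."""

    def __init__(self, rate, burst, mtu):
        self.rate = tc_rate(rate) / 8.0   # refill rate in bytes per second
        self.burst = tc_size(burst)       # bucket depth in bytes
        self.mtu = tc_size(mtu)           # largest packet that can ever conform
        self.tokens = float(self.burst)   # a freshly added policer starts with a full bucket
        self.last = 0.0
        self.passed = self.dropped = 0

    def handle(self, now, length):
        """Return 'ok' or 'drop' for a packet of `length` bytes arriving at `now` seconds."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if length <= self.mtu and self.tokens >= length:
            self.tokens -= length         # only conforming packets consume tokens
            self.passed += 1
            return "ok"
        self.dropped += 1                 # exceed action: drop (no tokens consumed)
        return "drop"


class IngressPolice:
    """Per-source policers, like the mail's loop over $SOURCES: each listed source
    gets its own bucket; packets from any other source are not policed."""

    def __init__(self, sources, rate, burst, mtu):
        self.policers = {src: Policer(rate, burst, mtu) for src in sources}

    def handle(self, src, now, length):
        policer = self.policers.get(src)
        return policer.handle(now, length) if policer else "ok"


def flood(policer_fn, pkt_len, line_rate, seconds):
    """Feed back-to-back packets of pkt_len bytes at line_rate (tc rate syntax)
    for `seconds`; return (passed, dropped)."""
    gap = pkt_len * 8 / tc_rate(line_rate)
    passed = dropped = 0
    t = 0.0
    while t < seconds:
        if policer_fn(t, pkt_len) == "ok":
            passed += 1
        else:
            dropped += 1
        t += gap
    return passed, dropped


def demo():
    """Constructed scenario: one listed source sends 1500-byte packets at 100 Mbit/s
    for one second against the mail's parameters (rate 1536kbit, burst 10k, mtu 12k)."""
    sources = ["10.168.53.2", "10.168.73.10", "10.168.28.20"]   # the mail's $SOURCES
    police = IngressPolice(sources, "1536kbit", "10k", "12k")
    passed, dropped = flood(lambda t, n: police.handle("10.168.53.2", t, n),
                            1500, "100mbit", 1.0)
    # With mtu smaller than the packet, nothing conforms even with a full bucket.
    small_mtu = Policer("1536kbit", "10k", "1k").handle(0.0, 1500)
    return {
        "passed": passed,                                      # about burst + rate*1s worth
        "dropped": dropped,
        "total": passed + dropped,
        "unlisted_source": police.handle("192.0.2.7", 0.0, 1500),
        "small_mtu": small_mtu,
    }


if __name__ == "__main__":
    print(demo())
```

Roughly burst + rate x 1 s of bytes (10240 + 192000) gets through in the demo, about 135 packets out of some 8300, so the policer does limit the source to its configured rate; the dropped packets are simply gone, which is the latency and loss the mail reports seeing on the receiving side.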
