it-securitynotifies - Re: [IT-SecNots] Traffic shaping on debian

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements


Re: [IT-SecNots] Traffic shaping on debian


  • From: Aleksey <unite AT openmailbox.org>
  • To: Dmitry Sinina <dmitry.sinina AT onat.edu.ua>
  • Cc: debian-isp AT lists.debian.org
  • Subject: Re: [IT-SecNots] Traffic shaping on debian
  • Date: Fri, 27 May 2016 16:50:55 +0300
  • List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
  • List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>
  • List-url: <https://lists.debian.org/debian-isp/>
  • Old-return-path: <unite AT openmailbox.org>
  • Resent-date: Fri, 27 May 2016 13:51:15 +0000 (UTC)
  • Resent-from: debian-isp AT lists.debian.org
  • Resent-message-id: <44Kndu2wC7J.A.pSC.TDFSXB@bendel>
  • Resent-sender: debian-isp-request AT lists.debian.org

On 2016-05-27 14:48, Dmitry Sinina wrote:
> On 05/27/2016 02:40 PM, Aleksey wrote:
>> Hi guys!
>>
>> I have a debian box acting as a router and need a tool to perform traffic shaping based on source/destination IPs, interfaces, etc. I have tried the default tc, however, it uses plenty of resources, e.g. 600 mbps without shaping flows through with 3% cpu load and the same 600 mbps with shaping (tc using htb on the egress interface) consumes something like 40% cpu.
>>
>> Probably someone could advise some kind of a tool to do such shaping with minimum resources consumed - I've searched through the web and found a module named nf-hishape, however, I didn't manage to find a reasonably high number of articles about it, nor any manuals and so on - I guess it's not very popular (if it's actually alive).
>>
>> Any help would be appreciated.
>>
>> Thanks in advance.
>
> Hi.
>
> Seems you use a flat list of filters. How many filters do you have?
> Did you try hash tables for traffic classification?

Hi.

Practically, I haven't done any configuration on my production router - I have performed tests in a lab environment. The configuration was pretty simple:

# HTB root qdisc on the egress interface; unclassified traffic goes to class 1:30
tc qdisc add dev eth1 root handle 1: htb default 30
# note: in tc, "mbps" means megabytes per second; "mbit" is megabits per second
tc class add dev eth1 parent 1: classid 1:1 htb rate 1000mbps ceil 1000mbps
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 3mbps ceil 5mbps
tc class add dev eth1 parent 1:1 classid 1:20 htb rate 5mbps ceil 7mbps
tc class add dev eth1 parent 1:1 classid 1:30 htb rate 1mbps ceil 1000mbps
# SFQ leaf qdiscs so flows inside one class share it fairly
tc qdisc add dev eth1 parent 1:10 handle 10:0 sfq perturb 10
tc qdisc add dev eth1 parent 1:20 handle 20:0 sfq perturb 10
tc qdisc add dev eth1 parent 1:30 handle 30:0 sfq perturb 10
# flat u32 filter list: classify by destination port only
tc filter add dev eth1 protocol ip parent 1:0 prio 1 u32 match ip dport 443 0xffff flowid 1:20
tc filter add dev eth1 protocol ip parent 1:0 prio 1 u32 match ip dport 80 0xffff flowid 1:10

So after applying it I tried to push some traffic through this lab box using iperf. When performing tests on ports 80/443 (limited to low bandwidth), CPU load was ok; however, when I pushed unrestricted traffic (1000 mbps limit) I noticed high CPU usage. I tried setting up filters based on fwmark but the result was the same. I'm using debian 7 with the 3.16 kernel installed from wheezy-backports, if that is important.

If some additional info (firewall config, etc) is needed, please ask.

--
With kind regards,
Aleksey
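The hash-table classification Dmitry suggests, as an added example that is not part of the thread: a POSIX sh script that prints the tc u32 commands replacing a flat per-host filter list with a 256-bucket hash table keyed on the last octet of the destination address. The interface eth1 and classes 1:10/1:20 come from the configuration above; the 10.0.0.0/24 subnet, the hosts and the hash table handle 2: are assumed values.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (does not apply) the tc commands
# for a u32 hash table, so they can be reviewed before being run as root.
# Assumptions: egress dev eth1, htb root 1:, leaf classes 1:10/1:20,
# hosts in 10.0.0.0/24. Hash table handle 2: is an arbitrary choice.

# Emit the three commands that create and link a 256-bucket hash table.
# u32 hashes the 32-bit word at IPv4 offset 16 (destination address)
# masked to its low octet, so each host lands in its own bucket and the
# kernel tests one filter instead of walking the whole list.
hash_table_setup() {
    dev=$1; table=$2; subnet=$3
    # root u32 filter; creates the default table 800:
    echo "tc filter add dev $dev parent 1:0 prio 5 protocol ip u32"
    # the hash table itself, 256 buckets
    echo "tc filter add dev $dev parent 1:0 prio 5 handle $table: protocol ip u32 divisor 256"
    # packets to $subnet are hashed on the last dst octet and sent to $table:
    echo "tc filter add dev $dev protocol ip parent 1:0 prio 5 u32 ht 800:: match ip dst $subnet hashkey mask 0x000000ff at 16 link $table:"
}

# Emit one per-host filter in the bucket its last octet selects.
# Bucket numbers in 'ht table:bucket:' are hexadecimal.
host_filter() {
    dev=$1; table=$2; ip=$3; flowid=$4
    last=${ip##*.}
    bucket=$(printf '%x' "$last")
    echo "tc filter add dev $dev protocol ip parent 1:0 prio 5 u32 ht $table:$bucket: match ip dst $ip flowid $flowid"
}

# Stand-alone usage with a constructed host-to-class mapping (sample data).
hash_table_setup eth1 2 10.0.0.0/24
host_filter eth1 2 10.0.0.17 1:10
host_filter eth1 2 10.0.0.200 1:20
```

All filters that share a hash table must use the same prio; the script keeps prio 5 throughout.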

Archive provided by MHonArc 2.6.19.