Usability of Traffic Control Tools
Thomas Graf Red Hat, Inc.
Been There?
/etc/libnl/classid

Typical workflow of adding qdisc, class, and filter:
# tc qdisc add dev eth0 parent root htb
# tc qdisc list dev eth0
qdisc htb 8001: root [...]
# tc class add dev eth0 parent 8001: classid 8001:1 htb rate 100mbit
# tc filter add dev eth0 parent 8001: basic classid 8001:1

Workflow using classid generation & database:
# nl-qdisc-add --dev=eth0 --parent=root --id=top htb
# nl-class-add --dev=eth0 --parent=top --id=my_class htb --rate=100mbit
# nl-cls-add --dev=eth0 --parent=top basic --target=my_class
# tail /etc/libnl/classid
[...]
4001:      top
4001:1     my_class    # You may want to describe the class here.
Example

Using the cgroup classifier becomes somewhat easier. No more messing with classids:
# nl-qdisc-add --dev eth0 --parent root --id top htb
# nl-class-add --dev eth0 --parent top --id class1 htb --rate 10mbit
# nl-class-add --dev eth0 --parent top --id class2 htb --rate 20mbit
# nl-cls-add --dev eth0 --parent top --id my_filter cgroup
# nl-classid-lookup --raw class1 > /dev/cgroup/A/net_cls.classid
# nl-classid-lookup --raw class2 > /dev/cgroup/B/net_cls.classid
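The classid database and the raw value that ends up in net_cls.classid, as an added example (Python; not code from the slides or from libnl). It assumes the /etc/libnl/classid line format shown above (handle, name, optional "#" comment), tc's hexadecimal major:minor handle syntax, the TC_H_MAKE() packing (major << 16 | minor) as the raw 32-bit value, and an allocation policy for generated ids (lowest unused major from 0x4000 for a qdisc, lowest unused minor under the parent for a class) that stands in for whatever the nl-* tools actually do. The database text is constructed to mirror the slide.

```python
"""Classid database helpers in the style of the libnl nl-* tools.
Added example, not code from the slides or libnl; assumptions are noted inline."""

# Constructed sample of /etc/libnl/classid, mirroring the slide's database.
SAMPLE_CLASSID_DB = """\
# handle    name      # comment
4001:       top       # root htb qdisc
4001:1      class1    # 10mbit
4001:2      class2    # 20mbit
"""


def parse_handle(text):
    """'4001:' -> (0x4001, 0), '4001:1' -> (0x4001, 1). Digits are hex, as for tc."""
    major, sep, minor = text.partition(":")
    if not sep:
        raise ValueError(f"handle {text!r} lacks ':'")
    maj = int(major, 16) if major else 0
    mn = int(minor, 16) if minor else 0
    if not (0 <= maj <= 0xFFFF and 0 <= mn <= 0xFFFF):
        raise ValueError(f"handle {text!r} out of 16-bit range")
    return maj, mn


def format_handle(major, minor):
    """Inverse of parse_handle; a handle with minor 0 prints as '4001:' like tc does."""
    return f"{major:x}:{minor:x}" if minor else f"{major:x}:"


def handle_to_raw(major, minor):
    """TC_H_MAKE(): the 32-bit value nl-classid-lookup --raw is assumed to emit."""
    return (major << 16) | minor


def raw_to_handle(raw):
    return (raw >> 16) & 0xFFFF, raw & 0xFFFF


def load_classid_db(text):
    """Parse the database into name -> (major, minor); duplicate names are rejected."""
    db = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()   # everything after '#' is a comment
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'handle name'")
        handle, name = parts
        if name in db:
            raise ValueError(f"line {lineno}: duplicate name {name!r}")
        db[name] = parse_handle(handle)
    return db


def allocate_classid(db, name, parent=None, first_major=0x4000):
    """Generate a handle for a new named object the way --id on nl-qdisc-add /
    nl-class-add would. Policy is an assumption of this example: a qdisc takes
    the lowest unused major >= first_major, a class the lowest unused minor
    under its parent's major. Records and returns the (major, minor)."""
    if name in db:
        raise ValueError(f"{name!r} already in database")
    if parent is None:
        used = {maj for maj, _ in db.values()}
        maj = next((m for m in range(first_major, 0x10000) if m not in used), None)
        handle = (maj, 0)
    else:
        maj, _ = db[parent]
        used = {mn for pm, mn in db.values() if pm == maj}
        mn = next((m for m in range(1, 0x10000) if m not in used), None)
        handle = (maj, mn)
    if None in handle:
        raise RuntimeError("no free handle left")
    db[name] = handle
    return handle


def net_cls_value(db, name):
    """The string to write into a cgroup's net_cls.classid for the named class."""
    return str(handle_to_raw(*db[name]))


def db_to_text(db):
    """Serialise the database back into the file format, sorted by handle."""
    rows = sorted(db.items(), key=lambda kv: kv[1])
    return "".join(f"{format_handle(*h):<12}{n}\n" for n, h in rows)


if __name__ == "__main__":
    db = load_classid_db(SAMPLE_CLASSID_DB)
    allocate_classid(db, "class3", parent="top")
    for name, handle in db.items():
        print(f"{name:8} {format_handle(*handle):8} net_cls.classid={net_cls_value(db, name)}")
```

The point of the raw form is that net_cls.classid wants the packed 32-bit number, not the "4001:1" text; resolving the name through the database keeps the cgroup side free of hand-typed classids, which is what the slide's second workflow buys.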
/etc/libnl/pktloc: simplification of matching

Same result using a pktloc based ematch (both match the 16-bit value 20 at offset 0 of the transport header, i.e. the TCP source port):
# tc filter add [...] u32 match u16 20 ffff at nexthdr+0 [...]
# nl-cls-add [...] basic --ematch 'tcp.sport = 20' [...]
Ematch Expression Parser
Logic expressions: A && !(B || C)
Integrated packet location aliases: ip.ttl > 5
Parsing of addresses: 2001:10::5 represents a 128-bit byte pattern
Examples

Matches packets with a dport strictly between 1024 and 2048:
# nl-cls-add [...] basic \
    --ematch 'tcp.dport > 1024 && tcp.dport < 2048' \
    --target my_class

Match ECN bits ECT(1|2):
# nl-cls-add [...] basic \
    --ematch '!ip.diffserv & 2 = 0' \
    --target my_class
While the current system load is > 1.0, filter all packets exceeding a packet size of 256 bytes to class slow_down_class:
# nl-cls-add [...] basic \
    --ematch 'meta(pktlen > 256) && meta(loadavg_0 > 100)' \
    --target slow_down_class
Matches all packets originating from 3ffe::/16 which also have a mark value between 20 and 30 or a flowlabel set to 40 (the line continuation belongs outside the quoted expression):
# nl-cls-add [...] basic \
    --ematch 'pattern(ip6.src = 3ffe::/16) && ((meta(mark > 20) && meta(mark < 30)) || ip6.flowlabel = 40)' \
    --target my_class
While the receive backlog of the socket is greater than 5, filter all non-ICMP packets to my_class:
# nl-cls-add [...] basic \
    --ematch 'meta(sk_rcvqlen > 5) && !ip.proto = 1' \
    --target my_class
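A parser and evaluator for the expression syntax the pktloc and ematch slides above use, as an added example (Python; not code from the slides or from libnl's ematch grammar). It covers the constructs the examples rely on: &&, ||, !, parentheses, the meta(...) and pattern(...) wrappers, an optional "& mask" after the packet location, and integers or IPv4/IPv6 addresses and prefixes (3ffe::/16) on the right-hand side. Packet locations are looked up in a plain dict of already-decoded field values, so the sample packets in the usage are constructed rather than parsed from bytes, and the slides' numeric thresholds (for example loadavg_0 > 100) are taken as given.

```python
"""Parse and evaluate libnl-style ematch expressions against packet metadata.
Added example, not code from the slides or libnl; see the lead-in for assumptions."""
import ipaddress
import re

TOKEN_RE = re.compile(r"\s*(&&|\|\||[!()&=<>]|[A-Za-z0-9_.:/]+)")
FIELD_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*")
KINDS = ("meta", "pattern", "cmp")   # ematch wrappers used on the slides

def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def parse_value(tok):
    """Right-hand side: integer (0x prefix allowed), IP address, or prefix like 3ffe::/16."""
    try:
        return int(tok, 0)
    except ValueError:
        return ipaddress.ip_network(tok, strict=False) if "/" in tok else ipaddress.ip_address(tok)

class Parser:
    """Recursive descent over: or := and ('||' and)*; and := unary ('&&' unary)*;
    unary := '!' unary | '(' or ')' | kind '(' match ')' | match;
    match := location ['&' mask] ('=' | '<' | '>') value."""
    def __init__(self, expr):
        self.toks, self.i = tokenize(expr), 0
    def peek(self, ahead=0):
        j = self.i + ahead
        return self.toks[j] if j < len(self.toks) else None
    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        self.i += 1
        return tok
    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"trailing input: {self.toks[self.i:]!r}")
        return node
    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "||":
            self.take()
            node = ("or", node, self.parse_and())
        return node
    def parse_and(self):
        node = self.parse_unary()
        while self.peek() == "&&":
            self.take()
            node = ("and", node, self.parse_unary())
        return node
    def parse_unary(self):
        if self.peek() == "!":
            self.take()
            return ("not", self.parse_unary())
        if self.peek() == "(":
            self.take()
            node = self.parse_or()
            self.take(")")
            return node
        if self.peek() in KINDS and self.peek(1) == "(":   # meta(...) / pattern(...)
            self.take()
            self.take("(")
            node = self.parse_match()
            self.take(")")
            return node
        return self.parse_match()
    def parse_match(self):
        field = self.take()
        if not FIELD_RE.fullmatch(field):
            raise ValueError(f"bad packet location {field!r}")
        mask = None
        if self.peek() == "&":          # 'loc & mask = value' compares (loc & mask)
            self.take()
            mask = int(self.take(), 0)
        op = self.take()
        if op not in ("=", "<", ">"):
            raise ValueError(f"bad operator {op!r}")
        return ("match", field, mask, op, parse_value(self.take()))

def evaluate(node, fields):
    """fields: dict of packet location / meta name -> int or address string (constructed input)."""
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], fields) and evaluate(node[2], fields)
    if kind == "or":
        return evaluate(node[1], fields) or evaluate(node[2], fields)
    if kind == "not":
        return not evaluate(node[1], fields)
    _, field, mask, op, value = node
    if field not in fields:
        raise KeyError(f"no value for packet location {field!r}")
    actual = fields[field]
    if isinstance(value, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        if op != "=":
            raise ValueError("prefix matches support '=' only")
        return ipaddress.ip_address(actual) in value
    if isinstance(value, (ipaddress.IPv4Address, ipaddress.IPv6Address)):
        actual = ipaddress.ip_address(actual)
    elif mask is not None:
        actual &= mask
    if op == "=":
        return actual == value
    return actual < value if op == "<" else actual > value

def matches(expr, fields):
    """True if the ematch expression selects the packet described by fields."""
    return evaluate(Parser(expr).parse(), fields)
```

Usage: matches("!ip.diffserv & 2 = 0", {"ip.diffserv": 0x02}) is True because the mask is applied before the comparison and the "!" then negates the whole match, which is the precedence the slide's ECN example depends on. Unknown packet locations raise instead of silently matching nothing, which is the safer failure mode for a filter that steers traffic.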
Netlink Error Messages

Error codes alone are insufficient: EINVAL can stand for almost anything. We need error strings.
Netlink Error Messages
Idea: append an error string at the end of the error message.

Today:
  Netlink Error Message
    Error Code = EINVAL
    Original Request Message

Proposed:
  Netlink Error Message
    Error Code = EINVAL
    Original Request Message
    Error String = "u32: change request requires handle to be set."
Store const char * in skb->cb -164,6 +170,7 struct netlink_skb_parms { __u32 loginuid; /* Login (audit) uid */ __u32 sessionid; /* Session id (audit) */ __u32 sid; /* SELinux security id */ + const char * errmsg; /* Error message to send back */ }; Uses the 8 bytes that are left!
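Review bot: `const char * errmsg` is the wrong type for this field. The next slide's nl_set_errmsg() allocates the buffer with kzalloc(), formats into it and frees it again, so this is owned, writable memory and should be `char *errmsg`, with the comment saying who frees it (suggest: "Error message to send back; netlink_ack() kfrees it"). Nothing in the hunk frees the message when an skb is dropped without reaching netlink_ack(), and skb->cb has no destructor, so every path that sets it and bails out leaks the allocation. The "8 bytes that are left" claim also depends on the pointer size and the current layout of struct netlink_skb_parms; back it with a BUILD_BUG_ON comparing sizeof(struct netlink_skb_parms) against the size of skb->cb so a later field addition fails at compile time rather than corrupting the skb.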
Allocate & assign error message (skb is passed by pointer, NETLINK_CB() yields an lvalue so its address is taken, and the buffer is formatted before being stored in the const pointer and released with kfree(), not free()):

void nl_set_errmsg(struct sk_buff *skb, const char *fmt, ...)
{
	struct netlink_skb_parms *p = &NETLINK_CB(skb);
	char *buf;
	va_list args;

	/* Consecutive calls will overwrite previous error messages. */
	kfree(p->errmsg);
	p->errmsg = NULL;

	buf = kzalloc(NL_ERRMSG_MAXLEN, GFP_KERNEL);
	if (!buf)
		return;

	va_start(args, fmt);
	vsnprintf(buf, NL_ERRMSG_MAXLEN, fmt, args);
	va_end(args);

	p->errmsg = buf;
}
In netlink_ack(), check if error string was set and append it to end of error message. BUGS: Only works if netlink_ack()/netlink_rcv_skb() is used while processing messages. What do you think?
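Both sides of the proposed error message, as an added example (Python; not code from the slides or from the kernel): a builder that lays the ack out the way netlink_ack() would under the proposal, and a userspace parser that recovers the errno and the trailing string while validating every length it reads from the wire. It uses the nlmsghdr and nlmsgerr layouts of <linux/netlink.h> (16-byte header; nlmsgerr is a signed 32-bit error followed by the echoed request) and assumes, as the slides propose, that the nul-terminated string starts at the 4-byte-aligned end of nlmsgerr. The request being acked is constructed: an RTM_NEWTFILTER header plus 8 bytes of payload.

```python
"""Wire format of a netlink error ack with a trailing error string.
Added example, not code from the slides or the kernel; see the lead-in for assumptions."""
import errno
import struct

NLMSG_ERROR = 0x2
NLMSG_HDR = struct.Struct("=IHHII")   # nlmsg_len, nlmsg_type, nlmsg_flags, nlmsg_seq, nlmsg_pid
NLMSG_HDRLEN = NLMSG_HDR.size         # 16
ERR_FIELD = struct.Struct("=i")       # nlmsgerr.error: 0 or a negative errno


def nlmsg_align(n):
    return (n + 3) & ~3


def build_error_ack(request, error, errmsg=None):
    """Kernel side: what netlink_ack() would emit under the proposal."""
    if len(request) < NLMSG_HDRLEN:
        raise ValueError("request shorter than nlmsghdr")
    req_len, _, _, seq, pid = NLMSG_HDR.unpack_from(request)
    if req_len != len(request):
        raise ValueError("request nlmsg_len does not match its size")
    if error > 0:
        raise ValueError("error must be 0 or a negative errno")
    body = ERR_FIELD.pack(error) + request                 # struct nlmsgerr, whole request echoed
    body += b"\0" * (nlmsg_align(len(body)) - len(body))  # pad to NLMSG_ALIGNTO
    if errmsg is not None:
        body += errmsg.encode() + b"\0"                    # the proposed trailing string
    return NLMSG_HDR.pack(NLMSG_HDRLEN + len(body), NLMSG_ERROR, 0, seq, pid) + body


def parse_error_ack(data):
    """Userspace side. Returns (errno, message or None) and raises ValueError on a
    malformed ack. Every length used for indexing comes from the wire, so it is
    checked against what was actually received before it is trusted."""
    if len(data) < NLMSG_HDRLEN:
        raise ValueError("short nlmsghdr")
    nlmsg_len, nlmsg_type, _, _, _ = NLMSG_HDR.unpack_from(data)
    if nlmsg_type != NLMSG_ERROR:
        raise ValueError(f"not an error ack (type {nlmsg_type})")
    if nlmsg_len > len(data) or nlmsg_len < NLMSG_HDRLEN + ERR_FIELD.size + NLMSG_HDRLEN:
        raise ValueError("ack truncated")
    error, = ERR_FIELD.unpack_from(data, NLMSG_HDRLEN)
    if error > 0:
        raise ValueError("positive error value")
    orig_len, = struct.unpack_from("=I", data, NLMSG_HDRLEN + ERR_FIELD.size)
    if orig_len < NLMSG_HDRLEN:
        raise ValueError("echoed request header too short")
    off = NLMSG_HDRLEN + nlmsg_align(ERR_FIELD.size + orig_len)
    if off > nlmsg_len:
        raise ValueError("echoed request longer than the ack itself")
    message = None
    if off < nlmsg_len:                                    # a kernel without the extension stops here
        tail = data[off:nlmsg_len]
        end = tail.find(b"\0")
        if end < 0:
            raise ValueError("error string not nul-terminated inside nlmsg_len")
        message = tail[:end].decode("utf-8", "replace")
    return -error, message


# Constructed sample request: RTM_NEWTFILTER (44) with NLM_F_REQUEST|NLM_F_ACK and 8 bytes of payload.
RTM_NEWTFILTER = 44
NLM_F_REQUEST, NLM_F_ACK = 0x1, 0x4
SAMPLE_REQUEST = NLMSG_HDR.pack(NLMSG_HDRLEN + 8, RTM_NEWTFILTER, NLM_F_REQUEST | NLM_F_ACK, 7, 1234) + bytes(8)

if __name__ == "__main__":
    ack = build_error_ack(SAMPLE_REQUEST, -errno.EINVAL, "u32: change request requires handle to be set.")
    print(len(ack), parse_error_ack(ack))
```

A receiver that ignores bytes past the nlmsgerr keeps working unchanged, which is what makes the extension backward compatible; the parser above treats an unterminated string, or an echoed request that claims to be longer than the ack carrying it, as malformed rather than reading past nlmsg_len.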