graph TD
1: -- sys flow --> 1:1
1: -- user flow --> 1:2
1:1 -- prio 2 --> 1:11
1:2 -- prio 1 --> 1:21
1:2 -- prio 3 --> 1:22
Assume the example above, which separates system traffic from user traffic.
- 1:11: filter system packets out
- 1:21: filter SYN,ACK… important packets out
- 1:22: filter nothing, packet goes this tunnel by default
tc
```shell
# Create the root node; unclassified traffic falls into class 1:22
tc qdisc add dev wlan1 root handle 1:0 htb default 22

# Create the child nodes (system flow 1:1, user flow 1:2)
tc class add dev wlan1 parent 1:0 classid 1:1 htb rate 1000kbit ceil 1500kbit burst 100
tc class add dev wlan1 parent 1:0 classid 1:2 htb rate 9000kbit

# Create the leaf nodes
tc class add dev wlan1 parent 1:1 classid 1:11 htb rate 1000kbit ceil 1000kbit burst 100 prio 2
tc class add dev wlan1 parent 1:2 classid 1:21 htb rate 200kbit ceil 400kbit burst 15k prio 1
tc class add dev wlan1 parent 1:2 classid 1:22 htb rate 200kbit ceil 210kbit burst 5k prio 3

# Use stochastic fairness queueing (SFQ) on the leaf nodes, re-perturbing the hash every 10s
tc qdisc add dev wlan1 parent 1:11 handle 111: sfq perturb 10
tc qdisc add dev wlan1 parent 1:21 handle 121: sfq perturb 10
tc qdisc add dev wlan1 parent 1:22 handle 122: sfq perturb 10

# Set up fw filters so iptables can classify packets; the number after "handle" is the mark that is matched
tc filter add dev wlan1 parent 1:0 protocol ip prio 1 handle 1 fw classid 1:21
tc filter add dev wlan1 parent 1:0 protocol ip prio 2 handle 2 fw classid 1:11
tc filter add dev wlan1 parent 1:0 protocol ip prio 3 handle 3 fw classid 1:22
```
iptables
```shell
# Treat traffic matching this rule as system data, to make the test below easier
# (mark 2 -> fw handle 2 -> class 1:11). RETURN stops later rules from overwriting the mark.
iptables -t mangle -A OUTPUT -p udp --sport 5201 -j MARK --set-mark 2 > /dev/null 2>&1
iptables -t mangle -A OUTPUT -p udp --sport 5201 -j RETURN > /dev/null 2>&1

# Important data (mark 1 -> fw handle 1 -> class 1:21)
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 1 > /dev/null 2>&1
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN > /dev/null 2>&1

# Remaining data (mark 3 -> fw handle 3 -> class 1:22)
iptables -t mangle -A PREROUTING -j MARK --set-mark 3 > /dev/null 2>&1
iptables -t mangle -A PREROUTING -j RETURN > /dev/null 2>&1
```
others
SFE
On the mdm9x07 platform, the following modules must be unloaded, otherwise they interfere with tc:
- shortcut_fe_cm
- shortcut_fe_ipv6
- shortcut_fe
test tc statistic
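In the tc statistics, the bytes of dropped packets are not counted in the result. This can be tested as follows:

Using the tc and iptables rules above, generate traffic with iperf, configured as follows.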
sequenceDiagram
Note left of Server: iperf3 -s 192.168.100.1 -f k
Server ->> Client: UDP
Note right of Client: iperf3 -c 192.168.100.1 -u -R -b 20M
server result:

```
-----------------------------------------------------------
Server listening on 5201
-----------------------------------------------------------
Accepted connection from 192.168.100.43, port 50063
[ 5] local 192.168.100.1 port 5201 connected to 192.168.100.43 port 60524
[ ID] Interval Transfer Bitrate Total Datagrams
[ 5] 0.00-1.00 sec 2.38 MBytes 20.0 Mbits/sec 305
[ 5] 1.00-2.00 sec 2.39 MBytes 20.0 Mbits/sec 306
[ 5] 2.00-3.00 sec 2.38 MBytes 20.0 Mbits/sec 305
[ 5] 3.00-4.00 sec 2.38 MBytes 20.0 Mbits/sec 305
[ 5] 4.00-5.00 sec 2.38 MBytes 20.0 Mbits/sec 305
[ 5] 5.00-6.00 sec 2.38 MBytes 20.0 Mbits/sec 305
[ 5] 6.00-7.00 sec 2.38 MBytes 20.0 Mbits/sec 305
[ 5] 7.00-8.00 sec 2.39 MBytes 20.1 Mbits/sec 306
[ 5] 8.00-9.00 sec 2.38 MBytes 20.0 Mbits/sec 305
[ 5] 9.00-10.00 sec 2.38 MBytes 20.0 Mbits/sec 305
[ 5] 10.00-10.20 sec 480 KBytes 19.8 Mbits/sec 60
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Jitter Lost/Total Datagrams
[ 5] 0.00-10.20 sec 24.3 MBytes 20.0 Mbits/sec 0.000 ms 0/3112 (0%) sender
-----------------------------------------------------------
Server listening on 5201
-----------------------------------------------------------
```
Result of tc -s class show dev wlan1 classid 1:11:

```
class htb 1:11 parent 1:1 leaf 111: prio 2 rate 1000Kbit ceil 1000Kbit burst 100b cburst 1600b
 Sent 1466394 bytes 983 pkt (dropped 17690, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 983 borrowed: 0 giants: 0
 tokens: -183433 ctokens: 4067
```
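In the tc result, 1466394 bytes were sent in 983 packets, an average of 1466394 / 983 ~= 1492 bytes/pkt.

In the tc result, taking the packets actually sent plus the packets dropped, the total number of bytes is (983 + 17690) * 1492 ~= 26.56 MBytes.

In the server result, a total of 24.3 MBytes was sent, which is roughly equal to 26.56 MBytes (packet lengths may vary, so there is some error).

So the tc statistics do not count dropped packets; they count only the packets actually sent out after traffic shaping.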
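
The calculation above as a reusable check, added here as an example that is not part of the original post: it parses `tc -s class show` output and estimates the load offered to the class, including what was dropped. The function names are made up for this example, and the estimate assumes dropped packets have the same average size as sent ones.

```shell
#!/bin/sh
# Added example, not from the original post. Estimates the load offered to an
# HTB class, because "Sent" in `tc -s` counts only what left after shaping.

# The `tc -s class show dev wlan1 classid 1:11` output quoted in the post.
sample_tc_output() {
    cat <<'EOF'
class htb 1:11 parent 1:1 leaf 111: prio 2 rate 1000Kbit ceil 1000Kbit burst 100b cburst 1600b
 Sent 1466394 bytes 983 pkt (dropped 17690, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 983 borrowed: 0 giants: 0
 tokens: -183433 ctokens: 4067
EOF
}

# Reads `tc -s class show ...` output for ONE class on stdin and prints:
#   sent_bytes sent_pkts dropped avg_pkt_bytes offered_bytes drop_pct
# Assumption: dropped packets have the same average size as sent ones.
tc_offered_estimate() {
    awk '
    $1 == "Sent" && $3 == "bytes" && $5 == "pkt" && !found {
        bytes = $2 + 0
        pkts = $4 + 0
        dropped = $7; sub(/,$/, "", dropped); dropped += 0   # field is "17690,"
        found = 1
    }
    END {
        if (!found) { print "no Sent line in input" > "/dev/stderr"; exit 1 }
        avg = 0; offered = 0; pct = 0
        if (pkts > 0) {                       # idle class: avoid dividing by zero
            avg = int(bytes / pkts + 0.5)
            offered = int(bytes * (pkts + dropped) / pkts)
        }
        if (pkts + dropped > 0)
            pct = int(100 * dropped / (pkts + dropped))
        printf "%.0f %.0f %.0f %.0f %.0f %.0f\n", bytes, pkts, dropped, avg, offered, pct
    }'
}

# Stand-alone run on the post's numbers.
sample_tc_output | tc_offered_estimate
```

On a live device, pipe `tc -s class show dev wlan1 classid 1:11` into `tc_offered_estimate` instead of the sample.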