Using tc ingress to rate-limit the receive direction


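QoS in Linux is split into an ingress part and an egress part. The ingress part is mainly used for policing inbound traffic; the egress part is mainly used for queuing and scheduling. Most queuing disciplines (qdiscs) apply to the output direction; the input direction has only one, the ingress qdisc. The ingress qdisc itself is quite limited, as described below: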

Ingress qdisc 
The ingress qdisc itself does not require any parameters. It differs from other qdiscs in that it does not occupy the root of a device. Attach it like this:
# tc qdisc add dev eth0 ingress
This allows you to have other, sending qdiscs on your device besides the ingress qdisc. 

About the ingress qdisc
Ingress qdisc (known as ffff:) can't have any children classes. (hence the existence of IMQ)
The only thing you can do with the ingress qdisc is attach filters. 

About filtering on the ingress qdisc
Since there are no classes to which to direct the packets, the only reasonable option is to drop the packets.
With clever use of filtering, you can limit particular traffic signatures to particular uses of your bandwidth.

Concretely, use the following commands to apply the rate limit:

tc qdisc add dev vnet1 handle ffff: ingress 
tc filter add dev vnet1 parent ffff: protocol all prio 49 basic police rate 10mbit burst 1mb mtu 65535 drop

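According to the tc documentation, rate limiting with tc ingress is limited: it appears the only option is to drop, and classification is not supported. In practice, we can redirect the traffic to an ifb device; the traffic leaves through that ifb device and is then received by the corresponding port. We can then apply egress rate limiting to the ifb device just as we normally would with tc, which achieves rate limiting for the receive direction. For the underlying principle, see the documents listed at the bottom.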

The ifb module has to be loaded manually.
# modprobe ifb

Bring up the virtual device ifb0
# ip link set dev ifb0 up

Next, configure the filter rules for ifb0

tc qdisc add dev ens3f3 handle ffff: ingress
tc filter add dev ens3f3 parent ffff: protocol ip u32 match u32 0 0 action mirred egress redirect dev ifb0
tc qdisc add dev ifb0 root handle 1: htb default 10
tc class add dev ifb0 parent 1: classid 1:1 htb rate 10000mbit 
tc class add dev ifb0 parent 1:1 classid 1:10 htb rate 1000mbit ceil 1000mbit

Note: the configuration above can rate-limit per port, but it cannot be combined with cgroup to rate-limit specific process groups.

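I originally wanted to use cgroup to rate-limit the ingress side the same way as the egress side, but in practice it did not take effect. I looked through related material online, and many people say that on the ingress side you cannot limit bandwidth the way cgroup does; specifically, it has to do with the order in which the cgroup marking happens.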

Be aware that if you use iptables to mark your packets and then filter them, you can't use ifb since all ingress traffic will be forwarded BEFORE any marking. So you will see your class stay at 0 and all forwarded to the default. IMQ seems the right solution for iptables users.

Source: <https://serverfault.com/questions/350023/tc-ingress-policing-and-ifb-mirroring>

However, rate limiting can be controlled by the source IP in the packets, configured as follows:

tc qdisc add dev ifb0 root handle 1: htb default 20
tc class add dev ifb0 parent 1: classid 1:1 htb rate 10000mbit
tc class add dev ifb0 parent 1:1 classid 1:10 htb rate 2000mbit
tc class add dev ifb0 parent 1:1 classid 1:20 htb rate 1000mbit
tc class add dev ifb0 parent 1:1 classid 1:30 htb rate 500mbit
tc filter add dev ifb0 protocol ip parent 1:0 prio 1 u32 match ip src 129.9.123.85 flowid 1:10
tc filter add dev ifb0 protocol ip parent 1:0 prio 1 u32 match ip src 129.9.123.89 flowid 1:20 
tc filter add dev ifb0 protocol ip parent 1:0 prio 1 u32 match ip src 129.9.123.88 flowid 1:20

Of course, we can also rate-limit by source port and destination port, configured as follows:

tc filter add dev ifb0 protocol ip parent 1:0 prio 1 u32 match ip dport 50051 0xffff flowid 1:30
tc filter add dev ifb0 protocol ip parent 1:0 prio 1 u32 match ip sport 45678 0xffff flowid 1:30
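
The Server Fault remark quoted above describes the failure signature: the specific classes stay at 0 and everything lands in the default class. As an added example (not part of the original post), the script below reads the counters printed by `tc -s class show dev ifb0` and reports that condition for the 1:10/1:20/1:30 hierarchy configured above. The function names are hypothetical and the embedded sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): check where ifb0 traffic lands.
# Function names are hypothetical; the sample below is constructed to mimic
# the per-class counters printed by `tc -s class show dev ifb0`.

sample_tc_output() {
cat <<'EOF'
class htb 1:1 root rate 10Gbit ceil 10Gbit burst 0b cburst 0b
 Sent 9000 bytes 60 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:10 parent 1:1 prio 0 rate 2Gbit ceil 2Gbit burst 1375b cburst 1375b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:20 parent 1:1 prio 0 rate 1Gbit ceil 1Gbit burst 1375b cburst 1375b
 Sent 9000 bytes 60 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:30 parent 1:1 prio 0 rate 500Mbit ceil 500Mbit burst 1375b cburst 1375b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
EOF
}

# Read `tc -s class show` text on stdin; print "classid bytes" for every
# class that has a parent (1:10, 1:20, 1:30 in the hierarchy above).
class_bytes() {
  awk '$1 == "class" { id = $3; child = ($4 == "parent") }
       $1 == "Sent" && child { print id, $2 }'
}

# idle_classes DEFAULT: child classes other than DEFAULT with a zero counter,
# i.e. classes whose u32 filters have matched nothing so far.
idle_classes() {
  class_bytes | awk -v d="$1" '$1 != d && $2 == 0 { print $1 }'
}

# only_default_used DEFAULT: succeeds when DEFAULT carries traffic and every
# other child class is still at 0 (filters not matching at all).
only_default_used() {
  class_bytes | awk -v d="$1" '
    $1 == d { dflt += $2 }
    $1 != d { other += $2 }
    END { exit !(dflt > 0 && other == 0) }'
}

# Live use: tc -s class show dev ifb0 | idle_classes 1:20
if sample_tc_output | only_default_used 1:20; then
  echo "all traffic is in the default class; idle classes:"
  sample_tc_output | idle_classes 1:20
fi
```

A zero counter only means no packet has matched yet, so run the check after sending traffic from the source addresses or ports the filters are meant to catch.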

 

References:

https://blog.csdn.net/zhangskd/article/details/8240290 
https://www.cnblogs.com/CasonChan/p/4919921.html

