QoS has an ingress part and an egress part. The ingress part is mainly used for policing (rate-limiting incoming traffic); the egress part is mainly used for queueing and scheduling. Most queueing disciplines (qdiscs) apply to the output direction; the input direction has exactly one qdisc, the ingress qdisc.
1. Initial approach
- On the WAN interface: download is ingress, upload is egress
- On the LAN interface: download is egress, upload is ingress
So the usual approach is to shape downloads on the LAN interface and uploads on the WAN interface.
2. Problem encountered
With the approach above, LAN-to-LAN traffic gets shaped as well.
We tried filtering the LAN-to-LAN traffic out, but: 1. it is inflexible, because telling the addresses apart is hard (a public IP range can just as well be used inside the LAN); 2. every packet we do not care about still has to be inspected, which costs performance.
How do we shape only external traffic (LAN to WAN) and leave internal traffic (LAN to LAN) alone?
3. Add a virtual interface (ifb)
The idea behind ifb is to create a virtual interface and redirect the ingress traffic of a real interface to the egress of that ifb interface. So we redirect the WAN interface's ingress to the ifb interface's egress; now we only have to shape the ifb's output, and the LAN interface is left untouched.
The WAN interface's egress controls upload; the ifb interface's egress controls download.
4. How to distinguish LAN-side IPs: use marks
The LAN interface is now free of shaping (LAN-to-LAN traffic is not controlled), but we still want to control upload and download per LAN host.
Egress traffic on the WAN side has already been through NAT, so its source IP is no longer a LAN address and cannot identify a specific IP or user.
(SNAT, source-address translation, is typically used when many internal hosts share one external interface: their internal addresses are rewritten to a single public IP, which is what lets them reach other public IPs.)
The solution is the fw classifier. Hook a custom module (for example MyMark) onto netfilter's FORWARD hook and set marks according to your needs; this is where you can get creative, since essentially any policy you can think of can be expressed as a mark. (The stock iptables MARK target in the mangle table's FORWARD chain does the same job without a custom module.)
The fw classifier classifies by mark: first create a child class 20:17 under the parent class 20:1 (this child class carries the rate-limit rule), then classify packets carrying mark 257/0xfffff into 20:17; the mark 257/0xfffff itself is set by the matching rule in iptables' FORWARD chain.
5. Example
Take eth1 as an example.
1) Create the ingress qdisc on eth1
2) Redirect eth1's ingress traffic to ifb4eth1
3) Set the QoS rules on ifb4eth1 with the tc tool
4) Bring up the ifb4eth1 interface
After a successful start the interface information looks like this:
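The following script is an added example, not code from the original post: it carries out steps 1) to 4) above for eth1 and the mark-based classification from section 4 in one place. The interface names, rates, the LAN host 192.168.1.17, the extra 20:10 class for unmarked traffic and the connmark/CONNMARK steps are assumptions for illustration; the classes 20:1 and 20:17 and the mark 257/0xfffff are the values the post uses. With DRY_RUN=1 (the default) every command is printed instead of executed, so the sequence can be reviewed on any machine; DRY_RUN=0 applies it and needs root.

```shell
#!/bin/sh
# Added example (not from the original post): WAN ingress redirected to an ifb
# device for download shaping, HTB on the WAN egress for upload shaping, and an
# fw filter that places packets carrying mark 257/0xfffff into class 20:17.
# Names, rates and the LAN host are assumptions; DRY_RUN=1 only prints commands.

WAN=${WAN:-eth1}                    # physical WAN interface
IFB=${IFB:-ifb4$WAN}                # ifb device that receives the WAN ingress
LAN_HOST=${LAN_HOST:-192.168.1.17}  # assumed LAN client to limit
MARK=257                            # mark value from the post
MASK=0xfffff                        # mark mask from the post
LINK_RATE=${LINK_RATE:-1000mbit}    # assumed link speed of the parent class
DL_RATE=${DL_RATE:-20mbit}          # assumed download limit for LAN_HOST
UL_RATE=${UL_RATE:-5mbit}           # assumed upload limit for LAN_HOST

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The ifb device must exist before anything can be redirected to it. modprobe
# also creates ifb0/ifb1 by default; a per-WAN name keeps them apart.
ifb_create() {
    run modprobe ifb
    run ip link add "$IFB" type ifb
}

# Steps 1 and 2: ingress qdisc on the WAN interface, then redirect every ingress
# packet to the egress of the ifb device. The ingress hook runs before netfilter,
# so a mark set by iptables is not on the packet yet; "action connmark" restores
# the mark that mark_lan_host saved in conntrack before the redirect happens.
wan_ingress_to_ifb() {
    run tc qdisc add dev "$WAN" handle ffff: ingress
    run tc filter add dev "$WAN" parent ffff: protocol all prio 1 u32 match u32 0 0 \
        action connmark \
        action mirred egress redirect dev "$IFB"
}

# Step 3 (on the ifb) and the upload side (on the WAN): HTB root 20:, parent
# class 20:1, child 20:17 carrying the limit, and an fw filter sending packets
# whose mark matches MARK/MASK into 20:17. HTB's "default" must name a leaf:
# pointing it at the inner class 20:1 lets unmatched traffic bypass shaping,
# so class 20:10 is added for everything else.
shape_with_mark() {
    _dev=$1; _rate=$2
    run tc qdisc add dev "$_dev" root handle 20: htb default 10
    run tc class add dev "$_dev" parent 20: classid 20:1 htb rate "$LINK_RATE"
    run tc class add dev "$_dev" parent 20:1 classid 20:10 htb rate "$_rate" ceil "$LINK_RATE"
    run tc class add dev "$_dev" parent 20:1 classid 20:17 htb rate "$_rate" ceil "$_rate"
    run tc filter add dev "$_dev" parent 20: protocol ip prio 1 handle "$MARK/$MASK" fw classid 20:17
}

# Section 4: mark the LAN host's packets in the mangle table's FORWARD chain
# (after DNAT and before SNAT, so LAN addresses are still visible there) and
# save the mark to conntrack so the ingress path above can recover it.
mark_lan_host() {
    run iptables -t mangle -A FORWARD -s "$LAN_HOST" -j MARK --set-mark "$MARK"
    run iptables -t mangle -A FORWARD -d "$LAN_HOST" -j MARK --set-mark "$MARK"
    run iptables -t mangle -A FORWARD -m mark --mark "$MARK" -j CONNMARK --save-mark
}

# Step 4: bring the ifb device up so redirected packets are actually dequeued.
ifb_up() {
    run ip link set "$IFB" up
}

qos_apply() {
    ifb_create
    wan_ingress_to_ifb
    shape_with_mark "$IFB" "$DL_RATE"   # download: ifb egress
    ifb_up
    shape_with_mark "$WAN" "$UL_RATE"   # upload: WAN egress
    mark_lan_host
}

qos_teardown() {
    run tc qdisc del dev "$WAN" ingress
    run tc qdisc del dev "$WAN" root
    run tc qdisc del dev "$IFB" root
    run ip link del "$IFB"
    run iptables -t mangle -D FORWARD -s "$LAN_HOST" -j MARK --set-mark "$MARK"
    run iptables -t mangle -D FORWARD -d "$LAN_HOST" -j MARK --set-mark "$MARK"
    run iptables -t mangle -D FORWARD -m mark --mark "$MARK" -j CONNMARK --save-mark
}

case "${1:-apply}" in
    apply)    qos_apply ;;
    teardown) qos_teardown ;;
esac
```

Two checks worth making before relying on this: the fw filter on the ifb only sees a mark if something restored it on the ingress path (hence the connmark action, which needs act_connmark in the kernel), and `tc -s class show dev ifb4eth1` should show bytes accumulating in 20:17 rather than 20:10 when the marked host downloads; if everything lands in 20:10, the mark is being set too late or not saved to conntrack.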
https://wiki.linuxfoundation.org/networking/ifb
http://tldp.org/HOWTO/Traffic-Control-HOWTO/index.html
Traffic control in the input direction with ifb:
https://blog.csdn.net/eydwyz/article/details/53392227
Linux Tools, part 1: Advanced traffic control with TC + HTB + IFB + a kernel module:
https://blog.csdn.net/i_scream_/article/details/82776333