Linux Advanced Routing & Traffic Control HOWTO

Bert Hubert

Netherlabs BV

bert.hubert@netherlabs.nl

Thomas Graf (Section Author)

tgraf%suug.ch

Gregory Maxwell (Section Author)
Remco van Mook (Section Author)

remco@virtu.nl

Martijn van Oosterhout (Section Author)

kleptog@cupid.suninternet.com

Paul B Schroeder (Section Author)

paulsch@us.ibm.com

Jasper Spaans (Section Author)

jasper@spaans.ds9a.nl

Pedro Larroy (Section Author)

piotr%member.fsf.org

NAKANO Takeo (Translator of the Japanese edition)

nakano@apm.seikei.ac.jp

Revision History
Revision 1.41j1 (Japanese edition)        2003/10/19
Revision 1.41 (DocBook Edition)           2003/10/12 15:51:04

A very hands-on approach to iproute2, traffic shaping and a bit of
netfilter.

 

Table of Contents
1. Dedication
2. Introduction
   
    2.1. Disclaimer & License
    2.2. Prior knowledge
    2.3. What Linux can do for you
    2.4. Housekeeping notes
    2.5. Access, CVS & submitting updates
    2.6. Mailing list
    2.7. Layout of this document
   
3. Introduction to iproute2
   
    3.1. Why iproute2?
    3.2. iproute2 tour
    3.3. Prerequisites
    3.4. Exploring your current configuration
    3.5. ARP
   
4. Rules - routing policy database
   
    4.1. Simple source policy routing
    4.2. Routing for multiple uplinks/providers
   
5. GRE and other tunnels
   
    5.1. A few general remarks about tunnels
    5.2. IP in IP tunneling
    5.3. GRE tunneling
    5.4. Userland tunnels
   
6. IPv6 tunneling with Cisco and/or 6bone
   
    6.1. IPv6 Tunneling
   
7. IPSEC: secure IP over the Internet
   
    7.1. Intro with Manual Keying
    7.2. Automatic keying
    7.3. IPSEC tunnels
    7.4. Other IPSEC software
    7.5. IPSEC interoperation with other systems
   
8. Multicast routing
9. Queueing Disciplines for Bandwidth Management
   
    9.1. Queues and Queueing Disciplines explained
    9.2. Simple, classless Queueing Disciplines
    9.3. Advice for when to use which queue
    9.4. Terminology
    9.5. Classful Queueing Disciplines
    9.6. Classifying packets with filters
    9.7. The Intermediate queueing device (IMQ)
   
10. Load sharing over multiple interfaces
   
    10.1. Caveats
    10.2. Other possibilities
   
11. Netfilter & iproute - marking packets
12. Advanced filters for (re-)classifying packets
   
    12.1. The u32 classifier
    12.2. The route classifier
    12.3. Policing filters
    12.4. Hashing filters for very fast massive filtering
    12.5. Filtering IPv6 Traffic
   
13. Kernel network parameters
   
    13.1. Reverse Path Filtering
    13.2. Obscure settings
   
14. Advanced & less common queueing disciplines
   
    14.1. bfifo/pfifo
    14.2. Clark-Shenker-Zhang algorithm (CSZ)
    14.3. DSMARK
    14.4. Ingress qdisc
    14.5. Random Early Detection (RED)
    14.6. Generic Random Early Detection
    14.7. VC/ATM emulation
    14.8. Weighted Round Robin (WRR)
   
15. Cookbook
   
    15.1. Running multiple sites with different SLAs
    15.2. Protecting your host from SYN floods
    15.3. Rate limit ICMP to prevent dDoS
    15.4. Prioritizing interactive traffic
    15.5. Transparent web-caching using netfilter, iproute2, ipchains and
        squid
    15.6. Circumventing Path MTU Discovery issues with per route MTU
        settings
    15.7. Circumventing Path MTU Discovery issues with MSS Clamping (for
        ADSL, cable, PPPoE & PPtP users)
    15.8. The Ultimate Traffic Conditioner: Low Latency, Fast Up &
        Downloads
    15.9. Rate limiting a single host or netmask
    15.10. Example of a full nat solution with QoS
   
16. Building bridges, and pseudo-bridges with Proxy ARP
   
    16.1. State of bridging and iptables
    16.2. Bridging and shaping
    16.3. Pseudo-bridges with Proxy-ARP
   
17. Dynamic routing - OSPF and BGP
   
    17.1. Setting up OSPF with Zebra
    17.2. Setting up BGP4 with Zebra
   
18. Other possibilities
19. Further reading
20. Acknowledgements
21. About the Japanese translation

 

Chapter 1. Dedication

This document is dedicated to lots of people, and is my attempt to do
something back. To list but a few:

  * Rusty Russell
  * Alexey N. Kuznetsov
  * The good folks from Google
  * The staff of Casema Internet
 

Chapter 2. Introduction

Welcome, gentle reader.

This document hopes to enlighten you on how to do more with Linux 2.2/2.4
routing. Unbeknownst to most users, you already run tools which allow you
to do spectacular things. Commands like route and ifconfig are actually
very thin wrappers for the very powerful iproute2 infrastructure.

I hope that this HOWTO will become as readable as the ones by Rusty
Russell of (amongst other things) netfilter fame.

You can always reach us by writing to the HOWTO team
<mailto:HOWTO@ds9a.nl>. However, please consider posting to the mailing
list (see the relevant section) if you have questions which are not
directly related to this HOWTO. We are no free helpdesk, but we often
will answer questions asked on the list.

Before losing your way in this HOWTO, if all you want to do is simple
traffic shaping, skip everything and head to the "Other possibilities"
chapter, and read about CBQ.init.

 

2.1. Disclaimer & License

This document is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

In short, if your STM-64 backbone breaks down and distributes
pornography to your most esteemed customers - it's never our fault.
Sorry.

Copyright (c) 2002 by bert hubert, Gregory Maxwell, Martijn van
Oosterhout, Remco van Mook, Paul B. Schroeder and others. This material
may be distributed only subject to the terms and conditions set forth
in the Open Publication License, v1.0 or later (the latest version is
presently available at http://www.opencontent.org/openpub/).

Please freely copy and distribute (sell or give away) this document in
any format. It's requested that corrections and/or comments be
forwarded to the document maintainer.

It is also requested that if you publish this HOWTO in hardcopy that
you send the authors some samples for "review purposes" :-)

 

2.1.1. Translation of the above (for reference)

The Japanese edition places a reference translation of the disclaimer and
license above at this point; the English text remains the authoritative
version.

 

2.2. Prior knowledge

As the title implies, this is the "Advanced" HOWTO. While by no means
rocket science, some prior knowledge is assumed.

Here are some other references which might help you learn more:

Rusty Russell's networking-concepts-HOWTO <http://netfilter.samba.org/
    unreliable-guides/networking-concepts-HOWTO/index.html>
   
    Very nice introduction, explaining what a network is, and how it is
    connected to other networks.
   
Linux Networking-HOWTO (Previously the Net-3 HOWTO)
   
    Great stuff, although very verbose. It teaches you a lot of things
    that are already configured if you are able to connect to the
    Internet. Should be located in /usr/doc/HOWTO/NET3-4-HOWTO.txt but
    can also be found online <http://www.linuxports.com/howto/
    networking>.
   
 

2.3. What Linux can do for you

A small list of things that are possible:

  * Throttle bandwidth for certain computers
  * Throttle bandwidth TO certain computers
  * Help you to fairly share your bandwidth
  * Protect your network from DoS attacks
  * Protect the Internet from your customers
  * Multiplex several servers as one, for load balancing or enhanced
    availability
  * Restrict access to your computers
  * Limit access of your users to other hosts
  * Do routing based on user id (yes!), MAC address, source IP address,
    port, type of service, time of day or content

Currently, not many people are using these advanced features. This is for
several reasons. While the provided documentation is verbose, it is not
very hands on. Traffic control is almost undocumented.

 

2.4. Housekeeping notes

There are several things which should be noted about this document. While
I wrote most of it, I really don't want it to stay that way. I am a
strong believer in Open Source, so I encourage you to send feedback,
updates, patches etcetera. Do not hesitate to inform me of typos or plain
old errors. If my English sounds somewhat wooden, please realise that I'm
not a native speaker. Feel free to send suggestions.

If you feel you are qualified to maintain a section, or think that you
can author and maintain new sections, you are welcome to do so. The SGML
of this HOWTO is available via CVS; I very much envision more people
working on it.

In aid of this, you will find lots of FIXME notices. Patches are always
welcome! Wherever you find a FIXME, you should know that you are treading
in unknown territory. This is not to say that there are no errors
elsewhere, but be extra careful. If you have validated something, please
let us know so we can remove the FIXME notice.

About this HOWTO, I will take some liberties along the road. For example,
I postulate a 10Mbit Internet connection, while I know full well that
those are not very common.

 

2.5. Access, CVS & submitting updates

The canonical location for the HOWTO is <http://www.ds9a.nl/lartc>.

We now have anonymous CVS access available to the world at large. This is
good in a number of ways. You can easily upgrade to newer versions of this
HOWTO, and submitting patches is no work at all.

Furthermore, it allows the authors to work on the source independently,
which is good too.

$ export CVSROOT=:pserver:anon@outpost.ds9a.nl:/var/cvsroot         
$ cvs login                                                         
CVS password: [enter 'cvs' (without 's)]                            
$ cvs co 2.4routing                                                 
cvs server: Updating 2.4routing                                     
U 2.4routing/lartc.db                                               


If you make changes that you think should be included, you can generate a
diff with cvs -z3 diff -uBb and mail the output to <howto@ds9a.nl>, then
we can integrate it easily. Thanks! Please make sure that you edit the
.db file, by the way; the other files are generated from that one.

A Makefile is supplied which should help you create postscript, dvi, pdf,
html and plain text. You may need to install docbook, docbook-utils,
ghostscript and tetex to get all formats.

Be careful not to edit 2.4routing.sgml! It contains an older version of
this HOWTO. The right file is lartc.db.

 

2.6. Mailing list

The authors receive an increasing amount of mail about this HOWTO. Because
of the clear interest of the community, it has been decided to start a
mailing list where people can talk to each other about Advanced Routing
and Traffic Control. You can subscribe to the list at <http://
mailman.ds9a.nl/mailman/listinfo/lartc>.

It should be pointed out that the authors are very hesitant to answer
questions not asked on the list. We would like the archive of the list to
become some kind of knowledge base. If you have a question, please search
the archive, and then post to the mailing list.

 

2.7. Layout of this document

We will be doing interesting stuff almost immediately, which also means
that there will initially be parts that are explained incompletely or are
not perfect. Please gloss over these parts and assume that all will become
clear.

Routing and filtering are two distinct things. Filtering is documented
very well by Rusty's HOWTOs, available here:

  * Rusty's Remarkably Unreliable Guides <http://netfilter.samba.org/
    unreliable-guides/>

We will be focusing mostly on what is possible by combining netfilter and
iproute2.

 

Chapter 3. Introduction to iproute2

3.1. Why iproute2?

Most Linux distributions, and most UNIX's, currently use the venerable
arp, ifconfig and route commands. While these tools work, they show some
unexpected behaviour under Linux 2.2 and up. For example, GRE tunnels are
an integral part of routing these days, but require completely different
tools.

With iproute2, tunnels are an integral part of the tool set.

The 2.2 and above Linux kernels include a completely redesigned network
subsystem. This new networking code brings Linux performance and a
feature set with little competition in the general OS arena. In fact, the
new routing, filtering, and classifying code is more featureful than that
provided by many dedicated routers, firewalls and traffic shaping
products.

As new networking concepts have been invented, people have found ways to
plaster them on top of the existing framework in existing OSes. This
constant layering of cruft has led to networking code that is filled with
strange behaviour, much like most human languages. In the past, Linux
emulated SunOS's handling of many of these things, which was not ideal.

This new framework makes it possible to clearly express features
previously beyond Linux's reach.

 

3.2. iproute2 tour

Linux has a sophisticated system for bandwidth provisioning called Traffic
Control. This system supports various methods for classifying,
prioritizing, sharing, and limiting both inbound and outbound traffic.

We'll start off with a tiny tour of iproute2 possibilities.

 

3.3. Prerequisites

You should make sure that you have the userland tools installed. This
package is called 'iproute' on both RedHat and Debian, and may otherwise
be found at ftp://ftp.inr.ac.ru/ip-routing/
iproute2-2.2.4-now-ss??????.tar.gz.

You can also try <ftp://ftp.inr.ac.ru/ip-routing/iproute2-current.tar.gz>
for the latest version.

Some parts of iproute require you to have certain kernel options enabled.
It should also be noted that all releases of RedHat up to and including
6.2 come without most of the traffic control features in the default
kernel.

RedHat 7.2 has everything in by default.

Also make sure that you have netlink support, should you choose to roll
your own kernel. iproute2 needs it.

 

3.4. Exploring your current configuration

This may come as a surprise, but iproute2 is already configured! The
current commands ifconfig and route are already using the advanced
syscalls, but mostly with very default (i.e. boring) settings.

The ip tool is central, and we'll ask it to display our interfaces for
us.

 

3.4.1. ip shows us our links


[ahu@home ahu]$ ip link list                                                    
1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue                                     
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00                       
2: dummy: <BROADCAST,NOARP> mtu 1500 qdisc noop                                 
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff                          
3: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1400 qdisc pfifo_fast qlen 100    
    link/ether 48:54:e8:2a:47:16 brd ff:ff:ff:ff:ff:ff                          
4: eth1: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100    
    link/ether 00:e0:4c:39:24:78 brd ff:ff:ff:ff:ff:ff                          
3764: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 10  
    link/ppp                                                                    


Your mileage may vary, but this is what it shows on my NAT router at
home. I'll only explain part of the output as not everything is directly
relevant.

We first see the loopback interface. While your computer may function
somewhat without one, I'd advise against it. The MTU size (Maximum
Transfer Unit) is 3924 octets, and it is not supposed to queue. Which
makes sense because the loopback interface is a fantasy in your kernel's
imagination.

I'll skip the dummy interface for now, and it may not be present on your
computer. Then there are my two physical network interfaces, one at the
side of my cable modem, the other one serves my home ethernet segment.
Furthermore, we see a ppp0 interface.

Note the absence of IP addresses. iproute disconnects the concept of
'links' and 'IP addresses'. With IP aliasing, the concept of 'the' IP
address had become quite irrelevant anyhow.

It does show us the MAC addresses though, the hardware identifiers of our
ethernet interfaces.

 

3.4.2. ip shows us our IP addresses


[ahu@home ahu]$ ip address show                                                 
1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue                                     
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00                       
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo                          
2: dummy: <BROADCAST,NOARP> mtu 1500 qdisc noop                                 
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff                          
3: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1400 qdisc pfifo_fast qlen 100    
    link/ether 48:54:e8:2a:47:16 brd ff:ff:ff:ff:ff:ff                          
    inet 10.0.0.1/8 brd 10.255.255.255 scope global eth0                        
4: eth1: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100    
    link/ether 00:e0:4c:39:24:78 brd ff:ff:ff:ff:ff:ff                          
3764: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 10  
    link/ppp                                                                    
    inet 212.64.94.251 peer 212.64.94.1/32 scope global ppp0                    


This contains more information. It shows all our addresses, and to which
cards they belong. 'inet' stands for Internet (IPv4). There are lots of
other address families, but these don't concern us right now.

Let's examine eth0 somewhat closer. It says that it is related to the
inet address '10.0.0.1/8'. What does this mean? The /8 stands for the
number of bits that are in the network address. There are 32 bits, so we
have 24 bits left that are part of our network. The first 8 bits of
10.0.0.1 correspond to 10.0.0.0, our network address, and our netmask is
255.0.0.0.

The other bits are connected to this interface, so 10.250.3.13 is
directly available on eth0, as is 10.0.0.1 for example.

With ppp0, the same concept goes, though the numbers are different. Its
address is 212.64.94.251, without a subnet mask. This means that we have
a point-to-point connection and that every address, with the exception of
212.64.94.251, is remote. There is more information, however. It tells us
that on the other side of the link there is, yet again, only one address,
212.64.94.1. The /32 tells us that there are no 'network bits'.

It is absolutely vital that you grasp these concepts. Refer to the
documentation mentioned at the beginning of this HOWTO if you have
trouble.

You may also note 'qdisc', which stands for Queueing Discipline. This
will become vital later on.

 

3.4.3. ip shows us our routes

Well, we now know how to find 10.x.y.z addresses, and we are able to
reach 212.64.94.1. This is not enough however, so we need instructions on
how to reach the world. The Internet is available via our ppp connection,
and it appears that 212.64.94.1 is willing to spread our packets around
the world, and deliver results to us.


[ahu@home ahu]$ ip route show                                       
212.64.94.1 dev ppp0  proto kernel  scope link  src 212.64.94.251   
10.0.0.0/8 dev eth0  proto kernel  scope link  src 10.0.0.1         
127.0.0.0/8 dev lo  scope link                                      
default via 212.64.94.1 dev ppp0                                    


This is pretty much self-explanatory. The first 3 lines of output
explicitly state what was already implied by ip address show; the last
line tells us that the rest of the world can be found via 212.64.94.1,
our default gateway. We can see that it is a gateway because of the word
"via", which tells us that we need to send packets to 212.64.94.1, and
that it will take care of things.

For reference, this is what the old route utility shows us:


[ahu@home ahu]$ route -n                                                      
Kernel IP routing table                                                       
Destination     Gateway         Genmask         Flags Metric Ref    Use       
Iface                                                                         
212.64.94.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0  
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0  
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo    
0.0.0.0         212.64.94.1     0.0.0.0         UG    0      0        0 ppp0  

 

3.5. ARP

ARP is the Address Resolution Protocol as described in RFC 826
<http://www.faqs.org/rfcs/rfc826.html>. ARP is used by a networked
machine to resolve the hardware location/address of another machine on
the same local network. Machines on the Internet are generally known by
their names which resolve to IP addresses. This is how a machine on the
foo.com network is able to communicate with another machine which is on
the bar.net network. An IP address, though, cannot tell you the physical
location of a machine. This is where ARP comes into the picture.

Let's take a very simple example. Suppose I have a network composed of
several machines. Two of the machines which are currently on my network
are foo with an IP address of 10.0.0.1 and bar with an IP address of
10.0.0.2. Now foo wants to ping bar to see that he is alive, but alas,
foo has no idea where bar is. So when foo decides to ping bar he will
need to send out an ARP request. This ARP request is akin to foo shouting
out on the network "Bar (10.0.0.2)! Where are you?" As a result of this
every machine on the network will hear foo shouting, but only bar
(10.0.0.2) will respond. Bar will then send an ARP reply directly back to
foo which is akin to bar saying, "Foo (10.0.0.1) I am here at
00:60:94:E9:08:12." After this simple transaction that's used to locate
his friend on the network, foo is able to communicate with bar until he
(his arp cache) forgets where bar is (typically after 15 minutes on
Unix).

Now let's see how this works. You can view your machine's current arp/
neighbor cache/table like so:


[root@espa041 /home/src/iputils]# ip neigh show                     
9.3.76.42 dev eth0 lladdr 00:60:08:3f:e9:f9 nud reachable           
9.3.76.1 dev eth0 lladdr 00:06:29:21:73:c8 nud reachable            


As you can see my machine espa041 (9.3.76.41) knows where to find espa042
(9.3.76.42) and espagate (9.3.76.1). Now let's add another machine to the
arp cache.


[root@espa041 /home/paulsch/.gnome-desktop]# ping -c 1 espa043                  
PING espa043.austin.ibm.com (9.3.76.43) from 9.3.76.41 : 56(84) bytes of data.  
64 bytes from 9.3.76.43: icmp_seq=0 ttl=255 time=0.9 ms                         
                                                                                
--- espa043.austin.ibm.com ping statistics ---                                  
1 packets transmitted, 1 packets received, 0% packet loss                       
round-trip min/avg/max = 0.9/0.9/0.9 ms                                         
                                                                                
[root@espa041 /home/src/iputils]# ip neigh show                                 
9.3.76.43 dev eth0 lladdr 00:06:29:21:80:20 nud reachable                       
9.3.76.42 dev eth0 lladdr 00:60:08:3f:e9:f9 nud reachable                       
9.3.76.1 dev eth0 lladdr 00:06:29:21:73:c8 nud reachable                        


As a result of espa041 trying to contact espa043, espa043's hardware
address/location has now been added to the arp/neighbor cache. So until
the entry for espa043 times out (as a result of no communication between
the two) espa041 knows where to find espa043 and has no need to send an
ARP request.

Now let's delete espa043 from our arp cache:


[root@espa041 /home/src/iputils]# ip neigh delete 9.3.76.43 dev eth0  
[root@espa041 /home/src/iputils]# ip neigh show                       
9.3.76.43 dev eth0  nud failed                                        
9.3.76.42 dev eth0 lladdr 00:60:08:3f:e9:f9 nud reachable             
9.3.76.1 dev eth0 lladdr 00:06:29:21:73:c8 nud stale                  


Now espa041 has again forgotten where to find espa043 and will need to
send another ARP request the next time he needs to communicate with
espa043. You can also see from the above output that espagate (9.3.76.1)
has been changed to the "stale" state. This means that the location shown
is still valid, but it will have to be confirmed at the first transaction
to that machine.
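A defender usually wants to read the neighbour table in bulk rather than
entry by entry: which entries are stale or failed, and whether one
link-layer address is being claimed by several IP addresses on the same
segment (legitimate for a router that owns several addresses, but also
what a misconfiguration or an ARP spoofing attempt looks like). The
following POSIX sh script is an added example, not part of the HOWTO; it
parses lines in the "ip neigh show" format shown above. The sample lines
are constructed for the example (the address 9.3.76.99 and the repeated
MAC are made up).

```shell
#!/bin/sh
# Added example (not from the LARTC HOWTO): summarise "ip neigh show" output.
# It counts entries per NUD state and flags any link-layer address that is
# claimed by more than one IP address on the same device.

# Constructed sample, modelled on the listing in the ARP section; the third
# line deliberately reuses espagate's MAC for a different (made-up) IP.
SAMPLE_NEIGH='9.3.76.43 dev eth0 lladdr 00:06:29:21:80:20 nud reachable
9.3.76.42 dev eth0 lladdr 00:60:08:3f:e9:f9 nud reachable
9.3.76.99 dev eth0 lladdr 00:06:29:21:73:c8 nud stale
9.3.76.1 dev eth0 lladdr 00:06:29:21:73:c8 nud stale
9.3.76.44 dev eth0  nud failed'

# neigh_state_counts TEXT: prints "<state> <count>" lines sorted by state.
neigh_state_counts() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i < NF; i++) if ($i == "nud") states[$(i + 1)]++ }
        END { for (s in states) print s, states[s] }' | sort
}

# neigh_shared_lladdr TEXT: prints "<dev> <lladdr> <ip> <ip>..." for every
# link-layer address that appears under more than one IP on one device.
neigh_shared_lladdr() {
    printf '%s\n' "$1" | awk '
        {
            dev = ""; mac = ""
            for (i = 1; i < NF; i++) {
                if ($i == "dev") dev = $(i + 1)
                if ($i == "lladdr") mac = $(i + 1)
            }
            # entries without lladdr (e.g. "nud failed") carry no MAC to compare
            if (mac != "") {
                key = dev " " mac
                ips[key] = ips[key] " " $1
                n[key]++
            }
        }
        END { for (k in n) if (n[k] > 1) print k ips[k] }' | sort
}

# Analyse the constructed sample; on a live box feed it "$(ip neigh show)".
neigh_state_counts "$SAMPLE_NEIGH"
neigh_shared_lladdr "$SAMPLE_NEIGH"
```

Run on a real router, replace SAMPLE_NEIGH with the output of ip neigh
show; a non-empty result from neigh_shared_lladdr is a prompt to check
which of the listed addresses really belong to that hardware address.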

 

Chapter 4. Rules - routing policy database

If you have a large router, you may well cater for the needs of different
people, who should be served differently. The routing policy database
allows you to do this by having multiple sets of routing tables.

If you want to use this feature, make sure that your kernel is compiled
with the "IP: advanced router" and "IP: policy routing" features.

When the kernel needs to make a routing decision, it finds out which
table needs to be consulted. By default, there are three tables. The old
'route' tool modifies the main and local tables, as does the ip tool (by
default).

The default rules:


[ahu@home ahu]$ ip rule list                                        
0:      from all lookup local                                       
32766:  from all lookup main                                        
32767:  from all lookup default                                     


This lists the priority of all rules. We see that all rules apply to all
packets ('from all'). We've seen the 'main' table before; it is output by
ip route ls, but the 'local' and 'default' tables are new.

If we want to do fancy things, we generate rules which point to different
tables, which allow us to override system-wide routing rules.

For the exact semantics of what the kernel does when there are more
matching rules, see Alexey's ip-cref documentation.

 

4.1. Simple source policy routing

Let's take a real example once again. I have 2 (actually 3, about time I
returned them) cable modems, connected to a Linux NAT ('masquerading')
router. People living here pay me to use the Internet. Suppose one of my
house mates only visits hotmail and wants to pay less. This is fine with
me, but they'll end up using the low-end cable modem.

The 'fast' cable modem is known as 212.64.94.251 and is a PPP link to
212.64.94.1. The 'slow' cable modem is known by various IP addresses,
212.64.78.148 in this example, and is a link to 195.96.98.253.

The local table:


[ahu@home ahu]$ ip route list table local                                   
broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1   
local 10.0.0.1 dev eth0  proto kernel  scope host  src 10.0.0.1             
broadcast 10.0.0.0 dev eth0  proto kernel  scope link  src 10.0.0.1         
local 212.64.94.251 dev ppp0  proto kernel  scope host  src 212.64.94.251   
broadcast 10.255.255.255 dev eth0  proto kernel  scope link  src 10.0.0.1   
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1         
local 212.64.78.148 dev ppp2  proto kernel  scope host  src 212.64.78.148   
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1             
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1           


Lots of obvious things, but things that need to be specified somewhere.
Well, here they are. The default table is empty.

Let's view the 'main' table:


[ahu@home ahu]$ ip route list table main                              
195.96.98.253 dev ppp2  proto kernel  scope link  src 212.64.78.148   
212.64.94.1 dev ppp0  proto kernel  scope link  src 212.64.94.251     
10.0.0.0/8 dev eth0  proto kernel  scope link  src 10.0.0.1           
127.0.0.0/8 dev lo  scope link                                        
default via 212.64.94.1 dev ppp0                                      


We now generate a new rule which we call 'John', for our hypothetical
house mate. Although we can work with pure numbers, it's far easier if we
add our table names to /etc/iproute2/rt_tables.


# echo 200 John >> /etc/iproute2/rt_tables                          
# ip rule add from 10.0.0.10 table John                             
# ip rule ls                                                        
0:      from all lookup local                                       
32765:  from 10.0.0.10 lookup John                                  
32766:  from all lookup main                                        
32767:  from all lookup default                                     


Now all that is left is to generate John's table, and flush the route
cache:


# ip route add default via 195.96.98.253 dev ppp2 table John        
# ip route flush cache                                              


And we are done. It is left as an exercise for the reader to implement
this in ip-up.

 

4.2. Routing for multiple uplinks/providers

A common configuration is the following, in which there are two providers
that connect a local network (or even a single machine) to the big
Internet.

                                                                 ________ 
                                          +------------+        /         
                                          |            |       |          
                            +-------------+ Provider 1 +-------           
        __                  |             |            |     /            
    ___/  \_         +------+-------+     +------------+    |             
  _/        \__      |     if1      |                      /              
 /             \     |              |                      |              
| Local network -----+ Linux router |                      |     Internet 
 \_           __/    |              |                      |              
   \__     __/       |     if2      |                      \              
      \___/          +------+-------+     +------------+    |             
                            |             |            |     \            
                            +-------------+ Provider 2 +-------           
                                          |            |       |          
                                          +------------+        \________ 


There are usually two questions given this setup.

 

4.2.1. Split access

The first is how to route answers to packets coming in over a particular
provider, say Provider 1, back out again over that same provider.

Let us first set some symbolical names. Let $IF1 be the name of the first
interface (if1 in the picture above) and $IF2 the name of the second
interface. Then let $IP1 be the IP address associated with $IF1 and $IP2
the IP address associated with $IF2. Next, let $P1 be the IP address of
the gateway at Provider 1, and $P2 the IP address of the gateway at
Provider 2. Finally, let $P1_NET be the IP network $P1 is in, and $P2_NET
the IP network $P2 is in.

One creates two additional routing tables, say T1 and T2. These are added
in /etc/iproute2/rt_tables. Then you set up routing in these tables as
follows:


          ip route add $P1_NET dev $IF1 src $IP1 table T1           
          ip route add default via $P1 table T1                     
          ip route add $P2_NET dev $IF2 src $IP2 table T2           
          ip route add default via $P2 table T2                     
                                                                    

Nothing spectacular: just build a route to the gateway and build a default
route via that gateway, as you would do in the case of a single upstream
provider, but put the routes in a separate table per provider. Note that
the network route suffices, as it tells you how to find any host in that
network, which includes the gateway, as specified above.

Next you set up the main routing table. It is a good idea to route things
to the direct neighbour through the interface connected to that neighbour.
Note the `src' arguments; they make sure the right outgoing IP address is
chosen.

            ip route add $P1_NET dev $IF1 src $IP1                  
            ip route add $P2_NET dev $IF2 src $IP2                  
                                                                    

Then, your preference for default route:

            ip route add default via $P1                            
                                                                    

Next, the routing rules. These actually choose what routing table to
route with. You want to make sure that you route out a given interface if
you already have the corresponding source address:

            ip rule add from $IP1 table T1                          
            ip rule add from $IP2 table T2                          
                                                                    

This set of commands makes sure all answers to traffic coming in on a
particular interface get answered from that interface.


                                      Warning

Reader Rod Roark notes: "If $P0_NET is the local network and $IF0 is its
interface, the following additional entries are desirable:

ip route add $P0_NET     dev $IF0 table T1
ip route add $P2_NET     dev $IF2 table T1
ip route add 127.0.0.0/8 dev lo   table T1
ip route add $P0_NET     dev $IF0 table T2
ip route add $P1_NET     dev $IF1 table T2
ip route add 127.0.0.0/8 dev lo   table T2

"


Now, this is just the very basic setup. It will work for all processes
running on the router itself, and for the local network, if it is
masqueraded. If it is not, then you either have IP space from both
providers or you are going to want to masquerade to one of the two
providers. In both cases you will want to add rules selecting which
provider to route out from based on the IP address of the machine in the
local network.
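The split-access setup is a fixed sequence of commands whose only inputs
are the symbolic names defined above, so it is worth generating the whole
list from those names and reviewing it before anything touches the
router. The POSIX sh script below is an added example, not part of the
HOWTO; it prints the commands of this section (including the extra
per-table routes from Rod Roark's note when a local network is given)
rather than executing them, so a mistake shows up in a diff instead of in
a lost connection. The table numbers 1 and 2 written to rt_tables are an
arbitrary choice for the example.

```shell
#!/bin/sh
# Added example (not from the LARTC HOWTO): generate the split-access
# configuration of Section 4.2.1 as a reviewable list of commands.
# Usage: split_access_commands IF1 IP1 P1 P1_NET IF2 IP2 P2 P2_NET [IF0 P0_NET]
# Pipe the output into "sh" on the router once it has been checked.

# provider_table TABLE IF IP GW NET IF0 NET0 OTHER_IF OTHER_NET
# Routes for one provider table: the gateway's network, a default via the
# gateway, and (per Rod Roark's note) the local network, the other
# provider's network and loopback, so the table is usable on its own.
provider_table() {
    t=$1 pif=$2 pip=$3 gw=$4 net=$5 if0=$6 net0=$7 oif=$8 onet=$9
    echo "ip route add $net dev $pif src $pip table $t"
    echo "ip route add default via $gw table $t"
    if [ -n "$if0" ]; then
        echo "ip route add $net0 dev $if0 table $t"
    fi
    echo "ip route add $onet dev $oif table $t"
    echo "ip route add 127.0.0.0/8 dev lo table $t"
}

split_access_commands() {
    IF1=$1 IP1=$2 P1=$3 P1_NET=$4 IF2=$5 IP2=$6 P2=$7 P2_NET=$8
    IF0=$9 P0_NET=${10}
    # Register the table names once (numbers 1 and 2 are an arbitrary
    # choice for this example; pick ones unused on your router).
    echo "grep -q ' T1\$' /etc/iproute2/rt_tables || echo '1 T1' >> /etc/iproute2/rt_tables"
    echo "grep -q ' T2\$' /etc/iproute2/rt_tables || echo '2 T2' >> /etc/iproute2/rt_tables"
    provider_table T1 "$IF1" "$IP1" "$P1" "$P1_NET" "$IF0" "$P0_NET" "$IF2" "$P2_NET"
    provider_table T2 "$IF2" "$IP2" "$P2" "$P2_NET" "$IF0" "$P0_NET" "$IF1" "$P1_NET"
    # main table: reach each neighbour through its own interface, with the
    # matching source address, and prefer provider 1 as default
    echo "ip route add $P1_NET dev $IF1 src $IP1"
    echo "ip route add $P2_NET dev $IF2 src $IP2"
    echo "ip route add default via $P1"
    # rules: packets carrying a provider's address leave via that provider
    echo "ip rule add from $IP1 table T1"
    echo "ip rule add from $IP2 table T2"
    echo "ip route flush cache"
}

# When run as a script with parameters, print the command list.
if [ $# -ge 8 ]; then
    split_access_commands "$@"
fi
```

The generated rules only cover traffic that already carries one of the two
provider addresses; as the text says, a masqueraded local network gets that
for free, while machines with their own public addresses need additional
rules keyed on their source address.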

 

4.2.2. Load balancing

The second question is how to balance traffic going out over the two
providers. This is actually not hard if you have already set up split
access as above.

Instead of choosing one of the two providers as your default route, you
now set up the default route to be a multipath route. In the default
kernel this will balance routes over the two providers. It is done as
follows (once more building on the example in the section on split
access):
            ip route add default scope global nexthop via $P1 dev $IF1 weight 1 \ 
            nexthop via $P2 dev $IF2 weight 1                                     
                                                                                  

This will balance the routes over both providers. The weight parameters
can be tweaked to favor one provider over the other.

Note that balancing will not be perfect, as it is route based, and routes
are cached. This means that routes to often-used sites will always be over
the same provider.

Furthermore, if you really want to do this, you probably also want to
look at Julian Anastasov's patches at his page <http://www.ssi.bg/~ja/
#routes>. They will make things nicer to work with.

 

Chapter 5. GRE and other tunnels

There are 3 kinds of tunnels in Linux. There's IP in IP tunneling, GRE
tunneling and tunnels that live outside the kernel (like, for example,
PPTP).

 

5.1. A few general remarks about tunnels

Tunnels can be used to do some very unusual and very cool stuff. They can
also make things go horribly wrong when you don't configure them right.
Don't point your default route to a tunnel device unless you know EXACTLY
what you are doing :-). Furthermore, tunneling increases overhead,
because it needs an extra set of IP headers. Typically this is 20 bytes
per packet, so if the normal packet size (MTU) on a network is 1500
bytes, a packet that is sent through a tunnel can only be 1480 bytes big.
This is not necessarily a problem, but be sure to read up on IP packet
fragmentation/reassembly when you plan to connect large networks with
tunnels. Oh, and of course, the fastest way to dig a tunnel is to dig at
both sides.

 

5.2. IP in IP tunneling

This kind of tunneling has been available in Linux for a long time. It
requires 2 kernel modules, ipip.o and new_tunnel.o.

Let's say you have 3 networks: internal networks A and B, and
intermediate network C (or let's say, the Internet). So we have network
A:

network 10.0.1.0                                                    
netmask 255.255.255.0                                               
router  10.0.1.1                                                    


The router has address 172.16.17.18 on network C.

And network B:


network 10.0.2.0                                                    
netmask 255.255.255.0                                               
router  10.0.2.1                                                    


The router has address 172.19.20.21 on network C.

As far as network C is concerned, we assume that it will pass any packet
sent from A to B and vice versa. You might even use the Internet for
this.

Here's what we do:

First, make sure the modules are installed:


modprobe ipip.o                                                     
modprobe new_tunnel.o                                               


Then, on the router of network A, you do the following:


ifconfig tunl0 10.0.1.1 pointopoint 172.19.20.21                    
route add -net 10.0.2.0 netmask 255.255.255.0 dev tunl0             


And on the router of network B:


ifconfig tunl0 10.0.2.1 pointopoint 172.16.17.18                    
route add -net 10.0.1.0 netmask 255.255.255.0 dev tunl0             


And if you're done with your tunnel:


ifconfig tunl0 down                                                 


Presto, you're done. You can't forward broadcast or IPv6 traffic through
an IP-in-IP tunnel, though. You just connect 2 IPv4 networks that
normally wouldn't be able to talk to each other, that's all. As far as
compatibility goes, this code has been around a long time, so it's
compatible all the way back to 1.3 kernels. Linux IP-in-IP tunneling
doesn't work with other operating systems or routers, as far as I know.
It's simple, it works. Use it if you have to, otherwise use GRE.

 

5.3. GRE tunneling

GRE is a tunneling protocol that was originally developed by Cisco, and it
can do a few more things than IP-in-IP tunneling. For example, you can
also transport multicast traffic and IPv6 through a GRE tunnel.

In Linux, you'll need the ip_gre.o module.

 

5.3.1. IPv4 Tunneling

Let's do IPv4 tunneling first:

Let's say you have 3 networks: internal networks A and B, and
intermediate network C (or let's say, the Internet).

So we have network A:

network 10.0.1.0                                                    
netmask 255.255.255.0                                               
router  10.0.1.1                                                    

The router has address 172.16.17.18 on network C. Let's call this network
neta (ok, hardly original).

And network B:

network 10.0.2.0                                                    
netmask 255.255.255.0                                               
router  10.0.2.1                                                    

The router has address 172.19.20.21 on network C. Let's call this network
netb (still not original).

As far as network C is concerned, we assume that it will pass any packet
sent from A to B and vice versa. How and why, we do not care.

On the router of network A, you do the following:


ip tunnel add netb mode gre remote 172.19.20.21 local 172.16.17.18 ttl 255  
ip link set netb up                                                         
ip addr add 10.0.1.1 dev netb                                               
ip route add 10.0.2.0/24 dev netb                                           


̓eɂďX܂傤B1 sڂł̓glfoCXǉ
A netb ƌĂԂƂɂ܂ (R͖炩ł傤As̖
Oł)Bɂł́A GRE vgRp邱 (mode gre)A
[gAhX 172.19.20.21 ł邱 ([̃[^)AglO
pPbg̔M 172.16.17.18 ł邱 (ɂă[^ɂ̓lb
g[N C ̕ IP AhX^邱ƂłÂ̂ǂg
lɗp邩ł܂)AăpPbg TTL tB[h 255 
邱 (ttl 255)AȂǂw肵Ă܂B

2 sڂł̓foCXLɂĂ܂B

3 sڂł́AVɐ܂ꂽC^[tF[X netb ɁAAhX 10.0.1.1
^Ă܂Blbg[NȂ炱 OK łA܂zRT
 (̃gl@) ͂߂悤ƂĂꍇ́AglO
C^[tF[Xɂ͕ʂ̗̈ IP AhX^قǂ
 (̗Ȃ 10.0.3.0 g܂)B

4 sڂł́Albg[N B ւ̌oHݒ肵Ă܂Blbg[N̎w
قȂĂ邱ƂɒӂĂB̏ɊĂȂlɁAȒP
Ȍ܂: lbg[N 2 i`ŏA1 ̐𐔂Ă
B킩Ȃ΁A255.0.0.0  /8A 255.255.0.0  /16A
255.255.255.0  /24 łƈËL܂傤BAꂩ 255.255.254.0
 /23 łBÔ߁B
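The netmask rule just stated, and the /8 reasoning from the "ip address
show" discussion in Section 3.4.2 (10.0.0.1/8 gives network 10.0.0.0 and
mask 255.0.0.0, so 10.250.3.13 is on the same network, while a /32 leaves
no network bits), can both be checked mechanically. The POSIX sh functions
below are an added example, not part of the HOWTO; they convert between
dotted masks and prefix lengths, compute the network address, and reject a
mask whose ones are not contiguous (the one input on which "count the
ones" silently gives a wrong answer).

```shell
#!/bin/sh
# Added example (not from the LARTC HOWTO): IPv4 prefix/netmask arithmetic
# in plain POSIX sh. All functions print their result on stdout.

# ip2int 10.0.0.1 -> 167772161 (the address as a 32-bit number)
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip 167772161 -> 10.0.0.1
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix2mask 23 -> 255.255.254.0 (the top N bits of 32 set)
prefix2mask() {
    if [ "$1" -eq 0 ]; then
        int2ip 0
    else
        int2ip $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
    fi
}

# mask2prefix 255.255.254.0 -> 23; returns 1 for a non-contiguous mask,
# e.g. 255.0.255.0, which has 16 one-bits but is not a valid /16.
mask2prefix() {
    m=$(ip2int "$1")
    if [ "$m" -eq 0 ]; then echo 0; return 0; fi
    # a valid mask is ones followed by zeros: m | (m - 1) fills every bit
    if [ $(( m | (m - 1) )) -ne $(( 0xFFFFFFFF )) ]; then
        echo "invalid netmask: $1" >&2
        return 1
    fi
    n=0
    while [ $(( m & 1 )) -eq 0 ]; do m=$(( m >> 1 )); n=$(( n + 1 )); done
    echo $(( 32 - n ))
}

# network_of 10.0.0.1 8 -> 10.0.0.0 (address AND mask)
network_of() {
    int2ip $(( $(ip2int "$1") & $(ip2int "$(prefix2mask "$2")") ))
}

# same_subnet IP1 IP2 PREFIX: exit 0 when both lie in one /PREFIX network
same_subnet() {
    [ "$(network_of "$1" "$3")" = "$(network_of "$2" "$3")" ]
}

# Usage from the command line: network_of <ip> <prefix>
if [ $# -eq 2 ]; then
    network_of "$1" "$2"
fi
```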

OK, enough; let's do the router of network B.

ip tunnel add neta mode gre remote 172.16.17.18 local 172.19.20.21 ttl 255  
ip link set neta up                                                         
ip addr add 10.0.2.1 dev neta                                               
ip route add 10.0.1.0/24 dev neta                                           

And when you want to remove the tunnel on router A:

ip link set netb down                                               
ip tunnel del netb                                                  

Of course, you can replace netb with neta for router B.
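The two ends of the tunnel mirror each other: router A's remote is router
B's local and vice versa, and the route on each side points at the other
side's internal network. Deriving both command sets from a single
parameter list removes the most common way such tunnels fail, a
transposed address on one end. The script below is an added example, not
part of the HOWTO; it prints the commands of this section for both routers
(device names netb on A and neta on B, as in the text) plus the teardown
sequence, and executes nothing.

```shell
#!/bin/sh
# Added example (not from the LARTC HOWTO): emit the GRE tunnel commands of
# Section 5.3.1 for both routers from one set of parameters.
# Usage: gre_pair A_OUTER A_INNER A_NET B_OUTER B_INNER B_NET
#   e.g. gre_pair 172.16.17.18 10.0.1.1 10.0.1.0/24 172.19.20.21 10.0.2.1 10.0.2.0/24

# gre_side DEV LOCAL_OUTER REMOTE_OUTER INNER_ADDR REMOTE_NET
# The four commands that bring up one end of the tunnel.
gre_side() {
    dev=$1 l_out=$2 r_out=$3 inner=$4 rnet=$5
    echo "ip tunnel add $dev mode gre remote $r_out local $l_out ttl 255"
    echo "ip link set $dev up"
    echo "ip addr add $inner dev $dev"
    echo "ip route add $rnet dev $dev"
}

# gre_side_down DEV: the teardown sequence for one end.
gre_side_down() {
    echo "ip link set $1 down"
    echo "ip tunnel del $1"
}

# gre_pair: both ends; each side's "remote" is the other side's "local",
# and each side routes the other side's internal network into the tunnel.
gre_pair() {
    a_out=$1 a_in=$2 a_net=$3 b_out=$4 b_in=$5 b_net=$6
    echo "# router A (device netb leads to network B)"
    gre_side netb "$a_out" "$b_out" "$a_in" "$b_net"
    echo "# router B (device neta leads to network A)"
    gre_side neta "$b_out" "$a_out" "$b_in" "$a_net"
}

if [ $# -eq 6 ]; then
    gre_pair "$@"
fi
```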

 

5.3.2. IPv6 Tunneling

See Section 6 for a short bit about IPv6 addresses.

On with the tunnels.

Let's assume that you have the following IPv6 network, and you want to
connect it to 6bone, or a friend.

 

Network 3ffe:406:5:1:5:a:2:1/96                                     

Your IPv4 address is 172.16.17.18, and the 6bone router has IPv4 address
172.22.23.24.

 

ip tunnel add sixbone mode sit remote 172.22.23.24 local 172.16.17.18 ttl 255 
ip link set sixbone up                                                        
ip addr add 3ffe:406:5:1:5:a:2:1/96 dev sixbone                               
ip route add 3ffe::/15 dev sixbone                                            

 

Let's discuss this. In the first line, we created a tunnel device called
sixbone. We gave it mode sit (which is IPv6 in IPv4 tunneling) and told it
where to go to (remote) and where to come from (local). TTL is set to
maximum, 255. Next, we made the device active (up). After that, we added
our own network address, and set a route for 3ffe::/15 (which is
currently all of 6bone) through the tunnel.

GRE tunnels are currently the preferred type of tunneling. It's a standard
that is also widely adopted outside the Linux community and therefore a
Good Thing.

 

5.4. Userland tunnels

There are literally hundreds of implementations of tunneling outside the
kernel. Best known are of course PPP and PPTP, but there are lots more
(some proprietary, some secure, some that don't even use IP) and that is
really beyond the scope of this HOWTO.

 

Chapter 6. IPv6 tunneling with Cisco and/or 6bone

By Marco Davids <marco@sara.nl>

NOTE to maintainer:

As far as I am concerned, this IPv6-IPv4 tunneling is not per definition
GRE tunneling. You could tunnel IPv6 over IPv4 by means of GRE tunnel
devices (GRE tunnels ANY to IPv4), but the device used here ("sit") only
tunnels IPv6 over IPv4 and is therefore something different.

 

6.1. IPv6 Tunneling

This is another application of Linux's tunneling capabilities. It is
popular among the IPv6 early adopters, or "pioneers" if you like. The
"hands-on" example described below is certainly not the only way to do
IPv6 tunneling. However, it is the method that is often used to tunnel
between Linux and a Cisco IPv6-capable router, and experience tells us
that this is what many people are after. Ten to one this applies to you
too ;-)

Short bit about IPv6 addresses:

IPv6 addresses are, compared to IPv4 addresses, really big: 128 bits
against 32 bits. And this provides us just with the thing we need: many,
many (well, almost) IP addresses:
340,282,266,920,938,463,463,374,607,431,768,211,465 to be precise. Apart
from this, IPv6 (or IPng, for IP Next Generation) is supposed to provide
for smaller routing tables on the Internet's backbone routers, simpler
configuration of equipment, and better security at the IP level.

An example: 2002:836b:9820:0000:0000:0000:836b:9886

Writing down IPv6 addresses can be quite a burden. Therefore, to make life
easier some rules exist:

  * Don't use leading zeroes. Same as in IPv4.
  * Use colons to separate every 16 bits or two bytes.
  * When you have lots of consecutive zeroes, you can write them down as
    ::. You can only do this once in an address and only for quantities
    of 16 bits, though.

The address 2002:836b:9820:0000:0000:0000:836b:9886 can be written down
as 2002:836b:9820::836b:9886, which is somewhat friendlier.

Another example: the address 3ffe:0000:0000:0000:0000:0020:34A1:F32C can
be written down as 3ffe::20:34A1:F32C, which is a lot shorter.
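The three rules above are enough to write the compression as a small
program, which is a useful check when an address in a configuration file
does not look like the one in a log. The POSIX sh/awk function below is an
added example, not part of the HOWTO; it takes the full eight-group form,
drops leading zeroes in each group, and replaces the first longest run of
two or more zero groups with "::" (a single zero group is left alone, as
RFC 5952 recommends). It does not change letter case, and it expects the
full form as input, not an already compressed address.

```shell
#!/bin/sh
# Added example (not from the LARTC HOWTO): compress a full-form IPv6
# address by the rules given in the text.

# ipv6_compress ADDR: ADDR must be the full form with eight colon-separated
# 16-bit groups (leading zeroes allowed). Prints the compressed address.
ipv6_compress() {
    printf '%s\n' "$1" | awk -F: '
    {
        # rule 1: no leading zeroes in a group (but keep a lone 0)
        for (i = 1; i <= NF; i++) {
            sub(/^0+/, "", $i)
            if ($i == "") $i = "0"
        }
        # rule 3: find the first longest run of consecutive zero groups
        best = 0; bstart = 0; run = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "0") {
                run++
                if (run > best) { best = run; bstart = i - run + 1 }
            } else {
                run = 0
            }
        }
        out = ""
        if (best >= 2) {
            for (i = 1; i < bstart; i++) out = out (i > 1 ? ":" : "") $i
            out = out "::"
            for (i = bstart + best; i <= NF; i++) out = out $i (i < NF ? ":" : "")
        } else {
            # rule 2 only: groups joined by colons, nothing collapsed
            for (i = 1; i <= NF; i++) out = out (i > 1 ? ":" : "") $i
        }
        print out
    }'
}

if [ $# -eq 1 ]; then
    ipv6_compress "$1"
fi
```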

IPv6 is intended to be the successor of the current IPv4. Because it is
relatively new technology, there is no worldwide native IPv6 network yet.
To be able to move forward swiftly, the 6bone was introduced.

Native IPv6 networks are connected to each other by encapsulating the
IPv6 protocol in IPv4 packets and sending them over the existing IPv4
infrastructure from one IPv6 site to another.

That is precisely where the tunnel comes in.

To be able to use IPv6, we should have a kernel that supports it. There
are many good documents on how to compile a good kernel with good
features, but the story here is short:

  * Get a recent Linux distribution, with suitable glibc.
  * Then get a recent kernel source.

If you're all set, then you can go ahead and compile an IPv6-capable
kernel:

  * Go to /usr/src/linux and type: "make menuconfig".
  * Choose "Networking Options".
  * Select "The IPv6 protocol", "IPv6: enable EUI-64 token format",
    "IPv6: disable provider based addresses".

HINT: Don't go for the "module" option. Often this doesn't work well.

In other words, compile IPv6 as "built-in" in your kernel. You can then
save your config like usual and go ahead with compiling the kernel.

HINT: Before doing so, consider editing the Makefile: EXTRAVERSION = -x ;
--> ; EXTRAVERSION = -x-IPv6

There is a lot of good documentation about compiling and installing a
kernel; however, this document is about something else. If you run into
problems at this stage, go and search documentation about compiling a
Linux kernel according to your own specifications. The file /usr/src/
linux/README might be a good start.

After you have accomplished all this, and rebooted with your brand new
kernel, you might want to issue '/sbin/ifconfig -a' and notice the brand
new 'sit0' device. SIT stands for Simple Internet Transition. You may
give yourself a compliment; you are now one major step closer to IP, the
Next Generation ;-)

Now on to the next step. You want to connect your host, or maybe even
your entire LAN, to another IPv6-capable network. This might be the
"6bone" that is set up especially for this particular purpose.

Let's assume that you have the IPv6 network 3ffe:604:6:8::/64 and you
want to connect to 6bone, or a friend. Please note that the /64 subnet
notation works just like with regular IP addresses.

Your IPv4 address is 145.100.24.181 and the 6bone router has IPv4 address
145.100.1.5.


# ip tunnel add sixbone mode sit remote 145.100.1.5 [local 145.100.24.181 ttl 255]  
# ip link set sixbone up                                                            
# ip addr add 3FFE:604:6:7::2/126 dev sixbone                                       
# ip route add 3ffe::0/16 dev sixbone                                               


Let's discuss this. In the first line, we created a tunnel device called
sixbone. We gave it mode sit (which is IPv6 in IPv4 tunneling) and told it
where to go to (remote) and where to come from (local). TTL is set to
maximum, 255.

Next, we made the device active (up). After that, we added our own
network address, and set a route for 3ffe::/15 (which is currently all of
6bone) through the tunnel. If the particular machine you run this on is
your IPv6 gateway, then consider adding the following lines:

# echo 1 >/proc/sys/net/ipv6/conf/all/forwarding                    
# /usr/local/sbin/radvd                                             


The latter, radvd, is (like zebra) a router advertisement daemon, to
support IPv6's autoconfiguration features. Search for it with your
favourite search engine if you like. You can check things like this:

# /sbin/ip -f inet6 addr                                            


If you happen to have radvd running on your IPv6 gateway and boot your
IPv6-capable Linux on a machine on your local LAN, you would be able to
enjoy the benefits of IPv6 autoconfiguration:


# /sbin/ip -f inet6 addr                                                      
1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue inet6 ::1/128 scope host          
                                                                              
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100          
inet6 3ffe:604:6:8:5054:4cff:fe01:e3d6/64 scope global dynamic                
valid_lft forever preferred_lft 604646sec inet6 fe80::5054:4cff:fe01:e3d6/10  
scope link                                                                    


You could go ahead and configure your bind for IPv6 addresses. The A type
has an equivalent for IPv6: AAAA. The equivalent of in-addr.arpa is
ip6.int. There's a lot of information available on this topic.

There is an increasing number of IPv6-aware applications available,
including secure shell, telnet, inetd, Mozilla the browser, webserver
Apache and a lot of others. But this is all outside the scope of this
routing document ;-)

On the Cisco side the configuration would be something like this:

!                                                                   
interface Tunnel1                                                   
description IPv6 tunnel                                             
no ip address                                                       
no ip directed-broadcast                                            
ipv6 address 3FFE:604:6:7::1/126                                    
tunnel source Serial0                                               
tunnel destination 145.100.24.181                                   
tunnel mode ipv6ip                                                  
!                                                                   
ipv6 route 3FFE:604:6:8::/64 Tunnel1                                

If you don't have a Cisco at your disposal, try one of the many IPv6 tunnel
brokers on the Internet. They are willing to configure an extra tunnel for you
on their Cisco, usually through a friendly web interface. Search for "ipv6
tunnel broker" with your favourite search engine.

 

Chapter 7. IPSEC: secure IP over the Internet

These days there are two kinds of IPSEC available for Linux. For 2.2 and 2.4
there is FreeS/WAN, which was the first major implementation. It has an
official site <http://www.freeswan.org/> and an unofficial one
<http://www.freeswan.ca> that is actually maintained. FreeS/WAN has
traditionally not been merged into the mainline kernel, for a number of
reasons. The one most often mentioned is 'political': Americans working on
crypto would taint its exportability. Furthermore, it does not integrate too
well with the Linux kernel, which makes it a poor candidate for an actual
merge.

In addition, many parties have voiced concerns about the quality of the code
<http://www.edlug.ed.ac.uk/archive/Sep2002/msg00244.html>, and there are
design concerns too <http://lists.freeswan.org/pipermail/design/2002-November/
003901.html>. To set up FreeS/WAN, a lot of documentation is available:
<http://www.freeswan.ca/docs/freeswan-1.99/doc/index.html> and
<http://www.freeswan.org/doc.html>.

As of Linux 2.5.47 there is a native IPSEC implementation in the kernel. It
was written by Alexey Kuznetsov and Dave Miller, inspired by the work of the
USAGI IPv6 group. With its merge, James Morris' CryptoAPI also became part of
the kernel; it performs the actual cryptography.

This HOWTO only documents the 2.5+ version of IPSEC. FreeS/WAN is recommended
for Linux 2.4 users for now, but be aware that its configuration differs from
that of the native IPSEC. In related news, there are now patches
<http://gondor.apana.org.au/~herbert/freeswan/> that make the FreeS/WAN
userspace code work with the native Linux IPSEC.

As of 2.5.49, IPSEC works without further patches.

    Note: Userspace tools are available at <http://sourceforge.net/projects/
    ipsec-tools>. There are several programs; the one linked here is based
    on Racoon.

    When compiling your kernel, be sure to turn on 'PF_KEY', 'AH', 'ESP' and
    everything in the CryptoAPI!
   

                              Warning

The author of this chapter is a complete IPSEC nitwit! If you find the
inevitable mistakes, please e-mail bert hubert <ahu@ds9a.nl>.


First we show how to set up secure communication between two hosts by hand. A
large part of this process can be automated, but here we do it manually so as
to become acquainted with what goes on 'under the hood'.

Feel free to skip the following section if you are only interested in
automatic keying, but be aware that some understanding of manual keying is
useful.

 

7.1. Intro with Manual Keying

IPSEC is a complicated subject. A lot of information is available online; this
HOWTO concentrates on getting you up and running and on explaining the basic
principles. All examples are based on Racoon as found at the link above.

    Note: Certain iptables configurations drop IPSEC packets! To pass IPSEC,
    use 'iptables -A xxx -p 50 -j ACCEPT' and 'iptables -A xxx -p 51 -j
    ACCEPT' (IP protocol 50 is ESP, 51 is AH).

IPSEC offers a secure version of the Internet Protocol. Security in this
context means two different things: encryption and authentication. A naive
view of security offers only encryption, but it is easily shown that this is
insufficient: you may be communicating in cipher, but no guarantee is made
that the remote party is the one you expect it to be.

IPSEC uses the 'Encapsulated Security Payload' (ESP) for encryption and the
'Authentication Header' (AH) for authenticating the remote partner. You can
configure both, or decide to use only one of them.

Both ESP and AH rely on security associations. A security association (SA)
consists of a source, a destination and an instruction. A sample
authentication SA may look like this:

          add 10.0.0.11 10.0.0.216 ah 15700 -A hmac-md5 "1234567890123456"; 
                                                                            

This says: 'traffic going from 10.0.0.11 to 10.0.0.216 that needs an AH can be
signed using HMAC-MD5 with the secret 1234567890123456'. The instruction is
labelled with SPI ('Security Parameter Index') id 15700; more about that
later. The interesting thing about SAs is that they are symmetrical: both
sides of a conversation share exactly the same SA, it is not mirrored on the
other side. Do note, however, that there is no 'autoreverse' rule. This SA
only describes a possible authentication from 10.0.0.11 to 10.0.0.216. For
two-way traffic, two SAs are needed.

A sample ESP SA:

add 10.0.0.11 10.0.0.216 esp 15701 -E 3des-cbc "123456789012123456789012";  
                                                                            

This says: 'traffic going from 10.0.0.11 to 10.0.0.216 that needs encryption
can be enciphered using 3des-cbc with the key 123456789012123456789012'. The
SPI id is 15701. (HMAC-MD5 and 3DES are obsolete by today's standards; they
are kept here only because the examples use them.)

So far we have seen that SAs describe possible instructions, but they do not
describe a policy as to when these are to be used. In fact, there could be an
arbitrary number of nearly identical SAs differing only in their SPI ids (as
mentioned, SPI stands for Security Parameter Index). To do actual cryptography
we need to describe a policy. Such a policy can say things like 'use ipsec if
available' or 'drop traffic unless we have ipsec'.

T^IȒP Security Policy (SP) ͎̂悤Ȃ̂łB

spdadd 10.0.0.216 10.0.0.11 any -P out ipsec                        
   esp/transport//require                                           
   ah/transport//require;                                           
                                                                    

If entered on host 10.0.0.216, this means that all traffic going out to
10.0.0.11 must be encrypted and wrapped in an AH (authenticating header). Note
that it does not say which SA is to be used; determining that is left to the
kernel.

In other words, a Security Policy specifies WHAT we want; a Security
Association describes HOW we want it.

Outgoing packets are labelled with the SPI of the SA ('the how') that the
kernel used for encryption and authentication, so that the remote end can look
up the corresponding verification and decryption instructions.

What follows is a very simple configuration for talking from host 10.0.0.216
to 10.0.0.11 using encryption and authentication. Note that in this first
version the reverse path is plaintext, and that this configuration must not be
deployed as is.

On host 10.0.0.216:

#!/sbin/setkey -f                                                           
add 10.0.0.216 10.0.0.11 ah 24500 -A hmac-md5 "1234567890123456";           
add 10.0.0.216 10.0.0.11 esp 24501 -E 3des-cbc "123456789012123456789012";  
                                                                            
spdadd 10.0.0.216 10.0.0.11 any -P out ipsec                                
   esp/transport//require                                                   
   ah/transport//require;                                                   
                                                                            


On host 10.0.0.11 we install the same Security Associations, but no Security
Policy:

#!/sbin/setkey -f                                                           
add 10.0.0.216 10.0.0.11 ah 24500 -A hmac-md5 "1234567890123456";           
add 10.0.0.216 10.0.0.11 esp 24501 -E 3des-cbc "123456789012123456789012";  
                                                                            


With the above configuration in place (these files can be executed directly if
'setkey' is installed in /sbin), 'ping 10.0.0.11' from 10.0.0.216 looks like
this in tcpdump:

22:37:52 10.0.0.216 > 10.0.0.11: AH(spi=0x00005fb4,seq=0xa): ESP(spi=0x00005fb5,seq=0xa) (DF) 
22:37:52 10.0.0.11 > 10.0.0.216: icmp: echo reply                                             
                                                                                              

Note how the ping reply from 10.0.0.11 is indeed plainly visible. The forward
ping cannot be read by tcpdump, of course, but tcpdump does show the Security
Parameter Indexes of the AH and the ESP, which tell 10.0.0.11 how to verify
the authenticity of our packet and how to decrypt it.

A few things must be mentioned, however. The configuration above is quoted in
many IPSEC examples, and it is very dangerous. The problem is that it contains
a policy on how 10.0.0.216 should treat packets going to 10.0.0.11, and it
tells 10.0.0.11 how to handle those packets, but it does NOT instruct
10.0.0.11 to discard unauthenticated or unencrypted traffic!

Anybody can now inject spoofed, completely unencrypted packets, and 10.0.0.11
will accept them. To remedy this, we need an incoming Security Policy on
10.0.0.11, as follows:

#!/sbin/setkey -f                                                   
spdadd 10.0.0.216 10.0.0.11 any -P in ipsec                         
   esp/transport//require                                           
   ah/transport//require;                                           
                                                                    

This instructs 10.0.0.11 that any traffic coming to it from 10.0.0.216 is
required to carry valid ESP and AH.

To complete this configuration, the return traffic must of course be encrypted
and authenticated as well. The full configuration on 10.0.0.216:

#!/sbin/setkey -f                                                           
flush;                                                                      
spdflush;                                                                   
                                                                            
# AH                                                                        
add 10.0.0.11 10.0.0.216 ah 15700 -A hmac-md5 "1234567890123456";           
add 10.0.0.216 10.0.0.11 ah 24500 -A hmac-md5 "1234567890123456";           
                                                                            
# ESP                                                                       
add 10.0.0.11 10.0.0.216 esp 15701 -E 3des-cbc "123456789012123456789012";  
add 10.0.0.216 10.0.0.11 esp 24501 -E 3des-cbc "123456789012123456789012";  
                                                                            
spdadd 10.0.0.216 10.0.0.11 any -P out ipsec                                
           esp/transport//require                                           
           ah/transport//require;                                           
                                                                            
spdadd 10.0.0.11 10.0.0.216 any -P in ipsec                                 
           esp/transport//require                                           
           ah/transport//require;                                           
                                                                            
                                                                            


And on 10.0.0.11:

#!/sbin/setkey -f                                                           
flush;                                                                      
spdflush;                                                                   
                                                                            
# AH                                                                        
add 10.0.0.11 10.0.0.216 ah 15700 -A hmac-md5 "1234567890123456";           
add 10.0.0.216 10.0.0.11 ah 24500 -A hmac-md5 "1234567890123456";           
                                                                            
# ESP                                                                       
add 10.0.0.11 10.0.0.216 esp 15701 -E 3des-cbc "123456789012123456789012";  
add 10.0.0.216 10.0.0.11 esp 24501 -E 3des-cbc "123456789012123456789012";  
                                                                            
                                                                            
spdadd 10.0.0.11 10.0.0.216 any -P out ipsec                                
           esp/transport//require                                           
           ah/transport//require;                                           
                                                                            
spdadd 10.0.0.216 10.0.0.11 any -P in ipsec                                 
           esp/transport//require                                           
           ah/transport//require;                                           
                                                                            
                                                                            


Note that in this example we used identical keys for both directions of
traffic. That is not required in any way.

To examine the configuration just created, run setkey -D, which shows the
Security Associations, or setkey -DP, which shows the configured policies.

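The asymmetry described above (an outbound policy with no matching inbound
policy) is easy to overlook in a setkey script. The following Python lint is
an added example for this HOWTO, not part of the original text or of
ipsec-tools; it parses the 'spdadd' and 'add' statements of a setkey
configuration and reports (local host, peer) pairs that are protected in only
one direction, as well as SAs that no policy ever requires. The two sample
configurations embedded below are the HOWTO's own examples from this section,
reproduced as strings; 'fwd' policies and non-'ipsec' actions are ignored.

```python
"""Lint a setkey(8) configuration for one-way IPsec protection.

Added example for the LARTC HOWTO; not code from the HOWTO or ipsec-tools.
The configurations below are the HOWTO's own, embedded as constants.
"""
import re

# spdadd <src> <dst> <upper> -P <direction> <action> <rules...>;
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(\w+)\s+(\w+)\s*([^;]*);",
    re.IGNORECASE,
)
# add <src> <dst> ah|esp ...   ('\b' keeps this from matching 'spdadd')
SA_RE = re.compile(r"\badd\s+(\S+)\s+(\S+)\s+(ah|esp)\b", re.IGNORECASE)


def parse_policies(config_text):
    """One dict per spdadd statement; flush/spdflush/add lines are skipped."""
    policies = []
    for m in SPDADD_RE.finditer(config_text):
        src, dst, upper, direction, action, rules = m.groups()
        policies.append({
            "src": src, "dst": dst, "upper": upper,
            "direction": direction.lower(),   # setkey accepts 'in'/'IN'
            "action": action.lower(),
            "rules": tuple(rules.split()),
        })
    return policies


def unprotected_directions(config_text):
    """(local, peer, missing_direction) for every pair protected one way only."""
    covered, pairs = set(), set()
    for p in parse_policies(config_text):
        if p["action"] != "ipsec":
            continue                          # 'discard'/'none' protect nothing
        if p["direction"] == "out":
            local, peer = p["src"], p["dst"]
        elif p["direction"] == "in":
            local, peer = p["dst"], p["src"]
        else:
            continue                          # 'fwd' is out of scope here
        covered.add((local, peer, p["direction"]))
        pairs.add((local, peer))
    return sorted((local, peer, d)
                  for local, peer in pairs
                  for d in ("out", "in")
                  if (local, peer, d) not in covered)


def sas_without_policy(config_text):
    """(src, dst) of SAs that no 'ipsec' policy, in either direction, requires.

    An SA alone never makes the kernel demand protection; this catches the
    'same SAs, no Security Policy' host from the text."""
    required = {(p["src"], p["dst"]) for p in parse_policies(config_text)
                if p["action"] == "ipsec"}
    return sorted({(m.group(1), m.group(2)) for m in SA_RE.finditer(config_text)}
                  - required)


# The HOWTO's first, dangerous script for 10.0.0.216: outbound policy only.
UNSAFE_216 = """
add 10.0.0.216 10.0.0.11 ah 24500 -A hmac-md5 "1234567890123456";
add 10.0.0.216 10.0.0.11 esp 24501 -E 3des-cbc "123456789012123456789012";

spdadd 10.0.0.216 10.0.0.11 any -P out ipsec
   esp/transport//require
   ah/transport//require;
"""

# The same host after the inbound policy from the text has been added.
COMPLETE_216 = UNSAFE_216 + """
spdadd 10.0.0.11 10.0.0.216 any -P IN ipsec
           esp/transport//require
           ah/transport//require;
"""

# The HOWTO's first script for 10.0.0.11: SAs, but no policy at all.
ORIGINAL_11 = """
add 10.0.0.216 10.0.0.11 ah 24500 -A hmac-md5 "1234567890123456";
add 10.0.0.216 10.0.0.11 esp 24501 -E 3des-cbc "123456789012123456789012";
"""

if __name__ == "__main__":
    for name, cfg in (("unsafe 10.0.0.216", UNSAFE_216),
                      ("complete 10.0.0.216", COMPLETE_216),
                      ("original 10.0.0.11", ORIGINAL_11)):
        print(name, "one-way:", unprotected_directions(cfg),
              "unused SAs:", sas_without_policy(cfg))
```

Run against a real script with 'setkey -DP'-style files exported from your
hosts, and treat any non-empty result as a host that will accept cleartext
from its "protected" peer.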
 

7.2. Automatic keying

In the previous section encryption was configured using simple shared secrets.
In other words, to remain secure we have to transfer our encryption
configuration over a trusted channel. If we were to configure the remote host
over telnet, any third party could learn our shared secret, and the setup
would not be secure.

Furthermore, because the secret is shared, it is not really a secret. The
remote end cannot do a lot with our secret, but we do need to make sure we use
a different secret for each partner we communicate with. With 10 partners this
already adds up to a large number of secrets: a fully meshed group of n hosts
needs n(n-1)/2 of them, 45 for n = 10 (the original text says 50; the
translator notes that 10 choose 2 gives 45).

Besides the shared-secret problem, there is the need for key rollover. If a
third party manages to capture enough traffic, it may be in a position to
reverse-engineer the key. This is prevented by moving to a new key every once
in a while, but that needs to be automated.

Another problem is that with manual keying as described above we define the
algorithms and key lengths exactly, which requires a lot of coordination with
the remote party. It is desirable to be able to describe a broader key policy,
such as 'we can do 3DES and Blowfish with at least the following key lengths'.

To solve these issues, IPSEC provides the Internet Key Exchange (IKE): the
algorithm details are negotiated, random keys are generated automatically, and
the exchange is protected with asymmetric cryptography.

The Linux 2.5 IPSEC implementation works with the KAME 'racoon' IKE daemon. As
of 9 November (translator's note: 2002), the racoon version in Alexey's
iptools distribution can be compiled, although you may need to remove
'#include <net/route.h>' from two files. Alternatively, a precompiled binary
is available at <http://ds9a.nl/ipsec/racoon.bz2>.

    Note: IKE needs access to UDP port 500; make sure iptables does not block
    it.
   
 

7.2.1. Theory

As explained before, automatic keying does a lot of the work for us.
Specifically, it creates Security Associations on the fly. It does not set
policy for us, however, which is as it should be.

So, to benefit from IKE, set up a policy but do not supply any SAs. When the
kernel discovers that there is an IPSEC policy but no matching Security
Association, it notifies the IKE daemon, which then goes to work negotiating
one.

To reiterate: a Security Policy specifies WHAT we want; a Security Association
describes HOW we want it. Using automatic keying lets us get away with only
specifying what we want.

 

7.2.2. Example

KAME's racoon comes with a grand host of options, most of which have very
sensible default values, so we don't need to touch them. As described above,
the operator needs to define a Security Policy but no Security Associations;
negotiation is left to the IKE daemon.

In this example 10.0.0.11 and 10.0.0.216 are once again going to set up secure
communications, but this time with help from racoon. For simplicity this
configuration uses pre-shared keys, the dreaded 'shared secrets'. X.509
certificates are discussed in a separate section, see Section 7.2.3.

We stick to almost the default configuration, identical on both hosts:


path pre_shared_key "/usr/local/etc/racoon/psk.txt";                
                                                                    
remote anonymous                                                    
{                                                                   
        exchange_mode aggressive,main;                              
        doi ipsec_doi;                                              
        situation identity_only;                                    
                                                                    
        my_identifier address;                                      
                                                                    
        lifetime time 2 min;   # sec,min,hour                       
        initial_contact on;                                         
        proposal_check obey;    # obey, strict or claim             
                                                                    
        proposal {                                                  
                encryption_algorithm 3des;                          
                hash_algorithm sha1;                                
                authentication_method pre_shared_key;               
                dh_group 2 ;                                        
        }                                                           
}                                                                   
                                                                    
sainfo anonymous                                                    
{                                                                   
        pfs_group 1;                                                
        lifetime time 2 min;                                        
        encryption_algorithm 3des ;                                 
        authentication_algorithm hmac_sha1;                         
        compression_algorithm deflate;                              
}                                                                   


That is a lot of settings; I think even more could be removed to get closer to
the default configuration. A few noteworthy things. We configured two
'anonymous' sections, which apply to all remotes and make further
configuration easy. There is no need for per-host stanzas unless we really
want them.

Furthermore, we specified that we identify ourselves by our IP address
('my_identifier address'), and declared that we can do 3des and sha1 and that
we will use a pre-shared key found in psk.txt.

A security caveat for anyone reusing this today: IKEv1 aggressive mode with a
pre-shared key sends a hash derived from that key in the clear, which allows
offline dictionary attacks on weak secrets, and 3DES, SHA-1 and a 1024-bit
Diffie-Hellman group (dh_group 2, pfs_group 1) are all considered obsolete.
In a new deployment use main mode (or IKEv2), AES, SHA-2 and a Diffie-Hellman
group of at least 2048 bits.

In psk.txt we put one entry on each host; the entries differ between the two
hosts. On 10.0.0.11:

10.0.0.216      password2                                           

On 10.0.0.216:

10.0.0.11       password2                                           

Make sure these files are owned by root and set to mode 0600; racoon refuses
to use them otherwise. Note that the two files are mirror images of each
other.

Now we are ready to set up the policy we want, which is simple enough. On host
10.0.0.216:

#!/sbin/setkey -f                                                   
flush;                                                              
spdflush;                                                           
                                                                    
spdadd 10.0.0.216 10.0.0.11 any -P out ipsec                        
        esp/transport//require;                                     
                                                                    
spdadd 10.0.0.11 10.0.0.216 any -P in ipsec                         
        esp/transport//require;                                     

And on 10.0.0.11:

#!/sbin/setkey -f                                                   
flush;                                                              
spdflush;                                                           
                                                                    
spdadd 10.0.0.11 10.0.0.216 any -P out ipsec                        
        esp/transport//require;                                     
                                                                    
spdadd 10.0.0.216 10.0.0.11 any -P in ipsec                         
        esp/transport//require;                                     

Note that once again these policies are mirrored.

We are now ready to launch racoon! Once it is running, the moment we try to
telnet from 10.0.0.11 to 10.0.0.216 or the other way around (or attempt any
other connection), racoon starts negotiating:

12:18:44: INFO: isakmp.c:1689:isakmp_post_acquire(): IPsec-SA                       
  request for 10.0.0.11 queued due to no phase1 found.                              
12:18:44: INFO: isakmp.c:794:isakmp_ph1begin_i(): initiate new                      
  phase 1 negotiation: 10.0.0.216[500]<=>10.0.0.11[500]                             
12:18:44: INFO: isakmp.c:799:isakmp_ph1begin_i(): begin Aggressive mode.            
12:18:44: INFO: vendorid.c:128:check_vendorid(): received Vendor ID:                
  KAME/racoon                                                                       
12:18:44: NOTIFY: oakley.c:2037:oakley_skeyid(): couldn't find                      
  the proper pskey, try to get one by the peer's address.                           
12:18:44: INFO: isakmp.c:2417:log_ph1established(): ISAKMP-SA                       
  established 10.0.0.216[500]-10.0.0.11[500] spi:044d25dede78a4d1:ff01e5b4804f0680  
12:18:45: INFO: isakmp.c:938:isakmp_ph2begin_i(): initiate new phase 2              
  negotiation: 10.0.0.216[0]<=>10.0.0.11[0]                                         
12:18:45: INFO: pfkey.c:1106:pk_recvupdate(): IPsec-SA established:                 
  ESP/Transport 10.0.0.11->10.0.0.216 spi=44556347(0x2a7e03b)                       
12:18:45: INFO: pfkey.c:1318:pk_recvadd(): IPsec-SA established:                    
  ESP/Transport 10.0.0.216->10.0.0.11 spi=15863890(0xf21052)                        


If we now run setkey -D, which shows the Security Associations, we see that
they are indeed there:

10.0.0.216 10.0.0.11                                                        
        esp mode=transport spi=224162611(0x0d5c7333) reqid=0(0x00000000)    
        E: 3des-cbc  5d421c1b d33b2a9f 4e9055e3 857db9fc 211d9c95 ebaead04  
        A: hmac-sha1  c5537d66 f3c5d869 bd736ae2 08d22133 27f7aa99          
        seq=0x00000000 replay=4 flags=0x00000000 state=mature               
        created: Nov 11 12:28:45 2002   current: Nov 11 12:29:16 2002       
        diff: 31(s)     hard: 600(s)    soft: 480(s)                        
        last: Nov 11 12:29:12 2002      hard: 0(s)      soft: 0(s)          
        current: 304(bytes)     hard: 0(bytes)  soft: 0(bytes)              
        allocated: 3    hard: 0 soft: 0                                     
        sadb_seq=1 pid=17112 refcnt=0                                       
10.0.0.11 10.0.0.216                                                        
        esp mode=transport spi=165123736(0x09d79698) reqid=0(0x00000000)    
        E: 3des-cbc  d7af8466 acd4f14c 872c5443 ec45a719 d4b3fde1 8d239d6a  
        A: hmac-sha1  41ccc388 4568ac49 19e4e024 628e240c 141ffe2f          
        seq=0x00000000 replay=4 flags=0x00000000 state=mature               
        created: Nov 11 12:28:45 2002   current: Nov 11 12:29:16 2002       
        diff: 31(s)     hard: 600(s)    soft: 480(s)                        
        last:                           hard: 0(s)      soft: 0(s)          
        current: 231(bytes)     hard: 0(bytes)  soft: 0(bytes)              
        allocated: 2    hard: 0 soft: 0                                     
        sadb_seq=0 pid=17112 refcnt=0                                       

As are the Security Policies we configured ourselves:

10.0.0.11[any] 10.0.0.216[any] tcp                                  
        in ipsec                                                    
        esp/transport//require                                      
        created:Nov 11 12:28:28 2002 lastused:Nov 11 12:29:12 2002  
        lifetime:0(s) validtime:0(s)                                
        spid=3616 seq=5 pid=17134                                   
        refcnt=3                                                    
10.0.0.216[any] 10.0.0.11[any] tcp                                  
        out ipsec                                                   
        esp/transport//require                                      
        created:Nov 11 12:28:28 2002 lastused:Nov 11 12:28:44 2002  
        lifetime:0(s) validtime:0(s)                                
        spid=3609 seq=4 pid=17134                                   
        refcnt=3                                                    


 

7.2.2.1. Problems and known defects

If this does not work, check that all configuration files are owned by root
and can only be read by root. To start racoon in the foreground, use '-F'. To
make it read a particular configuration file instead of the compiled-in one,
use '-f'. For staggering amounts of detail, add a 'log debug;' statement to
racoon.conf.

 

7.2.3. Automatic keying using X.509 certificates

As mentioned before, the use of shared secrets is problematic because they are
not easily shared and, once shared, are no longer secret. Luckily, asymmetric
cryptography helps resolve this.

If each IPSEC participant creates a public and a private key, secure
communications can be set up by both parties publishing their public key and
configuring policy.

Building a key is relatively easy, although it requires some work. The
following is based on the 'openssl' tool.

 

7.2.3.1. Building an X.509 certificate for your host

OpenSSL has a lot of infrastructure for keys that may or may not be signed by
certificate authorities. Right now we bypass all that infrastructure and
practise some good old snake-oil security, without a certificate authority.

First we issue a 'certificate request' for our host, which we call 'laptop':

$ openssl req -new -nodes -newkey rsa:1024 -sha1 -keyform PEM -keyout \ 
  laptop.private -outform PEM -out request.pem                          

This asks us some questions:

Country Name (2 letter code) [AU]:NL                                      
State or Province Name (full name) [Some-State]:.                         
Locality Name (eg, city) []:Delft                                         
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linux Advanced 
Routing & Traffic Control                                                 
Organizational Unit Name (eg, section) []:laptop                          
Common Name (eg, YOUR name) []:bert hubert                                
Email Address []:ahu@ds9a.nl                                              
                                                                          
Please enter the following 'extra' attributes                             
to be sent with your certificate request                                  
A challenge password []:                                                  
An optional company name []:                                              

How much information you fill in is up to you; depending on your security
needs you may or may not want to identify the host in this much detail. In
this example we filled everything in.

We now 'self-sign' this request:

$ openssl x509 -req -in request.pem -signkey laptop.private -out \  
  laptop.public                                                     
Signature ok                                                        
subject=/C=NL/L=Delft/O=Linux Advanced Routing & Traffic \          
  Control/OU=laptop/CN=bert hubert/Email=ahu@ds9a.nl                
Getting Private key                                                 

The 'request.pem' file can now be discarded.

Repeat this procedure for every host you need a key for. You can distribute
the '.public' file freely, but keep the '.private' one private! (The 1024-bit
RSA key and SHA-1 signature used in this example are no longer considered
adequate; today use at least rsa:2048 and -sha256.)

 

7.2.3.2. Setting up and launching

Once we have a public and a private key for our hosts, we can tell racoon to
use them.

We return to our earlier configuration and the two hosts, 10.0.0.11
('upstairs') and 10.0.0.216 ('laptop').

To the racoon.conf file on 10.0.0.11 we add:

path certificate "/usr/local/etc/racoon/certs";                     
                                                                    
remote 10.0.0.216                                                   
{                                                                   
        exchange_mode aggressive,main;                              
        my_identifier asn1dn;                                       
        peers_identifier asn1dn;                                    
                                                                    
        certificate_type x509 "upstairs.public" "upstairs.private"; 
                                                                    
        peers_certfile "laptop.public";                             
        proposal {                                                  
                encryption_algorithm 3des;                          
                hash_algorithm sha1;                                
                authentication_method rsasig;                       
                dh_group 2 ;                                        
        }                                                           
}                                                                   

This tells racoon that certificates are found in /usr/local/etc/racoon/certs/.
Furthermore, it contains configuration items specific to the remote
10.0.0.216.

The 'asn1dn' lines tell racoon that the identifiers of both the local and the
remote end are to be extracted from the public keys. This is the
'subject=/C=NL/L=Delft/O=Linux Advanced Routing & Traffic Control/OU=
laptop/CN=bert hubert/Email=ahu@ds9a.nl' output shown above.

The certificate_type line configures the local public and private key. The
peers_certfile statement tells racoon to read the public key of the remote
peer from the file laptop.public.

The proposal stanza is unchanged from what we saw earlier, except that the
authentication_method is now rsasig, indicating the use of RSA public/private
keys for authentication.

The addition to the configuration on 10.0.0.216 is nearly identical, except
for the usual mirroring:

path certificate "/usr/local/etc/racoon/certs";                     
                                                                    
remote 10.0.0.11                                                    
{                                                                   
        exchange_mode aggressive,main;                              
        my_identifier asn1dn;                                       
        peers_identifier asn1dn;                                    
                                                                    
        certificate_type x509 "laptop.public" "laptop.private";     
                                                                    
        peers_certfile "upstairs.public";                           
                                                                    
        proposal {                                                  
                encryption_algorithm 3des;                          
                hash_algorithm sha1;                                
                authentication_method rsasig;                       
                dh_group 2 ;                                        
        }                                                           
}                                                                   


Now that we have added these statements to both hosts, we only need to move
the key files into place. The 'upstairs' machine needs upstairs.private,
upstairs.public and laptop.public in /usr/local/etc/racoon/certs. Make sure
that directory is owned by root and has mode 0700, or racoon may refuse to
read it!

The 'laptop' machine needs laptop.private, laptop.public and upstairs.public
in /usr/local/etc/racoon/certs. In other words, each host needs its own public
and private key plus the public key of the remote.

Verify that a Security Policy is in place (execute the 'spdadd' lines from
Section 7.2.2). Then launch racoon, and everything should work.

 

7.2.3.3. How to set up tunnels securely

To set up secure communications with a remote party, public keys must be
exchanged. The public key does not need to be kept secret, quite the
contrary, but it is very important to be sure that it is in fact the unaltered
key. In other words, you need to be certain there is no 'man in the middle'.

To make this easy, OpenSSL provides the 'digest' command:

$ openssl dgst upstairs.public                                      
MD5(upstairs.public)= 78a3bddafb4d681c1ca8ed4d23da4ff1              


Now all we need to do is check whether our remote partner sees the same
digest. This might be done by meeting in person, or perhaps over the phone,
making sure the phone number of the remote party did not arrive in the same
e-mail as the key! (MD5, the default shown here, is no longer collision
resistant; compare a SHA-256 digest, 'openssl dgst -sha256', instead.)

Another way of doing this is to use a Trusted Third Party that runs a
Certificate Authority. That CA then signs your key, which we did ourselves
above.

 

7.3. IPSEC tunnels

So far we have only seen IPSEC in so-called 'transport' mode, where both
endpoints understand IPSEC directly. As this is often not the case, it may be
necessary to have only the routers understand IPSEC and do the work for the
hosts behind them. This is called 'tunnel mode'.

Setting this up is a breeze. To tunnel all traffic from 10.0.0.216 to
130.161.0.0/16 via 10.0.0.11, we issue the following on 10.0.0.216:

#!/sbin/setkey -f                                                   
flush;                                                              
spdflush;                                                           
                                                                    
add 10.0.0.216 10.0.0.11 esp 34501                                  
        -m tunnel                                                   
        -E 3des-cbc "123456789012123456789012";                     
                                                                    
spdadd 10.0.0.0/24 130.161.0.0/16 any -P out ipsec                  
           esp/tunnel/10.0.0.216-10.0.0.11/require;                 

Note the '-m tunnel'; it is vitally important! It first configures an ESP
encryption SA between our tunnel endpoints, 10.0.0.216 and 10.0.0.11.

Next the actual tunnel is configured. It instructs the kernel to encrypt all
traffic it has to route from 10.0.0.0/24 to 130.161.0.0/16. Furthermore, this
traffic then has to be shipped to 10.0.0.11.

10.0.0.11 also needs some configuration:

#!/sbin/setkey -f                                                   
flush;                                                              
spdflush;                                                           
                                                                    
add 10.0.0.216 10.0.0.11 esp 34501                                  
        -m tunnel                                                   
        -E 3des-cbc "123456789012123456789012";                     
                                                                    
spdadd 10.0.0.0/24 130.161.0.0/16 any -P in ipsec                   
           esp/tunnel/10.0.0.216-10.0.0.11/require;                 

Note that this is exactly identical, except for the change from '-P out' to
'-P in'. As in earlier examples, we have configured traffic going only one
way. Completing the other half of the tunnel is left as an exercise for the
reader.

Another name for this setup is 'proxy ESP', which is a bit clearer.

    Note: The IPSEC tunnel needs IP Forwarding enabled in the kernel!
   
 

7.4. Other IPSEC software

Thomas Walpuski reports that he wrote a patch to make OpenBSD's isakmpd work
with Linux 2.5 IPSEC. Furthermore, the main isakmpd CVS repository now
contains the code! Some notes are on his page
<http://bender.thinknerd.de/~thomas/IPsec/isakmpd-linux.html>.

isakmpd is quite different from the racoon mentioned above, but many people
like it. It can be found at
<http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/isakmpd/>. Read more about
OpenBSD CVS at <http://www.openbsd.org/anoncvs.html>. Thomas also made a
tarball <http://bender.thinknerd.de/~thomas/IPsec/isakmpd.tgz> available for
those unaccustomed to CVS or patch.

Furthermore, there are patches to make the FreeS/WAN userspace tools work with
the native Linux 2.5 IPSEC; you can find them at
<http://gondor.apana.org.au/~herbert/freeswan/>.

 

7.5. IPSEC interoperation with other systems

FIXME: Write this.

 

7.5.1. Windows

Andreas Jellinghaus 
<aj@dungeon.inka.de> reports: "win2k: it works. Pre-shared key with IP address
for authentication (I don't think Windows supports fqdn or userfqdn strings).
Certificates should also work, didn't try."

 

Chapter 8. Multicast routing

FIXME: No editor!

The Multicast-HOWTO is ancient (relatively speaking) and may be inaccurate or
misleading in places for that reason.

Before you can do any multicast routing, you need to configure the Linux
kernel to support the type of multicast routing you want to do. This in turn
requires you to decide what type of multicast routing you expect to be using.
There are essentially four 'common' types: DVMRP (the multicast version of the
RIP unicast protocol), MOSPF (the same, but for OSPF), PIM-SM ('Protocol
Independent Multicasting - Sparse Mode', which assumes that the users of any
multicast group are spread out rather than clumped together) and PIM-DM (the
same, but 'Dense Mode', which assumes that there will be significant clumps of
users of the same multicast group).

In the Linux kernel you will notice that these options do not appear. The
protocol itself is handled by a routing application such as Zebra, mrouted or
pimd. However, you still have to have a good idea of which one you are going
to use, in order to select the right options in the kernel.

For all multicast routing you definitely need to enable 'multicasting' and
'multicast routing'. For DVMRP and MOSPF this is sufficient. If you are going
to use PIM, you must also enable PIMv1 or PIMv2, depending on whether the
network you are connecting to uses version 1 or 2 of the PIM protocol.

Once you have all that sorted out and your new Linux kernel compiled, you will
see that the IP protocols listed at boot time now include IGMP. This is the
protocol for managing multicast groups. At the time of writing, Linux supports
only IGMP versions 1 and 2, although version 3 exists and has been documented.
This does not affect us much, as IGMPv3 is still new enough that its extra
capabilities are not going to be of that much use. Because IGMP deals with
groups, only the features present in the simplest version of IGMP across the
entire group will be used. For the most part that will be IGMPv2, although
IGMPv1 is still going to be encountered.

So far, so good. We have enabled multicasting. Now we have to tell the Linux
kernel to actually do something with it, so we can start routing. This means
adding the multicast virtual network to the routing table:


ip route add 224.0.0.0/4 dev eth0                                   


(Assuming, of course, that you are multicasting over eth0! Substitute the
device of your choice.)

Now tell Linux to forward packets...


echo 1 > /proc/sys/net/ipv4/ip_forward                              


At this point you may be wondering whether this is ever going to do anything.
So, to test our connection, we ping the default group, 224.0.0.1, to see if
anyone is alive. All machines on your LAN with multicasting enabled should
respond, and nothing else. You will notice that none of the machines that
respond has the IP address 224.0.0.1. What a surprise! :) This is a group
address (a 'broadcast' to subscribers), and all members of the group respond
with their own address, not the group address.


ping -c 2 224.0.0.1                                                 


At this point you are ready to do actual multicast routing. Well, assuming
that you have two networks to route between.

(To be continued!)

 

Chapter 9. Queueing Disciplines for Bandwidth Management

Now, when I discovered this, it really blew me away. Linux 2.2/2.4 comes with
everything needed to manage bandwidth in ways comparable to high-end dedicated
bandwidth management systems.

Linux even goes far beyond what Frame Relay and ATM provide.

Just to prevent confusion, tc uses the following rules for bandwidth
specification:

mbps = 1024 kbps = 1024 * 1024 bps => byte/s                           
mbit = 1024 kbit => kilo bit/s.                                        
mb = 1024 kb = 1024 * 1024 b => byte                                   
mbit = 1024 kbit => kilo bit.                                          

Internally, the number is stored in bps and b.

But when tc prints a rate, it uses the following:

1Mbit = 1024 Kbit = 1024 * 1024 bps => byte/s                          

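The two tables above are the whole trap: 'mbps' is megabytes per second,
'mbit' is megabits per second, and kilo means 1024. The following Python
helper is an added example for this HOWTO, not code from the original or from
iproute2; it parses tc-style rate and size strings under exactly these rules
and prints rates the way the HOWTO says tc does (1Mbit = 1024 Kbit). One
caveat that is not from the page: current iproute2 reads kbit/mbit as
decimal (1000-based) and only kibit/mibit as 1024-based, so check the tc
version before relying on the 1024 rule.

```python
"""Parse and print tc(8) bandwidth quantities under the HOWTO's unit rules.

Added example for the LARTC HOWTO; not code from the HOWTO or iproute2.
Rules: kilo = 1024; bit/kbit/mbit are bits per second; bps/kbps/mbps are
BYTES per second; a bare number is bit/s for rates and bytes for sizes.
"""
import re

_NUMBER_UNIT = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*([A-Za-z]*)\s*$")

# Rate suffix -> bits per second per unit ('mbps = 1024 kbps = ... => byte/s').
_RATE_SCALE = {
    "": 1, "bit": 1, "kbit": 1024, "mbit": 1024 ** 2, "gbit": 1024 ** 3,
    "bps": 8, "kbps": 8 * 1024, "mbps": 8 * 1024 ** 2, "gbps": 8 * 1024 ** 3,
}

# Size suffix -> bytes per unit ('mb = 1024 kb = 1024 * 1024 b => byte').
_SIZE_SCALE = {
    "": 1, "b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3,
    "bit": 1 / 8, "kbit": 1024 / 8, "mbit": 1024 ** 2 / 8,
    "gbit": 1024 ** 3 / 8,
}


def _split(text):
    """Split '256kbit' into (256.0, 'kbit'); units are case-insensitive."""
    m = _NUMBER_UNIT.match(text)
    if not m:
        raise ValueError(f"not a tc quantity: {text!r}")
    return float(m.group(1)), m.group(2).lower()


def parse_rate_bits_per_second(text):
    """Rate string -> integer bit/s, e.g. '1mbps' -> 8388608."""
    number, unit = _split(text)
    if unit not in _RATE_SCALE:
        raise ValueError(f"unknown rate unit {unit!r} in {text!r}")
    return int(round(number * _RATE_SCALE[unit]))


def parse_size_bytes(text):
    """Size string -> integer bytes, e.g. '10kbit' -> 1280."""
    number, unit = _split(text)
    if unit not in _SIZE_SCALE:
        raise ValueError(f"unknown size unit {unit!r} in {text!r}")
    return int(round(number * _SIZE_SCALE[unit]))


def format_rate(bits_per_second):
    """Print a rate the way the HOWTO says tc does: 1Mbit = 1024 Kbit."""
    if bits_per_second % 1024 ** 2 == 0:
        return f"{bits_per_second // 1024 ** 2}Mbit"
    if bits_per_second % 1024 == 0:
        return f"{bits_per_second // 1024}Kbit"
    return f"{bits_per_second}bit"


if __name__ == "__main__":
    # '1mbit' and '1mbps' differ by a factor of eight; that is the usual mistake.
    for spec in ("1mbit", "1mbps", "256kbit", "8000"):
        bps = parse_rate_bits_per_second(spec)
        print(f"{spec:>8} -> {bps:>10} bit/s  (tc prints {format_rate(bps)})")
```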
 

9.1. Queues and Queueing Disciplines explained

With queueing we determine the way in which data is sent. It is important to
realise that we can only shape data that we transmit.

With the way the Internet works, we have no direct control over what people
send us. It is a bit like your (physical!) mailbox at home. There is no way
you can influence the world to change the amount of mail it sends you, short
of contacting everybody.

However, the Internet is mostly based on TCP/IP, which has a few features that
help us. TCP/IP has no way of knowing the capacity of the network between two
hosts, so it simply starts sending data faster and faster ('slow start'), and
when packets start getting lost because there is no room to send them, it
slows down. In fact it is a bit smarter than this, but more about that later.

This is the equivalent of not reading half of your mail and hoping that people
will stop sending it to you. With the difference that it works for the
Internet :-)

If you have a router and wish to prevent certain hosts within your network
from downloading too fast, you need to do your shaping on the inner interface
of your router, the one that sends data to your own computers.

You also have to be sure you are controlling the bottleneck of the link. If
you have a 100Mbit NIC and a router with a 256kbit link, you have to make sure
you do not send more data than the router can handle. Otherwise it is the
router that controls the link and shapes the available bandwidth. We need to
'own the queue', so to speak, and be the slowest link in the chain. Luckily
this is easily possible.

 

9.2. Simple, classless Queueing Disciplines

As said, with queueing disciplines we change the way data is sent. Classless
queueing disciplines are those that, by and large, accept data and only
reschedule, delay or drop it.

These can be used to shape traffic for an entire interface, without any
subdivisions. It is vital that you understand this part of queueing before we
go on to the classful qdisc-containing-qdiscs!

By far the most widely used discipline is the pfifo_fast qdisc; it is the
default. This also explains why the advanced features are so robust: they are
nothing more than 'just another queue'.

Each of these queues has specific strengths and weaknesses. Not all of them
may be equally well tested.

 

9.2.1. pfifo_fast

This queue is, as the name says, First In, First Out, which means that no
packet receives special treatment. At least, not quite. This queue has three
so-called 'bands'. Within each band, FIFO rules apply. However, as long as
there are packets waiting in band 0, band 1 is not processed. The same goes
for band 1 and band 2.

The kernel honours the so-called Type of Service flag of packets and takes
care to insert 'minimum delay' packets into band 0.

Do not confuse this classless, simple qdisc with the classful PRIO qdisc!
Although they behave similarly, pfifo_fast is classless and you cannot add
other qdiscs to it with the tc command.

 

9.2.1.1. Parameters & usage

You cannot configure the pfifo_fast qdisc, as it is the hardwired default.
This is how it is configured by default:

priomap
   
    Determines how packet priorities, as assigned by the kernel, map to
    bands. The mapping is based on the TOS octet of the packet, which looks
    like this:
   
     
    
       0     1     2     3     4     5     6     7          
    +-----+-----+-----+-----+-----+-----+-----+-----+       
    |                 |                       |     |       
    |   PRECEDENCE    |          TOS          | MBZ |       
    |                 |                       |     |       
    +-----+-----+-----+-----+-----+-----+-----+-----+       
    
     
   
    The four TOS bits (the 'TOS field') are defined as follows:
    
    Binary Decimal   Meaning                                
    -----------------------------------------               
    1000   8         Minimize delay (md)                    
    0100   4         Maximize throughput (mt)               
    0010   2         Maximize reliability (mr)              
    0001   1         Minimize monetary cost (mmc)           
    0000   0         Normal Service                         
    
     
   
    As there is one bit to the right of these four bits, the actual value
    of the TOS field is double the value of the TOS bits. tcpdump -v -v
    shows you the value of the entire TOS field, not just the four bits. It
    is the value you see in the first column of the following table.
   
     
    
    TOS     Bits  Means                    Linux Priority    Band 
    ------------------------------------------------------------  
    0x0     0     Normal Service           0 Best Effort     1    
    0x2     1     Minimize Monetary Cost   1 Filler          2    
    0x4     2     Maximize Reliability     0 Best Effort     1    
    0x6     3     mmc+mr                   0 Best Effort     1    
    0x8     4     Maximize Throughput      2 Bulk            2    
    0xa     5     mmc+mt                   2 Bulk            2    
    0xc     6     mr+mt                    2 Bulk            2    
    0xe     7     mmc+mr+mt                2 Bulk            2    
    0x10    8     Minimize Delay           6 Interactive     0    
    0x12    9     mmc+md                   6 Interactive     0    
    0x14    10    mr+md                    6 Interactive     0    
    0x16    11    mmc+mr+md                6 Interactive     0    
    0x18    12    mt+md                    4 Int. Bulk       1    
    0x1a    13    mmc+mt+md                4 Int. Bulk       1    
    0x1c    14    mr+mt+md                 4 Int. Bulk       1    
    0x1e    15    mmc+mr+mt+md             4 Int. Bulk       1    
    
     
   
    Lots of numbers. The second column contains the value of the relevant four TOS bits, followed by their translated meaning. For example, 15 stands for a packet wanting Minimal Monetary Cost, Maximum Reliability, Maximum Throughput AND Minimum Delay. I would call this a 'Dutch Packet'. [Translator's note: the author, Hubert, is Dutch :-)]
   
    The fourth column lists the way the Linux kernel interprets the TOS bits, by showing to which priority they are mapped.
   
    The last column shows the result of the default priomap. On the command line, the default priomap looks like this:
    
    1, 2, 2, 2, 1, 2, 0, 0 , 1, 1, 1, 1, 1, 1, 1, 1         
    
     
   
    This means that priority 4, for example, gets mapped to band number 1 (note: priorities start at 0). The priomap also allows you to list higher priorities (> 7) which do not correspond to TOS mappings, but which are set by other means.
   
    This table from RFC 1349 (read it for more details) tells you how applications might very well set their TOS bits:
    
    TELNET                   1000           (minimize delay)          
    FTP                                                               
            Control          1000           (minimize delay)          
            Data             0100           (maximize throughput)     
                                                                      
    TFTP                     1000           (minimize delay)          
                                                                      
    SMTP                                                              
            Command phase    1000           (minimize delay)          
            DATA phase       0100           (maximize throughput)     
                                                                      
    Domain Name Service                                               
            UDP Query        1000           (minimize delay)          
            TCP Query        0000                                     
            Zone Transfer    0100           (maximize throughput)     
                                                                      
    NNTP                     0001           (minimize monetary cost)  
                                                                      
    ICMP                                                              
            Errors           0000                                     
            Requests         0000 (mostly)                            
            Responses        <same as request> (mostly)               
    
     
   
txqueuelen
   
    The length of this queue is gleaned from the interface configuration, which you can see and set with ifconfig and ip. To set the queue length to 10, execute "ifconfig eth0 txqueuelen 10".

    You can't set this parameter with tc!
   
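The mapping above, TOS octet to Linux priority to band, and the strict-band dequeue order it produces, worked through as an added example (this is not code from the HOWTO; the packet names and TOS values are constructed from the RFC 1349 table above):

```python
"""pfifo_fast band selection and strict-band dequeueing.

Added example (not code from the LARTC HOWTO): reproduces the mapping the
section describes, TOS octet -> four TOS bits -> Linux priority -> band via
the priomap, and then simulates how the three bands are drained.
"""
from collections import deque

# Linux priority for each 4-bit TOS value, taken from the page's table
# ("Bits" column 0..15 -> "Linux Priority" column).
TOS_BITS_TO_PRIO = [0, 1, 0, 0, 2, 2, 2, 2, 6, 6, 6, 6, 4, 4, 4, 4]

# Default priomap from the page: band for Linux priorities 0..15.
DEFAULT_PRIOMAP = [1, 2, 2, 2, 1, 2, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1]

PRIO_NAMES = {0: "Best Effort", 1: "Filler", 2: "Bulk",
              4: "Int. Bulk", 6: "Interactive"}


def tos_field_bits(tos_byte):
    """Extract the four TOS bits from the full TOS octet.

    Per the page's diagram the octet is PRECEDENCE(3) | TOS(4) | MBZ(1), so the
    TOS bits occupy bit positions 1..4; this is why the first column of the
    page's table (the whole field, as tcpdump shows it) is twice the bits value.
    """
    return (tos_byte >> 1) & 0xF


def linux_priority(tos_byte):
    return TOS_BITS_TO_PRIO[tos_field_bits(tos_byte)]


def band_for(tos_byte, priomap=DEFAULT_PRIOMAP):
    """Band (0 = highest) that pfifo_fast enqueues a packet with this TOS into."""
    return priomap[linux_priority(tos_byte)]


def describe(tos_byte):
    prio = linux_priority(tos_byte)
    return tos_field_bits(tos_byte), prio, PRIO_NAMES[prio], band_for(tos_byte)


class PfifoFast:
    """Three strict-priority FIFOs: band 0 is drained before band 1, band 1 before band 2."""

    def __init__(self, bands=3, priomap=DEFAULT_PRIOMAP):
        self.bands = [deque() for _ in range(bands)]
        self.priomap = priomap

    def enqueue(self, name, tos_byte):
        self.bands[band_for(tos_byte, self.priomap)].append(name)

    def dequeue(self):
        for q in self.bands:          # lowest band number wins
            if q:
                return q.popleft()
        return None

    def drain(self):
        out = []
        pkt = self.dequeue()
        while pkt is not None:
            out.append(pkt)
            pkt = self.dequeue()
        return out


def demo_order():
    """Constructed sample traffic: arrival order versus dequeue order.

    TOS values follow the RFC 1349 table on the page: telnet and DNS/UDP set
    minimize-delay (bits 1000 -> field 0x10), ftp-data sets maximize-throughput
    (0100 -> 0x08), NNTP sets minimize-cost (0001 -> 0x02), HTTP leaves 0x00.
    """
    q = PfifoFast()
    arrivals = [("ftp-data", 0x08), ("nntp", 0x02), ("dns-udp", 0x10),
                ("http", 0x00), ("telnet", 0x10)]
    for name, tos in arrivals:
        q.enqueue(name, tos)
    return q.drain()   # -> ['dns-udp', 'telnet', 'http', 'ftp-data', 'nntp']


if __name__ == "__main__":
    for tos in (0x00, 0x02, 0x08, 0x10, 0x18, 0x1e):
        bits, prio, name, band = describe(tos)
        print(f"TOS 0x{tos:02x}: bits={bits:2d} prio={prio} ({name}) band={band}")
    print(demo_order())
```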
 

9.2.2. Token Bucket Filter

The Token Bucket Filter (TBF) is a simple qdisc that only passes packets arriving at a rate which does not exceed some administratively set rate, but with the possibility to allow short bursts in excess of this rate.

TBF is very precise, and network- and processor-friendly. It should be your first choice if you simply want to slow an interface down!

The TBF implementation consists of a buffer (bucket), constantly filled by some virtual pieces of information called tokens, at a specific rate (token rate). The most important parameter of the bucket is its size, that is, the number of tokens it can store.

Each arriving token collects one incoming data packet from the data queue and is then deleted from the bucket. Associating this algorithm with the two flows, tokens and data, gives us three possible scenarios:

 

 * The data arrives in TBF at a rate equal to the rate of incoming tokens. In this case each incoming packet has its matching token and passes the queue without delay.
   
 * The data arrives in TBF at a rate smaller than the token rate. Only a part of the tokens are deleted at output of each data packet that is sent out of the queue, so the tokens accumulate, up to the bucket size. The unused tokens can then be used to send data at a speed exceeding the standard token rate, in case short data bursts occur.
   
 * The data arrives in TBF at a rate bigger than the token rate. This means that the bucket will soon be devoid of tokens, which causes the TBF to throttle itself for a while. This is called an 'overlimit situation'. If packets keep coming in, packets will start to get dropped.
   
 

The last scenario is very important, because it allows an administrator to shape the bandwidth available to data passing the filter.

The accumulation of tokens allows a short burst of overlimit data to still be passed without loss, but any lasting overload will cause packets to be constantly delayed, and then dropped.

Please note that in the actual implementation, tokens correspond to bytes, not packets.

 

9.2.2.1. Parameters & usage

Even though TBF is probably the most useful qdisc, it does not need much tweaking. However, it has parameters that can be set:

limit or latency
   
    Limit is the number of bytes that can be queued waiting for tokens to become available. You can also specify this the other way around by setting the latency parameter, which specifies the maximum amount of time a packet can sit in the TBF. The latter calculation takes into account the size of the bucket, the rate and possibly the peakrate (if set).
   
burst/buffer/maxburst
   
    Size of the bucket, in bytes. This is the maximum amount of bytes that tokens can be available for instantaneously. In general, larger shaping rates require a larger buffer. For 10mbit/s on Intel, you need at least a 10kbyte buffer if you want to reach your configured rate!

    If your buffer is too small, packets may be dropped because more tokens arrive per timer tick than fit in your bucket.
   
mpu
   
    A zero-sized packet does not use zero bandwidth. For ethernet, no packet uses less than 64 bytes. The Minimum Packet Unit determines the minimal token usage for a packet.
   
rate
   
    The speed knob. See the remarks above about limits!
   
If the bucket contains tokens and is allowed to empty, by default it does so at infinite speed. If this is unacceptable, use the following parameters:

peakrate
   
    If tokens are available and packets arrive, they are sent out immediately by default, at 'lightspeed' so to speak. That may not be what you want, especially if you have a large bucket.

    The peakrate can be used to specify how quickly the bucket is allowed to be depleted. If doing everything by the book, this is achieved by releasing a packet, then waiting just long enough, and releasing the next. The waits are calculated so that we send at exactly the peakrate.

    However, due to the default 10ms timer resolution of Unix, with 10.000 bit average packets, we are limited to 1mbit/s of peakrate!
   
mtu/minburst
   
    The 1mbit/s peakrate is not very useful if your regular rate is more than that. A higher peakrate is possible by sending out more packets per timer tick, which effectively means that we create a second bucket!

    This second bucket defaults to a single packet, which is not a bucket at all.

    To calculate the maximum possible peakrate, multiply the configured mtu by 100 (or more correctly, HZ, which is 100 on Intel and 1024 on Alpha).
   
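The three token-bucket scenarios and the limit/burst/rate parameters, simulated as an added example (not code from the HOWTO). It assumes tokens are bytes, as the text states, and ignores timer granularity, peakrate and the mtu bucket; the arrival patterns are constructed:

```python
"""Token Bucket Filter behaviour, as an added example (not from the LARTC HOWTO).

A simplified model of the TBF described above: tokens are bytes, they are
added at `rate`, the bucket holds at most `burst` bytes, at most `limit`
bytes may wait for tokens, and a packet costs at least `mpu` tokens.
Packet timing uses exact arithmetic on arrival times; the kernel's timer
granularity, peakrate and the second (mtu) bucket are not modelled.
"""
from collections import deque


class TokenBucketFilter:
    def __init__(self, rate_bit_s, burst, limit, mpu=0):
        self.rate = rate_bit_s / 8.0      # token (byte) rate per second
        self.burst = burst                # bucket size in bytes
        self.limit = limit                # max bytes waiting for tokens
        self.mpu = mpu
        self.tokens = float(burst)        # bucket starts full
        self.now = 0.0
        self.queue = deque()              # (name, size)
        self.queued_bytes = 0
        self.sent = []                    # (name, time_sent)
        self.dropped = []                 # names

    def _refill(self, t):
        """Add tokens for the time elapsed since the last update, capped at burst."""
        self.tokens = min(self.burst, self.tokens + (t - self.now) * self.rate)
        self.now = t

    def _drain_until(self, t):
        """Send queued packets at the exact moment their tokens are available, up to t."""
        while self.queue:
            name, size = self.queue[0]
            cost = max(size, self.mpu)
            if self.tokens >= cost:
                ready = self.now
            else:
                ready = self.now + (cost - self.tokens) / self.rate
            if ready > t:
                return                    # still waiting for tokens (delayed)
            self._refill(ready)
            self.tokens = max(0.0, self.tokens - cost)
            self.queue.popleft()
            self.queued_bytes -= size
            self.sent.append((name, ready))

    def enqueue(self, t, name, size):
        """A packet of `size` bytes arrives at time t (seconds)."""
        self._drain_until(t)
        self._refill(t)
        if self.queued_bytes + size > self.limit:
            self.dropped.append(name)     # queue full: overlimit drop
            return False
        self.queue.append((name, size))
        self.queued_bytes += size
        self._drain_until(t)              # goes straight through if tokens are there
        return True

    def finish(self, t):
        """Let the clock run to t so delayed packets get sent."""
        self._drain_until(t)
        self._refill(t)
        return self.sent, self.dropped


def run(arrivals, rate_bit_s=8000, burst=1500, limit=3000, until=10.0):
    """Feed constructed arrivals [(time, name, size_bytes)] through a TBF."""
    tbf = TokenBucketFilter(rate_bit_s, burst, limit)
    for t, name, size in arrivals:
        tbf.enqueue(t, name, size)
    return tbf.finish(until)


# Three constructed scenarios matching the three cases in the text
# (rate 8000 bit/s = 1000 bytes/s, bucket 1500 bytes, 3000 bytes may queue).
def scenario_equal():
    """500-byte packets every 0.5 s, exactly the token rate: no delay at all."""
    return run([(i * 0.5, f"e{i}", 500) for i in range(4)])


def scenario_burst():
    """Quiet for 3 s, then 5 packets at once: the 1500 saved tokens absorb
    three of them at 'lightspeed', the fourth waits 0.5 s, nothing is dropped."""
    return run([(0.0, "b0", 500)] + [(3.0, f"b{i}", 500) for i in range(1, 5)])


def scenario_overload():
    """1000-byte packets every 0.25 s (4x the rate): after the initial burst the
    queue fills to `limit`, later arrivals are dropped, survivors leave at 1/s."""
    return run([(i * 0.25, f"o{i}", 1000) for i in range(10)])


if __name__ == "__main__":
    for fn in (scenario_equal, scenario_burst, scenario_overload):
        sent, dropped = fn()
        print(fn.__name__, "sent:", sent, "dropped:", dropped)
```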
 

9.2.2.2. Sample configuration

A simple but very useful configuration is this:

# tc qdisc add dev ppp0 root tbf rate 220kbit latency 50ms burst 1540 

 

Ok, why is this useful? If you have a networking device with a large queue, like a DSL modem or a cable modem, and you talk to it over a fast device, like an ethernet interface, you will find that uploading absolutely destroys interactivity.

This is because uploading fills the queue in the modem, which is probably huge, because this helps to actually achieve good upload throughput. But this is not what you want; you want the queue not to be too big, so that interactivity remains and you can still do other things while sending data.

The line above slows down sending to a rate that does not lead to a queue in the modem. The queue will be in Linux, where we can control it to a limited size.

Change 220kbit to your uplink's actual speed, minus a few percent. If you have a really fast modem, raise 'burst' a bit.

 

9.2.3. Stochastic Fairness Queueing

Stochastic Fairness Queueing (SFQ) is a simple implementation of the fair queueing family of algorithms. It is less accurate than the others, but it also requires fewer calculations while being almost perfectly fair.

The key word in SFQ is conversation (or flow), which mostly corresponds to a TCP session or a UDP stream. Traffic is divided into a pretty large number of FIFO queues, one for each conversation. Traffic is then sent in a round-robin fashion, giving each session the chance to send data in turn.

This leads to very fair behaviour and disallows any single conversation from drowning out the rest. SFQ is called 'Stochastic' because it doesn't really allocate a queue for each session; it has an algorithm which divides traffic over a limited number of queues using a hashing algorithm.

Because of the hash, multiple sessions might end up in the same bucket, which would halve each session's chance of sending a packet, thus halving the effective speed available. To prevent this situation from becoming noticeable, SFQ changes its hashing algorithm quite often, so that any two colliding sessions will only do so for a small number of seconds.

It is important to note that SFQ is only useful if your actual outgoing interface is really full! If it isn't, then there will be no queue on your Linux machine and hence no effect. Later on we will describe how to combine SFQ with other qdiscs to get a best-of-both-worlds situation.

Specifically, setting SFQ on the ethernet interface heading to your cable modem or DSL router is pointless without further shaping!

 

9.2.3.1. Parameters & usage

SFQ is pretty much self-tuning:

perturb
   
    Reconfigure hashing once this many seconds. If unset, the hash will never be reconfigured. Not recommended. 10 seconds is probably a good value.
   
quantum
   
    Amount of bytes a stream is allowed to dequeue before the next queue gets a turn. Defaults to 1 maximum-sized packet (MTU-sized). Do not set below the MTU!
   
limit
   
    The total number of packets that will be queued by this SFQ (after that it starts dropping them).
   
 

9.2.3.2. Sample configuration

If you have a device which has identical link speed and actual available rate, like a phone modem, this configuration will help promote fairness:

# tc qdisc add dev ppp0 root sfq perturb 10                                     
# tc -s -d qdisc ls                                                             
qdisc sfq 800c: dev ppp0 quantum 1514b limit 128p flows 128/1024 perturb 10sec  
 Sent 4812 bytes 62 pkts (dropped 0, overlimits 0)                              

 

The number 800c: is the automatically assigned handle number. limit means that 128 packets can wait in this queue. There are 1024 hash buckets available for accounting, of which 128 can be active at a time (no more packets fit in the queue!). Once every 10 seconds, the hashes are reconfigured.

 

9.3. Advice for when to use which queue

Summarizing, these are the simple queues that actually manage traffic by reordering, slowing or dropping packets.

The following tips may help in choosing which queue to use. They mention some qdiscs described in Chapter 14.

 * To purely slow down outgoing traffic, use the Token Bucket Filter. It works up to huge bandwidths if you scale the bucket.
   
 * If your link is truly full and you want to make sure that no single session can dominate your outgoing bandwidth, use Stochastic Fairness Queueing.
   
 * If you have a big backbone and know what you are doing, consider Random Early Drop (see the chapter on advanced filters).
   
 * To 'shape' incoming traffic which you are not forwarding, use the Ingress Policer. Incoming shaping is called 'policing', by the way, not 'shaping'.
   
 * If you are forwarding it, use a TBF on the interface you are forwarding the data to. Unless you want to shape traffic that may go out over several interfaces, in which case the only common factor is the incoming interface; in that case use the Ingress Policer.
   
 * If you don't want to shape, but only want to see whether your interface is so loaded that it has to queue, use the pfifo queue (not pfifo_fast). It lacks internal bands but does account the size of its backlog.
   
 * Finally, you can also do 'social shaping'. You may not always be able to use technology to achieve what you want. Users experience technical constraints as hostile. A kind word may also help with getting your bandwidth divided right!
   
 

9.4. Terminology

To properly understand more complicated configurations it is necessary to explain a few concepts first. Because of the complexity and the relative youth of the subject, a lot of different words are used when people in fact mean the same thing.

The following is loosely based on draft-ietf-diffserv-model-06.txt, An Informal Management Model for Diffserv Routers. It can currently be found at
<http://www.ietf.org/internet-drafts/draft-ietf-diffserv-model-06.txt>.

Read it for the strict definitions of the terms used.

Queueing Discipline (qdisc)
   
    An algorithm that manages the queue of a device, either incoming (ingress) or outgoing (egress).
   
root qdisc
   
    The root qdisc is the qdisc attached to the device.
   
Classless qdisc
   
    A qdisc with no configurable internal subdivisions.
   
Classful qdisc
   
    A classful qdisc contains multiple classes. Some of these classes contain a further qdisc, which may again be classful, but need not be. According to the strict definition, pfifo_fast is classful, because it contains three bands which are, in fact, classes. However, from the user's configuration perspective it is classless, as the classes can't be touched with the tc tool.
   
Classes
   
    A classful qdisc may have many classes, each of which is internal to the qdisc. A class, in turn, may have several classes added to it. So a class can have a qdisc as parent, or another class.

    A leaf class is a class with no child classes. This class has 1 qdisc attached to it. This qdisc is responsible for sending the data from that class. When you create a class, a fifo qdisc is attached to it. When you add a child class, this qdisc is removed. For leaf classes, this fifo qdisc can be replaced with another, more suitable qdisc. You can even replace this fifo qdisc with a classful qdisc so you can add extra classes.
   
Classifier
   
    Each classful qdisc needs to determine to which class it needs to send a packet. This is done using the classifier.
   
Filter
   
    Classification can be performed using filters. A filter contains a number of conditions which, if matched, make the filter match.
   
Scheduling
   
    A qdisc may, with the help of a classifier, decide that some packets need to go out earlier than others. This process is called scheduling, and is performed for example by the pfifo_fast qdisc mentioned earlier. Scheduling is also called 'reordering', but this is confusing.
   
Shaping
   
    The process of delaying packets before they go out, to make traffic conform to a configured maximum rate. Shaping is performed on egress. Colloquially, dropping packets to slow traffic down is also often called shaping.
   
Policing
   
    Delaying or dropping packets in order to make traffic stay below a configured bandwidth. In Linux, policing can only drop a packet and not delay it; there is no 'ingress queue'.
   
Work-Conserving
   
    A work-conserving qdisc always delivers a packet if one is available. In other words, it never delays a packet if the network adaptor is ready to send one (in the case of an egress qdisc).
   
non-Work-Conserving
   
    Some queues, like for example the Token Bucket Filter, may need to hold on to a packet for a certain time in order to limit the bandwidth. This means that they sometimes refuse to pass a packet, even though they have one available.
   
Now that we have our terminology straight, let's see where all these things are.

 

                Userspace programs                                  
                     ^                                              
                     |                                              
     +---------------+-----------------------------------------+    
     |               Y                                         |    
     |    -------> IP Stack                                    |    
     |   |              |                                      |    
     |   |              Y                                      |    
     |   |              Y                                      |    
     |   ^              |                                      |    
     |   |  / ----------> Forwarding ->                        |    
     |   ^ /                           |                       |    
     |   |/                            Y                       |    
     |   |                             |                       |    
     |   ^                             Y          /-qdisc1-\   |    
     |   |                            Egress     /--qdisc2--\  |    
  --->->Ingress                       Classifier ---qdisc3---- | -> 
     |   Qdisc                                   \__qdisc4__/  |    
     |                                            \-qdiscN_/   |    
     |                                                         |    
     +----------------------------------------------------------+   

Thanks to Jamal Hadi Salim for this ASCII representation.

The big block represents the kernel. The leftmost arrow represents traffic entering your machine from the network. It is then fed to the ingress qdisc, which may apply filters to a packet and decide to drop it. This is called 'policing'.

This happens at a very early stage, before the packet has seen much of the kernel. It is therefore a very good place to drop traffic early, without consuming a lot of CPU power.

If the packet is allowed to continue, it may be destined for a local application, in which case it enters the IP stack in order to be processed, and is handed over to a userspace program. The packet may also be forwarded without entering an application, in which case it is destined for egress. Userspace programs may also deliver data, which is then examined and forwarded to the egress classifier.

There it is investigated and enqueued to one of a number of qdiscs. In the unconfigured default case there is only one egress qdisc installed, pfifo_fast, which always receives the packet. This is called 'enqueueing'.

The packet now sits in the qdisc, waiting for the kernel to ask for it for transmission over the network interface. This is called 'dequeueing'.

This picture also holds if there is only one network adaptor; the arrows entering and leaving the kernel should not be taken too literally. Each network adaptor has both ingress and egress hooks.

 

9.5. Classful Queueing Disciplines

Classful qdiscs are very useful if you have different kinds of traffic which should have differing treatment. One of the classful qdiscs is called 'CBQ' (Class Based Queueing), and it is so widely mentioned that people identify queueing with classes solely with CBQ, but this is not the case.

CBQ is merely the oldest kid on the block, and also the most complex one. It may not always do what you want. This may come as something of a shock to those who fell for the 'sendmail effect', which teaches us that any complex technology which doesn't come with documentation must be the best available.

More about CBQ and its alternatives shortly.

 

9.5.1. Flow within classful qdiscs & classes

When traffic enters a classful qdisc, it needs to be sent to one of the classes within: it needs to be 'classified'. To determine what to do with a packet, the so-called 'filters' are consulted. It is important to know that the filters are called from within a qdisc, and not the other way around!

The filters attached to that qdisc then return with a decision, and the qdisc uses this to enqueue the packet into one of the classes. Each subclass may try other filters to see if further instructions apply. If not, the class enqueues the packet to the qdisc it contains.

Besides containing other qdiscs, most classful qdiscs also perform shaping. This is useful to perform both packet scheduling (with SFQ, for example) and rate control. You need this in cases where you have a high-speed interface (for example, ethernet) to a slower device (a cable modem).

If you were only to run SFQ, nothing would happen, as packets enter and leave your router without delay: the output interface is far faster than your actual link speed. There is no queue to schedule then.

 

9.5.2. The qdisc family: roots, handles, siblings and parents

Each interface has one egress 'root qdisc'; by default it is the earlier mentioned classless pfifo_fast queueing discipline. Each qdisc and class is assigned a handle, which can be used by later configuration statements to refer to that qdisc. Besides an egress qdisc, an interface may also have an ingress qdisc, which polices traffic coming in.

The handles of these qdiscs consist of two parts, a major number and a minor number: <major>:<minor>. It is customary to name the root qdisc '1:', which is equal to '1:0'. The minor number of a qdisc is always 0.

Classes need to have the same major number as their parent. This major number must be unique within an egress or ingress setup. The minor number must be unique within a qdisc and its classes.

 

9.5.2.1. How filters are used to classify traffic

Recapping, a typical hierarchy might look like this:

                     1:   root qdisc                                
                      |                                             
                     1:1    child class                             
                   /  |  \                                          
                  /   |   \                                         
                 /    |    \                                        
                 /    |    \                                        
              1:10  1:11  1:12   child classes                      
               |      |     |                                       
               |     11:    |    leaf class                         
               |            |                                       
               10:         12:   qdisc                              
              /   \       /   \                                     
           10:1  10:2   12:1  12:2   leaf classes                   

 

But don't let this tree fool you! You should not imagine the kernel to be at the apex of the tree and the network below; that is just not the case. Packets get enqueued and dequeued at the root qdisc, which is the only thing the kernel talks to.

A packet might get classified in a chain like this:

1: -> 1:1 -> 1:12 -> 12: -> 12:2

The packet now resides in a queue in a qdisc attached to class 12:2. In this example, a filter was attached to each 'node' in the tree, each choosing a branch to take next. This can make sense. However, this is also possible:

1: -> 12:2

In this case, a filter attached to the root decided to send the packet directly to 12:2.

 

9.5.2.2. How packets are dequeued to the hardware

When the kernel decides that it needs to extract packets to send to the interface, the root qdisc 1: gets a dequeue request, which is passed to 1:1, which is in turn passed to 10:, 11: and 12:, each of which queries its siblings and tries to dequeue() from them. In this case, the kernel needs to walk the entire tree, because only 12:2 contains a packet.

In short, nested classes only talk to their parent qdiscs, never to an interface. Only the root qdisc gets dequeued by the kernel!

The upshot of this is that classes never get dequeued faster than their parents allow. And this is exactly what we want: this way we can have SFQ in an inner class, which doesn't do any shaping, only scheduling, and have a shaping outer qdisc which does the shaping.

 

9.5.3. The PRIO qdisc

The PRIO qdisc doesn't actually shape; it only subdivides traffic based on how you configured your filters. You can consider the PRIO qdisc a kind of pfifo_fast on steroids, whereby each band is a separate class instead of a simple FIFO.

When a packet is enqueued to the PRIO qdisc, a class is chosen based on the filter commands you gave. By default, three classes are created. These classes by default contain pure FIFO qdiscs with no internal structure, but you can replace these by any qdisc you have available.

Whenever a packet needs to be dequeued, class :1 is tried first. Higher classes are only used if all lower bands did not give up a packet.

This qdisc is very useful if you want to prioritize certain kinds of traffic, not only by using TOS flags but by using all the power of the tc filters. You can also add another qdisc to the 3 predefined classes, whereas pfifo_fast is limited to simple fifo qdiscs.

Because it doesn't actually shape, the same warning as for SFQ holds: either use it only if your physical link is really full, or wrap it inside a classful qdisc that does shape. The latter holds for almost all cable modems and DSL devices.

In formal words, the PRIO qdisc is a work-conserving scheduler.

 

9.5.3.1. PRIO parameters & usage

The following parameters are recognized by tc:

bands
   
    Number of bands to create. Each band is in fact a class. If you change this number, you must also change:
   
priomap
   
    If you do not provide tc filters to classify traffic, the PRIO qdisc looks at the TC_PRIO priority to decide how to enqueue traffic.

    This works just like with the pfifo_fast qdisc mentioned earlier; see there for lots of detail.
   
The bands are classes, and are called major:1 to major:3 by default, so if your PRIO qdisc is called 12:, tc filter traffic to 12:1 to grant it more priority.

Reiterating: band 0 goes to minor number 1! Band 1 to minor number 2, and so on.

 

9.5.3.2. Sample configuration

We will create this tree:

          1:   root qdisc                                           
         / | \                                                      
       /   |   \                                                    
       /   |   \                                                    
     1:1  1:2  1:3    classes                                       
      |    |    |                                                   
     10:  20:  30:    qdiscs    qdiscs                              
     sfq  tbf  sfq                                                  
band  0    1    2                                                   

 

Bulk traffic will go to 30:, interactive traffic to 20: or 10:.

Command lines:

# tc qdisc add dev eth0 root handle 1: prio                                           
## This *instantly* creates classes 1:1, 1:2, 1:3
                                                                                      
# tc qdisc add dev eth0 parent 1:1 handle 10: sfq                                     
# tc qdisc add dev eth0 parent 1:2 handle 20: tbf rate 20kbit buffer 1600 limit 3000  
# tc qdisc add dev eth0 parent 1:3 handle 30: sfq                                     

 

Now let's see what we created:

# tc -s qdisc ls dev eth0                                           
qdisc sfq 30: quantum 1514b                                         
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)                      
                                                                    
 qdisc tbf 20: rate 20Kbit burst 1599b lat 667.6ms                  
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)                      
                                                                    
 qdisc sfq 10: quantum 1514b                                        
 Sent 132 bytes 2 pkts (dropped 0, overlimits 0)                    
                                                                    
 qdisc prio 1: bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1     
 Sent 174 bytes 3 pkts (dropped 0, overlimits 0)                    

As you can see, band 0 has already had some traffic, and one packet was sent while running this command!

We now do some bulk data transfer with a tool that properly sets TOS flags, and take another look:

# scp tc ahu@10.0.0.11:./                                                       
ahu@10.0.0.11's password:                                                       
tc                   100% |*****************************|   353 KB    00:00     
# tc -s qdisc ls dev eth0                                                       
qdisc sfq 30: quantum 1514b                                                     
 Sent 384228 bytes 274 pkts (dropped 0, overlimits 0)                           
                                                                                
 qdisc tbf 20: rate 20Kbit burst 1599b lat 667.6ms                              
 Sent 2640 bytes 20 pkts (dropped 0, overlimits 0)                              
                                                                                
 qdisc sfq 10: quantum 1514b                                                    
 Sent 2230 bytes 31 pkts (dropped 0, overlimits 0)                              
                                                                                
 qdisc prio 1: bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1                 
 Sent 389140 bytes 326 pkts (dropped 0, overlimits 0)                           

As you can see, all traffic went to handle 30:, which is the lowest priority band, just as intended. Now to verify that interactive traffic goes to higher bands, we create some interactive traffic:

 

# tc -s qdisc ls dev eth0                                           
qdisc sfq 30: quantum 1514b                                         
 Sent 384228 bytes 274 pkts (dropped 0, overlimits 0)               
                                                                    
 qdisc tbf 20: rate 20Kbit burst 1599b lat 667.6ms                  
 Sent 2640 bytes 20 pkts (dropped 0, overlimits 0)                  
                                                                    
 qdisc sfq 10: quantum 1514b                                        
 Sent 14926 bytes 193 pkts (dropped 0, overlimits 0)                
                                                                    
 qdisc prio 1: bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1     
 Sent 401836 bytes 488 pkts (dropped 0, overlimits 0)               

 

It worked: all additional traffic has gone to 10:, which is our highest priority qdisc. No traffic was sent to the lowest priority band, which previously received our entire scp.

 

9.5.4. The famous CBQ qdisc

As said before, CBQ is the most complex qdisc available, the most hyped, the least understood, and probably the trickiest one to get right. This is not because the authors are evil or incompetent, far from it; it's just that the CBQ algorithm isn't all that precise and doesn't really match the way Linux works.

Besides being classful, CBQ is also a shaper, and it is in that aspect that it really doesn't work very well. It should work like this: if you try to shape a 10mbit/s connection to 1mbit/s, the link should be idle 90% of the time. If it isn't, we need to throttle so that it is idle 90% of the time.

This is pretty hard to measure, so CBQ instead derives the idle time from the number of microseconds that elapse between requests from the hardware layer for more data. Combined, this can be used to approximate how full or empty the link is.

This is rather circumspect and doesn't always arrive at proper results. For example, what if the actual link speed of an interface is not really able to transmit the full 100mbit/s of data, perhaps because of a badly implemented driver? A PCMCIA network card will also never achieve 100mbit/s because of the way the bus is designed. Again, how do we calculate the idle time?

It gets even worse if we consider not-quite-real network devices like PPP over Ethernet or PPTP over TCP/IP. The effective bandwidth in that case is probably determined by the efficiency of pipes to userspace, which is huge.

People who have done measurements discover that CBQ is not always very accurate and sometimes completely misses the mark.

In many circumstances, however, it works well. With the documentation provided here, you should be able to configure it to work well in most cases.

 

9.5.4.1. CBQ shaping in detail

As said before, CBQ works by making sure that the link is idle just long enough to bring the real bandwidth down to the configured rate. To do so, it calculates the time that should pass between average packets.

During operation, the effective idle time is measured using an exponentially weighted moving average (EWMA), which considers recent packets to be exponentially more important than past ones. The UNIX load average is calculated in the same way.

The calculated idle time is subtracted from the EWMA-measured one; the resulting number is called 'avgidle'. A perfectly loaded link has an avgidle of zero: packets arrive exactly once every calculated interval.

An overloaded link has a negative avgidle, and if it gets too negative, CBQ shuts down for a while and is then 'overlimit'.

Conversely, an idle link might amass a huge avgidle, which would then allow infinite bandwidth after a few hours of silence. To prevent this, avgidle is capped at maxidle.

If overlimit, in theory, CBQ could throttle itself for exactly the amount of time that was calculated to pass between packets, then pass one packet, and throttle again. But see the 'minburst' parameter below.

These are the parameters you can specify in order to configure shaping:

avpkt
   
    Average size of a packet, measured in bytes. Needed for calculating maxidle, which is derived from maxburst, which is specified in packets.
   
bandwidth
   
    The physical bandwidth of your device, needed for idle time calculations.
   
cell
   
    The time a packet takes to be transmitted over a device may grow in steps, based on the packet size. An 800-byte and an 806-byte packet may take just as long to send; this sets the granularity. Most often set to '8'. Must be an integral power of two.
   
maxburst
   
    This number of packets is used to calculate maxidle, so that when avgidle is at maxidle, this number of average packets can be burst before avgidle drops to 0. Set it higher to be more tolerant of bursts. You can't set maxidle directly, only via this parameter.
   
minburst
   
    As mentioned before, CBQ needs to throttle in case of overlimit. The ideal solution is to do so for exactly the calculated idle time, and pass 1 packet. However, Unix kernels generally have a hard time scheduling events shorter than 10ms, so it is better to throttle for a longer period, then pass minburst packets in one go, and then sleep minburst times longer.

    The time to wait is called the offtime. Higher values of minburst lead to more accurate shaping in the long term, but to bigger bursts at millisecond timescales.
   
minidle
   
    If avgidle is below 0, we are overlimit and need to wait until avgidle is big enough to send one packet. To prevent a sudden burst from shutting down the link for a prolonged period of time, avgidle is reset to minidle if it gets too low.

    minidle is specified in negative microseconds, so 10 means that avgidle is capped at -10us.
   
mpu
   
    Minimum packet size. Needed because even a zero-size packet is padded to 64 bytes on ethernet, and so takes a certain time to transmit. CBQ needs to know this to accurately calculate the idle time.
   
rate
   
    Desired rate of traffic leaving this qdisc. This is the 'speed knob'!
   
Internally, CBQ has a lot of fine tuning. For example, classes which are known not to have data enqueued to them aren't polled. Overlimit classes are penalized by lowering their effective priority. All very smart and complicated.

 

9.5.4.2. CBQ classful behaviour

Besides shaping, using the aforementioned idle-time approximations, CBQ also acts like the PRIO queue in the sense that classes can have differing priorities, and that lower priority numbers will be polled before the higher ones.

Each time a packet is requested by the hardware layer to be sent out to the network, a weighted round robin (WRR) process starts, beginning with the lower-numbered priority classes.

These are then grouped and queried whether they have data available. If so, it is returned. After a class has been allowed to dequeue a number of bytes, the next class within that priority is tried.

The following parameters control the WRR process:

allot
   
    When the outer CBQ is asked for a packet to send out on the interface, it will try all inner qdiscs (in the classes) in turn, in order of the 'priority' parameter. Each time a class gets its turn, it can only send out a limited amount of data. 'Allot' is the base unit of this amount. See the 'weight' parameter for more information.
   
prio
   
    CBQ can also act like the PRIO device. Inner classes with higher priority are tried first, and as long as they have traffic, other classes are not polled for traffic.
   
weight
   
    Weight helps in the weighted round robin process. Each class gets a chance to send in turn. If you have classes with significantly more bandwidth than other classes, it makes sense to allow them to send more data in one round than the others.

    CBQ adds up all weights under a class and normalizes them, so you can use arbitrary numbers: only the ratios are important. People have been using 'rate/10' as a rule of thumb, and it appears to work well. The renormalized weight is multiplied by the 'allot' parameter to determine how much data can be sent in one round.
   
Please note that all classes within a CBQ hierarchy need to share the same major number!

 

9.5.4.3. CBQ parameters that determine link sharing & borrowing

Besides purely limiting certain kinds of traffic, it is also possible in CBQ to specify which classes can borrow capacity from other classes or, conversely, lend out bandwidth.

isolated/sharing
   
    Classes configured with 'isolated' will not lend out bandwidth to sibling classes. Use this if you have competing or mutually unfriendly agencies on your link who do not want to give each other freebies.

    The control program tc also knows about 'sharing', which is the reverse of 'isolated'.
   
bounded/borrow
   
    A class can also be 'bounded', which means that it will not try to borrow bandwidth from sibling classes. tc also knows about 'borrow', which is the reverse of 'bounded'.
   
A typical situation might be where you have two agencies on your link which are both 'isolated' and 'bounded', which means that they are really limited to their assigned rate, and also won't allow each other to borrow.

Within such an agency class, there might be other classes which are allowed to swap bandwidth.

 

9.5.4.4. Sample configuration


               1:           root qdisc                              
               |                                                    
              1:1           child class                             
             /   \                                                  
            /     \                                                 
          1:3     1:4       leaf classes                            
           |       |                                                
          30:     40:       qdiscs                                  
         (sfq)   (sfq)                                              


This configuration limits webserver traffic to 5mbit and SMTP traffic to 3mbit. Together, they may not get more than 6mbit. We have a 100mbit NIC, and the classes may borrow bandwidth from each other.

# tc qdisc add dev eth0 root handle 1:0 cbq bandwidth 100Mbit         \ 
  avpkt 1000 cell 8                                                     
# tc class add dev eth0 parent 1:0 classid 1:1 cbq bandwidth 100Mbit  \ 
  rate 6Mbit weight 0.6Mbit prio 8 allot 1514 cell 8 maxburst 20      \ 
  avpkt 1000 bounded                                                    

This part installs the root and the customary 1:1 class. The 1:1 class is bounded, so the total bandwidth can't exceed 6mbit.

As said before, CBQ requires a lot of knobs. All parameters are explained above, however. The corresponding HTB configuration (below) is a lot simpler.

 

# tc class add dev eth0 parent 1:1 classid 1:3 cbq bandwidth 100Mbit  \ 
  rate 5Mbit weight 0.5Mbit prio 5 allot 1514 cell 8 maxburst 20      \ 
  avpkt 1000                                                            
# tc class add dev eth0 parent 1:1 classid 1:4 cbq bandwidth 100Mbit  \ 
  rate 3Mbit weight 0.3Mbit prio 5 allot 1514 cell 8 maxburst 20      \ 
  avpkt 1000                                                            

 

These are our two leaf classes. Note how we scale the weight with the configured rate. Both classes are not bounded, but they are connected to class 1:1, which is bounded. So the sum of the bandwidth of the 2 classes will never be more than 6mbit. The classids need to be within the same major number as the parent qdisc, by the way!

 

# tc qdisc add dev eth0 parent 1:3 handle 30: sfq                   
# tc qdisc add dev eth0 parent 1:4 handle 40: sfq                   

 

Both classes have a FIFO qdisc by default. But we replaced these with an SFQ queue so each flow of data is treated equally.

# tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip \ 
  sport 80 0xffff flowid 1:3                                          
# tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip \ 
  sport 25 0xffff flowid 1:4                                          

 

These commands, attached directly to the root, send traffic to the right qdiscs.

Note that we use 'tc class add' to create classes within a qdisc, but that we use 'tc qdisc add' to actually add qdiscs to these classes.

You may wonder what happens to traffic that is not classified by either of the two rules. It appears that in this case, data will then be processed within 1:0, and be unlimited.

If SMTP+web together try to exceed the set limit of 6mbit/s, bandwidth will be divided according to the weight parameter, giving 5/8 of the traffic to the webserver and 3/8 to the mail server.

With this configuration you can also say that webserver traffic will always get at minimum 5/8 * 6 mbit = 3.75 mbit.

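The sharing arithmetic of this sample (5/8 and 3/8 of 6mbit, and the 3.75mbit minimum) as an added example. This is a simplified water-filling model of the weight-proportional division described above, not CBQ's actual WRR and idle-time code; the class names and demands are constructed:

```python
"""Weighted sharing of a bounded parent rate, as an added example
(not code from the LARTC HOWTO, nor CBQ's real WRR/idle-time machinery).

Models the arithmetic the section describes: each class gets at most its own
rate, the two together at most the bounded parent's rate, and when both want
more than is available the parent rate is divided in proportion to `weight`.
Implemented as water-filling: classes that cannot use their proportional
share are satisfied first and the rest is re-divided among the others.
"""
from math import inf


def share_bandwidth(parent_rate, classes):
    """classes: {name: (weight, cap, demand)} -> {name: allocated rate}.

    `cap` is the class's own rate limit, `demand` how much it currently wants
    (use math.inf for a saturating sender). Returned rates never exceed
    min(cap, demand) per class nor parent_rate in total.
    """
    alloc = {}
    active = dict(classes)
    remaining = float(parent_rate)
    while active:
        total_w = sum(w for w, _, _ in active.values())
        # Classes whose limit is at or below their proportional share are
        # capped at that limit; their unused share flows to the others.
        capped = {n: min(cap, demand) for n, (w, cap, demand) in active.items()
                  if min(cap, demand) <= remaining * w / total_w}
        if not capped:
            for n, (w, _, _) in active.items():
                alloc[n] = remaining * w / total_w
            break
        for n, v in capped.items():
            alloc[n] = v
            remaining -= v
            del active[n]
    return alloc


def cbq_sample(web_demand=inf, smtp_demand=inf):
    """The page's sample: 1:1 bounded at 6mbit, web 5mbit/weight 0.5Mbit,
    SMTP 3mbit/weight 0.3Mbit. Weights only matter as a ratio, so 5:3 is used."""
    classes = {"web (1:3)": (5, 5.0, web_demand),
               "smtp (1:4)": (3, 3.0, smtp_demand)}
    return share_bandwidth(6.0, classes)


if __name__ == "__main__":
    print("both saturating:", cbq_sample())            # web 3.75, smtp 2.25
    print("smtp needs 1mbit:", cbq_sample(inf, 1.0))   # web 5.0, smtp 1.0
    print("web needs 2mbit:", cbq_sample(2.0, inf))    # web 2.0, smtp 3.0
```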
 

9.5.4.5. Other CBQ parameters: split & defmap

As said before, a classful qdisc needs to call filters to determine which class a packet will be enqueued to.

Besides calling the filter, CBQ offers other options, defmap and split. This is pretty complicated to understand, and it is not vital. But as this is the only known place where defmap and split are properly explained, I'm doing my best.

As you will often want to filter on the Type of Service field only, a special syntax is provided. Whenever CBQ needs to figure out where a packet needs to be enqueued, it checks whether this node is a 'split node'. If so, one of the sub-qdiscs has indicated that it wishes to receive all packets with a certain configured priority, as might be derived from the TOS field, or from socket options set by applications.

The packet's priority bits are AND-ed with the defmap field to see whether a match exists. In other words, this is a shorthand way of creating a very fast filter which only matches certain priorities. A defmap of ff (hex) will match everything, a map of 0 nothing. A sample configuration may help make things clearer:

 

# tc qdisc add dev eth1 root handle 1: cbq bandwidth 10Mbit allot 1514 \  
  cell 8 avpkt 1000 mpu 64                                                
                                                                          
# tc class add dev eth1 parent 1:0 classid 1:1 cbq bandwidth 10Mbit    \  
  rate 10Mbit allot 1514 cell 8 weight 1Mbit prio 8 maxburst 20        \  
  avpkt 1000                                                              

Standard CBQ preamble. I never get used to the sheer amount of numbers required!

defmap refers to TC_PRIO bits, which are defined as follows:

 

TC_PRIO..          Num  Corresponds to TOS                          
-------------------------------------------------                   
BESTEFFORT         0    Maximize Reliability
FILLER             1    Minimize Cost                               
BULK               2    Maximize Throughput (0x8)                   
INTERACTIVE_BULK   4                                                
INTERACTIVE        6    Minimize Delay (0x10)                       
CONTROL            7                                                

 

The TC_PRIO.. numbers correspond to bits, counted from the right. See the pfifo_fast section for more details on how TOS bits are converted to priorities.

Now the interactive and the bulk classes:

 

# tc class add dev eth1 parent 1:1 classid 1:2 cbq bandwidth 10Mbit     \ 
  rate 1Mbit allot 1514 cell 8 weight 100Kbit prio 3 maxburst 20        \ 
  avpkt 1000 split 1:0 defmap c0                                          
                                                                          
# tc class add dev eth1 parent 1:1 classid 1:3 cbq bandwidth 10Mbit     \ 
  rate 8Mbit allot 1514 cell 8 weight 800Kbit prio 7 maxburst 20        \ 
  avpkt 1000 split 1:0 defmap 3f                                          

 

The 'split qdisc' is 1:0, which is where the choice will be made. C0 is binary for 11000000, 3F for 00111111, so these two together match everything. The first class matches bits 7 and 6, and thus corresponds to 'interactive' and 'control' traffic. The second class matches the rest.

Node 1:0 now has a table like this:

priority        send to                                             
0               1:3                                                 
1               1:3                                                 
2               1:3                                                 
3               1:3                                                 
4               1:3                                                 
5               1:3                                                 
6               1:2                                                 
7               1:2                                                 

 

For additional fun, you can also pass a 'change mask', which indicates exactly which priorities you wish to change. You only need to use this if you are running 'tc class change'. For example, to add best effort traffic to 1:2, we could run this:

 

# tc class change dev eth1 classid 1:2 cbq defmap 01/01             

 

The priority map over at 1:0 now looks like this:

 

priority        send to                                             
0               1:2                                                 
1               1:3                                                 
2               1:3                                                 
3               1:3                                                 
4               1:3                                                 
5               1:3                                                 
6               1:2                                                 
7               1:2                                                 

 

FIXME: did not test 'tc class change', only looked at the source.

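The split node's priority table, and how 'defmap value/mask' in 'tc class change' rewrites it, as an added example (not the HOWTO's or the kernel's code). It assumes that when two classes claim the same priority bit the most recently configured class wins, which is what the two tables above show:

```python
"""CBQ split node / defmap resolution, as an added example (not from the
LARTC HOWTO and not the kernel's implementation).

Models what the section shows: at the split node every packet priority
(TC_PRIO bit 0..7) is owned by the class whose defmap has that bit set, and
`tc class change ... defmap value/mask` rewrites only the masked bits.
Assumption, chosen to match the two tables on the page: when several classes
claim a bit, the most recently (re)configured class wins.
"""

TC_PRIO = {"BESTEFFORT": 0, "FILLER": 1, "BULK": 2,
           "INTERACTIVE_BULK": 4, "INTERACTIVE": 6, "CONTROL": 7}


def parse_defmap(spec):
    """'c0' -> (0xc0, 0xff); '01/01' -> (0x01, 0x01). Hex, as on the tc command line."""
    if "/" in spec:
        value, mask = spec.split("/", 1)
        return int(value, 16) & 0xFF, int(mask, 16) & 0xFF
    return int(spec, 16) & 0xFF, 0xFF


class SplitNode:
    """Priority -> class table of a split qdisc (e.g. 1:0 on the page)."""

    def __init__(self):
        self.defmaps = {}             # classid -> current 8-bit defmap
        self.table = [None] * 8       # priority -> classid (None = no default)

    def set_defmap(self, classid, spec):
        value, mask = parse_defmap(spec)
        old = self.defmaps.get(classid, 0)
        new = ((old & ~mask) | (value & mask)) & 0xFF   # change only masked bits
        self.defmaps[classid] = new
        for prio in range(8):
            if not mask & (1 << prio):
                continue                          # bit not being changed
            if new & (1 << prio):
                self.table[prio] = classid        # this class now owns it
            elif self.table[prio] == classid:
                self.table[prio] = self._other_owner(prio, classid)

    def _other_owner(self, prio, except_class):
        """Fall back to any other class whose defmap still claims this bit."""
        for cid, dm in self.defmaps.items():
            if cid != except_class and dm & (1 << prio):
                return cid
        return None

    def classify(self, priority):
        """Class a packet with this TC_PRIO value is enqueued to (None: no default)."""
        return self.table[priority & 7]


def page_example():
    """Rebuild the page's two priority tables: before and after the change."""
    node = SplitNode()
    node.set_defmap("1:2", "c0")      # interactive class: bits 7 and 6
    node.set_defmap("1:3", "3f")      # bulk class: bits 0..5
    before = list(node.table)
    node.set_defmap("1:2", "01/01")   # tc class change ... defmap 01/01
    after = list(node.table)
    return before, after


if __name__ == "__main__":
    before, after = page_example()
    for label, table in (("before", before), ("after change", after)):
        print(label)
        for prio, cid in enumerate(table):
            print(f"  priority {prio} -> {cid}")
    node = SplitNode()
    node.set_defmap("1:2", "c0")
    node.set_defmap("1:3", "3f")
    print("INTERACTIVE ->", node.classify(TC_PRIO["INTERACTIVE"]))
```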
 

9.5.5. Hierarchical Token Bucket

Martin Devera (<devik>) rightly realised that CBQ is complex and does not seem optimized for many typical situations. His hierarchical approach is well suited for setups where you have a fixed amount of bandwidth which you want to divide for different purposes, giving each purpose a guaranteed bandwidth, with the possibility of specifying how much bandwidth can be borrowed.

HTB works just like CBQ, but does not resort to idle-time calculations to shape. Instead, it is a classful Token Bucket Filter, hence the name. It has only a few parameters, which are well documented on his site at
<http://luxik.cdi.cz/~devik/qos/htb/>.

As your HTB configuration gets more complex, your configuration scales well. With CBQ it is already complex even in simple cases! HTB3 (check the HTB homepage, <http://luxik.cdi.cz/~devik/qos/htb/>, for details on HTB versions) is now part of the official kernel sources (from 2.4.20-pre1 and 2.5.31 onwards). However, you may still need to get a patched 'tc' for HTB3: the kernel and userspace parts of HTB must share the same major version number, or 'tc' will not work with HTB.

If you already have a modern kernel, or are in a position to patch your kernel, by all means consider HTB.

 

9.5.5.1. Sample configuration

Functionally almost identical to the CBQ sample configuration above:

 

# tc qdisc add dev eth0 root handle 1: htb default 30                               
                                                                                    
# tc class add dev eth0 parent 1: classid 1:1 htb rate 6mbit burst 15k              
                                                                                    
# tc class add dev eth0 parent 1:1 classid 1:10 htb rate 5mbit burst 15k            
# tc class add dev eth0 parent 1:1 classid 1:20 htb rate 3mbit ceil 6mbit burst 15k 
# tc class add dev eth0 parent 1:1 classid 1:30 htb rate 1kbit ceil 6mbit burst 15k 

 

The author then recommends SFQ beneath these classes:

# tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10       
# tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10       
# tc qdisc add dev eth0 parent 1:30 handle 30: sfq perturb 10       


Add the filters which direct traffic to the right classes:

# U32="tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32"    
# $U32 match ip dport 80 0xffff flowid 1:10                         
# $U32 match ip sport 25 0xffff flowid 1:20                         

And that's it: no unsightly unexplained numbers, no undocumented parameters.

HTB certainly looks wonderful: if 10: and 20: both have their guaranteed bandwidth and more is left over, they borrow in a 5:3 ratio, just as you would expect.

Unclassified traffic gets routed to 30:, which has little bandwidth of its own but can borrow everything that is left over. Because we chose SFQ internally, we get fairness thrown in for free!

 

9.6. Classifying packets with filters

To determine which class shall process a packet, the so-called 'classifier chain' is called each time a choice needs to be made. This chain consists of all filters attached to the classful qdisc.

To reiterate the tree, which is not a tree:


                    root 1:                                         
                      |                                             
                    _1:1_                                           
                   /  |  \                                          
                  /   |   \                                         
                 /    |    \                                        
               10:   11:   12:                                      
              /   \       /   \                                     
           10:1  10:2   12:1  12:2                                  


When enqueueing a packet, at each branch the filter chain is consulted for a relevant instruction. A typical setup might be to have a filter in 1:1 that directs a packet to 12:, and a filter on 12: that sends the packet to 12:2.

You might also attach this latter rule to 1:1, but you can make efficiency gains by having more specific tests lower in the chain.

You can't filter a packet 'upwards', by the way. Also, with HTB, you should attach all filters to the root!

And again: packets are only enqueued downwards! When they are dequeued, they go up again, to where the interface is. They do not fall off the end of the tree to the network adaptor!

 

9.6.1. Some simple filtering examples

As explained in the Classifier chapter, you can match on literally anything,
using a very complicated syntax. To start, we will show how to do the
obvious things, which luckily are quite easy.

Let's say we have a PRIO qdisc called '10:' which contains three classes,
and we want to assign all traffic from and to port 22 to the highest
priority band. The filters would be:

 

# tc filter add dev eth0 protocol ip parent 10: prio 1 u32 match \  
  ip dport 22 0xffff flowid 10:1                                    
# tc filter add dev eth0 protocol ip parent 10: prio 1 u32 match \  
  ip sport 80 0xffff flowid 10:1                                    
# tc filter add dev eth0 protocol ip parent 10: prio 2 flowid 10:2  

 

What does this say? It says: attach to eth0, node 10:, a priority 1 u32
filter that matches on IP destination port 22 *exactly* and send it to band
10:1. The next line does the same for source port 80. The last line says
that anything unmatched so far should go to band 10:2, the next-highest
priority. (Note: 0xffff is the AND mask applied before the comparison.)

You need to add 'eth0', or whatever your interface is called, because each
interface has its own unique namespace of handles.

To select on an IP address, use this:

# tc filter add dev eth0 parent 10:0 protocol ip prio 1 u32 \       
  match ip dst 4.3.2.1/32 flowid 10:1                               
# tc filter add dev eth0 parent 10:0 protocol ip prio 1 u32 \       
  match ip src 1.2.3.4/32 flowid 10:1                               
# tc filter add dev eth0 protocol ip parent 10: prio 2      \       
  flowid 10:2                                                       

 

This assigns traffic to 4.3.2.1 and traffic from 1.2.3.4 to the highest
priority queue, and the rest to the next-highest one.

You can concatenate matches. To match on traffic from 1.2.3.4 and from port
80, do this:

# tc filter add dev eth0 parent 10:0 protocol ip prio 1 u32 match ip src 4.3.2.1/32 \ 
  match ip sport 80 0xffff flowid 10:1                                                

 

 

9.6.2. All the filtering commands you will normally need

Most shaping commands presented here start with this preamble:

# tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 ..       

These are the so-called 'u32' matches, which can match on ANY part of a packet.

On source/destination address
   
    Source mask 'match ip src 1.2.3.0/24', destination mask 'match ip
    dst 4.3.2.0/24'. To match a single host, use /32, or omit the mask.
   
On source/destination port, all IP protocols
   
    Source: 'match ip sport 80 0xffff', destination: 'match ip dport 80
    0xffff'.
   
On ip protocol (tcp, udp, icmp, gre, ipsec)
   
    Use the numbers from /etc/protocols. For example, icmp is 1: 'match
    ip protocol 1 0xff'.
   
On fwmark
   
    You can mark packets with either ipchains or iptables and have that
    mark survive routing across interfaces. This is really useful, for
    example, to only shape traffic on eth1 that came in on eth0. The
    syntax is:
    
    # tc filter add dev eth1 protocol ip parent 1:0 prio 1 handle 6 fw flowid 1:1
    
    Note that this is not a u32 match!
   
    You can place a mark like this:
    
    # iptables -A PREROUTING -t mangle -i eth0 -j MARK --set-mark 6
    
    The number 6 is arbitrary.
   
    If you don't want to understand the full tc filter syntax, just use
    iptables, and only learn to select on fwmark.
   
On the TOS field
   
    To select interactive, minimum delay traffic:
    
    # tc filter add dev ppp0 parent 1:0 protocol ip prio 10 u32 \
          match ip tos 0x10 0xff \
         flowid 1:4
    
    Use 0x08 0xff for bulk traffic.
   
For more filtering commands, see the Advanced Filters chapter.

 

9.7. The Intermediate queueing device (IMQ)

The Intermediate queueing device is not a qdisc, but its usage is tightly
bound to qdiscs. Within Linux, qdiscs are attached to network devices, and
everything that is queued to a device is first queued to its qdisc. From
this concept, two limitations arise:

1. Only egress shaping is possible (an ingress qdisc exists, but its
possibilities are very limited compared to classful qdiscs).

2. A qdisc can only see the traffic of one interface, so global limits
cannot be placed.

IMQ is there to help solve those two limitations. In short, you can put
everything you choose into a qdisc. Specially marked packets get intercepted
in the netfilter NF_IP_PRE_ROUTING and NF_IP_POST_ROUTING hooks and pass
through the qdisc attached to an imq device. An iptables target is used for
marking the packets.

This enables you to do ingress shaping, as you can just mark packets coming
in from somewhere, and/or treat interfaces as classes to set global limits.
You can also do lots of other things, like putting just your http traffic in
a qdisc, putting new connection requests in a qdisc, and so on.

 

9.7.1. Sample configuration

The first thing that might come to mind is to use ingress shaping to give
yourself a high guaranteed bandwidth. ;) The configuration is just like that
of any other interface:

tc qdisc add dev imq0 root handle 1: htb default 20                   
                                                                      
tc class add dev imq0 parent 1: classid 1:1 htb rate 2mbit burst 15k  
                                                                      
tc class add dev imq0 parent 1:1 classid 1:10 htb rate 1mbit          
tc class add dev imq0 parent 1:1 classid 1:20 htb rate 1mbit          
                                                                      
tc qdisc add dev imq0 parent 1:10 handle 10: pfifo                    
tc qdisc add dev imq0 parent 1:20 handle 20: sfq                      
                                                                      
tc filter add dev imq0 parent 10:0 protocol ip prio 1 u32 match \     
                ip dst 10.0.0.230/32 flowid 1:10                      

In this example u32 is used for classification. Other classifiers should
work as expected. Next, traffic has to be selected and marked so that it is
enqueued to imq0:

iptables -t mangle -A PREROUTING -i eth0 -j IMQ --todev 0           
                                                                    
ip link set imq0 up                                                 

 

The IMQ iptables target is valid in the PREROUTING and POSTROUTING chains of
the mangle table. Its syntax is:

IMQ [ --todev n ]       n : number of the imq device

An ip6tables target is also provided.

Please note that traffic is not enqueued when the target is hit, but
afterwards. The exact location where traffic enters the imq device depends
on the direction of the traffic (in/out). These are the predefined netfilter
hooks used by iptables:

enum nf_ip_hook_priorities {                                        
        NF_IP_PRI_FIRST = INT_MIN,                                  
        NF_IP_PRI_CONNTRACK = -200,                                 
        NF_IP_PRI_MANGLE = -150,                                    
        NF_IP_PRI_NAT_DST = -100,                                   
        NF_IP_PRI_FILTER = 0,                                       
        NF_IP_PRI_NAT_SRC = 100,                                    
        NF_IP_PRI_LAST = INT_MAX,                                   
};                                                                  

 

For ingress traffic, imq registers itself with priority NF_IP_PRI_MANGLE + 1,
which means packets enter the imq device directly after the mangle
PREROUTING chain has been passed.

For egress, imq uses NF_IP_PRI_LAST, which honours the fact that packets
dropped by the filter table should not occupy bandwidth.

The patches and some more information can be found at the imq site
<http://luxik.cdi.cz/~patrick/imq/>.

 

Chapter 10. Load sharing over multiple interfaces

There are several ways of doing this. One of the easiest and most
straightforward ways is 'TEQL' - the "True" (or "trivial") link equalizer.
Like most things having to do with queueing, load sharing goes both ways:
both ends of a link may need to participate for full effect.

Imagine this situation:

 

                 +-------+   eth1   +-------+                       
                 |       |==========|       |                       
 'network 1' ----|   A   |          |   B   |---- 'network 2'       
                 |       |==========|       |                       
                 +-------+   eth2   +-------+                       

 

A and B are routers, and for the moment we'll assume both run Linux. If
traffic is going from network 1 to network 2, router A needs to distribute
the packets over both links to B. Router B needs to be configured to accept
this. The same goes the other way around: when packets go from network 2 to
network 1, router B needs to send the packets over both eth1 and eth2.

The distributing part is done by a 'TEQL' device, like this (it couldn't be
easier):

 

# tc qdisc add dev eth1 root teql0                                  
# tc qdisc add dev eth2 root teql0                                  
# ip link set dev teql0 up                                          

 

Don't forget the 'ip link set up' command!

This needs to be done on both hosts. The device teql0 is basically a
round-robin distributor over eth1 and eth2 for sending packets. No data ever
comes in over a teql device; it just appears on the 'raw' eth1 and eth2.

But now we just have devices; we also need proper routing. One way to do
this is to assign a /31 network to both links, and a /31 to the teql0
device as well:

On router A:

# ip addr add dev eth1 10.0.0.0/31                                  
# ip addr add dev eth2 10.0.0.2/31                                  
# ip addr add dev teql0 10.0.0.4/31                                 

 

On router B:

# ip addr add dev eth1 10.0.0.1/31                                  
# ip addr add dev eth2 10.0.0.3/31                                  
# ip addr add dev teql0 10.0.0.5/31                                 

 

Router A should now be able to ping 10.0.0.1, 10.0.0.3 and 10.0.0.5 over the
two real links and the one equalized device. Router B should be able to ping
10.0.0.0, 10.0.0.2 and 10.0.0.4 over those links.

If this works, router A should make 10.0.0.5 its route for reaching network
2, and router B should make 10.0.0.4 its route for reaching network 1. For
the special case where network 1 is your network at home and network 2 is
the Internet, router A should make 10.0.0.5 its default gateway.

 

10.1. Caveats

Nothing is as easy as it seems. eth1 and eth2 on both router A and router B
need to have return path filtering turned off, because they will otherwise
drop packets destined for IP addresses other than their own:

 

# echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter                   
# echo 0 > /proc/sys/net/ipv4/conf/eth2/rp_filter                   

 

Then there is the nasty problem of packet reordering. Let's say 6 packets
need to be sent from A to B. In an ideal world, router B would receive them
in order: 1, 2, 3, 4, 5, 6. But the possibility is very real that the kernel
gets them like this: 2, 1, 4, 3, 6, 5. The problem is that this confuses
TCP/IP. While this is not a problem for links carrying many different TCP/IP
sessions, you won't be able to bundle multiple links and get to ftp a single
file lots faster, except when your receiving or sending OS is Linux, which
is not easily shaken by some simple reordering.

However, for many applications, link load balancing is a great idea.

 

10.2. Other possibilities

William Stearns has used an advanced tunneling setup to achieve good use of
multiple, unrelated internet connections together. It can be found on his
tunneling page <http://www.stearns.org/tunnel/>.

This HOWTO may feature more about this in the future.

 

Chapter 11. Netfilter & iproute - marking packets

So far we've seen how iproute works, and netfilter was mentioned a few
times. This would be a good time to browse through Rusty's Remarkably
Unreliable Guides <http://netfilter.samba.org/unreliable-guides/>. Netfilter
itself can be found at <http://netfilter.filewatcher.org/>.

Netfilter allows us to filter packets, or mangle their headers. One special
feature is that we can mark a packet with a number. This is done with the
--set-mark facility.

As an example, this command marks all packets destined for port 25,
outgoing mail:

 

# iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport 25 \      
 -j MARK --set-mark 1                                               

 

Let's say that we have multiple connections, one that is fast (and
expensive, per megabyte) and one that is slower, but flat fee. We would most
certainly like outgoing mail to go via the cheap route.

We've already marked the packets with a '1'; we now instruct the routing
policy database to act on this:

 

# echo 201 mail.out >> /etc/iproute2/rt_tables                      
# ip rule add fwmark 1 table mail.out                               
# ip rule ls                                                        
0:      from all lookup local                                       
32764:  from all fwmark        1 lookup mail.out                    
32766:  from all lookup main                                        
32767:  from all lookup default                                     

 

Now we generate a route in the mail.out table pointing to the slow but cheap link:

# /sbin/ip route add default via 195.96.98.253 dev ppp0 table mail.out

 

And we are done. Should we want to make exceptions, there are lots of ways
to achieve this. We can modify the netfilter statement to exclude certain
hosts, or we can insert a rule with a lower priority that points to the
main table for our excepted hosts.

We can also use this feature to honour TOS bits, by marking packets with a
different Type of Service with different numbers and creating rules to act
on that. This way you can even dedicate, say, an ISDN line to interactive
sessions.

Needless to say, this also works fine on a host that's doing NAT
('masquerading').

IMPORTANT: We received a report that MASQ and SNAT at least collide with
marking packets. Rusty Russell explains it in this posting
<http://lists.samba.org/pipermail/netfilter/2000-November/006089.html>.
Turn off the reverse path filter to make it work properly.

Note: to mark packets, you need to have some options enabled in your kernel:

 

IP: advanced router (CONFIG_IP_ADVANCED_ROUTER) [Y/n/?]                     
IP: policy routing (CONFIG_IP_MULTIPLE_TABLES) [Y/n/?]                      
IP: use netfilter MARK value as routing key (CONFIG_IP_ROUTE_FWMARK) [Y/n/?]

 

See also Section 15.5 in the Cookbook chapter.

 

Chapter 12. Advanced filters for (re-)classifying packets

As explained in the section on classful queueing disciplines, filters are
needed to classify packets into any of the sub-queues. These filters are
called from within the classful qdisc.

Here is an incomplete list of the classifiers available:

fw
   
    Bases the decision on how the firewall has marked the packet. This
    can be the easy way out if you don't want to learn tc filter syntax.
    See the Queueing chapter for details.
   
u32
   
    Bases the decision on fields within the packet (i.e. source IP
    address, etc).
   
route
   
    Bases the decision on which route the packet will be routed by.
   
rsvp, rsvp6
   
    Routes packets based on RSVP <http://www.isi.edu/div7/rsvp/overview.html>.
    Only useful on networks you control; the Internet does not respect
    RSVP.
   
tcindex
   
    Used in the DSMARK qdisc; see the relevant section.
   
Note that in general there are multiple ways in which you can classify
packets, and that it generally comes down to preference as to which system
you wish to use.

Classifiers in general accept a few arguments in common. They are listed
here for convenience:

protocol
   
    The protocol this classifier will accept. Generally you will only be
    accepting IP traffic. Required.
   
parent
   
    The handle this classifier is to be attached to. This handle must be
    an already existing class. Required.
   
prio
   
    The priority of this classifier. Lower numbers get tested first.
   
handle
   
    Used to uniquely identify the filter.
   
For all the following sections, we will assume we are trying to shape the
traffic going to HostA. We will assume that the root class has been
configured on 1:, and that the class we want to send the selected traffic to
is 1:1.

 

12.1. The u32 classifier

The U32 filter is the most advanced filter available in the current
implementation. It is entirely based on hashing tables, which makes it
robust when there are many filter rules.

In its simplest form the U32 filter is a list of records, each consisting of
two fields: a selector and an action. The selectors (described below) are
compared with the currently processed IP packet until the first match
occurs, and then the associated action is performed. The simplest type of
action would be directing the packet into a defined class.

The command line of the tc filter program, used to configure the filter,
consists of three parts: the filter specification, a selector and an
action. The filter specification can be defined as:

 

tc filter add dev IF [ protocol PROTO ]                             
                     [ (preference|priority) PRIO ]                 
                     [ parent CBQ ]                                 

 

The protocol field describes the protocol that the filter will be applied
to. We will only discuss the case of the ip protocol. The preference field
(priority can be used alternatively) sets the priority of the currently
defined filter. This is important, since you can have several filters
(lists of rules) with different priorities. Each list is passed in the order
the rules were added, then the list with lower priority (higher preference
number) is processed. The parent field defines the filter list top (e.g.
1:0) the filter is attached to.

The options described apply to all filters, not only U32.

 

12.1.1. U32 selector

The U32 selector contains the definition of the pattern that will be matched
to the currently processed packet. Precisely, it defines which bits are to
be matched in the packet header and nothing more, but this simple method is
very powerful. Let's take a look at the following examples, taken directly
from a pretty complex, real-world filter:

 

# tc filter add dev eth0 protocol ip parent 1:0 pref 10 u32 \       
  match u32 00100000 00ff0000 at 0 flowid 1:10                      

 

For now, leave the first line alone; all these parameters describe the
filter's hash tables. Focus on the selector line, containing the match
keyword. This selector will match IP headers whose second byte is 0x10
(0010). As you can guess, the 00ff number is the match mask, telling the
filter exactly which bits to match. Here it's 0xff, so the byte will match
if it's exactly 0x10. The at keyword means that the match is to be started
at the specified offset (in bytes), in this case the beginning of the
packet. Translating all that to human language, the packet will match if its
Type of Service field has the 'low delay' bit set. Let's analyze another
rule:

 

# tc filter add dev eth0 protocol ip parent 1:0 pref 10 u32 \       
  match u32 00000016 0000ffff at nexthdr+0 flowid 1:10              

 

The nexthdr option means the next header encapsulated in the IP packet, i.e.
the header of the upper-layer protocol. The match will also start here, at
the beginning of the next header. The match should occur in the second
32-bit word of the header. In the TCP and UDP protocols this field contains
the packet's destination port. The number is given in big-endian format,
i.e. older bits first, so we simply read 0x0016 as 22 decimal, which stands
for the SSH service if this is TCP. As you guess, this match is ambiguous
without a context, and we will discuss this later.

Having understood all the above, we will find the following selector quite
easy to read: 'match c0a80100 ffffff00 at 16'. What we have here is a three
byte match at the 17th byte, counting from the IP header start. This will
match packets with a source address anywhere in the 192.168.1/24 network.
After analyzing the examples, we can summarize what we have learned.

 

12.1.2. General selectors

General selectors define the pattern, mask and offset the pattern will be
matched to the packet contents. Using the general selectors you can match
virtually any single bit in the IP (or upper layer) header. They are more
difficult to write and read, though, than the specific selectors described
below. The general selector syntax is:

 

match [ u32 | u16 | u8 ] PATTERN MASK [ at OFFSET | nexthdr+OFFSET] 

 

One of the keywords u32, u16 or u8 specifies the length of the pattern in
bits. PATTERN and MASK should follow, of the length defined by the previous
keyword. The OFFSET parameter is the offset, in bytes, at which to start
matching. If the nexthdr+ keyword is given, the offset is relative to the
start of the upper layer header.

܂B̗ł Time to Live (TTL)  64 łpPb
g}b`܂B TTL tB[h IP wb_ 8 Ԗڂ̃oCg̒ォ
n܂܂B

 

# tc filter add dev ppp14 parent 1:0 prio 10 u32 \                  
     match u8 64 0xff at 8 \                                        
     flowid 1:4                                                     

 

This rule matches all TCP packets with the ACK bit set:

 

# tc filter add dev ppp14 parent 1:0 prio 10 u32 \                  
     match ip protocol 6 0xff \                                     
     match u8 0x10 0xff at nexthdr+13 \                             
     flowid 1:3                                                     

 

Use this to match ACKs on packets smaller than 64 bytes:

 

## match acks the hard way,                                         
## IP protocol 6,                                                   
## IP header length 0x5(32 bit words),                              
## IP Total length 0x34 (ACK + 12 bytes of TCP options)             
## TCP ack set (bit 5, offset 33)                                   
# tc filter add dev ppp14 parent 1:0 protocol ip prio 10 u32 \      
            match ip protocol 6 0xff \                              
            match u8 0x05 0x0f at 0 \                               
            match u16 0x0000 0xffc0 at 2 \                          
            match u8 0x10 0xff at 33 \                              
            flowid 1:3                                              

 

This rule will only match TCP packets with the ACK bit set and no further
payload. Here we can see an example of using several selectors; the final
result will be the logical AND of their results. If we take a look at the
TCP header diagram, we can see that the ACK bit is the second older bit
(0x10) in the 14th byte of the TCP header (at nexthdr+13). As for the first
selector, if we'd like to make our life harder, we could write match u8 0x06
0xff at 9 instead of using the specific selector ip protocol 6 0xff, because
6 is the number of the TCP protocol, present in the 10th byte of the IP
header. On the other hand, in this example we couldn't use a specific
selector for the fourth match, simply because there is no specific selector
to match the TCP ACK bit.

The filter below is a modified version of the filter above. The difference
is that it doesn't check the IP header length. Why? Because the filter
above only works on 32 bit systems.

 

tc filter add dev ppp14 parent 1:0 protocol ip prio 10 u32 \        
     match ip protocol 6 0xff \                                     
     match u8 0x10 0xff at nexthdr+13 \                             
     match u16 0x0000 0xffc0 at 2 \                                 
     flowid 1:3                                                     

 

 

12.1.3. Specific selectors

The following table contains a list of all the specific selectors the
author of this section has found in the tc program source code. They simply
make your life easier and increase the readability of your filter's
configuration.

FIXME: table placeholder: the table is currently in a separate file, "selector.html".

FIXME: it's also still in Polish :-(

FIXME: must be sgml'ized.

܂:

 

# tc filter add dev ppp0 parent 1:0 prio 10 u32 \                   
     match ip tos 0x10 0xff \                                       
     flowid 1:4                                                     

 

FIXME: the tcp dport match does not work as described below:

The above rule will match packets which have the TOS field set to 0x10. The
TOS field starts at the second byte of the packet and is one byte big, so
we could write an equivalent general selector: match u8 0x10 0xff at 1. This
gives us a hint about the internals of the U32 filter: the specific rules
are always translated to general ones, and in this form they are stored in
kernel memory. This observation leads to another conclusion: the tcp and
udp selectors are exactly the same, and this is why you can't use a single
match tcp dport 53 0xffff selector to match TCP packets sent to a given port
(it will also match UDP packets sent to this port). You must remember to
also specify the protocol, and end up with the following rule:

 

# tc filter add dev ppp0 parent 1:0 prio 10 u32 \                   
        match tcp dport 53 0xffff \                                 
        match ip protocol 0x6 0xff \                                
        flowid 1:2                                                  
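
As an added example (not code from the HOWTO or from tc), here is a small simulator of the u32 selector semantics from 12.1.1 to 12.1.3 and the basic matches of 9.6.2: specific selectors are rewritten into the general (pattern, mask, offset) form the text says the kernel stores, and several match clauses are ANDed over constructed IPv4 packets, so a filter can be sanity-checked before it is loaded. The pattern parsing mirrors my reading of tc's own parser (strtoul with base 0 for the pattern, base 16 for the mask), which the HOWTO does not mention; the packets and the port numbers are constructed for the demo.

```python
import struct


def strtoul0(text):
    """C strtoul() with base 0: 0x prefix = hex, leading 0 = octal, else decimal."""
    t = text.lower()
    if t.startswith("0x"):
        return int(t, 16)
    if len(t) > 1 and t.startswith("0"):
        return int(t, 8)
    return int(t, 10)


def ip4(addr):
    """Dotted quad -> 4 bytes."""
    return bytes(int(o) for o in addr.split("."))


def build_ipv4(proto, src, dst, payload, tos=0, ttl=64):
    """Constructed minimal IPv4 header: IHL 5, no options, checksum left zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0,
                      ttl, proto, 0, ip4(src), ip4(dst))
    return hdr + payload


def build_tcp(sport, dport, flags, data=b""):
    """Constructed 20-byte TCP header; the flags byte is at TCP offset 13 (ACK = 0x10)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0) + data


def build_udp(sport, dport, data=b""):
    """Constructed 8-byte UDP header."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


# Specific selectors rewritten as (width in bits, byte offset, relative to
# nexthdr?), the way 12.1.3 says the kernel stores them. The tcp/udp port
# entries are deliberately identical to the ip ones: that is the section's point.
SPECIFIC = {
    ("ip", "protocol"): (8, 9, False),
    ("ip", "tos"): (8, 1, False),
    ("ip", "sport"): (16, 0, True), ("ip", "dport"): (16, 2, True),
    ("tcp", "sport"): (16, 0, True), ("tcp", "dport"): (16, 2, True),
    ("udp", "sport"): (16, 0, True), ("udp", "dport"): (16, 2, True),
}


def parse_selectors(filter_text):
    """Turn the 'match ...' clauses of a u32 filter into general selectors:
    (width, pattern, mask, offset, relative_to_nexthdr)."""
    toks = filter_text.split()
    out, i = [], 0
    while i < len(toks):
        if toks[i] != "match":
            i += 1
            continue
        kind = toks[i + 1]
        if kind in ("u32", "u16", "u8"):
            width = int(kind[1:])
            pat, mask = strtoul0(toks[i + 2]), int(toks[i + 3], 16)
            at = toks[i + 5]                      # toks[i + 4] is "at"
            rel = at.startswith("nexthdr+")
            off = int(at.split("+")[1]) if rel else int(at)
            i += 6
        elif toks[i + 2] in ("src", "dst"):
            addr, _, plen = toks[i + 3].partition("/")
            plen = int(plen) if plen else 32
            width, off, rel = 32, (12 if toks[i + 2] == "src" else 16), False
            mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
            pat = int.from_bytes(ip4(addr), "big")
            i += 4
        else:
            width, off, rel = SPECIFIC[(kind, toks[i + 2])]
            pat, mask = strtoul0(toks[i + 3]), int(toks[i + 4], 16)
            i += 5
        out.append((width, pat & mask, mask, off, rel))   # tc stores key & mask
    return out


def matches(filter_text, packet):
    """True when every selector matches: several 'match' clauses are ANDed."""
    ihl = (packet[0] & 0x0F) * 4
    for width, pat, mask, off, rel in parse_selectors(filter_text):
        start = off + (ihl if rel else 0)
        field = int.from_bytes(packet[start:start + width // 8], "big")
        if field & mask != pat:
            return False
    return True


def demo():
    """Match results for three constructed packets; the keys name the case from 12.1."""
    tcp53 = build_ipv4(6, "10.1.1.5", "10.1.1.53", build_tcp(40000, 53, 0x10))
    udp53 = build_ipv4(17, "10.1.1.5", "10.1.1.53", build_udp(40000, 53))
    syn22 = build_ipv4(6, "192.168.1.7", "10.1.1.53", build_tcp(40000, 22, 0x02), tos=0x10)
    dport53 = "match tcp dport 53 0xffff"
    small_ack = ("match ip protocol 6 0xff match u8 0x10 0xff at nexthdr+13 "
                 "match u16 0x0000 0xffc0 at 2")
    return {
        "tcp_dport_on_udp": matches(dport53, udp53),                           # True
        "tcp_dport_with_proto_on_udp": matches(dport53 + " match ip protocol 0x6 0xff", udp53),
        "tcp_dport_with_proto_on_tcp": matches(dport53 + " match ip protocol 0x6 0xff", tcp53),
        "small_ack": matches(small_ack, tcp53),                                 # True
        "small_ack_on_syn": matches(small_ack, syn22),                          # False
        "tos_as_written": matches("match u32 00100000 00ff0000 at 0", syn22),  # read as octal
        "tos_with_0x": matches("match u32 0x00100000 0x00ff0000 at 0", syn22),
        "src_net": matches("match ip src 192.168.1.0/24", syn22),
    }
```

The "tos_as_written" case shows why patterns are best written with an explicit 0x prefix: a leading zero makes the pattern octal, so the selector as printed in 12.1.1 does not match the low-delay packet, while the 0x form does.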

 

 

12.2. The route classifier

This classifier filters based on the results of the routing tables. When a
packet that is traversing the classes reaches one that is marked with the
'route' filter, it splits the packets up based on information in the
routing table.

 

# tc filter add dev eth1 parent 1:0 protocol ip prio 100 route      

 

Here we add a route classifier onto the parent node 1:0 with a priority of
100. When a packet reaches this node (which, since it is the root, will
happen immediately) it will consult the routing table, and if one matches,
will send it to the given class and give it a priority of 100. Then, to
finally kick it into action, you add the appropriate routing entry:

The trick here is to define a 'realm' based on either destination or source.
The way to do it is like this:

 

# ip route add Host/Network via Gateway dev Device realm RealmNumber

 

For instance, we can define our destination network 192.168.10.0 with a
realm number 10:

 

# ip route add 192.168.10.0/24 via 192.168.10.1 dev eth1 realm 10   


When adding route filters, we can use realm numbers to represent the
networks or hosts and specify how the routes match the filters.

 

# tc filter add dev eth1 parent 1:0 protocol ip prio 100 \          
  route to 10 classid 1:10                                          


The above rule says that packets going to the network 192.168.10.0 match
class id 1:10.

The route filter can also be used to match source routes. For example, say
there is a subnetwork attached to the Linux router on eth2.

 

# ip route add 192.168.2.0/24 dev eth2 realm 2                      
# tc filter add dev eth1 parent 1:0 protocol ip prio 100 \          
  route from 2 classid 1:2                                          

 

Here the filter specifies that packets from the subnetwork 192.168.2.0
(realm 2) will match class id 1:2.

 

12.3. Policing filters

To make even more complicated setups possible, you can have filters that
only match up to a certain bandwidth. You can declare a filter to entirely
cease matching above a certain rate, or to only not match the bandwidth
exceeding a certain rate.

܂Ď 4mbit/s ƂƂ 5mbit/s ̃gtBbN
A 5mbit/s Sɑ΂ă}b`ȂƂł܂A邢 1mbit
/s ɂ̂݃}b` 4mbit/s ͐ݒ肳ꂽNXɑ悤ɂ邱
ł܂B

If the bandwidth exceeds the configured rate, you can drop a packet,
reclassify it, or see if another filter will match it.

 

12.3.1. Ways to police

There are basically two ways to police. If you compiled the kernel with
'Estimators', the kernel can measure for each filter how much traffic it is
passing, more or less. These estimators are very easy on the CPU, as they
simply count 25 times per second how much data has been passed, and
calculate the bitrate from that.

The other way works again via a Token Bucket Filter, this time living within
your filter. The TBF only matches traffic UP TO your configured bandwidth;
if more is offered, only the excess is subject to the configured overlimit
action.

 

12.3.1.1. With the kernel estimator

This is very simple and has only one parameter: avrate. Either the flow
remains below avrate, and the filter classifies the traffic to the
configured classid, or the rate exceeds it, in which case the specified
action is taken, which is 'reclassify' by default.

The kernel uses an Exponential Weighted Moving Average for your bandwidth,
which makes it less sensitive to short bursts.

 

12.3.1.2. With Token Bucket Filter

Uses the following parameters:

  * burst/buffer/maxburst
   
  * mtu/minburst
   
  * mpu
   
  * rate
   
 

These behave mostly identically to those described in the Token Bucket
Filter section. Please note however that if you set the mtu of a TBF
policer too low, *no* packets will pass, whereas the egress TBF qdisc will
just pass them more slowly.

Another difference is that a policer can only let a packet pass, or drop
it. It cannot hold on to it in order to delay it.

 

12.3.2. Overlimit actions

If your filter decides that it is overlimit, it can take 'actions'.
Currently, four actions are available:

continue
   
    Causes this filter not to match, but perhaps other filters will.
   
drop
   
    This is a very fierce option, which simply discards traffic exceeding
    a certain rate. It is often used in the ingress policer and has
    limited uses. For example, you may have a name server that falls
    over if offered more than 5mbit/s of packets, in which case an
    ingress filter could be used to make sure no more is ever offered.
   
Pass/OK
   
    Pass on the traffic unchanged. Might be used to disable a complicated
    filter while leaving it in place.
   
reclassify
   
    Most often comes down to reclassification to Best Effort. This is
    the default action.
   
 

12.3.3. Examples

The only real example known is mentioned in the section on protecting your
host from SYN floods.

Limit incoming icmp traffic to 2kbit, dropping packets over the limit:


tc filter add dev $DEV parent ffff: \                               
    protocol ip prio 20 \                                           
    u32 match ip protocol 1 0xff \                                  
    police rate 2kbit buffer 10k drop \                             
    flowid :1                                                       


Limit packets to a certain size (here, all packets with a size greater than
84 bytes will be dropped):


tc filter add dev $DEV parent ffff: \                               
   protocol ip prio 20 \                                            
   u32 match tos 0 0 \                                              
   police mtu 84 drop \                                             
   flowid :1                                                        


This method can be used to drop all packets:


tc filter add dev $DEV parent ffff: \                               
   protocol ip prio 20 \                                            
   u32 match ip protocol 1 0xff \                                   
   police mtu 1 drop \                                              
   flowid :1                                                        


Actually it drops icmp packets greater than 1 byte. While packets with a
size of 1 byte are possible in theory, you will not find these in a real
network.

 

12.4. Hashing filters for very fast massive filtering

If you have a need for thousands of rules, for example if you have a lot of
clients or computers, all with different QoS specifications, you may find
that the kernel spends a lot of time matching all those rules.

By default, all filters reside in one big chain, which is matched in
descending order of priority. If you have 1000 rules, 1000 checks may be
needed to determine what to do with a packet.

If you had 256 chains with four rules each, this would be much faster. For
that, each packet needs to be distributed to the one chain among the 256
that holds the rules relevant to it.

Hashing makes this possible. Let's say you have 1024 cable modem customers
in your network, with IP addresses ranging from 1.2.0.0 to 1.2.3.255, and
each has to go into a different bin, for example 'lite', 'regular' and
'premium'. You would then need 1024 rules like this:

 

# tc filter add dev eth1 parent 1:0 protocol ip prio 100 match ip src \ 
  1.2.0.0 classid 1:1                                                   
# tc filter add dev eth1 parent 1:0 protocol ip prio 100 match ip src \ 
  1.2.0.1 classid 1:1                                                   
...                                                                     
# tc filter add dev eth1 parent 1:0 protocol ip prio 100 match ip src \ 
  1.2.3.254 classid 1:3                                                 
# tc filter add dev eth1 parent 1:0 protocol ip prio 100 match ip src \ 
  1.2.3.255 classid 1:2                                                 

 

To speed this up, we can use the last part of the IP address as a 'hash
key'. We then get 256 tables, the first of which looks like this:

# tc filter add dev eth1 parent 1:0 protocol ip prio 100 match ip src \ 
  1.2.0.0 classid 1:1                                                   
# tc filter add dev eth1 parent 1:0 protocol ip prio 100 match ip src \ 
  1.2.1.0 classid 1:1                                                   
# tc filter add dev eth1 parent 1:0 protocol ip prio 100 match ip src \ 
  1.2.2.0 classid 1:3                                                   
# tc filter add dev eth1 parent 1:0 protocol ip prio 100 match ip src \ 
  1.2.3.0 classid 1:2                                                   

 

The second one looks like this:

# tc filter add dev eth1 parent 1:0 protocol ip prio 100 match ip src \ 
  1.2.0.1 classid 1:1                                                   
...                                                                     

 

This way, only four checks are needed at most, two on average.

Configuration is pretty complicated, but very much worth it by the time you
have this many rules. First we make a filter root, then we create a table
with 256 entries:

# tc filter add dev eth1 parent 1:0 prio 5 protocol ip u32                      
# tc filter add dev eth1 parent 1:0 prio 5 handle 2: protocol ip u32 divisor 256

 

Now we add some rules to entries in the created table:

 

# tc filter add dev eth1 protocol ip parent 1:0 prio 5 u32 ht 2:7b: \ 
        match ip src 1.2.0.123 flowid 1:1                             
# tc filter add dev eth1 protocol ip parent 1:0 prio 5 u32 ht 2:7b: \ 
        match ip src 1.2.1.123 flowid 1:2                             
# tc filter add dev eth1 protocol ip parent 1:0 prio 5 u32 ht 2:7b: \ 
        match ip src 1.2.3.123 flowid 1:3                             
# tc filter add dev eth1 protocol ip parent 1:0 prio 5 u32 ht 2:7b: \ 
        match ip src 1.2.4.123 flowid 1:2                             

This is entry 123, which contains matches for 1.2.0.123, 1.2.1.123,
1.2.2.123 and 1.2.3.123, sending them to 1:1, 1:2, 1:3 and 1:2
respectively. Note that we need to specify our hash bucket in hex: 0x7b is
123.

Next, create a 'hashing filter' that directs traffic to the right entry in
the hashing table:

# tc filter add dev eth1 protocol ip parent 1:0 prio 5 u32 ht 800:: \ 
        match ip src 1.2.0.0/16 \                                     
        hashkey mask 0x000000ff at 12 \                               
        link 2:                                                       

Some numbers need explaining. The default hash table is called 800:: and
all filtering starts there. Then we select the source address, which lives
at positions 12, 13, 14 and 15 in the IP header, and indicate that we are
only interested in the last part. This we send to hash table 2:, which we
created earlier.

It is quite complicated, but it does work in practice and performance will
be staggering. Note that this example could be improved to the ideal case
where each chain contains only 1 filter!

 

12.5. Filtering IPv6 traffic

12.5.1. How come IPv6 tc filters do not work?

The Routing Policy Database (RPDB) replaced the IPv4 routing and addressing
structure within the Linux kernel, which led to all the wonderful features
this HOWTO describes. Unfortunately, the IPv6 structure within Linux was
implemented outside of this core structure. Although they do share some
facilities, the essential RPDB structure does not participate in or with
the IPv6 addressing and routing structures.

This will change for sure; we just have to wait a little longer.

FIXME: Any ideas whether someone is working on this? Plans?

 

12.5.2. Marking IPv6 packets using ip6tables

ip6tables is able to mark a packet and assign a number to it:


# ip6tables -A PREROUTING -i eth0 -t mangle -p tcp -j MARK --set-mark 1


But still, this will not help, because the packet will not pass through the
RPDB structure.

 

12.5.3. Using the u32 selector to match IPv6 packets

IPv6 is usually encapsulated in a SIT tunnel and transported over IPv4
networks. See the section on IPv6 tunneling for information on how to set
up such a tunnel. This allows us to filter on the IPv4 packets holding the
IPv6 packets as payload.

The following filter matches all IPv6 packets encapsulated in IPv4:


# tc filter add dev $DEV parent 10:0 protocol ip prio 10 u32 \      
            match ip protocol 41 0xff flowid 42:42                  


Let's go along this path for a while. Assume that your IPv6 packets are sent
over IPv4 and that these packets have no options set. One could use the
following filter to match ICMPv6 in IPv6 in IPv4 with no options. 0x3a (58)
is the Next-Header type for ICMPv6.


# tc filter add dev $DEV parent 10:0 protocol ip prio 10 u32 \      
           match ip protocol 41 0xff \                              
           match u8 0x05 0x0f at 0 \                                
           match u8 0x3a 0xff at 26 \                               
           flowid 42:42                                             


To match an IPv6 source address, you need to do some extra work. This filter
matches packets whose source address is 3ffe:202c:ffff:32:230:4fff:fe08:358d:


# tc filter add dev $DEV parent 10:0 protocol ip prio 10 u32 \      
            match ip protocol 41 0xff \                             
            match u8 0x05 0x0f at 0 \                               
            match u8 0x3f 0xff at 44 \                              
            match u8 0xfe 0xff at 45 \                              
            match u8 0x20 0xff at 46 \                              
            match u8 0x2c 0xff at 47 \                              
            match u8 0xff 0xff at 48 \                              
            match u8 0xff 0xff at 49 \                              
            match u8 0x00 0xff at 50 \                              
            match u8 0x32 0xff at 51 \                              
            match u8 0x02 0xff at 52 \                              
            match u8 0x30 0xff at 53 \                              
            match u8 0x4f 0xff at 54 \                              
            match u8 0xff 0xff at 55 \                              
            match u8 0xfe 0xff at 56 \                              
            match u8 0x08 0xff at 57 \                              
            match u8 0x35 0xff at 58 \                              
            match u8 0x8d 0xff at 59 \                              
            flowid 10:13                                            


The same technique can be used to match subnets. For example, 2001::
becomes:


# tc filter add dev $DEV parent 10:0 protocol ip prio 10 u32 \      
            match ip protocol 41 0xff \                             
            match u8 0x05 0x0f at 0 \                               
            match u8 0x20 0xff at 28 \                              
            match u8 0x01 0xff at 29 \                              
            flowid 10:13                                            
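
As an added example (not code from the HOWTO or from tc), this generator produces the byte-by-byte u32 selectors above for any IPv6 address or prefix carried in a SIT tunnel, including prefixes that do not end on a byte boundary. The offsets follow the header layout the filters assume (a 20-byte IPv4 header, then the IPv6 header with its source address at bytes 28..43 and its destination address at bytes 44..59 of the IPv4 packet); note that in this layout the 16-byte filter above, written at offsets 44..59, pins the destination address field, while the 2001:: example at 28..29 pins the source. The device, parent and flowid values are taken from the text; the sample prefixes are constructed.

```python
import ipaddress

# Byte offsets inside the IPv4 packet (IHL 5, as the filters check with
# "match u8 0x05 0x0f at 0"): the IPv6 header starts at 20, its source
# address at 20 + 8 and its destination address at 20 + 24.
IPV6_FIELD_OFFSET = {"src": 28, "dst": 44}


def ipv6_match_lines(prefix, field="dst"):
    """Return the 'match u8' selectors that pin a SIT-encapsulated IPv6 address
    or prefix: one selector per full octet, plus one with a partial mask when
    the prefix length is not a multiple of 8."""
    net = ipaddress.IPv6Network(prefix, strict=False)   # a bare address means /128
    base = IPV6_FIELD_OFFSET[field]
    packed = net.network_address.packed
    full, rem = divmod(net.prefixlen, 8)
    lines = [f"match u8 0x{packed[i]:02x} 0xff at {base + i}" for i in range(full)]
    if rem:
        mask = (0xFF << (8 - rem)) & 0xFF
        lines.append(f"match u8 0x{packed[full] & mask:02x} 0x{mask:02x} at {base + full}")
    return lines


def sit_filter(prefix, flowid, field="dst", dev="$DEV", parent="10:0", prio=10,
               icmpv6_only=False):
    """Whole tc command: protocol 41 (IPv6-in-IPv4), the IHL check, optionally the
    ICMPv6 next-header check (0x3a at 26, as above), then the address selectors."""
    sel = ["match ip protocol 41 0xff", "match u8 0x05 0x0f at 0"]
    if icmpv6_only:
        sel.append("match u8 0x3a 0xff at 26")
    sel += ipv6_match_lines(prefix, field)
    head = f"tc filter add dev {dev} parent {parent} protocol ip prio {prio} u32"
    return " \\\n    ".join([head] + sel + [f"flowid {flowid}"])


if __name__ == "__main__":
    # reproduces the 16-line filter above (destination field, offsets 44..59)
    print(sit_filter("3ffe:202c:ffff:32:230:4fff:fe08:358d", "10:13", field="dst"))
    # constructed prefix ending mid-byte: the last selector uses a 0xf0 mask
    print(sit_filter("2001:db8::/28", "10:13", field="src"))
```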

 

Chapter 13. Kernel network parameters

The kernel has lots of parameters which can be tuned for different
circumstances. While, as usual, the default parameters serve 99% of
installations well, we don't call this the Advanced HOWTO for nothing!

The interesting bits are in /proc/sys/net; take a look there. Not everything
will be documented here initially, but we're working on it.

In the meantime you may want to have a look at the Linux kernel sources;
read the file Documentation/filesystems/proc.txt. Most of the features are
explained there.

(FIXME)

 

13.1. Reverse Path Filtering

By default, routers route everything, even packets which 'obviously' don't
belong on your network. A common example is private IP space escaping onto
the Internet. If you have an interface with a route of 195.96.96.0/24 to
it, you do not expect packets from 212.64.94.1 to arrive there.

Lots of people will want to turn this feature off, so the kernel hackers
have made it easy. There are files in /proc where you can tell the kernel
to do this for you. The method is called 'Reverse Path Filtering'.
Basically, if the reply to a packet wouldn't go out the interface this
packet came in on, then this is a bogus packet and should be ignored.

The following fragment will turn this on for all current and future
interfaces:

 

# for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do                 
>  echo 2 > $i                                                      
> done                                                              

 

Going by the example above, if a packet arrived on the Linux router's ISP
interface claiming to come from the Office subnet, it would be dropped.
Likewise, if a packet came from the Office subnet claiming to be from
somewhere outside your firewall, it would be dropped also.

The above is full reverse path filtering. The default is to only filter
based on IPs that are on directly connected networks. This is because full
filtering breaks in the case of asymmetric routing (where packets come in
one way and go out another, like satellite traffic, or if you have dynamic
(bgp, ospf, rip) routes in your network; data comes down through the
satellite dish and replies go back through normal land-lines).

If this exception applies to you (and you'll probably know if it does), you
can simply turn off the rp_filter on the interface where the satellite data
comes in. If you want to see whether any packets are being dropped, the
log_martians file in the same directory will tell the kernel to log them to
your syslog:

 

# echo 1 >/proc/sys/net/ipv4/conf/<interfacename>/log_martians      

 

FIXME: is setting the conf/{default,all}/* files enough? - martijn

 

13.2. Obscure settings

OK, there are a lot of parameters which can be modified. We try to list them
all. They are also documented (partly) in Documentation/ip-sysctl.txt.

Some of these settings have different defaults depending on whether you
answered 'Yes' to 'Configure as router and not host' while compiling your
kernel.

Oskar Andreasson also has a page on these flags which appears to be better
than ours, so check out his page <http://ipsysctl-tutorial.frozentux.net/>.

Translator's note: for the translation of this section, the Japanese
translation of the 2.2 kernel's proc.txt
<http://www.linux.or.jp/JF/JFdocs/kernel-docs-2.2/proc.txt.html> was consulted.

 

13.2.1. Generic ipv4

As a generic note, most rate limiting features don't work on loopback, so
don't test them locally. The limits are supplied in 'jiffies', and are
enforced using the earlier mentioned token bucket filter.

The kernel has an internal clock which runs at 'HZ' ticks (or 'jiffies') per
second. On Intel, 'HZ' is mostly 100. So setting a *_rate file to, say, 50
would allow 2 packets per second. The token bucket filter is also
configured to allow a burst of at most 6 packets, if enough tokens have been
earned.

Several entries in the following list have been copied from
/usr/src/linux/Documentation/networking/ip-sysctl.txt, written by Alexey
Kuznetsov <kuznet@ms2.inr.ac.ru> and Andi Kleen <ak@muc.de>.

/proc/sys/net/ipv4/icmp_destunreach_rate
   
    If the kernel decides that it can't deliver a packet, it will drop it
    and send the source of the packet an ICMP notice to that effect. This
    limits how fast those messages are sent.
   
/proc/sys/net/ipv4/icmp_echo_ignore_all
   
    Don't act on echo packets at all. Please don't set this by default,
    but it may be useful if you are being used as a relay in a DoS attack.
   
/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts [֗]
   
    If you ping the broadcast address of a network, all hosts are
    supposed to respond. This makes for a dandy denial-of-service tool.
    Set this to 1 to ignore these broadcast messages.
   
/proc/sys/net/ipv4/icmp_echoreply_rate
   
    The rate at which echo replies are sent to any one destination.
   
/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
   
    Set this to ignore ICMP errors caused by hosts in the network
    reacting badly to frames sent to what they perceive to be the
    broadcast address.
   
/proc/sys/net/ipv4/icmp_paramprob_rate
   
    A relatively unknown ICMP message, which is sent in response to
    incorrect packets with invalid IP or TCP headers. With this file you
    can control the rate at which it is sent.
   
/proc/sys/net/ipv4/icmp_timeexceed_rate
   
    This is the famous cause of the 'Solaris middle star' in traceroutes.
    It limits the number of ICMP Time Exceeded messages sent.
   
/proc/sys/net/ipv4/igmp_max_memberships
   
    Maximum number of listening igmp (multicast) sockets on the host.
    FIXME: Is this true?
   
/proc/sys/net/ipv4/inet_peer_gc_maxtime
   
    FIXME: Add a little explanation about the inet peer storage? The
    maximum interval between garbage collection passes. This interval is
    in effect under low (or absent) memory pressure on the pool. Measured
    in jiffies.
   
/proc/sys/net/ipv4/inet_peer_gc_mintime
   
    Minimum interval between garbage collection passes. This interval is
    in effect under high memory pressure on the pool. Measured in jiffies.
   
/proc/sys/net/ipv4/inet_peer_maxttl
   
    Maximum time-to-live of entries. Unused entries will expire after
    this period of time if there is no memory pressure on the pool (i.e.
    when the number of entries in the pool is very small). Measured in
    jiffies.
   
/proc/sys/net/ipv4/inet_peer_minttl
   
    Minimum time-to-live of entries. Should be enough to cover the
    fragment time-to-live on the reassembling side. This minimum
    time-to-live is guaranteed if the pool size is less than
    inet_peer_threshold. Measured in jiffies.
   
/proc/sys/net/ipv4/inet_peer_threshold
   
    The approximate size of the INET peer storage. Starting from this
    threshold, entries will be thrown out aggressively. This threshold
    also determines the entries' time-to-live and the time intervals
    between garbage collection passes. More entries mean a shorter
    time-to-live and a shorter GC interval.
   
/proc/sys/net/ipv4/ip_autoconfig
   
    This file contains the number one if the host received its IP
    configuration by RARP, BOOTP, DHCP or a similar mechanism. Otherwise
    it is zero.
   
/proc/sys/net/ipv4/ip_default_ttl
   
    Time To Live of packets. Set to a safe 64. Raise it if you have a
    huge network. Don't do so for fun: routing loops cause much more
    damage that way. You might even consider lowering it in some
    circumstances.
   
/proc/sys/net/ipv4/ip_dynaddr
   
    You need to set this if you use dial-on-demand with a dynamic
    interface address. Once your demand interface comes up, any local
    TCP sockets which haven't seen replies will be rebound to have the
    right address. This solves the problem that the connection that
    brings up your interface itself does not work, but the second try
    does.
   
/proc/sys/net/ipv4/ip_forward
   
    Whether the kernel should attempt to forward packets. Off by
    default.
   
/proc/sys/net/ipv4/ip_local_port_range
   
    Range of local ports for outgoing connections. Actually quite small
    by default, 1024 to 4999.
   
/proc/sys/net/ipv4/ip_no_pmtu_disc
   
    Set this if you want to disable Path MTU discovery, a technique to
    determine the largest Maximum Transfer Unit possible on your path.
    See also the section on Path MTU discovery in the Cookbook chapter.
   
/proc/sys/net/ipv4/ipfrag_high_thresh
   
    Maximum memory used to reassemble IP fragments. When
    ipfrag_high_thresh bytes of memory are allocated for this purpose,
    the fragment handler will toss packets until ipfrag_low_thresh is
    reached.
   
/proc/sys/net/ipv4/ip_nonlocal_bind
   
    Set this if you want your applications to be able to bind to an
    address which doesn't belong to a device on your system. This can be
    useful when your machine is on a non-permanent (or even random)
    link, so your services are able to start up and bind to a specific
    address when your link is down.
   
/proc/sys/net/ipv4/ipfrag_low_thresh
   
    Minimum memory used to reassemble IP fragments.
   
/proc/sys/net/ipv4/ipfrag_time
   
    Time in seconds to keep an IP fragment in memory.
   
/proc/sys/net/ipv4/tcp_abort_on_overflow
   
    A boolean flag controlling the behaviour under lots of incoming
    connection requests. When enabled, this causes the kernel to
    actively send RST packets when a service is overloaded.
   
/proc/sys/net/ipv4/tcp_fin_timeout
   
    Time to hold a socket in state FIN-WAIT-2 if it was closed by our
    side. The peer can be broken and never close its side, or even die
    unexpectedly. The default value is 60 seconds. The usual value used
    in 2.2 was 180 seconds; you may restore it, but remember that if
    your machine is even a lightly loaded WEB server, you risk
    overflowing memory with kilotons of dead sockets. FIN-WAIT-2 sockets
    are less dangerous than FIN-WAIT-1, because they eat at most 1.5K of
    memory, but they tend to live longer. Cf. tcp_max_orphans.
   
/proc/sys/net/ipv4/tcp_keepalive_time
   
    How often TCP sends out keepalive messages when keepalive is
    enabled. Default: 2 hours.
   
/proc/sys/net/ipv4/tcp_keepalive_intvl
   
    How frequently probes are retransmitted when a probe isn't
    acknowledged. Default: 75 seconds.
   
/proc/sys/net/ipv4/tcp_keepalive_probes
   
    How many keepalive probes TCP will send until it decides that the
    connection is broken. Default value: 9. Multiplied by
    tcp_keepalive_intvl, this gives the time a link can be
    non-responsive after a keepalive has been sent.
   
/proc/sys/net/ipv4/tcp_max_orphans
   
    Maximal number of TCP sockets not attached to any user file handle
    held by the system. If this number is exceeded, orphaned connections
    are reset immediately and a warning is printed. This limit exists
    only to prevent simple DoS attacks; you must not rely on this or
    lower the limit artificially, but rather increase it (probably after
    adding memory) if network conditions require more than the default
    value, and tune your network services to linger and kill such states
    more aggressively. Let me remind you again: each orphan eats up to
    ~64K of unswappable memory.
   
/proc/sys/net/ipv4/tcp_orphan_retries
   
    How many times to retry before killing a TCP connection closed by
    our side. The default value of 7 corresponds to ~50 sec to 16 min,
    depending on the RTO. If your machine is a loaded WEB server, you
    should think about lowering this value, since such sockets may
    consume significant resources. Cf. tcp_max_orphans.
   
/proc/sys/net/ipv4/tcp_max_syn_backlog
   
    Maximal number of remembered connection requests which have not yet
    received an acknowledgement from the connecting client. The default
    value is 1024 for systems with more than 128Mb of memory, and 128
    for low memory machines. If the server suffers from overload, try
    increasing this number. Warning! If you make it greater than 1024,
    it would be better to change TCP_SYNQ_HSIZE in include/net/tcp.h to
    keep TCP_SYNQ_HSIZE*16<=tcp_max_syn_backlog, and to recompile the
    kernel.
   
/proc/sys/net/ipv4/tcp_max_tw_buckets
   
    VXeɕێ time-wait \Pbg̍ő吔B̐z
    ƁAtime-wait \Pbg͒ɔjAx\܂B̐
    ͒P DoS Uh߂ɂ܂B킴ƐĂ͂
    ܂Blbg[N̏󋵂ɂĕKvȏꍇ́A (ł΃
    ǉĂ) ftHg葝₷̂͂܂܂B
   
/proc/sys/net/ipv4/tcp_retrans_collapse
   
    ̂v^̃oO-oO݊ۂ߂̂́B TCP X
    ^bÑoOɑΏ邽߁Ađɑ傫ȃpPbg𑗂܂B
   
/proc/sys/net/ipv4/tcp_retries1
   
    đ񐔂ŁA̐zƉ肪ƔfA̋^lb
    g[Nwɕ񍐂Kv܂B RFC ł̍ŏl 3 ŁAꂪ
    ftHgłB RTO ɂ܂A3 b 8 ɑ܂B
   
/proc/sys/net/ipv4/tcp_retries2
   
    ڑ TCP ZbVE܂ɍđ݂񐔁B RFC 1122
    <http://www.ietf.org/rfc/rfc1122.txt> ɂ΁A̎Ԃ 100 b
    ɂȂȂ΂܂B͎ۂɂ͒ZBftHgl
    15 ŁARTO ̒lɂ܂ 13-30 ɑ܂B
   
/proc/sys/net/ipv4/tcp_rfc1337
   
    ̃u[l RFC1337 ŐĂ 'time-wait assassination
    hazards in tcp' ̏CłBLɂȂĂƁAJ[l
    time-wait Ԃɂ\Pbgւ RST pPbgj܂B
   
/proc/sys/net/ipv4/tcp_sack
   
    Selective ACK p܂B̃pPbgĂ邩𒲍ł
    Aĉ񕜂₩ɂȂ܂B
   
/proc/sys/net/ipv4/tcp_stdurg
   
    TCP urg |C^tB[hAHost requirements ɏ]ĉ߂܂
    B̃zXg͌Â BSD ̉߂gĂ̂ŁA Linux łZ
    bgƐʐMłȂ܂Bl: FALSE
   
/proc/sys/net/ipv4/tcp_syn_retries
   
    VڑJnƂAJ[l͂̉ SYN pPbg𑗂Ă
    ʖڂȂ΂߂܂B
   
/proc/sys/net/ipv4/tcp_synack_retries
   
    ڑtƂăI[vƂAJ[l SYN  ACK lߍ
    őAɎ󂯂Ƃ SYN mF܂B 3 nhVF
    [N 2 Ԗڂ̕łB̐ݒ́AJ[lڑ߂܂
    ɑA SYN+ACK pPbg̍đw肵܂B
   
/proc/sys/net/ipv4/tcp_timestamps
   
    ^CX^v́AɁAV[PXԍ̏dȂh߂Ɏgp
    ܂B 1 MKrbg̐ڑł́A炭ʂłȂAÂV[P
    Xԍɏo킷Ƃ܂ (O̐̔ԍł邽)B^CX
    ^vpƁAû̃pPbgvƔFł܂BV[NG
    XԍI[o[t[āA܂0n܂邱ƂĂ? --> 
   
/proc/sys/net/ipv4/tcp_tw_recycle
   
    TIME-WAIT \PbgɃTCNł悤ɂ܂BftHg
    l 1 łB͐Zp҂̃AhoCXvȂ΁AύX
    ł͂܂B
   
/proc/sys/net/ipv4/tcp_window_scaling
   
    ʏ TCP/IP ł́Aő 65535 oCg̃EBhE\łB{ɍ
    ȃlbg[Nł́Ał͏\łȂ܂BEBhE
    gIvVpƁAقڃMKoCg̃EBhEpł܂
    B̓ohƒxԂ̐ς傫悤ȐiɓKĂ܂B
   
 

13.2.2. Per device settings

DEV can either stand for a real interface, or for 'all' or 'default'.
default also changes the settings for interfaces yet to be created.

/proc/sys/net/ipv4/conf/DEV/accept_redirects
   
    If a router decides that it is being used for a wrong purpose (i.e.
    it needs to resend the packet on the same interface it came in on),
    it will send us an ICMP Redirect. This is a slight security risk
    however, so you may want to turn it off, or use secure redirects.
   
/proc/sys/net/ipv4/conf/DEV/accept_source_route
   
    Not used very much anymore. You used to be able to give a packet a
    list of IP addresses it should visit on its way. Linux can be made
    to honor this IP option.
   
/proc/sys/net/ipv4/conf/DEV/bootp_relay
   
    Accept packets with source address 0.b.c.d and a destination that is
    not this host as local ones. It is supposed that a BOOTP relay
    daemon will catch and forward such packets.
   
    The default is 0, since this feature is not implemented yet (kernel
    version 2.2.12).
   
/proc/sys/net/ipv4/conf/DEV/forwarding
   
    Enable or disable IP forwarding on this interface.
   
/proc/sys/net/ipv4/conf/DEV/log_martians
   
    See the section on reverse path filters.
   
/proc/sys/net/ipv4/conf/DEV/mc_forwarding
   
    Whether we do multicast forwarding on this interface.
   
/proc/sys/net/ipv4/conf/DEV/proxy_arp
   
    If you set this to 1, this interface will respond to ARP requests
    for addresses the kernel has routes to. Can be very useful when
    building 'ip pseudo bridges'. Do take care that your netmasks are
    very correct before enabling this! Also be aware that the rp_filter
    (mentioned elsewhere) also operates on ARP queries!
   
/proc/sys/net/ipv4/conf/DEV/rp_filter
   
    See the section on reverse path filters.
   
/proc/sys/net/ipv4/conf/DEV/secure_redirects
   
    Accept ICMP redirect messages only for gateways listed in the
    default gateway list. Enabled by default.
   
/proc/sys/net/ipv4/conf/DEV/send_redirects
   
    Whether this host sends the above mentioned redirects.
   
/proc/sys/net/ipv4/conf/DEV/shared_media
   
    If it is not set, the kernel does not assume that different subnets
    on this device can communicate directly. The default setting is
    'yes'.
   
/proc/sys/net/ipv4/conf/DEV/tag
   
    FIXME: fill this in
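The per-device settings above can be checked mechanically. The shell functions below are an added example, not part of the HOWTO: they compare an interface's conf/DEV files against a conservative baseline for an interface that faces an untrusted network, and can apply that baseline. The baseline values, the function names and the optional PROC_ROOT argument (which points the check at a directory that mimics /proc, so it can be tried without touching a live system) are this example's own assumptions.

```shell
#!/bin/sh
# Audit and apply a hardened baseline for /proc/sys/net/ipv4/conf/DEV.
# Added example; the baseline below is a choice for an untrusted-facing
# interface, not a value the HOWTO prescribes:
#   accept_redirects 0    do not let ICMP redirects rewrite our routes
#   accept_source_route 0 ignore source-routed packets
#   secure_redirects 0    moot once accept_redirects is 0, kept explicit
#   send_redirects 0      a host that does not route has nothing to redirect
#   rp_filter 1           reverse path filter (see the rp_filter section)
#   log_martians 1        log packets with impossible source addresses
#   proxy_arp 0           only answer ARP for our own addresses
IPV4_CONF_BASELINE="accept_redirects=0 accept_source_route=0 \
secure_redirects=0 send_redirects=0 rp_filter=1 log_martians=1 proxy_arp=0"

# ipv4_conf_audit DEV [PROC_ROOT]
# Prints one "DEV setting current expected" line per deviation.
# Returns 1 if any setting deviates or its file is missing, else 0.
ipv4_conf_audit() {
    dev=$1
    root=${2:-/proc}          # PROC_ROOT is a hypothetical test hook
    status=0
    for pair in $IPV4_CONF_BASELINE; do
        name=${pair%=*}
        expected=${pair#*=}
        file="$root/sys/net/ipv4/conf/$dev/$name"
        if [ -r "$file" ]; then
            read -r current < "$file" || true
        else
            current=missing
        fi
        if [ "$current" != "$expected" ]; then
            echo "$dev $name $current $expected"
            status=1
        fi
    done
    return $status
}

# ipv4_conf_harden DEV [PROC_ROOT]
# Writes the baseline into the conf/DEV files (needs root on a live system).
ipv4_conf_harden() {
    dev=$1
    root=${2:-/proc}
    for pair in $IPV4_CONF_BASELINE; do
        echo "${pair#*=}" > "$root/sys/net/ipv4/conf/$dev/${pair%=*}"
    done
}

# Stand-alone use: ./script.sh eth0 [PROC_ROOT]
if [ $# -gt 0 ]; then
    ipv4_conf_audit "$@"
fi
```

Remember that 'all' and 'default' interact with the per-interface files, so audit those two pseudo-devices as well as the real interface.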
   
 

13.2.3. Neighbor policy

DEV can either stand for a real interface, or for 'all' or 'default'.
default also changes the settings for interfaces yet to be created.

/proc/sys/net/ipv4/neigh/DEV/anycast_delay
   
    Maximum random delay of answers to neighbor solicitation messages,
    in jiffies (1/100 sec). Not yet implemented (Linux does not have
    anycast support yet).
   
/proc/sys/net/ipv4/neigh/DEV/app_solicit
   
    Determines the number of requests to send to the user level ARP
    daemon. Use 0 to turn this off.
   
/proc/sys/net/ipv4/neigh/DEV/base_reachable_time
   
    A base value used for computing the random reachable time value as
    specified in RFC2461.
   
/proc/sys/net/ipv4/neigh/DEV/delay_first_probe_time
   
    Delay before the first probe is sent for a neighbor that is thought
    to be reachable (see gc_stale_time).
   
/proc/sys/net/ipv4/neigh/DEV/gc_stale_time
   
    Determines how often to check for stale ARP entries. After an ARP
    entry has gone stale it will be resolved again (which is useful
    when an IP address migrates to another machine). When ucast_solicit
    is greater than 0, it first tries to send an ARP packet directly to
    the known host. When that fails and mcast_solicit is greater than
    0, an ARP request is broadcast.
   
/proc/sys/net/ipv4/neigh/DEV/locktime
   
    An ARP/neighbor entry is only replaced with a new one if the old one
    is at least locktime old. This prevents ARP cache thrashing.
   
/proc/sys/net/ipv4/neigh/DEV/mcast_solicit
   
    Maximum number of retries for multicast solicitation.
   
/proc/sys/net/ipv4/neigh/DEV/proxy_delay
   
    Maximum time to wait before answering ARP requests for which we
    have a proxy ARP entry; the real delay is random between 0 and
    proxy_delay. In some cases this is used to prevent network
    flooding.
   
/proc/sys/net/ipv4/neigh/DEV/proxy_qlen
   
    Maximum queue length of the delayed proxy ARP timer (see
    proxy_delay).
   
/proc/sys/net/ipv4/neigh/DEV/retrans_time
   
    The time, expressed in jiffies (1 jiffy = 1/100 sec), between
    retransmitted Neighbor Solicitation messages. Used for address
    resolution and to determine whether a neighbor is unreachable.
   
/proc/sys/net/ipv4/neigh/DEV/ucast_solicit
   
    Maximum number of retries for unicast solicitation.
   
/proc/sys/net/ipv4/neigh/DEV/unres_qlen
   
    Maximum queue length for a pending ARP request: the number of
    packets accepted from other layers while the ARP address is still
    being resolved.
   
 

13.2.4. Routing settings

/proc/sys/net/ipv4/route/error_burst
   
    This parameter and error_cost are used to limit the warning
    messages the routing code writes to the kernel log. The higher the
    error_cost factor is, the fewer messages will be written.
    error_burst controls when messages will be dropped. The default
    settings limit warning messages to one every five seconds.
   
/proc/sys/net/ipv4/route/error_cost
   
    See /proc/sys/net/ipv4/route/error_burst.
   
/proc/sys/net/ipv4/route/flush
   
    Writing to this file results in a flush of the routing cache.
   
/proc/sys/net/ipv4/route/gc_elasticity
   
    Values to control the frequency and behaviour of the garbage
    collection algorithm for the routing cache. This can be important
    when doing failover. At least gc_timeout seconds will elapse before
    Linux will skip to another route because the previous one has died.
    By default set to 300; you may want to lower it if you want a speedy
    failover.
   
    Also see this post by Ard van Breemen
    <http://mailman.ds9a.nl/pipermail/lartc/2002q1/002667.html>.
   
/proc/sys/net/ipv4/route/gc_interval
   
    See /proc/sys/net/ipv4/route/gc_elasticity.
   
/proc/sys/net/ipv4/route/gc_min_interval
   
    See /proc/sys/net/ipv4/route/gc_elasticity.
   
/proc/sys/net/ipv4/route/gc_thresh
   
    See /proc/sys/net/ipv4/route/gc_elasticity.
   
/proc/sys/net/ipv4/route/gc_timeout
   
    See /proc/sys/net/ipv4/route/gc_elasticity.
   
/proc/sys/net/ipv4/route/max_delay
   
    Maximum delay before the routing cache is flushed.
   
/proc/sys/net/ipv4/route/max_size
   
    Maximum size of the routing cache. Old entries will be purged once
    the cache has reached this size.
   
/proc/sys/net/ipv4/route/min_adv_mss
   
    FIXME: fill this in
   
/proc/sys/net/ipv4/route/min_delay
   
    Minimum delay before the routing cache is flushed.
   
/proc/sys/net/ipv4/route/min_pmtu
   
    FIXME: fill this in
   
/proc/sys/net/ipv4/route/mtu_expires
   
    FIXME: fill this in
   
/proc/sys/net/ipv4/route/redirect_load
   
    Factor which determines whether more ICMP redirects should be sent
    to a specific host. No redirects will be sent once the load limit
    has been reached.
   
/proc/sys/net/ipv4/route/redirect_number
   
    See /proc/sys/net/ipv4/route/redirect_load. This one is the maximum
    number of redirects.
   
/proc/sys/net/ipv4/route/redirect_silence
   
    Timeout for redirects. After this period redirects will be sent
    again, even if sending had been stopped because the load or number
    limit was reached.
   
 

Chapter 14. Advanced & less common queueing disciplines

Should you find that you have needs not addressed by the queues
mentioned earlier, the kernel contains some other, more specialized
queues, described here.

 

14.1. bfifo/pfifo

These classless queues are even simpler than pfifo_fast in that they
lack the internal bands: all traffic is really equal. They have one
important benefit though: they keep statistics. So even if you do not
need shaping or prioritizing, you can use this qdisc to determine the
backlog on your interface.

pfifo has a length measured in packets, bfifo in bytes.

 

14.1.1. Parameters & usage

limit
   
    Specifies the length of the queue. Measured in bytes for bfifo, in
    packets for pfifo. Defaults to the interface txqueuelen (see the
    pfifo_fast chapter) packets for pfifo, or txqueuelen*mtu bytes for
    bfifo.
   
 

14.2. Clark-Shenker-Zhang algorithm (CSZ)

This is so theoretical that not even Alexey (the main CBQ author) claims
to understand it. From his source:

    David D. Clark, Scott Shenker and Lixia Zhang Supporting Real-Time
    Applications in an Integrated Services Packet Network: Architecture
    and Mechanism.
   
    As I understand it, the main idea is to create WFQ flows for each
    guaranteed service and to allocate the rest of the bandwidth to a
    dummy flow-0. Flow-0 comprises the predictive services and the best
    effort traffic; it is handled by a priority scheduler with the
    highest priority band allocated for predictive services, and the
    rest to the best effort packets.
   
    Note that in CSZ flows are NOT limited to their bandwidth. It is
    supposed that the flow passed admission control at the edge of the
    QoS network and it does not need further shaping. Any attempt to
    improve the flow or to shape it to a token bucket at intermediate
    hops will introduce undesired delays and raise jitter.
   
    At the moment CSZ is the only scheduler that provides true
    guaranteed service. Other schemes (including CBQ) do not provide
    guaranteed delay and randomize jitter.
   
    It does not currently seem like a good candidate to use, unless you
    have read and understood the article mentioned.
   
 

14.3. DSMARK

    Esteve Camps
   
    <marvin@grn.es>
   
    This text is an extract from my thesis on QoS Support in Linux,
    September 2000.
   
Source documents:

  * Draft-almesberger-wajhak-diffserv-linux-01.txt <ftp://
    icaftp.epfl.ch/pub/linux/diffserv/misc/dsid-01.txt.gz>.
   
  * Examples in the iproute2 distribution.
   
  * White Paper-QoS protocols and architectures <http://
    www.qosforum.com/white-papers/qosprot_v3.pdf> and IP QoS Frequently
    Asked Questions <http://www.qosforum.com/docs/faq> both by Quality
    of Service Forum.
   
This chapter was written by Esteve Camps <esteve@hades.udg.es>.

 

14.3.1. Introduction

First of all, it would be a great idea for you to read the RFCs written
about this (RFC2474, RFC2475, RFC2597 and RFC2598), available at the
IETF DiffServ working Group web site <http://www.ietf.org/html.charters/
diffserv-charter.html> and at the Werner Almesberger web site <http://
diffserv.sf.net/> (he wrote the code to support Differentiated Services
on Linux).

 

14.3.2. What is Dsmark related to?

Dsmark is a queueing discipline that offers the capabilities needed in
Differentiated Services (also called DiffServ or, simply, DS). DiffServ
is one of the two actual QoS architectures (the other one is called
Integrated Services) and is based on a value carried by packets in the
DS field of the IP header.

One of the first solutions in IP designed to offer some QoS level was
the Type of Service field (TOS byte) in the IP header. By changing that
value, we could choose a high/low level of throughput, delay or
reliability. But this did not provide sufficient flexibility for the
needs of new services (such as real-time applications, interactive
applications and others). After this, new architectures appeared. One of
these was DiffServ, which kept the TOS bits and redefined them as the DS
field.

 

14.3.3. Differentiated Services guidelines

Differentiated Services is group-oriented. I mean, we do not know
anything about flows (this is the Integrated Services purpose); we know
about flow aggregations, and we apply different behaviours depending on
which aggregation a packet belongs to.

When a packet arrives at an edge node (entry node of a DiffServ domain)
entering a DiffServ domain, we have to police, shape and/or mark those
packets (marking refers to assigning a value to the DS field. It is just
like cows :-) ). This is the mark/value that the internal/core nodes of
our DiffServ domain will look at to determine which behaviour or QoS
level to apply.

As you can deduce, Differentiated Services involves a domain on which
all DS rules will have to be applied. In fact, you can think "I will
classify all the packets entering my domain. Once they are marked, I
know that the packet will be processed by the whole domain according to
those rules."

In fact, you can apply your own policies in your local domains, but
some Service Level Agreements should be considered when connecting to
other DS domains.

At this point, you maybe have a lot of questions. DiffServ is more than
I have explained. In fact, you can understand that I cannot summarize
more than 3 RFCs in just 50 lines :-)

 

14.3.4. Working with Dsmark

As the DiffServ bibliography specifies, we differentiate boundary nodes
and interior nodes. These are two important points in the traffic path.
Both types perform a classification when the packets arrive. Its result
may be used in different places along the DS process before the packet
is released to the network. It is just because of this that the
diffserv code supplies the sk_buff structure with a new field called
skb->tc_index, where we store the result of the initial classification
so that it may be used in several points of the DS treatment.

The skb->tc_index value is initially set by the DSMARK qdisc, retrieving
it from the DS field in the IP header of every received packet. Besides,
the cls_tcindex classifier reads all or part of the skb->tc_index value
and uses it to select classes.

But, first of all, take a look at the DSMARK qdisc command and its
parameters:

... dsmark indices INDICES [ default_index DEFAULT_INDEX ] [ set_tc_index ] 

What do these parameters mean?

  * indices: size of the table of (mask,value) pairs. Maximum value is
    2^n, where n>=0.
   
  * Default_index: the default table entry index if the classifier
    finds no match.
   
  * Set_tc_index: instructs the dsmark qdisc to retrieve the DS field
    and store it in skb->tc_index.
   
Let us see the DSMARK process.

 

14.3.5. How SCH_DSMARK works

This qdisc applies the following steps:

  * If we have declared the set_tc_index option in the qdisc command,
    the DS field is retrieved and stored in the skb->tc_index variable.
   
  * The classifier is invoked. It is executed and returns a class ID
    that is stored in the skb->tc_index variable. If no filter matches
    are found, we consider the default_index option to be the classId
    to store. If neither set_tc_index nor default_index has been
    declared, the result may be unpredictable.
   
  * After the packet has been sent to the internal qdiscs, where you
    can reuse the result of the filter, the classid returned by the
    internal qdisc is stored in skb->tc_index. We use this value to
    index the mask-value table. The final result assigned to the packet
    is that of the following operation:
    
    New_Ds_field = ( Old_DS_field & mask ) | value          
    
     
   
  * Thus, the new value results from "anding" the ds_field and mask
    values, and then "oring" this result with the value parameter. See
    the next diagram to understand the whole process:
   

                         skb->ihp->tos                                                  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >     
     |                                                       |     ^                    
     | -- If you declare set_tc_index, we set DS             |     |  <-----May change  
     |    value into skb->tc_index variable                  |     |O       DS field    
     |                                                      A|     |R                   
   +-|-+      +------+    +---+-+    Internal   +-+     +---N|-----|----+               
   | | |      | tc   |--->|   | |-->  . . .  -->| |     |   D|     |    |               
   | | |----->|index |--->|   | |     Qdisc     | |---->|    v     |    |               
   | | |      |filter|--->| | | +---------------+ |   ---->(mask,value) |               
-->| O |      +------+    +-|-+--------------^----+  /  |  (.  ,  .)    |               
   | | |          ^         |                |       |  |  (.  ,  .)    |               
   | | +----------|---------|----------------|-------|--+  (.  ,  .)    |               
   | | sch_dsmark |         |                |       |                  |               
   +-|------------|---------|----------------|-------|------------------+               
     |            |         | <- tc_index -> |       |                                  
     |            |(read)   |    may change  |       |  <--------------Index to the     
     |            |         |                |       |                    (mask,value)  
     v            |         v                v       |                    pairs table   
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->      
                         skb->tc_index                                                  

 

How is marking done? Just change the mask and value of the class you
want to remark. See the next line of code:

tc class change dev eth0 classid 1:1 dsmark mask 0x3 value 0xb8     

This changes the (mask,value) pair in the hash table, to remark packets
belonging to class 1:1. You have to "change" these values because of
the default values that (mask,value) get initially (see the table
below).

Now, we explain how the TC_INDEX filter works and how it fits into this.
Besides, the TC_INDEX filter can be used in configurations other than
those involving DS services.

 

14.3.6. TC_INDEX Filter

This is the basic command to declare a TC_INDEX filter:

... tcindex [ hash SIZE ] [ mask MASK ] [ shift SHIFT ]             
            [ pass_on | fall_through ]                              
            [ classid CLASSID ] [ police POLICE_SPEC ]              


Next, we show the example used to explain the TC_INDEX operation mode.
Pay attention to the highlighted words:

tc qdisc add dev eth0 handle 1:0 root dsmark indices 64 set_tc_index                                                                                
                                                                                                                                                    
tc filter add dev eth0 parent 1:0 protocol ip prio 1 tcindex mask 0xfc  shift 2                                                                     
                                                                                                                                                    
tc qdisc add dev eth0 parent 1:0 handle 2:0 cbq bandwidth 10Mbit cell 8 avpkt 1000 mpu 64                                                           
                                                                                                                                                    
# EF traffic class                                                                                                                                  
                                                                                                                                                    
tc class add dev eth0 parent 2:0 classid 2:1 cbq bandwidth 10Mbit rate 1500Kbit avpkt 1000 prio 1 bounded isolated allot 1514 weight 1 maxburst 10  
                                                                                                                                                    
# Packet fifo qdisc for EF traffic                                                                                                                  
                                                                                                                                                    
tc qdisc add dev eth0 parent 2:1 pfifo limit 5                                                                                                      
                                                                                                                                                    
tc filter add dev eth0 parent 2:0 protocol ip prio 1 handle 0x2e tcindex classid 2:1 pass_on                                                        

(This code is not complete. It is just an extract from the EFCBQ example
included in the iproute2 distribution.)

First of all, suppose we receive a packet marked as EF. If you read
RFC2598, you will see that the DSCP value recommended for EF traffic is
101110. This means that the DS field will be 10111000 (remember that the
least significant bits of the TOS byte are not used in DS), or 0xb8 in
hexadecimal notation.

 

              TC INDEX                                                            
              FILTER                                                              
   +---+      +-------+    +---+-+    +------+                +-+    +-------+    
   |   |      |       |    |   | |    |FILTER|  +-+    +-+    | |    |       |    
   |   |----->| MASK  | -> |   | | -> |HANDLE|->| |    | | -> | | -> |       |    
   |   |  .   | =0xfc |    |   | |    |0x2E  |  | +----+ |    | |    |       |    
   |   |  .   |       |    |   | |    +------+  +--------+    | |    |       |    
   |   |  .   |       |    |   | |                            | |    |       |    
-->|   |  .   | SHIFT |    |   | |                            | |    |       |--> 
   |   |  .   | =2    |    |   | +----------------------------+ |    |       |    
   |   |      |       |    |   |       CBQ 2:0                  |    |       |    
   |   |      +-------+    +---+--------------------------------+    |       |    
   |   |                                                             |       |    
   |   +-------------------------------------------------------------+       |    
   |                          DSMARK 1:0                                     |    
   +-------------------------------------------------------------------------+    

 

The packet arrives, then, with the value 0xb8 set in the DS field. As we
explained before, the dsmark qdisc identified by the id 1:0 in the
example retrieves the DS field and stores it in the skb->tc_index
variable. The next step in the example corresponds to the filter
associated with this qdisc (second line in the example). This performs
the following operations:

Value1 = skb->tc_index & MASK                                       
Key = Value1 >> SHIFT                                               

 

In the example, MASK=0xFC and SHIFT=2.

Value1 = 10111000 & 11111100 = 10111000                             
Key = 10111000 >> 2 = 00101110 -> 0x2E (hexadecimal)                

 

The returned value corresponds to a qdisc internal filter handle (in the
example, identifier 2:0). If a filter with this id exists, policing and
metering conditions are verified (in case the filter includes them), and
the classid is returned (in our example, classid 2:1) and stored in the
skb->tc_index variable.

If no filter with this identifier is found, the result depends on the
declaration of the fall_through flag. If it is declared, the value key
is returned as classid. If not, an error is returned and the process
continues with the remaining filters. Be careful if you use the
fall_through flag; this can be done if a simple relation exists between
the values of the skb->tc_index variable and the class ids.

The remaining parameters to comment on are hash and pass_on. The first
one relates to the hash table size. pass_on indicates that if no classid
equal to the result of this filter is found, the next filter is tried.
The default action is fall_through (see the next table).

Finally, let us see which values can be set for all these TCINDEX
parameters:

TC Name                 Value           Default                     
-----------------------------------------------------------------   
Hash                    1...0x10000     Implementation dependent    
Mask                    0...0xffff      0xffff                      
Shift                   0...15          0                           
Fall through / Pass_on  Flag            Fall_through                
Classid                 Major:minor     None                        
Police                  .....           None                        
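The two arithmetic steps this example relies on (Key = (tc_index & MASK) >> SHIFT in the tcindex filter, and New_DS_field = (Old_DS_field & mask) | value in sch_dsmark) are easy to get wrong by one shift. The shell functions below are an added example, not from the HOWTO or iproute2, that reproduce both so a (mask, shift) or (mask, value) choice can be checked before it is typed into tc; the function names are this example's own.

```shell
#!/bin/sh
# DSMARK / tcindex arithmetic helpers. Added example; function names are
# hypothetical, the formulas are the ones the HOWTO gives.

# dscp_to_ds_field DSCP_BITS
# Six-bit DSCP as a binary string (e.g. EF = 101110) -> DS byte in hex.
# DiffServ does not use the two low bits of the TOS byte, so the DSCP
# sits in the upper six bits: DS = DSCP << 2 (EF -> 0xb8).
dscp_to_ds_field() {
    bits=$1
    val=0
    while [ -n "$bits" ]; do
        rest=${bits#?}
        bit=${bits%"$rest"}          # first character of $bits
        val=$(( (val << 1) | bit ))
        bits=$rest
    done
    printf '0x%02x\n' $(( val << 2 ))
}

# ds_field_to_dscp DS_BYTE
# Inverse helper: DS byte (as seen in a tcpdump "tos 0x..") -> DSCP bits.
ds_field_to_dscp() {
    v=$(( $1 >> 2 ))
    s=""
    i=5
    while [ "$i" -ge 0 ]; do
        s="$s$(( (v >> i) & 1 ))"
        i=$(( i - 1 ))
    done
    echo "$s"
}

# tcindex_key TC_INDEX MASK SHIFT
# What cls_tcindex looks up:  Key = (skb->tc_index & MASK) >> SHIFT
tcindex_key() {
    printf '0x%x\n' $(( ($1 & $2) >> $3 ))
}

# dsmark_remark OLD_DS MASK VALUE
# What sch_dsmark writes back:  New_DS_field = (Old_DS_field & mask) | value
# With mask 0x3 the two low (non-DiffServ) bits survive and the DSCP is
# replaced by VALUE; with mask 0x0 the whole byte is overwritten.
dsmark_remark() {
    printf '0x%02x\n' $(( ($1 & $2) | $3 ))
}

# tcindex_walkthrough DSCP_BITS MASK SHIFT
# The EF example end to end: DSCP -> DS byte -> filter handle key.
tcindex_walkthrough() {
    ds=$(dscp_to_ds_field "$1")
    key=$(tcindex_key "$ds" "$2" "$3")
    echo "ds=$ds key=$key"
}
```

With the example's filter (mask 0xfc, shift 2) an EF packet yields key 0x2e, which is why the child filter is installed with handle 0x2e.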

 

This kind of filter is very powerful. It is necessary to explore all its
possibilities. Besides, this filter is not only used in DiffServ
configurations; you can use it like any other kind of filter.

I recommend that you look at all the DiffServ examples included in the
iproute2 distribution. I promise I will try to complete this text as
soon as I can. Besides, all I have explained is the result of a lot of
tests. I would be grateful if you tell me when I am wrong on any point.

 

14.4. Ingress qdisc

All qdiscs discussed so far are egress qdiscs. Each interface, however,
can also have an ingress qdisc, which is not used to send packets out
to the network adaptor. Instead, it allows you to apply tc filters to
packets coming in over the interface, regardless of whether they have a
local destination or are to be forwarded.

As the tc filters contain a full Token Bucket Filter implementation,
and are also able to match on the kernel flow estimator, there is a lot
of functionality available. This effectively allows you to police
incoming traffic before it even enters the IP stack.

 

14.4.1. Parameters & usage

The ingress qdisc itself does not require any parameters. It differs
from other qdiscs in that it does not occupy the root of a device.
Attach it like this:

# tc qdisc add dev eth0 ingress                                     

This allows you to have other, sending qdiscs on your device besides
the ingress qdisc.

For a contrived example of how the ingress qdisc could be used, see the
Cookbook.

 

14.5. Random Early Detection (RED)

This section is meant as an introduction to backbone routing, which
often involves bandwidths of 100 megabit or more, and therefore requires
a different approach than your ADSL modem at home.

The normal behaviour of router queues on the Internet is called
tail-drop. Tail-drop works by queueing up to a certain amount, then
dropping all traffic that 'spills over'. This is very unfair, and also
leads to retransmit synchronization. When retransmit synchronization
occurs, the sudden burst of drops from a router that has reached its
fill causes a delayed burst of retransmits, which overfills the
congested router again.

In order to cope with transient congestion on links, backbone routers
often implement large queues. Unfortunately, while these queues are
good for throughput, they can substantially increase latency and cause
TCP connections to behave very burstily during congestion.

These issues with tail-drop are becoming increasingly troublesome on
the Internet, because the use of network-unfriendly applications is
increasing. The Linux kernel offers us RED, short for Random Early
Detect, also called Random Early Drop, as that is how it works.

RED is not a cure-all for this; applications which inappropriately fail
to implement exponential backoff still get an unfair share of the
bandwidth. However, with RED they do not cause as much harm to the
throughput and latency of other connections.

RED statistically drops packets from flows before the queue reaches its
hard limit. This causes a congested backbone link to slow down more
gracefully, and prevents retransmit synchronization. It also helps TCP
find its 'fair' speed faster, since allowing some packets to be dropped
sooner keeps queue sizes low and latency under control. The probability
of a packet being dropped from a particular connection is proportional
to its bandwidth usage rather than to the number of packets it
transmits.

RED is a good queue for backbones, where you cannot afford the
complexity of the per-session state tracking needed by fairness
queueing.

In order to use RED, you must decide on three parameters: min, max and
burst. min sets the minimum queue size in bytes before dropping will
begin, max is a soft maximum that the algorithm will attempt to stay
under, and burst sets the maximum number of packets that can 'burst
through'.

You should set min by deciding on the highest acceptable base queueing
latency you wish, and multiplying it by your bandwidth. For instance,
on my 64kbit/s ISDN link, I might want a base queueing latency of
200ms, so I set min to 1600 bytes. Setting min too small will degrade
throughput, and too large will degrade latency. Setting a small min is
not a replacement for reducing the MTU on a slow link to improve
interactive response.

You should make max at least twice min to prevent synchronization. On
slow links with small mins it might be wise to make max perhaps four or
more times larger than min.

burst controls how the RED algorithm responds to bursts. burst must be
set larger than min/avpkt. Experimentally, (min+min+max)/(3*avpkt)
works well for me.

Additionally, you need to set limit and avpkt. limit is a safety value:
once there are limit bytes in the queue, RED 'turns into' tail-drop. I
typically set limit to eight times max. avpkt should be your average
packet size. 1000 works fine on high speed links with a 1500 byte MTU.

Read the paper on RED queueing by Sally Floyd and Van Jacobson
<http://www.aciri.org/floyd/papers/red/red.html> for technical
information.
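The rules of thumb above can be turned into numbers mechanically. The shell functions below are an added example, not from the HOWTO: red_params derives min, max, burst and limit from a bandwidth, an acceptable queueing latency and a max/min factor, and red_tc_command prints the corresponding tc line. The function names and the FACTOR argument are this example's own; the only deliberate deviation from the text is that burst is rounded up so that it always stays above min/avpkt.

```shell
#!/bin/sh
# RED parameter derivation. Added example; the rules are the HOWTO's:
#   min   = bandwidth * latency            (bytes)
#   max   = min * FACTOR                   (at least 2; 4+ on slow links)
#   burst = (min + min + max) / (3 * avpkt), rounded up (packets)
#   limit = 8 * max                        (bytes, then tail-drop)

# red_params BANDWIDTH_BPS LATENCY_MS AVPKT_BYTES FACTOR
# Prints "min=... max=... burst=... limit=... avpkt=...".
red_params() {
    bw=$1; lat_ms=$2; avpkt=$3; factor=$4
    min=$(( bw * lat_ms / 8 / 1000 ))          # bits/s * ms -> bytes
    max=$(( min * factor ))
    # integer ceiling of (2*min + max) / (3*avpkt)
    burst=$(( (min + min + max + 3 * avpkt - 1) / (3 * avpkt) ))
    limit=$(( 8 * max ))
    echo "min=$min max=$max burst=$burst limit=$limit avpkt=$avpkt"
}

# red_tc_command DEV BANDWIDTH_BPS LATENCY_MS AVPKT_BYTES FACTOR
# Prints the tc invocation that installs RED as root qdisc with the
# values red_params derived; 'bandwidth' lets RED compute its own
# queue-idle estimate.
red_tc_command() {
    dev=$1; bw=$2
    args=""
    for kv in $(red_params "$2" "$3" "$4" "$5"); do
        args="$args ${kv%=*} ${kv#*=}"
    done
    echo "tc qdisc add dev $dev root red$args bandwidth ${bw}bit"
}

# Stand-alone use: ./script.sh DEV BANDWIDTH_BPS LATENCY_MS AVPKT FACTOR
if [ $# -eq 5 ]; then
    red_tc_command "$@"
fi
```

For the 64kbit/s ISDN example above with 200ms latency, avpkt 1000 and a factor of 4, this gives min 1600, max 6400, burst 4 and limit 51200.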

 

14.6. Generic Random Early Detection

Not a lot is known about GRED. It looks like RED with several internal
queues, whereby the internal queue is chosen based on the DiffServ
tcindex field. According to a slide found here <http://
www.davin.ottawa.on.ca/ols/img22.htm>, it contains the capabilities of
Cisco's 'Distributed Weighted RED', as well as Dave Clark's RIO.

Each virtual queue can have its own drop parameters specified.

FIXME: get Jamal or Werner to tell us more

 

14.7. VC/ATM emulation

This is quite a major effort by Werner Almesberger to allow you to
build Virtual Circuits over TCP/IP sockets. A Virtual Circuit is a
concept from ATM network theory.

For more information, see the ATM on Linux homepage <http://
linux-atm.sourceforge.net/>.

 

14.8. Weighted Round Robin (WRR)

This qdisc is not included in the standard kernels but can be downloaded
from <http://wipl-wrr.dkik.dk/wrr/>. Currently the qdisc is only tested
with Linux 2.2 kernels, but it will probably work with 2.4/2.5 kernels
too.

The WRR qdisc distributes bandwidth between its classes using the
weighted round robin scheme. That is, like the CBQ qdisc, it contains
classes into which arbitrary qdiscs can be plugged. All classes which
have sufficient demand get bandwidth proportional to the weights
associated with the classes. The weights can be set manually using the
tc program. But they can also be made to decrease automatically for
classes transferring much data.

The qdisc has a built-in classifier which assigns packets coming from
or sent to different machines to different classes. Either the MAC or
the IP address, and either the source or the destination address, can
be used. The MAC address can only be used when the Linux box is acting
as an ethernet bridge, however. The classes are automatically assigned
to machines based on the packets seen.

The qdisc can be very useful at sites such as dorms, where a lot of
unrelated individuals share an Internet connection. A set of scripts
setting up the relevant behaviour for such a site is a central part of
the WRR distribution.

 

Chapter 15. Cookbook

This section contains 'cookbook' entries which may help you solve
problems. A cookbook is no replacement for understanding, however, so
try to comprehend what is going on.

 

15.1. Running multiple sites with different SLAs

You can do this in several ways. Apache has some support for this with a
module, but we will show how Linux can do this for you, and do so for
other services as well. These commands are stolen from a presentation by
Jamal Hadi that is referenced below.

Let us say we have two customers, with http, ftp and streaming audio,
and we want to sell them a limited amount of bandwidth. We do so on the
server itself.

Customer A should have at most 2 megabits, customer B has paid for 5
megabits. We separate our customers by creating virtual IP addresses on
our server.

 

# ip address add 188.177.166.1 dev eth0                             
# ip address add 188.177.166.2 dev eth0                             

 

It is up to you to attach the different servers to the right IP
address. All popular daemons have support for this.

We first attach a CBQ qdisc to eth0:

# tc qdisc add dev eth0 root handle 1: cbq bandwidth 10Mbit cell 8 avpkt 1000 \ 
  mpu 64                                                                        

 

Then we create classes for our customers:

 

# tc class add dev eth0 parent 1:0 classid 1:1 cbq bandwidth 10Mbit rate \  
  2MBit avpkt 1000 prio 5 bounded isolated allot 1514 weight 1 maxburst 21  
# tc class add dev eth0 parent 1:0 classid 1:2 cbq bandwidth 10Mbit rate \  
  5Mbit avpkt 1000 prio 5 bounded isolated allot 1514 weight 1 maxburst 21  

 

Then we add filters for our two classes:

##FIXME: Why this line, what does it do? What is a divisor?                      
##FIXME: A divisor has something to do with a hash table, and the number of buckets -ahu
# tc filter add dev eth0 parent 1:0 protocol ip prio 5 handle 1: u32 divisor 1  
# tc filter add dev eth0 parent 1:0 prio 5 u32 match ip src 188.177.166.1 \     
  flowid 1:1                                                                    
# tc filter add dev eth0 parent 1:0 prio 5 u32 match ip src 188.177.166.2 \     
  flowid 1:2                                                                    

 

And we are done.

FIXME: why no token bucket filter? Is there a default pfifo_fast
fallback somewhere?

 

15.2. Protecting your host from SYN floods

From Alexey's iproute documentation, adapted to netfilter and with more
plausible paths. If you use this, take care to adjust the numbers to
reasonable values for your system.

If you want to protect an entire network, skip this script, which is
best suited for a single host.

It appears that you need the very latest version of the iproute2 tools
to get this to work with 2.4.0.

 

#! /bin/sh -x                                                             
#                                                                         
# sample script on using the ingress capabilities                         
# this script shows how one can rate limit incoming SYNs                  
# Useful for TCP-SYN attack protection. You can use                       
# IPchains to have more powerful additions to the SYN (eg                 
# in addition the subnet)                                                 
#                                                                         
# path to various utilities;                                              
# change to reflect yours.                                                
#                                                                         
TC=/sbin/tc                                                               
IP=/sbin/ip                                                               
IPTABLES=/sbin/iptables                                                   
INDEV=eth2                                                                
#                                                                         
# tag all incoming SYN packets through $INDEV as mark value 1             
############################################################              
$IPTABLES -A PREROUTING -i $INDEV -t mangle -p tcp --syn \                
  -j MARK --set-mark 1                                                    
############################################################              
#                                                                         
# install the ingress qdisc on the ingress interface                      
############################################################              
$TC qdisc add dev $INDEV handle ffff: ingress                             
############################################################              
                                                                          
#                                                                         
#                                                                         
# SYN packets are 40 bytes (320 bits) so three SYNs equals                
# 960 bits (approximately 1kbit); so we rate limit below                  
# the incoming SYNs to 3/sec (not very useful really; but                 
# serves to show the point - JHS                                          
############################################################              
$TC filter add dev $INDEV parent ffff: protocol ip prio 50 handle 1 fw \  
police rate 1kbit burst 40 mtu 9k drop flowid :1                          
############################################################              
                                                                          
                                                                          
#                                                                         
echo "---- qdisc parameters Ingress  ----------"                          
$TC qdisc ls dev $INDEV                                                   
echo "---- Class parameters Ingress  ----------"                          
$TC class ls dev $INDEV                                                   
echo "---- filter parameters Ingress ----------"                          
$TC filter ls dev $INDEV parent ffff:                                     
                                                                          
# deleting the ingress qdisc                                              
#$TC qdisc del dev $INDEV ingress                                         

 

 

15.3. Rate limit ICMP to prevent dDoS

Recently, distributed denial of service attacks (dDoS) have become a
major nuisance on the Internet. By properly filtering and rate limiting
your network, you can prevent becoming either a casualty or a cause of
these attacks.

You should filter your networks so that you do not allow packets with a
non-local IP source address to leave your network. This stops people
from anonymously sending junk to the Internet.

Rate limiting goes much as shown earlier. To refresh your memory, our
ASCIIgram again:

 

[The Internet] ---<E3, T3, whatever>--- [Linux router] --- [Office+ISP] 
                                      eth1          eth0                

 

We first set up the prerequisite parts:

 

# tc qdisc add dev eth0 root handle 10: cbq bandwidth 10Mbit avpkt 1000       
# tc class add dev eth0 parent 10:0 classid 10:1 cbq bandwidth 10Mbit rate \  
  10Mbit allot 1514 prio 5 maxburst 20 avpkt 1000                             

 

If you have 100Mbit (or faster) interfaces, adjust these numbers. Now
you need to determine how much ICMP traffic you want to allow. You can
perform measurements with tcpdump, by having it write to a file for a
while, and seeing how much ICMP passes your network. Do not forget to
raise the snapshot length!

If measurement is impractical, you might want to choose 5% of your
available bandwidth. Let us set up our class:

# tc class add dev eth0 parent 10:1 classid 10:100 cbq bandwidth 10Mbit rate \  
  100Kbit allot 1514 weight 800Kbit prio 5 maxburst 20 avpkt 250 \              
  bounded                                                                       

 

This limits at 100Kbit. Now we need a filter to assign ICMP traffic to
this class:

# tc filter add dev eth0 parent 10:0 protocol ip prio 100 u32 match ip  
  protocol 1 0xFF flowid 10:100                                         

 

 

15.4. Prioritizing interactive traffic

If lots of data is coming down your link, or going up for that matter,
and you are trying to do some maintenance via telnet or ssh, this may
not go too well. Other packets are blocking your keystrokes. Would it
not be great if there were a way for your interactive packets to sneak
past the bulk traffic? Linux can do this for you!

As before, we need to handle traffic going both ways. Evidently, this
works best if there are Linux boxes on both ends of your link, although
other UNIXes are able to do this. Consult your local Solaris/BSD guru
for this.

The standard pfifo_fast scheduler has 3 different 'bands'. Traffic in
band 0 is transmitted first, after which traffic in bands 1 and 2 gets
considered. It is vital that our interactive traffic be in band 0!

We blatantly adapt from the (soon to be obsolete) ipchains HOWTO:

There are four seldom-used bits in the IP header, called the Type of
Service (TOS) bits. They affect the way packets are treated; the four
bits are "Minimum Delay", "Maximum Throughput", "Maximum Reliability"
and "Minimum Cost". Only one of these bits is allowed to be set. Rob van
Nieuwkerk, the author of the ipchains TOS-mangling code, puts it as
follows:

    Especially the "Minimum Delay" is important for me. I switch it on
    for "interactive" packets in my upstream (Linux) router. I'm behind
    a 33k6 modem link. Linux prioritizes packets in 3 queues. This way
    I get acceptable interactive performance while doing bulk downloads
    at the same time.
   
The most common use is to set telnet & ftp control connections to
"Minimum Delay" and FTP data to "Maximum Throughput". This would be done
as follows, on your upstream router:

 

# iptables -A PREROUTING -t mangle -p tcp --sport telnet \          
  -j TOS --set-tos Minimize-Delay                                   
# iptables -A PREROUTING -t mangle -p tcp --sport ftp \             
  -j TOS --set-tos Minimize-Delay                                   
# iptables -A PREROUTING -t mangle -p tcp --sport ftp-data \        
  -j TOS --set-tos Maximize-Throughput                              

 

Now, this only works for data going from your telnet foreign host to
your local computer. The other way around appears to be done for you,
i.e. telnet, ssh & friends all set the TOS field on outgoing packets
automatically.

Should you have an application that does not do this, you can always do
it with netfilter. On your local box:

 

# iptables -A OUTPUT -t mangle -p tcp --dport telnet \              
  -j TOS --set-tos Minimize-Delay                                   
# iptables -A OUTPUT -t mangle -p tcp --dport ftp \                 
  -j TOS --set-tos Minimize-Delay                                   
# iptables -A OUTPUT -t mangle -p tcp --dport ftp-data \            
  -j TOS --set-tos Maximize-Throughput                              

 

 

15.5. Transparent web-caching using netfilter, iproute2, ipchains and squid

This section was sent in by reader Ram Narula from Internet for
Education (Thailand).

The regular technique for accomplishing this in Linux is probably to
use ipchains AFTER making sure that the "outgoing" port 80 (web)
traffic gets routed through the server running squid.

There are 3 common methods to make sure "outgoing" port 80 traffic gets
routed to the server running squid, and a 4th one is being introduced
here.

Making the gateway router do it
   
    If you can tell your gateway router to match packets that have an
    outgoing destination port of 80 and send them to the IP address of
    the squid server.
   
    BUT
   
    This would put additional load on the router, and some commercial
    routers might not even support this.
   
Using a Layer 4 switch
   
    Layer 4 switches can handle this without any problem.
   
    BUT
   
    The cost of this equipment is usually very high. A typical layer 4
    switch would normally cost more than a typical router plus a good
    Linux server.
   
Using the cache server as the network's gateway
   
    You can force ALL traffic through the cache server.
   
    BUT
   
    This is quite risky, because Squid does utilize lots of CPU power,
    which might result in slower overall network performance, or the
    server itself might crash and no one on the network will be able to
    access the Internet if that occurs.
   
Linux+NetFilter router
   
    By using NetFilter another technique can be implemented: NetFilter
    is used for "mark"ing the packets with destination port 80, and
    iproute2 is used to route the marked packets to the Squid server.
   

|----------------|                                                  
| Implementation |                                                  
|----------------|                                                  
                                                                    
 Addresses used                                                     
 10.0.0.1 naret (NetFilter server)                                  
 10.0.0.2 silom (Squid server)                                      
 10.0.0.3 donmuang (Router connected to the Internet)               
 10.0.0.4 kaosarn (other server on network)                         
 10.0.0.5 RAS                                                       
 10.0.0.0/24 main network                                           
 10.0.0.0/19 total network                                          
                                                                    
|---------------|                                                   
|Network diagram|                                                   
|---------------|                                                   
                                                                    
Internet                                                            
|                                                                   
donmuang                                                            
|                                                                   
------------hub/switch----------                                    
|        |             |       |                                    
naret   silom        kaosarn  RAS etc.                              
                                                                    

First, make all traffic pass through naret by making sure it is the
default gateway for every machine except silom. silom's default gateway
has to be donmuang (10.0.0.3), or this would create a web traffic loop.

(All servers on my network had 10.0.0.1 as the default gateway, which
was the former IP address of the donmuang router, so what I did was
change the IP address of donmuang to 10.0.0.3 and give naret the IP
address 10.0.0.1.)


Silom                                                               
-----                                                               
-setup squid and ipchains                                           
                                                                    


Set up the Squid server on silom and make sure it supports transparent
caching/proxying. The default port is usually 3128, so all traffic for
port 80 has to be redirected to port 3128 locally. This can be done by
using ipchains with the following:


silom# ipchains -N allow1                                                   
silom# ipchains -A allow1 -p TCP -s 10.0.0.0/19 -d 0/0 80 -j REDIRECT 3128  
silom# ipchains -I input -j allow1                                          
                                                                            


Or, in netfilter terms:

silom# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128 
                                                                                          


(Note: you may have other entries as well.)

For more information on setting up the Squid server, please refer to
the Squid FAQ page at <http://squid.nlanr.net>.

Make sure IP forwarding is enabled on this server, and that its default
gateway is the donmuang router (NOT naret).


Naret
-----
-setup iptables and iproute2
-disable icmp REDIRECT messages (if needed)



 1. "Mark" packets with destination port 80 with the value 2.
    
    naret# iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport 80 \ 
     -j MARK --set-mark 2                                               
                                                                        
    
   
 2. Set up iproute2 so that packets marked 2 are routed to silom.
    
    naret# echo 202 www.out >> /etc/iproute2/rt_tables              
    naret# ip rule add fwmark 2 table www.out                       
    naret# ip route add default via 10.0.0.2 dev eth0 table www.out 
    naret# ip route flush cache                                     
                                                                    
    
   
    If donmuang and naret are on the same subnet, naret must not send
    out icmp REDIRECT messages. In this case they are, so icmp
    REDIRECTs are disabled with the following commands:
    
    naret# echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects      
    naret# echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects  
    naret# echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects     
                                                                    
    
   
The setup is now complete. Let's check the configuration.


On naret:
                                                                                      
naret# iptables -t mangle -L                                                          
Chain PREROUTING (policy ACCEPT)                                                      
target     prot opt source               destination                                  
MARK       tcp  --  anywhere             anywhere           tcp dpt:www MARK set 0x2  
                                                                                      
Chain OUTPUT (policy ACCEPT)                                                          
target     prot opt source               destination                                  
                                                                                      
naret# ip rule ls                                                                     
0:      from all lookup local                                                         
32765:  from all fwmark        2 lookup www.out                                       
32766:  from all lookup main                                                          
32767:  from all lookup default                                                       
                                                                                      
naret# ip route list table www.out                                                    
default via 203.114.224.8 dev eth0                                                    
                                                                                      
naret# ip route                                                                       
10.0.0.1 dev eth0  scope link                                                         
10.0.0.0/24 dev eth0  proto kernel  scope link  src 10.0.0.1                          
127.0.0.0/8 dev lo  scope link                                                        
default via 10.0.0.3 dev eth0                                                         
                                                                                      
(Make sure silom is covered by one of the lines above; in this case it
is the line for 10.0.0.0/24.)
                                                                                      
|------|                                                                              
|-DONE-|                                                                              
|------|                                                                              
                                                                                      


 

15.5.1. Traffic flow diagram after implementation


|-----------------------------------------|
|Traffic flow diagram after implementation|
|-----------------------------------------|
                                                                    
INTERNET                                                            
/\                                                                  
||                                                                  
\/                                                                  
-----------------donmuang router---------------------               
/\                                      /\         ||               
||                                      ||         ||               
||                                      \/         ||               
naret                                  silom       ||               
*destination port 80 traffic=========>(cache)      ||               
/\                                      ||         ||               
||                                      \/         \/               
\\===================================kaosarn, RAS, etc.             


Note that the network is asymmetric, since there is one extra hop on
the general outgoing path.

Here is a run-down of packets traversing the network from kaosarn to
and from the Internet.

web/http traffic:
   
    
         kaosarn http request->naret->silom->donmuang->Internet
         http replies from Internet->donmuang->kaosarn
    
   
non-web/http traffic (e.g. telnet):
   
    
         kaosarn outgoing data->naret->donmuang->Internet
         incoming data from Internet->donmuang->kaosarn
    
   
 

15.6. Circumventing Path MTU Discovery issues with per route MTU
settings

For sending bulk data, the Internet generally works better when using
larger packets. Each packet implies a routing decision; sending a
1 megabyte file can mean around 700 packets when using packets that
are as large as possible, or 4000 when using the smallest default.

However, not all parts of the Internet support the full 1460 bytes of
payload per packet. It is therefore necessary to try and find the
largest packet that will 'fit', in order to optimize a connection.

This process is called 'Path MTU Discovery', where MTU stands for
'Maximum Transfer Unit'.

When a router encounters a packet that is too big to send in one piece,
AND that packet has been flagged with the "Don't Fragment" bit, it
returns an ICMP message stating that it was forced to drop the packet
because of this. The sending host acts on this hint by sending smaller
packets, and by iterating it can find the optimum packet size for a
connection over a certain path.

This used to work well until the Internet was discovered by hooligans
who do their best to disrupt communications. This in turn led
administrators to either block or shape ICMP traffic in a misguided
attempt to improve the security or robustness of their Internet
service.

What has happened now is that Path MTU Discovery works less and less
well and fails for certain routes, which leads to strange TCP/IP
sessions that die after a while.

Although I have no proof for this, two sites I used to have this
problem with both run Alteon Acedirectors in front of the affected
systems. Perhaps somebody more knowledgeable can provide clues as to
why this happens.

 

15.6.1. Solution

When you encounter sites that suffer from this problem, you can disable
Path MTU Discovery by setting it manually. Koos van den Hout writes
(slightly edited):

    The following problem: I set the mtu/mru of my leased line running
    ppp to 296 because it is only 33k6 and I cannot influence the
    queueing on the other side. At 296, the response to a keypress is
    within a reasonable timeframe.
   
    And, on my side I have a masquerading router running (of course)
    Linux.
   
    Recently I split 'server' and 'router', so most applications now
    run on a different machine than the one the routing happens on.
   
    I then had trouble logging into irc. Big panic! Some digging found
    out that I got connected to irc, and even showed up as 'connected'
    on irc, but I did not receive the motd from irc. I checked what
    could be wrong and remembered that I already had some previous
    trouble reaching certain websites related to the MTU; that problem
    showed up when the MTU was set to 296. Since irc servers block
    about every kind of traffic not needed for their immediate
    operation, they also block icmp.
   
    I managed to convince the operators of a webserver that this was
    the cause of a problem, but the irc server operators were not going
    to fix this.
   
    So, I had to make sure outgoing masqueraded traffic started with
    the lower mtu of the outside link. But I want local ethernet
    traffic to have the normal mtu (for things like nfs traffic).
   
    Solution:
   
    
    ip route add default via 10.0.0.1 mtu 296
    
   
    (10.0.0.1 being the default gateway, the inside address of the
    masquerading router)
   
In general, it is possible to override PMTU Discovery by setting
specific routes. For example, if only a certain subnet is giving
problems, this should help:


ip route add 195.96.96.0/24 via 10.0.0.1 mtu 1000                   

 

15.7. Circumventing Path MTU Discovery issues with MSS Clamping (for
ADSL, cable, PPPoE & PPtP users)

As explained above, Path MTU Discovery does not work as well as it
should anymore. If you know for a fact that a hop somewhere in your
network has a limited (<1500) MTU, you cannot rely on PMTU Discovery to
find this out.

Besides the MTU, there is yet another way to set the maximum packet
size: the so-called Maximum Segment Size. This is a field in the TCP
Options part of a SYN packet.

Recent Linux kernels, and a few PPPoE drivers (notably the excellent
Roaring Penguin one), offer the possibility to 'clamp the MSS'.

The good thing about this is that by setting the MSS value, you are
telling the remote side unequivocally 'do not ever try to send me
packets bigger than this value'. No ICMP traffic is needed to make this
work.

The bad thing is that it is an obvious hack: it breaks 'end to end' by
modifying packets. Having said that, we use this trick in many places
and it works like a charm.

In order for this to work you need at least iptables-1.2.1a and Linux
2.4.3 or higher. The basic command line is:

# iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS  --clamp-mss-to-pmtu 

 

This calculates the proper MSS for your link. If you are feeling brave,
or think you know best, you can also do something like this:

 

# iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 128

 

This sets the MSS of passing SYN packets to 128. Use this if you have
VoIP with tiny packets, and huge http packets are causing chopping in
your voice calls.

 

15.8. The Ultimate Traffic Conditioner: Low Latency, Fast Up & Downloads

Note: this script has recently been upgraded and previously only worked
for Linux clients in your network! So you might want to update if you
have Windows machines or Macs in your network and noticed that they
were not able to download faster while others were uploading.

I attempted to create the holy grail:

Maintain low latency for interactive traffic at all times
   
    This means that downloading or uploading files should not disturb
    SSH or even telnet. These are the most important things; even 200ms
    of latency is sluggish to work over.
   
Allow 'surfing' at reasonable speeds while up- or downloading
   
    Even though http is 'bulk' traffic, other traffic should not drown
    it out too much.
   
Make sure uploads do not harm downloads, and the other way around
   
    This is a much observed phenomenon where upstream traffic simply
    destroys download speed.
   
It turns out that all this is possible, at the cost of a tiny bit of
bandwidth. The reason that uploads, downloads and ssh hurt each other
is the presence of large queues in many domestic access devices like
cable or DSL modems.

The next section explains in depth what causes the delays, and how we
can fix them. You can safely skip it and head straight for the script
if you do not care how the magic is performed.

 

15.8.1. Why it does not work well by default

ISPs know that they are benchmarked solely on how fast people can
download. Besides available bandwidth, download speed is influenced
heavily by packet loss, which seriously hampers TCP/IP performance.
Large queues can help prevent packet loss, and speed up downloads. So
ISPs configure large queues.

These large queues however damage interactivity. A keystroke must first
travel the upstream queue, which may be seconds (!) long, and go to
your remote host. It is then displayed, which leads to a packet coming
back, which must then traverse the downstream queue, located at your
ISP, before it appears on your screen.

This HOWTO teaches you how to mangle and process the queue in many
ways, but sadly, not all queues are accessible to us. The queue over at
the ISP is completely off-limits, whereas the upstream queue probably
lives inside your cable modem or DSL device. You may or may not be able
to configure it. Most probably not.

So, what next? As we cannot control either of those queues, they must
be eliminated and moved to your Linux router. Luckily this is possible.

Limit upload speed
   
    By limiting our upload speed to slightly less than the truly
    available rate, no queues are built up in our modem. The queue is
    now moved to Linux.
   
Limit download speed
   
    This is slightly trickier, as we cannot really influence how fast
    the Internet ships us data. We can however drop packets that are
    coming in too fast, which causes TCP/IP to slow down to just the
    rate we want. Because we do not want to drop traffic unnecessarily,
    we configure a 'burst' size we allow at higher speed.
   
Now, once we have done this, we have eliminated the downstream queue
totally (except for short bursts), and gain the ability to manage the
upstream queue with all the power Linux offers.

What remains to be done is to make sure interactive traffic jumps to
the front of the upstream queue. To make sure that uploads do not hurt
downloads, we also move ACK packets to the front of the queue. This is
what normally causes the huge slowdown observed when generating bulk
traffic both ways: the ACKnowledgements for downstream traffic must
compete with upstream traffic, and get delayed in the process.

If we do all this we get the following measurements using an excellent
ADSL connection from xs4all in the Netherlands:

 

Baseline latency:
round-trip min/avg/max = 14.4/17.1/21.7 ms

Without traffic conditioner, while downloading:
round-trip min/avg/max = 560.9/573.6/586.4 ms

Without traffic conditioner, while uploading:
round-trip min/avg/max = 2041.4/2332.1/2427.6 ms

With conditioner, during 220kbit/s upload:
round-trip min/avg/max = 15.7/51.8/79.9 ms

With conditioner, during 850kbit/s download:
round-trip min/avg/max = 20.4/46.9/74.0 ms

When uploading, downloads proceed at about 80% of the maximum available
speed. Uploads run at around 90%. Latency then jumps to 850 ms; I am
still figuring out why.

What you can expect from this script depends a lot on your actual
uplink speed. When uploading at full speed, there will always be a
single packet ahead of your keystroke. That is the lower limit to the
latency you can achieve: divide your MTU by your upstream speed to
calculate it. Typical values will be somewhat higher than that. Lower
your MTU for better effects!

Next, two versions of this script: one with Devik's excellent HTB, the
other with CBQ, which is in every Linux kernel (unlike HTB). Both are
tested and work well.

 

15.8.2. The actual script (CBQ)

Works on all kernels. Within the CBQ qdisc we place two Stochastic
Fairness Queues that make sure that multiple bulk streams do not drown
each other out.

Downstream traffic is policed using a tc filter containing a Token
Bucket Filter.

You might improve on this script by adding 'bounded' to the line that
starts with 'tc class add .. classid 1:20'. If you lowered your MTU,
also lower the allot & avpkt numbers!

 

#!/bin/bash

# The Ultimate Setup For Your Internet Connection At Home
#
#
# Set the following values to somewhat less than your actual download
# and uplink speed. In kilobits
DOWNLINK=800
UPLINK=220
DEV=ppp0

# clean existing down- and uplink qdiscs, hide errors
tc qdisc del dev $DEV root    2> /dev/null > /dev/null
tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null

###### uplink

# install root CBQ

tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 10mbit

# shape everything at $UPLINK speed - this prevents huge queues in your
# DSL modem which destroy latency:
# main class

tc class add dev $DEV parent 1: classid 1:1 cbq rate ${UPLINK}kbit \
allot 1500 prio 5 bounded isolated

# high prio class 1:10:

tc class add dev $DEV parent 1:1 classid 1:10 cbq rate ${UPLINK}kbit \
   allot 1600 prio 1 avpkt 1000

# bulk and default class 1:20 - gets slightly less traffic,
# and a lower priority:

tc class add dev $DEV parent 1:1 classid 1:20 cbq rate $[9*$UPLINK/10]kbit \
   allot 1600 prio 2 avpkt 1000

# both get Stochastic Fairness:
tc qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10

# start filters
# TOS Minimum Delay (ssh, NOT scp) in 1:10:
tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
      match ip tos 0x10 0xff  flowid 1:10

# ICMP (ip protocol 1) in the interactive class 1:10 so we
# can do measurements & impress our friends:
tc filter add dev $DEV parent 1:0 protocol ip prio 11 u32 \
        match ip protocol 1 0xff flowid 1:10

# To speed up downloads while an upload is going on, put ACK packets in
# the interactive class:

tc filter add dev $DEV parent 1: protocol ip prio 12 u32 \
   match ip protocol 6 0xff \
   match u8 0x05 0x0f at 0 \
   match u16 0x0000 0xffc0 at 2 \
   match u8 0x10 0xff at 33 \
   flowid 1:10

# rest is 'non-interactive' i.e. 'bulk' and ends up in 1:20

tc filter add dev $DEV parent 1: protocol ip prio 13 u32 \
   match ip dst 0.0.0.0/0 flowid 1:20

###### downlink
# slow downloads down to somewhat less than the real speed to prevent
# queuing at our ISP. Tune to see how high you can set it.
# ISPs tend to have *huge* queues to make sure big downloads are fast
#
# attach ingress policer:

tc qdisc add dev $DEV handle ffff: ingress

# filter *everything* to it (0.0.0.0/0), drop everything that's
# coming in too fast:

tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
   0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1

If you want this script to be run by ppp on connect, copy it to
/etc/ppp/ip-up.d.

If the last two lines give an error, update your tc tool to a newer
version!
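Two header checks in this chapter are worth seeing byte by byte: the TCPMSS target of Section 15.7 rewrites the MSS option of a SYN, and the ACK filter in the script above selects TCP packets through three u32 matches (no IP options, total length under 64 bytes, flags byte exactly ACK). The Python below is an added illustration, not code from the HOWTO or from tc/iptables; it reimplements both checks over constructed packets whose addresses, ports and MSS values are made up for the example.

```python
import struct

TCP_SYN, TCP_ACK = 0x02, 0x10


def build_ipv4_tcp(flags, options=b"", payload=b""):
    """Constructed IPv4/TCP packet (IHL=5, no IP options) for the demo.
    Addresses are arbitrary; checksums are left at zero on purpose."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)  # TCP options pad to 32-bit words
    data_offset = 5 + len(options) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_offset << 4,
                      flags, 65535, 0, 0) + options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 4]), bytes([203, 0, 113, 10]))
    return ip + tcp


def is_pure_ack(pkt):
    """The ACK filter of the CBQ/HTB scripts, one u32 match per check:
      match ip protocol 6 0xff     -> TCP
      match u8 0x05 0x0f at 0      -> IHL == 5, i.e. no IP options
      match u16 0x0000 0xffc0 at 2 -> total length < 64 (bits 6..15 clear)
      match u8 0x10 0xff at 33     -> TCP flags byte (IP offset 20 + 13) is exactly ACK
    """
    if len(pkt) < 34 or pkt[9] != 6:
        return False
    if (pkt[0] & 0x0F) != 0x05:
        return False
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if total_len & 0xFFC0:
        return False
    return (pkt[33] & 0xFF) == TCP_ACK


def mss_option_offset(pkt):
    """Absolute offset of the 2-byte MSS value in the TCP options, or None."""
    ihl = (pkt[0] & 0x0F) * 4
    data_off = (pkt[ihl + 12] >> 4) * 4
    i, end = ihl + 20, ihl + data_off
    while i < end:
        kind = pkt[i]
        if kind == 0:                       # End of Option List
            return None
        if kind == 1:                       # NOP is a single byte
            i += 1
            continue
        if i + 1 >= end or pkt[i + 1] < 2:  # malformed length: stop parsing
            return None
        if kind == 2 and pkt[i + 1] == 4:   # MSS: kind 2, length 4
            return i + 2
        i += pkt[i + 1]
    return None


def read_mss(pkt):
    off = mss_option_offset(pkt)
    return None if off is None else struct.unpack("!H", pkt[off:off + 2])[0]


def clamp_mss_to_pmtu(pkt, path_mtu):
    """What --clamp-mss-to-pmtu does to a SYN: lower the advertised MSS to
    path_mtu - 40 (20-byte IPv4 header + 20-byte TCP header) if it is
    larger. Returns (packet, resulting_mss); non-SYN packets and SYNs
    without an MSS option come back unchanged with None. The TCP checksum
    is not recomputed here; the kernel target does that."""
    if len(pkt) < 40 or pkt[9] != 6:
        return pkt, None
    ihl = (pkt[0] & 0x0F) * 4
    if not (pkt[ihl + 13] & TCP_SYN):
        return pkt, None
    off = mss_option_offset(pkt)
    if off is None:
        return pkt, None
    current = struct.unpack("!H", pkt[off:off + 2])[0]
    new_mss = min(current, path_mtu - 40)
    out = bytearray(pkt)
    out[off:off + 2] = struct.pack("!H", new_mss)
    return bytes(out), new_mss


# Constructed samples: a SYN advertising MSS 1460, a bare ACK, and an ACK
# carrying 100 bytes of data (too long to count as "pure").
SAMPLES = {
    "syn_mss1460": build_ipv4_tcp(TCP_SYN, options=b"\x02\x04\x05\xb4"),
    "pure_ack": build_ipv4_tcp(TCP_ACK),
    "data_ack": build_ipv4_tcp(TCP_ACK, payload=b"x" * 100),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, "pure ACK:", is_pure_ack(pkt), "MSS:", read_mss(pkt))
    clamped, mss = clamp_mss_to_pmtu(SAMPLES["syn_mss1460"], 1492)  # PPPoE-sized path
    print("MSS after clamping to a 1492-byte path MTU:", mss)
```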

 

15.8.3. The actual script (HTB)

The following script achieves all goals using the wonderful HTB queue;
see the relevant chapter. Well worth patching your kernel for!

#!/bin/bash

# The Ultimate Setup For Your Internet Connection At Home
#
#
# Set the following values to somewhat less than your actual download
# and uplink speed. In kilobits
DOWNLINK=800
UPLINK=220
DEV=ppp0

# clean existing down- and uplink qdiscs, hide errors
tc qdisc del dev $DEV root    2> /dev/null > /dev/null
tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null

###### uplink

# install root HTB, point default traffic to 1:20:

tc qdisc add dev $DEV root handle 1: htb default 20

# shape everything at $UPLINK speed - this prevents huge queues in your
# DSL modem which destroy latency:

tc class add dev $DEV parent 1: classid 1:1 htb rate ${UPLINK}kbit burst 6k

# high prio class 1:10:

tc class add dev $DEV parent 1:1 classid 1:10 htb rate ${UPLINK}kbit \
   burst 6k prio 1

# bulk and default class 1:20 - gets slightly less traffic,
# and a lower priority:

tc class add dev $DEV parent 1:1 classid 1:20 htb rate $[9*$UPLINK/10]kbit \
   burst 6k prio 2

# both get Stochastic Fairness:
tc qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10

# TOS Minimum Delay (ssh, NOT scp) in 1:10:
tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
      match ip tos 0x10 0xff  flowid 1:10

# ICMP (ip protocol 1) in the interactive class 1:10 so we
# can do measurements & impress our friends:
tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
        match ip protocol 1 0xff flowid 1:10

# To speed up downloads while an upload is going on, put ACK packets in
# the interactive class:

tc filter add dev $DEV parent 1: protocol ip prio 10 u32 \
   match ip protocol 6 0xff \
   match u8 0x05 0x0f at 0 \
   match u16 0x0000 0xffc0 at 2 \
   match u8 0x10 0xff at 33 \
   flowid 1:10

# rest is 'non-interactive' i.e. 'bulk' and ends up in 1:20


###### downlink
# slow downloads down to somewhat less than the real speed to prevent
# queuing at our ISP. Tune to see how high you can set it.
# ISPs tend to have *huge* queues to make sure big downloads are fast
#
# attach ingress policer:

tc qdisc add dev $DEV handle ffff: ingress

# filter *everything* to it (0.0.0.0/0), drop everything that's
# coming in too fast:

tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
   0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1

 

If you want this script to be run by ppp on connect, copy it to
/etc/ppp/ip-up.d.

If the last two lines give an error, update your tc tool to a newer
version!

 

15.9. Rate limiting a single host or netmask

Although this is described in stupendous detail elsewhere and in our
manpages, this question gets asked a lot, and happily there is a simple
answer that does not need the full configuration of traffic control.

This three line script does the trick:


# tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 10mbit  
                                                                        
# tc class add dev $DEV parent 1: classid 1:1 cbq rate 512kbit \        
allot 1500 prio 5 bounded isolated                                      
                                                                        
# tc filter add dev $DEV parent 1: protocol ip prio 16 u32 \            
match ip dst 195.96.96.97 flowid 1:1                                    
                                                                        


The first line installs a class based queue on your interface, and
tells the kernel that for calculations it can be assumed to be a 10mbit
interface. If you get this wrong, no real harm is done. Getting it
right will make everything more precise.

The second line creates a 512kbit class with some reasonable defaults.
For details, see the cbq manpages and Chapter 9.

The last line tells which traffic should go to the shaped class.
Traffic not matched by this rule is NOT shaped. To make more
complicated matches (subnets, source ports, destination ports), see
Section 9.6.2.

If you changed anything and want to reload the script, execute 'tc
qdisc del dev $DEV root' to clean up your existing configuration.

The script can further be improved by adding a last optional line 'tc
qdisc add dev $DEV parent 1:1 sfq perturb 10'. See Section 9.2.3 for
details on what this does.

 

15.10. Example of a full nat solution with QoS

I am Pedro Larroy <piotr%member.fsf.org>. Here I am describing a common
set-up where we have lots of users in a private network connected to
the Internet through a Linux router with a public ip address that is
doing network address translation (NAT). I use this QoS setup to give
access to the Internet to 198 users in a university dorm, in which I
live and am the admin of the network. The users here make heavy use of
peer to peer programs, so proper traffic control is a must. I hope this
serves as a practical example for all interested lartc readers.

At first I take a practical approach with step by step configuration,
and in the end I explain how to make the process automatic at boot
time. The network to which this example applies is a private LAN
connected to the Internet through a Linux router which has one public
ip address. Extending it to several public ip addresses should be very
easy; a couple of iptables rules should be added. In order to get
things working we need:

Linux 2.4.18 or higher kernel version installed
   
    If you use 2.4.18 you will have to apply the HTB patch.
   
iproute
   
    Be sure that the tc binary is HTB ready; a precompiled binary is
    distributed with HTB.
   
iptables
   
 

15.10.1. Let's begin optimizing that scarce bandwidth

First we set up some qdiscs in which we will classify the traffic. We
create a htb qdisc with 6 classes with ascending priority. Then we have
classes that will always get their allocated rate, but can use the
unused bandwidth that other classes do not need. Recall that classes
with higher priority (i.e. with a lower prio number) get the excess
bandwidth allocated first. Our connection is 2Mb down, 300kbit/s up
ADSL. I use 240kbit/s as the ceil rate just because it is the highest I
can set it before latency starts to grow, due to buffers filling up
somewhere between us and the remote hosts. This parameter should be
tuned experimentally, raising and lowering it while observing the
latency to some nearby hosts.

Adjust CEIL to 75% of your upstream bandwidth limit for now, and where
I use eth0, you should use the interface which has a public Internet
address. To begin our example, execute the following in a root shell:

CEIL=240                                                                              
tc qdisc add dev eth0 root handle 1: htb default 15                                   
tc class add dev eth0 parent 1: classid 1:1 htb rate ${CEIL}kbit ceil ${CEIL}kbit     
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 80kbit ceil 80kbit prio 0      
tc class add dev eth0 parent 1:1 classid 1:11 htb rate 80kbit ceil ${CEIL}kbit prio 1 
tc class add dev eth0 parent 1:1 classid 1:12 htb rate 20kbit ceil ${CEIL}kbit prio 2 
tc class add dev eth0 parent 1:1 classid 1:13 htb rate 20kbit ceil ${CEIL}kbit prio 2 
tc class add dev eth0 parent 1:1 classid 1:14 htb rate 10kbit ceil ${CEIL}kbit prio 3 
tc class add dev eth0 parent 1:1 classid 1:15 htb rate 30kbit ceil ${CEIL}kbit prio 3 
tc qdisc add dev eth0 parent 1:12 handle 120: sfq perturb 10                          
tc qdisc add dev eth0 parent 1:13 handle 130: sfq perturb 10                          
tc qdisc add dev eth0 parent 1:14 handle 140: sfq perturb 10                          
tc qdisc add dev eth0 parent 1:15 handle 150: sfq perturb 10                          
                                                                                      

We have created a htb tree with one level of depth. Something like
this:

+---------+                                                         
| root 1: |                                                         
+---------+                                                         
     |                                                              
+---------------------------------------+                           
| class 1:1                             |                           
+---------------------------------------+                           
  |      |      |      |      |      |                              
+----+ +----+ +----+ +----+ +----+ +----+                           
|1:10| |1:11| |1:12| |1:13| |1:14| |1:15|                           
+----+ +----+ +----+ +----+ +----+ +----+                           
                                                                    


classid 1:10 htb rate 80kbit ceil 80kbit prio 0
   
    This is the highest priority class. The packets in this class will
    have the lowest delay and will get the excess bandwidth first, so
    it is a good idea to limit the ceil rate of this class. We will
    send through this class the packets that benefit from low delay,
    such as interactive traffic: ssh, telnet, dns, quake3, irc, and
    packets with the SYN flag.
   
classid 1:11 htb rate 80kbit ceil ${CEIL}kbit prio 1
   
    Here we have the first class in which we can start to put bulk
    traffic. In my example I have traffic from the local web server and
    requests for web pages: source port 80 and destination port 80
    respectively.
   
classid 1:12 htb rate 20kbit ceil ${CEIL}kbit prio 2
   
    In this class I will put traffic with the Maximize-Throughput TOS
    bit set, and the rest of the traffic that goes from local processes
    on the router to the Internet. So the following classes will only
    have traffic that is "routed through" the box.
   
classid 1:13 htb rate 20kbit ceil ${CEIL}kbit prio 2
   
    This class is for the traffic of other NATed machines that need
    higher priority in their bulk traffic.
   
classid 1:14 htb rate 10kbit ceil ${CEIL}kbit prio 3
   
    Here goes mail traffic (SMTP, pop3, ...) and packets with the
    Minimize-Cost TOS bit set.
   
classid 1:15 htb rate 30kbit ceil ${CEIL}kbit prio 3
   
    And finally, here we have bulk traffic from the NATed machines
    behind the router. All kazaa, edonkey and the like go here, so that
    they do not interfere with other services.
   
   
 

15.10.2. Classifying packets

We have created the qdisc setup, but no packet classification has been
made yet, so right now all outgoing packets go out in class 1:15
(because we used: tc qdisc add dev eth0 root handle 1: htb default 15).
Now we need to tell which packets go where. This is the most important
part.

Now we set the filters so that we can classify the packets with
iptables. I really prefer to do it with iptables, because it is very
flexible and you have a packet count for each rule. Also, with the
RETURN target, packets do not need to traverse all rules. We execute
the following commands:

tc filter add dev eth0 parent 1:0 protocol ip prio 1 handle 1 fw classid 1:10 
tc filter add dev eth0 parent 1:0 protocol ip prio 2 handle 2 fw classid 1:11 
tc filter add dev eth0 parent 1:0 protocol ip prio 3 handle 3 fw classid 1:12 
tc filter add dev eth0 parent 1:0 protocol ip prio 4 handle 4 fw classid 1:13 
tc filter add dev eth0 parent 1:0 protocol ip prio 5 handle 5 fw classid 1:14 
tc filter add dev eth0 parent 1:0 protocol ip prio 6 handle 6 fw classid 1:15 
                                                                              

We have just told the kernel that packets with a specific FWMARK value
(handle x fw) go in the specified class (classid x:x). Next you will
see how to mark packets with iptables.

First you have to understand how packets traverse the filters with
iptables:

        +------------+                +---------+               +-------------+           
Packet -| PREROUTING |--- routing-----| FORWARD |-------+-------| POSTROUTING |- Packets  
input   +------------+    decision    +---------+       |       +-------------+    out    
                             |                          |                                 
                        +-------+                    +--------+                           
                        | INPUT |---- Local process -| OUTPUT |                           
                        +-------+                    +--------+                           
                                                                                          
                                                                                          

I assume you have all your tables created and with default policy
ACCEPT (-P ACCEPT). If you have not poked at iptables before, it should
be ok by default. Our private network is a class B with address
172.17.0.0/16, and the public ip is 212.170.21.172.

Next we instruct the kernel to actually do NAT, so clients in the
private network can start talking to the outside.

echo 1 > /proc/sys/net/ipv4/ip_forward                                                              
iptables -t nat -A POSTROUTING -s 172.17.0.0/255.255.0.0 -o eth0 -j SNAT --to-source 212.170.21.172 
                                                                                                    

Now check that packets are flowing through 1:15:

tc -s class show dev eth0                                           
                                                                    


We can start marking packets by adding rules to the PREROUTING chain in
the mangle table.

iptables -t mangle -A PREROUTING -p icmp -j MARK --set-mark 0x1     
iptables -t mangle -A PREROUTING -p icmp -j RETURN                  
                                                                    

Now you should be able to see the packet count of 1:10 increasing when
pinging from machines within the private network to some site on the
Internet. Check it:

tc -s class show dev eth0                                           
                                                                    

We have done a -j RETURN so packets do not traverse all rules. Icmp
packets will not match any rules below the RETURN. Keep that in mind.
Now we can start adding more rules; let's do proper TOS handling:

iptables -t mangle -A PREROUTING -m tos --tos Minimize-Delay -j MARK --set-mark 0x1       
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Delay -j RETURN                    
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Cost -j MARK --set-mark 0x5        
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Cost -j RETURN                     
iptables -t mangle -A PREROUTING -m tos --tos Maximize-Throughput -j MARK --set-mark 0x6  
iptables -t mangle -A PREROUTING -m tos --tos Maximize-Throughput -j RETURN               
                                                                                          

Now prioritize ssh packets:

iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 22 -j MARK --set-mark 0x1  
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 22 -j RETURN               
                                                                                  

It is a good idea to prioritize packets that begin tcp connections,
those with the SYN flag set:

iptables -t mangle -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x1 
iptables -t mangle -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN              
                                                                                                  

And so on. When we are done adding rules to PREROUTING in mangle, we
terminate the PREROUTING table with:

iptables -t mangle -A PREROUTING -j MARK --set-mark 0x6             
                                                                    

So previously unmarked traffic goes to 1:15. In fact this last step is
unnecessary, since the default class is 1:15, but I mark it anyway to keep the
whole setup consistent, and because it is useful to see the counter of that
rule.

It is a good idea to do the same in the OUTPUT chain, so repeat those commands
with -A OUTPUT instead of -A PREROUTING (s/PREROUTING/OUTPUT/). Then traffic
generated locally (on the Linux router) will also be classified. I finish the
OUTPUT chain with -j MARK --set-mark 0x3, so that local traffic has a higher
priority.
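The RETURN after every MARK is what keeps the catch-all rule at the end of the chain from overwriting a mark; a rule that lacks it silently drops its traffic into 1:15. The following script is an added example, not part of the HOWTO: it audits a chain from an iptables-save dump (the constructed sample below leaves the ssh rule without its RETURN) and reports each MARK rule that is not immediately followed by a RETURN with the same match.

```shell
#!/bin/sh
# Added example (not from the HOWTO): audit one mangle chain in an
# iptables-save dump and report every MARK rule that is not immediately
# followed by a RETURN carrying the same match. Without that RETURN the packet
# keeps traversing the chain and the terminating "-j MARK --set-mark 0x6"
# overwrites its mark, so it ends up in class 1:15 instead of its own class.
#
# Usage: check_mark_return CHAIN < saved-rules    (CHAIN: PREROUTING or OUTPUT)
# Prints one "unprotected: <rule>" line per offending rule; returns 1 if any.
check_mark_return() {
    awk -v chain="$1" '
        BEGIN { bad = 0; pending = "" }
        # only rules of the requested chain; rules added with -I appear as -A
        # in the saved dump, already in their final position
        $1 == "-A" && $2 == chain {
            rule = $0
            matchpart = rule
            sub(/ -j .*$/, "", matchpart)       # everything before the target
            if (rule ~ / -j MARK /) {
                if (pending != "") {            # previous MARK never got a RETURN
                    print "unprotected: " pending; bad = 1
                }
                pending = rule; pendmatch = matchpart
                next
            }
            if (pending != "") {
                # only a RETURN with the identical match protects the MARK
                if (rule !~ / -j RETURN$/ || matchpart != pendmatch) {
                    print "unprotected: " pending; bad = 1
                }
                pending = ""
            }
        }
        # a MARK still pending at the end of the chain is the intended catch-all
        END { exit bad }'
}

# constructed sample dump: the ssh MARK rule is missing its RETURN
SAMPLE_RULES='*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p icmp -j MARK --set-mark 0x1
-A PREROUTING -p icmp -j RETURN
-A PREROUTING -p tcp -m tcp --sport 22 -j MARK --set-mark 0x1
-A PREROUTING -m tos --tos Minimize-Cost -j MARK --set-mark 0x5
-A PREROUTING -m tos --tos Minimize-Cost -j RETURN
-A PREROUTING -j MARK --set-mark 0x6
-A OUTPUT -j MARK --set-mark 0x3
COMMIT'

printf '%s\n' "$SAMPLE_RULES" | check_mark_return PREROUTING \
    || echo "PREROUTING: fix the rules above before trusting the classes"
```

On a live router feed it the real dump: iptables-save -t mangle | check_mark_return PREROUTING.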

 

15.10.3. Improving our setup

Now we have our whole configuration working. Take time to look at the graphs,
and watch where the bandwidth is spent and how you want it to be spent. Doing
that for many hours, I finally got the Internet connection working really
well. Otherwise you will experience continuous timeouts and nearly no
bandwidth allocation to newly created TCP connections.

If you find that some classes are full most of the time, it would be a good
idea to attach another queueing discipline to them, so that bandwidth sharing
is more fair:

tc qdisc add dev eth0 parent 1:13 handle 130: sfq perturb 10        
tc qdisc add dev eth0 parent 1:14 handle 140: sfq perturb 10        
tc qdisc add dev eth0 parent 1:15 handle 150: sfq perturb 10        
                                                                    


 

15.10.4. Making all of the above start at boot

It can surely be done in many ways. In my case, I have a shell script
/etc/init.d/packetfilter that accepts [start | stop | stop-tables |
start-tables | reload-tables]; it configures the qdiscs and loads the needed
kernel modules, so it behaves much like a daemon. The same script loads the
iptables rules from /etc/network/iptables-rules, which can be saved with
iptables-save and restored with iptables-restore.

 

Chapter 16. Building bridges, and pseudo-bridges with Proxy ARP

Bridges are devices which can be installed in a network without any
reconfiguration. A network switch is basically a many-port bridge. A bridge
is often a 2-port switch. Linux does however support multiple interfaces in
a bridge, making it a true switch.

Bridges are often deployed when confronted with a broken network that needs
to be fixed without any alterations. Because the bridge is a layer-2 device,
one layer below IP, routers and servers are not aware of its existence. This
means that you can transparently block or modify certain packets, or do
shaping.

Another good thing is that a bridge can often be replaced by a cross cable
or a hub, should it break down.

The bad news is that a bridge can cause great confusion unless it is very
well documented. It does not appear in traceroutes, but somehow packets
disappear or get changed between point A and point B ('this network is
HAUNTED!'). You should also wonder whether an organization that 'does not
want to change anything' is doing the right thing.

The Linux 2.4/2.5 bridge is documented at <http://bridge.sourceforge.net/>.

 

16.1. State of bridging and iptables

As of Linux 2.4.20, bridging and iptables do not 'see' each other without
help. If you bridge packets from eth0 to eth1, they do not 'pass' by
iptables. This means that you cannot do filtering, NAT, mangling or
whatever. In Linux 2.5.45 and higher, this is fixed.

You may also see 'ebtables' mentioned, which is yet another project; it
allows you to do wild things like 'MACNAT' and 'brouting'. It is truly
scary.

 

16.2. Bridging and shaping

This does work as advertised. Be sure to figure out which side each
interface is on, otherwise you might be shaping outbound traffic on your
internal interface, which won't work. Use tcpdump if needed.

 

16.3. Pseudo-bridges with Proxy-ARP

If you just want to implement a pseudo-bridge, skip down a few sections to
'Implementing it', but it is wise to read a bit about how it works in
practice.

A pseudo-bridge works a bit differently. By default, a bridge passes packets
unaltered from one interface to the other. It only looks at the hardware
address of packets to determine what goes where. This in turn means that you
can bridge traffic that Linux does not understand, as long as it has a
hardware address.

A 'pseudo-bridge' works differently and looks more like a hidden router than
a bridge, but, like a bridge, it has little impact on the network design.

An advantage of not being a bridge lies in the fact that packets really pass
through the kernel, and can be filtered, changed, redirected or rerouted.

A real bridge can also be made to perform these feats, but it needs special
code, like the Ethernet Frame Diverter, or the patch mentioned above.

Another advantage of a pseudo-bridge is that it does not pass packets it
does not understand, thus cleaning your network of a lot of cruft. In cases
where you need this cruft (like SAP packets, or Netbeui), use a real bridge.

 

16.3.1. ARP & Proxy-ARP

When a host wants to talk to another host on the same physical network
segment, it sends out an Address Resolution Protocol packet, which, somewhat
simplified, reads like this: 'who has 10.0.0.1, tell 10.0.0.7'. In response
to this, 10.0.0.1 replies with a short 'here' packet.

10.0.0.7 then sends packets to the hardware address mentioned in the 'here'
packet. It caches this hardware address for a relatively long time, and
after the cache expires, it asks the question again.

When building a pseudo-bridge, we instruct the bridge to reply to these ARP
packets, which causes the hosts in the network to send their packets to the
bridge. The bridge then processes these packets, and sends them out of the
relevant interface.

So, in short, whenever a host on one side of the bridge asks for the
hardware address of a host on the other side, the bridge replies with a
packet that says 'hand it to me'.

This way, all data traffic gets transmitted to the right place, and always
passes through the bridge.

 

16.3.2. Implementing it

In the bad old days, it used to be possible to instruct the Linux kernel to
perform 'proxy-ARP' for just any subnet. So, to configure a pseudo-bridge,
you had to specify both the proper routes to both sides of the bridge AND
create matching proxy-ARP rules. This is bad in that it requires a lot of
typing, but also because it easily allows you to make mistakes which make
your bridge respond to ARP queries for networks it does not know how to
route to.

With Linux 2.4/2.5 (and possibly 2.2), this possibility has been withdrawn
and has been replaced by a flag in the /proc directory, called 'proxy_arp'.
The procedure for building a pseudo-bridge is then:

 

 1. Assign an IP address to both interfaces, the 'left' and the 'right' one
   
 2. Create routes so your machine knows which hosts reside on the left, and
    which on the right
   
 3. Turn on proxy-ARP on both interfaces:
    echo 1 > /proc/sys/net/ipv4/conf/ethL/proxy_arp and
    echo 1 > /proc/sys/net/ipv4/conf/ethR/proxy_arp, where L and R stand for
    the numbers of your interfaces on the left and on the right side
   
 

Also, do not forget to turn on the ip_forwarding flag! When converting from
a true bridge, you may find that this flag was turned off, as it is not
needed when bridging.

Another thing you might note when converting is that you need to clear the
ARP cache of the computers in the network: the ARP cache might contain old,
pre-bridge hardware addresses which are no longer correct.

On a Cisco, this is done using the command 'clear arp-cache'; under Linux,
use 'arp -d ip.address'. You can also wait for the cache to expire by
itself, which can take rather long.

You can speed this up using the wonderful 'arping' tool, which on many
distributions is part of the 'iputils' package. Using 'arping' you can send
out unsolicited ARP messages so as to update remote ARP caches.

This is a very powerful technique, which is also used by 'black hats' to
subvert your routing!

    Note: On Linux 2.4, you may need to execute
    'echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind' before being able to
    send out unsolicited ARP messages!
   
You may also discover that your network was misconfigured if you are (or
were) in the habit of specifying routes without netmasks. To explain: some
versions of route may have guessed your netmask right in the past, or
guessed wrong without you noticing. When doing surgical routing like the one
described above, it is *vital* that you check your netmasks!
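Step 3 and the ip_forwarding reminder are the two things that are easy to get wrong when converting a real bridge, and both are just flags under /proc. The following check is an added example, not part of the HOWTO: it verifies that proxy_arp is on for both interfaces and that ip_forward is on, and reports which flag is absent or off. The interface names and the constructed /proc tree used at the end are assumptions; on a live router pass "/" as the root.

```shell
#!/bin/sh
# Added example (not from the HOWTO): verify the kernel flags a proxy-ARP
# pseudo-bridge needs: proxy_arp on both interfaces and ip_forward, which is
# easily left off after converting from a real bridge. ROOT is prepended to
# every /proc path so the check can also be run against a constructed tree.
#
# Usage: check_pseudo_bridge ROOT LEFT_IF RIGHT_IF
# Prints each flag that is absent or 0; returns 1 if any, 0 when all are 1.
check_pseudo_bridge() {
    root="${1%/}"; left="$2"; right="$3"
    failed=0
    for flag in "conf/$left/proxy_arp" "conf/$right/proxy_arp" "ip_forward"; do
        path="$root/proc/sys/net/ipv4/$flag"
        if [ ! -r "$path" ]; then
            # the per-interface directory only exists for a present interface
            echo "absent: $path (no such interface?)"
            failed=1
        elif [ "$(cat "$path")" != "1" ]; then
            echo "off: $path"
            failed=1
        fi
    done
    return $failed
}

# Build a constructed /proc tree (assumed interfaces eth0 and eth1) in which
# proxy_arp is set on both sides but ip_forward was left off, the classic
# mistake after a bridge conversion, and run the check against it.
demo_pseudo_bridge_check() {
    tree=$(mktemp -d)
    mkdir -p "$tree/proc/sys/net/ipv4/conf/eth0" "$tree/proc/sys/net/ipv4/conf/eth1"
    echo 1 > "$tree/proc/sys/net/ipv4/conf/eth0/proxy_arp"
    echo 1 > "$tree/proc/sys/net/ipv4/conf/eth1/proxy_arp"
    echo 0 > "$tree/proc/sys/net/ipv4/ip_forward"
    check_pseudo_bridge "$tree" eth0 eth1   # prints: off: .../ip_forward
    status=$?
    rm -rf "$tree"
    return $status
}

demo_pseudo_bridge_check || echo "pseudo-bridge is not complete"
```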

 

Chapter 17. Dynamic routing - OSPF and BGP

Once your network starts to get really big, or you start to consider 'the
Internet' as your network, you need tools which dynamically route your data.
Sites are often connected to each other with multiple links, and more are
popping up all the time.

The Internet has mostly standardized on OSPF (RFC 2328) and BGP4 (RFC 1771).
Linux supports both, by way of gated and zebra.

While currently not within the scope of this document, we would like to point
you to the definitive works:

Overview:

Cisco Systems Designing large-scale IP Internetworks <http://
www.cisco.com/univercd/cc/td/doc/cisintwk/idg4/nd2003.htm>

For OSPF:

Moy, John T. "OSPF. The anatomy of an Internet routing protocol"
Addison Wesley. Reading, MA. 1998.

Halabi has also written a good guide to OSPF routing design, but this
appears to have been dropped from the Cisco web site.

For BGP:

Halabi, Bassam "Internet routing architectures" Cisco Press (New Riders
Publishing). Indianapolis, IN. 1997.

and also

Cisco Systems Using the Border Gateway Protocol for interdomain routing
<http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/icsbgp4.htm>

Although the examples are Cisco-specific, they are remarkably similar to the
configuration language of Zebra :-)

 

17.1. Setting up OSPF with Zebra

Please let me know <mailto:piotr%member.fsf.org> if any of the following
information is not accurate, or if you have any suggestions. Zebra <http://
www.zebra.org> is a great dynamic routing software written by Kunihiro
Ishiguro, Toshiaki Takada and Yasuhiro Ohara. With Zebra, setting up OSPF is
quick and simple, but in practice there are lots of parameters to tune if you
have very specific needs. OSPF stands for Open Shortest Path First, and some
of its main features are:

Hierarchical
   
    Networks are grouped by areas, which are interconnected by a backbone
    area designated as area 0. All traffic goes through area 0, and all the
    routers in area 0 have routing information about all the other areas.
   
Fast convergence
   
    Routes are propagated very fast, compared with RIP, for example.
   
Bandwidth efficient
   
    It uses multicasting instead of broadcasting, so it doesn't flood other
    hosts with routing information that may be of no interest to them, thus
    reducing network overhead. Also, internal routers (those which only have
    interfaces in one area) don't hold routing information about other
    areas. Routers with interfaces in more than one area are called Area
    Border Routers, and hold topological information about the areas they
    are connected to.
   
CPU intensive
   
    OSPF is based on Dijkstra's Shortest Path First algorithm <http://
    www.soi.wide.ad.jp/class/99007/slides/13/07.html>, which is expensive
    compared with other routing algorithms. But really it is not that bad,
    since the shortest path is only calculated within each area; also, for
    small to medium sized networks this is not an issue, and you won't even
    notice.
   
Link state
   
    OSPF takes into account the special characteristics of networks and
    interfaces, such as bandwidth, link failures and monetary cost.
   
Open protocol and GPL'd software
   
    OSPF is an open protocol, and Zebra is GPL'd software, which has obvious
    advantages over proprietary software and protocols.
   
 

17.1.1. Prerequisites

 

Linux kernel
   
    Compiled with CONFIG_NETLINK_DEV and CONFIG_IP_MULTICAST (I am not sure
    whether anything else is needed).
   
iproute
   
Zebra
   
    Get it with your favourite package manager, or from zebra.org <http://
    www.zebra.org>.
   
 

17.1.2. Configuring Zebra

Let's take this network as an example:

----------------------------------------------------                                      
| 192.168.0.0/24                                   |                                      
|                                                  |                                      
|      Area 0    100BaseTX Switched                |                                      
|     Backbone     Ethernet                        |                                      
----------------------------------------------------                                      
  |           |                |              |                                           
  |           |                |              |                                           
  |eth1       |eth1            |eth0          |                                           
  |100BaseTX  |100BaseTX       |100BaseTX     |100BaseTX                                  
  |.1         |.2              |.253          |                                           
 ---------   ------------   -----------      ----------------                             
 |R Omega|   |R Atlantis|   |R Legolas|      |R Frodo       |                             
 ---------   ------------   -----------      ----------------                             
  |eth0         |eth0             |             |          |                              
  |             |                 |             |          |                              
  |2MbDSL/ATM   |100BaseTX        |10BaseT      |10BaseT   |10BaseT                       
------------   ------------------------------------       ------------------------------- 
| Internet |   | 172.17.0.0/16        Area 1      |       |  192.168.1.0/24 wlan  Area 2| 
------------   |         Student network (dorm)   |       |       barcelonawireless     | 
               ------------------------------------       ------------------------------- 
                                                                                          

Don't be afraid of this diagram: zebra does most of the work automatically,
so it takes little effort to set all the routes up with zebra. Maintaining
all those routes by hand from day to day would be painful. The most important
thing you must have clear is the network topology. And be careful with area
0, since it is the most important one. First configure zebra, editing
zebra.conf and adapting it to your needs:

hostname omega                                                      
password xxx                                                        
enable password xxx                                                 
!                                                                   
! Interface's description.                                          
!                                                                   
!interface lo                                                       
! description test of desc.                                         
!                                                                   
interface eth1                                                      
multicast                                                           
!                                                                   
! Static default route                                              
!                                                                   
ip route 0.0.0.0/0 212.170.21.129                                   
!                                                                   
log file /var/log/zebra/zebra.log                                   
                                                                    

On Debian, you also have to edit /etc/zebra/daemons so that the daemons are
started at boot:

zebra=yes                                                           
ospfd=yes                                                           
                                                                    

Then edit ospfd.conf if you are still running IPv4, or ospf6d.conf if you run
IPv6. My ospfd.conf looks like this:

hostname omega                                                      
password xxx                                                        
enable password xxx                                                 
!                                                                   
router ospf                                                         
  network 192.168.0.0/24 area 0                                     
  network 172.17.0.0/16 area 1                                      
!                                                                   
! log stdout                                                        
log file /var/log/zebra/ospfd.log                                   
                                                                    

That tells ospf about our network topology.

 

17.1.3. Running Zebra

Now we have to start Zebra, either by typing "zebra -d" by hand or with a
script like "/etc/init.d/zebra start". Then, carefully watching the ospfd
logs, we should see something like this:

2002/12/13 22:46:24 OSPF: interface 192.168.0.1 join AllSPFRouters Multicast group.   
2002/12/13 22:46:34 OSPF: SMUX_CLOSE with reason: 5                                   
2002/12/13 22:46:44 OSPF: SMUX_CLOSE with reason: 5                                   
2002/12/13 22:46:54 OSPF: SMUX_CLOSE with reason: 5                                   
2002/12/13 22:47:04 OSPF: SMUX_CLOSE with reason: 5                                   
2002/12/13 22:47:04 OSPF: DR-Election[1st]: Backup 192.168.0.1                        
2002/12/13 22:47:04 OSPF: DR-Election[1st]: DR     192.168.0.1                        
2002/12/13 22:47:04 OSPF: DR-Election[2nd]: Backup 0.0.0.0                            
2002/12/13 22:47:04 OSPF: DR-Election[2nd]: DR     192.168.0.1                        
2002/12/13 22:47:04 OSPF: interface 192.168.0.1 join AllDRouters Multicast group.     
2002/12/13 22:47:06 OSPF: DR-Election[1st]: Backup 192.168.0.2                        
2002/12/13 22:47:06 OSPF: DR-Election[1st]: DR     192.168.0.1                        
2002/12/13 22:47:06 OSPF: Packet[DD]: Negotiation done (Slave).                       
2002/12/13 22:47:06 OSPF: nsm_change_status(): scheduling new router-LSA origination  
2002/12/13 22:47:11 OSPF: ospf_intra_add_router: Start                                
                                                                                      

Ignore the SMUX_CLOSE messages for now, since they are about SNMP. We can see
that 192.168.0.1 is the Designated Router and 192.168.0.2 is the Backup
Designated Router.
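Reading the election result by eye works for one router; a script can do the same over the whole log. The following is an added example, not part of the HOWTO: it extracts the last DR and Backup DR that ospfd logged and fails when the segment has no usable backup (Backup 0.0.0.0, or a backup equal to the DR, as in the first round above). The sample log lines are constructed after the log above.

```shell
#!/bin/sh
# Added example (not from the HOWTO): scripted check of the DR election in
# an ospfd log. Each election round logs "DR-Election[Nth]: DR <ip>" and
# "DR-Election[Nth]: Backup <ip>"; the last value logged for each wins.
#
# Usage: ospf_election < ospfd.log        -> prints "DR=<ip> BDR=<ip>"
ospf_election() {
    awk '
        /OSPF: DR-Election\[/ {
            # the role is the second-to-last field, the address the last one
            if ($(NF-1) == "DR")     dr  = $NF
            if ($(NF-1) == "Backup") bdr = $NF
        }
        END { printf "DR=%s BDR=%s\n", dr, bdr }'
}

# Usage: ospf_check_redundancy < ospfd.log
# Returns 0 when a distinct Backup DR exists, 1 when the segment would lose
# all routing if the DR went away (no backup elected, or backup == DR).
ospf_check_redundancy() {
    result=$(ospf_election)
    dr=${result#DR=}; dr=${dr%% *}
    bdr=${result##*BDR=}
    if [ "$bdr" = "0.0.0.0" ] || [ "$bdr" = "$dr" ]; then
        echo "no usable backup DR (DR=$dr BDR=$bdr)"
        return 1
    fi
    echo "backup DR present (DR=$dr BDR=$bdr)"
    return 0
}

# constructed sample, abridged from the log above: the first rounds elect
# 192.168.0.1 for both roles, the last round brings in 192.168.0.2 as backup
SAMPLE_LOG='2002/12/13 22:47:04 OSPF: DR-Election[1st]: Backup 192.168.0.1
2002/12/13 22:47:04 OSPF: DR-Election[1st]: DR     192.168.0.1
2002/12/13 22:47:04 OSPF: DR-Election[2nd]: Backup 0.0.0.0
2002/12/13 22:47:04 OSPF: DR-Election[2nd]: DR     192.168.0.1
2002/12/13 22:47:06 OSPF: DR-Election[1st]: Backup 192.168.0.2
2002/12/13 22:47:06 OSPF: DR-Election[1st]: DR     192.168.0.1'

printf '%s\n' "$SAMPLE_LOG" | ospf_election          # DR=192.168.0.1 BDR=192.168.0.2
printf '%s\n' "$SAMPLE_LOG" | ospf_check_redundancy || echo "check the segment"
```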

We can also interact with the zebra and ospfd interfaces by executing:

$ telnet localhost zebra                                            
$ telnet localhost ospfd                                            
                                                                    

Let's see whether the routes are propagating. Log into zebra and type:

root@atlantis:~# telnet localhost zebra                                 
Trying 127.0.0.1...                                                     
Connected to atlantis.                                                  
Escape character is '^]'.                                               
                                                                        
Hello, this is zebra (version 0.92a).                                   
Copyright 1996-2001 Kunihiro Ishiguro.                                  
                                                                        
User Access Verification                                                
                                                                        
Password:                                                               
atlantis> show ip route                                                 
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,  
       B - BGP, > - selected route, * - FIB route                       
                                                                        
K>* 0.0.0.0/0 via 192.168.0.1, eth1                                     
C>* 127.0.0.0/8 is directly connected, lo                               
O   172.17.0.0/16 [110/10] is directly connected, eth0, 06:21:53        
C>* 172.17.0.0/16 is directly connected, eth0                           
O   192.168.0.0/24 [110/10] is directly connected, eth1, 06:21:53       
C>* 192.168.0.0/24 is directly connected, eth1                          
atlantis> show ip ospf border-routers                                   
============ OSPF router routing table =============                    
R    192.168.0.253         [10] area: (0.0.0.0), ABR                    
                           via 192.168.0.253, eth1                      
                                 [10] area: (0.0.0.1), ABR              
                           via 172.17.0.2, eth0                         
                                                                        

Or with iproute directly:

root@omega:~# ip route                                                    
212.170.21.128/26 dev eth0  proto kernel  scope link  src 212.170.21.172  
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.1        
172.17.0.0/16 via 192.168.0.2 dev eth1  proto zebra  metric 20            
default via 212.170.21.129 dev eth0  proto zebra                          
root@omega:~#                                                             
                                                                          

We can see the zebra routes, which weren't there before. It is really nice to
see routes appearing just a few seconds after you start zebra and ospfd. You
can check connectivity to the other hosts with ping. Zebra routes are
automatic: you can just add more routers to the network, configure zebra, and
voila!

Hint: you can use the following to capture OSPF packets for analysis:

tcpdump -i eth1 ip[9] == 89                                         
                                                                    

OSPF is IP protocol number 89, and the protocol field is the 9th octet of the
IP header.

OSPF has lots of tunable parameters, especially for large networks. In
further additions to this HOWTO we will show some methodologies for
fine-tuning OSPF.

 

17.2. Setting up BGP4 with Zebra

The Border Gateway Protocol Version 4 (BGP4) is a dynamic routing protocol
described in RFC 1771. It allows the distribution of reachability
information, i.e. routing tables, to other BGP4-enabled nodes. It can be used
either as an EGP or as an IGP; in EGP mode each node must have its own
Autonomous System (AS) number. BGP4 supports Classless Inter-Domain Routing
(CIDR) and route aggregation (merging multiple routes into one).

 

17.2.1. Network map (example)

The following network map is used for the examples below. AS 1 and AS 50
have more neighbors, but we only need to configure 1 and 50 as our
neighbors. In this example all nodes communicate over tunnels, but that is
not a requirement.

Note: the AS numbers used in this example are reserved; please get your own
AS from RIPE if you set up official peerings.


          --------------------                                      
          | 192.168.23.12/24 |                                      
          |    AS: 23        |                                      
          --------------------                                      
            /             \                                         
           /               \                                        
          /                 \                                       
------------------       ------------------                         
| 192.168.1.1/24 |-------| 10.10.1.1/16   |                         
|    AS: 1       |       |    AS: 50      |                         
------------------       ------------------                         

 

17.2.2. Configuration (example)

The following configuration is written for node 192.168.23.12/24; it is easy
to adapt to the other nodes.

It starts with some general stuff like hostname, passwords and debug
switches:


! hostname                                                          
hostname anakin                                                     
                                                                    
! login password                                                    
password xxx                                                        
                                                                    
! enable password (super user mode)                                 
enable password xxx                                                 
                                                                    
! path to logfile                                                   
log file /var/log/zebra/bgpd.log                                    
                                                                    
! debugging: be verbose (can be removed afterwards)                 
debug bgp events                                                    
debug bgp filters                                                   
debug bgp fsm                                                       
debug bgp keepalives                                                
debug bgp updates                                                   


An access list, used to limit the redistribution to private networks
(RFC 1918):


! RFC 1918 networks                                                 
access-list local_nets permit 192.168.0.0/16                        
access-list local_nets permit 172.16.0.0/12                         
access-list local_nets permit 10.0.0.0/8                            
access-list local_nets deny any                                     


The next step is the configuration for our own AS:


! Own AS number                                                       
router bgp 23                                                         
                                                                      
    ! IP address of the router                                        
    bgp router-id 192.168.23.12                                       
                                                                      
    ! announce our own network to other neighbors                     
    network 192.168.23.0/24                                           
                                                                      
    ! advertise all connected routes (= directly attached interfaces) 
    redistribute connected                                            
                                                                      
    ! advertise kernel routes (= manually inserted routes)            
    redistribute kernel                                               


The 'router bgp' block contains the list of neighbors to which the router is
connected:


    neighbor 192.168.1.1 remote-as 1                                
    neighbor 192.168.1.1 distribute-list local_nets in              
    neighbor 10.10.1.1   remote-as 50                               
    neighbor 10.10.1.1   distribute-list local_nets in              

 

17.2.3. Checking the configuration

Note: vtysh is a multiplexer that connects all of the Zebra interfaces
together.


anakin# sh ip bgp summary                                                         
BGP router identifier 192.168.23.12, local AS number 23                           
2 BGP AS-PATH entries                                                             
0 BGP community entries                                                           
                                                                                  
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd  
10.10.0.1       4    50      35      40        0    0    0 00:28:40        1      
192.168.1.1     4     1   27574   27644        0    0    0 03:26:04       14      
                                                                                  
Total number of neighbors 2                                                       
anakin#                                                                           
anakin# sh ip bgp neighbors 10.10.0.1                                             
BGP neighbor is 10.10.0.1, remote AS 50, local AS 23, external link               
  BGP version 4, remote router ID 10.10.0.1                                       
  BGP state = Established, up for 00:29:01                                        
  ....                                                                            
anakin#                                                                           


Let's see what routes we got from our neighbors:


anakin# sh ip ro bgp                                                    
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,  
       B - BGP, > - selected route, * - FIB route                       
                                                                        
B>* 172.16.0.0/14 [20/0] via 192.168.1.1, tun0, 2d10h19m                
B>* 172.30.0.0/16 [20/0] via 192.168.1.1, tun0, 10:09:24                
B>* 192.168.5.10/32 [20/0] via 192.168.1.1, tun0, 2d10h27m              
B>* 192.168.5.26/32 [20/0] via 192.168.1.1, tun0, 10:09:24              
B>* 192.168.5.36/32 [20/0] via 192.168.1.1, tun0, 2d10h19m              
B>* 192.168.17.0/24 [20/0] via 192.168.1.1, tun0, 3d05h07m              
B>* 192.168.17.1/32 [20/0] via 192.168.1.1, tun0, 3d05h07m              
B>* 192.168.32.0/24 [20/0] via 192.168.1.1, tun0, 2d10h27m              
anakin#                                                                 

 

Chapter 18. Other possibilities

This chapter is a list of projects having to do with advanced Linux routing
and traffic shaping. Some of these links may deserve chapters of their own;
some are documented very well by themselves, and don't need more HOWTO.

802.1Q VLAN implementation for Linux <http://scry.wanfear.com/~greear/vlan.html>
   
    VLANs are a very cool way to segregate your networks in a more virtual
    than physical way. Good information on VLANs can be found at <ftp://
    ftp.netlab.ohio-state.edu/pub/jain/courses/cis788-97/virtual_lans/
    index.htm>. With this implementation, you can have your Linux box talk
    VLANs with machines like Cisco Catalyst, 3Com: {Corebuilder, Netbuilder
    II, SuperStack II switch 630}, Extreme Ntwks Summit 48, Foundry:
    {ServerIronXL, FastIron}.
   
    A great HOWTO about VLANs can be found at <http://scry.wanfear.com/
    ~greear/vlan/cisco_howto.html>.
   
    Update: it has been included in the kernel as of 2.4.14 (perhaps 13).
   
Alternate 802.1Q VLAN implementation for Linux <http://vlan.sourceforge.net>
   
    An alternative VLAN implementation for Linux. This project was started
    out of disagreement with the 'established' VLAN project's architecture
    and coding style, resulting in a cleaner overall design.
   
Linux Virtual Server <http://www.LinuxVirtualServer.org/>
   
    These people are brilliant. The Linux Virtual Server is a highly
    scalable and highly available server built on a cluster of real
    servers, with the load balancer running on the Linux operating system.
    The architecture of the cluster is transparent to end users, who only
    see a single virtual server.
   
    In short, whatever you need to load balance, at whatever level of
    traffic, LVS has a way of doing it. Some of their techniques are
    positively evil! For example, they let several machines have the same IP
    address on a segment, but turn off ARP on them. Only the LVS machine
    does ARP; it then decides which of the backend hosts should handle an
    incoming packet, and sends it directly to the right MAC address of the
    backend server. Outgoing traffic flows directly to the router, and not
    through the LVS machine, which therefore does not need to see your
    5Gbit/s of content flowing to the world, and cannot become a
    bottleneck.
   
    LVS is implemented as a kernel patch for Linux 2.0 and 2.2, but as a
    netfilter module in 2.4/2.5, so it does not need kernel patches. Their
    2.4 support is still in early development, so beat on it and give
    feedback or send patches.
   
CBQ.init <ftp://ftp.equinox.gu.net/pub/linux/cbq/>
   
    Configuring CBQ can be a bit daunting, especially if all you want to do
    is shape some computers behind a router. CBQ.init can help you configure
    Linux with a simplified syntax.
   
    For example, if you want all computers in your 192.168.1.0/24 subnet
    (on 10mbit eth1) to be limited to 28kbit/s download speed, put this in
    the CBQ.init configuration file:
   
     
    
    DEVICE=eth1,10Mbit,1Mbit                                
    RATE=28Kbit                                             
    WEIGHT=2Kbit                                            
    PRIO=5                                                  
    RULE=192.168.1.0/24                                     
    
     
   
    By all means use this program if the 'how and why' don't interest you.
    We're using CBQ.init in production and it works very well. It can even
    do some more advanced things, like time dependent shaping. The
    documentation is embedded in the script, which explains why you can't
    find a README.
   
Chronox easy shaping scripts <http://www.chronox.de>
   
    Stephan Mueller (smueller@chronox.de) wrote two useful scripts,
    'limit.conn' and 'shaper'. The first one allows you to easily throttle
    a single download session, like this:
   
     
    
    # limit.conn -s SERVERIP -p SERVERPORT -l LIMIT         
    
     
   
    It works on Linux 2.2 and 2.4/2.5.
   
    The second script is more complicated, and can be used to make lots of
    different queues based on iptables rules, which are used to mark the
    packets that are then shaped.
   
Virtual Router Redundancy Protocol implementation (site 1 <http://
    w3.arobas.net/~jetienne/vrrpd/index.html>, site 2 <http://
    www.imagestream.com/VRRP.html>)
   
    This is purely for redundancy. Two machines share the same IP address
    and MAC address, and create a third, virtual IP and MAC address. Meant
    purely for routers, which need constant MAC addresses, it also works for
    servers.
   
    The beauty of this approach is the incredibly easy configuration. No
    kernel compiling or patching required, all userspace.
   
    Just run this on all machines participating in a service:
    
    # vrrpd -i eth0 -v 50 10.0.0.22                         
    
     
   
    And you are in business! 10.0.0.22 is now carried by one of your
    servers, probably the first one to run the vrrp daemon. Now disconnect
    that computer from the network, and very rapidly one of the other
    computers will assume the 10.0.0.22 address, as well as the MAC address.
   
    I tried this over here and had it up and running in 1 minute. For some
    strange reason it decided to drop my default gateway, but the -n flag
    prevented that.
   
    This is a 'live' fail over:
   
     
    
    64 bytes from 10.0.0.22: icmp_seq=3 ttl=255 time=0.2 ms   
    64 bytes from 10.0.0.22: icmp_seq=4 ttl=255 time=0.2 ms   
    64 bytes from 10.0.0.22: icmp_seq=5 ttl=255 time=16.8 ms  
    64 bytes from 10.0.0.22: icmp_seq=6 ttl=255 time=1.8 ms   
    64 bytes from 10.0.0.22: icmp_seq=7 ttl=255 time=1.7 ms   
    
     
   
    Not *one* ping packet was lost! Just after packet 4, I disconnected my
    P200 from the network, and my 486 took over, which you can see from the
    higher latency.
   
tc-config <http://slava.local.nsys.by/projects/tc_config/>
   
    tc_config is a set of scripts to configure Linux 2.4+ traffic control
    on RedHat (and maybe other) distributions (the version for Linux 2.2.X
    with ipchains is outdated). It uses the cbq qdisc at the root and the
    sfq qdisc as leaves.
   
    It includes the snmp_pass utility for monitoring traffic statistics via
    snmp.
   
 

Chapter 19. Further reading

http://snafu.freedom.org/linux2.2/iproute-notes.html
   
    Contains lots of technical information, and comments from the kernel
   
http://www.davin.ottawa.on.ca/ols/
   
    Slides by Jamal Hadi Salim, one of the authors of Linux traffic control
   
http://defiant.coinet.com/iproute2/ip-cref/
   
    HTML version of Alexey's LaTeX documentation; explains part of iproute2
    in great detail
   
http://www.aciri.org/floyd/cbq.html
   
    Sally Floyd has a good page on CBQ, including her original papers. None
    of it is Linux specific, but it does a fair job of discussing the theory
    and uses of CBQ. Very technical stuff, but good reading for those so
    inclined.
   
Differentiated Services on Linux
   
    This document <ftp://icaftp.epfl.ch/pub/linux/diffserv/misc/
    dsid-01.txt.gz> by Werner Almesberger, Jamal Hadi Salim and Alexey
    Kuznetsov describes the DiffServ facilities in the Linux kernel, amongst
    which are the TBF, GRED and DSMARK qdiscs and the tcindex classifier.
   
http://ceti.pl/~kravietz/cbq/NET4_tc.html
   
    Yet another HOWTO, this time in Polish! You can copy/paste the command
    lines however; they work just the same in every language. The author is
    cooperating with us and may soon author sections of this HOWTO.
   
IOS Committed Access Rate <http://www.cisco.com/univercd/cc/td/doc/
    product/software/ios111/cc111/car.htm>
   
    From the fine folks of Cisco, who have the laudable habit of putting
    their documentation online. Cisco syntax is different, but the concepts
    are the same, except that we can do more, and do it without routers the
    price of cars :-)
   
Docum experimental site <http://www.docum.org>
   
    Stef Coene is busy convincing his boss to sell Linux support, and so he
    is experimenting a lot, especially with managing bandwidth. His site has
    a lot of practical information, examples and tests, and also points out
    some CBQ/tc bugs.
   
TCP/IP Illustrated, volume 1, W. Richard Stevens, ISBN 0-201-63346-9
   
    Required reading if you truly want to understand TCP/IP. Entertaining as
    well.
   
Policy Routing Using Linux, Matthew G. Marsh, ISBN 0-672-32052-5
   
    The definitive book about policy routing, including examples.
   
 

Chapter 20. Acknowledgements

It is our goal to list everybody who has contributed to this HOWTO, or helped
us demystify how things work. While there are currently no plans for a
Netfilter-like scoreboard, we do like to recognize the people who are
helping.

 

 * Junk Alins <juanjo@mat.upc.es>
   
 * Joe Van Andel
   
 * Michael T. Babcock <mbabcock@fibrespeed.net>
   
 * Christopher Barton <cpbarton%uiuc.edu>
   
 * Ard van Breemen <ard%kwaak.net>
   
 * Ron Brinker <service%emcis.com>
   
 * Łukasz Bromirski <l.bromirski@mr0vka.eu.org>
   
 * Lennert Buytenhek <buytenh@gnu.org>
   
 * Esteve Camps <esteve@hades.udg.es>
   
 * Ricardo Javier Cardenes <ricardo%conysis.com>
   
 * Stef Coene <stef.coene@docum.org>
   
 * Don Cohen <don-lartc%isis.cs3-inc.com>
   
 * Jonathan Corbet <lwn%lwn.net>
   
 * Gerry N5JXS Creager <gerry%cs.tamu.edu>
   
 * Marco Davids <marco@sara.nl>
   
 * Jonathan Day <jd9812@my-deja.com>
   
 * Martin aka devik Devera <devik@cdi.cz>
   
 * Hannes Ebner <he%fli4l.de>
   
 * Derek Fawcus <dfawcus%cisco.com>
   
 * David Fries <dfries%mail.win.org>
   
 * Stephan "Kobold" Gehring <Stephan.Gehring@bechtle.de>
   
 * Jacek Glinkowski <jglinkow%hns.com>
   
 * Andrea Glorioso <sama%perchetopi.org>
   
 * Thomas Graf <tgraf%suug.ch>
   
 * Sandy Harris <sandy%storm.ca>
   
 * Nadeem Hasan <nhasan@usa.net>
   
 * Erik Hensema <erik%hensema.xs4all.nl>
   
 * Vik Heyndrickx <vik.heyndrickx@edchq.com>
   
 * Spauldo Da Hippie <spauldo%usa.net>
   
 * Koos van den Hout <koos@kzdoos.xs4all.nl>
   
 * Stefan Huelbrock <shuelbrock%datasystems.de>
   
 * Alexander W. Janssen <yalla%ynfonatic.de>
   
 * Andreas Jellinghaus <aj%dungeon.inka.de>
   
 * Gareth John <gdjohn%zepler.org>
   
 * Dave Johnson <dj@www.uk.linux.org>
   
 * Martin Josefsson <gandalf%wlug.westbo.se>
   
 * Andi Kleen <ak%suse.de>
   
 * Andreas J. Koenig <andreas.koenig%anima.de>
   
 * Pawel Krawczyk <kravietz%alfa.ceti.pl>
   
 * Amit Kucheria <amitk@ittc.ku.edu>
   
 * Pedro Larroy <piotr%member.fsf.org>
   
       Chapter 15, section 10: Example of a full nat solution with QoS
        
       Chapter 17, section 1: Setting up OSPF with Zebra
        
 * Edmund Lau <edlau%ucf.ics.uci.edu>
   
 * Philippe Latu <philippe.latu%linux-france.org>
   
 * Arthur van Leeuwen <arthurvl%sci.kun.nl>
   
 * Jose Luis Domingo Lopez <jdomingo@24x7linux.com>
   
 * Robert Lowe <robert.h.lowe@lawrence.edu>
   
 * Jason Lunz <j@cc.gatech.edu>
   
 * Stuart Lynne <sl@fireplug.net>
   
 * Alexey Mahotkin <alexm@formulabez.ru>
   
 * Predrag Malicevic <pmalic@ieee.org>
   
 * Patrick McHardy <kaber@trash.net>
   
 * Andreas Mohr <andi%lisas.de>
   
 * James Morris <jmorris@intercode.com.au>
   
 * Andrew Morton <akpm%zip.com.au>
   
 * Wim van der Most
   
 * Stephan Mueller <smueller@chronox.de>
   
 * Togan Muftuoglu <toganm%yahoo.com>
   
 * Chris Murray <cmurray@stargate.ca>
   
 * Patrick Nagelschmidt <dto%gmx.net>
   
 * Ram Narula <ram@princess1.net>
   
 * Jorge Novo <jnovo@educanet.net>
   
 * Patrik <ph@kurd.nu>
   
 * Pál Osgyány <oplab%westel900.net>
   
 * Lutz Preßler <Lutz.Pressler%SerNet.DE>
   
 * Jason Pyeron <jason%pyeron.com>
   
 * Rod Roark <rod%sunsetsystems.com>
   
 * Pavel Roskin <proski@gnu.org>
   
 * Rusty Russell <rusty%rustcorp.com.au>
   
 * Mihai RUSU <dizzy%roedu.net>
   
 * Rob Pitman <rob%pitman.co.za>
   
 * Jamal Hadi Salim <hadi%cyberus.ca>
   
 * René Serral <rserral%ac.upc.es>
   
 * David Sauer <davids%penguin.cz>
   
 * Sheharyar Suleman Shaikh <sss23@drexel.edu>
   
 * Stewart Shields <MourningBlade%bigfoot.com>
   
 * Nick Silberstein <nhsilber%yahoo.com>
   
 * Konrads Smelkov <konrads@interbaltika.com>
   
 * William Stearns <wstearns@pobox.com>
   
 * Andreas Steinmetz <ast%domdv.de>
   
 * Matthew Strait <straitm%mathcs.carleton.edu>
   
 * Jason Tackaberry <tack@linux.com>
   
 * Charles Tassell <ctassell%isn.net>
   
 * Glen Turner <glen.turner%aarnet.edu.au>
   
 * Tea Sponsor: Eric Veldhuyzen <eric%terra.nu>
   
 * Thomas Walpuski <thomas%bender.thinknerd.de>
   
 * Song Wang <wsong@ece.uci.edu>
   
 * Frank v Waveren <fvw@var.cx>
   
 * Chris Wilson <chris@netservers.co.uk>
   
 * Lazar Yanackiev <Lyanackiev%gmx.net>
 

 

Chapter 21. About the Japanese translation

This document was translated into Japanese by Takeo Nakano. The license is
the same as that of the original: the Open Publication License, v1.0 or
later.

The mailing list of the JF Project was used for the translation.
[name unreadable in this copy] checked the whole text, and [name unreadable
in this copy] contributed many technical comments. Many thanks to them.

