Is excessive outbound traffic from a Linux server a Trojan horse?
This is not a Trojan horse; it is a matter of configuration. Here are ways to control the traffic.

First, Linux has two traffic control mechanisms:

1. Queue control (QoS): rules that govern the send queue at the bottleneck, generally SFQ or PRIO.

2. Flow control, meaning bandwidth control: queue shaping, generally TBF or HTB.

Second, Linux has two kinds of traffic control algorithms:

1. Classless algorithms are used for queues with no branches at the leaf level, such as SFQ.

2. Classful algorithms are used for multi-branch queues, such as PRIO, TBF and HTB.

Third, the specific implementation:

1. Set up SFQ-based rate limiting on the network interface.

# tc qdisc add dev eth0 root handle 1: sfq

SFQ has a perturb parameter (the interval at which the hash algorithm is reset), which basically does not need manual adjustment.

handle 1: specifies the qdisc number; it can be left unset and assigned by the system.

# tc qdisc sh dev eth0    # display the algorithm

# tc qd del dev eth0 root    # delete

Note: by default eth0 supports TOS.

2. Set up TBF-based rate limiting on the network interface.

# tc qd add dev eth1 root handle 1: tbf rate 256kbit burst 10000 latency 50ms

Rate 256kbit, burst 10k, maximum latency 50ms.

# tc -s qd sh dev eth1    # statistics

# tc qd del dev eth1 root    # delete
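To read the counters that the `tc -s` statistics command above prints, the following added example (not part of the original page) condenses each qdisc record into one line and marks the qdiscs that are actually dropping or delaying packets. The function names and the sample output are constructed for illustration, and the parser assumes iproute2's usual record layout: a `qdisc` line followed by a `Sent` line.

```shell
#!/bin/sh
# Added example: summarise `tc -s qdisc show` counters, one line per qdisc.

# Constructed sample output (not captured from a real host).
sample_stats() {
cat <<'EOF'
qdisc tbf 1: root refcnt 2 rate 256Kbit burst 10000b lat 50.0ms
 Sent 48211034 bytes 41250 pkt (dropped 1873, overlimits 52910 requeues 0)
 backlog 0b 0p requeues 0
qdisc sfq 10: parent 1:1 limit 127p quantum 1514b depth 127 divisor 1024
 Sent 90412 bytes 812 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
EOF
}

# tc_summary: read `tc -s qdisc show` text on stdin and print, per qdisc:
#   <kind> <handle> bytes=<n> pkts=<n> dropped=<n> overlimits=<n> <state>
# state is LIMITING when the qdisc has dropped or held back packets,
# otherwise quiet.
tc_summary() {
    awk '
    $1 == "qdisc" { kind = $2; handle = $3; next }
    $1 == "Sent" {
        bytes = $2; pkts = $4; dropped = 0; over = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "(dropped")   { dropped = $(i+1); sub(/,/, "", dropped) }
            if ($i == "overlimits") { over = $(i+1) }
        }
        state = (dropped + over > 0) ? "LIMITING" : "quiet"
        printf "%s %s bytes=%s pkts=%s dropped=%s overlimits=%s %s\n",
               kind, handle, bytes, pkts, dropped, over, state
    }'
}

# Live use (needs iproute2): tc -s qdisc show dev eth1 | tc_summary
sample_stats | tc_summary
```

A TBF line marked LIMITING with a growing overlimits count means the host is trying to send more than the configured rate, which tells you the limit is in effect and that the source of the traffic is worth identifying.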

3. Set up PRIO on the network interface.

# tc qdisc add dev eth0 root handle 1: prio

This command immediately creates classes 1:1, 1:2 and 1:3 (there are three subclasses by default).

# tc qdisc add dev eth0 parent 1:1 handle 10: sfq

# tc qdisc add dev eth0 parent 1:2 handle 20: tbf rate 20kbit buffer 1600 limit 3000

Note: this is another way to write the TBF speed limit, which was explained in the previous article.

# tc qdisc add dev eth0 parent 1:3 handle 30: sfq

4. Web server traffic is limited to 5 Mbps and SMTP traffic to 3 Mbps. The two together may not exceed 6 Mbps, and they are allowed to borrow bandwidth from each other.

# tc qdisc add dev eth0 root handle 1:0 cbq bandwidth 100Mbit avpkt 1000 cell 8

# tc class add dev eth0 parent 1:0 classid 1:1 cbq bandwidth 100Mbit \
    rate 6Mbit weight 0.6Mbit prio 8 allot 1514 cell 8 maxburst 20 \
    avpkt 1000 bounded

This part sets up the root, 1:0, and by convention the bounded class 1:1. That is to say, the total bandwidth cannot exceed 6 Mbps.

# tc class add dev eth0 parent 1:1 classid 1:3 cbq bandwidth 100Mbit \
    rate 5Mbit weight 0.5Mbit prio 5 allot 1514 cell 8 maxburst 20 \
    avpkt 1000

# tc class add dev eth0 parent 1:1 classid 1:4 cbq bandwidth 100Mbit \
    rate 3Mbit weight 0.3Mbit prio 5 allot 1514 cell 8 maxburst 20 \
    avpkt 1000

Two classes are established. Notice how the weight parameter is adjusted in proportion to the rate. Neither class is configured as "bounded", but both are attached to class 1:1, and 1:1 is set to bounded. Therefore, the total bandwidth of the two classes will not exceed 6 Mbps. Don't forget that the child classes are under the same CBQ: the major number of a class ID must be the same as that of its parent CBQ!

# tc qdisc add dev eth0 parent 1:3 handle 30: sfq

# tc qdisc add dev eth0 parent 1:4 handle 40: sfq

By default, both classes have a FIFO queue, but we replace it with an SFQ queue to ensure that each data stream is treated fairly.

# tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip sport 80 0xffff flowid 1:3

# tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip sport 25 0xffff flowid 1:4

6. Filter examples

# tc filter add dev eth0 protocol ip parent 10: prio 1 u32 match ip dport 22 0xffff flowid 10:1

Adds a filter rule with priority 1 at node 10: so that all IP packets with destination port 22 (exact match) are sent to channel 10:1.

# tc filter add dev eth0 protocol ip parent 10: prio 1 u32 match ip sport 80 0xffff flowid 10:1

Adds a filter rule with priority 1 at node 10: so that all IP packets from source port 80 (exact match) are sent to channel 10:1.

# tc filter add dev eth0 protocol ip parent 10: prio 2 flowid 10:2

Adds a filter rule with priority 2 to node 10: on eth0 so that all IP packets that do not match the previous two rules are sent to channel 10:2.

# tc filter add dev eth0 parent 10:0 protocol ip prio 1 u32 match ip dst 4.3.2.1/32 flowid 10:1

Packets sent to 4.3.2.1 are sent to channel 10:1. The other parameters are the same as above.

# tc filter add dev eth0 parent 10:0 protocol ip prio 1 u32 match ip src 1.2.3.4/32 flowid 10:1

Packets from 1.2.3.4 are sent to channel 10:1.

# tc filter add dev eth0 protocol ip parent 10: prio 2 flowid 10:2

Any packet that does not match the two rules above is sent to 10:2.

# tc filter add dev eth0 parent 10:0 protocol ip prio 1 u32 match ip src 4.3.2.1/32 \
    match ip sport 80 0xffff flowid 10:1

match can be chained, here to match packets from 4.3.2.1 with source port 80.