如何使用tc和cgroup来预防数据包

I am trying to prioritize the packets that are generated from a certain process group so that they'll be picked first to be transmitted from the PC. I aim to do this by using cgroups and tc, but it seems not to work.

我正在尝试优先处理从某个进程组生成的数据包，以便首先从PC发送它们。我的目标是通过使用cgroups和tc来做到这一点，但它似乎不起作用。

First I set up cgroups on ubuntu as follows,

首先，我在ubuntu上设置cgroup如下，

modprobe cls_cgroup # load this module to get net_cls

mkdir /sys/fs/cgroup/net_cls  # mount point

mount -t cgroup net_cls -onet_cls /sys/fs/cgroup/net_cls/

mkdir /sys/fs/cgroup/net_cls/foo # new cgroup

echo 0x00010001 > /sys/fs/cgroup/foo/net_cls.classid  # echo in a class id

echo 2348 > /sys/fs/cgroup/net_cls/foo/tasks # echo in pid of firefox

tc qdisc add dev eth0 root handle 1: pri

tc qdisc add dev eth0 parent 1:1 handle 10: sfq

tc qdisc add dev eth0 parent 1:2 handle 20: sfq

tc qdisc add dev eth0 parent 1:3 handle 30: sfq

and after browsing in firefox and running,

在浏览firefox并运行之后，

tc -s qdisc ls dev eth0

I get,

我明白了

qdisc prio 1: root refcnt 2 bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 29351 bytes 154 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0 
qdisc sfq 10: parent 1:1 limit 127p quantum 1514b divisor 1024 
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0 
qdisc sfq 20: parent 1:2 limit 127p quantum 1514b divisor 1024 
 Sent 27873 bytes 143 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0 
qdisc sfq 30: parent 1:3 limit 127p quantum 1514b divisor 1024 
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0

Instead I want the traffic to flow in handle 10, what am I doing wrong?

相反，我希望流量在句柄10中流动，我做错了什么？

2 个解决方案

#1

The correct way to do this requires informing tc that you are to be using cgroups. This has been verified on Ubuntu 12.04 with a 3.10 kernel.

执行此操作的正确方法需要通知tc您将使用cgroup。这已在Ubuntu 12.04上通过3.10内核进行了验证。

Ensure you have net_cls support

$ cat /proc/cgroups 
#subsys_name    hierarchy   num_cgroups enabled
cpuset  1   2   1
cpu 1   2   1
cpuacct 1   2   1
memory  1   2   1
net_cls 1   2   1
blkio   1   2   1

if not,

如果不，

Compile a kernel with net_cls support

Just put all these options in your .config. These appear not to exist in menuconfig.

只需将所有这些选项放在.config中。这些似乎不存在于menuconfig中。

CONFIG_NET_CLS=y
CONFIG_NET_CLS_BASIC=m
CONFIG_NET_CLS_TCINDEX=m
CONFIG_NET_CLS_ROUTE4=m
CONFIG_NET_CLS_FW=m
CONFIG_NET_CLS_U32=m
CONFIG_NET_CLS_RSVP=m
CONFIG_NET_CLS_RSVP6=m
CONFIG_NET_CLS_FLOW=m
CONFIG_NET_CLS_CGROUP=y
CONFIG_NET_CLS_ACT=y
CONFIG_NET_CLS_IND=y

then make and install.

然后制作并安装。

Ensure you have an /etc/fstab entry

# echo "cgroup /sys/fs/cgroup cgroup defaults 0 0" >> /etc/fstab
# reboot

Create the test cgroup and set it up

Some cgroup setups complain with generic errors if cpuset is not set. You also must convert your major and minor tc class ID into hex of 0xAAAABBBB where AAAA is major and BBBB is minor.

如果未设置cpuset，某些cgroup设置会抱怨一般错误。您还必须将主要和次要tc类ID转换为0xAAAABBBB的十六进制，其中AAAA是主要的，BBBB是次要的。

# mkdir /sys/fs/cgroup/clstest
# /bin/echo 0 > /sys/fs/cgroup/clstest/cpuset.mems
# /bin/echo 0 > /sys/fs/cgroup/clstest/cpuset.cpus
# /bin/echo 0x100001 > /sys/fs/cgroup/clstest/net_cls.classid

Configure tc

# tc qdisc add dev eth2 root handle 10: htb
# tc class add dev eth2 parent 10: classid 10:1 htb rate 10mbit
# tc filter add dev eth2 parent 10: protocol ip prio 10 handle 1: cgroup

Echo tasks into cgroup

(but only one at a time)

（但一次只有一个）

# echo $FIREFOX_PID > /sys/fs/cgroup/clstest/tasks

Modify tc class

# tc class change dev eth2 parent 10: classid 10:1 htb rate 40mbit

EDIT:

I have been unable to make this work with ingress. Only egress (upload) appears to be working. tc does not appear to take the cgroup option with ingress.

我一直无法使用入口来完成这项工作。只有出口（上传）似乎有效。 tc似乎没有带入口的cgroup选项。