Flubber, posted December 10, 2011

Author(s): Bert Hubert, Netherlabs BV; Thomas Graf (Section Author); Gregory Maxwell (Section Author); Remco van Mook (Section Author); Martijn van Oosterhout (Section Author); Paul B Schroeder (Section Author); Jasper Spaans (Section Author); Pedro Larroy (Section Author)

Description: A very hands-on approach to iproute2, traffic shaping and a bit of netfilter.

Table of Contents

1. Dedication
2. Introduction
   2.1. Disclaimer & License
   2.2. Prior knowledge
   2.3. What Linux can do for you
   2.4. Housekeeping notes
   2.5. Access, CVS & submitting updates
   2.6. Mailing list
   2.7. Layout of this document
3. Introduction to iproute2
   3.1. Why iproute2?
   3.2. iproute2 tour
   3.3. Prerequisites
   3.4. Exploring your current configuration
        3.4.1. ip shows us our links
        3.4.2. ip shows us our IP addresses
        3.4.3. ip shows us our routes
   3.5. ARP
4. Rules - routing policy database
   4.1. Simple source policy routing
   4.2. Routing for multiple uplinks/providers
        4.2.1. Split access
        4.2.2. Load balancing
5. GRE and other tunnels
   5.1. A few general remarks about tunnels:
   5.2. IP in IP tunneling
   5.3. GRE tunneling
        5.3.1. IPv4 Tunneling
        5.3.2. IPv6 Tunneling
   5.4. Userland tunnels
6. IPv6 tunneling with Cisco and/or 6bone
   6.1. IPv6 Tunneling
7. IPSEC: secure IP over the Internet
   7.1. Intro with Manual Keying
   7.2. Automatic keying
        7.2.1. Theory
        7.2.2. Example
        7.2.3. Automatic keying using X.509 certificates
   7.3. IPSEC tunnels
   7.4. Other IPSEC software
   7.5. IPSEC interoperation with other systems
        7.5.1. Windows
        7.5.2. Check Point VPN-1 NG
8. Multicast routing
9. Queueing Disciplines for Bandwidth Management
   9.1. Queues and Queueing Disciplines explained
   9.2. Simple, classless Queueing Disciplines
        9.2.1. pfifo_fast
        9.2.2. Token Bucket Filter
        9.2.3. Stochastic Fairness Queueing
   9.3. Advice for when to use which queue
   9.4. Terminology
   9.5. Classful Queueing Disciplines
        9.5.1. Flow within classful qdiscs & classes
        9.5.2. The qdisc family: roots, handles, siblings and parents
        9.5.3. The PRIO qdisc
        9.5.4. The famous CBQ qdisc
        9.5.5. Hierarchical Token Bucket
   9.6. Classifying packets with filters
        9.6.1. Some simple filtering examples
        9.6.2. All the filtering commands you will normally need
   9.7. The Intermediate queueing device (IMQ)
        9.7.1. Sample configuration
10. Load sharing over multiple interfaces
   10.1. Caveats
   10.2. Other possibilities
11. Netfilter & iproute - marking packets
12. Advanced filters for (re-)classifying packets
   12.1. The u32 classifier
        12.1.1. U32 selector
        12.1.2. General selectors
        12.1.3. Specific selectors
   12.2. The route classifier
   12.3. Policing filters
        12.3.1. Ways to police
        12.3.2. Overlimit actions
        12.3.3. Examples
   12.4. Hashing filters for very fast massive filtering
   12.5. Filtering IPv6 Traffic
        12.5.1. How come that IPv6 tc filters do not work?
        12.5.2. Marking IPv6 packets using ip6tables
        12.5.3. Using the u32 selector to match IPv6 packet
13. Kernel network parameters
   13.1. Reverse Path Filtering
   13.2. Obscure settings
        13.2.1. Generic ipv4
        13.2.2. Per device settings
        13.2.3. Neighbor policy
        13.2.4. Routing settings
14. Advanced & less common queueing disciplines
   14.1. bfifo/pfifo
        14.1.1. Parameters & usage
   14.2. Clark-Shenker-Zhang algorithm (CSZ)
   14.3. DSMARK
        14.3.1. Introduction
        14.3.2. What is Dsmark related to?
        14.3.3. Differentiated Services guidelines
        14.3.4. Working with Dsmark
        14.3.5. How SCH_DSMARK works.
        14.3.6. TC_INDEX Filter
   14.4. Ingress qdisc
        14.4.1. Parameters & usage
   14.5. Random Early Detection (RED)
   14.6. Generic Random Early Detection
   14.7. VC/ATM emulation
   14.8. Weighted Round Robin (WRR)
15. Cookbook
   15.1. Running multiple sites with different SLAs
   15.2. Protecting your host from SYN floods
   15.3. Rate limit ICMP to prevent dDoS
   15.4. Prioritizing interactive traffic
   15.5. Transparent web-caching using netfilter, iproute2, ipchains and squid
        15.5.1. Traffic flow diagram after implementation
   15.6. Circumventing Path MTU Discovery issues with per route MTU settings
        15.6.1. Solution
   15.7. Circumventing Path MTU Discovery issues with MSS Clamping (for ADSL, cable, PPPoE & PPtP users)
   15.8. The Ultimate Traffic Conditioner: Low Latency, Fast Up & Downloads
        15.8.1. Why it doesn't work well by default
        15.8.2. The actual script (CBQ)
        15.8.3. The actual script (HTB)
   15.9. Rate limiting a single host or netmask
   15.10. Example of a full nat solution with QoS
        15.10.1. Let's begin optimizing that scarce bandwidth
        15.10.2. Classifying packets
        15.10.3. Improving our setup
        15.10.4. Making all of the above start at boot
16. Building bridges, and pseudo-bridges with Proxy ARP
   16.1. State of bridging and iptables
   16.2. Bridging and shaping
   16.3. Pseudo-bridges with Proxy-ARP
        16.3.1. ARP & Proxy-ARP
        16.3.2. Implementing it
17. Dynamic routing - OSPF and BGP
   17.1. Setting up OSPF with Zebra
        17.1.1. Prerequisites
        17.1.2. Configuring Zebra
        17.1.3. Running Zebra
   17.2. Setting up BGP4 with Zebra
        17.2.1. Network Map (Example)
        17.2.2. Configuration (Example)
        17.2.3. Checking Configuration
18. Other possibilities
19. Further reading
20. Acknowledgements

Link: http://lartc.org/lartc.html

Enjoy =)