LDP/LDP/howto/linuxdoc/Adv-Routing-HOWTO.sgml

<!doctype linuxdoc system>

<!-- $Id$
 -->

<article>

<!-- Title information -->

<title>Linux 2.4 Advanced Routing HOWTO
<author>Netherlabs BV (bert hubert &lt;bert.hubert@netherlabs.nl&gt;)&nl;
Gregory Maxwell &lt;greg@linuxpower.cx&gt; &nl;
Remco van Mook &lt;remco@virtu.nl&gt; &nl;
Martijn van Oosterhout &lt;kleptog@cupid.suninternet.com&gt; &nl;
Paul B Schroeder  &lt;paulsch@us.ibm.com&gt; &nl;
howto@ds9a.nl
<date>v0.1.0 $Date$
<abstract>
A very hands-on approach to iproute2, traffic shaping and a bit of netfilter
</abstract>

<!-- Table of contents -->
<toc>

<!-- Begin the document -->

<sect>Dedication
<p>
This document is dedicated to lots of people, and is my attempt to do
something back. To list but a few:
<p>
<itemize>
	<item>Rusty Russel
	<item>Alexey N. Kuznetsov
	<item>The good folks from Google
	<item>The staff of Casema Internet
</itemize>	

<sect>Introduction
<p>
Welcome, gentle reader.
<p>
This document hopes to enlighten you on how to do more with Linux 2.2/2.4
routing. Unbeknownst to most users, you already run tools which allow you to
do spectacular things. Commands like 'route' and 'ifconfig' are actually
very thin wrappers for the very powerful iproute2 infrastructure
<p>
I hope that this HOWTO will become as readable as the ones by Rusty Russel
of (amongst other things) netfilter fame.

You can always reach us by writing the <url name="HOWTO team"
url="mailto:HOWTO@ds9a.nl">.
<sect1>Disclaimer &amp; License
<p>
This document is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

In short, if your STM-64 backbone breaks down and distributes pornography to
your most esteemed customers - it's never our fault. Sorry.

Copyright (c) 2000 by bert hubert, Gregory Maxwell and Martijn van Oosterhout

Please freely copy and distribute (sell or give away) this document in any
format. It's requested that corrections and/or comments be fowarded to the
document maintainer. You may create a derivative work and distribute it
provided that you:

<enum>
<item>Send your derivative work (in the most suitable format such as sgml) to
the LDP (Linux Documentation Project) or the like for posting on the Internet. 
If not the LDP, then let the LDP know where it is available. 

<item>License the derivative work with this same license or use GPL. Include a
copyright notice and at least a pointer to the license used. 

<item>Give due credit to previous authors and major contributors. 

</enum>
If you're considering making a derived work other than a translation, it's
requested that you discuss your plans with the current maintainer. 

It is also requested that if you publish this HOWTO in hardcopy that you
send the authors some samples for 'review purposes' :-) 


<sect1>Prior knowledge
<p>
As the title implies, this is the 'Advanced' HOWTO. While by no means rocket
science, some prior knowledge is assumed. This document is meant as a sequel
to the <url name="Linux 2.4 Networking HOWTO"
url="http://www.ds9a.nl/2.4Networking/"> by the same authors. You should
probably read that first.

Here are some orther references which might help learn you more:
<descrip>
<tag><url
url="http://netfilter.kernelnotes.org/unreliable-guides/networking-concepts-HOWTO.html"
name="Rusty Russels networking-concepts-HOWTO"></tag>
Very nice introduction, explaining what a network is, and how it is
connected to other networks
<tag>Linux Networking-HOWTO (Previously the Net-3 HOWTO)</tag>
Great stuff, although very verbose. It learns you a lot of stuff that's
already configured if you are able to connect to the internet. 
Should be located in <file>/usr/doc/HOWTO/NET3-4-HOWTO.txt</file> but can be also be found 
<url url="http://www.linuxports.com/howto/networking"
name="online">
</descrip>

<sect1>What Linux can do for you
<p>
A small list of things that are possible:
<p>
<itemize>
	<item>Throttle bandwidth for certain computers
	<item>Throttle bandwidth to certain computers
	<item>Help you to fairly share your bandwidth
	<item>Protect your network from DoS attacks
	<item>Protect the internet from your customers
	<item>Multiplex several servers as one, for load balancing or
enhanced availability
	<item>Restrict access to your computers
	<item>Limit access of your users to other hosts
	<item>Do routing based on user id (yes!), MAC address, source IP
address, port, type of service, time of day or content
</itemize>
<p>
Currently not many people are using these advanced features. This has several
reasons. While the provided documentation is verbose, it is not very hands
on. Traffic control is almost undocumented.
<sect1>Housekeeping notes
<p>
There are several things which should be noted about this document. While I
wrote most of it, I really don't want it to stay that way. I am a strong
believer in Open Source, so I encourage you to send feedback, updates,
patches etcetera. Do not hesitate to inform me of typos or plain old errors.
If my English sounds somewhat wooden, please realise that I'm not a native
speaker. Feel free to send suggestions.

If you feel to you are better qualified to maintain a section, or think that
you can author and maintain new sections, you are welcome to do so. The SGML
of this HOWTO is available via CVS, I very much envision more people
working on it.

In aid of this, you will find lots of FIXME notices. Patches are always
welcome! Wherever you find a FIXME, you should know that you are treading
unknown territory. This is not to say that there are no errors elsewhere,
but be extra careful. If you have validated something, please let us know so
we can remove the FIXME notice.

About this HOWTO, I will take some liberties along the road. For example, I
postulate a 10Mbit internet connection, while I know full well that those
are not very common.
<sect1>Access, CVS &amp; submitting updates
<p>
The canonical location for the HOWTO is <url
url="http://www.ds9a.nl/2.4Routing" name="here">.

We now have anonymous CVS access available for the world at large. This is
good in several ways. You can easily upgrade to newer versions of this
HOWTO and submitting patches is no work at all.

Furthermore, it allows the authors to work on the source independently,
which is good too.

<tscreen><verb>
$ export CVSROOT=:pserver:anon@outpost.ds9a.nl:/var/cvsroot
$ cvs login
CVS password: [enter 'cvs' (without 's)]
$ cvs co 2.4routing
cvs server: Updating 2.4routing
U 2.4routing/2.4routing.sgml
</verb></tscreen>

If you spot an error, or want to add something, just fix it locally, and run
cvs diff -u, and send the result off to us.

A Makefile is supplied which should help you create postscript, dvi, pdf,
html and plain text. You may need to install sgml-tools, ghostscript and
tetex to get all formats.

<sect1>Layout of this document
<p>
We will be doing interesting stuff almost immediately, which also means that
there will initially be parts that are explained incompletely or are not
perfect. Please gloss over these parts and assume that all will become clear.

Routing and filtering are two distinct things. Filtering is documented very
well by Rusty's HOWTOs, available here:

<itemize>
	<item><url url="http://netfilter.kernelnotes.org/unreliable-guides/"
name="Rusty's Remarkably Unreliable Guides">
</itemize>

We will be focusing mostly on what is possible by combining netfilter and
iproute2.
<sect>Introduction to iproute2
<sect1>Why iproute2?
<p>
Most Linux distributions, and most UNIX's, currently use the 
venerable 'arp', 'ifconfig' and 'route' commands. While these tools work,
they show some unexpected behaviour under Linux 2.2 and up. For example, GRE
tunnels are an integral part of routing these days, but require completely
different tools.

With iproute2, tunnels are an integral part of the tool set

The 2.2 and above Linux kernels include a completely redesigned network
subsystem. This new networking code brings Linux performance and a feature
set with little competition in the general OS arena. In fact, the new
routing filtering, and classifying code is more featureful then that
provided by many dedicated routers and firewalls and traffic shaping
products.

As new networking concepts have been invented, people have found ways to
plaster them on top of the existing framework in existing OSes. This
constant layering of cruft has lead to networking code that is filled with
strange behaviour, much like most human languages. In the past, Linux
emulated SunOS's handling of many of these things, which was not ideal.  

This new framework has made it possible to clearly express features
previously not possible.

<sect1>Iproute2 tour
<p>
Linux has a sophisticated system for bandwidth provisioning called Traffic
Control. This system supports various method for classifying, prioritising,
sharing, and limiting both inbound and outbound traffic.


We'll start off with a tiny tour of iproute2 possibilities.
<sect1>Prerequisites
<p>
You should make sure that you have the userland tools installed. This
package is called 'iproute' on both RedHat and Debian, and may otherwise be
found at <tt>ftp://ftp.inr.ac.ru/ip-routing/iproute2-2.2.4-now-ss??????.tar.gz"</tt>. 
Some parts of iproute require you to have certain kernel options enabled.

FIXME: We should mention <url url="ftp://ftp.inr.ac.ru/ip-routing/iproute2-current.tar.gz"> 
is always the latest

<sect1>Exploring your current configuration
<p>
This may come as a surprise, but iproute2 is already configured! The current
commands <tt>ifconfig</tt> and <tt>route</tt> are already using the advanced
syscalls, but mostly with very default (ie, boring) settings.

The <tt>ip</tt> tool is central, and we'll ask it do display our interfaces
for us.
<sect2><tt>ip</tt> shows us our links
<p>
<tscreen><verb>
[ahu@home ahu]$ ip link list
1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: dummy: <BROADCAST,NOARP> mtu 1500 qdisc noop 
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1400 qdisc pfifo_fast qlen 100
    link/ether 48:54:e8:2a:47:16 brd ff:ff:ff:ff:ff:ff
4: eth1: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:e0:4c:39:24:78 brd ff:ff:ff:ff:ff:ff
3764: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 10
    link/ppp 

</verb></tscreen>
<p>Your mileage may vary, but this is what it shows on my NAT router at
home. I'll only explain part of the output as not everything is directly
relevant.

We first see the loopback interface. While your computer may function
somewhat without one, I'd advise against it. The mtu size (maximum transfer
unit) is 3924 octects, and it is not supposed to queue. Which makes sense
because the loopback interface is a figment of your kernels imagination.

I'll skip the dummy interface for now, and it may not be present on your
computer. Then there are my two network interfaces, one at the side of my
cable modem, the other serves my home ethernet segment. Furthermore, we see
a ppp0 interface.

Note the absence of IP addresses. Iproute disconnects the concept of 'links'
and 'IP addresses'. With IP aliasing, the concept of 'the' IP address had
become quite irrelevant anyhow. 

It does show us the MAC addresses though, the hardware identifier of our
ethernet interfaces.
<sect2><tt>ip</tt> shows us our IP addresses
<p>
<tscreen><verb>
[ahu@home ahu]$ ip address show        
1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy: <BROADCAST,NOARP> mtu 1500 qdisc noop 
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1400 qdisc pfifo_fast qlen 100
    link/ether 48:54:e8:2a:47:16 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/8 brd 10.255.255.255 scope global eth0
4: eth1: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:e0:4c:39:24:78 brd ff:ff:ff:ff:ff:ff
3764: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 10
    link/ppp 
    inet 212.64.94.251 peer 212.64.94.1/32 scope global ppp0
</verb></tscreen>
<p>
This contains more information. It shows all our addresses, and to which
cards they belong. 'inet' stands for Internet. There are lots of other
address families, but these don't concern us right now.

Lets examine eth0 somewhat closer. It says that it is related to the inet
address '10.0.0.1/8'. What does this mean? The /8 stands for the number of
bits that are in the Network Address. There are 32 bits, so we have 24 bits
left that are part of our network. The first 8 bits of 10.0.0.1 correspond
to 10.0.0.0, our Network Address, and our netmask is 255.0.0.0.

The other bits are connected to this interface, so 10.250.3.13 is directly
available on eth0, as is 10.0.0.1 for example. 

With ppp0, the same concept goes, though the numbers are different. It's
address is 212.64.94.251, without a subnet mask. This means that we have a
point-to-point connection and that every address, with the exception of
212.64.94.251, is remote. There is more information however, it tells us
that on the other side of the link is yet again only one address,
212.64.94.1. The /32 tells us that there are no 'network bits'.

It is absolutely vital that you grasp these concepts. Refer to the
documentation mentioned at the beginning of this HOWTO if you have trouble.

You may also note 'qdisc', which stands for Queueing Discipline. This will
become vital later on. 

<sect2><tt>ip</tt> shows us our routes
<p>
Well, we now know how to find 10.x.y.z addresses, and we are able to reach
212.64.94.1. This is not enough however, so we need instructions on how to
reach the world. The internet is available via our ppp connection, and it
appears that 212.64.94.1 is willing to spread our packets around the
world, and deliver results back to us.

<tscreen><verb>
[ahu@home ahu]$ ip route show
212.64.94.1 dev ppp0  proto kernel  scope link  src 212.64.94.251 
10.0.0.0/8 dev eth0  proto kernel  scope link  src 10.0.0.1 
127.0.0.0/8 dev lo  scope link 
default via 212.64.94.1 dev ppp0 
</verb></tscreen>

This is pretty much self explanatory. The first 4 lines of output explicitly
state what was already implied by <tt>ip address show</tt>, the last line
tells us that the rest of the world can be found via 212.64.94.1, our
default gateway. We can see that it is a gateway because of the word
via, which tells us that we need to send packets to 212.64.94.1, and that it
will take care of things.

For reference, this is what the old 'route' utility shows us:
<tscreen><verb>
[ahu@home ahu]$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use
Iface
212.64.94.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         212.64.94.1     0.0.0.0         UG    0      0        0 ppp0
</verb></tscreen>

<sect1>ARP
<p>
ARP is the Address Resolution Protocol as described in
<url url="http://www.faqs.org/rfcs/rfc826.html" name="RFC 826">.
ARP is used by a networked machine to resolve the hardware location/address of
another machine on the same
local network.  Machines on the Internet are generally known by their names
which resolve to IP
addresses.  This is how a machine on the foo.com network is able to communicate
with another machine which is on the bar.net network.  An IP address, though,
cannot tell you the physical location of a machine.  This is where ARP comes
into the picture.

Let's take a very simple example.  Suppose I have a network composed of several
machines.  Two of the machines which are currently on my network are foo
with an IP address of 10.0.0.1 and bar with an IP address of 10.0.0.2.
Now foo wants to ping bar to see that he is alive, but alas, foo has no idea
where bar is.  So when foo decides to ping bar he will need to send
out an ARP request.
This ARP request is akin to foo shouting out on the network "Bar (10.0.0.2)!
Where are you?"  As a result of this every machine on the network will hear
foo shouting, but only bar (10.0.0.2) will respond.  Bar will then send an
ARP reply directly back to foo which is akin
bar saying,
"Foo (10.0.0.1) I am here at 00:60:94:E9:08:12."  After this simple transaction
used to locate his friend on the network foo is able to communicate with bar
until he (his arp cache) forgets where bar is.

Now let's see how this works.
You can view your machines current arp/neighbor cache/table like so:
<tscreen><verb>
[root@espa041 /home/src/iputils]# ip neigh show
9.3.76.42 dev eth0 lladdr 00:60:08:3f:e9:f9 nud reachable
9.3.76.1 dev eth0 lladdr 00:06:29:21:73:c8 nud reachable
</verb></tscreen>

As you can see my machine espa041 (9.3.76.41) knows where to find espa042 
(9.3.76.42) and
espagate (9.3.76.1).  Now let's add another machine to the arp cache.

<tscreen><verb>
[root@espa041 /home/paulsch/.gnome-desktop]# ping -c 1 espa043
PING espa043.austin.ibm.com (9.3.76.43) from 9.3.76.41 : 56(84) bytes of data.
64 bytes from 9.3.76.43: icmp_seq=0 ttl=255 time=0.9 ms

--- espa043.austin.ibm.com ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.9/0.9/0.9 ms

[root@espa041 /home/src/iputils]# ip neigh show
9.3.76.43 dev eth0 lladdr 00:06:29:21:80:20 nud reachable
9.3.76.42 dev eth0 lladdr 00:60:08:3f:e9:f9 nud reachable
9.3.76.1 dev eth0 lladdr 00:06:29:21:73:c8 nud reachable
</verb></tscreen>

As a result of espa041 trying to contact espa043, espa043's hardware
address/location has now been added to the arp/nieghbor cache.
So until the entry for
espa043 times out (as a result of no communication between the two) espa041
knows where to find espa043 and has no need to send an ARP request.

Now let's delete espa043 from our arp cache:

<tscreen><verb>
[root@espa041 /home/src/iputils]# ip neigh delete 9.3.76.43 dev eth0
[root@espa041 /home/src/iputils]# ip neigh show
9.3.76.43 dev eth0  nud failed
9.3.76.42 dev eth0 lladdr 00:60:08:3f:e9:f9 nud reachable
9.3.76.1 dev eth0 lladdr 00:06:29:21:73:c8 nud stale
</verb></tscreen>

Now espa041 has again forgotten where to find espa043 and will need to send
another ARP request the next time he needs to communicate with espa043.
You can also see from the above output that espagate (9.3.76.1) has been
changed to the "stale" state.  This means that the location shown is still
valid, but it will have to be confirmed at the first transaction to that
machine.

<sect>Rules - routing policy database
<p>
If you have a large router, you may well cater for the needs of different
people, who should be served differently. The routing policy database allows
you to do this by having multiple sets of routing tables. 

If you want to use this feature, make sure that your kernel is compiled with
the "IP: policy routing" feature.

When the kernel needs to make a routing decision, it finds out which table
needs to be consulted. By default, there are three tables. The old 'route'
tool modifies the main and local tables, as does the ip tool (by default).

The default rules:
<tscreen><verb>
[ahu@home ahu]$ ip rule list
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default
</verb></tscreen>

This lists the priority of all rules. We see that all rules apply to all
packets ('from all'). We've seen the 'main' table before, it's output by
<tt>ip route ls</tt>, but the 'local' and 'default' table are new.

If we want to do fancy things, we generate rules which point to different
tables which allow us to override system wide routing rules.

For the exact semantics on what the kernel does when there are more matching
rules, see Alexey's ip-cfref documentation. 

<sect1>Simple source routing
<p>
Let's take a real example once again, I have 2 (actually 3, about time I
returned them) cable modems, connected to a Linux NAT ('masquerading')
router. People living here pay me to use the internet. Suppose one of my
house mates only visits hotmail and wants to pay less. This is fine with me,
but you'll end up using the low-end cable modem.

The 'fast' cable modem is known as 212.64.94.251 and is an PPP link to
212.64.94.1. The 'slow' cable modem is known by various ip addresses,
212.64.78.148 in this example and is a link to 195.96.98.253.

The local table:
<tscreen><verb>
[ahu@home ahu]$ ip route list table local
broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1 
local 10.0.0.1 dev eth0  proto kernel  scope host  src 10.0.0.1 
broadcast 10.0.0.0 dev eth0  proto kernel  scope link  src 10.0.0.1 
local 212.64.94.251 dev ppp0  proto kernel  scope host  src 212.64.94.251 
broadcast 10.255.255.255 dev eth0  proto kernel  scope link  src 10.0.0.1 
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1 
local 212.64.78.148 dev ppp2  proto kernel  scope host  src 212.64.78.148 
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1 
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1 
</verb></tscreen>

Lots of obvious things, but things that need to specified somewhere.
Well, here they are. The default table is empty.

Let's view the 'main' table:
<tscreen><verb>
[ahu@home ahu]$ ip route list table main 
195.96.98.253 dev ppp2  proto kernel  scope link  src 212.64.78.148 
212.64.94.1 dev ppp0  proto kernel  scope link  src 212.64.94.251 
10.0.0.0/8 dev eth0  proto kernel  scope link  src 10.0.0.1 
127.0.0.0/8 dev lo  scope link 
default via 212.64.94.1 dev ppp0 
</verb></tscreen>

We now generate a new rule which we call 'John', for our hypothetical
house mate. Although we can work with pure numbers, it's far easier if we add
our tables to <file>/etc/iproute2/rt_tables</file>. 

<tscreen><verb>
# echo 200 John >> /etc/iproute2/rt_tables
# ip rule add from 10.0.0.10 table John
# ip rule ls
0:	from all lookup local 
32765:	from 10.0.0.10 lookup John
32766:	from all lookup main 
32767:	from all lookup default
</verb></tscreen>

Now all that is left is to generate Johns table, and flush the route cache:
<tscreen><verb>
# ip route add default via 195.96.98.253 dev ppp2 table John
# ip route flush cache
</verb></tscreen>

And we are done. It is left as an exercise for the reader to implement this
in ip-up.
<sect>GRE and other tunnels
<p>
There are 3 kinds of tunnels in Linux. There's IP in IP tunneling, GRE tunneling and tunnels that live outside the kernel (like, for example PPTP). 
<sect1>A few general remarks about tunnels:
<p>
Tunnels can be used to do some very unusual and very cool stuff. They can also make things go horribly wrong when you don't configure them right. Don't point your default route to a tunnel device unless you know _exactly_ what you are doing :-). Furthermore, tunneling increases overhead, because it needs an extra set of IP headers. Typically this is 20 bytes per packet, so if the normal packet size (MTU) on a network is 1500 bytes, a packet that is sent through a tunnel can only be 1480 bytes big. This is not necessarily a problem, but be sure to read up on IP packet fragmentation/reassembly when you plan to connect large networks with tunnels. Oh, and of course, the fastest way to dig a tunnel is to dig at both sides.
<p>
<sect1>IP in IP tunneling
<p>
This kind of tunneling has been available in Linux for a long time. It requires 2 kernel modules,
ipip.o and new_tunnel.o.

Let's say you have 3 networks: Internal networks A and B, and intermediate network C (or let's say, Internet). 
So we have network A:

<tscreen><verb>
network 10.0.1.0
netmask 255.255.255.0
router  10.0.1.1
</verb></tscreen>
The router has address 172.16.17.18 on network C.

and network B:
<tscreen><verb>
network 10.0.2.0
netmask 255.255.255.0
router  10.0.2.1
</verb></tscreen>
The router has address 172.19.20.21 on network C.

As far as network C is concerned, we assume that it will pass any packet sent
from A to B and vice versa. You might even use the Internet for this.

Here's what you do:

First, make sure the modules are installed:

<tscreen><verb>
insmod ipip.o
insmod new_tunnel.o
</verb></tscreen>
Then, on the router of network A, you do the following:
<tscreen><verb>
ifconfig tunl0 10.0.1.1 pointopoint 172.19.20.21
route add -net 10.0.2.0 netmask 255.255.255.0 dev tunl0
</verb></tscreen>
And on the router of network B:
<tscreen><verb>
ifconfig tunl0 10.0.2.1 pointopoint 172.16.17.18
route add -net 10.0.1.0 netmask 255.255.255.0 dev tunl0
</verb></tscreen>
And if you're finished with your tunnel:
<tscreen><verb>
ifconfig tunl0 down
</verb></tscreen>
Presto, you're done. You can't forward broadcast or IPv6 traffic through
an IP-in-IP tunnel, though. You just connect 2 IPv4 networks that normally wouldn't be able to talk to each other, that's all. As far as compatibility goes, this code has been around a long time, so it's compatible all the way back to 1.3 kernels. Linux IP-in-IP tunneling doesn't work with other Operating Systems or routers, as far as I know. It's simple, it works. Use it if you have to, otherwise use GRE.

<sect1>GRE tunneling
<p>
GRE is a tunneling protocol that was originally developed by Cisco, and it
can do a few more things than IP-in-IP tunneling. For example, you can also
transport multicast traffic and IPv6 through a GRE tunnel.

In Linux, you'll need the ip_gre module.

<sect2>IPv4 Tunneling
<p>
Let's do IPv4 tunneling first:

Let's say you have 3 networks: Internal networks A and B, and intermediate network C (or let's say, Internet). 

So we have network A:
<tscreen><verb>
network 10.0.1.0
netmask 255.255.255.0
router  10.0.1.1
</verb></tscreen>
The router has address 172.16.17.18 on network C.
Let's call this network neta (ok, hardly original)

and network B:
<tscreen><verb>
network 10.0.2.0
netmask 255.255.255.0
router  10.0.2.1
</verb></tscreen>
The router has address 172.19.20.21 on network C.
Let's call this network netb (still not original)

As far as network C is concerned, we assume that it will pass any packet sent
from A to B and vice versa. How and why, we do not care.
<p>
On the router of network A, you do the following:
<tscreen><verb>
ip tunnel add netb mode gre remote 172.19.20.21 local 172.16.17.18 ttl 255
ip addr add 10.0.1.1 dev netb
ip route add 10.0.2.0/24 dev netb
</verb></tscreen>

Let's discuss this for a bit. In line 1, we added a tunnel device, and
called it netb (which is kind of obvious because that's where we want it to
go). Furthermore we told it to use the GRE protocol (mode gre), that the
remote address is 172.19.20.21 (the router at the other end), that our
tunneling packets should originate from 172.16.17.18 (which allows your
router to have several IP addresses on network C and let you decide which
one to use for tunneling) and that the TTL field of the packet should be set
to 255 (ttl 255).

In the second line we gave the newly born interface netb the address
10.0.1.1. This is OK for smaller networks, but when you're starting up a
mining expedition (LOTS of tunnels), you might want to consider using
another IP range for tunneling interfaces (in this example, you could use
10.0.3.0).

<p>In the third line we set the route for network B. Note the different notation for the netmask. If you're not familiar with this notation, here's how it works: you write out the netmask in binary form, and you count all the ones. If you don't know how to do that, just remember that 255.0.0.0 is /8, 255.255.0.0 is /16 and 255.255.255.0 is /24. Oh, and 255.255.254.0 is /23, in case you were wondering.
<p>
But enough about this, let's go on with the router of network B.
<tscreen><verb>
ip tunnel add neta mode gre remote 172.16.17.18 local 172.19.20.21 ttl 255
ip addr add 10.0.2.1 dev neta
ip route add 10.0.1.0/24 dev neta
</verb></tscreen>
And when you want to remove the tunnelon router A:
<tscreen><verb>
ip link set netb down
ip tunnel del netb
</verb></tscreen>
Of course, you can replace netb with neta for router B.

<sect2>IPv6 Tunneling
<p>

BIG FAT WARNING !! 

The following is untested and might therefore be
completely and utter BOLLOCKS. Proceed at your own risk. Don't say I didn't
warn you.

FIXME: check &amp; try all this

<p>
A short bit about IPv6 addresses:<p>
IPv6 addresses are, compared to IPv4 addresses, monstrously big. An example:
<verb>3ffe:2502:200:40:281:48fe:dcfe:d9bc</verb>
So, to make writing them down easier, there are a few rules:
<itemize>
<item>Don't use leading zeroes. Same as in IPv4.
<item>Use colons to separate every 16 bits or two bytes.
<item>When you have lots of consecutive zeroes, you can write this down as ::. You can only do this once in an address and only for quantities of 16 bits, though.
</itemize>
Using these rules, the address 3ffe:0000:0000:0000:0000:0020:34A1:F32C can be written down as 3ffe::20:34A1:F32C, which is a lot shorter. 
<p>
On with the tunnels.

Let's assume that you have the following IPv6 network, and you want to connect it to 6bone, or a friend.

<tscreen><verb>
Network 3ffe:406:5:1:5:a:2:1/96
</verb></tscreen>
Your IPv4 address is 172.16.17.18, and the 6bone router has IPv4 address 172.22.23.24. 
<p>
<tscreen><verb>
ip tunnel add sixbone mode sit remote 172.22.23.24 local 172.16.17.18 ttl 255
ip link set sixbone up
ip addr add 3ffe:406:5:1:5:a:2:1/96 dev sixbone
ip route add 3ffe::/15 dev sixbone 
</verb></tscreen>

Let's discuss this. In the first line, we created a tunnel device called sixbone. We gave it mode sit (which is IPv6 in IPv4 tunneling) and told it where to go to (remote) and where to come from (local). TTL is set to maximum, 255. Next, we made the device active (up). After that, we added our own network address, and set a route for 3ffe::/15 (which is currently all of 6bone) through the tunnel.
<p>
GRE tunnels are currently the preferred type of tunneling. It's a standard that's also widely adopted outside the Linux community and therefore a Good Thing.
<p>
<sect1>Userland tunnels
<p>
There are literally dozens of implementations of tunneling outside the kernel. Best known are of course PPP and PPTP, but there are lots more (some proprietary, some secure, some that don't even use IP) and that is really beyond the scope of this HOWTO.

<sect>IPsec: secure IP over the internet
<p>
FIXME: Waiting for our feature editor Stefan to finish his stuf

<sect>Multicast routing
<p>
FIXME: Editor Vacancy!
<sect>Using Class Based Queueing for bandwidth management
<p>
Now, when I discovered this, it *really* blew me away. Linux 2.2 comes with
everything to manage bandwidth in ways comparable to high-end dedicated
bandwidth management systems.

Linux even goes far beyond what Frame and ATM provide. 

The two basic units of Traffic Control are filters and queues. Filters place
traffic into queues, and queues gather traffic and decide what to send
first, send later, or drop. There are several flavours of filters and queues.

The most common filters are fwmark and u32, the first lets you use the Linux
netfilter code to select traffic, and the second allows you to select
traffic based on ANY header. The most notable queue is Class Based
Queue. CBQ is a super-queue, in that it contains other queues (even other
CBQs).

It may not be immediately clear what queueing has to do with bandwidth
management, but it really does work. 

For our frame of reference, I have modelled this section on an ISP where I
learned the ropes, so to speak, Casema Internet in The Netherlands. Casema,
which is actually a cable company, has internet needs both for their
customers and for their own office. Most corporate computers there have
access to the internet. In reality, they have lots of money to spend and do
not use Linux for bandwidth management.

We will explore how our ISP could have used Linux to manage their bandwidth.

<sect1>What is queueing?
<p>
With queueing we determine the order in which data is *sent*. It it important
to realise this, we can only shape data that we transmit. How this changing
the order determine the speed of transmission? Imagine a cash register which
is able to process 3 customers per minute.

People wishing to pay go stand in line at the 'tail end' of the queue. This
is 'fifo queueing'. Let's suppose however that we let certain people always
join in the middle of the queue, in stead of at the end. These people spend
a lot less time in the queue and are therefore able to shop faster. 

With the way the internet works, we have no direct control of what people
send us. It's a bit like your (physical!) mailbox at home. There is no way
you can influence the world to modify the amount of mail they send you,
short of contacting everybody.

However, the internet is mostly based on TCP/IP which has a few features
that help us. TCP/IP has no way of knowing the capacity of the network
between two hosts, so it just starts sending data faster and faster ('slow
start') and when packets start getting lost, because there is no room to
send them, it will slow down.

This is the equivalent of not reading half of your mail, and hoping that
people will stop sending it to you. With the difference that it works for
the Internet :-)

FIXME: explain that normally, ACKs are used to determine speed

<tscreen><verb>
[The Internet] ---<E3, T3, whatever>--- [Linux router] --- [Office+ISP]
                                      eth1          eth0
</verb></tscreen>

Now, our Linux router has two interfaces which I shall dub eth0 and eth1.
Eth1 is connected to our router which moves packets from to and from our
fibre link.

Eth0 is connected to a subnet which contains both the corporate firewall and
our network head ends, through which we can connect to our customers.

Because we can only limit what we send, we need two separate but possibly
very similar sets of rules. By modifying queueing on eth0, we determine how
fast data gets sent to our customers, and therefor how much downstream
bandwidth is available for them. Their 'download speed' in short.

On eth1, we determine how fast we send data to The Internet, how fast our
users, both corporate and commercial can upload data.

<sect1>First attempt at bandwidth division
<p>
CBQ enables us to generate several classes, and even classes within classes.
The larger devisions might be called 'agencies'. Within these classes may be
things like 'bulk' or 'interactive'.

For example, we may have a 10 megabit internet connection to 'the internet'
which is to be shared by our customers, and our corporate needs. We should
not allow a few people at the office to steal away large amounts of
bandwidth which we should sell to our customers.

On the other hand, or customers should not be able to drown out the traffic
from our field offices to the customer database.

Previously, one way to solve this was either to use Frame relay/ATM and
create virtual circuits. This works, but frame is not very fine grained, ATM
is terribly inefficient at carrying IP traffic, and neither have standardised
ways to segregate different types of traffic into different VCs. 

Hover, if you do use ATM, Linux can also happily perform deft acts of fancy
traffic classification for you too. Another way is to order separate
connections, but this is not very practical and also not very elegant, and
still does not solve all your problems.

CBQ to the rescue!

Clearly we have two main classes, 'ISP' and 'Office'. Initially, we really
don't care what the divisions do with their bandwidth, so we don't further
subdivide their classes.

We decide that the customers should always be guaranteed 8 megabits of
downstream traffic, and our office 2 megabits. 

Setting up traffic control is done with the iproute2 tool <tt>tc</tt>.
<tscreen><verb>
# tc qdisc add dev eth0 root handle 10: cbq bandwidth 10Mbit avpkt 1000
</verb></tscreen>
<p>Ok, lots of numbers here. What has happened? We have configured
the 'queueing discipline' of eth0. With 'root' we denote that this is the root
discipline. We have given it the handle '10:'. We want to do CBQ, so we
mention that on the command line as well. We tell the kernel that it can
allocate 10Mbit and that the average packet size is somewhere around 1000
octets.

FIXME: Double check with Alexey the the built in cell calculation is sufficient.

FIXME: With a 1500 mtu, the default cell is calculated same as the old example.

FIXME: I checked the sources (userspace and kernel), so we should be safe omitting it.

Now we need to generate our root class, from which all others descend:
<tscreen><verb>
# tc class add dev eth0 parent 10:0 classid 10:1 cbq bandwidth 10Mbit rate \
  10Mbit allot 1514 weight 1Mbit prio 8 maxburst 20 avpkt 1000
</verb></tscreen>
<p>
Even more numbers to worry about - the Linux CBQ implementation is very
generic. With 'parent 10:0' we indicate that this class descends from the
root of qdisc handle '10:' we generated earlier. With 'classid 10:1' we
name this class.

We really don't tell the kernel a lot more, we just generate a
class that completely fills the available device. We also specify that the
MTU (plus some overhead) is 1514 octets. We also 'weigh' this class with
1Mbit - a tuning parameter.

We now generate our ISP class:
<tscreen><verb>
# tc class add dev eth0 parent 10:1 classid 10:100 cbq bandwidth 10Mbit rate \
  8Mbit allot 1514 weight 800Kbit prio 5 maxburst 20 avpkt 1000 \
  bounded
</verb></tscreen>
<p>
We allocate 8Mbit, and indicate that this class must not exceed this by
adding the 'bounded' parameter. Otherwise this class would have started
borrowing bandwidth from other classes, something we will discuss later on.

To top it off, we generate the root Office class:
<tscreen><verb>
# tc class add dev eth0 parent 10:1 classid 10:200 cbq bandwidth 10Mbit rate \
  2Mbit allot 1514 weight 200Kbit prio 5 maxburst 20 avpkt 1000 \
  bounded
</verb></tscreen>

To make this a bit clearer, a diagram which shows our classes:

<tscreen><verb>
+-------------[10: 10Mbit]----------------------+
|+-------------[10:1 root 10Mbit]--------------+|
||                                             ||
|| +-[10:100 8Mbit]-+ +--[10:200 2Mbit]-----+  ||
|| |                | |                     |  ||
|| | ISP            | |  Office             |  ||
|| |                | |                     |  ||
|| +----------------+ +---------------------+  ||
||                                             ||
|+---------------------------------------------+|
+-----------------------------------------------+
</verb></tscreen>

Ok, now we have told the kernel what our classes are, but not yet how to
manage the queues. We do this presently, in one fell swoop for both classes.

<tscreen><verb>
# tc qdisc add dev eth0 parent 10:100 sfq quantum 1514b perturb 15
# tc qdisc add dev eth0 parent 10:200 sfq quantum 1514b perturb 15
</verb></tscreen>

In this case we install the Stochastic Fairness Queueing discipline (sfq),
which is not quite fair, but works well up to high bandwidths without
burning up CPU cycles. There are other queueing disciplines available which
are better, but need more CPU. The Token Bucket Filter is often used.

Now there is only one thing left to do and that is to explain to the kernel
which packets belong to which class. Initially we will do this natively with
iproute2, but more interesting applications are possible in combination with
netfilter.

<tscreen><verb>
# tc filter add dev eth0 parent 10:0 protocol ip prio 100 u32 match ip dst \
  150.151.23.24 flowid 10:200

# tc filter add dev eth0 parent 10:0 protocol ip prio 25 u32 match ip dst \
  150.151.0.0/16 flowid 10:100
</verb></tscreen>

Here is is assumed that our office hides behind a firewall with IP address
150.151.23.24 and that all our other IP addresses should be considered to be
part of the ISP.

The u32 match is a very simple one - more sophisticated matching rules are
possible when using netfilter to mark our packets, which we can than match on
in tc.

Now we have fairly divided the downstream bandwidth, we need to do the same
for the upstream. For brevity's sake, all in one go:

<tscreen><verb>
# tc qdisc add dev eth1 root handle 20: cbq bandwidth 10Mbit avpkt 1000

# tc class add dev eth1 parent 20:0 classid 20:1 cbq bandwidth 10Mbit rate \
  10Mbit allot 1514 weight 1Mbit prio 8 maxburst 20 avpkt 1000

# tc class add dev eth1 parent 20:1 classid 20:100 cbq bandwidth 10Mbit rate \
  8Mbit allot 1514 weight 800Kbit prio 5 maxburst 20 avpkt 1000 \
  bounded

# tc class add dev eth1 parent 20:1 classid 20:200 cbq bandwidth 10Mbit rate \
  2Mbit allot 1514 weight 200Kbit prio 5 maxburst 20 avpkt 1000 \
  bounded

# tc qdisc add dev eth1 parent 20:100 sfq quantum 1514b perturb 15
# tc qdisc add dev eth1 parent 20:200 sfq quantum 1514b perturb 15

# tc filter add dev eth1 parent 20:0 protocol ip prio 100 u32 match ip src \
  150.151.23.24 flowid 20:200

# tc filter add dev eth1 parent 20:0 protocol ip prio 25 u32 match ip src \
  150.151.0.0/16 flowid 20:100
</verb></tscreen>
<sect1>What to do with excess bandwidth
<p>
In our hypothetical case, we will find that even when the ISP customers
are mostly offline (say, at 8AM), our office still gets only 2Mbit, which is
rather wasteful.

By removing the 'bounded' statements, classes will be able to borrow
bandwidth from each other.

Some classes may not wish to borrow their bandwidth to other classes. Two
rival ISPs on a single link may not want to offer each other freebees. In
such a case, you can add the keyword 'isolated' at the end of your 'tc class
add' lines.

<sect1>Class subdivisions
<p>
FIXME: completely untested suppositions! Try this!

We can go further than this. Should the employees at the office decide to all
fire up their 'napster' clients, it is still possible that our database runs
out of bandwidth. Therefore, we create two subclasses, 'Human' and 'Database'.

Our database always needs 500Kbit, so we have 1.5Mbit left for Human
consumption.

We now need to create two new classes, within our Office class:
<tscreen><verb>
# tc class add dev eth0 parent 10:200 classid 10:250 cbq bandwidth 10Mbit rate \
  500Kbit allot 1514 weight 50Kbit prio 5 maxburst 20 avpkt 1000 \
  bounded

# tc class add dev eth0 parent 10:200 classid 10:251 cbq bandwidth 10Mbit rate \
  1500Kbit allot 1514 weight 150Kbit prio 5 maxburst 20 avpkt 1000 \
  bounded
</verb></tscreen>

FIXME: Finish this example!

<sect1>Loadsharing over multiple interfaces
<p>
FIXME: document TEQL

<sect>More queueing disciplines
<p>
The Linux kernel offers us lots of queueing disciplines. By far the most
widely used is the pfifo_fast queue - this is the default. This also
explains why these advanced features are so robust. They are nothing more
than 'just another queue'.

Each of these queues has specific strengths and weaknesses. Not all of them
may be as well tested.
<sect1>pfifo_fast
<p>
This queue is, as the name says, First In, First Out, which means that no
packet receives special treatment. At least, not quite. This queue has 3 so
called 'bands'. Within each band, FIFO rules apply. However, as long as
there are packets waiting in band 0, band 1 won't be processed. Same goes
for band 1 and band 2.
<sect1>Stochastic Fairness Queueing
<p>
SFQ, as said earlier, is not quite deterministic, but works (on average).
Its main benefits are that it requires little CPU and memory. 'Real' fair
queueing requires that the kernel keep track of all running sessions.

Stochastic Fairness Queueing (SFQ) is a simple implementation
of fair queueing algorithms family. It's less accurate than
others, but it also requires less calculations while being
almost perfectly fair.

The key word in SFQ is conversation (or flow), being a sequence
of data packets having enough common parameters to distinguish
it from other conversations. The parameters used in case of
IP packets are source and destination address, and the protocol
number.

SFQ consists of dynamically allocated number of FIFO queues,
one queue for one conversation. The discipline runs in round-robin,
sending one packet from each FIFO in one turn, and this is why
it's called fair. The main advantage of SFQ is that it allows
fair sharing the link between several applications and prevent
bandwidth take-over by one client. SFQ however cannot determine
interactive flows from bulk ones -- one usually needs to do
the selection with CBQ before, and then direct the bulk traffic
into SFQ.


<sect1>Token Bucket Filter
<p>
The Token Bucket Filter (TBF) is a simple queue, that only passes packets
arriving at rate in bounds of some administratively set limit, with
possibility to buffer short bursts.

The TBF implementation consists of a buffer (bucket), constatly filled by
some virtual pieces of information called tokens, at specific rate (token
rate). The most important parameter of the bucket is its size, that is
number of tokens it can store.

Each arriving token lets one incoming data packet of out the queue and is
then deleted from the bucket. Associating this algorithm with the two flows
-- token and data, gives us three possible scenarios:

<itemize>

<item> The data arrives into TBF at rate <em>equal</em> the rate of incoming
tokens. In this case each incoming packet has its matching token and passes
the queue without delay.

<item> The data arrives into TBF at rate <em>smaller</em> than the token rate.
Only some tokens are deleted at output of each data packet sent out the
queue, so the tokens accumulate, up to the bucket size. The saved tokens can
be then used to send data over the token rate, if short data burst occurs.

<item> The data arrives into TBF at rate <em>bigger</em> than the token rate. In
this case filter overrun occurs -- incoming data can be only sent out
without loss until all accumulated tokens are used. After that, overlimit
packets are dropped.

</itemize>

<p> The last scenario is very important, because it allows to
administratively shape the bandwidth available to data, passing the filter.
The accumulation of tokens allows short burst of overlimit data to be still
passed without loss, but any lasting overload will cause packets to be
constantly dropped.

The Linux kernel seems to go beyond this specification, and also allows us
to limit the speed of the burst transmission. However, Alexey warns us:

<tscreen>
Note that the peak rate TBF is much more tough: with MTU 1500
P_crit = 150Kbytes/sec. So, if you need greater peak
rates, use alpha with HZ=1000 :-)
</tscreen>

FIXME: is this still true with TSC (pentium+)? Well sort of
<!-- It's like this (from sch_tbf.c):
  Note that the minimal timer resolution is 1/HZ.
  If no new packets arrive during this period,
  or if the device is not awaken by EOI for some previous packet.
  
  So it's true as long as the box is relativly quiet. On a busily
  routing box, it's limited by the bandwidth of the interface -->

FIXME: if not, add section on raising HZ

<sect1>Random Early Detect
<p>
RED has some extra smartness built in. When a TCP/IP session starts, neither
end knows the amount of bandwidth available. So TCP/IP starts to transmit
slowly and goes faster and faster, though limited by the latency at which
ACKs return.

Once a link is filling up, RED starts dropping packets, which indicate to
TCP/IP that the link is congested, and that it should slow down. The smart
bit is that RED simulates real congestion, and starts to drop some packets
some time before the link is entirely filled up. Once the link is completely
saturated, it behaves like a normal policer.

For more information on this, see the Backbone chapter.

<sect1>Ingress policer qdisc
<p> 

The Ingress qdisc comes in handy if you need to ratelimit a host without
help from routers or other Linux boxes. You can police incoming bandwidth
and drop packets when this bandwidth exceeds your desired rate. This can
save your host from a SYN flood, for example, and also works to slow down
TCP/IP, which responds to dropped packets by reducing speed.

FIXME: instead of dropping, can we also assign it to a real queue?

FIXME: shaping by dropping packets seems less desirable than using, for
example, a token bucket filter. Not sure though, Cisco CAR works this
way, and people appear happy with it.

See the reference to <ref id="CAR" name="IOS Committed Access Rate"> at the
end of this document.

<!--
FIXME: This fixme was a question, not a stated fact :-) - ahu

Old text:
For TCP/IP connections it is desirable to simply delay the packets rather
than drop them. TCP/IP responds to lost packets by abruptly reducing speed,
while if the packet is simply delayed, the slowdown is much more gradual.
It's also better for bandwidth usage, since dropped packets must be resent.

This is not quite true, see W. Stevens TCP/IP Illustrated series - ahu
-->

In short: you can use this to limit how fast your computer downloads files,
thus leaving more of the available bandwidth for others.

See the section on protecting your host from SYN floods for an example on
how this works.
<sect>Netfilter &amp; iproute - marking packets
<p>
So far we've seen how iproute works, and netfilter was mentioned a few
times. This would be a good time to browse through <url name="Rusty's Remarkably
Unreliable guides"
url="http://netfilter.kernelnotes.org/unreliable-guides/">. Netfilter itself
can be found <url name="here"
url="http://antarctica.penguincomputing.com/~netfilter/">.

Netfilter allows us to filter packets, or mangle their headers. One special
feature is that we can mark a packet with a number. This is done with the
--set-mark facility. 

As an example, this command marks all packets destined for port 25, outgoing
mail:

<tscreen><verb>
# iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport 25 \
 -j MARK --set-mark 1
</verb></tscreen>

Let's say that we have multiple connections, one that is fast (and
expensive, per megabyte) and one that is slower, but flat fee. We would most
certainly like outgoing mail to go via the cheap route.

We've already marked the packets with a '1', we now instruct the routing
policy database to act on this:

<tscreen><verb>
# echo 201 mail.out >> /etc/iproute2/rt_tables
# ip rule add fwmark 1 table mail.out
# ip rule ls
0:	from all lookup local 
32764:	from all fwmark        1 lookup mail.out 
32766:	from all lookup main 
32767:	from all lookup default 
</verb></tscreen>

Now we generate the mail.out table with a route to the slow but cheap link:
<tscreen><verb>
# /sbin/ip route add default via 195.96.98.253 dev ppp0 table mail.out
</verb></tscreen>

And we are done. Should we want to make exceptions, there are lots of ways
to achieve this. We can modify the netfilter statement to exclude certain
hosts, or we can insert a rule with a lower priority that points to the main
table for our excepted hosts.

We can also use this feature to honour TOS bits by marking packets with a
different type of service with different numbers, and creating rules to act
on that. This way you can even dedicate, say, an ISDN line to interactive
sessions.

Needless to say, this also works fine on a host that's doing NAT
('masquerading').

Note: for this to work, you need to have some options enabled in your
kernel:

<tscreen><verb>
IP: advanced router (CONFIG_IP_ADVANCED_ROUTER) [Y/n/?]
 IP: policy routing (CONFIG_IP_MULTIPLE_TABLES) [Y/n/?]
  IP: use netfilter MARK value as routing key (CONFIG_IP_ROUTE_FWMARK) [Y/n/?]
</verb></tscreen>

<sect>More classifiers
<p>

Classifiers are the way by which the kernel decides which queue a packet
should be placed into. There are various different classifiers, each of
which can be used for different purposes.

<descrip>
  <tag>fw</tag>
       Bases the decision on how the firewall has marked the packet.
       
  <tag>u32</tag>
       Bases the decision on fields within the packet (i.e. source IP address, etc)
       
  <tag>route</tag>
       Bases the decision on which route the packet will be routed by.
       
  <tag>rsvp, rsvp6</tag>
       Bases the decision on the target (destination,protocol) and optionally the source as well. (I think)
       
  <tag>tcindex</tag>
       FIXME: Fill me in
</descrip>

Note that in general there are many ways in which you can classify packet
and that it generally comes down to preference as to which system you wish
to use.

Classifiers in general accept a few arguments in common. They are listed here for convenience:

<descrip>
  <tag>protocol</tag>
      The protocol this classifier will accept. Generally you will only be
      accepting only IP traffic. Required.

  <tag>parent</tag>
      The handle this classifier is to be attached to. This handle must be
      an already existing class. Required.

  <tag>prio</tag>
      The priority of this classifier. Higher numbers get tested first.

  <tag>handle</tag>
      This handle means different things to different filters.

      FIXME: Add more
</descrip>

All the following sections will assume you are trying to shape the traffic
going to <tt>HostA</tt>. They will assume that the root class has been
configured on 1: and that the class you want to send the selected traffic to
is 1:1.

<sect1>The "fw" classifier
<p>  The "fw" classifier relies on the firewall tagging the packets to be shaped. So,
  first we will setup the firewall to tag them:

<tscreen><verb>
# iptables -I PREROUTING -t mangle -p tcp -d HostA \
 -j MARK --set-mark 1
</verb></tscreen>

  Now all packets to that machine are tagged with the mark 1. Now we build
  the packet shaping rules to actually shape the packets.  Now we just need
  to indicate that we want the packets that are tagged with the mark 1 to go
  to class 1:1. This is accomplished with the command:

<tscreen><verb>
# tc filter add dev eth1 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:1
</verb></tscreen>

  This should be fairly self-explanatory. Attach to the 1:0 class a filter
  with priority 1 to filter all packet marked with 1 in the firewall to
  class 1:1. Note how the handle here is used to indicate what the mark
  should be.

  That's all there is to it! This is the (IMHO) easy way, the other ways are
  I think harder to understand. Note that you can apply the full power of
  the firewalling code with this classifier, including matching MAC
  addresses, user IDs and anything else the firewall can match.

<sect1>The "u32" classifier
<p>
The U32 filter is the most advanced filter available in the current
implementation. It entirely based on hashing tables, which make it
robust when there are many filter rules.

In its simplest form the U32 filter is a list of records, each
consisting of two fields: a selector and an action. The selectors,
described below, are compared with the currently processed IP packet
until the first match and the associated action is performed. The
simplest type of action would be directing the packet into defined
CBQ class.

The commandline of <tt>tc filter</tt> program, used to configure the filter,
consists of three parts: filter specification, a selector and an action.
The filter specification can be defined as:

<tscreen><verb>
tc filter add dev IF [ protocol PROTO ]
                     [ (preference|priority) PRIO ]
                     [ parent CBQ ]
</verb></tscreen>

The <tt>protocol</tt> field describes protocol that the filter will be
applied to. We will only discuss case of <tt>ip</tt> protocol. The
<tt>preference</tt> field (<tt>priority</tt> can be used alternatively)
sets the priority of currently defined filter. This is important, since
you can have several filters (lists of rules) with different priorities.
Each list will be passed in the order the rules were added, then list with
lower priority (higher preference number) will be processed. The <tt>parent</tt>
field defines the CBQ tree top (e.g. 1:0), the filter should be attached
to.

The options decribed apply to all filters, not only U32.

<sect2>U32 selector

<p>
The U32 selector contains definition of the pattern, that will be matched
to the currently processed packet. Precisely, it defines which bits are
to be matched in the packet header and nothing more, but this simple
method is very powerful. Let's take a look at the following examplesm
taken directly from a pretty complex, real-world filter:

<tscreen><verb>
# filter parent 1: protocol ip pref 10 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:3 \
  match 00100000/00ff0000 at 0
</verb></tscreen>

<p>
For now, leave the first line alone - all these parameters describe
the filter's hash tables. Focus on the selector line, containing
<tt>match</tt> keyword. This selector will match to IP headers, whose
second byte will be 0x10 (0010). As you can guess, the 00ff number is
the match mask, telling the filter exactly which bits to match. Here
it's 0xff, so the byte will match if it's exactly 0x10. The <tt>at</tt>
keyword means that the match is to be started at specified offset (in
bytes) -- in this case it's beginning of the packet.  Translating all
that to human language, the packet will match if its Type of Service
field will have ,,low delay'' bits set. Let's analyze another rule:

<tscreen><verb>
# filter parent 1: protocol ip pref 10 u32 fh 800::803 order 2051 key ht 800 bkt 0 flowid 1:3 \
  match 00000016/0000ffff at nexthdr+0
</verb></tscreen>

<p>
The <tt>nexthdr</tt> option means next header encapsulated in the IP packet,
i.e. header of upper-layer protocol. The match will also start here
at the beginning of the next header. The match should occur in the
second, 32-bit word of the header. In TCP and UDP protocols this field
contains packet's destination port. The number is given in big-endian
format, i.e. older bits first, so we simply read 0x0016 as 22 decimal,
which stands for SSH service if this was TCP. As you guess, this match
is ambigous without a context, and we will discuss this later.

<p>
Having understood all the above, we will find the following selector
quite easy to read: <tt>match c0a80100/ffffff00 at 16</tt>. What we
got here is a three byte match at 17-th byte, counting from the IP
header start. This will match for packets with destination address
anywhere in 192.168.1/24 network. After analyzing the examples, we
can summarize what we have learnt.

<sect2>General selectors

<p>
General selectors define the pattern, mask and offset the pattern
will be matched to the packet contents. Using the general selectors
you can match virtually any single bit in the IP (or upper layer)
header. They are more difficult to write and read, though, than
specific selectors that described below. The general selector syntax
is:

<tscreen><verb>
match [ u32 | u16 | u8 ] PATTERN MASK [ at OFFSET | nexthdr+OFFSET]
</verb></tscreen>

<p>
One of the keywords <tt>u32</tt>, <tt>u16</tt> or <tt>u8</tt> specifies
length of the pattern in bits. PATTERN and MASK should follow, of length
defined by the previous keyword. The OFFSET parameter is the offset,
in bytes, to start matching. If <tt>nexthdr+</tt> keyword is given,
the offset is relative to start of the upper layer header.

<p>
Some examples:

<tscreen><verb>
# tc filter add dev ppp14 parent 1:0 prio 10 u32 \
     match u8 64 0xff at 8 \
     flowid 1:4
</verb></tscreen>

<p>
Packet will match to this rule, if its time to live (TTL) is 64.
TTL is the field starting just after 8-th byte of the IP header.

<tscreen><verb>
# tc filter add dev ppp14 parent 1:0 prio 10 u32 \
     match u8 0x10 0xff at nexthdr+13 \
     protocol tcp \
     flowid 1:3 \
</verb></tscreen>

<p>
This rule will only match TCP packets with ACK bit set. Here we can see
an example of using two selectors, the final result will be logical AND
of their results. If we take a look at TCP header diagram, we can see
that the ACK bit is second older bit (0x10) in the 14-th byte of the TCP
header (<tt>at nexthdr+13</tt>).  As for the second selector, if we'd like
to make our life harder, we could write <tt>match u8 0x06 0xff at 9</tt>
instead if using the specific selector <tt>protocol tcp</tt>, because
6 is the number of TCP protocol, present in 10-th byte of the IP header.
On the other hand, in this example we couldn't use any specific selector
for the first match - simply because there's no specific selector to match
TCP ACK bits.

<sect2>Specific selectors
<p>
The following table contains a list of all specific selectors 
the author of this section has found in the <tt>tc</tt> program
source code. They simply make your life easier and increase readability
of your filter's configuration.

FIXME: table placeholder - the table is in separate file ,,selector.html''

FIXME: it's also still in Polish :-(

FIXME: must be sgml'ized

Some examples:

<tscreen><verb>
# tc filter add dev ppp0 parent 1:0 prio 10 u32 \
     match ip tos 0x10 0xff \
     flowid 1:4
</verb></tscreen>

The above rule will match packets, which have the TOS field set to 0x10.
The TOS field starts at second byte of the packet and is one byte big,
so we coul write an equivalent general selector: <tt>match u8 0x10 0xff
at 1</tt>. This gives us hint to the internals of U32 filter -- the
specific rules are always translated to general ones, and in this
form they are stored in the kernel memory. This leads to another conclusion
-- the <tt>tcp</tt> and <tt>udp</tt> selectors are exactly the same
and this is why you can't use single <tt>match tcp dst 53 0xffff</tt>
selector to match TCP packets sent to given port -- they will also
match UDP packets sent to this port. You must remember to also specify
the protocol and end up with the following rule:

<tscreen><verb>
# tc filter add dev ppp0 parent 1:0 prio 10 u32 \
        match tcp dst 53 0xffff \
        match ip protocol 0x6 0xff \
        flowid 1:2
</verb></tscreen>

<!--
TODO:

describe more options

match
offset
hashkey
classid | flowid
divisor
order
link
ht
sample
police

-->

<sect1>The "route" classifier
<p>

  This classifier filters based on the results of the routing tables. When a
  packet that is traversing through the classes reaches one that is marked
  with the "route" filter, it splits the packets up based on information in
  the routing table.

<tscreen><verb>
# tc filter add dev eth1 parent 1:0 protocol ip prio 100 route
</verb></tscreen>

  Here we add a route classifier onto the parent node 1:0 with priority 100. 
  When a packet reaches this node (which, since it is the root, will happen
  immediately) it will consult the routing table and if one matches will
  send it to the given class and give it a priority of 100. Then, to finally
  kick it into action, you add the appropriate routing entry:

  The trick here is to define 'realm' based on either destination or source. 
  The way to do it is like this:

<tscreen><verb>
# ip route add Host/Network via Gateway dev Device realm RealmNumber
</verb></tscreen>
  
  For instance, we can define our destination network 192.168.10.0 with a realm
  number 10:
  
<tscreen><verb>
# ip route add 192.168.10.0/24 via 192.168.10.1 dev eth1 realm 10
</verb></tscreen>  

  When adding route filters, we can use realm numbers to represent the
  networks or hosts and specify how the routes match the filters.

<tscreen><verb>
# tc filter add dev eth1 parent 1:0 protocol ip prio 100 \
  route to 10 classid 1:10
</verb></tscreen>  

  The above rule says packets going to the network 192.168.10.0 match class id
  1:10.
  
  Route filter can also be used to match source routes. For example, there is 
  a subnetwork attached to the Linux router on eth2.

<tscreen><verb>
# ip route add 192.168.2.0/24 dev eth2 realm 2
# tc filter add dev eth1 parent 1:0 protocol ip prio 100 \
  route from 2 classid 1:2
</verb></tscreen>

  Here the filter specifies that packets from the subnetwork 192.168.2.0
  (realm 2) will match class id 1:2.

  
  

<sect1>The "rsvp" classifier
<p>FIXME: Fill me in

<sect1>The "tcindex" classifier
<p>FIXME: Fill me in

<sect>Kernel network parameters
<p>
The kernel has lots of parameters which can be tuned for different
circumstances. While, as usual, the default parameters serve 99% of
installations very well, we don't call this the Advanced HOWTO for the fun
of it!

The interesting bits are in /proc/sys/net, take a look there. Not everything
will be documented here initially, but we're working on it.
<sect1>Reverse Path Filtering
<p>
By default, routers route everything, even packets which 'obviously' don't
belong on your network. A common example is private IP space escaping onto
the internet. If you have an interface with a route of 195.96.96.0/24 to it,
you do not expect packets from 212.64.94.1 to arrive there.

Lots of people will want to turn this feature off, so the kernel hackers
have made it easy. There are files in <file>/proc</file> where you can tell
the kernel to do this for you. The method is called "Reverse Path
Filtering". Basically, if the reply to this packet wouldn't go out the
interface this packet came in, then this is a bogus packet and should be
ignored.

The following fragment will turn this on for all current and future
interfaces.

<tscreen><verb>
# for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
&gt;  echo 2 > $i 
&gt; done
</verb></tscreen>

Going by the example above, if a packet arrived on the Linux router on eth1
claiming to come from the Office+ISP subnet, it would be dropped. Similarly,
if a packet came from the Office subnet, claiming to be from somewhere
outside your firewall, it would be dropped also.

The above is full reverse path filtering. The default is to only filter
based on IPs that are on directly connected networks. This is because the
full filtering breaks in the case of asymmetric routing (where packets come
in one way and go out another, like satellite traffic, or if you have
dynamic (bgp, ospf, rip) routes in your network. The data comes down
through the satellite dish and replies go back through normal land-lines).

If this exception applies to you (and you'll probably know if it does) you
can simply turn off the <file>rp_filter</file> on the interface where the
satellite data comes in. If you want to see if any packets are being
dropped, the <file>log_martians</file> file in the same directory will tell
the kernel to log them to your syslog.

<tscreen><verb>
# echo 1 >/proc/sys/net/ipv4/conf/<interfacename>/log_martians
</verb></tscreen>

FIXME: is setting the conf/{default,all}/* files enough? - martijn

<sect1>Obscure settings
<p>
Ok, there are a lot of parameters which can be modified. We try to list them
all. Also documented (partly) in <file>Documentation/ip-sysctl.txt</file>.

Some of these settings have different defaults based on wether you 
answered 'Yes' to 'Configure as router and not host' while compiling your
kernel.

<sect2>Generic ipv4
<p>
As a generic note, most rate limiting features don't work on loopback, so
don't test them locally.
<descrip>
<tag>/proc/sys/net/ipv4/icmp_destunreach_rate</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/icmp_echo_ignore_all</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts [Useful]</tag>
If you ping the broadcast address of a network, all hosts are supposed to
respond. This makes for a dandy denial-of-service tool. Set this to 1 to
ignore these broadcast messages.
<tag>/proc/sys/net/ipv4/icmp_echoreply_rate</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/icmp_paramprob_rate</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/icmp_timeexceed_rate</tag>
This the famous cause of the 'Solaris middle star' in traceroutes. Limits
number of ICMP Time Exceeded messages sent. 
FIXME: Units of these rates - either I'm stupid, or this just doesn't work
<tag>/proc/sys/net/ipv4/igmp_max_memberships</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/inet_peer_gc_maxtime</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/inet_peer_gc_mintime</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/inet_peer_maxttl</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/inet_peer_minttl</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/inet_peer_threshold</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/ip_autoconfig</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/ip_default_ttl</tag>
Time To Live of packets. Set to a safe 64. Raise it if you have a huge
network. Don't do so for fun - routing loops cause much more damage that
way. You might even consider lowering it in some circumstances.
<tag>/proc/sys/net/ipv4/ip_dynaddr</tag>
You need to set this if you use dial-on-demand with a dynamic interface
address. Once your demand interface comes up, any queued packets will be
rebranded to have the right address. This solves the problem that the
connection that brings up your interface itself does not work, but the
second try does.
<tag>/proc/sys/net/ipv4/ip_forward</tag>
If the kernel should attempt to forward packets. Off by default for hosts,
on by default when configured as a router.
<tag>/proc/sys/net/ipv4/ip_local_port_range</tag>
Range of local ports for outgoing connections. Actually quite small by
default, 1024 to 4999.
<tag>/proc/sys/net/ipv4/ip_no_pmtu_disc</tag>
Set this if you want to disable Path MTU discovery - a technique to
determince the largest Maximum Transfer Unit possible on you path.
<tag>/proc/sys/net/ipv4/ipfrag_high_thresh</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/ipfrag_low_thresh</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/ipfrag_time</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/tcp_abort_on_overflow</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/tcp_fin_timeout</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/tcp_keepalive_intvl</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/tcp_keepalive_probes</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/tcp_keepalive_time</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/tcp_max_orphans</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/tcp_max_syn_backlog</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/tcp_max_tw_buckets</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/tcp_orphan_retries</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/tcp_retrans_collapse</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/tcp_retries1</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/tcp_retries2</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/tcp_rfc1337</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/tcp_sack</tag>
Use Selective ACK which can be used to signify that only a single packet is
missing - therefore helping fast recovery.
<tag>/proc/sys/net/ipv4/tcp_stdurg</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/tcp_syn_retries</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/tcp_synack_retries</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/tcp_timestamps</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/tcp_tw_recycle</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/tcp_window_scaling</tag>
TCP/IP normally allows windows up to 65535 bytes big. For really fast
networks, this may not be enough. The window scaling options allows for
almost gigabyte windows, which is good for high bandwidth*delay products.

</descrip>
<sect2>Per device settings
<p>
DEV can either stand for a real interface, or for 'all' or 'default'.
Default also changes settings for interfaces yet to be created.
<descrip>
<tag>/proc/sys/net/ipv4/conf/DEV/accept_redirects</tag>
If a router decides that you are using it for a wrong purpose (ie, it needs
to resend your packet on the same interface), it will send us a ICMP
Redirect. This is a slight security risk however, so you may want to turn it
off, or use secure redirects.
<tag>/proc/sys/net/ipv4/conf/DEV/accept_source_route</tag>
Not used very much anymore. You used to be able to give a packet a list of
IP addresses it should visit on its way. Linux can be made to honor this IP
option.
<tag>/proc/sys/net/ipv4/conf/DEV/bootp_relay</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/conf/DEV/forwarding</tag>
FIXME:
<tag>/proc/sys/net/ipv4/conf/DEV/log_martians</tag>
See the section on reverse path filters.
<tag>/proc/sys/net/ipv4/conf/DEV/mc_forwarding</tag>
If we do multicast forwarding on this interface
<tag>/proc/sys/net/ipv4/conf/DEV/proxy_arp</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/conf/DEV/rp_filter</tag>
See the section on reverse path filters.
<tag>/proc/sys/net/ipv4/conf/DEV/secure_redirects</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/conf/DEV/send_redirects</tag>
If we send the above mentioned redirects.
<tag>/proc/sys/net/ipv4/conf/DEV/shared_media</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/conf/DEV/tag</tag>
FIXME: fill this in

</descrip>

<sect2> Neighbor pollicy
<p>
Dev can either stand for a real interface, or for 'all' or 'default'.
Default also changes settings for interfaces yet to be created.
<descrip>
<tag>/proc/sys/net/ipv4/neigh/DEV/anycast_delay</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/neigh/DEV/app_solicit</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/neigh/DEV/base_reachable_time</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/neigh/DEV/delay_first_probe_time</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/neigh/DEV/gc_stale_time</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/neigh/DEV/locktime</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/neigh/DEV/mcast_solicit</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/neigh/DEV/proxy_delay</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/neigh/DEV/proxy_qlen</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/neigh/DEV/retrans_time</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/neigh/DEV/ucast_solicit</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/neigh/DEV/unres_qlen</tag>
FIXME: fill this in

</descrip>

<sect2>Routing settings
<p>
<descrip>
<tag>/proc/sys/net/ipv4/route/error_burst</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/route/error_cost</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/route/flush</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/route/gc_elasticity</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/route/gc_interval</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/route/gc_min_interval</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/route/gc_thresh</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/route/gc_timeout</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/route/max_delay</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/route/max_size</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/route/min_adv_mss</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/route/min_delay</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/route/min_pmtu</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/route/mtu_expires</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/route/redirect_load</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/route/redirect_number</tag>
FIXME: fill this in
<tag>/proc/sys/net/ipv4/route/redirect_silence</tag>
FIXME: fill this in
</descrip>


<sect>Backbone applications of traffic control
<p>
This chapter is meant as an introduction to backbone routing, which often
involves >100 megabit bandwidths, which requires a different approach then
your ADSL modem at home.

<sect1>Router queues
<p>
The normal behaviour of router queues on the Internet is called tail-drop.
Tail-drop works by queueing up to a certain amount, then dropping all traffic
that 'spills over'. This is very unfair, and also leads to retransmit 
synchronisation. When retransmit synchronisation occurs, the sudden burst
of drops from a router that has reached its fill will cause a delayed burst
of retransmits, which will over fill the congested router again. 

In order to cope with transient congestion on links, backbone routers will
often implement large queues. Unfortunately, while these queues are good for
throughput, they can substantially increase latency and cause TCP
connections to behave very bursty during congestion.

These issues with tail-drop are becoming increasingly troublesome on the
Internet because the use of network unfriendly applications is increasing.
The Linux kernel offers us RED, short for Random Early Detect.

RED isn't a cure-all for this, applications which inappropriately fail to 
implement exponential backoff still get an unfair share of the bandwidth,
however, with RED they do not cause as much harm to the throughput and
latency of other connections.

RED statistically drops packets from flows before it reaches its hard
limit. This causes a congested backbone link to slow more gracefully, and
prevents retransmit synchronisation. This also helps TCP find its 'fair'
speed faster by allowing some packets to get dropped sooner keeping queue
sizes low and latency under control. The probability of a packet being
dropped from a particular connection is proportional to its bandwidth usage
rather then the number of packets it transmits. 

RED is a good queue for backbones, where you can't afford the 
complexity of per-session state tracking needed by fairness queueing.

In order to use RED, you must decide on three parameters: Min, Max, and
burst. Min sets the minimum queue size in bytes before dropping will begin,
Max is a soft maximum that the algorithm will attempt to stay under, and
burst sets the maximum number of packets that can 'burst through'.

You should set the min by calculating that highest acceptable base queueing 
latency you wish, and multiply it by your bandwidth. For instance, on my 
64kbit/s ISDN link, I might want a base queueing latency of 200ms so I set
min to 1600 bytes. Setting min too small will degrade throughput and too
large will degrade latency. Setting a small min is not a replacement for
reducing the MTU on a slow link to improve interactive response.

You should make max at least twice min to prevent synchronisation. On slow
links with small min's it might be wise to make max perhaps four or
more times large then min.

Burst controls how the RED algorithm responds to bursts. Burst must be set
large then min/avpkt. Experimentally, I've found (min+min+max)/(3*avpkt) to
work okay.

Additionally, you need to set limit and avpkt. Limit is a safety value, after
there are limit bytes in the queue, RED 'turns into' tail-drop. I typical set
limit to eight times max. Avpkt should be your average packet size. 1000
works okay on high speed Internet links with a 1500byte MTU. 

Read <url url="http://www.aciri.org/floyd/papers/red/red.html"
name="the paper on RED queueing"> by Sally Floyd and Van Jacobson for technical
information.

FIXME: more needed. This means *you* greg :-) - ahu


<sect>Shaping Cookbook
<p>
This section contains 'cookbook' entries which may help you solve problems.
A cookbook is no replacement for understanding however, so try and comprehend
what is going on. 
<!-- 
<sect1>Reserving bandwidth for your IRC server
<p>
Recently the IRC networks have been plagued by distributed denial of service
attacks. The aim of some of these attacks is to disrupt communication
between servers which split the network. You then join the splitted part
of the network. Because nobody else is there, the server assigns you
operator status. You then stop the disruption, the network rejoins and
voila, you can take over the channel.

This silly behaviour is seriously damaging IRC, and luckily, Linux is there
to protect it :-) 

We need to be smarter than your average scriptkid, so we'll use some
advanced netfilter features to help us.
-->

<sect1>Running multiple sites with different SLAs
<p>
You can do this in several ways. Apache has some support for this with a
module, but we'll show how Linux can do this for you, and do so for other
services as well. These commands are stolen from a presentation by Jamal
Hadi that's referenced below.

Let's say we have two customers, with http, ftp and streaming audio, and we
want to sell them a limited amount of bandwidth. We do so on the server itself.

Customer A should have at most 2 megabits, cusomer B has paid for 5
megabits. We separate our customers by creating virtual IP addresses on our
server.

<tscreen><verb>
# ip address add 188.177.166.1 dev eth0
# ip address add 188.177.166.2 dev eth0
</verb></tscreen>

It is up to you to attach the different servers to the right IP address. All
popular daemons have support for this.

We first attach a CBQ qdisc to eth0:
<tscreen><verb>
# tc qdisc add dev eth0 root handle 1: bandwidth 10Mbit cell 8 avpkt 1000 \
  mpu 64
</verb></tscreen>

We then create classes for our customers:

<tscreen><verb>
# tc class add dev eth0 parent 1:0 classid 1:1 cbq bandwidth 10Mbit rate \
  2MBit avpkt 1000 prio 5 bounded isolated allot 1514 weight 1 maxburst 21
# tc class add dev eth0 parent 1:0 classid 1:2 cbq bandwidth 10Mbit rate \
  5Mbit avpkt 1000 prio 5 bounded isolated allot 1514 weight 1 maxburst 21
</verb></tscreen>

Then we add filters for our two classes:
<tscreen><verb>
##FIXME: Why this line, what does it do?, what is a divisor?:
##FIXME: A divisor has something to do with a hash table, and the number of
##       buckets - ahu
# tc filter add dev eth0 parent 1:0 protocol ip prio 5 handle 1: u32 divisor 1
# tc filter add dev eth0 parent 1:0 prio 5 u32 match ip src 188.177.166.1
  flowid 1:1
# tc filter add dev eth0 parent 1:0 prio 5 u32 match ip src 188.177.166.2
  flowid 1:2
</verb></tscreen>

And we're done.

FIXME: why no token bucket filter? is there a default pfifo_fast fallback
somewhere?

<sect1>Protecting your host from SYN floods 
<p>From Alexeys iproute documentation, adapted to netfilter and with more
plausible paths. If you use this, take care to adjust the numbers to
reasonable values for your system.

If you want to protect an entire network, skip this script, which is best
suited for a single host.

<tscreen><verb>
#! /bin/sh -x
#
# sample script on using the ingress capabilities
# this script shows how one can rate limit incoming SYNs
# Useful for TCP-SYN attack protection. You can use
# IPchains to have more powerful additions to the SYN (eg 
# in addition the subnet)
#
#path to various utilities;
#change to reflect yours.
#
TC=/sbin/tc
IP=/sbin/ip
IPTABLES=/sbin/iptables
INDEV=eth2
#
# tag all incoming SYN packets through $INDEV as mark value 1
############################################################ 
$iptables -A PREROUTING -i $INDEV -t mangle -p tcp --syn \
  -j MARK --set-mark 1
############################################################ 
#
# install the ingress qdisc on the ingress interface
############################################################ 
$TC qdisc add dev $INDEV handle ffff: ingress
############################################################ 

#
# 
# SYN packets are 40 bytes (320 bits) so three SYNs equals
# 960 bits (approximately 1kbit); so we rate limit below
# the incoming SYNs to 3/sec (not very sueful really; but
#serves to show the point - JHS
############################################################ 
$TC filter add dev $INDEV parent ffff: protocol ip prio 50 handle 1 fw \
police rate 1kbit burst 40 mtu 9k drop flowid :1
############################################################ 


#
echo "---- qdisc parameters Ingress  ----------"
$TC qdisc ls dev $INDEV
echo "---- Class parameters Ingress  ----------"
$TC class ls dev $INDEV
echo "---- filter parameters Ingress ----------"
$TC filter ls dev $INDEV parent ffff:

#deleting the ingress qdisc
#$TC qdisc del $INDEV ingress
</verb></tscreen>
<sect1>Ratelimit ICMP to prevent dDoS
<p>
Recently, distributed denial of service attacks have become a major nuisance
on the internet. By properly filtering and ratelimiting your network, you can
both prevent becoming a casualty or the cause of these attacks.

You should filter your networks so that you do not allow non-local IP source
addressed packets to leave your network. This stops people from anonymously
sending junk to the internet. 

<!-- FIXME: netfilter one liner.  Is there a netfilter one-liner? Martijn -->


Rate limiting goes much as shown earlier. To refresh your memory, our
ASCIIgram again:

<tscreen><verb>
[The Internet] ---<E3, T3, whatever>--- [Linux router] --- [Office+ISP]
                                      eth1          eth0
</verb></tscreen>

We first set up the prerequisite parts:

<tscreen><verb>
# tc qdisc add dev eth0 root handle 10: cbq bandwidth 10Mbit avpkt 1000
# tc class add dev eth0 parent 10:0 classid 10:1 cbq bandwidth 10Mbit rate \
  10Mbit allot 1514 prio 5 maxburst 20 avpkt 1000
</verb></tscreen>

If you have 100Mbit, or more, interfaces, adjust these numbers. Now you need
to determine how much ICMP traffic you want to allow. You can perform
measurements with tcpdump, by having it write to a file for a while, and
seeing how much ICMP passes your network. Do not forget to raise the
snapshot length!

If measurement is impractical, you might want to choose 5% of your available
bandwidth. Let's set up our class:
<tscreen><verb>
# tc class add dev eth0 parent 10:1 classid 10:100 cbq bandwidth 10Mbit rate \
  100Kbit allot 1514 weight 800Kbit prio 5 maxburst 20 avpkt 250 \
  bounded
</verb></tscreen>

This limits at 100Kbit. Now we need a filter to assign ICMP traffic to this
class:
<tscreen><verb>
# tc filter add dev eth0 parent 10:0 protocol ip prio 100 u32 match ip
  protocol 1 0xFF flowid 10:100

</verb></tscreen>

<sect1>Prioritising interactive traffic
<p>
If lots of data is coming down your link, or going up for that matter, and
you are trying to do some maintenance via telnet or ssh, this may not go too
well. Other packets are blocking your keystrokes. Wouldn't it be great if
there were a way for your interactive packets to sneak past the bulk
traffic? Linux can do this for you!

As before, we need to handle traffic going both ways. Evidently, this works
best if there are Linux boxes on both ends of your link, although other
UNIX's are able to do this. Consult your local Solaris/BSD guru for this.

The standard pfifo_fast scheduler has 3 different 'bands'. Traffic in band 0
is transmitted first, after which traffic in band 1 and 2 gets considered.
It is vital that our interactive traffic be in band 0!

We blatantly adapt from the (soon to be obsolete) ipchains HOWTO:

There are four seldom-used bits in the IP header, called the Type of Service
(TOS) bits. They effect the way packets are treated; the four bits are
"Minimum Delay", "Maximum Throughput", "Maximum Reliability" and "Minimum
Cost". Only one of these bits is allowed to be set. Rob van Nieuwkerk, the
author of the ipchains TOS-mangling code, puts it as follows:

<tscreen>
Especially the "Minimum Delay" is important for me. I switch it on for
"interactive" packets in my upstream (Linux) router. I'm
behind a 33k6 modem link. Linux prioritises packets in 3 queues. This
way I get acceptable interactive performance while doing bulk
downloads at the same time. 
</tscreen>

The most common use is to set telnet & ftp control connections to "Minimum
Delay" and FTP data to "Maximum Throughput". This would be
done as follows, on your upstream router:

<tscreen><verb>
# iptables -A PREROUTING -t mangle -p tcp --sport telnet \
  -j TOS --set-tos Minimize-Delay
# iptables -A PREROUTING -t mangle -p tcp --sport ftp \
  -j TOS --set-tos Minimize-Delay
# iptables -A PREROUTING -t mangle -p tcp --sport ftp-data \
  -j TOS --set-tos Maximize-Throughput
</verb></tscreen>

Now, this only works for data going from your telnet foreign host to your
local computer. The other way around appears to be done for you, ie, telnet,
ssh & friends all set the TOS field on outgoing packets automatically.

Should you have a client that does not do this, you can always do it with
netfilter. On your local box:

<tscreen><verb>
# iptables -A OUTPUT -t mangle -p tcp --dport telnet \
  -j TOS --set-tos Minimize-Delay
# iptables -A OUTPUT -t mangle -p tcp --dport ftp \
  -j TOS --set-tos Minimize-Delay
# iptables -A OUTPUT -t mangle -p tcp --dport ftp-data \
  -j TOS --set-tos Maximize-Throughput
</verb></tscreen>

<sect>Advanced Linux Routing
<p>
This section is for all you people who either want to understand why the
whole system works or have a configuration that's so bizarre that you
need the low down to make it work.

This section is completely optional. It's quite possible that this section
will be quite complex and really not intended for normal users. You have
been warned.

FIXME: Decide what really need to go in here.
<sect1>How does packet queueing really work?
<p>This is the low-down on how the packet queueing system really works.

Lists the steps the kernel takes to classify a packet, etc...

FIXME: Write this.

<sect1>Advanced uses of the packet queueing system
<p>Go through Alexeys extremely tricky example involving the unused bits
in the TOS field.

FIXME: Write this.

<sect1>Other packet shaping systems
<p>I'd like to include a brief description of other packet shaping systems
in other operating systems and how they compare to the Linux one. Since Linux
is one of the few OSes that has a completely original (non-BSD derived) TCP/IP
stack, I think it would be useful to see how other people do it.

Unfortunately I have no experiene with other systems so cannot write this.

FIXME: Anyone? - Martijn

<sect>Dynamic routing - OSPF and BGP
<p>
Once your network starts to get really big, or you start to consider 'the
internet' as your network, you need tools which dynamically route your data.
Sites are often connected to each other with multiple links, and more are
popping up all the time. 

The Internet has mostly standardised on OSPF and BGP4 (rfc1771). Linux
supports both, by way of <tt>gated</tt> and <tt>zebra</tt>

While currently not within the scope of this document, we would like to
point you to the definitive works:
 
Overview:
 
  Cisco Systems
  <url
url="http://www.cisco.com/univercd/cc/td/doc/cisintwk/idg4/nd2003.htm"
name="Designing large-scale IP internetworks">

 
 
For OSPF:
 
  Moy, John T.
  "OSPF.  The anatomy of an Internet routing protocol"
  Addison Wesley. Reading, MA. 1998.
 
Halabi has also written a good guide to OSPF routing design, but this
appears to have been dropped from the Cisco web site.
 
 
For BGP:
 
  Halabi, Bassam
  "Internet routing architectures"
  Cisco Press (New Riders Publishing). Indianapolis, IN. 1997.
 
also
 
  Cisco Systems
  
  <url
url="http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/icsbgp4.htm"
name="Using the Border Gateway Protocol for interdomain routing">

 
Although the examples are Cisco-specific, they are remarkably similar
to the configuration language in Zebra :-)
<sect>Further reading
<p>
<descrip>
<tag><url url="http://snafu.freedom.org/linux2.2/iproute-notes.html"
name="http://snafu.freedom.org/linux2.2/iproute-notes.html"></tag>
Contains lots of technical information, comments from the kernel
<tag><url url="http://www.davin.ottawa.on.ca/ols/"
name="http://www.davin.ottawa.on.ca/ols/"></tag>
Slides by Jamal Hadi, one of the authors of Linux traffic control
<tag><url url="http://defiant.coinet.com/iproute2/ip-cref/"
name="http://defiant.coinet.com/iproute2/ip-cref/"></tag>
HTML version of Alexeys LaTeX documentation - explains part of iproute2 in
great detail
<tag><url url="http://www.aciri.org/floyd/cbq.html"
name="http://www.aciri.org/floyd/cbq.html"></tag>
Sally Floyd has a good page on CBQ, including her original papers. None of
it is Linux specific, but it does a fair job discussing the theory and uses
of CBQ.
Very technical stuff, but good reading for those so inclined. 

<tag><url url="http://ceti.pl/%7ekravietz/cbq/NET4_tc.html" name="http://ceti.pl/%7ekravietz/cbq/NET4_tc.html"></tag>
Yet another HOWTO, this time in Polish! You can copy/paste command lines
however, they work just the same in every language. The author is
cooperating with us and may soon author sections of this HOWTO.

<tag><url
url="http://snafu.freedom.org/linux2.2/docs/draft-almesberger-wajhak-diffserv-linux-00.txt"
name="Differentiated Services on Linux"></tag>
Discussion on how to use Linux in a diffserv compliant environment. Pretty
far removed from your everyday routing needs, but very interesting none the
less. We may include a section on this at a later date.

<tag><url
url="http://www.cisco.com/univercd/cc/td/doc/product/software/ios111/cc111/car.htm"
name="IOS Committed Access Rate"></tag>
<label id="CAR">
>From the helpful folks of Cisco who have the laudable habit of putting
their documentation online. Cisco syntax is different but the concepts are
the same, except that we can do more and do it without routers the price of
cars :-)

<tag>TCP/IP Illustrated, volume 1, W. Richard Stevens, ISBN 0-201-63346-9</tag>
Required reading if you truly want to understand TCP/IP. Entertaining as
well.

</descrip> 
<sect>Acknowledgements 
<p> 
It is our goal to list everybody who has contributed to this HOWTO, or
helped us demistify how things work. While there are currently no plans
for a Netfilter type scoreboard, we do like to recognise the people who are
helping.

<itemize>
<item>Jamal Hadi &lt;hadi%cyberus.ca&gt;
<item>Nadeem Hasan &lt;nhasan@usa.net&gt;
<item>Jason Lunz &lt;j@cc.gatech.edu&gt;
<item>Alexey Mahotkin &lt;alexm@formulabez.ru&gt;
<item>Pawel Krawczyk &lt;kravietz%alfa.ceti.pl&gt;
<item>Wim van der Most 
<item>Glen Turner &lt;glen.turner%aarnet.edu.au&gt;
<item>Song Wang &lt;wsong@ece.uci.edu&gt;
</itemize>

</article>