Hazard's stuff

10 Feb, 2008

Linux tc multi-level massive hashing

— Posted by hazard @ 08-02-10 09:33
It is little known that Linux tc traffic-shaping framework supports multi-depth filter hashing, allowing to reduce CPU load for installations with a lot of filters. Here is how to configure it.

Say, we have an installation with several thousand hosts in 10.1.C.D and 10.2.C.D ranges. First, we create hash table for 10.1.0.0/16:

tc filter add dev eth3 parent 1:0 prio 1 handle 100: protocol ip u32 divisor 256

tc filter add dev eth3 protocol ip parent 1:0 prio 1 u32 ht 800:: match ip dst 10.1.0.0/16 hashkey mask 0x0000ff00 at 16 link 100:


 This instructs the kernel to create hash table 100 (hex!) with 256 buckets. The next line assigns a filter which would make all traffic with destination IP in 10.1.0.0/16 range be looked up in this hash table ("link 100:") using the the third (C) IP address octet ("hashkey mask 0x0000ff00 at 16").

The next command does the same, but for 10.2.0.0/16:

tc filter add dev eth3 parent 1:0 prio 1 handle 101: protocol ip u32 divisor 256

tc filter add dev eth3 protocol ip parent 1:0 prio 1 u32 ht 800:: match ip dst 10.2.0.0/16 hashkey mask 0x0000ff00 at 16 link 101:


 Now, we create a hash table for every /24 subnet used inside these /16 ranges. Say, for 10.1.1.0/24:

tc filter add dev eth3 parent 1:0 prio 1 handle 201: protocol ip u32 divisor 256

tc filter add dev eth3 protocol ip parent 1:0 prio 1 u32 ht 100:1: match ip dst 10.1.1.0/24 hashkey mask 0x000000ff at 16 link 201:


 First line creates a hash table 201 with 256 buckets. The second line is more complex: "ht 100:1:" means that this filter is to be placed into hash table 100, bucket 1 (hex). So, considering the filter for hash table 100, that means this rule will be evaluate when the third (C) octet of the IP address matches 1, e.g. 10.1.1.X, and then do a further lookup in the hash table 201 ("link 201:"). "hashkey mask 0x000000ff at 16" means that lookup will happen in table 201 using the fourth (D) octet of the IP address, e.g. 10.1.1.1 goes into table 201 bucket 1, 10.1.1.2 into bucket 2, 10.1.1.3 into bucket 3 etc.

We go on with similar configuration for 10.1.2.0/24, 10.2.1.0/24, 10.2.2.0/24, assigning a unique hash table number for each subnet:

# 10.1.2.0/24
tc filter add dev eth3 parent 1:0 prio 1 handle 202: protocol ip u32 divisor 256

tc filter add dev eth3 protocol ip parent 1:0 prio 1 u32 ht 100:2: match ip dst 10.1.2.0/24 hashkey mask 0x000000ff at 16 link 200:
# 10.2.1.0/24
tc filter add dev eth3 parent 1:0 prio 1 handle 203: protocol ip u32 divisor 256

tc filter add dev eth3 protocol ip parent 1:0 prio 1 u32 ht 100:1: match ip dst 10.2.1.0/24 hashkey mask 0x000000ff at 16 link 203:
# 10.2.2.0/24
tc filter add dev eth3 parent 1:0 prio 1 handle 204: protocol ip u32 divisor 256

tc filter add dev eth3 protocol ip parent 1:0 prio 1 u32 ht 100:2: match ip dst 10.2.1.0/24 hashkey mask 0x000000ff at 16 link 204:


 Note that ht values for 10.2.1.0 and 10.1.1.0 are the same ("ht 100:1:"). This is because the third octet is the same, so rules go into the same bucket. For the same reason ht for both 10.2.2.0 and 10.1.2.0 is (100:2:).

The last step is to populate hash tables for the fourth (D) octet, e.g. for 10.1.1.D:

tc filter add dev eth3 parent 1:0 protocol ip prio 1 u32 ht 201:1: match ip dst 10.1.1.1/32 flowid 1:10

tc filter add dev eth3 parent 1:0 protocol ip prio 1 u32 ht 201:2: match ip dst 10.1.1.2/32 flowid 1:20

tc filter add dev eth3 parent 1:0 protocol ip prio 1 u32 ht 201:3: match ip dst 10.1.1.3/32 flowid 1:10

tc filter add dev eth3 parent 1:0 protocol ip prio 1 u32 ht 201:a: match ip dst 10.1.1.10/32 flowid 1:10



 For example, fourth octet of 10.1.1.1 is 1, so the kernel will look for a rule in hash table 201, bucket 1. That's why the first line contains "ht 201:1:". Similarly, for 10.1.1.2 we use "ht 201:2:". Remember, all ht values are in hex. That's why 10.1.1.10 has "ht 201:a:". "flowid 1:10" indicates which class this filter belongs to - probably you are using HTB for shaping and this would be one of its classes (say, gold or bronze).

Apply the same approach to hosts in other subnets:

# Hosts in 10.1.2.0/24
tc filter add dev eth3 parent 1:0 protocol ip prio 1 u32 ht 202:1: match ip dst 10.1.2.1/32 flowid 1:20

tc filter add dev eth3 parent 1:0 protocol ip prio 1 u32 ht 202:2: match ip dst 10.1.2.2/32 flowid 1:10

tc filter add dev eth3 parent 1:0 protocol ip prio 1 u32 ht 202:3: match ip dst 10.1.2.3/32 flowid 1:20
# Hosts in 10.2.1.0/24
tc filter add dev eth3 parent 1:0 protocol ip prio 1 u32 ht 203:1: match ip dst 10.2.1.1/32 flowid 1:20

tc filter add dev eth3 parent 1:0 protocol ip prio 1 u32 ht 203:2: match ip dst 10.2.1.2/32 flowid 1:10

tc filter add dev eth3 parent 1:0 protocol ip prio 1 u32 ht 203:3: match ip dst 10.2.1.3/32 flowid 1:20
# Hosts in 10.2.2.0/24
tc filter add dev eth3 parent 1:0 protocol ip prio 1 u32 ht 204:1: match ip dst 10.2.2.1/32 flowid 1:10

tc filter add dev eth3 parent 1:0 protocol ip prio 1 u32 ht 204:2: match ip dst 10.2.2.2/32 flowid 1:20

tc filter add dev eth3 parent 1:0 protocol ip prio 1 u32 ht 204:3: match ip dst 10.2.2.3/32 flowid 1:10


 Done!


Comments

  1. hmm the font-size is a littlebit to small or, on the firefox browser!

    Posted by free blogger — 24 Jan 2009, 16:46

  2. The Pirate BayRunescape Money trial just Runescape Power levelingwrapped up its Runescape Goldfourth day in Final Fantasy XI gilSweden, making front-page ffxi gilheadlines in localbuy ffxi gil papers ("Fiasco dofus kamasfor prosecution in Piratekamas dofus Bay case," dofus kamassaid one) and kamas dofusstirring up comments from Abbadofus kamas members ("Is it reallykamas dofus so damn difficult to pay your way?"dofus kamas asked Bj?rn Ulvaeus). kamas dofusMusic trade groupdofus kamas IFPI even had its local Swedish kamas dofuswebsite hacked and buy kamasdefaced by a group called "The new generation.

    Posted by bgg — 23 Feb 2009, 18:52

  3. Would some one put here EVERY command needed to make this work?
    How to create class and parent and rate limit, handle etc.?

    Posted by tzihad — 24 Feb 2009, 04:54

  4. Is it good to do multilevel hashing in this SUBnet order /20 -> /23-> /26 -> /28... soo that in every level it needs max8 & avg4 steps to find filter/class.

    Posted by hiphin — 11 Mar 2009, 16:19

  5. hey,find wow power leveling click here

    Posted by fds — 03 Aug 2009, 00:17

  6. hey,find wow power leveling click here

    Posted by fsd — 18 Aug 2009, 22:00

  7. wow goldwow goldwow goldtks

    Posted by wowgold — 16 Sep 2009, 22:35

  8. What replica handbags one could replica handbags glean wholesale handbags from the wholesale handbags voluminous louis vuitton file were louis vuitton the type louis vuitton handbags of things louis vuitton handbags his many replica handbags biographers replica handbags would wholesale handbags probably relegate wholesale handbags to louis vuitton footnotes -- louis vuitton or louis vuitton handbags not include louis vuitton handbags at all. replica handbags That Jackson replica handbags, for wholesale handbags example wholesale handbags was the louis vuitton type of louis vuitton person who louis vuitton handbags smiled for louis vuitton handbags drivers license photos.

    Posted by replica hangbags — 23 Dec 2009, 19:03

  9. Professional Gold Service
    Tibiamoney.com is a true, customer oriented platform that cuts out the retailers' profit. Furthermore, to ensure more competitive prices, we utilize a price analysis system to

    compare prices on the fly in more than 40 Tibia Gold stores and adjust our price so that it remains the lowest. We have also adopted a unified Gold price so that the price on

    the server is the same, regardless of seller. Therefore, the price in Tibiamoney is the most competitive. As for the service, you need not worry about communication with the

    sellers. Tibiamoney provides universal customer service and bears final responsibility for each transaction.
    Please log in our site:
    http://www.tibiamoney.com
    [url=http://www.tibiamoney.com]tibia gold[/url]
    [url=http://www.tibiamoney.com]tibia money[/url]
    [url=http://www.gamegoldcoin.com]tibia gold[/url]
    [url=http://www.tibiagoods.com]tibia gold[/url]
    [url=http://www.18min.com]tibia gold[/url]
    [url=http://www.10minget.com]tibia gold[/url]
    [url=http://www.gamezmoney.com]tibia gold[/url]
    tibia gold
    tibia money
    tibia gold
    tibia gold
    tibia gold
    tibia gold
    tibia gold
    guildwars gold
    tibia gold
    guildwars money
    tibia gold
    tibia moeny
    tibia moeny
    tibia gold
    GuildWars Gold
    Eve Online ISK
    Tibia Gold
    tibia money
    ffxiv gil
    ffxiv money
    ffxiv gold
    ffxiv platinum
    ffxiv gil
    ffxiv gold
    tibia moeny
    tibia gold
    GuildWars Gold
    Eve Online ISK
    cheap Tibia Gold
    cheap tibia money

    [url=http://www.gamezmoney.com]guildwars gold[/url]
    [url=http://www.gamezmoney.com]tibia gold[/url]
    [url=http://www.gamezmoney.com]guildwars money[/url]
    [url=http://www.gamezmoney.com]tibia gold[/url]
    [url=http://www.gamezmoney.com]tibia moeny[/url]
    [url=http://www.enjoygolds.com]tibia moeny[/url]
    [url=http://www.enjoygolds.com]tibia gold[/url]
    [url=http://www.enjoygolds.com]GuildWars Gold[/url]
    [url=http://www.enjoygolds.com]Eve Online ISK[/url]
    [url=http://www.enjoygolds.com]Tibia Gold[/url]
    [url=http://www.enjoygolds.com]tibia money[/url]
    [url=http://gilffxiv.com]ffxiv gil[/url]
    [url=http://gilffxiv.com]ffxiv money[/url]
    [url=http://gilffxiv.com]ffxiv gold[/url]
    [url=http://gilffxiv.com]ffxiv platinum[/url]
    [url=http://gilffxiv.com]ffxiv gil[/url]
    [url=http://gilffxiv.com]ffxiv gold[/url]
    [url=http://www.gamegoldcoin.com]cheap tibia moeny[/url]
    [url=http://www.gamegoldcoin.com]cheap tibia gold[/url]
    [url=http://www.gamegoldcoin.com]GuildWars Gold[/url]
    [url=http://www.gamegoldcoin.com]Eve Online ISK[/url]
    [url=http://www.gamegoldcoin.com]Tibia Gold[/url]
    [url=http://www.gamegoldcoin.com]FFxi gil[/url]
    Our professional customer supporter center provide 24/7 , 24 hours a day , 7 days a week online supporting for you.

    Posted by goodhope2010 — 02 Jan 2010, 01:03

  10. Shifted sharply men's watches to the men's watches right women's watches on the women's watches role of ladies watches government ladies watches, and a men's watches Republican men's watches could women's watches pick up women's watches a Senate ladies watches seat in ladies watches a state men's watches with no men's watches GOP women's watches Members women's watches of Congress ladies watches and ladies watches that whether replica watches or not replica watches Republican replica rolex watches Scott rolex watches Brown replica breitling watches wins today breitling watches in replica tag heuer watches Massachusetts tag heuer watches, the replica cartier watches special cartier watches Senate replica omega watches election omega watches has Replica Watches already Replica Watches shaken replica rolex Watches up American rolex Watches politics. replica breitling Watches The breitling Watches close replica cartier Watches race to cartier Watches replace replica omega Watches Ted Kennedy omega Watches, liberalism's replica tag heuer Watches patron tag heuer Watches saint, Replica Watches shows Replica Watches that replica rolex Watches voters rolex Watches are replica breitling Watches rebelling breitling Watches even replica tag heuer Watches in the tag heuer Watches bluest replica cartier Watches of states cartier Watches against replica omega Watches the last omega Watches year's replica movado Watches unbridled movado Watches pursuit Replica Watches of partisan Replica Watches liberal replica rolex Watches governance rolex Watches. Tomorrow replica breitling Watches marks breitling Watches the replica tag heuer Watches anniversary tag heuer Watches of replica cartier watchesh President cartier watchesh replica omega Watches Obama's omega Watches Inaugural, replica movado Watches and it's movado Watches worth Replica Watches recalling Replica Watches the replica rolex Watches extraordinary rolex Watches political replica breitling Watches opportunity breitling Watches he replica tag heuer Watches had tag heuer Watches a year replica cartier Watches ago cartier Watches. An replica omega Watches anxious omega Watches country replica movado Watches was looking movado Watches for leadership amid a recession.

    Posted by replica watches — 19 Jan 2010, 23:20

  11. Democrats wow gold had wow gold huge wow gold us majorities wow gold us and faced wow gold eu a dispirited wow gold eu, unpopular power leveling GOP power leveling. With wow gold monetary wow gold policy wow gold us stimulus wow gold us already wow gold eu flowing wow gold eu, Democrats power leveling were power leveling poised to wow gold get the wow gold political wow gold us credit for wow gold us the wow gold eu inevitable wow gold eu economic power leveling recovery power leveling. Twelve wow gold months wow gold later, Mr. wow gold us Obama's wow gold us approval wow gold eu rating has wow gold eu fallen power leveling further power leveling and wow gold faster than wow gold any wow gold us recent wow gold us President's, wow gold eu Congress wow gold eu is despised power leveling the public power leveling mood.

    Posted by wow gold — 19 Jan 2010, 23:23

  12. Cartier watches

    Franck Muller
    [url=http://www.dearwatches.com/]watcehs[/url]
    [url=http://www.dearwatches.com/alange-sohne-c-13.html]A.Lange & Sohne watches[/url]
    [url=http://www.dearwatches.com/bell-ross-c-17.html]Bell & Ross watches[/url]

    Posted by lklklk — 23 Apr 2010, 22:10


Add comment






Hazard's stuff is maintained by Vladimir Ivashchenko <hazard -at- hazardous-area.org>
This blog is powered by pLog