ROS Soft-Router Forum ROSABC.com (network solutions and network engineering exchange)

Thread starter: 王康慧

[Discussion] Personal views on the ROS soft-router small-packet priority strategy

Posted 2007-10-10 07:11:34
An outdated approach.. it is really just a Queue Tree ordering mistake.
If game ports are to be prioritised, put them at Lv1; put medium and big packets at Lv2 and give that level the maximum bandwidth (that way, however the big packets are used, they only ever get the bandwidth you assigned). Then refresh the Queue Tree with a script.
Thread starter | Posted 2007-10-1 05:27:28

ROS soft-router small-packet priority strategy
/ ip firewall mangle
add chain=forward p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn passthrough=yes comment="" disabled=no
add chain=forward connection-mark=p2p_conn action=mark-packet new-packet-mark=p2p passthrough=yes comment="" disabled=no
add chain=forward connection-mark=!p2p_conn action=mark-packet new-packet-mark=general passthrough=yes comment="" disabled=no
add chain=forward packet-size=1-512 action=mark-packet new-packet-mark=small passthrough=yes comment="" disabled=no
add chain=forward packet-size=512-1200 action=mark-packet new-packet-mark=big passthrough=yes comment="" disabled=no
/ queue tree
add name="p2p1" parent=wan packet-mark=p2p limit-at=2000000 queue=default priority=8 max-limit=6000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="p2p2" parent=lan packet-mark=p2p limit-at=2000000 queue=default priority=8 max-limit=6000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="ClassA" parent=lan packet-mark="" limit-at=0 queue=default priority=8 max-limit=100000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="ClassB" parent=ClassA packet-mark="" limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Leaf1" parent=ClassA packet-mark=general limit-at=0 queue=default priority=7 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Leaf2" parent=ClassB packet-mark=small limit-at=0 queue=default priority=5 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Leaf3" parent=ClassB packet-mark=big limit-at=0 queue=default priority=6 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
//============================================
The ROS soft-router small-packet strategy above has been reposted around the net for a long time, and I have not been able to find the original source. Many people just take it and use it directly, without considering why it is done this way or what benefit it brings. Personally I think there are two places in this strategy that are not quite right. I seem to have raised this at Wangmeng a long time ago; I forget whether anyone responded. Wangmeng is now an advertising dump, so I will post it here.
//============================================
Xisat@ 2008-03-19 Please keep the author information when reposting, thanks
//==================================
First point
add chain=forward p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn passthrough=yes comment="" disabled=no
add chain=forward connection-mark=p2p_conn action=mark-packet new-packet-mark=p2p passthrough=yes comment="" disabled=no
Broken down:
The first rule uses the ROS built-in p2p matcher to mark all p2p connections.
The second rule marks all packets passing through those connections.
The purpose is to provide packet marks for the limits in the queue tree.
/ queue tree
add name="p2p1" parent=wan packet-mark=p2p limit-at=2000000 queue=default priority=8 max-limit=6000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="p2p2" parent=lan packet-mark=p2p limit-at=2000000 queue=default priority=8 max-limit=6000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
There are two problems here.
1. When marking p2p connections
Choosing the forward chain is not very appropriate; the marking can be done entirely in prerouting. When writing rules, if you are sure you do not need the forward chain, do not use it. Although forward looks like it can do everything, too many rules in the forward chain can cause logical errors, and from an efficiency standpoint the earliest chain is the right place for the rule anyway.
2. When marking p2p packets
passthrough=yes looks harmless at first glance. passthrough=yes means that if a packet matches this rule, evaluation continues with the next rule. Here, once we have marked a p2p packet, all that remains is to limit or block it; that is the top-priority requirement, and there is no need to go on evaluating the following rules. For efficiency, passthrough=no is more appropriate here.
//===========
Second point
add name="ClassA" parent=lan packet-mark="" limit-at=0 queue=default priority=8 max-limit=100000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="ClassB" parent=ClassA packet-mark="" limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Leaf1" parent=ClassA packet-mark=general limit-at=0 queue=default priority=7 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Leaf2" parent=ClassB packet-mark=small limit-at=0 queue=default priority=5 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Leaf3" parent=ClassB packet-mark=big limit-at=0 queue=default priority=6 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
The whole small-packet strategy has a priority problem.
The relationships once the strategy is added can be seen in the figure below.


[Figure: queue tree hierarchy, 09030723393f29ca2d40889e50.jpg, uploaded 2009-3-7 23:39]

Group ClassA contains ClassB and Leaf1.
Our goal is to let Leaf2 (small) in group ClassB pass ahead of Leaf3 (big).
Leaf2 has priority=5 and Leaf3 has priority=6, no problem.
Going back up one level, ClassB and Leaf1 are siblings, which means Leaf2 and Leaf3 first have to go through the priority comparison between ClassB and Leaf1.
ClassB has priority=8 and Leaf1 has priority=7,
which means Leaf1 has the higher priority; in other words, among all general packets, those outside Leaf2 and Leaf3 pass first, and only then is the priority between Leaf2 and Leaf3 decided:
!Leaf2 and !Leaf3 > Leaf2 > Leaf3
For online games, what we probably want is Leaf2 > Leaf3 > !Leaf2 and !Leaf3
Change ClassB to priority=7 and Leaf1 to priority=8.
//============================================
Xisat@ 2008-03-19 Please keep the author information when reposting, thanks
//==================================
I should also explain why we need such a strategy for online games, and why the small packet size is 32-512.
I have to go out shortly; I dashed this off during my lunch break, so let's discuss that next time.
//===============
My understanding of ROS soft routers is still superficial; the above is purely my own opinion and has no authoritative endorsement. If there is any discussion or question, I hope you will include me.
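A small model of the rules discussed in both points above, added here as an example (not code from the post and not RouterOS's own HTB code): it walks the post's mark-packet rules in order with the stated passthrough semantics, assuming a packet carries only one packet-mark so a later mark overwrites an earlier one, and orders the leaves the way the post reasons about priority (parent compared before child, 1 highest, 8 lowest). The packet-size ranges are the post's 1-512 and 512-1200; the sample packets are constructed.

```python
# Model of the post's mangle chain and queue-tree priority (added example, not
# RouterOS code). Assumes: a packet carries one packet-mark and a later
# mark-packet rule overwrites it; passthrough=no stops evaluation; service
# order follows the post's reasoning (parent priority compared before leaf
# priority; 1 is highest, 8 lowest). Sample packets are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    size: int          # bytes
    p2p_conn: bool     # connection carries the p2p_conn connection-mark
    mark: str = ""     # current packet-mark, "" = none

@dataclass
class Rule:
    new_mark: str
    passthrough: bool
    p2p_conn: Optional[bool] = None         # None = match any connection
    size: Optional[Tuple[int, int]] = None  # inclusive byte range, None = any

    def matches(self, p: Packet) -> bool:
        if self.p2p_conn is not None and p.p2p_conn != self.p2p_conn:
            return False
        return self.size is None or self.size[0] <= p.size <= self.size[1]

def mangle(rules: List[Rule], p: Packet) -> str:
    """Walk the chain top to bottom; return the mark the packet leaves with."""
    for r in rules:
        if r.matches(p):
            p.mark = r.new_mark      # overwrites any earlier mark
            if not r.passthrough:
                break
    return p.mark

def chain(p2p_passthrough: bool) -> List[Rule]:
    """The post's four mark-packet rules; only the p2p rule's passthrough varies."""
    return [Rule("p2p", p2p_passthrough, p2p_conn=True),
            Rule("general", True, p2p_conn=False),
            Rule("small", True, size=(1, 512)),
            Rule("big", True, size=(512, 1200))]

# Queue tree as {leaf mark: priority path from ClassA's children to the leaf}.
ORIGINAL_TREE = {"general": (7,), "small": (8, 5), "big": (8, 6)}
FIXED_TREE = {"general": (8,), "small": (7, 5), "big": (7, 6)}

def service_order(tree: dict) -> List[str]:
    """Marks in the order the post says they are served (lower path first)."""
    return sorted(tree, key=tree.__getitem__)
```

Under this model a 300-byte packet on a p2p connection leaves the chain marked small rather than p2p when the p2p rule has passthrough=yes, so it lands in Leaf2 instead of the p2p queue, while passthrough=no keeps it in p2p. The same overwrite means Leaf1 (general) only ever sees non-p2p packets outside the 1-1200 byte ranges.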

/ ip firewall filter
add chain=input connection-state=invalid action=drop comment="" disabled=no
add chain=input protocol=tcp dst-port=80 connection-limit=100,0 action=accept comment="" disabled=no
add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="" disabled=no
add chain=input protocol=tcp connection-limit=3,32 action=accept comment="" disabled=no
add chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list address-list=black_list address-list-timeout=1d comment="" disabled=no
add chain=input dst-address-type=!local action=drop comment="" disabled=no
add chain=input src-address-type=!unicast action=drop comment="" disabled=no
add chain=input protocol=icmp action=jump jump-target=ICMP comment="" disabled=no
add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment="" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept comment="" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept comment="" disabled=no
add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment="" disabled=no
add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept comment="" disabled=no
add chain=ICMP protocol=icmp action=drop comment="" disabled=no
add chain=forward connection-state=established action=accept comment="" disabled=no
add chain=forward connection-state=related action=accept comment="" disabled=no
add chain=forward connection-state=invalid action=drop comment="" disabled=no
add chain=forward src-address-type=!unicast action=drop comment="" disabled=no
add chain=forward protocol=icmp action=jump jump-target=ICMP comment="" disabled=no
add chain=forward action=jump jump-target=virus comment="" disabled=no
add chain=forward action=accept comment="" disabled=no
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="" disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=445 action=drop comment="" disabled=no
add chain=virus protocol=udp dst-port=445 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=593 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=1080 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=1214 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=1363 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=1364 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=1368 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=1373 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=1377 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=2283 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=2535 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=3410 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=4444 action=drop comment="" disabled=no
add chain=virus protocol=udp dst-port=4444 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=5554 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=8866 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=9898 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=10000 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=10080 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=12345 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=17300 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=27374 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=65506 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=3389 action=drop comment="" disabled=yes
add chain=virus protocol=tcp dst-port=4899 action=drop comment="" disabled=no
add chain=output protocol=icmp action=drop comment="" disabled=no

/ system script
add name="0_50xian" source=":for aaa from 5 to 254 do={/ip firewall filter add chain=forward src-address=(192.168.0. . $aaa) protocol=tcp connection-limit=50,32 action=drop}" policy=ftp,reboot,read,write,policy,test,winbox,password
add name="0_256K" source=":for aaa from 5 to 254 do={/queue simple add name=(0_ . $aaa) dst-address=(192.168.0. . $aaa) interface=ether1 limit-at=256000/64000 max-limit=512000/128000 burst-limit=1024000/256000 burst-threshold=512000/128000 burst-time=50s/50s }" policy=ftp,reboot,read,write,policy,test,winbox,password
add name="IP" source=":foreach i in=[/ip arp find dynamic=yes ] do={/ip arp add copy-from=$i}" policy=ftp,reboot,read,write,policy,test,winbox,password

/ ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=1440 comment="" disabled=no
add chain=forward p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn passthrough=yes comment="" disabled=no
add chain=forward connection-mark=p2p_conn action=mark-packet new-packet-mark=p2p passthrough=yes comment="" disabled=no
add chain=forward connection-mark=!p2p_conn action=mark-packet new-packet-mark=general passthrough=yes comment="" disabled=no
add chain=forward packet-size=32-512 action=mark-packet new-packet-mark=small passthrough=yes comment="" disabled=no
add chain=forward packet-size=512-1200 action=mark-packet new-packet-mark=big passthrough=yes comment="" disabled=no
/ queue tree
add name="p2p1" parent=ether1 packet-mark=p2p limit-at=2000000 queue=default priority=8 max-limit=6000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="p2p2" parent=ether2 packet-mark=p2p limit-at=2000000 queue=default priority=8 max-limit=6000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="ClassA" parent=ether2 packet-mark="" limit-at=0 queue=default priority=8 max-limit=100000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="ClassB" parent=ClassA packet-mark="" limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Leaf1" parent=ClassA packet-mark=general limit-at=0 queue=default priority=7 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Leaf2" parent=ClassB packet-mark=small limit-at=0 queue=default priority=5 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Leaf3" parent=ClassB packet-mark=big limit-at=0 queue=default priority=6 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no


Marking the destination ports of common games and then prioritising them is a good approach, and testing showed it works fairly well. However, the forward chain performs much worse than prerouting; if the rules go in forward you might as well not optimise at all. I do not know why, it is just the result of practice.

/ ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=1452 comment="改变MSS" disabled=no
add chain=prerouting src-address=192.168.0.0/23 tos=min-delay action=mark-packet new-packet-mark=LEVEL-1 passthrough=yes comment="上行数据标记" disabled=no
add chain=prerouting src-address=192.168.0.0/23 tos=max-reliability action=mark-packet new-packet-mark=LEVEL-2 passthrough=yes comment="" disabled=no
add chain=prerouting src-address=192.168.0.0/23 tos=normal action=mark-packet new-packet-mark=LEVEL-3 passthrough=yes comment="" disabled=no
add chain=prerouting src-address=192.168.0.0/23 packet-size=0-768 action=mark-packet new-packet-mark=LEVEL-2 passthrough=yes comment="上行中小包数据" disabled=no
add chain=prerouting src-address=192.168.0.0/23 protocol=tcp dst-port=3724 action=mark-packet new-packet-mark=LEVEL-1 passthrough=yes comment="魔兽世界" disabled=no
add chain=prerouting src-address=192.168.0.0/23 protocol=tcp dst-port=8086-8087 action=mark-packet new-packet-mark=LEVEL-1 passthrough=yes comment="" disabled=no
add chain=prerouting src-address=192.168.0.0/23 protocol=tcp dst-port=9090-9091 action=mark-packet new-packet-mark=LEVEL-1 passthrough=yes comment="" disabled=no
add chain=prerouting src-address=192.168.0.0/23 protocol=tcp dst-port=9100 action=mark-packet new-packet-mark=LEVEL-1 passthrough=yes comment="" disabled=no
add chain=prerouting src-address=192.168.0.0/23 protocol=udp dst-port=8000 action=mark-packet new-packet-mark=LEVEL-1 passthrough=yes comment="qq" disabled=no
add chain=prerouting src-address=192.168.0.0/23 protocol=tcp dst-port=8000 action=mark-packet new-packet-mark=LEVEL-1 passthrough=yes comment="" disabled=no
add chain=prerouting src-address=192.168.0.0/23 protocol=tcp dst-port=39311 action=mark-packet new-packet-mark=LEVEL-1 passthrough=yes comment="跑跑卡丁车" disabled=no
add chain=prerouting src-address=192.168.0.0/23 protocol=udp dst-port=39311 action=mark-packet new-packet-mark=LEVEL-1 passthrough=yes comment="" disabled=no
add chain=prerouting src-address=192.168.0.0/23 protocol=tcp dst-port=36567 action=mark-packet new-packet-mark=LEVEL-1 passthrough=yes comment="" disabled=no
add chain=prerouting src-address=192.168.0.0/23 protocol=udp dst-port=36567 action=mark-packet new-packet-mark=LEVEL-1 passthrough=yes comment="" disabled=no
add chain=prerouting src-address=192.168.0.0/23 protocol=tcp dst-port=11527 action=mark-packet new-packet-mark=LEVEL-1 passthrough=yes comment="" disabled=no
add chain=prerouting src-address=192.168.0.0/23 protocol=udp dst-port=11527 action=mark-packet new-packet-mark=LEVEL-1 passthrough=yes comment="" disabled=no
add chain=prerouting src-address=192.168.0.0/23 protocol=tcp dst-port=11107 action=mark-packet new-packet-mark=LEVEL-1 passthrough=yes comment="" disabled=no
add chain=prerouting src-address=192.168.0.0/23 protocol=udp dst-port=11107 action=mark-packet new-packet-mark=LEVEL-1 passthrough=yes comment="" disabled=no
add chain=prerouting src-address=192.168.0.0/23 protocol=tcp dst-port=9066-9070 action=mark-packet new-packet-mark=LEVEL-1 passthrough=yes comment="大航海时代" disabled=no



/ queue tree
add name="优先级-上行" parent=global-out packet-mark="" limit-at=0 queue=default priority=3 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="优先通过的数据包" parent=优先级-上行 packet-mark="" limit-at=0 queue=default priority=3 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="第一级别" parent=优先通过的数据包 packet-mark=LEVEL-1 limit-at=0 queue=default priority=3 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="中等优先通过的数据包" parent=优先级-上行 packet-mark="" limit-at=0 queue=default priority=6 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="第二级别" parent=中等优先通过的数据包 packet-mark=LEVEL-2 limit-at=0 queue=default priority=6 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="最后通过的数据包" parent=优先级-上行 packet-mark="" limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="第三级别" parent=最后通过的数据包 packet-mark=LEVEL-3 limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no