Advanced Kernel Options


The 2.4.x Linux kernels include several advanced routing options in the Networking Options kernel configuration menu. Many, but not all, of these options fall under the IP: Advanced Router option, so you must activate this option to activate its suboptions. You can use these options to modify how Linux routes packets: for instance, how it prioritizes the packets, responds to the priority codes in packets it receives, or handles particular types of packets. You can activate support for these options by selecting Y, or sometimes M for modular compilation, to the appropriate configuration option. Most of these options, though, also require configuration through special utilities. Some of these are fairly complex, so this section presents only an overview of these tools.

NOTE


Kernel options sometimes change names, split into multiple options, or disappear with new kernel versions. This section describes the options as they appear with the 2.4.17 kernel, but if you use a kernel that's substantially older or newer than this one, your options may differ.


Policy Routing

The first advanced Linux kernel routing option is called IP: Policy Routing. This option enables three new methods of deciding how to route data:

  • Source address: A Linux router normally uses only the destination address to determine how to route data. You can have the router use the source address as well. You might use this to pass data from low-priority hosts over a slower or less reliable connection than you'd use for data from high-priority hosts. Use this option with caution, though; if a router with this configuration interacts with routers that use regular routing criteria, inconsistent routing, or even routing loops, can result.

  • Mark filtering: Packets can be labeled with unique data known as mark values. You can use these to send packets over particular network routes if you activate the IP: Use Netfilter MARK Value as Routing Key option. In order to enable this option, you must also enable the Network Packet Filtering option earlier in the menu.

  • Fast NAT: NAT is a tool for "hiding" a network behind a single IP address, or for changing the IP address associated with a single computer by altering its packets in a router. If you want your system to function as a NAT router, you may want to activate this option; however, it's not strictly required. This option enables NAT in a way that's different from the usual method. (Chapter 25 describes NAT in more detail.)

All of these options rely upon the iproute2 package, which communicates with the kernel to set the various advanced routing features. This package is described in the upcoming section, "Using iproute2."

Type of Service Values

TCP/IP supports a field type known as the Type-of-Service (TOS) field. You can set this field on the packets that leave clients, servers, or networks to identify the packets as requiring a particular type of handling. You might use this to give some packets access to faster or more reliable connections than you give others. To use this feature, you must activate the IP: Use TOS Value as Routing Key kernel option.

This option also uses the iproute2 package, described shortly. Specifically, the tos option in the ip command's selector operates on TOS values. These values are ordinary numbers, such as 4. In addition to local software, other routers must honor the TOS requests. Most ISPs' routers ignore TOS fields, though, so this option may do you no good.

Multipath Routing

Normally, when you specify a routing action, an incoming packet is matched against rules that determine the output path with perfect certainty. For instance, you might have a routing table rule to send packets destined to 10.201.0.0/16 over eth1. All packets with destination addresses in this range necessarily go over eth1. It's sometimes possible to specify two rules that seem to conflict. For instance, you might have another rule that tells the system to send all packets destined to 10.201.34.0/24 to ppp0. In the usual configuration, though, this second rule takes precedence over the first, because the second rule is more specific. If you provide a second path for 10.201.0.0/16 (say, sending those packets over ppp0), Linux simply uses the first matching rule it finds.

If you activate the IP: Equal Cost Multipath kernel configuration option, Linux's behavior in the event of multiple matching routing table rules changes; it picks one of the two routes randomly. You might use this as a crude form of load balancing if you've got two Internet connections. This option does not affect the case where two rules exist, but one is more specific; the more specific rule still takes precedence over the less specific rule.
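The kernel options in the three preceding sections (policy routing by source address and by netfilter mark, TOS-keyed routes, and equal-cost multipath) are all driven from the ip command in iproute2. The shell script below is an added example, not from the book or from the iproute2 project; the addresses, interface names, routing table number 100, mark value 1, and rule priorities are assumed values chosen for illustration. It prints the commands instead of running them unless APPLY=1 is set, because the real commands need root and a kernel built with the corresponding IP: options.

```shell
#!/bin/sh
# Added example: iproute2 commands for the advanced routing features described
# above. Not taken from the book or from iproute2. Addresses, interface names,
# routing table 100, fwmark 1 and rule priorities are assumed values.
# Dry-run by default: commands are printed, not executed. Set APPLY=1 to run
# them (requires root and a kernel with the matching IP: options).

IP="echo ip"
if [ "${APPLY:-0}" = "1" ]; then
    IP="ip"
fi

# Policy routing by source address (IP: Policy Routing). Packets *from* the
# low-priority subnet 192.168.1.0/24 are looked up in table 100, whose default
# route uses the slow link ppp0; all other traffic keeps using the main table,
# whose default route is assumed to point at the fast link eth1.
policy_route_by_source() {
    $IP route add default via 10.0.0.1 dev ppp0 table 100
    $IP rule add from 192.168.1.0/24 lookup 100 priority 1000
}

# Mark-keyed routing (IP: Use Netfilter MARK Value as Routing Key). Packets that
# a netfilter rule has tagged with fwmark 1 are sent through table 100 as well.
policy_route_by_mark() {
    $IP rule add fwmark 1 lookup 100 priority 1010
}

# TOS-keyed routing (IP: Use TOS Value as Routing Key). Packets to 10.201.0.0/16
# carrying TOS 0x10 (minimize delay) go out eth1; the rest of that prefix goes
# out ppp0. Upstream routers may simply ignore the TOS field, as the text notes.
tos_route() {
    $IP route add 10.201.0.0/16 tos 0x10 via 10.0.1.1 dev eth1
    $IP route add 10.201.0.0/16 dev ppp0
}

# Equal-cost multipath (IP: Equal Cost Multipath). One default route with two
# next hops of equal weight; the kernel picks one of them per route lookup.
# "replace" is used because a default route usually exists already and a plain
# "add" would fail with "File exists".
multipath_default_route() {
    $IP route replace default \
        nexthop via 10.0.1.1 dev eth1 weight 1 \
        nexthop via 10.0.0.1 dev ppp0 weight 1
}

# Show the route the kernel would really choose for a destination/source pair.
# "ip route get" consults the rule database, so it is the quickest way to confirm
# that a policy rule matches what you intended before relying on it.
verify_route() {
    dst="$1"; src="$2"
    $IP route get "$dst" from "$src" iif eth0
}

policy_route_by_source
policy_route_by_mark
tos_route
multipath_default_route
verify_route 10.201.5.5 192.168.1.7
```

Run it once without APPLY to read the command list, then with APPLY=1 as root; afterwards, ip rule show and ip route show table 100 display what was installed, and the verify_route call confirms which table a packet from the low-priority subnet actually hits.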

Router Logging Options

The IP: Verbose Route Monitoring kernel option activates a kernel feature that requires no further configuration: additional logging of routing information. Normally, the kernel doesn't log routine routing information, so you have little or no evidence in your logs about routing activity. This option, though, causes the kernel to log information about suspicious packets. You can then examine your system logs to discover more information about the traffic your router handles.

Verbose router logging may sound like a good security measure, and in some cases it is. On a very busy router, though, this extra information might consume a lot of system resources in terms of disk activity, disk space, and even CPU time. It can therefore degrade performance. In theory, a person who wanted to crash your server could create a denial-of-service (DoS) attack designed to get your router to log an inordinate number of packets, thus degrading performance and perhaps causing your disk to fill up. If you try this option, you should check your log sizes and router performance to be sure it's not having a negative impact, and perhaps develop a contingency plan such as having the router page you so you can deal with problems should your system come under a DoS attack related to this option.
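A practical way to act on the advice above is to measure how many routing-related log lines the router is actually producing per minute and per interface, so that a sudden burst is noticed before it fills the disk. The script below is an added example, not from the book. The log lines in it are constructed, not captured; they follow the "martian source A from B, on dev IF" shape of the kernel's message, with made-up addresses and interface names. The threshold of three messages per minute is likewise an assumption to be tuned for your router.

```shell
#!/bin/sh
# Added example: count "martian source" kernel log lines per minute and per
# interface so that a logging flood caused by verbose route monitoring is
# noticed early. Not from the book. SAMPLE_LOG is constructed test data.

SAMPLE_LOG='Mar  3 10:00:01 router kernel: martian source 10.0.0.5 from 192.168.1.1, on dev eth0
Mar  3 10:00:02 router kernel: martian source 10.0.0.5 from 192.168.1.1, on dev eth0
Mar  3 10:00:05 router kernel: eth0: link up
Mar  3 10:00:10 router kernel: martian source 10.0.0.5 from 192.168.1.2, on dev eth0
Mar  3 10:00:30 router kernel: martian source 10.0.0.9 from 192.168.1.1, on dev eth0
Mar  3 10:00:31 router kernel: martian source 10.0.0.5 from 172.16.0.3, on dev eth1
Mar  3 10:00:45 router kernel: martian source 10.0.0.5 from 192.168.1.1, on dev eth0
Mar  3 10:01:02 router kernel: martian source 10.0.0.5 from 192.168.1.1, on dev eth0'

# Read syslog lines on stdin; print "HH:MM interface count" for every minute and
# interface that produced martian-source messages, sorted for stable output.
# Lines that are not martian messages (such as the "link up" line) are ignored.
martians_per_minute() {
    awk '/martian source/ {
            minute = substr($3, 1, 5)          # "HH:MM" from the syslog timestamp
            dev = $0; sub(/^.*on dev /, "", dev)
            n[minute " " dev]++
        }
        END { for (k in n) print k, n[k] }' | sort
}

# Print only the (minute, interface) pairs whose count exceeds the threshold
# given as $1. A burst above the threshold is where the text's denial-of-service
# concern applies: block or rate-limit the offending source at the firewall, or
# switch the logging off again with the per-interface log_martians sysctl
# (sysctl -w net.ipv4.conf.all.log_martians=0) until the flood subsides.
flooded_martians() {
    martians_per_minute | awk -v t="$1" '$3 > t'
}

# Dry run against the constructed sample; in production feed the real log instead:
#   grep 'martian' /var/log/messages | flooded_martians 100
printf '%s\n' "$SAMPLE_LOG" | flooded_martians 3
```

Wiring the output of flooded_martians into whatever paging mechanism you use gives the contingency plan the text suggests; the per-minute bucket also makes it clear whether the logging is a steady trickle (cheap) or a burst (the case that threatens disk space).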

Large Routing Tables

The Linux kernel is optimized to deal with routing tables of about 64 entries or fewer. If your router configuration is unusually complex, it may include more than this number of entries, in which case you should activate the IP: Large Routing Tables option. This changes the kernel's configuration to work better with routing tables holding more than 64 entries.

Multicast Routing

Most Internet traffic is point-to-point; for instance, you may send a request to a Web server, which in response sends a Web page back to you. This traffic is intended for just one recipient, although as is mentioned at many points in this book, it's possible for one computer to snoop on data destined for another under certain circumstances. Another common type of network traffic is a broadcast. These are data packets that are addressed to all computers on a local network. Two types of broadcasts exist. First, a local subnet broadcast uses a recipient address of 255.255.255.255, which reaches all computers on the local subnet. A directed subnet broadcast is more restrictive; it uses the values for the network portion of the address followed by binary 1 values (such as 192.168.34.255 for the 192.168.34.0/24 network). DHCP clients use broadcasts when they first try to locate a DHCP server, because the DHCP clients don't know the server's address. Broadcasts can also be used by a few other protocols, such as some forms of SMB/CIFS name resolution. Broadcasts are usually restricted to just one subnet; they aren't normally routed. (Some routers do route directed subnet broadcasts, though.)

A situation in between directed traffic and broadcasts exists: multicasts. A multicast consists of packets that are addressed to multiple recipients simultaneously, but not all computers on a network. Multicasts are fairly uncommon, but a few tools use them, mostly for distribution of live audio or video feeds. One such system is the Multicast Backbone (MBONE; http://www.cs.columbia.edu/~hgs/internet/mbone-faq.html). This is an example of a network-wide multicast, which can be quite widespread in scope. A more limited type of multicast, known as link-local, is typically not distributed very widely and may be used by some routing protocols for router-to-router communication, as described in the upcoming section, "Using Routing Protocols."

If you want your router to support the routing of multicast packets, you must include appropriate multicast support. This is done via the IP: Multicast Routing kernel configuration option. In addition, you may need to add support for one of two suboptions, IP: PIM-SM Version 1 Support or IP: PIM-SM Version 2 Support. These are two variants of Sparse Mode (SM) Protocol Independent Multicast (PIM), which is a way to support multicasts on networks with limited bandwidth compared to that of earlier multicast implementations. PIM-SM Version 1 is more common, and is the protocol supported by Cisco in its routers.

In addition to kernel options, you need special software to support multicast routing, specifically mrouted. This tool configures the basic Linux multicast routing capabilities. You can find it at ftp://ftp.rge.com/pub/communications/ipmulti/beta-test/, if it's not in your distribution, and you can read about it at http://jukie.net/~bart/multicast/Linux-Mrouted-MiniHOWTO.html. If you use PIM-SM Version 2, you may also need additional software, such as pimd (http://netweb.usc.edu/pim/pimd/).

Quality of Service

The normal procedure a Linux router follows in routing packets is to follow a first-come/first-served policy; in scheduling delivery of two packets, Linux delivers packets in the order in which it receives them. This procedure works fine when the router has plenty of bandwidth on all its ports, or when there's no need to give priority to certain types of packets. On a busy server, though, it may be desirable to use a different scheduling method, for instance, to reduce the data flow rate to certain sites or to guarantee a certain amount of bandwidth for particular users or applications. Expanding the kernel to support such advanced scheduling options is the job of the QoS and/or Fair Queueing menu, which is accessed from an option of the same name at the end of the Networking Options menu. (QoS stands for Quality of Service, which is the name applied to a particular group of scheduling algorithms on this menu.)

Activating the QoS options will not, by itself, alter your system's operation; as with many other advanced routing options, you must use tools in the iproute2 package to activate and configure the features. If you're not sure you need these features, you can activate basic support and compile most of the options as modules. You then don't need to use the options, but they're available if you find you do need them.
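The iproute2 tool that activates the queueing disciplines compiled from this menu is tc. The script below is an added example, not from the book or from iproute2, showing the two simplest uses: replacing first-come/first-served delivery with a whole-interface rate limit, and with TOS-based priority bands. The interface names and the 1 Mbit/s rate are assumed values; the qdisc names tbf and prio are the real ones corresponding to the NET_SCH_TBF and NET_SCH_PRIO options. As with the ip examples, it prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: attaching queueing disciplines with tc. Not from the book.
# Interface names and the rate are assumed. Dry-run unless APPLY=1 (the real
# commands need root and the matching NET_SCH_* options built in or as modules).

TC="echo tc"
if [ "${APPLY:-0}" = "1" ]; then
    TC="tc"
fi

# Whole-interface rate limit with a token bucket filter (NET_SCH_TBF): all
# traffic leaving the interface in $1 is shaped to 1 Mbit/s. This is the
# simplest way to "reduce the data flow rate"; limiting only certain sites or
# users needs a classful discipline (such as CBQ) plus filters, which is beyond
# this example.
limit_interface_rate() {
    $TC qdisc add dev "$1" root tbf rate 1mbit burst 32kbit latency 400ms
}

# Priority scheduling (NET_SCH_PRIO): three bands, with packets sorted into them
# by the TOS field through the qdisc's default priomap, so TOS-marked traffic is
# dequeued ahead of bulk traffic instead of strictly first-come/first-served.
# Only one root qdisc can exist per interface, so use this *or* the TBF above.
prioritize_by_tos() {
    $TC qdisc add dev "$1" root handle 1: prio
}

# Removing the root qdisc returns the interface to its default FIFO behaviour;
# do this before experimenting with an option whose help text reports trouble.
reset_qdisc() {
    $TC qdisc del dev "$1" root
}

# Show what is attached. "-s" adds packet, byte and drop counters, which is how
# you tell whether the shaper is actually doing anything.
show_qdisc() {
    $TC -s qdisc show dev "$1"
}

limit_interface_rate eth1
show_qdisc eth1
```

After applying the TBF, a transfer through eth1 should settle near 1 Mbit/s and the drop counter in show_qdisc should rise only when senders exceed it; reset_qdisc eth1 undoes the change without a reboot.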

WARNING


Read the help for each option before compiling it. In 2.4.17, one option, the Clark-Shenker-Zhang (CSZ) algorithm, is reported to be broken. Attempting to use a broken option will have no noticeable effect at best, and cause unreliable operation at worst.




Advanced Linux Networking
ISBN: 0201774232
Year: 2002
Pages: 203