Advanced.Linux.Networking..Roderick.Smith [Electronic resources] - text version

Roderick W. Smith

Advanced Kernel Options


The 2.4.x Linux kernels include several advanced routing options in the Networking
Options kernel configuration menu. Many, but not all, of these options fall
under the IP: Advanced Router option, so you must activate this option to
activate its suboptions. You can use these options to modify how Linux routes
packets; for instance, how it prioritizes packets, responds to the priority
codes in packets it receives, or handles particular types of packets. You can
activate support for these options by selecting Y, or sometimes M for modular
compilation, for the appropriate configuration option. Most of these options,
though, also require configuration through special utilities. Some of these are
fairly complex, so this section presents only an overview of these tools.

NOTE


Kernel options sometimes change names,
split into multiple options, or disappear with new kernel versions. This
section describes the options as they appear with the 2.4.17 kernel, but if
you use a kernel that's substantially older or newer than this one, your
options may differ.


Policy Routing


The first advanced Linux kernel routing
option is called IP: Policy Routing. This option enables three new methods of
deciding how to route data:

Source address: A Linux router normally uses only the destination address to
determine how to route data. You can have the router use the source address as
well. You might use this to pass data from low-priority hosts over a slower or
less reliable connection than you'd use for data from high-priority hosts. Use
this option with caution, though; if a router with this configuration interacts
with routers that use regular routing criteria, inconsistent routing, or even
routing loops, can result.

Mark filtering: Packets can be labeled with unique data known as mark values. You can use these to send packets over
particular network routes if you activate the IP: Use Netfilter MARK Value as
Routing Key option. In order to enable this option, you must also enable the
Network Packet Filtering option earlier in the menu.

Fast NAT: NAT is a tool for "hiding" a network behind a single IP
address, or for changing the IP address associated with a single computer by altering
its packets in a router. If you want your system to function as a NAT router,
you may want to activate this option; however, it's not strictly required. This
option enables NAT in a way that's different from the usual method. (Chapter 25 describes NAT in more detail.)

All of these options rely upon the iproute2 package, which communicates with the kernel to set the various advanced routing
features. This package is described in the upcoming section, "Using iproute2."

Type of Service Values


IP packets carry a field known as the Type-of-Service (TOS) field. You can set this field
on the packets that leave clients, servers, or networks to identify the packets
as requiring a particular type of handling. You might use this to give some
packets access to faster or more reliable connections than you give others. To
use this feature, you must activate the IP: Use TOS Value as Routing Key kernel
option.

This option also uses the iproute2 package, described shortly. Specifically, the tos option in the ip command's selector operates on TOS values. These values are ordinary numbers, such as 4. In
addition to local software, other routers must honor the TOS requests. Most
ISPs' routers ignore TOS fields, though, so this option may do you no good.

Multipath Routing


Normally, when you specify a routing action,
an incoming packet is matched against rules that determine the output path with
perfect certainty. For instance, you might have a routing table rule to send
packets destined to 10.201.0.0/16 over eth1. All packets with
destination addresses in this range necessarily go over eth1. It's
sometimes possible to specify two rules that seem to conflict. For instance,
you might have another rule that tells the system to send all packets destined
to 10.201.34.0/24 to ppp0. In the usual configuration, though, this second rule takes
precedence over the first, because the second rule is more specific. If you
provide a second path for 10.201.0.0/16 (say, sending those packets over ppp0), Linux
simply uses the first matching rule it finds.

If you activate the IP: Equal Cost Multipath
kernel configuration option, Linux's behavior in the event of multiple matching
routing table rules changes; it picks one of the two routes randomly. You might
use this as a crude form of load balancing if you've got two Internet
connections. This option does not affect the case where two rules exist but
one is more specific; the more specific rule still takes precedence over the
less specific rule.
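
The three facilities just described (source-address policy routing, TOS as a routing key, and an equal-cost multipath default route), combined on one two-uplink router, as an added example that is not code from the book; the interface names, addresses and table numbers are constructed assumptions:

```shell
#!/bin/sh
# Added example, not code from the book: applying the Policy Routing, TOS and
# Equal Cost Multipath options with iproute2 on a router that has a fast uplink
# (eth1) and a slow one (ppp0). Interfaces, addresses and table numbers are
# constructed assumptions. Without an argument the script only prints the ip
# commands; "apply" executes them (needs root and the kernel options above).
set -eu

FAST_DEV=eth1; FAST_GW=203.0.113.1
SLOW_DEV=ppp0; SLOW_GW=198.51.100.1
LOW_PRIO_SRC=192.168.1.128/25    # assumed low-priority client range
FAST_TABLE=101; SLOW_TABLE=102   # spare routing tables (main is 254)

case "${1:-}" in apply) DRY_RUN=0 ;; *) DRY_RUN=${DRY_RUN:-1} ;; esac
run() { if [ "$DRY_RUN" = 1 ]; then echo "ip $*"; else ip "$@"; fi; }

# Each extra table holds a single default route; rules decide who consults it.
setup_tables() {
    run route replace default via "$FAST_GW" dev "$FAST_DEV" table "$FAST_TABLE"
    run route replace default via "$SLOW_GW" dev "$SLOW_DEV" table "$SLOW_TABLE"
}

# IP: Policy Routing, source-address criterion: low-priority hosts leave via
# the slow link. Rules are tried in ascending priority; main (32766) is last.
setup_source_policy() {
    run rule add from "$LOW_PRIO_SRC" lookup "$SLOW_TABLE" priority 200
}

# IP: Use TOS Value as Routing Key: packets requesting minimum delay (TOS 0x10)
# take the fast link whatever their source, because priority 100 is checked
# before the source rule at 200.
setup_tos_policy() {
    run rule add tos 0x10 lookup "$FAST_TABLE" priority 100
}

# IP: Equal Cost Multipath: traffic no rule catches falls through to the main
# table, whose default route spreads it over both links.
setup_multipath_default() {
    run route replace default \
        nexthop via "$FAST_GW" dev "$FAST_DEV" weight 1 \
        nexthop via "$SLOW_GW" dev "$SLOW_DEV" weight 1
}

apply_all() {
    setup_tables; setup_tos_policy; setup_source_policy; setup_multipath_default
    run route flush cache   # 2.4 caches routing decisions; flush after rule changes
}

apply_all
```

Run without an argument first and review the printed rule order; only then run it as root with `apply`, and confirm the result with `ip rule show` and `ip route show table 102`.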

Router Logging Options


The IP: Verbose Route Monitoring kernel
option activates a kernel feature that requires no further configuration:
additional logging of routing information. Normally, the kernel doesn't log
routine routing information, so you have little or no evidence in your logs
about routing activity. This option, though, causes the kernel to log
information about suspicious packets. You can then examine your system logs to
discover more information about the traffic your router handles.

Verbose router logging may sound like a good
security measure, and in some cases it is. On a very busy router, though, this
extra information might consume a lot of system resources in terms of disk
activity, disk space, and even CPU time. It can therefore degrade performance.
In theory, a person who wanted to crash your server could create a
denial-of-service (DoS) attack designed to get your router to log an inordinate
number of packets, thus degrading performance and perhaps causing your disk to
fill up. If you try this option, you should check your log sizes and router
performance to be sure it's not having a negative impact, and perhaps develop a
contingency plan such as having the router page you so you can deal with
problems should your system come under a DoS attack related to this option.

Large Routing Tables


The Linux kernel is optimized to deal with
routing tables of about 64 entries or fewer. If your router configuration is
unusually complex, it may include more than this number of entries, in which
case you should activate the IP: Large Routing Tables option. This changes the
kernel's configuration to work better with routing tables holding more than 64
entries.

Multicast Routing


Most Internet traffic is point-to-point; for
instance, you may send a request to a Web server, which in response sends a Web
page back to you. This traffic is intended for just one recipient, although as
is mentioned at many points in this book, it's possible for one computer to
snoop on data destined for another under certain circumstances. Another common
type of network traffic is a broadcast. These
are data packets that are addressed to all computers on a local network. Two
types of broadcasts exist. First, a local subnet
broadcast uses a recipient address of 255.255.255.255, which reaches all
computers on the local subnet. A directed subnet
broadcast is more restrictive; it uses the values for the network portion of
the address followed by binary 1 values (such as 192.168.34.255 for the
192.168.34.0/24 network). DHCP clients use broadcasts when they first try to
locate a DHCP server, because the DHCP clients don't know the server's address.
Broadcasts can also be used by a few other protocols, such as some forms of
SMB/CIFS name resolution. Broadcasts are usually restricted to just one subnet;
they aren't normally routed. (Some routers do route directed subnet
broadcasts, though.) A situation in between directed traffic and
broadcasts exists: multicasts. A multicast
consists of packets that are addressed to multiple recipients simultaneously,
but not all computers on a network. Multicasts are fairly uncommon, but a few
tools use them, mostly for distribution of live audio or video feeds. One such
system is the Multicast Backbone (MBONE; http://www.cs.columbia.edu/~hgs/internet/mbone-faql). This is an example of a network-wide
multicast, which can be quite widespread in scope. A more limited type of
multicast, known as link-local, is typically
not distributed very widely and may be used by some routing protocols for
router-to-router communication, as described in the upcoming section, "Using Routing Protocols."

If you want your router to support the
routing of multicast packets, you must include appropriate multicast support. This
is done via the IP: Multicast Routing kernel configuration option. In addition,
you may need to add support for one of two suboptions: IP: PIM-SM Version 1
Support or IP: PIM-SM Version 2 Support. These are two variants of Sparse Mode (SM) Protocol Independent Multicast (PIM),
which is a way to support multicasts on networks with limited bandwidth
compared to that of earlier multicast implementations. PIM-SM Version 1 is more
common, and is the protocol supported by Cisco in its routers.

In addition to kernel options, you need
special software to support multicast routing, specifically mrouted. This
tool configures the basic Linux multicast routing capabilities. You can find it
at , if it's not in your distribution, and you can read about it at
http://jukie.net/~bart/multicast/Linux-Mrouted-MiniHOWTOl. If you use PIM-SM Version 2, you may also need additional
software, such as pimd (http://netweb.usc.edu/pim/pimd/).

Quality of Service


The normal procedure a Linux router follows
in routing packets is a first-come/first-served policy; in scheduling
delivery of two packets, Linux delivers packets in the order in which it
receives them. This procedure works fine when the router has plenty of bandwidth
on all its ports, or when there's no need to give priority to certain types of
packets. On a busy server, though, it may be desirable to use a different
scheduling method; for instance, to reduce the data flow rate to certain sites
or to guarantee a certain amount of bandwidth for particular users or
applications. Expanding the kernel to support such advanced scheduling options
is the job of the QoS and/or Fair Queueing menu, which is accessed from an
option of the same name at the end of the Networking Options menu. (QoS stands for Quality of
Service, which is the name applied to a particular group of scheduling
algorithms on this menu.) Activating the QoS options will not, by
itself, alter your system's operation; as with many other advanced routing options,
you must use tools in the iproute2 package to activate and configure the features. If you're not sure
you need these features, you can activate basic support and compile most of the
options as modules. You then don't need to use the options, but they're
available if you find you do need them.

WARNING


Read the help for each option before
compiling it. In 2.4.17, one option, the Clark-Shenker-Zhang (CSZ) algorithm,
is reported to be broken. Attempting to use a broken option will have no
noticeable effect at best, and cause unreliable operation at worst.



