Add traffic shaping to my network configuration

2025-04-11 21:08:22 +02:00 · 2009-08-02 08:36:29 -07:00 · 2009-08-02 08:36:29 -07:00 · 0e09292587
commit 0e09292587
parent 4cd41a81f7
3 changed files with 314 additions and 216 deletions
--- a/docs/MyNetwork.xml
+++ b/docs/MyNetwork.xml
@ -80,6 +80,10 @@
      <listitem>
        <para><ulink url="ManualChains.html">Manual Chains</ulink></para>
      </listitem>
+
+      <listitem>
+        <para><ulink url="traffic_shaping.htm">Traffic Shaping</ulink></para>
+      </listitem>
    </itemizedlist>

    <para>Linux runs the firewall and the servers (although they run in OpenVZ
@ -746,6 +750,98 @@ chmod 744 ${VARDIR}/state</programlisting>Kill lsm if the command is stop or
      clear. Make the state file world-readable.</para>
    </section>

+    <section>
+      <title>/etc/shorewall/tcdevices</title>
+
+      <para><programlisting>#INTERFACE	IN-BANDWITH	OUT-BANDWIDTH	OPTIONS
+$EXT_IF		-		300kbit		classify
+$INT_IF		-		80mbit		classify
+$COM_IF		-		4mbit		classify,hfsc
+</programlisting>The use of HFSC on the Comcast link is largely to provide a
+      test bed for that qdisc; I really don't have any real-time requirement
+      such as VOIP.</para>
+    </section>
+
+    <section>
+      <title>/etc/shorewall/tcclasses</title>
+
+      <para><programlisting>INTERFACE	MARK	RATE			CEIL		PRIORITY	OPTIONS
+1:110		-	full/4			full		1		tcp-ack,tos-minimize-delay
+1:120		-	full/4			full		2		flow=nfct-src
+1:130		-	full/4			230kbit		3		default,flow=nfct-src
+1:140		-	full/4			230kbit		4		flow=nfct-src
+
+2:10		-  95*full/100			full		1		flow=dst
+2:100		-	14mbit			20mbit		2
+2:100:101	-	 7mbit			20mbit		3		default,flow=dst
+2:100:102	-	 7mbit			20mbit		3		flow=dst
+
+3:10		-	 2mbit:4ms		full		1	        flow=nfct-src
+3:100		-	 2mbit			full		2
+3:100:101	-	 1mbit			full		3		default,flow=nfct-src
+3:100:102	-	 1mbit			full		3		flow=nfct-src
+</programlisting>Note that most of the outgoing bandwidth on the local
+      interface is allocated to one class. That class is used for local
+      traffic.</para>
+    </section>
+
+    <section>
+      <title>/etc/shorewall/tcfilters</title>
+
+      <para><programlisting>#INTERFACE:	SOURCE			DEST		PROTO	DEST	SOURCE	TOS	LENGTH
+#CLASS								PORT(S)	PORT(S)
+
+# =============================== AVVANTA ====================================
+#
+# Give Highest priority to LSM's pings to the gateway and to DNS queries
+#
+1:110		206.124.146.176	  	206.124.146.254	icmp
+1:110		206.124.146.177		-		udp	53
+#
+# Second Highest priority to IPv6 Tunnel
+#
+1:120		206.124.146.180
+#
+# Lowest priority to bulk traffic
+#
+1:140		206.124.146.177	-		tcp	-	873	-	2048
+1:140		206.124.146.177 -		-	-	-	tos-minimize-cost
+</programlisting>The tcfilters file is only used for the Avvanta provider
+      because it has static public IP addresses.</para>
+    </section>
+
+    <section>
+      <title>/etc/shorewall/tcrules</title>
+
+      <para><programlisting>#MARK		SOURCE			DEST		PROTO	PORT(S)	CLIENT	USER	TEST	LENGTH	TOS
+#									PORT(S)
+
+COMMENT Shape incoming traffic
+
+#
+# Most of the bandwidth is reserved for local traffic since the downlinks aren't that fast
+#
+2:10		206.124.146.176/30	$INT_IF
+2:10		206.124.146.177		$INT_IF
+2:10		172.20.1.254		$INT_IF
+#
+# Guarantee 1/2 of the incoming bandwidth for my work system
+#
+2:102		0.0.0.0/0		$INT_IF:172.20.1.107
+
+COMMENT Shape outgoing traffic to Comcast
+#
+# Give 1/2 to my work system and add a latency guarantee
+#
+3:10		172.20.1.107		$COM_IF
+#
+# Restrict Torrent uploads
+#
+3:102		172.20.1.0/24		$COM_IF		tcp	-	6881:6889
+</programlisting>The tcrules file is used to classify traffic that deals with
+      the local network and/or with Comcast.</para>
+    </section>
+
    <section id="tunnels">
      <title>/etc/shorewall/tunnels</title>

--- a/tools/build/upload44
+++ b/tools/build/upload44
@ -172,6 +172,8 @@ fi
 files="errata known_problems.txt releasenotes.txt patch-*-$1 ${1}.*"
 base=

+rm -f *-${1}*.asc
+
 for f in *-${1}.tar.bz2 *-${1}.tgz; do
    /usr/bin/gpg -ab --batch --comment 'To verify this, you can download our public key at https://lists.shorewall.net/shorewall.gpg.key' $f
 done
--- a/web/shorewall_index.htm
+++ b/web/shorewall_index.htm
@ -47,7 +47,7 @@
    </tr>
  </tbody>
 </table>
-<hr style="width: 100%; height: 2px;"><span style="font-weight: bold;">2009-07-26</span><br>
+<hr style="width: 100%; height: 2px;"><span style="font-weight: bold;">2009-08-01</span><br>
 <h3><a href="Notices.html#Shell-EOL">Attention Shorewall-shell users</a><br>
 </h3>
 <h3><a name="Releases"></a>Current Shorewall Releases</h3>
@ -93,14 +93,14 @@ Release</span><br>
      </div>
      </td>
      <td style="vertical-align: top;"><span style="font-weight: bold;">4.4.0
-RC 1</span><br>
+RC 2</span><br>
      </td>
      <td style="vertical-align: top;"><a
- href="http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-RC1/releasenotes.txt">Release
+ href="http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-RC2/releasenotes.txt">Release
 Notes<br>
      </a> </td>
      <td style="vertical-align: top;"><a
- href="http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-RC1/known_problems.txt">Known
+ href="http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-RC2/known_problems.txt">Known
 Problems</a> </td>
    </tr>
  </tbody>