Add download shaping example

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8624 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

docs/MultiISP.xml

@@ -250,8 +250,9 @@
           <listitem>
             <para>Gives the name or number of a routing table to duplicate.
             May be 'main' or the name or number of a previously declared
-            provider. For most applications, you want to specify 'main'
-            here.</para>
+            provider. For most applications, you want to specify 'main' here.
+            This field should be be specified as '-' when USE_DEFAULT_RT=Yes
+            in <filename>shorewall.conf</filename></para>
           </listitem>
         </varlistentry>
 
@@ -1128,4 +1129,4 @@ linksys       1    1    -        wlan0   172.20.1.1    track,balance=1,optional
 shorewall     2    2    -        eth0    192.168.1.254 track,balance=2,optional</programlisting>/etc/shorewall/rules:<programlisting>#SOURCE     DEST      PROVIDER        PRIORITY
 -           -         shorewall       11999</programlisting></para>
   </section>
-</article>
+</article>

docs/traffic_shaping.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
-
-
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
 <article>
   <!--$Id$-->
 
@@ -182,6 +182,16 @@
         and at your own.</emphasis></para>
       </blockquote></para>
 
+    <para><emphasis role="bold">This is not to say that you cannot shape
+    downloads, regardless of which Shorewall release you are
+    running</emphasis>.</para>
+
+    <blockquote>
+      <para>If you wish to shape downloads, you can always configure traffic
+      shaping on your firewall's local interface. An example appears <link
+      linkend="Downloads">below</link>.</para>
+    </blockquote>
+
     <para>You shape and control outgoing traffic by assigning the traffic to
     <firstterm>classes</firstterm>. Each class is associated with exactly one
     network interface and has a number of attributes:</para>
@@ -1071,7 +1081,7 @@ ppp0            6000kbit        700kbit</programlisting>
           <title>tcclasses file</title>
 
           <programlisting>#INTERFACE      MARK    RATE            CEIL            PRIORITY    OPTIONS
-ppp0            1       10kbit          50kbit          1           tcp-ack
+ppp0            1       10kbit          50kbit          1           tcp-ack,tos-minimize-delay
 ppp0            2       300kbit         full            2
 ppp0            3       300kbit         full            2
 ppp0            4       90kbit          200kbit         3           default</programlisting>
@@ -1134,6 +1144,59 @@ ppp0            4       90kbit          200kbit         3           default</pro
     instructions.</para>
   </section>
 
+  <section id="Downloads">
+    <title>Shaping Download Traffic</title>
+
+    <para>As stated at the outset, traffic shaping works on traffic being sent
+    by the firewall. Download traffic from the Internet to local hosts is sent
+    by the firewall over a local interface. So it follows that if you want to
+    shape such traffic, you must configure shaping on the local
+    interface.</para>
+
+    <para>Shaping of download traffic is most straightforward when there are
+    only two interface. That way, traffic leaving the local interface falls
+    into only two broad categories:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>Traffic being forwarded from the internet</para>
+      </listitem>
+
+      <listitem>
+        <para>Traffic that originated on the firewall itself</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>In general, you will want to shape the forwarded traffic and leave
+    the local traffic unrestricted.</para>
+
+    <para>Extending the <link linkend="simiple">simple example</link>
+    above:</para>
+
+    <para><filename>/etc/shorewall/tcdevices</filename>:<programlisting>#INTERFACE    IN-BANDWITH      OUT-BANDWIDTH
+ppp0            6000kbit        700kbit
+eth1             -              100mbit</programlisting></para>
+
+    <para>/etc/shorewall/tcclasses:<programlisting>#INTERFACE      MARK    RATE            CEIL            PRIORITY    OPTIONS
+ppp0            1       10kbit          50kbit          1           tcp-ack,tos-minimize-delay
+ppp0            2       300kbit         full            2
+ppp0            3       300kbit         full            2
+ppp0            4       90kbit          200kbit         3           default
+eth0            1       100kbit         500kbit         1           tcp-ack,tos-minimize-delay
+eth0            2       3mbit           6mbit           2
+eth0            3       3mbit           6mbit           3
+eth0            4       94mbit          full            default #for local traffic</programlisting></para>
+
+    <para>/etc/shorewall/tcrules:<programlisting>#MARK           SOURCE          DEST            PROTO   PORT(S)      CLIENT   USER
+#                                                                    PORT(S)
+1:F             0.0.0.0/0       0.0.0.0/0       icmp    echo-request
+1:F             0.0.0.0/0       0.0.0.0/0       icmp    echo-reply
+2:F             192.168.2.23    0.0.0.0/0       all
+3:F             192.168.2.42    0.0.0.0/0       all
+2:F             ppp0            192.168.2.23    all
+3:F             ppp0            192.168.2.42    all</programlisting></para>
+  </section>
+
   <section id="IFB">
     <title>Intermediate Frame Block (IFB) Devices</title>
 
@@ -1616,4 +1679,4 @@ class htb 1:120 parent 1:1 leaf 120: prio 2 quantum 1900 rate 76000bit ceil 2300
     <para>At least one Shorewall user has found this tool helpful: <ulink
     url="http://e2epi.internet2.edu/network-performance-toolkit.html">http://e2epi.internet2.edu/network-performance-toolkit.html</ulink></para>
   </section>
-</article>
+</article>