diff --git a/docs/traffic_shaping.xml b/docs/traffic_shaping.xml
index c7579cd4b..a83d470a0 100644
--- a/docs/traffic_shaping.xml
+++ b/docs/traffic_shaping.xml
@@ -26,6 +26,8 @@
2001-2013
+ 2020
+
Thomas M. Eastep
@@ -214,24 +216,6 @@
article.
-
- Linux Kernel Configuration
-
- You will need at least kernel 2.4.18 for this to work, please take a
- look at the following screenshot for what settings you need to enable. For
- builtin support, you need the HTB scheduler, the Ingress scheduler, the
- PRIO pseudoscheduler and SFQ queue. The other scheduler or queue
- algorithms are not needed.
-
- This screen shot shows how I configured QoS in a 2.6.16
- Kernel:
-
-
-
- And here's my recommendation for a 2.6.21 kernel:
-
-
Enable TC support in Shorewall
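Review bot: deleting the whole "Linux Kernel Configuration" section leaves the page with no statement at all of which kernel queueing disciplines must be enabled, at the same time as this patch starts recommending IFB devices and a mark-based classifier. The removed text at least named the HTB scheduler, the Ingress scheduler, the PRIO pseudoscheduler and SFQ; rather than dropping it outright, replace the 2.4.18/2.6.x references and the two screenshots with a short current list (HTB and HFSC, SFQ, the ingress qdisc, IFB, and whatever the new connmark option requires) so a reader can still check their kernel before following the rest of the page.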
@@ -298,6 +282,15 @@
Assign traffic to HTB and/or HFSC classes based on packet mark
value or based on packet contents.
+
+
+ Throttle incoming traffic
+
+
+
+ Use an Intermediate functional block (IFB)
+ to shape incoming traffic
+
Those few features are really all that builtin traffic
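Review bot: the two new list items overlap: "Throttle incoming traffic" and "Use an Intermediate functional block (IFB) to shape incoming traffic" read as the same capability. If the first means ingress policing via the inbound bandwidth column of tcdevices and the second means true shaping on an IFB, say so in each item; otherwise merge them into one. The unchanged closing sentence "Those few features are really all that builtin traffic ..." should also be re-read now that the list is longer.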
@@ -482,6 +475,16 @@
+
+
+ connmark
+
+
+ Added in Shorewall 5.2.7. May be specified on IFB
+ devices to enable use of firewall marks to select the
+ appropriate traffic shaping class.
+
+
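Review bot: the new connmark entry says it "May be specified on IFB devices" but not what happens if it is given on a non-IFB device (rejected at compile time or silently ignored?), and it omits the side effect that a later hunk in this patch introduces: an IFB with connmark no longer gets the classify option automatically. That behaviour belongs in the option's own description, e.g. "When specified, traffic on the device is classified by firewall mark rather than by entries in tcfilters, and the classify option is not added automatically." Without it the option cannot be used correctly from the tcdevices page alone.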
@@ -496,7 +499,8 @@
column.
IFB devices automatically get the classify option.
+ role="bold">classify option unless the connmark option is specified.
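Review bot: the added line `role="bold">classify option unless the connmark option is specified.` begins in the middle of an attribute, and the hunk header (-496,7 +499,8) describes a one-line net addition while only a `+` line and no `-` line is visible, so either the line that previously carried `role="bold">classify</emphasis> option.` was replaced and the diff is shown incompletely, or the result now has an unbalanced emphasis element. Please confirm docs/traffic_shaping.xml still parses after this hunk. The sentence should also say whether classify may still be given explicitly together with connmark, or whether the two are mutually exclusive.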
@@ -1577,9 +1581,11 @@ ip link set ifb0 up
Entries in /etc/shorewall/mangle or
/etc/shorewall/tcrules have no effect on shaping
- traffic through an IFB. To allow classification of such traffic, the
- /etc/shorewall/tcfilters file has been added. Entries in that file create
- u32 classification
+ traffic through an IFB unless the IFB is defined in shorewall-tcclasses(5)
+ with the connmark option. To allow
+ classification of such traffic, the /etc/shorewall/tcfilters file has been
+ added. Entries in that file create u32 classification
rules.
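Review bot: "defined in shorewall-tcclasses(5) with the connmark option" names the wrong file. This patch adds connmark to the tcdevices OPTIONS column (see the new entry above and the example's `11:ifb0 - 1000mbit htb,connmark NET_IF` line), so this should read shorewall-tcdevices(5). The sentence should also say which mark is consulted when connmark is set, i.e. the connection mark set by CONNMARK rules in mangle, since the preceding clause still states that mangle entries have no effect on IFB traffic.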
@@ -1937,6 +1943,93 @@ filter parent 1: protocol ip pref 10 u32 fh 800:<========= PROTO TCP
offset 0f00>>6 at 0 eat
+
+
+ IFBs and SNAT/MASQUERADE
+
+ IFB traffic shaping takes place immediately after the traffic is
+ received by the incoming interface and before it has been passed to any
+ Netfilter hook. This has two consequences:
+
+
+
+ There is no opportunity to mark the packets before they are
+ processed by the IFBs traffic shaping rules.
+
+
+
+ The DEST IP address is still the IP address of the external
+ interface on which the traffic arrived.
+
+
+
+ As a result, in the tcdevices file description above, a connmark option was added to that file in
+ Shorewall 5.2.7. The connmark option
+ allows firewall marks to be used to segregate traffic by DEST IP.
+
+ Example (based closely on one supplied by Rodrigo Araujo, who also
+ wrote much of the code supporting the connmark option):
+
+ /etc/shorewall/shorewall.conf:
+
+ ...
+TC_ENABLED=Internal
+...
+
+ /etc/shorewall/interfaces:
+
+ ##############################################################################
+?FORMAT 2
+###############################################################################
+#ZONE INTERFACE OPTIONS
+net NET_IF dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
+loc LOC_IF tcpflags,nosmurfs,routefilter,logmartians,physical=eth1
+
+ /etc/shorewall/snat:
+
+ ?FORMAT 2
+#ACTION SOURCE DEST PROTO PORT IPSEC MARK
+USER SWITCH ORIGDEST PROBABILITY
+MASQUERADE - NET_IF
+
+ /etc/shorewall/tcdevices:
+
+ #INTERFACE IN_BANDWITH OUT_BANDWIDTH OPTIONS REDIRECT
+## net upload
+10:NET_IF - 1000mbit htb
+## net download
+11:ifb0 - 1000mbit htb,connmark NET_IF
+
+ /etc/shorewall/tcclasses:
+
+ #INTERFACE MARK RATE CEIL PRIO OPTIONS
+10:5000 111 500kbit full 10 tcp-ack,tos-minimize-delay
+11:5000 110 500kbit full 10 tcp-ack,tos-minimize-delay
+
+10:1000 100 full-50500 full 20 default
+11:1000 101 full-100500 full 20 default
+
+10:50 10 50mbit 50mbit 101 flow=nfct-src
+11:100 11 100mbit 100mbit 101 flow=dst
+
+ /etc/shorewall/tcfilters:
+
+ #CLASS SOURCE DEST PROTO DPORT SPORT TOS LENGTH
+## limit LAN upload - works
+10:50 10.100.100.0/24
+## limit LAN download - DOESN'T WORK BECAUSE OF MASQUERADE ON eth0 !!!! (snat file)
+#11:100 - 10.100.100.0/24
+
+ /etc/shorewall/mangle:
+
+ #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP SWITCH
+## this only works with the aforementioned conntrack option
+## and LAN users' download traffic will get the 11:100 class (defined in tcclasses) applied
+CONNMARK(11):F 10.100.100.0/24 - { TEST=0x0/0xff }
+
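Review bot: the mangle comment "this only works with the aforementioned conntrack option" names the wrong option; everything else in this section calls it connmark, and a reader copying the example will look for an option that does not exist. Second, the explanation is incomplete: the text says there is "no opportunity to mark the packets before they are processed by the IFBs traffic shaping rules" and that DEST is still the external address, yet the example then classifies on ifb0 by mark. Add a sentence saying how the mark set by `CONNMARK(11):F 10.100.100.0/24 - { TEST=0x0/0xff }` becomes visible on the reply packets at ingress (the connection mark has to be restored onto the packet before the IFB classifier runs) and which kernel support that needs, otherwise the "two consequences" paragraph contradicts the example. Smaller points: "the IFBs traffic shaping rules" should be "the IFB's"; "As a result, in the tcdevices file description above, a connmark option was added to that file in Shorewall 5.2.7" reads awkwardly and could be "As a result, a connmark option was added to the tcdevices file in Shorewall 5.2.7"; "segregate traffic by DEST IP" should make clear it means the internal (pre-NAT) destination, which is the whole point of the example; the tcdevices header has `IN_BANDWITH` for `IN_BANDWIDTH`; and the snat header is wrapped onto two lines (`USER SWITCH ORIGDEST PROBABILITY`), which will not paste cleanly as a config file.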