From 7e3675fb3008ebfdabe373d284c535723e80ac67 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 26 Dec 2009 12:40:16 -0800 Subject: [PATCH] Move 4.5 manpage/doc updates to master --- docs/Documentation_Index.xml | 41 ++--- docs/Manpages.xml | 9 +- docs/Manpages6.xml | 9 +- docs/simple_traffic_shaping.xml | 227 ++++++++++++++++++++++++++ docs/traffic_shaping.xml | 51 ++++-- manpages/shorewall-tcinterfaces.xml | 105 ++++++++++++ manpages/shorewall-tcpri.xml | 159 ++++++++++++++++++ manpages/shorewall.conf.xml | 152 +++++++++++++++-- manpages6/shorewall6-tcinterfaces.xml | 103 ++++++++++++ manpages6/shorewall6-tcpri.xml | 157 ++++++++++++++++++ manpages6/shorewall6.conf.xml | 107 ++++++++++++ 11 files changed, 1072 insertions(+), 48 deletions(-) create mode 100644 docs/simple_traffic_shaping.xml create mode 100644 manpages/shorewall-tcinterfaces.xml create mode 100644 manpages/shorewall-tcpri.xml create mode 100644 manpages6/shorewall6-tcinterfaces.xml create mode 100644 manpages6/shorewall6-tcpri.xml diff --git a/docs/Documentation_Index.xml b/docs/Documentation_Index.xml index 42715dc41..742f9dd1b 100644 --- a/docs/Documentation_Index.xml +++ b/docs/Documentation_Index.xml @@ -5,7 +5,7 @@ - Shorewall 4.4 Documentation + Shorewall 4.4/4.5 Documentation @@ -166,9 +166,8 @@ My Shorewall Configuration - Traffic - Shaping/QOS (Russian) + Traffic + Shaping/QOS - Simple @@ -178,8 +177,9 @@ Netfilter Overview - Transparent - Proxy + Traffic Shaping/QOS - + Complex (Russian) @@ -188,7 +188,8 @@ Network Mapping - UPnP + Transparent + Proxy @@ -198,8 +199,7 @@ One-to-one NAT (Static NAT) - Upgrade - Issues + UPnP @@ -208,8 +208,8 @@ OpenVPN - Upgrading to Shorewall 4.4 - (Upgrading Debian Lenny to Squeeze) + Upgrade + Issues @@ -219,7 +219,8 @@ OpenVZ - VPN + Upgrading to Shorewall 4.4 + (Upgrading Debian Lenny to Squeeze) @@ -228,7 +229,7 @@ Operating Shorewall - VPN Passthrough + VPN @@ -238,8 +239,7 @@ Packet Marking - White List - Creation + VPN Passthrough 
@@ -250,8 +250,8 @@ Packet Processing in a Shorewall-based Firewall - Xen - Shorewall in a Bridged Xen - DomU + White List + Creation @@ -260,8 +260,8 @@ 'Ping' Management - Xen - Shorewall in Routed - Xen Dom0 + Xen - Shorewall in a Bridged Xen + DomU @@ -270,7 +270,8 @@ Port Forwarding - + Xen - Shorewall in Routed + Xen Dom0 diff --git a/docs/Manpages.xml b/docs/Manpages.xml index b640f067c..8e38da5cc 100644 --- a/docs/Manpages.xml +++ b/docs/Manpages.xml @@ -5,7 +5,7 @@ - Shorewall 4.3 Manpages + Shorewall 4.4/4.5 Manpages @@ -137,6 +137,13 @@ url="manpages/shorewall-tcdevices.html">tcdevices - Specify speed of devices for traffic shaping. + tcinterfaces - + Specify devices for simplified traffic shaping. + + tcpri - + Classify traffic for simplified traffic shaping. + tcrules - Define packet marking rules, usually for traffic shaping. diff --git a/docs/Manpages6.xml b/docs/Manpages6.xml index ce5ed3ebb..d0ac8e840 100644 --- a/docs/Manpages6.xml +++ b/docs/Manpages6.xml @@ -5,7 +5,7 @@ - Shorewall6 4.3 Manpages + Shorewall6 4.4/4.5 Manpages @@ -122,6 +122,13 @@ url="manpages6/shorewall6-tcdevices.html">tcdevices - Specify speed of devices for traffic shaping. + tcinterfaces - + Specify interfaces for simplified traffic shaping. + + tcpri - + Classify traffic for simplified traffic shaping. + tcrules - Define packet marking rules, usually for traffic shaping. diff --git a/docs/simple_traffic_shaping.xml b/docs/simple_traffic_shaping.xml new file mode 100644 index 000000000..7ea665f3f --- /dev/null +++ b/docs/simple_traffic_shaping.xml @@ -0,0 +1,227 @@ + + +
+ + + + Simple Traffic Shaping/Control + + + + Tom + + Eastep + + + + + + + 2009 + + 2010 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled + GNU Free Documentation + License. + + + +
+ Introduction + + Traffic shaping and control was originally introduced into Shorewall + in version 2.2.5. That facility was based on Arne Bernin's + tc4shorewall and is generally felt to be complex + and difficult to use. + + In Shorewall 4.5.0, a second traffic shaping facility that is simple + to understand and to configure was introduced. This newer facility is + described in this document while the original facility is documented in + Complex Traffic + Shaping/Control. +
+ +
+ Enabling Simple Traffic Shaping + + Simple traffic shaping is enabled by setting TC_ENABLED=Simple in + shorewall.conf(5). You + then add an entry for your external interface to shorewall-tcinterfaces(5) + (/etc/shorewall/tcinterfaces). + + Assuming that your external interface is eth0: + + #INTERFACE TYPE IN-BANDWIDTH +eth0 External + + With this simple contfiguration, packets to be sent through + interface eth0 will be assigned to a priority band based on the value of + their TOS field: + + TOS Bits Means Linux Priority BAND +------------------------------------------------------------ +0x0 0 Normal Service 0 Best Effort 2 +0x2 1 Minimize Monetary Cost 1 Filler 3 +0x4 2 Maximize Reliability 0 Best Effort 2 +0x6 3 mmc+mr 0 Best Effort 2 +0x8 4 Maximize Throughput 2 Bulk 3 +0xa 5 mmc+mt 2 Bulk 3 +0xc 6 mr+mt 2 Bulk 3 +0xe 7 mmc+mr+mt 2 Bulk 3 +0x10 8 Minimize Delay 6 Interactive 1 +0x12 9 mmc+md 6 Interactive 1 +0x14 10 mr+md 6 Interactive 1 +0x16 11 mmc+mr+md 6 Interactive 1 +0x18 12 mt+md 4 Int. Bulk 2 +0x1a 13 mmc+mt+md 4 Int. Bulk 2 +0x1c 14 mr+mt+md 4 Int. Bulk 2 +0x1e 15 mmc+mr+mt+md 4 Int. Bulk 2 + + When dequeueing, band 1 is tried first and only if it did not + deliver a packet does the system try band 2, and so onwards. Maximum + reliability packets should therefore go to band 1, minimum delay to band 2 + and the rest to band 3. + + + If you run both an IPv4 and an IPv6 firewall on your system, you + should define each interface in only one of the two + configurations. + +
+ +
+ Customizing Simple Traffic Shaping + + The default mapping of TOS to bands can be changed using the + TC_PRIOMAP setting in shorewall.conf(5). The default + setting of this option is: + + TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2" + + These entries map Linux Priority to priority BAND. So only entries + 0, 1, 2, 4 and 6 in the map are relevant to TOS->BAND mapping. + + Further customizations can be defined in shorewall-tcpri(5) + (/etc/shorewall/tcpri). Using that file, you + can: + + + + Assign traffic entering the firewall on a particular interface + to a specific priority band: + + #BAND PROTO PORT(S) ADDRESS INTERFACE HELPER +2 - - - eth1 + + In this example, traffic from eth1 will be assigned to priority + band 2. + + + When an INTERFACE is specified, the PROTO, PORT(S) and ADDRESS + column must contain '-'. + + + + + Assign traffic from a particular IP address to a specific + priority band: + + #BAND PROTO PORT(S) ADDRESS INTERFACE HELPER +1 - - 192.168.1.44 + + In this example, traffic from 192.168.1.44 will be assigned to + priority band 1. + + + When an ADDRESS is specified, the PROTO, PORT(S) and INTERFACE + columns must be empty. + + + + + Assign traffic to/from a particular application to a specific + priority band: + + #BAND PROTO PORT(S) ADDRESS INTERFACE HELPER +1 udp 1194 + + In that example, OpenVPN traffic is assigned to priority band + 1. + + + + Assign traffic that uses a particular Netfilter helper to a + particular priority band: + + #BAND PROTO PORT(S) ADDRESS INTERFACE HELPER +1 - - - - sip + + In this example, SIP and associated RTP traffic will be assigned + to priority band 1 (assuming that the nf_conntrack_sip helper is + loaded). + + + + It is suggested that entries specifying an INTERFACE be placed the + top of the file. That way, the band assigned to a particular packet will + be the last entry matched by the packet. 
+ Packets which match no entry in shorewall-tcpri(5) are + assigned to priority bands using their TOS field as previously + described. + + One cause of high latency on interactive traffic can be that queues + are building up at your ISP's gateway router. If you suspect that is + happening in your case, you can try to eliminate the problem by using the + IN-BANDWIDTH setting in shorewall-tcinterfaces(5). + The contents of the column are a rate. For + defining the rate, use kbit or kbps (for Kilobytes per second) and make sure there + is NO space between the number and the unit (it is 100kbit not 100 kbit). + mbit, mbps or a raw number (which means bytes) can be + used, but note that only integer numbers are supported (0.5 is not valid). + To pick an appropriate setting, we recommend that you start by setting + IN-BANDWIDTH significantly below your measured download bandwidth (20% or + so). While downloading, measure the ping response time from the firewall + to the upstream router as you gradually increase the setting. The optimal + setting is at the point beyond which the ping time increases sharply as + you increase the setting. + + Simple Traffic Shaping is only appropriate on interfaces where + output queuing occurs. As a consequence, you usually only use it on + extermal interfaces. There are cases where you may need to use it on an + internal interface (a VPN interface, for example). If so, just add an + entry to shorewall-tcinterfaces(5): + + #INTERFACE TYPE IN-BANDWIDTH +tun0 Internal +
+ +
+ Additional Reading + + The PRIO(8) (tc-prio) manpage has additional information on the + facility that Shorewall Simple Traffic Shaping is based on. + + + Please note that Shorewall numbers the bands 1-3 whereas PRIO(8) + refers to them as bands 0-2. + +
+
diff --git a/docs/traffic_shaping.xml b/docs/traffic_shaping.xml index b103610bc..c480ffc4d 100644 --- a/docs/traffic_shaping.xml +++ b/docs/traffic_shaping.xml @@ -5,7 +5,7 @@ - Traffic Shaping/Control + Complex Traffic Shaping/Control @@ -93,6 +93,14 @@
Introduction + Beginning with Shorewall 4.5.0, Shorewall includes two separate + implementations of traffic shaping. This document describes the original + implementation which is complex and difficult to configure. A much simpler + version is described in Simple Traffic Shaping/Control + and is highly recommended unless you really need to delay certain traffic + passing through your firewall. + Shorewall has builtin support for traffic shaping and control. This support does not cover all options available (and especially all algorithms that can be used to queue traffic) in the Linux kernel but it @@ -183,6 +191,13 @@ url="manpages/shorewall.conf.html">shorewall.conf (5) ). You assign packet marks to different types of traffic using entries in the /etc/shorewall/tcrules file. + + + In Shorewall 4.5.0, WIDE_TC_MARKS was superseded by TC_BITS + which specifies the width in bits of the traffic shaping mark field. + The default is based on the setting of WIDE_TC_MARKS so as to + provide upward compatibility. + @@ -479,6 +494,13 @@ ppp0 6000kbit 500kbit if the device specified in the INTERFACE column has the classify option in /etc/shorewall/tcdevices. + + + In Shorewall 4.5.0, WIDE_TC_MARKS was superseded by TC_BITS + which specifies the width in bits of the traffic shaping mark + field. The default is based on the setting of WIDE_TC_MARKS so as + to provide upward compatibility. + @@ -647,7 +669,7 @@ ppp0 6000kbit 500kbit before SNAT as the key. - Shorewall cannot determine ahead of time if the flow + Shorewall cannot determine ahead of time if the flow classifier is available in your kernel (especially if it was built into the kernel as opposed to being loaded as a module). Consequently, you should check ahead of time to ensure that @@ -669,7 +691,7 @@ ppp0 6000kbit 500kbit ... - If 'flow' is not supported, you will see: + If 'flow' is not supported, you will see: Unknown filter "flow", hence option "help" is unparsable 
@@ -696,7 +718,7 @@ ppp0 6000kbit 500kbit For modularized kernels, Shorewall will attempt to load /lib/modules/<kernel-version>/net/sched/cls_flow.ko - by default. + by default. @@ -808,12 +830,21 @@ ppp0 6000kbit 500kbit MARK or CLASSIFY - MARK specifies the mark value is to be assigned in case of a match. This is an integer in the range 1-255 (1-16383 if you set WIDE_TC_MARKS=Yes in shorewall.conf (5) ). - This value may be optionally followed by : and either - F, P or "T" to designate that the - marking will occur in the FORWARD, PREROUTING or POSTROUTING chains - respectively. If this additional specification is omitted, the chain - used to mark packets will be determined as follows: + url="manpages/shorewall.conf.html">shorewall.conf (5) + ). + + + In Shorewall 4.5.0, WIDE_TC_MARKS was superseded by TC_BITS + which specifies the width in bits of the traffic shaping mark + field. The default is based on the setting of WIDE_TC_MARKS so as + to provide upward compatibility. + + + This value may be optionally followed by : and + either F, P or "T" to designate that + the marking will occur in the FORWARD, PREROUTING or POSTROUTING + chains respectively. If this additional specification is omitted, + the chain used to mark packets will be determined as follows: diff --git a/manpages/shorewall-tcinterfaces.xml b/manpages/shorewall-tcinterfaces.xml new file mode 100644 index 000000000..f090f5c3c --- /dev/null +++ b/manpages/shorewall-tcinterfaces.xml 
@@ -0,0 +1,105 @@ + + + + + shorewall-tcinterfaces + + 5 + + + + tcinterfaces + + Shorewall file + + + + + /etc/shorewall/tcinterfaces + + + + + Description + + This file lists the interfaces that are subject to simple traffic + shaping. Simple traffic shaping is enabled by setting TC_ENABLED=Simple in + shorewall.conf(5). + + The columns in the file are as follows. + + + + INTERFACE + + + The logical name of an interface. If you run both IPv4 and + IPv6 Shorewall firewalls, a given interface should only be listed in + one of the two configurations. + + + + + TYPE - [external|internal] + + + Optional. If given specifies whether the interface is + external (facing toward the + Internet) or internal (facing + toward a local network) and enables SFQ flow classification. + + + Simple traffic shaping is only useful on interfaces where + queuing occurs. As a consequence, internal interfaces seldom + benefit from simple traffic shaping. VPN interfaces are an + exception because the encapsulated packets are later transferred + over a slower external link. + + + + + + IN-BANDWIDTH - [rate] + + + Optional. If specified, enables ingress policing on the + interface. If incoming traffic exceeds the given + rate, received packets are dropped + randomly. With some DSL and Cable links, large queues can build up + in the ISP's gateway router. While this insures maximum throughput, + it kills interactive response time. By setting IN-BANDWIDTH, you can + eliminate these queues. + + To pick an appropriate setting, we recommend that you start by + setting it significantly below your measured download bandwidth (20% + or so). While downloading, measure the ping response time from the + firewall to the upstream router as you gradually increase the + setting.The optimal setting is at the point beyond which the ping + time increases sharply as you increase the setting. + + + + + + + FILES + + /etc/shorewall/tcinterfaces. 
+ + + + See ALSO + + shorewall(8), shorewall-accounting(5), shorewall-actions(5), + shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5), + shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5), + shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), + shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), + shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5), + shorewall.conf(5), shorewall-tcpri(5), shorewall-tcrules(5), + shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5) + + diff --git a/manpages/shorewall-tcpri.xml b/manpages/shorewall-tcpri.xml new file mode 100644 index 000000000..2c730f0dc --- /dev/null +++ b/manpages/shorewall-tcpri.xml 
@@ -0,0 +1,159 @@ + + + + + shorewall-tcpri + + 5 + + + + tcpri + + Shorewall file + + + + + /etc/shorewall/tcpri + + + + + Description + + This file is used to specify the priority of traffic for simple + traffic shaping (TC_ENABLED=Simple in shorewall.conf(5)). The priority band of + each packet is determined by the last + entry that the packet matches. If a packet doesn't match any entry in this + file, then its priority will be determined by its TOS field. The default + mapping is as follows but can be changed by setting the TC_PRIOMAP option + in shorewall.conf(5). + + TOS Bits Means Linux Priority BAND +------------------------------------------------------------ +0x0 0 Normal Service 0 Best Effort 2 +0x2 1 Minimize Monetary Cost 1 Filler 3 +0x4 2 Maximize Reliability 0 Best Effort 2 +0x6 3 mmc+mr 0 Best Effort 2 +0x8 4 Maximize Throughput 2 Bulk 3 +0xa 5 mmc+mt 2 Bulk 3 +0xc 6 mr+mt 2 Bulk 3 +0xe 7 mmc+mr+mt 2 Bulk 3 +0x10 8 Minimize Delay 6 Interactive 1 +0x12 9 mmc+md 6 Interactive 1 +0x14 10 mr+md 6 Interactive 1 +0x16 11 mmc+mr+md 6 Interactive 1 +0x18 12 mt+md 4 Int. Bulk 2 +0x1a 13 mmc+mt+md 4 Int. Bulk 2 +0x1c 14 mr+mt+md 4 Int. Bulk 2 +0x1e 15 mmc+mr+mt+md 4 Int. Bulk 2 + + The columns in the file are as follows. + + + + BAND - {1|2|3} + + + Classifies matching traffic as High Priority (1), Medium + Priority (2) or Low Priority (3). For those interfaces listed in + shorewall-tcinterfaces(5), + Priority 2 traffic will be deferred so long and there is Priority 1 + traffic queued and Priority 3 traffic will be deferred so long as + there is Priority 1 or Priority 2 traffic to send. + + + + + PROTO - + protocol + + + Optional. The name or number of an IPv4 + protocol. + + + + + PORT(S) - port [,...] + + + Optional. May only be given if the the PROTO is tcp (6) or udp + (17). A list of one or more port numbers or service names from + /etc/services. Port ranges of the form + lowport:highport + may also be included. 
+ + + + + ADDRESS - [address] + + + Optional. The IP or MAC address that the traffic originated + from. MAC addresses must be given in Shorewall format. If this + column contains an address, then the PROTO, PORT(S) and INTERFACE + column must be empty ("-"). + + + + + INTERFACE - [interface] + + + Optional. The logical name of an + interface that traffic arrives from. If + given, the PROTO, PORT(S) and ADDRESS columns must be empty + ("-"). + + + INTERFACE classification of packets occurs before + classification by PROTO/PORT(S)/ADDRESS. So it is highly + recommended to place entries that specify INTERFACE at the top of + the file so that the rule about last entry + matches is preserved. + + + + + + HELPER - + [helper] + + + Optional. Names a Netfiler protocol helper module such as ftp, + sip, amanda, etc. A packet will match if it was accepted by the + named helper module. You can also append "-" and a port number to + the helper module name (e.g., ftp-21) to specify the port number + that the original connection was made on. + + + + + + + FILES + + /etc/shorewall/tcpri + + + + See ALSO + + PRIO(8), shorewall(8), shorewall-accounting(5), + shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), + shorewall-interfaces(5), shorewall-ipsec(5), shorewall-maclist(5), + shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), + shorewall-params(5), shorewall-policy(5), shorewall-providers(5), + shorewall-proxyarp(5), shorewall-route_rules(5), + shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), + shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), + shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5) + + diff --git a/manpages/shorewall.conf.xml b/manpages/shorewall.conf.xml index b0a6f32de..de5bb8e5d 100644 --- a/manpages/shorewall.conf.xml +++ b/manpages/shorewall.conf.xml 
@@ -169,6 +169,19 @@ + + ACCOUNTING=[Yes|No] + + + Added in Shorewall 4.5.0. If set to Yes, Shorewall accounting + is enabled (see shorewall-accounting(5)). If + not specified or set to the empty value, ACCOUNTING=Yes is + assumed. + + + ADD_IP_ALIASES=[Yes|No] @@ -554,9 +567,13 @@ net all DROP infothen the chain name is 'net2all' url="shorewall-tcrules.html">shorewall-tcrules(5) if you had a multi-ISP configuration that uses the track option. - Beginning with release 3.2.0, you may set HIGH_ROUTE_MARKS=Yes - in to effectively divide the packet mark and connection mark into - two mark fields. + You may set HIGH_ROUTE_MARKS=Yes in to effectively divide the + packet mark and connection mark into two mark fields. + + + From Shorewall 2.5.0 onward, this option is deprecated in + favor of the PROVIDER_OFFSET option. + The width of the fields are determined by the setting of WIDE_TC_MARKS. If WIDE_TC_MARKS=No (the default): 
@@ -1044,6 +1061,24 @@ net all DROP infothen the chain name is 'net2all' + + MASK_BITS=bits + + + Added in Shorewall 4.5.0. This option specifies the number of + bits to use as a mask for traffic shaping marks + and must be greater than or equal to TC_BITS. The default value + depends on the setting of WIDE_TC_MARKS: + + + WIDE_TC_MARKS=No - 8 bits. + + WIDE_TC_MARKS=Yes - 16 bits. + + + + MODULE_SUFFIX=["extension ...then the chain name is 'net2all' + + PROVIDER_BITS=bits + + + Added in Shorewall 4.5.0. Specifies the number of bits of the + packet/connection mark to use for the provider (routing) mark. + Provider mark values must be >= 2**PROVIDER_OFFSET and less than + 2**(PROVIDER_OFFSET + PROVIDER_BITS). The default value is 8 + bits. + + + + + PROVIDER_OFFSET=offset + + + Added in Shorewall 4.5.0. Specifies the + offset in bits from the least significate bit + of the packet/connection mark where the Provider Mark value is + stored. The default is based on the settings of HIGH_ROUTE_MARKS and + WIDE_TC_MARKS: + + + HIGH_ROUTE_MARKS=No - 0 bits. + + HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=No - 8 + bits. + + HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=Yes - 16 + bits. + + + + PKTTYPE={Yes|No} 
@@ -1291,28 +1362,24 @@ net all DROP infothen the chain name is 'net2all' ROUTE_FILTER=[Yes|1|No|0|2|Keep] + role="bold">Yes|No|Keep] If this parameter is given the value Yes or yes - or 1 then route filtering (anti-spoofing) is enabled on all network + then route filtering (anti-spoofing) is enabled on all network interfaces which are brought up while Shorewall is in the started - state. The default value is no - (0). + state. The default value is no. The value Keep causes Shorewall to ignore the option. If the option is set to Yes or 1, then route filtering occurs on all + role="bold">Yes, then route filtering occurs on all interfaces. If the option is set to No, then route filtering is disabled on all interfaces except those specified in shorewall-interfaces(5). - - The value 2 is only available with Shorewall 4.4.5.1 and later - running on kernel 2.6.31 or later. It specifies a looser form of - reverse path filtering than the value Yes (1). @@ -1407,11 +1474,34 @@ net all DROP infothen the chain name is 'net2all' + + TC_BITS=bits + + + Added in Shorewall 4.5.0. This option replaces WIDE_TC_MARKS + by allowing you to specify the number of bits + of the 32-bit packet/connection mark to be used for traffic shaping. + The default value is based on the settings of WIDE_TC_MARKS: + + + WIDE_TC_MARKS=No - 8 bits. + + WIDE_TC_MARKS=Yes - 14 bits. + + + Mark values specified in shorewall-tcclasses (5) must + be < 2**TC_BITS. + + + TC_ENABLED=[Yes|No|Internal] + role="bold">Internal|Simple] If you say Yes or then the chain name is 'net2all' role="bold">no then traffic shaping is not enabled. + If you set TC_ENABLED=Simple (Shorewall 4.5.0 and later), + simple traffic shaping using shorewall-tcinterfaces(5) + and shorewall-tcpri(5) is + enabled. + If you set TC_ENABLED=Internal or internal or leave the option empty then Shorewall will use its builtin traffic shaper (tc4shorewall written by Arne Bernin. 
@@ -1445,6 +1541,24 @@ net all DROP infothen the chain name is 'net2all' + + TC_PRIOMAP=map + + + Added in Shorewall 4.5.0. Determines the mapping of a packet's + TOS field to priority bands. See shorewall-tcpri(5). The + map consists of 16 space-separated digits with + values 1, 2 or 3. The first entry corresponds to Linux priority 9, + the second to Linux priority 1, the third to Linux Priority 2, and + so on. See tc-prio(8) for additional information. + + The default setting is TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 + 2 2". + + + TCP_FLAGS_DISPOSITION=[then the chain name is 'net2all' traffic shaping marks are 14 bytes wide (values 1-16383). The setting of WIDE_TC_MARKS also has an effect on the HIGH_ROUTE_MARKS option (see above). + + + From Shorewall 2.5.0 onware, this option is deprecated in + favor of the TC_BITS option. + @@ -1607,7 +1726,8 @@ net all DROP infothen the chain name is 'net2all' shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5), - shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), - shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5) + shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcinterfaces(5), + shorewall-tcpri(5), shorewall-tcrules(5), shorewall-tos(5), + shorewall-tunnels(5), shorewall-zones(5) diff --git a/manpages6/shorewall6-tcinterfaces.xml b/manpages6/shorewall6-tcinterfaces.xml new file mode 100644 index 000000000..972f08737 --- /dev/null +++ b/manpages6/shorewall6-tcinterfaces.xml 
@@ -0,0 +1,103 @@ + + + + + shorewall6-tcinterfaces + + 5 + + + + tcinterfaces + + Shorewall6 file + + + + + /etc/shorewall6/tcinterfaces + + + + + Description + + This file lists the interfaces that are subject to simple traffic + shaping. Simple traffic shaping is enabled by setting TC_ENABLED=Simple in + shorewall6.conf(5). + + The columns in the file are as follows. + + + + INTERFACE + + + The logical name of an interface. If you run both IPv4 and + IPv6 Shorewall firewalls, a given interface should only be listed in + one of the two configurations. + + + + + TYPE - [external|internal] + + + Optional. If given specifies whether the interface is + external (facing toward the + Internet) or internal (facing + toward a local network) and enables SFQ flow classification. + + + Simple traffic shaping is only useful on interfaces where + queuing occurs. As a consequence, internal interfaces seldom + benefit from simple traffic shaping. VPN interfaces are an + exception because the encapsulated packets are later transferred + over a slower external link. + + + + + + IN-BANDWIDTH - [rate] + + + Optional. If specified, enables ingress policing on the + interface. If incoming traffic exceeds the given + rate, received packets are dropped + randomly. With some DSL and Cable links, large queues can build up + in the ISP's gateway router. While this insures maximum throughput, + it kills interactive response time. By setting IN-BANDWIDTH, you can + eliminate these queues. + + To pick an appropriate setting, we recommend that you start by + setting it significantly below your measured download bandwidth (20% + or so). While downloading, measure the ping response time from the + firewall to the upstream router as you gradually increase the + setting.The optimal setting is at the point beyond which the ping + time increases sharply as you increase the setting. + + + + + + + FILES + + /etc/shorewall6/tcinterfaces. 
+ + + + See ALSO + + shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), + shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-maclist(5), + shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), + shorewall6-route_rules(5), shorewall6-routestopped(5), + shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcpri, + shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5) + + diff --git a/manpages6/shorewall6-tcpri.xml b/manpages6/shorewall6-tcpri.xml new file mode 100644 index 000000000..2392f5324 --- /dev/null +++ b/manpages6/shorewall6-tcpri.xml 
@@ -0,0 +1,157 @@ + + + + + shorewall6-tcpri + + 5 + + + + tcpri + + Shorewall6 file + + + + + /etc/shorewall6/tcpri + + + + + Description + + This file is used to specify the priority band of traffic for simple + traffic shaping (TC_ENABLED=Simple in shorewall6.conf(5)). The priority band + of each packet is determined by the last + entry that the packet matches. If a packet doesn't match any entry in this + file, then its priority will be determined by its TOS field. The default + mapping is as follows but can be changed by setting the TC_PRIOMAP option + in shorewall6.conf(5). + + TOS Bits Means Linux Priority BAND +------------------------------------------------------------ +0x0 0 Normal Service 0 Best Effort 2 +0x2 1 Minimize Monetary Cost 1 Filler 3 +0x4 2 Maximize Reliability 0 Best Effort 2 +0x6 3 mmc+mr 0 Best Effort 2 +0x8 4 Maximize Throughput 2 Bulk 3 +0xa 5 mmc+mt 2 Bulk 3 +0xc 6 mr+mt 2 Bulk 3 +0xe 7 mmc+mr+mt 2 Bulk 3 +0x10 8 Minimize Delay 6 Interactive 1 +0x12 9 mmc+md 6 Interactive 1 +0x14 10 mr+md 6 Interactive 1 +0x16 11 mmc+mr+md 6 Interactive 1 +0x18 12 mt+md 4 Int. Bulk 2 +0x1a 13 mmc+mt+md 4 Int. Bulk 2 +0x1c 14 mr+mt+md 4 Int. Bulk 2 +0x1e 15 mmc+mr+mt+md 4 Int. Bulk 2 + + The columns in the file are as follows. + + + + BAND - {1|2|3} + + + Classifies matching traffic as High Priority (1), Medium + Priority (2) or Low Priority (3). For those interfaces listed in + shorewall6-tcinterfaces(5), + Priority 2 traffic will be deferred so long and there is Priority 1 + traffic queued and Priority 3 traffic will be deferred so long as + there is Priority 1 or Priority 2 traffic to send. + + + + + PROTO - + protocol + + + Optional. The name or number of an IPv4 + protocol. + + + + + PORT(S) - port [,...] + + + Optional. May only be given if the the PROTO is tcp (6) or udp + (17). A list of one or more port numbers or service names from + /etc/services. Port ranges of the form + lowport:highport + may also be included. 
+ + + + + ADDRESS - [address] + + + Optional. The IP or MAC address that the traffic originated + from. MAC addresses must be given in Shorewall format. If this + column contains an address, then the PROTO, PORT(S) and INTERFACE + column must be empty ("-"). + + + + + INTERFACE - [interface] + + + Optional. The logical name of an + interface that traffic arrives from. If + given, the PROTO, PORT(S) and ADDRESS columns must be empty + ("-"). + + + INTERFACE classification of packets occurs before + classification by PROTO/PORT(S)/ADDRESS. So it is highly + recommended to place entries that specify INTERFACE at the top of + the file so that the rule about last entry + matches is preserved. + + + + + + HELPER - + [helper] + + + Optional. Names a Netfiler protocol helper module such as ftp, + sip, amanda, etc. A packet will match if it was accepted by the + named helper module. You can also append "-" and a port number to + the helper module name (e.g., ftp-21) to specify the port number + that the original connection was made on. + + + + + + + FILES + + /etc/shorewall6/tcpri + + + + See ALSO + + PRIO(8), shorewall6(8), shorewall6-accounting(5), + shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), + shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5), + shorewall6-providers(5), shorewall6-route_rules(5), + shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), + shorewall6-tcinterfaces(5), shorewall6-tos(5), shorewall6-tunnels(5), + shorewall6-zones(5) + + diff --git a/manpages6/shorewall6.conf.xml b/manpages6/shorewall6.conf.xml index 8a367444b..3498debf4 100644 --- a/manpages6/shorewall6.conf.xml +++ b/manpages6/shorewall6.conf.xml @@ -167,6 +167,19 @@ + + ACCOUNTING=[Yes|No] + + + Added in Shorewall 4.5.0. If set to Yes, Shorewall6 accounting + is enabled (see shorewall6-accounting(5)). + If not specified or set to the empty value, ACCOUNTING=Yes is + assumed. + + + ADMINISABSENTMINDED=[Yes|No] 
@@ -868,6 +881,24 @@ net all DROP infothen the chain name is 'net2all' + + MASK_BITS=bits + + + Added in Shorewall 4.5.0. This option specifies the number of + bits to use as a mask for traffic shaping marks + and must be greater than or equal to TC_BITS. The default value + depends on the setting of WIDE_TC_MARKS: + + + WIDE_TC_MARKS=No - 8 bits. + + WIDE_TC_MARKS=Yes - 16 bits. + + + + MODULE_SUFFIX=["extension ...then the chain name is 'net2all' + + PROVIDER_BITS=bits + + + Added in Shorewall 4.5.0. Specifies the number of bits of the + packet/connection mark to use for the provider (routing) mark. + Provider mark values must be >= 2**PROVIDER_OFFSET and less than + 2**(PROVIDER_OFFSET + PROVIDER_BITS). The default value is 8 + bits. + + + + + PROVIDER_OFFSET=offset + + + Added in Shorewall 4.5.0. Specifies the + offset in bits from the least significate bit + of the packet/connection mark where the Provider Mark value is + stored. The default is based on the settings of HIGH_ROUTE_MARKS and + WIDE_TC_MARKS: + + + HIGH_ROUTE_MARKS=No - 0 bits. + + HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=No - 8 + bits. + + HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=Yes - 16 + bits. + + + + RCP_COMMAND="commandthen the chain name is 'net2all' + + TC_BITS=bits + + + Added in Shorewall 4.5.0. This option replaces WIDE_TC_MARKS + by allowing you to specify the number of bits + of the 32-bit packet/connection mark to be used for traffic shaping. + The default value is based on the settings of WIDE_TC_MARKS: + + + WIDE_TC_MARKS=No - 8 bits. + + WIDE_TC_MARKS=Yes - 14 bits. + + + Mark values specified in shorewall6-tcclasses (5) + must be < 2**TC_BITS. + + + TC_ENABLED=[Yes|then the chain name is 'net2all' + + TC_PRIOMAP=map + + + Added in Shorewall 4.5.0. Determines the mapping of a packet's + TOS field to priority bands. See shorewall6-tcpri(5). The + map consists of 16 space-separated digits with + values 1, 2 or 3. 
The first entry corresponds to Linux priority 9, + the second to Linux priority 1, the third to Linux Priority 2, and + so on. See tc-prio(8) for additional information. + + The default setting is TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 + 2 2". + + + TCP_FLAGS_DISPOSITION=[
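Review bot: In docs/Manpages.xml the new tcinterfaces entry reads "Specify devices for simplified traffic shaping." while the parallel entry added in docs/Manpages6.xml reads "Specify interfaces for simplified traffic shaping."; since the file is named tcinterfaces and its manpage documents an INTERFACE column, use "interfaces" in both index pages.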
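Review bot: In docs/simple_traffic_shaping.xml the dequeueing paragraph contradicts the TOS table directly above it: it says "Maximum reliability packets should therefore go to band 1, minimum delay to band 2 and the rest to band 3", but the table (and the TC_PRIOMAP default) puts Minimize Delay (0x10) in band 1 and Maximize Reliability (0x4) in band 2. Reword it to match the table, for example "Minimize Delay packets therefore go to band 1, Best Effort and Maximize Reliability packets to band 2, and Bulk and Filler packets to band 3." Smaller fixes in the same hunk: "contfiguration" should be "configuration", "extermal interfaces" should be "external interfaces", and "be placed the top of the file" is missing "at".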
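Review bot: The hunk at line 191 of docs/traffic_shaping.xml adds a note ("In Shorewall 4.5.0, WIDE_TC_MARKS was superseded by TC_BITS which specifies the width in bits of the traffic shaping mark field...") that is then pasted verbatim again in the hunks at 494 and 830. One note in the Introduction, with the other two places cross-referencing it, would be easier to keep accurate when the default changes again.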
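Review bot: The three hunks in docs/traffic_shaping.xml starting at lines 669, 691 and 718 show no visible textual change ("Shorewall cannot determine ahead of time if the flow", "If 'flow' is not supported, you will see:", "by default."); if these are whitespace or entity-only edits, say so in the commit message, otherwise drop them so the documentation diff stays reviewable.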
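Review bot: In manpages/shorewall-tcinterfaces.xml the IN-BANDWIDTH column is defined as "[rate]" but the manpage never says what a rate looks like; the syntax only appears in docs/simple_traffic_shaping.xml in this same patch ("use kbit or kbps ... make sure there is NO space between the number and the unit ... only integer numbers are supported"). Copy that unit description into the manpage, which is where an administrator will look when a value is rejected. Also in the same description: "insures maximum throughput" should be "ensures", and "setting.The optimal setting" is missing a space after the period.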
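Review bot: In manpages/shorewall-tcpri.xml the BAND description has a garbled conjunction that changes its meaning: "Priority 2 traffic will be deferred so long and there is Priority 1 traffic queued" should read "so long as there is". Further fixes in the same hunk: "if the the PROTO" (doubled "the"); "Netfiler protocol helper" should be "Netfilter"; and under ADDRESS, "the PROTO, PORT(S) and INTERFACE column must be empty" should be "columns". The HELPER text should also state that a helper name only matches once the corresponding conntrack helper module is loaded, which docs/simple_traffic_shaping.xml says for sip ("assuming that the nf_conntrack_sip helper is loaded") but the manpage does not.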
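Review bot: In the HIGH_ROUTE_MARKS hunk of manpages/shorewall.conf.xml the deprecation note gives the wrong version: "From Shorewall 2.5.0 onward, this option is deprecated in favor of the PROVIDER_OFFSET option", yet PROVIDER_OFFSET is introduced in this same patch as "Added in Shorewall 4.5.0"; change 2.5.0 to 4.5.0. The rewritten sentence "You may set HIGH_ROUTE_MARKS=Yes in to effectively divide" also keeps a dangling "in" from the old text; either drop it or name the file ("in shorewall.conf").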
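Review bot: In the PROVIDER_OFFSET description of manpages/shorewall.conf.xml (and the identical copy in manpages6/shorewall6.conf.xml), "least significate bit" should be "least significant bit". The same hunk should also state how PROVIDER_OFFSET relates to MASK_BITS and TC_BITS: the defaults line up exactly (MASK_BITS 8/16 bits, PROVIDER_OFFSET 8/16 bits when HIGH_ROUTE_MARKS=Yes, TC_BITS 8/14 bits), which implies the traffic-shaping field and the provider field are meant not to overlap, but nothing says whether Shorewall rejects a PROVIDER_OFFSET smaller than MASK_BITS. Overlapping fields would let a traffic-shaping mark alter the provider (routing) mark, so a documented constraint, and ideally a check at compile time, is worth adding.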
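Review bot: The ROUTE_FILTER hunk in manpages/shorewall.conf.xml removes documentation rather than adding it: the value list shrinks from "[Yes|1|No|0|2|Keep]" to "[Yes|No|Keep]", and the paragraph "The value 2 is only available with Shorewall 4.4.5.1 and later running on kernel 2.6.31 or later. It specifies a looser form of reverse path filtering than the value Yes (1)." is deleted. Given that the commit message says this moves 4.5 doc updates to master, this looks like a 4.5 copy that predates the 4.4.5.1 change being merged over it; unless the numeric values and the loose mode are really being withdrawn from master, restore that text. ROUTE_FILTER is the anti-spoofing control, and a reader who set ROUTE_FILTER=2 on a multi-homed firewall would otherwise lose the only description of what that value does.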
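Review bot: In the TC_PRIOMAP description of manpages/shorewall.conf.xml, "The first entry corresponds to Linux priority 9, the second to Linux priority 1, the third to Linux Priority 2" should say Linux priority 0 for the first entry: the sequence continues 1, 2, ..., and the default TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2" only agrees with the TOS table in shorewall-tcpri(5) (priority 0 Best Effort in band 2, priority 1 Filler in band 3, priority 6 Interactive in band 1) if the entries start at priority 0. The TC_PRIOMAP hunk in manpages6/shorewall6.conf.xml has the same "priority 9" typo.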
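Review bot: In the WIDE_TC_MARKS hunk of manpages/shorewall.conf.xml, the added note "From Shorewall 2.5.0 onware, this option is deprecated in favor of the TC_BITS option." has both a typo ("onware" should be "onward") and the wrong version, since TC_BITS is "Added in Shorewall 4.5.0" earlier in this patch. While editing, the context line "traffic shaping marks are 14 bytes wide (values 1-16383)" should say 14 bits, which is what the TC_BITS entry's "WIDE_TC_MARKS=Yes - 14 bits" and the range 1-16383 (2**14 - 1) describe.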
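Review bot: In manpages6/shorewall6-tcinterfaces.xml the See ALSO list has "shorewall6-tcpri," without a section number; make it "shorewall6-tcpri(5)" like the rest of the list. The description also carries the IPv4 copy's slips: "insures maximum throughput" should be "ensures", and "setting.The optimal" is missing a space.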
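Review bot: manpages6/shorewall6-tcpri.xml was copied from the IPv4 manpage without adjusting the protocol column: under PROTO it says "The name or number of an IPv4 protocol", which in a Shorewall6 manpage should be an IPv6 protocol (or simply "a protocol"). The description also keys the default priority off the packet's "TOS field"; the IPv6 header has no TOS field, its equivalent is the Traffic Class octet, so say that or the "TOS Bits" table heading will confuse IPv6 readers. The grammar slips carried over from the IPv4 copy ("so long and there is", "the the PROTO", "Netfiler", "INTERFACE column must be empty") need the same fixes here.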