extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-24 19:51:40 +02:00
Code Issues Packages Projects Releases Wiki Activity

Minor traffic shaping additions

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2875 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-10-13 20:19:31 +00:00
parent 532bb3df5e
commit 95ffbbad9b
3 changed files with 142 additions and 90 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
Shorewall-docs2/MAC_Validation.xml
View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-08-31</pubdate> <pubdate>2005-10-13</pubdate>
<copyright> <copyright>
<year>2001-2005</year> <year>2001-2005</year>
@ -73,7 +73,7 @@
<section> <section>
<title>Components</title> <title>Components</title>
<para>There are four components to this facility.</para> <para>There are six components to this facility.</para>
<orderedlist> <orderedlist>
<listitem> <listitem>
@ -136,6 +136,21 @@
MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not
be cached).</para> be cached).</para>
</listitem> </listitem>
<listitem>
<para>Beginning with Shorewall 2.4.6, the <emphasis
role="bold">MACLIST_TABLE</emphasis> variable in <ulink
url="???">/etc/shorewall/shorewall.conf</ulink>. Normally, MAC
verification occurs in the filter table (INPUT and FORWARD) chains.
When forwarding a packet from an interface with MAC verification to a
bridge interface, that doesn't work.</para>
<para>This problem can be worked around by setting
MACLIST_TABLE=mangle which will cause MAC verification to occur out of
the PREROUTING chain. Because REJECT isn't available in that
environment, you may not specify MACLIST_DISPOSITION=REJECT with
MACLIST_TABLE=mangle.</para>
</listitem>
</orderedlist> </orderedlist>
</section> </section>

BIN
Shorewall-docs2/images/QoS.png
View File

Binary file not shown.

213
Shorewall-docs2/traffic_shaping.xml
View File

@ -21,7 +21,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-10-08</pubdate> <pubdate>2005-10-13</pubdate>
<copyright> <copyright>
<year>2001-2004</year> <year>2001-2004</year>
@ -58,10 +58,11 @@
<para>The support for traffic shaping and control still does not cover all <para>The support for traffic shaping and control still does not cover all
options available (and especially all algorithms that can be used to queue options available (and especially all algorithms that can be used to queue
traffic) in the Linux kernel but it should fit most needs. If you are traffic) in the Linux kernel but it should fit most needs. If you are
using your own script for traffic control and you still want to use it using your own script for traffic control and you still want to use it in
in the future, you will find information on how to do this, <link linkend="owntcstart"> the future, you will find information on how to do this, <link
later in this document</link>. But for this to work, you will also need to linkend="owntcstart"> later in this document</link>. But for this to work,
enable traffic shaping in the kernel and Shorewall as covered by the next sections.</para> you will also need to enable traffic shaping in the kernel and Shorewall
as covered by the next sections.</para>
</section> </section>
<section> <section>
@ -85,38 +86,38 @@
<para>For Shorewall traffic shaping we use two algorithms, one is called <para>For Shorewall traffic shaping we use two algorithms, one is called
HTB (Hierarchical Token Bucket) and SFQ (Stochastic Fairness Queuing). SFQ HTB (Hierarchical Token Bucket) and SFQ (Stochastic Fairness Queuing). SFQ
is easy to explain: it just tries to track your connections (tcp or udp is easy to explain: it just tries to track your connections (tcp or udp
streams) and balances the traffic between them. This normally works well. HTB streams) and balances the traffic between them. This normally works well.
allows you to define a set of classes, and you can put the traffic you HTB allows you to define a set of classes, and you can put the traffic you
want into these classes. You can define minimum and maximum bandwitdh want into these classes. You can define minimum and maximum bandwitdh
settings for those classes and order them hierachically (the less priorized settings for those classes and order them hierachically (the less
classes only get bandwitdth if the more important have what they need). priorized classes only get bandwitdth if the more important have what they
Shorewall builtin traffic shaping allows you to define these classes (and need). Shorewall builtin traffic shaping allows you to define these
their bandwidth limits), and it uses SFQ inside these classes to make classes (and their bandwidth limits), and it uses SFQ inside these classes
sure, that different data streams are handled equally.</para> to make sure, that different data streams are handled equally.</para>
<para>You can only shape outgoing traffic. The reason for this is simple, <para>You can only shape outgoing traffic. The reason for this is simple,
the packets were already received by your network card before you can the packets were already received by your network card before you can
decide what to do with them. So the only choice would be to drop them decide what to do with them. So the only choice would be to drop them
which does normally makes no sense (since you received the packet already, which normally makes no sense (since you received the packet already, it
it went through the possible bottleneck (the incoming connection). The went through the possible bottleneck (the incoming connection). The next
next possible bottleneck might come if the packet leaves on another possible bottleneck might come if the packet leaves on another interface,
interface, so this will be the place where queuing might occur. So, so this will be the place where queuing might occur. So, defining queues
defining queues for incoming packages is not very useful, you just want to for incoming packages is not very useful, you just want to have it
have it forwarded to the outgoing interface as fast as possible.</para> forwarded to the outgoing interface as fast as possible.</para>
<para>There is one exception, though. Limiting incoming traffic to a value <para>There is one exception, though. Limiting incoming traffic to a value
a bit slower than your actual line speed will avoid queueing on the other a bit slower than your actual line speed will avoid queueing on the other
end of that connection. This is mostly useful if you don't have access to end of that connection. This is mostly useful if you don't have access to
traffic control on the other side and if this other side has a faster traffic control on the other side and if this other side has a faster
network connection than you do (the line speed between the systems is the network connection than you do (the line speed between the systems is the
bottleneck, e.g. a DSL connection to you providers router, the router itself bottleneck, e.g. a DSL connection to you providers router, the router
is normally connected to a much faster backbone). So, if you itself is normally connected to a much faster backbone). So, if you drop
drop packages that are coming in too fast, the underlaying protocol might packages that are coming in too fast, the underlaying protocol might
recognize this and slow down the connection. TCP has a builtin mechanism recognize this and slow down the connection. TCP has a builtin mechanism
for this, UDP has not (but the protocol over UDP might recognize it , if for this, UDP has not (but the protocol over UDP might recognize it , if
there is any).</para> there is any).</para>
<para>The reason why qeueing is bad in these cases is, that you might have <para>The reason why queing is bad in these cases is, that you might have
packets which need to be priorized over others, e.g. VoIP or ssh. For this packets which need to be priorized over others, e.g. VoIP or ssh. For this
type of connections it is important that packets arrive in a certain type of connections it is important that packets arrive in a certain
amount of time. For others like http downloads, it does not really matter amount of time. For others like http downloads, it does not really matter
@ -126,6 +127,44 @@
does not care about QoS or the QoS bits are not set properly, your does not care about QoS or the QoS bits are not set properly, your
important packets will go into the same queue as your less timecritical important packets will go into the same queue as your less timecritical
download packets which will result in a large delay.</para> download packets which will result in a large delay.</para>
<para>You shape and control outgoing traffic by assigning the traffic to
<firstterm>classes</firstterm>. Each class is associated with exactly one
network interface and has a number of attributes:</para>
<orderedlist>
<listitem>
<para>PRIORITY - Used to give preference to one class over another
when selecting a packet to send. The priority is a numeric value with
1 being the highest priority, 2 being the next highest, and so
on.</para>
</listitem>
<listitem>
<para>RATE - The minimum bandwidth this class should get, when the
traffic load rises. Classes with a higher priority (lower PRIORITY
value) are served even if there are others that have a guaranteed
bandwith but have a lower priority (higher PRIORITY value).</para>
</listitem>
<listitem>
<para>CEIL - The maximum bandwidth the class is allowed to use when
the link is idle.</para>
</listitem>
<listitem>
<para>MARK - Netfilter has a facility for
<firstterm>marking</firstterm> packets. Packet marks have a numberic
value which is limited in Shorewall to the values 1-255. You assign
packet marks to different types of traffic using entries in the
<filename>/etc/shorewall/tcrules</filename> file. </para>
</listitem>
</orderedlist>
<para>One class for each interface must be designated as the
<firstterm>default class</firstterm>. This is the class to which unmarked
traffic (packets to which you have not assigned a mark value in
<filename>/etc/shorewall/tcrules</filename>) is assigned.</para>
</section> </section>
<section> <section>
@ -178,28 +217,28 @@
<para>For defining bandwidths (for either devices or classes) please use <para>For defining bandwidths (for either devices or classes) please use
kbit or kbps(for Kilobytes per second) and make sure there is <emphasis kbit or kbps(for Kilobytes per second) and make sure there is <emphasis
role="bold">NO</emphasis> space role="bold">NO</emphasis> space between the number and the unit (it is
between the number and the unit (it is 100kbit <emphasis role="bold">not</emphasis> 100kbit <emphasis role="bold">not</emphasis> 100 kbit). Using mbit, mbps
100 kbit). Using mbit, mbps or a raw number (which means bytes) could be used, or a raw number (which means bytes) could be used, but note that only
but note that only integer numbers are supported (0.5 is <emphasis role="bold">not integer numbers are supported (0.5 is <emphasis role="bold">not
valid</emphasis>).</para> valid</emphasis>).</para>
<para>To properly configure the settings for your devices you might need <para>To properly configure the settings for your devices you might need
to find out, the real up- and downstream rates you have. This is to find out, the real up- and downstream rates you have. This is
especially the case, if you are using a DSL connection or one of another especially the case, if you are using a DSL connection or one of another
type that do not have a guaranteed bandwidth.Don't trust the type that do not have a guaranteed bandwidth.Don't trust the values your
values your provider tells you for this, especially measuring the real provider tells you for this, especially measuring the real download speed
download speed is important! There are several online is important! There are several online tools that help you find out,
tools that help you find out, search for "dsl speed test" on google (For Germany you search for "dsl speed test" on google (For Germany you can use <ulink
can use <ulink url="http://www.speedcheck.arcor.de/cgi-bin/speedcheck.cgi">arcor speed url="http://www.speedcheck.arcor.de/cgi-bin/speedcheck.cgi">arcor speed
check</ulink>). Be sure to choose a test located near you. </para> check</ulink>). Be sure to choose a test located near you.</para>
<section> <section>
<title>/etc/shorewall/tcrules</title> <title>/etc/shorewall/tcrules</title>
<para>The fwmark classifier provides a convenient way to classify <para>The fwmark classifier provides a convenient way to classify
packets for traffic shaping. The <quote>/etc/shorewall/tcrules</quote> file packets for traffic shaping. The <quote>/etc/shorewall/tcrules</quote>
is used for specifying these marks in a tabular fashion.</para> file is used for specifying these marks in a tabular fashion.</para>
<para>Normally, packet marking occurs in the PREROUTING chain before any <para>Normally, packet marking occurs in the PREROUTING chain before any
address rewriting takes place. This makes it impossible to mark inbound address rewriting takes place. This makes it impossible to mark inbound
@ -478,26 +517,25 @@ ppp0 6000kbit 500kbit</programlisting>
should do. You are free to change it...</para> should do. You are free to change it...</para>
<section> <section>
<title>tcdevices file</title> <title>tcdevices file</title>
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH <programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
ppp0 5000kbit 500kbit</programlisting> ppp0 5000kbit 500kbit</programlisting>
</section>
</section>
<section> <section>
<title>tcclasses file</title> <title>tcclasses file</title>
<programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS <programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
ppp0 1 full full 1 tcp-ack,tos-minimize-delay ppp0 1 full full 1 tcp-ack,tos-minimize-delay
ppp0 2 9*full/10 9*full/10 2 default ppp0 2 9*full/10 9*full/10 2 default
ppp0 3 8*full/10 8*full/10 2</programlisting> ppp0 3 8*full/10 8*full/10 2</programlisting>
</section>
</section> <section>
<title>tcrules file</title>
<section> <programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
<title>tcrules file</title>
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
# PORT(S) # PORT(S)
1:P 0.0.0.0/0 0.0.0.0/0 icmp echo-request 1:P 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1:P 0.0.0.0/0 0.0.0.0/0 icmp echo-reply 1:P 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
@ -505,20 +543,20 @@ ppp0 3 8*full/10 8*full/10 2</programlisting>
# mldonkey # mldonkey
3 0.0.0.0/0 0.0.0.0/0 udp - 4666</programlisting> 3 0.0.0.0/0 0.0.0.0/0 udp - 4666</programlisting>
<para>Wondershaper allows you to define a set of hosts and/or ports <para>Wondershaper allows you to define a set of hosts and/or ports
you want to classify as low priority. To achieve this , you have to you want to classify as low priority. To achieve this , you have to
add these hosts to tcrules and set the mark to 3 (true if you use the add these hosts to tcrules and set the mark to 3 (true if you use
example configuration files).</para> the example configuration files).</para>
</section>
</section> <section>
<section> <title>Setting hosts to low priority</title>
<title>Setting hosts to low priority</title>
<para>lets assume the following settings from your old wondershaper <para>lets assume the following settings from your old wondershaper
script (don't assume these example values are really useful, they are script (don't assume these example values are really useful, they
only used for demonstrating ;-):</para> are only used for demonstrating ;-):</para>
<programlisting> <programlisting>
# low priority OUTGOING traffic - you can leave this blank if you want # low priority OUTGOING traffic - you can leave this blank if you want
# low priority source netmasks # low priority source netmasks
NOPRIOHOSTSRC="192.168.1.128/25 192.168.3.28" NOPRIOHOSTSRC="192.168.1.128/25 192.168.3.28"
@ -532,66 +570,65 @@ NOPRIOPORTSRC="6662 6663"
# low priority destination ports # low priority destination ports
NOPRIOPORTDST="6662 6663" </programlisting> NOPRIOPORTDST="6662 6663" </programlisting>
<para>This would result in the following additional settings to the <para>This would result in the following additional settings to the
tcrules file:</para> tcrules file:</para>
<programlisting>3 192.168.1.128/25 0.0.0.0/0 all <programlisting>3 192.168.1.128/25 0.0.0.0/0 all
3 192.168.3.28 0.0.0.0/0 all 3 192.168.3.28 0.0.0.0/0 all
3 0.0.0.0/0 60.0.0.0/24 all 3 0.0.0.0/0 60.0.0.0/24 all
3 0.0.0.0/0 0.0.0.0/0 udp 6662,6663 3 0.0.0.0/0 0.0.0.0/0 udp 6662,6663
3 0.0.0.0/0 0.0.0.0/0 udp - 6662,6663 3 0.0.0.0/0 0.0.0.0/0 udp - 6662,6663
3 0.0.0.0/0 0.0.0.0/0 tcp 6662,6663 3 0.0.0.0/0 0.0.0.0/0 tcp 6662,6663
3 0.0.0.0/0 0.0.0.0/0 tcp - 6662,6663</programlisting> 3 0.0.0.0/0 0.0.0.0/0 tcp - 6662,6663</programlisting>
</section> </section>
</section> </section>
<section> <section>
<title>A simple setup</title> <title>A simple setup</title>
<para>This is a simple setup for people sharing an internet connection
and using different computers for this. It just basically shapes
between 2 hosts which have the ip addresses 192.168.2.23 and
192.168.2.42</para>
<section>
<title>tcdevices file</title>
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH <para>This is a simple setup for people sharing an internet connection
and using different computers for this. It just basically shapes
between 2 hosts which have the ip addresses 192.168.2.23 and
192.168.2.42</para>
<section>
<title>tcdevices file</title>
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
ppp0 6000kbit 700kbit</programlisting> ppp0 6000kbit 700kbit</programlisting>
<para>We have 6mbit down and 700kbit upstream.</para> <para>We have 6mbit down and 700kbit upstream.</para>
</section>
</section>
<section>
<title>tcclasses file</title>
<programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS <section>
<title>tcclasses file</title>
<programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
ppp0 1 10kbit 50kbit 1 tcp-ack ppp0 1 10kbit 50kbit 1 tcp-ack
ppp0 2 300kbit full 2 ppp0 2 300kbit full 2
ppp0 3 300kbit full 2 ppp0 3 300kbit full 2
ppp0 4 90kbit 200kbit 3 default</programlisting> ppp0 4 90kbit 200kbit 3 default</programlisting>
<para>We add a class for tcp ack packets with highest priority, so <para>We add a class for tcp ack packets with highest priority, so
that downloads are fast. The following 2 classes share most that downloads are fast. The following 2 classes share most of the
of the bandwidth between the 2 hosts, if the connection is idle, bandwidth between the 2 hosts, if the connection is idle, they may
they may use full speed. As the hosts should be treated equally use full speed. As the hosts should be treated equally they have the
they have the same priority. The last class is for the remaining traffic.</para> same priority. The last class is for the remaining traffic.</para>
</section>
</section> <section>
<title>tcrules file</title>
<section> <programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
<title>tcrules file</title>
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
# PORT(S) # PORT(S)
1:P 0.0.0.0/0 0.0.0.0/0 icmp echo-request 1:P 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1:P 0.0.0.0/0 0.0.0.0/0 icmp echo-reply 1:P 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
2:P 192.168.2.23 0.0.0.0/0 all 2:P 192.168.2.23 0.0.0.0/0 all
3:P 192.168.2.42 0.0.0.0/0 all</programlisting> 3:P 192.168.2.42 0.0.0.0/0 all</programlisting>
<para>We mark icmp ping and replies so they will go into the fast <para>We mark icmp ping and replies so they will go into the fast
interactive class and set a mark for each host.</para> interactive class and set a mark for each host.</para>
</section>
</section>
</section> </section>
</section> </section>
</section> </section>