Update the Traffic Shaping article for 5.0

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2016-02-19 10:17:05 -08:00
parent 26f760b761
commit b73fb58745


@ -922,7 +922,7 @@ ppp0 6000kbit 500kbit</programlisting>
packets arriving on eth2 and eth3 should be marked with 2. All packets packets arriving on eth2 and eth3 should be marked with 2. All packets
originating on the firewall itself should be marked with 3.</para> originating on the firewall itself should be marked with 3.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
MARK(1) eth1 0.0.0.0/0 all MARK(1) eth1 0.0.0.0/0 all
MARK(2) eth2 0.0.0.0/0 all MARK(2) eth2 0.0.0.0/0 all
MARK(2) eth3 0.0.0.0/0 all MARK(2) eth3 0.0.0.0/0 all
@ -935,7 +935,7 @@ MARK(3) $FW 0.0.0.0/0 all</programlisting>
<para>All GRE (protocol 47) packets destined for 155.186.235.151 <para>All GRE (protocol 47) packets destined for 155.186.235.151
should be marked with 12.</para> should be marked with 12.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
MARK(12):T 0.0.0.0/0 155.182.235.151 47</programlisting> MARK(12):T 0.0.0.0/0 155.182.235.151 47</programlisting>
</example> </example>
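Review bot: the prose in this hunk says the GRE packets are destined for 155.186.235.151, but the rule line it rewrites still matches 155.182.235.151; since the rule is being touched anyway, make the two addresses agree (either `MARK(12):T 0.0.0.0/0 155.186.235.151 47` or change the prose), otherwise the example marks a different host than it describes.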
@ -945,7 +945,7 @@ MARK(12):T 0.0.0.0/0 155.182.235.151 47</programlisting>
<para>All SSH request packets originating in 192.168.1.0/24 and <para>All SSH request packets originating in 192.168.1.0/24 and
destined for 155.186.235.151 should be marked with 22.</para> destined for 155.186.235.151 should be marked with 22.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
MARK(22):T 192.168.1.0/24 155.182.235.151 tcp 22</programlisting> MARK(22):T 192.168.1.0/24 155.182.235.151 tcp 22</programlisting>
</example> </example>
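Review bot: same address mismatch as the GRE example: the prose says "destined for 155.186.235.151" while the rewritten rule uses 155.182.235.151 (`MARK(22):T 192.168.1.0/24 155.182.235.151 tcp 22`); align one with the other.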
@ -956,8 +956,7 @@ MARK(22):T 192.168.1.0/24 155.182.235.151 tcp 22</programlisting>
/etc/shorewall/tcdevices should be assigned to the class with mark /etc/shorewall/tcdevices should be assigned to the class with mark
value 10.</para> value 10.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
# PORT(S)
CLASSIFY(1:110) 0.0.0.0/0 0.0.0.0/0 tcp 22 CLASSIFY(1:110) 0.0.0.0/0 0.0.0.0/0 tcp 22
CLASSIFY(1:110) 0.0.0.0/0 0.0.0.0/0 tcp - 22</programlisting> CLASSIFY(1:110) 0.0.0.0/0 0.0.0.0/0 tcp - 22</programlisting>
</example> </example>
@ -975,8 +974,7 @@ CLASSIFY(1:110) 0.0.0.0/0 0.0.0.0/0 tcp - 22</
means unclassified. Traffic originating on the firewall is not covered means unclassified. Traffic originating on the firewall is not covered
by this example.</para> by this example.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT USER/ TEST <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
# PORT(S) GROUP
MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-request MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-request
MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-reply MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
@ -1002,8 +1000,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - -
ensure that all VOIP packets also receive that mark (assumes that ensure that all VOIP packets also receive that mark (assumes that
nf_conntrack_sip is loaded).</para> nf_conntrack_sip is loaded).</para>
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT USER/ TEST CONNBYTES TOS HELPER <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST CONNBYTES TOS HELPER
# PORT(S) GROUP
RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0 RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0
CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0 CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0
1 0.0.0.0/0 0.0.0.0/0 all - - - - - - sip 1 0.0.0.0/0 0.0.0.0/0 all - - - - - - sip
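Review bot: the last rule in this listing, `1 0.0.0.0/0 0.0.0.0/0 all - - - - - - sip`, still has a bare tcrules-style mark value in the ACTION column, while the header and the RESTORE/CONTINUE rules above it use mangle-file syntax; it should read `MARK(1) 0.0.0.0/0 0.0.0.0/0 all - - - - - - sip` so the three rules are in one format, which is the point of this commit.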
@ -1235,7 +1232,7 @@ Source IP address is 192.168.4.3 = 0xc0a80403
<para><filename>/etc/shorewall/tcdevices</filename>:</para> <para><filename>/etc/shorewall/tcdevices</filename>:</para>
<programlisting>#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH <programlisting>#INTERFACE IN_BANDWIDTH OUT_BANDWIDTH
eth0 100mbit 100mbit</programlisting> eth0 100mbit 100mbit</programlisting>
<para><filename>/etc/shorewall/tcclasses</filename>:</para> <para><filename>/etc/shorewall/tcclasses</filename>:</para>
@ -1293,7 +1290,7 @@ IPMARK(src,0xff,0x10100):F 192.168.1.0/29 eth0</programlisting>
<section id="realtcd"> <section id="realtcd">
<title>tcdevices file</title> <title>tcdevices file</title>
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH <programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH
ppp0 5000kbit 500kbit</programlisting> ppp0 5000kbit 500kbit</programlisting>
</section> </section>
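Review bot: the new header keeps the misspelling IN_BANDWITH; the tcdevices header rewritten at -1235 reads IN_BANDWIDTH, so this one should be `#INTERFACE IN_BANDWIDTH OUT_BANDWIDTH` as well. Since the 5.0 parser matches on the column names in the comment only loosely, this is a documentation consistency issue rather than a functional one, but readers copy these headers.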
@ -1309,8 +1306,7 @@ ppp0 3 2*full/10 8*full/10 2</programlisting>
<section id="realtcr"> <section id="realtcr">
<title>mangle file</title> <title>mangle file</title>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER
# PORT(S)
MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-request MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-request
MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
# mark traffic which should have a lower priority with a 3: # mark traffic which should have a lower priority with a 3:
@ -1347,23 +1343,14 @@ NOPRIOPORTDST="6662 6663" </programlisting>
<para>This would result in the following additional settings to the <para>This would result in the following additional settings to the
mangle file:</para> mangle file:</para>
<programlisting>MARK(3) 192.168.1.128/25 0.0.0.0/0 all <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER
MARK(3) 192.168.1.128/25 0.0.0.0/0 all
MARK(3) 192.168.3.28 0.0.0.0/0 all MARK(3) 192.168.3.28 0.0.0.0/0 all
MARK(3) 0.0.0.0/0 60.0.0.0/24 all MARK(3) 0.0.0.0/0 60.0.0.0/24 all
MARK(3) 0.0.0.0/0 0.0.0.0/0 udp 6662,6663 MARK(3) 0.0.0.0/0 0.0.0.0/0 udp 6662,6663
MARK(3) 0.0.0.0/0 0.0.0.0/0 udp - 6662,6663 MARK(3) 0.0.0.0/0 0.0.0.0/0 udp - 6662,6663
MARK(3) 0.0.0.0/0 0.0.0.0/0 tcp 6662,6663 MARK(3) 0.0.0.0/0 0.0.0.0/0 tcp 6662,6663
MARK(3) 0.0.0.0/0 0.0.0.0/0 tcp - 6662,6663</programlisting> MARK(3) 0.0.0.0/0 0.0.0.0/0 tcp - 6662,6663</programlisting>
<para>Corresponding tcrules file entries are:</para>
<programlisting>3 192.168.1.128/25 0.0.0.0/0 all
3 192.168.3.28 0.0.0.0/0 all
3 0.0.0.0/0 60.0.0.0/24 all
3 0.0.0.0/0 0.0.0.0/0 udp 6662,6663
3 0.0.0.0/0 0.0.0.0/0 udp - 6662,6663
3 0.0.0.0/0 0.0.0.0/0 tcp 6662,6663
3 0.0.0.0/0 0.0.0.0/0 tcp - 6662,6663</programlisting>
</section> </section>
</section> </section>
@ -1378,7 +1365,7 @@ MARK(3) 0.0.0.0/0 0.0.0.0/0 tcp - 6662,666
<section id="simpletcd"> <section id="simpletcd">
<title>tcdevices file</title> <title>tcdevices file</title>
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH <programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH
ppp0 6000kbit 700kbit</programlisting> ppp0 6000kbit 700kbit</programlisting>
<para>We have 6mbit down and 700kbit upstream.</para> <para>We have 6mbit down and 700kbit upstream.</para>
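Review bot: IN_BANDWITH is misspelled here too; use `#INTERFACE IN_BANDWIDTH OUT_BANDWIDTH` to match the header at -1235.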
@ -1403,8 +1390,7 @@ ppp0 4 90kbit 200kbit 3 default</pro
<section id="simpletcr"> <section id="simpletcr">
<title>mangle file</title> <title>mangle file</title>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER
# PORT(S)
MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-request MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-request
MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
MARK(2):F 192.168.2.23 0.0.0.0/0 all MARK(2):F 192.168.2.23 0.0.0.0/0 all
@ -1412,8 +1398,7 @@ MARK(3):F 192.168.2.42 0.0.0.0/0 all</programlisting>
<para>Corresponding tcrules file:</para> <para>Corresponding tcrules file:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER
# PORT(S)
1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-request 1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply 1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
2:F 192.168.2.23 0.0.0.0/0 all 2:F 192.168.2.23 0.0.0.0/0 all
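Review bot: this hunk keeps the "Corresponding tcrules file:" listing and only renames its header to DPORT SPORT USER, whereas the hunk at -1347 removes the tcrules equivalent altogether; the two sections should get the same treatment. Either drop this listing as well, or leave its header in the old tcrules form (PORT(S) / CLIENT PORT(S)) and say it is the pre-5.0 file, since a tcrules file with a DPORT/SPORT header mixes the two conventions.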
@ -1472,13 +1457,12 @@ MARK(3):F 192.168.2.42 0.0.0.0/0 all</programlisting>
<para><filename>/etc/shorewall/tcdevices</filename>:</para> <para><filename>/etc/shorewall/tcdevices</filename>:</para>
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS <programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH OPTIONS
eth0 - 1000kbit hfsc</programlisting> eth0 - 1000kbit hfsc</programlisting>
<para><filename>/etc/shorewall/tcclasses</filename>:</para> <para><filename>/etc/shorewall/tcclasses</filename>:</para>
<programlisting>#INTERFACE:CLASS MARK RATE: CEIL PRIORITY OPTIONS <programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
# DMAX:UMAX
1:10 1 500kbit full 1 1:10 1 500kbit full 1
1:20 2 500kbit full 1 1:20 2 500kbit full 1
1:10:11 3 400kbit:53ms:1500b full 2 1:10:11 3 400kbit:53ms:1500b full 2
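Review bot: two points in this hunk. The tcdevices header again carries the IN_BANDWITH misspelling and should be IN_BANDWIDTH. More importantly, dropping the second header line `# DMAX:UMAX` removes the only explanation of the `400kbit:53ms:1500b` value in the `1:10:11` class line, which still uses the RATE:DMAX:UMAX form for the hfsc device declared above; keep that annotation (for example `RATE:DMAX:UMAX` in the single header line) so the example remains self-explanatory.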
@ -1649,8 +1633,7 @@ ip link set ifb0 up</command></programlisting>
<para>Example: <filename>/etc/shorewall/rules</filename>:</para> <para>Example: <filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S) PORT(S) DEST
DNAT net dmz:192.168.4.5 tcp 80 - 206.124.146.177</programlisting> DNAT net dmz:192.168.4.5 tcp 80 - 206.124.146.177</programlisting>
<para>Requests redirected by this rule will have destination IP <para>Requests redirected by this rule will have destination IP
@ -1721,7 +1704,7 @@ eth0 192.168.1.0/24 206.124.146.179</programlisting></para>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>DEST PORT(S)</term> <term>DPORT</term>
<listitem> <listitem>
<para>Comma-separated list of destination port names or numbers. <para>Comma-separated list of destination port names or numbers.
@ -1731,7 +1714,7 @@ eth0 192.168.1.0/24 206.124.146.179</programlisting></para>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>SOURCE PORT</term> <term>SPORT</term>
<listitem> <listitem>
<para>Comma-separated list of source port names or numbers. May <para>Comma-separated list of source port names or numbers. May
@ -1810,8 +1793,7 @@ qt ip link set dev ifb0 up</programlisting></para>
<para><filename>/etc/shorewall/tcdevices</filename>:</para> <para><filename>/etc/shorewall/tcdevices</filename>:</para>
<para><programlisting> <para><programlisting>
#INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS REDIRECTED #INTERFACE IN_BANDWITH OUT_BANDWIDTH OPTIONS REDIRECT
# INTERFACES
1:eth0 - 384kbit classify 1:eth0 - 384kbit classify
2:ifb0 - 1300kbit - eth0</programlisting> 2:ifb0 - 1300kbit - eth0</programlisting>
<filename>/etc/shorewall/tcclasses</filename>:<programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS <filename>/etc/shorewall/tcclasses</filename>:<programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
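Review bot: the tcdevices header in this hunk has the same IN_BANDWITH misspelling; it should be `#INTERFACE IN_BANDWIDTH OUT_BANDWIDTH OPTIONS REDIRECT`. The rename of REDIRECTED INTERFACES to a single REDIRECT column is otherwise consistent with the ifb0 line that follows.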
@ -1820,8 +1802,7 @@ qt ip link set dev ifb0 up</programlisting></para>
1:130 - 2*full/10 6*full/10 3 1:130 - 2*full/10 6*full/10 3
2:110 - 5*full/10 full 1 tcp-ack,tos-minimize-delay 2:110 - 5*full/10 full 1 tcp-ack,tos-minimize-delay
2:120 - 2*full/10 6*full/10 2 default 2:120 - 2*full/10 6*full/10 2 default
2:130 - 2*full/10 6*full/10 3</programlisting><filename>/etc/shorewall/tcfilters</filename>:<programlisting>#INTERFACE: SOURCE DEST PROTO DEST SOURCE 2:130 - 2*full/10 6*full/10 3</programlisting><filename>/etc/shorewall/tcfilters</filename>:<programlisting>#INTERFACE: SOURCE DEST PROTO DPORT SPORT
#CLASS PORT(S) PORT(S)
# #
# OUTGOING TRAFFIC # OUTGOING TRAFFIC
# #