From e1771ebeadd0ab143ad551d5608dbbd63cc21df9 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 8 May 2009 14:05:27 -0700 Subject: [PATCH] Externalize the 'flow' classifier --- Shorewall/Perl/Shorewall/Tc.pm | 2 +- Shorewall/changelog.txt | 4 ++++ Shorewall/releasenotes.txt | 25 ++++++++++++++++++++++++- 3 files changed, 29 insertions(+), 2 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index d4f9193fb..9e56231e4 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -1058,7 +1058,7 @@ sub setup_traffic_shaping() { } } - emit "run_tc filter add dev $device protocol all prio 1 parent $classnum: protocol ip handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow}; + emit "run_tc filter add dev $device protocol all prio 1 parent $classnum: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow}; # # options # diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 0961f143d..4c07882ce 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -27,6 +27,10 @@ Changes in Shorewall 4.3.10 10) Fix 'iprange' command. +11) Make traffic shaping work better with IPv6. + +12) Externalize 'flow'. + Changes in Shorewall 4.3.9 1) Logging rules now create separate chain. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 2dd2eb7f5..a0353fa99 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -100,7 +100,30 @@ None. N E W F E A T U R E S I N 4 . 3 . 11 ---------------------------------------------------------------------------- -None. +1) Shorewall attaches an SFQ queuing discipline to each leaf HTB + class. SFQ ensures that each 'flow' gets equal access to the + interface. + + The default definition of a 'flow' corresponds to a TCP + connection. So if one internal system is running BitTorrent, for + example, it can have lots of 'flows' and can thus take up a larger + share of the bandwidth than a system having only a single active + connection. + + The 'flow' classifier (module cls_flow) works around this by + letting you define what a 'flow' is. The clasifier must be used + carefully or it can block off all traffic on an interface! + + To use the 'flow' classifier, you specify 'flow=' in the + OPTIONS column of an HTB leaf class (one that has no + sub-classes). I recommend that you use the following: + + Shaping internet-bound traffic flow=nfct-src + Shaping traffic bound for your + local net flow=dst + + These will cause a 'flow' to consists of the traffic to/from each + internal system. ---------------------------------------------------------------------------- N E W F E A T U R E S IN 4 . 3