mirror of
https://gitlab.com/shorewall/code.git
synced 2025-06-24 19:51:40 +02:00
Edit traffic shaping changes by Arne
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2821 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
parent
1974e95454
commit
ebd5d3f856
@ -13,179 +13,190 @@
|
|||||||
|
|
||||||
<surname>Eastep</surname>
|
<surname>Eastep</surname>
|
||||||
</author>
|
</author>
|
||||||
|
|
||||||
<author>
|
<author>
|
||||||
<firstname>Arne</firstname>
|
<firstname>Arne</firstname>
|
||||||
|
|
||||||
<surname>Bernin</surname></author>
|
<surname>Bernin</surname>
|
||||||
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2005-10-07</pubdate>
|
<pubdate>2005-10-08</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2001-2004</year>
|
<year>2001-2004</year>
|
||||||
|
|
||||||
<holder>Thomas M. Eastep</holder>
|
<holder>Thomas M. Eastep</holder>
|
||||||
</copyright>
|
</copyright>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2005</year>
|
<year>2005</year>
|
||||||
|
|
||||||
<holder>Arne Bernin</holder>
|
<holder>Arne Bernin</holder>
|
||||||
</copyright>
|
</copyright>
|
||||||
|
|
||||||
<legalnotice>
|
<legalnotice>
|
||||||
<para>Permission is granted to copy, distribute and/or modify this
|
<para>Permission is granted to copy, distribute and/or modify this
|
||||||
document under the terms of the GNU Free Documentation License, Version
|
document under the terms of the GNU Free Documentation License, Version
|
||||||
1.2 or any later version published by the Free Software Foundation; with
|
1.2 or any later version published by the Free Software Foundation; with
|
||||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||||
Texts. A copy of the license is included in the section entitled
|
Texts. A copy of the license is included in the section entitled
|
||||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||||
|
License</ulink></quote>.</para>
|
||||||
</legalnotice>
|
</legalnotice>
|
||||||
</articleinfo>
|
</articleinfo>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Introduction</title>
|
<title>Introduction</title>
|
||||||
|
|
||||||
|
<para>Starting with Version 2.5.5, Shorewall has builtin support for
|
||||||
<para>Starting with Version 2.5.5, shorewall has builtin support for traffic shaping
|
traffic shaping and control. Before this version, the support was quite
|
||||||
and control. Before this version, the support was quite limited. You were able
|
limited. You were able to use your own tcstart script (and you still are),
|
||||||
to use your own tcstart script (and you still are), but besides the tcrules file
|
but besides the tcrules file it was not possible to define classes or
|
||||||
it was not possible to define classes or queueing discplines inside the shorewall
|
queueing discplines inside the Shorewall config files.</para>
|
||||||
config files.</para>
|
|
||||||
|
|
||||||
<para>The support for traffic shaping and control still does not cover all
|
<para>The support for traffic shaping and control still does not cover all
|
||||||
options available (and especially all algorithms that can be used to queue traffic)
|
options available (and especially all algorithms that can be used to queue
|
||||||
for the Linux kernel but it should fit most needs.
|
traffic) for the Linux kernel but it should fit most needs. If you are
|
||||||
If you are using your own script for traffic control und you still want to use it rather
|
using your own script for traffic control and you still want to use it
|
||||||
the builtin support in the future, you will find information on how to do this,
|
rather the builtin support in the future, you will find information on how
|
||||||
<link linkend="owntcstart">later in this document</link>. But for this to work,
|
to do this, <link linkend="owntcstart">later in this document</link>. But
|
||||||
you will also need to enable traffic shaping in the kernel and shorewall as
|
for this to work, you will also need to enable traffic shaping in the
|
||||||
covered by the next sections.</para>
|
kernel and Shorewall as covered by the next sections.</para>
|
||||||
|
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Linux traffic shaping and control</title>
|
<title>Linux traffic shaping and control</title>
|
||||||
|
|
||||||
<para>This section gives a brief introduction of how controlling traffic with
|
<para>This section gives a brief introduction of how controlling traffic
|
||||||
the linux kernel works. Although this might be enough for configuring it in
|
with the linux kernel works. Although this might be enough for configuring
|
||||||
the shorewall configuration files, it still might be a good idea to take a
|
it in the Shorewall configuration files, it still might be a good idea to
|
||||||
deeper look into the <ulink url="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</ulink>.
|
take a deeper look into the <ulink url="http://ds9a.nl/lartc">Linux
|
||||||
At the time of writing this, the current version is 1.0.0. </para>
|
Advanced Routing and Shaping HOWTO</ulink>. At the time of writing this,
|
||||||
|
the current version is 1.0.0.</para>
|
||||||
|
|
||||||
<para>Since kernel 2.2 Linux has extensive support for controlling traffic. You can define different
|
<para>Since kernel 2.2 Linux has extensive support for controlling
|
||||||
algorithms that are used to queue the traffic before it leaves an interface. The standard one is called
|
traffic. You can define different algorithms that are used to queue the
|
||||||
pfifo and is (as the name suggests) of the type First In First out. This means, that it does not shape
|
traffic before it leaves an interface. The standard one is called pfifo
|
||||||
anything, if you have a connection that eats up all your bandwidth, this qeueing algorithm will not
|
and is (as the name suggests) of the type First In First out. This means,
|
||||||
stop it from doing so.</para>
|
that it does not shape anything, if you have a connection that eats up all
|
||||||
<para> For shorewall traffic shaping we use two algorithms, one is called HTB (Hierarchical
|
your bandwidth, this qeueing algorithm will not stop it from doing
|
||||||
Token Bucket) and SFQ (Stochastic Fairness Queuing). SFQ is easy to explain: it just tries to track
|
so.</para>
|
||||||
your connections (tcp or udp streams) and balances the traffic between them. This normaly works ok.
|
|
||||||
HTB allows you to define a set of classes, and you can put the traffic you want into these classes.
|
<para>For Shorewall traffic shaping we use two algorithms, one is called
|
||||||
You can define minimum and maximum bandwitdh settings for those classes and order the hierachically (the less
|
HTB (Hierarchical Token Bucket) and SFQ (Stochastic Fairness Queuing). SFQ
|
||||||
priorized classes only get bandwitdth if the more important have what they need).
|
is easy to explain: it just tries to track your connections (tcp or udp
|
||||||
Shorewall builtin traffic shaping allows you to define these classes (and their bandwidth limits), and it
|
streams) and balances the traffic between them. This normaly works ok. HTB
|
||||||
uses SFW inside these classes to make sure, that different data streams are handled equally.</para>
|
allows you to define a set of classes, and you can put the traffic you
|
||||||
|
want into these classes. You can define minimum and maximum bandwitdh
|
||||||
|
settings for those classes and order the hierachically (the less priorized
|
||||||
|
classes only get bandwitdth if the more important have what they need).
|
||||||
|
Shorewall builtin traffic shaping allows you to define these classes (and
|
||||||
|
their bandwidth limits), and it uses SFW inside these classes to make
|
||||||
|
sure, that different data streams are handled equally.</para>
|
||||||
|
|
||||||
<para>You can only shape outgoing traffic. The reason for this is simple,
|
<para>You can only shape outgoing traffic. The reason for this is simple,
|
||||||
the packets were already received by your network card before you can
|
the packets were already received by your network card before you can
|
||||||
decide what to do with them. So the only choice would be to drop them
|
decide what to do with them. So the only choice would be to drop them
|
||||||
which does normally makes no sense (since you received the packet already,
|
which does normally makes no sense (since you received the packet already,
|
||||||
it went through the possible bottleneck (the incoming connection).
|
it went through the possible bottleneck (the incoming connection). The
|
||||||
The next possible bottleneck might come if the packet leaves on another
|
next possible bottleneck might come if the packet leaves on another
|
||||||
interface, so this will be the place where queuing might occur. So,
|
interface, so this will be the place where queuing might occur. So,
|
||||||
defining queues for incoming packages is not very useful, you just want
|
defining queues for incoming packages is not very useful, you just want to
|
||||||
to have it forwarded to the outgoing interface as fast as possible.</para>
|
have it forwarded to the outgoing interface as fast as possible.</para>
|
||||||
|
|
||||||
<para>There is one exception, though. Limiting incoming traffic to a value
|
<para>There is one exception, though. Limiting incoming traffic to a value
|
||||||
a bit slower than your actual line speed will avoid queuing on the other
|
a bit slower than your actual line speed will avoid queuing on the other
|
||||||
end of that connection. This is mostly useful if you don't have access
|
end of that connection. This is mostly useful if you don't have access to
|
||||||
to traffic control on the other side and if this other side has a
|
traffic control on the other side and if this other side has a faster
|
||||||
faster network connection than you do (the line speed between the systems
|
network connection than you do (the line speed between the systems is the
|
||||||
is the bottleneck, e.g. a DSL connection to you providers router).
|
bottleneck, e.g. a DSL connection to you providers router). So, if you
|
||||||
So, if you drop packages that are coming in too fast, the underlaying
|
drop packages that are coming in too fast, the underlaying protocol might
|
||||||
protocol might recognize this and slow down the connection. TCP has a
|
recognize this and slow down the connection. TCP has a builtin mechanism
|
||||||
builtin mechanism for this, UDP has not (but the protocol over UDP might
|
for this, UDP has not (but the protocol over UDP might recognize it , if
|
||||||
recognize it , if there is any).</para>
|
there is any).</para>
|
||||||
|
|
||||||
<para>The reason why qeueing is bad in these cases is, that you might have
|
<para>The reason why qeueing is bad in these cases is, that you might have
|
||||||
packets which need to be priorized over others, e.g. VoIP or ssh. For
|
packets which need to be priorized over others, e.g. VoIP or ssh. For this
|
||||||
this type of connections it is important that packets arrive in a certain
|
type of connections it is important that packets arrive in a certain
|
||||||
amount of time. For others like http downloads, it does not really
|
amount of time. For others like http downloads, it does not really matter
|
||||||
matter if it takes a few seconds more.</para>
|
if it takes a few seconds more.</para>
|
||||||
<para>If you have a large queue on the other side and the router there does
|
|
||||||
not care about QoS or the QoS bits are not set properly, your
|
<para>If you have a large queue on the other side and the router there
|
||||||
|
does not care about QoS or the QoS bits are not set properly, your
|
||||||
important packets will go into the same queue as your less timecritical
|
important packets will go into the same queue as your less timecritical
|
||||||
download packets which will result in a large delay.</para>
|
download packets which will result in a large delay.</para>
|
||||||
|
|
||||||
</section>
|
|
||||||
|
|
||||||
<section>
|
|
||||||
|
|
||||||
<title>Linux Kernel Configuration</title>
|
|
||||||
|
|
||||||
<para>You will need at least kernel 2.4.18 for this to work,
|
|
||||||
please take a look at the following screenshot for what settings you need
|
|
||||||
to enable. For builtin support, you need the HTB scheduler, the PRIO
|
|
||||||
pseudoscheduler and SFQ queue. The other scheduler or queue algorithms are
|
|
||||||
not needed.</para>
|
|
||||||
|
|
||||||
<para>This screen shot show how I've configured QoS in my Kernel:<graphic fileref="images/QoS.png" align="center"/></para>
|
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>Linux Kernel Configuration</title>
|
||||||
|
|
||||||
|
<para>You will need at least kernel 2.4.18 for this to work, please take a
|
||||||
|
look at the following screenshot for what settings you need to enable. For
|
||||||
|
builtin support, you need the HTB scheduler, the PRIO pseudoscheduler and
|
||||||
|
SFQ queue. The other scheduler or queue algorithms are not needed.</para>
|
||||||
|
|
||||||
|
<para>This screen shot show how I've configured QoS in my Kernel:<graphic
|
||||||
|
align="center" fileref="images/QoS.png" /></para>
|
||||||
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Enable TC support in shorewall</title>
|
<title>Enable TC support in Shorewall</title>
|
||||||
|
|
||||||
<para>You need this support whether you use the builtin support or
|
<para>You need this support whether you use the builtin support or whether
|
||||||
whether you provide your own tcstart script.</para>
|
you provide your own tcstart script.</para>
|
||||||
|
|
||||||
<para>To enable general support for traffic shaping and control in shorewall,
|
<para>To enable the builtin traffic shaping and control in Shorewall, you
|
||||||
you have to do the following:</para>
|
have to do the following:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Set <emphasis role="bold">TC_ENABLED</emphasis> to Yes in /etc/shorewall/shorewall.conf</para>
|
<para>Set <emphasis role="bold">TC_ENABLED</emphasis> to No in
|
||||||
|
/etc/shorewall/shorewall.conf. While that seems a bit illogical, it is
|
||||||
|
done for compatibility with previous releases where TC_ENABLED=Yes
|
||||||
|
causes Shorewall to look for an external tcstart file (See <link
|
||||||
|
linkend="tcstart">a later section</link> for details).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Setting <emphasis role="bold">CLEAR_TC</emphasis> parameter in
|
<para>Setting <emphasis role="bold">CLEAR_TC</emphasis> parameter in
|
||||||
/etc/shorewall/shorewall.conf to Yes will clear the traffic shaping
|
/etc/shorewall/shorewall.conf to Yes will clear the traffic shaping
|
||||||
configuration during Shorewall [re]start and Shorewall stop.
|
configuration during Shorewall [re]start and Shorewall stop. This is
|
||||||
This is normally what you want when using the builtin support (and
|
normally what you want when using the builtin support (and also if you
|
||||||
also if you use your own tcstart script)</para>
|
use your own tcstart script)</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The other steps that follow depend on whether you use your own script
|
<para>The other steps that follow depend on whether you use your own
|
||||||
or the builtin solution. They will be explained in the following sections.</para>
|
script or the builtin solution. They will be explained in the
|
||||||
|
following sections.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
|
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Using builtin traffic shaping/control</title>
|
<title>Using builtin traffic shaping/control</title>
|
||||||
|
|
||||||
<para>For defining bandwidths (for either devices or classes) please
|
<para>For defining bandwidths (for either devices or classes) please use
|
||||||
use kbit or kbps(for Kilobytes per second) and make sure there
|
kbit or kbps(for Kilobytes per second) and make sure there is NO space
|
||||||
is NO space between the number and the unit (100kbit not 100 kbit).
|
between the number and the unit (100kbit not 100 kbit). You generally
|
||||||
You generally could use mbit or mbps or just Bytes, but i suggest
|
could use mbit or mbps or just Bytes, but i suggest to use kbit, as values
|
||||||
to use kbit, as values lether than 1 are not supported (NO 0.5mbit).
|
lether than 1 are not supported (NO 0.5mbit).</para>
|
||||||
</para>
|
|
||||||
<para>To properly configure the settings for your devices you might
|
<para>To properly configure the settings for your devices you might need
|
||||||
need to find out, the real up- and downstream rates you have. This
|
to find out, the real up- and downstream rates you have. This is
|
||||||
is especially the case, if you are using a DSL connection or one
|
especially the case, if you are using a DSL connection or one of another
|
||||||
of another type that do not have a guaranteed bandwidth. There
|
type that do not have a guaranteed bandwidth. There are several online
|
||||||
are several online tools that help you find out, try .....
|
tools that help you find out, try ..... Don't trust the values your
|
||||||
Don't trust the values your provider tells you for this, especially
|
provider tells you for this, especially measuring the real download speed
|
||||||
measuring the real download speed is important!
|
is important!</para>
|
||||||
|
|
||||||
</para>
|
|
||||||
<section>
|
<section>
|
||||||
<title>/etc/shorewall/tcrules</title>
|
<title>/etc/shorewall/tcrules</title>
|
||||||
|
|
||||||
<para>The fwmark classifier provides a convenient way to classify packets
|
<para>The fwmark classifier provides a convenient way to classify
|
||||||
for traffic shaping. The /etc/shorewall/tcrules file provides a means for
|
packets for traffic shaping. The /etc/shorewall/tcrules file provides a
|
||||||
specifying these marks in a tabular fashion.</para>
|
means for specifying these marks in a tabular fashion.</para>
|
||||||
|
|
||||||
<para>Normally, packet marking occurs in the PREROUTING chain before any
|
<para>Normally, packet marking occurs in the PREROUTING chain before any
|
||||||
address rewriting takes place. This makes it impossible to mark inbound
|
address rewriting takes place. This makes it impossible to mark inbound
|
||||||
@ -198,19 +209,19 @@
|
|||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>MARK - Specifies the mark value is to be assigned in case of a
|
<para>MARK - Specifies the mark value is to be assigned in case of a
|
||||||
match. This is an integer in the range 1-255. This value may be optionally
|
match. This is an integer in the range 1-255. This value may be
|
||||||
followed by
|
optionally followed by <quote>:</quote> and either <quote>F</quote>
|
||||||
<quote>:</quote> and either <quote>F</quote> or <quote>P</quote> to
|
or <quote>P</quote> to designate that the marking will occur in the
|
||||||
designate that the marking will occur in the FORWARD or PREROUTING
|
FORWARD or PREROUTING chains respectively. If this additional
|
||||||
chains respectively. If this additional specification is omitted, the
|
specification is omitted, the chain used to mark packets will be
|
||||||
chain used to mark packets will be determined by the setting of the
|
determined by the setting of the MARK_IN_FORWARD_CHAIN option in
|
||||||
MARK_IN_FORWARD_CHAIN option in shorewall.conf.</para>
|
shorewall.conf.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>SOURCE - The source of the packet. If the packet originates on
|
<para>SOURCE - The source of the packet. If the packet originates on
|
||||||
the firewall, place <quote>fw</quote> in this column. Otherwise, this
|
the firewall, place <quote>fw</quote> in this column. Otherwise,
|
||||||
is a comma-separated list of interface names, IP addresses, MAC
|
this is a comma-separated list of interface names, IP addresses, MAC
|
||||||
addresses in Shorewall Format and/or Subnets.</para>
|
addresses in Shorewall Format and/or Subnets.</para>
|
||||||
|
|
||||||
<para>Examples <programlisting> eth0 192.168.2.4,192.168.1.0/24</programlisting></para>
|
<para>Examples <programlisting> eth0 192.168.2.4,192.168.1.0/24</programlisting></para>
|
||||||
@ -228,15 +239,16 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>PORT(S) - Destination Ports. A comma-separated list of Port
|
<para>PORT(S) - Destination Ports. A comma-separated list of Port
|
||||||
names (from /etc/services), port numbers or port ranges (e.g., 21:22);
|
names (from /etc/services), port numbers or port ranges (e.g.,
|
||||||
if the protocol is <quote>icmp</quote>, this column is interpreted as
|
21:22); if the protocol is <quote>icmp</quote>, this column is
|
||||||
the destination icmp type(s).</para>
|
interpreted as the destination icmp type(s).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>CLIENT PORT(S) - (Optional) Port(s) used by the client. If
|
<para>CLIENT PORT(S) - (Optional) Port(s) used by the client. If
|
||||||
omitted, any source port is acceptable. Specified as a comma-separate
|
omitted, any source port is acceptable. Specified as a
|
||||||
list of port names, port numbers or port ranges.</para>
|
comma-separate list of port names, port numbers or port
|
||||||
|
ranges.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -246,7 +258,8 @@
|
|||||||
generating the output is running under the effective user and/or
|
generating the output is running under the effective user and/or
|
||||||
group. It may contain :</para>
|
group. It may contain :</para>
|
||||||
|
|
||||||
<para>[<user name or number>]:[<group name or number>]</para>
|
<para>[<user name or number>]:[<group name or
|
||||||
|
number>]</para>
|
||||||
|
|
||||||
<para>The colon is optionnal when specifying only a user.</para>
|
<para>The colon is optionnal when specifying only a user.</para>
|
||||||
|
|
||||||
@ -257,8 +270,8 @@
|
|||||||
<example>
|
<example>
|
||||||
<title></title>
|
<title></title>
|
||||||
|
|
||||||
<para>All packets arriving on eth1 should be marked with 1. All packets
|
<para>All packets arriving on eth1 should be marked with 1. All
|
||||||
arriving on eth2 and eth3 should be marked with 2. All packets
|
packets arriving on eth2 and eth3 should be marked with 2. All packets
|
||||||
originating on the firewall itself should be marked with 3.</para>
|
originating on the firewall itself should be marked with 3.</para>
|
||||||
|
|
||||||
<programlisting>#MARK SOURCE DESTINATION PROTOCOL USER/GROUP
|
<programlisting>#MARK SOURCE DESTINATION PROTOCOL USER/GROUP
|
||||||
@ -271,8 +284,8 @@
|
|||||||
<example>
|
<example>
|
||||||
<title></title>
|
<title></title>
|
||||||
|
|
||||||
<para>All GRE (protocol 47) packets not originating on the firewall and
|
<para>All GRE (protocol 47) packets not originating on the firewall
|
||||||
destined for 155.186.235.151 should be marked with 12.</para>
|
and destined for 155.186.235.151 should be marked with 12.</para>
|
||||||
|
|
||||||
<programlisting>#MARK SOURCE DESTINATION PROTOCOL USER/GROUP
|
<programlisting>#MARK SOURCE DESTINATION PROTOCOL USER/GROUP
|
||||||
12 0.0.0.0/0 155.182.235.151 47</programlisting>
|
12 0.0.0.0/0 155.182.235.151 47</programlisting>
|
||||||
@ -292,53 +305,54 @@
|
|||||||
<section>
|
<section>
|
||||||
<title>/etc/shorewall/tcdevices</title>
|
<title>/etc/shorewall/tcdevices</title>
|
||||||
|
|
||||||
<para>This file allows you to define the incoming and outgoing bandwidth for
|
<para>This file allows you to define the incoming and outgoing bandwidth
|
||||||
the devices you want traffic shaping to be enabled. That means, if you want
|
for the devices you want traffic shaping to be enabled. That means, if
|
||||||
to use traffic shaping for a device, you have to define it here.</para>
|
you want to use traffic shaping for a device, you have to define it
|
||||||
|
here.</para>
|
||||||
|
|
||||||
<para>Columns in the file are as follows:</para>
|
<para>Columns in the file are as follows:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>INTERFACE - Name of interface. Each interface may be listed only
|
<para>INTERFACE - Name of interface. Each interface may be listed
|
||||||
once in this file. You may NOT specify the name of an alias (e.g., eth0:0)
|
only once in this file. You may NOT specify the name of an alias
|
||||||
here; see <ulink url="FAQ.htm#faq18">FAQ #18</ulink>. You man NOT specify
|
(e.g., eth0:0) here; see <ulink url="FAQ.htm#faq18">FAQ #18</ulink>.
|
||||||
wildcards here, e.g. if you have multiple ppp interfaces, you need to put
|
You man NOT specify wildcards here, e.g. if you have multiple ppp
|
||||||
them all in here!</para>
|
interfaces, you need to put them all in here!</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
<listitem>
|
|
||||||
<para>IN-BANDWIDTH - The incoming Bandwidth of that interface. Please
|
|
||||||
note that you are not able to do traffic shaping on incoming traffic,
|
|
||||||
as the traffic is already received before you could do so. This Column allows
|
|
||||||
you to define the maximum traffic allowed for this interface in total, if
|
|
||||||
the rate is exceeded, the packets are dropped.
|
|
||||||
You want this mainly if you have a DSL or Cable Connection to avoid
|
|
||||||
queuing at your providers side.
|
|
||||||
|
|
||||||
If you don't want any traffic to be dropped set this to a value faster
|
|
||||||
than your interface maximum rate.</para>
|
|
||||||
</listitem>
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>OUT-BANDWIDTH - Specifiy the outgoing bandwidth of that interface.
|
<para>IN-BANDWIDTH - The incoming Bandwidth of that interface.
|
||||||
This is the maximum speed your connection can handle. It is also the speed
|
Please note that you are not able to do traffic shaping on incoming
|
||||||
you can refer as "full" if you define the tc classes. Outgoing traffic above
|
traffic, as the traffic is already received before you could do so.
|
||||||
this rate will be dropped.</para>
|
This Column allows you to define the maximum traffic allowed for
|
||||||
|
this interface in total, if the rate is exceeded, the packets are
|
||||||
|
dropped. You want this mainly if you have a DSL or Cable Connection
|
||||||
|
to avoid queuing at your providers side. If you don't want any
|
||||||
|
traffic to be dropped set this to a value faster than your interface
|
||||||
|
maximum rate.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>OUT-BANDWIDTH - Specifiy the outgoing bandwidth of that
|
||||||
|
interface. This is the maximum speed your connection can handle. It
|
||||||
|
is also the speed you can refer as "full" if you define the tc
|
||||||
|
classes. Outgoing traffic above this rate will be dropped.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<example>
|
<example>
|
||||||
<title></title>
|
<title></title>
|
||||||
|
|
||||||
<para>Suppose you are using PPP over Ethernet (DSL) and ppp0 is the interface
|
<para>Suppose you are using PPP over Ethernet (DSL) and ppp0 is the
|
||||||
for this. The device has an outgoing bandwidth of 500kbit and an incoming bandwidth
|
interface for this. The device has an outgoing bandwidth of 500kbit
|
||||||
of 6000kbit
|
and an incoming bandwidth of 6000kbit</para>
|
||||||
</para>
|
|
||||||
|
|
||||||
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
|
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
|
||||||
ppp0 6000kbit 500kbit</programlisting>
|
ppp0 6000kbit 500kbit</programlisting>
|
||||||
</example>
|
</example>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>/etc/shorewall/tcclasses</title>
|
<title>/etc/shorewall/tcclasses</title>
|
||||||
|
|
||||||
@ -347,119 +361,133 @@ ppp0 6000kbit 500kbit</programlisting>
|
|||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>INTERFACE - Name of interface. Each interface may be listed only
|
<para>INTERFACE - Name of interface. Each interface may be listed
|
||||||
once in this file. You may NOT specify the name of an alias (e.g., eth0:0)
|
only once in this file. You may NOT specify the name of an alias
|
||||||
here; see <ulink url="FAQ.htm#faq18">FAQ #18</ulink>. You man NOT specify
|
(e.g., eth0:0) here; see <ulink url="FAQ.htm#faq18">FAQ #18</ulink>.
|
||||||
wildcards here, e.g. if you have multiple ppp interfaces, you need to put
|
You man NOT specify wildcards here, e.g. if you have multiple ppp
|
||||||
them all in here!</para>
|
interfaces, you need to put them all in here!</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>MARK - The mark value which is an integer in the range 1-255. You
|
<para>MARK - The mark value which is an integer in the range 1-255.
|
||||||
define these marks in the tcrules file, marking the traffic you want
|
You define these marks in the tcrules file, marking the traffic you
|
||||||
to go into the queueing classes defined in here.
|
want to go into the queueing classes defined in here. You can use
|
||||||
You can use the same marks for different Interfaces.</para>
|
the same marks for different Interfaces.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>RATE - The minimum bandwidth this class should get, when the traffic load
|
<para>RATE - The minimum bandwidth this class should get, when the
|
||||||
rises. Please note that first the classes which equal or a lesser priority
|
traffic load rises. Please note that first the classes which equal
|
||||||
value are served even if there are others that have a guaranteed bandwith
|
or a lesser priority value are served even if there are others that
|
||||||
but a lower priority.</para>
|
have a guaranteed bandwith but a lower priority.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>CEIL - The maximum bandwidth this class is allowed to use when the link
|
<para>CEIL - The maximum bandwidth this class is allowed to use when
|
||||||
is idle. Useful if you have traffic which can get full speed when more important
|
the link is idle. Useful if you have traffic which can get full
|
||||||
services (e.g. interactive like ssh) are not used.
|
speed when more important services (e.g. interactive like ssh) are
|
||||||
You can use the value "full" in here for setting the maximum bandwidth
|
not used. You can use the value "full" in here for setting the
|
||||||
to the defined output bandwidth of that interface.</para>
|
maximum bandwidth to the defined output bandwidth of that
|
||||||
|
interface.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>PRIORITY - you have to define a priority for the class. packets
|
<para>PRIORITY - you have to define a priority for the class.
|
||||||
in a class with a higher priority (=lesser value) are handled before less priorized
|
packets in a class with a higher priority (=lesser value) are
|
||||||
onces.
|
handled before less priorized onces. You can just define the mark
|
||||||
You can just define the mark value here also, if you are increasing the mark values
|
value here also, if you are increasing the mark values with lesser
|
||||||
with lesser priority.</para>
|
priority.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>OPTIONS - A comma-separated list of options including the following:</para>
|
<para>OPTIONS - A comma-separated list of options including the
|
||||||
|
following:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>default - this is the default class for that interface where all
|
<para>default - this is the default class for that interface
|
||||||
traffic should go, that is not classified otherwise.</para>
|
where all traffic should go, that is not classified
|
||||||
<note><para>defining default for exactly <emphasis role="bold">one</emphasis> class per interface
|
otherwise.</para>
|
||||||
is mandatory!</para></note>
|
|
||||||
</listitem>
|
|
||||||
<listitem>
|
|
||||||
<para>tos-<tosname> - this lets you define a filter for the
|
|
||||||
given <tosname> which lets you define a value of the Type Of Service
|
|
||||||
bits in the ip package which causes the package to go in this class.
|
|
||||||
Please note, that this filter overrides all mark settings, so if you define
|
|
||||||
a tos filter for a class all traffic having that mark will go in it
|
|
||||||
regardless of the mark on the package.
|
|
||||||
You can use the following for this option:
|
|
||||||
|
|
||||||
tos-minimize-delay (16)
|
|
||||||
tos-maximize-throughput (8)
|
|
||||||
tos-maximize-reliability (4)
|
|
||||||
tos-minimize-cost (2)
|
|
||||||
tos-normal-service (0)
|
|
||||||
</para>
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<note><para>Each of this options is only valid for <emphasis role="bold">one</emphasis> class per
|
|
||||||
interface.</para>
|
|
||||||
</note>
|
|
||||||
</listitem>
|
|
||||||
<listitem>
|
|
||||||
<para>tcp-ack - if defined causes an tc filter to be created that
|
|
||||||
puts all tcp ack packets on that interface that have an size of
|
|
||||||
<=64 Bytes to go in this class. This is useful for speeding up
|
|
||||||
downloads. Please note that the size of the ack packages is
|
|
||||||
limited to 64 bytes as some applications (p2p for example) use
|
|
||||||
to make every package an ack package which would cause them
|
|
||||||
all into here. We want only packages WITHOUT payload to match,
|
|
||||||
so the size limit. Bigger packets just take their normal way
|
|
||||||
into the classes.</para>
|
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>This option is only valid for <emphasis role="bold">class</emphasis> per interface.</para>
|
<para>defining default for exactly <emphasis
|
||||||
|
role="bold">one</emphasis> class per interface is
|
||||||
|
mandatory!</para>
|
||||||
|
</note>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>tos-<tosname> - this lets you define a filter for
|
||||||
|
the given <tosname> which lets you define a value of the
|
||||||
|
Type Of Service bits in the ip package which causes the package
|
||||||
|
to go in this class. Please note, that this filter overrides all
|
||||||
|
mark settings, so if you define a tos filter for a class all
|
||||||
|
traffic having that mark will go in it regardless of the mark on
|
||||||
|
the package. You can use the following for this option:
|
||||||
|
tos-minimize-delay (16) tos-maximize-throughput (8)
|
||||||
|
tos-maximize-reliability (4) tos-minimize-cost (2)
|
||||||
|
tos-normal-service (0)</para>
|
||||||
|
|
||||||
|
<note>
|
||||||
|
<para>Each of this options is only valid for <emphasis
|
||||||
|
role="bold">one</emphasis> class per interface.</para>
|
||||||
|
</note>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>tcp-ack - if defined causes an tc filter to be created
|
||||||
|
that puts all tcp ack packets on that interface that have an
|
||||||
|
size of <=64 Bytes to go in this class. This is useful for
|
||||||
|
speeding up downloads. Please note that the size of the ack
|
||||||
|
packages is limited to 64 bytes as some applications (p2p for
|
||||||
|
example) use to make every package an ack package which would
|
||||||
|
cause them all into here. We want only packages WITHOUT payload
|
||||||
|
to match, so the size limit. Bigger packets just take their
|
||||||
|
normal way into the classes.</para>
|
||||||
|
|
||||||
|
<note>
|
||||||
|
<para>This option is only valid for <emphasis
|
||||||
|
role="bold">class</emphasis> per interface.</para>
|
||||||
</note>
|
</note>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Real life examples</title>
|
<title>Real life examples</title>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Configuration to replace Wondershaper</title>
|
<title>Configuration to replace Wondershaper</title>
|
||||||
|
|
||||||
<para>You are able to fully replace the wondershaper script by using the buitin
|
<para>You are able to fully replace the wondershaper script by using
|
||||||
traffic control.You can find example configuration files at
|
the buitin traffic control.You can find example configuration files at
|
||||||
<ulink url="http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall/">"http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall/</ulink>. Please note that they are just examples and need to be adjusted
|
<ulink
|
||||||
to work for you. In this examples it is assumed that your interface for you internet connection is ppp0
|
url="http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall/">"http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall/</ulink>.
|
||||||
(for DSL) , if you use another connection type, you have to change it. You also need to change
|
Please note that they are just examples and need to be adjusted to
|
||||||
the settings in the tcdevices.wondershaper file to reflect your line speed. The relevant lines of
|
work for you. In this examples it is assumed that your interface for
|
||||||
the config files follow here. Please note that this is just an 1:1 replacement doing exactly what
|
you internet connection is ppp0 (for DSL) , if you use another
|
||||||
wondershaper should do. You are free to change it...
|
connection type, you have to change it. You also need to change the
|
||||||
</para>
|
settings in the tcdevices.wondershaper file to reflect your line
|
||||||
|
speed. The relevant lines of the config files follow here. Please note
|
||||||
|
that this is just an 1:1 replacement doing exactly what wondershaper
|
||||||
|
should do. You are free to change it...</para>
|
||||||
|
|
||||||
<para>tcclasses file</para>
|
<para>tcclasses file</para>
|
||||||
|
|
||||||
<programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
|
<programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
|
||||||
ppp0 1 full full 1 tcp-ack,tos-minimize-delay
|
ppp0 1 full full 1 tcp-ack,tos-minimize-delay
|
||||||
ppp0 2 9*full/10 9*full/10 2 default
|
ppp0 2 9*full/10 9*full/10 2 default
|
||||||
ppp0 3 8*full/10 8*full/10 2</programlisting>
|
ppp0 3 8*full/10 8*full/10 2</programlisting>
|
||||||
|
|
||||||
<para>tcdevices file</para>
|
<para>tcdevices file</para>
|
||||||
|
|
||||||
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
|
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
|
||||||
ppp0 5000kbit 500kbit</programlisting>
|
ppp0 5000kbit 500kbit</programlisting>
|
||||||
|
|
||||||
<para>tcrules file</para>
|
<para>tcrules file</para>
|
||||||
|
|
||||||
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
|
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
|
||||||
# PORT(S)
|
# PORT(S)
|
||||||
1:P 0.0.0.0/0 0.0.0.0/0 icmp echo-request
|
1:P 0.0.0.0/0 0.0.0.0/0 icmp echo-request
|
||||||
@ -468,15 +496,17 @@ ppp0 5000kbit 500kbit</programlisting>
|
|||||||
# mldonkey
|
# mldonkey
|
||||||
3 0.0.0.0/0 0.0.0.0/0 udp - 4666</programlisting>
|
3 0.0.0.0/0 0.0.0.0/0 udp - 4666</programlisting>
|
||||||
|
|
||||||
<para>
|
<para>Wondershaper allows you to define a set of hosts and/or ports
|
||||||
Wondershaper allows you to define a set of hosts and/or ports you want to classify as low priority.
|
you want to classify as low priority. To achieve this , you have to
|
||||||
To achieve this , you have to add these hosts to tcrules and set the mark to 3 (true if you use
|
add these hosts to tcrules and set the mark to 3 (true if you use the
|
||||||
the example configuration files).
|
example configuration files).</para>
|
||||||
</para>
|
|
||||||
|
|
||||||
<para>Setting hosts to low priority</para>
|
<para>Setting hosts to low priority</para>
|
||||||
<para>lets assume the following settings from you old wondershaper script (don't assume these
|
|
||||||
example values are really useful, they are only used for demonstrating):</para>
|
<para>lets assume the following settings from you old wondershaper
|
||||||
|
script (don't assume these example values are really useful, they are
|
||||||
|
only used for demonstrating):</para>
|
||||||
|
|
||||||
<programlisting>
|
<programlisting>
|
||||||
# low priority OUTGOING traffic - you can leave this blank if you want
|
# low priority OUTGOING traffic - you can leave this blank if you want
|
||||||
# low priority source netmasks
|
# low priority source netmasks
|
||||||
@ -491,7 +521,9 @@ NOPRIOPORTSRC="6662 6663"
|
|||||||
# low priority destination ports
|
# low priority destination ports
|
||||||
NOPRIOPORTDST="6662 6663"
|
NOPRIOPORTDST="6662 6663"
|
||||||
</programlisting>
|
</programlisting>
|
||||||
<para>This would result in the following additional settings to the tcrules file:</para>
|
|
||||||
|
<para>This would result in the following additional settings to the
|
||||||
|
tcrules file:</para>
|
||||||
|
|
||||||
<programlisting>
|
<programlisting>
|
||||||
3 192.168.1.128/25 0.0.0.0/0 all
|
3 192.168.1.128/25 0.0.0.0/0 all
|
||||||
@ -503,17 +535,20 @@ NOPRIOPORTDST="6662 6663"
|
|||||||
3 0.0.0.0/0 0.0.0.0/0 tcp - 6662,6663</programlisting>
|
3 0.0.0.0/0 0.0.0.0/0 tcp - 6662,6663</programlisting>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Using your own tc script</title>
|
<title id="tcstart">Using your own tc script</title>
|
||||||
|
|
||||||
<section id="owntcstart">
|
<section id="owntcstart">
|
||||||
<title>Replacing builtin tcstart file</title>
|
<title>Replacing builtin tcstart file</title>
|
||||||
<para>If you prefer your own tcstart file, just replace /etc/shorewall/tcstart with your own. </para>
|
|
||||||
<para>In your tcstart script, when you want to run the <quote>tc</quote> utility,
|
<para>If you prefer your own tcstart file, just install it in
|
||||||
use the run_tc function supplied by shorewall if you want tc errors to
|
/etc/shorewall/tcstart.</para>
|
||||||
stop the firewall.</para>
|
|
||||||
|
<para>In your tcstart script, when you want to run the <quote>tc</quote>
|
||||||
|
utility, use the run_tc function supplied by Shorewall if you want tc
|
||||||
|
errors to stop the firewall.</para>
|
||||||
|
|
||||||
<orderedlist>
|
<orderedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -537,12 +572,15 @@ NOPRIOPORTDST="6662 6663"
|
|||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Traffic control outside shorewall</title>
|
<title>Traffic control outside Shorewall</title>
|
||||||
<para>To start traffic shaping when you bring up your network interfaces,
|
|
||||||
you will have to arrange for your traffic shaping configuration script to
|
<para>To start traffic shaping when you bring up your network
|
||||||
be run at that time. How you do that is distribution dependent and will
|
interfaces, you will have to arrange for your traffic shaping
|
||||||
not be covered here. You then should:</para>
|
configuration script to be run at that time. How you do that is
|
||||||
|
distribution dependent and will not be covered here. You then
|
||||||
|
should:</para>
|
||||||
|
|
||||||
<orderedlist>
|
<orderedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -550,15 +588,10 @@ NOPRIOPORTDST="6662 6663"
|
|||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>If your script uses the <quote>fwmark</quote>
|
<para>If your script uses the <quote>fwmark</quote> classifier, you
|
||||||
classifier, you can mark packets using entries in
|
can mark packets using entries in /etc/shorewall/tcrules.</para>
|
||||||
/etc/shorewall/tcrules. But you have to set TC_ENABLED=Yes. This
|
|
||||||
is normally ok, if your tcdevices and tcclasses file does not
|
|
||||||
contain entries.</para>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
|
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
</section>
|
</section>
|
||||||
</article>
|
</article>
|
||||||
Loading…
x
Reference in New Issue
Block a user