Traffic Shaping/Control

Beginning with version 1.2.0, Shorewall has limited support for traffic shaping/control. In order to use traffic shaping under Shorewall, it is essential that you get a copy of the Linux Advanced Routing and Shaping HOWTO, version 0.3.0 or later. You must also install the iproute (iproute2) package to provide the "ip" and "tc" utilities.

Shorewall traffic shaping support consists of the following:

* A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic Shaping also requires that you enable packet mangling.
* /etc/shorewall/tcrules - A file where you can specify firewall marking of packets. The firewall mark value may be used to classify packets for traffic shaping/control.
* /etc/shorewall/tcstart - A user-supplied file that is sourced by Shorewall during "shorewall start" and which you can use to define your traffic shaping disciplines and classes. I have provided a sample that does table-driven CBQ shaping but if you read the traffic shaping sections of the HOWTO mentioned above, you can probably code your own faster than you can learn how to use my sample. I personally use HTB (see below). HTB support may eventually become an integral part of Shorewall since HTB is a lot simpler and better-documented than CBQ. HTB is currently not a standard part of either the kernel or iproute2 so both must be patched in order to use it.

  In tcstart, when you want to run the 'tc' utility, use the run_tc function supplied by Shorewall.
* /etc/shorewall/tcclear - A user-supplied file that is sourced by Shorewall when it is clearing traffic shaping. This file is normally not required as Shorewall's method of clearing qdisc and filter definitions is pretty general.

/etc/shorewall/tcrules

The fwmark classifier provides a convenient way to classify packets for traffic shaping. The /etc/shorewall/tcrules file provides a means for specifying these marks in a tabular fashion.

Columns in the file are as follows:

* MARK - Specifies the mark value to be assigned in case of a match. This is an integer in the range 1-255.

  Example - 5
* SOURCE - The source of the packet. If the packet originates on the firewall, place "fw" in this column. Otherwise, this is a comma-separated list of interface names, IP addresses, MAC addresses in Shorewall Format and/or Subnets.

  Examples
      eth0
      192.168.2.4,192.168.1.0/24
* DEST - Destination of the packet. Comma-separated list of IP addresses and/or subnets.
* PROTO - Protocol - Must be the name of a protocol from /etc/protocols, a number or "all".
* PORT(S) - Destination Ports. A comma-separated list of Port names (from /etc/services), port numbers or port ranges (e.g., 21:22); if the protocol is "icmp", this column is interpreted as the destination icmp type(s).
* CLIENT PORT(S) - (Optional) Port(s) used by the client. If omitted, any source port is acceptable. Specified as a comma-separated list of port names, port numbers or port ranges.

Example 1 - All packets arriving on eth1 should be marked with 1. All packets arriving on eth2 should be marked with 2. All packets originating on the firewall itself should be marked with 3.

MARK  SOURCE  DEST       PROTO  PORT(S)  CLIENT PORT(S)
1     eth1    0.0.0.0/0  all
2     eth2    0.0.0.0/0  all
3     fw      0.0.0.0/0  all

Example 2 - All GRE (protocol 47) packets not originating on the firewall and destined for 155.186.235.151 should be marked with 12.

MARK  SOURCE     DEST             PROTO  PORT(S)  CLIENT PORT(S)
12    0.0.0.0/0  155.186.235.151  47

Example 3 - All SSH packets originating in 192.168.1.0/24 and destined for 155.186.235.151 should be marked with 22.

MARK  SOURCE          DEST             PROTO  PORT(S)  CLIENT PORT(S)
22    192.168.1.0/24  155.186.235.151  tcp    22
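To make the tabular format concrete, here is an added example (not Shorewall's own code) that renders a tcrules line, in the column order above, as the iptables mangle command(s) that would set that fwmark, so a table like Examples 1-3 can be reviewed as the rules it implies. It assumes iptables syntax for the mangle table (PREROUTING for incoming traffic, OUTPUT for traffic the firewall originates, multiport for port lists), treats "-" or an empty column as "any", and does not handle MAC-address sources; it prints the commands rather than running them.

```shell
# Added example, not Shorewall's code: render one /etc/shorewall/tcrules line,
# columns MARK SOURCE DEST PROTO PORT(S) CLIENT PORT(S), as the iptables mangle
# command(s) that set that fwmark. Commands are printed, not executed.
# Assumptions: "-" or empty means "any"; MAC-address sources are not handled.

# Expand a comma-separated column into one item per line.
expand_list() { printf '%s\n' "$1" | tr ',' '\n'; }

tcrules_to_iptables() {
    mark=$1 src=${2:-"-"} dst=${3:-"-"} proto=${4:-all} ports=${5:-"-"} cports=${6:-"-"}
    # MARK must be an integer in 1-255, as the tcrules MARK column requires.
    case $mark in ''|*[!0-9]*) echo "bad MARK '$mark'" >&2; return 1;; esac
    if [ "$mark" -lt 1 ] || [ "$mark" -gt 255 ]; then echo "MARK '$mark' not in 1-255" >&2; return 1; fi
    # Packets the firewall itself originates never pass PREROUTING, so "fw" is marked in OUTPUT.
    chain=PREROUTING
    if [ "$src" = fw ]; then chain=OUTPUT; src=-; fi
    # 0.0.0.0/0 matches everything, so it adds no match clause.
    if [ "$src" = 0.0.0.0/0 ]; then src=-; fi
    if [ "$dst" = 0.0.0.0/0 ]; then dst=-; fi
    for s in $(expand_list "$src"); do
        for d in $(expand_list "$dst"); do
            cmd="iptables -t mangle -A $chain"
            case $s in
                -) ;;                                  # any source
                *.*|*/*) cmd="$cmd -s $s" ;;           # IP address or subnet
                *) cmd="$cmd -i $s" ;;                 # interface name
            esac
            if [ "$d" != - ]; then cmd="$cmd -d $d"; fi
            if [ "$proto" != all ]; then cmd="$cmd -p $proto"; fi
            if [ "$ports" != - ]; then
                case $proto in
                    icmp) cmd="$cmd --icmp-type $ports" ;;                  # PORT(S) is the icmp type
                    *) case $ports in
                           *,*) cmd="$cmd -m multiport --dports $ports" ;;  # lists need multiport
                           *)   cmd="$cmd --dport $ports" ;;                # one port or range a:b
                       esac ;;
                esac
            fi
            if [ "$cports" != - ]; then
                case $cports in
                    *,*) cmd="$cmd -m multiport --sports $cports" ;;
                    *)   cmd="$cmd --sport $cports" ;;
                esac
            fi
            echo "$cmd -j MARK --set-mark $mark"
        done
    done
}
```

Feeding each line of Example 1 through the function yields one PREROUTING rule per interface and one OUTPUT rule for the fw line, which is the set of marks the fw filters in the HTB section below select on.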

Hierarchical Token Bucket

I personally use HTB. I have found a couple of things that may be of use to others.

* The gzipped tc binary at the HTB website didn't work for me -- I had to download the latest version of the iproute2 sources and patch them for HTB.
* The HTB example in the HOWTO seems to be full of errors. I'm currently running with this set of shaping rules in my tcstart file so I know that it works.

run_tc qdisc add dev eth0 root handle 1: htb default 30

run_tc class add dev eth0 parent 1: classid 1:1 htb rate 10mbit burst 15k

run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 150kbit ceil 10mbit burst 15k
run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 234kbit ceil 10mbit burst 15k
run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 1kbit ceil 10mbit burst 15k

run_tc qdisc add dev eth0 parent 1:10 sfq perturb 10
run_tc qdisc add dev eth0 parent 1:20 sfq perturb 10
run_tc qdisc add dev eth0 parent 1:30 sfq perturb 10

run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10
run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 2 fw classid 1:20
run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30

My tcrules file is shown in Example 1 above. You can look at my network configuration to get an idea of why I want these particular rules.

Last Updated 6/18/2002 - Tom Eastep

Copyright © 2001, 2002 Thomas M. Eastep.