mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-25 15:09:12 +01:00
a1ad796469
Signed-off-by: Tom Eastep <teastep@shorewall.net>
336 lines
16 KiB
XML
336 lines
16 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
|
<article>
|
|
<!--$Id$-->
|
|
|
|
<articleinfo>
|
|
<title>QOS Configuration</title>
|
|
|
|
<authorgroup>
|
|
<author>
|
|
<firstname>Tom</firstname>
|
|
|
|
<surname>Eastep</surname>
|
|
</author>
|
|
</authorgroup>
|
|
|
|
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
|
|
|
<copyright>
|
|
<year>2012</year>
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
</copyright>
|
|
|
|
<legalnotice>
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
Texts. A copy of the license is included in the section entitled
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
License</ulink></quote>.</para>
|
|
</legalnotice>
|
|
</articleinfo>
|
|
|
|
<section>
|
|
<title>Introduction</title>
|
|
|
|
<para>This configuration was inspired by the one in this thread on the
|
|
OpenWRT Forum: <ulink
|
|
url="https://forum.openwrt.org/viewtopic.php?pid=154533#p154533">https://forum.openwrt.org/viewtopic.php?pid=154533#p154533</ulink>.
|
|
The configuration has been adapted to Shorewall 4.5.6 with the following
|
|
changes:</para>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>The configuration uses an IFB, yet only uses firewall marks in
|
|
the OUTPUT and FORWARD chains to classify packets; clearly that
|
|
doesn't work<footnote>
|
|
<para>To be more precise, it doesn't work with an unpatched
|
|
kernel. The OpenWRT script assumes an 'act_conntrack' patch which
|
|
performs conntrack processing on packets before they are sent to
|
|
the IFB. That patch is not generally available.</para>
|
|
</footnote>The configuration presented here uses U32 classifiers
|
|
(shorewall-tcfilters(5)) to classify traffic for download shaping and
|
|
uses the POSTROUTING chain for upload shaping.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>The sample uses a weak form of P2P classification; the one
|
|
presented below uses <ulink url="IPP2P.html">IPP2P</ulink>.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>The OpenWRT script assumed that the uplink was ATM -- the one
|
|
below makes no assumption (it specifies 'ethernet' with overhead
|
|
'0').</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
</section>
|
|
|
|
<section>
|
|
<title>/etc/shorewall/params</title>
|
|
|
|
<para>The shell variables set in the OpenWRT script are set in the
|
|
Shorewall params file:</para>
|
|
|
|
<programlisting>DOWNLOAD=40000 #download speed in kbit. set xx% of real download speed
|
|
UPLOAD=7000 # set xx% of real upload speed
|
|
|
|
# multiports = up to 15 ports
|
|
# ports to be classified as bulk #set after connection mark save and after connection mark restore
|
|
TCP_BULK="1024:" #S and D ports
|
|
UDP_BULK="1024:" #S and D ports
|
|
|
|
# Destination ports to be classified as P2P
|
|
TCP_P2P="13769" #D ports
|
|
UDP_P2P="13769" #D ports
|
|
IP_P2P="192.168.0.133"
|
|
|
|
# Destination ports to be classified as normal
|
|
TCP_NORMAL="80,443,25,20,21,110,993,995" # D ports
|
|
UDP_NORMAL=""
|
|
|
|
# Destination ports to be classified as Prio (overules bulk ports)
|
|
TCP_PRIO="22,53" #destination ports
|
|
UDP_PRIO="22,53" #destination ports
|
|
|
|
# Destination ports to be classified as VoIP (overules bulk ports)
|
|
TCP_VOIP=""
|
|
UDP_VOIP="18080"
|
|
IP_VOIP="192.168.0.226" #destination and source IP
|
|
IP_VOIP="192.168.0.226" #destination and source IP
|
|
|
|
#!!!!!uplink leaf class parameters!!!!!!!!!
|
|
|
|
#bulk
|
|
UP_LS_BULK_RATE=$(($UPLOAD*5/100))
|
|
UP_UL_BULK_RATE=$UPLOAD
|
|
#settings leaf qdisc
|
|
UP_BULK_RED_PROB=0.05 #red drob probability
|
|
UP_BULK_RED_min=6250 #real limit. To limit BULK traffic
|
|
UP_BULK_RED_min2=6250 #min for doing the calculations (burst and etc)
|
|
UP_BULK_RED_max=$((2 * $UP_BULK_RED_min2 + $UP_BULK_RED_min))
|
|
UP_BULK_RED_burst=$(((5 * $UP_BULK_RED_min2) / (3 * 1000)))
|
|
UP_BULK_RED_limit=$(($UP_BULK_RED_max * 5))
|
|
|
|
#P2P
|
|
UP_LS_P2P_RATE=$(($UPLOAD * 5 / 100))
|
|
UP_UL_P2P_RATE=$UPLOAD
|
|
#settings leaf qdisc
|
|
UP_P2P_RED_PROB=0.05 #red drob probability
|
|
UP_P2P_RED_min=32000 #real limit. To limit P2P traffic
|
|
UP_P2P_RED_min2=32000 #min for doing the calculations (burst and etc)
|
|
UP_P2P_RED_max=$((5 * $UP_P2P_RED_min2 + $UP_P2P_RED_min))
|
|
UP_P2P_RED_burst=$(((5 * $UP_P2P_RED_min2) / (3 * 1000)))
|
|
UP_P2P_RED_limit=$(($UP_P2P_RED_max * 5))
|
|
#normal class
|
|
UP_LS_NORMAL_RATE=$(($UPLOAD * 40 / 100))
|
|
UP_UL_NORMAL_RATE=$UPLOAD
|
|
#settings leaf qdisc
|
|
UP_NORMAL_RED_PROB=0.05 #red drob probability
|
|
UP_NORMAL_RED_min=6250 #real limit. To limit NORMAL traffic
|
|
UP_NORMAL_RED_min2=6250 #min for doing the calculations (burst and etc)
|
|
UP_NORMAL_RED_max=$((2 * $UP_NORMAL_RED_min2 + $UP_NORMAL_RED_min))
|
|
UP_NORMAL_RED_burst=$(((5 * $UP_NORMAL_RED_min2) / (3 * 1000)))
|
|
UP_NORMAL_RED_limit=$(($UP_NORMAL_RED_max * 5))
|
|
|
|
#prio
|
|
UP_LS_PRIO_RATE=$(($UPLOAD*50/100))
|
|
UP_RT_PRIO_RATE="200" #rate in kbit
|
|
UP_RT_PRIO_UMAX="400" #lengte of the packets [byte]
|
|
UP_RT_PRIO_DMAX="15" #delay in ms
|
|
UP_UL_PRIO_RATE=$UPLOAD
|
|
|
|
#Voip
|
|
UP_UL_VOIP_RATE=$UPLOAD
|
|
UP_SC_VOIP_RATE="200"
|
|
UP_SC_VOIP_UMAX="350" #length of the voip packets [byte]
|
|
UP_SC_VOIP_DMAX="10" #delay in ms
|
|
|
|
#bulk
|
|
DOWN_LS_BULK_RATE=$(($DOWNLOAD*5/100))
|
|
DOWN_UL_BULK_RATE=$DOWNLOAD
|
|
#leaf qdisc parameters
|
|
DOWN_BULK_RED_PROB=0.05 #red drob probability
|
|
DOWN_BULK_RED_min=62500 #real limit. To limit BULK traffic
|
|
DOWN_BULK_RED_min2=62500 #min for doing the calculations (burst and etc)
|
|
DOWN_BULK_RED_max=$((2 * $DOWN_BULK_RED_min2 + $DOWN_BULK_RED_min))
|
|
DOWN_BULK_RED_burst=$(((5 * $DOWN_BULK_RED_min2) / (3 * 1000)))
|
|
DOWN_BULK_RED_limit=$(($DOWN_BULK_RED_max * 5))
|
|
|
|
|
|
#P2P
|
|
DOWN_LS_P2P_RATE=$(($DOWNLOAD*5/100))
|
|
DOWN_UL_P2P_RATE=4000
|
|
#leaf qdisc parameters
|
|
DOWN_P2P_RED_PROB=0.05 #red drob probability
|
|
DOWN_P2P_RED_min=200000 #real limit. To limit P2P traffic
|
|
DOWN_P2P_RED_min2=200000 #min for doing the calculations (burst and etc)
|
|
DOWN_P2P_RED_max=$((2 * $DOWN_P2P_RED_min2 + $DOWN_P2P_RED_min))
|
|
DOWN_P2P_RED_burst=$(((5 * $DOWN_P2P_RED_min2) / (3 * 1000)))
|
|
DOWN_P2P_RED_limit=$(($DOWN_P2P_RED_max * 5))
|
|
|
|
#normal class
|
|
DOWN_LS_NORMAL_RATE=$(($DOWNLOAD*75/100))
|
|
DOWN_UL_NORMAL_RATE=$DOWNLOAD
|
|
|
|
#leaf qdisc parameters
|
|
DOWN_NORMAL_RED_PROB=0.05 #red drob probability
|
|
DOWN_NORMAL_RED_min=62500 #real limit. To limit NORMAL traffic
|
|
DOWN_NORMAL_RED_min2=62500 #min for doing the calculations (burst and etc)
|
|
DOWN_NORMAL_RED_max=$((2 * $DOWN_NORMAL_RED_min2 + $DOWN_NORMAL_RED_min))
|
|
DOWN_NORMAL_RED_burst=$(((5 * $DOWN_NORMAL_RED_min2) / (3 * 1000)))
|
|
DOWN_NORMAL_RED_limit=$(($DOWN_NORMAL_RED_max * 5))
|
|
|
|
#prio
|
|
DOWN_RT_PRIO_RATE="500" #rate in kbit
|
|
DOWN_RT_PRIO_UMAX="400" #length of the packets [byte]/
|
|
DOWN_RT_PRIO_DMAX="1.5" #delay in ms
|
|
DOWN_UL_PRIO_RATE=$DOWNLOAD
|
|
|
|
|
|
#Voip
|
|
DOWN_UL_VOIP_RATE=$DOWNLOAD
|
|
DOWN_SC_VOIP_RATE="250"
|
|
DOWN_SC_VOIP_UMAX="350" #lengt of voip packets [byte]
|
|
DOWN_SC_VOIP_DMAX="1.2" #delay in ms</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>/etc/shorewall/init</title>
|
|
|
|
<para>The init file loads the ifb module, creating a single device:</para>
|
|
|
|
<programlisting>modprobe ifb numifbs=1
|
|
ip link set ifb0 up</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>/etc/shorewall/tcdevices</title>
|
|
|
|
<para>The tcdevices file describes the two devices:</para>
|
|
|
|
<programlisting>#NUMBER: IN_BANDWITH OUT_BANDWIDTH OPTIONS REDIRECT
|
|
1:eth0 - ${UPLOAD}kbit hfsc,linklayer=ethernet,overhead=0
|
|
2:ifb0 - ${DOWNLOAD}kbit hfsc eth0</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>/etc/shorewall/tcclasses</title>
|
|
|
|
<para>The tcclasses file defines the class hierarchy for both
|
|
devices:</para>
|
|
|
|
<programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
|
|
1 1 ${UP_SC_VOIP_RATE}kbit:\
|
|
${UP_SC_VOIP_DMAX}:\
|
|
${UP_SC_VOIP_UMAX} ${UP_UL_VOIP_RATE}kbit 1
|
|
|
|
1 2 ${UP_RT_PRIO_RATE}kbit:\
|
|
${UP_RT_PRIO_DMAX}:\
|
|
${UP_RT_PRIO_UMAX} ${UP_LS_PRIO_RATE}kbit:\
|
|
${UP_UL_PRIO_RATE}kbit 1
|
|
|
|
1 3 - ${UP_LS_NORMAL_RATE}kbit:\
|
|
${UP_UL_NORMAL_RATE}kbit 1 red=(limit=$UP_NORMAL_RED_limit,\
|
|
min=$UP_NORMAL_RED_min,\
|
|
max=$UP_NORMAL_RED_max,\
|
|
burst=$UP_NORMAL_RED_burst,\
|
|
probability=$UP_NORMAL_RED_PROB,\
|
|
ecn)
|
|
1 4 - ${UP_LS_P2P_RATE}kbit:\
|
|
${UP_UL_P2P_RATE}kbit 1 red=(limit=$UP_P2P_RED_limit,\
|
|
min=$UP_P2P_RED_min,\
|
|
max=$UP_P2P_RED_max,\
|
|
burst=$UP_P2P_RED_burst,\
|
|
probability=$UP_P2P_RED_PROB,\
|
|
ecn)
|
|
1 5 - ${UP_LS_BULK_RATE}kbit:\
|
|
${UP_UL_BULK_RATE}kbit 1 default,\
|
|
red=(limit=$UP_BULK_RED_limit,\
|
|
min=$UP_BULK_RED_min,\
|
|
max=$UP_BULK_RED_max,\
|
|
burst=$UP_BULK_RED_burst,\
|
|
probability=$UP_BULK_RED_PROB,\
|
|
ecn)
|
|
|
|
2:10 - ${UP_SC_VOIP_RATE}kbit:\
|
|
${UP_SC_VOIP_DMAX}:\
|
|
${UP_SC_VOIP_UMAX} ${UP_UL_VOIP_RATE}kbit 1
|
|
|
|
2:20 - ${DOWN_RT_PRIO_RATE}kbit:\
|
|
${DOWN_RT_PRIO_DMAX}:\
|
|
${DOWN_RT_PRIO_UMAX} ${DOWN_UL_PRIO_RATE}kbit 1
|
|
|
|
2:30 - - ${DOWN_LS_NORMAL_RATE}kbit:\
|
|
${DOWN_UL_NORMAL_RATE}kbit 1 red=(limit=$DOWN_NORMAL_RED_limit,\
|
|
min=$DOWN_NORMAL_RED_min,\
|
|
max=$DOWN_NORMAL_RED_max,\
|
|
burst=$DOWN_NORMAL_RED_burst,\
|
|
probability=$DOWN_NORMAL_RED_PROB)
|
|
2:40 - - ${DOWN_LS_P2P_RATE}kbit:\
|
|
${DOWN_UL_P2P_RATE}kbit 1 red=(limit=$DOWN_P2P_RED_limit,\
|
|
min=$DOWN_P2P_RED_min,\
|
|
max=$DOWN_P2P_RED_max,\
|
|
burst=$DOWN_P2P_RED_burst,\
|
|
probability=$DOWN_P2P_RED_PROB)
|
|
2:50 - - ${DOWN_LS_BULK_RATE}kbit:\
|
|
${DOWN_UL_BULK_RATE}kbit 1 default,\
|
|
red=(limit=$DOWN_BULK_RED_limit,\
|
|
min=$DOWN_BULK_RED_min,\
|
|
max=$DOWN_BULK_RED_max,\
|
|
burst=$DOWN_BULK_RED_burst,\
|
|
probability=$DOWN_BULK_RED_PROB)</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>/etc/shorewall/mangle</title>
|
|
|
|
<para>The mangle file classifies upload packets:</para>
|
|
|
|
<programlisting>#MARK SOURCE DEST PROTO DPORT SPORT USER TEST
|
|
RESTORE:T - - - - - - !0:C
|
|
CONTINUE:T - - - - - - !0
|
|
2:T - - icmp
|
|
1:T - - udp $UDP_VOIP - - 0
|
|
1:T $IP_VOIP - - - - - 0
|
|
1:T - $IP_VOIP - - - - 0
|
|
2:T - - tcp $TCP_PRIO - - 0
|
|
2:T - - udp $UDP_PRIO - - 0
|
|
2:T - - tcp - $TCP_PRIO - 0
|
|
2:T - - udp - $UDP_PRIO - 0
|
|
3:T - - tcp $TCP_NORMAL - - 0
|
|
4:T - - ipp2p:all - - - 0
|
|
5:T - - tcp $TCP_BULK - - 0
|
|
5:T - - tcp - $TCP_BULK - 0
|
|
5:T - - udp $UDP_BULK - - 0
|
|
5:T - - udp - $UDP_BULK - 0
|
|
SAVE:T - - - - - - !0</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>/etc/shorewall/tcfilters</title>
|
|
|
|
<para>The tcfilters file classifies download packets:</para>
|
|
|
|
<programlisting>#INTERFACE: SOURCE DEST PROTO DPORT SPORT TOS LENGTH
|
|
#
|
|
# These classify download traffic
|
|
#
|
|
2:10 - $MYNET udp - $UDP_VOIP
|
|
2:20 - $MYNET tcp - $TCP_PRIO
|
|
2:20 - $MYNET udp - $UDP_PRIO
|
|
2:20 - $MYNET tcp $TCP_PRIO
|
|
2:20 - $MYNET udp $UDP_PRIO
|
|
2:30 - $MYNET tcp - $TCP_NORMAL
|
|
2:50 - $MYNET tcp $TCP_BULK
|
|
2:50 - $MYNET tcp - $TCP_BULK
|
|
2:50 - $MYNET udp $UDP_BULK
|
|
2:50 - $MYNET tcp - $UDP_BULK
|
|
</programlisting>
|
|
</section>
|
|
</article>
|