mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-07 05:58:49 +01:00
3354d96ebb
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@319 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<meta http-equiv="Content-Language" content="en-us">

<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">

<meta name="GENERATOR" content="Microsoft FrontPage 5.0">

<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Traffic Shaping</title>
</head>
<body>

<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
</td>
</tr>

</tbody>
</table>

<p align="left">Beginning with version 1.2.0, Shorewall has limited support
for traffic shaping/control. In order to use traffic shaping under Shorewall,
it is essential that you get a copy of the <a
href="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</a>,
version 0.3.0 or later. You must also install the iproute (iproute2) package
to provide the "ip" and "tc" utilities.</p>

<p align="left">Shorewall traffic shaping support consists of the following:</p>

<ul>
<li>A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic shaping
also requires that you enable packet mangling.<br>
</li>
<li>/etc/shorewall/tcrules - A file where you can specify firewall
marking of packets. The firewall mark value may be used to classify packets
for traffic shaping/control.<br>
</li>
<li>/etc/shorewall/tcstart - A user-supplied file that is sourced
by Shorewall during "shorewall start" and which you can use to define
your traffic shaping disciplines and classes. I have provided a <a
href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
table-driven CBQ shaping, but if you read the traffic shaping sections of
the HOWTO mentioned above, you can probably code your own faster than
you can learn how to use my sample. I personally use <a
href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below). HTB
support may eventually become an integral part of Shorewall since HTB
is a lot simpler and better-documented than CBQ. HTB is currently not
a standard part of either the kernel or iproute2, so both must be patched
in order to use it.<br>
<br>
In tcstart, when you want to run the 'tc' utility, use the run_tc function
supplied by Shorewall.<br>
</li>
<li>/etc/shorewall/tcclear - A user-supplied file that is sourced
by Shorewall when it is clearing traffic shaping. This file is normally
not required, as Shorewall's method of clearing qdisc and filter definitions
is pretty general.</li>

</ul>

<h3 align="left">Kernel Configuration</h3>

<p align="left">This screen shot shows how I've configured QoS in my kernel:</p>

<p align="center"><img border="0" src="images/QoS.png" width="590"
height="764">
</p>

<h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>

<p align="left">The fwmark classifier provides a convenient way to classify
packets for traffic shaping. The /etc/shorewall/tcrules file provides a
means for specifying these marks in a tabular fashion.</p>

<p align="left">Columns in the file are as follows:</p>

<ul>
<li>MARK - Specifies the mark value to be assigned in case of
a match. This is an integer in the range 1-255.<br>
<br>
Example - 5<br>
</li>
<li>SOURCE - The source of the packet. If the packet originates on
the firewall, place "fw" in this column. Otherwise, this is a comma-separated
list of interface names, IP addresses, MAC addresses in <a
href="Documentation.htm#MAC">Shorewall Format</a> and/or subnets.<br>
<br>
Examples<br>
&nbsp;&nbsp;&nbsp; eth0<br>
&nbsp;&nbsp;&nbsp; 192.168.2.4,192.168.1.0/24<br>
</li>
<li>DEST - Destination of the packet. Comma-separated list of IP
addresses and/or subnets.<br>
</li>
<li>PROTO - Protocol - Must be the name of a protocol from /etc/protocols,
a number or "all".<br>
</li>
<li>PORT(S) - Destination ports. A comma-separated list of port names
(from /etc/services), port numbers or port ranges (e.g., 21:22); if the
protocol is "icmp", this column is interpreted as the destination ICMP
type(s).<br>
</li>
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If omitted,
any source port is acceptable. Specified as a comma-separated list of port
names, port numbers or port ranges.</li>

</ul>

<p align="left">Example 1 - All packets arriving on eth1 should be marked
with 1. All packets arriving on eth2 should be marked with 2. All packets
originating on the firewall itself should be marked with 3.</p>

<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>MARK</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>PROTO</b></td>
<td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td>
</tr>
<tr>
<td>1</td>
<td>eth1</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>2</td>
<td>eth2</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>3</td>
<td>fw</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>

</tbody>
</table>

<p align="left">Example 2 - All GRE (protocol 47) packets not originating
on the firewall and destined for 155.186.235.151 should be marked with 12.</p>

<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>MARK</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>PROTO</b></td>
<td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td>
</tr>
<tr>
<td>12</td>
<td>0.0.0.0/0</td>
<td>155.186.235.151</td>
<td>47</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>

</tbody>
</table>

<p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24
and destined for 155.186.235.151 should be marked with 22.</p>

<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>MARK</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>PROTO</b></td>
<td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td>
</tr>
<tr>
<td>22</td>
<td>192.168.1.0/24</td>
<td>155.186.235.151</td>
<td>tcp</td>
<td>22</td>
<td>&nbsp;</td>
</tr>

</tbody>
</table>

<h3>Hierarchical Token Bucket</h3>

<p>I personally use HTB. I have found a couple of things that may be of use
to others.</p>

<ul>
<li>The gzipped tc binary at the <a
href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB website</a> didn't work
for me -- I had to download the latest version of the <a
href="ftp://ftp.inr.ac.ru/ip-routing">iproute2 sources</a> and patch
them for HTB.</li>
<li>I'm currently running with this set of shaping rules in my tcstart
file. I recently changed from using a ceiling of 10Mbit (interface speed)
to 384kbit (DSL uplink speed).<br>
<br>
</li>

</ul>

<blockquote>
<pre>run_tc qdisc add dev eth0 root handle 1: htb default 30
run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k

echo "   Added Top Level Class -- rate 384kbit"</pre>

<pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k
run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k
run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit ceil 384kbit burst 15k quantum 1500</pre>

<pre>echo "   Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre>

<pre>run_tc qdisc add dev eth0 parent 1:10 sfq perturb 10
run_tc qdisc add dev eth0 parent 1:20 sfq perturb 10
run_tc qdisc add dev eth0 parent 1:30 sfq perturb 10</pre>

<pre>echo "   Enabled SFQ on Second Level Classes"</pre>

<pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10
run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 2 fw classid 1:20
run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>

<pre>echo "   Defined fwmark filters"
</pre>

<p>My tcrules file is shown in Example 1 above. You can look at my <a
href="myfiles.htm">network configuration</a> to get an idea of why I want
these particular rules.<font face="Courier" size="2"><br>
</font></p>
</blockquote>

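<p>As an added illustration (not Shorewall's own code, and not how Shorewall itself compiles tcrules), the following Python parses tcrules rows in the column layout described under /etc/shorewall/tcrules and cross-checks them against the "fw" filters and HTB classes of a tcstart file like the one just shown: a mark that no filter maps to a class silently lands in the qdisc's default class, and child classes whose guaranteed rates add up to more than their parent's rate cannot all be honoured. The sample inputs are constructed from Examples 1 and 3 and from the tcstart above; storing absent trailing columns as "-" is this example's convention.</p>

```python
"""Added illustration, not Shorewall's code: check tcrules rows against a tcstart file."""
import re
TCRULES = """\
#MARK SOURCE         DEST            PROTO PORT(S)
1     eth1           0.0.0.0/0       all
3     fw             0.0.0.0/0       all
22    192.168.1.0/24 155.186.235.151 tcp   22
"""
TCSTART = """\
run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k
run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit
run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit
run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit ceil 384kbit
run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10
run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 2 fw classid 1:20
run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30
"""

def parse_tcrules(text):
    """One dict per non-comment row. MARK must be 1-255 and PROTO is lowercased;
    absent PORT(S) / CLIENT PORT(S) are stored as '-' (this example's convention)."""
    rules = []
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()   # drop comments and blank lines
        if not cols:
            continue
        if len(cols) < 4:
            raise ValueError("MARK SOURCE DEST PROTO are required: " + line)
        cols += ["-"] * (6 - len(cols))
        mark = int(cols[0])
        if not 1 <= mark <= 255:
            raise ValueError("MARK outside 1-255: " + line)
        rules.append({"mark": mark, "source": cols[1], "dest": cols[2],
                      "proto": cols[3].lower(), "ports": cols[4], "cports": cols[5]})
    return rules

def check_tcstart(tcrules, tcstart):
    """Report marks with no 'fw' filter (those packets fall into the qdisc's default
    class) and parents whose children's guaranteed rates exceed the parent's rate."""
    filters = {int(h): c for h, c in re.findall(r"handle (\d+) fw classid (\S+)", tcstart)}
    rates = {c: (p, int(r)) for p, c, r in
             re.findall(r"parent (\S+) classid (\S+) htb rate (\d+)kbit", tcstart)}
    problems = [f"mark {r['mark']} has no fw filter"
                for r in parse_tcrules(tcrules) if r["mark"] not in filters]
    for parent, (_, prate) in rates.items():
        total = sum(rate for p, rate in rates.values() if p == parent)
        if total > prate:
            problems.append(f"children of {parent} sum to {total}kbit > {prate}kbit")
    return problems
```

Running it on the constructed inputs reports only that mark 22 (Example 3) has no filter, so SSH traffic from 192.168.1.0/24 would fall into class 1:30, the 20kbit default.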
<p><font size="2">Last Updated 10/25/2002 - <a href="support.htm">Tom Eastep</a></font></p>

<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>