<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
|
<refentry>
|
|
<refmeta>
|
|
<refentrytitle>shorewall-tcinterfaces</refentrytitle>
|
|
|
|
<manvolnum>5</manvolnum>
|
|
</refmeta>
|
|
|
|
<refnamediv>
|
|
<refname>tcinterfaces</refname>
|
|
|
|
<refpurpose>Shorewall file</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<cmdsynopsis>
|
|
<command>/etc/shorewall/tcinterfaces</command>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>Description</title>
|
|
|
|
<para>This file lists the interfaces that are subject to simple traffic
|
|
shaping. Simple traffic shaping is enabled by setting TC_ENABLED=Simple in
|
|
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
|
|
|
<para>A note on the <emphasis>bandwidth</emphasis> definition used in this
|
|
file:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>don't use a space between the integer value and the unit: 30kbit
|
|
is valid while 30 kbit is not.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>you can use one of the following units:</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><emphasis role="bold">kbps</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Kilobytes per second.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">mbps</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Megabytes per second.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">kbit</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Kilobits per second.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">mbit</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Megabits per second.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">bps</emphasis> or <emphasis
|
|
role="bold">number</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Bytes per second.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>k or kb</term>
|
|
|
|
<listitem>
|
|
<para>Kilobytes.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>m or mb</term>
|
|
|
|
<listitem>
|
|
<para>Megabytes.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Only whole integers are allowed.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>The columns in the file are as follows.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><emphasis role="bold">INTERFACE</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>The logical name of an interface. If you run both IPv4 and
|
|
IPv6 Shorewall firewalls, a given interface should only be listed in
|
|
one of the two configurations.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">TYPE</emphasis> - [<emphasis
|
|
role="bold">external</emphasis>|<emphasis
|
|
role="bold">internal</emphasis>]</term>
|
|
|
|
<listitem>
|
|
<para>Optional. If given, specifies whether the interface is
|
|
<emphasis role="bold">external</emphasis> (facing toward the
|
|
Internet) or <emphasis role="bold">internal</emphasis> (facing
|
|
toward a local network) and enables SFQ flow classification.</para>
|
|
|
|
<note>
|
|
<para>Simple traffic shaping is only useful on interfaces where
|
|
queuing occurs. As a consequence, internal interfaces seldom
|
|
benefit from simple traffic shaping. VPN interfaces are an
|
|
exception because the encapsulated packets are later transferred
|
|
over a slower external link.</para>
|
|
</note>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>IN-BANDWIDTH -
|
|
[<replaceable>rate</replaceable>[:<replaceable>burst</replaceable>]]</term>
|
|
|
|
<listitem>
|
|
<para>Optional. If specified, enables ingress policing on the
|
|
interface. If incoming traffic exceeds the given
|
|
<replaceable>rate</replaceable>, received packets are dropped
|
|
randomly. With some DSL and Cable links, large queues can build up
|
|
in the ISP's gateway router. While this ensures maximum throughput,
|
|
it kills interactive response time. By setting IN-BANDWIDTH, you can
|
|
eliminate these queues.</para>
|
|
|
|
<para>To pick an appropriate setting, we recommend that you start by
|
|
setting it significantly below your measured download bandwidth (20%
|
|
or so). While downloading, measure the ping response time from the
|
|
firewall to the upstream router as you gradually increase the
|
|
setting. The optimal setting is at the point beyond which the ping
|
|
time increases sharply as you increase the setting.</para>
|
|
|
|
<para>The <replaceable>burst</replaceable> option was added in
|
|
Shorewall 4.4.13. If not supplied, 10kb is assumed. A larger
|
|
<replaceable>burst</replaceable> size can help make the
|
|
<replaceable>rate</replaceable> estimate more accurate on fast
|
|
lines. The default <replaceable>burst</replaceable> often makes the
|
|
enforced rate much less than the specified
|
|
<replaceable>rate</replaceable>.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>OUT-BANDWIDTH -
|
|
[<replaceable>rate</replaceable>[:[<replaceable>burst</replaceable>][:[<replaceable>latency</replaceable>][:[<replaceable>peak</replaceable>][:[<replaceable>minburst</replaceable>]]]]]]</term>
|
|
|
|
<listitem>
|
|
<para>Added in Shorewall 4.4.13. The terms are defined in
|
|
tc-tbf(8).</para>
|
|
|
|
<para>Shorewall provides defaults as follows:</para>
|
|
|
|
<simplelist>
|
|
<member><replaceable>burst</replaceable> - 10kb</member>
|
|
|
|
<member><replaceable>latency</replaceable> - 200ms</member>
|
|
</simplelist>
|
|
|
|
<para>The remaining options are defaulted by tc(8).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>FILES</title>
|
|
|
|
<para>/etc/shorewall/tcinterfaces.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>SEE ALSO</title>
|
|
|
|
<para><ulink
|
|
url="http://ace-host.stuart.id.au/russell/files/tc/doc/sch_tbf.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/sch_tbf.txt</ulink></para>
|
|
|
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsets(5),
|
|
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
|
|
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
|
|
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
|
|
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
|
|
shorewall-secmarks(5), shorewall-tcpri(5), shorewall-tcrules(5),
|
|
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
|
|
</refsect1>
|
|
</refentry>
|