<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-tcclasses</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>tcclasses</refname>
<refpurpose>Shorewall6 file to define HTB and HFSC classes</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/tcclasses</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
|
|
|
|
|
<title>Description</title>
|
|
|
|
|
|
|
|
|
|
<para>A note on the <emphasis>rate</emphasis>/bandwidth definitions used
|
|
|
|
|
in this file:</para>
|
|
|
|
|
|
|
|
|
|
<itemizedlist>
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>don't use a space between the integer value and the unit: 30kbit
|
|
|
|
|
is valid while 30 kbit is NOT.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>you can use one of the following units:</para>
|
|
|
|
|
|
|
|
|
|
<variablelist>
|
|
|
|
|
<varlistentry>
|
|
|
|
|
                <term><emphasis role="bold">kbps</emphasis></term>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>Kilobytes per second.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term><emphasis role="bold">mbps</emphasis></term>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>Megabytes per second.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term><emphasis role="bold">kbit</emphasis></term>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>Kilobits per second.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term><emphasis role="bold">mbit</emphasis></term>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>Megabits per second.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term><emphasis role="bold">bps</emphasis> or <emphasis
|
|
|
|
|
role="bold">number</emphasis></term>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>Bytes per second.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
</variablelist>
|
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>if you want the values to be calculated for you depending on the
|
|
|
|
|
output bandwidth setting defined for an interface in tcdevices, you
|
|
|
|
|
can use expressions like the following:</para>
|
|
|
|
|
|
|
|
|
|
<variablelist>
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term>full/3</term>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>causes the bandwidth to be calculated as 1/3 of the full
|
|
|
|
|
outgoing speed that is defined.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term>full*9/10</term>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>will set this bandwidth to 9/10 of the full
|
|
|
|
|
bandwidth</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
</variablelist>
|
|
|
|
|
|
2009-08-24 20:56:16 +02:00
|
|
|
|
<para>Note that in a sub-class (a class that has a specified parent
|
|
|
|
|
class), full refers to the RATE or CEIL of the parent class rather
|
|
|
|
|
than to the OUT-BANDWIDTH of the device.</para>
|
|
|
|
|
|
2008-12-11 01:03:00 +01:00
|
|
|
|
<para>DO NOT add a unit to the rate if it is calculated !</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</itemizedlist>
|
|
|
|
|
|
|
|
|
|
<para>The columns in the file are as follows.</para>
|
|
|
|
|
|
|
|
|
|
<variablelist>
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term><emphasis role="bold">INTERFACE</emphasis> -
|
2011-05-01 15:19:57 +02:00
|
|
|
|
<emphasis>interface</emphasis>[[:<emphasis>parent</emphasis>]:<emphasis>class</emphasis>]</term>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
|
|
<listitem>
|
2012-10-29 20:46:58 +01:00
|
|
|
|
<para>Name of <emphasis>interface</emphasis>.</para>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
2008-12-14 18:37:30 +01:00
|
|
|
|
<para>You may specify either the interface number or the interface
|
2011-05-03 01:37:59 +02:00
|
|
|
|
name. If the <emphasis role="bold">classify</emphasis> option is
|
|
|
|
|
given for the interface in <ulink
|
2008-12-14 18:37:30 +01:00
|
|
|
|
url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5),
|
|
|
|
|
then you must also specify an interface class (an integer that must
|
|
|
|
|
be unique within classes associated with this interface).</para>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
|
|
<para>You may NOT specify wildcards here, e.g. if you have multiple
|
|
|
|
|
ppp interfaces, you need to put them all in here!</para>
|
|
|
|
|
|
|
|
|
|
<para>Please note that you can only use interface names in here that
|
|
|
|
|
have a bandwidth defined in the <ulink
|
2008-12-14 18:37:30 +01:00
|
|
|
|
url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
|
2009-05-20 16:54:17 +02:00
|
|
|
|
file.</para>
|
|
|
|
|
|
|
|
|
|
<para>Normally, all classes defined here are sub-classes of a root
|
2011-05-01 15:19:57 +02:00
|
|
|
|
class (class number 1) that is implicitly defined from the entry in
|
|
|
|
|
<ulink
|
2009-05-20 16:54:17 +02:00
|
|
|
|
url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5). You
|
|
|
|
|
can establish a class hierarchy by specifying a
|
|
|
|
|
<emphasis>parent</emphasis> class -- the number of a class that you
|
|
|
|
|
have previously defined. The sub-class may borrow unused bandwidth
|
|
|
|
|
from its parent.</para>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term><emphasis role="bold">MARK</emphasis> -
|
|
|
|
|
{-|<emphasis>value</emphasis>}</term>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>The mark <emphasis>value</emphasis> which is an integer in the
|
|
|
|
|
range 1-255. You set mark values in the <ulink
|
2008-12-14 18:37:30 +01:00
|
|
|
|
url="shorewall6-tcrules.html">shorewall6-tcrules</ulink>(5) file,
|
2008-12-11 01:03:00 +01:00
|
|
|
|
marking the traffic you want to fit in the classes defined in here.
|
|
|
|
|
Must be specified as '-' if the <emphasis
|
|
|
|
|
role="bold">classify</emphasis> option is given for the interface in
|
|
|
|
|
<ulink
|
2012-06-22 19:17:26 +02:00
|
|
|
|
url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5) and
|
|
|
|
|
            you are running Shorewall 4.5.5 or earlier.</para>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
|
|
<para>You can use the same marks for different interfaces.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term><emphasis role="bold">RATE</emphasis> -
|
2012-06-13 23:29:13 +02:00
|
|
|
|
{-|<emphasis>rate</emphasis>[:<emphasis>dmax</emphasis>[:<emphasis>umax</emphasis>]]}</term>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>The minimum bandwidth this class should get, when the traffic
|
|
|
|
|
load rises. If the sum of the rates in this column exceeds the
|
|
|
|
|
INTERFACE's OUT-BANDWIDTH, then the OUT-BANDWIDTH limit may not be
|
2009-05-24 19:06:36 +02:00
|
|
|
|
honored. Similarly, if the sum of the rates of sub-classes of a
|
|
|
|
|
class exceed the CEIL of the parent class, things don't work
|
|
|
|
|
well.</para>
|
|
|
|
|
|
2012-06-13 23:29:13 +02:00
|
|
|
|
            <para>When using the HFSC queuing discipline, this column specifies
|
|
|
|
|
            the real-time (RT) service curve. Leaf classes may specify
|
|
|
|
|
<replaceable>dmax</replaceable>, the maximum delay in milliseconds
|
|
|
|
|
that the first queued packet for this class should experience. May
|
|
|
|
|
be expressed as an integer, optionally followed by 'ms' with no
|
2013-05-03 18:19:45 +02:00
|
|
|
|
intervening white-space (e.g., 10ms).</para>
|
2009-05-24 19:06:36 +02:00
|
|
|
|
|
|
|
|
|
<para>HFSC leaf classes may also specify
|
|
|
|
|
<replaceable>umax</replaceable>, the largest packet expected in this
|
|
|
|
|
class. May be expressed as an integer. The unit of measure is
|
|
|
|
|
<emphasis>bytes</emphasis> and the integer may be optionally
|
2013-05-03 18:19:45 +02:00
|
|
|
|
followed by 'b' with no intervening white-space (e.g., 800b).
|
2009-05-25 01:58:41 +02:00
|
|
|
|
<replaceable>umax</replaceable> may only be given if
|
|
|
|
|
<replaceable>dmax</replaceable> is also given.</para>
|
2012-06-13 23:29:13 +02:00
|
|
|
|
|
|
|
|
|
<para>Beginning with Shorewall 4.5.6, HFSC classes may omit this
|
|
|
|
|
            column (i.e., '-' in the column), provided that an
|
|
|
|
|
<replaceable>lsrate</replaceable> is specified (see CEIL below).
|
|
|
|
|
These rates are used to arbitrate between classes of the same
|
|
|
|
|
priority.</para>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term><emphasis role="bold">CEIL</emphasis> -
|
2012-06-13 23:29:13 +02:00
|
|
|
|
[<emphasis>lsrate</emphasis>:]<emphasis>rate</emphasis></term>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>The maximum bandwidth this class is allowed to use when the
|
|
|
|
|
link is idle. Useful if you have traffic which can get full speed
|
|
|
|
|
when more needed services (e.g. ssh) are not used.</para>
|
|
|
|
|
|
|
|
|
|
<para>You can use the value <emphasis role="bold">full</emphasis> in
|
2009-08-24 20:56:16 +02:00
|
|
|
|
here for setting the maximum bandwidth to the RATE of the parent
|
|
|
|
|
class, or the OUT-BANDWIDTH of the device if there is no parent
|
|
|
|
|
class.</para>
|
2012-06-13 23:29:13 +02:00
|
|
|
|
|
|
|
|
|
<para>Beginning with Shorewall 4.5.6, you can also specify an
|
|
|
|
|
<replaceable>lsrate</replaceable> (link sharing rate).</para>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term><emphasis role="bold">PRIORITY</emphasis> -
|
|
|
|
|
<emphasis>priority</emphasis></term>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
2012-09-12 22:39:54 +02:00
|
|
|
|
<para>For HTB:</para>
|
|
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
|
<para>The <emphasis>priority</emphasis> in which classes will be
|
|
|
|
|
serviced by the packet shaping scheduler and also the priority in
|
|
|
|
|
which bandwidth in excess of the rate will be given to each
|
|
|
|
|
class.</para>
|
|
|
|
|
|
|
|
|
|
<para>Higher priority classes will experience less delay since
|
|
|
|
|
they are serviced first. Priority values are serviced in ascending
|
|
|
|
|
order (e.g. 0 is higher priority than 1).</para>
|
|
|
|
|
|
|
|
|
|
<para>Classes may be set to the same priority, in which case they
|
|
|
|
|
will be serviced as equals.</para>
|
|
|
|
|
</blockquote>
|
|
|
|
|
|
|
|
|
|
<para>For both HTB and HFSC, the <emphasis>priority</emphasis> is
|
2012-09-14 17:01:08 +02:00
|
|
|
|
used to calculate the priority of following Shorewall-generated
|
|
|
|
|
classification filters that refer to the class:</para>
|
|
|
|
|
|
|
|
|
|
<itemizedlist>
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>Packet MARK</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para><emphasis role="bold">tcp-ack</emphasis> and the <emphasis
|
|
|
|
|
role="bold">tos</emphasis> options (see below)</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</itemizedlist>
|
|
|
|
|
|
|
|
|
|
<para>The rules for classes with lower numeric priorities will
|
|
|
|
|
appear before those with higher numeric priorities.</para>
|
|
|
|
|
|
|
|
|
|
<para>Beginning with Shorewall 4.5.8, the PRIORITY may be omitted
|
|
|
|
|
from an HFSC class if you do not use the MARK column or the
|
|
|
|
|
<emphasis role="bold">tcp-ack</emphasis> or <emphasis
|
|
|
|
|
role="bold">tos</emphasis> options. If you use those features and
|
|
|
|
|
omit the PRIORITY, then you must specify a
|
|
|
|
|
            <replaceable>priority</replaceable> along with the MARK or the
|
|
|
|
|
option.</para>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term><emphasis role="bold">OPTIONS</emphasis> (Optional) -
|
|
|
|
|
[<emphasis>option</emphasis>[<emphasis
|
|
|
|
|
role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
2008-12-14 18:37:30 +01:00
|
|
|
|
<para>A comma-separated list of options including the
|
|
|
|
|
following:</para>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
|
|
<variablelist>
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term><emphasis role="bold">default</emphasis></term>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>This is the default class for that interface where all
|
|
|
|
|
traffic should go, that is not classified otherwise.</para>
|
|
|
|
|
|
|
|
|
|
<note>
|
|
|
|
|
<para>You must define <emphasis
|
|
|
|
|
role="bold">default</emphasis> for exactly one class per
|
|
|
|
|
interface.</para>
|
|
|
|
|
</note>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term><emphasis
|
2012-09-12 22:39:54 +02:00
|
|
|
|
role="bold">tos=0x</emphasis><emphasis>value</emphasis>[/0x<emphasis>mask</emphasis>][:<replaceable>priority</replaceable>]
|
2008-12-11 01:03:00 +01:00
|
|
|
|
(mask defaults to 0xff)</term>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>This lets you define a classifier for the given
|
|
|
|
|
<emphasis>value</emphasis>/<emphasis>mask</emphasis>
|
|
|
|
|
                combination of the IP packet's TOS/Precedence/DiffServ octet (the
                Traffic Class octet of an IPv6 header)
|
2009-06-21 02:37:09 +02:00
|
|
|
|
(aka the TOS byte).</para>
|
2012-09-12 22:39:54 +02:00
|
|
|
|
|
|
|
|
|
<para>Beginning with Shorewall 4.5.8, the
|
|
|
|
|
<replaceable>value/mask</replaceable> may be followed by a
|
|
|
|
|
colon (":") and a <replaceable>priority</replaceable>. This
|
|
|
|
|
priority determines the order in which filter rules are
|
|
|
|
|
processed during packet classification. If not specified, the
|
|
|
|
|
                value ((<replaceable>class priority</replaceable> &lt;&lt; 8) |
|
|
|
|
|
10) is used.</para>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term><emphasis
|
2012-09-12 22:39:54 +02:00
|
|
|
|
role="bold">tos-</emphasis><emphasis>tosname</emphasis>[:<replaceable>priority</replaceable>]</term>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>Aliases for the following TOS octet value and mask
|
|
|
|
|
encodings. TOS encodings of the "TOS byte" have been
|
|
|
|
|
                deprecated in favor of DiffServ classes, but programs like
|
|
|
|
|
ssh, rlogin, and ftp still use them.</para>
|
|
|
|
|
|
|
|
|
|
<programlisting> <emphasis role="bold">tos-minimize-delay</emphasis> 0x10/0x10
|
|
|
|
|
<emphasis role="bold">tos-maximize-throughput</emphasis> 0x08/0x08
|
|
|
|
|
<emphasis role="bold">tos-maximize-reliability</emphasis> 0x04/0x04
|
|
|
|
|
<emphasis role="bold">tos-minimize-cost</emphasis> 0x02/0x02
|
|
|
|
|
<emphasis role="bold">tos-normal-service</emphasis> 0x00/0x1e</programlisting>
|
|
|
|
|
|
2012-09-12 22:39:54 +02:00
|
|
|
|
<para>Beginning with Shorewall 4.5.8, the
|
|
|
|
|
<replaceable>tos-name</replaceable> may be followed by a colon
|
|
|
|
|
(":") and a <replaceable>priority</replaceable>. This priority
|
|
|
|
|
determines the order in which filter rules are processed
|
|
|
|
|
during packet classification. If not specified, the value
|
|
|
|
|
                ((<replaceable>class priority</replaceable> &lt;&lt; 8) | 10)
|
|
|
|
|
is used.</para>
|
|
|
|
|
|
2008-12-11 01:03:00 +01:00
|
|
|
|
<note>
|
|
|
|
|
<para>Each of these options is only valid for ONE class per
|
|
|
|
|
interface.</para>
|
|
|
|
|
</note>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
2012-09-12 22:39:54 +02:00
|
|
|
|
<term><emphasis
|
|
|
|
|
role="bold">tcp-ack</emphasis>[:<replaceable>priority</replaceable>]</term>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>If defined, causes a tc filter to be created that puts
|
|
|
|
|
all tcp ack packets on that interface that have a size of
|
|
|
|
|
                &lt;=64 bytes to go in this class. This is useful for speeding
|
|
|
|
|
up downloads. Please note that the size of the ack packets is
|
|
|
|
|
limited to 64 bytes because we want only packets WITHOUT
|
|
|
|
|
                payload to match. Note that this is a packet-size heuristic; the
                filter does not inspect the TCP payload length itself.</para>
|
|
|
|
|
|
2012-09-12 22:39:54 +02:00
|
|
|
|
<para>Beginning with Shorewall 4.5.8, the <emphasis
|
|
|
|
|
role="bold">tcp-ack</emphasis> may be followed by a colon
|
|
|
|
|
(":") and a <replaceable>priority</replaceable>. This priority
|
|
|
|
|
determines the order in which filter rules are processed
|
|
|
|
|
during packet classification. If not specified, the value
|
|
|
|
|
                ((<replaceable>class priority</replaceable> &lt;&lt; 8) | 20)
|
|
|
|
|
is used.</para>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
|
|
<note>
|
|
|
|
|
<para>This option is only valid for ONE class per
|
|
|
|
|
interface.</para>
|
|
|
|
|
</note>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
2009-05-20 16:54:17 +02:00
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term>flow=<emphasis>keys</emphasis></term>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>Shorewall attaches an SFQ queuing discipline to each
|
|
|
|
|
leaf HTB class. SFQ ensures that each
|
|
|
|
|
<firstterm>flow</firstterm> gets equal access to the
|
|
|
|
|
interface. The default definition of a flow corresponds
|
|
|
|
|
roughly to a Netfilter connection. So if one internal system
|
|
|
|
|
is running BitTorrent, for example, it can have lots of
|
|
|
|
|
'flows' and can thus take up a larger share of the bandwidth
|
|
|
|
|
than a system having only a single active connection. The
|
|
|
|
|
<option>flow</option> classifier (module cls_flow) works
|
|
|
|
|
around this by letting you define what a 'flow' is. The
|
2013-05-03 18:19:45 +02:00
|
|
|
|
classifier must be used carefully or it can block off all
|
2009-05-20 16:54:17 +02:00
|
|
|
|
traffic on an interface! The flow option can be specified for
|
|
|
|
|
an HTB leaf class (one that has no sub-classes). We recommend
|
|
|
|
|
that you use the following:</para>
|
|
|
|
|
|
|
|
|
|
<simplelist>
|
|
|
|
|
<member>Shaping internet-bound traffic:
|
|
|
|
|
flow=nfct-src</member>
|
|
|
|
|
|
|
|
|
|
<member>Shaping traffic bound for your local net:
|
|
|
|
|
flow=dst</member>
|
|
|
|
|
</simplelist>
|
|
|
|
|
|
|
|
|
|
                <para>These will cause a 'flow' to consist of the traffic
|
|
|
|
|
to/from each internal system.</para>
|
|
|
|
|
|
|
|
|
|
                <para>When more than one key is given, they must be enclosed in
|
|
|
|
|
                parentheses and separated by commas.</para>
|
|
|
|
|
|
|
|
|
|
<para>To see a list of the possible flow keys, run this
|
|
|
|
|
command:</para>
|
|
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
|
<para><command>tc filter add flow help</command></para>
|
|
|
|
|
</blockquote>
|
|
|
|
|
|
|
|
|
|
<para>Those that begin with "nfct-" are Netfilter connection
|
|
|
|
|
tracking fields. As shown above, we recommend flow=nfct-src;
|
|
|
|
|
that means that we want to use the source IP address
|
|
|
|
|
<emphasis>before NAT</emphasis> as the key.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
2009-10-26 20:23:32 +01:00
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term>pfifo</term>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
2013-05-03 18:19:45 +02:00
|
|
|
|
<para>When specified for a leaf class, the pfifo queuing
|
2009-10-26 20:23:32 +01:00
|
|
|
|
discipline is applied to the class rather than the sfq queuing
|
|
|
|
|
discipline.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term>limit=<emphasis>number</emphasis></term>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>Added in Shorewall 4.4.3. When specified for a leaf
|
2009-10-28 19:29:12 +01:00
|
|
|
|
class, determines the maximum number of packets that may be
|
2009-10-26 20:23:32 +01:00
|
|
|
|
queued within the class. The <emphasis>number</emphasis> must
|
2009-10-26 21:03:26 +01:00
|
|
|
|
                be &gt; 2 and &lt;= 128. If not specified, the value 127 is
|
|
|
|
|
assumed.</para>
|
2009-10-26 20:23:32 +01:00
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
2012-06-13 23:29:13 +02:00
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term>red=(<replaceable>redoption</replaceable>=<replaceable>value</replaceable>,
|
|
|
|
|
...)</term>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>Added in Shorewall 4.5.6. When specified on a leaf
|
2012-06-15 19:34:09 +02:00
|
|
|
|
class, causes the class to use the RED (Random Early
|
|
|
|
|
Detection) queuing discipline rather than SFQ. See tc-red (8)
|
|
|
|
|
for additional information.</para>
|
2012-06-13 23:29:13 +02:00
|
|
|
|
|
|
|
|
|
<para>Allowable redoptions are:</para>
|
|
|
|
|
|
|
|
|
|
<variablelist>
|
|
|
|
|
<varlistentry>
|
2012-06-15 19:34:09 +02:00
|
|
|
|
<term>min <replaceable>min</replaceable></term>
|
2012-06-13 23:29:13 +02:00
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>Average queue size at which marking becomes a
|
|
|
|
|
possibility.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
2012-06-15 19:34:09 +02:00
|
|
|
|
<term>max <replaceable>max</replaceable></term>
|
2012-06-13 23:29:13 +02:00
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>At this average queue size, the marking
|
|
|
|
|
probability is maximal. Must be at least twice
|
|
|
|
|
<replaceable>min</replaceable> to prevent synchronous
|
2012-06-16 15:50:23 +02:00
|
|
|
|
retransmits, higher for low
|
|
|
|
|
<replaceable>min</replaceable>.</para>
|
2012-06-13 23:29:13 +02:00
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
2012-06-15 19:34:09 +02:00
|
|
|
|
<term>probability
|
|
|
|
|
<replaceable>probability</replaceable></term>
|
2012-06-13 23:29:13 +02:00
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>Maximum probability for marking, specified as a
|
|
|
|
|
floating point number from 0.0 to 1.0. Suggested values
|
|
|
|
|
are 0.01 or 0.02 (1 or 2%, respectively).</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
2012-06-15 19:34:09 +02:00
|
|
|
|
<term>limit <replaceable>limit</replaceable></term>
|
2012-06-13 23:29:13 +02:00
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>Hard limit on the real (not average) queue size in
|
|
|
|
|
bytes. Further packets are dropped. Should be set higher
|
|
|
|
|
than
|
|
|
|
|
<replaceable>max</replaceable>+<replaceable>burst</replaceable>.
|
|
|
|
|
It is advised to set this a few times higher than
|
|
|
|
|
<replaceable>max</replaceable>. Shorewall requires that
|
2012-06-16 15:50:23 +02:00
|
|
|
|
<replaceable>limit</replaceable> be at least twice
|
2012-06-13 23:29:13 +02:00
|
|
|
|
<replaceable>min</replaceable>.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
2012-06-15 19:34:09 +02:00
|
|
|
|
<term>burst <replaceable>burst</replaceable></term>
|
2012-06-13 23:29:13 +02:00
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>Used for determining how fast the average queue
|
|
|
|
|
size is influenced by the real queue size. Larger values
|
|
|
|
|
make the calculation more sluggish, allowing longer
|
|
|
|
|
bursts of traffic before marking starts. Real life
|
2012-06-15 19:34:09 +02:00
|
|
|
|
                    experiments support the following guideline:
|
2012-06-13 23:29:13 +02:00
|
|
|
|
(<replaceable>min</replaceable>+<replaceable>min</replaceable>+<replaceable>max</replaceable>)/(3*<replaceable>avpkt</replaceable>).</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
2012-06-15 19:34:09 +02:00
|
|
|
|
<term>avpkt <replaceable>avpkt</replaceable></term>
|
2012-06-13 23:29:13 +02:00
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>Optional. Specified in bytes. Used with burst to
|
|
|
|
|
determine the time constant for average queue size
|
|
|
|
|
calculations. 1000 is a good value and is the Shorewall
|
|
|
|
|
default.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
2012-06-15 19:34:09 +02:00
|
|
|
|
<term>bandwidth
|
|
|
|
|
<replaceable>bandwidth</replaceable></term>
|
2012-06-13 23:29:13 +02:00
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>Optional. This rate is used for calculating the
|
|
|
|
|
average queue size after some idle time. Should be set
|
|
|
|
|
to the bandwidth of your interface. Does not mean that
|
|
|
|
|
RED will shape for you!</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term>ecn</term>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>RED can either 'mark' or 'drop'. Explicit
|
|
|
|
|
Congestion Notification allows RED to notify remote
|
|
|
|
|
hosts that their rate exceeds the amount of bandwidth
|
|
|
|
|
available. Non-ECN capable hosts can only be notified by
|
|
|
|
|
dropping a packet. If this parameter is specified,
|
|
|
|
|
packets which indicate that their hosts honor ECN will
|
|
|
|
|
only be marked and not dropped, unless the queue size
|
2012-06-15 19:34:09 +02:00
|
|
|
|
hits <replaceable>limit</replaceable> bytes. Needs a tc
|
|
|
|
|
binary with RED support compiled in. Recommended.</para>
|
2012-06-13 23:29:13 +02:00
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
</variablelist>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
2012-12-29 19:58:11 +01:00
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term>fq_codel[=(<replaceable>codeloption</replaceable>=<replaceable>value</replaceable>,
|
|
|
|
|
...)]</term>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>Added in Shorewall 4.5.12. When specified for a leaf
|
2012-12-29 20:20:16 +01:00
|
|
|
|
class, causes the class to use the FQ_CODEL
|
|
|
|
|
(<firstterm>Fair-queuing Controlled-Delay</firstterm>) queuing
|
|
|
|
|
discipline rather than SFQ. See tc-fq_codel (8) for additional
|
|
|
|
|
information.</para>
|
2012-12-29 19:58:11 +01:00
|
|
|
|
|
|
|
|
|
<para>Allowable <replaceable>codeloptions</replaceable>
|
|
|
|
|
are:</para>
|
|
|
|
|
|
|
|
|
|
<variablelist>
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term>limit</term>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
                    <para>Hard limit on the real queue size. When this limit
|
|
|
|
|
is reached, incoming packets are dropped. If the value
|
|
|
|
|
is lowered, packets are dropped so that the new limit is
|
|
|
|
|
met. Default is 1000 packets.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term>flows</term>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>is the number of flows into which the incoming
|
|
|
|
|
packets are classified. Due to the stochastic nature of
|
|
|
|
|
hashing, multiple flows may end up being hashed into the
|
|
|
|
|
same slot. Newer flows have priority over older ones.
|
|
|
|
|
This parameter can be set only at load time since memory
|
|
|
|
|
has to be allocated for the hash table. Default value is
|
|
|
|
|
1024.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term>target</term>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>is the acceptable minimum standing/persistent
|
|
|
|
|
queue delay. This minimum delay is identified by
|
|
|
|
|
tracking the local minimum queue delay that packets
|
|
|
|
|
experience. Default and recommended value is 5ms.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term>interval</term>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>is used to ensure that the measured minimum delay
|
|
|
|
|
does not become too stale. The minimum delay must be
|
|
|
|
|
experienced in the last epoch of length interval. It
|
|
|
|
|
should be set on the order of the worst-case RTT through
|
|
|
|
|
the bottleneck to give endpoints sufficient time to
|
|
|
|
|
react. Default value is 100ms.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term>quantum</term>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>is the number of bytes used as 'deficit' in the
|
|
|
|
|
fair queuing algorithm. Default is set to 1514 bytes
|
|
|
|
|
which corresponds to the Ethernet MTU plus the hardware
|
|
|
|
|
header length of 14 bytes.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term>ecn | noecn</term>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>can be used to mark packets instead of dropping
|
|
|
|
|
them. If ecn has been enabled, noecn can be used to turn
|
|
|
|
|
it off and vice-a-versa. By default, ecn is
|
|
|
|
|
enabled.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
</variablelist>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
</variablelist>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
</variablelist>
|
|
|
|
|
</refsect1>
|
|
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
|
<title>Examples</title>
|
|
|
|
|
|
|
|
|
|
<variablelist>
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term>Example 1:</term>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>Suppose you are using PPP over Ethernet (DSL) and ppp0 is the
|
|
|
|
|
interface for this. You have 4 classes here, the first you can use
|
|
|
|
|
for voice over IP traffic, the second interactive traffic (e.g.
|
|
|
|
|
ssh/telnet but not scp), the third will be for all unclassified
|
|
|
|
|
          traffic, and the fourth is for low priority traffic (e.g.
|
|
|
|
|
peer-to-peer).</para>
|
|
|
|
|
|
|
|
|
|
<para>The voice traffic in the first class will be guaranteed a
|
|
|
|
|
          minimum of 100kbit and always be serviced first (because of the low
|
|
|
|
|
priority number, giving less delay) and will be granted excess
|
|
|
|
|
          bandwidth (up to 180kbit, the class ceiling) first, before any other
|
2013-05-03 18:19:45 +02:00
|
|
|
|
traffic. A single VoIP stream, depending upon codecs, after
|
|
|
|
|
          encapsulation, can take up to 80kbit on a PPPoE/DSL link, so we pad a
|
2008-12-11 01:03:00 +01:00
|
|
|
|
little bit just in case. (TOS byte values 0xb8 and 0x68 are DiffServ
|
|
|
|
|
          classes EF and AF31 respectively and are often used by VoIP
|
|
|
|
|
devices).</para>
|
|
|
|
|
|
|
|
|
|
          <para>Interactive traffic (tos-minimize-delay) and TCP acks (and ICMP
|
|
|
|
|
echo traffic if you use the example in tcrules) and any packet with
|
|
|
|
|
a mark of 2 will be guaranteed 1/4 of the link bandwidth, and may
|
|
|
|
|
extend up to full speed of the link.</para>
|
|
|
|
|
|
|
|
|
|
<para>Unclassified traffic and packets marked as 3 will be
|
|
|
|
|
guaranteed 1/4th of the link bandwidth, and may extend to the full
|
|
|
|
|
speed of the link.</para>
|
|
|
|
|
|
|
|
|
|
<para>Packets marked with 4 will be treated as low priority packets.
|
|
|
|
|
(The tcrules example marks p2p traffic as such.) If the link is
|
|
|
|
|
congested, they're only guaranteed 1/8th of the speed, and even if
|
|
|
|
|
the link is empty, can only expand to 80% of link bandwidth just as
|
|
|
|
|
a precaution in case there are upstream queues we didn't account
|
|
|
|
|
for. This is the last class to get additional bandwidth and the last
|
|
|
|
|
to get serviced by the scheduler because of the low priority.</para>
|
|
|
|
|
|
|
|
|
|
<programlisting> #INTERFACE MARK RATE CEIL PRIORITY OPTIONS
|
|
|
|
|
ppp0 1 100kbit 180kbit 1 tos=0x68/0xfc,tos=0xb8/0xfc
|
|
|
|
|
ppp0 2 full/4 full 2 tcp-ack,tos-minimize-delay
|
|
|
|
|
ppp0 3 full/4 full 3 default
|
|
|
|
|
ppp0 4 full/8 full*8/10 4</programlisting>
|
|
|
|
|
</listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
</variablelist>
|
|
|
|
|
</refsect1>
|
|
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
|
<title>FILES</title>
|
|
|
|
|
|
2008-12-14 18:37:30 +01:00
|
|
|
|
<para>/etc/shorewall6/tcclasses</para>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
</refsect1>
|
|
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
|
    <title>SEE ALSO</title>
|
|
|
|
|
|
2012-06-17 19:03:19 +02:00
|
|
|
|
<para>tc-hfsc(7)</para>
|
|
|
|
|
|
|
|
|
|
<para>tc-red(8)</para>
|
2012-06-13 23:29:13 +02:00
|
|
|
|
|
2008-12-11 01:03:00 +01:00
|
|
|
|
<para><ulink
|
|
|
|
|
url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
|
|
|
|
|
|
2011-09-26 19:16:52 +02:00
|
|
|
|
<para><ulink
|
|
|
|
|
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
|
|
|
|
|
2008-12-14 18:37:30 +01:00
|
|
|
|
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
|
|
|
|
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
2013-05-03 18:19:45 +02:00
|
|
|
|
    shorewall6-maclist(5), shorewall6-netmap(5), shorewall6-params(5),
|
2012-01-09 16:19:10 +01:00
|
|
|
|
shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
|
2011-05-01 15:19:57 +02:00
|
|
|
|
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
|
|
|
|
|
shorewall6-secmarks(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
|
|
|
|
|
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
</refsect1>
|
2008-12-14 18:37:30 +01:00
|
|
|
|
</refentry>
|