From bc4c6637c386eed59e7a742780b5d1e80d9f5043 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 1 Aug 2020 17:10:00 -0700
Subject: [PATCH 1/2] Correct IPv6 ACK handling in Simple TC
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Tc.pm | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index a3df84c5c..3ec086bb3 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -365,9 +365,7 @@ sub process_simple_device() {
 emit( "run_tc filter add dev $physical parent $number:0 protocol all prio 1 u32" .
 "\\\n match ip6 protocol 6 0xff" .
- "\\\n match u8 0x05 0x0f at 0" .
- "\\\n match u16 0x0000 0xffc0 at 2" .
- "\\\n match u8 0x10 0xff at 33 flowid $number:1\n" );
+ "\\\n match u8 0x10 0xff at 53 flowid $number:1\n" );
 save_progress_message_short qq(" TC Device $physical defined.");
From 2f56edc1eddda2c0176bf1bbf693d0b8f46160d0 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 2 Aug 2020 12:23:54 -0700
Subject: [PATCH 2/2] Document TC/IPSec issue
Signed-off-by: Tom Eastep
---
 docs/simple_traffic_shaping.xml | 7 +++++++
 docs/traffic_shaping.xml | 8 ++++++++
 2 files changed, 15 insertions(+)
diff --git a/docs/simple_traffic_shaping.xml b/docs/simple_traffic_shaping.xml
index fcac5e459..5a2dc8d61 100644
--- a/docs/simple_traffic_shaping.xml
+++ b/docs/simple_traffic_shaping.xml
@@ -93,6 +93,13 @@ qdisc but seems to provide a benefit when the actual link output temporarily drops below the limit imposed by tbf or when tbf allows a burst of traffic to be released.
+
+
+ IPSec traffic passes through traffic shaping twice - once en clair
+ and once encrypted and encapsulated. As a result, throughput may be
+ significantly less than configured if IPSEC packets form a significant
+ percentage of the traffic being shaped.
+
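Review bot: The new rule `+ "\\\n match u8 0x10 0xff at 53 flowid $number:1\n" );` keeps only the TCP-flags test, so the small-packet restriction that the three removed lines carried (the `u16 0x0000 0xffc0 at 2` length test) is gone for IPv6, and every IPv6 TCP segment whose flags byte is exactly ACK — full-size data segments included — is steered into $number:1 rather than just pure ACKs. If the IPv4 rule elsewhere in process_simple_device() still filters by length (not visible here), the two address families now classify differently; the IPv6 equivalent would be a payload-length test ahead of the flags test, e.g. `"\\\n match u16 0x0000 0xffc0 at 4" .` (payload length sits at offset 4 of the IPv6 header and excludes the 40-byte header, so the threshold does not line up exactly with the IPv4 total-length check — pick the bound deliberately). Offset 53 is the TCP flags byte only when no extension header precedes TCP, which is the same assumption the preceding `match ip6 protocol 6 0xff` already makes, so a comment such as `# TCP flags byte: 40-byte fixed IPv6 header + 13; extension headers are not handled` would save the next reader the arithmetic. process_simple_device() begins and ends outside this hunk.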
diff --git a/docs/traffic_shaping.xml b/docs/traffic_shaping.xml
index a83d470a0..8959b8549 100644
--- a/docs/traffic_shaping.xml
+++ b/docs/traffic_shaping.xml
@@ -385,6 +385,14 @@ The default burst is 10kb, but on my 50mbit line, I specify 200kb. (50mbit:200kb).
+
+
+ Incoming IPSec traffic traverses traffic shaping twice -
+ firs as encrypted and encapsulated ESP packets and then en clair.
+ As a result, incoming bandwidth can be significantly less than
+ specified if IPSEC packets form a significant part of inoming
+ traffic.
+