Update to nested classes; document nested classes in the release docs

Tom Eastep 2009-05-04 16:03:14 -07:00
parent 03cd8350dc
commit 8f6130cca4
3 changed files with 60 additions and 17 deletions

@ -173,6 +173,9 @@ our $sticky;
# rate => <rate> ,
# ceiling => <ceiling> ,
# priority => <priority> ,
# occurs => <number> # 0 means that this is a class generated by another class with occurs > 1
# parent => <class number>
# leaf => 0|1
# options => { tos => [ <value1> , <value2> , ... ];
# tcp_ack => 1 ,
# ...
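Review bot: the new `leaf => 0|1` entry in this table comment lists the values but not what they mean, and `parent => <class number>` does not say what a first-level class holds. Suggest annotating both the way `occurs` is annotated, for example that `leaf` becomes 0 once another class names this one as its parent, and that `parent` is 1 for a class with no nesting, which is the value the `$parentclass != 1` test in validate_tc_class checks for.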
@ -622,12 +625,13 @@ sub validate_tc_class( $$$$$$ ) {
fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
}
if ( $parrentclass != 1 ) {
if ( $parentclass != 1 ) {
#
# Nested Class
#
my $parentref = $tcref->{parentclass};
my $parentref = $tcref->{$parentclass};
fatal_error "Unknown Parent class ($parentclass)" unless $parentref && $parentref->{occurs} == 1;
$parentref->{leaf} = 0;
}
$tcref->{$classnumber} = { tos => [] ,
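Review bot: the check `fatal_error "Unknown Parent class ($parentclass)" unless $parentref && $parentref->{occurs} == 1;` reports two different mistakes with one message. A parent that exists but was declared with occurs greater than 1 is not unknown, so the user is sent looking for a typo that is not there. Suggest two statements: keep "Unknown Parent class" for the missing `$parentref`, and add a separate message saying that a class with 'occurs' cannot be a parent.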
@ -638,8 +642,8 @@ sub validate_tc_class( $$$$$$ ) {
flow => '' ,
pfifo => 0,
occurs => 1,
src => 1,
parent => $parentclass,
leaf => 1,
};
$tcref = $tcref->{$classnumber};
@ -673,10 +677,9 @@ sub validate_tc_class( $$$$$$ ) {
} elsif ( $option eq 'pfifo' ) {
fatal_error "The 'pfifo'' option is not allowed with 'flow='" if $tcref->{flow};
$tcref->{pfifo} = 1;
} elsif ( $option =~ /^occurs=((\d+)([ds]?))$/ ) {
my $val = $2;
} elsif ( $option =~ /^occurs=(\d+)$/ ) {
my $val = $1;
$occurs = numeric_value($val);
$tcref->{src} = 1 if $3 eq 's';
fatal_error q(The 'occurs' option is only valid for IPv4) if $family == F_IPV6;
fatal_error q(The 'occurs' option may not be used with 'classify') if $devref->{classify};
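Review bot: the narrowed pattern `/^occurs=(\d+)$/` no longer accepts the `d` or `s` suffix that the old pattern `/^occurs=((\d+)([ds]?))$/` allowed, and neither this hunk nor the release-notes hunks in this commit tell users that the suffix is gone. An existing `occurs=5s` entry will now fall through to whatever the generic branch reports. Suggest either an explicit error for the old suffix form or a line in the release notes. Separately, the context line `"The 'pfifo'' option is not allowed with 'flow='"` has a doubled quote after pfifo that could be cleaned up while this block is being touched.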
@ -1000,6 +1003,7 @@ sub setup_traffic_shaping() {
my $quantum = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );
my $dev = chain_base $device;
my $priority = $tcref->{priority} << 8;
my $parent = in_hexp $tcref->{parent};
$classids{$classid}=$device;
@ -1019,9 +1023,9 @@ sub setup_traffic_shaping() {
}
emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum",
"run_tc class add dev $device parent $devref->{number}:$tcref->{parent} classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" );
"run_tc class add dev $device parent $devref->{number}:$parent classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" );
emit( "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq quantum \$quantum limit 127 perturb 10" ) unless $tcref->{pfifo};
emit( "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq quantum \$quantum limit 127 perturb 10" ) if $tcref->{leaf} && ! $tcref->{pfifo};
#
# add filters
#
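Review bot: the new condition `if $tcref->{leaf} && ! $tcref->{pfifo}` on the sfq emit drops the qdisc for every class that has become a parent, and nothing next to it explains why. Suggest a short comment above the emit stating that inner classes carry no qdisc of their own. It is also worth a warning in validate_tc_class when a class that already set `pfifo` is later named as a parent, since with `leaf` at 0 that option no longer changes what is emitted here.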

@ -17,6 +17,8 @@ Changes in Shorewall 4.3.10
8) Optimize IPMARK.
9) Implement nested HTB classes.
Changes in Shorewall 4.3.9
1) Logging rules now create separate chain.

@ -165,6 +165,45 @@ None.
5) Compile for export (such as in the 'shorewall reload' command)
caused the compiler to fail with an internal error.
6) Shorewall now supports nested HTB traffic shaping classes. The
nested classes within a class can borrow from their parent class in
the same way as the first level classes can borrow from the root
class.
To use nested classes, you must explicitly number your classes.
Example:
/etc/shorewall/tcdevices
#INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS
eth2 - 100mbps classify
/etc/shorewall/tcclasses
#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
1:10 - full/2 full 1
1:100 - 16mbit 20mbit 2
1:100:101 - 8mbit 20mbit 3 default
1:100:102 - 8mbit 20mbit 3
/etc/shorewall/tcrules
#MARK SOURCE DEST
1:102 0.0.0.0/0 eth2:172.20.1.107
1:10 206.124.146.177 eth2
1:10 172.20.1.254 eth2
The above controls download for internal interface eth2. The
external interface has a download rate of 20mbit so we guarantee
that to class 1:100. 1:100 has two subclasses, each of which is
guaranteed half of their parent's bandwidth.
Local traffic (that coming from the firewall and from the DMZ
server) is placed in the effectively unrestricted class 1:10. The
default class is guaranteed have of the download capacity and my
work system (172.20.1.107) is guarandeed the other half.
----------------------------------------------------------------------------
N E W F E A T U R E S IN 4 . 3
----------------------------------------------------------------------------
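Review bot: the paragraph under the example says the external interface has a download rate of 20mbit "so we guarantee that to class 1:100", but the tcclasses row for 1:100 has RATE 16mbit and CEIL 20mbit, and the two subclasses at 8mbit each add up to 16mbit, not 20mbit. Either the row or the sentence should change so the guaranteed figure matches. In the last paragraph of the new text, "guaranteed have of" should read "half of" and "guarandeed" should read "guaranteed".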
@ -549,19 +588,17 @@ None.
1:103.
It is important to realize that, while class IDs are composed of a
<major> and a <minor> value, the set of values must be unique. That
is, the same numeric value cannot be used as both a <major> and a
<minor> number for the same interface unless class nesting occurs
(which is not currently possible with Shorewall). You should keep
this in mind when deciding how to map IP addresses to class IDs.
<major> and a <minor> value, the set of <minor> values must be
unique. You must keep this in mind when deciding how to map IP
addresses to class IDs.
For example, suppose that your internal network is 192.168.1.0/29
(host IP addresses 192.168.1.1 - 192.168.1.6). Your first notion
might be to use IPMARK(src,0xFF,0x10000) so as to produce class IDs
1:1 through 1:6. But 1:1 is an invalid class ID since the <major>
and <minor> classes are equal. So you might chose instent to use
IPMARK(src,0xFF,0x10100) as shown in the example above so that all
of your <minor> classes will have a value > 256.
1:1 through 1:6. But 1:1 is the class ID if the base HTB class on
interface 1. So you might chose instent to use
IPMARK(src,0xFF,0x10100) as shown in the example above so as to
avoid minor class 1.
The 'occurs' option in /etc/shorewall/tcclasses causes the class
definition to be replicated many times. The synax is:
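Review bot: in the rewritten sentence "But 1:1 is the class ID if the base HTB class on interface 1", "if" should be "of", and "chose instent" on the next line should be "choose instead" (that one is carried over from the old text). The new wording that the set of minor values must be unique also removes the old remark about nesting without saying how uniqueness applies to nested classes such as 1:100:101 from the example added earlier in this file. If the intent is that minors are unique per interface regardless of parent, a clause saying so would close the gap.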