Deimplement flawed rate limiting with simple TC
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
fc95cb8dc6
commit
9e37fe1ffa
@ -443,7 +443,7 @@ sub process_flow($) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
sub process_simple_device() {
|
sub process_simple_device() {
|
||||||
my ( $device , $type , $in_bandwidth , $out_part ) = split_line 1, 4, 'tcinterfaces';
|
my ( $device , $type , $in_bandwidth ) = split_line 1, 3, 'tcinterfaces';
|
||||||
|
|
||||||
fatal_error "Duplicate INTERFACE ($device)" if $tcdevices{$device};
|
fatal_error "Duplicate INTERFACE ($device)" if $tcdevices{$device};
|
||||||
fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
|
fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
|
||||||
@ -478,47 +478,7 @@ sub process_simple_device() {
|
|||||||
"run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${in_bandwidth}kbit burst 10k drop flowid :1\n"
|
"run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${in_bandwidth}kbit burst 10k drop flowid :1\n"
|
||||||
) if $in_bandwidth;
|
) if $in_bandwidth;
|
||||||
|
|
||||||
if ( $out_part ne '-' ) {
|
|
||||||
my ( $out_bandwidth, $burst, $latency, $peak, $minburst ) = split ':', $out_part;
|
|
||||||
|
|
||||||
fatal_error "Invalid OUT-BANDWIDTH ($out_part)" if ( defined $minburst && $minburst =~ /:/ ) || $out_bandwidth eq '';
|
|
||||||
|
|
||||||
$out_bandwidth = rate_to_kbit( $out_bandwidth );
|
|
||||||
|
|
||||||
my $command = "run_tc qdisc add dev $physical root handle $number: tbf rate $out_bandwidth";
|
|
||||||
|
|
||||||
if ( defined $burst && $burst ne '' ) {
|
|
||||||
fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(k|kb|m|mb|mbit|kbit|b)?$/;
|
|
||||||
$command .= " burst $burst";
|
|
||||||
} else {
|
|
||||||
fatal_error "Missing OUT-BANDWIDTH Burst ($out_part)";
|
|
||||||
}
|
|
||||||
|
|
||||||
if ( defined $latency && $latency ne '' ) {
|
|
||||||
fatal_error "Invalid latency ($latency)" unless $latency =~ /^\d+(s|sec|secs|ms|msec|msecs|us|usec|usecs)?$/;
|
|
||||||
$command .= " latency $latency"
|
|
||||||
} else {
|
|
||||||
fatal_error "Missing OUT-BANDWIDTH Latency ($out_part)";
|
|
||||||
}
|
|
||||||
|
|
||||||
if ( defined $peak && $peak ne '' ) {
|
|
||||||
$peak = rate_to_kbit( $peak );
|
|
||||||
$command .= " peakrate $peak";
|
|
||||||
}
|
|
||||||
|
|
||||||
if ( defined $minburst && $minburst ne '' ) {
|
|
||||||
fatal_error "Invalid minburst ($minburst)" unless $minburst =~ /^\d+(k|kb|m|mb|mbit|kbit|b)?$/;
|
|
||||||
$command .= " minburst $minburst";
|
|
||||||
}
|
|
||||||
|
|
||||||
emit $command;
|
|
||||||
|
|
||||||
my $id = $number; $number = in_hexp( $devnum |= 0x100 );
|
|
||||||
|
|
||||||
emit "run_tc qdisc add dev $physical parent $id: handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";
|
|
||||||
} else {
|
|
||||||
emit "run_tc qdisc add dev $physical root handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";
|
emit "run_tc qdisc add dev $physical root handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";
|
||||||
}
|
|
||||||
|
|
||||||
for ( my $i = 1; $i <= 3; $i++ ) {
|
for ( my $i = 1; $i <= 3; $i++ ) {
|
||||||
emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
|
emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
|
||||||
|
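Review bot: The only check on `$device` left at the top of `process_simple_device` is a deny-list (`/[:+]/`), yet the name reaches text emitted as `run_tc qdisc add dev $physical ...` command lines in the second hunk. If `$physical` is derived from `$device` (that assignment lies between the two hunks and is not shown), whitespace or shell metacharacters in a tcinterfaces entry would land unquoted in the generated script. An anchored allow-list would be tighter, for example `fatal_error "Invalid INTERFACE name ($device)" unless $device =~ /^[A-Za-z0-9_.@-]+$/;`, with the character set adjusted to whatever the interfaces file accepts. The same question applies to `${in_bandwidth}` and `$config{TC_PRIOMAP}`, whose validation is outside the visible lines; the function body continues outside both hunks.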
@ -1,18 +1,16 @@
|
|||||||
Changes in Shorewall 4.4.11
|
Changes in Shorewall 4.4.11
|
||||||
|
|
||||||
1) Allow rate limiting with Simple Traffic Shaping.
|
1) Apply patch from Gabriel.
|
||||||
|
|
||||||
2) Apply patch from Gabriel.
|
2) Fix IPSET match detection when a pathname is specified for IPSET.
|
||||||
|
|
||||||
3) Fix IPSET match detection when a pathname is specified for IPSET.
|
3) Fix start priority of shorewall-init on Debian
|
||||||
|
|
||||||
4) Fix start priority of shorewall-init on Debian
|
4) Make IPv6 log and connections output readable.
|
||||||
|
|
||||||
5) Make IPv6 log and connections output readable.
|
5) Add REQUIRE_INTERFACE to shorewall*.conf
|
||||||
|
|
||||||
6) Add REQUIRE_INTERFACE to shorewall*.conf
|
6) Avoid run-time warnings when options are not listed in shorewall.conf.
|
||||||
|
|
||||||
7) Avoid run-time warnings when options are not listed in shorewall.conf.
|
|
||||||
|
|
||||||
Changes in Shorewall 4.4.10
|
Changes in Shorewall 4.4.10
|
||||||
|
|
||||||
|
@ -258,19 +258,7 @@ None.
|
|||||||
V. N E W F E A T U R E S I N T H I S R E L E A S E
|
V. N E W F E A T U R E S I N T H I S R E L E A S E
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
|
|
||||||
1) Beginning with this release, Simple Traffic Shaping allows rate
|
None.
|
||||||
limiting of outbound traffic using a Token Bucket Filter (man
|
|
||||||
tc-tbf).
|
|
||||||
|
|
||||||
The /etc/shorewall/tcinterfaces file has an additional column
|
|
||||||
(OUT-BANDWIDTH).
|
|
||||||
|
|
||||||
The format of this column is:
|
|
||||||
|
|
||||||
<rate>:<burst>:<latency>[:<peakrate>[:<minburst>]]
|
|
||||||
|
|
||||||
See the tc and tc-tbf manpages for information about these
|
|
||||||
parameters.
|
|
||||||
|
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
|
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
|
||||||
|