Traffic Shaping/Control

Beginning with version 1.2.0, Shorewall has limited support for traffic shaping/control. In order to use traffic shaping under Shorewall, it is essential that you get a copy of the Linux Advanced Routing and Shaping HOWTO, version 0.3.0 or later. You must also install the iproute (iproute2) package to provide the "ip" and "tc" utilities.

Shorewall traffic shaping support consists of the following:

Shorewall allows you to start traffic shaping when Shorewall itself starts or it allows you to bring up traffic shaping when you bring up your interfaces.

To start traffic shaping when Shorewall starts:
  1. Set TC_ENABLED=Yes and CLEAR_TC=Yes
  2. Supply an /etc/shorewall/tcstart script to configure your traffic shaping rules.
  3. Optionally supply an /etc/shorewall/tcclear script to stop traffic shaping. That is usually unnecessary.
  4. If your tcstart script uses the 'fwmark' classifier, you can mark packets using entries in /etc/shorewall/tcrules.
To start traffic shaping when you bring up your network interfaces, you will have to arrange for your traffic shaping configuration script to be run at that time. How you do that is distribution dependent and will not be covered here. You then should:
  1. Set TC_ENABLED=Yes and CLEAR_TC=No
  2. Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear scripts.
  3. If your tcstart script uses the 'fwmark' classifier, you can mark packets using entries in /etc/shorewall/tcrules.

Kernel Configuration

This screen shot show how I've configured QoS in my Kernel:

/etc/shorewall/tcrules

The fwmark classifier provides a convenient way to classify packets for traffic shaping. The /etc/shorewall/tcrules file provides a means for specifying these marks in a tabular fashion.

Normally, packet marking occurs in the PREROUTING chain before any address rewriting takes place. This makes it impossible to mark inbound packets based on their destination address when SNAT or Masquerading are being used. Beginning with Shorewall 1.3.12, you can cause packet marking to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option in shorewall.conf.

Columns in the file are as follows:

Example 1 - All packets arriving on eth1 should be marked with 1. All packets arriving on eth2 and eth3 should be marked with 2. All packets originating on the firewall itself should be marked with 3.

MARK SOURCE DEST PROTO PORT(S) CLIENT PORT(S)
1 eth1 0.0.0.0/0 all    
2 eth2 0.0.0.0/0 all    
2
eth3
0.0.0.0/0
all


3 fw 0.0.0.0/0 all    

Example 2 - All GRE (protocol 47) packets not originating on the firewall and destined for 155.186.235.151 should be marked with 12.

MARK SOURCE DEST PROTO PORT(S) CLIENT PORT(S)
12 0.0.0.0/0 155.186.235.151 47    

Example 3 - All SSH packets originating in 192.168.1.0/24 and destined for 155.186.235.151 should be marked with 22.

MARK SOURCE DEST PROTO PORT(S) CLIENT PORT(S)
22 192.168.1.0/24 155.186.235.151 tcp 22  

My Setup

While I am currently using the HTB version of The Wonder Shaper (I just copied wshaper.htb to /etc/shorewall/tcstart and modified it as shown in the Wondershaper README), I have also run with the following set of hand-crafted rules in my /etc/shorewall/tcstart file:

run_tc qdisc add dev eth0 root handle 1: htb default 30

run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k

echo "   Added Top Level Class -- rate 384kbit"
run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1
run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0
run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500 prio 1
echo "   Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"
run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5
run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10
run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5
echo "   Enabled PFIFO on Second Level Classes"
run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10
run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20
run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30
echo "   Defined fwmark filters"

My tcrules file that went with this tcstart file is shown in Example 1 above. You can look at my network configuration to get an idea of why I wanted these particular rules.

  1. I wanted to allow up to 140kbits/second for traffic outbound from my DMZ (note that the ceiling is set to 384kbit so outbound DMZ traffic can use all available bandwidth if there is no traffic from the local systems or from my laptop or firewall).
  2. My laptop and local systems could use up to 224kbits/second.
  3. My firewall could use up to 20kbits/second.

Last Updated 2/13/2003 - Tom Eastep

Copyright © 2001, 2002, 2003 Thomas M. Eastep.