Traffic Shaping/Control

Beginning with version 1.2.0, Shorewall has limited support for traffic shaping/control. In order to use traffic shaping under Shorewall, it is essential that you get a copy of the Linux Advanced Routing and Shaping HOWTO, version 0.3.0 or later. You must also install the iproute (iproute2) package to provide the "ip" and "tc" utilities.

Shorewall traffic shaping support consists of the following:

A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic Shaping also requires that you enable packet mangling.
/etc/shorewall/tcrules - A file where you can specify firewall marking of packets. The firewall mark value may be used to classify packets for traffic shaping/control.
/etc/shorewall/tcstart - A user-supplied file that is sourced by Shorewall during "shorewall start" and which you can use to define your traffic shaping disciplines and classes. I have provided a sample that does table-driven CBQ shaping but if you read the traffic shaping sections of the HOWTO mentioned above, you can probably code your own faster than you can learn how to use my sample. I personally use HTB (see below). HTB support may eventually become an integral part of Shorewall since HTB is a lot simpler and better-documented than CBQ. HTB is currently not a standard part of either the kernel or iproute2 so both must be patched in order to use it.

In tcstart, when you want to run the 'tc' utility, use the run_tc function supplied by shorewall.
/etc/shorewall/tcclear - A user-supplied file that is sourced by Shorewall when it is clearing traffic shaping. This file is normally not required as Shorewall's method of clearing qdisc and filter definitions is pretty general.

Kernel Configuration

This screen shot show how I've configured QoS in my Kernel:

/etc/shorewall/tcrules

The fwmark classifier provides a convenient way to classify packets for traffic shaping. The /etc/shorewall/tcrules file provides a means for specifying these marks in a tabular fashion.

Columns in the file are as follows:

MARK - Specifies the mark value is to be assigned in case of a match. This is an integer in the range 1-255.

Example - 5
SOURCE - The source of the packet. If the packet originates on the firewall, place "fw" in this column. Otherwise, this is a comma-separated list of interface names, IP addresses, MAC addresses in Shorewall Format and/or Subnets.

Examples
eth0
192.168.2.4,192.168.1.0/24
DEST -- Destination of the packet. Comma-separated list of IP addresses and/or subnets.
PROTO - Protocol - Must be the name of a protocol from /etc/protocol, a number or "all"
PORT(S) - Destination Ports. A comma-separated list of Port names (from /etc/services), port numbers or port ranges (e.g., 21:22); if the protocol is "icmp", this column is interpreted as the destination icmp type(s).
CLIENT PORT(S) - (Optional) Port(s) used by the client. If omitted, any source port is acceptable. Specified as a comma-separate list of port names, port numbers or port ranges.

Example 1 - All packets arriving on eth1 should be marked with 1. All packets arriving on eth2 should be marked with 2. All packets originating on the firewall itself should be marked with 3.

MARK	SOURCE	DEST	PROTO	PORT(S)	CLIENT PORT(S)
1	eth1	0.0.0.0/0	all
2	eth2	0.0.0.0/0	all
3	fw	0.0.0.0/0	all

Example 2 - All GRE (protocol 47) packets not originating on the firewall and destined for 155.186.235.151 should be marked with 12.

MARK	SOURCE	DEST	PROTO	PORT(S)	CLIENT PORT(S)
12	0.0.0.0/0	155.186.235.151	47

Example 3 - All SSH packets originating in 192.168.1.0/24 and destined for 155.186.235.151 should be marked with 22.

MARK	SOURCE	DEST	PROTO	PORT(S)	CLIENT PORT(S)
22	192.168.1.0/24	155.186.235.151	tcp	22

Hierarchical Token Bucket

I personally use HTB. I have found a couple of things that may be of use to others.

The gzipped tc binary at the HTB website didn't work for me -- I had to download the lastest version of the iproute2 sources and patch them for HTB.
I'm currently running with this set of shaping rules in my tcstart file. I recently changed from using a ceiling of 10Mbit (interface speed) to 384kbit (DSP Uplink speed).

run_tc qdisc add dev eth0 root handle 1: htb default 30
run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k

echo "   Added Top Level Class -- rate 384kbit"

run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k
run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k
run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500

echo "   Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"

run_tc qdisc add dev eth0 parent 1:10 sfq perturb 10
run_tc qdisc add dev eth0 parent 1:20 sfq perturb 10
run_tc qdisc add dev eth0 parent 1:30 sfq perturb 10

echo "   Enabled SFQ on Second Level Classes"

run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10
run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 2 fw classid 1:20
run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30

echo "   Defined fwmark filters"

My tcrules file is shown in Example 1 above. You can look at my network configuration to get an idea of why I want these particular rules.

Last Updated 10/25/2002 - Tom Eastep