SHOREWALL-TCCLASSES(5) | [FIXME: manual] | SHOREWALL-TCCLASSES(5) |
NAME¶
tcclasses - Shorewall file to define HTB classesSYNOPSIS¶
/etc/shorewall/tcclasses
DESCRIPTION¶
A note on the rate/bandwidth definitions used in this file:•don't use a space between the integer
value and the unit: 30kbit is valid while 30 kbit is NOT.
•you can use one of the following units:
kpbs
Kilobytes per second.
mbps
Megabytes per second.
kbit
Kilobits per second.
mbit
Megabits per second.
bps or number
Bytes per second.
•if you want the values to be calculated
for you depending on the output bandwidth setting defined for an interface in
tcdevices, you can use expressions like the following:
full/3
Note that in a sub-class (a class that has a specified parent class), full
refers to the RATE or CEIL of the parent class rather than to the
OUT-BANDWIDTH of the device.
DO NOT add a unit to the rate if it is calculated !
The columns in the file are as follows.
INTERFACE - interface[[:parent]:class]
causes the bandwidth to be calculated as 1/3
of the full outgoing speed that is defined.
full*9/10
will set this bandwidth to 9/10 of the full
bandwidth
Name of interface. Each interface may
be listed only once in this file. You may NOT specify the name of an alias
(e.g., eth0:0) here; see http://www.shorewall.net/FAQ.htm#faq18
You may specify the interface number rather than the interface name. If the
classify option is given for the interface in
shorewall-tcdevices[1](5), then you must also specify an interface
class (an integer that must be unique within classes associated with this
interface). If the classify option is not given, you may still specify a
class or you may have Shorewall generate a class number from the MARK
value. Interface numbers and class numbers are always assumed to be specified
in hex and class number 1 is reserved as the root class of the queuing
discipline.
You may NOT specify wildcards here, e.g. if you have multiple ppp interfaces,
you need to put them all in here!
Please note that you can only use interface names in here that have a bandwidth
defined in the shorewall-tcdevices[1](5) file.
Normally, all classes defined here are sub-classes of a root class that is
implicitly defined from the entry in shorewall-tcdevices[1](5). You can
establish a class hierarchy by specifying a parent class -- the number
of a class that you have previously defined. The sub-class may borrow unused
bandwidth from its parent.
MARK - {-|value}
The mark value which is an integer in
the range 1-255. You set mark values in the shorewall-tcrules[2](5)
file, marking the traffic you want to fit in the classes defined in here. Must
be specified as '-' if the classify option is given for the interface
in shorewall-tcdevices[1](5)
You can use the same marks for different interfaces.
RATE - rate[:dmax[:umax]]
The minimum bandwidth this class should get,
when the traffic load rises. If the sum of the rates in this column exceeds
the INTERFACE's OUT-BANDWIDTH, then the OUT-BANDWIDTH limit may not be
honored. Similarly, if the sum of the rates of sub-classes of a class exceed
the CEIL of the parent class, things don't work well.
When using the HFSC queuing discipline, leaf classes may specify dmax,
the maximum delay in milliseconds that the first queued packet for this class
should experience. May be expressed as an integer, optionally followed by 'ms'
with no intervening white space (e.g., 10ms).
HFSC leaf classes may also specify umax, the largest packet expected in
this class. May be expressed as an integer. The unit of measure is
bytes and the integer may be optionally followed by 'b' with no
intervening white space (e.g., 800b). umax may only be given if
dmax is also given.
CEIL - rate
The maximum bandwidth this class is allowed to
use when the link is idle. Useful if you have traffic which can get full speed
when more needed services (e.g. ssh) are not used.
You can use the value full in here for setting the maximum bandwidth to
the RATE of the parent class, or the OUT-BANDWIDTH of the device if there is
no parent class.
PRIORITY - priority
The priority in which classes will be
serviced by the packet shaping scheduler and also the priority in which
bandwidth in excess of the rate will be given to each class.
Higher priority classes will experience less delay since they are serviced
first. Priority values are serviced in ascending order (e.g. 0 is higher
priority than 1).
Classes may be set to the same priority, in which case they will be serviced as
equals.
OPTIONS (Optional) - [option[,option]...]
A comma-separated list of options including
the following:
default
This is the default class for that interface
where all traffic should go, that is not classified otherwise.
Note
You must define default for exactly one class per interface.
tos=0xvalue[/0xmask] (mask defaults to 0xff)
This lets you define a classifier for the
given value/mask combination of the IP packet's
TOS/Precedence/DiffSrv octet (aka the TOS byte).
tos-tosname
Aliases for the following TOS octet value and
mask encodings. TOS encodings of the "TOS byte" have been deprecated
in favor of diffserve classes, but programs like ssh, rlogin, and ftp still
use them.
Note
Each of these options is only valid for ONE class per interface.
tcp-ack
tos-minimize-delay 0x10/0x10 tos-maximize-throughput 0x08/0x08 tos-maximize-reliability 0x04/0x04 tos-minimize-cost 0x02/0x02 tos-normal-service 0x00/0x1e
If defined, causes a tc filter to be created
that puts all tcp ack packets on that interface that have a size of <=64
Bytes to go in this class. This is useful for speeding up downloads. Please
note that the size of the ack packets is limited to 64 bytes because we want
only packets WITHOUT payload to match.
Note
This option is only valid for ONE class per interface.
occurs=number
Typically used with an IPMARK entry in
tcrules. Causes the rule to be replicated for a total of number rules.
Each rule has a successively class number and mark value.
When 'occurs' is used:
The 'RATE' and 'CEIL' parameters apply to each instance of the class. So the
total RATE represented by an entry with 'occurs' will be the listed RATE
multiplied by number. For additional information, see tcrules[2]
(5).
flow= keys
•The associated device may not have the
'classify' option.
•The class may not be the default
class.
•The class may not have any 'tos='
options (including 'tcp-ack').
•The class should not specify a MARK
value. If one is specified, it will be ignored with a warning message.
Shorewall attaches an SFQ queuing discipline
to each leaf HTB class. SFQ ensures that each flow gets equal access to the
interface. The default definition of a flow corresponds roughly to a Netfilter
connection. So if one internal system is running BitTorrent, for example, it
can have lots of 'flows' and can thus take up a larger share of the bandwidth
than a system having only a single active connection. The flow
classifier (module cls_flow) works around this by letting you define what a
'flow' is. The clasifier must be used carefully or it can block off all
traffic on an interface! The flow option can be specified for an HTB leaf
class (one that has no sub-classes). We recommend that you use the following:
When more than one key is give, they must be enclosed in parenthesis and
separated by commas.
To see a list of the possible flow keys, run this command: tc filter add flow
help Those that begin with "nfct-" are Netfilter connection
tracking fields. As shown above, we recommend flow=nfct-src; that means that
we want to use the source IP address before NAT as the key.
pfifo
Shaping internet-bound traffic:
flow=nfct-src
flow=nfct-src
Shaping traffic bound for your local net:
flow=dst
These will cause a 'flow' to consists of the traffic to/from each internal
system.
flow=dst
When specified for a leaf class, the pfifo
queing discipline is applied to the class rather than the sfq queuing
discipline.
limit= number
Added in Shorewall 4.4.3. When specified for a
leaf class, determines the maximum number of packets that may be queued within
the class. The number must be > 2 and <=128. If not specified,
the value 127 is assumed.
EXAMPLES¶
Example 1:Suppose you are using PPP over Ethernet (DSL)
and ppp0 is the interface for this. You have 4 classes here, the first you can
use for voice over IP traffic, the second interactive traffic (e.g. ssh/telnet
but not scp), the third will be for all unclassified traffic, and the forth is
for low priority traffic (e.g. peer-to-peer).
The voice traffic in the first class will be guaranteed a minimum of 100kbps and
always be serviced first (because of the low priority number, giving less
delay) and will be granted excess bandwidth (up to 180kbps, the class ceiling)
first, before any other traffic. A single VOIP stream, depending upon codecs,
after encapsulation, can take up to 80kbps on a PPOE/DSL link, so we pad a
little bit just in case. (TOS byte values 0xb8 and 0x68 are DiffServ classes
EF and AFF3-1 respectively and are often used by VOIP devices).
Interactive traffic (tos-minimum-delay) and TCP acks (and ICMP echo traffic if
you use the example in tcrules) and any packet with a mark of 2 will be
guaranteed 1/4 of the link bandwidth, and may extend up to full speed of the
link.
Unclassified traffic and packets marked as 3 will be guaranteed 1/4th of the
link bandwidth, and may extend to the full speed of the link.
Packets marked with 4 will be treated as low priority packets. (The tcrules
example marks p2p traffic as such.) If the link is congested, they're only
guaranteed 1/8th of the speed, and even if the link is empty, can only expand
to 80% of link bandwidth just as a precaution in case there are upstream
queues we didn't account for. This is the last class to get additional
bandwidth and the last to get serviced by the scheduler because of the low
priority.
#INTERFACE MARK RATE CEIL PRIORITY OPTIONS ppp0 1 100kbit 180kbit 1 tos=0x68/0xfc,tos=0xb8/0xfc ppp0 2 full/4 full 2 tcp-ack,tos-minimize-delay ppp0 3 full/4 full 3 default ppp0 4 full/8 full*8/10 4
FILES¶
/etc/shorewall/tcclassesSEE ALSO¶
http://shorewall.net/traffic_shaping.htm http://shorewall.net/configuration_file_basics.htm#Pairs shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)NOTES¶
- 1.
- shorewall-tcdevices
- 2.
- shorewall-tcrules
06/28/2012 | [FIXME: source] |