SHOREWALL6-TCCLASSE(5)         [FIXME: manual]         SHOREWALL6-TCCLASSE(5)

NAME
   tcclasses - Shorewall6 file to define HTB classes

SYNOPSIS
   /etc/shorewall6/tcclasses

DESCRIPTION
   A note on the rate/bandwidth definitions used in this file:

   ·  don't use a space between the integer value and the unit: 30kbit is
      valid while 30 kbit is NOT.

   ·  you can use one of the following units:

      kbps
          Kilobytes per second.

      mbps
          Megabytes per second.

      kbit
          Kilobits per second.

      mbit
          Megabits per second.

      bps or number
          Bytes per second.

   ·  if you want the values to be calculated for you depending on the
      output bandwidth setting defined for an interface in tcdevices, you
      can use expressions like the following:

      full/3
          causes the bandwidth to be calculated as 1/3 of the full
          outgoing speed that is defined.

      full*9/10
          will set this bandwidth to 9/10 of the full bandwidth.

      Note that in a sub-class (a class that has a specified parent
      class), full refers to the RATE or CEIL of the parent class rather
      than to the OUT-BANDWIDTH of the device.

      DO NOT add a unit to the rate if it is calculated!
   The columns in the file are as follows.

   INTERFACE - interface[[:parent]:class]
       Name of interface. Each interface may be listed only once in this
       file. You may NOT specify the name of an alias (e.g., eth0:0) here;
       see http://www.shorewall.net/FAQ.htm#faq18

       You may specify either the interface number or the interface name.
       If the classify option is given for the interface in
       shorewall6-tcdevices[1](5), then you must also specify an interface
       class (an integer that must be unique within classes associated
       with this interface).

       You may NOT specify wildcards here, e.g. if you have multiple ppp
       interfaces, you need to put them all in here!

       Please note that you can only use interface names in here that have
       a bandwidth defined in the shorewall6-tcdevices[1](5) file.

       Normally, all classes defined here are sub-classes of a root class
       (class number 1) that is implicitly defined from the entry in
       shorewall6-tcdevices[1](5). You can establish a class hierarchy by
       specifying a parent class -- the number of a class that you have
       previously defined. The sub-class may borrow unused bandwidth from
       its parent.

   MARK - {-|value}
       The mark value, which is an integer in the range 1-255. You set mark
       values in the shorewall6-tcrules[2](5) file, marking the traffic
       you want to fit in the classes defined in here. Must be specified
       as '-' if the classify option is given for the interface in
       shorewall6-tcdevices[1](5).

       You can use the same marks for different interfaces.

   RATE - rate[:dmax[:umax]]
       The minimum bandwidth this class should get when the traffic load
       rises. If the sum of the rates in this column exceeds the
       INTERFACE's OUT-BANDWIDTH, then the OUT-BANDWIDTH limit may not be
       honored. Similarly, if the sum of the rates of sub-classes of a
       class exceeds the CEIL of the parent class, things don't work well.

       When using the HFSC queuing discipline, leaf classes may specify
       dmax, the maximum delay in milliseconds that the first queued
       packet for this class should experience. May be expressed as an
       integer, optionally followed by 'ms' with no intervening white
       space (e.g., 10ms).

       HFSC leaf classes may also specify umax, the largest packet
       expected in this class. May be expressed as an integer. The unit of
       measure is bytes and the integer may be optionally followed by 'b'
       with no intervening white space (e.g., 800b). umax may only be
       given if dmax is also given.

   CEIL - rate
       The maximum bandwidth this class is allowed to use when the link is
       idle. Useful if you have traffic which can get full speed when more
       needed services (e.g. ssh) are not used.

       You can use the value full in here for setting the maximum
       bandwidth to the RATE of the parent class, or the OUT-BANDWIDTH of
       the device if there is no parent class.
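   The following Python script is an added example and is not part of
   this man page or of Shorewall itself. It evaluates RATE and CEIL tokens
   the way the note on rate definitions above describes them (the five
   units, the forbidden space before the unit, the calculated forms full,
   full/N and full*M/N with no unit allowed) and checks the RATE column's
   caveat that the rates of the classes under one parent should not add up
   to more than that parent's bandwidth. The unit multipliers (decimal
   prefixes, 8 bits per byte) and the 1000kbit OUT-BANDWIDTH used in the
   demo are assumptions; Shorewall's own compiler may round differently.

```python
import re
from fractions import Fraction

# Multipliers from each unit to bits per second. Assumption (not stated
# on the page): decimal prefixes (k = 1000, M = 1000*1000) and 8 bits per
# byte; a bare number, like bps, means bytes per second.
UNIT_BITS = {
    "kbps": 8 * 1000,
    "mbps": 8 * 1000 * 1000,
    "kbit": 1000,
    "mbit": 1000 * 1000,
    "bps": 8,
    "": 8,
}

_ABSOLUTE = re.compile(r"^(\d+)(kbps|mbps|kbit|mbit|bps)?$")
# Accepted calculated forms: full, full/N and full*M/N (no unit).
_CALCULATED = re.compile(r"^full(?:\*(\d+))?(?:/(\d+))?$")


def rate_to_bps(spec, full):
    """Convert one RATE or CEIL token to bits per second.

    `full` is the bandwidth a calculated token is relative to: the
    OUT-BANDWIDTH of the device for a top-level class, or the RATE/CEIL of
    the parent for a sub-class. Raises ValueError for the forms the man
    page forbids (a space before the unit, a unit on a calculated rate).
    """
    spec = spec.strip()
    if " " in spec:
        raise ValueError(f"{spec!r}: no space allowed between value and unit")
    m = _ABSOLUTE.match(spec)
    if m:
        value, unit = m.groups()
        return int(value) * UNIT_BITS[unit or ""]
    m = _CALCULATED.match(spec)
    if m:
        mul, div = m.groups()
        return int(full * Fraction(int(mul or 1), int(div or 1)))
    if spec.startswith("full"):
        raise ValueError(f"{spec!r}: do not add a unit to a calculated rate")
    raise ValueError(f"{spec!r}: unrecognised rate")


def rates_within(rate_specs, full):
    """Sum the RATE column of the classes sharing one parent and report
    whether it stays within `full` (the OUT-BANDWIDTH for top-level
    classes, the parent's CEIL for sub-classes). Returns (total, ok)."""
    total = sum(rate_to_bps(r, full) for r in rate_specs)
    return total, total <= full


if __name__ == "__main__":
    out_bandwidth = rate_to_bps("1000kbit", 0)  # constructed OUT-BANDWIDTH
    for spec in ("30kbit", "100kbps", "full/3", "full*9/10", "512"):
        print(f"{spec:>10} -> {rate_to_bps(spec, out_bandwidth)} bit/s")
    # The RATE column of Example 1 below, against the constructed link.
    print(rates_within(["100kbit", "full/4", "full/4", "full/8"], out_bandwidth))
    for bad in ("30 kbit", "full/3kbit"):
        try:
            rate_to_bps(bad, out_bandwidth)
        except ValueError as err:
            print("rejected:", err)
```

   Passing the parent's RATE or CEIL as `full` for a sub-class, and the
   device's OUT-BANDWIDTH for a top-level class, is what makes the same
   function serve both levels of the hierarchy.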

   PRIORITY - priority
       The priority in which classes will be serviced by the packet
       shaping scheduler and also the priority in which bandwidth in
       excess of the rate will be given to each class.

       Higher priority classes will experience less delay since they are
       serviced first. Priority values are serviced in ascending order
       (e.g. 0 is higher priority than 1).

       Classes may be set to the same priority, in which case they will be
       serviced as equals.

   OPTIONS (Optional) - [option[,option]...]
       A comma-separated list of options including the following:

       default
           This is the default class for that interface where all traffic
           should go that is not classified otherwise.

           Note
               You must define default for exactly one class per
               interface.

       tos=0xvalue[/0xmask] (mask defaults to 0xff)
           This lets you define a classifier for the given value/mask
           combination of the IP packet's TOS/Precedence/DiffServ octet
           (aka the TOS byte).

       tos-tosname
           Aliases for the following TOS octet value and mask encodings.
           TOS encodings of the "TOS byte" have been deprecated in favor
           of DiffServ classes, but programs like ssh, rlogin, and ftp
           still use them.

               tos-minimize-delay          0x10/0x10
               tos-maximize-throughput     0x08/0x08
               tos-maximize-reliability    0x04/0x04
               tos-minimize-cost           0x02/0x02
               tos-normal-service          0x00/0x1e

           Note
               Each of these options is only valid for ONE class per
               interface.

       tcp-ack
           If defined, causes a tc filter to be created that puts all TCP
           ACK packets on that interface that have a size of <=64 bytes
           into this class. This is useful for speeding up downloads.
           Please note that the size of the ACK packets is limited to 64
           bytes because we want only packets WITHOUT payload to match.

           Note
               This option is only valid for ONE class per interface.

       flow=keys
           Shorewall attaches an SFQ queuing discipline to each leaf HTB
           class. SFQ ensures that each flow gets equal access to the
           interface. The default definition of a flow corresponds roughly
           to a Netfilter connection. So if one internal system is running
           BitTorrent, for example, it can have lots of 'flows' and can
           thus take up a larger share of the bandwidth than a system
           having only a single active connection. The flow classifier
           (module cls_flow) works around this by letting you define what
           a 'flow' is. The classifier must be used carefully or it can
           block off all traffic on an interface! The flow option can be
           specified for an HTB leaf class (one that has no sub-classes).
           We recommend that you use the following:

               Shaping internet-bound traffic:
                   flow=nfct-src

               Shaping traffic bound for your local net:
                   flow=dst

           These will cause a 'flow' to consist of the traffic to/from
           each internal system.

           When more than one key is given, they must be enclosed in
           parentheses and separated by commas.

           To see a list of the possible flow keys, run this command:

               tc filter add flow help

           Those that begin with "nfct-" are Netfilter connection tracking
           fields. As shown above, we recommend flow=nfct-src; that means
           that we want to use the source IP address before NAT as the key.

       pfifo
           When specified for a leaf class, the pfifo queuing discipline is
           applied to the class rather than the sfq queuing discipline.

       limit=number
           Added in Shorewall 4.4.3. When specified for a leaf class,
           determines the maximum number of packets that may be queued
           within the class. The number must be > 2 and <= 128. If not
           specified, the value 127 is assumed.

EXAMPLE
   Example 1:
       Suppose you are using PPP over Ethernet (DSL) and ppp0 is the
       interface for this. You have 4 classes here: the first you can use
       for voice over IP traffic, the second for interactive traffic (e.g.
       ssh/telnet but not scp), the third will be for all unclassified
       traffic, and the fourth is for low priority traffic (e.g.
       peer-to-peer).

       The voice traffic in the first class will be guaranteed a minimum
       of 100kbps and always be serviced first (because of the low
       priority number, giving less delay) and will be granted excess
       bandwidth (up to 180kbps, the class ceiling) first, before any
       other traffic. A single VOIP stream, depending upon codecs, after
       encapsulation, can take up to 80kbps on a PPPoE/DSL link, so we pad
       a little bit just in case. (TOS byte values 0xb8 and 0x68 are
       DiffServ classes EF and AF31 respectively and are often used by
       VOIP devices).

       Interactive traffic (tos-minimize-delay) and TCP ACKs (and ICMP echo
       traffic if you use the example in tcrules) and any packet with a
       mark of 2 will be guaranteed 1/4 of the link bandwidth, and may
       extend up to the full speed of the link.

       Unclassified traffic and packets marked as 3 will be guaranteed
       1/4th of the link bandwidth, and may extend to the full speed of
       the link.

       Packets marked with 4 will be treated as low priority packets. (The
       tcrules example marks p2p traffic as such.) If the link is
       congested, they're only guaranteed 1/8th of the speed, and even if
       the link is empty, can only expand to 80% of link bandwidth just as
       a precaution in case there are upstream queues we didn't account
       for. This is the last class to get additional bandwidth and the
       last to get serviced by the scheduler because of the low priority.

       #INTERFACE  MARK  RATE     CEIL       PRIORITY  OPTIONS
       ppp0        1     100kbit  180kbit    1         tos=0x68/0xfc,tos=0xb8/0xfc
       ppp0        2     full/4   full       2         tcp-ack,tos-minimize-delay
       ppp0        3     full/4   full       3         default
       ppp0        4     full/8   full*8/10  4
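   The following Python linter is an added example, not part of this man
   page or of Shorewall; it applies the structural rules from the
   INTERFACE, MARK and OPTIONS sections above to a tcclasses file body
   (the interface[[:parent]:class] form, marks of '-' or 1-255, exactly one
   default per interface, the tos-* aliases and tcp-ack on at most one
   class per interface, limit in the range 2 < n <= 128, and flow, pfifo
   and limit on leaf classes only) and runs it over Example 1 plus a
   constructed file that breaks several of them. The option names and
   ranges come from the page; the tos= value syntax check (one or two hex
   digits each side) and the BAD_CONFIG lines are assumptions of this
   example. RATE and CEIL tokens are passed through unchecked.

```python
import re

# Rules taken from the INTERFACE, MARK and OPTIONS sections of this man
# page. RATE and CEIL tokens are carried through unchecked.
TOS_ALIASES = {"tos-minimize-delay", "tos-maximize-throughput",
               "tos-maximize-reliability", "tos-minimize-cost",
               "tos-normal-service"}
ONCE_PER_INTERFACE = TOS_ALIASES | {"tcp-ack"}   # one class per interface
LEAF_ONLY = ("flow=", "pfifo", "limit=")         # leaf classes only
# Assumed syntax for tos=0xvalue[/0xmask]: one or two hex digits each.
_TOS_VALUE = re.compile(r"^tos=0x[0-9a-fA-F]{1,2}(/0x[0-9a-fA-F]{1,2})?$")


def split_options(field):
    """Split OPTIONS on commas outside parentheses, so flow=(nfct-src,dst)
    stays a single option."""
    opts, depth, cur = [], 0, ""
    for ch in field:
        if ch == "," and depth == 0:
            opts.append(cur)
            cur = ""
            continue
        depth += (ch == "(") - (ch == ")")
        cur += ch
    return opts + [cur] if cur else opts


def parse_row(line):
    """Split one tcclasses line into its columns; OPTIONS may be absent."""
    cols = line.split()
    if len(cols) not in (5, 6):
        raise ValueError(f"expected 5 or 6 columns, got {len(cols)}")
    parts = cols[0].split(":")  # interface[[:parent]:class]
    if len(parts) > 3:
        raise ValueError(f"bad INTERFACE spec {cols[0]!r}")
    return {"iface": parts[0],
            "parent": parts[1] if len(parts) == 3 else None,
            "classid": parts[-1] if len(parts) > 1 else None,
            "mark": cols[1],
            "opts": split_options(cols[5]) if len(cols) == 6 else []}


def lint(text):
    """Return the list of rule violations found in a tcclasses file body."""
    problems, rows = [], []
    for ln, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            try:
                rows.append((ln, parse_row(line)))
            except ValueError as err:
                problems.append(f"line {ln}: {err}")
    # A class is a leaf unless another line names it as its parent.
    parents = {(r["iface"], r["parent"]) for _, r in rows if r["parent"]}
    defaults, used_once = {}, {}
    for ln, r in rows:
        iface, mark = r["iface"], r["mark"]
        defaults.setdefault(iface, 0)
        if mark != "-" and not (mark.isdigit() and 1 <= int(mark) <= 255):
            problems.append(f"line {ln}: MARK must be '-' or 1-255, got {mark!r}")
        is_leaf = (iface, r["classid"]) not in parents
        for opt in r["opts"]:
            if opt == "default":
                defaults[iface] += 1
            elif opt in ONCE_PER_INTERFACE:
                if (iface, opt) in used_once:
                    problems.append(f"line {ln}: {opt} already used on line "
                                    f"{used_once[iface, opt]} for {iface}")
                used_once.setdefault((iface, opt), ln)
            elif opt.startswith("tos="):
                if not _TOS_VALUE.match(opt):
                    problems.append(f"line {ln}: malformed {opt!r}, expected tos=0xvalue[/0xmask]")
            elif opt.startswith("limit="):
                n = opt[6:]
                if not (n.isdigit() and 2 < int(n) <= 128):
                    problems.append(f"line {ln}: {opt} out of range (must be > 2 and <= 128)")
            elif not (opt.startswith("flow=") or opt == "pfifo"):
                problems.append(f"line {ln}: unknown option {opt!r}")
            if opt.startswith(LEAF_ONLY) and not is_leaf:
                problems.append(f"line {ln}: {opt} is only valid on a leaf class")
    for iface, n in defaults.items():
        if n != 1:
            problems.append(f"{iface}: 'default' must be set on exactly one class (found {n})")
    return problems


# Example 1 from this man page; it should lint clean.
EXAMPLE_1 = """\
#INTERFACE  MARK  RATE     CEIL       PRIORITY  OPTIONS
ppp0        1     100kbit  180kbit    1         tos=0x68/0xfc,tos=0xb8/0xfc
ppp0        2     full/4   full       2         tcp-ack,tos-minimize-delay
ppp0        3     full/4   full       3         default
ppp0        4     full/8   full*8/10  4
"""

# Constructed file that breaks several of the rules above.
BAD_CONFIG = """\
eth1:2      -     10mbit  full  1         default,tcp-ack,pfifo
eth1:2:21   -     full/2  full  2         default,tcp-ack,limit=200
eth1:2:22   300   full/4  full  3         flow=(nfct-src,dst)
eth1:3      -     full/4  full  4         bogus
"""
```

   Run lint(EXAMPLE_1) and lint(BAD_CONFIG) to compare: the first returns
   an empty list, the second reports the non-leaf pfifo, the second
   tcp-ack and default on eth1, the out-of-range limit, the mark of 300
   and the unknown option. Whether MARK is '-' on a classify interface
   cannot be checked from this file alone; it needs the tcdevices entry.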

FILES
   /etc/shorewall6/tcclasses

SEE ALSO
   http://shorewall.net/traffic_shaping.htm

   shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
   shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
   shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
   shorewall6-providers(5), shorewall6-route_rules(5),
   shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
   shorewall6-secmarks(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
   shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)

NOTES
    1. shorewall6-tcdevices
       http://www.shorewall.net/manpages6/shorewall6-tcdevices.html

    2. shorewall6-tcrules
       http://www.shorewall.net/manpages6/shorewall6-tcrules.html

[FIXME: source]                   09/16/2011             SHOREWALL6-TCCLASSE(5)