1SHOREWALL-TCCLASSES(5) [FIXME: manual] SHOREWALL-TCCLASSES(5)
2
6 tcclasses - Shorewall file to define HTB classes
7
9 /etc/shorewall/tcclasses
10
12 A note on the rate/bandwidth definitions used in this file:
13 · don't use a space between the integer value and the unit: 30kbit is
15 valid while 30 kbit is NOT.
16 · you can use one of the following units:
18 kpbs
20 Kilobytes per second.
21 mbps
23 Megabytes per second.
24 kbit
26 Kilobits per second.
27 mbit
29 Megabits per second.
30 bps or number
32 Bytes per second.
33 · if you want the values to be calculated for you depending on the
35 output bandwidth setting defined for an interface in tcdevices, you
36 can use expressions like the following:
37 full/3
39 causes the bandwidth to be calculated as 1/3 of the full
40 outgoing speed that is defined.
41 full*9/10
43 will set this bandwidth to 9/10 of the full bandwidth
44 Note that in a sub-class (a class that has a specified parent
46 class), full refers to the RATE or CEIL of the parent class rather
47 than to the OUT-BANDWIDTH of the device.
48 DO NOT add a unit to the rate if it is calculated !
50 The columns in the file are as follows.
52 INTERFACE - interface[[:parent]:class]
54 Name of interface. Each interface may be listed only once in this
55 file. You may NOT specify the name of an alias (e.g., eth0:0) here;
56 see http://www.shorewall.net/FAQ.htm#faq18
57 You may specify the interface number rather than the interface
59 name. If the classify option is given for the interface in
60 shorewall-tcdevices[1](5), then you must also specify an interface
61 class (an integer that must be unique within classes associated
62 with this interface). If the classify option is not given, you may
63 still specify a class or you may have Shorewall generate a class
64 number from the MARK value. Interface numbers and class numbers are
65 always assumed to be specified in hex and class number 1 is
66 reserved as the root class of the queuing discipline.
67 You may NOT specify wildcards here, e.g. if you have multiple ppp
69 interfaces, you need to put them all in here!
70 Please note that you can only use interface names in here that have
72 a bandwidth defined in the shorewall-tcdevices[1](5) file.
73 Normally, all classes defined here are sub-classes of a root class
75 that is implicitly defined from the entry in
76 shorewall-tcdevices[1](5). You can establish a class hierarchy by
77 specifying a parent class -- the number of a class that you have
78 previously defined. The sub-class may borrow unused bandwidth from
79 its parent.
80 MARK - {-|value}
82 The mark value which is an integer in the range 1-255. You set mark
83 values in the shorewall-tcrules[2](5) file, marking the traffic you
84 want to fit in the classes defined in here. Must be specified as
85 '-' if the classify option is given for the interface in
86 shorewall-tcdevices[1](5)
87 You can use the same marks for different interfaces.
89 RATE - rate[:dmax[:umax]]
91 The minimum bandwidth this class should get, when the traffic load
92 rises. If the sum of the rates in this column exceeds the
93 INTERFACE's OUT-BANDWIDTH, then the OUT-BANDWIDTH limit may not be
94 honored. Similarly, if the sum of the rates of sub-classes of a
95 class exceed the CEIL of the parent class, things don't work well.
96 When using the HFSC queuing discipline, leaf classes may specify
98 dmax, the maximum delay in milliseconds that the first queued
99 packet for this class should experience. May be expressed as an
100 integer, optionally followed by 'ms' with no intervening white
101 space (e.g., 10ms).
102 HFSC leaf classes may also specify umax, the largest packet
104 expected in this class. May be expressed as an integer. The unit of
105 measure is bytes and the integer may be optionally followed by 'b'
106 with no intervening white space (e.g., 800b). umax may only be
107 given if dmax is also given.
108 CEIL - rate
110 The maximum bandwidth this class is allowed to use when the link is
111 idle. Useful if you have traffic which can get full speed when more
112 needed services (e.g. ssh) are not used.
113 You can use the value full in here for setting the maximum
115 bandwidth to the RATE of the parent class, or the OUT-BANDWIDTH of
116 the device if there is no parent class.
117 PRIORITY - priority
119 The priority in which classes will be serviced by the packet
120 shaping scheduler and also the priority in which bandwidth in
121 excess of the rate will be given to each class.
122 Higher priority classes will experience less delay since they are
124 serviced first. Priority values are serviced in ascending order
125 (e.g. 0 is higher priority than 1).
126 Classes may be set to the same priority, in which case they will be
128 serviced as equals.
129 OPTIONS (Optional) - [option[,option]...]
131 A comma-separated list of options including the following:
132 default
134 This is the default class for that interface where all traffic
135 should go, that is not classified otherwise.
136 Note
139 You must define default for exactly one class per
140 interface.
141 tos=0xvalue[/0xmask] (mask defaults to 0xff)
143 This lets you define a classifier for the given value/mask
144 combination of the IP packet's TOS/Precedence/DiffSrv octet
145 (aka the TOS byte).
146 tos-tosname
148 Aliases for the following TOS octet value and mask encodings.
149 TOS encodings of the "TOS byte" have been deprecated in favor
150 of diffserve classes, but programs like ssh, rlogin, and ftp
151 still use them.
152 tos-minimize-delay 0x10/0x10
154 tos-maximize-throughput 0x08/0x08
155 tos-maximize-reliability 0x04/0x04
156 tos-minimize-cost 0x02/0x02
157 tos-normal-service 0x00/0x1e
158 Note
160 Each of these options is only valid for ONE class per
161 interface.
162 tcp-ack
164 If defined, causes a tc filter to be created that puts all tcp
165 ack packets on that interface that have a size of <=64 Bytes to
166 go in this class. This is useful for speeding up downloads.
167 Please note that the size of the ack packets is limited to 64
168 bytes because we want only packets WITHOUT payload to match.
169 Note
172 This option is only valid for ONE class per interface.
173 occurs=number
175 Typically used with an IPMARK entry in tcrules. Causes the rule
176 to be replicated for a total of number rules. Each rule has a
177 successively class number and mark value.
178 When 'occurs' is used:
180 · The associated device may not have the 'classify' option.
182 · The class may not be the default class.
184 · The class may not have any 'tos=' options (including
186 'tcp-ack').
187 · The class should not specify a MARK value. If one is
189 specified, it will be ignored with a warning message.
190 The 'RATE' and 'CEIL' parameters apply to each instance of the
192 class. So the total RATE represented by an entry with 'occurs'
193 will be the listed RATE multiplied by number. For additional
194 information, see tcrules[2] (5).
195 flow=keys
197 Shorewall attaches an SFQ queuing discipline to each leaf HTB
198 class. SFQ ensures that each flow gets equal access to the
199 interface. The default definition of a flow corresponds roughly
200 to a Netfilter connection. So if one internal system is running
201 BitTorrent, for example, it can have lots of 'flows' and can
202 thus take up a larger share of the bandwidth than a system
203 having only a single active connection. The flow classifier
204 (module cls_flow) works around this by letting you define what
205 a 'flow' is. The clasifier must be used carefully or it can
206 block off all traffic on an interface! The flow option can be
207 specified for an HTB leaf class (one that has no sub-classes).
208 We recommend that you use the following:
209 Shaping internet-bound traffic:
210 flow=nfct-src
211 Shaping traffic bound for your local net:
212 flow=dst
213 These will cause a 'flow' to consists of the traffic to/from
214 each internal system.
215 When more than one key is give, they must be enclosed in
217 parenthesis and separated by commas.
218 To see a list of the possible flow keys, run this command: tc
220 filter add flow help Those that begin with "nfct-" are
221 Netfilter connection tracking fields. As shown above, we
222 recommend flow=nfct-src; that means that we want to use the
223 source IP address before NAT as the key.
224 pfifo
226 When specified for a leaf class, the pfifo queing discipline is
227 applied to the class rather than the sfq queuing discipline.
228 limit=number
230 Added in Shorewall 4.4.3. When specified for a leaf class,
231 determines the maximum number of packets that may be queued
232 within the class. The number must be > 2 and <=128. If not
233 specified, the value 127 is assumed.
234
236 Example 1:
237 Suppose you are using PPP over Ethernet (DSL) and ppp0 is the
238 interface for this. You have 4 classes here, the first you can use
239 for voice over IP traffic, the second interactive traffic (e.g.
240 ssh/telnet but not scp), the third will be for all unclassified
241 traffic, and the forth is for low priority traffic (e.g.
242 peer-to-peer).
243 The voice traffic in the first class will be guaranteed a minimum
245 of 100kbps and always be serviced first (because of the low
246 priority number, giving less delay) and will be granted excess
247 bandwidth (up to 180kbps, the class ceiling) first, before any
248 other traffic. A single VOIP stream, depending upon codecs, after
249 encapsulation, can take up to 80kbps on a PPOE/DSL link, so we pad
250 a little bit just in case. (TOS byte values 0xb8 and 0x68 are
251 DiffServ classes EF and AFF3-1 respectively and are often used by
252 VOIP devices).
253 Interactive traffic (tos-minimum-delay) and TCP acks (and ICMP echo
255 traffic if you use the example in tcrules) and any packet with a
256 mark of 2 will be guaranteed 1/4 of the link bandwidth, and may
257 extend up to full speed of the link.
258 Unclassified traffic and packets marked as 3 will be guaranteed
260 1/4th of the link bandwidth, and may extend to the full speed of
261 the link.
262 Packets marked with 4 will be treated as low priority packets. (The
264 tcrules example marks p2p traffic as such.) If the link is
265 congested, they're only guaranteed 1/8th of the speed, and even if
266 the link is empty, can only expand to 80% of link bandwidth just as
267 a precaution in case there are upstream queues we didn't account
268 for. This is the last class to get additional bandwidth and the
269 last to get serviced by the scheduler because of the low priority.
270 #INTERFACE MARK RATE CEIL PRIORITY OPTIONS
272 ppp0 1 100kbit 180kbit 1 tos=0x68/0xfc,tos=0xb8/0xfc
273 ppp0 2 full/4 full 2 tcp-ack,tos-minimize-delay
274 ppp0 3 full/4 full 3 default
275 ppp0 4 full/8 full*8/10 4
276
278 /etc/shorewall/tcclasses
279
281 http://shorewall.net/traffic_shaping.htm
282 shorewall(8), shorewall-accounting(5), shorewall-actions(5),
284 shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
285 shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
286 shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
287 shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
288 shorewall-route_rules(5), shorewall-routestopped(5),
289 shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
290 shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
291 shorewall-tunnels(5), shorewall-zones(5)
292
294 1. shorewall-tcdevices
295 http://www.shorewall.net/manpages/shorewall-tcdevices.html
296 2. shorewall-tcrules
298 http://www.shorewall.net/manpages/shorewall-tcrules.html
299[FIXME: source] 09/16/2011 SHOREWALL-TCCLASSES(5)