thr3ads.net - Shorewall users - Help for TC in Shorewall [Dec 2008]

If this information is useful, please help other people find it:
Share via:

Phibee Network Operation Center

2008-Dec-01 16:26 UTC

Help for TC in Shorewall

Hi

anyone can help me to create a TC Rules on my shorewall 3.2.X ?
Shorewall are on my linux gateway (eth0: Net and Eth1:Lan)

I have a link:
   
eth0   2048kbits   2048kbits (Sdsl)

I want create a tc for:

eth1 and fw to eth0:

    All protocol are limited at 1792kbits
(a ftp or web download can''t get more 1792 kbits of BP)

a exeption:
    port UDP 4639 with in source: eth1:192.168.20.1
    can use the reserved 256 Kbits (2048 - 1792) and more
    if necessary but have in minimum 256 Kbs ..

i don''t have understand the documentation sorry ;=)

Thanks for your help
jerome



-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

Phibee Network Operation Center

2008-Dec-03 06:01 UTC

head link

Re: Help for TC in Shorewall

Hi

no answer ? he don''t have a personn that use TC in shorewall on this 
mailing list ?

;=)



Phibee Network Operation Center a écrit :> Hi
>
> anyone can help me to create a TC Rules on my shorewall 3.2.X ?
> Shorewall are on my linux gateway (eth0: Net and Eth1:Lan)
>
> I have a link:
>    
> eth0   2048kbits   2048kbits (Sdsl)
>
> I want create a tc for:
>
> eth1 and fw to eth0:
>
>     All protocol are limited at 1792kbits
> (a ftp or web download can''t get more 1792 kbits of BP)
>
> a exeption:
>     port UDP 4639 with in source: eth1:192.168.20.1
>     can use the reserved 256 Kbits (2048 - 1792) and more
>     if necessary but have in minimum 256 Kbs ..
>
> i don''t have understand the documentation sorry ;=)
>
> Thanks for your help
> jerome
>
>
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
> Build the coolest Linux based applications with Moblin SDK & win great
prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
>   

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

Simon Hobson

2008-Dec-03 08:14 UTC

head link

Re: Help for TC in Shorewall

Phibee Network Operation Center wrote:
>no answer ? he don''t have a personn that use TC in shorewall on
this
>mailing list ?
Yes, but I personally haven''t had the time to sit down and collate the
information you''re asking for. I run a setup at work where we shape
inbound and outbound traffic with multiple bandwidth allocations (for customers)
and 4 priorities of traffic within each allocation. I''ve copied the
same setup at home (though obviously without the multiple bandwidth
allocations).

This is my home setup "tcstart" file. run_tc is a Shorewall provided
wrapper that calls tc and checks the exit status so Shorewall can abort if a tc
command fails. Note that rules are "last match applies" rather than
"first match applies" so generally need to be listed in increasing
order of detail if multiple rules can match a stream. Oh yes, and there is some
cruft that still needs cleaning up, sorry.


# clean existing down- and uplink qdiscs, hide errors
tc qdisc del dev eth0 root    2> /dev/null > /dev/null
tc qdisc del dev eth0 ingress 2> /dev/null > /dev/null
tc qdisc del dev ethext root    2> /dev/null > /dev/null
tc qdisc del dev ethext ingress 2> /dev/null > /dev/null


# External I/F

# install root HTB, point default traffic to 1:12:
run_tc qdisc add dev ethext root handle 1: htb default 12
# shape everything at uplink speed
run_tc class add dev ethext parent 1: classid 1:1 htb rate $OutSpeed burst 20k
cburst 20k

# Internal I/F
# First, an overall queue/classes to split firewall and net traffic
# install root HTB, point default traffic to 100:102:
run_tc qdisc add dev eth0 root handle 100: htb default 112
run_tc class add dev eth0 parent 100: classid 100:100 htb rate 95000kbit
# Class for firewall traffic - effectively unlimited
run_tc class add dev eth0 parent 100:100 classid 100:101 htb rate 75000kbit prio
1
run_tc qdisc add dev eth0 parent 100:101 handle 102: sfq perturb 10
# Class for net traffic - limit to line speed
run_tc class add dev eth0 parent 100:100 classid 100:102 htb rate $InSpeed burst
20k cburst 20k prio 1



# Out
run_tc class add dev ethext parent 1:1 classid 1:10 htb rate $OutSpeed ceil
$OutCeilDef burst 12k cburst 12k prio 1

run_tc class add dev ethext parent 1:1 classid 1:11 htb rate 500kbit ceil
$OutCeilDef burst 12k cburst 12k prio 1
run_tc class add dev ethext parent 1:1 classid 1:12 htb rate 600kbit ceil
$OutCeilDef burst 12k cburst 12k prio 2
run_tc class add dev ethext parent 1:1 classid 1:13 htb rate 200kbit ceil
$OutCeilDef burst 12k cburst 12k prio 3
run_tc class add dev ethext parent 1:1 classid 1:14 htb rate 100kbit ceil
3072kbit burst 12k cburst 12k prio 4

# run_tc qdisc add dev ethext parent 1:11 handle 11: sfq perturb 10
# run_tc qdisc add dev ethext parent 1:12 handle 12: sfq perturb 10
# run_tc qdisc add dev ethext parent 1:13 handle 13: sfq perturb 10
# run_tc qdisc add dev ethext parent 1:14 handle 14: sfq perturb 10

# In
run_tc class add dev eth0 parent 100:102 classid 100:110 htb rate 1400kbit ceil
$InCeilDef burst 16k cburst 16k prio 1

run_tc class add dev eth0 parent 100:102 classid 100:111 htb rate 500kbit ceil
$InCeilDef burst 12k cburst 12k prio 1
run_tc class add dev eth0 parent 100:102 classid 100:112 htb rate 600kbit ceil
$InCeilDef burst 12k cburst 12k prio 2
run_tc class add dev eth0 parent 100:102 classid 100:113 htb rate 200kbit ceil
$InCeilDef burst 12k cburst 12k prio 3
run_tc class add dev eth0 parent 100:102 classid 100:114 htb rate 100kbit ceil
3072kbit burst 12k cburst 12k prio 4

# run_tc qdisc add dev eth0 parent 100:111 handle 111: sfq perturb 10
# run_tc qdisc add dev eth0 parent 100:112 handle 112: sfq perturb 10
# run_tc qdisc add dev eth0 parent 100:113 handle 113: sfq perturb 10
# run_tc qdisc add dev eth0 parent 100:114 handle 114: sfq perturb 10



# Example of filtering by firewall marks
# Filter by Firewall marks into classes :
#run_tc filter add dev ethext protocol ip parent 1:0 prio 1 handle 41 fw flowid
1:41
#run_tc filter add dev ethext protocol ip parent 1:0 prio 1 handle 42 fw flowid
1:42
#run_tc filter add dev ethext protocol ip parent 1:0 prio 1 handle 43 fw flowid
1:43
#run_tc filter add dev ethext protocol ip parent 1:0 prio 1 handle 44 fw flowid
1:44


# General Filters

# Asterisk (SIP 5060, RTP 10240-11263, IAX2 4569
# run_tc filter add dev eth0 parent 100:0 protocol ip prio 1 u32 match ip dst
192.168.1.27 match ip dport 5060 0xffff flowid 100:111
# run_tc filter add dev eth0 parent 100:0 protocol ip prio 1 u32 match ip dst
192.168.1.27 match ip dport 10240 0xfc00 flowid 100:111
# run_tc filter add dev eth0 parent 100:0 protocol ip prio 1 u32 match ip dst
192.168.1.27 match ip dport 4569 0xffff flowid 100:111
# run_tc filter add dev ethext parent 1:0 protocol ip prio 1 u32 match ip src
192.168.1.27 match ip sport 5060 0xffff flowid 1:11
# run_tc filter add dev ethext parent 1:0 protocol ip prio 1 u32 match ip src
192.168.1.27 match ip sport 10240 0xfc00 flowid 1:11
# run_tc filter add dev ethext parent 1:0 protocol ip prio 1 u32 match ip src
192.168.1.27 match ip sport 4569 0xffff flowid 1:11

# DNS
run_tc filter add dev eth0 parent 100:0 protocol ip prio 1 u32 match ip sport 53
0xffff flowid 100:111
run_tc filter add dev ethext parent 1:0 protocol ip prio 1 u32 match ip dport 53
0xffff flowid 1:11


# Mail (SMTP 25 & 465, Submisstion 587, POP3 110 & 995, IMAP 143 &
993) is priority 3
run_tc filter add dev eth0 parent 100:0 protocol ip prio 1 u32 match ip dport 25
0xffff flowid 100:114
run_tc filter add dev ethext parent 1:0 protocol ip prio 1 u32 match ip sport 25
0xffff flowid 1:14
run_tc filter add dev eth0 parent 100:0 protocol ip prio 1 u32 match ip dport
465 0xffff flowid 100:113
run_tc filter add dev ethext parent 1:0 protocol ip prio 1 u32 match ip sport
465 0xffff flowid 1:13

run_tc filter add dev eth0 parent 100:0 protocol ip prio 1 u32 match ip dport
587 0xffff flowid 100:113
run_tc filter add dev eth0 parent 100:0 protocol ip prio 1 u32 match ip sport
587 0xffff flowid 100:113
run_tc filter add dev ethext parent 1:0 protocol ip prio 1 u32 match ip dport
587 0xffff flowid 1:13
run_tc filter add dev ethext parent 1:0 protocol ip prio 1 u32 match ip sport
587 0xffff flowid 1:13

run_tc filter add dev eth0 parent 100:0 protocol ip prio 1 u32 match ip dport
110 0xffff flowid 100:113
run_tc filter add dev eth0 parent 100:0 protocol ip prio 1 u32 match ip sport
110 0xffff flowid 100:113
run_tc filter add dev ethext parent 1:0 protocol ip prio 1 u32 match ip dport
110 0xffff flowid 1:13
run_tc filter add dev ethext parent 1:0 protocol ip prio 1 u32 match ip sport
110 0xffff flowid 1:13
run_tc filter add dev eth0 parent 100:0 protocol ip prio 1 u32 match ip dport
995 0xffff flowid 100:113
run_tc filter add dev eth0 parent 100:0 protocol ip prio 1 u32 match ip sport
995 0xffff flowid 100:113
run_tc filter add dev ethext parent 1:0 protocol ip prio 1 u32 match ip dport
995 0xffff flowid 1:13
run_tc filter add dev ethext parent 1:0 protocol ip prio 1 u32 match ip sport
995 0xffff flowid 1:13

run_tc filter add dev eth0 parent 100:0 protocol ip prio 1 u32 match ip dport
143 0xffff flowid 100:113
run_tc filter add dev eth0 parent 100:0 protocol ip prio 1 u32 match ip sport
143 0xffff flowid 100:113
run_tc filter add dev ethext parent 1:0 protocol ip prio 1 u32 match ip dport
143 0xffff flowid 1:13
run_tc filter add dev ethext parent 1:0 protocol ip prio 1 u32 match ip sport
143 0xffff flowid 1:13
run_tc filter add dev eth0 parent 100:0 protocol ip prio 1 u32 match ip dport
993 0xffff flowid 100:113
run_tc filter add dev eth0 parent 100:0 protocol ip prio 1 u32 match ip sport
993 0xffff flowid 100:113
run_tc filter add dev ethext parent 1:0 protocol ip prio 1 u32 match ip dport
993 0xffff flowid 1:13
run_tc filter add dev ethext parent 1:0 protocol ip prio 1 u32 match ip sport
993 0xffff flowid 1:13


# RSync traffic (873) priority 4
run_tc filter add dev eth0 parent 100:0 protocol ip prio 1 u32 match ip sport
873 0xffff flowid 100:114
run_tc filter add dev eth0 parent 100:0 protocol ip prio 1 u32 match ip dport
873 0xffff flowid 100:114
run_tc filter add dev ethext parent 1:0 protocol ip prio 1 u32 match ip sport
873 0xffff flowid 1:14
run_tc filter add dev ethext parent 1:0 protocol ip prio 1 u32 match ip dport
873 0xffff flowid 1:14


# Bittorrent traffic for TorrentFlux
run_tc filter add dev eth0 parent 100:0 protocol ip prio 1 u32 match ip dport
49152 0xfff0 flowid 100:114
run_tc filter add dev ethext parent 1:0 protocol ip prio 1 u32 match ip sport
49152 0xfff0 flowid 1:14


# TOS Minimum Delay (ssh, NOT scp) in 1:11:
run_tc filter add dev ethext parent 1:0 protocol ip prio 10 u32 match ip src
a.b.c.d/32 match ip tos 0x10 0xff flowid 1:11

# ICMP (ip protocol 1) in the interactive class 1:11 so we
# can do measurements & impress our friends:
run_tc filter add dev ethext parent 1:0 protocol ip prio 10 u32 match ip src
a.b.c.d/32 match ip protocol 1 0xff flowid 1:11

# To speed up downloads while an upload is going on, put ACK packets in
# the interactive class:
run_tc filter add dev ethext parent 1:0 protocol ip prio 10 u32 match ip src
a.b.c.d/32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000
0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:11




# Internal I/F

# TOS Minimum Delay (ssh, NOT scp)
run_tc filter add dev eth0 parent 100:0 protocol ip prio 10 u32 match ip dst
192.168.1.0/24 match ip tos 0x10 0xff flowid 1:111

# ICMP (ip protocol 1) in the interactive class so we can do measurements &
impress our friends:
run_tc filter add dev eth0 parent 100:0 protocol ip prio 10 u32 match ip dst
192.168.1.0/24 match ip protocol 1 0xff flowid 1:111

# To speed up downloads while an upload is going on, put ACK packets in the
interactive class:
run_tc filter add dev eth0 parent 100:0 protocol ip prio 10 u32 match ip dst
192.168.1.0/24 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000
0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:111


# Need to filter FW generated traffic to 100:111
run_tc filter add dev eth0 parent 100:0 protocol ip prio 1 u32 match ip src
a.b.c.d/32 flowid 100:101
run_tc filter add dev eth0 parent 100:0 protocol ip prio 1 u32 match ip src
192.168.1.1/32 flowid 100:101
# and traffic from DSL modem
run_tc filter add dev eth0 parent 100:0 protocol ip prio 1 u32 match ip src
192.168.27.1/32 flowid 100:101

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

Shorewall Geek

2008-Dec-03 22:31 UTC

head link

Re: Help for TC in Shorewall

Simon Hobson wrote:> Phibee Network Operation Center wrote:
> 
>> no answer ? he don''t have a personn that use TC in shorewall
on this
>> mailing list ?
> 
> Yes, but I personally haven''t had the time to sit down and collate
the information you''re asking for. I run a setup at work where we shape
inbound and outbound traffic with multiple bandwidth allocations (for customers)
and 4 priorities of traffic within each allocation. I''ve copied the
same setup at home (though obviously without the multiple bandwidth
allocations).
> 
> This is my home setup "tcstart" file. run_tc is a Shorewall
provided wrapper that calls tc and checks the exit status so Shorewall can abort
if a tc command fails. Note that rules are "last match applies" rather
than "first match applies" so generally need to be listed in
increasing order of detail if multiple rules can match a stream. Oh yes, and
there is some cruft that still needs cleaning up, sorry.
It should be noted that this file is placed in /etc/shorewall/ and that
TC_ENABLED=Yes must be specified in shorewall.conf.

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

Shorewall users - Dec 2008 - Help for TC in Shorewall

Help for TC in Shorewall

Re: Help for TC in Shorewall

Re: Help for TC in Shorewall

Re: Help for TC in Shorewall