I don't know whether this is the right place to ask, but kindly point me to an FM that I can R if it isn't.

My wife is creating lots of Kazaa traffic, and I am using rsync to create a full mirror of Red Hat's FTP site, Aurora Linux FTP site, the LDP site, and some other stuff. Clearly, when one is moving well over 100GB over a 128 Kbps link, this is going to take a long time... but that's OK, we're in no hurry.

However, of course since the link is saturated then email downloads and web browsing become dog-slow and frustrating. I could even live with mail being really slow, but the HTTP traffic I really wish could be given some sort of "high priority" so that I don't have to shut down the rsync transfer temporarily when we're really using the Net at home.

So really, happiness right now is just priority service for HTTP traffic. Go to the head of the line, and all that, since everything else can take an extra week to download without causing us any inconvenience.

I have heard some terms thrown around, but have no knowledge yet. Is this possible (I assume it is)? Is what I want traffic shaping, or quality of service, or TCP flags... what is it? And, of course, is this something I can configure with Shorewall or should I go read up on something else?

Thanks for any pointers,

--
Rodolfo J. Paiz
rpaiz@simpaticus.com
On Tue, 2003-10-21 at 08:27, Rodolfo J. Paiz wrote:
> I have heard some terms thrown around, but have no knowledge yet. Is this
> possible (I assume it is)? Is what I want traffic shaping, or quality of
> service, or TCP flags... what is it? And, of course, is this something I
> can configure with Shorewall or should I go read up on something else?

You want traffic shaping; I personally use WonderShaper. You can read about how I integrate Shorewall and WonderShaper at http://shorewall.net/traffic_shaping.htm.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
On Tue, 2003-10-21 at 18:06, Tom Eastep wrote:
> You want traffic shaping; I personally use WonderShaper. You can read
> about how I integrate Shorewall and WonderShaper at
> http://shorewall.net/traffic_shaping.htm.

And ignore the 'tcrules' file when you'll be setting up your traffic shaper.

Petr
On Tue, 2003-10-21 at 09:53, Petr Stehlik wrote:
> On Tue, 2003-10-21 at 18:06, Tom Eastep wrote:
> > You want traffic shaping; I personally use WonderShaper. You can read
> > about how I integrate Shorewall and WonderShaper at
> > http://shorewall.net/traffic_shaping.htm.
>
> And ignore the 'tcrules' file when you'll be setting up your traffic
> shaper.

Hopefully the current version of the traffic shaping page makes that clear.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
On Tue, 2003-10-21 at 19:07, Tom Eastep wrote:
> Hopefully the current version of the traffic shaping page makes that
> clear.

I have just noticed the sentence that makes it clear that WonderShaper does not use the tcrules but there is still the old example (using fwmarks) that did not work for me.

Petr
On Tue, 2003-10-21 at 10:24, Petr Stehlik wrote:
> On Tue, 2003-10-21 at 19:07, Tom Eastep wrote:
> > Hopefully the current version of the traffic shaping page makes that
> > clear.
>
> I have just noticed the sentence that makes it clear that WonderShaper
> does not use the tcrules but there is still the old example (using
> fwmarks) that did not work for me.

Your /etc/shorewall/tcrules entry was wrong -- no traffic was being marked by the rule (packet count was always zero).

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
On Tue, 2003-10-21 at 19:30, Tom Eastep wrote:
> Your /etc/shorewall/tcrules entry was wrong -- no traffic was being
> marked by the rule (packet count was always zero).

Ah, thanks. I didn't know that before (I didn't realize that the packet count should grow). I am wondering what can be wrong on

SRC=eth0,eth1
DEST=192.168.1.4

The only thing I can imagine is that the DEST was not translated yet.

Petr
On Tue, 2003-10-21 at 10:44, Petr Stehlik wrote:
> On Tue, 2003-10-21 at 19:30, Tom Eastep wrote:
> > Your /etc/shorewall/tcrules entry was wrong -- no traffic was being
> > marked by the rule (packet count was always zero).
>
> Ah, thanks. I didn't know that before (I didn't realize that the packet
> count should grow). I am wondering what can be wrong on
>
> SRC=eth0,eth1
> DEST=192.168.1.4

Here's your rule:

4:F eth0 192.168.1.4 all

It says that you want to mark all INCOMING traffic from eth0 with destination (after NAT) of 192.168.1.4. Yet you are trying to shape the traffic OUTBOUND on eth0.

The ":F" indicates that marking should occur in the FORWARD chain so the destination address should already have been translated by DNAT rules and by reply packets to connections created via SNAT/MASQUERADE.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
On Tue, 2003-10-21 at 20:52, Tom Eastep wrote:
> 4:F eth0 192.168.1.4 all
>
> It says that you want to mark all INCOMING traffic from eth0 with
> destination (after NAT) of 192.168.1.4. Yet you are trying to shape the
> traffic OUTBOUND on eth0.

You're right. Once I tried to set the SRC to "eth0,eth1" but IIRC it didn't help.

BTW, eth0 is 192.168.1.0/24, eth1 is my wireless internet connection.

May I ask you for a suggestion on how to write the tcrule properly if I want to mark the traffic coming from internet via eth1 to eth0:192.168.1.4?

Hmm, well, I have just tried removing "eth0" from "eth0,eth1" (just in case...) and it started working properly. So I got it working at last thanks to your help. Interesting that SRC="eth0,eth1" breaks it.

Petr
On Tue, 2003-10-21 at 12:59, Petr Stehlik wrote:
>
> BTW, eth0 is 192.168.1.0/24, eth1 is my wireless internet connection.
>
> May I ask you for suggestion how to write the tcrule properly if I want
> to mark the traffic coming from internet via eth1 to eth0:192.168.1.4?

4:F eth1 192.168.1.4 all

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
On Tue, 2003-10-21 at 12:59, Petr Stehlik wrote:
> On Tue, 2003-10-21 at 20:52, Tom Eastep wrote:
> > 4:F eth0 192.168.1.4 all
> >
> > It says that you want to mark all INCOMING traffic from eth0 with
> > destination (after NAT) of 192.168.1.4. Yet you are trying to shape the
> > traffic OUTBOUND on eth0.
>
> You're right. Once I tried to set the SRC to "eth0,eth1" but IIRC it
> didn't help.
>
> BTW, eth0 is 192.168.1.0/24, eth1 is my wireless internet connection.
>
> May I ask you for suggestion how to write the tcrule properly if I want
> to mark the traffic coming from internet via eth1 to eth0:192.168.1.4?
>
> Hmm, well, I have just tried removing "eth0" from "eth0,eth1" (just in
> case...) and it started working properly. So I got it working at last
> thanks to your help. Interesting that SRC="eth0,eth1" breaks it.

Yes -- there is a bug there that I've just reproduced. When you include ":F" in a rule with multiple sources, the ":F" is only being applied to the first source :-(

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
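As an added illustration (not code from this thread or from Shorewall itself), the following Python model shows the two points Tom makes above: a mark placed before NAT never sees the LAN address 192.168.1.4, so its packet counter stays at zero, and with the multi-source ":F" bug the second source is compiled without ":F" and lands in the pre-NAT chain. The chain name tcpre, the one-rule-per-source expansion and the public address 203.0.113.10 are assumptions; only tcfor appears in the thread.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model (not Shorewall's code) of how a 1.4-era tcrules entry
#   MARK[:F]  SOURCE  DEST  PROTO
# becomes mangle rules. Assumed: one rule per comma-separated SOURCE
# interface; ':F' selects the FORWARD-chain table 'tcfor' (the name seen in
# the thread's 'show mangle'); without ':F' the PREROUTING table 'tcpre'.


@dataclass
class Packet:
    in_iface: str
    dst_pre_nat: str   # destination as the packet arrives on the wire
    dst_post_nat: str  # destination after DNAT (or after un-SNAT of a reply)


@dataclass
class MangleRule:
    chain: str         # 'tcpre' (before NAT) or 'tcfor' (after NAT)
    in_iface: str
    dst: str
    mark: int
    pkts: int = 0      # the packet counter Tom tells Petr to watch

    def as_iptables(self) -> str:
        return (f"iptables -t mangle -A {self.chain} -i {self.in_iface} "
                f"-d {self.dst} -j MARK --set-mark {self.mark}")


def expand_tcrule(entry: str, multi_source_bug: bool = False) -> List[MangleRule]:
    mark_field, sources, dst, _proto = entry.split()[:4]
    mark, _, flag = mark_field.partition(":")
    chain = "tcfor" if flag == "F" else "tcpre"
    rules = []
    for i, iface in enumerate(sources.split(",")):
        # Pre-1.4.7a behaviour reported in the thread: ':F' honoured for the
        # first source only, later sources compiled without it.
        rule_chain = chain if (i == 0 or not multi_source_bug) else "tcpre"
        rules.append(MangleRule(rule_chain, iface, dst, int(mark)))
    return rules


def apply_mark(rules: List[MangleRule], pkt: Packet) -> Optional[int]:
    """Mark a forwarded packet with the first matching rule; None if none matches."""
    for r in rules:
        # tcpre sees the pre-DNAT address, tcfor the translated one: this is
        # why a rule on 192.168.1.4 in the wrong chain never counts a packet.
        seen_dst = pkt.dst_pre_nat if r.chain == "tcpre" else pkt.dst_post_nat
        if r.in_iface == pkt.in_iface and r.dst == seen_dst:
            r.pkts += 1
            return r.mark
    return None


# Constructed sample: a download from the Internet arriving on eth1 for the
# masqueraded LAN host 192.168.1.4 (203.0.113.10 is a made-up public address).
SAMPLE = Packet("eth1", "203.0.113.10", "192.168.1.4")
```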
On Tue, 2003-10-21 at 22:03, Tom Eastep wrote:
> > May I ask you for suggestion how to write the tcrule properly if I want
> > to mark the traffic coming from internet via eth1 to eth0:192.168.1.4?
>
> 4:F eth1 192.168.1.4 all

this is what I said in the last paragraph of my original mail (maybe you didn't read it).

Any idea why putting both eth0 and eth1 to the SOURCE broke the marking? In 'show mangle' I can see two tcfor lines (one for eth1->192.168.1.4 and the other one for eth0->192.168.1.4) but the packet count doesn't increase in any of them. It's not important, I am just curious.

Petr
On Tue, 2003-10-21 at 22:18, Tom Eastep wrote:
> > thanks to your help. Interesting that SRC="eth0,eth1" breaks it.
>
> Yes -- there is a bug there that I've just reproduced. When you include
> ":F" in a rule with multiple sources, the ":F" is only being applied to
> the first source :-(

Oh great. So my fault actually helped a bit in improving Shorewall :-)

Now I am satisfied and can unsubscribe from this mailing list. Thank you for your great support of an even greater product.

Petr
Tom Eastep wrote:
> You want traffic shaping; I personally use WonderShaper. You can read
> about how I integrate Shorewall and WonderShaper at
> http://shorewall.net/traffic_shaping.htm.

I did a wondershaper rpm for shorewall integration. It can be found at http://tis.foobar.fi/tis/wondershaper-1.1a-3foo.src.rpm

Here is an example config:

#
# Shorewall - Wondershaper-tcstart File
#
# /etc/shorewall/tcstart
#
# Tcstart handles QoS handling. This file is provided by wondershaper
# and you can configure your wondershaper from here.
#
# Configuration format in this file is not at all the same as in other
# parts of shorewall so beware!
#
# Set parameters and call wshaper or wshaper.htb according to your
# kernel capabilities.
#
# More info can be found from the wondershaper README.
#
# /usr/share/wondershaper/wshaper for cbq
# /usr/share/wondershaper/wshaper.htb for htb
#
WONDERSHAPER=/usr/share/wondershaper/wshaper
#
# This is incoming speed. Use something like max-speed - 20%
# DOWNLINK=440 for 512Kbit/s or 800 for 1024Kbit/s
#
DOWNLINK=800
#
# UPLINK=220 for 256Kbit/s
#
UPLINK=210
#
# DEV=eth0 if you use eth0
#
DEV=eth0
#
# low-priority OUTGOING traffic - you can leave this blank
NOPRIOHOSTSRC=
# low-priority destination netmasks
NOPRIOHOSTDST=
# low-priority source port
NOPRIOPORTSRC=80
# low priority destination ports
NOPRIOPORTDST=
#
# call selected wondershaper if it exists
[ -f $WONDERSHAPER ] && . $WONDERSHAPER

# Special: settings for ipsec connections (the script is sourced a second
# time with the variables reset for the ipsec0 device)
DOWNLINK=700
UPLINK=180
DEV=ipsec0
NOPRIOPORTSRC=443
NOPRIOPORTDST=
[ -f $WONDERSHAPER ] && . $WONDERSHAPER
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

--
Tuomo Soini <tis@foobar.fi>    Linux and network services
+358 40 5240030                Foobar Oy <http://foobar.fi/>
On Tue, 2003-10-21 at 13:28, Petr Stehlik wrote:
> On Tue, 2003-10-21 at 22:18, Tom Eastep wrote:
> > > thanks to your help. Interesting that SRC="eth0,eth1" breaks it.
> >
> > Yes -- there is a bug there that I've just reproduced. When you include
> > ":F" in a rule with multiple sources, the ":F" is only being applied to
> > the first source :-(
>
> Oh great. So my fault actually helped a bit improving the shorewall :-)
>
> Now I am satisfied and can unsubscribe from this mailing list.
>

You're welcome. The fix for this problem is in 1.4.7a and in the CVS STABLE/ project.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net