So after reading the traffic control documentation at shorewall.net I am a little confused. I don't understand how to use the tcrules file. What I would ideally like to do is set up htb on a per-user basis (either by IP or MAC address). If anybody has any hints on the best way to do this, or is willing to explain the use of the tcrules file a little better (how I could mark it per IP or MAC), I would love to hear it. Also, this box sits between the gateway router and the clients, so I am assuming it would have to be a bridging device; am I correct? Any scripts or hints would be greatly appreciated.

_
/-\ ndrew
On Fri, 2004-12-17 at 22:17 -0700, Andrew Niemantsverdriet wrote:
> So after reading the traffic control documentation at shorewall.net I am
> a little confused. I don't understand how to use the tcrules file.

That's not surprising -- the Shorewall traffic control documentation tells you *how to integrate a traffic control solution with Shorewall*; it doesn't pretend to teach you how to do traffic control under Linux. For that you want the Linux Advanced Routing and Traffic Control (LARTC) Howto or the Traffic Shaping Howto; both are linked from the Shorewall 'Useful Links' page.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Sat, 2004-12-18 at 23:46, Tom Eastep wrote:
> On Fri, 2004-12-17 at 22:17 -0700, Andrew Niemantsverdriet wrote:
> > So after reading the traffic control documentation at shorewall.net I am
> > a little confused. I don't understand how to use the tcrules file.
>
> For that you want the Linux Advanced Routing and Traffic Control (LARTC)
> Howto or the Traffic Shaping Howto;

Or you could try this link. I wrote this quite some time back. It may not be exactly what you want.. But it might be close enough to give you an idea.

http://my-opensource.org/howto/qostrafficshaping-shorewall-wondershaper-howto.html

--
Ow Mun Heng
Gentoo/Linux on D600 1.4Ghz
98% Microsoft(tm) Free!!
Neuromancer 00:07:18 up 3:59, 1 user, 0.19, 0.14, 0.10
I have a Linux server put in a data centre. It is running shorewall as iptables frontend. And I want to shape the traffic. But I read many articles; most of them are assuming users at the private LAN initiate the traffic, e.g. surfing websites, downloading files from ftp, bt stuff, etc. In my case, I don't have users behind the firewall. The server is just serving http and ftp services for Internet users.

So how does wondershaper work for me?

On Mon, 20 Dec 2004 09:08:11 +0800, Ow Mun Heng <Ow.Mun.Heng@wdc.com> wrote:
> On Sat, 2004-12-18 at 23:46, Tom Eastep wrote:
> > On Fri, 2004-12-17 at 22:17 -0700, Andrew Niemantsverdriet wrote:
> > > So after reading the traffic control documentation at shorewall.net I am
> > > a little confused. I don't understand how to use the tcrules file.
> >
> > For that you want the Linux Advanced Routing and Traffic Control (LARTC)
> > Howto or the Traffic Shaping Howto;
>
> Or you could try this link. I wrote this quite some time back. It may
> not be exactly what you want.. But it might be close enough to give you
> an idea.
>
> http://my-opensource.org/howto/qostrafficshaping-shorewall-wondershaper-howto.html
>
> --
> Ow Mun Heng
> Gentoo/Linux on D600 1.4Ghz
> 98% Microsoft(tm) Free!!
> Neuromancer 00:07:18 up 3:59, 1 user, 0.19, 0.14, 0.10
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
On Sun, 2004-12-19 at 21:24, Adrian Mak wrote:
> I have a linux server put in data centre. It is running shorewall as
> iptables frontend. And I want to shape the traffic. But I read many
> articles, they most are assuming users at the private lan initiate the
> traffic eg. surfing website, download files from ftp, bt stuffs, etc.
> In my case, I don't have users behind the firewall. The server just
> serving http and ftp services for Internet users.
>
> So how wondershap work for me ?

If you take a look at shorewall.net, Tom's original setup (when shorewall.net was running on his network) will describe how to do this. Also the lartc site is a good source of info, but start off at the shorewall site and go from there. Read the links especially.
Hi,

On Sun, 2004-12-19 at 18:08, Ow Mun Heng wrote:
> On Sat, 2004-12-18 at 23:46, Tom Eastep wrote:
> > On Fri, 2004-12-17 at 22:17 -0700, Andrew Niemantsverdriet wrote:
> > > So after reading the traffic control documentation at shorewall.net I am
> > > a little confused. I don't understand how to use the tcrules file.
> >
> > For that you want the Linux Advanced Routing and Traffic Control (LARTC)
> > Howto or the Traffic Shaping Howto;
>
> Or you could try this link. I wrote this quite some time back. It may
> not be exactly what you want.. But it might be close enough to give you
> an idea.
>
> http://my-opensource.org/howto/qostrafficshaping-shorewall-wondershaper-howto.html
>
> --
> Ow Mun Heng
> Gentoo/Linux on D600 1.4Ghz
> 98% Microsoft(tm) Free!!
> Neuromancer 00:07:18 up 3:59, 1 user, 0.19, 0.14, 0.10
>

That is a good link, thanks! However, it is not quite what I was looking for. After re-reading my first post, it is way too cryptic to understand what I want to do. I did not include enough information. I guess that is what you get for writing when you are half asleep.

What I have is the htb-init script (http://freshmeat.net/projects/htb.init). I have moved that to the tcstart Shorewall file and enabled traffic controlling in shorewall.conf. What I am asking is how to use the tcrules file to mark traffic per IP so that it goes to the proper htb class. As I stated before, the shorewall documentation is confusing to me. Would this work:

#MARK   SOURCE  DESTINATION        PROTOCOL  USER/GROUP  TEST
1       eth1    192.168.1.100/32   all
2       eth1    192.168.1.1/24     all

So that all packets going to 192.168.1.100 would be marked as 1 and all others would be marked as 2?

Lastly, since this box sits between the gateway router and the clients (and I don't want to change everybody's gateway) it would have to be a bridging device, am I correct? Can traffic shaping even be done on a bridging device? The LARTC site is silent, as far as I can see, on the subject.

Once again, if anybody has a different suggestion or scripts that they have already done, I would love to see them. Thanks for the feedback guys!

_
/-\ ndrew
On Mon, 2004-12-20 at 13:59 -0700, Andrew Niemantsverdriet wrote:
>
> What I have is the htb-init script
> (http://freshmeat.net/projects/htb.init) I have moved that to the
> tcstart Shorewall file and enabled traffic controlling in
> shorewall.conf. What I am asking is how to use the tcrules file to mark
> traffic per ip so that is goes to the proper htb class. As I stated
> before the shorewall documentation is confusing to me. Would this work:
>
> #MARK   SOURCE  DESTINATION        PROTOCOL  USER/GROUP  TEST
> 1       eth1    192.168.1.100/32   all
> 2       eth1    192.168.1.1/24     all
>
> So that all packets going to 192.168.1.100 would be marked as 1 and all
> others would both be marked as 2?

No, that will not work. As clearly stated in the comments at the top of the tcrules file:

# Unlike rules in the /etc/shorewall/rules file, evaluation
# of rules in this file will continue after a match. So the
# final mark for each packet will be the one assigned by the
# LAST tcrule that matches.

So the above rules will mark all packets entering eth1 and destined for 192.168.1.0/24 with a 2, including those destined for 192.168.1.100.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Mon, 2004-12-20 at 13:59 -0700, Andrew Niemantsverdriet wrote:
> Lastly since this box sits between the gateway router and the clients
> (and I don't want to change everybody's gateway) it would have to be a
> bridging device am I correct? Can traffic shaping even be done on a
> bridging device? The LARTC site is silent as far as I can see on the
> subject.

I've never tried it.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Hi

On Mon, 2004-12-20 at 14:21, Tom Eastep wrote:
> On Mon, 2004-12-20 at 13:59 -0700, Andrew Niemantsverdriet wrote:
> >
> > What I have is the htb-init script
> > (http://freshmeat.net/projects/htb.init) I have moved that to the
> > tcstart Shorewall file and enabled traffic controlling in
> > shorewall.conf. What I am asking is how to use the tcrules file to mark
> > traffic per ip so that is goes to the proper htb class. As I stated
> > before the shorewall documentation is confusing to me. Would this work:
> >
> > #MARK   SOURCE  DESTINATION        PROTOCOL  USER/GROUP  TEST
> > 1       eth1    192.168.1.100/32   all
> > 2       eth1    192.168.1.1/24     all
> >
> > So that all packets going to 192.168.1.100 would be marked as 1 and all
> > others would both be marked as 2?
>
> No, that will not work. As clearly stated in the comments at the top of
> the tcrules file:
>
> # Unlike rules in the /etc/shorewall/rules file, evaluation
> # of rules in this file will continue after a match. So the
> # final mark for each packet will be the one assigned by the
> # LAST tcrule that matches.
>
> So the above rules will mark all packets entering eth1 and destined for
> 192.168.1.0/24 with a 2, including those destined for 192.168.1.100.
>
> -Tom

Thanks Tom,

My tcrules file got deleted and recreated, so that explains why I missed it (and I missed it on shorewall.net). So am I going to run into problems making a lot of /32 entries? Will the time to restart shorewall increase drastically as I get more and more entries in it? Is anybody else trying to do bandwidth control for multiple users? I will document what I come up with just in case somebody else wants to do the same thing, especially with regards to the bridge setup.

--
_
/-\ ndrew
On Mon, 2004-12-20 at 15:55 -0700, Andrew Niemantsverdriet wrote:
> So am I going to run into
> problems making a lot of /32 entries? Will the time to restart shorewall
> increase drastically as I get more and more entries in it?

I don't know.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Hi,

On Mon, 2004-12-20 at 20:44, Tom Eastep wrote:
> On Mon, 2004-12-20 at 15:55 -0700, Andrew Niemantsverdriet wrote:
> > So am I going to run into
> > problems making a lot of /32 entries? Will the time to restart shorewall
> > increase drastically as I get more and more entries in it?
>
> I don't know.
>
> -Tom

Once again I will do some testing and document. Although, if the last match that the tcrules finds is the one that the packet is marked with, it might be best to go from most general to least general and save myself typing. Most of my clients will fit into one class; there will be a few dozen "special cases".

--
_
/-\ ndrew
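As an added example (not code from the thread, nor part of Shorewall itself), the following Python script simulates the tcrules evaluation order that Tom quotes from the file header and that Andrew relies on when he proposes ordering entries from most general to least general: every rule is evaluated and the LAST matching rule's MARK wins. It models only the three columns the thread actually uses (MARK, SOURCE as an incoming interface, DESTINATION as a network in CIDR form); PROTOCOL, ports, USER/GROUP, TEST and mark suffixes are ignored, which is a simplification of this toy and not a statement about Shorewall's real parser. The two rule files below are constructed from the thread: the order as posted, and the reversed order.

```python
"""Toy simulator of Shorewall tcrules evaluation order (added example).

Assumption: a rule matches when the packet arrived on the SOURCE interface and
its destination address lies within the DESTINATION network. Evaluation does
not stop at the first match, so the mark assigned by the last matching rule is
the one the packet leaves with.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TcRule:
    mark: int
    source: str   # interface the packet arrives on (SOURCE column)
    dest: str     # destination network in CIDR form (DESTINATION column)


def parse_tcrules(text: str) -> list[TcRule]:
    """Parse tcrules-style lines; '#' starts a comment, blank lines are skipped.
    Only the first three columns are read (toy simplification)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mark, source, dest = line.split()[:3]
        rules.append(TcRule(int(mark), source, dest))
    return rules


def rule_matches(rule: TcRule, in_iface: str, dst_ip: str) -> bool:
    if rule.source != in_iface:
        return False
    # strict=False lets a host-style entry such as 192.168.1.1/24 stand for 192.168.1.0/24
    net = ipaddress.ip_network(rule.dest, strict=False)
    return ipaddress.ip_address(dst_ip) in net


def final_mark(rules: list[TcRule], in_iface: str, dst_ip: str, default: int = 0) -> int:
    """Walk every rule without an early exit: a later match overwrites an
    earlier one, exactly the behaviour the tcrules header comment describes."""
    mark = default
    for rule in rules:
        if rule_matches(rule, in_iface, dst_ip):
            mark = rule.mark
    return mark


def mark_for(rules_text: str, in_iface: str, dst_ip: str) -> int:
    return final_mark(parse_tcrules(rules_text), in_iface, dst_ip)


# Constructed input: the two-rule file as posted in the thread (specific host first).
POSTED = """
#MARK   SOURCE  DESTINATION        PROTOCOL  USER/GROUP  TEST
1       eth1    192.168.1.100/32   all
2       eth1    192.168.1.1/24     all
"""

# Constructed input: the same rules ordered most general to least general.
REORDERED = """
#MARK   SOURCE  DESTINATION        PROTOCOL  USER/GROUP  TEST
2       eth1    192.168.1.1/24     all
1       eth1    192.168.1.100/32   all
"""


if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("reordered", REORDERED)):
        for ip in ("192.168.1.100", "192.168.1.50"):
            print(f"{name:9} eth1 -> {ip:15} mark {mark_for(text, 'eth1', ip)}")
```

With the order as posted, 192.168.1.100 ends up with mark 2 because the /24 rule is evaluated after the /32 rule and overwrites it; with the general rule first and the host exception last, the host gets mark 1 and everything else in the subnet keeps mark 2. On a real box the check is to look at the generated mangle rules after a restart or refresh (for example with `shorewall show mangle`) rather than trusting the file order by eye.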
On Mon, 2004-12-20 at 12:24, Adrian Mak wrote:
> I have a linux server put in data centre. It is running shorewall as
> iptables frontend. And I want to shape the traffic. But I read many
> articles, they most are assuming users at the private lan initiate the
> traffic eg. surfing website, download files from ftp, bt stuffs, etc.
> In my case, I don't have users behind the firewall. The server just
> serving http and ftp services for Internet users.

So.. meaning, you serve others?? Like a real web server?? Even simpler. Just make TC shape the bandwidth going out of the web server.

> So how wondershap work for me ?

In a way, yeah..

> On Mon, 20 Dec 2004 09:08:11 +0800, Ow Mun Heng <Ow.Mun.Heng@wdc.com> wrote:
> > On Sat, 2004-12-18 at 23:46, Tom Eastep wrote:
> > > On Fri, 2004-12-17 at 22:17 -0700, Andrew Niemantsverdriet wrote:
> > > > So after reading the traffic control documentation at shorewall.net I am
> > > > a little confused. I don't understand how to use the tcrules file.
> > >
> > > For that you want the Linux Advanced Routing and Traffic Control (LARTC)
> > > Howto or the Traffic Shaping Howto;
> >
> > Or you could try this link. I wrote this quite some time back. It may
> > not be exactly what you want.. But it might be close enough to give you
> > an idea.
> >
> > http://my-opensource.org/howto/qostrafficshaping-shorewall-wondershaper-howto.html
> >
> > --
> > Ow Mun Heng
> > Gentoo/Linux on D600 1.4Ghz
> > 98% Microsoft(tm) Free!!
> > Neuromancer 00:07:18 up 3:59, 1 user, 0.19, 0.14, 0.10

--
Ow Mun Heng
Gentoo/Linux on D600 1.4Ghz
98% Microsoft(tm) Free!!
Neuromancer 14:52:52 up 5:41, 5 users, 0.61, 0.66, 0.49
Hi,

On Mon, 2004-12-20 at 21:31, Andrew Niemantsverdriet wrote:
> Hi,
> On Mon, 2004-12-20 at 20:44, Tom Eastep wrote:
> > On Mon, 2004-12-20 at 15:55 -0700, Andrew Niemantsverdriet wrote:
> > > So am I going to run into
> > > problems making a lot of /32 entries? Will the time to restart shorewall
> > > increase drastically as I get more and more entries in it?
> >
> > I don't know.
> >
> > -Tom
>
> Once again I will do some testing and document. Although if the last
> match that the tcrules finds is the one that it is marked with might be
> best to go most general to least and save myself typing. Most of my
> clients will fit into one class there will be a few dozen "special
> cases".
>
> --
> _
> /-\ ndrew

After some testing done today I have found that a traffic shaping bridge with shorewall is possible. It works well with htb-init, although I cannot make it start automatically when shorewall does. The reason for this is that htb-init needs a start command. Any ideas on this? Also, is it possible to just reload the tcrules file and not have to restart all of shorewall?

Anyway, if you set up shorewall according to the Bridge Quick Start and use the tcrules file as described in the documentation, there are no problems getting everything up and going. The only tricky thing is that htb does not know about bridges, so if eth0 is connected to the internet a person would need to shape on eth1 for the clients connected to it. I hope that all makes sense. I will have more info as I get the bugs worked out. Also, suggestions on getting htb.init-v0.8.5 to start and restart with Shorewall, and on reloading rules only, would be great. Might have to be a custom script?

Thanks,
--
_
/-\ ndrew
On Tue, 2004-12-21 at 11:24 -0700, Andrew Niemantsverdriet wrote:
>
> After some testing done today I have found that a traffic shaping bridge
> with shorewall is possible. It works well with htb-init although I can
> not make it start automatically when shorewall does. The reason for this
> is htb-init needs a start command. Any ideas on this?

There is absolutely no reason to start/stop/restart htb-init at the same time as Shorewall. Simply use an init script for htb-init (IIRC, you can just put the htb-init in /etc/init.d) and set CLEAR_TC=No in shorewall.conf.

> Also is it
> possible to just reload the tcrules file and not have to restart all of
> shorewall?

One of the functions of "shorewall refresh" is to reload tcrules.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Hi,

On Tue, 2004-12-21 at 11:41, Tom Eastep wrote:
> There is absolutely no reason to start/stop/restart htb-init at the same
> time as Shorewall. Simply use an init script for htb-init (IIRC, you can
> just put the htb-init in /etc/init.d) and set CLEAR_TC=No in
> shorewall.conf.

Great, I did not realize that or even think about trying that. Works as it should. Still need to write just a small script so that it will start on boot, but nothing too tough.

> > Also is it
> > possible to just reload the tcrules file and not have to restart all of
> > shorewall?
>
> One of the functions of "shorewall refresh" is to reload tcrules.
>
> -Tom

Once again, works as it should. Pretty simple once you can get everything to work together. Thanks Tom!

--
_
/-\ ndrew