Hi to all:

I've configured shorewall in a test environment to work with traffic shaping. I've read those two articles:

http://www.shorewall.net/traffic_shaping.htm
http://www.shorewall.net/kernel.htm#Kernel-2.6.16

and configured my shorewall to limit the bandwidth.

My firewall configuration is the following:

Internet -- (external ip 192.168.0.200) FW (lan ip 192.168.10.129) --- (192.168.10.129) Client

My debian version is 4.0, the version of shorewall deb package (3.2.6), my kernel is 2.6.23-1-686 and the configuration file of shorewall is:

shorewall.conf

TC_ENABLED=Internal
TC_EXPERT=Yes
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No

tcdevices

#INTERFACE   IN-BANDWITH   OUT-BANDWIDTH
eth1         90kbps        80kbps

tcclasses

#INTERFACE   MARK   RATE     CEIL     PRIORITY   OPTIONS
eth1         1      10kbps   30kbps   1          default
eth1         2      50kbps   80kbps   2

tcrules

#MARK   SOURCE      DEST        PROTO   PORT(S)    CLIENT    USER
#                                                  PORT(S)
2       0.0.0.0/0   0.0.0.0/0   tcp     80,20,21

But when I download a file from internet, the download speed of client is 30KB/sec but it should be 80KB/sec since the mark is 2. Am I wrong? Shouldn't it be the behaviour?

shorewall show mangle

.....
Chain tcpost (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CLASSIFY   0    --  *      eth1    0.0.0.0/0            0.0.0.0/0           MARK match 0x1/0xff CLASSIFY set 1:11
    0     0 CLASSIFY   0    --  *      eth1    0.0.0.0/0            0.0.0.0/0           MARK match 0x2/0xff CLASSIFY set 1:12

Chain tcpre (1 references)
 pkts bytes target     prot opt in     out     source               destination
  161  7656 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 MARK set 0x2
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20 MARK set 0x2
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 MARK set 0x2

shorewall show capabilities

Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Available
   Physdev Match: Available
   Packet length Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available

Thanks in advance.

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone

Oscar Mas wrote:
> Hi to all:
>
> I've configured shorewall in a test environment to work with traffic
> shaping. I've read those two articles:
>
> http://www.shorewall.net/traffic_shaping.htm
> http://www.shorewall.net/kernel.htm#Kernel-2.6.16
>
> and configured my shorewall to limit the bandwidth.
>
> My firewall configuration is the following:
>
> Internet -- (external ip 192.168.0.200) FW (lan ip 192.168.10.129) ---
> (192.168.10.129) Client

Nowhere in this report do you tell us which interface eth1 is (external or internal). You didn't think that was important? Similarly, there is no output from 'shorewall show tc'.

The Support Guidelines (http://www.shorewall.net/support.htm#Guidelines) clearly indicate that Traffic Shaping problem reports should be accompanied by the output of "shorewall dump". That output will give us a complete picture of your setup and will allow us to answer your questions.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> Oscar Mas wrote:
>> Hi to all:
>>
>> I've configured shorewall in a test environment to work with traffic
>> shaping. I've read those two articles:
>>
>> http://www.shorewall.net/traffic_shaping.htm
>> http://www.shorewall.net/kernel.htm#Kernel-2.6.16
>>
>> and configured my shorewall to limit the bandwidth.
>>
>> My firewall configuration is the following:
>>
>> Internet -- (external ip 192.168.0.200) FW (lan ip 192.168.10.129)
>> --- (192.168.10.129) Client
>
> Nowhere in this report do you tell us which interface eth1 is
> (external or internal). You didn't think that was important?
> Similarly, there is no output from 'shorewall show tc'.
>
> The Support Guidelines
> (http://www.shorewall.net/support.htm#Guidelines) clearly indicate
> that Traffic Shaping problem reports should be accompanied by the
> output of "shorewall dump". That output will give us a complete
> picture of your setup and will allow us to answer your questions.
>

Excuse me, my eth0 is 192.168.0.200 (WAN), and eth1 is 192.168.10.129 (LAN).

This is my shorewall show tc:

Shorewall-3.2.6 Traffic Control at QoS - Mon Apr 21 18:44:40 CEST 2008

Device eth0:
qdisc pfifo_fast 0: root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 593215 bytes 5694 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

Device eth1:
qdisc htb 1: root r2q 10 default 11 direct_packets_stat 0 ver 3.17
 Sent 424564 bytes 771 pkt (dropped 0, overlimits 506 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc ingress ffff: parent ffff:fff1 ----------------
 Sent 1357902 bytes 11720 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 11: parent 1:11 limit 127p quantum 1514b flows 127/1024 perturb 10sec
 Sent 424564 bytes 771 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 12: parent 1:12 limit 127p quantum 1514b flows 127/1024 perturb 10sec
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

class htb 1:11 parent 1:1 leaf 11: prio 1 quantum 1500 rate 80000bit ceil 240000bit burst 1499b/8 mpu 0b overhead 0b cburst 1499b/8 mpu 0b overhead 0b level 0
 Sent 424564 bytes 771 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 557 borrowed: 214 giants: 0
 tokens: 142579 ctokens: 47527

class htb 1:1 root rate 640000bit ceil 640000bit burst 1499b/8 mpu 0b overhead 0b cburst 1499b/8 mpu 0b overhead 0b level 7
 Sent 424564 bytes 771 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 214 borrowed: 0 giants: 0
 tokens: 17823 ctokens: 17823

class htb 1:12 parent 1:1 leaf 12: prio 2 quantum 4800 rate 400000bit ceil 640000bit burst 1499b/8 mpu 0b overhead 0b cburst 1499b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 29296 ctokens: 18310

I attached my shorewall dump

Thanks for the reply

--
ilimit...
*Oscar Mas*
omas@in.ilimit.es
ÀREA SISTEMES
0034 937 333 375
VOLTA 1, PIS 5
08224 TERRASSA.BCN

Oscar Mas wrote:
>
> I attached my shorewall dump
>

Download traffic has SOURCE port 80. You are marking traffic with DEST port 80 (the outgoing ACKs).

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
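
Added example, not part of the thread and not Shorewall code: a small Python model of the posted tcrules and tcclasses that traces one HTTP download through the firewall and shows which HTB class each direction ends up in. The client port 40000 and the rewritten rule (using "-" to skip PORT(S) and putting the list in the CLIENT PORT(S) column from the posted header) are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Packet:                      # constructed sample packets, not captured traffic
    out_iface: str
    proto: str
    sport: int
    dport: int

# tcclasses from the first post: (interface, mark) -> (rate, ceil); mark 1 is "default"
TCCLASSES = {("eth1", 1): ("10kbps", "30kbps"), ("eth1", 2): ("50kbps", "80kbps")}
DEFAULT_MARK = {"eth1": 1}         # only eth1 is listed in tcdevices

def parse_tcrule(line):
    """Columns as in the posted header: MARK SOURCE DEST PROTO PORT(S) CLIENT-PORT(S)."""
    cols = line.split() + ["-"] * 6           # omitted trailing columns behave like "-"
    ports = lambda c: None if c == "-" else {int(p) for p in c.split(",")}
    return {"mark": int(cols[0]), "proto": cols[3],
            "dports": ports(cols[4]), "sports": ports(cols[5])}

def mark_for(pkt, rules):
    """Per-packet mark as set in tcpre; MARK does not stop traversal, so the last match wins."""
    mark = 0
    for r in rules:
        if r["proto"] != pkt.proto:
            continue
        if r["dports"] is not None and pkt.dport not in r["dports"]:
            continue
        if r["sports"] is not None and pkt.sport not in r["sports"]:
            continue
        mark = r["mark"]
    return mark

def shaping_class(pkt, rules):
    """(mark, rate, ceil) of the HTB class used on egress, or None if the interface is unshaped."""
    if pkt.out_iface not in DEFAULT_MARK:
        return None
    mark = mark_for(pkt, rules)
    if (pkt.out_iface, mark) not in TCCLASSES:
        mark = DEFAULT_MARK[pkt.out_iface]    # unmarked traffic falls into the default class
    return (mark, *TCCLASSES[(pkt.out_iface, mark)])

ORIGINAL = [parse_tcrule("2 0.0.0.0/0 0.0.0.0/0 tcp 80,20,21")]
# Assumed rewrite (not from the thread): "-" skips PORT(S), the list moves to CLIENT PORT(S)
BY_SOURCE_PORT = [parse_tcrule("2 0.0.0.0/0 0.0.0.0/0 tcp - 80,20,21")]

# One HTTP download seen at the firewall; client port 40000 is made up
data = Packet("eth1", "tcp", sport=80, dport=40000)   # server -> client payload, leaves via LAN
acks = Packet("eth0", "tcp", sport=40000, dport=80)   # client -> server ACKs, leave via WAN

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("by source port", BY_SOURCE_PORT)):
        print(name, "| data:", shaping_class(data, rules), "| acks:", shaping_class(acks, rules))
```

With the original rule only the ACKs get mark 2, and they leave through eth0, which has no HTB classes; the payload leaving eth1 is unmarked and is held to the default class's 30kbps ceiling, matching the 1:11 and 1:12 byte counters in the posted `shorewall show tc` output.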