>>> Where do you currently use the priority specified in the PRIORITY
>>> column in tcclasses?
>> In 'tc class add' commands.
>>> Am I right in assuming that this is a different "priority" which is
>>> present in the tc statements, which you just added in your patch (to
>>> be specified in tcfilters)?
>> Yes -- the new PRIORITY is used in 'tc filter add' commands generated by
>> entries in /etc/shorewall/tcfilters.
>>
>>> Also, how is the priority for outgoing packets determined (those that
>>> are defined in tcrules)?
>> In the current code, the priority of that filter is <priority of the
>> corresponding class> LAND 20. This allows entries in
>> /etc/shorewall/tcfilters to override firewall marks.
>
> Correction: it is ( <priority of the corresponding class> << 8 ) | 20.
I am sorry, but I can't see *any* of it.
OK, I prepared a (rather rudimentary) test case and I am attaching the relevant
files in this email; I hope the mailing list daemon will accept the
attachments, and if not I will send them privately.
In tcclasses I defined various classes for a single interface for both ingress
and egress (eth0->ifb0) with different priorities ranging from 1 to 7. In the
resulting compilation (shorewall compile -T -p -e) file (see firewall_tc) I can
see all of these classes and flows defined, though I cannot see any of the
priorities I have specified in my tcclasses file.
Ignoring the fact that the flow priorities (used in "tc filter" statements) are
always set at 10, I can't see the value of the priorities I specified in
tcclasses (1-7) - either as raw values or as "<priority of corresponding class>
<< 8 | 20". Am I missing something? Where are these priorities defined?
#
# Shorewall version 4 - Tcclasses File
#
# For information about entries in this file, type "man shorewall-tcclasses"
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
#
###############################################################################
#INTERFACE:CLASS MARK RATE:DMAX:UMAX CEIL PRIORITY OPTIONS
e:10 - 10*full/100 full 1 tcp-ack
e:11 - 300kbps 50mbit 4
e:11:12 - 100kbps:50ms:1500b full 4
e:11:13 - 150kbps:100ms:1500b full 5
e:11:14 - 50kbps:375ms:1500b full 6
e:15 - 50kbps:25ms:1500b full 2
e:16 - 50*full/100 full 3
e:17 - 9*full/100 full 7 default
be:20 - 10*full/100 full 1 tcp-ack
be:21 - 400kbps 50mbit 4
be:21:22 - 150kbps:50ms:1500b full 4
be:21:23 - 150kbps:100ms:1500b full 5
be:21:24 - 100kbps:375ms:1500b full 6
be:25 - 50kbps:30ms:1500b full 2
be:26 - 50*full/100 full 3
be:27 - 9*full/100 full 7 default
#
# Shorewall version 4 - Tcdevices File
#
# For information about entries in this file, type "man shorewall-tcdevices"
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
#
###############################################################################
#NUMBER:INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS REDIRECTED INTERFACES
e:eth0 - 1000mbit classify,hfsc
be:ifb0 - 1000mbit hfsc eth0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# Shorewall version 4 - Tcrules File
#
# For information about entries in this file, type "man shorewall-tcrules"
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
# For usage in selecting among multiple ISPs, see
# http://shorewall.net/MultiISP.html
#
# See http://shorewall.net/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism.
######################################################################################################################
#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
# PORT(S) PORT(S)
e:12 $FW 1.2.1.12
e:13 $FW 1.2.1.13
e:14 $FW 1.2.1.14
e:15 $FW 1.2.1.15
e:16 $FW 1.2.1.16
e:17 $FW 1.2.1.17
# See http://shorewall.net/traffic_shaping.htm for additional information.
#
##############################################################################################
#INTERFACE:CLASS SOURCE DEST PROTO DEST SOURCE TOS LENGTH
# PORT(S) PORT(S)
#
# ifb0->eth0
#
be:22 1.1.1.22
be:23 1.1.1.23
be:24 1.1.1.24
be:26 1.1.1.26
be:25 1.1.1.25
be:27 1.1.1.27
#
# Configure Traffic Shaping for eth0
#
setup_eth0_tc() {
    if interface_is_up eth0; then
        qt $TC qdisc del dev eth0 root
        qt $TC qdisc del dev eth0 ingress
        eth0_mtu=$(get_device_mtu eth0)
        eth0_mtu1=$(get_device_mtu1 eth0)
        run_tc qdisc add dev eth0 root handle e: hfsc default 17
        run_tc class add dev eth0 parent e: classid e:1 hfsc sc rate 1000000kbit ul rate 1000000kbit
        [ $eth0_mtu -gt 2500 ] && quantum=$eth0_mtu || quantum=2500
        run_tc class add dev eth0 parent e:1 classid e:10 hfsc sc rate 100000kbit ul rate 1000000kbit
        run_tc qdisc add dev eth0 parent e:10 handle 1: sfq limit 127 perturb 10
        run_tc filter add dev eth0 parent e:0 protocol ip prio 266 u32\
            match ip protocol 6 0xff\
            match u8 0x05 0x0f at 0\
            match u16 0x0000 0xffc0 at 2\
            match u8 0x10 0xff at 33 flowid e:10
        progress_message " TC Class e:10 defined."
        [ $eth0_mtu -gt 60 ] && quantum=$eth0_mtu || quantum=60
        run_tc class add dev eth0 parent e:1 classid e:11 hfsc sc rate 2400kbit ul rate 50000kbit
        progress_message " TC Class e:11 defined."
        [ $eth0_mtu -gt 20 ] && quantum=$eth0_mtu || quantum=20
        run_tc class add dev eth0 parent e:11 classid e:12 hfsc sc umax 1500b dmax 50ms rate 800kbit ul rate 50000kbit
        run_tc qdisc add dev eth0 parent e:12 handle 2: sfq limit 127 perturb 10
        progress_message " TC Class e:12 defined."
        [ $eth0_mtu -gt 30 ] && quantum=$eth0_mtu || quantum=30
        run_tc class add dev eth0 parent e:11 classid e:13 hfsc sc umax 1500b dmax 100ms rate 1200kbit ul rate 50000kbit
        run_tc qdisc add dev eth0 parent e:13 handle 3: sfq limit 127 perturb 10
        progress_message " TC Class e:13 defined."
        [ $eth0_mtu -gt 10 ] && quantum=$eth0_mtu || quantum=10
        run_tc class add dev eth0 parent e:11 classid e:14 hfsc sc umax 1500b dmax 375ms rate 400kbit ul rate 50000kbit
        run_tc qdisc add dev eth0 parent e:14 handle 4: sfq limit 127 perturb 10
        progress_message " TC Class e:14 defined."
        [ $eth0_mtu -gt 10 ] && quantum=$eth0_mtu || quantum=10
        run_tc class add dev eth0 parent e:1 classid e:15 hfsc sc umax 1500b dmax 25ms rate 400kbit ul rate 1000000kbit
        run_tc qdisc add dev eth0 parent e:15 handle 5: sfq limit 127 perturb 10
        progress_message " TC Class e:15 defined."
        [ $eth0_mtu -gt 12500 ] && quantum=$eth0_mtu || quantum=12500
        run_tc class add dev eth0 parent e:1 classid e:16 hfsc sc rate 500000kbit ul rate 1000000kbit
        run_tc qdisc add dev eth0 parent e:16 handle 6: sfq limit 127 perturb 10
        progress_message " TC Class e:16 defined."
        [ $eth0_mtu -gt 2250 ] && quantum=$eth0_mtu || quantum=2250
        run_tc class add dev eth0 parent e:1 classid e:17 hfsc sc rate 90000kbit ul rate 1000000kbit
        run_tc qdisc add dev eth0 parent e:17 handle 7: sfq limit 127 perturb 10
        progress_message " TC Class e:17 defined."
        progress_message " TC Device eth0 defined."
    else
        error_message "WARNING: Device eth0 is not in the UP state -- traffic-shaping configuration skipped"
    fi
}
#
# Configure Traffic Shaping for ifb0
#
setup_ifb0_tc() {
    if interface_is_up ifb0; then
        qt $TC qdisc del dev ifb0 root
        qt $TC qdisc del dev ifb0 ingress
        ifb0_mtu=$(get_device_mtu ifb0)
        ifb0_mtu1=$(get_device_mtu1 ifb0)
        run_tc qdisc add dev ifb0 root handle be: hfsc default 27
        run_tc class add dev ifb0 parent be: classid be:1 hfsc sc rate 1000000kbit ul rate 1000000kbit
        run_tc qdisc add dev eth0 handle ffff: ingress
        run_tc filter add dev eth0 parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev ifb0 > /dev/null
        [ $ifb0_mtu -gt 2500 ] && quantum=$ifb0_mtu || quantum=2500
        run_tc class add dev ifb0 parent be:1 classid be:20 hfsc sc rate 100000kbit ul rate 1000000kbit
        run_tc qdisc add dev ifb0 parent be:20 handle 8: sfq limit 127 perturb 10
        run_tc filter add dev ifb0 parent be:0 protocol ip prio 266 u32\
            match ip protocol 6 0xff\
            match u8 0x05 0x0f at 0\
            match u16 0x0000 0xffc0 at 2\
            match u8 0x10 0xff at 33 flowid be:20
        progress_message " TC Class be:20 defined."
        [ $ifb0_mtu -gt 80 ] && quantum=$ifb0_mtu || quantum=80
        run_tc class add dev ifb0 parent be:1 classid be:21 hfsc sc rate 3200kbit ul rate 50000kbit
        progress_message " TC Class be:21 defined."
        [ $ifb0_mtu -gt 30 ] && quantum=$ifb0_mtu || quantum=30
        run_tc class add dev ifb0 parent be:21 classid be:22 hfsc sc umax 1500b dmax 50ms rate 1200kbit ul rate 50000kbit
        run_tc qdisc add dev ifb0 parent be:22 handle 9: sfq limit 127 perturb 10
        progress_message " TC Class be:22 defined."
        [ $ifb0_mtu -gt 30 ] && quantum=$ifb0_mtu || quantum=30
        run_tc class add dev ifb0 parent be:21 classid be:23 hfsc sc umax 1500b dmax 100ms rate 1200kbit ul rate 50000kbit
        run_tc qdisc add dev ifb0 parent be:23 handle a: sfq limit 127 perturb 10
        progress_message " TC Class be:23 defined."
        [ $ifb0_mtu -gt 20 ] && quantum=$ifb0_mtu || quantum=20
        run_tc class add dev ifb0 parent be:21 classid be:24 hfsc sc umax 1500b dmax 375ms rate 800kbit ul rate 50000kbit
        run_tc qdisc add dev ifb0 parent be:24 handle b: sfq limit 127 perturb 10
        progress_message " TC Class be:24 defined."
        [ $ifb0_mtu -gt 10 ] && quantum=$ifb0_mtu || quantum=10
        run_tc class add dev ifb0 parent be:1 classid be:25 hfsc sc umax 1500b dmax 30ms rate 400kbit ul rate 1000000kbit
        run_tc qdisc add dev ifb0 parent be:25 handle c: sfq limit 127 perturb 10
        progress_message " TC Class be:25 defined."
        [ $ifb0_mtu -gt 12500 ] && quantum=$ifb0_mtu || quantum=12500
        run_tc class add dev ifb0 parent be:1 classid be:26 hfsc sc rate 500000kbit ul rate 1000000kbit
        run_tc qdisc add dev ifb0 parent be:26 handle d: sfq limit 127 perturb 10
        progress_message " TC Class be:26 defined."
        [ $ifb0_mtu -gt 2250 ] && quantum=$ifb0_mtu || quantum=2250
        run_tc class add dev ifb0 parent be:1 classid be:27 hfsc sc rate 90000kbit ul rate 1000000kbit
        run_tc qdisc add dev ifb0 parent be:27 handle f: sfq limit 127 perturb 10
        progress_message " TC Class be:27 defined."
        run_tc filter add dev ifb0 protocol ip parent be:0 prio 10 u32\
            match ip src 1.1.1.22/32\
            flowid be:22
        run_tc filter add dev ifb0 protocol ip parent be:0 prio 10 u32\
            match ip src 1.1.1.23/32\
            flowid be:23
        run_tc filter add dev ifb0 protocol ip parent be:0 prio 10 u32\
            match ip src 1.1.1.24/32\
            flowid be:24
        run_tc filter add dev ifb0 protocol ip parent be:0 prio 10 u32\
            match ip src 1.1.1.26/32\
            flowid be:26
        run_tc filter add dev ifb0 protocol ip parent be:0 prio 10 u32\
            match ip src 1.1.1.25/32\
            flowid be:25
        run_tc filter add dev ifb0 protocol ip parent be:0 prio 10 u32\
            match ip src 1.1.1.27/32\
            flowid be:27
        progress_message " TC Device ifb0 defined."
    else
        error_message "WARNING: Device ifb0 is not in the UP state -- traffic-shaping configuration skipped"
    fi
}
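An added check, not part of this mail or of Shorewall itself: a small script that reads the PRIORITY column of a tcclasses file, applies the (<priority of the corresponding class> << 8) | 20 rule stated in the thread, and compares the result with the prio value of each "tc filter add" in a compiled firewall script. The sample tcclasses entries and filter commands are constructed, modelled on the attachments above; the column layout and the join of backslash-continued lines are assumptions about the files.

```python
import re

# Filter priority the thread says a class's "tc filter add" carries: (<class priority> << 8) | 20.
def filter_prio(class_priority: int) -> int:
    return (class_priority << 8) | 20

# Map classid -> PRIORITY column of a tcclasses file ("be:21:22" = prefix be, parent 21, class 22).
def parse_tcclasses(text: str) -> dict:
    prios = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            fields = line.split()  # INTERFACE:CLASS MARK RATE CEIL PRIORITY OPTIONS
            parts = fields[0].split(":")
            prios[f"{parts[0]}:{parts[-1]}"] = int(fields[4])
    return prios

# (flowid, prio) of every "tc filter add" in a compiled script; backslash-continued
# lines are joined first so a multi-line u32 filter is seen as one command.
FILTER_RE = re.compile(r"filter add dev \S+ .*?\bprio (\d+)\b.*?\bflowid (\S+)")

def parse_filters(script: str) -> list:
    return [(m.group(2), int(m.group(1)))
            for m in FILTER_RE.finditer(script.replace("\\\n", " "))]

# For each filter whose flowid names a known class: (flowid, actual prio, expected prio).
def audit(tcclasses_text: str, script: str) -> list:
    prios = parse_tcclasses(tcclasses_text)
    return [(flowid, actual, filter_prio(prios[flowid]))
            for flowid, actual in parse_filters(script) if flowid in prios]

# Constructed sample input, modelled on the tcclasses file and firewall_tc attached above.
SAMPLE_TCCLASSES = """\
#INTERFACE:CLASS MARK RATE CEIL PRIORITY OPTIONS
be:20 - 10*full/100 full 1 tcp-ack
be:21:22 - 150kbps:50ms:1500b full 4
"""
SAMPLE_SCRIPT = """\
run_tc filter add dev ifb0 parent be:0 protocol ip prio 266 u32\\
match ip protocol 6 0xff\\
match u8 0x10 0xff at 33 flowid be:20
run_tc filter add dev ifb0 protocol ip parent be:0 prio 10 u32\\
match ip src 1.1.1.22/32\\
flowid be:22
"""
if __name__ == "__main__":
    for flowid, actual, expected in audit(SAMPLE_TCCLASSES, SAMPLE_SCRIPT):
        print(f"{flowid}: prio {actual}, expected {expected}",
              "ok" if actual == expected else "MISMATCH")
```

Run against a real /etc/shorewall/tcclasses and the output of shorewall compile, a MISMATCH line is the quickest way to see which generated filters do not carry the priority the class was given.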
Shorewall-devel mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-devel