SHOREWALL-TCCLASSES(5) | Configuration Files | SHOREWALL-TCCLASSES(5) |
tcclasses - Shorewall file to define HTB and HFSC classes
/etc/shorewall[6]/tcclasses
A note on the rate/bandwidth definitions used in this file:
kpbs
mbps
kbit
mbit
bps or number
full/3
full*9/10
Note that in a sub-class (a class that has a specified parent class), full refers to the RATE or CEIL of the parent class rather than to the OUT-BANDWIDTH of the device.
DO NOT add a unit to the rate if it is calculated !
The columns in the file are as follows.
INTERFACE - interface[[:parent]:class]
You may specify the interface number rather than the interface name. If the classify option is given for the interface in shorewall-tcdevices[1](5), then you must also specify an interface class (an integer that must be unique within classes associated with this interface). If the classify option is not given, you may still specify a class or you may have Shorewall generate a class number from the MARK value. Interface numbers and class numbers are always assumed to be specified in hex and class number 1 is reserved as the root class of the queuing discipline.
You may NOT specify wildcards here, e.g. if you have multiple ppp interfaces, you need to put them all in here!
Please note that you can only use interface names in here that have a bandwidth defined in the shorewall-tcdevices[1](5) file.
Normally, all classes defined here are sub-classes of a root class that is implicitly defined from the entry in shorewall-tcdevices[1](5). You can establish a class hierarchy by specifying a parent class -- the number of a class that you have previously defined. The sub-class may borrow unused bandwidth from its parent.
MARK - {-|value[:priority]}
The priority, if specified, is an integer in the range 1-65535 and determines the relative order in which the tc mark classification filter for this class is to be applied to packets being sent on the interface. Filters are applied in ascending numerical order. If not supplied, the value is derived from the class priority (PRIORITY column value below): (class priority << 8) | 20.
RATE - {-|rate[:dmax[:umax]]}
When using the HFSC queuing discipline, this column specify the real-time (RT) service curve. leaf classes may specify dmax, the maximum delay in milliseconds that the first queued packet for this class should experience. May be expressed as an integer, optionally followed by 'ms' with no intervening white-space (e.g., 10ms).
HFSC leaf classes may also specify umax, the largest packet expected in this class. May be expressed as an integer. The unit of measure is bytes and the integer may be optionally followed by 'b' with no intervening white-space (e.g., 800b). umax may only be given if dmax is also given.
Beginning with Shorewall 4.5.6, HFSC classes may omit this column (e.g, '-' in the column), provided that an lsrate is specified (see CEIL below). These rates are used to arbitrate between classes of the same priority.
CEIL - [lsrate:]rate
You can use the value full in here for setting the maximum bandwidth to the RATE of the parent class, or the OUT-BANDWIDTH of the device if there is no parent class.
Beginning with Shorewall 4.5.6, you can also specify an lsrate (link sharing rate).
PRIORITY - priority
Higher priority classes will experience less delay since they are serviced first. Priority values are serviced in ascending order (e.g. 0 is higher priority than 1).
Classes may be set to the same priority, in which case they will be serviced as equals. For both HTB and HFSC, the priority is used to calculate the priority of following Shorewall-generated classification filters that refer to the class:
The rules for classes with lower numeric priorities will appear before those with higher numeric priorities.
Beginning with Shorewall 4.5.8, the PRIORITY may be omitted from an HFSC class if you do not use the MARK column or the tcp-ack or tos options. If you use any of those features and omit the PRIORITY, then you must specify a priority along with the MARK or option.
OPTIONS (Optional) - [option[,option]...]
default
tos=0xvalue[/0xmask][:priority] (mask defaults to 0xff)
Beginning with Shorewall 4.5.8, the value/mask may be followed by a colon (":") and a priority. This priority determines the order in which filter rules are processed during packet classification. If not specified, the value (class priority << 8) | 15) is used.
tos-tosname[:priority]
Beginning with Shorewall 4.5.8, the tos-name may be followed by a colon (":") and a priority. This priority determines the order in which filter rules are processed during packet classification. If not specified, the value (class priority << 8) | 15) is used.
tos-minimize-delay 0x10/0x10
tos-maximize-throughput 0x08/0x08
tos-maximize-reliability 0x04/0x04
tos-minimize-cost 0x02/0x02
tos-normal-service 0x00/0x1e
tcp-ack[:priority]
Beginning with Shorewall 4.5.8, the tcp-ack may be followed by a colon (":") and a priority. This priority determines the order in which filter rules are processed during packet classification. If not specified, the value (class priority << 8) | 10) is used.
occurs=number
When 'occurs' is used:
The 'RATE' and 'CEIL' parameters apply to each instance of the class. So the total RATE represented by an entry with 'occurs' will be the listed RATE multiplied by number. For additional information, see shorewall-tcrules[3] (5).
flow=keys
When more than one key is give, they must be enclosed in parenthesis and separated by commas.
To see a list of the possible flow keys, run this command: tc filter add flow help Those that begin with "nfct-" are Netfilter connection tracking fields. As shown above, we recommend flow=nfct-src; that means that we want to use the source IP address before NAT as the key.
pfifo
limit=number
red=(redoption=value, ...)
Allowable redoptions are:
min min
max max
probability probability
limit limit
burst burst
avpkt avpkt
bandwidth bandwidth
ecn
fq_codel[=(codeloption=value, ...)]
Allowable codeloptions are:
limit
flows
target
interval
quantum
ecn | noecn
Example 1:
The voice traffic in the first class will be guaranteed a minimum of 100kbps and always be serviced first (because of the low priority number, giving less delay) and will be granted excess bandwidth (up to 180kbps, the class ceiling) first, before any other traffic. A single VoIP stream, depending upon codecs, after encapsulation, can take up to 80kbps on a PPPoE/DSL link, so we pad a little bit just in case. (TOS byte values 0xb8 and 0x68 are DiffServ classes EF and AFF3-1 respectively and are often used by VOIP devices).
Interactive traffic (tos-minimum-delay) and TCP acks (and ICMP echo traffic if you use the example in tcrules) and any packet with a mark of 2 will be guaranteed 1/4 of the link bandwidth, and may extend up to full speed of the link.
Unclassified traffic and packets marked as 3 will be guaranteed 1/4th of the link bandwidth, and may extend to the full speed of the link.
Packets marked with 4 will be treated as low priority packets. (The tcrules example marks p2p traffic as such.) If the link is congested, they're only guaranteed 1/8th of the speed, and even if the link is empty, can only expand to 80% of link bandwidth just as a precaution in case there are upstream queues we didn't account for. This is the last class to get additional bandwidth and the last to get serviced by the scheduler because of the low priority.
#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
ppp0 1 100kbit 180kbit 1 tos=0x68/0xfc,tos=0xb8/0xfc
ppp0 2 full/4 full 2 tcp-ack,tos-minimize-delay
ppp0 3 full/4 full 3 default
ppp0 4 full/8 full*8/10 4
/etc/shorewall/tcclasses
/etc/shorewall6/tcclasses
https://shorewall.org/traffic_shaping.htm[4]
https://shorewall.org/configuration_file_basics.htm#Pairs[5]
09/24/2020 | Configuration Files |