Member "shorewall-docs-xml-5.2.8/simple_traffic_shaping.xml" (24 Sep 2020, 16609 Bytes) of package /linux/misc/shorewall/shorewall-docs-xml-5.2.8.tar.bz2:



<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article>
  <!--$Id$-->

  <articleinfo>
    <title>Simple Traffic Shaping/Control</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
      <year>2009</year>

      <year>2010</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <section>
    <title>Introduction</title>

    <para>Traffic shaping and control was originally introduced into Shorewall
    in version 2.2.5. That facility was based on Arne Bernin's
    <firstterm>tc4shorewall</firstterm> and is generally felt to be complex
    and difficult to use.</para>

    <para>In Shorewall 4.4.6, a second traffic shaping facility that is simple
    to understand and to configure was introduced. This newer facility is
    described in this document while the original facility is documented in
    <ulink url="traffic_shaping.htm">Complex Traffic
    Shaping/Control</ulink>.</para>

    <para>In the absence of any traffic shaping, interfaces are configured
    automatically with the pfifo_fast <firstterm>queuing
    discipline</firstterm> (qdisc). From tc-pfifo_fast(8):</para>

    <blockquote>
      <para>The algorithm is very similar to that of the classful tc-prio(8)
      qdisc. pfifo_fast is like three tc-pfifo(8) queues side by side, where
      packets can be enqueued in any of the three bands based on their Type of
      Service bits or assigned priority.</para>

      <para>Not all three bands are dequeued simultaneously - as long as lower
      bands have traffic, higher bands are never dequeued. This can be used to
      prioritize interactive traffic or penalize ’lowest cost’ traffic.</para>

      <para>Each band can be txqueuelen packets long, as configured with
      ifconfig(8) or ip(8). Additional packets coming in are not enqueued but
      are instead dropped.</para>

      <para>See tc-prio(8) for complete details on how TOS bits are translated
      into bands.</para>
    </blockquote>

    <para>In other words, if all you want is strict priority queuing, then do
    nothing.</para>

    <para>Shorewall's Simple Traffic Shaping configures the prio
    qdisc (tc-prio(8)) on the designated interface, then adds a
    <firstterm>Stochastic Fair Queuing</firstterm> sfq (tc-sfq(8)) qdisc to
    each of the classes that are implicitly created for the prio qdisc. The
    sfq qdisc ensures fairness among packets queued in each of the classes
    such that each <firstterm>flow</firstterm> (session) gets its turn to send
    packets. The definition of flows can be altered to include all traffic
    being sent <emphasis>by</emphasis> a given IP address (normally defined
    for an external interface) or all traffic being sent
    <emphasis>to</emphasis> a given IP address (internal interface).</para>

    <para>Finally, Simple Traffic Shaping allows you to set a limit on the
    total bandwidth allowed out of an interface. It does this by inserting a
    Token Bucket Filter (tbf) qdisc ahead of the prio qdisc. Note that this
    can have the effect of defeating the priority queuing provided by the prio
    qdisc but seems to provide a benefit when the actual link output
    temporarily drops below the limit imposed by tbf or when tbf allows a
    burst of traffic to be released.</para>

    <caution>
      <para>IPSec traffic passes through traffic shaping twice - once en clair
      and once encrypted and encapsulated. As a result, throughput may be
      significantly less than configured if IPSEC packets form a significant
      percentage of the traffic being shaped.</para>
    </caution>
  </section>

  <section>
    <title>Enabling Simple Traffic Shaping</title>

    <para>Simple traffic shaping is enabled by setting TC_ENABLED=Simple in
    <ulink url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5). You
    then add an entry for your external interface to <ulink
    url="manpages/shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5)
    (<filename>/etc/shorewall/tcinterfaces</filename>).</para>

    <para>Assuming that your external interface is eth0:</para>

    <programlisting>#INTERFACE             TYPE          IN-BANDWIDTH        OUT-BANDWIDTH
eth0                   External</programlisting>

    <note>
      <para>If you experience an error such as the following during
      <command>shorewall start</command> or <command>shorewall
      restart</command>, your kernel and iproute do not support the <emphasis
      role="bold">flow</emphasis> classifier. In that case, you must leave the
      TYPE column empty (or specify '-').</para>

      <programlisting>Unknown filter "flow", hence option "hash" is unparsable
   ERROR: Command "tc filter add dev eth0 protocol all prio 1 parent 11: handle 11 flow hash keys nfct-src divisor 1024" Failed</programlisting>

      <para>RHEL5-based systems such as <trademark>CentOS</trademark> 5 and
      <trademark>Foobar</trademark> 5 are known to experience this
      error.</para>

      <para><emphasis role="bold">Update</emphasis>: Beginning with Shorewall
      4.4.7, Shorewall can determine that some environments, such as RHEL5 and
      derivatives, are incapable of using the TYPE parameter and simply ignore
      it.</para>
    </note>

    <para>With this simple configuration, packets to be sent through interface
    eth0 will be assigned to a priority band based on the value of their TOS
    field:</para>

    <programlisting>TOS     Bits  Means                    Linux Priority    BAND
------------------------------------------------------------
0x0     0     Normal Service           0 Best Effort     2
0x2     1     Minimize Monetary Cost   1 Filler          3
0x4     2     Maximize Reliability     0 Best Effort     2
0x6     3     mmc+mr                   0 Best Effort     2
0x8     4     Maximize Throughput      2 Bulk            3
0xa     5     mmc+mt                   2 Bulk            3
0xc     6     mr+mt                    2 Bulk            3
0xe     7     mmc+mr+mt                2 Bulk            3
0x10    8     Minimize Delay           6 Interactive     1
0x12    9     mmc+md                   6 Interactive     1
0x14    10    mr+md                    6 Interactive     1
0x16    11    mmc+mr+md                6 Interactive     1
0x18    12    mt+md                    4 Int. Bulk       2
0x1a    13    mmc+mt+md                4 Int. Bulk       2
0x1c    14    mr+mt+md                 4 Int. Bulk       2
0x1e    15    mmc+mr+mt+md             4 Int. Bulk       2</programlisting>

    <para>When dequeueing, band 1 is tried first and only if it did not
    deliver a packet does the system try band 2, and so on. Maximum
    reliability packets should therefore go to band 1, minimum delay to band 2
    and the rest to band 3.</para>

    <note>
      <para>If you run both an IPv4 and an IPv6 firewall on your system, you
      should define each interface in only one of the two
      configurations.</para>
    </note>
  </section>

  <section>
    <title>Customizing Simple Traffic Shaping</title>

    <para>The default mapping of TOS to bands can be changed using the
    TC_PRIOMAP setting in <ulink
    url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5). The default
    setting of this option is:</para>

    <programlisting>TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"</programlisting>

    <para>These entries map Linux Priority to priority BAND. So only entries
    0, 1, 2, 4 and 6 in the map are relevant to TOS-&gt;BAND mapping.</para>
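
    <para>The TOS-to-band mapping above, worked as code. This is an added
    example, not Shorewall's own code: it derives the table's Linux Priority
    column from the four TOS bits and applies a TC_PRIOMAP string to it, so a
    custom map can be checked before it is put into shorewall.conf.</para>

```python
"""TOS byte -> Linux priority -> band, as the table above and TC_PRIOMAP define.
Added example, not Shorewall code; it reproduces the documented mapping."""

# Linux priority for each value of the four TOS bits (bits 1-4 of the TOS byte,
# the "Bits" column above); reproduces the "Linux Priority" column.
TOS_BITS_TO_PRIO = [0, 1, 0, 0, 2, 2, 2, 2, 6, 6, 6, 6, 4, 4, 4, 4]
DEFAULT_PRIOMAP = "2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"  # shorewall.conf default

def parse_priomap(setting):
    """Validate a TC_PRIOMAP value: 16 entries, each a band 1-3."""
    bands = [int(b) for b in setting.split()]
    if len(bands) != 16 or any(b not in (1, 2, 3) for b in bands):
        raise ValueError("TC_PRIOMAP needs 16 entries in the range 1-3")
    return bands

def tos_to_band(tos, priomap=DEFAULT_PRIOMAP):
    """Band (1-3) for a packet whose TOS byte is tos; bits 0 and 5-7 are ignored."""
    prio = TOS_BITS_TO_PRIO[(tos >> 1) & 0xF]
    return parse_priomap(priomap)[prio]

def band_column(priomap=DEFAULT_PRIOMAP):
    """The BAND column of the table above, for TOS 0x0, 0x2, ..., 0x1e."""
    return [tos_to_band(tos, priomap) for tos in range(0, 0x20, 2)]

def relevant_entries(priomap=DEFAULT_PRIOMAP):
    """Only map entries 0, 1, 2, 4 and 6 can be reached from a TOS value."""
    bands = parse_priomap(priomap)
    return {p: bands[p] for p in sorted(set(TOS_BITS_TO_PRIO))}
```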

    <para>Further customizations can be defined in <ulink
    url="manpages/shorewall-tcpri.html">shorewall-tcpri</ulink>(5)
    (<filename>/etc/shorewall/tcpri</filename>). Using that file, you
    can:</para>

    <orderedlist>
      <listitem>
        <para>Assign traffic entering the firewall on a particular interface
        to a specific priority band:</para>

        <programlisting>?FORMAT 2
#BAND         PROTO         DPORT    SPORT     ADDRESS             INTERFACE        HELPER
2               -             -        -          -                eth1</programlisting>

        <para>In this example, traffic from eth1 will be assigned to priority
        band 2.</para>

        <note>
          <para>When an INTERFACE is specified, the PROTO, DPORT and ADDRESS
          columns must contain '-'.</para>
        </note>
      </listitem>

      <listitem>
        <para>Assign traffic from a particular IP address to a specific
        priority band:</para>

        <programlisting>?FORMAT 2
#BAND         PROTO         DPORT    SPORT     ADDRESS             INTERFACE        HELPER
1               -             -        -       192.168.1.44</programlisting>

        <para>In this example, traffic from 192.168.1.44 will be assigned to
        priority band 1.</para>

        <note>
          <para>When an ADDRESS is specified, the PROTO, DPORT, SPORT and
          INTERFACE columns must be empty.</para>
        </note>
      </listitem>

      <listitem>
        <para>Assign traffic to/from a particular application to a specific
        priority band:</para>

        <programlisting>#BAND         PROTO         PORT            ADDRESS             INTERFACE        HELPER
1             tcp           22</programlisting>

        <para>In that example, SSH traffic is assigned to priority band 1. In
        file format 2, the above would be as follows:</para>

        <programlisting>#BAND         PROTO         DPORT       SPORT     ADDRESS             INTERFACE        HELPER
1             tcp           22
1             tcp             -         22</programlisting>

        <para>In other words, in file format 1, the compiler generates rules
        for traffic from client to server and from server to client. In format
        2, separate tcpri rules are required.</para>
      </listitem>

      <listitem>
        <para>Assign traffic that uses a particular Netfilter helper to a
        particular priority band:</para>

        <programlisting>#BAND         PROTO         DPORT           ADDRESS             INTERFACE        HELPER
1               -             -             -                   -                sip</programlisting>

        <para>In this example, SIP and associated RTP traffic will be assigned
        to priority band 1 (assuming that the nf_conntrack_sip helper is
        loaded).</para>
      </listitem>
    </orderedlist>

    <para>It is suggested that entries specifying an INTERFACE be placed at
    the top of the file. That way, the band assigned to a particular packet
    will be the <emphasis role="bold">last</emphasis> entry matched by the
    packet. Packets which match no entry in <ulink
    url="manpages/shorewall-tcpri.html">shorewall-tcpri</ulink>(5) are
    assigned to priority bands using their TOS field as previously
    described.</para>
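
    <para>The last-match rule, the format 1 versus format 2 port handling
    and the column constraints from the notes above, as an added example that
    is not Shorewall's own code. The packet dictionary layout and the match
    function are assumptions made for this illustration; the sample tcpri
    text is taken from the IPv4 example in the combined-configuration section
    below.</para>

```python
"""Pick a band the way /etc/shorewall/tcpri entries do: the band of the LAST
matching entry wins; no match means the TOS default (returned as None).
Added example, not Shorewall code; the packet dict layout is an assumption."""
import ipaddress

WILD = ('', '-')  # an empty or '-' column matches anything
# The IPv4 tcpri example from the combined-configuration section (format 1).
SAMPLE_TCPRI = """COMMENT  All DMZ traffic in band 3 by default
3   -       -       70.90.191.124/31
2   udp     53
1   icmp            8
"""

def _entry(band, proto, dport, sport, addr, iface, helper, either_port):
    e = dict(band=int(band), proto=proto, dport=dport, sport=sport, addr=addr,
             iface=iface, helper=helper, either_port=either_port)
    # Column constraints stated in the notes above.
    if iface not in WILD and any(e[k] not in WILD for k in ('proto', 'dport', 'addr')):
        raise ValueError('INTERFACE entry: PROTO, DPORT and ADDRESS must be -')
    if addr not in WILD and any(e[k] not in WILD for k in ('proto', 'dport', 'sport', 'iface')):
        raise ValueError('ADDRESS entry: PROTO, DPORT, SPORT and INTERFACE must be empty')
    return e

def parse_tcpri(text):
    # Format 1: BAND PROTO PORT ADDRESS INTERFACE HELPER; ?FORMAT 2 inserts SPORT after DPORT.
    fmt, entries = 1, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or line.startswith('COMMENT'):
            continue
        if line.startswith('?FORMAT'):
            fmt = int(line.split()[1])
            continue
        cols = line.split()
        if fmt == 1:
            band, proto, port, addr, iface, helper = cols + ['-'] * (6 - len(cols))
            # One PORT column covers both directions (the two rules the compiler emits).
            entries.append(_entry(band, proto, port, port, addr, iface, helper, True))
        else:
            entries.append(_entry(*(cols + ['-'] * (7 - len(cols))), either_port=False))
    return entries

def _ok(want, got):
    return want in WILD or want == got

def _matches(e, pkt):
    dport, sport = str(pkt.get('dport', '')), str(pkt.get('sport', ''))
    if e['either_port']:
        port_ok = e['dport'] in WILD or e['dport'] in (dport, sport)
    else:
        port_ok = _ok(e['dport'], dport) and _ok(e['sport'], sport)
    addr_ok = e['addr'] in WILD or (ipaddress.ip_address(pkt['src'])
                                    in ipaddress.ip_network(e['addr'], strict=False))
    return (port_ok and addr_ok and _ok(e['proto'], pkt['proto'])
            and _ok(e['iface'], pkt.get('iface')) and _ok(e['helper'], pkt.get('helper')))

def classify(entries, pkt):
    """Band of the last matching entry, or None for the TOS-based default."""
    bands = [e['band'] for e in entries if _matches(e, pkt)]
    return bands[-1] if bands else None
```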

    <para>One cause of high latency on interactive traffic can be that queues
    are building up at your ISP's gateway router. If you suspect that is
    happening in your case, you can try to eliminate the problem by using the
    IN-BANDWIDTH setting in <ulink
    url="manpages/shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5).
    The contents of the column are a <replaceable>rate</replaceable>. For
    defining the rate, use <emphasis role="bold">kbit</emphasis> or <emphasis
    role="bold">kbps</emphasis> (for Kilobytes per second) and make sure there
    is NO space between the number and the unit (it is 100kbit not 100 kbit).
    <emphasis role="bold">mbit</emphasis>, <emphasis
    role="bold">mbps</emphasis> or a raw number (which means bytes) can be
    used, but note that before Shorewall 4.4.13 only integer numbers were
    supported (0.5 was not valid). To pick an appropriate setting, we
    recommend that you start by setting IN-BANDWIDTH significantly below your
    measured download bandwidth (20% or so). While downloading, measure the
    ping response time from the firewall to the upstream router as you
    gradually increase the setting. The optimal setting is at the point beyond
    which the ping time increases sharply as you increase the setting.</para>

    <para>Simple Traffic Shaping is only appropriate on interfaces where
    output queuing occurs. As a consequence, you usually only use it on
    external interfaces. There are cases where you may need to use it on an
    internal interface (a VPN interface, for example). If so, just add an
    entry to <ulink
    url="manpages/shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5):</para>

    <programlisting>#INTERFACE             TYPE          IN-BANDWIDTH
tun0                   Internal</programlisting>

    <para>For fast lines, the actual download rate may be significantly less
    than the specified IN-BANDWIDTH. Beginning with Shorewall 4.4.13, you can
    specify an optional burst.</para>

    <para>Also beginning with Shorewall 4.4.13, an OUT-BANDWIDTH column is
    available in <ulink
    url="manpages/shorewall-tcpri.html">shorewall-tcpri</ulink>(5). Limiting
    outgoing bandwidth can have a positive effect on latency for
    applications like VOIP. We recommend that you begin with a setting that is
    at least 20% less than your measured upload rate and then gradually
    increase it until latency becomes unacceptable. Then reduce it back to the
    point where latency is acceptable.</para>
  </section>

  <section>
    <title>Combined IPv4/IPv6 Simple TC Configuration</title>

    <para>Beginning with Shorewall 4.4.19, a combined configuration is
    possible. To do that:</para>

    <itemizedlist>
      <listitem>
        <para>Set TC_ENABLED=Simple in both
        <filename>/etc/shorewall/shorewall.conf</filename> and
        <filename>/etc/shorewall6/shorewall6.conf</filename>.</para>
      </listitem>

      <listitem>
        <para>Configure your interface(s) in
        <filename>/etc/shorewall/tcinterfaces</filename>.</para>
      </listitem>

      <listitem>
        <para>Add entries to <filename>/etc/shorewall/tcpri</filename> and
        <filename>/etc/shorewall6/tcpri</filename> as desired. Entries in the
        former classify IPv4 traffic and entries in the latter classify IPv6
        traffic.</para>
      </listitem>
    </itemizedlist>

    <para>Example:</para>

    <para><filename>/etc/shorewall/tcinterfaces</filename>:</para>

    <programlisting>#INTERFACE    TYPE        IN-BANDWIDTH            OUT-BANDWIDTH
eth0        External    50mbit:200kb            6.0mbit:100kb:200ms:100mbit:1516</programlisting>

    <para><filename>/etc/shorewall/tcpri</filename>:</para>

    <programlisting>#BAND   PROTO       DPORT       ADDRESS     INTERFACE   HELPER
COMMENT  All DMZ traffic in band 3 by default
3   -       -       70.90.191.124/31
COMMENT Bit Torrent is in band 3
3   ipp2p:all   bit
COMMENT But give a boost to DNS queries
2   udp     53
COMMENT And place echo requests in band 1 to avoid false line-down reports
1   icmp            8
</programlisting>

    <para><filename>/etc/shorewall6/tcpri</filename>:</para>

    <programlisting>#BAND   PROTO       DPORT       ADDRESS     INTERFACE   HELPER
COMMENT  All DMZ traffic in band 3 by default
3   -       -       2001:470:b:227::40/124
COMMENT But give a boost to DNS queries
2   udp     53
COMMENT And place echo requests in band 1 to avoid false line-down reports
1   icmp            8
</programlisting>
  </section>

  <section>
    <title>Additional Reading</title>

    <para>The PRIO(8) (tc-prio) manpage has additional information on the
    facility that Shorewall Simple Traffic Shaping is based on.</para>

    <caution>
      <para>Please note that Shorewall numbers the bands 1-3 whereas PRIO(8)
      refers to them as bands 0-2.</para>
    </caution>

    <para>If you encounter performance problems after enabling simple traffic
    shaping, check out <ulink url="FAQ.htm#faq97">FAQ 97</ulink> and <ulink
    url="FAQ.htm#faq97a">FAQ 97a</ulink>.</para>
  </section>
</article>