<\/a> <\/h2>\nA note on the rate<\/i>\/bandwidth definitions used in this file:<\/p>\n
\u2022 don’t use a space between the integer value and the unit: 30kbit is valid while 30 kbit is NOT.<\/p>\n
\u2022 you can use one of the following units:<\/p>\n
kpbs<\/b><\/p>\n
Kilobytes per second.<\/p>\n
mbps<\/b><\/p>\n
Megabytes per second.<\/p>\n
kbit<\/b><\/p>\n
Kilobits per second.<\/p>\n
mbit<\/b><\/p>\n
Megabits per second.<\/p>\n
bps<\/b> or number<\/b><\/p>\n
Bytes per second.<\/p>\n
\u2022 if you want the values to be calculated for you depending on the output bandwidth setting defined for an interface in tcdevices, you can use expressions like the following:<\/p>\n
full\/3<\/p>\n
causes the bandwidth to be calculated as 1\/3 of the full outgoing speed that is defined.<\/p>\n
full*9\/10<\/p>\n
will set this bandwidth to 9\/10 of the full bandwidth<\/p>\n
Note that in a sub\u2212class (a class that has a specified parent class), full refers to the RATE or CEIL of the parent class rather than to the OUT\u2212BANDWIDTH of the device.<\/p>\n
DO NOT add a unit to the rate if it is calculated !<\/p>\n
The columns in the file are as follows.<\/p>\n
INTERFACE<\/b> \u2212 interface<\/i>[[:parent<\/i>]:class<\/i>]<\/p>\n
Name of interface<\/i>.<\/p>\n
You may specify the interface number rather than the interface name. If the classify<\/b> option is given for the interface in shorewall\u2212tcdevices<\/font><\/b> [1]<\/font><\/small> (5), then you must also specify an interface class (an integer that must be unique within classes associated with this interface). If the classify option is not given, you may still specify a class<\/i> or you may have Shorewall generate a class number from the MARK value. Interface numbers and class numbers are always assumed to be specified in hex and class number 1 is reserved as the root class of the queuing discipline.<\/font><\/p>\nYou may NOT specify wildcards here, e.g. if you have multiple ppp interfaces, you need to put them all in here!<\/font><\/p>\nPlease note that you can only use interface names in here that have a bandwidth defined in the<\/font> shorewall\u2212tcdevices<\/font><\/b> [1]<\/font><\/small> (5) file.<\/font><\/p>\nNormally, all classes defined here are sub\u2212classes of a root class that is implicitly defined from the entry in<\/font> shorewall\u2212tcdevices<\/font><\/b> [1]<\/font><\/small> (5). You can establish a class hierarchy by specifying a parent<\/i> class \u2212\u2212 the number of a class that you have previously defined. The sub\u2212class may borrow unused bandwidth from its parent.<\/font><\/p>\nMARK<\/b> \u2212 {\u2212|value<\/i>[:priority<\/i>]}<\/font><\/p>\nThe mark value<\/i> which is an integer in the range 1\u2212255. You set mark values in the<\/font> shorewall\u2212mangle<\/font><\/b> [2]<\/font><\/small> (5) file, marking the traffic you want to fit in the classes defined in here. You can use the same marks for different interfaces.<\/font><\/p>\nThe priority<\/i>, if specified, is an integer in the range 1\u221265535 and determines the relative order in which the tc mark classification filter for this class is to be applied to packets being sent on the interface<\/i>. Filters are applied in ascending numerical order. If not supplied, the value is derived from the class priority (PRIORITY column value below): (class priority<\/i> << 8) | 20.<\/font><\/p>\nRATE<\/b> \u2212 {\u2212|rate<\/i>[:dmax<\/i>[:umax<\/i>]]}<\/font><\/p>\nThe minimum bandwidth this class should get, when the traffic load rises. If the sum of the rates in this column exceeds the INTERFACE’s OUT\u2212BANDWIDTH, then the OUT\u2212BANDWIDTH limit may not be honored. Similarly, if the sum of the rates of sub\u2212classes of a class exceed the CEIL of the parent class, things don’t work well.<\/font><\/p>\nWhen using the HFSC queuing discipline, this column specify the real\u2212time (RT) service curve. leaf classes may specify dmax<\/i>, the maximum delay in milliseconds that the first queued packet for this class should experience. May be expressed as an integer, optionally followed by ‘ms’ with no intervening white\u2212space (e.g., 10ms).<\/font><\/p>\nHFSC leaf classes may also specify umax<\/i>, the largest packet expected in this class. May be expressed as an integer. The unit of measure is bytes<\/i> and the integer may be optionally followed by ‘b’ with no intervening white\u2212space (e.g., 800b). umax<\/i> may only be given if dmax<\/i> is also given.<\/font><\/p>\nBeginning with Shorewall 4.5.6, HFSC classes may omit this column (e.g, ‘\u2212’ in the column), provided that an lsrate<\/i> is specified (see CEIL below). These rates are used to arbitrate between classes of the same priority.<\/font><\/p>\nCEIL<\/b> \u2212 [lsrate<\/i>:]rate<\/i><\/font><\/p>\nThe maximum bandwidth this class is allowed to use when the link is idle. Useful if you have traffic which can get full speed when more needed services (e.g. ssh) are not used.<\/font><\/p>\nYou can use the value full<\/b> in here for setting the maximum bandwidth to the RATE of the parent class, or the OUT\u2212BANDWIDTH of the device if there is no parent class.<\/font><\/p>\nBeginning with Shorewall 4.5.6, you can also specify an lsrate<\/i> (link sharing rate).<\/font><\/p>\nPRIORITY<\/b> \u2212 priority<\/i><\/font><\/p>\nFor HTB: The priority<\/i> in which classes will be serviced by the packet shaping scheduler and also the priority in which bandwidth in excess of the rate will be given to each class.<\/font><\/p>\nHigher priority classes will experience less delay since they are serviced first. Priority values are serviced in ascending order (e.g. 0 is higher priority than 1).<\/font><\/p>\nClasses may be set to the same priority, in which case they will be serviced as equals. For both HTB and HFSC, the priority<\/i> is used to calculate the priority of following Shorewall\u2212generated classification filters that refer to the class:<\/font><\/p>\n\u2022 Packet MARK<\/font><\/p>\n\u2022 tcp\u2212ack<\/b> and the tos<\/b> options (see below)<\/font><\/p>\nThe rules for classes with lower numeric priorities will appear before those with higher numeric priorities.<\/font><\/p>\nBeginning with Shorewall 4.5.8, the PRIORITY may be omitted from an HFSC class if you do not use the MARK column or the tcp\u2212ack<\/b> or tos<\/b> options. If you use any of those features and omit the PRIORITY, then you must specify a priority<\/i> along with the MARK or option.<\/font><\/p>\nOPTIONS<\/b> (Optional) \u2212 [option<\/i>[,<\/b>option<\/i>]…]<\/font><\/p>\nA comma\u2212separated list of options including the following:<\/font><\/p>\ndefault<\/b><\/font><\/p>\nThis is the default class for that interface where all traffic should go, that is not classified otherwise.<\/font><\/p>\nNote<\/big><\/b>
You must define default<\/b> for exactly one class per interface.<\/font><\/p>\ntos=0x<\/big><\/b>value<\/i>[\/0xmask<\/i>][:priority<\/i>] (mask defaults to 0xff)<\/big><\/font><\/p>\nThis lets you define a classifier for the given value<\/i>\/mask<\/i> combination of the IP packet’s TOS\/Precedence\/DiffSrv octet (aka the TOS byte).<\/big><\/font><\/p>\nBeginning with Shorewall 4.5.8, the value\/mask<\/i> may be followed by a colon (“:”) and a priority<\/i>. This priority determines the order in which filter rules are processed during packet classification. If not specified, the value (class priority<\/i> << 8) | 15) is used.<\/big><\/font><\/p>\ntos\u2212<\/b>tosname<\/i>[:priority<\/i>]<\/big><\/font><\/p>\nAliases for the following TOS octet value and mask encodings. TOS encodings of the “TOS byte” have been deprecated in favor of diffserve classes, but programs like ssh, rlogin, and ftp still use them.<\/big><\/font><\/p>\nBeginning with Shorewall 4.5.8, the tos\u2212name<\/i> may be followed by a colon (“:”) and a priority<\/i>. This priority determines the order in which filter rules are processed during packet classification. If not specified, the value (class priority<\/i> << 8) | 15) is used.<\/big><\/font><\/p>\ntos\u2212minimize\u2212delay<\/b> 0x10\/0x10
tos\u2212maximize\u2212throughput<\/b> 0x08\/0x08
tos\u2212maximize\u2212reliability<\/b> 0x04\/0x04
tos\u2212minimize\u2212cost<\/b> 0x02\/0x02
tos\u2212normal\u2212service<\/b> 0x00\/0x1e<\/big><\/font><\/p>\nNote<\/big><\/b>
Each of these options is only valid for ONE class per interface.<\/big><\/font><\/p>\ntcp\u2212ack[:<\/big><\/b>priority<\/i>]<\/b><\/big><\/big><\/font><\/p>\nIf defined, causes a tc filter to be created that puts all tcp ack packets on that interface that have a size of <=64 Bytes to go in this class. This is useful for speeding up downloads. Please note that the size of the ack packets is limited to 64 bytes because we want only packets WITHOUT payload to match.<\/big><\/big><\/font><\/p>\nBeginning with Shorewall 4.5.8, the tcp\u2212ack<\/b> may be followed by a colon (“:”) and a priority<\/i>. This priority determines the order in which filter rules are processed during packet classification. If not specified, the value (class priority<\/i> << 8) | 10) is used.<\/big><\/big><\/font><\/p>\nNote<\/big><\/b>
This option is only valid for ONE class per interface.<\/big><\/big><\/font><\/p>\noccurs<\/big><\/b>=number<\/i><\/big><\/big><\/big><\/font><\/p>\nTypically used with an IPMARK entry in tcrules. Causes the rule to be replicated for a total of number<\/i> rules. Each rule has a successively class number and mark value.<\/big><\/big><\/big><\/font><\/p>\nWhen ‘occurs’ is used:<\/big><\/big><\/big><\/font><\/p>\n\u2022 The associated device may not have the ‘classify’ option.<\/big><\/big><\/big><\/font><\/p>\n\u2022 The class may not be the default class.<\/big><\/big><\/big><\/font><\/p>\n\u2022 The class may not have any ‘tos=’ options (including ‘tcp\u2212ack’).<\/big><\/big><\/big><\/font><\/p>\n\u2022 The class should not specify a MARK value. If one is specified, it will be ignored with a warning message.<\/big><\/big><\/big><\/font><\/p>\nThe ‘RATE’ and ‘CEIL’ parameters apply to each instance of the class. So the total RATE represented by an entry with ‘occurs’ will be the listed RATE multiplied by number<\/i>. For additional information, see<\/big><\/big><\/big><\/font> shorewall\u2212tcrules<\/font><\/b><\/big> [3] (5).<\/big><\/font><\/big><\/big><\/p>\nflow=keys<\/i><\/big><\/font><\/big><\/big><\/p>\nShorewall attaches an SFQ queuing discipline to each leaf HTB class. SFQ ensures that each flow gets equal access to the interface. The default definition of a flow corresponds roughly to a Netfilter connection. So if one internal system is running BitTorrent, for example, it can have lots of ‘flows’ and can thus take up a larger share of the bandwidth than a system having only a single active connection. The flow<\/b> classifier (module cls_flow) works around this by letting you define what a ‘flow’ is. The classifier must be used carefully or it can block off all traffic on an interface! The flow option can be specified for an HTB leaf class (one that has no sub\u2212classes). We recommend that you use the following:<\/big><\/font><\/big><\/big><\/p>\nShaping internet\u2212bound traffic:
flow=nfct\u2212src
Shaping traffic bound for your local net:
flow=dst<\/big><\/font><\/big><\/big><\/p>\nThese will cause a ‘flow’ to consists of the traffic to\/from each internal system.<\/big><\/font><\/big><\/big><\/p>\nWhen more than one key is give, they must be enclosed in parenthesis and separated by commas.<\/big><\/font><\/big><\/big><\/p>\nTo see a list of the possible flow keys, run this command: tc filter add flow help<\/b> Those that begin with “nfct\u2212” are Netfilter connection tracking fields. As shown above, we recommend flow=nfct\u2212src; that means that we want to use the source IP address before NAT<\/i> as the key.<\/big><\/font><\/big><\/big><\/p>\npfifo<\/big><\/font><\/big><\/big><\/p>\nWhen specified for a leaf class, the pfifo queuing discipline is applied to the class rather than the sfq queuing discipline.<\/big><\/font><\/big><\/big><\/p>\nlimit=number<\/i><\/big><\/font><\/big><\/big><\/p>\nAdded in Shorewall 4.4.3. When specified for a leaf class, determines the maximum number of packets that may be queued within the class. The number<\/i> must be > 2 and <=128. If not specified, the value 127 is assumed.<\/big><\/font><\/big><\/big><\/p>\nred=(redoption<\/i>=value<\/i>, …)<\/big><\/font><\/big><\/big><\/p>\nAdded in Shorewall 4.5.6. When specified on a leaf class, causes the class to use the RED (Random Early Detection) queuing discipline rather than SFQ. See tc\u2212red (8) for additional information.<\/big><\/font><\/big><\/big><\/p>\nAllowable redoptions<\/i> are:<\/big><\/font><\/big><\/big><\/p>\nmin min<\/i><\/big><\/font><\/big><\/big><\/p>\nAverage queue size at which marking becomes a possibility.<\/big><\/font><\/big><\/big><\/p>\nmax max<\/i><\/big><\/font><\/big><\/big><\/p>\nAt this average queue size, the marking probability is maximal. Must be at least twice min<\/i> to prevent synchronous retransmits, higher for low min<\/i>.<\/big><\/font><\/big><\/big><\/p>\nprobability probability<\/i><\/big><\/font><\/big><\/big><\/p>\nMaximum probability for marking, specified as a floating point number from 0.0 to 1.0. Suggested values are 0.01 or 0.02 (1 or 2%, respectively).<\/big><\/font><\/big><\/big><\/p>\nlimit limit<\/i><\/big><\/font><\/big><\/big><\/p>\nHard limit on the real (not average) queue size in bytes. Further packets are dropped. Should be set higher than max<\/i>+burst<\/i>. It is advised to set this a few times higher than max<\/i>. Shorewall requires that limit<\/i> be at least twice min<\/i>.<\/big><\/font><\/big><\/big><\/p>\nburst burst<\/i><\/big><\/font><\/big><\/big><\/p>\nUsed for determining how fast the average queue size is influenced by the real queue size. Larger values make the calculation more sluggish, allowing longer bursts of traffic before marking starts. Real life experiments support the following guide-line: (min<\/i>+min<\/i>+max<\/i>)\/(3*avpkt<\/i>).<\/big><\/font><\/big><\/big><\/p>\navpkt avpkt<\/i><\/big><\/font><\/big><\/big><\/p>\nOptional. Specified in bytes. Used with burst to determine the time constant for average queue size calculations. 1000 is a good value and is the Shorewall default.<\/big><\/font><\/big><\/big><\/p>\nbandwidth bandwidth<\/i><\/big><\/font><\/big><\/big><\/p>\nOptional. This rate is used for calculating the average queue size after some idle time. Should be set to the bandwidth of your interface. Does not mean that RED will shape for you!<\/big><\/font><\/big><\/big><\/p>\necn<\/big><\/font><\/big><\/big><\/p>\nRED can either ‘mark’ or ‘drop’. Explicit Congestion Notification allows RED to notify remote hosts that their rate exceeds the amount of bandwidth available. Non\u2212ECN capable hosts can only be notified by dropping a packet. If this parameter is specified, packets which indicate that their hosts honor ECN will only be marked and not dropped, unless the queue size hits limit<\/i> bytes. Recommended.<\/big><\/font><\/big><\/big><\/p>\n