Provided by: shorewall-common_4.0.12-1_all


       tcclasses - Shorewall file to define HTB classes




       A note on the rate/bandwidth definitions used in this file:

       · don’t  use  a space between the integer value and the unit: 30kbit is
         valid while 30 kbit is NOT.

       · you can use one of the following units:

         kbps   Kilobytes per second.

         mbps   Megabytes per second.

         kbit   Kilobits per second.

         mbit   Megabits per second.

         bps or number
                Bytes per second.

       · if you want the values to be calculated  for  you  depending  on  the
         output  bandwidth  setting defined for an interface in tcdevices, you
         can use expressions like the following:

         full/3 causes the bandwidth to be  calculated  as  1/3  of  the  full
                outgoing speed that is defined.

         full*9/10 will set this bandwidth to 9/10 of the full bandwidth

       DO NOT add a unit to the rate if it is calculated!

       The columns in the file are as follows.

       INTERFACE
              Name  of  interface.  Each  interface may be listed only once in
              this file. You may NOT specify  the  name  of  an  alias  (e.g.,
              eth0:0) here; see 〈〉

              You  may  NOT  specify wildcards here, e.g. if you have multiple
              ppp interfaces, you need to put them all in here!

              Please note that you can only use interface names in here that
              have a bandwidth defined in the shorewall-tcdevices(5) file.

       MARK
              The mark value which is an integer in the range 1-255. You set
              mark values in the shorewall-tcrules(5) file, marking the
              traffic you want to fit in the classes defined in here.

              You can use the same marks for different interfaces.

       RATE
              The  minimum  bandwidth  this class should get, when the traffic
              load rises. If the sum of the rates in this column  exceeds  the
              INTERFACE’s  OUT-BANDWIDTH, then the OUT-BANDWIDTH limit may not
              be honored.

       CEIL
              The maximum bandwidth this class is allowed to use when the link
              is  idle.  Useful  if  you have traffic which can get full speed
              when more needed services (e.g. ssh) are not used.

              You can use the value full  in  here  for  setting  the  maximum
              bandwidth to the defined output bandwidth of that interface.

       PRIORITY
              The  priority  in  which  classes will be serviced by the packet
              shaping scheduler and also the priority in  which  bandwidth  in
              excess of the rate will be given to each class.

              Higher  priority  classes  will experience less delay since they
              are serviced first. Priority values are  serviced  in  ascending
              order (e.g. 0 is higher priority than 1).

              Classes may be set to the same priority, in which case they will
              be serviced as equals.

       OPTIONS (Optional) — [option[,option]...]
              A comma-separated list of options including the following:

              default
                     This is the default class for that interface, where all
                     traffic that is not otherwise classified should go.


                     You  must  define  default  for  exactly  one  class  per

              tos=0xvalue[/0xmask] (mask defaults to 0xff)
                     This lets you define a classifier for the given
                     value/mask combination of the IP packet's
                     TOS/Precedence/DiffServ octet (aka the TOS byte). Please
                     note that classifiers override all mark settings, so if
                     you define a classifier for a class, all traffic having
                     that mark will go in it regardless of any mark set on the
                     packet by a firewall/mangle filter.

                     Aliases for  the  following  TOS  octet  value  and  mask
                     encodings.  TOS  encodings  of  the  "TOS byte" have been
                     deprecated in favor of DiffServ classes, but programs
                     like ssh, rlogin, and ftp still use them.

                             tos-minimize-delay       0x10/0x10
                             tos-maximize-throughput  0x08/0x08
                             tos-maximize-reliability 0x04/0x04
                             tos-minimize-cost        0x02/0x02
                             tos-normal-service       0x00/0x1e

                     Each  of  these  options  is only valid for ONE class per

              tcp-ack
                     If defined, causes a tc filter to be created that puts
                     all tcp ack packets on that interface that have a size of
                     <=64 bytes in this class. This is useful for
                     speeding up downloads. Please note that the size of the
                     ack packets is limited to 64 bytes because we want only
                     packets WITHOUT payload to match.


                     This option is only valid for ONE class per interface.
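
The value/mask test applied by a tos classifier, (TOS byte AND mask) = value, worked through for the OPTIONS used in Example 1 below. This is an added example, not part of the Shorewall documentation or code; the function names and the sample TOS bytes are chosen for illustration. It also shows that 0xb8 has the 0x10 bit set and therefore satisfies both tos=0xb8/0xfc and tos-minimize-delay; the page does not say which filter takes precedence in that case.

```python
# Added example: which classes' tos classifiers match a given TOS byte.
ALIASES = {  # alias table from this page: name -> (value, mask)
    "tos-minimize-delay": (0x10, 0x10),
    "tos-maximize-throughput": (0x08, 0x08),
    "tos-maximize-reliability": (0x04, 0x04),
    "tos-minimize-cost": (0x02, 0x02),
    "tos-normal-service": (0x00, 0x1E),
}

def tos_classifiers(options):
    """Return the (value, mask) pairs defined by one OPTIONS column."""
    pairs = []
    for opt in filter(None, options.split(",")):
        if opt in ALIASES:
            pairs.append(ALIASES[opt])
        elif opt.startswith("tos="):
            value, _, mask = opt[4:].partition("/")
            # the mask defaults to 0xff when it is omitted
            pairs.append((int(value, 16), int(mask, 16) if mask else 0xFF))
    return pairs

def matching_marks(classes, tos_byte):
    """Marks of every class that has a classifier matching tos_byte."""
    return [mark for mark, options in classes
            if any((tos_byte & mask) == value
                   for value, mask in tos_classifiers(options))]

# (MARK, OPTIONS) of the four ppp0 classes in Example 1
EXAMPLE_1 = [(1, "tos=0x68/0xfc,tos=0xb8/0xfc"),
             (2, "tcp-ack,tos-minimize-delay"),
             (3, "default"),
             (4, "")]

if __name__ == "__main__":
    # constructed sample TOS bytes
    for tos in (0x68, 0xB8, 0xBA, 0x10, 0x00):
        print(f"TOS {tos:#04x} -> classes {matching_marks(EXAMPLE_1, tos)}")
```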


       Example 1:
              Suppose  you  are  using PPP over Ethernet (DSL) and ppp0 is the
              interface for this. You have 4 classes here, the first  you  can
              use  for  voice  over IP traffic, the second interactive traffic
              (e.g.  ssh/telnet but not  scp),  the  third  will  be  for  all
              unclassified traffic, and the fourth is for low priority traffic
              (e.g.  peer-to-peer).

              The voice traffic in  the  first  class  will  be  guaranteed  a
              minimum  of 100kbps and always be serviced first (because of the
              low priority number, giving less  delay)  and  will  be  granted
              excess  bandwidth  (up  to  180kbps,  the  class ceiling) first,
              before any other traffic. A single VOIP stream,  depending  upon
              codecs, after encapsulation, can take up to 80kbps on a PPPoE/DSL
              link, so we pad a little bit just in case. (TOS byte values 0xb8
              and 0x68 are DiffServ classes EF and AF31 respectively and are
              often used by VOIP devices).

              Interactive traffic (tos-minimize-delay) and TCP acks  (and  ICMP
              echo  traffic  if you use the example in tcrules) and any packet
              with a mark of 2 will be guaranteed 1/4 of the  link  bandwidth,
              and may extend up to full speed of the link.

              Unclassified  traffic and packets marked as 3 will be guaranteed
              1/4th of the link bandwidth, and may extend to the full speed of
              the link.

              Packets  marked  with 4 will be treated as low priority packets.
              (The tcrules example marks p2p traffic as such.) If the link  is
              congested,  they’re only guaranteed 1/8th of the speed, and even
              if the link is empty, can only expand to 80% of  link  bandwidth
              just as a precaution in case there are upstream queues we didn’t
              account for. This is the last class to get additional  bandwidth
              and the last to get serviced by the scheduler because of the low

                      #INTERFACE  MARK  RATE    CEIL      PRIORITY    OPTIONS
                      ppp0        1     100kbit 180kbit   1           tos=0x68/0xfc,tos=0xb8/0xfc
                      ppp0        2     full/4  full      2           tcp-ack,tos-minimize-delay
                      ppp0        3     full/4  full      3           default
                      ppp0        4     full/8  full*8/10 4
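
A small checker for the rules this page states (rate syntax, mark range, RATE sum against OUT-BANDWIDTH, one default and at most one tcp-ack class per interface), run over Example 1. This is an added example, not Shorewall's own code; the names rate_bits and lint are hypothetical, and it assumes decimal unit multiples, left-to-right integer evaluation of full expressions, and a constructed OUT-BANDWIDTH of 384kbit in place of a real tcdevices entry.

```python
import re
from collections import Counter

# Bits/s per unit, assuming decimal multiples; a bare number means bytes/s.
UNITS = {"kbit": 1000, "mbit": 10**6, "kbps": 8000, "mbps": 8 * 10**6, "bps": 8, None: 8}

def rate_bits(spec, full):
    """Resolve a RATE or CEIL value to bits/s; full is the OUT-BANDWIDTH."""
    m = re.fullmatch(r"(\d+)(kbit|mbit|kbps|mbps|bps)?", spec)
    if m:
        return int(m.group(1)) * UNITS[m.group(2)]
    if not re.fullmatch(r"full([*/][1-9]\d*)*", spec):  # no unit allowed here
        raise ValueError(f"invalid rate {spec!r}")
    for op, n in re.findall(r"([*/])(\d+)", spec):  # assumed: left to right
        full = full * int(n) if op == "*" else full // int(n)
    return full

def lint(text, out_bandwidth):
    """Return the problems found in tcclasses text (empty list if none)."""
    problems, rate_sum, flags = [], Counter(), Counter()
    rows = (line.split("#")[0].split() for line in text.splitlines())
    for f in filter(None, rows):
        if len(f) not in (5, 6) or f[0] not in out_bandwidth:
            problems.append(f"{' '.join(f)}: column count or unknown interface")
            continue
        iface, full = f[0], out_bandwidth[f[0]]
        try:
            if not 1 <= int(f[1]) <= 255:
                raise ValueError(f"mark {f[1]} not in 1-255")
            rate_sum[iface] += rate_bits(f[2], full)
            rate_bits(f[3], full)
        except ValueError as err:
            problems.append(f"{iface}: {err}")
        for opt in (f[5].split(",") if len(f) == 6 else []):
            flags[iface, opt] += 1
    for iface, full in out_bandwidth.items():
        checks = [(rate_sum[iface] > full, "RATE sum exceeds OUT-BANDWIDTH"),
                  (flags[iface, "default"] != 1, "needs exactly one default"),
                  (flags[iface, "tcp-ack"] > 1, "tcp-ack on more than one class")]
        problems += [f"{iface}: {msg}" for bad, msg in checks if bad]
    return problems

EXAMPLE_1 = """#INTERFACE  MARK  RATE    CEIL      PRIORITY    OPTIONS
ppp0        1     100kbit 180kbit   1           tos=0x68/0xfc,tos=0xb8/0xfc
ppp0        2     full/4  full      2           tcp-ack,tos-minimize-delay
ppp0        3     full/4  full      3           default
ppp0        4     full/8  full*8/10 4"""

# 384kbit is a constructed OUT-BANDWIDTH; the real value comes from tcdevices.
print(lint(EXAMPLE_1, {"ppp0": 384_000}))
```

With the same file and an OUT-BANDWIDTH of 256kbit the guaranteed rates add up to 260kbit, which is the over-commitment the RATE column description warns about.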



SEE ALSO
       shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5),
       shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
       shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
       shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
       shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
       shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
       shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
       shorewall-tunnels(5), shorewall-zones(5)

                                 24 June 2008           shorewall-tcclasses(5)