Changes between Initial Version and Version 1 of WIPTrafficShaping


Ignore:
Timestamp:
09/13/07 23:23:32 (14 years ago)
Author:
Victor Julien
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • WIPTrafficShaping

    v1 v1  
     1= Workpage for Traffic Shaping support in Vuurmuur =
     2
     3== Resources ==
     4http://lartc.org/
     5http://gentoo-wiki.com/HOWTO_Packet_Shaping
     6http://lartc.org/manpages/tc-htb.html
     7http://lartc.org/manpages/tc-sfq.html
     8http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm
     9http://www.digriz.org.uk/jdg-qos-script/
     10
     11== Type of Shaping ==
     12
     13Outgoing only. Why? Basically it is the only kind of shaping that works well. Vuurmuur is designed to be a gateway firewall, and gateway firewalls can work fine this way.
     14
     15If we have a setup like this:
     16
     17LAN — <eth0-FW-ppp0> — WAN
     18
     19We can shape all traffic by only using outgoing shaping. A LAN-client downloading can be shaped on the eth0 interface of the firewall. A LAN-client uploading can be shaped on the ppp0 interface.
     20
     213 types of shaping:
     22
     23 * priority: e.g. ssh is more important than http
     24 * hard limits: e.g. cap bittorrent to 100kb/s
     25 * soft limits: e.g. cap bittorent to 100kb/s, unless there is no other traffic
     26
     27
     28== Classifying traffic ==
     29
     30VJ: i would like to use the CLASSIFY iptables target for this. See: http://iptables-tutorial.frozentux.net/iptables-tutorial.html#CLASSIFYTARGET
     31
     32Reasons:
     33
     34 * enables TS to be controlled as much from iptables rules as possible
     35 * works well with conntrack helpers such as ftp, irc, sip, h323
     36 * is easy to implement in the current Vuurmuur rules structure
     37
     38Drawbacks:
     39
     40 * only in 2.6 kernel
     41 * only outgoing traffic
     42
     43The way CLASSIFY works is like this.
     44{{{
     45iptables -t mangle -A FORWARD -i ppp0 -o eth0 -p tcp -s 0.0.0.0 -d 192.168.0.0/255.255.255.0 --sport 80 --dport 1024:65535 -j CLASSIFY --set-class 1:20
     46}}}
     47This classifies the traffic flowing from a webserver to the lan-clients to class 1:20. It uses this class from the outgoing interface (eth0 in this case), but this interface does not have to be set in the rule. The Linux routing engine will select the interface and use class 1:20 there (if it exists on that interface). This brings an interesting question: how to deal with classes. I think there are two options:
     48
     49 * use unique classes every where. So 1: for ppp0, 2: eth0, etc.
     50 * define all classes exactly the same on all interfaces. This of course is a problem when interfaces have different speeds.
     51
     52So defining unique class id's sounds best.
     53
     54== DSCP ==
     55
     56!DiffServ is a method commonly used to attempt guarantee Quality of Service to the networks, through the use of "classes", which are defined in the header of the IP packet through DSCP (DiffServ Code Point). To these classes, several priorities (larger the number, larger the priority) are attributed, so the routers/switches can apply several queuing strategies to satisfy the necessary requirements.
     57
     58DSCP can be considered an "evolution" of packet priorization defined in RFC791, IP Precedence. Actually, DSCP uses the same IP Header octet, "Type of Service", with the difference that 6 bits are used for signaling, instead 3. As follows RFC2474, the definition of this field, now called DS Field, "is intended to supersede the existing definitions of the IPv4 TOS octet". However, the DSCP backward compatibility with the ToS is maintained.
     59
     60Currently, the number of routers that implement DSCP for classification and priorization around the Internet are increasing plenty, at the same time with are already largely used in big corporate networks. This way, becomes interesting the possibility of marking DSCP codes on packets using Vuurmuur, once it makes possible the definition of quality of service patterns usable for any enviroment.
     61
     62Use example:
     63{{{
     64iptables -t mangle -A FORWARD -i eth0 -o ppp0 -p tcp -s 192.168.0.0/255.255.255.0 -d 0.0.0.0 --sport 1024:65535 --dport 5060 -j DSCP --set-dscp 46
     65}}}
     66We can also use the pre-defined DiffServ? classes:
     67{{{
     68iptables -t mangle -A FORWARD -i eth0 -o ppp0 -p tcp -s 192.168.0.0/255.255.255.0 -d 0.0.0.0 --sport 1024:65535 --dport 5060 -j DSCP --set-dscp-class EF
     69}}}
     70The two examples above demonstrate marking SIP packets in the way Lan --> Internet with the DSCP code "46". Again, in this case, we are just talking about egress traffic.
     71
     72Seemingly there exists the possibility to use DSCP with tc to priorization in linux, using the "DSMARK" discipline. (?)
     73
     74=== Useful link ===
     75
     76http://www.cisco.com/warp/public/105/dscpvalues.html
     77http://en.wikipedia.org/wiki/Differentiated_services
     78http://www.ietf.org/rfc/rfc2474.txt