[Shorewall-newbies] Wonder Shaper for Shorewall

Gerhard Olsson gerhard.olsson at tjohoo.se
Thu Jan 15 00:52:18 PST 2004

Short description:
Version of WonderShaper (http://lartc.org/wondershaper/) with support for
Shorewall by default, with configuration in Shorewall setup files only. (A
few minor changes as well.)

Tom: Thanks again for Shorewall and the replies that helped me.

Longer description:
The change is very minor, but it took me a while to get the concepts, and the
test methods I used together with the default WonderShaper setup caused me
not to see that it was working. Now it works like a charm for me!

Drop the tcstart file (sent in a separate email) into the shorewall
directory and edit shorewall.conf as described (and possibly tcrules).

Add something like the following to shorewall.conf:
# Traffic Shaping
#Parameters controlling traffic shaping in tcstart
#Please see tcstart for details
#More info in http://shorewall.net/traffic_shaping.htm


If you want to "down prio" packets, mark them in tcrules:
#MARK           SOURCE          DEST            PROTO   PORT(S) CLIENT
#mark certain packets so they are handled by the rules in tcstart
#Mark certain IP addresses for masqueraded addresses
#1:F       all
#ftp, BitTorrent ports (all are not included, but sufficiently many)
#SOURCE and DEST were blank in the post; 0.0.0.0/0 (any host) is assumed here.
#First line matches the ports as server (destination) ports, second as client ports.
1       0.0.0.0/0       0.0.0.0/0       tcp     20,6881:6891
1       0.0.0.0/0       0.0.0.0/0       tcp     -       20,6881:6891

Modified tcstart file is posted separately, but the following is the key
# Assign fwmark packets to the low prio queue
tc filter add dev $TC_DEV parent 1: protocol ip prio 11 \
     handle 1 fw classid 1:30

Minor Change to Wonder Shaper
The default setup is as follows:
1: High prio traffic (like where bits in the IP header are set, ICMP (for
testing) and TCP ACK)
      Rate: Configured max rate
2: Normal traffic
      Rate: 90 % of configured max rate
3: Low prio traffic (configured in the script)
      Rate: 80 % of configured max rate

Down prio traffic only works well with "friendly" users. An environment
where users try to get around the rules (changing ports etc.) will fare
better if the "normal (default)/low" prio levels are replaced with a
"normal/low (default)" setup, and the normal packets are marked as
prioritized. An extra level between High and normal could be added as well.

To test Wonder Shaper, I used a BitTorrent base load and added TCP/UDP
load (I used http://tptest.sourceforge.net/, you will however need a test
server close to you for tptest to work well). High priority packets could
still be queued when the set max uplink rate was exceeded. (Does this have
something to do with the SFQ scheduler being used?)

I changed the configuration as follows:
1: High prio traffic (like where bits in the IP header are set, ICMP (for
testing) and TCP ACK)
      Rate: Configured max rate
2: Normal traffic
      Rate: 90 % of configured max rate with a ceil (possibility to borrow)
of max configured rate
3: Low prio traffic (configured in the script)
      Rate: 10 % of configured max rate with a ceil (possibility to borrow)
of 90% of max configured rate

With this change, the low prio traffic is quickly decreased when
High/normal traffic increases.
You may have other requirements that require other adjustments.

I also would like to lower the prio for "down prio TCP ACK" from High to
Normal. This will require additional classes in the tcstart script (since
fwmarked packets and other rules cannot (?) be combined in the same rule).
This will make the script more complicated and not add so much.

(WonderShaper: really good marketing name by the way)

Key change:
# bulk & default class 1:20 - gets slightly less traffic,
# and a lower priority, but may borrow up to the full uplink rate:
tc class add dev $TC_DEV parent 1:1 classid 1:20 htb rate \
      $[9*$TC_UPLINK/10]kbit \
     ceil ${TC_UPLINK}kbit burst 6k prio 2
# low prio class 1:30 - fwmarked packets land here; 10 % guaranteed,
# may borrow up to 90 % of the uplink when the other classes are idle
# (no trailing backslash on the line above: it would join the two commands)
tc class add dev $TC_DEV parent 1:1 classid 1:30 htb rate \
     $[$TC_UPLINK/10]kbit \
     ceil $[9*$TC_UPLINK/10]kbit burst 6k prio 2

I have a Gibraltar (Debian based) firewall with Shorewall and a few PCs
(both Linux and Win) on my home LAN. If one of them downloads something,
the other users get a sluggish Internet connection as well. Especially file
sharing services like BitTorrent with many simultaneous connections get
allocated a large share of the bandwidth. Certain elements of the
household use a larger share of the bandwidth, but do not want to
compensate the other users... The interactivity for the heavy users is
not good either, the PCs are slow. Traffic Shaping improves this.

Shorewall has good support for traffic shaping. This is described in
http://shorewall.net/traffic_shaping.htm. I misunderstood this page
initially, and thought that the Shorewall setup support was limited
(updating this page is a minor area for improvement).
    * The 'tcstart' script sets up the traffic shaping rules. A
standard script like Wonder Shaper (http://lartc.org/wondershaper/) or
htb.init (http://sourceforge.net/projects/htbinit/) can be used. (A minor
area for improvement would be to ship Shorewall with a default tcstart.)
    * The 'tcrules' configuration file allows marking of packets; this is
much simpler to configure than using iptables directly (or the tc command
to set up rules in tcstart directly).

I first tried Wonder Shaper with the file sharing ports set to low prio,
but did not get sufficient effect and I wanted to down prio using IP
address. This was when I consulted the mailing list the first time.
After help from Tom and reading up on the traffic shaping, I modified
the script as described, and I no longer need the IP address prio setting.

Sorry for the long post. Hopefully it will be useful for someone with
similar needs.
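The following is an added example, not Gerhard's tcstart and not part of the WonderShaper or Shorewall projects. It builds the three-class HTB tree the post describes (high prio class 1:10 at the full uplink rate, normal/default class 1:20 at 90 % with a ceil of the full rate, low prio class 1:30 at 10 % with a ceil of 90 %) plus the fw filter that sends fwmark 1 to 1:30, and prints the tc commands instead of running them so the computed rates can be inspected without root. TC_DEV and TC_UPLINK (in kbit/s) are assumed to be set from shorewall.conf as in the post; the defaults eth0 and 512 are constructed sample values. The high-prio filters (TOS bits, ICMP, TCP ACK) from the original WonderShaper are left out to keep the focus on the class rates.

```shell
#!/bin/sh
# Added example (not the post's tcstart): emit the HTB class tree with the
# rate/ceil change from the post. Prints commands by default; APPLY=1 runs them.

TC_DEV="${TC_DEV:-eth0}"        # assumed to come from shorewall.conf
TC_UPLINK="${TC_UPLINK:-512}"   # constructed sample uplink in kbit/s

# Integer rate helpers, same arithmetic as the post's $[9*$TC_UPLINK/10].
normal_rate() { echo $(( 9 * $1 / 10 )); }   # guaranteed 90 % for class 1:20
low_rate()    { echo $(( $1 / 10 )); }       # guaranteed 10 % for class 1:30
low_ceil()    { echo $(( 9 * $1 / 10 )); }   # class 1:30 may borrow up to 90 %

# Print the tc commands for device $1 with uplink $2 (kbit/s).
# Unmarked traffic falls into 1:20 (htb default 20); fwmark 1 goes to 1:30.
shaper_commands() {
    dev="$1"; up="$2"
    nr=$(normal_rate "$up"); lr=$(low_rate "$up"); lc=$(low_ceil "$up")
    cat <<EOF
tc qdisc del dev $dev root 2>/dev/null
tc qdisc add dev $dev root handle 1: htb default 20
tc class add dev $dev parent 1: classid 1:1 htb rate ${up}kbit burst 6k
tc class add dev $dev parent 1:1 classid 1:10 htb rate ${up}kbit burst 6k prio 1
tc class add dev $dev parent 1:1 classid 1:20 htb rate ${nr}kbit ceil ${up}kbit burst 6k prio 2
tc class add dev $dev parent 1:1 classid 1:30 htb rate ${lr}kbit ceil ${lc}kbit burst 6k prio 2
tc qdisc add dev $dev parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $dev parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev $dev parent 1:30 handle 30: sfq perturb 10
tc filter add dev $dev parent 1: protocol ip prio 11 handle 1 fw classid 1:30
EOF
}

# Dry run unless APPLY=1 (applying needs root and a real interface).
if [ "${APPLY:-0}" = "1" ]; then
    shaper_commands "$TC_DEV" "$TC_UPLINK" | sh
else
    shaper_commands "$TC_DEV" "$TC_UPLINK"
fi
```

With the sample uplink of 512 kbit/s this yields 460 kbit guaranteed for 1:20 and 51 kbit guaranteed (ceil 460) for 1:30, which is the behaviour the post wants: as soon as high or normal traffic appears, the low prio class is squeezed back towards its 10 % share because it can only borrow what the sibling classes leave unused. Note that `$(( ))` is used instead of the older `$[ ]` form so the script runs under plain sh.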

