On 09/12/2012 05:21 PM, Mr Dash Four wrote:
> In other words, for any other classes (i.e. HTB in this case as
> HFSC has no use for it), you use this value << 8 | 20 to
> determine the class priority, right?
Also for HFSC.
> My understanding was that you ignore the PRIORITY column in tcclasses
> for HFSC as it doesn't support it.
No, I don't ignore it. It is still used for prioritizing the filters.
Attached are the tcdevices and tcclasses files from one of my test hfsc
configurations. Also attached is the output of 'shorewall show
classifiers' with that configuration running. In that output, the 'pref'
setting is the filter priority.
Note that the firewall mark classifiers all have their priority set to (
<class priority> << 8 ) | 20 and that the tcp-ack and tos-minimize-delay
rules have priority ( <class priority> << 8 ) | 10.
The classifiers would look exactly the same if HTB were used.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Shorewall6 4.5.8-RC1 Classifiers at gateway - Thu Sep 13 06:20:58 PDT 2012
Device eth0:
Device eth1:
filter parent 1: protocol all pref 276 fw
filter parent 1: protocol all pref 276 fw handle 0x1 classid 1:11
filter parent 1: protocol ip pref 522 u32
filter parent 1: protocol ip pref 522 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 522 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:12 (rule hit 11 success 1)
match 00060000/00ff0000 at 8 (success 3 )
match 05000000/0f00ffc0 at 0 (success 1 )
match 00100000/00ff0000 at 32 (success 1 )
filter parent 1: protocol ip pref 522 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 1:12 (rule hit 10 success 0)
match 00100000/00100000 at 0 (success 0 )
filter parent 1: protocol all pref 532 fw
filter parent 1: protocol all pref 532 fw handle 0x2 classid 1:12
filter parent 1: protocol all pref 788 fw
filter parent 1: protocol all pref 788 fw handle 0x3 classid 1:13
filter parent 1: protocol all pref 1044 fw
filter parent 1: protocol all pref 1044 fw handle 0x4 classid 1:14
filter parent 1: protocol all pref 1300 fw
filter parent 1: protocol all pref 1300 fw handle 0x5 classid 1:15
Device eth2:
filter parent 2: protocol all pref 276 fw
filter parent 2: protocol all pref 276 fw handle 0x1 classid 2:10
filter parent 2: protocol ip pref 522 u32
filter parent 2: protocol ip pref 522 u32 fh 800: ht divisor 1
filter parent 2: protocol ip pref 522 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 2:20 (rule hit 24 success 2)
match 00060000/00ff0000 at 8 (success 24 )
match 05000000/0f00ffc0 at 0 (success 2 )
match 00100000/00ff0000 at 32 (success 2 )
filter parent 2: protocol ip pref 522 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 2:20 (rule hit 22 success 18)
match 00100000/00100000 at 0 (success 18 )
filter parent 2: protocol all pref 532 fw
filter parent 2: protocol all pref 532 fw handle 0x2 classid 2:20
filter parent 2: protocol all pref 788 fw
filter parent 2: protocol all pref 788 fw handle 0x3 classid 2:30
filter parent 2: protocol all pref 1044 fw
filter parent 2: protocol all pref 1044 fw handle 0x4 classid 2:40
filter parent 2: protocol all pref 1300 fw
filter parent 2: protocol all pref 1300 fw handle 0x5 classid 2:50
filter parent 2: protocol all pref 1556 fw
filter parent 2: protocol all pref 1556 fw handle 0x6 classid 2:60
#
# Shorewall version 4 - Tcclasses File
#
# For information about entries in this file, type "man shorewall-tcclasses"
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
#
########################################################################################################
#IFACE:  MARK  RATE:                       CEIL                          PRIORITY  OPTIONS
#CLASS         DMAX:UMAX
1        1     ${UP_SC_VOIP_RATE}kbit:\
               ${UP_SC_VOIP_DMAX}:\
               ${UP_SC_VOIP_UMAX}          ${UP_UL_VOIP_RATE}kbit        1
1        2     ${UP_RT_PRIO_RATE}kbit:\
               ${UP_RT_PRIO_DMAX}:\
               ${UP_RT_PRIO_UMAX}          ${UP_LS_PRIO_RATE}kbit:\
                                           ${UP_UL_PRIO_RATE}kbit        2         tcp-ack,tos-minimize-delay
1        3     -                           ${UP_LS_NORMAL_RATE}kbit:\
                                           ${UP_UL_NORMAL_RATE}kbit      3         red=(limit=$UP_NORMAL_RED_limit,\
                                                                                   min=$UP_NORMAL_RED_min,\
                                                                                   max=$UP_NORMAL_RED_max,\
                                                                                   burst=$UP_NORMAL_RED_burst,\
                                                                                   probability=$UP_NORMAL_RED_PROB,\
                                                                                   ecn)
1        4     -                           ${UP_LS_P2P_RATE}kbit:\
                                           ${UP_UL_P2P_RATE}kbit         4         red=(limit=$UP_P2P_RED_limit,\
                                                                                   min=$UP_P2P_RED_min,\
                                                                                   max=$UP_P2P_RED_max,\
                                                                                   burst=$UP_P2P_RED_burst,\
                                                                                   probability=$UP_P2P_RED_PROB,\
                                                                                   ecn)
1        5     -                           ${UP_LS_BULK_RATE}kbit:\
                                           ${UP_UL_BULK_RATE}kbit        5         default,\
                                                                                   red=(limit=$UP_BULK_RED_limit,\
                                                                                   min=$UP_BULK_RED_min,\
                                                                                   max=$UP_BULK_RED_max,\
                                                                                   burst=$UP_BULK_RED_burst,\
                                                                                   probability=$UP_BULK_RED_PROB,\
                                                                                   ecn)
2:10     1     ${UP_SC_VOIP_RATE}kbit:\
               ${UP_SC_VOIP_DMAX}:\
               ${UP_SC_VOIP_UMAX}          ${UP_UL_VOIP_RATE}kbit        1
2:20     2     ${DOWN_RT_PRIO_RATE}kbit:\
               ${DOWN_RT_PRIO_DMAX}:\
               ${DOWN_RT_PRIO_UMAX}        ${DOWN_UL_PRIO_RATE}kbit      2         tcp-ack,tos-minimize-delay
2:30     3     -                           ${DOWN_LS_NORMAL_RATE}kbit:\
                                           ${DOWN_UL_NORMAL_RATE}kbit    3         red=(limit=$DOWN_NORMAL_RED_limit,\
                                                                                   min=$DOWN_NORMAL_RED_min,\
                                                                                   max=$DOWN_NORMAL_RED_max,\
                                                                                   burst=$DOWN_NORMAL_RED_burst,\
                                                                                   probability=$DOWN_NORMAL_RED_PROB)
2:40     4     -                           ${DOWN_LS_P2P_RATE}kbit:\
                                           ${DOWN_UL_P2P_RATE}kbit       4         red=(limit=$DOWN_P2P_RED_limit,\
                                                                                   min=$DOWN_P2P_RED_min,\
                                                                                   max=$DOWN_P2P_RED_max,\
                                                                                   burst=$DOWN_P2P_RED_burst,\
                                                                                   probability=$DOWN_P2P_RED_PROB)
2:50     5     -                           ${DOWN_LS_BULK_RATE}kbit:\
                                           ${DOWN_UL_BULK_RATE}kbit      5         red=(limit=$DOWN_BULK_RED_limit,\
                                                                                   min=$DOWN_BULK_RED_min,\
                                                                                   max=$DOWN_BULK_RED_max,\
                                                                                   burst=$DOWN_BULK_RED_burst,\
                                                                                   probability=$DOWN_BULK_RED_PROB)
2:60     6     -                           512mbit:1024mbit              6         default
#
# Shorewall version 4 - Tcdevices File
#
# For information about entries in this file, type "man shorewall-tcdevices"
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
#
###############################################################################
#NUMBER:     IN-BANDWITH  OUT-BANDWIDTH  OPTIONS                             REDIRECTED
#INTERFACE                                                                   INTERFACES
1:COMB_IF    -            ${UPLOAD}kbit  hfsc,linklayer=ethernet,overhead=0
2:INT_IF     -            1024mbit       hfsc,classify
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
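
The filter-priority encoding described in the message above, decoded from classifier output and checked against the PRIORITY column. This is an added example, not part of the original message and not Shorewall code; the function names and the sample text are constructed for illustration, and it assumes (as in the attached output) that the only u32 filters are the tcp-ack and tos-minimize-delay rules.

```python
import re

# Constructed sample in the format of 'shorewall show classifiers' output.
SAMPLE = """\
Device eth2:
filter parent 2: protocol all pref 276 fw
filter parent 2: protocol all pref 276 fw handle 0x1 classid 2:10
filter parent 2: protocol ip pref 522 u32
filter parent 2: protocol ip pref 522 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 2:20
filter parent 2: protocol all pref 532 fw handle 0x2 classid 2:20
filter parent 2: protocol all pref 1556 fw handle 0x6 classid 2:60
"""

# Low byte of 'pref' per the message: 20 for firewall-mark (fw) filters,
# 10 for the tcp-ack / tos-minimize-delay rules (u32 in this output; assumption).
EXPECTED_OFFSET = {"fw": 20, "u32": 10}

FILTER_RE = re.compile(r"^filter parent \S+ protocol \S+ pref (\d+) (fw|u32)\b(.*)$")
TARGET_RE = re.compile(r"\b(?:classid|flowid) (\S+)")

def filter_pref(class_priority, offset):
    """Filter priority as stated in the message: (<class priority> << 8) | offset."""
    return (class_priority << 8) | offset

def parse_classifiers(text):
    """Return (device, kind, pref, class_priority, offset, classid) per bound filter."""
    device, rows = None, []
    for line in text.splitlines():
        if line.startswith("Device "):
            device = line[len("Device "):].rstrip(":")
            continue
        m = FILTER_RE.match(line)
        t = TARGET_RE.search(m.group(3)) if m else None
        if not t:
            continue  # not a filter line, or a header line with no class bound
        pref = int(m.group(1))
        rows.append((device, m.group(2), pref, pref >> 8, pref & 0xFF, t.group(1)))
    return rows

def offset_mismatches(rows):
    """Rows whose low byte does not match the offset expected for the filter kind."""
    return [r for r in rows if r[4] != EXPECTED_OFFSET[r[1]]]

def priority_mismatches(rows, class_priority):
    """Rows whose decoded priority differs from the tcclasses PRIORITY for that class."""
    return [r for r in rows
            if r[5] in class_priority and r[3] != class_priority[r[5]]]

if __name__ == "__main__":
    for row in parse_classifiers(SAMPLE):
        print(row)
```
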