Hi everyone,

I have a working two-interface Shorewall instance and I'm trying to use
simple traffic control to limit the upload speed to about 90% of the 8mbit
service limit.

The configuration is applied correctly and without errors, and I see what
seems to be a proper setup when I run "tc qdisc".

Unfortunately, for reasons I cannot sort out, the download speed is also
severely limited, well below what I specify in tcinterfaces. For that
matter, I'm not even sure why download speed is affected; traffic control
should only apply on egress, right? It's very strange.

I realize this might not be a Shorewall issue, so feel free to redirect me
elsewhere.

Some details (gw is the firewall system):

gw ~ # shorewall version
5.2.3.4

gw ~ # uname -a
Linux lifegw 3.10.0-1127.13.1.el7.x86_64 #1 SMP Tue Jun 23 15:46:38 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
[ that's CentOS 7 with current updates applied ]

gw /etc/shorewall # cat shorewall.conf | grep TC
TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
TC=
CLEAR_TC=Yes
TC_ENABLED=Simple
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
TCP_FLAGS_DISPOSITION=DROP
TC_BITS=

gw /etc/shorewall # cat tcinterfaces | grep -v '^#.*'
enp1s0 External 40mbit:200kb 6.0mbit:100kb:200ms:100mbit:1516

gw ~ # tc qdisc
qdisc noqueue 0: dev lo root refcnt 2
qdisc tbf 1: dev enp1s0 root refcnt 9 rate 6Mbit burst 100Kb peakrate 100Mbit minburst 1512b lat 200.0ms
qdisc prio 101: dev enp1s0 parent 1: bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
qdisc sfq 1013: dev enp1s0 parent 101:3 limit 127p quantum 1875b depth 127 divisor 1024 perturb 10sec
qdisc sfq 1012: dev enp1s0 parent 101:2 limit 127p quantum 1875b depth 127 divisor 1024 perturb 10sec
qdisc sfq 1011: dev enp1s0 parent 101:1 limit 127p quantum 1875b depth 127 divisor 1024 perturb 10sec
qdisc ingress ffff: dev enp1s0 parent ffff:fff1 ----------------

With that configuration in place, my **download** speed (ingress, right?)
gets capped at around 7500kbit:
gw ~ # wget "https://releases.ubuntu.com/20.04/ubuntu-20.04-desktop-amd64.iso"
<snip>
 0% [             ] 13,639,680   947KB/s

That is a download directly on the firewall system, so if I'm understanding
properly, that should be ingress only - egress shouldn't have anything to
do with it. I understand if I was testing on a system connected to the
firewall system then I'd have to be thinking about egress from the firewall
system to that connected system, but this is happening only on the firewall
system.

When I disable traffic control in Shorewall, the download speed returns
close to my provider's stated limit:

gw ~ # cat /etc/shorewall/shorewall.conf | grep TC_ENABLED
TC_ENABLED=No

gw ~ # tc qdisc
qdisc noqueue 0: dev lo root refcnt 2
qdisc mq 0: dev enp1s0 root
qdisc pfifo_fast 0: dev enp1s0 parent :2 bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
qdisc pfifo_fast 0: dev enp1s0 parent :1 bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1

gw ~ # wget "https://releases.ubuntu.com/20.04/ubuntu-20.04-desktop-amd64.iso"
<snip>
 2% [=>                 ] 64,233,472  3.81MB/s

Again, my intent here is to limit the upload speed, not the download speed.
I am very confused why any of this is affecting the download at all.

Anyone have some ideas on what could be causing this, or where I should
look next?

Thanks in advance.




--Mark
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
