On 7/18/20 9:43 AM, Mark Kendrick wrote:
> Hi everyone,
> 
> I have a working two-interface Shorewall instance and I'm trying to use
> simple traffic control to limit the upload speed to about 90% of the
> 8mbit service limit. 
> 
> The configuration is applied correctly and without errors, and I see
> what seems to be a proper setup when I run "tc qdisc". 
> 
> Unfortunately, for reasons I cannot sort out, the download speed is also
> severely limited, well below what I specify in tcinterfaces. For that
> matter, I'm not even sure why download speed is affected; traffic
> control should only apply on egress, right? It's very strange.
> 
> I realize this might not be a shorewall issue so feel free to redirect
> me elsewhere.
> 
> Some details (gw is the firewall system):
> 
> gw ~ # shorewall version
> 5.2.3.4
> 
> gw ~ # uname -a
> Linux lifegw 3.10.0-1127.13.1.el7.x86_64 #1 SMP Tue Jun 23 15:46:38 UTC
> 2020 x86_64 x86_64 x86_64 GNU/Linux
> [ that's CentOS 7 with current updates applied ]
> 
> gw /etc/shorewall # cat shorewall.conf | grep TC
> TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
> TC=
> CLEAR_TC=Yes
> TC_ENABLED=Simple
> TC_EXPERT=No
> TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
> TCP_FLAGS_DISPOSITION=DROP
> TC_BITS=
> 
> gw /etc/shorewall # cat tcinterfaces | grep -v '^#.*'
> enp1s0 External 40mbit:200kb 6.0mbit:100kb:200ms:100mbit:1516

Note that you are setting IN-BANDWIDTH, so you are definitely getting
ingress policing. Furthermore, you are not using rate-estimating, so you
are probably running afoul of offloading to your NIC (see Shorewall FAQ
97a).

> 
> gw ~ # tc qdisc
> qdisc noqueue 0: dev lo root refcnt 2
> qdisc tbf 1: dev enp1s0 root refcnt 9 rate 6Mbit burst 100Kb peakrate
> 100Mbit minburst 1512b lat 200.0ms
> qdisc prio 101: dev enp1s0 parent 1: bands 3 priomap  1 2 2 2 1 2 0 0 1
> 1 1 1 1 1 1 1
> qdisc sfq 1013: dev enp1s0 parent 101:3 limit 127p quantum 1875b depth
> 127 divisor 1024 perturb 10sec
> qdisc sfq 1012: dev enp1s0 parent 101:2 limit 127p quantum 1875b depth
> 127 divisor 1024 perturb 10sec
> qdisc sfq 1011: dev enp1s0 parent 101:1 limit 127p quantum 1875b depth
> 127 divisor 1024 perturb 10sec
> qdisc ingress ffff: dev enp1s0 parent ffff:fff1 ----------------
> 
> With that configuration in place, my **download** speed (ingress,
> right?) gets capped at around 7500kbit:
> gw ~ # wget
> "https://releases.ubuntu.com/20.04/ubuntu-20.04-desktop-amd64.iso"
> <snip>
>  0% [             ] 13,639,680   947KB/s
> 
> That is a download directly on the firewall system, so if I'm
> understanding properly, that should be ingress only - egress shouldn't
> have anything to do with it. I understand if I was testing on a system
> connected to the firewall system then I'd have to be thinking about
> egress from the firewall system to that connected system, but this is
> happening only on the firewall system.
> 
> When I disable traffic control in shorewall, the download speed returns
> close to my provider's stated limit:
> 
> gw ~ # cat /etc/shorewall/shorewall.conf | grep TC_ENABLED
> TC_ENABLED=No
> 
> gw ~ # tc qdisc
> qdisc noqueue 0: dev lo root refcnt 2
> qdisc mq 0: dev enp1s0 root
> qdisc pfifo_fast 0: dev enp1s0 parent :2 bands 3 priomap  1 2 2 2 1 2 0
> 0 1 1 1 1 1 1 1 1
> qdisc pfifo_fast 0: dev enp1s0 parent :1 bands 3 priomap  1 2 2 2 1 2 0
> 0 1 1 1 1 1 1 1 1
> 
> gw ~ # wget
> "https://releases.ubuntu.com/20.04/ubuntu-20.04-desktop-amd64.iso"
> <snip>
>  2% [=>                 ] 64,233,472  3.81MB/s
> 
> Again, my intent here is to limit the upload speed, not the download
> speed. I am very confused why any of this is affecting the download at all. 

See my comment about your tcinterfaces file above.

-Tom
-- 
Tom Eastep        \ Q: What do you get when you cross a mobster
Shoreline,         \    with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \    can't understand
                      \________________________________________
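
Added example, not part of the original message or of Shorewall itself: a small Python check that reads tcinterfaces lines and reports, per interface, whether the IN-BANDWIDTH column requests a plain ingress policer, a rate-estimated policer, or none. The column order and the `-`/`0`/`~` conventions are assumptions taken from shorewall-tcinterfaces(5); the first sample line is the one from the post, the other two (enp2s0, enp3s0) are constructed.

```python
# Added example: classify the IN-BANDWIDTH column of Shorewall tcinterfaces.
# Assumed layout (shorewall-tcinterfaces(5)):
#   INTERFACE  TYPE  IN-BANDWIDTH  OUT-BANDWIDTH
#   IN-BANDWIDTH is '-' or '0' (no ingress qdisc), rate[:burst] (policing
#   filter), or ~rate[:interval[:decay_interval]] (rate-estimated policing).

def classify_in_bandwidth(value):
    """Return (mode, rate, extras) for one IN-BANDWIDTH field."""
    if value in ("-", "0", ""):
        return ("none", None, [])
    if value.startswith("~"):
        rate, *extras = value[1:].split(":")
        return ("rate-estimated", rate, extras)
    rate, *extras = value.split(":")
    return ("policed", rate, extras)


def audit_tcinterfaces(text):
    """Parse tcinterfaces content; return one finding per interface line."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        cols = line.split()
        # A missing IN-BANDWIDTH column is treated like '-' (assumption).
        in_bw = cols[2] if len(cols) > 2 else "-"
        mode, rate, extras = classify_in_bandwidth(in_bw)
        findings.append({"interface": cols[0], "mode": mode,
                         "rate": rate, "extras": extras})
    return findings


# First entry is the line from the post; the other two are constructed.
SAMPLE = """\
enp1s0 External 40mbit:200kb 6.0mbit:100kb:200ms:100mbit:1516
enp2s0 External ~40mbit 6.0mbit
enp3s0 External - 6.0mbit
"""

if __name__ == "__main__":
    for f in audit_tcinterfaces(SAMPLE):
        note = {"policed": "ingress policing filter, no rate estimator",
                "rate-estimated": "rate-estimated ingress policing",
                "none": "no ingress qdisc"}[f["mode"]]
        print(f"{f['interface']}: IN-BANDWIDTH={f['rate']} -> {note}")
```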


