Oh dear - I completely missed that in the FAQ. Sincerest apologies, Tom,
and thank you for pointing me to it.

All sorted now - switching generic receive offload "off" solved the problem:
gw ~ # ethtool -K enp1s0 gro off

I will also experiment with rate estimation as you recommended.

I may suggest linking to that incredibly helpful FAQ 97a entry in the
"Additional Reading" part of your page on simple traffic shaping:
https://shorewall.org/simple_traffic_shaping.html

Appreciate your hard work on a great piece of software - I'm off to go
mangle some packets. :)


-- Mark

On Sat, Jul 18, 2020 at 11:01 AM Tom Eastep <eastep...@gmail.com> wrote:

> On 7/18/20 9:43 AM, Mark Kendrick wrote:
> > Hi everyone,
> >
> > I have a working two-interface Shorewall instance and I'm trying to use
> > simple traffic control to limit the upload speed to about 90% of the
> > 8mbit service limit.
> >
> > The configuration is applied correctly and without errors, and I see
> > what seems to be a proper setup when I run "tc qdisc".
> >
> > Unfortunately, for reasons I cannot sort out, the download speed is also
> > severely limited, well below what I specify in tcinterfaces. For that
> > matter, I'm not even sure why download speed is affected; traffic
> > control should only apply on egress, right? It's very strange.
> >
> > I realize this might not be a shorewall issue so feel free to redirect
> > me elsewhere.
> >
> > Some details (gw is the firewall system):
> >
> > gw ~ # shorewall version
> > 5.2.3.4
> >
> > gw ~ # uname -a
> > Linux lifegw 3.10.0-1127.13.1.el7.x86_64 #1 SMP Tue Jun 23 15:46:38 UTC
> > 2020 x86_64 x86_64 x86_64 GNU/Linux
> > [ that's CentOS 7 with current updates applied ]
> >
> > gw /etc/shorewall # cat shorewall.conf | grep TC
> > TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
> > TC=
> > CLEAR_TC=Yes
> > TC_ENABLED=Simple
> > TC_EXPERT=No
> > TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
> > TCP_FLAGS_DISPOSITION=DROP
> > TC_BITS=
> >
> > gw /etc/shorewall # cat tcinterfaces | grep -v '^#.*'
> > enp1s0 External 40mbit:200kb 6.0mbit:100kb:200ms:100mbit:1516
>
> Note that you are setting IN-BANDWIDTH, so you are definitely getting
> ingress policing. Furthermore, you are not using rate-estimating, so you
> are probably running afoul of offloading to your NIC (See shorewall FAQ
> 97a).
>
> >
> > gw ~ # tc qdisc
> > qdisc noqueue 0: dev lo root refcnt 2
> > qdisc tbf 1: dev enp1s0 root refcnt 9 rate 6Mbit burst 100Kb peakrate
> > 100Mbit minburst 1512b lat 200.0ms
> > qdisc prio 101: dev enp1s0 parent 1: bands 3 priomap  1 2 2 2 1 2 0 0 1
> > 1 1 1 1 1 1 1
> > qdisc sfq 1013: dev enp1s0 parent 101:3 limit 127p quantum 1875b depth
> > 127 divisor 1024 perturb 10sec
> > qdisc sfq 1012: dev enp1s0 parent 101:2 limit 127p quantum 1875b depth
> > 127 divisor 1024 perturb 10sec
> > qdisc sfq 1011: dev enp1s0 parent 101:1 limit 127p quantum 1875b depth
> > 127 divisor 1024 perturb 10sec
> > qdisc ingress ffff: dev enp1s0 parent ffff:fff1 ----------------
> >
> > With that configuration in place, my **download** speed (ingress,
> > right?) gets capped at around 7500kbit:
> > gw ~ # wget "https://releases.ubuntu.com/20.04/ubuntu-20.04-desktop-amd64.iso"
> > <snip>
> >  0% [             ] 13,639,680   947KB/s
> >
> > That is a download directly on the firewall system, so if I'm
> > understanding properly, that should be ingress only - egress shouldn't
> > have anything to do with it. I understand if I was testing on a system
> > connected to the firewall system then I'd have to be thinking about
> > egress from the firewall system to that connected system, but this is
> > happening only on the firewall system.
> >
> > When I disable traffic control in shorewall, the download speed returns
> > close to my provider's stated limit:
> >
> > gw ~ # cat /etc/shorewall/shorewall.conf | grep TC_ENABLED
> > TC_ENABLED=No
> >
> > gw ~ # tc qdisc
> > qdisc noqueue 0: dev lo root refcnt 2
> > qdisc mq 0: dev enp1s0 root
> > qdisc pfifo_fast 0: dev enp1s0 parent :2 bands 3 priomap  1 2 2 2 1 2 0
> > 0 1 1 1 1 1 1 1 1
> > qdisc pfifo_fast 0: dev enp1s0 parent :1 bands 3 priomap  1 2 2 2 1 2 0
> > 0 1 1 1 1 1 1 1 1
> >
> > gw ~ # wget "https://releases.ubuntu.com/20.04/ubuntu-20.04-desktop-amd64.iso"
> > <snip>
> >  2% [=>                 ] 64,233,472  3.81MB/s
> >
> > Again, my intent here is to limit the upload speed, not the download
> > speed. I am very confused why any of this is affecting the download at
> > all.
>
> See my comment about your tcinterfaces file above.
>
> -Tom
> --
> Tom Eastep        \ Q: What do you get when you cross a mobster
> Shoreline,         \    with an international standard?
> Washington, USA     \ A: Someone who makes you an offer you
> http://shorewall.org \    can't understand
>                       \________________________________________
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
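
Added example, not part of the original thread or of Shorewall itself: a small checker for the condition discussed above, a tcinterfaces entry whose IN-BANDWIDTH column requests ingress policing without rate estimation while generic receive offload is on. The column layout (INTERFACE TYPE IN-BANDWIDTH OUT-BANDWIDTH), the `~` prefix for rate estimation and `-`/`0` meaning no ingress limit are assumptions based on Shorewall's tcinterfaces documentation; the function names and the `ethtool -k` sample output are constructed for illustration.

```python
import re

def ingress_mode(in_bw):
    """Classify the IN-BANDWIDTH column of a tcinterfaces entry (assumed syntax)."""
    if in_bw in ("", "-", "0"):
        return "none"              # no ingress limit requested
    if in_bw.startswith("~"):
        return "rate-estimated"    # ~rate[:interval[:decay_interval]]
    return "policed"               # rate[:burst]

def parse_tcinterfaces(text):
    """Yield (interface, in_bandwidth, out_bandwidth) for each non-comment entry."""
    for raw in text.splitlines():
        cols = raw.split("#", 1)[0].split()
        if cols:
            cols += ["-"] * (4 - len(cols))   # treat omitted trailing columns as "-"
            yield cols[0], cols[2], cols[3]

def gro_is_on(ethtool_k_output):
    """Read the generic-receive-offload line from `ethtool -k <iface>` output."""
    m = re.search(r"^\s*generic-receive-offload:\s*(on|off)", ethtool_k_output, re.M)
    return bool(m) and m.group(1) == "on"

def check(tcinterfaces_text, ethtool_by_iface):
    """Return one warning per interface that is policed on ingress while GRO is on."""
    warnings = []
    for iface, in_bw, _out_bw in parse_tcinterfaces(tcinterfaces_text):
        if ingress_mode(in_bw) == "policed" and gro_is_on(ethtool_by_iface.get(iface, "")):
            warnings.append(
                f"{iface}: IN-BANDWIDTH {in_bw} is policed without rate "
                "estimation and generic-receive-offload is on"
            )
    return warnings

# The tcinterfaces line is the one quoted in the thread; the ethtool output is constructed.
TCINTERFACES = "enp1s0 External 40mbit:200kb 6.0mbit:100kb:200ms:100mbit:1516\n"
ETHTOOL_GRO_ON = "Features for enp1s0:\ngeneric-receive-offload: on\n"
ETHTOOL_GRO_OFF = "Features for enp1s0:\ngeneric-receive-offload: off\n"

if __name__ == "__main__":
    print(check(TCINTERFACES, {"enp1s0": ETHTOOL_GRO_ON}))    # one warning
    print(check(TCINTERFACES, {"enp1s0": ETHTOOL_GRO_OFF}))   # no warnings
```

On a live system the second argument would be filled from the real output of `ethtool -k` for each interface listed in tcinterfaces.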