I have tried following the howto here:
http://gentoo-wiki.com/HOWTO_Packet_Shaping
But it doesn't work. First of all, it ends up limiting both upload AND
download. I have tried a few different ways, all with the same result.
Does anyone know what is wrong here?
6 |
|
7 |
Here is my firewall file: |
8 |
Code: |
9 |
|
10 |
#!/bin/bash |
11 |
############################################################################# |
12 |
# Explanation of iptables for clarity
13 |
# |
14 |
############################################################################# |
15 |
#filter -> table used to implement the firewall |
16 |
# |
17 |
#nat -> table used to implement IP masquerading (=internet sharing) |
18 |
# |
19 |
#mangle -> table used for specialized packet alteration |
20 |
# |
21 |
# |
22 |
# |
23 |
# | tables | chains | explaination |
24 |
# |
25 |
#-+-----------+---------------+------------------------------------ |
26 |
# |
27 |
# | | | |
28 |
# |
29 |
# | _/-- INPUT --------- for traffic coming into your box |
30 |
# |
31 |
# | filter <_--- OUTPUT -------- for traffic going out of your box |
32 |
# |
33 |
# | \-- FORWARD ------- for packets being routed through the |
34 |
box (= packets that aren't meant for you) |
35 |
# | | | |
36 |
# |
37 |
# | _/-- PREROUTING ---- for altering traffic as soon as it |
38 |
comes in |
39 |
# | nat ---<_--- POSTROUTING --- for altering traffic locally-generated |
40 |
packages before routing |
41 |
# | \-- OUTPUT -------- for altering traffic as it's about to |
42 |
go out |
43 |
# | | | |
44 |
# |
45 |
# | | | |
46 |
# |
47 |
# | mangle < |
48 |
# |
49 |
# | | |
50 |
# |
51 |
# | | |
52 |
# |
53 |
############################################################################# |
54 |
# Options for new rules (-A rules) |
55 |
# ----------------------------------- |
56 |
# -p -> protocol (tcp, udp, icmp, or all) |
57 |
# -s -> source |
58 |
# -d -> destination |
59 |
# -j -> target of the rule (where to send it) |
60 |
# -i -> in interface (only for INPUT, FORWARD and PREROUTING chains) |
61 |
# -o -> out interface (only for FORWARD, OUTPUT and POSTROUTING chains) |
62 |
# |
63 |
# |
64 |
# |
65 |
|
66 |
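## Variables applying to the system
# Path of the iptables binary used by the rules in this script.
IPTABLES='/sbin/iptables'
# external interface
EXTIF='eth0'
# internal interface
INTIF='eth1'
TORRENT_CLIENT_PORT='65123'

### Modules needed, just add one per line.
MODULES="ip_tables
iptable_nat
ip_nat_ftp
ip_conntrack_ftp"

# $MODULES is deliberately unquoted here: word splitting on the newlines
# yields one module name per iteration.
for i in $MODULES; do
  echo "Inserting module $i"
  # Quote the name and report a failed load on stderr so that a missing
  # module is visible in the script output; the script keeps going, as before.
  modprobe "$i" || echo "warning: could not load module $i" >&2
done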
83 |
|
84 |
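# Set the default policies for the chains BEFORE flushing. If the previous
# ruleset used an ACCEPT policy and did its filtering with rules, flushing
# first would leave INPUT and FORWARD fully open until the policy lines ran.
"$IPTABLES" -t filter -P INPUT DROP
"$IPTABLES" -t filter -P OUTPUT ACCEPT
"$IPTABLES" -t filter -P FORWARD DROP
"$IPTABLES" -t nat -P PREROUTING ACCEPT
"$IPTABLES" -t nat -P POSTROUTING ACCEPT
"$IPTABLES" -t nat -P OUTPUT ACCEPT

# Flush rules and delete chains
# -F/-X without -t act on the filter table; nat and mangle are flushed
# explicitly below.
"$IPTABLES" -F
"$IPTABLES" -X
"$IPTABLES" -F -t nat
"$IPTABLES" -F -t mangle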
96 |
|
97 |
### Set up the firewall rules
# Accept everything that arrives on the loopback interface; with the DROP
# policy on INPUT, local traffic would otherwise be discarded too.
"$IPTABLES" -t filter -A INPUT -i lo -j ACCEPT

# Accept everything that arrives on the internal (LAN) interface.
# NOTE(review): this trusts every host behind $INTIF for every service
# listening on this box.
"$IPTABLES" -t filter -A INPUT -i "$INTIF" -j ACCEPT

# From the external side, accept only packets that belong to, or are related
# to, a connection that already exists.
"$IPTABLES" -t filter -A INPUT -i "$EXTIF" \
  -m state --state RELATED,ESTABLISHED -j ACCEPT

# Services reachable from the internet: ssh and http.
# NOTE(review): ssh is accepted from any source address and without a rate
# limit; consider restricting the sources or limiting new connections.
for svc_port in ssh 80; do
  "$IPTABLES" -t filter -A INPUT -i "$EXTIF" -p tcp --dport "$svc_port" -j ACCEPT
done

# ftp on a non-standard port range.
# NOTE(review): the range is opened for udp as well as tcp; FTP runs over
# tcp, so confirm that the udp rule is needed.
for l4_proto in tcp udp; do
  "$IPTABLES" -t filter -A INPUT -i "$EXTIF" -p "$l4_proto" --dport 6543:6599 -j ACCEPT
done
#$IPTABLES -t filter -A INPUT -i $EXTIF -p tcp --dport 20 -j ACCEPT
#$IPTABLES -t filter -A INPUT -i $EXTIF -p udp --dport 20 -j ACCEPT
113 |
|
114 |
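## Prioritizing packets for shaping
# Firewall mark values; the companion traffic-shaping script defines the same
# four values and matches on them with its "fw" filters.
MARKPRIO1="1"
MARKPRIO2="2"
MARKPRIO3="3"
MARKPRIO4="4"

# Append the same MARK rule to the mangle FORWARD and mangle OUTPUT chains.
# Uses $IPTABLES like the rest of the script (the rules previously called a
# bare "iptables" from PATH).
# Arguments: $1 - mark value, remaining - iptables match options
mark_forward_and_output() {
  local mark=$1 chain
  shift
  for chain in FORWARD OUTPUT; do
    "$IPTABLES" -t mangle -A "$chain" "$@" -j MARK --set-mark "$mark"
  done
}

# Setting priority marks
# NOTE(review): MARK does not end rule traversal, so when several rules below
# match the same packet the LAST match decides the final mark. For example a
# forwarded ssh packet of 1024 bytes or more is marked $MARKPRIO1 here and
# then re-marked $MARKPRIO4 by the length rule further down.

# Prio 1
# icmp
mark_forward_and_output "$MARKPRIO1" -p icmp
# ssh
mark_forward_and_output "$MARKPRIO1" -p tcp --dport 22
# non tcp
mark_forward_and_output "$MARKPRIO1" -p ! tcp

# Prio 2

# Prio 3
# http
mark_forward_and_output "$MARKPRIO3" -p tcp --dport 80
# https
mark_forward_and_output "$MARKPRIO3" -p tcp --dport 443
# smtp
mark_forward_and_output "$MARKPRIO3" -p tcp --dport 25

# Prio 4
# packets > 1024 bytes
"$IPTABLES" -t mangle -A FORWARD -p tcp -m length --length 1024: \
  -j MARK --set-mark "$MARKPRIO4"
# bittorrent
# The external interface is taken from $EXTIF instead of a hard-coded eth0.
# NOTE(review): both rules match packets ENTERING on the external interface,
# i.e. traffic forwarded towards the LAN; the companion shaping script
# attaches its qdisc to eth0 only, so confirm these marks are ever consulted.
"$IPTABLES" -t mangle -A FORWARD -i "$EXTIF" -p tcp --sport 1025:65535 \
  -j MARK --set-mark "$MARKPRIO4"
"$IPTABLES" -t mangle -A FORWARD -i "$EXTIF" -p tcp --dport 1025:65535 \
  -j MARK --set-mark "$MARKPRIO4"

# Remaining packets are marked according to TOS
# "-m mark --mark 0" restricts these rules to packets that carry no mark yet.
"$IPTABLES" -t mangle -A FORWARD -p tcp -m tos --tos Minimize-Delay \
  -m mark --mark 0 -j MARK --set-mark "$MARKPRIO1"
"$IPTABLES" -t mangle -A FORWARD -p tcp -m tos --tos Maximize-Throughput \
  -m mark --mark 0 -j MARK --set-mark "$MARKPRIO2"
"$IPTABLES" -t mangle -A FORWARD -p tcp -m tos --tos Minimize-Cost \
  -m mark --mark 0 -j MARK --set-mark "$MARKPRIO4"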
167 |
|
168 |
## To work around comcast torrent block |
169 |
#iptables -A INPUT -p tcp --dport $TORRENT_CLIENT_PORT --tcp-flags RST RST -j DROP
171 |
##END torrent block |
172 |
|
173 |
### create custom chains
#$IPTABLES -N private-internet
#$IPTABLES -N internet-private
#$IPTABLES -N icmp_accept

# Create a filter-table chain that logs every packet with a prefix and then
# hands it to a final target.
# Arguments: $1 - chain name, $2 - log prefix, $3 - final target
add_logging_chain() {
  "$IPTABLES" -N "$1"
  "$IPTABLES" -A "$1" -j LOG --log-prefix "$2"
  "$IPTABLES" -A "$1" -j "$3"
}

# NOTE(review): no rule in this listing jumps to any of these chains, so
# packets dropped by the INPUT/FORWARD policies are not logged. The LOG rules
# also carry no rate limit (-m limit); add one before pointing
# internet-facing traffic at them, or the log can be flooded.

# Create a special log and drop chain
add_logging_chain log_drop "DROP---> " DROP
# log and reject chain
add_logging_chain log_reject "REJECT---> " REJECT
# log and drop test for new rules
add_logging_chain log_drop_test "TEST-DROP---> " DROP
189 |
|
190 |
### Special forwarding for internal servers and certain programs |
191 |
|
192 |
## lain forwards (192.168.2.22) |
193 |
# quake 3 on lain |
194 |
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 27960 -j DNAT |
195 |
--to 192.168.2.22:27960 |
196 |
#$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.22 --dport 27960 -j |
197 |
ACCEPT |
198 |
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 27961 -j DNAT |
199 |
--to 192.168.2.22:27961 |
200 |
#$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.22 --dport 27961 -j |
201 |
ACCEPT |
202 |
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 27960 -j DNAT |
203 |
--to 192.168.2.22:27960 |
204 |
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.22 --dport 27960 -j |
205 |
ACCEPT |
206 |
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 27961 -j DNAT |
207 |
--to 192.168.2.22:27961 |
208 |
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.22 --dport 27961 -j |
209 |
ACCEPT |
210 |
|
211 |
# Descent 3 on lain |
212 |
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 2092 -j DNAT |
213 |
--to 192.168.2.22:2092 |
214 |
#$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.22 --dport 2092 -j |
215 |
ACCEPT |
216 |
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 2093 -j DNAT |
217 |
--to 192.168.2.22:2093 |
218 |
#$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.22 --dport 2093 -j |
219 |
ACCEPT |
220 |
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 2092 -j DNAT |
221 |
--to 192.168.2.22:2092 |
222 |
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.22 --dport 2092 -j |
223 |
ACCEPT |
224 |
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 2093 -j DNAT |
225 |
--to 192.168.2.22:2093 |
226 |
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.22 --dport 2093 -j |
227 |
ACCEPT |
228 |
|
229 |
|
230 |
# Publish one port of an internal host to the internet: first a DNAT rule per
# protocol in nat/PREROUTING, then a matching ACCEPT per protocol in FORWARD.
# Arguments: $1 - internal host address, $2 - port, remaining - protocols
publish_port() {
  local host=$1 port=$2 proto
  shift 2
  for proto in "$@"; do
    "$IPTABLES" -t nat -A PREROUTING -p "$proto" -i "$EXTIF" --dport "$port" \
      -j DNAT --to "$host:$port"
  done
  for proto in "$@"; do
    "$IPTABLES" -A FORWARD -p "$proto" -i "$EXTIF" -d "$host" --dport "$port" \
      -j ACCEPT
  done
}

# NOTE(review): the host names in the comments below do not line up with the
# addresses in the rules (the earlier section header calls 192.168.2.22
# "lain", and the "lain - 192.168.1.22" rules target 192.168.2.23). Verify
# which machine each forward is meant for.

# azureus on laptop
publish_port 192.168.2.22 65124 tcp udp
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 34625 -j DNAT --to 192.168.2.22:34625
#$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.22 --dport 34625 -j ACCEPT
# azureus to lain - 192.168.1.22
publish_port 192.168.2.23 65123 tcp udp
publish_port 192.168.2.23 34625 udp
# gtk-gnutella to laptop
publish_port 192.168.2.22 34064 tcp udp
publish_port 192.168.2.23 34065 tcp udp
273 |
|
274 |
|
275 |
# VNC to lain |
276 |
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 5900 -j DNAT |
277 |
--to 192.168.2.28:5900 |
278 |
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.28 --dport 5900 -j |
279 |
ACCEPT |
280 |
|
281 |
|
282 |
# rdesktop to lain |
283 |
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 3389 -j DNAT |
284 |
--to 192.168.2.22:3389 |
285 |
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.22 --dport 3389 -j |
286 |
ACCEPT |
287 |
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 3389 -j DNAT |
288 |
--to 192.168.2.22:3389 |
289 |
#$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.22 --dport 3389 -j |
290 |
ACCEPT |
291 |
|
292 |
##nyuu forwards (192.168.2.28) |
293 |
# Descent 3 server to nyuu (192.168.2.28) |
294 |
# trackers |
295 |
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 22999 -j DNAT |
296 |
--to 192.168.2.28:22999 |
297 |
#$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.28 --dport 22999 -j |
298 |
ACCEPT |
299 |
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 27900 -j DNAT |
300 |
--to 192.168.2.28:27900 |
301 |
#$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.28 --dport 27900 -j |
302 |
ACCEPT |
303 |
# d3 game servers |
304 |
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 2111:2119 -j |
305 |
DNAT --to 192.168.2.28:2111-2119 |
306 |
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.28 --dport 2111:2119 |
307 |
-j ACCEPT |
308 |
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 2111:2119 -j |
309 |
DNAT --to 192.168.2.28:2111-2119 |
310 |
#$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.28 --dport 2111:2119 |
311 |
-j ACCEPT |
312 |
# nyuu: vnc incoming |
313 |
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 5910 -j DNAT |
314 |
--to 192.168.2.28:5910 |
315 |
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.28 --dport 5910 -j |
316 |
ACCEPT |
317 |
# |
318 |
# ftp to proliant |
319 |
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 21 -j DNAT --to |
320 |
192.168.2.26:21 |
321 |
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.26 --dport 21 -j ACCEPT |
322 |
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 20 -j DNAT --to |
323 |
192.168.2.26:20 |
324 |
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.26 --dport 20 -j ACCEPT |
325 |
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 21 -j DNAT --to |
326 |
192.168.2.22:21 |
327 |
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.22 --dport 21 -j ACCEPT |
328 |
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 20 -j DNAT --to |
329 |
192.168.2.22:20 |
330 |
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.22 --dport 20 -j ACCEPT |
331 |
|
332 |
|
333 |
|
334 |
# palantir on MythTV box |
335 |
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 3000 -j DNAT |
336 |
--to 192.168.2.24:3000 |
337 |
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.24 --dport 3000 -j |
338 |
ACCEPT |
339 |
# mythweb (apache server) on MythTV box
# NOTE(review): this publishes the web interface on 192.168.2.24:8080 to any
# internet host; confirm it requires authentication. HTTP runs over tcp, so
# the udp pair is probably unnecessary - confirm before keeping it.
for web_proto in tcp udp; do
  "$IPTABLES" -t nat -A PREROUTING -p "$web_proto" -i "$EXTIF" --dport 8080 \
    -j DNAT --to 192.168.2.24:8080
  "$IPTABLES" -A FORWARD -p "$web_proto" -i "$EXTIF" -d 192.168.2.24 --dport 8080 \
    -j ACCEPT
done
346 |
|
347 |
|
348 |
|
349 |
|
350 |
### Set up the ip forwarding
# LAN -> internet: anything may leave.
"$IPTABLES" -t filter -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
# internet -> LAN: only packets of, or related to, existing connections.
"$IPTABLES" -t filter -A FORWARD -i "$EXTIF" -o "$INTIF" \
  -m state --state RELATED,ESTABLISHED -j ACCEPT

### Set up ip masquerading
# Rewrite the source address of everything leaving via the external
# interface, so the internal boxes can reach the Internet.
"$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
## enable ip forwarding in the kernel
printf '1\n' > /proc/sys/net/ipv4/ip_forward
387 |
And here is the script that sets up the traffic shaping |
388 |
Code: |
389 |
|
390 |
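#Constants

# Interface you want to do shaping on
# eth2, eth1 for direct connection; ppp0 or so for dsl
# and other dialup connections (check ifconfig)
IFACE=eth0

#clear it out first
# The device is taken from $IFACE (it used to be a hard-coded eth0), so the
# reset always hits the interface that is configured below.
# tc reports an error here when no root qdisc exists yet; that is expected on
# a first run and the script simply continues.
tc qdisc del dev "$IFACE" root
##

# Priority marks
# Must match the mark values set by the mangle rules of the firewall script.
MARKPRIO1="1"
MARKPRIO2="2"
MARKPRIO3="3"
MARKPRIO4="4"

# Rates
UPRATE="152kbit"
#P2PRATE=$UPRATE
P2PRATE="128kbit"
PRIORATE1="65kbit"
PRIORATE2="46kbit"
PRIORATE3="27kbit"
PRIORATE4="8kbit"

# Quantum
QUANTUM1="12187"
QUANTUM2="8625"
QUANTUM3="5062"
QUANTUM4="1500"

# Burst
BURST1="6k"
BURST2="4k"
BURST3="2k"
BURST4="0k"
CBURST1="3k"
CBURST2="2k"
CBURST3="1k"
CBURST4="0k"

# Set queue length for IFACE
ifconfig "$IFACE" txqueuelen 16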
435 |
|
436 |
# Specify queue discipline
# HTB at the root of $IFACE; packets that no filter classifies fall into
# class 1:103 ("default 103").
# NOTE(review): a root qdisc only schedules packets LEAVING $IFACE; nothing in
# this script shapes what leaves the internal interface.
tc qdisc add dev "$IFACE" root handle 1:0 htb default 103 r2q 1

# Set root class
tc class add dev "$IFACE" parent 1:0 classid 1:1 htb \
  rate "$UPRATE" burst "$BURST1" cburst "$CBURST1"

# Add one HTB class below the root class 1:1.
# Arguments: $1 classid, $2 rate, $3 ceil, $4 quantum, $5 burst, $6 cburst,
#            $7 prio
add_leaf_class() {
  tc class add dev "$IFACE" parent 1:1 classid "$1" htb rate "$2" \
    ceil "$3" quantum "$4" burst "$5" cburst "$6" prio "$7"
}

# Specify sub classes
# Classes 1:101-1:103 may borrow up to $UPRATE; 1:104 is capped at $P2PRATE.
add_leaf_class 1:101 "$PRIORATE1" "$UPRATE" "$QUANTUM1" "$BURST1" "$CBURST1" 0
add_leaf_class 1:102 "$PRIORATE2" "$UPRATE" "$QUANTUM2" "$BURST2" "$CBURST2" 1
add_leaf_class 1:103 "$PRIORATE3" "$UPRATE" "$QUANTUM3" "$BURST3" "$CBURST3" 2
add_leaf_class 1:104 "$PRIORATE4" "$P2PRATE" "$QUANTUM4" "$BURST4" "$CBURST4" 3
451 |
|
452 |
# Attach an "fw" filter to the root qdisc that sends packets carrying a given
# firewall mark to a given class.
# Arguments: $1 - filter prio, $2 - firewall mark, $3 - target classid
map_mark_to_class() {
  tc filter add dev "$IFACE" parent 1:0 protocol ip prio "$1" handle "$2" \
    fw classid "$3"
}

# Filter packets
# NOTE(review): the first filter uses "prio 0"; tc may treat a filter priority
# of 0 as "choose one automatically" - confirm the resulting order with
# "tc filter show".
map_mark_to_class 0 "$MARKPRIO1" 1:101
map_mark_to_class 1 "$MARKPRIO2" 1:102
map_mark_to_class 2 "$MARKPRIO3" 1:103
map_mark_to_class 3 "$MARKPRIO4" 1:104
461 |
|
462 |
# Give a class an SFQ leaf qdisc.
# Arguments: $1 - parent classid, $2 - sfq quantum
add_sfq_leaf() {
  tc qdisc add dev "$IFACE" parent "$1" sfq perturb 16 quantum "$2"
}

# Add queuing disciplines
# One SFQ per priority class, each with the quantum of its class.
add_sfq_leaf 1:101 "$QUANTUM1"
add_sfq_leaf 1:102 "$QUANTUM2"
add_sfq_leaf 1:103 "$QUANTUM3"
add_sfq_leaf 1:104 "$QUANTUM4"