# Device being configured DEV=eth0 # IFB device is used to mirror ingress traffic from $DEV (see INGRESS_ALG) IFB_DEV=ifb0 # Leave blank if $DEV is ifbX # Internet EGRESS/INGRES rates in kbit or mbit. Measure this on a free line to gain precise value EGRESS_RATE=512kbit # 128kbit, 256kbit, 512kbit INGRESS_RATE=2048kbit # 256kbit, 512kbit, 1024kbit # In order to control a queue at the router/bridge side we will downgrade a real link speed on purpose RATE_SUB_PERCENT=5 # 20, 10 # Device physical speed in kbit or mbit DEV_RATE=50mbit # EGRESS root Classfull Disciplins # # htb: if link is not congested or you want to control busrts of traffic; recommended for downstream. # hfsc: if link is congested and you need to control guarantees of delay; recommended for upstream. # dmax = 50-100 [ms] = 50000-100000 [microsec] # umax = MIN (rate * (dmax / 1000), 1500) [b] # prio: if rate is variable and you want to be sure that interactive traffic has ultimate priority # none: if link is not congested # EGRESS_ALG=htb # EGRESS leaf Queuing Disciplines # # pfifo: real-time streams or IPSEC # sfq: TCP sessions or best-effort class traffic # red: hightly congested links or high-speed Internet [> 10Mbit/sec]) # INTERACTIVE_LEAF_QDISC=pfifo PRIVILEGED_LEAF_QDISC=pfifo BESTEFFORT_LEAF_QDISC=red LAN_LEAF_QDISC=sfq # INGRESS treatment # # police: if link is constantly heavy congested set simple traffic policing # cpolice: if link is constantly heavy congested but you need certain dedicated rates then set classfull traffic policiing # ifb: shape INGRESS traffic as EGRESS of intermediate IFB device (aka imq) # none: if link is not congested # INGRESS_ALG=ifb # Filter rules (see tc, tc-filters man pages). # You may have multiple _FILTER_ items. # Maximum 100 filter items are allowed for each class. # By default ALL unclassified traffic is being assined to Best-Effort class. ################################### ### INTERACTIVE FILTERING RULES ### ################################### # ACK with payload < 64 bytes (32-bit version) INTERACTIVE_FILTER_10="protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33" # ACK with payload < 64 bytes INTERACTIVE_FILTER_11="protocol ip prio 11 u32 match ip protocol 6 0xff match u8 0x10 0xff at nexthdr+13 match u16 0x0000 0xffc0 at 2" # PHB TOS HEX NOTES # ---------------------------------------------- # 0x10 SSH, IAX2 # 0x18 # CS1 PRIORITY 0x20 # AF11 0x28 # AF12 0x30 # AF13 0x38 # # CS2 IMMEDIATE 0x40 # AF21 0x48 # AF22 0x50 # AF23 0x58 # # CS5 CRITICAL 0xA0 # EF 0xB8 IAX2, SIP Voice # # CS6 INTERNETWORKCNTRL 0xC0 BGP (by default) # CS7 NETWORKCONTROL 0xE0 INTERACTIVE_FILTER_30="protocol ip prio 30 u32 match ip tos 0xb8 0xff" INTERACTIVE_FILTER_31="protocol ip prio 31 u32 match ip tos 0x10 0xff" INTERACTIVE_FILTER_32="protocol ip prio 32 u32 match ip tos 0x18 0xff" INTERACTIVE_FILTER_33="protocol ip prio 33 u32 match ip tos 0xa0 0xff" # UDP INTERACTIVE_FILTER_90="protocol ip prio 90 u32 match ip protocol 0x11 0xff" # ICMP INTERACTIVE_FILTER_91="protocol ip prio 91 u32 match ip protocol 0x1 0xff" ################################## ### PRIVILEGED FILTERING RULES ### ################################## # SSH PRIVILEGED_FILTER_20="protocol ip prio 20 u32 match ip dport 22 0xffff" PRIVILEGED_FILTER_21="protocol ip prio 21 u32 match ip sport 22 0xffff" # Remote Desktop PRIVILEGED_FILTER_22="protocol ip prio 22 u32 match ip dport 3389 0xffff" PRIVILEGED_FILTER_23="protocol ip prio 23 u32 match ip sport 3389 0xffff" # ESP PRIVILEGED_FILTER_50="protocol ip prio 50 u32 match ip protocol 0x32 0xff" # AH PRIVILEGED_FILTER_51="protocol ip prio 51 u32 match ip protocol 0x33 0xff" # IPSEC-NAT PRIVILEGED_FILTER_52="protocol ip prio 52 u32 match ip protocol 0x11 0xff match ip dport 4500 0xffff" PRIVILEGED_FILTER_53="protocol ip prio 53 u32 match ip protocol 0x11 0xff match ip sport 4500 0xffff" # PHB TOS HEX NOTES # -------------------------------------- # CS3 FLASH 0x60 SIP signaling # AF31 0x68 # AF32 0x70 # AF33 0x78 # # CS4 FLASHOVERRIDE 0x80 # AF41 0x88 SIP Video # AF42 0x90 # AF43 0x98 PRIVILEGED_FILTER_80="protocol ip prio 80 u32 match ip tos 0x60 0xff" PRIVILEGED_FILTER_81="protocol ip prio 81 u32 match ip tos 0x88 0xff" ################################### ### BEST-EFFORT FILTERING RULES ### ################################### BESTEFFORT_FILTER_85="protocol ip prio 85 u32 match ip tos 0x4 0xff" BESTEFFORT_FILTER_86="protocol ip prio 86 u32 match ip tos 0x6 0xff" BESTEFFORT_FILTER_87="protocol ip prio 87 u32 match ip tos 0x90 0xff" BESTEFFORT_FILTER_88="protocol ip prio 88 u32 match ip tos 0x98 0xff" # Example: Any traffic from/to 192.168.1.0/24 network will be classified as best-effort # ### BESTEFFORT_FILTER_5="protocol ip prio 10 u32 match ip src 192.168.1.0/24" ### BESTEFFORT_FILTER_6="protocol ip prio 11 u32 match ip dst 192.168.1.0/24" ########################### ### LAN FILTERING RULES ### ########################### # Example: Traffic Originated from router # ###LAN_FILTER_10="protocol ip prio 10 u32 match ip src 192.168.1.10"