blob: 1578dfa5726940f57720b44a6f061a1d2aac90e7 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
|
# Device being configured
DEV=eth0
# IFB device is used to mirror ingress traffic from $DEV (see INGRESS_ALG)
IFB_DEV=ifb0 # Leave blank if $DEV is ifbX
# Internet EGRESS/INGRES rates in kbit or mbit. Measure this on a free line to gain precise value
EGRESS_RATE=512kbit # 128kbit, 256kbit, 512kbit
INGRESS_RATE=2048kbit # 256kbit, 512kbit, 1024kbit
# In order to control a queue at the router/bridge side we will downgrade a real link speed on purpose
RATE_SUB_PERCENT=5 # 20, 10
# Device physical speed in kbit or mbit
DEV_RATE=50mbit
# EGRESS root Classfull Disciplins
#
# htb: if link is not congested or you want to control busrts of traffic; recommended for downstream.
# hfsc: if link is congested and you need to control guarantees of delay; recommended for upstream.
# dmax = 50-100 [ms] = 50000-100000 [microsec]
# umax = MIN (rate * (dmax / 1000), 1500) [b]
# prio: if rate is variable and you want to be sure that interactive traffic has ultimate priority
# none: if link is not congested
#
EGRESS_ALG=htb
# EGRESS leaf Queuing Disciplines
#
# pfifo: real-time streams or IPSEC
# sfq: TCP sessions or best-effort class traffic
# red: hightly congested links or high-speed Internet [> 10Mbit/sec])
#
INTERACTIVE_LEAF_QDISC=pfifo
PRIVILEGED_LEAF_QDISC=pfifo
BESTEFFORT_LEAF_QDISC=red
LAN_LEAF_QDISC=sfq
# INGRESS treatment
#
# police: if link is constantly heavy congested set simple traffic policing
# cpolice: if link is constantly heavy congested but you need certain dedicated rates then set classfull traffic policiing
# ifb: shape INGRESS traffic as EGRESS of intermediate IFB device (aka imq)
# none: if link is not congested
#
INGRESS_ALG=ifb
# Filter rules (see tc, tc-filters man pages).
# You may have multiple <CLASS-NAME>_FILTER_<n> items.
# Maximum 100 filter items are allowed for each class.
# By default ALL unclassified traffic is being assined to Best-Effort class.
###################################
### INTERACTIVE FILTERING RULES ###
###################################
# ACK with payload < 64 bytes (32-bit version)
INTERACTIVE_FILTER_10="protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33"
# ACK with payload < 64 bytes
INTERACTIVE_FILTER_11="protocol ip prio 11 u32 match ip protocol 6 0xff match u8 0x10 0xff at nexthdr+13 match u16 0x0000 0xffc0 at 2"
# PHB TOS HEX NOTES
# ----------------------------------------------
# 0x10 SSH, IAX2
# 0x18
# CS1 PRIORITY 0x20
# AF11 0x28
# AF12 0x30
# AF13 0x38
#
# CS2 IMMEDIATE 0x40
# AF21 0x48
# AF22 0x50
# AF23 0x58
#
# CS5 CRITICAL 0xA0
# EF 0xB8 IAX2, SIP Voice
#
# CS6 INTERNETWORKCNTRL 0xC0 BGP (by default)
# CS7 NETWORKCONTROL 0xE0
INTERACTIVE_FILTER_30="protocol ip prio 30 u32 match ip tos 0xb8 0xff"
INTERACTIVE_FILTER_31="protocol ip prio 31 u32 match ip tos 0x10 0xff"
INTERACTIVE_FILTER_32="protocol ip prio 32 u32 match ip tos 0x18 0xff"
INTERACTIVE_FILTER_33="protocol ip prio 33 u32 match ip tos 0xa0 0xff"
# UDP
INTERACTIVE_FILTER_90="protocol ip prio 90 u32 match ip protocol 0x11 0xff"
# ICMP
INTERACTIVE_FILTER_91="protocol ip prio 91 u32 match ip protocol 0x1 0xff"
##################################
### PRIVILEGED FILTERING RULES ###
##################################
# SSH
PRIVILEGED_FILTER_20="protocol ip prio 20 u32 match ip dport 22 0xffff"
PRIVILEGED_FILTER_21="protocol ip prio 21 u32 match ip sport 22 0xffff"
# Remote Desktop
PRIVILEGED_FILTER_22="protocol ip prio 22 u32 match ip dport 3389 0xffff"
PRIVILEGED_FILTER_23="protocol ip prio 23 u32 match ip sport 3389 0xffff"
# ESP
PRIVILEGED_FILTER_50="protocol ip prio 50 u32 match ip protocol 0x32 0xff"
# AH
PRIVILEGED_FILTER_51="protocol ip prio 51 u32 match ip protocol 0x33 0xff"
# IPSEC-NAT
PRIVILEGED_FILTER_52="protocol ip prio 52 u32 match ip protocol 0x11 0xff match ip dport 4500 0xffff"
PRIVILEGED_FILTER_53="protocol ip prio 53 u32 match ip protocol 0x11 0xff match ip sport 4500 0xffff"
# PHB TOS HEX NOTES
# --------------------------------------
# CS3 FLASH 0x60 SIP signaling
# AF31 0x68
# AF32 0x70
# AF33 0x78
#
# CS4 FLASHOVERRIDE 0x80
# AF41 0x88 SIP Video
# AF42 0x90
# AF43 0x98
PRIVILEGED_FILTER_80="protocol ip prio 80 u32 match ip tos 0x60 0xff"
PRIVILEGED_FILTER_81="protocol ip prio 81 u32 match ip tos 0x88 0xff"
###################################
### BEST-EFFORT FILTERING RULES ###
###################################
BESTEFFORT_FILTER_85="protocol ip prio 85 u32 match ip tos 0x4 0xff"
BESTEFFORT_FILTER_86="protocol ip prio 86 u32 match ip tos 0x6 0xff"
BESTEFFORT_FILTER_87="protocol ip prio 87 u32 match ip tos 0x90 0xff"
BESTEFFORT_FILTER_88="protocol ip prio 88 u32 match ip tos 0x98 0xff"
# Example: Any traffic from/to 192.168.1.0/24 network will be classified as best-effort
#
### BESTEFFORT_FILTER_5="protocol ip prio 10 u32 match ip src 192.168.1.0/24"
### BESTEFFORT_FILTER_6="protocol ip prio 11 u32 match ip dst 192.168.1.0/24"
###########################
### LAN FILTERING RULES ###
###########################
# Example: Traffic Originated from router
#
###LAN_FILTER_10="protocol ip prio 10 u32 match ip src 192.168.1.10"
|