# Device being configured
# NOTE(review): the values in this file carry trailing "# ..." comments and
# quoted strings, so it presumably has to be sourced by a shell; a strict
# INI parser would fold the trailing comment into the value. Confirm the consumer.
DEV=eth0
# IFB device used to mirror ingress traffic from $DEV (see INGRESS_ALG)
IFB_DEV=ifb0 # Leave blank if $DEV is ifbX
# Internet EGRESS/INGRESS rates in kbit or mbit. Measure them on an idle line to get precise values.
EGRESS_RATE=1000kbit # 128kbit, 256kbit, 512kbit
INGRESS_RATE=1000kbit # 256kbit, 512kbit, 1024kbit
# The real link speed is deliberately reduced by this percentage so that the
# queue can be controlled on the router/bridge side.
# NOTE(review): presumably applied to EGRESS_RATE and INGRESS_RATE - verify in the consuming script.
RATE_SUB_PERCENT=5 # 20, 10
# Device physical speed in kbit or mbit
DEV_RATE=50mbit
# EGRESS root classful queuing discipline. Allowed values:
#
# htb: if link is not congested or you want to control bursts of traffic; recommended for downstream.
# hfsc: if link is congested and you need to control guarantees of delay; recommended for upstream.
# dmax = 50-100 [ms] = 50000-100000 [microsec]
# umax = MIN (rate * (dmax / 1000), 1500) [b]
# prio: if rate is variable and you want to be sure that interactive traffic has ultimate priority
# none: if link is not congested
#
EGRESS_ALG=hfsc
# EGRESS leaf queuing disciplines, one per traffic class. Allowed values:
#
# pfifo: real-time streams or IPSEC
# sfq: TCP sessions or best-effort class traffic
# red: highly congested links or high-speed Internet (> 10Mbit/sec)
#
INTERACTIVE_LEAF_QDISC=pfifo
PRIVILEGED_LEAF_QDISC=pfifo
BESTEFFORT_LEAF_QDISC=red
LAN_LEAF_QDISC=sfq
# INGRESS treatment. Allowed values:
#
# police: if link is constantly heavily congested, set simple traffic policing
# cpolice: if link is constantly heavily congested but you need certain dedicated rates, set classful traffic policing
# ifb: shape INGRESS traffic as EGRESS of the intermediate IFB device (aka imq); uses IFB_DEV
# none: if link is not congested
#
INGRESS_ALG=ifb
# Filter rules (see tc, tc-filters man pages).
# You may have multiple <CLASS-NAME>_FILTER_<n> items.
# A maximum of 100 filter items is allowed for each class.
# By default ALL unclassified traffic is assigned to the Best-Effort class.
#
# NOTE(review): the rules below classify on fields the sender controls
# (IP protocol number, TOS byte). Any host that can send through $DEV can
# therefore place its traffic in the interactive class by marking TOS or by
# using UDP/ICMP. If untrusted hosts share this link, consider narrowing the
# matches (specific ports or source networks) or re-marking TOS at the edge.
#
# UDP (IP protocol 0x11) - matches every UDP datagram, including bulk transfers over UDP
INTERACTIVE_FILTER_1="protocol ip prio 100 u32 match ip protocol 0x11 0xff"
# ICMP (IP protocol 0x1) - matches all ICMP, not only echo request/reply
INTERACTIVE_FILTER_2="protocol ip prio 100 u32 match ip protocol 0x1 0xff"
# ACK with payload < 64 bytes (32-bit version)
# TCP with a 20-byte IP header (IHL = 5 at offset 0), IP total length < 64
# (u16 at offset 2 masked with 0xffc0 is zero) and the flags byte at fixed
# offset 33 equal to 0x10 (ACK only).
INTERACTIVE_FILTER_3="protocol ip prio 100 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33"
# ACK with payload < 64 bytes
# Same test, but the flags byte is located relative to the next header
# (nexthdr+13) and no IHL match is made.
INTERACTIVE_FILTER_4="protocol ip prio 100 u32 match ip protocol 6 0xff match u8 0x10 0xff at nexthdr+13 match u16 0x0000 0xffc0 at 2"
# TOS byte values matched by the TOS filters (mask 0xff, i.e. the whole byte
# must be equal, ECN bits included).
# PHB TOS HEX
# --------------------------
# 0x10
# 0x18
# CS1 PRIORITY 0x20
# AF11 0x28
# AF12 0x30
# AF13 0x38
#
# CS2 IMMEDIATE 0x40
# AF21 0x48
# AF22 0x50
# AF23 0x58
#
# CS5 CRITICAL 0xA0
# EF 0xB8
#
# CS6 INTERNETWORKCONTROL 0xC0
# CS7 NETWORKCONTROL 0xE0
# Only 0x10, 0x18, 0xa0 (CS5) and 0xb8 (EF) from the table are matched below.
INTERACTIVE_FILTER_5="protocol ip prio 100 u32 match ip tos 0x10 0xff"
INTERACTIVE_FILTER_6="protocol ip prio 100 u32 match ip tos 0x18 0xff"
INTERACTIVE_FILTER_7="protocol ip prio 100 u32 match ip tos 0xa0 0xff"
INTERACTIVE_FILTER_8="protocol ip prio 100 u32 match ip tos 0xb8 0xff"
# NOTE(review): the port filters below match on port number only; they carry
# no "match ip protocol" term, so both TCP and UDP on these ports qualify,
# and any service run on port 22 or 3389 is treated as privileged. Restrict
# by protocol or address if that matters on this link.
#
# SSH (source or destination port 22)
PRIVILEGED_FILTER_1="protocol ip prio 100 u32 match ip dport 22 0xffff"
PRIVILEGED_FILTER_2="protocol ip prio 100 u32 match ip sport 22 0xffff"
# Remote Desktop (source or destination port 3389)
PRIVILEGED_FILTER_3="protocol ip prio 100 u32 match ip dport 3389 0xffff"
PRIVILEGED_FILTER_4="protocol ip prio 100 u32 match ip sport 3389 0xffff"
# ESP (IP protocol 0x32 = 50)
PRIVILEGED_FILTER_5="protocol ip prio 100 u32 match ip protocol 0x32 0xff"
# AH (IP protocol 0x33 = 51)
PRIVILEGED_FILTER_6="protocol ip prio 100 u32 match ip protocol 0x33 0xff"
# PHB TOS HEX
# --------------------------
# CS3 FLASH 0x60
# AF31 0x68
# AF32 0x70
# AF33 0x78
#
# CS4 FLASHOVERRIDE 0x80
# AF41 0x88
# AF42 0x90
# AF43 0x98
# Only 0x88 (AF41) from the table is matched below.
PRIVILEGED_FILTER_7="protocol ip prio 100 u32 match ip tos 0x88 0xff"
# IPSEC-NAT (UDP source or destination port 4500)
# These use prio 90 while every other filter uses prio 100; tc consults
# lower prio values first, so - assuming all filters attach to the same
# parent - they are presumably meant to win over the catch-all UDP rule
# INTERACTIVE_FILTER_1. Verify in the consuming script.
PRIVILEGED_FILTER_8="protocol ip prio 90 u32 match ip protocol 0x11 0xff match ip dport 4500 0xffff"
PRIVILEGED_FILTER_9="protocol ip prio 90 u32 match ip protocol 0x11 0xff match ip sport 4500 0xffff"
# Example: Any traffic from/to 192.168.1.0/24 network will be classified as best-effort
#
### BESTEFFORT_FILTER_1="protocol ip prio 3 u32 match ip src 192.168.1.0/24"
### BESTEFFORT_FILTER_2="protocol ip prio 4 u32 match ip dst 192.168.1.0/24"
# Example: Traffic Originated from router
#
###LAN_FILTER_1="protocol ip prio 10 u32 match ip src 192.168.1.10"