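# Traffic-shaping settings (tc qdisc/class/filter parameters), written as
# shell-style KEY=value assignments, one per line, comments on their own lines.

# Device being configured
DEV=eth0

# IFB device is used to mirror ingress traffic from $DEV (see INGRESS_ALG).
# Leave blank if $DEV is ifbX.
IFB_DEV=ifb0

# Internet EGRESS/INGRESS rates in kbit or mbit.
# Measure this on a free line to get a precise value.
# Other example values: 128kbit, 256kbit, 512kbit
EGRESS_RATE=1000kbit
# Other example values: 256kbit, 512kbit, 1024kbit
INGRESS_RATE=1000kbit

# In order to control a queue at the router/bridge side we deliberately
# downgrade the real link speed by this percentage.
# Other example values: 20, 10
RATE_SUB_PERCENT=5

# Device physical speed in kbit or mbit
DEV_RATE=50mbit

# EGRESS root Classful Disciplines
#
# htb:  if link is not congested or you want to control bursts of traffic; recommended for downstream.
# hfsc: if link is congested and you need to control guarantees of delay; recommended for upstream.
#         dmax = 50-100 [ms] = 50000-100000 [microsec]
#         umax = MIN (rate * (dmax / 1000), 1500) [b]
# prio: if rate is variable and you want to be sure that interactive traffic has ultimate priority
# none: if link is not congested
#
EGRESS_ALG=hfsc

# EGRESS leaf Queuing Disciplines
#
# pfifo: real-time streams or IPSEC
# sfq:   TCP sessions or best-effort class traffic
# red:   highly congested links or high-speed Internet [> 10Mbit/sec]
#
INTERACTIVE_LEAF_QDISC=pfifo
PRIVILEGED_LEAF_QDISC=pfifo
BESTEFFORT_LEAF_QDISC=red
LAN_LEAF_QDISC=sfq

# INGRESS treatment
#
# police:  if link is constantly heavily congested, set simple traffic policing
# cpolice: if link is constantly heavily congested but you need certain dedicated rates,
#          set classful traffic policing
# ifb:     shape INGRESS traffic as EGRESS of intermediate IFB device (aka imq)
# none:    if link is not congested
#
INGRESS_ALG=ifb

# Filter rules (see tc, tc-filters man pages).
# You may have multiple _FILTER_ items.
# Maximum 100 filter items are allowed for each class.
# By default ALL unclassified traffic is assigned to the Best-Effort class.
#
# NOTE(review): several filters below classify on fields the sender controls
# (IP protocol, ports, TOS/DSCP byte). A host that sets those fields can place
# its own traffic in the INTERACTIVE or PRIVILEGED class. If the link carries
# untrusted traffic, consider narrowing the matches (add src/dst prefixes) or
# re-marking TOS at the trust boundary before these filters are applied.

# UDP
# NOTE(review): matches every UDP packet (protocol 0x11), so bulk UDP traffic
# shares the interactive class; narrow to specific ports if that is not intended.
INTERACTIVE_FILTER_1="protocol ip prio 100 u32 match ip protocol 0x11 0xff"

# ICMP
INTERACTIVE_FILTER_2="protocol ip prio 100 u32 match ip protocol 0x1 0xff"

# ACK with payload < 64 bytes (32-bit version)
# Matches TCP, IHL = 5 (no IP options), IP total-length field (offset 2) below 64,
# and a flags byte at offset 33 equal to 0x10 (ACK only).
INTERACTIVE_FILTER_3="protocol ip prio 100 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33"

# ACK with payload < 64 bytes
# Same test, with the flags byte addressed relative to the next header.
# NOTE(review): confirm the consuming script sets up the u32 next-header offset
# that "at nexthdr+13" relies on.
INTERACTIVE_FILTER_4="protocol ip prio 100 u32 match ip protocol 6 0xff match u8 0x10 0xff at nexthdr+13 match u16 0x0000 0xffc0 at 2"

# PHB    TOS                    HEX
# ---------------------------------
#                               0x10
#                               0x18
# CS1    PRIORITY               0x20
# AF11                          0x28
# AF12                          0x30
# AF13                          0x38
#
# CS2    IMMEDIATE              0x40
# AF21                          0x48
# AF22                          0x50
# AF23                          0x58
#
# CS5    CRITICAL               0xA0
# EF                            0xB8
#
# CS6    INTERNETWORKCONTROL    0xC0
# CS7    NETWORKCONTROL         0xE0
INTERACTIVE_FILTER_5="protocol ip prio 100 u32 match ip tos 0x10 0xff"
INTERACTIVE_FILTER_6="protocol ip prio 100 u32 match ip tos 0x18 0xff"
INTERACTIVE_FILTER_7="protocol ip prio 100 u32 match ip tos 0xa0 0xff"
INTERACTIVE_FILTER_8="protocol ip prio 100 u32 match ip tos 0xb8 0xff"

# SSH
# NOTE(review): the port filters below match on port number only; there is no
# "match ip protocol" term, so they are not restricted to TCP.
PRIVILEGED_FILTER_1="protocol ip prio 100 u32 match ip dport 22 0xffff"
PRIVILEGED_FILTER_2="protocol ip prio 100 u32 match ip sport 22 0xffff"

# Remote Desktop
PRIVILEGED_FILTER_3="protocol ip prio 100 u32 match ip dport 3389 0xffff"
PRIVILEGED_FILTER_4="protocol ip prio 100 u32 match ip sport 3389 0xffff"

# ESP
PRIVILEGED_FILTER_5="protocol ip prio 100 u32 match ip protocol 0x32 0xff"

# AH
PRIVILEGED_FILTER_6="protocol ip prio 100 u32 match ip protocol 0x33 0xff"

# PHB    TOS                    HEX
# ---------------------------------
# CS3    FLASH                  0x60
# AF31                          0x68
# AF32                          0x70
# AF33                          0x78
#
# CS4    FLASHOVERRIDE          0x80
# AF41                          0x88
# AF42                          0x90
# AF43                          0x98
PRIVILEGED_FILTER_7="protocol ip prio 100 u32 match ip tos 0x88 0xff"

# IPSEC-NAT
# UDP port 4500 at prio 90, a lower prio number than the catch-all UDP filter
# (INTERACTIVE_FILTER_1, prio 100).
PRIVILEGED_FILTER_8="protocol ip prio 90 u32 match ip protocol 0x11 0xff match ip dport 4500 0xffff"
PRIVILEGED_FILTER_9="protocol ip prio 90 u32 match ip protocol 0x11 0xff match ip sport 4500 0xffff"

# Example: Any traffic from/to 192.168.1.0/24 network will be classified as best-effort
#
### BESTEFFORT_FILTER_1="protocol ip prio 3 u32 match ip src 192.168.1.0/24"
### BESTEFFORT_FILTER_2="protocol ip prio 4 u32 match ip dst 192.168.1.0/24"

# Example: Traffic Originated from router
#
###LAN_FILTER_1="protocol ip prio 10 u32 match ip src 192.168.1.10"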