blob: f1740f097035fc187ee7635b713b2dcb42c80bf7 (
plain) (
tree)
|
|
# Device being configured
DEV=ifb0
# IFB device is used to mirror ingress traffic from $DEV (see INGRESS_ALG)
IFB_DEV= # Leave it blank if $DEV is ifbX
# Internet EGRESS/INGRES rates in kbit or mbit. Measure this on a free line to gain precise value
EGRESS_RATE=2048kbit # 256kbit, 512kbit, 1024kbit
INGRESS_RATE=512kbit # 128kbit, 256kbit, 512kbit
# In order to control a queue at the router/bridge side we will downgrade a real link speed on purpose
RATE_SUB_PERCENT=5 # 20, 10
# Device physical speed in kbit or mbit.
DEV_RATE=50mbit
# EGRESS root Classfull Disciplins
#
# htb: if link is not congested or you want to control busrts of traffic; recommended for downstream.
# hfsc: if link is congested and you need to control guarantees of delay; recommended for upstream.
# dmax = 50-100 [ms] = 50000-100000 [microsec]
# umax = MIN (rate * (dmax / 1000), 1500) [b]
# prio: if rate is variable and you want to be sure that interactive traffic has ultimate priority
# none: if link is not congested
#
EGRESS_ALG=htb
# EGRESS leaf Queuing Disciplines
#
# pfifo: real-time streams or IPSEC
# sfq: TCP sessions or best-effort class traffic
# red: hightly congested links or high-speed Internet [> 10Mbit/sec])
#
INTERACTIVE_LEAF_QDISC=pfifo
PRIVILEGED_LEAF_QDISC=pfifo
BESTEFFORT_LEAF_QDISC=red
LAN_LEAF_QDISC=sfq
# INGRESS treatment
#
# police: if link is constantly heavy congested set simple traffic policing
# cpolice: if link is constantly heavy congested but you need certain dedicated rates then set classfull traffic policiing
# ifb: shape INGRESS traffic as EGRESS of intermediate IFB device (aka imq)
# none: if INGRESS traffic already is being shaped or if IFB device is being configured
#
INGRESS_ALG=none
# Filter rules (see tc, tc-filters man pages).
# You may have multiple <CLASS-NAME>_FILTER_<n> items.
# Maximum 100 filter items are allowed for each class.
# By default ALL unclassified traffic is being assined to Best-Effort class.
###################################
### INTERACTIVE FILTERING RULES ###
###################################
# ACK with payload < 64 bytes (32-bit version)
INTERACTIVE_FILTER_10="protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33"
# ACK with payload < 64 bytes
INTERACTIVE_FILTER_11="protocol ip prio 11 u32 match ip protocol 6 0xff match u8 0x10 0xff at nexthdr+13 match u16 0x0000 0xffc0 at 2"
# PHB TOS HEX NOTES
# ----------------------------------------------
# 0x10 SSH, IAX2
# 0x18
# CS1 PRIORITY 0x20
# AF11 0x28
# AF12 0x30
# AF13 0x38
#
# CS2 IMMEDIATE 0x40
# AF21 0x48
# AF22 0x50
# AF23 0x58
#
# CS5 CRITICAL 0xA0
# EF 0xB8 IAX2, SIP Voice
#
# CS6 INTERNETWORKCNTRL 0xC0 BGP (by default)
# CS7 NETWORKCONTROL 0xE0
INTERACTIVE_FILTER_30="protocol ip prio 30 u32 match ip tos 0xb8 0xff"
INTERACTIVE_FILTER_31="protocol ip prio 31 u32 match ip tos 0x10 0xff"
INTERACTIVE_FILTER_32="protocol ip prio 32 u32 match ip tos 0x18 0xff"
INTERACTIVE_FILTER_33="protocol ip prio 33 u32 match ip tos 0xa0 0xff"
# UDP
INTERACTIVE_FILTER_90="protocol ip prio 90 u32 match ip protocol 0x11 0xff"
# ICMP
INTERACTIVE_FILTER_91="protocol ip prio 91 u32 match ip protocol 0x1 0xff"
##################################
### PRIVILEGED FILTERING RULES ###
##################################
# SSH
PRIVILEGED_FILTER_20="protocol ip prio 20 u32 match ip dport 22 0xffff"
PRIVILEGED_FILTER_21="protocol ip prio 21 u32 match ip sport 22 0xffff"
# Remote Desktop
PRIVILEGED_FILTER_22="protocol ip prio 22 u32 match ip dport 3389 0xffff"
PRIVILEGED_FILTER_23="protocol ip prio 23 u32 match ip sport 3389 0xffff"
# ESP
PRIVILEGED_FILTER_50="protocol ip prio 50 u32 match ip protocol 0x32 0xff"
# AH
PRIVILEGED_FILTER_51="protocol ip prio 51 u32 match ip protocol 0x33 0xff"
# IPSEC-NAT
PRIVILEGED_FILTER_52="protocol ip prio 52 u32 match ip protocol 0x11 0xff match ip dport 4500 0xffff"
PRIVILEGED_FILTER_53="protocol ip prio 53 u32 match ip protocol 0x11 0xff match ip sport 4500 0xffff"
# PHB TOS HEX NOTES
# --------------------------------------
# CS3 FLASH 0x60 SIP signaling
# AF31 0x68
# AF32 0x70
# AF33 0x78
#
# CS4 FLASHOVERRIDE 0x80
# AF41 0x88 SIP Video
# AF42 0x90
# AF43 0x98
PRIVILEGED_FILTER_80="protocol ip prio 80 u32 match ip tos 0x60 0xff"
PRIVILEGED_FILTER_81="protocol ip prio 81 u32 match ip tos 0x88 0xff"
###################################
### BEST-EFFORT FILTERING RULES ###
###################################
BESTEFFORT_FILTER_85="protocol ip prio 85 u32 match ip tos 0x4 0xff"
BESTEFFORT_FILTER_86="protocol ip prio 86 u32 match ip tos 0x6 0xff"
BESTEFFORT_FILTER_87="protocol ip prio 87 u32 match ip tos 0x90 0xff"
BESTEFFORT_FILTER_88="protocol ip prio 88 u32 match ip tos 0x98 0xff"
# Example: Any traffic from/to 192.168.1.0/24 network will be classified as best-effort
#
### BESTEFFORT_FILTER_5="protocol ip prio 10 u32 match ip src 192.168.1.0/24"
### BESTEFFORT_FILTER_6="protocol ip prio 11 u32 match ip dst 192.168.1.0/24"
###########################
### LAN FILTERING RULES ###
###########################
# Example: Traffic Originated from router
#
###LAN_FILTER_10="protocol ip prio 10 u32 match ip src 192.168.1.10"
|
