\end{itemize}
Same semantics as above.


\section{Traffic Control}

To aid in setting up Quality of Service and Traffic Shaping, FreeWRT provides a
configurable script via the \app{fwrtc} package. Though the package is designed
to let you choose between different implementations of Queueing Disciplines,
for now there exists only a single implementation, which uses HTB.

\subsection{Concept}

In general, \app{fwrtc} allows classifying network traffic into three classes:
\begin{description}
\item[REAL] high priority, mid bandwidth \\
use this for low-delay applications like \app{SSH}, \app{VoIP}
or \app{DNS}
\item[BULK] mid priority, high bandwidth \\
this is a generic class for everything that doesn't fit above
or below
\item[P2P] low priority, low bandwidth \\
use this class for all unwanted traffic disturbing normal use
of the internet connection (\app{P2P} and other parasites)
\end{description}

\paragraph{Note} that \app{fwrtc} does not actually classify the traffic; it
only provides the classes above and makes the necessary values comfortable to
configure. Classifying traffic is done with \app{iptables} (see below for
more details).

\subsection{Installation}

This works just like with any other FreeWRT package: either use the ADK to
integrate it into the firmware image right from the start, or install it
afterwards using \app{ipkg}.

\subsection{Configuration}

\app{fwrtc} basically consists of two files:
\begin{itemize}
\item the script itself, \file{/etc/hotplug.d/net/10-fwrtc}
\item a configuration file, \file{/etc/fwrtc.conf}
\end{itemize}
It should not be necessary to touch the hotplug script, so adjusting the
configuration values should be enough to complete the first part of the setup
process.

The second part consists of defining \app{iptables} rules for classifying
traffic. \app{fwrtc} provides three \app{tc} filters (one for each class), each
matching a different firewall mark (see the \code{MARK} target of
\app{iptables}).

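To make the mark-to-class path concrete, here is an added, illustrative shell example of the \app{tc} side: an HTB root qdisc with the three \app{fwrtc} classes and one \code{fw} filter per class keyed on the firewall mark. It is written for this document and is not the contents of \file{/etc/hotplug.d/net/10-fwrtc}; the interface name, the rates, the 30/60/10 split, the mark value \code{0x2} for BULK and the choice to drop unmarked packets into BULK are all assumptions of this example (\code{0x1} for REAL and \code{0x3} for P2P follow the sample rules in this section).

```shell
#!/bin/sh
# Added illustrative example, NOT the fwrtc hotplug script: build an HTB
# tree with the three fwrtc classes and attach one "fw" filter per class.
# Assumptions: mark 0x1 = REAL, 0x2 = BULK, 0x3 = P2P; unmarked packets
# land in BULK through the qdisc default; rates are a 30/60/10 split.

TC="${TC:-tc}"   # set TC=echo to dry-run and only print the commands

# fwrtc_htb_setup <dev> <uplink_kbit>
# Resulting tree:   1:   htb, default -> 1:20 (BULK)
#                   1:1  ceil = uplink
#                     1:10 REAL  prio 0, 30 % guaranteed
#                     1:20 BULK  prio 1, 60 % guaranteed
#                     1:30 P2P   prio 2, 10 % guaranteed
# Every class may borrow up to the whole uplink while the others are idle.
fwrtc_htb_setup() {
    dev="$1"; up="$2"
    real=$((up * 30 / 100)); bulk=$((up * 60 / 100)); p2p=$((up - real - bulk))

    # start from a clean slate; a missing root qdisc is not an error here
    "$TC" qdisc del dev "$dev" root 2>/dev/null || true

    "$TC" qdisc add dev "$dev" root handle 1: htb default 20
    "$TC" class add dev "$dev" parent 1:  classid 1:1  htb rate "${up}kbit" ceil "${up}kbit"
    "$TC" class add dev "$dev" parent 1:1 classid 1:10 htb rate "${real}kbit" ceil "${up}kbit" prio 0
    "$TC" class add dev "$dev" parent 1:1 classid 1:20 htb rate "${bulk}kbit" ceil "${up}kbit" prio 1
    "$TC" class add dev "$dev" parent 1:1 classid 1:30 htb rate "${p2p}kbit" ceil "${up}kbit" prio 2

    # sfq inside each leaf so a single fat flow cannot starve its neighbours
    for leaf in 10 20 30; do
        "$TC" qdisc add dev "$dev" parent 1:$leaf handle ${leaf}: sfq perturb 10
    done

    # the three fw filters: "handle <mark> fw" matches the iptables MARK value
    "$TC" filter add dev "$dev" parent 1: protocol ip prio 1 handle 0x1 fw flowid 1:10
    "$TC" filter add dev "$dev" parent 1: protocol ip prio 2 handle 0x2 fw flowid 1:20
    "$TC" filter add dev "$dev" parent 1: protocol ip prio 3 handle 0x3 fw flowid 1:30
}

# usage on the router:  sh htb-example.sh apply eth0 1000
if [ "${1:-}" = "apply" ]; then
    fwrtc_htb_setup "$2" "$3"
fi
```

Run it with \code{TC=echo} first to review the generated commands; the marks set by the \app{iptables} rules are matched by the \code{fw} classifier, so a packet marked \code{0x1} ends in class \code{1:10} and an unmarked one in \code{1:20}. Note that HTB only shapes traffic leaving the interface it is attached to, so this arrangement on \code{eth0} controls the upload direction only.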
See the example below for some inspiration on how to implement the rules:

\begin{Verbatim}[label=sample set of iptables rules for fwrtc]
### the user-defined chain must exist before anything can jump to it
iptables -t mangle -N tc
iptables -t mangle -A POSTROUTING -o eth0 -j tc

### match ip tos Minimize-Delay (0x10)
iptables -t mangle -A tc -m tos --tos 0x10 -j MARK --set-mark 0x1
iptables -t mangle -A tc -m tos --tos 0x10 -j RETURN

### fish out tcp syn, syn-ack and ack packets (no piggyback!)
iptables -t mangle -A tc -p tcp -m length --length 44:84 \
    --tcp-flags SYN,FIN,RST SYN -j MARK --set-mark 0x1
iptables -t mangle -A tc -p tcp -m length --length 44:84 \
    --tcp-flags SYN,FIN,RST SYN -j RETURN
iptables -t mangle -A tc -p tcp -m length --length 44:84 \
    --tcp-flags SYN,ACK,FIN,RST ACK -j MARK --set-mark 0x1
iptables -t mangle -A tc -p tcp -m length --length 44:84 \
    --tcp-flags SYN,ACK,FIN,RST ACK -j RETURN

### prioritize icmp packets
iptables -t mangle -A tc -p icmp -j MARK --set-mark 0x1
iptables -t mangle -A tc -p icmp -j RETURN

### dns traffic
iptables -t mangle -A tc -p tcp --dport 53 -j MARK --set-mark 0x1
iptables -t mangle -A tc -p tcp --dport 53 -j RETURN
iptables -t mangle -A tc -p udp --dport 53 -j MARK --set-mark 0x1
iptables -t mangle -A tc -p udp --dport 53 -j RETURN

### games
iptables -t mangle -A tc -m layer7 --l7proto quake-halflife -j MARK --set-mark 0x1
iptables -t mangle -A tc -m layer7 --l7proto quake-halflife -j RETURN
iptables -t mangle -A tc -m layer7 --l7proto battlefield1942 -j MARK --set-mark 0x1
iptables -t mangle -A tc -m layer7 --l7proto battlefield1942 -j RETURN
iptables -t mangle -A tc -m layer7 --l7proto battlefield2 -j MARK --set-mark 0x1
iptables -t mangle -A tc -m layer7 --l7proto battlefield2 -j RETURN

### voip
iptables -t mangle -A tc -m layer7 --l7proto sip -j MARK --set-mark 0x1
iptables -t mangle -A tc -m layer7 --l7proto sip -j RETURN
iptables -t mangle -A tc -m layer7 --l7proto rtp -j MARK --set-mark 0x1
iptables -t mangle -A tc -m layer7 --l7proto rtp -j RETURN
iptables -t mangle -A tc -m layer7 --l7proto skypetoskype -j MARK --set-mark 0x1
iptables -t mangle -A tc -m layer7 --l7proto skypetoskype -j RETURN

### crappy p2p traffic
iptables -t mangle -A tc -m layer7 --l7proto bittorrent -j MARK --set-mark 0x3
iptables -t mangle -A tc -m layer7 --l7proto bittorrent -j RETURN
iptables -t mangle -A tc -m layer7 --l7proto edonkey -j MARK --set-mark 0x3
iptables -t mangle -A tc -m layer7 --l7proto edonkey -j RETURN
iptables -t mangle -A tc -m layer7 --l7proto fasttrack -j MARK --set-mark 0x3
iptables -t mangle -A tc -m layer7 --l7proto fasttrack -j RETURN
iptables -t mangle -A tc -m layer7 --l7proto gnutella -j MARK --set-mark 0x3
iptables -t mangle -A tc -m layer7 --l7proto gnutella -j RETURN
iptables -t mangle -A tc -m layer7 --l7proto napster -j MARK --set-mark 0x3
iptables -t mangle -A tc -m layer7 --l7proto napster -j RETURN
\end{Verbatim}
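Once the rules are loaded, the check a practitioner wants is whether they are actually hit: a \code{layer7} pattern that no longer recognises the current client version silently leaves its traffic unmarked, and that traffic then lands in whatever class \app{fwrtc} uses for unmarked packets. The following is an added example written for this document, not part of \app{fwrtc}: it sums the packet counters of every \code{MARK} rule in the \code{tc} chain per mark value from the output of \code{iptables -t mangle -L tc -v -n -x}. The sample output embedded in it is constructed, not captured from a router.

```shell
#!/bin/sh
# Added example, not part of fwrtc: verify that the marking rules are hit.
# Sums the packet counters of every MARK rule in the mangle "tc" chain per
# mark value, so a class whose rules never match shows up with no line.
# Input format is that of `iptables -t mangle -L tc -v -n -x`; the sample
# below is constructed for this document, not captured from a real router.

# fwrtc_mark_counters: reads `iptables -t mangle -L tc -v -n -x` output on
# stdin and prints one "<mark> <packets>" line per mark, sorted. Both the
# "MARK set 0x1" wording and the newer "MARK xset 0x1/0xffffffff" one are
# recognised; a printed mask is not part of the match and is ignored.
fwrtc_mark_counters() {
    awk '
        $3 == "MARK" && match($0, /MARK x?set 0x[0-9a-fA-F]+/) {
            s = substr($0, RSTART, RLENGTH)
            n = split(s, f, " ")      # f[n] is the mark value, e.g. 0x1
            pkts[f[n]] += $1          # $1 is the packet counter (-v -x)
        }
        END { for (m in pkts) print m, pkts[m] }
    ' | sort
}

# Constructed sample of `iptables -t mangle -L tc -v -n -x` after the rules
# above have run for a while: the REAL rules (0x1) saw 12+340+58+0 packets,
# the sip pattern never matched, and bittorrent (0x3) dominates.
SAMPLE=$(cat <<'EOF'
Chain tc (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      12        720 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            tos match 0x10 MARK set 0x1
      12        720 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            tos match 0x10
     340      20400 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x07/0x02 length 44:84 MARK set 0x1
     340      20400 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x07/0x02 length 44:84
      58       4640 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 MARK set 0x1
      58       4640 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
       0          0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto sip MARK set 0x1
       0          0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto sip
    4123    5120400 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto bittorrent MARK xset 0x3/0xffffffff
    4123    5120400 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto bittorrent
EOF
)

# usage on the router:  sh check-marks.sh live
# without "live" the constructed sample is evaluated instead
if [ "${1:-}" = "live" ]; then
    iptables -t mangle -L tc -v -n -x | fwrtc_mark_counters
else
    printf '%s\n' "$SAMPLE" | fwrtc_mark_counters
fi
```

Cross-check the result against \code{tc -s class show dev eth0}: the bytes counted for a mark should show up in the class its \code{fw} filter points to, otherwise the mark values in the rules and in the filters do not agree. Two caveats apply to the sample rules themselves. The \code{layer7} matches are pattern matches on cleartext payload, so encrypted or obfuscated P2P clients pass them unmarked; treat the P2P rules as best-effort, not as a control you can rely on. And because the jump is placed in \code{POSTROUTING -o eth0}, only packets leaving via \code{eth0} are marked and shaped, i.e. the upload direction.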

\section{FWCF - FreeWRT Configuration Filesystem}

FWCF is a separate flash partition for all changes made to the \file{/etc/}