From: Chuck K. <cko...@ya...> - 2007-08-05 03:12:43
I've got many machines behind a Shorewall firewall that, among other things, NATs them all. I want to add some sort of traffic control that will give each computer a very roughly equal slice of my Internet bandwidth. So I've started by turning on Shorewall TC. It works as expected. But there seems to be a loophole that can allow a few computers to use way, way more than their fair share of bandwidth despite the TC. For example, a computer that ran BitTorrent would (in my mind :-) abuse its capability by having its, say, 14 connections to different outside machines treated as 14 separate flows by the SFQ (Stochastic Fair Queueing) in the kernel, and so get 14 turns (!) during every SFQ pass through its hash buckets. (Meanwhile computers browsing the web would get only one turn!)

What can I do to treat each _computer_ rather than each _flow_ as a user of bandwidth? Any suggestions? Thanks!

(At first I thought tweaking the SFQ in the kernel was all that I needed. Shorewall TC would continue to function exactly the same without even knowing the SFQ under it was behaving differently. Fortunately for me, SFQ is a loadable module that's fairly straightforward to tweak and replace. But: all my inside computers have already undergone NAT masquerading by then, so as I understand it all the packets have the _same_ source IP address [the firewall itself], and different source ports indicate different _flows_, not different _computers_. As a result, there's not much SFQ-like code can do even with reasonable modifications. ...Or is there?)

--
Chuck Kollars
http://www.ckollars.org/dragon.html
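A toy model of the per-flow versus per-computer scheduling the post worries about, added here as an example and not code from the post or from Shorewall: one SFQ round gives a turn to every distinct key, so keying on the post-NAT flow tuple hands the 14-connection host 14 turns while keying on the inside address hands every host one. Host addresses, ports and the firewall address are constructed sample values, and the model assumes MASQUERADE keeps each connection's original source port.

```python
"""Toy model of the SFQ round-robin the post describes: each distinct key owns
a queue, and one round dequeues one packet from every non-empty queue.  The
host addresses and ports below are constructed sample values."""
from collections import namedtuple

# A packet as seen on the LAN side, before masquerading.
Pkt = namedtuple("Pkt", "inside_host sport dst dport")
FIREWALL_IP = "203.0.113.1"  # placeholder for the firewall's public address

def constructed_traffic():
    """One host with 14 BitTorrent-style connections, three single-flow browsers."""
    pkts = [Pkt("192.168.1.10", 40000 + i, f"198.51.100.{i + 1}", 6881)
            for i in range(14)]
    pkts += [Pkt(f"192.168.1.{11 + n}", 50000 + n, "192.0.2.80", 80)
             for n in range(3)]
    return pkts

def post_nat_flow_key(pkt):
    """What SFQ hashes after MASQUERADE: the source address is the firewall's
    own, so only the source port and destination tell connections apart.
    (Assumes MASQUERADE keeps the original port; sport stands in for it.)"""
    return (FIREWALL_IP, pkt.sport, pkt.dst, pkt.dport)

def inside_host_key(pkt):
    """A key available only before NAT: the inside machine's own address."""
    return pkt.inside_host

def turns_per_host(pkts, key_fn):
    """Dequeue turns each inside host receives in one SFQ round."""
    queues = {}
    for pkt in pkts:
        queues.setdefault(key_fn(pkt), []).append(pkt)
    turns = {}
    for queue in queues.values():
        host = queue[0].inside_host
        turns[host] = turns.get(host, 0) + 1
    return turns

def compare():
    """(per-flow turns, per-host turns) for the constructed traffic."""
    pkts = constructed_traffic()
    return (turns_per_host(pkts, post_nat_flow_key),
            turns_per_host(pkts, inside_host_key))

if __name__ == "__main__":
    for label, turns in zip(("post-NAT flow key", "inside host key"), compare()):
        total = sum(turns.values())
        print(label, {h: f"{n}/{total}" for h, n in sorted(turns.items())})
```

Under the flow key the torrenting host takes 14 of 17 turns per round; under the host key each of the four machines takes 1 of 4, which is the per-computer fairness the post asks for.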