From: Simon H. <li...@th...> - 2012-10-30 16:05:56
Tom Eastep wrote:

>When you use an IFB, you must use filters (/etc/shorewall/tcfilters) to
>do the classification of inbound traffic. There is no Netfilter hook
>prior to the traffic being passed to the IFB, so tcrules in any form
>won't work.
>
>For outbound traffic, your tcrules approach works fine. It also works
>fine if you continue to do the shaping on your internal interface rather
>than on an IFB.

Ah, so decision time then. I'll probably stick with IFB since I'm also looking at potentially adding an additional internal interface in the future. But I'll have to have a chat with others first and see where things are likely to go before I finalise that.

Which do you think is likely to be most efficient - CPU load wise? tcrules as I've been looking at (and don't use IFB), or tcfilters as I've been doing them up till now?

In particular, I'm thinking about the case where I might have <some number> of IP addresses to include in one set of classes - so potentially duplicating "address <something> and port <something>" rules many times in tcfilters. The particular group that's in mind at the moment is about 16 discrete IPs (not a simple address/mask set).

>I struggle to keep this traffic shaping stuff straight in my head as well.

:D So it's not just me then!

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.