[Openswan Users] Traffic shaping (tc) and Openswan

Sergey V. Stenkin stenkinsv at amteo.ru
Mon Mar 15 04:28:03 EDT 2010


On Fri, 12/03/2010 at 14:59 -0500, Kevin White wrote:

> For example, for all of the data going out of a box on a tunnel, I want 
> to separate it into two groups, traffic going to remote IP address A 
> then traffic going anywhere else.  Address A gets priority: if data 
> needs to go out to A, it goes in front of data heading anywhere else.
> 
> How does Openswan sit in the whole Linux networking stack?  Can I do 
> traffic shaping on data I'm sending out the VPN?  Does Klips or native 
> make a difference?



If you want to use klips, you can use the following example script from my openwrt box.
If you want to use native, you need to tag the ipsec packets to move them into the IMQ queue ("... -j IMQ --todev $IMQ_").


My example:

#!/bin/sh /etc/rc.common
# OpenWrt init script: HTB shaping of KLIPS (ipsec0) traffic through IMQ devices.
# Needs the IMQ kernel module and the iptables IMQ target (kmod-ipt-imq on OpenWrt).
START=70

INET_IFACE="ipsec0"   # KLIPS virtual interface carrying the tunnel's plaintext
IMQ_OUT="0"           # imq0: outgoing (pre-encryption) traffic
IMQ_IN="1"            # imq1: incoming (post-decryption) traffic
PRIO_HOST="A.A.A.A"   # remote address whose traffic gets priority

start() {

insmod sch_htb
insmod sch_sfq
insmod cls_u32

# The IMQ devices must be up first: while they are down the IMQ target just
# passes packets through unshaped.
ip link set imq$IMQ_OUT up
ip link set imq$IMQ_IN up

#######################################################################################################
#Outgoing traffic
#

# Everything leaving ipsec0 (still plaintext at this point) is queued via imq0
iptables -t mangle -A POSTROUTING -o $INET_IFACE -j IMQ --todev $IMQ_OUT

# Root HTB; anything no filter matches falls into class 1:20
tc qdisc add dev imq$IMQ_OUT root handle 1: htb default 20
tc class add dev imq$IMQ_OUT parent 1: classid 1:1 htb rate 500kbit burst 2k ceil 500kbit
# 1:10 (prio 0) is served before 1:20 (prio 1); both may borrow up to the 500kbit ceiling
tc class add dev imq$IMQ_OUT parent 1:1 classid 1:10 htb rate 400kbit burst 2k prio 0 ceil 500kbit
tc class add dev imq$IMQ_OUT parent 1:1 classid 1:20 htb rate 100kbit burst 2k prio 1 ceil 500kbit

# SFQ inside each class so a single flow cannot starve the others in the same class
tc qdisc add dev imq$IMQ_OUT parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev imq$IMQ_OUT parent 1:20 handle 20: sfq perturb 10

# Packets to the priority host go to 1:10; everything else stays in the default class
tc filter add dev imq$IMQ_OUT parent 1: protocol ip u32 match ip dst $PRIO_HOST flowid 1:10

#######################################################################################################
#Incoming traffic
#

# Decrypted packets arriving on ipsec0 are queued via imq1
iptables -t mangle -A PREROUTING -i $INET_IFACE -j IMQ --todev $IMQ_IN

tc qdisc add dev imq$IMQ_IN root handle 1: htb default 20
tc class add dev imq$IMQ_IN parent 1: classid 1:1 htb rate 500kbit burst 2k ceil 500kbit
tc class add dev imq$IMQ_IN parent 1:1 classid 1:10 htb rate 400kbit burst 2k prio 0 ceil 500kbit
tc class add dev imq$IMQ_IN parent 1:1 classid 1:20 htb rate 100kbit burst 2k prio 1 ceil 500kbit

tc qdisc add dev imq$IMQ_IN parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev imq$IMQ_IN parent 1:20 handle 20: sfq perturb 10

# Same split on the way in, keyed on the source address
tc filter add dev imq$IMQ_IN parent 1: protocol ip u32 match ip src $PRIO_HOST flowid 1:10

#######################################################################################################
}

stop() {
ip link set imq$IMQ_OUT down
ip link set imq$IMQ_IN down
tc qdisc del dev imq$IMQ_OUT root
tc qdisc del dev imq$IMQ_IN root
iptables -t mangle -D POSTROUTING -o $INET_IFACE -j IMQ --todev $IMQ_OUT
iptables -t mangle -D PREROUTING -i $INET_IFACE -j IMQ --todev $IMQ_IN
rmmod cls_u32
rmmod sch_sfq
rmmod sch_htb
}


Best regards,
Sergey
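The post above covers the KLIPS case, where ipsec0 gives you a plaintext hook, and only sketches the native (NETKEY/XFRM) case. The script below is an added example, not Sergey's code and not part of the Openswan project, showing one way to do the native case: mark the plaintext packet in the mangle table before ESP encapsulation (the `-m policy --dir out --pol ipsec` match is true only on that first pass through POSTROUTING, so `-d` still sees the inner destination), and classify the resulting ESP packet on the physical interface by fwmark, since the mark stays on the skb through the xfrm transform. The interface name `eth0`, the priority host `192.0.2.10`, the mark value `1` and the `DRY_RUN`/`run` helper are placeholders and conveniences assumed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): shaping tunnel traffic with the
# native (NETKEY/XFRM) stack, where there is no ipsec0 interface to hook.
# Idea: mark the plaintext packet before ESP encapsulation; the mark stays on
# the skb through the transform, so the ESP packet on the physical interface
# can be classified by fwmark without looking inside the encrypted payload.
#
# Assumed values (placeholders, not from the original post):
WAN_IFACE="${WAN_IFACE:-eth0}"        # physical interface the ESP packets leave on
PRIO_HOST="${PRIO_HOST:-192.0.2.10}"  # remote (inner) address that gets priority
PRIO_MARK="${PRIO_MARK:-1}"           # fwmark that carries the classification
LINK_RATE="${LINK_RATE:-500kbit}"

# Print each command instead of running it when DRY_RUN is set (review/testing aid)
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

native_start() {
    # 1. Mark on the first (plaintext) pass through POSTROUTING.  The policy match
    #    is only true before the xfrm transform, so '-d' sees the inner destination;
    #    the later ESP pass of the same packet does not match this rule again.
    run iptables -t mangle -A POSTROUTING -o "$WAN_IFACE" \
        -m policy --dir out --pol ipsec -d "$PRIO_HOST" \
        -j MARK --set-mark "$PRIO_MARK"

    # 2. Same HTB layout as the KLIPS script, but attached to the physical interface
    run tc qdisc add dev "$WAN_IFACE" root handle 1: htb default 20
    run tc class add dev "$WAN_IFACE" parent 1: classid 1:1 htb rate "$LINK_RATE" ceil "$LINK_RATE" burst 2k
    run tc class add dev "$WAN_IFACE" parent 1:1 classid 1:10 htb rate 400kbit ceil "$LINK_RATE" burst 2k prio 0
    run tc class add dev "$WAN_IFACE" parent 1:1 classid 1:20 htb rate 100kbit ceil "$LINK_RATE" burst 2k prio 1
    run tc qdisc add dev "$WAN_IFACE" parent 1:10 handle 10: sfq perturb 10
    run tc qdisc add dev "$WAN_IFACE" parent 1:20 handle 20: sfq perturb 10

    # 3. Classify by fwmark (cls_fw): the ESP packet still carries the mark from step 1
    run tc filter add dev "$WAN_IFACE" parent 1: protocol ip prio 1 handle "$PRIO_MARK" fw flowid 1:10
}

native_stop() {
    run tc qdisc del dev "$WAN_IFACE" root
    run iptables -t mangle -D POSTROUTING -o "$WAN_IFACE" \
        -m policy --dir out --pol ipsec -d "$PRIO_HOST" \
        -j MARK --set-mark "$PRIO_MARK"
}

# Sanity check on a live box: the MARK rule counter and the class 1:10 counters
# should both grow while traffic to $PRIO_HOST is flowing through the tunnel.
native_status() {
    run iptables -t mangle -L POSTROUTING -v -n
    run tc -s class show dev "$WAN_IFACE"
}

case "${1:-}" in
    start)  native_start ;;
    stop)   native_stop ;;
    status) native_status ;;
esac
```

Run it as `DRY_RUN=1 sh shape.sh start` first to see the exact rules it would install. Egress needs no IMQ here because the physical interface has its own qdisc; IMQ is still the tool for ingress, and with NETKEY the decrypted inbound packet re-enters PREROUTING where `-m policy --dir in --pol ipsec` matches it, which is where an `-j IMQ --todev` redirect like the one in Sergey's script would go. The `xt_policy` and `cls_fw` modules must be available for the rules above to load.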