HOWTO_Packet_Shaping_with_HTB
This HOWTO explains the process of setting up packet shaping with HTB using the HTBinit scripts. These scripts make it easy to set up complicated traffic rules using simple configuration files.
This HOWTO assumes that you have a kernel set up to do routing with Hierarchical Token Buckets and iproute2 installed as instructed in HOWTO Packet Shaping.
Installing HTBinit
Installing HTBinit is easy, as it's in portage. You may need to add the experimental keyword for your architecture:
echo "net-misc/htbinit ~amd64" >> /etc/portage/package.keywords
emerge -atv net-misc/htbinit
Configuring HTBinit
Configuration for HTBinit is done in the /etc/htb directory. The possibilities for configuration are many, so I will give a moderately-complex configuration as an example.
Example: www and ftp traffic limiting, local network exempt
The goal for this configuration is to limit outbound (upload) web and ftp traffic to a reasonable level to allow low-latency connections to thrive. Assumptions:
- Only upload speed is controllable in this configuration, since the machine is not being used as a router
- About 45-50KB/s total upload speed is available on this example residential broadband connection.
- FTP port is 21
- Web port is 8000 (nonstandard)
- Local traffic on the 192.168.1.x subnet is exempt from traffic shaping
- Remote web and ftp are each limited to 30KB/s (upload only)
HTB defines "classes" of traffic by an ID number. Each ID can have any number of children IDs in a hierarchical fashion. For this example, ID 2 "root" is defined as all traffic on the interface. ID 3 is defined as local traffic. ID 4 is defined as remote traffic. ID 10 is www traffic (and since it is a child of ID 4, it is only remote www traffic). ID 11 is remote FTP traffic. ID 30 is the default traffic class, for all traffic not matching other rules.
                 eth0-2:3.local
                /
eth0-2.root                         eth0-2:4:10.www
                \                  /
                 eth0-2:4.remote -- eth0-2:4:11.ftp
                                   \
                                    eth0-2:4:30.def
/etc/htb/eth0:
# HTB.init eth0
#
# Default traffic is ID:30
DEFAULT=30
The DEFAULT line identifies what the default traffic class is for the interface.
eth0-2.root:
# HTB.init eth0-2.root
#
# Default rate is 1 gigabit (local network)
RATE=10000000Kbit
The (upload) rate for ID 2 (root class) is defined as a very large value. This will effectively allow unlimited traffic at this level. Traffic is limited at the lower classes.
eth0-2:3.local:
# HTB.init eth0-2:3.local
# Rate for local access is full-speed
RATE=10000000Kbit
# Local is anything that is being sent to/from a 192.168 address
RULE=192.168.1.*,192.168.1.*
The rate for the local class is the same as its parent class, which is effectively unlimited. The RULE line defines local traffic as anything originating and arriving in the 192.168.1.x subnet.
eth0-2:4.remote:
# HTB.init eth0-2:4.remote
# Limit remote connections to 360kb/s (45 KB/s)
RATE=360Kbit
The rate for remote connections is limited to 45KB/s. All children are also limited by this rate. No rule is defined, so all traffic not matching the other rules at this level is matched here.
eth0-2:4:10.www:
# HTB.init eth0-2:4:10.www
# RATE=<speed>|prate|pceil mandatory
# CEIL=<speed>|prate|pceil optional, default $RATE
# BURST=<bytes> optional, default computed
# RULE=[[saddr[/prefix]][:port[/mask]],][daddr[/prefix]][:port[/mask]]
# Limit to 240kb/s (30KB/s)
RATE=240Kbit
CEIL=240Kbit
BURST=2K
# Anything leaving on port 8000 (web)
RULE=*:8000,
The rate for port 8000 is limited to 30KB/s using this class. Traffic that doesn't meet this rule is then checked against the rules in the next class.
eth0-2:4:11.ftp:
# HTB.init eth0-2:4:11.ftp
# RATE=<speed>|prate|pceil mandatory
# CEIL=<speed>|prate|pceil optional, default $RATE
# BURST=<bytes> optional, default computed
# RULE=[[saddr[/prefix]][:port[/mask]],][daddr[/prefix]][:port[/mask]]
# Limit to 240kb/s (30KB/s)
RATE=240Kbit
CEIL=240Kbit
BURST=2K
# Anything leaving on port 21 (ftp)
RULE=*:21,
The rate for port 21 is 30KB/s using this class. Traffic that doesn't meet this rule is checked against the rules in the next class.
eth0-2:4:30.def:
# HTB.init eth0-2:4:30.def
# By default, allow the full 360kb/s (45KB/s)
RATE=360Kbit
CEIL=360Kbit
BURST=2K
The last class at this level (and the default class) will match all traffic not previously matched to a class, and be limited to 45KB/s.
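As an added sanity check (an example script written for this page, not part of HTB.init or of the original HOWTO), the following POSIX shell snippet reads a directory of class files named in the convention above, resolves each class's parent from its ID path, and reports any child whose CEIL (which HTB.init defaults to RATE) exceeds its parent's CEIL, since a child can never actually send faster than its parent class allows and such a value usually indicates a mistake. It assumes rates are written in Kbit or Mbit, and the write_sample_config helper writes a constructed copy of this page's configuration into a directory of your choice.

```shell
# Constructed example: sanity-check an HTB.init class directory. A class file is
# named <iface>-<id>[:<id>...].<name>; its parent is the file whose ID path is
# one component shorter. Rates are expected as Kbit or Mbit (HTB.init syntax).

# Normalise a speed to Kbit: "360Kbit" -> 360, "2Mbit" -> 2000.
to_kbit() {
    case "$1" in
        *Mbit) echo $(( ${1%Mbit} * 1000 )) ;;
        *Kbit) echo "${1%Kbit}" ;;
        *)     echo 0 ;;
    esac
}

# Effective CEIL of one class file (HTB.init defaults CEIL to RATE).
class_ceil() {
    ceil=$(sed -n 's/^CEIL=//p' "$1" | tail -n 1)
    [ -n "$ceil" ] || ceil=$(sed -n 's/^RATE=//p' "$1" | tail -n 1)
    echo "$ceil"
}

# Return 0 if every child's CEIL is within its parent's CEIL, 1 otherwise.
htb_check_ceil() {
    dir=$1; status=0
    for f in "$dir"/*-*.*; do
        path=${f##*/}; path=${path#*-}; path=${path%%.*}   # e.g. 2:4:10
        case "$path" in *:*) ;; *) continue ;; esac        # root: no parent
        parent=${path%:*}
        pfile=$(ls "$dir"/*-"$parent".* 2>/dev/null | head -n 1)
        [ -n "$pfile" ] || { echo "${f##*/}: parent $parent missing"; status=1; continue; }
        ceil=$(class_ceil "$f"); pceil=$(class_ceil "$pfile")
        case "$ceil" in prate|pceil) continue ;; esac      # inherits, always fine
        if [ "$(to_kbit "$ceil")" -gt "$(to_kbit "$pceil")" ]; then
            echo "${f##*/}: CEIL $ceil exceeds parent ${pfile##*/} ($pceil)"
            status=1
        fi
    done
    return $status
}

# Write a copy of this page's configuration (comments omitted) into "$1".
write_sample_config() {
    mkdir -p "$1"
    printf 'RATE=10000000Kbit\n' > "$1/eth0-2.root"
    printf 'RATE=10000000Kbit\nRULE=192.168.1.*,192.168.1.*\n' > "$1/eth0-2:3.local"
    printf 'RATE=360Kbit\n' > "$1/eth0-2:4.remote"
    printf 'RATE=240Kbit\nCEIL=240Kbit\nBURST=2K\nRULE=*:8000,\n' > "$1/eth0-2:4:10.www"
    printf 'RATE=240Kbit\nCEIL=240Kbit\nBURST=2K\nRULE=*:21,\n' > "$1/eth0-2:4:11.ftp"
    printf 'RATE=360Kbit\nCEIL=360Kbit\nBURST=2K\n' > "$1/eth0-2:4:30.def"
}
```

Run it against /etc/htb with `htb_check_ceil /etc/htb` before `htb.init compile`; it prints nothing and exits 0 when the hierarchy is consistent.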
Testing
Be sure to test your configuration before making it permanent. To check the syntax of the files, compile the rules with this command:
/usr/sbin/htb.init compile
If it compiles without errors, you are ready to test the results.
Start HTBinit using this command:
/etc/init.d/htbinit start
If it starts without error, you can check the status of HTB by running the following command. It should show the various classes and filters set in place by the script.
/etc/init.d/htbinit stats
Test your configuration by measuring upload/download speed with HTB running and stopped. To stop HTBinit and disable all rules, run the following:
/etc/init.d/htbinit stop
Final Configuration
Once you are happy with your configuration, set it to start automatically with the network by running:
rc-update add htbinit default
Sources
- http://edseek.com/~jasonb/articles/linux_tc_minihowto.shtml
- http://www.gentoo-wiki.info/HOWTO_Packet_Shaping
