How to limit bandwidth in Linux

How to limit bandwidth in Linux - shaperd (CBQ)

Warning
If you know english better than me, fix errors and send them to me. Maybe in the future, when I am going to be rich, I will invest in my education, but not now.

Versions:

01.11.2009 - Version 2.2.50

added hfsc, shfsc
added delay_pools_download and delay_pools_upload options (experimental) (see polish version of documentation)

26.08.2007 - Version 2.2.47
- fixes in setup_root
- added ignore_tos option (experimental)
- added ignore_cir_speed and ignore_eir_speed options
- fixes in imq_support
- added pppoe support - example configuration files available here
- 08.12.2006 - Version 2.2.43
  - few small fixes in imq_support and shtb
- 05.08.2006 - Version 2.2.42
- 28.05.2006 - Version 2.2.41
- 06.05.2005 - Because I have not enough time for site and documentation update - I put here current snapshot of shaperd project. Information: now shaperd should be installed by following commands: make a next make install
- 11.11.2004 - Version 2.2.24
  - Fixed ipchain_path, iptables_path because firewall control was done before shaperd was reading config file which cause that shaperd won't start with message Unknown firewall type.
- 18.10.2004 - Version 2.2.23
  - Added upper speed limit (the same as for start_speed=0) for first assigned speed when start_speed>0.
- 17.10.2004 - Version 2.2.22
  - Fixed trivial BUG in upload allocation speed procedure for last user in iplist.X file
  - Fixed BUG that in some case in log was apeared message Total of assigned upload bandwidth is more than hispeed!.
  - A few fixes in SIGHUP handler
  - A few fixes in SIGUSR1 handler
  - Removed burst_download and burst_upload parameters.
  - Added start_speed instead of high_start_speed - thanks to it is possible now to reduce fluctuation of speed in case if new user will get bandwidth allocation.
  - Added htb_burst and htb_cburst.
  - Added value rules_only for squid_support parameter.
  - Added check_firewall_counters parameter.
  - Added refresh_dead_fwrule parameter.
  - Added ipchains_path, iptables_path and tc_path parameters.
  - Few changes and bugfixes.
- 20.03.2004 - Version 2.2.11 - sorry - english docs not available yet. See Polish documentation.
- 25.07.2003 - Thanks to Jarek Guzik for the new version of shaperd banner.
- 11.07.2003 - Version 2.2.2
  - Few changes and fixes made by Marcin Siennicki. Also he made Makefile.
  - Changed shaperd numeration (CVS reason).
  - (HTB) Added burst_download and burst_upload options.
  - (kto.php) Changed eliminating domain name method from HOSTNAME system variable because on my Mandrake 9.1 this was'nt working.
  - (kto.php) Added displaying revision name of script.
  - (kto.php) Fixed ping control method because on Mandrake 9.1 it was'nt working.
- 26.04.2003 - Version 2.00beta61. Changed order of bandwidth assignment. Now working users are sorted from highest CIR (lospeed - minimum guaraneed speed) to lowest CIR. This change I made esspecially for commercial networks.
- 05.04.2003 - Version 2.00beta59.
  - If write_delay=0 - shaperd will not write bandwidth allocations on disk (in /var/shaper/ directory)
  - Shaperd will not write any messages to log when started with shownat or shownat_all
- 16.03.2003 - Version 2.00beta58. Fixed bug in remove_dead_class.
- 15.03.2003 - Version 2.00beta57.
  - Modified HTB class definitions for sharing bandwidth.
  - Added options:
    - ceil_download
    - ceil_upload
- 07.03.2003 - Version 2.00beta56.
  - Fixed bug if squid_support=yes and in local_int was used ip address with different mask than /32.
  - Removed "tc qdisc change dev %s parent %d:%d sfq perturb 10" which are not neccessery for sfq.
  - Added HTB version control - for HTB3.X added quantum parameter.
  - Fixed bug in even_division when continuous_control=yes
  - Changed format of weight parametetr for CBQ - now is float
  - Added configuration options:
    - check_download_factor_cnt
    - check_upload_factor_cnt
    - remove_dead_class
    - mask_mesg
    - delay_mesg
  - Fixed bug in iplist reading procedure
  - Changed default values of config parameters:
  - nomasq=yes
  - alt_natstat=yes
  - continuous_control=yes
- 03.02.2003 - Version 2.00beta44.
  - Changed packet marking method for extended_queue. Now sfter start shaperd will create firewall rules with MARK and TOS for every user. Thanks for it shaperd will faster start.
  - Optmized a bit nat tracking procedure. Added new option alt_natstat designed for working with big masquerade tables. Anyway a better solution to increase speed is to turn on nomasq=yes option.
  - Added options: timeout_ipchains_22, timeout_ipchains_24, timeout_iptables_24, timeout_global, squid_port, check_sum_of_bandwidth, nop_factor, add_factor, delay_mesq
  - Rewrote code for better squid support - tested with squid-2.4.STABLE7+TOS patch - nice working, and with squid-2.5.STABLE1 - which don't work correctly with TOS marking.
  - Probably fixed bug kernel: HTB: quantum of class XXXXX is small. Consider r2q change
  - Still not fixed bug: kernel: CBQ: class XXXXXXXX has bad quantum==0, repaired. but I fixed some class definitions and hope it will be solution. I'm not sure because this bug don't appear on my systems. So please report it to me.
  - Removed check_always option - now shaperd always will control bandwidth.
- 03.01.2003 - Version 2.00beta28. Added syntax control of configuration file.
- 28.12.2002 - Version 2.00beta27. Fixed bug in u32 filters.
- 15.12.2002 - Version 2.00beta26. Fixed bug in proxy filters. Added divide_upload option which allow to divide upload bandwidth. Not tested on ipchains system!
- 08.12.2002 - Version 2.00beta23. A few small fixes.
- 05.12.2002 - Version 2.00beta22. Fixed removing u32 filters procedure. Added new jump_type option
- 15.11.2002 - Version 2.00beta19. Fixed freeing memory procedures. Made workaround for HTB class usage with heavy upload traffic. I don't know why but when I create HTB classes for internet interface and local interfaces I can see that upload traffic influence to download traffic but in CBQ classes it working correct. So the solution for this is to use CBQ class only for limit upload traffic and CBQ or HTB for download traffic. Especially for it I added upload_class_type option.
- 13.11.2002 - Version 2.00beta17. Fixed freeing memory procedures. Disabled bandwidth limiting for connections from server's external IP numbers to local IP numbers.
- 12.11.2002 - Version 2.00beta14. Changed value of increasing speed quantum. Should be faster. A few modifications made.
- 04.11.2002 - Version 2.00beta11. Added continuous_control option which enable continuous bandwidth control.
- 01.11.2002 - Version 2.00beta8. Fixed squid firewall reading procedure. Problem was reported by Andrzej Barganski.
- 27.10.2002 - Version 2.00beta6. Fixed upload control classes.
- 26.10.2002 - Version 2.00beta4. Few a small fixes.
- 25.10.2002 - Version 2.00beta3. In this version I introduced many changes:
  - Possibility of starting many shaperd working independently from itself (under condition, that they're using different interfaces) (max 8)
  - Co-operation with many interfaces (also with internet interfaces) simultaneously (max 8) (shaperd does not add up transfers from some interfaces - it only assigns bandwidth for IP numbers, which have authorizations to work on given interface). Because I'm using only one internet link so this possibility I did not test in practice. I hope, that it's working and I'm waiting for someone who'll want to inform me about this ;)
  - Possibility of choice of methods of bandwidth management CBQ/TBF or HTB/SFQ (please don't ask me how to install HTB).
  - Changed format of /etc/shaper/shaper.cfg file
  - Changed format of /etc/shaper/iplist file
Because shaperd does not restrain already to CBQ - I changed the name of archive.
In the beginning I'd like to say that this software is in beta version so it means that shaperd is insufficiently tested and, in some cases, can make problems. Probably it will be upgraded more times.

Rule of working:
After appearing of a new user in network and beginning data transfer from internet (local transfer don't allocate bandwidth), shaperd is testing user's connections and compares it with list of exceptions (/etc/shaper/ignore file). If the daemon can't find connection in exception list then allocate bandwidth for this user. Size of bandwidth results from simple dividing maximum incoming speed of link by number of currently working users.
After specified time (default: 10 seconds) - shaperd checks utilization of user's allocated bandwidth. If user utilized less than 50% of allocated bandwidth, daemon reduces allocation about 25%. If user utilized more than 75% then shaperd increases bandwidth about minimum guaranteed bandwidth (e.g. 8000 bit/s that is 1 KB/s). If user utilized bandwidth between 50% and 75% then allocation is unchanged. Rule is to allocate bandwidth in sequence for: "new" users, low allocation users and rest of unused bandwidth is assigned to high allocated users. I hope it's clear :) Thanks to it shaperd prevents the connection from being took over by single maniacs using P2P software or idiot opening 30 sessions of FTP in the same moment, I wrote Shaperd in C language and funcionally match to shaper_cbq shell script (also made by me (as you see - you can't choose :)

Attention
Still exists insoluble problem in 2.4.x kernels, which cause that some old masqueraded connections are hanging on by 5 days. As a solution shaperd ignore connections with last activity time bigger than 600 seconds.

WARNING

Autor of this software will not respond for any damages, destructions or errors, caused by this software, description and anything else. Everythink you do - you do It on your own responsibility.
This software is tested on systems based on 2.4.8, 2.4.12, 2.4.18, 2.4.20, 2.4.21, 2.4.24, 2.6.8 kernels, ipchains and iptables firewalls (I'm using Linux Mandrake 9.1 and 10.1 for developing).

last version: shaperd.2.2.50.tar.gz (01.11.2009)

Older versions 2.XX:
shaperd.2.2.43.tar.gz (08.12.2006)
shaperd.2.2.42.tar.gz (05.08.2006)
shaperd.2.2.41.tar.gz (15.05.2006)
shaperd.2.2.23.tar.gz (18.10.2004)
shaperd.2.2.22.tar.gz (17.10.2004)
shaperd.2.2.11.tar.gz (20.03.2004)
shaperd.2.2.2.tar.gz (11.07.2003)
shaperd.2.200beta61.tar.gz (2.00beta61-26.04.2003)
shaperd.2.200beta59.tar.gz (2.00beta59-05.04.2003)
shaperd.2.200beta56.tar.gz (2.00beta56-07.03.2003)
shaperd.2.200beta44.tar.gz (2.00beta44-03.02.2003)
shaperd.2.200beta28.tar.gz (2.00beta28-03.01.2003)
shaperd.2.200beta27.tar.gz (2.00beta27-28.12.2002)
shaperd.2.200beta26.tar.gz (2.00beta26-15.12.2002)
shaperd.2.200beta23.tar.gz (2.00beta23-08.12.2002)
shaperd.2.200beta22.tar.gz (2.00beta22-03.12.2002)
shaperd.2.200beta19.tar.gz (2.00beta19-15.11.2002)
shaperd.2.200beta17.tar.gz (2.00beta17-13.11.2002)
shaperd.2.200beta14.tar.gz (2.00beta14-12.11.2002)
shaperd.2.200beta11.tar.gz (2.00beta11-04.11.2002)
shaperd.2.200beta8.tar.gz (2.00beta8-01.11.2002)
shaperd.2.200beta6.tar.gz (2.00beta6-27.10.2002)
shaperd.2.200beta4.tar.gz (2.00beta4-26.10.2002)
shaperd.2.200beta3.tar.gz (2.00beta3-25.10.2002)

Older versions 1.XX

Before you'll try to start shaperd you should check if your system accomplish following conditions:
1. installed iproute2 package
2. recompiled linux kernel for QoS (CBQ) support (I don't know other distributions but in Mandrake 8.1 (and up) and RedHat 9 (and up) kernel QoS (CBQ) is supported by default so I did not need to recompile kernel).
  If you don't know, how to compile kernel with QoS (CBQ) support then check this page.
3. Daemon co-operate as well with ipchains and iptables (firewall type is recognized automatically).
4. If you want to use squid with shaperd then you should patch squid source code
5. Is no needed to make any rules on firewall especially for shaperd. Daemon will do everythink needed after start.
6. You should check whether your kernel is QoS (CBQ) support. To do it write:
```
tc -d qdisc
```
  If you'll get nothing as a result then your kernel support QoS (CBQ).
  If you'll get RTNETLINK error then this mean that your kernel don't support QoS (CBQ) (or you forgot to load modules for QoS (CBQ)).
7. shaperd will work with few principles:
  
  should to write to /etc/shaper/shaper.X.cfg file a parameters of the local network interfaces - where X is a digit 0-7 meaning number of configuration file for next, working simultaneously shaperd daemons. In case, when we don't want to start some shaperds - you should to use 0 for every of configuration files.
  
  Example of configuration file for server with: 1 local network interface eth0 with 10Mbit bandwidth and 1 internet interface ppp0 with 115Kbit bandwidth (Erricson's HIS) It does not have larger differences in configuration for other types network links (like DSL or Cable).
  ipchains_path=/sbin/ipchains iptables_path=/sbin/iptables tc_path=/sbin/tc timeout_ipchains_22=3600 timeout_ipchains_24=7200 timeout_iptables_24=432000 timeout_global=300 start_speed=0 even_division=no continuous_control=yes squid_support=no squid_port=8080 divide_upload=yes extended_queue=no nomasq=yes check_sum_of_bandwidth=yes class_type=cbq upload_class_type=cbq check_download_factor_cnt=5 check_upload_factor_cnt=5 remove_dead_class=yes refresh_dead_fwrule=yes burst_type=maximum cburst_type=maximum htb_burst=8 htb_cburst=8 jump_type=5 nop_factor=60 add_factor=80 speed_ext=bit delay_mesg=yes mask_mesg=yes check_firewall_counters=12 debug=0 delay=10 write_delay=1 delay_pools_download=0/100,5000/75,20000/50 delay_pools_upload=0/100,5000/75,20000/50 inter_int=ppp0;8000;92000;1000;60000;auto;1 local_int=eth0;10485760;192.168.0.0/16;192.168.1.0/24;2
  Principies:
  
  ipchains_path - ipchains path
  
  iptables_path - iptables path
  
  tc_path - tc path
  
  timeout_ipchains_22 - timeout of masqueraded tcp connections on 2.2.x kernel and ipchains. This value is used to set tcp timeout with ipchains -M -S command.
  
  timeout_ipchains_24 - timeout of masqueraded tcp connections on 2.4.x kernel and ipchains. Default is 7200 minutes. This value will not affect on real masquerade timeout. It's only used by shaperd for ignoring older connection.
  
  timeout_iptables_24 - timeout of masqueraded tcp connections on 2.4.x kernel and iptables. Default is 432000 seconds. This value will not affect on real masquerade timeout. It's only used by shaperd for ignoring older connection.
  
  timeout_global - every connection older than this value (in seconds) will be ignored by shaperd.
  
  start_speed - method of assigment bandwidth for new users. If 0 then initailly assigned bandwidth is counted through straight division of quantity of hispeed through quantity of downloading users (e.g. for HIS with 5 downloading users = 100000/5 that is 20000 (Kbit)). For speed_start great than 0 assigned bandwidth is always the same as lospeed * start_speed.
  
  even_division - 1 will turn on even division of bandwidth assigned to every working user.
  
  continuous_control - yes will turn on continuous bandwidth control.
  
  squid_support - yes will turn on co-operation with SQUID. (iptables only). You should start SQUID on the same IP number as the first IP with mask in local_int. Also it must use standard squid port 3128. Before you start SQUID you should apply special patch (description is available here) to sources and recompile it. You do not have to create CBQ class with tc command as it was described in Uzycie section. Andrzej Romanowski sent me his version of 2.5STABLE3 squid patch - squid-2.5_hit_miss_mark.patch. Added rules_olny value which force shaperd to create squid firewall rules but for visualisation only. I'm using it on system with 2 ISP interfaces and on 2'nd link I'm using squid with delay_pools without shaperd control.
  
  squid_port - port number of squid.
  
  divide_upload - yes will turn on upload bandwidth dividing.
  
  extended_queue - yes will turn on extended queue separately for every user. (iptables only).
  
  nomasq - yes will turn off masquerade connection tracking for bandwidth allocation. In this case shaperd is watching firewall counters for connection tracking.
  
  check_sum_of_bandwidth - yes will turn on control of total sum of assigned bandwidths.
  
  class_type - type of main download traffic manager class - CBQ or HTB.
  
  upload_class_type - type of main upload traffic manager class - CBQ or HTB.
  
  check_download_factor_cnt - counter will down every cycle if any user will download data with speed more than assigned. If it reach 0 - in log will appear error Can't control download bandwidth of IP and if remove_dead_class=yes option is enabled - shaperd will remove forks for this user and create it again in next turn.
  
  check_upload_factor_cnt - counter will down every cycle if any user will upload data with speed more than assigned. If it reach 0 - in log will appear error Can't control upload bandwidth of IP and if remove_dead_class=yes option is enabled - shaperd will remove forks for this user and create it again in next turn.
  
  ceil_download - (HTB only) percentage amount of download bandwidth that can be borrow by user. Amount 50 means that user can borrow from other users 50% of his bandwidth assignment.
  
  ceil_upload - (HTB only) percentage amount of upload bandwidth that can be borrow by user. Amount 50 means that user can borrow from other users 50% of his bandwidth assignment.
  
  burst_type - (For HTB,EHTB,SHTB only) burst creating mode. For current - is using current user speed. For maximum - is using maximum possible speed for user.
  
  cburst_type - (For HTB,EHTB,SHTB only) cburst creating mode. For current - is using current user speed. For maximum - is using maximum possible speed for user.
  
  htb_burst - (For HTB,EHTB,SHTB only) factor for calculation - how many data can be send to user without limits. DataSize = speed / factor. If factor is equal 0 then HTB will automaticaly calculate burst parameter.
  
  htb_cburst - (For HTB,EHTB,SHTB only) factor for calculation - how many data can be send to user without limits. DataSize = speed / factor. If factor is equal 0 then HTB will automaticaly calculate cburst parameter.
  
  remove_dead_class - yes will turn on bad class removing if shaperd can't control speed with this class.
  
  refresh_dead_fwrule - yes will turn on bad firewall rules removing when shaperd will remove dead class if remove_dead_class parameter is turned on.
  
  check_firewall_counters - value of this parameter means how often (1 - means every shaperd cycle) shaperd will control firewall counters and check if is any counter overfilled. If 0 then firewall counters control is turned off. I added this parameter because I found some servers where was a problem with overfilled firewall. After reaching 4294967295 value counter don't reset to 0 value and after it shaperd throttled all traffic. In case of this now shaperd will check firewall counters and if any will reach 2147483647 (2GB) value then all counters will be reset.
  
  speed_ext - unit of speed (bit, Kbit or Mbit). Remember about count of all parameters including speed onto new unit.:
  
  inter_int
  
  local_int
  
  also in file iplist.X should to count units if assigned individual limits for individual users
  
  jump_type - amount of increasing bandwidth. 0 - rest of unused bandwidth, more than is a multipler of lospeed value. So if you set it to 1 it's mean that bandwidth will be lospeed value increased, 2 means that bandwidth will be 2*lospeed value increased etc. I suggest don't use 0 value.
  
  nop_factor - first link used factor. Value in percent. Default value is 50.
  
  add_factor - second link used factor. Value in percent. Default value is 75. By manipulating with these two factors you can increase total used bandwidth.
  
  debug - for debugging (availabl;e debugging levels 0 - none, 1, 2, 3)
  
  delay - Time of expectation between next cycles (minimum of 10 seconds - at larger quantity of IP numbers can appear arrangements of longer time one needs.
  
  delay_mesg - yes will turn off some log information about time of creating allocations.
  
  mask_mesg - no will turn off log messages Can't find mask for IP.
  
  write_delay - After which of cycle it has to be generated file bitrate_user_sh.X.old which contains list of IP numbers and list at present assigned bandwidths (necessary only to visualization at help of promissory note kto.php - Example)
  
  inter_int - parameters of internet link interfaces
  
  ppp0 - name of internet interface.
  
  8000 - lospeed - minimum guaraneed download speed.
  
  92000 - hispeed - maximum possible download speed.
  
  1000 - upload_lospeed - minimum guaranteed upload speed.
  
  60000 - upload_hispeed - maximum possible upload speed.
  
  auto - IP - IP number of internet interface. "auto" will turn on automatic taking IP number of internet interface.
  
  1 - CBQ class identifier (For every interface it has to be different - best next after 1).
  
  local_int - parameters of local network interfaces
  
  eth0 - name of local network interface. Do not write down here name of internet interface!
  
  10485760 - speed of interface (Remember about count onto suitable unit)(10MBit=10*1024*1024 bit=10485760 if unit is bit)
  
  192.168.0.0/16 - Number IP of interface with mask (in this of case it's the mask of net of class C what causes, that all transfers from numbers IP fitting to this mask will not have limitations. Thanks to it local transfer from server sent through local interfaces from local people in net was not clipped).
  
  192.168.1.0/24 - target ip number with mask (mask of applied subnet on given interface - e.g. for eth0 - 192.168.1.0/24 and for eth1 - 192.168.2.0/24).
  
  2 - CBQ class identifier (For every interface it has to be different - best next after 1).
  
  Example of configuration file for server with 2 local interfaces: eth0 and eth1 with 10Mbit and 100Mbit bandwidth and applying unit of speed Kbit. Internet link ppp0 from ISP about speeds 930Kbit.
  divide_upload=yes class_type=cbq upload_class_type=cbq jump_type=5 speed_ext=Kbit delay=10 write_delay=0 inter_int=ppp0;16;900;1;300;auto;1 local_int=eth0;10240;192.168.0.0/16;192.168.1.0/24;2 local_int=eth1;102400;192.168.0.0/16;192.168.2.0/24;3
  
  Example of configuration file for server with 3 local interfaces: eth0, eth1 and ppp2 with 10Mbit, 100Mbit and 768Kbit bandwidth (for this of interface we limit also local transfers) and applying unit of speed bit. Internet link ppp0 and ppp1 from ISP about speeds 115Kbit.
  divide_upload=yes class_type=cbq upload_class_type=cbq jump_type=5 speed_ext=Kbit debug=0 delay=10 write_delay=0 inter_int=eth0;8;440;1;100;auto;1 inter_int=ppp0;8;92;1;60;auto;2 local_int=eth1;10240;192.168.0.0/16;192.168.1.0/24;3 local_int=eth2;102400;192.168.0.0/16;192.168.2.0/24;4 local_int=ppp2;768;192.168.3.0/24;192.168.3.0/24;5
  
  Programme shaperd is delivered including archive both compiled version for processors x86 as C source file in form. Compiled version can not act on older systems and independent compilation of source's file courts. To compile this write:
  cd /usr/src/shaperd make
  or in older versions:
  gcc /usr/src/shaperd/shaperd.c -o /sbin/shaperd
  
  You should (I work above this to eliminate this) to write in file /etc/shaper/iplist.X all local IP numbers and by name of interfaces by which this numbers work - where X is a configuration number. Example:
  192.168.1.2=eth0 ppp0 192.168.1.3=eth0 ppp0 192.168.1.4=eth0 ppp0 8000 16000 8000 16000 192.168.1.5=eth0 ppp0 192.168.2.2=eth1 ppp0 192.168.2.3=eth1 ppp0 192.168.2.4=eth1 ppp1 192.168.2.5=eth1 ppp1
  I introduced possibility of placing of individual limits for individual IP numbers additionally. In above been mentioned example for IP number 192.168.1.4. I put following forks: 8000 (1KB of - guaranteed minimum) and 16000 (2KB - maximum assigned speed) and second pair for upload control. Remember, that value this such myself are passed in unit of speed how put unit in file shaper.X.cfg in parameter speed_ext.
  192.168.1.2=eth0 ppp0 192.168.1.3=eth0 ppp0 # IP numbers: 192.168.1.4 and 192.168.1.5 have one common allotment of bandwidth 192.168.1.4/31=eth0 ppp0 192.168.2.2=eth1 ppp0 192.168.2.3=eth1 ppp0 192.168.2.4=eth1 ppp1 192.168.2.5=eth1 ppp1
  Another example:
  192.168.1.0/24=eth0 ppp0 192.168.2.0/24=eth1 ppp0
  In case of lack of registrations shaperd accepts values written in file shaper.X.cfg for every number.
  
  Limit of 250 numbers IP on one interface exists - more numbers IP please to distribute on more interfaces.
  
  How to find values for parameters lospeed, hispeed, upload_speed.
  
  lospeed - minimum guaranteed speed. We compute it into straight way:
  lospeed = hispeed / max_number_of_IPs
  where:
  
  hispeed - maximum possible upload speed.
  
  max_number_of_IPs - maximum quantity of IP numbers, which can work through internet link
  
  I ask not to pass silly value of lospeed. If we have link SDI where hispeed carries out 92000 and it's 10 connected users to this net - this is nonsense given every lospeed even 16000(that is transfer 2KB/sek) because when 10 users will be worked on link and every getting allotment 16000, so after straight multiplying goes out, that link should have speed about 160Kbit!
  
  hispeed - use speed of link no declared by provider'a but real, which it pretends to measure downloading something through longer time through internet link in direction from internet to local network.
  If you do not know possibility of one's link, put declared speed onto beginning, install (and configure) programme lstat to making statistician and then overload link by some minutes (download something large - best some large files in the same time) e.g. wget is a good solution. On statisticians you will see real speed of your internet link.
  
  upload_hispeed - similarly how from hispeed - it should write such value with which speed it was been possible to send datas through link in direction from users to internet. In case synchronic links value of this is even hispeed and in case asynchronous links it can be also the same but in case of uploading of datas with full speed it's possible to notice fall of download speed. So you should set this value on level such, on which we do not notice fall of download speed. In case DSL links value upload_speed is much lower than hispeed and you should to put it about some percentage less than declared for given type of upload link speed (e.g. for DSL 512/128 upload_speed it were been possible to try to put on 110Kbit).
  
  If you turn on extended_queue, shaperd will create for every working user 4 subclass with different priorities. Main class will have number X:Y, where X is class identifier, Y is a line number (in file iplist.0) of ip number plus 4 (count only real lines - not comments and empty lines). For example if first from top IP number writen in iplist.0 is 192.168.1.2 and class identifier for local interface is 2 then class number is 2:5. If you want to see download flow by this user you can write:
  tc -s class show dev eth1
  and for HTB you can see:
  class htb 2:5 parent 2:1 prio 3 rate 214Kbit ceil 214Kbit burst 27391b cburst 1872b Sent 27025335 bytes 34960 pkts (dropped 0, overlimits 0) rate 21702bps 28pps lended: 0 borrowed: 0 giants: 0 injects: 0 tokens: 778767 ctokens: 15581
  and for upload:
  tc -s class show dev eth0
  for CBQ you can see:
  class cbq 1:5 parent 1:1 rate 14Kbit (bounded) prio 5 Sent 554775 bytes 4674 pkts (dropped 0, overlimits 0) borrowed 30 overactions 0 avgidle 379301 undertime 0
  Additional 4 classes for queueing has a numbers based on rule X:Y where X is class identifier and Y = (4*(A+4))+PRIO
  A - IP line position in iplist file,
  prio - priority - possible 100 (highest), 101, 102 and 103 (lowest - default for every not classified traffic).
  Bellow I put example of iptables rules created by default by shaperd after start. For ipchains shaperd don't create any rules because I don't know ipchains and how to do it. Exapmle:
  # download # highest priority for download - class 2:120 iptables -t mangle -A FORWARD -d 192.168.1.2 -m tos --tos 0x10 -j MARK --set-mark 2120 # medium priority for download - class 2:121 iptables -t mangle -A FORWARD -d 192.168.1.2 -m tos --tos 0x08 -j MARK --set-mark 2121 # low priority for download - 2:122 iptables -t mangle -A FORWARD -d 192.168.1.2 -m tos --tos 0x04 -j MARK --set-mark 2122 # Rest unclassified traffic will go to 2:123 class.
  Now example script for creating firewall rules based on /etc/shaper/queue_download_high.0 file: Analogically ypu should do the same for other queue files except queue_upload_server_* files which are still used by shaperd:
  #!/bin/sh extqueue=`grep extended_queue=yes /etc/shaper/shaper.0.cfg | wc -l` IFS=';' if [ $extqueue -eq 1 ];then grep -E -v "^#|^$" /etc/shaper/queue_download_high.0 | while read prot src sport dst dport do if [ "$prot" == "*" ];then prot="!icmp" fi if [ "$src" == "*" ];then src="0/0" fi if [ "$dst" == "*" ];then dst="0/0" fi if [ "$sport" == "*" ];then sport="0:65535" fi if [ "$dport" == "*" ];then dport="0:65535" fi if [ "$prot" != "icmp" ];then iptables -t mangle -I FORWARD -p $prot -s $src --sport $sport -d $dst --dport $dport -j TOS --set-tos 0x10 else iptables -t mangle -I FORWARD -p $prot -s $src -d $dst -j TOS --set-tos 0x10 fi done fi
  MARK we will count from formula
  M = (1000 * X) + PRIO + (4 * (A + 4))
  where M - Mark, X - class identifier, A - ip line position in iplist file, PRIO - 100, 101 or 102
  For first user and prio=100 subclass number will be 2120. Let's check if we correctly counted Mark. After converting this value 2120 to hexadecimal system we will get 0x848, now we write:
  tc -s filter show dev eth1 | grep 848
  and we will get as a result:
  filter parent 2: protocol ip pref 10 fw handle 0x848 classid 2:120
  So it's correct. All packets with 0x848 MARK will go to 2:120 class. Now we can observe traffic going through this class:
  watch tc -s class show dev eth1
  And we can see (if something was sent by this class) - for HTB:
  class htb 2:120 parent 2:5 leaf a688: prio 0 rate 273Kbit ceil 273Kbit burst 15Kb cburst 1948b Sent 10644 bytes 133 pkts (dropped 0, overlimits 0) rate 11bps lended: 133 borrowed: 0 giants: 0 injects: 0 tokens: 315623 ctokens: 39721
  Now we create firewall rules for traffic to internet (upload):
  # upload # lowest priority for upload - class 1:123 iptables -t mangle -A FORWARD -s 192.168.1.2 -d ! 192.168.0.0/16 -j MARK --set-mark 1123 # highest priority for upload - class 1:120 iptables -t mangle -A FORWARD -s 192.168.1.2 -d ! 192.168.0.0/16 -m tos --tos 0x10 -j MARK --set-mark 1120 # medium priority for upload - class 1:121 iptables -t mangle -A FORWARD -s 192.168.1.2 -d ! 192.168.0.0/16 -m tos --tos 0x08 -j MARK --set-mark 1121 # low priority for upload - class 1:122 iptables -t mangle -A FORWARD -s 192.168.1.2 -d ! 192.168.0.0/16 -m tos --tos 0x10 -j MARK --set-mark 1122
  The formula for counting MARK is the same as for download. You should know that upload traffic is limited on internet interface - not on local. So MARK for 192.168.1.2 and 100 priority (first IP in iplist file) is 1120 (in Hexadecimal system 0x460):
  tc -s filter show dev eth0 | grep 460
  and we will see:
  filter parent 1: protocol ip pref 10 fw handle 0x460 classid 1:120
  So it's ok. Now we will see traffic in this class:
  watch tc -s class show dev eth0
  and we see:
  class cbq 1:120 parent 1:5 leaf a69c: rate 18Kbit prio 3 Sent 12122 bytes 208 pkts (dropped 0, overlimits 0) borrowed 0 overactions 0 avgidle 8.07342e+06 undertime 0
  
  If you want use squid with shaperd you should know:
  
  squid_port must be the same as port in squid config file.
  
  I tested shaperd with squid also with transparent proxy configuration and it seems tah it's working.
  
  shaperd for squid_support will create special firewall rules (only for iptables available):
  iptables -t mangle -vxL POSTROUTING -n | grep 8080
  and
  iptables -vxL squid0 -n
  
  If you are not sure is your squid correctly marking TOS field for shaperd - you can check it writing:
  iptables -vxL squid0 -n | grep -E -v "destination|squid" | awk '{print $9,"\t",$2}'
  And if squid correctly mark TOS filed you will see (e.g.):
  192.168.1.3 135967 0.0.0.0/0 2074683 192.168.1.7 2432944 192.168.1.6 18121074
  If all rules for users will have 0 and only 0.0.0.0/0 will count then you have problem - recompile your squid.
  
  If CBQ is in modules then at start, system should load following modules:
  modprobe sch_cbq modprobe sch_tbf modprobe cls_u32
  For HTB you should load following modules:
  modprobe sch_htb modprobe sch_sfq modprobe cls_u32
8. Daemon has to act root on rights and to have possibility of record to directory /var/shaper. It has owner of this directory to be root. Attributes of this directory are 755
9. In directory /var/shaper is gernerated bitrate_user_sh.X.old file - it contains IP numbers as well as assigned bandwidths. It was been possible to use it to visualization on WWW page - example of use. Content of this file can look so:
```
192.168.1.2 40000
192.168.1.9 58000
```
  or if speed_ext is set as Kbit:
```
192.168.1.2 40 Kbit
192.168.1.9 58 Kbit
```
10. Is good to check how shaperd is working writing command:
```
tc -s qdisc
```
  Results of his working can look so:
```
 qdisc tbf d09f: dev eth0 rate 5430bps burst 10Kb lat 1.2s              
 Sent 108930 bytes 73 pkts (dropped 0, overlimits 0)                   
                                                                       
 qdisc tbf d09e: dev eth0 rate 5430bps burst 10Kb lat 1.2s             
 Sent 126618 bytes 89 pkts (dropped 0, overlimits 0)                   
                                                                       
 qdisc tbf d09d: dev eth0 rate 1638bps burst 10Kb lat 3.8s             

 Sent 54699 bytes 65 pkts (dropped 0, overlimits 321)                  
 backlog 6110b 5p                                                      
                                                                       
 qdisc tbf d09c: dev eth0 rate 10Mbit burst 10Kb lat 4.8ms             
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)                         
                                                                       
 qdisc tbf d09b: dev eth0 rate 10Mbit burst 10Kb lat 4.8ms             

 Sent 5690 bytes 53 pkts (dropped 0, overlimits 0)                     
                                                                       
 qdisc cbq 10: dev eth0 rate 10Mbit (bounded,isolated) prio no-transmit
 Sent 310829 bytes 302 pkts (dropped 0, overlimits 1555)               
 backlog 5p                                                            
  borrowed 0 overactions 0 avgidle 624 undertime 0
```
  Look on line from rate different from 10Mbit (or different in case of local link about different maximum speeds). In this of case of three first class illustrate transfers of three different computers in local net. Check, whether registered size of sent datas Sent are. If so this it means, that CBQ work correctly and cuts transfer.
11. If you have problems with starting of this daemon, before you will write to me - read this description once again and check all again. You can write to me then. In view of lack of time my help can be a bit delay so I command looking to Guest Book. Maybe someone, from written admins, will want to help you earlier.
12. If you'll configure and you'll succesfully start this programme on your server, write your datas to Guest Book. Write following data, please:
  - shaperd version
  - description of system (distribution, kernel version, remark)
  - e-mail
  - url of your server www page (if exists)
  Thanks to it you can help different administrators in installation of this daemon and you will relieve me a bit. I'll be very grateful.
13. It will be very pleasure for me, if some happy administrator will put in somewhere onto his network WWW page this small banner:
  
  Here's a HTML code for paste:
```
<p><a href="https://cbq.trzepak.net/">
<img src="https://cbq.trzepak.net/linux/pics/shaperd.gif" border="0" 
width="102" height="47" alt="Powered by Shaper CBQ"></a></p>
```
See a PHP script kto.php (additional script ckwintalk) for checking is wintalk working on user's side) to generating list of active computers alongside with assigned bandwidth allocation. You have to edit the script and to write datas from your net. Start him kto.php.
Script demands configuration of DNS for local IP numbers. Moreover bind can step out mistakes with some versions. You have to play into altering.
Problems
To avoid itself problems, which they can result in track of normal exploitation of shaperd you have to warn some rules
1. If shaperd crash or it does not want to start - start from compilation on your system of sources' codes. Executable file delivered in archive is compiled on fresh system and they can be problems with starting on older distributions.
2. At the start of system script /etc/init.d/shaperd start possibly on end and in peculiarity always start him after any scripts, which can modify firewall (e.g. every scripts to configuration masquerade, firewall etc).
3. If you executed any operations on firewall (you cleaned up meters of rules, added or deleted some rules, reloaded firewall etc) restart shaperd obligatorily. Renunciation of this can be effective stifling of whole incoming transfer, because shaperd at start creature of own rule on firewall and they have to be checked them in first order. Change of order of rules on firewall can (though it does not have) result, that registering rules will not register incoming traffic and daemon will affirm, that nobody uses assigned bandwidths so it will start to lower allotments (down to guaranteed minimum). To check whether rules for shaperd are on proper place and they work correctly it suffices to make following operation:
  - for ipchains:
    
    ipchains -L output -n
    table shaperX should be on the top position
    Chain output (policy ACCEPT): target prot opt source destination ports shaout0 all ------ 0.0.0.0/0 0.0.0.0/0 n/a shaper0 all ------ 0.0.0.0/0 0.0.0.0/0 n/a ppp-out all ------ 0.0.0.0/0 0.0.0.0/0 n/a eth-out all ------ 0.0.0.0/0 0.0.0.0/0 n/a
    
    ipchains -L shaper0 -n
    In this table should be rules for every IP numbers from file /etc/shaper/iplist.0 Example:
    Chain shaper0 (1 references): target prot opt source destination ports RETURN tcp ------ !192.168.1.1 192.168.1.2 * -> * RETURN tcp ------ !192.168.1.1 192.168.1.3 * -> * RETURN tcp ------ !192.168.1.1 192.168.1.4 * -> * RETURN tcp ------ !192.168.1.1 192.168.1.5 * -> * RETURN tcp ------ !192.168.1.1 192.168.1.6 * -> * RETURN tcp ------ !192.168.1.1 192.168.1.7 * -> * RETURN tcp ------ !192.168.1.1 192.168.1.8 * -> *
    
    watch ipchains -vxL shaper0 -n
    It will permit onto observation, do rules count quantity downloaded datas for individual IP numbers. Generally - if some number at present something download from internet, his rule has to count. If it does not make this - restart shaper.
  - for iptables:
    
    iptables -L FORWARD -n --line-numbers | grep sha
    table shaperX should to have No 1 position:
    1 shaout0 all -- 0.0.0.0/0 0.0.0.0/0
    
    2 shaper0 all -- 0.0.0.0/0 0.0.0.0/0
    
    iptables -L shaper0 -n
    In this table should be rules for every IP numbers from file /etc/shaper/iplist.0 Example:
    Chain shaper0 (1 references) target prot opt source destination RETURN all -- !192.168.0.0/16 192.168.1.2 RETURN all -- !192.168.0.0/16 192.168.1.3 RETURN all -- !192.168.0.0/16 192.168.1.4 RETURN all -- !192.168.0.0/16 192.168.1.5 RETURN all -- !192.168.0.0/16 192.168.1.6 RETURN all -- !192.168.0.0/16 192.168.1.7 RETURN all -- !192.168.0.0/16 192.168.1.8 RETURN all -- !192.168.0.0/16 192.168.1.9 RETURN all -- !192.168.0.0/16 192.168.1.10
    
    watch iptables -vxL shaper0 -n
    It will permit onto observation, do rules count quantity downloaded datas for individual IP numbers. Generally - if some number at present something download from internet, his rule has to count. If it does not make this - restart shaper.
4. Do not change times of keeping of connections on masquerade (e.g. by command: ipchains -M -S) - concerns only owners of kernel 2.2.X (because in 2.4.x this did not happen ;). shaperd changes this parameter and onto him it controls basis, which IP number is active. Arrangement of this parameter at working shaperd can cause, that shaperd will not "saw" some connections and it will not assign bandwidth for them.
5. Dissuade inscriptions privileged (?) IP numbers to file /etc/shaper/iplist in aim of avoidance of assigning them bandwidth. Result of such work not at all is obvious and maybe can be far from intentional. In dependence from system and version installed, on some systems something such it can get down to work and choose IP number will could take over whole link for itself. However result always will be the one - shaperd will be changed allotments very violently the rest of users. It leads this doubtless to unequal burden of link and distorts idea of applying shaperd.
6. Colleague Grzegorz Cichowski affirmed, that in case of inscription in file /etc/shaper/shaper.cfg parameters for 100Mbit local network interface one should to write speed 8Gbit what after count onto bits would give number in result 8589934592, which is 33 bite number and overflows size of registers of processor. To write such number one should to count it on Kbit instead of to write in bit. After count number equals 8388608 (unit Kbit). I ask to remember about count onto this unit all written speed in configuration as in command line!
7. I ask don't edit configuration files with software working under DOS or Windows from reason no standard format of end of line (CR+LF).
8. Do not put in empty line to configuration files.
Back Linux

Webmaster Grzegorz Fitrzyk