



                            SafeFire Firewall

                               Version 1.2

              Copyright (C) 1999-2004 Link Guard Solutions Ltd.

                     TRAFFIC SHAPER GUIDE AND REFERENCE



Contents

    1. Introduction
    2. General concepts
    3. Traffic shaper configuration
    4. Pipe definition syntax



1. Introduction

    This document describes the traffic shaper feature of SafeFire Firewall.

    The purpose of the traffic shaper is to limit the throughput of connections
    selected by rules. This is done by simulating a communication line with an
    (optional) delay and (optional) packet losses.

2. General Concepts

    The traffic shaper consists of independent pipes. Each pipe has its own
    parameters. The traffic shaper works in conjunction with the Packet filter
    and/or MAC packet filter facilities. To route packets through the traffic
    shaper, the 'pipe' rule action is used in Packet filter or MAC packet filter
    rules. When a packet matches such a rule, it is forwarded to the pipe, where
    it is delayed for the specified amount of time and a certain percentage of
    packets is lost. Packets which successfully pass the pipe are then forwarded
    as usual for further processing.

    For example, to route all traffic through shaper pipe number 1, the
    following rule can be used in the Packet filter:

    rule=65501 pipe 1 tcp from any to any bidi

    For more information about Packet filter or MAC packet filter rule
    configuration, refer to the "Packet Filter Guide and Reference" and "MAC
    Packet Filter Guide and Reference" books respectively.

    Each traffic shaper pipe has a speed, length, delay and packet loss rate
    associated with it. When a packet is put into the pipe, it stays there for
    at least the delay time (if a delay time is set), and until the computed
    speed of the pipe becomes <= the pipe speed (if a pipe speed is set). If the
    packet loss rate (in percent) is set, the desired share of packets is
    dropped. The length of the pipe is the maximum number of packets the pipe
    can hold. If the next packet cannot fit into the pipe, it is silently
    dropped.
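    The pipe behaviour described above, as an added simulation example. This is
    not SafeFire code: the document does not specify the exact scheduling
    algorithm, so the model below is an assumption. It treats the pipe as a
    single line that transmits one packet at a time at the configured speed,
    holds every packet for at least the delay, counts only packets that have not
    yet left the pipe against the length, and decides losses with a seeded random
    generator so that runs are reproducible. The packet list is constructed for
    the example.

```python
import random
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ShaperPipe:
    """Simplified model of one traffic shaper pipe (assumed semantics)."""
    number: int
    speed: float = 0.0    # bytes per second; 0 means no speed limit
    delay: float = 0.0    # seconds; 0 means no delay
    loss: float = 0.0     # percent of packets to drop, 0..100
    length: int = 500     # maximum number of packets the pipe can hold
    seed: int = 1         # seed for the loss decision (reproducible runs)
    _rng: random.Random = field(init=False, repr=False)
    _release_times: List[float] = field(default_factory=list, init=False, repr=False)
    _line_free_at: float = field(default=0.0, init=False, repr=False)

    def __post_init__(self) -> None:
        if not 0 <= self.loss <= 100:
            raise ValueError("loss must be between 0 and 100")
        if not 0 <= self.length <= 500:
            raise ValueError("length must be between 0 and 500")
        self._rng = random.Random(self.seed)

    def offer(self, now: float, size: int) -> Optional[float]:
        """Offer a packet of `size` bytes arriving at `now` (seconds).

        Returns the time the packet leaves the pipe, or None if it is dropped.
        """
        # Packets whose release time has passed are no longer held in the pipe.
        self._release_times = [t for t in self._release_times if t > now]
        # Length check: a packet that cannot fit is silently dropped.
        if len(self._release_times) >= self.length:
            return None
        # Loss rate: drop the configured percentage of packets.
        if self.loss > 0 and self._rng.uniform(0, 100) < self.loss:
            return None
        release = now + self.delay
        if self.speed > 0:
            # The simulated line sends one packet at a time at `speed` bytes/s,
            # so this packet cannot leave before the previous one has been sent.
            start = max(now, self._line_free_at)
            self._line_free_at = start + size / self.speed
            release = max(release, self._line_free_at)
        self._release_times.append(release)
        return release


def run_pipe(pipe: ShaperPipe, packets: List[Tuple[float, int]]) -> List[Optional[float]]:
    """Feed (arrival_time, size) packets through the pipe in order."""
    return [pipe.offer(arrival, size) for arrival, size in packets]


# Constructed sample: five 500-byte packets all arriving at t=0.
SAMPLE_BURST = [(0.0, 500)] * 5

if __name__ == "__main__":
    # 1000 bytes/s, 100 ms delay, room for 3 packets: the 4th and 5th are dropped.
    print(run_pipe(ShaperPipe(number=1, speed=1000, delay=0.1, length=3), SAMPLE_BURST))
```

    With the burst above, a pipe limited to 1000 bytes/s releases the first three
    packets at 0.5 s, 1.0 s and 1.5 s (the speed limit dominates the 100 ms
    delay), and the two packets that do not fit into a length of 3 are dropped.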

3. Traffic shaper configuration

    The traffic shaper is configured independently through the [shaper] section
    of the configuration file. Please refer to the "Configuration Guide and
    Reference" for details about other configuration parameters.

    The traffic shaper consists of a set of independent pipes. Each pipe is
    defined by one line with the following syntax:

    pipe=<definition>

    The syntax of <definition> is described in the next section.

    Each pipe must have a unique identifier - a number that can be referred to
    from the Packet filter or MAC packet filter definition sections.

4. Pipe definition syntax

    Each pipe has the following syntax:

        <number> [<parameter>]

    where

        <number>
           is the unique identifier of the pipe. By this identifier the pipe
           can be referenced from packet filter or MAC packet filter rules.

        [<parameter>]
            is one of

            speed  - definition of pipe speed
            delay  - definition of pipe delay
            loss   - definition of pipe packet loss rate
            length - definition of pipe length

        speed
           the syntax of the speed parameter is:

           speed <speed> [{M|K}][bps]  default - bps (bytes per second)

           the default speed is 0, which means no speed limit.

        delay
           the syntax of the delay parameter is:

           delay <delay> [s|ms]        default - ms (milliseconds)

           the default delay is 0, which means no delay is set.

        loss
           the syntax of the loss parameter is:

           loss <loss>[%]

           the allowed loss values are from 0 to 100;
           the default loss is 0, which means no packet loss rate is set.

        length
           the syntax of the length parameter is:

           length <length>

           the allowed length values are from 0 to MAX_LENGTH (500);
           the default length is MAX_LENGTH.
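    A validating parser for the pipe definition syntax above, as an added
    example; it is not part of SafeFire and does not reproduce the product's own
    parser. It assumes that a unit suffix is written directly after its number
    (64Kbps, 100ms, 5%), that K and M are decimal multipliers (1000 and
    1,000,000), and that every line of the [shaper] section that does not start
    with "pipe=" can be skipped. The ranges it enforces (loss 0..100, length
    0..MAX_LENGTH, unique pipe numbers) are the ones stated in this reference.
    The sample section is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict

MAX_LENGTH = 500  # upper bound of the length parameter, as stated in the reference


@dataclass
class PipeDefinition:
    number: int
    speed: int = 0              # bytes per second; 0 = no speed limit
    delay_ms: int = 0           # milliseconds; 0 = no delay
    loss: int = 0               # percent of packets dropped, 0..100
    length: int = MAX_LENGTH    # maximum packets held, 0..MAX_LENGTH


# Value patterns per parameter. Assumption: the unit suffix follows the number
# directly (e.g. 64Kbps, 100ms, 5%); defaults are bps and ms as documented.
_SPEED_RE = re.compile(r"^(\d+)([MK])?(bps)?$", re.IGNORECASE)
_DELAY_RE = re.compile(r"^(\d+)(s|ms)?$", re.IGNORECASE)
_LOSS_RE = re.compile(r"^(\d+)%?$")
_NUMBER_RE = re.compile(r"^(\d+)$")
_MULTIPLIER = {"": 1, "K": 1000, "M": 1_000_000}  # assumption: decimal prefixes


def parse_pipe(definition: str) -> PipeDefinition:
    """Parse the text after 'pipe=' into a PipeDefinition, validating ranges."""
    tokens = definition.split()
    if not tokens or not _NUMBER_RE.match(tokens[0]):
        raise ValueError(f"pipe definition must start with a number: {definition!r}")
    pipe = PipeDefinition(number=int(tokens[0]))
    if len(tokens[1:]) % 2:
        raise ValueError(f"every parameter needs a value: {definition!r}")
    for name, value in zip(tokens[1::2], tokens[2::2]):
        name = name.lower()
        if name == "speed":
            m = _SPEED_RE.match(value)
            if not m:
                raise ValueError(f"bad speed {value!r}")
            pipe.speed = int(m.group(1)) * _MULTIPLIER[(m.group(2) or "").upper()]
        elif name == "delay":
            m = _DELAY_RE.match(value)
            if not m:
                raise ValueError(f"bad delay {value!r}")
            unit = (m.group(2) or "ms").lower()
            pipe.delay_ms = int(m.group(1)) * (1000 if unit == "s" else 1)
        elif name == "loss":
            m = _LOSS_RE.match(value)
            if not m or not 0 <= int(m.group(1)) <= 100:
                raise ValueError(f"loss must be 0..100, got {value!r}")
            pipe.loss = int(m.group(1))
        elif name == "length":
            m = _NUMBER_RE.match(value)
            if not m or not 0 <= int(m.group(1)) <= MAX_LENGTH:
                raise ValueError(f"length must be 0..{MAX_LENGTH}, got {value!r}")
            pipe.length = int(m.group(1))
        else:
            raise ValueError(f"unknown pipe parameter {name!r}")
    return pipe


def is_valid_pipe(definition: str) -> bool:
    """True if the definition parses and every value is within range."""
    try:
        parse_pipe(definition)
        return True
    except ValueError:
        return False


def parse_shaper_section(text: str) -> Dict[int, PipeDefinition]:
    """Collect the pipe= lines of a [shaper] section, rejecting duplicate numbers."""
    pipes: Dict[int, PipeDefinition] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.lower().startswith("pipe="):
            continue  # section header, blank line or another setting
        pipe = parse_pipe(line[len("pipe="):])
        if pipe.number in pipes:
            raise ValueError(f"duplicate pipe number {pipe.number}")
        pipes[pipe.number] = pipe
    return pipes


# Constructed sample section (not taken from a real installation).
SAMPLE_SHAPER_SECTION = """\
[shaper]
pipe=1 speed 64Kbps delay 100ms loss 5% length 200
pipe=2 delay 2s
pipe=3 speed 1Mbps
"""

if __name__ == "__main__":
    for number, pipe in parse_shaper_section(SAMPLE_SHAPER_SECTION).items():
        print(number, pipe)
```

    Rejecting out-of-range values and duplicate pipe numbers at parse time is
    worth doing before a configuration is deployed: a pipe that silently falls
    back to defaults would pass the matching rule's traffic unshaped.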

