I have set up a central Linux router with Shorewall script for a small company that has an HQ and several other offices. They're connected via OpenVPN.

All is well, except that I want to fine tune HTB / HFSC traffic shaping.

I need to be able to see in "real time", and in some human digestible form, the active connections, and what marks, rules, etc. are currently applied to them. What rules "fire" when that happens, that sort of thing.

Is there some sort of utility for that? If not, how is one supposed to get this insight? Are there any best practices to monitor realtime traffic control data on current packets/connections as they are being handled?

I need to be able to monitor the process of marking packets, connections, into what priority they're currently, etc. in real time to see the effect of my changes as I apply them.

If there's no such utility that can do this "out of the box", then I'm more than willing to write one, but even then I'd love to see some command line examples on how to get raw, useful data like that.

For example, if I want to see what TC parameters are being applied to an HTTP connection from machine A on the LAN to an HTTP server B on the external network being forwarded by the firewall I'm working on, what commands should I use? That sort of thing...

Or if I want to see a list of current connections that are being processed by a certain rule / leaf etc, how should I go about that?

Or maybe if I want to get a full list of current connections with every TC parameter that I can get that's being applied to them, how to list that?

And basically any useful combination along the lines of the above...

I'm not sure if I was clear enough. If not, then please tell me and I shall try to comply. :)

Any and all help, suggestion or insight into this would be greatly appreciated. :)

EDIT 1: Okay... I might need to clarify something here. I don't want "shorewall commands", any useful method that will give me information on active connections and their classification is great.

I don't expect to be spoon-fed, I know docs are scarce on this subject. But if it cannot be done easily for connections, then how about packet-level? A tcpdump example on how to get greppable info on packet classification before it leaves for its destination is also good. I can start building from there... so... essentially anything that I can use to stream raw, actual classification data in order to write a tool to monitor the current, active state, if one doesn't exist.

Sorry if I'm a little verbose, thanks for reading anyway...

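One raw data source for the "which leaf is traffic landing in right now" part of the question is the cumulative per-class counters that iproute2 prints with `tc -s class show dev <dev>`; the script below, an added example rather than anything from the poster or from Shorewall, parses two snapshots of that output and turns them into per-class throughput and drop deltas. The sample output is constructed, and the live mode assumes `tc` is installed and that `eth0` is the shaped egress device.

```python
import re
import shutil
import subprocess
import time
# Constructed sample of `tc -s class show dev eth0` for a small HTB tree (not captured from a real host).
SAMPLE_T0 = """\
class htb 1:1 root rate 10Mbit ceil 10Mbit burst 1600b cburst 1600b
 Sent 5000000 bytes 4000 pkt (dropped 0, overlimits 12 requeues 0)
class htb 1:10 parent 1:1 leaf 10: prio 0 rate 2Mbit ceil 10Mbit burst 1600b cburst 1600b
 Sent 3000000 bytes 2500 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:20 parent 1:1 leaf 20: prio 1 rate 1Mbit ceil 10Mbit burst 1600b cburst 1600b
 Sent 2000000 bytes 1500 pkt (dropped 7, overlimits 12 requeues 0)
"""
# Second constructed snapshot, two seconds later: 1:10 carried more traffic, 1:20 dropped two more packets.
SAMPLE_T1 = SAMPLE_T0.replace("Sent 3000000 bytes 2500 pkt", "Sent 3500000 bytes 2900 pkt").replace("dropped 7,", "dropped 9,")
HEADER = re.compile(r"^class (\S+) (\S+) (root|parent \S+)")
STATS = re.compile(r"^\s*Sent (\d+) bytes (\d+) pkt \(dropped (\d+), overlimits (\d+) requeues (\d+)\)")

def parse_tc_classes(text):
    """Map class id -> kind/parent plus the cumulative counters tc prints under each class."""
    classes, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(2)
            classes[current] = {"kind": m.group(1), "parent": m.group(3)}
            continue
        m = STATS.match(line)
        if m and current:
            classes[current].update(bytes=int(m.group(1)), pkts=int(m.group(2)),
                                    dropped=int(m.group(3)), overlimits=int(m.group(4)))
    return classes

def class_rates(before, after, interval):
    """Turn two cumulative snapshots into per-class bit/s, pkt/s and drops over the interval."""
    rates = {}
    for cid, a in after.items():
        b = before.get(cid, {"bytes": 0, "pkts": 0, "dropped": 0})
        rates[cid] = {"bps": (a["bytes"] - b["bytes"]) * 8 / interval,
                      "pps": (a["pkts"] - b["pkts"]) / interval,
                      "drops": a["dropped"] - b["dropped"]}
    return rates

if __name__ == "__main__":  # live mode; assumes iproute2's tc and an egress device named eth0
    dev, interval, prev = "eth0", 2.0, None
    while shutil.which("tc"):
        cur = parse_tc_classes(subprocess.check_output(["tc", "-s", "class", "show", "dev", dev], text=True))
        if prev:
            for cid, r in sorted(class_rates(prev, cur, interval).items()):
                print(f"{cid:>6} {r['bps'] / 1000:10.1f} kbit/s {r['pps']:8.1f} pps  drops {r['drops']}")
        prev = cur
        time.sleep(interval)
```

Note that these counters are per egress device and per class, so they show where traffic ends up, not which connection was put there; the per-connection mark that the classifier acted on has to come from the conntrack table instead.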