Merge tc4shorewall into Shorewall

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2610 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -12,6 +12,8 @@ Changes in 2.5.4
 
 6) "shorewall check" now checks the providers file.
 
+7) Merge 'tc4shorewall'
+
 Changes in 2.5.3
 
 1) Allow exclusion lists in /etc/shorewall/tcrules.

Shorewall/fallback.sh

@@ -69,11 +69,9 @@ restore_file /sbin/shorewall
 
 restore_file /etc/shorewall/shorewall.conf
 
-restore_file /etc/shorewall/functions
+restore_file /usr/share/shorewall/tcstart
-restore_file /usr/lib/shorewall/functions
+restore_file /usr/share/shorewall/functions
-restore_file /var/lib/shorewall/functions
+restore_file /usr/share/shorewall/help
-restore_file /usr/lib/shorewall/firewall
-restore_file /usr/lib/shorewall/help
 
 restore_file /etc/shorewall/common.def
 

Shorewall/firewall

@@ -3897,6 +3897,12 @@ add_an_action()
 	icmp|ICMP|1)
 	    [ -n "$port" ]  && 	dports="--icmp-type $port"
 	    ;;
+	ipp2p)
+	    dports="-m ipp2p --${port:-ipp2p}"
+	    port=
+	    proto=tcp
+	    do_ports
+	    ;;
 	*)
 	    [ -n "$port" ] && \
 		fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\""
@@ -5270,15 +5276,12 @@ process_rule() # $1 = target
 	esac
 
 	case $SECTION in
-	    NEW)
+	    ESTABLISHED|RELATED)
+		state="-m state --state $SECTION"
+		;;
+	    *)
 		state=
 		;;
-	    ESTABLISHED)
-		state="-m state --state ESTABLISHED"
-		;;
-	    RELATED)
-		state="-m state --state RELATED"
-		;;
 	esac
 
 	if [ -n "${serv}${servport}" ]; then

Shorewall/install.sh

@@ -240,6 +240,14 @@ install_file_with_backup help ${PREFIX}/usr/share/shorewall/help 0544
 echo
 echo "Help command executor installed in ${PREFIX}/usr/share/shorewall/help"
 
+#
+# Install the tcstart file
+#
+install_file_with_backup tcstart ${PREFIX}/usr/share/shorewall/tcstart 0544
+
+echo
+echo "Help command executor installed in ${PREFIX}/usr/share/shorewall/help"
+
 #
 # Delete the icmp.def file
 #
@@ -433,6 +441,28 @@ else
     echo "Providers file installed as ${PREFIX}/etc/shorewall/providers"
 fi
 
+#
+# Install the tcclasses file
+#
+if [ -f ${PREFIX}/etc/shorewall/tcclasses ]; then
+    backup_file /etc/shorewall/tcclasses
+else
+    run_install $OWNERSHIP -m 0600 tcclasses ${PREFIX}/etc/shorewall/tcclasses
+    echo
+    echo "TC Classes file installed as ${PREFIX}/etc/shorewall/tcclasses"
+fi
+
+#
+# Install the tcdevices file
+#
+if [ -f ${PREFIX}/etc/shorewall/tcdevices ]; then
+    backup_file /etc/shorewall/tcdevices
+else
+    run_install $OWNERSHIP -m 0600 tcdevices ${PREFIX}/etc/shorewall/tcdevices
+    echo
+    echo "TC Devices file installed as ${PREFIX}/etc/shorewall/tcdevices"
+fi
+
 #
 # Backup and remove the whitelist file
 #

Shorewall/shorewall.spec

@@ -97,6 +97,8 @@ fi
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/continue
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/started
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/providers
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/tcclasses
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/tcdevices
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/Makefile
 
 %attr(0544,root,root) /sbin/shorewall
@@ -108,6 +110,7 @@ fi
 %attr(0600,root,root) /usr/share/shorewall/action.template
 %attr(0444,root,root) /usr/share/shorewall/functions
 %attr(0544,root,root) /usr/share/shorewall/firewall
+%attr(0544,root,root) /usr/share/shorewall/tcstart
 %attr(0544,root,root) /usr/share/shorewall/help
 %attr(0600,root,root) /usr/share/shorewall/macro.AllowICMPs
 %attr(0600,root,root) /usr/share/shorewall/macro.Amanda

Shorewall/tcclasses

@@ -0,0 +1,152 @@
+# tc4shorewall	Version 0.5
+#
+#
+# /etc/shorewall/tcclasses
+#
+#	Define the classes used for traffic shaping in this file.
+#	
+#	A note on the rate/bandwidth definitions used in this file:
+#
+#		- don't use a space between the integer value and
+#		  the unit: 30kbit is valid while 30 kbit is NOT.
+#
+#		- you can use one of the following units:
+#
+#       		kbps		Kilobytes per second
+#       		mbps   		Megabytes per second
+#       		kbit   		Kilobits per second
+#      			mbit   		Megabits per second
+#      			bps or a 
+#			bare number	Bytes per second
+#
+#		- if you want the values to be calculated for you depending
+#		on the output bandwidth setting defined for an interface
+#		in tcdevices, you can use expressions like the following:
+#			
+#			full/3		causes the bandwidth to be calculated
+#					as 3 of the the full outgoing
+#					speed that is defined.
+#
+#			full*9/10	will set this bandwidth to 9/10 of
+#					the full bandwidth
+#
+#		DO NOT add a unit to the rate if it is calculated !
+#
+# Columns are:
+#
+#	INTERFACE	Name of interface. Each interface may be listed only
+#			once in this file. You may NOT specify the name of
+#			an alias (e.g., eth0:0) here; see
+#			http://www.shorewall.net/FAQ.htm#faq18
+#
+#			You man NOT specify wildcards here,  e.g. if you
+#			have multiple ppp interfaces, you need to put
+#			them all in here!
+#
+#			Please note that you can only use interface names
+#			in here that have a bandwidth defined in the tcdevices
+#			file
+#
+#	MARK		The mark value which is an integer in the range 1-255.
+#			You define this marks in the tcrules file, marking
+#			the traffic you want to fit in the classes defined
+#			in here. 
+#
+#			You can use the same marks for different Interfaces
+#
+#	RATE		The minimum bandwidth this class should get,
+#			when the traffic load rises. Please note
+#			that first the classes which equal or a lesser priority
+#			value are served.
+#
+#			You can use the following 			
+#Use kbit or kbps(for Kilobytes per second) for
+#			speed, and make sure there is NO space between the
+#			number and the unit.
+#			
+#	CEIL		The maximum bandwidth this class is allowed to use
+#			when the link is idle. Useful if you have traffic
+#			which can get full speed when more needed services
+#			(e.g. ssh) are not used.
+#
+#			You can use the value "full" in here for setting
+#			the maximum bandwidth to the defined output bandwidth
+#			of that interface
+#
+#			Use kbit or kbps(for Kilobytes per second) for
+#			speed, and make sure there is NO space between the
+#			number and the unit.
+#
+#	PRIORITY	you have to define a priority for the class
+#			Packages in a class with a higher priority (=lesser value)
+#			are handled before lesser priority onces.
+#			You can just define the mark value here also, if you are
+#			increasing the mark values with lesser priority.
+#				
+#	OPTIONS         A comma-separated list of options including the 
+#			following:
+#	
+#			default		- this is the default class for that 
+#					interface where all traffic should go, 
+#					that is not classified otherwise.
+#
+#					NOTE: defining default for exactly one 
+#					class per interface is mandatory!
+#
+#			tos-<tosname>	- this lets you define a filter for 
+#					the given <tosname> which lets you
+#					define a value of the Type Of Service
+#					bits in the ip package which causes
+#					the package to go in this class.
+#					Please note, that this filter overrides
+#					all mark settings, so if you define
+#					a tos filter for a class all traffic
+#					having that mark will go in it regard-
+#					less of the mark on the package.
+#					You can use the following 
+#					for this option
+#
+#   					tos-minimize-delay (16)
+#                               	tos-maximize-throughput (8)
+#                               	tos-maximize-reliability (4)
+#                               	tos-minimize-cost (2)
+#                               	tos-normal-service (0)
+#					
+#					NOTE: each of this options is only 
+#					valid for ONE class per interface.
+#							
+#			tcp-ack		- if defined causes an tc filter to
+#					be created that puts all tcp ack 
+#					packets on that interface that have
+#					an size of <=64 Bytes to go in this
+#					class. This is useful for speeding up
+#					downloads. Please note that the size
+#					of the ack packages is limited to 64
+#					bytes as some applications (p2p for
+#					example) use to make every package an
+#					ack package which would cause them 
+#					all into here. We want only packages
+#					WITHOUT payload to match, so the size
+#					limit.
+# 
+#					NOTE: This option is only valid for 
+#					ONE class per interface.
+#
+# 			
+#
+#	Example 1:	Suppose you are using PPP over Ethernet (DSL)
+#			and ppp0 is the interface for this. The
+#			device has an outgoing bandwidth of 500kbit.
+#			You have 3 classes here, the first you can use for
+#			interactive traffic (ssh) the second for p2p networking
+#			and the last one the rest. They all have a guaranteed
+#			bandwidth of 100kbit upstream, but 1 and 3 can get
+#			full speed if link is idle, 2 is limited to 200kbit 
+#
+#			ppp0  1  100kbit  full	   1  tcp-ack,tos-minimize-delay	
+#			ppp0  2	 100kbit  200kbit  2  	
+#			ppp0  3	 full/3  full/2	   3  default
+#
+################################################################################
+#INTERFACE	MARK	RATE	CEIL	PRIORITY	OPTIONS
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/tcdevices

@@ -0,0 +1,60 @@
+# tc4shorewall Version 0.5
+#
+# /etc/shorewall/tcdevices
+#
+#	Entries in this file define the bandwidth for interfaces
+#	on which you want traffic shaping to be enabled.
+#	If you do not plan to use traffic shaping for a device,
+#	don't put it in here as it limits the troughput of that
+#	device to the limits you set here.
+#
+# Columns are:
+#
+#
+#	INTERFACE	Name of interface. Each interface may be listed only
+#                       once in this file. You may NOT specify the name of
+#                       an alias (e.g., eth0:0) here; see
+#                       http://www.shorewall.net/FAQ.htm#faq18
+#	
+#			You man NOT specify wildcards here,  e.g. if you
+#			have multiple ppp interfaces, you need to put
+#			them all in here!
+#
+#	IN-BANDWIDTH	The incoming Bandwidth of that interface. Please
+#			note that you are not able to do traffic shaping
+#			on incoming traffic, as the traffic is already
+#			received before you could do so. But this allows
+#			you to define the maximum traffic allowed for
+#			this interface in total, if the rate is exceeded,
+#			the packets are dropped. 
+#			You want this mainly if you have a DSL or Cable
+#			Connection to avoid queuing at your providers side.
+#
+#			If you don't want any traffic to be dropped set this
+#			to a value faster than your interface
+#
+#			Use kbit or kbps(for Kilobytes per second) for
+#			speed, and make sure there is NO space between the
+#			number and the unit.
+#
+#	OUT-BANDWIDTH	The outgoing Bandwidth of that interface. 
+#			This is the maximum speed you connection can handle.
+#			It is also the speed you can refer as "full" if
+#			you define the tc classes. 
+#			Outgoing traffic above this rate will be dropped
+#
+#			Use kbit or kbps(for Kilobytes per second) for
+#			speed, and make sure there is NO space between the
+#			number and the unit.
+#
+#	Example 1:	Suppose you are using PPP over Ethernet (DSL)
+#                       and ppp0 is the interface for this. The
+#                       device has an outgoing bandwidth of 500kbit and an
+#			incoming bandwidth of 6000kbit
+#			ppp0	6000kbit	500kbit
+#
+#
+#################################################################################
+#INTERFACE    IN-BANDWITH      OUT-BANDWIDTH
+ppp0		4mbit		400kbit
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/tcstart

@@ -0,0 +1,236 @@
+#! /bin/sh
+
+# tcstart from tc4shorewall       Version 0.5
+# (c) 2005 Arne Bernin <arne@ucbering.de>
+# published under GPL Version 2
+
+
+if [ -z "$COMMAND" ]; then
+	SHOREWALL_DIR=.
+	SHARED_DIR=/usr/share/shorewall
+	FUNCTIONS=$SHARED_DIR/functions
+
+	. $FUNCTIONS
+
+	TMP_DIR=
+	TMP_DIR=$(mktempdir)
+fi
+
+setup_traffic_shaping()
+{
+	local mtu r2q tc_all_devices device mark rate ceil prio options
+	mtu=1500
+	r2q=10
+
+	rate_to_kbit() {
+		local rateunit rate
+		rate=$1
+		rateunit=$( echo $rate | sed -e 's/[0-9]*//')
+		rate=$( echo $rate | sed -e 's/[a-z]*//g')
+
+		case $rateunit in
+			kbit)
+				rate=$rate
+				;;
+			mbit)
+				rate=$(expr $rate \* 1024)
+				;;
+			mbps)
+				rate=$(expr $rate \* 8192)
+				;;
+			kbps)
+				rate=$(expr $rate \* 8)
+				;;
+			*)
+				rate=$(expr $rate / 128)
+				;;
+		esac
+		echo $rate
+	}
+
+	calculate_quantum() {
+		local rate
+		rate=$1
+		rate=$(rate_to_kbit $rate)
+		rate=$(expr $rate \* 128 / $r2q )
+		if [ $rate -lt $mtu ] ; then
+			echo $mtu
+		else
+			echo $rate
+		fi
+	}
+
+	# get given outbandwidth for device
+	get_outband_for_dev() {
+		local device inband outband
+       		while read device inband outband; do
+	    		expandv device inband outband
+            		tcdev="$device $inband $outband"
+	    		if [ "$1" = "$device" ] ; then
+	    			echo $outband
+	    			return
+	    		fi
+      		done < $TMP_DIR/tcdevices
+	}
+
+	check_tcclasses_options() {
+		while [ $# -gt 1 ]; do
+        		shift
+			case $1 in
+				default|tcp-ack|tos-minimize-delay|tos-maximize-throughput|tos-maximize-reliability|tos-minimize-cost|tos-normal-service)
+				;;
+				*)
+				echo $1
+				return 1		
+				;;
+			esac
+    		done
+		return 0
+	}	
+
+	get_defmark_for_dev() {
+		local searchdev searchmark device ceil prio options
+		searchdev=$1
+	
+	        while read device mark rate ceil prio options; do
+		expandv device mark rate ceil prio options
+		options=$(separate_list $options | tr '[A-Z]' '[a-z]')
+            	tcdev="$device $mark $rate $ceil $prio $options"
+	    	if [ "$searchdev" = "$device" ] ; then
+	    		list_search "default" $options && echo $mark &&return 0
+		fi
+        	done < $TMP_DIR/tcclasses
+
+		return 1
+	}
+
+	check_defmark_for_dev() {
+		get_defmark_for_dev $1 >/dev/null
+	}
+
+	validate_tcdevices_file() {
+		echo "Validating tcdevices file..."
+		local device local device inband outband
+	        while read device inband outband; do
+		    	expandv device inband outband
+       	    		tcdev="$device $inband $outband"
+	    		check_defmark_for_dev $device || fatal_error "Option default is not defined for any class in tcclasses for interface $device" 
+            		case $interface in
+                        	*:*|+)
+                               		fatal_error "Invalid Interface Name: $interface"
+                               		;;
+			esac 
+            		list_search $device $devices && fatal_error "Interface $device is defined more than once in tcdevices"
+            		tc_all_devices="$tc_all_devices $device"  	          
+           	done < $TMP_DIR/tcdevices
+	}
+
+	validate_tcclasses_file() {
+		echo "Validating tcclasses file..."
+		local classlist device mark rate ceil prio bandw wrongopt allopts opt
+		allopts=""
+        	while read device mark rate ceil prio options; do
+	    		expandv device mark rate ceil prio options
+            		tcdev="$device $mark $rate $ceil $prio $options"
+	    		ratew=$(get_outband_for_dev $device)
+			options=$(separate_list $options | tr '[A-Z]' '[a-z]')
+			for opt in $options; do
+				list_search "$device-$opt" $allopts && fatal_error "option $opt already defined in a chain for interface $device in tcclasses"
+				allopts="$allopts $device-$opt"
+			done
+			wrongopt=$(check_tcclasses_options $options) || fatal_error "unknown option $wrongopt for class iface $device mark $mark in tcclasses file" 
+			if [ -z "$ratew" ] ; then
+	    			fatal_error "device $device seems not to be configured in tcdevices"
+	    		fi	   
+	    		list_search "$device-$mark" $classlist && fatal_error "Mark $mark for interface $device defined more than once in tcclasses" 
+	    		classlist="$classlist $device-$mark"
+         		done < $TMP_DIR/tcclasses
+	}
+
+
+
+	add_root_tc() {
+		local defmark
+		defmark=$(get_defmark_for_dev $device)
+		tc qdisc del dev $device root 2>/dev/null  > /dev/null
+		tc qdisc del dev $device ingress 2>/dev/null > /dev/null
+		run_tc qdisc add dev $device root handle 1: htb default 1$defmark
+		run_tc class add dev $device parent 1: classid 1:1 htb rate $outband 
+		run_tc qdisc add dev $device handle ffff: ingress
+		run_tc filter add dev $device parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${inband} burst 10k drop flowid :1
+	}
+
+	add_tc_class() {
+		local full
+		#set -x
+		full=$(get_outband_for_dev $device)
+		full=$(rate_to_kbit $full)
+		#set -x
+		if [ -z "$prio" ] ; then
+			prio=1
+		fi
+		
+		case $rate in
+			*full*)
+				rate=$(echo $rate | sed -e "s/full/$full/")
+				rate="$(($rate))kbit"	
+				;;
+		esac
+
+		case $ceil in
+			*full*)
+				ceil=$(echo $ceil | sed -e "s/full/$full/")
+                		ceil="$(($ceil))kbit"
+				;;
+		esac
+		#set +x
+	
+		run_tc class add dev $device parent 1:1 classid 1:1$mark htb rate $rate ceil $ceil prio $prio quantum $(calculate_quantum $rate)
+		run_tc qdisc add dev $device parent 1:1$mark handle 1$mark: sfq perturb 10
+		# add filters
+		run_tc filter add dev $device protocol ip parent 1:0 prio 1 handle $mark fw classid 1:1$mark
+		# options
+		list_search "tcp-ack" $options && run_tc filter add dev $device parent 1:0 protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:1$mark
+		list_search "tos-minimize-delay" $options && run_tc filter add dev $device parent 1:0 protocol ip prio 10 u32 match ip tos 0x10 0xff flowid 1:1$mark
+		list_search "tos-minimize-cost" $options && run_tc filter add dev $device parent 1:0 protocol ip prio 10 u32 match ip tos 0x02 0xff flowid 1:1$mark
+		list_search "tos-maximize-troughput" $options && run_tc filter add dev $device parent 1:0 protocol ip prio 10 u32 match ip tos 0x08 0xff flowid 1:1$mark
+		list_search "tos-minimize-reliability" $options && run_tc filter add dev $device parent 1:0 protocol ip prio 10 u32 match ip tos 0x04 0xff flowid 1:1$mark
+		list_search "tos-normal-service" $options && run_tc filter add dev $device parent 1:0 protocol ip prio 10 u32 match ip tos 0x00 0xff flowid 1:1$mark
+		# tcp
+		set +x
+	}
+
+	strip_file tcdevices
+	strip_file tcclasses
+
+	validate_tcdevices_file
+	validate_tcclasses_file
+
+	if [ -s $TMP_DIR/tcdevices ]; then
+        	echo "Processing tcdevices..."
+
+        	while read device inband outband defmark ackmark; do
+	    		expandv device inband outband defmark ackmark
+            		tcdev="$device $inband $outband"
+	   		add_root_tc
+			progress_message "   TC Device $tcdev Added." 
+      		done < $TMP_DIR/tcdevices
+	fi
+
+	if [ -s $TMP_DIR/tcclasses ]; then
+        	echo "Processing tcclasses..."
+
+        	while read device mark rate ceil prio options; do
+	    		expandv device mark rate ceil prio options
+            		tcdev="$device $mark $rate $ceil $prio $options"
+			options=$(separate_list $options | tr '[A-Z]' '[a-z]')
+	    		add_tc_class
+			progress_message "   TC Class \"$tcdev\" Added." 
+      			done < $TMP_DIR/tcclasses
+	fi
+
+}
+
+setup_traffic_shaping
+
+[ -n "$COMMAND" ] || rm -rf $TMP_DIR