From 8f6130cca45425695d286d7892358353123ec02e Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 4 May 2009 16:03:14 -0700
Subject: [PATCH] Update to nested classes; document nested classes in the release docs

---
 Shorewall/Perl/Shorewall/Tc.pm | 20 ++++++++-----
 Shorewall/changelog.txt | 2 ++
 Shorewall/releasenotes.txt | 55 ++++++++++++++++++++++++++++------
 3 files changed, 60 insertions(+), 17 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 3cd3e294c..fe6941b56 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -173,6 +173,9 @@ our $sticky;
 # rate => ,
 # ceiling => ,
 # priority => ,
+# occurs => # 0 means that this is a class generated by another class with occurs > 1
+# parent =>
+# leaf => 0|1
 # options => { tos => [ , , ... ];
 # tcp_ack => 1 ,
 # ...
@@ -622,12 +625,13 @@ sub validate_tc_class( $$$$$$ ) {
 fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
 }

-if ( $parrentclass != 1 ) {
+if ( $parentclass != 1 ) {
 #
 # Nested Class
 #
-my $parentref = $tcref->{parentclass};
+my $parentref = $tcref->{$parentclass};
 fatal_error "Unknown Parent class ($parentclass)" unless $parentref && $parentref->{occurs} == 1;
+$parentref->{leaf} = 0;
 }

 $tcref->{$classnumber} = { tos => [] ,
@@ -638,8 +642,8 @@ sub validate_tc_class( $$$$$$ ) {
 flow => '' ,
 pfifo => 0,
 occurs => 1,
-src => 1,
 parent => $parentclass,
+leaf => 1,
 };

 $tcref = $tcref->{$classnumber};
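Review bot: The new `parent =>` entry in the hash layout comment gives no indication of what it holds, while `occurs` and `leaf` do; validate_tc_class stores the parent class number there and treats 1 as "not nested" (`if ( $parentclass != 1 )`), so I would write `# parent => <class number of the parent; 1 = the device's base HTB class (not nested)>`. It would also help to note on `leaf` that it is reset to 0 once another class names this one as its parent.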
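Review bot: `fatal_error "Unknown Parent class ($parentclass)" unless $parentref && $parentref->{occurs} == 1;` reports a parent that exists but has `occurs` other than 1 as unknown, which sends the user hunting for a typo instead of at the occurs option; split it into `fatal_error "Unknown Parent class ($parentclass)" unless $parentref;` and `fatal_error "Class $parentclass has 'occurs' and may not be the parent of a nested class" unless $parentref->{occurs} == 1;`. The added `$parentref->{leaf} = 0;` demotes the parent to an inner class without looking at `$parentref->{pfifo}`; the pfifo emit path is outside this hunk, but an inner HTB class cannot carry a leaf qdisc, so a pfifo request on such a parent cannot take effect and should either be rejected here (`fatal_error "The 'pfifo' option is not allowed on a class with nested classes ($parentclass)" if $parentref->{pfifo};`) or skipped on emit the way the sfq qdisc is in the later hunk. The body of validate_tc_class continues outside the hunk.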
@@ -673,10 +677,9 @@ sub validate_tc_class( $$$$$$ ) {
 } elsif ( $option eq 'pfifo' ) {
 fatal_error "The 'pfifo'' option is not allowed with 'flow='" if $tcref->{flow};
 $tcref->{pfifo} = 1;
-} elsif ( $option =~ /^occurs=((\d+)([ds]?))$/ ) {
-my $val = $2;
+} elsif ( $option =~ /^occurs=(\d+)$/ ) {
+my $val = $1;
 $occurs = numeric_value($val);
-$tcref->{src} = 1 if $3 eq 's';

 fatal_error q(The 'occurs' option is only valid for IPv4) if $family == F_IPV6;
 fatal_error q(The 'occurs' option may not be used with 'classify') if $devref->{classify};
@@ -1000,6 +1003,7 @@ sub setup_traffic_shaping() {
 my $quantum = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );
 my $dev = chain_base $device;
 my $priority = $tcref->{priority} << 8;
+my $parent = in_hexp $tcref->{parent};

 $classids{$classid}=$device;

@@ -1019,9 +1023,9 @@ sub setup_traffic_shaping() {
 }

 emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum",
-"run_tc class add dev $device parent $devref->{number}:$tcref->{parent} classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" );
+"run_tc class add dev $device parent $devref->{number}:$parent classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" );

-emit( "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq quantum \$quantum limit 127 perturb 10" ) unless $tcref->{pfifo};
+emit( "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq quantum \$quantum limit 127 perturb 10" ) if $tcref->{leaf} && ! $tcref->{pfifo};
 #
 # add filters
 #
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 883626b56..0406035cc 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -17,6 +17,8 @@ Changes in Shorewall 4.3.10
 8) Optimize IPMARK.

+9) Implement nested HTB classes.
+
 Changes in Shorewall 4.3.9

 1) Logging rules now create separate chain.
 
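Review bot: `} elsif ( $option =~ /^occurs=(\d+)$/ ) {` anchors with `$`, which also matches before a trailing newline; `\z` is the strict end-of-string anchor, so `/^occurs=(\d+)\z/`. The rewrite also drops the `$tcref->{src} = 1` assignment (and the `src` key from the class hash in the earlier hunk), so any code in Tc.pm that still reads `$tcref->{src}` now sees undef — that code would be outside this hunk, so worth a grep before merging. The elsif chain and validate_tc_class continue outside the hunk.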
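Review bot: The `run_tc class add dev $device parent $devref->{number}:$parent ...` line now requires the parent class to have been added earlier in the same loop; the loop header is outside the hunk, so if setup_traffic_shaping walks the classes in numeric order rather than declaration order, a nested class numbered below its parent is emitted first and tc will reject the add. Either order parents before children when iterating, or reject that layout in validate_tc_class, e.g. `fatal_error "Nested class ($classnumber) must be numbered higher than its parent ($parentclass)" unless $classnumber > $parentclass;`. setup_traffic_shaping continues outside the hunk.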
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 74426c3b0..fdfbb2ee2 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -165,6 +165,45 @@ None.
 5) Compile for export (such as in the 'shorewall reload' command) caused the compiler to fail with an internal error.

+6) Shorewall now supports nested HTB traffic shaping classes. The
+ nested classes within a class can borrow from their parent class in
+ the same way as the first level classes can borrow from the root
+ class.
+
+ To use nested classes, you must explicitly number your classes.
+
+ Example:
+
+ /etc/shorewall/tcdevices
+
+ #INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS
+ eth2 - 100mbps classify
+
+ /etc/shorewall/tcclasses
+
+ #INTERFACE MARK RATE CEIL PRIORITY OPTIONS
+ 1:10 - full/2 full 1
+ 1:100 - 16mbit 20mbit 2
+ 1:100:101 - 8mbit 20mbit 3 default
+ 1:100:102 - 8mbit 20mbit 3
+
+ /etc/shorewall/tcrules
+
+ #MARK SOURCE DEST
+ 1:102 0.0.0.0/0 eth2:172.20.1.107
+ 1:10 206.124.146.177 eth2
+ 1:10 172.20.1.254 eth2
+
+ The above controls download for internal interface eth2. The
+ external interface has a download rate of 20mbit so we guarantee
+ that to class 1:100. 1:100 has two subclasses, each of which is
+ guaranteed half of their parent's bandwidth.
+
+ Local traffic (that coming from the firewall and from the DMZ
+ server) is placed in the effectively unrestricted class 1:10. The
+ default class is guaranteed have of the download capacity and my
+ work system (172.20.1.107) is guarandeed the other half.
+
 ----------------------------------------------------------------------------
 N E W F E A T U R E S IN 4 . 3
 ----------------------------------------------------------------------------
@@ -549,19 +588,17 @@ None.
 1:103.

 It is important to realize that, while class IDs are composed of a
- and a value, the set of values must be unique. That
- is, the same numeric value cannot be used as both a and a
- number for the same interface unless class nesting occurs
- (which is not currently possible with Shorewall). You should keep
- this in mind when deciding how to map IP addresses to class IDs.
+ and a value, the set of values must be
+ unique. You must keep this in mind when deciding how to map IP
+ addresses to class IDs.

 For example, suppose that your internal network is 192.168.1.0/29 (host IP addresses 192.168.1.1 - 192.168.1.6). Your first notion might be to use IPMARK(src,0xFF,0x10000) so as to produce class IDs
- 1:1 through 1:6. But 1:1 is an invalid class ID since the
- and classes are equal. So you might chose instent to use
- IPMARK(src,0xFF,0x10100) as shown in the example above so that all
- of your classes will have a value > 256.
+ 1:1 through 1:6. But 1:1 is the class ID if the base HTB class on
+ interface 1. So you might chose instent to use
+ IPMARK(src,0xFF,0x10100) as shown in the example above so as to
+ avoid minor class 1.

 The 'occurs' option in /etc/shorewall/tcclasses causes the class definition to be replicated many times. The synax is: