diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index 405efbb04..f4a70abc9 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -537,6 +537,8 @@ sub process_in_bandwidth( $ ) { my $in_decay = '4sec'; if ( $in_rate =~ s/^~// ) { + require_capability 'BASIC_FILTER', 'An estimated policing filter', 's'; + if ( $in_rate =~ /:/ ) { ( $in_rate, $in_interval, $in_decay ) = split /:/, $in_rate, 3; fatal_error "Invalid IN-BANDWIDTH ($in_band)" unless supplied( $in_interval ) && supplied( $in_decay ); @@ -576,14 +578,25 @@ sub handle_in_bandwidth( $$ ) { my ($physical, $arrayref ) = @_;; my ($in_rate, $in_burst, $in_avrate, $in_interval, $in_decay ) = @$arrayref; - emit ( "run_tc qdisc add dev $physical handle ffff: ingress", - "run_tc filter add dev $physical parent ffff: protocol all prio 10 " . - "\\\n estimator $in_interval $in_decay basic\\" ); + emit ( "run_tc qdisc add dev $physical handle ffff: ingress" ); + + if ( have_capability 'BASIC_FILTER' ) { + emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 " . + "\\\n estimator $in_interval $in_decay basic \\" ); - if ( $in_rate ) { - emit( " police mpu 64 rate ${in_rate}kbit burst $in_burst action drop\n" ); + if ( $in_rate ) { + emit( " police mpu 64 rate ${in_rate}kbit burst $in_burst action drop\n" ); + } else { + emit( " police avrate ${in_avrate}kbit action drop\n" ); + } } else { - emit( " police avrate ${in_avrate}kbit action drop\n" ); + emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 " . + "\\\n u32 match ip src " . ALLIPv4 . ' ' . + "\\\n police rate ${in_rate}kbit burst $in_burst drop flowid :1", + '', + "run_tc filter add dev $physical parent ffff: protocol all prio 10 " . + "\\\n u32 match ip6 src " . ALLIPv6 . ' ' . + "\\\n police rate ${in_rate}kbit burst $in_burst drop flowid :1\n" ); } }