#!/bin/sh
#
# Shorewall 3.2 -- /usr/share/shorewall/clib.tcrules
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2005,2006 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
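#
# Generate a command to run tc
#
# Passes the literal word 'run_tc' followed by the caller's arguments to
# save_command. The arguments are forwarded as separate words ("$@") so the
# compiler's shell neither re-splits them on whitespace nor glob-expands
# them before they are recorded.
#
run_tc() {
    save_command run_tc "$@"
}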
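#
# Setup queuing and classes
#
# Creates the TC mangle chains, processes the stripped 'tcrules' file from
# $TMP_DIR one entry at a time, links the TC chains from the built-in mangle
# chains and finally hands over to the TC script or to setup_traffic_shaping.
#
# Globals read:    MANGLE_FORWARD, ROUTEMARK_INTERFACES, TC_EXPERT,
#                  HIGH_ROUTE_MARKS, TC_SCRIPT, TC_ENABLED, TMP_DIR
# Globals written: mark sources dests proto ports sports user testval length
#                  tos and rule (the current entry; process_tc_rule takes no
#                  arguments and presumably reads them), interface, chain
#
setup_tc1() {
    local mark_part=
    #
    # Create the TC mangle chains
    #

    createmanglechain tcpre

    if [ -n "$MANGLE_FORWARD" ]; then
        createmanglechain tcfor
        createmanglechain tcpost
    fi

    createmanglechain tcout
    #
    # Process the TC Rules File
    #
    strip_file tcrules

    # Deliberately plain 'read' (no -r): with it a trailing backslash joins
    # the next line onto the current entry, which is how continued entries
    # survive strip_file. The column variables and 'rule' stay global
    # because process_tc_rule is called without arguments.
    while read mark sources dests proto ports sports user testval length tos; do
        expandv mark sources dests proto ports sports user testval length tos
        rule="$mark $sources $dests $proto $ports $sports $user $testval $length $tos"
        process_tc_rule
    done < "$TMP_DIR/tcrules"
    #
    # Link to the TC mangle chains from the main chains
    #

    #
    # Route marks are restored in PREROUTING/OUTPUT prior to these rules. We only send
    # packets that are not part of a marked connection to the 'tcpre/tcout' chains.
    #
    if [ -n "$ROUTEMARK_INTERFACES" ] && [ -z "$TC_EXPERT" ]; then
        # '--mark 0/0xFF00' matches only packets with no bit set in 0xFF00,
        # i.e. those whose connection carries no restored route mark.
        mark_part="-m mark --mark 0/0xFF00"
        #
        # But let marks in tcpre override those assigned by 'track'
        #
        # ROUTEMARK_INTERFACES is a whitespace-separated list: the unquoted
        # expansion is the intended word splitting.
        for interface in $ROUTEMARK_INTERFACES; do
            run_iptables -t mangle -A PREROUTING -i "$interface" -j tcpre
        done
    fi

    # $mark_part is intentionally unquoted: it contributes several iptables
    # words, or no word at all when it is empty.
    run_iptables -t mangle -A PREROUTING $mark_part -j tcpre
    run_iptables -t mangle -A OUTPUT $mark_part -j tcout

    if [ -n "$MANGLE_FORWARD" ]; then
        run_iptables -t mangle -A FORWARD -j tcfor
        run_iptables -t mangle -A POSTROUTING -j tcpost
    fi

    if [ -n "$HIGH_ROUTE_MARKS" ]; then
        # '-I' with no rule number inserts at the head of the chain, so the
        # AND with 0xFF (clearing every bit above the low byte) runs before
        # any other rule in INPUT/FORWARD.
        for chain in INPUT FORWARD; do
            run_iptables -t mangle -I "$chain" -j MARK --and-mark 0xFF
        done
    fi

    if [ -n "$TC_SCRIPT" ]; then
        save_progress_message "Setting up Traffic Control..."
        append_file "$TC_SCRIPT"
    elif [ -n "$TC_ENABLED" ]; then
        setup_traffic_shaping
    fi
}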
#
# Traffic Control entry point: announce the phase, then build the rules
# via setup_tc1.
#
# Globals read: DOING (prefixes the progress message)
#
setup_tc() {
    progress_message2 "${DOING} Traffic Control Rules..."
    setup_tc1
}
#
# Clear Traffic Shaping
#
# Records the 'tcclear' file and then a loop that removes the root and
# ingress qdiscs of every interface listed by 'ip link list'. The loop text
# goes to fd 3 through 'indent' (the same output stream the other save_*
# helpers presumably write to).
#
delete_tc() {
    # Records the two qdisc deletions for one device ($1). Defined on every
    # call but not invoked anywhere within delete_tc itself.
    clear_one_tc() {
        save_command "tc qdisc del dev $1 root 2> /dev/null"
        save_command "tc qdisc del dev $1 ingress 2> /dev/null"
    }

    save_progress_message "Clearing Traffic Control/QOS"

    append_file tcclear

    # The here-document is emitted text, not code run here: the escaped
    # '\$' defer expansion to the generated script, and 'indent' presumably
    # takes care of the leading whitespace (TODO confirm).
    indent >&3 << __EOF__
ip link list | while read inx interface details; do
case \$inx in
[0-9]*)
qt tc qdisc del dev \${interface%:} root
qt tc qdisc del dev \${interface%:} ingress
;;
*)
;;
esac
done
__EOF__
}
# Flag recording that this library has been sourced (presumably consulted
# by whatever loads the clib.* files).
CLIB_TCRULES_LOADED="Yes"