@ -397,17 +397,17 @@ start_cg() {
local pktrules
local sizerules
enum_classes " $cg "
add_rules iptrules " $ctrules " " iptables -t mangle -A ${ cg } _ct "
add_rules iptrules " $ctrules " " iptables -t mangle -A qos_ ${ cg } _ct "
config_get classes " $cg " classes
for class in $classes ; do
config_get mark " $class " classnr
config_get maxsize " $class " maxsize
[ -z " $maxsize " -o -z " $mark " ] || {
add_insmod ipt_length
append pktrules " iptables -t mangle -A ${ cg } -m mark --mark $mark -m length --length $maxsize : -j MARK --set-mark 0 " " $N "
append pktrules " iptables -t mangle -A qos_ ${ cg } -m mark --mark $mark -m length --length $maxsize : -j MARK --set-mark 0 " " $N "
}
done
add_rules pktrules " $rules " " iptables -t mangle -A ${ cg } "
add_rules pktrules " $rules " " iptables -t mangle -A qos_ ${ cg } "
for iface in $INTERFACES ; do
config_get classgroup " $iface " classgroup
config_get device " $iface " device
@ -416,16 +416,16 @@ start_cg() {
config_get download " $iface " download
config_get halfduplex " $iface " halfduplex
download = " ${ download :- ${ halfduplex : + $upload } } "
append up " iptables -t mangle -A OUTPUT -o $device -j ${ cg } " " $N "
append up " iptables -t mangle -A FORWARD -o $device -j ${ cg } " " $N "
append up " iptables -t mangle -A OUTPUT -o $device -j qos_ ${ cg } " " $N "
append up " iptables -t mangle -A FORWARD -o $device -j qos_ ${ cg } " " $N "
done
cat <<EOF
$INSMOD
iptables -t mangle -N ${ cg } >& - 2>& -
iptables -t mangle -N ${ cg } _ct >& - 2>& -
${ iptrules : + ${ iptrules } ${ N } iptables -t mangle -A ${ cg } _ct -j CONNMARK --save-mark }
iptables -t mangle -A ${ cg } -j CONNMARK --restore-mark
iptables -t mangle -A ${ cg } -m mark --mark 0 -j ${ cg } _ct
iptables -t mangle -N qos_ ${ cg } >& - 2>& -
iptables -t mangle -N qos_ ${ cg } _ct >& - 2>& -
${ iptrules : + ${ iptrules } ${ N } iptables -t mangle -A qos_ ${ cg } _ct -j CONNMARK --save-mark }
iptables -t mangle -A qos_ ${ cg } -j CONNMARK --restore-mark
iptables -t mangle -A qos_ ${ cg } -m mark --mark 0 -j qos_ ${ cg } _ct
$pktrules
$up $N ${ down : + ${ down } $N }
EOF
@ -435,15 +435,33 @@ EOF
start_firewall( ) {
add_insmod ipt_multiport
add_insmod ipt_CONNMARK
cat <<EOF
iptables -t mangle -F
iptables -t mangle -X
EOF
stop_firewall
for group in $CG ; do
start_cg $group
done
}
stop_firewall( ) {
# Builds up a list of iptables commands to flush the qos_* chains,
# remove rules referring to them, then delete them
# Print rules in the mangle table, like iptables-save
iptables -t mangle -S |
# Find rules for the qos_* chains
grep '^-N qos_\|-j qos_' |
# Exclude rules in qos_* chains (inter-qos_* refs)
grep -v '^-A qos_' |
# Replace -N with -X and hold, with -F and print
# Replace -A with -D
# Print held lines at the end (note leading newline)
sed -e '/^-N/{s/^-N/-X/;H;s/^-X/-F/}' \
-e 's/^-A/-D/' \
-e '${p;g}' |
# Make into proper iptables calls
# Note: awkward in previous call due to hold space usage
sed -n -e 's/^./iptables -t mangle &/p'
}
C = "0"
INTERFACES = ""
[ -e ./qos.conf ] && {