From: <kr...@us...> - 2007-10-18 19:24:14
Revision: 1290 http://astlinux.svn.sourceforge.net/astlinux/?rev=1290&view=rev Author: krisk84 Date: 2007-10-18 12:24:09 -0700 (Thu, 18 Oct 2007) Log Message: ----------- Update astshape to use iptables to CLASSIFY packets Update iptables init to not clear the mangle tables if we are using QoS Update astfw to clamp the MSS on outgoing traffic if we are using PPPoE Modified Paths: -------------- trunk/package/iproute2/astshape trunk/package/iptables/astfw trunk/package/iptables/iptables.init Modified: trunk/package/iproute2/astshape =================================================================== --- trunk/package/iproute2/astshape 2007-10-18 18:09:06 UTC (rev 1289) +++ trunk/package/iproute2/astshape 2007-10-18 19:24:09 UTC (rev 1290) 
@@ -1,15 +1,52 @@ #!/bin/bash # AstShape -# Based off of WonderShaper (HTB) +# Based off of WonderShaper (HTB) http://lartc.org +# HFSC inspired by Maciej Bliziński, http://automatthias.wordpress.com/ +# Updated to use iptables CLASSIFY instead of tc u32, etc # Enhanced by Kristian Kielhofner <kr...@kr...> # Make sure that all of your VoIP devices set tos on RTP to 0x18 # iax.conf: tos=0x18 sip.conf: tos=0x18 +# Set mandatory parameters here +#DOWNLINK=4500 +#UPLINK=600 +#DEV=eth0 + +# Optional tweaking below + +# Interactive ports +# These ports (source OR destination) will be mapped into the +# interactive class. Standard iptables ranges are valid. +#INTPORTS="110" + +# VoIP ports +# These ports (source OR destination) will be mapped into the +# VoIP class. Standard iptables ranges are valid. +# This will only match UDP traffic. Why is your VoIP TCP? +#VOIPPORTS="4569 5060 10000:20000" + +# Specify QDISC type here. Available QDISCs are htb, hfsc +# HFSC is experimental! +QDISC="htb" + +# Traffic to shape. Can be "host" "router" or "all" +# If you define host, only traffic from this machine will be shaped. +# If you define router, only traffic flowing through this machine will +# be shaped. +# If you define all, both will be shaped. +# The default (recommended) is all. +TRAFFIC="all" + +# Override them if you are using AstLinux +if [ -r /etc/astlinux-release ] +then . /etc/rc.conf DOWNLINK=$EXTDOWN UPLINK=$EXTUP +# Auto detect QoS on bridges +# Isn't it nice to use AstLinux? :) if [ "$EXTIF" = "br0" ] then DEV=`echo $BRIDGE0 | cut -d" " -f1` @@ -17,6 +54,28 @@ DEV="$EXTIF" fi +if [ "$SHAPETYPE" ] +then +QDISC="$SHAPETYPE" +else +QDISC="htb" +fi + +if [ "$SHAPETRAFFIC" ] +then +TRAFFIC="$SHAPETRAFFIC" +else +TRAFFIC="all" +fi + +fi + +if [ ! "$DOWNLINK" -a "$UPLINK" -a "$DEV" -a "$QDISC" -a "$TRAFFIC" ] +then +echo "You need to configure AstShape before it can work properly" +exit 1 +fi + if [ "$1" = "status" ] then echo "Showing AstShape status for $DEV" 
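Review bot: The new configuration guard `if [ ! "$DOWNLINK" -a "$UPLINK" -a "$DEV" -a "$QDISC" -a "$TRAFFIC" ]` does not test what its error message promises: `!` binds only to `"$DOWNLINK"`, so the branch fires solely when DOWNLINK is empty and every other variable is set, and an empty UPLINK or DEV passes straight through to the tc commands below. The check should be `if [ -z "$DOWNLINK" -o -z "$UPLINK" -o -z "$DEV" -o -z "$QDISC" -o -z "$TRAFFIC" ]`, and the message should go to stderr with `>&2`. Since QDISC and TRAFFIC are always given a default just above, the variables that actually decide whether the script can run are DOWNLINK, UPLINK and DEV, which is worth saying in the comment on that line.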
@@ -30,21 +89,58 @@ # clean existing down- and uplink qdiscs, hide errors tc qdisc del dev $DEV root 2> /dev/null > /dev/null tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null +iptables -t mangle -F astshape 2> /dev/null > /dev/null +iptables -t mangle -X astshape 2> /dev/null > /dev/null -if [ "$1" = "stop" ] +# Get POSTROUTING,OUTPUT out of our way +iptables -t mangle -F POSTROUTING 2> /dev/null > /dev/null +iptables -t mangle -F OUTPUT 2> /dev/null > /dev/null + +if [ "$1" = "stop" ] then exit fi -###### uplink +# Determine QDISC for uplink +case "$QDISC" in +hfsc|HFSC) +# add HFSC root qdisc +tc qdisc add dev $DEV root handle 1: hfsc default 5 + +# add main rate limit class +tc class add dev $DEV parent 1: classid 1:1 hfsc sc rate ${UPLINK}kbit ul rate ${UPLINK}kbit + +# Interactive traffic: guarantee realtime full uplink for 50ms, then +# 5/10 of the uplink +tc class add dev $DEV parent 1:1 classid 1:20 hfsc rt m1 ${UPLINK}kbit d 50ms m2 $((5*$UPLINK/10))kbit \ +ls m1 ${UPLINK}kbit d 50ms m2 $((7*$UPLINK/10))kbit ul rate ${UPLINK}kbit + +# VoIP: guarantee full uplink for 200ms, then 3/10 +tc class add dev $DEV parent 1:1 classid 1:10 hfsc sc m1 ${UPLINK}kbit d 200ms m2 $((3*$UPLINK/10))kbit \ +ul rate ${UPLINK}kbit + +# Browsing: Don't guarantee anything for the first second, then guarantee 1/10 +#tc class add dev $DEV parent 1:1 classid 1:40 hfsc sc m1 0 d 1s m2 $((1*$UPLINK/10))kbit \ +#ul rate ${UPLINK}kbit + +# Default traffic: don't guarantee anything for the first two seconds, then guarantee 1/20 +tc class add dev $DEV parent 1:1 classid 1:30 hfsc sc m1 0 d 2s m2 $((1*$UPLINK/20))kbit \ +ul rate ${UPLINK}kbit + +# Default traffic: don't guarantee anything for the first 10 seconds, then guarantee 1/20 +tc class add dev $DEV parent 1:1 classid 1:40 hfsc sc m1 0 d 10s m2 $((1*$UPLINK/20))kbit \ +ul rate ${UPLINK}kbit +;; + +htb|HTB) #install root HTB, point default traffic to 1:30 tc qdisc add dev $DEV root handle 1: htb default 30 #shape everything at 
$UPLINK speed to prevent queing tc class add dev $DEV parent 1: classid 1:1 htb rate ${UPLINK}kbit burst 6k -#voip class 1:10 - "the crown prince of bandwidth" +#voip class 1:10 tc class add dev $DEV parent 1:1 classid 1:10 htb rate ${UPLINK}kbit burst 6k prio 1 #high prio class 1:20 
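Review bot: The new cleanup lines `iptables -t mangle -F POSTROUTING` and `iptables -t mangle -F OUTPUT` flush the whole built-in chains, so every start and stop of astshape silently removes any mangle rule another component has placed there, not just this script's own jump rules. Deleting only what astshape added is enough and must happen before the chain is destroyed: `iptables -t mangle -D POSTROUTING -o "$DEV" -j astshape 2> /dev/null > /dev/null`, `iptables -t mangle -D OUTPUT -o "$DEV" -j astshape 2> /dev/null > /dev/null`, then the existing `-F astshape` and `-X astshape`. In the hfsc branch the root qdisc is created with `hfsc default 5`, but no class 1:5 appears in this hunk; if none is created elsewhere, unclassified traffic has no class to land in, so the default should presumably point at 1:30 like the htb branch does (to be confirmed). The two classes 1:30 and 1:40 in that branch carry the same "Default traffic" comment, which leaves the reader unable to tell which one is the default.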
@@ -61,70 +157,75 @@ tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10 tc qdisc add dev $DEV parent 1:30 handle 30: sfq perturb 10 tc qdisc add dev $DEV parent 1:40 handle 40: sfq perturb 10 +;; -#Voip TOS in 1:10 -tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 match ip tos 0x18 0xff flowid 1:10 +*) +echo "AstShape: Unsupported QDISC type" +exit 1 +;; -#Ports as defined above -for a in $VOIPPORTS -do - tc filter add dev $DEV parent 1:0 protocol ip prio 11 u32 match ip dport $a 0xffff flowid 1:10 - tc filter add dev $DEV parent 1:0 protocol ip prio 11 u32 match ip sport $a 0xffff flowid 1:10 -done +esac -#TOS Minimum Delay (ssh, NOT scp) in 1:20 -tc filter add dev $DEV parent 1:0 protocol ip prio 20 u32 match ip tos 0x10 0xff flowid 1:20 +# Create possibility to match with iptables +iptables -t mangle -N astshape -#DNS in interactive class 1:20 -tc filter add dev $DEV parent 1:0 protocol ip prio 21 u32 match ip sport 53 0xffff flowid 1:20 -tc filter add dev $DEV parent 1:0 protocol ip prio 22 u32 match ip dport 53 0xffff flowid 1:20 +# Types of traffic to shape +if [ "$TRAFFIC" = "router" -o "$TRAFFIC" = "all" ] +then +iptables -t mangle -A POSTROUTING -o $DEV -j astshape +fi -#only give TCP ACK's higher priority if this connection is asymmetrical -if [ ! 
$DOWNLINK = $UPLINK ] +if [ "$TRAFFIC" = "host" -o "$TRAFFIC" = "all" ] then -#give TCP ACK's higher priority in 1:20 -tc filter add dev $DEV parent 1: protocol ip prio 23 u32 \ - match ip protocol 6 0xff \ - match u8 0x05 0x0f at 0 \ - match u16 0x0000 0xffc0 at 2 \ - match u8 0x10 0xff at 33 \ - flowid 1:20 +iptables -t mangle -A OUTPUT -o $DEV -j astshape fi -#Ports as defined above -for a in $INTPORTS +# Actually match traffic here +#Our VoIP TOS flags (this is disabled right now) +#iptables -t mangle -A astshape -m udp -p udp -m tos --tos 0x18 -j CLASSIFY --set-class 1:10 + +#VoIP ports +if [ "$VOIPPORTS" ] +then +for i in $VOIPPORTS do - tc filter add dev $DEV parent 1:0 protocol ip prio 24 u32 match ip dport $a 0xffff flowid 1:20 - tc filter add dev $DEV parent 1:0 protocol ip prio 24 u32 match ip sport $a 0xffff flowid 1:20 +iptables -t mangle -A astshape -m udp -p udp --dport $i -j CLASSIFY --set-class 1:10 +iptables -t mangle -A astshape -m udp -p udp --sport $i -j CLASSIFY --set-class 1:10 done +fi -#ICMP (ip protocol 1) in the interactive class 1:20 -tc filter add dev $DEV parent 1: protocol ip prio 25 u32 match ip protocol 1 0xff flowid 1:20 +# Interactive SSH in 2 (does NOT match SCP) +iptables -t mangle -A astshape -m tcp -p tcp --dport 22 -m tos --tos 0x10 -j CLASSIFY --set-class 1:20 +iptables -t mangle -A astshape -m tcp -p tcp --sport 22 -m tos --tos 0x10 -j CLASSIFY --set-class 1:20 -#the slowest of the slow -for a in $NOPRIOPORTDST -do - tc filter add dev $DEV parent 1: protocol ip prio 40 u32 match ip dport $a 0xffff flowid 1:40 -done +# DNS in 2 +iptables -t mangle -A astshape -m udp -p udp --dport 53 -j CLASSIFY --set-class 1:20 +iptables -t mangle -A astshape -m udp -p udp --sport 53 -j CLASSIFY --set-class 1:20 -for a in $NOPRIOPORTSRC +#Interactive ports +if [ "$INTPORTS" ] +then +for i in $INTPORTS do - tc filter add dev $DEV parent 1: protocol ip prio 41 u32 match ip sport $a 0xffff flowid 1:40 +iptables -t mangle -A astshape -m udp -p 
udp --dport $i -j CLASSIFY --set-class 1:20 +iptables -t mangle -A astshape -m udp -p udp --sport $i -j CLASSIFY --set-class 1:20 +iptables -t mangle -A astshape -m tcp -p tcp --dport $i -j CLASSIFY --set-class 1:20 +iptables -t mangle -A astshape -m tcp -p tcp --sport $i -j CLASSIFY --set-class 1:20 done +fi -for a in $NOPRIOHOSTSRC -do - tc filter add dev $DEV parent 1: protocol ip prio 42 u32 match ip src $a flowid 1:40 -done +# PRIO TCP ACKs +iptables -t mangle -A astshape -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK ACK \ +-m length --length :64 -j CLASSIFY --set-class 1:20 -for a in $NOPRIOHOSTDST -do - tc filter add dev $DEV parent 1: protocol ip prio 43 u32 match ip dst $a flowid 1:40 -done +# put large (512+) icmp packets in default category +#iptables -t mangle -A astshape -p icmp -m length --length 512: -j CLASSIFY --set-class 1:30 -#rest is 'non-interactive' ie 'bulk' and ends up in 1:30 -tc filter add dev $DEV parent 1: protocol ip prio 30 u32 match ip dst 0.0.0.0/0 flowid 1:30 +# Small ICMP (ip protocol 1) in the interactive class +iptables -t mangle -A astshape -p icmp -m length --length :512 -j CLASSIFY --set-class 1:20 +# Downlink is always the same + ########## downlink ############# # slow downloads down to somewhat less than the real speed to prevent # queuing at our ISP. Tune to see how high you can set it. Modified: trunk/package/iptables/astfw =================================================================== --- trunk/package/iptables/astfw 2007-10-18 18:09:06 UTC (rev 1289) +++ trunk/package/iptables/astfw 2007-10-18 19:24:09 UTC (rev 1290) 
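Review bot: After this rewrite nothing classifies traffic into class 1:40 any more: the NOPRIOPORTSRC/NOPRIOPORTDST/NOPRIOHOSTSRC/NOPRIOHOSTDST filters are removed, but the class and its `sfq` qdisc are still created in the context lines above, so the "slowest of the slow" class is now dead weight. Either add equivalent `-j CLASSIFY --set-class 1:40` rules for those variables or drop the class and document that it is gone. A comment at the top of the astshape chain should also state how the rules interact: `# CLASSIFY is non-terminating, so when several rules match the last one wins (e.g. a port listed in both VOIPPORTS and INTPORTS ends up in 1:20)`. The jump rules `-A POSTROUTING -o $DEV -j astshape` and `-A OUTPUT -o $DEV -j astshape` should quote the interface, `-o "$DEV"`, and the comments "Interactive SSH in 2" and "DNS in 2" should name the actual class, 1:20.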
@@ -75,6 +75,12 @@
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+#Do MSS clamping if we are configured for PPPoE
+if [ "$EXTIF" = "ppp0" ]
+then
+iptables -A FORWARD -o "$EXTIF" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+fi
+
 #DMZ Support
 if [ "$DMZIF" ]
 then
Modified: trunk/package/iptables/iptables.init
===================================================================
--- trunk/package/iptables/iptables.init 2007-10-18 18:09:06 UTC (rev 1289)
+++ trunk/package/iptables/iptables.init 2007-10-18 19:24:09 UTC (rev 1290)
@@ -64,11 +64,16 @@
 /usr/sbin/iptables -t nat -P POSTROUTING ACCEPT
 /usr/sbin/iptables -t nat -P OUTPUT ACCEPT
 elif [ "$a" = "mangle" ]; then
+if [ "$EXTUP" -a "$EXTDOWN" ]
+then
+echo "Refusing to clear mangle because QoS is enabled"
+else
 /usr/sbin/iptables -t mangle -P PREROUTING ACCEPT
 /usr/sbin/iptables -t mangle -P INPUT ACCEPT
 /usr/sbin/iptables -t mangle -P FORWARD ACCEPT
 /usr/sbin/iptables -t mangle -P OUTPUT ACCEPT
 /usr/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+fi
 elif [ "$a" = "filter" ]; then
 /usr/sbin/iptables -t filter -P INPUT ACCEPT
 /usr/sbin/iptables -t filter -P FORWARD ACCEPT
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
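Review bot: The MSS clamp is applied only to SYNs leaving through `-o "$EXTIF"`, so the MSS that remote peers advertise in their SYN/SYN-ACK toward LAN hosts is never adjusted and those hosts may still send full-size segments at the PPPoE link. The customary form applies the rule to forwarded SYNs in both directions, either by dropping `-o "$EXTIF"` from the added rule or by adding a twin with `-i "$EXTIF"`. The trigger `[ "$EXTIF" = "ppp0" ]` also hard-codes one ppp unit; a test such as `[ "${EXTIF#ppp}" != "$EXTIF" ]` would cover any ppp interface, and the comment should say the clamp is needed because PPPoE lowers the usable MTU below 1500.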
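Review bot: The five lines the new guard skips only set the mangle chain policies to ACCEPT, which does not touch the astshape chain or its rules, so as written the guard protects nothing that QoS depends on; if the table is actually flushed (`-F`/`-X`) elsewhere in this loop, outside the hunk, that is the step the guard needs to wrap. Testing `[ "$EXTUP" -a "$EXTDOWN" ]` also decides from configuration rather than state, so a box with the variables set but astshape stopped will refuse too; checking for the chain itself, `iptables -t mangle -L astshape -n > /dev/null 2>&1`, would reflect what is loaded. The refusal message should go to stderr, `echo "Refusing to clear mangle because QoS is enabled" >&2`. The enclosing `elif` chain and the loop over `$a` start and end outside the hunk.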