#!/bin/bash # Somewhat simple script that controls bandwidth usage. # # This script assumes that iptables, ebtables and tc are installed. # It also assumes that it is being run on a bridge for the purposes # of port matching. This should be easy to modify. # # By Matthew Strait, 2006. May be distributed under the GPL version 2, # http://www.gnu.org/licenses/gpl.txt # tc needs to be told about the physical devices, even if you're a bridge physdevs="eth0 eth1" # syntax: " = , ". # Match types are "layer7" and "port". # "port" matches source or destination for tcp or udp. # "kbps" means "KBytes/second". This is tc's fault. actions=( "port = 80, 20kbps" "layer7 = gnutella, 50kbps" "layer7 = dns, 500kbps" "layer7 = smtp, 500kbps" "layer7 = x11, 100kbps" ) # Nothing below this line needs to be edited ######################################################################### PATH=$PATH:/usr/local/sbin # count commas... lastaction=`echo ${actions[*]} | tr \, '\n' | wc -l` # extra comma and array starts at zero... let lastaction-=2 stop-tc() { if ! [ $1 ]; then echo "specify a device!" cleanup 1 fi for dev in $@; do if tc qdisc del dev $dev root &> /dev/null; then echo "tc has now stopped for $dev" else echo "stopping tc for $dev failed (was probably already stopped)" fi done } cleanup(){ # Flush the whole filter table. iptables -F if ! [ $? = "0" ]; then echo flushing iptables failed at line $LINENO else echo iptables flushed fi ebtables -F if ! [ $? = "0" ]; then echo flushing ebtables failed at line $LINENO else echo ebtables flushed fi # stop traffic control completely. stop-tc $physdevs # if called with non-zero value, exit with that value if [[ $1 != 0 ]]; then exit $1; fi } # 0 = don't exit cleanup 0 # If these aren't loaded manually, shaping of the child connections will not work. # (Well, with version 0.1, it won't work anyway.) for m in ip_conntrack_ftp ip_conntrack_irc ip_conntrack_tftp ip_conntrack_amanda; do if ! lsmod | grep $m > /dev/null; then if ! modprobe $m; then echo failed to load module $m fi fi done # set up basic traffic control magic for dev in $physdevs; do tc qdisc add dev $dev root handle 1: htb default 10 if ! [ $? = "0" ]; then echo tc failed at line $LINENO; cleanup 1; fi done # The Netfilter mark number and also the QoS queue number. # Must start at 2 so it doesn't collide. n=2 # index into the speeds array index=0 for m in `seq 0 $lastaction`; do match=`echo ${actions[$m]} | cut -d\, -f1` speed=`echo ${actions[$m]} | cut -d\, -f2` type=`echo $match | cut -d\= -f1` arg=`echo $match | cut -d\= -f2` echo Packets matching \"$match\" will be shaped to $speed \($n\) if [ $type == "layer7" ]; then echo $arg $n >> l7-tmp-conf.$$ elif [ $type == "port" ]; then ebtables -A FORWARD -p IPv4 --ip-proto tcp --ip-source-port $arg -j mark --set-mark $n ebtables -A FORWARD -p IPv4 --ip-proto tcp --ip-destination-port $arg -j mark --set-mark $n ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-source-port $arg -j mark --set-mark $n ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-destination-port $arg -j mark --set-mark $n else echo "failed to parse \"$match\"" cleanup 1 fi if ! [ $? = "0" ]; then echo \[ip\|eb\]tables failed at line $LINENO; cleanup 1; fi for dev in $physdevs; do # per class traffic control black magic tc class add dev $dev parent 1: classid 1:$n htb rate $speed burst 1k if ! [ $? = "0" ]; then echo tc failed at line $LINENO; cleanup 1; fi tc qdisc add dev $dev parent 1:$n handle $n: sfq perturb 10 if ! [ $? = "0" ]; then echo tc failed at line $LINENO; cleanup 1; fi tc filter add dev $dev protocol ip parent 1: prio 1 handle $n fw flowid 1:$n if ! [ $? = "0" ]; then echo tc failed at line $LINENO; cleanup 1; fi done let n++ let index++ done modprobe ip_conntrack_netlink iptables -A FORWARD -j QUEUE l7-filter -f l7-tmp-conf.$$ cleanup 0 rm l7-tmp-conf.$$