Hejka,
co prawda chcialem to nieco pozmieniac przed upublicznieniem,
tak zeby nie przypominalo jednej wielkiej prowizorki, ale chyba
nigdy tego nie zrobie... w zalaczniku jest skrypt wykorzystywany
przeze mnie do generowania wszystkiego z lms'a co mi potrzebne
(poza mackami chyba)
uwaga 1: skrypt olewa up/download z lms'a, robi to po swojemu
uwaga 2: tworzy 3 kolejki dla roznych uslug z calkowicie osobnymi
limitami
uwaga 3: umozliwia natowanie publicznych ip (DNAT/SNAT)
uwaga 4: jest brzydki straszliwie bo przerabialem to co bylo pod reka
tak by tylko dzialalo
uwaga 5: kernel ktorego uzywam paczowany jest zbiorczym patchem
z www.inet.one.pl
w razie czego moge cos wyklarowac :)
btw. konstruktywne uwagi mile widziane.
--
Goblin
#!/usr/bin/perl -Tw
#include <lms-complex.ip.list>
#
# LMS version 1.3-cvs
#
# (C) 2001-2004 LMS Developers
#
# Please, see the doc/AUTHORS for more information about authors!
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
#
# $Id: lms-complex,v 1.29 2004/04/12 07:14:08 alec Exp $
use strict;
use DBI;
use Config::IniFiles;
use Getopt::Long;
use vars qw($configfile $quiet $help $version);
# Private -> public address pairs that get 1:1 NAT (SNAT on the way out,
# DNAT on the way in) in the per-host section below; hosts not listed
# here are MASQUERADEd instead.  Both addresses also get their own
# MARK/RETURN rules in the priority chains.
# NOTE(review): the "#include <lms-complex.ip.list>" line at the top
# suggests this table is meant to be pulled in from a separate file by a
# preprocessor step - confirm how the script is actually run.
my %iplist = (
"192.168.254.2" => "217.153.240.2",
# "192.168.." => "x.x.x.x",
);
#sub RandomiseArray {
# my (%b, $c);
# map { do { $c = rand } until(!exists $b{$c}); $b{$c} = $_ } @_;
# return values(%b);
#}
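# Convert a dotted-quad netmask (e.g. "255.255.255.0") to its prefix
# length (24).  The mask is expected to be contiguous - all ones followed
# by all zeros; a non-contiguous mask is reported on STDOUT and the count
# of leading ones is still returned.
#
# Argument: $mask - netmask as a dotted-quad string.
# Returns:  prefix length, 0..32.
sub mask2prefix($)
{
    my $mask = shift @_;
    # A bare '.' as the split pattern is a regex meta-character matching
    # every byte, so it has to be escaped to split on the dots.
    my @octet = split(/\./, $mask, 4);
    # %08b zero-pads each octet to eight bits; without the padding a mask
    # such as 255.255.1.0 would look contiguous ("1" instead of
    # "00000001").  Missing octets count as 0.
    my $bits = sprintf("%08b%08b%08b%08b", map { $_ || 0 } @octet[0 .. 3]);
    $bits =~ s/0*\z//;
    if ($bits =~ /0/) {
        print " You idiot. error in mask\n";
    }
    return length($bits);
}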
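# Test whether $ip lies inside the network $net/$mask (all three given as
# dotted quads).  If $net has host bits set under $mask the pair is
# reported on STDOUT and the test fails.
#
# Arguments: $ip, $net, $mask - dotted-quad strings.
# Returns:   true when ($ip AND mask) equals $net, otherwise false.
sub matchip($$$)
{
    my ($ip, $net, $mask) = @_;
    my $prefix = mask2prefix($mask);
    # 32-bit mask with the top $prefix bits set.  A /0 is special-cased:
    # shifting a 32-bit value by 32 is not portable between perls.
    my $bmask = $prefix ? (0xFFFFFFFF << (32 - $prefix)) & 0xFFFFFFFF : 0;
    my $bnet = dotquad2u32($net);
    if (($bnet & $bmask) != $bnet) {
        print "EEediot net &mask != net\n";
        return !!0;    # canonical false, same value as a failed comparison
    }
    my $bip = dotquad2u32($ip);
    return (($bip & $bmask) == $bnet);
}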
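# Pack a dotted-quad string into a 32-bit integer, first octet in the
# most significant byte.  An undefined/empty argument is treated as
# 0.0.0.0; missing octets count as 0.  Octet values are not range-checked.
#
# Argument: $dq - dotted-quad string.
# Returns:  unsigned 32-bit integer.
sub dotquad2u32($)
{
    my $dq = shift || '0.0.0.0';
    # Escaped dot: an unescaped '.' would split on every character.
    my @octet = split(/\./, $dq, 4);
    my $u32 = 0;
    for my $o (@octet[0 .. 3]) {
        $u32 = ($u32 << 8) + ($o || 0);
    }
    return $u32;
}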
# Format a 32-bit integer as a dotted quad, most significant byte first.
#
# Argument: $packed - integer address.
# Returns:  "a.b.c.d" string.
sub u32todotquad($)
{
    my ($packed) = @_;
    my @octets = map { ($packed >> $_) & 0xff } (24, 16, 8, 0);
    return join('.', @octets);
}
# True when $ip falls inside one of the RFC 1918 private ranges
# (192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12).
#
# Argument: $ip - dotted-quad string.
# Returns:  the first true matchip() result, or the last (false) one.
sub isprivate($)
{
    my ($ip) = @_;
    my @private_ranges = (
        [ "192.168.0.0", "255.255.0.0" ],
        [ "10.0.0.0",    "255.0.0.0" ],
        [ "172.16.0.0",  "255.240.0.0" ],
    );
    my $hit;
    for my $range (@private_ranges) {
        $hit = matchip($ip, $range->[0], $range->[1]);
        last if $hit;
    }
    return $hit;
}
# Placeholder: no address is mapped to a public one here, the answer is
# always 0 (the %iplist table above is what the generator actually uses).
#
# Argument: $ip - ignored.
# Returns:  0.
sub publicmap($)
{
    my ($ip) = @_;
    return 0;
}
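my $_version = '1.3-cvs';

# Command-line switches.  The values must be REFERENCES to the globals
# declared with "use vars" above: a plain "$configfile" hands GetOptions a
# copy of undef and the switch can never take effect.
my %options = (
    "--config-file|C=s" => \$configfile,
    "--quiet|q"         => \$quiet,
    "--help|h"          => \$help,
    "--version|v"       => \$version
);

Getopt::Long::Configure("no_ignore_case");
# GetOptions warns about an unknown switch and returns false; do not go on
# to regenerate the firewall script after a mistyped command line.
GetOptions(%options) or exit 1;

if ($help) {
    print STDERR <<EOF;
lms-complex, version $_version
(C) 2001-2004 LMS Developers
-C, --config-file=/etc/lms/lms.ini alternate config file (default: /etc/lms/lms.ini);
-h, --help print this help and exit;
-v, --version print version info and exit;
-q, --quiet suppress any output, except errors;
EOF
    exit 0;
}

if ($version) {
    print STDERR <<EOF;
lms-complex, version $_version
(C) 2001-2004 LMS Developers
EOF
    exit 0;
}

$configfile = "/etc/lms/lms.ini" if !$configfile;

if (!$quiet) {
    print STDOUT "lms-complex, version $_version\n";
    print STDOUT "(C) 2001-2004 LMS Developers\n";
    print STDOUT "Using file $configfile as config.\n";
}

if (! -r $configfile) {
    print STDERR "Fatal error: Unable to read configuration file $configfile, exiting.\n";
    exit 1;
}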
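# Parse the INI file.  new() returns undef on a malformed file; stop with
# a clear message instead of dying on a method call on undef.
my $ini = Config::IniFiles->new(-file => $configfile);
if (!$ini) {
    print STDERR "Fatal error: Unable to parse configuration file $configfile, exiting.\n";
    exit 1;
}

# [complex] section: what to generate and where to put it.
my $networks_list = $ini->val('complex', 'networks') || '';       # space-separated network names; empty = all
my $forward_to_list = $ini->val('complex', 'forward_to') || '';   # read, but not consulted when generating rules
my $cfile = $ini->val('complex', 'script_file') || '/etc/rc.d/rc.lms.complex';
my $cuid = $ini->val('complex', 'script_owneruid') || '0';
my $cgid = $ini->val('complex', 'script_ownergid') || '0';
my $cperm = $ini->val('complex', 'script_permission') || '700';
my $tcbin = $ini->val('complex', 'tc_binary') || '/sbin/tc';
my $ipbin = $ini->val('complex', 'iptables_binary') || '/usr/sbin/iptables';
my $snataddr = $ini->val('complex', 'snat_address') || '';        # not used in this script
my $prescript = $ini->val('complex', 'prescript') || '';          # not used in this script
my $postscript = $ini->val('complex', 'postscript') || '/etc/rc.d/rc.lms.post';  # not used in this script

# The shebang enables taint mode (-T): everything read from the config
# file is tainted, and Perl refuses tainted data in open() for writing,
# chown() and chmod().  Validate the values that reach those calls and
# keep the untainted capture.  The *_binary paths are only printed into
# the generated script, so they are not untainted here.
if ($cfile =~ m{\A(/[\w.\-/]+)\z}) {
    $cfile = $1;
}
else {
    print STDERR "Fatal error: script_file '$cfile' must be an absolute path without special characters, exiting.\n";
    exit 1;
}
for my $id_setting ([ 'script_owneruid', \$cuid ], [ 'script_ownergid', \$cgid ]) {
    my ($name, $ref) = @$id_setting;
    if ($$ref =~ /\A(\d+)\z/) {
        $$ref = $1;
    }
    else {
        print STDERR "Fatal error: $name must be a non-negative integer, got '$$ref', exiting.\n";
        exit 1;
    }
}
if ($cperm =~ /\A([0-7]{3,4})\z/) {
    $cperm = $1;
}
else {
    print STDERR "Fatal error: script_permission must be an octal mode such as 700, got '$cperm', exiting.\n";
    exit 1;
}

# [database] section and the DBI connection.  RaiseError makes every
# failed connect/prepare/execute die, which is why the queries below do
# not check return values themselves.
my $dbtype = $ini->val('database', 'type') || 'mysql';
my $dbhost = $ini->val('database', 'host') || 'localhost';
my $dbuser = $ini->val('database', 'user') || 'root';
my $dbpasswd = $ini->val('database', 'password') || '';
my $dbname = $ini->val('database', 'database') || 'lms';

my $dbase;
if ($dbtype eq "mysql") {
    $dbase = DBI->connect("DBI:mysql:database=$dbname;host=$dbhost", $dbuser, $dbpasswd, { RaiseError => 1 });
}
elsif ($dbtype eq "postgres") {
    $dbase = DBI->connect("DBI:Pg:dbname=$dbname;host=$dbhost", $dbuser, $dbpasswd, { RaiseError => 1 });
}
elsif ($dbtype eq "sqlite") {
    $dbase = DBI->connect("DBI:SQLite:dbname=$dbname;host=$dbhost", $dbuser, $dbpasswd, { RaiseError => 1 });
    # SQLite has no inet_ntoa()/inet_aton(); supply them from the Perl
    # helpers above so the queries below work unchanged.
    # NOTE(review): DBD::SQLite's create_function takes a code reference;
    # the sub names are passed as strings here - confirm this works with
    # the installed DBD::SQLite, otherwise pass \&u32todotquad etc.
    $dbase->func('inet_ntoa', 1, 'u32todotquad', 'create_function');
    $dbase->func('inet_aton', 1, 'dotquad2u32', 'create_function');
}
else {
    print STDERR "Fatal error: unsupported database type: $dbtype, exiting.\n";
    exit 1;
}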
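# Open the generated script.  Three-argument open: with the two-argument
# form a script_file value starting with '>', '>>' or '|' would change the
# open mode or run a command.  The bareword handle is kept because the
# rest of the file prints to COMPLEXSCRIPT.
open(COMPLEXSCRIPT, '>', $cfile) or die("Fatal error: Unable to write $cfile, exiting.\n");
print COMPLEXSCRIPT "#!/bin/bash\n";

### FLUSH AND INITIALISE THE TABLES ###
# nat and filter are emptied; FORWARD defaults to DROP, so only the
# explicit ACCEPT rules further down let traffic through the router.
print COMPLEXSCRIPT "$ipbin -t nat -F\n";
print COMPLEXSCRIPT "$ipbin -t filter -F\n";
print COMPLEXSCRIPT "$ipbin -t filter -P FORWARD DROP\n";
# mangle is emptied and the three per-service priority chains created.
# -F does not delete user chains, so on a re-run the -N lines only report
# that the chain already exists; the generated script does not stop on
# that.
print COMPLEXSCRIPT "$ipbin -t mangle -F\n";
for my $chain (qw(LOW_PRIO STD_PRIO HIGH_PRIO)) {
    print COMPLEXSCRIPT "$ipbin -t mangle -N $chain\n";
}

### BASIC FILTER RULES ###
# Match-only entries so the FORWARD counters show per-interface traffic.
# Interface names are hard-coded: eth3 is the uplink (it carries the
# MASQUERADE and the upload queues), eth1 presumably the LAN side.
for my $dev (qw(eth1 eth3)) {
    print COMPLEXSCRIPT "$ipbin -t filter -A FORWARD -i $dev\n";
    print COMPLEXSCRIPT "$ipbin -t filter -A FORWARD -o $dev\n";
}
# Drop the classic worm ports (MS RPC / SMB) in both directions.
print COMPLEXSCRIPT "$ipbin -t filter -A FORWARD -p tcp --dport 135 -j DROP\n";
print COMPLEXSCRIPT "$ipbin -t filter -A FORWARD -p tcp --dport 445 -j DROP\n";
# Forward only from/to our own networks.  These prefixes are fixed here
# rather than derived from the networks table used later.
# NOTE(review): 10.0.0.0/16 may be meant to be /8 - confirm against the
# deployed addressing.
for my $prefix (qw(192.168.0.0/16 10.0.0.0/16)) {
    print COMPLEXSCRIPT "$ipbin -t filter -A FORWARD -s $prefix -j ACCEPT\n";
    print COMPLEXSCRIPT "$ipbin -t filter -A FORWARD -d $prefix -j ACCEPT\n";
}

### SERVICE PRIORITY CLASSIFICATION ###
# CONNMARK restores/saves the fw mark on the connection.  Every packet
# passes STD_PRIO first and may then be re-marked by LOW_PRIO (ipp2p
# match, needs the ipp2p iptables/kernel patch) or HIGH_PRIO (the ports
# listed below and ICMP); the later jump wins.  The per-host chains are
# filled in the per-host section.
print COMPLEXSCRIPT "$ipbin -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark\n";
print COMPLEXSCRIPT "$ipbin -t mangle -A PREROUTING -j STD_PRIO\n";
print COMPLEXSCRIPT "$ipbin -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j LOW_PRIO\n";

# [ protocol, port(s), directions ]; with no directions given both a
# --dport and a --sport rule are generated, in that order.
my @high_prio = (
    [ 'tcp', '20:21' ],                       # FTP
    [ 'tcp', '22' ],                          # SSH
    [ 'tcp', '25' ],                          # SMTP
    [ 'tcp', '53' ], [ 'udp', '53' ],         # DNS
    [ 'tcp', '80' ],                          # HTTP
    [ 'tcp', '110' ],                         # POP3
    [ 'tcp', '443' ],                         # HTTPS
    [ 'tcp', '1716' ], [ 'udp', '1716' ],
    [ 'udp', '1755', 'sport' ],               # Microsoft media broadcast (radio gdansk)
    [ 'tcp', '3782' ], [ 'udp', '3782' ],     # Roger Wilco
    [ 'udp', '4569' ],                        # Tlenofon
    [ 'tcp', '4000' ],                        # BattleNet
    [ 'tcp', '6112' ], [ 'udp', '6112' ],
    [ 'tcp', '3724' ], [ 'udp', '3724' ],
    [ 'tcp', '8602' ], [ 'udp', '8602' ],     # XBox Connect
    [ 'tcp', '8000:8005', 'sport' ],          # Shoutcast
    [ 'tcp', '8074', 'sport', 'dport' ],      # GG (sport rule first)
    [ 'udp', '55555' ],                       # dedicated Skype port
);
for my $rule (@high_prio) {
    my ($proto, $port, @dirs) = @$rule;
    @dirs = qw(dport sport) if !@dirs;
    for my $dir (@dirs) {
        print COMPLEXSCRIPT "$ipbin -t mangle -A PREROUTING -p $proto --$dir $port -j HIGH_PRIO\n";
    }
}
print COMPLEXSCRIPT "$ipbin -t mangle -A PREROUTING -p icmp -j HIGH_PRIO\n";
print COMPLEXSCRIPT "$ipbin -t mangle -A PREROUTING -p tcp -j CONNMARK --save-mark\n";
### END OF SERVICE PRIORITIES ###

### INGRESS FROM THE WAN INTO IMQ0 ###
# Traffic coming from outside 192.168.0.0/16 and destined for it is
# diverted to imq0 (IMQ target, out-of-tree kernel patch) so download can
# be shaped with an egress qdisc on that device.
# NOTE(review): only 192.168.0.0/16 is sent to imq0, so hosts in
# 10.0.0.0/16 (accepted above) get no download shaping - confirm that is
# intended.
print COMPLEXSCRIPT "$ipbin -t mangle -A POSTROUTING -s ! 192.168.0.0/16 -d 192.168.0.0/16 -j IMQ --todev 0\n";
print COMPLEXSCRIPT "/usr/sbin/ip link set imq0 up\n";

### ROOT QUEUES FOR THE WAN INTERFACE ###
# eth3 shapes upload, imq0 shapes download.  Each root carries three
# service classes - 1:4 low, 1:5 standard, 1:6 high - under a parent
# capped at 8000kbit; unclassified traffic lands in 1:5 ("default 5").
# The per-host section attaches one leaf class per host to each of them.
print COMPLEXSCRIPT "$tcbin qdisc del dev eth3 root handle 1: htb default 5\n";
print COMPLEXSCRIPT "$tcbin qdisc del dev imq0 root handle 1: htb default 5\n";
print COMPLEXSCRIPT "$tcbin qdisc add dev eth3 root handle 1: htb default 5\n";
print COMPLEXSCRIPT "$tcbin class add dev eth3 parent 1: classid 1:3 htb rate 8000kbit burst 2k\n";
print COMPLEXSCRIPT "$tcbin class add dev eth3 parent 1:3 classid 1:4 htb rate 1024kbit ceil 5000kbit burst 2k\n";
print COMPLEXSCRIPT "$tcbin class add dev eth3 parent 1:3 classid 1:5 htb rate 1024kbit ceil 6000kbit burst 2k\n";
print COMPLEXSCRIPT "$tcbin class add dev eth3 parent 1:3 classid 1:6 htb rate 2048kbit ceil 6000kbit burst 2k\n";
print COMPLEXSCRIPT "$tcbin qdisc add dev imq0 root handle 1: htb default 5\n";
print COMPLEXSCRIPT "$tcbin class add dev imq0 parent 1: classid 1:1 htb rate 8000kbit burst 2k\n";
print COMPLEXSCRIPT "$tcbin class add dev imq0 parent 1:1 classid 1:4 htb rate 1000kbit ceil 5000kbit burst 2k\n";
print COMPLEXSCRIPT "$tcbin class add dev imq0 parent 1:1 classid 1:5 htb rate 3000kbit ceil 5000kbit burst 2k\n";
print COMPLEXSCRIPT "$tcbin class add dev imq0 parent 1:1 classid 1:6 htb rate 4000kbit ceil 7000kbit burst 2k\n";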
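### PER-HOST RULES ###

# Emit, for one address, the MARK + RETURN pair in each priority chain for
# traffic from (-s) and to (-d) that host.  %mark maps the chain name to
# the fw mark that selects the host's leaf class for that priority.
sub _print_mark_rules {
    my ($addr, %mark) = @_;
    for my $chain (qw(LOW_PRIO STD_PRIO HIGH_PRIO)) {
        for my $dir (qw(-s -d)) {
            print COMPLEXSCRIPT "$ipbin -t mangle -A $chain $dir $addr/32 -j MARK --set-mark $mark{$chain} \n";
            print COMPLEXSCRIPT "$ipbin -t mangle -A $chain $dir $addr/32 -j RETURN \n";
        }
    }
    return;
}

# Emit one host leaf on $dev: an htb class under $parent limited to
# $ceil, an sfq qdisc on it, and the fw filter steering packets that carry
# mark $id into it.
# NOTE(review): tc reads classids and qdisc handles as hexadecimal while
# the iptables mark is decimal; the ids used here are made of decimal
# digits only, so each mark still selects exactly one class - keep that
# in mind if the numbering scheme is ever changed.
sub _print_tc_leaf {
    my ($dev, $parent, $id, $ceil, $prio) = @_;
    print COMPLEXSCRIPT "$tcbin class add dev $dev parent $parent classid 1:$id htb rate 1kbit ceil $ceil quantum 2000 burst 2k \n";
    print COMPLEXSCRIPT "$tcbin qdisc add dev $dev parent 1:$id handle $id: sfq perturb 10 \n";
    print COMPLEXSCRIPT "$tcbin filter add dev $dev protocol ip parent 1:0 prio $prio handle $id fw flowid 1:$id \n";
    return;
}

# All network names known to the database; used when the config does not
# name the networks to generate for.
my $allnetworks = "";
my $name_q = $dbase->prepare("SELECT name FROM networks");
$name_q->execute();
while (my $row = $name_q->fetchrow_hashref()) {
    $allnetworks = "$allnetworks $row->{'name'}";
}
$networks_list = $allnetworks if !$networks_list;
my @networks = split ' ', $networks_list;
# ($forward_to_list from the config is not consulted by this generator.)

# Per-network lookup of address + mask.  The name is bound as a
# placeholder: it comes from the config or from the networks table and
# must not be interpolated into the SQL.
my $net_q = $dbase->prepare("SELECT inet_ntoa(address) AS address, mask FROM networks WHERE name = UPPER(?)");
# The node queries are not restricted by network; every node is tested
# against the current network with matchip().  A node that lies inside
# two listed networks therefore gets its rules generated twice.
my $nodes_q = $dbase->prepare("SELECT inet_ntoa(ipaddr) AS ipaddr FROM nodes WHERE access = 1 ORDER BY ipaddr");
my $blocked_q = $dbase->prepare("SELECT inet_ntoa(ipaddr) AS ipaddr FROM nodes WHERE access = 0 ORDER BY ipaddr");

# Running host number.  Host N gets marks 4000+N (low), 5000+N (std) and
# 6000+N (high), and leaf classes/qdiscs with the same ids; the first
# host is 1.  NOTE(review): with 1000 or more hosts the three ranges
# overlap - a pre-existing limit of the numbering scheme.
my $host_no = 0;

foreach my $key (@networks) {
    $net_q->execute($key);
    while (my $net = $net_q->fetchrow_hashref()) {
        my ($net_addr, $net_mask) = ($net->{'address'}, $net->{'mask'});

        # Hosts with access = 1 in this network: NAT plus the three
        # priority queues.
        $nodes_q->execute();
        while (my $node = $nodes_q->fetchrow_hashref()) {
            my $addr = $node->{'ipaddr'};
            next if !matchip($addr, $net_addr, $net_mask);
            $host_no++;
            my %mark = (
                LOW_PRIO  => 4000 + $host_no,
                STD_PRIO  => 5000 + $host_no,
                HIGH_PRIO => 6000 + $host_no,
            );

            if (exists $iplist{$addr}) {
                # 1:1 NAT to a public address.  Mark rules are emitted for
                # both addresses: inbound packets still carry the public
                # destination when they pass mangle PREROUTING, because
                # the DNAT happens later in nat PREROUTING.
                my $pub = $iplist{$addr};
                print "Dupowaty zew. IP $addr -> $pub\n";
                print COMPLEXSCRIPT "$ipbin -t nat -A POSTROUTING -s $addr -j SNAT --to-source $pub \n";
                print COMPLEXSCRIPT "$ipbin -t nat -A PREROUTING -d $pub -j DNAT --to-destination $addr \n";
                _print_mark_rules($addr, %mark);
                _print_mark_rules($pub, %mark);
            }
            else {
                print COMPLEXSCRIPT "$ipbin -t nat -A POSTROUTING -o eth3 -s $addr -j MASQUERADE\n";
                _print_mark_rules($addr, %mark);
            }

            # Download leaves hang off imq0, upload leaves off eth3; each
            # service class (1:4/1:5/1:6) gets its own per-host ceiling.
            _print_tc_leaf('imq0', '1:4', $mark{LOW_PRIO},  '512kbit',  3);
            _print_tc_leaf('imq0', '1:5', $mark{STD_PRIO},  '512kbit',  4);
            _print_tc_leaf('imq0', '1:6', $mark{HIGH_PRIO}, '1024kbit', 5);
            _print_tc_leaf('eth3', '1:4', $mark{LOW_PRIO},  '128kbit',  3);
            _print_tc_leaf('eth3', '1:5', $mark{STD_PRIO},  '384kbit',  4);
            _print_tc_leaf('eth3', '1:6', $mark{HIGH_PRIO}, '512kbit',  5);
            print COMPLEXSCRIPT "\n";
        }

        # Hosts with access = 0 in this network (same per-network test as
        # above): their HTTP is redirected to 10.0.0.1, presumably a local
        # web server showing a "blocked" page.  The rule is inserted at
        # the top of nat PREROUTING.
        $blocked_q->execute();
        while (my $node = $blocked_q->fetchrow_hashref()) {
            my $addr = $node->{'ipaddr'};
            next if !matchip($addr, $net_addr, $net_mask);
            print "Generuje przekierowanie do blokady dla $addr \n";
            print COMPLEXSCRIPT "$ipbin -t nat -I PREROUTING -p tcp -s $addr --dport 80 -j DNAT --to-destination 10.0.0.1\n\n";
        }
    }
}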
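$dbase->disconnect();
# Buffered write errors (full disk, I/O error) only surface at close();
# a truncated firewall script must not be installed silently.
close(COMPLEXSCRIPT) or die("Fatal error: Error while writing $cfile: $!, exiting.\n");
# Owner and mode are applied after the file has been written, so until
# here it carries whatever the process umask allowed.
# NOTE(review): if the generated script must never be readable by other
# users, set a restrictive umask before it is opened.
chown $cuid, $cgid, $cfile or print "Warning! Unable to set owner of $cfile to $cuid.$cgid.\n";
chmod oct($cperm), $cfile or print "Warning! Unable to set permission $cperm to $cfile.\n";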