|
|
@@ -339,11 +339,11 @@ tc class add dev $dev parent 1: classid 1:1 hfsc sc rate ${rate}kbit ul rate ${r
|
|
|
if [ -n "$halfduplex" ]; then
|
|
|
export dev_up="tc qdisc del dev $device root >&- 2>&-
|
|
|
tc qdisc add dev $device root handle 1: hfsc
|
|
|
-tc filter add dev $device parent 1: protocol ip prio 10 u32 match u32 0 0 flowid 1:1 action mirred egress redirect dev ifb$ifbdev"
|
|
|
+tc filter add dev $device parent 1: prio 10 u32 match u32 0 0 flowid 1:1 action mirred egress redirect dev ifb$ifbdev"
|
|
|
elif [ -n "$download" ]; then
|
|
|
append dev_${dir} "tc qdisc del dev $device ingress >&- 2>&-
|
|
|
tc qdisc add dev $device ingress
|
|
|
-tc filter add dev $device parent ffff: protocol ip prio 1 u32 match u32 0 0 flowid 1:1 action connmark action mirred egress redirect dev ifb$ifbdev" "$N"
|
|
|
+tc filter add dev $device parent ffff: prio 1 u32 match u32 0 0 flowid 1:1 action connmark action mirred egress redirect dev ifb$ifbdev" "$N"
|
|
|
fi
|
|
|
add_insmod cls_fw
|
|
|
add_insmod sch_hfsc
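Review bot: With `protocol ip` dropped from both `tc filter add` lines, the protocol is left to tc's default, which as far as I know is every protocol, so the catch-all `u32 match u32 0 0` now redirects non-IP frames such as ARP to `ifb$ifbdev` along with IPv4 and IPv6. If that is intended, writing `protocol all` explicitly keeps the behaviour independent of the tool's default and makes the intent visible in the generated commands. If only IP traffic should be shaped, a second filter with `protocol ipv6` next to the existing `protocol ip` one would be narrower.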
|
|
|
@@ -400,17 +400,23 @@ start_cg() {
|
|
|
local pktrules
|
|
|
local sizerules
|
|
|
enum_classes "$cg"
|
|
|
- add_rules iptrules "$ctrules" "iptables -t mangle -A qos_${cg}_ct"
|
|
|
+ for command in $iptables; do
|
|
|
+ add_rules iptrules "$ctrules" "$command -w -t mangle -A qos_${cg}_ct"
|
|
|
+ done
|
|
|
config_get classes "$cg" classes
|
|
|
for class in $classes; do
|
|
|
config_get mark "$class" classnr
|
|
|
config_get maxsize "$class" maxsize
|
|
|
[ -z "$maxsize" -o -z "$mark" ] || {
|
|
|
add_insmod xt_length
|
|
|
- append pktrules "iptables -t mangle -A qos_${cg} -m mark --mark $mark/0x0f -m length --length $maxsize: -j MARK --set-mark 0/0xff" "$N"
|
|
|
+ for command in $iptables; do
|
|
|
+ append pktrules "$command -w -t mangle -A qos_${cg} -m mark --mark $mark/0x0f -m length --length $maxsize: -j MARK --set-mark 0/0xff" "$N"
|
|
|
+ done
|
|
|
}
|
|
|
done
|
|
|
- add_rules pktrules "$rules" "iptables -t mangle -A qos_${cg}"
|
|
|
+ for command in $iptables; do
|
|
|
+ add_rules pktrules "$rules" "$command -w -t mangle -A qos_${cg}"
|
|
|
+ done
|
|
|
for iface in $INTERFACES; do
|
|
|
config_get classgroup "$iface" classgroup
|
|
|
config_get device "$iface" device
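Review bot: The same `$ctrules` and `$rules` text is handed to `add_rules` once per entry in `$iptables`, so every configured rule is emitted for both `ip6tables` and `iptables`. `add_rules` is outside this hunk, but if it can produce address-family-specific matches (for example an IPv4 source or destination host), the `ip6tables` copy of that rule will be rejected when the generated script runs and the classification will apply to IPv4 only. A comment above the first loop such as `# rules are emitted once per family; family-specific matches will fail on the other family` would document this, or the rules could be filtered per family inside `add_rules`. start_cg begins before and continues past this hunk.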
|
|
|
@@ -419,18 +425,40 @@ start_cg() {
|
|
|
config_get download "$iface" download
|
|
|
config_get halfduplex "$iface" halfduplex
|
|
|
download="${download:-${halfduplex:+$upload}}"
|
|
|
- append up "iptables -t mangle -A OUTPUT -o $device -j qos_${cg}" "$N"
|
|
|
- append up "iptables -t mangle -A FORWARD -o $device -j qos_${cg}" "$N"
|
|
|
+ for command in $iptables; do
|
|
|
+ append up "$command -w -t mangle -A OUTPUT -o $device -j qos_${cg}" "$N"
|
|
|
+ append up "$command -w -t mangle -A FORWARD -o $device -j qos_${cg}" "$N"
|
|
|
+ done
|
|
|
done
|
|
|
cat <<EOF
|
|
|
$INSMOD
|
|
|
-iptables -t mangle -N qos_${cg} >&- 2>&-
|
|
|
-iptables -t mangle -N qos_${cg}_ct >&- 2>&-
|
|
|
-${iptrules:+${iptrules}${N}iptables -t mangle -A qos_${cg}_ct -j CONNMARK --save-mark --mask 0xff}
|
|
|
-iptables -t mangle -A qos_${cg} -j CONNMARK --restore-mark --mask 0x0f
|
|
|
-iptables -t mangle -A qos_${cg} -m mark --mark 0/0x0f -j qos_${cg}_ct
|
|
|
+EOF
|
|
|
+
|
|
|
+for command in $iptables; do
|
|
|
+ cat <<EOF
|
|
|
+ $command -w -t mangle -N qos_${cg}
|
|
|
+ $command -w -t mangle -N qos_${cg}_ct
|
|
|
+EOF
|
|
|
+done
|
|
|
+cat <<EOF
|
|
|
+ ${iptrules:+${iptrules}${N}}
|
|
|
+EOF
|
|
|
+for command in $iptables; do
|
|
|
+ cat <<EOF
|
|
|
+ $command -w -t mangle -A qos_${cg}_ct -j CONNMARK --save-mark --mask 0xff
|
|
|
+ $command -w -t mangle -A qos_${cg} -j CONNMARK --restore-mark --mask 0x0f
|
|
|
+ $command -w -t mangle -A qos_${cg} -m mark --mark 0/0x0f -j qos_${cg}_ct
|
|
|
+EOF
|
|
|
+done
|
|
|
+cat <<EOF
|
|
|
$pktrules
|
|
|
-${iptrules:+${iptrules}${N}iptables -t mangle -A qos_${cg} -j CONNMARK --save-mark --mask 0xff}
|
|
|
+EOF
|
|
|
+for command in $iptables; do
|
|
|
+ cat <<EOF
|
|
|
+ $command -w -t mangle -A qos_${cg} -j CONNMARK --save-mark --mask 0xff
|
|
|
+EOF
|
|
|
+done
|
|
|
+cat <<EOF
|
|
|
$up$N${down:+${down}$N}
|
|
|
EOF
|
|
|
unset INSMOD
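Review bot: The two `--save-mark` lines used to sit inside `${iptrules:+…}` and were emitted only when `iptrules` was non-empty; in the new here-documents they are printed unconditionally for every entry in `$iptables`, which changes the generated ruleset when no connection-tracking rules are configured. If that is deliberate it deserves a comment; otherwise those two lines should be guarded by a test on `$iptrules`, while the `--restore-mark` and `-j qos_${cg}_ct` lines stay unconditional as before. The new `-N` lines also lose the `>&- 2>&-` redirection the old ones had, so a run against already existing chains will now print errors; `$command -w -t mangle -N qos_${cg} >&- 2>&-` keeps the old behaviour. start_cg's body starts before this hunk.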
|
|
|
@@ -450,20 +478,22 @@ stop_firewall() {
|
|
|
# remove rules referring to them, then delete them
|
|
|
|
|
|
# Print rules in the mangle table, like iptables-save
|
|
|
- iptables -t mangle -S |
|
|
|
- # Find rules for the qos_* chains
|
|
|
- grep '^-N qos_\|-j qos_' |
|
|
|
- # Exclude rules in qos_* chains (inter-qos_* refs)
|
|
|
- grep -v '^-A qos_' |
|
|
|
- # Replace -N with -X and hold, with -F and print
|
|
|
- # Replace -A with -D
|
|
|
- # Print held lines at the end (note leading newline)
|
|
|
- sed -e '/^-N/{s/^-N/-X/;H;s/^-X/-F/}' \
|
|
|
- -e 's/^-A/-D/' \
|
|
|
- -e '${p;g}' |
|
|
|
- # Make into proper iptables calls
|
|
|
- # Note: awkward in previous call due to hold space usage
|
|
|
- sed -n -e 's/^./iptables -t mangle &/p'
|
|
|
+ for command in $iptables; do
|
|
|
+ $command -w -t mangle -S |
|
|
|
+ # Find rules for the qos_* chains
|
|
|
+ grep -E '(^-N qos_|-j qos_)' |
|
|
|
+ # Exclude rules in qos_* chains (inter-qos_* refs)
|
|
|
+ grep -v '^-A qos_' |
|
|
|
+ # Replace -N with -X and hold, with -F and print
|
|
|
+ # Replace -A with -D
|
|
|
+ # Print held lines at the end (note leading newline)
|
|
|
+ sed -e '/^-N/{s/^-N/-X/;H;s/^-X/-F/}' \
|
|
|
+ -e 's/^-A/-D/' \
|
|
|
+ -e '${p;g}' |
|
|
|
+ # Make into proper iptables calls
|
|
|
+ # Note: awkward in previous call due to hold space usage
|
|
|
+ sed -n -e "s/^./${command} -w -t mangle &/p"
|
|
|
+ done
|
|
|
}
|
|
|
|
|
|
C="0"
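Review bot: The last `sed` expression is now double-quoted so that `${command}` is expanded into the replacement text, which means the shell rather than sed decides what ends up in the emitted commands. That is safe only while `$iptables` holds the fixed words assigned near the bottom of the script; a value containing `/`, `&` or a backslash would break or alter the expression. I would add a comment above the loop, `# $command is one of the literal names in $iptables; it is spliced into sed and into the emitted commands`, so the list is not made configurable later without revisiting this line. stop_firewall begins before this hunk.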
|
|
|
@@ -478,6 +508,12 @@ for iface in $INTERFACES; do
|
|
|
export C="$(($C + 1))"
|
|
|
done
|
|
|
|
|
|
+[ -x /usr/sbin/ip6tables ] && {
|
|
|
+ iptables="ip6tables iptables"
|
|
|
+} || {
|
|
|
+ iptables="iptables"
|
|
|
+}
|
|
|
+
|
|
|
case "$1" in
|
|
|
all)
|
|
|
start_interfaces "$C"
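Review bot: `[ -x /usr/sbin/ip6tables ] && { … } || { … }` is the `a && b || c` form, which runs the third block whenever the second returns non-zero; it is harmless here only because that block is a single assignment. An explicit `if [ -x /usr/sbin/ip6tables ]; then iptables="ip6tables iptables"; else iptables="iptables"; fi` says the same without the trap. The test also only proves that the binary exists at that path, not that the IPv6 mangle table is usable, so on a system without it every emitted `ip6tables` command will fail when the generated script runs. The `case` statement continues past this hunk.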
|