--- htb.init.old 2004-01-29 22:41:23.000000000 +0100
+++ htb.init 2006-09-07 23:32:58.000000000 +0200
@@ -275,6 +284,7 @@
### Filtering parameters
#
# RULE=[[saddr[/prefix]][:port[/mask]],][daddr[/prefix]][:port[/mask]]
+# RULEIPv6=[[saddr[/prefix]][_port[/mask]],][daddr[/prefix]][_port[/mask]]
#
# These parameters make up "u32" filter rules that select traffic for
# each of the classes. You can use multiple RULE fields per config.
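Review bot: The added `RULEIPv6` syntax line separates the port with `_` where `RULE` uses `:`, but the comment never says so or explains why. The only IPv6 example added in the next hunk has no port, so someone copying the IPv4 form would write `addr:80` and the parser would treat it as part of the address. I would add a line such as `# Note: RULEIPv6 uses "_" before the port because ":" is part of the address`, and a port example such as `# RULEIPv6=3ffe:80fe:c28:1:45d1:3a1:5e2b:e6c8_80`.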
@@ -300,9 +310,13 @@
# RULE=10.5.5.5:80,
# selects traffic going from port 80 of single host 10.5.5.5
#
+# RULEIPv6=3ffe:80fe:c28:1:45d1:3a1:5e2b:e6c8
+# selects traffic going to IPv6 host 3ffe:80fe:c28:1:45d1:3a1:5e2b:e6c8
+#
#
#
# REALM=[srealm,][drealm]
+# REALMIPv6=[srealm,][drealm]
#
# These parameters make up "route" filter rules that classify traffic
# according to packet source/destination realms. For information about
@@ -327,6 +341,7 @@
#
#
# MARK=<mark>
+# MARKIPv6=<mark>
#
# These parameters make up "fw" filter rules that select traffic for
# each of the classes accoring to firewall "mark". Mark is a decimal
@@ -414,6 +429,9 @@
PRIO_RULE_DEFAULT=${PRIO_RULE:-100}
PRIO_MARK_DEFAULT=${PRIO_MARK:-200}
PRIO_REALM_DEFAULT=${PRIO_REALM:-300}
+PRIO_RULEIPv6=${PRIO_RULEIPv6:-150}
+PRIO_MARKIPv6=${PRIO_MARKIPv6:-250}
+PRIO_REALMIPv6=${PRIO_REALMIPv6:-350}
### Default HTB_PATH & HTB_CACHE settings
HTB_PATH=${HTB_PATH:-/etc/sysconfig/htb}
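Review bot: The new priorities are assigned straight to the names the filter loops read (`PRIO_RULEIPv6`, `PRIO_MARKIPv6`), while the IPv4 lines just above populate `PRIO_*_DEFAULT`. If the script resets the working `PRIO_RULE`/`PRIO_MARK`/`PRIO_REALM` from those defaults for each class file (that code is not visible here), a per-class override of an IPv6 priority would carry over to every class processed afterwards. Following the existing pattern, e.g. `PRIO_RULEIPv6_DEFAULT=${PRIO_RULEIPv6:-150}` with the matching per-class reset, would keep the two address families consistent.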
@@ -818,6 +838,13 @@
prio $PRIO_MARK handle $mark fw classid 1:$CLASS
done ### mark
+ ### Create fw filter for MARKIPv6 fields
+ for mark in `htb_cfile_rules MARKIPv6`; do
+ ### Attach fw filter to root class
+ tc filter add dev $DEVICE parent 1:0 protocol ipv6 \
+ prio $PRIO_MARKIPv6 handle $mark fw classid 1:$CLASS
+ done ### markipv6
+
### Create route filter for REALM fields
for realm in `htb_cfile_rules REALM`; do
### Split realm into source & destination realms
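Review bot: The unquoted command substitution in `for mark in ...` undergoes pathname expansion as well as word splitting. The REALMIPv6 and RULEIPv6 loops in the following hunks use the same construct, and there `*` is an explicitly accepted value ("Convert asterisks to empty strings"). A config value containing `*` can therefore be replaced by matching file names from the current directory before it is parsed, which silently changes the filter that gets installed. Disabling globbing around the loops with `set -f` ... `set +f`, and quoting the scalars (`dev "$DEVICE"`, `handle "$mark"`), keeps the values literal. This mirrors the existing IPv4 loops, whose code lies outside the hunk.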
@@ -833,6 +860,21 @@
${DREALM:+to $DREALM} classid 1:$CLASS
done ### realm
+ ### Create route filter for REALMIPv6 fields
+ for realm in `htb_cfile_rules REALMIPv6`; do
+ ### Split realm into source & destination realms
+ SREALM=${realm%%,*}; DREALM=${realm##*,}
+ [ "$SREALM" = "$DREALM" ] && SREALM=""
+
+ ### Convert asterisks to empty strings
+ SREALM=${SREALM#\*}; DREALM=${DREALM#\*}
+
+ ### Attach route filter to the root class
+ tc filter add dev $DEVICE parent 1:0 protocol ipv6 \
+ prio $PRIO_REALM route ${SREALM:+from $SREALM} \
+ ${DREALM:+to $DREALM} classid 1:$CLASS
+ done ### realmipv6
+
### Create u32 filter for RULE fields
for rule in `htb_cfile_rules RULE`; do
### Split rule into source & destination
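Review bot: The REALMIPv6 filter is attached with `prio $PRIO_REALM`, not the `PRIO_REALMIPv6` this patch introduces, so that variable is never read in the hunks shown. The IPv6 route filter therefore lands on the same priority as the IPv4 one. As far as I know, tc rejects a filter whose protocol differs from the one already registered at that priority on the same parent, so a class with both REALM and REALMIPv6 would likely fail to load. The line should read `prio $PRIO_REALMIPv6 route ${SREALM:+from $SREALM} \`. It is also worth confirming that route realms are populated for IPv6 routes on the target kernel, since otherwise this filter never matches.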
@@ -876,6 +918,49 @@
prio $PRIO_RULE u32 $u32_s $u32_d classid 1:$CLASS
done ### rule
+ ### Create u32 filter for RULEIPv6 fields
+ for rule in `htb_cfile_rules RULEIPv6`; do
+ ### Split rule into source & destination
+ SRC=${rule%%,*}; DST=${rule##*,}
+ [ "$SRC" = "$rule" ] && SRC=""
+
+
+ ### Split destination into address, port & mask fields
+ DADDR=${DST%%_*}; DTEMP=${DST##*_}
+ [ "$DADDR" = "$DST" ] && DTEMP=""
+
+ DPORT=${DTEMP%%/*}; DMASK=${DTEMP##*/}
+ [ "$DPORT" = "$DTEMP" ] && DMASK="0xffff"
+
+
+ ### Split up source (if specified)
+ SADDR=""; SPORT=""
+ if [ -n "$SRC" ]; then
+ SADDR=${SRC%%_*}; STEMP=${SRC##*_}
+ [ "$SADDR" = "$SRC" ] && STEMP=""
+
+ SPORT=${STEMP%%/*}; SMASK=${STEMP##*/}
+ [ "$SPORT" = "$STEMP" ] && SMASK="0xffff"
+ fi
+
+
+ ### Convert asterisks to empty strings
+ SADDR=${SADDR#\*}; DADDR=${DADDR#\*}
+
+ ### Compose u32 filter rules
+ u32_s="${SPORT:+match ip6 sport $SPORT $SMASK}"
+ u32_s="${SADDR:+match ip6 src $SADDR} $u32_s"
+ u32_d="${DPORT:+match ip6 dport $DPORT $DMASK}"
+ u32_d="${DADDR:+match ip6 dst $DADDR} $u32_d"
+
+ ### Uncomment the following if you want to see parsed rules
+ #echo "$rule: $u32_s $u32_d"
+
+ ### Attach u32 filter to the appropriate class
+ tc filter add dev $DEVICE parent 1:0 protocol ipv6 \
+ prio $PRIO_RULEIPv6 u32 $u32_s $u32_d classid 1:$CLASS
+ done ### ruleipv6
+
[ "$1" = "compile" ] && echo
done ### classfile
;;
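Review bot: The `match ip6 sport` / `match ip6 dport` terms composed into `u32_s` and `u32_d` are, as far as I know, fixed-offset matches directly after the 40-byte IPv6 header, with no check of the next-header field. A packet carrying extension headers, or one that is not TCP/UDP, is then compared at the wrong bytes and can miss its class or land in another one, which matters if the shaping is relied on as a policy control. I would document this above "Compose u32 filter rules", e.g. `### NOTE: ip6 sport/dport assume no extension headers and do not check the protocol`, and point users who need robust port classification to the fw-mark path (`MARKIPv6`). The enclosing class-file loop begins outside the hunk.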