--- a/htb.init +++ b/htb.init @@ -275,6 +284,7 @@ ### Filtering parameters # # RULE=[[saddr[/prefix]][:port[/mask]],][daddr[/prefix]][:port[/mask]] +# RULEIPv6=[[saddr[/prefix]][_port[/mask]],][daddr[/prefix]][_port[/mask]] # # These parameters make up "u32" filter rules that select traffic for # each of the classes. You can use multiple RULE fields per config. @@ -300,9 +310,13 @@ # RULE=10.5.5.5:80, # selects traffic going from port 80 of single host 10.5.5.5 # +# RULEIPv6=3ffe:80fe:c28:1:45d1:3a1:5e2b:e6c8 +# selects traffic going to IPv6 host 3ffe:80fe:c28:1:45d1:3a1:5e2b:e6c8 +# # # # REALM=[srealm,][drealm] +# REALMIPv6=[srealm,][drealm] # # These parameters make up "route" filter rules that classify traffic # according to packet source/destination realms. For information about @@ -327,6 +341,7 @@ # # # MARK= +# MARKIPv6= # # These parameters make up "fw" filter rules that select traffic for # each of the classes accoring to firewall "mark". Mark is a decimal @@ -414,6 +429,9 @@ PRIO_RULE_DEFAULT=${PRIO_RULE:-100} PRIO_MARK_DEFAULT=${PRIO_MARK:-200} PRIO_REALM_DEFAULT=${PRIO_REALM:-300} +PRIO_RULEIPv6=${PRIO_RULEIPv6:-150} +PRIO_MARKIPv6=${PRIO_MARKIPv6:-250} +PRIO_REALMIPv6=${PRIO_REALMIPv6:-350} ### Default HTB_PATH & HTB_CACHE settings HTB_PATH=${HTB_PATH:-/etc/sysconfig/htb} @@ -818,6 +838,13 @@ prio $PRIO_MARK handle $mark fw classid 1:$CLASS done ### mark + ### Create fw filter for MARKIPv6 fields + for mark in `htb_cfile_rules MARKIPv6`; do + ### Attach fw filter to root class + tc filter add dev $DEVICE parent 1:0 protocol ipv6 \ + prio $PRIO_MARKIPv6 handle $mark fw classid 1:$CLASS + done ### markipv6 + ### Create route filter for REALM fields for realm in `htb_cfile_rules REALM`; do ### Split realm into source & destination realms @@ -833,6 +860,21 @@ ${DREALM:+to $DREALM} classid 1:$CLASS done ### realm + ### Create route filter for REALMIPv6 fields + for realm in `htb_cfile_rules REALMIPv6`; do + ### Split realm into source & destination realms + SREALM=${realm%%,*}; DREALM=${realm##*,} + [ "$SREALM" = "$DREALM" ] && SREALM="" + + ### Convert asterisks to empty strings + SREALM=${SREALM#\*}; DREALM=${DREALM#\*} + + ### Attach route filter to the root class + tc filter add dev $DEVICE parent 1:0 protocol ipv6 \ + prio $PRIO_REALM route ${SREALM:+from $SREALM} \ + ${DREALM:+to $DREALM} classid 1:$CLASS + done ### realmipv6 + ### Create u32 filter for RULE fields for rule in `htb_cfile_rules RULE`; do ### Split rule into source & destination @@ -876,6 +918,49 @@ prio $PRIO_RULE u32 $u32_s $u32_d classid 1:$CLASS done ### rule + ### Create u32 filter for RULEIPv6 fields + for rule in `htb_cfile_rules RULEIPv6`; do + ### Split rule into source & destination + SRC=${rule%%,*}; DST=${rule##*,} + [ "$SRC" = "$rule" ] && SRC="" + + + ### Split destination into address, port & mask fields + DADDR=${DST%%_*}; DTEMP=${DST##*_} + [ "$DADDR" = "$DST" ] && DTEMP="" + + DPORT=${DTEMP%%/*}; DMASK=${DTEMP##*/} + [ "$DPORT" = "$DTEMP" ] && DMASK="0xffff" + + + ### Split up source (if specified) + SADDR=""; SPORT="" + if [ -n "$SRC" ]; then + SADDR=${SRC%%_*}; STEMP=${SRC##*_} + [ "$SADDR" = "$SRC" ] && STEMP="" + + SPORT=${STEMP%%/*}; SMASK=${STEMP##*/} + [ "$SPORT" = "$STEMP" ] && SMASK="0xffff" + fi + + + ### Convert asterisks to empty strings + SADDR=${SADDR#\*}; DADDR=${DADDR#\*} + + ### Compose u32 filter rules + u32_s="${SPORT:+match ip6 sport $SPORT $SMASK}" + u32_s="${SADDR:+match ip6 src $SADDR} $u32_s" + u32_d="${DPORT:+match ip6 dport $DPORT $DMASK}" + u32_d="${DADDR:+match ip6 dst $DADDR} $u32_d" + + ### Uncomment the following if you want to see parsed rules + #echo "$rule: $u32_s $u32_d" + + ### Attach u32 filter to the appropriate class + tc filter add dev $DEVICE parent 1:0 protocol ipv6 \ + prio $PRIO_RULEIPv6 u32 $u32_s $u32_d classid 1:$CLASS + done ### ruleipv6 + [ "$1" = "compile" ] && echo done ### classfile ;;