[ongolaboy.git] / scripts / qos / regles.bacgl

#!/bin/sh

IF_INTERNET=eth0.2
NET_BACGL=195.24.196.112/28
NET_BACGL2=195.24.195.224/29
NET_DMZ_Priv=192.168.10.0/24
NET_DMZ_Partenaire_Priv=192.168.11.0/24
IP_VISIO_Dir=195.24.196.124
IP_VISIO_Reu=195.24.196.125
IP_VISIO_Form=195.24.196.126
IP_Pub_SOGo=195.24.196.116
IP_Pub_VOIP=195.24.196.117


modprobe ifb numifbs=1

ip link set up ifb0

#pour tout supprimer
# tc qdisc dev $IF_INTERNET ingress
# tc qdisc del dev ifb0 root handle 1:

tc qdisc add dev  $IF_INTERNET ingress

#la version IPv6 ??
#tc filter add dev $IF_INTERNET parent ffff: protocol ip prio 1 u32 \
#       match ip6 dst $NET6_BACGL \
#       flowid 1:1 action mirred egress redirect dev ifb0

tc filter add dev $IF_INTERNET parent ffff: protocol ip prio 1 u32 \
        match ip dst $NET_BACGL \
        flowid 1:1 action mirred egress redirect dev ifb0

tc filter add dev $IF_INTERNET parent ffff: protocol ip prio 1 u32 \
        match ip dst $NET_BACGL2 \
        flowid 1:1 action mirred egress redirect dev ifb0

echo "Création de classes"
echo "Création de la racine"

tc qdisc add dev ifb0 root handle 1: htb default 190

# premiere classe fille qui agrège tout le traffic
tc class add dev ifb0 parent 1: classid 1:1 htb rate 9882kbit ceil 10000kbit

# creation des classes enfants
# classe VOIP
tc class add dev ifb0 parent 1:1 classid 1:11 htb rate 128kbit \
        ceil 256kbit prio 1

#groupe des visios
tc class add dev ifb0 parent 1:1 classid 1:12 htb rate 3000kbit \
        ceil 3500kbit prio 3

# groupe DMZ Pub
tc class add dev ifb0 parent 1:1 classid 1:13 htb rate 150kbit \
        ceil 1000kbit prio 2

# groupe DMZ Priv
tc class add dev ifb0 parent 1:1 classid 1:14 htb rate 1000kbit \
        ceil 2000kbit prio 2

# groupe DMZ Partenaire Priv
tc class add dev ifb0 parent 1:1 classid 1:15 htb rate 100kbit \
        ceil 512kbit prio 4

# groupe DMZ Partenaire Pub
tc class add dev ifb0 parent 1:1 classid 1:16 htb rate 100kbit \
        ceil 512kbit prio 4

# sonde RIPE
tc class add dev ifb0 parent 1:1 classid 1:17 htb rate 100kbit \
        ceil 512kbit prio 1

# groupe PC
tc class add dev ifb0 parent 1:1 classid 1:20 htb rate 5304kbit \
        ceil 9000kbit prio 4

#A l'interieur des PC on a les sous-classes suivantes
# groupe prof
tc class add dev ifb0 parent 1:20 classid 1:132 htb rate 768kbit \
        ceil 1500kbit prio 8

# groupe foad
tc class add dev ifb0 parent 1:20 classid 1:133 htb rate 768kbit \
        ceil 1500kbit prio 7

# groupe cai
tc class add dev ifb0 parent 1:20 classid 1:131 htb rate 1000kbit \
        ceil 4000kbit prio 7

# groupe formation
tc class add dev ifb0 parent 1:20 classid 1:130 htb rate 1000kbit \
        ceil 5000kbit prio 6

# groupe nomade
tc class add dev ifb0 parent 1:20 classid 1:125 htb rate 768kbit \
        ceil 3500kbit prio 8

# groupe personnel
tc class add dev ifb0 parent 1:20 classid 1:120 htb rate 100kbit \
        ceil 256kbit prio 5

# groupe le reste
tc class add dev ifb0 parent 1:14 classid 1:190 htb rate 10kbit \
        ceil 64kbit prio 9


# ordonnanceurs par classe
for id in 120 {130..133} 190
do
        tc qdisc add dev ifb0 parent 1:$id handle $id: sfq perturb 10
done
#tc qdisc add dev ifb0 parent 1:11 handle 11: sfq perturb 10
#tc qdisc add dev ifb0 parent 1:12 handle 12: sfq perturb 10

# mise en place des filtres
# VOIP
tc filter add dev ifb0 protocol ip parent 1:0 prio 1 u32 \
        match ip protocol 17 0xff \
        match ip sport 4569 0xffff flowid 1:11

tc filter add dev ifb0 protocol ip parent 1:0 prio 1 u32 \
        match ip protocol 17 0xff \
        match ip dport 4569 0xffff flowid 1:11

# Visio
#mettre le masque IPvisio/28
tc filter add dev ifb0 protocol ip parent 1:0 prio 1 u32 \
        match ip src $IP_VISIO_Dir/28 flowid 1:12
tc filter add dev ifb0 protocol ip parent 1:0 prio 1 u32 \
        match ip src $IP_VISIO_Reu/28 flowid 1:12
tc filter add dev ifb0 protocol ip parent 1:0 prio 1 u32 \
        match ip src $IP_VISIO_Form/28 flowid 1:12

# specifique à la DMZ
# DMZ Pub
tc filter add dev ifb0 protocol ip parent 1:0 prio 1 u32 \
        match ip src $IP_Pub_SOGo/28 flowid 1:13

tc filter add dev ifb0 protocol ip parent 1:0 prio 1 u32 \
        match ip src $IP_Pub_VOIP/28 flowid 1:13

# DMZ Priv
tc filter add dev ifb0 protocol ip parent 1:0 prio 1 u32 \
        match ip src $NET_DMZ_Priv flowid 1:14

#DMZ partenaire priv
tc filter add dev ifb0 protocol ip parent 1:0 prio 1 u32 \
        match ip src $NET_DMZ_Partenaire_Priv flowid 1:15

#DMZ partenaire pub .. Est-ce que ça vaut vraiment la peine ?

#sonde RIPE
tc filter add ifb0 parent 1:0 protocol ip  prio 1 handle 35 fw classid 1:16

# salle prof
tc filter add dev ifb0 protocol ip parent 1: prio 1 handle 32 fw flowid 1:132

# salle foad
tc filter add dev ifb0 protocol ip parent 1: prio 1 handle 33 fw flowid 1:133

# salle cai
tc filter add dev ifb0 protocol ip parent 1: prio 1 handle 31 fw flowid 1:131

# salle formation
tc filter add dev ifb0 protocol ip parent 1: prio 1 handle 20 fw flowid 1:120

# réseau nomade
tc filter add dev ifb0 protocol ip parent 1: prio 1 handle 25 fw flowid 1:125

# réseau personnel AUF
tc filter add dev ifb0 protocol ip parent 1: prio 1 handle 20 fw flowid 1:120

# le reste ... bah par défaut tout ira dans la classe 1:190

#les règles iptables à mettre en place sur fw
# un exemple avec la sonde
# iptables -t mangle -A PREROUTING -s 192.168.35.0/24 -j MARK --set-mark 0x35
#iptables -t mangle -A PREROUTING -s 192.168.35.0/24 -j RETURN
#
# et ainsi de suite