From b3a74d32335c60fd8d0dc2b1bff20e4e004e48c7 Mon Sep 17 00:00:00 2001
From: Valentin Samir
Date: Fri, 5 Oct 2012 17:15:00 +0200
Subject: [PATCH] [firewall_new] On limite l'upload des appartements ENS
Ignore-this: d684765f44d3a1ed757985421c51f14b
darcs-hash:20121005151500-3a55a-997c16ca303b52c0335e6192ecf4a64bf3736ff3.gz
---
 gestion/gen_confs/firewall_new.py | 30 ++++++++++++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)
diff --git a/gestion/gen_confs/firewall_new.py b/gestion/gen_confs/firewall_new.py
index b2e89c5b..817a8c0b 100755
--- a/gestion/gen_confs/firewall_new.py
+++ b/gestion/gen_confs/firewall_new.py
@@ -1372,6 +1372,8 @@ class firewall_sable(firewall_redisdead):
 for port in accueil_route[ip]:
 iptables("-A FORWARD -p tcp -d %s --dport %s -j ACCEPT" % (ip,port))
 iptables("-A FORWARD -p tcp -s %s --sport %s -j ACCEPT" % (ip,port))
+ iptables("-A FORWARD -s %s -j ACCEPT" % NETs['personnel-ens'][0])
+ iptables("-A FORWARD -d %s -j ACCEPT" % NETs['personnel-ens'][0])
 def mangle_table(self):
 iptables("-t mangle -F PREROUTING")
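Review bot: The two FORWARD rules added after the accueil loop accept every forwarded packet whose source or destination falls in `NETs['personnel-ens'][0]`, with no `-i`/`-o` interface binding and no conntrack state, so a packet arriving from any other segment that carries a spoofed source in that range is forwarded too. Binding each rule to the interface the network actually sits on, e.g. `iptables("-A FORWARD -i <PERSONNEL_ENS_IF> -s %s -j ACCEPT" % NETs['personnel-ens'][0])` and `iptables("-A FORWARD -o <PERSONNEL_ENS_IF> -d %s -j ACCEPT" % NETs['personnel-ens'][0])`, keeps the accept tied to the expected path (`<PERSONNEL_ENS_IF>` is a placeholder; the patch does not name the VLAN interface of this network). Only element `[0]` of the list is used here, while the mangle hunk below iterates over all of `NETs['personnel-ens']`; if the list can hold more than one prefix, the remaining entries get no FORWARD rule. The method these rules belong to starts before this hunk.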
@@ -1382,13 +1384,37 @@ class firewall_sable(firewall_redisdead):
 "-m mac --mac-source %s " % mac_komaz +
 "-j MARK --set-mark %s" % conf_fw.mark['proxy'])
 iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
+ #classification des personnels ens
+ for net in NETs['personnel-ens']:
+ # pas de limitation en download
+ #iptables("-t mangle -A POSTROUTING -d %(net)s "
+ # "-j CLASSIFY --set-class 1:9998" % locals())
+ iptables("-t mangle -A POSTROUTING -s %(net)s "
+ "-j CLASSIFY --set-class 1:9998" % locals())
+ warn=''
+ for interface in ["eth0.21"]:
+ # On vide les classes et qdisc
+ try:
+ tc("qdisc del dev %s root" % interface)
+ except TcError, c:
+ warn += str(c) + '\n'
+ # On construit les classes et qdisc de base
+ # La partie principale qui définit le comportement par défaut
+ tc("qdisc add dev %(interface)s root handle 1: htb r2q 1" % locals())
+ tc("class add dev %(interface)s parent 1: classid 1:1 "
+ "htb rate 128kbps ceil 128kbps" % locals())
+ tc("class add dev %(interface)s parent 1:1 classid 1:9998 "
+ "htb rate 128kbps ceil 128kbps prio 1" % locals())
+ tc("qdisc add dev %(interface)s parent 1:9998 "
+ "handle 9998: sfq perturb 10" % locals())
+ print warn
 def nat_table(self):
 firewall_redisdead.nat_table(self)
 # Proxy transparent pour le filiaire
- iptables("-t nat -I PREROUTING -i eth0.2 -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
-
+ iptables("-t nat -A PREROUTING -i eth0.2 -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
+ iptables("-t nat -A POSTROUTING -s %s -j MASQUERADE" % NETs['personnel-ens'][0])
 if_defaut = "eth0"
 if_radin = "eth0.%d" % vlans["radin"]
 if_accueil = "eth0.%d" % vlans["accueil"]
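Review bot: Switching the proxy-mark rule in nat_table from `-I PREROUTING` to `-A PREROUTING` moves it from the head of the chain to after whatever `firewall_redisdead.nat_table(self)` has already appended, so if the parent installs a REDIRECT or DNAT for the same traffic the marked packets no longer bypass it; this looks like an ordering change unrelated to the upload limit and the commit message does not mention it, so it deserves either a revert to `-I` or a comment explaining why appending is now correct. The new MASQUERADE rule carries no `-o` restriction, so traffic from the network is source-rewritten on every egress interface, internal ones included; `iptables("-t nat -A POSTROUTING -s %s -o <UPLINK_IF> -j MASQUERADE" % NETs['personnel-ens'][0])` with the real uplink name in place of the placeholder confines it to the external path. As in the FORWARD hunk, nat uses only `[0]` while the mangle CLASSIFY loop covers every entry of `NETs['personnel-ens']`. `print warn` also emits a blank line when no tc error was collected, and the `qdisc del` failure on a host with no root qdisc yet is expected, so `if warn: print warn` would keep the output to real errors. The mangle_table body that the leading context lines belong to starts before this hunk.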