[firewall_new] On limite l'upload des appartements ENS

Ignore-this: d684765f44d3a1ed757985421c51f14b darcs-hash:20121005151500-3a55a-997c16ca303b52c0335e6192ecf4a64bf3736ff3.gz
2012-10-05 17:15:00 +02:00 · 2012-10-05 17:15:00 +02:00 · b3a74d3233
commit b3a74d3233
parent f069f4cb51
1 changed files with 28 additions and 2 deletions
--- a/gestion/gen_confs/firewall_new.py
+++ b/gestion/gen_confs/firewall_new.py
@ -1372,6 +1372,8 @@ class firewall_sable(firewall_redisdead):
          for port in accueil_route[ip]:
           iptables("-A FORWARD -p tcp -d %s --dport %s -j ACCEPT" % (ip,port))
           iptables("-A FORWARD -p tcp -s %s --sport %s -j ACCEPT" % (ip,port))
+        iptables("-A FORWARD -s %s -j ACCEPT" % NETs['personnel-ens'][0])
+        iptables("-A FORWARD -d %s -j ACCEPT" % NETs['personnel-ens'][0])

    def mangle_table(self):
        iptables("-t mangle -F PREROUTING")
@ -1382,13 +1384,37 @@ class firewall_sable(firewall_redisdead):
                 "-m mac --mac-source %s " % mac_komaz +
                 "-j MARK --set-mark %s" % conf_fw.mark['proxy'])
        iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
+        #classification des personnels ens
+        for net in NETs['personnel-ens']:
+            # pas de limitation en download
+            #iptables("-t mangle -A POSTROUTING -d %(net)s "
+            #        "-j CLASSIFY --set-class 1:9998" % locals())
+            iptables("-t mangle -A POSTROUTING -s %(net)s "
+                     "-j CLASSIFY --set-class 1:9998" % locals())
+        warn=''
+        for interface in ["eth0.21"]:
+            # On vide les classes et qdisc
+            try:
+                tc("qdisc del dev %s root" % interface)
+            except TcError, c:
+                warn += str(c) + '\n'
+            # On construit les classes et qdisc de base
+            # La partie principale qui définit le comportement par défaut
+            tc("qdisc add dev %(interface)s root handle 1: htb r2q 1" % locals())
+            tc("class add dev %(interface)s parent 1: classid 1:1 "
+               "htb rate 128kbps ceil 128kbps" % locals())
+            tc("class add dev %(interface)s parent 1:1 classid 1:9998 "
+                   "htb rate 128kbps ceil 128kbps prio 1" % locals())
+            tc("qdisc add dev %(interface)s parent 1:9998 "
+                   "handle 9998: sfq perturb 10" % locals())
+        print warn


    def nat_table(self):
        firewall_redisdead.nat_table(self)
        # Proxy transparent pour le filiaire
-        iptables("-t nat -I PREROUTING -i eth0.2 -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
-
+        iptables("-t nat -A PREROUTING -i eth0.2 -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
+        iptables("-t nat -A POSTROUTING -s %s -j MASQUERADE" % NETs['personnel-ens'][0])
        if_defaut = "eth0"
        if_radin = "eth0.%d" % vlans["radin"]
        if_accueil = "eth0.%d" % vlans["accueil"]