Took a stab at porting over the old shell based diffserv code

Didn't quite finish by any respect. But I'm thinking that
fw rules, classification, nat, and AQM all have to be
in the same langauge with the same assumptions throughout.

wip/iptables/ame.conf

@@ -0,0 +1,142 @@
+# Diffserv Configuration File
+
+WIRELESS_DEVS="wlan0"
+WIRED_DEVS="se+ ge+"
+
+DEBUG_LOG=/dev/null
+PRIOIP=
+PRIOIPV6=
+
+# IP addresses of the VoIP phones,
+# if none, set VOIPIPS=""
+
+VOIPIPS=""
+VOIP6IPS=""
+NTPIPS=""
+
+ROBUST_STATS=0
+
+# FIXME: Handle Vlans
+# FIXME: Handle new naming scheme
+# FIXME: Figure out link rate somehow for wired, at least
+# X11?
+
+# The really depressing part about trying to do classification
+# is the sheer number of ports in use.
+# http://www.networksorcery.com/enp/protocol/ip/ports06000.htm
+# In looking at that it gave me an idea in that we could just have
+# a linear 48k table to map port numbers to dscp 
+# matches would be --lowest-match (for a single lookup)
+# --best-match (for a dual lookup)
+
+
+
+#    This is the relevant table from the RFC
+#    |===============+=========+=============+==========================|
+#    |Network Control|  CS6    |   110000    | Network routing          |
+#    |---------------+---------+-------------+--------------------------|
+#    | Telephony     |   EF    |   101110    | IP Telephony bearer      |
+#    |---------------+---------+-------------+--------------------------|
+#    |  Signaling    |  CS5    |   101000    | IP Telephony signaling   |
+#    |---------------+---------+-------------+--------------------------|
+#    | Multimedia    |AF41,AF42|100010,100100|   H.323/V2 video         |
+#    | Conferencing  |  AF43   |   100110    |  conferencing (adaptive) |
+#    |---------------+---------+-------------+--------------------------|
+#    |  Real-Time    |  CS4    |   100000    | Video conferencing and   |
+#    |  Interactive  |         |             | Interactive gaming       |
+#    |---------------+---------+-------------+--------------------------|
+#    | Multimedia    |AF31,AF32|011010,011100| Streaming video and      |
+#    | Streaming     |  AF33   |   011110    |   audio on demand        |
+#    |---------------+---------+-------------+--------------------------|
+#    |Broadcast Video|  CS3    |   011000    |Broadcast TV & live events|
+#    |---------------+---------+-------------+--------------------------|
+#    | Low-Latency   |AF21,AF22|010010,010100|Client/server transactions|
+#    |   Data        |  AF23   |   010110    | Web-based ordering       |
+#    |---------------+---------+-------------+--------------------------|
+#    |     OAM       |  CS2    |   010000    |         OAM&P            |
+#    |---------------+---------+-------------+--------------------------|
+#    |High-Throughput|AF11,AF12|001010,001100|  Store and forward       |
+#    |    Data       |  AF13   |   001110    |     applications         |
+#    |---------------+---------+-------------+--------------------------|
+#    |    Standard   | DF (CS0)|   000000    | Undifferentiated         |
+#    |               |         |             | applications             |
+#    |---------------+---------+-------------+--------------------------|
+#    | Low-Priority  |  CS1    |   001000    | Any flow that has no BW  |
+#    |     Data      |         |             | assurance                |
+#     ------------------------------------------------------------------
+
+
+
+# Traffic classes:
+# 1:20 Pentultimate Priority (ntp)
+# 1:25 Link Local Packets (1 hop)
+# 1:30 Interactive (SSH, DNS, Quake)
+# 1:35 Multicast packets (X hops)
+# 1:40 (ACK)
+# 1:50 Low latency (VoIP)
+# 1:60 Browsing (HTTP, HTTPs)
+# 1:70 Default
+# 1:80 Bulk Services (smtp, rsync)
+# 1:90 Unclassifiable
+# 1:95 Low priority (p2p, pop3, etc)
+
+
+CLASSES="C_ULT C_LNK C_INT C_MCS C_ACK C_TLK C_BRW C_DEF C_BLK C_UNC C_P2P"
+CLASSID=":20   :25   :30   :35   :40   :50   :60   :70   :80   :90   :95"
+
+# Interactive classs: SSH Terminal, DNS and gaming (Quake)
+INTERACTIVEPORTS="22,222"
+GAMINGPORTS="3389,5900,5688"
+
+# People that use proxies can be shaped better, and 443 is important
+# include spdy, too
+
+PROXYPORTS="8123,3128,8118,1080,443,6127" 
+
+# rdate?
+NTPPORTS=123
+RTPPORTS="5004:5005"
+# ichat? skype?
+# VoIP telephony
+SIGNALPORTS="5060:5062"
+VOIPPORTS="5062:5100,10000:11000,5000:5059,8000:8016,5004,1720,1731,4569"
+VPNPORTS="1194,500,4500"
+CHATPORTS="6667,7000,194,5190,5222,5269"
+# WWW
+BROWSINGPORTS="80,81,8080"
+#FIXME: icecast, look at some radio stations. Soma uses:
+A_STREAMINGPORTS="8600,8048,9010,8884,8384,8010,9000"
+#FIXME: netflix, etc
+V_STREAMINGPORTS="554"
+
+ZEBRAPORTS="2600:2608"
+MONITORPORTS="161:162,199,5777"
+# Routing
+ROUTINGPORTS="179,$ZEBRAPORTS"
+# Yes, let's track git and cvs
+SCMPORTS="371,2401,3690,9418"
+MAILPORTS="143,220,993,587,465"
+# Rsync, SMTP
+BULKPORTS="25,873,20:21,109:110,119,631,4559"
+# Traditional filesharing has it's place
+FILEPORTS="137:139,369:370,445,2049,7000:7009"
+# The lowest priority traffic: eDonkey, Bittorrent, etc.
+P2PPORTS="110,143,445,4662:4664,6881:6999,540,1214,4031,6346:6347"
+XWINPORTS="177,6000:6010,7100"
+DBPORTS="1433:1434,3050,3306,5432:5433,5984"
+BACKUPPORTS="9101:9103,10080,13720:13721,13782:13783,2988:2989,10081:10083"
+TESTPORTS="5001:5002"
+
+# Classify these
+# talk, ntalk 517, 518
+# nntps 563
+# ldaps 636
+# webster 765
+# Radius 1812:1813
+# l2p 
+# dict 2628
+# Distcc 3632
+# Daap 3689
+# mdns 5353
+# RTP?
+

wip/iptables/ame_dbg

@@ -0,0 +1,20 @@
+#!/bin/sh
+#Debug code in place
+. ./codepoints.sh
+. ./functions.sh
+. ./ame.conf
+. ./user.conf
+
+DEBUG_LOG=/tmp/ame.$$
+dscp_stats=1
+ecn_stats=1
+icmp6_stats=1
+p80_stats=1
+
+case $1 in 
+    up) start ;;
+    down) stop ;;
+    restart) restart ;;
+    status) status ;;
+    help) help;;
+esac

wip/iptables/classify.conf

@@ -0,0 +1,54 @@
+# freq from-net to-net from-portrange to-portrange proto tag MODE type FLAG prio classes-from classes-to "COMMENT"
+
+1 0 0 0 81 tcp ROUTER ADMIN  USE 0 0 0 0 CS1 BE AF33 AF32        "Router admin port"
+9 0 0 0 80,8080 tcp WEB NORMAL USE 0 0 0 0 CS1 BE AF33 AF32      "The port 80 rathole"
+8 0 0 0 433 tcp SWEB    NORMAL USE 0 0 0 0 CS1 BE AF32 AF31      "https"
+6 0 0 0 8123,3128,8118,1080,6127 tcp 0 0 0 0 CS1 BE AF31 AF32    "Proxy Ports"
+7 0 0 0 22,222 tcp ADMIN BIMODAL USE 0 0 0 0 CS1 IT CS1 IT       "ssh"
+5 0 0 0 8600,8048,9010,8884,8384,8010,9000 tcp ASTREAMING NORMAL USE 0 0 CS1 BE AF42 AF43 "Audio Streaming"
+1 0 0 0 2600:2608 tcp ADMIN NORMAL  IGN 0 0 CS1 BE CS1 BE  "ZEBRA"
+4 0 0 0 6667,7000,194,5190,5222,5269 CHAT BIMODAL USE 0 0 CS1 IT CS1 IT "Chat"
+# NOT DONE YET
+4 0 0 0 371,2401,3690,9418 "SCM"
+3 0 0 0 143,220,993,587,465 "BULK"
+2 0 0 0 25,873,20:21,109,110,119,631,4559 "Bulk ports"
+1 0 0 0 177,6000:6010,7100 "Xwindows"
+4 0 0 0 1433:1434,3050,3306,5432,5433,5984 "Databases"
+1 0 0 0 9101:9103,10080,13720:13721,13782:13783,2988:2989,10081:10083 "Backup tools"
+
+# UDP stuff
+
+4 0 0 0 1194 0 udp VPN   KEEP KEEP KEEP KEEP  KEEP       
+5 0 0 0 3389,5900,5688 0 udp Gaming ANT KEEP KEEP KEEP  KEEP  #
+7 0 0 0 123 0 udp BE:EF EF:EF NORMAL ANT                 # 
+8 0 0 0 67,68 0 udp BE:EF EF:EF NORMAL ANT               # DHCP 
+6 0 0 0 5004,5005 0 udp CS1:EF AF43:AF42 NORMAL NORMAL   # RTP
+9 0 0 0 5060:5062 0 udp CS1:EF AF43:AF42 NORMAL NORMAL   # VOIP Signalling
+7 0 0 0 5063:5100,10000:11000,5000:5059,8000:8016,1720,1731,4569 0 udp # VOIP
+8 0 0 0 500,4500 0 udp KEEP KEEP KEEP KEEP
+
+0 0 0 0 6667,7000,194,5190,5222,5269 0 # chat
+0 0 0 0 560 0 # good ole ntalk I think
+0 0 0 0 554 0 VSTREAMING
+0 0 0 0 161,162,199,5777 0 # Monitoring
+0 0 0 0 179 0 # BGP Routing
+0 0 0 0 137:139,369:370,445,2049,7000:7009 0 # Traditional filesharing
+0 0 0 0 110,143,445,4662:4664,6881:6999,540,1214,4031,6346:6347 0 # PTP filesharing
+0 0 0 0 5001:5002 0 # Bandwidth tests
+
+# ICMP
+
+# ICMP6
+
+# Classify these
+# talk, ntalk 517, 518
+# nntps 563
+# ldaps 636
+# webster 765
+# Radius 1812:1813
+# l2p 
+# dict 2628
+# Distcc 3632
+# Daap 3689
+# mdns 5353
+# RTP?

wip/iptables/codepoints.sh

@@ -0,0 +1,91 @@
+# Codepoint variable reference
+
+# Standard codepoints in decimal
+
+BE=0
+AF11=10
+AF12=12
+AF13=14
+AF21=18
+AF22=20
+AF23=22
+AF31=26
+AF32=28
+AF33=30
+AF41=34
+AF42=36
+AF43=38
+EF=46
+
+CS1=8
+CS2=16
+CS3=24
+CS4=32
+CS5=40
+CS6=48
+CS7=56
+
+# Some new (proposed) codepoints
+
+BOFH=4
+ANT=42
+LB=63
+P2P=9
+
+# Some legacy codepoints
+# FIXME, do common tos bits and cisco
+# FIXME, get CS fixed
+
+KNOWN_CODEPOINTS="0 4 9 10 12 14 18 20 22 26 28 30 34 36 38 42 46 63 8 16 24 32 40 48 56"
+UNKNOWN_CODEPOINTS=""
+
+for i in `seq 1 63`
+do 
+    FOUND=0
+    for j in $KNOWN_CODEPOINTS
+    do
+	if [ "$i" = "$j" ] 
+	    then
+	    FOUND=1
+	fi
+    done
+    if [ $FOUND = 0 ]
+	then
+	UNKNOWN_CODEPOINTS="$UNKNOWN_CODEPOINTS $i"
+    fi
+done
+
+#    This is the relevant table from the RFC
+#    |===============+=========+=============+==========================|
+#    |Network Control|  CS6    |   110000    | Network routing          |
+#    |---------------+---------+-------------+--------------------------|
+#    | Telephony     |   EF    |   101110    | IP Telephony bearer      |
+#    |---------------+---------+-------------+--------------------------|
+#    |  Signaling    |  CS5    |   101000    | IP Telephony signaling   |
+#    |---------------+---------+-------------+--------------------------|
+#    | Multimedia    |AF41,AF42|100010,100100|   H.323/V2 video         |
+#    | Conferencing  |  AF43   |   100110    |  conferencing (adaptive) |
+#    |---------------+---------+-------------+--------------------------|
+#    |  Real-Time    |  CS4    |   100000    | Video conferencing and   |
+#    |  Interactive  |         |             | Interactive gaming       |
+#    |---------------+---------+-------------+--------------------------|
+#    | Multimedia    |AF31,AF32|011010,011100| Streaming video and      |
+#    | Streaming     |  AF33   |   011110    |   audio on demand        |
+#    |---------------+---------+-------------+--------------------------|
+#    |Broadcast Video|  CS3    |   011000    |Broadcast TV & live events|
+#    |---------------+---------+-------------+--------------------------|
+#    | Low-Latency   |AF21,AF22|010010,010100|Client/server transactions|
+#    |   Data        |  AF23   |   010110    | Web-based ordering       |
+#    |---------------+---------+-------------+--------------------------|
+#    |     OAM       |  CS2    |   010000    |         OAM&P            |
+#    |---------------+---------+-------------+--------------------------|
+#    |High-Throughput|AF11,AF12|001010,001100|  Store and forward       |
+#    |    Data       |  AF13   |   001110    |     applications         |
+#    |---------------+---------+-------------+--------------------------|
+#    |    Standard   | DF (CS0)|   000000    | Undifferentiated         |
+#    |               |         |             | applications             |
+#    |---------------+---------+-------------+--------------------------|
+#    | Low-Priority  |  CS1    |   001000    | Any flow that has no BW  |
+#    |     Data      |         |             | assurance                |
+#     ------------------------------------------------------------------
+

wip/iptables/dhcprule

@@ -0,0 +1,26 @@
+#!/bin/sh
+# Babel and possibly other protocols can mess between DHCP replies when 
+# moving between networks
+# This keeps this from happening
+# hopefully. God help you if you aren't using a /24 netmask
+
+# more than once I've thought that putting babel in it's own table made sense
+# And dhcp.
+
+dhcp=400
+
+iptables -t mangle -A OUTPUT -p udp -m multiport --port 67:68 -j MARK --set-mark $dhcp
+
+ip -o addr | grep 'inet ' | awk '{print $2 " " $4}' | while read DEV ipaddr
+do
+net=`echo $ipaddr | cut -f2 -d/`
+[ "$net" = 24 ] && {
+ip=`echo $ipaddr | cut -f1-3 -d.`
+ip route del $ip/27 dev $DEV table $dhcp
+ip route add $ip/27 dev $DEV table $dhcp
+}
+done
+
+ip rule del prio $dhcp
+ip rule add fwmark $dhcp table $dhcp prio $dhcp
+