Commit
60ee64dd
authored
4 years ago
by
Franco (nextime) Lanza
A bit o priorities reorder
parent
55e3eb1a
Showing
2 changed files
with
42 additions
and
36 deletions
+42
-36
dpi
dpi
+4
-4
shaping
shaping
+38
-32
dpi
...
...
@@ -187,7 +187,7 @@ class NexDPI():
sername
=
aname
.
split
(
"."
)[
-
1
:][
0
]
ipv
=
flow
.
ip_version
log
.
debug
(
"RECEIVED: "
+
cname
+
" "
+
aname
+
" "
+
sername
)
log
.
debug
(
"RECEIVED: "
+
cname
+
" "
+
aname
+
" "
+
sername
+
"
\n\n
"
+
str
(
flow
)
)
if
[
aname
,
cname
]
in
list
(
Ignore
):
log
.
debug
(
"IGNORED: "
+
self
.
fullname
)
...
...
@@ -200,7 +200,7 @@ class NexDPI():
else
:
ipset_list
=
appd
[
'ipset'
]
if
not
aname
.
startswith
(
tuple
(
appd
[
'nostart'
])):
managed
=
True
managed
=
ipset_list
+
" Apps"
sh
(
"ipset test "
+
ipset_list
+
" "
+
triplet
+
" >/dev/null 2>&1 || ipset add "
+
ipset_list
+
" "
+
triplet
+
" timeout "
+
appd
[
'timeout'
]
+
" > /dev/null 2>&1"
)
log
.
info
(
"ADD: "
+
ipset_list
+
" "
+
triplet
+
" "
+
self
.
fullname
)
if
aname
.
startswith
(
tuple
(
appd
[
'knowstarts'
])):
...
...
@@ -212,7 +212,7 @@ class NexDPI():
else
:
ipset_list
=
Cats
[
cname
][
'ipset'
]
if
not
aname
.
startswith
(
tuple
(
Cats
[
cname
][
'nostart'
]))
and
not
sername
in
list
(
Cats
[
cname
][
'noapps'
]):
managed
=
True
managed
=
ipset_list
+
" Cats"
sh
(
"ipset add "
+
ipset_list
+
" "
+
triplet
+
" timeout "
+
Cats
[
cname
][
'timeout'
]
+
" --exist > /dev/null 2>&1"
)
log
.
info
(
"ADD: "
+
ipset_list
+
" "
+
triplet
+
" "
+
self
.
fullname
)
if
sername
in
list
(
Cats
[
cname
][
'knownapps'
]):
...
...
@@ -229,7 +229,7 @@ class NexDPI():
if
managed
:
log
.
warning
(
"MANAGED_UNKNOWN: "
+
self
.
fullname
)
f
=
open
(
"/tmp/dpi.managed.unknown"
,
"a"
)
f
.
write
(
aname
+
" "
+
cname
+
"
\n
"
)
f
.
write
(
aname
+
" "
+
cname
+
"
"
+
managed
+
"
\n
"
)
f
.
close
()
UnknownMatch
.
append
(
self
.
fullname
)
...
...
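Review bot: The new `f.write(aname+" "+cname+" "+managed+"\n")` in the last hunk (@@ -229) only works while `managed` is a string, so any branch outside these hunks that still assigns `managed = True` would raise a TypeError here, after `open()` and before `f.close()`, leaving the handle unclosed. The same lines append to the fixed path `/tmp/dpi.managed.unknown`; if this process runs with the privileges its `ipset` calls suggest, a predictable name in a world-writable directory can be pre-created or symlinked by another local account. I would write it as `with open(UNKNOWN_LOG, "a") as f:` followed by `f.write("%s %s %s\n" % (aname, cname, managed))`, where `UNKNOWN_LOG` is a placeholder name for a path inside a directory only the daemon can write. The enclosing method starts and ends outside the visible hunks, so the initial value of `managed` could not be checked from this page.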
shaping
...
...
@@ -241,63 +241,69 @@ ApplyShaping() {
$TCLASS
1:1 classid 1:50 htb rate
${
MAXREDUCEDRATE
}
mbit ceil
${
REALRATE
}
mbit prio 1
$TDISC
1:50 fq_codel
$TFILTER
1: protocol ip prio 4 basic match
"ipset(social_extip
$OUTDIR
)"
flowid 1:40
$TFILTER
1: protocol ip prio 3 basic match
"ipset(social_ip
$INTDIR
)"
flowid 1:40
$TFILTER
1: protocol ip prio 2 basic match
"ipset(social_triplet
$OUTDIR
,
$OUTDIR
,
$INTDIR
)"
flowid 1:40
# Prioritis are important! The first that match is the winning one.
$TFILTER
1: protocol ip prio 1 handle
${
IPSETS
[
"social"
]
}
fw flowid 1:40
$TFILTER
1: protocol ip
v6 prio 8 basic match
"ipset(social_extip6
$OU
TDIR
)"
flowid 1:40
$TFILTER
1: protocol ip
v6 prio 7 basic match
"ipset(social_ip6
$IN
TDIR
)"
flowid 1:40
$TFILTER
1: protocol ip
v6 prio 6 basic match
"ipset(social_triplet6
$OUTDIR
,
$OUTDIR
,
$INTDIR
)"
flowid 1:40
$TFILTER
1: protocol ip
prio 2 basic match
"ipset(social_ip
$IN
TDIR
)"
flowid 1:40
$TFILTER
1: protocol ip
prio 3 basic match
"ipset(social_extip
$OU
TDIR
)"
flowid 1:40
$TFILTER
1: protocol ip
prio 4 basic match
"ipset(social_triplet
$OUTDIR
,
$OUTDIR
,
$INTDIR
)"
flowid 1:40
$TFILTER
1: protocol ipv6 prio 5 handle
${
IPSETS
[
"social"
]
}
fw flowid 1:40
$TFILTER
1: protocol ipv6 prio 6 basic match
"ipset(social_ip6
$INTDIR
)"
flowid 1:40
$TFILTER
1: protocol ipv6 prio 7 basic match
"ipset(social_extip6
$OUTDIR
)"
flowid 1:40
$TFILTER
1: protocol ipv6 prio 8 basic match
"ipset(social_triplet6
$OUTDIR
,
$OUTDIR
,
$INTDIR
)"
flowid 1:40
$TFILTER
1: protocol ip prio 4 basic match
"ipset(kids_extip
$OUTDIR
)"
flowid 1:43
$TFILTER
1: protocol ip prio 3 basic match
"ipset(kids_ip
$INTDIR
)"
flowid 1:30
$TFILTER
1: protocol ip prio 2 basic match
"ipset(kids_triplet
$OUTDIR
,
$OUTDIR
,
$INTDIR
)"
flowid 1:30
$TFILTER
1: protocol ip prio 1 handle
${
IPSETS
[
"kids"
]
}
fw flowid 1:30
$TFILTER
1: protocol ip
v6 prio 8 basic match
"ipset(kids_extip6
$OUTDIR
)"
flowid 1:43
$TFILTER
1: protocol ip
v6 prio 7 basic match
"ipset(kids_ip6
$INTDIR
)"
flowid 1:30
$TFILTER
1: protocol ip
v6 prio 6 basic match
"ipset(kids_triplet6
$OUTDIR
,
$OUTDIR
,
$INTDIR
)"
flowid 1:30
$TFILTER
1: protocol ip
prio 2 basic match
"ipset(kids_ip
$INTDIR
)"
flowid 1:30
$TFILTER
1: protocol ip
prio 3 basic match
"ipset(kids_extip
$OUTDIR
)"
flowid 1:43
$TFILTER
1: protocol ip
prio 4 basic match
"ipset(kids_triplet
$OUTDIR
,
$OUTDIR
,
$INTDIR
)"
flowid 1:30
$TFILTER
1: protocol ipv6 prio 5 handle
${
IPSETS
[
"kids"
]
}
fw flowid 1:30
$TFILTER
1: protocol ipv6 prio 6 basic match
"ipset(kids_ip6
$INTDIR
)"
flowid 1:30
$TFILTER
1: protocol ipv6 prio 7 basic match
"ipset(kids_extip6
$OUTDIR
)"
flowid 1:43
$TFILTER
1: protocol ipv6 prio 8 basic match
"ipset(kids_triplet6
$OUTDIR
,
$OUTDIR
,
$INTDIR
)"
flowid 1:30
$TFILTER
1: protocol ip prio 4 basic match
"ipset(system_extip
$OUTDIR
)"
flowid 1:20
$TFILTER
1: protocol ip prio 3 basic match
"ipset(system_ip
$INTDIR
)"
flowid 1:20
$TFILTER
1: protocol ip prio 2 basic match
"ipset(system_triplet
$OUTDIR
,
$OUTDIR
,
$INTDIR
)"
flowid 1:20
$TFILTER
1: protocol ip prio 1 handle
${
IPSETS
[
"system"
]
}
fw flowid 1:20
$TFILTER
1: protocol ip
v6 prio 8 basic match
"ipset(system_extip6
$OU
TDIR
)"
flowid 1:20
$TFILTER
1: protocol ip
v6 prio 7 basic match
"ipset(system_ip6
$IN
TDIR
)"
flowid 1:20
$TFILTER
1: protocol ip
v6 prio 6 basic match
"ipset(system_triplet6
$OUTDIR
,
$OUTDIR
,
$INTDIR
)"
flowid 1:20
$TFILTER
1: protocol ip
prio 2 basic match
"ipset(system_ip
$IN
TDIR
)"
flowid 1:20
$TFILTER
1: protocol ip
prio 3 basic match
"ipset(system_extip
$OU
TDIR
)"
flowid 1:20
$TFILTER
1: protocol ip
prio 4 basic match
"ipset(system_triplet
$OUTDIR
,
$OUTDIR
,
$INTDIR
)"
flowid 1:20
$TFILTER
1: protocol ipv6 prio 5 handle
${
IPSETS
[
"system"
]
}
fw flowid 1:20
$TFILTER
1: protocol ipv6 prio 6 basic match
"ipset(system_ip6
$INTDIR
)"
flowid 1:20
$TFILTER
1: protocol ipv6 prio 7 basic match
"ipset(system_extip6
$OUTDIR
)"
flowid 1:20
$TFILTER
1: protocol ipv6 prio 8 basic match
"ipset(system_triplet6
$OUTDIR
,
$OUTDIR
,
$INTDIR
)"
flowid 1:20
$TFILTER
1: protocol ip prio 4 basic match
"ipset(full_extip
$OUTDIR
)"
flowid 1:50
$TFILTER
1: protocol ip prio 3 basic match
"ipset(full_ip
$INTDIR
)"
flowid 1:50
$TFILTER
1: protocol ip prio 2 basic match
"ipset(full_triplet
$OUTDIR
,
$OUTDIR
,
$INTDIR
)"
flowid 1:50
$TFILTER
1: protocol ip prio 1 handle
${
IPSETS
[
"full"
]
}
fw flowid 1:50
$TFILTER
1: protocol ip
v6 prio 8 basic match
"ipset(full_extip6
$OU
TDIR
)"
flowid 1:50
$TFILTER
1: protocol ip
v6 prio 7 basic match
"ipset(full_ip6
$IN
TDIR
)"
flowid 1:50
$TFILTER
1: protocol ip
v6 prio 6 basic match
"ipset(full_triplet6
$OUTDIR
,
$OUTDIR
,
$INTDIR
)"
flowid 1:50
$TFILTER
1: protocol ip
prio 2 basic match
"ipset(full_ip
$IN
TDIR
)"
flowid 1:50
$TFILTER
1: protocol ip
prio 3 basic match
"ipset(full_extip
$OU
TDIR
)"
flowid 1:50
$TFILTER
1: protocol ip
prio 2 basic match
"ipset(full_triplet
$OUTDIR
,
$OUTDIR
,
$INTDIR
)"
flowid 1:50
$TFILTER
1: protocol ipv6 prio 5 handle
${
IPSETS
[
"full"
]
}
fw flowid 1:50
$TFILTER
1: protocol ipv6 prio 6 basic match
"ipset(full_ip6
$INTDIR
)"
flowid 1:50
$TFILTER
1: protocol ipv6 prio 7 basic match
"ipset(full_extip6
$OUTDIR
)"
flowid 1:50
$TFILTER
1: protocol ipv6 prio 8 basic match
"ipset(full_triplet6
$OUTDIR
,
$OUTDIR
,
$INTDIR
)"
flowid 1:50
$TFILTER
1: protocol ip prio 4 basic match
"ipset(streaming_extip
$OUTDIR
)"
flowid 11:12
$TFILTER
1: protocol ip prio 3 basic match
"ipset(streaming_ip
$INTDIR
)"
flowid 11:12
$TFILTER
1: protocol ip prio 2 basic match
"ipset(streaming_triplet
$OUTDIR
,
$OUTDIR
,
$INTDIR
)"
flowid 11:12
$TFILTER
1: protocol ip prio 1 handle
${
IPSETS
[
"streaming"
]
}
fw flowid 11:12
$TFILTER
1: protocol ip
v6 prio 8 basic match
"ipset(streaming_extip6
$OU
TDIR
)"
flowid 11:12
$TFILTER
1: protocol ip
v6 prio 7 basic match
"ipset(streaming_ip6
$IN
TDIR
)"
flowid 11:12
$TFILTER
1: protocol ip
v6 prio 6 basic match
"ipset(streaming_triplet6
$OUTDIR
,
$OUTDIR
,
$INTDIR
)"
flowid 11:12
$TFILTER
1: protocol ip
prio 2 basic match
"ipset(streaming_ip
$IN
TDIR
)"
flowid 11:12
$TFILTER
1: protocol ip
prio 3 basic match
"ipset(streaming_extip
$OU
TDIR
)"
flowid 11:12
$TFILTER
1: protocol ip
prio 4 basic match
"ipset(streaming_triplet
$OUTDIR
,
$OUTDIR
,
$INTDIR
)"
flowid 11:12
$TFILTER
1: protocol ipv6 prio 5 handle
${
IPSETS
[
"streaming"
]
}
fw flowid 11:12
$TFILTER
1: protocol ipv6 prio 6 basic match
"ipset(streaming_ip6
$INTDIR
)"
flowid 11:12
$TFILTER
1: protocol ipv6 prio 7 basic match
"ipset(streaming_extip6
$OUTDIR
)"
flowid 11:12
$TFILTER
1: protocol ipv6 prio 8 basic match
"ipset(streaming_triplet6
$OUTDIR
,
$OUTDIR
,
$INTDIR
)"
flowid 11:12
if
[
x
"
$DIRECTION
"
==
x
"up"
]
;
then
if
$NAT
;
then
for
IPS
in
$IPSETS_NAMES
;
do
# The order of the rules is important.
# We don't want to add a RETURN statement after match, so, the last match will be the
# winning one.
iptmark
-m
set
--match-set
${
IPS
}
_ip
$INTDIR
-j
MARK
--set-mark
${
IPSETS
[
$IPS
]
}
iptmark
-m
set
--match-set
${
IPS
}
_triplet
$OUTDIR
,
$OUTDIR
,
$INTDIR
-j
MARK
--set-mark
${
IPSETS
[
$IPS
]
}
iptmark
-m
set
--match-set
${
IPS
}
_extip
$OUTDIR
-j
MARK
--set-mark
${
IPSETS
[
$IPS
]
}
iptmark
-m
set
--match-set
${
IPS
}
_ip
$INTDIR
-j
MARK
--set-mark
${
IPSETS
[
$IPS
]
}
ip6mark
-m
set
--match-set
${
IPS
}
_ip6
$INTDIR
-j
MARK
--set-mark
${
IPSETS
[
$IPS
]
}
ip6mark
-m
set
--match-set
${
IPS
}
_triplet6
$OUTDIR
,
$OUTDIR
,
$INTDIR
-j
MARK
--set-mark
${
IPSETS
[
$IPS
]
}
ip6mark
-m
set
--match-set
${
IPS
}
_extip6
$OUTDIR
-j
MARK
--set-mark
${
IPSETS
[
$IPS
]
}
ip6mark
-m
set
--match-set
${
IPS
}
_triplet6
$OUTDIR
,
$OUTDIR
,
$INTDIR
-j
MARK
--set-mark
${
IPSETS
[
$IPS
]
}
done
fi
...
...
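Review bot: In the `full` group the reordered IPv4 triplet filter still reads `prio 2` (`$TFILTER 1: protocol ip prio 2 basic match "ipset(full_triplet $OUTDIR,$OUTDIR,$INTDIR)" flowid 1:50`), while social, kids, system and streaming all move their triplet filter to `prio 4`. Since the added comment says the first matching priority wins, this filter would be consulted ahead of every other group's `_extip` (prio 3) and `_triplet` (prio 4) filters, so a flow present in both `full_triplet` and a restricted group's set may land in 1:50 instead of its restricted class; it should probably be `prio 4` like the others. The mark loop further down also lists `${IPS}_ip` and `${IPS}_triplet6` twice, which may just be the old and new lines of the rendered diff, but is worth checking in the file because the last matching rule wins there. The page has lost its +/- markers, so the side of each line is inferred, and ApplyShaping() continues outside the hunk.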