def _delete_tc_class(self, id_):
"""
Deletes the tc class and applied filters
for a given ID (host)
"""
shell.execute_suppressed('{} filter del dev {} parent 1:0 prio {}'.format(BIN_TC, self.interface, id_))
shell.execute_suppressed('{} class del dev {} parent 1:0 classid 1:{}'.format(BIN_TC, self.interface, id_))
def block(self, host, direction):
host_ids = self._new_host_limit_ids(host, direction)
if (direction & Direction.OUTGOING) == Direction.OUTGOING:
# drops forwarded packets with matching source
shell.execute_suppressed('{} -t filter -A FORWARD -s {} -j DROP'.format(BIN_IPTABLES, host.ip))
if (direction & Direction.INCOMING) == Direction.INCOMING:
# drops forwarded packets with matching destination
shell.execute_suppressed('{} -t filter -A FORWARD -d {} -j DROP'.format(BIN_IPTABLES, host.ip))
host.blocked = True
self.host_ids_dict[host] = host_ids
def limit(self, host: Host, rate):
"""
Limits the uload/dload traffic of a host
to a specified rate
"""
id_ = self._create_id()
if host in self.host_id_map:
id_ = self.host_id_map[host]
self.unlimit(host)
# add a class to the root qdisc with specified rate
shell.execute_suppressed(
'{} class add dev {} parent 1:0 classid 1:{} htb rate {r} ceil {r}'
.format(BIN_TC, self.interface, id_, r=rate))
# add a fw filter that filters packets marked with the corresponding ID
shell.execute_suppressed(
'{} filter add dev {} parent 1:0 protocol ip prio {id} handle {id} fw flowid 1:{id}'
.format(BIN_TC, self.interface, id=id_))
# marks outgoing packets
shell.execute_suppressed(
'{} -t mangle -A POSTROUTING -s {} -j MARK --set-mark {}'.format(
BIN_IPTABLES, host.ip, id_))
# marks incoming packets
shell.execute_suppressed(
'{} -t mangle -A PREROUTING -d {} -j MARK --set-mark {}'.format(
BIN_IPTABLES, host.ip, id_))
self.host_id_map[host] = id_
host.limited = True
def create_qdisc_root(interface):
"""
Creates a root htb qdisc in traffic control for a given interface
"""
return shell.execute_suppressed(
'{} qdisc add dev {} root handle 1:0 htb'.format(BIN_TC,
interface)) == 0
def _delete_iptables_entries(self, host, direction, id_):
"""
Deletes iptables rules for a given ID (host)
"""
if (direction & Direction.OUTGOING) == Direction.OUTGOING:
shell.execute_suppressed('{} -t mangle -D POSTROUTING -s {} -j MARK --set-mark {}'.format(BIN_IPTABLES, host.ip, id_))
shell.execute_suppressed('{} -t filter -D FORWARD -s {} -j DROP'.format(BIN_IPTABLES, host.ip))
if (direction & Direction.INCOMING) == Direction.INCOMING:
shell.execute_suppressed('{} -t mangle -D PREROUTING -d {} -j MARK --set-mark {}'.format(BIN_IPTABLES, host.ip, id_))
shell.execute_suppressed('{} -t filter -D FORWARD -d {} -j DROP'.format(BIN_IPTABLES, host.ip))
def block(self, host):
id_ = self._create_id()
if host in self.host_id_map:
id_ = self.host_id_map[host]
self.unlimit(host)
# drops forwarded packets with matching source
shell.execute_suppressed(
'{} -t filter -A FORWARD -s {} -j DROP'.format(
BIN_IPTABLES, host.ip))
# drops forwarded packets with matching destination
shell.execute_suppressed(
'{} -t filter -A FORWARD -d {} -j DROP'.format(
BIN_IPTABLES, host.ip))
self.host_id_map[host] = id_
host.blocked = True
def _delete_iptables_entries(self, host: Host, id_):
"""
Deletes iptables rules for a given ID (host)
"""
shell.execute_suppressed(
'{} -t mangle -D POSTROUTING -s {} -j MARK --set-mark {}'.format(
BIN_IPTABLES, host.ip, id_))
shell.execute_suppressed(
'{} -t mangle -D PREROUTING -d {} -j MARK --set-mark {}'.format(
BIN_IPTABLES, host.ip, id_))
shell.execute_suppressed(
'{} -t filter -D FORWARD -s {} -j DROP'.format(
BIN_IPTABLES, host.ip))
shell.execute_suppressed(
'{} -t filter -D FORWARD -d {} -j DROP'.format(
BIN_IPTABLES, host.ip))
def enable_ip_forwarding():
return shell.execute_suppressed('{} -w {}=1'.format(
BIN_SYSCTL, IP_FORWARD_LOC)) == 0
def delete_qdisc_root(interface):
return shell.execute_suppressed(
'{} qdisc del dev {} root handle 1:0 htb'.format(BIN_TC, interface))
def flush_network_settings(interface):
"""
Flushes all iptable rules and traffic control entries
related to the given interface
"""
# reset default policy
shell.execute_suppressed('{} -P INPUT ACCEPT'.format(BIN_IPTABLES))
shell.execute_suppressed('{} -P OUTPUT ACCEPT'.format(BIN_IPTABLES))
shell.execute_suppressed('{} -P FORWARD ACCEPT'.format(BIN_IPTABLES))
# flush all chains in all tables (including user-defined)
shell.execute_suppressed('{} -t mangle -F'.format(BIN_IPTABLES))
shell.execute_suppressed('{} -t nat -F'.format(BIN_IPTABLES))
shell.execute_suppressed('{} -F'.format(BIN_IPTABLES))
shell.execute_suppressed('{} -X'.format(BIN_IPTABLES))
# delete root qdisc for given interface
shell.execute_suppressed('{} qdisc del dev {} root'.format(
BIN_TC, interface))
def limit(self, host, direction, rate):
"""
Limits the uload/dload traffic of a host
to a specified rate
"""
host_ids = self._new_host_limit_ids(host, direction)
if (direction & Direction.OUTGOING) == Direction.OUTGOING:
# add a class to the root qdisc with specified rate
shell.execute_suppressed(
'{} class add dev {} parent 1:0 classid 1:{} htb rate {r} burst {b}'
.format(BIN_TC,
self.interface,
host_ids.upload_id,
r=rate,
b=rate * 1.1))
# add a fw filter that filters packets marked with the corresponding ID
shell.execute_suppressed(
'{} filter add dev {} parent 1:0 protocol ip prio {id} handle {id} fw flowid 1:{id}'
.format(BIN_TC, self.interface, id=host_ids.upload_id))
# marks outgoing packets
shell.execute_suppressed(
'{} -t mangle -A POSTROUTING -s {} -j MARK --set-mark {}'.
format(BIN_IPTABLES, host.ip, host_ids.upload_id))
if (direction & Direction.INCOMING) == Direction.INCOMING:
# add a class to the root qdisc with specified rate
shell.execute_suppressed(
'{} class add dev {} parent 1:0 classid 1:{} htb rate {r} burst {b}'
.format(BIN_TC,
self.interface,
host_ids.download_id,
r=rate,
b=rate * 1.1))
# add a fw filter that filters packets marked with the corresponding ID
shell.execute_suppressed(
'{} filter add dev {} parent 1:0 protocol ip prio {id} handle {id} fw flowid 1:{id}'
.format(BIN_TC, self.interface, id=host_ids.download_id))
# marks incoming packets
shell.execute_suppressed(
'{} -t mangle -A PREROUTING -d {} -j MARK --set-mark {}'.
format(BIN_IPTABLES, host.ip, host_ids.download_id))
host.limited = True
with self._host_dict_lock:
self._host_dict[host] = {
'ids': host_ids,
'rate': rate,
'direction': direction
}
