def _delete_tc_class(self, id_): """ Deletes the tc class and applied filters for a given ID (host) """ shell.execute_suppressed('{} filter del dev {} parent 1:0 prio {}'.format(BIN_TC, self.interface, id_)) shell.execute_suppressed('{} class del dev {} parent 1:0 classid 1:{}'.format(BIN_TC, self.interface, id_))
def block(self, host, direction): host_ids = self._new_host_limit_ids(host, direction) if (direction & Direction.OUTGOING) == Direction.OUTGOING: # drops forwarded packets with matching source shell.execute_suppressed('{} -t filter -A FORWARD -s {} -j DROP'.format(BIN_IPTABLES, host.ip)) if (direction & Direction.INCOMING) == Direction.INCOMING: # drops forwarded packets with matching destination shell.execute_suppressed('{} -t filter -A FORWARD -d {} -j DROP'.format(BIN_IPTABLES, host.ip)) host.blocked = True self.host_ids_dict[host] = host_ids
def limit(self, host: Host, rate): """ Limits the uload/dload traffic of a host to a specified rate """ id_ = self._create_id() if host in self.host_id_map: id_ = self.host_id_map[host] self.unlimit(host) # add a class to the root qdisc with specified rate shell.execute_suppressed( '{} class add dev {} parent 1:0 classid 1:{} htb rate {r} ceil {r}' .format(BIN_TC, self.interface, id_, r=rate)) # add a fw filter that filters packets marked with the corresponding ID shell.execute_suppressed( '{} filter add dev {} parent 1:0 protocol ip prio {id} handle {id} fw flowid 1:{id}' .format(BIN_TC, self.interface, id=id_)) # marks outgoing packets shell.execute_suppressed( '{} -t mangle -A POSTROUTING -s {} -j MARK --set-mark {}'.format( BIN_IPTABLES, host.ip, id_)) # marks incoming packets shell.execute_suppressed( '{} -t mangle -A PREROUTING -d {} -j MARK --set-mark {}'.format( BIN_IPTABLES, host.ip, id_)) self.host_id_map[host] = id_ host.limited = True
def create_qdisc_root(interface): """ Creates a root htb qdisc in traffic control for a given interface """ return shell.execute_suppressed( '{} qdisc add dev {} root handle 1:0 htb'.format(BIN_TC, interface)) == 0
def _delete_iptables_entries(self, host, direction, id_): """ Deletes iptables rules for a given ID (host) """ if (direction & Direction.OUTGOING) == Direction.OUTGOING: shell.execute_suppressed('{} -t mangle -D POSTROUTING -s {} -j MARK --set-mark {}'.format(BIN_IPTABLES, host.ip, id_)) shell.execute_suppressed('{} -t filter -D FORWARD -s {} -j DROP'.format(BIN_IPTABLES, host.ip)) if (direction & Direction.INCOMING) == Direction.INCOMING: shell.execute_suppressed('{} -t mangle -D PREROUTING -d {} -j MARK --set-mark {}'.format(BIN_IPTABLES, host.ip, id_)) shell.execute_suppressed('{} -t filter -D FORWARD -d {} -j DROP'.format(BIN_IPTABLES, host.ip))
def block(self, host): id_ = self._create_id() if host in self.host_id_map: id_ = self.host_id_map[host] self.unlimit(host) # drops forwarded packets with matching source shell.execute_suppressed( '{} -t filter -A FORWARD -s {} -j DROP'.format( BIN_IPTABLES, host.ip)) # drops forwarded packets with matching destination shell.execute_suppressed( '{} -t filter -A FORWARD -d {} -j DROP'.format( BIN_IPTABLES, host.ip)) self.host_id_map[host] = id_ host.blocked = True
def _delete_iptables_entries(self, host: Host, id_): """ Deletes iptables rules for a given ID (host) """ shell.execute_suppressed( '{} -t mangle -D POSTROUTING -s {} -j MARK --set-mark {}'.format( BIN_IPTABLES, host.ip, id_)) shell.execute_suppressed( '{} -t mangle -D PREROUTING -d {} -j MARK --set-mark {}'.format( BIN_IPTABLES, host.ip, id_)) shell.execute_suppressed( '{} -t filter -D FORWARD -s {} -j DROP'.format( BIN_IPTABLES, host.ip)) shell.execute_suppressed( '{} -t filter -D FORWARD -d {} -j DROP'.format( BIN_IPTABLES, host.ip))
def enable_ip_forwarding(): return shell.execute_suppressed('{} -w {}=1'.format( BIN_SYSCTL, IP_FORWARD_LOC)) == 0
def delete_qdisc_root(interface): return shell.execute_suppressed( '{} qdisc del dev {} root handle 1:0 htb'.format(BIN_TC, interface))
def flush_network_settings(interface): """ Flushes all iptable rules and traffic control entries related to the given interface """ # reset default policy shell.execute_suppressed('{} -P INPUT ACCEPT'.format(BIN_IPTABLES)) shell.execute_suppressed('{} -P OUTPUT ACCEPT'.format(BIN_IPTABLES)) shell.execute_suppressed('{} -P FORWARD ACCEPT'.format(BIN_IPTABLES)) # flush all chains in all tables (including user-defined) shell.execute_suppressed('{} -t mangle -F'.format(BIN_IPTABLES)) shell.execute_suppressed('{} -t nat -F'.format(BIN_IPTABLES)) shell.execute_suppressed('{} -F'.format(BIN_IPTABLES)) shell.execute_suppressed('{} -X'.format(BIN_IPTABLES)) # delete root qdisc for given interface shell.execute_suppressed('{} qdisc del dev {} root'.format( BIN_TC, interface))
def limit(self, host, direction, rate): """ Limits the uload/dload traffic of a host to a specified rate """ host_ids = self._new_host_limit_ids(host, direction) if (direction & Direction.OUTGOING) == Direction.OUTGOING: # add a class to the root qdisc with specified rate shell.execute_suppressed( '{} class add dev {} parent 1:0 classid 1:{} htb rate {r} burst {b}' .format(BIN_TC, self.interface, host_ids.upload_id, r=rate, b=rate * 1.1)) # add a fw filter that filters packets marked with the corresponding ID shell.execute_suppressed( '{} filter add dev {} parent 1:0 protocol ip prio {id} handle {id} fw flowid 1:{id}' .format(BIN_TC, self.interface, id=host_ids.upload_id)) # marks outgoing packets shell.execute_suppressed( '{} -t mangle -A POSTROUTING -s {} -j MARK --set-mark {}'. format(BIN_IPTABLES, host.ip, host_ids.upload_id)) if (direction & Direction.INCOMING) == Direction.INCOMING: # add a class to the root qdisc with specified rate shell.execute_suppressed( '{} class add dev {} parent 1:0 classid 1:{} htb rate {r} burst {b}' .format(BIN_TC, self.interface, host_ids.download_id, r=rate, b=rate * 1.1)) # add a fw filter that filters packets marked with the corresponding ID shell.execute_suppressed( '{} filter add dev {} parent 1:0 protocol ip prio {id} handle {id} fw flowid 1:{id}' .format(BIN_TC, self.interface, id=host_ids.download_id)) # marks incoming packets shell.execute_suppressed( '{} -t mangle -A PREROUTING -d {} -j MARK --set-mark {}'. format(BIN_IPTABLES, host.ip, host_ids.download_id)) host.limited = True with self._host_dict_lock: self._host_dict[host] = { 'ids': host_ids, 'rate': rate, 'direction': direction }