[NoCat] Patch: throttle-per-public-user-04.patch

Karl Gaissmaier karl.gaissmaier at kiz.uni-ulm.de
Mon, 04 Aug 2003 13:33:20 +0200



Name:
	throttle-per-public-user-04.patch

Supersede:
	throttle-per-public-user-03.patch

Description:
	A small enhancement to -03.patch: when the
	user doesn't supply a LimitBurst value, we use
	the default of 5/timeunit.



Regards
	Charly
-- 
Karl Gaissmaier       KIZ/Infrastructure, University of Ulm, Germany
Email:karl.gaissmaier@kiz.uni-ulm.de           Service Group Network
Tel.: ++49 731 50-22499
diff -Naur NoCatAuth-nightly/gateway.conf NoCatAuth-mod/gateway.conf
--- NoCatAuth-nightly/gateway.conf	Tue Feb 11 02:59:09 2003
+++ NoCatAuth-mod/gateway.conf	Mon Aug  4 13:05:11 2003
@@ -68,6 +68,17 @@
 #
 # LoginTimeout	86400
 
+# Limit downstream to clients in Public class to a specific rate *per client*.
+#   This is done with iptables independently from the throttle.fw script.
+#   See chapter 6.4.3.1 "Limit match" of the iptables tutorial for details.
+#   If unset (by default), no limiting per client in Public class occurs.
+#
+# LimitAverage 10 - average of ten packets per second 
+# LimitBurst 100  - maximum peak per second
+#
+# LimitAverage 10
+# LimitBurst 100
+
 ###### Open Portal settings.
 #
 ##
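Review bot: the comment `# LimitBurst 100  - maximum peak per second` misdescribes what the option does: in the iptables limit match, --limit-burst is the size of the token bucket (the number of packets allowed through before the --limit average rate applies), not a per-second peak, and a bare number for --limit means per second. The comment should also document the behaviour this patch introduces, namely that LimitBurst falls back to 5 (the iptables default) when only LimitAverage is set, and that LimitAverage may carry a unit suffix (/second, /minute, /hour, /day). Suggest something like `# LimitAverage 10  - average rate in packets, n[/second|/minute|/hour|/day]` and `# LimitBurst 100   - burst size in packets allowed before the average is enforced (default 5)`.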
diff -Naur NoCatAuth-nightly/lib/NoCat/Firewall.pm NoCatAuth-mod/lib/NoCat/Firewall.pm
--- NoCatAuth-nightly/lib/NoCat/Firewall.pm	Wed Feb 12 03:56:42 2003
+++ NoCatAuth-mod/lib/NoCat/Firewall.pm	Mon Aug  4 13:05:11 2003
@@ -21,6 +21,10 @@
     MembersOnly RouteOnly IgnoreMAC
 );
 
+# not in qw() in order to have independent patches
+# put these independent patches together in the next release -- charly
+push @Perform_Export, 'LimitBurst', 'LimitAverage';
+
 # If /proc/net/arp is available, use it. Otherwise, fork /sbin/arp and read
 # its output to get ARP cache data. Turns out '/sbin/arp -an' gives the same
 # output on both Linux and *BSD. (Thank goodness.)
diff -Naur NoCatAuth-nightly/libexec/iptables/access.fw NoCatAuth-mod/libexec/iptables/access.fw
--- NoCatAuth-nightly/libexec/iptables/access.fw	Wed Feb 12 03:33:24 2003
+++ NoCatAuth-mod/libexec/iptables/access.fw	Mon Aug  4 13:27:13 2003
@@ -33,6 +33,10 @@
     mark=2
 elif [ "$class" = "Public" ]; then
     mark=3
+    if [ -n "$LimitAverage" ]; then
+	LimitBurst=${LimitBurst:-5}	# defaults to 5
+	limit="-m limit --limit $LimitAverage --limit-burst $LimitBurst"
+    fi
 else
     echo "FATAL: Bad class: $class!"
     exit 1
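Review bot: `$LimitAverage` and `$LimitBurst` are interpolated unquoted into the iptables command line with no validation, so a typo in gateway.conf (say `LimitAverage 10/sec`) is only discovered when iptables rejects every Public-class ACCEPT rule at login time rather than at config load. Suggest a check before building `limit`, e.g. `case "$LimitAverage" in ''|*[!0-9a-z/]*) echo "FATAL: bad LimitAverage: $LimitAverage"; exit 1;; esac`, or validate the two keys in Firewall.pm where they are read. Also set `limit=` explicitly before the class test so that a value inherited from the environment cannot attach a limit to an Owner or Member client. The `${LimitBurst:-5}` default equals the iptables default, so that branch is equivalent to omitting --limit-burst, which is fine.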
@@ -47,8 +51,11 @@
 # Mark outbound traffic from this node.
 iptables -t mangle $cmd NoCat $match_mac -s $ip -j MARK --set-mark $mark
 
-# Mark inbound traffic to this node.
-iptables -t filter $cmd NoCat_Inbound -d $ip -j ACCEPT
+# Mark inbound traffic to this node. (obsolete when not using tc)
+iptables -t mangle $cmd NoCat -d $ip -j MARK --set-mark $mark
+
+# Accept inbound traffic to this node.
+iptables -t filter $cmd NoCat_Inbound -d $ip $limit -j ACCEPT
 
 #
 # Ende
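Review bot: the new `-d $ip $limit -j ACCEPT` rule is added and later deleted through the same `$cmd`, so the delete only succeeds if `$limit` is rebuilt identically; if LimitAverage or LimitBurst is changed or unset in gateway.conf between a Public client's login and logout, `iptables -D` will not find the rule and the per-client ACCEPT lingers in NoCat_Inbound after the client is gone. Record the rule arguments with the session (or flush by `-d $ip` rather than by full rule spec) so the removal does not depend on the current config. Two smaller points: the limit match counts packets, not bytes, so packets beyond the bucket fall through to whatever follows in NoCat_Inbound, and a 10/s average with a burst of 5 throttles TCP downloads far harder than the byte rate suggests; and the mangle rule `iptables -t mangle $cmd NoCat -d $ip -j MARK --set-mark $mark` is installed unconditionally although its comment calls it obsolete without tc, so either guard it on the tc configuration or drop it from this patch.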
