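#!/bin/sh
#
# ipshaping -- HTB traffic shaping for the eth0 uplink, with inbound
# traffic redirected through ifb0 so it can be shaped too.
#
# usage: ipshaping start|stop|restart|burst|status|ingress_status
#
#   start/restart   tear down and re-install the egress (eth0) and
#                   ingress (ifb0) qdiscs with the normal limits
#   burst           same as start but with the higher uplink limits
#   stop            remove all qdiscs this script installs (errors ignored)
#   status          print the class labels munin expects, then eth0 stats
#   ingress_status  print ifb0 stats
#
# Requires /sbin/tc, /sbin/modprobe, /sbin/ifconfig and the ifb and
# xt_MARK kernel modules.
#
# only do this when multiuser
# update-rc.d ipshaping start 12 2 3 4 5 . stop 88 0 1 6 .

tc='/sbin/tc'
eth='eth0'  # the shaped uplink
ifb='ifb0'  # ingress on $eth is redirected here and shaped as ifb egress

# set to 1 by run() when a setup command fails; used as the exit status so
# a half-applied configuration is not reported as success
failed=0

#######################################
# Run a setup command, reporting (but not aborting on) failure.
# Globals:   failed (written)
# Arguments: the command and its arguments
# Outputs:   the command's own output; a diagnostic on stderr on failure
#######################################
run() {
  "$@" || {
    printf 'ipshaping: command failed: %s\n' "$*" >&2
    failed=1
  }
}

#######################################
# Remove every qdisc this script installs.
# Errors are ignored on purpose so stop works from any state.
# Globals:   tc, eth, ifb (read)
#######################################
stop() {
  "$tc" qdisc del dev "$eth" root >/dev/null 2>&1
  "$tc" qdisc del dev "$eth" ingress >/dev/null 2>&1
  "$tc" qdisc del dev "$ifb" root >/dev/null 2>&1
}

#######################################
# Add a filter to the eth0 egress root qdisc (handle 1:).
# Arguments: the "prio ... u32 ... flowid ..." tail of a tc filter command
#######################################
egress_filter() {
  run "$tc" filter add dev "$eth" protocol ip parent 1: "$@"
}

# hosts and networks referenced by the filters below
my_lan='208.69.40.0/24'
sheep_clients='208.69.40.141/32'
sheep_inter='208.69.40.142/32'
mail='208.69.40.137/32'
pry='208.69.40.140/32'
clam='207.241.233.251/32'
mulark='64.81.61.105/32'  # only referenced by a commented-out filter
# void.arces.net -- sheep upload
void='64.193.138.139/32'

case "${1-}" in
start|restart|burst)
  # monkeybrains lets us burst to 30mbit in the evenings 22:00 to 04:00
  # NOTE(review): the 30mbit in the comment above does not match the
  # 50mbit values below -- confirm which is current
  if [ "$1" = "burst" ]; then
    limit=50mbit       # ceiling for all non-local egress (class 1:102)
    limitmp1=49.9mbit  # per-class ceiling just under the limit
    limitm1=49mbit     # per-class ceiling for the sheep classes
  else
    limit=10mbit
    limitmp1=9.9mbit
    limitm1=9mbit
  fi

  # clear any existing lists
  stop

  # this uses ifb to place a 9.5mbit limit on sheep inbound
  printf '%s' "enabling ip traffic shaping:"
  run /sbin/modprobe ifb
  run /sbin/modprobe xt_MARK  # presumably for the "action ipt -j MARK" filters below
  run /sbin/ifconfig "$ifb" up
  run "$tc" qdisc add dev "$eth" ingress
  run "$tc" qdisc add dev "$ifb" root handle 1: htb default 2
  run "$tc" class add dev "$ifb" parent 1: classid 1:1 htb quantum 9000 rate 100mbit ceil 100mbit

  # this handles LAN traffic
  run "$tc" class add dev "$ifb" parent 1:1 classid 1:2 htb quantum 9000 rate 50mbit ceil 50mbit prio 100
  run "$tc" filter add dev "$ifb" protocol ip pref 100 parent 1: handle 2 fw classid 1:2
  run "$tc" qdisc add dev "$ifb" parent 1:2 handle 2: pfifo
  run "$tc" filter add dev "$eth" parent ffff: protocol ip prio 1 u32 \
    match ip src "$my_lan" flowid 1:2 \
    action ipt -j MARK --set-mark 2 \
    action mirred egress redirect dev "$ifb"

  # this branch is for non-local traffic
  run "$tc" class add dev "$ifb" parent 1:1 classid 1:3 htb rate 10mbit ceil 10mbit

  # non-sheep and ACK inbound
  run "$tc" class add dev "$ifb" parent 1:3 classid 1:4 htb rate 9mbit ceil 10mbit prio 40
  run "$tc" filter add dev "$ifb" protocol ip pref 1 parent 1: handle 4 fw classid 1:4
  run "$tc" qdisc add dev "$ifb" parent 1:4 handle 4: sfq perturb 10 noports
  run "$tc" filter add dev "$eth" parent ffff: protocol ip prio 10 u32 \
    match ip dst 0.0.0.0/0 flowid 1:4 \
    action ipt -j MARK --set-mark 4 \
    action mirred egress redirect dev "$ifb"
  # IHL == 5, total length < 128, TCP, flags == ACK only: small pure ACKs
  run "$tc" filter add dev "$eth" parent ffff: protocol ip prio 4 u32 \
    match u8 0x05 0x0f at 0 \
    match u16 0x0000 0xff80 at 2 \
    match ip protocol 6 0xff \
    match u8 0x10 0xff at 33 \
    flowid 1:4 \
    action ipt -j MARK --set-mark 4 \
    action mirred egress redirect dev "$ifb"

  # sheep inbound
  run "$tc" class add dev "$ifb" parent 1:3 classid 1:5 htb rate 1mbit ceil 9.5mbit prio 50
  run "$tc" filter add dev "$ifb" protocol ip pref 2 parent 1: handle 5 fw classid 1:5
  run "$tc" qdisc add dev "$ifb" parent 1:5 handle 5: sfq perturb 10 noports
  run "$tc" filter add dev "$eth" parent ffff: protocol ip prio 5 u32 \
    match ip dst "$sheep_clients" flowid 1:5 \
    action ipt -j MARK --set-mark 5 \
    action mirred egress redirect dev "$ifb"

  # egress
  run "$tc" qdisc add dev "$eth" root handle 1: htb default 3
  run "$tc" class add dev "$eth" parent 1: classid 1:1 htb quantum 9000 rate 100mbit ceil 100mbit

  # this branch is for LAN traffic
  run "$tc" class add dev "$eth" parent 1:1 classid 1:101 htb quantum 9000 rate 50mbit ceil 50mbit
  run "$tc" qdisc add dev "$eth" parent 1:101 handle 101: pfifo
  egress_filter prio 1 u32 match ip dst "$my_lan" flowid 1:101

  # this branch is for non-local traffic
  run "$tc" class add dev "$eth" parent 1:1 classid 1:102 htb rate "$limit" ceil "$limit"

  # mostly interactive stuff
  run "$tc" class add dev "$eth" parent 1:102 classid 1:2 htb rate 2.0mbit ceil "$limitmp1" prio 10
  run "$tc" qdisc add dev "$eth" parent 1:2 handle 2: sfq perturb 10 noports nosrcip
  # all IPTOS_LOWDELAY stuff -- i.e. ssh interactive
  # we put ICMP here so that pings show as close to raw unadulterated latency as possible
  egress_filter prio 9 u32 match ip tos 0x10 0xff flowid 1:2  # tos = 0x10
  egress_filter prio 9 u32 match ip protocol 1 0xff flowid 1:2  # ICMP
  egress_filter prio 9 u32 match ip sport 995 0xffff flowid 1:2  # pop3s
  egress_filter prio 9 u32 match ip sport 993 0xffff flowid 1:2  # imaps
  egress_filter prio 9 u32 match ip dport 7326 0xffff flowid 1:2  # icb
  egress_filter prio 9 u32 match ip sport 25 0xffff match ip src "$mail" flowid 1:2  # mail.arctic.org:smtp
  egress_filter prio 9 u32 match ip sport 465 0xffff match ip src "$mail" flowid 1:2  # mail.arctic.org:smtps
  egress_filter prio 9 u32 match ip sport 587 0xffff match ip src "$mail" flowid 1:2  # mail.arctic.org:submission
  egress_filter prio 9 u32 match ip sport 53 0xffff flowid 1:2  # dns in
  egress_filter prio 9 u32 match ip dport 53 0xffff flowid 1:2  # dns out
  egress_filter prio 9 u32 match ip sport 123 0xffff flowid 1:2  # ntp in
  egress_filter prio 9 u32 match ip dport 123 0xffff flowid 1:2  # ntp out
  egress_filter prio 5 u32 match ip sport 443 0xffff match ip src "$sheep_clients" flowid 1:2  # ssh port 443 hack
  egress_filter prio 6 u32 \
    match u8 0x05 0x0f at 0 \
    match u16 0x0000 0xff80 at 2 \
    match ip protocol 6 0xff \
    match u8 0x10 0xff at 33 \
    flowid 1:2  # TCP ACKs < 128 bytes

  # the default class
  run "$tc" class add dev "$eth" parent 1:102 classid 1:3 htb rate 1.00mbit ceil "$limitmp1" prio 40
  run "$tc" qdisc add dev "$eth" parent 1:3 handle 3: sfq perturb 10 noports nosrcip
  egress_filter prio 10 u32 match ip dst 0.0.0.0/0 flowid 1:3  # default (ftp, smtp)
  #egress_filter prio 7 u32 match ip dst "$mulark" match ip tos 0x08 0xff flowid 1:3

  # dhaskovec's queue
  run "$tc" class add dev "$eth" parent 1:102 classid 1:7 htb rate 1.0mbit ceil "$limitmp1" prio 45
  run "$tc" qdisc add dev "$eth" parent 1:7 handle 7: sfq perturb 10 noports nosrcip
  egress_filter prio 6 u32 match ip src "$pry" flowid 1:7  # twinlark.pry.com

  # highbandwidth stuff
  run "$tc" class add dev "$eth" parent 1:102 classid 1:4 htb rate 1.00mbit ceil "$limitmp1" prio 50
  run "$tc" qdisc add dev "$eth" parent 1:4 handle 4: sfq perturb 10 noports nosrcip
  egress_filter prio 8 u32 match ip tos 0x08 0xff flowid 1:4  # any throughput
  egress_filter prio 4 u32 match ip dst "$clam" match ip src "$sheep_clients" flowid 1:4  # sheep->clam
  egress_filter prio 4 u32 match ip dst "$void" flowid 1:4  # sheep upload

  # electricsheep.org, sheepserver.net
  run "$tc" class add dev "$eth" parent 1:102 classid 1:5 htb rate 0.50mbit ceil "$limitm1" prio 60
  run "$tc" qdisc add dev "$eth" parent 1:5 handle 5: sfq perturb 10 noports nosrcip
  egress_filter prio 5 u32 match ip src "$sheep_inter" flowid 1:5  # sheepserver.net

  # sheep clients
  run "$tc" class add dev "$eth" parent 1:102 classid 1:8 htb rate 0.50mbit ceil "$limitm1" prio 60
  run "$tc" qdisc add dev "$eth" parent 1:8 handle 8: sfq perturb 10 noports nosrcip
  egress_filter prio 4 u32 match ip sport 80 0xffff match ip src "$sheep_clients" flowid 1:8
  egress_filter prio 4 u32 match ip sport 29540 0xffff match ip src "$sheep_clients" flowid 1:8

  # the bt seed has arbitrary ports
  run "$tc" class add dev "$eth" parent 1:102 classid 1:6 htb rate 0.50mbit ceil "$limitm1" prio 70
  run "$tc" qdisc add dev "$eth" parent 1:6 handle 6: sfq perturb 10 noports nosrcip
  egress_filter prio 5 u32 match ip src "$sheep_clients" flowid 1:6

  printf '%s\n' " egress."
  ;;
stop)
  stop
  ;;
status)
  # the munin script expects these labels -- keep them byte-identical
  echo "1:2 interactive, ACKs"
  echo "1:3 small www, smtp, remote backups"
  echo "1:7 pry.com"
  echo "1:4 large www, scp/sftp, sheep->archive/arces"
  echo "1:5 sheepserver.net, electricsheep.org"
  echo "1:8 sheep clients (web and bt tracker)"
  echo "1:6 sheep bittorrent seed"
  echo "==="
  "$tc" -s qdisc ls dev "$eth"
  "$tc" -s class ls dev "$eth"
  ;;
ingress_status)
  "$tc" -s qdisc ls dev "$ifb"
  "$tc" -s class ls dev "$ifb"
  ;;
*)
  # an unknown action is a caller error: say so on stderr and do not report
  # success, so a typo in an init invocation is noticed rather than leaving
  # the box unshaped
  printf 'usage: %s start|stop|restart|burst|status|ingress_status\n' "$0" >&2
  exit 2
  ;;
esac

exit "$failed"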