我希望这是一个简单的答案
问题:
- 我将名为 learn-address.sh 的 bash 脚本放在以下文件夹中:
vi /etc/openvpn/netem/learn-address.sh
- 在 .conf 文件中增加了以下 (2) 行:
script-security 3 learn-address /etc/openvpn/netem/learn-address.sh
- 并将以下权限应用于learn-address脚本:
chmod 755 /etc/openvpn/netem/learn-address.sh
但是,脚本确实更新了 tmp 文件中的文件 ($ip.classid 和 $ip.dev),并正确传递了变量
但是 bash 脚本不执行 tc class 和 filter 命令(qdisc 没有变化)
当用户连接到 OpenVPN 时调用 learn-address 脚本时,我将在脚本上使用什么权限来执行 tc class 和 filter 命令,或者我是否遗漏了其他内容?
非常感谢
脚本名称:learn-address.sh
#!/bin/bash
statedir=/tmp/
function bwlimit-enable() {
ip=$1
user=$2
dev=eth0
# Disable if already enabled.
bwlimit-disable $ip
# Find unique classid.
if [ -f $statedir/$ip.classid ]; then
# Reuse this IP's classid
classid=`cat $statedir/$ip.classid`
else
if [ -f $statedir/last_classid ]; then
classid=`cat $statedir/last_classid`
classid=$((classid+1))
else
classid=1
fi
echo $classid > $statedir/last_classid
fi
# Find this user's bandwidth limit
# downrate: from VPN server to the client
# uprate: from client to the VPN server
if [ "$user" == "myuser" ]; then
downrate=10mbit
uprate=10mbit
elif [ "$user" == "anotheruser"]; then
downrate=2mbit
uprate=2mbit
else
downrate=5mbit
uprate=5mbit
fi
# Limit traffic from VPN server to client
tc class add dev $dev parent 1: classid 1:$classid htb rate $downrate
tc filter add dev $dev protocol all parent 1:0 prio 1 u32 match ip dst $ip/32 flowid 1:$classid
# Limit traffic from client to VPN server
tc filter add dev $dev parent ffff: protocol all prio 1 u32 match ip src $ip/32 police rate $uprate burst 80k drop flowid :$classid
# Store classid and dev for further use.
echo $classid > $statedir/$ip.classid
echo $dev > $statedir/$ip.dev
}
function bwlimit-disable() {
ip=$1
if [ ! -f $statedir/$ip.classid ]; then
return
fi
if [ ! -f $statedir/$ip.dev ]; then
return
fi
classid=`cat $statedir/$ip.classid`
dev=`cat $statedir/$ip.dev`
tc filter del dev $dev protocol all parent 1:0 prio 1 u32 match ip dst $ip/32
tc class del dev $dev classid 1:$classid
tc filter del dev $dev parent ffff: protocol all prio 1 u32 match ip src $ip/32
# Remove .dev but keep .classid so it can be reused.
rm $statedir/$ip.dev
}
# Make sure queueing discipline is enabled.
tc qdisc add dev $dev root handle 1: htb 2>/dev/null || /bin/true
tc qdisc add dev $dev handle ffff: ingress 2>/dev/null || /bin/true
case "$1" in
add|update)
bwlimit-enable $2 $3
;;
delete)
bwlimit-disable $2
;;
*)
echo "$0: unknown operation [$1]" >&2
exit 1
;;
esac
exit 0
答案1
$dev
在两次调用 tc 时均未设置,
# Make sure queueing discipline is enabled.
tc qdisc add dev $dev root handle 1: htb 2>/dev/null || /bin/true
tc qdisc add dev $dev handle ffff: ingress 2>/dev/null || /bin/true
这决定
tc qdisc add dev root handle 1: htb
最有可能的错误被传送到/dev/null
将此行替换为
# Make sure queueing discipline is enabled.
dev=eth0
tc qdisc add dev $dev root handle 1: htb 2>/tmp/tqa-root.err || /bin/true
tc qdisc add dev $dev handle ffff: ingress 2>/tmp/tqa-handle.err || /bin/true