#!/bin/bash
# ultimate.sh.S for ns.chsoft.biz
# Based on Wonder Shaper v1.1a
echo "/usr/sbin/ultimate.sh.S:  "

# This part shapes on the external interface: INTERNET <--- SERVERS
# See #*** INGRESS below for the internal interface.

# Please read the README before filling out these values.
# Set the following values to somewhat less than your actual download
# and uplink speed in kilobits.  Also set the device that is to be shaped.

# Start with 50%, increase until high latency returns, reduce... 
# kilobits/8 = Kbytes
# Example: DNLINK=800
DNLINK=4000		# * * * * THIS LIMITS EVERYTHING * * * *
sDNLINK=4600		# SkyRiver DSL has tested over 4600
UPLINK=900		# egress shaping (HTB shape outgoing) NextWeb DSL
sUPLINK=1350		# SkyRiver DSL (1500*.9=1350)
# Example: nDEV=ppp0
iDEV=eth0		# Ingress NIC
nDEV=eth1		# Egress NIC or, if you prefer, External Interface
sDEV=eth2		# SkyRiver (2nd DSL)

nNEWS="206.72.89.155"	# news.chsoft.biz
sNEWS="66.209.101.195"	# news.chsoft.biz
nYIC="206.72.89.194"	# yesican.chsoft.biz
sYIC="66.209.101.194"	# yesican.chsoft.biz

HUNP="205.215.62.0/24"	# 100proofnews
ADE="216.196.97.0/24"	# adelphia.net
ATJ="68.171.136.91"	# andthatsjazz
ADE3="216.196.97.142"	# news3.news.adelphia.net and news.iswest.com
CHS="206.72.89.152/29"	# skypipeline (chsoft.biz)
HBED1="62.146.66.160/27" # H+BEDV (antivirus)
HBED2="217.11.60.0/27"	# H+BEDV (antivirus)
ISW1="207.178.128.0/24"	# iswest
ISW2="216.166.71.0/24"	# iswest
ISW3="216.196.105.0/24"	# iswest (giganews)
NXTW="64.136.135.0/24"	# next web (pings me)
QWE1="63.231.195.0/24"	# qwest
QWE2="207.225.159.0/24"	# qwest
SKYN="207.106.92.0/24"	# skypipeline news
SKY="207.106.93.0/24"	# skypipeline
TERA="66.150.105.0/24"	# teranews
UNS1="63.223.5.0/24"	# usenetserver (west = nntp2)
UNS2="64.154.60.0/24"	# usenetserver
YAHO="66.218.0.0/16"	# yahoo
YAH="66.218.95.195"	# yahoo.com
YAHM="66.218.79.89"	# mail.yahoo.com
YAHL="66.218.75.184"	# login.yahoo.com

###### EXPLANATION
# See 'INGRESS' below for information about incoming packets.  All of this
# except for that refers to queueing outgoing packets.
#
# Most of what is sent goes out on a randomly selected high SOURCE port 
# ('sport') to a specific DESTINATION port ('dport').  For example, an http 
# request is sent with 'dport' = 80 and 'sport' = random.  Therefore, 'sport'
# specifications are rarely applicable.  The port number is located in the
# packet header and is specified thus:
# "u32 match ip dport PORT# 0xffff" or "u32 match ip sport PORT# 0xffff"
#
# Since shaping means quequeing OUTGOING packets, your IP Address(es) are 
# SOURCEs ('src') and the remote machine's IP Address(es) are DESTINATIONs 
# ('dst') - so, as with 'sport', 'src' specifications are rarely applicable. 
# The IP Address is located in the packet header and is specified thus:
# "u32 match ip src IP-ADDRESS" or "u32 match ip dst IP-ADDRESS"
#
# Read the HOWTO "All the filtering commands you will normally need" for
# protocol information (TCP, UDP, ICMP, GRE, IPSEC).  Also see the TOS and
# ICMP sections below.
######

# Sometimes you may notice low priority OUTGOING traffic slowing down important
# traffic. In that case, the following eLoPrio options may help you:

#			Ports:
# eLoPrioSPORT ('sport')
#	Set this to source ports that should have low priority.  If you have
#	an unimportant webserver on your traffic, set this to 80.
# These go into class 40
#   (some ports        ) 20   21    22 23 25   53  80   113   119  873 
#   (and what they are:) FTPd FTPc  SSH   SMTP DNS HTTP IDENT NNTP Rsync
# Matches (apparently) nothing.
eLoPrioSPORT="21 23 67 68 79 135 137 138 139 389 445 446 901 1026 1027 1028 1029 1234 5018"

# eHiPrioSPORT ('sport')
# These go into class 20
# *** Make sure no eLoPrioSPORTs are duplicated here! ***
# Matches (apparently) nothing.
eHiPrioSPORT=""

# eLoPrioDPORT ('dport')
#	Set this to destination ports that should have low priority. 
# The following are from my TARPIT list: 79 135 137 138 139 445 901
# Matches DIR=FROM? remote:PORT
eLoPrioDPORT="21 23 67 68 79 135 137 138 139 389 445 446 901 1026 1027 1028 1029 1234 5018"

# eHiPrioDPORT ('dport')
# *** Make sure no eLoPrioDPORTs are duplicated here! ***
# Matches DIR=FROM? ?:PORT
eHiPrioDPORT="22 53 113 123 5900 5901 6502 8200"

#			IPs / Netmasks:
# Set this to hosts or netmasks in your network that should have low priority.
# Low priority OUTGOING traffic.  You can leave this blank if you want.
# Matches (apparently) nothing.
eLoPrioCIDR_Src=""

# See EXPLANATION above; these do not need to be here.
# Matches (apparently) nothing.
#ex eHiPrioCIDR_Src="$ADE3 $ATJ $ISW1 $ISW2 $SKYN $UNS1"
eHiPrioCIDR_Src=""

# Set this to hosts or netmasks on the internet that should have low priority.
# Matches FROM REMOTE
eLoPrioCIDR_Dst="221.0.0.0/8 $nNEWS $NXTW"

# high priority destination netmasks ('dst'):
# Matches DIR? REMOTE:IP
#eHiPrioCIDR_Dst="$ADE3 $ATJ $ISW1 $ISW2 $SKYN $UNS1"
eHiPrioCIDR_Dst="$ATJ $HBED1 $HBED2"

if [ "$1" = "status" ]; then
   if [ "$2" = "" ] || [ "$2" = "e" ]; then
	echo "Sent on $nDEV (NextWeb):"
#	tc -s filter show dev $nDEV
	tc -s qdisc ls dev $nDEV
	tc -s class ls dev $nDEV
	echo "Sent on $sDEV (SkyRiver):"
#	tc -s filter show dev $sDEV
	tc -s qdisc ls dev $sDEV
	tc -s class ls dev $sDEV
	echo "'rate #bit' means Bytes per Second"
   fi
   if [ "$2" = "" ] || [ "$2" = "i" ]; then
	echo "Sent on $iDEV:"
#	tc -s filter show dev $iDEV
	tc -s qdisc ls dev $iDEV
	tc -s class ls dev $iDEV
	echo "'rate #bit' means Bytes per Second"
   fi
	exit
fi

# clean existing down- and uplink qdiscs, hide errors
tc qdisc del dev $nDEV root	2> /dev/null > /dev/null
tc qdisc del dev $sDEV root	2> /dev/null > /dev/null
tc qdisc del dev $nDEV ingress	2> /dev/null > /dev/null
tc qdisc del dev $sDEV ingress	2> /dev/null > /dev/null
tc qdisc del dev $iDEV root	2> /dev/null > /dev/null
tc qdisc del dev $iDEV ingress	2> /dev/null > /dev/null
modprobe -r sch_htb
modprobe -r sch_ingress
modprobe -r sch_esfq
modprobe -r cls_u32

if [ "$1" = "stop" ]; then 
	exit
fi

###### uplink (EGRESS)
# Install root HTB, point default traffic to 1:30:
tc qdisc add dev $nDEV root handle 1: htb default 30

# Shape everything at $UPLINK speed - this prevents huge queues in your
# DSL modem which destroy latency:
tc class add dev $nDEV parent 1: classid 1:1 htb rate ${UPLINK}kbit burst 6k

# High prio (interactive) class 1:10:
tc class add dev $nDEV parent 1:1 classid 1:10 htb rate ${UPLINK}kbit \
   burst 6k quantum 1514 prio 1

# Accelerated class 1:20 - the HIPRIO stuff:
tc class add dev $nDEV parent 1:1 classid 1:20 htb rate $[96*$UPLINK/100]kbit \
   ceil $[98*$UPLINK/100]kbit burst 5k quantum 1514 prio 2

# Bulk & default class 1:30 - gets a low priority:
tc class add dev $nDEV parent 1:1 classid 1:30 htb rate $[65*$UPLINK/100]kbit \
   ceil $[90*$UPLINK/100]kbit burst 5k quantum 1514 prio 3

# Penalized class 1:40 - the LOPRIO stuff gets the lowest rate and priority:
tc class add dev $nDEV parent 1:1 classid 1:40 htb rate $[05*$UPLINK/100]kbit \
   ceil $[10*$UPLINK/100]kbit burst 1k quantum 1514 prio 4

# Some get Stochastic Fairness:
# LARTC mailing list indicates that interactive should not be included.  Andy
# Furniss suggests that bulk be the only thing subject to SF.  I set a long
# perturb for accelerated and exclude interactive.
#tc qdisc add dev $nDEV parent 1:10 handle 10: esfq limit 64 depth 64 divisor 10 hash classic perturb 20
tc qdisc add dev $nDEV parent 1:20 handle 20: esfq limit 64 depth 64 divisor 10 hash classic perturb 99
tc qdisc add dev $nDEV parent 1:30 handle 30: esfq limit 64 depth 64 divisor 10 hash classic perturb 20
tc qdisc add dev $nDEV parent 1:40 handle 40: esfq limit 64 depth 64 divisor 10 hash classic perturb 20

###### Accelerate (interactive) the following:
# To speed up downloads while an upload is going on, put ACK packets in
# the interactive class 1:10:
# IP header length 0x5 (32 bit words)
# IP total length 0x34 (ACK + 12 bytes of TCP options)
# TCP ACK set (bit 5, offset 33)
# ("at nexthdr+33" = "at 13")

## Match ACK on all TCP packets with the ACK bit set:
## Caveat!: This can match packets up to 64K; don't do it.  Match small.
#tc filter add dev $nDEV parent 1: protocol ip prio 5 u32 \
#    match ip protocol 6 0xff \
#    match u8 0x10 0xff at nexthdr+13 \
#    flowid 1:10

# Match TCP packets smaller than 64 bytes:
# Because of the mask, can only match powers of 2 (32, 64, 128...).
# Remarked out ACK, normally 5th line:  match u8 0x10 0xff at 33 \
# "match u8 0x05 0x0f at 0" makes sure the IP header is 20 bytes.
tc filter add dev $nDEV parent 1: protocol ip prio 5 u32 \
    match ip protocol 6 0xff \
    match u8 0x05 0x0f at 0 \
    match u16 0x0000 0xffc0 at 2 \
    flowid 1:10

###### Some traffic is preferred, so in our class 1:20:
for a in $eHiPrioDPORT; do
 	tc filter add dev $nDEV parent 1: protocol ip prio 5 u32 \
	   match ip dport $a 0xffff flowid 1:20
done
for a in $eHiPrioSPORT; do
 	tc filter add dev $nDEV parent 1: protocol ip prio 5 u32 \
	   match ip sport $a 0xffff flowid 1:20
done
for a in $eHiPrioCIDR_Src; do
 	tc filter add dev $nDEV parent 1: protocol ip prio 5 u32 \
	   match ip src $a flowid 1:20
done
for a in $eHiPrioCIDR_Dst; do
 	tc filter add dev $nDEV parent 1: protocol ip prio 5 u32 \
	   match ip dst $a flowid 1:20
done

###### Give these short shrift:
# Penalized traffic suffers a worse fate in our slowest class 1:40:
for a in $eLoPrioDPORT; do
	tc filter add dev $nDEV parent 1: protocol ip prio 5 u32 \
	   match ip dport $a 0xffff flowid 1:40
done
for a in $eLoPrioSPORT; do
 	tc filter add dev $nDEV parent 1: protocol ip prio 5 u32 \
	   match ip sport $a 0xffff flowid 1:40
done
for a in $eLoPrioCIDR_Src; do
 	tc filter add dev $nDEV parent 1: protocol ip prio 5 u32 \
	   match ip src $a flowid 1:40
done
for a in $eLoPrioCIDR_Dst; do
 	tc filter add dev $nDEV parent 1: protocol ip prio 5 u32 \
	   match ip dst $a flowid 1:40
done
if [ -f /etc/firewall/shitlist ]; then
   while read SLIST; do
      SLIST=$(echo "$SLIST" | awk '{print $1}')
      tc filter add dev $nDEV parent 1: protocol ip prio 5 u32 \
         match ip dst $SLIST flowid 1:40
   done </etc/firewall/shitlist
fi

###### Everything else is non-interactive / bulk and ends up in class 1:30
# ICMP (ip protocol 1) WAS in the interactive class 1:10 but it is bulk now...
tc filter add dev $nDEV parent 1: protocol ip prio 5 u32 \
        match ip protocol 0 0xff flowid 1:30
tc filter add dev $nDEV parent 1: protocol ip prio 5 u32 \
        match ip protocol 1 0xff flowid 1:30
tc filter add dev $nDEV parent 1: protocol ip prio 5 u32 \
        match ip protocol 6 0xff flowid 1:30
tc filter add dev $nDEV parent 1: protocol ip prio 5 u32 \
        match ip protocol 17 0xff flowid 1:30
#tc filter add dev $nDEV parent 1: protocol ip prio 5 u32 \
#   	match ip dst 0.0.0.0/0 flowid 1:30

#*** INGRESS
# This part shapes on the internal interface: INTERNET ---> SERVERS

# iLoPrioSPORT ('sport')
#	Set this to source ports that should have low priority.
# These go into class 40
#   (some ports        ) 20   21    22 23 25   53  80   113   119  873 
#   (and what they are:) FTPd FTPc  SSH   SMTP DNS HTTP IDENT NNTP Rsync
# Matches FROM REMOTE:PORT TO SERVERS
iLoPrioSPORT="23 79 135 137 138 139 389 445 446 901 1026 1027 1028 1029 5018"

# iHiPrioSPORT ('sport')
# These go into class 20
# *** Make sure no iLoPrioSPORTs are duplicated here! ***
# Matches FROM REMOTE:PORT TO SERVERS
iHiPrioSPORT="20 21 22 53 80 113 123 5900 5901 6502 8200"

# iLoPrioDPORT ('dport')
#	Set this to destination ports that should have low priority. 
# Matches (apparently) nothing.
iLoPrioDPORT="23 79 135 137 138 139 389 445 446 901 1026 1027 1028 1029 5018"

# iHiPrioDPORT ('dport')
# *** Make sure no iLoPrioDPORTs are duplicated here! ***
# Matches DIR=? ?:PORT
iHiPrioDPORT="20 21 22 53 80 113 123 5900 5901 6502 8200"

#			IPs / Netmasks:
# Matches DIR=? REMOTE:IP
iLoPrioCIDR_Src="$NXTW"

# Matches DIR=? REMOTE:IP
#ex iHiPrioCIDR_Src="$ADE3 $ATJ $ISW1 $ISW2 $SKYN $UNS1"
iHiPrioCIDR_Src="$ATJ $HBED1 $HBED2 $nYES $sYES"

# Matches (apparently) nothing.
#ex iLoPrioCIDR_Dst="221.0.0.0/8"
iLoPrioCIDR_Dst="$NXTW"

# Matches (apparently) nothing.
#ex iHiPrioCIDR_Dst="$ADE3 $ATJ $ISW1 $ISW2 $SKYN $UNS1"
iHiPrioCIDR_Dst="$ATJ $HBED1 $HBED2 $nYES $sYES"

###### downlink (ingress)
# Install root HTB, point default traffic to 1:30:
tc qdisc add dev $iDEV root handle 1: htb default 30

# Shape everything at $DNLINK speed
tc class add dev $iDEV parent 1: classid 1:1 htb rate ${DNLINK}kbit burst 6k

# High prio (interactive) class 1:10:
tc class add dev $iDEV parent 1:1 classid 1:10 htb rate ${DNLINK}kbit \
   burst 6k quantum 1514 prio 1

# Accelerated class 1:20 - the HIPRIO stuff:
tc class add dev $iDEV parent 1:1 classid 1:20 htb rate $[96*$DNLINK/100]kbit \
   ceil $[98*$DNLINK/100]kbit burst 5k quantum 1514 prio 2

# Bulk & default class 1:30 - gets a low priority:
tc class add dev $iDEV parent 1:1 classid 1:30 htb rate $[33*$DNLINK/100]kbit \
   ceil $[50*$DNLINK/100]kbit burst 5k quantum 1514 prio 3

# Penalized class 1:40 - the LOPRIO stuff gets the lowest rate and priority:
tc class add dev $iDEV parent 1:1 classid 1:40 htb rate $[01*$DNLINK/100]kbit \
   ceil $[02*$DNLINK/100]kbit burst 1k quantum 1514 prio 4

# Some get Stochastic Fairness:
# LARTC mailing list indicates that interactive should not be included.  Andy
# Furniss suggests that bulk be the only thing subject to SF.  I set a long
# perturb for accelerated and exclude interactive.
#tc qdisc add dev $iDEV parent 1:10 handle 10: esfq limit 64 depth 64 divisor 10 hash classic perturb 20
tc qdisc add dev $iDEV parent 1:20 handle 20: esfq limit 64 depth 64 divisor 10 hash classic perturb 99
tc qdisc add dev $iDEV parent 1:30 handle 30: esfq limit 64 depth 64 divisor 10 hash classic perturb 20
tc qdisc add dev $iDEV parent 1:40 handle 40: esfq limit 64 depth 64 divisor 10 hash classic perturb 20

###### Accelerate (interactive) the following:
# To speed up downloads while an upload is going on, put ACK packets in
# the interactive class 2:15:
# IP header length 0x5 (32 bit words)
# IP total length 0x34 (ACK + 12 bytes of TCP options)
# TCP ACK set (bit 5, offset 33)
# ("at nexthdr+33" = "at 13")

## Match ACK on all TCP packets with the ACK bit set:
## Caveat!: This can match packets up to 64K; Don't do it.  Match small.
#tc filter add dev $iDEV parent 1: protocol ip prio 5 u32 \
#    match ip protocol 6 0xff \
#    match u8 0x10 0xff at nexthdr+13 \
#    flowid 1:10

# Match TCP packets smaller than 64 bytes:
# Remarked out ACK, normally 5th line:  match u8 0x10 0xff at 33 \
# "match u8 0x05 0x0f at 0" makes sure the IP header is 20 bytes.
tc filter add dev $iDEV parent 1: protocol ip prio 5 u32 \
    match ip protocol 6 0xff \
    match u8 0x05 0x0f at 0 \
    match u16 0x0000 0xffc0 at 2 \
    flowid 1:10
 
###### Some traffic is preferred, so in our class 1:20:
for a in $iHiPrioDPORT; do
 	tc filter add dev $iDEV parent 1: protocol ip prio 5 u32 \
	   match ip dport $a 0xffff flowid 1:20
done
for a in $iHiPrioSPORT; do
 	tc filter add dev $iDEV parent 1: protocol ip prio 5 u32 \
	   match ip sport $a 0xffff flowid 1:20
done
for a in $iHiPrioCIDR_Src; do
 	tc filter add dev $iDEV parent 1: protocol ip prio 5 u32 \
	   match ip src $a flowid 1:20
done
for a in $iHiPrioCIDR_Dst; do
 	tc filter add dev $iDEV parent 1: protocol ip prio 5 u32 \
	   match ip dst $a flowid 1:20
done

###### Give these short shrift:
# Penalized traffic suffers a worse fate in our slowest class 1:40:
for a in $iLoPrioDPORT; do
	tc filter add dev $iDEV parent 1: protocol ip prio 5 u32 \
	   match ip dport $a 0xffff flowid 1:40
done
for a in $iLoPrioSPORT; do
 	tc filter add dev $iDEV parent 1: protocol ip prio 5 u32 \
	   match ip sport $a 0xffff flowid 1:40
done
for a in $iLoPrioCIDR_Src; do
 	tc filter add dev $iDEV parent 1: protocol ip prio 5 u32 \
	   match ip src $a flowid 1:40
done
for a in $iLoPrioCIDR_Dst; do
 	tc filter add dev $iDEV parent 1: protocol ip prio 5 u32 \
	   match ip dst $a flowid 1:40
done
if [ -f /etc/firewall/shitlist ]; then
   while read SLIST; do
      SLIST=$(echo "$SLIST" | awk '{print $1}')
      tc filter add dev $iDEV parent 1: protocol ip prio 5 u32 \
         match ip dst $SLIST flowid 1:40
   done </etc/firewall/shitlist
fi

###### Everything else is non-interactive / bulk and ends up in class 1:30
tc filter add dev $iDEV parent 1: protocol ip prio 5 u32 \
        match ip protocol 0 0xff flowid 1:30
tc filter add dev $iDEV parent 1: protocol ip prio 5 u32 \
        match ip protocol 1 0xff flowid 1:30
tc filter add dev $iDEV parent 1: protocol ip prio 5 u32 \
        match ip protocol 6 0xff flowid 1:30
tc filter add dev $iDEV parent 1: protocol ip prio 5 u32 \
        match ip protocol 17 0xff flowid 1:30

###### downlink
# Slow downloads down to somewhat less than the real speed to prevent queuing
# at our ISP.  Tune to see how high you can set it.  ISPs tend to have *huge*
# queues to make sure big downloads are fast.  It is a pity, but this is all
# that can be done with INCOMING packets...
#
# Attach ingress policer:
tc qdisc add dev $nDEV handle ffff: ingress

# Filter *everything* to it (0.0.0.0/0); drop everything coming in too fast:
tc filter add dev $nDEV parent ffff: protocol ip prio 50 u32 match ip src \
   0.0.0.0/0 police rate ${DNLINK}kbit burst 10k drop flowid :1

# Repeat for SkyRiver DSL:
###### uplink (EGRESS) for SkyRiver DSL
# Install root HTB, point default traffic to 1:30:
tc qdisc add dev $sDEV root handle 1: htb default 30

# Shape everything at $sUPLINK speed - this prevents huge queues in your
# DSL modem which destroy latency:
tc class add dev $sDEV parent 1: classid 1:1 htb rate ${sUPLINK}kbit burst 6k

# High prio (interactive) class 1:10:
tc class add dev $sDEV parent 1:1 classid 1:10 htb rate ${sUPLINK}kbit \
   burst 6k quantum 1514 prio 1

# Accelerated class 1:20 - the HIPRIO stuff:
tc class add dev $sDEV parent 1:1 classid 1:20 htb rate $[96*$sUPLINK/100]kbit \
   ceil $[98*$sUPLINK/100]kbit burst 5k quantum 1514 prio 2

# Bulk & default class 1:30 - gets a low priority:
tc class add dev $sDEV parent 1:1 classid 1:30 htb rate $[65*$sUPLINK/100]kbit \
   ceil $[90*$sUPLINK/100]kbit burst 5k quantum 1514 prio 3

# Penalized class 1:40 - the LOPRIO stuff gets the lowest rate and priority:
tc class add dev $sDEV parent 1:1 classid 1:40 htb rate $[05*$sUPLINK/100]kbit \
   ceil $[10*$sUPLINK/100]kbit burst 1k quantum 1514 prio 4

# Some get Stochastic Fairness:
# LARTC mailing list indicates that interactive should not be included.  Andy
# Furniss suggests that bulk be the only thing subject to SF.  I set a long
# perturb for accelerated and exclude interactive.
#tc qdisc add dev $sDEV parent 1:10 handle 10: esfq limit 64 depth 64 divisor 10 hash classic perturb 20
tc qdisc add dev $sDEV parent 1:20 handle 20: esfq limit 64 depth 64 divisor 10 hash classic perturb 99
tc qdisc add dev $sDEV parent 1:30 handle 30: esfq limit 64 depth 64 divisor 10 hash classic perturb 20
tc qdisc add dev $sDEV parent 1:40 handle 40: esfq limit 64 depth 64 divisor 10 hash classic perturb 20

###### Accelerate (interactive) the following:
# To speed up downloads while an upload is going on, put ACK packets in
# the interactive class 1:10:
# IP header length 0x5 (32 bit words)
# IP total length 0x34 (ACK + 12 bytes of TCP options)
# TCP ACK set (bit 5, offset 33)
# ("at nexthdr+33" = "at 13")

## Match ACK on all TCP packets with the ACK bit set:
## This can match packets up to 64K; don't do it.  Match small.
#tc filter add dev $sDEV parent 1: protocol ip prio 5 u32 \
#    match ip protocol 6 0xff \
#    match u8 0x10 0xff at nexthdr+13 \
#    flowid 1:10

# Match TCP packets smaller than 64 bytes:
# Remarked out ACK, normally 5th line:  match u8 0x10 0xff at 33 \
# "match u8 0x05 0x0f at 0" makes sure the IP header is 20 bytes.
tc filter add dev $sDEV parent 1: protocol ip prio 5 u32 \
    match ip protocol 6 0xff \
    match u8 0x05 0x0f at 0 \
    match u16 0x0000 0xffc0 at 2 \
    flowid 1:10

###### Some traffic is preferred, so in our class 1:20:
for a in $eHiPrioDPORT; do
 	tc filter add dev $sDEV parent 1: protocol ip prio 5 u32 \
	   match ip dport $a 0xffff flowid 1:20
done
for a in $eHiPrioSPORT; do
 	tc filter add dev $sDEV parent 1: protocol ip prio 5 u32 \
	   match ip sport $a 0xffff flowid 1:20
done
for a in $eHiPrioCIDR_Src; do
 	tc filter add dev $sDEV parent 1: protocol ip prio 5 u32 \
	   match ip src $a flowid 1:20
done
for a in $eHiPrioCIDR_Dst; do
 	tc filter add dev $sDEV parent 1: protocol ip prio 5 u32 \
	   match ip dst $a flowid 1:20
done

###### Give these short shrift:
# Penalized traffic suffers a worse fate in our slowest class 1:40:
for a in $eLoPrioDPORT; do
	tc filter add dev $sDEV parent 1: protocol ip prio 5 u32 \
	   match ip dport $a 0xffff flowid 1:40
done
for a in $eLoPrioSPORT; do
 	tc filter add dev $sDEV parent 1: protocol ip prio 5 u32 \
	   match ip sport $a 0xffff flowid 1:40
done
for a in $eLoPrioCIDR_Src; do
 	tc filter add dev $sDEV parent 1: protocol ip prio 5 u32 \
	   match ip src $a flowid 1:40
done
for a in $eLoPrioCIDR_Dst; do
 	tc filter add dev $sDEV parent 1: protocol ip prio 5 u32 \
	   match ip dst $a flowid 1:40
done
if [ -f /etc/firewall/shitlist ]; then
   while read SLIST; do
      SLIST=$(echo "$SLIST" | awk '{print $1}')
      tc filter add dev $sDEV parent 1: protocol ip prio 5 u32 \
         match ip dst $SLIST flowid 1:40
   done </etc/firewall/shitlist
fi

###### Everything else is non-interactive / bulk and ends up in class 1:30
# ICMP (ip protocol 1) WAS in the interactive class 1:10 but it is bulk now...
tc filter add dev $sDEV parent 1: protocol ip prio 5 u32 \
        match ip protocol 0 0xff flowid 1:30
tc filter add dev $sDEV parent 1: protocol ip prio 5 u32 \
        match ip protocol 1 0xff flowid 1:30
tc filter add dev $sDEV parent 1: protocol ip prio 5 u32 \
        match ip protocol 6 0xff flowid 1:30
tc filter add dev $sDEV parent 1: protocol ip prio 5 u32 \
        match ip protocol 17 0xff flowid 1:30
#tc filter add dev $sDEV parent 1: protocol ip prio 5 u32 \
#   	match ip dst 0.0.0.0/0 flowid 1:30

###### downlink
# Slow downloads down to somewhat less than the real speed to prevent queuing
# at our ISP.  Tune to see how high you can set it.  ISPs tend to have *huge*
# queues to make sure big downloads are fast.  It is a pity, but this is all
# that can be done with INCOMING packets...
#
# Attach ingress policer:
tc qdisc add dev $sDEV handle ffff: ingress

# Filter *everything* to it (0.0.0.0/0); drop everything coming in too fast:
tc filter add dev $sDEV parent ffff: protocol ip prio 50 u32 match ip src \
   0.0.0.0/0 police rate ${sDNLINK}kbit burst 10k drop flowid :1

# Done ultimate.sh.S