我希望这是一个简单的答案
问题:
script-security 3 learn-address /etc/openvpn/netem/learn-address.sh
chmod 755 /etc/openvpn/netem/learn-address.sh
但是,脚本会更新tmp文件中的文件($ ip.classid和$ ip.dev)并正确传递这些variables
但是bash脚本不执行tc类和filter命令(对qdisc没有改变)
当用户连接到OpenVPN时调用学习地址脚本时,我将在脚本上使用什么权限来执行tc类和filter命令?还是还有其他我错过的东西?
非常感谢
脚本名称:learn-address.sh
#!/bin/bash statedir=/tmp/ function bwlimit-enable() { ip=$1 user=$2 dev=eth0 # Disable if already enabled. bwlimit-disable $ip # Find unique classid. if [ -f $statedir/$ip.classid ]; then # Reuse this IP's classid classid=`cat $statedir/$ip.classid` else if [ -f $statedir/last_classid ]; then classid=`cat $statedir/last_classid` classid=$((classid+1)) else classid=1 fi echo $classid > $statedir/last_classid fi # Find this user's bandwidth limit # downrate: from VPN server to the client # uprate: from client to the VPN server if [ "$user" == "myuser" ]; then downrate=10mbit uprate=10mbit elif [ "$user" == "anotheruser"]; then downrate=2mbit uprate=2mbit else downrate=5mbit uprate=5mbit fi # Limit traffic from VPN server to client tc class add dev $dev parent 1: classid 1:$classid htb rate $downrate tc filter add dev $dev protocol all parent 1:0 prio 1 u32 match ip dst $ip/32 flowid 1:$classid # Limit traffic from client to VPN server tc filter add dev $dev parent ffff: protocol all prio 1 u32 match ip src $ip/32 police rate $uprate burst 80k drop flowid :$classid # Store classid and dev for further use. echo $classid > $statedir/$ip.classid echo $dev > $statedir/$ip.dev } function bwlimit-disable() { ip=$1 if [ ! -f $statedir/$ip.classid ]; then return fi if [ ! -f $statedir/$ip.dev ]; then return fi classid=`cat $statedir/$ip.classid` dev=`cat $statedir/$ip.dev` tc filter del dev $dev protocol all parent 1:0 prio 1 u32 match ip dst $ip/32 tc class del dev $dev classid 1:$classid tc filter del dev $dev parent ffff: protocol all prio 1 u32 match ip src $ip/32 # Remove .dev but keep .classid so it can be reused. rm $statedir/$ip.dev } # Make sure queueing discipline is enabled. tc qdisc add dev $dev root handle 1: htb 2>/dev/null || /bin/true tc qdisc add dev $dev handle ffff: ingress 2>/dev/null || /bin/true case "$1" in add|update) bwlimit-enable $2 $3 ;; delete) bwlimit-disable $2 ;; *) echo "$0: unknown operation [$1]" >&2 exit 1 ;; esac exit 0
$dev在两次调用tc时未被设置,
# Make sure queueing discipline is enabled. tc qdisc add dev $dev root handle 1: htb 2>/dev/null || /bin/true tc qdisc add dev $dev handle ffff: ingress 2>/dev/null || /bin/true
这个resolv来
tc qdisc add dev root handle 1: htb
最有可能是一个错误pipe道到/dev/null
用这个行代替
# Make sure queueing discipline is enabled. dev=eth0 tc qdisc add dev $dev root handle 1: htb 2>/tmp/tqa-root.err || /bin/true tc qdisc add dev $dev handle ffff: ingress 2>/tmp/tqa-handle.err || /bin/true