From 77bfd7351d9585910a6d3d59e0b88de80ec35bb5 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Fri, 6 Jul 2018 11:21:18 +0200
Subject: [PATCH] do some basic traffic shaping on soriano
---
 modules/roles/manifests/security_tracker.pp | 16 ++++++++++++++
 .../templates/security-tracker/traffic-shape | 22 +++++++++++++++++++
 2 files changed, 38 insertions(+)
 create mode 100755 modules/roles/templates/security-tracker/traffic-shape
diff --git a/modules/roles/manifests/security_tracker.pp b/modules/roles/manifests/security_tracker.pp
index 6319fbd8e..40ed08a76 100644
--- a/modules/roles/manifests/security_tracker.pp
+++ b/modules/roles/manifests/security_tracker.pp
@@ -12,4 +12,20 @@ class roles::security_tracker {
 site => 'security-tracker.debian.org',
 content => template('roles/apache-security-tracker.debian.org.conf.erb')
 }
+
+ # traffic shaping http traffic
+ @ferm::rule { 'dsa-security-tracker-shape':
+ table => 'mangle',
+ chain => 'OUTPUT',
+ rule => "proto tcp dport 443 MARK set-mark 20",
+ }
+
+ file { '/usr/local/sbin/traffic-shape':
+ mode => '0755',
+ content => template('roles/security-tracker/traffic-shape'),
+ notify => Exec['/usr/local/sbin/traffic-shape'],
+ }
+ exec { '/usr/local/sbin/traffic-shape':
+ refreshonly => true
+ }
 }
diff --git a/modules/roles/templates/security-tracker/traffic-shape b/modules/roles/templates/security-tracker/traffic-shape
new file mode 100755
index 000000000..947252f7f
--- /dev/null
+++ b/modules/roles/templates/security-tracker/traffic-shape
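Review bot: The ferm rule marks `proto tcp dport 443` in the mangle OUTPUT chain, which matches connections this host itself opens to a remote port 443, not the responses of the local HTTPS service, whose outgoing packets carry source port 443; the script's own commented-out equivalent uses `--sport 443`. If the intent is to shape served traffic, the rule should read `rule => "proto tcp sport 443 MARK set-mark 20",`. Separately, `refreshonly => true` means the tc setup is only (re)applied when the template content changes, so the qdisc and classes, which do not survive a reboot, are silently gone after one until the file next changes; consider replacing refreshonly with an `unless` that checks whether the htb root qdisc `1:` is present on the device, or a boot-time hook. The enclosing class roles::security_tracker starts before this hunk.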
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+tc qdisc del dev eth0 root
+tc qdisc add dev eth0 root handle 1:0 htb default 10
+tc class add dev eth0 parent 1:0 classid 1:10 htb rate 1gbps prio 0
+tc class add dev eth0 parent 1:0 classid 1:20 htb rate 20mbit ceil 16mbit prio 0
+tc class add dev eth0 parent 1:0 classid 1:30 htb rate 1mbit ceil 1mbit prio 0
+
+tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 20 fw flowid 1:20
+tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 30 fw flowid 1:30
+
+ipset -exist create http_abuser hash:ip timeout 3600
+
+# iptables -I INPUT -p tcp --dport 80 -m string --algo bm --string 'GET /tor/status-vote/current/consensus HTTP' -j SET --add-set http_abuser src
+#iptables -A OUTPUT -t mangle -p tcp --sport 443 -j MARK --set-mark 20
+#iptables -A OUTPUT -t mangle -p tcp --sport 443 -m set --match-set http_abuser dst -j MARK --set-mark 30
+#A=""
+## A="$A 192.0.2.1" # whitelist
+#for i in $A; do
+ #iptables -I OUTPUT -t mangle -p tcp --sport 443 --destination $i -j ACCEPT
+#done
+
-- 
2.20.1
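Review bot: The script has no `set -e`, so if `tc qdisc add` or one of the `tc class add` calls fails the remaining commands still run and Puppet only sees the exit status of the final `ipset` call, which with `-exist` succeeds, so the shaping can be entirely absent while the exec reports success. Add `set -e` after the shebang and make the initial cleanup tolerant, `tc qdisc del dev eth0 root 2>/dev/null || true`, since that delete fails whenever no root qdisc is present yet. Class 1:20 is declared with `rate 20mbit ceil 16mbit`; in HTB ceil is the upper bound a class may borrow up to, so a ceil below rate is inconsistent and looks like the two values were transposed — confirm which was meant. Class 1:30 and the `http_abuser` ipset are created but nothing ever sets mark 30 because the rule that would do so is commented out, so either note in a comment that they are staged for manual use or drop them; `eth0` is also hard-coded, which a `DEV=eth0` variable at the top would make easier to adjust per host.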