From 54a5e4af5223ec6e3f881cfeec158105e9eaef75 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 19 Mar 2014 10:24:30 -0700
Subject: [PATCH 1/2] A couple of minor tweaks to the Chains module.
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index e0ff5e12f..bd68d119c 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -825,12 +825,13 @@ sub get_opttype( $$ ) { # $option, $default
 $opttype{$_[0]} || $_[1];
 }
-# # Next a helper for setting an individual option
+#
+# Next a helper for setting an individual option
 #
 sub set_rule_option( $$$ ) {
 my ( $ruleref, $option, $value ) = @_;
- assert( defined $value && reftype $ruleref , $value, $ruleref );
+ assert( defined $value && reftype $ruleref , $option, $ruleref );
 $ruleref->{simple} = 0;
 $ruleref->{complex} = 1 if reftype $value;
@@ -2332,7 +2333,7 @@ sub add_jump( $$$;$$$ ) {
 #
 # If the destination is a chain, mark it referenced
 #
- $toref->{referenced} = 1, add_reference $fromref, $toref if $toref;
+ $toref->{referenced} = 1, add_reference( $fromref, $toref ) if $toref;
 my $param = $goto_ok && $toref && have_capability( 'GOTO_TARGET' ) ? 'g' : 'j';
@@ -3182,6 +3183,7 @@ sub check_optimization( $ ) {
 # Perform Optimization
 #
 # When an unreferenced chain is found, it is deleted unless its 'dont_delete' flag is set.
+#
 sub optimize_level0() {
 for my $table ( qw/raw rawpost mangle nat filter/ ) {
 my $tableref = $chain_table{$table};
From db1b25b4d769f3bab67334deebc6b4fbdad1b1bc Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 22 Mar 2014 08:38:57 -0700
Subject: [PATCH 2/2] Restore small mark verification.
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 11 +++++-----
 Shorewall/Perl/Shorewall/Tc.pm | 34 ++++++++++++++++++------------
 2 files changed, 27 insertions(+), 18 deletions(-)
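Review bot: In the add_jump hunk, `$toref->{referenced} = 1, add_reference( $fromref, $toref ) if $toref;` still chains two statements with the comma operator under a single postfix `if`, which is easy to misread as one assignment whose right-hand side is a list. Parenthesizing the `add_reference` call is an improvement, but the intent reads more clearly as a block: `if ( $toref ) { $toref->{referenced} = 1; add_reference( $fromref, $toref ); }`. add_jump's body starts and ends outside the hunk.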
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index bd68d119c..f2027eafb 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -4797,11 +4797,6 @@ sub verify_mark( $ ) {
 }
 }
-sub verify_small_mark( $ ) {
- verify_mark ( (my $mark) = $_[0] );
- fatal_error "Mark value ($mark) too large" if numeric_value( $mark ) > $globals{TC_MAX};
-}
-
 sub validate_mark( $ ) {
 my $mark = shift;
 my $val;
@@ -4820,6 +4815,12 @@ sub validate_mark( $ ) {
 return numeric_value $val if defined( wantarray );
 }
+sub verify_small_mark( $ ) {
+ my $val = validate_mark ( (my $mark) = $_[0] );
+ fatal_error "Mark value ($mark) too large" if numeric_value( $mark ) > $globals{TC_MAX};
+ $val;
+}
+
 #
 # Generate an appropriate -m [conn]mark match string for the contents of a MARK column
 #
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 1a9ac4d6e..03720a0b6 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -227,8 +227,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 our $designator;
 my $fw = firewall_zone;
- sub handle_mark_param( $ ) {
- my ( $option ) = @_;
+ sub handle_mark_param( $$ ) {
+ my ( $option, $marktype ) = @_;
 my $and_or = $1 if $params =~ s/^([|&])//;
 if ( $params =~ /-/ ) {
@@ -292,16 +292,21 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 $done = 1;
 } else {
- my $mark = $params;
- my $val;
- if ( supplied $mark ) {
- $val = validate_mark( $mark );
- } else {
- $val = numeric_value( $mark = $globals{TC_MASK} );
- }
 #
 # A Single Mark
 #
+ my $mark = $params;
+ my $val;
+ if ( supplied $mark ) {
+ if ( $marktype == SMALLMARK ) {
+ $val = verify_small_mark( $mark );
+ } else {
+ $val = validate_mark( $mark );
+ }
+ } else {
+ $val = numeric_value( $mark = $globals{TC_MASK} );
+ }
+
 if ( $config{PROVIDER_OFFSET} ) {
 my $limit = $globals{TC_MASK};
 unless ( have_capability 'FWMARK_RT_MASK' ) {
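Review bot: `my $val = validate_mark ( (my $mark) = $_[0] );` in the new verify_small_mark hands validate_mark a list assignment, but validate_mark's `( $ )` prototype (visible in this hunk's header) puts its argument in scalar context, and a list assignment in scalar context evaluates to the number of right-hand elements, i.e. 1, so validate_mark would check and return 1 rather than the supplied mark, leaving only the `> $globals{TC_MAX}` test on the next line to look at the real value. The verify_mark-based version deleted in the previous hunk used the same construct, so the problem is pre-existing, but now `$val` is also handed back to the Tc.pm caller. Unless the prototype is deliberately bypassed in a way not visible here (a quick `perl -e` check settles it), split the assignment from the call: `my $mark = $_[0];` then `my $val  = validate_mark( $mark );`. An explicit `return $val;` instead of the bare `$val;` would also match the `return numeric_value $val ...` style of validate_mark just above.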
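Review bot: The new `$marktype` parameter of handle_mark_param in the `@@ -227` hunk is undocumented, and its meaning only becomes clear in the `@@ -292` hunk below, where SMALLMARK routes the value through verify_small_mark and anything else through validate_mark. A one-line comment above `my ( $option, $marktype ) = @_;` would save the reader that trip, e.g. `# $marktype: SMALLMARK rejects marks above $globals{TC_MAX} (verify_small_mark); HIGHMARK only requires validate_mark to accept the value`. handle_mark_param is a named sub nested inside process_mangle_rule1, whose body extends outside both hunks.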
@@ -375,7 +380,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 maxparams => 1,
 function => sub () {
 $target = 'CONNMARK';
- handle_mark_param('--set-mark' );
+ handle_mark_param('--set-mark' , HIGHMARK );
 },
 },
@@ -551,7 +556,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 mask => in_hex( $globals{TC_MASK} ),
 function => sub () {
 $target = 'MARK';
- handle_mark_param('--set-mark');
+ handle_mark_param('--set-mark', , HIGHMARK );
 },
 },
@@ -563,7 +568,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 function => sub () {
 $target = 'CONNMARK ';
 if ( supplied $params ) {
- handle_mark_param( '--restore-mark --mark ' );
+ handle_mark_param( '--restore-mark --mask ',
+ $config{TC_EXPERT} ? HIGHMARK : SMALLMARK );
 } else {
 $target .= '--restore-mark --mask ' . in_hex( $globals{TC_MASK} );
 }
@@ -591,7 +597,9 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 function => sub () {
 $target = 'CONNMARK ';
 if ( supplied $params ) {
- handle_mark_param( '--save-mark --mask ' );
+ handle_mark_param( '--save-mark --mask ' ,
+ $config{TC_EXPERT} ? HIGHMARK : SMALLMARK );
+
 } else {
 $target .= '--save-mark --mask ' . in_hex( $globals{TC_MASK} );
 }
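Review bot: `handle_mark_param('--set-mark', , HIGHMARK );` in the `@@ -551` hunk carries a stray second comma. Perl accepts an empty element in an argument list, so this most likely compiles and still passes the two arguments the `( $$ )` prototype expects, but it reads as a typo and differs from the otherwise identical call in the `@@ -375` hunk above; `handle_mark_param('--set-mark', HIGHMARK );`.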
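Review bot: Besides adding the mark type, the `@@ -563` hunk changes the option string from `'--restore-mark --mark '` to `'--restore-mark --mask '`, which alters the CONNMARK option emitted whenever a parameter is supplied, and the commit message ("Restore small mark verification") does not mention it. It brings the branch in line with the `else` branch two lines below, which already uses `--mask`, so it looks like a fix for an unrelated bug, but it should be called out in the commit message (or split into its own commit) so the behaviour change stays visible in history. The `--save-mark` hunk below is not affected, since it already used `--mask`.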
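Review bot: The added blank line in the `@@ -591` hunk, between `$config{TC_EXPERT} ? HIGHMARK : SMALLMARK );` and `} else {`, separates the `if` body from its `else` and matches neither the `--restore-mark` hunk above nor the surrounding code; drop it. With the blank removed the hunk is the same two-line call as the `--restore-mark` case.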