Allow specification of marking chain in TC rules

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@411 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-27 10:03:41 +01:00 · 2003-01-23 23:18:40 +00:00 · 2003-01-23 23:18:40 +00:00 · 0bd0a3672e
commit 0bd0a3672e
parent a0cb5de22c
2 changed files with 38 additions and 9 deletions
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -1757,7 +1757,7 @@ delete_nat() {

 #
 # Process a TC Rule - $marking_chain is assumed to contain the name of the 
-#                     marking chain
+#                     default marking chain
 #
 process_tc_rule()
 {
@ -1778,13 +1778,34 @@ process_tc_rule()
 		    ;;
 		*)
 		    if ! list_search $source $all_interfaces; then
-			fatal_error "Error: Unknown interface $source"
+			fatal_error "Error: Unknown interface $source in rule \"$rule\""
 		    fi
 		    
 		    r="-i $source "
 		    ;;
 	    esac
 	fi
+
+	if [ "$mark" != "${mark%:*}" ]; then
+	    
+	    [ "$chain" = tcout ] && \
+		fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\""
+	    
+	    case "${mark#*:}" in
+		p|P)
+		    chain=tcpre
+		    ;;
+		f|F)
+		    chain=tcfor
+		    ;;
+		*)
+		    fatal_error "Invalid chain designator: (${mark#*:}) in rule \"$rule\""
+		    ;;
+	    esac
+
+	    mark="${mark%:*}"
+	fi
+  
 	[ "x$dest"   = "x-"  ] || r="${r}-d $dest "
 	[ "$proto"   = "all" ] || r="${r}-p $proto "
 	[ "x$port"   = "x-"  ] || r="${r}--dport $port "
@ -1815,7 +1836,8 @@ setup_tc1() {
    # Create the TC mangle chains
    #
    
-    run_iptables -t mangle -N $marking_chain
+    run_iptables -t mangle -N tcpre
+    run_iptables -t mangle -N tcfor
    run_iptables -t mangle -N tcout
    #
    # Process the TC Rules File
@ -1831,11 +1853,9 @@ setup_tc1() {
    # Link to the TC mangle chains from the main chains
    #
    
-    if [ $marking_chain = tcfor ]; then
-	run_iptables -t mangle -A FORWARD -j tcfor
-    else
-	run_iptables -t mangle -A PREROUTING -j tcpre
-    fi
+    run_iptables -t mangle -A FORWARD    -j tcfor
+    run_iptables -t mangle -A PREROUTING -j tcpre
+    run_iptables -t mangle -A OUTPUT     -j tcout

    run_user_exit tcstart

--- a/Shorewall/tcrules
+++ b/Shorewall/tcrules
@ -17,10 +17,19 @@
 #	MARK		The mark value which is an
 #			integer in the range 1-255
 #
+#			May optionally be followed by ":P" or ":F"
+#			where ":P" indicates that marking should occur in
+#			the PREROUTING chain and ":F" indicates that marking
+#			should occur in the FORWARD chain. If neither
+#			":P" nor ":F" follow the mark value then the chain is
+#			determined by the setting of MARK_IN_FORWARD_CHAIN in
+#			/etc/shorewall/shorewall.conf.
+#
 #	SOURCE 		Source of the packet. A comma-separated list of
 #			interface names, IP addresses, MAC addresses 
 #			and/or subnets. Use $FW if the packet originates on
-#			the firewall.
+#			the firewall in which case the MARK column may NOT
+#			specify ":P" or ":F".
 #
 #			MAC addresses must be prefixed with "~" and use
 #			"-" as a separator.