Add 'IMQ Target' capability to tcrules

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.base

@@ -28,7 +28,7 @@
 #
 
 SHOREWALL_LIBVERSION=40500
-SHOREWALL_CAPVERSION=40500
+SHOREWALL_CAPVERSION=40501
 
 [ -n "${g_program:=shorewall}" ]
 

Shorewall-core/lib.cli

@@ -1956,6 +1956,7 @@ determine_capabilities() {
     BASIC_FILTER=
     CT_TARGET=
     STATISTIC_MATCH=
+    IMQ_TARGET=
 
     chain=fooX$$
 
@@ -2083,6 +2084,7 @@ determine_capabilities() {
 	qt $g_tool -t mangle -F $chain
 	qt $g_tool -t mangle -X $chain
 	qt $g_tool -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
+	qt $g_tool -t mangle -A $chain -j IMQ --todev 0 && IMQ_TARGET=Yes
     fi
 
     qt $g_tool -t raw	    -L -n && RAW_TABLE=Yes
@@ -2264,6 +2266,7 @@ report_capabilities() {
 	report_capability "ipset V5" $IPSET_V5
 	report_capability "Condition Match" $CONDITION_MATCH
 	report_capability "Statistic Match" $STATISTIC_MATCH
+	report_capability "IMQ Target" $IMQ_TARGET
 	
 	if [ $g_family -eq 4 ]; then
 	    report_capability "iptables -S" $IPTABLES_S
@@ -2350,6 +2353,7 @@ report_capabilities1() {
     report_capability1 BASIC_FILTER
     report_capability1 CT_TARGET
     report_capability1 STATISTIC_MATCH
+    report_capability1 IMQ_TARGET
 
     echo CAPVERSION=$SHOREWALL_CAPVERSION
     echo KERNELVERSION=$KERNELVERSION

Shorewall/Perl/Shorewall/Config.pm

@@ -291,6 +291,7 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 CT_TARGET       => 'CT Target',
 		 STATISTIC_MATCH => 
 		                    'Statistics Match',
+		 IMQ_TARGET      => 'IMQ Target',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
@@ -464,7 +465,7 @@ sub initialize( $ ) {
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED  => 0,
 		    VERSION    => "4.4.22.1",
-		    CAPVERSION => 40500 ,
+		    CAPVERSION => 40501 ,
 		  );
     #
     # From shorewall.conf file
@@ -690,6 +691,7 @@ sub initialize( $ ) {
 	       BASIC_FILTER => undef,
 	       CT_TARGET => undef,
 	       STATISTIC_MATCH => undef,
+	       IMQ_TARGET => undef,
 	       CAPVERSION => undef,
 	       KERNELVERSION => undef,
 	       );
@@ -2775,6 +2777,10 @@ sub Statistic_Match() {
     qt1( "$iptables -A $sillyname -m statistic --mode nth --every 2 --packet 1" );
 }
 
+sub Imq_Target() {
+    qt1( "$iptables -t mangle -A $sillyname -j IMQ --todev 0" );
+}
+
 our %detect_capability =
     ( ACCOUNT_TARGET =>\&Account_Target,
       AUDIT_TARGET => \&Audit_Target,
@@ -2796,6 +2802,7 @@ our %detect_capability =
       HASHLIMIT_MATCH => \&Hashlimit_Match,
       HEADER_MATCH => \&Header_Match,
       HELPER_MATCH => \&Helper_Match,
+      IMQ_TARGET => \&Imq_Target,
       IPMARK_TARGET => \&IPMark_Target,
       IPP2P_MATCH => \&Ipp2p_Match,
       IPRANGE_MATCH => \&IPRange_Match,
@@ -2967,6 +2974,7 @@ sub determine_capabilities() {
 	$capabilities{BASIC_FILTER}    = detect_capability( 'BASIC_FILTER' );
 	$capabilities{CT_TARGET}       = detect_capability( 'CT_TARGET' );
 	$capabilities{STATISTIC_MATCH} = detect_capability( 'STATISTIC_MATCH' );
+	$capabilities{IMQ_TARGET}      = detect_capability( 'IMQ_TARGET' );
 
 
 	qt1( "$iptables -F $sillyname" );

Shorewall/Perl/Shorewall/Tc.pm

@@ -379,7 +379,7 @@ sub process_tc_rule( ) {
 				$val = numeric_value ($s);
 				fatal_error "Invalid Shift Bits ($s)" unless defined $val && $val >= 0 && $val < 128;
 				$shift = $s;
-			    }
+			    }			    
 			} else {
 			    fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless $cmd eq 'IPMARK';
 			}
@@ -460,6 +460,10 @@ sub process_tc_rule( ) {
 			} else {
 			    $target .= " --hl-set $param";
 			}
+		    } elsif ( $target eq 'IMQ' ) {
+			assert( $cmd =~ /^IMQ\((\d+)\)$/ );
+			require_capability 'IMQ_TARGET', 'IMQ', 's';
+			$target .= " --todev $1";
 		    }
 
 		    if ( $rest ) {
@@ -1977,7 +1981,13 @@ sub setup_tc() {
 			  mark      => NOMARK,
 			  mask      => '',
 			  connmark  => 0
-			} 
+			},
+			{ match     => sub( $ ) { $_[0] =~ /^IMQ\(\d+\)$/ },
+			  target    => 'IMQ',
+			  mark      => NOMARK,
+			  mask      => '',
+			  connmark  => 0
+			},
 		      );
 
 	if ( my $fn = open_file 'tcrules' ) {

manpages/shorewall-tcrules.xml

@@ -458,6 +458,16 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
               is set to <replaceable>number</replaceable>. The valid range of
               values for <replaceable>number</replaceable> is 1-255.</para>
             </listitem>
+
+            <listitem>
+              <para><emphasis
+              role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</para>
+
+              <para>Added in Shorewall 4.5.1. Specifies that the packet should
+              be passed to the IMQ identified by
+              <replaceable>number</replaceable>. Requires IMQ Target support
+              in your kernel and iptables.</para>
+            </listitem>
           </orderedlist>
         </listitem>
       </varlistentry>

manpages6/shorewall6-tcrules.xml

@@ -355,6 +355,16 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
               set to <replaceable>number</replaceable>. The valid range of
               values for <replaceable>number</replaceable> is 1-255.</para>
             </listitem>
+
+            <listitem>
+              <para><emphasis
+              role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</para>
+
+              <para>Added in Shorewall 4.5.1. Specifies that the packet should
+              be passed to the IMQ identified by
+              <replaceable>number</replaceable>. Requires IMQ Target support
+              in your kernel and ip6tables.</para>
+            </listitem>
           </orderedlist>
         </listitem>
       </varlistentry>