extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-19 17:28:35 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add 'IMQ Target' capability to tcrules

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-02-02 12:54:00 -08:00
parent ab04a7fb46
commit 0c1beb50ae
6 changed files with 46 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall-core/lib.base
View File

@ -28,7 +28,7 @@
# #
SHOREWALL_LIBVERSION=40500 SHOREWALL_LIBVERSION=40500
SHOREWALL_CAPVERSION=40500 SHOREWALL_CAPVERSION=40501
[ -n "${g_program:=shorewall}" ] [ -n "${g_program:=shorewall}" ]

4
Shorewall-core/lib.cli
View File

@ -1956,6 +1956,7 @@ determine_capabilities() {
BASIC_FILTER= BASIC_FILTER=
CT_TARGET= CT_TARGET=
STATISTIC_MATCH= STATISTIC_MATCH=
IMQ_TARGET=
chain=fooX$$ chain=fooX$$
@ -2083,6 +2084,7 @@ determine_capabilities() {
qt $g_tool -t mangle -F $chain qt $g_tool -t mangle -F $chain
qt $g_tool -t mangle -X $chain qt $g_tool -t mangle -X $chain
qt $g_tool -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes qt $g_tool -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
qt $g_tool -t mangle -A $chain -j IMQ --todev 0 && IMQ_TARGET=Yes
fi fi
qt $g_tool -t raw -L -n && RAW_TABLE=Yes qt $g_tool -t raw -L -n && RAW_TABLE=Yes
@ -2264,6 +2266,7 @@ report_capabilities() {
report_capability "ipset V5" $IPSET_V5 report_capability "ipset V5" $IPSET_V5
report_capability "Condition Match" $CONDITION_MATCH report_capability "Condition Match" $CONDITION_MATCH
report_capability "Statistic Match" $STATISTIC_MATCH report_capability "Statistic Match" $STATISTIC_MATCH
report_capability "IMQ Target" $IMQ_TARGET
if [ $g_family -eq 4 ]; then if [ $g_family -eq 4 ]; then
report_capability "iptables -S" $IPTABLES_S report_capability "iptables -S" $IPTABLES_S
@ -2350,6 +2353,7 @@ report_capabilities1() {
report_capability1 BASIC_FILTER report_capability1 BASIC_FILTER
report_capability1 CT_TARGET report_capability1 CT_TARGET
report_capability1 STATISTIC_MATCH report_capability1 STATISTIC_MATCH
report_capability1 IMQ_TARGET
echo CAPVERSION=$SHOREWALL_CAPVERSION echo CAPVERSION=$SHOREWALL_CAPVERSION
echo KERNELVERSION=$KERNELVERSION echo KERNELVERSION=$KERNELVERSION

10
Shorewall/Perl/Shorewall/Config.pm
View File

@ -291,6 +291,7 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
CT_TARGET => 'CT Target', CT_TARGET => 'CT Target',
STATISTIC_MATCH => STATISTIC_MATCH =>
'Statistics Match', 'Statistics Match',
IMQ_TARGET => 'IMQ Target',
CAPVERSION => 'Capability Version', CAPVERSION => 'Capability Version',
KERNELVERSION => 'Kernel Version', KERNELVERSION => 'Kernel Version',
); );
@ -464,7 +465,7 @@ sub initialize( $ ) {
STATEMATCH => '-m state --state', STATEMATCH => '-m state --state',
UNTRACKED => 0, UNTRACKED => 0,
VERSION => "4.4.22.1", VERSION => "4.4.22.1",
CAPVERSION => 40500 , CAPVERSION => 40501 ,
); );
# #
# From shorewall.conf file # From shorewall.conf file
@ -690,6 +691,7 @@ sub initialize( $ ) {
BASIC_FILTER => undef, BASIC_FILTER => undef,
CT_TARGET => undef, CT_TARGET => undef,
STATISTIC_MATCH => undef, STATISTIC_MATCH => undef,
IMQ_TARGET => undef,
CAPVERSION => undef, CAPVERSION => undef,
KERNELVERSION => undef, KERNELVERSION => undef,
); );
@ -2775,6 +2777,10 @@ sub Statistic_Match() {
qt1( "$iptables -A $sillyname -m statistic --mode nth --every 2 --packet 1" ); qt1( "$iptables -A $sillyname -m statistic --mode nth --every 2 --packet 1" );
} }
sub Imq_Target() {
qt1( "$iptables -t mangle -A $sillyname -j IMQ --todev 0" );
}
our %detect_capability = our %detect_capability =
( ACCOUNT_TARGET =>\&Account_Target, ( ACCOUNT_TARGET =>\&Account_Target,
AUDIT_TARGET => \&Audit_Target, AUDIT_TARGET => \&Audit_Target,
@ -2796,6 +2802,7 @@ our %detect_capability =
HASHLIMIT_MATCH => \&Hashlimit_Match, HASHLIMIT_MATCH => \&Hashlimit_Match,
HEADER_MATCH => \&Header_Match, HEADER_MATCH => \&Header_Match,
HELPER_MATCH => \&Helper_Match, HELPER_MATCH => \&Helper_Match,
IMQ_TARGET => \&Imq_Target,
IPMARK_TARGET => \&IPMark_Target, IPMARK_TARGET => \&IPMark_Target,
IPP2P_MATCH => \&Ipp2p_Match, IPP2P_MATCH => \&Ipp2p_Match,
IPRANGE_MATCH => \&IPRange_Match, IPRANGE_MATCH => \&IPRange_Match,
@ -2967,6 +2974,7 @@ sub determine_capabilities() {
$capabilities{BASIC_FILTER} = detect_capability( 'BASIC_FILTER' ); $capabilities{BASIC_FILTER} = detect_capability( 'BASIC_FILTER' );
$capabilities{CT_TARGET} = detect_capability( 'CT_TARGET' ); $capabilities{CT_TARGET} = detect_capability( 'CT_TARGET' );
$capabilities{STATISTIC_MATCH} = detect_capability( 'STATISTIC_MATCH' ); $capabilities{STATISTIC_MATCH} = detect_capability( 'STATISTIC_MATCH' );
$capabilities{IMQ_TARGET} = detect_capability( 'IMQ_TARGET' );
qt1( "$iptables -F $sillyname" ); qt1( "$iptables -F $sillyname" );

14
Shorewall/Perl/Shorewall/Tc.pm
View File

@ -379,7 +379,7 @@ sub process_tc_rule( ) {
$val = numeric_value ($s); $val = numeric_value ($s);
fatal_error "Invalid Shift Bits ($s)" unless defined $val && $val >= 0 && $val < 128; fatal_error "Invalid Shift Bits ($s)" unless defined $val && $val >= 0 && $val < 128;
$shift = $s; $shift = $s;
} }
} else { } else {
fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless $cmd eq 'IPMARK'; fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless $cmd eq 'IPMARK';
} }
@ -460,6 +460,10 @@ sub process_tc_rule( ) {
} else { } else {
$target .= " --hl-set $param"; $target .= " --hl-set $param";
} }
} elsif ( $target eq 'IMQ' ) {
assert( $cmd =~ /^IMQ\((\d+)\)$/ );
require_capability 'IMQ_TARGET', 'IMQ', 's';
$target .= " --todev $1";
} }
if ( $rest ) { if ( $rest ) {
@ -1977,7 +1981,13 @@ sub setup_tc() {
mark => NOMARK, mark => NOMARK,
mask => '', mask => '',
connmark => 0 connmark => 0
} },
{ match => sub( $ ) { $_[0] =~ /^IMQ\(\d+\)$/ },
target => 'IMQ',
mark => NOMARK,
mask => '',
connmark => 0
},
); );
if ( my $fn = open_file 'tcrules' ) { if ( my $fn = open_file 'tcrules' ) {

10
manpages/shorewall-tcrules.xml
View File

@ -458,6 +458,16 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
is set to <replaceable>number</replaceable>. The valid range of is set to <replaceable>number</replaceable>. The valid range of
values for <replaceable>number</replaceable> is 1-255.</para> values for <replaceable>number</replaceable> is 1-255.</para>
</listitem> </listitem>
<listitem>
<para><emphasis
role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</para>
<para>Added in Shorewall 4.5.1. Specifies that the packet should
be passed to the IMQ identified by
<replaceable>number</replaceable>. Requires IMQ Target support
in your kernel and iptables.</para>
</listitem>
</orderedlist> </orderedlist>
</listitem> </listitem>
</varlistentry> </varlistentry>

10
manpages6/shorewall6-tcrules.xml
View File

@ -355,6 +355,16 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
set to <replaceable>number</replaceable>. The valid range of set to <replaceable>number</replaceable>. The valid range of
values for <replaceable>number</replaceable> is 1-255.</para> values for <replaceable>number</replaceable> is 1-255.</para>
</listitem> </listitem>
<listitem>
<para><emphasis
role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</para>
<para>Added in Shorewall 4.5.1. Specifies that the packet should
be passed to the IMQ identified by
<replaceable>number</replaceable>. Requires IMQ Target support
in your kernel and ip6tables.</para>
</listitem>
</orderedlist> </orderedlist>
</listitem> </listitem>
</varlistentry> </varlistentry>