Add 'IMQ Target' capability to tcrules

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2012-02-02 12:54:00 -08:00
parent ab04a7fb46
commit 0c1beb50ae
6 changed files with 46 additions and 4 deletions


@ -28,7 +28,7 @@
#
SHOREWALL_LIBVERSION=40500
SHOREWALL_CAPVERSION=40500
SHOREWALL_CAPVERSION=40501
[ -n "${g_program:=shorewall}" ]


@ -1956,6 +1956,7 @@ determine_capabilities() {
BASIC_FILTER=
CT_TARGET=
STATISTIC_MATCH=
IMQ_TARGET=
chain=fooX$$
@ -2083,6 +2084,7 @@ determine_capabilities() {
qt $g_tool -t mangle -F $chain
qt $g_tool -t mangle -X $chain
qt $g_tool -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
qt $g_tool -t mangle -A $chain -j IMQ --todev 0 && IMQ_TARGET=Yes
fi
qt $g_tool -t raw -L -n && RAW_TABLE=Yes
@ -2264,6 +2266,7 @@ report_capabilities() {
report_capability "ipset V5" $IPSET_V5
report_capability "Condition Match" $CONDITION_MATCH
report_capability "Statistic Match" $STATISTIC_MATCH
report_capability "IMQ Target" $IMQ_TARGET
if [ $g_family -eq 4 ]; then
report_capability "iptables -S" $IPTABLES_S
@ -2350,6 +2353,7 @@ report_capabilities1() {
report_capability1 BASIC_FILTER
report_capability1 CT_TARGET
report_capability1 STATISTIC_MATCH
report_capability1 IMQ_TARGET
echo CAPVERSION=$SHOREWALL_CAPVERSION
echo KERNELVERSION=$KERNELVERSION
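Review bot: In the second `determine_capabilities` hunk the new IMQ probe appends to `$chain` in the mangle table directly after the context lines `qt $g_tool -t mangle -F $chain` and `qt $g_tool -t mangle -X $chain`. Unless the chain is recreated in lines the hunk does not show, the append targets a chain that has just been deleted and fails whether or not the kernel supports IMQ. `IMQ_TARGET` would then always stay empty in the shell-side detection and in any capabilities file generated from it, so IMQ rules would be refused on systems that do support the target. Move `qt $g_tool -t mangle -A $chain -j IMQ --todev 0 && IMQ_TARGET=Yes` above the `-F $chain` line, next to the other mangle-table probes. The function body extends beyond the hunk on both sides.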


@ -291,6 +291,7 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
CT_TARGET => 'CT Target',
STATISTIC_MATCH =>
'Statistics Match',
IMQ_TARGET => 'IMQ Target',
CAPVERSION => 'Capability Version',
KERNELVERSION => 'Kernel Version',
);
@ -464,7 +465,7 @@ sub initialize( $ ) {
STATEMATCH => '-m state --state',
UNTRACKED => 0,
VERSION => "4.4.22.1",
CAPVERSION => 40500 ,
CAPVERSION => 40501 ,
);
#
# From shorewall.conf file
@ -690,6 +691,7 @@ sub initialize( $ ) {
BASIC_FILTER => undef,
CT_TARGET => undef,
STATISTIC_MATCH => undef,
IMQ_TARGET => undef,
CAPVERSION => undef,
KERNELVERSION => undef,
);
@ -2775,6 +2777,10 @@ sub Statistic_Match() {
qt1( "$iptables -A $sillyname -m statistic --mode nth --every 2 --packet 1" );
}
sub Imq_Target() {
qt1( "$iptables -t mangle -A $sillyname -j IMQ --todev 0" );
}
our %detect_capability =
( ACCOUNT_TARGET =>\&Account_Target,
AUDIT_TARGET => \&Audit_Target,
@ -2796,6 +2802,7 @@ our %detect_capability =
HASHLIMIT_MATCH => \&Hashlimit_Match,
HEADER_MATCH => \&Header_Match,
HELPER_MATCH => \&Helper_Match,
IMQ_TARGET => \&Imq_Target,
IPMARK_TARGET => \&IPMark_Target,
IPP2P_MATCH => \&Ipp2p_Match,
IPRANGE_MATCH => \&IPRange_Match,
@ -2967,6 +2974,7 @@ sub determine_capabilities() {
$capabilities{BASIC_FILTER} = detect_capability( 'BASIC_FILTER' );
$capabilities{CT_TARGET} = detect_capability( 'CT_TARGET' );
$capabilities{STATISTIC_MATCH} = detect_capability( 'STATISTIC_MATCH' );
$capabilities{IMQ_TARGET} = detect_capability( 'IMQ_TARGET' );
qt1( "$iptables -F $sillyname" );
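Review bot: `Imq_Target` appends to `$sillyname` in the mangle table without checking that the mangle table is usable or that the probe chain exists there. The hunks do not show where that chain is created, and in `determine_capabilities` the new call sits immediately before the filter-table flush `$iptables -F $sillyname`. If the mangle chain is absent at that point, or when the probe runs on demand through `%detect_capability`, `qt1` fails and IMQ support is silently reported as missing. If the file has a mangle capability check, guard the probe with it, e.g. `have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j IMQ --todev 0" );`, and confirm the mangle-side cleanup runs after this call. A one-line comment above the sub stating that it needs the mangle probe chain would document the dependency.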


@ -460,6 +460,10 @@ sub process_tc_rule( ) {
} else {
$target .= " --hl-set $param";
}
} elsif ( $target eq 'IMQ' ) {
assert( $cmd =~ /^IMQ\((\d+)\)$/ );
require_capability 'IMQ_TARGET', 'IMQ', 's';
$target .= " --todev $1";
}
if ( $rest ) {
@ -1977,7 +1981,13 @@ sub setup_tc() {
mark => NOMARK,
mask => '',
connmark => 0
}
},
{ match => sub( $ ) { $_[0] =~ /^IMQ\(\d+\)$/ },
target => 'IMQ',
mark => NOMARK,
mask => '',
connmark => 0
},
);
if ( my $fn = open_file 'tcrules' ) {
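Review bot: The IMQ branch added to `process_tc_rule` interpolates the device number from the tcrules file into `--todev` with only a `\d+` check, so an out-of-range entry (constructed example: `IMQ(4000000000)`) compiles cleanly and is rejected only when iptables loads the generated ruleset. For a firewall configuration it is better to fail at compile time: capture the number into a lexical straight after the match, e.g. `my ( $dev ) = $cmd =~ /^IMQ\((\d+)\)$/;`, and raise a fatal error when it exceeds the device range the project supports. Naming the capture also stops the code reading `$1` after the intervening `require_capability` call, which is easier to follow. The same pattern is repeated in the new `match` closure in `setup_tc`, where `\z` instead of `$` would also reject a trailing newline. Both functions continue outside their hunks.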


@ -458,6 +458,16 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
is set to <replaceable>number</replaceable>. The valid range of
values for <replaceable>number</replaceable> is 1-255.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</para>
<para>Added in Shorewall 4.5.1. Specifies that the packet should
be passed to the IMQ identified by
<replaceable>number</replaceable>. Requires IMQ Target support
in your kernel and iptables.</para>
</listitem>
</orderedlist>
</listitem>
</varlistentry>


@ -355,6 +355,16 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
set to <replaceable>number</replaceable>. The valid range of
values for <replaceable>number</replaceable> is 1-255.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</para>
<para>Added in Shorewall 4.5.1. Specifies that the packet should
be passed to the IMQ identified by
<replaceable>number</replaceable>. Requires IMQ Target support
in your kernel and ip6tables.</para>
</listitem>
</orderedlist>
</listitem>
</varlistentry>