Correct restriction and chain number handling in the mangle files

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-11-22 15:43:30 +01:00 · 2016-10-23 15:36:04 -07:00 · 2016-10-23 15:36:04 -07:00 · 0efc7a4899
commit 0efc7a4899
parent e0203bca87
3 changed files with 16 additions and 10 deletions
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -2747,11 +2747,13 @@ sub accounting_chainrefs() {
    grep $_->{accounting} , values %$filter_table;
 }

-sub ensure_mangle_chain($) {
-    my $chain = $_[0];
+sub ensure_mangle_chain($;$$) {
+    my ( $chain, $number, $restriction ) = @_;

    my $chainref = ensure_chain 'mangle', $chain;
-    $chainref->{referenced} = 1;
+    $chainref->{referenced}  = 1;
+    $chainref->{chainnumber} = $number if $number;
+    $chainref->{restriction} = $restriction if $restriction;
    $chainref;
 }

--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -4098,11 +4098,13 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {

 	    my $chainref = ensure_chain( 'mangle', $chain = $chainnames{$chain} );

+	    $restriction |= $chainref->{restriction};
+
 	    for ( my $packet = 0; $packet < $marks; $packet++, $markval += $increment ) {
 		my $match = "-m statistic --mode nth --every $marks --packet $packet ";

 		expand_rule( $chainref,
-			     $restrictions{$chain} | $restriction,
+			     $restriction,
 			     $prerule ,
 			     $match .
 			     do_user( $user ) .
@ -4845,8 +4847,10 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    $chainref = ensure_chain( 'mangle', $chainnames{$chain} );
 	}

+	$restriction |= $chainref->{restriction} if defined $chainref->{restriction};
+
 	if ( ( my $result = expand_rule( $chainref ,
-					 ( $restrictions{$chain} || 0 ) | $restriction,
+					 $restriction,
 					 $prerule,
 					 do_proto( $proto, $ports, $sports) . $matches .
 					 do_user( $user ) .
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@ -2276,13 +2276,13 @@ sub setup_tc( $ ) {
    $convert = $_[0];

    if ( $config{MANGLE_ENABLED} ) {
-	ensure_mangle_chain 'tcpre';
-	ensure_mangle_chain 'tcout';
+	ensure_mangle_chain( 'tcpre', PREROUTING, PREROUTE_RESTRICT );
+	ensure_mangle_chain( 'tcout', OUTPUT    , OUTPUT_RESTRICT );

 	if ( have_capability( 'MANGLE_FORWARD' ) ) {
-	    ensure_mangle_chain 'tcfor';
-	    ensure_mangle_chain 'tcpost';
-	    ensure_mangle_chain 'tcin';
+	    ensure_mangle_chain( 'tcfor',  FORWARD );
+	    ensure_mangle_chain( 'tcpost', POSTROUTING, POSTROUTE_RESTRICT );
+	    ensure_mangle_chain( 'tcin',   INPUT      , INPUT_RESTRICT );
 	}

 	my @mark_part;