From 0f33d5af0de0696ea9c9e11d63d7cafa3cd4b318 Mon Sep 17 00:00:00 2001 From: teastep Date: Wed, 4 Dec 2002 21:17:14 +0000 Subject: [PATCH] Refresh also refreshes traffic control/shaping git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@349 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/changelog.txt | 17 ++------- Shorewall/firewall | 76 ++++++++++++++++++++++++++++++++------ Shorewall/releasenotes.txt | 16 +------- 3 files changed, 68 insertions(+), 41 deletions(-)
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index e7bd8925f..f8569a0db 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,17 +1,6 @@
-Changes since 1.3.10
+Changes since 1.3.11
-1. Added TCP flags checking.
+1. Fixed DNAT/REDIRECT bug with excluded sub-zones.
-2. Accomodate bash clones like dash and ash
+2. "shorewall refresh" now refreshes the traffic shaping rules
-3. Added some comments in the policy chain creation/population logic.
-
-4. Check for fw->fw rules.
-
-5. Allow 'all' in rules.
-
-6. Add reverse GRE rules for PPTP server and clients.
-
-7. Add warning to tcrules file.
-
-8. Add warning to policy file that fw->fw policies aren't allowed.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 42ff1696d..813da1ec5 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -212,6 +212,22 @@ havechain() # $1 = name of chain
 eval test \"\$${1}_exists\" = Yes
 }
+#
+# Query NetFilter about the existence of a filter chain
+#
+chain_exists() # $1 = chain name
+{
+ qt iptables -L $1 -n
+}
+
+#
+# Query NetFilter about the existence of a mangle chain
+#
+mangle_chain_exists() # $1 = chain name
+{
+ qt iptables -t mangle -L $1 -n
+}
+
 #
 # Ensure that a chain exists (create it if it doesn't)
 #
@@ -1639,10 +1655,7 @@ process_tc_rule()
 #
 # Setup queuing and classes
 #
-setup_tc() {
-
- echo "Setting up Traffic Control Rules..."
-
+setup_tc1() {
 #
 # Create the TC mangle chains
 #
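Review bot: In `mangle_chain_exists` (and the relocated `chain_exists`) any non-zero exit from `qt iptables -t mangle -L $1 -n` is read as "chain absent", but iptables also exits non-zero when the mangle table module cannot be loaded, the binary is missing or the caller lacks privilege, and `qt` presumably discards the diagnostic that would tell those apart. The one visible caller, `refresh_tc` in a later hunk, then takes the full `setup_tc1` path instead of the flush path, so such a failure would surface, if at all, as a confusing chain-creation error rather than its real cause. At minimum document the ambiguity and quote the argument, e.g. `# Non-zero status also covers iptables failures (module load, privilege), not only a missing chain` above `qt iptables -t mangle -nL "$1"`, and treat `chain_exists` the same way so the two probes stay consistent.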
@@ -1668,6 +1681,13 @@ setup_tc() {
 }
+setup_tc() {
+
+ echo "Setting up Traffic Control Rules..."
+
+ setup_tc1
+}
+
 #
 # Clear Traffic Shaping
 #
@@ -1692,6 +1712,39 @@ delete_tc()
 done
 }
+#
+# Refresh queuing and classes
+#
+refresh_tc() {
+
+ echo "Refreshing Traffic Control Rules..."
+
+ delete_tc
+
+ if mangle_chain_exists tcpre; then
+ #
+ # Flush the TC mangle chains
+ #
+ run_iptables -t mangle -F tcpre
+ run_iptables -t mangle -F tcout
+ #
+ # Process the TC Rules File
+ #
+ strip_file tcrules
+
+ while read mark sources dests proto ports sports; do
+ expandv mark sources dests proto ports sports
+ rule=`echo "$mark $sources $dests $proto $ports $sports"`
+ process_tc_rule
+ done < $TMP_DIR/tcrules
+
+ run_user_exit tcstart
+ else
+ setup_tc1
+ fi
+
+}
+
 #
 # Add a NAT rule - Helper function for the rules file processor
 #
@@ -3747,6 +3800,8 @@ refresh_firewall()
 determine_zones
+ validate_interfaces_file
+
 [ -z "$zones" ] && startup_error "ERROR: No Zones Defined"
 determine_interfaces
@@ -3764,19 +3819,16 @@ refresh_firewall()
 #
 refresh_blacklist
+ #
+ # Refresh Traffic Control
+ #
+ [ -n "$TC_ENABLED" ] && refresh_tc
+
 report "Shorewall Refreshed"
 rm -rf $TMP_DIR
 }
-#
-# Query NetFilter about the existence of a filter chain
-#
-chain_exists() # $1 = chain name
-{
- qt iptables -L $1 -n
-}
-
 #
 # Add a host or subnet to a zone
 #
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 862ded861..0bd881040 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
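Review bot: `refresh_tc` flushes `tcpre` and `tcout` in place and then re-reads the rules file straight into the live chains, so for the duration of the loop — and permanently if `process_tc_rule` aborts on a malformed entry (its error handling is outside this hunk) — packets traverse PREROUTING/OUTPUT unmarked, which matters wherever the marks feed anything beyond queueing, such as policy routing. The guard probes only `tcpre` although both chains are flushed; `if mangle_chain_exists tcpre && mangle_chain_exists tcout; then` avoids emptying `tcpre` and then failing on the `-F tcout` line when the pair is only half present. Two smaller points: the redirect should be `done < "$TMP_DIR/tcrules"`, and the command substitution that assigns `rule` spawns a subshell for nothing — `rule="$mark $sources $dests $proto $ports $sports"` is equivalent. The read loop presumably duplicates the one in `setup_tc1` (renamed from the old `setup_tc`, whose body is outside this hunk); factoring it into one helper called from both paths would keep future validation from landing in only one of them.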
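Review bot: `[ -n "$TC_ENABLED" ] && refresh_tc` rebuilds the shaping rules only while TC is still enabled; assuming `refresh_firewall` re-reads `shorewall.conf` (that part of the function starts outside this hunk), an administrator who unsets `TC_ENABLED` and runs `shorewall refresh` is left with the `tcpre`/`tcout` chains, their marking rules and the queueing disciplines from the previous start, so the refreshed firewall no longer matches the configuration on disk. Since `refresh_tc` already relies on `delete_tc` for the queueing side, the disabled case can reuse it and flush the mangle chains itself; what `delete_tc` tears down is outside this hunk, so confirm whether the explicit flush is still needed next to it.
```shell
    # … unchanged: refresh_blacklist …
    if [ -n "$TC_ENABLED" ]; then
        refresh_tc
    elif mangle_chain_exists tcpre; then
        delete_tc
        run_iptables -t mangle -F tcpre
        run_iptables -t mangle -F tcout
    fi
    # … unchanged: report "Shorewall Refreshed" …
```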
@@ -2,21 +2,7 @@ This is a minor release of Shorewall that has a couple of new features.
 New features include:
-1) A 'tcpflags' option has been added to entries in
- /etc/shorewall/interfaces. This option causes Shorewall to make a
- set of sanity check on TCP packet header flags.
-
-2) It is now allowed to use 'all' in the SOURCE or DEST column in a
- rule. When used, 'all' must appear by itself (in may not be
- qualified) and it does not enable intra-zone traffic (e.g., the rule
- "ACCEPT loc all tcp 80" does not enable http traffic from
- 'loc' to 'loc').
-
-3) Shorewall's use of the 'echo' command is now compatible with bash
- clones such as ash and dash.
-
-4) fw->fw policies now generate a startup error. fw->fw rules generate
- a warning and are ignored.
+1) "shorewall refresh" now reloads the traffic shaping rules.