From 12f1aa6d77f415093bcd0ea241d2d1a2185e76bd Mon Sep 17 00:00:00 2001
From: teastep
Date: Mon, 2 Oct 2006 16:48:08 +0000
Subject: [PATCH] AND/OR capability in the tcrules file
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4613 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/lib.nat | 3 ++-
 Shorewall/lib.tcrules | 10 ++++++++++
 Shorewall/tcrules | 16 +++++++++++++++-
 3 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/Shorewall/lib.nat b/Shorewall/lib.nat
index d16457a9e..b952b6797 100644
--- a/Shorewall/lib.nat
+++ b/Shorewall/lib.nat
@@ -393,6 +393,7 @@ networks="\$(get_routed_networks $detectinterface)" for network in \$networks; do __EOF__ for destnet in $(separate_list $destnets); do + indent >&3 << __EOF__ run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist __EOF__
@@ -422,7 +423,7 @@ __EOF__ fi fi - } + } #setup_one() if [ -s $TMP_DIR/masq ]; then progress_message2 "$DOING Masquerading/SNAT"
diff --git a/Shorewall/lib.tcrules b/Shorewall/lib.tcrules
index 437254b17..36c9f7657 100644
--- a/Shorewall/lib.tcrules
+++ b/Shorewall/lib.tcrules
@@ -264,6 +264,16 @@ process_tc_rule()
 target=RETURN
 mark=
 ;;
+ OR)
+ [ -n "$did_connmark" ] && fatal_error "OR not valid with :C[FP]"
+ target="MARK --or-mark"
+ validate_mark $mark
+ ;;
+ AND)
+ [ -n "$did_connmark" ] && fatal_error "AND not valid with :C[FP]"
+ target="MARK --and-mark"
+ validate_mark $mark
+ ;;
 *)
 if [ "$chain" != tcpost ]; then
 validate_mark $mark
diff --git a/Shorewall/tcrules b/Shorewall/tcrules
index 4586afce7..5d7530f0e 100644
--- a/Shorewall/tcrules
+++ b/Shorewall/tcrules
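Review bot: The new OR and AND branches of process_tc_rule() (the `target="MARK --or-mark"` / `target="MARK --and-mark"` lines) pass `$mark` straight to `validate_mark`, but the iptables MARK target's `--or-mark` and `--and-mark` take a single value with no `/mask` suffix, while the tcrules header added in the same commit writes the operand with a `[/]` suffix that looks like an optional mask; if `validate_mark` accepts `value/mask` for the other targets, a masked OR/AND rule would presumably only fail when iptables is invoked, so these two cases should reject it up front, e.g. `case $mark in */*) fatal_error "Mask not allowed with OR/AND" ;; esac`, or strip the mask before it reaches the target. The two branches differ only in the target string and the message text, so one shared guard would avoid the duplicated connmark check. The remainder of process_tc_rule(), including where `$target` and `$mark` are joined into the rule, lies outside the hunk, so whether a capability test for `--or-mark`/`--and-mark` exists cannot be confirmed here. Separately, the tcrules header labels both new entries `d)`; the AND entry should read `e)`.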
@@ -92,6 +92,20 @@
 #
 # As in a) above, may be followed by ":P" or ":F".
 #
+# d) OR [/].
+#
+# Logically or the value with the current
+# packet mark.
+#
+# As in a) above, may be followed by ":P" or ":F".
+#
+# d) AND [/].
+#
+# Logically and the value with the current
+# packet mark.
+#
+# As in a) above, may be followed by ":P" or ":F".
+#
 # SOURCE Source of the packet. A comma-separated list of
 # interface names, IP addresses, MAC addresses and/or
 # subnets for packets being routed through a common path.
@@ -115,7 +129,7 @@
 # "-" as a separator.
 #
 # Example: ~00-A0-C9-15-39-78
-
+#
 # DEST Destination of the packet. Comma separated list of
 # IP addresses and/or subnets. If your kernel and
 # iptables include iprange match support, IP address