AND/OR capability in the tcrules file

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4613 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/lib.nat

@@ -393,6 +393,7 @@ networks="\$(get_routed_networks $detectinterface)"
 for network in \$networks; do
 __EOF__
 	    for destnet in $(separate_list $destnets); do
+
 		indent >&3 << __EOF__
     run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist
 __EOF__
@@ -422,7 +423,7 @@ __EOF__
 	    fi
 	fi
 
-    }
+    } #setup_one()
 
     if [ -s $TMP_DIR/masq ]; then
 	progress_message2 "$DOING Masquerading/SNAT"

Shorewall/lib.tcrules

@@ -264,6 +264,16 @@ process_tc_rule()
 	    target=RETURN
 	    mark=
 	    ;;
+	OR)
+	    [ -n "$did_connmark" ] && fatal_error "OR not valid with :C[FP]"
+	    target="MARK --or-mark"
+	    validate_mark $mark
+	    ;;
+	AND)
+	    [ -n "$did_connmark" ] && fatal_error "AND not valid with :C[FP]"
+	    target="MARK --and-mark"
+	    validate_mark $mark
+	    ;;
 	*)
 	    if [ "$chain" != tcpost ]; then
 		validate_mark $mark

Shorewall/tcrules

@@ -92,6 +92,20 @@
 #
 #			   As in a) above, may be followed by ":P" or ":F".
 #
+#			d) OR <mark>[/<mask>].
+#
+#			   Logically or the <mark> value with the current
+#			   packet mark.
+#
+#			   As in a) above, may be followed by ":P" or ":F".
+#
+#			d) AND <mark>[/<mask>].
+#
+#			   Logically and the <mark> value with the current
+#			   packet mark.
+#
+#			   As in a) above, may be followed by ":P" or ":F".
+#
 #	SOURCE		Source of the packet. A comma-separated list of
 #			interface names, IP addresses, MAC addresses and/or
 #			subnets for packets being routed through a common path.
@@ -115,7 +129,7 @@
 #			"-" as a separator.
 #
 #			Example: ~00-A0-C9-15-39-78
-
+#
 #	DEST		Destination of the packet. Comma separated list of
 #			IP addresses and/or subnets. If your kernel and
 #			iptables include iprange match support, IP address