Allow SAME in the OUTPUT chain

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9531 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-08 16:54:10 +01:00 · 2009-02-25 21:04:17 +00:00 · 2009-02-25 21:04:17 +00:00 · 1705c42746
commit 1705c42746
parent 1f7d8964c3
4 changed files with 74 additions and 13 deletions
--- a/Shorewall/Shorewall/Providers.pm
+++ b/Shorewall/Shorewall/Providers.pm
@ -103,6 +103,7 @@ sub setup_route_marking() {

    my $chainref  = new_chain 'mangle', 'routemark';
    my $chainref1 = new_chain 'mangle', 'setsticky';
+    my $chainref2 = new_chain 'mangle', 'setsticko';

    my %marked_interfaces;

@ -116,6 +117,7 @@ sub setup_route_marking() {
 	unless ( $marked_interfaces{$interface} ) {
 	    add_rule $mangle_table->{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";
 	    add_jump $mangle_table->{PREROUTING} , $chainref1, 0, "-i ! $interface -m mark --mark  $mark/$mask ";
+	    add_jump $mangle_table->{OUTPUT}     , $chainref2, 0, "-m mark --mark  $mark/$mask ";
 	    $marked_interfaces{$interface} = 1;
 	}

@ -763,13 +765,14 @@ sub lookup_provider( $ ) {
 #
 sub handle_stickiness() {
    my $setstickyref = $mangle_table->{setsticky};
+    my $setstickoref = $mangle_table->{setsticko};
    my $tcpreref     = $mangle_table->{tcpre};
+    my $tcoutref     = $mangle_table->{tcout};
    my %marked_interfaces;
    my $sticky = 1;

    fatal_error "There are SAME tcrules but no 'track' providers" unless @routemarked_providers;

-    my $stickyref = ensure_mangle_chain 'sticky';

    for my $providerref ( @routemarked_providers ) {
 	my $interface = $providerref->{interface};
@ -777,6 +780,7 @@ sub handle_stickiness() {
 	my $mark      = $providerref->{mark};
 	
 	for ( grep /-j sticky/, @{$tcpreref->{rules}} ) {
+	    my $stickyref = ensure_mangle_chain 'sticky';
 	    my $rule1;
 	    my $list = sprintf "sticky%03d" , $sticky++;

@ -786,7 +790,7 @@ sub handle_stickiness() {

 		if ( $chainref->{name} eq 'sticky' ) {
 		    $rule1 = $_;
-		    $rule1 =~ s/-j sticky/-m recent --name $list --update --seconds 120 -j MARK --set-mark $mark/;
+		    $rule1 =~ s/-j sticky/-m recent --name $list --update --seconds 300 -j MARK --set-mark $mark/;
 		} else {
 		    $rule1 = $_;
 		    $rule1 =~ s/-j sticky/-m mark --mark $mark -m recent --name $list --set/;
@ -800,6 +804,32 @@ sub handle_stickiness() {
 	    
 	    }
 	}
+
+	for ( grep /-j sticko/, @{$tcoutref->{rules}} ) {
+	    my $rule1;
+	    my $list = sprintf "sticky%03d" , $sticky++;
+	    my $stickoref = ensure_mangle_chain 'sticko';
+
+	    for my $chainref ( $stickoref, $setstickoref ) {
+
+		add_command( $chainref, qq(if [ -n "\$${base}_IS_UP" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
+
+		if ( $chainref->{name} eq 'sticko' ) {
+		    $rule1 = $_;
+		    $rule1 =~ s/-j sticko/-m recent --name $list --rdest --update --seconds 300 -j MARK --set-mark $mark/;
+		} else {
+		    $rule1 = $_;
+		    $rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/;
+		}
+		
+		$rule1 =~ s/-A //;
+
+		add_rule $chainref, $rule1;
+
+		decr_cmd_level( $chainref), add_command( $chainref, "fi" ) if $providerref->{optional};
+	    
+	    }
+	}
    }
 }

--- a/Shorewall/Shorewall/Tc.pm
+++ b/Shorewall/Shorewall/Tc.pm
@ -286,7 +286,12 @@ sub process_tc_rule( $$$$$$$$$$$$ ) {
 		    }

 		    if ( $target eq 'sticky ' ) {
-			fatal_error "SAME rules are only allowed in the PREROUTING chain" if $chain ne 'tcpre';
+			if ( $chain eq 'tcout' ) {
+			    $target = 'sticko';
+			} else {
+			    fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
+			}
+
 			$sticky++;
 		    }

--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -85,9 +85,10 @@ New Features in Shorewall 4.4
    are routed through one provider and some through another.

    To work around this issue, the SAME target has been added to
-    /etc/shorewall/tcrules. SAME may currently be used only in the
-    PREROUTING chain and causes matching connections from an individual
-    local system to all use the same provider.
+    /etc/shorewall/tcrules. SAME may be used in the PREROUTING and
+    OUTPUT chains. When used in PREROUTING, it causes matching
+    connections from an individual local system to all use the same
+    provider.

    For example:

@ -95,5 +96,18 @@ New Features in Shorewall 4.4

    If a host in 192.168.1.0/24 attempts a connection on TCP port 80 or
    443 and it has sent a packet on either of those ports in the last
-    two minutes then the new connection will use the same provider as
+    five minutes then the new connection will use the same provider as
    the connection over which that last packet was sent.
+
+    When used in the OUTPUT chain, it causes all matching connections
+    to an individual remote system to all use the same provider.
+
+    For example:
+
+    	SAME	$FW	-	tcp	80,443
+
+    If the firewall attempts a connection on TCP port 80 or
+    443 and it has sent a packet on either of those ports in the last
+    five minutes to the same remote system then the new connection will
+    use the same provider as the connection over which that last packet
+    was sent.
--- a/manpages/shorewall-tcrules.xml
+++ b/manpages/shorewall-tcrules.xml
@ -241,16 +241,28 @@
              providers are configured, this can lead to problems when some of
              the connections are routed through one provider and some through
              another. The SAME target allows you to work around that problem.
-              SAME may currently be used only in the PREROUTING chain and
-              causes matching connections from an individual local system to
-              all use the same provider. For example: <programlisting>#MARK/            SOURCE         DEST         PROTO      DEST
+              SAME may be used in the PREROUTING and OUTPUT chains. When used
+              in PREROUTING, it causes matching connections from an individual
+              local system to all use the same provider. For example:
+              <programlisting>#MARK/            SOURCE         DEST         PROTO      DEST
 #CLASSIFY                                                PORT(S)
 SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
              If a host in 192.168.1.0/24 attempts a connection on TCP port 80
              or 443 and it has sent a packet on either of those ports in the
-              last two minutes then the new connection will use the same
-              provider as the connection over which that last packet was sent.
-              </para>
+              last five minutes then the new connection will use the same
+              provider as the connection over which that last packet was
+              sent.</para>
+
+              <para>When used in the OUTPUT chain, it causes all matching
+              connections to an individual remote system to all use the same
+              provider. For example:<programlisting>#MARK/            SOURCE         DEST         PROTO      DEST
+#CLASSIFY                                                PORT(S)
+SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
+              If the firewall attempts a connection on TCP port 80 or 443 and
+              it has sent a packet on either of those ports in the last five
+              minutes to the same remote system then the new connection will
+              use the same provider as the connection over which that last
+              packet was sent. </para>
            </listitem>

            <listitem>