From 1705c4274607044ec29a01cac672c179c490b2f8 Mon Sep 17 00:00:00 2001 From: teastep Date: Wed, 25 Feb 2009 21:04:17 +0000 Subject: [PATCH] Allow SAME in the OUTPUT chain git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9531 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/Shorewall/Providers.pm | 34 ++++++++++++++++++++++++++++++-- Shorewall/Shorewall/Tc.pm | 7 ++++++- Shorewall/releasenotes.txt | 22 +++++++++++++++++---- manpages/shorewall-tcrules.xml | 24 ++++++++++++++++------ 4 files changed, 74 insertions(+), 13 deletions(-) diff --git a/Shorewall/Shorewall/Providers.pm b/Shorewall/Shorewall/Providers.pm index 16176b7ae..6a94cb280 100644 --- a/Shorewall/Shorewall/Providers.pm +++ b/Shorewall/Shorewall/Providers.pm @@ -103,6 +103,7 @@ sub setup_route_marking() { my $chainref = new_chain 'mangle', 'routemark'; my $chainref1 = new_chain 'mangle', 'setsticky'; + my $chainref2 = new_chain 'mangle', 'setsticko'; my %marked_interfaces; @@ -116,6 +117,7 @@ sub setup_route_marking() { unless ( $marked_interfaces{$interface} ) { add_rule $mangle_table->{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark"; add_jump $mangle_table->{PREROUTING} , $chainref1, 0, "-i ! $interface -m mark --mark $mark/$mask "; + add_jump $mangle_table->{OUTPUT} , $chainref2, 0, "-m mark --mark $mark/$mask "; $marked_interfaces{$interface} = 1; } @@ -763,13 +765,14 @@ sub lookup_provider( $ ) { # sub handle_stickiness() { my $setstickyref = $mangle_table->{setsticky}; + my $setstickoref = $mangle_table->{setsticko}; my $tcpreref = $mangle_table->{tcpre}; + my $tcoutref = $mangle_table->{tcout}; my %marked_interfaces; my $sticky = 1; fatal_error "There are SAME tcrules but no 'track' providers" unless @routemarked_providers; - my $stickyref = ensure_mangle_chain 'sticky'; for my $providerref ( @routemarked_providers ) { my $interface = $providerref->{interface}; @@ -777,6 +780,7 @@ sub handle_stickiness() { my $mark = $providerref->{mark}; for ( grep /-j sticky/, @{$tcpreref->{rules}} ) { + my $stickyref = ensure_mangle_chain 'sticky'; my $rule1; my $list = sprintf "sticky%03d" , $sticky++; @@ -786,7 +790,7 @@ sub handle_stickiness() { if ( $chainref->{name} eq 'sticky' ) { $rule1 = $_; - $rule1 =~ s/-j sticky/-m recent --name $list --update --seconds 120 -j MARK --set-mark $mark/; + $rule1 =~ s/-j sticky/-m recent --name $list --update --seconds 300 -j MARK --set-mark $mark/; } else { $rule1 = $_; $rule1 =~ s/-j sticky/-m mark --mark $mark -m recent --name $list --set/; @@ -800,6 +804,32 @@ sub handle_stickiness() { } } + + for ( grep /-j sticko/, @{$tcoutref->{rules}} ) { + my $rule1; + my $list = sprintf "sticky%03d" , $sticky++; + my $stickoref = ensure_mangle_chain 'sticko'; + + for my $chainref ( $stickoref, $setstickoref ) { + + add_command( $chainref, qq(if [ -n "\$${base}_IS_UP" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional}; + + if ( $chainref->{name} eq 'sticko' ) { + $rule1 = $_; + $rule1 =~ s/-j sticko/-m recent --name $list --rdest --update --seconds 300 -j MARK --set-mark $mark/; + } else { + $rule1 = $_; + $rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/; + } + + $rule1 =~ s/-A //; + + add_rule $chainref, $rule1; + + decr_cmd_level( $chainref), add_command( $chainref, "fi" ) if $providerref->{optional}; + + } + } } } diff --git a/Shorewall/Shorewall/Tc.pm b/Shorewall/Shorewall/Tc.pm index c01924e2d..510db3776 100644 --- a/Shorewall/Shorewall/Tc.pm +++ b/Shorewall/Shorewall/Tc.pm @@ -286,7 +286,12 @@ sub process_tc_rule( $$$$$$$$$$$$ ) { } if ( $target eq 'sticky ' ) { - fatal_error "SAME rules are only allowed in the PREROUTING chain" if $chain ne 'tcpre'; + if ( $chain eq 'tcout' ) { + $target = 'sticko'; + } else { + fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre'; + } + $sticky++; } diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 790a32164..0a3f0f523 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -85,9 +85,10 @@ New Features in Shorewall 4.4 are routed through one provider and some through another. To work around this issue, the SAME target has been added to - /etc/shorewall/tcrules. SAME may currently be used only in the - PREROUTING chain and causes matching connections from an individual - local system to all use the same provider. + /etc/shorewall/tcrules. SAME may be used in the PREROUTING and + OUTPUT chains. When used in PREROUTING, it causes matching + connections from an individual local system to all use the same + provider. For example: @@ -95,5 +96,18 @@ New Features in Shorewall 4.4 If a host in 192.168.1.0/24 attempts a connection on TCP port 80 or 443 and it has sent a packet on either of those ports in the last - two minutes then the new connection will use the same provider as + five minutes then the new connection will use the same provider as the connection over which that last packet was sent. + + When used in the OUTPUT chain, it causes all matching connections + to an individual remote system to all use the same provider. + + For example: + + SAME $FW - tcp 80,443 + + If the firewall attempts a connection on TCP port 80 or + 443 and it has sent a packet on either of those ports in the last + five minutes to the same remote system then the new connection will + use the same provider as the connection over which that last packet + was sent. diff --git a/manpages/shorewall-tcrules.xml b/manpages/shorewall-tcrules.xml index bb4a696e8..34e86a4eb 100644 --- a/manpages/shorewall-tcrules.xml +++ b/manpages/shorewall-tcrules.xml @@ -241,16 +241,28 @@ providers are configured, this can lead to problems when some of the connections are routed through one provider and some through another. The SAME target allows you to work around that problem. - SAME may currently be used only in the PREROUTING chain and - causes matching connections from an individual local system to - all use the same provider. For example: #MARK/ SOURCE DEST PROTO DEST + SAME may be used in the PREROUTING and OUTPUT chains. When used + in PREROUTING, it causes matching connections from an individual + local system to all use the same provider. For example: + #MARK/ SOURCE DEST PROTO DEST #CLASSIFY PORT(S) SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443 If a host in 192.168.1.0/24 attempts a connection on TCP port 80 or 443 and it has sent a packet on either of those ports in the - last two minutes then the new connection will use the same - provider as the connection over which that last packet was sent. - + last five minutes then the new connection will use the same + provider as the connection over which that last packet was + sent. + + When used in the OUTPUT chain, it causes all matching + connections to an individual remote system to all use the same + provider. For example:#MARK/ SOURCE DEST PROTO DEST +#CLASSIFY PORT(S) +SAME $FW 0.0.0.0/0 tcp 80,443 + If the firewall attempts a connection on TCP port 80 or 443 and + it has sent a packet on either of those ports in the last five + minutes to the same remote system then the new connection will + use the same provider as the connection over which that last + packet was sent.