mirror of
https://gitlab.com/shorewall/code.git
synced 2025-06-24 11:41:26 +02:00
Allow SAME in the OUTPUT chain
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9531 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
parent
1f7d8964c3
commit
1705c42746
@ -103,6 +103,7 @@ sub setup_route_marking() {
|
|||||||
|
|
||||||
my $chainref = new_chain 'mangle', 'routemark';
|
my $chainref = new_chain 'mangle', 'routemark';
|
||||||
my $chainref1 = new_chain 'mangle', 'setsticky';
|
my $chainref1 = new_chain 'mangle', 'setsticky';
|
||||||
|
my $chainref2 = new_chain 'mangle', 'setsticko';
|
||||||
|
|
||||||
my %marked_interfaces;
|
my %marked_interfaces;
|
||||||
|
|
||||||
@ -116,6 +117,7 @@ sub setup_route_marking() {
|
|||||||
unless ( $marked_interfaces{$interface} ) {
|
unless ( $marked_interfaces{$interface} ) {
|
||||||
add_rule $mangle_table->{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";
|
add_rule $mangle_table->{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";
|
||||||
add_jump $mangle_table->{PREROUTING} , $chainref1, 0, "-i ! $interface -m mark --mark $mark/$mask ";
|
add_jump $mangle_table->{PREROUTING} , $chainref1, 0, "-i ! $interface -m mark --mark $mark/$mask ";
|
||||||
|
add_jump $mangle_table->{OUTPUT} , $chainref2, 0, "-m mark --mark $mark/$mask ";
|
||||||
$marked_interfaces{$interface} = 1;
|
$marked_interfaces{$interface} = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -763,13 +765,14 @@ sub lookup_provider( $ ) {
|
|||||||
#
|
#
|
||||||
sub handle_stickiness() {
|
sub handle_stickiness() {
|
||||||
my $setstickyref = $mangle_table->{setsticky};
|
my $setstickyref = $mangle_table->{setsticky};
|
||||||
|
my $setstickoref = $mangle_table->{setsticko};
|
||||||
my $tcpreref = $mangle_table->{tcpre};
|
my $tcpreref = $mangle_table->{tcpre};
|
||||||
|
my $tcoutref = $mangle_table->{tcout};
|
||||||
my %marked_interfaces;
|
my %marked_interfaces;
|
||||||
my $sticky = 1;
|
my $sticky = 1;
|
||||||
|
|
||||||
fatal_error "There are SAME tcrules but no 'track' providers" unless @routemarked_providers;
|
fatal_error "There are SAME tcrules but no 'track' providers" unless @routemarked_providers;
|
||||||
|
|
||||||
my $stickyref = ensure_mangle_chain 'sticky';
|
|
||||||
|
|
||||||
for my $providerref ( @routemarked_providers ) {
|
for my $providerref ( @routemarked_providers ) {
|
||||||
my $interface = $providerref->{interface};
|
my $interface = $providerref->{interface};
|
||||||
@ -777,6 +780,7 @@ sub handle_stickiness() {
|
|||||||
my $mark = $providerref->{mark};
|
my $mark = $providerref->{mark};
|
||||||
|
|
||||||
for ( grep /-j sticky/, @{$tcpreref->{rules}} ) {
|
for ( grep /-j sticky/, @{$tcpreref->{rules}} ) {
|
||||||
|
my $stickyref = ensure_mangle_chain 'sticky';
|
||||||
my $rule1;
|
my $rule1;
|
||||||
my $list = sprintf "sticky%03d" , $sticky++;
|
my $list = sprintf "sticky%03d" , $sticky++;
|
||||||
|
|
||||||
@ -786,7 +790,7 @@ sub handle_stickiness() {
|
|||||||
|
|
||||||
if ( $chainref->{name} eq 'sticky' ) {
|
if ( $chainref->{name} eq 'sticky' ) {
|
||||||
$rule1 = $_;
|
$rule1 = $_;
|
||||||
$rule1 =~ s/-j sticky/-m recent --name $list --update --seconds 120 -j MARK --set-mark $mark/;
|
$rule1 =~ s/-j sticky/-m recent --name $list --update --seconds 300 -j MARK --set-mark $mark/;
|
||||||
} else {
|
} else {
|
||||||
$rule1 = $_;
|
$rule1 = $_;
|
||||||
$rule1 =~ s/-j sticky/-m mark --mark $mark -m recent --name $list --set/;
|
$rule1 =~ s/-j sticky/-m mark --mark $mark -m recent --name $list --set/;
|
||||||
@ -800,6 +804,32 @@ sub handle_stickiness() {
|
|||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
for ( grep /-j sticko/, @{$tcoutref->{rules}} ) {
|
||||||
|
my $rule1;
|
||||||
|
my $list = sprintf "sticky%03d" , $sticky++;
|
||||||
|
my $stickoref = ensure_mangle_chain 'sticko';
|
||||||
|
|
||||||
|
for my $chainref ( $stickoref, $setstickoref ) {
|
||||||
|
|
||||||
|
add_command( $chainref, qq(if [ -n "\$${base}_IS_UP" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
|
||||||
|
|
||||||
|
if ( $chainref->{name} eq 'sticko' ) {
|
||||||
|
$rule1 = $_;
|
||||||
|
$rule1 =~ s/-j sticko/-m recent --name $list --rdest --update --seconds 300 -j MARK --set-mark $mark/;
|
||||||
|
} else {
|
||||||
|
$rule1 = $_;
|
||||||
|
$rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/;
|
||||||
|
}
|
||||||
|
|
||||||
|
$rule1 =~ s/-A //;
|
||||||
|
|
||||||
|
add_rule $chainref, $rule1;
|
||||||
|
|
||||||
|
decr_cmd_level( $chainref), add_command( $chainref, "fi" ) if $providerref->{optional};
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -286,7 +286,12 @@ sub process_tc_rule( $$$$$$$$$$$$ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ( $target eq 'sticky ' ) {
|
if ( $target eq 'sticky ' ) {
|
||||||
fatal_error "SAME rules are only allowed in the PREROUTING chain" if $chain ne 'tcpre';
|
if ( $chain eq 'tcout' ) {
|
||||||
|
$target = 'sticko';
|
||||||
|
} else {
|
||||||
|
fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
|
||||||
|
}
|
||||||
|
|
||||||
$sticky++;
|
$sticky++;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -85,9 +85,10 @@ New Features in Shorewall 4.4
|
|||||||
are routed through one provider and some through another.
|
are routed through one provider and some through another.
|
||||||
|
|
||||||
To work around this issue, the SAME target has been added to
|
To work around this issue, the SAME target has been added to
|
||||||
/etc/shorewall/tcrules. SAME may currently be used only in the
|
/etc/shorewall/tcrules. SAME may be used in the PREROUTING and
|
||||||
PREROUTING chain and causes matching connections from an individual
|
OUTPUT chains. When used in PREROUTING, it causes matching
|
||||||
local system to all use the same provider.
|
connections from an individual local system to all use the same
|
||||||
|
provider.
|
||||||
|
|
||||||
For example:
|
For example:
|
||||||
|
|
||||||
@ -95,5 +96,18 @@ New Features in Shorewall 4.4
|
|||||||
|
|
||||||
If a host in 192.168.1.0/24 attempts a connection on TCP port 80 or
|
If a host in 192.168.1.0/24 attempts a connection on TCP port 80 or
|
||||||
443 and it has sent a packet on either of those ports in the last
|
443 and it has sent a packet on either of those ports in the last
|
||||||
two minutes then the new connection will use the same provider as
|
five minutes then the new connection will use the same provider as
|
||||||
the connection over which that last packet was sent.
|
the connection over which that last packet was sent.
|
||||||
|
|
||||||
|
When used in the OUTPUT chain, it causes all matching connections
|
||||||
|
to an individual remote system to all use the same provider.
|
||||||
|
|
||||||
|
For example:
|
||||||
|
|
||||||
|
SAME $FW - tcp 80,443
|
||||||
|
|
||||||
|
If the firewall attempts a connection on TCP port 80 or
|
||||||
|
443 and it has sent a packet on either of those ports in the last
|
||||||
|
five minutes to the same remote system then the new connection will
|
||||||
|
use the same provider as the connection over which that last packet
|
||||||
|
was sent.
|
||||||
|
|||||||
@ -241,16 +241,28 @@
|
|||||||
providers are configured, this can lead to problems when some of
|
providers are configured, this can lead to problems when some of
|
||||||
the connections are routed through one provider and some through
|
the connections are routed through one provider and some through
|
||||||
another. The SAME target allows you to work around that problem.
|
another. The SAME target allows you to work around that problem.
|
||||||
SAME may currently be used only in the PREROUTING chain and
|
SAME may be used in the PREROUTING and OUTPUT chains. When used
|
||||||
causes matching connections from an individual local system to
|
in PREROUTING, it causes matching connections from an individual
|
||||||
all use the same provider. For example: <programlisting>#MARK/ SOURCE DEST PROTO DEST
|
local system to all use the same provider. For example:
|
||||||
|
<programlisting>#MARK/ SOURCE DEST PROTO DEST
|
||||||
#CLASSIFY PORT(S)
|
#CLASSIFY PORT(S)
|
||||||
SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
|
SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
|
||||||
If a host in 192.168.1.0/24 attempts a connection on TCP port 80
|
If a host in 192.168.1.0/24 attempts a connection on TCP port 80
|
||||||
or 443 and it has sent a packet on either of those ports in the
|
or 443 and it has sent a packet on either of those ports in the
|
||||||
last two minutes then the new connection will use the same
|
last five minutes then the new connection will use the same
|
||||||
provider as the connection over which that last packet was sent.
|
provider as the connection over which that last packet was
|
||||||
</para>
|
sent.</para>
|
||||||
|
|
||||||
|
<para>When used in the OUTPUT chain, it causes all matching
|
||||||
|
connections to an individual remote system to all use the same
|
||||||
|
provider. For example:<programlisting>#MARK/ SOURCE DEST PROTO DEST
|
||||||
|
#CLASSIFY PORT(S)
|
||||||
|
SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||||
|
If the firewall attempts a connection on TCP port 80 or 443 and
|
||||||
|
it has sent a packet on either of those ports in the last five
|
||||||
|
minutes to the same remote system then the new connection will
|
||||||
|
use the same provider as the connection over which that last
|
||||||
|
packet was sent. </para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user