Applied Fr�d�ric LESPEZ's patch for packet marking by user/group id

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1088 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -2,3 +2,4 @@ Changes since 1.4.9
 
 1) Implement destination list in masq file.
 
+2) Appled Frédéric LESPEZ's patch for packet marking by user/group id.

Shorewall/firewall

@@ -1709,6 +1709,25 @@ process_tc_rule()
 	    esac
 	fi
 
+	if [ "x$user" != "x-" ]; then
+
+	    [ "$chain" != tcout ] && \
+		fatal_error "Invalid use of a user/group: rule \"$rule\""
+
+	    case "$user" in
+		*:*)
+		    r="$r-m owner"
+		    temp="${user%:*}"
+		    [ -n "$temp" ] && r="$r --uid-owner $temp " 
+		    temp="${user#*:}"
+		    [ -n "$temp" ] && r="$r --gid-owner $temp "
+		    ;;
+		*)
+		    r="$r-m owner --uid-owner $user "
+		    ;;
+	    esac
+	fi
+
 	[ "x$dest"   = "x-"  ] || r="${r}-d $dest "
 	[ "$proto"   = "all" ] || r="${r}-p $proto "
 	[ "x$port"   = "x-"  ] || r="${r}--dport $port "
@@ -1767,9 +1786,9 @@ setup_tc1() {
     #
     strip_file tcrules
 
-    while read mark sources dests proto ports sports; do
-	expandv mark sources dests proto ports sports
-	rule=`echo "$mark $sources $dests $proto $ports $sports"`
+    while read mark sources dests proto ports sports user; do
+	expandv mark sources dests proto ports sports user
+	rule=`echo "$mark $sources $dests $proto $ports $sports $user"`
 	process_tc_rule
     done < $TMP_DIR/tcrules
     #

Shorewall/releasenotes.txt

@@ -20,3 +20,18 @@ New Features:
 
    If the list begins with "!" then SNAT will occur only if the
    destination IP address is NOT included in the list.
+
+2) Output traffic control rules (those with the firewall as the source)
+   may now be qualified by the effective userid and/or effective group
+   id of the program generating the output. This feature is courtesy of 
+   Frédéric LESPEZ.
+
+   A new USER column has been added to /etc/shorewall/tcrules.
+
+   It may contain :
+
+      [<user name or number>]:[<group name or number>]
+
+   The colon is optionnal when specifying only a user.
+
+       Examples : john: / john / :users / john:users	

Shorewall/tcrules

@@ -57,7 +57,22 @@
 #			any source port is acceptable. Specified as a comma-
 #			separated list of port names, port numbers or port
 #			ranges.
+#
+#	USER		This column may only be non-empty if the SOURCE is
+#			the firewall itself.
+#
+#			When this column is non-empty, the rule applies only
+#			if the program generating the output is running under
+#			the effective user and/or group.
+#
+#			It may contain :
+#
+#			   [<user name or number>]:[<group name or number>]
+#
+#			The colon is optionnal when specifying only a user.
+#			Examples : john: / john / :users / john:users	
+#
 ##############################################################################
-#MARK		SOURCE 		DEST		PROTO	PORT(S)	CLIENT
+#MARK		SOURCE 		DEST		PROTO	PORT(S)	CLIENT	USER
 #								PORT(S)
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE