extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-20 01:37:59 +02:00
Code Issues Packages Projects Releases Wiki Activity

Implement MARK and CONNMARK in the rules file.

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2016-03-18 11:42:58 -07:00
parent 2bebf1c95a
commit 273c89a753
3 changed files with 129 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -2517,6 +2517,44 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
my $exceptionrule = ''; my $exceptionrule = '';
my $usergenerated; my $usergenerated;
my $prerule = ''; my $prerule = '';
#
# Subroutine for handling MARK and CONNMARK.
#
sub handle_mark( $$$ ) {
my ( $target, $param, $marktype ) = @_;
my $and_or = $param =~ s/^([|&])// ? $1 : '';
require_capability( 'MARK_ANYWHERE', "The $target action", 's' );
fatal_error "Mark Ranges are not supported in the rules file" if $param =~ /-/;
#
# A Single Mark
#
my $mark = $param;
my $val;
if ( supplied $mark ) {
if ( $marktype == SMALLMARK ) {
$val = verify_small_mark( $mark );
} else {
$val = validate_mark( $mark );
}
} else {
$val = numeric_value( $mark = $globals{TC_MASK} );
}
$target = join( ' ', $target, $and_or eq '|' ? '--or-mark' : $and_or ? '--and-mark' : '--set-mark' );
( $mark, my $mask ) = split '/', $mark;
if ( supplied $mask ) {
$target = join( ' ', $target , join( '/', $mark , $mask ) );
} else {
$target = join( ' ', $target , $mark );
}
$target;
};
if ( $inchain = defined $chainref ) { if ( $inchain = defined $chainref ) {
( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if $chainref->{action}; ( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if $chainref->{action};
@ -2602,7 +2640,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
$action = 'LOG'; $action = 'LOG';
} elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES | TARPIT ) ) ) { } elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES | TARPIT ) ) ) {
fatal_error "'builtin' actions may only be used in INLINE rules" if $actiontype == USERBUILTIN; fatal_error "'builtin' actions may only be used in INLINE rules" if $actiontype == USERBUILTIN;
fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq ''; fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '' || $actiontype & OPTIONS;
} }
} }
# #
@ -2648,6 +2686,10 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
$action = "AUDIT --type $param"; $action = "AUDIT --type $param";
} , } ,
CONNMARK => sub() {
$action = handle_mark( 'CONNMARK', $param, HIGHMARK );
} ,
REDIRECT => sub () { REDIRECT => sub () {
my $z = $actiontype & NATONLY ? '' : firewall_zone; my $z = $actiontype & NATONLY ? '' : firewall_zone;
if ( $dest eq '-' ) { if ( $dest eq '-' ) {
@ -2715,6 +2757,10 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
} }
}, },
MARK => sub() {
$action = handle_mark( 'MARK', $param, HIGHMARK );
} ,
TARPIT => sub { TARPIT => sub {
require_capability 'TARPIT_TARGET', 'TARPIT', 's'; require_capability 'TARPIT_TARGET', 'TARPIT', 's';

41
Shorewall/manpages/shorewall-rules.xml
View File

@ -328,6 +328,18 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">CONMARK({<replaceable>mark</replaceable>})</emphasis></term>
<listitem>
<para>Added in Shorewall 5.0.7, CONNMARK is identical to MARK
with the exception that the mark is assigned to connection to
which the packet belongs is marked rather than to the packet
itself.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">CONTINUE</emphasis></term> <term><emphasis role="bold">CONTINUE</emphasis></term>
@ -546,6 +558,35 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">MARK({<replaceable>mark</replaceable>})</emphasis></term>
<listitem>
<para>where <replaceable>mark</replaceable> is a packet mark
value.</para>
<para>Added in Shorewall 5.0.7, MARK requires "Mark in filter
table" support in your kernel and iptables.</para>
<para>Normally will set the mark value of the current packet.
If preceded by a vertical bar ("|"), the mark value will be
logically ORed with the current mark value to produce a new
mark value. If preceded by an ampersand ("&amp;"), will be
logically ANDed with the current mark value to produce a new
mark value.</para>
<para>Both "|" and "&amp;" require Extended MARK Target
support in your kernel and iptables.</para>
<para>The mark value may be optionally followed by "/" and a
mask value (used to determine those bits of the connection
mark to actually be set). When a mask is specified, the result
of logically ANDing the mark value with the mask must be the
same as the mark value.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term> role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>

41
Shorewall6/manpages/shorewall6-rules.xml
View File

@ -303,6 +303,18 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">CONMARK({<replaceable>mark</replaceable>})</emphasis></term>
<listitem>
<para>Added in Shorewall 5.0.7, CONNMARK is identical to MARK
with the exception that the mark is assigned to connection to
which the packet belongs is marked rather than to the packet
itself.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">CONTINUE</emphasis></term> <term><emphasis role="bold">CONTINUE</emphasis></term>
@ -523,6 +535,35 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">MARK({<replaceable>mark</replaceable>})</emphasis></term>
<listitem>
<para>where <replaceable>mark</replaceable> is a packet mark
value.</para>
<para>Added in Shorewall 5.0.7, MARK requires "Mark in filter
table" support in your kernel and iptables.</para>
<para>Normally will set the mark value of the current packet.
If preceded by a vertical bar ("|"), the mark value will be
logically ORed with the current mark value to produce a new
mark value. If preceded by an ampersand ("&amp;"), will be
logically ANDed with the current mark value to produce a new
mark value.</para>
<para>Both "|" and "&amp;" require Extended MARK Target
support in your kernel and iptables.</para>
<para>The mark value may be optionally followed by "/" and a
mask value (used to determine those bits of the connection
mark to actually be set). When a mask is specified, the result
of logically ANDing the mark value with the mask must be the
same as the mark value.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term> role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>