From 2a6b894bd4e0a3b7a31187d1b93e46f9a7452729 Mon Sep 17 00:00:00 2001
From: teastep
Date: Mon, 24 Mar 2008 22:36:48 +0000
Subject: [PATCH] Add MANGLE_ENABLED option
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8351 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
Shorewall-common/changelog.txt | 4 ++++
Shorewall-common/lib.config | 18 +++++++++++++++++-
Shorewall-common/releasenotes.txt | 20 +++++++++++++++++++-
Shorewall-common/shorewall.conf | 2 ++
Shorewall-perl/Shorewall/Chains.pm | 4 ++--
Shorewall-perl/Shorewall/Compiler.pm | 2 +-
Shorewall-perl/Shorewall/Config.pm | 6 +++++-
Shorewall-perl/Shorewall/Providers.pm | 2 ++
Shorewall-perl/Shorewall/Tc.pm | 26 ++++++++++++++------------
9 files changed, 66 insertions(+), 18 deletions(-)
diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt
index 9a2775c35..bbc03405e 100644
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@@ -8,6 +8,10 @@ Changes in 4.1.7 4) Add CONNBYTES column to tcrules. +5) Fix a couple of 4.1.6 bugs. + +6) Add MANGLE_ENABLED option. + Changes in 4.1.6 1) Deprecate IMPLICIT_CONTINUE=Yes
diff --git a/Shorewall-common/lib.config b/Shorewall-common/lib.config
index 9b85b19a2..3ee059c6d 100644
--- a/Shorewall-common/lib.config
+++ b/Shorewall-common/lib.config
@@ -1882,6 +1882,7 @@ do_initialize() { VERSION_FILE= LOGRULENUMBERS= ORIGINAL_POLICY_MATCH= + ORIGINAL_MANGLE_ENABLED= ensure_config_path
@@ -1962,6 +1963,7 @@ do_initialize() { fi ORIGINAL_POLICY_MATCH=$POLICY_MATCH + ORIGINAL_MANGLE_ENABLED=$MANGLE_ENABLED ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)" 
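Review bot: `ORIGINAL_MANGLE_ENABLED=$MANGLE_ENABLED` snapshots a variable that, after this commit, carries two different meanings: at this point it appears to hold the detected kernel/iptables mangle capability (the -2164 hunk tests ORIGINAL_MANGLE_ENABLED with the "mangle support in your kernel and iptables" message), while later the same name is the shorewall.conf option. Nothing on this line says which meaning is in effect, and the snapshot is only correct if it runs before the configuration file is read, which is outside the hunk. A comment such as `# MANGLE_ENABLED still holds the detected capability here; the shorewall.conf option of the same name overwrites it once the config file is read` would keep a later edit from moving the assignment. do_initialize starts before the hunk and continues past it.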
@@ -2126,6 +2128,19 @@ do_initialize() { KEEP_TC_RULES=$(added_param_value_no KEEP_TC_RULES $KEEP_TC_RULES) DELETE_THEN_ADD=$(added_param_value_yes DELETE_THEN_ADD $DELETE_THEN_ADD) + if [ -n "$MANGLE_ENABLED" ] ; then + case $MANGLE_ENABLED in + Yes|yes) + ;; + No|no) + MANGLE_ENABLED= + ;; + *) + startup_error "Invalid value ($MANGLE_ENABLED) for MANGLE_ENABLED"; + ;; + esac + fi + [ "$PROGRAM" = compiler ] && [ -n "$USE_ACTIONS" ] && lib_load actions "USE_ACTIONS=Yes" [ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
@@ -2164,7 +2179,8 @@ do_initialize() { fi if [ -n "$TC_ENABLED" ];then - [ -n "$MANGLE_ENABLED" ] || startup_error "Traffic Shaping requires mangle support in your kernel and iptables" + [ -n "$ORIGINAL_MANGLE_ENABLED" ] || startup_error "Traffic Shaping requires mangle support in your kernel and iptables" + [ -n "$MANGLE_ENABLED" ] || startup_error "Traffic Shaping requires MANGLE_ENABLED=Yes in shorewall.conf" fi [ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD"
diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt
index b9a5b51e0..69eb7e1f1 100644
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt 
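Review bot: The new `case` only runs when MANGLE_ENABLED is non-empty, so a shorewall.conf written before this option existed (no MANGLE_ENABLED line) leaves the variable empty, and the check added in the -2164 hunk then aborts any TC_ENABLED configuration with "Traffic Shaping requires MANGLE_ENABLED=Yes in shorewall.conf". That contradicts the Perl compiler, which applies `default_yes_no 'MANGLE_ENABLED' , 'Yes'` in Config.pm, and the default of Yes stated in the release notes. The neighbouring options are normalised with `added_param_value_yes`, which from its name and its use for DELETE_THEN_ADD two lines above appears to supply Yes when the option is absent; `MANGLE_ENABLED=$(added_param_value_yes MANGLE_ENABLED $MANGLE_ENABLED)` ahead of the `case` would keep the two compilers consistent, with the `*)` arm still rejecting anything that helper lets through. The `startup_error` line also carries a stray `;` before `;;`. do_initialize continues outside the hunk.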
@@ -149,7 +149,25 @@ New Features in 4.1.7. 1000000::O:P - Connection has sent at least 1,000,000 packets in the direction of the original - connection. + connection. + +3) A new MANGLE_ENABLED option is added to shorewall.conf. The default + setting is 'Yes' which causes Shorewall to assume responsibility for + the Netfilter mangle table. + + When MANGLE_ENABLED is set to 'No', Shorewall assumes no + responsibility for that table. In this setting: + + a) Shorewall doesn't alter the mangle table. + b) You may not use Shorewall Traffic Shaping (TC_ENABLED must be + set to 'No'. + c) The tcrules file is ignored. + d) The providers file must be empty. + e) All entries in tcdevices must specify the 'classify' option and + traffic classification may only occur using the tcfilters file. + + This allows for another application running on your firewall to + take over the mangle table and use it for it's own purposes. New Features in Shorewall 4.1.
diff --git a/Shorewall-common/shorewall.conf b/Shorewall-common/shorewall.conf
index 676471208..036afdc81 100644
--- a/Shorewall-common/shorewall.conf
+++ b/Shorewall-common/shorewall.conf
@@ -181,6 +181,8 @@ DONT_LOAD= AUTO_COMMENT=Yes +MANGLE_ENABLED=Yes + ############################################################################### # P A C K E T D I S P O S I T I O N ###############################################################################
diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm
index a65457e54..67a1c831e 100644
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@@ -2215,7 +2215,7 @@ sub create_netfilter_load() { push @table_list, 'raw' if $capabilities{RAW_TABLE}; push @table_list, 'nat' if $capabilities{NAT_ENABLED}; - push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED}; + push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED}; push @table_list, 'filter'; $mode = NULL_MODE; 
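Review bot: The conjunction `$capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED}` introduced in create_netfilter_load is repeated verbatim in create_chainlist_reload (-2305), in Compiler.pm's stop_firewall (-302) and in Tc.pm's setup_tc (-826), so two same-named flags with different meanings (detected kernel/iptables support versus the shorewall.conf setting) have to be told apart correctly at every site. A single predicate next to the two hashes in Config.pm, for example `sub mangle_enabled() { $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED} }` (suggested name), would make the intent explicit and stop a future call site from testing only one of them. create_netfilter_load starts and ends outside the hunk.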
@@ -2305,7 +2305,7 @@ sub create_chainlist_reload($) { unless ( @chains ) { @chains = qw( blacklst ) if $filter_table->{blacklst}; - push @chains, 'mangle:' if $capabilities{MANGLE_ENABLED}; + push @chains, 'mangle:' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED}; $chains = join( ',', @chains ) if @chains; }
diff --git a/Shorewall-perl/Shorewall/Compiler.pm b/Shorewall-perl/Shorewall/Compiler.pm
index dbe89c275..1a30065fc 100644
--- a/Shorewall-perl/Shorewall/Compiler.pm
+++ b/Shorewall-perl/Shorewall/Compiler.pm
@@ -302,7 +302,7 @@ stop_firewall() { run_stop_exit EOF - if ( $capabilities{MANGLE_ENABLED} ) { + if ( $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED} ) { emit <<'EOF'; run_iptables -t mangle -F run_iptables -t mangle -X
diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm
index 5ebd271aa..a2ff5dfeb 100644
--- a/Shorewall-perl/Shorewall/Config.pm
+++ b/Shorewall-perl/Shorewall/Config.pm
@@ -356,7 +356,8 @@ sub initialize() { DELETE_THEN_ADD => undef, MULTICAST => undef, DONT_LOAD => '', - AUTO_COMMENT => '' , + AUTO_COMMENT => undef , + MANGLE_ENABLED => undef , # # Packet Disposition #
@@ -1929,6 +1930,7 @@ sub get_configuration( $ ) { default_yes_no 'AUTO_COMMENT' , 'Yes'; default_yes_no 'MULTICAST' , ''; default_yes_no 'MARK_IN_FORWARD_CHAIN' , ''; + default_yes_no 'MANGLE_ENABLED' , 'Yes'; $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
@@ -1990,6 +1992,8 @@ sub get_configuration( $ ) { $config{TC_ENABLED} = ''; } + fatal_error "TC_ENABLED=$config{TC_ENABLED} is not allowed with MANGLE_ENABLED=No" if $config{TC_ENABLED} && ! $config{MANGLE_ENABLED}; + default 'RESTOREFILE' , 'restore'; default 'IPSECFILE' , 'zones'; default 'DROP_DEFAULT' , 'Drop';
diff --git a/Shorewall-perl/Shorewall/Providers.pm b/Shorewall-perl/Shorewall/Providers.pm
index 605738dc5..d9f55a096 100644
--- a/Shorewall-perl/Shorewall/Providers.pm 
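Review bot: With `$config{MANGLE_ENABLED}` false, the generated stop_firewall no longer runs `run_iptables -t mangle -F` / `-X`, and create_netfilter_load (Chains.pm -2215) no longer writes the mangle table, so tcpre/tcout chains and MARK rules installed by an earlier run with MANGLE_ENABLED=Yes stay in place after the option is switched to No; from the visible hunks nothing removes them, and leftover marks can keep steering traffic through provider routing rules the administrator believes are gone. The release notes only say Shorewall "doesn't alter" the table; they should also say that the mangle table has to be flushed once by hand when changing the option from Yes to No, or the commit should give `shorewall clear`/stop a way to do that on the transition. The emitted stop_firewall function starts and ends outside the hunk.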
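Review bot: `AUTO_COMMENT => undef ,` in the -356 hunk replaces the previous `''` in the option table, which is unrelated to adding MANGLE_ENABLED and is not explained by the commit message; if it is one of the "4.1.6 bugs" the changelog mentions (presumably so that `default_yes_no 'AUTO_COMMENT' , 'Yes'` applies its default instead of treating '' as an explicit No), a one-line comment on the entry such as `# undef, not '', so default_yes_no supplies the 'Yes' default` would record that, and a separate commit would be better still. The new `fatal_error` in the -1990 hunk sits after the block that normalises `$config{TC_ENABLED}` to '', which is the right order, but lib.config performs the equivalent check with its own wording, so the two messages should be kept aligned when either changes. initialize and get_configuration both start and end outside these hunks.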
+++ b/Shorewall-perl/Shorewall/Providers.pm
@@ -463,6 +463,8 @@ sub setup_providers() { progress_message2 "$doing $fn ..."; require_capability( 'MANGLE_ENABLED' , 'a non-empty providers file' , 's' ); + fatal_error "A non-empty providers file is not permitted with MANGLE_ENABLED=No" unless $config{MANGLE_ENABLED}; + emit "\nif [ -z \"\$NOROUTES\" ]; then"; push_indent;
diff --git a/Shorewall-perl/Shorewall/Tc.pm b/Shorewall-perl/Shorewall/Tc.pm
index 98b39c00d..6954f561a 100644
--- a/Shorewall-perl/Shorewall/Tc.pm
+++ b/Shorewall-perl/Shorewall/Tc.pm
@@ -826,7 +826,7 @@ sub setup_traffic_shaping() { # sub setup_tc() { - if ( $capabilities{MANGLE_ENABLED} ) { + if ( $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED} ) { ensure_mangle_chain 'tcpre'; ensure_mangle_chain 'tcout';
@@ -867,23 +867,25 @@ sub setup_tc() { setup_traffic_shaping; } - if ( my $fn = open_file 'tcrules' ) { + if ( $config{TC_ENABLED} ) { + if ( my $fn = open_file 'tcrules' ) { - first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'MANGLE_ENABLED' , 'a non-empty tcrules file' , 's'; } ); + first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'MANGLE_ENABLED' , 'a non-empty tcrules file' , 's'; } ); - while ( read_a_line ) { + while ( read_a_line ) { - my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes ) = split_line1 2, 11, 'tcrules file'; + my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes ) = split_line1 2, 11, 'tcrules file'; - if ( $mark eq 'COMMENT' ) { - process_comment; - } else { - process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos, $connbytes; + if ( $mark eq 'COMMENT' ) { + process_comment; + } else { + process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos, $connbytes; + } + } - - } - clear_comment; + clear_comment; + } } for ( @deferred_rules ) {
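Review bot: In the -867 hunk the tcrules loop is wrapped in `if ( $config{TC_ENABLED} )`, so tcrules is now skipped whenever TC_ENABLED is off, not only under MANGLE_ENABLED=No as release-notes item (c) describes. Since Config.pm now rejects TC_ENABLED with MANGLE_ENABLED=No the new guard does cover that case, but it also silently drops a populated tcrules file on a MANGLE_ENABLED=Yes, TC_ENABLED=No configuration, a change neither the changelog nor the release notes mention; if that is intended it should be documented with the option, otherwise gating on `$config{MANGLE_ENABLED}` (matching the -826 hunk) implements exactly what the notes state. Either way, emitting a warning when a non-empty tcrules file is ignored would keep the behaviour change from going unnoticed. setup_tc continues outside the hunk.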