Add MANGLE_ENABLED option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8351 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-03-24 22:36:48 +00:00
parent 4676e5b8b7
commit 2a6b894bd4
9 changed files with 66 additions and 18 deletions


@ -8,6 +8,10 @@ Changes in 4.1.7
4) Add CONNBYTES column to tcrules. 4) Add CONNBYTES column to tcrules.
5) Fix a couple of 4.1.6 bugs.
6) Add MANGLE_ENABLED option.
Changes in 4.1.6 Changes in 4.1.6
1) Deprecate IMPLICIT_CONTINUE=Yes 1) Deprecate IMPLICIT_CONTINUE=Yes


@ -1882,6 +1882,7 @@ do_initialize() {
VERSION_FILE= VERSION_FILE=
LOGRULENUMBERS= LOGRULENUMBERS=
ORIGINAL_POLICY_MATCH= ORIGINAL_POLICY_MATCH=
ORIGINAL_MANGLE_ENABLED=
ensure_config_path ensure_config_path
@ -1962,6 +1963,7 @@ do_initialize() {
fi fi
ORIGINAL_POLICY_MATCH=$POLICY_MATCH ORIGINAL_POLICY_MATCH=$POLICY_MATCH
ORIGINAL_MANGLE_ENABLED=$MANGLE_ENABLED
ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)" ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)"
@ -2126,6 +2128,19 @@ do_initialize() {
KEEP_TC_RULES=$(added_param_value_no KEEP_TC_RULES $KEEP_TC_RULES) KEEP_TC_RULES=$(added_param_value_no KEEP_TC_RULES $KEEP_TC_RULES)
DELETE_THEN_ADD=$(added_param_value_yes DELETE_THEN_ADD $DELETE_THEN_ADD) DELETE_THEN_ADD=$(added_param_value_yes DELETE_THEN_ADD $DELETE_THEN_ADD)
if [ -n "$MANGLE_ENABLED" ] ; then
case $MANGLE_ENABLED in
Yes|yes)
;;
No|no)
MANGLE_ENABLED=
;;
*)
startup_error "Invalid value ($MANGLE_ENABLED) for MANGLE_ENABLED";
;;
esac
fi
[ "$PROGRAM" = compiler ] && [ -n "$USE_ACTIONS" ] && lib_load actions "USE_ACTIONS=Yes" [ "$PROGRAM" = compiler ] && [ -n "$USE_ACTIONS" ] && lib_load actions "USE_ACTIONS=Yes"
[ -n "$XCONNMARK_MATCH" ] || XCONNMARK= [ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
@ -2164,7 +2179,8 @@ do_initialize() {
fi fi
if [ -n "$TC_ENABLED" ];then if [ -n "$TC_ENABLED" ];then
[ -n "$MANGLE_ENABLED" ] || startup_error "Traffic Shaping requires mangle support in your kernel and iptables" [ -n "$ORIGINAL_MANGLE_ENABLED" ] || startup_error "Traffic Shaping requires mangle support in your kernel and iptables"
[ -n "$MANGLE_ENABLED" ] || startup_error "Traffic Shaping requires MANGLE_ENABLED=Yes in shorewall.conf"
fi fi
[ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD" [ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD"
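Review bot: The `Yes|yes)` branch of the new case statement in the third hunk leaves MANGLE_ENABLED set even when the mangle capability was not detected, and only the TC_ENABLED path in the last hunk cross-checks ORIGINAL_MANGLE_ENABLED; assuming the snapshot `ORIGINAL_MANGLE_ENABLED=$MANGLE_ENABLED` captures the detected capability before shorewall.conf is applied (it parallels ORIGINAL_POLICY_MATCH), any other code that keys on $MANGLE_ENABLED will try to operate on a mangle table the kernel does not provide. Making the effective value the conjunction of capability and setting, as the Perl compiler does with `$capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED}`, keeps the two front ends consistent: `Yes|yes) MANGLE_ENABLED=$ORIGINAL_MANGLE_ENABLED ;;`. The stray `;` after the startup_error call, immediately before `;;`, is harmless but differs from the other arms. do_initialize begins before and ends after these hunks.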


@ -149,7 +149,25 @@ New Features in 4.1.7.
1000000::O:P - Connection has sent at least 1,000,000 1000000::O:P - Connection has sent at least 1,000,000
packets in the direction of the original packets in the direction of the original
connection. connection.
3) A new MANGLE_ENABLED option is added to shorewall.conf. The default
setting is 'Yes' which causes Shorewall to assume responsibility for
the Netfilter mangle table.
When MANGLE_ENABLED is set to 'No', Shorewall assumes no
responsibility for that table. In this setting:
a) Shorewall doesn't alter the mangle table.
b) You may not use Shorewall Traffic Shaping (TC_ENABLED must be
set to 'No'.
c) The tcrules file is ignored.
d) The providers file must be empty.
e) All entries in tcdevices must specify the 'classify' option and
traffic classification may only occur using the tcfilters file.
This allows for another application running on your firewall to
take over the mangle table and use it for it's own purposes.
New Features in Shorewall 4.1. New Features in Shorewall 4.1.


@ -181,6 +181,8 @@ DONT_LOAD=
AUTO_COMMENT=Yes AUTO_COMMENT=Yes
MANGLE_ENABLED=Yes
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################


@ -2215,7 +2215,7 @@ sub create_netfilter_load() {
push @table_list, 'raw' if $capabilities{RAW_TABLE}; push @table_list, 'raw' if $capabilities{RAW_TABLE};
push @table_list, 'nat' if $capabilities{NAT_ENABLED}; push @table_list, 'nat' if $capabilities{NAT_ENABLED};
push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED}; push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
push @table_list, 'filter'; push @table_list, 'filter';
$mode = NULL_MODE; $mode = NULL_MODE;
@ -2305,7 +2305,7 @@ sub create_chainlist_reload($) {
unless ( @chains ) { unless ( @chains ) {
@chains = qw( blacklst ) if $filter_table->{blacklst}; @chains = qw( blacklst ) if $filter_table->{blacklst};
push @chains, 'mangle:' if $capabilities{MANGLE_ENABLED}; push @chains, 'mangle:' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
$chains = join( ',', @chains ) if @chains; $chains = join( ',', @chains ) if @chains;
} }
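Review bot: The gate `$capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED}` is spelled out by hand here in create_netfilter_load and create_chainlist_reload, and again in stop_firewall and setup_tc elsewhere in this commit; any later call site that tests only the capability, as every pre-existing site did, will silently touch the mangle table under MANGLE_ENABLED=No. A single helper next to %config keeps the rule in one auditable place: `sub mangle_enabled() { return $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED}; }`, with each site becoming `push @table_list, 'mangle' if mangle_enabled;`. Both enclosing subs start before and end after their hunks.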


@ -302,7 +302,7 @@ stop_firewall() {
run_stop_exit run_stop_exit
EOF EOF
if ( $capabilities{MANGLE_ENABLED} ) { if ( $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED} ) {
emit <<'EOF'; emit <<'EOF';
run_iptables -t mangle -F run_iptables -t mangle -F
run_iptables -t mangle -X run_iptables -t mangle -X
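Review bot: With MANGLE_ENABLED=No the generated stop script no longer flushes or deletes the mangle chains, so chains left by an earlier run with MANGLE_ENABLED=Yes may stay in place after a stop; as far as this hunk shows nothing else removes them. That is consistent with the release note's "Shorewall doesn't alter the mangle table", but it is a deliberate choice that deserves a comment at the condition, e.g. `# MANGLE_ENABLED=No: the mangle table belongs to another application; leave it untouched even on stop`. stop_firewall starts before and ends after this hunk.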


@ -356,7 +356,8 @@ sub initialize() {
DELETE_THEN_ADD => undef, DELETE_THEN_ADD => undef,
MULTICAST => undef, MULTICAST => undef,
DONT_LOAD => '', DONT_LOAD => '',
AUTO_COMMENT => '' , AUTO_COMMENT => undef ,
MANGLE_ENABLED => undef ,
# #
# Packet Disposition # Packet Disposition
# #
@ -1929,6 +1930,7 @@ sub get_configuration( $ ) {
default_yes_no 'AUTO_COMMENT' , 'Yes'; default_yes_no 'AUTO_COMMENT' , 'Yes';
default_yes_no 'MULTICAST' , ''; default_yes_no 'MULTICAST' , '';
default_yes_no 'MARK_IN_FORWARD_CHAIN' , ''; default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
default_yes_no 'MANGLE_ENABLED' , 'Yes';
$capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK}; $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
@ -1990,6 +1992,8 @@ sub get_configuration( $ ) {
$config{TC_ENABLED} = ''; $config{TC_ENABLED} = '';
} }
fatal_error "TC_ENABLED=$config{TC_ENABLED} is not allowed with MANGLE_ENABLED=No" if $config{TC_ENABLED} && ! $config{MANGLE_ENABLED};
default 'RESTOREFILE' , 'restore'; default 'RESTOREFILE' , 'restore';
default 'IPSECFILE' , 'zones'; default 'IPSECFILE' , 'zones';
default 'DROP_DEFAULT' , 'Drop'; default 'DROP_DEFAULT' , 'Drop';
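Review bot: The AUTO_COMMENT default in initialize() changes from `''` to `undef` in the first hunk, which is unrelated to the MANGLE_ENABLED option named in the commit message and is not in the changelog; if default_yes_no treats undef and an empty string differently (I cannot tell from here) this changes behaviour for users who do not set AUTO_COMMENT, so it should be called out or split into its own commit. The new TC_ENABLED/MANGLE_ENABLED cross-check in the third hunk sits correctly after the TC_ENABLED normalisation above it; a one-line comment such as `# MANGLE_ENABLED=No hands the mangle table to another application, so built-in shaping cannot be used` would explain why this is fatal rather than a warning. get_configuration starts before and ends after the hunk.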


@ -463,6 +463,8 @@ sub setup_providers() {
progress_message2 "$doing $fn ..."; progress_message2 "$doing $fn ...";
require_capability( 'MANGLE_ENABLED' , 'a non-empty providers file' , 's' ); require_capability( 'MANGLE_ENABLED' , 'a non-empty providers file' , 's' );
fatal_error "A non-empty providers file is not permitted with MANGLE_ENABLED=No" unless $config{MANGLE_ENABLED};
emit "\nif [ -z \"\$NOROUTES\" ]; then"; emit "\nif [ -z \"\$NOROUTES\" ]; then";
push_indent; push_indent;


@ -826,7 +826,7 @@ sub setup_traffic_shaping() {
# #
sub setup_tc() { sub setup_tc() {
if ( $capabilities{MANGLE_ENABLED} ) { if ( $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED} ) {
ensure_mangle_chain 'tcpre'; ensure_mangle_chain 'tcpre';
ensure_mangle_chain 'tcout'; ensure_mangle_chain 'tcout';
@ -867,23 +867,25 @@ sub setup_tc() {
setup_traffic_shaping; setup_traffic_shaping;
} }
if ( my $fn = open_file 'tcrules' ) { if ( $config{TC_ENABLED} ) {
if ( my $fn = open_file 'tcrules' ) {
first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'MANGLE_ENABLED' , 'a non-empty tcrules file' , 's'; } ); first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'MANGLE_ENABLED' , 'a non-empty tcrules file' , 's'; } );
while ( read_a_line ) { while ( read_a_line ) {
my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes ) = split_line1 2, 11, 'tcrules file'; my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes ) = split_line1 2, 11, 'tcrules file';
if ( $mark eq 'COMMENT' ) { if ( $mark eq 'COMMENT' ) {
process_comment; process_comment;
} else { } else {
process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos, $connbytes; process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos, $connbytes;
}
} }
}
clear_comment; clear_comment;
}
} }
for ( @deferred_rules ) { for ( @deferred_rules ) {
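Review bot: The new guard around the tcrules loop tests `$config{TC_ENABLED}` rather than `$config{MANGLE_ENABLED}`, so tcrules is now also skipped when TC_ENABLED=No and MANGLE_ENABLED=Yes, a case the release note does not mention (it only says tcrules is ignored under MANGLE_ENABLED=No, which the fatal_error in get_configuration already implies). If skipping tcrules whenever shaping is off is intended, say so in the release note and in a comment at the guard; otherwise `if ( $config{MANGLE_ENABLED} ) {` (or no guard at all, if this block is inside the outer MANGLE_ENABLED test at the top of setup_tc, as the indentation suggests) matches the documented behaviour. Because first_entry is what reports the file, a non-empty tcrules file is silently ignored in the skipped case; a warning there would help users diagnose marks that never get applied. setup_tc ends after this hunk.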