diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index a37999c8f..52203c459 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -19,6 +19,8 @@ Changes in 3.3.5
 9) Implement -c option to [re]load command.
+10) Don't create ingress qdisc if IN-BANDWIDTH = 0.
+
 Changes in 3.3.4
 1) Make exclusion work with "show zones"
diff --git a/Shorewall/compiler b/Shorewall/compiler
index 240114050..77a73cd45 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -2527,6 +2527,8 @@ process_rules()
 do_it() # $1 = "Yes" if the target is a macro.
 {
+ local intrazone=
+
 expandv xprotocol xports xcports xaddress xratelimit xuserspec
 if [ -z "$SECTIONS" ]; then
diff --git a/Shorewall/lib.tc b/Shorewall/lib.tc
index 0e632ada5..68c5aac7e 100644
--- a/Shorewall/lib.tc
+++ b/Shorewall/lib.tc
@@ -193,8 +193,11 @@ setup_traffic_shaping()
 save_command "${dev}_mtu=\$(get_device_mtu $device)"
 run_tc "class add dev $device parent $devnum: classid $devnum:1 htb rate $outband mtu \$${dev}_mtu"
- run_tc qdisc add dev $device handle ffff: ingress
- run_tc filter add dev $device parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${inband} burst 10k drop flowid :1
+ if [ ${inband} -gt 0 ]; then
+ run_tc qdisc add dev $device handle ffff: ingress
+ run_tc filter add dev $device parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${inband} burst 10k drop flowid :1
+ fi
+
 eval ${dev}_devnum=$devnum
 devnum=$(($devnum + 1))
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 7b36f1044..ace373478 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
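Review bot: The `local intrazone=` added at the top of do_it() in Shorewall/compiler has no comment and is not covered by this commit's changelog entry, so a reader cannot tell why the variable must start empty on every call. If the intent is to keep a value set while processing an earlier rule (or in the enclosing process_rules scope) from leaking into the next one, say so, e.g. `# Reset per call: intrazone must not carry over from a previously processed rule`. do_it()'s body continues outside the hunk, so where intrazone is assigned and read is not visible here.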
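Review bot: The new guard `[ ${inband} -gt 0 ]` in setup_traffic_shaping (Shorewall/lib.tc) assumes `inband` is a bare integer, which the hunk does not establish: the same value is handed unchanged to `police rate ${inband}`, and tc also accepts unit-suffixed rates there. If a suffixed or empty value reaches the test, `[` prints an error and returns non-zero, so the ingress qdisc and policer are skipped and the inbound rate limit fails open with no clear diagnostic. Quote the variable and test only its numeric part, for example `if [ "${inband%%[!0-9]*}" != 0 ]; then`, or normalise the rate to an integer before this point. The function body starts and ends outside the hunk, so an earlier conversion of `inband` may exist that is not visible here.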
@@ -71,6 +71,10 @@ Other Changes in 3.3.5.
 If the file "capabilities" does not currently exist in the export directory then "-c" is automatically assumed.
+4) If 0 (zero) is specified for the IN-BANDWIDTH in
+ /etc/shorewall/tcdevices then no ingress qdisc will be created for
+ the device.
+
 Migration Considerations:
 1) Shorewall supports the notion of "default actions". A default