extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-12-18 20:30:43 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into 4.5.3

Browse Source
This commit is contained in:
Tom Eastep 2012-05-09 10:03:43 -07:00
commit 2eb7af23dc
5 changed files with 83 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -806,7 +806,7 @@ sub transform_rule( $ ) {
} }
} }
set_rule_option( $ruleref, $option, $params ) unless $params eq ''; set_rule_option( $ruleref, $option, $params );
} }
$ruleref->{simple} = $simple; $ruleref->{simple} = $simple;

37
Shorewall/Perl/Shorewall/Tc.pm
View File

@ -169,6 +169,7 @@ my %restrictions = ( tcpre => PREROUTE_RESTRICT ,
tcout => OUTPUT_RESTRICT ); tcout => OUTPUT_RESTRICT );
my $family; my $family;
my $divert;
# #
# Rather than initializing globals in an INIT block or during declaration, # Rather than initializing globals in an INIT block or during declaration,
@ -191,6 +192,7 @@ sub initialize( $ ) {
$devnum = 0; $devnum = 0;
$sticky = 0; $sticky = 0;
$ipp2p = 0; $ipp2p = 0;
$divert = 0;
} }
sub process_tc_rule( ) { sub process_tc_rule( ) {
@ -242,6 +244,7 @@ sub process_tc_rule( ) {
my $restriction = 0; my $restriction = 0;
my $cmd; my $cmd;
my $rest; my $rest;
my $matches = '';
my %processtcc = ( sticky => sub() { my %processtcc = ( sticky => sub() {
if ( $chain eq 'tcout' ) { if ( $chain eq 'tcout' ) {
@ -294,6 +297,32 @@ sub process_tc_rule( ) {
$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift"; $target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
}, },
DIVERT => sub() {
fatal_error "Invalid DIVERT specification( $cmd/$rest )" if $rest;
$chain = 'tcpre';
$cmd =~ /DIVERT\((.+?)\)$/;
$mark = $1;
fatal_error "Invalid DIVERT specification( $cmd )" unless defined $mark;
my $val = numeric_value( $mark );
validate_mark $val . '/' . in_hex( $globals{PROVIDER_MASK} );
my $divertref = new_chain( 'mangle', 'DIVERT' . ( $divert ? $divert : '' ) );
$divert++;
add_ijump( $divertref , j => 'MARK', targetopts => '--set-mark ' . in_hex( $val ) . '/' . in_hex( $globals{PROVIDER_MASK} ) );
add_ijump( $divertref , j => 'ACCEPT' );
$target = $divertref->{name};
$matches = '-m socket ';
},
TPROXY => sub() { TPROXY => sub() {
require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's'); require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
@ -539,7 +568,8 @@ sub process_tc_rule( ) {
do_helper( $helper ) . do_helper( $helper ) .
do_headers( $headers ) . do_headers( $headers ) .
do_probability( $probability ) . do_probability( $probability ) .
do_dscp( $dscp ), do_dscp( $dscp ) .
$matches ,
$source , $source ,
$dest , $dest ,
'' , '' ,
@ -2002,6 +2032,11 @@ sub setup_tc() {
mark => HIGHMARK, mark => HIGHMARK,
mask => '', mask => '',
connmark => '' }, connmark => '' },
{ match => sub( $ ) { $_[0] =~ /^DIVERT/ },
target => 'DIVERT',
mark => HIGHMARK,
mask => '',
connmark => '' },
{ match => sub( $ ) { $_[0] =~ /^TTL/ }, { match => sub( $ ) { $_[0] =~ /^TTL/ },
target => 'TTL', target => 'TTL',
mark => NOMARK, mark => NOMARK,

19
Shorewall/manpages/shorewall-tcrules.xml
View File

@ -407,6 +407,19 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
classes will have a value &gt; 256.</para> classes will have a value &gt; 256.</para>
</listitem> </listitem>
<listitem>
<para><emphasis
role="bold">DIVERT</emphasis>(<replaceable>mark</replaceable>)</para>
<para>Added in Shorewall 4.5.3. A DIVERT rule should preceed
each TPROXY rule and should specify the same
<replaceable>mark</replaceable> value. DIVERT avoids sending
packets to the TPROXY target once a socket connection to Squid3
has been established by TPROXY. DIVERT marks the packet with the
specified <replaceable>mark</replaceable> and exempts it from
any rules that follow.</para>
</listitem>
<listitem> <listitem>
<para><emphasis <para><emphasis
role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[/<replaceable>mask</replaceable>][,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para> role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[/<replaceable>mask</replaceable>][,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para>
@ -438,6 +451,12 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
request arrives.</para> request arrives.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<note>
<para>A DIVERT rule specifying the same
<replaceable>mark</replaceable> value and other column values
should preceed each TPROXY rule.</para>
</note>
</listitem> </listitem>
<listitem> <listitem>

19
Shorewall6/manpages/shorewall6-tcrules.xml
View File

@ -304,6 +304,19 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
simply include COMMENT on a line by itself.</para> simply include COMMENT on a line by itself.</para>
</listitem> </listitem>
<listitem>
<para><emphasis
role="bold">DIVERT</emphasis>(<replaceable>mark</replaceable>)</para>
<para>Added in Shorewall 4.5.3. A DIVERT rule should preceed
each TPROXY rule and should specify the same
<replaceable>mark</replaceable> value. DIVERT avoids sending
packets to the TPROXY target once a socket connection to Squid3
has been established by TPROXY. DIVERT marks the packet with the
specified <replaceable>mark</replaceable> and exempts it from
any rules that follow.</para>
</listitem>
<listitem> <listitem>
<para><emphasis <para><emphasis
role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[/<replaceable>mask</replaceable>][,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para> role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[/<replaceable>mask</replaceable>][,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para>
@ -335,6 +348,12 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
request arrives.</para> request arrives.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<note>
<para>A DIVERT rule specifying the same
<replaceable>mark</replaceable> value and other column values
should preceed each TPROXY rule.</para>
</note>
</listitem> </listitem>
<listitem> <listitem>

8
docs/Shorewall_Squid_Usage.xml
View File

@ -336,8 +336,16 @@ Tproxy 1 1 - lo - local</programlis
eth1):</para> eth1):</para>
<programlisting>MARK SOURCE DEST PROTO PORT(S) <programlisting>MARK SOURCE DEST PROTO PORT(S)
DIVERT(1) eth1 0.0.0.0/0 tcp 80
TPROXY(1,3128) eth1 0.0.0.0/0 tcp 80</programlisting> TPROXY(1,3128) eth1 0.0.0.0/0 tcp 80</programlisting>
<note>
<para>The DIVERT action was added in Shorewall 4.5.3; user's running
earlier versions of Shorewall will need to use the <ulink
url="extension_scripts.htm">start extension script</ulink> to add the
DIVERT logic mentioned in the Squid article linked above.</para>
</note>
<para>/etc/shorewall/rules:</para> <para>/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)