extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-12-22 06:10:42 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add FWMARK_RT_MASK capability.

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2010-07-04 09:08:04 -07:00
parent d3e30b5fe4
commit 2ee4fd8f5a
8 changed files with 53 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
Shorewall/Perl/Shorewall/Config.pm
View File

@ -131,7 +131,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
Exporter::export_ok_tags('internal');
our $VERSION = '4.4_9';
our $VERSION = '4.4_11';
#
# describe the current command, it's present progressive, and it's completion.
@ -249,6 +249,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
OLD_HL_MATCH => 'Old Hash Limit Match',
TPROXY_TARGET => 'TPROXY Target',
FLOW_FILTER => 'Flow Classifier',
FWMARK_RT_MASK => 'fwmark route mask',
CAPVERSION => 'Capability Version',
KERNELVERSION => 'Kernel Version',
);
@ -342,7 +343,7 @@ sub initialize( $ ) {
STATEMATCH => '-m state --state',
UNTRACKED => 0,
VERSION => "4.4.11-Beta3",
CAPVERSION => 40408 ,
CAPVERSION => 40411 ,
);
#
@ -664,6 +665,7 @@ sub initialize( $ ) {
PERSISTENT_SNAT => undef,
OLD_HL_MATCH => undef,
FLOW_FILTER => undef,
FWMARK_RT_MASK => undef,
CAPVERSION => undef,
KERNELVERSION => undef,
);
@ -2421,6 +2423,10 @@ sub Flow_Filter() {
$tc && system( "$tc filter add flow add help 2>&1 | grep -q ^Usage" ) == 0;
}
sub Fwmark_Rt_Mask() {
$tc && system( "$tc rule add help 2>&1 | grep -q /MARK" ) == 0;
}
our %detect_capability =
( ADDRTYPE => \&Addrtype,
CLASSIFY_TARGET => \&Classify_Target,
@ -2432,6 +2438,7 @@ our %detect_capability =
ENHANCED_REJECT => \&Enhanced_Reject,
EXMARK => \&Exmark,
FLOW_FILTER => \&Flow_Filter,
FWMARK_RT_MASK => \&Fwmark_Rt_Mask,
GOTO_TARGET => \&Goto_Target,
HASHLIMIT_MATCH => \&Hashlimit_Match,
HELPER_MATCH => \&Helper_Match,

10
Shorewall/Perl/Shorewall/Providers.pm
View File

@ -35,7 +35,7 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
our @EXPORT_OK = qw( initialize lookup_provider );
our $VERSION = '4.4_10';
our $VERSION = '4.4_11';
use constant { LOCAL_TABLE => 255,
MAIN_TABLE => 254,
@ -435,10 +435,12 @@ sub add_a_provider( ) {
}
if ( $mark ne '-' ) {
emit ( "qt \$IP -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
my $mask = have_capability 'FWMARK_RT_MASK' ? "/$globals{PROVIDER_MASK}" : '';
emit ( "run_ip rule add fwmark $mark pref $pref table $number",
"echo \"qt \$IP -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
emit ( "qt \$IP -$family rule del fwmark ${mark}${mask}" ) if $config{DELETE_THEN_ADD};
emit ( "run_ip rule add fwmark ${mark}${mask} pref $pref table $number",
"echo \"qt \$IP -$family rule del fwmark ${mark}${mask}\" >> \${VARDIR}/undo_routing"
);
}

8
Shorewall/Perl/Shorewall/Tc.pm
View File

@ -40,7 +40,7 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( setup_tc );
our @EXPORT_OK = qw( process_tc_rule initialize );
our $VERSION = '4.4_9';
our $VERSION = '4.4_11';
our %tcs = ( T => { chain => 'tcpost',
connmark => 0,
@ -371,8 +371,10 @@ sub process_tc_rule( ) {
my $val = numeric_value( $cmd );
fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val;
my $limit = $globals{TC_MASK};
fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
unless ( have_capability 'FWMARK_RT_MASK' ) {
fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
}
}
}
}

2
Shorewall/lib.base
View File

@ -29,7 +29,7 @@
#
SHOREWALL_LIBVERSION=40407
SHOREWALL_CAPVERSION=40408
SHOREWALL_CAPVERSION=40411
[ -n "${VARDIR:=/var/lib/shorewall}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]

8
Shorewall/lib.cli
View File

@ -1449,6 +1449,10 @@ determine_capabilities() {
exit 1
fi
[ "$IP" = ip -o -z "$IP" ] && IP=$(which ip)
[ -n "$IP" -a -x "$IP" ] || IP=
[ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)
[ -n "$TC" -a -x "$TC" ] || TC=
@ -1500,6 +1504,7 @@ determine_capabilities() {
LOG_TARGET=Yes
PERSISTENT_SNAT=
FLOW_FILTER=
FWMARK_RT_MASK=
chain=fooX$$
@ -1640,6 +1645,7 @@ determine_capabilities() {
qt $IPTABLES -X $chain1
[ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
[ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
CAPVERSION=$SHOREWALL_CAPVERSION
KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
@ -1707,6 +1713,7 @@ report_capabilities() {
report_capability "Persistent SNAT" $PERSISTENT_SNAT
report_capability "TPROXY Target" $TPROXY_TARGET
report_capability "FLOW Classifier" $FLOW_FILTER
report_capability "fwmark route mask" $FWMARK_RT_MASK
fi
[ -n "$PKTTYPE" ] || USEPKTTYPE=
@ -1769,6 +1776,7 @@ report_capabilities1() {
report_capability1 PERSISTENT_SNAT
report_capability1 TPROXY_TARGET
report_capability1 FLOW_FILTER
report_capability1 FWMARK_RT_MASK
echo CAPVERSION=$SHOREWALL_CAPVERSION
echo KERNELVERSION=$KERNELVERSION

14
Shorewall/releasenotes.txt
View File

@ -287,6 +287,20 @@ None.
set to No, packet marks set in the PREROUTING chain are retained in
the FORWARD chains.
As part of this change, a new "fwmark route mask" capability has
been added. If your version of iproute2 supports this capability,
fwmark routing rules may specify a mask to be applied to the mark
prior to comparison with the mark value in the rule. The presence
of this capability allows Shorewall to relax the restriction that
small route marks may not be set in the PREROUTING chain when
HIGH_ROUTE_MARKS is in effect. If you take advantage of this
capability, be sure that you logically OR mark values rather then
simply setting them unless you are able to set both the high and
low bits in the mark in a single rule.
As always when a new capability has been introduced, be sure to
regenerate your capabilities file(s) after installing this release.
----------------------------------------------------------------------------
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
I N P R I O R R E L E A S E S

2
Shorewall6/lib.base
View File

@ -33,7 +33,7 @@
#
SHOREWALL_LIBVERSION=40407
SHOREWALL_CAPVERSION=40408
SHOREWALL_CAPVERSION=40411
[ -n "${VARDIR:=/var/lib/shorewall6}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ]

10
Shorewall6/lib.cli
View File

@ -1190,6 +1190,7 @@ determine_capabilities() {
IPMARK_TARGET=
LOG_TARGET=Yes
FLOW_FILTER=
FWMARK_RT_MASK=
chain=fooX$$
@ -1204,6 +1205,10 @@ determine_capabilities() {
[ -n "$IP" -a -x "$IP" ] || IP=
[ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)
[ -n "$TC" -a -x "$TC" ] || TC=
qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
qt $IP6TABLES -F $chain
@ -1333,7 +1338,8 @@ determine_capabilities() {
qt $IP6TABLES -F $chain1
qt $IP6TABLES -X $chain1
[ -n "$IP" ] && $IP filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
[ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
[ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
CAPVERSION=$SHOREWALL_CAPVERSION
KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
@ -1398,6 +1404,7 @@ report_capabilities() {
report_capability "LOG Target" $LOG_TARGET
report_capability "TPROXY Target" $TPROXY_TARGET
report_capability "FLOW Classifier" $FLOW_FILTER
report_capability "fwmark route mask" $FWMARK_RT_MASK
fi
[ -n "$PKTTYPE" ] || USEPKTTYPE=
@ -1457,6 +1464,7 @@ report_capabilities1() {
report_capability1 LOG_TARGET
report_capability1 TPROXY_TARGET
report_capability1 FLOW_FILTER
report_capability1 FWMARK_RT_MASK
echo CAPVERSION=$SHOREWALL_CAPVERSION
echo KERNELVERSION=$KERNELVERSION