diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 1ac5038e5..a92ef95b6 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -131,7 +131,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script Exporter::export_ok_tags('internal');
-our $VERSION = '4.4_9';
+our $VERSION = '4.4_11';
 # # describe the current command, it's present progressive, and it's completion.
@@ -249,6 +249,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT', OLD_HL_MATCH => 'Old Hash Limit Match', TPROXY_TARGET => 'TPROXY Target', FLOW_FILTER => 'Flow Classifier',
+ FWMARK_RT_MASK => 'fwmark route mask',
 CAPVERSION => 'Capability Version', KERNELVERSION => 'Kernel Version', );
@@ -342,7 +343,7 @@ sub initialize( $ ) { STATEMATCH => '-m state --state', UNTRACKED => 0, VERSION => "4.4.11-Beta3",
- CAPVERSION => 40408 ,
+ CAPVERSION => 40411 ,
 ); #
@@ -664,6 +665,7 @@ sub initialize( $ ) { PERSISTENT_SNAT => undef, OLD_HL_MATCH => undef, FLOW_FILTER => undef,
+ FWMARK_RT_MASK => undef,
 CAPVERSION => undef, KERNELVERSION => undef, );
@@ -2421,6 +2423,10 @@ sub Flow_Filter() { $tc && system( "$tc filter add flow add help 2>&1 | grep -q ^Usage" ) == 0; }
+sub Fwmark_Rt_Mask() {
+ $tc && system( "$tc rule add help 2>&1 | grep -q /MARK" ) == 0;
+}
+
 our %detect_capability = ( ADDRTYPE => \&Addrtype, CLASSIFY_TARGET => \&Classify_Target,
@@ -2432,6 +2438,7 @@ our %detect_capability = ENHANCED_REJECT => \&Enhanced_Reject, EXMARK => \&Exmark, FLOW_FILTER => \&Flow_Filter,
+ FWMARK_RT_MASK => \&Fwmark_Rt_Mask,
 GOTO_TARGET => \&Goto_Target, HASHLIMIT_MATCH => \&Hashlimit_Match, HELPER_MATCH => \&Helper_Match,
diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index d3d322ecb..eee90e489 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
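Review bot: The new `Fwmark_Rt_Mask` probe in the Config.pm hunk runs `$tc rule add help` and greps for `/MARK`, while the shell detector added to lib.cli in this same commit runs `$IP rule add help` and greps for `/MASK`; `rule` is an `ip` subcommand rather than a `tc` one, and `/MASK` is presumably what the iproute2 usage line (`fwmark MARK[/MASK]`) actually contains, so the Perl-side probe is unlikely ever to succeed. The effect is that the compiler only sees FWMARK_RT_MASK=Yes when it loads a capabilities file generated by the shell code, and a compiler run that detects capabilities itself will silently keep the old restriction and emit unmasked rules. If Config.pm has an `$ip` path variable alongside `$tc` (not visible in this diff), the body should be `$ip && system( "$ip rule add help 2>&1 | grep -q /MASK" ) == 0;` so both detectors agree on binary and pattern.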
@@ -35,7 +35,7 @@ use strict; our @ISA = qw(Exporter); our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces ); our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_10';
+our $VERSION = '4.4_11';
 use constant { LOCAL_TABLE => 255, MAIN_TABLE => 254,
@@ -435,10 +435,12 @@ sub add_a_provider( ) { } if ( $mark ne '-' ) {
- emit ( "qt \$IP -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
+ my $mask = have_capability 'FWMARK_RT_MASK' ? "/$globals{PROVIDER_MASK}" : '';
- emit ( "run_ip rule add fwmark $mark pref $pref table $number",
- "echo \"qt \$IP -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
+ emit ( "qt \$IP -$family rule del fwmark ${mark}${mask}" ) if $config{DELETE_THEN_ADD};
+
+ emit ( "run_ip rule add fwmark ${mark}${mask} pref $pref table $number",
+ "echo \"qt \$IP -$family rule del fwmark ${mark}${mask}\" >> \${VARDIR}/undo_routing"
 ); }
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 7ef6a9e81..08ab45a4e 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -40,7 +40,7 @@ use strict; our @ISA = qw(Exporter); our @EXPORT = qw( setup_tc ); our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = '4.4_9';
+our $VERSION = '4.4_11';
 our %tcs = ( T => { chain => 'tcpost', connmark => 0,
@@ -371,8 +371,10 @@ sub process_tc_rule( ) { my $val = numeric_value( $cmd ); fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val; my $limit = $globals{TC_MASK};
- fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
- if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
+ unless ( have_capability 'FWMARK_RT_MASK' ) {
+ fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
+ if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
+ }
 } } }
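Review bot: `my $mask = have_capability 'FWMARK_RT_MASK' ? "/$globals{PROVIDER_MASK}" : '';` in the add_a_provider hunk only parses as intended if have_capability is declared with a `($)` prototype, which makes it a named unary operator binding tighter than `?:`; its declaration is not in this diff, and as a plain list operator Perl would take the whole ternary as its argument, leaving `$mask` equal to the capability's truth value instead of a `/mask` suffix, so every emitted `ip rule` line would get that value glued onto the mark. Parenthesising the call removes the dependence on the prototype and reads the same either way: `my $mask = have_capability( 'FWMARK_RT_MASK' ) ? "/$globals{PROVIDER_MASK}" : '';`. add_a_provider starts and ends outside the hunk.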
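Review bot: The new `unless ( have_capability 'FWMARK_RT_MASK' )` guard in process_tc_rule drops the low-mark fatal_error with nothing in its place, yet the release notes in this same commit say the relaxation is only safe when the rule ORs the mark rather than sets it, since a plain set overwrites the high route-mark bits that the masked `ip rule` is meant to ignore; nothing in the hunk distinguishes the two cases. At minimum the relaxed branch deserves a why-comment, e.g. `# FWMARK_RT_MASK: routing rules mask off the TC bits, so low marks in PREROUTING/OUTPUT no longer break route selection -- but only if the rule ORs rather than sets the mark (see releasenotes).` If the set-vs-OR form of the command is available at this point (not visible here), a warning for a plain set in tcpre/tcout would make that caveat enforceable rather than documentary. process_tc_rule starts and ends outside the hunk.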
diff --git a/Shorewall/lib.base b/Shorewall/lib.base
index b2d28342c..146e556c4 100644
--- a/Shorewall/lib.base
+++ b/Shorewall/lib.base
@@ -29,7 +29,7 @@ # SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40408
+SHOREWALL_CAPVERSION=40411
 [ -n "${VARDIR:=/var/lib/shorewall}" ] [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
diff --git a/Shorewall/lib.cli b/Shorewall/lib.cli
index cb79c063b..f3020d1a4 100644
--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
@@ -1449,6 +1449,10 @@ determine_capabilities() { exit 1 fi
+ [ "$IP" = ip -o -z "$IP" ] && IP=$(which ip)
+ [ -n "$IP" -a -x "$IP" ] || IP= + [ "$TC" = tc -o -z "$TC" ] && TC=$(which tc) [ -n "$TC" -a -x "$TC" ] || TC=
@@ -1500,6 +1504,7 @@ determine_capabilities() { LOG_TARGET=Yes PERSISTENT_SNAT= FLOW_FILTER=
+ FWMARK_RT_MASK=
 chain=fooX$$
@@ -1640,6 +1645,7 @@ determine_capabilities() { qt $IPTABLES -X $chain1 [ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
+ [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
 CAPVERSION=$SHOREWALL_CAPVERSION KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
@@ -1707,6 +1713,7 @@ report_capabilities() { report_capability "Persistent SNAT" $PERSISTENT_SNAT report_capability "TPROXY Target" $TPROXY_TARGET report_capability "FLOW Classifier" $FLOW_FILTER
+ report_capability "fwmark route mask" $FWMARK_RT_MASK
 fi [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1769,6 +1776,7 @@ report_capabilities1() { report_capability1 PERSISTENT_SNAT report_capability1 TPROXY_TARGET report_capability1 FLOW_FILTER
+ report_capability1 FWMARK_RT_MASK
 echo CAPVERSION=$SHOREWALL_CAPVERSION echo KERNELVERSION=$KERNELVERSION
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index a1c9d47cd..2c549cab4 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -287,6 +287,20 @@ None. set to No, packet marks set in the PREROUTING chain are retained in the FORWARD chains.
+ As part of this change, a new "fwmark route mask" capability has
+ been added. If your version of iproute2 supports this capability,
+ fwmark routing rules may specify a mask to be applied to the mark
+ prior to comparison with the mark value in the rule. The presence
+ of this capability allows Shorewall to relax the restriction that
+ small route marks may not be set in the PREROUTING chain when
+ HIGH_ROUTE_MARKS is in effect. If you take advantage of this
+ capability, be sure that you logically OR mark values rather then
+ simply setting them unless you are able to set both the high and
+ low bits in the mark in a single rule.
+
+ As always when a new capability has been introduced, be sure to
+ regenerate your capabilities file(s) after installing this release.
+
 ---------------------------------------------------------------------------- V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S I N P R I O R R E L E A S E S
diff --git a/Shorewall6/lib.base b/Shorewall6/lib.base
index 41aea3bbd..db604eeaf 100644
--- a/Shorewall6/lib.base
+++ b/Shorewall6/lib.base
@@ -33,7 +33,7 @@ # SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40408
+SHOREWALL_CAPVERSION=40411
 [ -n "${VARDIR:=/var/lib/shorewall6}" ] [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
diff --git a/Shorewall6/lib.cli b/Shorewall6/lib.cli
index 310f7438a..e8e52cc19 100644
--- a/Shorewall6/lib.cli
+++ b/Shorewall6/lib.cli
@@ -1190,6 +1190,7 @@ determine_capabilities() { IPMARK_TARGET= LOG_TARGET=Yes FLOW_FILTER=
+ FWMARK_RT_MASK=
 chain=fooX$$
@@ -1204,6 +1205,10 @@ determine_capabilities() { [ -n "$IP" -a -x "$IP" ] || IP=
+ [ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)
+
+ [ -n "$TC" -a -x "$TC" ] || TC=
+
 qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED= qt $IP6TABLES -F $chain
@@ -1333,7 +1338,8 @@ determine_capabilities() { qt $IP6TABLES -F $chain1 qt $IP6TABLES -X $chain1
- [ -n "$IP" ] && $IP filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
+ [ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
+ [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
 CAPVERSION=$SHOREWALL_CAPVERSION KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
@@ -1398,6 +1404,7 @@ report_capabilities() { report_capability "LOG Target" $LOG_TARGET report_capability "TPROXY Target" $TPROXY_TARGET report_capability "FLOW Classifier" $FLOW_FILTER
+ report_capability "fwmark route mask" $FWMARK_RT_MASK
 fi [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1457,6 +1464,7 @@ report_capabilities1() { report_capability1 LOG_TARGET report_capability1 TPROXY_TARGET report_capability1 FLOW_FILTER
+ report_capability1 FWMARK_RT_MASK
 echo CAPVERSION=$SHOREWALL_CAPVERSION echo KERNELVERSION=$KERNELVERSION