Add FWMARK_RT_MASK capability.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2010-07-04 09:08:04 -07:00
parent d3e30b5fe4
commit 2ee4fd8f5a
8 changed files with 53 additions and 12 deletions


@ -131,7 +131,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
Exporter::export_ok_tags('internal'); Exporter::export_ok_tags('internal');
our $VERSION = '4.4_9'; our $VERSION = '4.4_11';
# #
# describe the current command, it's present progressive, and it's completion. # describe the current command, it's present progressive, and it's completion.
@ -249,6 +249,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
OLD_HL_MATCH => 'Old Hash Limit Match', OLD_HL_MATCH => 'Old Hash Limit Match',
TPROXY_TARGET => 'TPROXY Target', TPROXY_TARGET => 'TPROXY Target',
FLOW_FILTER => 'Flow Classifier', FLOW_FILTER => 'Flow Classifier',
FWMARK_RT_MASK => 'fwmark route mask',
CAPVERSION => 'Capability Version', CAPVERSION => 'Capability Version',
KERNELVERSION => 'Kernel Version', KERNELVERSION => 'Kernel Version',
); );
@ -342,7 +343,7 @@ sub initialize( $ ) {
STATEMATCH => '-m state --state', STATEMATCH => '-m state --state',
UNTRACKED => 0, UNTRACKED => 0,
VERSION => "4.4.11-Beta3", VERSION => "4.4.11-Beta3",
CAPVERSION => 40408 , CAPVERSION => 40411 ,
); );
# #
@ -664,6 +665,7 @@ sub initialize( $ ) {
PERSISTENT_SNAT => undef, PERSISTENT_SNAT => undef,
OLD_HL_MATCH => undef, OLD_HL_MATCH => undef,
FLOW_FILTER => undef, FLOW_FILTER => undef,
FWMARK_RT_MASK => undef,
CAPVERSION => undef, CAPVERSION => undef,
KERNELVERSION => undef, KERNELVERSION => undef,
); );
@ -2421,6 +2423,10 @@ sub Flow_Filter() {
$tc && system( "$tc filter add flow add help 2>&1 | grep -q ^Usage" ) == 0; $tc && system( "$tc filter add flow add help 2>&1 | grep -q ^Usage" ) == 0;
} }
sub Fwmark_Rt_Mask() {
$tc && system( "$tc rule add help 2>&1 | grep -q /MARK" ) == 0;
}
our %detect_capability = our %detect_capability =
( ADDRTYPE => \&Addrtype, ( ADDRTYPE => \&Addrtype,
CLASSIFY_TARGET => \&Classify_Target, CLASSIFY_TARGET => \&Classify_Target,
@ -2432,6 +2438,7 @@ our %detect_capability =
ENHANCED_REJECT => \&Enhanced_Reject, ENHANCED_REJECT => \&Enhanced_Reject,
EXMARK => \&Exmark, EXMARK => \&Exmark,
FLOW_FILTER => \&Flow_Filter, FLOW_FILTER => \&Flow_Filter,
FWMARK_RT_MASK => \&Fwmark_Rt_Mask,
GOTO_TARGET => \&Goto_Target, GOTO_TARGET => \&Goto_Target,
HASHLIMIT_MATCH => \&Hashlimit_Match, HASHLIMIT_MATCH => \&Hashlimit_Match,
HELPER_MATCH => \&Helper_Match, HELPER_MATCH => \&Helper_Match,
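Review bot: The new `Fwmark_Rt_Mask()` probe does not match the shell-side detection this commit adds in the two `functions` files: it runs `$tc rule add help` and greps for `/MARK`, whereas the shell versions run `$IP rule add help` and grep for `/MASK`. `rule` is an ip subcommand, not a tc one, so the Perl probe looks unlikely ever to report the capability, and the compiled-capabilities path would then disagree with a shell-generated capabilities file — the `FWMARK_RT_MASK` consumers in the Providers.pm and Tc.pm hunks would emit masked rules in one case and unmasked ones in the other. The probe should mirror the shell: `$ip && system( "$ip rule add help 2>&1 | grep -q /MASK" ) == 0;`, assuming Config.pm resolves an `ip` binary path the way it resolves `$tc`; if it does not, that lookup needs adding alongside it. The `%detect_capability` hash continues outside the hunk.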


@ -35,7 +35,7 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces ); our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
our @EXPORT_OK = qw( initialize lookup_provider ); our @EXPORT_OK = qw( initialize lookup_provider );
our $VERSION = '4.4_10'; our $VERSION = '4.4_11';
use constant { LOCAL_TABLE => 255, use constant { LOCAL_TABLE => 255,
MAIN_TABLE => 254, MAIN_TABLE => 254,
@ -435,10 +435,12 @@ sub add_a_provider( ) {
} }
if ( $mark ne '-' ) { if ( $mark ne '-' ) {
emit ( "qt \$IP -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD}; my $mask = have_capability 'FWMARK_RT_MASK' ? "/$globals{PROVIDER_MASK}" : '';
emit ( "run_ip rule add fwmark $mark pref $pref table $number", emit ( "qt \$IP -$family rule del fwmark ${mark}${mask}" ) if $config{DELETE_THEN_ADD};
"echo \"qt \$IP -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
emit ( "run_ip rule add fwmark ${mark}${mask} pref $pref table $number",
"echo \"qt \$IP -$family rule del fwmark ${mark}${mask}\" >> \${VARDIR}/undo_routing"
); );
} }
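Review bot: The unparenthesized `have_capability 'FWMARK_RT_MASK' ? "/$globals{PROVIDER_MASK}" : ''` on the new `my $mask` line parses as intended only if `have_capability` is declared with a `($)` prototype (the file's `sub initialize( $ )` style suggests it is); under a plain list-operator parse the whole ternary becomes the argument and `$mask` would get the capability lookup's result instead of the string. Writing `my $mask = have_capability( 'FWMARK_RT_MASK' ) ? "/$globals{PROVIDER_MASK}" : '';` removes the dependence on the prototype and matches the parenthesized form the Tc.pm hunk uses. The enclosing `add_a_provider` starts and ends outside the hunk.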


@ -40,7 +40,7 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( setup_tc ); our @EXPORT = qw( setup_tc );
our @EXPORT_OK = qw( process_tc_rule initialize ); our @EXPORT_OK = qw( process_tc_rule initialize );
our $VERSION = '4.4_9'; our $VERSION = '4.4_11';
our %tcs = ( T => { chain => 'tcpost', our %tcs = ( T => { chain => 'tcpost',
connmark => 0, connmark => 0,
@ -371,8 +371,10 @@ sub process_tc_rule( ) {
my $val = numeric_value( $cmd ); my $val = numeric_value( $cmd );
fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val; fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val;
my $limit = $globals{TC_MASK}; my $limit = $globals{TC_MASK};
fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes" unless ( have_capability 'FWMARK_RT_MASK' ) {
if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit; fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
}
} }
} }
} }
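Review bot: The new `unless ( have_capability 'FWMARK_RT_MASK' )` guard silently drops a fatal check without saying why that is safe, and a reader of this file alone cannot see the reason, which lives in the Providers.pm hunk (the provider rules now carry `/$globals{PROVIDER_MASK}`) and in the release note. A one-line comment above the guard would keep that link, e.g. `# With FWMARK_RT_MASK the provider routing rules mask off the TC bits, so low marks set here no longer collide with route marks.` The enclosing `process_tc_rule` starts and ends outside the hunk.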


@ -29,7 +29,7 @@
# #
SHOREWALL_LIBVERSION=40407 SHOREWALL_LIBVERSION=40407
SHOREWALL_CAPVERSION=40408 SHOREWALL_CAPVERSION=40411
[ -n "${VARDIR:=/var/lib/shorewall}" ] [ -n "${VARDIR:=/var/lib/shorewall}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall}" ] [ -n "${SHAREDIR:=/usr/share/shorewall}" ]


@ -1449,6 +1449,10 @@ determine_capabilities() {
exit 1 exit 1
fi fi
[ "$IP" = ip -o -z "$IP" ] && IP=$(which ip)
[ -n "$IP" -a -x "$IP" ] || IP=
[ "$TC" = tc -o -z "$TC" ] && TC=$(which tc) [ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)
[ -n "$TC" -a -x "$TC" ] || TC= [ -n "$TC" -a -x "$TC" ] || TC=
@ -1500,6 +1504,7 @@ determine_capabilities() {
LOG_TARGET=Yes LOG_TARGET=Yes
PERSISTENT_SNAT= PERSISTENT_SNAT=
FLOW_FILTER= FLOW_FILTER=
FWMARK_RT_MASK=
chain=fooX$$ chain=fooX$$
@ -1640,6 +1645,7 @@ determine_capabilities() {
qt $IPTABLES -X $chain1 qt $IPTABLES -X $chain1
[ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes [ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
[ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
CAPVERSION=$SHOREWALL_CAPVERSION CAPVERSION=$SHOREWALL_CAPVERSION
KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g')) KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
@ -1707,6 +1713,7 @@ report_capabilities() {
report_capability "Persistent SNAT" $PERSISTENT_SNAT report_capability "Persistent SNAT" $PERSISTENT_SNAT
report_capability "TPROXY Target" $TPROXY_TARGET report_capability "TPROXY Target" $TPROXY_TARGET
report_capability "FLOW Classifier" $FLOW_FILTER report_capability "FLOW Classifier" $FLOW_FILTER
report_capability "fwmark route mask" $FWMARK_RT_MASK
fi fi
[ -n "$PKTTYPE" ] || USEPKTTYPE= [ -n "$PKTTYPE" ] || USEPKTTYPE=
@ -1769,6 +1776,7 @@ report_capabilities1() {
report_capability1 PERSISTENT_SNAT report_capability1 PERSISTENT_SNAT
report_capability1 TPROXY_TARGET report_capability1 TPROXY_TARGET
report_capability1 FLOW_FILTER report_capability1 FLOW_FILTER
report_capability1 FWMARK_RT_MASK
echo CAPVERSION=$SHOREWALL_CAPVERSION echo CAPVERSION=$SHOREWALL_CAPVERSION
echo KERNELVERSION=$KERNELVERSION echo KERNELVERSION=$KERNELVERSION
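Review bot: The new `FWMARK_RT_MASK=Yes` probe decides the capability by grepping ip's usage text for the literal `/MASK`, and nothing records that the token is deliberate; with the Perl side grepping `/MARK`, the two are easy to mistake for a typo of each other. A comment on the probe line would pin it down, e.g. `# fwmark masks are detected by the "/MASK" token in 'ip rule add help' output`. The same probe line appears in the shorewall6 functions section below, where the same comment applies. The enclosing `determine_capabilities()` starts and ends outside the hunk.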


@ -287,6 +287,20 @@ None.
set to No, packet marks set in the PREROUTING chain are retained in set to No, packet marks set in the PREROUTING chain are retained in
the FORWARD chains. the FORWARD chains.
As part of this change, a new "fwmark route mask" capability has
been added. If your version of iproute2 supports this capability,
fwmark routing rules may specify a mask to be applied to the mark
prior to comparison with the mark value in the rule. The presence
of this capability allows Shorewall to relax the restriction that
small route marks may not be set in the PREROUTING chain when
HIGH_ROUTE_MARKS is in effect. If you take advantage of this
capability, be sure that you logically OR mark values rather then
simply setting them unless you are able to set both the high and
low bits in the mark in a single rule.
As always when a new capability has been introduced, be sure to
regenerate your capabilities file(s) after installing this release.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
I N P R I O R R E L E A S E S I N P R I O R R E L E A S E S


@ -33,7 +33,7 @@
# #
SHOREWALL_LIBVERSION=40407 SHOREWALL_LIBVERSION=40407
SHOREWALL_CAPVERSION=40408 SHOREWALL_CAPVERSION=40411
[ -n "${VARDIR:=/var/lib/shorewall6}" ] [ -n "${VARDIR:=/var/lib/shorewall6}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ] [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]


@ -1190,6 +1190,7 @@ determine_capabilities() {
IPMARK_TARGET= IPMARK_TARGET=
LOG_TARGET=Yes LOG_TARGET=Yes
FLOW_FILTER= FLOW_FILTER=
FWMARK_RT_MASK=
chain=fooX$$ chain=fooX$$
@ -1204,6 +1205,10 @@ determine_capabilities() {
[ -n "$IP" -a -x "$IP" ] || IP= [ -n "$IP" -a -x "$IP" ] || IP=
[ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)
[ -n "$TC" -a -x "$TC" ] || TC=
qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED= qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
qt $IP6TABLES -F $chain qt $IP6TABLES -F $chain
@ -1333,7 +1338,8 @@ determine_capabilities() {
qt $IP6TABLES -F $chain1 qt $IP6TABLES -F $chain1
qt $IP6TABLES -X $chain1 qt $IP6TABLES -X $chain1
[ -n "$IP" ] && $IP filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes [ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
[ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
CAPVERSION=$SHOREWALL_CAPVERSION CAPVERSION=$SHOREWALL_CAPVERSION
KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g')) KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
@ -1398,6 +1404,7 @@ report_capabilities() {
report_capability "LOG Target" $LOG_TARGET report_capability "LOG Target" $LOG_TARGET
report_capability "TPROXY Target" $TPROXY_TARGET report_capability "TPROXY Target" $TPROXY_TARGET
report_capability "FLOW Classifier" $FLOW_FILTER report_capability "FLOW Classifier" $FLOW_FILTER
report_capability "fwmark route mask" $FWMARK_RT_MASK
fi fi
[ -n "$PKTTYPE" ] || USEPKTTYPE= [ -n "$PKTTYPE" ] || USEPKTTYPE=
@ -1457,6 +1464,7 @@ report_capabilities1() {
report_capability1 LOG_TARGET report_capability1 LOG_TARGET
report_capability1 TPROXY_TARGET report_capability1 TPROXY_TARGET
report_capability1 FLOW_FILTER report_capability1 FLOW_FILTER
report_capability1 FWMARK_RT_MASK
echo CAPVERSION=$SHOREWALL_CAPVERSION echo CAPVERSION=$SHOREWALL_CAPVERSION
echo KERNELVERSION=$KERNELVERSION echo KERNELVERSION=$KERNELVERSION