From d838cf41bf752a873ec9ed97eba9bed3f9b854ca Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Tue, 28 Aug 2012 11:45:32 -0700
Subject: [PATCH] Allow TTL and HL in the PREROUTING chain.
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Tc.pm | 21 +++++++++++++++++----
 Shorewall/manpages/shorewall-tcrules.xml | 14 ++++++++++----
 Shorewall6/manpages/shorewall6-tcrules.xml | 22 ++++++++++++++--------
 3 files changed, 41 insertions(+), 16 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 095be3fd4..8ac2140dc 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -384,10 +384,16 @@ sub process_tc_rule( ) {
 TTL => sub() {
 fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
 fatal_error "Invalid TTL specification( $cmd/$rest )" if $rest;
- fatal_error "Chain designator $designator not allowed with TTL" if $designator && ! ( $designator eq 'F' );
- $chain = 'tcfor';
+ if ( $designator ) {
+ if ( $designator eq 'P' ) {
+ $chain = 'tcpre';
+ } else {
+ fatal_error "Chain designator $designator not allowed with TTL" if $designator ne 'F';
+ }
+ }
+
 $cmd =~ /^TTL\(([-+]?\d+)\)$/;
 my $param = $1;
@@ -405,10 +411,17 @@ sub process_tc_rule( ) {
 HL => sub() {
 fatal_error "HL is not supported in IPv4 - use TTL instead" if $family == F_IPV4;
 fatal_error "Invalid HL specification( $cmd/$rest )" if $rest;
- fatal_error "Chain designator $designator not allowed with HL" if $designator && ! ( $designator eq 'F' );
- $chain = 'tcfor';
+
+ if ( $designator ) {
+ if ( $designator eq 'P' ) {
+ $chain = 'tcpre';
+ } else {
+ fatal_error "Chain designator $designator not allowed with HL" if $designator ne 'F';
+ }
+ }
+
 $cmd =~ /^HL\(([-+]?\d+)\)$/;
 my $param = $1;
diff --git a/Shorewall/manpages/shorewall-tcrules.xml b/Shorewall/manpages/shorewall-tcrules.xml
index 424401891..e43ce44d5 100644
--- a/Shorewall/manpages/shorewall-tcrules.xml
+++ b/Shorewall/manpages/shorewall-tcrules.xml
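Review bot: Both the TTL and the HL hunk drop the unconditional `$chain = 'tcfor';` but only assign `$chain` when the designator is `P`, so an undesignated or `:F` rule now leaves `$chain` at whatever value it held before this closure runs, which the hunk does not show; unless an earlier assignment in process_tc_rule already makes that `tcfor`, such rules will no longer land in the FORWARD chain that the accompanying manpage text still promises. A flatter shape states the intent and keeps the old default explicitly: `fatal_error "Chain designator $designator not allowed with TTL" if $designator && $designator ne 'F' && $designator ne 'P';` followed by `$chain = ( $designator && $designator eq 'P' ) ? 'tcpre' : 'tcfor';`, with the same two lines reading HL in the second hunk. process_tc_rule and the dispatch table these closures belong to start and end outside both hunks.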
@@ -515,11 +515,17 @@ SAME $FW 0.0.0.0/0 tcp 80,443 role="bold">-|+]number) - Added in Shorewall 4.4.24. May be option followed by + Added in Shorewall 4.4.24. + + Prior to Shorewall 4.5.7.2, may be optionally followed by :F but the resulting rule is - always added to the FORWARD chain. If + is included, packets matching the rule - will have their TTL incremented by + always added to the FORWARD chain. Beginning with Shorewall + 4.5.7.s, it may be optionally followed by :P, in which case the rule is added to + the PREROUTING chain. + + If + is included, packets + matching the rule will have their TTL incremented by number. Similarly, if - is included, matching packets have their TTL decremented by number. If
diff --git a/Shorewall6/manpages/shorewall6-tcrules.xml b/Shorewall6/manpages/shorewall6-tcrules.xml
index 35c26217f..ee9914405 100644
--- a/Shorewall6/manpages/shorewall6-tcrules.xml
+++ b/Shorewall6/manpages/shorewall6-tcrules.xml
@@ -411,15 +411,21 @@ SAME $FW 0.0.0.0/0 tcp 80,443 role="bold">-|+]number) - Added in Shorewall 4.4.24. May be option followed by + Added in Shorewall 4.4.24. + + Prior to Shorewall 4.5.7.2, may be optionally followed by :F but the resulting rule is - always added to the FORWARD chain. If + is included, packets matching the rule - will have their HL (hop limit) incremented by - number. Similarly, if - is included, matching packets have - their HL decremented by number. If - neither + nor :P, in which case the rule is added to + the PREROUTING chain. + + If + is included, + packets matching the rule will have their HL (hop limit) + incremented by number. Similarly, if + - is included, matching packets + have their HL decremented by number. + If neither + nor - is given, the HL of matching packets is set to number. The valid range of values for number is 1-255.