diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt index 1d413f0de..9a2775c35 100644 --- a/Shorewall-common/changelog.txt +++ b/Shorewall-common/changelog.txt @@ -6,6 +6,8 @@ Changes in 4.1.7 3) Allow user exits to detect gateway. +4) Add CONNBYTES column to tcrules. + Changes in 4.1.6 1) Deprecate IMPLICIT_CONTINUE=Yes diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt index 13399fbd3..be1dd312b 100644 --- a/Shorewall-common/releasenotes.txt +++ b/Shorewall-common/releasenotes.txt @@ -106,6 +106,50 @@ New Features in 4.1.7. ETH0_1_GATEWAY=$(uci get /var/state/network.wan0.gateway) +2) A new CONNBYTES column has been added to the tcrules file. The + contents are: + + [!]:[[:{O|R|B}[:{B|P|A}]]] + + ! matches if the the packet/byte count is not within the range + defined by and . + + is an integer which defines the beginning of a byte/packet + range. + + is an integer which defines the end of a byte/packet range. + If omitted, only the beginning of the range is checked. + + The first letter gives the direction which the range refers to: + + O - The original direction of the connection. + R - The opposite direction from the original connection. + B - The total of both directions. + + If omitted, 'B' is assumed. + + The second letter determins what the range refers to. + + B - Bytes + P - Packets + A - Average packet size. + + If omitted, 'B' is assumed. + + Examples: + + 1000000: - Connection has transferred a total of + at least 1,000,000 bytes. + + 1000000::R - Connection has transferred at least + 1,000,000 bytes in the direction opposite + of the original direction (typical of a + large download). + + 1000000::O:P - Connection has sent at least 1,000,000 + packets in the direction of the original + connection. + New Features in Shorewall 4.1. 1) Shorewall 4.1 contains support for multiple Internet providers 
diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm index 358a4054b..509ec051c 100644 --- a/Shorewall-perl/Shorewall/Chains.pm +++ b/Shorewall-perl/Shorewall/Chains.pm @@ -1256,18 +1256,13 @@ sub do_connbytes( $ ) { my $invert = $1 || ''; $invert = '! ' if $invert; my $min = $2 || ''; my $max = $3 || ''; fatal_error "Invalid byte range ($min:$max)" if $max ne '' and $min > $max; - my $dir = $5 || ''; - my $mode = $6 || ''; + my $dir = $5 || 'B'; + my $mode = $6 || 'B'; $dir =~ s/://; $mode =~ s/://; - my $rule = "${invert}-m connbytes $min:$max "; - - $rule .= "--connbytes-dir $dir{$dir} " if $dir; - $rule .= "--connbytes-mode $mode{$mode} " if $mode; - - $rule; + "${invert}-m connbytes $min:$max --connbytes-dir $dir{$dir} --connbytes-mode $mode{$mode} "; } # diff --git a/Shorewall-perl/Shorewall/Tc.pm b/Shorewall-perl/Shorewall/Tc.pm index 6465a7665..98b39c00d 100644 --- a/Shorewall-perl/Shorewall/Tc.pm +++ b/Shorewall-perl/Shorewall/Tc.pm @@ -179,7 +179,7 @@ INIT { initialize; } -sub process_tc_rule( $$$$$$$$$$ ) { +sub process_tc_rule( $$$$$$$$$$$ ) { my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes ) = @_; my $original_mark = $mark; @@ -878,7 +878,7 @@ sub setup_tc() { if ( $mark eq 'COMMENT' ) { process_comment; } else { - process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos + process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos, $connbytes; } }
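Review bot: The `||` defaulting this hunk extends to `$dir` and `$mode` (`my $dir = $5 || 'B';`) is safe for those single-letter captures, but the same idiom on the context line `my $min = $2 || '';` treats a lower bound of `0` as absent, so a range written as `0:1000` would be emitted as `-m connbytes :1000` and the `$min > $max` check would compare an empty string numerically; `my $min = defined $2 ? $2 : '';` keeps the zero (assuming the regex above the hunk, which is not visible here, accepts a leading 0). Now that `--connbytes-dir $dir{$dir}` and `--connbytes-mode $mode{$mode}` are emitted unconditionally, the function depends on `%dir` and `%mode` (declared outside the hunk) containing every letter the regex admits, including the new default `B`; a guard such as `fatal_error "Invalid CONNBYTES direction/mode ($dir:$mode)" unless defined $dir{$dir} && defined $mode{$mode};` turns a missing entry into a compile-time error instead of an iptables rule that fails at load time. A header comment stating the accepted syntax `[!]min[:max[:{O|R|B}[:{B|P|A}]]]` and that direction and mode default to `B` would also help. do_connbytes begins outside the hunk.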
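Review bot: The hand-counted prototype `( $$$$$$$$$$$ )` on `sub process_tc_rule` only enforces arity for calls compiled after the definition and does not validate the values, so each new tcrules column means editing this prototype and every caller's positional list in step. Consider replacing it with an explicit check at the top of the body, `fatal_error "process_tc_rule: expected 11 arguments" unless @_ == 11;`, or passing the columns as a single hashref so an addition such as `$connbytes` cannot silently shift positions. The body of process_tc_rule continues outside the hunk.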
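Review bot: The new `$connbytes` argument is passed straight through, but the point where it is read from the tcrules line (earlier in setup_tc, outside this hunk) is not visible, so it is worth confirming that a rule with fewer columns yields `'-'` rather than `undef`; otherwise every existing ten-column tcrules file would hand `undef` to whatever do_connbytes does with it (its entry is also outside the Chains.pm hunk), which would at best warn and at worst fail compilation. A defensive default at the call site, `process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos, ( defined $connbytes ? $connbytes : '-' );`, keeps older files loading regardless of how the split is done. setup_tc begins outside the hunk.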