More TPROXY changes

- Combine identical DIVERT chains.
- Add --transparent to -m socket
- Reserve a TPROXY bit in the fwmark

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Config.pm

@@ -4094,9 +4094,10 @@ sub get_configuration( $$$ ) {
 	$globals{ZONE_OFFSET}     = $config{PROVIDER_BITS};
     }
 
-    fatal_error 'Invalid Packet Mark layout' if $config{ZONE_BITS} + $globals{ZONE_OFFSET} > 31;
+    fatal_error 'Invalid Packet Mark layout' if $config{ZONE_BITS} + $globals{ZONE_OFFSET} > 30;
 
     $globals{EXCLUSION_MASK} = 1 << ( $globals{ZONE_OFFSET} + $config{ZONE_BITS} );
+    $globals{TPROXY_MASK}    = $globals{EXCLUSION_MASK} << 1;
     $globals{PROVIDER_MIN}   = 1 << $config{PROVIDER_OFFSET};
 
     $globals{TC_MAX}         = make_mask( $config{TC_BITS} );

Shorewall/Perl/Shorewall/Tc.pm

@@ -169,7 +169,12 @@ my  %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
 		      tcout      => OUTPUT_RESTRICT );
 
 my $family;
-my $divert;
+
+#
+# Variables supporting DIVERT
+#
+my $divert;          #Next chain sequence number
+my %diversions;      #Map of marks -> chains. We use a hash rather than an array because mark values can be huge
 
 #
 # Rather than initializing globals in an INIT block or during declaration,
@@ -182,13 +187,14 @@ my $divert;
 #      able to re-initialize its dependent modules' state.
 #
 sub initialize( $ ) {
-    $family   = shift;
+    $family     = shift;
-    %classids = ();
+    %classids   = ();
-    @tcdevices = ();
+    @tcdevices  = ();
-    %tcdevices = ();
+    %tcdevices  = ();
-    @tcclasses = ();
+    @tcclasses  = ();
-    %tcclasses = ();
+    %tcclasses  = ();
-    @devnums   = ();
+    %diversions = ();
+    @devnums    = ();
     $devnum = 0;
     $sticky = 0;
     $ipp2p  = 0;
@@ -299,6 +305,7 @@ sub process_tc_rule( ) {
 				      },
 		       DIVERT => sub() {
 			                  fatal_error "Invalid DIVERT specification( $cmd/$rest )" if $rest;
+					  fatal_error "DIVERT requires TC_EXPERT=Yes" unless $config{TC_EXPERT};
 
 					  $chain = 'tcpre';
 
@@ -312,16 +319,18 @@ sub process_tc_rule( ) {
 
 					  validate_mark $val . '/' . in_hex( $globals{PROVIDER_MASK} );
 
-					  my $divertref = new_chain( 'mangle', 'DIVERT' . ( $divert ? $divert : '' ) );
+					  my $divertref = $diversions{$val};
-
+					  
-					  $divert++;
+					  unless ( $divertref ) {
-					      
+					      $divertref = $diversions{$val} = new_chain( 'mangle', 'DIVERT' . ( $divert ? $divert : '' ) );
-					  add_ijump( $divertref , j => 'MARK', targetopts => '--set-mark ' . in_hex( $val ) . '/' . in_hex( $globals{PROVIDER_MASK} ) );
+					      $divert++;
-					  add_ijump( $divertref , j => 'ACCEPT' );
+					      add_ijump( $divertref , j => 'MARK', targetopts => '--set-mark ' . in_hex( $val ) . '/' . in_hex( $globals{PROVIDER_MASK} ) );
+					      add_ijump( $divertref , j => 'ACCEPT' );
+					  }
 
 					  $target = $divertref->{name};
 
-					  $matches = '-m socket ';
+					  $matches = '! --tcp-flags FIN,SYN,RST,ACK SYN  -m socket --transparent ';
 				      },					      
 		       TPROXY => sub() {
 			                  require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
@@ -561,7 +570,7 @@ sub process_tc_rule( ) {
 
     if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
 				     $restrictions{$chain} | $restriction,
-				     do_proto( $proto, $ports, $sports) .
+				     do_proto( $proto, $ports, $sports) . $matches .
 				     do_user( $user ) .
 				     do_test( $testval, $globals{TC_MASK} ) .
 				     do_length( $length ) .
@@ -570,8 +579,7 @@ sub process_tc_rule( ) {
 				     do_helper( $helper ) .
 				     do_headers( $headers ) .
 				     do_probability( $probability ) .
-				     do_dscp( $dscp ) . 
+				     do_dscp( $dscp ) ,
-				     $matches ,
 				     $source ,
 				     $dest ,
 				     '' ,