More TPROXY changes

- Combine identical DIVERT chains.
- Add --transparent to -m socket
- Reserve a TPROXY bit in the fwmark

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-05-10 07:25:07 -07:00
parent 820c965b72
commit 4d4fc315e0
2 changed files with 28 additions and 19 deletions

View File

@ -4094,9 +4094,10 @@ sub get_configuration( $$$ ) {
$globals{ZONE_OFFSET} = $config{PROVIDER_BITS};
}
fatal_error 'Invalid Packet Mark layout' if $config{ZONE_BITS} + $globals{ZONE_OFFSET} > 31;
fatal_error 'Invalid Packet Mark layout' if $config{ZONE_BITS} + $globals{ZONE_OFFSET} > 30;
$globals{EXCLUSION_MASK} = 1 << ( $globals{ZONE_OFFSET} + $config{ZONE_BITS} );
$globals{TPROXY_MASK} = $globals{EXCLUSION_MASK} << 1;
$globals{PROVIDER_MIN} = 1 << $config{PROVIDER_OFFSET};
$globals{TC_MAX} = make_mask( $config{TC_BITS} );

View File

@ -169,7 +169,12 @@ my %restrictions = ( tcpre => PREROUTE_RESTRICT ,
tcout => OUTPUT_RESTRICT );
my $family;
my $divert;
#
# Variables supporting DIVERT
#
my $divert; #Next chain sequence number
my %diversions; #Map of marks -> chains. We use a hash rather than an array because mark values can be huge
#
# Rather than initializing globals in an INIT block or during declaration,
@ -182,13 +187,14 @@ my $divert;
# able to re-initialize its dependent modules' state.
#
sub initialize( $ ) {
$family = shift;
%classids = ();
@tcdevices = ();
%tcdevices = ();
@tcclasses = ();
%tcclasses = ();
@devnums = ();
$family = shift;
%classids = ();
@tcdevices = ();
%tcdevices = ();
@tcclasses = ();
%tcclasses = ();
%diversions = ();
@devnums = ();
$devnum = 0;
$sticky = 0;
$ipp2p = 0;
@ -299,6 +305,7 @@ sub process_tc_rule( ) {
},
DIVERT => sub() {
fatal_error "Invalid DIVERT specification( $cmd/$rest )" if $rest;
fatal_error "DIVERT requires TC_EXPERT=Yes" unless $config{TC_EXPERT};
$chain = 'tcpre';
@ -312,16 +319,18 @@ sub process_tc_rule( ) {
validate_mark $val . '/' . in_hex( $globals{PROVIDER_MASK} );
my $divertref = new_chain( 'mangle', 'DIVERT' . ( $divert ? $divert : '' ) );
my $divertref = $diversions{$val};
$divert++;
add_ijump( $divertref , j => 'MARK', targetopts => '--set-mark ' . in_hex( $val ) . '/' . in_hex( $globals{PROVIDER_MASK} ) );
add_ijump( $divertref , j => 'ACCEPT' );
unless ( $divertref ) {
$divertref = $diversions{$val} = new_chain( 'mangle', 'DIVERT' . ( $divert ? $divert : '' ) );
$divert++;
add_ijump( $divertref , j => 'MARK', targetopts => '--set-mark ' . in_hex( $val ) . '/' . in_hex( $globals{PROVIDER_MASK} ) );
add_ijump( $divertref , j => 'ACCEPT' );
}
$target = $divertref->{name};
$matches = '-m socket ';
$matches = '! --tcp-flags FIN,SYN,RST,ACK SYN -m socket --transparent ';
},
TPROXY => sub() {
require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
@ -561,7 +570,7 @@ sub process_tc_rule( ) {
if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
$restrictions{$chain} | $restriction,
do_proto( $proto, $ports, $sports) .
do_proto( $proto, $ports, $sports) . $matches .
do_user( $user ) .
do_test( $testval, $globals{TC_MASK} ) .
do_length( $length ) .
@ -570,8 +579,7 @@ sub process_tc_rule( ) {
do_helper( $helper ) .
do_headers( $headers ) .
do_probability( $probability ) .
do_dscp( $dscp ) .
$matches ,
do_dscp( $dscp ) ,
$source ,
$dest ,
'' ,