From 5119e646598faf8b5d546d49367890e85d2c13b1 Mon Sep 17 00:00:00 2001 From: teastep Date: Mon, 2 Oct 2006 17:33:46 +0000 Subject: [PATCH] Add logical AND and OR capability to tcrules git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4617 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/changelog.txt | 6 ++++ Shorewall/lib.tcrules | 14 +++++++-- Shorewall/releasenotes.txt | 64 +++++++------------------------------- Shorewall/tcrules | 33 +++++++------------- 4 files changed, 41 insertions(+), 76 deletions(-) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index a41939194..ed4f964ad 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -1,3 +1,9 @@ +Changes in 3.3.3 + +1) Fix exclusing in SUBNET column. + +2) Add logical AND and OR support for tcrules. + Changes in 3.3.1 1) Load the proxyarp lib when 'proxyarp' option is specified. diff --git a/Shorewall/lib.tcrules b/Shorewall/lib.tcrules index 36c9f7657..8cb6cdce3 100644 --- a/Shorewall/lib.tcrules +++ b/Shorewall/lib.tcrules @@ -264,15 +264,25 @@ process_tc_rule() target=RETURN mark= ;; - OR) + \|*) + [ $chain = tcpost ] && fatal_error "Invalid class ID: $mark" [ -n "$did_connmark" ] && fatal_error "OR not valid with :C[FP]" target="MARK --or-mark" + mark=${mark#|} validate_mark $mark + if [ $((${mark%/*})) -lt 256 -a $((${mark%/*})) -ne 0 -a -n "$HIGH_ROUTE_MARKS" -a $chain = tcpre ]; then + fatal_error "Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes" + fi ;; - AND) + \&*) + [ $chain = tcpost ] && fatal_error "Invalid class ID: $mark" [ -n "$did_connmark" ] && fatal_error "AND not valid with :C[FP]" target="MARK --and-mark" + mark=${mark#&} validate_mark $mark + if [ $((${mark%/*})) -lt 256 -a $((${mark%/*})) -ne 0 -a -n "$HIGH_ROUTE_MARKS" -a $chain = tcpre ]; then + fatal_error "Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes" + fi ;; *) if [ "$chain" != tcpost ]; then 
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 76550226a..9f07c21b8 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -1,4 +1,4 @@ -Shorewall 3.3.2 +Shorewall 3.3.3 Note to users upgrading from Shorewall 3.0 or 3.2 
@@ -31,64 +31,22 @@ Shorewall 3.3.2 Please see the "Migration Considerations" below for additional upgrade information. -Problems Corrected in 3.3.2 +Problems Corrected in 3.3.3 -1) The 'proxyarp' option in /etc/shorewall/interfaces was not - triggering the loading of lib.proxyarp with the result that the - option was ignored unless there were also entries in - /etc/shorewall/proxyarp. - -2) If both /etc/shorewall/tcdevices and /etc/shorewall/tcclasses were - empty then the compiler would fail with: - - setup_traffic_shaping: command not found - -3) Previously, the directory name in the command "shorewall start - " was being dropped by "/sbin/shorewall". - -4) Previous, when /usr/share/shorewall/xmodules had been copied to - /etc/shorewall/modules, Shorewall was not looking in the correct - directory for the "xt_..." modules. There are two parts to the fix: - - - The /usr/share/shorewall/xmodules file has been removed. The - /usr/share/shorewall/modules file will now load all required - modules regardless of which kernel version you are running. - - The MODULESDIR option can now contain a colon-separated list of - directories to search for modules with the default being: - - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter - -5) Rules in /etc/shorewall/tos which specify zones defined - using entries in /etc/shorewall/hosts applied to all traffic - to/from the zone interfaces (the bridge port, ipset or IP - address(es) in the zone definition were ignored). - -6) Previously, 'shorewall-lite dump' did not report traffic shaping - information even if TC_ENABLED was set to Yes or Internal in the - shorewall.conf file used to compile the exported firewall script. - - To correct this problem, the firewall script must be recompiled and - re-exported. +None. Other changes in 3.3.2 -1) /usr/share/shorewall/functions has been renamed - /usr/share/shorewall/lib.base. 
It remains symbolically linked by - its old name so that existing scripts that source this file will - continue to work. +1) For users whose kernel and iptables have Extended MARK Target + support, it is now possible to logically AND or OR a value into the + current packet mark by preceding the mark value (and optional mask) + with an ampersand ("&") or vertical bar ("|") respectively. -2) /usr/share/shorewall/lib.base (formerly /etc/shorewall/functions) - has been split into two libraries: + Example: To logically OR the value 4 into the mark value for + packets from 192.168.1.1: - - /usr/share/shorewall/lib.base -- code common to all Shorewall - components. This file is also released as part of Shorewall Lite. - - - /usr/share/shorewall/lib.config -- configuration file parsing - code common to /usr/share/shorewall/compiler and - /usr/share/shorewall/firewall. - -3) The output of "shorewall show log" and "shorewall logwatch" now - include the name of the log file being accessed. + #MARK SOURCE + |4 192.168.1.1 Migration Considerations: diff --git a/Shorewall/tcrules b/Shorewall/tcrules index c0b96a01f..2d5e648bc 100644 --- a/Shorewall/tcrules +++ b/Shorewall/tcrules 
@@ -15,13 +15,24 @@ # # If you use multiple internet providers with the 'track' option, # in /etc/shorewall/providers be sure to read the restrictions at -# http://shorewall.net/Shorewall_and_Routing.html. +# http://shorewall.net/MultiISP.html. # # Columns are: # # # MARK/ a) A mark value which is an integer in the range 1-255. # CLASSIFY +# Normally will set the mark value. If preceded by +# a vertical bar ("|"), the mark value will be +# logically ORed with the current mark value to +# produce a new mark value. If preceded by an +# ampersand ("&"), will be logically ANDed with the +# current mark value to produce a new mark value. +# +# Both "|" and "&" require Extended MARK Target +# support in your kernel and iptables; neither may +# be used with connection marks (see below). +# # If HIGH_ROUTE_MARKS=Yes in shorewall.conf then # you may also specify a value in the range 0x0100- # 0xFF00 with the low-order byte being zero. Such @@ -92,26 +103,6 @@ # # As in a) above, may be followed by ":P" or ":F". # -# d) OR [/]. -# -# Requires Extended MARK Target support in your kernel -# and iptables. -# -# Logically or the value into the current -# packet mark. -# -# As in a) above, may be followed by ":P" or ":F". -# -# d) AND [/]. -# -# Requires Extended MARK Target support in your kernel -# and iptables. -# -# Logically and the value with the current -# packet mark. -# -# As in a) above, may be followed by ":P" or ":F". -# # SOURCE Source of the packet. A comma-separated list of # interface names, IP addresses, MAC addresses and/or # subnets for packets being routed through a common path.
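Review bot: In the lib.tcrules hunk, the new `\|*)` and `\&*)` branches run the tcpost guard before the leading "|" or "&" is stripped from `$mark`, and the guard reuses the message "Invalid class ID: $mark", so a POSTROUTING rule written as `|4` fails with "Invalid class ID: |4" rather than saying that OR/AND marks are not allowed in that chain; a dedicated message such as `fatal_error "AND/OR marks may not be used in the POSTROUTING chain: $mark"` would tell the user what is actually wrong. The HIGH_ROUTE_MARKS test that follows `validate_mark` is pasted verbatim into both branches; a small helper called from both (and from the existing `*)` branch, if it performs the same check) would keep the three paths from drifting apart. Also, `[ $chain = tcpost ]` leaves `$chain` unquoted, whereas the existing `*)` branch writes `"$chain"`; quoting it avoids a `test` syntax error should the variable ever be empty.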
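Review bot: In the changelog hunk, the first entry "Fix exclusing in SUBNET column" has a typo ("exclusion") and refers to a fix that is not part of this patch, which only touches the tcrules AND/OR handling and its documentation; either include that fix here or move the entry to the commit that carries it.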
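Review bot: In the second releasenotes hunk, the heading "Other changes in 3.3.2" is left untouched while "Shorewall 3.3.3" and "Problems Corrected in 3.3.3" are bumped, so the new AND/OR feature is listed under the wrong release; it should read "Other changes in 3.3.3". The item describing the feature also omits the restriction that lib.tcrules enforces with "OR not valid with :C[FP]" / "AND not valid with :C[FP]", namely that "|" and "&" cannot be combined with connection marks; stating that next to the `|4 192.168.1.1` example would save users who copy it from hitting that error.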
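Review bot: In the first tcrules hunk, the new MARK/CLASSIFY column text documents the Extended MARK Target requirement and the connection-mark restriction, but not the rule that lib.tcrules now enforces with `[ $chain = tcpost ] && fatal_error "Invalid class ID: $mark"`, i.e. that a "|" or "&" mark is rejected in the POSTROUTING chain; one sentence saying so would keep the file's documentation in step with the error users will see. Separately, the URL change from Shorewall_and_Routing.html to MultiISP.html is unrelated to the AND/OR feature and is not mentioned in the changelog or commit subject; it would be easier to track as its own commit.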