Add logical AND and OR capability to tcrules

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4617 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-10-02 17:33:46 +00:00
parent abf556e9d3
commit 5119e64659
4 changed files with 41 additions and 76 deletions

@ -1,3 +1,9 @@
Changes in 3.3.3
1) Fix exclusing in SUBNET column.
2) Add logical AND and OR support for tcrules.
Changes in 3.3.1 Changes in 3.3.1
1) Load the proxyarp lib when 'proxyarp' option is specified. 1) Load the proxyarp lib when 'proxyarp' option is specified.
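Review bot: "exclusing" in the added line "1) Fix exclusing in SUBNET column." should read "exclusion". The new "Changes in 3.3.3" block also sits directly above "Changes in 3.3.1" with no 3.3.2 block between them, while the releasenotes hunk in this same commit documents 3.3.2 fixes and changes; check whether the 3.3.2 changelog entries were never recorded here or were dropped.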

@ -264,15 +264,25 @@ process_tc_rule()
target=RETURN target=RETURN
mark= mark=
;; ;;
OR) \|*)
[ $chain = tcpost ] && fatal_error "Invalid class ID: $mark"
[ -n "$did_connmark" ] && fatal_error "OR not valid with :C[FP]" [ -n "$did_connmark" ] && fatal_error "OR not valid with :C[FP]"
target="MARK --or-mark" target="MARK --or-mark"
mark=${mark#|}
validate_mark $mark validate_mark $mark
if [ $((${mark%/*})) -lt 256 -a $((${mark%/*})) -ne 0 -a -n "$HIGH_ROUTE_MARKS" -a $chain = tcpre ]; then
fatal_error "Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes"
fi
;; ;;
AND) \&*)
[ $chain = tcpost ] && fatal_error "Invalid class ID: $mark"
[ -n "$did_connmark" ] && fatal_error "AND not valid with :C[FP]" [ -n "$did_connmark" ] && fatal_error "AND not valid with :C[FP]"
target="MARK --and-mark" target="MARK --and-mark"
mark=${mark#&}
validate_mark $mark validate_mark $mark
if [ $((${mark%/*})) -lt 256 -a $((${mark%/*})) -ne 0 -a -n "$HIGH_ROUTE_MARKS" -a $chain = tcpre ]; then
fatal_error "Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes"
fi
;; ;;
*) *)
if [ "$chain" != tcpost ]; then if [ "$chain" != tcpost ]; then
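Review bot: the HIGH_ROUTE_MARKS guard copied into the "\&*)" case does not match AND semantics: it rejects values below 256, but an AND value of 256 or more (for example "&0x100", which keeps only bit 8) still clears the high-order routing-mark byte in PREROUTING and passes the check, so the AND case needs a test on which mark bits the value clears rather than on its numeric size. The two new cases otherwise duplicate the same body (tcpost check, did_connmark check, prefix strip, validate_mark, HIGH_ROUTE_MARKS test) differing only in the target and the stripped character; move it into a helper that takes the operator so the two cannot drift apart. Minor: "[ $chain = tcpost ]" leaves $chain unquoted (an empty value makes the test a syntax error) and the "-a" joins in the long test are not portable; quote the variable and chain separate tests with "&&".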

@ -1,4 +1,4 @@
Shorewall 3.3.2 Shorewall 3.3.3
Note to users upgrading from Shorewall 3.0 or 3.2 Note to users upgrading from Shorewall 3.0 or 3.2
@ -31,64 +31,22 @@ Shorewall 3.3.2
Please see the "Migration Considerations" below for additional upgrade Please see the "Migration Considerations" below for additional upgrade
information. information.
Problems Corrected in 3.3.2 Problems Corrected in 3.3.3
1) The 'proxyarp' option in /etc/shorewall/interfaces was not None.
triggering the loading of lib.proxyarp with the result that the
option was ignored unless there were also entries in
/etc/shorewall/proxyarp.
2) If both /etc/shorewall/tcdevices and /etc/shorewall/tcclasses were
empty then the compiler would fail with:
setup_traffic_shaping: command not found
3) Previously, the directory name in the command "shorewall start
<directory name>" was being dropped by "/sbin/shorewall".
4) Previous, when /usr/share/shorewall/xmodules had been copied to
/etc/shorewall/modules, Shorewall was not looking in the correct
directory for the "xt_..." modules. There are two parts to the fix:
- The /usr/share/shorewall/xmodules file has been removed. The
/usr/share/shorewall/modules file will now load all required
modules regardless of which kernel version you are running.
- The MODULESDIR option can now contain a colon-separated list of
directories to search for modules with the default being:
/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
5) Rules in /etc/shorewall/tos which specify zones defined
using entries in /etc/shorewall/hosts applied to all traffic
to/from the zone interfaces (the bridge port, ipset or IP
address(es) in the zone definition were ignored).
6) Previously, 'shorewall-lite dump' did not report traffic shaping
information even if TC_ENABLED was set to Yes or Internal in the
shorewall.conf file used to compile the exported firewall script.
To correct this problem, the firewall script must be recompiled and
re-exported.
Other changes in 3.3.2 Other changes in 3.3.2
1) /usr/share/shorewall/functions has been renamed 1) For users whose kernel and iptables have Extended MARK Target
/usr/share/shorewall/lib.base. It remains symbolically linked by support, it is now possible to logically AND or OR a value into the
its old name so that existing scripts that source this file will current packet mark by preceding the mark value (and optional mask)
continue to work. with an ampersand ("&") or vertical bar ("|") respectively.
2) /usr/share/shorewall/lib.base (formerly /etc/shorewall/functions) Example: To logically OR the value 4 into the mark value for
has been split into two libraries: packets from 192.168.1.1:
- /usr/share/shorewall/lib.base -- code common to all Shorewall #MARK SOURCE
components. This file is also released as part of Shorewall Lite. |4 192.168.1.1
- /usr/share/shorewall/lib.config -- configuration file parsing
code common to /usr/share/shorewall/compiler and
/usr/share/shorewall/firewall.
3) The output of "shorewall show log" and "shorewall logwatch" now
include the name of the log file being accessed.
Migration Considerations: Migration Considerations:
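Review bot: the "Other changes in 3.3.2" heading is left unchanged on the new side although the file header and the "Problems Corrected" heading were both bumped to 3.3.3 and the text beneath it describes the new AND/OR feature; it should read "Other changes in 3.3.3". "Problems Corrected in 3.3.3" is also set to "None." while the changelog hunk in this commit records a SUBNET column exclusion fix for 3.3.3, so one of the two files is wrong. The 3.3.2 "Problems Corrected" and "Other changes" text is removed outright rather than kept under its own 3.3.2 heading, which means users upgrading across both releases lose that information.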

@ -15,13 +15,24 @@
# #
# If you use multiple internet providers with the 'track' option, # If you use multiple internet providers with the 'track' option,
# in /etc/shorewall/providers be sure to read the restrictions at # in /etc/shorewall/providers be sure to read the restrictions at
# http://shorewall.net/Shorewall_and_Routing.html. # http://shorewall.net/MultiISP.html.
# #
# Columns are: # Columns are:
# #
# #
# MARK/ a) A mark value which is an integer in the range 1-255. # MARK/ a) A mark value which is an integer in the range 1-255.
# CLASSIFY # CLASSIFY
# Normally will set the mark value. If preceded by
# a vertical bar ("|"), the mark value will be
# logically ORed with the current mark value to
# produce a new mark value. If preceded by an
# ampersand ("&"), will be logically ANDed with the
# current mark value to produce a new mark value.
#
# Both "|" and "&" require Extended MARK Target
# support in your kernel and iptables; neither may
# be used with connection marks (see below).
#
# If HIGH_ROUTE_MARKS=Yes in shorewall.conf then # If HIGH_ROUTE_MARKS=Yes in shorewall.conf then
# you may also specify a value in the range 0x0100- # you may also specify a value in the range 0x0100-
# 0xFF00 with the low-order byte being zero. Such # 0xFF00 with the low-order byte being zero. Such
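Review bot: the new paragraph on "|" and "&" omits two restrictions the compiler change enforces: both forms are rejected in the POSTROUTING/CLASSIFY context (the compiler hunk issues "Invalid class ID" when the chain is tcpost), and both remain subject to the HIGH_ROUTE_MARKS PREROUTING restriction described in the following paragraph. State both here so users do not first learn of them from a compile-time fatal_error. The URL change from Shorewall_and_Routing.html to MultiISP.html is unrelated to the feature and would be easier to track as its own commit.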
@ -92,26 +103,6 @@
# #
# As in a) above, may be followed by ":P" or ":F". # As in a) above, may be followed by ":P" or ":F".
# #
# d) OR <mark>[/<mask>].
#
# Requires Extended MARK Target support in your kernel
# and iptables.
#
# Logically or the <mark> value into the current
# packet mark.
#
# As in a) above, may be followed by ":P" or ":F".
#
# d) AND <mark>[/<mask>].
#
# Requires Extended MARK Target support in your kernel
# and iptables.
#
# Logically and the <mark> value with the current
# packet mark.
#
# As in a) above, may be followed by ":P" or ":F".
#
# SOURCE Source of the packet. A comma-separated list of # SOURCE Source of the packet. A comma-separated list of
# interface names, IP addresses, MAC addresses and/or # interface names, IP addresses, MAC addresses and/or
# subnets for packets being routed through a common path. # subnets for packets being routed through a common path.
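Review bot: deleting the "OR <mark>" and "AND <mark>" keyword forms of paragraph d) is a syntax break for any existing tcrules entry written that way, because the compiler hunk replaces the "OR)" and "AND)" cases outright and such an entry now falls through to the default "*)" case instead. If the keyword form shipped in any release, add an entry under "Migration Considerations" in releasenotes; if it never shipped, say so in the commit message. The removed block also labelled both the OR and the AND paragraph "d)", which the replacement text in the earlier hunk avoids.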