Add DIVERT action to tcrules.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-05-09 09:41:58 -07:00
parent 6639b3534e
commit 582d025f58
5 changed files with 83 additions and 2 deletions


@ -806,7 +806,7 @@ sub transform_rule( $ ) {
}
}
set_rule_option( $ruleref, $option, $params ) unless $params eq '';
set_rule_option( $ruleref, $option, $params );
}
$ruleref->{simple} = $simple;
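Review bot: The `unless $params eq ''` guard on the set_rule_option call is removed without a comment saying why an option with an empty parameter string must now be recorded rather than skipped. If the unguarded call is the new side (the old-before-new print order suggests so), this is presumably what lets a parameterless match such as the `-m socket ` string that the DIVERT handler emits elsewhere in this commit reach the rule instead of being dropped; a one-line comment like `# record options with no parameters too (e.g. '-m socket')` above the call would make that intent explicit for the next reader. transform_rule's body begins and ends outside this hunk, so whether `$params` can otherwise be undefined here is not visible.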


@ -169,6 +169,7 @@ my %restrictions = ( tcpre => PREROUTE_RESTRICT ,
tcout => OUTPUT_RESTRICT );
my $family;
my $divert;
#
# Rather than initializing globals in an INIT block or during declaration,
@ -191,6 +192,7 @@ sub initialize( $ ) {
$devnum = 0;
$sticky = 0;
$ipp2p = 0;
$divert = 0;
}
sub process_tc_rule( ) {
@ -242,6 +244,7 @@ sub process_tc_rule( ) {
my $restriction = 0;
my $cmd;
my $rest;
my $matches = '';
my %processtcc = ( sticky => sub() {
if ( $chain eq 'tcout' ) {
@ -294,6 +297,32 @@ sub process_tc_rule( ) {
$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
},
DIVERT => sub() {
fatal_error "Invalid DIVERT specification( $cmd/$rest )" if $rest;
$chain = 'tcpre';
$cmd =~ /DIVERT\((.+?)\)$/;
$mark = $1;
fatal_error "Invalid DIVERT specification( $cmd )" unless defined $mark;
my $val = numeric_value( $mark );
validate_mark $val . '/' . in_hex( $globals{PROVIDER_MASK} );
my $divertref = new_chain( 'mangle', 'DIVERT' . ( $divert ? $divert : '' ) );
$divert++;
add_ijump( $divertref , j => 'MARK', targetopts => '--set-mark ' . in_hex( $val ) . '/' . in_hex( $globals{PROVIDER_MASK} ) );
add_ijump( $divertref , j => 'ACCEPT' );
$target = $divertref->{name};
$matches = '-m socket ';
},
TPROXY => sub() {
require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
@ -539,7 +568,8 @@ sub process_tc_rule( ) {
do_helper( $helper ) .
do_headers( $headers ) .
do_probability( $probability ) .
do_dscp( $dscp ),
do_dscp( $dscp ) .
$matches ,
$source ,
$dest ,
'' ,
@ -2002,6 +2032,11 @@ sub setup_tc() {
mark => HIGHMARK,
mask => '',
connmark => '' },
{ match => sub( $ ) { $_[0] =~ /^DIVERT/ },
target => 'DIVERT',
mark => HIGHMARK,
mask => '',
connmark => '' },
{ match => sub( $ ) { $_[0] =~ /^TTL/ },
target => 'TTL',
mark => NOMARK,
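Review bot: In the DIVERT handler, `$cmd =~ /DIVERT\((.+?)\)$/;` discards the match result and then reads `$1`, so when the regex fails `$1` still holds the capture from whatever regex last succeeded in scope and the `defined $mark` check on the following line cannot reliably reject a malformed specification such as `DIVERT` or `DIVERT(`. Test the match itself and anchor the keyword, e.g. `fatal_error "Invalid DIVERT specification( $cmd )" unless $cmd =~ /^DIVERT\((.+?)\)$/;` followed by `$mark = $1;`, which also matches the `/^DIVERT/` prefix the dispatch entry in the setup_tc hunk relies on. Whether the sibling handlers use the same unchecked-capture pattern cannot be told from this hunk; only the DIVERT entry is visible. process_tc_rule's body runs across several hunks and the enclosing %processtcc closure table starts and ends outside this one.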


@ -407,6 +407,19 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
classes will have a value &gt; 256.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">DIVERT</emphasis>(<replaceable>mark</replaceable>)</para>
<para>Added in Shorewall 4.5.3. A DIVERT rule should preceed
each TPROXY rule and should specify the same
<replaceable>mark</replaceable> value. DIVERT avoids sending
packets to the TPROXY target once a socket connection to Squid3
has been established by TPROXY. DIVERT marks the packet with the
specified <replaceable>mark</replaceable> and exempts it from
any rules that follow.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[/<replaceable>mask</replaceable>][,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para>
@ -438,6 +451,12 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
request arrives.</para>
</listitem>
</itemizedlist>
<note>
<para>A DIVERT rule specifying the same
<replaceable>mark</replaceable> value and other column values
should preceed each TPROXY rule.</para>
</note>
</listitem>
<listitem>


@ -304,6 +304,19 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
simply include COMMENT on a line by itself.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">DIVERT</emphasis>(<replaceable>mark</replaceable>)</para>
<para>Added in Shorewall 4.5.3. A DIVERT rule should preceed
each TPROXY rule and should specify the same
<replaceable>mark</replaceable> value. DIVERT avoids sending
packets to the TPROXY target once a socket connection to Squid3
has been established by TPROXY. DIVERT marks the packet with the
specified <replaceable>mark</replaceable> and exempts it from
any rules that follow.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[/<replaceable>mask</replaceable>][,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para>
@ -335,6 +348,12 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
request arrives.</para>
</listitem>
</itemizedlist>
<note>
<para>A DIVERT rule specifying the same
<replaceable>mark</replaceable> value and other column values
should preceed each TPROXY rule.</para>
</note>
</listitem>
<listitem>


@ -336,8 +336,16 @@ Tproxy 1 1 - lo - local</programlis
eth1):</para>
<programlisting>MARK SOURCE DEST PROTO PORT(S)
DIVERT(1) eth1 0.0.0.0/0 tcp 80
TPROXY(1,3128) eth1 0.0.0.0/0 tcp 80</programlisting>
<note>
<para>The DIVERT action was added in Shorewall 4.5.3; user's running
earlier versions of Shorewall will need to use the <ulink
url="extension_scripts.htm">start extension script</ulink> to add the
DIVERT logic mentioned in the Squid article linked above.</para>
</note>
<para>/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)