mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-23 06:38:53 +01:00
Add DIVERT action to tcrules.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
6639b3534e
commit
582d025f58
@ -806,7 +806,7 @@ sub transform_rule( $ ) {
|
||||
}
|
||||
}
|
||||
|
||||
set_rule_option( $ruleref, $option, $params ) unless $params eq '';
|
||||
set_rule_option( $ruleref, $option, $params );
|
||||
}
|
||||
|
||||
$ruleref->{simple} = $simple;
|
||||
|
@ -169,6 +169,7 @@ my %restrictions = ( tcpre => PREROUTE_RESTRICT ,
|
||||
tcout => OUTPUT_RESTRICT );
|
||||
|
||||
my $family;
|
||||
my $divert;
|
||||
|
||||
#
|
||||
# Rather than initializing globals in an INIT block or during declaration,
|
||||
@ -191,6 +192,7 @@ sub initialize( $ ) {
|
||||
$devnum = 0;
|
||||
$sticky = 0;
|
||||
$ipp2p = 0;
|
||||
$divert = 0;
|
||||
}
|
||||
|
||||
sub process_tc_rule( ) {
|
||||
@ -242,6 +244,7 @@ sub process_tc_rule( ) {
|
||||
my $restriction = 0;
|
||||
my $cmd;
|
||||
my $rest;
|
||||
my $matches = '';
|
||||
|
||||
my %processtcc = ( sticky => sub() {
|
||||
if ( $chain eq 'tcout' ) {
|
||||
@ -294,6 +297,32 @@ sub process_tc_rule( ) {
|
||||
|
||||
$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
|
||||
},
|
||||
DIVERT => sub() {
|
||||
fatal_error "Invalid DIVERT specification( $cmd/$rest )" if $rest;
|
||||
|
||||
$chain = 'tcpre';
|
||||
|
||||
$cmd =~ /DIVERT\((.+?)\)$/;
|
||||
|
||||
$mark = $1;
|
||||
|
||||
fatal_error "Invalid DIVERT specification( $cmd )" unless defined $mark;
|
||||
|
||||
my $val = numeric_value( $mark );
|
||||
|
||||
validate_mark $val . '/' . in_hex( $globals{PROVIDER_MASK} );
|
||||
|
||||
my $divertref = new_chain( 'mangle', 'DIVERT' . ( $divert ? $divert : '' ) );
|
||||
|
||||
$divert++;
|
||||
|
||||
add_ijump( $divertref , j => 'MARK', targetopts => '--set-mark ' . in_hex( $val ) . '/' . in_hex( $globals{PROVIDER_MASK} ) );
|
||||
add_ijump( $divertref , j => 'ACCEPT' );
|
||||
|
||||
$target = $divertref->{name};
|
||||
|
||||
$matches = '-m socket ';
|
||||
},
|
||||
TPROXY => sub() {
|
||||
require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
|
||||
|
||||
@ -539,7 +568,8 @@ sub process_tc_rule( ) {
|
||||
do_helper( $helper ) .
|
||||
do_headers( $headers ) .
|
||||
do_probability( $probability ) .
|
||||
do_dscp( $dscp ),
|
||||
do_dscp( $dscp ) .
|
||||
$matches ,
|
||||
$source ,
|
||||
$dest ,
|
||||
'' ,
|
||||
@ -2002,6 +2032,11 @@ sub setup_tc() {
|
||||
mark => HIGHMARK,
|
||||
mask => '',
|
||||
connmark => '' },
|
||||
{ match => sub( $ ) { $_[0] =~ /^DIVERT/ },
|
||||
target => 'DIVERT',
|
||||
mark => HIGHMARK,
|
||||
mask => '',
|
||||
connmark => '' },
|
||||
{ match => sub( $ ) { $_[0] =~ /^TTL/ },
|
||||
target => 'TTL',
|
||||
mark => NOMARK,
|
||||
|
@ -407,6 +407,19 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
classes will have a value > 256.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis
|
||||
role="bold">DIVERT</emphasis>(<replaceable>mark</replaceable>)</para>
|
||||
|
||||
<para>Added in Shorewall 4.5.3. A DIVERT rule should preceed
|
||||
each TPROXY rule and should specify the same
|
||||
<replaceable>mark</replaceable> value. DIVERT avoids sending
|
||||
packets to the TPROXY target once a socket connection to Squid3
|
||||
has been established by TPROXY. DIVERT marks the packet with the
|
||||
specified <replaceable>mark</replaceable> and exempts it from
|
||||
any rules that follow.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis
|
||||
role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[/<replaceable>mask</replaceable>][,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para>
|
||||
@ -438,6 +451,12 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
request arrives.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<note>
|
||||
<para>A DIVERT rule specifying the same
|
||||
<replaceable>mark</replaceable> value and other column values
|
||||
should preceed each TPROXY rule.</para>
|
||||
</note>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
@ -304,6 +304,19 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
simply include COMMENT on a line by itself.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis
|
||||
role="bold">DIVERT</emphasis>(<replaceable>mark</replaceable>)</para>
|
||||
|
||||
<para>Added in Shorewall 4.5.3. A DIVERT rule should preceed
|
||||
each TPROXY rule and should specify the same
|
||||
<replaceable>mark</replaceable> value. DIVERT avoids sending
|
||||
packets to the TPROXY target once a socket connection to Squid3
|
||||
has been established by TPROXY. DIVERT marks the packet with the
|
||||
specified <replaceable>mark</replaceable> and exempts it from
|
||||
any rules that follow.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis
|
||||
role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[/<replaceable>mask</replaceable>][,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para>
|
||||
@ -335,6 +348,12 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
request arrives.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<note>
|
||||
<para>A DIVERT rule specifying the same
|
||||
<replaceable>mark</replaceable> value and other column values
|
||||
should preceed each TPROXY rule.</para>
|
||||
</note>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
@ -336,8 +336,16 @@ Tproxy 1 1 - lo - local</programlis
|
||||
eth1):</para>
|
||||
|
||||
<programlisting>MARK SOURCE DEST PROTO PORT(S)
|
||||
DIVERT(1) eth1 0.0.0.0/0 tcp 80
|
||||
TPROXY(1,3128) eth1 0.0.0.0/0 tcp 80</programlisting>
|
||||
|
||||
<note>
|
||||
<para>The DIVERT action was added in Shorewall 4.5.3; user's running
|
||||
earlier versions of Shorewall will need to use the <ulink
|
||||
url="extension_scripts.htm">start extension script</ulink> to add the
|
||||
DIVERT logic mentioned in the Squid article linked above.</para>
|
||||
</note>
|
||||
|
||||
<para>/etc/shorewall/rules:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
|
Loading…
Reference in New Issue
Block a user