extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-22 23:53:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

Backout ematch stuff for now

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2014-01-03 12:01:56 -08:00
parent 7e1a310929
commit 5a7e458104
2 changed files with 8 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall/Perl/Shorewall/Config.pm
View File

@ -4273,7 +4273,7 @@ sub Basic_Filter() {
}
sub Basic_Ematch() {
$tc && have_capability 'BASIC_FILTER' && system( "$tc filter add basic help 2>&1 | egrep -q match" ) == 0;
$tc && have_capability( 'BASIC_FILTER' ) && system( "$tc filter add basic help 2>&1 | egrep -q match" ) == 0;
}
sub Fwmark_Rt_Mask() {

70
Shorewall/Perl/Shorewall/Tc.pm
View File

@ -1908,36 +1908,6 @@ sub validate_tc_class( ) {
my %validlengths = ( 32 => '0xffe0', 64 => '0xffc0', 128 => '0xff80', 256 => '0xff00', 512 => '0xfe00', 1024 => '0xfc00', 2048 => '0xf800', 4096 => '0xf000', 8192 => '0xe000' );
#
# Handle an ipset name in the SOURCE or DEST columns of a filter
#
sub handle_ematch( $$ ) {
my ( $setname, $option ) = @_;
my $options = $option;
require_capability 'BASIC_EMATCH', 'IPSets', '';
if ( $setname =~ /^(.*)\[([1-6])\]$/ ) {
$setname = $1;
my $count = $2;
$options .= ",$option" while --$count > 0;
} elsif ( $setname =~ /^(.*)\[((?:src|dst)(?:,(?:src|dst))){0,5}\]$/ ) {
$setname = $1;
$options = $2 if supplied $2;
my @options = split /,/, $options;
if ( $config{IPSET_WARNINGS} ) {
my %typemap = ( src => 'Source', dst => 'Destination' );
warning_message( "The '$options[0]' ipset flag is used in a $typemap{$option} column" ), unless $options[0] eq $option;
}
}
return " ipset( $setname, $options )";
}
#
# Process a record from the tcfilters file
#
@ -1955,8 +1925,6 @@ sub process_tc_filter1( $$$$$$$$$ ) {
my $devref;
my $ematch = '';
if ( $device =~ /^[\da-fA-F]+$/ && ! $tcdevices{$device} ) {
( $device, $devref ) = dev_by_number( hex_value( $device ) );
} else {
@ -2002,27 +1970,15 @@ sub process_tc_filter1( $$$$$$$$$ ) {
my $rule = "filter add dev $devref->{physical} protocol $ip parent $devnum:0 prio $prio u32";
if ( $source ne '-' ) {
if ( $source =~ /^\+/ ) {
$ematch = join( ' ', 'match', handle_ematch( $source, 'src' ) );
} else {
my ( $net , $mask ) = decompose_net( $source );
$rule .= "\\\n match $ip32 src $net/$mask";
$have_rule = 1;
}
my ( $net , $mask ) = decompose_net( $source );
$rule .= "\\\n match $ip32 src $net/$mask";
$have_rule = 1;
}
if ( $dest ne '-' ) {
if ( $dest =~ /^\+/ ) {
if ( $ematch ) {
$ematch = join( ' ', $ematch, handle_ematch( $dest, 'dst' ) );
} else {
$ematch = join( ' ', 'match', handle_ematch( $dest, 'dst' ) );
}
} else {
my ( $net , $mask ) = decompose_net( $dest );
$rule .= "\\\n match $ip32 dst $net/$mask";
$have_rule = 1;
}
my ( $net , $mask ) = decompose_net( $dest );
$rule .= "\\\n match $ip32 dst $net/$mask";
$have_rule = 1;
}
if ( $tos ne '-' ) {
@ -2063,25 +2019,13 @@ sub process_tc_filter1( $$$$$$$$$ ) {
}
}
if ( $ematch ) {
if ( $have_rule ) {
my $tnum = in_hex3 $devref->{tablenumber}++;
push @$filtersref, ( "\nrun_tc $rule\\" ,
" link $tnum:0" );
$rule = "filter add dev $devref->{physical} protocol $ip parent $devnum:0 prio $prio basic ht $tnum:0 match ${ematch}";
} else {
$rule = "filter add dev $devref->{physical} protocol $ip parent $devnum:0 prio $prio basic match$ ${ematch}";
$have_rule = 1;
}
}
if ( $portlist eq '-' && $sportlist eq '-' ) {
if ( $have_rule ) {
push @$filtersref , ( "\nrun_tc $rule\\" ,
" flowid $devnum:$class" ,
'' );
} else {
warning_message "Degenerate tcfilter ignored" unless $ematch;
warning_message "Degenerate tcfilter ignored";
}
} else {
fatal_error "Ports may not be specified without a PROTO" unless $protonumber;