From 5c76e2a6935e64d1295c9684804b7e9d56191fe6 Mon Sep 17 00:00:00 2001
From: teastep
Date: Fri, 5 May 2006 20:40:28 +0000
Subject: [PATCH] Change 'track' interraction with PREROUTING marking
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3861 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/changelog.txt | 2 ++
 Shorewall/compiler | 10 ++++++++--
 Shorewall/releasenotes.txt | 26 ++++++++++++++++++++++++--
 3 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index ac186e32d..c0c793e6d 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -10,6 +10,8 @@ Changes in 3.2.0 Beta 6
 5) Fix default route generation in providers handling.
+6) Change interraction of 'track' and PREROUTING marking.
+
 Changes in 3.2.0 Beta 5
 1) Fix compilation problem on LEAF Bering.
diff --git a/Shorewall/compiler b/Shorewall/compiler
index 9925ad33f..16b31db79 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -3416,7 +3416,7 @@ process_tc_rule()
 fatal_error "Invalid mark value ($mark) in rule \"$rule\""
 ;;
 esac
- elif [ -n "$HIGH_ROUTE_MARKS" -a $chain = tcpre ]; then
+ elif [ $(($mask)) -ne 0 -a -n "$HIGH_ROUTE_MARKS" -a $chain = tcpre ]; then
 fatal_error "Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes"
 fi
 fi
@@ -3543,7 +3543,13 @@ setup_tc1() {
 # packets that are not part of a marked connection to the 'tcpre/tcout' chains.
 #
 if [ -n "$ROUTEMARK_INTERFACES" ]; then
- mark_part="-m mark --mark 0"
+ mark_part="-m mark --mark 0/0xFF00"
+ #
+ # But let marks in tcpre override those assigned by 'track'
+ #
+ for interface in $ROUTEMARK_INTERFACES; do
+ run_iptables -t mangle -A PREROUTING -i $interface -j tcpre
+ done
 fi
 run_iptables -t mangle -A PREROUTING $mark_part -j tcpre
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 549b4cead..0ebc5113f 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
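Review bot: The new guard in process_tc_rule tests `$mask`, while the surrounding code and the error message on the next line talk about the mark value (`$mark`); if `$mask` is the rule's mask rather than the value being set, a zero mark with a non-zero mask would still be rejected, so it is worth confirming against the column parsing above this hunk that `$mask` is zero exactly when the mark value is zero. Also, `$(($mask))` evaluates an empty or non-numeric `$mask` to 0 in bash without complaint, which silently takes the permissive branch; if the `case` above does not already reject such values, a guard like `case $mask in ''|*[!0-9a-fA-Fx]*) fatal_error "Invalid mask in rule \"$rule\"";; esac` before the arithmetic would be safer. Since zero is now permitted, the message reads better as `fatal_error "Non-zero marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes"`. process_tc_rule begins and ends outside this hunk.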
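Review bot: The per-interface `-i $interface -j tcpre` rules in setup_tc1 are immediately followed by the generic `$mark_part -j tcpre` rule, and `0/0xFF00` only excludes packets whose route mark sits in the high byte; if route marks occupy the low byte when HIGH_ROUTE_MARKS is not set, packets arriving on a tracked interface match both rules and traverse tcpre twice, so the mask should probably follow HIGH_ROUTE_MARKS (e.g. `mark_part="-m mark --mark 0/0xFF"` in that case) or the generic rule should not be evaluated for tracked interfaces. The override also depends on the 'track' marking rules having been appended to PREROUTING before this point, which the hunk does not show; I would extend the added comment to `# But let marks in tcpre override those assigned by 'track' (these rules must follow the route-marking rules and precede the $mark_part jump below)`. setup_tc1 starts before this hunk and its end is not visible.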
@@ -51,12 +51,23 @@ Other changes in 3.2.0 Beta 6
 1) A TOS column has been added to /etc/shorewall/tcrules. This allows marking based on the contents of the TOS field in the packet header.
+2) Beginning with this release, the way in which packet marking in the
+ PREROUTING chain interracts with the 'track' option in /etc/shorewall/providers
+ has changed in two ways:
+
+ a) Packets *arriving* on a tracked interface are now passed to the PREROUTING
+ marking chain so that they may be marked with a mark other than the
+ 'track' mark (the connection still retains the 'track' mark).
+
+ b) When HIGH_ROUTE_MARKS=Yes, you can still clear the mark on packets
+ in the PREROUTING chain (i.e., you can specify a mark value of zero).
+
 Migration Considerations:
 1) If you are upgrading from Shorewall 2.x, it is essential that you read
- the Shorewall 3.0.5 release notes:
+ the Shorewall 3.0.6 release notes:
- http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.5/releasenotes.txt
+ http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.6/releasenotes.txt
 2) A number of macros have been split into two. The macros affected are:
@@ -144,6 +155,17 @@ Migration Considerations:
 Use "shorewall restart" instead if you need to reprocess the tcrules, tcdevices and tcclasses files.
+7) Beginning with this release, the way in which packet marking in the
+ PREROUTING chain interracts with the 'track' option in /etc/shorewall/providers
+ has changed in two ways:
+
+ a) Packets arriving on a tracked interface are now passed to the PREROUTING
+ marking chain so that they may be marked with a mark other than the
+ 'track' mark (the connection still retains the 'track' mark).
+
+ b) When HIGH_ROUTE_MARKS=Yes, you can still clear the mark on packets
+ in the PREROUTING chain (i.e., you can specify a mark value of zero).
+
 New Features:
 1) Shorewall has always been very noisy (lots of messages). No longer.