Allow IPv6 Address as the third argument to TPROXY

- also update the manpages to describe TPROXY

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -536,6 +536,7 @@ sub valid_6address( $ ) {
     }
 
     return 0 if @address > $max;
+    return 0 unless $address =~ /^[a-f:]+$/;
     return 0 unless ( @address == $max ) || $address =~ /::/;
     return 0 if $address =~ /:::/ || $address =~ /::.*::/;
 

Shorewall/Perl/Shorewall/Tc.pm

@@ -205,7 +205,15 @@ sub process_tc_rule( ) {
 
     my ( $mark, $designator, $remainder ) = split( /:/, $originalmark, 3 );
 
-    fatal_error "Invalid MARK ($originalmark)" if defined $remainder || ! defined $mark || $mark eq '';
+    fatal_error "Invalid MARK ($originalmark)" unless defined $mark || $mark eq '';
+
+    if ( $remainder ) { 
+	if ( $originalmark =~ /^\w+\(?.*\)$/ ) {
+	    $mark = $originalmark; # Most likely, an IPv6 address is included in the parameter list
+	} else {
+	    fatal_error "Invalid MARK ($originalmark)";
+	}
+    }
 
     my $chain  = $globals{MARKING_CHAIN};
     my $target = 'MARK --set-mark';
@@ -376,6 +384,10 @@ sub process_tc_rule( ) {
 			$target .= " --on-port $port";
 
 			if ( supplied $ip ) {
+			    if ( $family == F_IPV6 ) {
+				$ip = $1 if $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/;
+			    }
+
 			    validate_address $ip, 1;
 			    $target .= " --on-ip $ip";
 			}

manpages/shorewall-tcrules.xml

@@ -43,26 +43,11 @@
     <variablelist>
       <varlistentry>
         <term><emphasis role="bold">MARK/CLASSIFY</emphasis> -
-        {<emphasis>value</emphasis>|<emphasis>major</emphasis><emphasis
-        role="bold">:</emphasis><emphasis>minor</emphasis>|<emphasis
-        role="bold">RESTORE</emphasis>[<emphasis
-        role="bold">/</emphasis><emphasis>mask</emphasis>]|<emphasis
-        role="bold">SAVE</emphasis>[<emphasis
-        role="bold">/</emphasis><emphasis>mask</emphasis>]|<emphasis
-        role="bold">CONTINUE</emphasis>|<emphasis
-        role="bold">SAME</emphasis>|<emphasis
-        role="bold">COMMENT</emphasis>|<emphasis
-        role="bold">IPMARK</emphasis>[([(<emphasis
-        role="bold">src</emphasis>|<emphasis
-        role="bold">dst</emphasis>}][,[<emphasis>mask1</emphasis>][,[<emphasis>mask2</emphasis>][,[<emphasis>shift</emphasis>]]]]])]}[<emphasis
-        role="bold">:</emphasis>{<emphasis role="bold">C</emphasis>|<emphasis
-        role="bold">F</emphasis>|<emphasis role="bold">P</emphasis>|<emphasis
-        role="bold">T</emphasis>|<emphasis role="bold">CF</emphasis>|<emphasis
-        role="bold">CP</emphasis>|<emphasis
-        role="bold">CT</emphasis>|I:CI}]</term>
+        <replaceable>mark</replaceable></term>
 
         <listitem>
-          <para>May assume one of the following values.</para>
+          <para>Where <replaceable>mark</replaceable> may assume one of the
+          following values.</para>
 
           <orderedlist numeration="arabic">
             <listitem>
@@ -397,6 +382,39 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
               above so that all of your <replaceable>minor</replaceable>
               classes will have a value &gt; 256.</para>
             </listitem>
+
+            <listitem>
+              <para><emphasis
+              role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[/<replaceable>mask</replaceable>][,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para>
+
+              <para>Transparently redirects a packet without altering the IP
+              header. Requires a local provider to be defined in <ulink
+              url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
+
+              <para>There are three parameters to TPROXY - only the first
+              (mark) is required:</para>
+
+              <itemizedlist>
+                <listitem>
+                  <para><replaceable>mark</replaceable> - the MARK value
+                  corresponding to the local provider in <ulink
+                  url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
+                </listitem>
+
+                <listitem>
+                  <para><replaceable>port</replaceable> - the port on which
+                  the proxy server is listening. If omitted, the original
+                  destination port.</para>
+                </listitem>
+
+                <listitem>
+                  <para><replaceable>address</replaceable> - a local (to the
+                  firewall) IP address on which the proxy server is listening.
+                  If omitted, the IP address of the interface on which the
+                  request arrives.</para>
+                </listitem>
+              </itemizedlist>
+            </listitem>
           </orderedlist>
         </listitem>
       </varlistentry>

manpages6/shorewall6-tcrules.xml

@@ -43,22 +43,11 @@
     <variablelist>
       <varlistentry>
         <term><emphasis role="bold">MARK/CLASSIFY</emphasis> -
-        {<emphasis>value</emphasis>|<emphasis>major</emphasis><emphasis
-        role="bold">:</emphasis><emphasis>minor</emphasis>|<emphasis
-        role="bold">RESTORE</emphasis>[<emphasis
-        role="bold">/</emphasis><emphasis>mask</emphasis>]|<emphasis
-        role="bold">SAVE</emphasis>[<emphasis
-        role="bold">/</emphasis><emphasis>mask</emphasis>]|<emphasis
-        role="bold">CONTINUE</emphasis>|<emphasis
-        role="bold">COMMENT</emphasis>}[<emphasis
-        role="bold">:</emphasis>{<emphasis role="bold">C</emphasis>|<emphasis
-        role="bold">F</emphasis>|<emphasis role="bold">P</emphasis>|<emphasis
-        role="bold">T</emphasis>|<emphasis role="bold">CF</emphasis>|<emphasis
-        role="bold">CP</emphasis>|<emphasis
-        role="bold">CT</emphasis>|I|CI}]</term>
+        <replaceable>mark</replaceable></term>
 
         <listitem>
-          <para>May assume one of the following values.</para>
+          <para><replaceable>mark</replaceable> may assume one of the
+          following values.</para>
 
           <orderedlist numeration="arabic">
             <listitem>
@@ -290,6 +279,39 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
               <para>To stop the comment from being attached to further rules,
               simply include COMMENT on a line by itself.</para>
             </listitem>
+
+            <listitem>
+              <para><emphasis
+              role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[/<replaceable>mask</replaceable>][,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para>
+
+              <para>Transparently redirects a packet without altering the IP
+              header. Requires a local provider to be defined in <ulink
+              url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
+
+              <para>There are three parameters to TPROXY - only the first
+              (mark) is required:</para>
+
+              <itemizedlist>
+                <listitem>
+                  <para><replaceable>mark</replaceable> - the MARK value
+                  corresponding to the local provider in <ulink
+                  url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
+                </listitem>
+
+                <listitem>
+                  <para><replaceable>port</replaceable> - the port on which
+                  the proxy server is listening. If omitted, the original
+                  destination port.</para>
+                </listitem>
+
+                <listitem>
+                  <para><replaceable>address</replaceable> - a local (to the
+                  firewall) IP address on which the proxy server is listening.
+                  If omitted, the IP address of the interface on which the
+                  request arrives.</para>
+                </listitem>
+              </itemizedlist>
+            </listitem>
           </orderedlist>
         </listitem>
       </varlistentry>