Tweak 'tracked' interface handling

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7831 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-common/changelog.txt

@@ -14,6 +14,8 @@ Changes in 4.1.2
 
 7)  Tighten up HIGH_ROUTE_MARKS in the OUTPUT chain.
 
+8)  Tweak 'track'.
+
 Changes in 4.1.1
 
 1)  Fix ULOG/NFLOG output.

Shorewall-common/releasenotes.txt

@@ -131,6 +131,22 @@ Other changes in Shorewall 4.1.2.
     there. Packet marking rules for traffic shaping of packets
     originating on the firewall must be coded in the POSTROUTING table.
 
+3)  The behavior of the 'track' provider has been changed subtly when
+    TC_EXPERT=No.
+
+    Previously, traffic entering from a tracked interface was subjected
+    to PREROUTING marking. This was to allow the PREROUTING rules to
+    clear the packet mark, thus causing the packet to be routed using
+    the 'main' table (table 254). 
+
+    Beginning with Shorewall 4.1.2, when a packet enters on a tracked
+    interface, the packet mark will be cleared unconditionally and the
+    packet will be routed based on the main table.
+
+    This change should be transparent to most users. Users who use
+    PREROUTING marks to route between two tracked interface are advised
+    to switch to TC_EXPORT=Yes.
+
 Migration Issues.
 
 1)  Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero
@@ -139,6 +155,22 @@ Migration Issues.
     there. Packet marking rules for traffic shaping of packets
     originating on the firewall must be coded in the POSTROUTING table.
 
+2)  The behavior of the 'track' provider has been changed subtly when
+    TC_EXPERT=No.
+
+    Previously, traffic entering from a tracked interface was subjected
+    to PREROUTING marking. This was to allow the PREROUTING rules to
+    clear the packet mark, thus causing the packet to be routed using
+    the 'main' table (table 254). 
+
+    Beginning with Shorewall 4.1.2, when a packet enters on a tracked
+    interface, the packet mark will be cleared unconditionally and the
+    packet will be routed based on the main table.
+
+    This change should be transparent to most users. Users who use
+    PREROUTING marks to route between two tracked interface are advised
+    to switch to TC_EXPORT=Yes.
+
 New Features in Shorewall 4.1.
 
 1)  Shorewall 4.1 contains experimental support for multiple Internet

Shorewall-common/shorewall

@@ -233,7 +233,7 @@ get_config() {
 			[ -n "$STARTUP_LOG" ] || $LOG_VERBOSITY=-1;
 			;;
 		    *)
-		        echo "  ERROR: INvalid LOG_VERBOSITY ($LOG_VERBOSITY)" >&2
+		        echo "  ERROR: Invalid LOG_VERBOSITY ($LOG_VERBOSITY)" >&2
 			exit 2;
 			;;
 		esac
@@ -256,10 +256,27 @@ get_config() {
 	fi
     fi
 
-    [ -n "${VERBOSITY:=2}" ]
+    case $VERBOSITY in
+	-1|0|1|2)
+	    ;;
+	*)
+	    if [ -n "$VERBOSITY" ]; then
+		echo "   ERROR: Invalid VERBOSITY setting ($VERBOSITY)" >&2
+		exit 2
+	    else
+		VERBOSITY=2
+	    fi
+	    ;;
+    esac
 
     [ -n "$USE_VERBOSITY" ] && VERBOSE=$USE_VERBOSITY || VERBOSE=$(($VERBOSE_OFFSET + $VERBOSITY))
 
+    if [ $VERBOSE -lt -1 ]; then
+	VERBOSE=-1
+    elif [ $VERBOSE -gt 2 ]; then
+	VERBOSE=2
+    fi
+
     export VERBOSE
 
     [ -n "${HOSTNAME:=$(hostname)}" ]

Shorewall-perl/Shorewall/Tc.pm

@@ -552,10 +552,10 @@ sub setup_tc() {
 	my $mark_part = '';
 
 	if ( @routemarked_interfaces && ! $config{TC_EXPERT} ) {
-	    $mark_part = $config{HIGH_ROUTE_MARKS} ? '-m mark --mark 0/0xFF00' : '-m mark --mark 0/0xFF';
+	    $mark_part = $config{HIGH_ROUTE_MARKS} ? '-m connmark --mark 0/0xFF00' : '-m connmark --mark 0/0xFF';
 
 	    for my $interface ( @routemarked_interfaces ) {
-		add_rule $mangle_table->{PREROUTING} , "-i $interface -j tcpre";
+		add_rule $mangle_table->{PREROUTING} , "-i $interface -j MARK --set-mark 0";
 	    }
 	}