diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index a82d4baf7..19b4f98b7 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -183,6 +183,7 @@ our %EXPORT_TAGS = (
do_helper
validate_helper
do_headers
+ do_probability
do_condition
have_ipset_rules
record_runtime_address
@@ -4123,7 +4124,21 @@ sub do_headers( $ ) {
}
}
- "-m ipv6header ${invert}--header ${headers} ${soft}";
+ "-m ipv6header ${invert}--header ${headers} ${soft} ";
+}
+
+sub do_probability( $ ) {
+ my $probability = shift;
+
+ return '' if $probability eq '-';
+
+ require_capability 'STATISTIC_MATCH', 'A non-empty PROBABILITY column', 's';
+
+ my $invert = $probability =~ s/^!// ? '! ' : "";
+
+ fatal_error "Invalid PROBABILITY ($probability)" unless $probability =~ /^0?\.\d{1,8}$/;
+
+ "-m statistic --mode random --probability $probability ";
}
#
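Review bot: `$invert` is computed from a leading `!` but never used, so `"-m statistic --mode random --probability $probability "` silently drops the negation and a rule written as `!0.25` matches with probability 0.25 instead of the intended 0.75; either emit it like do_headers does, `"-m statistic --mode random ${invert}--probability $probability ";`, or reject the `!` with a fatal_error if inversion is not meant to be supported. The validation regex also disagrees with the man page added in this commit, which documents 0 < probability <= 1: `/^0?\.\d{1,8}$/` rejects `1` and accepts all-zero values such as `.0`, so something like `/\A(?:1|0?\.\d{1,8})\z/` plus a check that the value is non-zero would match the documented contract (`\A`/`\z` also avoid `$` accepting a trailing newline). A short header comment stating the accepted forms, e.g. `# Returns the statistic-match fragment for PROBABILITY, or '' when the column is '-'; accepts [!]0.d{1,8} or [!].d{1,8}`, would make the contract visible to callers in Tc.pm.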
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 6d6cabbde..a25b4e5be 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -194,8 +194,15 @@ sub initialize( $ ) {
}
sub process_tc_rule( ) {
- my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers ) =
- split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12 };
+ my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability );
+ if ( $family == F_IPV4 ) {
+ ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability ) =
+ split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 };
+ $headers = '-';
+ } else {
+ ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability ) =
+ split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 };
+ }
our @tccmd;
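Review bot: The two column maps passed to `split_line1` repeat the same twelve `mark`..`helper` entries and differ only in whether `headers` sits at column 12 and `probability` at 12 or 13, so any future column has to be added in both branches. The shared part could be declared once as `my %column_of = ( mark => 0, ..., helper => 11 );` and each branch pass `{ %column_of, probability => 12 }` or `{ %column_of, headers => 12, probability => 13 }`; the two list assignments stay as they are. This is a point of style only; the IPv4 branch correctly defaults `$headers` to `'-'` so the later `do_headers` call sees the "empty column" value. process_tc_rule continues outside the hunk.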
@@ -243,6 +250,7 @@ sub process_tc_rule( ) {
$source = '';
} elsif ( $source =~ s/^($fw):// ) {
+ fatal_error ":F is not allowed when the SOURCE is the firewall" if ( $designator || '' ) eq 'F';
$chain = 'tcout';
}
}
@@ -497,7 +505,8 @@ sub process_tc_rule( ) {
do_tos( $tos ) .
do_connbytes( $connbytes ) .
do_helper( $helper ) .
- do_headers( $headers ) ,
+ do_headers( $headers ) .
+ do_probability( $probability ) ,
$source ,
$dest ,
'' ,
diff --git a/Shorewall/configfiles/tcrules b/Shorewall/configfiles/tcrules
index e8308797a..74b58bb63 100644
--- a/Shorewall/configfiles/tcrules
+++ b/Shorewall/configfiles/tcrules
@@ -9,6 +9,7 @@
#
# See http://shorewall.net/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism.
-######################################################################################################################
-#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
+######################################################################################################################################
+#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY
# PORT(S) PORT(S)
+
diff --git a/Shorewall6/configfiles/tcrules b/Shorewall6/configfiles/tcrules
index 1c5b86025..ba36f4a21 100644
--- a/Shorewall6/configfiles/tcrules
+++ b/Shorewall6/configfiles/tcrules
@@ -9,6 +9,6 @@
#
# See http://shorewall.net/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism.
-##################################################################################################################################
-#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER HEADERS
+##############################################################################################################################################
+#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER HEADERS PROBABILITY
# PORT(S) PORT(S)
diff --git a/manpages/shorewall-route_rules.xml b/manpages/shorewall-route_rules.xml
index bebfd96d4..22f6573dc 100644
--- a/manpages/shorewall-route_rules.xml
+++ b/manpages/shorewall-route_rules.xml
@@ -32,7 +32,7 @@
SOURCE (Optional) - {-|interface|address|interface:address}
+ role="bold">-|[&]interface|address|interface:address}
An ip address (network or host) that
@@ -41,6 +41,11 @@
and an address. If the device lo is
specified, the packet must originate from the firewall
itself.
+
+ Beginning with Shorewall 4.5.0, you may specify
+ &interface in this column to indicate
+ that the source is the primary IP address of the named
+ interface.
diff --git a/manpages/shorewall-tcrules.xml b/manpages/shorewall-tcrules.xml
index cf433474d..ef91ea521 100644
--- a/manpages/shorewall-tcrules.xml
+++ b/manpages/shorewall-tcrules.xml
@@ -827,6 +827,21 @@ SAME $FW 0.0.0.0/0 tcp 80,443
4:T 0.0.0.0/0 0.0.0.0/0 TCP - - - - - - - ftp
+
+
+ PROBABILITY -
+ [probability]
+
+
+ Added in Shorewall 4.5.0. When non-empty, requires the
+ Statistics Match capability in your kernel
+ and ip6tables and causes the rule to match randomly but with the
+ given probability. The
+ probability is a number 0 <
+ probability <= 1 and may be expressed
+ at up to 8 decimal points of precision.
+
+
diff --git a/manpages6/shorewall6-route_rules.xml b/manpages6/shorewall6-route_rules.xml
index 305330fda..438d189d5 100644
--- a/manpages6/shorewall6-route_rules.xml
+++ b/manpages6/shorewall6-route_rules.xml
@@ -41,6 +41,11 @@
and an address. If the device lo is
specified, the packet must originate from the firewall
itself.
+
+ Beginning with Shorewall 4.5.0, you may specify
+ &interface in this column to indicate
+ that the source is the primary IP address of the named
+ interface.
diff --git a/manpages6/shorewall6-tcrules.xml b/manpages6/shorewall6-tcrules.xml
index 125ed8fbd..fbad02eb5 100644
--- a/manpages6/shorewall6-tcrules.xml
+++ b/manpages6/shorewall6-tcrules.xml
@@ -778,6 +778,21 @@ SAME $FW 0.0.0.0/0 tcp 80,443
role="bold">! is omitted.
+
+
+ PROBABILITY -
+ [probability]
+
+
+ Added in Shorewall 4.5.0. When non-empty, requires the
+ Statistics Match capability in your kernel
+ and ip6tables and causes the rule to match randomly but with the
+ given probability. The
+ probability is a number 0 <
+ probability <= 1 and may be expressed
+ at up to 8 decimal points of precision.
+
+