Reverse 'tracked' tweak

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7833 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-12-05 20:08:09 +00:00
parent e042aacd03
commit 927ecdb085
2 changed files with 13 additions and 31 deletions


@ -48,7 +48,7 @@ Other changes in Shorewall 4.1.2.
1) Shorewall 4.1.2 contains enhanced operational logging capabilities
through a set of related enhancements to Shorewall-common and
Shorewall-shell. The enhancements are not supported by
Shorewall-perl. The enhancements are not supported by
Shorewall-shell nor are they supported by Shorewall-lite except
when the script is compiled using Shorewall-perl.
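Review bot: The changed line at 48 appears in two forms, one ending "Shorewall-shell." and one ending "Shorewall-perl."; only the "Shorewall-perl." form is consistent with the next sentence, which says the enhancements are not supported by Shorewall-shell, so confirm that is the version kept. This wording fix is unrelated to the 'tracked' revert named in the commit message and would be easier to trace if the message mentioned it or it went in separately.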
@ -131,21 +131,12 @@ Other changes in Shorewall 4.1.2.
there. Packet marking rules for traffic shaping of packets
originating on the firewall must be coded in the POSTROUTING table.
3) The behavior of the 'track' provider has been changed subtly when
TC_EXPERT=No.
3) Previously, Shorewall did not range-check the value of the
VERBOSITY option in shorewall.conf. Beginnins with Shorewall 4.1.2:
Previously, traffic entering from a tracked interface was subjected
to PREROUTING marking. This was to allow the PREROUTING rules to
clear the packet mark, thus causing the packet to be routed using
the 'main' table (table 254).
Beginning with Shorewall 4.1.2, when a packet enters on a tracked
interface, the packet mark will be cleared unconditionally and the
packet will be routed based on the main table.
This change should be transparent to most users. Users who use
PREROUTING marks to route between two tracked interface are advised
to switch to TC_EXPORT=Yes.
a) A VERBOSITY setting outside the range -1 through 2 is rejected.
b) After the -v and -q options are applied, the resulting value is
adjusted to fall within the range -1 through 2.
Migration Issues.
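Review bot: Typo in the new item 3: "Beginnins with Shorewall 4.1.2:" should read "Beginning with Shorewall 4.1.2:". It would also help to make explicit that a) refers to the VERBOSITY value in shorewall.conf and b) to the value after the -v and -q command-line options, since one is "rejected" and the other silently "adjusted".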
@ -155,21 +146,12 @@ Migration Issues.
there. Packet marking rules for traffic shaping of packets
originating on the firewall must be coded in the POSTROUTING table.
2) The behavior of the 'track' provider has been changed subtly when
TC_EXPERT=No.
2) Previously, Shorewall did not range-check the value of the
VERBOSITY option in shorewall.conf. Beginning with Shorewall 4.1:
Previously, traffic entering from a tracked interface was subjected
to PREROUTING marking. This was to allow the PREROUTING rules to
clear the packet mark, thus causing the packet to be routed using
the 'main' table (table 254).
Beginning with Shorewall 4.1.2, when a packet enters on a tracked
interface, the packet mark will be cleared unconditionally and the
packet will be routed based on the main table.
This change should be transparent to most users. Users who use
PREROUTING marks to route between two tracked interface are advised
to switch to TC_EXPORT=Yes.
a) A VERBOSITY setting outside the range -1 through 2 is rejected.
b) After the -v and -q options are applied, the resulting value is
adjusted to fall within the range -1 through 2.
New Features in Shorewall 4.1.
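Review bot: The version in this Migration Issues copy, "Beginning with Shorewall 4.1:", disagrees with the same item under "Other changes in Shorewall 4.1.2", which says 4.1.2; pick one so readers know which release starts rejecting an out-of-range VERBOSITY. Since a shorewall.conf value that was previously accepted is now rejected, this section should also say what the user sees on rejection, because that is what makes it a migration issue.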


@ -552,10 +552,10 @@ sub setup_tc() {
my $mark_part = '';
if ( @routemarked_interfaces && ! $config{TC_EXPERT} ) {
$mark_part = $config{HIGH_ROUTE_MARKS} ? '-m connmark --mark 0/0xFF00' : '-m connmark --mark 0/0xFF';
$mark_part = $config{HIGH_ROUTE_MARKS} ? '-m mark --mark 0/0xFF00' : '-m mark --mark 0/0xFF';
for my $interface ( @routemarked_interfaces ) {
add_rule $mangle_table->{PREROUTING} , "-i $interface -j MARK --set-mark 0";
add_rule $mangle_table->{PREROUTING} , "-i $interface -j tcpre";
}
}
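Review bot: Nothing in setup_tc() documents why traffic from @routemarked_interfaces is treated specially when TC_EXPERT is off, and this same commit deletes the release-note paragraphs that explained it. A short comment above the "for my $interface" loop should state the intent of the rule that is kept ("-j tcpre" versus "-j MARK --set-mark 0") and of the $mark_part match ("-m mark" versus "-m connmark"), since the two matches test different things: the packet mark and the connection mark. The commit message should also record why the tweak was reversed.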