Merge Fabio Longerai's LENGTH patch

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3296 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-20 09:47:51 +02:00 · 2006-01-15 22:54:12 +00:00 · 2006-01-15 22:54:12 +00:00 · 9325925aef
commit 9325925aef
parent 5083f753c4
5 changed files with 35 additions and 20 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -1,4 +1,4 @@
-Changes in 3.1.0
+Changes in 3.1.x.
 1) Removal of dynamic zones.
@ -16,3 +16,5 @@ Changes in 3.1.0
 7) Remove some restrictions on remote compiles.
 8) Add error checking to generated script.
 9) Merge Fabio Longerai's 'length' patch.
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -3656,6 +3656,11 @@ process_tc_rule()
 	    esac
 	fi
 	if [ "x${length:=-}" != "x-" ]; then
 		[ -n "$LENGTH_MATCH" ] || fatal_error "Your kernel and/or iptables does not have length match support. Rule: \"$rule\""
 		r="${r}-m length --length ${length} "
 	fi
 	multiport=
 	case $proto in
@ -3853,9 +3858,9 @@ setup_tc1() {
    #
    strip_file tcrules
-    while read mark sources dests proto ports sports user testval; do
+    while read mark sources dests proto ports sports user testval length; do
-	expandv mark sources dests proto ports sports user testval
+	expandv mark sources dests proto ports sports user testval length
-	rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval")
+	rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval $length")
 	process_tc_rule
    done < $TMP_DIR/tcrules
    #
@ -4320,9 +4325,9 @@ refresh_tc() {
        #
        strip_file tcrules
-	while read mark sources dests proto ports sports user testval; do
+	while read mark sources dests proto ports sports user testval length; do
-	    expandv mark sources dests proto ports sports user testval
+	    expandv mark sources dests proto ports sports user testval length
-	    rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval")
+	    rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval $length")
 	    process_tc_rule
        done < $TMP_DIR/tcrules
    else
--- a/Shorewall/functions
+++ b/Shorewall/functions
@ -970,6 +970,7 @@ determine_capabilities() {
    CONNMARK_MATCH=
    RAW_TABLE=
    IPP2P_MATCH=
    LENGTH_MATCH=
    CLASSIFY_TARGET=
    ENHANCED_REJECT=
@ -984,6 +985,7 @@ determine_capabilities() {
    qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT                           && OWNER_MATCH=Yes
    qt $IPTABLES -A fooX1234 -m connmark --mark 2  -j ACCEPT                            && CONNMARK_MATCH=Yes
    qt $IPTABLES -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT                          && IPP2P_MATCH=Yes
    qt $IPTABLES -A fooX1234 -m length --length 10:20 -j ACCEPT                         && LENGTH_MATCH=Yes
    qt $IPTABLES -A fooX1234 -j REJECT --reject-with icmp-host-prohibited               && ENHANCED_REJECT=Yes
    qt $IPTABLES -t mangle -N fooX1234
@ -1032,6 +1034,7 @@ report_capabilities() {
 	report_capability "Packet Type Match" $USEPKTTYPE
 	report_capability "Policy Match" $POLICY_MATCH
 	report_capability "Physdev Match" $PHYSDEV_MATCH
 	report_capability "Packet length Match" $LENGTH_MATCH
 	report_capability "IP range Match" $IPRANGE_MATCH
 	report_capability "Recent Match" $RECENT_MATCH
 	report_capability "Owner Match" $OWNER_MATCH
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -1,4 +1,4 @@
-Shorewall 3.1.2
+Shorewall 3.1.3
 Note to users upgrading from Shorewall 2.x or 3.0
@ -26,18 +26,10 @@ Note to users upgrading from Shorewall 2.x or 3.0
   Please see the "Migration Considerations" below for additional upgrade
   information.
-Changes in 3.1.2
+New Features in 3.1.3
-1) With the execption of 'detectnets', the restrictions on remote compilation
+1)  A LENGTH column has been added to the /etc/shorewall/tcrules file to allow
-   (compile on one system and execute on nother) have been removed. It is
+    packet marking by packet length. Patch courtesy of Fabio Longerai.
   doubtful that the 'detectnets' restriction will ever be lifted.
 2) The compiled script now contains the same error checking as would be done
   during "shorewall [re]start" -- if an error occurs, a 'restore' or 'stop'
   is done (requires that Shorewall be installed on the target system).
 3) The '-e' option now follows "compile" or "generate" on the command line
   (it is specific to those commands).
 Migration Considerations:
--- a/Shorewall/tcrules
+++ b/Shorewall/tcrules
@ -162,10 +162,23 @@
 #					omitted, the packet mark's value is
 #					tested.
 #
 #			If you don't want to define a test but need to specify
 #			anything in the following columns, place a "-" in this
 #			field. 
 #
 #	LENGTH		(Optional) Packet Length. This field, if present
 #			allow you to match the length of a packet against   
 #			a specific value or range of values. You must have
 #			iptables length support for this to work. If you let
 #			it empy or place an "-" here, no length match will be
 #			done.
 #
 #                       Examples: 1024, 64:1500
 #
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 # For usage in selecting among multiple ISPs, see
 # http://shorewall.net/Shorewall_and_Routing.html
 ###############################################################################
-#MARK	SOURCE		DEST		PROTO	PORT(S)	CLIENT	USER	TEST
+#MARK	SOURCE		DEST		PROTO	PORT(S)	CLIENT	USER	TEST	LENGTH
 #							PORT(S)
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE