Finish INLINE in the tcrules file.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2025-01-03 20:19:19 +01:00 · 2013-12-01 09:25:32 -08:00 · 2013-12-01 09:25:32 -08:00 · 95abeaea24
commit 95abeaea24
parent 75258083e3
3 changed files with 69 additions and 4 deletions
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@ -207,7 +207,7 @@ sub initialize( $ ) {
 sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = @_;

-our  %tccmd;
+    our  %tccmd;

    unless ( %tccmd ) {
 	%tccmd = ( SAVE =>     { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
@ -316,6 +316,15 @@ our  %tccmd;

    fatal_error 'MARK must be specified' if $originalmark eq '-';

+    my $inline;
+    my $raw = '';
+
+    if ( $inline = ( $originalmark =~ /^INLINE\((.+)\)(:.*)?$/ ) ) {
+	$originalmark = $1;
+	$originalmark .= $2 if $2;
+	$raw = get_inline_matches;
+    }
+
    my ( $mark, $designator, $remainder ) = split( /:/, $originalmark, 3 );

    fatal_error "Invalid MARK ($originalmark)" unless supplied $mark;
@ -557,9 +566,12 @@ our  %tccmd;
 					   assert ( $cmd eq 'INLINE' );
 					   $matches = get_inline_matches;

-					   if ( $matches =~ /^(.*\s+)-j\s+(.+) $/ ) {
+					   if ( $matches =~ /^(.*\s+)-j\s+(.+)$/ ) {
 					       $matches   = $1;
 					       $target    = $2;
+					       my $action = $target;
+					       $action = $1 if $action =~ /^(.+?)\s/;
+					       fatal_error "Unknown target ($action)" unless $targets{$action} || $builtin_target{$action};
 					   } else {
 					       $target = '';
 					   }
--- a/Shorewall/manpages/shorewall-tcrules.xml
+++ b/Shorewall/manpages/shorewall-tcrules.xml
@ -473,6 +473,33 @@
              in your kernel and iptables.</para>
            </listitem>

+            <listitem>
+              <para><emphasis
+              role="bold">INLINE</emphasis>[(<replaceable>action</replaceable>)]</para>
+
+              <para>Added in Shorewall 4.6.0. Allows you to place your own
+              ip[6]tables matches at the end of the line following a semicolon
+              (";"). If an <replaceable>action</replaceable> is specified, the
+              compiler procedes as if that <replaceable>action</replaceable>
+              had been specified in this column. If no action is specified,
+              then you may include your own jump ("-j
+              <replaceable>target</replaceable>
+              [<replaceable>option</replaceable>] ...") after any matches
+              specified at the end of the rule. If the target is not one known
+              to Shorewall, then it must be defined as a builtin action in
+              <ulink url="shorewall-actions.html">shorewall-actions</ulink>
+              (5).</para>
+
+              <para>The following rules are equivalent:</para>
+
+              <programlisting>2:P             eth0              -         tcp 22
+INLINE(2):P     eth0              -         tcp 22
+INLINE(2):P     eth0              -                 ; -p tcp
+INLINE          eth0              -         tcp 22  ; -j MARK --set-mark 2
+INLINE          eth0              -                 ; -p tcp -j MARK --set-mark 2
+</programlisting>
+            </listitem>
+
            <listitem>
              <para><emphasis role="bold">IPMARK</emphasis> ‒ Assigns a mark
              to each matching packet based on the either the source or
--- a/Shorewall6/manpages/shorewall6-tcrules.xml
+++ b/Shorewall6/manpages/shorewall6-tcrules.xml
@ -503,6 +503,32 @@
              in your kernel and ip6tables.</para>
            </listitem>

+            <listitem>
+              <para><emphasis
+              role="bold">INLINE</emphasis>[(<replaceable>action</replaceable>)]</para>
+
+              <para>Added in Shorewall 4.6.0. Allows you to place your own
+              ip[6]tables matches at the end of the line following a semicolon
+              (";"). If an <replaceable>action</replaceable> is specified, the
+              compiler procedes as if that <replaceable>action</replaceable>
+              had been specified in this column. If no action is specified,
+              then you may include your own jump ("-j
+              <replaceable>target</replaceable>
+              [<replaceable>option</replaceable>] ...") after any matches
+              specified at the end of the rule. If the target is not one known
+              to Shorewall, then it must be defined as a builtin action in
+              <ulink url="shorewall6-actions.html">shorewall6-actions</ulink>
+              (5).</para>
+
+              <para>The following rules are equivalent:</para>
+
+              <programlisting>2:P             eth0              -         tcp 22
+INLINE(2):P     eth0              -         tcp 22
+INLINE(2):P     eth0              -                 ; -p tcp
+INLINE          eth0              -         tcp 22  ; -j MARK --set-mark 2
+INLINE          eth0              -                 ; -p tcp -j MARK --set-mark 2</programlisting>
+            </listitem>
+
            <listitem>
              <para><emphasis
              role="bold">RESTORE</emphasis>[/<emphasis>mask</emphasis>] --