From 97fa7a051367cc46a5d7f6484957f9a60785e893 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 28 May 2009 14:29:33 -0700 Subject: [PATCH] Add LENGTH column to tcfilters file --- Shorewall/Perl/Shorewall/Tc.pm | 11 ++++++++++- Shorewall/changelog.txt | 2 ++ Shorewall/configfiles/tcfilters | 2 +- Shorewall/releasenotes.txt | 8 ++++++++ docs/traffic_shaping.xml | 10 ++++++++++ manpages/shorewall-tcfilters.xml | 15 ++++++++++++++- 6 files changed, 45 insertions(+), 3 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index cd3d4d9cf..505cb13f2 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -778,11 +778,13 @@ sub validate_tc_class( ) { progress_message " Tcclass \"$currentline\" $done."; } +my %validlengths = ( 32 => '0xffe0', 64 => '0xffc0', 128 => '0xff80', 256 => '0xff00', 512 => '0xfe00', 1024 => '0xfc00', 2048 => '0xf800', 4096 => '0xf000', 8192 => '0xe000' ); + # # Process a record from the tcfilters file # sub process_tc_filter( ) { - my ( $devclass, $source, $dest , $proto, $portlist , $sportlist ) = split_line 2, 6, 'tcfilters file'; + my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $length ) = split_line 2, 7, 'tcfilters file'; my ($device, $class, $rest ) = split /:/, $devclass, 3; @@ -817,6 +819,13 @@ sub process_tc_filter( ) { $rule .= "\\\n match ip dst $net/$mask"; } + if ( $length ne '-' ) { + my $len = numeric_value( $length ) || 0; + my $mask = $validlengths{$len}; + fatal_error "Invalid LENGTH ($length)" unless $mask; + $rule .="\\\n match u16 0x0000 $mask at 2"; + } + my $protonumber = 0; unless ( $proto eq '-' ) { diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 3122ba979..ab823c757 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt 
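Review bot: The new `%validlengths` table holds nine hand-written masks with no comment saying how they are derived or where they are used, so a mistyped entry would silently generate a filter that matches the wrong packet sizes. Each value is `0x10000 - LENGTH` (for example 32 => 0xffe0), meaning the bits that must all be zero for the total length to be below LENGTH. I would put a comment above the table such as `# LENGTH => u16 mask; a packet matches when (total length & mask) == 0, i.e. mask = 0x10000 - LENGTH`. As a style point, the table sits at file scope between two subs; a short header comment in the same `#` block style the file uses for `process_tc_filter` would keep it consistent.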
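Review bot: The added `match u16 0x0000 $mask at 2` relies on offset 2 being the IPv4 total-length field, which nothing in the block states, so a reader cannot check the generated filter against the documented "strictly less than" behaviour. A comment inside the `if` would cover it, e.g. `# u16 at offset 2 of the IPv4 header is Total Length; all masked bits zero means length < LENGTH`. The validation itself fails closed, since `numeric_value( $length ) || 0` followed by the hash lookup rejects anything not in the table. The error would be more useful if it named the accepted values, as in `fatal_error "Invalid LENGTH ($length): must be a power of 2 between 32 and 8192" unless $mask;`. `numeric_value` and `split_line` are defined outside this hunk, so whether hexadecimal or octal spellings are accepted and whether an omitted column always arrives as '-' should be confirmed there; the body of `process_tc_filter` also continues past the hunk.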
@@ -7,6 +7,8 @@ Changes in Shorewall 4.3.12 3) Delete support for ipset binding. Jozsef has removed the capability from ipset. +4) Add LENGTH column to tcfilters file. + Changes in Shorewall 4.3.11 1) Reduce the number of arguments passed in may cases. diff --git a/Shorewall/configfiles/tcfilters b/Shorewall/configfiles/tcfilters index d8fb44607..450876109 100644 --- a/Shorewall/configfiles/tcfilters +++ b/Shorewall/configfiles/tcfilters @@ -6,6 +6,6 @@ # See http://shorewall.net/traffic_shaping.htm for additional information. # ############################################################################### -#INTERFACE: SOURCE DEST PROTO DEST SOURCE +#INTERFACE: SOURCE DEST PROTO DEST SOURCE LENGTH #CLASS PORT(S) PORT(S) #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 7b4684a76..bdb97821b 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -153,6 +153,14 @@ None. OUT-BANDWIDTH. Maximum delay is 10ms. Maximum packet size is 1500 bytes. +2) Support for ipset bindings has been removed. Jozsef Kadlecsik has + already removed such support from ipset itself. + +3) A LENGTH field has been added to the tcfilters file. The value must + be a numeric power of two between 32 and 8192 inclusive. Packets + with a total length that is strictly less that the specified value + will match the rule. + ---------------------------------------------------------------------------- N E W F E A T U R E S IN 4 . 3 ---------------------------------------------------------------------------- diff --git a/docs/traffic_shaping.xml b/docs/traffic_shaping.xml index 047913bcd..5d36d09b3 100644 --- a/docs/traffic_shaping.xml +++ b/docs/traffic_shaping.xml 
@@ -1662,6 +1662,16 @@ eth0 192.168.1.0/24 206.124.146.179 are supported. + + + LENGTH + + + Must be a power of 2 between 32 and 8192 inclusive. Packets + with a total length that is strictly less than the specified value + will match the rule. + + Example: diff --git a/manpages/shorewall-tcfilters.xml b/manpages/shorewall-tcfilters.xml index 461e8f0c4..2986d261c 100644 --- a/manpages/shorewall-tcfilters.xml +++ b/manpages/shorewall-tcfilters.xml @@ -1,4 +1,6 @@ + shorewall-tcfilters @@ -105,6 +107,17 @@ Source port. + + + LENGTH (Optional) - [-|number] + + + Must be a power of 2 between 32 and 8192 inclusive. Packets + with a total length that is strictly less than the specified + number will match the rule. + + @@ -155,4 +168,4 @@ shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5) - \ No newline at end of file +