Add an SPORT column to the tcpri file

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2020-07-09 13:34:55 -07:00
parent 381a0ad8aa
commit ac221348c0
5 changed files with 84 additions and 32 deletions


@ -1646,8 +1646,8 @@ sub process_tcfilters() {
# #
# Process a tcpri record # Process a tcpri record
# #
sub process_tc_priority1( $$$$$$ ) { sub process_tc_priority1( $$$$$$$ ) {
my ( $band, $proto, $ports , $address, $interface, $helper ) = @_; my ( $band, $proto, $dports , $sports, $address, $interface, $helper ) = @_;
my $val = numeric_value $band; my $val = numeric_value $band;
@ -1658,7 +1658,7 @@ sub process_tc_priority1( $$$$$$ ) {
$rule .= join('', '/', in_hex( $globals{TC_MASK} ) ) if have_capability( 'EXMARK' ); $rule .= join('', '/', in_hex( $globals{TC_MASK} ) ) if have_capability( 'EXMARK' );
if ( $interface ne '-' ) { if ( $interface ne '-' ) {
fatal_error "Invalid combination of columns" unless $address eq '-' && $proto eq '-' && $ports eq '-'; fatal_error "Invalid combination of columns" unless $address eq '-' && $proto eq '-' && $dports eq '-' && $sports eq '-';
my $forwardref = $mangle_table->{tcfor}; my $forwardref = $mangle_table->{tcfor};
@ -1669,41 +1669,57 @@ sub process_tc_priority1( $$$$$$ ) {
my $postref = $mangle_table->{tcpost}; my $postref = $mangle_table->{tcpost};
if ( $address ne '-' ) { if ( $address ne '-' ) {
fatal_error "Invalid combination of columns" unless $proto eq '-' && $ports eq '-'; fatal_error "Invalid combination of columns" unless $proto eq '-' && $dports eq '-' && $sports eq '-';
add_rule( $postref , add_rule( $postref ,
join( '', match_source_net( $address) , $rule ) , join( '', match_source_net( $address) , $rule ) ,
1 ); 1 );
} else { } else {
add_rule( $postref , add_rule( $postref ,
join( '', do_proto( $proto, $ports, '-' , 0 ) , $rule ) , join( '', do_proto( $proto, $dports, $sports , 0 ) , $rule ) ,
1 ); 1 );
if ( $ports ne '-' ) { if ( $dports ne '-' ) {
my $protocol = resolve_proto $proto; my $protocol = resolve_proto $proto;
if ( $proto =~ /^ipp2p/ ) { if ( $proto =~ /^ipp2p/ ) {
fatal_error "ipp2p may not be used when there are tracked providers and PROVIDER_OFFSET=0" if @routemarked_interfaces && $config{PROVIDER_OFFSET} == 0; fatal_error "ipp2p may not be used when there are tracked providers and PROVIDER_OFFSET=0" if @routemarked_interfaces && $config{PROVIDER_OFFSET} == 0;
$ipp2p = 1; $ipp2p = 1;
} elsif ( $file_format == 1 ) {
add_rule( $postref ,
join( '' , do_proto( $proto, '-', $dports, 0 ) , $rule ) ,
1 )
unless $proto =~ /^ipp2p/ || $protocol == ICMP || $protocol == IPv6_ICMP;
} }
add_rule( $postref ,
join( '' , do_proto( $proto, '-', $ports, 0 ) , $rule ) ,
1 )
unless $proto =~ /^ipp2p/ || $protocol == ICMP || $protocol == IPv6_ICMP;
} }
} }
} }
} }
sub process_tc_priority() { sub process_tc_priority() {
my ( $band, $protos, $ports , $address, $interface, $helper ) = my ( $band, $protos, $dports , $sports, $address, $interface, $helper );
split_line1( 'tcpri',
{ band => 0, proto => 1, port => 2, address => 3, interface => 4, helper => 5 } ); if ( $file_format == 1 ) {
( $band, $protos, $dports , $address, $interface, $helper ) =
split_line2( 'tcpri',
{ band => 0, proto => 1, port => 2, dport => 2, address => 3, interface => 4, helper => 5 },
{},
6,
1 );
$sports = '-';
} else {
( $band, $protos, $dports , $sports, $address, $interface, $helper ) =
split_line2( 'tcpri',
{ band => 0, proto => 1, port => 2, dport => 2, sport => 3, address => 4, interface => 5, helper => 6 },
{},
7,
1 );
};
fatal_error 'BAND must be specified' if $band eq '-'; fatal_error 'BAND must be specified' if $band eq '-';
fatal_error "Invalid tcpri entry" if ( $protos eq '-' && fatal_error "Invalid tcpri entry" if ( $protos eq '-' &&
$ports eq '-' && $dports eq '-' &&
$sports eq '-' &&
$address eq '-' && $address eq '-' &&
$interface eq '-' && $interface eq '-' &&
$helper eq '-' ); $helper eq '-' );
@ -1713,7 +1729,7 @@ sub process_tc_priority() {
fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3; fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3;
for my $proto ( split_list $protos, 'Protocol' ) { for my $proto ( split_list $protos, 'Protocol' ) {
process_tc_priority1( $band, $proto, $ports , $address, $interface, $helper ); process_tc_priority1( $band, $proto, $dports , $sports, $address, $interface, $helper );
} }
} }
@ -1735,7 +1751,7 @@ sub process_tcinterfaces() {
# #
sub process_tcpri() { sub process_tcpri() {
my $fn = find_file 'tcinterfaces'; my $fn = find_file 'tcinterfaces';
my $fn1 = open_file 'tcpri', 1,1; my $fn1 = open_file 'tcpri', 2,1,0,1;
if ( $fn1 ) { if ( $fn1 ) {
first_entry first_entry
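Review bot: In the new `elsif ( $file_format == 1 )` branch of process_tc_priority1 the trailing guard `unless $proto =~ /^ipp2p/ || $protocol == ICMP || $protocol == IPv6_ICMP;` still tests for ipp2p, but that branch is only entered when the preceding `if ( $proto =~ /^ipp2p/ )` was false, so the first disjunct is dead; `unless $protocol == ICMP || $protocol == IPv6_ICMP;` states what is actually checked. Note also that the PROVIDER_OFFSET check and `$ipp2p = 1` stay inside `if ( $dports ne '-' )`, so a format-2 entry that gives only SPORT with an ipp2p PROTO never reaches them — presumably do_proto rejects that combination, but that is worth confirming since the compiler would otherwise emit a rule it used to refuse. In process_tc_priority the `};` closing the new if/else leaves a bare `;` after the block; `}` alone is the idiom. process_tc_priority1 starts before this section's second hunk and process_tcpri continues past the last one.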


@ -6,5 +6,6 @@
# See https://shorewall.org/simple_traffic_shaping.htm for additional # See https://shorewall.org/simple_traffic_shaping.htm for additional
# information. # information.
# #
?FORMAT 2
############################################################################### ###############################################################################
#BAND PROTO PORT ADDRESS INTERFACE HELPER #BAND PROTO DPORT SPORT ADDRESS INTERFACE HELPER


@ -27,8 +27,11 @@
<para>This file is used to specify the priority of traffic for simple <para>This file is used to specify the priority of traffic for simple
traffic shaping (TC_ENABLED=Simple in <ulink traffic shaping (TC_ENABLED=Simple in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5)). The url="shorewall.conf.html">shorewall.conf</ulink>(5)). Beginning with
priority band of each packet is determined by the <emphasis Shorewall 5.2.7, the file allows ?FORMAT 2 which inserts a SPORT column
immediately to the right of the DPORT column.</para>
<para>The priority band of each packet is determined by the <emphasis
role="bold">last</emphasis> entry that the packet matches. If a packet role="bold">last</emphasis> entry that the packet matches. If a packet
doesn't match any entry in this file, then its priority will be determined doesn't match any entry in this file, then its priority will be determined
by its TOS field. The default mapping is as follows but can be changed by by its TOS field. The default mapping is as follows but can be changed by
@ -87,15 +90,36 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>PORT(S) - <replaceable>port</replaceable> [,...]</term> <term>DPORT - <replaceable>port</replaceable> [,...]</term>
<listitem> <listitem>
<para>This column was named PORT prior to Shorewall 5.2.7. Both
'port' and 'dport' may be used in the <ulink
url="../configuration_file_basics.htm#Pairs">alternate input
format</ulink>.</para>
<para>Optional. May only be given if the the PROTO is TCP (6), UDP <para>Optional. May only be given if the the PROTO is TCP (6), UDP
(17), DCCP (33), SCTP (132) or UDPLITE (136). A list of one or more (17), DCCP (33), SCTP (132) or UDPLITE (136). A list of one or more
port numbers or service names from /etc/services. Port ranges of the port numbers or service names from /etc/services. Port ranges of the
form form
<replaceable>lowport</replaceable>:<replaceable>highport</replaceable> <replaceable>lowport</replaceable>:<replaceable>highport</replaceable>
may also be included.</para> may also be included. In format 1, packets whose source or
destination port matches the specified
<replaceable>port</replaceable>(s) are assigned to the band given in
the BAND column.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SPORT - <replaceable>port</replaceable> [,...]</term>
<listitem>
<para>Only present in file format 2. Optional. May only be given if
the the PROTO is TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE
(136). A list of one or more port numbers or service names from
/etc/services. Port ranges of the form
<replaceable>lowport</replaceable>:<replaceable>highport</replaceable>
may also be included. </para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -7,4 +7,4 @@
# information. # information.
# #
############################################################################### ###############################################################################
#BAND PROTO PORT ADDRESS INTERFACE HELPER #BAND PROTO DPORT SPORT ADDRESS INTERFACE HELPER


@ -187,8 +187,9 @@ eth0 External</programlisting>
<para>Assign traffic entering the firewall on a particular interface <para>Assign traffic entering the firewall on a particular interface
to a specific priority band:</para> to a specific priority band:</para>
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER <programlisting>?FORMAT 2
2 - - - eth1</programlisting> #BAND PROTO DPORT SPORT ADDRESS INTERFACE HELPER
2 - - - - eth1</programlisting>
<para>In this example, traffic from eth1 will be assigned to priority <para>In this example, traffic from eth1 will be assigned to priority
band 2.</para> band 2.</para>
@ -203,15 +204,17 @@ eth0 External</programlisting>
<para>Assign traffic from a particular IP address to a specific <para>Assign traffic from a particular IP address to a specific
priority band:</para> priority band:</para>
<programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER <programlisting>?FORMAT 2
1 - - 192.168.1.44</programlisting> #BAND PROTO DPORT SPORT ADDRESS INTERFACE HELPER
1 - - - 192.168.1.44</programlisting>
<para>In this example, traffic from 192.168.1.44 will be assigned to <para>In this example, traffic from 192.168.1.44 will be assigned to
priority band 1.</para> priority band 1.</para>
<note> <note>
<para>When an ADDRESS is specified, the PROTO, DPORT and INTERFACE <para>When an ADDRESS is specified, the PROTO, DPORT, SPORT and
columns must be empty.</para> INTERFACE columns must be empty.</para>
</note> </note>
</listitem> </listitem>
@ -219,11 +222,19 @@ eth0 External</programlisting>
<para>Assign traffic to/from a particular application to a specific <para>Assign traffic to/from a particular application to a specific
priority band:</para> priority band:</para>
<programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER <programlisting>#BAND PROTO PORT ADDRESS INTERFACE HELPER
1 udp 1194</programlisting> 1 udp 1194</programlisting>
<para>In that example, OpenVPN traffic is assigned to priority band <para>In that example, SSH traffic is assigned to priority band 1. In
1.</para> file format 2, the above would be as follows:</para>
<programlisting>#BAND PROTO DPORT SPORT ADDRESS INTERFACE HELPER
1 tcp 22
1 tcp - 22</programlisting>
<para>In other words, in file format 1, the compiler generates rules
for traffic from client to server and from server to client. In format
2, separate tcpri rules are required.</para>
</listitem> </listitem>
<listitem> <listitem>