Use multiport match in tcrules

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5018 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-11-29 00:38:10 +00:00
parent dbdc85bec6
commit adfa31c8e4
3 changed files with 32 additions and 9 deletions


@ -8,6 +8,8 @@ Changes in 3.3.6
4) Use fwmark tc filter with unknown interfaces. 4) Use fwmark tc filter with unknown interfaces.
5) Use multiport match in tcrules.
Changes in 3.3.5 Changes in 3.3.5
1) Restore default route when there are no 'balance' providers. 1) Restore default route when there are no 'balance' providers.


@ -45,7 +45,7 @@
# #
process_tc_rule() process_tc_rule()
{ {
local did_connmark= local did_connmark= multiport=
chain=$MARKING_CHAIN target="MARK --set-mark" marktest= chain=$MARKING_CHAIN target="MARK --set-mark" marktest=
@ -185,8 +185,6 @@ process_tc_rule()
r="${r}-m tos --tos ${tos} " r="${r}-m tos --tos ${tos} "
fi fi
multiport=
case $proto in case $proto in
ipp2p|IPP2P|ipp2p:*|IPP2P:*) ipp2p|IPP2P|ipp2p:*|IPP2P:*)
do_ipp2p do_ipp2p
@ -199,7 +197,7 @@ process_tc_rule()
[ "x$proto" = "x-" ] && proto=all [ "x$proto" = "x-" ] && proto=all
[ "x$proto" = "x" ] && proto=all [ "x$proto" = "x" ] && proto=all
[ "$proto" = "all" ] || r="${r}-p $proto " [ "$proto" = "all" ] || r="${r}-p $proto "
[ "x$port" = "x-" ] || r="${r}--dport $port " [ "x$port" = "x-" ] || r="${r}$multiport $port "
;; ;;
esac esac
@ -391,16 +389,35 @@ process_tc_rule()
dests=${dests%!*} dests=${dests%!*}
;; ;;
esac esac
#
for source in $(separate_list $sources); do # This isn't as fancy as the code in the rules file processor. It only uses multiport match
for dest in $(separate_list $dests); do # if the extended variety is available and then only on the destination port(s).
for port in $(separate_list ${ports:=-}); do #
if [ -n "$XMULTIPORT" ]; then
#
# Extended Multiport match can handle port ranges
#
multiport="-m multiport --dports"
for source in $(separate_list $sources); do
for dest in $(separate_list $dests); do
port=${ports:=-}
for sport in $(separate_list ${sports:=-}); do for sport in $(separate_list ${sports:=-}); do
add_a_tc_rule add_a_tc_rule
done done
done done
done done
done else
multiport=--dport
for source in $(separate_list $sources); do
for dest in $(separate_list $dests); do
for port in $(separate_list ${ports:=-}); do
for sport in $(separate_list ${sports:=-}); do
add_a_tc_rule
done
done
done
done
fi
progress_message " TC Rule \"$rule\" $DONE" progress_message " TC Rule \"$rule\" $DONE"
save_progress_message_short " TC Rule \\\"$rule\\\" Added" save_progress_message_short " TC Rule \\\"$rule\\\" Added"
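Review bot: The two four-deep loop nests in the last hunk are identical except for how the port list is expanded (`port=${ports:=-}` once versus `for port in $(separate_list ${ports:=-})`), so the `if [ -n "$XMULTIPORT" ]` branch should only pick the match operator and the port list, with a single loop nest underneath; `portlist` would be added to the function's `local did_connmark= multiport=` line in the first hunk. Note also that the multiport branch now hands the whole list to one rule, whereas the `--dport` path emits one rule per port; if the iptables multiport extension's per-rule port limit applies here (ranges presumably count double), a long tcrules port list that previously loaded fine would be rejected at load time, so either split the list into chunks or document the limit in the comment block the hunk adds. process_tc_rule starts and ends outside the hunk.
```shell
if [ -n "$XMULTIPORT" ]; then
  #
  # Extended Multiport match can handle port ranges -- pass the whole list to one rule
  #
  multiport="-m multiport --dports"
  portlist=${ports:=-}
else
  multiport=--dport
  portlist=$(separate_list ${ports:=-})
fi
for source in $(separate_list $sources); do
  for dest in $(separate_list $dests); do
    for port in $portlist; do
      for sport in $(separate_list ${sports:=-}); do
        add_a_tc_rule
      done
    done
  done
done
# … unchanged: progress_message / save_progress_message_short …
```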


@ -59,6 +59,10 @@ Other Changes in 3.3.6
/etc/shorewall/interfaces. This is in preparation for the upcoming /etc/shorewall/interfaces. This is in preparation for the upcoming
change to the way that --physdev-out works in iptables/Netfilter. change to the way that --physdev-out works in iptables/Netfilter.
4) If your kernel and iptables have extended multiport support, then
Shorewall will use that support for the destination port when
generating rules from entries in the /etc/shorewall/tcrules file.
Migration Considerations: Migration Considerations:
1) Shorewall supports the notion of "default actions". A default 1) Shorewall supports the notion of "default actions". A default