Add BROKEN_NEXTHDR configuration option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8302 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-03-17 22:10:11 +00:00
parent d3e94d44c3
commit aead0c60e5
2 changed files with 28 additions and 6 deletions


@ -356,6 +356,7 @@ sub initialize() {
DONT_LOAD => '', DONT_LOAD => '',
BROKEN_ROUTING => '', BROKEN_ROUTING => '',
AUTO_COMMENT => '' , AUTO_COMMENT => '' ,
BROKEN_NEXTHDR => '' ,
# #
# Packet Disposition # Packet Disposition
# #
@ -1904,6 +1905,7 @@ sub get_configuration( $ ) {
default_yes_no 'DELETE_THEN_ADD' , 'Yes'; default_yes_no 'DELETE_THEN_ADD' , 'Yes';
default_yes_no 'BROKEN_ROUTING' , ''; default_yes_no 'BROKEN_ROUTING' , '';
default_yes_no 'AUTO_COMMENT' , 'Yes'; default_yes_no 'AUTO_COMMENT' , 'Yes';
default_yes_no 'BROKEN_NEXTHDR' , '';
default_yes_no 'MULTICAST' , ''; default_yes_no 'MULTICAST' , '';
default_yes_no 'MARK_IN_FORWARD_CHAIN' , ''; default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
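Review bot: The new `default_yes_no 'BROKEN_NEXTHDR' , '';` line introduces a user-facing option with no comment saying what it changes, and nothing else in this commit documents it (only two files are touched, neither a manpage or sample config). From the Tc.pm hunk the option only swaps the tc u32 match location from `nexthdr+N` to a fixed byte offset, so a one-line comment next to the default would suffice: `# Yes/No: when Yes, tc filters match port/ICMP fields at fixed offsets (20/21) instead of 'nexthdr+N'`. The initialize() entry at `BROKEN_NEXTHDR => '' ,` could carry the same note so the two defaults are visibly paired like BROKEN_ROUTING. Both enclosing subs start and end outside these hunks.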


@ -549,11 +549,27 @@ sub process_tc_filter( $$$$$$ ) {
} }
unless ( $port eq '-' ) { unless ( $port eq '-' ) {
fatal_error "Only TCP, UDP and SCTP may specify DEST PORT" fatal_error "Only TCP, UDP, SCTP and ICMP may specify DEST PORT"
unless $protonumber == TCP || $protonumber == UDP || $protonumber == SCTP; unless $protonumber == TCP || $protonumber == UDP || $protonumber == SCTP || $protonumber == ICMP;
my $portnumber = in_hex8 validate_port( $protonumber , $port );
$rule .= "\\\n match u32 $portnumber 0x0000ffff at nexthdr+0"; if ( $protonumber == ICMP ) {
my ( $icmptype , $icmpcode ) = split '//', validate_icmp( $port );
if ( $config{BROKEN_NEXTHDR} ) {
$rule .= "\\\n match u8 $icmptype 0xFF at 20";
$rule .= "\\\n match u8 $icmpcode 0xFF at 21" if defined $icmpcode;
} else {
$rule .= "\\\n match u8 $icmptype 0xFF at nexthdr+0";
$rule .= "\\\n match u8 $icmpcode 0xFF at nexthdr+1" if defined $icmpcode;
}
} else {
my $portnumber = in_hex8 validate_port( $protonumber , $port );
if ( $config{BROKEN_NEXTHDR} ) {
$rule .= "\\\n match u32 $portnumber 0x0000FFFF at 20";
} else {
$rule .= "\\\n match u32 $portnumber 0x0000FFFF at nexthdr+0";
}
}
} }
unless ( $sport eq '-' ) { unless ( $sport eq '-' ) {
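Review bot: `split '//', validate_icmp( $port )` compiles its first argument as the regex `//`, which as far as I can tell matches two consecutive slashes, so a `type/code` value with a single slash would leave `$icmptype` holding the whole string and `$icmpcode` undefined; if validate_icmp returns `type/code` (its return format is not visible here — confirm), the separator should be `split '/', validate_icmp( $port );`. The fixed offsets 20 and 21 in the BROKEN_NEXTHDR branches assume a 20-byte IPv4 header with no options, which deserves a comment such as `# BROKEN_NEXTHDR: fixed offsets past an option-less 20-byte IPv4 header` because a packet carrying IP options is then matched against the wrong bytes. The `if ( $config{BROKEN_NEXTHDR} )` / `else` pair is repeated three times (twice here, once more in the source-port hunk below); computing the offsets once, e.g. `my @at = $config{BROKEN_NEXTHDR} ? ( 20, 21 ) : ( 'nexthdr+0', 'nexthdr+1' );`, would leave a single `$rule .=` per match. process_tc_filter begins before this hunk and continues past it.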
@ -563,13 +579,17 @@ sub process_tc_filter( $$$$$$ ) {
$portnumber =~ s/0x0000/0x/; $portnumber =~ s/0x0000/0x/;
$rule .= "\\\n match u32 ${portnumber}0000 0xffff0000 at nexthdr+0"; if ( $config{BROKEN_NEXTHDR} ) {
$rule .= "\\\n match u32 ${portnumber}0000 0xFFFF0000 at 20";
} else {
$rule .= "\\\n match u32 ${portnumber}0000 0xFFFF0000 at nexthdr+0";
}
} }
emit( "run_tc $rule\\" , emit( "run_tc $rule\\" ,
" flowid $devref->{number}:$class" , " flowid $devref->{number}:$class" ,
'' ); '' );
progress_message " TC Filter \"$currentline\" $done"; progress_message " TC Filter \"$currentline\" $done";
$currentline =~ s/\s+/ /g; $currentline =~ s/\s+/ /g;