Add BROKEN_NEXTHDR configuration option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8302 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2008-03-17 22:10:11 +00:00
parent d3e94d44c3
commit aead0c60e5
2 changed files with 28 additions and 6 deletions

View File

@ -356,6 +356,7 @@ sub initialize() {
DONT_LOAD => '',
BROKEN_ROUTING => '',
AUTO_COMMENT => '' ,
BROKEN_NEXTHDR => '' ,
#
# Packet Disposition
#
@ -1904,6 +1905,7 @@ sub get_configuration( $ ) {
default_yes_no 'DELETE_THEN_ADD' , 'Yes';
default_yes_no 'BROKEN_ROUTING' , '';
default_yes_no 'AUTO_COMMENT' , 'Yes';
default_yes_no 'BROKEN_NEXTHDR' , '';
default_yes_no 'MULTICAST' , '';
default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';

View File

@ -549,11 +549,27 @@ sub process_tc_filter( $$$$$$ ) {
}
unless ( $port eq '-' ) {
fatal_error "Only TCP, UDP and SCTP may specify DEST PORT"
unless $protonumber == TCP || $protonumber == UDP || $protonumber == SCTP;
my $portnumber = in_hex8 validate_port( $protonumber , $port );
fatal_error "Only TCP, UDP, SCTP and ICMP may specify DEST PORT"
unless $protonumber == TCP || $protonumber == UDP || $protonumber == SCTP || $protonumber == ICMP;
$rule .= "\\\n match u32 $portnumber 0x0000ffff at nexthdr+0";
if ( $protonumber == ICMP ) {
my ( $icmptype , $icmpcode ) = split '//', validate_icmp( $port );
if ( $config{BROKEN_NEXTHDR} ) {
$rule .= "\\\n match u8 $icmptype 0xFF at 20";
$rule .= "\\\n match u8 $icmpcode 0xFF at 21" if defined $icmpcode;
} else {
$rule .= "\\\n match u8 $icmptype 0xFF at nexthdr+0";
$rule .= "\\\n match u8 $icmpcode 0xFF at nexthdr+1" if defined $icmpcode;
}
} else {
my $portnumber = in_hex8 validate_port( $protonumber , $port );
if ( $config{BROKEN_NEXTHDR} ) {
$rule .= "\\\n match u32 $portnumber 0x0000FFFF at 20";
} else {
$rule .= "\\\n match u32 $portnumber 0x0000FFFF at nexthdr+0";
}
}
}
unless ( $sport eq '-' ) {
@ -563,7 +579,11 @@ sub process_tc_filter( $$$$$$ ) {
$portnumber =~ s/0x0000/0x/;
$rule .= "\\\n match u32 ${portnumber}0000 0xffff0000 at nexthdr+0";
if ( $config{BROKEN_NEXTHDR} ) {
$rule .= "\\\n match u32 ${portnumber}0000 0xFFFF0000 at 20";
} else {
$rule .= "\\\n match u32 ${portnumber}0000 0xFFFF0000 at nexthdr+0";
}
}
emit( "run_tc $rule\\" ,