Fix TC match for bridge ports
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3453 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
f628076bae
commit
afcb4aa504
@ -38,6 +38,8 @@ Changes in 3.1.x.
|
||||
18) Fix QUEUE when used in the ESTABLISHED section.
|
||||
|
||||
19) Apply Ed Suominen's patch to tcrules.
|
||||
-------------------------------------------------------------------------------
|
||||
3.1.5
|
||||
|
||||
20) Speed up compilation by rewriting 'fix_bang()'.
|
||||
|
||||
@ -47,8 +49,13 @@ Changes in 3.1.x.
|
||||
|
||||
23) Add compiled-program/library versioning scheme.
|
||||
|
||||
-------------------------------------------------------------------------------
|
||||
3.1.6
|
||||
|
||||
24) Apply Steven Springl's help patch.
|
||||
|
||||
25) Fix 'allow/drop/reject' while Shorewall not running.
|
||||
|
||||
26) Implement bi-directional macros.
|
||||
|
||||
27) Fix TC bridge port handling.
|
||||
|
@ -2835,6 +2835,8 @@ setup_traffic_shaping()
|
||||
case $1 in
|
||||
default|tcp-ack|tos-minimize-delay|tos-maximize-throughput|tos-maximize-reliability|tos-minimize-cost|tos-normal-service)
|
||||
;;
|
||||
tos=0x[0-9a-f][0-9a-f]|tos=0x[0-9a-f][0-9a-f]/0x[0-9a-f][0-9a-f])
|
||||
;;
|
||||
*)
|
||||
echo $1
|
||||
return 1
|
||||
@ -2891,8 +2893,14 @@ setup_traffic_shaping()
|
||||
ratew=$(get_outband_for_dev $device)
|
||||
options=$(separate_list $options | tr '[A-Z]' '[a-z]')
|
||||
for opt in $options; do
|
||||
list_search "$device-$opt" $allopts && fatal_error "option $opt already defined in a chain for interface $device in tcclasses"
|
||||
allopts="$allopts $device-$opt"
|
||||
case opt in
|
||||
tos=*)
|
||||
;;
|
||||
*)
|
||||
list_search "$device-$opt" $allopts && fatal_error "option $opt already defined in a chain for interface $device in tcclasses"
|
||||
allopts="$allopts $device-$opt"
|
||||
;;
|
||||
esac
|
||||
done
|
||||
wrongopt=$(check_tcclasses_options $options) || fatal_error "unknown option $wrongopt for class iface $device mark $mark in tcclasses file"
|
||||
if [ -z "$ratew" ] ; then
|
||||
@ -2917,7 +2925,7 @@ setup_traffic_shaping()
|
||||
}
|
||||
|
||||
add_tc_class() {
|
||||
local full classid
|
||||
local full classid tospair tosmask
|
||||
full=$(get_outband_for_dev $device)
|
||||
full=$(rate_to_kbit $full)
|
||||
|
||||
@ -2948,7 +2956,7 @@ setup_traffic_shaping()
|
||||
run_tc qdisc add dev $device parent $classid handle 1$mark: sfq perturb 10
|
||||
# add filters
|
||||
if [ -n "$CLASSIFY_TARGET" ]; then
|
||||
run_iptables -t mangle -A tcpost -o $device -m mark --mark $mark -j CLASSIFY --set-class $classid
|
||||
run_iptables -t mangle -A tcpost $(match_dest_dev $device) -m mark --mark $mark -j CLASSIFY --set-class $classid
|
||||
else
|
||||
run_tc filter add dev $device protocol ip parent $devnum:0 prio 1 handle $mark fw classid $classid
|
||||
fi
|
||||
@ -2959,7 +2967,18 @@ setup_traffic_shaping()
|
||||
list_search "tos-maximize-throughput" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x08 0x08 flowid $classid
|
||||
list_search "tos-minimize-reliability" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x04 0x04 flowid $classid
|
||||
list_search "tos-normal-service" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x00 0x1e flowid $classid
|
||||
# tcp
|
||||
|
||||
for tospair in $(list_walk "tos=" $options) ; do
|
||||
case $tospair in
|
||||
*/*)
|
||||
tosmask=${tospair##*/}
|
||||
;;
|
||||
*)
|
||||
tosmask=0xff
|
||||
;;
|
||||
esac
|
||||
run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos ${tospair%%/*} $tosmask flowid $classid
|
||||
done
|
||||
}
|
||||
|
||||
strip_file tcdevices $devfile
|
||||
|
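Review bot: The new duplicate-option check is written as `case opt in`, which tests the literal word `opt` rather than the loop variable, so the `tos=*)` arm can never match and every option, `tos=` values included, still falls into the `*)` arm and the `list_search` duplicate check. It should read `case $opt in`. The identical hunk in the second script section (`@ -1704,8 +1706,14`) carries the same typo. Separately, the context line that looks up `tos-minimize-reliability` can never fire, because the validator in the first hunk accepts only `tos-maximize-reliability`; one of the two spellings should be changed. The body of setup_traffic_shaping begins and ends outside these hunks.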
@ -1648,6 +1648,8 @@ setup_traffic_shaping()
|
||||
case $1 in
|
||||
default|tcp-ack|tos-minimize-delay|tos-maximize-throughput|tos-maximize-reliability|tos-minimize-cost|tos-normal-service)
|
||||
;;
|
||||
tos=0x[0-9a-f][0-9a-f]|tos=0x[0-9a-f][0-9a-f]/0x[0-9a-f][0-9a-f])
|
||||
;;
|
||||
*)
|
||||
echo $1
|
||||
return 1
|
||||
@ -1704,8 +1706,14 @@ setup_traffic_shaping()
|
||||
ratew=$(get_outband_for_dev $device)
|
||||
options=$(separate_list $options | tr '[A-Z]' '[a-z]')
|
||||
for opt in $options; do
|
||||
list_search "$device-$opt" $allopts && fatal_error "option $opt already defined in a chain for interface $device in tcclasses"
|
||||
allopts="$allopts $device-$opt"
|
||||
case opt in
|
||||
tos=*)
|
||||
;;
|
||||
*)
|
||||
list_search "$device-$opt" $allopts && fatal_error "option $opt already defined in a chain for interface $device in tcclasses"
|
||||
allopts="$allopts $device-$opt"
|
||||
;;
|
||||
esac
|
||||
done
|
||||
wrongopt=$(check_tcclasses_options $options) || fatal_error "unknown option $wrongopt for class iface $device mark $mark in tcclasses file"
|
||||
if [ -z "$ratew" ] ; then
|
||||
@ -1730,7 +1738,7 @@ setup_traffic_shaping()
|
||||
}
|
||||
|
||||
add_tc_class() {
|
||||
local full classid
|
||||
local full classid tospair tosmask
|
||||
full=$(get_outband_for_dev $device)
|
||||
full=$(rate_to_kbit $full)
|
||||
|
||||
@ -1761,7 +1769,7 @@ setup_traffic_shaping()
|
||||
run_tc qdisc add dev $device parent $classid handle 1$mark: sfq perturb 10
|
||||
# add filters
|
||||
if [ -n "$CLASSIFY_TARGET" ]; then
|
||||
run_iptables -t mangle -A tcpost -o $device -m mark --mark $mark -j CLASSIFY --set-class $classid
|
||||
run_iptables -t mangle -A tcpost $(match_dest_dev $device) -m mark --mark $mark -j CLASSIFY --set-class $classid
|
||||
else
|
||||
run_tc filter add dev $device protocol ip parent $devnum:0 prio 1 handle $mark fw classid $classid
|
||||
fi
|
||||
@ -1772,7 +1780,18 @@ setup_traffic_shaping()
|
||||
list_search "tos-maximize-throughput" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x08 0x08 flowid $classid
|
||||
list_search "tos-minimize-reliability" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x04 0x04 flowid $classid
|
||||
list_search "tos-normal-service" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x00 0x1e flowid $classid
|
||||
# tcp
|
||||
|
||||
for tospair in $(list_walk "tos=" $options) ; do
|
||||
case $tospair in
|
||||
*/*)
|
||||
tosmask=${tospair##*/}
|
||||
;;
|
||||
*)
|
||||
tosmask=0xff
|
||||
;;
|
||||
esac
|
||||
run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos ${tospair%%/*} $tosmask flowid $classid
|
||||
done
|
||||
}
|
||||
|
||||
strip_file tcdevices $devfile
|
||||
|
@ -49,6 +49,24 @@ list_search() # $1 = element to search for , $2-$n = list
|
||||
return 1
|
||||
}
|
||||
|
||||
#
|
||||
# Return a space separated list of values matching
|
||||
#
|
||||
list_walk() # $1 = element to search for, $2-$n = list
|
||||
{
|
||||
local e=$1 result=
|
||||
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
case $1 in
|
||||
$e*)
|
||||
result="$result ${1##$e}"
|
||||
;;
|
||||
esac
|
||||
done
|
||||
echo $result
|
||||
}
|
||||
|
||||
#
|
||||
# Functions to count list elements
|
||||
# - - - - - - - - - - - - - - - -
|
||||
|
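Review bot: `list_walk` expands `$e` unquoted in both `$e*)` and `${1##$e}`, so the prefix is treated as a shell pattern rather than as a literal string. The only caller visible on this page passes `tos=`, which is harmless, but a prefix containing `*`, `?` or `[` would match more than intended. Quoting it, as in `"$e"*)` and `result="$result ${1##"$e"}"`, keeps the match literal. The header comment is also incomplete; something like `# Return a space separated list of the elements that begin with $1, with that prefix removed` would describe what the function actually echoes.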
@ -35,6 +35,9 @@ Problems Corrected in 3.1.6
|
||||
2) The 'allow', 'drop' and 'reject' commands no longer produce iptables
|
||||
errors when executed while Shorewall is not started.
|
||||
|
||||
3) Shorewall now correctly handles devices in /etc/shorewall/tcdevices that
|
||||
are actually bridge ports.
|
||||
|
||||
Other changes in 3.1.6
|
||||
|
||||
1) In macro files, you can now use the reserved words SOURCE and DEST
|
||||
|