Fix TC match for bridge ports

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3453 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-02-08 22:33:13 +00:00
parent f628076bae
commit afcb4aa504
5 changed files with 76 additions and 10 deletions


@ -38,6 +38,8 @@ Changes in 3.1.x.
18) Fix QUEUE when used in the ESTABLISHED section. 18) Fix QUEUE when used in the ESTABLISHED section.
19) Apply Ed Suominen's patch to tcrules. 19) Apply Ed Suominen's patch to tcrules.
-------------------------------------------------------------------------------
3.1.5
20) Speed up compilation by rewriting 'fix_bang()'. 20) Speed up compilation by rewriting 'fix_bang()'.
@ -47,8 +49,13 @@ Changes in 3.1.x.
23) Add compiled-program/library versioning scheme. 23) Add compiled-program/library versioning scheme.
-------------------------------------------------------------------------------
3.1.6
24) Apply Steven Springl's help patch. 24) Apply Steven Springl's help patch.
25) Fix 'allow/drop/reject' while Shorewall not running. 25) Fix 'allow/drop/reject' while Shorewall not running.
26) Implement bi-directional macros. 26) Implement bi-directional macros.
27) Fix TC bridge port handling.


@ -2835,6 +2835,8 @@ setup_traffic_shaping()
case $1 in case $1 in
default|tcp-ack|tos-minimize-delay|tos-maximize-throughput|tos-maximize-reliability|tos-minimize-cost|tos-normal-service) default|tcp-ack|tos-minimize-delay|tos-maximize-throughput|tos-maximize-reliability|tos-minimize-cost|tos-normal-service)
;; ;;
tos=0x[0-9a-f][0-9a-f]|tos=0x[0-9a-f][0-9a-f]/0x[0-9a-f][0-9a-f])
;;
*) *)
echo $1 echo $1
return 1 return 1
@ -2891,8 +2893,14 @@ setup_traffic_shaping()
ratew=$(get_outband_for_dev $device) ratew=$(get_outband_for_dev $device)
options=$(separate_list $options | tr '[A-Z]' '[a-z]') options=$(separate_list $options | tr '[A-Z]' '[a-z]')
for opt in $options; do for opt in $options; do
list_search "$device-$opt" $allopts && fatal_error "option $opt already defined in a chain for interface $device in tcclasses" case opt in
allopts="$allopts $device-$opt" tos=*)
;;
*)
list_search "$device-$opt" $allopts && fatal_error "option $opt already defined in a chain for interface $device in tcclasses"
allopts="$allopts $device-$opt"
;;
esac
done done
wrongopt=$(check_tcclasses_options $options) || fatal_error "unknown option $wrongopt for class iface $device mark $mark in tcclasses file" wrongopt=$(check_tcclasses_options $options) || fatal_error "unknown option $wrongopt for class iface $device mark $mark in tcclasses file"
if [ -z "$ratew" ] ; then if [ -z "$ratew" ] ; then
@ -2917,7 +2925,7 @@ setup_traffic_shaping()
} }
add_tc_class() { add_tc_class() {
local full classid local full classid tospair tosmask
full=$(get_outband_for_dev $device) full=$(get_outband_for_dev $device)
full=$(rate_to_kbit $full) full=$(rate_to_kbit $full)
@ -2948,7 +2956,7 @@ setup_traffic_shaping()
run_tc qdisc add dev $device parent $classid handle 1$mark: sfq perturb 10 run_tc qdisc add dev $device parent $classid handle 1$mark: sfq perturb 10
# add filters # add filters
if [ -n "$CLASSIFY_TARGET" ]; then if [ -n "$CLASSIFY_TARGET" ]; then
run_iptables -t mangle -A tcpost -o $device -m mark --mark $mark -j CLASSIFY --set-class $classid run_iptables -t mangle -A tcpost $(match_dest_dev $device) -m mark --mark $mark -j CLASSIFY --set-class $classid
else else
run_tc filter add dev $device protocol ip parent $devnum:0 prio 1 handle $mark fw classid $classid run_tc filter add dev $device protocol ip parent $devnum:0 prio 1 handle $mark fw classid $classid
fi fi
@ -2959,7 +2967,18 @@ setup_traffic_shaping()
list_search "tos-maximize-throughput" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x08 0x08 flowid $classid list_search "tos-maximize-throughput" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x08 0x08 flowid $classid
list_search "tos-minimize-reliability" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x04 0x04 flowid $classid list_search "tos-minimize-reliability" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x04 0x04 flowid $classid
list_search "tos-normal-service" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x00 0x1e flowid $classid list_search "tos-normal-service" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x00 0x1e flowid $classid
# tcp
for tospair in $(list_walk "tos=" $options) ; do
case $tospair in
*/*)
tosmask=${tospair##*/}
;;
*)
tosmask=0xff
;;
esac
run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos ${tospair%%/*} $tosmask flowid $classid
done
} }
strip_file tcdevices $devfile strip_file tcdevices $devfile
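Review bot: The new `case opt in` at the top of the option loop (hunk `@ -2891,8 +2893,14`) matches the literal word `opt` rather than the option value, so the `tos=*` arm can never fire and every `tos=` option still goes through `list_search`/`allopts` exactly as before; the line should read `case $opt in`. Presumably the intent is to let several `tos=value[/mask]` entries share an interface without tripping the duplicate check, which this hunk does not yet achieve. The same line appears in the second file's hunk `@ -1704,8 +1706,14`. The enclosing function setup_traffic_shaping starts and ends outside this hunk.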


@ -1648,6 +1648,8 @@ setup_traffic_shaping()
case $1 in case $1 in
default|tcp-ack|tos-minimize-delay|tos-maximize-throughput|tos-maximize-reliability|tos-minimize-cost|tos-normal-service) default|tcp-ack|tos-minimize-delay|tos-maximize-throughput|tos-maximize-reliability|tos-minimize-cost|tos-normal-service)
;; ;;
tos=0x[0-9a-f][0-9a-f]|tos=0x[0-9a-f][0-9a-f]/0x[0-9a-f][0-9a-f])
;;
*) *)
echo $1 echo $1
return 1 return 1
@ -1704,8 +1706,14 @@ setup_traffic_shaping()
ratew=$(get_outband_for_dev $device) ratew=$(get_outband_for_dev $device)
options=$(separate_list $options | tr '[A-Z]' '[a-z]') options=$(separate_list $options | tr '[A-Z]' '[a-z]')
for opt in $options; do for opt in $options; do
list_search "$device-$opt" $allopts && fatal_error "option $opt already defined in a chain for interface $device in tcclasses" case opt in
allopts="$allopts $device-$opt" tos=*)
;;
*)
list_search "$device-$opt" $allopts && fatal_error "option $opt already defined in a chain for interface $device in tcclasses"
allopts="$allopts $device-$opt"
;;
esac
done done
wrongopt=$(check_tcclasses_options $options) || fatal_error "unknown option $wrongopt for class iface $device mark $mark in tcclasses file" wrongopt=$(check_tcclasses_options $options) || fatal_error "unknown option $wrongopt for class iface $device mark $mark in tcclasses file"
if [ -z "$ratew" ] ; then if [ -z "$ratew" ] ; then
@ -1730,7 +1738,7 @@ setup_traffic_shaping()
} }
add_tc_class() { add_tc_class() {
local full classid local full classid tospair tosmask
full=$(get_outband_for_dev $device) full=$(get_outband_for_dev $device)
full=$(rate_to_kbit $full) full=$(rate_to_kbit $full)
@ -1761,7 +1769,7 @@ setup_traffic_shaping()
run_tc qdisc add dev $device parent $classid handle 1$mark: sfq perturb 10 run_tc qdisc add dev $device parent $classid handle 1$mark: sfq perturb 10
# add filters # add filters
if [ -n "$CLASSIFY_TARGET" ]; then if [ -n "$CLASSIFY_TARGET" ]; then
run_iptables -t mangle -A tcpost -o $device -m mark --mark $mark -j CLASSIFY --set-class $classid run_iptables -t mangle -A tcpost $(match_dest_dev $device) -m mark --mark $mark -j CLASSIFY --set-class $classid
else else
run_tc filter add dev $device protocol ip parent $devnum:0 prio 1 handle $mark fw classid $classid run_tc filter add dev $device protocol ip parent $devnum:0 prio 1 handle $mark fw classid $classid
fi fi
@ -1772,7 +1780,18 @@ setup_traffic_shaping()
list_search "tos-maximize-throughput" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x08 0x08 flowid $classid list_search "tos-maximize-throughput" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x08 0x08 flowid $classid
list_search "tos-minimize-reliability" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x04 0x04 flowid $classid list_search "tos-minimize-reliability" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x04 0x04 flowid $classid
list_search "tos-normal-service" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x00 0x1e flowid $classid list_search "tos-normal-service" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x00 0x1e flowid $classid
# tcp
for tospair in $(list_walk "tos=" $options) ; do
case $tospair in
*/*)
tosmask=${tospair##*/}
;;
*)
tosmask=0xff
;;
esac
run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos ${tospair%%/*} $tosmask flowid $classid
done
} }
strip_file tcdevices $devfile strip_file tcdevices $devfile
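Review bot: The comment `# tcp` added above the new `for tospair in $(list_walk "tos=" $options)` loop (hunk `@ -1772,7 +1780,18`) does not describe what follows, which installs one u32 ToS filter per `tos=value[/mask]` option; `# tos=value[/mask] options` would be accurate. A short comment on the `tosmask=0xff` default, such as `# no mask given: match the whole ToS byte`, would also spare the reader a trip to the tc manual. The same `# tcp` comment appears in the first file's hunk `@ -2959,7 +2967,18`. The enclosing function add_tc_class starts outside this hunk.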


@ -49,6 +49,24 @@ list_search() # $1 = element to search for , $2-$n = list
return 1 return 1
} }
#
# Return a space separated list of values matching
#
list_walk() # $1 = element to search for, $2-$n = list
{
local e=$1 result=
while [ $# -gt 1 ]; do
shift
case $1 in
$e*)
result="$result ${1##$e}"
;;
esac
done
echo $result
}
# #
# Functions to count list elements # Functions to count list elements
# - - - - - - - - - - - - - - - - # - - - - - - - - - - - - - - - -
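Review bot: The header comment on the new list_walk does not say what the function returns; suggest `# Return a space separated list of the elements of $2-$n that begin with $1, with that prefix removed`. It is also worth noting in a comment that `$e` is used unquoted in both the `case` pattern `$e*)` and the expansion `${1##$e}`, so the prefix is interpreted as a shell pattern rather than a literal string — harmless for the only prefix passed here (`tos=`), but a future caller passing a prefix containing `*`, `?` or `[` would get pattern matching. The leading space accumulated in `$result` is dropped only because `echo $result` is unquoted, which the caller's `for ... in $(list_walk ...)` relies on.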


@ -35,6 +35,9 @@ Problems Corrected in 3.1.6
2) The 'allow', 'drop' and 'reject' commands no longer produce iptables 2) The 'allow', 'drop' and 'reject' commands no longer produce iptables
errors when executed while Shorewall is not started. errors when executed while Shorewall is not started.
3) Shorewall now correctly handles devices in /etc/shorewall/tcdevices that
are actually bridge ports.
Other changes in 3.1.6 Other changes in 3.1.6
1) In macro files, you can now use the reserved words SOURCE and DEST 1) In macro files, you can now use the reserved words SOURCE and DEST