Allow TTL to be specified in the SAME action.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2025-01-22 05:28:59 +01:00 · 2015-02-17 19:11:28 -08:00 · 2015-02-17 19:11:28 -08:00 · aff8623a44
commit aff8623a44
parent 361f5af3e0
3 changed files with 17 additions and 5 deletions
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -649,6 +649,7 @@ our %opttype = ( rule          => CONTROL,
 		 simple        => CONTROL,
 		 matches       => CONTROL,
 		 complex       => CONTROL,
+		 t             => CONTROL,

 		 i             => UNIQUE,
 		 s             => UNIQUE,
@ -891,6 +892,8 @@ sub set_rule_option( $$$ ) {
 	    }
 	} elsif ( $opttype == EXCLUSIVE ) {
 	    $ruleref->{$option} .= ",$value";
+	} elsif ( $opttype  == CONTROL ) {
+	    $ruleref->{$option} = $value;
 	} elsif ( $opttype == UNIQUE ) {
 	    #
 	    # Shorewall::Rules::perl_action_tcp_helper() can produce rules that have two -p specifications.
@ -925,7 +928,7 @@ sub transform_rule( $;\$ ) {
 	my $option;
 	my $invert = '';

-	if ( $input =~ s/^(!\s+)?-([psdjgiom])\s+// ) {
+	if ( $input =~ s/^(!\s+)?-([psdjgiomt])\s+// ) {
 	    #
 	    # Normal case of single-character
 	    $invert = '!' if $1;
@ -955,7 +958,7 @@ sub transform_rule( $;\$ ) {

      PARAM:
 	{
-	    while ( $input ne '' && $input !~ /^(?:!|-[psdjgiom])\s/ ) {
+	    while ( $input ne '' && $input !~ /^(?:!|-[psdjgiomt])\s/ ) {
 		last PARAM if $input =~ /^--([^\s]+)/ && $aliases{$1 || '' };
 		$input =~ s/^([^\s]+)\s*//;
 		my $token = $1;
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@ -2049,7 +2049,7 @@ sub handle_stickiness( $ ) {
 			$rule1 = clone_irule( $_ );

 			set_rule_target( $rule1, 'MARK',   "--set-mark $mark" );
-			set_rule_option( $rule1, 'recent', "--name $list --update --seconds 300 --reap" );
+			set_rule_option( $rule1, 'recent', "--name $list --update --seconds $rule1->{t} --reap" );

 			$rule2 = clone_irule( $_ );

@ -2084,7 +2084,7 @@ sub handle_stickiness( $ ) {
 			$rule1 = clone_irule $_;

 			set_rule_target( $rule1, 'MARK',   "--set-mark $mark" );
-			set_rule_option( $rule1, 'recent', " --name $list --rdest --update --seconds 300 --reap" );
+			set_rule_option( $rule1, 'recent', " --name $list --rdest --update --seconds $rule1->{t} --reap" );

 			$rule2 = clone_irule $_;

--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@ -225,6 +225,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
    my  $device         = '';
    our $cmd;
    our $designator;
+    our $ttl            = 0;
    my $fw              = firewall_zone;

    sub handle_mark_param( $$ ) {
@ -587,6 +588,13 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 		$target = ( $chain == OUTPUT ? 'sticko' : 'sticky' );
 		$restriction = DESTIFACE_DISALLOW;
 		ensure_mangle_chain( $target );
+		if (supplied $params) {
+		    $ttl = numeric_value( $params );
+		    fatal_error "The SAME timeout must be positive" unless $ttl;
+		} else {
+		    $ttl = 300;
+		}
+
 		$sticky++;
 	    },
 	},
@ -801,6 +809,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 					 do_dscp( $dscp ) .
 					 state_match( $state ) .
 					 do_time( $time ) .
+					 ( $ttl ? "-t $ttl " : '' ) .
 					 $raw_matches ,
 					 $source ,
 					 $dest ,
@ -858,7 +867,7 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 			       } ,
 		   CONTINUE => { match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
 			       } ,
-		   SAME =>     { match     => sub ( $ ) { $_[0] eq 'SAME' },
+		   SAME =>     { match     => sub ( $ ) { $_[0] =~ /^SAME(?:\(d+\))?$/ },
 			       } ,
 		   IPMARK =>   { match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
 			       } ,