Update docs and implementation of SECMARK

This commit is contained in:
Tom Eastep 2010-09-04 16:08:29 -07:00
parent 28ff3548ff
commit b139ff7e90
4 changed files with 53 additions and 25 deletions


@ -165,6 +165,7 @@ our %tcclasses;
our %restrictions = ( tcpre => PREROUTE_RESTRICT , our %restrictions = ( tcpre => PREROUTE_RESTRICT ,
tcpost => POSTROUTE_RESTRICT , tcpost => POSTROUTE_RESTRICT ,
tcfor => NO_RESTRICT , tcfor => NO_RESTRICT ,
tcin => INPUT_RESTRICT ,
tcout => OUTPUT_RESTRICT ); tcout => OUTPUT_RESTRICT );
our $family; our $family;
@ -1374,13 +1375,13 @@ sub setup_traffic_shaping() {
sub process_secmark_rule() { sub process_secmark_rule() {
my ( $secmark, $chain, $source, $dest, $proto, $dport, $sport, $mark ) = split_line( 2, 8 , 'Secmarks file' ); my ( $secmark, $chain, $source, $dest, $proto, $dport, $sport, $mark ) = split_line( 2, 8 , 'Secmarks file' );
my %chns = ( T => [ 'tcpost' , POSTROUTE_RESTRICT ] , my %chns = ( T => 'tcpost' ,
P => [ 'tcpre' , PREROUTE_RESTRICT ] , P => 'tcpre' ,
F => [ 'forward' , NO_RESTRICT ] , F => 'forward' ,
I => [ 'tcin' , , INPUT_RESTRICT ] , I => 'tcin' ,
O => [ 'tcout' , , OUTPUT_RESTRICT ] ); O => 'tcout' , );
my ( $chain1 , $restriction ) = @{$chns{$chain}}; my $chain1= $chns{$chain};
fatal_error "Invalid or missing CHAIN ( $chain )" unless $chain1; fatal_error "Invalid or missing CHAIN ( $chain )" unless $chain1;
@ -1393,7 +1394,7 @@ sub process_secmark_rule() {
$disposition =~ s/ .*//; $disposition =~ s/ .*//;
expand_rule( ensure_mangle_chain( $chain1 ) , expand_rule( ensure_mangle_chain( $chain1 ) ,
$restriction, $restrictions{$chain1} ,
do_proto( $proto, $dport, $sport ) . do_proto( $proto, $dport, $sport ) .
do_test( $mark, $globals{TC_MASK} ) , do_test( $mark, $globals{TC_MASK} ) ,
$source , $source ,
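Review bot: The restriction lookup in the third hunk, `$restrictions{$chain1}`, misses for the F designator: the second hunk maps `F => 'forward'` while the `%restrictions` hash in the first hunk is keyed `tcfor` (alongside tcpre, tcpost, tcin and tcout), so the F case now passes undef where the removed code passed NO_RESTRICT explicitly. If NO_RESTRICT happens to be zero the emitted rule may come out the same, but under `use warnings` every forward secmark rule will raise an uninitialized-value warning, and whatever restriction check expand_rule applies presumably no longer runs for that chain. Since `$chain1` also feeds `ensure_mangle_chain`, either the forward mangle chain really is named `forward` and `%restrictions` needs a `forward => NO_RESTRICT ,` entry, or the map entry should read `F => 'tcfor' ,` to match the existing key; the hunk does not show which is intended. The expand_rule call and the rest of process_secmark_rule continue past the end of the hunk.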


@ -172,6 +172,9 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
See the shorewall-secmarks and shorewall6-secmarks manpages for See the shorewall-secmarks and shorewall6-secmarks manpages for
details. details.
As part of this change, the tcrules file now accepts chain
designators 'I' and 'CI' for marking packets in the input chain.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S I V. R E L E A S E 4 . 4 H I G H L I G H T S
---------------------------------------------------------------------------- ----------------------------------------------------------------------------


@ -58,7 +58,8 @@
role="bold">:</emphasis>{<emphasis role="bold">C</emphasis>|<emphasis role="bold">:</emphasis>{<emphasis role="bold">C</emphasis>|<emphasis
role="bold">F</emphasis>|<emphasis role="bold">P</emphasis>|<emphasis role="bold">F</emphasis>|<emphasis role="bold">P</emphasis>|<emphasis
role="bold">T</emphasis>|<emphasis role="bold">CF</emphasis>|<emphasis role="bold">T</emphasis>|<emphasis role="bold">CF</emphasis>|<emphasis
role="bold">CP</emphasis>|<emphasis role="bold">CT</emphasis>}]</term> role="bold">CP</emphasis>|<emphasis
role="bold">CT</emphasis>|I:CI}]</term>
<listitem> <listitem>
<para>May assume one of the following values.</para> <para>May assume one of the following values.</para>
@ -83,12 +84,14 @@
or <emphasis role="bold">:T</emphasis> where<emphasis or <emphasis role="bold">:T</emphasis> where<emphasis
role="bold"> :P</emphasis> indicates that marking should occur role="bold"> :P</emphasis> indicates that marking should occur
in the PREROUTING chain, <emphasis role="bold">:F</emphasis> in the PREROUTING chain, <emphasis role="bold">:F</emphasis>
indicates that marking should occur in the FORWARD chain and indicates that marking should occur in the FORWARD chain, :I
<emphasis role="bold">:T</emphasis> indicates that marking indicates that marking should occur in the INPUT chain (added in
should occur in the POSTROUTING chain. If neither <emphasis Shorewall 4.4.13), and <emphasis role="bold">:T</emphasis>
role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis> indicates that marking should occur in the POSTROUTING chain. If
nor <emphasis role="bold">:T</emphasis> follow the mark value neither <emphasis role="bold">:P</emphasis>, <emphasis
then the chain is determined as follows:</para> role="bold">:F</emphasis> nor <emphasis
role="bold">:T</emphasis> follow the mark value then the chain
is determined as follows:</para>
<para>- If the SOURCE is <emphasis <para>- If the SOURCE is <emphasis
role="bold">$FW</emphasis>[<emphasis role="bold">$FW</emphasis>[<emphasis
@ -144,6 +147,15 @@
<para>Mark the connecdtion in the POSTROUTING chain</para> <para>Mark the connecdtion in the POSTROUTING chain</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>CI</term>
<listitem>
<para>Added in Shorewall 4.4.13. Mark the connecdtion in
the POSTROUTING chain</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
<para><emphasis role="bold">Special considerations for If <para><emphasis role="bold">Special considerations for If


@ -54,7 +54,8 @@
role="bold">:</emphasis>{<emphasis role="bold">C</emphasis>|<emphasis role="bold">:</emphasis>{<emphasis role="bold">C</emphasis>|<emphasis
role="bold">F</emphasis>|<emphasis role="bold">P</emphasis>|<emphasis role="bold">F</emphasis>|<emphasis role="bold">P</emphasis>|<emphasis
role="bold">T</emphasis>|<emphasis role="bold">CF</emphasis>|<emphasis role="bold">T</emphasis>|<emphasis role="bold">CF</emphasis>|<emphasis
role="bold">CP</emphasis>|<emphasis role="bold">CT</emphasis>}]</term> role="bold">CP</emphasis>|<emphasis
role="bold">CT</emphasis>|I|CI}]</term>
<listitem> <listitem>
<para>May assume one of the following values.</para> <para>May assume one of the following values.</para>
@ -76,15 +77,18 @@
<para>May optionally be followed by <emphasis <para>May optionally be followed by <emphasis
role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis> role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
or <emphasis role="bold">:T</emphasis> where<emphasis or <emphasis role="bold">:T</emphasis>, <emphasis role="bold">:I
role="bold"> :P</emphasis> indicates that marking should occur </emphasis>where<emphasis role="bold"> :P</emphasis> indicates
in the PREROUTING chain, <emphasis role="bold">:F</emphasis> that marking should occur in the PREROUTING chain, <emphasis
indicates that marking should occur in the FORWARD chain and role="bold">:F</emphasis> indicates that marking should occur in
<emphasis role="bold">:T</emphasis> indicates that marking the FORWARD chain, <emphasis role="bold">:I </emphasis>indicates
should occur in the POSTROUTING chain. If neither <emphasis that marking should occur in the INPUT chain (added in Shorewall
role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis> 4.4.13) and <emphasis role="bold">:T</emphasis> indicates that
nor <emphasis role="bold">:T</emphasis> follow the mark value marking should occur in the POSTROUTING chain. If neither
then the chain is determined as follows:</para> <emphasis role="bold">:P</emphasis>, <emphasis
role="bold">:F</emphasis> nor <emphasis
role="bold">:T</emphasis> follow the mark value then the chain
is determined as follows:</para>
<para>- If the SOURCE is <emphasis <para>- If the SOURCE is <emphasis
role="bold">$FW</emphasis>[<emphasis role="bold">$FW</emphasis>[<emphasis
@ -137,7 +141,15 @@
<term>CT</term> <term>CT</term>
<listitem> <listitem>
<para>Mark the connecdtion in the POSTROUTING chain</para> <para>Mark the connection in the POSTROUTING chain</para>
</listitem>
</varlistentry>
<varlistentry>
<term>CI (added in Shorewall 4.4.13)</term>
<listitem>
<para>Mark the connection in the INPUT chain.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>