Update docs and implementation of SECMARK

2024-11-23 08:03:11 +01:00 · 2010-09-04 16:08:29 -07:00 · 2010-09-04 16:08:29 -07:00 · b139ff7e90
commit b139ff7e90
parent 28ff3548ff
4 changed files with 53 additions and 25 deletions
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@ -165,6 +165,7 @@ our %tcclasses;
 our %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
 		      tcpost     => POSTROUTE_RESTRICT ,
 		      tcfor      => NO_RESTRICT ,
+		      tcin       => INPUT_RESTRICT ,
 		      tcout      => OUTPUT_RESTRICT );

 our $family;
@ -1374,13 +1375,13 @@ sub setup_traffic_shaping() {
 sub process_secmark_rule() {
    my ( $secmark, $chain, $source, $dest, $proto, $dport, $sport, $mark ) = split_line( 2, 8 , 'Secmarks file' );

-    my %chns = ( T => [ 'tcpost'   , POSTROUTE_RESTRICT ] ,
-		 P => [ 'tcpre'    , PREROUTE_RESTRICT ] ,
-		 F => [ 'forward'  , NO_RESTRICT ] ,
-		 I => [ 'tcin' ,   , INPUT_RESTRICT ] ,
-		 O => [ 'tcout' ,  , OUTPUT_RESTRICT ] );
+    my %chns = ( T => 'tcpost'  ,
+		 P => 'tcpre'   ,
+		 F => 'forward' ,
+		 I => 'tcin'    ,
+		 O => 'tcout'   , );

-    my ( $chain1 , $restriction ) = @{$chns{$chain}};
+    my $chain1= $chns{$chain};

    fatal_error "Invalid or missing CHAIN ( $chain )" unless $chain1;

@ -1393,7 +1394,7 @@ sub process_secmark_rule() {
    $disposition =~ s/ .*//;

    expand_rule( ensure_mangle_chain( $chain1 ) , 
-		 $restriction,
+		 $restrictions{$chain1} ,
 		 do_proto( $proto, $dport, $sport ) .
 		 do_test( $mark, $globals{TC_MASK} ) ,
 		 $source , 
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -172,6 +172,9 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
    See the shorewall-secmarks and shorewall6-secmarks manpages for
    details.

+    As part of this change, the tcrules file now accepts chain
+    designators 'I' and 'CI' for marking packets in the input chain.
+
 ----------------------------------------------------------------------------
             I V.  R E L E A S E  4 . 4  H I G H L I G H T S
 ----------------------------------------------------------------------------
--- a/manpages/shorewall-tcrules.xml
+++ b/manpages/shorewall-tcrules.xml
@ -58,7 +58,8 @@
        role="bold">:</emphasis>{<emphasis role="bold">C</emphasis>|<emphasis
        role="bold">F</emphasis>|<emphasis role="bold">P</emphasis>|<emphasis
        role="bold">T</emphasis>|<emphasis role="bold">CF</emphasis>|<emphasis
-        role="bold">CP</emphasis>|<emphasis role="bold">CT</emphasis>}]</term>
+        role="bold">CP</emphasis>|<emphasis
+        role="bold">CT</emphasis>|I:CI}]</term>

        <listitem>
          <para>May assume one of the following values.</para>
@ -83,12 +84,14 @@
              or <emphasis role="bold">:T</emphasis> where<emphasis
              role="bold"> :P</emphasis> indicates that marking should occur
              in the PREROUTING chain, <emphasis role="bold">:F</emphasis>
-              indicates that marking should occur in the FORWARD chain and
-              <emphasis role="bold">:T</emphasis> indicates that marking
-              should occur in the POSTROUTING chain. If neither <emphasis
-              role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
-              nor <emphasis role="bold">:T</emphasis> follow the mark value
-              then the chain is determined as follows:</para>
+              indicates that marking should occur in the FORWARD chain, :I
+              indicates that marking should occur in the INPUT chain (added in
+              Shorewall 4.4.13), and <emphasis role="bold">:T</emphasis>
+              indicates that marking should occur in the POSTROUTING chain. If
+              neither <emphasis role="bold">:P</emphasis>, <emphasis
+              role="bold">:F</emphasis> nor <emphasis
+              role="bold">:T</emphasis> follow the mark value then the chain
+              is determined as follows:</para>

              <para>- If the SOURCE is <emphasis
              role="bold">$FW</emphasis>[<emphasis
@ -144,6 +147,15 @@
                    <para>Mark the connecdtion in the POSTROUTING chain</para>
                  </listitem>
                </varlistentry>
+
+                <varlistentry>
+                  <term>CI</term>
+
+                  <listitem>
+                    <para>Added in Shorewall 4.4.13. Mark the connecdtion in
+                    the POSTROUTING chain</para>
+                  </listitem>
+                </varlistentry>
              </variablelist>

              <para><emphasis role="bold">Special considerations for If
--- a/manpages6/shorewall6-tcrules.xml
+++ b/manpages6/shorewall6-tcrules.xml
@ -54,7 +54,8 @@
        role="bold">:</emphasis>{<emphasis role="bold">C</emphasis>|<emphasis
        role="bold">F</emphasis>|<emphasis role="bold">P</emphasis>|<emphasis
        role="bold">T</emphasis>|<emphasis role="bold">CF</emphasis>|<emphasis
-        role="bold">CP</emphasis>|<emphasis role="bold">CT</emphasis>}]</term>
+        role="bold">CP</emphasis>|<emphasis
+        role="bold">CT</emphasis>|I|CI}]</term>

        <listitem>
          <para>May assume one of the following values.</para>
@ -76,15 +77,18 @@

              <para>May optionally be followed by <emphasis
              role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
-              or <emphasis role="bold">:T</emphasis> where<emphasis
-              role="bold"> :P</emphasis> indicates that marking should occur
-              in the PREROUTING chain, <emphasis role="bold">:F</emphasis>
-              indicates that marking should occur in the FORWARD chain and
-              <emphasis role="bold">:T</emphasis> indicates that marking
-              should occur in the POSTROUTING chain. If neither <emphasis
-              role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
-              nor <emphasis role="bold">:T</emphasis> follow the mark value
-              then the chain is determined as follows:</para>
+              or <emphasis role="bold">:T</emphasis>, <emphasis role="bold">:I
+              </emphasis>where<emphasis role="bold"> :P</emphasis> indicates
+              that marking should occur in the PREROUTING chain, <emphasis
+              role="bold">:F</emphasis> indicates that marking should occur in
+              the FORWARD chain, <emphasis role="bold">:I </emphasis>indicates
+              that marking should occur in the INPUT chain (added in Shorewall
+              4.4.13) and <emphasis role="bold">:T</emphasis> indicates that
+              marking should occur in the POSTROUTING chain. If neither
+              <emphasis role="bold">:P</emphasis>, <emphasis
+              role="bold">:F</emphasis> nor <emphasis
+              role="bold">:T</emphasis> follow the mark value then the chain
+              is determined as follows:</para>

              <para>- If the SOURCE is <emphasis
              role="bold">$FW</emphasis>[<emphasis
@ -137,7 +141,15 @@
                  <term>CT</term>

                  <listitem>
-                    <para>Mark the connecdtion in the POSTROUTING chain</para>
+                    <para>Mark the connection in the POSTROUTING chain</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>CI (added in Shorewall 4.4.13)</term>
+
+                  <listitem>
+                    <para>Mark the connection in the INPUT chain.</para>
                  </listitem>
                </varlistentry>
              </variablelist>