Add restriction handling to tcrules processing

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8194 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-15 04:04:10 +01:00 · 2008-02-14 17:40:38 +00:00 · 2008-02-14 17:40:38 +00:00 · c0be049f3d
commit c0be049f3d
parent cc8d035d1a
4 changed files with 36 additions and 3 deletions
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@ -6,6 +6,10 @@ Changes in 4.1.5

 3)  Update modules file for 2.6.25.

+4)  Restore 3.4 code to work around busybox limination.
+
+5)   Add restriction handling in tcrules file.
+
 Changes in 4.1.4

 1)  Fix do_test() to accept 0 and to use the same mask as
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@ -64,7 +64,29 @@ Migration Issues.

 Problems corrected in 4.1.5.

-None.
+1)  An optimization added to Shorewall-shell in 4.0.0 has been backed
+    out to work around a limitation of Busybox 'sed'.
+
+2)  Previously, Shorewall would accept both an interface and an IP
+    address in tcrules POSTROUTING entries (such as CLASSIFY).
+
+    Example:
+
+    1:11      eth1:192.168.4.9	-	tcp	22
+
+    It also allows both a destination interface and address.
+
+    Example:
+
+    1:P	      -		eth1:192.168.4.9	tcp	22
+
+    Because Netfilter does not allow an input interface to be specified
+    in POSTROUTING or an output interface to be specified in
+    PREROUTING, Shorewall must use the routing table to generate a list
+    of networks accessed through any interface specified in these
+    cases. Given that a specific address (or set of addresses) has
+    already been specified, it makes no sense qualify it (them) by
+    another list of addresses.

 New Features in 4.1.5.

--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@ -1941,6 +1941,9 @@ sub expand_rule( $$$$$$$$$$ )
    $dnets = ALLIPv4 unless $dnets;
    $onets = ALLIPv4 unless $onets;

+    fatal_error "Input interface may not be specified with a source IP address in the POSTROUTING chain"      if $restriction == POSTROUTE_RESTRICT && $iiface && $inets ne ALLIPv4;
+    fatal_error "Output interface may not be specified with a destination IP address in the PREROUTING chain" if $restriction == PREROUTE_RESTRICT &&  $diface && $dnets ne ALLIPv4;
+
    if ( $iexcl || $dexcl || $oexcl ) {
 	#
 	# We have non-trivial exclusion -- need to create an exclusion chain
--- a/Shorewall-perl/Shorewall/Tc.pm
+++ b/Shorewall-perl/Shorewall/Tc.pm
@ -152,6 +152,10 @@ our %tcclasses;

 our $prefix;

+our %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
+		      tcpost     => POSTROUTE_RESTRICT ,
+		      tcfor      => NO_RESTRICT ,
+		      tcout      => OUTPUT_RESTRICT );
 #
 # Initialize globals -- we take this novel approach to globals initialization to allow
 #                       the compiler to run multiple times in the same process. The
@ -226,7 +230,7 @@ sub process_tc_rule( $$$$$$$$$$ ) {
 	    $target  = 'CLASSIFY --set-class';
 	}
    }
-
+        
    my $mask = 0xffff;

    my ($cmd, $rest) = split( '/', $mark, 2 );
@ -275,7 +279,7 @@ sub process_tc_rule( $$$$$$$$$$ ) {
    }

    if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
-				     NO_RESTRICT ,
+				     $restrictions{$chain} ,
 				     do_proto( $proto, $ports, $sports) . do_user( $user ) . do_test( $testval, $mask ) . do_tos( $tos ) ,
 				     $source ,
 				     $dest ,