Document and correct implementation of EXCLUSION_MASK

1. Require KLUDGEFREE if existing rule uses mark match
2. Pretty up the code
3. Use MASK_BITS rather than TC_BITS when calculating the offset of EXCLUSION_MASK

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Chains.pm

@@ -3487,21 +3487,29 @@ sub expand_rule( $$$$$$$$$$;$ )
 
     if ( $iexcl || $dexcl || $oexcl ) {
 	#
-	# We have non-trivial exclusion -- need to create an exclusion chain
+	# We have non-trivial exclusion
 	#
 	if ( $disposition eq 'RETURN' || $disposition eq 'CONTINUE' ) {
 	    #
 	    # We can't use an exclusion chain -- we mark those packets to be excluded and then condition the following rules based on the mark value
 	    #
-	    require_capability 'MARK_ANYWHERE' , 'Exclusion in ACCEPT+/CONTINUE/NONAT rules', 's';
+	    require_capability 'MARK_ANYWHERE' , 'Exclusion in ACCEPT+/CONTINUE/NONAT rules', 's' unless $chainref->{table} eq 'mangle';
+	    require_capability 'KLUDGEFREE' ,    'Exclusion in ACCEPT+/CONTINUE/NONAT rules', 's' if $rule -~ / -m mark /;
+	    #
+	    # Clear the exclusion bit
+	    #
 	    add_rule $chainref = $chainref , '-j MARK --and-mark ' . in_hex( $globals{EXCLUSION_MASK} ^ 0xffffffff );
-	    
+	    #
+	    # Mark packet if it matches any of the exclusions
+	    #
 	    my $exclude = '-j MARK --or-mark ' . in_hex( $globals{EXCLUSION_MASK} );
 
 	    add_rule $chainref, ( match_source_net $_ , $restriction ) . $exclude for ( mysplit $iexcl );
 	    add_rule $chainref, ( match_dest_net $_ )                  . $exclude for ( mysplit $dexcl );
 	    add_rule $chainref, ( match_orig_dest $_ )                 . $exclude for ( mysplit $oexcl );
-
+	    #
+	    # Augment the rule to include 'not excluded'
+	    #
 	    $rule .= '-m mark --mark 0/' . in_hex( $globals{EXCLUSION_MASK} ) . ' ';
 	} else {
 	    #
@@ -3514,23 +3522,25 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    # Use the current rule and send all possible matches to the exclusion chain
 	    #
 	    for my $onet ( mysplit $onets ) {
+
 		$onet = match_orig_dest $onet;
+
 		for my $inet ( mysplit $inets ) {
+
+		    my $source_match = match_source_net( $inet, $restriction ) if have_capability( 'KLUDGEFREE' );
+
 		    for my $dnet ( mysplit $dnets ) {
-			#
-			# We evaluate the source net match in the inner loop to accomodate systems without $capabilities{KLUDGEFREE}
-			#
-			add_jump( $chainref, $echainref, 0, join( '', $rule, match_source_net( $inet, $restriction ), match_dest_net( $dnet ), $onet ), 1 );
+			$source_match = match_source_net( $inet, $restriction ) unless have_capability( 'KLUDGEFREE' );
+			add_jump( $chainref, $echainref, 0, join( '', $rule, $source_match, match_dest_net( $dnet ), $onet ), 1 );
 		    }
 		}
 	    }
-
 	    #
 	    # Generate RETURNs for each exclusion
 	    #
 	    add_rule $echainref, ( match_source_net $_ , $restriction ) . '-j RETURN' for ( mysplit $iexcl );
-	    add_rule $echainref, ( match_dest_net $_ ) .   '-j RETURN' for ( mysplit $dexcl );
-	    add_rule $echainref, ( match_orig_dest $_ ) .  '-j RETURN' for ( mysplit $oexcl );
+	    add_rule $echainref, ( match_dest_net $_ )                  . '-j RETURN' for ( mysplit $dexcl );
+	    add_rule $echainref, ( match_orig_dest $_ )                 . '-j RETURN' for ( mysplit $oexcl );
 	    #
 	    # Log rule
 	    #
@@ -3554,7 +3564,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 
     unless ( $done ) {
 	#
-	# No exclusions
+	# No non-trivial exclusions or we're using marks to handle them
 	#
 	for my $onet ( mysplit $onets ) {
 	    $onet = match_orig_dest $onet;

Shorewall/Perl/Shorewall/Config.pm

@@ -3094,8 +3094,8 @@ sub get_configuration( $ ) {
 	$config{PROVIDER_OFFSET} = $config{MASK_BITS} if $config{PROVIDER_OFFSET} < $config{MASK_BITS};
 	fatal_error 'PROVIDER_BITS + PROVIDER_OFFSET > 32' if $config{PROVIDER_BITS} + $config{PROVIDER_OFFSET} > 31;
 	$globals{EXCLUSION_MASK} = 1 << ( $config{PROVIDER_OFFSET} + $config{PROVIDER_BITS} );
-    } elsif ( $config{TC_BITS} >= $config{PROVIDER_BITS} ) {
-	$globals{EXCLUSION_MASK} = 1 << $config{TC_BITS};
+    } elsif ( $config{MASK_BITS} >= $config{PROVIDER_BITS} ) {
+	$globals{EXCLUSION_MASK} = 1 << $config{MASK_BITS};
     } else {
 	$globals{EXCLUSION_MASK} = 1 << $config{PROVIDER_BITS};
     }

Shorewall/releasenotes.txt

@@ -35,7 +35,8 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
     address/net) in CONTINUE, NONAT and ACCEPT+ rules generated
     valid but incorrect iptables input. This has been corrected but
     requires that your iptables/kernel support marking rules in any
-    Netfilter table.
+    Netfilter table (CONTINUE in the tcrules file does not require this
+    support).
 
     This fix implements a new 'Mark in any table' capability; those
     who utilize a capabilities file should re-generate the file using

docs/PacketMarking.xml

@@ -331,7 +331,7 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
           <row>
             <entry>WIDE_TC_MARKS=No, HIGH_ROUTE_MARKS=No</entry>
 
-            <entry>TC_BITS=8, PROVIDER_BITS=0, PROVIDER_OFFSET=0,
+            <entry>TC_BITS=8, PROVIDER_BITS=8, PROVIDER_OFFSET=0,
             MASK_BITS=8</entry>
           </row>
 
@@ -364,7 +364,11 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
     than 16 when WIDE_TC_MARKS=Yes.</para>
 
     <para>Beginning with Shorewall 4.4.12, the field between MASK_BITS and
-    PROVIDER_OFFSET can be used for any purpose you want. </para>
+    PROVIDER_OFFSET can be used for any purpose you want.</para>
+
+    <para>Beginning with Shorewall 4.4.13, The first unused bit on the left is
+    used by Shorewall as an <firstterm>exclusion mark</firstterm>, allowing
+    exclusion in CONTINUE, NONAT and ACCEPT+ rules.</para>
   </section>
 
   <section id="Shorewall">