Add HELPER column to tcrules

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8558 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-25 09:03:30 +01:00 · 2008-06-05 20:39:05 +00:00 · 2008-06-05 20:39:05 +00:00 · c2ee4eb2ba
commit c2ee4eb2ba
parent 8525c8ccdf
9 changed files with 72 additions and 13 deletions
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@ -4,6 +4,8 @@ Changes in 4.2.0-Beta2

 2)  Implement 'save' user exit.

+3)  HELPER column in tcrules.
+
 Changes in 4.2.0-Beta1

 1)  Fix handling of firewall marks.
--- a/Shorewall-common/lib.base
+++ b/Shorewall-common/lib.base
@ -35,7 +35,7 @@
 #

 SHOREWALL_LIBVERSION=40000
-SHOREWALL_CAPVERSION=40100
+SHOREWALL_CAPVERSION=40190

 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@ -1075,6 +1075,7 @@ determine_capabilities() {
    HASHLIMIT_MATCH=
    NFQUEUE_TARGET=
    REALM_MATCH=
+    HELPER_MATCH=

    chain=fooX$$

@ -1169,8 +1170,8 @@ determine_capabilities() {
    qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
    qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
    qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
-
    qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
+    qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes

    qt $IPTABLES -F $chain
    qt $IPTABLES -X $chain
@ -1223,6 +1224,7 @@ report_capabilities() {
 	report_capability "Hashlimit Match" $HASHLIMIT_MATCH
 	report_capability "NFQUEUE Target" $NFQUEUE_TARGET
 	report_capability "Realm Match" $REALM_MATCH
+	report_capability "Helper Match" $HELPER_MATCH
    fi

    [ -n "$PKTTYPE" ] || USEPKTTYPE=
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@ -113,6 +113,12 @@ Other Changes in Shoreall 4.2.0 Beta 2.
   Those two scripts allow me to save and restore the contents of my
   ipsets automatically under Shorewall-perl/Shorewall-lite (my
   routestopped file does not use ipsets).
+
+2) A HELPER column is included in the tcrules file. The value in this
+   column names one of the Netfilter protocol 'helper' module sets
+   (ftp, sip, amanda, etc).
+
+   See http://www.shorewall.net/traffic_shaping.htm for an example. 
    
 None.

--- a/Shorewall-common/tcrules
+++ b/Shorewall-common/tcrules
@ -9,7 +9,7 @@
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-#######################################################################################################
-#MARK	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES
+######################################################################################################################
+#MARK	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER
 #						PORT(S)	PORT(S)
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@ -123,6 +123,7 @@ our %EXPORT_TAGS = (
 				       do_user
 				       do_tos
 				       do_connbytes
+				       do_helper
 				       match_source_dev
 				       match_dest_dev
 				       iprange_match
@ -1345,6 +1346,17 @@ sub do_connbytes( $ ) {
    "${invert}-m connbytes --connbytes $min:$max --connbytes-dir $dir{$dir} --connbytes-mode $mode{$mode} ";
 }

+#
+# Create a "-m helper" match for the passed argument
+#
+sub do_helper( $ ) {
+    my $helper = shift;
+
+    return '' if $helper eq '-';
+
+    qq(-m helper --helper "$helper");
+}
+
 #
 # Match Source Interface
 #
--- a/Shorewall-perl/Shorewall/Config.pm
+++ b/Shorewall-perl/Shorewall/Config.pm
@ -204,6 +204,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 HASHLIMIT_MATCH => 'Hashlimit Match',
 		 NFQUEUE_TARGET  => 'NFQUEUE Target',
 		 REALM_MATCH     => 'Realm Match',
+		 HELPER_MATCH    => 'Helper Match',
 		 CAPVERSION      => 'Capability Version',
 	       );
 #
@ -266,7 +267,7 @@ sub initialize() {
 		    LOGPARMS => '',
 		    TC_SCRIPT => '',
 		    VERSION => "4.2.0-Beta2",
-		    CAPVERSION => 40100 ,
+		    CAPVERSION => 40190 ,
 		  );
    #
    # From shorewall.conf file
@ -409,6 +410,7 @@ sub initialize() {
 	       HASHLIMIT_MATCH => undef,
 	       NFQUEUE_TARGET => undef,
 	       REALM_MATCH => undef,
+	       HELPER_MATCH => undef,
 	       CAPVERSION => undef,
 	       );
    #
@ -1623,8 +1625,8 @@ sub determine_capabilities( $ ) {
    $capabilities{TCPMSS_MATCH}    = qt1( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
    $capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name fooX1234 --hashlimit-mode dstip -j ACCEPT" );
    $capabilities{NFQUEUE_TARGET}  = qt1( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" );
-
-    $capabilities{REALM_MATCH} = qt1( "$iptables -A $sillyname -m realm --realm 1" );
+    $capabilities{REALM_MATCH}     = qt1( "$iptables -A $sillyname -m realm --realm 1" );
+    $capabilities{HELPER_MATCH}    = qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" );

    qt1( "$iptables -F $sillyname" );
    qt1( "$iptables -X $sillyname" );
--- a/Shorewall-perl/Shorewall/Tc.pm
+++ b/Shorewall-perl/Shorewall/Tc.pm
@ -179,8 +179,8 @@ INIT {
    initialize;
 }

-sub process_tc_rule( $$$$$$$$$$$ ) {
-    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes ) = @_;
+sub process_tc_rule( $$$$$$$$$$$$ ) {
+    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes , $helper ) = @_;

    my ( $mark, $designator, $remainder ) = split( /:/, $originalmark, 3 );

@ -284,7 +284,7 @@ sub process_tc_rule( $$$$$$$$$$$ ) {

    if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
 				     $restrictions{$chain} ,
-				     do_proto( $proto, $ports, $sports) . do_user( $user ) . do_test( $testval, $mask ) . do_tos( $tos ) . do_connbytes( $connbytes ),
+				     do_proto( $proto, $ports, $sports) . do_user( $user ) . do_test( $testval, $mask ) . do_tos( $tos ) . do_connbytes( $connbytes ) . do_helper( $helper ),
 				     $source ,
 				     $dest ,
 				     '' ,
@ -887,12 +887,12 @@ sub setup_tc() {

 	    while ( read_a_line ) {

-		my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes ) = split_line1 2, 11, 'tcrules file';
+		my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper ) = split_line1 2, 12, 'tcrules file';

 		if ( $mark eq 'COMMENT' ) {
 		    process_comment;
 		} else {
-		    process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos, $connbytes;
+		    process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos, $connbytes, $helper;
 		}
 		
 	    }
--- a/docs/traffic_shaping.xml
+++ b/docs/traffic_shaping.xml
@ -840,6 +840,13 @@ ppp0           6000kbit         500kbit</programlisting>
            </simplelist>
          </blockquote>
        </listitem>
+
+        <listitem>
+          <para>HELPER (Optional, added in Shorewall version 4.2.0 Beta 2).
+          Names one of the Netfiler protocol helper modules such as
+          <emphasis>ftp</emphasis>, <emphasis>sip</emphasis>,
+          <emphasis>amanda</emphasis>, etc.</para>
+        </listitem>
      </itemizedlist>

      <example id="Example1">
@ -920,6 +927,22 @@ SAVE     0.0.0.0/0      0.0.0.0/0       all        -             -        -
          packet mark has been set, save it to the connection mark."</para>
        </blockquote>
      </example>
+
+      <example>
+        <title></title>
+
+        <para>Mark all forwarded VOIP connections with connection mark 1 and
+        ensure that all VOIP packets also receive that mark (assumes that
+        nf_conntrack_sip is loaded and that Shorewall-perl 4.2.0 or later is
+        being used).</para>
+
+        <programlisting>#MARK    SOURCE         DESTINATION     PROTOCOL   PORT(S)       CLIENT   USER/     TEST      CONNBYTES      TOS      HELPER
+#                                                                PORT(S)  GROUP
+RESTORE  0.0.0.0/0      0.0.0.0/0       all        -             -        -         0
+CONTINUE 0.0.0.0/0      0.0.0.0/0       all        -             -        -         !0
+1        0.0.0.0/0      0.0.0.0/0       all        -             -        -         -         -              -        sip
+SAVE     0.0.0.0/0      0.0.0.0/0       all        -             -        -         !0</programlisting>
+      </example>
    </section>

    <section id="ppp">
@ -1593,4 +1616,4 @@ class htb 1:120 parent 1:1 leaf 120: prio 2 quantum 1900 rate 76000bit ceil 2300
    <para>At least one Shorewall user has found this tool helpful: <ulink
    url="http://e2epi.internet2.edu/network-performance-toolkit.html">http://e2epi.internet2.edu/network-performance-toolkit.html</ulink></para>
  </section>
-</article>
+</article>
--- a/manpages/shorewall-tcrules.xml
+++ b/manpages/shorewall-tcrules.xml
@ -497,6 +497,18 @@
         <emphasis role="bold">Normal-Service</emphasis> (0)</programlisting>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">HELPER —
+        "<emphasis>helper</emphasis>"</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall-perl 4.2.0 Beta 2. Names a Netfiler
+          protocol <firstterm>helper</firstterm> module such as
+          <option>ftp</option>, <option>sip</option>, <option>amanda</option>,
+          etc.</para>
+        </listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>