diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt
index d617246bd..74c31eca2 100644
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@@ -4,6 +4,8 @@ Changes in 4.2.0-Beta2
2) Implement 'save' user exit.
+3) HELPER column in tcrules.
+
Changes in 4.2.0-Beta1
1) Fix handling of firewall marks.
diff --git a/Shorewall-common/lib.base b/Shorewall-common/lib.base
index 91d76285f..e28b9bbcf 100644
--- a/Shorewall-common/lib.base
+++ b/Shorewall-common/lib.base
@@ -35,7 +35,7 @@
#
SHOREWALL_LIBVERSION=40000
-SHOREWALL_CAPVERSION=40100
+SHOREWALL_CAPVERSION=40190
[ -n "${VARDIR:=/var/lib/shorewall}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@@ -1075,6 +1075,7 @@ determine_capabilities() {
HASHLIMIT_MATCH=
NFQUEUE_TARGET=
REALM_MATCH=
+ HELPER_MATCH=
chain=fooX$$
@@ -1169,8 +1170,8 @@ determine_capabilities() {
qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
-
qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
+ qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
qt $IPTABLES -F $chain
qt $IPTABLES -X $chain
@@ -1223,6 +1224,7 @@ report_capabilities() {
report_capability "Hashlimit Match" $HASHLIMIT_MATCH
report_capability "NFQUEUE Target" $NFQUEUE_TARGET
report_capability "Realm Match" $REALM_MATCH
+ report_capability "Helper Match" $HELPER_MATCH
fi
[ -n "$PKTTYPE" ] || USEPKTTYPE=
diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt
index 31ff8839e..9b4b79b5f 100644
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@@ -113,6 +113,12 @@ Other Changes in Shoreall 4.2.0 Beta 2.
Those two scripts allow me to save and restore the contents of my
ipsets automatically under Shorewall-perl/Shorewall-lite (my
routestopped file does not use ipsets).
+
+2) A HELPER column is included in the tcrules file. The value in this
+ column names one of the Netfilter protocol 'helper' module sets
+ (ftp, sip, amanda, etc).
+
+ See http://www.shorewall.net/traffic_shaping.htm for an example.
None.
diff --git a/Shorewall-common/tcrules b/Shorewall-common/tcrules
index 1201a791c..cd32eddc1 100644
--- a/Shorewall-common/tcrules
+++ b/Shorewall-common/tcrules
@@ -9,7 +9,7 @@
#
# See http://shorewall.net/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism.
-#######################################################################################################
-#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES
+######################################################################################################################
+#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
# PORT(S) PORT(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm
index 4cdf39dfa..cc3c7880d 100644
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@@ -123,6 +123,7 @@ our %EXPORT_TAGS = (
do_user
do_tos
do_connbytes
+ do_helper
match_source_dev
match_dest_dev
iprange_match
@@ -1345,6 +1346,17 @@ sub do_connbytes( $ ) {
"${invert}-m connbytes --connbytes $min:$max --connbytes-dir $dir{$dir} --connbytes-mode $mode{$mode} ";
}
+#
+# Create a "-m helper" match for the passed argument
+#
+sub do_helper( $ ) {
+ my $helper = shift;
+
+ return '' if $helper eq '-';
+
+ qq(-m helper --helper "$helper");
+}
+
#
# Match Source Interface
#
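Review bot: `do_helper` interpolates the HELPER column into the generated iptables command unvalidated, so a value containing a double quote, `$` or other shell metacharacters in `qq(-m helper --helper "$helper")` produces a malformed or misbehaving line in the emitted script instead of a compile-time error; an anchored whitelist before the return, e.g. `fatal_error "Invalid HELPER ($helper)" unless $helper =~ /^[\w.-]+$/;`, keeps it to the name set Netfilter helpers actually use (including dotted names such as Q.931). The same commit adds a HELPER_MATCH capability in Config.pm and lib.base, but nothing here consults it, so a rule that names a helper on a system whose iptables lacks `-m helper` only fails when the script runs; checking the capability once the `-` case has been excluded (via the project's `require_capability`, if that is the convention the other `do_*` helpers follow) would surface that at compile time. The body also warns under `use warnings` if a caller ever passes `undef` rather than `-`; if `split_line1` does not already pad missing trailing columns with `-`, the `eq` test should guard with `defined`.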
diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm
index 8bae5ca95..15759b8e9 100644
--- a/Shorewall-perl/Shorewall/Config.pm
+++ b/Shorewall-perl/Shorewall/Config.pm
@@ -204,6 +204,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
HASHLIMIT_MATCH => 'Hashlimit Match',
NFQUEUE_TARGET => 'NFQUEUE Target',
REALM_MATCH => 'Realm Match',
+ HELPER_MATCH => 'Helper Match',
CAPVERSION => 'Capability Version',
);
#
@@ -266,7 +267,7 @@ sub initialize() {
LOGPARMS => '',
TC_SCRIPT => '',
VERSION => "4.2.0-Beta2",
- CAPVERSION => 40100 ,
+ CAPVERSION => 40190 ,
);
#
# From shorewall.conf file
@@ -409,6 +410,7 @@ sub initialize() {
HASHLIMIT_MATCH => undef,
NFQUEUE_TARGET => undef,
REALM_MATCH => undef,
+ HELPER_MATCH => undef,
CAPVERSION => undef,
);
#
@@ -1623,8 +1625,8 @@ sub determine_capabilities( $ ) {
$capabilities{TCPMSS_MATCH} = qt1( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
$capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name fooX1234 --hashlimit-mode dstip -j ACCEPT" );
$capabilities{NFQUEUE_TARGET} = qt1( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" );
-
- $capabilities{REALM_MATCH} = qt1( "$iptables -A $sillyname -m realm --realm 1" );
+ $capabilities{REALM_MATCH} = qt1( "$iptables -A $sillyname -m realm --realm 1" );
+ $capabilities{HELPER_MATCH} = qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" );
qt1( "$iptables -F $sillyname" );
qt1( "$iptables -X $sillyname" );
diff --git a/Shorewall-perl/Shorewall/Tc.pm b/Shorewall-perl/Shorewall/Tc.pm
index a3411727a..869f53b12 100644
--- a/Shorewall-perl/Shorewall/Tc.pm
+++ b/Shorewall-perl/Shorewall/Tc.pm
@@ -179,8 +179,8 @@ INIT {
initialize;
}
-sub process_tc_rule( $$$$$$$$$$$ ) {
- my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes ) = @_;
+sub process_tc_rule( $$$$$$$$$$$$ ) {
+ my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes , $helper ) = @_;
my ( $mark, $designator, $remainder ) = split( /:/, $originalmark, 3 );
@@ -284,7 +284,7 @@ sub process_tc_rule( $$$$$$$$$$$ ) {
if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
$restrictions{$chain} ,
- do_proto( $proto, $ports, $sports) . do_user( $user ) . do_test( $testval, $mask ) . do_tos( $tos ) . do_connbytes( $connbytes ),
+ do_proto( $proto, $ports, $sports) . do_user( $user ) . do_test( $testval, $mask ) . do_tos( $tos ) . do_connbytes( $connbytes ) . do_helper( $helper ),
$source ,
$dest ,
'' ,
@@ -887,12 +887,12 @@ sub setup_tc() {
while ( read_a_line ) {
- my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes ) = split_line1 2, 11, 'tcrules file';
+ my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper ) = split_line1 2, 12, 'tcrules file';
if ( $mark eq 'COMMENT' ) {
process_comment;
} else {
- process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos, $connbytes;
+ process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos, $connbytes, $helper;
}
}
diff --git a/docs/traffic_shaping.xml b/docs/traffic_shaping.xml
index 8c793da05..c18e99b93 100644
--- a/docs/traffic_shaping.xml
+++ b/docs/traffic_shaping.xml
@@ -840,6 +840,13 @@ ppp0 6000kbit 500kbit
+
+
+ HELPER (Optional, added in Shorewall version 4.2.0 Beta 2).
+ Names one of the Netfiler protocol helper modules such as
+ ftp, sip,
+ amanda, etc.
+
@@ -920,6 +927,22 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - -
packet mark has been set, save it to the connection mark."
+
+
+
+
+ Mark all forwarded VOIP connections with connection mark 1 and
+ ensure that all VOIP packets also receive that mark (assumes that
+ nf_conntrack_sip is loaded and that Shorewall-perl 4.2.0 or later is
+ being used).
+
+ #MARK SOURCE DESTINATION PROTOCOL PORT(S) CLIENT USER/ TEST CONNBYTES TOS HELPER
+# PORT(S) GROUP
+RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0
+CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0
+1 0.0.0.0/0 0.0.0.0/0 all - - - - - - sip
+SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0
+
@@ -1593,4 +1616,4 @@ class htb 1:120 parent 1:1 leaf 120: prio 2 quantum 1900 rate 76000bit ceil 2300
At least one Shorewall user has found this tool helpful: http://e2epi.internet2.edu/network-performance-toolkit.html
-
+
\ No newline at end of file
diff --git a/manpages/shorewall-tcrules.xml b/manpages/shorewall-tcrules.xml
index 25b93b414..73d02ce6b 100644
--- a/manpages/shorewall-tcrules.xml
+++ b/manpages/shorewall-tcrules.xml
@@ -497,6 +497,18 @@
Normal-Service (0)
+
+
+ HELPER —
+ "helper"
+
+
+ Added in Shorewall-perl 4.2.0 Beta 2. Names a Netfiler
+ protocol helper module such as
+ , , ,
+ etc.
+
+