Add HELPER column to tcrules

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8558 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2008-06-05 20:39:05 +00:00
parent 8525c8ccdf
commit c2ee4eb2ba
9 changed files with 72 additions and 13 deletions


@ -4,6 +4,8 @@ Changes in 4.2.0-Beta2
2) Implement 'save' user exit. 2) Implement 'save' user exit.
3) HELPER column in tcrules.
Changes in 4.2.0-Beta1 Changes in 4.2.0-Beta1
1) Fix handling of firewall marks. 1) Fix handling of firewall marks.


@ -35,7 +35,7 @@
# #
SHOREWALL_LIBVERSION=40000 SHOREWALL_LIBVERSION=40000
SHOREWALL_CAPVERSION=40100 SHOREWALL_CAPVERSION=40190
[ -n "${VARDIR:=/var/lib/shorewall}" ] [ -n "${VARDIR:=/var/lib/shorewall}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall}" ] [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@ -1075,6 +1075,7 @@ determine_capabilities() {
HASHLIMIT_MATCH= HASHLIMIT_MATCH=
NFQUEUE_TARGET= NFQUEUE_TARGET=
REALM_MATCH= REALM_MATCH=
HELPER_MATCH=
chain=fooX$$ chain=fooX$$
@ -1169,8 +1170,8 @@ determine_capabilities() {
qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
qt $IPTABLES -F $chain qt $IPTABLES -F $chain
qt $IPTABLES -X $chain qt $IPTABLES -X $chain
@ -1223,6 +1224,7 @@ report_capabilities() {
report_capability "Hashlimit Match" $HASHLIMIT_MATCH report_capability "Hashlimit Match" $HASHLIMIT_MATCH
report_capability "NFQUEUE Target" $NFQUEUE_TARGET report_capability "NFQUEUE Target" $NFQUEUE_TARGET
report_capability "Realm Match" $REALM_MATCH report_capability "Realm Match" $REALM_MATCH
report_capability "Helper Match" $HELPER_MATCH
fi fi
[ -n "$PKTTYPE" ] || USEPKTTYPE= [ -n "$PKTTYPE" ] || USEPKTTYPE=
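Review bot: The SHOREWALL_CAPVERSION bump to 40190 in the first hunk carries no comment, and its only reason to change is that the Perl compiler's CAPVERSION is bumped to the same value elsewhere in this commit, so the two must be kept in step by hand; a comment on the changed line such as `SHOREWALL_CAPVERSION=40190   # must equal the compiler's CAPVERSION; bump both whenever a capability is added` would record that. The same remark applies to the `CAPVERSION => 40190 ,` line in the Perl hunk of this commit. The new HELPER_MATCH probe in determine_capabilities follows the shape of the realm probe above it, with its initialisation and report_capability line added in the matching places. determine_capabilities and report_capabilities both begin outside their hunks.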


@ -113,6 +113,12 @@ Other Changes in Shoreall 4.2.0 Beta 2.
Those two scripts allow me to save and restore the contents of my Those two scripts allow me to save and restore the contents of my
ipsets automatically under Shorewall-perl/Shorewall-lite (my ipsets automatically under Shorewall-perl/Shorewall-lite (my
routestopped file does not use ipsets). routestopped file does not use ipsets).
2) A HELPER column is included in the tcrules file. The value in this
column names one of the Netfilter protocol 'helper' module sets
(ftp, sip, amanda, etc).
See http://www.shorewall.net/traffic_shaping.htm for an example.
None. None.


@ -9,7 +9,7 @@
# #
# See http://shorewall.net/PacketMarking.html for a detailed description of # See http://shorewall.net/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism. # the Netfilter/Shorewall packet marking mechanism.
####################################################################################################### ######################################################################################################################
#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES #MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
# PORT(S) PORT(S) # PORT(S) PORT(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -123,6 +123,7 @@ our %EXPORT_TAGS = (
do_user do_user
do_tos do_tos
do_connbytes do_connbytes
do_helper
match_source_dev match_source_dev
match_dest_dev match_dest_dev
iprange_match iprange_match
@ -1345,6 +1346,17 @@ sub do_connbytes( $ ) {
"${invert}-m connbytes --connbytes $min:$max --connbytes-dir $dir{$dir} --connbytes-mode $mode{$mode} "; "${invert}-m connbytes --connbytes $min:$max --connbytes-dir $dir{$dir} --connbytes-mode $mode{$mode} ";
} }
#
# Create a "-m helper" match for the passed argument
#
sub do_helper( $ ) {
my $helper = shift;
return '' if $helper eq '-';
qq(-m helper --helper "$helper");
}
# #
# Match Source Interface # Match Source Interface
# #
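Review bot: do_helper interpolates the HELPER column value straight into `qq(-m helper --helper "$helper")` with no check that the kernel supports the match, although this commit adds a HELPER_MATCH capability for exactly that purpose, and with no check on the value itself, so a column entry containing a double quote or whitespace silently yields a malformed rule in the generated script. Before the return, gate on the capability and reject anything that is not a plain module name: `require_capability 'HELPER_MATCH', 'A non-empty HELPER column', 's';` and `fatal_error "Invalid helper name ($helper)" unless $helper =~ /^[\w.-]+$/;` (presumably the same `require_capability`/`fatal_error` routines this module uses for its other matches — confirm). The `-` sentinel test on the preceding line should stay first so an empty column still returns ''. do_helper lies wholly inside the hunk; do_connbytes above it ends at the closing brace shown.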


@ -204,6 +204,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
HASHLIMIT_MATCH => 'Hashlimit Match', HASHLIMIT_MATCH => 'Hashlimit Match',
NFQUEUE_TARGET => 'NFQUEUE Target', NFQUEUE_TARGET => 'NFQUEUE Target',
REALM_MATCH => 'Realm Match', REALM_MATCH => 'Realm Match',
HELPER_MATCH => 'Helper Match',
CAPVERSION => 'Capability Version', CAPVERSION => 'Capability Version',
); );
# #
@ -266,7 +267,7 @@ sub initialize() {
LOGPARMS => '', LOGPARMS => '',
TC_SCRIPT => '', TC_SCRIPT => '',
VERSION => "4.2.0-Beta2", VERSION => "4.2.0-Beta2",
CAPVERSION => 40100 , CAPVERSION => 40190 ,
); );
# #
# From shorewall.conf file # From shorewall.conf file
@ -409,6 +410,7 @@ sub initialize() {
HASHLIMIT_MATCH => undef, HASHLIMIT_MATCH => undef,
NFQUEUE_TARGET => undef, NFQUEUE_TARGET => undef,
REALM_MATCH => undef, REALM_MATCH => undef,
HELPER_MATCH => undef,
CAPVERSION => undef, CAPVERSION => undef,
); );
# #
@ -1623,8 +1625,8 @@ sub determine_capabilities( $ ) {
$capabilities{TCPMSS_MATCH} = qt1( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" ); $capabilities{TCPMSS_MATCH} = qt1( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
$capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name fooX1234 --hashlimit-mode dstip -j ACCEPT" ); $capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name fooX1234 --hashlimit-mode dstip -j ACCEPT" );
$capabilities{NFQUEUE_TARGET} = qt1( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" ); $capabilities{NFQUEUE_TARGET} = qt1( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" );
$capabilities{REALM_MATCH} = qt1( "$iptables -A $sillyname -m realm --realm 1" );
$capabilities{REALM_MATCH} = qt1( "$iptables -A $sillyname -m realm --realm 1" ); $capabilities{HELPER_MATCH} = qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" );
qt1( "$iptables -F $sillyname" ); qt1( "$iptables -F $sillyname" );
qt1( "$iptables -X $sillyname" ); qt1( "$iptables -X $sillyname" );
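Review bot: The HELPER_MATCH probe spells the helper name as `--helper \"ftp\"`, unlike every neighbouring probe, which passes its arguments bare; if qt1 hands the string to a shell the quotes are stripped and only add escaping noise, and if it does not, iptables receives the quote characters as part of the helper name. `$capabilities{HELPER_MATCH} = qt1( "$iptables -A $sillyname -m helper --helper ftp" );` behaves the same in the first case and is correct in both. The rendering pairs the old REALM_MATCH line with the new HELPER_MATCH line, so it is not clear from the page whether the realm probe itself was altered — worth confirming it is unchanged. determine_capabilities begins outside the hunk.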


@ -179,8 +179,8 @@ INIT {
initialize; initialize;
} }
sub process_tc_rule( $$$$$$$$$$$ ) { sub process_tc_rule( $$$$$$$$$$$$ ) {
my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes ) = @_; my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes , $helper ) = @_;
my ( $mark, $designator, $remainder ) = split( /:/, $originalmark, 3 ); my ( $mark, $designator, $remainder ) = split( /:/, $originalmark, 3 );
@ -284,7 +284,7 @@ sub process_tc_rule( $$$$$$$$$$$ ) {
if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) , if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
$restrictions{$chain} , $restrictions{$chain} ,
do_proto( $proto, $ports, $sports) . do_user( $user ) . do_test( $testval, $mask ) . do_tos( $tos ) . do_connbytes( $connbytes ), do_proto( $proto, $ports, $sports) . do_user( $user ) . do_test( $testval, $mask ) . do_tos( $tos ) . do_connbytes( $connbytes ) . do_helper( $helper ),
$source , $source ,
$dest , $dest ,
'' , '' ,
@ -887,12 +887,12 @@ sub setup_tc() {
while ( read_a_line ) { while ( read_a_line ) {
my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes ) = split_line1 2, 11, 'tcrules file'; my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper ) = split_line1 2, 12, 'tcrules file';
if ( $mark eq 'COMMENT' ) { if ( $mark eq 'COMMENT' ) {
process_comment; process_comment;
} else { } else {
process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos, $connbytes; process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos, $connbytes, $helper;
} }
} }
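Review bot: The field order fixed by the split on the changed line in setup_tc — `$tos` tenth, `$connbytes` eleventh, `$helper` twelfth — matches the tcrules template header added in this commit (TOS CONNBYTES HELPER), but the example added to the traffic-shaping document in the same commit heads its columns `TEST CONNBYTES TOS HELPER`, drops LENGTH, and places `sip` in the eleventh field, so that example would reach this code with `$connbytes` set to `sip` and `$helper` left as `-`. The example needs one more `-` before `sip` and a header that follows the template's column order; the parsing here is consistent with the template and needs no change. process_tc_rule begins inside the second hunk but its body, like setup_tc, extends outside the hunks shown.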


@ -840,6 +840,13 @@ ppp0 6000kbit 500kbit</programlisting>
</simplelist> </simplelist>
</blockquote> </blockquote>
</listitem> </listitem>
<listitem>
<para>HELPER (Optional, added in Shorewall version 4.2.0 Beta 2).
Names one of the Netfiler protocol helper modules such as
<emphasis>ftp</emphasis>, <emphasis>sip</emphasis>,
<emphasis>amanda</emphasis>, etc.</para>
</listitem>
</itemizedlist> </itemizedlist>
<example id="Example1"> <example id="Example1">
@ -920,6 +927,22 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - -
packet mark has been set, save it to the connection mark."</para> packet mark has been set, save it to the connection mark."</para>
</blockquote> </blockquote>
</example> </example>
<example>
<title></title>
<para>Mark all forwarded VOIP connections with connection mark 1 and
ensure that all VOIP packets also receive that mark (assumes that
nf_conntrack_sip is loaded and that Shorewall-perl 4.2.0 or later is
being used).</para>
<programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT(S) CLIENT USER/ TEST CONNBYTES TOS HELPER
# PORT(S) GROUP
RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0
CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0
1 0.0.0.0/0 0.0.0.0/0 all - - - - - - sip
SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0</programlisting>
</example>
</section> </section>
<section id="ppp"> <section id="ppp">
@ -1593,4 +1616,4 @@ class htb 1:120 parent 1:1 leaf 120: prio 2 quantum 1900 rate 76000bit ceil 2300
<para>At least one Shorewall user has found this tool helpful: <ulink <para>At least one Shorewall user has found this tool helpful: <ulink
url="http://e2epi.internet2.edu/network-performance-toolkit.html">http://e2epi.internet2.edu/network-performance-toolkit.html</ulink></para> url="http://e2epi.internet2.edu/network-performance-toolkit.html">http://e2epi.internet2.edu/network-performance-toolkit.html</ulink></para>
</section> </section>
</article> </article>


@ -497,6 +497,18 @@
<emphasis role="bold">Normal-Service</emphasis> (0)</programlisting> <emphasis role="bold">Normal-Service</emphasis> (0)</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">HELPER —
"<emphasis>helper</emphasis>"</emphasis></term>
<listitem>
<para>Added in Shorewall-perl 4.2.0 Beta 2. Names a Netfiler
protocol <firstterm>helper</firstterm> module such as
<option>ftp</option>, <option>sip</option>, <option>amanda</option>,
etc.</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>