From c80dacd86a23fccbe9d832f56187df7199f2909a Mon Sep 17 00:00:00 2001 From: teastep Date: Thu, 9 Oct 2003 21:26:08 +0000 Subject: [PATCH] p2pwall integration git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@762 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/changelog.txt | 2 ++ Shorewall/firewall | 27 ++++++++++++++++++++++++--- Shorewall/releasenotes.txt | 21 ++++++++++++++++++++- Shorewall/rules | 2 ++ 4 files changed, 48 insertions(+), 4 deletions(-) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index eb2467a31..749f9bfb7 100755 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -5,3 +5,5 @@ Changes since 1.4.7 2) Applied Andrew Zhoglo's patch that avoids using multiport match for ICMP. + +3) Added support for QUEUE target. diff --git a/Shorewall/firewall b/Shorewall/firewall index db7c2125e..3416925b8 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -2369,7 +2369,7 @@ add_a_rule() [ x$cport = x- ] && cport= case $proto in - tcp|udp|TCP|UDP|6|17) + tcp|TCP|6) if [ -n "$port" ]; then dports="--dport" if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then @@ -2387,7 +2387,28 @@ add_a_rule() fi sports="$sports $cport" fi - ;; + + [ "$target" = QUEUE ] && proto="$proto --syn" + ;; + udp|UDP|17) + if [ -n "$port" ]; then + dports="--dport" + if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then + multiport="$multioption" + dports="--dports" + fi + dports="$dports $port" + fi + + if [ -n "$cport" ]; then + sports="--sport" + if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then + multiport="$multioption" + sports="--sports" + fi + sports="$sports $cport" + fi + ;; icmp|ICMP|1) [ -n "$port" ] && dports="--icmp-type $port" state= 
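Review bot: In the new `tcp|TCP|6)` arm of add_a_rule (second firewall hunk), `[ "$target" = QUEUE ] && proto="$proto --syn"` smuggles an iptables match option through the protocol variable, and the only reason the former `tcp|udp|TCP|UDP|6|17)` arm (first firewall hunk) is split in two is to keep UDP out of that append — the new `udp|UDP|17)` arm appears to be a copy of the tcp arm's port/cport handling, which now has to be kept in sync by hand. Keeping the merged arm and qualifying the append on the protocol instead, `case $proto in tcp|TCP|6) [ "$target" = QUEUE ] && proto="$proto --syn" ;; esac`, avoids the duplication and keeps the SYN-only intent on one line. That line also deserves a comment, since the variable name no longer describes its contents: `# QUEUE hands only connection requests (SYN) to user space; see releasenotes`. What `$target` holds at this point is not visible in the hunk — if it can still carry a `:level` or `<rate>` suffix here, the `= QUEUE` test would miss those spellings and queue every TCP packet of the flow, which is worth confirming. add_a_rule starts before these hunks and continues after them.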
@@ -2873,7 +2894,7 @@ process_rules() while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserset; do temp="${xtarget%:*}" case "${temp%<*}" in - ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE) + ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE) expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserset if [ "x$xclients" = xall ]; then diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 281d13b55..ea512511d 100755 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -24,4 +24,23 @@ None. New Features: -None. +1. A new QUEUE action has been introduced for rules. QUEUE allows you + to pass connection requests to a user-space filter such as p2pwall + (http://p2pwall.sourceforge.net). + + For example, to use p2pwall to filter P2P applications, you would + add the following rules: + + QUEUE loc net tcp + QUEUE loc net udp + QUEUE loc fw udp + + You would normally want to place those two rules BEFORE any ACCEPT + rules for loc->net. + + Note: When the protocol specified is TCP ("tcp", "TCP" or "6"), + Shorewall will only pass connection requests (SYN packets) to user + space. This is for compatibility with p2pwall. + + + diff --git a/Shorewall/rules b/Shorewall/rules index 42f88d437..463368608 100755 --- a/Shorewall/rules +++ b/Shorewall/rules @@ -46,6 +46,8 @@ # to the rules defined for that # (those) zone(s). # LOG -- Simply log the packet and continue. +# QUEUE -- Queue the packet to a user-space +# application such as p2pwall. # # You may rate-limit the rule by optionally # following ACCEPT, DNAT[-], REDIRECT[-] or LOG with
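Review bot: Adding QUEUE to the accepted-target pattern in process_rules also admits `QUEUE:level` and `QUEUE<rate>` spellings, because the `case` tests `${temp%<*}` after `temp="${xtarget%:*}"` has already stripped a log level, yet nothing visible defines what those suffixes mean for QUEUE; the rules-file comment touched by this same commit still lists rate-limiting only for ACCEPT, DNAT[-], REDIRECT[-] or LOG. Either document that the suffixes apply to QUEUE as well, or reject them for this target so a misspelt rate limit does not silently pass validation. A short comment on the new pattern would help the next reader, e.g. `# QUEUE: packet is handed to a user-space filter; add_a_rule restricts TCP to SYN`. If the kernel behaves as ip_queue did, packets queued with no user-space reader attached are dropped rather than accepted, which is a fail-closed property worth stating in the release notes next to the p2pwall example so operators know what happens when the filter is not running. process_rules begins before this hunk and continues beyond it.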