Restore 4.5.3 compatibility
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
69d735ea0a
commit
cb7fc31f0b
@ -396,8 +396,8 @@ sub process_a_provider() {
|
||||
$gateway = '';
|
||||
}
|
||||
|
||||
my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu, $tproxy , $load ) =
|
||||
(0, $config{TRACK_PROVIDERS}, 0 , 0, $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), '' , 0 , 0 );
|
||||
my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu, $tproxy , $local, $load ) =
|
||||
(0, $config{TRACK_PROVIDERS}, 0 , 0, $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), '' , 0 , 0, 0 );
|
||||
|
||||
unless ( $options eq '-' ) {
|
||||
for my $option ( split_list $options, 'option' ) {
|
||||
@ -434,6 +434,11 @@ sub process_a_provider() {
|
||||
} elsif ( $option eq 'fallback' ) {
|
||||
$default = -1;
|
||||
$default_balance = 0;
|
||||
} elsif ( $option eq 'local' ) {
|
||||
warning_message q(The 'local' provider option is deprecated in favor of 'tproxy');
|
||||
$local = $tproxy = 1;
|
||||
$track = 0 if $config{TRACK_PROVIDERS};
|
||||
$default_balance = 0 if $config{USE_DEFAULT_RT};
|
||||
} elsif ( $option eq 'tproxy' ) {
|
||||
$tproxy = 1;
|
||||
$track = 0 if $config{TRACK_PROVIDERS};
|
||||
@ -455,7 +460,11 @@ sub process_a_provider() {
|
||||
$maxload += $load;
|
||||
}
|
||||
|
||||
if ( $tproxy ) {
|
||||
if ( $local ) {
|
||||
fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
|
||||
fatal_error "'track' not valid with 'local'" if $track;
|
||||
fatal_error "DUPLICATE not valid with 'local'" if $duplicate ne '-';
|
||||
} elsif ( $tproxy ) {
|
||||
fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'none';
|
||||
fatal_error "'track' not valid with 'tproxy'" if $track;
|
||||
fatal_error "DUPLICATE not valid with 'tproxy'" if $duplicate ne '-';
|
||||
@ -472,7 +481,7 @@ sub process_a_provider() {
|
||||
|
||||
require_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' );
|
||||
|
||||
if ( $tproxy ) {
|
||||
if ( $tproxy && ! $local ) {
|
||||
$val = $globals{TPROXY_MARK};
|
||||
$pref = 1;
|
||||
} else {
|
||||
@ -532,6 +541,7 @@ sub process_a_provider() {
|
||||
loose => $loose ,
|
||||
duplicate => $duplicate ,
|
||||
address => $address ,
|
||||
local => $local ,
|
||||
tproxy => $tproxy ,
|
||||
load => $load ,
|
||||
rules => [] ,
|
||||
@ -584,6 +594,7 @@ sub add_a_provider( $$ ) {
|
||||
my $loose = $providerref->{loose};
|
||||
my $duplicate = $providerref->{duplicate};
|
||||
my $address = $providerref->{address};
|
||||
my $local = $providerref->{local};
|
||||
my $tproxy = $providerref->{tproxy};
|
||||
my $load = $providerref->{load};
|
||||
|
||||
@ -639,7 +650,7 @@ CEOF
|
||||
|
||||
if ( $mark ne '-' ) {
|
||||
my $hexmark = in_hex( $mark );
|
||||
my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex( $globals{ $tproxy ? 'TPROXY_MARK' : 'PROVIDER_MASK' } ) : '';
|
||||
my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex( $globals{ $tproxy && ! $local ? 'TPROXY_MARK' : 'PROVIDER_MASK' } ) : '';
|
||||
|
||||
emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $config{DELETE_THEN_ADD};
|
||||
|
||||
|
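Review bot: The `} elsif ( $tproxy ) {` branch in the hunk at `@ -455,7 +460,11` sits inside `if ( $tproxy ) {`, so the condition is always true when reached and reads as if a third case were possible; a plain `else` says what is meant, and since the two branches differ only in the quoted word, one branch with the name interpolated avoids three duplicated `fatal_error` strings: `my $kind = $local ? 'local' : 'tproxy';` / `fatal_error "GATEWAY not valid with '$kind' provider" unless $gatewaycase eq 'none';` / `fatal_error "'track' not valid with '$kind'" if $track;` (and the DUPLICATE line likewise). The deprecated `local` option sets `$local = $tproxy = 1;` in the earlier hunk, so every `$local` provider is also a `$tproxy` provider and the `$tproxy && ! $local` tests in the later hunks depend on that coupling — worth a one-line comment at the `$local = $tproxy = 1;` assignment, e.g. `# 'local' is a tproxy provider whose routing mark comes from MARK rather than TPROXY_MARK`, if that is indeed the distinction the `else` branch at `@ -472,7 +481,7` implements. process_a_provider and add_a_provider both start and end outside these hunks.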
@ -202,15 +202,17 @@ sub process_tc_rule( ) {
|
||||
my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp );
|
||||
if ( $family == F_IPV4 ) {
|
||||
( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp ) =
|
||||
split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 }, undef , 14;
|
||||
split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 }, { COMMENT => 0, FORMAT => 2 } , 14;
|
||||
$headers = '-';
|
||||
} else {
|
||||
( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp ) =
|
||||
split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 }, undef, 15;
|
||||
split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 }, { COMMENT => 0, FORMAT => 2 }, 15;
|
||||
}
|
||||
|
||||
our @tccmd;
|
||||
|
||||
our $format;
|
||||
|
||||
fatal_error 'MARK must be specified' if $originalmark eq '-';
|
||||
|
||||
if ( $originalmark eq 'COMMENT' ) {
|
||||
@ -218,6 +220,15 @@ sub process_tc_rule( ) {
|
||||
return;
|
||||
}
|
||||
|
||||
if ( $originalmark eq 'FORMAT' ) {
|
||||
if ( $source =~ /^([12])$/ ) {
|
||||
$format = $1;
|
||||
return;
|
||||
}
|
||||
|
||||
fatal_error "Invalid FORMAT ($source)";
|
||||
}
|
||||
|
||||
my ( $mark, $designator, $remainder ) = split( /:/, $originalmark, 3 );
|
||||
|
||||
fatal_error "Invalid MARK ($originalmark)" unless supplied $mark;
|
||||
@ -301,6 +312,7 @@ sub process_tc_rule( ) {
|
||||
$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
|
||||
},
|
||||
DIVERT => sub() {
|
||||
fatal_error "Invalid MARK ($originalmark)" unless $format == 2;
|
||||
fatal_error "Invalid DIVERT specification( $cmd/$rest )" if $rest;
|
||||
|
||||
$chain = 'tproxy';
|
||||
@ -327,12 +339,28 @@ sub process_tc_rule( ) {
|
||||
$cmd =~ /TPROXY\((.+?)\)$/;
|
||||
|
||||
my $params = $1;
|
||||
my ( $port, $ip, $bad );
|
||||
|
||||
fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;
|
||||
if ( $format == 1 ) {
|
||||
fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;
|
||||
|
||||
( my $port, my $ip, my $bad ) = split ',', $params;
|
||||
( $mark, $port, $ip, $bad ) = split_list $params, 'Parameter';
|
||||
|
||||
fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
|
||||
fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
|
||||
|
||||
warning_message "TPROXY is deprecated in a format-1 tcrules file";
|
||||
} else {
|
||||
if ( $params ) {
|
||||
( $port, $ip, $bad ) = split_list $params, 'Parameter';
|
||||
|
||||
fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
|
||||
|
||||
} else {
|
||||
fatal_error "Invalid TPROXY specification ($cmd)" unless $cmd eq 'TPROXY' || $cmd eq 'TPROXY()';
|
||||
}
|
||||
|
||||
$mark = in_hex( $globals{TPROXY_MARK} ) . '/' . in_hex( $globals{TPROXY_MARK} );
|
||||
}
|
||||
|
||||
if ( $port ) {
|
||||
$port = validate_port( 'tcp', $port );
|
||||
@ -352,8 +380,6 @@ sub process_tc_rule( ) {
|
||||
}
|
||||
|
||||
$target .= ' --tproxy-mark';
|
||||
|
||||
$mark = in_hex( $globals{TPROXY_MARK} ) . '/' . in_hex( $globals{TPROXY_MARK} );
|
||||
},
|
||||
TTL => sub() {
|
||||
fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
|
||||
@ -1938,12 +1964,12 @@ sub setup_tc() {
|
||||
if ( $config{MANGLE_ENABLED} ) {
|
||||
ensure_mangle_chain 'tcpre';
|
||||
ensure_mangle_chain 'tcout';
|
||||
ensure_mangle_chain 'tproxy';
|
||||
|
||||
if ( have_capability( 'MANGLE_FORWARD' ) ) {
|
||||
ensure_mangle_chain 'tcfor';
|
||||
ensure_mangle_chain 'tcpost';
|
||||
ensure_mangle_chain 'tcin';
|
||||
ensure_mangle_chain 'tproxy';
|
||||
}
|
||||
|
||||
my @mark_part;
|
||||
@ -1961,7 +1987,7 @@ sub setup_tc() {
|
||||
}
|
||||
}
|
||||
|
||||
add_ijump $mangle_table->{PREROUTING} , j => 'tproxy' if $mangle_table->{tproxy}{referenced};
|
||||
add_ijump $mangle_table->{PREROUTING} , j => 'tproxy';
|
||||
add_ijump $mangle_table->{PREROUTING} , j => 'tcpre', @mark_part;
|
||||
add_ijump $mangle_table->{OUTPUT} , j => 'tcout', @mark_part;
|
||||
|
||||
@ -2073,7 +2099,10 @@ sub setup_tc() {
|
||||
process_tc_rule while read_a_line( NORMAL_READ );
|
||||
|
||||
clear_comment;
|
||||
|
||||
}
|
||||
|
||||
delete_jumps( $mangle_table->{PREROUTING}, $mangle_table->{tproxy} ) unless @{$mangle_table->{tproxy}{rules}};
|
||||
}
|
||||
|
||||
if ( $config{MANGLE_ENABLED} ) {
|
||||
|
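Review bot: In the hunk at `@ -327,12 +339,28` the unconditional `fatal_error ... unless defined $params` guard was dropped, but `my $params = $1;` still follows an unchecked `$cmd =~ /TPROXY\((.+?)\)$/`; on a failed match `$1` keeps the value of the last successful capture in the enclosing dynamic scope, so the format-2 path `if ( $params )` may see stale text as TPROXY parameters. Capturing in list context yields undef on failure and removes the dependence: `my ( $params ) = $cmd =~ /TPROXY\((.+?)\)$/;`. Separately, `our $format;` in the first hunk has no initializer, so unless setup_tc sets it to 1 outside these hunks, a tcrules file with no FORMAT line takes the `else` (format 2) branch at `if ( $format == 1 )` and warns on `$format == 2` in DIVERT, while the accompanying manpage calls FORMAT 1 the default — `our $format = 1;` at the point of initialisation would match the documentation, if that is the intent. The `delete_jumps( ... ) unless @{$mangle_table->{tproxy}{rules}};` line in the last hunk dereferences a chain that is only created under `MANGLE_ENABLED`; if its enclosing block is not guarded by that setting (the block's opening is outside the hunk), the rvalue deref of an undefined `rules` dies under strict refs.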
@ -38,6 +38,34 @@
|
||||
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink>.</para>
|
||||
</important>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.4, the tcrules file supports two
|
||||
different formats:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>FORMAT 1 (default - deprecated)</term>
|
||||
|
||||
<listitem>
|
||||
<para>The older limited-function version of TPROXY is
|
||||
supported.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>FORMAT 2</term>
|
||||
|
||||
<listitem>
|
||||
<para>The newer version of TPROXY is supported.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>The format is specified by a line as follows:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><emphasis role="bold">FORMAT {1|2}</emphasis></para>
|
||||
</blockquote>
|
||||
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
@ -410,18 +438,54 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
<listitem>
|
||||
<para><emphasis role="bold">DIVERT</emphasis></para>
|
||||
|
||||
<para>Added in Shorewall 4.5.3. Two DIVERT rule should preceed
|
||||
the TPROXY rule and should select DEST PORT tcp 80 and SOURCE
|
||||
PORT tcp 80 respectively (assuming that tcp port 80 is being
|
||||
proxied). DIVERT avoids sending packets to the TPROXY target
|
||||
once a socket connection to Squid3 has been established by
|
||||
TPROXY. DIVERT marks the packet with a unique mark and exempts
|
||||
it from any rules that follow.</para>
|
||||
<para>Added in Shorewall 4.5.4 and only available when FORMAT is
|
||||
2. Two DIVERT rule should preceed the TPROXY rule and should
|
||||
select DEST PORT tcp 80 and SOURCE PORT tcp 80 respectively
|
||||
(assuming that tcp port 80 is being proxied). DIVERT avoids
|
||||
sending packets to the TPROXY target once a socket connection to
|
||||
Squid3 has been established by TPROXY. DIVERT marks the packet
|
||||
with a unique mark and exempts it from any rules that
|
||||
follow.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis
|
||||
role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>][,<replaceable>address</replaceable>])</para>
|
||||
role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])
|
||||
-- FORMAT 1</para>
|
||||
|
||||
<para>Transparently redirects a packet without altering the IP
|
||||
header. Requires a local provider to be defined in <ulink
|
||||
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
||||
|
||||
<para>There are three parameters to TPROXY - only the first
|
||||
(mark) is required:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para><replaceable>mark</replaceable> - the MARK value
|
||||
corresponding to the local provider in <ulink
|
||||
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><replaceable>port</replaceable> - the port on which
|
||||
the proxy server is listening. If omitted, the original
|
||||
destination port.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><replaceable>address</replaceable> - a local (to the
|
||||
firewall) IP address on which the proxy server is listening.
|
||||
If omitted, the IP address of the interface on which the
|
||||
request arrives.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis
|
||||
role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>][,<replaceable>address</replaceable>])
|
||||
-- FORMAT 2</para>
|
||||
|
||||
<para>Transparently redirects a packet without altering the IP
|
||||
header. Requires a tproxy provider to be defined in <ulink
|
||||
|
@ -38,6 +38,34 @@
|
||||
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink>.</para>
|
||||
</important>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.4, the tcrules file supports two
|
||||
different formats:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>FORMAT 1 (default - deprecated)</term>
|
||||
|
||||
<listitem>
|
||||
<para>The older limited-function version of TPROXY is
|
||||
supported.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>FORMAT 2</term>
|
||||
|
||||
<listitem>
|
||||
<para>The newer version of TPROXY is supported.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>The format is specified by a line as follows:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><emphasis role="bold">FORMAT {1|2}</emphasis></para>
|
||||
</blockquote>
|
||||
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
@ -318,7 +346,42 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis
|
||||
role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para>
|
||||
role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])
|
||||
-- FORMAT 1</para>
|
||||
|
||||
<para>Transparently redirects a packet without altering the IP
|
||||
header. Requires a local provider to be defined in <ulink
|
||||
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
|
||||
|
||||
<para>There are three parameters to TPROXY - only the first
|
||||
(mark) is required:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para><replaceable>mark</replaceable> - the MARK value
|
||||
corresponding to the local provider in <ulink
|
||||
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><replaceable>port</replaceable> - the port on which
|
||||
the proxy server is listening. If omitted, the original
|
||||
destination port.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><replaceable>address</replaceable> - a local (to the
|
||||
firewall) IP address on which the proxy server is listening.
|
||||
If omitted, the IP address of the interface on which the
|
||||
request arrives.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis
|
||||
role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])
|
||||
-- FORMAT 2</para>
|
||||
|
||||
<para>Transparently redirects a packet without altering the IP
|
||||
header. Requires a local provider to be defined in <ulink
|
||||
|