Restore 4.5.3 compatibility

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-05-10 14:23:33 -07:00
parent 69d735ea0a
commit cb7fc31f0b
4 changed files with 190 additions and 23 deletions

View File

@ -396,8 +396,8 @@ sub process_a_provider() {
$gateway = '';
}
my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu, $tproxy , $load ) =
(0, $config{TRACK_PROVIDERS}, 0 , 0, $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), '' , 0 , 0 );
my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu, $tproxy , $local, $load ) =
(0, $config{TRACK_PROVIDERS}, 0 , 0, $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), '' , 0 , 0, 0 );
unless ( $options eq '-' ) {
for my $option ( split_list $options, 'option' ) {
@ -434,6 +434,11 @@ sub process_a_provider() {
} elsif ( $option eq 'fallback' ) {
$default = -1;
$default_balance = 0;
} elsif ( $option eq 'local' ) {
warning_message q(The 'local' provider option is deprecated in favor of 'tproxy');
$local = $tproxy = 1;
$track = 0 if $config{TRACK_PROVIDERS};
$default_balance = 0 if $config{USE_DEFAULT_RT};
} elsif ( $option eq 'tproxy' ) {
$tproxy = 1;
$track = 0 if $config{TRACK_PROVIDERS};
@ -455,7 +460,11 @@ sub process_a_provider() {
$maxload += $load;
}
if ( $tproxy ) {
if ( $local ) {
fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
fatal_error "'track' not valid with 'local'" if $track;
fatal_error "DUPLICATE not valid with 'local'" if $duplicate ne '-';
} elsif ( $tproxy ) {
fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'none';
fatal_error "'track' not valid with 'tproxy'" if $track;
fatal_error "DUPLICATE not valid with 'tproxy'" if $duplicate ne '-';
@ -472,7 +481,7 @@ sub process_a_provider() {
require_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' );
if ( $tproxy ) {
if ( $tproxy && ! $local ) {
$val = $globals{TPROXY_MARK};
$pref = 1;
} else {
@ -532,6 +541,7 @@ sub process_a_provider() {
loose => $loose ,
duplicate => $duplicate ,
address => $address ,
local => $local ,
tproxy => $tproxy ,
load => $load ,
rules => [] ,
@ -584,6 +594,7 @@ sub add_a_provider( $$ ) {
my $loose = $providerref->{loose};
my $duplicate = $providerref->{duplicate};
my $address = $providerref->{address};
my $local = $providerref->{local};
my $tproxy = $providerref->{tproxy};
my $load = $providerref->{load};
@ -639,7 +650,7 @@ CEOF
if ( $mark ne '-' ) {
my $hexmark = in_hex( $mark );
my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex( $globals{ $tproxy ? 'TPROXY_MARK' : 'PROVIDER_MASK' } ) : '';
my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex( $globals{ $tproxy && ! $local ? 'TPROXY_MARK' : 'PROVIDER_MASK' } ) : '';
emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $config{DELETE_THEN_ADD};

View File

@ -202,15 +202,17 @@ sub process_tc_rule( ) {
my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp );
if ( $family == F_IPV4 ) {
( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp ) =
split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 }, undef , 14;
split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 }, { COMMENT => 0, FORMAT => 2 } , 14;
$headers = '-';
} else {
( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp ) =
split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 }, undef, 15;
split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 }, { COMMENT => 0, FORMAT => 2 }, 15;
}
our @tccmd;
our $format;
fatal_error 'MARK must be specified' if $originalmark eq '-';
if ( $originalmark eq 'COMMENT' ) {
@ -218,6 +220,15 @@ sub process_tc_rule( ) {
return;
}
if ( $originalmark eq 'FORMAT' ) {
if ( $source =~ /^([12])$/ ) {
$format = $1;
return;
}
fatal_error "Invalid FORMAT ($source)";
}
my ( $mark, $designator, $remainder ) = split( /:/, $originalmark, 3 );
fatal_error "Invalid MARK ($originalmark)" unless supplied $mark;
@ -301,6 +312,7 @@ sub process_tc_rule( ) {
$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
},
DIVERT => sub() {
fatal_error "Invalid MARK ($originalmark)" unless $format == 2;
fatal_error "Invalid DIVERT specification( $cmd/$rest )" if $rest;
$chain = 'tproxy';
@ -327,12 +339,28 @@ sub process_tc_rule( ) {
$cmd =~ /TPROXY\((.+?)\)$/;
my $params = $1;
my ( $port, $ip, $bad );
fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;
if ( $format == 1 ) {
fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;
( my $port, my $ip, my $bad ) = split ',', $params;
( $mark, $port, $ip, $bad ) = split_list $params, 'Parameter';
fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
warning_message "TPROXY is deprecated in a format-1 tcrules file";
} else {
if ( $params ) {
( $port, $ip, $bad ) = split_list $params, 'Parameter';
fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
} else {
fatal_error "Invalid TPROXY specification ($cmd)" unless $cmd eq 'TPROXY' || $cmd eq 'TPROXY()';
}
$mark = in_hex( $globals{TPROXY_MARK} ) . '/' . in_hex( $globals{TPROXY_MARK} );
}
if ( $port ) {
$port = validate_port( 'tcp', $port );
@ -352,8 +380,6 @@ sub process_tc_rule( ) {
}
$target .= ' --tproxy-mark';
$mark = in_hex( $globals{TPROXY_MARK} ) . '/' . in_hex( $globals{TPROXY_MARK} );
},
TTL => sub() {
fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
@ -1938,12 +1964,12 @@ sub setup_tc() {
if ( $config{MANGLE_ENABLED} ) {
ensure_mangle_chain 'tcpre';
ensure_mangle_chain 'tcout';
ensure_mangle_chain 'tproxy';
if ( have_capability( 'MANGLE_FORWARD' ) ) {
ensure_mangle_chain 'tcfor';
ensure_mangle_chain 'tcpost';
ensure_mangle_chain 'tcin';
ensure_mangle_chain 'tproxy';
}
my @mark_part;
@ -1961,7 +1987,7 @@ sub setup_tc() {
}
}
add_ijump $mangle_table->{PREROUTING} , j => 'tproxy' if $mangle_table->{tproxy}{referenced};
add_ijump $mangle_table->{PREROUTING} , j => 'tproxy';
add_ijump $mangle_table->{PREROUTING} , j => 'tcpre', @mark_part;
add_ijump $mangle_table->{OUTPUT} , j => 'tcout', @mark_part;
@ -2073,7 +2099,10 @@ sub setup_tc() {
process_tc_rule while read_a_line( NORMAL_READ );
clear_comment;
}
delete_jumps( $mangle_table->{PREROUTING}, $mangle_table->{tproxy} ) unless @{$mangle_table->{tproxy}{rules}};
}
if ( $config{MANGLE_ENABLED} ) {

View File

@ -38,6 +38,34 @@
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink>.</para>
</important>
<para>Beginning with Shorewall 4.5.4, the tcrules file supports two
different formats:</para>
<variablelist>
<varlistentry>
<term>FORMAT 1 (default - deprecated)</term>
<listitem>
<para>The older limited-function version of TPROXY is
supported.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>FORMAT 2</term>
<listitem>
<para>The newer version of TPROXY is supported.</para>
</listitem>
</varlistentry>
</variablelist>
<para>The format is specified by a line as follows:</para>
<blockquote>
<para><emphasis role="bold">FORMAT {1|2}</emphasis></para>
</blockquote>
<para>The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
the alternate specification syntax).</para>
@ -410,18 +438,54 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
<listitem>
<para><emphasis role="bold">DIVERT</emphasis></para>
<para>Added in Shorewall 4.5.3. Two DIVERT rule should preceed
the TPROXY rule and should select DEST PORT tcp 80 and SOURCE
PORT tcp 80 respectively (assuming that tcp port 80 is being
proxied). DIVERT avoids sending packets to the TPROXY target
once a socket connection to Squid3 has been established by
TPROXY. DIVERT marks the packet with a unique mark and exempts
it from any rules that follow.</para>
<para>Added in Shorewall 4.5.4 and only available when FORMAT is
2. Two DIVERT rule should preceed the TPROXY rule and should
select DEST PORT tcp 80 and SOURCE PORT tcp 80 respectively
(assuming that tcp port 80 is being proxied). DIVERT avoids
sending packets to the TPROXY target once a socket connection to
Squid3 has been established by TPROXY. DIVERT marks the packet
with a unique mark and exempts it from any rules that
follow.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>][,<replaceable>address</replaceable>])</para>
role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])
-- FORMAT 1</para>
<para>Transparently redirects a packet without altering the IP
header. Requires a local provider to be defined in <ulink
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
<para>There are three parameters to TPROXY - only the first
(mark) is required:</para>
<itemizedlist>
<listitem>
<para><replaceable>mark</replaceable> - the MARK value
corresponding to the local provider in <ulink
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
</listitem>
<listitem>
<para><replaceable>port</replaceable> - the port on which
the proxy server is listening. If omitted, the original
destination port.</para>
</listitem>
<listitem>
<para><replaceable>address</replaceable> - a local (to the
firewall) IP address on which the proxy server is listening.
If omitted, the IP address of the interface on which the
request arrives.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para><emphasis
role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>][,<replaceable>address</replaceable>])
-- FORMAT 2</para>
<para>Transparently redirects a packet without altering the IP
header. Requires a tproxy provider to be defined in <ulink

View File

@ -38,6 +38,34 @@
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink>.</para>
</important>
<para>Beginning with Shorewall 4.5.4, the tcrules file supports two
different formats:</para>
<variablelist>
<varlistentry>
<term>FORMAT 1 (default - deprecated)</term>
<listitem>
<para>The older limited-function version of TPROXY is
supported.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>FORMAT 2</term>
<listitem>
<para>The newer version of TPROXY is supported.</para>
</listitem>
</varlistentry>
</variablelist>
<para>The format is specified by a line as follows:</para>
<blockquote>
<para><emphasis role="bold">FORMAT {1|2}</emphasis></para>
</blockquote>
<para>The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
the alternate specification syntax).</para>
@ -318,7 +346,42 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
<listitem>
<para><emphasis
role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para>
role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])
-- FORMAT 1</para>
<para>Transparently redirects a packet without altering the IP
header. Requires a local provider to be defined in <ulink
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
<para>There are three parameters to TPROXY - only the first
(mark) is required:</para>
<itemizedlist>
<listitem>
<para><replaceable>mark</replaceable> - the MARK value
corresponding to the local provider in <ulink
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
</listitem>
<listitem>
<para><replaceable>port</replaceable> - the port on which
the proxy server is listening. If omitted, the original
destination port.</para>
</listitem>
<listitem>
<para><replaceable>address</replaceable> - a local (to the
firewall) IP address on which the proxy server is listening.
If omitted, the IP address of the interface on which the
request arrives.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para><emphasis
role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])
-- FORMAT 2</para>
<para>Transparently redirects a packet without altering the IP
header. Requires a local provider to be defined in <ulink