From ce735e9415e7c43429bf83bffffa33ff586cb7fb Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 22 Dec 2011 15:41:16 -0800 Subject: [PATCH] Allow a chain designator in CLASSIFY rules Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Tc.pm | 23 ++++++++++++++++++----- manpages/shorewall-tcrules.xml | 30 ++++++++++++++++++++++++++++++ manpages6/shorewall6-tcrules.xml | 30 ++++++++++++++++++++++++++++++ 3 files changed, 78 insertions(+), 5 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index 430d7650e..a43d2c4a4 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -104,6 +104,10 @@ my %flow_keys = ( 'src' => 1, 'sk-gid' => 1, 'vlan-tag' => 1 ); +my %designator = ( P => 'tcpre' , + F => 'tcfor' , + T => 'tcpost' ); + my %tosoptions = ( 'tos-minimize-delay' => '0x10/0x10' , 'tos-maximize-throughput' => '0x08/0x08' , 'tos-maximize-reliability' => '0x04/0x04' , @@ -207,15 +211,20 @@ sub process_tc_rule( ) { fatal_error "Invalid MARK ($originalmark)" unless supplied $mark; + my $chain = $globals{MARKING_CHAIN}; + if ( $remainder ) { if ( $originalmark =~ /^\w+\(?.*\)$/ ) { $mark = $originalmark; # Most likely, an IPv6 address is included in the parameter list } else { - fatal_error "Invalid MARK ($originalmark)"; + fatal_error "Invalid MARK ($originalmark)" + unless ( $mark =~ /^([0-9a-fA-F]+)$/ && + $designator =~ /^([0-9a-fA-F]+)$/ && + ( $chain = $designator{$remainder} ) ); + $mark = join( ':', $mark, $designator ); } } - my $chain = $globals{MARKING_CHAIN}; my $target = 'MARK --set-mark'; my $tcsref; my $connmark = 0; 
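Review bot: The new hash `%designator` shares its name with the scalar `$designator` that process_tc_rule already uses (apparently the minor part of the class id), so the later check reads `$designator =~ /^([0-9a-fA-F]+)$/ && ( $chain = $designator{$remainder} )` with two unrelated variables told apart only by the subscript. A distinct name such as `my %designator_chain = ( P => 'tcpre', F => 'tcfor', T => 'tcpost' );` would make the lookup unambiguous. A one-line comment above it would also help, e.g. `# Chain designator letter => chain name (P = PREROUTING, F = FORWARD, T = POSTROUTING)`.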
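Review bot: `$mark = join( ':', $mark, $designator );` overwrites `$mark` with the full `major:minor` string, but the later CLASSIFY branch (the hunk at -259) still passes `$mark` to `normalize_hex` and rebuilds `$originalmark` as `join( ':', normalize_hex( $mark ), normalize_hex( $designator ) )`. On the designator path that rebuild would receive an already-joined value and give a `major:minor:minor`-shaped string, and the class id finally emitted is the raw join rather than the normalized form used when no designator is given. Recording only the chain here (`$chain = $designator{$remainder}`) and composing the class id once, after normalization, would avoid both. The rest of process_tc_rule lies outside the hunk, so how `$originalmark` is consumed after the rebuild should be confirmed.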
@@ -259,7 +268,8 @@ sub process_tc_rule( ) { require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark; } else { - fatal_error "Invalid MARK ($originalmark)" unless $mark =~ /^([0-9a-fA-F]+)$/ and $designator =~ /^([0-9a-fA-F]+)$/; + fatal_error "Invalid MARK ($originalmark)" + unless $remainder || ( $mark =~ /^([0-9a-fA-F]+)$/ and $designator =~ /^([0-9a-fA-F]+)$/ ); if ( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' ) { $originalmark = join( ':', normalize_hex( $mark ), normalize_hex( $designator ) ); @@ -278,9 +288,12 @@ sub process_tc_rule( ) { } } - $chain = 'tcpost'; + unless ( $remainder ) { + $chain = 'tcpost'; + $mark = $originalmark; + } + $classid = 1; - $mark = $originalmark; $target = 'CLASSIFY --set-class'; } } diff --git a/manpages/shorewall-tcrules.xml b/manpages/shorewall-tcrules.xml index fed77c4a3..75c6dc590 100644 --- a/manpages/shorewall-tcrules.xml +++ b/manpages/shorewall-tcrules.xml @@ -202,6 +202,36 @@ preceded by the number 1 (MARK 1 corresponds to minor class 11, MARK 5 corresponds to minor class 15, MARK 22 corresponds to minor class 122, etc.). + + Beginning with Shorewall 4.4.27, the classid may be + optionally followed by ':' and a capital letter designating the + chain where classification is to occur. + + + + F + + + FORWARD chain. + + + + + P + + + PREROUTING chain. + + + + + T + + + POSTROUTING chain. + + + diff --git a/manpages6/shorewall6-tcrules.xml b/manpages6/shorewall6-tcrules.xml index 1158c8073..fa3a1f932 100644 --- a/manpages6/shorewall6-tcrules.xml +++ b/manpages6/shorewall6-tcrules.xml 
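Review bot: The new guard `unless $remainder || ( ... )` skips the hex check whenever `$remainder` is true, yet the earlier block also leaves `$remainder` true on its parenthesised-parameter branch, where `$mark` is set to the whole `$originalmark` and nothing has been validated. If such a value reaches this `else`, it now appears to pass through to `CLASSIFY --set-class` unchecked, where the old code rejected it. `$remainder` is also tested for truth, so a trailing `:0` or an empty third field counts as absent and is silently ignored. A dedicated flag set only where the designator lookup succeeded, e.g. `my $chain_designated = 0;` next to `my $chain`, with `unless $chain_designated || ( ... )` here and in the later `unless ( $remainder )`, would keep the skip tied to the validated path. The enclosing if/else starts outside the hunk.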
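Review bot: The `unless ( $remainder )` block carries no comment saying why the `tcpost` default and the `$mark = $originalmark` reset are skipped, and the reason sits in a block well above this one. A comment such as `# With a chain designator, $chain and $mark were already set when the MARK column was parsed` directly above the block would make that dependency visible to the next reader.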
@@ -202,6 +202,36 @@ preceded by the number 1 (MARK 1 corresponds to minor class 11, MARK 5 corresponds to minor class 15, MARK 22 corresponds to minor class 122, etc.). + + Beginning with Shorewall 4.4.27, the classid may be + optionally followed by ':' and a capital letter designating the + chain where classification is to occur. + + + + F + + + FORWARD chain. + + + + + P + + + PREROUTING chain. + + + + + T + + + POSTROUTING chain. + + +