extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-20 09:47:51 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add FORWARD_CLEAR_MARK option

Browse Source
This commit is contained in:
Tom Eastep 2010-07-03 17:03:42 -07:00
parent 5d1e19364a
commit d3e30b5fe4
6 changed files with 45 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
Shorewall/Perl/Shorewall/Config.pm
View File

@ -461,6 +461,7 @@ sub initialize( $ ) {
DYNAMIC_BLACKLIST => undef, DYNAMIC_BLACKLIST => undef,
LOAD_HELPERS_ONLY => undef, LOAD_HELPERS_ONLY => undef,
REQUIRE_INTERFACE => undef, REQUIRE_INTERFACE => undef,
FORWARD_CLEAR_MARK => undef,
# #
# Packet Disposition # Packet Disposition
# #
@ -582,6 +583,7 @@ sub initialize( $ ) {
DYNAMIC_BLACKLIST => undef, DYNAMIC_BLACKLIST => undef,
LOAD_HELPERS_ONLY => undef, LOAD_HELPERS_ONLY => undef,
REQUIRE_INTERFACE => undef, REQUIRE_INTERFACE => undef,
FORWARD_CLEAR_MARK => undef,
# #
# Packet Disposition # Packet Disposition
# #
@ -2952,6 +2954,9 @@ sub get_configuration( $ ) {
default_yes_no 'OPTIMIZE_ACCOUNTING' , ''; default_yes_no 'OPTIMIZE_ACCOUNTING' , '';
default_yes_no 'DYNAMIC_BLACKLIST' , 'Yes'; default_yes_no 'DYNAMIC_BLACKLIST' , 'Yes';
default_yes_no 'REQUIRE_INTERFACE' , ''; default_yes_no 'REQUIRE_INTERFACE' , '';
default_yes_no 'FORWARD_CLEAR_MARK' , have_capability 'MARK' ? 'Yes' : '';
require_capability 'MARK' , 'FOREWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
numeric_option 'TC_BITS', $config{WIDE_TC_MARKS} ? 14 : 8 , 0; numeric_option 'TC_BITS', $config{WIDE_TC_MARKS} ? 14 : 8 , 0;
numeric_option 'MASK_BITS', $config{WIDE_TC_MARKS} ? 16 : 8, $config{TC_BITS}; numeric_option 'MASK_BITS', $config{WIDE_TC_MARKS} ? 16 : 8, $config{TC_BITS};

2
Shorewall/Perl/Shorewall/Tc.pm
View File

@ -1383,7 +1383,7 @@ sub setup_tc() {
add_jump $mangle_table->{OUTPUT} , 'tcout', 0, $mark_part; add_jump $mangle_table->{OUTPUT} , 'tcout', 0, $mark_part;
if ( have_capability( 'MANGLE_FORWARD' ) ) { if ( have_capability( 'MANGLE_FORWARD' ) ) {
add_rule( $mangle_table->{FORWARD}, '-j MARK --set-mark 0' ) if have_capability 'MARK'; add_rule( $mangle_table->{FORWARD}, '-j MARK --set-mark 0' ) if $config{FORWARD_CLEAR_MARK};
add_jump $mangle_table->{FORWARD} , 'tcfor', 0; add_jump $mangle_table->{FORWARD} , 'tcfor', 0;
add_jump $mangle_table->{POSTROUTING} , 'tcpost', 0; add_jump $mangle_table->{POSTROUTING} , 'tcpost', 0;
} }

2
Shorewall/changelog.txt
View File

@ -18,6 +18,8 @@ Changes in Shorewall 4.4.11
8) Make find_hosts_by_option() work correctly where ALL_IP appears in 8) Make find_hosts_by_option() work correctly where ALL_IP appears in
hosts file. hosts file.
9) Add CLEAR_FORWARD_MARK option.
Changes in Shorewall 4.4.10 Changes in Shorewall 4.4.10
1) Fix regression with scripts. 1) Fix regression with scripts.

9
Shorewall/releasenotes.txt
View File

@ -278,6 +278,15 @@ None.
See http://www.shorewall.net/Vserver.html for details. See http://www.shorewall.net/Vserver.html for details.
2) A new CLEAR_FORWARD_MARK option has been added to shorewall.conf
and shorewall6.conf.
Traditionally, Shorewall has cleared the packet mark in the first
rule in the mangle FORWARD chain. This behavior is maintained with
the default setting (CLEAR_FORWARD_MARK=Yes). If the new option is
set to No, packet marks set in the PREROUTING chain are retained in
the FORWARD chains.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
I N P R I O R R E L E A S E S I N P R I O R R E L E A S E S

14
manpages/shorewall.conf.xml
View File

@ -562,6 +562,20 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">FORWARD_CLEAR_MARK=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has
cleared the packet mark in the first rule in the mangle FORWARD
chain. This behavior is maintained with the default setting of this
option (CLEAR_FORWARD_MARK=Yes). If FORWARD_CLEAR_MARK is set to
'No', packet marks set in the mangle PREROUTING chain are retained
in the FORWARD chains.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">HIGH_ROUTE_MARKS=</emphasis>{<emphasis <term><emphasis role="bold">HIGH_ROUTE_MARKS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>

14
manpages6/shorewall6.conf.xml
View File

@ -477,6 +477,20 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">FORWARD_CLEAR_MARK=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has
cleared the packet mark in the first rule in the mangle FORWARD
chain. This behavior is maintained with the default setting of this
option (CLEAR_FORWARD_MARK=Yes). If FORWARD_CLEAR_MARK is set to
'No', packet marks set in the mangle PREROUTING chain are retained
in the FORWARD chains.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">HIGH_ROUTE_MARKS=</emphasis>{<emphasis <term><emphasis role="bold">HIGH_ROUTE_MARKS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>