From e0a506151f4a21c335a9c9d811b5c62c39743914 Mon Sep 17 00:00:00 2001
From: teastep <teastep@fbd18981-670d-0410-9b5c-8dc0c1a9a2bb>
Date: Mon, 10 Apr 2006 22:52:10 +0000
Subject: [PATCH] Remove traffic shaping reconfiguration from 'shorewall
 refresh'

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3782 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/changelog.txt    |   3 +
 Shorewall/compiler         |   1 -
 Shorewall/firewall         | 768 ++-----------------------------------
 Shorewall/releasenotes.txt |   6 +-
 4 files changed, 43 insertions(+), 735 deletions(-)

diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 1920c3697..696ca5ad7 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -2,6 +2,9 @@ Changes in 3.2.0 Beta 5
 
 1)  Fix compilation problem on LEAF Bering.
 
+2)  Remove traffic shaping code from the 'firewall' script to avoid
+    unmaintainable code duplication.
+
 Changes in 3.2.0 Beta 4
 
 1)  Fix 'routeback' with bridge ports.
diff --git a/Shorewall/compiler b/Shorewall/compiler
index e43785f82..29e4869e7 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -132,7 +132,6 @@ run_iptables() {
     fi
 
     save_command "$IPTABLES_COMMAND $@"
-
 }
 
 #
diff --git a/Shorewall/firewall b/Shorewall/firewall
index eb10a3d1c..ca0e5152c 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -89,13 +89,15 @@ report () { # $* = message
 # Run iptables and if an error occurs, stop the firewall and quit
 #
 run_iptables() {
-    #
-    # Purge the temporary files that we use to prevent duplicate '-m' specifications
-    #
-    [ -n "$BRIDGING" ]      && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
-    [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
+    if [ -z "$KLUDGEFREE" ]; then
+	#
+	# Purge the temporary files that we use to prevent duplicate '-m' specifications
+	#
+	[ -n "$BRIDGING" ]      && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
+	[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
+    fi
 
-    if ! $IPTABLES $@ ; then
+   if ! $IPTABLES $@ ; then
 	if [ -z "$STOPPING" ]; then
 	    error_message "ERROR: Command \"$IPTABLES $@\" Failed"
 	    stop_firewall
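Review bot: The guard `if [ -z "$KLUDGEFREE" ]; then` tests a control variable that nothing in this patch assigns or documents, and the five-line purge block it wraps is now repeated verbatim here, in qt_iptables and in do_initialize, which works against the commit's own stated aim of avoiding duplication. Hoisting it into a single helper, `purge_match_files() { [ -n "$BRIDGING" ] && rm -f -- "$TMP_DIR/physdev"; [ -n "$IPRANGE_MATCH" ] && rm -f -- "$TMP_DIR/iprange"; }`, called from the three sites would keep the KLUDGEFREE test and the `-f` pre-checks (redundant with `rm -f`) in one place. A one-line comment above the guard saying what KLUDGEFREE means and where it is set, e.g. `# KLUDGEFREE: set by the compiler when duplicate '-m' tracking is not needed — confirm`, would help the next reader, since the changelog does not mention it. The re-indented `   if ! $IPTABLES $@ ; then` now sits at three spaces where the rest of the function uses four. run_iptables continues past the end of this hunk.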
@@ -124,11 +126,13 @@ run_iptables2() {
 # Quietly run iptables
 #
 qt_iptables() {
-    #
-    # Purge the temporary files that we use to prevent duplicate '-m' specifications
-    #
-    [ -n "$BRIDGING" ]      && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
-    [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
+    if [ -z "$KLUDGEFREE" ]; then
+	#
+	# Purge the temporary files that we use to prevent duplicate '-m' specifications
+	#
+	[ -n "$BRIDGING" ]      && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
+	[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
+    fi
 
     qt $IPTABLES $@
 }
@@ -443,7 +447,9 @@ first_chains() #$1 = interface
 #
 iprange_echo()
 {
-    if [ -f $TMP_DIR/iprange ]; then
+    if [ -n "$KLUDGEFREE" ]; then
+	echo "-m iprange $@"
+    elif [ -f $TMP_DIR/iprange ]; then
 	echo $@
     else
 	echo "-m iprange $@"
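Review bot: The new `if [ -n "$KLUDGEFREE" ]` branch and the existing `else` branch both emit the identical `-m iprange $@`, so the three-way conditional can collapse to two arms: `if [ -z "$KLUDGEFREE" ] && [ -f $TMP_DIR/iprange ]; then echo $@; else echo "-m iprange $@"; fi`. The same duplicated-arm shape is added to physdev_echo in the later hunk, where `echo -m physdev $@` appears in both the first and last branch. The closing brace of iprange_echo lies outside this hunk.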
@@ -456,24 +462,28 @@ iprange_echo()
 #
 get_set_flags() # $1 = set name and optional [levels], $2 = src or dst
 {
+    #
+    # Note: There is a lot of unnecessary evaluation in this function just so my text
+    #       editor (kate) doesn't get lost trying to follow the shell syntax for highlighting.
+    #
     local temp setname=$1 options=$2
 
     [ -n "$IPSET_MATCH" ] || fatal_error "Your kernel and/or iptables does not include ipset match: $1"
 
     case $1 in
 	*\[[1-6]\])
-            temp=${1#*\[}
-	    temp=${temp%\]}
-	    setname=${1%\[*}
+	    eval temp='${1#*\[}'
+	    eval temp='${temp%\]}'
+	    eval setname='${1%\[*}'
 	    while [ $temp -gt 1 ]; do
 	       options="$options,$2"
 	       temp=$(($temp - 1))
 	    done
 	    ;;
 	*\[*\])
-	    options=${1#*\[}
-	    options=${options%\]}
-	    setname=${1%\[*}
+	    eval options='${1#*\[}'
+	    eval options='${options%\]}'
+	    eval setname='${1%\[*}'
 	    ;;
 	*)
 	    ;;
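Review bot: The rewritten assignments `eval temp='${1#*\[}'` depend entirely on the single quotes: they hand eval the unexpanded text, so the set name in `$1` is expanded exactly once as a plain assignment and is not re-parsed as shell syntax. The added comment explains the editor-highlighting motivation but not that hazard, so a later cleanup that drops the quotes (`eval temp=${1#*\[}`) would turn the contents of an ipset name into evaluated shell text; the comment should say so, e.g. `# the single quotes are load-bearing: they stop $1 being expanded before eval re-parses the line`. Given that eval adds nothing functionally over the original `temp=${1#*\[}` form, keeping the plain assignments and tolerating the highlighter would be the safer trade. The closing brace of get_set_flags lies outside this hunk.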
@@ -487,7 +497,9 @@ get_set_flags() # $1 = set name and optional [levels], $2 = src or dst
 #
 physdev_echo()
 {
-    if [ -f $TMP_DIR/physdev ]; then
+    if [ -n "$KLUDGEFREE" ]; then
+	echo -m physdev $@
+    elif [ -f $TMP_DIR/physdev ]; then
 	echo $@
     else
 	echo -m physdev $@
@@ -1551,677 +1563,6 @@ setup_ecn() # $1 = file name
     fi
 }
 
-#
-# Set up an exclusion chain
-#
-build_exclusion_chain() # $1 = variable to store chain name into $2 = table, $3 = SOURCE exclusion list, $4 = DESTINATION exclusion list
-{
-    local c=excl_${EXCLUSION_SEQ} net
-
-    EXCLUSION_SEQ=$(( $EXCLUSION_SEQ + 1 ))
-
-    run_iptables -t $2 -N $c
-
-    for net in $(separate_list $3); do
-	run_iptables -t $2 -A $c $(source_ip_range $net) -j RETURN
-    done
-
-    for net in $(separate_list $4); do
-	run_iptables -t $2 -A $c $(dest_ip_range $net) -j RETURN
-    done
-
-    case $2 in
-	filter)
-	    eval exists_${c}=Yes
-	    ;;
-	nat)
-	    eval exists_nat_${c}=Yes
-	    ;;
-    esac
-
-    eval $1=$c
-}
-
-#
-# Arne Bernin's 'tc4shorewall'
-#
-setup_traffic_shaping()
-{
-    local mtu r2q tc_all_devices device mark rate ceil prio options devfile=$(find_file tcdevices) classfile=$(find_file tcclasses) devnum=1
-    mtu=1500
-    r2q=10
-
-    rate_to_kbit() {
-	local rateunit rate
-	rate=$1
-	rateunit=$( echo $rate | sed -e 's/[0-9]*//')
-	rate=$( echo $rate | sed -e 's/[a-z]*//g')
-
-	case $rateunit in
-	    kbit)
-		rate=$rate
-		;;
-	    mbit)
-		rate=$(expr $rate \* 1024)
-		;;
-	    mbps)
-		rate=$(expr $rate \* 8192)
-		;;
-	    kbps)
-		rate=$(expr $rate \* 8)
-		;;
-	    *)
-		rate=$(expr $rate / 128)
-		;;
-	esac
-	echo $rate
-    }
-
-    calculate_quantum() {
-	local rate
-	rate=$1
-	rate=$(rate_to_kbit $rate)
-	rate=$(expr $rate \* 128 / $r2q )
-	if [ $rate -lt $mtu ] ; then
-	    echo $mtu
-	else
-	    echo $rate
-	fi
-    }
-
-    # get given outbandwidth for device
-    get_outband_for_dev() {
-	local device inband outband
-	while read device inband outband; do
-	    expandv device inband outband
-	    tcdev="$device $inband $outband"
-	    if [ "$1" = "$device" ] ; then
-		echo $outband
-		return
-	    fi
-	done < $TMP_DIR/tcdevices
-    }
-
-    check_tcclasses_options() {
-	while [ $# -gt 1 ]; do
-	    shift
-	    case $1 in
-		default|tcp-ack|tos-minimize-delay|tos-maximize-throughput|tos-maximize-reliability|tos-minimize-cost|tos-normal-service)
-		    ;;
-		tos=0x[0-9a-f][0-9a-f]|tos=0x[0-9a-f][0-9a-f]/0x[0-9a-f][0-9a-f])
-		    ;;
-		*)
-		    echo $1
-		    return 1
-		    ;;
-	    esac
-	done
-	return 0
-    }
-
-    get_defmark_for_dev() {
-	local searchdev searchmark device ceil prio options
-	searchdev=$1
-
-	while read device mark rate ceil prio options; do
-	    expandv device mark rate ceil prio options
-	    options=$(separate_list $options | tr '[A-Z]' '[a-z]')
-	    tcdev="$device $mark $rate $ceil $prio $options"
-	    if [ "$searchdev" = "$device" ] ; then
-		list_search "default" $options && echo $mark &&return 0
-	    fi
-	done < $TMP_DIR/tcclasses
-
-	return 1
-    }
-
-    check_defmark_for_dev() {
-	get_defmark_for_dev $1 >/dev/null
-    }
-
-    validate_tcdevices_file() {
-	progress_message2 "Validating $devfile..."
-	local device local device inband outband
-	while read device inband outband; do
-	    expandv device inband outband
-	    tcdev="$device $inband $outband"
-	    check_defmark_for_dev $device || fatal_error "Option default is not defined for any class in tcclasses for interface $device"
-	    case $interface in
-		*:*|+)
-		    fatal_error "Invalid Interface Name: $interface"
-		    ;;
-	    esac
-	    list_search $device $devices && fatal_error "Interface $device is defined more than once in tcdevices"
-	    tc_all_devices="$tc_all_devices $device"
-	done < $TMP_DIR/tcdevices
-    }
-
-    validate_tcclasses_file() {
-	progress_message2 "Validating $classfile..."
-	local classlist device mark rate ceil prio bandw wrongopt allopts opt
-	allopts=""
-	while read device mark rate ceil prio options; do
-	    expandv device mark rate ceil prio options
-	    tcdev="$device $mark $rate $ceil $prio $options"
-	    ratew=$(get_outband_for_dev $device)
-	    options=$(separate_list $options | tr '[A-Z]' '[a-z]')
-	    for opt in $options; do
-	    	case $opt in
-	    	tos=0x??)
-	    	    opt="$opt/0xff"
-	    	    ;;
-		esac
-		    list_search "$device-$opt" $allopts && fatal_error "option $opt already defined in a chain for interface $device in tcclasses"
-		    allopts="$allopts $device-$opt"
-	    done
-	    wrongopt=$(check_tcclasses_options $options) || fatal_error "unknown option $wrongopt for class iface $device mark $mark in tcclasses file"
-	    if [ -z "$ratew" ] ; then
-		fatal_error "device $device seems not to be configured in tcdevices"
-	    fi
-	    list_search "$device-$mark" $classlist && fatal_error "Mark $mark for interface $device defined more than once in tcclasses"
-	    classlist="$classlist $device-$mark"
-	done < $TMP_DIR/tcclasses
-    }
-
-    add_root_tc() {
-	local defmark
-	defmark=$(get_defmark_for_dev $device)
-	qt tc qdisc del dev $device root
-	qt tc qdisc del dev $device ingress
-	run_tc qdisc add dev $device root handle $devnum: htb default 1$defmark
-	run_tc class add dev $device parent $devnum: classid $devnum:1 htb rate $outband
-	run_tc qdisc add dev $device handle ffff: ingress
-	run_tc filter add dev $device parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${inband} burst 10k drop flowid :1
-	eval $(chain_base $device)_devnum=$devnum
-	devnum=$(($devnum + 1))
-    }
-
-    add_tc_class() {
-	local full classid tospair tosmask
-	full=$(get_outband_for_dev $device)
-	full=$(rate_to_kbit $full)
-
-	if [ -z "$prio" ] ; then
-	    prio=1
-	fi
-
-	case $rate in
-	    *full*)
-		rate=$(echo $rate | sed -e "s/full/$full/")
-		rate="$(($rate))kbit"
-		;;
-	esac
-
-	case $ceil in
-	    *full*)
-		ceil=$(echo $ceil | sed -e "s/full/$full/")
-		ceil="$(($ceil))kbit"
-		;;
-	esac
-
-	eval devnum=\$$(chain_base $device)_devnum
-	classid=$devnum:1$mark
-
-	[ -n "$devnum" ] || fatal_error "Device $device not defined in $devfile"
-
-	run_tc class add dev $device parent $devnum:1 classid $classid htb rate $rate ceil $ceil prio $prio quantum $(calculate_quantum $rate)
-	run_tc qdisc add dev $device parent $classid handle 1$mark: sfq perturb 10
-	# add filters
-	if [ -n "$CLASSIFY_TARGET" ]; then
-	    run_iptables -t mangle -A tcpost $(match_dest_dev $device) -m mark --mark $mark -j CLASSIFY --set-class $classid
-	else
-	    run_tc filter add dev $device protocol ip parent $devnum:0 prio 1 handle $mark fw classid $classid
-	fi
-	#options
-	list_search "tcp-ack" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid
-	list_search "tos-minimize-delay" $options       && options="$options tos=0x10/0x10"
-	list_search "tos-maximize-throughput" $options  && options="$options tos=0x08/0x08"
-	list_search "tos-maximize-reliability" $options && options="$options tos=0x04/0x04"
-	list_search "tos-minimize-cost" $options        && options="$options tos=0x02/0x02"
-	list_search "tos-normal-service" $options       && options="$options tos=0x00/0x1e"
-
-	for tospair in $(list_walk "tos=" $options) ; do
-	    case $tospair in
-	    	*/*)
-		    tosmask=${tospair##*/}
-		    ;;
-		*)
-		    tosmask=0xff
-		    ;;
-	    esac
-	    run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos ${tospair%%/*} $tosmask flowid $classid
-	done
-    }
-
-    strip_file tcdevices $devfile
-    strip_file tcclasses $classfile
-
-    validate_tcdevices_file
-    validate_tcclasses_file
-
-    if [ -s $TMP_DIR/tcdevices ]; then
-	progress_message2 "Processing $devfile..."
-
-	while read device inband outband defmark ackmark; do
-	    expandv device inband outband defmark ackmark
-	    tcdev="$device $inband $outband"
-	    add_root_tc
-	    progress_message "   TC Device $tcdev Added."
-	done < $TMP_DIR/tcdevices
-    fi
-
-    if [ -s $TMP_DIR/tcclasses ]; then
-	progress_message2 "Processing $classfile..."
-
-	while read device mark rate ceil prio options; do
-	    expandv device mark rate ceil prio options
-	    tcdev="$device $mark $rate $ceil $prio $options"
-	    options=$(separate_list $options | tr '[A-Z]' '[a-z]')
-	    add_tc_class
-	    progress_message "   TC Class \"$tcdev\" Added."
-	done < $TMP_DIR/tcclasses
-    fi
-
-}
-
-#
-# Process a TC Rule - $MARKING_CHAIN is assumed to contain the name of the
-#                     default marking chain
-#
-process_tc_rule()
-{
-    chain=$MARKING_CHAIN  target="MARK --set-mark" marktest=
-
-    verify_designator() {
-	[ "$chain" = tcout ] && \
-	    fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\""
-	chain=$1
-	mark="${mark%:*}"
-    }
-
-    do_ipp2p()
-    {
-	[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
-	[ "x$port" = "x-" ] && port="ipp2p"
-
-	case $proto in
-	    *:*)
-		proto=${proto#*:}
-		;;
-	    *)
-		proto=tcp
-		;;
-	esac
-
-	r="${r}-p $proto -m ipp2p --${port} "
-    }
-
-    add_a_tc_rule() {
-	r=
-
-	if [ "x$source" != "x-"	 ]; then
-	    case $source in
-		$FW:*)
-		    [ $chain = tcpost ] || chain=tcout
-		    r="$(source_ip_range ${source#*:}) "
-		    ;;
-		*.*.*|+*|!+*)
-		    r="$(source_ip_range $source) "
-		    ;;
-		~*)
-		    r="$(mac_match $source) "
-		    ;;
-		$FW)
-		    [ $chain = tcpost ] || chain=tcout
-		    ;;
-		*)
-		    verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
-		    r="$(match_source_dev $source) "
-		    ;;
-	    esac
-	fi
-
-	if [ "x${user:--}" != "x-" ]; then
-
-	    [ "$chain" != tcout ] && \
-		fatal_error "Invalid use of a user/group: rule \"$rule\""
-
-	    r="$r-m owner"
-
-	    case "$user" in
-		*+*)
-		    r="$r --cmd-owner ${user#*+} "
-		    user=${user%+*}
-		    ;;
-	    esac
-
-	    case "$user" in
-		*:*)
-		    temp="${user%:*}"
-		    [ -n "$temp" ] && r="$r --uid-owner $temp "
-		    temp="${user#*:}"
-		    [ -n "$temp" ] && r="$r --gid-owner $temp "
-		    ;;
-		*)
-		    [ -n "$user" ] && r="$r --uid-owner $user "
-		    ;;
-	    esac
-	fi
-
-	[ -n "$marktest" ] && r="${r}-m ${marktest}--mark $testval "
-
-	if [ "x$dest" != "x-"  ]; then
-	    case $dest in
-		*.*.*|+*|!+*)
-		    r="${r}$(dest_ip_range $dest) "
-		    ;;
-		*)
-		    [ "$chain" = tcpre ] && fatal_error "Destination interface is not allowed in the PREROUTING chain"
-		    verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\""
-		    r="${r}$(match_dest_dev $dest) "
-		    ;;
-	    esac
-	fi
-
-	if [ "x${length:=-}" != "x-" ]; then
-	    [ -n "$LENGTH_MATCH" ] || fatal_error "Your kernel and/or iptables does not have length match support. Rule: \"$rule\""
-	    r="${r}-m length --length ${length} "
-	fi
-
-	multiport=
-
-	case $proto in
-	    ipp2p|IPP2P|ipp2p:*|IPP2P:*)
-		do_ipp2p
-		;;
-	    icmp|ICMP|1)
-		r="${r}-p icmp "
-		[ "x$port"  = "x-" ] || r="${r}--icmp-type $port"
-		;;
-	    *)
-		[ "x$proto" = "x-"  ] && proto=all
-		[ "x$proto" = "x"   ] && proto=all
-		[ "$proto"  = "all" ] || r="${r}-p $proto "
-		[ "x$port"  = "x-"  ] || r="${r}--dport $port "
-		;;
-	esac
-
-	[ "x$sport" = "x-"  ] || r="${r}--sport $sport "
-
-	if [ -n "${excludesources}${excludedests}" ]; then
-	    build_exclusion_chain chain1 mangle "$excludesources" "$excludedests"
-
-	    run_iptables2 -t mangle -A $chain $r -j $chain1
-
-	    run_iptables -t mangle -A $chain1 -j $target $mark
-	else
-	    run_iptables2 -t mangle -A $chain $r -j $target $mark
-	fi
-
-    }
-
-    if [ "$mark" != "${mark%:*}" ]; then
-	case "${mark#*:}" in
-	    p|P)
-		verify_designator tcpre
-		;;
-	    cp|CP)
-		verify_designator tcpre
-		target="CONNMARK --set-mark"
-		;;
-	    f|F)
-		verify_designator tcfor
-		;;
-	    cf|CF)
-		verify_designator tcfor
-		target="CONNMARK --set-mark"
-		;;
-	    c|C)
-		target="CONNMARK --set-mark"
-		mark=${mark%:*}
-		;;
-	    *)
-		chain=tcpost
-		target="CLASSIFY --set-class"
-		;;
-	esac
-
-    fi
-
-    case $mark in
-	SAVE)
-	    target="CONNMARK --save-mark --mask 255"
-	    mark=
-	    ;;
-	SAVE/*)
-	    target="CONNMARK --save-mark --mask"
-	    mark=${mark#*/}
-	    verify_mark $mark
-	    ;;
-	RESTORE)
-	    target="CONNMARK --restore-mark --mask 255"
-	    mark=
-	    ;;
-	RESTORE/*)
-	    target="CONNMARK --restore-mark --mask"
-	    mark=${mark#*/}
-	    verify_mark $mark
-	    ;;
-	CONTINUE)
-	    target=RETURN
-	    mark=
-	    ;;
-	*)
-	    if [ "$chain" != tcpost ]; then
-		verify_mark $mark
-	    fi
-	    ;;
-    esac
-
-    case $testval in
-	-)
-	    ;;
-	!*:C)
-	    marktest="connmark ! "
-	    testval=${testval%:*}
-	    testval=${testval#!}
-	    ;;
-	*:C)
-	    marktest="connmark "
-	    testval=${testval%:*}
-	    ;;
-	!*)
-	    marktest="mark ! "
-	    testval=${testval#!}
-	    ;;
-	*)
-	    [ -n "$testval" ] && marktest="mark "
-	    ;;
-    esac
-
-    if [ -n "$marktest" ] ; then
-	case $testval in
-	    */*)
-		verify_mark ${testval%/*}
-		verify_mark ${testval#*/}
-		;;
-	    *)
-		verify_mark $testval
-		testval=$testval/255
-		;;
-	esac
-    fi
-
-    excludesources=
-
-    case ${sources:=-} in
-	*!*!*)
-	    fatal_error "Invalid SOURCE in rule \"$rule\""
-	    ;;
-	!*)
-	    if [ $(list_count $sourcess) -gt 1 ]; then
-		excludesources=${sources#!}
-		sources=-
-	    fi
-	    ;;
-	*!*)
-	    excludesources=${sources#*!}
-	    sources=${sources%!*}
-	    ;;
-    esac
-
-    excludedests=
-
-    case ${dests:=-} in
-	*!*!*)
-	    fatal_error "Invalid DEST in rule \"$rule\""
-	    ;;
-	!*)
-	    if [ $(list_count $dests) -gt 1 ]; then
-		excludedests=${dests#*!}
-		dests=-
-	    fi
-	    ;;
-	*!*)
-	    excludedests=${dests#*!}
-	    dests=${dests%!*}
-	    ;;
-    esac
-
-    for source in $(separate_list $sources); do
-	for dest in $(separate_list $dests); do
-	    for port in $(separate_list ${ports:=-}); do
-		for sport in $(separate_list ${sports:=-}); do
-		    add_a_tc_rule
-		done
-	    done
-	done
-    done
-
-    progress_message "   TC Rule \"$rule\" added"
-}
-
-#
-# Setup queuing and classes
-#
-setup_tc1() {
-    #
-    # Create the TC mangle chains
-    #
-
-    createmanglechain tcpre
-    createmanglechain tcfor
-    createmanglechain tcout
-    createmanglechain tcpost
-    #
-    # Process the TC Rules File
-    #
-    strip_file tcrules
-
-    while read mark sources dests proto ports sports user testval length; do
-	expandv mark sources dests proto ports sports user testval length
-	rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval $length")
-	process_tc_rule
-    done < $TMP_DIR/tcrules
-    #
-    # Link to the TC mangle chains from the main chains
-    #
-
-    if [ -n "$ROUTEMARK_INTERFACES" ]; then
-	#
-	# Route marks are restored in PREROUTING/OUTPUT prior to these rules. We only send
-	# packets that are not part of a marked connection to the 'tcpre/tcout' chains
-	#
-	run_iptables -t mangle -A PREROUTING  -m mark --mark 0 -j tcpre
-	run_iptables -t mangle -A OUTPUT      -m mark --mark 0 -j tcout
-    else
-	run_iptables -t mangle -A PREROUTING -j tcpre
-	run_iptables -t mangle -A OUTPUT     -j tcout
-    fi
-    run_iptables -t mangle -A FORWARD     -j tcfor
-    run_iptables -t mangle -A POSTROUTING -j tcpost
-
-    if [ -n "$TC_SCRIPT" ]; then
-	run_user_exit $TC_SCRIPT
-    elif [ -n "$TC_ENABLED" ]; then
-	setup_traffic_shaping
-    fi
-}
-
-setup_tc() {
-
-    progress_message2 "Setting up Traffic Control Rules..."
-
-    setup_tc1
-}
-
-#
-# Clear Traffic Shaping
-#
-delete_tc()
-{
-    clear_one_tc() {
-	tc qdisc del dev $1 root 2> /dev/null
-	tc qdisc del dev $1 ingress 2> /dev/null
-
-    }
-
-    run_user_exit tcclear
-
-    run_ip link list | \
-    while read inx interface details; do
-	case $inx in
-	    [0-9]*)
-		clear_one_tc ${interface%:}
-		;;
-	    *)
-		;;
-	esac
-    done
-}
-
-#
-# Refresh queuing and classes
-#
-refresh_tc() {
-
-    progress_message2 "Refreshing Traffic Control Rules..."
-
-    [ -n "$CLEAR_TC" ] && delete_tc1
-
-    [ -n "$MARK_IN_FORWARD_CHAIN" ] && chain=tcfor || chain=tcpre
-
-    if qt $IPTABLES -t mangle -L $chain -n ; then
-        #
-        # Flush the TC mangle chains
-        #
-	run_iptables -t mangle -F tcfor
-	run_iptables -t mangle -F tcpre
-        run_iptables -t mangle -F tcout
-        run_iptables -t mangle -F tcpost
-        #
-        # Process the TC Rules File
-        #
-        strip_file tcrules
-
-	while read mark sources dests proto ports sports user testval length; do
-	    expandv mark sources dests proto ports sports user testval length
-	    rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval $length")
-	    process_tc_rule
-        done < $TMP_DIR/tcrules
-    else
-	setup_tc1
-    fi
-
-    if [ -n "$TC_SCRIPT" ]; then
-	run_user_exit $TC_SCRIPT
-    elif [ -n "$TC_ENABLED" ]; then
-	setup_traffic_shaping
-    fi
-
-}
-
-#
 # Display elements of a list with leading white space
 #
 display_list() # $1 = List Title, rest of $* = list to display
@@ -2229,41 +1570,6 @@ display_list() # $1 = List Title, rest of $* = list to display
     [ $# -gt 1 ] && echo "   $*"
 }
 
-policy_rules() # $1 = chain to add rules to
-	       # $2 = policy
-	       # $3 = loglevel
-{
-    local target="$2"
-
-    case "$target" in
-	ACCEPT)
-	    [ -n "$ACCEPT_common" ] && run_iptables -A $1 -j $ACCEPT_common
-	    ;;
-	DROP)
-	    [ -n "$DROP_common" ] && run_iptables -A $1 -j $DROP_common
-	    ;;
-	REJECT)
-	    [ -n "$REJECT_common" ] && run_iptables -A $1 -j $REJECT_common
-	    target=reject
-	    ;;
-	QUEUE)
-	    [ -n "$QUEUE_common" ] && run_iptables -A $1 -j $QUEUE_common
-	    ;;
-	CONTINUE)
-	    target=
-	    ;;
-	*)
-	    fatal_error "Invalid policy ($policy) for $1"
-	    ;;
-    esac
-
-    if [ $# -eq 3 -a "x${3}" != "x-" ]; then
-	log_rule $3 $1 $2
-    fi
-
-    [ -n "$target" ] && run_iptables -A $1 -j $target
-}
-
 #
 # Add a record to the blacklst chain
 #
@@ -2463,10 +1769,6 @@ refresh_firewall()
     ecn=$(find_file ecn)
 
     [ -f $ecn ] && [ -n "$MANGLE_ENABLED" ] && setup_ecn $ecn
-    #
-    # Refresh Traffic Control
-    #
-    [ -n "$MANGLE_ENABLED" ] && refresh_tc
 
     run_user_exit refreshed
 
@@ -3156,7 +2458,6 @@ do_initialize() {
     FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)
     IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE)
 
-
     case ${IPSECFILE:=ipsec} in
 	ipsec|zones)
 	    ;;
@@ -3216,8 +2517,11 @@ do_initialize() {
 	startup_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall"
     fi
 
-    rm -f $TMP_DIR/physdev
-    rm -f $TMP_DIR/iprange
+    if [ -z "$KLUDGEFREE" ]; then
+	rm -f $TMP_DIR/physdev
+	rm -f $TMP_DIR/iprange
+    fi
+
 }
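Review bot: The new `fi` is followed by an added blank line immediately before the closing `}` of do_initialize, which the surrounding functions do not do. Since TMP_DIR reaches `rm -f` unquoted in the two added lines, `rm -f -- "${TMP_DIR:?}/physdev"` and `rm -f -- "${TMP_DIR:?}/iprange"` would make an unset TMP_DIR a hard error rather than an attempt to remove `/physdev`; I cannot see from this hunk where TMP_DIR is established, so this is a defensive guard rather than a known failure.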
 
 #
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 92ef2baba..5fa5b0e00 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -29,7 +29,7 @@ Note to users upgrading from Shorewall 2.x or 3.0
 
 Problems Corrected in 3.2.0 Beta 5
 
-1)  On systems such as LEAF Bering that either don't have the 'mktemp' utility
+1) On systems such as LEAF Bering that either don't have the 'mktemp' utility
    or whose 'mktemp' cannot create a temporary directory, firewall compilation
    failed with the message:
 
@@ -40,7 +40,9 @@ Problems Corrected in 3.2.0 Beta 5
 
 Other changes in 3.2.0 Beta 5
 
-None.
+1)  The "shorewall refresh" command no longer refreshes traffic shaping.
+    Use "shorewall restart" instead if you need to reprocess the
+    tcrules, tcdevices and tcclasses files.
 
 Migration Considerations: