From e0cc8f04806182e1e95ae41c13a872b0db819060 Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 5 Apr 2006 02:08:33 +0000
Subject: [PATCH] Phase II of breaking marks into two smaller marks

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3773 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/changelog.txt | 2 ++
 Shorewall/compiler | 3 ++-
 Shorewall/functions | 13 +++++++++++--
 Shorewall/releasenotes.txt | 26 ++++++++++++++++++++++++++
 Shorewall/shorecap | 11 ++++++++++-
 5 files changed, 51 insertions(+), 4 deletions(-)

diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index c859bf179..0af954668 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -6,6 +6,8 @@ Changes in 3.2.0 Beta 4
 3) Fix mktempdir problem.
+4) Implement HIGH_ROUTE_MARKS
+
 Changes in 3.2.0 Beta 3
 1) Correct handling of verbosity in the 'try' command.
diff --git a/Shorewall/compiler b/Shorewall/compiler
index 13e01e704..7f06f7673 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -9297,8 +9297,9 @@ do_initialize() {
     IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE)
     HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS)
     [ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
+    [ -n "$XMARK" ] || XCONNMARK=
-    [ -n "$HIGH_ROUTE_MARKS" -a -z "$XCONNMARK" ] && fatal_error "HIGH_ROUTE_MARKS=Yes requires extended CONNMARK target and extended CONNMARK match support"
+    [ -n "$HIGH_ROUTE_MARKS" -a -z "$XCONNMARK" ] && fatal_error "HIGH_ROUTE_MARKS=Yes requires extended CONNMARK target, extended CONNMARK match support and extended MARK support"
     case ${IPSECFILE:=ipsec} in
     ipsec|zones)
diff --git a/Shorewall/functions b/Shorewall/functions
index 428ca86f2..f01a23127 100644
--- a/Shorewall/functions
+++ b/Shorewall/functions
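Review bot: The added line `[ -n "$XMARK" ] || XCONNMARK=` clears the extended-CONNMARK-target flag when only the extended MARK target is missing, so any later compiler code that keys off XCONNMARK (outside this hunk) would treat CONNMARK --mask as unavailable even though the probe found it; the existing XCONNMARK_MATCH line already overloads the variable, and this hunk extends that to a third capability. Testing the new flag directly keeps each capability variable meaningful: drop the added line and write the check as `[ -n "$HIGH_ROUTE_MARKS" ] && [ -z "$XCONNMARK" -o -z "$XMARK" ] && fatal_error "HIGH_ROUTE_MARKS=Yes requires extended CONNMARK target, extended CONNMARK match support and extended MARK support"`. A diagnostic that names the specific capability that was not found would also shorten troubleshooting on older kernels. do_initialize continues on both sides of the hunk.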
@@ -1137,6 +1137,8 @@ determine_capabilities() {
     ENHANCED_REJECT=
     USEPKTTYPE=
     KLUDGEFREE=
+    MARK=
+    XMARK=
     qt $IPTABLES -N fooX1234
     qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
@@ -1170,6 +1172,11 @@ determine_capabilities() {
     qt $IPTABLES -t mangle -N fooX1234
+    if qt $IPTABLES -t mangle -A fooX1234 -j MARK --set-mark 1; then
+        MARK=Yes
+        qt $IPTABLES -t mangle -A fooX1234 -j MARK --and-mark 0xFF && XMARK=Yes
+    fi
+
     if qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark; then
         CONNMARK=Yes
         qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes
@@ -1225,14 +1232,16 @@ report_capabilities() {
         report_capability "Owner Match" $OWNER_MATCH
         report_capability "Ipset Match" $IPSET_MATCH
         report_capability "CONNMARK Target" $CONNMARK
-        report_capability "Extended CONNMARK Target" $XCONNMARK
+        [ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
         report_capability "Connmark Match" $CONNMARK_MATCH
-        report_capability "Extended Connmark Match" $XCONNMARK_MATCH
+        [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
         report_capability "Raw Table" $RAW_TABLE
         report_capability "IPP2P Match" $IPP2P_MATCH
         report_capability "CLASSIFY Target" $CLASSIFY_TARGET
         report_capability "Extended REJECT" $ENHANCED_REJECT
         report_capability "Repeat match" $KLUDGEFREE
+        report_capability "MARK Target" $MARK
+        [ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
     fi
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 626b9f1fa..afcc127de 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
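Review bot: The MARK/XMARK probe added in the second hunk (@@ -1170) is repeated verbatim in Shorewall/shorecap's determine_capabilities (its @@ -267 hunk), and nothing at either site says the two must move together; a one-line comment on both copies, `# NOTE: shorecap carries an identical copy of this probe; keep both in sync`, would prevent the next capability from being added to only one of them. The `--and-mark 0xFF` probe is what the compiler's HIGH_ROUTE_MARKS check depends on (its fatal_error names extended MARK support), so a comment here such as `# XMARK (--and-mark) is required by HIGH_ROUTE_MARKS=Yes` would explain why a second rule is tried. Whether the rules appended to fooX1234 are flushed afterwards is decided outside the hunk; determine_capabilities continues on both sides.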
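Review bot: In the third hunk (@@ -1225) the two new MARK entries are appended after "Repeat match" instead of beside the "CONNMARK Target" entries they parallel, so the mark-related capabilities end up split across the report; moving `report_capability "MARK Target" $MARK` and its guarded "Extended MARK Target" line up to follow the CONNMARK pair keeps related lines together. The `[ -n "$MARK" ] && …` guard itself matches the new CONNMARK guards, so only placement is in question. report_capabilities continues on both sides of the hunk.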
@@ -95,6 +95,32 @@ Other changes in 3.2.0 Beta 4
 #PROVIDER PRIORITY SOURCE DEST
 ISP1 1000 eth1
+2) Prior to now, it has not been possible to use connection marking in
+   /etc/shorewall/tcrules if you have a multi-ISP configuration that uses the
+   'track' option.
+
+   Beginning with this release, you may now set HIGH_ROUTE_MARKS=Yes in
+   shorewall.conf to effectively divide the packet mark and connection mark
+   into two 8-byte mark fields.
+
+   When you do this:
+
+   a) The MARK field in the providers file must have a value that is
+      less than 65536 and that is a multiple of 256 (using hex
+      representation, the values are 0x0100-0xFF00 with the low-order
+      8 bits being zero).
+
+   b) You may only set those mark values in the FORWARD chain.
+
+   c) Marks used for traffic shaping must still be in the range of 1-255
+      but these may now be set in any chain. If they are set in the
+      FORWARD chain, they must be set before any routing marks (those
+      with values greater than 255).
+
+   d) When you SAVE or RESTORE in tcrules, only the TC mark value is
+      saved or restored. Shorewall handles saving and restoring the
+      routing (provider) marks.
+
 Migration Considerations:
 1) If you are upgrading from Shorewall 2.x, it is essential that you read
diff --git a/Shorewall/shorecap b/Shorewall/shorecap
index f52217a92..b03e38a7c 100755
--- a/Shorewall/shorecap
+++ b/Shorewall/shorecap
@@ -234,6 +234,8 @@ determine_capabilities() {
     ENHANCED_REJECT=
     USEPKTTYPE=
     KLUDGEFREE=
+    MARK=
+    XMARK=
     qt $IPTABLES -N fooX1234
     qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
@@ -267,6 +269,11 @@ determine_capabilities() {
     qt $IPTABLES -t mangle -N fooX1234
+    if qt $IPTABLES -t mangle -A fooX1234 -j MARK --set-mark 1; then
+        MARK=Yes
+        qt $IPTABLES -t mangle -A fooX1234 -j MARK --and-mark 0xFF && XMARK=Yes
+    fi
+
     if qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark; then
         CONNMARK=Yes
         qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes
@@ -308,7 +315,7 @@ report_capabilities() {
     report_capability NAT_ENABLED
     report_capability MANGLE_ENABLED
     report_capability MULTIPORT
-    [ -n "$MULTIPORT" ] && report_capability XMULTIPORT
+    report_capability XMULTIPORT
     report_capability CONNTRACK_MATCH
     report_capability USEPKTTYPE
     report_capability POLICY_MATCH
@@ -327,6 +334,8 @@ report_capabilities() {
     report_capability CLASSIFY_TARGET
     report_capability ENHANCED_REJECT
     report_capability KLUDGEFREE
+    report_capability MARK
+    report_capability XMARK
 }
 load_kernel_modules
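Review bot: Reporting XMULTIPORT unconditionally (@@ -308) is unrelated to the MARK work the commit describes and does not appear in the changelog hunk, so the reason for the change is not recorded anywhere in the patch; if the intent is that the generated capabilities file must define every variable (which the unconditional `report_capability MARK` and `report_capability XMARK` lines in the last hunk also suggest), a comment at the top of the report block, `# Emit every capability, set or empty, so a sourced capabilities file overrides stale values`, would make that rule explicit for the next variable added. Whether XMULTIPORT is cleared when MULTIPORT is absent is decided outside this hunk, so I cannot tell from here whether the dropped guard changes the emitted value. report_capabilities starts outside the hunk.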