diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index d791c92d1..d25413877 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -113,6 +113,7 @@ our @EXPORT = ( qw(
 OPTIONS
 IPTABLES
 TARPIT
+ MARKRULE
 FILTER_TABLE
 NAT_TABLE
 MANGLE_TABLE
@@ -281,7 +282,7 @@ our %EXPORT_TAGS = (
 get_interface_address
 get_interface_addresses
 get_interface_bcasts
- get_interface_acasts
+ get_interface_acastst
 interface_gateway
 get_interface_gateway
 get_interface_mac
@@ -461,6 +462,7 @@ use constant { STANDARD => 0x1, #defined by Netfilter
 OPTIONS => 0x80000, #Target Accepts Options
 IPTABLES => 0x100000, #IPTABLES or IP6TABLES
 TARPIT => 0x200000, #TARPIT
+ MARKRULE => 0x400000, #MARK-oriented rules
 FILTER_TABLE => 0x1000000,
 MANGLE_TABLE => 0x2000000,
@@ -3186,14 +3188,14 @@ sub initialize_chain_table($) {
 'ACCEPT+' => STANDARD + NONAT,
 'ACCEPT!' => STANDARD,
 'ADD' => STANDARD + SET,
- 'AUDIT' => STANDARD + AUDIT + OPTIONS,
+ 'AUDIT' => STANDARD + AUDIT + OPTIONS,
 'A_ACCEPT' => STANDARD + AUDIT,
- 'A_ACCEPT+' => STANDARD + NONAT + AUDIT,
+ 'A_ACCEPT+' => STANDARD + NONAT + AUDIT,
 'A_ACCEPT!' => STANDARD + AUDIT,
 'A_DROP' => STANDARD + AUDIT,
 'A_DROP!' => STANDARD + AUDIT,
- 'NONAT' => STANDARD + NONAT + NATONLY,
- 'CONNMARK' => STANDARD + OPTIONS,
+ 'NONAT' => STANDARD + NONAT + NATONLY,
+ 'CONNMARK' => STANDARD + MARKRULE + OPTIONS,
 'CONTINUE' => STANDARD,
 'CONTINUE!' => STANDARD,
 'COUNT' => STANDARD,
@@ -3206,8 +3208,8 @@ sub initialize_chain_table($) {
 'INLINE' => INLINERULE,
 'IPTABLES' => IPTABLES,
 'LOG' => STANDARD + LOGRULE + OPTIONS,
- 'MARK' => STANDARD + OPTIONS,
- 'NFLOG' => STANDARD + LOGRULE + NFLOG + OPTIONS,
+ 'MARK' => STANDARD + MARKRULE + OPTIONS,
+ 'NFLOG' => STANDARD + LOGRULE + NFLOG + OPTIONS,
 'NFQUEUE' => STANDARD + NFQ + OPTIONS,
 'NFQUEUE!' => STANDARD + NFQ,
 'QUEUE' => STANDARD + OPTIONS,
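Review bot: The %EXPORT_TAGS hunk at line 282 changes the entry `get_interface_acasts` to `get_interface_acastst`, which reads as a stray keystroke rather than part of the MARK work; no matching rename of the sub or of its @EXPORT/@EXPORT_OK entry is visible anywhere in this diff. If the sub is still called get_interface_acasts, then depending on how the tag list is folded into @EXPORT_OK, importing that tag will either die in Exporter with an "is not exported" error or silently leave importers without the get_interface_acasts symbol. Restore the line to ` get_interface_acasts` unless the rename is intentional and carried through in a part of the commit not shown here.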
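Review bot: Six of the eight changed lines in the two initialize_chain_table hunks (AUDIT, A_ACCEPT+ and NONAT at line 3188, NFLOG at line 3208) differ only in column alignment, so the functional change — adding MARKRULE to the `'CONNMARK'` and `'MARK'` entries — is buried in whitespace churn that a later `git blame` will attribute to this commit. Keeping realignment in a separate whitespace-only commit, or limiting this one to the two lines that actually gain MARKRULE, makes the intent reviewable at a glance. The surrounding hash and the sub itself start and end outside the hunks.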
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 38977b2fd..5c4f3f5a9 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -465,7 +465,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
 TPROXY_TARGET => 'TPROXY Target',
 FLOW_FILTER => 'Flow Classifier',
 FWMARK_RT_MASK => 'fwmark route mask',
- MARK_ANYWHERE => 'Mark in the filter table',
+ MARK_ANYWHERE => 'Mark in the filter and nat tables',
 HEADER_MATCH => 'Header Match',
 ACCOUNT_TARGET => 'ACCOUNT Target',
 AUDIT_TARGET => 'AUDIT Target',
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 72b2850b4..3919ba44f 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -5422,6 +5422,10 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 $actiontype = $builtin_target{$target = 'MASQUERADE'};
 $add_snat_aliases = '';
 $logaction = 'MASQ';
+ } elsif ( $action =~ /^((?:CONN)?MARK)(\+)?\((.+)\)$/ ) {
+ $actiontype = $targets{$logaction = $1};
+ $pre_nat = $2;
+ validate_mark( $param = $3 );
 } else {
 ( $target , $params ) = get_target_param1( $action );
@@ -5440,7 +5444,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 $target = 'LOG';
 }
 } else {
- fatal_error "Invalid ACTION ($action)" unless $actiontype & ( ACTION | INLINE );
+ fatal_error "Invalid ACTION ($action)" unless $actiontype & ( ACTION | INLINE | MARKRULE );
 $logaction = '';
 }
 }
@@ -5766,6 +5770,8 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 } else {
 $loglevel = '';
 }
+ } elsif ( $actiontype & MARKRULE ) {
+ $target = "$logaction --set-mark $param"
 } else {
 for my $option ( split_list2( $options , 'option' ) ) {
 if ( $option eq 'random' ) {
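Review bot: In the new elsif branch of process_snat1, `$pre_nat = $2;` stores undef whenever the action carries no `+` suffix, because an unmatched optional capture group yields undef rather than an empty string, and any later string use of $pre_nat then produces "Use of uninitialized value" under `use warnings`. I cannot see how $pre_nat is consumed further down (the sub starts and ends outside this hunk), so if it is only ever tested for truth this is harmless; otherwise `$pre_nat = defined $2 ? $2 : '';` makes the no-suffix case explicit. The assignments nested inside subscripts and argument lists (`$targets{$logaction = $1}`, `validate_mark( $param = $3 )`) are also easy to misread; spelling them out as separate `$logaction = $1;` and `$param = $3;` statements costs two lines and avoids a reader missing the side effect.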
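Review bot: Widening the check to `fatal_error "Invalid ACTION ($action)" unless $actiontype & ( ACTION | INLINE | MARKRULE );` lets a bare `MARK` or `CONNMARK` without the `(value)` suffix through, since such an action misses the new regex branch earlier in process_snat1 and lands in this else branch, which then sets `$logaction = ''`. The MARKRULE branch added later in the same sub builds the target as `"$logaction --set-mark $param"`, so for that input it would emit a target with an empty name and whatever $param holds at that point; how $actiontype and $param are derived between the hunks is not visible, so this is inferred from the shown lines. If only the parenthesised form is meant to be valid in the snat file, the original mask should stay unchanged so that the bare form is still rejected here with the existing message.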
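Review bot: The added line `$target = "$logaction --set-mark $param"` has no terminating semicolon; it parses only because it is the last statement in its block, and the next statement appended to that block will turn it into a syntax error, so write `$target = "$logaction --set-mark $param";`. The Config.pm hunk in this commit now describes MARK_ANYWHERE as "Mark in the filter and nat tables", which suggests that capability gates MARK/CONNMARK in the nat table; if that is the right gate, this branch should assert it at compile time, e.g. `require_capability 'MARK_ANYWHERE', 'MARK/CONNMARK in the snat file', 's';`, so a missing kernel feature is reported here rather than as an iptables-restore failure at start time. The MARKRULE test also does not distinguish CONNMARK from MARK; both get `--set-mark`, which is fine for iptables but worth a one-line comment since CONNMARK also accepts `--set-xmark`. process_snat1 continues past the end of this hunk.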