Purge stale SAME recent entries
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9534 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
c71eaa34cc
commit
f238b6a5aa
@ -764,6 +764,7 @@ sub lookup_provider( $ ) {
|
|||||||
# to the 'tracked' providers
|
# to the 'tracked' providers
|
||||||
#
|
#
|
||||||
sub handle_stickiness() {
|
sub handle_stickiness() {
|
||||||
|
my $mask = $config{HIGH_ROUTE_MARKS} ? '0xFF00' : '0xFF';
|
||||||
my $setstickyref = $mangle_table->{setsticky};
|
my $setstickyref = $mangle_table->{setsticky};
|
||||||
my $setstickoref = $mangle_table->{setsticko};
|
my $setstickoref = $mangle_table->{setsticko};
|
||||||
my $tcpreref = $mangle_table->{tcpre};
|
my $tcpreref = $mangle_table->{tcpre};
|
||||||
@ -773,7 +774,6 @@ sub handle_stickiness() {
|
|||||||
|
|
||||||
fatal_error "There are SAME tcrules but no 'track' providers" unless @routemarked_providers;
|
fatal_error "There are SAME tcrules but no 'track' providers" unless @routemarked_providers;
|
||||||
|
|
||||||
|
|
||||||
for my $providerref ( @routemarked_providers ) {
|
for my $providerref ( @routemarked_providers ) {
|
||||||
my $interface = $providerref->{interface};
|
my $interface = $providerref->{interface};
|
||||||
my $base = uc chain_base $interface;
|
my $base = uc chain_base $interface;
|
||||||
@ -781,7 +781,7 @@ sub handle_stickiness() {
|
|||||||
|
|
||||||
for ( grep /-j sticky/, @{$tcpreref->{rules}} ) {
|
for ( grep /-j sticky/, @{$tcpreref->{rules}} ) {
|
||||||
my $stickyref = ensure_mangle_chain 'sticky';
|
my $stickyref = ensure_mangle_chain 'sticky';
|
||||||
my $rule1;
|
my ( $rule1, $rule2 );
|
||||||
my $list = sprintf "sticky%03d" , $sticky++;
|
my $list = sprintf "sticky%03d" , $sticky++;
|
||||||
|
|
||||||
for my $chainref ( $stickyref, $setstickyref ) {
|
for my $chainref ( $stickyref, $setstickyref ) {
|
||||||
@ -791,32 +791,40 @@ sub handle_stickiness() {
|
|||||||
if ( $chainref->{name} eq 'sticky' ) {
|
if ( $chainref->{name} eq 'sticky' ) {
|
||||||
$rule1 = $_;
|
$rule1 = $_;
|
||||||
$rule1 =~ s/-j sticky/-m recent --name $list --update --seconds 300 -j MARK --set-mark $mark/;
|
$rule1 =~ s/-j sticky/-m recent --name $list --update --seconds 300 -j MARK --set-mark $mark/;
|
||||||
|
$rule2 = $_;
|
||||||
|
$rule2 =~ s/-j sticky/-m mark --mark 0\/$mask -m recent --name $list --remove/;
|
||||||
} else {
|
} else {
|
||||||
$rule1 = $_;
|
$rule1 = $_;
|
||||||
$rule1 =~ s/-j sticky/-m mark --mark $mark -m recent --name $list --set/;
|
$rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/;
|
||||||
}
|
}
|
||||||
|
|
||||||
$rule1 =~ s/-A //;
|
$rule1 =~ s/-A //;
|
||||||
|
|
||||||
add_rule $chainref, $rule1;
|
add_rule $chainref, $rule1;
|
||||||
|
|
||||||
|
if ( $rule2 ) {
|
||||||
|
$rule2 =~ s/-A //;
|
||||||
|
add_rule $chainref, $rule2;
|
||||||
|
}
|
||||||
|
|
||||||
decr_cmd_level( $chainref), add_command( $chainref, "fi" ) if $providerref->{optional};
|
decr_cmd_level( $chainref), add_command( $chainref, "fi" ) if $providerref->{optional};
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
for ( grep /-j sticko/, @{$tcoutref->{rules}} ) {
|
for ( grep /-j sticko/, @{$tcoutref->{rules}} ) {
|
||||||
my $rule1;
|
my ( $rule1, $rule2 );
|
||||||
my $list = sprintf "sticky%03d" , $sticky++;
|
my $list = sprintf "sticky%03d" , $sticky++;
|
||||||
my $stickoref = ensure_mangle_chain 'sticko';
|
my $stickoref = ensure_mangle_chain 'sticko';
|
||||||
|
|
||||||
for my $chainref ( $stickoref, $setstickoref ) {
|
for my $chainref ( $stickoref, $setstickoref ) {
|
||||||
|
|
||||||
add_command( $chainref, qq(if [ -n "\$${base}_IS_UP" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
|
add_command( $chainref, qq(if [ -n "\$${base}_IS_UP" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
|
||||||
|
|
||||||
if ( $chainref->{name} eq 'sticko' ) {
|
if ( $chainref->{name} eq 'sticko' ) {
|
||||||
$rule1 = $_;
|
$rule1 = $_;
|
||||||
$rule1 =~ s/-j sticko/-m recent --name $list --rdest --update --seconds 300 -j MARK --set-mark $mark/;
|
$rule1 =~ s/-j sticko/-m recent --name $list --rdest --update --seconds 300 -j MARK --set-mark $mark/;
|
||||||
|
$rule2 = $_;
|
||||||
|
$rule2 =~ s/-j sticko/-m mark --mark 0\/$mask -m recent --name $list --rdest --remove/;
|
||||||
} else {
|
} else {
|
||||||
$rule1 = $_;
|
$rule1 = $_;
|
||||||
$rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/;
|
$rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/;
|
||||||
@ -826,8 +834,12 @@ sub handle_stickiness() {
|
|||||||
|
|
||||||
add_rule $chainref, $rule1;
|
add_rule $chainref, $rule1;
|
||||||
|
|
||||||
decr_cmd_level( $chainref), add_command( $chainref, "fi" ) if $providerref->{optional};
|
if ( $rule2 ) {
|
||||||
|
$rule2 =~ s/-A //;
|
||||||
|
add_rule $chainref, $rule2;
|
||||||
|
}
|
||||||
|
|
||||||
|
decr_cmd_level( $chainref), add_command( $chainref, "fi" ) if $providerref->{optional};
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
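Review bot: The outbound `setsticko` rule at the end of this hunk still matches the bare mark, `-m mark --mark $mark -m recent --name $list --rdest --set`, while its inbound counterpart a few lines above was changed to `--mark $mark\/$mask`; since `$mask` (0xFF00 under HIGH_ROUTE_MARKS, else 0xFF, per the earlier hunk) exists precisely because other bits of the packet mark may be in use, an unmasked match would not fire whenever those other bits are non-zero, and the SAME recent entry would never be recorded for outbound connections. I would change it to `$rule1 =~ s/-j sticko/-m mark --mark $mark\/$mask -m recent --name $list --rdest --set/;` to mirror the sticky case. Separately, `$rule2` is declared (`my ( $rule1, $rule2 );`) outside `for my $chainref ( $stickyref, $setstickyref )`, so once the `sticky` iteration assigns it the following `setsticky` iteration also passes `if ( $rule2 )` and appends the `--remove` rule to `setsticky` as well, with the same effect for `sticko`/`setsticko`; if that is not intended, move the `my ( $rule1, $rule2 );` declaration inside the chain loop. handle_stickiness begins before this hunk and its tail lies in the following hunk.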
@ -111,3 +111,7 @@ New Features in Shorewall 4.4
|
|||||||
five minutes to the same remote system then the new connection will
|
five minutes to the same remote system then the new connection will
|
||||||
use the same provider as the connection over which that last packet
|
use the same provider as the connection over which that last packet
|
||||||
was sent.
|
was sent.
|
||||||
|
|
||||||
|
Important note: SAME only works with providers that have the
|
||||||
|
'track' option specified in /etc/shorewall/providers.
|
||||||
|
|
||||||
|