Purge stale SAME recent entries

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9534 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2009-02-25 23:47:38 +00:00
parent c71eaa34cc
commit f238b6a5aa
2 changed files with 22 additions and 6 deletions


@ -764,6 +764,7 @@ sub lookup_provider( $ ) {
# to the 'tracked' providers # to the 'tracked' providers
# #
sub handle_stickiness() { sub handle_stickiness() {
my $mask = $config{HIGH_ROUTE_MARKS} ? '0xFF00' : '0xFF';
my $setstickyref = $mangle_table->{setsticky}; my $setstickyref = $mangle_table->{setsticky};
my $setstickoref = $mangle_table->{setsticko}; my $setstickoref = $mangle_table->{setsticko};
my $tcpreref = $mangle_table->{tcpre}; my $tcpreref = $mangle_table->{tcpre};
@ -773,7 +774,6 @@ sub handle_stickiness() {
fatal_error "There are SAME tcrules but no 'track' providers" unless @routemarked_providers; fatal_error "There are SAME tcrules but no 'track' providers" unless @routemarked_providers;
for my $providerref ( @routemarked_providers ) { for my $providerref ( @routemarked_providers ) {
my $interface = $providerref->{interface}; my $interface = $providerref->{interface};
my $base = uc chain_base $interface; my $base = uc chain_base $interface;
@ -781,7 +781,7 @@ sub handle_stickiness() {
for ( grep /-j sticky/, @{$tcpreref->{rules}} ) { for ( grep /-j sticky/, @{$tcpreref->{rules}} ) {
my $stickyref = ensure_mangle_chain 'sticky'; my $stickyref = ensure_mangle_chain 'sticky';
my $rule1; my ( $rule1, $rule2 );
my $list = sprintf "sticky%03d" , $sticky++; my $list = sprintf "sticky%03d" , $sticky++;
for my $chainref ( $stickyref, $setstickyref ) { for my $chainref ( $stickyref, $setstickyref ) {
@ -791,32 +791,40 @@ sub handle_stickiness() {
if ( $chainref->{name} eq 'sticky' ) { if ( $chainref->{name} eq 'sticky' ) {
$rule1 = $_; $rule1 = $_;
$rule1 =~ s/-j sticky/-m recent --name $list --update --seconds 300 -j MARK --set-mark $mark/; $rule1 =~ s/-j sticky/-m recent --name $list --update --seconds 300 -j MARK --set-mark $mark/;
$rule2 = $_;
$rule2 =~ s/-j sticky/-m mark --mark 0\/$mask -m recent --name $list --remove/;
} else { } else {
$rule1 = $_; $rule1 = $_;
$rule1 =~ s/-j sticky/-m mark --mark $mark -m recent --name $list --set/; $rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/;
} }
$rule1 =~ s/-A //; $rule1 =~ s/-A //;
add_rule $chainref, $rule1; add_rule $chainref, $rule1;
if ( $rule2 ) {
$rule2 =~ s/-A //;
add_rule $chainref, $rule2;
}
decr_cmd_level( $chainref), add_command( $chainref, "fi" ) if $providerref->{optional}; decr_cmd_level( $chainref), add_command( $chainref, "fi" ) if $providerref->{optional};
} }
} }
for ( grep /-j sticko/, @{$tcoutref->{rules}} ) { for ( grep /-j sticko/, @{$tcoutref->{rules}} ) {
my $rule1; my ( $rule1, $rule2 );
my $list = sprintf "sticky%03d" , $sticky++; my $list = sprintf "sticky%03d" , $sticky++;
my $stickoref = ensure_mangle_chain 'sticko'; my $stickoref = ensure_mangle_chain 'sticko';
for my $chainref ( $stickoref, $setstickoref ) { for my $chainref ( $stickoref, $setstickoref ) {
add_command( $chainref, qq(if [ -n "\$${base}_IS_UP" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional}; add_command( $chainref, qq(if [ -n "\$${base}_IS_UP" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
if ( $chainref->{name} eq 'sticko' ) { if ( $chainref->{name} eq 'sticko' ) {
$rule1 = $_; $rule1 = $_;
$rule1 =~ s/-j sticko/-m recent --name $list --rdest --update --seconds 300 -j MARK --set-mark $mark/; $rule1 =~ s/-j sticko/-m recent --name $list --rdest --update --seconds 300 -j MARK --set-mark $mark/;
$rule2 = $_;
$rule2 =~ s/-j sticko/-m mark --mark 0\/$mask -m recent --name $list --rdest --remove/;
} else { } else {
$rule1 = $_; $rule1 = $_;
$rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/; $rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/;
@ -826,8 +834,12 @@ sub handle_stickiness() {
add_rule $chainref, $rule1; add_rule $chainref, $rule1;
decr_cmd_level( $chainref), add_command( $chainref, "fi" ) if $providerref->{optional}; if ( $rule2 ) {
$rule2 =~ s/-A //;
add_rule $chainref, $rule2;
}
decr_cmd_level( $chainref), add_command( $chainref, "fi" ) if $providerref->{optional};
} }
} }
} }
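Review bot: The setsticko rule left as unchanged context in the 791 hunk, `$rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/;`, still compares the packet mark without `$mask`, while the parallel setsticky rule in the same hunk was changed to `--mark $mark\/$mask` and both new `--remove` rules use `--mark 0\/$mask`. If a packet carries mark bits outside the `$mask` range (presumably the reason the other three comparisons were masked), the unmasked exact match never succeeds on the output side, the `--rdest --set` entry is never created, and output-direction stickiness silently does not apply. For consistency the line should read `$rule1 =~ s/-j sticko/-m mark --mark $mark\/$mask -m recent --name $list --rdest --set/;`. A one-line comment on the new `$mask` declaration, such as `# Compare only the routing-mark bits; the remaining mark bits may be in use elsewhere`, would also make the intent of the `/$mask` suffixes explicit. The enclosing sub handle_stickiness starts in an earlier hunk of this section; its closing brace appears to be the final line here.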


@ -111,3 +111,7 @@ New Features in Shorewall 4.4
five minutes to the same remote system then the new connection will five minutes to the same remote system then the new connection will
use the same provider as the connection over which that last packet use the same provider as the connection over which that last packet
was sent. was sent.
Important note: SAME only works with providers that have the
'track' option specified in /etc/shorewall/providers.