Fix tcrules processing

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@773 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-12-16 03:10:39 +01:00 · 2003-10-21 20:26:23 +00:00 · 2003-10-21 20:26:23 +00:00 · f6c8974bda
commit f6c8974bda
parent bb55ad3128
3 changed files with 30 additions and 23 deletions
--- a/STABLE/changelog.txt
+++ b/STABLE/changelog.txt
@ -11,3 +11,5 @@ Changes since 1.4.7
 4) Corrected handling of LOGUNCLEAN.

 5) Corrected handling of "complex" zones.
+
+6) Fix tcrules processing.
--- a/STABLE/firewall
+++ b/STABLE/firewall
@ -1668,9 +1668,10 @@ setup_ecn() # $1 = file name
 #
 process_tc_rule()
 {
+    chain=$marking_chain
+    
    add_a_tc_rule() {
 	r=
-	chain=$marking_chain

 	if [ "x$source" != "x-"	 ]; then
 	    case $source in
@ -1693,26 +1694,6 @@ process_tc_rule()
 	    esac
 	fi

-	if [ "$mark" != "${mark%:*}" ]; then
-
-	    [ "$chain" = tcout ] && \
-		fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\""
-
-	    case "${mark#*:}" in
-		p|P)
-		    chain=tcpre
-		    ;;
-		f|F)
-		    chain=tcfor
-		    ;;
-		*)
-		    fatal_error "Invalid chain designator: (${mark#*:}) in rule \"$rule\""
-		    ;;
-	    esac
-
-	    mark="${mark%:*}"
-	fi
-
 	[ "x$dest"   = "x-"  ] || r="${r}-d $dest "
 	[ "$proto"   = "all" ] || r="${r}-p $proto "
 	[ "x$port"   = "x-"  ] || r="${r}--dport $port "
@ -1722,6 +1703,26 @@ process_tc_rule()

    }

+    if [ "$mark" != "${mark%:*}" ]; then
+
+	[ "$chain" = tcout ] && \
+	    fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\""
+	
+	case "${mark#*:}" in
+	    p|P)
+		chain=tcpre
+		;;
+	    f|F)
+		chain=tcfor
+		;;
+	    *)
+		fatal_error "Invalid chain designator: (${mark#*:}) in rule \"$rule\""
+		;;
+	esac
+
+	mark="${mark%:*}"
+    fi
+
    for source in `separate_list ${sources:=-}`; do
 	for dest in `separate_list ${dests:=-}`; do
 	    for port in `separate_list ${ports:=-}`; do
--- a/STABLE/releasenotes.txt
+++ b/STABLE/releasenotes.txt
@ -1,4 +1,4 @@
-This is a minor release of Shorewall.
+This is a bugfix release of Shorewall.

 Problems Corrected since version 1.4.6:

@ -31,7 +31,11 @@ Problems Corrected since version 1.4.6:
   defined using the /etc/shorewall/hosts file. It has since been
   discovered that in many cases these new chains contain redundant
   rules and that the "optimization" turns out to be less than
-   optimal. The implementation has now been corrected. 
+   optimal. The implementation has now been corrected.
+
+6) When the MARK value in a tcrules entry is followed by ":F" or ":P",
+   the ":F" or ":P" was previously only applied to the first Netfilter
+   rule generated by the entry. It is now applied to all entries.  

 Migration Issues: