From f6c8974bdacd8bc61d9f63b58f5d31b1a294c2fb Mon Sep 17 00:00:00 2001
From: teastep
Date: Tue, 21 Oct 2003 20:26:23 +0000
Subject: [PATCH] Fix tcrules processing

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@773 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 STABLE/changelog.txt | 2 ++
 STABLE/firewall | 43 +++++++++++++++++++++--------------------
 STABLE/releasenotes.txt | 8 ++++++--
 3 files changed, 30 insertions(+), 23 deletions(-)

diff --git a/STABLE/changelog.txt b/STABLE/changelog.txt
index e58b32a11..b995fb58b 100644
--- a/STABLE/changelog.txt
+++ b/STABLE/changelog.txt
@@ -11,3 +11,5 @@ Changes since 1.4.7
 4) Corrected handling of LOGUNCLEAN.
 
 5) Corrected handling of "complex" zones.
+
+6) Fix tcrules processing.
diff --git a/STABLE/firewall b/STABLE/firewall
index a83d9ee42..5a0ad6346 100755
--- a/STABLE/firewall
+++ b/STABLE/firewall
@@ -1668,9 +1668,10 @@ setup_ecn() # $1 = file name
 #
 process_tc_rule()
 {
+ chain=$marking_chain
+
 add_a_tc_rule() {
 r=
- chain=$marking_chain
 
 if [ "x$source" != "x-" ]; then
 case $source in
@@ -1693,26 +1694,6 @@ process_tc_rule()
 esac
 fi
 
- if [ "$mark" != "${mark%:*}" ]; then
-
- [ "$chain" = tcout ] && \
- fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\""
-
- case "${mark#*:}" in
- p|P)
- chain=tcpre
- ;;
- f|F)
- chain=tcfor
- ;;
- *)
- fatal_error "Invalid chain designator: (${mark#*:}) in rule \"$rule\""
- ;;
- esac
-
- mark="${mark%:*}"
- fi
-
 [ "x$dest" = "x-" ] || r="${r}-d $dest "
 [ "$proto" = "all" ] || r="${r}-p $proto "
 [ "x$port" = "x-" ] || r="${r}--dport $port "
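Review bot: With `chain=$marking_chain` moved from add_a_tc_rule() up to process_tc_rule() in this hunk, `chain` is no longer reset for each generated rule; assuming the `case $source` arms that lie between the hunks (not shown) still assign `chain=tcout` for a firewall source, that value would override a `:P`/`:F` designator and carry over to the remaining sources of the same entry, so their MARK rules could be added to the wrong chain. The same reordering affects the third STABLE/firewall hunk: the `[ "$chain" = tcout ]` guard now runs before any source has been examined, so the "Chain designator not allowed" error looks unreachable unless `$marking_chain` is itself tcout. One way to keep both behaviours is to parse the designator into its own variable (constructed name `designator_chain`), begin each add_a_tc_rule() call with `chain=${designator_chain:-$marking_chain}`, and raise the fatal_error after the source case when `chain` is tcout and `designator_chain` is non-empty. Both function bodies continue outside the hunks shown.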
@@ -1722,6 +1703,26 @@ process_tc_rule()
 
 }
 
+ if [ "$mark" != "${mark%:*}" ]; then
+
+ [ "$chain" = tcout ] && \
+ fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\""
+
+ case "${mark#*:}" in
+ p|P)
+ chain=tcpre
+ ;;
+ f|F)
+ chain=tcfor
+ ;;
+ *)
+ fatal_error "Invalid chain designator: (${mark#*:}) in rule \"$rule\""
+ ;;
+ esac
+
+ mark="${mark%:*}"
+ fi
+
 for source in `separate_list ${sources:=-}`; do
 for dest in `separate_list ${dests:=-}`; do
 for port in `separate_list ${ports:=-}`; do
diff --git a/STABLE/releasenotes.txt b/STABLE/releasenotes.txt
index ced306244..0dd0e4439 100644
--- a/STABLE/releasenotes.txt
+++ b/STABLE/releasenotes.txt
@@ -1,4 +1,4 @@
-This is a minor release of Shorewall.
+This is a bugfix release of Shorewall.
 
 Problems Corrected since version 1.4.6:
 
@@ -31,7 +31,11 @@ Problems Corrected since version 1.4.6: defined using the /etc/shorewall/hosts file. It has since been discovered that in many cases these new chains contain redundant rules and that the "optimization" turns out to be less than - optimal. The implementation has now been corrected. + optimal. The implementation has now been corrected. + +6) When the MARK value in a tcrules entry is followed by ":F" or ":P", + the ":F" or ":P" was previously only applied to the first Netfilter + rule generated by the entry. It is now applied to all entries. Migration Issues: